print_util.c

该软件根据网络数据生成NetFlow记录。NetFlow可用于网络规划、负载均衡、安全监控等

/*  -*- Mode: C;  -*- */

/******************************************************************************
*                                                                             *
*   Copyright 2005 University of Cambridge Computer Laboratory.               *
*                                                                             *
*   This file is part of Nprobe.                                              *
*                                                                             *
*   Nprobe is free software; you can redistribute it and/or modify            *
*   it under the terms of the GNU General Public License as published by      *
*   the Free Software Foundation; either version 2 of the License, or         *
*   (at your option) any later version.                                       *
*                                                                             *
*   Nprobe is distributed in the hope that it will be useful,                 *
*   but WITHOUT ANY WARRANTY; without even the implied warranty of            *
*   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             *
*   GNU General Public License for more details.                              *
*                                                                             *
*   You should have received a copy of the GNU General Public License         *
*   along with Nprobe; if not, write to the Free Software                     *
*   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA *
*                                                                             *
******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#ifdef __alpha__
#include <sys/mbuf.h>
#endif
#include <net/route.h>
#include <net/if.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#ifdef __alpha__
#include <netinet/ip_var.h>
#endif
#ifdef __linux__
#define __FAVOR_BSD
#endif
#include <netinet/tcp.h>
#include <netinet/if_ether.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <signal.h>
#include <unistd.h>
#include <time.h>
#include <assert.h>
#include <arpa/nameser.h>

#include "list.h"
#include "pkt.h"
#include "seq.h"
#include "flows.h"
#include "http.h"
#include "tcp.h"
#include "service.h"
#include "udp.h"
#include "udp_ns.h"
#include "print_util.h"
#include "http_util.h"
#include "content_t.h"
#include "np_file.h"

#include "cprintf.h"

#define HTTP_PARSE_DEBUG

int print_packets = 0;
int print_hostnames = 0;

#if defined SWIG_ONLY || defined SWIG
char null_string[] = {'\0'};
#endif


#define TBUFSZ 250

/*
 * Print struct timeval
 */
void
print_ts(tmval *tvp, FILE *f)
{
  int i = tvp->tv_sec;
  fprintf(f, "%02d:%02d:%02d.%06lu ",
		 i / 3600, (i % 3600) / 60, i % 60, tvp->tv_usec);
  return;
}

/*
 * Return struct timeval as string
 */
char *
ts_string(tmval *tvp)
{
  static char tbuf[TBUFSZ];
  int i = tvp->tv_sec;
  sprintf(tbuf, "%02d:%02d:%02d.%06lu ",
		 i / 3600, (i % 3600) / 60, i % 60, tvp->tv_usec);
  return tbuf;
}


/*
 * Return nice ascii presentation of struct timeval
 */

char *
time_string(tmval *tvp)
{
  static char tbuf[TBUFSZ];
  char *tbp = tbuf;
  time_t tm = (time_t)tvp->tv_sec;
  struct tm *time = gmtime(&tm);
  //printf("time {%d, %d}, %d sec\n", tvp->tv_sec, tvp->tv_usec, tm);
  //printf("%x %x %x %x \n", tm & 0xff, tm>>8 & 0xff, tm>>16 & 0xff, tm>>24 & 0xff);
  
  tbp += strftime(tbuf, TBUFSZ, "%a %d %b %H:%M:%S", time);
  sprintf(tbp, ".%.3lu", tvp->tv_usec/1000);

  return tbuf;
}

#ifndef SWIG_ONLY
/*
 * Return us_clock_t as a string
 */

char *
us_clock_ts_string(us_clock_t t)
{
  struct timeval tv;
  tv.tv_sec = (unsigned int)(t/US_IN_S);
  tv.tv_usec = (unsigned int)(t%US_IN_S);

  return ts_string(&tv);
}
/*
 * Return us_clock_t as a nice date/time
 */

char *
us_clock_time_string(us_clock_t t)
{
  tmval tv;
  tv.tv_sec = (unsigned int)(t/US_IN_S);
  tv.tv_usec = (unsigned int)(t%US_IN_S);

  return time_string(&tv);
}
/*
 * Return unsigned int as a string
 */

char *
us_ts_string(unsigned int t)
{
  struct timeval tv;
  tv.tv_sec = (unsigned int)(t/US_IN_S);
  tv.tv_usec = (unsigned int)(t%US_IN_S);

  return ts_string(&tv);
}
#endif /* ifndef SWIG_ONLY */

/*
 * A faster replacement for inet_ntoa().
 */
char *
intoa(unsigned int addr)
{
  char *cp;
  u_int byte;
  int n;
  static char buf[sizeof(".xxx.xxx.xxx.xxx")];
  
//  NTOHL(addr);
  addr = ntohl(addr);
  cp = &buf[sizeof buf];
  *--cp = '\0';
  
  n = 4;
  do 
    {
      byte = addr & 0xff;
      *--cp = byte % 10 + '0';
      byte /= 10;
      if (byte > 0) 
	{
	  *--cp = byte % 10 + '0';
	  byte /= 10;
	  if (byte > 0)
	    *--cp = byte + '0';
	}
      *--cp = '.';
      addr >>= 8;
    } while (--n > 0);
  
  return cp + 1;
}

/*
 * hash tables for whatever-to-name translations
 */

#define HASHNAMESIZE 4096

struct hnamemem {
	u_long addr;
	char *name;
	char proto;		/* distinguish protocol for port look-ups */
	struct hnamemem *nxt;
};

struct hnamemem hnametable[HASHNAMESIZE];
struct hnamemem tporttable[HASHNAMESIZE];

#ifdef USE_HOSTNAMES
 
/*
 * "getname" is written in this atrocious way to make sure we don't
 * wait forever while trying to get hostnames from yp.
 */
#include <setjmp.h>

jmp_buf getname_env;

static void
nohostname(unused)
int unused;
{
  longjmp(getname_env, 1);
} 

#endif

/*
 * Return a name for the IP address pointed to by ap.  This address
 * is assumed to be in network byte order.
 *
 * S'be already aligned
 */
char *
get_hname(char *ap)
{
  struct hnamemem *p;
  char *cp;
  unsigned int addr = *(unsigned int *)ap;
 
  p = &hnametable[addr & (HASHNAMESIZE-1)]; 
  for (; p->nxt; p = p->nxt) 
    {
      if (p->addr == addr)
	return (p->name);
    }

  p->addr = addr;
  p->nxt = (struct hnamemem *)calloc(1, sizeof (*p));

#ifdef  USE_HOSTNAMES
  if (print_hostnames)
    {
      if (!setjmp(getname_env)) 
	{
	  struct hostent *hp;
	  (void)signal(SIGALRM, nohostname);
	  (void)alarm(20);
	  hp = gethostbyaddr((char *)&addr, 4, AF_INET);
	  (void)alarm(0);
	  if (hp) 
	    {	
	      u_int len = strlen(hp->h_name) + 1;
	      p->name = (char *)malloc(len);
	      (void)strcpy(p->name, hp->h_name);
	      return (p->name);
	    }
	}
    }

#endif

  cp = intoa(addr);
  p->name = (char *)malloc((unsigned)(strlen(cp) + 1));
  (void)strcpy(p->name, cp);
  return (p->name);
} 

void 
print_tcp_flags(unsigned char flags, FILE *f)
{
  if (flags & TH_SYN)
    fputc('S', f);
  if (flags & TH_ACK)
    fputc('A', f);
  if (flags & TH_FIN)
    fputc('F', f);
  if (flags & TH_RST)
    fputc('R', f);
  if (flags & TH_PUSH)
    fputc('P', f);
}

#ifndef SWIG

void 
print_tcpopts(char *cp, int len, FILE *f)
{
  int i;
  char ch = '<';
  
  fputc(' ', f);
  while (--len >= 0) 
    {
      fputc(ch, f);
      switch (*cp++) 
	{
	case TCPOPT_MAXSEG:
	  {
	    unsigned short mss;
	    bcopy((char *)cp + 1, (char *)&mss, sizeof(mss));
	    (void)fprintf(f, "mss %d", ntohs(mss));
	    if (*cp != 4)
	      (void)fprintf(f, "[len %d]", *cp);
	    cp += 3;
	    len -= 3;
	    break;
	  }
	case TCPOPT_EOL:
	  (void)fprintf(f, "eol");
	  break;
	case TCPOPT_NOP:
	  (void)fprintf(f, "nop");
	  break;
	case TCPOPT_WSCALE:
	  (void)fprintf(f, "wscale %d", cp[1]);
	  if (*cp != 3)
	    (void)fprintf(f, "[len %d]", *cp);
	  cp += 2;
	  len -= 2;
	  break;
	case TCPOPT_SACKOK:
	  (void)fprintf(f, "sackOK");
	  if (*cp != 2)
	    (void)fprintf(f, "[len %d]", *cp);
	  cp += 1;
	  len -= 1;
	  break;
	case TCPOPT_ECHO:
	  {
	    unsigned int v;
	    bcopy((char *)cp + 1, (char *)&v, sizeof(v));
	    (void)fprintf(f, "echo %u", v);
	    if (*cp != 6)
	      (void)fprintf(f, "[len %d]", *cp);
	    cp += 5;
	    len -= 5;
	    break;
	  }
	case TCPOPT_ECHOREPLY:
	  {
	    unsigned int v;
	    bcopy((char *)cp + 1, (char *)&v, sizeof(v));
	    (void)fprintf(f, "echoreply %u", v);
	    if (*cp != 6)
	      (void)fprintf(f, "[len %d]", *cp);
	    cp += 5;
	    len -= 5;
	    break;
	  }
	default:
	  (void)fprintf(f, "opt-%d:", cp[-1]);
	  for (i = *cp++ - 2, len -= i + 1; i > 0; --i)
	    (void)fprintf(f, "%02x", *cp++);
	  break;
	}
      ch = ',';
    }
  fputc('>', f);
  
  return;
}

#endif /* ifndef SWIG */

/* 
 * Return textual version of port number (port in host order)
 */

#define TCP 0
#define UDP 1

char *
tcpudp_port_string(unsigned short port, char proto)
{
  struct hnamemem *tp;
  struct servent *sep;
  int i = port;
  char *prot;
  
  /* got it already? */
  for (tp = &tporttable[i & (HASHNAMESIZE-1)]; tp->nxt; tp = tp->nxt)
    if (tp->addr == i && tp->proto == proto)
      goto done;
  
  /* else new entry */
  //tp->name = (char *)malloc(strlen("0000000000"));
  tp->name = (char *)malloc(1024);
  tp->addr = i;
  tp->proto = proto;
  tp->nxt = (struct hnamemem *)calloc(1, sizeof (*tp));

  /* cream off particular known not in, or at variance with, /etc/services */
  switch (port)
    {
    case 161: strcpy(tp->name, "SNMP"); goto done; break;
    case 8008: strcpy(tp->name, "http_alt1"); goto done; break; 
    case 8080: strcpy(tp->name, "http_alt2"); goto done; break; 
    case 8554:
    case 554: strcpy(tp->name, "RTSP"); goto done; break;
    case 4000: strcpy(tp->name, "ICQ"); goto done; break;
    default: break;
    } /* end switch */

  prot = (proto == FLOW_TCP ? "tcp" : "udp");
  /* refer to /etc/services only for wk numbers */
  if (port < 1024)
    {
      sep = getservbyport(htons(port), prot);
      endservent();
      if (sep)
	{
	  strcpy(tp->name, sep->s_name);
	   goto done;
	}
    }

  sprintf(tp->name, "%d", i);
  
 done:
  return (tp->name);
}

char *
get_atmaddr(unsigned int atmdata)
{
  static char addr[32];
  unsigned char card = atmdata >> 24;
  unsigned char vpi = (atmdata >> 16) & 0xff;
  unsigned short vci = atmdata & 0xffff;