report.c

该软件根据网络数据生成NetFlow记录。NetFlow可用于网络规划、负载均衡、安全监控等

	{
	  REP(f, "(client");
	  if (state & TCP_SERV_SERV_ERR)
	    REP(f, "/server) ");
	  else 
	    REP(f, ") ");
	}
      else
	REP(f, "(server) ");
    }

  REP(f, "\n");

  if (state & TCP_FORCED)
    {
      REP(f, "*** FORCED ");
      if (state & TCP_FORCED_OPEN)
	REP(f, "OPEN ");
      if (state & TCP_FORCED_CLOSE)
	REP(f, "CLOSE ");
      if (state & TCP_FORCED_ALT)
	REP(f, "ALT ");
      REP(f, "***\n");
    }
  
  return;
}

void 
report_syn_nonsense(FILE *f, unsigned int state)
{
  if (state & TSP_SYN_NONSENSE)
    {
      REP(f, "** SYN ");
      if (state & TSP_DUP_SYN)
	REP(f, "DUP ");
      if (state & TSP_SYN_TOO_LATE)
	REP(f, "LATE ");
      if (state & TSP_MAVERICK_SYN)
	REP(f, "MAVERICK ");
      REP(f, "** ");
    }

  if (state & TSP_CONN_FORCED)
    {
      REP(f, "** FORCED ");
      if (state & TSP_FORCED_OPEN)
	REP(f, "OPEN ");
      if (state & TSP_FORCED_CLOSE)
	REP(f, "CLOSE ");
      if (state & TSP_FORCED_ALT)
	REP(f, "ALT ");
      REP(f, "** ");
    }
  
  REP(f, "\n");

  return;
}
  

void 
report_timeo_type(FILE *f, unsigned int state)
{
  REP(f, "( ");
  if (state & TSP_SEQ_HELD)
    REP(f, "held ");
  if (state & TSP_SEQ_TIMEO)
    REP(f, "to ");
  if (state & TSP_SEQ_TIMEO_FORCED)
    REP(f, "tf ");
  if (state & TSP_SEQ_TIMEO_QL)
    REP(f, "tq ");
  if (state & TSP_SEQ_TIMEO_ACK)
    REP(f, "ta ");
  REP(f, ")\n");

  return;
}

void 
report_flags(FILE *f, unsigned int state)
{
  if (state & TSP_SYN)
    REP(f, "S");
  if (state & TSP_RST)
    REP(f, "R");
  if (state & TSP_FIN)
    REP(f, "F");

  if (state & (TSP_SYN | TSP_RST | TSP_FIN))
    REP(f, " ");
  
  return;
}

void 
report_tcp_conn(FILE *f, tcp_conn_t *tconnp, unsigned int indx, int print_hdrs) 
{

  int i;
  http_trans_t *tp = tconnp->su.http.trans;
  tcp_simplex_flow_t *client = &tconnp->tcp.client;
  tcp_simplex_flow_t *server = &tconnp->tcp.server;
  int client_seen = tconnp->flow_inner.state & TCP_CLIENT_SEEN;
  int server_seen = tconnp->flow_inner.state & TCP_SERVER_SEEN;
  unsigned int csyn = 0L, ssyn = 0L;
  unsigned int crst = 0L, srst = 0L;
  us_clock_t start = tconnp->flow_inner.first_arr_tm; 
  us_clock_t end = tconnp->flow_inner.last_arr_tm;
  us_clock_t dur = end - start;

  if (client_seen)
    {
      csyn = tconnp->tcp.client.syn_us;
      crst = tconnp->tcp.client.rst_us;
    }

  if (server_seen)
    {
      ssyn = tconnp->tcp.server.syn_us;
      srst = tconnp->tcp.server.rst_us;
    }

  REP(f, " #%u", indx);
 
  REP(f, " %s <> %s TCP #%u ", 
      get_hname((char *)&tconnp->flow_inner.srcaddr), 
      get_hname((char *)&tconnp->flow_inner.dstaddr),
      tconnp->hdrs.conn_id);

  REP(f, "(%s <> ", get_atmaddr(tconnp->flow_inner.src_atmdata));
  REP(f, "%s)\n", get_atmaddr(tconnp->flow_inner.dst_atmdata));

  REP(f, "  %s <> %s ", 
	 tcpudp_port_string(ntohs(tconnp->flow_inner.srcport), FLOW_TCP), 
	 tcpudp_port_string(ntohs(tconnp->flow_inner.dstport), FLOW_TCP));

  REP(f, "%s", tcp_pload_string(tconnp->flow_inner.serv_type));
  if (tconnp->flow_inner.serv_type == TCP_SERV_HTTP)
    {
      if (tconnp->su.http.meta.status & HTTP_WAS_PERSISTENT)
	REP(f, "-P ");
      else if (tconnp->su.http.meta.status & HTTP_CLOSE)
	REP(f, "-NP ");
      else 
	REP(f, "-U ");
    }

  report_tcp_close(f, tconnp->flow_inner.state);

  if (client_seen)
    REP(f, "clisyn %u\n", csyn);

  REP(f, "    Open %s  ", us_clock_time_string(start));
  REP(f, "close %s  ", us_clock_time_string(end));
  
  REP(f, "Duration %.3f ms\n", (float)dur/US_IN_MS);
  REP(f, "Client mss %hu Server mss %hu\n", client->mss, server->mss);
  
  //REP(f, "\n");

  if (client_seen)
    {
      REP(f, "  client: %u/%u octets/pkts. (%u empty) ", client->tot_bytes, 
	     client->tot_pkts,  client->tot_e_pkts);
      REP(f, "(seq %u ack %u) ", 
	  client->solidseq - client->firstseq, 
	  client->lastack - client->firstack);
      report_flags(f, client->state);
      report_syn_nonsense(f, client->state);
      if (client->duplicate_bytes)
	REP(f, "    retransmitted: %u/%u\n", client->duplicate_bytes,
	       client->duplicate_pkts);
      if (client->ooo_bytes)
	REP(f, "    ooo: %u/%u\n", client->ooo_bytes, client->ooo_pkts);
      if (client->gap_bytes)
	{
	  REP(f, "    sequence gaps: %u/%u ", client->gap_bytes, client->gap_pkts);
	  report_timeo_type(f, client->state);
	}
    }

  if (server_seen)
    {
      REP(f, "  server: %u/%u octets/pkts. (%u empty) ", server->tot_bytes, 
	  server->tot_pkts,  server->tot_e_pkts);
      REP(f, "(seq %u ack %u) ", 
	  server->solidseq - server->firstseq, 
	  server->lastack - server->firstack);
      report_flags(f, server->state);
      report_syn_nonsense(f, server->state);
      if (server->duplicate_bytes)
	REP(f, "    retransmitted: %u/%u\n", server->duplicate_bytes,
	    server->duplicate_pkts);
      if (server->ooo_bytes)
	REP(f, "    ooo: %u/%u\n", server->ooo_bytes, server->ooo_pkts);
      if (server->gap_bytes)
	{
	  REP(f, "    sequence gaps: %u/%u ", server->gap_bytes, server->gap_pkts);
	  report_timeo_type(f, server->state);
	}
    }

  REP(f, "\n");

  switch (tconnp->flow_inner.serv_type)
    {
    case TCP_SERV_HTTP:
  
      REP(f, "%d transactions (%d/2 dummy)\n", 
	  tconnp->su.http.meta.ntrans, tconnp->su.http.meta.ndummytrans);
      if (tconnp->su.http.trans)
	{
	  //REP(f, "%d transactions (%d/2 dummy)\n", 
	  //tconnp->su.http.meta.ntrans, tconnp->su.http.meta.ndummytrans);
	  for (i = 0, tp = tconnp->su.http.trans; 
	       i < tconnp->su.http.meta.ntrans; 
	       i++, tp = tp->next)
	    {
	      REP(f, "Trans #%d\n", i);
	      print_trans(f, tp, -1, client_seen, server_seen, 
			  tconnp->su.http.addit_trans_fields, start);
	    }
	  
	  if (!tconnp->su.http.meta.ntrans)
	    REP(f, "\n");
	}
      break;

    case TCP_SERV_OTHER:
    case TCP_SERV_TEST:
    case TCP_SERV_FTP:
    case TCP_SERV_FTP_DATA:
    case TCP_SERV_TELNET:
    case TCP_SERV_SMTP:
    case TCP_SERV_POP3:
    case TCP_SERV_NNTP:
    case TCP_SERV_NETBIOS_SSN:
    case TCP_SERV_RTSP:
    case TCP_SERV_PNM:
      break;

    default:
      fprintf(stderr, "Report_tcp_conn() - unknown service type (%hu)\n",
	     tconnp->flow_inner.serv_type);
      exit (1);
      break;
    }
  /* end switch */

  if (print_hdrs)
    {
      
      REP(f, " %d %s headers\n", tconnp->hdrs.nheld, 
	  tconnp->flow_inner.state & TCP_HDRS_DUMPED ? "remaining" : "");
      
      for (i = 0; i < tconnp->hdrs.nheld; i++)
	print_hdr_rec(f, &tconnp->hdrs.hdrs[i], &tconnp->hdrs.atm);
    }
  
  REP(f, "\n");

#ifdef PRINT_OUT
  fflush(repfile);
#endif
  
  
  return;
}

/*
 * Report TCP open record 
 */

void 
report_tcp_open(tcp_open_t *flow, us_clock_t tm, unsigned int indx)
{
  REP(stdout, " #%u %s TCP open id #%u ", indx, us_clock_ts_string(tm), flow->conn_id);
  print_flow(stdout, &flow->flow, CLIENT);
  REP(stdout, "\n");

  return;
}

/*
 * Report a block of TCP hdr info 
 */
void 
report_tcp_hdrs(tcp_hdrs_t *hdrs, unsigned int indx)
{
  int i;
  us_clock_t atm = hdrs->atm;

  REP(stdout, " #%u TCP id %u %d headers\n", indx, hdrs->conn_id, hdrs->nheld);

  for (i = 0; i < hdrs->nheld; i++)
    print_hdr_rec(stdout, &hdrs->hdrs[i], &atm);

  REP(stdout, "\n");

  return;
}
  

/*****************************************************************************/

/*
 * UDP stuff 
 */

void 
report_udp_conn(udp_conn_t *uconnp, unsigned int indx) 
{

  udp_simplex_flow_t *client = &uconnp->udp.client;
  udp_simplex_flow_t *server = &uconnp->udp.server;
  int client_seen = uconnp->flow_inner.state & UDP_CLIENT_SEEN;
  int server_seen = uconnp->flow_inner.state & UDP_SERVER_SEEN;
  us_clock_t cstart = 0L, sstart = 0L;
  us_clock_t cend = 0L, send = 0L;
  us_clock_t start = uconnp->flow_inner.first_arr_tm;
  us_clock_t end = uconnp->flow_inner.last_arr_tm;
  us_clock_t dur = end - start;

  if (client_seen)
    {
      cstart = uconnp->udp.client.start_us;
      cend = uconnp->udp.client.end_us;
    }

  if (server_seen)
    {
      sstart = uconnp->udp.server.start_us;
      send = uconnp->udp.server.end_us;
    }
 
  REP(stdout, " #%u %s <> %s UDP ", indx, 
      get_hname((char *)&uconnp->flow_inner.srcaddr), 
      get_hname((char *)&uconnp->flow_inner.dstaddr));

  REP(stdout, "(%s <> ", get_atmaddr(uconnp->flow_inner.src_atmdata));
  REP(stdout, "%s)\n", get_atmaddr(uconnp->flow_inner.dst_atmdata));

  REP(stdout, "  %s <> %s ", 
	 tcpudp_port_string(ntohs(uconnp->flow_inner.srcport), FLOW_UDP), 
	 tcpudp_port_string(ntohs(uconnp->flow_inner.dstport), FLOW_UDP));

  REP(stdout, "%s ", udp_pload_string(uconnp->flow_inner.serv_type));

  if(uconnp->flow_inner.state & UDP_TIMEO)
    REP(stdout, "timed out\n");
  else if (uconnp->flow_inner.state & UDP_SERV_DONE)
    REP(stdout, "done\n");
  else
    REP(stdout, "open\n");

  REP(stdout, "    Open %s  ", us_clock_ts_string(start));
  REP(stdout, "close %s  ", us_clock_ts_string(end));

  REP(stdout, "Duration %.3f ms\n", (float)dur/US_IN_MS);

  if (client_seen)
    {
      REP(stdout, "  client: %u/%u octets/pkts\n", client->tot_bytes, 
	     client->tot_pkts);
    }

  if (server_seen)
    {
      REP(stdout, "  server: %u/%u octets/pkts\n", server->tot_bytes, 
	  server->tot_pkts);
    }

  if (uconnp->service_data)
    {
      switch (uconnp->flow_inner.serv_type)
	{
	case UDP_SERV_DNS: 
	  report_ns(uconnp->service_data); break;
	case UDP_SERV_NFS:
	case UDP_SERV_ICQ:
	case UDP_SERV_OTHER:
	  break;				/* nothing */
	default:
	  break;
	}
    }

  printf("\n");
  return;
}

/* 
 * DNS stuff 
 */

/* 
 * Report ns record 
 */
void 
report_ns(ns_fullrec_t *nfp)
{
  ns_rec_t *np = &nfp->ns_rec;
  unsigned short state = np->state;
  ns_parms_t parms = np->ns_parms;
  int bad = 0;

  printf("\t");

  if (state & NS_CLIENT_SEEN)
    {
      if (state & NS_REQ_REQ)
	{
	  printf("request %s%s", ns_ops[parms.opcode], parms.rd ? " R" : "");
	}
      else
	{
	  printf("Client not request");
	  bad++;
	}
      if (state & NS_SERVER_SEEN)
	{
	  printf(" + ");
	}
      else
	{
	  printf("\n");
	}
    }

  if (state &  NS_SERVER_SEEN)
    {
      if (state & NS_RESP_RESP)
	{
	  printf("response%s%s%s %s ", 
		 parms.aa ? " A" : "", parms.tc ? " |" : "",
		 parms.ra ? " R" : "", ns_resp[parms.rcode]);
	}
      else
	{
	  printf("Server not response");
	  bad++;
	}
      printf("\n");
    }
      

  if (state & NS_UNMATCHED_RESPONSE)