📄 wread_util.c
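ERROR("_filter_file(): fclose()");

  return 0;
}

/*
 * Return offset of current record and advance to next
 *
 * The record header is taken from the file being parsed, so its length
 * field is checked before it is turned into a seek distance.
 * NOTE(review): like the rest of this file, the error paths assume ERROR()
 * does not return (see the "NOT REACHED" markers below) - confirm.
 */
long
_indx_rec(struct np_file *file)
{
  FILE *f = file->file;
  long offset = ftell(f);
  struct rep_rec_hdr rec_hdr;

  if (offset < 0)
    ERROR("_indx_rec(): ftell()");

  GET_STRUCT(f, &rec_hdr, struct rep_rec_hdr);

  if (rec_hdr.indx != (file->indx & 0xff))
    {
      char errbuf[250];

      /* bounded formatting: never write past errbuf */
      snprintf(errbuf, sizeof errbuf,
	       "Record delimiter problem: delim %u record %u\n",
	       rec_hdr.indx, file->indx);
      ERROR(errbuf);
    }

  file->indx++;

  /* len counts the header too; a smaller value would wrap the subtraction */
  if (rec_hdr.len < sizeof(struct rep_rec_hdr))
    ERROR("_indx_rec(): record length shorter than record header");

  if (fseek(f, (long) (rec_hdr.len - sizeof(struct rep_rec_hdr)), SEEK_CUR) != 0)
    ERROR("next_rec(): fseek()");

  return offset;
}

/*
 * Position file at start of next record of specified type
 * - return -1 if EOF else type of record
 *
 * Also returns -1 when a REC_COUNTERS record is met (end of records).
 * On success file->curr_offset is the offset of the record body and
 * file->curr_len its length without the header.
 */
int
_next_rec(struct np_file *file, unsigned char rec_type)
{
  FILE *f = file->file;
  struct rep_rec_hdr rec_hdr;
  long off;
  char errbuf[250];
  /* header size as a long, so offset arithmetic stays signed and matches %ld */
  const long hdr_len = (long) sizeof(struct rep_rec_hdr);

  for (;;)
    {
      GET_STRUCT(f, &rec_hdr, struct rep_rec_hdr);
      if (feof(f))
	{
	  printf("FEOF\n");
	  return -1;
	}
      off = ftell(f);
      if (off < 0)
	ERROR("next_rec(): ftell()");

#ifdef DUMP_DEBUG
      if (rec_hdr.magic != REC_HDR_MAGIC)
	{
	  long end;
	  long start = off - hdr_len + 1;	/* fail point + 1 */
	  long pos = start;

	  /* file->fnm has no visible length limit, so the write is bounded */
	  snprintf(errbuf, sizeof errbuf,
		   " XXXXX Record delimiter problem: file %s offset %ld following record indx %lu\n",
		   file->fnm, off - hdr_len, file->indx-1);

	  if (file->patches++ <= MAX_REC_PATCHES)
	    {
	      fprintf(stderr, "%s\t- attempting recovery\n", errbuf);

	      /* find end - if attempt to go over will get error */
	      if (fseek(f, 0L, SEEK_END) != 0)
		ERROR("next_rec() recover initial: fseek() end");
	      end = ftell(f);
	      if (end < 0)
		ERROR("next_rec() recover initial: ftell() end");
	      end -= hdr_len;

	      /* back to fail point */
	      if (fseek(f, pos, SEEK_SET) != 0)
		ERROR("next_rec(): fseek()");

	      /* slide forward one byte at a time until a header magic is found */
	      while (pos < end)
		{
		  /* resume 1 byte after failed read */
		  GET_STRUCT(f, &rec_hdr, struct rep_rec_hdr);
		  off = ftell(f);
		  if (off < 0)
		    ERROR("next_rec(): ftell()");
		  if (feof(f))
		    {
		      printf("FEOF\n");
		      return -1;
		    }
		  if (rec_hdr.magic == REC_HDR_MAGIC)
		    {
		      file->indx = rec_hdr.indx;
		      fprintf(stderr, "? recovery at rec. indx %d (+%ld)\n",
			      file->indx, pos-start);
		      break;
		    }
		  if (fseek(f, ++pos, SEEK_SET) != 0)
		    ERROR("next_rec() recover: fseek()");
		}
	    }
	  else
	    {
	      fprintf(stderr, "%s too many patches\n", errbuf);
	      ERROR(errbuf);
	    }
	}

      if (rec_hdr.indx != file->indx)
	{
	  snprintf(errbuf, sizeof errbuf,
		   " XXXXX Record index problem: offset %ld record indx %lu type %d expected %lu\n",
		   off - hdr_len, rec_hdr.indx, rec_hdr.type, file->indx);
	  ERROR(errbuf);
	}
#else
      if (rec_hdr.indx != (file->indx & 0xff))
	{
	  snprintf(errbuf, sizeof errbuf,
		   " XXXXX Record index problem: offset %ld record indx %x expected %x (%lu) type %d\n",
		   off - hdr_len, rec_hdr.indx & 0xff, file->indx & 0xff,
		   file->indx, rec_hdr.type);
	  ERROR(errbuf);
	}
#endif /* ifdef DUMP_DEBUG */

      /* len comes from the file; below the header size it would wrap curr_len */
      if (rec_hdr.len < sizeof(struct rep_rec_hdr))
	ERROR("next_rec(): record length shorter than record header");

      file->indx++;
      file->curr_offset = off;
      file->curr_len = rec_hdr.len - sizeof(struct rep_rec_hdr);

      if (rec_hdr.type == REC_COUNTERS)
	{
	  /* end of records */
	  return -1;
	}
      else if (_is_rectype((int)rec_hdr.type, (int)rec_type))
	{
	  return (int)rec_hdr.type;
	}
      else
	{
	  /* not a wanted type: skip the record body and look at the next header */
	  if (fseek(f, (long) file->curr_len, SEEK_CUR) != 0)
	    ERROR("next_rec(): fseek()");
	}
    }

  /* NOT REACHED */
  return -1;
}

/*
 * Advance the file to the next record preamble
 * assumes _next_rec has just been called
 *
 * Seeks to curr_offset + curr_len from the start of the file, so the
 * result does not depend on how much of the record body has been read.
 */
int
_advance(struct np_file *file)
{
  if (fseek(file->file, (long) file->curr_len + file->curr_offset, SEEK_SET) != 0)
    ERROR("next_rec(): fseek()");

  return 0;
}

/*
 * Build the table of record offsets (file->offsets), one entry for each of
 * the file->counters.nrecords records, then seek back to the file start.
 *
 * NOTE(review): file->indx is advanced by _indx_rec() and is not reset here
 * after the seek back to 0 - confirm callers reset it before reading.
 */
int
_indx(struct np_file *file)
{
  unsigned int i;
  unsigned int nrecords = file->counters.nrecords;

  /*
   * get indx space - sized from the element type of offsets, and through
   * calloc() so that a huge record count cannot overflow the multiplication
   * NOTE(review): _indx_rec() returns long; if the elements of offsets are
   * narrower than long, large offsets are truncated on store - confirm.
   */
  file->offsets = calloc(nrecords, sizeof *file->offsets);
  if (file->offsets == NULL)
    ERROR("_indx(): malloc()");

  /* run through connection records and record offsets */
  for (i = 0; i < nrecords; i++)
    file->offsets[i] = _indx_rec(file);

  /* position to read records */
  if (fseek(file->file, 0, SEEK_SET) != 0)
    ERROR("_indx() - fseek() failed");

  return 0;
}

/*
 * Rewind the file to its start.
 * The record index counter is reset only when built with DUMP_DEBUG.
 */
int
_rewind(struct np_file *file)
{
  rewind(file->file);
#ifdef DUMP_DEBUG
  file->indx = 0U;
#endif

  return 0;
}

/*
 * Seek to record number recno using the offset table built by _indx().
 * Returns 0 on success.
 */
int
_seek_rec(struct np_file *file, unsigned int recno)
{
  /* the table holds counters.nrecords entries (see _indx); stay inside it */
  if (file->offsets == NULL || recno >= file->counters.nrecords)
    {
      ERROR("_rec_seek: record number out of range");
      return -1;		/* only reached if ERROR() returns */
    }

  if (fseek(file->file, file->offsets[recno], SEEK_SET) != 0)
    ERROR("_rec_seek: fseek");
#ifdef DUMP_DEBUG
  file->indx = recno;
#endif

  return 0;
}

/*
 * Return the current offset in the file, as reported by ftell().
 */
long
_offset(struct np_file *file)
{
  long off = ftell(file->file);

  if (off < 0)
    ERROR("_offset: ftell()");	/* the failing call is ftell(), not fseek() */
  else
    return off;

  /* NOT REACHED */
  return 0;
}

/*
 * Seek to absolute offset off; returns the fseek() result.
 */
int
_seek(struct np_file *file, long off)
{
  int ret = fseek(file->file, off, SEEK_SET);

  if (ret != 0)
    ERROR("_seek: fseek() fail");

  return ret;
}

/*****************************************************************************/

/*
 * Record type comparison function
 *
 * Returns 1 if a record of the given type satisfies the wanted selector,
 * else 0.  A wanted value of 0 accepts every type.
 */
int
_is_rectype(int type, int wanted)
{
  if (!wanted)			/* REC_ALL - accept all */
    return 1;

  if (type == wanted)		/* specific type */
    return 1;

  if (wanted >= REC_TCP_MIN && wanted < REC_TCP_MAX)
    {
      /* the wanted type with the open or the hdrs bit added also matches */
      if (type == (wanted | OPEN_BIT) || type == (wanted | HDRS_BIT))
	return 1;

      if ((wanted & ~(OPEN_BIT | HDRS_BIT)) == REC_TCP_ALL
	  && type > REC_TCP_MIN && type < REC_TCP_MAX)
	{
	  int wbits = wanted & (OPEN_BIT | HDRS_BIT);
	  int tbits = type & (OPEN_BIT | HDRS_BIT);

	  /* a type with neither bit set, or sharing a bit with wanted */
	  return ((tbits & wbits) || (tbits == 0)) ? 1 : 0;
	}

      return 0;
    }

  if (wanted == REC_IP)
    return (type > REC_TCP_MIN && type < REC_UDP_MAX) ? 1 : 0;

  if (wanted == REC_UDP_ALL)
    return (type > REC_UDP_MIN && type < REC_UDP_MAX) ? 1 : 0;

  if (wanted == REC_OTHER_ALL)
    return (type > REC_OTHER_MIN && type < REC_OTHER_MAX) ? 1 : 0;

  if (wanted == REC_ICMP_ALL)
    return (type > REC_ICMP_MIN && type < REC_ICMP_MAX) ? 1 : 0;

  return 0;
}

/*****************************************************************************/

/*
 * TCP specific
 */

/*
 * Allocate room for nbufs tcp_dumphdr_t entries in hdrs->hdrs.
 * The count can originate from a record field (see _read_tcp_conn), so a
 * negative value is refused and the size is computed by calloc().
 */
int
_tcp_alloc_hdrbuffs(tcp_hdrs_t *hdrs, int nbufs)
{
  if (nbufs < 0)
    {
      hdrs->hdrs = NULL;
      ERROR("_tcp_alloc_hdrbuffs: negative buffer count");
      return -1;		/* only reached if ERROR() returns */
    }

  hdrs->hdrs = calloc((size_t) nbufs, sizeof(tcp_dumphdr_t));
  if (hdrs->hdrs == NULL)
    ERROR("_tcp_alloc_hdrbuffs: malloc hdrs buffer");

  return 0;
}

/*
 * Free the header buffers of hdrs.
 */
int
_tcp_dealloc_hdrbuffs(tcp_hdrs_t *hdrs)
{
  free(hdrs->hdrs);
  /* _dealloc_tcp_conn() frees the same pointer; clear it so a later call cannot free it twice */
  hdrs->hdrs = NULL;

  return 0;
}

/*
 * Deallocate tcp connection record
 */
int
_dealloc_tcp_conn(tcp_conn_t *tconnp)
{
  char errbuf[100];

  /* free any supplementary storage */
  switch (tconnp->flow_inner.serv_type)
    {
    case TCP_SERV_HTTP:
      _http_dealloc_trans(tconnp);
      break;

      /* these require no storage beyond the basic tcp connection record */
    case TCP_SERV_OTHER:
    case TCP_SERV_TEST:
    case TCP_SERV_FTP:
    case TCP_SERV_FTP_DATA:
    case TCP_SERV_TELNET:
    case TCP_SERV_SMTP:
    case TCP_SERV_POP3:
    case TCP_SERV_NNTP:
    case TCP_SERV_NETBIOS_SSN:
    case TCP_SERV_RTSP:
    case TCP_SERV_PNM:
      break;

    default:
      snprintf(errbuf, sizeof errbuf,
	       "dealloc_tcp_conn - unknown service type %d",
	       tconnp->flow_inner.serv_type);
      ERROR(errbuf);
      break;
    } /* end switch serv_type */

  /* free(NULL) is a no-op, so no guard is needed */
  free(tconnp->hdrs.hdrs);

  /* free the connection record */
  free(tconnp);

  return 0;
}

/*
 * Read a TCP connection record into *tconnp.
 *
 * allocflag: with TRANS_ALLOC_ON_FLY the header buffers and the HTTP
 *            transaction chain are allocated here; otherwise the storage
 *            already attached to tconnp is used.
 * get_trans: if zero the HTTP transactions are not read and the chain
 *            pointer is set to NULL.
 *
 * Every count below comes from the file being parsed.
 */
int
_read_tcp_conn(struct np_file *file, tcp_conn_t *tconnp, int allocflag, int get_trans)
{
  FILE *f = file->file;
  int i;
  int server_seen = 0, client_seen = 0;
  http_trans_t *tp;
  char errbuf[256];

#ifdef SWIG
  tconnp->indx = file->indx - 1;
#endif /* SWIG */

  /* get conn_id and absolute open time */
  GET_INT(f, &tconnp->hdrs.conn_id, unsigned int);

  /* get TCP state, ports and addresses */
  GET_STRUCT(f, &tconnp->flow_inner, flow_inner_t);

  client_seen = tconnp->flow_inner.state & TCP_CLIENT_SEEN;
  server_seen = tconnp->flow_inner.state & TCP_SERVER_SEEN;

  /* data on tcp connection */
  if (client_seen)
    GET_STRUCT(f, &tconnp->tcp.client, tcp_simplex_flow_t);
  if (server_seen)
    GET_STRUCT(f, &tconnp->tcp.server, tcp_simplex_flow_t);

  /* get any pkt hdrs info */
  GET_INT(f, &tconnp->hdrs.atm, us_clock_t);
  GET_INT(f, &tconnp->hdrs.nheld, int);

  /* a negative count would turn into a huge size in the products below */
  if (tconnp->hdrs.nheld < 0)
    ERROR("read_tconn - negative header count");

  if (tconnp->hdrs.nheld)
    {
      if (allocflag == TRANS_ALLOC_ON_FLY)
	_tcp_alloc_hdrbuffs(&tconnp->hdrs, tconnp->hdrs.nheld);
      /*
       * NOTE(review): without TRANS_ALLOC_ON_FLY the destination is a buffer
       * the caller supplied, and its capacity is not visible here; nheld
       * should be checked against it (MAX_TCP_DUMPHDRS_HELD looks like the
       * intended limit - confirm) before this read.
       */
      GET_MEM(f, tconnp->hdrs.hdrs, sizeof(tcp_dumphdr_t)*tconnp->hdrs.nheld);
    }
  else if (allocflag == TRANS_ALLOC_ON_FLY)
    {
      tconnp->hdrs.hdrs = NULL;
    }

  switch (tconnp->flow_inner.serv_type)
    {
    case TCP_SERV_HTTP:
      /* data on HTTP transactions */
      /* first the status, versions and number of transactions */
      GET_STRUCT(f, &tconnp->su.http.meta, http_conn_meta_t);
      if (tconnp->su.http.meta.ntrans > MAX_NTRANS)
	{
	  /* file name and two host names go into one message: keep it bounded */
	  snprintf(errbuf, sizeof errbuf,
		   "%s #%u:\n%s:%s<>%s:%s too many transactions (%hu) \n",
		   file->fnm, file->indx,
		   get_hname((char *)&tconnp->flow_inner.srcaddr),
		   tcpudp_port_string(ntohs(tconnp->flow_inner.srcport), FLOW_TCP),
		   get_hname((char *)&tconnp->flow_inner.dstaddr),
		   tcpudp_port_string(ntohs(tconnp->flow_inner.dstport), FLOW_TCP),
		   tconnp->su.http.meta.ntrans);
	  ERROR(errbuf);
	}

      /* additional transaction fields present? */
      if (tconnp->su.http.meta.status & HTTP_ADDITIONAL_FIELDS_PRESENT)
	GET_INT(f, &tconnp->su.http.addit_trans_fields, unsigned int);
      else
	tconnp->su.http.addit_trans_fields = 0U;

      if (get_trans)
	{
	  if (allocflag == TRANS_ALLOC_ON_FLY)
	    /* allocate transaction chain now */
	    _http_alloc_trans(tconnp, tconnp->su.http.meta.ntrans, NO_IMGBUFS);

	  /*
	   * then finally the data for each
	   * NOTE(review): the walk relies on the chain holding at least
	   * ntrans nodes; a shorter caller-supplied chain would pass a NULL
	   * tp - confirm how _http_read_trans treats that.
	   */
	  for (i = 0, tp = tconnp->su.http.trans;
	       i < tconnp->su.http.meta.ntrans;
	       i++, tp = tp->next)
	    _http_read_trans(tp, file, client_seen, server_seen,
			     tconnp->su.http.addit_trans_fields, allocflag);
	}
      else
	{
	  tconnp->su.http.trans = NULL;
	}
      break; /* end case SERV_HTTP */

    case TCP_SERV_OTHER:
    case TCP_SERV_TEST:
    case TCP_SERV_FTP:
    case TCP_SERV_FTP_DATA:
    case TCP_SERV_TELNET:
    case TCP_SERV_SMTP:
    case TCP_SERV_POP3:
    case TCP_SERV_NNTP:
    case TCP_SERV_NETBIOS_SSN:
    case TCP_SERV_RTSP:
    case TCP_SERV_PNM:
      break;

    default:
      snprintf(errbuf, sizeof errbuf, "read_tconn - unknown service type %d",
	       tconnp->flow_inner.serv_type);
      ERROR(errbuf);
      break;
    } /* end switch serv_type */

  return 0;
}

/*
 * Read TCP connection open record
 */
int
_read_tcp_open(struct np_file *file, tcp_open_t *flow)
{
  FILE *f = file->file;

  GET_INT(f, &flow->conn_id, unsigned int);

  /* get TCP ports and addresses etc. */
  GET_STRUCT(f, &flow->flow, flow_inner_t);

  return 0;
}

/*
 * Read a block of TCP headers
 */
int
_read_tcp_hdrs(struct np_file *file, struct tcp_hdrs *drec, int allocflag)
{
  FILE *f = file->file;

  GET_INT(f, &drec->conn_id, unsigned int);
  GET_INT(f, &drec->atm, us_clock_t);
  drec->nheld = MAX_TCP_DUMPHDRS_HELD;

  //if ((drec->hdrs = (tcp_dumphdr_t *)malloc(sizeof(tcp_dumphdr_t)*MAX_TCP_DUMPHDRS_HELD)) == NULL)
  //ERROR("_read_tcp_hdrs: malloc hdrs buffer");
  if (allocflag == TRANS_ALLOC_ON_FLY)
    _tcp_alloc_hdrbuffs(drec, MAX_TCP_DUMPHDRS_HELD);

  GET_MEM(f, drec->hdrs, sizeof(tcp_dumphdr_t)*MAX_TCP_DUMPHDRS_HELD);

  return 0;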