http_connect.c

跑leach需要的

             }

          /* ACK is required for each 2 segments with space for gaps */

          if (((input_type == FIN) ||
               (input_type == ACK_ONLY) ||
               (input_type == DATA_ACK)) &&
               (new_ack > (current_request_end + 16384)))
	     {
              if (have_value_error == 0)
		 {
                  error_line ("suspect ACK value");
                  have_value_error = 1;
                 }
              return (-1);
             }
         }
 return(0);
}

/* Output data associated with ending a connection */

void log_connection(void)
{
/* if no more tcpdump records found while processing an http
   request, log (perhaps incomplete) client request */  

   if (connection_state == IN_REQUEST)
      log_REQ();
   else
      {
       /* if no more records found while processing an http 
          response, log (perhaps incomplete) response information */

       if ((connection_state == IN_RESPONSE) ||
           ((connection_state == RESET) && last_state == IN_RESPONSE))
	  { /* don't log if just ACKed 1 (assume  FIN) */
           if (current_response_end > (last_response_end + 1))
               log_RSP();
          }
      }

   /* make log entry indicating type of connection termination;
      entry for connection is made only if a valid start (SYN) was
      previously recognized */ 

   if (connection_state != PENDING)  /* saw SYN */
      {
       if (connection_state == FIN_SENT) 
           log_END("FIN");
       else
	  {
           if (connection_state == RESET) 
               log_END("RST");
           else
               log_END("TRM");
	  }
      }
   else
      {
       if (((have_pending_fins > 0) +
            (have_pending_rsts > 0) +
            (have_pending_othr > 0) +
            (have_pending_acks > 0)) > 1)
          pending_cmb_count++;
       else
	  {
           pending_fin_count += (have_pending_fins > 0);
           pending_rst_count += (have_pending_rsts > 0);
           pending_ack_count += (have_pending_acks > 0);
           pending_oth_count += (have_pending_othr > 0);
          }
      }
}


void log_log(void)
{
 fprintf(logFP, "Input tcpdump file: %s \n", input_name);
 fprintf(logFP, "Output connection file: %s \n", output_name);
 fprintf(logFP, "   SYNs     %8d \n", syn_count);
 fprintf(logFP, "   REQs     %8d \n", req_count);
 fprintf(logFP, "   ACT-REQs %8d \n", act_req_count);
 fprintf(logFP, "   RSPs     %8d \n", rsp_count);
 fprintf(logFP, "   ACT-RSPs %8d \n", act_rsp_count);
 fprintf(logFP, "   FINs     %8d \n", fin_count);
 fprintf(logFP, "   RSTs     %8d \n", rst_count);
 fprintf(logFP, "   TRMs     %8d \n", trm_count);
 fprintf(logFP, "   ERRs     %8d \n", err_count);
 fprintf(logFP, "Partial Connections:\n");
 fprintf(logFP, " FIN only   %8d \n", pending_fin_count);
 fprintf(logFP, " RST only   %8d \n", pending_rst_count);
 fprintf(logFP, " ACK only   %8d \n", pending_ack_count);
 fprintf(logFP, " Combos     %8d \n", pending_cmb_count);
 fprintf(logFP, " Other      %8d \n", pending_oth_count);
}

/* A set of event-specific data logging functions.  A critical part of
   the logging functions for Requests and Responses is to save the 
   "current" value of the sequence number (ACK or data) that marks the
   end of it as the "last" value.  This is done to tell when the 
   sequence number advances again for multiple request/response pairs
   in a connection and to allow computing its size as (current - last). */

void log_REQ(void)
{
/* parse sourse host/port */
  get_host_port(current_src, src_host, src_port);

/* parse destination host/port */
  get_host_port(current_dst, dst_host, dst_port);

  /* for requests we log the request start time  -- the tcpdump 
     timestamp on the first record associated with a request -- 
     along with the TCP connection information and the size of the 
     request data */

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: REQ %12d  %s\n", 
                                    start_request_time,  
                                    dst_host, dst_port, src_host, src_port,  
                                    current_request_end - last_request_end,
                                    request_end_time);
  /* IMPORTANT */
  last_request_end = current_request_end;
  req_count++;
}

void log_RSP(void)
{
/* parse sourse host/port */
  get_host_port(current_src, src_host, src_port);

/* parse destination host/port */
  get_host_port(current_dst, dst_host, dst_port);

  /* for responses we log the response end time  -- the tcpdump 
     timestamp on the last record associated with a response -- 
     along with the TCP connection information, the size of the 
     response data, and the response start time -- the tcpdump
     timestamp on the first record associated with the response. */

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: RSP %12d  %s\n", 
                                   response_end_time, 
                                   dst_host, dst_port, src_host, src_port,  
                                   current_response_end - last_response_end,
                                   start_response_time);
#ifdef FOO
  fprintf(outFP, "%s %-15s %5s > %-15s %4s RSP %d %s\n", start_response_time, 
                                   src_host, src_port, dst_host, dst_port, 
                                   current_response_end - last_response_end,
                                   response_end_time);
  fprintf(outFP, "%s %s > %s RSP %d\n", start_response_time, current_src, 
                                   current_dst, 
                                   current_response_end - last_response_end);
#endif
  /* IMPORTANT */
  last_response_end = current_response_end;
  rsp_count++;
}

void log_SYN(void)
{
/* parse sourse host/port */
  get_host_port(current_src, src_host, src_port);

/* parse destination host/port */
  get_host_port(current_dst, dst_host, dst_port);

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: SYN\n", ts, 
                                     dst_host, dst_port, src_host, src_port);  
  syn_count++;
}

void log_END(char *how)
{
  char logical_end_time[20];
  
/* parse sourse host/port */
  get_host_port(current_src, src_host, src_port);

/* parse destination host/port */
  get_host_port(current_dst, dst_host, dst_port);

  if (strcmp(how, "FIN") == 0)
     {
      fin_count++;
      strcpy(logical_end_time, FIN_sent_time);
     }
  else
    {
     if (strcmp(how, "RST") == 0)
        {
         rst_count++;
         strcpy(logical_end_time, RST_sent_time);
        }
     else
        if (strcmp(how, "TRM") == 0)
	   {
            trm_count++;
            strcpy(logical_end_time, last_connection_time);
           }
    }

  /* for termination of a connection we record the tcpdump timestamp of
     the last record of any kind associated with that conneciton along
     with the TCP connection 4-tuple and the way the connection ended
     (FIN, Reset, or just no more records in the trace). */

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: %s               %s\n", 
                                    last_connection_time, 
                                    dst_host, dst_port, src_host, src_port,  
                                    how, logical_end_time);
}

void log_ACT(char *how)
{
/* parse sourse host/port */
  get_host_port(current_src, src_host, src_port);

/* parse destination host/port */
  get_host_port(current_dst, dst_host, dst_port);

  /* for activity on a SYN-less connection we record the tcpdump timestamp
     of the first record of activiy associated with that conneciton along
     with the TCP connection 4-tuple and the way the connection started
     (Request or Response). */

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: ACT-%s\n", ts, 
                                    dst_host, dst_port, src_host, src_port,  
                                    how);
  if (strcmp(how, "REQ") == 0)
     act_req_count++;
  else
     if (strcmp(how, "RSP") == 0)
        act_rsp_count++;
}

void error_line(char * s)
{
/* parse sourse host/port */
  get_host_port(sh, src_host, src_port);

/* parse destination host/port */
  get_host_port(dh, dst_host, dst_port);

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: ERR: %s\n", ts, 
                                   dst_host, dst_port, src_host, src_port, s);
  err_count++;
}

void error_state(char * s)
{
/* parse sourse host/port */
  get_host_port(sh, src_host, src_port);

/* parse destination host/port */
  get_host_port(dh, dst_host, dst_port);

  fprintf(outFP, "%s %-15s %5s > %-15s %4s: ERR: %s\n", ts, 
                                   dst_host, dst_port, src_host, src_port, s);
  err_count++;
}

void get_host_port(char *adr, char *host, char *port)
{
 char *fp;
 char *fpx;
 char adr_field[50];

 strcpy(adr_field, adr);
 /* break string at '.' separating host and port fields (last in string) */
 fp = (char *)rindex(adr_field, '.');
 *fp = '\0';   /* replace '.' with string terminator */
 strcpy(host, adr_field); /* copies host name up to terminator */ 

 fp++;  /* move pointer past terminator to 1st char in port field */
 fpx = (char *)index(fp, ':');   /* see if we have the ':' after a dst port */
 if (fpx != NULL)
     *fpx = '\0';  /* if so, replace with string terminator */
 strcpy(port, fp); 
}

int get_sequence(char *p, unsigned long *begin, unsigned long *end,
                           unsigned long *bytes)
{
 char seq_field[50];
 char *cursor = seq_field;
 char *fp;

 strcpy (seq_field, p);

 fp = (char *)strsep(&cursor, ":" );
 if ((cursor == (char *)NULL) ||
     (fp == (char *)NULL))
    return (-1);
 else
    *begin = strtoul(fp, (char **)NULL, 10);

 fp = (char *)strsep(&cursor, "(" );
 if ((cursor == (char *)NULL) ||
     (fp == (char *)NULL))
    return (-1);
 else
    *end = strtoul(fp, (char **)NULL, 10);

 fp = (char *)strsep(&cursor, ")" );
 if ((cursor == (char *)NULL) ||
     (fp == (char *)NULL))
    return (-1);
 else
    *bytes = strtoul(fp, (char **)NULL, 10);
 return(0);
}

/*--------------------------------------------------------------*/ 
/* subtract two timevals (t1 - t0) with result in tdiff         */
/* tdiff, t1 and t0 are all pointers to struct timeval          */
/*--------------------------------------------------------------*/ 
static void
tvsub(tdiff, t1, t0)
struct timeval *tdiff, *t1, *t0;
{

        tdiff->tv_sec = t1->tv_sec - t0->tv_sec;
        tdiff->tv_usec = t1->tv_usec - t0->tv_usec;
        if (tdiff->tv_usec < 0)
           {
            tdiff->tv_sec--;
            tdiff->tv_usec += 1000000;
           }
}

/*--------------------------------------------------------------*/ 
/* compute the elapsed time in milliseconds to end_time         */
/* from some past time given by start_time (both formatted timevals) */
/*--------------------------------------------------------------*/ 
long elapsed_ms(char *end, char *start)
{
 struct timeval delta, end_time, start_time;
 long elapsed_time;

 char end_tmp[20];
 char start_tmp[20];

 char *cursor;
 char *cp;

 strcpy(end_tmp, end);
 cursor = end_tmp;
 cp = (char *)strsep(&cursor, "." );
 end_time.tv_sec = atoi(end_tmp);
 end_time.tv_usec = atoi(cursor);

 strcpy(start_tmp, start);
 cursor = start_tmp;
 cp = (char *)strsep(&cursor, "." );
 start_time.tv_sec = atoi(start_tmp);
 start_time.tv_usec = atoi(cursor);

 tvsub(&delta, &end_time, &start_time);
 /* express as milliseconds */
 elapsed_time = (delta.tv_sec * 1000) + (delta.tv_usec/1000);
 return (elapsed_time);
}