diff -urN flow-tools-0.56/src/Makefile.in flow-tools-0.56-patched/src/Makefile.in --- flow-tools-0.56/src/Makefile.in Fri Dec 28 23:27:29 2001 +++ flow-tools-0.56-patched/src/Makefile.in Sun Mar 3 15:03:54 2002 @@ -66,7 +66,7 @@ YACC = @YACC@ YLIB = @YLIB@ -noinst_HEADERS = flow-dscan.h pcap.h cflowd.h acl2.h aclyacc.h +noinst_HEADERS = flow-dscan.h ftpcap.h cflowd.h acl2.h aclyacc.h EXTRA_DIST = ftbuild.sh @@ -76,7 +76,7 @@ flow_import_SOURCES = flow-import.c ftbuild.h -flow_import_LDFLAGS = -L../lib +flow_import_LDFLAGS = -L../lib -lpcap flow_import_LDADD = -lft flow_import_DEPENDENCIES = ftbuild.h @@ -409,7 +409,7 @@ flow-expire.o: flow-expire.c ../config.h ../lib/ftlib.h ../lib/bytes.h \ ../lib/ftqueue.h ../lib/ftpaths.h ftbuild.h ../lib/support.h flow-export.o: flow-export.c ../config.h ../lib/ftlib.h ../lib/bytes.h \ - ../lib/ftqueue.h ../lib/ftpaths.h ftbuild.h ../lib/fmt.h pcap.h \ + ../lib/ftqueue.h ../lib/ftpaths.h ftbuild.h ../lib/fmt.h ftpcap.h \ cflowd.h flow-fanout.o: flow-fanout.c ../config.h ../lib/ftlib.h ../lib/bytes.h \ ../lib/ftqueue.h ../lib/ftpaths.h ftbuild.h ../lib/support.h diff -urN flow-tools-0.56/src/flow-export.c flow-tools-0.56-patched/src/flow-export.c --- flow-tools-0.56/src/flow-export.c Fri Dec 28 22:39:25 2001 +++ flow-tools-0.56-patched/src/flow-export.c Sun Mar 3 15:04:12 2002 @@ -47,7 +47,7 @@ #include #include "ftbuild.h" #include "fmt.h" -#include "pcap.h" +#include "ftpcap.h" #include "cflowd.h" #define PRCOMMA\ diff -urN flow-tools-0.56/src/flow-import.c flow-tools-0.56-patched/src/flow-import.c --- flow-tools-0.56/src/flow-import.c Fri Dec 28 22:39:26 2001 +++ flow-tools-0.56-patched/src/flow-import.c Sun Mar 3 14:59:22 2002 @@ -34,6 +34,10 @@ #include #include #include +#include +#include +#include +#include #include #include #include @@ -52,6 +56,8 @@ #include "ftbuild.h" #include "cflowd.h" +#include + struct options { struct ftver ftv; u_int64 ft_mask; 
@@ -160,7 +166,7 @@ if (format_index >= NFORMATS) fterr_errx(1, "No such format, %d", format_index); - if (!opt.ftv.set) + if (format_index != 1 && !opt.ftv.set) fterr_errx(1, "Must specify export version to store flows"); /* output to stdout */ @@ -175,13 +181,15 @@ ftio_set_streaming(&ftio, 1); ftio_set_debug(&ftio, debug); - if (ftio_set_ver(&ftio, &opt.ftv) < 0) - fterr_errx(1, "ftio_set_ver(): failed"); - - /* header first */ - if (ftio_write_header(&ftio) < 0) - fterr_errx(1, "ftio_write_header(): failed"); - + if (format_index != 1){ /* For format pcap we do it later */ + if (ftio_set_ver(&ftio, &opt.ftv) < 0) + fterr_errx(1, "ftio_set_ver(): failed"); + + /* header first */ + if (ftio_write_header(&ftio) < 0) + fterr_errx(1, "ftio_write_header(): failed"); + } + ret = format[format_index].where(&ftio, &opt); if (ftio_close(&ftio) < 0) 
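Review bot: The literal `1` in `if (format_index != 1 && !opt.ftv.set)` is an index into the `format[]` table, and nothing at the test says it stands for the pcap importer; the same bare constant is repeated in the @@ -175,13 +181,15 hunk. A named constant such as `#define FORMAT_PCAP 1`, defined beside the format table and used in both tests, would keep the two checks from silently pointing at a different importer if the table is ever reordered. For format 1 an export version the user did supply in `opt.ftv` is now ignored without any message, which deserves at least a comment such as `/* pcap import takes the version from the first PDU; opt.ftv is not used */`. The enclosing function starts and ends outside both hunks.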
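Review bot: Deferring `ftio_set_ver()` and `ftio_write_header()` for format 1 leaves the stream with no version and no header whenever the pcap callback never accepts a PDU (an empty capture, or every packet failing `ftpdu_verify`), yet `ftio_close(&ftio)` still runs right after `format[format_index].where(&ftio, &opt)`. Whether `ftio_close` copes with a header that was never written is not visible in this diff and should be confirmed. A guard at the end of `format1()`, for example `if( ! WroteHeader ) fterr_errx( 1, "No valid flow PDUs in capture" );`, would make that case an explicit failure instead of an empty or malformed output file. The enclosing function starts and ends outside the hunk.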
@@ -524,10 +532,82 @@ } /* format0 */ +static unsigned long PktCount = 0; +static unsigned long FlowCount = 0; +static int WroteHeader = 0; +static struct ftseq Seq; + +#define min( a, b ) ( a < b ? a : b ) + +static void next_packet( u_char *user, const struct pcap_pkthdr *h, const u_char *sp ) +{ + struct ftio *ftio = (struct ftio *)user; + struct ip *ip = ( struct ip *)( sp + 14 ); /* 14 is length of Ethernet header */ + struct udphdr *udp = (struct udphdr *)( (void *)ip + ip->ip_hl * 4 ); + void *data = (void *)udp + sizeof( struct udphdr ); + struct ftpdu pdu; + int i, n, offset; + + if( ip->ip_p != IPPROTO_UDP ) + return; + + PktCount++; + + pdu.bused = min( h->caplen - ( (void *)data - (void *)sp ), sizeof( pdu.buf ) ); + memcpy( pdu.buf, data, pdu.bused ); + + /* Verify and parse packet header */ + if( ftpdu_verify( &pdu ) < 0){ + fterr_warnx( "ftpdu_verify failed for packet %d", PktCount ); + return; + } + + /* If it's the first flow, put out the header */ + if( ! WroteHeader){ + if( ftio_set_ver( ftio, &pdu.ftv ) < 0 ) + fterr_errx( 1, "ftio_set_ver(): failed" ); + + if( ftio_write_header( ftio ) < 0 ) + fterr_errx( 1, "ftio_write_header(): failed" ); + + bzero( &Seq, sizeof( Seq ) ); + WroteHeader = 1; + } + + /* Check sequence number */ + if( ftpdu_check_seq( &pdu, &Seq ) < 0 ){ + fterr_warnx( "ftpdu_seq_check: expected=%d received=%d lost=%d", Seq.seq_exp, Seq.seq_rcv, Seq.seq_lost ); + return; + } + + /* Write flows */ + n = fts3rec_pdu_decode( &pdu ); + + for( i = 0, offset = 0; i < n; ++i, offset += pdu.ftd.rec_size ){ + + FlowCount++; + + if( ftio_write( ftio, pdu.ftd.buf+offset ) < 0 ) + fterr_errx( 1, "ftio_write(): failed" ); + } +} + int format1(struct ftio *ftio, struct options *opt) { - fterr_warnx("Not implemented"); - return -1; + char errbuf[PCAP_ERRBUF_SIZE]; + pcap_t *p = pcap_open_offline( "-", errbuf ); + + if( ! 
p ) + fterr_errx( 1, errbuf ); + + if( pcap_datalink( p ) != DLT_EN10MB ) + fterr_errx( 1, "Unsupported link layer type" ); + + while( pcap_dispatch( p, -1, next_packet, (u_char *)ftio ) ); + + opt->records = FlowCount; + + return 0; } /* format1 */ /* diff -urN flow-tools-0.56/src/ftbuild.h flow-tools-0.56-patched/src/ftbuild.h --- flow-tools-0.56/src/ftbuild.h Fri Dec 28 23:27:29 2001 +++ flow-tools-0.56-patched/src/ftbuild.h Sun Mar 3 15:04:28 2002 @@ -1 +1 @@ -#define FT_PROG_BUILD "maf@char on Fri Dec 28 17:27:29 EST 2001" +#define FT_PROG_BUILD "robin@flamingo on Sun Mar 3 15:04:28 CET 2002" diff -urN flow-tools-0.56/src/ftpcap.h flow-tools-0.56-patched/src/ftpcap.h --- flow-tools-0.56/src/ftpcap.h Thu Jan 1 01:00:00 1970 +++ flow-tools-0.56-patched/src/ftpcap.h Sat Feb 24 22:32:16 2001 
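Review bot: next_packet() reads `ip->ip_p` and `ip->ip_hl` and then copies from `data` without ever comparing `h->caplen` against the Ethernet, IP and UDP header sizes, so a short or malformed record in the capture file is read past the end of the captured bytes. When the computed payload offset exceeds `caplen`, the subtraction inside `min()` goes negative or wraps, compares as a huge unsigned value against `sizeof( pdu.buf )`, and `memcpy` then copies a full `pdu.buf` worth of bytes from beyond the packet. The lengths should be validated before each header is touched, as in the sketch below, which also rejects an `ip_hl` smaller than a minimal IP header. In format1(), `fterr_errx( 1, errbuf )` passes libpcap's message as the format string and should be `fterr_errx( 1, "%s", errbuf )`, and `while( pcap_dispatch( ... ) );` can spin forever once the call returns -1 on a read error, so the condition should be `> 0`. The `%d` used with the `unsigned long` PktCount in the `ftpdu_verify` warning should be `%lu`.

```c
static void next_packet( u_char *user, const struct pcap_pkthdr *h, const u_char *sp )
{
  /* … unchanged: ftio, pdu, i, n, offset declarations … */
  const struct ip *ip;
  const u_char *data;
  size_t ip_len, hdr_len, payload;

  /* 14 is length of Ethernet header; need a full minimal IP header too */
  if( h->caplen < 14 + sizeof( struct ip ) )
    return;

  ip = (const struct ip *)( sp + 14 );
  ip_len = (size_t)ip->ip_hl * 4;

  if( ip->ip_p != IPPROTO_UDP || ip_len < sizeof( struct ip ) )
    return;

  /* the captured bytes must cover the IP options and the UDP header */
  hdr_len = 14 + ip_len + sizeof( struct udphdr );
  if( h->caplen < hdr_len )
    return;

  data = sp + hdr_len;
  payload = h->caplen - hdr_len;

  PktCount++;

  pdu.bused = payload < sizeof( pdu.buf ) ? payload : sizeof( pdu.buf );
  memcpy( pdu.buf, data, pdu.bused );

  /* … unchanged: ftpdu_verify, header write, sequence check, flow write loop … */
```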
@@ -0,0 +1,104 @@ +/* + * Copyright (c) 2001 Mark Fullmer and The Ohio State University + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $Id: ft-0.56-importpcap.diff,v 1.1 2002/12/20 13:42:19 robin Exp $ + */ + +#if HAVE_CONFIG_H + #include +#endif + +#include +#include "bytes.h" + +#define TCPDUMP_MAGIC 0xa1b2c3d4 +#define TCPDUMP_VERSION_MAJOR 2 +#define TCPDUMP_VERSION_MINOR 2 + +struct pcap_file_header { + u_long magic; + u_short version_major; + u_short version_minor; + long thiszone; /* gmt to local correction */ + u_long sigfigs; /* accuracy of timestamps */ + u_long snaplen; /* max length saved portion of each pkt */ + u_long linktype; +}; + +struct pcap_packet_header { + struct timeval ts; /* time stamp */ + u_long len; /* length this packet (off wire) */ + u_long caplen; /* length of portion present */ +}; + +/* eth header */ +struct pcap_data1 { + /* eth header */ + u_int8 eth_dst[6]; + u_int8 eth_src[6]; + u_int16 eth_prot; +}; + +/* ip header */ +struct pcap_data2 { + u_int8 version; + u_int8 tos; + u_int16 len; + u_int16 id; + u_int16 flags_fragment; + u_int8 ttl; + u_int8 prot; + u_int16 csum; + u_int32 srcaddr; + u_int32 dstaddr; +}; + +/* tcp header */ +struct pcap_data3 { + u_int16 srcport; + u_int16 dstport; + u_int32 hold1; /* seq */ + u_int32 hold2; /* ack */ + u_int32 hold3; /* data, reserved, flags, window */ + u_int32 hold4; /* csum, urg pointer */ + u_int32 hold5; /* options, padding */ +}; + + +/* udp header */ +struct pcap_data4 { + u_int16 srcport; + u_int16 dstport; + u_int32 hold1; /* len */ + u_int32 hold2; /* csum */ + u_int32 hold3; /* data ...*/ + u_int32 hold4; /* data ... */ + u_int32 hold5; /* data ... */ +#ifdef XXX + u_int32 hold6; /* data */ +#endif /* XXX */ +}; + + diff -urN flow-tools-0.56/src/pcap.h flow-tools-0.56-patched/src/pcap.h --- flow-tools-0.56/src/pcap.h Sat Feb 24 22:32:16 2001 +++ flow-tools-0.56-patched/src/pcap.h Thu Jan 1 01:00:00 1970 
@@ -1,104 +0,0 @@ -/* - * Copyright (c) 2001 Mark Fullmer and The Ohio State University - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $Id: ft-0.56-importpcap.diff,v 1.1 2002/12/20 13:42:19 robin Exp $ - */ - -#if HAVE_CONFIG_H - #include -#endif - -#include -#include "bytes.h" - -#define TCPDUMP_MAGIC 0xa1b2c3d4 -#define TCPDUMP_VERSION_MAJOR 2 -#define TCPDUMP_VERSION_MINOR 2 - -struct pcap_file_header { - u_long magic; - u_short version_major; - u_short version_minor; - long thiszone; /* gmt to local correction */ - u_long sigfigs; /* accuracy of timestamps */ - u_long snaplen; /* max length saved portion of each pkt */ - u_long linktype; -}; - -struct pcap_packet_header { - struct timeval ts; /* time stamp */ - u_long len; /* length this packet (off wire) */ - u_long caplen; /* length of portion present */ -}; - -/* eth header */ -struct pcap_data1 { - /* eth header */ - u_int8 eth_dst[6]; - u_int8 eth_src[6]; - u_int16 eth_prot; -}; - -/* ip header */ -struct pcap_data2 { - u_int8 version; - u_int8 tos; - u_int16 len; - u_int16 id; - u_int16 flags_fragment; - u_int8 ttl; - u_int8 prot; - u_int16 csum; - u_int32 srcaddr; - u_int32 dstaddr; -}; - -/* tcp header */ -struct pcap_data3 { - u_int16 srcport; - u_int16 dstport; - u_int32 hold1; /* seq */ - u_int32 hold2; /* ack */ - u_int32 hold3; /* data, reserved, flags, window */ - u_int32 hold4; /* csum, urg pointer */ - u_int32 hold5; /* options, padding */ -}; - - -/* udp header */ -struct pcap_data4 { - u_int16 srcport; - u_int16 dstport; - u_int32 hold1; /* len */ - u_int32 hold2; /* csum */ - u_int32 hold3; /* data ...*/ - u_int32 hold4; /* data ... */ - u_int32 hold5; /* data ... */ -#ifdef XXX - u_int32 hold6; /* data */ -#endif /* XXX */ -}; - -