├── AUTHORS
├── CHANGES
├── LICENSE
├── Makefile.am
├── README.md
├── configure.ac
├── src
│   ├── Makefile.am
│   ├── cmd.c
│   ├── cmd.h
│   ├── hash.c
│   ├── hash.h
│   ├── sig.c
│   ├── sig.h
│   ├── streams.c
│   ├── streams.h
│   ├── strm.c
│   ├── strm.h
│   ├── util.c
│   └── util.h
└── test
    ├── data-on-fin.pcap
    └── ports-reused.pcap

/AUTHORS:
--------------------------------------------------------------------------------
Tillmann Werner,
--------------------------------------------------------------------------------
/CHANGES:
--------------------------------------------------------------------------------
v0.1.1
- tcp session timeout, required for detecting port reuse
- fixed an off-by-one bug in the stream selection code
- reassembly code restructured to improve speed (fewer hash lookups)
- ports command for basic stream destination port statistics
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 2, June 1991
3 |
4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6 | Everyone is permitted to copy and distribute verbatim copies
7 | of this license document, but changing it is not allowed.
8 |
9 | Preamble
10 |
11 | The licenses for most software are designed to take away your
12 | freedom to share and change it. By contrast, the GNU General Public
13 | License is intended to guarantee your freedom to share and change free
14 | software--to make sure the software is free for all its users. This
15 | General Public License applies to most of the Free Software
16 | Foundation's software and to any other program whose authors commit to
17 | using it. (Some other Free Software Foundation software is covered by
18 | the GNU Lesser General Public License instead.) You can apply it to
19 | your programs, too.
20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. 
To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 
86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. 
But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. 
(This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. 
These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 
214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. 
If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 
305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 
340 |
--------------------------------------------------------------------------------
/Makefile.am:
--------------------------------------------------------------------------------
# $Id$

AUTOMAKE_OPTIONS = foreign

EXTRA_DIST = configure.ac CHANGES

SUBDIRS = src
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Interactive command line tool for fast TCP stream processing

*streams* is a tool for browsing, mining and processing TCP streams in pcap files. It provides a command line prompt for filtering, selecting and dumping reassembled session data. It can further invoke external tools to pipe stream data through. Here is the output of an example session:

```
$ /opt/streams/bin/streams
 _
_____ _____ ___| |_ _ __ ___ __ _ _ __ ___ ___
_____ |_____|_____| / __| __| '__/ _ \/ _` | '_ ` _ \/ __|
|_____| _ |_____|_____| \__ \ |_| | | __/ (_| | | | | | \__ \ _ _ _
(_|_)____ (_) |___/\__|_| \___|\__,_|_| |_| |_|___/ (_) (_|_)
|_____|
version 0.1.2, Copyright (C) 2011-2016 by Tillmann Werner

streams> help

analyze     analyze trace file
bpf         specify a berkeley packet filter expression
count       display number of streams
dump        dump selected stream to a file (see outfile)
ext         specify external program (+ arguments) to pipe streams through (see pipe)
filter      toggle stream filter status (include/exclude empty and incomplete streams)
help        show help (this output)
list        list streams
match       specify a content pattern, use 'x [pattern]' for patterns in hexadecimal encoding
offset      set datalink layer offset for packet trace file
outfile     specify an output file for stream dumps (see dump)
pipe        pipe selected stream through an external program (see ext)
quit        quit program
status      display program status
timestamps  toggle time display format (absolute/relative)
timeout     set tcp session timeout (needed to detect port reuse)

streams> analyze /tmp/http.pcap
file processed, 4 streams (2 non-empty and complete).
streams> list
2: 0.042225 40.832919 92.123.68.42:80 > 192.168.178.47:56628 (7484 bytes)
3: 0.042321 44.841711 92.123.68.42:80 > 192.168.178.47:56630 (7397 bytes)
streams> filter
stream filter: off (list all streams)
streams> list
0: 0.000000 40.873249 192.168.178.47:56628 > 92.123.68.42:80 (137 bytes) [incomplete]
1: 0.000436 44.889474 192.168.178.47:56630 > 92.123.68.42:80 (137 bytes) [incomplete]
2: 0.042225 40.832919 92.123.68.42:80 > 192.168.178.47:56628 (7484 bytes)
3: 0.042321 44.841711 92.123.68.42:80 > 192.168.178.47:56630 (7397 bytes)
streams> ext hd
streams> pipe 0
00000000 47 45 54 20 2f 63 67 69 2d 62 69 6e 2f 6d 67 65 |GET /cgi-bin/mge|
00000010 74 6d 65 74 61 72 2e 70 6c 3f 63 63 63 63 3d 55 |tmetar.pl?cccc=U|
00000020 55 44 44 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f |UDD HTTP/1.1..Ho|
00000030 73 74 3a 20 77 65 61 74 68 65 72 2e 6e 6f 61 61 |st: weather.noaa|
00000040 2e 67 6f 76 0d 0a 0d 0a 47 45 54 20 2f 6d 67 65 |.gov....GET /mge|
00000050 74 6d 65 74 61 72 2e 70 68 70 3f 63 63 63 63 3d |tmetar.php?cccc=|
00000060 55 55 44 44 20 48 54 54 50 2f 31 2e 31 0d 0a 48 |UUDD HTTP/1.1..H|
00000070 6f 73 74 3a 20 77 65 61 74 68 65 72 2e 6e 6f 61 |ost: weather.noa|
00000080 61 2e 67 6f 76 0d 0a 0d 0a |a.gov....|
00000089
streams> outfile /tmp/streams.bin
streams> dump 3
7397 bytes written to /tmp/streams.bin
streams> match Moved
applying new match expression...
streams> list
2: 0.042225 40.832919 92.123.68.42:80 > 192.168.178.47:56628 (7484 bytes)
3: 0.042321 44.841711 92.123.68.42:80 > 192.168.178.47:56630 (7397 bytes)
streams> bpf tcp port 56628
applying new filter...
file processed, 2 streams (1 non-empty and complete).
streams> list
1: 0.042225 40.832919 92.123.68.42:80 > 192.168.178.47:56628 (7484 bytes)
streams> match
match expression removed
streams> list
0: 0.000000 40.873249 192.168.178.47:56628 > 92.123.68.42:80 (137 bytes) [incomplete]
1: 0.042225 40.832919 92.123.68.42:80 > 192.168.178.47:56628 (7484 bytes)
streams> quit
$
```

streams is (C) 2011-2016 by Tillmann Werner
--------------------------------------------------------------------------------
/configure.ac:
--------------------------------------------------------------------------------
# -*- mode: m4; -*-
# -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.
# $Id$

AC_PREREQ(2.59)
AC_INIT([streams], [0.1.2], [tillmann.werner@gmx.de])
AM_INIT_AUTOMAKE([streams], [0.1.2])
AC_REVISION([$Id$])

AC_PREFIX_DEFAULT(/opt/streams)
AM_CONFIG_HEADER([config.h])
# AM_MAINTAINER_MODE

AC_CANONICAL_HOST
AC_C_CONST
AC_C_BIGENDIAN

# Checks for programs.
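The README session above shows *streams* reassembling each direction of a TCP connection, listing streams that never completed as `[incomplete]`, and (via the `timeout` command, introduced in the CHANGES entry for v0.1.1) telling a reused client port apart from the session that used it before. The block below is an added example written for this page, not code from the streams project: a minimal one-direction reassembler over constructed segments, with no libpcap dependency and hypothetical `segment`/`stream` types. It places payload by sequence offset from the SYN so that out-of-order and retransmitted segments land in the right place, marks a stream complete only when a FIN has been seen with no hole before it, and starts a fresh stream for a 4-tuple when a SYN arrives after the previous stream closed or after more than `session_timeout` seconds of silence.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define MAX_STREAMS 16
#define MAX_DATA    256   /* per-stream buffer, sized for this constructed example */
#define TH_FIN      0x01
#define TH_SYN      0x02

/* Hypothetical segment record: what a capture loop would pull out of each
   TCP packet. ts is seconds since the start of the capture. */
typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t seq;
    uint8_t  flags;
    double   ts;
    const char *payload;
    uint16_t len;
} segment;

/* One direction of one TCP session. Payload byte n of the connection is
   stored at data[n] where n = seq - isn - 1; have[n] records its arrival. */
typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t isn, fin_seq;
    double   last_ts;
    int      closed;
    unsigned char data[MAX_DATA];
    unsigned char have[MAX_DATA];
} stream;

static stream streams[MAX_STREAMS];
static int    nstreams;
static double session_timeout = 60.0;   /* the value the tool's "timeout" command sets */

static int same_tuple(const stream *s, const segment *p) {
    return s->saddr == p->saddr && s->daddr == p->daddr &&
           s->sport == p->sport && s->dport == p->dport;
}

/* Newest stream for the 4-tuple, unless this is a SYN arriving after that
   stream closed or went quiet for longer than the timeout: then the port has
   been reused and a fresh stream is allocated. A retransmitted SYN inside the
   timeout maps to the existing stream. Segments for a tuple whose SYN was
   never seen are dropped (a simplification of this example). */
static stream *lookup(const segment *p) {
    stream *s;
    int i;
    for (i = nstreams - 1; i >= 0; --i) {          /* newest first */
        s = &streams[i];
        if (!same_tuple(s, p)) continue;
        if ((p->flags & TH_SYN) && (s->closed || p->ts - s->last_ts > session_timeout))
            break;                                 /* port reused: allocate below */
        return s;
    }
    if (!(p->flags & TH_SYN) || nstreams == MAX_STREAMS) return NULL;
    s = &streams[nstreams++];
    memset(s, 0, sizeof *s);
    s->saddr = p->saddr; s->daddr = p->daddr;
    s->sport = p->sport; s->dport = p->dport;
    s->isn = p->seq;
    return s;
}

/* Feed one segment; returns the stream index, or -1 if it was dropped. */
int reassemble(const segment *p) {
    stream *s = lookup(p);
    if (!s) return -1;
    s->last_ts = p->ts;
    if (p->len) {
        uint32_t off = p->seq - (s->isn + 1);      /* wraps to a huge value if seq <= isn */
        if (off >= MAX_DATA || (uint32_t)p->len > (uint32_t)MAX_DATA - off)
            return -1;                             /* bounds check before any copy */
        memcpy(s->data + off, p->payload, p->len); /* a retransmit simply overwrites */
        memset(s->have + off, 1, p->len);
    }
    if (p->flags & TH_FIN) { s->closed = 1; s->fin_seq = p->seq + p->len; }
    return (int)(s - streams);
}

/* Contiguous bytes available from the start of the stream. */
int stream_length(int idx) {
    int n = 0;
    while (n < MAX_DATA && streams[idx].have[n]) ++n;
    return n;
}

/* Complete only if a FIN was seen and nothing before it is missing. */
int stream_complete(int idx) {
    const stream *s = &streams[idx];
    return s->closed && (uint32_t)stream_length(idx) == s->fin_seq - (s->isn + 1);
}

const unsigned char *stream_data(int idx) { return streams[idx].data; }
int stream_count(void) { return nstreams; }

/* Constructed capture (not taken from the project's test pcaps): a request
   whose segments arrive out of order, the same client port reused right after
   that stream closed, an unfinished request, and its port reused after a
   silence longer than the timeout. Returns the number of complete streams. */
int run_sample(void) {
    static const segment cap[] = {
        {1, 2, 40000, 80, 1000, TH_SYN, 0.00,  "", 0},
        {1, 2, 40000, 80, 1017, 0,      0.20,  "Host: a\r\n\r\n", 11},    /* arrives before its predecessor */
        {1, 2, 40000, 80, 1001, 0,      0.30,  "GET / HTTP/1.1\r\n", 16},
        {1, 2, 40000, 80, 1001, 0,      0.35,  "GET / HTTP/1.1\r\n", 16}, /* retransmission */
        {1, 2, 40000, 80, 1028, TH_FIN, 0.40,  "", 0},
        {1, 2, 40000, 80, 5000, TH_SYN, 100.0, "", 0},                    /* port reuse: previous stream closed */
        {1, 2, 40000, 80, 5000, TH_SYN, 100.1, "", 0},                    /* retransmitted SYN: same stream */
        {1, 2, 40000, 80, 5001, 0,      100.2, "GET /x HTTP/1.1\r\n", 17},
        {1, 2, 40000, 80, 5018, TH_FIN, 100.3, "\r\n", 2},
        {1, 2, 40001, 80, 7000, TH_SYN, 101.0, "", 0},
        {1, 2, 40001, 80, 7001, 0,      101.5, "GET /y", 6},              /* never finished */
        {1, 2, 40001, 80, 9000, TH_SYN, 200.0, "", 0},                    /* port reuse: 98.5 s of silence > timeout */
        {1, 2, 40001, 80, 9001, 0,      200.1, "GET /z HTTP/1.0\r\n", 17},
        {1, 2, 40001, 80, 9018, TH_FIN, 200.2, "", 0},
    };
    size_t i;
    int complete = 0;
    nstreams = 0;
    for (i = 0; i < sizeof cap / sizeof cap[0]; ++i) reassemble(&cap[i]);
    for (i = 0; i < (size_t)nstreams; ++i) complete += stream_complete((int)i);
    return complete;
}

int main(void) {
    int i, complete = run_sample();
    printf("%d streams (%d non-empty and complete)\n", stream_count(), complete);
    for (i = 0; i < stream_count(); ++i)
        printf("%d: port %u > %u (%d bytes)%s\n", i, (unsigned)streams[i].sport,
               (unsigned)streams[i].dport, stream_length(i),
               stream_complete(i) ? "" : " [incomplete]");
    return 0;
}
```

Two design points carry over to any reassembler that reads untrusted captures. The offset arithmetic is done in unsigned 32-bit space, so a segment whose sequence number precedes the SYN wraps to a huge offset; the explicit bound before `memcpy` is what keeps such a segment from writing outside the buffer. And completeness is decided from coverage up to the FIN, not from byte count alone, so a stream with a hole is reported `[incomplete]` rather than silently concatenated across the gap.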
AC_PROG_CC
AC_PROG_MAKE_SET

AC_TYPE_SIZE_T

dnl **************************************************
dnl *          debug code & debug messages           *
dnl **************************************************

AC_MSG_CHECKING(whether debug code generation should be enabled)
AC_ARG_ENABLE([debug],
    [AS_HELP_STRING(--enable-debug, enable debug code generation [[default=no]])],
    [enable_debug=${enableval}], [enable_debug="no"])
if test x"$enable_debug" = "xyes"; then
    echo "--- enabling debug code"
    AC_DEFINE([DEBUG], 1, [enable debug code generation])
fi
AC_MSG_RESULT($enable_debug)


dnl **************************************************
dnl *                      pcap                      *
dnl **************************************************

AC_ARG_WITH(libpcap_includes,
    [  --with-libpcap-includes=DIR    libpcap include directory],
    [with_libpcap_includes="$withval"],[with_libpcap_includes=no])

AC_ARG_WITH(libpcap_libraries,
    [  --with-libpcap-libraries=DIR   libpcap library directory],
    [with_libpcap_libraries="$withval"],[with_libpcap_libraries=no])

if test "$with_libpcap_includes" != "no"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libpcap_includes}"
fi
HPCAP=""
AC_CHECK_HEADER(pcap.h,, HPCAP="no")
if test "$HPCAP" = "no"; then
    echo "   Error - libpcap headers not found."
    exit 1
fi

if test "$with_libpcap_libraries" != "no"; then
    LDFLAGS="${LDFLAGS} -L${with_libpcap_libraries}"
fi
LPCAP=""
AC_CHECK_LIB(pcap, pcap_datalink,, LPCAP="no")
if test "$LPCAP" = "no"; then
    echo "   Error - libpcap library not found."
    exit 1
fi


dnl **************************************************
dnl *                    readline                    *
dnl **************************************************

AC_ARG_WITH(libreadline_includes,
    [  --with-libreadline-includes=DIR    libreadline include directory],
    [with_libreadline_includes="$withval"],[with_libreadline_includes=no])

AC_ARG_WITH(libreadline_libraries,
    [  --with-libreadline-libraries=DIR   libreadline library directory],
    [with_libreadline_libraries="$withval"],[with_libreadline_libraries=no])

if test "$with_libreadline_includes" != "no"; then
    CPPFLAGS="${CPPFLAGS} -I${with_libreadline_includes}"
fi
HREADLINE=""
AC_CHECK_HEADER(readline.h,, HREADLINE="no")
if test "$HREADLINE" = "no"; then
    echo "   Error - libreadline headers not found."
    exit 1
fi

if test "$with_libreadline_libraries" != "no"; then
    LDFLAGS="${LDFLAGS} -L${with_libreadline_libraries}"
fi
LREADLINE=""
AC_CHECK_LIB(readline, readline,, LREADLINE="no")
if test "$LREADLINE" = "no"; then
    echo "   Error - libreadline library not found."
    exit 1
fi


AC_DEFUN([AC_DEFINE_DIR], [
    prefix_NONE=
    exec_prefix_NONE=
    test "x$prefix" = xNONE && prefix_NONE=yes && prefix=$ac_default_prefix
    test "x$exec_prefix" = xNONE && exec_prefix_NONE=yes && exec_prefix=$prefix
    dnl In Autoconf 2.60, ${datadir} refers to ${datarootdir}, which in turn
    dnl refers to ${prefix}. Thus we have to use `eval' twice.
    eval ac_define_dir="\"[$]$2\""
    eval ac_define_dir="\"$ac_define_dir\""
    AC_SUBST($1, "$ac_define_dir")
    AC_DEFINE_UNQUOTED($1, "$ac_define_dir", [$3])
    test "$prefix_NONE" && prefix=NONE
    test "$exec_prefix_NONE" && exec_prefix=NONE
])

AC_DEFINE_DIR(PREFIX, prefix, [default working directory])

AC_CONFIG_FILES([Makefile
    src/Makefile
    ])

AC_OUTPUT
--------------------------------------------------------------------------------
/src/Makefile.am:
--------------------------------------------------------------------------------
AUTOMAKE_OPTIONS = foreign

AM_CFLAGS = -g -Wall -Werror -D_GNU_SOURCE

bin_PROGRAMS = streams

streams_CFLAGS = ${AM_CFLAGS}
streams_LDFLAGS = ${AM_LDFLAGS}
streams_SOURCES = cmd.c hash.c sig.c streams.c strm.c util.c
--------------------------------------------------------------------------------
/src/cmd.c:
--------------------------------------------------------------------------------
/*
    cmd.c
    Copyright (C) 2011-2016 Tillmann Werner, tillmann.werner@gmx.de

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License version 2 as
    published by the Free Software Foundation.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see .
*/

#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "cmd.h"
#include "hash.h"
#include "streams.h"
#include "strm.h"
#include "util.h"

// outer parentheses keep the macros safe inside larger expressions
#define max(a,b) (((a) > (b)) ? (a) : (b))
#define min(a,b) (((a) < (b)) ? (a) : (b))


int cmd_analyze(char *arg) {
    char *filename;
    struct bpf_program bpf;
    char errbuf[PCAP_ERRBUF_SIZE];
    int i;
    hash_entry_t *he, *next;

    if (arg) {
        // close previous tracefile
        if (pktsrc) pcap_close(pktsrc);

        // get file name: the first word after the command; without an
        // argument strchr() yields NULL, which must not reach strtok()
        if ((filename = strchr(arg, ' ')) == NULL || (filename = strtok(filename, " ")) == NULL) {
            printf("need an argument.\n");
            return -1;
        }
        tracefile = strdup(filename);

        // new file, reset global time stamp
        global_start.tv_sec = 0;
        global_start.tv_usec = 0;
    } else {
        // re-analyze currently selected packet source
        if (pktsrc == NULL) {
            printf("Error: cannot re-analyze, no source selected\n");
            return -1;
        }
    }

    // initialize chronological stream list
    if (slist) free(slist);
    slist = NULL;

    // flush port stats
    memset(pstats, 0, 0x10000 * sizeof(portstat));
    for (i=0; i<0x10000; ++i) pstats[i].port = i;

    // initialize stream hash map: free every stream and its data buffer
    he = NULL;
    next = NULL;
    for (i=0; i<0x10000; ++i) {
        he = hashmap[i];
        while (he) {
            next = he->next;
            if (((stream *)(he->data))->data) free(((stream *)(he->data))->data);
            free(he->data);
            free(he);
            he = next;
        }
    }
    memset(hashmap, 0, 0x10000 * sizeof(hash_entry_t *));

    // open tracefile
    if ((pktsrc = pcap_open_offline(tracefile, errbuf)) == NULL) {
        fprintf(stderr, "could not open trace file: %s\n", errbuf);
        return -1;
    }

    // activate filter for new tracefile
    if (filter) {
        if (pcap_compile(pktsrc, &bpf, filter, 1, 0) == -1) {
            fprintf(stderr, "pcap_compile(): %s\n", pcap_geterr(pktsrc));
            return -1;
        }
        if (pcap_setfilter(pktsrc, &bpf) == -1) {
            fprintf(stderr, "pcap_setfilter(): %s\n", pcap_geterr(pktsrc));
            return -1;
        }
        pcap_freecode(&bpf);
    }


    if (pktsrc == NULL) {
        printf("no packet source selected\n");
        return -1;
    }

    // derive the link-layer header length from the capture's data link type
    // unless the user set one explicitly with the offset command
    if (!offset) switch (pcap_datalink(pktsrc)) {
        case DLT_RAW:       offset = 0; break;
        case DLT_PPP:       offset = 2; break;
        case DLT_NULL:      offset = 4; break;
        case DLT_LOOP:      offset = 4; break;   // 4-byte family field like DLT_NULL, network byte order
        case DLT_EN10MB:    offset = 14; break;
        case DLT_LINUX_SLL: offset = 16; break;
        default:
            printf("unsupported data link type: %d.\n", pcap_datalink(pktsrc));
            return -1;
    }

    stream_total_count = 0;
    stream_complete_count = 0;

    switch (pcap_loop(pktsrc, 0, strm_assemble, (u_char *) &offset)) {
    case 0:
        // count exhausted
        break;
    case -1:
    case -2:
    default:
        fprintf(stderr, "pcap_loop(): %s\n", pcap_geterr(pktsrc));
        // exit(EXIT_FAILURE);
    }

    fprintf(stderr, "file processed, %d streams (%d non-empty and complete).\n", stream_total_count, stream_complete_count);

    return 0;
}


int cmd_count(char *arg) {
    printf("number of streams: %u (%u non-empty and complete)\n", stream_total_count, stream_complete_count);
    return 0;
}


int cmd_offset(char *arg) {
    char *o;

    if ((o = strchr(arg, ' ')) == NULL) {
        printf("offset: need an argument\n");
        return -1;
    }
    offset = strtoul(o, NULL, 0);

    // apply offset to selected packet source
    if (pktsrc) {
        printf("applying new offset...\n");
        cmd_analyze(NULL);
    }

    return 0;
}


int cmd_outfile(char *arg) {
    char *name;

    if ((name = strchr(arg, '
')) == NULL) { 176 | printf("outfile: need an argument\n"); 177 | return -1; 178 | } 179 | 180 | outfile = strdup(name + 1); 181 | 182 | return 0; 183 | }; 184 | 185 | 186 | int cmd_dump(char *arg) { 187 | char *number; 188 | int n = -1; 189 | 190 | if (pktsrc == NULL) { 191 | printf("select a packet source first\n"); 192 | return -1; 193 | } 194 | 195 | if (outfile == NULL) { 196 | printf("no output file specified\n"); 197 | return -1; 198 | } 199 | 200 | if ((number = strchr(arg, ' ')) == NULL) { 201 | printf("dump: need an argument\n"); 202 | return -1; 203 | } 204 | 205 | n = strtoul(number, NULL, 0); 206 | if (n > stream_total_count) { 207 | printf("no such stream\n"); 208 | return -1; 209 | } 210 | 211 | FILE *f; 212 | if ((f = fopen(outfile, "w")) == NULL) { 213 | perror("fopen()"); 214 | return -1; 215 | } 216 | 217 | fwrite(slist[n]->data, 1, slist[n]->len, f); 218 | 219 | if (ferror(f)) { 220 | perror("fwrite()"); 221 | fclose(f); 222 | return -1; 223 | } 224 | 225 | fclose(f); 226 | 227 | return 0; 228 | }; 229 | 230 | 231 | int cmd_quit(char *arg) { 232 | // delete hash map 233 | int i; 234 | hash_entry_t *he, *next; 235 | he = NULL; 236 | next = NULL; 237 | 238 | if (slist) { 239 | for (i = 0; i < stream_total_count; ++i) { 240 | free(slist[i]->data); 241 | free(slist[i]); 242 | } 243 | 244 | free(slist); 245 | } 246 | 247 | for (i=0; i<0x10000; ++i) { 248 | he = hashmap[i]; 249 | while (he) { 250 | next = he->next; 251 | free(he); 252 | he = next; 253 | } 254 | } 255 | 256 | // set done flag to stop looping 257 | done = 1; 258 | 259 | return 0; 260 | }; 261 | 262 | 263 | int cmd_bpf(char *arg) { 264 | free(filter); 265 | 266 | if ((filter = strchr(arg, ' ')) == NULL) 267 | filter = strdup("tcp"); 268 | else 269 | filter = strdup(strchr(arg, ' ') + 1); 270 | 271 | if (strlen(filter) == 0) filter = NULL; 272 | 273 | // apply filter to selected packet source 274 | if (pktsrc) { 275 | printf("applying new filter...\n"); 276 | cmd_analyze(NULL); 277 | } 
278 | 279 | return 0; 280 | }; 281 | 282 | 283 | int cmd_help(char *arg) { 284 | int i; 285 | 286 | putchar('\n'); 287 | for (i = 0; commands[i].name; ++i) 288 | printf(" %s\t%s\n", commands[i].name, commands[i].desc); 289 | putchar('\n'); 290 | 291 | return 0; 292 | }; 293 | 294 | 295 | int cmd_list(char *arg) { 296 | char *number; 297 | int n = -1; 298 | 299 | if (pktsrc == NULL) { 300 | printf("select a packet source first\n"); 301 | return -1; 302 | } 303 | 304 | if ((number = strchr(arg, ' ')) != NULL) { 305 | n = strtoul(number, NULL, 0); 306 | if (n > stream_total_count) { 307 | printf("no such stream\n"); 308 | return -1; 309 | } 310 | } 311 | 312 | strm_list(n); 313 | 314 | return 0; 315 | }; 316 | 317 | 318 | int cmd_match(char *arg) { 319 | char *argz, *s; 320 | int i; 321 | size_t argzlen; 322 | 323 | argz = NULL; 324 | argzlen = 0; 325 | 326 | // clear old match expression 327 | if (matchexpr) free(matchexpr); 328 | matchexpr = NULL; 329 | 330 | // create argument vector from extprog string 331 | s = strchr(arg, ' '); 332 | if (s && argz_create_sep(s, ' ', &argz, &argzlen) != 0) { 333 | perror("argz_create_sep()"); 334 | return -1; 335 | } 336 | 337 | // if one argument is given, take it as the pattern, two arguments indicate a hex pattern and the first one must be an 'x' 338 | switch (argz_count(argz, argzlen)) { 339 | case 0: 340 | for (i = 0; i < stream_total_count; ++i) 341 | slist[i]->match = 1; 342 | 343 | printf("match expression removed\n"); 344 | return 0; 345 | case 1: 346 | matchexpr = strdup(s + 1); 347 | matchexprlen = strlen(matchexpr); 348 | break; 349 | default: 350 | // we have at least 2 arguments, the first one must be an 'x' 351 | if (strcmp(argz, "x") != 0) { 352 | printf("invalid arguments"); 353 | return -1; 354 | } 355 | // get second arg 356 | char *entry; 357 | entry = argz_next(argz, argzlen, NULL); 358 | entry = argz_next(argz, argzlen, entry); 359 | 360 | // make sure len is a multiple of 2 361 | size_t len = (strlen(entry) 
>> 1) << 1; 362 | matchexprlen = len/2; 363 | 364 | if ((matchexpr = (malloc(matchexprlen))) == NULL) { 365 | perror("malloc()"); 366 | return -1; 367 | } 368 | 369 | // convert hex string into binary string 370 | size_t i; 371 | for (i = 0; i < matchexprlen; i ++) 372 | if (sscanf(entry + (2 * i), "%02x", (unsigned int *) &matchexpr[i]) != 1) { 373 | printf("pattern is not a valid hex string\n"); 374 | free(matchexpr); 375 | matchexpr = NULL; 376 | return -1; 377 | } 378 | 379 | break; 380 | } 381 | 382 | free(argz); 383 | 384 | // apply match expression to selected packet source 385 | if (pktsrc) { 386 | printf("applying new match expression...\n"); 387 | for (i = 0; i < stream_total_count; ++i) { 388 | if (matchexpr == NULL) { 389 | slist[i]->match = 1; 390 | } else { 391 | // match expression defined, check if stream matches 392 | if (memmem(slist[i]->data, slist[i]->len, matchexpr, matchexprlen) != NULL) 393 | slist[i]->match = 1; 394 | else 395 | slist[i]->match = 0; 396 | } 397 | } 398 | } 399 | 400 | return 0; 401 | } 402 | 403 | 404 | int cmd_pipe(char *arg) { 405 | char **argv, *argz, *number; 406 | int fpipefd[2], bpipefd[2]; // pipes for bidirectional communication with a child process 407 | int pid; 408 | unsigned int n; 409 | size_t argzlen; 410 | 411 | if (pktsrc == NULL) { 412 | printf("select a packet source first\n"); 413 | return -1; 414 | } 415 | 416 | if (extprog == NULL) { 417 | printf("no external program specified\n"); 418 | return -1; 419 | } 420 | 421 | // create argument vector from extprog string 422 | if (argz_create_sep(extprog, ' ', &argz, &argzlen) != 0) { 423 | perror("argz_create_sep()"); 424 | return -1; 425 | } 426 | if ((argv = calloc(argz_count(argz, argzlen) + 1, sizeof(char *))) == NULL) { 427 | perror("calloc()"); 428 | return -1; 429 | } 430 | argz_extract(argz, argzlen, argv); 431 | 432 | if ((number = strchr(arg, ' ')) == NULL) { 433 | printf("pipe: need a stream number.\n"); 434 | return -1; 435 | } 436 | n = 
strtoul(number, NULL, 0); 437 | 438 | if (n >= stream_total_count) { 439 | printf("no such stream\n"); 440 | return -1; 441 | } 442 | 443 | // insert pipe, fork, dup2, exec here 444 | if ((pipe(fpipefd) == -1) || (pipe(bpipefd) == -1)) { 445 | perror("pipe()"); 446 | return -1; 447 | } 448 | 449 | switch (pid = fork()) { 450 | case -1: 451 | perror("fork()"); 452 | return -1; 453 | case 0: 454 | // client code 455 | close(fpipefd[1]); 456 | close(bpipefd[0]); 457 | 458 | dup2(fpipefd[0], STDIN_FILENO); // connect stdin to 1st pipe's read end 459 | close(fpipefd[0]); 460 | 461 | dup2(bpipefd[1], STDOUT_FILENO); // connect stdout to 2nd pipe's write end 462 | dup2(bpipefd[1], STDERR_FILENO); // connect stdout to 2nd pipe's write end 463 | close(bpipefd[1]); 464 | 465 | // execute external program 466 | execvp(argv[0], argv); 467 | 468 | perror("execvp()"); // should never get here... 469 | _exit(EXIT_FAILURE); 470 | break; 471 | } 472 | // server code 473 | free(argv); 474 | free(argz); 475 | 476 | close(fpipefd[0]); // close 1st pipe's read end 477 | close(bpipefd[1]); // close 2nd pipe's write end 478 | 479 | fd_set rfds, wfds; 480 | 481 | FD_ZERO(&rfds); 482 | FD_ZERO(&wfds); 483 | 484 | FD_SET(fpipefd[1], &wfds); 485 | FD_SET(bpipefd[0], &rfds); 486 | 487 | char buffer[BUFSIZ]; 488 | int complete, bytes_total, bytes_written, bytes_read; 489 | 490 | bytes_total = 0; 491 | complete = 0; 492 | 493 | for (;;) { 494 | // make sure we poll what needs to be polled 495 | if (bytes_total < slist[n]->len) { 496 | FD_SET(fpipefd[1], &wfds); 497 | } 498 | FD_SET(bpipefd[0], &rfds); 499 | 500 | switch (select(max(fpipefd[1], bpipefd[0]) + 1, &rfds, &wfds, NULL, NULL)) { 501 | case -1: 502 | if (errno == EINTR) break; 503 | perror("select()"); 504 | exit(EXIT_FAILURE); 505 | default: 506 | /* 507 | We *must* handle incoming data first as external programs 508 | might block otherwise when they buffer data to stdout. 509 | Thus, we only write data if there is no data to read. 
510 | */ 511 | if (FD_ISSET(bpipefd[0], &rfds)) { 512 | // read child's stdout and dump it 513 | switch (bytes_read = read(bpipefd[0], buffer, BUFSIZ)) { 514 | case -1: 515 | perror("read()"); 516 | close(bpipefd[0]); 517 | return -1; 518 | case 0: 519 | complete = 1; 520 | break; 521 | default: 522 | if (write(STDOUT_FILENO, buffer, bytes_read) == -1) { 523 | perror("write()"); 524 | close(bpipefd[0]); 525 | return -1; 526 | }; 527 | break; 528 | } 529 | break; // breaking from the select loop here makes sure we read as much as possible at a time 530 | } 531 | if (FD_ISSET(fpipefd[1], &wfds)) { 532 | // pipe stream to child's stdin 533 | switch (bytes_written = write(fpipefd[1], slist[n]->data + bytes_total, min(slist[n]->len - bytes_total, BUFSIZ))) { 534 | case -1: 535 | perror("write()"); 536 | close(fpipefd[1]); 537 | close(bpipefd[0]); 538 | return -1; 539 | default: 540 | bytes_total += bytes_written; 541 | break; 542 | } 543 | 544 | if (bytes_total >= slist[n]->len) { 545 | close(fpipefd[1]); 546 | FD_ZERO(&wfds); 547 | } 548 | } 549 | } 550 | 551 | if (bytes_total >= slist[n]->len && complete) break; 552 | } 553 | 554 | close(bpipefd[0]); 555 | 556 | // wait for child process to terminate 557 | // do not catch SIGCHILD, that screws it up 558 | int status; 559 | if (waitpid(pid, &status, WUNTRACED) == -1) { 560 | perror("waitpid()"); 561 | return -1; 562 | } 563 | 564 | return 0; 565 | }; 566 | 567 | 568 | int cmd_ports(char *arg) { 569 | int i; 570 | portstat ps[0x10000]; 571 | 572 | memcpy(ps, pstats, 0x10000 * sizeof(portstat)); 573 | qsort(ps, 0x10000, sizeof(portstat), portcmp); 574 | 575 | for (i = 0; i < 0x10000; ++i) 576 | if (ps[i].count) printf(" %5u: %lu\n", ps[i].port, ps[i].count); 577 | 578 | return 0; 579 | }; 580 | 581 | 582 | int cmd_ext(char *arg) { 583 | char *prog; 584 | 585 | if ((prog = strchr(arg, ' ')) == NULL) { 586 | printf("no program specified.\n"); 587 | return -1; 588 | } 589 | 590 | extprog = strdup(prog + 1); 591 | 592 | 
return 0; 593 | }; 594 | 595 | 596 | int cmd_status(char *arg) { 597 | putchar('\n'); 598 | printf(" trace file:\t\t%s\n", tracefile ? tracefile : "[none]"); 599 | printf(" bpf expression:\t%s\n", filter ? filter: "[none]"); 600 | printf(" match expression:\t"); 601 | if (matchexpr == NULL) { 602 | printf("[none]\n"); 603 | } else { 604 | int binary = 0; 605 | size_t i; 606 | for (i = 0; i < matchexprlen; ++i) { 607 | if (!isprint(matchexpr[i])) { 608 | binary = 1; 609 | break; 610 | } 611 | } 612 | 613 | if (binary == 0) { 614 | printf("%s\n", matchexpr); 615 | } else { 616 | putchar('\n'); 617 | hd((u_char *) matchexpr, matchexprlen); 618 | } 619 | } 620 | printf(" stream filter:\t%s\n", filter_streams ? "on (exclude empty and incomplete streams)" : "off (list all streams)"); 621 | printf(" time display mode:\t%s\n", relative_timestamps ? "relative" : "absolute"); 622 | printf(" tcp seession timeout:\t%u seconds\n", tcp_timeout); 623 | printf(" external program:\t%s\n", extprog ? extprog : "[none]"); 624 | printf(" output file:\t\t%s\n", outfile ? outfile : "[none]"); 625 | putchar('\n'); 626 | return 0; 627 | }; 628 | 629 | 630 | int cmd_filter(char *arg) { 631 | filter_streams ^= 1; 632 | printf("stream filter: %s\n", filter_streams ? "on (list only non-empty, complete streams)" : "off (list all streams)"); 633 | return 0; 634 | }; 635 | 636 | 637 | int cmd_timestamps(char *arg) { 638 | relative_timestamps ^= 1; 639 | printf("timestamps: %s\n", relative_timestamps ? 
"relative" : "absolute"); 640 | return 0; 641 | }; 642 | 643 | int cmd_timeout(char *arg) { 644 | char *timeout; 645 | 646 | if ((timeout = strchr(arg, ' ')) == NULL) { 647 | printf("timeout: need an argument\n"); 648 | return -1; 649 | } 650 | tcp_timeout = strtoul(timeout, NULL, 0); 651 | 652 | printf("new tcp session timeout: %u seconds\n", tcp_timeout); 653 | 654 | return 0; 655 | }; 656 | -------------------------------------------------------------------------------- /src/cmd.h: -------------------------------------------------------------------------------- 1 | /* 2 | cmd.h 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 
16 | */ 17 | 18 | #ifndef __CMD_H 19 | #define __CMD_H 20 | 21 | 22 | typedef struct { 23 | char *name; // command string 24 | rl_icpfunc_t *fn; // command handler 25 | char *desc; // command description 26 | } cmd; 27 | 28 | int cmd_analyze(char *arg); 29 | int cmd_bpf(char *arg); 30 | int cmd_count(char *arg); 31 | int cmd_dump(char *arg); 32 | int cmd_ext(char *arg); 33 | int cmd_help(char *arg); 34 | int cmd_list(char *arg); 35 | int cmd_match(char *arg); 36 | int cmd_offset(char *arg); 37 | int cmd_outfile(char *arg); 38 | int cmd_pipe(char *arg); 39 | int cmd_ports(char *arg); 40 | int cmd_quit(char *arg); 41 | int cmd_status(char *arg); 42 | int cmd_filter(char *arg); 43 | int cmd_timestamps(char *arg); 44 | int cmd_timeout(char *arg); 45 | 46 | static cmd commands[] = { 47 | { "analyze", cmd_analyze, "analyze trace file" }, 48 | { "bpf", cmd_bpf, "\tspecify a berkeley packet filter expression" }, 49 | { "count", cmd_count, "\tdisplay number of streams" }, 50 | { "dump", cmd_dump, "\tdump selected stream to a file (see outfile)" }, 51 | { "ext", cmd_ext, "\tspecify external program (+ arguments) to pipe streams through (see pipe)" }, 52 | { "filter", cmd_filter, "toggle stream filter status (include/exclude empty and incomplete streams)" }, 53 | { "help", cmd_help, "\tshow help (this output)" }, 54 | { "list", cmd_list, "\tlist streams" }, 55 | { "match", cmd_match, "\tspecify a content pattern, use 'x [pattern]' for patterns in hexadecimal encoding" }, 56 | { "offset", cmd_offset, "set datalink layer offset for packet trace file" }, 57 | { "outfile", cmd_outfile, "specify an output file for stream dumps (see dump)" }, 58 | { "pipe", cmd_pipe, "\tpipe selected stream through an external program (see ext)" }, 59 | { "ports", cmd_ports, "\tprint basic stream destination port statistics" }, 60 | { "quit", cmd_quit, "\tquit program" }, 61 | { "status", cmd_status, "display program status" }, 62 | { "timestamps", cmd_timestamps, "toggle time display format 
(absolute/relative)" }, 63 | { "timeout", cmd_timeout, "set tcp session timeout (needed to detect port reuse)" }, 64 | { NULL, NULL, NULL } 65 | }; 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /src/hash.c: -------------------------------------------------------------------------------- 1 | /* 2 | hash.c 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "hash.h" 24 | 25 | u_int16_t const crc16_table[256] = { 26 | 0x0000, 0xC0C1, 0xC181, 0x0140, 0xC301, 0x03C0, 0x0280, 0xC241, 27 | 0xC601, 0x06C0, 0x0780, 0xC741, 0x0500, 0xC5C1, 0xC481, 0x0440, 28 | 0xCC01, 0x0CC0, 0x0D80, 0xCD41, 0x0F00, 0xCFC1, 0xCE81, 0x0E40, 29 | 0x0A00, 0xCAC1, 0xCB81, 0x0B40, 0xC901, 0x09C0, 0x0880, 0xC841, 30 | 0xD801, 0x18C0, 0x1980, 0xD941, 0x1B00, 0xDBC1, 0xDA81, 0x1A40, 31 | 0x1E00, 0xDEC1, 0xDF81, 0x1F40, 0xDD01, 0x1DC0, 0x1C80, 0xDC41, 32 | 0x1400, 0xD4C1, 0xD581, 0x1540, 0xD701, 0x17C0, 0x1680, 0xD641, 33 | 0xD201, 0x12C0, 0x1380, 0xD341, 0x1100, 0xD1C1, 0xD081, 0x1040, 34 | 0xF001, 0x30C0, 0x3180, 0xF141, 0x3300, 0xF3C1, 0xF281, 0x3240, 35 | 0x3600, 0xF6C1, 0xF781, 0x3740, 0xF501, 0x35C0, 0x3480, 0xF441, 36 | 0x3C00, 0xFCC1, 0xFD81, 0x3D40, 0xFF01, 0x3FC0, 0x3E80, 0xFE41, 37 | 0xFA01, 0x3AC0, 0x3B80, 0xFB41, 0x3900, 0xF9C1, 0xF881, 0x3840, 38 | 0x2800, 0xE8C1, 0xE981, 
0x2940, 0xEB01, 0x2BC0, 0x2A80, 0xEA41, 39 | 0xEE01, 0x2EC0, 0x2F80, 0xEF41, 0x2D00, 0xEDC1, 0xEC81, 0x2C40, 40 | 0xE401, 0x24C0, 0x2580, 0xE541, 0x2700, 0xE7C1, 0xE681, 0x2640, 41 | 0x2200, 0xE2C1, 0xE381, 0x2340, 0xE101, 0x21C0, 0x2080, 0xE041, 42 | 0xA001, 0x60C0, 0x6180, 0xA141, 0x6300, 0xA3C1, 0xA281, 0x6240, 43 | 0x6600, 0xA6C1, 0xA781, 0x6740, 0xA501, 0x65C0, 0x6480, 0xA441, 44 | 0x6C00, 0xACC1, 0xAD81, 0x6D40, 0xAF01, 0x6FC0, 0x6E80, 0xAE41, 45 | 0xAA01, 0x6AC0, 0x6B80, 0xAB41, 0x6900, 0xA9C1, 0xA881, 0x6840, 46 | 0x7800, 0xB8C1, 0xB981, 0x7940, 0xBB01, 0x7BC0, 0x7A80, 0xBA41, 47 | 0xBE01, 0x7EC0, 0x7F80, 0xBF41, 0x7D00, 0xBDC1, 0xBC81, 0x7C40, 48 | 0xB401, 0x74C0, 0x7580, 0xB541, 0x7700, 0xB7C1, 0xB681, 0x7640, 49 | 0x7200, 0xB2C1, 0xB381, 0x7340, 0xB101, 0x71C0, 0x7080, 0xB041, 50 | 0x5000, 0x90C1, 0x9181, 0x5140, 0x9301, 0x53C0, 0x5280, 0x9241, 51 | 0x9601, 0x56C0, 0x5780, 0x9741, 0x5500, 0x95C1, 0x9481, 0x5440, 52 | 0x9C01, 0x5CC0, 0x5D80, 0x9D41, 0x5F00, 0x9FC1, 0x9E81, 0x5E40, 53 | 0x5A00, 0x9AC1, 0x9B81, 0x5B40, 0x9901, 0x59C0, 0x5880, 0x9841, 54 | 0x8801, 0x48C0, 0x4980, 0x8941, 0x4B00, 0x8BC1, 0x8A81, 0x4A40, 55 | 0x4E00, 0x8EC1, 0x8F81, 0x4F40, 0x8D01, 0x4DC0, 0x4C80, 0x8C41, 56 | 0x4400, 0x84C1, 0x8581, 0x4540, 0x8701, 0x47C0, 0x4680, 0x8641, 57 | 0x8201, 0x42C0, 0x4380, 0x8341, 0x4100, 0x81C1, 0x8081, 0x4040 58 | }; 59 | 60 | static inline u_int16_t crc16_byte(u_int16_t crc, const u_char data) { 61 | return (crc >> 8) ^ crc16_table[(crc ^ data) & 0xff]; 62 | } 63 | 64 | u_int16_t crc16(register const u_char *buffer, register size_t len) { 65 | register u_int16_t crc = 0; 66 | while (len--) crc = crc16_byte(crc, *buffer++); 67 | return crc; 68 | } 69 | 70 | hash_entry_t *hash_add(u_int32_t addr1, u_int16_t port1, u_int32_t addr2, u_int16_t port2, void *data) { 71 | register hash_entry_t *h, *new; 72 | 73 | if ((new = malloc(sizeof(hash_entry_t))) == NULL) { 74 | perror("malloc()"); 75 | exit(EXIT_FAILURE); 76 | } 77 | 78 | memcpy(&new->key[0], 
&addr1, 4); 79 | memcpy(&new->key[4], &port1, 2); 80 | memcpy(&new->key[6], &addr2, 4); 81 | memcpy(&new->key[10], &port2, 2); 82 | 83 | new->hash = crc16(new->key, 12); 84 | new->data = data; 85 | new->next = NULL; 86 | 87 | if (hashmap[new->hash]) { 88 | for (h = hashmap[new->hash]; h->next; h = h->next) 89 | if (memcmp(h->key, new->key, 12) == 0) 90 | return NULL; // value already in hashmap 91 | 92 | h = new; 93 | } else { 94 | hashmap[new->hash] = new; 95 | } 96 | 97 | return new; 98 | } 99 | 100 | // returns a pointer to the hash entry if hash was found, and NULL otherwise 101 | // if remove > 0, remove hash from map and return the entry (must be free()d by caller) 102 | void *hash_lookup(u_int32_t addr1, u_int16_t port1, u_int32_t addr2, u_int16_t port2, int remove) { 103 | register hash_entry_t *cur, *prev; 104 | hash_entry_t query; 105 | 106 | memcpy(&query.key[0], &addr1, 4); 107 | memcpy(&query.key[4], &port1, 2); 108 | memcpy(&query.key[6], &addr2, 4); 109 | memcpy(&query.key[10], &port2, 2); 110 | 111 | query.hash = crc16(query.key, 12); 112 | 113 | for (prev = cur = hashmap[query.hash]; cur; prev = cur, cur = cur->next) { 114 | if (memcmp(cur->key, query.key, 12) == 0) { 115 | if (remove) { 116 | // remove hash from map 117 | if (prev == cur) { 118 | // it's the first list entry 119 | hashmap[query.hash] = cur->next; 120 | } else { 121 | // unlink entry 122 | prev->next = cur->next; 123 | } 124 | } 125 | return cur; 126 | } 127 | } 128 | 129 | return NULL; 130 | } 131 | -------------------------------------------------------------------------------- /src/hash.h: -------------------------------------------------------------------------------- 1 | /* 2 | hash.h 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 
8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 16 | */ 17 | 18 | #ifndef __HASH_H 19 | #define __HASH_H 20 | 21 | #include 22 | 23 | typedef struct hash_entry_t { 24 | u_int32_t hash; 25 | u_char key[12]; 26 | void *data; 27 | struct hash_entry_t *next; 28 | } hash_entry_t; 29 | 30 | hash_entry_t *hashmap[0x10000]; 31 | 32 | hash_entry_t *hash_add(u_int32_t addr1, u_int16_t port1, u_int32_t addr2, u_int16_t port2, void *data); 33 | void *hash_lookup(u_int32_t addr1, u_int16_t port1, u_int32_t addr2, u_int16_t port2, int remove); 34 | 35 | #endif 36 | -------------------------------------------------------------------------------- /src/sig.c: -------------------------------------------------------------------------------- 1 | /* 2 | sig.c 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 
16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "hash.h" 24 | #include "strm.h" 25 | 26 | void sh_general(int s) { 27 | int i; 28 | hash_entry_t *he, *next; 29 | 30 | switch (s) { 31 | case SIGINT: 32 | if (slist) { 33 | for (i = 0; i < stream_total_count; ++i) { 34 | free(slist[i]->data); 35 | free(slist[i]); 36 | } 37 | 38 | free(slist); 39 | } 40 | 41 | for (i=0; i<0x10000; ++i) { 42 | he = hashmap[i]; 43 | while (he) { 44 | next = he->next; 45 | free(he); 46 | he = next; 47 | } 48 | } 49 | 50 | exit(EXIT_SUCCESS); 51 | case SIGCHLD: 52 | printf("--> sigchild\n"); 53 | break; 54 | default: 55 | break; 56 | } 57 | 58 | return; 59 | } 60 | -------------------------------------------------------------------------------- /src/sig.h: -------------------------------------------------------------------------------- 1 | /* 2 | sig.h 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 
16 | */ 17 | 18 | #ifndef __SIG_H 19 | #define __SIG_H 20 | 21 | void sh_general(int s); 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /src/streams.c: -------------------------------------------------------------------------------- 1 | /* 2 | streams.c 3 | Copyright (C) 2011-2015 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #ifdef HAVE_CONFIG_H 29 | #include 30 | #endif 31 | 32 | #include "cmd.h" 33 | #include "sig.h" 34 | #include "streams.h" 35 | #include "strm.h" 36 | 37 | 38 | char *command_generate(const char *line, int state) { 39 | static int i; 40 | static size_t len; 41 | char *c; 42 | 43 | if (state == 0) { 44 | i = 0; 45 | len = strlen(line); 46 | } 47 | while ((c = commands[i].name) != NULL) { 48 | i++; 49 | if (strncmp(c, line, len) == 0) return strdup(c); 50 | } 51 | 52 | return NULL; 53 | } 54 | 55 | char **command_complete(const char *line, int start, int end) { 56 | char **matches = NULL; 57 | 58 | if (start == 0) 59 | matches = rl_completion_matches(line, command_generate); 60 | 61 | return matches; 62 | } 63 | 64 | cmd *command_find(const char *line, size_t len) { 65 | int i; 66 | 67 | for (i = 0; commands[i].name; ++i) { 68 | if (strncmp(commands[i].name, line, len) == 0) { 69 | return 
&commands[i]; 70 | } 71 | } 72 | 73 | return NULL; 74 | } 75 | 76 | char *stripwhite(char *string) { 77 | register char *s, *t; 78 | 79 | for (s = string; whitespace(*s); s++); 80 | 81 | if (*s == 0) return (s); 82 | 83 | t = s + strlen (s) - 1; 84 | while (t > s && whitespace (*t)) t--; 85 | *++t = '\0'; 86 | 87 | return s; 88 | } 89 | 90 | int main(int argc, char *argv[]) { 91 | char *line, *c; 92 | int wordlen; 93 | cmd *command; 94 | const char *prompt = "streams> "; 95 | struct sigaction saction; 96 | 97 | 98 | // signal stuff 99 | memset(&saction, 0, sizeof(struct sigaction)); 100 | saction.sa_handler = sh_general; 101 | saction.sa_flags |= SA_NOCLDWAIT; 102 | if (sigaction(SIGINT, &saction, NULL) == -1) { 103 | perror("sigaction()"); 104 | exit(EXIT_FAILURE); 105 | } 106 | 107 | printf( " _\n" \ 108 | " _____ _____ ___| |_ _ __ ___ __ _ _ __ ___ ___\n" \ 109 | " _____ |_____|_____| / __| __| '__/ _ \\/ _` | '_ ` _ \\/ __|\n" \ 110 | " |_____| _ |_____|_____| \\__ \\ |_| | | __/ (_| | | | | | \\__ \\ _ _ _\n" \ 111 | " (_|_)____ (_) |___/\\__|_| \\___|\\__,_|_| |_| |_|___/ (_) (_|_)\n" \ 112 | " |_____|\n" \ 113 | " version %s, Copyright (C) 2011-2016 by Tillmann Werner\n\n", VERSION); 114 | 115 | 116 | rl_attempted_completion_function = command_complete; 117 | 118 | filter = strdup("tcp"); 119 | tracefile = NULL; 120 | pktsrc = NULL; 121 | slist = NULL; 122 | extprog = NULL; 123 | matchexpr = NULL; 124 | outfile = NULL; 125 | global_start.tv_sec = 0; 126 | global_start.tv_usec = 0; 127 | relative_timestamps = 1; 128 | filter_streams = 1; 129 | offset = 0; 130 | tcp_timeout = 30; // set default tcp timeout to 30 seconds 131 | 132 | if (argc > 1) { 133 | char *command; 134 | if ((command = calloc(strlen(argv[1]) + 6, 1)) == NULL) { 135 | perror("calloc()"); 136 | exit(EXIT_FAILURE); 137 | } 138 | sprintf(command, "file %s", argv[1]); 139 | cmd_analyze(command); 140 | free(command); 141 | } 142 | 143 | for (done = 0; done == 0; ) { 144 | line = 
readline(prompt); 145 | 146 | if (line && *line) { 147 | c = stripwhite(line); 148 | 149 | add_history(c); 150 | 151 | wordlen = strlen(c); 152 | if (strchr(c, ' ')) 153 | wordlen = strchr(c, ' ') - line; 154 | 155 | if ((command = command_find(c, wordlen)) != NULL) command->fn(c); 156 | else printf("Command not implemented. Type 'help' for a list of supported commands.\n"); 157 | } else putchar('\r'); 158 | 159 | free(line); 160 | } 161 | 162 | // close packet source 163 | if (pktsrc) pcap_close(pktsrc); 164 | 165 | free(tracefile); 166 | 167 | return EXIT_SUCCESS; 168 | } 169 | -------------------------------------------------------------------------------- /src/streams.h: -------------------------------------------------------------------------------- 1 | // streams.h -- (C) 2011 Tillmann Werner, . 16 | */ 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | 31 | #include "hash.h" 32 | #include "streams.h" 33 | #include "strm.h" 34 | #include "util.h" 35 | 36 | #define max(a, b) (a) > (b) ? (a) : (b) 37 | 38 | 39 | // Note that TCP stream reassembly is quite an expensive task. 
To quote the Wireshark Wiki: "Warning : memory is consumed like there is no tomorrow" 40 | 41 | 42 | void strm_assemble(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes) { 43 | int dl_offset = *(int *) user; 44 | struct iphdr *ip; 45 | struct tcphdr *tcp; 46 | hash_entry_t *he; 47 | stream *strm; 48 | u_int32_t plen; 49 | u_char *payload; 50 | int embd_offset = 0; 51 | 52 | if (!h || !bytes) return; 53 | 54 | if (global_start.tv_sec == 0 && global_start.tv_usec == 0) 55 | global_start = h->ts; 56 | 57 | if (h->len < dl_offset + sizeof(struct iphdr)) return; 58 | 59 | if (dl_offset == 14 && ((u_short *)bytes)[6] == 0x6488) embd_offset = 8; 60 | 61 | ip = (struct iphdr *) (bytes + dl_offset + embd_offset); 62 | 63 | // ignore non-TCP packets for now 64 | if (ip->protocol != 6) return; 65 | 66 | if (h->len < dl_offset + embd_offset + (4 * ip->ihl) + sizeof(struct tcphdr)) return; 67 | tcp = (struct tcphdr *) (bytes + dl_offset + embd_offset + (4 * ip->ihl)); 68 | 69 | payload = (u_char *) (bytes + dl_offset + embd_offset + (4 * (ip->ihl + tcp->doff))); 70 | plen = ntohs(ip->tot_len) - (4 * (ip->ihl + tcp->doff)); 71 | 72 | /* 73 | char s[16], d[16]; 74 | printf("%s:%d > %s:%d %c%c%c%c %u (%d bytes)\n", inet_ntop(AF_INET, &ip->saddr, s, 16), ntohs(tcp->source), inet_ntop(AF_INET, &ip->daddr, d, 16), ntohs(tcp->dest), 75 | tcp->fin ? 'F' : '.', tcp->syn ? 'S' : '.', tcp->rst ? 'R' : '.', tcp->ack ? 'A' : '.', ntohl(tcp->seq), plen); 76 | */ 77 | 78 | // search for a stream this segment may belong to 79 | he = hash_lookup(ip->saddr, tcp->source, ip->daddr, tcp->dest, 0); 80 | 81 | if (he != NULL) { 82 | // tcp session timeout exceeded? 
		strm = he->data;
		if (h->ts.tv_sec - strm->end.tv_sec > (time_t) tcp_timeout) {
			// stream timed out, remove it from hash table
			if ((he = hash_lookup(ip->saddr, tcp->source, ip->daddr, tcp->dest, 1)) == NULL) {
				fprintf(stderr, "Error while processing timed out stream.\n");
				exit(EXIT_FAILURE);
			}

			// if a match expression is defined: check if stream matches
			strm->match = 1;
			if (matchexpr && memmem(strm->data, strm->len, matchexpr, strlen(matchexpr)) == NULL)
				strm->match = 0;

			// hashmap entry has already been removed from the map, now free it
			free(he);
			he = NULL;
		}
	}

	if (tcp->syn) {
		if (he == NULL) {
			// new stream, insert it into the hash table
			// (malloc(0) may legitimately return NULL, so allocate at least one byte)
			if (((strm = calloc(1, sizeof(stream))) == NULL) ||
			    ((strm->data = malloc(plen ? plen : 1)) == NULL)) {
				perror("malloc()");
				exit(EXIT_FAILURE);
			}
			if ((he = hash_add(ip->saddr, tcp->source, ip->daddr, tcp->dest, strm)) == NULL) {
				fprintf(stderr, "Cannot add hashmap entry: key already exists.\n");
				exit(EXIT_FAILURE);
			}
			strm = he->data;
			strm->number = stream_total_count;
			strm->isn = ntohl(tcp->seq);
			strm->relisn = ntohl(tcp->seq);
			strm->s.addr = ip->saddr;
			strm->s.port = tcp->source;
			strm->d.addr = ip->daddr;
			strm->d.port = tcp->dest;
			strm->start = h->ts;
			strm->match = matchexpr ? 0 : 1;

			pstats[ntohs(tcp->dest)].count++;

			// add stream to chronological list
			if ((slist = realloc(slist, (stream_total_count + 1) * sizeof(stream *))) == NULL) {
				perror("realloc()");
				exit(EXIT_FAILURE);
			}
			slist[stream_total_count] = strm;

			stream_total_count++;
		} else strm = he->data;

		strm->end = h->ts;

		// data on syn?
		// then add it to the stream (allowed per RFC, but should not really happen in practice)
		if (plen) {
			// a retransmitted SYN may carry data for a stream that already
			// has a buffer: make sure it is large enough before copying
			if (strm->len < plen) {
				if ((strm->data = realloc(strm->data, plen)) == NULL) {
					perror("realloc()");
					exit(EXIT_FAILURE);
				}
			}
			memmove(strm->data, payload, plen);
			strm->len = max(strm->len, (size_t) plen);
		}
	} else {
		// if a stream exists, add payload
		if (he != NULL) {
			strm = he->data;
			strm->end = h->ts;

			// check if sequence number wrapped around and is in a valid range
			if (strm->isn == strm->relisn && strm->isn > ntohl(tcp->seq)) {
				// sanity check, drop stream if wrapped segment is more than one megabyte into the stream
				if (ntohl(tcp->seq) - strm->isn > 1024 * 1024) {
					char s[16], d[16];
					printf("Error: cannot handle packet with wrapped sequence number %u for stream: %s:%d > %s:%d %c%c%c%c %u (ISN was %u)\n",
						ntohl(tcp->seq),
						inet_ntop(AF_INET, &ip->saddr, s, 16), ntohs(tcp->source),
						inet_ntop(AF_INET, &ip->daddr, d, 16), ntohs(tcp->dest),
						tcp->fin ? 'F' : '.', tcp->syn ? 'S' : '.', tcp->rst ? 'R' : '.', tcp->ack ? 'A' : '.',
						ntohl(tcp->seq), strm->isn);
					exit(EXIT_FAILURE);
				}
			}

			// basic overwrite style stream reassembly: a later segment that
			// overlaps an earlier one replaces its bytes, which is not what
			// every receiving TCP stack does
			//
			// a data segment carrying the ISN itself (duplicate SYN with the
			// flag cleared) would compute offset -1 and write in front of the
			// buffer; it is ignored instead
			if (strm && plen && ntohl(tcp->seq) != strm->isn) {
				// the SYN consumes one sequence number, so the first payload
				// byte is at seq == isn + 1, i.e. stream offset seq - isn - 1
				u_int32_t off = ntohl(tcp->seq) - strm->isn - 1;

				if (strm->len < (size_t) off + plen) {
					// need more space; zero the new tail so a gap left by a
					// missing segment shows up as NULs rather than stale heap bytes
					if ((strm->data = realloc(strm->data, (size_t) off + plen)) == NULL) {
						perror("realloc()");
						exit(EXIT_FAILURE);
					}
					memset(strm->data + strm->len, 0, (size_t) off + plen - strm->len);
				}
				memmove(strm->data + off, payload, plen);
				strm->len = max(strm->len, (size_t) off + plen);
			}

			// if segment has the FIN or RST flag set, terminate the stream
			if (tcp->fin || tcp->rst) {
				if ((he = hash_lookup(ip->saddr, tcp->source, ip->daddr, tcp->dest, 1)) != NULL) {
					// stream terminated, mark it as complete
					strm = he->data;
					strm->end = h->ts;

					if (strm->len) {
						// non-empty stream
						stream_complete_count++;
						strm->complete = 1;
					}

					// if a match expression is defined: check if stream matches
					strm->match = 1;
					if (matchexpr && memmem(strm->data, strm->len, matchexpr, strlen(matchexpr)) == NULL)
						strm->match = 0;
				}
			}
		}
	}

	return;
}


int strm_list(int number) {
	stream *s;
	int i;
	char saddr[INET_ADDRSTRLEN], daddr[INET_ADDRSTRLEN], start[20], end[20];
	struct timeval sdiff, ediff;
	time_t t;

	for (i = 0; i < stream_total_count; ++i) {
		if (number >= 0 && i != number) continue;

		s = slist[i];
		if (s->match == 0) continue;
		if (number == -1 && filter_streams && (s->complete == 0 || s->len == 0)) continue;

		// the size argument is the size of the destination buffer
		inet_ntop(AF_INET, &s->s.addr, saddr, sizeof(saddr));
		inet_ntop(AF_INET, &s->d.addr, daddr, sizeof(daddr));
		if (relative_timestamps) {
			sdiff = timediff(global_start, s->start);
			ediff = timediff(global_start, s->end);

			printf("%5d: %6u.%06u %6u.%06u %s:%d > %s:%d (%lu bytes)%s\n",
				s->number,
				(unsigned int) sdiff.tv_sec, (unsigned int) sdiff.tv_usec, (unsigned int) ediff.tv_sec, (unsigned int) ediff.tv_usec,
				saddr, ntohs(s->s.port), daddr, ntohs(s->d.port), (long unsigned int) s->len,
				s->complete ? "" : " [empty/incomplete]");
		} else {
			// copy tv_sec into a real time_t before calling gmtime(); casting
			// the pointer is wrong wherever tv_sec is not a time_t
			t = s->start.tv_sec;
			strftime(start, sizeof(start), "%Y-%m-%d %H:%M:%S", gmtime(&t));
			t = s->end.tv_sec;
			strftime(end, sizeof(end), "%Y-%m-%d %H:%M:%S", gmtime(&t));
			printf("%5d: %s.%06u %s.%06u %s:%d > %s:%d (%lu bytes)%s\n",
				s->number,
				start, (unsigned int) s->start.tv_usec, end, (unsigned int) s->end.tv_usec,
				saddr, ntohs(s->s.port), daddr, ntohs(s->d.port), (long unsigned int) s->len,
				s->complete ?
"" : " [empty/incomplete]"); 237 | } 238 | if (number >= 0 && i == number) break; 239 | } 240 | return 0; 241 | } 242 | 243 | 244 | int portcmp(const void *a, const void *b) { 245 | portstat *pa = (portstat *) a; 246 | portstat *pb = (portstat *) b; 247 | 248 | if (pa->count > pb->count) return 1; 249 | if (pa->count < pb->count) return -1; 250 | return 0; 251 | } 252 | -------------------------------------------------------------------------------- /src/strm.h: -------------------------------------------------------------------------------- 1 | /* 2 | strm.h 3 | Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de 4 | 5 | This program is free software; you can redistribute it and/or modify 6 | it under the terms of the GNU General Public License version 2 as 7 | published by the Free Software Foundation. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see . 
*/

#ifndef __TRACKER_H
#define __TRACKER_H

// header names were lost in extraction; reconstructed from the types used below
#include <sys/types.h>
#include <netinet/in.h>
#include <pcap.h>


typedef struct {
	int number;
	int complete;
	int match;
	size_t len;
	u_char *data;
	struct {
		in_addr_t addr;
		u_int16_t port;
	} s, d;
	u_int32_t isn;
	int64_t relisn;
	struct timeval start;
	struct timeval end;
} stream;

// Globals shared between the command loop and the reassembler. They are
// tentative definitions in a header, which only links when the compiler
// merges common symbols (gcc before 10, or -fcommon); with a modern default
// of -fno-common every translation unit that includes this file defines them
// and the link fails with duplicate symbols.
stream **slist;

typedef struct {
	uint16_t port;
	size_t count;
} portstat;

portstat pstats[0x10000];

pcap_t *pktsrc;
int stream_total_count;
int stream_complete_count;
int relative_timestamps;
int filter_streams;
unsigned int tcp_timeout;
struct timeval global_start;

void strm_assemble(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes);
int strm_list(int number);
int portcmp(const void *a, const void *b);

#endif
--------------------------------------------------------------------------------
/src/util.c:
--------------------------------------------------------------------------------
/*
	util.c
	Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de

	This program is free software; you can redistribute it and/or modify
	it under the terms of the GNU General Public License version 2 as
	published by the Free Software Foundation.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// header names were lost in extraction; reconstructed from what the file uses
#include <sys/types.h>
#include <sys/time.h>
#include <stdio.h>
#include <ctype.h>


// hex dump in the usual offset / hex bytes / |ascii| layout
void hd(const u_char *data, size_t len) {
	size_t i, j;

	if (!data || !len) return;

	for (i = 0; i < len; i += 0x10) {
		printf("0x%08zx  ", i);

		// hex column; the body of this loop was lost in extraction and is
		// reconstructed here: two hex digits per byte, an extra blank after
		// the eighth byte, and padding so the ascii column lines up on a
		// short final row
		for (j = 0; j < 0x10 && i + j < len; j++)
			printf("%02x%*c", data[i + j], (j == 0x7 ? 2 : 1), ' ');
		for (; j < 0x10; j++)
			printf("  %*c", (j == 0x7 ? 2 : 1), ' ');

		putchar('|');

		for (j = 0; j < 0x10 && i + j < len; j++)
			putchar(isprint(data[i + j]) ? data[i + j] : '.');

		puts("|");
	}
	putchar('\n');

	return;
}

// y - x as a normalised timeval (tv_usec kept in 0..999999)
struct timeval timediff(struct timeval x, struct timeval y) {
	struct timeval result = y;

	result.tv_sec -= x.tv_sec;

	if (x.tv_usec > result.tv_usec) {
		result.tv_sec -= 1;
		result.tv_usec += 1000000;
	}
	result.tv_usec -= x.tv_usec;

	return result;
}
--------------------------------------------------------------------------------
/src/util.h:
--------------------------------------------------------------------------------
/*
	util.h
	Copyright (C) 2011 Tillmann Werner, tillmann.werner@gmx.de

	This program is free software; you can redistribute it and/or modify
	it under the terms of the GNU General Public License version 2 as
	published by the Free Software Foundation.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

#ifndef __UTIL_H
#define __UTIL_H

// header names were lost in extraction; reconstructed from the prototypes below
#include <sys/types.h>
#include <sys/time.h>

void hd(const u_char *data, size_t len);
struct timeval timediff(struct timeval x, struct timeval y);

#endif
--------------------------------------------------------------------------------
/test/data-on-fin.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tillmannw/streams/a5458854b18ca4b2e33c070f5fa6f07ff9ca80ba/test/data-on-fin.pcap
--------------------------------------------------------------------------------
/test/ports-reused.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/tillmannw/streams/a5458854b18ca4b2e33c070f5fa6f07ff9ca80ba/test/ports-reused.pcap
--------------------------------------------------------------------------------
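Added example, not part of the streams project: the length validation a pcap callback such as strm_assemble() in src/strm.c needs before it touches the TCP payload. It parses the frame byte-wise rather than through netinet structs so it has no Linux-only dependency; the sample frame, the tcp_seg_t type and the function names are constructed for illustration. It shows the two checks that matter for memory safety, that every header read stays below pkthdr caplen (the bytes pcap actually copied, not the on-wire len) and that the payload length derived from the IP total length cannot underflow or exceed the captured bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
	uint32_t seq;
	size_t payload_off;   /* offset of the TCP payload inside the frame */
	size_t payload_len;   /* payload bytes actually present in the buffer */
	int flags;            /* low 6 bits of the TCP flags byte */
} tcp_seg_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t) (p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
	return (uint32_t) p[0] << 24 | (uint32_t) p[1] << 16 | (uint32_t) p[2] << 8 | p[3];
}

/* Returns 0 and fills *out when the captured bytes hold a complete IPv4/TCP
 * header chain, -1 otherwise. caplen is what pcap copied (pkthdr->caplen),
 * never the on-wire length. */
int parse_tcp_frame(const uint8_t *f, size_t caplen, size_t dl_off, tcp_seg_t *out) {
	size_t ip_off = dl_off, ihl, doff, tot_len, hdr_end;

	if (caplen < dl_off + 20) return -1;                  /* no room for a minimal IP header */
	/* Ethernet carrying a PPPoE session (ethertype 0x8864, read in network
	 * order): IP follows the 6-byte PPPoE and 2-byte PPP headers */
	if (dl_off == 14 && be16(f + 12) == 0x8864) {
		ip_off += 8;
		if (caplen < ip_off + 20) return -1;
	}
	if ((f[ip_off] >> 4) != 4) return -1;                 /* IPv4 only */
	ihl = (f[ip_off] & 0x0f) * 4;
	if (ihl < 20 || f[ip_off + 9] != 6) return -1;        /* bad IHL, or not TCP */
	tot_len = be16(f + ip_off + 2);

	if (caplen < ip_off + ihl + 20) return -1;            /* TCP header must be captured */
	doff = (f[ip_off + ihl + 12] >> 4) * 4;
	if (doff < 20) return -1;
	hdr_end = ip_off + ihl + doff;
	if (caplen < hdr_end) return -1;                      /* TCP options truncated */
	if (tot_len < ihl + doff) return -1;                  /* total length lies: plen would underflow */

	out->seq = be32(f + ip_off + ihl + 4);
	out->flags = f[ip_off + ihl + 13] & 0x3f;
	out->payload_off = hdr_end;
	out->payload_len = tot_len - ihl - doff;
	/* a snaplen may have cut the payload: clamp to what is really in the buffer */
	if (out->payload_len > caplen - hdr_end) out->payload_len = caplen - hdr_end;
	return 0;
}

/* Constructed sample: Ethernet / IPv4 / TCP frame with a 5-byte payload. */
static const uint8_t sample_frame[] = {
	/* Ethernet: dst, src, ethertype IPv4 */
	0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
	/* IPv4: v4/ihl 5, tos, tot_len 45, id, frag, ttl, proto 6, csum, 10.0.0.1 -> 10.0.0.2 */
	0x45,0x00, 0x00,0x2d, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00, 10,0,0,1, 10,0,0,2,
	/* TCP: sport 12345, dport 80, seq 0x01020304, ack 0, doff 5, PSH|ACK, win, csum, urg */
	0x30,0x39, 0x00,0x50, 0x01,0x02,0x03,0x04, 0x00,0x00,0x00,0x00, 0x50,0x18, 0x20,0x00, 0x00,0x00, 0x00,0x00,
	'h','e','l','l','o'
};

/* Runs the parser over four captures of the sample frame and returns a bitmask
 * of the cases that behaved as expected (0xf means all four did). */
unsigned demo_parse(void) {
	tcp_seg_t s;
	uint8_t bad[sizeof sample_frame];
	unsigned ok = 0;

	/* 1: full capture: 5 payload bytes at offset 54 */
	if (parse_tcp_frame(sample_frame, sizeof sample_frame, 14, &s) == 0 &&
	    s.payload_off == 54 && s.payload_len == 5 && s.seq == 0x01020304u) ok |= 1;
	/* 2: snaplen cut the capture at 56 bytes: the wire says 5, only 2 are present */
	if (parse_tcp_frame(sample_frame, 56, 14, &s) == 0 && s.payload_len == 2) ok |= 2;
	/* 3: snaplen cut into the TCP header: reject rather than read past caplen */
	if (parse_tcp_frame(sample_frame, 50, 14, &s) == -1) ok |= 4;
	/* 4: IP total length (30) smaller than the 40 header bytes: reject instead of underflowing */
	memcpy(bad, sample_frame, sizeof bad);
	bad[14 + 2] = 0x00; bad[14 + 3] = 0x1e;
	if (parse_tcp_frame(bad, sizeof bad, 14, &s) == -1) ok |= 8;
	return ok;
}

int main(void) {
	unsigned r = demo_parse();
	printf("checks passed: 0x%x of 0xf\n", r);
	return r == 0xf ? 0 : 1;
}
```

Case 2 is the one that bites with real captures: tcpdump's default snaplen keeps the headers but drops the tail of large segments, so a reassembler that trusts ip->tot_len copies bytes that were never captured.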
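Added example, not part of the streams project: a stripped-down model of the overwrite-style reassembly in strm_assemble() (src/strm.c above), kept to the sequence-number arithmetic so the behaviour is easy to check. The stream_t type, function names and the sample segments are assumptions constructed for illustration. It goes slightly beyond the original in two places: the 1 MiB sanity bound is applied to every segment rather than only to wrapped ones, and gaps are zero-filled. It shows why offset is seq - isn - 1, that uint32_t subtraction gives the correct distance after the sequence space wraps through zero, what the overwrite policy does to an overlapping retransmission, and that a segment carrying the ISN itself must be refused rather than written at offset -1.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAM_BYTES (1024 * 1024)   /* 1 MiB, the sanity bound strm.c uses */

typedef struct {
	uint32_t isn;    /* sequence number carried by the SYN */
	uint8_t *data;   /* reassembled payload; offset 0 is sequence number isn + 1 */
	size_t len;      /* bytes covered so far (also the buffer size) */
} stream_t;

/* Place one data segment into the stream; returns 0, or -1 for a segment the
 * model refuses. The SYN consumes one sequence number, so payload byte 0 sits
 * at isn + 1 and the buffer offset is seq - isn - 1. The subtraction is done
 * in uint32_t, which yields the right distance even after a wrap. */
int stream_add_segment(stream_t *s, uint32_t seq, const uint8_t *payload, size_t plen) {
	uint32_t off;
	uint64_t need;

	if (plen == 0) return 0;
	if (seq == s->isn) return -1;              /* data at the ISN would land at offset -1 */
	off = seq - s->isn - 1;
	need = (uint64_t) off + plen;
	if (need > MAX_STREAM_BYTES) return -1;    /* bound in both directions, not only on wrap */

	if (s->len < need) {
		uint8_t *p = realloc(s->data, (size_t) need);
		if (p == NULL) return -1;
		memset(p + s->len, 0, (size_t) need - s->len);   /* gaps read as NULs, not stale heap */
		s->data = p;
		s->len = (size_t) need;
	}
	memcpy(s->data + off, payload, plen);      /* overwrite policy: the last copy wins */
	return 0;
}

/* Worked scenario (constructed): ISN just below 2^32 so the data segments
 * wrap, delivered out of order, with an overlapping retransmission whose bytes
 * differ from the first copy. Returns the reassembled stream as a string, or
 * NULL if any step misbehaved. */
const char *demo_reassemble(void) {
	static char out[64];
	stream_t s = { 0xFFFFFFF0u, NULL, 0 };
	uint32_t first = s.isn + 1;                /* 0xFFFFFFF1: first payload byte */
	int ok = 1;

	/* second segment arrives first; its sequence number has wrapped to 0x00000001 */
	ok &= stream_add_segment(&s, first + 16, (const uint8_t *) "WORLD", 5) == 0;
	ok &= stream_add_segment(&s, first, (const uint8_t *) "0123456789ABCDEF", 16) == 0;
	/* retransmission of offsets 7..9 with new content: overwrite keeps "NEW",
	 * a receiver that favours the first copy keeps "789"; that ambiguity is
	 * the classic reassembly-evasion surface between a sniffer and the host */
	ok &= stream_add_segment(&s, first + 7, (const uint8_t *) "NEW", 3) == 0;
	/* a data segment carrying the ISN itself is refused, not written at -1 */
	ok &= stream_add_segment(&s, s.isn, (const uint8_t *) "X", 1) == -1;
	/* a segment 2 GiB ahead is refused instead of forcing a 2 GiB realloc */
	ok &= stream_add_segment(&s, first + 0x7FFFFFFFu, (const uint8_t *) "Y", 1) == -1;

	if (!ok || s.len >= sizeof out) { free(s.data); return NULL; }
	memcpy(out, s.data, s.len);
	out[s.len] = '\0';
	free(s.data);
	return out;                                /* "0123456NEWABCDEFWORLD" */
}

int main(void) {
	const char *r = demo_reassemble();
	printf("%s\n", r ? r : "reassembly failed");
	return r ? 0 : 1;
}
```

The overwrite policy is a deliberate simplification shared with strm.c: when the tool is used to reconstruct what an endpoint actually received, remember that a host which prefers the original copy on overlap will have seen a different byte stream.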