d3/d56/flowmon-input-tcp_8c_source.html

static const char rcsid[] __attribute__((used)) = "$Id: flowmon-input-tcp.c 928 2013-01-16 08:32:47Z 255519 $";


#include <stdio.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <sys/socket.h>

#include <arpa/inet.h>

#include <endian.h>

#include <errno.h>

#include <netinet/if_ether.h>

#include <netinet/ip.h>

#include <netinet/ip6.h>

#include <netinet/tcp.h>


#include <flowmonexp/plugin_input_filter.h>


#define _ETH_P_8021AD                           0x88A8

#define _ETH_P_8021QINQ                         0x9100

#define _ETH_P_8021QINQ_DOUBLE          0x9200

#define _ETH_P_8021QINQ_TRIPPLE         0x9300


#define VLAN_HLEN                                       4

#define VLAN_ID_MASK                            0xFF0F


#define MPLS_HLEN                                       4

#define MPLS_STACK_MASK                         0xFF7F


SET_PLUGIN_TYPE(PLUGIN_TYPE_INPUT_FILTER);


typedef struct {

        int data_offset;

        int32_t link_len;

} plugin_private_t;


typedef struct {

        uint16_t tcp_win_size;

        uint16_t syn_size;

} plugin_record_t;


static plugin_desc_t pcap_desc = {

        "input-tcp",

        "input filter plugin that stores size of TCP SYN packet",

        sizeof(plugin_record_t),

        0

};


PLUGIN_INPUT_FILTER_DESC{

        return(&pcap_desc);

}


RECORD_VALID(value_syn_ok){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(r, p->data_offset);


        return pr->syn_size;

}


RECORD_VALID(value_win_ok){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(r, p->data_offset);


        return pr->tcp_win_size;

}

RECORD_CURRENT_LENGTH(value_length){

        return(sizeof(uint16_t));

}


RECORD_FILLER(value_fill_syn_size){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(record, p->data_offset);


        record_universal_get(dst,&pr->syn_size, 0, sizeof(uint16_t), len, to_network_byte_order);

}


RECORD_FILLER_TXT(value_fill_syn_size_txt){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(record, p->data_offset);


        record_universal_get_txt_num(dst, &pr->syn_size, 0, sizeof(uint16_t), len);

}


RECORD_FILLER(value_fill_win_size){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(record, p->data_offset);


        record_universal_get(dst,&pr->tcp_win_size, 0, sizeof(uint16_t), len, to_network_byte_order);

}


RECORD_FILLER_TXT(value_fill_win_size_txt){

        plugin_private_t *p = (plugin_private_t*) self;

        plugin_record_t *pr = PLUGIN_DATA(record, p->data_offset);


        record_universal_get_txt_num(dst, &pr->tcp_win_size, 0, sizeof(uint16_t), len);

}


PLUGIN_INPUT_FILTER_INIT{

        plugin_private_t *retval;


        retval = malloc(sizeof(plugin_private_t));

        if(!retval){

                return(NULL);

        }

        retval->data_offset = data_offset;

        retval->link_len = -1;


        getter_add(getter_list,"SYN_SIZE", sizeof(uint16_t), retval, &value_syn_ok, &value_length, &value_fill_syn_size, &value_fill_syn_size_txt);

        getter_add(getter_list,"TCP_WIN_SIZE", sizeof(uint16_t), retval, &value_win_ok, &value_length, &value_fill_win_size, &value_fill_win_size_txt);


        return(retval);

}


int32_t link_offset (unsigned char* data, uint32_t caplen)

{

        uint16_t ethtype;

        struct ethhdr *eth;

        unsigned char* next_hdr = data;

        uint16_t link_len = 0;


        if (caplen < ETH_HLEN) {

                return (-1);

        }


        eth = (struct ethhdr*) data;

        ethtype = ntohs (eth->h_proto);


        /* move from simple 802.3 header to PDU */

        next_hdr += ETH_HLEN;

        link_len += ETH_HLEN;

        caplen -= ETH_HLEN;


        recurse:

        switch (ethtype) {

                case ETH_P_IP:

                case ETH_P_IPV6: {

                        return link_len;

                        break;

                }

                case ETH_P_8021Q:

                case _ETH_P_8021QINQ:

                case _ETH_P_8021QINQ_DOUBLE:

                case _ETH_P_8021QINQ_TRIPPLE:

                case _ETH_P_8021AD: {


                        if (caplen < VLAN_HLEN) {

                                return (-1);

                        }


                        /* skip VLAN */

                        ethtype = ntohs (*(uint16_t *) (next_hdr + 2));

                        next_hdr += VLAN_HLEN;

                        link_len += VLAN_HLEN;

                        caplen -= VLAN_HLEN;


                        goto recurse;

                }

                case ETH_P_MPLS_UC:

                case ETH_P_MPLS_MC: {


                        if (caplen < MPLS_HLEN) {

                                return (-1);

                        }


                        if ((*(uint32_t *) next_hdr) & MPLS_STACK_MASK) {

                                // try to guess the ethtype

                                switch(*(uint8_t *) (next_hdr + MPLS_HLEN) >> 4) {

                                        case 4: {

                                                        ethtype = ETH_P_IP;

                                                        break;

                                                }

                                        case 6: {

                                                        ethtype = ETH_P_IPV6;

                                                        break;

                                                }

                                        default:

                                                return (-1);

                                }

                        }


                        next_hdr += MPLS_HLEN;

                        link_len += MPLS_HLEN;

                        caplen -= MPLS_HLEN;


                        goto recurse;

                }

                default: {

                        /* unknown ethernet type is an error */

                        return -1;

                }

        }


        return (link_len);

}


PLUGIN_INPUT_FILTER_FILTER{

        plugin_private_t *p = plugin_private;

        plugin_record_t *r  = PLUGIN_DATA(record, p->data_offset);

        r->syn_size = 0;

        r->tcp_win_size = 0;


        if(record->l4.protocol == 6 && (record->l4.tcp_flags & 0x02 )){

                /* remember the size */

                r->syn_size = record->flow_octets;


                /* get TCP windows size */

                /* we need to parse the whole packet */


                /* get link header length */

                if (p->link_len < 0) p->link_len = link_offset(packet, packet_len);


                /* skip link header */

                if (p->link_len > 0) {

                        packet += p->link_len;

                        packet_len -= p->link_len;

                }


                /* skip IP header */

                if (record->l3.protocol == 4) {

                        uint8_t hlen = ((struct ip*) packet)->ip_hl*4;

                        packet += hlen;

                        packet_len -= hlen;

                } else if (record->l3.protocol == 6) {

                        /* parse only one header, the next must be TCP */

                        if (((struct ip6_hdr*) packet)->ip6_nxt != 6) {

                                return FLOW_FILTER_PASS;

                        }

                        packet += 40;

                        packet_len -= 40;

                } else {

                        return FLOW_FILTER_PASS;

                }


                /* get TCP window size */

                r->tcp_win_size = htons(((struct tcphdr*) packet)->window);

        }


        return FLOW_FILTER_PASS;

}


PLUGIN_INPUT_FILTER_SHUTDOWN{

        /* nothing to do */

        return(0);

}