#include "main-ptrace.h"
#include "proto-preprocess.h"
#include "pixie-timer.h"
#include "string_s.h"
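/***************************************************************************
 * Packet-trace printing for the nmap-style --packet-trace option.
 *
 * Every sent or received frame is parsed with preprocess_frame() and one
 * summary line is written to `fp`: direction, seconds elapsed since
 * `pt_start`, protocol, source and destination endpoints, and a
 * per-protocol detail (ARP opcode, TCP flags, TCP payload length).
 *
 * Received frames are untrusted input: the protocol-specific bytes are
 * only read after checking that they lie inside `length`.
 ***************************************************************************/

/* "255.255.255.255:65535" is 21 characters plus the terminator; the
 * longest flag spelling ("FINSYNRSTPSHACKURGECECWR") is 24 characters. */
enum { ENDPOINT_BUF = 32, TYPE_BUF = 32 };

/* Returns nonzero when `need` bytes starting at `offset` lie inside a
 * frame of `length` bytes. Ordered so that a large `offset` cannot
 * overflow the arithmetic. */
static int
frame_has_bytes(size_t length, unsigned offset, size_t need)
{
    return offset <= length && length - offset >= need;
}

/* Assembles four big-endian address bytes into a host-order value.
 * The parameters are `unsigned` so the shifts happen in unsigned
 * arithmetic; shifting a promoted `int` byte >= 0x80 left by 24 would
 * overflow, which is undefined behavior. */
static unsigned
ipv4_from_bytes(unsigned b0, unsigned b1, unsigned b2, unsigned b3)
{
    return (b0 & 0xFF) << 24 | (b1 & 0xFF) << 16 | (b2 & 0xFF) << 8 | (b3 & 0xFF);
}

/* Formats `ip` (host order) and `port` as "a.b.c.d:port" into `buf`. */
static void
format_endpoint(char *buf, size_t buf_size, unsigned ip, unsigned port)
{
    sprintf_s(buf, buf_size, "%u.%u.%u.%u:%u",
              (ip >> 24) & 0xFF, (ip >> 16) & 0xFF,
              (ip >> 8) & 0xFF, (ip >> 0) & 0xFF,
              port);
}

/* Drops the ":port" suffix from an endpoint string in place; ARP lines
 * carry no ports. A string without a colon is left unchanged (the
 * original unconditionally wrote through strchr()'s result). */
static void
strip_port(char *endpoint)
{
    char *colon = strchr(endpoint, ':');
    if (colon != NULL)
        *colon = '\0';
}

/* Names an ARP opcode: "request", "response" or "unknown(N)". */
static void
arp_op_name(char *buf, size_t buf_size, unsigned op)
{
    switch (op) {
    case 1:
        strcpy_s(buf, buf_size, "request");
        break;
    case 2:
        strcpy_s(buf, buf_size, "response");
        break;
    default:
        sprintf_s(buf, buf_size, "unknown(%u)", op);
        break;
    }
}

/* Names a TCP flags byte: well-known combinations get their usual
 * label, anything else is spelled out flag by flag. */
static void
tcp_flags_name(char *buf, size_t buf_size, unsigned flags)
{
    switch (flags) {
    case 0x00: strcpy_s(buf, buf_size, "NULL"); break;
    case 0x01: strcpy_s(buf, buf_size, "FIN"); break;
    case 0x11: strcpy_s(buf, buf_size, "FIN-ACK"); break;
    case 0x19: strcpy_s(buf, buf_size, "FIN-ACK-PSH"); break;
    case 0x02: strcpy_s(buf, buf_size, "SYN"); break;
    case 0x12: strcpy_s(buf, buf_size, "SYN-ACK"); break;
    case 0x04: strcpy_s(buf, buf_size, "RST"); break;
    case 0x14: strcpy_s(buf, buf_size, "RST-ACK"); break;
    case 0x15: strcpy_s(buf, buf_size, "RST-FIN-ACK"); break;
    case 0x10: strcpy_s(buf, buf_size, "ACK"); break;
    case 0x18: strcpy_s(buf, buf_size, "ACK-PSH"); break;
    default:
        sprintf_s(buf, buf_size,
                  "%s%s%s%s%s%s%s%s",
                  (flags & 0x01) ? "FIN" : "",
                  (flags & 0x02) ? "SYN" : "",
                  (flags & 0x04) ? "RST" : "",
                  (flags & 0x08) ? "PSH" : "",
                  (flags & 0x10) ? "ACK" : "",
                  (flags & 0x20) ? "URG" : "",
                  (flags & 0x40) ? "ECE" : "",
                  (flags & 0x80) ? "CWR" : "");
        break;
    }
}

/**
 * Writes one trace line for a frame.
 *
 * @param fp       Output stream; nothing is written when NULL.
 * @param pt_start Reference time in seconds; the line shows time since it.
 * @param px       Frame bytes; nothing is written when NULL.
 * @param length   Number of valid bytes at `px`.
 * @param is_sent  Nonzero for a frame we transmitted ("SENT"), else "RCVD".
 *
 * Frames that preprocess_frame() rejects, and IPv6 frames, produce no
 * output. Protocol bytes beyond `length` are never read; a frame too
 * short for its ARP opcode or TCP flags byte is labelled "truncated".
 */
void
packet_trace(FILE *fp, double pt_start, const unsigned char *px, size_t length, unsigned is_sent)
{
    struct PreprocessedInfo parsed;
    char from[ENDPOINT_BUF];
    char to[ENDPOINT_BUF];
    char sz_type[TYPE_BUF];
    unsigned offset;
    /* Stamp the frame before parsing so the delta reflects arrival time,
     * not parsing time. pixie_gettime() is taken to be in microseconds. */
    double elapsed = 1.0 * pixie_gettime() / 1000000.0 - pt_start;
    const char *direction = is_sent ? "SENT" : "RCVD";

    if (fp == NULL || px == NULL)
        return;

    /* parse the packet */
    if (!preprocess_frame(px, (unsigned)length, 1, &parsed))
        return;
    offset = parsed.found_offset;

    /* format the IP addresses into fixed-width fields */
    format_endpoint(from, sizeof from,
                    ipv4_from_bytes(parsed.ip_src[0], parsed.ip_src[1],
                                    parsed.ip_src[2], parsed.ip_src[3]),
                    parsed.port_src);
    format_endpoint(to, sizeof to,
                    ipv4_from_bytes(parsed.ip_dst[0], parsed.ip_dst[1],
                                    parsed.ip_dst[2], parsed.ip_dst[3]),
                    parsed.port_dst);

    switch (parsed.found) {
    case FOUND_ARP:
        strip_port(to);
        strip_port(from);
        /* The opcode lives at bytes 6-7 of the ARP header. */
        if (frame_has_bytes(length, offset, 8)) {
            arp_op_name(sz_type, sizeof sz_type,
                        (unsigned)px[offset + 6] << 8 | px[offset + 7]);
        } else {
            strcpy_s(sz_type, sizeof sz_type, "truncated");
        }
        fprintf(fp, "%s (%5.4f) ARP %-21s > %-21s %s\n", direction,
                elapsed, from, to, sz_type);
        break;

    case FOUND_DNS:
    case FOUND_UDP:
        fprintf(fp, "%s (%5.4f) UDP %-21s > %-21s \n", direction,
                elapsed, from, to);
        break;

    case FOUND_ICMP:
        fprintf(fp, "%s (%5.4f) ICMP %-21s > %-21s \n", direction,
                elapsed, from, to);
        break;

    case FOUND_TCP:
        /* The flags byte is at offset 13 of the TCP header. */
        if (frame_has_bytes(length, offset, 14)) {
            tcp_flags_name(sz_type, sizeof sz_type, px[offset + 13]);
        } else {
            strcpy_s(sz_type, sizeof sz_type, "truncated");
        }
        if (parsed.app_length) {
            fprintf(fp, "%s (%5.4f) TCP %-21s > %-21s %s %u-bytes\n", direction,
                    elapsed, from, to, sz_type, parsed.app_length);
        } else {
            fprintf(fp, "%s (%5.4f) TCP %-21s > %-21s %s\n", direction,
                    elapsed, from, to, sz_type);
        }
        break;

    case FOUND_IPV6:
        /* IPv6 is deliberately not traced here. */
        break;

    default:
        fprintf(fp, "%s (%5.4f) UNK %-21s > %-21s [%u]\n", direction,
                elapsed, from, to, (unsigned)parsed.found);
        break;
    }
}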