Diffstat (limited to 'contrib/impcap')
-rw-r--r-- | contrib/impcap/Makefile.am | 22 | ||||
-rw-r--r-- | contrib/impcap/Makefile.in | 949 | ||||
-rw-r--r-- | contrib/impcap/arp_parser.c | 163 | ||||
-rw-r--r-- | contrib/impcap/dns_parser.c | 372 | ||||
-rw-r--r-- | contrib/impcap/eth_parser.c | 179 | ||||
-rw-r--r-- | contrib/impcap/ftp_parser.c | 152 | ||||
-rw-r--r-- | contrib/impcap/http_parser.c | 159 | ||||
-rw-r--r-- | contrib/impcap/icmp_parser.c | 79 | ||||
-rw-r--r-- | contrib/impcap/impcap.c | 748 | ||||
-rw-r--r-- | contrib/impcap/ipv4_parser.c | 101 | ||||
-rw-r--r-- | contrib/impcap/ipv6_parser.c | 305 | ||||
-rw-r--r-- | contrib/impcap/ipx_parser.c | 97 | ||||
-rw-r--r-- | contrib/impcap/llc_parser.c | 109 | ||||
-rw-r--r-- | contrib/impcap/parsers.h | 189 | ||||
-rw-r--r-- | contrib/impcap/smb_parser.c | 145 | ||||
-rw-r--r-- | contrib/impcap/tcp_parser.c | 121 | ||||
-rw-r--r-- | contrib/impcap/udp_parser.c | 90 |
17 files changed, 3980 insertions, 0 deletions
diff --git a/contrib/impcap/Makefile.am b/contrib/impcap/Makefile.am
new file mode 100644
index 0000000..e1c80e5
--- /dev/null
+++ b/contrib/impcap/Makefile.am
@@ -0,0 +1,22 @@
+pkglib_LTLIBRARIES = impcap.la
+
+impcap_la_SOURCES = impcap.c
+impcap_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS)
+impcap_la_LDFLAGS = -module -avoid-version
+impcap_la_LIBADD = -lpcap
+
+impcap_la_SOURCES += arp_parser.c
+impcap_la_SOURCES += eth_parser.c
+impcap_la_SOURCES += icmp_parser.c
+impcap_la_SOURCES += ipv4_parser.c
+impcap_la_SOURCES += ipv6_parser.c
+impcap_la_SOURCES += ipx_parser.c
+impcap_la_SOURCES += llc_parser.c
+impcap_la_SOURCES += udp_parser.c
+impcap_la_SOURCES += dns_parser.c
+impcap_la_SOURCES += tcp_parser.c
+impcap_la_SOURCES += smb_parser.c
+impcap_la_SOURCES += ftp_parser.c
+impcap_la_SOURCES += http_parser.c
+
+EXTRA_DIST=parsers.h
diff --git a/contrib/impcap/Makefile.in b/contrib/impcap/Makefile.in
new file mode 100644
index 0000000..506aaef
--- /dev/null
+++ b/contrib/impcap/Makefile.in
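Review bot: `impcap_la_LIBADD = -lpcap` hard-codes the link dependency, whereas the other flags in this same hunk come from configure substitutions (`$(PTHREADS_CFLAGS)`, `$(RSRT_CFLAGS)`), and no configure-side check for libpcap is visible in this diff, so a missing or wrong-version libpcap would only surface as a late link error rather than at configure time. Routing it through a configure-substituted variable (name per this tree's configure.ac; e.g. a `PCAP_LIBS`-style placeholder) would keep the module consistent with the rest of the tree and let the build fail early with a clear message. Separately, `EXTRA_DIST=parsers.h` is the only assignment here without spaces around `=`; `EXTRA_DIST = parsers.h` would match the surrounding style. The Makefile.in hunk that follows is automake-generated and continues past the end of this page, so it is not reviewed here.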
@@ -0,0 +1,949 @@ +# Makefile.in generated by automake 1.16.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2018 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = contrib/impcap +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ac_check_define.m4 \ + $(top_srcdir)/m4/atomic_operations.m4 \ + $(top_srcdir)/m4/atomic_operations_64bit.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + 
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(pkglibdir)" +LTLIBRARIES = $(pkglib_LTLIBRARIES) +impcap_la_DEPENDENCIES = +am_impcap_la_OBJECTS = impcap_la-impcap.lo impcap_la-arp_parser.lo \ + impcap_la-eth_parser.lo impcap_la-icmp_parser.lo \ + impcap_la-ipv4_parser.lo impcap_la-ipv6_parser.lo \ + impcap_la-ipx_parser.lo impcap_la-llc_parser.lo \ + impcap_la-udp_parser.lo impcap_la-dns_parser.lo \ + impcap_la-tcp_parser.lo impcap_la-smb_parser.lo \ + impcap_la-ftp_parser.lo impcap_la-http_parser.lo +impcap_la_OBJECTS = $(am_impcap_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +impcap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(impcap_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/impcap_la-arp_parser.Plo \ + ./$(DEPDIR)/impcap_la-dns_parser.Plo \ + ./$(DEPDIR)/impcap_la-eth_parser.Plo \ + 
./$(DEPDIR)/impcap_la-ftp_parser.Plo \ + ./$(DEPDIR)/impcap_la-http_parser.Plo \ + ./$(DEPDIR)/impcap_la-icmp_parser.Plo \ + ./$(DEPDIR)/impcap_la-impcap.Plo \ + ./$(DEPDIR)/impcap_la-ipv4_parser.Plo \ + ./$(DEPDIR)/impcap_la-ipv6_parser.Plo \ + ./$(DEPDIR)/impcap_la-ipx_parser.Plo \ + ./$(DEPDIR)/impcap_la-llc_parser.Plo \ + ./$(DEPDIR)/impcap_la-smb_parser.Plo \ + ./$(DEPDIR)/impcap_la-tcp_parser.Plo \ + ./$(DEPDIR)/impcap_la-udp_parser.Plo +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(impcap_la_SOURCES) +DIST_SOURCES = $(impcap_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +APU_CFLAGS = @APU_CFLAGS@ +APU_LIBS = @APU_LIBS@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CIVETWEB_LIBS = @CIVETWEB_LIBS@ +CONF_FILE_PATH = @CONF_FILE_PATH@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +CZMQ_CFLAGS = @CZMQ_CFLAGS@ +CZMQ_LIBS = @CZMQ_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DL_LIBS = @DL_LIBS@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FAUP_LIBS = @FAUP_LIBS@ +FGREP = @FGREP@ +GLIB_CFLAGS = @GLIB_CFLAGS@ +GLIB_LIBS = @GLIB_LIBS@ +GNUTLS_CFLAGS = @GNUTLS_CFLAGS@ +GNUTLS_LIBS = @GNUTLS_LIBS@ +GREP = @GREP@ +GSS_LIBS = @GSS_LIBS@ +GT_KSI_LS12_CFLAGS = @GT_KSI_LS12_CFLAGS@ +GT_KSI_LS12_LIBS = @GT_KSI_LS12_LIBS@ +HASH_XXHASH_LIBS = @HASH_XXHASH_LIBS@ +HIREDIS_CFLAGS = @HIREDIS_CFLAGS@ +HIREDIS_LIBS = @HIREDIS_LIBS@ +IMUDP_LIBS = @IMUDP_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IP = @IP@ +JAVA = @JAVA@ +JAVAC = @JAVAC@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBCAPNG_CFLAGS = @LIBCAPNG_CFLAGS@ +LIBCAPNG_LIBS = @LIBCAPNG_LIBS@ +LIBCAPNG_PRESENT_CFLAGS = @LIBCAPNG_PRESENT_CFLAGS@ +LIBCAPNG_PRESENT_LIBS = @LIBCAPNG_PRESENT_LIBS@ 
+LIBDBI_CFLAGS = @LIBDBI_CFLAGS@ +LIBDBI_LIBS = @LIBDBI_LIBS@ +LIBESTR_CFLAGS = @LIBESTR_CFLAGS@ +LIBESTR_LIBS = @LIBESTR_LIBS@ +LIBEVENT_CFLAGS = @LIBEVENT_CFLAGS@ +LIBEVENT_LIBS = @LIBEVENT_LIBS@ +LIBFASTJSON_CFLAGS = @LIBFASTJSON_CFLAGS@ +LIBFASTJSON_LIBS = @LIBFASTJSON_LIBS@ +LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@ +LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@ +LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@ +LIBLOGGING_CFLAGS = @LIBLOGGING_CFLAGS@ +LIBLOGGING_LIBS = @LIBLOGGING_LIBS@ +LIBLOGGING_STDLOG_CFLAGS = @LIBLOGGING_STDLOG_CFLAGS@ +LIBLOGGING_STDLOG_LIBS = @LIBLOGGING_STDLOG_LIBS@ +LIBLOGNORM_CFLAGS = @LIBLOGNORM_CFLAGS@ +LIBLOGNORM_LIBS = @LIBLOGNORM_LIBS@ +LIBLZ4_CFLAGS = @LIBLZ4_CFLAGS@ +LIBLZ4_LIBS = @LIBLZ4_LIBS@ +LIBM = @LIBM@ +LIBMONGOC_CFLAGS = @LIBMONGOC_CFLAGS@ +LIBMONGOC_LIBS = @LIBMONGOC_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBRDKAFKA_CFLAGS = @LIBRDKAFKA_CFLAGS@ +LIBRDKAFKA_LIBS = @LIBRDKAFKA_LIBS@ +LIBS = @LIBS@ +LIBSYSTEMD_CFLAGS = @LIBSYSTEMD_CFLAGS@ +LIBSYSTEMD_JOURNAL_CFLAGS = @LIBSYSTEMD_JOURNAL_CFLAGS@ +LIBSYSTEMD_JOURNAL_LIBS = @LIBSYSTEMD_JOURNAL_LIBS@ +LIBSYSTEMD_LIBS = @LIBSYSTEMD_LIBS@ +LIBTOOL = @LIBTOOL@ +LIBUUID_CFLAGS = @LIBUUID_CFLAGS@ +LIBUUID_LIBS = @LIBUUID_LIBS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MYSQL_CFLAGS = @MYSQL_CFLAGS@ +MYSQL_CONFIG = @MYSQL_CONFIG@ +MYSQL_LIBS = @MYSQL_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_CFLAGS = @OPENSSL_CFLAGS@ +OPENSSL_LIBS = @OPENSSL_LIBS@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PGSQL_CFLAGS = @PGSQL_CFLAGS@ +PGSQL_LIBS = @PGSQL_LIBS@ +PG_CONFIG = @PG_CONFIG@ +PID_FILE_PATH 
= @PID_FILE_PATH@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PROTON_CFLAGS = @PROTON_CFLAGS@ +PROTON_LIBS = @PROTON_LIBS@ +PROTON_PROACTOR_CFLAGS = @PROTON_PROACTOR_CFLAGS@ +PROTON_PROACTOR_LIBS = @PROTON_PROACTOR_LIBS@ +PTHREADS_CFLAGS = @PTHREADS_CFLAGS@ +PTHREADS_LIBS = @PTHREADS_LIBS@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RABBITMQ_CFLAGS = @RABBITMQ_CFLAGS@ +RABBITMQ_LIBS = @RABBITMQ_LIBS@ +RANLIB = @RANLIB@ +READLINK = @READLINK@ +REDIS = @REDIS@ +RELP_CFLAGS = @RELP_CFLAGS@ +RELP_LIBS = @RELP_LIBS@ +RSRT_CFLAGS = @RSRT_CFLAGS@ +RSRT_CFLAGS1 = @RSRT_CFLAGS1@ +RSRT_LIBS = @RSRT_LIBS@ +RSRT_LIBS1 = @RSRT_LIBS1@ +RST2MAN = @RST2MAN@ +RT_LIBS = @RT_LIBS@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SNMP_CFLAGS = @SNMP_CFLAGS@ +SNMP_LIBS = @SNMP_LIBS@ +SOL_LIBS = @SOL_LIBS@ +STRIP = @STRIP@ +TCL_BIN_DIR = @TCL_BIN_DIR@ +TCL_INCLUDE_SPEC = @TCL_INCLUDE_SPEC@ +TCL_LIB_FILE = @TCL_LIB_FILE@ +TCL_LIB_FLAG = @TCL_LIB_FLAG@ +TCL_LIB_SPEC = @TCL_LIB_SPEC@ +TCL_PATCH_LEVEL = @TCL_PATCH_LEVEL@ +TCL_SRC_DIR = @TCL_SRC_DIR@ +TCL_STUB_LIB_FILE = @TCL_STUB_LIB_FILE@ +TCL_STUB_LIB_FLAG = @TCL_STUB_LIB_FLAG@ +TCL_STUB_LIB_SPEC = @TCL_STUB_LIB_SPEC@ +TCL_VERSION = @TCL_VERSION@ +UDPSPOOF_CFLAGS = @UDPSPOOF_CFLAGS@ +UDPSPOOF_LIBS = @UDPSPOOF_LIBS@ +VALGRIND = @VALGRIND@ +VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ +WARN_LDFLAGS = @WARN_LDFLAGS@ +WARN_SCANNERFLAGS = @WARN_SCANNERFLAGS@ +WGET = @WGET@ +YACC = @YACC@ +YACC_FOUND = @YACC_FOUND@ +YFLAGS = @YFLAGS@ +ZLIB_CFLAGS = @ZLIB_CFLAGS@ +ZLIB_LIBS = @ZLIB_LIBS@ +ZSTD_CFLAGS = @ZSTD_CFLAGS@ +ZSTD_LIBS = @ZSTD_LIBS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ 
+am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +moddirs = @moddirs@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +pkglib_LTLIBRARIES = impcap.la +impcap_la_SOURCES = impcap.c arp_parser.c eth_parser.c icmp_parser.c \ + ipv4_parser.c ipv6_parser.c ipx_parser.c llc_parser.c \ + udp_parser.c dns_parser.c tcp_parser.c smb_parser.c \ + ftp_parser.c http_parser.c +impcap_la_CPPFLAGS = -I$(top_srcdir) $(PTHREADS_CFLAGS) $(RSRT_CFLAGS) +impcap_la_LDFLAGS = -module -avoid-version +impcap_la_LIBADD = -lpcap +EXTRA_DIST = parsers.h +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f 
$@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu contrib/impcap/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu contrib/impcap/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + +uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f 
"$(DESTDIR)$(pkglibdir)/$$f"; \ + done + +clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +impcap.la: $(impcap_la_OBJECTS) $(impcap_la_DEPENDENCIES) $(EXTRA_impcap_la_DEPENDENCIES) + $(AM_V_CCLD)$(impcap_la_LINK) -rpath $(pkglibdir) $(impcap_la_OBJECTS) $(impcap_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-arp_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-dns_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-eth_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ftp_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-http_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-icmp_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-impcap.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipv4_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipv6_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-ipx_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-llc_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-smb_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/impcap_la-tcp_parser.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/impcap_la-udp_parser.Plo@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +impcap_la-impcap.lo: impcap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-impcap.lo -MD -MP -MF $(DEPDIR)/impcap_la-impcap.Tpo -c -o impcap_la-impcap.lo `test -f 'impcap.c' || echo '$(srcdir)/'`impcap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-impcap.Tpo $(DEPDIR)/impcap_la-impcap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='impcap.c' object='impcap_la-impcap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-impcap.lo `test -f 'impcap.c' || echo '$(srcdir)/'`impcap.c + +impcap_la-arp_parser.lo: arp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-arp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-arp_parser.Tpo -c -o impcap_la-arp_parser.lo `test -f 'arp_parser.c' || echo '$(srcdir)/'`arp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-arp_parser.Tpo $(DEPDIR)/impcap_la-arp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='arp_parser.c' object='impcap_la-arp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-arp_parser.lo `test -f 'arp_parser.c' || echo '$(srcdir)/'`arp_parser.c + +impcap_la-eth_parser.lo: eth_parser.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-eth_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-eth_parser.Tpo -c -o impcap_la-eth_parser.lo `test -f 'eth_parser.c' || echo '$(srcdir)/'`eth_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-eth_parser.Tpo $(DEPDIR)/impcap_la-eth_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='eth_parser.c' object='impcap_la-eth_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-eth_parser.lo `test -f 'eth_parser.c' || echo '$(srcdir)/'`eth_parser.c + +impcap_la-icmp_parser.lo: icmp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-icmp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-icmp_parser.Tpo -c -o impcap_la-icmp_parser.lo `test -f 'icmp_parser.c' || echo '$(srcdir)/'`icmp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-icmp_parser.Tpo $(DEPDIR)/impcap_la-icmp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='icmp_parser.c' object='impcap_la-icmp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-icmp_parser.lo `test -f 'icmp_parser.c' || echo '$(srcdir)/'`icmp_parser.c + +impcap_la-ipv4_parser.lo: ipv4_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipv4_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipv4_parser.Tpo -c -o impcap_la-ipv4_parser.lo `test -f 'ipv4_parser.c' || echo '$(srcdir)/'`ipv4_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipv4_parser.Tpo $(DEPDIR)/impcap_la-ipv4_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipv4_parser.c' object='impcap_la-ipv4_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipv4_parser.lo `test -f 'ipv4_parser.c' || echo '$(srcdir)/'`ipv4_parser.c + +impcap_la-ipv6_parser.lo: ipv6_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipv6_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipv6_parser.Tpo -c -o impcap_la-ipv6_parser.lo `test -f 'ipv6_parser.c' || echo '$(srcdir)/'`ipv6_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipv6_parser.Tpo $(DEPDIR)/impcap_la-ipv6_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipv6_parser.c' object='impcap_la-ipv6_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipv6_parser.lo `test -f 'ipv6_parser.c' || echo '$(srcdir)/'`ipv6_parser.c + +impcap_la-ipx_parser.lo: ipx_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ipx_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ipx_parser.Tpo -c -o impcap_la-ipx_parser.lo `test -f 'ipx_parser.c' || echo '$(srcdir)/'`ipx_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ipx_parser.Tpo $(DEPDIR)/impcap_la-ipx_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ipx_parser.c' object='impcap_la-ipx_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ipx_parser.lo `test -f 'ipx_parser.c' || echo '$(srcdir)/'`ipx_parser.c + +impcap_la-llc_parser.lo: llc_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-llc_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-llc_parser.Tpo -c -o impcap_la-llc_parser.lo `test -f 'llc_parser.c' || echo '$(srcdir)/'`llc_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-llc_parser.Tpo $(DEPDIR)/impcap_la-llc_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='llc_parser.c' object='impcap_la-llc_parser.lo' 
libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-llc_parser.lo `test -f 'llc_parser.c' || echo '$(srcdir)/'`llc_parser.c + +impcap_la-udp_parser.lo: udp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-udp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-udp_parser.Tpo -c -o impcap_la-udp_parser.lo `test -f 'udp_parser.c' || echo '$(srcdir)/'`udp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-udp_parser.Tpo $(DEPDIR)/impcap_la-udp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='udp_parser.c' object='impcap_la-udp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-udp_parser.lo `test -f 'udp_parser.c' || echo '$(srcdir)/'`udp_parser.c + +impcap_la-dns_parser.lo: dns_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-dns_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-dns_parser.Tpo -c -o impcap_la-dns_parser.lo `test -f 'dns_parser.c' || echo '$(srcdir)/'`dns_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
$(DEPDIR)/impcap_la-dns_parser.Tpo $(DEPDIR)/impcap_la-dns_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='dns_parser.c' object='impcap_la-dns_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-dns_parser.lo `test -f 'dns_parser.c' || echo '$(srcdir)/'`dns_parser.c + +impcap_la-tcp_parser.lo: tcp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-tcp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-tcp_parser.Tpo -c -o impcap_la-tcp_parser.lo `test -f 'tcp_parser.c' || echo '$(srcdir)/'`tcp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-tcp_parser.Tpo $(DEPDIR)/impcap_la-tcp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='tcp_parser.c' object='impcap_la-tcp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-tcp_parser.lo `test -f 'tcp_parser.c' || echo '$(srcdir)/'`tcp_parser.c + +impcap_la-smb_parser.lo: smb_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-smb_parser.lo -MD -MP -MF 
$(DEPDIR)/impcap_la-smb_parser.Tpo -c -o impcap_la-smb_parser.lo `test -f 'smb_parser.c' || echo '$(srcdir)/'`smb_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-smb_parser.Tpo $(DEPDIR)/impcap_la-smb_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='smb_parser.c' object='impcap_la-smb_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-smb_parser.lo `test -f 'smb_parser.c' || echo '$(srcdir)/'`smb_parser.c + +impcap_la-ftp_parser.lo: ftp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-ftp_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-ftp_parser.Tpo -c -o impcap_la-ftp_parser.lo `test -f 'ftp_parser.c' || echo '$(srcdir)/'`ftp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-ftp_parser.Tpo $(DEPDIR)/impcap_la-ftp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='ftp_parser.c' object='impcap_la-ftp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-ftp_parser.lo `test -f 'ftp_parser.c' || echo '$(srcdir)/'`ftp_parser.c + +impcap_la-http_parser.lo: http_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile 
$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT impcap_la-http_parser.lo -MD -MP -MF $(DEPDIR)/impcap_la-http_parser.Tpo -c -o impcap_la-http_parser.lo `test -f 'http_parser.c' || echo '$(srcdir)/'`http_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/impcap_la-http_parser.Tpo $(DEPDIR)/impcap_la-http_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='http_parser.c' object='impcap_la-http_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(impcap_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o impcap_la-http_parser.lo `test -f 'http_parser.c' || echo '$(srcdir)/'`http_parser.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case 
"$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(pkglibdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-pkglibLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/impcap_la-arp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-dns_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-eth_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ftp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-http_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-icmp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-impcap.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipv4_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipv6_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipx_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-llc_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-smb_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-tcp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-udp_parser.Plo + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-pkglibLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/impcap_la-arp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-dns_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-eth_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ftp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-http_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-icmp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-impcap.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipv4_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipv6_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-ipx_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-llc_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-smb_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-tcp_parser.Plo + -rm -f ./$(DEPDIR)/impcap_la-udp_parser.Plo + -rm 
-f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pkglibLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libtool clean-pkglibLTLIBRARIES \ + cscopelist-am ctags ctags-am distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-pdf \ + install-pdf-am install-pkglibLTLIBRARIES install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \ + uninstall-am uninstall-pkglibLTLIBRARIES + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/contrib/impcap/arp_parser.c b/contrib/impcap/arp_parser.c new file mode 100644 index 0000000..5d8ce6e --- /dev/null +++ b/contrib/impcap/arp_parser.c 
@@ -0,0 +1,163 @@
+/* arp_parser.c
+ *
+ * This file contains functions to parse ARP and RARP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+struct arp_header_s {
+ uint16_t hwType;
+ uint16_t pType;
+ uint8_t hwAddrLen;
+ uint8_t pAddrLen;
+ uint16_t opCode;
+ uint8_t pAddr[];
+};
+
+typedef struct arp_header_s arp_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract ARP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the ARP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where ARP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *arp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("arp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 28) { /* too small for ARP header*/
+ DBGPRINTF("ARP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0);
+ }
+
+ /* Union to prevent cast from uchar to arp_header_t */
+ union {
+ const uchar *pck;
+ arp_header_t *hdr;
+ } arp_header_to_char;
+
+ arp_header_to_char.pck = packet;
+ arp_header_t *arp_header = arp_header_to_char.hdr;
+
+ char pAddrSrc[20], pAddrDst[20];
+
+ json_object_object_add(jparent, "ARP_hwType", json_object_new_int(ntohs(arp_header->hwType)));
+ json_object_object_add(jparent, "ARP_pType", json_object_new_int(ntohs(arp_header->pType)));
+ json_object_object_add(jparent, "ARP_op", json_object_new_int(ntohs(arp_header->opCode)));
+
+ if (ntohs(arp_header->hwType) == 1) { /* ethernet addresses */
+ char hwAddrSrc[20], hwAddrDst[20];
+
+ ether_ntoa_r((struct ether_addr *)arp_header->pAddr, hwAddrSrc);
+ ether_ntoa_r((struct ether_addr *)(arp_header->pAddr + arp_header->hwAddrLen + arp_header->pAddrLen),
+ hwAddrDst);
+
+ json_object_object_add(jparent, "ARP_hwSrc", json_object_new_string((char *)hwAddrSrc));
+ json_object_object_add(jparent, "ARP_hwDst", json_object_new_string((char *)hwAddrDst));
+ }
+
+ if (ntohs(arp_header->pType) == ETHERTYPE_IP) {
+ inet_ntop(AF_INET, (void *)(arp_header->pAddr + arp_header->hwAddrLen), pAddrSrc, 20);
+ inet_ntop(AF_INET, (void *)(arp_header->pAddr + 2 * arp_header->hwAddrLen + arp_header->pAddrLen),
+ pAddrDst, 20);
+
+ json_object_object_add(jparent, "ARP_pSrc", json_object_new_string((char *)pAddrSrc));
+ json_object_object_add(jparent, "ARP_pDst", json_object_new_string((char *)pAddrDst));
+ }
+
+ RETURN_DATA_AFTER(28);
+}
+
+/*
+ * This function parses the bytes in the received packet to extract RARP metadata.
+ * This is a copy of ARP handler, as structure is the same but protocol code and name are different
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the RARP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where RARP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *rarp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("rarp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 28) { /* too small for RARP header*/
+ DBGPRINTF("RARP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0);
+ }
+
+ /* Union to prevent cast from uchar to arp_header_t */
+ union {
+ const uchar *pck;
+ arp_header_t *hdr;
+ } arp_header_to_char;
+
+ arp_header_to_char.pck = packet;
+ arp_header_t *rarp_header = arp_header_to_char.hdr;
+
+ char pAddrSrc[20], pAddrDst[20];
+
+ json_object_object_add(jparent, "RARP_hwType", json_object_new_int(ntohs(rarp_header->hwType)));
+ json_object_object_add(jparent, "RARP_pType", json_object_new_int(ntohs(rarp_header->pType)));
+ json_object_object_add(jparent, "RARP_op", json_object_new_int(ntohs(rarp_header->opCode)));
+
+ if (ntohs(rarp_header->hwType) == 1) { /* ethernet addresses */
+ char *hwAddrSrc = ether_ntoa((struct ether_addr *)rarp_header->pAddr);
+ char *hwAddrDst = ether_ntoa((struct ether_addr *)(rarp_header->pAddr +
+ rarp_header->hwAddrLen +
+ rarp_header->pAddrLen));
+
+ json_object_object_add(jparent, "RARP_hwSrc", json_object_new_string((char *)hwAddrSrc));
+ json_object_object_add(jparent, "RARP_hwDst", json_object_new_string((char *)hwAddrDst));
+ }
+
+ if (ntohs(rarp_header->pType) == ETHERTYPE_IP) {
+ inet_ntop(AF_INET, (void *)(rarp_header->pAddr + rarp_header->hwAddrLen), pAddrSrc, 20);
+ inet_ntop(AF_INET, (void *)(rarp_header->pAddr + 2 * rarp_header->hwAddrLen + rarp_header->pAddrLen),
+ pAddrDst, 20);
+
+ json_object_object_add(jparent, "RARP_pSrc", json_object_new_string((char *)pAddrSrc));
+ json_object_object_add(jparent, "RARP_pDst", json_object_new_string((char *)pAddrDst));
+ }
+
+ RETURN_DATA_AFTER(28);
+}
diff --git a/contrib/impcap/dns_parser.c b/contrib/impcap/dns_parser.c
new file mode 100644
index 0000000..f9f4e68
--- /dev/null
+++ b/contrib/impcap/dns_parser.c
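Review bot: The hwAddrLen and pAddrLen bytes come straight from the packet and are used as offsets into pAddr without validation, so a frame that passes the 28-byte minimum but carries larger length fields makes ether_ntoa_r/inet_ntop read past pktSize (the destination hardware address is taken at pAddr + hwAddrLen + pAddrLen, the destination protocol address at pAddr + 2*hwAddrLen + pAddrLen). The 28-byte check only covers the Ethernet/IPv4 layout, so gate both decoders on those lengths: `if (ntohs(arp_header->hwType) == 1 && arp_header->hwAddrLen == 6 && arp_header->pAddrLen == 4) {` and `if (ntohs(arp_header->pType) == ETHERTYPE_IP && arp_header->hwAddrLen == 6 && arp_header->pAddrLen == 4) {`. rarp_parse needs the same two guards, since it is a verbatim copy. Separately, rarp_parse uses ether_ntoa, which returns a pointer to a single static buffer, so by the time hwAddrSrc is serialised it already holds the destination address and RARP_hwSrc and RARP_hwDst carry the same value (and the call is not thread-safe); use ether_ntoa_r with local buffers exactly as arp_parse does.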
@@ -0,0 +1,372 @@
+/* dns_parser.c
+ *
+ * This file contains functions to parse DNS headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Kevin Guillemot (kevin.guillemot@advens.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+
+/* List of RCodes defined in RFC6895 : https://tools.ietf.org/html/rfc6895 */
+static const char *dns_rcodes[] = {
+ "NoError", // 0
+ "FormErr", // 1
+ "ServFail", // 2
+ "NXDomain", // 3
+ "NotImp", // 4
+ "Refused", // 5
+ "YXDomain", // 6
+ "YXRRSet", // 7
+ "NXRRSet", // 8
+ "NotAuth", // 9
+ "NotZone", // 10
+ "", // 11 - Reserved
+ "", // 12 - Reserved
+ "", // 13 - Reserved
+ "", // 14 - Reserved
+ "", // 15 - Reserved
+ "BADVERS|BADSIG", // 16
+ "BADKEY", // 17
+ "BADTIME", // 18
+ "BADMODE", // 19
+ "BADNAME", // 20
+ "BADALG", // 21
+ "BADTRUNC", // 22
+ /* Reserved for private use */
+ NULL
+};
+
+/* List of record types (maybe not complete) */
+static const char *dns_types[] = {
+ 0,
+ "A", // 1
+ "NS", // 2
+ "MD", // 3
+ "MF", // 4
+ "CNAME", // 5
+ "SOA", // 6
+ "MB", // 7
+ "MG", // 8
+ "MR", // 9
+ "NULL", // 10
+ "WKS", // 11
+ "PTR", // 12
+ "HINFO", // 13
+ "MINFO", // 14
+ "MX", // 15
+ "TXT", // 16
+ "RP", // 17
+ "AFSDB", // 18
+ "X25", // 19
+ "ISDN", // 20
+ "RT", // 21
+ "NSAP", // 22
+ "NSAP-PTR", // 23
+ "SIG", // 24
+ "KEY", // 25
+ "PX", // 26
+ "GPOS", // 27
+ "AAAA", // 28
+ "LOC", // 29
+ "NXT", // 30
+ "EID", // 31
+ "NIMLOC", // 32
+ "SRV", // 33
+ "ATMA", // 34
+ "NAPTR", // 35
+ "KX", // 36
+ "CERT", // 37
+ "A6", // 38
+ "DNAME", // 39
+ "SINK", // 40
+ "OPT", // 41
+ "APL", // 42
+ "DS", // 43
+ "SSHFP", // 44
+ "IPSECKEY", // 45
+ "RRSIG", // 46
+ "NSEC", // 47
+ "DNSKEY", // 48
+ "DHCID", // 49
+ "NSEC3", // 50
+ "NSEC3PARAM", // 51
+ "TLSA", // 51
+ "SMIMEA", // 52
+ "Unassigned", // 53
+ "HIP", // 53
+ "NINFO", // 54
+ "RKEY", // 55
+ "TALINK", // 56
+ "CDS", // 57
+ "CDNSKEY", // 58
+ "OPENPGPKEY", // 59
+ "CSYNC", // 60
+ "ZONEMD", // 61
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ "SPF", // 99
+ "UINFO", // 100
+ "UID", // 101
+ "GID", // 102
+ "UNSPEC", // 103
+ "NID", // 104
+ "L32", // 105
+ "L64", // 106
+ "LP", // 107
+ "EUI48", // 108
+ "EUI64", // 109
+ /* Reserved for private use */
+ NULL
+};
+/* Part 2, since 249. To prevent useless large buffer in memory */
+static const char *dns_types2[] = {
+ "TKEY",
+ "TSIG",
+ "IXFR",
+ "AXFR",
+ "MAILB",
+ "MAILA",
+ "*",
+ "URI",
+ "CAA",
+ "AVC",
+ "DOA",
+ "AMTRELAY",
+ NULL
+};
+/* Part 3, since 32768. To prevent useless large buffer in memory */
+static const char *dns_types3[] = {
+ "TA",
+ "DLV",
+ NULL
+};
+
+
+/* This function takes an integer as parameter
+ * and returns the corresponding string type of DNS query
+ */
+static const char *get_type(uint16_t x) {
+ const char **types = NULL;
+ uint16_t len_types3 = (sizeof(dns_types3) / sizeof(char *)) - 1;
+ uint16_t len_types2 = (sizeof(dns_types2) / sizeof(char *)) - 1;
+ uint16_t len_types = (sizeof(dns_types) / sizeof(char *)) - 1;
+ if (x >= 32768 && x < 32768 + len_types3) {
+ types = dns_types3;
+ x -= 32768;
+ }
+ else if (x >= 249 && x < 249 + len_types2) {
+ types = dns_types2;
+ x -= 249;
+ }
+ else if (x > 0 && x < len_types)
+ types = dns_types;
+ else
+ return "UNKNOWN";
+ if (types[x] != NULL)
+ return types[x];
+ return "UNKNOWN";
+}
+
+
+/* This function takes an integer as parameter
+ * and returns the corresponding string class of DNS query
+ */
+static const char *get_class(uint16_t x) {
+ switch (x) {
+ case 1:
+ return "IN";
+ case 3:
+ return "CH";
+ case 4:
+ return "HS";
+ case 254:
+ return "QCLASS NONE";
+ case 255:
+ return "QCLASS *";
+ }
+ return "UNKNOWN";
+}
+
+
+/*
+ * This function parses the bytes in the received packet to extract DNS metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where DNS metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *dns_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ const uchar *packet_ptr = packet;
+ const uchar *end_packet = packet + pktSize;
+ DBGPRINTF("dns_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ /* Union to prevent cast from uchar to smb_header_t */
+ union {
+ unsigned short int *two_bytes;
+ const uchar *pckt;
+ } union_short_int;
+
+ /* Get transaction id */
+ union_short_int.pckt = packet_ptr;
+ unsigned short int transaction_id = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("transaction_id = %02x \n", transaction_id);
+ union_short_int.pckt += 2;
+
+ /* Get flags */
+ unsigned short int flags = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("flags = %02x \n", flags);
+
+ /* Get response flag */
+ unsigned short int response_flag = (flags >> 15) & 0b1; // Get the left bit
+ //DBGPRINTF("response_flag = %02x \n", response_flag);
+
+ /* Get Opcode */
+ unsigned short int opcode = (flags >> 11) & 0b1111;
+ //DBGPRINTF("opcode = %02x \n", opcode);
+
+ /* Verify Z: reserved bit */
+ unsigned short int reserved = (flags >> 6) & 0b1;
+ //DBGPRINTF("reserved = %02x \n", reserved);
+ /* Reserved bit MUST be 0 */
+ if (reserved != 0) {
+ DBGPRINTF("DNS packet reserved bit (Z) is not 0, aborting message. \n");
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Get reply code : 4 last bits */
+ unsigned short int reply_code = flags & 0b1111;
+ //DBGPRINTF("reply_code = %02x \n", reply_code);
+
+ union_short_int.pckt += 2;
+
+ /* Get QDCOUNT */
+ unsigned short int query_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("query_count = %02x \n", query_count);
+ union_short_int.pckt += 2;
+
+ /* Get ANCOUNT */
+ unsigned short int answer_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("answer_count = %02x \n", answer_count);
+ union_short_int.pckt += 2;
+
+ /* Get NSCOUNT */
+ unsigned short int authority_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("authority_count = %02x \n", authority_count);
+ union_short_int.pckt += 2;
+
+ /* Get ARCOUNT */
+ unsigned short int additionnal_count = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("additionnal_count = %02x \n", additionnal_count);
+ union_short_int.pckt += 2;
+ packet_ptr = union_short_int.pckt;
+
+ fjson_object *queries = NULL;
+ if ((queries = json_object_new_array()) == NULL) {
+ DBGPRINTF("impcap::dns_parser: Cannot create new json array. Stopping.\n");
+ RETURN_DATA_AFTER(0)
+ }
+
+ // For each query of query_count
+ int query_cpt = 0;
+ while (query_cpt < query_count && packet_ptr < end_packet) {
+ size_t query_size = strnlen((const char *)packet_ptr, (size_t)(end_packet - packet_ptr));
+ // Check if query is valid (max 255 bytes, plus a '\0')
+ if (query_size >= 256) {
+ DBGPRINTF("impcap::dns_parser: Length of domain queried is > 255. Stopping.\n");
+ break;
+ }
+ // Check if remaining data is enough to hold query + '\0' + 4 bytes (QTYPE and QCLASS fields)
+ if (query_size + 5 > (size_t)(end_packet - packet_ptr)) {
+ DBGPRINTF("impcap::dns_parser: packet size too small to parse query. Stopping.\n");
+ break;
+ }
+ fjson_object *query = NULL;
+ if ((query = json_object_new_object()) == NULL) {
+ DBGPRINTF("impcap::dns_parser: Cannot create new json object. Stopping.\n");
+ break;
+ }
+ char domain_query[256] = {0};
+ uchar nb_char = *packet_ptr;
+ packet_ptr++;
+ size_t cpt = 0;
+ while (cpt + 1 < query_size) {
+ if (nb_char == 0) {
+ nb_char = *packet_ptr;
+ domain_query[cpt] = '.';
+ } else {
+ domain_query[cpt] = (char)*packet_ptr;
+ nb_char--;
+ }
+ cpt++;
+ packet_ptr++;
+ }
+ domain_query[cpt] = '\0';
+ if (cpt)
+ packet_ptr++; // pass the last \0, only if query was not empty
+ // DBGPRINTF("Requested domain : '%s' \n", domain_query);
+
+ /* Register the name in dict */
+ json_object_object_add(query, "qname", json_object_new_string(domain_query));
+ /* Get QTYPE */
+ union_short_int.pckt = packet_ptr;
+ unsigned short int qtype = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("qtype = %02x \n", qtype);
+ json_object_object_add(query, "qtype", json_object_new_int((int)qtype));
+ json_object_object_add(query, "type", json_object_new_string(get_type(qtype)));
+ union_short_int.pckt += 2;
+ /* Retrieve QCLASS */
+ unsigned short int qclass = ntohs(*(union_short_int.two_bytes));
+ //DBGPRINTF("qclass = %02x \n", qclass);
+ json_object_object_add(query, "qclass", json_object_new_int((int)qclass));
+ json_object_object_add(query, "class", json_object_new_string(get_class(qclass)));
+ packet_ptr = union_short_int.pckt + 2;
+ /* Register the query in json array */
+ json_object_array_add(queries, query);
+ query_cpt++;
+ }
+
+ json_object_object_add(jparent, "DNS_transaction_id", json_object_new_int((int)transaction_id));
+
+ json_bool is_reponse = FALSE;
+ if (response_flag)
+ is_reponse = TRUE;
+ json_object_object_add(jparent, "DNS_response_flag", json_object_new_boolean(is_reponse));
+
+ json_object_object_add(jparent, "DNS_opcode", json_object_new_int(opcode));
+ json_object_object_add(jparent, "DNS_rcode", json_object_new_int((int)reply_code));
+ json_object_object_add(jparent, "DNS_error", json_object_new_string(dns_rcodes[reply_code]));
+ json_object_object_add(jparent, "DNS_QDCOUNT", json_object_new_int((int)query_count));
+ json_object_object_add(jparent, "DNS_ANCOUNT", json_object_new_int((int)answer_count));
+ json_object_object_add(jparent, "DNS_NSCOUNT", json_object_new_int((int)authority_count));
+ json_object_object_add(jparent, "DNS_ARCOUNT", json_object_new_int((int)additionnal_count));
+ json_object_object_add(jparent, "DNS_Names", queries);
+
+ /* Packet has been successfully parsed, there still can be some responses left, but do not process them */
+ RETURN_DATA_AFTER(0);
+}
diff --git a/contrib/impcap/eth_parser.c b/contrib/impcap/eth_parser.c
new file mode 100644
index 0000000..4bda2d5
--- /dev/null
+++ b/contrib/impcap/eth_parser.c
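Review bot: dns_parse reads the twelve-byte fixed header (transaction id, flags and the four counts) through union_short_int before any comparison with pktSize, so a payload shorter than twelve bytes is read past its end; only the later query loop is bounded by end_packet. Add a guard right after the two DBGPRINTF calls: `if (pktSize < 12) { DBGPRINTF("impcap::dns_parser: packet too small for DNS header. Stopping.\n"); RETURN_DATA_AFTER(0); }`. The two-byte reads also dereference an `unsigned short int *` aliased onto the byte pointer, which assumes the payload is 2-byte aligned; assembling each field as `(uint16_t)(packet_ptr[0] << 8 | packet_ptr[1])` removes both the alignment assumption and the ntohs dependency. In the dns_types table the index comments from `"TLSA", // 51` onward lag the element's real position by one (TLSA is element 52, SMIMEA 53, HIP 55, ZONEMD 63, which is where IANA assigns them and is consistent with `"SPF", // 99`), so correcting the comments avoids a future "fix" that would shift the entries.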
@@ -0,0 +1,179 @@ +/* eth_parser.c + * + * This file contains functions to parse Ethernet II headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wpacked" +#pragma GCC diagnostic ignored "-Wattributes" +struct __attribute__ ((__packed__)) eth_header_s { + uint8_t addrDst[6]; + uint8_t addrSrc[6]; + uint16_t type; +}; + +struct __attribute__ ((__packed__)) vlan_header_s { + uint8_t addrDst[6]; + uint8_t addrSrc[6]; + uint16_t vlanCode; + uint16_t vlanTag; + uint16_t type; +}; +#pragma GCC diagnostic pop + +typedef struct eth_header_s eth_header_t; +typedef struct vlan_header_s vlan_header_t; + + +/* + * Get an ethernet header type as uint16_t + * and return the correspondence as string + * NOTE : Only most common types are present, to complete if needed + */ +static const char *eth_type_to_string(uint16_t eth_type) { + switch (eth_type) { + case 0x00bb: // Extreme Networks Discovery Protocol + return "EDP"; + case 0x0200: // PUP protocol + return "PUP"; + case 0x0800: // IP protocol + return "IP"; + case 0x0806: // address resolution 
protocol + return "ARP"; + case 0x88a2: // AoE protocol + return "AOE"; + case 0x2000: // Cisco Discovery Protocol + return "CDP"; + case 0x2004: // Cisco Dynamic Trunking Protocol + return "DTP"; + case 0x8035: // reverse addr resolution protocol + return "REVARP"; + case 0x8100: // IEEE 802.1Q VLAN tagging + return "802.1Q"; + case 0x88a8: // IEEE 802.1ad + return "802.1AD"; + case 0x9100: // Legacy QinQ + return "QINQ1"; + case 0x9200: // Legacy QinQ + return "QINQ2"; + case 0x8137: // Internetwork Packet Exchange + return "IPX"; + case 0x86DD: // IPv6 protocol + return "IPv6"; + case 0x880B: // PPP + return "PPP"; + case 0x8847: // MPLS + return "MPLS"; + case 0x8848: // MPLS Multicast + return "MPLS_MCAST"; + case 0x8863: // PPP Over Ethernet Discovery Stage + return "PPPoE_DISC"; + case 0x8864: // PPP Over Ethernet Session Stage + return "PPPoE"; + case 0x88CC: // Link Layer Discovery Protocol + return "LLDP"; + case 0x6558: // Transparent Ethernet Bridging + return "TEB"; + default: + return "UNKNOWN"; + } +} + + +/* + * This function parses the bytes in the received packet to extract Ethernet II metadata. + * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the ETH header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where ETH metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. 
+*/ +data_ret_t *eth_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("entered eth_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + if (pktSize < 14) { /* too short for eth header */ + DBGPRINTF("ETH packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0) + } + + eth_header_t *eth_header = (eth_header_t *)packet; + char ethMacSrc[20], ethMacDst[20]; + uint8_t hdrLen = 14; + + ether_ntoa_r((struct ether_addr *)eth_header->addrSrc, ethMacSrc); + ether_ntoa_r((struct ether_addr *)eth_header->addrDst, ethMacDst); + + json_object_object_add(jparent, "ETH_src", json_object_new_string((char *)ethMacSrc)); + json_object_object_add(jparent, "ETH_dst", json_object_new_string((char *)ethMacDst)); + + uint16_t ethType = (uint16_t)ntohs(eth_header->type); + + if (ethType == ETHERTYPE_VLAN) { + vlan_header_t *vlan_header = (vlan_header_t *)packet; + json_object_object_add(jparent, "ETH_tag", json_object_new_int(ntohs(vlan_header->vlanTag))); + ethType = (uint16_t)ntohs(vlan_header->type); + hdrLen += 4; + } + + data_ret_t *ret; + + if (ethType < 1500) { + /* this is a LLC header */ + json_object_object_add(jparent, "ETH_len", json_object_new_int(ethType)); + ret = llc_parse(packet + hdrLen, pktSize - hdrLen, jparent); + + /* packet has the minimum allowed size, so the remaining data is + * most likely padding, this should not appear as data, so remove it + * */ + //TODO this is a quick win, a more elaborate solution would be to check if all data + // is indeed zero, but that would take more processing time + if (pktSize <= 60 && ret->pData != NULL) { + if (!ret->pData[0]) ret->size = 0; + } + return ret; + } + + json_object_object_add(jparent, "ETH_type", json_object_new_int(ethType)); + json_object_object_add(jparent, "ETH_typestr", json_object_new_string((char *)eth_type_to_string(ethType))); + ret = eth_proto_parse(ethType, (packet + hdrLen), (pktSize - hdrLen), jparent); + + /* packet has the minimum allowed size, so the remaining 
data is + * most likely padding, this should not appear as data, so remove it */ + if (pktSize <= 60 && ret->pData != NULL) { + if (!ret->pData[0]) ret->size = 0; + } + return ret; +} diff --git a/contrib/impcap/ftp_parser.c b/contrib/impcap/ftp_parser.c new file mode 100644 index 0000000..6e724c9 --- /dev/null +++ b/contrib/impcap/ftp_parser.c 
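Review bot: The VLAN branch in eth_parse reads `vlan_header->vlanTag` and `vlan_header->type` at offsets 14–17, but the only length check is `pktSize < 14`, so a truncated tagged frame of 14–17 bytes is read past the captured data and `pktSize - hdrLen` then goes negative into llc_parse/eth_proto_parse. Add `if (pktSize < 18) { DBGPRINTF("ETH VLAN packet too small : %d\n", pktSize); RETURN_DATA_AFTER(0) }` at the top of that branch. The padding heuristic also dereferences `ret->pData[0]` whenever pData is non-NULL; if RETURN_DATA_AFTER in the inner parsers can yield a non-NULL pData with `size == 0` (e.g. the frame was exactly the header length), that byte lies one past the frame, so guard with `ret->size > 0 && !ret->pData[0]` in both copies of the heuristic (the second one follows the eth_proto_parse call).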
@@ -0,0 +1,152 @@ +/* ftp_parser.c + * + * This file contains functions to parse FTP headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +static const int ftp_cds[] = { + 100, 110, 120, 125, 150, + 200, 202, 211, 212, 213, 214, 215, 220, 221, 225, 226, 227, 228, 229, 230, 231, 232, 250, 257, + 300, 331, 332, 350, + 400, 421, 425, 426, 430, 434, 450, 451, 452, + 500, 501, 502, 503, 504, 530, 532, 550, 551, 552, 553, + 600, 631, 632, 633, + 10000, 100054, 10060, 10061, 10066, 10068, + 0 +}; + +static const char *ftp_cmds[] = { + "STOR", + "TYPE", + "ABOR", + "ACCT", + "ALLO", + "APPE", + "CDUP", + "CWD", + "DELE", + "HELP", + "LIST", + "MKD", + "MODE", + "NLST", + "NOOP", + "PASS", + "PASV", + "PORT", + "PWD", + "QUIT", + "REIN", + "REST", + "RETR", + "RMD", + "RNFR", + "RNTO", + "SITE", + "SMNT", + "STAT", + "STOU", + "STRU", + "SYST", + "USER", + NULL +}; + +/* + * This function searches for a valid command in the header (from the list defined in ftp_cmds[]) + * and returns either the command or a NULL pointer +*/ +static const char *check_Command_ftp(uchar *first_part_packet) { + DBGPRINTF("in 
check_Command_ftp\n"); + DBGPRINTF("first_part_packet : '%s' \n", first_part_packet); + int i = 0; + for (i = 0; ftp_cmds[i] != NULL; i++) { + if (strncmp((const char *)first_part_packet, ftp_cmds[i], strlen((const char *)ftp_cmds[i]) + 1) == 0) { + return ftp_cmds[i]; + } + } + return "UNKNOWN"; +} + +/* + * This function searches for a valid code in the header (from the list defined in ftp_cds[]) + * and returns either the command or a NULL pointer +*/ +static int check_Code_ftp(uchar *first_part_packet) { + DBGPRINTF("in check_Code_ftp\n"); + DBGPRINTF("first_part_packet : %s \n", first_part_packet); + int i = 0; + for (i = 0; ftp_cds[i] != 0; i++) { + if (strtol((const char *)first_part_packet, NULL, 10) == ftp_cds[i]) { + return ftp_cds[i]; + } + } + return 0; +} + +/* + * This function parses the bytes in the received packet to extract FTP metadata. + * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the FTP header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where FTP metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. 
+*/ +data_ret_t *ftp_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("ftp_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 5) { /* too short for ftp packet*/ + RETURN_DATA_AFTER(0) + } + uchar *packet2 = (uchar *)malloc(pktSize * sizeof(uchar)); + + memcpy(packet2, packet, pktSize); // strtok changes original packet + uchar *frst_part_ftp; + frst_part_ftp = (uchar *)strtok((char *)packet2, " "); // Get first part of packet ftp + strtok(NULL, "\r\n"); + + if (frst_part_ftp) { + int code = check_Code_ftp(frst_part_ftp); + const char *command = check_Command_ftp(frst_part_ftp); + if (code != 0) { + json_object_object_add(jparent, "FTP_response", json_object_new_int(code)); + } else if (command != NULL) { + json_object_object_add(jparent, "FTP_request", json_object_new_string(command)); + } + } + free(packet2); + RETURN_DATA_AFTER(0) +} diff --git a/contrib/impcap/http_parser.c b/contrib/impcap/http_parser.c new file mode 100644 index 0000000..56d8a25 --- /dev/null +++ b/contrib/impcap/http_parser.c 
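Review bot: ftp_parse copies exactly pktSize bytes into `packet2` without a terminating NUL and then hands the buffer to strtok, which scans for a NUL; a payload without a NUL byte (the usual case for CRLF-terminated FTP lines) makes strtok, and the later `strlen`/`strtol`/`DBGPRINTF("%s")` on the first token, read past the heap allocation. Allocate `malloc(pktSize + 1)` and add `packet2[pktSize] = '\0';` after the memcpy, as http_parse in the same commit already does, and return with `RETURN_DATA_AFTER(0)` when malloc yields NULL instead of passing it to memcpy. Separately, check_Command_ftp returns "UNKNOWN" rather than the NULL its comment promises, so the `command != NULL` test in ftp_parse is always true and every non-numeric first token is emitted as `FTP_request: "UNKNOWN"`; either return NULL there or compare against "UNKNOWN" before adding the field.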
@@ -0,0 +1,159 @@ +/* http_parser.c + * + * This file contains functions to parse HTTP headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +static const char *keywords[] = { + "OPTIONS", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "TRACE", + "CONNECT", + "HTTP", + NULL +}; + +static inline char *string_split(char **initString, const char *delimiterString) { + char *ret = *initString; + + if (*initString) { + char *pos = strstr(*initString, delimiterString); + if (pos) { + *initString = pos; + **initString = '\0'; + *initString += strlen(delimiterString); + } else { + *initString = NULL; + } + } + + return ret; +} + +static inline int has_status_keyword(char *http) { + const char *found; + int i; + + for (i = 0; keywords[i] != NULL; i++) { + found = strstr(http, keywords[i]); + if (found && (found - http) < 20) { + return 1; + } + } + + return 0; +} + +/* + * This function catches HTTP header fields and status line + * and adds them to the provided json object +*/ +static inline void catch_status_and_fields(char *header, struct json_object *jparent) { + 
DBGPRINTF("catch_status_and_fields\n"); + + struct json_object *fields = json_object_new_object(); + + char *statusLine = string_split(&header, "\r\n"); + char *firstPart, *secondPart, *thirdPart; + firstPart = string_split(&statusLine, " "); + secondPart = string_split(&statusLine, " "); + thirdPart = statusLine; + if (firstPart && secondPart && thirdPart) { + if (strstr(firstPart, "HTTP")) { + json_object_object_add(jparent, "HTTP_version", json_object_new_string(firstPart)); + json_object_object_add(jparent, "HTTP_status_code", json_object_new_string(secondPart)); + json_object_object_add(jparent, "HTTP_reason", json_object_new_string(thirdPart)); + } else { + json_object_object_add(jparent, "HTTP_method", json_object_new_string(firstPart)); + json_object_object_add(jparent, "HTTP_request_URI", json_object_new_string(secondPart)); + json_object_object_add(jparent, "HTTP_version", json_object_new_string(thirdPart)); + } + } + + char *fieldValue = string_split(&header, "\r\n"); + char *field, *value; + while (fieldValue) { + field = string_split(&fieldValue, ":"); + value = fieldValue; + if (value) { + while (*value == ' ') { value++; } + DBGPRINTF("got header field -> '%s': '%s'\n", field, value); + json_object_object_add(fields, field, json_object_new_string(value)); + } + + fieldValue = string_split(&header, "\r\n"); + } + + json_object_object_add(jparent, "HTTP_header_fields", fields); + + return; +} + +/* + * This function parses the bytes in the received packet to extract HTTP metadata. 
+ * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the beginning of the header will be checked by the function + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where HTTP metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. +*/ +data_ret_t *http_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("http_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + if (pktSize < 6) { + RETURN_DATA_AFTER(0) + } + + char *pHttp = malloc(pktSize + 1); + char *http = pHttp; + memcpy(http, packet, pktSize); + *(http + pktSize) = '\0'; + + if (!has_status_keyword(http)) { + free(pHttp); + RETURN_DATA_AFTER(0) + } + + char *header = string_split(&http, "\r\n\r\n"); + + catch_status_and_fields(header, jparent); + + free(pHttp); + RETURN_DATA_AFTER(0) +} diff --git a/contrib/impcap/icmp_parser.c b/contrib/impcap/icmp_parser.c new file mode 100644 index 0000000..8a627ee --- /dev/null +++ b/contrib/impcap/icmp_parser.c 
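Review bot: In http_parse the result of `malloc(pktSize + 1)` is passed to memcpy without a NULL check, so an allocation failure becomes a write through a null pointer; add `if (pHttp == NULL) RETURN_DATA_AFTER(0)` before the memcpy. In catch_status_and_fields, `json_object_object_add(fields, field, ...)` replaces an existing key, so repeated header fields (which HTTP permits, e.g. several `Set-Cookie` lines) keep only the last value; that should be stated in the function comment since consumers of HTTP_header_fields may assume completeness. has_status_keyword also matches a keyword anywhere in the first 20 bytes rather than at offset 0 (so "GET" inside "BUDGET" qualifies); a comment such as `/* heuristic: keyword anywhere in the first 20 bytes, not anchored at the start */` would make that intent explicit.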
@@ -0,0 +1,79 @@ +/* icmp_parser.c + * + * This file contains functions to parse ICMP headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +struct icmp_header_s { + uint8_t type; + uint8_t code; + uint16_t checksum; + uint8_t data[]; +}; + +typedef struct icmp_header_s icmp_header_t; + +/* + * This function parses the bytes in the received packet to extract ICMP metadata. + * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the ICMP header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where ICMP metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. 
+*/ +data_ret_t *icmp_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("icmp_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 8) { + DBGPRINTF("ICMP packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0); + } + + /* Union to prevent cast from uchar to icmp_header_t */ + union { + const uchar *pck; + icmp_header_t *hdr; + } icmp_header_to_char; + + icmp_header_to_char.pck = packet; + icmp_header_t *icmp_header = icmp_header_to_char.hdr; + + json_object_object_add(jparent, "net_icmp_type", json_object_new_int(icmp_header->type)); + json_object_object_add(jparent, "net_icmp_code", json_object_new_int(icmp_header->code)); + json_object_object_add(jparent, "icmp_checksum", json_object_new_int(ntohs(icmp_header->checksum))); + + RETURN_DATA_AFTER(8) +} diff --git a/contrib/impcap/impcap.c b/contrib/impcap/impcap.c new file mode 100644 index 0000000..cdb1e54 --- /dev/null +++ b/contrib/impcap/impcap.c 
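Review bot: The JSON keys emitted by icmp_parse are inconsistently prefixed: `net_icmp_type` and `net_icmp_code` but `icmp_checksum`; since the file is new in this commit, renaming the third to `"net_icmp_checksum"` now avoids a compatibility break later. The comment on the union ("prevent cast from uchar to icmp_header_t") understates what it does — it launders the `const` off `packet` and yields a writable `icmp_header_t *` without any compiler diagnostic; declaring the member as `const icmp_header_t *hdr;` keeps the const-correctness the parameter signature advertises while still avoiding the pointer cast.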
@@ -0,0 +1,748 @@ +/* impcap.c + * + * This is an input module using libpcap, a + * portable C/C++ library for network traffic capture. + * This module reads packets received from a network interface + * using libpcap, to extract information such as IP addresses, ports, + * protocols, etc... and make it available to rsyslog and other modules. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. 
+ */ + +#include "config.h" +#include <stdlib.h> +#include <assert.h> +#include <string.h> +#include <errno.h> +#include <unistd.h> +#include <stdarg.h> +#include <ctype.h> +#include <signal.h> +#include <json.h> + +#include <pcap.h> + +#include "rsyslog.h" +#include "prop.h" +#include "ruleset.h" +#include "datetime.h" + +#include "errmsg.h" +#include "unicode-helper.h" +#include "module-template.h" +#include "rainerscript.h" +#include "rsconf.h" +#include "glbl.h" +#include "srUtils.h" + +#include "parsers.h" + + +MODULE_TYPE_INPUT +MODULE_TYPE_NOKEEP +MODULE_CNFNAME("impcap") + +#define DEFAULT_META_CONTAINER "!impcap" +#define DEFAULT_DATA_CONTAINER "!data" + + +/* static data */ +DEF_IMOD_STATIC_DATA +DEFobjCurrIf(glbl) +DEFobjCurrIf(prop) +DEFobjCurrIf(ruleset) +DEFobjCurrIf(datetime) + +static prop_t *pInputName = NULL; + +char *stringToHex(char *string, size_t length); + +static ATTR_NORETURN void *startCaptureThread(void *instanceConf); + +/* conf structures */ + +struct instanceConf_s { + char *interface; + uchar *filePath; + pcap_t *device; + uchar *filter; + uchar *tag; + uint8_t promiscuous; + uint8_t immediateMode; + uint32_t bufSize; + uint8_t bufTimeout; + uint8_t pktBatchCnt; + pthread_t tid; + uchar *pszBindRuleset; /* name of ruleset to bind to */ + ruleset_t *pBindRuleset; /* ruleset to bind listener to (use system default if unspecified) */ + struct instanceConf_s *next; +}; + +struct modConfData_s { + rsconf_t *pConf; + instanceConf_t *root, *tail; + uint16_t snap_length; + uint8_t metadataOnly; + char *metadataContainer; + char *dataContainer; +}; + +static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */ +static modConfData_t *runModConf = NULL; /* modConf ptr to use for the current exec process */ + +/* input instance parameters */ +static struct cnfparamdescr inppdescr[] = { + {"interface", eCmdHdlrGetWord, 0}, + {"file", eCmdHdlrString, 0}, + {"promiscuous", eCmdHdlrBinary, 0}, + {"filter", 
eCmdHdlrString, 0}, + {"tag", eCmdHdlrString, 0}, + {"ruleset", eCmdHdlrString, 0}, + {"no_buffer", eCmdHdlrBinary, 0}, + {"buffer_size", eCmdHdlrPositiveInt, 0}, + {"buffer_timeout", eCmdHdlrPositiveInt, 0}, + {"packet_count", eCmdHdlrPositiveInt, 0} +}; +static struct cnfparamblk inppblk = { + CNFPARAMBLK_VERSION, + sizeof(inppdescr) / sizeof(struct cnfparamdescr), + inppdescr +}; + +/* module-global parameters */ +static struct cnfparamdescr modpdescr[] = { + {"snap_length", eCmdHdlrPositiveInt, 0}, + {"metadata_only", eCmdHdlrBinary, 0}, + {"metadata_container", eCmdHdlrGetWord, 0}, + {"data_container", eCmdHdlrGetWord, 0} +}; +static struct cnfparamblk modpblk = { + CNFPARAMBLK_VERSION, + sizeof(modpdescr) / sizeof(struct cnfparamdescr), + modpdescr +}; + +#include "im-helper.h" + +/* + * create input instance, set default parameters, and + * add it to the list of instances. + */ +static rsRetVal +createInstance(instanceConf_t **pinst) { + instanceConf_t *inst; + DEFiRet; + CHKmalloc(inst = malloc(sizeof(instanceConf_t))); + inst->next = NULL; + inst->interface = NULL; + inst->filePath = NULL; + inst->device = NULL; + inst->promiscuous = 0; + inst->filter = NULL; + inst->tag = NULL; + inst->pszBindRuleset = NULL; + inst->immediateMode = 0; + inst->bufTimeout = 10; + inst->bufSize = 1024 * 1024 * 15; /* should be enough for up to 10Gb interface*/ + inst->pktBatchCnt = 5; + + /* node created, let's add to global config */ + if (loadModConf->tail == NULL) { + loadModConf->tail = loadModConf->root = inst; + } else { + loadModConf->tail->next = inst; + loadModConf->tail = inst; + } + + *pinst = inst; +finalize_it: + RETiRet; +} + +/* input instances */ + +BEGINnewInpInst +struct cnfparamvals *pvals; +instanceConf_t *inst; +int i; +CODESTARTnewInpInst + pvals = nvlstGetParams(lst, &inppblk, NULL); + + if(pvals == NULL) { + LogError(0, RS_RET_MISSING_CNFPARAMS, + "impcap: required parameters are missing\n"); + ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS); + } + + 
CHKiRet(createInstance(&inst)); + + for (i = 0 ; i<inppblk.nParams ; ++i) { + if (!pvals[i].bUsed) + continue; + if (!strcmp(inppblk.descr[i].name, "interface")) { + inst->interface = (char *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(inppblk.descr[i].name, "file")) { + inst->filePath = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(inppblk.descr[i].name, "promiscuous")) { + inst->promiscuous = (uint8_t)pvals[i].val.d.n; + } + else if (!strcmp(inppblk.descr[i].name, "filter")) { + inst-> + filter = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(inppblk.descr[i].name, "tag")) { + inst->tag = (uchar *) es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(inppblk.descr[i].name, "ruleset")) { + inst->pszBindRuleset = (uchar *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(inppblk.descr[i].name, "no_buffer")) { + inst->immediateMode = (uint8_t)pvals[i].val.d.n; + } + else if (!strcmp(inppblk.descr[i].name, "buffer_size")) { + inst->bufSize = (uint32_t)pvals[i].val.d.n; + } + else if (!strcmp(inppblk.descr[i].name, "buffer_timeout")) { + inst->bufTimeout = (uint8_t)pvals[i].val.d.n; + } + else if (!strcmp(inppblk.descr[i].name, "packet_count")) { + inst->pktBatchCnt = (uint8_t)pvals[i].val.d.n; + } + else { + dbgprintf("impcap: non-handled param %s in beginCnfLoad\n", inppblk.descr[i].name); + } + } + +finalize_it: + +CODE_STD_FINALIZERnewInpInst + cnfparamvalsDestruct(pvals, &inppblk); +ENDnewInpInst + +/* global mod conf (v2 system) */ +BEGINsetModCnf + struct cnfparamvals *pvals = NULL; + int i; + +CODESTARTsetModCnf + pvals = nvlstGetParams(lst, &modpblk, NULL); + if (pvals == NULL) { + LogError(0, RS_RET_MISSING_CNFPARAMS, "impcap: error processing module " + "config parameters missing [module(...)]"); + ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS); + } + + for (i = 0 ; i<modpblk.nParams ; ++i) { + if (!pvals[i].bUsed) + continue; + if (!strcmp(modpblk.descr[i].name, 
"snap_length")) { + loadModConf->snap_length = (int)pvals[i].val.d.n; + } + else if (!strcmp(modpblk.descr[i].name, "metadata_only")) { + loadModConf->metadataOnly = (uint8_t)pvals[i].val.d.n; + } + else if (!strcmp(modpblk.descr[i].name, "metadata_container")) { + loadModConf->metadataContainer = (char *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else if (!strcmp(modpblk.descr[i].name, "data_container")) { + loadModConf->dataContainer = (char *)es_str2cstr(pvals[i].val.d.estr, NULL); + } + else { + dbgprintf("impcap: non-handled param %s in beginSetModCnf\n", modpblk.descr[i].name); + } + } + + if (!loadModConf->metadataContainer) + CHKmalloc(loadModConf->metadataContainer = strdup(DEFAULT_META_CONTAINER)); + + if (!loadModConf->dataContainer) + CHKmalloc(loadModConf->dataContainer = strdup(DEFAULT_DATA_CONTAINER)); +finalize_it: + if (pvals != NULL) + cnfparamvalsDestruct(pvals, &modpblk); +ENDsetModCnf + +/* config v2 system */ + +BEGINbeginCnfLoad +CODESTARTbeginCnfLoad + loadModConf = pModConf; + loadModConf->pConf = pConf; + loadModConf->metadataOnly = 0; + loadModConf->snap_length = 65535; + loadModConf->metadataContainer = NULL; + loadModConf->dataContainer = NULL; +ENDbeginCnfLoad + +BEGINendCnfLoad +CODESTARTendCnfLoad +ENDendCnfLoad + + +/* function to generate error message if framework does not find requested ruleset */ +static inline void +std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, instanceConf_t *inst) { + LogError(0, NO_ERRCODE, "impcap: ruleset '%s' for interface %s not found - " + "using default ruleset instead", inst->pszBindRuleset, + inst->interface); +} + +BEGINcheckCnf + instanceConf_t *inst; +CODESTARTcheckCnf + if (pModConf->root == NULL) { + LogError(0, RS_RET_NO_LISTNERS , "impcap: module loaded, but " + "no interface defined - no input will be gathered"); + iRet = RS_RET_NO_LISTNERS; + } + + if (pModConf->metadataOnly) { /* if metadata_only is "on", snap_length is overwritten */ + pModConf->snap_length 
= 100; /* arbitrary value, but should be enough for most protocols */ + } + + if (!pModConf->metadataContainer || !pModConf->dataContainer) { + LogError(0, RS_RET_LOAD_ERROR, "impcap: no name defined for metadata_container and " + "data_container, this shouldn't happen"); + } + else { + DBGPRINTF("impcap: metadata will be stored in '%s', and data in '%s'\n", + pModConf->metadataContainer, pModConf->dataContainer); + } + + for (inst = pModConf->root ; inst != NULL ; inst = inst->next) { + std_checkRuleset(pModConf, inst); + if (inst->interface ==NULL &&inst->filePath == NULL) { + iRet = RS_RET_INVALID_PARAMS; + LogError(0, RS_RET_LOAD_ERROR, "impcap: 'interface' or 'file' must be specified"); + break; + } + if (inst->interface !=NULL &&inst->filePath != NULL) { + iRet = RS_RET_INVALID_PARAMS; + LogError(0, RS_RET_LOAD_ERROR, "impcap: either 'interface' or 'file' must be specified"); + break; + } + } + +ENDcheckCnf + +BEGINactivateCnfPrePrivDrop +CODESTARTactivateCnfPrePrivDrop + runModConf = pModConf; +ENDactivateCnfPrePrivDrop + +BEGINactivateCnf + instanceConf_t *inst; + pcap_t *dev = NULL; + struct bpf_program filter_program; + bpf_u_int32 SubNet, NetMask; + char errBuf[PCAP_ERRBUF_SIZE]; + uint8_t retCode = 0; +CODESTARTactivateCnf + for (inst = pModConf->root ; inst != NULL ; inst = inst->next) { + if (inst->filePath != NULL) { + dev = pcap_open_offline((const char *)inst->filePath, errBuf); + if (dev == NULL) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while opening capture file: '%s'", errBuf); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + } + else if (inst->interface != NULL) { + dev = pcap_create((const char *)inst->interface, errBuf); + if (dev == NULL) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while creating packet capture: '%s'", + errBuf); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + + DBGPRINTF("setting snap_length %d\n", pModConf->snap_length); + if (pcap_set_snaplen(dev, pModConf->snap_length)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error 
while setting snap length: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + + DBGPRINTF("setting promiscuous %d\n", inst->promiscuous); + if (pcap_set_promisc(dev, inst->promiscuous)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting promiscuous mode: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + + if (inst->immediateMode) { + DBGPRINTF("setting immediate mode %d\n", inst->immediateMode); + retCode = pcap_set_immediate_mode(dev, inst->immediateMode); + if (retCode) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting immediate mode: '%s'," + " using buffer instead\n",pcap_geterr(dev)); + } + } + + if (!inst->immediateMode || retCode){ + DBGPRINTF("setting buffer size %u \n", inst->bufSize); + if (pcap_set_buffer_size(dev, inst->bufSize)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting buffer size: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + DBGPRINTF("setting buffer timeout %dms\n", inst->bufTimeout); + if (pcap_set_timeout(dev, inst->bufTimeout)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting buffer timeout: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + } + + switch (pcap_activate(dev)) { + case PCAP_WARNING_PROMISC_NOTSUP: + LogError(0, NO_ERRCODE, "interface doesn't support promiscuous mode"); + break; + case PCAP_WARNING_TSTAMP_TYPE_NOTSUP: + LogError(0, NO_ERRCODE, "timestamp type is not supported"); + break; + case PCAP_WARNING: + LogError(0, NO_ERRCODE, "pcap: %s", pcap_geterr(dev)); + break; + case PCAP_ERROR_ACTIVATED: + LogError(0, RS_RET_LOAD_ERROR, "already activated, shouldn't happen"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR_NO_SUCH_DEVICE: + LogError(0, RS_RET_LOAD_ERROR, "device doesn't exist"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR_PERM_DENIED: + LogError(0, RS_RET_LOAD_ERROR, "elevated privilege needed to open capture " + "interface"); + 
ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR_PROMISC_PERM_DENIED: + LogError(0, RS_RET_LOAD_ERROR, "elevated privilege needed to put interface " + "in promiscuous mode"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR_RFMON_NOTSUP: + LogError(0, RS_RET_LOAD_ERROR, "interface doesn't support monitor mode"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR_IFACE_NOT_UP: + LogError(0, RS_RET_LOAD_ERROR, "interface is not up"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + case PCAP_ERROR: + LogError(0, RS_RET_LOAD_ERROR, "pcap: %s", pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + + if (inst->filter != NULL) { + DBGPRINTF("getting netmask on %s\n", inst->interface); + //obtain the subnet + if (pcap_lookupnet(inst->interface, &SubNet, &NetMask, errBuf)){ + DBGPRINTF("could not get netmask\n"); + NetMask = PCAP_NETMASK_UNKNOWN; + } + DBGPRINTF("setting filter to '%s'\n", inst->filter); + /* Compile the filter */ + if (pcap_compile(dev, &filter_program, (const char *)inst->filter, 1, NetMask)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while compiling filter: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + else if (pcap_setfilter(dev, &filter_program)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting filter: '%s'", + pcap_geterr(dev)); + pcap_freecode(& filter_program); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + pcap_freecode(&filter_program); + } + + if (pcap_set_datalink(dev, DLT_EN10MB)) { + LogError(0, RS_RET_LOAD_ERROR, "pcap: error while setting datalink type: '%s'", + pcap_geterr(dev)); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + } /* inst->interface != NULL */ + else { + LogError(0, RS_RET_LOAD_ERROR, "impcap: no capture method specified, " + "please specify either 'interface' or 'file' in config"); + ABORT_FINALIZE(RS_RET_LOAD_ERROR); + } + + inst->device = dev; + } + +finalize_it: + if(iRet != 0) { + if(dev) pcap_close(dev); + } +ENDactivateCnf + +BEGINfreeCnf + instanceConf_t *inst, *del; 
+CODESTARTfreeCnf + DBGPRINTF("impcap: freeing confs...\n"); + for (inst = pModConf->root ; inst != NULL ; ) { + del = inst; + inst = inst->next; + free(del->filePath); + free(del->filter); + free(del->pszBindRuleset); + free(del->interface); + free(del->tag); + free(del); + } + free(pModConf->metadataContainer); + free(pModConf->dataContainer); + DBGPRINTF("impcap: finished freeing confs\n"); +ENDfreeCnf + +/* runtime functions */ + +/* + * Converts a list of bytes to their hexadecimal representation in ASCII + * + * Gets the list of bytes and the length as parameters + * + * Returns a pointer on the new list, being a string of ASCII characters + * representing hexadecimal values, in the form "A5B34C65..." + * its size is twice length parameter + 1 +*/ +char *stringToHex(char *string, size_t length) { + const char *hexChar = "0123456789ABCDEF"; + char *retBuf; + uint16_t i; + + retBuf = malloc((2 * length + 1) * sizeof(char)); + for (i = 0; i < length; ++i) { + retBuf[2 * i] = hexChar[(string[i] & 0xF0) >> 4]; + retBuf[2 * i + 1] = hexChar[string[i] & 0x0F]; + } + retBuf[2 * length] = '\0'; + + return retBuf; +} + +/* + * This method parses every packet received by libpcap, and is called by it + * It creates the message for Rsyslog, calls the parsers and add all necessary information + * in the message +*/ +void packet_parse(uchar *arg, const struct pcap_pkthdr *pkthdr, const uchar *packet) { + DBGPRINTF("impcap : entered packet_parse\n"); + smsg_t *pMsg; + + /* Prevent cast error from char to int with arg */ + union { + uchar *buf; + int *id; + } aux; + + aux.buf = arg; + int *id = aux.id; + msgConstruct(&pMsg); + + MsgSetInputName(pMsg, pInputName); + //search inst in loadmodconf,and check if there is tag. if so set tag in msg. 
+ pthread_t ctid = pthread_self(); + instanceConf_t * inst; + for (inst = runModConf->root; inst != NULL; inst = inst->next) { + if (pthread_equal(ctid, inst->tid)) { + if (inst->pBindRuleset != NULL) { + MsgSetRuleset(pMsg, inst->pBindRuleset); + } + if (inst->tag != NULL) { + MsgSetTAG(pMsg, inst->tag, strlen((const char *)inst->tag)); + } + } + } + + + struct json_object *jown = json_object_new_object(); + json_object_object_add(jown, "ID", json_object_new_int(++(*id))); + + struct syslogTime sysTimePkt; + char timeStr[30]; + struct timeval tv = pkthdr->ts; + datetime.timeval2syslogTime(&tv, &sysTimePkt, 1/*inUTC*/); + if (datetime.formatTimestamp3339(&sysTimePkt, timeStr)) { + json_object_object_add(jown, "timestamp", json_object_new_string(timeStr)); + } + + json_object_object_add(jown, "net_bytes_total", json_object_new_int(pkthdr->len)); + + data_ret_t * dataLeft = eth_parse(packet, pkthdr->caplen, jown); + + json_object_object_add(jown, "net_bytes_data", json_object_new_int(dataLeft->size)); + char *dataHex = stringToHex(dataLeft->pData, dataLeft->size); + if (dataHex != NULL) { + struct json_object *jadd = json_object_new_object(); + json_object_object_add(jadd, "length", json_object_new_int(strlen(dataHex))); + json_object_object_add(jadd, "content", json_object_new_string(dataHex)); + msgAddJSON(pMsg, (uchar *)runModConf->dataContainer, jadd, 0, 0); + free(dataHex); + } + free(dataLeft); + + msgAddJSON(pMsg, (uchar *)runModConf->metadataContainer, jown, 0, 0); + submitMsg2(pMsg); +} + +/* This is used to terminate the plugin. 
+ */ +static void +doSIGTTIN(int __attribute__((unused)) sig) +{ + pthread_t tid = pthread_self(); + const int bTerminate = ATOMIC_FETCH_32BIT(&bTerminateInputs, &mutTerminateInputs); + DBGPRINTF("impcap: awoken via SIGTTIN; bTerminateInputs: %d\n", bTerminate); + if(bTerminate) { + for(instanceConf_t *inst = runModConf->root; inst != NULL; inst = inst->next) { + if(pthread_equal(tid, inst->tid)) { + pcap_breakloop(inst->device); + DBGPRINTF("impcap: thread %lx, termination requested via SIGTTIN - telling libpcap\n", + (long unsigned int)tid); + } + } + } +} + +/* + * This is the main function for each thread + * taking care of a specified network interface +*/ +static ATTR_NORETURN void *startCaptureThread(void *instanceConf) { + int id = 0; + pthread_t tid = pthread_self(); + + /* we want to support non-cancel input termination. To do so, we must signal libpcap + * when to stop. As we run on the same thread, we need to register as SIGTTIN handler, + * which will be used to put the terminating condition into libpcap. 
+ */ + DBGPRINTF("impcap: setting catch for SIGTTIN, thread %lx\n", + (long unsigned int)tid); + sigset_t sigSet; + struct sigaction sigAct; + sigfillset(&sigSet); + pthread_sigmask(SIG_BLOCK, &sigSet, NULL); + sigemptyset(&sigSet); + sigaddset(&sigSet, SIGTTIN); + pthread_sigmask(SIG_UNBLOCK, &sigSet, NULL); + memset(&sigAct, 0, sizeof (sigAct)); + sigemptyset(&sigAct.sa_mask); + sigAct.sa_handler = doSIGTTIN; + sigaction(SIGTTIN, &sigAct, NULL); + + instanceConf_t * inst = (instanceConf_t * )instanceConf; + DBGPRINTF("impcap: thread %lx, begin capture!\n", + (long unsigned int)tid); + while (glbl.GetGlobalInputTermState() == 0) { + pcap_dispatch(inst->device, inst->pktBatchCnt, packet_parse, (uchar * ) & id); + } + DBGPRINTF("impcap: thread %lx, capture finished\n", + (long unsigned int)tid); + pthread_exit(0); +} + +BEGINrunInput + instanceConf_t *inst; + int ret = 0; +CODESTARTrunInput + for (inst = runModConf->root ; inst != NULL ; inst = inst->next) { + /* creates a thread and starts capturing on the interface */ + ret = pthread_create(&inst->tid, NULL, startCaptureThread, inst); + if (ret) { + LogError(0, RS_RET_NO_RUN, "impcap: error while creating threads\n"); + } + } + + DBGPRINTF("impcap: starting to wait for close condition\n"); + // TODO: Use thread for capture instead of just waiting + while(glbl.GetGlobalInputTermState() == 0) { + if(glbl.GetGlobalInputTermState() == 0) + srSleep(0, 400000); + } + + DBGPRINTF("impcap: received close signal, signaling instance threads...\n"); + for (inst = runModConf->root; inst != NULL; inst = inst->next) { + pthread_kill(inst->tid, SIGTTIN); + } + + DBGPRINTF("impcap: threads signaled, waiting for join..."); + for (inst = runModConf->root ; inst != NULL ; inst = inst->next) { + pthread_join(inst->tid, NULL); + pcap_close(inst->device); + } + + DBGPRINTF("impcap: finished threads, stopping\n"); +ENDrunInput + +BEGINwillRun +CODESTARTwillRun +/* we need to create the inputName property (only once during our lifetime) 
*/ + CHKiRet(prop.Construct(&pInputName)); + CHKiRet(prop.SetString(pInputName, UCHAR_CONSTANT("impcap"), sizeof("impcap") - 1)); + CHKiRet(prop.ConstructFinalize(pInputName)); +finalize_it: +ENDwillRun + +BEGINafterRun +CODESTARTafterRun + if (pInputName != NULL) { + prop.Destruct(&pInputName); + } +ENDafterRun + +BEGINmodExit +CODESTARTmodExit + DBGPRINTF("impcap:: modExit\n"); + objRelease(glbl, CORE_COMPONENT); + objRelease(prop, CORE_COMPONENT); + objRelease(ruleset, CORE_COMPONENT); + objRelease(datetime, CORE_COMPONENT); +ENDmodExit + +/* declaration of functions */ + +BEGINisCompatibleWithFeature +CODESTARTisCompatibleWithFeature + if(eFeat == sFEATURENonCancelInputTermination) + iRet = RS_RET_OK; +ENDisCompatibleWithFeature + +BEGINqueryEtryPt +CODESTARTqueryEtryPt + CODEqueryEtryPt_STD_IMOD_QUERIES + CODEqueryEtryPt_STD_CONF2_QUERIES + CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES + CODEqueryEtryPt_STD_CONF2_IMOD_QUERIES + CODEqueryEtryPt_STD_CONF2_PREPRIVDROP_QUERIES /* might need it */ + CODEqueryEtryPt_IsCompatibleWithFeature_IF_OMOD_QUERIES +ENDqueryEtryPt + +BEGINmodInit() +CODESTARTmodInit + *ipIFVersProvided = CURR_MOD_IF_VERSION; + CHKiRet(objUse(glbl, CORE_COMPONENT)); + CHKiRet(objUse(ruleset, CORE_COMPONENT)); + CHKiRet(objUse(prop, CORE_COMPONENT)); + CHKiRet(objUse(datetime, CORE_COMPONENT)); +ENDmodInit diff --git a/contrib/impcap/ipv4_parser.c b/contrib/impcap/ipv4_parser.c new file mode 100644 index 0000000..2693c60 --- /dev/null +++ b/contrib/impcap/ipv4_parser.c 
@@ -0,0 +1,101 @@ +/* ipv4_parser.c + * + * This file contains functions to parse IP headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +struct ipv4_header_s { +/*#if __BYTE_ORDER == __BIG_ENDIAN + unsigned char version:4; + unsigned char ihl:4; +#else*/ + unsigned char ihl:4; + unsigned char version:4; +//#endif + uint8_t service; + uint16_t totLen; + uint16_t id; + uint16_t frag; + uint8_t ttl; + uint8_t proto; + uint16_t hdrChksum; + uint8_t addrSrc[4]; + uint8_t addrDst[4]; + uint8_t pOptions[]; +}; + +typedef struct ipv4_header_s ipv4_header_t; + +/* + * This function parses the bytes in the received packet to extract IP metadata. 
+ * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the IP header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where IP metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. +*/ +data_ret_t *ipv4_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("ipv4_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 20) { /* too small for IPv4 header + data (header might be longer)*/ + DBGPRINTF("IPv4 packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0) + } + + /* Union to prevent cast from uchar to ipv4_header_t */ + union { + const uchar *pck; + ipv4_header_t *hdr; + } ipv4_header_to_char; + + ipv4_header_to_char.pck = packet; + ipv4_header_t *ipv4_header = ipv4_header_to_char.hdr; + + char addrSrc[20], addrDst[20]; + uint8_t hdrLen = 4 * ipv4_header->ihl; /* 4 x length in words */ + + inet_ntop(AF_INET, (void *)&ipv4_header->addrSrc, addrSrc, 20); + inet_ntop(AF_INET, (void *)&ipv4_header->addrDst, addrDst, 20); + + json_object_object_add(jparent, "net_dst_ip", json_object_new_string((char *)addrDst)); + json_object_object_add(jparent, "net_src_ip", json_object_new_string((char *)addrSrc)); + json_object_object_add(jparent, "IP_ihl", json_object_new_int(ipv4_header->ihl)); + json_object_object_add(jparent, "net_ttl", json_object_new_int(ipv4_header->ttl)); + json_object_object_add(jparent, "IP_proto", json_object_new_int(ipv4_header->proto)); + + + return ip_proto_parse(ipv4_header->proto, (packet + hdrLen), (pktSize - hdrLen), jparent); +} diff --git a/contrib/impcap/ipv6_parser.c b/contrib/impcap/ipv6_parser.c new file mode 100644 index 0000000..25c6b4c --- /dev/null +++ b/contrib/impcap/ipv6_parser.c 
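Review bot: `hdrLen` in `ipv4_parse` is taken straight from the IHL nibble and never compared with `pktSize`, so a header claiming 60 bytes inside a 20-byte capture hands `ip_proto_parse` a pointer past the buffer and a negative length (whether the L4 parser notices depends on its own size check), and an IHL below 5 makes the L4 parser start inside the IP header. Between the `hdrLen` computation and the `inet_ntop` calls add `if (hdrLen < 20 || hdrLen > pktSize) { DBGPRINTF("IPv4 header length invalid: %d\n", hdrLen); RETURN_DATA_AFTER(0) }`. The bit-field order in `ipv4_header_s` is also fixed to the little-endian layout because the `__BYTE_ORDER` switch is commented out; either restore it or add a comment stating that only little-endian hosts are supported.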
@@ -0,0 +1,305 @@ +/* ipv6_parser.c + * + * This file contains functions to parse IPv6 headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wpacked" +#pragma GCC diagnostic ignored "-Wattributes" +typedef struct __attribute__ ((__packed__)) ipv6_header_s { +#ifndef IPV6_VERSION_MASK +#define IPV6_VERSION_MASK 0xF0000000 +#endif +#ifndef IPV6_TC_MASK +#define IPV6_TC_MASK 0x0FF00000 +#endif +#ifndef IPV6_FLOW_MASK +#define IPV6_FLOW_MASK 0x000FFFFF +#endif + uint32_t vtf; + uint16_t dataLength; + uint8_t nextHeader; +#define IPV6_NHDR_HBH 0 +#define IPV6_NHDR_TCP 6 +#define IPV6_NHDR_UDP 17 +#define IPV6_NHDR_ENCIP6 41 +#define IPV6_NHDR_ROUT 43 +#define IPV6_NHDR_FRAG 44 +#define IPV6_NHDR_RRSV 46 +#define IPV6_NHDR_SEC 50 +#define IPV6_NHDR_AUTH 51 +#define IPV6_NHDR_ICMP6 58 +#define IPV6_NHDR_NONHDR 59 +#define IPV6_NHDR_DOPTS 60 + + uint8_t hopLimit; + uint8_t addrSrc[16]; + uint8_t addrDst[16]; +} ipv6_header_t; +#pragma GCC diagnostic pop + +#ifndef IPV6_VERSION +#define IPV6_VERSION(h) (ntohl(h->vtf) & IPV6_VERSION_MASK)>>28 
+#endif +#ifndef IPV6_TC +#define IPV6_TC(h) (ntohl(h->vtf) & IPV6_TC_MASK)>>20 +#endif +#ifndef IPV6_FLOW +#define IPV6_FLOW(h) (ntohl(h->vtf) & IPV6_FLOW_MASK) +#endif + +/* extension headers */ +typedef struct hbh_header_s { + uint8_t nextHeader; + uint8_t hLength; + uint8_t *pOptions; +} hbh_header_t; + +typedef struct dest_header_s { + uint8_t nextHeader; + uint8_t hLength; + uint8_t *pOptions; +} dest_header_t; + +typedef struct route_header_s { + uint8_t nextHeader; + uint8_t hLength; + uint8_t rType; + uint8_t segsLeft; + uint32_t reserved; + uint8_t addrs[16]; +} route_header_t; + +typedef struct frag_header_s { + uint8_t nextHeader; + uint8_t reserved; + uint16_t offsetFlags; + uint32_t id; +} frag_header_t; + +static inline uint8_t hbh_header_parse(const uchar **packet, int *pktSize) { + DBGPRINTF("hbh_header_parse\n"); + + /* Union to prevent cast from uchar to hbh_header_t */ + union { + const uchar *pck; + hbh_header_t *hdr; + } hbh_header_to_char; + + hbh_header_to_char.pck = *packet; + hbh_header_t *hbh_header = hbh_header_to_char.hdr; + + /* hbh_header->hLength is the number of octets of header in 8-octet units minus 1 + * the header length SHOULD be a multiple of 8 */ + uint8_t hByteLength = hbh_header->hLength * 8 + 8; + DBGPRINTF("hByteLength: %d\n", hByteLength); + *pktSize -= hByteLength; + *packet += hByteLength; + + return hbh_header->nextHeader; +} + +static inline uint8_t dest_header_parse(const uchar **packet, int *pktSize) { + DBGPRINTF("dest_header_parse\n"); + + /* Union to prevent cast from uchar to dest_header_t */ + union { + const uchar *pck; + dest_header_t *hdr; + } dest_header_to_char; + + dest_header_to_char.pck = *packet; + dest_header_t *dest_header = dest_header_to_char.hdr; + + /* dest_header->hLength is the number of octets of header in 8-octet units minus 1 + * the header length SHOULD be a multiple of 8 */ + uint8_t hByteLength = dest_header->hLength * 8 + 8; + DBGPRINTF("hByteLength: %d\n", hByteLength); + *pktSize -= 
hByteLength; + *packet += hByteLength; + + return dest_header->nextHeader; +} + +static inline uint8_t route_header_parse(const uchar **packet, int *pktSize, struct json_object *jparent) { + DBGPRINTF("route_header_parse\n"); + + /* Union to prevent cast from uchar to route_header_t */ + union { + const uchar *pck; + route_header_t *hdr; + } route_header_to_char; + + route_header_to_char.pck = *packet; + route_header_t *route_header = route_header_to_char.hdr; + + /* route_header->hLength is the number of octets of header in 8-octet units minus 1 + * the header length (in bytes) SHOULD be a multiple of 8 */ + uint8_t hByteLength = route_header->hLength * 8 + 8; + *pktSize -= hByteLength; + *packet += hByteLength; + + if (route_header->rType == 0) { + json_object_object_add(jparent, "IP6_route_seg_left", json_object_new_int(route_header->segsLeft)); + + hByteLength -= 8; //leave only length of routing addresses + + char addrStr[40], routeFieldName[20]; + int addrNum = 1; + uint8_t *addr = &(route_header->addrs[0]); + + //while there is enough space for an IPv6 address + while (hByteLength >= 16) { + inet_ntop(AF_INET6, (void *)addr, addrStr, 40); + snprintf(routeFieldName, 20, "IP6_route_%d", addrNum++); + json_object_object_add(jparent, routeFieldName, json_object_new_string((char *)addrStr)); + + addr += 16; + hByteLength -= 16; + } + } + + return route_header->nextHeader; +} + +#define FRAG_OFFSET_MASK 0xFFF8 +#define MFLAG_MASK 0x0001 +static inline uint8_t frag_header_parse(const uchar **packet, int *pktSize, struct json_object *jparent) { + DBGPRINTF("frag_header_parse\n"); + + /* Union to prevent cast from uchar to frag_header_t */ + union { + const uchar *pck; + frag_header_t *hdr; + } frag_header_to_char; + + frag_header_to_char.pck = *packet; + frag_header_t *frag_header = frag_header_to_char.hdr; + + uint16_t flags = ntohs(frag_header->offsetFlags); + + json_object_object_add(jparent, "IP6_frag_offset", json_object_new_int((flags & FRAG_OFFSET_MASK) >> 
3)); + json_object_object_add(jparent, "IP6_frag_more", json_object_new_boolean(flags & MFLAG_MASK)); + json_object_object_add(jparent, "IP6_frag_id", json_object_new_int64(frag_header->id)); + + *pktSize -= 8; + *packet += 8; + + return frag_header->nextHeader; +} + +/* + * This function parses the bytes in the received packet to extract IPv6 metadata. + * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the IPv6 header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where IPv6 metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. +*/ +data_ret_t *ipv6_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("ipv6_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 40) { /* too small for IPv6 header + data (header might be longer)*/ + DBGPRINTF("IPv6 packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0) + } + + ipv6_header_t *ipv6_header = (ipv6_header_t *)packet; + + char addrSrc[40], addrDst[40]; + + inet_ntop(AF_INET6, (void *)&ipv6_header->addrSrc, addrSrc, 40); + inet_ntop(AF_INET6, (void *)&ipv6_header->addrDst, addrDst, 40); + + json_object_object_add(jparent, "net_dst_ip", json_object_new_string((char *)addrDst)); + json_object_object_add(jparent, "net_src_ip", json_object_new_string((char *)addrSrc)); + json_object_object_add(jparent, "net_ttl", json_object_new_int(ipv6_header->hopLimit)); + + uint8_t nextHeader = ipv6_header->nextHeader; + + packet += sizeof(ipv6_header_t); + pktSize -= sizeof(ipv6_header_t); + + DBGPRINTF("beginning ext headers scan\n"); + uint8_t hasNext = 1; + do { + switch (nextHeader) { + case IPV6_NHDR_HBH: + nextHeader = hbh_header_parse(&packet, &pktSize); + break; + case 
IPV6_NHDR_TCP: + json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader)); + return tcp_parse(packet, pktSize, jparent); + case IPV6_NHDR_UDP: + json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader)); + return udp_parse(packet, pktSize, jparent); + case IPV6_NHDR_ENCIP6: + hasNext = 0; + break; + case IPV6_NHDR_ROUT: + nextHeader = route_header_parse(&packet, &pktSize, jparent); + break; + case IPV6_NHDR_FRAG: + nextHeader = frag_header_parse(&packet, &pktSize, jparent); + break; + case IPV6_NHDR_RRSV: + hasNext = 0; + break; + case IPV6_NHDR_SEC: + hasNext = 0; + break; + case IPV6_NHDR_AUTH: + hasNext = 0; + break; + case IPV6_NHDR_ICMP6: + json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader)); + return icmp_parse(packet, pktSize, jparent); + case IPV6_NHDR_NONHDR: + hasNext = 0; + break; + case IPV6_NHDR_DOPTS: + nextHeader = dest_header_parse(&packet, &pktSize); + break; + default: + hasNext = 0; + break; + } + } while (hasNext); + + json_object_object_add(jparent, "IP_proto", json_object_new_int(nextHeader)); + RETURN_DATA_AFTER(0) +} diff --git a/contrib/impcap/ipx_parser.c b/contrib/impcap/ipx_parser.c new file mode 100644 index 0000000..acd43bc --- /dev/null +++ b/contrib/impcap/ipx_parser.c 
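Review bot: The four extension-header helpers (`hbh_header_parse`, `dest_header_parse`, `route_header_parse`, `frag_header_parse`) read the header and advance `*packet` without first checking that `*pktSize` still covers it, and `hByteLength` is a `uint8_t` although `hLength * 8 + 8` reaches 2048, so the value wraps (an `hLength` of 31 yields 0 and the pointer does not advance at all). A capture of exactly 40 bytes whose `nextHeader` is 0 therefore reads beyond the buffer inside the `do`/`while` loop of `ipv6_parse`, and a chained header whose length wraps to 0 leaves the loop re-reading the same bytes. Each helper should bail out when fewer than 8 bytes remain or the computed length exceeds `*pktSize`, returning `IPV6_NHDR_NONHDR` so the loop terminates; the `hbh_header_parse` version is sketched below and the same shape applies to the other three (`frag_header_parse` has a fixed 8-byte length). `frag_header->id` is also stored without `ntohl`, unlike the flags read next to it.
```c
static inline uint8_t hbh_header_parse(const uchar **packet, int *pktSize) {
	/* every extension header is at least 8 bytes; end the chain if fewer remain */
	if (*pktSize < 8) {
		*pktSize = 0;
		return IPV6_NHDR_NONHDR;
	}
	/* … unchanged: union cast of *packet to hbh_header_t … */
	/* hLength * 8 + 8 reaches 2048, so keep it in an int rather than a uint8_t */
	int hByteLength = hbh_header->hLength * 8 + 8;
	if (hByteLength > *pktSize) {
		*pktSize = 0;
		return IPV6_NHDR_NONHDR;
	}
	/* … unchanged: DBGPRINTF, advance *packet / *pktSize, return nextHeader … */
}
```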
@@ -0,0 +1,97 @@ +/* ipx_parser.c + * + * This file contains functions to parse IPX (Novell) headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wpacked" +#pragma GCC diagnostic ignored "-Wattributes" +struct __attribute__ ((__packed__)) ipx_header_s { + uint16_t chksum; + uint16_t pktLen; + uint8_t transCtrl; + uint8_t type; + uint32_t dstNet; + uint8_t dstNode[6]; + uint16_t dstSocket; + uint32_t srcNet; + uint8_t srcNode[6]; + uint16_t srcSocket; +}; +#pragma GCC diagnostic pop + +typedef struct ipx_header_s ipx_header_t; + +/* + * This function parses the bytes in the received packet to extract IPX metadata. 
+ * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the IPX header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where IPX metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. +*/ +data_ret_t *ipx_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + + DBGPRINTF("entered ipx_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 30) { /* too short for IPX header */ + DBGPRINTF("IPX packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0) + } + + char ipxSrcNode[20], ipxDstNode[20]; + ipx_header_t *ipx_header = (ipx_header_t *)packet; + + snprintf(ipxDstNode, sizeof(ipxDstNode), "%02x:%02x:%02x:%02x:%02x:%02x", ipx_header->dstNode[0], + ipx_header->dstNode[1], ipx_header->dstNode[2], ipx_header->dstNode[3], ipx_header->dstNode[4], + ipx_header->dstNode[5]); + + snprintf(ipxSrcNode, sizeof(ipxSrcNode), "%02x:%02x:%02x:%02x:%02x:%02x", ipx_header->srcNode[0], + ipx_header->srcNode[1], ipx_header->srcNode[2], ipx_header->srcNode[3], ipx_header->srcNode[4], + ipx_header->srcNode[5]); + + json_object_object_add(jparent, "IPX_transCtrl", json_object_new_int(ipx_header->transCtrl)); + json_object_object_add(jparent, "IPX_type", json_object_new_int(ipx_header->type)); + json_object_object_add(jparent, "IPX_dest_net", json_object_new_int(ntohl(ipx_header->dstNet))); + json_object_object_add(jparent, "IPX_src_net", json_object_new_int(ntohl(ipx_header->srcNet))); + json_object_object_add(jparent, "IPX_dest_node", json_object_new_string(ipxDstNode)); + json_object_object_add(jparent, "IPX_src_node", json_object_new_string(ipxSrcNode)); + json_object_object_add(jparent, "IPX_dest_socket", 
json_object_new_int(ntohs(ipx_header->dstSocket))); + json_object_object_add(jparent, "IPX_src_socket", json_object_new_int(ntohs(ipx_header->srcSocket))); + + RETURN_DATA_AFTER(30) +} diff --git a/contrib/impcap/llc_parser.c b/contrib/impcap/llc_parser.c new file mode 100644 index 0000000..fca4568 --- /dev/null +++ b/contrib/impcap/llc_parser.c 
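Review bot: `IPX_dest_net` and `IPX_src_net` are 32-bit unsigned network numbers but are passed through `json_object_new_int`, so any network number with the top bit set is logged as a negative value; `json_object_new_int64(ntohl(ipx_header->dstNet))` (and the same for `srcNet`) keeps them faithful. The 30-byte minimum check and `RETURN_DATA_AFTER(30)` match the packed header size, so the header reads themselves are bounded. `pktLen` from the header is neither logged nor used to cap the returned payload; if that is deliberate, a one-line comment saying so would save the next reader a question.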
@@ -0,0 +1,109 @@ +/* llc_parser.c + * + * This file contains functions to parse llc headers. + * + * File begun on 2018-11-13 + * + * Created by: + * - Théo Bertin (theo.bertin@advens.fr) + * + * With: + * - François Bernard (francois.bernard@isen.yncrea.fr) + * - Tianyu Geng (tianyu.geng@isen.yncrea.fr) + * + * This file is part of rsyslog. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * -or- + * see COPYING.ASL20 in the source distribution + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "config.h" +#include "parsers.h" + +/* + * This function parses the bytes in the received packet to extract LLC metadata. + * + * its parameters are: + * - a pointer on the list of bytes representing the packet + * the first byte must be the beginning of the LLC header + * - the size of the list passed as first parameter + * - a pointer on a json_object, containing all the metadata recovered so far + * this is also where LLC metadata will be added + * + * This function returns a structure containing the data unprocessed by this parser + * or the ones after (as a list of bytes), and the length of this data. 
+*/ +data_ret_t *llc_parse(const uchar *packet, int pktSize, struct json_object *jparent) { + DBGPRINTF("entered llc_parse\n"); + DBGPRINTF("packet size %d\n", pktSize); + + if (pktSize < 3) { /* too short for llc header */ + DBGPRINTF("LLC packet too small : %d\n", pktSize); + RETURN_DATA_AFTER(0) + } + + uint8_t dsapField, dsap, ssapField, ssap; + uint16_t ctrl; + uint8_t headerLen; + + dsapField = (uint8_t)packet[0]; + ssapField = (uint8_t)packet[1]; + DBGPRINTF("dsapField : %02X\n", dsapField); + DBGPRINTF("ssapField : %02X\n", ssapField); + + if (dsapField == 0xff && ssapField == 0xff) { + /* this is an IPX packet, without LLC */ + return ipx_parse(packet, pktSize, jparent); + } + + if ((packet[2] & 0x03) == 3) { + /* U frame: LLC control is 8 bits */ + ctrl = (uint8_t)packet[2]; + headerLen = 3; + } else { + /* I and S data frames: LLC control is 16 bits */ + ctrl = ntohs((uint16_t)packet[2]); + headerLen = 4; + } + + /* don't take last bit into account */ + dsap = dsapField & 0xfe; + ssap = ssapField & 0xfe; + + json_object_object_add(jparent, "LLC_dsap", json_object_new_int(dsap)); + json_object_object_add(jparent, "LLC_ssap", json_object_new_int(ssap)); + json_object_object_add(jparent, "LLC_ctrl", json_object_new_int(ctrl)); + + if (dsap == 0xaa && ssap == 0xaa && ctrl == 0x03) { + /* SNAP header */ + uint32_t orgCode = packet[headerLen] << 16 | + packet[headerLen + 1] << 8 | + packet[headerLen + 2]; + uint16_t ethType = packet[headerLen + 3] << 8 | + packet[headerLen + 4]; + json_object_object_add(jparent, "SNAP_oui", json_object_new_int(orgCode)); + json_object_object_add(jparent, "SNAP_ethType", json_object_new_int(ethType)); + return eth_proto_parse(ethType, packet + headerLen, pktSize - headerLen, jparent); + } + if (dsap == 0x06 && ssap == 0x06 && ctrl == 0x03) { + /* IPv4 header */ + return ipv4_parse(packet + headerLen, pktSize - headerLen, jparent); + } + if (dsap == 0xe0 && ssap == 0xe0 && ctrl == 0x03) { + /* IPX packet with LLC */ + return 
ipx_parse(packet + headerLen, pktSize - headerLen, jparent); + } + + RETURN_DATA_AFTER(headerLen) +} diff --git a/contrib/impcap/parsers.h b/contrib/impcap/parsers.h new file mode 100644 index 0000000..d2e71d4 --- /dev/null +++ b/contrib/impcap/parsers.h 
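Review bot: The SNAP branch of `llc_parse` reads `packet[headerLen]` through `packet[headerLen + 4]` under a guard that only ensures three bytes, and then hands the next parser `packet + headerLen`, i.e. the OUI/EtherType bytes themselves rather than the payload that begins five bytes later, so an IPv4 or IPv6 packet behind SNAP is decoded from the wrong offset. The I/S-frame branch has a related read: `ctrl = ntohs((uint16_t)packet[2])` widens a single byte and byte-swaps it instead of reading two bytes, which should be `ctrl = (uint16_t)(packet[2] << 8 | packet[3]);` behind a `pktSize < 4` check. The SNAP branch with a length check and the corrected offset is below.
```c
	if (dsap == 0xaa && ssap == 0xaa && ctrl == 0x03) {
		/* SNAP header: 3-byte OUI + 2-byte EtherType follow the LLC header */
		if (pktSize < headerLen + 5) {
			DBGPRINTF("LLC/SNAP packet too small : %d\n", pktSize);
			RETURN_DATA_AFTER(headerLen)
		}
		/* … unchanged: orgCode / ethType extraction and the two json_object_object_add calls … */
		/* payload starts after the 5-byte SNAP extension, not right after LLC */
		return eth_proto_parse(ethType, packet + headerLen + 5, pktSize - headerLen - 5, jparent);
	}
```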
@@ -0,0 +1,189 @@
+/* parser.h
+ *
+ * This file contains the prototypes of all the parsers available within impcap.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <ctype.h>
+#include <pcap.h>
+
+#include "rsyslog.h"
+#include "msg.h"
+#include "dirty.h"
+
+#ifdef __FreeBSD__
+#include <sys/socket.h>
+#else
+
+#include <netinet/ether.h>
+
+#endif
+
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/ip_icmp.h>
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+#include <net/ethernet.h>
+#include <arpa/inet.h>
+
+#ifndef INCLUDED_PARSER_H
+#define INCLUDED_PARSER_H 1
+
+/* data return structure */
+struct data_ret_s {
+ size_t size;
+ char *pData;
+};
+typedef struct data_ret_s data_ret_t;
+
+#define RETURN_DATA_AFTER(x) data_ret_t *retData = malloc(sizeof(data_ret_t)); \
+ if(pktSize > x) { \
+ retData->size = pktSize - x; \
+ retData->pData = (char *)packet + x; \
+ } \
+ else { \
+ retData->size = 0; \
+ retData->pData = NULL; \
+ } \
+ return retData; \
+
+/* --- handlers prototypes --- */
+void packet_parse(uchar *arg, const struct pcap_pkthdr *pkthdr, const uchar *packet);
+
+data_ret_t *eth_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *llc_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipx_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipv4_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *icmp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *tcp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *udp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ipv6_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *arp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *rarp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ah_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *esp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *smb_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *ftp_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *http_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+data_ret_t *dns_parse(const uchar *packet, int pktSize, struct json_object *jparent);
+
+
+// inline function definitions
+static inline data_ret_t *dont_parse(
+ const uchar *packet,
+ int pktSize,
+ __attribute__((unused)) struct json_object *jparent);
+
+static inline data_ret_t *eth_proto_parse(
+ uint16_t ethProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent);
+
+static inline data_ret_t *ip_proto_parse(
+ uint16_t ipProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent);
+
+/*
+ * Mock function to do no parsing when protocol is not a valid number
+*/
+static inline data_ret_t *dont_parse(
+ const uchar *packet,
+ int pktSize,
+ __attribute__((unused)) struct json_object *jparent)
+{
+ DBGPRINTF("protocol not handled\n");
+ RETURN_DATA_AFTER(0)
+}
+
+// proto code handlers
+static inline data_ret_t *eth_proto_parse(
+ uint16_t ethProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent)
+{
+ switch(ethProto) {
+ case ETHERTYPE_IP:
+ return ipv4_parse(packet, pktSize, jparent);
+ case ETHERTYPE_IPV6:
+ return ipv6_parse(packet, pktSize, jparent);
+ case ETHERTYPE_ARP:
+ return arp_parse(packet, pktSize, jparent);
+ case ETHERTYPE_REVARP:
+ return rarp_parse(packet, pktSize, jparent);
+ case ETHERTYPE_IPX:
+ return ipx_parse(packet, pktSize, jparent);
+ default:
+ return dont_parse(packet, pktSize, jparent);
+ }
+}
+
+static inline data_ret_t *ip_proto_parse(
+ uint16_t ipProto,
+ const uchar *packet,
+ int pktSize,
+ struct json_object *jparent)
+{
+ switch(ipProto) {
+ case IPPROTO_TCP:
+ return tcp_parse(packet, pktSize, jparent);
+ case IPPROTO_UDP:
+ return udp_parse(packet, pktSize, jparent);
+ case IPPROTO_ICMP:
+ return icmp_parse(packet, pktSize, jparent);
+ default:
+ return dont_parse(packet, pktSize, jparent);
+ }
+}
+
+#endif /* INCLUDED_PARSER_H */
diff --git a/contrib/impcap/smb_parser.c b/contrib/impcap/smb_parser.c
new file mode 100644
index 0000000..e673cd3
--- /dev/null
+++ b/contrib/impcap/smb_parser.c
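Review bot: `RETURN_DATA_AFTER` dereferences the `malloc` result without checking it, so an allocation failure inside any parser becomes a NULL write instead of an error; since the macro is the only place the return struct is created, the check belongs there: `data_ret_t *retData = malloc(sizeof(*retData)); \` followed by `if(retData == NULL) return NULL; \`, with the consumer of the parsers (presumably `packet_parse`, whose body is not in this hunk) treating a NULL return as "no data". The macro parameter `x` is used unparenthesized in `pktSize > x` and `pktSize - x`, which mis-evaluates silently if a caller ever passes an expression, so `(x)` is the safer spelling. The whole `#include` block sits above `#ifndef INCLUDED_PARSER_H`, so the guard protects only the definitions; moving it to the top of the file is the conventional layout and keeps repeated inclusion cheap. The comment header names the file `parser.h` while the file added is `parsers.h`.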
@@ -0,0 +1,145 @@
+/* smb_parser.c
+ *
+ * This file contains functions to parse SMB (version 2 and 3) headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+/* SMB2 opCodes */
+#define SMB2_NEGOTIATE 0x00
+#define SMB2_SESSIONSET 0x01
+#define SMB2_SESSIONLOGOFF 0x02
+#define SMB2_TREECONNECT 0x03
+#define SMB2_TREEDISCONNECT 0x04
+#define SMB2_CREATE 0x05
+#define SMB2_CLOSE 0x06
+#define SMB2_FLUSH 0x07
+#define SMB2_READ 0x08
+#define SMB2_WRITE 0x09
+#define SMB2_LOCK 0x0a
+#define SMB2_IOCTL 0x0b
+#define SMB2_CANCEL 0x0c
+#define SMB2_KEEPALIVE 0x0d
+#define SMB2_FIND 0x0e
+#define SMB2_NOTIFY 0x0f
+#define SMB2_GETINFO 0x10
+#define SMB2_SETINFO 0x11
+#define SMB2_BREAK 0x12
+
+struct smb_header_s {
+ uint32_t version;
+ uint16_t headerLength;
+ uint16_t padding1;
+ uint32_t ntStatus;
+ uint16_t opCode;
+ uint16_t padding2;
+ uint32_t flags;
+ uint32_t chainOffset;
+ uint32_t comSeqNumber[2];
+ uint32_t processID;
+ uint32_t treeID;
+ uint32_t userID[2];
+ uint32_t signature[4];
+};
+
+typedef struct smb_header_s smb_header_t;
+
+static char flagCodes[5] = "RPCS";
+
+/*
+ * This function parses the bytes in the received packet to extract SMB2 metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the beginning of the header will be checked by the function
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where SMB2 metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *smb_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("smb_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ int pktSizeCpy = pktSize;
+ const uchar *packetCpy = packet;
+
+ while (pktSizeCpy > 0) {
+ /* don't check packetCpy[0] to include SMB version byte at the beginning */
+ if (packetCpy[1] == 'S') {
+ if (packetCpy[2] == 'M') {
+ if (packetCpy[3] == 'B') {
+ break;
+ }
+ }
+ }
+ packetCpy++, pktSizeCpy--;
+ }
+
+ if ((int)pktSizeCpy < 64) {
+ DBGPRINTF("SMB packet too small : %d\n", pktSizeCpy);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to smb_header_t */
+ union {
+ const uchar *pck;
+ smb_header_t *hdr;
+ } smb_header_to_char;
+
+ smb_header_to_char.pck = packetCpy;
+ smb_header_t *smb_header = smb_header_to_char.hdr;
+
+ char flags[5] = {0};
+ uint64_t seqNum, userID;
+ uint8_t version;
+
+ version = (smb_header->version == 0xFF) ? 1 : 2;
+ seqNum = smb_header->comSeqNumber[0] | smb_header->comSeqNumber[1] << 16;
+ userID = smb_header->userID[0] | smb_header->userID[1] << 16;
+
+ uint8_t i, pos = 0;
+ for (i = 0; i < 4; ++i) {
+ if (smb_header->flags & (0x01 << i))
+ flags[pos++] = flagCodes[i];
+ }
+
+ json_object_object_add(jparent, "SMB_version", json_object_new_int(version));
+ json_object_object_add(jparent, "SMB_NTstatus", json_object_new_int64(smb_header->ntStatus));
+ json_object_object_add(jparent, "SMB_operation", json_object_new_int(smb_header->opCode));
+ json_object_object_add(jparent, "SMB_flags", json_object_new_string(flags));
+ json_object_object_add(jparent, "SMB_seqNumber", json_object_new_int64(seqNum));
+ json_object_object_add(jparent, "SMB_processID", json_object_new_int64(smb_header->processID));
+ json_object_object_add(jparent, "SMB_treeID", json_object_new_int64(smb_header->treeID));
+ json_object_object_add(jparent, "SMB_userID", json_object_new_int64(userID));
+
+ RETURN_DATA_AFTER(0)
+}
diff --git a/contrib/impcap/tcp_parser.c b/contrib/impcap/tcp_parser.c
new file mode 100644
index 0000000..b96c1f3
--- /dev/null
+++ b/contrib/impcap/tcp_parser.c
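Review bot: The signature search loop reads `packetCpy[1]` to `packetCpy[3]` while only `pktSizeCpy > 0` is guaranteed, so for the last three positions it reads up to three bytes past the end of the captured data; the condition should be `while (pktSizeCpy >= 4) {`. The version test `smb_header->version == 0xFF` compares the whole 4-byte protocol id with 0xFF and can never be true, so every packet is reported as version 2; it is the first byte that carries it: `version = (packetCpy[0] == 0xFF) ? 1 : 2;`. The 64-bit message id and session id are rebuilt from their 32-bit halves with `<< 16`, which overlaps the halves and drops the upper bits; `seqNum = (uint64_t)smb_header->comSeqNumber[0] | ((uint64_t)smb_header->comSeqNumber[1] << 32);` (and the same shape for `userID`) matches the header layout declared above. Note also that `packetCpy` can sit at any byte offset after the scan, so reading `uint32_t` fields through the union is a misaligned access on strict targets (a `memcpy` into a local `smb_header_t` avoids it), and the SMB2 fields are little-endian on the wire but are not converted, so the reported values are wrong on big-endian hosts.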
@@ -0,0 +1,121 @@
+/* tcp_parser.c
+ *
+ * This file contains functions to parse TCP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#define SMB_PORT 445
+#define HTTP_PORT 80
+#define HTTP_PORT_ALT 8080
+#define FTP_PORT 21
+#define FTP_PORT_DATA 20
+
+struct tcp_header_s {
+ uint16_t srcPort;
+ uint16_t dstPort;
+ uint32_t seq;
+ uint32_t ack;
+ uint8_t dor;
+ uint8_t flags;
+ uint16_t windowSize;
+ uint16_t checksum;
+ uint16_t urgPointer;
+ uint8_t options[];
+};
+
+typedef struct tcp_header_s tcp_header_t;
+
+static char flagCodes[10] = "FSRPAUECN";
+
+/*
+ * This function parses the bytes in the received packet to extract TCP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the TCP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where TCP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *tcp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("tcp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 20) {
+ DBGPRINTF("TCP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to tcp_header_t */
+ union {
+ const uchar *pck;
+ tcp_header_t *hdr;
+ } tcp_header_to_char;
+
+ tcp_header_to_char.pck = packet;
+ tcp_header_t *tcp_header = tcp_header_to_char.hdr;
+
+ uint8_t i, pos = 0;
+ char flags[10] = {0};
+
+ for (i = 0; i < 8; ++i) {
+ if (tcp_header->flags & (0x01 << i))
+ flags[pos++] = flagCodes[i];
+ }
+ if (tcp_header->dor & 0x01)
+ flags[pos++] = flagCodes[9];
+
+ uint16_t srcPort = ntohs(tcp_header->srcPort);
+ uint16_t dstPort = ntohs(tcp_header->dstPort);
+
+ uint8_t headerLength = (tcp_header->dor & 0xF0) >> 2; //>>4 to offset but <<2 to get offset as bytes
+
+ json_object_object_add(jparent, "net_src_port", json_object_new_int(srcPort));
+ json_object_object_add(jparent, "net_dst_port", json_object_new_int(dstPort));
+ json_object_object_add(jparent, "TCP_seq_number", json_object_new_int64(ntohl(tcp_header->seq)));
+ json_object_object_add(jparent, "TCP_ack_number", json_object_new_int64(ntohl(tcp_header->ack)));
+ json_object_object_add(jparent, "net_flags", json_object_new_string(flags));
+
+ if (srcPort == SMB_PORT || dstPort == SMB_PORT) {
+ return smb_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ if (srcPort == FTP_PORT || dstPort == FTP_PORT || srcPort == FTP_PORT_DATA || dstPort == FTP_PORT_DATA) {
+ return ftp_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ if (srcPort == HTTP_PORT || dstPort == HTTP_PORT ||
+ srcPort == HTTP_PORT_ALT || dstPort == HTTP_PORT_ALT) {
+ return http_parse(packet + headerLength, pktSize - headerLength, jparent);
+ }
+ DBGPRINTF("tcp return after header length (%u)\n", headerLength);
+ RETURN_DATA_AFTER(headerLength)
+}
diff --git a/contrib/impcap/udp_parser.c b/contrib/impcap/udp_parser.c
new file mode 100644
index 0000000..a9b7dca
--- /dev/null
+++ b/contrib/impcap/udp_parser.c
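Review bot: `headerLength` is taken from the data-offset nibble but never validated, so a header claiming fewer than 20 or more than `pktSize` bytes makes `packet + headerLength` point past the captured data and hands a negative `pktSize - headerLength` to `smb_parse`, `ftp_parse` and `http_parse`; a guard right after it is computed, `if (headerLength < 20 || headerLength > pktSize) { DBGPRINTF("TCP data offset out of range : %u\n", headerLength); RETURN_DATA_AFTER(0) }`, closes that (the final `RETURN_DATA_AFTER(headerLength)` is already safe because the macro checks `pktSize > x`). The NS flag is copied from `flagCodes[9]`, which is the terminating NUL of `"FSRPAUECN"`, so that flag never appears in `net_flags`; it should be `flagCodes[8]`. As in the other parsers, `seq` and `ack` are read as `uint32_t` through the union at whatever alignment the TCP header happens to have, which is undefined behaviour on targets that trap on misaligned loads; `memcpy` into a local `tcp_header_t` is the portable form.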
@@ -0,0 +1,90 @@
+/* udp_parser.c
+ *
+ * This file contains functions to parse UDP headers.
+ *
+ * File begun on 2018-11-13
+ *
+ * Created by:
+ * - Théo Bertin (theo.bertin@advens.fr)
+ *
+ * With:
+ * - François Bernard (francois.bernard@isen.yncrea.fr)
+ * - Tianyu Geng (tianyu.geng@isen.yncrea.fr)
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "config.h"
+#include "parsers.h"
+
+#define DNS_PORT 53
+
+struct udp_header_s {
+ uint16_t srcPort;
+ uint16_t dstPort;
+ uint16_t totalLength;
+ uint16_t checksum;
+};
+
+typedef struct udp_header_s udp_header_t;
+
+/*
+ * This function parses the bytes in the received packet to extract UDP metadata.
+ *
+ * its parameters are:
+ * - a pointer on the list of bytes representing the packet
+ * the first byte must be the beginning of the UDP header
+ * - the size of the list passed as first parameter
+ * - a pointer on a json_object, containing all the metadata recovered so far
+ * this is also where UDP metadata will be added
+ *
+ * This function returns a structure containing the data unprocessed by this parser
+ * or the ones after (as a list of bytes), and the length of this data.
+*/
+data_ret_t *udp_parse(const uchar *packet, int pktSize, struct json_object *jparent) {
+ DBGPRINTF("udp_parse\n");
+ DBGPRINTF("packet size %d\n", pktSize);
+
+ if (pktSize < 8) {
+ DBGPRINTF("UDP packet too small : %d\n", pktSize);
+ RETURN_DATA_AFTER(0)
+ }
+
+ /* Union to prevent cast from uchar to udp_header_t */
+ union {
+ const uchar *pck;
+ udp_header_t *hdr;
+ } udp_header_to_char;
+
+ udp_header_to_char.pck = packet;
+ udp_header_t *udp_header = udp_header_to_char.hdr;
+
+ // Prevent endianness issue
+ unsigned short int src_port = ntohs(udp_header->srcPort);
+ unsigned short int dst_port = ntohs(udp_header->dstPort);
+
+ json_object_object_add(jparent, "net_src_port", json_object_new_int(src_port));
+ json_object_object_add(jparent, "net_dst_port", json_object_new_int(dst_port));
+ json_object_object_add(jparent, "UDP_Length", json_object_new_int(ntohs(udp_header->totalLength)));
+ json_object_object_add(jparent, "UDP_Checksum", json_object_new_int(ntohs(udp_header->checksum)));
+
+ if (src_port == DNS_PORT || dst_port == DNS_PORT) {
+ return dns_parse(packet + sizeof(udp_header_t), pktSize - sizeof(udp_header_t), jparent);
+ }
+
+ RETURN_DATA_AFTER(8)
+} |
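Review bot: The UDP header size is spelled three different ways in `udp_parse` — the `pktSize < 8` guard, `sizeof(udp_header_t)` in the `dns_parse` call and the literal in `RETURN_DATA_AFTER(8)` — so any one of them can drift from the others; using `sizeof(udp_header_t)` throughout (or one named constant) keeps them tied together. `pktSize - sizeof(udp_header_t)` is evaluated as `size_t` and then narrowed to the `int` parameter of `dns_parse`; it is safe only because of the `< 8` guard above, and `pktSize - (int)sizeof(udp_header_t)` makes that intent visible to the next reader and to `-Wconversion`. The two port locals are declared `unsigned short int` while the TCP parser in this same commit uses `uint16_t` for the same values; matching the type keeps the two files consistent. `UDP_Length` is reported straight from the header without being compared to `pktSize`, which is fine for logging, but a consumer should not treat it as the number of payload bytes actually captured.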