search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #56 from wuruilong01/master
[prads.git] / src / ipfp / udp_fp.c
blob64d1ee3efbe301fdc61f6af42cef827b597fbd50
1 #include "../common.h"
2 #include "../prads.h"
3 #include "ipfp.h"
4
5 void fp_udp4(packetinfo *pi, ip4_header * ip4, udp_header * udph, const uint8_t * end_ptr)
6 {
7
8 uint8_t *opt_ptr;
9 int32_t ilen, olen;
10 uint32_t quirks = 0;
11 uint8_t *payload = 0;
12
13 /*
14 * Decode variable length header options and remaining data in field
15 */
16 olen = IP_HL(ip4) - 5;
17 if (olen < 0) { // Check for bad hlen
18 olen = 0;
19 } else {
20 /*
21 * Option length is number of 32 bit words
22 */
23 olen = olen * 4;
24 quirks |= QUIRK_IPOPT;
25 }
26 /*
27 * If the declared length is shorter than the snapshot (etherleak
28 * or such), truncate the package.
29 */
30 opt_ptr = (uint8_t *) ip4 + ntohs(ip4->ip_len);
31 if (end_ptr > opt_ptr)
32 end_ptr = opt_ptr;
33
34 ilen = ip4->ip_vhl & 15;
35 /*
36 * B0rked packet
37 */
38 if (ilen < 5)
39 return;
40
41 if (ilen > 5) {
42 quirks |= QUIRK_IPOPT;
43 }
44 /*
45 * If IP header ends past end_ptr
46 */
47 if ((uint8_t *) (ip4 + 1) > end_ptr)
48 return;
49
50 if ((uint8_t *) opt_ptr + ilen < end_ptr) {
51 quirks |= QUIRK_DATA;
52 payload = opt_ptr + ilen;
53 }
54 uint8_t udata = (uint8_t *) end_ptr - payload;
55
56 if (!ip4->ip_id)
57 quirks |= QUIRK_ZEROID;
58
59 // Fingerprint format: $fplen,$ttl,$df,$io,$if,$fo
60 gen_fp_udp(ntohs(ip4->ip_len) - ntohs(udph->len), udata, ip4->ip_ttl,
61 (ntohs(ip4->ip_off) & IP_DF) != 0, olen, ntohs(ip4->ip_len),
62 ip4->ip_off, ip4->ip_tos, quirks,
63 //ip_src, udph->src_port,AF_INET);
64 pi);
65
66 //icmp_os_find_match($type,$code,$gttl,$df,$ipopts,$len,$ipflags,$foffset,$tos);
67
68 }
PRADS is a Passive Real-time Asset Detection System. It passively listen to network traffic and gathers information on hosts and services it sees on the network.