search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-sebek.c
blob8543963fecb152c9e8a3da620cfd94f8fd69705b
1 /* packet-sebek.c
2 * Routines for Sebek - Kernel based data capture - packet dissection
3 * Modified to add sebek V3
4 * Copyright 2006, Camilo Viecco <cviecco@indiana.edu>
5 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
6 *
7 * See: http://project.honeynet.org/tools/sebek/ for more details
8 *
9 * Wireshark - Network traffic analyzer
10 * By Gerald Combs <gerald@wireshark.org>
11 * Copyright 1998 Gerald Combs
12 *
13 * SPDX-License-Identifier: GPL-2.0-or-later
14 */
15
16 #include "config.h"
17
18 #include <math.h>
19 #include <epan/packet.h>
20
21 /*
22 Sebek v2:
23
24 IP address: 32bit unsigned
25 MAGIC Val: 32bit unsigned
26 Sebek Ver: 16bit unsigned #value must match 2
27 Type 16bit unsigned
28 Counter: 32bit unsigned
29 Time_sec: 32bit unsigned
30 Time_usec: 32bit unsigned
31 Proc ID: 32bit unsigned
32 User ID: 32bit unsigned
33 File Desc: 32bit unsigned
34 Command: 12char array
35 Length: Data Length
36
37 Data: Variable Length data
38
39
40 Sebek v3 header
41 IP address: 32bit unsigned
42 MAGIC Val: 32bit unsigned
43 Sebek Ver: 16bit unsigned #value must match 3
44 Type 16bit unsigned
45 Counter: 32bit unsigned
46 Time_sec: 32bit unsigned
47 Time_usec: 32bit unsigned
48 Parent_pid: 32bit unsigned
49 Proc ID: 32bit unsigned
50 User ID: 32bit unsigned
51 File Desc: 32bit unsigned
52 inode: 32bit unsigned
53 Command: 12char array
54 Length: Data Length
55 Data: Variable data length
56
57 Sebekv3 has a sock_socket_record subheader for IPV4:
58 Dest_ip: 32bit unsigned
59 Dest_port: 16bit unsigned
60 Src_ip: 32bit unsigned
61 src_port: 16bit unsigned
62 call: 16bit unsigned
63 proto 8bit unsigned
64
65 */
66
67 /* By default, but can be completely different */
68 #define UDP_PORT_SEBEK 1101 /* Not IANA registered */
69
70 void proto_register_sebek(void);
71 void proto_reg_handoff_sebek(void);
72
73 static dissector_handle_t sebek_handle;
74
75 static int proto_sebek;
76
77 static int hf_sebek_magic;
78 static int hf_sebek_version;
79 static int hf_sebek_type;
80 static int hf_sebek_counter;
81 static int hf_sebek_time;
82 static int hf_sebek_pid;
83 static int hf_sebek_uid;
84 static int hf_sebek_fd;
85 static int hf_sebek_cmd;
86 static int hf_sebek_len;
87 static int hf_sebek_data;
88 static int hf_sebek_ppid;
89 static int hf_sebek_inode;
90 static int hf_sebek_socket_src_ip;
91 static int hf_sebek_socket_src_port;
92 static int hf_sebek_socket_dst_ip;
93 static int hf_sebek_socket_dst_port;
94 static int hf_sebek_socket_call;
95 static int hf_sebek_socket_proto;
96
97
98 static int ett_sebek;
99
100 /* dissect_sebek - dissects sebek packet data
101 * tvb - tvbuff for packet data (IN)
102 * pinfo - packet info
103 * proto_tree - resolved protocol tree
104 */
105 static int
106 dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
107 {
108 proto_tree *sebek_tree;
109 proto_item *ti;
110 int offset = 0;
111 int sebek_ver = 0;
112 int sebek_type = 0;
113 int cmd_len = 0;
114
115 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");
116
117 col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
118
119 if (tvb_captured_length(tvb)<6)
120 sebek_ver = 0;
121 else
122 sebek_ver = tvb_get_ntohs(tvb, 4);
123
124 switch (sebek_ver) {
125 case 2: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
126 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
127 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
128 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(pinfo->pool, tvb, 32, 12));
129 break;
130 case 3: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
131 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
132 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
133 cmd_len = tvb_strnlen(tvb, 40, 12);
134 if (cmd_len<0)
135 cmd_len = 0;
136 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(pinfo->pool, tvb, 40, cmd_len));
137 break;
138 default:
139 break;
140 }
141
142 if (tree) {
143 /* Adding Sebek item and subtree */
144 ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, ENC_NA);
145 sebek_tree = proto_item_add_subtree(ti, ett_sebek);
146
147 /* check for minimum length before deciding where to go*/
148 if (tvb_captured_length(tvb)<6)
149 sebek_ver = 0;
150 else
151 sebek_ver = tvb_get_ntohs(tvb, 4);
152
153 switch (sebek_ver) {
154 case 2: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
155 offset += 4;
156
157 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
158 offset += 2;
159
160 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
161 offset += 2;
162
163 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
164 offset += 4;
165
166 proto_tree_add_item(sebek_tree, hf_sebek_time, tvb, offset, 8, ENC_TIME_SECS_NSECS|ENC_BIG_ENDIAN);
167 offset += 8;
168
169 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
170 offset += 4;
171
172 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
173 offset += 4;
174
175 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
176 offset += 4;
177
178 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII);
179 offset += 12;
180
181 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
182 offset += 4;
183
184 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII);
185
186 break;
187
188 case 3: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
189 offset += 4;
190
191 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
192 offset += 2;
193
194 sebek_type=tvb_get_ntohs(tvb, offset);
195 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
196 offset += 2;
197
198 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
199 offset += 4;
200
201 proto_tree_add_item(sebek_tree, hf_sebek_time, tvb, offset, 8, ENC_TIME_SECS_NSECS|ENC_BIG_ENDIAN);
202 offset += 8;
203
204 proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, ENC_BIG_ENDIAN);
205 offset += 4;
206
207 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
208 offset += 4;
209
210 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
211 offset += 4;
212
213 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
214 offset += 4;
215
216 proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, ENC_BIG_ENDIAN);
217 offset += 4;
218
219 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII);
220 offset += 12;
221
222 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
223 offset += 4;
224
225 if (sebek_type == 2) {
226 /*data is socket data, process accordingly*/
227 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
228 offset += 4;
229 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, ENC_BIG_ENDIAN);
230 offset += 2;
231 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
232 offset += 4;
233 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, ENC_BIG_ENDIAN);
234 offset += 2;
235 proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, ENC_BIG_ENDIAN);
236 offset += 2;
237 proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, ENC_BIG_ENDIAN);
238 offset += 1;
239 } else {
240 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII);
241 }
242
243 break;
244
245 default:
246 break;
247
248 }
249 }
250 return offset;
251 }
252
253 void
254 proto_register_sebek(void)
255 {
256 static hf_register_info hf[] = {
257 { &hf_sebek_magic, {
258 "Magic", "sebek.magic", FT_UINT32, BASE_HEX,
259 NULL, 0, "Magic Number", HFILL }},
260 { &hf_sebek_version, {
261 "Version", "sebek.version", FT_UINT16, BASE_DEC,
262 NULL, 0, "Version Number", HFILL }},
263 { &hf_sebek_type, {
264 "Type", "sebek.type", FT_UINT16, BASE_DEC,
265 NULL, 0, NULL, HFILL }},
266 { &hf_sebek_counter, {
267 "Counter", "sebek.counter", FT_UINT32, BASE_DEC,
268 NULL, 0, NULL, HFILL }},
269 { &hf_sebek_time, {
270 "Time", "sebek.time.sec", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
271 NULL, 0, NULL, HFILL }},
272 { &hf_sebek_pid, {
273 "Process ID", "sebek.pid", FT_UINT32, BASE_DEC,
274 NULL, 0, NULL, HFILL }},
275 { &hf_sebek_uid, {
276 "User ID", "sebek.uid", FT_UINT32, BASE_DEC,
277 NULL, 0, NULL, HFILL }},
278 { &hf_sebek_fd, {
279 "File Descriptor", "sebek.fd", FT_UINT32, BASE_DEC,
280 NULL, 0, "File Descriptor Number", HFILL }},
281 { &hf_sebek_cmd, {
282 "Command Name", "sebek.cmd", FT_STRING, BASE_NONE,
283 NULL, 0, NULL, HFILL }},
284 { &hf_sebek_len, {
285 "Data Length", "sebek.len", FT_UINT32, BASE_DEC,
286 NULL, 0, NULL, HFILL }},
287 { &hf_sebek_ppid, {
288 "Parent Process ID", "sebek.ppid", FT_UINT32, BASE_DEC,
289 NULL, 0, NULL, HFILL }},
290 { &hf_sebek_inode, {
291 "Inode ID", "sebek.inode", FT_UINT32, BASE_DEC,
292 NULL, 0, NULL, HFILL }},
293 { &hf_sebek_data, {
294 "Data", "sebek.data", FT_STRING, BASE_NONE,
295 NULL, 0, NULL, HFILL }},
296 { &hf_sebek_socket_src_ip, {
297 "Socket.local_ip", "sebek.socket.src_ip", FT_IPv4, BASE_NONE,
298 NULL, 0, "Socket.src_ip", HFILL }},
299 { &hf_sebek_socket_src_port, {
300 "Socket.local_port", "sebek.socket.src_port", FT_UINT16, BASE_DEC,
301 NULL, 0, "Socket.src_port", HFILL }},
302 { &hf_sebek_socket_dst_ip, {
303 "Socket.remote_ip", "sebek.socket.dst_ip", FT_IPv4, BASE_NONE,
304 NULL, 0, "Socket.dst_ip", HFILL }},
305 { &hf_sebek_socket_dst_port, {
306 "Socket.remote_port", "sebek.socket.dst_port", FT_UINT16, BASE_DEC,
307 NULL, 0, "Socket.dst_port", HFILL }},
308 { &hf_sebek_socket_call, {
309 "Socket.Call_id", "sebek.socket.call", FT_UINT16, BASE_DEC,
310 NULL, 0, "Socket.call", HFILL }},
311 { &hf_sebek_socket_proto, {
312 "Socket.ip_proto", "sebek.socket.ip_proto", FT_UINT8, BASE_DEC,
313 NULL, 0, NULL, HFILL }}
314 };
315 static int *ett[] = {
316 &ett_sebek
317 };
318
319 proto_sebek = proto_register_protocol("SEBEK - Kernel Data Capture", "SEBEK", "sebek");
320 proto_register_field_array(proto_sebek, hf, array_length(hf));
321 proto_register_subtree_array(ett, array_length(ett));
322
323 sebek_handle = register_dissector("sebek", dissect_sebek, proto_sebek);
324 }
325
326 void
327 proto_reg_handoff_sebek(void)
328 {
329 dissector_add_uint_with_preference("udp.port", UDP_PORT_SEBEK, sebek_handle);
330 }
331
332 /*
333 * Editor modelines - https://www.wireshark.org/tools/modelines.html
334 *
335 * Local variables:
336 * c-basic-offset: 8
337 * tab-width: 8
338 * indent-tabs-mode: t
339 * End:
340 *
341 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
342 * :indentSize=8:tabSize=8:noTabs=false:
343 */
Metzes wireshark repo