search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MSWSP: add two more Property Sets
[wireshark-wip.git] / epan / dissectors / packet-sebek.c
blob27efea0da4e461783819dfece1d1568d1dac1136
1 /* packet-sebek.c
2 * Routines for Sebek - Kernel based data capture - packet dissection
3 * Modified to add sebek V3
4 * Copyright 2006, Camilo Viecco <cviecco@indiana.edu>
5 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
6 *
7 * See: http://project.honeynet.org/tools/sebek/ for more details
8 *
9 * $Id$
10 *
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1998 Gerald Combs
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
19 *
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
28 */
29
30 #include "config.h"
31
32 #include <string.h>
33 #include <time.h>
34 #include <math.h>
35 #include <glib.h>
36
37 #include <epan/packet.h>
38 #include <epan/addr_resolv.h>
39
40 /*
41 Sebek v2:
42
43 IP address: 32bit unsigned
44 MAGIC Val: 32bit unsigned
45 Sebek Ver: 16bit unsigned #value must match 2
46 Type 16bit unsigned
47 Counter: 32bit unsigned
48 Time_sec: 32bit unsigned
49 Time_usec: 32bit unsigned
50 Proc ID: 32bit unsigned
51 User ID: 32bit unsigned
52 File Desc: 32bit unsigned
53 Command: 12char array
54 Length: Data Length
55
56 Data: Variable Length data
57
58
59 Sebek v3 header
60 IP address: 32bit unsigned
61 MAGIC Val: 32bit unsigned
62 Sebek Ver: 16bit unsigned #value must match 3
63 Type 16bit unsigned
64 Counter: 32bit unsigned
65 Time_sec: 32bit unsigned
66 Time_usec: 32bit unsigned
67 Parent_pid: 32bit unsigned
68 Proc ID: 32bit unsigned
69 User ID: 32bit unsigned
70 File Desc: 32bit unsigned
71 inode: 32bit unsigned
72 Command: 12char array
73 Length: Data Length
74 Data: Variable data length
75
76 Sebekv3 has a sock_socket_record subheader for IPV4:
77 Dest_ip: 32bit unsigned
78 Dest_port: 16bit unsigned
79 Src_ip: 32bit unsigned
80 src_port: 16bit unsigned
81 call: 16bit unsigned
82 proto 8bit unsigned
83
84 */
85
86 /* By default, but can be completely different */
87 #define UDP_PORT_SEBEK 1101
88
89 static int proto_sebek = -1;
90
91 static int hf_sebek_magic = -1;
92 static int hf_sebek_version = -1;
93 static int hf_sebek_type = -1;
94 static int hf_sebek_counter = -1;
95 static int hf_sebek_time = -1;
96 static int hf_sebek_pid = -1;
97 static int hf_sebek_uid = -1;
98 static int hf_sebek_fd = -1;
99 static int hf_sebek_cmd = -1;
100 static int hf_sebek_len = -1;
101 static int hf_sebek_data = -1;
102 static int hf_sebek_ppid = -1;
103 static int hf_sebek_inode = -1;
104 static int hf_sebek_socket_src_ip=-1;
105 static int hf_sebek_socket_src_port=-1;
106 static int hf_sebek_socket_dst_ip=-1;
107 static int hf_sebek_socket_dst_port=-1;
108 static int hf_sebek_socket_call=-1;
109 static int hf_sebek_socket_proto=-1;
110
111
112 static gint ett_sebek = -1;
113
114 /* dissect_sebek - dissects sebek packet data
115 * tvb - tvbuff for packet data (IN)
116 * pinfo - packet info
117 * proto_tree - resolved protocol tree
118 */
119 static int
120 dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
121 {
122 proto_tree *sebek_tree;
123 proto_item *ti;
124 int offset = 0;
125 nstime_t ts;
126 int sebek_ver = 0;
127 int sebek_type = 0;
128 int cmd_len = 0;
129
130 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");
131
132 col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
133
134 if (tvb_length(tvb)<6)
135 sebek_ver = 0;
136 else
137 sebek_ver = tvb_get_ntohs(tvb, 4);
138
139 switch (sebek_ver) {
140 case 2: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
141 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
142 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
143 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
144 break;
145 case 3: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
146 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
147 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
148 cmd_len = tvb_strnlen(tvb, 40, 12);
149 if (cmd_len<0)
150 cmd_len = 0;
151 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
152 break;
153 default:
154 break;
155 }
156
157 if (tree) {
158 /* Adding Sebek item and subtree */
159 ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, ENC_NA);
160 sebek_tree = proto_item_add_subtree(ti, ett_sebek);
161
162 /* check for minimum length before deciding where to go*/
163 if (tvb_length(tvb)<6)
164 sebek_ver = 0;
165 else
166 sebek_ver = tvb_get_ntohs(tvb, 4);
167
168 switch (sebek_ver) {
169 case 2: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
170 offset += 4;
171
172 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
173 offset += 2;
174
175 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
176 offset += 2;
177
178 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
179 offset += 4;
180
181 ts.secs = tvb_get_ntohl(tvb, offset);
182 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
183 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
184 offset += 8;
185
186 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
187 offset += 4;
188
189 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
190 offset += 4;
191
192 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
193 offset += 4;
194
195 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII|ENC_NA);
196 offset += 12;
197
198 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
199 offset += 4;
200
201 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII|ENC_NA);
202
203 break;
204
205 case 3: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
206 offset += 4;
207
208 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
209 offset += 2;
210
211 sebek_type=tvb_get_ntohs(tvb, offset);
212 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
213 offset += 2;
214
215 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
216 offset += 4;
217
218 ts.secs = tvb_get_ntohl(tvb, offset);
219 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
220 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
221 offset += 8;
222
223 proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, ENC_BIG_ENDIAN);
224 offset += 4;
225
226 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
227 offset += 4;
228
229 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
230 offset += 4;
231
232 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
233 offset += 4;
234
235 proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, ENC_BIG_ENDIAN);
236 offset += 4;
237
238 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII|ENC_NA);
239 offset += 12;
240
241 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
242 offset += 4;
243
244 if (sebek_type == 2) {
245 /*data is socket data, process accordingly*/
246 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
247 offset += 4;
248 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, ENC_BIG_ENDIAN);
249 offset += 2;
250 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
251 offset += 4;
252 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, ENC_BIG_ENDIAN);
253 offset += 2;
254 proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, ENC_BIG_ENDIAN);
255 offset += 2;
256 proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, ENC_BIG_ENDIAN);
257 offset += 1;
258 } else {
259 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII|ENC_NA);
260 }
261
262 break;
263
264 default:
265 break;
266
267 }
268 }
269 return offset;
270 }
271
272 void
273 proto_register_sebek(void)
274 {
275 static hf_register_info hf[] = {
276 { &hf_sebek_magic, {
277 "Magic", "sebek.magic", FT_UINT32, BASE_HEX,
278 NULL, 0, "Magic Number", HFILL }},
279 { &hf_sebek_version, {
280 "Version", "sebek.version", FT_UINT16, BASE_DEC,
281 NULL, 0, "Version Number", HFILL }},
282 { &hf_sebek_type, {
283 "Type", "sebek.type", FT_UINT16, BASE_DEC,
284 NULL, 0, NULL, HFILL }},
285 { &hf_sebek_counter, {
286 "Counter", "sebek.counter", FT_UINT32, BASE_DEC,
287 NULL, 0, NULL, HFILL }},
288 { &hf_sebek_time, {
289 "Time", "sebek.time.sec", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
290 NULL, 0, NULL, HFILL }},
291 { &hf_sebek_pid, {
292 "Process ID", "sebek.pid", FT_UINT32, BASE_DEC,
293 NULL, 0, NULL, HFILL }},
294 { &hf_sebek_uid, {
295 "User ID", "sebek.uid", FT_UINT32, BASE_DEC,
296 NULL, 0, NULL, HFILL }},
297 { &hf_sebek_fd, {
298 "File Descriptor", "sebek.fd", FT_UINT32, BASE_DEC,
299 NULL, 0, "File Descriptor Number", HFILL }},
300 { &hf_sebek_cmd, {
301 "Command Name", "sebek.cmd", FT_STRING, BASE_NONE,
302 NULL, 0, NULL, HFILL }},
303 { &hf_sebek_len, {
304 "Data Length", "sebek.len", FT_UINT32, BASE_DEC,
305 NULL, 0, NULL, HFILL }},
306 { &hf_sebek_ppid, {
307 "Parent Process ID", "sebek.ppid", FT_UINT32, BASE_DEC,
308 NULL, 0, "Process ID", HFILL }},
309 { &hf_sebek_inode, {
310 "Inode ID", "sebek.inode", FT_UINT32, BASE_DEC,
311 NULL, 0, "Process ID", HFILL }},
312 { &hf_sebek_data, {
313 "Data", "sebek.data", FT_STRING, BASE_NONE,
314 NULL, 0, NULL, HFILL }},
315 { &hf_sebek_socket_src_ip, {
316 "Socket.local_ip", "sebek.socket.src_ip", FT_IPv4, BASE_NONE,
317 NULL, 0, "Socket.src_ip", HFILL }},
318 { &hf_sebek_socket_src_port, {
319 "Socket.local_port", "sebek.socket.src_port", FT_UINT16, BASE_DEC,
320 NULL, 0, "Socket.src_port", HFILL }},
321 { &hf_sebek_socket_dst_ip, {
322 "Socket.remote_ip", "sebek.socket.dst_ip", FT_IPv4, BASE_NONE,
323 NULL, 0, "Socket.dst_ip", HFILL }},
324 { &hf_sebek_socket_dst_port, {
325 "Socket.remote_port", "sebek.socket.dst_port", FT_UINT16, BASE_DEC,
326 NULL, 0, "Socket.dst_port", HFILL }},
327 { &hf_sebek_socket_call, {
328 "Socket.Call_id", "sebek.socket.call", FT_UINT16, BASE_DEC,
329 NULL, 0, "Socket.call", HFILL }},
330 { &hf_sebek_socket_proto, {
331 "Socket.ip_proto", "sebek.socket.ip_proto", FT_UINT8, BASE_DEC,
332 NULL, 0, NULL, HFILL }}
333 };
334 static gint *ett[] = {
335 &ett_sebek
336 };
337
338 proto_sebek = proto_register_protocol("SEBEK - Kernel Data Capture", "SEBEK", "sebek");
339 proto_register_field_array(proto_sebek, hf, array_length(hf));
340 proto_register_subtree_array(ett, array_length(ett));
341 }
342
343 void
344 proto_reg_handoff_sebek(void)
345 {
346 dissector_handle_t sebek_handle;
347
348 sebek_handle = new_create_dissector_handle(dissect_sebek, proto_sebek);
349 dissector_add_uint("udp.port", UDP_PORT_SEBEK, sebek_handle);
350 }