1 | /* |
---|
2 | * This file is part of libtrace |
---|
3 | * |
---|
4 | * Copyright (c) 2007,2008,2009,2010 The University of Waikato, Hamilton, |
---|
5 | * New Zealand. |
---|
6 | * |
---|
7 | * Authors: Daniel Lawson |
---|
8 | * Perry Lorier |
---|
9 | * Shane Alcock |
---|
10 | * |
---|
11 | * All rights reserved. |
---|
12 | * |
---|
13 | * This code has been developed by the University of Waikato WAND |
---|
14 | * research group. For further information please see http://www.wand.net.nz/ |
---|
15 | * |
---|
16 | * libtrace is free software; you can redistribute it and/or modify |
---|
17 | * it under the terms of the GNU General Public License as published by |
---|
18 | * the Free Software Foundation; either version 2 of the License, or |
---|
19 | * (at your option) any later version. |
---|
20 | * |
---|
21 | * libtrace is distributed in the hope that it will be useful, |
---|
22 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
23 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
24 | * GNU General Public License for more details. |
---|
25 | * |
---|
26 | * You should have received a copy of the GNU General Public License |
---|
27 | * along with libtrace; if not, write to the Free Software |
---|
28 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
---|
29 | * |
---|
30 | * $Id$ |
---|
31 | * |
---|
32 | */ |
---|
33 | |
---|
34 | |
---|
35 | #include "libtrace.h" |
---|
36 | #include "protocols.h" |
---|
37 | #include <assert.h> |
---|
38 | #include <stdlib.h> |
---|
39 | #include <stdio.h> // fprintf |
---|
40 | |
---|
41 | /* This file contains all the protocol decoding functions for transport layer |
---|
42 | * protocols. This includes functions for access port numbers. |
---|
43 | * |
---|
44 | * Supported protocols include (but are not limited to): |
---|
45 | * TCP |
---|
46 | * UDP |
---|
47 | * ICMP |
---|
48 | */ |
---|
49 | |
---|
50 | /* Get the size of the payload as it was in the original packet, i.e. prior |
---|
51 | * to any truncation. |
---|
52 | * |
---|
53 | * Basically, wire length minus the packet headers. |
---|
54 | * |
---|
55 | * Currently only supports IP (v4 and v6) and TCP, UDP and ICMP. Will return |
---|
56 | * 0 if an unsupported protocol header is encountered, or if one of the |
---|
57 | * headers is truncated. |
---|
58 | */ |
---|
59 | DLLEXPORT size_t trace_get_payload_length(const libtrace_packet_t *packet) { |
---|
60 | |
---|
61 | void *layer; |
---|
62 | uint16_t ethertype; |
---|
63 | uint8_t proto; |
---|
64 | uint32_t rem; |
---|
65 | libtrace_ip_t *ip; |
---|
66 | libtrace_ip6_t *ip6; |
---|
67 | libtrace_tcp_t *tcp; |
---|
68 | size_t len = 0; |
---|
69 | |
---|
70 | |
---|
71 | |
---|
72 | layer = trace_get_layer3(packet, ðertype, &rem); |
---|
73 | |
---|
74 | if (!layer) |
---|
75 | return 0; |
---|
76 | switch (ethertype) { |
---|
77 | case TRACE_ETHERTYPE_IP: |
---|
78 | ip = (libtrace_ip_t *)layer; |
---|
79 | if (rem < sizeof(libtrace_ip_t)) |
---|
80 | return 0; |
---|
81 | len = ntohs(ip->ip_len) - (4 * ip->ip_hl); |
---|
82 | |
---|
83 | /* Deal with v6 within v4 */ |
---|
84 | if (ip->ip_p == TRACE_IPPROTO_IPV6) |
---|
85 | len -= sizeof(libtrace_ip6_t); |
---|
86 | |
---|
87 | break; |
---|
88 | case TRACE_ETHERTYPE_IPV6: |
---|
89 | ip6 = (libtrace_ip6_t *)layer; |
---|
90 | if (rem < sizeof(libtrace_ip6_t)) |
---|
91 | return 0; |
---|
92 | len = ntohs(ip6->plen); |
---|
93 | break; |
---|
94 | default: |
---|
95 | return 0; |
---|
96 | } |
---|
97 | |
---|
98 | layer = trace_get_transport(packet, &proto, &rem); |
---|
99 | if (!layer) |
---|
100 | return 0; |
---|
101 | |
---|
102 | switch(proto) { |
---|
103 | case TRACE_IPPROTO_TCP: |
---|
104 | if (rem < sizeof(libtrace_tcp_t)) |
---|
105 | return 0; |
---|
106 | tcp = (libtrace_tcp_t *)layer; |
---|
107 | len -= (4 * tcp->doff); |
---|
108 | break; |
---|
109 | case TRACE_IPPROTO_UDP: |
---|
110 | len -= sizeof(libtrace_udp_t); |
---|
111 | break; |
---|
112 | case TRACE_IPPROTO_ICMP: |
---|
113 | len -= sizeof(libtrace_icmp_t); |
---|
114 | break; |
---|
115 | |
---|
116 | default: |
---|
117 | return 0; |
---|
118 | } |
---|
119 | |
---|
120 | return len; |
---|
121 | |
---|
122 | } |
---|
123 | |
---|
124 | DLLEXPORT void *trace_get_transport(const libtrace_packet_t *packet, |
---|
125 | uint8_t *proto, |
---|
126 | uint32_t *remaining |
---|
127 | ) |
---|
128 | { |
---|
129 | uint8_t dummy_proto; |
---|
130 | uint16_t ethertype; |
---|
131 | uint32_t dummy_remaining; |
---|
132 | void *transport; |
---|
133 | |
---|
134 | if (!proto) proto=&dummy_proto; |
---|
135 | |
---|
136 | if (!remaining) remaining=&dummy_remaining; |
---|
137 | |
---|
138 | transport = trace_get_layer3(packet,ðertype,remaining); |
---|
139 | |
---|
140 | if (!transport || *remaining == 0) |
---|
141 | return NULL; |
---|
142 | |
---|
143 | switch (ethertype) { |
---|
144 | case TRACE_ETHERTYPE_IP: /* IPv4 */ |
---|
145 | transport=trace_get_payload_from_ip( |
---|
146 | (libtrace_ip_t*)transport, proto, remaining); |
---|
147 | /* IPv6 */ |
---|
148 | if (transport && *proto == TRACE_IPPROTO_IPV6) { |
---|
149 | transport=trace_get_payload_from_ip6( |
---|
150 | (libtrace_ip6_t*)transport, proto,remaining); |
---|
151 | } |
---|
152 | return transport; |
---|
153 | case TRACE_ETHERTYPE_IPV6: /* IPv6 */ |
---|
154 | return trace_get_payload_from_ip6( |
---|
155 | (libtrace_ip6_t*)transport, proto, remaining); |
---|
156 | |
---|
157 | } |
---|
158 | |
---|
159 | *proto=0; |
---|
160 | return NULL; |
---|
161 | } |
---|
162 | |
---|
163 | DLLEXPORT libtrace_tcp_t *trace_get_tcp(libtrace_packet_t *packet) { |
---|
164 | uint8_t proto; |
---|
165 | uint32_t rem = 0; |
---|
166 | libtrace_tcp_t *tcp; |
---|
167 | |
---|
168 | tcp=(libtrace_tcp_t*)trace_get_transport(packet,&proto,&rem); |
---|
169 | |
---|
170 | if (!tcp || proto != TRACE_IPPROTO_TCP) |
---|
171 | return NULL; |
---|
172 | |
---|
173 | /* We should return NULL if there isn't a full TCP header, because the |
---|
174 | * caller has no way of telling how much of a TCP header we have |
---|
175 | * returned - use trace_get_transport() if you want to deal with |
---|
176 | * partial headers |
---|
177 | * |
---|
178 | * NOTE: We're not going to insist that all the TCP options are present |
---|
179 | * as well, because lots of traces are snapped after 20 bytes of TCP |
---|
180 | * header and I don't really want to break libtrace programs that |
---|
181 | * use this function to process those traces */ |
---|
182 | |
---|
183 | if (rem < sizeof(libtrace_tcp_t)) |
---|
184 | return NULL; |
---|
185 | |
---|
186 | return (libtrace_tcp_t*)tcp; |
---|
187 | } |
---|
188 | |
---|
189 | DLLEXPORT libtrace_tcp_t *trace_get_tcp_from_ip(libtrace_ip_t *ip, uint32_t *remaining) |
---|
190 | { |
---|
191 | libtrace_tcp_t *tcpptr = 0; |
---|
192 | |
---|
193 | if (ip->ip_p == TRACE_IPPROTO_TCP) { |
---|
194 | tcpptr = (libtrace_tcp_t *) |
---|
195 | trace_get_payload_from_ip(ip, NULL, remaining); |
---|
196 | } |
---|
197 | |
---|
198 | return tcpptr; |
---|
199 | } |
---|
200 | |
---|
201 | DLLEXPORT libtrace_udp_t *trace_get_udp(libtrace_packet_t *packet) { |
---|
202 | uint8_t proto; |
---|
203 | uint32_t rem = 0; |
---|
204 | libtrace_udp_t *udp; |
---|
205 | |
---|
206 | udp=(libtrace_udp_t*)trace_get_transport(packet,&proto,&rem); |
---|
207 | |
---|
208 | if (!udp || proto != TRACE_IPPROTO_UDP) |
---|
209 | return NULL; |
---|
210 | |
---|
211 | /* Make sure we return a full UDP header as the caller has no way of |
---|
212 | * telling how much of the packet is remaining */ |
---|
213 | if (rem < sizeof(libtrace_udp_t)) |
---|
214 | return NULL; |
---|
215 | |
---|
216 | return udp; |
---|
217 | } |
---|
218 | |
---|
219 | DLLEXPORT libtrace_udp_t *trace_get_udp_from_ip(libtrace_ip_t *ip, uint32_t *remaining) |
---|
220 | { |
---|
221 | libtrace_udp_t *udpptr = 0; |
---|
222 | |
---|
223 | if (ip->ip_p == TRACE_IPPROTO_UDP) { |
---|
224 | udpptr = (libtrace_udp_t *) |
---|
225 | trace_get_payload_from_ip(ip, NULL, remaining); |
---|
226 | } |
---|
227 | |
---|
228 | return udpptr; |
---|
229 | } |
---|
230 | |
---|
231 | DLLEXPORT libtrace_icmp_t *trace_get_icmp(libtrace_packet_t *packet) { |
---|
232 | uint8_t proto; |
---|
233 | uint32_t rem = 0; |
---|
234 | libtrace_icmp_t *icmp; |
---|
235 | |
---|
236 | icmp=(libtrace_icmp_t*)trace_get_transport(packet,&proto,&rem); |
---|
237 | |
---|
238 | if (!icmp || proto != TRACE_IPPROTO_ICMP) |
---|
239 | return NULL; |
---|
240 | |
---|
241 | /* Make sure we return a full ICMP header as the caller has no way of |
---|
242 | * telling how much of the packet is remaining */ |
---|
243 | if (rem < sizeof(libtrace_icmp_t)) |
---|
244 | return NULL; |
---|
245 | |
---|
246 | return icmp; |
---|
247 | } |
---|
248 | |
---|
249 | DLLEXPORT libtrace_icmp_t *trace_get_icmp_from_ip(libtrace_ip_t *ip, uint32_t *remaining) |
---|
250 | { |
---|
251 | libtrace_icmp_t *icmpptr = 0; |
---|
252 | |
---|
253 | if (ip->ip_p == TRACE_IPPROTO_ICMP) { |
---|
254 | icmpptr = (libtrace_icmp_t *)trace_get_payload_from_ip(ip, |
---|
255 | NULL, remaining); |
---|
256 | } |
---|
257 | |
---|
258 | return icmpptr; |
---|
259 | } |
---|
260 | |
---|
261 | DLLEXPORT void *trace_get_payload_from_udp(libtrace_udp_t *udp, uint32_t *remaining) |
---|
262 | { |
---|
263 | if (remaining) { |
---|
264 | if (*remaining < sizeof(libtrace_udp_t)) { |
---|
265 | *remaining = 0; |
---|
266 | return NULL; |
---|
267 | } |
---|
268 | *remaining-=sizeof(libtrace_udp_t); |
---|
269 | } |
---|
270 | return (void*)((char*)udp+sizeof(libtrace_udp_t)); |
---|
271 | } |
---|
272 | |
---|
273 | DLLEXPORT void *trace_get_payload_from_tcp(libtrace_tcp_t *tcp, uint32_t *remaining) |
---|
274 | { |
---|
275 | unsigned int dlen = tcp->doff*4; |
---|
276 | if (remaining) { |
---|
277 | if (*remaining < dlen) { |
---|
278 | *remaining = 0; |
---|
279 | return NULL; |
---|
280 | } |
---|
281 | *remaining-=dlen; |
---|
282 | } |
---|
283 | return (void *)((char *)tcp+dlen); |
---|
284 | } |
---|
285 | |
---|
286 | DLLEXPORT void *trace_get_payload_from_icmp(libtrace_icmp_t *icmp, uint32_t *remaining) |
---|
287 | { |
---|
288 | if (remaining) { |
---|
289 | if (*remaining < sizeof(libtrace_icmp_t)) { |
---|
290 | *remaining = 0; |
---|
291 | return NULL; |
---|
292 | } |
---|
293 | *remaining-=sizeof(libtrace_icmp_t); |
---|
294 | } |
---|
295 | return (char*)icmp+sizeof(libtrace_icmp_t); |
---|
296 | } |
---|
297 | |
---|
298 | /* Return the source port |
---|
299 | */ |
---|
300 | DLLEXPORT uint16_t trace_get_source_port(const libtrace_packet_t *packet) |
---|
301 | { |
---|
302 | uint32_t remaining; |
---|
303 | uint8_t proto; |
---|
304 | const struct ports_t *port = |
---|
305 | (const struct ports_t*)trace_get_transport((libtrace_packet_t*)packet, |
---|
306 | &proto, &remaining); |
---|
307 | |
---|
308 | /* Snapped too early */ |
---|
309 | if (remaining<2) |
---|
310 | return 0; |
---|
311 | |
---|
312 | /* ICMP *technically* doesn't have ports */ |
---|
313 | if (proto == TRACE_IPPROTO_ICMP) |
---|
314 | return 0; |
---|
315 | |
---|
316 | if (port) |
---|
317 | return ntohs(port->src); |
---|
318 | else |
---|
319 | return 0; |
---|
320 | } |
---|
321 | |
---|
322 | /* Same as get_source_port except use the destination port */ |
---|
323 | DLLEXPORT uint16_t trace_get_destination_port(const libtrace_packet_t *packet) |
---|
324 | { |
---|
325 | uint32_t remaining; |
---|
326 | uint8_t proto; |
---|
327 | struct ports_t *port = |
---|
328 | (struct ports_t*)trace_get_transport((libtrace_packet_t*)packet, |
---|
329 | &proto, &remaining); |
---|
330 | /* Snapped too early */ |
---|
331 | if (remaining<4) |
---|
332 | return 0; |
---|
333 | |
---|
334 | /* ICMP *technically* doesn't have ports */ |
---|
335 | if (proto == TRACE_IPPROTO_ICMP) |
---|
336 | return 0; |
---|
337 | |
---|
338 | if (port) |
---|
339 | return ntohs(port->dst); |
---|
340 | else |
---|
341 | return 0; |
---|
342 | } |
---|
343 | |
---|
344 | |
---|