diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_auth.c argus-2.0.6.fixes.1/common/argus_auth.c
--- argus-2.0.6.fixes.1.orig/common/argus_auth.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_auth.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,569 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 2000 Carnegie Mellon University. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name "Carnegie Mellon University" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For permission or any other legal
- * details, please contact
- * Office of Technology Transfer
- * Carnegie Mellon University
- * 5000 Forbes Avenue
- * Pittsburgh, PA 15213-3890
- * (412) 268-4387, fax: (412) 268-7395
- * tech-transfer@andrew.cmu.edu
- *
- * 4.
Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by Computing Services
- * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
- * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Modified by Carter Bullard
- * QoSient, LLC
- *
- */
-
-
-#ifndef ArgusAuth
-#define ArgusAuth
-#endif
-
-#include
-#include
-
-#include
-#include
-
-#ifdef ARGUS_SASL
-
-#include
-#include
-#include
-
-#endif /* ARGUS_SASL */
-
-#include
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-
-extern void ArgusLog (int, char *, ...);
-
-int ArgusInitializeAuthentication (struct ARGUS_INPUT *);
-int ArgusAuthenticate (struct ARGUS_INPUT *);
-
-#ifdef ARGUS_SASL
-
-static int RaGetRealm(void *context, int, const char **, const char **);
-static int RaSimple(void *context, int, const char **, unsigned *);
-static int RaGetSecret(sasl_conn_t *, void *context, int, sasl_secret_t **);
-
-int RaSaslNegotiate(FILE *, FILE *, sasl_conn_t *);
-int RaGetSaslString (FILE *, char *, int);
-int RaSendSaslString (FILE *, const char *, int);
-
-/* RaCallBacks we support */
-
-static sasl_callback_t RaCallBacks[] = {
- { SASL_CB_GETREALM, &RaGetRealm, NULL },
- { SASL_CB_USER, &RaSimple, NULL },
- { SASL_CB_AUTHNAME, &RaSimple, NULL },
- { SASL_CB_PASS, &RaGetSecret, NULL },
- { SASL_CB_LIST_END, NULL, NULL }
-};
-
-char *RaSaslMech = NULL;
-
-#endif
-
-
-#if defined(HAVE_SOLARIS)
-extern int getdomainname(char *name, size_t len);
-#endif - - -int -ArgusInitializeAuthentication (struct ARGUS_INPUT *input) -{ - int retn = 1; - -#ifdef ARGUS_SASL - struct sockaddr_in localaddr, remoteaddr; - int salen, fd = input->fd; - char *localhostname = NULL; - - if ((retn = sasl_client_init(RaCallBacks)) != SASL_OK) - ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_init %d", retn); - - localhostname = ArgusCalloc (1, 1024); - gethostname(localhostname, 1024); - if (!strchr (localhostname, '.')) { - strcat (localhostname, "."); - getdomainname (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname)); - } - - if ((retn = sasl_client_new("argus", localhostname, NULL, SASL_SECURITY_LAYER, &input->sasl_conn)) != SASL_OK) - ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_new %d", retn); - - /* set external properties here - sasl_setprop(input->sasl_conn, SASL_SSF_EXTERNAL, &extprops); */ - - /* set required security properties here - sasl_setprop(input->sasl_conn, SASL_SEC_PROPS, &secprops); */ - - /* set ip addresses */ - salen = sizeof(localaddr); - if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) < 0) - perror("getsockname"); - - salen = sizeof(remoteaddr); - if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) < 0) - perror("getpeername"); - - if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_LOCAL, &localaddr)) != SASL_OK) - ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting localaddr %d", retn); - - if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_REMOTE, &remoteaddr)) != SASL_OK) - ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting remoteaddr %d", retn); - - retn = 1; -#endif - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusInitializeAuthentication () returning %d\n", retn); -#endif - - return (retn); -} - - -int -ArgusAuthenticate (struct ARGUS_INPUT *input) -{ - int retn = 0; - - if (ArgusInitializeAuthentication(input)) { -#ifdef ARGUS_SASL - int fd = input->fd; - - if ((input->in = fdopen(fd, "r")) == NULL) - 
ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen in failed %s", strerror(errno)); - - if ((input->out = fdopen(fd, "w")) == NULL) - ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen out failed %s", strerror(errno)); - - if ((retn = RaSaslNegotiate(input->in, input->out, input->sasl_conn)) == SASL_OK) - retn = 1; - else - retn = 0; -#endif - } - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusAuthenticate (0x%x) returning %d\n", input, retn); -#endif - - return (retn); -} - - -#ifdef ARGUS_SASL - -static void RaChop (char *s) /* remove \r\n at end of the line */ -{ - char *p; - - assert(s); - - p = s + strlen(s) - 1; - if (p[0] == '\n') - *p-- = '\0'; - - if (p >= s && p[0] == '\r') - *p-- = '\0'; -} - -static int -RaGetRealm(void *context __attribute__((unused)), int id, - const char **availrealms, const char **result) -{ - static char buf[1024]; - - if (id != SASL_CB_GETREALM) - return SASL_BADPARAM; - - if (!result) - return SASL_BADPARAM; - - printf("please choose a realm (available:"); - while (*availrealms) { - printf(" %s", *availrealms); - availrealms++; - } - printf("): "); - - fgets(buf, sizeof buf, stdin); - RaChop(buf); - *result = buf; - - return SASL_OK; -} - -static char RaSimpleBuf[1024]; - -static int -RaSimple(void *context __attribute__((unused)), int id, - const char **result, unsigned *len) -{ - char *ptr = NULL; - - if (! 
result) - return SASL_BADPARAM; - - switch (id) { - case SASL_CB_USER: - if (ustr == NULL) { - printf("please enter an authorization id: "); - fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); - - } else { - if ((ptr = strchr(ustr, '/')) != NULL) - *ptr = '\0'; - - sprintf (RaSimpleBuf, "%s", ustr); - if (ptr) - *ptr = '/'; - } - - break; - - case SASL_CB_AUTHNAME: - if (ustr != NULL) - if ((ptr = strchr(ustr, '/')) != NULL) - ptr++; - - if (ptr == NULL) { - printf("please enter an authentication id: "); - fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); - } else - sprintf (RaSimpleBuf, "%s", ptr); - - break; - - default: - return SASL_BADPARAM; - } - - RaChop(RaSimpleBuf); - *result = RaSimpleBuf; - - if (len) - *len = strlen(RaSimpleBuf); - - return SASL_OK; -} - -#ifndef HAVE_GETPASSPHRASE -char * -getpassphrase(const char *prompt) -{ - return getpass(prompt); -} -#endif - -static int -RaGetSecret(sasl_conn_t *conn, void *context __attribute__((unused)), - int id, sasl_secret_t **psecret) -{ - char *password; - size_t len; - static sasl_secret_t *x; - - if (! conn || ! psecret || id != SASL_CB_PASS) - return SASL_BADPARAM; - - if (pstr != NULL) - password = pstr; - else - password = getpassphrase("Password: "); - - if (! password) - return SASL_FAIL; - - len = strlen(password); - - x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len); - - if (!x) { - memset(password, 0, len); - return SASL_NOMEM; - } - - x->len = len; - strcpy(x->data, password); - memset(password, 0, len); - - *psecret = x; - return SASL_OK; -} - - -int -RaSaslNegotiate(FILE *in, FILE *out, sasl_conn_t *conn) -{ - int retn = 0; - char buf[8192]; - char *data; - const char *chosenmech; - int len, c; - -#ifdef ARGUSDEBUG - ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) receiving capability list... 
", in, out, conn); -#endif - - if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) - ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) error %s\n", in, buf, sizeof(buf), strerror(errno)); - - if (RaSaslMech) { - /* make sure that 'RaSaslMech' appears in 'buf' */ - if (!strstr(buf, RaSaslMech)) { - printf("server doesn't offer mandatory mech '%s'\n", RaSaslMech); - return 0; - } - } else - RaSaslMech = buf; - -#ifdef ARGUSDEBUG - ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) calling sasl_client_start()", in, out, conn); -#endif - - retn = sasl_client_start(conn, RaSaslMech, NULL, NULL, &data, &len, &chosenmech); - - if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { - fputc ('N', out); - fflush(out); - ArgusLog (LOG_ERR, "RaSaslNegotiate: error starting SASL negotiation"); - } - - if (retn == SASL_INTERACT) - ArgusLog (LOG_ERR, "RaSaslNegotiate: returned SASL_INTERACT\n"); - -#ifdef ARGUSDEBUG - ArgusDebug (1, "RaSaslNegotiate: using mechanism %s\n", chosenmech); -#endif - - /* we send two strings; the mechanism chosen and the initial response */ - - RaSendSaslString(out, chosenmech, strlen(chosenmech)); - RaSendSaslString(out, data, len); - - for (;;) { -#ifdef ARGUSDEBUG - ArgusDebug (2, "waiting for server reply...\n"); -#endif - - switch (c = fgetc(in)) { - case 'O': - goto done_ok; - - case 'N': - goto done_no; - - case 'C': /* continue authentication */ - break; - - default: - printf("bad protocol from server (%c %x)\n", c, c); - return 0; - } - - if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) - ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) returned %d\n", in, buf, sizeof(buf), len); - - retn = sasl_client_step(conn, buf, len, NULL, &data, &len); - - if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { - fputc ('N', out); - fflush(out); - ArgusLog (LOG_ERR, "RaSaslNegotiate: error performing SASL negotiation"); - } - - if (data) { - -#ifdef ARGUSDEBUG - ArgusDebug (2, "sending response length %d...\n", 
len); -#endif - - RaSendSaslString(out, data, len); - free(data); - } else { - -#ifdef ARGUSDEBUG - ArgusDebug (2, "sending null response...\n"); -#endif - - RaSendSaslString(out, "", 0); - } - } - - done_ok: -#ifdef ARGUSDEBUG - ArgusDebug (1, "successful authentication"); -#endif - return SASL_OK; - - done_no: -#ifdef ARGUSDEBUG - ArgusDebug (1, "authentication failed"); -#endif - return -1; -} - - -/* send/recv library for IMAP4 style literals. */ - -int -RaSendSaslString (FILE *f, const char *s, int l) -{ - char saslbuf[MAXSTRLEN]; - int len, al = 0; - - bzero (saslbuf, MAXSTRLEN); - - sprintf(saslbuf, "{%d}\r\n", l); - len = strlen(saslbuf); - - bcopy (s, &saslbuf[len], l); - len += l; - - al = fwrite(saslbuf, 1, len, f); - fflush(f); - -#ifdef ARGUSDEBUG - ArgusDebug (3, "ArgusSendSaslString(0x%x, 0x%x, %d)\n", f, s, l); - s = saslbuf; - if (3 <= Argusdflag) { - while (len--) { - if (isprint((int)((unsigned char) *s))) { - printf("%c ", *s); - } else { - printf("%x ", (unsigned char) *s); - } - s++; - } - printf("\n"); - } -#endif - - return al; -} - -int -RaGetSaslString (FILE *f, char *buf, int buflen) -{ - int c, len, l; - char *s; - - if ((c = fgetc(f)) != '{') - return -1; - - /* read length */ - len = 0; - c = fgetc(f); - while (isdigit(c)) { - len = len * 10 + (c - '0'); - c = fgetc(f); - } - if (c != '}') - return -1; - - if ((c = fgetc(f)) != '\r') - return -1; - - if ((c = fgetc(f)) != '\n') - return -1; - - /* read string */ - if (buflen <= len) { - fread(buf, buflen - 1, 1, f); - buf[buflen - 1] = '\0'; - /* discard oversized string */ - len -= buflen - 1; - while (len--) - (void)fgetc(f); - len = buflen - 1; - } else { - fread(buf, len, 1, f); - buf[len] = '\0'; - } - - l = len; - s = buf; - -#ifdef ARGUSDEBUG - ArgusDebug (3, "ArgusGetSaslString(0x%x, 0x%x, %d)\n", f, s, l); - if (3 <= Argusdflag) { - while (l--) { - if (isprint((int)((unsigned char) *s))) { - printf("%c ", *s); - } else { - printf("%X ", (unsigned char) *s); - } - s++; - } - 
printf("\n");
- }
-#endif
-
- return len;
-}
-
-#endif
diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_parse.c argus-2.0.6.fixes.1/common/argus_parse.c
--- argus-2.0.6.fixes.1.orig/common/argus_parse.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_parse.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,3550 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 1993, 1994 Carnegie Mellon University.
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software and
- * its documentation for any purpose and without fee is hereby granted,
- * provided that the above copyright notice appear in all copies and
- * that both that copyright notice and this permission notice appear
- * in supporting documentation, and that the name of CMU not be
- * used in advertising or publicity pertaining to distribution of the
- * software without specific, written prior permission.
- *
- * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
- * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
- * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
- * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
- * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
- * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- *
- */
-
-/*
- * argus_parse - parse argus output.
- * this module performs all the argus(1) related connection parsing,
- * selects datum from a set of criteria, and then calls specific
- * protocol dependant routines, depending on the selected datum.
- * at the end of processing, argus_parse calls an application
- * specific finish routine, RaParseComplete(), and when
- * connected to a remote data source, it supplies a periodic
- * timeout routine;
- *
- * this module defines all things, except:
- *
- * (void) usage ((char *) argv[0]);
- * this routine should print the standard usage message
- * for the specific application.
- *
- * ArgusClientInit (); this is the application specific init
- * routine, which is called after all parsing
- * initialization is done, prior to reading the
- * first monitor(1) datum.
- *
- * (void) ArgusClientTimeout ();
- * this routine is called every second, when
- * argus_parse is connected to a remote data source.
- *
- * process_man ((struct ArgusRecord *) ptr);
- * this routine should process management control events;
- *
- * process_tcp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_udp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_icmp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_ip ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_arp ((struct ArgusRecord *) ptr);
- * this routine should process arp events;
- *
- * process_non_ip ((struct ArgusRecord *) ptr);
- * this routine should process all other events;
- *
- * (void) RaParseComplete (0);
- * this routine will be called after all the
- * monitor data has been read.
- * - * - * written by Carter Bullard - * QoSient, LLC - * - */ - - -#define ArgusParse - -#include -#include -#include - -#if defined(CYGWIN) -#include -#endif - -#include -#include -#include - -#include -#include - -#include - -#include -#include - - -int ArgusParseResourceFile (char *); -unsigned char *ArgusRemoteFilter = NULL; - -extern void ArgusLog (int, char *, ...); - -int ArgusParseInit = 0; - -extern void ArgusClientTimeout (void); - -#define ARGUS_READINGPREHDR 1 -#define ARGUS_READINGHDR 2 -#define ARGUS_READINGBLOCK 4 - -void -argus_parse_init (struct ARGUS_INPUT *input) -{ - char errbuf[MAXSTRLEN]; - char *device = NULL; - struct tm *tm; - struct argtimeval tvpbuf, *tvp = &tvpbuf; - unsigned int net, mask; - int i, fd = 0; - - if (input != NULL) - fd = input->fd; - - if (initCon) { - input->ArgusLocalNet = htonl(initCon->argus_mar.localnet); - input->ArgusNetMask = htonl(initCon->argus_mar.netmask); - - if (tflag && timearg) { - tvp->tv_sec = ntohl(initCon->argus_mar.now.tv_sec); - tm = localtime((time_t *) &tvp->tv_sec); - if (check_time_format (tm, timearg)) - ArgusLog (LOG_ERR, "time syntax error %s\n", timearg); - } - - } else { - if ((device = argus_lookupdev (errbuf)) != NULL) { - argus_lookupnet(device, &net, &mask, errbuf); - input->ArgusLocalNet = net; - input->ArgusNetMask = mask; - } - } - - if ((input->ArgusReadBuffer = (unsigned char *)ArgusCalloc (1, MAXSTRLEN)) == NULL) - ArgusLog (LOG_ERR, "ArgusCalloc error %s\n", strerror(errno)); - - if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXSTRLEN)) == NULL) - ArgusLog (LOG_ERR, "ArgusCalloc error %s\n", strerror(errno)); - - input->ArgusReadPtr = input->ArgusReadBuffer; - input->ArgusConvPtr = input->ArgusConvBuffer; - - if (Cflag) { - input->ArgusReadSocketState = ARGUS_READINGPREHDR; -/* - input->ArgusReadSize = k_maxFlowPacketSize; -*/ - input->ArgusReadSize = 4; - - } else { - if (major_version > 1) - input->ArgusReadSocketState = ARGUS_READINGHDR; - else { - 
input->ArgusReadSocketState = ARGUS_READINGBLOCK; - input->ArgusReadSize = 60; - } - } - - input->ArgusReadSocketSize = (input->ArgusReadSize < 0) ? - sizeof(struct ArgusRecordHeader) : input->ArgusReadSize; - - if (!ArgusParseInit++) - for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) - ArgusRemoteFDs[i] = NULL; - -#ifdef ARGUSDEBUG - ArgusDebug (1, "ArgusParseInit (0x%x) returning\n", input); -#endif -} - - - -int ArgusPortNum = 0; -char *getoptStr = "aAbB:cCd:D:E:e:f:F:gGhHiIL:lmM:nN:p:P:qr:RS:s:t:T:uU:vVw:zZ:"; - -#define RaEnvItems 2 - -char *RaResourceEnvStr [] = { - "HOME", - "ARGUSHOME", -}; - - -int -main (int argc, char **argv) -{ - int i, cc, op, retn = 0, fd = 0, Scmdline = 0, rcmdline = 0; - char *cmdbuf = NULL, *infile = NULL; - char *envstr = NULL, *homepath = NULL; - struct stat statbuf; - static char path[MAXPATHNAMELEN]; - struct timeval now; - struct timezone tz; - extern char *optarg; - extern int optind, opterr; - - opterr = 0; - - for (i = 0, cc = 0; i < argc; i++) - cc += strlen(argv[i]); - - if (cc > 0) { - int len = cc + (argc + 1); - - if ((cmdline = (char *) ArgusCalloc (len, sizeof(char))) != NULL) { - for (i = 0, *cmdline = '\0'; i < argc; i++) { - strcat (cmdline, argv[i]); - strcat (cmdline, " "); - } - } else - ArgusLog (LOG_ERR, "ArgusCalloc(%d, %d) failed %s\n", len, sizeof(char), strerror(errno)); - } - - if (strchr (argv[0], '/')) - argv[0] = strrchr(argv[0], '/') + 1; - - if (gettimeofday(&now, &tz) < 0) - error("gettimeofday"); - - ArgusGlobalTime = now; - ArgusNowTime = now; - - thiszone = tz.tz_minuteswest * -60; - - if ((RaTmStruct = localtime ((time_t *)&now.tv_sec))) { - if (RaTmStruct->tm_isdst) - thiszone += 3600; - } else { - fprintf (stderr, "%s: localtime: error %s \n", *argv, strerror(errno)); - exit (1); - } - - ArgusProgramName = argv[0]; - - snprintf (path, MAXPATHNAMELEN - 1, "/etc/ra.conf"); - - if (stat (path, &statbuf) == 0) - ArgusParseResourceFile (path); - - if ((homepath = getenv("ARGUSHOME")) != NULL) { - 
snprintf (path, MAXPATHNAMELEN - 1, "%s/ra.conf", homepath); - if (stat (path, &statbuf) == 0) { - ArgusParseResourceFile (path); - } - } - - if ((envstr = getenv("ARGUSPATH")) != NULL) { - while ((homepath = strtok(envstr, ":")) != NULL) { - snprintf (path, MAXPATHNAMELEN - 1, "%s/.rarc", homepath); - if (stat (path, &statbuf) == 0) { - ArgusParseResourceFile (path); - break; - } - envstr = NULL; - } - - } else { - for (i = 0; i < RaEnvItems; i++) { - envstr = RaResourceEnvStr[i]; - if ((homepath = getenv(envstr)) != NULL) { - sprintf (path, "%s/.rarc", homepath); - if (stat (path, &statbuf) == 0) { - ArgusParseResourceFile (path); - break; - } - } - } - } - - if ((argv[optind]) != NULL) - ArgusProgramOptions = strdup(copy_argv (&argv[optind])); - - while ((op = getopt (argc, argv, getoptStr)) != EOF) { - switch (op) { - case 'a': ++aflag; break; - case 'A': ++Aflag; break; - case 'b': ++bflag; break; - case 'B': Bflag = atoi(optarg); break; - case 'c': ++cflag; break; - case 'C': ++Cflag; break; - case 'D': Argusdflag = atoi (optarg); break; - case 'd': ++dflag; - if ((dataarg = optarg) != NULL) { - if ((retn = parseUserDataArg (&dataarg, argv, optind)) < 0) { - usage (); - } else { - optind += retn; - } - } - break; - case 'e': - estr = optarg; - if (strncmp(ArgusProgramName, "ragrep", 6)) { - if (!(strncasecmp(optarg, "ascii", 5))) - eflag = ARGUS_ENCODE_ASCII; - else - if (!(strncasecmp(optarg, "encode64", 8))) - eflag = ARGUS_ENCODE_64; - else - usage(); - } else { - ArgusGrepSource++; - ArgusGrepDestination++; - - if ((estr[0] == 's') && (estr[1] == ':')) { - ArgusGrepDestination = 0; - estr = &estr[2]; - } - - if ((estr[0] == 'd') && (estr[1] == ':')) { - ArgusGrepSource = 0; - estr = &estr[2]; - } - } - break; - - case 'E': exceptfile = optarg; break; - case 'f': ArgusFlowModelFile = optarg; break; - case 'F': - if (!(ArgusParseResourceFile (optarg))) - ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) error. 
%s\n", optarg, strerror(errno)); - break; - case 'g': ++gflag; Gflag = 0; break; - case 'G': ++Gflag; gflag = 0; break; - case 'H': ++Hflag; break; - case 'i': ++idflag; break; - case 'I': ++Iflag; break; - case 'L': - switch (Lflag = atoi(optarg)) { - case 0: Lflag = -1; break; - case -1: Lflag = 0; break; - } - break; - case 'l': ++lflag; break; - case 'm': ++mflag; break; - case 'M': Mflag = optarg; break; - case 'n': ++nflag; break; - case 'N': Nflag = atoi (optarg); break; - case 'p': pflag = atoi (optarg); break; - case 'P': ArgusPortNum = atoi (optarg); break; - case 'q': ++qflag; break; - case 'r': ++rflag; - Sflag = 0; - if ((!rcmdline++) && (ArgusInputFileList != NULL)) - ArgusDeleteFileList(); - - if (optarg == NULL) - optarg = "-"; - do { - if (!(ArgusAddFileList (optarg))) { - fprintf (stderr, "%s: error: file arg %s \n", *argv, optarg); - exit (1); - } - if ((optarg = argv[optind]) != NULL) - if (*optarg != '-') - optind++; - } while (optarg && (*optarg != '-')); - break; - - case 'R': ++Rflag; break; - case 's': - if (RaSortIndex < ARGUS_MAX_SORT_ALG) - RaSortAlgorithmStrings[RaSortIndex++] = optarg; - else - ArgusLog (LOG_ERR, "usage: number of sort options exceeds %d\n", ARGUS_MAX_SORT_ALG); - break; - case 'S': - ++Sflag; - if ((!Scmdline++) && (ArgusRemoteHostList != NULL)) - ArgusDeleteHostList(); - - if (!(ArgusAddHostList (optarg))) { - fprintf (stderr, "%s: host %s unknown\n", *argv, optarg); - exit (1); - } - break; - - case 't': ++tflag; - if ((timearg = optarg) != NULL) { - if ((retn = parseTimeArg (&timearg, argv, optind, RaTmStruct)) < 0) { - usage (); - } else { - optind += retn; - } - } - break; - case 'T': Tflag = atoi(optarg); break; - case 'u': uflag++; break; - case 'U': ustr = optarg; break; - case 'v': vflag++; break; - case 'V': Vflag++; break; - case 'w': - if ((wfile = optarg) == NULL) - if (!strcmp (argv[optind], "-")) { - wfile = "-"; - } - break; - case 'z': ++zflag; break; - case 'Z': Zflag = *optarg; break; - case 'h': - 
default: - usage (); - /* NOTREACHED */ - } - } - - if (infile) - cmdbuf = read_infile (infile); - else { - char *str; - - if ((str = argv[optind]) != NULL) { - if (strcmp(str, "-") == 0) - optind++; - cmdbuf = copy_argv (&argv[optind]); - } - } - - if (cmdbuf) { - if (RaInputFilter != NULL) - ArgusFree(RaInputFilter); - - RaInputFilter = cmdbuf; - } - - init_addrtoname (fflag, ArgusLocalNet, ArgusNetMask); - - bzero ((char *) &ArgusFilterCode, sizeof (ArgusFilterCode)); - - if (!(ArgusFilterCompile (&ArgusFilterCode, RaInputFilter, 1, ArgusNetMask) < 0)) { - if (cmdbuf) - ArgusRemoteFilter = (unsigned char *) strdup(cmdbuf); - else - ArgusRemoteFilter = NULL; - } - - if (bflag) { - bpf_dump(&ArgusFilterCode, bflag); - exit (0); - } - - ArgusClientInit (); - - if (Sflag) { - register struct ARGUS_INPUT *addr; - - if ((addr = ArgusRemoteHostList) != NULL) { - while (addr != NULL) { - if ((addr->fd = ArgusGetServerSocket (addr)) >= 0) - if ((ArgusReadConnection (addr, NULL)) >= 0) - ArgusRemoteFDs[ArgusActiveServers++] = addr; - - addr = addr->nxt; - } - } - - ArgusReadStream(); - - } else { - struct ARGUS_INPUT *addr; - - if (ArgusInputFileList == NULL) - if (!(ArgusAddFileList ("-"))) - ArgusLog (LOG_ERR, "ArgusAddFilelist('-') error %s\n", strerror(errno)); - - if ((addr = ArgusInputFileList) != NULL) { - while (addr) { - if (strcmp (addr->filename, "-")) { - if ((addr->fd = open(addr->filename, O_RDONLY)) >= 0) { - if (((ArgusReadConnection (addr, addr->filename)) >= 0)) { - ArgusRemoteFDs[0] = addr; - ArgusReadStream(); - close(addr->fd); - } - } else { - fprintf (stderr, "%s: open '%s': %s\n", ArgusProgramName, - addr->filename, strerror(errno)); - } - } else { - addr->fd = 0; - if (((ArgusReadConnection (addr, NULL)) >= 0)) { - ArgusRemoteFDs[0] = addr; - ArgusReadStream(); - } - } - addr = addr->nxt; - } - } else { - struct ARGUS_INPUT addrbuf, *addr = &addrbuf; - - bzero ((char *) addr, sizeof (*addr)); - addr->fd = 0; - - if (((ArgusReadConnection (addr, 
NULL)) >= 0)) { - ArgusRemoteFDs[0] = addr; - ArgusReadStream(); - } - } - } - - if (fd >= 0) { - ArgusShutDown (0); - } else - retn = 1; - -#ifdef ARGUSDEBUG - ArgusDebug (1, "main () exiting with %d\n", retn); -#endif - - exit (retn); -} - - -void -ArgusShutDown (int value) -{ - -#ifdef ARGUSDEBUG - ArgusDebug (1, "ArgusShutDown (%d)\n", value); -#endif - - if (value >= 0) - RaParseComplete (value); - - _exit (value); -} - -unsigned int ArgusTotalCount = 0; -unsigned int ArgusTotalBytes = 0; -static int firstWrite = 1; - -int -ArgusHandleDatum (struct ArgusRecord *ptr, struct bpf_program *filter) -{ - int retn = 0; - - if (ptr != NULL) { - int len = ntohs(ptr->ahdr.length); - struct bpf_insn *fcode = filter->bf_insns; - u_char buf[MAXSTRLEN]; - - totalrecords++; - - if (len > MAXSTRLEN) - ArgusLog (LOG_ERR, "ArgusHandleDatum(0x%x) input record %d size = %d\n", totalrecords, len); - - bcopy ((char *)ptr, (char *)ArgusOriginal, len); - bcopy ((char *)ptr, (char *)&buf, len); - - switch (ptr->ahdr.type) { - case ARGUS_MAR: - case (ARGUS_MAR | ARGUS_CISCO_NETFLOW): - case ARGUS_INDEX: - case ARGUS_EVENT: - marrecords++; - break; - - case ARGUS_FAR: - case ARGUS_DATASUP: - farrecords++; - break; - } - - if ((retn = argus_filter (fcode, (unsigned char *) ptr)) != 0) { -#ifdef _LITTLE_ENDIAN - ArgusNtoH ((struct ArgusRecord *)&buf); -#endif - ArgusThisFarStatus = ArgusIndexRecord ((struct ArgusRecord *)&buf, ArgusThisFarHdrs); - - if ((retn = check_time ((struct ArgusRecord *)&buf)) != 0) { - struct ArgusRecord *argus = (struct ArgusRecord *)&buf; - - if (!(ptr->ahdr.type & ARGUS_MAR)) { - unsigned int count, bytes; - -#define ARGUSMAXPACKETSIZE 65536 /* correct for 1.8x byte count bug */ - - if ((count = argus->argus_far.src.count) > 0) - if ((bytes = argus->argus_far.src.bytes) > 0) - if ((bytes/count) > ARGUSMAXPACKETSIZE) - argus->argus_far.src.bytes = 0; - if ((count = argus->argus_far.dst.count) > 0) - if ((bytes = argus->argus_far.dst.bytes) > 0) - if 
((bytes/count) > ARGUSMAXPACKETSIZE) - argus->argus_far.dst.bytes = 0; - - ArgusTotalCount += (argus->argus_far.src.count + argus->argus_far.dst.count); - if (Aflag) - ArgusTotalBytes += (argus->argus_far.src.appbytes + argus->argus_far.dst.appbytes); - else - ArgusTotalBytes += (argus->argus_far.src.bytes + argus->argus_far.dst.bytes); - } - - if (wfile) { - if (RaWriteOut) { - if (!(firstWrite && ((argus->ahdr.type & ARGUS_MAR) && (argus->ahdr.cause & ARGUS_START)))) - if (ArgusWriteNewLogfile (wfile, ArgusOriginal)) { - fprintf (stderr, "ArgusWriteNewLogfile: error\n"); - exit (1); - } - } else - ArgusProcessRecord ((struct ArgusRecord *)&buf); - } else - ArgusProcessRecord ((struct ArgusRecord *)&buf); - } - } else { - if (exceptfile) { - if (ArgusWriteNewLogfile (exceptfile, ArgusOriginal)) { - fprintf (stderr, "ArgusWriteNewLogfile: error using file %s\n", exceptfile); - exit (1); - } - } - } - - retn = 0; - - if (ptr->ahdr.type & ARGUS_MAR) { - switch (ptr->ahdr.cause) { - case ARGUS_STOP: - case ARGUS_SHUTDOWN: - case ARGUS_ERROR: { -#ifdef ARGUSDEBUG - ArgusDebug (3, "ArgusHandleDatum (0x%x, 0x%x) received closing Mar\n", ptr, filter); -#endif - if (Sflag) - retn = 1; - break; - } - } - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (6, "ArgusHandleDatum (0x%x, 0x%x) returning %d\n", ptr, filter, retn); -#endif - - return (retn); -} - - -#include - -struct ArgusRecord *ArgusNetFlowCallRecord (u_char **); -struct ArgusRecord *ArgusNetFlowDetailInt (u_char **); -struct ArgusRecord *ArgusParseCiscoRecord (u_char **); - -struct ArgusRecord *ArgusParseCiscoRecordV1 (u_char **); -struct ArgusRecord *ArgusParseCiscoRecordV5 (u_char **); -struct ArgusRecord *ArgusParseCiscoRecordV6 (u_char **); - -unsigned char *ArgusNetFlowRecordHeader = NULL; - -unsigned char ArgusNetFlowArgusRecordBuf[1024]; -struct ArgusRecord *ArgusNetFlowArgusRecord = (struct ArgusRecord *) ArgusNetFlowArgusRecordBuf; - -struct ArgusRecord * -ArgusParseCiscoRecordV1 (u_char **ptr) -{ - 
CiscoFlowEntryV1_t *entryPtrV1 = (CiscoFlowEntryV1_t *) *ptr; - CiscoFlowHeaderV1_t *hdrPtrV1 = (CiscoFlowHeaderV1_t *) ArgusNetFlowRecordHeader; - struct ArgusRecord *argus = ArgusNetFlowArgusRecord; - struct ArgusMacStruct mac; - - *ptr += sizeof(CiscoFlowEntryV1_t); - bzero ((char *) argus, sizeof (*argus)); - argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW; - argus->ahdr.cause = ARGUS_STATUS; - argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far); - - argus->ahdr.status |= ETHERTYPE_IP; - - argus->argus_far.type = ARGUS_FAR; - argus->argus_far.length = sizeof(argus->argus_far); - - if (hdrPtrV1) { - long time; - time = ntohl(entryPtrV1->first); - argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000; - argus->argus_far.time.start.tv_sec += hdrPtrV1->unix_secs; - - argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000; - argus->argus_far.time.start.tv_usec += hdrPtrV1->unix_nsecs/1000; - - if (argus->argus_far.time.start.tv_usec >= 1000000) { - argus->argus_far.time.start.tv_sec++; - argus->argus_far.time.start.tv_usec -= 1000000; - } - if (argus->argus_far.time.start.tv_usec < 0) { - argus->argus_far.time.start.tv_sec--; - argus->argus_far.time.start.tv_usec += 1000000; - } - - time = ntohl(entryPtrV1->last); - argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000; - argus->argus_far.time.last.tv_sec += hdrPtrV1->unix_secs; - - argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000; - argus->argus_far.time.last.tv_usec += hdrPtrV1->unix_nsecs/1000; - - if (argus->argus_far.time.last.tv_usec >= 1000000) { - argus->argus_far.time.last.tv_sec++; - argus->argus_far.time.last.tv_usec -= 1000000; - } - if (argus->argus_far.time.last.tv_usec < 0) { - argus->argus_far.time.last.tv_sec--; - argus->argus_far.time.last.tv_usec += 1000000; - } - - argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000; - 
argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV1->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV1->dstaddr);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV1->prot;
- argus->argus_far.attr_ip.stos = entryPtrV1->tos;
- argus->argus_far.src.count = ntohl(entryPtrV1->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV1->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV1->flags;
-
- if (tcp->src.flags & TH_RST) {
- if (argus->argus_far.src.count == 1) {
- if (tcp->src.flags == (TH_RST | TH_ACK))
- tcp->state |= ARGUS_DST_RESET;
- else
- tcp->state |= ARGUS_SRC_RESET;
- } else
- tcp->state |= ARGUS_RESET;
- }
-
- if (tcp->src.flags & TH_FIN)
- tcp->state |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags & TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->state |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->state |= ARGUS_SAW_SYN;
- break;
- case (TH_SYN|TH_ACK):
- if (argus->argus_far.src.count == 1)
- tcp->state |= ARGUS_SAW_SYN_SENT;
- break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
-
-/* fall through to UDP switch to get the ports */
-
- case IPPROTO_UDP:
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV1->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV1->dstport);
- break;
-
- case IPPROTO_ICMP: {
- argus->argus_far.flow.icmp_flow.type = ((char *)&entryPtrV1->dstport)[0];
- argus->argus_far.flow.icmp_flow.code = ((char *)&entryPtrV1->dstport)[1];
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof
(mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV1->input = ntohs(entryPtrV1->input);
- entryPtrV1->output = ntohs(entryPtrV1->output);
-
- bcopy((char *)&entryPtrV1->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV1->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecordV1 (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return(argus);
-}
-
-
-struct ArgusRecord *
-ArgusParseCiscoRecordV5 (u_char **ptr)
-{
- CiscoFlowEntryV5_t *entryPtrV5 = ((CiscoFlowEntryV5_t *) *ptr);
- CiscoFlowHeaderV5_t *hdrPtrV5 = (CiscoFlowHeaderV5_t *) ArgusNetFlowRecordHeader;
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- struct ArgusMacStruct mac;
-
- *ptr += sizeof(CiscoFlowEntryV5_t);
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV5) {
- long time;
- time = ntohl(entryPtrV5->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
-
time = ntohl(entryPtrV5->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV5->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV5->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV5->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV5->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV5->prot;
- argus->argus_far.attr_ip.stos = entryPtrV5->tos;
- argus->argus_far.src.count = ntohl(entryPtrV5->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV5->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV5->tcp_flags;
-
- if (tcp->src.flags & TH_RST)
- tcp->status |= ARGUS_RESET;
-
- if (tcp->src.flags & TH_FIN)
- tcp->status |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags & TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->status |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->status |= ARGUS_SAW_SYN;
-
break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof (mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV5->input = ntohs(entryPtrV5->input);
- entryPtrV5->output = ntohs(entryPtrV5->output);
-
- bcopy((char *)&entryPtrV5->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV5->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecordV5 (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusParseCiscoRecordV6 (u_char **ptr)
-{
- CiscoFlowEntryV6_t *entryPtrV6 = (CiscoFlowEntryV6_t *) *ptr;
- CiscoFlowHeaderV6_t *hdrPtrV6 = (CiscoFlowHeaderV6_t *) ArgusNetFlowRecordHeader;
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- struct ArgusMacStruct mac;
-
- *ptr += sizeof(CiscoFlowEntryV6_t);
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV6) {
- long time;
- time = ntohl(entryPtrV6->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
-
argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV6->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV6->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV6->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV6->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV6->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV6->prot;
- argus->argus_far.attr_ip.stos = entryPtrV6->tos;
- argus->argus_far.src.count = ntohl(entryPtrV6->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV6->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV6->tcp_flags;
-
- if (tcp->src.flags & TH_RST)
- tcp->status |= ARGUS_RESET;
-
- if (tcp->src.flags & TH_FIN)
- tcp->status |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags &
TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->status |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->status |= ARGUS_SAW_SYN;
- break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof (mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV6->input = ntohs(entryPtrV6->input);
- entryPtrV6->output = ntohs(entryPtrV6->output);
-
- bcopy((char *)&entryPtrV6->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV6->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return(argus);
-}
-
-struct ArgusRecord *
-ArgusParseCiscoRecord (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- unsigned short *sptr = (unsigned short *) *ptr;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) version %h\n", *ptr, *sptr);
-#endif
-
- switch (*sptr) {
- case Version1: {
- CiscoFlowHeaderV1_t *hdrPtrV1 = (CiscoFlowHeaderV1_t *) *ptr;
- CiscoFlowEntryV1_t *entryPtrV1 = (CiscoFlowEntryV1_t *) (hdrPtrV1 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV1) {
- long time;
- time = ntohl(entryPtrV1->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec
+= hdrPtrV1->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV1->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV1->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV1->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV1->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV1->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV1->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV1->prot;
- argus->argus_far.attr_ip.stos = entryPtrV1->tos;
- argus->argus_far.src.count = ntohl(entryPtrV1->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV1->bytes);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version5: {
- CiscoFlowHeaderV5_t *hdrPtrV5 = (CiscoFlowHeaderV5_t *) ptr;
- CiscoFlowEntryV5_t *entryPtrV5 = (CiscoFlowEntryV5_t *)
(hdrPtrV5 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV5) {
- long time;
- time = ntohl(entryPtrV5->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV5->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV5->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV5->dstaddr);
-
argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV5->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV5->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV5->prot;
- argus->argus_far.attr_ip.stos = entryPtrV5->tos;
- argus->argus_far.src.count = ntohl(entryPtrV5->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV5->bytes);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version6: {
- CiscoFlowHeaderV6_t *hdrPtrV6 = (CiscoFlowHeaderV6_t *) ptr;
- CiscoFlowEntryV6_t *entryPtrV6 = (CiscoFlowEntryV6_t *) (hdrPtrV6 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV6) {
- long time;
- time = ntohl(entryPtrV6->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV6->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >=
1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV6->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV6->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV6->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV6->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV6->prot;
- argus->argus_far.attr_ip.stos = entryPtrV6->tos;
- argus->argus_far.src.count = ntohl(entryPtrV6->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV6->bytes);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version8: {
- break;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusNetFlowCallRecord (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- BinaryRecord_CallRecord_V1 *call = (BinaryRecord_CallRecord_V1 *) *ptr;
-
- if (*ptr) {
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- argus->argus_far.time.start.tv_sec = ntohl(call->starttime);
- argus->argus_far.time.last.tv_sec = ntohl(call->endtime);
-
- argus->argus_far.time.last.tv_usec = ntohl(call->activetime) % 1000000;
- argus->argus_far.time.last.tv_sec +=
ntohl(call->activetime) / 1000000;
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(call->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(call->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(call->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(call->dstport);
- argus->argus_far.flow.ip_flow.ip_p = call->prot;
- argus->argus_far.attr_ip.stos = call->tos;
- argus->argus_far.src.count = ntohl(call->pkts);
- argus->argus_far.src.bytes = ntohl(call->octets);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (6, "ArgusNetFlowCallRecord (0x%x) returns 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusNetFlowDetailInt (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- BinaryRecord_DetailInterface_V1 *dint = (BinaryRecord_DetailInterface_V1 *) *ptr;
-
- if (*ptr) {
- dint = NULL;
- bzero ((char *) argus, sizeof (*argus));
- }
-
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusNetFlowDetailInt (0x%x) returns 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-ArgusNetFlowHandler ArgusLookUpNetFlow(struct ARGUS_INPUT *, int);
-
-struct ArgusNetFlowParsers {
- int type, size;
- ArgusNetFlowHandler proc;
-};
-
-struct ArgusNetFlowParsers ArgusNetFlowParsers [] = {
- { SourceNode, 0, NULL },
- { DestNode, 0, NULL },
- { HostMatrix, 0, NULL },
- { SourcePort, 0, NULL },
- { DestPort, 0, NULL },
- { Protocol, 0, NULL },
- { DetailDestNode, 0, NULL },
- { DetailHostMatrix, 0, NULL },
- { DetailInterface, sizeof(BinaryRecord_DetailInterface_V1), ArgusNetFlowDetailInt },
- { CallRecord, sizeof(BinaryRecord_CallRecord_V1), ArgusNetFlowCallRecord },
- { ASMatrix, 0, NULL },
- { NetMatrix, 0, NULL },
- { DetailSourceNode, 0, NULL },
- { DetailASMatrix, 0, NULL },
- { ASHostMatrix, 0, NULL },
- { HostMatrixInterface, 0, NULL },
- { DetailCallRecord, 0, NULL },
- { RouterAS, 0, NULL },
- { RouterProtoPort, 0, NULL },
- {
RouterSrcPrefix, 0, NULL },
- { RouterDstPrefix, 0, NULL },
- { RouterPrefix, 0, NULL },
- { -1, 0, NULL },
-};
-
-ArgusNetFlowHandler ArgusCiscoNetFlowParse = NULL;
-int ArgusWriteConnection (struct ARGUS_INPUT *, unsigned char *, int);
-
-ArgusNetFlowHandler
-ArgusLookUpNetFlow(struct ARGUS_INPUT *input, int type)
-{
- ArgusNetFlowHandler retn = NULL;
- struct ArgusNetFlowParsers *p = ArgusNetFlowParsers;
-
- do {
- if (type == p->type) {
- retn = p->proc;
- input->ArgusReadSize = p->size;
- break;
- }
- p++;
- } while (p->type != -1);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusLookUpNetFlow (0x%x, %d) returning 0x%x\n", input, type, retn);
-#endif
-
- return (retn);
-}
-
-extern char *ArgusVersionStr;
-
-int
-ArgusReadConnection (struct ARGUS_INPUT *input, char *filename)
-{
- struct ArgusCanonicalRecord canonbuf, *canon = &canonbuf;
- struct ArgusRecord argus;
- u_char *ptr = (u_char *)&argus;
- unsigned char buf[MAXSTRLEN];
- int cnt, fd = -1;
-
- if (input != NULL)
- fd = input->fd;
- else
- fd = 0;
-
- if (fd >= 0) {
- switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) {
- case ARGUS_DATA_SOURCE:
- bzero ((char *) &argus, sizeof(argus));
- if ((cnt = read (fd, &argus, sizeof(argus.ahdr))) == sizeof(argus.ahdr)) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() read %d bytes\n", cnt);
-#endif
- if (filename) {
- if (((ptr[0] == 0x1F) && ((ptr[1] == 0x8B) || (ptr[1] == 0x9D))) ||
- ((ptr[0] == 'B') && (ptr[1] == 'Z') && (ptr[2] == 'h'))) {
- char cmd[256];
- bzero(cmd, 256);
- close(fd);
- if (ptr[0] == 'B')
- strcpy(cmd, "bzip2 -dc ");
- else
- if (ptr[1] == 0x8B)
- strcpy(cmd, "gzip -dc ");
- else
- strcpy(cmd, "zcat ");
-
- strcat(cmd, filename);
-
- if ((input->pipe = popen(cmd, "r")) == NULL) {
- ArgusLog (LOG_ERR, "ArgusReadConnection: popen(%s) failed. 
%s\n", cmd, strerror(errno));
-
- close (fd);
- return (-1);
- } else {
- fd = fileno(input->pipe);
- if ((cnt = read (fd, &argus, sizeof(argus.ahdr))) != sizeof(argus.ahdr)) {
- ArgusLog (LOG_ERR, "ArgusReadConnection: read from '%s' failed. %s\n", cmd, strerror(errno));
- pclose(input->pipe);
- input->pipe = NULL;
- close (fd);
- return (-1);
- }
- }
- }
- }
-
- if (argus.ahdr.type & ARGUS_MAR) {
- unsigned short length = ntohs(argus.ahdr.length);
- unsigned int argusid = ntohl(argus.ahdr.argusid);
- unsigned int sequence = ntohl(argus.ahdr.seqNumber);
- unsigned int status = ntohl(argus.ahdr.status);
-
- if (argus.ahdr.cause & ARGUS_ERROR) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() ARGUS_ERROR Mar.\n");
-#endif
- if (status & ARGUS_MAXLISTENEXCD) {
- fprintf (stderr, "%s: remote exceed listen error.\n", ArgusProgramName);
- close (fd);
- return (-1);
- }
- }
-
- if (argus.ahdr.cause == ARGUS_START) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() ARGUS_START Mar.\n");
-#endif
- input->status |= ARGUS_DATA_SOURCE;
- if ((argusid == ARGUS_COOKIE) && (sequence == 0)) {
- int size = length - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &argus.argus_mar, size)) != size) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() read failed for ARGUS_START Mar %s.\n",
- strerror(errno));
-#endif
- close (fd);
- return (-1);
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, length);
- ArgusInput = input;
-
- ArgusHandleDatum ((struct ArgusRecord *)&argus, &ArgusFilterCode);
-
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
-
- bcopy ((char *) &argus, (char *)&input->ArgusManStart, sizeof (argus));
- input->major_version = MAJOR_VERSION_2;
- input->minor_version = MINOR_VERSION_0;
- input->ArgusReadSize = argus.argus_mar.record_len;
-
- argus_parse_init (input);
-
- if (Sflag && (input->major_version >= MAJOR_VERSION_2)) {
- if (ntohl(argus.ahdr.status) &
ARGUS_SASL_AUTHENTICATE) {
- if (!(ArgusAuthenticate(input))) {
- fprintf (stderr, "%s: incorrect password\n", ArgusProgramName);
- close(fd);
- return (-1);
- }
- }
-
- if ((ArgusRemoteFilter != NULL) && (filename == NULL) && (fd != 0)) {
- int len;
- snprintf ((char *) buf, MAXSTRLEN-1, "FILTER: man or %s", (char *) ArgusRemoteFilter);
- len = strlen((char *) buf);
- if ((cnt = write (fd, buf, len)) != len) {
- fprintf (stderr, "%s: write remote filter error %s.\n",
- ArgusProgramName, strerror(errno));
- close(fd);
- return (-1);
- }
- }
- }
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- } else {
-
- struct WriteStruct *ws = NULL;
- char *ptr;
- int size;
-
- bcopy ((char *)&argus, buf, sizeof(argus.ahdr));
-
- size = sizeof(*ws) - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &buf[sizeof(argus.ahdr)], size)) != size) {
- fprintf (stderr, "%s: reading %d bytes, got %d bytes. %s", ArgusProgramName, size, cnt, strerror(errno));
- close (fd);
- return (-1);
-
- } else
- ws = (struct WriteStruct *) buf;
-
- if ((ptr = strstr (ws->ws_init.initString, ArgusVersionStr)) != NULL) {
- ArgusConvertInitialWriteStruct (ws, &argus);
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
- input->ArgusReadSize = sizeof(*ws);
-
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *)&argus, (char *) ArgusOriginal, sizeof(argus));
-
- ArgusInput = input;
-
- ArgusHandleDatum ((struct ArgusRecord *)&argus, &ArgusFilterCode);
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
-
- argus_parse_init (input);
-
- input->status |= ARGUS_DATA_SOURCE;
-
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- char *ptr = (char *)&argus;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusReadConnection() testing for CISCO records\n");
-#endif
- if (!(strncmp(&ptr[3], "SOURCE", 6))) {
- BinaryHeaderF2 *ArgusNetFlow = (BinaryHeaderF2 *) buf;
- int size;
-
- bcopy ((char *)&argus, buf, sizeof(argus.ahdr));
- size = sizeof(*ArgusNetFlow) - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &buf[sizeof(argus.ahdr)], size)) != size) {
- fprintf (stderr, "%s: reading %d bytes, got %d bytes. %s", ArgusProgramName, size, cnt, strerror(errno));
- close (fd);
- return (-1);
-
- } else {
-#ifdef _LITTLE_ENDIAN
- ArgusNetFlow->starttime = ntohl(ArgusNetFlow->starttime);
- ArgusNetFlow->endtime = ntohl(ArgusNetFlow->endtime);
- ArgusNetFlow->flows = ntohl(ArgusNetFlow->flows);
- ArgusNetFlow->missed = ntohl(ArgusNetFlow->missed);
- ArgusNetFlow->records = ntohl(ArgusNetFlow->records);
-#endif
- bzero ((char *)&argus, sizeof(argus));
-
- argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW;
- argus.ahdr.length = sizeof (argus);
- argus.ahdr.cause = ARGUS_START;
- argus.ahdr.argusid = ARGUS_COOKIE;
- argus.argus_mar.startime.tv_sec = ArgusNetFlow->starttime;
- argus.argus_mar.now.tv_sec = ArgusNetFlow->starttime;
- argus.argus_mar.major_version = major_version;
- argus.argus_mar.minor_version = minor_version;
- argus.argus_mar.flows = ArgusNetFlow->flows;
- argus.argus_mar.pktsDrop = ArgusNetFlow->missed;
- argus.argus_mar.record_len = -1;
-
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
-
- if ((input->ArgusCiscoNetFlowParse =
- ArgusLookUpNetFlow(input, ArgusNetFlow->aggregation)) != NULL) {
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(&argus);
-#endif
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *)
ArgusOriginal, sizeof(argus));
- ArgusInput = input;
-
- ArgusGenerateCanonicalRecord (&argus, canon);
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
- argus_parse_init (input);
-
- if (check_time (&argus)) {
- if (!(wfile) || !(wfile || RaWriteOut))
- ArgusProcessRecord(&argus);
- }
-
- input->status |= ARGUS_CISCO_DATA_SOURCE;
-
- } else {
- fprintf (stderr, "%s: not supported Cisco data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- fprintf (stderr, "%s: no data in data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- break;
-
- case ARGUS_CISCO_DATA_SOURCE:
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusReadConnection(0x%x) reading from Cisco Router.\n", input);
-#endif
- bzero((char *)&argus, sizeof(argus));
-
- argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW;
- argus.ahdr.length = sizeof (argus);
- argus.ahdr.cause = ARGUS_START;
- argus.ahdr.argusid = ARGUS_COOKIE;
- argus.argus_mar.startime.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.now.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.major_version = major_version;
- argus.argus_mar.minor_version = minor_version;
- argus.argus_mar.record_len = -1;
-
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(&argus);
-#endif
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, sizeof(argus));
- ArgusInput = input;
-
- argus_parse_init (input);
- break;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadConnection() returning %d\n", fd);
-#endif
-
- return (fd);
-}
-
-
-void ArgusCloseInput(struct ARGUS_INPUT *);
-int ArgusReadStreamSocket (struct ARGUS_INPUT *);
-int ArgusReadCiscoStreamSocket (struct ARGUS_INPUT *);
-int ArgusReadCiscoDatagramSocket (struct ARGUS_INPUT *);
-
-
-void
-ArgusCloseInput(struct ARGUS_INPUT *input)
-{
- if (input->pipe) {
- pclose(input->pipe);
- input->pipe = NULL;
- }
-
- if (input->in != NULL)
- fclose(input->in);
-
- if (input->out != NULL)
- fclose(input->out);
-
- if (input->ArgusReadBuffer != NULL)
- ArgusFree(input->ArgusReadBuffer);
-
- if (input->ArgusConvBuffer != NULL)
- ArgusFree(input->ArgusConvBuffer);
-
- close (input->fd);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusCloseInput(0x%x) done\n", input);
-#endif
-}
-
-
-#ifdef ARGUS_SASL
-#include
-
-int ArgusReadSaslStreamSocket (struct ARGUS_INPUT *);
-
-int
-ArgusReadSaslStreamSocket (struct ARGUS_INPUT *input)
-{
- int retn = 0, fd = input->fd, cnt;
- unsigned int value = 0, *pvalue = &value;
- struct ArgusRecord *argus = NULL;
- char *output = NULL, *end = NULL, *ptr = NULL;
- unsigned int outputlen = 0;
-
-
- if ((retn = sasl_getprop(input->sasl_conn, SASL_MAXOUTBUF, (void **) &pvalue)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusReadSaslStreamSocket: sasl_getprop %s\n", strerror(errno));
-
- if (value == 0)
- value = MAXSTRLEN;
-
- if ((cnt = read (fd, input->ArgusSaslBuffer + input->ArgusSaslBufCnt, MAXSTRLEN)) > 0) {
- input->ArgusSaslBufCnt = cnt;
- ptr = input->ArgusSaslBuffer;
-
- do {
- cnt = (input->ArgusSaslBufCnt > value) ?
value : input->ArgusSaslBufCnt; - - if (sasl_decode (input->sasl_conn, ptr, cnt, &output, &outputlen) == SASL_OK) { -#ifdef ARGUSDEBUG - ArgusDebug (5, "ArgusReadSaslStreamSocket (0x%x) sasl_decoded %d bytes\n", input, outputlen); -#endif - ptr += cnt; - - if (outputlen) { - argus = (struct ArgusRecord *) output; - end = output + outputlen; - - while ((char *)argus < end) { - input->ArgusReadSocketCnt = ntohs(argus->ahdr.length); - bcopy (argus, input->ArgusReadBuffer, input->ArgusReadSocketCnt); - - if (ArgusHandleDatum (argus, &ArgusFilterCode) == 1) { - if (!input->filename) - write (fd, "DONE: ", strlen("DONE: ")); - - retn = 1; - break; - - } else - (char *)argus += input->ArgusReadSocketCnt; - } - - free (output); - input->ArgusSaslBufCnt -= cnt; - - } else { - input->ArgusSaslBufCnt = 0; - break; - } - - } else { - ArgusLog (LOG_ERR, "ArgusReadSaslStreamSocket: sasl_decode () failed"); - break; - } - - } while (input->ArgusSaslBufCnt > 0); - - } else { - retn = 1; - - if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) { - retn = 0; - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (5, "ArgusReadSaslStreamSocket (0x%x) returning %d\n", input, retn); -#endif - - return (retn); -} - -#endif /* ARGUS_SASL */ - - -int -ArgusReadStreamSocket (struct ARGUS_INPUT *input) -{ - int retn = 0, fd = input->fd, cnt = 0; - unsigned short length; - -#ifdef ARGUSDEBUG - ArgusDebug (8, "ArgusReadStreamSocket (0x%x) starting\n", input); -#endif - - if ((cnt = read (fd, input->ArgusReadPtr + input->ArgusReadSocketCnt, - (input->ArgusReadSocketSize - input->ArgusReadSocketCnt))) > 0) { - input->ArgusReadSocketCnt += cnt; - -#ifdef ARGUSDEBUG - ArgusDebug (8, "ArgusReadStreamSocket (0x%x) read %d bytes\n", input, cnt); -#endif - - if (input->ArgusReadSocketCnt == input->ArgusReadSocketSize) { - if (input->ArgusReadSocketState == ARGUS_READINGHDR) { - input->ArgusReadSocketState = ARGUS_READINGBLOCK; - - bcopy ((char *)&((struct ArgusRecordHeader *)input->ArgusReadPtr)->length, 
(char *)&length, sizeof(length)); - input->ArgusReadSocketSize = ntohs(length) - sizeof(struct ArgusRecordHeader); - - input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt]; - input->ArgusReadSocketCnt = 0; - - } else { - if (input->major_version < 2) { - ArgusConvertWriteStruct ((struct WriteStruct *)input->ArgusReadBuffer, - (struct ArgusRecord *)input->ArgusConvBuffer); - bcopy (input->ArgusConvBuffer, input->ArgusReadBuffer, MAXSTRLEN); - } - - if (ArgusHandleDatum ((struct ArgusRecord *)input->ArgusReadBuffer, &ArgusFilterCode) == 1) { - if (!input->filename) { - write (fd, "DONE: ", strlen("DONE: ")); - retn = 1; - } - } - - if (input->major_version >= 2) { - input->ArgusReadSocketState = ARGUS_READINGHDR; - input->ArgusReadSocketSize = sizeof(struct ArgusRecordHeader); - } - - input->ArgusReadPtr = input->ArgusReadBuffer; - bzero (input->ArgusReadBuffer, MAXSTRLEN); - input->ArgusReadSocketCnt = 0; - } - } - } else { -#ifdef ARGUSDEBUG - ArgusDebug (3, "ArgusReadStreamSocket (0x%x) read returned %d\n", input, cnt); -#endif - - retn = 1; - - if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) { - retn = 0; - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (5, "ArgusReadStreamSocket (0x%x) returning %d\n", input, retn); -#endif - - return (retn); -} - - -int -ArgusReadCiscoStreamSocket (struct ARGUS_INPUT *input) -{ - int cnt = 0, retn = 0; - -#ifdef ARGUSDEBUG - ArgusDebug (8, "ArgusReadCiscoStreamSocket (0x%x) starting\n", input); -#endif - - if ((cnt = read (input->fd, input->ArgusReadPtr + input->ArgusReadSocketCnt, - (input->ArgusReadSocketSize - input->ArgusReadSocketCnt))) > 0) { - input->ArgusReadSocketCnt += cnt; - -#ifdef ARGUSDEBUG - ArgusDebug (8, "ArgusReadCiscoStreamSocket (0x%x) read %d bytes, total %d need %d\n", - input, cnt, input->ArgusReadSocketCnt, input->ArgusReadSocketSize); -#endif - - if (input->ArgusReadSocketCnt == input->ArgusReadSocketSize) { - switch (input->ArgusReadSocketState) { - - case ARGUS_READINGPREHDR: { 
- unsigned short *sptr = (unsigned short *) input->ArgusReadPtr;
-
- input->ArgusReadCiscoVersion = ntohs(*sptr++);
- input->ArgusReadSocketNum = ntohs(*sptr);
-
-#define CISCO_VERSION_1 1
-#define CISCO_VERSION_5 5
-
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1:
- input->ArgusReadSocketSize = sizeof(CiscoFlowHeaderV1_t) - 4;
- input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt];
- break;
-
- case CISCO_VERSION_5:
- input->ArgusReadSocketSize = sizeof(CiscoFlowHeaderV5_t) - 4;
- input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt];
- break;
-
- default: {
- fprintf (stderr, "input not Cisco wire format\n");
- return(1);
- }
- }
-
- input->ArgusReadSocketState = ARGUS_READINGHDR;
- input->ArgusReadSocketCnt = 0;
- break;
- }
-
- case ARGUS_READINGHDR: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read record header\n", input);
-#endif
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1: {
- CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) input->ArgusReadBuffer;
- CiscoFlowHeaderV1_t *nfptr = ArgusNetFlow;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV1;
- input->ArgusReadSocketSize = sizeof(CiscoFlowEntryV1_t);
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV1_t)];
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlowRecordHeader = (unsigned char *)ArgusNetFlow;
- break;
- }
-
- case CISCO_VERSION_5: {
- CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) input->ArgusReadBuffer;
- CiscoFlowHeaderV5_t *nfptr = ArgusNetFlow;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV5;
- input->ArgusReadSocketSize = sizeof(CiscoFlowEntryV5_t);
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV5_t)];
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = (unsigned char *)ArgusNetFlow;
- break;
- }
-
- default: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read header\n", input);
-#endif
- }
- }
-
- input->ArgusReadSocketState = ARGUS_READINGBLOCK;
- input->ArgusReadBlockPtr = input->ArgusReadPtr;
- input->ArgusReadSocketCnt = 0;
- break;
- }
-
- default:
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read record complete\n", input);
-#endif
- if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (&input->ArgusReadPtr), &ArgusFilterCode))
- return(1);
-
- if (!(--input->ArgusReadSocketNum)) {
- input->ArgusReadPtr = input->ArgusReadBuffer;
- bzero (input->ArgusReadBuffer, k_maxFlowPacketSize);
- input->ArgusReadSocketState = ARGUS_READINGPREHDR;
- input->ArgusReadSocketSize = 4;
-
- } else {
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1:
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV1_t)];
- break;
-
- case CISCO_VERSION_5:
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV5_t)];
- break;
-
- default: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read header\n", input);
-#endif
- }
- }
- }
-
- input->ArgusReadSocketCnt = 0;
- break;
- }
- }
-
- } else {
-#ifdef ARGUSDEBUG
- if (cnt < 0)
- ArgusDebug (3, "ArgusReadCiscoStreamSocket (0x%x) read returned %d error %s\n", input, cnt, strerror(errno));
- else
- ArgusDebug (3, "ArgusReadCiscoStreamSocket (0x%x) read returned %d\n", input, cnt);
-#endif
-
- retn = 1;
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadCiscoStreamSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-int ArgusCiscoDatagramSocketStart = 1;
-int
-ArgusReadCiscoDatagramSocket (struct ARGUS_INPUT *input)
-{
- int retn = 0, cnt = 0, count = 0, i = 0;
- unsigned short *sptr = NULL;
- unsigned char *ptr = NULL;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoDatagramSocket (0x%x) starting\n", input);
-#endif
-
- if ((cnt = read (input->fd, input->ArgusReadPtr, input->ArgusReadSocketSize)) > 0) {
- input->ArgusReadSocketCnt = cnt;
- sptr = (unsigned short *) input->ArgusReadPtr;
- ptr = (unsigned char *) input->ArgusReadPtr;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoDatagramSocket (0x%x) read %d bytes, capacity %d\n",
- input, cnt, input->ArgusReadSocketCnt, input->ArgusReadSocketSize);
-#endif
-
-#define CISCO_VERSION_1 1
-#define CISCO_VERSION_5 5
-#define CISCO_VERSION_6 6
-#define CISCO_VERSION_8 8
-
- switch (input->ArgusReadCiscoVersion = ntohs(*sptr)) {
- case CISCO_VERSION_1: {
- CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr;
- CiscoFlowHeaderV1_t *nfptr = (CiscoFlowHeaderV1_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV1;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_5: {
- CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr;
- CiscoFlowHeaderV5_t *nfptr = (CiscoFlowHeaderV5_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV5;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_6: {
- CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr;
- CiscoFlowHeaderV6_t *nfptr = (CiscoFlowHeaderV6_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV6;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_8: {
- CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr;
- CiscoFlowHeaderV8_t *nfptr = (CiscoFlowHeaderV8_t *) sptr;
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
-
- if ((input->ArgusCiscoNetFlowParse =
- ArgusLookUpNetFlow(input, ArgusNetFlow->agg_method)) != NULL) {
- }
- }
- break;
- }
-
- for (i = 0; i < count; i++) {
- if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (&ptr), &ArgusFilterCode))
- return(1);
- }
-
- } else {
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadCiscoDatagramSocket (0x%x) read returned %d error %s\n", input, cnt, strerror(errno));
-#endif
-
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- } else
- retn = 1;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadCiscoDatagramSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-void
-ArgusReadStream ()
-{
- int retn = 0, width = -1, i;
- struct timeval now, wait, timeoutValue;
- struct ARGUS_INPUT *input = NULL;
- fd_set readmask;
-
- if (ArgusRemoteFDs[0] == NULL) {
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusReadStream() ArgusRemoteFDs is empty\n");
-#endif
-
- return;
- }
-
- if (gettimeofday (&now, NULL) == 0) {
- ArgusAdjustGlobalTime(&now);
-
- FD_ZERO (&readmask);
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++)
- if (ArgusRemoteFDs[i] != NULL) {
- FD_SET (ArgusRemoteFDs[i]->fd, &readmask);
- width = (width < ArgusRemoteFDs[i]->fd) ? ArgusRemoteFDs[i]->fd : width;
- }
- width++;
-
- wait.tv_sec = 0;
- wait.tv_usec = 250000;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusReadStream() starting\n");
-#endif
-
- for (;;) {
- if ((retn = select (width, &readmask, NULL, NULL, &wait)) >= 0) {
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) {
- if ((input = ArgusRemoteFDs[i]) != NULL) {
- if (FD_ISSET (input->fd, &readmask)) {
- ArgusInput = input;
- switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) {
- case ARGUS_DATA_SOURCE:
-#ifdef ARGUS_SASL
- if (input->sasl_conn && (input->sasl_conn->oparams.decode != NULL)) {
- if (ArgusReadSaslStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
- } else
-#endif
- if (ArgusReadStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
- break;
-
- case ARGUS_CISCO_DATA_SOURCE:
- if (ArgusRemoteHostList)
- if (ArgusReadCiscoDatagramSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
-
- if (ArgusInputFileList)
- if (ArgusReadCiscoStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
-
- break;
- }
- }
- }
- }
-
- if (Sflag) {
- gettimeofday (&now, NULL);
- ArgusAdjustGlobalTime(&now);
- } else
- now = ArgusGlobalTime;
- - if (timeoutValue.tv_sec == 0) { - timeoutValue = ArgusGlobalTime; - - timeoutValue.tv_sec += RaClientTimeout.tv_sec; - timeoutValue.tv_usec += RaClientTimeout.tv_usec; - - if (timeoutValue.tv_usec >= 1000000) { - timeoutValue.tv_sec += 1; - timeoutValue.tv_usec -= 1000000; - } - } - - if ((now.tv_sec > timeoutValue.tv_sec) || - ((now.tv_sec == timeoutValue.tv_sec) && - (now.tv_usec > timeoutValue.tv_usec))) { - - ArgusClientTimeout (); - - if (Tflag) { - if ((Tflag - 1) == 0) { - ArgusShutDown(0); - } - Tflag--; - } - - timeoutValue = now; - timeoutValue.tv_sec += RaClientTimeout.tv_sec; - timeoutValue.tv_usec += RaClientTimeout.tv_usec; - } - - width = -1; - FD_ZERO (&readmask); - for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) - if (ArgusRemoteFDs[i] != NULL) { - FD_SET (ArgusRemoteFDs[i]->fd, &readmask); - width = (width < ArgusRemoteFDs[i]->fd) ? ArgusRemoteFDs[i]->fd : width; - } - - if (width < 0) - return; - else - width++; - - wait.tv_sec = 0; - wait.tv_usec = 250000; - - } else { - -#ifdef ARGUSDEBUG - ArgusDebug (3, "ArgusReadStream() select returned %s\n", strerror(errno)); -#endif - if (errno != EINTR) - break; - } - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (5, "ArgusReadStream() returning\n"); -#endif -} - -void -ArgusProcessRecord (struct ArgusRecord *ptr) -{ - if (ptr->ahdr.type & ARGUS_MAR) - process_man (ptr); - - else { - - switch (ptr->ahdr.status & 0xFFFF) { - case ETHERTYPE_IP: - switch (ptr->argus_far.flow.ip_flow.ip_p) { - case IPPROTO_TCP: - process_tcp (ptr); - break; - - case IPPROTO_UDP: - process_udp (ptr); - break; - - case IPPROTO_ICMP: - process_icmp (ptr); - break; - - default: - process_ip (ptr); - break; - } - break; - - case ETHERTYPE_ARP: - case ETHERTYPE_REVARP: - process_arp (ptr); - break; - - default: - process_non_ip (ptr); - break; - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (6, "ArgusProcessRecord (0x%x) returning\n", ptr); -#endif -} - - - -#include - -extern void ArgusLog (int, char *, ...); - -#define 
ARGUS_DEFAULTCISCOPORT 9995 - -char *ArgusRecordType = NULL; - -extern int ArgusInitializeAuthentication(void); - -#include -#include - -int -ArgusGetServerSocket (struct ARGUS_INPUT *input) -{ - int retn = -1; - struct sockaddr_in server; - struct servent *sp; - struct hostent *hp; - int s, type = 0; - unsigned short portnum = 0; - - switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) { - case ARGUS_DATA_SOURCE: { - ArgusRecordType = "Argus"; - type = SOCK_STREAM; - if (!input->portnum) { - if (!ArgusPortNum) { - if ((sp = getservbyname ("monitor", "tcp")) != NULL) - portnum = sp->s_port; - else - portnum = htons(ARGUS_DEFAULTPORT); - } else - portnum = htons(ArgusPortNum); - - input->portnum = ntohs(portnum); - - } else - portnum = htons(input->portnum); - break; - } - - case ARGUS_CISCO_DATA_SOURCE: { - struct ArgusRecord argus; - - ArgusRecordType = "Netflow"; - type = SOCK_DGRAM; - if (!input->portnum) { - if (!ArgusPortNum) - portnum = htons(ARGUS_DEFAULTCISCOPORT); - else - portnum = htons(ArgusPortNum); - - input->portnum = ntohs(portnum); - - } else - portnum = htons(input->portnum); - - bzero ((char *)&argus, sizeof(argus)); - argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW; - argus.ahdr.length = sizeof (argus); - argus.ahdr.cause = ARGUS_START; - argus.ahdr.argusid = ARGUS_COOKIE; - argus.argus_mar.startime.tv_sec = ArgusGlobalTime.tv_sec; - argus.argus_mar.now.tv_sec = ArgusGlobalTime.tv_sec; - argus.argus_mar.major_version = major_version; - argus.argus_mar.minor_version = minor_version; - argus.argus_mar.record_len = -1; - - input->major_version = argus.argus_mar.major_version; - input->minor_version = argus.argus_mar.minor_version; - - bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus)); - bcopy ((char *) &argus, (char *) ArgusOriginal, sizeof(argus)); - ArgusInput = input; - break; - } - - default: - ArgusLog (LOG_ERR, "ArgusGetServerSocket(0x%x) unknown type\n", input); - } - - bzero ((char *) &server, sizeof 
(server)); - - if ((s = socket (AF_INET, type, 0)) >= 0) { - if (type == SOCK_DGRAM) { - server.sin_addr.s_addr = INADDR_ANY; - server.sin_family = AF_INET; - server.sin_port = portnum; - fprintf (stderr, "%s: Binding port %d Expecting %s records\n", ArgusProgramName, - ntohs(portnum), ArgusRecordType); - if ((bind (s, (struct sockaddr *)&server, sizeof(server))) < 0) - ArgusLog (LOG_ERR, "bind (%d, %s:%hu, %d) failed %s\n", s, inet_ntoa(server.sin_addr), - server.sin_port, sizeof(server), strerror(errno)); - } else { - int optval = 1; - if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&optval, sizeof(int)) < 0) { -#ifdef ARGUSDEBUG - ArgusDebug (2, "setsockopt(%d, SOL_SOCKET, SO_KEEPALIVE, 0x%x, %d) failed:", s, optval, sizeof(int)); -#endif - } - - if ((hp = gethostbyaddr ((char *)&input->addr, sizeof (input->addr), AF_INET)) != NULL) { - bcopy ((char *) hp->h_addr, (char *)&server.sin_addr, hp->h_length); - server.sin_family = hp->h_addrtype; - server.sin_port = portnum; - fprintf (stderr, "%s: Trying %s port %d Expecting %s records\n", ArgusProgramName, (hp->h_name) ? - (hp->h_name) : intoa (input->addr), ntohs(portnum), ArgusRecordType); - } else { - server.sin_addr.s_addr = input->addr; - server.sin_family = AF_INET; - server.sin_port = portnum; - fprintf (stderr, "%s: Trying %s port %d Expecting %s records\n", ArgusProgramName, - intoa (input->addr), ntohs(portnum), ArgusRecordType); - } - - if ((connect (s, (struct sockaddr *)&server, sizeof(server))) < 0) - ArgusLog (LOG_ERR, "connect (%d, %s:%hu, %d) failed %s\n", s, inet_ntoa(server.sin_addr), - server.sin_port, sizeof(server), strerror(errno)); - } - - retn = s; - input->fd = s; - - if (type == SOCK_DGRAM) - fprintf (stderr, "%s: receiving\n", ArgusProgramName); - else - fprintf (stderr, "%s: connected\n", ArgusProgramName); - - } else { - fprintf (stderr, "%s: socket() failed. 
%s\n", ArgusProgramName, strerror(errno)); - } - -#ifdef ARGUSDEBUG - ArgusDebug (1, "ArgusGetServerSocket (0x%x) returning %d\n", input, retn); -#endif - - return (retn); -} - - -int -ArgusAddFileList (char *ptr) -{ - register int retn = 0; - register struct ARGUS_INPUT *file, *list; - - if (ptr) { - if ((file = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof(struct ARGUS_INPUT))) != NULL) { - if ((list = ArgusInputFileList) != NULL) { - while (list->nxt) list = list->nxt; - list->nxt = file; - } else - ArgusInputFileList = file; - - file->filename = strdup(ptr); - file->status |= (Cflag ? ARGUS_CISCO_DATA_SOURCE : ARGUS_DATA_SOURCE); - retn = 1; - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusAddFileList (%s) returning %d\n", ptr, retn); -#endif - - return (retn); -} - -void -ArgusDeleteFileList () -{ - struct ARGUS_INPUT *addr = ArgusInputFileList; - - while (addr) { - if (addr->filename) - free(addr->filename); - - addr = addr->nxt; - ArgusFree(ArgusInputFileList); - ArgusInputFileList = addr; - } - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusDeleteFileList () returning\n"); -#endif -} - - -#include -#include -#include - - -int -ArgusAddHostList (char *str) -{ - int retn = 0; - struct ARGUS_INPUT *addr = NULL; - unsigned int ipaddr, **name; - long int portnum = 0; - char *ptr = NULL, *endptr = NULL; - - if ((ptr = strchr (str, (int)':')) != NULL) { - *ptr++ = '\0'; - - portnum = strtol(ptr, &endptr, 10); - - if (endptr == ptr) - usage(); - } - - if ((ipaddr = (unsigned int) inet_addr (str)) == (unsigned int) -1) { - if ((name = (unsigned int **) argus_nametoaddr (str)) != NULL) { - if (*name) { - if ((addr = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof (struct ARGUS_INPUT))) != NULL) { - addr->nxt = ArgusRemoteHostList; - ArgusRemoteHostList = addr; - addr->addr = ntohl(**name); - addr->hostname = strdup(str); - addr->portnum = portnum; - retn = 1; - } - } - } - } else - if ((addr = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof (struct ARGUS_INPUT))) != NULL) 
{ - addr->nxt = ArgusRemoteHostList; - ArgusRemoteHostList = addr; - addr->addr = ipaddr; - addr->portnum = portnum; - retn = 1; - } - - if (addr) - addr->status |= (Cflag ? ARGUS_CISCO_DATA_SOURCE : ARGUS_DATA_SOURCE); - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusAddHostList (%s) returning %d\n", str, retn); -#endif - - return (retn); -} - -void -ArgusDeleteHostList () -{ - struct ARGUS_INPUT *addr = ArgusRemoteHostList; - - while (addr) { - if (addr->hostname) - free(addr->hostname); - - addr = addr->nxt; - ArgusFree(ArgusRemoteHostList); - ArgusRemoteHostList = addr; - } - -#ifdef ARGUSDEBUG - ArgusDebug (2, "ArgusDeleteHostList () returning\n"); -#endif -} - -#include -#include -#include - -int -ArgusWriteNewLogfile (char *file, struct ArgusRecord *argus) -{ - int retn = 0, fd; - struct stat buf; - - if (file) { - if (strcmp (file, "-")) { - if ((fd = open (file, O_WRONLY|O_CREAT|O_APPEND, 0644)) >= 0) { - if (fstat (fd, &buf) >= 0) { - if (buf.st_size == 0) - if ((write (fd, (char *)&ArgusInput->ArgusInitCon, ntohs(ArgusInput->ArgusInitCon.ahdr.length))) < 0) - ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) write error %s", file, argus, strerror(errno)); - } else { - ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) fstat error %s", - file, argus, strerror(errno)); - } - - if (argus != NULL) { - if ((write (fd, argus, ntohs(argus->ahdr.length))) < 0) - ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) write error %s", - file, argus, strerror(errno)); - } - close (fd); - - } else { - ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) open error %s", - file, argus, strerror(errno)); - } - - if (firstWrite) - firstWrite = 0; - - } else { - if (firstWrite) { - if (!(fwrite ((char *)&ArgusInput->ArgusInitCon, ntohs(ArgusInput->ArgusInitCon.ahdr.length), 1, stdout))) - ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) fwrite error %s", file, argus, strerror(errno)); - - fflush (stdout); - firstWrite = 0; - } - if (argus) { - if (!(fwrite (argus, 
ntohs(argus->ahdr.length), 1, stdout))) - retn++; - fflush (stdout); - } - } - } - -#ifdef ARGUSDEBUG - ArgusDebug (4, "ArgusWriteNewLogFile (%s, 0x%x) returning %d\n", file, argus, retn); -#endif - - return (retn); -} - - -int -check_time (struct ArgusRecord *ptr) -{ - struct tm tmbuf, *tm; - int retn = 0; - struct timeval *start, *last, lastbuf; - - if (ptr->ahdr.type & ARGUS_MAR) { - start = &ptr->argus_mar.startime; - last = &ptr->argus_mar.now; - if (!(start->tv_sec)) - start = &ptr->argus_mar.now; - - } else { - start = &ptr->argus_far.time.start; - last = &ptr->argus_far.time.last; - - if (ArgusThisFarStatus & ARGUS_AGR_DSR_STATUS) { - lastbuf = ((struct ArgusAGRStruct *)ArgusThisFarHdrs[ARGUS_AGR_DSR_INDEX])->lasttime; - } - } - - ArgusGlobalTime = *last; - gettimeofday (&ArgusNowTime, 0L); - - if ((tm = localtime ((time_t *)&start->tv_sec)) != NULL) - bcopy ((char *) tm, (char *)&tm_startime, sizeof (struct tm)); - else - bzero ((char *)&tm_startime, sizeof (struct tm)); - - if ((tm = localtime ((time_t *)&last->tv_sec)) != NULL) - bcopy ((char *) tm, (char *)&tm_lasttime, sizeof (struct tm)); - else - bzero ((char *)&tm_startime, sizeof (struct tm)); - - if (tflag) { - time_t *sec; - - if (!explicit_date) { - sec = (time_t *)&start->tv_sec; - - tm = localtime(sec); - if (tm->tm_yday != starTimeFilter.tm_yday) { - bcopy ((char *) tm, (char *) &tmbuf, sizeof (struct tm)); - if (check_time_format (&tmbuf, timearg)) - ArgusLog (LOG_ERR, "time syntax error %s\n", timearg); - } - } - - if (ptr->ahdr.type & ARGUS_MAR) { - if (ptr->ahdr.status & ARGUS_START) { - if ((ptr->argus_mar.now.tv_sec >= startime_t) && - (ptr->argus_mar.now.tv_sec <= lasttime_t)) - retn++; - } else { - if ((ptr->argus_mar.now.tv_sec >= startime_t) && - (ptr->argus_mar.now.tv_sec <= lasttime_t)) - retn++; - } - } else { - if (((start->tv_sec >= startime_t) && (start->tv_sec <= lasttime_t)) || - ((last->tv_sec >= startime_t) && (last->tv_sec <= lasttime_t)) || - ((start->tv_sec < 
startime_t) && (last->tv_sec > lasttime_t))) - retn++; - } - } else - retn++; - - return (retn); -} - - -#include - -int -parseUserDataArg (char **arg, char *args[], int ind) -{ - int retn = -1; - char buf[64], *ptr = buf; - - bzero (buf, 64); - strcpy (buf, *arg); - ptr += strlen (buf); - - if ((ptr = strchr(*arg, ':')) && (*(ptr + 1) != '\0')) { - retn = 0; - } else { - if (args) { - if (args[ind] && (*args[ind] == ':')) { - if (strlen (args[ind]) == 1) { - strcat (buf, ":"); - strcat (buf, args[ind + 1]); - retn = 2; - } else { - ptr = args[ind]; - if (isdigit((int)*(ptr + 1))) { - strcat (buf, args[ind]); - retn = 1; - } else - retn = 0; - } - } else - retn = 0; - } else - retn = 0; - } - - *arg = savestr(buf); - - if ((ptr = strchr (buf, ':')) != NULL) { - ptr++; - if (*buf == 's') - ArgusSrcUserDataLen = atoi(buf + 1); - else - ArgusLog (LOG_ERR, "user data syntax error %s\n", buf); - - if (*ptr == 'd') - ArgusDstUserDataLen = atoi(ptr + 1); - else - ArgusLog (LOG_ERR, "user data syntax error %s\n", buf); - - } else { - if (isdigit((int)*buf)) { - ArgusSrcUserDataLen = atoi(buf); - ArgusDstUserDataLen = atoi(buf); - } else { - if (*buf == 's') - ArgusSrcUserDataLen = atoi(buf + 1); - - if (*buf == 'd') - ArgusDstUserDataLen = atoi(buf + 1); - } - } - - if (retn < 0) - ArgusLog (LOG_ERR, "user data syntax error %s\n", buf); - - return (retn); -} - -int -parseTimeArg ( char **arg, char *args[], int ind, struct tm *tm) -{ - int retn = -1; - char buf[64], *ptr = buf; - - bzero (buf, 64); - strcpy (buf, *arg); - ptr += strlen (buf); - if ((ptr = strchr(*arg, '-')) && (*(ptr + 1) != '\0')) { - retn = 0; - } else { - if (args) { - if (args[ind] && (*args[ind] == '-')) { - if (strlen (args[ind]) == 1) { - strcat (buf, "-"); - strcat (buf, args[ind + 1]); - retn = 2; - } else { - ptr = args[ind]; - if (isdigit((int)*(ptr + 1))) { - strcat (buf, args[ind]); - retn = 1; - } else - retn = 0; - } - } else - retn = 0; - } - } - - if ((ptr = strchr(*arg, '.')) || (ptr = 
strchr(*arg, '/'))) - explicit_date++; - - if (check_time_format (tm, buf)) - ArgusLog (LOG_ERR, "time syntax error %s\n", buf); - - *arg = savestr(buf); - return (retn); -} - - -#define ARGUS_YEAR 1 -#define ARGUS_MONTH 2 -#define ARGUS_DAY 3 -#define ARGUS_HOUR 4 -#define ARGUS_MIN 5 -#define ARGUS_SEC 6 - -int RaDaysInAMonth[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31}; - -int -check_time_format (struct tm *tm, char *str) -{ - int retn = 0; - char *ptr, buf[64]; - - /*[[[yyyy/]mm/]dd.]hh[:mm[:ss]] - [[[yyyy/]mm/]dd.]hh[:mm[:ss]]*/ - - strcpy (buf, str); - - if ((ptr = strchr(buf, '-')) != NULL) { - *ptr = '\0'; - if ((retn = parseTime (&starTimeFilter, tm, buf)) > 0) - if ((retn = parseTime (&lastTimeFilter, &starTimeFilter, ptr + 1)) > 0) - retn = 0; - - } else { - if ((retn = parseTime (&starTimeFilter, tm, buf)) > 0) { - bcopy ((char *)&starTimeFilter, (char *)&lastTimeFilter, sizeof(struct tm)); - switch (retn) { - case ARGUS_YEAR: lastTimeFilter.tm_year++; break; - case ARGUS_MONTH: lastTimeFilter.tm_mon++; break; - case ARGUS_DAY: lastTimeFilter.tm_mday++; break; - case ARGUS_HOUR: lastTimeFilter.tm_hour++; break; - case ARGUS_MIN: lastTimeFilter.tm_min++; break; - case ARGUS_SEC: lastTimeFilter.tm_sec++; break; - } - - while (tm->tm_sec > 59) {tm->tm_min++; tm->tm_sec -= 60;} - while (tm->tm_min > 59) {tm->tm_hour++; tm->tm_min -= 60;} - while (tm->tm_hour > 23) {tm->tm_mday++; tm->tm_hour -= 24;} - while (tm->tm_mday > RaDaysInAMonth[tm->tm_mon]) {tm->tm_mday -= RaDaysInAMonth[tm->tm_mon]; tm->tm_mon++;} - while (tm->tm_mon > 11) {tm->tm_year++; tm->tm_mon -= 12;} - - retn = 0; - } - } - - if (retn == 0) { - startime_t = timelocal (&starTimeFilter); - lasttime_t = timelocal (&lastTimeFilter); - - if (!(lasttime_t >= startime_t)) { - fprintf (stderr, "error: invalid time range\n"); - retn++; - } - } - - return (retn); -} - -int -parseTime (struct tm *tm, struct tm *ctm, char *str) -{ - char *hptr = NULL, *dptr = NULL, *mptr = NULL, *yptr = NULL; 
- char *minptr = NULL, *secptr = NULL, *ptr;
- int retn = 0, hour = 0, mins = 0, sec = 0, i;
- time_t thistime;
-
- /*[[[yyyy/]mm/]dd].]hh[:mm[:ss]]*/
-
- bcopy ((u_char *) ctm, (u_char *) tm, sizeof (struct tm));
-
- if ((hptr = strchr (str, '.')) != NULL) {
- *hptr++ = '\0';
- if (!(isdigit((int)*hptr)))
- return -1;
- }
-
- if ((dptr = strrchr (str, '/')) != NULL) { /* mm/dd */
- /* ^ */
- *dptr++ = '\0';
- if ((mptr = strrchr (str, '/')) != NULL) { /* yyyy/mm/dd */
- /* ^ */
- *mptr++ = '\0';
- yptr = str;
- } else
- mptr = str;
- } else {
- if (hptr != NULL)
- dptr = str;
- else
- hptr = str;
- }
-
- if (yptr) {
- if (strlen(yptr) != 4)
- return -1;
- for (ptr = yptr, i = 0; i < strlen(yptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_year = atoi(yptr) - 1900;
- retn = ARGUS_YEAR;
- }
- if (mptr) {
- if (strlen(mptr) != 2)
- return -1;
- for (ptr = mptr, i = 0; i < strlen(mptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_mon = atoi(mptr) - 1;
- retn = ARGUS_MONTH;
- }
-
- if (dptr) {
- if (strlen(dptr) != 2)
- return -1;
- for (ptr = dptr, i = 0; i < strlen(dptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_mday = atoi(dptr);
- retn = ARGUS_DAY;
- }
-
- if (hptr) {
- if ((minptr = strchr (hptr, ':')) != NULL) {
- *minptr++ = '\0';
- if ((secptr = strchr (minptr, ':')) != NULL) {
- *secptr++ = '\0';
- }
- }
-
- for (ptr = hptr, i = 0; i < strlen(hptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- hour = atoi(hptr);
- retn = ARGUS_HOUR;
-
- if (minptr != NULL) {
- for (ptr = minptr, i = 0; i < strlen(minptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- mins = atoi(minptr);
- retn = ARGUS_MIN;
- }
-
- if (secptr != NULL) {
- for (ptr = secptr, i = 0; i < strlen(secptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- sec = atoi(secptr);
- retn = ARGUS_SEC;
- }
- }
-
- tm->tm_hour = hour;
- tm->tm_min = mins;
- tm->tm_sec = sec;
-
-#if !defined(HAVE_SOLARIS) && !defined(__sgi) && !defined(linux) && !defined(AIX) && !defined(CYGWIN)
- tm->tm_zone = NULL;
- tm->tm_gmtoff = 0;
-#endif
-
- if (tm->tm_year < 0)
- retn = -1;
- if ((tm->tm_mon > 11) || (tm->tm_mon < 0))
- retn = -1;
- if ((tm->tm_mday > 31) || (tm->tm_mday < 0))
- retn = -1;
- if ((tm->tm_hour > 23) || (tm->tm_hour < 0))
- retn = -1;
- if ((tm->tm_min > 60) || (tm->tm_min < 0))
- retn = -1;
- if ((tm->tm_sec > 60) || (tm->tm_sec < 0))
- retn = -1;
-
- if (retn >= 0) {
- thistime = timelocal (tm);
- tm = localtime ((time_t *)&thistime);
- }
-
- return (retn);
-}
-
-
-#define ARGUS_RCITEMS 41
-
-#define RA_ARGUS_SERVER 0
-#define RA_CISCONETFLOW_SOURCE 1
-#define RA_ARGUS_SERVERPORT 2
-#define RA_INPUT_FILE 3
-#define RA_NO_OUTPUT 4
-#define RA_USER_AUTH 5
-#define RA_AUTH_PASS 6
-#define RA_OUTPUT_FILE 7
-#define RA_EXCEPTION_OUTPUT_FILE 8
-#define RA_TIMERANGE 9
-#define RA_RUNTIME 10
-#define RA_FLOW_MODEL 11
-#define RA_FIELD_DELIMITER 12
-#define RA_TIME_FORMAT 13
-#define RA_USEC_PRECISION 14
-#define RA_PRINT_LABELS 15
-#define RA_PRINT_SUMMARY 16
-#define RA_PRINT_ARGUSID 17
-#define RA_PRINT_MACADDRS 18
-#define RA_PRINT_HOSTNAMES 19
-#define RA_PRINT_LOCALONLY 20
-#define RA_PRINT_COUNTS 21
-#define RA_PRINT_APPLICATION_BYTES 22
-#define RA_PRINT_RESPONSE_DATA 23
-#define RA_PRINT_UNIX_TIME 24
-#define RA_PRINT_STARTIME 25
-#define RA_PRINT_LASTIME 26
-#define RA_PRINT_INDICATORS 27
-#define RA_PRINT_DURATION 28
-#define RA_PRINT_TCPSTATES 29
-#define RA_PRINT_TCPFLAGS 30
-#define RAGATOR_TIME_SERIES 31
-#define RAGATOR_VALIDATE 32
-#define RAMON_MODE 33
-#define RAMON_NUMBER 34
-#define RA_DEBUG_LEVEL 35
-#define RA_PRINT_USERDATA 36
-#define RA_USERDATA_ENCODE 37
-#define RA_FILTER 38
-#define RA_HOST_FIELD_LENGTH 39
-#define RA_PORT_FIELD_LENGTH 40
-
-
-char *ArgusResourceFileStr [] = {
- "RA_ARGUS_SERVER=",
- "RA_CISCONETFLOW_SOURCE=",
- "RA_ARGUS_SERVERPORT=",
- "RA_INPUT_FILE=",
- "RA_NO_OUTPUT=",
- "RA_USER_AUTH=",
- "RA_AUTH_PASS=",
- "RA_OUTPUT_FILE=",
- "RA_EXCEPTION_OUTPUT_FILE=",
- "RA_TIMERANGE=", - "RA_RUN_TIME=", - "RA_FLOW_MODEL=", - "RA_FIELD_DELIMITER=", - "RA_TIME_FORMAT=", - "RA_USEC_PRECISION=", - "RA_PRINT_LABELS=", - "RA_PRINT_SUMMARY=", - "RA_PRINT_ARGUSID=", - "RA_PRINT_MACADDRS=", - "RA_PRINT_HOSTNAMES=", - "RA_PRINT_LOCALONLY=", - "RA_PRINT_COUNTS=", - "RA_PRINT_APPLICATION_BYTES=", - "RA_PRINT_RESPONSE_DATA=", - "RA_PRINT_UNIX_TIME=", - "RA_PRINT_STARTIME=", - "RA_PRINT_LASTIME=", - "RA_PRINT_INDICATORS=", - "RA_PRINT_DURATION=", - "RA_PRINT_TCPSTATES=", - "RA_PRINT_TCPFLAGS=", - "RAGATOR_TIME_SERIES=", - "RAGATOR_VALIDATE=", - "RAMON_MODE=", - "RAMON_NUMBER=", - "RA_DEBUG_LEVEL=", - "RA_PRINT_USERDATA=", - "RA_USERDATA_ENCODE=", - "RA_FILTER=", - "RA_HOST_FIELD_LENGTH=", - "RA_PORT_FIELD_LENGTH=", -}; - -#include - -int -ArgusParseResourceFile (char *file) -{ - int retn = 0, i, len, Soption = 0, roption = 0, found = 0, lines = 0; - char strbuf[MAXSTRLEN], *str = strbuf, *optarg = NULL, *ptr = NULL; - FILE *fd; - - if (file) { - if ((fd = fopen (file, "r")) != NULL) { - retn = 1; - while ((fgets(str, MAXSTRLEN, fd)) != NULL) { - lines++; - while (*str && isspace((int)*str)) - str++; - - if (*str && (*str != '#') && (*str != '\n') && (*str != '!')) { - found = 0; - for (i = 0; i < ARGUS_RCITEMS; i++) { - len = strlen(ArgusResourceFileStr[i]); - if (!(strncmp (str, ArgusResourceFileStr[i], len))) { - - optarg = &str[len]; - - if (optarg[strlen(optarg) - 1] == '\n') - optarg[strlen(optarg) - 1] = '\0'; - - if (*optarg == '\"') - optarg++; - - if (optarg[strlen(optarg) - 1] == '\"') - optarg[strlen(optarg) - 1] = '\0'; - - if (*optarg == '\0') - optarg = NULL; - - if (optarg) { - switch (i) { - case RA_ARGUS_SERVER: - ++Sflag; - if (!Soption++ && (ArgusRemoteHostList != NULL)) - ArgusDeleteHostList(); - - if (!(ArgusAddHostList (optarg))) { - fprintf (stderr, "%s: host %s unknown\n", ArgusProgramName, optarg); - exit (1); - } - break; - - case RA_CISCONETFLOW_SOURCE: - ++Sflag; ++Cflag; - if (!Soption++ && (ArgusRemoteHostList 
!= NULL)) - ArgusDeleteHostList(); - - if (!(ArgusAddHostList (optarg))) { - fprintf (stderr, "%s: host %s unknown\n", ArgusProgramName, optarg); - exit (1); - } - break; - - case RA_ARGUS_SERVERPORT: - ArgusPortNum = atoi (optarg); break; - break; - - case RA_INPUT_FILE: - if ((!roption++) && (ArgusInputFileList != NULL)) - ArgusDeleteFileList(); - - if (!(ArgusAddFileList (optarg))) { - fprintf (stderr, "%s: error: file arg %s\n", ArgusProgramName, optarg); - exit (1); - } - break; - - case RA_NO_OUTPUT: - if (!(strncasecmp(optarg, "yes", 3))) - qflag++; - else - qflag = 0; - break; - - case RA_USER_AUTH: - ustr = strdup(optarg); - break; - - case RA_AUTH_PASS: - pstr = strdup(optarg); - break; - - case RA_OUTPUT_FILE: - wfile = strdup(optarg); - break; - - case RA_EXCEPTION_OUTPUT_FILE: - exceptfile = optarg; - break; - - case RA_TIMERANGE: - if ((parseTimeArg (&timearg, NULL, 0, RaTmStruct)) < 0) - usage (); - break; - - case RA_RUNTIME: - Tflag = atoi (optarg); - break; - - case RA_FIELD_DELIMITER: - ptr = optarg; - if ((ptr = strchr (optarg, '\'')) != NULL) { - ptr++; - if (ptr[0] == '\'') - break; - } - - if (ptr[0] == '\\') { - switch (ptr[1]) { - case 'a': RaFieldDelimiter = '\a'; break; - case 'b': RaFieldDelimiter = '\b'; break; - case 't': RaFieldDelimiter = '\t'; break; - case 'n': RaFieldDelimiter = '\n'; break; - case 'v': RaFieldDelimiter = '\v'; break; - case 'f': RaFieldDelimiter = '\f'; break; - case 'r': RaFieldDelimiter = '\r'; break; - case '\\': RaFieldDelimiter = '\\'; break; - } - if (RaFieldDelimiter != '\0') - break; - } else - RaFieldDelimiter = *ptr; - - break; - - case RA_TIME_FORMAT: - RaTimeFormat = strdup(optarg); - - case RA_USEC_PRECISION: - pflag = atoi (optarg); - break; - - case RA_PRINT_SUMMARY: - if (!(strncasecmp(optarg, "yes", 3))) - aflag = 1; - else - aflag = 0; - break; - - case RA_PRINT_ARGUSID: - if (!(strncasecmp(optarg, "yes", 3))) - idflag = 1; - else - idflag = 0; - break; - - case RA_PRINT_MACADDRS: - if 
(!(strncasecmp(optarg, "yes", 3))) - mflag = 1; - else - mflag = 0; - break; - - case RA_PRINT_HOSTNAMES: - if (!(strncasecmp(optarg, "yes", 3))) - nflag = 0; - else - nflag = 1; - break; - - case RA_PRINT_LOCALONLY: - if (!(strncasecmp(optarg, "yes", 3))) - ++fflag; - else - fflag = 0; - break; - - case RA_FLOW_MODEL: - ArgusFlowModelFile = strdup(optarg); - break; - - case RA_PRINT_LABELS: - switch (Lflag = atoi(optarg)) { - case 0: Lflag = -1; break; - case -1: Lflag = 0; break; - } - break; - - case RA_PRINT_COUNTS: - if (!(strncasecmp(optarg, "yes", 3))) - ++cflag; - else - cflag = 0; - break; - - case RA_PRINT_APPLICATION_BYTES: - if (!(strncasecmp(optarg, "yes", 3))) - ++Aflag; - else - Aflag = 0; - break; - - case RA_PRINT_RESPONSE_DATA: - if (!(strncasecmp(optarg, "yes", 3))) - Rflag++; - else - Rflag = 0; - break; - - case RA_PRINT_UNIX_TIME: - if (!(strncasecmp(optarg, "yes", 3))) - ++uflag; - else - uflag = 0; - break; - - case RA_PRINT_STARTIME: - if (!(strncasecmp(optarg, "yes", 3))) - ++RaPrintStartTime; - else - RaPrintStartTime = 0; - break; - - case RA_PRINT_LASTIME: - if (!(strncasecmp(optarg, "yes", 3))) - ++RaPrintLastTime; - else - RaPrintLastTime = 0; - break; - - case RA_PRINT_INDICATORS: - if (!(strncasecmp(optarg, "yes", 3))) - Iflag++; - else - Iflag = 0; - break; - - case RA_PRINT_DURATION: - if (!(strncasecmp(optarg, "yes", 3))) - gflag++; - break; - - case RA_PRINT_TCPSTATES: - if (!(strncasecmp(optarg, "yes", 3))) - zflag++; - else - zflag = 0; - break; - - case RA_PRINT_TCPFLAGS: - Zflag = *optarg; - break; - - case RAGATOR_TIME_SERIES: - if (!(strncasecmp(optarg, "yes", 3))) - Hflag++; - else - Hflag = 0; - break; - - case RAGATOR_VALIDATE: - if (!(strncasecmp(optarg, "yes", 3))) - Vflag++; - else - Vflag = 0; - break; - - case RAMON_MODE: - Mflag = optarg; - break; - - case RAMON_NUMBER: - Nflag = atoi (optarg); - break; - - case RA_DEBUG_LEVEL: - Argusdflag = (atoi(optarg)); - break; - - case RA_PRINT_USERDATA: - dflag++; - if 
((parseUserDataArg (&optarg, NULL, 0)) < 0)
- usage ();
- break;
-
- case RA_USERDATA_ENCODE:
- if (!(strncasecmp(optarg, "ascii", 5)))
- eflag = ARGUS_ENCODE_ASCII;
- else
- eflag = ARGUS_ENCODE_64;
- break;
-
- case RA_FILTER: {
- char *ptr;
-
- if ((RaInputFilter = ArgusCalloc (1, MAXSTRLEN)) != NULL) {
- ptr = RaInputFilter;
- str = optarg;
- while (*str) {
- if ((*str == '\\') && (str[1] == '\n')) {
- fgets(str, MAXSTRLEN, fd);
- while (*str && (isspace((int)*str) && (str[1] && isspace((int)str[1]))))
- str++;
- }
-
- if ((*str != '\n') && (*str != '"'))
- *ptr++ = *str++;
- else
- str++;
- }
- }
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusParseResourceFile: ArgusFilter \"%s\" \n", RaInputFilter);
-#endif
- break;
- }
-
- case RA_HOST_FIELD_LENGTH:
- hfield = atoi (optarg);
- break;
-
- case RA_PORT_FIELD_LENGTH:
- pfield = atoi (optarg);
- break;
- }
-
- }
- found++;
- break;
- }
- }
- if (!found) {
- ArgusLog (LOG_ERR, "ArgusParseResourceFile (%s) syntax error line %d\n", file, lines);
- }
- }
- }
-
- } else {
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "config file '%s' %s\n", file, strerror(errno));
-#endif
- }
-
- if (RaPrintStartTime && RaPrintLastTime)
- Gflag++;
- else
- if (RaPrintLastTime)
- lflag++;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusParseResourceFile (%s) returning %d\n", file, retn);
-#endif
-
- return (retn);
-}
diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_util.c argus-2.0.6.fixes.1/common/argus_util.c
--- argus-2.0.6.fixes.1.orig/common/argus_util.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_util.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,2512 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 1988-1990 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */ - - -#ifndef ArgusUtil -#define ArgusUtil -#endif - -#include -#include -#include - -#include -#include -#include -#include - -#include -#include - -#include - -#include -#include -#include -#include - - -int target_flags = 0; - -void -ArgusAdjustGlobalTime (struct timeval *now) -{ - struct timeval ArgusTimeDelta; - - ArgusTimeDelta.tv_sec = ArgusNowTime.tv_sec - ArgusGlobalTime.tv_sec; - ArgusTimeDelta.tv_usec = ArgusNowTime.tv_usec - ArgusGlobalTime.tv_usec; - - ArgusGlobalTime.tv_sec = now->tv_sec - ArgusTimeDelta.tv_sec; - ArgusGlobalTime.tv_usec = now->tv_usec - ArgusTimeDelta.tv_usec; - - if (ArgusGlobalTime.tv_usec < 0) { - ArgusGlobalTime.tv_sec--; - ArgusGlobalTime.tv_usec += 1000000; - } else { - if (ArgusGlobalTime.tv_usec > 1000000) { - ArgusGlobalTime.tv_sec++; - ArgusGlobalTime.tv_usec -= 1000000; - } - } - ArgusNowTime = *now; -} - -char *ArgusVersionStr = "Argus Version "; - -int -ArgusConvertInitialWriteStruct (struct WriteStruct *ws, struct ArgusRecord *argus) -{ - int retn = 0; - char *ptr; - - if (ws && argus) { - bzero ((char *) argus, sizeof (*argus)); - if ((ptr = strstr (ws->ws_init.initString, ArgusVersionStr)) != NULL) { - ptr = &ptr[strlen(ArgusVersionStr)]; - if (sscanf (ptr, "%d.%d", &major_version, &minor_version)) { - argus->ahdr.type = ARGUS_MAR | ARGUS_WRITESTRUCT; - argus->ahdr.length = sizeof (*argus); - argus->ahdr.length = htons(argus->ahdr.length); - argus->ahdr.cause = ARGUS_START; - argus->ahdr.status = htonl(ARGUS_VERSION); - argus->ahdr.argusid = htonl(ARGUS_COOKIE); - argus->argus_mar.startime = ws->ws_init.startime; - argus->argus_mar.now = ws->ws_init.now; - argus->argus_mar.major_version = major_version; - argus->argus_mar.minor_version = minor_version; - argus->argus_mar.interfaceType = ws->ws_init.interfaceType; - argus->argus_mar.interfaceStatus = ws->ws_init.interfaceStatus; - - argus->argus_mar.reportInterval = ws->ws_init.reportInterval; - argus->argus_mar.argusMrInterval = ws->ws_init.dflagInterval; - 
argus->argus_mar.record_len = -1; - retn = 1; - } - } - } - - return (retn); -} - -#include - -#if !defined(__OpenBSD__) || !defined(_NETINET_IP_ICMP_H_) -#include -#define _NETINET_IP_ICMP_H_ -#endif - -extern int ArgusTotalBytes; -extern int ArgusTotalCount; - -extern long long ntohll (long long); - -int -ArgusConvertWriteStruct (struct WriteStruct *ws, struct ArgusRecord *argus) -{ - int retn = 0; - unsigned int status; - - if (ws && argus) { - bzero ((char *) argus, sizeof (*argus)); - status = ntohl(ws->status); - - if (status & ARGUSCONTROL) { - argus->ahdr.type = ARGUS_MAR | ARGUS_WRITESTRUCT; - argus->ahdr.length = sizeof (*argus); - argus->ahdr.argusid = 0; - argus->ahdr.status = ARGUS_VERSION; - - argus->argus_mar.major_version = VERSION_MAJOR; - argus->argus_mar.minor_version = VERSION_MINOR; - argus->argus_mar.interfaceType = ws->ws_stat.interfaceType; - argus->argus_mar.interfaceStatus = ws->ws_stat.interfaceStatus; - argus->argus_mar.reportInterval = ntohs(ws->ws_stat.reportInterval); - argus->argus_mar.argusMrInterval = ntohs(ws->ws_stat.dflagInterval); - - if (status & CLOSE) { - argus->ahdr.cause = ARGUS_STOP; - argus->argus_mar.startime.tv_sec = ws->ws_stat.startime.tv_sec; - argus->argus_mar.startime.tv_usec = ws->ws_stat.startime.tv_usec; - argus->argus_mar.now.tv_sec = ws->ws_stat.now.tv_sec; - argus->argus_mar.now.tv_usec = ws->ws_stat.now.tv_usec; - argus->argus_mar.pktsRcvd = ArgusTotalCount; - argus->argus_mar.bytesRcvd = ArgusTotalBytes; - argus->argus_mar.pktsDrop = ntohl(ws->ws_stat.pktsDrop); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actTCPcons); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actUDPcons); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actIPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloTCPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloUDPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloIPcons); - argus->argus_mar.actICMPcons = ntohl(ws->ws_stat.actICMPcons); - 
argus->argus_mar.cloICMPcons = ntohl(ws->ws_stat.cloICMPcons); - argus->argus_mar.actFRAGcons = ntohl(ws->ws_stat.actFRAGcons); - argus->argus_mar.cloFRAGcons = ntohl(ws->ws_stat.cloFRAGcons); - - } else { - argus->ahdr.cause = ARGUS_STATUS; - argus->argus_mar.startime.tv_sec = ntohl(ws->ws_stat.startime.tv_sec); - argus->argus_mar.startime.tv_usec = ntohl(ws->ws_stat.startime.tv_usec); - argus->argus_mar.now.tv_sec = ntohl(ws->ws_stat.now.tv_sec); - argus->argus_mar.now.tv_usec = ntohl(ws->ws_stat.now.tv_usec); - - argus->argus_mar.pktsRcvd = ntohl(ws->ws_stat.pktsRcvd); - argus->argus_mar.bytesRcvd = ntohl(ws->ws_stat.bytesRcvd); - - argus->argus_mar.pktsDrop = ntohl(ws->ws_stat.pktsDrop); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actTCPcons); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actUDPcons); - argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actIPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloTCPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloUDPcons); - argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloIPcons); - argus->argus_mar.actICMPcons = ntohl(ws->ws_stat.actICMPcons); - argus->argus_mar.cloICMPcons = ntohl(ws->ws_stat.cloICMPcons); - argus->argus_mar.actFRAGcons = ntohl(ws->ws_stat.actFRAGcons); - argus->argus_mar.cloFRAGcons = ntohl(ws->ws_stat.cloFRAGcons); - } - - argus->argus_mar.record_len = -1; - retn = 1; - - } else { - struct ArgusMacStruct macbuffer, *mac = &macbuffer; - unsigned int lasttime = 0; - unsigned short difftime = 0, ttl = 0; - - argus->ahdr.type = ARGUS_FAR | ARGUS_WRITESTRUCT; - argus->ahdr.length = sizeof (argus->ahdr) + sizeof (argus->argus_far); - argus->ahdr.cause = ARGUS_STATUS; - argus->ahdr.status = ARGUS_VERSION; - argus->ahdr.status |= ETHERTYPE_IP; - argus->ahdr.argusid = 0; - argus->argus_far.type = ARGUS_FAR; - argus->argus_far.length = sizeof(argus->argus_far); - argus->argus_far.status = 0; - argus->argus_far.ArgusTransRefNum = 0; - - argus->argus_far.flow.ip_flow.ip_src = 
ntohl(ws->ws_ip.src.s_addr); - argus->argus_far.flow.ip_flow.ip_dst = ntohl(ws->ws_ip.dst.s_addr); - - if (!(status & (ICMPPROTO | TCPPROTO | UDPPROTO)) && (status & FRAG_ONLY)) { - struct ArgusFragObject fragbuf, *frag = &fragbuf; - - bzero ((char *) frag, sizeof (*frag)); - frag->type = ARGUS_FRG_DSR; - frag->length = sizeof(*frag); - frag->status = ntohs(ws->ws_ip_frag.status); - - argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport); - argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport); - - frag->fragnum = ntohl(ws->ws_ip_frag.fragnum); - frag->frag_id = ntohl(ws->ws_ip_frag.frag_id); - frag->totlen = ntohs(ws->ws_ip_frag.totlen); - frag->currlen = ntohs(ws->ws_ip_frag.currlen); - frag->maxfraglen = ntohs(ws->ws_ip_frag.maxfraglen); - - argus->argus_far.status |= ARGUS_FRAGMENTS; - argus->argus_far.attr_ip.soptions |= ARGUS_FRAGMENTS; - argus->argus_far.src.count = frag->fragnum; - argus->argus_far.src.bytes = frag->currlen; - - bcopy ((char *)frag, &((char *)argus)[argus->ahdr.length], sizeof(*frag)); - argus->ahdr.length += sizeof(*frag); - - } else { - switch (status & (ICMPPROTO | TCPPROTO | UDPPROTO)) { - case ICMPPROTO: { - struct icmpWriteStruct *icmp = &ws->ws_ip_icmp; - struct ArgusICMPFlow *icmpFlow = &argus->argus_far.flow.icmp_flow; - - argus->argus_far.flow.ip_flow.ip_p = IPPROTO_ICMP; - - argus->argus_far.src.count = ntohl(ws->ws_ip_udp.src_count); - argus->argus_far.src.bytes = ntohl(ws->ws_ip_udp.src_bytes); - argus->argus_far.dst.count = ntohl(ws->ws_ip_udp.dst_count); - argus->argus_far.dst.bytes = ntohl(ws->ws_ip_udp.dst_bytes); - - if (!(status & (CON_ESTABLISHED | TIMED_OUT))) { - icmpFlow->type = icmp->type; - icmpFlow->code = icmp->code; - icmpFlow->id = icmp->data; - icmpFlow->id = ntohs(icmpFlow->id); - - } else { - icmpFlow->type = ((unsigned char *) &ws->ws_ip_udp.src_bytes)[0]; - icmpFlow->code = ((unsigned char *) &ws->ws_ip_udp.src_bytes)[1]; - icmpFlow->id = ((unsigned short *)&ws->ws_ip_udp.src_bytes)[1]; - 
icmpFlow->id = ntohs(icmpFlow->id); - - argus->argus_far.src.bytes = 0; - argus->argus_far.dst.bytes = 0; - } - - if ((icmpFlow->type == ICMP_UNREACH) && (icmpFlow->code == ICMP_UNREACH_PORT)) - argus->argus_far.flow.ip_flow.tp_p = ((char *)&ws->ws_ip_icmp.gwaddr.s_addr)[3]; - - break; - } - - case TCPPROTO: { - struct ArgusTCPObject tcpbuffer, *tcp = &tcpbuffer; - - bzero ((char *) tcp, sizeof (*tcp)); - tcp->type = ARGUS_TCP_DSR; - tcp->length = sizeof(*tcp); - - if (status & SAW_SYN) - tcp->state |= ARGUS_SAW_SYN; - if (status & SAW_SYN_SENT) - tcp->state |= ARGUS_SAW_SYN_SENT; - if (status & CON_ESTABLISHED) - tcp->state |= ARGUS_CON_ESTABLISHED; - if (status & SRC_RESET) - tcp->state |= ARGUS_SRC_RESET; - if (status & DST_RESET) - tcp->state |= ARGUS_DST_RESET; - if (status & CLOSE_WAITING) - tcp->state |= ARGUS_FIN; - if (status & NORMAL_CLOSE) - tcp->state |= ARGUS_NORMAL_CLOSE; - - if (status & PKTS_RETRANS) { - if (status & SRC_PKTS_RETRANS) - tcp->state |= ARGUS_SRC_PKTS_RETRANS; - if (status & DST_PKTS_RETRANS) - tcp->state |= ARGUS_DST_PKTS_RETRANS; - } - - argus->argus_far.src.count = ntohl(ws->ws_ip_tcp.src_count); - argus->argus_far.dst.count = ntohl(ws->ws_ip_tcp.dst_count); - - if ((status & SAW_SYN) && - !(status & (SAW_SYN_SENT|CON_ESTABLISHED|RESET))) { - tcp->src.seqbase = ntohl(ws->ws_ip_inittcp.seq); - } else { - if ((status & (SAW_SYN | SAW_SYN_SENT)) && - !(status & (CON_ESTABLISHED))) { - tcp->dst.seqbase = ntohl(ws->ws_ip_inittcp.seq); - } else { - argus->argus_far.src.bytes = ntohl(ws->ws_ip_tcp.src_bytes); - argus->argus_far.dst.bytes = ntohl(ws->ws_ip_tcp.dst_bytes); - } - } - - bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp)); - argus->ahdr.length += sizeof(*tcp); - - argus->argus_far.flow.ip_flow.ip_p = IPPROTO_TCP; - argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport); - argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport); - break; - } - - case UDPPROTO: - argus->argus_far.flow.ip_flow.ip_p = 
IPPROTO_UDP; - argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport); - argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport); - - default: - argus->argus_far.src.count = ntohl(ws->ws_ip_udp.src_count); - argus->argus_far.src.bytes = ntohl(ws->ws_ip_udp.src_bytes); - argus->argus_far.dst.count = ntohl(ws->ws_ip_udp.dst_count); - argus->argus_far.dst.bytes = ntohl(ws->ws_ip_udp.dst_bytes); - break; - } - } - - if (status & TIMED_OUT) - argus->ahdr.cause |= ARGUS_TIMEOUT; - - if (status & FRAGMENTS) - argus->argus_far.status |= ARGUS_FRAGMENTS; - - if (status & IPOPTIONMASK) { - argus->argus_far.status |= ARGUS_IPOPTIONS; - if (status & SSRCROUTE) { - argus->argus_far.attr_ip.soptions |= ARGUS_SSRCROUTE; - argus->argus_far.attr_ip.doptions |= ARGUS_SSRCROUTE; - } - if (status & LSRCROUTE) { - argus->argus_far.attr_ip.soptions |= ARGUS_LSRCROUTE; - argus->argus_far.attr_ip.doptions |= ARGUS_LSRCROUTE; - } - if (status & TIMESTAMP) { - argus->argus_far.attr_ip.soptions |= ARGUS_TIMESTAMP; - argus->argus_far.attr_ip.doptions |= ARGUS_TIMESTAMP; - } - if (status & SECURITY) { - argus->argus_far.attr_ip.soptions |= ARGUS_SECURITY; - argus->argus_far.attr_ip.doptions |= ARGUS_SECURITY; - } - if (status & RECORDROUTE) { - argus->argus_far.attr_ip.soptions |= ARGUS_RECORDROUTE; - argus->argus_far.attr_ip.doptions |= ARGUS_RECORDROUTE; - } - if (status & SATNETID) { - argus->argus_far.attr_ip.soptions |= ARGUS_SATNETID; - argus->argus_far.attr_ip.doptions |= ARGUS_SATNETID; - } - } - - if (status & CON_ESTABLISHED) - argus->ahdr.status |= ARGUS_CONNECTED; - - argus->argus_far.time.start.tv_sec = ntohl(ws->ws_ip.startime.tv_sec); - argus->argus_far.time.start.tv_usec = ntohl(ws->ws_ip.startime.tv_usec); - - if ((major_version > 1) || (minor_version > 6)) { - difftime = ntohs(((u_short *)&ws->ws_ip.lasttime.tv_sec)[1]); - lasttime = ntohl(((arg_uint32)ws->ws_ip.startime.tv_sec)) + difftime; - ttl = ((u_short *)&ws->ws_ip.lasttime.tv_sec)[0]; - 
ws->ws_ip.lasttime.tv_sec = lasttime; - } - - argus->argus_far.time.last.tv_sec = ws->ws_ip.lasttime.tv_sec; - argus->argus_far.time.last.tv_usec = ntohl(ws->ws_ip.lasttime.tv_usec); - mac->type = ARGUS_MAC_DSR; - mac->length = sizeof(*mac); - bcopy((char *)&ws->ws_ip.ws_phys.ethersrc, (char *)&mac->phys_union.ether.ethersrc, 6); - bcopy((char *)&ws->ws_ip.ws_phys.etherdst, (char *)&mac->phys_union.ether.etherdst, 6); - - bcopy ((char *)mac, &((char *)argus)[argus->ahdr.length], sizeof(*mac)); - argus->ahdr.length += sizeof(*mac); - retn = 1; - } - -#ifdef _LITTLE_ENDIAN - ArgusHtoN(argus); -#endif - } - - return (retn); -} - - -extern char *ArgusProgramName; - - -void -print_date(struct ArgusRecord *argus, char *date) -{ - struct ArgusAGRStruct *ArgusThisAgr = NULL; - struct timeval *start = NULL, *last = NULL; - struct timeval buf, *time = &buf; - struct timeval zbuf, *ztime = &zbuf; - struct tm *tm = NULL; - char *sptr, *iptr, delim = ' '; - - bzero ((char *)ztime, sizeof(zbuf)); - - if (argus->ahdr.type & ARGUS_MAR) { - start = &argus->argus_mar.startime; - last = &argus->argus_mar.now; - - } else { - start = &argus->argus_far.time.start; - last = &argus->argus_far.time.last; - } - - if (lflag && !(Gflag)) - *time = *last; - else - *time = *start; - - tm = localtime ((time_t *)&time->tv_sec); - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - delim = RaFieldDelimiter; - - sprintf (date, " "); - sprintf (date, "%s%c", print_time(time), delim); - - if (gflag) { - ArgusThisAgr = (struct ArgusAGRStruct *)ArgusThisFarHdrs[ARGUS_AGR_DSR_INDEX]; - if (Hflag && (ArgusThisAgr && (ArgusThisAgr->type == ARGUS_AGR_DSR))) { - int ArgusThisMultiplier = 1000; - - if (ArgusThisAgr->status & ARGUS_AGR_USECACTTIME) - ArgusThisMultiplier = 1000000; - - time->tv_sec = ArgusThisAgr->act.mean / ArgusThisMultiplier; - time->tv_usec = ArgusThisAgr->act.mean % ArgusThisMultiplier; - - } else { - *time = *last; - time->tv_sec -= start->tv_sec; - time->tv_usec -= 
start->tv_usec; - - if (time->tv_usec < 0) { - time->tv_sec--; - time->tv_usec += 1000000; - } - - if (time->tv_usec >= 1000000) { - time->tv_sec++; - time->tv_usec -= 1000000; - } - } - - iptr = &date[strlen(date)]; - sptr = &date[strlen(date)]; - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - sprintf(sptr, "%u", (unsigned int) time->tv_sec); - else - sprintf(sptr, "%8u", (unsigned int) time->tv_sec); - - if (pflag) { - sptr = &date[strlen(date)]; - sprintf(sptr, ".%06d", (int) time->tv_usec); - sptr[pflag + 1] = '\0'; - } - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - sprintf(&date[strlen(date)], "%c", delim); - - } else - - if (Gflag) { - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - sprintf(&date[strlen(date)], "%s%c", print_time(last), RaFieldDelimiter); - else - sprintf(&date[strlen(date)], " %s", print_time(last)); - } -} - -void ArgusGetIndicatorString (struct ArgusRecord *, char *); - - -void -ArgusGetIndicatorString (struct ArgusRecord *argus, char *buf) -{ - char *ptr = buf; - - bzero (buf, 16); - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - if (argus->ahdr.type & ARGUS_MAR) { - - } else { - if (argus->ahdr.status & ARGUS_MPLS) - *ptr++ = 'm'; - - if (argus->ahdr.status & ARGUS_PPPoE) - *ptr++ = 'p'; - - if (argus->ahdr.status & ARGUS_VLAN) - *ptr++ = 'q'; - - if ((argus->ahdr.status & 0xFFFF) == ETHERTYPE_IP) { - if (argus->argus_far.status & ARGUS_ICMP_MAPPED) - *ptr++ = 'I'; - - if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGMENTS) || - (argus->argus_far.attr_ip.doptions & ARGUS_FRAGMENTS)) { - - if (argus->argus_far.flow.ip_flow.tp_p == ARGUS_FRAG_FLOWTAG) - *ptr++ = 'f'; - else - *ptr++ = 'F'; - - if (argus->argus_far.attr_ip.soptions & ARGUS_FRAGOVERLAP) - *ptr++ = 'V'; - } - - if (argus->ahdr.status & ARGUS_MULTIADDR) - *ptr++ = 'M'; - - if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS) { - struct ArgusTCPObject *tcp = NULL; - unsigned int status; - - tcp = (struct 
ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX]; - if ((tcp != NULL) && ((status = tcp->state) != 0)) { - if (status) { - if (status & ARGUS_PKTS_RETRANS) { - if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS)) - *ptr++ = '*'; - else { - if (status & ARGUS_SRC_PKTS_RETRANS) - *ptr++ = 's'; - if (status & ARGUS_DST_PKTS_RETRANS) - *ptr++ = 'd'; - } - } - if (status & ARGUS_WINDOW_SHUT) { - if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT)) - *ptr++ = '@'; - else { - if (status & ARGUS_SRC_WINDOW_SHUT) - *ptr++ = 'S'; - if (status & ARGUS_DST_WINDOW_SHUT) - *ptr++ = 'D'; - } - } - if (status & ARGUS_ECN_CONGESTED) - *ptr++ = 'E'; - } - } - } - if (ArgusThisFarStatus & ARGUS_ESP_DSR_STATUS) { - struct ArgusESPStruct *esp = NULL; - - if ((esp = (struct ArgusESPStruct *)ArgusThisFarHdrs[ARGUS_ESP_DSR_INDEX]) != NULL) { - if ((esp->src.lostseq > 0) && (esp->dst.lostseq > 0)) - *ptr++ = '*'; - else { - if (esp->src.lostseq > 0) - *ptr++ = 's'; - if (esp->dst.lostseq > 0) - *ptr++ = 'd'; - } - } - } - } - } - - *ptr = RaFieldDelimiter; - - } else { - int encdone = 0; - - if (Iflag) { - bcopy (" ", buf, 9); - if (argus->ahdr.type & ARGUS_MAR) { - } else { - if (argus->ahdr.status & ARGUS_MPLS) { - buf[1] = 'm'; - encdone++; - } - - if (argus->ahdr.status & ARGUS_PPPoE) { - buf[1] = 'p'; - encdone++; - } - - if (argus->ahdr.status & ARGUS_VLAN) { - buf[1] = 'q'; - encdone++; - } - - if (encdone > 1) - buf[1] = 'E'; - - if ((argus->ahdr.status & 0xFFFF) == ETHERTYPE_IP) { - if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS) { - struct ArgusTCPObject *tcp = NULL; - unsigned int status; - - tcp = (struct ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX]; - - if ((tcp != NULL) && ((status = tcp->state) != 0)) { - if (status) { - if (status & ARGUS_WINDOW_SHUT) { - if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT)) - buf[3] = '@'; - else { - if (status & ARGUS_SRC_WINDOW_SHUT) - buf[3] = 'S'; - if 
(status & ARGUS_DST_WINDOW_SHUT) - buf[3] = 'D'; - } - } - if (status & ARGUS_PKTS_RETRANS) { - if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS)) - buf[2] = '*'; - else { - if (status & ARGUS_SRC_PKTS_RETRANS) - buf[2] = 's'; - if (status & ARGUS_DST_PKTS_RETRANS) - buf[2] = 'd'; - } - } - if (status & ARGUS_ECN_CONGESTED) { - if ((status & ARGUS_SRC_CONGESTED) && (status & ARGUS_DST_CONGESTED)) - buf[3] = 'E'; - else { - if (status & ARGUS_SRC_CONGESTED) - buf[3] = 'e'; - if (status & ARGUS_DST_CONGESTED) - buf[3] = 'e'; - } - } - } - } - } - - if (ArgusThisFarStatus & ARGUS_ESP_DSR_STATUS) { - struct ArgusESPStruct *esp = NULL; - - if ((esp = (struct ArgusESPStruct *)ArgusThisFarHdrs[ARGUS_ESP_DSR_INDEX]) != NULL) { - if ((esp->src.lostseq > 0) && (esp->dst.lostseq > 0)) - buf[2] = '*'; - else { - if (esp->src.lostseq > 0) - buf[2] = 's'; - if (esp->dst.lostseq > 0) - buf[2] = 'd'; - } - } - } - - if (argus->ahdr.status & ARGUS_MULTIADDR) - buf[4] = 'M'; - - if (argus->argus_far.status & ARGUS_ICMP_MAPPED) - buf[5] = 'I'; - - if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGMENTS) || - (argus->argus_far.attr_ip.doptions & ARGUS_FRAGMENTS)) { - - if (argus->argus_far.flow.ip_flow.tp_p == ARGUS_FRAG_FLOWTAG) - buf[6] = 'f'; - else - buf[6] = 'F'; - - if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGOVERLAP) || - (argus->argus_far.attr_ip.doptions & ARGUS_FRAGOVERLAP)) { - buf[6] = 'V'; - } - } - - if ((argus->argus_far.attr_ip.soptions & ARGUS_IPOPTIONS) || - (argus->argus_far.attr_ip.doptions & ARGUS_IPOPTIONS)) { - switch ((argus->argus_far.attr_ip.soptions | argus->argus_far.attr_ip.doptions) - & ARGUS_IPOPTIONS) { - case SSRCROUTE: buf[7] = 'S'; break; - case LSRCROUTE: buf[7] = 'L'; break; - case TIMESTAMP: buf[7] = 'T'; break; - case SECURITY: buf[7] = '+'; break; - case RECORDROUTE: buf[7] = 'R'; break; - case SATNETID: buf[7] = 'N'; break; - case IPOPTIONMASK: buf[7] = 'E'; break; - default: buf[7] = 'O'; break; - } - } - } - } 
- } - } - - return; -} - - -char RaUserDataStr[MAXSTRLEN]; - -char * -RaGetUserDataString (struct ArgusRecord *argus) -{ - char *retn = RaUserDataStr; - char strbuf[MAXSTRLEN], *str = strbuf; - char delim = ' '; - int len = 0; - - bzero (RaUserDataStr, MAXSTRLEN); - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - delim = RaFieldDelimiter; - - if (ArgusSrcUserDataLen > 0) { - len = 0; - if (ArgusThisFarStatus & ARGUS_SRCUSRDATA_DSR_STATUS) { - struct ArgusUserStruct *user = (struct ArgusUserStruct *) ArgusThisFarHdrs[ARGUS_SRCUSRDATA_DSR_INDEX]; - - len = (user->length - 1) * 4; - len = (len < argus->argus_far.src.appbytes) ? len : argus->argus_far.src.appbytes; - len = len > ArgusSrcUserDataLen ? ArgusSrcUserDataLen : len; - - if ((len = ArgusEncode (&user->data, len, str, sizeof(strbuf))) != 0) - sprintf (RaUserDataStr, "%cs[%d]=%s", delim, len, str); - - } else - if (delim != ' ') - sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%c", delim); - - if (delim == ' ') - sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%*s", (ArgusSrcUserDataLen - len) + 1, " "); - } - - - if (ArgusDstUserDataLen > 0) { - len = 0; - if (ArgusThisFarStatus & ARGUS_DSTUSRDATA_DSR_STATUS) { - struct ArgusUserStruct *user = (struct ArgusUserStruct *) ArgusThisFarHdrs[ARGUS_DSTUSRDATA_DSR_INDEX]; - - len = (user->length - 1) * 4; - len = (len < argus->argus_far.dst.appbytes) ? len : argus->argus_far.dst.appbytes; - len = len > ArgusDstUserDataLen ? 
ArgusDstUserDataLen : len; - - if ((len = ArgusEncode (&user->data, len, str, sizeof(strbuf))) != 0) - sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%cd[%d]=%s", delim, len, str); - } else - if (delim != ' ') - sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%c", delim); - } - - return (retn); -} - -extern void ArgusLog (int, char *, ...); - - -static char basis_64[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"; - - -int -ArgusEncode (const char *ptr, int len, char *str, int slen) -{ - int retn = 0; - - switch (eflag) { - case ARGUS_ENCODE_64: - sprintf (str, "\""); - retn = ArgusEncode64(ptr, len, &str[strlen(str)], slen - strlen(str)); - strcat (str, "\""); - break; - - case ARGUS_ENCODE_ASCII: - sprintf (str, "\""); - retn = ArgusEncodeAscii(ptr, len, &str[strlen(str)], slen - strlen(str)); - strcat (str, "\""); - break; - - default: - ArgusLog (LOG_ERR, "ArgusEncode: error encode method %d unknown", eflag); - break; - } - - return (retn); -} - -int -ArgusEncode64 (const char *ptr, int len, char *str, int slen) -{ - int retn = 0; - const unsigned char *in = (const unsigned char *)ptr; - unsigned char *buf = (unsigned char *) str; - unsigned char oval; - unsigned newlen; - - if (ptr && ((newlen = (len + 2) / 3 * 4) < slen)) { - while (len >= 3) { - *buf++ = basis_64[in[0] >> 2]; - *buf++ = basis_64[((in[0] << 4) & 0x30) | (in[1] >> 4)]; - *buf++ = basis_64[((in[1] << 2) & 0x3c) | (in[2] >> 6)]; - *buf++ = basis_64[in[2] & 0x3f]; - in += 3; - len -= 3; - } - if (len > 0) { - *buf++ = basis_64[in[0] >> 2]; - oval = (in[0] << 4) & 0x30; - if (len > 1) oval |= in[1] >> 4; - *buf++ = basis_64[oval]; - *buf++ = (len < 2) ? 
'=' : basis_64[(in[1] << 2) & 0x3c];
- *buf++ = '=';
- }
-
- if (newlen < slen)
- *buf = '\0';
-
- retn = newlen;
- }
-
- return (retn);
-}
-
-#include
-
-int
-ArgusEncodeAscii (const char *ptr, int len, char *str, int slen)
-{
- int retn = 0, newlen = len;
- unsigned char *buf = (unsigned char *) str;
-
- if (ptr && (len < slen)) {
- while (len > 0) {
- if (isprint((int)*ptr))
- *buf = *ptr;
- else
- *buf = '.';
- buf++;
- ptr++;
- len--;
- }
-
- if (len < slen)
- *buf = '\0';
-
- retn = newlen;
- }
-
- return (retn);
-}
-
-
-
-struct ArgusInterfaceStruct interfacetypes [] = {
-{ 0, "DLT_NULL", "no link-layer encapsulation"},
-{ 1, "DLT_EN10MB", "Ethernet (10Mb)"},
-{ 2, "DLT_EN3MB", "Experimental Ethernet (3Mb)"},
-{ 3, "DLT_AX25", "Amateur Radio AX.25"},
-{ 4, "DLT_PRONET", "Proteon ProNET Token Ring"},
-{ 5, "DLT_CHAOS", "Chaos"},
-{ 6, "DLT_IEEE802", "IEEE 802 Networks"},
-{ 7, "DLT_ARCNET", "ARCNET"},
-{ 8, "DLT_SLIP", "Serial Line IP"},
-{ 9, "DLT_PPP", "Point-to-point Protocol"},
-{ 10,"DLT_FDDI", "FDDI"},
-{ 11, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
-{ 12, "DLT_LOOP", "loopback"},
-{100, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
-{101, "DLT_RAW", "raw IP"},
-{102, "DLT_SLIP_BSDOS", "BSD/OS Serial Line IP"},
-{103, "DLT_PPP_BSDOS", "BSD/OS Point-to-point Protocol"},
-{104, "DLT_CHDLC", "Cisco HDLC"},
-{-1, "Undefined", "Undefined"},
-};
-
-
-char argus_strbuf[MAXSTRLEN];
-
-char *
-get_man_string (struct ArgusRecord *ptr)
-{
- char protoStr[128], argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char probeIDStrBuf[128], *probeIDStr = probeIDStrBuf;
- char versionStrBuf[128];
- char date [128], fmtstr[MAXSTRLEN], indStr[16];
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
-
- print_date(ptr, date);
-
- if (mflag) {
- struct ArgusInterfaceStruct *interface = &interfacetypes[0];
- while (interface->value >= 0) {
- if (ptr->argus_mar.interfaceType == interface->value)
- break;
- interface++;
- }
- sprintf(protoStr, " man 
InterfaceType %-*.*s", hfield, hfield, interface->label);
-
- } else
- sprintf(protoStr, "man");
-
- if (ptr->ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&ptr->argus_mar.argusid));
- else
- sprintf (argusIDStr, "%u", ptr->argus_mar.argusid);
-
- if (idflag)
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
-
- if (!cflag && ((ptr->ahdr.type & ARGUS_RMON) && (ptr->ahdr.status & ARGUS_TOPN)))
- sprintf (probeIDStr, " ");
- else
- sprintf (probeIDStr, "probeid=%-*.*s %*s", hfield, hfield, argusIDStr, pfield, " ");
-
- sprintf (versionStrBuf, "version=%d.%d", ptr->argus_mar.major_version,
- ptr->argus_mar.minor_version);
-
- if (ptr->ahdr.cause & ARGUS_START) {
-
- if (Iflag)
- strcpy (fmtstr, "%s%s%4s %-*.*s %s%*s");
- else
- strcpy (fmtstr, "%s %4s %-*.*s %s%*s");
-
- if (cflag) {
- if ((ptr->ahdr.type & ARGUS_RMON) && (ptr->ahdr.status & ARGUS_TOPN))
- strcat (fmtstr, " ");
- else
- strcat (fmtstr, " ");
- }
-
- } else {
- if (Iflag)
-#if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
- strcpy (fmtstr, "%s%s%4s pkts %9lld bytes %12lld drops %5u ");
- else
- strcpy (fmtstr, "%s %4s pkts %9lld bytes %12lld drops %5u ");
-#else
- strcpy (fmtstr, "%s%s%4s pkts %9Ld bytes %12Ld drops %5u ");
- else
- strcpy (fmtstr, "%s %4s pkts %9Ld bytes %12Ld drops %5u ");
-#endif
-
- if (cflag)
- strcat (fmtstr, "flows %-8u closed %-8u ");
- }
-
- if (ptr->ahdr.cause & ARGUS_START) strcat (fmtstr, "STA");
- else if (ptr->ahdr.cause & ARGUS_STATUS) strcat (fmtstr, "CON");
- else if (ptr->ahdr.cause & ARGUS_STOP) strcat (fmtstr, "STP");
- else if (ptr->ahdr.cause & ARGUS_SHUTDOWN) strcat (fmtstr, "SHT");
- else if (ptr->ahdr.cause & ARGUS_ERROR) strcat (fmtstr, "ERR");
- else if (ptr->ahdr.cause & ARGUS_MAXLISTENEXCD) strcat (fmtstr, "MAX");
-
- ArgusGetIndicatorString (ptr, indStr);
-
- if (ptr->ahdr.cause & ARGUS_START) {
- if (Iflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, 
protoStr, hfield, hfield, versionStrBuf, probeIDStr, pfield, " ");
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, hfield, hfield, versionStrBuf, probeIDStr, pfield, " ");
- }
- } else {
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop,
- ptr->argus_mar.flows, ptr->argus_mar.flowsClosed);
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop);
- }
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop,
- ptr->argus_mar.flows, ptr->argus_mar.flowsClosed);
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop);
- }
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-char *ArgusTCPFlags [] = {
- "F", "S", "R", "P", "A", "U", "7", "8"
-};
-
-char *
-get_tcp_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- unsigned int status, rev = 0;
- int vc = 0, ahdrlen, farhdrlen;
- char *processStr = NULL;
- char statusbuf[MAXSTRLEN], *TCPStatusString = statusbuf;
- char SrcTCPFlagsStr[16], DstTCPFlagsStr[16], delim;
- char 
argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char *edstString = NULL, *esrcString = NULL;
- char dstString[256], srcString[256];
- char *protoStr, indStr[16], *blankStr = " ";
- char date[128], fmtstr[MAXSTRLEN], protoStrargus_strbuf[16];
- char portstr[128], portbuf[16];
- int src_count = 0, dst_count = 0, src_bytes = 0, dst_bytes = 0;
- u_char proto;
- struct ArgusTCPObject *tcp = NULL;
-
- bzero (protoStrargus_strbuf, 16);
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (statusbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
- bzero (SrcTCPFlagsStr, 16);
- bzero (DstTCPFlagsStr, 16);
- bzero (argusIDStrBuf, 32);
- bzero (dstString, 256);
- bzero (srcString, 256);
- bzero (portbuf, 16);
- bzero (portstr, 128);
- bzero (indStr, 16);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_dst));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
- else
- delim = '.';
-
- if (!((flow->ip_flow.sport == 0xFFFF) && (argus->ahdr.status & ARGUS_MERGED)))
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, tcpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%s%c", RaFieldDelimiter, "*", 
RaFieldDelimiter);
- } else
- sprintf (portbuf, "%c%-*s", delim, pfield, "*");
-
- strcat (srcString, portbuf);
-
- if (!((flow->ip_flow.dport == 0xFFFF) && (argus->ahdr.status & ARGUS_MERGED))) {
- sprintf (portstr, " %-*.*s", hfield, hfield, tcpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, tcpport_string(flow->ip_flow.dport));
- } else {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%s%c", RaFieldDelimiter, "*", RaFieldDelimiter);
- sprintf (portbuf, "%c%s%c", RaFieldDelimiter, "*", RaFieldDelimiter);
- } else {
- sprintf (portstr, " %-*s", hfield, "*");
- sprintf (portbuf, "%c%-*s", delim, pfield, "*");
- }
- }
-
- strcat (dstString, portbuf);
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- ahdrlen = sizeof(argus->ahdr);
- farhdrlen = sizeof(argus->argus_far);
-
- if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS)
- tcp = (struct ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX];
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- if ((tcp != NULL) && ((status = tcp->state) != 0)) {
- if (!(status & (ARGUS_SAW_SYN | ARGUS_SAW_SYN_SENT))) {
- fmtstr[12 + vc] = '?';
- if (src_count) fmtstr[13 + vc] = '>';
- if 
(dst_count) fmtstr[11 + vc] = '<';
- }
-
- if (Rflag && (status & ARGUS_RESET)) {
- if (status & ARGUS_DST_RESET) {
- fmtstr[11 + vc] = '<';
- fmtstr[13 + vc] = ' ';
- }
- if (status & ARGUS_SRC_RESET) {
- fmtstr[11 + vc] = ' ';
- fmtstr[13 + vc] = '>';
- }
- fmtstr[12 + vc] = '|';
-
- } else
- if (status & ARGUS_RESET) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[5];
- } else
- if (status & ARGUS_NORMAL_CLOSE) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[3];
- } else
- if (status & (ARGUS_FIN | ARGUS_FIN_ACK)) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[6];
- } else
- if (argus->ahdr.cause & ARGUS_TIMEOUT) {
- if (src_count) fmtstr[13 + vc] = '>';
- if (dst_count) fmtstr[11 + vc] = '<';
- processStr = process_state_strings[4];
- } else
- if (status & ARGUS_CON_ESTABLISHED) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[2];
- } else
- if (status & ARGUS_SAW_SYN_SENT) {
- fmtstr[11 + vc] = '<';
- fmtstr[13 + vc] = ' ';
- processStr = process_state_strings[1];
- } else
- if (status & ARGUS_SAW_SYN) {
- fmtstr[13 + vc] = '>';
- fmtstr[11 + vc] = ' ';
- processStr = process_state_strings[0];
- }
-
- if (status & ARGUS_RESET)
- processStr = process_state_strings[5];
-
- if (zflag) {
- bzero ((char *)TCPStatusString, sizeof(statusbuf));
- if (status & ARGUS_SAW_SYN) strcat (TCPStatusString, "s");
- if (status & ARGUS_SAW_SYN_SENT) strcat (TCPStatusString, "S");
- if (status & ARGUS_CON_ESTABLISHED) strcat (TCPStatusString, "E");
- if (status & ARGUS_FIN) strcat (TCPStatusString, "f");
- if (status & ARGUS_FIN_ACK) strcat (TCPStatusString, "F");
- if (status & ARGUS_NORMAL_CLOSE) strcat (TCPStatusString, "C");
- if (status & ARGUS_RESET) strcat (TCPStatusString, "R");
- } else
-
- if (Zflag) {
- int i, index;
- bzero(SrcTCPFlagsStr, sizeof(SrcTCPFlagsStr));
- bzero(DstTCPFlagsStr, sizeof(DstTCPFlagsStr));
- 
- for (i = 0, index = 1; i < 8; i++) {
- if (tcp->src.flags & index) {
- strcat (SrcTCPFlagsStr, ArgusTCPFlags[i]);
- }
- if (tcp->dst.flags & index) {
- strcat (DstTCPFlagsStr, ArgusTCPFlags[i]);
- }
- index <<= 1;
- }
- switch (Zflag) {
- case 'b':
- sprintf(TCPStatusString, "%s_%s", SrcTCPFlagsStr, DstTCPFlagsStr);
- break;
- case 's':
- sprintf(TCPStatusString, "%s", SrcTCPFlagsStr);
- break;
- case 'd':
- sprintf(TCPStatusString, "%s", DstTCPFlagsStr);
- break;
- }
- }
- } else {
- if (argus->ahdr.cause & ARGUS_START) processStr = "REQ";
- if (argus->ahdr.cause & ARGUS_STATUS) processStr = "CON";
- if (argus->ahdr.cause & ARGUS_STOP) processStr = "CLO";
- if (argus->ahdr.cause & ARGUS_TIMEOUT) processStr = "TIM";
- if (argus->ahdr.cause & ARGUS_ERROR) processStr = "ERR";
-
- if (src_count) fmtstr[13 + vc] = '>';
- if (dst_count) fmtstr[11 + vc] = '<';
- fmtstr[12 + vc] = '?';
-
- if (argus->ahdr.type & ARGUS_CISCO_NETFLOW) {
- if (argus->argus_far.flow.ip_flow.sport < argus->argus_far.flow.ip_flow.dport)
- rev++;
- }
- }
-
- if (rev) {
- int flag = 0;
- char tmpString[256];
- bcopy (srcString, tmpString, 256);
- bcopy (dstString, srcString, 256);
- bcopy (tmpString, dstString, 256);
-
- src_count = argus->argus_far.dst.count;
- dst_count = argus->argus_far.src.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.dst.appbytes;
- dst_bytes = argus->argus_far.src.appbytes;
- } else {
- src_bytes = argus->argus_far.dst.bytes;
- dst_bytes = argus->argus_far.src.bytes;
- }
-
- if (fmtstr[13 + vc] == '>')
- flag++;
-
- if (fmtstr[11 + vc] == '<')
- fmtstr[13 + vc] = '>';
- else
- fmtstr[13 + vc] = ' ';
-
- if (flag)
- fmtstr[11 + vc] = '<';
- else
- fmtstr[11 + vc] = ' ';
-
- }
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if (processStr == NULL) processStr = "UNK";
-
- if (zflag || Zflag)
- processStr = TCPStatusString;
-
- strcat (fmtstr, processStr);
-
- proto = flow->ip_flow.ip_p;
-
- sprintf (protoStrargus_strbuf, "%u", proto);
-
- protoStr = 
(nflag > 1) ? protoStrargus_strbuf :
- proto >= IPPROTOSTR ? "unas" : ip_proto_string[proto];
-
- ArgusGetIndicatorString (argus, indStr);
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' ';
- fmtstr[13 + vc] = ' ';
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr);
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
- 
}
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-
-char *
-get_icmp_string (ptr)
-struct ArgusRecord *ptr;
-{
- int vc = 0, rev = 0, srccnt = 0, dstcnt = 0;
- int ahdrlen, farhdrlen;
- struct ArgusICMPObject *icmp = NULL;
- char fmtstr[MAXSTRLEN], icmptype[32], icmpstr[128];
- char extendedstring[32], *blankStr = " ";
- char *edstString = NULL, *esrcString = NULL, *protoStr, indStr[16];
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char dstString[256], srcString[256];
- char date[128];
-
- struct ArgusICMPFlow *icmpFlow = &ptr->argus_far.flow.icmp_flow;
- unsigned char ra_icmp_type = 0, ra_icmp_code = 0;
- unsigned short ra_icmp_data = 0;
- unsigned int ra_src_addr = 0, ra_dst_addr = 0, ra_gw_addr = 0;
-
- bzero (extendedstring, 32);
- bzero (argusIDStrBuf, 32);
- bzero (fmtstr, MAXSTRLEN);
- bzero (srcString, 256);
- bzero (dstString, 256);
- bzero (indStr, 16);
-
- if (ptr) {
- ahdrlen = sizeof(ptr->ahdr);
- farhdrlen = sizeof(ptr->argus_far);
- if (ArgusThisFarStatus & ARGUS_ICMP_DSR_STATUS) {
- icmp = (struct ArgusICMPObject *)ArgusThisFarHdrs[ARGUS_ICMP_DSR_INDEX];
- if (icmp->type != ARGUS_ICMP_DSR) {
- icmp = NULL;
- } else {
- ra_src_addr = icmp->isrcaddr;
- ra_dst_addr = icmp->idstaddr;
- ra_gw_addr = icmp->igwaddr;
- ra_icmp_type = icmp->icmp_type;
- ra_icmp_code = icmpFlow->code;
- }
- } else {
- ra_icmp_type = icmpFlow->type;
- ra_icmp_code = icmpFlow->code;
- }
-
- ra_icmp_data = icmpFlow->id;
-
- bzero (icmpstr, sizeof (icmpstr)); 
- bzero (icmptype, sizeof (icmptype));
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (extendedstring, sizeof (extendedstring));
- bzero (icmptype, sizeof (icmptype));
- bzero (date, 128);
-
- print_date (ptr, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&ptr->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", ptr->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if (ra_icmp_type < (unsigned char) (ICMP_MAXTYPE + 1))
- strcpy (icmptype, icmptypestr[ra_icmp_type]);
- else
- strcpy (icmptype, "UNK");
-
- switch (ra_icmp_type) {
- case ICMP_UNREACH:
- switch (ra_icmp_code) {
- case ICMP_UNREACH_NET:
- strcat (icmptype, "N");
- if (ra_dst_addr) {
- u_long addr = ra_dst_addr;
- sprintf (extendedstring, "net %s",
- ipaddr_string (&addr));
- }
- break;
- case ICMP_UNREACH_HOST:
- strcat (icmptype, "H");
-
- if (ra_dst_addr)
- sprintf (extendedstring, "host %s",
- ipaddr_string (&ra_dst_addr));
- break;
-
- case ICMP_UNREACH_PROTOCOL:
- strcat (icmptype, "O");
- if (ra_icmp_data && (ra_icmp_data < IPPROTOSTR))
- sprintf (extendedstring,"proto %s",
- ip_proto_string[ra_icmp_data]);
- break;
-
- case ICMP_UNREACH_PORT: {
- int index = icmpFlow->tp_p;
- strcat (icmptype, "P");
-
- if ((ra_icmp_data && ((index < IPPROTOSTR)) && (index > 0))) {
- sprintf (extendedstring, "%s_port %d", ip_proto_string[index], ra_icmp_data);
-
- } else if (ra_icmp_data)
- sprintf (extendedstring, "port %d", ra_icmp_data);
- break;
- }
- case ICMP_UNREACH_NEEDFRAG:
- strcat (icmptype, "F"); break;
- case ICMP_UNREACH_SRCFAIL:
- strcat (icmptype, "S"); break;
-
-#ifndef ICMP_UNREACH_NET_UNKNOWN
-#define ICMP_UNREACH_NET_UNKNOWN 6
-#endif
- case ICMP_UNREACH_NET_UNKNOWN:
- strcat (icmptype, "NU");
- sprintf (extendedstring, "dst_net unknown"); break;
-
-#ifndef ICMP_UNREACH_HOST_UNKNOWN
-#define ICMP_UNREACH_HOST_UNKNOWN 7
-#endif
- case ICMP_UNREACH_HOST_UNKNOWN:
- strcat (icmptype, "HU");
- 
sprintf (extendedstring, "dst_host unknown"); break;
-
-#ifndef ICMP_UNREACH_ISOLATED
-#define ICMP_UNREACH_ISOLATED 8
-#endif
- case ICMP_UNREACH_ISOLATED:
- strcat (icmptype, "ISO");
- sprintf (extendedstring, "src_host isolated"); break;
-
-#ifndef ICMP_UNREACH_NET_PROHIB
-#define ICMP_UNREACH_NET_PROHIB 9
-#endif
- case ICMP_UNREACH_NET_PROHIB:
- strcat (icmptype, "NPRO");
- sprintf (extendedstring, "admin_net prohib"); break;
-
-#ifndef ICMP_UNREACH_HOST_PROHIB
-#define ICMP_UNREACH_HOST_PROHIB 10
-#endif
- case ICMP_UNREACH_HOST_PROHIB:
- strcat (icmptype, "HPRO");
- sprintf (extendedstring, "admin_host prohib"); break;
-
-#ifndef ICMP_UNREACH_TOSNET
-#define ICMP_UNREACH_TOSNET 11
-#endif
- case ICMP_UNREACH_TOSNET:
- strcat (icmptype, "NTOS");
- sprintf (extendedstring, "tos_net prohib"); break;
-
-#ifndef ICMP_UNREACH_TOSHOST
-#define ICMP_UNREACH_TOSHOST 12
-#endif
- case ICMP_UNREACH_TOSHOST:
- strcat (icmptype, "HTOS");
- sprintf (extendedstring, "tos_host prohib"); break;
-
-#ifndef ICMP_UNREACH_FILTER_PROHIB
-#define ICMP_UNREACH_FILTER_PROHIB 13
-#endif
- case ICMP_UNREACH_FILTER_PROHIB:
- strcat (icmptype, "FIL");
- sprintf (extendedstring, "admin_filter prohib"); break;
-
-#ifndef ICMP_UNREACH_HOST_PRECEDENCE
-#define ICMP_UNREACH_HOST_PRECEDENCE 14
-#endif
- case ICMP_UNREACH_HOST_PRECEDENCE:
- strcat (icmptype, "PRE");
- sprintf (extendedstring, "precedence violation"); break;
-
-#ifndef ICMP_UNREACH_PRECEDENCE_CUTOFF
-#define ICMP_UNREACH_PRECEDENCE_CUTOFF 15
-#endif
- case ICMP_UNREACH_PRECEDENCE_CUTOFF:
- strcat (icmptype, "CUT");
- sprintf (extendedstring, "precedence cutoff"); break;
-
- }
- break;
-
- case ICMP_MASKREPLY:
- rev = 1;
- if (ra_src_addr)
- sprintf (extendedstring, "mask 0x%08x", ra_src_addr);
- break;
-
- case ICMP_REDIRECT:
- switch (ra_icmp_code) {
- case ICMP_REDIRECT_NET:
- (void) sprintf (extendedstring, "net %s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_HOST:
- (void) sprintf (extendedstring, "host 
%s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_TOSNET:
- (void) sprintf (extendedstring, "tosN %s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_TOSHOST:
- (void) sprintf (extendedstring, "tosH %s",
- ipaddr_string (&ra_gw_addr));
- break;
- }
- break;
-
-#ifndef ICMP_ROUTERADVERT
-#define ICMP_ROUTERADVERT 9 /* router advertisement */
-#endif
- case ICMP_ROUTERADVERT:
- sprintf (extendedstring, "router advertisement"); break;
-
-#ifndef ICMP_ROUTERSOLICIT
-#define ICMP_ROUTERSOLICIT 10 /* router solicitation */
-#endif
- case ICMP_ROUTERSOLICIT:
- sprintf (extendedstring, "router solicitation"); break;
-
-
- case ICMP_ECHOREPLY:
- case ICMP_TSTAMPREPLY:
- case ICMP_IREQREPLY:
- rev = 1;
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- break;
-
- case ICMP_TIMXCEED:
- (void) sprintf (extendedstring, "timexceed %s",
- ra_icmp_code ? "reassembly" : "in-transit");
- break;
-
- case ICMP_PARAMPROB:
- case ICMP_SOURCEQUENCH:
- case ICMP_ECHO:
- case ICMP_TSTAMP:
- case ICMP_IREQ:
- case ICMP_MASKREQ:
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- default:
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- break;
- }
-
- if (!(Rflag)) {
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- }
-
- protoStr = (nflag > 1) ? 
" 1" : "icmp";
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
-
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf (&srcString[strlen(srcString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- else
- sprintf (&srcString[strlen(srcString)] , " %*.*s", pfield, pfield, " ");
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&icmpFlow->ip_dst));
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf (&dstString[strlen(dstString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- else
- sprintf (&dstString[strlen(dstString)] , " %*.*s", pfield, pfield, " ");
-
- ArgusGetIndicatorString (ptr, indStr);
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- if (cflag)
- strcat (fmtstr, "%-8u %-6u %-24.24s ");
-
- if (ptr->argus_far.src.count)
- fmtstr[13 + vc] = '>';
-
- if (ptr->argus_far.dst.count)
- fmtstr[11 + vc] = '<';
-
- srccnt = ptr->argus_far.src.count;
- dstcnt = ptr->argus_far.dst.count;
-
- strcat (fmtstr, icmptype);
- sprintf (icmpstr, " %-*s", hfield, " ");
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' '; 
- fmtstr[13 + vc] = ' ';
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- icmpstr, srccnt, dstcnt, extendedstring);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- icmpstr);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- icmpstr, srccnt, dstcnt, extendedstring);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- icmpstr);
- }
-
- } else {
-
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter) 
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-char *
-get_udp_string (argus)
-struct ArgusRecord *argus;
-{
- return (get_ip_string (argus));
-}
-
-
-char *
-get_ip_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- int vc = 0;
- char *edstString = NULL, *esrcString = NULL;
- char dstString[128], srcString[128], delim;
- char protoStr[32], indStr[16], *blankStr = " ";
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char date[128], fmtstr[MAXSTRLEN], protoStrargus_strbuf[16];
- char portbuf[16], portstr[128];
- int src_count, dst_count, src_bytes, dst_bytes;
- u_char proto;
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
- bzero (srcString, 128);
- bzero (dstString, 128);
- bzero (portbuf, 16);
- bzero (portstr, 128);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- proto = flow->ip_flow.ip_p;
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_dst));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
- else
- delim = '.';
-
- switch (proto) {
- case IPPROTO_TCP:
- if 
(flow->ip_flow.sport != 0xFFFF)
- sprintf (portbuf, "%c%-*s", delim, pfield, tcpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else
- sprintf (portbuf, "%-*s ", pfield, " ");
-
- strcat (srcString, portbuf);
-
- if (flow->ip_flow.dport != 0xFFFF) {
- sprintf (portstr, " %-*s", hfield, tcpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*s", delim, pfield, tcpport_string(flow->ip_flow.dport));
- } else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, "%-*s", hfield, " ");
- sprintf (portbuf, "%-*s ", pfield, " ");
- }
-
- strcat (dstString, portbuf);
- break;
-
- case IPPROTO_UDP:
- if (flow->ip_flow.sport != 0xFFFF)
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, udpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else
- sprintf (portbuf, "%-*s ", pfield, " ");
-
- strcat (srcString, portbuf);
-
- if (flow->ip_flow.dport != 0xFFFF) {
- sprintf (portstr, " %-*.*s", hfield, hfield, udpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, udpport_string(flow->ip_flow.dport));
-
- } else {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, " %-*s", hfield, " ");
- sprintf (portbuf, "%-*s ", pfield, " ");
- }
- }
-
- strcat (dstString, portbuf);
- break;
-
- default:
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, 
"%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, " %*s", hfield, " ");
- sprintf (portbuf, "%*s ", pfield, " ");
- }
- strcat (srcString, portbuf);
- strcat (dstString, portbuf);
- break;
- }
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- fmtstr[11 + vc] = (dst_count) ? '<' : ' ';
- fmtstr[13 + vc] = (src_count) ? '>' : ' ';
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if ((argus->ahdr.cause & ARGUS_TIMEOUT))
- strcat (fmtstr, "TIM");
- else
- if (argus->argus_far.src.count && argus->argus_far.dst.count) {
- if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1))
- strcat (fmtstr, "ACC");
- else
- strcat (fmtstr, "CON");
- } else
- if (argus->ahdr.type & ARGUS_START)
- strcat (fmtstr, "INT");
-
- sprintf (protoStrargus_strbuf, "%u", proto);
-
- if ((flow->ip_flow.tp_p == ARGUS_RTP_FLOWTAG) && ((src_count > 3) || (dst_count > 3)))
- sprintf (protoStr, "%s", ((nflag > 1) ? protoStrargus_strbuf : "rtp"));
- else
- sprintf (protoStr, "%s", ((nflag > 1) ? protoStrargus_strbuf :
- proto >= IPPROTOSTR ? 
"unas" : ip_proto_string[proto]));
-
- if ((strlen(protoStr) > 4) && !((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')))
- protoStr[4] = '\0';
-
- ArgusGetIndicatorString (argus, indStr);
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' ';
- fmtstr[13 + vc] = ' ';
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portbuf);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr);
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf 
(&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, - srcString, dstString); - } - } - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' '; - int len = strlen(date) - 1; - bzero (tmpbuf, sizeof(tmpbuf)); - - bcopy (str, ptr, len); - str += len; - ptr += len; - - while (*str) { - if (*str == ' ') { - if (lastchr != RaFieldDelimiter) - *ptr++ = RaFieldDelimiter; - while (isspace((int)*str)) str++; - } - lastchr = *str; - - *ptr++ = *str++; - } - bzero (argus_strbuf, MAXSTRLEN); - bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf)); - } - - return (argus_strbuf); -} - - -char * -get_arp_string (argus) -struct ArgusRecord *argus; -{ - struct ArgusFlow *flow; - - char *targetString, *sourceString, *protoStr, indStr[16]; - char *esrcString = NULL, *edstString = NULL; - char srcString[256], dstString[256]; - char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf; - char date[128], fmtstr[256], *blankStr = " "; - int src_count, dst_count, src_bytes, dst_bytes; - int afield, xfield; - unsigned short proto; - - bzero (argus_strbuf, MAXSTRLEN); - bzero (date, 128); - - flow = &argus->argus_far.flow; - - src_count = argus->argus_far.src.count; - dst_count = argus->argus_far.dst.count; - - if (Aflag) { - src_bytes = argus->argus_far.src.appbytes; - dst_bytes = argus->argus_far.dst.appbytes; - } else { - src_bytes = argus->argus_far.src.bytes; - dst_bytes = argus->argus_far.dst.bytes; - } - - print_date (argus, date); - - if (idflag) { - if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR) - argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid)); - else - sprintf (argusIDStr, "%u", argus->ahdr.argusid); - - sprintf(argus_strbuf, "%-15.15s ", argusIDStr); - } - - proto = argus->ahdr.status & 0xFFFF; - protoStr = etherproto_string( proto); - - if (proto == ETHERTYPE_REVARP) { - if (Rflag) { - sourceString = etheraddr_string (flow->rarp_flow.tareaddr); - targetString = ipaddr_string 
(&flow->rarp_flow.arp_tpa); - - if (Iflag) { - strcpy (fmtstr, "%s%s%4s %s%*.*s is-at %*.*s %*.*s "); - } else - strcpy (fmtstr, "%s %4s %s%*.*s is-at %*.*s %*.*s "); - - } else { - sourceString = etheraddr_string (flow->rarp_flow.srceaddr); - targetString = etheraddr_string (flow->rarp_flow.tareaddr); - - if (Iflag) { - strcpy (fmtstr, "%s%s%4s %s%*.*swho-has %*.*s %*.*s "); - } else - strcpy (fmtstr, "%s %4s %s%*.*swho-has %*.*s %*.*s "); - } - } else { - if (Rflag) { - sourceString = ipaddr_string (&flow->arp_flow.arp_tpa); - targetString = etheraddr_string (argus->argus_far.attr_arp.response); - - if (Iflag) { - strcpy (fmtstr, "%s%s%4s %s%*.*s is-at %*.*s %*.*s "); - } else - strcpy (fmtstr, "%s %4s %s%*.*s is-at %*.*s %*.*s "); - - } else { - sourceString = ipaddr_string (&flow->arp_flow.arp_spa); - targetString = ipaddr_string (&flow->arp_flow.arp_tpa); - - if (Iflag) { - strcpy (fmtstr, "%s%s%4s %s%*.*swho-has %*.*s %*.*s "); - } else - strcpy (fmtstr, "%s %4s %s%*.*swho-has %*.*s %*.*s "); - } - } - - if (mflag) { - if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) { - struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX]; - - esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc); - edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst); - - sprintf (srcString, "%17.17s %17.17s %*.*s", - esrcString, edstString, hfield, hfield, sourceString); - } else - sprintf (srcString, "%17.17s %17.17s %*.*s", - blankStr, blankStr, hfield, hfield, sourceString); - - } else - sprintf (srcString, "%*.*s", hfield, hfield, sourceString); - - sprintf (dstString, "%s", targetString); - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - sprintf (&srcString[strlen(srcString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter); - sprintf (&dstString[strlen(dstString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter); - } - - if (cflag) - strcat (fmtstr, "%-8u %-8u %-12u %-12u"); - - if 
((argus->ahdr.cause & ARGUS_TIMEOUT)) - strcat (fmtstr, "TIM"); - else - if (argus->argus_far.src.count && argus->argus_far.dst.count) { - if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1)) - strcat (fmtstr, "ACC"); - else - strcat (fmtstr, "CON"); - } else - if (argus->ahdr.type & ARGUS_START) - strcat (fmtstr, "INT"); - - ArgusGetIndicatorString (argus, indStr); - - xfield = pfield; - afield = hfield; - - if (Rflag) { - afield += 2; - xfield -= 2; - } - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - afield += 5; - } - - if (Iflag) { - if (cflag) - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr, - srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ", - src_count, dst_count, - src_bytes, dst_bytes); - else - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr, - srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " "); - } else { - if (cflag) - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, - srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ", - src_count, dst_count, - src_bytes, dst_bytes); - else - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, - srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " "); - } - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' '; - int len = strlen(date) - 1; - bzero (tmpbuf, sizeof(tmpbuf)); - - bcopy (str, ptr, len); - str += len; - ptr += len; - - while (*str) { - if (*str == ' ') { - if (lastchr != RaFieldDelimiter) - *ptr++ = RaFieldDelimiter; - while (isspace((int)*str)) str++; - } - lastchr = *str; - - *ptr++ = *str++; - } - bzero (argus_strbuf, MAXSTRLEN); - bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf)); - } - - return (argus_strbuf); -} - - - -char * -get_nonip_string (argus) -struct ArgusRecord 
*argus; -{ - struct ArgusFlow *flow; - - int vc = 0; - char srcString[256], dstString[256]; - char protoStr[32], indStr[16]; - char *edstString = NULL, *esrcString = NULL; - char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf; - char date[128], fmtstr[MAXSTRLEN], *blankStr = " "; - char sportbuf[16], dportbuf[16], delim; - int src_count, dst_count, src_bytes, dst_bytes; - unsigned short proto = 0; - - bzero (argus_strbuf, MAXSTRLEN); - bzero (argusIDStrBuf, 32); - bzero (fmtstr, MAXSTRLEN); - bzero (srcString, 256); - bzero (dstString, 256); - bzero (protoStr, 32); - bzero (sportbuf, 16); - bzero (dportbuf, 16); - bzero (indStr, 16); - bzero (date, 128); - - flow = &argus->argus_far.flow; - - sprintf (srcString, "%17.17s", etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost)); - sprintf (dstString, "%17.17s", etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_dhost)); - - src_count = argus->argus_far.src.count; - dst_count = argus->argus_far.dst.count; - - if (Aflag) { - src_bytes = argus->argus_far.src.appbytes; - dst_bytes = argus->argus_far.dst.appbytes; - } else { - src_bytes = argus->argus_far.src.bytes; - dst_bytes = argus->argus_far.dst.bytes; - } - - print_date (argus, date); - - if (idflag) { - if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR) - argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid)); - else - sprintf (argusIDStr, "%u", argus->ahdr.argusid); - - sprintf(argus_strbuf, "%-15.15s ", argusIDStr); - } - - if (mflag) { - if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) { - struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX]; - - esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc); - edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst); - - sprintf (srcString, "%17.17s %17.17s %*.*s", - esrcString, edstString, hfield + 2, hfield + 2, - etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost)); - } else - sprintf 
(srcString, "%17.17s %17.17s %*.*s", - blankStr, blankStr, hfield + 2, hfield + 2, - etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost)); - } - - if (Iflag) - strcpy (fmtstr, "%s%s%4s %s - %22.22s "); - else - strcpy (fmtstr, "%s %4s %s - %22.22s "); - - if (cflag) - strcat (fmtstr, "%-8u %-8u %-12u %-12u"); - - if ((argus->ahdr.cause & ARGUS_TIMEOUT)) - strcat (fmtstr, "TIM"); - else - if (argus->argus_far.src.count && argus->argus_far.dst.count) { - if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1)) - strcat (fmtstr, "ACC"); - else - strcat (fmtstr, "CON"); - } else - if (argus->ahdr.type & ARGUS_START) - strcat (fmtstr, "INT"); - - proto = argus->ahdr.status & 0xFFFF; - - sprintf (protoStr, "%s", etherproto_string(proto)); - - if (src_count) - fmtstr[12 + vc] = '>'; - if (dst_count) - fmtstr[10 + vc] = '<'; - - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - delim = RaFieldDelimiter; - else { - if (proto == 0) { - delim = '.'; - } else { - delim = ' '; - } - } - - if (proto == 0) { - sprintf (sportbuf, "%c%-4.4s", delim, llcsap_string((unsigned char) flow->mac_flow.ssap)); - sprintf (dportbuf, "%c%-4.4s", delim, llcsap_string((unsigned char) flow->mac_flow.dsap)); - } else { - sprintf (sportbuf, "%c ", delim); - sprintf (dportbuf, "%c ", delim); - - if (dst_count) { - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - fmtstr[9 + vc] = RaFieldDelimiter; - } else - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) - fmtstr[10 + vc] = RaFieldDelimiter; - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - fmtstr[22 + vc] = RaFieldDelimiter; - } - } - - strcat (srcString, sportbuf); - strcat (dstString, dportbuf); - - if ((strlen(protoStr) > 4) && !((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))) - protoStr[4] = '\0'; - - ArgusGetIndicatorString (argus, indStr); - - if (Iflag) { - if (cflag) - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, 
protoStr, - srcString, dstString, - src_count, dst_count, - src_bytes, dst_bytes); - else - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr, - srcString, dstString); - } else { - if (cflag) - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, - srcString, dstString, - src_count, dst_count, - src_bytes, dst_bytes); - else - sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, - srcString, dstString); - } - - if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) { - char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' '; - int len = strlen(date) - 1; - bzero (tmpbuf, sizeof(tmpbuf)); - - bcopy (str, ptr, len); - str += len; - ptr += len; - - while (*str) { - if (*str == ' ') { - if (lastchr != RaFieldDelimiter) - *ptr++ = RaFieldDelimiter; - while (isspace((int)*str)) str++; - } - lastchr = *str; - - *ptr++ = *str++; - } - bzero (argus_strbuf, MAXSTRLEN); - bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf)); - } - - return (argus_strbuf); -} - - - -#ifdef NOVFPRINTF -/* - * Stock 4.3 doesn't have vfprintf. - * This routine is due to Chris Torek. - */ -vfprintf(f, fmt, args) - FILE *f; - char *fmt; - va_list args; -{ - int ret; - - if ((f->_flag & _IOWRT) == 0) { - if (f->_flag & _IORW) - f->_flag |= _IOWRT; - else - return EOF; - } - ret = _doprnt(fmt, args, f); - return ferror(f) ? EOF : ret; -} -#endif - diff -NarU5 argus-2.0.6.fixes.1.orig/common/gencode.c argus-2.0.6.fixes.1/common/gencode.c --- argus-2.0.6.fixes.1.orig/common/gencode.c 2004-02-23 10:00:36.000000000 -0500 +++ argus-2.0.6.fixes.1/common/gencode.c 2006-04-21 14:57:52.000000000 -0400 
@@ -57,11 +57,11 @@
 #include
 #include
 #include
 #include
-#include
+#include
 #include
 #include
 #include
 #include
diff -NarU5 argus-2.0.6.fixes.1.orig/server/ArgusOutput.c argus-2.0.6.fixes.1/server/ArgusOutput.c
--- argus-2.0.6.fixes.1.orig/server/ArgusOutput.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/server/ArgusOutput.c 2006-04-21 14:57:52.000000000 -0400
@@ -1196,11 +1196,11 @@
 void ArgusCheckClientStatus ()
 {
 int retn, fd;
 struct sockaddr from;
- int len = sizeof (from);
+ socklen_t len = sizeof (from);
 if ((fd = accept (ArgusLfd, (struct sockaddr *)&from, &len)) > 0) {
 if ((fcntl (fd, F_SETFL, O_NONBLOCK)) >= 0) {
 if (ArgusTcpWrapper (fd, &from) >= 0) {
 int i;
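Review bot: The success test on the unchanged accept line, `if ((fd = accept (ArgusLfd, (struct sockaddr *)&from, &len)) > 0)`, treats descriptor 0 as a failure, although accept() signals failure only with -1; if descriptor 0 happens to be free in the daemon, the accepted connection is neither served nor closed, so the comparison should be `>= 0`. Separately, `from` is a plain `struct sockaddr`, so a peer address from a family larger than that structure would be truncated before `ArgusTcpWrapper (fd, &from)` makes its access decision. Whether the listening socket can be anything other than IPv4 is not visible here, but declaring `struct sockaddr_storage from;` and casting at the two call sites would remove the question. ArgusCheckClientStatus continues past the end of the hunk, so the handling of a rejected or failed descriptor cannot be checked from these lines.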