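/**************************************************************************
 * sA Network Connection Profiler [sancp] - A TCP/IP statistical/collection tool
 * ************************************************************************
 * Copyright (C) 2003 John Curry <john.curry@metre.net>
 *
 * This program is distributed under the terms of version 1.0 of the
 * Q Public License. See LICENSE.QPL for further details.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 ***********************************************************************/

#ifndef PCAPFILEHANDLE_H
#define PCAPFILEHANDLE_H

#include <sys/types.h>  /* ssize_t */
#include <sys/time.h>   /* struct timeval, used by write() */

#include "fileHandle.h"

/* Byte length of the libpcap global file header emitted by writePcapHeader(). */
#define PCAP_HEADER_SIZE 24

/*
 * Canonical libpcap global file header, byte for byte. Decoded, all fields
 * little-endian:
 *   d4 c3 b2 a1   magic 0xa1b2c3d4 (microsecond timestamps)
 *   02 00 04 00   version 2.4
 *   00 00 00 00   thiszone = 0
 *   00 00 00 00   sigfigs  = 0
 *   20 4e 00 00   snaplen  = 20000 bytes
 *   01 00 00 00   linktype 1 (Ethernet)
 *
 * The bytes are written as character escapes rather than 0xNN integer
 * constants: values above 0x7f do not fit a signed char, and C++11
 * brace-initialisation rejects that narrowing with a hard error. The
 * explicit array bound makes the compiler reject any mismatch with
 * PCAP_HEADER_SIZE (too many initialisers) instead of silently resizing.
 *
 * NOTE(review): the magic fixes the file as little-endian. If write()
 * stores record timestamps/lengths in host byte order, files produced on a
 * big-endian host will be unreadable -- confirm against the .cc.
 * NOTE(review): snaplen is advertised as 20000; pcap readers may reject
 * records whose captured length exceeds it, so write() should cap len to
 * PCAP snaplen (or this header should advertise a larger one) -- confirm.
 */
const char pcap_header[PCAP_HEADER_SIZE] = {
    '\xd4', '\xc3', '\xb2', '\xa1',   /* magic     */
    '\x02', '\x00', '\x04', '\x00',   /* version   */
    '\x00', '\x00', '\x00', '\x00',   /* thiszone  */
    '\x00', '\x00', '\x00', '\x00',   /* sigfigs   */
    '\x20', '\x4e', '\x00', '\x00',   /* snaplen   */
    '\x01', '\x00', '\x00', '\x00'    /* linktype  */
};

/*
 * Output file handle that writes raw packets in libpcap savefile format.
 *
 * Derives from fileHandle (declared in fileHandle.h, not visible here).
 * The destructor is protected, so callers cannot delete an instance
 * directly; presumably instances are released through the in_use
 * counting described in the design notes at the end of this file --
 * confirm in the implementation.
 */
class pcapFileHandle : public fileHandle {

public:
    pcapFileHandle();

    /*
     * newfilename: path of the output file. Presumably only recorded here,
     * with the actual open deferred to open() -- confirm in the .cc.
     */
    pcapFileHandle(const char *newfilename);

    /* Open the output file; return convention is defined by the .cc. */
    int open();

    /* Query the output file; return convention is defined by the .cc. */
    int stat();

    /*
     * Append one packet record to the file.
     *   data: packet bytes to record
     *   len:  number of bytes in data. Declared as int, so the
     *         implementation must reject negative values before using it
     *         as a length. NOTE(review): also see the snaplen caveat above.
     *   time: capture timestamp stored in the record header
     * Returns the ssize_t of the underlying write (presumably -1 on error).
     */
    ssize_t write(const char *data, int len, struct timeval *time);

    /*
     * Share this handle with another connection. Presumably returns a
     * pointer to this object and bumps the in_use count described below --
     * confirm in the .cc.
     */
    pcapFileHandle *attach();

protected:
    ~pcapFileHandle();

private:
    /* Emit pcap_header at the start of a freshly opened file. */
    void writePcapHeader();

};


/*
Flow of stuff
-------------

Upon startup, process command line, read configuration file (setup rules), get last connection ID,
open files, setup signal handling, open input device or file, run pcap_loop

Packet Processing

New connection -> first packet arrives, check if we want the packet
(ARP, RARP, IP broadcasts are not welcome) (need to use BPF instead)
Allocate memory for a "cnx" structure
Decode the packet; fill in the "cnx" structure

Check if we are already tracking this session;
if not, locate the applicable rule and initialize tracking accordingly,
recording realtime if required
Update connection information

Record raw data to the appropriate output file handle

Erase all idle connections (if 10 seconds have transpired since the last packet was received)
Close any unused output file handles
Free memory used for each connection we expire


Upon termination, record all open connections to stdout (should be configurable - or flag a
connection as being recorded prematurely)
Free all memory, close all open file handles, record last connection ID


1. Process-based output files - created when process starts
2. Rule-based output files - created when rules are processed
3. Connection-based output files - created when new connections are created

A. Open a connection, increment in_use; open output_file when in_use == 1
Z. Close a connection, decrement in_use; close output_file when in_use == 0

Need something to locate all connections that have a pointer to a specific file handle.
(not really but it would be cool)
*/

#endif /* PCAPFILEHANDLE_H */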