git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
tcpreplay
1
0
Fork 0
Files
Tree: 27a7598261
Branches Tags
tcpreplay
/
src
/
tree.c

tree.c 26 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881 
  1. /* $Id$ */
    2. 

  2. 

  3. /*
    4. 

  4.  *   Copyright (c) 2001-2010 Aaron Turner <aturner at synfin dot net>
    5. 

  5.  *   Copyright (c) 2013-2022 Fred Klassen <tcpreplay at appneta dot com> - AppNeta
    6. 

  6.  *
    7. 

  7.  *   The Tcpreplay Suite of tools is free software: you can redistribute it
    8. 

  8.  *   and/or modify it under the terms of the GNU General Public License as
    9. 

  9.  *   published by the Free Software Foundation, either version 3 of the
    10. 

  10.  *   License, or with the authors permission any later version.
    11. 

  11.  *
    12. 

  12.  *   The Tcpreplay Suite is distributed in the hope that it will be useful,
    13. 

  13.  *   but WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    15. 

  15.  *   GNU General Public License for more details.
    16. 

  16.  *
    17. 

  17.  *   You should have received a copy of the GNU General Public License
    18. 

  18.  *   along with the Tcpreplay Suite.  If not, see <http://www.gnu.org/licenses/>.
    19. 

  19.  */
    20. 

  20. 

  21. #include "tree.h"
    22. 

  22. #include "config.h"
    23. 

  23. #include "common.h"
    24. 

  24. #include "tcpprep_api.h"
    25. 

  25. #include "tcpprep_opts.h"
    26. 

  26. #include <stdio.h>
    27. 

  27. #include <stdlib.h>
    28. 

  28. #include <string.h>
    29. 

  29. 

  30. extern tcpr_data_tree_t treeroot;
    31. 

  31. extern tcpprep_t *tcpprep;
    32. 

  32. 

  33. /* static buffer used by tree_print*() functions */
    34. 

  34. char tree_print_buff[TREEPRINTBUFFLEN];
    35. 

  35. 

  36. static tcpr_tree_t *new_tree();
    37. 

  37. static tcpr_tree_t *packet2tree(const u_char *, int, int);
    38. 

  38. #ifdef DEBUG /* prevent compile warnings */
    39. 

  39. static char *tree_print(tcpr_data_tree_t *);
    40. 

  40. static char *tree_printnode(const char *, const tcpr_tree_t *);
    41. 

  41. #endif /* DEBUG */
    42. 

  42. static void tree_buildcidr(tcpr_data_tree_t *, tcpr_buildcidr_t *);
    43. 

  43. static int tree_checkincidr(tcpr_data_tree_t *, tcpr_buildcidr_t *);
    44. 

  44. 

  45. static int ipv6_cmp(const struct tcpr_in6_addr *a, const struct tcpr_in6_addr *b);
    46. 

  46. 

  47. RB_PROTOTYPE(tcpr_data_tree_s, tcpr_tree_s, node, tree_comp)
    48. 

  48. RB_GENERATE(tcpr_data_tree_s, tcpr_tree_s, node, tree_comp)
    49. 

  49. 

  50. /**
    51. 

  51.  * used with rbwalk to walk a tree and generate cidr_t * cidrdata.
    52. 

  52.  * is smart enough to prevent dupes.  void * arg is cast to bulidcidr_t
    53. 

  53.  */
    54. 

  54. void
    55. 

  55. tree_buildcidr(tcpr_data_tree_t *tree_root, tcpr_buildcidr_t *bcdata)
    56. 

  56. {
    57. 

  57.     tcpr_tree_t *node = NULL;
    58. 

  58.     tcpr_cidr_t *newcidr = NULL;
    59. 

  59.     unsigned long network;
    60. 

  60.     struct tcpr_in6_addr network6;
    61. 

  61.     unsigned long mask = ~0; /* turn on all bits */
    62. 

  62.     tcpprep_opt_t *options = tcpprep->options;
    63. 

  63.     uint32_t i, j, k;
    64. 

  64. 

  65.     dbg(1, "Running: tree_buildcidr()");
    66. 

  66. 

  67.     RB_FOREACH(node, tcpr_data_tree_s, tree_root)
    68. 

  68.     {
    69. 

  69.         /* we only check types that are valid */
    70. 

  70.         if (bcdata->type != DIR_ANY)        /* don't check if we're adding ANY */
    71. 

  71.             if (bcdata->type != node->type) /* no match, exit early */
    72. 

  72.                 return;
    73. 

  73.         /*
    74. 

  74.          * in cases of leaves and last visit add to cidrdata if
    75. 

  75.          * necessary.  First check IPv4
    76. 

  76.          */
    77. 

  77.         dbgx(4, "Checking if %s exists in cidrdata...", get_addr2name4(node->u.ip, RESOLVE));
    78. 

  78.         if (node->family == AF_INET) {
    79. 

  79.             if (!check_ip_cidr(options->cidrdata, node->u.ip)) { /* if we exist, abort */
    80. 

  80.                 dbgx(3, "Node %s doesn't exist... creating.", get_addr2name4(node->u.ip, RESOLVE));
    81. 

  81.                 newcidr = new_cidr();
    82. 

  82.                 newcidr->masklen = bcdata->masklen;
    83. 

  83.                 network = node->u.ip & (mask << (32 - bcdata->masklen));
    84. 

  84.                 dbgx(3, "Using network: %s", get_addr2name4(network, RESOLVE));
    85. 

  85.                 newcidr->u.network = network;
    86. 

  86.                 add_cidr(&options->cidrdata, &newcidr);
    87. 

  87.             }
    88. 

  88.         }
    89. 

  89.         /* Check IPv6 Address */
    90. 

  90.         else if (node->family == AF_INET6) {
    91. 

  91.             if (!check_ip6_cidr(options->cidrdata, &node->u.ip6)) { /* if we exist, abort */
    92. 

  92.                 dbgx(3, "Node %s doesn't exist... creating.", get_addr2name6(&node->u.ip6, RESOLVE));
    93. 

  93. 

  94.                 newcidr = new_cidr();
    95. 

  95.                 newcidr->masklen = bcdata->masklen;
    96. 

  96. 

  97.                 /* init each 4 quads to zero */
    98. 

  98.                 for (i = 0; i < 4; i++)
    99. 

  99.                     network6.tcpr_s6_addr32[i] = 0;
    100. 

  100. 

  101.                 /* Build our mask */
    102. 

  102.                 j = bcdata->masklen / 8;
    103. 

  103. 

  104.                 for (i = 0; i < j; i++)
    105. 

  105.                     network6.tcpr_s6_addr[i] = node->u.ip6.tcpr_s6_addr[i];
    106. 

  106. 

  107.                 if ((k = bcdata->masklen % 8) != 0) {
    108. 

  108.                     k = (uint32_t)~0 << (8 - k);
    109. 

  109.                     network6.tcpr_s6_addr[j] = node->u.ip6.tcpr_s6_addr[i] & k;
    110. 

  110.                 }
    111. 

  111. 

  112.                 dbgx(3, "Using network: %s", get_addr2name6(&network6, RESOLVE));
    113. 

  113.                 newcidr->u.network6 = network6;
    114. 

  114.                 add_cidr(&options->cidrdata, &newcidr);
    115. 

  115.             }
    116. 

  116.         }
    117. 

  117.     }
    118. 

  118. }
    119. 

  119. 

  120. /**
    121. 

  121.  * uses rbwalk to check to see if a given ip address of a given type in the
    122. 

  122.  * tree is inside any of the cidrdata
    123. 

  123.  */
    124. 

  124. static int
    125. 

  125. tree_checkincidr(tcpr_data_tree_t *tree_root, tcpr_buildcidr_t *bcdata)
    126. 

  126. {
    127. 

  127.     tcpr_tree_t *node = NULL;
    128. 

  128.     tcpprep_opt_t *options = tcpprep->options;
    129. 

  129. 

  130.     RB_FOREACH(node, tcpr_data_tree_s, tree_root)
    131. 

  131.     {
    132. 

  132.         /* we only check types that are valid */
    133. 

  133.         if (bcdata->type != DIR_ANY)        /* don't check if we're adding ANY */
    134. 

  134.             if (bcdata->type != node->type) /* no match, exit early */
    135. 

  135.                 return 0;
    136. 

  136. 

  137.         /*
    138. 

  138.          * in cases of leaves and last visit add to cidrdata if
    139. 

  139.          * necessary
    140. 

  140.          */
    141. 

  141.         if (node->family == AF_INET && check_ip_cidr(options->cidrdata, node->u.ip)) /* if we exist, abort */
    142. 

  142.             return 1;
    143. 

  143.         if (node->family == AF_INET6 && check_ip6_cidr(options->cidrdata, &node->u.ip6))
    144. 

  144.             return 1;
    145. 

  145.     }
    146. 

  146.     return 0;
    147. 

  147. }
    148. 

  148. 

  149. /**
    150. 

  150.  * processes the tree using rbwalk / tree2cidr to generate a CIDR
    151. 

  151.  * used for 2nd pass, router mode
    152. 

  152.  *
    153. 

  153.  * returns > 0 for success (the mask len), 0 for fail
    154. 

  154.  */
    155. 

  155. int
    156. 

  156. process_tree(void)
    157. 

  157. {
    158. 

  158.     int mymask;
    159. 

  159.     tcpr_buildcidr_t *bcdata;
    160. 

  160.     tcpprep_opt_t *options = tcpprep->options;
    161. 

  161. 

  162.     dbg(1, "Running: process_tree()");
    163. 

  163. 

  164.     bcdata = (tcpr_buildcidr_t *)safe_malloc(sizeof(tcpr_buildcidr_t));
    165. 

  165. 

  166.     for (mymask = options->max_mask; mymask <= options->min_mask; mymask++) {
    167. 

  167.         dbgx(1, "Current mask: %u", mymask);
    168. 

  168. 

  169.         /* set starting vals */
    170. 

  170.         bcdata->type = DIR_SERVER;
    171. 

  171.         bcdata->masklen = mymask;
    172. 

  172. 

  173.         /* build cidrdata with servers */
    174. 

  174.         tree_buildcidr(&treeroot, bcdata);
    175. 

  175. 

  176.         /* calculate types of all IP's */
    177. 

  177.         tree_calculate(&treeroot);
    178. 

  178. 

  179.         /* try to find clients in cidrdata */
    180. 

  180.         bcdata->type = DIR_CLIENT;
    181. 

  181. 

  182.         if (!tree_checkincidr(&treeroot, bcdata)) { /* didn't find any clients in cidrdata */
    183. 

  183.             safe_free(bcdata);
    184. 

  184.             return (mymask); /* success! */
    185. 

  185.         } else {
    186. 

  186.             destroy_cidr(options->cidrdata); /* clean up after our mess */
    187. 

  187.             options->cidrdata = NULL;
    188. 

  188.         }
    189. 

  189.     }
    190. 

  190. 

  191.     safe_free(bcdata);
    192. 

  192.     /* we failed to find a valid cidr list */
    193. 

  193.     notice("Unable to determine any IP addresses as a clients.");
    194. 

  194.     notice("Perhaps you should change the --ratio, --minmask/maxmask settings, or try another mode?");
    195. 

  195.     return (0);
    196. 

  196. }
    197. 

  197. 

  198. /*
    199. 

  199.  * processes rbdata to build cidrdata based upon the
    200. 

  200.  * given type (SERVER, CLIENT, UNKNOWN) using the given masklen
    201. 

  201.  *
    202. 

  202.  * is smart enough to prevent dupes
    203. 

  203. 

  204. void
    205. 

  205. tcpr_tree_to_cidr(int masklen, int type)
    206. 

  206. {
    207. 

  207. 

  208. }
    209. 

  209.  */
    210. 

  210. 

  211. /**
    212. 

  212.  * Checks to see if an IP is client or server by finding it in the tree
    213. 

  213.  * returns TCPR_DIR_C2S or TCPR_DIR_S2C or -1 on error
    214. 

  214.  * if mode = UNKNOWN, then abort on unknowns
    215. 

  215.  * if mode = CLIENT, then unknowns become clients
    216. 

  216.  * if mode = SERVER, then unknowns become servers
    217. 

  217.  */
    218. 

  218. tcpr_dir_t
    219. 

  219. check_ip_tree(int mode, unsigned long ip)
    220. 

  220. {
    221. 

  221.     tcpr_tree_t *node, *finder;
    222. 

  222. 

  223.     finder = new_tree();
    224. 

  224.     finder->family = AF_INET;
    225. 

  225.     finder->u.ip = ip;
    226. 

  226. 

  227.     node = RB_FIND(tcpr_data_tree_s, &treeroot, finder);
    228. 

  228. 

  229.     if (node == NULL && mode == DIR_UNKNOWN) {
    230. 

  230.         safe_free(finder);
    231. 

  231.         errx(-1,
    232. 

  232.              "%s (%lu) is an unknown system... aborting.!\n"
    233. 

  233.              "Try a different auto mode (-n router|client|server)",
    234. 

  234.              get_addr2name4(ip, RESOLVE),
    235. 

  235.              ip);
    236. 

  236.     }
    237. 

  237. 

  238.     /* return node type if we found the node, else return the default (mode) */
    239. 

  239.     if (node != NULL) {
    240. 

  240.         switch (node->type) {
    241. 

  241.         case DIR_SERVER:
    242. 

  242.             dbgx(1, "DIR_SERVER: %s", get_addr2name4(ip, RESOLVE));
    243. 

  243.             safe_free(finder);
    244. 

  244.             return TCPR_DIR_S2C;
    245. 

  245.         case DIR_CLIENT:
    246. 

  246.             dbgx(1, "DIR_CLIENT: %s", get_addr2name4(ip, RESOLVE));
    247. 

  247.             safe_free(finder);
    248. 

  248.             return TCPR_DIR_C2S;
    249. 

  249.         case DIR_UNKNOWN:
    250. 

  250.             dbgx(1, "DIR_UNKNOWN: %s", get_addr2name4(ip, RESOLVE));
    251. 

  251.             /* use our current mode to determine return code */
    252. 

  252.             goto return_unknown;
    253. 

  253.         case DIR_ANY:
    254. 

  254.             dbgx(1, "DIR_ANY: %s", get_addr2name4(ip, RESOLVE));
    255. 

  255.             goto return_unknown;
    256. 

  256.         default:
    257. 

  257.             errx(-1, "Node for %s has invalid type: %d", get_addr2name4(ip, RESOLVE), node->type);
    258. 

  258.         }
    259. 

  259.     }
    260. 

  260. 

  261. return_unknown:
    262. 

  262.     safe_free(finder);
    263. 

  263.     switch (mode) {
    264. 

  264.     case DIR_SERVER:
    265. 

  265.         return TCPR_DIR_S2C;
    266. 

  266.     case DIR_CLIENT:
    267. 

  267.         return TCPR_DIR_C2S;
    268. 

  268.     default:
    269. 

  269.         return -1;
    270. 

  270.     }
    271. 

  271. }
    272. 

  272. 

  273. tcpr_dir_t
    274. 

  274. check_ip6_tree(int mode, const struct tcpr_in6_addr *addr)
    275. 

  275. {
    276. 

  276.     tcpr_tree_t *node, *finder;
    277. 

  277. 

  278.     finder = new_tree();
    279. 

  279.     finder->family = AF_INET6;
    280. 

  280.     finder->u.ip6 = *addr;
    281. 

  281. 

  282.     node = RB_FIND(tcpr_data_tree_s, &treeroot, finder);
    283. 

  283. 

  284.     if (node == NULL && mode == DIR_UNKNOWN) {
    285. 

  285.         safe_free(finder);
    286. 

  286.         errx(-1,
    287. 

  287.              "%s is an unknown system... aborting.!\n"
    288. 

  288.              "Try a different auto mode (-n router|client|server)",
    289. 

  289.              get_addr2name6(addr, RESOLVE));
    290. 

  290.     }
    291. 

  291. 

  292.     /* return node type if we found the node, else return the default (mode) */
    293. 

  293.     if (node != NULL) {
    294. 

  294.         switch (node->type) {
    295. 

  295.         case DIR_SERVER:
    296. 

  296.             dbgx(1, "DIR_SERVER: %s", get_addr2name6(addr, RESOLVE));
    297. 

  297.             safe_free(finder);
    298. 

  298.             return TCPR_DIR_S2C;
    299. 

  299.         case DIR_CLIENT:
    300. 

  300.             dbgx(1, "DIR_CLIENT: %s", get_addr2name6(addr, RESOLVE));
    301. 

  301.             safe_free(finder);
    302. 

  302.             return TCPR_DIR_C2S;
    303. 

  303.         case DIR_UNKNOWN:
    304. 

  304.             dbgx(1, "DIR_UNKNOWN: %s", get_addr2name6(addr, RESOLVE));
    305. 

  305.             /* use our current mode to determine return code */
    306. 

  306.             goto return_unknown;
    307. 

  307.         case DIR_ANY:
    308. 

  308.             dbgx(1, "DIR_ANY: %s", get_addr2name6(addr, RESOLVE));
    309. 

  309.             goto return_unknown;
    310. 

  310.         default:
    311. 

  311.             errx(-1, "Node for %s has invalid type: %d", get_addr2name6(addr, RESOLVE), node->type);
    312. 

  312.         }
    313. 

  313.     }
    314. 

  314. 

  315. return_unknown:
    316. 

  316.     safe_free(finder);
    317. 

  317.     switch (mode) {
    318. 

  318.     case DIR_SERVER:
    319. 

  319.         return TCPR_DIR_S2C;
    320. 

  320.     case DIR_CLIENT:
    321. 

  321.         return TCPR_DIR_C2S;
    322. 

  322.     default:
    323. 

  323.         return -1;
    324. 

  324.     }
    325. 

  325. }
    326. 

  326. 

  327. /**
    328. 

  328.  * Parses the IP header of the given packet (data) to get the SRC/DST IP
    329. 

  329.  * addresses.  If the SRC IP doesn't exist in the TREE, we add it as a
    330. 

  330.  * client, if the DST IP doesn't exist in the TREE, we add it as a server
    331. 

  331.  */
    332. 

  332. void
    333. 

  333. add_tree_first_ipv4(const u_char *data, int len, int datalink)
    334. 

  334. {
    335. 

  335.     tcpr_tree_t *newnode, *findnode;
    336. 

  336.     uint32_t _U_ vlan_offset;
    337. 

  337.     uint32_t pkt_len = len;
    338. 

  338.     uint16_t ether_type;
    339. 

  339.     uint32_t l2offset;
    340. 

  340.     ipv4_hdr_t ip_hdr;
    341. 

  341.     uint32_t l2len;
    342. 

  342.     int res;
    343. 

  343. 

  344.     assert(data);
    345. 

  345. 

  346.     res = get_l2len_protocol(data, pkt_len, datalink, &ether_type, &l2len, &l2offset, &vlan_offset);
    347. 

  347. 

  348.     if (res == -1 || len < (int)(l2len + TCPR_IPV4_H)) {
    349. 

  349.         errx(-1, "Capture length %d too small for IPv4 parsing", len);
    350. 

  350.     }
    351. 

  351. 

  352.     /*
    353. 

  353.      * first add/find the source IP/client
    354. 

  354.      */
    355. 

  355.     newnode = new_tree();
    356. 

  356. 

  357.     /* prevent issues with byte alignment, must memcpy */
    358. 

  358.     memcpy(&ip_hdr, data + l2len, TCPR_IPV4_H);
    359. 

  359. 

  360.     /* copy over the source ip, and values to guarantee this a client */
    361. 

  361.     newnode->family = AF_INET;
    362. 

  362.     newnode->u.ip = ip_hdr.ip_src.s_addr;
    363. 

  363.     newnode->type = DIR_CLIENT;
    364. 

  364.     newnode->client_cnt = 1000;
    365. 

  365.     findnode = RB_FIND(tcpr_data_tree_s, &treeroot, newnode);
    366. 

  366. 

  367.     /* if we didn't find it, add it to the tree, else free it */
    368. 

  368.     if (findnode == NULL) {
    369. 

  369.         RB_INSERT(tcpr_data_tree_s, &treeroot, newnode);
    370. 

  370.     } else {
    371. 

  371.         safe_free(newnode);
    372. 

  372.     }
    373. 

  373. 

  374.     /*
    375. 

  375.      * now add/find the destination IP/server
    376. 

  376.      */
    377. 

  377.     newnode = new_tree();
    378. 

  378.     memcpy(&ip_hdr, data + l2len, TCPR_IPV4_H);
    379. 

  379. 

  380.     newnode->family = AF_INET;
    381. 

  381.     newnode->u.ip = ip_hdr.ip_dst.s_addr;
    382. 

  382.     newnode->type = DIR_SERVER;
    383. 

  383.     newnode->server_cnt = 1000;
    384. 

  384.     findnode = RB_FIND(tcpr_data_tree_s, &treeroot, newnode);
    385. 

  385. 

  386.     if (findnode == NULL) {
    387. 

  387.         RB_INSERT(tcpr_data_tree_s, &treeroot, newnode);
    388. 

  388.     } else {
    389. 

  389.         safe_free(newnode);
    390. 

  390.     }
    391. 

  391. }
    392. 

  392. 

  393. void
    394. 

  394. add_tree_first_ipv6(const u_char *data, int len, int datalink)
    395. 

  395. {
    396. 

  396.     tcpr_tree_t *newnode, *findnode;
    397. 

  397.     uint32_t _U_ vlan_offset;
    398. 

  398.     uint32_t pkt_len = len;
    399. 

  399.     uint16_t ether_type;
    400. 

  400.     ipv6_hdr_t ip6_hdr;
    401. 

  401.     uint32_t l2offset;
    402. 

  402.     uint32_t l2len;
    403. 

  403.     int res;
    404. 

  404. 

  405.     assert(data);
    406. 

  406. 

  407.     res = get_l2len_protocol(data, pkt_len, datalink, &ether_type, &l2len, &l2offset, &vlan_offset);
    408. 

  408. 

  409.     if (res == -1 || len < (int)(l2len + TCPR_IPV6_H))
    410. 

  410.         errx(-1, "Capture length %d too small for IPv6 parsing", len);
    411. 

  411. 

  412.     /*
    413. 

  413.      * first add/find the source IP/client
    414. 

  414.      */
    415. 

  415.     newnode = new_tree();
    416. 

  416. 

  417.     /* prevent issues with byte alignment, must memcpy */
    418. 

  418.     memcpy(&ip6_hdr, data + l2len, TCPR_IPV6_H);
    419. 

  419. 

  420.     /* copy over the source ip, and values to guarantee this a client */
    421. 

  421.     newnode->family = AF_INET6;
    422. 

  422.     newnode->u.ip6 = ip6_hdr.ip_src;
    423. 

  423.     newnode->type = DIR_CLIENT;
    424. 

  424.     newnode->client_cnt = 1000;
    425. 

  425.     findnode = RB_FIND(tcpr_data_tree_s, &treeroot, newnode);
    426. 

  426. 

  427.     /* if we didn't find it, add it to the tree, else free it */
    428. 

  428.     if (findnode == NULL) {
    429. 

  429.         RB_INSERT(tcpr_data_tree_s, &treeroot, newnode);
    430. 

  430.     } else {
    431. 

  431.         safe_free(newnode);
    432. 

  432.     }
    433. 

  433. 

  434.     /*
    435. 

  435.      * now add/find the destination IP/server
    436. 

  436.      */
    437. 

  437.     newnode = new_tree();
    438. 

  438.     memcpy(&ip6_hdr, data + l2len, TCPR_IPV6_H);
    439. 

  439. 

  440.     newnode->family = AF_INET6;
    441. 

  441.     newnode->u.ip6 = ip6_hdr.ip_dst;
    442. 

  442.     newnode->type = DIR_SERVER;
    443. 

  443.     newnode->server_cnt = 1000;
    444. 

  444.     findnode = RB_FIND(tcpr_data_tree_s, &treeroot, newnode);
    445. 

  445. 

  446.     if (findnode == NULL) {
    447. 

  447.         RB_INSERT(tcpr_data_tree_s, &treeroot, newnode);
    448. 

  448.     } else {
    449. 

  449.         safe_free(newnode);
    450. 

  450.     }
    451. 

  451. }
    452. 

  452. 

  453. static void
    454. 

  454. add_tree_node(tcpr_tree_t *newnode)
    455. 

  455. {
    456. 

  456.     tcpr_tree_t *node;
    457. 

  457. 

  458.     /* try to find a simular entry in the tree */
    459. 

  459.     node = RB_FIND(tcpr_data_tree_s, &treeroot, newnode);
    460. 

  460. 

  461.     dbgx(3, "%s", tree_printnode("add_tree", node));
    462. 

  462. 

  463.     /* new entry required */
    464. 

  464.     if (node == NULL) {
    465. 

  465.         /* increment counters */
    466. 

  466.         if (newnode->type == DIR_SERVER) {
    467. 

  467.             newnode->server_cnt++;
    468. 

  468.         } else if (newnode->type == DIR_CLIENT) {
    469. 

  469.             newnode->client_cnt++;
    470. 

  470.         }
    471. 

  471.         /* insert it in */
    472. 

  472.         RB_INSERT(tcpr_data_tree_s, &treeroot, newnode);
    473. 

  473. 

  474.     } else {
    475. 

  475.         /* we found something, so update it */
    476. 

  476.         dbgx(2, "   node: %p\nnewnode: %p", node, newnode);
    477. 

  477.         dbgx(3, "%s", tree_printnode("update node", node));
    478. 

  478.         /* increment counter */
    479. 

  479.         if (newnode->type == DIR_SERVER) {
    480. 

  480.             node->server_cnt++;
    481. 

  481.         } else if (newnode->type == DIR_CLIENT) {
    482. 

  482.             /* temp debug code */
    483. 

  483.             node->client_cnt++;
    484. 

  484.         }
    485. 

  485. 

  486.         /* didn't insert it, so free it */
    487. 

  487.         safe_free(newnode);
    488. 

  488.     }
    489. 

  489. 

  490.     dbg(2, "------- START NEXT -------");
    491. 

  491.     dbgx(3, "%s", tree_print(&treeroot));
    492. 

  492. }
    493. 

  493. 

  494. /**
    495. 

  495.  * adds an entry to the tree (phase 1 of auto mode).  We add each host
    496. 

  496.  * to the tree if it doesn't yet exist.  We go through and track:
    497. 

  497.  * - number of times each host acts as a client or server
    498. 

  498.  * - the way the host acted the first time we saw it (client or server)
    499. 

  499.  */
    500. 

  500. void
    501. 

  501. add_tree_ipv4(unsigned long ip, const u_char *data, int len, int datalink)
    502. 

  502. {
    503. 

  503.     tcpr_tree_t *newnode;
    504. 

  504.     assert(data);
    505. 

  505. 

  506.     newnode = packet2tree(data, len, datalink);
    507. 

  507.     assert(newnode);
    508. 

  508.     assert(ip == newnode->u.ip);
    509. 

  509.     if (newnode->type == DIR_UNKNOWN) {
    510. 

  510.         /* couldn't figure out if packet was client or server */
    511. 

  511. 

  512.         dbgx(2, "%s (%lu) unknown client/server", get_addr2name4(newnode->u.ip, RESOLVE), newnode->u.ip);
    513. 

  513.     }
    514. 

  514. 

  515.     add_tree_node(newnode);
    516. 

  516. }
    517. 

  517. 

  518. void
    519. 

  519. add_tree_ipv6(const struct tcpr_in6_addr *addr, const u_char *data, int len, int datalink)
    520. 

  520. {
    521. 

  521.     tcpr_tree_t *newnode;
    522. 

  522.     assert(data);
    523. 

  523. 

  524.     newnode = packet2tree(data, len, datalink);
    525. 

  525.     assert(newnode);
    526. 

  526.     assert(ipv6_cmp(addr, &newnode->u.ip6) == 0);
    527. 

  527.     if (newnode->type == DIR_UNKNOWN) {
    528. 

  528.         /* couldn't figure out if packet was client or server */
    529. 

  529. 

  530.         dbgx(2, "%s unknown client/server", get_addr2name6(&newnode->u.ip6, RESOLVE));
    531. 

  531.     }
    532. 

  532. 

  533.     add_tree_node(newnode);
    534. 

  534. }
    535. 

  535. 

  536. /**
    537. 

  537.  * calculates whether each node in the tree is a client, server, or unknown for each node in the tree
    538. 

  538.  */
    539. 

  539. void
    540. 

  540. tree_calculate(tcpr_data_tree_t *tree_root)
    541. 

  541. {
    542. 

  542.     tcpr_tree_t *node;
    543. 

  543.     tcpprep_opt_t *options = tcpprep->options;
    544. 

  544. 

  545.     dbg(1, "Running tree_calculate()");
    546. 

  546. 

  547.     RB_FOREACH(node, tcpr_data_tree_s, tree_root)
    548. 

  548.     {
    549. 

  549.         dbgx(4, "Processing %s", get_addr2name4(node->u.ip, RESOLVE));
    550. 

  550.         if ((node->server_cnt > 0) || (node->client_cnt > 0)) {
    551. 

  551.             /* type based on: server >= (client*ratio) */
    552. 

  552.             if ((double)node->server_cnt >= (double)node->client_cnt * options->ratio) {
    553. 

  553.                 node->type = DIR_SERVER;
    554. 

  554.                 dbgx(3, "Setting %s to server", get_addr2name4(node->u.ip, RESOLVE));
    555. 

  555.             } else {
    556. 

  556.                 node->type = DIR_CLIENT;
    557. 

  557.                 dbgx(3, "Setting %s to client", get_addr2name4(node->u.ip, RESOLVE));
    558. 

  558.             }
    559. 

  559.         } else { /* IP had no client or server connections */
    560. 

  560.             node->type = DIR_UNKNOWN;
    561. 

  561.             dbgx(3, "Setting %s to unknown", get_addr2name4(node->u.ip, RESOLVE));
    562. 

  562.         }
    563. 

  563.     }
    564. 

  564. }
    565. 

  565. 

  566. static int
    567. 

  567. ipv6_cmp(const struct tcpr_in6_addr *a, const struct tcpr_in6_addr *b)
    568. 

  568. {
    569. 

  569.     int i;
    570. 

  570. 

  571.     for (i = 0; i < 4; i++) {
    572. 

  572.         int k;
    573. 

  573.         if ((k = ((int)a->tcpr_s6_addr32[i] - (int)b->tcpr_s6_addr32[i]))) {
    574. 

  574.             return (k > 0) ? 1 : -1;
    575. 

  575.         }
    576. 

  576.     }
    577. 

  577. 

  578.     return 0;
    579. 

  579. }
    580. 

  580. 

  581. /**
    582. 

  582.  * tree_comp(), called by rbsearch compares two treees and returns:
    583. 

  583.  * 1  = first > second
    584. 

  584.  * -1 = first < second
    585. 

  585.  * 0  = first = second
    586. 

  586.  * based upon the ip address stored
    587. 

  587.  *
    588. 

  588.  */
    589. 

  589. int
    590. 

  590. tree_comp(tcpr_tree_t *t1, tcpr_tree_t *t2)
    591. 

  591. {
    592. 

  592.     if (t1->family > t2->family) {
    593. 

  593.         dbgx(2, "family %d > %d", t1->family, t2->family);
    594. 

  594.         return 1;
    595. 

  595.     }
    596. 

  596. 

  597.     if (t1->family < t2->family) {
    598. 

  598.         dbgx(2, "family %d < %d", t1->family, t2->family);
    599. 

  599.         return -1;
    600. 

  600.     }
    601. 

  601. 

  602.     if (t1->family == AF_INET) {
    603. 

  603.         if (t1->u.ip > t2->u.ip) {
    604. 

  604.             dbgx(2, "%s > %s", get_addr2name4(t1->u.ip, RESOLVE), get_addr2name4(t2->u.ip, RESOLVE));
    605. 

  605.             return 1;
    606. 

  606.         }
    607. 

  607. 

  608.         if (t1->u.ip < t2->u.ip) {
    609. 

  609.             dbgx(2, "%s < %s", get_addr2name4(t1->u.ip, RESOLVE), get_addr2name4(t2->u.ip, RESOLVE));
    610. 

  610.             return -1;
    611. 

  611.         }
    612. 

  612. 

  613.         dbgx(2, "%s = %s", get_addr2name4(t1->u.ip, RESOLVE), get_addr2name4(t2->u.ip, RESOLVE));
    614. 

  614. 

  615.         return 0;
    616. 

  616.     }
    617. 

  617. 

  618.     if (t1->family == AF_INET6) {
    619. 

  619.         int ret = ipv6_cmp(&t1->u.ip6, &t1->u.ip6);
    620. 

  620.         dbgx(2, "cmp(%s, %s) = %d", get_addr2name6(&t1->u.ip6, RESOLVE), get_addr2name6(&t2->u.ip6, RESOLVE), ret);
    621. 

  621.         return ret;
    622. 

  622.     }
    623. 

  623. 

  624.     return 0;
    625. 

  625. }
    626. 

  626. 

  627. /**
    628. 

  628.  * creates a new TREE * with reasonable defaults
    629. 

  629.  */
    630. 

  630. static tcpr_tree_t *
    631. 

  631. new_tree()
    632. 

  632. {
    633. 

  633.     tcpr_tree_t *node;
    634. 

  634. 

  635.     node = (tcpr_tree_t *)safe_malloc(sizeof(tcpr_tree_t));
    636. 

  636. 

  637.     memset(node, '\0', sizeof(tcpr_tree_t));
    638. 

  638.     node->server_cnt = 0;
    639. 

  639.     node->client_cnt = 0;
    640. 

  640.     node->type = DIR_UNKNOWN;
    641. 

  641.     node->masklen = -1;
    642. 

  642.     node->u.ip = 0;
    643. 

  643.     return (node);
    644. 

  644. }
    645. 

  645. 

  646. /**
    647. 

  647.  * returns a struct of TREE * from a packet header
    648. 

  648.  * and sets the type to be SERVER or CLIENT or UNKNOWN
    649. 

  649.  * if it's an undefined packet, we return -1 for the type
    650. 

  650.  * the u_char * data should be the data that is passed by pcap_dispatch()
    651. 

  651.  */
    652. 

  652. static tcpr_tree_t *
    653. 

  653. packet2tree(const u_char *data, int len, int datalink)
    654. 

  654. {
    655. 

  655.     uint32_t _U_ vlan_offset;
    656. 

  656.     ssize_t pkt_len = len;
    657. 

  657.     tcpr_tree_t *node = NULL;
    658. 

  658.     ipv4_hdr_t ip_hdr;
    659. 

  659.     ipv6_hdr_t ip6_hdr;
    660. 

  660.     tcp_hdr_t tcp_hdr;
    661. 

  661.     udp_hdr_t udp_hdr;
    662. 

  662.     icmpv4_hdr_t icmp_hdr;
    663. 

  663.     dnsv4_hdr_t dnsv4_hdr;
    664. 

  664.     u_int16_t ether_type;
    665. 

  665.     uint32_t l2offset;
    666. 

  666.     u_char proto = 0;
    667. 

  667.     uint32_t l2len;
    668. 

  668.     int hl = 0;
    669. 

  669.     int res;
    670. 

  670. 

  671. #ifdef DEBUG
    672. 

  672.     char srcip[INET6_ADDRSTRLEN];
    673. 

  673. #endif
    674. 

  674. 

  675.     res = get_l2len_protocol(data, pkt_len, datalink, &ether_type, &l2len, &l2offset, &vlan_offset);
    676. 

  676. 

  677.     if (res == -1)
    678. 

  678.         goto len_error;
    679. 

  679. 

  680.     node = new_tree();
    681. 

  681. 

  682.     if (ether_type == ETHERTYPE_IP) {
    683. 

  683.         if (pkt_len < (ssize_t)l2len + TCPR_IPV4_H + hl)
    684. 

  684.             goto len_error;
    685. 

  685. 

  686.         memcpy(&ip_hdr, data + l2len + hl, TCPR_IPV4_H);
    687. 

  687. 

  688.         node->family = AF_INET;
    689. 

  689.         node->u.ip = ip_hdr.ip_src.s_addr;
    690. 

  690.         proto = ip_hdr.ip_p;
    691. 

  691.         hl += ip_hdr.ip_hl * 4;
    692. 

  692. 

  693. #ifdef DEBUG
    694. 

  694.         strlcpy(srcip, get_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE), 16);
    695. 

  695. #endif
    696. 

  696.     } else if (ether_type == ETHERTYPE_IP6) {
    697. 

  697.         if (pkt_len < (ssize_t)l2len + TCPR_IPV6_H + hl) {
    698. 

  698.             goto len_error;
    699. 

  699.         }
    700. 

  700. 

  701.         memcpy(&ip6_hdr, data + l2len + hl, TCPR_IPV6_H);
    702. 

  702. 

  703.         node->family = AF_INET6;
    704. 

  704.         node->u.ip6 = ip6_hdr.ip_src;
    705. 

  705.         proto = ip6_hdr.ip_nh;
    706. 

  706.         hl += TCPR_IPV6_H;
    707. 

  707. 

  708. #ifdef DEBUG
    709. 

  709.         strlcpy(srcip, get_addr2name6(&ip6_hdr.ip_src, RESOLVE), INET6_ADDRSTRLEN);
    710. 

  710. #endif
    711. 

  711.     } else {
    712. 

  712.         dbgx(2, "Unrecognized ether_type (%x)", ether_type);
    713. 

  713.     }
    714. 

  714. 

  715.     /*
    716. 

  716.      * TCP
    717. 

  717.      */
    718. 

  718.     if (proto == IPPROTO_TCP) {
    719. 

  719. #ifdef DEBUG
    720. 

  720.         dbgx(3, "%s uses TCP...  ", srcip);
    721. 

  721. #endif
    722. 

  722. 

  723.         if (pkt_len < (ssize_t)l2len + TCPR_TCP_H + hl)
    724. 

  724.             goto len_error;
    725. 

  725. 

  726.         /* memcpy it over to prevent alignment issues */
    727. 

  727.         memcpy(&tcp_hdr, data + l2len + hl, TCPR_TCP_H);
    728. 

  728. 

  729.         /* ftp-data is going to skew our results so we ignore it */
    730. 

  730.         if (tcp_hdr.th_sport == 20)
    731. 

  731.             return (node);
    732. 

  732. 

  733.         /* set TREE->type based on TCP flags */
    734. 

  734.         if (tcp_hdr.th_flags == TH_SYN) {
    735. 

  735.             node->type = DIR_CLIENT;
    736. 

  736.             dbg(3, "is a client");
    737. 

  737.         } else if (tcp_hdr.th_flags == (TH_SYN | TH_ACK)) {
    738. 

  738.             node->type = DIR_SERVER;
    739. 

  739.             dbg(3, "is a server");
    740. 

  740.         } else {
    741. 

  741.             dbg(3, "is an unknown");
    742. 

  742.         }
    743. 

  743.     }
    744. 

  744.     /*
    745. 

  745.      * UDP
    746. 

  746.      */
    747. 

  747.     else if (proto == IPPROTO_UDP) {
    748. 

  748.         if (pkt_len < (ssize_t)l2len + TCPR_UDP_H + hl)
    749. 

  749.             goto len_error;
    750. 

  750. 

  751.         /* memcpy over to prevent alignment issues */
    752. 

  752.         memcpy(&udp_hdr, data + l2len + hl, TCPR_UDP_H);
    753. 

  753. #ifdef DEBUG
    754. 

  754.         dbgx(3, "%s uses UDP...  ", srcip);
    755. 

  755. #endif
    756. 

  756. 

  757.         switch (ntohs(udp_hdr.uh_dport)) {
    758. 

  758.         case 0x0035: /* dns */
    759. 

  759.             if (pkt_len < (ssize_t)l2len + TCPR_UDP_H + TCPR_DNS_H + hl)
    760. 

  760.                 goto len_error;
    761. 

  761. 

  762.             /* prevent memory alignment issues */
    763. 

  763.             memcpy(&dnsv4_hdr, data + l2len + hl + TCPR_UDP_H, TCPR_DNS_H);
    764. 

  764. 

  765.             if (dnsv4_hdr.flags & DNS_QUERY_FLAG) {
    766. 

  766.                 /* bit set, response */
    767. 

  767.                 node->type = DIR_SERVER;
    768. 

  768. 

  769.                 dbg(3, "is a dns server");
    770. 

  770. 

  771.             } else {
    772. 

  772.                 /* bit not set, query */
    773. 

  773.                 node->type = DIR_CLIENT;
    774. 

  774. 

  775.                 dbg(3, "is a dns client");
    776. 

  776.             }
    777. 

  777.             return (node);
    778. 

  778.         default:
    779. 

  779.             break;
    780. 

  780.         }
    781. 

  781. 

  782.         switch (ntohs(udp_hdr.uh_sport)) {
    783. 

  783.         case 0x0035: /* dns */
    784. 

  784.             if (pkt_len < (ssize_t)l2len + TCPR_UDP_H + TCPR_DNS_H + hl)
    785. 

  785.                 goto len_error;
    786. 

  786. 

  787.             /* prevent memory alignment issues */
    788. 

  788.             memcpy(&dnsv4_hdr, data + l2len + hl + TCPR_UDP_H, TCPR_DNS_H);
    789. 

  789. 

  790.             if ((dnsv4_hdr.flags & 0x7FFFF) ^ DNS_QUERY_FLAG) {
    791. 

  791.                 /* bit set, response */
    792. 

  792.                 node->type = DIR_SERVER;
    793. 

  793.                 dbg(3, "is a dns server");
    794. 

  794.             } else {
    795. 

  795.                 /* bit not set, query */
    796. 

  796.                 node->type = DIR_CLIENT;
    797. 

  797.                 dbg(3, "is a dns client");
    798. 

  798.             }
    799. 

  799.             return (node);
    800. 

  800.         default:
    801. 

  801. 

  802.             dbgx(3, "unknown UDP protocol: %hu->%hu", udp_hdr.uh_sport, udp_hdr.uh_dport);
    803. 

  803.             break;
    804. 

  804.         }
    805. 

  805.     }
    806. 

  806.     /*
    807. 

  807.      * ICMP
    808. 

  808.      */
    809. 

  809.     else if (proto == IPPROTO_ICMP) {
    810. 

  810.         if (pkt_len < (ssize_t)l2len + TCPR_ICMPV4_H + hl)
    811. 

  811.             goto len_error;
    812. 

  812. 

  813.         /* prevent alignment issues */
    814. 

  814.         memcpy(&icmp_hdr, data + l2len + hl, TCPR_ICMPV4_H);
    815. 

  815. 

  816. #ifdef DEBUG
    817. 

  817.         dbgx(3, "%s uses ICMP...  ", srcip);
    818. 

  818. #endif
    819. 

  819. 

  820.         /*
    821. 

  821.          * if port unreachable, then source == server, dst == client
    822. 

  822.          */
    823. 

  823.         if ((icmp_hdr.icmp_type == ICMP_UNREACH) && (icmp_hdr.icmp_code == ICMP_UNREACH_PORT)) {
    824. 

  824.             node->type = DIR_SERVER;
    825. 

  825.             dbg(3, "is a server with a closed port");
    826. 

  826.         }
    827. 

  827.     }
    828. 

  828. 

  829.     return (node);
    830. 

  830. 

  831. len_error:
    832. 

  832.     safe_free(node);
    833. 

  833.     errx(-1, "packet capture length %d too small to process", len);
    834. 

  834. }
    835. 

  835. 

  836. #ifdef DEBUG
    837. 

  837. /**
    838. 

  838.  * prints out a node of the tree to stderr
    839. 

  839.  */
    840. 

  840. static char *
    841. 

  841. tree_printnode(const char *name, const tcpr_tree_t *node)
    842. 

  842. {
    843. 

  843.     memset(&tree_print_buff, '\0', TREEPRINTBUFFLEN);
    844. 

  844.     if (node == NULL) {
    845. 

  845.         snprintf(tree_print_buff, TREEPRINTBUFFLEN, "%s node is null", name);
    846. 

  846.     }
    847. 

  847. 

  848.     else {
    849. 

  849.         snprintf(tree_print_buff,
    850. 

  850.                  TREEPRINTBUFFLEN,
    851. 

  851.                  "-- %s: %p\nIP: %s\nMask: %d\nSrvr: %d\nClnt: %d\n",
    852. 

  852.                  name,
    853. 

  853.                  (void *)node,
    854. 

  854.                  node->family == AF_INET ? get_addr2name4(node->u.ip, RESOLVE) : get_addr2name6(&node->u.ip6, RESOLVE),
    855. 

  855.                  node->masklen,
    856. 

  856.                  node->server_cnt,
    857. 

  857.                  node->client_cnt);
    858. 

  858.         if (node->type == DIR_SERVER) {
    859. 

  859.             strlcat(tree_print_buff, "Type: Server\n--\n", TREEPRINTBUFFLEN);
    860. 

  860.         } else {
    861. 

  861.             strlcat(tree_print_buff, "Type: Client\n--", TREEPRINTBUFFLEN);
    862. 

  862.         }
    863. 

  863.     }
    864. 

  864.     return (tree_print_buff);
    865. 

  865. }
    866. 

  866. 

  867. /**
    868. 

  868.  * prints out the entire tree
    869. 

  869.  */
    870. 

  870. static char *
    871. 

  871. tree_print(tcpr_data_tree_t *tree_root)
    872. 

  872. {
    873. 

  873.     tcpr_tree_t *node = NULL;
    874. 

  874.     memset(&tree_print_buff, '\0', TREEPRINTBUFFLEN);
    875. 

  875.     RB_FOREACH(node, tcpr_data_tree_s, tree_root)
    876. 

  876.     {
    877. 

  877.         tree_printnode("my node", node);
    878. 

  878.     }
    879. 

  879.     return (tree_print_buff);
    880. 

  880. }
    881. 

  881. #endif /* DEBUG */
    882.