3 * $Id: follow.c,v 1.7 1999/06/23 20:09:58 gram Exp $
5 * Copyright 1998 Mike Hall <mlh@io.com>
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38 #ifdef HAVE_SYS_TYPES_H
39 # include <sys/types.h>
46 extern FILE* data_out_file;
48 gboolean incomplete_tcp_stream = FALSE;
50 /* this will build libpcap filter text that will only
51 pass the packets related to the stream. There is a
52 chance that two streams could intersect, but not a
55 build_follow_filter( packet_info *pi ) {
56 char* buf = malloc(1024);
57 if( pi->ipproto == 6 ) {
59 sprintf( buf, "host %s and host %s and (ip proto \\tcp) and (port %d and port %d)",
60 pi->srcip, pi->destip, pi->srcport, pi->destport );
69 /* here we are going to try and reconstruct the data portion of a TCP
70 session. We will try and handle duplicates, TCP fragments, and out
71 of order packets in a smart way. */
73 static tcp_frag *frags[2] = { 0, 0};
75 static u_long src[2] = { 0, 0 };
78 reassemble_tcp( u_long sequence, u_long length, const char* data, u_long data_length, int synflag, u_long srcx ) {
79 int src_index, j, first = 0;
83 /* first we check to see if we have seen this src ip before. */
84 for( j=0; j<2; j++ ) {
85 if( src[j] == srcx ) {
89 /* we didn't find it if src_index == -1 */
91 /* assign it to a src_index and get going */
92 for( j=0; j<2; j++ ) {
101 if( src_index < 0 ) {
102 fprintf( stderr, "ERROR in reassemble_tcp: Too many addresses!\n");
106 if( data_length < length ) {
107 incomplete_tcp_stream = TRUE;
110 /* now that we have filed away the srcs, lets get the sequence number stuff
113 /* this is the first time we have seen this src's sequence number */
114 seq[src_index] = sequence + length;
118 /* write out the packet data */
119 write_packet_data( data, data_length );
122 /* if we are here, we have already seen this src, let's
123 try and figure out if this packet is in the right place */
124 if( sequence < seq[src_index] ) {
125 /* this sequence number seems dated, but
126 check the end to make sure it has no more
127 info than we have already seen */
128 newseq = sequence + length;
129 if( newseq > seq[src_index] ) {
132 /* this one has more than we have seen. let's get the
133 payload that we have not seen. */
135 new_len = seq[src_index] - sequence;
137 if ( data_length <= new_len ) {
140 incomplete_tcp_stream = TRUE;
143 data_length -= new_len;
145 sequence = seq[src_index];
146 length = newseq - seq[src_index];
148 /* this will now appear to be right on time :) */
151 if ( sequence == seq[src_index] ) {
153 seq[src_index] += length;
154 if( synflag ) seq[src_index]++;
156 write_packet_data( data, data_length );
158 /* done with the packet, see if it caused a fragment to fit */
159 while( check_fragments( src_index ) )
163 /* out of order packet */
164 if( sequence > seq[src_index] ) {
165 tmp_frag = (tcp_frag *)malloc( sizeof( tcp_frag ) );
166 tmp_frag->data = (u_char *)malloc( data_length );
167 tmp_frag->seq = sequence;
168 tmp_frag->len = length;
169 tmp_frag->data_len = data_length;
170 memcpy( tmp_frag->data, data, data_length );
171 if( frags[src_index] ) {
172 tmp_frag->next = frags[src_index];
174 tmp_frag->next = NULL;
176 frags[src_index] = tmp_frag;
179 } /* end reassemble_tcp */
181 /* here we search through all the frag we have collected to see if
184 check_fragments( int index ) {
185 tcp_frag *prev = NULL;
187 current = frags[index];
189 if( current->seq == seq[index] ) {
190 /* this fragment fits the stream */
191 if( current->data ) {
192 write_packet_data( current->data, current->data_len );
194 seq[index] += current->len;
196 prev->next = current->next;
198 src[index] = GPOINTER_TO_INT(current->next);
200 free( current->data );
205 current = current->next;
210 /* this should always be called before we start to reassemble a stream */
212 reset_tcp_reassembly() {
213 tcp_frag *current, *next;
215 incomplete_tcp_stream = FALSE;
216 for( i=0; i<2; i++ ) {
221 next = current->next;
222 free( current->data );
231 write_packet_data( const u_char* data, int length ) {
232 fwrite( data, 1, length, data_out_file );