3 * $Id: follow.c,v 1.10 1999/07/07 22:51:39 gram Exp $
5 * Copyright 1998 Mike Hall <mlh@io.com>
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
38 #ifdef HAVE_SYS_TYPES_H
39 # include <sys/types.h>
47 extern FILE* data_out_file;
49 gboolean incomplete_tcp_stream = FALSE;
51 static int check_fragments( int );
52 static void write_packet_data( const u_char *, int );
54 /* this will build libpcap filter text that will only
55 pass the packets related to the stream. There is a
56 chance that two streams could intersect, but not a
59 build_follow_filter( packet_info *pi ) {
60 char* buf = malloc(1024);
61 if( pi->ipproto == 6 ) {
63 sprintf( buf, "host %s and host %s and (ip proto \\tcp) and (port %d and port %d)",
64 pi->srcip, pi->destip, pi->srcport, pi->destport );
73 /* here we are going to try and reconstruct the data portion of a TCP
74 session. We will try and handle duplicates, TCP fragments, and out
75 of order packets in a smart way. */
77 static tcp_frag *frags[2] = { 0, 0};
79 static u_long src[2] = { 0, 0 };
82 reassemble_tcp( u_long sequence, u_long length, const char* data, u_long data_length, int synflag, u_long srcx ) {
83 int src_index, j, first = 0;
87 /* first we check to see if we have seen this src ip before. */
88 for( j=0; j<2; j++ ) {
89 if( src[j] == srcx ) {
93 /* we didn't find it if src_index == -1 */
95 /* assign it to a src_index and get going */
96 for( j=0; j<2; j++ ) {
105 if( src_index < 0 ) {
106 fprintf( stderr, "ERROR in reassemble_tcp: Too many addresses!\n");
110 if( data_length < length ) {
111 incomplete_tcp_stream = TRUE;
114 /* now that we have filed away the srcs, lets get the sequence number stuff
117 /* this is the first time we have seen this src's sequence number */
118 seq[src_index] = sequence + length;
122 /* write out the packet data */
123 write_packet_data( data, data_length );
126 /* if we are here, we have already seen this src, let's
127 try and figure out if this packet is in the right place */
128 if( sequence < seq[src_index] ) {
129 /* this sequence number seems dated, but
130 check the end to make sure it has no more
131 info than we have already seen */
132 newseq = sequence + length;
133 if( newseq > seq[src_index] ) {
136 /* this one has more than we have seen. let's get the
137 payload that we have not seen. */
139 new_len = seq[src_index] - sequence;
141 if ( data_length <= new_len ) {
144 incomplete_tcp_stream = TRUE;
147 data_length -= new_len;
149 sequence = seq[src_index];
150 length = newseq - seq[src_index];
152 /* this will now appear to be right on time :) */
155 if ( sequence == seq[src_index] ) {
157 seq[src_index] += length;
158 if( synflag ) seq[src_index]++;
160 write_packet_data( data, data_length );
162 /* done with the packet, see if it caused a fragment to fit */
163 while( check_fragments( src_index ) )
167 /* out of order packet */
168 if( sequence > seq[src_index] ) {
169 tmp_frag = (tcp_frag *)malloc( sizeof( tcp_frag ) );
170 tmp_frag->data = (u_char *)malloc( data_length );
171 tmp_frag->seq = sequence;
172 tmp_frag->len = length;
173 tmp_frag->data_len = data_length;
174 memcpy( tmp_frag->data, data, data_length );
175 if( frags[src_index] ) {
176 tmp_frag->next = frags[src_index];
178 tmp_frag->next = NULL;
180 frags[src_index] = tmp_frag;
183 } /* end reassemble_tcp */
185 /* here we search through all the frag we have collected to see if
188 check_fragments( int index ) {
189 tcp_frag *prev = NULL;
191 current = frags[index];
193 if( current->seq == seq[index] ) {
194 /* this fragment fits the stream */
195 if( current->data ) {
196 write_packet_data( current->data, current->data_len );
198 seq[index] += current->len;
200 prev->next = current->next;
202 frags[index] = current->next;
204 free( current->data );
209 current = current->next;
214 /* this should always be called before we start to reassemble a stream */
216 reset_tcp_reassembly() {
217 tcp_frag *current, *next;
219 incomplete_tcp_stream = FALSE;
220 for( i=0; i<2; i++ ) {
225 next = current->next;
226 free( current->data );
235 write_packet_data( const u_char* data, int length ) {
236 fwrite( data, 1, length, data_out_file );