2 * Routines for Sebek - Kernel based data capture - packet dissection
3 * Modified to add sebek V3
4 * Copyright 2006, Camilo Viecco <cviecco@indiana.edu>
5 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
7 * See: http://project.honeynet.org/tools/sebek/ for more details
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include <epan/packet.h>
40 #include <epan/addr_resolv.h>
45 IP address: 32bit unsigned
46 MAGIC Val: 32bit unsigned
47 Sebek Ver: 16bit unsigned #value must match 2
49 Counter: 32bit unsigned
50 Time_sec: 32bit unsigned
51 Time_usec: 32bit unsigned
52 Proc ID: 32bit unsigned
53 User ID: 32bit unsigned
54 File Desc: 32bit unsigned
58 Data: Variable Length data
62 IP address: 32bit unsigned
63 MAGIC Val: 32bit unsigned
64 Sebek Ver: 16bit unsigned #value must match 3
66 Counter: 32bit unsigned
67 Time_sec: 32bit unsigned
68 Time_usec: 32bit unsigned
69 Parent_pid: 32bit unsigned
70 Proc ID: 32bit unsigned
71 User ID: 32bit unsigned
72 File Desc: 32bit unsigned
76 Data: Variable length data
78 Sebekv3 has a sock_socket_record subheader for IPV4:
79 Dest_ip: 32bit unsigned
80 Dest_port: 16bit unsigned
81 Src_ip: 32bit unsigned
82 src_port: 16bit unsigned
/* Default UDP port this dissector is attached to in proto_reg_handoff_sebek().
 * A Sebek deployment may send on any port; this is a compile-time constant
 * here, not a user preference, so other ports have to be mapped by hand. */
89 #define UDP_PORT_SEBEK 1101
/* Protocol handle, assigned by proto_register_protocol() at registration. */
91 static int proto_sebek = -1;
/* Header-field ids, filled in from the hf[] table in proto_register_sebek().
 * -1 means "not registered yet".  Fields present in both v2 and v3 records: */
93 static int hf_sebek_magic = -1;
94 static int hf_sebek_version = -1;
95 static int hf_sebek_type = -1;
96 static int hf_sebek_counter = -1;
97 static int hf_sebek_time = -1;
98 static int hf_sebek_pid = -1;
99 static int hf_sebek_uid = -1;
100 static int hf_sebek_fd = -1;
101 static int hf_sebek_cmd = -1;
102 static int hf_sebek_len = -1;
103 static int hf_sebek_data = -1;
/* v3-only fixed header fields (parent pid, inode). */
104 static int hf_sebek_ppid = -1;
105 static int hf_sebek_inode = -1;
/* v3 socket sub-header (IPv4 only, see the layout comment above); present
 * only when the record type read from the packet is 2. */
106 static int hf_sebek_socket_src_ip=-1;
107 static int hf_sebek_socket_src_port=-1;
108 static int hf_sebek_socket_dst_ip=-1;
109 static int hf_sebek_socket_dst_port=-1;
110 static int hf_sebek_socket_call=-1;
111 static int hf_sebek_socket_proto=-1;
/* Subtree id for the SEBEK item added to the protocol tree. */
114 static gint ett_sebek = -1;
116 /* dissect_sebek - dissects sebek packet data
117 * tvb - tvbuff for packet data (IN)
118 * pinfo - packet info
119 * tree - protocol tree the SEBEK subtree is attached to
/* Dissect one Sebek record.
 *
 * tvb   - record bytes (IN)
 * pinfo - packet info; COL_PROTOCOL and COL_INFO are written here
 * tree  - protocol tree the SEBEK subtree is attached to
 *
 * The record version is read from bytes 4..5 and selects the v2 or v3
 * layout described at the top of this file.  NOTE(review): this extract
 * is missing the function's opening brace, its local declarations, the
 * switch statements, the branch bodies of the short-length checks and the
 * `offset += n` advances between the proto_tree_add_item() calls; only the
 * visible calls are documented below, and the return type/value is not
 * visible either.
 */
122 dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
124 proto_tree *sebek_tree;
132 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");
134 if (check_col(pinfo->cinfo, COL_INFO))
136 col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
/* Only the version field (offset 4, 2 bytes) is guarded explicitly.  The
 * fixed-offset reads that follow rely on the tvbuff accessors raising a
 * bounds exception on a truncated record, not on checks in this function. */
138 if (tvb_length(tvb)<6)
141 sebek_ver = tvb_get_ntohs(tvb, 4);
/* v2: pid/uid/fd at 20/24/28 and a 12-byte command at 32, consistent with
 * the field widths added to the tree below.  tvb_get_ntohl() returns an
 * unsigned 32-bit value; "%d" renders uids/pids above INT_MAX as negative,
 * "%u" would be the matching specifier. */
144 case 2: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
145 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
146 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
/* Fixed 12 bytes; tvb_format_text() escapes non-printable bytes, so a
 * command without a NUL terminator is still shown safely. */
147 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
/* v3: ppid is inserted before pid, so pid/uid/fd move to 24/28/32 and the
 * command to 40. */
149 case 3: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
150 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
151 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
/* Length of the command up to the first NUL within its 12 bytes.
 * tvb_strnlen() returns -1 when no NUL is found; the statement(s) directly
 * after it are not in this extract - presumably they clamp cmd_len, verify
 * before relying on it. */
152 cmd_len = tvb_strnlen(tvb, 40, 12);
155 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
164 /* Adding Sebek item and subtree */
/* Top-level item spans the whole record (-1 = to end of tvb). */
165 ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, ENC_NA);
166 sebek_tree = proto_item_add_subtree(ti, ett_sebek);
168 /* check for minimum length before deciding where to go*/
169 if (tvb_length(tvb)<6)
172 sebek_ver = tvb_get_ntohs(tvb, 4);
/* v2 fixed header: magic(4) version(2) type(2) counter(4) time(8) pid(4)
 * uid(4) fd(4) cmd(12) len(4) = 48 bytes, then data.  These widths agree
 * with the fixed offsets used for COL_INFO above. */
175 case 2: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
178 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
181 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
184 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
/* Time is two 32-bit words.  The layout comment at the top of this file
 * calls the second word Time_usec, yet it is stored in nsecs unscaled -
 * NOTE(review): looks like microseconds displayed as nanoseconds; confirm
 * against a capture before changing. */
187 ts.secs = tvb_get_ntohl(tvb, offset);
188 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
189 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
192 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
195 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
198 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
/* Command: 12 raw bytes with an explicit length, so no NUL is required. */
201 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII|ENC_NA);
204 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
/* Remainder of the record is the captured data (-1 = to end of tvb); the
 * sender-supplied len field above is displayed but not used to bound it. */
207 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII|ENC_NA);
/* v3 fixed header adds ppid and inode: pid/uid/fd at 24/28/32, cmd at 40,
 * len at 52, data from 56 - again matching the COL_INFO offsets above. */
211 case 3: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, ENC_BIG_ENDIAN);
214 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, ENC_BIG_ENDIAN);
/* The record type comes straight from the packet; it selects the optional
 * socket sub-header further down. */
217 sebek_type=tvb_get_ntohs(tvb, offset);
218 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, ENC_BIG_ENDIAN);
221 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, ENC_BIG_ENDIAN);
/* Same usec-in-nsecs question as the v2 branch. */
224 ts.secs = tvb_get_ntohl(tvb, offset);
225 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
226 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
229 proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, ENC_BIG_ENDIAN);
232 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, ENC_BIG_ENDIAN);
235 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, ENC_BIG_ENDIAN);
238 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, ENC_BIG_ENDIAN);
241 proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, ENC_BIG_ENDIAN);
244 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, ENC_ASCII|ENC_NA);
247 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, ENC_BIG_ENDIAN);
/* Type 2 = socket record: an IPv4-only sub-header (dst ip/port, src ip/port,
 * call id, ip proto = 15 bytes) sits between the fixed header and the data.
 * Other type values get no sub-header here. */
250 if (sebek_type == 2) {
251 /*data is socket data, process accordingly*/
252 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
254 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, ENC_BIG_ENDIAN);
256 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
258 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, ENC_BIG_ENDIAN);
260 proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, ENC_BIG_ENDIAN);
262 proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, ENC_BIG_ENDIAN);
/* Captured data to end of record, as in the v2 branch. */
265 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, ENC_ASCII|ENC_NA);
/* Register the SEBEK protocol, its header fields and its subtree with the
 * dissector core.  Runs once at startup.  NOTE(review): the opener lines
 * ("{ &hf_..., {") of several hf[] entries, the contents of ett[] and the
 * closing of both arrays are not in this extract. */
279 proto_register_sebek(void)
/* Field table: { &id, { display name, filter name, type, base, strings,
 * bitmask, blurb, HFILL } }. */
281 static hf_register_info hf[] = {
283 "Magic", "sebek.magic", FT_UINT32, BASE_HEX,
284 NULL, 0, "Magic Number", HFILL }},
285 { &hf_sebek_version, {
286 "Version", "sebek.version", FT_UINT16, BASE_DEC,
287 NULL, 0, "Version Number", HFILL }},
289 "Type", "sebek.type", FT_UINT16, BASE_DEC,
290 NULL, 0, NULL, HFILL }},
291 { &hf_sebek_counter, {
292 "Counter", "sebek.counter", FT_UINT32, BASE_DEC,
293 NULL, 0, NULL, HFILL }},
/* Filled from an nstime built out of the two 32-bit time words in
 * dissect_sebek(); shown in local time. */
295 "Time", "sebek.time.sec", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
296 NULL, 0, NULL, HFILL }},
298 "Process ID", "sebek.pid", FT_UINT32, BASE_DEC,
299 NULL, 0, NULL, HFILL }},
301 "User ID", "sebek.uid", FT_UINT32, BASE_DEC,
302 NULL, 0, NULL, HFILL }},
304 "File Descriptor", "sebek.fd", FT_UINT32, BASE_DEC,
305 NULL, 0, "File Descriptor Number", HFILL }},
307 "Command Name", "sebek.cmd", FT_STRING, BASE_NONE,
308 NULL, 0, NULL, HFILL }},
310 "Data Length", "sebek.len", FT_UINT32, BASE_DEC,
311 NULL, 0, NULL, HFILL }},
/* TODO(review): blurb says "Process ID" - copy/paste residue, should read
 * "Parent Process ID". */
313 "Parent Process ID", "sebek.ppid", FT_UINT32, BASE_DEC,
314 NULL, 0, "Process ID", HFILL }},
/* TODO(review): blurb says "Process ID" for the inode field as well. */
316 "Inode ID", "sebek.inode", FT_UINT32, BASE_DEC,
317 NULL, 0, "Process ID", HFILL }},
319 "Data", "sebek.data", FT_STRING, BASE_NONE,
320 NULL, 0, NULL, HFILL }},
/* v3 socket sub-header.  Display names say local/remote while the filter
 * names and blurbs say src/dst; each pair denotes the same field. */
321 { &hf_sebek_socket_src_ip, {
322 "Socket.local_ip", "sebek.socket.src_ip", FT_IPv4, BASE_NONE,
323 NULL, 0, "Socket.src_ip", HFILL }},
324 { &hf_sebek_socket_src_port, {
325 "Socket.local_port", "sebek.socket.src_port", FT_UINT16, BASE_DEC,
326 NULL, 0, "Socket.src_port", HFILL }},
327 { &hf_sebek_socket_dst_ip, {
328 "Socket.remote_ip", "sebek.socket.dst_ip", FT_IPv4, BASE_NONE,
329 NULL, 0, "Socket.dst_ip", HFILL }},
330 { &hf_sebek_socket_dst_port, {
331 "Socket.remote_port", "sebek.socket.dst_port", FT_UINT16, BASE_DEC,
332 NULL, 0, "Socket.dst_port", HFILL }},
333 { &hf_sebek_socket_call, {
334 "Socket.Call_id", "sebek.socket.call", FT_UINT16, BASE_DEC,
335 NULL, 0, "Socket.call", HFILL }},
336 { &hf_sebek_socket_proto, {
337 "Socket.ip_proto", "sebek.socket.ip_proto", FT_UINT8, BASE_DEC,
338 NULL, 0, NULL, HFILL }}
/* Subtree ids to register (contents not in this extract). */
340 static gint *ett[] = {
344 proto_sebek = proto_register_protocol("SEBEK - Kernel Data Capture", "SEBEK", "sebek");
345 proto_register_field_array(proto_sebek, hf, array_length(hf));
346 proto_register_subtree_array(ett, array_length(ett));
/* Attach the dissector to its transport.  The only registration is the
 * fixed UDP_PORT_SEBEK; traffic on any other port has to be mapped to
 * SEBEK by hand, as no port preference is registered in this extract.
 * The function's closing brace is not in this extract. */
350 proto_reg_handoff_sebek(void)
352 dissector_handle_t sebek_handle;
354 sebek_handle = new_create_dissector_handle(dissect_sebek, proto_sebek);
355 dissector_add_uint("udp.port", UDP_PORT_SEBEK, sebek_handle);