2 * Routines for Sebek - Kernel based data capture - packet dissection
3 * Modified to add sebek V3
4 * Copyright 2006, Camilo Viecco <cviecco@indiana.edu>
5 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
7 * See: http://project.honeynet.org/tools/sebek/ for more details
11 * Wireshark - Network traffic analyzer
12 * By Gerald Combs <gerald@wireshark.org>
13 * Copyright 1998 Gerald Combs
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version 2
18 * of the License, or (at your option) any later version.
20 * This program is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
25 * You should have received a copy of the GNU General Public License
26 * along with this program; if not, write to the Free Software
27 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
41 #include <epan/packet.h>
42 #include <epan/addr_resolv.h>
47 IP address: 32bit unsigned
48 MAGIC Val: 32bit unsigned
49 Sebek Ver: 16bit unsigned #value must match 2
51 Counter: 32bit unsigned
52 Time_sec: 32bit unsigned
53 Time_usec: 32bit unsigned
54 Proc ID: 32bit unsigned
55 User ID: 32bit unsigned
56 File Desc: 32bit unsigned
60 Data: Variable Length data
64 IP address: 32bit unsigned
65 MAGIC Val: 32bit unsigned
66 Sebek Ver: 16bit unsigned #value must match 3
68 Counter: 32bit unsigned
69 Time_sec: 32bit unsigned
70 Time_usec: 32bit unsigned
71 Parent_pid: 32bit unsigned
72 Proc ID: 32bit unsigned
73 User ID: 32bit unsigned
74 File Desc: 32bit unsigned
78 Data: Variable data length
80 Sebekv3 has a sock_socket_record subheader for IPV4:
81 Dest_ip: 32bit unsigned
82 Dest_port: 16bit unsigned
83 Src_ip: 32bit unsigned
84 src_port: 16bit unsigned
90 /* By default, but can be completely different */
91 #define UDP_PORT_SEBEK 1101
93 static int proto_sebek = -1;
95 static int hf_sebek_magic = -1;
96 static int hf_sebek_version = -1;
97 static int hf_sebek_type = -1;
98 static int hf_sebek_counter = -1;
99 static int hf_sebek_time = -1;
100 static int hf_sebek_pid = -1;
101 static int hf_sebek_uid = -1;
102 static int hf_sebek_fd = -1;
103 static int hf_sebek_cmd = -1;
104 static int hf_sebek_len = -1;
105 static int hf_sebek_data = -1;
106 static int hf_sebek_ppid = -1;
107 static int hf_sebek_inode = -1;
108 static int hf_sebek_socket_src_ip=-1;
109 static int hf_sebek_socket_src_port=-1;
110 static int hf_sebek_socket_dst_ip=-1;
111 static int hf_sebek_socket_dst_port=-1;
112 static int hf_sebek_socket_call=-1;
113 static int hf_sebek_socket_proto=-1;
116 static gint ett_sebek = -1;
118 /* dissect_sebek - dissects sebek packet data
119 * tvb - tvbuff for packet data (IN)
120 * pinfo - packet info
121 * proto_tree - resolved protocol tree
124 dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
126 proto_tree *sebek_tree;
135 if (check_col(pinfo->cinfo, COL_PROTOCOL))
136 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");
138 if (check_col(pinfo->cinfo, COL_INFO))
140 col_clear(pinfo->cinfo, COL_INFO);
141 col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
146 sebek_ver = tvb_get_ntohs(tvb, 4);
149 case 2: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
150 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
151 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
152 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
154 case 3: col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
155 col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
156 col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
157 cmd_len = tvb_strnlen(tvb, 40, 12);
160 col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
169 /* Adding Sebek item and subtree */
170 ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, FALSE);
171 sebek_tree = proto_item_add_subtree(ti, ett_sebek);
173 /* check for minimum length before deciding where to go*/
177 sebek_ver = tvb_get_ntohs(tvb, 4);
180 case 2: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
183 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
186 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
189 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
192 ts.secs = tvb_get_ntohl(tvb, offset);
193 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
194 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
197 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
200 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
203 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
206 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
209 datalen = tvb_get_letohl(tvb, offset);
210 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
213 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
217 case 3: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
220 proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
223 sebek_type=tvb_get_ntohs(tvb, offset);
224 proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
227 proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
230 ts.secs = tvb_get_ntohl(tvb, offset);
231 ts.nsecs = tvb_get_ntohl(tvb, offset+4);
232 proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
235 proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, FALSE);
238 proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
241 proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
244 proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
247 proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, FALSE);
250 proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
253 datalen = tvb_get_ntohl(tvb, offset);
254 proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
257 if (sebek_type == 2) {
258 /*data is socket data, process accordingly*/
259 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, FALSE);
261 proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, FALSE);
263 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, FALSE);
265 proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, FALSE);
267 proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, FALSE);
269 proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, FALSE);
272 proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
285 proto_register_sebek(void)
287 static hf_register_info hf[] = {
289 "Magic", "sebek.magic", FT_UINT32, BASE_HEX,
290 NULL, 0, "Magic Number", HFILL }},
291 { &hf_sebek_version, {
292 "Version", "sebek.version", FT_UINT16, BASE_DEC,
293 NULL, 0, "Version Number", HFILL }},
295 "Type", "sebek.type", FT_UINT16, BASE_DEC,
296 NULL, 0, "Type", HFILL }},
297 { &hf_sebek_counter, {
298 "Counter", "sebek.counter", FT_UINT32, BASE_DEC,
299 NULL, 0, "Counter", HFILL }},
301 "Time", "sebek.time.sec", FT_ABSOLUTE_TIME, BASE_NONE,
302 NULL, 0, "Time", HFILL }},
304 "Process ID", "sebek.pid", FT_UINT32, BASE_DEC,
305 NULL, 0, "Process ID", HFILL }},
307 "User ID", "sebek.uid", FT_UINT32, BASE_DEC,
308 NULL, 0, "User ID", HFILL }},
310 "File Descriptor", "sebek.fd", FT_UINT32, BASE_DEC,
311 NULL, 0, "File Descriptor Number", HFILL }},
313 "Command Name", "sebek.cmd", FT_STRING, 0,
314 NULL, 0, "Command Name", HFILL }},
316 "Data Length", "sebek.len", FT_UINT32, BASE_DEC,
317 NULL, 0, "Data Length", HFILL }},
319 "Parent Process ID", "sebek.ppid", FT_UINT32, BASE_DEC,
320 NULL, 0, "Process ID", HFILL }},
322 "Inode ID", "sebek.inode", FT_UINT32, BASE_DEC,
323 NULL, 0, "Process ID", HFILL }},
325 "Data", "sebek.data", FT_STRING, 0,
326 NULL, 0, "Data", HFILL }},
327 { &hf_sebek_socket_src_ip, {
328 "Socket.local_ip", "sebek.socket.src_ip", FT_IPv4, 0,
329 NULL, 0, "Socket.src_ip", HFILL }},
330 { &hf_sebek_socket_src_port, {
331 "Socket.local_port", "sebek.socket.src_port", FT_UINT16, BASE_DEC,
332 NULL, 0, "Socket.src_port", HFILL }},
333 { &hf_sebek_socket_dst_ip, {
334 "Socket.remote_ip", "sebek.socket.dst_ip", FT_IPv4, 0,
335 NULL, 0, "Socket.dst_ip", HFILL }},
336 { &hf_sebek_socket_dst_port, {
337 "Socket.remote_port", "sebek.socket.dst_port", FT_UINT16, BASE_DEC,
338 NULL, 0, "Socket.dst_port", HFILL }},
339 { &hf_sebek_socket_call, {
340 "Socket.Call_id", "sebek.socket.call", FT_UINT16, BASE_DEC,
341 NULL, 0, "Socket.call", HFILL }},
342 { &hf_sebek_socket_proto, {
343 "Socket.ip_proto", "sebek.socket.ip_proto", FT_UINT8, BASE_DEC,
344 NULL, 0, "Socket.ip_proto", HFILL }}
346 static gint *ett[] = {
350 proto_sebek = proto_register_protocol("SEBEK - Kernel Data Capture", "SEBEK", "sebek");
351 proto_register_field_array(proto_sebek, hf, array_length(hf));
352 proto_register_subtree_array(ett, array_length(ett));
356 proto_reg_handoff_sebek(void)
358 dissector_handle_t sebek_handle;
360 sebek_handle = create_dissector_handle(dissect_sebek, proto_sebek);
361 dissector_add("udp.port", UDP_PORT_SEBEK, sebek_handle);
git.samba.org / obnox / wireshark / wip.git / blob