2 * Routines for Sebek - Kernel based data capture - packet dissection
3 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
5 * See: http://project.honeynet.org/tools/sebek/ for more details
7 * $Id: packet-sebek.c,v 1.1 2003/11/19 22:13:29 nneul Exp $
9 * Ethereal - Network traffic analyzer
10 * By Gerald Combs <gerald@ethereal.com>
11 * Copyright 1998 Gerald Combs
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
39 #ifdef NEED_SNPRINTF_H
40 # include "snprintf.h"
43 #include <epan/packet.h>
44 #include <epan/resolv.h>
47 IP address: 32bit unsigned
48 MAGIC Val: 32bit unsigned
49 Sebek Ver: 16bit unsigned
51 Counter: 32bit unsigned
52 Time_sec: 32bit unsigned
53 Time_usec: 32bit unsigned
54 Proc ID: 32bit unsigned
55 User ID: 32bit unsigned
56 File Desc: 32bit unsigned
60 Data: Variable Length data (its size is carried in the 32bit length field that precedes it; the dissector displays everything after the fixed header, so the two can disagree on a truncated, padded or forged datagram)
/* Port the dissector is attached to.  This is only the Sebek default; a
 * deployment may be configured with any other port, and the code below
 * registers no preference for it. */
#define UDP_PORT_SEBEK 1101

/* Protocol handle, assigned when the protocol is registered. */
static int proto_sebek = -1;

/* Header-field handles, listed in wire order.  Each one is filled in by
 * proto_register_field_array() and used by the tree-building code. */
static int hf_sebek_magic   = -1;	/* 32-bit magic value            */
static int hf_sebek_version = -1;	/* 16-bit protocol version       */
static int hf_sebek_type    = -1;	/* 16-bit record type            */
static int hf_sebek_counter = -1;	/* 32-bit record counter         */
static int hf_sebek_time    = -1;	/* seconds + microseconds        */
static int hf_sebek_pid     = -1;	/* 32-bit process id             */
static int hf_sebek_uid     = -1;	/* 32-bit user id                */
static int hf_sebek_fd      = -1;	/* 32-bit file descriptor        */
static int hf_sebek_cmd     = -1;	/* 12-byte command name          */
static int hf_sebek_len     = -1;	/* 32-bit declared data length   */
static int hf_sebek_data    = -1;	/* variable-length captured data */

/* Subtree handle for the SEBEK node in the protocol tree. */
static gint ett_sebek = -1;
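/* Byte offsets of the fixed Sebek header fields.  They follow the layout
 * documented above and are the same constants the summary line used for
 * pid/uid/fd/cmd.  Every multi-byte field is read big-endian. */
enum {
	SEBEK_OFF_MAGIC   = 0,
	SEBEK_OFF_VERSION = 4,
	SEBEK_OFF_TYPE    = 6,
	SEBEK_OFF_COUNTER = 8,
	SEBEK_OFF_TIME    = 12,	/* 32-bit seconds, then 32-bit microseconds */
	SEBEK_OFF_PID     = 20,
	SEBEK_OFF_UID     = 24,
	SEBEK_OFF_FD      = 28,
	SEBEK_OFF_CMD     = 32,
	SEBEK_CMD_LEN     = 12,
	SEBEK_OFF_LEN     = 44,
	SEBEK_OFF_DATA    = 48
};

/* dissect_sebek - dissects sebek packet data
 * tvb   - tvbuff for packet data (IN)
 * pinfo - per-packet state; only the summary columns are written (IN/OUT)
 * tree  - resolved protocol tree, NULL when the caller wants no tree (OUT)
 *
 * A Sebek record is emitted by a kernel module on a honeypot that an
 * intruder controls, so every byte of it (ids, timestamp, command name,
 * captured data, declared length) is attacker-influenced.  All reads go
 * through tvb_* accessors, which throw a bounds exception on a truncated
 * datagram instead of reading past the buffer; the frame is then marked
 * malformed.  No magic or version check is done - the value a honeywall is
 * configured with is not known to this dissector - so any UDP datagram on
 * the registered port is decoded as Sebek.
 */
static void
dissect_sebek(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
	proto_tree	*sebek_tree;
	proto_item	*ti;
	nstime_t	ts;
	guint32		datalen;
	gint		remaining;

	if (check_col(pinfo->cinfo, COL_PROTOCOL))
		col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");

	if (check_col(pinfo->cinfo, COL_INFO)) {
		col_clear(pinfo->cinfo, COL_INFO);
		col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
		/* These are 32-bit unsigned on the wire: print with %u so that
		 * a value >= 2^31 does not show up as a negative id. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%u)",
				tvb_get_ntohl(tvb, SEBEK_OFF_PID));
		col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%u)",
				tvb_get_ntohl(tvb, SEBEK_OFF_UID));
		col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%u)",
				tvb_get_ntohl(tvb, SEBEK_OFF_FD));
		/* The command name is a fixed 12-byte field that is neither
		 * NUL-terminated nor guaranteed printable.  tvb_format_text()
		 * escapes non-printable bytes before they reach the Info column
		 * and returns a buffer the caller does not own; the g_malloc'd
		 * copy that tvb_get_string() handed back here before was never
		 * freed. */
		col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s",
				tvb_format_text(tvb, SEBEK_OFF_CMD, SEBEK_CMD_LEN));
	}

	/* tree is NULL when only the summary columns are wanted. */
	if (tree == NULL)
		return;

	/* Sebek item and subtree */
	ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, FALSE);
	sebek_tree = proto_item_add_subtree(ti, ett_sebek);

	proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, SEBEK_OFF_MAGIC, 4, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, SEBEK_OFF_VERSION, 2, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, SEBEK_OFF_TYPE, 2, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, SEBEK_OFF_COUNTER, 4, FALSE);

	/* The second timestamp word is microseconds (see the header layout
	 * above) while nstime_t carries nanoseconds, so scale it.  A bogus
	 * value from a hostile sender only produces an odd time display. */
	ts.secs  = tvb_get_ntohl(tvb, SEBEK_OFF_TIME);
	ts.nsecs = tvb_get_ntohl(tvb, SEBEK_OFF_TIME + 4) * 1000;
	proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, SEBEK_OFF_TIME, 8, &ts);

	proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, SEBEK_OFF_PID, 4, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, SEBEK_OFF_UID, 4, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, SEBEK_OFF_FD, 4, FALSE);
	proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, SEBEK_OFF_CMD, SEBEK_CMD_LEN, FALSE);

	/* Declared payload length.  It is read big-endian, the same way the
	 * tree item below and every other header field are decoded; the
	 * tvb_get_letohl() used here before disagreed with its own tree item.
	 * Confirm against the Sebek client if captures show bogus lengths. */
	datalen = tvb_get_ntohl(tvb, SEBEK_OFF_LEN);
	proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, SEBEK_OFF_LEN, 4, FALSE);

	/* The data item shows whatever follows the fixed header.  The declared
	 * length is attacker-controlled and is deliberately not used to size
	 * the item; it is only compared with what is actually present so a
	 * truncated, padded or forged record is visible in the tree. */
	remaining = tvb_reported_length_remaining(tvb, SEBEK_OFF_DATA);
	if (remaining < 0 || datalen != (guint32)remaining) {
		proto_tree_add_text(sebek_tree, tvb, SEBEK_OFF_LEN, 4,
				"Declared data length %u does not match %d bytes present",
				datalen, remaining < 0 ? 0 : remaining);
	}
	proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, SEBEK_OFF_DATA, -1, FALSE);
}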
/* proto_register_sebek - registers the protocol, its header fields and its
 * subtree with the epan core.  Runs once at startup and fills in the hf_
 * and ett_ handles declared above. */
void
proto_register_sebek(void)
{
	/* One entry per wire field, in header order.  The "sebek.*" filter
	 * names are user-visible and must stay stable across releases. */
	static hf_register_info hf[] = {
		{ &hf_sebek_magic, {
			"Magic", "sebek.magic", FT_UINT32, BASE_HEX,
			NULL, 0, "Magic Number", HFILL }},
		{ &hf_sebek_version, {
			"Version", "sebek.version", FT_UINT16, BASE_DEC,
			NULL, 0, "Version Number", HFILL }},
		{ &hf_sebek_type, {
			"Type", "sebek.type", FT_UINT16, BASE_DEC,
			NULL, 0, "Type", HFILL }},
		{ &hf_sebek_counter, {
			"Counter", "sebek.counter", FT_UINT32, BASE_DEC,
			NULL, 0, "Counter", HFILL }},
		/* Covers both timestamp words even though the filter name says
		 * ".sec"; renaming it would break existing display filters. */
		{ &hf_sebek_time, {
			"Time", "sebek.time.sec", FT_ABSOLUTE_TIME, BASE_NONE,
			NULL, 0, "Time", HFILL }},
		{ &hf_sebek_pid, {
			"Process ID", "sebek.pid", FT_UINT32, BASE_DEC,
			NULL, 0, "Process ID", HFILL }},
		{ &hf_sebek_uid, {
			"User ID", "sebek.uid", FT_UINT32, BASE_DEC,
			NULL, 0, "User ID", HFILL }},
		{ &hf_sebek_fd, {
			"File Descriptor", "sebek.fd", FT_UINT32, BASE_DEC,
			NULL, 0, "File Descriptor Number", HFILL }},
		{ &hf_sebek_cmd, {
			"Command Name", "sebek.cmd", FT_STRING, BASE_NONE,
			NULL, 0, "Command Name", HFILL }},
		{ &hf_sebek_len, {
			"Data Length", "sebek.len", FT_UINT32, BASE_DEC,
			NULL, 0, "Data Length", HFILL }},
		/* Shown as a string; the captured bytes are whatever the
		 * intruder typed or read, so they need not be printable. */
		{ &hf_sebek_data, {
			"Data", "sebek.data", FT_STRING, BASE_NONE,
			NULL, 0, "Data", HFILL }},
	};
	static gint *ett[] = {
		&ett_sebek,
	};

	proto_sebek = proto_register_protocol("SEBEK - Kernel Data Capture",
					      "SEBEK", "sebek");
	proto_register_field_array(proto_sebek, hf, array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));
}
/* proto_reg_handoff_sebek - attaches the dissector to its UDP port.
 * The port is fixed at UDP_PORT_SEBEK; no preference for it is registered
 * in this file, so traffic from a honeypot configured with another port
 * has to be decoded via "Decode As". */
void
proto_reg_handoff_sebek(void)
{
	dissector_handle_t handle;

	handle = create_dissector_handle(dissect_sebek, proto_sebek);
	dissector_add("udp.port", UDP_PORT_SEBEK, handle);
}