diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_auth.c argus-2.0.6.fixes.1/common/argus_auth.c
--- argus-2.0.6.fixes.1.orig/common/argus_auth.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_auth.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,569 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 2000 Carnegie Mellon University. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. The name "Carnegie Mellon University" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For permission or any other legal
- * details, please contact
- * Office of Technology Transfer
- * Carnegie Mellon University
- * 5000 Forbes Avenue
- * Pittsburgh, PA 15213-3890
- * (412) 268-4387, fax: (412) 268-7395
- * tech-transfer@andrew.cmu.edu
- *
- * 4. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by Computing Services
- * at Carnegie Mellon University (http://www.cmu.edu/computing/)."
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
- * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE
- * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
- * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Modified by Carter Bullard
- * QoSient, LLC
- *
- */
-
-
-#ifndef ArgusAuth
-#define ArgusAuth
-#endif
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <errno.h>
-#include <string.h>
-
-#ifdef ARGUS_SASL
-
-#include <ctype.h>
-#include <assert.h>
-#include <sasl.h>
-
-#endif /* ARGUS_SASL */
-
-#include <netinet/in.h>
-#include <pcap.h>
-
-#include <compat.h>
-#include <interface.h>
-
-#include <argus_parse.h>
-#include <argus_util.h>
-#include <argus_out.h>
-#include <argus_filter.h>
-
-
-extern void ArgusLog (int, char *, ...);
-
-int ArgusInitializeAuthentication (struct ARGUS_INPUT *);
-int ArgusAuthenticate (struct ARGUS_INPUT *);
-
-#ifdef ARGUS_SASL
-
-static int RaGetRealm(void *context, int, const char **, const char **);
-static int RaSimple(void *context, int, const char **, unsigned *);
-static int RaGetSecret(sasl_conn_t *, void *context, int, sasl_secret_t **);
-
-int RaSaslNegotiate(FILE *, FILE *, sasl_conn_t *);
-int RaGetSaslString (FILE *, char *, int);
-int RaSendSaslString (FILE *, const char *, int);
-
-/* RaCallBacks we support */
-
-static sasl_callback_t RaCallBacks[] = {
- { SASL_CB_GETREALM, &RaGetRealm, NULL },
- { SASL_CB_USER, &RaSimple, NULL },
- { SASL_CB_AUTHNAME, &RaSimple, NULL },
- { SASL_CB_PASS, &RaGetSecret, NULL },
- { SASL_CB_LIST_END, NULL, NULL }
-};
-
-char *RaSaslMech = NULL;
-
-#endif
-
-
-#if defined(HAVE_SOLARIS)
-extern int getdomainname(char *name, size_t len);
-#endif
-
-
-int
-ArgusInitializeAuthentication (struct ARGUS_INPUT *input)
-{
- int retn = 1;
-
-#ifdef ARGUS_SASL
- struct sockaddr_in localaddr, remoteaddr;
- int salen, fd = input->fd;
- char *localhostname = NULL;
-
- if ((retn = sasl_client_init(RaCallBacks)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_init %d", retn);
-
- localhostname = ArgusCalloc (1, 1024);
- gethostname(localhostname, 1024);
- if (!strchr (localhostname, '.')) {
- strcat (localhostname, ".");
- getdomainname (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname));
- }
-
- if ((retn = sasl_client_new("argus", localhostname, NULL, SASL_SECURITY_LAYER, &input->sasl_conn)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_new %d", retn);
-
- /* set external properties here
- sasl_setprop(input->sasl_conn, SASL_SSF_EXTERNAL, &extprops); */
-
- /* set required security properties here
- sasl_setprop(input->sasl_conn, SASL_SEC_PROPS, &secprops); */
-
- /* set ip addresses */
- salen = sizeof(localaddr);
- if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) < 0)
- perror("getsockname");
-
- salen = sizeof(remoteaddr);
- if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) < 0)
- perror("getpeername");
-
- if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_LOCAL, &localaddr)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting localaddr %d", retn);
-
- if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_REMOTE, &remoteaddr)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting remoteaddr %d", retn);
-
- retn = 1;
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusInitializeAuthentication () returning %d\n", retn);
-#endif
-
- return (retn);
-}
-
-
-int
-ArgusAuthenticate (struct ARGUS_INPUT *input)
-{
- int retn = 0;
-
- if (ArgusInitializeAuthentication(input)) {
-#ifdef ARGUS_SASL
- int fd = input->fd;
-
- if ((input->in = fdopen(fd, "r")) == NULL)
- ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen in failed %s", strerror(errno));
-
- if ((input->out = fdopen(fd, "w")) == NULL)
- ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen out failed %s", strerror(errno));
-
- if ((retn = RaSaslNegotiate(input->in, input->out, input->sasl_conn)) == SASL_OK)
- retn = 1;
- else
- retn = 0;
-#endif
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusAuthenticate (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-#ifdef ARGUS_SASL
-
-static void RaChop (char *s) /* remove \r\n at end of the line */
-{
- char *p;
-
- assert(s);
-
- p = s + strlen(s) - 1;
- if (p[0] == '\n')
- *p-- = '\0';
-
- if (p >= s && p[0] == '\r')
- *p-- = '\0';
-}
-
-static int
-RaGetRealm(void *context __attribute__((unused)), int id,
- const char **availrealms, const char **result)
-{
- static char buf[1024];
-
- if (id != SASL_CB_GETREALM)
- return SASL_BADPARAM;
-
- if (!result)
- return SASL_BADPARAM;
-
- printf("please choose a realm (available:");
- while (*availrealms) {
- printf(" %s", *availrealms);
- availrealms++;
- }
- printf("): ");
-
- fgets(buf, sizeof buf, stdin);
- RaChop(buf);
- *result = buf;
-
- return SASL_OK;
-}
-
-static char RaSimpleBuf[1024];
-
-static int
-RaSimple(void *context __attribute__((unused)), int id,
- const char **result, unsigned *len)
-{
- char *ptr = NULL;
-
- if (! result)
- return SASL_BADPARAM;
-
- switch (id) {
- case SASL_CB_USER:
- if (ustr == NULL) {
- printf("please enter an authorization id: ");
- fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
-
- } else {
- if ((ptr = strchr(ustr, '/')) != NULL)
- *ptr = '\0';
-
- sprintf (RaSimpleBuf, "%s", ustr);
- if (ptr)
- *ptr = '/';
- }
-
- break;
-
- case SASL_CB_AUTHNAME:
- if (ustr != NULL)
- if ((ptr = strchr(ustr, '/')) != NULL)
- ptr++;
-
- if (ptr == NULL) {
- printf("please enter an authentication id: ");
- fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin);
- } else
- sprintf (RaSimpleBuf, "%s", ptr);
-
- break;
-
- default:
- return SASL_BADPARAM;
- }
-
- RaChop(RaSimpleBuf);
- *result = RaSimpleBuf;
-
- if (len)
- *len = strlen(RaSimpleBuf);
-
- return SASL_OK;
-}
-
-#ifndef HAVE_GETPASSPHRASE
-char *
-getpassphrase(const char *prompt)
-{
- return getpass(prompt);
-}
-#endif
-
-static int
-RaGetSecret(sasl_conn_t *conn, void *context __attribute__((unused)),
- int id, sasl_secret_t **psecret)
-{
- char *password;
- size_t len;
- static sasl_secret_t *x;
-
- if (! conn || ! psecret || id != SASL_CB_PASS)
- return SASL_BADPARAM;
-
- if (pstr != NULL)
- password = pstr;
- else
- password = getpassphrase("Password: ");
-
- if (! password)
- return SASL_FAIL;
-
- len = strlen(password);
-
- x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
-
- if (!x) {
- memset(password, 0, len);
- return SASL_NOMEM;
- }
-
- x->len = len;
- strcpy(x->data, password);
- memset(password, 0, len);
-
- *psecret = x;
- return SASL_OK;
-}
-
-
-int
-RaSaslNegotiate(FILE *in, FILE *out, sasl_conn_t *conn)
-{
- int retn = 0;
- char buf[8192];
- char *data;
- const char *chosenmech;
- int len, c;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) receiving capability list... ", in, out, conn);
-#endif
-
- if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0)
- ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) error %s\n", in, buf, sizeof(buf), strerror(errno));
-
- if (RaSaslMech) {
- /* make sure that 'RaSaslMech' appears in 'buf' */
- if (!strstr(buf, RaSaslMech)) {
- printf("server doesn't offer mandatory mech '%s'\n", RaSaslMech);
- return 0;
- }
- } else
- RaSaslMech = buf;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) calling sasl_client_start()", in, out, conn);
-#endif
-
- retn = sasl_client_start(conn, RaSaslMech, NULL, NULL, &data, &len, &chosenmech);
-
- if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) {
- fputc ('N', out);
- fflush(out);
- ArgusLog (LOG_ERR, "RaSaslNegotiate: error starting SASL negotiation");
- }
-
- if (retn == SASL_INTERACT)
- ArgusLog (LOG_ERR, "RaSaslNegotiate: returned SASL_INTERACT\n");
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "RaSaslNegotiate: using mechanism %s\n", chosenmech);
-#endif
-
- /* we send two strings; the mechanism chosen and the initial response */
-
- RaSendSaslString(out, chosenmech, strlen(chosenmech));
- RaSendSaslString(out, data, len);
-
- for (;;) {
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "waiting for server reply...\n");
-#endif
-
- switch (c = fgetc(in)) {
- case 'O':
- goto done_ok;
-
- case 'N':
- goto done_no;
-
- case 'C': /* continue authentication */
- break;
-
- default:
- printf("bad protocol from server (%c %x)\n", c, c);
- return 0;
- }
-
- if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0)
- ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) returned %d\n", in, buf, sizeof(buf), len);
-
- retn = sasl_client_step(conn, buf, len, NULL, &data, &len);
-
- if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) {
- fputc ('N', out);
- fflush(out);
- ArgusLog (LOG_ERR, "RaSaslNegotiate: error performing SASL negotiation");
- }
-
- if (data) {
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "sending response length %d...\n", len);
-#endif
-
- RaSendSaslString(out, data, len);
- free(data);
- } else {
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "sending null response...\n");
-#endif
-
- RaSendSaslString(out, "", 0);
- }
- }
-
- done_ok:
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "successful authentication");
-#endif
- return SASL_OK;
-
- done_no:
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "authentication failed");
-#endif
- return -1;
-}
-
-
-/* send/recv library for IMAP4 style literals. */
-
-int
-RaSendSaslString (FILE *f, const char *s, int l)
-{
- char saslbuf[MAXSTRLEN];
- int len, al = 0;
-
- bzero (saslbuf, MAXSTRLEN);
-
- sprintf(saslbuf, "{%d}\r\n", l);
- len = strlen(saslbuf);
-
- bcopy (s, &saslbuf[len], l);
- len += l;
-
- al = fwrite(saslbuf, 1, len, f);
- fflush(f);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusSendSaslString(0x%x, 0x%x, %d)\n", f, s, l);
- s = saslbuf;
- if (3 <= Argusdflag) {
- while (len--) {
- if (isprint((int)((unsigned char) *s))) {
- printf("%c ", *s);
- } else {
- printf("%x ", (unsigned char) *s);
- }
- s++;
- }
- printf("\n");
- }
-#endif
-
- return al;
-}
-
-int
-RaGetSaslString (FILE *f, char *buf, int buflen)
-{
- int c, len, l;
- char *s;
-
- if ((c = fgetc(f)) != '{')
- return -1;
-
- /* read length */
- len = 0;
- c = fgetc(f);
- while (isdigit(c)) {
- len = len * 10 + (c - '0');
- c = fgetc(f);
- }
- if (c != '}')
- return -1;
-
- if ((c = fgetc(f)) != '\r')
- return -1;
-
- if ((c = fgetc(f)) != '\n')
- return -1;
-
- /* read string */
- if (buflen <= len) {
- fread(buf, buflen - 1, 1, f);
- buf[buflen - 1] = '\0';
- /* discard oversized string */
- len -= buflen - 1;
- while (len--)
- (void)fgetc(f);
- len = buflen - 1;
- } else {
- fread(buf, len, 1, f);
- buf[len] = '\0';
- }
-
- l = len;
- s = buf;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusGetSaslString(0x%x, 0x%x, %d)\n", f, s, l);
- if (3 <= Argusdflag) {
- while (l--) {
- if (isprint((int)((unsigned char) *s))) {
- printf("%c ", *s);
- } else {
- printf("%X ", (unsigned char) *s);
- }
- s++;
- }
- printf("\n");
- }
-#endif
-
- return len;
-}
-
-#endif
diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_parse.c argus-2.0.6.fixes.1/common/argus_parse.c
--- argus-2.0.6.fixes.1.orig/common/argus_parse.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_parse.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,3550 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 1993, 1994 Carnegie Mellon University.
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software and
- * its documentation for any purpose and without fee is hereby granted,
- * provided that the above copyright notice appear in all copies and
- * that both that copyright notice and this permission notice appear
- * in supporting documentation, and that the name of CMU not be
- * used in advertising or publicity pertaining to distribution of the
- * software without specific, written prior permission.
- *
- * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
- * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL
- * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR
- * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
- * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION,
- * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- *
- */
-
-/*
- * argus_parse - parse argus output.
- * this module performs all the argus(1) related connection parsing,
- * selects datum from a set of criteria, and then calls specific
- * protocol dependant routines, depending on the selected datum.
- * at the end of processing, argus_parse calls an application
- * specific finish routine, RaParseComplete(), and when
- * connected to a remote data source, it supplies a periodic
- * timeout routine;
- *
- * this module defines all things, except:
- *
- * (void) usage ((char *) argv[0]);
- * this routine should print the standard usage message
- * for the specific application.
- *
- * ArgusClientInit (); this is the application specific init
- * routine, which is called after all parsing
- * initialization is done, prior to reading the
- * first monitor(1) datum.
- *
- * (void) ArgusClientTimeout ();
- * this routine is called every second, when
- * argus_parse is connected to a remote data source.
- *
- * process_man ((struct ArgusRecord *) ptr);
- * this routine should process management control events;
- *
- * process_tcp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_udp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_icmp ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_ip ((struct ArgusRecord *) ptr);
- * this routine should process tcp events;
- *
- * process_arp ((struct ArgusRecord *) ptr);
- * this routine should process arp events;
- *
- * process_non_ip ((struct ArgusRecord *) ptr);
- * this routine should process all other events;
- *
- * (void) RaParseComplete (0);
- * this routine will be called after all the
- * monitor data has been read.
- *
- *
- * written by Carter Bullard
- * QoSient, LLC
- *
- */
-
-
-#define ArgusParse
-
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-
-#if defined(CYGWIN)
-#include <getopt.h>
-#endif
-
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/stat.h>
-
-#include <compat.h>
-#include <pcap.h>
-
-#include <interface.h>
-
-#include <argus_parse.h>
-#include <argus_filter.h>
-
-
-int ArgusParseResourceFile (char *);
-unsigned char *ArgusRemoteFilter = NULL;
-
-extern void ArgusLog (int, char *, ...);
-
-int ArgusParseInit = 0;
-
-extern void ArgusClientTimeout (void);
-
-#define ARGUS_READINGPREHDR 1
-#define ARGUS_READINGHDR 2
-#define ARGUS_READINGBLOCK 4
-
-void
-argus_parse_init (struct ARGUS_INPUT *input)
-{
- char errbuf[MAXSTRLEN];
- char *device = NULL;
- struct tm *tm;
- struct argtimeval tvpbuf, *tvp = &tvpbuf;
- unsigned int net, mask;
- int i, fd = 0;
-
- if (input != NULL)
- fd = input->fd;
-
- if (initCon) {
- input->ArgusLocalNet = htonl(initCon->argus_mar.localnet);
- input->ArgusNetMask = htonl(initCon->argus_mar.netmask);
-
- if (tflag && timearg) {
- tvp->tv_sec = ntohl(initCon->argus_mar.now.tv_sec);
- tm = localtime((time_t *) &tvp->tv_sec);
- if (check_time_format (tm, timearg))
- ArgusLog (LOG_ERR, "time syntax error %s\n", timearg);
- }
-
- } else {
- if ((device = argus_lookupdev (errbuf)) != NULL) {
- argus_lookupnet(device, &net, &mask, errbuf);
- input->ArgusLocalNet = net;
- input->ArgusNetMask = mask;
- }
- }
-
- if ((input->ArgusReadBuffer = (unsigned char *)ArgusCalloc (1, MAXSTRLEN)) == NULL)
- ArgusLog (LOG_ERR, "ArgusCalloc error %s\n", strerror(errno));
-
- if ((input->ArgusConvBuffer = (u_char *)ArgusCalloc (1, MAXSTRLEN)) == NULL)
- ArgusLog (LOG_ERR, "ArgusCalloc error %s\n", strerror(errno));
-
- input->ArgusReadPtr = input->ArgusReadBuffer;
- input->ArgusConvPtr = input->ArgusConvBuffer;
-
- if (Cflag) {
- input->ArgusReadSocketState = ARGUS_READINGPREHDR;
-/*
- input->ArgusReadSize = k_maxFlowPacketSize;
-*/
- input->ArgusReadSize = 4;
-
- } else {
- if (major_version > 1)
- input->ArgusReadSocketState = ARGUS_READINGHDR;
- else {
- input->ArgusReadSocketState = ARGUS_READINGBLOCK;
- input->ArgusReadSize = 60;
- }
- }
-
- input->ArgusReadSocketSize = (input->ArgusReadSize < 0) ?
- sizeof(struct ArgusRecordHeader) : input->ArgusReadSize;
-
- if (!ArgusParseInit++)
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++)
- ArgusRemoteFDs[i] = NULL;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusParseInit (0x%x) returning\n", input);
-#endif
-}
-
-
-
-int ArgusPortNum = 0;
-char *getoptStr = "aAbB:cCd:D:E:e:f:F:gGhHiIL:lmM:nN:p:P:qr:RS:s:t:T:uU:vVw:zZ:";
-
-#define RaEnvItems 2
-
-char *RaResourceEnvStr [] = {
- "HOME",
- "ARGUSHOME",
-};
-
-
-int
-main (int argc, char **argv)
-{
- int i, cc, op, retn = 0, fd = 0, Scmdline = 0, rcmdline = 0;
- char *cmdbuf = NULL, *infile = NULL;
- char *envstr = NULL, *homepath = NULL;
- struct stat statbuf;
- static char path[MAXPATHNAMELEN];
- struct timeval now;
- struct timezone tz;
- extern char *optarg;
- extern int optind, opterr;
-
- opterr = 0;
-
- for (i = 0, cc = 0; i < argc; i++)
- cc += strlen(argv[i]);
-
- if (cc > 0) {
- int len = cc + (argc + 1);
-
- if ((cmdline = (char *) ArgusCalloc (len, sizeof(char))) != NULL) {
- for (i = 0, *cmdline = '\0'; i < argc; i++) {
- strcat (cmdline, argv[i]);
- strcat (cmdline, " ");
- }
- } else
- ArgusLog (LOG_ERR, "ArgusCalloc(%d, %d) failed %s\n", len, sizeof(char), strerror(errno));
- }
-
- if (strchr (argv[0], '/'))
- argv[0] = strrchr(argv[0], '/') + 1;
-
- if (gettimeofday(&now, &tz) < 0)
- error("gettimeofday");
-
- ArgusGlobalTime = now;
- ArgusNowTime = now;
-
- thiszone = tz.tz_minuteswest * -60;
-
- if ((RaTmStruct = localtime ((time_t *)&now.tv_sec))) {
- if (RaTmStruct->tm_isdst)
- thiszone += 3600;
- } else {
- fprintf (stderr, "%s: localtime: error %s \n", *argv, strerror(errno));
- exit (1);
- }
-
- ArgusProgramName = argv[0];
-
- snprintf (path, MAXPATHNAMELEN - 1, "/etc/ra.conf");
-
- if (stat (path, &statbuf) == 0)
- ArgusParseResourceFile (path);
-
- if ((homepath = getenv("ARGUSHOME")) != NULL) {
- snprintf (path, MAXPATHNAMELEN - 1, "%s/ra.conf", homepath);
- if (stat (path, &statbuf) == 0) {
- ArgusParseResourceFile (path);
- }
- }
-
- if ((envstr = getenv("ARGUSPATH")) != NULL) {
- while ((homepath = strtok(envstr, ":")) != NULL) {
- snprintf (path, MAXPATHNAMELEN - 1, "%s/.rarc", homepath);
- if (stat (path, &statbuf) == 0) {
- ArgusParseResourceFile (path);
- break;
- }
- envstr = NULL;
- }
-
- } else {
- for (i = 0; i < RaEnvItems; i++) {
- envstr = RaResourceEnvStr[i];
- if ((homepath = getenv(envstr)) != NULL) {
- sprintf (path, "%s/.rarc", homepath);
- if (stat (path, &statbuf) == 0) {
- ArgusParseResourceFile (path);
- break;
- }
- }
- }
- }
-
- if ((argv[optind]) != NULL)
- ArgusProgramOptions = strdup(copy_argv (&argv[optind]));
-
- while ((op = getopt (argc, argv, getoptStr)) != EOF) {
- switch (op) {
- case 'a': ++aflag; break;
- case 'A': ++Aflag; break;
- case 'b': ++bflag; break;
- case 'B': Bflag = atoi(optarg); break;
- case 'c': ++cflag; break;
- case 'C': ++Cflag; break;
- case 'D': Argusdflag = atoi (optarg); break;
- case 'd': ++dflag;
- if ((dataarg = optarg) != NULL) {
- if ((retn = parseUserDataArg (&dataarg, argv, optind)) < 0) {
- usage ();
- } else {
- optind += retn;
- }
- }
- break;
- case 'e':
- estr = optarg;
- if (strncmp(ArgusProgramName, "ragrep", 6)) {
- if (!(strncasecmp(optarg, "ascii", 5)))
- eflag = ARGUS_ENCODE_ASCII;
- else
- if (!(strncasecmp(optarg, "encode64", 8)))
- eflag = ARGUS_ENCODE_64;
- else
- usage();
- } else {
- ArgusGrepSource++;
- ArgusGrepDestination++;
-
- if ((estr[0] == 's') && (estr[1] == ':')) {
- ArgusGrepDestination = 0;
- estr = &estr[2];
- }
-
- if ((estr[0] == 'd') && (estr[1] == ':')) {
- ArgusGrepSource = 0;
- estr = &estr[2];
- }
- }
- break;
-
- case 'E': exceptfile = optarg; break;
- case 'f': ArgusFlowModelFile = optarg; break;
- case 'F':
- if (!(ArgusParseResourceFile (optarg)))
- ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) error. %s\n", optarg, strerror(errno));
- break;
- case 'g': ++gflag; Gflag = 0; break;
- case 'G': ++Gflag; gflag = 0; break;
- case 'H': ++Hflag; break;
- case 'i': ++idflag; break;
- case 'I': ++Iflag; break;
- case 'L':
- switch (Lflag = atoi(optarg)) {
- case 0: Lflag = -1; break;
- case -1: Lflag = 0; break;
- }
- break;
- case 'l': ++lflag; break;
- case 'm': ++mflag; break;
- case 'M': Mflag = optarg; break;
- case 'n': ++nflag; break;
- case 'N': Nflag = atoi (optarg); break;
- case 'p': pflag = atoi (optarg); break;
- case 'P': ArgusPortNum = atoi (optarg); break;
- case 'q': ++qflag; break;
- case 'r': ++rflag;
- Sflag = 0;
- if ((!rcmdline++) && (ArgusInputFileList != NULL))
- ArgusDeleteFileList();
-
- if (optarg == NULL)
- optarg = "-";
- do {
- if (!(ArgusAddFileList (optarg))) {
- fprintf (stderr, "%s: error: file arg %s \n", *argv, optarg);
- exit (1);
- }
- if ((optarg = argv[optind]) != NULL)
- if (*optarg != '-')
- optind++;
- } while (optarg && (*optarg != '-'));
- break;
-
- case 'R': ++Rflag; break;
- case 's':
- if (RaSortIndex < ARGUS_MAX_SORT_ALG)
- RaSortAlgorithmStrings[RaSortIndex++] = optarg;
- else
- ArgusLog (LOG_ERR, "usage: number of sort options exceeds %d\n", ARGUS_MAX_SORT_ALG);
- break;
- case 'S':
- ++Sflag;
- if ((!Scmdline++) && (ArgusRemoteHostList != NULL))
- ArgusDeleteHostList();
-
- if (!(ArgusAddHostList (optarg))) {
- fprintf (stderr, "%s: host %s unknown\n", *argv, optarg);
- exit (1);
- }
- break;
-
- case 't': ++tflag;
- if ((timearg = optarg) != NULL) {
- if ((retn = parseTimeArg (&timearg, argv, optind, RaTmStruct)) < 0) {
- usage ();
- } else {
- optind += retn;
- }
- }
- break;
- case 'T': Tflag = atoi(optarg); break;
- case 'u': uflag++; break;
- case 'U': ustr = optarg; break;
- case 'v': vflag++; break;
- case 'V': Vflag++; break;
- case 'w':
- if ((wfile = optarg) == NULL)
- if (!strcmp (argv[optind], "-")) {
- wfile = "-";
- }
- break;
- case 'z': ++zflag; break;
- case 'Z': Zflag = *optarg; break;
- case 'h':
- default:
- usage ();
- /* NOTREACHED */
- }
- }
-
- if (infile)
- cmdbuf = read_infile (infile);
- else {
- char *str;
-
- if ((str = argv[optind]) != NULL) {
- if (strcmp(str, "-") == 0)
- optind++;
- cmdbuf = copy_argv (&argv[optind]);
- }
- }
-
- if (cmdbuf) {
- if (RaInputFilter != NULL)
- ArgusFree(RaInputFilter);
-
- RaInputFilter = cmdbuf;
- }
-
- init_addrtoname (fflag, ArgusLocalNet, ArgusNetMask);
-
- bzero ((char *) &ArgusFilterCode, sizeof (ArgusFilterCode));
-
- if (!(ArgusFilterCompile (&ArgusFilterCode, RaInputFilter, 1, ArgusNetMask) < 0)) {
- if (cmdbuf)
- ArgusRemoteFilter = (unsigned char *) strdup(cmdbuf);
- else
- ArgusRemoteFilter = NULL;
- }
-
- if (bflag) {
- bpf_dump(&ArgusFilterCode, bflag);
- exit (0);
- }
-
- ArgusClientInit ();
-
- if (Sflag) {
- register struct ARGUS_INPUT *addr;
-
- if ((addr = ArgusRemoteHostList) != NULL) {
- while (addr != NULL) {
- if ((addr->fd = ArgusGetServerSocket (addr)) >= 0)
- if ((ArgusReadConnection (addr, NULL)) >= 0)
- ArgusRemoteFDs[ArgusActiveServers++] = addr;
-
- addr = addr->nxt;
- }
- }
-
- ArgusReadStream();
-
- } else {
- struct ARGUS_INPUT *addr;
-
- if (ArgusInputFileList == NULL)
- if (!(ArgusAddFileList ("-")))
- ArgusLog (LOG_ERR, "ArgusAddFilelist('-') error %s\n", strerror(errno));
-
- if ((addr = ArgusInputFileList) != NULL) {
- while (addr) {
- if (strcmp (addr->filename, "-")) {
- if ((addr->fd = open(addr->filename, O_RDONLY)) >= 0) {
- if (((ArgusReadConnection (addr, addr->filename)) >= 0)) {
- ArgusRemoteFDs[0] = addr;
- ArgusReadStream();
- close(addr->fd);
- }
- } else {
- fprintf (stderr, "%s: open '%s': %s\n", ArgusProgramName,
- addr->filename, strerror(errno));
- }
- } else {
- addr->fd = 0;
- if (((ArgusReadConnection (addr, NULL)) >= 0)) {
- ArgusRemoteFDs[0] = addr;
- ArgusReadStream();
- }
- }
- addr = addr->nxt;
- }
- } else {
- struct ARGUS_INPUT addrbuf, *addr = &addrbuf;
-
- bzero ((char *) addr, sizeof (*addr));
- addr->fd = 0;
-
- if (((ArgusReadConnection (addr, NULL)) >= 0)) {
- ArgusRemoteFDs[0] = addr;
- ArgusReadStream();
- }
- }
- }
-
- if (fd >= 0) {
- ArgusShutDown (0);
- } else
- retn = 1;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "main () exiting with %d\n", retn);
-#endif
-
- exit (retn);
-}
-
-
-void
-ArgusShutDown (int value)
-{
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusShutDown (%d)\n", value);
-#endif
-
- if (value >= 0)
- RaParseComplete (value);
-
- _exit (value);
-}
-
-unsigned int ArgusTotalCount = 0;
-unsigned int ArgusTotalBytes = 0;
-static int firstWrite = 1;
-
-int
-ArgusHandleDatum (struct ArgusRecord *ptr, struct bpf_program *filter)
-{
- int retn = 0;
-
- if (ptr != NULL) {
- int len = ntohs(ptr->ahdr.length);
- struct bpf_insn *fcode = filter->bf_insns;
- u_char buf[MAXSTRLEN];
-
- totalrecords++;
-
- if (len > MAXSTRLEN)
- ArgusLog (LOG_ERR, "ArgusHandleDatum(0x%x) input record %d size = %d\n", totalrecords, len);
-
- bcopy ((char *)ptr, (char *)ArgusOriginal, len);
- bcopy ((char *)ptr, (char *)&buf, len);
-
- switch (ptr->ahdr.type) {
- case ARGUS_MAR:
- case (ARGUS_MAR | ARGUS_CISCO_NETFLOW):
- case ARGUS_INDEX:
- case ARGUS_EVENT:
- marrecords++;
- break;
-
- case ARGUS_FAR:
- case ARGUS_DATASUP:
- farrecords++;
- break;
- }
-
- if ((retn = argus_filter (fcode, (unsigned char *) ptr)) != 0) {
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH ((struct ArgusRecord *)&buf);
-#endif
- ArgusThisFarStatus = ArgusIndexRecord ((struct ArgusRecord *)&buf, ArgusThisFarHdrs);
-
- if ((retn = check_time ((struct ArgusRecord *)&buf)) != 0) {
- struct ArgusRecord *argus = (struct ArgusRecord *)&buf;
-
- if (!(ptr->ahdr.type & ARGUS_MAR)) {
- unsigned int count, bytes;
-
-#define ARGUSMAXPACKETSIZE 65536 /* correct for 1.8x byte count bug */
-
- if ((count = argus->argus_far.src.count) > 0)
- if ((bytes = argus->argus_far.src.bytes) > 0)
- if ((bytes/count) > ARGUSMAXPACKETSIZE)
- argus->argus_far.src.bytes = 0;
- if ((count = argus->argus_far.dst.count) > 0)
- if ((bytes = argus->argus_far.dst.bytes) > 0)
- if ((bytes/count) > ARGUSMAXPACKETSIZE)
- argus->argus_far.dst.bytes = 0;
-
- ArgusTotalCount += (argus->argus_far.src.count + argus->argus_far.dst.count);
- if (Aflag)
- ArgusTotalBytes += (argus->argus_far.src.appbytes + argus->argus_far.dst.appbytes);
- else
- ArgusTotalBytes += (argus->argus_far.src.bytes + argus->argus_far.dst.bytes);
- }
-
- if (wfile) {
- if (RaWriteOut) {
- if (!(firstWrite && ((argus->ahdr.type & ARGUS_MAR) && (argus->ahdr.cause & ARGUS_START))))
- if (ArgusWriteNewLogfile (wfile, ArgusOriginal)) {
- fprintf (stderr, "ArgusWriteNewLogfile: error\n");
- exit (1);
- }
- } else
- ArgusProcessRecord ((struct ArgusRecord *)&buf);
- } else
- ArgusProcessRecord ((struct ArgusRecord *)&buf);
- }
- } else {
- if (exceptfile) {
- if (ArgusWriteNewLogfile (exceptfile, ArgusOriginal)) {
- fprintf (stderr, "ArgusWriteNewLogfile: error using file %s\n", exceptfile);
- exit (1);
- }
- }
- }
-
- retn = 0;
-
- if (ptr->ahdr.type & ARGUS_MAR) {
- switch (ptr->ahdr.cause) {
- case ARGUS_STOP:
- case ARGUS_SHUTDOWN:
- case ARGUS_ERROR: {
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusHandleDatum (0x%x, 0x%x) received closing Mar\n", ptr, filter);
-#endif
- if (Sflag)
- retn = 1;
- break;
- }
- }
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (6, "ArgusHandleDatum (0x%x, 0x%x) returning %d\n", ptr, filter, retn);
-#endif
-
- return (retn);
-}
-
-
-#include <netinet/tcp.h>
-
-struct ArgusRecord *ArgusNetFlowCallRecord (u_char **);
-struct ArgusRecord *ArgusNetFlowDetailInt (u_char **);
-struct ArgusRecord *ArgusParseCiscoRecord (u_char **);
-
-struct ArgusRecord *ArgusParseCiscoRecordV1 (u_char **);
-struct ArgusRecord *ArgusParseCiscoRecordV5 (u_char **);
-struct ArgusRecord *ArgusParseCiscoRecordV6 (u_char **);
-
-unsigned char *ArgusNetFlowRecordHeader = NULL;
-
-unsigned char ArgusNetFlowArgusRecordBuf[1024];
-struct ArgusRecord *ArgusNetFlowArgusRecord = (struct ArgusRecord *) ArgusNetFlowArgusRecordBuf;
-
-struct ArgusRecord *
-ArgusParseCiscoRecordV1 (u_char **ptr)
-{
- CiscoFlowEntryV1_t *entryPtrV1 = (CiscoFlowEntryV1_t *) *ptr;
- CiscoFlowHeaderV1_t *hdrPtrV1 = (CiscoFlowHeaderV1_t *) ArgusNetFlowRecordHeader;
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- struct ArgusMacStruct mac;
-
- *ptr += sizeof(CiscoFlowEntryV1_t);
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV1) {
- long time;
- time = ntohl(entryPtrV1->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV1->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV1->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV1->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV1->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV1->dstaddr);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV1->prot;
- argus->argus_far.attr_ip.stos = entryPtrV1->tos;
- argus->argus_far.src.count = ntohl(entryPtrV1->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV1->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV1->flags;
-
- if (tcp->src.flags & TH_RST) {
- if (argus->argus_far.src.count == 1) {
- if (tcp->src.flags == (TH_RST | TH_ACK))
- tcp->state |= ARGUS_DST_RESET;
- else
- tcp->state |= ARGUS_SRC_RESET;
- } else
- tcp->state |= ARGUS_RESET;
- }
-
- if (tcp->src.flags & TH_FIN)
- tcp->state |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags & TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->state |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->state |= ARGUS_SAW_SYN;
- break;
- case (TH_SYN|TH_ACK):
- if (argus->argus_far.src.count == 1)
- tcp->state |= ARGUS_SAW_SYN_SENT;
- break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
-
-/* fall through to UDP switch to get the ports */
-
- case IPPROTO_UDP:
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV1->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV1->dstport);
- break;
-
- case IPPROTO_ICMP: {
- argus->argus_far.flow.icmp_flow.type = ((char *)&entryPtrV1->dstport)[0];
- argus->argus_far.flow.icmp_flow.code = ((char *)&entryPtrV1->dstport)[1];
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof (mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV1->input = ntohs(entryPtrV1->input);
- entryPtrV1->output = ntohs(entryPtrV1->output);
-
- bcopy((char *)&entryPtrV1->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV1->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecordV1 (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return(argus);
-}
-
-
-struct ArgusRecord *
-ArgusParseCiscoRecordV5 (u_char **ptr)
-{
- CiscoFlowEntryV5_t *entryPtrV5 = ((CiscoFlowEntryV5_t *) *ptr);
- CiscoFlowHeaderV5_t *hdrPtrV5 = (CiscoFlowHeaderV5_t *) ArgusNetFlowRecordHeader;
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- struct ArgusMacStruct mac;
-
- *ptr += sizeof(CiscoFlowEntryV5_t);
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV5) {
- long time;
- time = ntohl(entryPtrV5->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV5->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV5->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV5->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV5->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV5->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV5->prot;
- argus->argus_far.attr_ip.stos = entryPtrV5->tos;
- argus->argus_far.src.count = ntohl(entryPtrV5->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV5->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV5->tcp_flags;
-
- if (tcp->src.flags & TH_RST)
- tcp->status |= ARGUS_RESET;
-
- if (tcp->src.flags & TH_FIN)
- tcp->status |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags & TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->status |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->status |= ARGUS_SAW_SYN;
- break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof (mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV5->input = ntohs(entryPtrV5->input);
- entryPtrV5->output = ntohs(entryPtrV5->output);
-
- bcopy((char *)&entryPtrV5->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV5->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecordV5 (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusParseCiscoRecordV6 (u_char **ptr)
-{
- CiscoFlowEntryV6_t *entryPtrV6 = (CiscoFlowEntryV6_t *) *ptr;
- CiscoFlowHeaderV6_t *hdrPtrV6 = (CiscoFlowHeaderV6_t *) ArgusNetFlowRecordHeader;
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- struct ArgusMacStruct mac;
-
- *ptr += sizeof(CiscoFlowEntryV6_t);
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV6) {
- long time;
- time = ntohl(entryPtrV6->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV6->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV6->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV6->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV6->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV6->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV6->prot;
- argus->argus_far.attr_ip.stos = entryPtrV6->tos;
- argus->argus_far.src.count = ntohl(entryPtrV6->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV6->bytes);
- argus->argus_far.src.appbytes = 0;
-
- switch (argus->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP: {
- struct ArgusTCPObject tcpbuf, *tcp = &tcpbuf;
-
- bzero ((char *) tcp, sizeof(*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(struct ArgusTCPObject);
- tcp->src.flags = entryPtrV6->tcp_flags;
-
- if (tcp->src.flags & TH_RST)
- tcp->status |= ARGUS_RESET;
-
- if (tcp->src.flags & TH_FIN)
- tcp->status |= ARGUS_FIN;
-
- if ((tcp->src.flags & TH_ACK) || (tcp->src.flags & TH_PUSH) || (tcp->src.flags & TH_URG))
- tcp->status |= ARGUS_CON_ESTABLISHED;
-
- switch (tcp->src.flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) {
- case (TH_SYN):
- tcp->status |= ARGUS_SAW_SYN;
- break;
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
- }
- break;
- }
-
- bzero ((char *)&mac, sizeof (mac));
- mac.type = ARGUS_MAC_DSR;
- mac.length = sizeof(mac);
- mac.status = 0;
- entryPtrV6->input = ntohs(entryPtrV6->input);
- entryPtrV6->output = ntohs(entryPtrV6->output);
-
- bcopy((char *)&entryPtrV6->input, (char *)&mac.phys_union.ether.ethersrc[4], 2);
- bcopy((char *)&entryPtrV6->output,(char *)&mac.phys_union.ether.etherdst[4], 2);
-
- bcopy ((char *)&mac, &((char *)argus)[argus->ahdr.length], sizeof(mac));
- argus->ahdr.length += sizeof(mac);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return(argus);
-}
-
-struct ArgusRecord *
-ArgusParseCiscoRecord (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- unsigned short *sptr = (unsigned short *) *ptr;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) version %h\n", *ptr, *sptr);
-#endif
-
- switch (*sptr) {
- case Version1: {
- CiscoFlowHeaderV1_t *hdrPtrV1 = (CiscoFlowHeaderV1_t *) *ptr;
- CiscoFlowEntryV1_t *entryPtrV1 = (CiscoFlowEntryV1_t *) (hdrPtrV1 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV1) {
- long time;
- time = ntohl(entryPtrV1->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV1->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV1->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV1->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV1->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV1->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV1->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV1->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV1->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV1->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV1->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV1->prot;
- argus->argus_far.attr_ip.stos = entryPtrV1->tos;
- argus->argus_far.src.count = ntohl(entryPtrV1->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV1->bytes);
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version5: {
- CiscoFlowHeaderV5_t *hdrPtrV5 = (CiscoFlowHeaderV5_t *) ptr;
- CiscoFlowEntryV5_t *entryPtrV5 = (CiscoFlowEntryV5_t *) (hdrPtrV5 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV5) {
- long time;
- time = ntohl(entryPtrV5->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV5->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV5->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV5->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV5->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV5->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV5->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV5->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV5->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV5->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV5->prot;
- argus->argus_far.attr_ip.stos = entryPtrV5->tos;
- argus->argus_far.src.count = ntohl(entryPtrV5->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV5->bytes);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version6: {
- CiscoFlowHeaderV6_t *hdrPtrV6 = (CiscoFlowHeaderV6_t *) ptr;
- CiscoFlowEntryV6_t *entryPtrV6 = (CiscoFlowEntryV6_t *) (hdrPtrV6 + 1);
-
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- if (hdrPtrV6) {
- long time;
- time = ntohl(entryPtrV6->first);
- argus->argus_far.time.start.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.start.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.start.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.start.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.start.tv_usec >= 1000000) {
- argus->argus_far.time.start.tv_sec++;
- argus->argus_far.time.start.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.start.tv_usec < 0) {
- argus->argus_far.time.start.tv_sec--;
- argus->argus_far.time.start.tv_usec += 1000000;
- }
-
- time = ntohl(entryPtrV6->last);
- argus->argus_far.time.last.tv_sec = (time - (long)hdrPtrV6->sysUptime)/1000;
- argus->argus_far.time.last.tv_sec += hdrPtrV6->unix_secs;
-
- argus->argus_far.time.last.tv_usec = ((time - (long)hdrPtrV6->sysUptime)%1000) * 1000;
- argus->argus_far.time.last.tv_usec += hdrPtrV6->unix_nsecs/1000;
-
- if (argus->argus_far.time.last.tv_usec >= 1000000) {
- argus->argus_far.time.last.tv_sec++;
- argus->argus_far.time.last.tv_usec -= 1000000;
- }
- if (argus->argus_far.time.last.tv_usec < 0) {
- argus->argus_far.time.last.tv_sec--;
- argus->argus_far.time.last.tv_usec += 1000000;
- }
-
- argus->argus_far.time.start.tv_usec = (argus->argus_far.time.start.tv_usec / 1000) * 1000;
- argus->argus_far.time.last.tv_usec = (argus->argus_far.time.last.tv_usec / 1000) * 1000;
- }
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(entryPtrV6->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(entryPtrV6->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(entryPtrV6->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(entryPtrV6->dstport);
- argus->argus_far.flow.ip_flow.ip_p = entryPtrV6->prot;
- argus->argus_far.attr_ip.stos = entryPtrV6->tos;
- argus->argus_far.src.count = ntohl(entryPtrV6->pkts);
- argus->argus_far.src.bytes = ntohl(entryPtrV6->bytes);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- break;
- }
-
- case Version8: {
- break;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusParseCiscoRecord (0x%x) returning 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusNetFlowCallRecord (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- BinaryRecord_CallRecord_V1 *call = (BinaryRecord_CallRecord_V1 *) *ptr;
-
- if (*ptr) {
- bzero ((char *) argus, sizeof (*argus));
- argus->ahdr.type = ARGUS_FAR | ARGUS_CISCO_NETFLOW;
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.length = sizeof(argus->ahdr) + sizeof(argus->argus_far);
-
- argus->ahdr.status |= ETHERTYPE_IP;
-
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
-
- argus->argus_far.time.start.tv_sec = ntohl(call->starttime);
- argus->argus_far.time.last.tv_sec = ntohl(call->endtime);
-
- argus->argus_far.time.last.tv_usec = ntohl(call->activetime) % 1000000;
- argus->argus_far.time.last.tv_sec += ntohl(call->activetime) / 1000000;
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(call->srcaddr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(call->dstaddr);
- argus->argus_far.flow.ip_flow.sport = ntohs(call->srcport);
- argus->argus_far.flow.ip_flow.dport = ntohs(call->dstport);
- argus->argus_far.flow.ip_flow.ip_p = call->prot;
- argus->argus_far.attr_ip.stos = call->tos;
- argus->argus_far.src.count = ntohl(call->pkts);
- argus->argus_far.src.bytes = ntohl(call->octets);
- argus->argus_far.src.appbytes = 0;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (6, "ArgusNetFlowCallRecord (0x%x) returns 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-struct ArgusRecord *
-ArgusNetFlowDetailInt (u_char **ptr)
-{
- struct ArgusRecord *argus = ArgusNetFlowArgusRecord;
- BinaryRecord_DetailInterface_V1 *dint = (BinaryRecord_DetailInterface_V1 *) *ptr;
-
- if (*ptr) {
- dint = NULL;
- bzero ((char *) argus, sizeof (*argus));
- }
-
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusNetFlowDetailInt (0x%x) returns 0x%x\n", *ptr, argus);
-#endif
-
- return (argus);
-}
-
-
-ArgusNetFlowHandler ArgusLookUpNetFlow(struct ARGUS_INPUT *, int);
-
-struct ArgusNetFlowParsers {
- int type, size;
- ArgusNetFlowHandler proc;
-};
-
-struct ArgusNetFlowParsers ArgusNetFlowParsers [] = {
- { SourceNode, 0, NULL },
- { DestNode, 0, NULL },
- { HostMatrix, 0, NULL },
- { SourcePort, 0, NULL },
- { DestPort, 0, NULL },
- { Protocol, 0, NULL },
- { DetailDestNode, 0, NULL },
- { DetailHostMatrix, 0, NULL },
- { DetailInterface, sizeof(BinaryRecord_DetailInterface_V1), ArgusNetFlowDetailInt },
- { CallRecord, sizeof(BinaryRecord_CallRecord_V1), ArgusNetFlowCallRecord },
- { ASMatrix, 0, NULL },
- { NetMatrix, 0, NULL },
- { DetailSourceNode, 0, NULL },
- { DetailASMatrix, 0, NULL },
- { ASHostMatrix, 0, NULL },
- { HostMatrixInterface, 0, NULL },
- { DetailCallRecord, 0, NULL },
- { RouterAS, 0, NULL },
- { RouterProtoPort, 0, NULL },
- { RouterSrcPrefix, 0, NULL },
- { RouterDstPrefix, 0, NULL },
- { RouterPrefix, 0, NULL },
- { -1, 0, NULL },
-};
-
-ArgusNetFlowHandler ArgusCiscoNetFlowParse = NULL;
-int ArgusWriteConnection (struct ARGUS_INPUT *, unsigned char *, int);
-
-ArgusNetFlowHandler
-ArgusLookUpNetFlow(struct ARGUS_INPUT *input, int type)
-{
- ArgusNetFlowHandler retn = NULL;
- struct ArgusNetFlowParsers *p = ArgusNetFlowParsers;
-
- do {
- if (type == p->type) {
- retn = p->proc;
- input->ArgusReadSize = p->size;
- break;
- }
- p++;
- } while (p->type != -1);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusLookUpNetFlow (0x%x, %d) returning 0x%x\n", input, type, retn);
-#endif
-
- return (retn);
-}
-
-extern char *ArgusVersionStr;
-
-int
-ArgusReadConnection (struct ARGUS_INPUT *input, char *filename)
-{
- struct ArgusCanonicalRecord canonbuf, *canon = &canonbuf;
- struct ArgusRecord argus;
- u_char *ptr = (u_char *)&argus;
- unsigned char buf[MAXSTRLEN];
- int cnt, fd = -1;
-
- if (input != NULL)
- fd = input->fd;
- else
- fd = 0;
-
- if (fd >= 0) {
- switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) {
- case ARGUS_DATA_SOURCE:
- bzero ((char *) &argus, sizeof(argus));
- if ((cnt = read (fd, &argus, sizeof(argus.ahdr))) == sizeof(argus.ahdr)) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() read %d bytes\n", cnt);
-#endif
- if (filename) {
- if (((ptr[0] == 0x1F) && ((ptr[1] == 0x8B) || (ptr[1] == 0x9D))) ||
- ((ptr[0] == 'B') && (ptr[1] == 'Z') && (ptr[2] == 'h'))) {
- char cmd[256];
- bzero(cmd, 256);
- close(fd);
- if (ptr[0] == 'B')
- strcpy(cmd, "bzip2 -dc ");
- else
- if (ptr[1] == 0x8B)
- strcpy(cmd, "gzip -dc ");
- else
- strcpy(cmd, "zcat ");
-
- strcat(cmd, filename);
-
- if ((input->pipe = popen(cmd, "r")) == NULL) {
- ArgusLog (LOG_ERR, "ArgusReadConnection: popen(%s) failed. %s\n", cmd, strerror(errno));
-
- close (fd);
- return (-1);
- } else {
- fd = fileno(input->pipe);
- if ((cnt = read (fd, &argus, sizeof(argus.ahdr))) != sizeof(argus.ahdr)) {
- ArgusLog (LOG_ERR, "ArgusReadConnection: read from '%s' failed. %s\n", cmd, strerror(errno));
- pclose(input->pipe);
- input->pipe = NULL;
- close (fd);
- return (-1);
- }
- }
- }
- }
-
- if (argus.ahdr.type & ARGUS_MAR) {
- unsigned short length = ntohs(argus.ahdr.length);
- unsigned int argusid = ntohl(argus.ahdr.argusid);
- unsigned int sequence = ntohl(argus.ahdr.seqNumber);
- unsigned int status = ntohl(argus.ahdr.status);
-
- if (argus.ahdr.cause & ARGUS_ERROR) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() ARGUS_ERROR Mar.\n");
-#endif
- if (status & ARGUS_MAXLISTENEXCD) {
- fprintf (stderr, "%s: remote exceed listen error.\n", ArgusProgramName);
- close (fd);
- return (-1);
- }
- }
-
- if (argus.ahdr.cause == ARGUS_START) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() ARGUS_START Mar.\n");
-#endif
- input->status |= ARGUS_DATA_SOURCE;
- if ((argusid == ARGUS_COOKIE) && (sequence == 0)) {
- int size = length - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &argus.argus_mar, size)) != size) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadConnection() read failed for ARGUS_START Mar %s.\n",
- strerror(errno));
-#endif
- close (fd);
- return (-1);
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, length);
- ArgusInput = input;
-
- ArgusHandleDatum ((struct ArgusRecord *)&argus, &ArgusFilterCode);
-
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
-
- bcopy ((char *) &argus, (char *)&input->ArgusManStart, sizeof (argus));
- input->major_version = MAJOR_VERSION_2;
- input->minor_version = MINOR_VERSION_0;
- input->ArgusReadSize = argus.argus_mar.record_len;
-
- argus_parse_init (input);
-
- if (Sflag && (input->major_version >= MAJOR_VERSION_2)) {
- if (ntohl(argus.ahdr.status) & ARGUS_SASL_AUTHENTICATE) {
- if (!(ArgusAuthenticate(input))) {
- fprintf (stderr, "%s: incorrect password\n", ArgusProgramName);
- close(fd);
- return (-1);
- }
- }
-
- if ((ArgusRemoteFilter != NULL) && (filename == NULL) && (fd != 0)) {
- int len;
- snprintf ((char *) buf, MAXSTRLEN-1, "FILTER: man or %s", (char *) ArgusRemoteFilter);
- len = strlen((char *) buf);
- if ((cnt = write (fd, buf, len)) != len) {
- fprintf (stderr, "%s: write remote filter error %s.\n",
- ArgusProgramName, strerror(errno));
- close(fd);
- return (-1);
- }
- }
- }
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- } else {
-
- struct WriteStruct *ws = NULL;
- char *ptr;
- int size;
-
- bcopy ((char *)&argus, buf, sizeof(argus.ahdr));
-
- size = sizeof(*ws) - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &buf[sizeof(argus.ahdr)], size)) != size) {
- fprintf (stderr, "%s: reading %d bytes, got %d bytes. %s", ArgusProgramName, size, cnt, strerror(errno));
- close (fd);
- return (-1);
-
- } else
- ws = (struct WriteStruct *) buf;
-
- if ((ptr = strstr (ws->ws_init.initString, ArgusVersionStr)) != NULL) {
- ArgusConvertInitialWriteStruct (ws, &argus);
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
- input->ArgusReadSize = sizeof(*ws);
-
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *)&argus, (char *) ArgusOriginal, sizeof(argus));
-
- ArgusInput = input;
-
- ArgusHandleDatum ((struct ArgusRecord *)&argus, &ArgusFilterCode);
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
-
- argus_parse_init (input);
-
- input->status |= ARGUS_DATA_SOURCE;
-
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- char *ptr = (char *)&argus;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusReadConnection() testing for CISCO records\n");
-#endif
- if (!(strncmp(&ptr[3], "SOURCE", 6))) {
- BinaryHeaderF2 *ArgusNetFlow = (BinaryHeaderF2 *) buf;
- int size;
-
- bcopy ((char *)&argus, buf, sizeof(argus.ahdr));
- size = sizeof(*ArgusNetFlow) - sizeof(argus.ahdr);
-
- if ((cnt = read (fd, &buf[sizeof(argus.ahdr)], size)) != size) {
- fprintf (stderr, "%s: reading %d bytes, got %d bytes. %s", ArgusProgramName, size, cnt, strerror(errno));
- close (fd);
- return (-1);
-
- } else {
-#ifdef _LITTLE_ENDIAN
- ArgusNetFlow->starttime = ntohl(ArgusNetFlow->starttime);
- ArgusNetFlow->endtime = ntohl(ArgusNetFlow->endtime);
- ArgusNetFlow->flows = ntohl(ArgusNetFlow->flows);
- ArgusNetFlow->missed = ntohl(ArgusNetFlow->missed);
- ArgusNetFlow->records = ntohl(ArgusNetFlow->records);
-#endif
- bzero ((char *)&argus, sizeof(argus));
-
- argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW;
- argus.ahdr.length = sizeof (argus);
- argus.ahdr.cause = ARGUS_START;
- argus.ahdr.argusid = ARGUS_COOKIE;
- argus.argus_mar.startime.tv_sec = ArgusNetFlow->starttime;
- argus.argus_mar.now.tv_sec = ArgusNetFlow->starttime;
- argus.argus_mar.major_version = major_version;
- argus.argus_mar.minor_version = minor_version;
- argus.argus_mar.flows = ArgusNetFlow->flows;
- argus.argus_mar.pktsDrop = ArgusNetFlow->missed;
- argus.argus_mar.record_len = -1;
-
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
-
- if ((input->ArgusCiscoNetFlowParse =
- ArgusLookUpNetFlow(input, ArgusNetFlow->aggregation)) != NULL) {
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(&argus);
-#endif
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, sizeof(argus));
- ArgusInput = input;
-
- ArgusGenerateCanonicalRecord (&argus, canon);
-#ifdef _LITTLE_ENDIAN
- ArgusNtoH(&argus);
-#endif
- argus_parse_init (input);
-
- if (check_time (&argus)) {
- if (!(wfile) || !(wfile || RaWriteOut))
- ArgusProcessRecord(&argus);
- }
-
- input->status |= ARGUS_CISCO_DATA_SOURCE;
-
- } else {
- fprintf (stderr, "%s: not supported Cisco data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- fprintf (stderr, "%s: not Argus-2.0 data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- }
- } else {
- fprintf (stderr, "%s: no data in data stream.\n", ArgusProgramName);
- close(fd);
- fd = -1;
- }
- break;
-
- case ARGUS_CISCO_DATA_SOURCE:
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusReadConnection(0x%x) reading from Cisco Router.\n", input);
-#endif
- bzero((char *)&argus, sizeof(argus));
-
- argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW;
- argus.ahdr.length = sizeof (argus);
- argus.ahdr.cause = ARGUS_START;
- argus.ahdr.argusid = ARGUS_COOKIE;
- argus.argus_mar.startime.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.now.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.major_version = major_version;
- argus.argus_mar.minor_version = minor_version;
- argus.argus_mar.record_len = -1;
-
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(&argus);
-#endif
- if (initCon == NULL) {
- if ((initCon = (struct ArgusRecord *) calloc (1, sizeof (argus))) != NULL)
- bcopy ((char *) &argus, (char *) initCon, sizeof (argus));
- }
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, sizeof(argus));
- ArgusInput = input;
-
- argus_parse_init (input);
- break;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadConnection() returning %d\n", fd);
-#endif
-
- return (fd);
-}
-
-
-void ArgusCloseInput(struct ARGUS_INPUT *);
-int ArgusReadStreamSocket (struct ARGUS_INPUT *);
-int ArgusReadCiscoStreamSocket (struct ARGUS_INPUT *);
-int ArgusReadCiscoDatagramSocket (struct ARGUS_INPUT *);
-
-
-void
-ArgusCloseInput(struct ARGUS_INPUT *input)
-{
- if (input->pipe) {
- pclose(input->pipe);
- input->pipe = NULL;
- }
-
- if (input->in != NULL)
- fclose(input->in);
-
- if (input->out != NULL)
- fclose(input->out);
-
- if (input->ArgusReadBuffer != NULL)
- ArgusFree(input->ArgusReadBuffer);
-
- if (input->ArgusConvBuffer != NULL)
- ArgusFree(input->ArgusConvBuffer);
-
- close (input->fd);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusCloseInput(0x%x) done\n", input);
-#endif
-}
-
-
-#ifdef ARGUS_SASL
-#include <saslint.h>
-
-int ArgusReadSaslStreamSocket (struct ARGUS_INPUT *);
-
-int
-ArgusReadSaslStreamSocket (struct ARGUS_INPUT *input)
-{
- int retn = 0, fd = input->fd, cnt;
- unsigned int value = 0, *pvalue = &value;
- struct ArgusRecord *argus = NULL;
- char *output = NULL, *end = NULL, *ptr = NULL;
- unsigned int outputlen = 0;
-
-
- if ((retn = sasl_getprop(input->sasl_conn, SASL_MAXOUTBUF, (void **) &pvalue)) != SASL_OK)
- ArgusLog (LOG_ERR, "ArgusReadSaslStreamSocket: sasl_getprop %s\n", strerror(errno));
-
- if (value == 0)
- value = MAXSTRLEN;
-
- if ((cnt = read (fd, input->ArgusSaslBuffer + input->ArgusSaslBufCnt, MAXSTRLEN)) > 0) {
- input->ArgusSaslBufCnt = cnt;
- ptr = input->ArgusSaslBuffer;
-
- do {
- cnt = (input->ArgusSaslBufCnt > value) ? value : input->ArgusSaslBufCnt;
-
- if (sasl_decode (input->sasl_conn, ptr, cnt, &output, &outputlen) == SASL_OK) {
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadSaslStreamSocket (0x%x) sasl_decoded %d bytes\n", input, outputlen);
-#endif
- ptr += cnt;
-
- if (outputlen) {
- argus = (struct ArgusRecord *) output;
- end = output + outputlen;
-
- while ((char *)argus < end) {
- input->ArgusReadSocketCnt = ntohs(argus->ahdr.length);
- bcopy (argus, input->ArgusReadBuffer, input->ArgusReadSocketCnt);
-
- if (ArgusHandleDatum (argus, &ArgusFilterCode) == 1) {
- if (!input->filename)
- write (fd, "DONE: ", strlen("DONE: "));
-
- retn = 1;
- break;
-
- } else
- (char *)argus += input->ArgusReadSocketCnt;
- }
-
- free (output);
- input->ArgusSaslBufCnt -= cnt;
-
- } else {
- input->ArgusSaslBufCnt = 0;
- break;
- }
-
- } else {
- ArgusLog (LOG_ERR, "ArgusReadSaslStreamSocket: sasl_decode () failed");
- break;
- }
-
- } while (input->ArgusSaslBufCnt > 0);
-
- } else {
- retn = 1;
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadSaslStreamSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-#endif /* ARGUS_SASL */
-
-
-int
-ArgusReadStreamSocket (struct ARGUS_INPUT *input)
-{
- int retn = 0, fd = input->fd, cnt = 0;
- unsigned short length;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadStreamSocket (0x%x) starting\n", input);
-#endif
-
- if ((cnt = read (fd, input->ArgusReadPtr + input->ArgusReadSocketCnt,
- (input->ArgusReadSocketSize - input->ArgusReadSocketCnt))) > 0) {
- input->ArgusReadSocketCnt += cnt;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadStreamSocket (0x%x) read %d bytes\n", input, cnt);
-#endif
-
- if (input->ArgusReadSocketCnt == input->ArgusReadSocketSize) {
- if (input->ArgusReadSocketState == ARGUS_READINGHDR) {
- input->ArgusReadSocketState = ARGUS_READINGBLOCK;
-
- bcopy ((char *)&((struct ArgusRecordHeader *)input->ArgusReadPtr)->length, (char *)&length, sizeof(length));
- input->ArgusReadSocketSize = ntohs(length) - sizeof(struct ArgusRecordHeader);
-
- input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt];
- input->ArgusReadSocketCnt = 0;
-
- } else {
- if (input->major_version < 2) {
- ArgusConvertWriteStruct ((struct WriteStruct *)input->ArgusReadBuffer,
- (struct ArgusRecord *)input->ArgusConvBuffer);
- bcopy (input->ArgusConvBuffer, input->ArgusReadBuffer, MAXSTRLEN);
- }
-
- if (ArgusHandleDatum ((struct ArgusRecord *)input->ArgusReadBuffer, &ArgusFilterCode) == 1) {
- if (!input->filename) {
- write (fd, "DONE: ", strlen("DONE: "));
- retn = 1;
- }
- }
-
- if (input->major_version >= 2) {
- input->ArgusReadSocketState = ARGUS_READINGHDR;
- input->ArgusReadSocketSize = sizeof(struct ArgusRecordHeader);
- }
-
- input->ArgusReadPtr = input->ArgusReadBuffer;
- bzero (input->ArgusReadBuffer, MAXSTRLEN);
- input->ArgusReadSocketCnt = 0;
- }
- }
- } else {
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadStreamSocket (0x%x) read returned %d\n", input, cnt);
-#endif
-
- retn = 1;
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadStreamSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-int
-ArgusReadCiscoStreamSocket (struct ARGUS_INPUT *input)
-{
- int cnt = 0, retn = 0;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoStreamSocket (0x%x) starting\n", input);
-#endif
-
- if ((cnt = read (input->fd, input->ArgusReadPtr + input->ArgusReadSocketCnt,
- (input->ArgusReadSocketSize - input->ArgusReadSocketCnt))) > 0) {
- input->ArgusReadSocketCnt += cnt;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoStreamSocket (0x%x) read %d bytes, total %d need %d\n",
- input, cnt, input->ArgusReadSocketCnt, input->ArgusReadSocketSize);
-#endif
-
- if (input->ArgusReadSocketCnt == input->ArgusReadSocketSize) {
- switch (input->ArgusReadSocketState) {
-
- case ARGUS_READINGPREHDR: {
- unsigned short *sptr = (unsigned short *) input->ArgusReadPtr;
-
- input->ArgusReadCiscoVersion = ntohs(*sptr++);
- input->ArgusReadSocketNum = ntohs(*sptr);
-
-#define CISCO_VERSION_1 1
-#define CISCO_VERSION_5 5
-
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1:
- input->ArgusReadSocketSize = sizeof(CiscoFlowHeaderV1_t) - 4;
- input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt];
- break;
-
- case CISCO_VERSION_5:
- input->ArgusReadSocketSize = sizeof(CiscoFlowHeaderV5_t) - 4;
- input->ArgusReadPtr = &input->ArgusReadBuffer[input->ArgusReadSocketCnt];
- break;
-
- default: {
- fprintf (stderr, "input not Cisco wire format\n");
- return(1);
- }
- }
-
- input->ArgusReadSocketState = ARGUS_READINGHDR;
- input->ArgusReadSocketCnt = 0;
- break;
- }
-
- case ARGUS_READINGHDR: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read record header\n", input);
-#endif
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1: {
- CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) input->ArgusReadBuffer;
- CiscoFlowHeaderV1_t *nfptr = ArgusNetFlow;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV1;
- input->ArgusReadSocketSize = sizeof(CiscoFlowEntryV1_t);
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV1_t)];
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlowRecordHeader = (unsigned char *)ArgusNetFlow;
- break;
- }
-
- case CISCO_VERSION_5: {
- CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) input->ArgusReadBuffer;
- CiscoFlowHeaderV5_t *nfptr = ArgusNetFlow;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV5;
- input->ArgusReadSocketSize = sizeof(CiscoFlowEntryV5_t);
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV5_t)];
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = (unsigned char *)ArgusNetFlow;
- break;
- }
-
- default: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read header\n", input);
-#endif
- }
- }
-
- input->ArgusReadSocketState = ARGUS_READINGBLOCK;
- input->ArgusReadBlockPtr = input->ArgusReadPtr;
- input->ArgusReadSocketCnt = 0;
- break;
- }
-
- default:
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read record complete\n", input);
-#endif
- if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (&input->ArgusReadPtr), &ArgusFilterCode))
- return(1);
-
- if (!(--input->ArgusReadSocketNum)) {
- input->ArgusReadPtr = input->ArgusReadBuffer;
- bzero (input->ArgusReadBuffer, k_maxFlowPacketSize);
- input->ArgusReadSocketState = ARGUS_READINGPREHDR;
- input->ArgusReadSocketSize = 4;
-
- } else {
- switch (input->ArgusReadCiscoVersion) {
- case CISCO_VERSION_1:
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV1_t)];
- break;
-
- case CISCO_VERSION_5:
- input->ArgusReadPtr = &input->ArgusReadBuffer[sizeof(CiscoFlowHeaderV5_t)];
- break;
-
- default: {
-#ifdef ARGUSDEBUG
- ArgusDebug (7, "ArgusReadCiscoStreamSocket (0x%x) read header\n", input);
-#endif
- }
- }
- }
-
- input->ArgusReadSocketCnt = 0;
- break;
- }
- }
-
- } else {
-#ifdef ARGUSDEBUG
- if (cnt < 0)
- ArgusDebug (3, "ArgusReadCiscoStreamSocket (0x%x) read returned %d error %s\n", input, cnt, strerror(errno));
- else
- ArgusDebug (3, "ArgusReadCiscoStreamSocket (0x%x) read returned %d\n", input, cnt);
-#endif
-
- retn = 1;
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadCiscoStreamSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-int ArgusCiscoDatagramSocketStart = 1;
-int
-ArgusReadCiscoDatagramSocket (struct ARGUS_INPUT *input)
-{
- int retn = 0, cnt = 0, count = 0, i = 0;
- unsigned short *sptr = NULL;
- unsigned char *ptr = NULL;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoDatagramSocket (0x%x) starting\n", input);
-#endif
-
- if ((cnt = read (input->fd, input->ArgusReadPtr, input->ArgusReadSocketSize)) > 0) {
- input->ArgusReadSocketCnt = cnt;
- sptr = (unsigned short *) input->ArgusReadPtr;
- ptr = (unsigned char *) input->ArgusReadPtr;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (8, "ArgusReadCiscoDatagramSocket (0x%x) read %d bytes, capacity %d\n",
- input, cnt, input->ArgusReadSocketCnt, input->ArgusReadSocketSize);
-#endif
-
-#define CISCO_VERSION_1 1
-#define CISCO_VERSION_5 5
-#define CISCO_VERSION_6 6
-#define CISCO_VERSION_8 8
-
- switch (input->ArgusReadCiscoVersion = ntohs(*sptr)) {
- case CISCO_VERSION_1: {
- CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr;
- CiscoFlowHeaderV1_t *nfptr = (CiscoFlowHeaderV1_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV1;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_5: {
- CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr;
- CiscoFlowHeaderV5_t *nfptr = (CiscoFlowHeaderV5_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV5;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_6: {
- CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr;
- CiscoFlowHeaderV6_t *nfptr = (CiscoFlowHeaderV6_t *) sptr;
-
- input->ArgusCiscoNetFlowParse = ArgusParseCiscoRecordV6;
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
- }
- break;
-
- case CISCO_VERSION_8: {
- CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr;
- CiscoFlowHeaderV8_t *nfptr = (CiscoFlowHeaderV8_t *) sptr;
-
- ArgusNetFlow->version = ntohs(nfptr->version);
- ArgusNetFlow->count = ntohs(nfptr->count);
- ArgusNetFlow->sysUptime = ntohl(nfptr->sysUptime);
- ArgusNetFlow->unix_secs = ntohl(nfptr->unix_secs);
- ArgusNetFlow->unix_nsecs = ntohl(nfptr->unix_nsecs);
- ArgusNetFlow->flow_sequence = ntohl(nfptr->flow_sequence);
- ArgusNetFlowRecordHeader = ptr;
- ptr = (unsigned char *) (nfptr + 1);
- count = ArgusNetFlow->count;
-
- if ((input->ArgusCiscoNetFlowParse =
- ArgusLookUpNetFlow(input, ArgusNetFlow->agg_method)) != NULL) {
- }
- }
- break;
- }
-
- for (i = 0; i < count; i++) {
- if (ArgusHandleDatum (input->ArgusCiscoNetFlowParse (&ptr), &ArgusFilterCode))
- return(1);
- }
-
- } else {
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadCiscoDatagramSocket (0x%x) read returned %d error %s\n", input, cnt, strerror(errno));
-#endif
-
-
- if ((cnt < 0) && ((errno == EAGAIN) || (errno == EINTR))) {
- retn = 0;
- } else
- retn = 1;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadCiscoDatagramSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-void
-ArgusReadStream ()
-{
- int retn = 0, width = -1, i;
- struct timeval now, wait, timeoutValue;
- struct ARGUS_INPUT *input = NULL;
- fd_set readmask;
-
- if (ArgusRemoteFDs[0] == NULL) {
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusReadStream() ArgusRemoteFDs is empty\n");
-#endif
-
- return;
- }
-
- if (gettimeofday (&now, NULL) == 0) {
- ArgusAdjustGlobalTime(&now);
-
- FD_ZERO (&readmask);
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++)
- if (ArgusRemoteFDs[i] != NULL) {
- FD_SET (ArgusRemoteFDs[i]->fd, &readmask);
- width = (width < ArgusRemoteFDs[i]->fd) ? ArgusRemoteFDs[i]->fd : width;
- }
- width++;
-
- wait.tv_sec = 0;
- wait.tv_usec = 250000;
-
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusReadStream() starting\n");
-#endif
-
- for (;;) {
- if ((retn = select (width, &readmask, NULL, NULL, &wait)) >= 0) {
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++) {
- if ((input = ArgusRemoteFDs[i]) != NULL) {
- if (FD_ISSET (input->fd, &readmask)) {
- ArgusInput = input;
- switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) {
- case ARGUS_DATA_SOURCE:
-#ifdef ARGUS_SASL
- if (input->sasl_conn && (input->sasl_conn->oparams.decode != NULL)) {
- if (ArgusReadSaslStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
- } else
-#endif
- if (ArgusReadStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
- break;
-
- case ARGUS_CISCO_DATA_SOURCE:
- if (ArgusRemoteHostList)
- if (ArgusReadCiscoDatagramSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
-
- if (ArgusInputFileList)
- if (ArgusReadCiscoStreamSocket (input)) {
- ArgusCloseInput(input);
- ArgusRemoteFDs[i] = NULL;
- }
-
- break;
- }
- }
- }
- }
-
- if (Sflag) {
- gettimeofday (&now, NULL);
- ArgusAdjustGlobalTime(&now);
- } else
- now = ArgusGlobalTime;
-
- if (timeoutValue.tv_sec == 0) {
- timeoutValue = ArgusGlobalTime;
-
- timeoutValue.tv_sec += RaClientTimeout.tv_sec;
- timeoutValue.tv_usec += RaClientTimeout.tv_usec;
-
- if (timeoutValue.tv_usec >= 1000000) {
- timeoutValue.tv_sec += 1;
- timeoutValue.tv_usec -= 1000000;
- }
- }
-
- if ((now.tv_sec > timeoutValue.tv_sec) ||
- ((now.tv_sec == timeoutValue.tv_sec) &&
- (now.tv_usec > timeoutValue.tv_usec))) {
-
- ArgusClientTimeout ();
-
- if (Tflag) {
- if ((Tflag - 1) == 0) {
- ArgusShutDown(0);
- }
- Tflag--;
- }
-
- timeoutValue = now;
- timeoutValue.tv_sec += RaClientTimeout.tv_sec;
- timeoutValue.tv_usec += RaClientTimeout.tv_usec;
- }
-
- width = -1;
- FD_ZERO (&readmask);
- for (i = 0; i < ARGUS_MAX_REMOTE_CONN; i++)
- if (ArgusRemoteFDs[i] != NULL) {
- FD_SET (ArgusRemoteFDs[i]->fd, &readmask);
- width = (width < ArgusRemoteFDs[i]->fd) ? ArgusRemoteFDs[i]->fd : width;
- }
-
- if (width < 0)
- return;
- else
- width++;
-
- wait.tv_sec = 0;
- wait.tv_usec = 250000;
-
- } else {
-
-#ifdef ARGUSDEBUG
- ArgusDebug (3, "ArgusReadStream() select returned %s\n", strerror(errno));
-#endif
- if (errno != EINTR)
- break;
- }
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (5, "ArgusReadStream() returning\n");
-#endif
-}
-
-void
-ArgusProcessRecord (struct ArgusRecord *ptr)
-{
- if (ptr->ahdr.type & ARGUS_MAR)
- process_man (ptr);
-
- else {
-
- switch (ptr->ahdr.status & 0xFFFF) {
- case ETHERTYPE_IP:
- switch (ptr->argus_far.flow.ip_flow.ip_p) {
- case IPPROTO_TCP:
- process_tcp (ptr);
- break;
-
- case IPPROTO_UDP:
- process_udp (ptr);
- break;
-
- case IPPROTO_ICMP:
- process_icmp (ptr);
- break;
-
- default:
- process_ip (ptr);
- break;
- }
- break;
-
- case ETHERTYPE_ARP:
- case ETHERTYPE_REVARP:
- process_arp (ptr);
- break;
-
- default:
- process_non_ip (ptr);
- break;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (6, "ArgusProcessRecord (0x%x) returning\n", ptr);
-#endif
-}
-
-
-
-#include <netdb.h>
-
-extern void ArgusLog (int, char *, ...);
-
-#define ARGUS_DEFAULTCISCOPORT 9995
-
-char *ArgusRecordType = NULL;
-
-extern int ArgusInitializeAuthentication(void);
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-int
-ArgusGetServerSocket (struct ARGUS_INPUT *input)
-{
- int retn = -1;
- struct sockaddr_in server;
- struct servent *sp;
- struct hostent *hp;
- int s, type = 0;
- unsigned short portnum = 0;
-
- switch (input->status & (ARGUS_DATA_SOURCE | ARGUS_CISCO_DATA_SOURCE)) {
- case ARGUS_DATA_SOURCE: {
- ArgusRecordType = "Argus";
- type = SOCK_STREAM;
- if (!input->portnum) {
- if (!ArgusPortNum) {
- if ((sp = getservbyname ("monitor", "tcp")) != NULL)
- portnum = sp->s_port;
- else
- portnum = htons(ARGUS_DEFAULTPORT);
- } else
- portnum = htons(ArgusPortNum);
-
- input->portnum = ntohs(portnum);
-
- } else
- portnum = htons(input->portnum);
- break;
- }
-
- case ARGUS_CISCO_DATA_SOURCE: {
- struct ArgusRecord argus;
-
- ArgusRecordType = "Netflow";
- type = SOCK_DGRAM;
- if (!input->portnum) {
- if (!ArgusPortNum)
- portnum = htons(ARGUS_DEFAULTCISCOPORT);
- else
- portnum = htons(ArgusPortNum);
-
- input->portnum = ntohs(portnum);
-
- } else
- portnum = htons(input->portnum);
-
- bzero ((char *)&argus, sizeof(argus));
- argus.ahdr.type = ARGUS_MAR | ARGUS_CISCO_NETFLOW;
- argus.ahdr.length = sizeof (argus);
- argus.ahdr.cause = ARGUS_START;
- argus.ahdr.argusid = ARGUS_COOKIE;
- argus.argus_mar.startime.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.now.tv_sec = ArgusGlobalTime.tv_sec;
- argus.argus_mar.major_version = major_version;
- argus.argus_mar.minor_version = minor_version;
- argus.argus_mar.record_len = -1;
-
- input->major_version = argus.argus_mar.major_version;
- input->minor_version = argus.argus_mar.minor_version;
-
- bcopy ((char *) &argus, (char *)&input->ArgusInitCon, sizeof (argus));
- bcopy ((char *) &argus, (char *) ArgusOriginal, sizeof(argus));
- ArgusInput = input;
- break;
- }
-
- default:
- ArgusLog (LOG_ERR, "ArgusGetServerSocket(0x%x) unknown type\n", input);
- }
-
- bzero ((char *) &server, sizeof (server));
-
- if ((s = socket (AF_INET, type, 0)) >= 0) {
- if (type == SOCK_DGRAM) {
- server.sin_addr.s_addr = INADDR_ANY;
- server.sin_family = AF_INET;
- server.sin_port = portnum;
- fprintf (stderr, "%s: Binding port %d Expecting %s records\n", ArgusProgramName,
- ntohs(portnum), ArgusRecordType);
- if ((bind (s, (struct sockaddr *)&server, sizeof(server))) < 0)
- ArgusLog (LOG_ERR, "bind (%d, %s:%hu, %d) failed %s\n", s, inet_ntoa(server.sin_addr),
- server.sin_port, sizeof(server), strerror(errno));
- } else {
- int optval = 1;
- if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&optval, sizeof(int)) < 0) {
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "setsockopt(%d, SOL_SOCKET, SO_KEEPALIVE, 0x%x, %d) failed:", s, optval, sizeof(int));
-#endif
- }
-
- if ((hp = gethostbyaddr ((char *)&input->addr, sizeof (input->addr), AF_INET)) != NULL) {
- bcopy ((char *) hp->h_addr, (char *)&server.sin_addr, hp->h_length);
- server.sin_family = hp->h_addrtype;
- server.sin_port = portnum;
- fprintf (stderr, "%s: Trying %s port %d Expecting %s records\n", ArgusProgramName, (hp->h_name) ?
- (hp->h_name) : intoa (input->addr), ntohs(portnum), ArgusRecordType);
- } else {
- server.sin_addr.s_addr = input->addr;
- server.sin_family = AF_INET;
- server.sin_port = portnum;
- fprintf (stderr, "%s: Trying %s port %d Expecting %s records\n", ArgusProgramName,
- intoa (input->addr), ntohs(portnum), ArgusRecordType);
- }
-
- if ((connect (s, (struct sockaddr *)&server, sizeof(server))) < 0)
- ArgusLog (LOG_ERR, "connect (%d, %s:%hu, %d) failed %s\n", s, inet_ntoa(server.sin_addr),
- server.sin_port, sizeof(server), strerror(errno));
- }
-
- retn = s;
- input->fd = s;
-
- if (type == SOCK_DGRAM)
- fprintf (stderr, "%s: receiving\n", ArgusProgramName);
- else
- fprintf (stderr, "%s: connected\n", ArgusProgramName);
-
- } else {
- fprintf (stderr, "%s: socket() failed. %s\n", ArgusProgramName, strerror(errno));
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusGetServerSocket (0x%x) returning %d\n", input, retn);
-#endif
-
- return (retn);
-}
-
-
-int
-ArgusAddFileList (char *ptr)
-{
- register int retn = 0;
- register struct ARGUS_INPUT *file, *list;
-
- if (ptr) {
- if ((file = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof(struct ARGUS_INPUT))) != NULL) {
- if ((list = ArgusInputFileList) != NULL) {
- while (list->nxt) list = list->nxt;
- list->nxt = file;
- } else
- ArgusInputFileList = file;
-
- file->filename = strdup(ptr);
- file->status |= (Cflag ? ARGUS_CISCO_DATA_SOURCE : ARGUS_DATA_SOURCE);
- retn = 1;
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusAddFileList (%s) returning %d\n", ptr, retn);
-#endif
-
- return (retn);
-}
-
-void
-ArgusDeleteFileList ()
-{
- struct ARGUS_INPUT *addr = ArgusInputFileList;
-
- while (addr) {
- if (addr->filename)
- free(addr->filename);
-
- addr = addr->nxt;
- ArgusFree(ArgusInputFileList);
- ArgusInputFileList = addr;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusDeleteFileList () returning\n");
-#endif
-}
-
-
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-
-int
-ArgusAddHostList (char *str)
-{
- int retn = 0;
- struct ARGUS_INPUT *addr = NULL;
- unsigned int ipaddr, **name;
- long int portnum = 0;
- char *ptr = NULL, *endptr = NULL;
-
- if ((ptr = strchr (str, (int)':')) != NULL) {
- *ptr++ = '\0';
-
- portnum = strtol(ptr, &endptr, 10);
-
- if (endptr == ptr)
- usage();
- }
-
- if ((ipaddr = (unsigned int) inet_addr (str)) == (unsigned int) -1) {
- if ((name = (unsigned int **) argus_nametoaddr (str)) != NULL) {
- if (*name) {
- if ((addr = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof (struct ARGUS_INPUT))) != NULL) {
- addr->nxt = ArgusRemoteHostList;
- ArgusRemoteHostList = addr;
- addr->addr = ntohl(**name);
- addr->hostname = strdup(str);
- addr->portnum = portnum;
- retn = 1;
- }
- }
- }
- } else
- if ((addr = (struct ARGUS_INPUT *) ArgusCalloc (1, sizeof (struct ARGUS_INPUT))) != NULL) {
- addr->nxt = ArgusRemoteHostList;
- ArgusRemoteHostList = addr;
- addr->addr = ipaddr;
- addr->portnum = portnum;
- retn = 1;
- }
-
- if (addr)
- addr->status |= (Cflag ? ARGUS_CISCO_DATA_SOURCE : ARGUS_DATA_SOURCE);
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusAddHostList (%s) returning %d\n", str, retn);
-#endif
-
- return (retn);
-}
-
-void
-ArgusDeleteHostList ()
-{
- struct ARGUS_INPUT *addr = ArgusRemoteHostList;
-
- while (addr) {
- if (addr->hostname)
- free(addr->hostname);
-
- addr = addr->nxt;
- ArgusFree(ArgusRemoteHostList);
- ArgusRemoteHostList = addr;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (2, "ArgusDeleteHostList () returning\n");
-#endif
-}
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-int
-ArgusWriteNewLogfile (char *file, struct ArgusRecord *argus)
-{
- int retn = 0, fd;
- struct stat buf;
-
- if (file) {
- if (strcmp (file, "-")) {
- if ((fd = open (file, O_WRONLY|O_CREAT|O_APPEND, 0644)) >= 0) {
- if (fstat (fd, &buf) >= 0) {
- if (buf.st_size == 0)
- if ((write (fd, (char *)&ArgusInput->ArgusInitCon, ntohs(ArgusInput->ArgusInitCon.ahdr.length))) < 0)
- ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) write error %s", file, argus, strerror(errno));
- } else {
- ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) fstat error %s",
- file, argus, strerror(errno));
- }
-
- if (argus != NULL) {
- if ((write (fd, argus, ntohs(argus->ahdr.length))) < 0)
- ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) write error %s",
- file, argus, strerror(errno));
- }
- close (fd);
-
- } else {
- ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) open error %s",
- file, argus, strerror(errno));
- }
-
- if (firstWrite)
- firstWrite = 0;
-
- } else {
- if (firstWrite) {
- if (!(fwrite ((char *)&ArgusInput->ArgusInitCon, ntohs(ArgusInput->ArgusInitCon.ahdr.length), 1, stdout)))
- ArgusLog (LOG_ERR, "ArgusWriteNewLogfile(%s, 0x%x) fwrite error %s", file, argus, strerror(errno));
-
- fflush (stdout);
- firstWrite = 0;
- }
- if (argus) {
- if (!(fwrite (argus, ntohs(argus->ahdr.length), 1, stdout)))
- retn++;
- fflush (stdout);
- }
- }
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (4, "ArgusWriteNewLogFile (%s, 0x%x) returning %d\n", file, argus, retn);
-#endif
-
- return (retn);
-}
-
-
-int
-check_time (struct ArgusRecord *ptr)
-{
- struct tm tmbuf, *tm;
- int retn = 0;
- struct timeval *start, *last, lastbuf;
-
- if (ptr->ahdr.type & ARGUS_MAR) {
- start = &ptr->argus_mar.startime;
- last = &ptr->argus_mar.now;
- if (!(start->tv_sec))
- start = &ptr->argus_mar.now;
-
- } else {
- start = &ptr->argus_far.time.start;
- last = &ptr->argus_far.time.last;
-
- if (ArgusThisFarStatus & ARGUS_AGR_DSR_STATUS) {
- lastbuf = ((struct ArgusAGRStruct *)ArgusThisFarHdrs[ARGUS_AGR_DSR_INDEX])->lasttime;
- }
- }
-
- ArgusGlobalTime = *last;
- gettimeofday (&ArgusNowTime, 0L);
-
- if ((tm = localtime ((time_t *)&start->tv_sec)) != NULL)
- bcopy ((char *) tm, (char *)&tm_startime, sizeof (struct tm));
- else
- bzero ((char *)&tm_startime, sizeof (struct tm));
-
- if ((tm = localtime ((time_t *)&last->tv_sec)) != NULL)
- bcopy ((char *) tm, (char *)&tm_lasttime, sizeof (struct tm));
- else
- bzero ((char *)&tm_startime, sizeof (struct tm));
-
- if (tflag) {
- time_t *sec;
-
- if (!explicit_date) {
- sec = (time_t *)&start->tv_sec;
-
- tm = localtime(sec);
- if (tm->tm_yday != starTimeFilter.tm_yday) {
- bcopy ((char *) tm, (char *) &tmbuf, sizeof (struct tm));
- if (check_time_format (&tmbuf, timearg))
- ArgusLog (LOG_ERR, "time syntax error %s\n", timearg);
- }
- }
-
- if (ptr->ahdr.type & ARGUS_MAR) {
- if (ptr->ahdr.status & ARGUS_START) {
- if ((ptr->argus_mar.now.tv_sec >= startime_t) &&
- (ptr->argus_mar.now.tv_sec <= lasttime_t))
- retn++;
- } else {
- if ((ptr->argus_mar.now.tv_sec >= startime_t) &&
- (ptr->argus_mar.now.tv_sec <= lasttime_t))
- retn++;
- }
- } else {
- if (((start->tv_sec >= startime_t) && (start->tv_sec <= lasttime_t)) ||
- ((last->tv_sec >= startime_t) && (last->tv_sec <= lasttime_t)) ||
- ((start->tv_sec < startime_t) && (last->tv_sec > lasttime_t)))
- retn++;
- }
- } else
- retn++;
-
- return (retn);
-}
-
-
-#include <ctype.h>
-
-int
-parseUserDataArg (char **arg, char *args[], int ind)
-{
- int retn = -1;
- char buf[64], *ptr = buf;
-
- bzero (buf, 64);
- strcpy (buf, *arg);
- ptr += strlen (buf);
-
- if ((ptr = strchr(*arg, ':')) && (*(ptr + 1) != '\0')) {
- retn = 0;
- } else {
- if (args) {
- if (args[ind] && (*args[ind] == ':')) {
- if (strlen (args[ind]) == 1) {
- strcat (buf, ":");
- strcat (buf, args[ind + 1]);
- retn = 2;
- } else {
- ptr = args[ind];
- if (isdigit((int)*(ptr + 1))) {
- strcat (buf, args[ind]);
- retn = 1;
- } else
- retn = 0;
- }
- } else
- retn = 0;
- } else
- retn = 0;
- }
-
- *arg = savestr(buf);
-
- if ((ptr = strchr (buf, ':')) != NULL) {
- ptr++;
- if (*buf == 's')
- ArgusSrcUserDataLen = atoi(buf + 1);
- else
- ArgusLog (LOG_ERR, "user data syntax error %s\n", buf);
-
- if (*ptr == 'd')
- ArgusDstUserDataLen = atoi(ptr + 1);
- else
- ArgusLog (LOG_ERR, "user data syntax error %s\n", buf);
-
- } else {
- if (isdigit((int)*buf)) {
- ArgusSrcUserDataLen = atoi(buf);
- ArgusDstUserDataLen = atoi(buf);
- } else {
- if (*buf == 's')
- ArgusSrcUserDataLen = atoi(buf + 1);
-
- if (*buf == 'd')
- ArgusDstUserDataLen = atoi(buf + 1);
- }
- }
-
- if (retn < 0)
- ArgusLog (LOG_ERR, "user data syntax error %s\n", buf);
-
- return (retn);
-}
-
-int
-parseTimeArg ( char **arg, char *args[], int ind, struct tm *tm)
-{
- int retn = -1;
- char buf[64], *ptr = buf;
-
- bzero (buf, 64);
- strcpy (buf, *arg);
- ptr += strlen (buf);
- if ((ptr = strchr(*arg, '-')) && (*(ptr + 1) != '\0')) {
- retn = 0;
- } else {
- if (args) {
- if (args[ind] && (*args[ind] == '-')) {
- if (strlen (args[ind]) == 1) {
- strcat (buf, "-");
- strcat (buf, args[ind + 1]);
- retn = 2;
- } else {
- ptr = args[ind];
- if (isdigit((int)*(ptr + 1))) {
- strcat (buf, args[ind]);
- retn = 1;
- } else
- retn = 0;
- }
- } else
- retn = 0;
- }
- }
-
- if ((ptr = strchr(*arg, '.')) || (ptr = strchr(*arg, '/')))
- explicit_date++;
-
- if (check_time_format (tm, buf))
- ArgusLog (LOG_ERR, "time syntax error %s\n", buf);
-
- *arg = savestr(buf);
- return (retn);
-}
-
-
-#define ARGUS_YEAR 1
-#define ARGUS_MONTH 2
-#define ARGUS_DAY 3
-#define ARGUS_HOUR 4
-#define ARGUS_MIN 5
-#define ARGUS_SEC 6
-
-int RaDaysInAMonth[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-
-int
-check_time_format (struct tm *tm, char *str)
-{
- int retn = 0;
- char *ptr, buf[64];
-
- /*[[[yyyy/]mm/]dd.]hh[:mm[:ss]] - [[[yyyy/]mm/]dd.]hh[:mm[:ss]]*/
-
- strcpy (buf, str);
-
- if ((ptr = strchr(buf, '-')) != NULL) {
- *ptr = '\0';
- if ((retn = parseTime (&starTimeFilter, tm, buf)) > 0)
- if ((retn = parseTime (&lastTimeFilter, &starTimeFilter, ptr + 1)) > 0)
- retn = 0;
-
- } else {
- if ((retn = parseTime (&starTimeFilter, tm, buf)) > 0) {
- bcopy ((char *)&starTimeFilter, (char *)&lastTimeFilter, sizeof(struct tm));
- switch (retn) {
- case ARGUS_YEAR: lastTimeFilter.tm_year++; break;
- case ARGUS_MONTH: lastTimeFilter.tm_mon++; break;
- case ARGUS_DAY: lastTimeFilter.tm_mday++; break;
- case ARGUS_HOUR: lastTimeFilter.tm_hour++; break;
- case ARGUS_MIN: lastTimeFilter.tm_min++; break;
- case ARGUS_SEC: lastTimeFilter.tm_sec++; break;
- }
-
- while (tm->tm_sec > 59) {tm->tm_min++; tm->tm_sec -= 60;}
- while (tm->tm_min > 59) {tm->tm_hour++; tm->tm_min -= 60;}
- while (tm->tm_hour > 23) {tm->tm_mday++; tm->tm_hour -= 24;}
- while (tm->tm_mday > RaDaysInAMonth[tm->tm_mon]) {tm->tm_mday -= RaDaysInAMonth[tm->tm_mon]; tm->tm_mon++;}
- while (tm->tm_mon > 11) {tm->tm_year++; tm->tm_mon -= 12;}
-
- retn = 0;
- }
- }
-
- if (retn == 0) {
- startime_t = timelocal (&starTimeFilter);
- lasttime_t = timelocal (&lastTimeFilter);
-
- if (!(lasttime_t >= startime_t)) {
- fprintf (stderr, "error: invalid time range\n");
- retn++;
- }
- }
-
- return (retn);
-}
-
-int
-parseTime (struct tm *tm, struct tm *ctm, char *str)
-{
- char *hptr = NULL, *dptr = NULL, *mptr = NULL, *yptr = NULL;
- char *minptr = NULL, *secptr = NULL, *ptr;
- int retn = 0, hour = 0, mins = 0, sec = 0, i;
- time_t thistime;
-
- /*[[[yyyy/]mm/]dd].]hh[:mm[:ss]]*/
-
- bcopy ((u_char *) ctm, (u_char *) tm, sizeof (struct tm));
-
- if ((hptr = strchr (str, '.')) != NULL) {
- *hptr++ = '\0';
- if (!(isdigit((int)*hptr)))
- return -1;
- }
-
- if ((dptr = strrchr (str, '/')) != NULL) { /* mm/dd */
- /* ^ */
- *dptr++ = '\0';
- if ((mptr = strrchr (str, '/')) != NULL) { /* yyyy/mm/dd */
- /* ^ */
- *mptr++ = '\0';
- yptr = str;
- } else
- mptr = str;
- } else {
- if (hptr != NULL)
- dptr = str;
- else
- hptr = str;
- }
-
- if (yptr) {
- if (strlen(yptr) != 4)
- return -1;
- for (ptr = yptr, i = 0; i < strlen(yptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_year = atoi(yptr) - 1900;
- retn = ARGUS_YEAR;
- }
- if (mptr) {
- if (strlen(mptr) != 2)
- return -1;
- for (ptr = mptr, i = 0; i < strlen(mptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_mon = atoi(mptr) - 1;
- retn = ARGUS_MONTH;
- }
-
- if (dptr) {
- if (strlen(dptr) != 2)
- return -1;
- for (ptr = dptr, i = 0; i < strlen(dptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
- tm->tm_mday = atoi(dptr);
- retn = ARGUS_DAY;
- }
-
- if (hptr) {
- if ((minptr = strchr (hptr, ':')) != NULL) {
- *minptr++ = '\0';
- if ((secptr = strchr (minptr, ':')) != NULL) {
- *secptr++ = '\0';
- }
- }
-
- for (ptr = hptr, i = 0; i < strlen(hptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- hour = atoi(hptr);
- retn = ARGUS_HOUR;
-
- if (minptr != NULL) {
- for (ptr = minptr, i = 0; i < strlen(minptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- mins = atoi(minptr);
- retn = ARGUS_MIN;
- }
-
- if (secptr != NULL) {
- for (ptr = secptr, i = 0; i < strlen(secptr); i++)
- if (!(isdigit((int)*ptr++)))
- return -1;
-
- sec = atoi(secptr);
- retn = ARGUS_SEC;
- }
- }
-
- tm->tm_hour = hour;
- tm->tm_min = mins;
- tm->tm_sec = sec;
-
-#if !defined(HAVE_SOLARIS) && !defined(__sgi) && !defined(linux) && !defined(AIX) && !defined(CYGWIN)
- tm->tm_zone = NULL;
- tm->tm_gmtoff = 0;
-#endif
-
- if (tm->tm_year < 0)
- retn = -1;
- if ((tm->tm_mon > 11) || (tm->tm_mon < 0))
- retn = -1;
- if ((tm->tm_mday > 31) || (tm->tm_mday < 0))
- retn = -1;
- if ((tm->tm_hour > 23) || (tm->tm_hour < 0))
- retn = -1;
- if ((tm->tm_min > 60) || (tm->tm_min < 0))
- retn = -1;
- if ((tm->tm_sec > 60) || (tm->tm_sec < 0))
- retn = -1;
-
- if (retn >= 0) {
- thistime = timelocal (tm);
- tm = localtime ((time_t *)&thistime);
- }
-
- return (retn);
-}
-
-
-#define ARGUS_RCITEMS 41
-
-#define RA_ARGUS_SERVER 0
-#define RA_CISCONETFLOW_SOURCE 1
-#define RA_ARGUS_SERVERPORT 2
-#define RA_INPUT_FILE 3
-#define RA_NO_OUTPUT 4
-#define RA_USER_AUTH 5
-#define RA_AUTH_PASS 6
-#define RA_OUTPUT_FILE 7
-#define RA_EXCEPTION_OUTPUT_FILE 8
-#define RA_TIMERANGE 9
-#define RA_RUNTIME 10
-#define RA_FLOW_MODEL 11
-#define RA_FIELD_DELIMITER 12
-#define RA_TIME_FORMAT 13
-#define RA_USEC_PRECISION 14
-#define RA_PRINT_LABELS 15
-#define RA_PRINT_SUMMARY 16
-#define RA_PRINT_ARGUSID 17
-#define RA_PRINT_MACADDRS 18
-#define RA_PRINT_HOSTNAMES 19
-#define RA_PRINT_LOCALONLY 20
-#define RA_PRINT_COUNTS 21
-#define RA_PRINT_APPLICATION_BYTES 22
-#define RA_PRINT_RESPONSE_DATA 23
-#define RA_PRINT_UNIX_TIME 24
-#define RA_PRINT_STARTIME 25
-#define RA_PRINT_LASTIME 26
-#define RA_PRINT_INDICATORS 27
-#define RA_PRINT_DURATION 28
-#define RA_PRINT_TCPSTATES 29
-#define RA_PRINT_TCPFLAGS 30
-#define RAGATOR_TIME_SERIES 31
-#define RAGATOR_VALIDATE 32
-#define RAMON_MODE 33
-#define RAMON_NUMBER 34
-#define RA_DEBUG_LEVEL 35
-#define RA_PRINT_USERDATA 36
-#define RA_USERDATA_ENCODE 37
-#define RA_FILTER 38
-#define RA_HOST_FIELD_LENGTH 39
-#define RA_PORT_FIELD_LENGTH 40
-
-
-char *ArgusResourceFileStr [] = {
- "RA_ARGUS_SERVER=",
- "RA_CISCONETFLOW_SOURCE=",
- "RA_ARGUS_SERVERPORT=",
- "RA_INPUT_FILE=",
- "RA_NO_OUTPUT=",
- "RA_USER_AUTH=",
- "RA_AUTH_PASS=",
- "RA_OUTPUT_FILE=",
- "RA_EXCEPTION_OUTPUT_FILE=",
- "RA_TIMERANGE=",
- "RA_RUN_TIME=",
- "RA_FLOW_MODEL=",
- "RA_FIELD_DELIMITER=",
- "RA_TIME_FORMAT=",
- "RA_USEC_PRECISION=",
- "RA_PRINT_LABELS=",
- "RA_PRINT_SUMMARY=",
- "RA_PRINT_ARGUSID=",
- "RA_PRINT_MACADDRS=",
- "RA_PRINT_HOSTNAMES=",
- "RA_PRINT_LOCALONLY=",
- "RA_PRINT_COUNTS=",
- "RA_PRINT_APPLICATION_BYTES=",
- "RA_PRINT_RESPONSE_DATA=",
- "RA_PRINT_UNIX_TIME=",
- "RA_PRINT_STARTIME=",
- "RA_PRINT_LASTIME=",
- "RA_PRINT_INDICATORS=",
- "RA_PRINT_DURATION=",
- "RA_PRINT_TCPSTATES=",
- "RA_PRINT_TCPFLAGS=",
- "RAGATOR_TIME_SERIES=",
- "RAGATOR_VALIDATE=",
- "RAMON_MODE=",
- "RAMON_NUMBER=",
- "RA_DEBUG_LEVEL=",
- "RA_PRINT_USERDATA=",
- "RA_USERDATA_ENCODE=",
- "RA_FILTER=",
- "RA_HOST_FIELD_LENGTH=",
- "RA_PORT_FIELD_LENGTH=",
-};
-
-#include <ctype.h>
-
-int
-ArgusParseResourceFile (char *file)
-{
- int retn = 0, i, len, Soption = 0, roption = 0, found = 0, lines = 0;
- char strbuf[MAXSTRLEN], *str = strbuf, *optarg = NULL, *ptr = NULL;
- FILE *fd;
-
- if (file) {
- if ((fd = fopen (file, "r")) != NULL) {
- retn = 1;
- while ((fgets(str, MAXSTRLEN, fd)) != NULL) {
- lines++;
- while (*str && isspace((int)*str))
- str++;
-
- if (*str && (*str != '#') && (*str != '\n') && (*str != '!')) {
- found = 0;
- for (i = 0; i < ARGUS_RCITEMS; i++) {
- len = strlen(ArgusResourceFileStr[i]);
- if (!(strncmp (str, ArgusResourceFileStr[i], len))) {
-
- optarg = &str[len];
-
- if (optarg[strlen(optarg) - 1] == '\n')
- optarg[strlen(optarg) - 1] = '\0';
-
- if (*optarg == '\"')
- optarg++;
-
- if (optarg[strlen(optarg) - 1] == '\"')
- optarg[strlen(optarg) - 1] = '\0';
-
- if (*optarg == '\0')
- optarg = NULL;
-
- if (optarg) {
- switch (i) {
- case RA_ARGUS_SERVER:
- ++Sflag;
- if (!Soption++ && (ArgusRemoteHostList != NULL))
- ArgusDeleteHostList();
-
- if (!(ArgusAddHostList (optarg))) {
- fprintf (stderr, "%s: host %s unknown\n", ArgusProgramName, optarg);
- exit (1);
- }
- break;
-
- case RA_CISCONETFLOW_SOURCE:
- ++Sflag; ++Cflag;
- if (!Soption++ && (ArgusRemoteHostList != NULL))
- ArgusDeleteHostList();
-
- if (!(ArgusAddHostList (optarg))) {
- fprintf (stderr, "%s: host %s unknown\n", ArgusProgramName, optarg);
- exit (1);
- }
- break;
-
- case RA_ARGUS_SERVERPORT:
- ArgusPortNum = atoi (optarg); break;
- break;
-
- case RA_INPUT_FILE:
- if ((!roption++) && (ArgusInputFileList != NULL))
- ArgusDeleteFileList();
-
- if (!(ArgusAddFileList (optarg))) {
- fprintf (stderr, "%s: error: file arg %s\n", ArgusProgramName, optarg);
- exit (1);
- }
- break;
-
- case RA_NO_OUTPUT:
- if (!(strncasecmp(optarg, "yes", 3)))
- qflag++;
- else
- qflag = 0;
- break;
-
- case RA_USER_AUTH:
- ustr = strdup(optarg);
- break;
-
- case RA_AUTH_PASS:
- pstr = strdup(optarg);
- break;
-
- case RA_OUTPUT_FILE:
- wfile = strdup(optarg);
- break;
-
- case RA_EXCEPTION_OUTPUT_FILE:
- exceptfile = optarg;
- break;
-
- case RA_TIMERANGE:
- if ((parseTimeArg (&timearg, NULL, 0, RaTmStruct)) < 0)
- usage ();
- break;
-
- case RA_RUNTIME:
- Tflag = atoi (optarg);
- break;
-
- case RA_FIELD_DELIMITER:
- ptr = optarg;
- if ((ptr = strchr (optarg, '\'')) != NULL) {
- ptr++;
- if (ptr[0] == '\'')
- break;
- }
-
- if (ptr[0] == '\\') {
- switch (ptr[1]) {
- case 'a': RaFieldDelimiter = '\a'; break;
- case 'b': RaFieldDelimiter = '\b'; break;
- case 't': RaFieldDelimiter = '\t'; break;
- case 'n': RaFieldDelimiter = '\n'; break;
- case 'v': RaFieldDelimiter = '\v'; break;
- case 'f': RaFieldDelimiter = '\f'; break;
- case 'r': RaFieldDelimiter = '\r'; break;
- case '\\': RaFieldDelimiter = '\\'; break;
- }
- if (RaFieldDelimiter != '\0')
- break;
- } else
- RaFieldDelimiter = *ptr;
-
- break;
-
- case RA_TIME_FORMAT:
- RaTimeFormat = strdup(optarg);
-
- case RA_USEC_PRECISION:
- pflag = atoi (optarg);
- break;
-
- case RA_PRINT_SUMMARY:
- if (!(strncasecmp(optarg, "yes", 3)))
- aflag = 1;
- else
- aflag = 0;
- break;
-
- case RA_PRINT_ARGUSID:
- if (!(strncasecmp(optarg, "yes", 3)))
- idflag = 1;
- else
- idflag = 0;
- break;
-
- case RA_PRINT_MACADDRS:
- if (!(strncasecmp(optarg, "yes", 3)))
- mflag = 1;
- else
- mflag = 0;
- break;
-
- case RA_PRINT_HOSTNAMES:
- if (!(strncasecmp(optarg, "yes", 3)))
- nflag = 0;
- else
- nflag = 1;
- break;
-
- case RA_PRINT_LOCALONLY:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++fflag;
- else
- fflag = 0;
- break;
-
- case RA_FLOW_MODEL:
- ArgusFlowModelFile = strdup(optarg);
- break;
-
- case RA_PRINT_LABELS:
- switch (Lflag = atoi(optarg)) {
- case 0: Lflag = -1; break;
- case -1: Lflag = 0; break;
- }
- break;
-
- case RA_PRINT_COUNTS:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++cflag;
- else
- cflag = 0;
- break;
-
- case RA_PRINT_APPLICATION_BYTES:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++Aflag;
- else
- Aflag = 0;
- break;
-
- case RA_PRINT_RESPONSE_DATA:
- if (!(strncasecmp(optarg, "yes", 3)))
- Rflag++;
- else
- Rflag = 0;
- break;
-
- case RA_PRINT_UNIX_TIME:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++uflag;
- else
- uflag = 0;
- break;
-
- case RA_PRINT_STARTIME:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++RaPrintStartTime;
- else
- RaPrintStartTime = 0;
- break;
-
- case RA_PRINT_LASTIME:
- if (!(strncasecmp(optarg, "yes", 3)))
- ++RaPrintLastTime;
- else
- RaPrintLastTime = 0;
- break;
-
- case RA_PRINT_INDICATORS:
- if (!(strncasecmp(optarg, "yes", 3)))
- Iflag++;
- else
- Iflag = 0;
- break;
-
- case RA_PRINT_DURATION:
- if (!(strncasecmp(optarg, "yes", 3)))
- gflag++;
- break;
-
- case RA_PRINT_TCPSTATES:
- if (!(strncasecmp(optarg, "yes", 3)))
- zflag++;
- else
- zflag = 0;
- break;
-
- case RA_PRINT_TCPFLAGS:
- Zflag = *optarg;
- break;
-
- case RAGATOR_TIME_SERIES:
- if (!(strncasecmp(optarg, "yes", 3)))
- Hflag++;
- else
- Hflag = 0;
- break;
-
- case RAGATOR_VALIDATE:
- if (!(strncasecmp(optarg, "yes", 3)))
- Vflag++;
- else
- Vflag = 0;
- break;
-
- case RAMON_MODE:
- Mflag = optarg;
- break;
-
- case RAMON_NUMBER:
- Nflag = atoi (optarg);
- break;
-
- case RA_DEBUG_LEVEL:
- Argusdflag = (atoi(optarg));
- break;
-
- case RA_PRINT_USERDATA:
- dflag++;
- if ((parseUserDataArg (&optarg, NULL, 0)) < 0)
- usage ();
- break;
-
- case RA_USERDATA_ENCODE:
- if (!(strncasecmp(optarg, "ascii", 5)))
- eflag = ARGUS_ENCODE_ASCII;
- else
- eflag = ARGUS_ENCODE_64;
- break;
-
- case RA_FILTER: {
- char *ptr;
-
- if ((RaInputFilter = ArgusCalloc (1, MAXSTRLEN)) != NULL) {
- ptr = RaInputFilter;
- str = optarg;
- while (*str) {
- if ((*str == '\\') && (str[1] == '\n')) {
- fgets(str, MAXSTRLEN, fd);
- while (*str && (isspace((int)*str) && (str[1] && isspace((int)str[1]))))
- str++;
- }
-
- if ((*str != '\n') && (*str != '"'))
- *ptr++ = *str++;
- else
- str++;
- }
- }
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusParseResourceFile: ArgusFilter \"%s\" \n", RaInputFilter);
-#endif
- break;
- }
-
- case RA_HOST_FIELD_LENGTH:
- hfield = atoi (optarg);
- break;
-
- case RA_PORT_FIELD_LENGTH:
- pfield = atoi (optarg);
- break;
- }
-
- }
- found++;
- break;
- }
- }
- if (!found) {
- ArgusLog (LOG_ERR, "ArgusParseResourceFile (%s) syntax error line %d\n", file, lines);
- }
- }
- }
-
- } else {
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "config file '%s' %s\n", file, strerror(errno));
-#endif
- }
-
- if (RaPrintStartTime && RaPrintLastTime)
- Gflag++;
- else
- if (RaPrintLastTime)
- lflag++;
- }
-
-#ifdef ARGUSDEBUG
- ArgusDebug (1, "ArgusParseResourceFile (%s) returning %d\n", file, retn);
-#endif
-
- return (retn);
-}
diff -NarU5 argus-2.0.6.fixes.1.orig/common/argus_util.c argus-2.0.6.fixes.1/common/argus_util.c
--- argus-2.0.6.fixes.1.orig/common/argus_util.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/argus_util.c 1969-12-31 19:00:00.000000000 -0500
@@ -1,2512 +0,0 @@
-/*
- * Copyright (c) 2000-2004 QoSient, LLC
- * All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2, or (at your option)
- * any later version.
-
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
-
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
- *
- */
-
-/*
- * Copyright (c) 1988-1990 The Regents of the University of California.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- */
-
-
-#ifndef ArgusUtil
-#define ArgusUtil
-#endif
-
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-
-#include <netinet/in.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <ctype.h>
-
-#include <compat.h>
-#include <pcap.h>
-
-#include <interface.h>
-
-#include <argus_util.h>
-#include <argus_out.h>
-#include <argus_parse.h>
-#include <argus_filter.h>
-
-
-int target_flags = 0;
-
-void
-ArgusAdjustGlobalTime (struct timeval *now)
-{
- struct timeval ArgusTimeDelta;
-
- ArgusTimeDelta.tv_sec = ArgusNowTime.tv_sec - ArgusGlobalTime.tv_sec;
- ArgusTimeDelta.tv_usec = ArgusNowTime.tv_usec - ArgusGlobalTime.tv_usec;
-
- ArgusGlobalTime.tv_sec = now->tv_sec - ArgusTimeDelta.tv_sec;
- ArgusGlobalTime.tv_usec = now->tv_usec - ArgusTimeDelta.tv_usec;
-
- if (ArgusGlobalTime.tv_usec < 0) {
- ArgusGlobalTime.tv_sec--;
- ArgusGlobalTime.tv_usec += 1000000;
- } else {
- if (ArgusGlobalTime.tv_usec > 1000000) {
- ArgusGlobalTime.tv_sec++;
- ArgusGlobalTime.tv_usec -= 1000000;
- }
- }
- ArgusNowTime = *now;
-}
-
-char *ArgusVersionStr = "Argus Version ";
-
-int
-ArgusConvertInitialWriteStruct (struct WriteStruct *ws, struct ArgusRecord *argus)
-{
- int retn = 0;
- char *ptr;
-
- if (ws && argus) {
- bzero ((char *) argus, sizeof (*argus));
- if ((ptr = strstr (ws->ws_init.initString, ArgusVersionStr)) != NULL) {
- ptr = &ptr[strlen(ArgusVersionStr)];
- if (sscanf (ptr, "%d.%d", &major_version, &minor_version)) {
- argus->ahdr.type = ARGUS_MAR | ARGUS_WRITESTRUCT;
- argus->ahdr.length = sizeof (*argus);
- argus->ahdr.length = htons(argus->ahdr.length);
- argus->ahdr.cause = ARGUS_START;
- argus->ahdr.status = htonl(ARGUS_VERSION);
- argus->ahdr.argusid = htonl(ARGUS_COOKIE);
- argus->argus_mar.startime = ws->ws_init.startime;
- argus->argus_mar.now = ws->ws_init.now;
- argus->argus_mar.major_version = major_version;
- argus->argus_mar.minor_version = minor_version;
- argus->argus_mar.interfaceType = ws->ws_init.interfaceType;
- argus->argus_mar.interfaceStatus = ws->ws_init.interfaceStatus;
-
- argus->argus_mar.reportInterval = ws->ws_init.reportInterval;
- argus->argus_mar.argusMrInterval = ws->ws_init.dflagInterval;
- argus->argus_mar.record_len = -1;
- retn = 1;
- }
- }
- }
-
- return (retn);
-}
-
-#include <cons_def.h>
-
-#if !defined(__OpenBSD__) || !defined(_NETINET_IP_ICMP_H_)
-#include <netinet/ip_icmp.h>
-#define _NETINET_IP_ICMP_H_
-#endif
-
-extern int ArgusTotalBytes;
-extern int ArgusTotalCount;
-
-extern long long ntohll (long long);
-
-int
-ArgusConvertWriteStruct (struct WriteStruct *ws, struct ArgusRecord *argus)
-{
- int retn = 0;
- unsigned int status;
-
- if (ws && argus) {
- bzero ((char *) argus, sizeof (*argus));
- status = ntohl(ws->status);
-
- if (status & ARGUSCONTROL) {
- argus->ahdr.type = ARGUS_MAR | ARGUS_WRITESTRUCT;
- argus->ahdr.length = sizeof (*argus);
- argus->ahdr.argusid = 0;
- argus->ahdr.status = ARGUS_VERSION;
-
- argus->argus_mar.major_version = VERSION_MAJOR;
- argus->argus_mar.minor_version = VERSION_MINOR;
- argus->argus_mar.interfaceType = ws->ws_stat.interfaceType;
- argus->argus_mar.interfaceStatus = ws->ws_stat.interfaceStatus;
- argus->argus_mar.reportInterval = ntohs(ws->ws_stat.reportInterval);
- argus->argus_mar.argusMrInterval = ntohs(ws->ws_stat.dflagInterval);
-
- if (status & CLOSE) {
- argus->ahdr.cause = ARGUS_STOP;
- argus->argus_mar.startime.tv_sec = ws->ws_stat.startime.tv_sec;
- argus->argus_mar.startime.tv_usec = ws->ws_stat.startime.tv_usec;
- argus->argus_mar.now.tv_sec = ws->ws_stat.now.tv_sec;
- argus->argus_mar.now.tv_usec = ws->ws_stat.now.tv_usec;
- argus->argus_mar.pktsRcvd = ArgusTotalCount;
- argus->argus_mar.bytesRcvd = ArgusTotalBytes;
- argus->argus_mar.pktsDrop = ntohl(ws->ws_stat.pktsDrop);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actTCPcons);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actUDPcons);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actIPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloTCPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloUDPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloIPcons);
- argus->argus_mar.actICMPcons = ntohl(ws->ws_stat.actICMPcons);
- argus->argus_mar.cloICMPcons = ntohl(ws->ws_stat.cloICMPcons);
- argus->argus_mar.actFRAGcons = ntohl(ws->ws_stat.actFRAGcons);
- argus->argus_mar.cloFRAGcons = ntohl(ws->ws_stat.cloFRAGcons);
-
- } else {
- argus->ahdr.cause = ARGUS_STATUS;
- argus->argus_mar.startime.tv_sec = ntohl(ws->ws_stat.startime.tv_sec);
- argus->argus_mar.startime.tv_usec = ntohl(ws->ws_stat.startime.tv_usec);
- argus->argus_mar.now.tv_sec = ntohl(ws->ws_stat.now.tv_sec);
- argus->argus_mar.now.tv_usec = ntohl(ws->ws_stat.now.tv_usec);
-
- argus->argus_mar.pktsRcvd = ntohl(ws->ws_stat.pktsRcvd);
- argus->argus_mar.bytesRcvd = ntohl(ws->ws_stat.bytesRcvd);
-
- argus->argus_mar.pktsDrop = ntohl(ws->ws_stat.pktsDrop);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actTCPcons);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actUDPcons);
- argus->argus_mar.actIPcons += ntohl(ws->ws_stat.actIPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloTCPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloUDPcons);
- argus->argus_mar.cloIPcons += ntohl(ws->ws_stat.cloIPcons);
- argus->argus_mar.actICMPcons = ntohl(ws->ws_stat.actICMPcons);
- argus->argus_mar.cloICMPcons = ntohl(ws->ws_stat.cloICMPcons);
- argus->argus_mar.actFRAGcons = ntohl(ws->ws_stat.actFRAGcons);
- argus->argus_mar.cloFRAGcons = ntohl(ws->ws_stat.cloFRAGcons);
- }
-
- argus->argus_mar.record_len = -1;
- retn = 1;
-
- } else {
- struct ArgusMacStruct macbuffer, *mac = &macbuffer;
- unsigned int lasttime = 0;
- unsigned short difftime = 0, ttl = 0;
-
- argus->ahdr.type = ARGUS_FAR | ARGUS_WRITESTRUCT;
- argus->ahdr.length = sizeof (argus->ahdr) + sizeof (argus->argus_far);
- argus->ahdr.cause = ARGUS_STATUS;
- argus->ahdr.status = ARGUS_VERSION;
- argus->ahdr.status |= ETHERTYPE_IP;
- argus->ahdr.argusid = 0;
- argus->argus_far.type = ARGUS_FAR;
- argus->argus_far.length = sizeof(argus->argus_far);
- argus->argus_far.status = 0;
- argus->argus_far.ArgusTransRefNum = 0;
-
- argus->argus_far.flow.ip_flow.ip_src = ntohl(ws->ws_ip.src.s_addr);
- argus->argus_far.flow.ip_flow.ip_dst = ntohl(ws->ws_ip.dst.s_addr);
-
- if (!(status & (ICMPPROTO | TCPPROTO | UDPPROTO)) && (status & FRAG_ONLY)) {
- struct ArgusFragObject fragbuf, *frag = &fragbuf;
-
- bzero ((char *) frag, sizeof (*frag));
- frag->type = ARGUS_FRG_DSR;
- frag->length = sizeof(*frag);
- frag->status = ntohs(ws->ws_ip_frag.status);
-
- argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport);
- argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport);
-
- frag->fragnum = ntohl(ws->ws_ip_frag.fragnum);
- frag->frag_id = ntohl(ws->ws_ip_frag.frag_id);
- frag->totlen = ntohs(ws->ws_ip_frag.totlen);
- frag->currlen = ntohs(ws->ws_ip_frag.currlen);
- frag->maxfraglen = ntohs(ws->ws_ip_frag.maxfraglen);
-
- argus->argus_far.status |= ARGUS_FRAGMENTS;
- argus->argus_far.attr_ip.soptions |= ARGUS_FRAGMENTS;
- argus->argus_far.src.count = frag->fragnum;
- argus->argus_far.src.bytes = frag->currlen;
-
- bcopy ((char *)frag, &((char *)argus)[argus->ahdr.length], sizeof(*frag));
- argus->ahdr.length += sizeof(*frag);
-
- } else {
- switch (status & (ICMPPROTO | TCPPROTO | UDPPROTO)) {
- case ICMPPROTO: {
- struct icmpWriteStruct *icmp = &ws->ws_ip_icmp;
- struct ArgusICMPFlow *icmpFlow = &argus->argus_far.flow.icmp_flow;
-
- argus->argus_far.flow.ip_flow.ip_p = IPPROTO_ICMP;
-
- argus->argus_far.src.count = ntohl(ws->ws_ip_udp.src_count);
- argus->argus_far.src.bytes = ntohl(ws->ws_ip_udp.src_bytes);
- argus->argus_far.dst.count = ntohl(ws->ws_ip_udp.dst_count);
- argus->argus_far.dst.bytes = ntohl(ws->ws_ip_udp.dst_bytes);
-
- if (!(status & (CON_ESTABLISHED | TIMED_OUT))) {
- icmpFlow->type = icmp->type;
- icmpFlow->code = icmp->code;
- icmpFlow->id = icmp->data;
- icmpFlow->id = ntohs(icmpFlow->id);
-
- } else {
- icmpFlow->type = ((unsigned char *) &ws->ws_ip_udp.src_bytes)[0];
- icmpFlow->code = ((unsigned char *) &ws->ws_ip_udp.src_bytes)[1];
- icmpFlow->id = ((unsigned short *)&ws->ws_ip_udp.src_bytes)[1];
- icmpFlow->id = ntohs(icmpFlow->id);
-
- argus->argus_far.src.bytes = 0;
- argus->argus_far.dst.bytes = 0;
- }
-
- if ((icmpFlow->type == ICMP_UNREACH) && (icmpFlow->code == ICMP_UNREACH_PORT))
- argus->argus_far.flow.ip_flow.tp_p = ((char *)&ws->ws_ip_icmp.gwaddr.s_addr)[3];
-
- break;
- }
-
- case TCPPROTO: {
- struct ArgusTCPObject tcpbuffer, *tcp = &tcpbuffer;
-
- bzero ((char *) tcp, sizeof (*tcp));
- tcp->type = ARGUS_TCP_DSR;
- tcp->length = sizeof(*tcp);
-
- if (status & SAW_SYN)
- tcp->state |= ARGUS_SAW_SYN;
- if (status & SAW_SYN_SENT)
- tcp->state |= ARGUS_SAW_SYN_SENT;
- if (status & CON_ESTABLISHED)
- tcp->state |= ARGUS_CON_ESTABLISHED;
- if (status & SRC_RESET)
- tcp->state |= ARGUS_SRC_RESET;
- if (status & DST_RESET)
- tcp->state |= ARGUS_DST_RESET;
- if (status & CLOSE_WAITING)
- tcp->state |= ARGUS_FIN;
- if (status & NORMAL_CLOSE)
- tcp->state |= ARGUS_NORMAL_CLOSE;
-
- if (status & PKTS_RETRANS) {
- if (status & SRC_PKTS_RETRANS)
- tcp->state |= ARGUS_SRC_PKTS_RETRANS;
- if (status & DST_PKTS_RETRANS)
- tcp->state |= ARGUS_DST_PKTS_RETRANS;
- }
-
- argus->argus_far.src.count = ntohl(ws->ws_ip_tcp.src_count);
- argus->argus_far.dst.count = ntohl(ws->ws_ip_tcp.dst_count);
-
- if ((status & SAW_SYN) &&
- !(status & (SAW_SYN_SENT|CON_ESTABLISHED|RESET))) {
- tcp->src.seqbase = ntohl(ws->ws_ip_inittcp.seq);
- } else {
- if ((status & (SAW_SYN | SAW_SYN_SENT)) &&
- !(status & (CON_ESTABLISHED))) {
- tcp->dst.seqbase = ntohl(ws->ws_ip_inittcp.seq);
- } else {
- argus->argus_far.src.bytes = ntohl(ws->ws_ip_tcp.src_bytes);
- argus->argus_far.dst.bytes = ntohl(ws->ws_ip_tcp.dst_bytes);
- }
- }
-
- bcopy ((char *)tcp, &((char *)argus)[argus->ahdr.length], sizeof(*tcp));
- argus->ahdr.length += sizeof(*tcp);
-
- argus->argus_far.flow.ip_flow.ip_p = IPPROTO_TCP;
- argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport);
- argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport);
- break;
- }
-
- case UDPPROTO:
- argus->argus_far.flow.ip_flow.ip_p = IPPROTO_UDP;
- argus->argus_far.flow.ip_flow.sport = ntohs(ws->ws_ip.sport);
- argus->argus_far.flow.ip_flow.dport = ntohs(ws->ws_ip.dport);
-
- default:
- argus->argus_far.src.count = ntohl(ws->ws_ip_udp.src_count);
- argus->argus_far.src.bytes = ntohl(ws->ws_ip_udp.src_bytes);
- argus->argus_far.dst.count = ntohl(ws->ws_ip_udp.dst_count);
- argus->argus_far.dst.bytes = ntohl(ws->ws_ip_udp.dst_bytes);
- break;
- }
- }
-
- if (status & TIMED_OUT)
- argus->ahdr.cause |= ARGUS_TIMEOUT;
-
- if (status & FRAGMENTS)
- argus->argus_far.status |= ARGUS_FRAGMENTS;
-
- if (status & IPOPTIONMASK) {
- argus->argus_far.status |= ARGUS_IPOPTIONS;
- if (status & SSRCROUTE) {
- argus->argus_far.attr_ip.soptions |= ARGUS_SSRCROUTE;
- argus->argus_far.attr_ip.doptions |= ARGUS_SSRCROUTE;
- }
- if (status & LSRCROUTE) {
- argus->argus_far.attr_ip.soptions |= ARGUS_LSRCROUTE;
- argus->argus_far.attr_ip.doptions |= ARGUS_LSRCROUTE;
- }
- if (status & TIMESTAMP) {
- argus->argus_far.attr_ip.soptions |= ARGUS_TIMESTAMP;
- argus->argus_far.attr_ip.doptions |= ARGUS_TIMESTAMP;
- }
- if (status & SECURITY) {
- argus->argus_far.attr_ip.soptions |= ARGUS_SECURITY;
- argus->argus_far.attr_ip.doptions |= ARGUS_SECURITY;
- }
- if (status & RECORDROUTE) {
- argus->argus_far.attr_ip.soptions |= ARGUS_RECORDROUTE;
- argus->argus_far.attr_ip.doptions |= ARGUS_RECORDROUTE;
- }
- if (status & SATNETID) {
- argus->argus_far.attr_ip.soptions |= ARGUS_SATNETID;
- argus->argus_far.attr_ip.doptions |= ARGUS_SATNETID;
- }
- }
-
- if (status & CON_ESTABLISHED)
- argus->ahdr.status |= ARGUS_CONNECTED;
-
- argus->argus_far.time.start.tv_sec = ntohl(ws->ws_ip.startime.tv_sec);
- argus->argus_far.time.start.tv_usec = ntohl(ws->ws_ip.startime.tv_usec);
-
- if ((major_version > 1) || (minor_version > 6)) {
- difftime = ntohs(((u_short *)&ws->ws_ip.lasttime.tv_sec)[1]);
- lasttime = ntohl(((arg_uint32)ws->ws_ip.startime.tv_sec)) + difftime;
- ttl = ((u_short *)&ws->ws_ip.lasttime.tv_sec)[0];
- ws->ws_ip.lasttime.tv_sec = lasttime;
- }
-
- argus->argus_far.time.last.tv_sec = ws->ws_ip.lasttime.tv_sec;
- argus->argus_far.time.last.tv_usec = ntohl(ws->ws_ip.lasttime.tv_usec);
- mac->type = ARGUS_MAC_DSR;
- mac->length = sizeof(*mac);
- bcopy((char *)&ws->ws_ip.ws_phys.ethersrc, (char *)&mac->phys_union.ether.ethersrc, 6);
- bcopy((char *)&ws->ws_ip.ws_phys.etherdst, (char *)&mac->phys_union.ether.etherdst, 6);
-
- bcopy ((char *)mac, &((char *)argus)[argus->ahdr.length], sizeof(*mac));
- argus->ahdr.length += sizeof(*mac);
- retn = 1;
- }
-
-#ifdef _LITTLE_ENDIAN
- ArgusHtoN(argus);
-#endif
- }
-
- return (retn);
-}
-
-
-extern char *ArgusProgramName;
-
-
-void
-print_date(struct ArgusRecord *argus, char *date)
-{
- struct ArgusAGRStruct *ArgusThisAgr = NULL;
- struct timeval *start = NULL, *last = NULL;
- struct timeval buf, *time = &buf;
- struct timeval zbuf, *ztime = &zbuf;
- struct tm *tm = NULL;
- char *sptr, *iptr, delim = ' ';
-
- bzero ((char *)ztime, sizeof(zbuf));
-
- if (argus->ahdr.type & ARGUS_MAR) {
- start = &argus->argus_mar.startime;
- last = &argus->argus_mar.now;
-
- } else {
- start = &argus->argus_far.time.start;
- last = &argus->argus_far.time.last;
- }
-
- if (lflag && !(Gflag))
- *time = *last;
- else
- *time = *start;
-
- tm = localtime ((time_t *)&time->tv_sec);
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
-
- sprintf (date, " ");
- sprintf (date, "%s%c", print_time(time), delim);
-
- if (gflag) {
- ArgusThisAgr = (struct ArgusAGRStruct *)ArgusThisFarHdrs[ARGUS_AGR_DSR_INDEX];
- if (Hflag && (ArgusThisAgr && (ArgusThisAgr->type == ARGUS_AGR_DSR))) {
- int ArgusThisMultiplier = 1000;
-
- if (ArgusThisAgr->status & ARGUS_AGR_USECACTTIME)
- ArgusThisMultiplier = 1000000;
-
- time->tv_sec = ArgusThisAgr->act.mean / ArgusThisMultiplier;
- time->tv_usec = ArgusThisAgr->act.mean % ArgusThisMultiplier;
-
- } else {
- *time = *last;
- time->tv_sec -= start->tv_sec;
- time->tv_usec -= start->tv_usec;
-
- if (time->tv_usec < 0) {
- time->tv_sec--;
- time->tv_usec += 1000000;
- }
-
- if (time->tv_usec >= 1000000) {
- time->tv_sec++;
- time->tv_usec -= 1000000;
- }
- }
-
- iptr = &date[strlen(date)];
- sptr = &date[strlen(date)];
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf(sptr, "%u", (unsigned int) time->tv_sec);
- else
- sprintf(sptr, "%8u", (unsigned int) time->tv_sec);
-
- if (pflag) {
- sptr = &date[strlen(date)];
- sprintf(sptr, ".%06d", (int) time->tv_usec);
- sptr[pflag + 1] = '\0';
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf(&date[strlen(date)], "%c", delim);
-
- } else
-
- if (Gflag) {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf(&date[strlen(date)], "%s%c", print_time(last), RaFieldDelimiter);
- else
- sprintf(&date[strlen(date)], " %s", print_time(last));
- }
-}
-
-void ArgusGetIndicatorString (struct ArgusRecord *, char *);
-
-
-void
-ArgusGetIndicatorString (struct ArgusRecord *argus, char *buf)
-{
- char *ptr = buf;
-
- bzero (buf, 16);
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- if (argus->ahdr.type & ARGUS_MAR) {
-
- } else {
- if (argus->ahdr.status & ARGUS_MPLS)
- *ptr++ = 'm';
-
- if (argus->ahdr.status & ARGUS_PPPoE)
- *ptr++ = 'p';
-
- if (argus->ahdr.status & ARGUS_VLAN)
- *ptr++ = 'q';
-
- if ((argus->ahdr.status & 0xFFFF) == ETHERTYPE_IP) {
- if (argus->argus_far.status & ARGUS_ICMP_MAPPED)
- *ptr++ = 'I';
-
- if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGMENTS) ||
- (argus->argus_far.attr_ip.doptions & ARGUS_FRAGMENTS)) {
-
- if (argus->argus_far.flow.ip_flow.tp_p == ARGUS_FRAG_FLOWTAG)
- *ptr++ = 'f';
- else
- *ptr++ = 'F';
-
- if (argus->argus_far.attr_ip.soptions & ARGUS_FRAGOVERLAP)
- *ptr++ = 'V';
- }
-
- if (argus->ahdr.status & ARGUS_MULTIADDR)
- *ptr++ = 'M';
-
- if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS) {
- struct ArgusTCPObject *tcp = NULL;
- unsigned int status;
-
- tcp = (struct ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX];
- if ((tcp != NULL) && ((status = tcp->state) != 0)) {
- if (status) {
- if (status & ARGUS_PKTS_RETRANS) {
- if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
- *ptr++ = '*';
- else {
- if (status & ARGUS_SRC_PKTS_RETRANS)
- *ptr++ = 's';
- if (status & ARGUS_DST_PKTS_RETRANS)
- *ptr++ = 'd';
- }
- }
- if (status & ARGUS_WINDOW_SHUT) {
- if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
- *ptr++ = '@';
- else {
- if (status & ARGUS_SRC_WINDOW_SHUT)
- *ptr++ = 'S';
- if (status & ARGUS_DST_WINDOW_SHUT)
- *ptr++ = 'D';
- }
- }
- if (status & ARGUS_ECN_CONGESTED)
- *ptr++ = 'E';
- }
- }
- }
- if (ArgusThisFarStatus & ARGUS_ESP_DSR_STATUS) {
- struct ArgusESPStruct *esp = NULL;
-
- if ((esp = (struct ArgusESPStruct *)ArgusThisFarHdrs[ARGUS_ESP_DSR_INDEX]) != NULL) {
- if ((esp->src.lostseq > 0) && (esp->dst.lostseq > 0))
- *ptr++ = '*';
- else {
- if (esp->src.lostseq > 0)
- *ptr++ = 's';
- if (esp->dst.lostseq > 0)
- *ptr++ = 'd';
- }
- }
- }
- }
- }
-
- *ptr = RaFieldDelimiter;
-
- } else {
- int encdone = 0;
-
- if (Iflag) {
- bcopy (" ", buf, 9);
- if (argus->ahdr.type & ARGUS_MAR) {
- } else {
- if (argus->ahdr.status & ARGUS_MPLS) {
- buf[1] = 'm';
- encdone++;
- }
-
- if (argus->ahdr.status & ARGUS_PPPoE) {
- buf[1] = 'p';
- encdone++;
- }
-
- if (argus->ahdr.status & ARGUS_VLAN) {
- buf[1] = 'q';
- encdone++;
- }
-
- if (encdone > 1)
- buf[1] = 'E';
-
- if ((argus->ahdr.status & 0xFFFF) == ETHERTYPE_IP) {
- if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS) {
- struct ArgusTCPObject *tcp = NULL;
- unsigned int status;
-
- tcp = (struct ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX];
-
- if ((tcp != NULL) && ((status = tcp->state) != 0)) {
- if (status) {
- if (status & ARGUS_WINDOW_SHUT) {
- if ((status & ARGUS_SRC_WINDOW_SHUT) && (status & ARGUS_DST_WINDOW_SHUT))
- buf[3] = '@';
- else {
- if (status & ARGUS_SRC_WINDOW_SHUT)
- buf[3] = 'S';
- if (status & ARGUS_DST_WINDOW_SHUT)
- buf[3] = 'D';
- }
- }
- if (status & ARGUS_PKTS_RETRANS) {
- if ((status & ARGUS_SRC_PKTS_RETRANS) && (status & ARGUS_DST_PKTS_RETRANS))
- buf[2] = '*';
- else {
- if (status & ARGUS_SRC_PKTS_RETRANS)
- buf[2] = 's';
- if (status & ARGUS_DST_PKTS_RETRANS)
- buf[2] = 'd';
- }
- }
- if (status & ARGUS_ECN_CONGESTED) {
- if ((status & ARGUS_SRC_CONGESTED) && (status & ARGUS_DST_CONGESTED))
- buf[3] = 'E';
- else {
- if (status & ARGUS_SRC_CONGESTED)
- buf[3] = 'e';
- if (status & ARGUS_DST_CONGESTED)
- buf[3] = 'e';
- }
- }
- }
- }
- }
-
- if (ArgusThisFarStatus & ARGUS_ESP_DSR_STATUS) {
- struct ArgusESPStruct *esp = NULL;
-
- if ((esp = (struct ArgusESPStruct *)ArgusThisFarHdrs[ARGUS_ESP_DSR_INDEX]) != NULL) {
- if ((esp->src.lostseq > 0) && (esp->dst.lostseq > 0))
- buf[2] = '*';
- else {
- if (esp->src.lostseq > 0)
- buf[2] = 's';
- if (esp->dst.lostseq > 0)
- buf[2] = 'd';
- }
- }
- }
-
- if (argus->ahdr.status & ARGUS_MULTIADDR)
- buf[4] = 'M';
-
- if (argus->argus_far.status & ARGUS_ICMP_MAPPED)
- buf[5] = 'I';
-
- if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGMENTS) ||
- (argus->argus_far.attr_ip.doptions & ARGUS_FRAGMENTS)) {
-
- if (argus->argus_far.flow.ip_flow.tp_p == ARGUS_FRAG_FLOWTAG)
- buf[6] = 'f';
- else
- buf[6] = 'F';
-
- if ((argus->argus_far.attr_ip.soptions & ARGUS_FRAGOVERLAP) ||
- (argus->argus_far.attr_ip.doptions & ARGUS_FRAGOVERLAP)) {
- buf[6] = 'V';
- }
- }
-
- if ((argus->argus_far.attr_ip.soptions & ARGUS_IPOPTIONS) ||
- (argus->argus_far.attr_ip.doptions & ARGUS_IPOPTIONS)) {
- switch ((argus->argus_far.attr_ip.soptions | argus->argus_far.attr_ip.doptions)
- & ARGUS_IPOPTIONS) {
- case SSRCROUTE: buf[7] = 'S'; break;
- case LSRCROUTE: buf[7] = 'L'; break;
- case TIMESTAMP: buf[7] = 'T'; break;
- case SECURITY: buf[7] = '+'; break;
- case RECORDROUTE: buf[7] = 'R'; break;
- case SATNETID: buf[7] = 'N'; break;
- case IPOPTIONMASK: buf[7] = 'E'; break;
- default: buf[7] = 'O'; break;
- }
- }
- }
- }
- }
- }
-
- return;
-}
-
-
-char RaUserDataStr[MAXSTRLEN];
-
-char *
-RaGetUserDataString (struct ArgusRecord *argus)
-{
- char *retn = RaUserDataStr;
- char strbuf[MAXSTRLEN], *str = strbuf;
- char delim = ' ';
- int len = 0;
-
- bzero (RaUserDataStr, MAXSTRLEN);
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
-
- if (ArgusSrcUserDataLen > 0) {
- len = 0;
- if (ArgusThisFarStatus & ARGUS_SRCUSRDATA_DSR_STATUS) {
- struct ArgusUserStruct *user = (struct ArgusUserStruct *) ArgusThisFarHdrs[ARGUS_SRCUSRDATA_DSR_INDEX];
-
- len = (user->length - 1) * 4;
- len = (len < argus->argus_far.src.appbytes) ? len : argus->argus_far.src.appbytes;
- len = len > ArgusSrcUserDataLen ? ArgusSrcUserDataLen : len;
-
- if ((len = ArgusEncode (&user->data, len, str, sizeof(strbuf))) != 0)
- sprintf (RaUserDataStr, "%cs[%d]=%s", delim, len, str);
-
- } else
- if (delim != ' ')
- sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%c", delim);
-
- if (delim == ' ')
- sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%*s", (ArgusSrcUserDataLen - len) + 1, " ");
- }
-
-
- if (ArgusDstUserDataLen > 0) {
- len = 0;
- if (ArgusThisFarStatus & ARGUS_DSTUSRDATA_DSR_STATUS) {
- struct ArgusUserStruct *user = (struct ArgusUserStruct *) ArgusThisFarHdrs[ARGUS_DSTUSRDATA_DSR_INDEX];
-
- len = (user->length - 1) * 4;
- len = (len < argus->argus_far.dst.appbytes) ? len : argus->argus_far.dst.appbytes;
- len = len > ArgusDstUserDataLen ? ArgusDstUserDataLen : len;
-
- if ((len = ArgusEncode (&user->data, len, str, sizeof(strbuf))) != 0)
- sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%cd[%d]=%s", delim, len, str);
- } else
- if (delim != ' ')
- sprintf (&RaUserDataStr[strlen(RaUserDataStr)], "%c", delim);
- }
-
- return (retn);
-}
-
-extern void ArgusLog (int, char *, ...);
-
-
-static char basis_64[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????";
-
-
-int
-ArgusEncode (const char *ptr, int len, char *str, int slen)
-{
- int retn = 0;
-
- switch (eflag) {
- case ARGUS_ENCODE_64:
- sprintf (str, "\"");
- retn = ArgusEncode64(ptr, len, &str[strlen(str)], slen - strlen(str));
- strcat (str, "\"");
- break;
-
- case ARGUS_ENCODE_ASCII:
- sprintf (str, "\"");
- retn = ArgusEncodeAscii(ptr, len, &str[strlen(str)], slen - strlen(str));
- strcat (str, "\"");
- break;
-
- default:
- ArgusLog (LOG_ERR, "ArgusEncode: error encode method %d unknown", eflag);
- break;
- }
-
- return (retn);
-}
-
-int
-ArgusEncode64 (const char *ptr, int len, char *str, int slen)
-{
- int retn = 0;
- const unsigned char *in = (const unsigned char *)ptr;
- unsigned char *buf = (unsigned char *) str;
- unsigned char oval;
- unsigned newlen;
-
- if (ptr && ((newlen = (len + 2) / 3 * 4) < slen)) {
- while (len >= 3) {
- *buf++ = basis_64[in[0] >> 2];
- *buf++ = basis_64[((in[0] << 4) & 0x30) | (in[1] >> 4)];
- *buf++ = basis_64[((in[1] << 2) & 0x3c) | (in[2] >> 6)];
- *buf++ = basis_64[in[2] & 0x3f];
- in += 3;
- len -= 3;
- }
- if (len > 0) {
- *buf++ = basis_64[in[0] >> 2];
- oval = (in[0] << 4) & 0x30;
- if (len > 1) oval |= in[1] >> 4;
- *buf++ = basis_64[oval];
- *buf++ = (len < 2) ? '=' : basis_64[(in[1] << 2) & 0x3c];
- *buf++ = '=';
- }
-
- if (newlen < slen)
- *buf = '\0';
-
- retn = newlen;
- }
-
- return (retn);
-}
-
-#include <ctype.h>
-
-int
-ArgusEncodeAscii (const char *ptr, int len, char *str, int slen)
-{
- int retn = 0, newlen = len;
- unsigned char *buf = (unsigned char *) str;
-
- if (ptr && (len < slen)) {
- while (len > 0) {
- if (isprint((int)*ptr))
- *buf = *ptr;
- else
- *buf = '.';
- buf++;
- ptr++;
- len--;
- }
-
- if (len < slen)
- *buf = '\0';
-
- retn = newlen;
- }
-
- return (retn);
-}
-
-
-
-struct ArgusInterfaceStruct interfacetypes [] = {
-{ 0, "DLT_NULL", "no link-layer encapsulation"},
-{ 1, "DLT_EN10MB", "Ethernet (10Mb)"},
-{ 2, "DLT_EN3MB", "Experimental Ethernet (3Mb)"},
-{ 3, "DLT_AX25", "Amateur Radio AX.25"},
-{ 4, "DLT_PRONET", "Proteon ProNET Token Ring"},
-{ 5, "DLT_CHAOS", "Chaos"},
-{ 6, "DLT_IEEE802", "IEEE 802 Networks"},
-{ 7, "DLT_ARCNET", "ARCNET"},
-{ 8, "DLT_SLIP", "Serial Line IP"},
-{ 9, "DLT_PPP", "Point-to-point Protocol"},
-{ 10,"DLT_FDDI", "FDDI"},
-{ 11, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
-{ 12, "DLT_LOOP", "loopback"},
-{100, "DLT_ATM_RFC1483", "LLC/SNAP encapsulated atm"},
-{101, "DLT_RAW", "raw IP"},
-{102, "DLT_SLIP_BSDOS", "BSD/OS Serial Line IP"},
-{103, "DLT_PPP_BSDOS", "BSD/OS Point-to-point Protocol"},
-{104, "DLT_CHDLC", "Cisco HDLC"},
-{-1, "Undefined", "Undefined"},
-};
-
-
-char argus_strbuf[MAXSTRLEN];
-
-char *
-get_man_string (struct ArgusRecord *ptr)
-{
- char protoStr[128], argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char probeIDStrBuf[128], *probeIDStr = probeIDStrBuf;
- char versionStrBuf[128];
- char date [128], fmtstr[MAXSTRLEN], indStr[16];
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
-
- print_date(ptr, date);
-
- if (mflag) {
- struct ArgusInterfaceStruct *interface = &interfacetypes[0];
- while (interface->value >= 0) {
- if (ptr->argus_mar.interfaceType == interface->value)
- break;
- interface++;
- }
- sprintf(protoStr, " man InterfaceType %-*.*s", hfield, hfield, interface->label);
-
- } else
- sprintf(protoStr, "man");
-
- if (ptr->ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&ptr->argus_mar.argusid));
- else
- sprintf (argusIDStr, "%u", ptr->argus_mar.argusid);
-
- if (idflag)
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
-
- if (!cflag && ((ptr->ahdr.type & ARGUS_RMON) && (ptr->ahdr.status & ARGUS_TOPN)))
- sprintf (probeIDStr, " ");
- else
- sprintf (probeIDStr, "probeid=%-*.*s %*s", hfield, hfield, argusIDStr, pfield, " ");
-
- sprintf (versionStrBuf, "version=%d.%d", ptr->argus_mar.major_version,
- ptr->argus_mar.minor_version);
-
- if (ptr->ahdr.cause & ARGUS_START) {
-
- if (Iflag)
- strcpy (fmtstr, "%s%s%4s %-*.*s %s%*s");
- else
- strcpy (fmtstr, "%s %4s %-*.*s %s%*s");
-
- if (cflag) {
- if ((ptr->ahdr.type & ARGUS_RMON) && (ptr->ahdr.status & ARGUS_TOPN))
- strcat (fmtstr, " ");
- else
- strcat (fmtstr, " ");
- }
-
- } else {
- if (Iflag)
-#if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
- strcpy (fmtstr, "%s%s%4s pkts %9lld bytes %12lld drops %5u ");
- else
- strcpy (fmtstr, "%s %4s pkts %9lld bytes %12lld drops %5u ");
-#else
- strcpy (fmtstr, "%s%s%4s pkts %9Ld bytes %12Ld drops %5u ");
- else
- strcpy (fmtstr, "%s %4s pkts %9Ld bytes %12Ld drops %5u ");
-#endif
-
- if (cflag)
- strcat (fmtstr, "flows %-8u closed %-8u ");
- }
-
- if (ptr->ahdr.cause & ARGUS_START) strcat (fmtstr, "STA");
- else if (ptr->ahdr.cause & ARGUS_STATUS) strcat (fmtstr, "CON");
- else if (ptr->ahdr.cause & ARGUS_STOP) strcat (fmtstr, "STP");
- else if (ptr->ahdr.cause & ARGUS_SHUTDOWN) strcat (fmtstr, "SHT");
- else if (ptr->ahdr.cause & ARGUS_ERROR) strcat (fmtstr, "ERR");
- else if (ptr->ahdr.cause & ARGUS_MAXLISTENEXCD) strcat (fmtstr, "MAX");
-
- ArgusGetIndicatorString (ptr, indStr);
-
- if (ptr->ahdr.cause & ARGUS_START) {
- if (Iflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr, hfield, hfield, versionStrBuf, probeIDStr, pfield, " ");
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr, hfield, hfield, versionStrBuf, probeIDStr, pfield, " ");
- }
- } else {
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop,
- ptr->argus_mar.flows, ptr->argus_mar.flowsClosed);
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop);
- }
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop,
- ptr->argus_mar.flows, ptr->argus_mar.flowsClosed);
- } else {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- ptr->argus_mar.pktsRcvd, ptr->argus_mar.bytesRcvd, ptr->argus_mar.pktsDrop);
- }
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-char *ArgusTCPFlags [] = {
- "F", "S", "R", "P", "A", "U", "7", "8"
-};
-
-char *
-get_tcp_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- unsigned int status, rev = 0;
- int vc = 0, ahdrlen, farhdrlen;
- char *processStr = NULL;
- char statusbuf[MAXSTRLEN], *TCPStatusString = statusbuf;
- char SrcTCPFlagsStr[16], DstTCPFlagsStr[16], delim;
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char *edstString = NULL, *esrcString = NULL;
- char dstString[256], srcString[256];
- char *protoStr, indStr[16], *blankStr = " ";
- char date[128], fmtstr[MAXSTRLEN], protoStrargus_strbuf[16];
- char portstr[128], portbuf[16];
- int src_count = 0, dst_count = 0, src_bytes = 0, dst_bytes = 0;
- u_char proto;
- struct ArgusTCPObject *tcp = NULL;
-
- bzero (protoStrargus_strbuf, 16);
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (statusbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
- bzero (SrcTCPFlagsStr, 16);
- bzero (DstTCPFlagsStr, 16);
- bzero (argusIDStrBuf, 32);
- bzero (dstString, 256);
- bzero (srcString, 256);
- bzero (portbuf, 16);
- bzero (portstr, 128);
- bzero (indStr, 16);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_dst));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
- else
- delim = '.';
-
- if (!((flow->ip_flow.sport == 0xFFFF) && (argus->ahdr.status & ARGUS_MERGED)))
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, tcpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%s%c", RaFieldDelimiter, "*", RaFieldDelimiter);
- } else
- sprintf (portbuf, "%c%-*s", delim, pfield, "*");
-
- strcat (srcString, portbuf);
-
- if (!((flow->ip_flow.dport == 0xFFFF) && (argus->ahdr.status & ARGUS_MERGED))) {
- sprintf (portstr, " %-*.*s", hfield, hfield, tcpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, tcpport_string(flow->ip_flow.dport));
- } else {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%s%c", RaFieldDelimiter, "*", RaFieldDelimiter);
- sprintf (portbuf, "%c%s%c", RaFieldDelimiter, "*", RaFieldDelimiter);
- } else {
- sprintf (portstr, " %-*s", hfield, "*");
- sprintf (portbuf, "%c%-*s", delim, pfield, "*");
- }
- }
-
- strcat (dstString, portbuf);
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- ahdrlen = sizeof(argus->ahdr);
- farhdrlen = sizeof(argus->argus_far);
-
- if (ArgusThisFarStatus & ARGUS_TCP_DSR_STATUS)
- tcp = (struct ArgusTCPObject *)ArgusThisFarHdrs[ARGUS_TCP_DSR_INDEX];
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- if ((tcp != NULL) && ((status = tcp->state) != 0)) {
- if (!(status & (ARGUS_SAW_SYN | ARGUS_SAW_SYN_SENT))) {
- fmtstr[12 + vc] = '?';
- if (src_count) fmtstr[13 + vc] = '>';
- if (dst_count) fmtstr[11 + vc] = '<';
- }
-
- if (Rflag && (status & ARGUS_RESET)) {
- if (status & ARGUS_DST_RESET) {
- fmtstr[11 + vc] = '<';
- fmtstr[13 + vc] = ' ';
- }
- if (status & ARGUS_SRC_RESET) {
- fmtstr[11 + vc] = ' ';
- fmtstr[13 + vc] = '>';
- }
- fmtstr[12 + vc] = '|';
-
- } else
- if (status & ARGUS_RESET) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[5];
- } else
- if (status & ARGUS_NORMAL_CLOSE) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[3];
- } else
- if (status & (ARGUS_FIN | ARGUS_FIN_ACK)) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[6];
- } else
- if (argus->ahdr.cause & ARGUS_TIMEOUT) {
- if (src_count) fmtstr[13 + vc] = '>';
- if (dst_count) fmtstr[11 + vc] = '<';
- processStr = process_state_strings[4];
- } else
- if (status & ARGUS_CON_ESTABLISHED) {
- fmtstr[11 + vc] = ' '; fmtstr[13 + vc] = '>';
- processStr = process_state_strings[2];
- } else
- if (status & ARGUS_SAW_SYN_SENT) {
- fmtstr[11 + vc] = '<';
- fmtstr[13 + vc] = ' ';
- processStr = process_state_strings[1];
- } else
- if (status & ARGUS_SAW_SYN) {
- fmtstr[13 + vc] = '>';
- fmtstr[11 + vc] = ' ';
- processStr = process_state_strings[0];
- }
-
- if (status & ARGUS_RESET)
- processStr = process_state_strings[5];
-
- if (zflag) {
- bzero ((char *)TCPStatusString, sizeof(statusbuf));
- if (status & ARGUS_SAW_SYN) strcat (TCPStatusString, "s");
- if (status & ARGUS_SAW_SYN_SENT) strcat (TCPStatusString, "S");
- if (status & ARGUS_CON_ESTABLISHED) strcat (TCPStatusString, "E");
- if (status & ARGUS_FIN) strcat (TCPStatusString, "f");
- if (status & ARGUS_FIN_ACK) strcat (TCPStatusString, "F");
- if (status & ARGUS_NORMAL_CLOSE) strcat (TCPStatusString, "C");
- if (status & ARGUS_RESET) strcat (TCPStatusString, "R");
- } else
-
- if (Zflag) {
- int i, index;
- bzero(SrcTCPFlagsStr, sizeof(SrcTCPFlagsStr));
- bzero(DstTCPFlagsStr, sizeof(DstTCPFlagsStr));
-
- for (i = 0, index = 1; i < 8; i++) {
- if (tcp->src.flags & index) {
- strcat (SrcTCPFlagsStr, ArgusTCPFlags[i]);
- }
- if (tcp->dst.flags & index) {
- strcat (DstTCPFlagsStr, ArgusTCPFlags[i]);
- }
- index <<= 1;
- }
- switch (Zflag) {
- case 'b':
- sprintf(TCPStatusString, "%s_%s", SrcTCPFlagsStr, DstTCPFlagsStr);
- break;
- case 's':
- sprintf(TCPStatusString, "%s", SrcTCPFlagsStr);
- break;
- case 'd':
- sprintf(TCPStatusString, "%s", DstTCPFlagsStr);
- break;
- }
- }
- } else {
- if (argus->ahdr.cause & ARGUS_START) processStr = "REQ";
- if (argus->ahdr.cause & ARGUS_STATUS) processStr = "CON";
- if (argus->ahdr.cause & ARGUS_STOP) processStr = "CLO";
- if (argus->ahdr.cause & ARGUS_TIMEOUT) processStr = "TIM";
- if (argus->ahdr.cause & ARGUS_ERROR) processStr = "ERR";
-
- if (src_count) fmtstr[13 + vc] = '>';
- if (dst_count) fmtstr[11 + vc] = '<';
- fmtstr[12 + vc] = '?';
-
- if (argus->ahdr.type & ARGUS_CISCO_NETFLOW) {
- if (argus->argus_far.flow.ip_flow.sport < argus->argus_far.flow.ip_flow.dport)
- rev++;
- }
- }
-
- if (rev) {
- int flag = 0;
- char tmpString[256];
- bcopy (srcString, tmpString, 256);
- bcopy (dstString, srcString, 256);
- bcopy (tmpString, dstString, 256);
-
- src_count = argus->argus_far.dst.count;
- dst_count = argus->argus_far.src.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.dst.appbytes;
- dst_bytes = argus->argus_far.src.appbytes;
- } else {
- src_bytes = argus->argus_far.dst.bytes;
- dst_bytes = argus->argus_far.src.bytes;
- }
-
- if (fmtstr[13 + vc] == '>')
- flag++;
-
- if (fmtstr[11 + vc] == '<')
- fmtstr[13 + vc] = '>';
- else
- fmtstr[13 + vc] = ' ';
-
- if (flag)
- fmtstr[11 + vc] = '<';
- else
- fmtstr[11 + vc] = ' ';
-
- }
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if (processStr == NULL) processStr = "UNK";
-
- if (zflag || Zflag)
- processStr = TCPStatusString;
-
- strcat (fmtstr, processStr);
-
- proto = flow->ip_flow.ip_p;
-
- sprintf (protoStrargus_strbuf, "%u", proto);
-
- protoStr = (nflag > 1) ? protoStrargus_strbuf :
- proto >= IPPROTOSTR ? "unas" : ip_proto_string[proto];
-
- ArgusGetIndicatorString (argus, indStr);
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' ';
- fmtstr[13 + vc] = ' ';
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr);
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-
-char *
-get_icmp_string (ptr)
-struct ArgusRecord *ptr;
-{
- int vc = 0, rev = 0, srccnt = 0, dstcnt = 0;
- int ahdrlen, farhdrlen;
- struct ArgusICMPObject *icmp = NULL;
- char fmtstr[MAXSTRLEN], icmptype[32], icmpstr[128];
- char extendedstring[32], *blankStr = " ";
- char *edstString = NULL, *esrcString = NULL, *protoStr, indStr[16];
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char dstString[256], srcString[256];
- char date[128];
-
- struct ArgusICMPFlow *icmpFlow = &ptr->argus_far.flow.icmp_flow;
- unsigned char ra_icmp_type = 0, ra_icmp_code = 0;
- unsigned short ra_icmp_data = 0;
- unsigned int ra_src_addr = 0, ra_dst_addr = 0, ra_gw_addr = 0;
-
- bzero (extendedstring, 32);
- bzero (argusIDStrBuf, 32);
- bzero (fmtstr, MAXSTRLEN);
- bzero (srcString, 256);
- bzero (dstString, 256);
- bzero (indStr, 16);
-
- if (ptr) {
- ahdrlen = sizeof(ptr->ahdr);
- farhdrlen = sizeof(ptr->argus_far);
- if (ArgusThisFarStatus & ARGUS_ICMP_DSR_STATUS) {
- icmp = (struct ArgusICMPObject *)ArgusThisFarHdrs[ARGUS_ICMP_DSR_INDEX];
- if (icmp->type != ARGUS_ICMP_DSR) {
- icmp = NULL;
- } else {
- ra_src_addr = icmp->isrcaddr;
- ra_dst_addr = icmp->idstaddr;
- ra_gw_addr = icmp->igwaddr;
- ra_icmp_type = icmp->icmp_type;
- ra_icmp_code = icmpFlow->code;
- }
- } else {
- ra_icmp_type = icmpFlow->type;
- ra_icmp_code = icmpFlow->code;
- }
-
- ra_icmp_data = icmpFlow->id;
-
- bzero (icmpstr, sizeof (icmpstr));
- bzero (icmptype, sizeof (icmptype));
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (extendedstring, sizeof (extendedstring));
- bzero (icmptype, sizeof (icmptype));
- bzero (date, 128);
-
- print_date (ptr, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&ptr->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", ptr->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if (ra_icmp_type < (unsigned char) (ICMP_MAXTYPE + 1))
- strcpy (icmptype, icmptypestr[ra_icmp_type]);
- else
- strcpy (icmptype, "UNK");
-
- switch (ra_icmp_type) {
- case ICMP_UNREACH:
- switch (ra_icmp_code) {
- case ICMP_UNREACH_NET:
- strcat (icmptype, "N");
- if (ra_dst_addr) {
- u_long addr = ra_dst_addr;
- sprintf (extendedstring, "net %s",
- ipaddr_string (&addr));
- }
- break;
- case ICMP_UNREACH_HOST:
- strcat (icmptype, "H");
-
- if (ra_dst_addr)
- sprintf (extendedstring, "host %s",
- ipaddr_string (&ra_dst_addr));
- break;
-
- case ICMP_UNREACH_PROTOCOL:
- strcat (icmptype, "O");
- if (ra_icmp_data && (ra_icmp_data < IPPROTOSTR))
- sprintf (extendedstring,"proto %s",
- ip_proto_string[ra_icmp_data]);
- break;
-
- case ICMP_UNREACH_PORT: {
- int index = icmpFlow->tp_p;
- strcat (icmptype, "P");
-
- if ((ra_icmp_data && ((index < IPPROTOSTR)) && (index > 0))) {
- sprintf (extendedstring, "%s_port %d", ip_proto_string[index], ra_icmp_data);
-
- } else if (ra_icmp_data)
- sprintf (extendedstring, "port %d", ra_icmp_data);
- break;
- }
- case ICMP_UNREACH_NEEDFRAG:
- strcat (icmptype, "F"); break;
- case ICMP_UNREACH_SRCFAIL:
- strcat (icmptype, "S"); break;
-
-#ifndef ICMP_UNREACH_NET_UNKNOWN
-#define ICMP_UNREACH_NET_UNKNOWN 6
-#endif
- case ICMP_UNREACH_NET_UNKNOWN:
- strcat (icmptype, "NU");
- sprintf (extendedstring, "dst_net unknown"); break;
-
-#ifndef ICMP_UNREACH_HOST_UNKNOWN
-#define ICMP_UNREACH_HOST_UNKNOWN 7
-#endif
- case ICMP_UNREACH_HOST_UNKNOWN:
- strcat (icmptype, "HU");
- sprintf (extendedstring, "dst_host unknown"); break;
-
-#ifndef ICMP_UNREACH_ISOLATED
-#define ICMP_UNREACH_ISOLATED 8
-#endif
- case ICMP_UNREACH_ISOLATED:
- strcat (icmptype, "ISO");
- sprintf (extendedstring, "src_host isolated"); break;
-
-#ifndef ICMP_UNREACH_NET_PROHIB
-#define ICMP_UNREACH_NET_PROHIB 9
-#endif
- case ICMP_UNREACH_NET_PROHIB:
- strcat (icmptype, "NPRO");
- sprintf (extendedstring, "admin_net prohib"); break;
-
-#ifndef ICMP_UNREACH_HOST_PROHIB
-#define ICMP_UNREACH_HOST_PROHIB 10
-#endif
- case ICMP_UNREACH_HOST_PROHIB:
- strcat (icmptype, "HPRO");
- sprintf (extendedstring, "admin_host prohib"); break;
-
-#ifndef ICMP_UNREACH_TOSNET
-#define ICMP_UNREACH_TOSNET 11
-#endif
- case ICMP_UNREACH_TOSNET:
- strcat (icmptype, "NTOS");
- sprintf (extendedstring, "tos_net prohib"); break;
-
-#ifndef ICMP_UNREACH_TOSHOST
-#define ICMP_UNREACH_TOSHOST 12
-#endif
- case ICMP_UNREACH_TOSHOST:
- strcat (icmptype, "HTOS");
- sprintf (extendedstring, "tos_host prohib"); break;
-
-#ifndef ICMP_UNREACH_FILTER_PROHIB
-#define ICMP_UNREACH_FILTER_PROHIB 13
-#endif
- case ICMP_UNREACH_FILTER_PROHIB:
- strcat (icmptype, "FIL");
- sprintf (extendedstring, "admin_filter prohib"); break;
-
-#ifndef ICMP_UNREACH_HOST_PRECEDENCE
-#define ICMP_UNREACH_HOST_PRECEDENCE 14
-#endif
- case ICMP_UNREACH_HOST_PRECEDENCE:
- strcat (icmptype, "PRE");
- sprintf (extendedstring, "precedence violation"); break;
-
-#ifndef ICMP_UNREACH_PRECEDENCE_CUTOFF
-#define ICMP_UNREACH_PRECEDENCE_CUTOFF 15
-#endif
- case ICMP_UNREACH_PRECEDENCE_CUTOFF:
- strcat (icmptype, "CUT");
- sprintf (extendedstring, "precedence cutoff"); break;
-
- }
- break;
-
- case ICMP_MASKREPLY:
- rev = 1;
- if (ra_src_addr)
- sprintf (extendedstring, "mask 0x%08x", ra_src_addr);
- break;
-
- case ICMP_REDIRECT:
- switch (ra_icmp_code) {
- case ICMP_REDIRECT_NET:
- (void) sprintf (extendedstring, "net %s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_HOST:
- (void) sprintf (extendedstring, "host %s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_TOSNET:
- (void) sprintf (extendedstring, "tosN %s",
- ipaddr_string (&ra_gw_addr));
- break;
-
- case ICMP_REDIRECT_TOSHOST:
- (void) sprintf (extendedstring, "tosH %s",
- ipaddr_string (&ra_gw_addr));
- break;
- }
- break;
-
-#ifndef ICMP_ROUTERADVERT
-#define ICMP_ROUTERADVERT 9 /* router advertisement */
-#endif
- case ICMP_ROUTERADVERT:
- sprintf (extendedstring, "router advertisement"); break;
-
-#ifndef ICMP_ROUTERSOLICIT
-#define ICMP_ROUTERSOLICIT 10 /* router solicitation */
-#endif
- case ICMP_ROUTERSOLICIT:
- sprintf (extendedstring, "router solicitation"); break;
-
-
- case ICMP_ECHOREPLY:
- case ICMP_TSTAMPREPLY:
- case ICMP_IREQREPLY:
- rev = 1;
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- break;
-
- case ICMP_TIMXCEED:
- (void) sprintf (extendedstring, "timexceed %s",
- ra_icmp_code ? "reassembly" : "in-transit");
- break;
-
- case ICMP_PARAMPROB:
- case ICMP_SOURCEQUENCH:
- case ICMP_ECHO:
- case ICMP_TSTAMP:
- case ICMP_IREQ:
- case ICMP_MASKREQ:
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- default:
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- break;
- }
-
- if (!(Rflag)) {
- sprintf (extendedstring, "%-6d %-6d",
- ptr->argus_far.src.bytes, ptr->argus_far.dst.bytes);
- }
-
- protoStr = (nflag > 1) ? " 1" : "icmp";
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
-
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&icmpFlow->ip_src));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf (&srcString[strlen(srcString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- else
- sprintf (&srcString[strlen(srcString)] , " %*.*s", pfield, pfield, " ");
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&icmpFlow->ip_dst));
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- sprintf (&dstString[strlen(dstString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- else
- sprintf (&dstString[strlen(dstString)] , " %*.*s", pfield, pfield, " ");
-
- ArgusGetIndicatorString (ptr, indStr);
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- if (cflag)
- strcat (fmtstr, "%-8u %-6u %-24.24s ");
-
- if (ptr->argus_far.src.count)
- fmtstr[13 + vc] = '>';
-
- if (ptr->argus_far.dst.count)
- fmtstr[11 + vc] = '<';
-
- srccnt = ptr->argus_far.src.count;
- dstcnt = ptr->argus_far.dst.count;
-
- strcat (fmtstr, icmptype);
- sprintf (icmpstr, " %-*s", hfield, " ");
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' ';
- fmtstr[13 + vc] = ' ';
-
- if ((ptr->ahdr.type & ARGUS_RMON) && (icmpFlow->ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- icmpstr, srccnt, dstcnt, extendedstring);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- icmpstr);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- icmpstr, srccnt, dstcnt, extendedstring);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- icmpstr);
- }
-
- } else {
-
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag) {
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString, srccnt, dstcnt, extendedstring);
- } else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-char *
-get_udp_string (argus)
-struct ArgusRecord *argus;
-{
- return (get_ip_string (argus));
-}
-
-
-char *
-get_ip_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- int vc = 0;
- char *edstString = NULL, *esrcString = NULL;
- char dstString[128], srcString[128], delim;
- char protoStr[32], indStr[16], *blankStr = " ";
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char date[128], fmtstr[MAXSTRLEN], protoStrargus_strbuf[16];
- char portbuf[16], portstr[128];
- int src_count, dst_count, src_bytes, dst_bytes;
- u_char proto;
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (fmtstr, MAXSTRLEN);
- bzero (srcString, 128);
- bzero (dstString, 128);
- bzero (portbuf, 16);
- bzero (portstr, 128);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- proto = flow->ip_flow.ip_p;
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_src));
-
- sprintf (dstString, "%*.*s", hfield, hfield, ipaddr_string (&flow->ip_flow.ip_dst));
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
- else
- delim = '.';
-
- switch (proto) {
- case IPPROTO_TCP:
- if (flow->ip_flow.sport != 0xFFFF)
- sprintf (portbuf, "%c%-*s", delim, pfield, tcpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else
- sprintf (portbuf, "%-*s ", pfield, " ");
-
- strcat (srcString, portbuf);
-
- if (flow->ip_flow.dport != 0xFFFF) {
- sprintf (portstr, " %-*s", hfield, tcpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*s", delim, pfield, tcpport_string(flow->ip_flow.dport));
- } else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, "%-*s", hfield, " ");
- sprintf (portbuf, "%-*s ", pfield, " ");
- }
-
- strcat (dstString, portbuf);
- break;
-
- case IPPROTO_UDP:
- if (flow->ip_flow.sport != 0xFFFF)
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, udpport_string(flow->ip_flow.sport));
- else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else
- sprintf (portbuf, "%-*s ", pfield, " ");
-
- strcat (srcString, portbuf);
-
- if (flow->ip_flow.dport != 0xFFFF) {
- sprintf (portstr, " %-*.*s", hfield, hfield, udpport_string(flow->ip_flow.dport));
- sprintf (portbuf, "%c%-*.*s", delim, pfield, pfield, udpport_string(flow->ip_flow.dport));
-
- } else {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, " %-*s", hfield, " ");
- sprintf (portbuf, "%-*s ", pfield, " ");
- }
- }
-
- strcat (dstString, portbuf);
- break;
-
- default:
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (portstr, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (portbuf, "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- } else {
- sprintf (portstr, " %*s", hfield, " ");
- sprintf (portbuf, "%*s ", pfield, " ");
- }
- strcat (srcString, portbuf);
- strcat (dstString, portbuf);
- break;
- }
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - ");
- } else
- strcpy (fmtstr, "%s %4s %s - ");
- } else {
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s - %s ");
- } else
- strcpy (fmtstr, "%s %4s %s - %s ");
- }
-
- fmtstr[11 + vc] = (dst_count) ? '<' : ' ';
- fmtstr[13 + vc] = (src_count) ? '>' : ' ';
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if ((argus->ahdr.cause & ARGUS_TIMEOUT))
- strcat (fmtstr, "TIM");
- else
- if (argus->argus_far.src.count && argus->argus_far.dst.count) {
- if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1))
- strcat (fmtstr, "ACC");
- else
- strcat (fmtstr, "CON");
- } else
- if (argus->ahdr.type & ARGUS_START)
- strcat (fmtstr, "INT");
-
- sprintf (protoStrargus_strbuf, "%u", proto);
-
- if ((flow->ip_flow.tp_p == ARGUS_RTP_FLOWTAG) && ((src_count > 3) || (dst_count > 3)))
- sprintf (protoStr, "%s", ((nflag > 1) ? protoStrargus_strbuf : "rtp"));
- else
- sprintf (protoStr, "%s", ((nflag > 1) ? protoStrargus_strbuf :
- proto >= IPPROTOSTR ? "unas" : ip_proto_string[proto]));
-
- if ((strlen(protoStr) > 4) && !((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')))
- protoStr[4] = '\0';
-
- ArgusGetIndicatorString (argus, indStr);
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_dst == 0)) {
- fmtstr[11 + vc] = ' ';
- fmtstr[12 + vc] = ' ';
- fmtstr[13 + vc] = ' ';
-
- if ((argus->ahdr.type & ARGUS_RMON) && (flow->ip_flow.ip_src == 0)) {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- portbuf);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- portstr);
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString);
- }
- }
-
- } else {
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-char *
-get_arp_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- char *targetString, *sourceString, *protoStr, indStr[16];
- char *esrcString = NULL, *edstString = NULL;
- char srcString[256], dstString[256];
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char date[128], fmtstr[256], *blankStr = " ";
- int src_count, dst_count, src_bytes, dst_bytes;
- int afield, xfield;
- unsigned short proto;
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- proto = argus->ahdr.status & 0xFFFF;
- protoStr = etherproto_string( proto);
-
- if (proto == ETHERTYPE_REVARP) {
- if (Rflag) {
- sourceString = etheraddr_string (flow->rarp_flow.tareaddr);
- targetString = ipaddr_string (&flow->rarp_flow.arp_tpa);
-
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s%*.*s is-at %*.*s %*.*s ");
- } else
- strcpy (fmtstr, "%s %4s %s%*.*s is-at %*.*s %*.*s ");
-
- } else {
- sourceString = etheraddr_string (flow->rarp_flow.srceaddr);
- targetString = etheraddr_string (flow->rarp_flow.tareaddr);
-
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s%*.*swho-has %*.*s %*.*s ");
- } else
- strcpy (fmtstr, "%s %4s %s%*.*swho-has %*.*s %*.*s ");
- }
- } else {
- if (Rflag) {
- sourceString = ipaddr_string (&flow->arp_flow.arp_tpa);
- targetString = etheraddr_string (argus->argus_far.attr_arp.response);
-
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s%*.*s is-at %*.*s %*.*s ");
- } else
- strcpy (fmtstr, "%s %4s %s%*.*s is-at %*.*s %*.*s ");
-
- } else {
- sourceString = ipaddr_string (&flow->arp_flow.arp_spa);
- targetString = ipaddr_string (&flow->arp_flow.arp_tpa);
-
- if (Iflag) {
- strcpy (fmtstr, "%s%s%4s %s%*.*swho-has %*.*s %*.*s ");
- } else
- strcpy (fmtstr, "%s %4s %s%*.*swho-has %*.*s %*.*s ");
- }
- }
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield, hfield, sourceString);
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield, hfield, sourceString);
-
- } else
- sprintf (srcString, "%*.*s", hfield, hfield, sourceString);
-
- sprintf (dstString, "%s", targetString);
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- sprintf (&srcString[strlen(srcString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- sprintf (&dstString[strlen(dstString)], "%c%c", RaFieldDelimiter, RaFieldDelimiter);
- }
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if ((argus->ahdr.cause & ARGUS_TIMEOUT))
- strcat (fmtstr, "TIM");
- else
- if (argus->argus_far.src.count && argus->argus_far.dst.count) {
- if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1))
- strcat (fmtstr, "ACC");
- else
- strcat (fmtstr, "CON");
- } else
- if (argus->ahdr.type & ARGUS_START)
- strcat (fmtstr, "INT");
-
- ArgusGetIndicatorString (argus, indStr);
-
- xfield = pfield;
- afield = hfield;
-
- if (Rflag) {
- afield += 2;
- xfield -= 2;
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- afield += 5;
- }
-
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ",
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ");
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ",
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, pfield, pfield, " ", afield, afield, dstString, xfield, xfield, " ");
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-
-char *
-get_nonip_string (argus)
-struct ArgusRecord *argus;
-{
- struct ArgusFlow *flow;
-
- int vc = 0;
- char srcString[256], dstString[256];
- char protoStr[32], indStr[16];
- char *edstString = NULL, *esrcString = NULL;
- char argusIDStrBuf[32], *argusIDStr = argusIDStrBuf;
- char date[128], fmtstr[MAXSTRLEN], *blankStr = " ";
- char sportbuf[16], dportbuf[16], delim;
- int src_count, dst_count, src_bytes, dst_bytes;
- unsigned short proto = 0;
-
- bzero (argus_strbuf, MAXSTRLEN);
- bzero (argusIDStrBuf, 32);
- bzero (fmtstr, MAXSTRLEN);
- bzero (srcString, 256);
- bzero (dstString, 256);
- bzero (protoStr, 32);
- bzero (sportbuf, 16);
- bzero (dportbuf, 16);
- bzero (indStr, 16);
- bzero (date, 128);
-
- flow = &argus->argus_far.flow;
-
- sprintf (srcString, "%17.17s", etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost));
- sprintf (dstString, "%17.17s", etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_dhost));
-
- src_count = argus->argus_far.src.count;
- dst_count = argus->argus_far.dst.count;
-
- if (Aflag) {
- src_bytes = argus->argus_far.src.appbytes;
- dst_bytes = argus->argus_far.dst.appbytes;
- } else {
- src_bytes = argus->argus_far.src.bytes;
- dst_bytes = argus->argus_far.dst.bytes;
- }
-
- print_date (argus, date);
-
- if (idflag) {
- if (ArgusInput->ArgusManStart.ahdr.status & ARGUS_ID_IS_IPADDR)
- argusIDStr = strdup (ipaddr_string (&argus->ahdr.argusid));
- else
- sprintf (argusIDStr, "%u", argus->ahdr.argusid);
-
- sprintf(argus_strbuf, "%-15.15s ", argusIDStr);
- }
-
- if (mflag) {
- if (ArgusThisFarStatus & ARGUS_MAC_DSR_STATUS) {
- struct ArgusMacStruct *mac = (struct ArgusMacStruct *) ArgusThisFarHdrs[ARGUS_MAC_DSR_INDEX];
-
- esrcString = etheraddr_string ((u_char *)&mac->phys_union.ether.ethersrc);
- edstString = etheraddr_string ((u_char *)&mac->phys_union.ether.etherdst);
-
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- esrcString, edstString, hfield + 2, hfield + 2,
- etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost));
- } else
- sprintf (srcString, "%17.17s %17.17s %*.*s",
- blankStr, blankStr, hfield + 2, hfield + 2,
- etheraddr_string((unsigned char *)&flow->mac_flow.ehdr.ether_shost));
- }
-
- if (Iflag)
- strcpy (fmtstr, "%s%s%4s %s - %22.22s ");
- else
- strcpy (fmtstr, "%s %4s %s - %22.22s ");
-
- if (cflag)
- strcat (fmtstr, "%-8u %-8u %-12u %-12u");
-
- if ((argus->ahdr.cause & ARGUS_TIMEOUT))
- strcat (fmtstr, "TIM");
- else
- if (argus->argus_far.src.count && argus->argus_far.dst.count) {
- if ((argus->argus_far.src.count == 1) && (argus->argus_far.dst.count == 1))
- strcat (fmtstr, "ACC");
- else
- strcat (fmtstr, "CON");
- } else
- if (argus->ahdr.type & ARGUS_START)
- strcat (fmtstr, "INT");
-
- proto = argus->ahdr.status & 0xFFFF;
-
- sprintf (protoStr, "%s", etherproto_string(proto));
-
- if (src_count)
- fmtstr[12 + vc] = '>';
- if (dst_count)
- fmtstr[10 + vc] = '<';
-
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- delim = RaFieldDelimiter;
- else {
- if (proto == 0) {
- delim = '.';
- } else {
- delim = ' ';
- }
- }
-
- if (proto == 0) {
- sprintf (sportbuf, "%c%-4.4s", delim, llcsap_string((unsigned char) flow->mac_flow.ssap));
- sprintf (dportbuf, "%c%-4.4s", delim, llcsap_string((unsigned char) flow->mac_flow.dsap));
- } else {
- sprintf (sportbuf, "%c ", delim);
- sprintf (dportbuf, "%c ", delim);
-
- if (dst_count) {
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- fmtstr[9 + vc] = RaFieldDelimiter;
- } else
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0'))
- fmtstr[10 + vc] = RaFieldDelimiter;
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- fmtstr[22 + vc] = RaFieldDelimiter;
- }
- }
-
- strcat (srcString, sportbuf);
- strcat (dstString, dportbuf);
-
- if ((strlen(protoStr) > 4) && !((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')))
- protoStr[4] = '\0';
-
- ArgusGetIndicatorString (argus, indStr);
-
- if (Iflag) {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, indStr, protoStr,
- srcString, dstString);
- } else {
- if (cflag)
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString,
- src_count, dst_count,
- src_bytes, dst_bytes);
- else
- sprintf (&argus_strbuf[strlen(argus_strbuf)], fmtstr, date, protoStr,
- srcString, dstString);
- }
-
- if ((RaFieldDelimiter != ' ') && (RaFieldDelimiter != '\0')) {
- char tmpbuf[128], *ptr = tmpbuf, *str = argus_strbuf, lastchr = ' ';
- int len = strlen(date) - 1;
- bzero (tmpbuf, sizeof(tmpbuf));
-
- bcopy (str, ptr, len);
- str += len;
- ptr += len;
-
- while (*str) {
- if (*str == ' ') {
- if (lastchr != RaFieldDelimiter)
- *ptr++ = RaFieldDelimiter;
- while (isspace((int)*str)) str++;
- }
- lastchr = *str;
-
- *ptr++ = *str++;
- }
- bzero (argus_strbuf, MAXSTRLEN);
- bcopy (tmpbuf, argus_strbuf, strlen(tmpbuf));
- }
-
- return (argus_strbuf);
-}
-
-
-
-#ifdef NOVFPRINTF
-/*
- * Stock 4.3 doesn't have vfprintf.
- * This routine is due to Chris Torek.
- */
-vfprintf(f, fmt, args)
- FILE *f;
- char *fmt;
- va_list args;
-{
- int ret;
-
- if ((f->_flag & _IOWRT) == 0) {
- if (f->_flag & _IORW)
- f->_flag |= _IOWRT;
- else
- return EOF;
- }
- ret = _doprnt(fmt, args, f);
- return ferror(f) ? EOF : ret;
-}
-#endif
-
diff -NarU5 argus-2.0.6.fixes.1.orig/common/gencode.c argus-2.0.6.fixes.1/common/gencode.c
--- argus-2.0.6.fixes.1.orig/common/gencode.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/common/gencode.c 2006-04-21 14:57:52.000000000 -0400
@@ -57,11 +57,11 @@
#include <setjmp.h>
#include <stdarg.h>
#include <stdlib.h>
#include <syslog.h>
-#include <net/bpf.h>
+#include <pcap-bpf.h>
#include <argus_out.h>
#include <argus_filter.h>
#include <argus_def.h>
#include <ethertype.h>
diff -NarU5 argus-2.0.6.fixes.1.orig/server/ArgusOutput.c argus-2.0.6.fixes.1/server/ArgusOutput.c
--- argus-2.0.6.fixes.1.orig/server/ArgusOutput.c 2004-02-23 10:00:36.000000000 -0500
+++ argus-2.0.6.fixes.1/server/ArgusOutput.c 2006-04-21 14:57:52.000000000 -0400
@@ -1196,11 +1196,11 @@
void
ArgusCheckClientStatus ()
{
int retn, fd;
struct sockaddr from;
- int len = sizeof (from);
+ socklen_t len = sizeof (from);
if ((fd = accept (ArgusLfd, (struct sockaddr *)&from, &len)) > 0) {
if ((fcntl (fd, F_SETFL, O_NONBLOCK)) >= 0) {
if (ArgusTcpWrapper (fd, &from) >= 0) {
int i;
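Review bot: The `accept()` result is still tested with `> 0`, so a connection returned as descriptor 0 is treated as a failure and is neither served nor closed. That can happen if the process runs with descriptor 0 closed, and the test should read `if ((fd = accept (ArgusLfd, (struct sockaddr *)&from, &len)) >= 0) {`. Separately, `from` is a plain `struct sockaddr`, so a peer address longer than that is truncated before it reaches `ArgusTcpWrapper`, which appears to make the access decision. If the listener can ever be bound to a non-IPv4 family, `struct sockaddr_storage from;` would be the safer declaration. The body of ArgusCheckClientStatus continues past the end of this hunk, so the failure path for `accept()` is not visible here.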