File: INTERNALS.old

package info (click to toggle)
tcpick 0.2.1-10
  • links: PTS, VCS
  • area: main
  • in suites: bookworm, bullseye, sid
  • size: 1,164 kB
  • sloc: ansic: 2,557; sh: 931; makefile: 16
file content (113 lines) | stat: -rw-r--r-- 3,541 bytes parent folder | download | duplicates (7)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
================
TCPICK INTERNALS
================
                                               updated to version 0.1.2

tcpick is a sniffer libcap-based.
tcpick keeps track of all connection using a special structure,
conn_t, used to keep in memory the connection:

 stack.c:
 struct conn_t
 {
   int status; /* 1 means SYN_SENT,
 		 2 means SYN_RECEIVED,
 		 3 means ESTABLISHED,
 		 4 ??? FIXME
 	      */
   u_int32_t client_ip; /* ip address of client */
   u_int32_t server_ip; /* ip address of server */
   u_int32_t client_seq;
   u_int32_t server_seq;
   u_int16_t client_port;
   u_int16_t server_port;
   u_int32_t client_seq_off;
   u_int32_t server_seq_off;
   int server_packets_num;
   int client_data_size; /* size of all data transmitted from client*/
   int server_data_size; /* size of all data transmitted from server*/
   char *client_data;    /* data */
   char *server_data;    /* data */
   FILE *client_file;
   FILE *server_file;
   char *client_filename;
   char *server_filename;
   FILE *both_file;
   int file_opened;
 };

All connection tracked are kept in a special "stack" (but isn't
properly a stack) that I declared in that way:

 stack.c:
 struct conn_t ** stack;

it is a pointer to the first address of a block of free data of size
MAXCONN, allocated with calloc. Every address of this structure points
to a conn_t structure (allocated when a new connection is tracked).

After capturing data tcpick finds the data offset (skipping tcp
options) and passes the packet to the function verify():
 
 stack.c: 
 int verify(struct ip *ippacket,     
	    struct tcphdr *tcppacket,
	    u_char *payload, /* pointer to the data(offset)*/
	    int payload_len) /* data lenght */

the function verify() analyzes the tcp flags and calls the function
match():

 stack.c: 
 int match(int status,
	  struct ip *ippacket,
	  struct tcphdr *tcppacket,
	  u_char *payload,
	  int payload_len)

the first argument is a "status" flag, that describes what kind of
flag are set. Then, there is a cycle that "scans" the "stack" seeking
for a conn_t that matches with the received packet. In that way, if
the packet matches with a conn_t structure, the status flag of the
structure is changed properly with this function:
 
 stack.c:
 int status_switch(struct conn_t * conn,int status)

status_switch, in that way, print on the terminal the new status of
the connection tracked, according to the status flag:

 status==1 => SYN-SENT
 status==2 => SYN-RECEIVED
 status==3 => ESTABLISHED
 status==4 => FIN-WAIT-1
 (other statuses should be developed soon!)

If the connection is just ESTABLISHED (conn_ptr->status_flag==0)
the packet is passed to the function data_write():
 
 stack.c:
 int data_write(struct conn_t * conn_ptr,
	       u_int32_t data_off, /* offset from beginning */
	       u_char * payload,
	       int payload_len,
	       int part /* client (1) or server (2) ? */
	       )

where data_off is the actual seq field minus the first minus one:
  data_off=(ntohl(tcppacket->seq)-ntohl((*stack_ptr)->server_seq))-1;

the purpose of data_write is simple: write the payload to memory.
Then, if the file_flag is set, these data are written to disk through
the function file_write():

 stack.c:
 int file_write(struct conn_t * conn_ptr,
	       u_int32_t data_off, /* offset from beginning */
	       u_char * payload,
	       int payload_len,
	       int part /* client (1) or server (2) ? */
	       )

Conclusions: tcpick requires people willing to debug/improve it,
             do you wanna get involved? :)