|
Program exited with code 01.
hello,
when compile this program not getting any result so did debug with GDB after debug getting this............. (gdb) run descry Starting program: /home/nasim/Desktop/ppro/descry descry Descry 1.0 [TCP port scan detection tool] usage /home/nasim/Desktop/ppro/descry [options] (-i and -f are mutually exclusive) -a monitor all hosts in the same segment -i interface specify device <or> -f capture file specify tcpdump capture file -s log to syslog instead of stderr Program exited with code 01. why not getting result. this code for your concern. please feedback me....... #include <syslog.h> #include <libnet.h> #include <pcap.h> #include <time.h> /* misc defines */ #define MAX_STRING 0x100 /* default string length */ #define CON_REMOVED 0xFFFFFFFF /* tag a node for removal */ #define CLEANUP_INTERVAL 1000 /* how often the cleaner runs */ #define EXPIRE_TIME 11800 /* seconds that a connection should * should linger in SYN-ACK state * before it gets expired */ #define MAX_PACKET 1500 /* max packet size */ /* filter to catch SYN-ACK, FIN-ACK, and RST segments */ #define FILTER "((tcp[13] & 0x12) == 0x12) || ((tcp[13] & 0x11) == 0x11) || \ ((tcp[13] & 0x14) == 0x14) || ((tcp[13] & 0x04) == 0x04)" /* patricia key symbolic constants */ #define KEY_BYTES 12 #define MIN_KEY_BIT 0 #define MAX_KEY_BIT (KEY_BYTES * 8 - 1) /* * Simple way to subtract timeval based timers. Not every OS has this, * so we'll just define it here. */ #define PTIMERSUB(tvp, uvp, vvp) \ do \ { \ (vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \ (vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \ if ((vvp)->tv_usec < 0) \ { \ (vvp)->tv_sec--; \ (vvp)->tv_usec += 1000000; \ } \ } \ while (0) \ /* code cleanup to set connection state */ #define SET_STATE(c, dip, dp, sip, sp, s) \ { \ c->dst_addr.s_addr = dip;c->dst_port = dp; \ c->src_addr.s_addr = sip;c->src_port = sp; \ c->seq = s; \ } /* TCP connection info */ struct tcp_connection { struct in_addr src_addr; /* source address */ struct in_addr dst_addr; /* destination address */ struct timeval ts; /* time value */ u_long seq; /* sequence number */ u_short src_port; /* source port */ u_short dst_port; /* destination port */ }; /* decision node within the patricia trie */ struct pt_node { int bit; /* decision bit */ struct pt_node *l; /* left node */ struct pt_node *r; /* right node */ struct tcp_connection *con; /* connection info */ }; /* patricia trie context */ struct pt_context { struct pt_node *head; /* head of the trie */ u_long n; /* number of existing nodes */ }; /* main descry control context */ struct descry_pack { pcap_t *p; /* libpcap context */ u_char flags; /* control flags */ #define ALL_HOSTS 0x1 /* monitor all hosts on segment */ #define DO_SYSLOG 0x02 /* log to syslog */ int offset; /* offset to IP header */ struct pt_context *pt; /* patricia trie context */ }; /********************************************************************/ /*Function Body*/ /********************************************************************/ int descry_init(struct descry_pack **gp, char *device, char *capture_file, u_char flags) { char *interface = NULL; char error[PCAP_ERRBUF_SIZE]; struct bpf_program prog; u_int32_t network, netmask; *gp = malloc(sizeof(struct descry_pack)); if (*gp == NULL) { perror("descry_init(): malloc(): "); return (0); } /* initialize the patricia trie */ if (pt_init(&((*gp)->pt)) == 0) { /* error set in pt_init() */ return (EXIT_FAILURE); } /* control flags */ (*gp)->flags = flags; if (capture_file) { /* we have a capture file to analyze */ (*gp)->p = pcap_open_offline(capture_file, error); if ((*gp)->p == NULL) { fprintf(stderr, "pcap_open_offline() %s\n", error); return (0); } } else { /* we're doing a live capture, do we have a device? */ if (device) { interface = device; } else { interface = pcap_lookupdev(error); if (interface == NULL) { fprintf(stderr, "pcap_lookupdev(): %s\n", error); return (0); } } (*gp)->p = pcap_open_live(interface, MAX_PACKET, ((*gp)->flags & ALL_HOSTS), 0, error); if ((*gp)->p == NULL) { fprintf(stderr, "pcap_open_live() %s\n", error); return (0); } } /* get the length of the link layer header */ switch (pcap_datalink((*gp)->p)) { case DLT_SLIP: /* a little SLIPstreaming! Whoops! There's Charlie! */ (*gp)->offset = 0x10; break; case DLT_PPP: /* PPP y0 */ (*gp)->offset = 0x04; break; default: case DLT_EN10MB: /* good old ethernet or something like it I hope! */ (*gp)->offset = 0x0e; break; } if (interface) { /* compile our filter and apply it to the interface */ if (pcap_lookupnet(interface, &network, &netmask, error) < 0) { fprintf(stderr, "pcap_lookupnet() %s\n", error); return (0); } } if (pcap_compile((*gp)->p, &prog, FILTER, 1, netmask) < 0) { fprintf(stderr, "pcap_compile(): \"%s\" failed\n", FILTER); return (0); } if (pcap_setfilter((*gp)->p, &prog) < 0) { fprintf(stderr, "pcap_setfilter() failed\n"); return 0; } return (1); } /********************************************************************/ void descry_destroy(struct descry_pack *gp) { /* do something someday*/ } /********************************************************************/ void descry(u_char *u, struct pcap_pkthdr *phdr, u_char *packet) { struct libnet_ipv4_hdr *ip; struct libnet_tcp_hdr *tcp; struct descry_pack *gp; struct tcp_connection *c; struct tcp_connection *rc; static u_char cleanup = 0; struct timeval ts; rc = NULL; c = NULL; gp = (struct descry_pack *)u; if (cleanup++ > CLEANUP_INTERVAL) { ts.tv_usec = phdr->ts.tv_usec; ts.tv_sec = phdr->ts.tv_sec; /* expire old connections */ pt_expire(gp, &ts); cleanup = 0; } if (phdr->len < (gp->offset + LIBNET_IPV4_H + LIBNET_TCP_H)) { return; } /* overlay IP and TCP headers */ ip = (struct libnet_ipv4_hdr *)(packet + gp->offset); tcp = (struct libnet_tcp_hdr *)(packet + gp->offset + (ip->ip_hl << 2)); /* shave off the lower order 6 bits containing the control flags */ switch (tcp->th_flags & 0x3F) { case (TH_SYN | TH_ACK): /* this is a new connection to be added to the trie */ /* get memory for the connection state */ c = malloc(sizeof (struct tcp_connection )); if (c == NULL) { return; } /* set connection state */ memcpy(&(c->ts), &(phdr->ts), sizeof(struct timeval)); SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport, ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack); /* insert TCP connection into the trie */ if (pt_insert(gp->pt, c) == 0) { fprintf(stderr, "pt_insert() failed!\n"); } break; case (TH_FIN | TH_ACK): case (TH_RST): case (TH_RST | TH_ACK): /* connection teardown */ /* get memory for the connection state */ c = malloc(sizeof (struct tcp_connection)); if (c == NULL) { return; } /* set connection state so we can search for the connection */ SET_STATE(c, ip->ip_dst.s_addr, tcp->th_dport, ip->ip_src.s_addr, tcp->th_sport, tcp->th_seq); if (pt_find(gp->pt, c, &rc)) { check_state(gp, c, rc); pt_delete(gp->pt, rc); } else { SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport, ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack); pt_delete(gp->pt, c); } free(c); break; default: break; } } char * get_time() { int i; time_t t; static char buf[26]; t = time((time_t *)NULL); strcpy(buf, ctime(&t)); /* cut out the day, year and \n */ for (i = 0; i < 20; i++) { buf[i] = buf[i + 4]; } buf[15] = 0; return (buf); } void check_state(struct descry_pack *gp, struct tcp_connection *con1, struct tcp_connection *con2) { /* check sequence number delta to see if data was sent */ if (ntohl(con1->seq) >= ntohl(con2->seq) && ntohl(con1->seq) <= ntohl(con2->seq) + 2) { if (gp->flags & DO_SYSLOG) { syslog(LOG_NOTICE, "Possible TCP port scan from %s:%d to %s:%d", libnet_addr2name4(con1->src_addr.s_addr, LIBNET_DONT_RESOLVE), ntohs(con1->src_port), libnet_addr2name4(con1->dst_addr.s_addr, LIBNET_DONT_RESOLVE), ntohs(con1->dst_port)); } else { fprintf(stderr, "[%s] TCP probe from %s:%d to %s:%d\n", get_time(), libnet_addr2name4(con1->src_addr.s_addr, LIBNET_DONT_RESOLVE), ntohs(con1->src_port), libnet_addr2name4(con1->dst_addr.s_addr, LIBNET_DONT_RESOLVE), ntohs(con1->dst_port)); } } } void pt_make_key(u_char *key, struct tcp_connection *c) { if (c == NULL) { fprintf(stderr, "pt_make_key(): c is NULL!\n"); return; } /* create a key for the trie from connection info */ memcpy(key, &(c->src_addr.s_addr), 4); memcpy(key + 4, &(c->src_port), 2); memcpy(key + 6, &(c->dst_addr.s_addr), 4); memcpy(key + 10, &(c->dst_port), 2); } struct pt_node * pt_new(int bit, struct pt_node *l, struct pt_node *r, struct tcp_connection *con) { struct pt_node *p = NULL; p = malloc(sizeof(struct pt_node)); if (p) { p->bit = bit; p->l = l; p->r = r; p->con = con; } return (p); } int pt_init(struct pt_context **p) { *p = malloc(sizeof(struct pt_context)); if (*p == NULL) { perror("pt_init(): malloc(): "); return (0); } (*p)->head = NULL; (*p)->n = 0; return (1); } int get_bit(u_char *key, struct pt_node *n) { u_char conkey[KEY_BYTES]; memset(conkey, 0, KEY_BYTES); if (n->bit < MIN_KEY_BIT || n->bit > MAX_KEY_BIT) { pt_make_key(conkey, n->con); if (memcmp(key, conkey, KEY_BYTES) == 0) { return (2); } else { return (3); } } return ((key[n->bit % 8] >> (7 - (n->bit % 8))) & 0x01); } int pt_search_r(struct pt_node *n, u_char *key, struct pt_node **rc) { switch (get_bit(key, n)) { case 0: return (pt_search_r(n->l, key, rc)); case 1: return (pt_search_r(n->r, key, rc)); case 2: *rc = n; return (1); default: *rc = n; return (0); } } int pt_remove_r(struct pt_context *pt, struct pt_node *n, u_char *key, struct pt_node *prev) { struct pt_node *tmp; if (n == NULL) { return (0); } /* extract bit from the key */ switch (get_bit(key, n)) { case 0: /* recurse down the left of this node */ return (pt_remove_r(pt, n->l, key, n)); break; case 1: /* recurse down the right of this node */ return (pt_remove_r(pt, n->r, key, n)); break; case 2: /* * Found the node to remove, deallocate its data and move * the sibling data node up one. */ free(n->con); n->con = (struct tcp_connection *)CON_REMOVED; if (prev == NULL) { return (1); } if ((int)prev->l->con == CON_REMOVED) { tmp = prev->r->r; free(prev->l); prev->con = prev->r->con; prev->bit = prev->r->bit; prev->l = prev->r->l; free(prev->r); prev->r = tmp; } else { tmp = prev->l->l; free(prev->r); prev->con = prev->l->con; prev->bit = prev->l->bit; prev->r = prev->l->r; free(prev->l); prev->l = tmp; } pt->n -= 2; return (1); default: return (0); } } void pt_delete(struct pt_context *pt, struct tcp_connection *c) { u_char key[KEY_BYTES]; /* if the trie is empty, just return */ if (pt->head == NULL) { return; } memset(key, 0, KEY_BYTES); pt_make_key(key, c); /* call the recursive search and delete function */ if (pt_remove_r(pt, pt->head, key, NULL)) { /* * If we just deleted the last connection record in the trie * then remove the last node so we have a totally empty trie. */ if (pt->n == 1 && (int)(pt->head->con) == CON_REMOVED) { free(pt->head); pt->head = NULL; pt->n = 0; } } } int pt_find(struct pt_context *pt, struct tcp_connection *c, struct tcp_connection **rc) { u_char key[KEY_BYTES]; struct pt_node *rn; int r; if (pt->head == NULL) { *rc = NULL; return (0); } /* get a key for this connection */ memset(key, 0, KEY_BYTES); pt_make_key(key, c); rn = NULL; r = pt_search_r(pt->head, key, &rn); *rc = rn->con; return (r); } int diff_bit(u_char *key1, u_char *key2, int *b) { int i, j; unsigned char v; /* iterate through all key bytes */ for (i = 0; i < KEY_BYTES; i++) { if ((v = key1[i] ^ key2[i])) { for (j = 0; j < 8; j++) { /* left shift with bitwise AND with a high bit mask */ if (v << j & 0x80) { *b = key1[i] >> (7 - j) & 0x01; return (i * 8 + j); } } } } return (MAX_KEY_BIT); } int pt_insert(struct pt_context *pt, struct tcp_connection *c) { struct pt_node *rn = NULL; u_char key1[KEY_BYTES], key2[KEY_BYTES]; int b; if (pt->head == NULL) { /* make a new head node */ pt->head = pt_new(MIN_KEY_BIT -1, NULL, NULL, c); if (pt->head == NULL) { perror("pt_insert(): malloc(): "); return (0); } else { /* increment node counter and return success */ pt->n++; return (1); } } else { memset(key1, 0, KEY_BYTES); pt_make_key(key1, c); switch (pt_search_r(pt->head, key1, &rn)) { case 0: memset(key2, 0, KEY_BYTES); pt_make_key(key2, rn->con); /* find the first differing bit, and its value */ rn->bit = diff_bit(key1, key2, &b); if (((b ? rn->r : rn->l) == pt_new(MIN_KEY_BIT - 1, NULL, NULL, c)) == 0) { return (0); } if (((b ? rn->l : rn->r) == pt_new(MIN_KEY_BIT - 1, NULL, NULL, rn->con)) == 0) { free(b ? rn->r : rn->l); return (0); } rn->con = NULL; pt->n += 2; return (1); case 1: return (2); } } return (0); } void pt_walk_r(struct descry_pack *gp, struct pt_node *cur, struct pt_node *pre, struct timeval* ts) { struct timeval tsdif; if (cur == NULL || pre == NULL) { return; } /* if this is a decision node, then keep walking */ if (cur->bit >= MIN_KEY_BIT && cur->bit <= MAX_KEY_BIT) { pt_walk_r(gp, cur->l, cur, ts); } else if (NULL != cur->con) { PTIMERSUB(ts, &(cur->con->ts), &tsdif); /* * If the timestamp on the current connection is too old * remove it. */ if (EXPIRE_TIME < tsdif.tv_sec) { pt_delete(gp->pt, cur->con); } /* return if we reach the far right or the root node */ if (cur == pre || cur == pre->r) { return; } pt_walk_r(gp, pre->r, pre, ts); } else { if (gp->flags & DO_SYSLOG) { syslog(LOG_WARNING, "Internal data structure corrupted!"); } else { fprintf(stderr, "Internal data structure corrupted!\n"); } abort(); } } void usage(char* name) { fprintf(stderr, "usage %s [options] (-i and -f are mutually exclusive)\n" "-a\t\tmonitor all hosts in the same segment\n" "-i interface\tspecify device <or>\n" "-f capture file\tspecify tcpdump capture file\n" "-s\t\tlog to syslog instead of stderr\n", name); } /*************************************************************************/ /*Main Program*/ /*************************************************************************/ int main(int argc, char *argv[]) { int c; u_char flags; char device[20]; char capture_file[50]; struct descry_pack *gp; printf("Descry 1.0 [TCP port scan detection tool]\n"); flags = 0; strcpy(device, " "); strcpy(capture_file, " "); while ((c = getopt(argc, argv, "ahf:i:vs")) != EOF) { switch (c) { case 'a': flags |= ALL_HOSTS; break; case 'f': strcpy(capture_file, optarg); break; case 'i': strcpy(device, optarg); break; case 'v': break; case 's': flags |= DO_SYSLOG; break; case 'h': default: usage(argv[0]); return (EXIT_FAILURE); } } /* either read from a capture file OR run on the network */ if (capture_file && device) { usage(argv[0]); return (EXIT_FAILURE); } if (descry_init(&gp, device, capture_file, flags) == 0) { fprintf(stderr, "descry_init(): catastrophic failure\n"); return (EXIT_FAILURE); } while (pcap_dispatch(gp->p, 0, (pcap_handler)descry, (u_char*)gp)); descry_destroy(gp); return (EXIT_SUCCESS); } |
sort it out! use code tags!
|
| All times are GMT -5. The time now is 12:18 PM. |