hello,
when compile this program not getting any result so did debug with GDB after debug getting this.............
(gdb) run descry
Starting program: /home/nasim/Desktop/ppro/descry descry
Descry 1.0 [TCP port scan detection tool]
usage /home/nasim/Desktop/ppro/descry [options] (-i and -f are mutually exclusive)
-a monitor all hosts in the same segment
-i interface specify device <or>
-f capture file specify tcpdump capture file
-s log to syslog instead of stderr
Program exited with code 01.
why not getting result. this code for your concern. please feedback me.......
#include <syslog.h>
#include <libnet.h>
#include <pcap.h>
#include <time.h>
/* misc defines */
#define MAX_STRING 0x100 /* default string length */
#define CON_REMOVED 0xFFFFFFFF /* tag a node for removal */
#define CLEANUP_INTERVAL 1000 /* how often the cleaner runs */
#define EXPIRE_TIME 11800 /* seconds that a connection should
* should linger in SYN-ACK state
* before it gets expired
*/
#define MAX_PACKET 1500 /* max packet size */
/* filter to catch SYN-ACK, FIN-ACK, and RST segments */
#define FILTER "((tcp[13] & 0x12) == 0x12) || ((tcp[13] & 0x11) == 0x11) || \
((tcp[13] & 0x14) == 0x14) || ((tcp[13] & 0x04) == 0x04)"
/* patricia key symbolic constants */
#define KEY_BYTES 12
#define MIN_KEY_BIT 0
#define MAX_KEY_BIT (KEY_BYTES * 8 - 1)
/*
* Simple way to subtract timeval based timers. Not every OS has this,
* so we'll just define it here.
*/
#define PTIMERSUB(tvp, uvp, vvp) \
do \
{ \
(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \
(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \
if ((vvp)->tv_usec < 0) \
{ \
(vvp)->tv_sec--; \
(vvp)->tv_usec += 1000000; \
} \
} \
while (0) \
/* code cleanup to set connection state */
#define SET_STATE(c, dip, dp, sip, sp, s) \
{ \
c->dst_addr.s_addr = dip;c->dst_port = dp; \
c->src_addr.s_addr = sip;c->src_port = sp; \
c->seq = s; \
}
/* TCP connection info */
struct tcp_connection
{
struct in_addr src_addr; /* source address */
struct in_addr dst_addr; /* destination address */
struct timeval ts; /* time value */
u_long seq; /* sequence number */
u_short src_port; /* source port */
u_short dst_port; /* destination port */
};
/* decision node within the patricia trie */
struct pt_node
{
int bit; /* decision bit */
struct pt_node *l; /* left node */
struct pt_node *r; /* right node */
struct tcp_connection *con; /* connection info */
};
/* patricia trie context */
struct pt_context
{
struct pt_node *head; /* head of the trie */
u_long n; /* number of existing nodes */
};
/* main descry control context */
struct descry_pack
{
pcap_t *p; /* libpcap context */
u_char flags; /* control flags */
#define ALL_HOSTS 0x1 /* monitor all hosts on segment */
#define DO_SYSLOG 0x02 /* log to syslog */
int offset; /* offset to IP header */
struct pt_context *pt; /* patricia trie context */
};
/********************************************************************/
/*Function Body*/
/********************************************************************/
int
descry_init(struct descry_pack **gp, char *device, char *capture_file,
u_char flags)
{
char *interface = NULL;
char error[PCAP_ERRBUF_SIZE];
struct bpf_program prog;
u_int32_t network, netmask;
*gp = malloc(sizeof(struct descry_pack));
if (*gp == NULL)
{
perror("descry_init(): malloc(): ");
return (0);
}
/* initialize the patricia trie */
if (pt_init(&((*gp)->pt)) == 0)
{
/* error set in pt_init() */
return (EXIT_FAILURE);
}
/* control flags */
(*gp)->flags = flags;
if (capture_file)
{
/* we have a capture file to analyze */
(*gp)->p = pcap_open_offline(capture_file, error);
if ((*gp)->p == NULL)
{
fprintf(stderr, "pcap_open_offline() %s\n", error);
return (0);
}
}
else
{
/* we're doing a live capture, do we have a device? */
if (device)
{
interface = device;
}
else
{
interface = pcap_lookupdev(error);
if (interface == NULL)
{
fprintf(stderr, "pcap_lookupdev(): %s\n", error);
return (0);
}
}
(*gp)->p = pcap_open_live(interface, MAX_PACKET,
((*gp)->flags & ALL_HOSTS), 0, error);
if ((*gp)->p == NULL)
{
fprintf(stderr, "pcap_open_live() %s\n", error);
return (0);
}
}
/* get the length of the link layer header */
switch (pcap_datalink((*gp)->p))
{
case DLT_SLIP:
/* a little SLIPstreaming! Whoops! There's Charlie! */
(*gp)->offset = 0x10;
break;
case DLT_PPP:
/* PPP y0 */
(*gp)->offset = 0x04;
break;
default:
case DLT_EN10MB:
/* good old ethernet or something like it I hope! */
(*gp)->offset = 0x0e;
break;
}
if (interface)
{
/* compile our filter and apply it to the interface */
if (pcap_lookupnet(interface, &network, &netmask, error) < 0)
{
fprintf(stderr, "pcap_lookupnet() %s\n", error);
return (0);
}
}
if (pcap_compile((*gp)->p, &prog, FILTER, 1, netmask) < 0)
{
fprintf(stderr, "pcap_compile(): \"%s\" failed\n", FILTER);
return (0);
}
if (pcap_setfilter((*gp)->p, &prog) < 0)
{
fprintf(stderr, "pcap_setfilter() failed\n");
return 0;
}
return (1);
}
/********************************************************************/
void
descry_destroy(struct descry_pack *gp)
{
/* do something someday*/
}
/********************************************************************/
void
descry(u_char *u, struct pcap_pkthdr *phdr, u_char *packet)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
struct descry_pack *gp;
struct tcp_connection *c;
struct tcp_connection *rc;
static u_char cleanup = 0;
struct timeval ts;
rc = NULL;
c = NULL;
gp = (struct descry_pack *)u;
if (cleanup++ > CLEANUP_INTERVAL)
{
ts.tv_usec = phdr->ts.tv_usec;
ts.tv_sec = phdr->ts.tv_sec;
/* expire old connections */
pt_expire(gp, &ts);
cleanup = 0;
}
if (phdr->len < (gp->offset + LIBNET_IPV4_H + LIBNET_TCP_H))
{
return;
}
/* overlay IP and TCP headers */
ip = (struct libnet_ipv4_hdr *)(packet + gp->offset);
tcp = (struct libnet_tcp_hdr *)(packet + gp->offset +
(ip->ip_hl << 2));
/* shave off the lower order 6 bits containing the control flags */
switch (tcp->th_flags & 0x3F)
{
case (TH_SYN | TH_ACK):
/* this is a new connection to be added to the trie */
/* get memory for the connection state */
c = malloc(sizeof (struct tcp_connection ));
if (c == NULL)
{
return;
}
/* set connection state */
memcpy(&(c->ts), &(phdr->ts), sizeof(struct timeval));
SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport,
ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack);
/* insert TCP connection into the trie */
if (pt_insert(gp->pt, c) == 0)
{
fprintf(stderr, "pt_insert() failed!\n");
}
break;
case (TH_FIN | TH_ACK):
case (TH_RST):
case (TH_RST | TH_ACK):
/* connection teardown */
/* get memory for the connection state */
c = malloc(sizeof (struct tcp_connection));
if (c == NULL)
{
return;
}
/* set connection state so we can search for the connection */
SET_STATE(c, ip->ip_dst.s_addr, tcp->th_dport,
ip->ip_src.s_addr, tcp->th_sport, tcp->th_seq);
if (pt_find(gp->pt, c, &rc))
{
check_state(gp, c, rc);
pt_delete(gp->pt, rc);
}
else
{
SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport,
ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack);
pt_delete(gp->pt, c);
}
free(c);
break;
default:
break;
}
}
char *
get_time()
{
int i;
time_t t;
static char buf[26];
t = time((time_t *)NULL);
strcpy(buf, ctime(&t));
/* cut out the day, year and \n */
for (i = 0; i < 20; i++)
{
buf[i] = buf[i + 4];
}
buf[15] = 0;
return (buf);
}
void
check_state(struct descry_pack *gp, struct tcp_connection *con1,
struct tcp_connection *con2)
{
/* check sequence number delta to see if data was sent */
if (ntohl(con1->seq) >= ntohl(con2->seq) &&
ntohl(con1->seq) <= ntohl(con2->seq) + 2)
{
if (gp->flags & DO_SYSLOG)
{
syslog(LOG_NOTICE,
"Possible TCP port scan from %s:%d to %s:%d",
libnet_addr2name4(con1->src_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->src_port),
libnet_addr2name4(con1->dst_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->dst_port));
}
else
{
fprintf(stderr,
"[%s] TCP probe from %s:%d to %s:%d\n",
get_time(),
libnet_addr2name4(con1->src_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->src_port),
libnet_addr2name4(con1->dst_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->dst_port));
}
}
}
void
pt_make_key(u_char *key, struct tcp_connection *c)
{
if (c == NULL)
{
fprintf(stderr, "pt_make_key(): c is NULL!\n");
return;
}
/* create a key for the trie from connection info */
memcpy(key, &(c->src_addr.s_addr), 4);
memcpy(key + 4, &(c->src_port), 2);
memcpy(key + 6, &(c->dst_addr.s_addr), 4);
memcpy(key + 10, &(c->dst_port), 2);
}
struct pt_node *
pt_new(int bit, struct pt_node *l, struct pt_node *r,
struct tcp_connection *con)
{
struct pt_node *p = NULL;
p = malloc(sizeof(struct pt_node));
if (p)
{
p->bit = bit;
p->l = l;
p->r = r;
p->con = con;
}
return (p);
}
int
pt_init(struct pt_context **p)
{
*p = malloc(sizeof(struct pt_context));
if (*p == NULL)
{
perror("pt_init(): malloc(): ");
return (0);
}
(*p)->head = NULL;
(*p)->n = 0;
return (1);
}
int
get_bit(u_char *key, struct pt_node *n)
{
u_char conkey[KEY_BYTES];
memset(conkey, 0, KEY_BYTES);
if (n->bit < MIN_KEY_BIT || n->bit > MAX_KEY_BIT)
{
pt_make_key(conkey, n->con);
if (memcmp(key, conkey, KEY_BYTES) == 0)
{
return (2);
}
else
{
return (3);
}
}
return ((key[n->bit % 8] >> (7 - (n->bit % 8))) & 0x01);
}
int
pt_search_r(struct pt_node *n, u_char *key, struct pt_node **rc)
{
switch (get_bit(key, n))
{
case 0:
return (pt_search_r(n->l, key, rc));
case 1:
return (pt_search_r(n->r, key, rc));
case 2:
*rc = n;
return (1);
default:
*rc = n;
return (0);
}
}
int
pt_remove_r(struct pt_context *pt, struct pt_node *n, u_char *key,
struct pt_node *prev)
{
struct pt_node *tmp;
if (n == NULL)
{
return (0);
}
/* extract bit from the key */
switch (get_bit(key, n))
{
case 0:
/* recurse down the left of this node */
return (pt_remove_r(pt, n->l, key, n));
break;
case 1:
/* recurse down the right of this node */
return (pt_remove_r(pt, n->r, key, n));
break;
case 2:
/*
* Found the node to remove, deallocate its data and move
* the sibling data node up one.
*/
free(n->con);
n->con = (struct tcp_connection *)CON_REMOVED;
if (prev == NULL)
{
return (1);
}
if ((int)prev->l->con == CON_REMOVED)
{
tmp = prev->r->r;
free(prev->l);
prev->con = prev->r->con;
prev->bit = prev->r->bit;
prev->l = prev->r->l;
free(prev->r);
prev->r = tmp;
}
else
{
tmp = prev->l->l;
free(prev->r);
prev->con = prev->l->con;
prev->bit = prev->l->bit;
prev->r = prev->l->r;
free(prev->l);
prev->l = tmp;
}
pt->n -= 2;
return (1);
default:
return (0);
}
}
void
pt_delete(struct pt_context *pt, struct tcp_connection *c)
{
u_char key[KEY_BYTES];
/* if the trie is empty, just return */
if (pt->head == NULL)
{
return;
}
memset(key, 0, KEY_BYTES);
pt_make_key(key, c);
/* call the recursive search and delete function */
if (pt_remove_r(pt, pt->head, key, NULL))
{
/*
* If we just deleted the last connection record in the trie
* then remove the last node so we have a totally empty trie.
*/
if (pt->n == 1 && (int)(pt->head->con) == CON_REMOVED)
{
free(pt->head);
pt->head = NULL;
pt->n = 0;
}
}
}
int
pt_find(struct pt_context *pt, struct tcp_connection *c,
struct tcp_connection **rc)
{
u_char key[KEY_BYTES];
struct pt_node *rn;
int r;
if (pt->head == NULL)
{
*rc = NULL;
return (0);
}
/* get a key for this connection */
memset(key, 0, KEY_BYTES);
pt_make_key(key, c);
rn = NULL;
r = pt_search_r(pt->head, key, &rn);
*rc = rn->con;
return (r);
}
int
diff_bit(u_char *key1, u_char *key2, int *b)
{
int i, j;
unsigned char v;
/* iterate through all key bytes */
for (i = 0; i < KEY_BYTES; i++)
{
if ((v = key1[i] ^ key2[i]))
{
for (j = 0; j < 8; j++)
{
/* left shift with bitwise AND with a high bit mask */
if (v << j & 0x80)
{
*b = key1[i] >> (7 - j) & 0x01;
return (i * 8 + j);
}
}
}
}
return (MAX_KEY_BIT);
}
int
pt_insert(struct pt_context *pt, struct tcp_connection *c)
{
struct pt_node *rn = NULL;
u_char key1[KEY_BYTES], key2[KEY_BYTES];
int b;
if (pt->head == NULL)
{
/* make a new head node */
pt->head = pt_new(MIN_KEY_BIT -1, NULL, NULL, c);
if (pt->head == NULL)
{
perror("pt_insert(): malloc(): ");
return (0);
}
else
{
/* increment node counter and return success */
pt->n++;
return (1);
}
}
else
{
memset(key1, 0, KEY_BYTES);
pt_make_key(key1, c);
switch (pt_search_r(pt->head, key1, &rn))
{
case 0:
memset(key2, 0, KEY_BYTES);
pt_make_key(key2, rn->con);
/* find the first differing bit, and its value */
rn->bit = diff_bit(key1, key2, &b);
if (((b ? rn->r : rn->l) == pt_new(MIN_KEY_BIT - 1, NULL, NULL, c)) == 0)
{
return (0);
}
if (((b ? rn->l : rn->r) == pt_new(MIN_KEY_BIT - 1, NULL, NULL, rn->con)) == 0)
{
free(b ? rn->r : rn->l);
return (0);
}
rn->con = NULL;
pt->n += 2;
return (1);
case 1:
return (2);
}
}
return (0);
}
void
pt_walk_r(struct descry_pack *gp, struct pt_node *cur,
struct pt_node *pre, struct timeval* ts)
{
struct timeval tsdif;
if (cur == NULL || pre == NULL)
{
return;
}
/* if this is a decision node, then keep walking */
if (cur->bit >= MIN_KEY_BIT && cur->bit <= MAX_KEY_BIT)
{
pt_walk_r(gp, cur->l, cur, ts);
}
else if (NULL != cur->con)
{
PTIMERSUB(ts, &(cur->con->ts), &tsdif);
/*
* If the timestamp on the current connection is too old
* remove it.
*/
if (EXPIRE_TIME < tsdif.tv_sec)
{
pt_delete(gp->pt, cur->con);
}
/* return if we reach the far right or the root node */
if (cur == pre || cur == pre->r)
{
return;
}
pt_walk_r(gp, pre->r, pre, ts);
}
else
{
if (gp->flags & DO_SYSLOG)
{
syslog(LOG_WARNING, "Internal data structure corrupted!");
}
else
{
fprintf(stderr, "Internal data structure corrupted!\n");
}
abort();
}
}
void
usage(char* name)
{
fprintf(stderr,
"usage %s [options] (-i and -f are mutually exclusive)\n"
"-a\t\tmonitor all hosts in the same segment\n"
"-i interface\tspecify device <or>\n"
"-f capture file\tspecify tcpdump capture file\n"
"-s\t\tlog to syslog instead of stderr\n", name);
}
/*************************************************************************/
/*Main Program*/
/*************************************************************************/
int
main(int argc, char *argv[])
{
int c;
u_char flags;
char device[20];
char capture_file[50];
struct descry_pack *gp;
printf("Descry 1.0 [TCP port scan detection tool]\n");
flags = 0;
strcpy(device, " ");
strcpy(capture_file, " ");
while ((c = getopt(argc, argv, "ahf:i:vs")) != EOF)
{
switch (c)
{
case 'a':
flags |= ALL_HOSTS;
break;
case 'f':
strcpy(capture_file, optarg);
break;
case 'i':
strcpy(device, optarg);
break;
case 'v':
break;
case 's':
flags |= DO_SYSLOG;
break;
case 'h':
default:
usage(argv[0]);
return (EXIT_FAILURE);
}
}
/* either read from a capture file OR run on the network */
if (capture_file && device)
{
usage(argv[0]);
return (EXIT_FAILURE);
}
if (descry_init(&gp, device, capture_file, flags) == 0)
{
fprintf(stderr, "descry_init(): catastrophic failure\n");
return (EXIT_FAILURE);
}
while (pcap_dispatch(gp->p, 0, (pcap_handler)descry, (u_char*)gp));
descry_destroy(gp);
return (EXIT_SUCCESS);
}
Program exited with code 01.
