X-Git-Url: https://git.rrq.au/?a=blobdiff_plain;f=socket-sniff%2Fsocket-sniff.c;h=4256ee127efa32bb8b3a8027c54a81cd308ce513;hb=bf886807c380152f6798f68965cc1cd7536bd8c5;hp=3048c0d11b3864627c7c55f73bd34a965b57b25f;hpb=2c67ce1582980252594e3afaeba20b0ee7b60dd5;p=rrq%2Frrqmisc.git
diff --git a/socket-sniff/socket-sniff.c b/socket-sniff/socket-sniff.c
index 3048c0d..4256ee1 100644
--- a/socket-sniff/socket-sniff.c
+++ b/socket-sniff/socket-sniff.c
@@ -1,4 +1,5 @@
 #include
+#include
 #include
 #include
 #include
@@ -6,142 +7,271 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
-#include
+
+#include
+#include
 // Seconds between outputs
-#define DELAY 5
+static int DELAY = 5;
 // Byte count fade-out between displays
-#define FADE 10000
+static int FADE = 10000;
 // Number of top usage to report
-#define WORST 20
+static int WORST = 20;
+
+// Drop-out age
+static int OLD = 600;
 // Number of characters for text format IP holdings
 #define IPBUFMAX 40
+// Count record for IP -> length mapping
 typedef struct _Count {
- struct _Count *next;
- int ignore;
- int last;
- int accum;
- int total;
- char ip[ IPBUFMAX ];
+ struct _Count *next; // Next Count in time order
+ struct _Count *prev; // Previous Count in time order
+ struct timeval when; // Last update time for this Count record
+ int ignore; // Flag to leave out from reports
+ int last; // The saved accumulation from the last report period
+ int accum; // Current accumulation
+ int total; // The total accumulation (reduced by fading)
+ char ip[ IPBUFMAX ]; // The IP concerned, in ascii
 } Count;
+// Print message and exit
 static void die(char *m) {
 fprintf( stderr, "%s\n", m );
 exit( 1 );
 }
-static int Count_hashcode(htable *table,unsigned char *key) {
- int value = 0;
- int i = 0;
- while ( *key ) {
- value += *(key++) + (i++);
- value += i;
- }
- return value;
+// Returns the hashcode for a key
+static unsigned long Countp_hashcode(void *this,void *key) {
+ return HashVector_hashcode( key, IPBUFMAX );
 }
-static htable TBL = HTABLEINIT( Count, ip, Count_hashcode );
-static Count *last_add;
-static char buffer[ IPBUFMAX ];
+// Return pointer a key for an item (could be temporary allocation)
+static void *Countp_itemkey(void *this,void *item) {
+ return ((Count*) item)->ip;
+}
+
+// Return 1 if the item has the key, or 0 otherwise.
+static int Countp_haskey(void *this,void *item,void *key) {
+ return memcmp( key, Countp_itemkey( this, item ), IPBUFMAX ) == 0;
+}
+
+#if 0
+// Releasing a key does nothing
+static void Countp_releasekey(void *this,void *item) {
+}
+#endif
+
+static ItemKeyFun Countp_itemkeyfun = {
+ .hashcode = Countp_hashcode,
+ .haskey = Countp_haskey,
+ .itemkey = Countp_itemkey,
+ //.releasekey = Countp_releasekey,
+ //.tostring = Countp_tostring
+};
-#include "ignores.i"
+// The HashVector of seen IP
+static HashVector TBL = {
+ .table = { Nibble_index_levels, 16, 0 },
+ .fill = 0,
+ .holes = 0,
+ .type = &Countp_itemkeyfun,
+};
+// The Count records in time order
 static struct {
- Count *table[ WORST ];
- int fill;
- int lowest;
-} worst;
+ Count *head;
+ Count *tail;
+} trail;
-static int Countp_compare(const void *ax, const void *bx) {
- Count *a = *(Count**) ax;
- Count *b = *(Count**) bx;
- int x = b->total - a->total;
- if ( x != 0 ) {
- if ( a->last == 0 ) {
- return ( b->last == 0 )? x : -1;
+// Temporary buffer for IP addresses in ascii
+static char buffer[ IPBUFMAX ];
+
+/*============================================================
+ * Reading ignore lines.
+ */
+#if 0
+// Return pointer to the key for an item
+static void *charp_itemkey(void *this,void *item) {
+ return item;
+}
+
+// Return 1 if the item has the key, or 0 otherwise.
+static int charp_haskey(void *this,void *item,void *key) {
+ return strcmp( key, item ) == 0;
+}
+
+// Returns the hashcode for a key
+static unsigned long charp_hashcode(void *this,void *key) {
+ return HashVector_hashcode( key, strlen( (const char *) key ) );
+}
+#endif
+
+static HashVector IGN = {
+ .table = { Nibble_index_levels, 16, 0 },
+ .fill = 0,
+ .holes = 0,
+ .type = &stringitem
+};
+
+static void read_ignore_file(char *filename) {
+ #define RDBLKSZ 1000000
+ static char block[ RDBLKSZ ];
+ static char *cur = block;
+ static char *end = block;
+ int fd = open( filename, O_RDONLY );
+ if ( fd < 0 ) {
+ die( "Cannot load the ignare file." );
+ }
+ for ( ;; ) {
+ char *p = cur;
+ size_t n;
+ for ( ;; ) { // move p to end of line
+ while ( p < end && *p != '\n' ) {
+ p++;
+ }
+ if ( p < end ) {
+ break;
+ }
+ if ( cur != block && cur != end ) {
+ memmove( cur, block, end - cur );
+ end -= cur - block;
+ cur = block;
+ p = end;
+ }
+ n = RDBLKSZ - ( end - cur );
+ n = read( fd, end, n );
+ if ( n <= 0 ) {
+ return; // All done
+ }
+ end += n;
 }
+ // Line from cur to '\n' at p < end.
+ char *ip = calloc( 1, p - cur + 1 );
+ memcpy( ip, cur, p - cur );
+ cur = p + 1;
+ HashVector_add( &IGN, ip );
 }
- x = b->last - a->last;
- return x;
 }
-static void add_worst_ordered(Count *item) {
- if ( worst.fill < WORST ) {
- worst.table[ worst.fill++ ] = item;
- if ( worst.fill == WORST ) {
- qsort( worst.table, worst.fill, sizeof( Count* ), Countp_compare );
- }
- return;
+/*============================================================*/
+
+static int Countp_compare(const void *ax, const void *bx) {
+ Count *a = (Count*) ax;
+ Count *b = (Count*) bx;
+ if ( b->ignore ) {
+ return 1;
 }
- Count **repl = bsearch(
- &item, worst.table, worst.fill, sizeof( Count* ), Countp_compare );
- if ( repl == 0 ) {
- return;
+ if ( a->ignore ) {
+ return -1;
+ }
+ int x = a->total - b->total;
+ if ( x ) {
+ return x;
 }
- int size = (char*) &worst.table[ worst.fill - 1 ] - (char*) repl;
- if ( size > 0 ) {
- memmove( repl + 1, repl, size );
+ return a->last - b->last;
+}
+
+static int Countp_fade_and_print(VectorIndex index,void *x,void *d) {
+ if ( x ) {
+ Count *item = (Count *) x;
+ item->last = item->accum;
+ item->total += item->last - FADE;
+ item->accum = 0;
+ if ( item->total <= 0 ) {
+ item->total = 0;
+ } else if ( index < WORST && item->ignore == 0 ) {
+ fprintf( stdout, "... %s %d %d\n",
+ item->ip, item->total, item->last );
+ }
 }
- *repl = item;
+ return 0;
+}
+
+static int Countp_reclaim(Vector *pv,unsigned long ix,void *item,void *data) {
+ return 0;
 }
+
+// ip points to [ IPBUFMAX ] of ip address in text
 static void add_show_table(char *ip,size_t length) {
 static time_t show = 0;
- Count *item;
- int i = htfind( &TBL, ip, (unsigned char **) &item );
- if ( i == 0 ) {
- item = (Count *) calloc( 1, sizeof( Count ) );
- memcpy( item->ip, ip, strlen( ip ) );
- item->accum = length;
- item->ignore = ignored( ip );
- htadd( &TBL, (unsigned char *) item );
- item->next = last_add;
- last_add = item;
- } else {
- item->accum += length;
- }
+ Count *item = HashVector_find( &TBL, ip );
 struct timeval now;
 if ( gettimeofday( &now, 0 ) ) {
 perror( "gettimeofday" );
 exit( 1 );
 }
+ if ( item == 0 ) {
+ item = (Count *) calloc( 1, sizeof( Count ) );
+ memcpy( item->ip, ip, strlen( ip ) );
+ HashVector_add( &TBL, item );
+ item->ignore = (HashVector_find( &IGN, ip ) != 0);
+ int i;
+ for ( i = strlen( ip )-1; i > 1; i-- ) {
+ if ( ip[i] == '.' || ip[i] == ':' ) {
+ item->ignore |= (HashVector_find( &IGN, ip ) != 0);
+ }
+ ip[i] = 0;
+ }
+ fprintf( stdout, "add %s\n", item->ip );
+ } else {
+ // Unlink item from the trail
+ if ( item->next ) {
+ item->next->prev = item->prev;
+ }
+ if ( item->prev ) {
+ item->prev->next = item->next;
+ }
+ if ( trail.head == item ) {
+ trail.head = item->next;
+ }
+ if ( trail.tail == item ) {
+ trail.tail = item->prev;
+ }
+ item->prev = item->next = 0;
+ }
+ item->accum += length;
+ item->when = now;
+ // Link in item to the trail end
+ if ( trail.head == 0 ) {
+ trail.head = item;
+ } else {
+ trail.tail->next = item;
+ item->prev = trail.tail;
+ }
+ trail.tail = item;
+ // Drop counters older than an hour
+ while ( trail.head->when.tv_sec + OLD < item->when.tv_sec ) {
+ Count *old = trail.head;
+ trail.head = old->next;
+ if ( trail.head ) {
+ trail.head->prev = 0;
+ }
+ fprintf( stdout, "drop %s\n", old->ip );
+ HashVector_delete( &TBL, old );
+ free( old );
+ }
 if ( now.tv_sec < show ) {
 return;
 }
 if ( now.tv_sec - show > DELAY ) {
 show = now.tv_sec;
 }
- show += 5; // Time for next output
- // collate entries; Keep the X worst entries, but reduce all a bit
- worst.fill = 0;
- item = last_add;
- for ( ; item; item = item->next ) {
- item->last = item->accum;
- item->total += item->last - FADE;
- if ( item->total < 0 ) {
- item->total = 0;
- }
- item->accum = 0;
- if ( item->ignore == 0 ) {
- add_worst_ordered( item );
- }
- }
- //fprintf( stdout, "" );
- for ( i = 0; i < worst.fill; i++ ) {
- item = worst.table[ i ];
- if ( item->total && item->last ) {
- fprintf( stdout, "... %s %d %d\n",
- item->ip, item->total, item->last );
- }
- }
- fprintf( stdout, "==%d/%d/%d\n", TBL.fill, TBL.holes,TBL.size );
+ show += DELAY; // Time for next output
+ Vector ordered = { Nibble_index_levels, 0, 0 };
+ HashVector_contents( &TBL, Nibble_index_levels, &ordered );
+ Vector_qsort( &ordered, Countp_compare );
+ Vector_iterate( &ordered, 0, Countp_fade_and_print, 0 );
+ Vector_resize( &ordered, 0, Countp_reclaim, 0 );
+ fprintf( stdout, "==%ld/%ld/%ld\n", TBL.fill, TBL.holes, TBL.table.size );
 }
 static char *ipv4_address(char *b) {
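Review bot: In `read_ignore_file` the buffer refill can hand `read()` a count that runs past the end of `block`: when every buffered line has been consumed (`cur == end`, both past `block`) the compaction is skipped and the space is computed as `RDBLKSZ - ( end - cur )`, i.e. the full block size measured from `end`. The compaction itself, `memmove( cur, block, end - cur )`, has destination and source swapped, so a partial line carried across a refill is overwritten instead of moved to the start. `n` is declared `size_t`, so `n <= 0` never catches a failed `read()` and `end += n` then applies a wrapped value; the descriptor is also never closed and the `calloc` result is used unchecked. The refill loop below measures free space from `block`, always compacts, and uses a signed count. Separately, the comment `// Drop counters older than an hour` in `add_show_table` does not match the 600-second default of `OLD`.

```c
static void read_ignore_file(char *filename) {
    // … unchanged: RDBLKSZ, block/cur/end statics, open() and its check …
    for ( ;; ) {
	char *p = cur;
	ssize_t n; // signed, so a failed read() is seen
	for ( ;; ) { // move p to end of line
	    // … unchanged: scan p forward to '\n', break when found …
	    if ( cur != block ) {
		// Slide the unconsumed tail (possibly empty) down to block
		memmove( block, cur, end - cur );
		end -= cur - block;
		cur = block;
		p = end;
	    }
	    if ( end == block + RDBLKSZ ) {
		die( "Line too long in the ignore file." );
	    }
	    n = read( fd, end, RDBLKSZ - ( end - block ) );
	    if ( n <= 0 ) {
		close( fd );
		return; // EOF or read error
	    }
	    end += n;
	}
	// … unchanged: copy the line from cur to p and add it to IGN …
    }
}
```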
@@ -160,12 +290,51 @@ static char *ipv6_address(short *b) {
 int main(int argc,char **argv) {
 static char packet[ 2048 ];
- if ( argc != 2 ) {
+ int ARG = 1;
+ // Check for -fN to set FADE
+ if ( ARG < argc && strncmp( argv[ ARG ], "-d", 2 ) == 0 ) {
+ if ( sscanf( argv[ ARG ]+2, "%d", &DELAY ) != 1 ) {
+ die( "Missing/bad delay value" );
+ }
+ fprintf( stdout, "Delay is %d seconds between reports\n", DELAY );
+ ARG++;
+ }
+ if ( ARG < argc && strncmp( argv[ ARG ], "-f", 2 ) == 0 ) {
+ if ( sscanf( argv[ ARG ]+2, "%d", &FADE ) != 1 ) {
+ die( "Missing/bad fade value" );
+ }
+ fprintf( stdout, "Fading %d bytes before reports\n", FADE );
+ ARG++;
+ }
+ if ( ARG < argc && strncmp( argv[ ARG ], "-n", 2 ) == 0 ) {
+ if ( sscanf( argv[ ARG ]+2, "%d", &WORST ) != 1 ) {
+ die( "Missing/bad number to display" );
+ }
+ fprintf( stdout, "Displaying at most %d lines in reports\n", WORST );
+ ARG++;
+ }
+ if ( ARG < argc && strncmp( argv[ ARG ], "-a", 2 ) == 0 ) {
+ if ( sscanf( argv[ ARG ]+2, "%d", &OLD ) != 1 ) {
+ die( "Missing/bad drop-out age (seconds)" );
+ }
+ fprintf( stdout, "Displaying at most %d lines in reports\n", WORST );
+ ARG++;
+ }
+ if ( ARG < argc && strncmp( argv[ ARG ], "-i", 2 ) == 0 ) {
+ char *filename = argv[ ARG ] + 2;
+ if ( (*filename) == 0 ) {
+ die( "Missing/bad ignore filename" );
+ }
+ read_ignore_file( filename );
+ fprintf( stdout, "ignoring ip prefixes from %s\n", filename );
+ ARG++;
+ }
+ if ( ARG >= argc ) {
 die( "Please tell which interface to sniff" );
 }
 setbuf( stdout, 0 );
 int N;
- char *iface = argv[ ARG - 0 ];
+ char *iface = argv[ ARG ];
 int fd = socket( AF_PACKET, SOCK_RAW, htons( ETH_P_ALL ) );
 char flags[4] = { 1,0,0,0 };
 if ( fd < 0 ) {
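Review bot: The numbers read by `sscanf( ..., "%d", ... )` for `-d`, `-f`, `-n` and `-a` are accepted without any range check, and a negative `-a` value makes the drop loop in `add_show_table` (`trail.head->when.tv_sec + OLD < item->when.tv_sec`) free the record that was just linked and then dereference a null `trail.head`. Rejecting negatives at parse time avoids that, e.g. `if ( sscanf( argv[ ARG ]+2, "%d", &OLD ) != 1 || OLD < 0 ) {`, and the same guard fits the other three options. The `-a` branch also repeats the `-n` message with `WORST`; it should report the value it set, e.g. `fprintf( stdout, "Dropping counters idle for %d seconds\n", OLD );`. The comment `// Check for -fN to set FADE` sits above the `-d` branch, and since the options are only recognised in the fixed order d, f, n, a, i, that order should be stated there. `main` continues past the end of this hunk.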
@@ -189,14 +358,19 @@ int main(int argc,char **argv) {
 int code = ntohs( *((short*)(packet+12)) );
 if ( code == 0x0800 ) {
 // 14+12=src 14+16=dst
- add_show_table( ipv4_address( packet+30 ), N );
+ char *p = ipv4_address( packet+30 );
+ if ( ( strncmp( p, "127.", 4 ) != 0 ) ) {
+ add_show_table( p, N );
+ }
 } else if ( code == 0x86dd ) {
 // 14+8=src 14+24=dst
- add_show_table( ipv6_address( (short*)(packet+38) ), N );
- } else if ( code == 0x0800 ) {
- // ignore
+ char *p = ipv6_address( (short*)(packet+38) );
+ if ( ( strncmp( p, "ff02:0:0:0:0:", 13 ) != 0 ) &&
+ ( strncmp( p, "0:0:0:0:0:0:0:1", 15 ) != 0 ) ) {
+ add_show_table( p, N );
+ }
 } else if ( code == 0x8100 ) {
- // ignore
+ // ignore VLAN
 } else {
 // funny code
 }
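Review bot: The IPv6 loopback test `strncmp( p, "0:0:0:0:0:0:0:1", 15 ) != 0` is a prefix match, so it also leaves out any address whose text merely begins with that string, such as `0:0:0:0:0:0:0:1a`; a whole-string comparison, `strcmp( p, "0:0:0:0:0:0:0:1" ) != 0`, excludes only the loopback address. That assumes `ipv6_address` prints all eight groups unabbreviated, which is not visible in this hunk. Nothing shown here checks that the received length `N` covers offsets 30..33 or 38..53 before the address is formatted, so for a short frame the bytes would be left over from an earlier packet in the static `packet` buffer; this should be confirmed against the receive call outside the hunk. Frames with type `0x8100` are dropped from the counts entirely, so VLAN-tagged traffic never appears in the report and that limit belongs in the comment, e.g. `// VLAN-tagged frames are not counted`.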