argus-3.0.8.2/000755 000765 000024 00000000000 12723625057 013437 5ustar00carterstaff000000 000000 argus-3.0.8.2/.threads000444 000765 000024 00000000000 12513222401 015035 0ustar00carterstaff000000 000000 argus-3.0.8.2/aclocal.m4000444 000765 000024 00000001141 12513222401 015251 0ustar00carterstaff000000 000000 # generated automatically by aclocal 1.10 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. m4_include([acsite.m4]) argus-3.0.8.2/acsite.m4000444 000765 000024 00000147363 12513222401 015144 0ustar00carterstaff000000 000000 dnl dnl Copyright (C) 2000-2015 QoSient, LLC. dnl dnl Copyright (c) 1995, 1996, 1997, 1998 dnl The Regents of the University of California. All rights reserved. dnl dnl Redistribution and use in source and binary forms, with or without dnl modification, are permitted provided that: (1) source code distributions dnl retain the above copyright notice and this paragraph in its entirety, (2) dnl distributions including binary code include the above copyright notice and dnl this paragraph in its entirety in the documentation or other materials dnl provided with the distribution, and (3) all advertising materials mentioning dnl features or use of this software display the following acknowledgement: dnl ``This product includes software developed by the University of California, dnl Lawrence Berkeley Laboratory and its contributors.'' Neither the name of dnl the University nor the names of its contributors may be used to endorse dnl or promote products derived from this software without specific prior dnl written permission. dnl THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED dnl WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF dnl MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. dnl dnl $Id: //depot/argus/argus/acsite.m4#24 $ dnl $DateTime: 2015/04/13 00:43:29 $ dnl $Change: 2982 $ dnl dnl QOSIENT and LBL autoconf macros dnl dnl dnl Check for flex require flex 2.4 or higher dnl Check for bison define the yy prefix string dnl dnl usage: dnl dnl AC_QOSIENT_LEX_AND_YACC(lex, yacc, yyprefix) dnl dnl results: dnl dnl $1 (lex set) dnl $2 (yacc appended) dnl $3 (optional flex and bison -P prefix) dnl AC_DEFUN([AC_QOSIENT_LEX_AND_YACC], [AC_CHECK_PROGS($1, flex, lex) if test "$$1" = flex ; then AC_MSG_CHECKING(for flex 2.4 or higher) AC_CACHE_VAL(ac_cv_lbl_flex_v24, if flex -V >/dev/null 2>&1; then ac_cv_lbl_flex_v24=yes else ac_cv_lbl_flex_v24=no fi) AC_MSG_RESULT($ac_cv_lbl_flex_v24) if test $ac_cv_lbl_flex_v24 = no ; then s="2.4 or higher required" AC_MSG_WARN(ignoring obsolete flex executable ($s)) $1=lex fi else AC_MSG_ERROR(flex not found. see the INSTALL for more info) fi AC_CHECK_PROGS([$2], bison, yacc) if test "$$2" = bison ; then $2="$$2 -y" else AC_MSG_ERROR(bison not found. see the INSTALL for more info) fi if test "$$1" = flex -a -n "$3" ; then $1="$$1 -P$3" $2="$$2 -p $3" fi]) dnl dnl Determine which compiler we're using (cc or gcc) dnl If using gcc, determine the version number dnl If using cc, require that it support ansi prototypes dnl If using gcc, use -O3 (otherwise use -O) dnl If using cc, explicitly specify /usr/local/include dnl dnl usage: dnl dnl AC_LBL_C_INIT(copt, incls) dnl dnl results: dnl dnl $1 (copt set) dnl $2 (incls set) dnl CC dnl LDFLAGS dnl ac_cv_lbl_gcc_vers dnl LBL_CFLAGS dnl m4_define([AC_LBL_C_INIT], [AC_PREREQ(2.12) AC_BEFORE([$0], [AC_PROG_CC]) AC_BEFORE([$0], [AC_LBL_FIXINCLUDES]) AC_BEFORE([$0], [AC_LBL_DEVEL]) AC_BEFORE([$0], [AC_QOSIENT_DEBUG]) AC_ARG_WITH(gcc, [ --without-gcc don't use gcc]) AC_ARG_WITH(examples, [ --without-examples don't compile examples]) AC_ARG_WITH(pluribus, [AC_HELP_STRING([--with-pluribus],[Compile for pluribus])], with_pluribus=yes, with_pluribus=no) $1="-O" $2="" if test "${srcdir}" != "." ; then $2="-I\$(srcdir)" fi if test "${CFLAGS+set}" = set; then LBL_CFLAGS="$CFLAGS" fi if test -z "$CC" ; then case "$target_os" in *darwin*) AC_CHECK_PROG(CLANG, clang, yes, no) if test $CLANG = yes ; then CC=cc export CC fi ;; bsdi*) AC_CHECK_PROG(SHLICC2, shlicc2, yes, no) if test $SHLICC2 = yes ; then CC=shlicc2 export CC fi ;; esac fi if test -z "$CC" -a "$with_gcc" = no ; then CC=cc export CC fi AC_PROG_CC if test "$GCC" = yes ; then if test "$SHLICC2" = yes ; then ac_cv_lbl_gcc_vers=2 $1="-O3" else ac_cv_lbl_gcc_vers=0 AC_MSG_CHECKING(gcc version) AC_CACHE_VAL(ac_cv_lbl_gcc_vers, ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \ sed -e '/^ version /!d' \ -e 's/^gcc version //' \ -e 's/ .*//' -e 's/^[[[^0-9]]]*//' \ -e 's/\..*//'`) AC_MSG_RESULT($ac_cv_lbl_gcc_vers) if test $ac_cv_lbl_gcc_vers -gt 0 ; then $1="-O3" fi fi else AC_MSG_CHECKING(that $CC handles ansi prototypes) AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes, AC_TRY_COMPILE( [#include ], [int frob(int, char *)], ac_cv_lbl_cc_ansi_prototypes=yes, ac_cv_lbl_cc_ansi_prototypes=no)) AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes) if test $ac_cv_lbl_cc_ansi_prototypes = no ; then case "$target_os" in hpux*) AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)) savedcflags="$CFLAGS" CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS" AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa, AC_TRY_COMPILE( [#include ], [int frob(int, char *)], ac_cv_lbl_cc_hpux_cc_aa=yes, ac_cv_lbl_cc_hpux_cc_aa=no)) AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa) if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then AC_MSG_ERROR(see the INSTALL doc for more info) fi CFLAGS="$savedcflags" V_CCOPT="-Aa $V_CCOPT" AC_DEFINE(_HPUX_SOURCE,1,[needed on HP-UX]) ;; *) AC_MSG_ERROR(see the INSTALL doc for more info) ;; esac fi $2="$$2 -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" case "$target_os" in irix*) V_CCOPT="$V_CCOPT -xansi -signed -g3" ;; osf*) V_CCOPT="$V_CCOPT -std1 -g3" ;; ultrix*) AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes) AC_CACHE_VAL(ac_cv_lbl_cc_const_proto, AC_TRY_COMPILE( [#include ], [struct a { int b; }; void c(const struct a *)], ac_cv_lbl_cc_const_proto=yes, ac_cv_lbl_cc_const_proto=no)) AC_MSG_RESULT($ac_cv_lbl_cc_const_proto) if test $ac_cv_lbl_cc_const_proto = no ; then AC_DEFINE([const], [], [Description]) fi ;; esac fi ]) dnl dnl Check whether a given format can be used to print 64-bit integers dnl AC_DEFUN([AC_LBL_CHECK_64BIT_FORMAT], [ AC_MSG_CHECKING([whether %$1x can be used to format 64-bit integers]) AC_RUN_IFELSE( [ AC_LANG_SOURCE( [[ # ifdef HAVE_INTTYPES_H #include # endif # ifdef HAVE_SYS_BITYPES_H #include # endif #include #include main() { u_int64_t t = 1; char strbuf[16+1]; sprintf(strbuf, "%016$1x", t << 32); if (strcmp(strbuf, "0000000100000000") == 0) exit(0); else exit(1); } ]]) ], [ AC_DEFINE(PRId64, "$1d") AC_DEFINE(PRIo64, "$1o") AC_DEFINE(PRIx64, "$1x") AC_DEFINE(PRIu64, "$1u") AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) $2 ]) ]) dnl dnl Checks to see if unaligned memory accesses fail dnl dnl usage: dnl dnl AC_LBL_UNALIGNED_ACCESS dnl dnl results: dnl dnl LBL_ALIGN (DEFINED) dnl AC_DEFUN([AC_LBL_UNALIGNED_ACCESS], [AC_MSG_CHECKING(if unaligned accesses fail) AC_CACHE_VAL(ac_cv_lbl_unaligned_fail, [case "$target_cpu" in # XXX: should also check that they don't do weird things (like on arm) alpha*|arm*|hp*|mips|sparc) ac_cv_lbl_unaligned_fail=yes ;; *) cat >conftest.c < # include # include unsigned char a[[5]] = { 1, 2, 3, 4, 5 }; main() { unsigned int i; pid_t pid; int status; /* avoid "core dumped" message */ pid = fork(); if (pid < 0) exit(2); if (pid > 0) { /* parent */ pid = waitpid(pid, &status, 0); if (pid < 0) exit(3); exit(!WIFEXITED(status)); } /* child */ i = *(unsigned int *)&a[[1]]; printf("%d\n", i); exit(0); } EOF ${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \ conftest.c $LIBS >/dev/null 2>&1 if test ! -x conftest ; then dnl failed to compile for some reason ac_cv_lbl_unaligned_fail=yes else ./conftest >conftest.out if test ! -s conftest.out ; then ac_cv_lbl_unaligned_fail=yes else ac_cv_lbl_unaligned_fail=no fi fi rm -rf conftest* core core.conftest ;; esac]) AC_MSG_RESULT($ac_cv_lbl_unaligned_fail) if test $ac_cv_lbl_unaligned_fail = yes ; then AC_DEFINE([LBL_ALIGN], [], [Description]) fi]) dnl dnl If using gcc and the file .devel exists: dnl Compile with -g (if supported) and -Wall dnl If using gcc 2, do extra prototype checking dnl If an os prototype include exists, symlink os-proto.h to it dnl dnl usage: dnl dnl AC_LBL_DEVEL(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_LBL_DEVEL], [rm -f os-proto.h if test "${LBL_CFLAGS+set}" = set; then $1="$$1 ${LBL_CFLAGS}" fi if test -f .devel ; then $1=`echo $$1 | sed -e 's/-O3//'` $1=`echo $$1 | sed -e 's/-O//'` if test "$GCC" = yes ; then if test "${LBL_CFLAGS+set}" != set; then if test "$ac_cv_prog_cc_g" = yes ; then $1="-g $$1" fi $1="$$1 -Wall" if test $ac_cv_lbl_gcc_vers -gt 1 ; then $1="$$1 -Wmissing-prototypes" fi fi else case "$target_os" in solaris*) $1="$$1 -g" ;; irix6*) V_CCOPT="$V_CCOPT -n32" ;; *) ;; esac fi fi]) dnl dnl If the file .debug exists: dnl Add ARGUS_DEBUG to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_DEBUG(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_DEBUG], [ if test -f .debug ; then AC_DEFINE([ARGUSDEBUG], [], [Using Argus debug]) fi]) dnl dnl If the file .threads exists: dnl Add ARGUS_THREADS to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_THREADS(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_THREADS], [AC_ARG_WITH(threads, [AC_HELP_STRING([--without-threads],[don't use native threads package])], with_threads="$withval", with_threads="yes") if test "$with_threads" != no; then case "$host_os" in *openbsd*) ;; *) AC_MSG_CHECKING(for .threads) if test -f .threads ; then AC_MSG_RESULT(yes) $1="" if test "$GCC" = yes ; then case "$host_os" in *darwin*) ;; cygwin*) ;; *) $1="-lpthread $$1" ;; esac else case "$host_os" in solaris*) $1="-mt -lpthread $$1" ;; cygwin*) ;; *darwin*) ;; *) $1="-lpthread $$1" ;; esac fi AC_DEFINE([ARGUS_THREADS], [], [Using Argus threads]) AC_CHECK_FUNCS(sched_get_priority_min) else AC_MSG_RESULT(no) fi ;; esac fi ]) dnl dnl dnl usage: dnl dnl AC_QOSIENT_READLINE(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl dnl dnl usage: dnl dnl AC_QOSIENT_PCRE(pcrelib, incls) dnl dnl results: dnl dnl $1 (pcrelib set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_PCRE], [ AC_ARG_WITH(libpcre, [AC_HELP_STRING([--with-libpcre=DIR],[Compile with libpcre in ])], with_libpcre="$withval", with_libpcre="no") if test ${with_libpcre} != "no"; then AC_MSG_CHECKING(for pcre library) AC_ARG_WITH(pcre-config, [AC_HELP_STRING([--with-pcre-config=PATH], [Location of PCRE pcre-config (auto)])], with_pcre_config="$withval", with_pcre_config="yes") if test ${with_pcre_config} != "no"; then if test -f $with_pcre_config ; then PCRE_CONFIG=$with_pcre_config else AC_CHECK_PROGS(PCRE_CONFIG, pcre-config) fi fi if test "x$PCRE_CONFIG" != "x"; then PCRE_CFLAGS=`$PCRE_CONFIG --cflags` PCRE_LIBS=`$PCRE_CONFIG --libs-posix` fi if test "x$PCRE_LIBS" != "x" ; then AC_DEFINE([ARGUS_PCRE], [], [Using System Pcre Library]) $1=$PCRE_LIBS; $2="$PCRE_CFLAGS $$2" else AC_CHECK_HEADERS(regex.h,, AC_ERROR(neither pcre nor regex found)) fi else AC_CHECK_HEADERS(regex.h,, AC_ERROR(regex not found)) fi ]) AC_DEFUN([AC_QOSIENT_READLINE], [ LBL_LIBS="$LIBS" LIBS="$LIBS $CURSESLIB" READLINELIB="" READLINEHOOK="" READLINEREPLACELINE="" AC_CHECK_HEADER(readline/readline.h, AC_CHECK_LIB(readline, readline, READLINELIB="-lreadline",,),) if test ! -z "$READLINELIB"; then AC_DEFINE([ARGUS_READLINE], [], [Using System Readline]) $1="$READLINELIB" AC_CHECK_LIB(readline, rl_event_hook, READLINEHOOK="yes",,) if test ! -z "$READLINEHOOK"; then AC_DEFINE([ARGUS_READLINE_EVENT_HOOK], [], [Using System Readline Event Hook]) AC_CHECK_LIB(readline, rl_replace_line, READLINEREPLACELINE="yes",,) if test ! -z "$READLINEREPLACELINE"; then AC_DEFINE([ARGUS_READLINE_REPLACE_LINE], [], [Using System Readline Replace Line]) fi fi fi LIBS="$LBL_LIBS" ]) dnl dnl If the file .memory exists: dnl Add ARGUSMEMDEBUG to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_MEMORY(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_MEMORY], [ if test -f .memory ; then AC_DEFINE([ARGUSMEMDEBUG], [], [Using Argus memory]) fi]) dnl dnl Use pfopen.c if available and pfopen() not in standard libraries dnl Require libpcap dnl Look for libpcap in .. dnl Use the installed libpcap if there is no local version dnl dnl usage: dnl dnl AC_QOSIENT_LIBPCAP(pcapdep, incls) dnl AC_LBL_LIBPCAP(pcapdep, incls) with mods dnl dnl results: dnl dnl $1 (pcapdep set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_LIBPCAP], [ AC_ARG_WITH(libpcap, [AC_HELP_STRING([--with-libpcap=DIR],[Compile with libpcap in ])], with_libpcap="$withval", with_libpcap="yes") AC_REQUIRE([AC_LBL_LIBRARY_NET]) dnl dnl save a copy before locating libpcap.a dnl LBL_LIBS="$LIBS" libpcap=FAIL lastdir=FAIL if test ${with_libpcap} != "yes"; then AC_MSG_CHECKING(for specified library) for dir in ${with_libpcap}; do if test -r $dir/libpcap.a ; then if test -x $dir/pcap-config ; then libpcap="$dir/libpcap.a `$dir/pcap-config --additional-libs --static`" else libpcap=$dir/libpcap.a fi AC_MSG_RESULT($libpcap) $1=$libpcap AC_MSG_CHECKING(for specified pcap.h) if test -r $dir/pcap.h; then d=$dir AC_MSG_RESULT(found) $2="-I$d $$2" else AC_MSG_WARN(not found) fi dnl continue and select the last one that exists fi done else pfopen=/usr/examples/packetfilter/pfopen.c if test -f $pfopen ; then AC_CHECK_FUNCS(pfopen) if test $ac_cv_func_pfopen = "no" ; then AC_MSG_RESULT(Using $pfopen) LIBS="$LIBS $pfopen" fi fi AC_MSG_CHECKING(for local pcap library) places=`ls $srcdir/.. | sed -e 's,/$,,' -e "s,^,$srcdir/../," | \ egrep '/libpcap-[[0-9]]*.[[0-9]]*(.[[0-9]]*)?([[ab]][[0-9]]*)?$'` for dir in $places $srcdir/../libpcap $srcdir/libpcap ; do basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'` if test $lastdir = $basedir ; then dnl skip alphas when an actual release is present continue; fi lastdir=$dir if test -r $dir/libpcap.a ; then if test -r $dir/pcap.h ; then libpcap=$dir/libpcap.a d=$dir fi dnl continue and select the last one that exists fi done if ! test "$libpcap" = FAIL; then AC_MSG_RESULT($libpcap) $1=$libpcap $2="-I$d $$2" AC_PATH_PROG(PCAP_CONFIG, pcap-config,, $d) if test -n "$PCAP_CONFIG"; then # # The libpcap directory has a pcap-config script. # Use it to get any additioal libraries needed # to link with the libpcap archive library in # that directory # libpcap="$libpcap `$PCAP_CONFIG --additional-libs --static`" fi fi fi if test "$libpcap" = FAIL ; then AC_MSG_RESULT(not found) # # Look for pcap-config. # AC_PATH_PROG(PCAP_CONFIG, pcap-config) if test -n "$PCAP_CONFIG" ; then # # Found - use it to get the include flags for # libpcap and the flags to link with libpcap. # libpcap="`$PCAP_CONFIG --libs`" $2="`$PCAP_CONFIG --cflags` $$2" $1="$libpcap" else AC_CHECK_LIB(pcap, main, libpcap="-lpcap") if test $libpcap = FAIL ; then AC_MSG_RESULT(not found) AC_CHECK_LIB(pcap, main, libpcap="-lwpcap") if test $libpcap = FAIL ; then AC_MSG_CHECKING(for local wpcap library) dir="../WpdPack" if test -r $dir/Lib/libwpcap.a; then $1="$dir/Lib/libwpcap.a" else AC_MSG_RESULT(no) AC_MSG_ERROR(see the INSTALL doc for more info) fi else $1="$libpcap" fi else $1="$libpcap" fi dnl dnl Good old Red Hat Linux puts "pcap.h" in dnl "/usr/include/pcap"; had the LBL folks done so, dnl that would have been a good idea, but for dnl the Red Hat folks to do so just breaks source dnl compatibility with other systems. dnl dnl We work around this by assuming that, as we didn't dnl find a local libpcap, libpcap is in /usr/lib or dnl /usr/local/lib and that the corresponding header dnl file is under one of those directories; if we don't dnl find it in either of those directories, we check to dnl see if it's in a "pcap" subdirectory of them and, dnl if so, add that subdirectory to the "-I" list. dnl AC_MSG_CHECKING(for extraneous pcap header directories) if test \( ! -r /usr/local/include/pcap.h \) -a \ \( ! -r /usr/include/pcap.h \); then if test -r /usr/local/include/pcap/pcap.h; then d="/usr/local/include/pcap" elif test -r /usr/include/pcap/pcap.h; then d="/usr/include/pcap" elif test -r $dir/Include/pcap.h; then d=$dir/Include fi fi if test -z "$d" ; then AC_MSG_RESULT(not found) else $2="-I$d $$2" AC_MSG_RESULT(found -- -I$d added) fi fi fi $2=`echo $$2 | sed -e 's/\.\./..\/../'` LIBS="$LIBS $libpcap" case "$host_os" in aix*) pseexe="/lib/pse.exp" AC_MSG_CHECKING(for $pseexe) if test -f $pseexe ; then AC_MSG_RESULT(yes) LIBS="$LIBS -I:$pseexe" fi # # We need "-lodm" and "-lcfg", as libpcap requires them on # AIX, and we just build a static libpcap.a and thus can't # arrange that when you link with libpcap you automatically # link with those libraries. # LIBS="$LIBS -lodm -lcfg" ;; esac dnl dnl Check for "pcap_list_datalinks()", "pcap_set_datalink()", dnl and "pcap_datalink_name_to_val()", and use substitute versions dnl if they're not present. dnl AC_CHECK_FUNC(pcap_list_datalinks, AC_DEFINE([HAVE_PCAP_LIST_DATALINKS], [], [pcap list datalinks]), [ AC_LIBOBJ(datalinks) ]) AC_CHECK_FUNC(pcap_set_datalink, AC_DEFINE([HAVE_PCAP_SET_DATALINK], [], [pcap set datalink])) AC_CHECK_FUNC(pcap_datalink_name_to_val, [ AC_DEFINE([HAVE_PCAP_DATALINK_NAME_TO_VAL], [], [pcap datalink name]) AC_CHECK_FUNC(pcap_datalink_val_to_description, AC_DEFINE([HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION], [], [pcap datalink val to desc]), [ AC_LIBOBJ(dlnames) ]) ], [ AC_LIBOBJ(dlnames) ]) dnl dnl Check for vital pcap routines; you can't substitute for them if dnl they are absent (it has hooks into the live capture routines), dnl so just define the HAVE_ value if it's there. dnl AC_CHECK_FUNCS(pcap_set_buffer_size) AC_CHECK_FUNCS(pcap_fopen_offline) AC_CHECK_FUNCS(pcap_get_selectable_fd) AC_CHECK_FUNCS(pcap_next_ex) AC_CHECK_FUNCS(pcap_dump_ftell) AC_CHECK_FUNCS(pcap_dump_flush) LIBS="$LBL_LIBS" ]) dnl dnl Find libwrappers dnl Look for libwrappers in .. dnl Use the installed libwrappers if there is no local version dnl dnl usage: dnl dnl AC_QOSIENT_TCPWRAP(wrapdep, incls) dnl dnl results: dnl dnl $1 (wrapdep set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_TCPWRAP], [ AC_ARG_WITH(tcpwrappers, [AC_HELP_STRING([--with-wrappers=DIR],[Compile with tcpwrappers in ])], with_wrappers="$withval", with_wrappers="yes") if test ${with_wrappers} != "no"; then saved_CPPFLAGS=$CPPFLAGS saved_LDFLAGS=$LDFLAGS saved_LIBS=$LIBS if test ${with_wrappers} != "yes"; then CPPFLAGS="${saved_CPPFLAGS} -I${with_wrappers}/include" LDFLAGS="${save_LDFLAGS} -L${with_wrappers}/lib" else AC_MSG_CHECKING(for local tcp_wrappers library) libwrap=FAIL lastdir=FAIL pwdir=`pwd` places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | egrep 'tcp_wrappers'` for dir in $places; do if test $lastdir = $dir ; then dnl skip alphas when an actual release is present continue; fi lastdir=$dir if test -r $dir/libwrap.a ; then libwrap=$dir/libwrap.a d=$dir dnl continue and select the last one that exists fi done if test $libwrap = FAIL ; then AC_MSG_RESULT(not found) AC_MSG_CHECKING(for system tcp_wrappers library) case "$target_os" in solaris*) dnl Workaround to look for wrappers on mac os x and solaris in /opt/local CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; darwin*) dnl Workaround to look for wrappers on mac os x and solaris in /opt/local CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; esac AC_CHECK_HEADERS(tcpd.h, AC_CHECK_DECLS([fromhost ], [] , [] , [ #include ]), ac_cv_found_wrappers=no) if test "$ac_cv_found_wrappers" != no; then $1="-lwrap" $2=$CPPFLAGS AC_DEFINE([ARGUS_WRAPPERS], [], [Using System TcpWrappers Library]) else LIBS=$saved_LIBS LDFLAGS=$saved_LDFLAGS CPPFLAGS=$saved_CPPFLAGS fi fi fi fi ]) dnl dnl Improved version of AC_CHECK_LIB dnl dnl Thanks to John Hawkinson (jhawk@mit.edu) dnl dnl usage: dnl dnl AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [, dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]]) dnl dnl results: dnl dnl LIBS dnl AC_DEFUN([AC_LBL_CHECK_LIB], [AC_MSG_CHECKING([for $2 in -l$1]) dnl Use a cache variable name containing both the library and function name, dnl because the test really is for library $1 defining function $2, not dnl just for library $1. Separate tests with the same $1 and different $2's dnl may have different results. ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'` AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var, [ac_save_LIBS="$LIBS" LIBS="-l$1 $5 $LIBS" AC_TRY_LINK(dnl ifelse([$2], [main], , dnl Avoid conflicting decl of main. [/* Override any gcc2 internal prototype to avoid an error. */ ]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus extern "C" #endif ])dnl [/* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char $2(); ]), [$2()], eval "ac_cv_lbl_lib_$ac_lib_var=yes", eval "ac_cv_lbl_lib_$ac_lib_var=no") LIBS="$ac_save_LIBS" ])dnl if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then AC_MSG_RESULT(yes) ifelse([$3], , [changequote(, )dnl ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` changequote([, ])dnl AC_DEFINE_UNQUOTED($ac_tr_lib) LIBS="-l$1 $LIBS" ], [$3]) else AC_MSG_RESULT(no) ifelse([$4], , , [$4 ])dnl fi ]) dnl dnl AC_LBL_LIBRARY_NET dnl dnl This test is for network applications that need socket() and dnl gethostbyname() -ish functions. Under Solaris, those applications dnl need to link with "-lsocket -lnsl". Under IRIX, they need to link dnl with "-lnsl" but should *not* link with "-lsocket" because dnl libsocket.a breaks a number of things (for instance: dnl gethostbyname() under IRIX 5.2, and snoop sockets under most dnl versions of IRIX). dnl dnl Unfortunately, many application developers are not aware of this, dnl and mistakenly write tests that cause -lsocket to be used under dnl IRIX. It is also easy to write tests that cause -lnsl to be used dnl under operating systems where neither are necessary (or useful), dnl such as SunOS 4.1.4, which uses -lnsl for TLI. dnl dnl This test exists so that every application developer does not test dnl this in a different, and subtly broken fashion. dnl It has been argued that this test should be broken up into two dnl seperate tests, one for the resolver libraries, and one for the dnl libraries necessary for using Sockets API. Unfortunately, the two dnl are carefully intertwined and allowing the autoconf user to use dnl them independantly potentially results in unfortunate ordering dnl dependancies -- as such, such component macros would have to dnl carefully use indirection and be aware if the other components were dnl executed. Since other autoconf macros do not go to this trouble, dnl and almost no applications use sockets without the resolver, this dnl complexity has not been implemented. dnl dnl The check for libresolv is in case you are attempting to link dnl statically and happen to have a libresolv.a lying around (and no dnl libnsl.a). dnl AC_DEFUN([AC_LBL_LIBRARY_NET], [ # Most operating systems have gethostbyname() in the default searched # libraries (i.e. libc): # Some OSes (eg. Solaris) place it in libnsl # Some strange OSes (SINIX) have it in libsocket: AC_SEARCH_LIBS(gethostbyname, nsl socket resolv) # Unfortunately libsocket sometimes depends on libnsl and # AC_SEARCH_LIBS isn't up to the task of handling dependencies like this. if test "$ac_cv_search_gethostbyname" = "no" then AC_CHECK_LIB(socket, gethostbyname, LIBS="-lsocket -lnsl $LIBS", , -lnsl) fi AC_SEARCH_LIBS(socket, socket, , AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", , -lnsl)) # DLPI needs putmsg under HPUX so test for -lstr while we're at it AC_SEARCH_LIBS(putmsg, str) ]) dnl dnl If using gcc, make sure we have ANSI ioctl definitions dnl dnl usage: dnl dnl AC_LBL_FIXINCLUDES dnl AC_DEFUN([AC_LBL_FIXINCLUDES], [if test "$GCC" = yes ; then AC_MSG_CHECKING(for ANSI ioctl definitions) AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes, AC_TRY_COMPILE( [/* * This generates a "duplicate case value" when fixincludes * has not be run. */ # include # include # include # ifdef HAVE_SYS_IOCCOM_H # include # endif], [switch (0) { case _IO('A', 1):; case _IO('B', 1):; }], ac_cv_lbl_gcc_fixincludes=yes, ac_cv_lbl_gcc_fixincludes=no)) AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes) if test $ac_cv_lbl_gcc_fixincludes = no ; then # Don't cache failure unset ac_cv_lbl_gcc_fixincludes AC_MSG_ERROR(see the INSTALL for more info) fi fi]) AC_DEFUN([CMU_TEST_LIBPATH], [ changequote(<<, >>) define(<>, translit(ac_cv_found_$2_lib, <<- *>>, <<__p>>)) changequote([, ]) if test "$CMU_AC_CV_FOUND" = "yes"; then if test \! -r "$1/lib$2.a" -a \! -r "$1/lib$2.so" -a \! -r "$1/lib$2.sl" -a \! -r "$1/lib$2.dylib"; then CMU_AC_CV_FOUND=no fi fi ]) AC_DEFUN([CMU_TEST_INCPATH], [ changequote(<<, >>) define(<>, translit(ac_cv_found_$2_inc, [ *], [_p])) changequote([, ]) if test "$CMU_AC_CV_FOUND" = "yes"; then if test \! -r "$1/$2.h"; then CMU_AC_CV_FOUND=no fi fi ]) dnl CMU_CHECK_HEADER_NOCACHE(HEADER-FILE, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND]]) AC_DEFUN([CMU_CHECK_HEADER_NOCACHE], [dnl Do the transliteration at runtime so arg 1 can be a shell variable. ac_safe=`echo "$1" | sed 'y%./+-%__p_%'` AC_MSG_CHECKING([for $1]) AC_TRY_CPP([#include <$1>], eval "ac_cv_header_$ac_safe=yes", eval "ac_cv_header_$ac_safe=no") if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) else AC_MSG_RESULT(no) ifelse([$3], , , [$3 ])dnl fi ]) AC_DEFUN([CMU_FIND_LIB_SUBDIR], [dnl AC_ARG_WITH([lib-subdir], AC_HELP_STRING([--with-lib-subdir=DIR],[Find libraries in DIR instead of lib])) AC_CHECK_SIZEOF(long) AC_CACHE_CHECK([what directory libraries are found in], [ac_cv_cmu_lib_subdir], [test "X$with_lib_subdir" = "Xyes" && with_lib_subdir= test "X$with_lib_subdir" = "Xno" && with_lib_subdir= if test "X$with_lib_subdir" = "X" ; then ac_cv_cmu_lib_subdir=lib if test $ac_cv_sizeof_long -eq 4 ; then test -d /usr/lib32 && ac_cv_cmu_lib_subdir=lib32 fi if test $ac_cv_sizeof_long -eq 8 ; then test -d /usr/lib64 && ac_cv_cmu_lib_subdir=lib64 fi else ac_cv_cmu_lib_subdir=$with_lib_subdir fi]) AC_SUBST(CMU_LIB_SUBDIR, $ac_cv_cmu_lib_subdir) ]) dnl sasl.m4--sasl libraries and includes dnl Derrick Brashear dnl from KTH sasl and Arla AC_DEFUN([CMU_SASL_INC_WHERE1], [ saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$saved_CPPFLAGS -I$1" CMU_CHECK_HEADER_NOCACHE(sasl.h, ac_cv_found_sasl_inc=yes, ac_cv_found_sasl_inc=no) CPPFLAGS=$saved_CPPFLAGS ]) AC_DEFUN([CMU_SASL_INC_WHERE], [ for i in $1; do CMU_SASL_INC_WHERE1($i) CMU_TEST_INCPATH($i, sasl) if test "$ac_cv_found_sasl_inc" = "yes"; then ac_cv_sasl_where_inc=$i break fi done ]) AC_DEFUN([CMU_SASL_LIB_WHERE1], [ saved_LIBS=$LIBS LIBS="$saved_LIBS -L$1 -lsasl" AC_TRY_LINK(, [sasl_getprop();], [ac_cv_found_sasl_lib=yes], ac_cv_found_sasl_lib=no) LIBS=$saved_LIBS ]) AC_DEFUN([CMU_SASL_LIB_WHERE], [ for i in $1; do CMU_SASL_LIB_WHERE1($i) dnl deal with false positives from implicit link paths CMU_TEST_LIBPATH($i, sasl) if test "$ac_cv_found_sasl_lib" = "yes" ; then ac_cv_sasl_where_lib=$i break fi done ]) AC_DEFUN([CMU_SASL], [ AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) AC_ARG_WITH(sasl, [ --with-sasl=DIR|yes use with libsasl in no], with_sasl="$withval", with_sasl="no") if test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/$CMU_LIB_SUBDIR ac_cv_sasl_where_inc=${with_sasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" fi AC_CHECK_HEADER(sasl.h, AC_CHECK_LIB(sasl, sasl_getprop, ac_cv_found_sasl=yes, ac_cv_found_sasl=no), ac_cv_found_sasl=no) LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" if test "$ac_cv_found_sasl" = yes; then LIB_SASL="$LIB_SASL -lsasl" else AC_ERROR( sasl not found ) LIB_SASL="" SASLFLAGS="" fi AC_SUBST(LIB_SASL) AC_SUBST(SASLFLAGS) fi ]) AC_DEFUN([CMU_SASL_REQUIRED], [AC_REQUIRE([CMU_SASL]) if test "$ac_cv_found_sasl" != "yes"; then AC_ERROR([Cannot continue without libsasl. Get it from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.]) fi]) # sasl2.m4--sasl2 libraries and includes # Rob Siemborski # SASL2_CRYPT_CHK # --------------- AC_DEFUN([SASL_GSSAPI_CHK], [AC_REQUIRE([SASL2_CRYPT_CHK]) AC_REQUIRE([CMU_SOCKETS]) AC_ARG_ENABLE([gssapi], [AC_HELP_STRING([--enable-gssapi=], [enable GSSAPI authentication [yes]])], [gssapi=$enableval], [gssapi=yes]) AC_ARG_WITH([gss_impl], [AC_HELP_STRING([--with-gss_impl={heimdal|mit|cybersafe|seam|auto}], [choose specific GSSAPI implementation [[auto]]])], [gss_impl=$withval], [gss_impl=auto]) if test "$gssapi" != no; then platform= case "${host}" in *-*-linux*) platform=__linux ;; *-*-hpux*) platform=__hpux ;; *-*-irix*) platform=__irix ;; *-*-solaris2*) # When should we use __sunos? platform=__solaris ;; *-*-aix*) ###_AIX platform=__aix ;; *) if test "$gss_impl" = "cybersafe"; then AC_ERROR([CyberSafe was forced, cannot continue as platform is not supported]) fi ;; esac cmu_saved_CPPFLAGS=$CPPFLAGS if test -d ${gssapi}; then CPPFLAGS="$CPPFLAGS -I$gssapi/include" # We want to keep -I in our CPPFLAGS, but only if we succeed cmu_saved_CPPFLAGS=$CPPFLAGS ### I am not sure how useful is this (and whether this is required at all ### especially when we have to provide two -L flags for new CyberSafe LDFLAGS="$LDFLAGS -L$gssapi/lib" if test -n "$platform"; then if test "$gss_impl" = "auto" -o "$gss_impl" = "cybersafe"; then CPPFLAGS="$CPPFLAGS -D$platform" if test -d "${gssapi}/appsec-sdk/include"; then CPPFLAGS="$CPPFLAGS -I${gssapi}/appsec-sdk/include" fi fi fi fi AC_CHECK_HEADER([gssapi.h], [AC_DEFINE(HAVE_GSSAPI_H,, [Define if you have the gssapi.h header file])], [AC_CHECK_HEADER([gssapi/gssapi.h],, [AC_WARN([Disabling GSSAPI - no include files found]); gssapi=no])]) CPPFLAGS=$cmu_saved_CPPFLAGS fi if test "$gssapi" != no; then # We need to find out which gssapi implementation we are # using. Supported alternatives are: MIT Kerberos 5, # Heimdal Kerberos 5 (http://www.pdc.kth.se/heimdal), # CyberSafe Kerberos 5 (http://www.cybersafe.com/) # and Sun SEAM (http://wwws.sun.com/software/security/kerberos/) # # The choice is reflected in GSSAPIBASE_LIBS AC_CHECK_LIB(resolv,res_search) if test -d ${gssapi}; then gssapi_dir="${gssapi}/lib" GSSAPIBASE_LIBS="-L$gssapi_dir" GSSAPIBASE_STATIC_LIBS="-L$gssapi_dir" else # FIXME: This is only used for building cyrus, and then only as # a real hack. it needs to be fixed. gssapi_dir="/usr/local/lib" fi # Check a full link against the Heimdal libraries. # If this fails, check a full link against the MIT libraries. # If this fails, check a full link against the CyberSafe libraries. # If this fails, check a full link against the Solaris 8 and up libgss. if test "$gss_impl" = "auto" -o "$gss_impl" = "heimdal"; then gss_failed=0 AC_CHECK_LIB(gssapi,gss_unwrap,gss_impl="heimdal",gss_failed=1, ${GSSAPIBASE_LIBS} -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err ${LIB_SOCKET}) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi if test "$gss_impl" = "auto" -o "$gss_impl" = "mit"; then # check for libkrb5support first AC_CHECK_LIB(krb5support,krb5int_getspecific,K5SUP=-lkrb5support K5SUPSTATIC=$gssapi_dir/libkrb5support.a,,${LIB_SOCKET}) gss_failed=0 AC_CHECK_LIB(gssapi_krb5,gss_unwrap,gss_impl="mit",gss_failed=1, ${GSSAPIBASE_LIBS} -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ${K5SUP} ${LIB_SOCKET}) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi # For Cybersafe one has to set a platform define in order to make compilation work if test "$gss_impl" = "auto" -o "$gss_impl" = "cybersafe"; then cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_GSSAPIBASE_LIBS=$GSSAPIBASE_LIBS # FIXME - Note that the libraries are in .../lib64 for 64bit kernels if test -d "${gssapi}/appsec-rt/lib"; then GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -L${gssapi}/appsec-rt/lib" fi CPPFLAGS="$CPPFLAGS -D$platform" if test -d "${gssapi}/appsec-sdk/include"; then CPPFLAGS="$CPPFLAGS -I${gssapi}/appsec-sdk/include" fi gss_failed=0 # Check for CyberSafe with two libraries first, than fall back to a single # library (older CyberSafe) unset ac_cv_lib_gss_csf_gss_acq_user AC_CHECK_LIB(gss,csf_gss_acq_user,gss_impl="cybersafe03", [unset ac_cv_lib_gss_csf_gss_acq_user; AC_CHECK_LIB(gss,csf_gss_acq_user,gss_impl="cybersafe", gss_failed=1,$GSSAPIBASE_LIBS -lgss)], [${GSSAPIBASE_LIBS} -lgss -lcstbk5]) if test "$gss_failed" = "1"; then # Restore variables GSSAPIBASE_LIBS=$cmu_saved_GSSAPIBASE_LIBS CPPFLAGS=$cmu_saved_CPPFLAGS if test "$gss_impl" != "auto"; then gss_impl="failed" fi fi fi if test "$gss_impl" = "auto" -o "$gss_impl" = "seam"; then gss_failed=0 AC_CHECK_LIB(gss,gss_unwrap,gss_impl="seam",gss_failed=1,-lgss) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi if test "$gss_impl" = "mit"; then GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ${K5SUP}" GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_LIBS $gssapi_dir/libgssapi_krb5.a $gssapi_dir/libkrb5.a $gssapi_dir/libk5crypto.a $gssapi_dir/libcom_err.a ${K5SUPSTATIC}" elif test "$gss_impl" = "heimdal"; then CPPFLAGS="$CPPFLAGS -DKRB5_HEIMDAL" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err" GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_STATIC_LIBS $gssapi_dir/libgssapi.a $gssapi_dir/libkrb5.a $gssapi_dir/libasn1.a $gssapi_dir/libroken.a $gssapi_dir/libcom_err.a ${LIB_CRYPT}" elif test "$gss_impl" = "cybersafe03"; then # Version of CyberSafe with two libraries CPPFLAGS="$CPPFLAGS -D$platform -I${gssapi}/appsec-sdk/include" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgss -lcstbk5" # there is no static libgss for CyberSafe GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "cybersafe"; then CPPFLAGS="$CPPFLAGS -D$platform -I${gssapi}/appsec-sdk/include" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgss" # there is no static libgss for CyberSafe GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "seam"; then GSSAPIBASE_LIBS=-lgss # there is no static libgss on Solaris 8 and up GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "failed"; then gssapi="no" GSSAPIBASE_LIBS= GSSAPIBASE_STATIC_LIBS= AC_WARN([Disabling GSSAPI - specified library not found]) else gssapi="no" GSSAPIBASE_LIBS= GSSAPIBASE_STATIC_LIBS= AC_WARN([Disabling GSSAPI - no library]) fi fi # # Cybersafe defines both GSS_C_NT_HOSTBASED_SERVICE and GSS_C_NT_USER_NAME # in gssapi\rfckrb5.h # if test "$gssapi" != "no"; then if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then AC_EGREP_CPP(hostbased_service_gss_nt_yes, [#include #ifdef GSS_C_NT_HOSTBASED_SERVICE hostbased_service_gss_nt_yes #endif], [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])], [AC_WARN([Cybersafe define not found])]) elif test "$ac_cv_header_gssapi_h" = "yes"; then AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])]) elif test "$ac_cv_header_gssapi_gssapi_h"; then AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi/gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])]) fi if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then AC_EGREP_CPP(user_name_yes_gss_nt, [#include #ifdef GSS_C_NT_USER_NAME user_name_yes_gss_nt #endif], [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])], [AC_WARN([Cybersafe define not found])]) elif test "$ac_cv_header_gssapi_h" = "yes"; then AC_EGREP_HEADER(GSS_C_NT_USER_NAME, gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])]) elif test "$ac_cv_header_gssapi_gssapi_h"; then AC_EGREP_HEADER(GSS_C_NT_USER_NAME, gssapi/gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])]) fi fi GSSAPI_LIBS="" AC_MSG_CHECKING([GSSAPI]) if test "$gssapi" != no; then AC_MSG_RESULT([with implementation ${gss_impl}]) AC_CHECK_LIB(resolv,res_search,GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lresolv") SASL_MECHS="$SASL_MECHS libgssapiv2.la" SASL_STATIC_OBJS="$SASL_STATIC_OBJS gssapi.o" SASL_STATIC_SRCS="$SASL_STATIC_SRCS ../plugins/gssapi.c" cmu_save_LIBS="$LIBS" LIBS="$LIBS $GSSAPIBASE_LIBS" AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity) LIBS="$cmu_save_LIBS" else AC_MSG_RESULT([disabled]) fi AC_SUBST(GSSAPI_LIBS) AC_SUBST(GSSAPIBASE_LIBS) ])# SASL_GSSAPI_CHK # SASL_SET_GSSAPI_LIBS # -------------------- AC_DEFUN([SASL_SET_GSSAPI_LIBS], [SASL_GSSAPI_LIBS_SET="yes" ]) # CMU_SASL2 # --------- # What we want to do here is setup LIB_SASL with what one would # generally want to have (e.g. if static is requested, make it that, # otherwise make it dynamic. # # We also want to create LIB_DYN_SASL and DYNSASLFLAGS. # # Also sets using_static_sasl to "no" "static" or "staticonly" # # $1 (incls appended) # # AC_DEFUN([CMU_SASL2], [ AC_ARG_WITH(sasl, [AC_HELP_STRING([--with-sasl=DIR],[Compile with libsasl2 in ])], with_sasl="$withval", with_sasl="no") AC_ARG_WITH(staticsasl, [AC_HELP_STRING([--with-staticsasl=DIR], [Compile with staticly linked libsasl in ])], [with_staticsasl="$withval"; if test $with_staticsasl != "no"; then using_static_sasl="static" fi], [with_staticsasl="no"; using_static_sasl="no"]) if test ${with_staticsasl} != "no" || test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test ${with_staticsasl} != "no"; then if test -d ${with_staticsasl}; then if test -d ${with_staticsasl}/lib64 ; then ac_cv_sasl_where_lib=${with_staticsasl}/lib64 else ac_cv_sasl_where_lib=${with_staticsasl}/lib fi ac_cv_sasl_where_lib=${with_staticsasl}/lib ac_cv_sasl_where_inc=${with_staticsasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" else with_staticsasl="/usr" fi AC_CHECK_HEADER(sasl/sasl.h, [AC_CHECK_HEADER(sasl/saslutil.h, [for i42 in lib64 lib; do if test -r ${with_staticsasl}/$i42/libsasl2.a; then ac_cv_found_sasl=yes AC_MSG_CHECKING([for static libsasl]) LIB_SASL="$LIB_SASL ${with_staticsasl}/$i42/libsasl2.a" fi done if test ! "$ac_cv_found_sasl" = "yes"; then AC_MSG_CHECKING([for static libsasl]) AC_ERROR([Could not find ${with_staticsasl}/lib*/libsasl2.a]) fi])]) if test "$ac_cv_found_sasl" = "yes"; then AC_MSG_RESULT([found]) else AC_ERROR([Could not find ${with_staticsasl}/lib*/libsasl2.a]) fi fi if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/lib ac_cv_sasl_where_inc=${with_sasl}/include DYNSASLFLAGS="-I$ac_cv_sasl_where_inc" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" LIBS="-L$ac_cv_sasl_where_lib" fi # be sure to check for a SASLv2 specific function AC_CHECK_HEADER(sasl/sasl.h, [AC_CHECK_HEADER(sasl/saslutil.h, [AC_CHECK_LIB(sasl2, prop_get, ac_cv_found_sasl=yes, ac_cv_found_sasl=no)], ac_cv_found_sasl=no)], ac_cv_found_sasl=no) if test ${with_sasl} != "no"; then if test "$ac_cv_found_sasl" = "yes"; then if test "$ac_cv_sasl_where_lib" != ""; then DYNLIB_SASL="-L$ac_cv_sasl_where_lib" fi DYNLIB_SASL="$DYNLIB_SASL -lsasl2" if test "$using_static_sasl" != "static"; then LIB_SASL=$DYNLIB_SASL SASLFLAGS=$DYNSASLFLAGS fi CMU_SASL2_REQUIRE_VER(2,1,7) if test "$ac_cv_sasl_where_inc" != ""; then $1="-I$ac_cv_sasl_where_inc $$1" fi AC_DEFINE([ARGUS_SASL], [], [Description]) AC_SUBST(LIB_SASL) AC_SUBST(SASLFLAGS) else AC_ERROR([Could not find sasl2]) fi fi LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" fi ])# CMU_SASL2 # CMU_SASL2_REQUIRE_VER # --------------------- AC_DEFUN([CMU_SASL2_REQUIRE_VER], [ cmu_saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $SASLFLAGS" AC_TRY_CPP([ #include #ifndef SASL_VERSION_MAJOR #error SASL_VERSION_MAJOR not defined #endif #ifndef SASL_VERSION_MINOR #error SASL_VERSION_MINOR not defined #endif #ifndef SASL_VERSION_STEP #error SASL_VERSION_STEP not defined #endif #if SASL_VERSION_MAJOR < $1 || SASL_VERSION_MINOR < $2 || SASL_VERSION_STEP < $3 #error SASL version is less than $1.$2.$3 #endif ],, [AC_ERROR([Incorrect SASL headers found. This package requires SASL $1.$2.$3 or newer.])]) CPPFLAGS=$cmu_saved_CPPFLAGS ])# CMU_SASL2_REQUIRE_VER dnl dnl Additional macros for configure.in packaged up for easier theft. dnl tjs@andrew.cmu.edu 6-may-1998 dnl dnl It would be good if ANDREW_ADD_LIBPATH could detect if something was dnl already there and not redundantly add it if it is. dnl add -L(arg), and possibly (runpath switch)(arg), to LDFLAGS dnl (so the runpath for shared libraries is set). AC_DEFUN([CMU_ADD_LIBPATH], [ # this is CMU ADD LIBPATH if test "$andrew_runpath_switch" = "none" ; then LDFLAGS="-L$1 ${LDFLAGS}" else LDFLAGS="-L$1 $andrew_runpath_switch$1 ${LDFLAGS}" fi ]) dnl add -L(1st arg), and possibly (runpath switch)(1st arg), to (2nd arg) dnl (so the runpath for shared libraries is set). AC_DEFUN([CMU_ADD_LIBPATH_TO], [ # this is CMU ADD LIBPATH TO if test "$andrew_runpath_switch" = "none" ; then $2="-L$1 ${$2}" else $2="-L$1 ${$2} $andrew_runpath_switch$1" fi ]) dnl runpath initialization AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [ # CMU GUESS RUNPATH SWITCH AC_CACHE_CHECK(for runpath switch, andrew_runpath_switch, [ # first, try -R SAVE_LDFLAGS="${LDFLAGS}" LDFLAGS="-R /usr/lib" AC_TRY_LINK([],[],[andrew_runpath_switch="-R"], [ LDFLAGS="-Wl,-rpath,/usr/lib" AC_TRY_LINK([],[],[andrew_runpath_switch="-Wl,-rpath,"], [andrew_runpath_switch="none"]) ]) LDFLAGS="${SAVE_LDFLAGS}" ])]) AC_DEFUN([SASL2_CRYPT_CHK],[ AC_CHECK_FUNC(crypt, cmu_have_crypt=yes, [ AC_CHECK_LIB(crypt, crypt, LIB_CRYPT="-lcrypt"; cmu_have_crypt=yes, cmu_have_crypt=no)]) AC_SUBST(LIB_CRYPT) ]) dnl bsd_sockets.m4--which socket libraries do we need? dnl Derrick Brashear dnl from Zephyr dnl Hacked on by Rob Earhart to not just toss stuff in LIBS dnl It now puts everything required for sockets into LIB_SOCKET AC_DEFUN([CMU_SOCKETS], [ save_LIBS="$LIBS" LIB_SOCKET="" AC_CHECK_FUNC(connect, :, AC_CHECK_LIB(nsl, gethostbyname, LIB_SOCKET="-lnsl $LIB_SOCKET") AC_CHECK_LIB(socket, connect, LIB_SOCKET="-lsocket $LIB_SOCKET") ) LIBS="$LIB_SOCKET $save_LIBS" AC_CHECK_FUNC(res_search, :, AC_CHECK_LIB(resolv, res_search, LIB_SOCKET="-lresolv $LIB_SOCKET") ) LIBS="$LIB_SOCKET $save_LIBS" AC_CHECK_FUNCS(dn_expand dns_lookup) LIBS="$save_LIBS" AC_SUBST(LIB_SOCKET) ]) dnl dnl Look for Perl distribution and executable. dnl dnl usage: dnl dnl AC_QOSIENT_PERL(perldep) dnl dnl results: dnl dnl $1 (geoipdep set) dnl AC_DEFUN([AC_QOSIENT_PERL], [ AC_ARG_WITH(perl, [AC_HELP_STRING([--with-perl=DIR],[Use perl in ])], with_perl="$withval", with_perl="yes") perl=FAIL if ! test ${with_perl} = "no"; then if test ${with_perl} = "yes"; then AC_MSG_CHECKING(for standard perl installation) for dir in /usr /usr/local /opt /opt/local; do if test -r $dir/bin/perl ; then perl=$dir/bin/perl AC_MSG_RESULT($perl) $1="$perl" break; else AC_MSG_RESULT(no) fi done else AC_MSG_CHECKING(for perl installation in ${with_perl}) if test -r ${with_perl}/perl ; then perl=${with_perl}/perl AC_MSG_RESULT($perl) $1="$perl" else AC_MSG_RESULT(no) fi fi fi ]) argus-3.0.8.2/argus/000755 000765 000024 00000000000 12723625057 014560 5ustar00carterstaff000000 000000 argus-3.0.8.2/AUTHORS000444 000765 000024 00000001003 12513224261 014464 0ustar00carterstaff000000 000000 # # Argus Software. # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # $Id: //depot/argus/argus/AUTHORS#8 $ # $DateTime: 2015/04/14 10:48:17 $ # $Change: 2998 $ Argus and its client software are written, maintained and copyrighted by Carter Bullard and QoSient, LLC. Many contributions of fixes, bug reports and design have been submitted to the argus developers mailing list over Argus's 32 years. Please see the ./CREDITS file for those that have contributed the most. argus-3.0.8.2/bin/000755 000765 000024 00000000000 12723621554 014205 5ustar00carterstaff000000 000000 argus-3.0.8.2/ChangeLog000444 000765 000024 00000021544 12723606230 015205 0ustar00carterstaff000000 000000 Mon Mar 21 14:08:52 EDT 2016 Snap encapsulation header processing fixes Wed Jan 13 09:32:04 EST 2016 ICMPv6 processing fixes Thu Oct 1 12:19:11 EDT 2015 Mods for duplicate processing in TCP Mon Jun 29 16:16:11 EDT 2015 Mods to remove use of ArgusLog(LOG_ERR, ...) in ArgusUdt.c Fri Apr 17 08:11:43 EDT 2015 Modify outer header parsing to deal with GRE arp packets. Sat Apr 11 11:39:22 EDT 2015 Fixes for specific syntax errors generating fault. Fri Apr 10 14:29:17 EDT 2015 Fixes for idle timer when no packets on interface Sat Apr 04 17:32:51 EDT 2015 Fixes to support Vmware using GRE Transparent Bridging encapsulations. Tue Jan 20 10:12:29 EST 2015 Fix for filter syntax error message in front of the filter. Tue Dec 23 16:47:41 EST 2014 Added dna zc and eth+@ to polling interfaces Thu Nov 20 08:13:22 EST 2014 Added pcap_set_buffer_size support in argus. Tue Jul 8 14:51:13 EDT 2014 Mods for packaging for ubuntu, redhat, etc.... Added debian and pkg directories, mods to spec file. Tue Jun 17 10:42:07 EDT 2014 Update and Fixes for remote argus data filter support Mon Jun 9 20:18:12 EDT 2014 Changes for netflow packet parsing to fix netflow in clients. Mon May 12 15:46:24 EDT 2014 Fixes for wild metric counts in new flow data. Update filter logic to be consistent with client filters. Modifications for timeout issues when in non-select polling. Wed Dec 11 16:50:25 EST 2013 Fix for source id type assignement from commandline Change for compiler timeout values Mon Nov 25 12:11:47 EST 2013 Fixes for ARP direction processing Back out of duplicate packet tracking logic Thu Oct 17 15:45:31 EDT 2013 Mods for duplicate packet reporting Thu Aug 22 08:39:26 EDT 2013 Modify configure.ac for pcap_dump_flush for older libpcaps Mon Jul 22 16:09:35 EDT 2013 Modify timeouts within "nonselectable" packet processing loop. Tue Jul 9 22:24:01 EDT 2013 Use VID for the VLAN identifer for the key. Tue Jun 18 23:39:12 EDT 2013 Fix syslog while daemonized Tue Jun 11 16:42:18 EDT 2013 Remove nanosleep() to improve performance. Thu Apr 4 16:38:50 EDT 2013 Major addtions for SDN tracking. New Flow model specifications in argus.conf. Wed Mar 6 16:33:47 EST 2013 Fixes for solaris port, to avoid scheduling problems with record timeouts Fri Oct 19 13:14:13 EDT 2012 Fix documentation in ./include/argus_def.h to get Cause and Vers in right order. Mon Oct 8 17:17:39 EDT 2012 Fix for argus TCP state machine issue with very out of order SYN, SYN_ACK, RST volleys. Thu Jun 21 15:33:22 EDT 2012 Fix for country code aggregation problem, where dst co would be zero'd out. Mon Jun 11 16:07:53 EDT 2012 Fix for ArgusOutput deadlock, when congested. Mon Jun 09 08:21:16 EDT 2012 Netflow V9 support transitioned and mostly integrated. Need more packet data. Tue Apr 10 08:19:44 EDT 2012 Prepare for argus-3.0.6 release. Modify usage to use stdout, instead of stderr Mon Feb 13 11:11:32 EST 2012 Fixed embedded comments parsing in argus.conf file. Updated argus client filter to be in sync with clients. Fixed issue with ArgusSourceID parsing. Wed Feb 1 22:25:37 EST 2012 Fixed loss reporting bug. Adjusted TCP PERF DSR to support gap estimates better. Need to modify for argus-3.1.0 so that we track retransmitted bytes, rather than packets (possibly). Tue Jan 3 18:47:20 EST 2012 Added better double quote handling in the argus resource file. Removed all options in the sample argus.conf file. Preliminary Juniper encapsulation support added Tue Dec 6 20:19:24 EST 2011 Fixed argus.conf parsing bug, when using `hostname`. Added some additional logging and packet dumping if the timestamps are wayyyy out of the wayyyy. Did a bit more cleanup on PSIZE DSR type reporting, due to error messages when using PF_RING. Thu Dec 1 17:32:30 EST 2011 Updated ifdef's for available pcap functions Added back support for pcap_dispatch() to support older version of Bivio. Mon Nov 14 14:29:08 EST 2011 Fixed problem with fragment tracking and reporting Added stub for process Juniper TTP protocol Mon Sep 19 10:01:48 EDT 2011 Modified output global status timer management to deal with sleeping laptops. Fri Jun 30 10:22:43 EDT 2011 Fixed pid file code to create correct pid files. Mon Jun 20 15:36:17 EDT 2011 Added 4 byte string and fixed int as probe id. Mon May 16 18:44:22 EDT 2011 Added v1, 5, and 6 to this list of cisco formats. Mon May 9 23:02:38 EDT 2011 Added parsing cisco flow records from packet payload (currently support v7). Mon Apr 18 19:38:02 EDT 2011 Fix for ArgusMallocListRecord when we've run out of memory Fri Feb 25 13:34:59 EST 2011 Added timeout variables to argus.conf, and removed the init timeout value. Fri Feb 25 11:08:49 EST 2011 Fixes for Argus events, DAG interface support and configure.ac Ready to go Tue Oct 12 14:58:13 EDT 2010 Tuning for timeout queues Mon Oct 11 15:53:47 EDT 2010 Updated for changes in argus-3.x.3.24 Merged in argus-3.0.3.17 into argus-3.x.3. Thu Sep 30 19:29:40 EDT 2010 An amazing set of bugs relating to List records. Should make argus much better under load Mon Aug 16 14:36:54 EDT 2010 Reimplemenation of keystroke algorithm Tue Aug 10 23:54:21 EDT 2010 Rework autoconf and autoheader support Tue Aug 10 01:33:30 EDT 2010 Mods from John's email and added debuging Thu Jul 29 14:04:51 EDT 2010 Finished first round implementation for keystroke algorithm Sat Jul 17 17:33:42 EDT 2010 Fix to get localnet and netmask back into management record Tue Jul 6 18:12:57 EDT 2010 Fix for fragmentation support Wed Jun 23 14:20:18 EDT 2010 Fix for jitter value reporting. Thu Jun 10 11:02:57 EDT 2010 Fix for "bond" interface support in ArgusSource. Wed Jun 2 15:31:54 EDT 2010 Added multiple bind address support Added udt packet stream processing Added control plane capture support using -C Fix for arp flow record reporting (missing answer) Correct AI_NUMERICSERV change to AI_NUMERICHOST Mon May 10 18:37:42 EDT 2010 Finishing threaded ArgusSource strategy. Added back ArgusOutput udp strategy. Updated argus.conf.5 man page. Updated argus.8 man page. Fixed gentoo configure support. Tue May 4 10:31:14 EDT 2010 Added back threaded ArgusSource strategy. Tue May 4 00:30:47 EDT 2010 Added gentoo bug reports for configure and compile Added better syslog support. Fri Apr 23 11:10:59 EDT 2010 Added ISIS flow generation for tony. Added backtrace for argus exiting, and added a few checks for pcap_dispatch() returning an ignorable error. Thu Apr 22 11:38:09 EDT 2010 Mods to fix TCP loss reporting error due to incomplete implementation of Mar 8 fixes for modifing the packet. Mod to fix TCP state machine when FIN alone is sent from dst. Mon Apr 12 22:45:54 EDT 2010 Mods to fix Teredo parsing error Mon Mar 8 23:40:34 EST 2010 Mods to not modify the packet itself while processing. Tue Feb 16 23:16:53 EST 2010 Modify teredo support to be turned on via argus.conf Indicate teredo tunnel encapsulation by default. Wed Feb 10 17:41:58 EST 2010 Added Teredo tunnel parsing. Exclude udp domain as candidate. Mon Feb 8 21:46:32 EST 2010 Starting argus-3.0.3 Added argus events data generation Fixed apple libpcap performance issues. Updated argusarchive with Peter's version (thanks Peter!!!) Changes from Argus-3.0.0 Thu Oct 15 12:15:17 EDT 2009 Mod to support Bivio7000 default device processing. Thu Sep 24 01:23:02 EDT 2009 Fixes for ipid roll-over and TCP loss detection Thu Aug 13 00:40:12 EDT 2009 Fixes for GRE flow reporting when the upper protocol is incomplete Fixes for over counting some fragments. Tue Aug 11 01:05:23 EDT 2009 Mods to fix retrans reporting for tcp when packets are out of order Sun Aug 9 19:32:27 EDT 2009 Mods to fix poor header parsing logic in pppoe protocols. Tue Jul 28 10:57:18 EDT 2009 Mods to support older libpcap libraries, aka Bivio 7500 Mods to fix loss reporting for ESP flows. Tue Jul 7 14:02:35 EDT 2009 OK, seems like a year has passed, and here we are for argus-3.0.2. The changes include: Syslog support fixes Modifications to rpm argus.spec file. Modificiations to support Bivio 7500. Fixes for arp processing. Fixes for icmpv6 processing. Restructure timeout queue processing. Attempted fixes for dealing with system time bug. Fixes for Radiotap header parsing. Mods to ArgusProcessEtherHdr logic for PPP processing. Reimplement ARGUS_SRC_MULTIPATH; Fix packet size reporting error. Set ARGUS_INITTIMEOUT from 0 to 5 seconds. Restructure Listen strategy. Minor changes to coping of timestruct from libpcap to us. Better handling of pcap fileno. Correct MAX_SNAPLEN byte length to 65535 Fix TCP flags reporting Fix TCP Reinitialization on RST. Corrections for long long variables by using LL in constants. Restructured source id porsing. Mods to ./common/Makefile.in for datarootdir. Fixed floating point reporting for stat DSR. Update aclocal.m4 Tue Jul 8 11:55:37 EDT 2008 Fixed LLC header parsing issues. Fixed argus.spec issue with man page installation Fixed argus.spec issue with argusbug argus-3.0.8.2/common/000755 000765 000024 00000000000 12723625057 014727 5ustar00carterstaff000000 000000 argus-3.0.8.2/config/000755 000765 000024 00000000000 12513222401 014663 5ustar00carterstaff000000 000000 argus-3.0.8.2/configure000755 000765 000024 00001045331 12723624615 015354 0ustar00carterstaff000000 000000 #! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for Argus Server Programs 3.0.8. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 as_fn_exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : else exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null; then : as_have_required=yes else as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir/$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : CONFIG_SHELL=$as_shell as_have_required=yes if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : break 2 fi fi done;; esac as_found=false done $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : CONFIG_SHELL=$SHELL as_have_required=yes fi; } IFS=$as_save_IFS if test "x$CONFIG_SHELL" != x; then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno; then : $as_echo "$0: This script requires a shell more modern than all" $as_echo "$0: the shells that I found on your system." if test x${ZSH_VERSION+set} = xset ; then $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and $0: bug-report@qosient.com about your system, including any $0: error possibly output before this message. Then install $0: a modern shell, or manually run the script under such a $0: shell if you do have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='Argus Server Programs' PACKAGE_TARNAME='argus' PACKAGE_VERSION='3.0.8' PACKAGE_STRING='Argus Server Programs 3.0.8' PACKAGE_BUGREPORT='bug-report@qosient.com' PACKAGE_URL='http://qosient.com/argus' ac_unique_file="argus/argus.c" ac_default_prefix=/usr/local # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef STDC_HEADERS # include # include #else # ifdef HAVE_STDLIB_H # include # endif #endif #ifdef HAVE_STRING_H # if !defined STDC_HEADERS && defined HAVE_MEMORY_H # include # endif # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_header_list= ac_func_list= ac_subst_vars='LTLIBOBJS INSTALL_BIN INSTALL_LIB COMPATLIB WRAPLIBS V_THREADS V_PERL V_INCLS V_CCOPT INCLS PCAP_CONFIG POW_LIB LIBOBJS ALLOCA PCRE_CONFIG SASLFLAGS LIB_SASL EGREP GREP CPP V_YACC V_LEX V_RANLIB YFLAGS YACC RANLIB INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM LEXLIB LEX_OUTPUT_ROOT LEX LN_S SET_MAKE OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC SHLICC2 CLANG target_os target_vendor target_cpu target host_os host_vendor host_cpu host build_os build_vendor build_cpu build target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking with_perl with_gcc with_examples with_pluribus with_sasl with_staticsasl with_libpcre with_pcre_config enable_largefile with_threads with_tcpwrappers with_libpcap ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS YACC YFLAGS CPP' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures Argus Server Programs 3.0.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/argus] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] --target=TARGET configure for building compilers for TARGET [HOST] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of Argus Server Programs 3.0.8:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-largefile omit support for large files Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-perl=DIR Use perl in --without-gcc don't use gcc --without-examples don't compile examples --with-pluribus Compile for pluribus --with-sasl=DIR Compile with libsasl2 in --with-staticsasl=DIR Compile with staticly linked libsasl in --with-libpcre=DIR Compile with libpcre in --with-pcre-config=PATH Location of PCRE pcre-config (auto) --without-threads don't use native threads package --with-wrappers=DIR Compile with tcpwrappers in --with-libpcap=DIR Compile with libpcap in Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory YACC The `Yet Another Compiler Compiler' implementation to use. Defaults to the first program found out of: `bison -y', `byacc', `yacc'. YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. CPP C preprocessor Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . Argus Server Programs home page: . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF Argus Server Programs configure 3.0.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err }; then : ac_retval=0 else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists, giving a warning if it cannot be compiled using # the include files in INCLUDES and setting the cache variable VAR # accordingly. ac_fn_c_check_header_mongrel () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if eval \${$3+:} false; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } else # Is the header compilable? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 $as_echo_n "checking $2 usability... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_header_compiler=yes else ac_header_compiler=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 $as_echo "$ac_header_compiler" >&6; } # Is the header present? { $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 $as_echo_n "checking $2 presence... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$2> _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : ac_header_preproc=yes else ac_header_preproc=no fi rm -f conftest.err conftest.i conftest.$ac_ext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 $as_echo "$ac_header_preproc" >&6; } # So? What about this header? case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( yes:no: ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 $as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ;; no:yes:* ) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 $as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 $as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## ------------------------------------- ## ## Report this to bug-report@qosient.com ## ## ------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=\$ac_header_compiler" fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_mongrel # ac_fn_c_try_run LINENO # ---------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. Assumes # that executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then : ac_retval=0 else $as_echo "$as_me: program exited with status $ac_status" >&5 $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_find_intX_t LINENO BITS VAR # ----------------------------------- # Finds a signed integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_intX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for int$2_t" >&5 $as_echo_n "checking for int$2_t... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in int$2_t 'int' 'long int' \ 'long long int' 'short int' 'signed char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main () { static int test_array [1 - 2 * !(0 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main () { static int test_array [1 - 2 * !(($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1) < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 2))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else case $ac_type in #( int$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if eval test \"x\$"$3"\" = x"no"; then : else break fi done fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_intX_t # ac_fn_c_find_uintX_t LINENO BITS VAR # ------------------------------------ # Finds an unsigned integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_uintX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uint$2_t" >&5 $as_echo_n "checking for uint$2_t... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in uint$2_t 'unsigned int' 'unsigned long int' \ 'unsigned long long int' 'unsigned short int' 'unsigned char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : case $ac_type in #( uint$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if eval test \"x\$"$3"\" = x"no"; then : else break fi done fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_uintX_t # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else eval "$3=yes" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES # ---------------------------------------------------- # Tries to find if the field MEMBER exists in type AGGR, after including # INCLUDES, setting cache variable VAR accordingly. ac_fn_c_check_member () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 $as_echo_n "checking for $2.$3... " >&6; } if eval \${$4+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main () { static $2 ac_aggr; if (ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$4=yes" else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main () { static $2 ac_aggr; if (sizeof ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$4=yes" else eval "$4=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$4 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_member # ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES # --------------------------------------------- # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR # accordingly. ac_fn_c_check_decl () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack as_decl_name=`echo $2|sed 's/ *(.*//'` as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 $as_echo_n "checking whether $as_decl_name is declared... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main () { #ifndef $as_decl_name #ifdef __cplusplus (void) $as_decl_use; #else (void) $as_decl_name; #endif #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_decl # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 $as_echo_n "checking for $2... " >&6; } if eval \${$3+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. Prefer to if __STDC__ is defined, since exists even on freestanding compilers. */ #ifdef __STDC__ # include #else # include #endif #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main () { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : eval "$3=yes" else eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by Argus Server Programs $as_me 3.0.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi as_fn_append ac_header_list " sys/time.h" as_fn_append ac_header_list " unistd.h" as_fn_append ac_func_list " alarm" # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_aux_dir= for ac_dir in config "$srcdir"/config; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in config \"$srcdir\"/config" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. ac_config_headers="$ac_config_headers include/argus_config.h" # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking target system type" >&5 $as_echo_n "checking target system type... " >&6; } if ${ac_cv_target+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$target_alias" = x; then ac_cv_target=$ac_cv_host else ac_cv_target=`$SHELL "$ac_aux_dir/config.sub" $target_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $target_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_target" >&5 $as_echo "$ac_cv_target" >&6; } case $ac_cv_target in *-*-*) ;; *) as_fn_error $? "invalid value of canonical target" "$LINENO" 5;; esac target=$ac_cv_target ac_save_IFS=$IFS; IFS='-' set x $ac_cv_target shift target_cpu=$1 target_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: target_os=$* IFS=$ac_save_IFS case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac # The aliases save the names the user supplied, while $host etc. # will get canonicalized. test -n "$target_alias" && test "$program_prefix$program_suffix$program_transform_name" = \ NONENONEs,x,x, && program_prefix=${target_alias}- # Check whether --with-perl was given. if test "${with_perl+set}" = set; then : withval=$with_perl; with_perl="$withval" else with_perl="yes" fi perl=FAIL if ! test ${with_perl} = "no"; then if test ${with_perl} = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for standard perl installation" >&5 $as_echo_n "checking for standard perl installation... " >&6; } for dir in /usr /usr/local /opt /opt/local; do if test -r $dir/bin/perl ; then perl=$dir/bin/perl { $as_echo "$as_me:${as_lineno-$LINENO}: result: $perl" >&5 $as_echo "$perl" >&6; } V_PERL="$perl" break; else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi done else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for perl installation in ${with_perl}" >&5 $as_echo_n "checking for perl installation in ${with_perl}... " >&6; } if test -r ${with_perl}/perl ; then perl=${with_perl}/perl { $as_echo "$as_me:${as_lineno-$LINENO}: result: $perl" >&5 $as_echo "$perl" >&6; } V_PERL="$perl" else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi # Checks for programs. # Check whether --with-gcc was given. if test "${with_gcc+set}" = set; then : withval=$with_gcc; fi # Check whether --with-examples was given. if test "${with_examples+set}" = set; then : withval=$with_examples; fi # Check whether --with-pluribus was given. if test "${with_pluribus+set}" = set; then : withval=$with_pluribus; with_pluribus=yes else with_pluribus=no fi V_CCOPT="-O" V_INCLS="" if test "${srcdir}" != "." ; then V_INCLS="-I\$(srcdir)" fi if test "${CFLAGS+set}" = set; then LBL_CFLAGS="$CFLAGS" fi if test -z "$CC" ; then case "$target_os" in *darwin*) # Extract the first word of "clang", so it can be a program name with args. set dummy clang; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CLANG+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CLANG"; then ac_cv_prog_CLANG="$CLANG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CLANG="yes" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_prog_CLANG" && ac_cv_prog_CLANG="no" fi fi CLANG=$ac_cv_prog_CLANG if test -n "$CLANG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CLANG" >&5 $as_echo "$CLANG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test $CLANG = yes ; then CC=cc export CC fi ;; bsdi*) # Extract the first word of "shlicc2", so it can be a program name with args. set dummy shlicc2; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_SHLICC2+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$SHLICC2"; then ac_cv_prog_SHLICC2="$SHLICC2" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_SHLICC2="yes" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_prog_SHLICC2" && ac_cv_prog_SHLICC2="no" fi fi SHLICC2=$ac_cv_prog_SHLICC2 if test -n "$SHLICC2"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SHLICC2" >&5 $as_echo "$SHLICC2" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test $SHLICC2 = yes ; then CC=shlicc2 export CC fi ;; esac fi if test -z "$CC" -a "$with_gcc" = no ; then CC=cc export CC fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test "$GCC" = yes ; then if test "$SHLICC2" = yes ; then ac_cv_lbl_gcc_vers=2 V_CCOPT="-O3" else ac_cv_lbl_gcc_vers=0 { $as_echo "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5 $as_echo_n "checking gcc version... " >&6; } if ${ac_cv_lbl_gcc_vers+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_lbl_gcc_vers=`$CC --version 2>&1 | \ sed -e '/^ version /!d' \ -e 's/^gcc version //' \ -e 's/ .*//' -e 's/^[^0-9]*//' \ -e 's/\..*//'` fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_gcc_vers" >&5 $as_echo "$ac_cv_lbl_gcc_vers" >&6; } if test $ac_cv_lbl_gcc_vers -gt 0 ; then V_CCOPT="-O3" fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5 $as_echo_n "checking that $CC handles ansi prototypes... " >&6; } if ${ac_cv_lbl_cc_ansi_prototypes+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { int frob(int, char *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_lbl_cc_ansi_prototypes=yes else ac_cv_lbl_cc_ansi_prototypes=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_ansi_prototypes" >&5 $as_echo "$ac_cv_lbl_cc_ansi_prototypes" >&6; } if test $ac_cv_lbl_cc_ansi_prototypes = no ; then case "$target_os" in hpux*) { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)" >&5 $as_echo_n "checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)... " >&6; } savedcflags="$CFLAGS" CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS" if ${ac_cv_lbl_cc_hpux_cc_aa+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { int frob(int, char *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_lbl_cc_hpux_cc_aa=yes else ac_cv_lbl_cc_hpux_cc_aa=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_hpux_cc_aa" >&5 $as_echo "$ac_cv_lbl_cc_hpux_cc_aa" >&6; } if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then as_fn_error $? "see the INSTALL doc for more info" "$LINENO" 5 fi CFLAGS="$savedcflags" V_CCOPT="-Aa $V_CCOPT" $as_echo "#define _HPUX_SOURCE 1" >>confdefs.h ;; *) as_fn_error $? "see the INSTALL doc for more info" "$LINENO" 5 ;; esac fi V_INCLS="$V_INCLS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" case "$target_os" in irix*) V_CCOPT="$V_CCOPT -xansi -signed -g3" ;; osf*) V_CCOPT="$V_CCOPT -std1 -g3" ;; ultrix*) { $as_echo "$as_me:${as_lineno-$LINENO}: checking that Ultrix $CC hacks const in prototypes" >&5 $as_echo_n "checking that Ultrix $CC hacks const in prototypes... " >&6; } if ${ac_cv_lbl_cc_const_proto+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { struct a { int b; }; void c(const struct a *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_lbl_cc_const_proto=yes else ac_cv_lbl_cc_const_proto=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_const_proto" >&5 $as_echo "$ac_cv_lbl_cc_const_proto" >&6; } if test $ac_cv_lbl_cc_const_proto = no ; then $as_echo "#define const /**/" >>confdefs.h fi ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 $as_echo_n "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 $as_echo "no, using $LN_S" >&6; } fi for ac_prog in flex lex do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_LEX+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$LEX"; then ac_cv_prog_LEX="$LEX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_LEX="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi LEX=$ac_cv_prog_LEX if test -n "$LEX"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LEX" >&5 $as_echo "$LEX" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$LEX" && break done test -n "$LEX" || LEX=":" if test "x$LEX" != "x:"; then cat >conftest.l <<_ACEOF %% a { ECHO; } b { REJECT; } c { yymore (); } d { yyless (1); } e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ yyless ((input () != 0)); } f { unput (yytext[0]); } . { BEGIN INITIAL; } %% #ifdef YYTEXT_POINTER extern char *yytext; #endif int main (void) { return ! yylex () + ! yywrap (); } _ACEOF { { ac_try="$LEX conftest.l" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$LEX conftest.l") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5 $as_echo_n "checking lex output file root... " >&6; } if ${ac_cv_prog_lex_root+:} false; then : $as_echo_n "(cached) " >&6 else if test -f lex.yy.c; then ac_cv_prog_lex_root=lex.yy elif test -f lexyy.c; then ac_cv_prog_lex_root=lexyy else as_fn_error $? "cannot find output from $LEX; giving up" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5 $as_echo "$ac_cv_prog_lex_root" >&6; } LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root if test -z "${LEXLIB+set}"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5 $as_echo_n "checking lex library... " >&6; } if ${ac_cv_lib_lex+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_LIBS=$LIBS ac_cv_lib_lex='none needed' for ac_lib in '' -lfl -ll; do LIBS="$ac_lib $ac_save_LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ `cat $LEX_OUTPUT_ROOT.c` _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_lex=$ac_lib fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext test "$ac_cv_lib_lex" != 'none needed' && break done LIBS=$ac_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lex" >&5 $as_echo "$ac_cv_lib_lex" >&6; } test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5 $as_echo_n "checking whether yytext is a pointer... " >&6; } if ${ac_cv_prog_lex_yytext_pointer+:} false; then : $as_echo_n "(cached) " >&6 else # POSIX says lex can declare yytext either as a pointer or an array; the # default is implementation-dependent. Figure out which it is, since # not all implementations provide the %pointer and %array declarations. ac_cv_prog_lex_yytext_pointer=no ac_save_LIBS=$LIBS LIBS="$LEXLIB $ac_save_LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define YYTEXT_POINTER 1 `cat $LEX_OUTPUT_ROOT.c` _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_prog_lex_yytext_pointer=yes fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_yytext_pointer" >&5 $as_echo "$ac_cv_prog_lex_yytext_pointer" >&6; } if test $ac_cv_prog_lex_yytext_pointer = yes; then $as_echo "#define YYTEXT_POINTER 1" >>confdefs.h fi rm -f conftest.l $LEX_OUTPUT_ROOT.c fi # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi for ac_prog in 'bison -y' byacc do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_YACC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$YACC"; then ac_cv_prog_YACC="$YACC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_YACC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi YACC=$ac_cv_prog_YACC if test -n "$YACC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5 $as_echo "$YACC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$YACC" && break done test -n "$YACC" || YACC="yacc" for ac_prog in ranlib do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_V_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$V_RANLIB"; then ac_cv_prog_V_RANLIB="$V_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_V_RANLIB="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi V_RANLIB=$ac_cv_prog_V_RANLIB if test -n "$V_RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_RANLIB" >&5 $as_echo "$V_RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$V_RANLIB" && break done test -n "$V_RANLIB" || V_RANLIB="@true" for ac_prog in flex do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_V_LEX+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$V_LEX"; then ac_cv_prog_V_LEX="$V_LEX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_V_LEX="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi V_LEX=$ac_cv_prog_V_LEX if test -n "$V_LEX"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_LEX" >&5 $as_echo "$V_LEX" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$V_LEX" && break done test -n "$V_LEX" || V_LEX="lex" if test "$V_LEX" = flex ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for flex 2.4 or higher" >&5 $as_echo_n "checking for flex 2.4 or higher... " >&6; } if ${ac_cv_lbl_flex_v24+:} false; then : $as_echo_n "(cached) " >&6 else if flex -V >/dev/null 2>&1; then ac_cv_lbl_flex_v24=yes else ac_cv_lbl_flex_v24=no fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_flex_v24" >&5 $as_echo "$ac_cv_lbl_flex_v24" >&6; } if test $ac_cv_lbl_flex_v24 = no ; then s="2.4 or higher required" { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: ignoring obsolete flex executable ($s)" >&5 $as_echo "$as_me: WARNING: ignoring obsolete flex executable ($s)" >&2;} V_LEX=lex fi else as_fn_error $? "flex not found. see the INSTALL for more info" "$LINENO" 5 fi for ac_prog in bison do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_V_YACC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$V_YACC"; then ac_cv_prog_V_YACC="$V_YACC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_V_YACC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi V_YACC=$ac_cv_prog_V_YACC if test -n "$V_YACC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_YACC" >&5 $as_echo "$V_YACC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$V_YACC" && break done test -n "$V_YACC" || V_YACC="yacc" if test "$V_YACC" = bison ; then V_YACC="$V_YACC -y" else as_fn_error $? "bison not found. see the INSTALL for more info" "$LINENO" 5 fi if test "$V_LEX" = flex -a -n "argus_" ; then V_LEX="$V_LEX -Pargus_" V_YACC="$V_YACC -p argus_" fi # Checks for libraries. ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 $as_echo_n "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if ${ac_cv_prog_CPP+:} false; then : $as_echo_n "(cached) " >&6 else # Double quotes because CPP needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 $as_echo "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # Prefer to if __STDC__ is defined, since # exists even on freestanding compilers. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __STDC__ # include #else # include #endif Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : # Broken: success on invalid input. continue else # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok; then : else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 $as_echo_n "checking for grep that handles long lines and -e... " >&6; } if ${ac_cv_path_GREP+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 $as_echo "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 $as_echo_n "checking for egrep... " >&6; } if ${ac_cv_path_EGREP+:} false; then : $as_echo_n "(cached) " >&6 else if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 $as_echo_n 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" $as_echo 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 $as_echo "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi # On IRIX 5.3, sys/types and inttypes.h are conflicting. for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ inttypes.h stdint.h unistd.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done # Check whether --with-sasl was given. if test "${with_sasl+set}" = set; then : withval=$with_sasl; with_sasl="$withval" else with_sasl="no" fi # Check whether --with-staticsasl was given. if test "${with_staticsasl+set}" = set; then : withval=$with_staticsasl; with_staticsasl="$withval"; if test $with_staticsasl != "no"; then using_static_sasl="static" fi else with_staticsasl="no"; using_static_sasl="no" fi if test ${with_staticsasl} != "no" || test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test ${with_staticsasl} != "no"; then if test -d ${with_staticsasl}; then if test -d ${with_staticsasl}/lib64 ; then ac_cv_sasl_where_lib=${with_staticsasl}/lib64 else ac_cv_sasl_where_lib=${with_staticsasl}/lib fi ac_cv_sasl_where_lib=${with_staticsasl}/lib ac_cv_sasl_where_inc=${with_staticsasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" else with_staticsasl="/usr" fi ac_fn_c_check_header_mongrel "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_sasl_h" = xyes; then : ac_fn_c_check_header_mongrel "$LINENO" "sasl/saslutil.h" "ac_cv_header_sasl_saslutil_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_saslutil_h" = xyes; then : for i42 in lib64 lib; do if test -r ${with_staticsasl}/$i42/libsasl2.a; then ac_cv_found_sasl=yes { $as_echo "$as_me:${as_lineno-$LINENO}: checking for static libsasl" >&5 $as_echo_n "checking for static libsasl... " >&6; } LIB_SASL="$LIB_SASL ${with_staticsasl}/$i42/libsasl2.a" fi done if test ! "$ac_cv_found_sasl" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for static libsasl" >&5 $as_echo_n "checking for static libsasl... " >&6; } as_fn_error $? "Could not find ${with_staticsasl}/lib*/libsasl2.a" "$LINENO" 5 fi fi fi if test "$ac_cv_found_sasl" = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5 $as_echo "found" >&6; } else as_fn_error $? "Could not find ${with_staticsasl}/lib*/libsasl2.a" "$LINENO" 5 fi fi if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/lib ac_cv_sasl_where_inc=${with_sasl}/include DYNSASLFLAGS="-I$ac_cv_sasl_where_inc" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" LIBS="-L$ac_cv_sasl_where_lib" fi # be sure to check for a SASLv2 specific function ac_fn_c_check_header_mongrel "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_sasl_h" = xyes; then : ac_fn_c_check_header_mongrel "$LINENO" "sasl/saslutil.h" "ac_cv_header_sasl_saslutil_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_saslutil_h" = xyes; then : { $as_echo "$as_me:${as_lineno-$LINENO}: checking for prop_get in -lsasl2" >&5 $as_echo_n "checking for prop_get in -lsasl2... " >&6; } if ${ac_cv_lib_sasl2_prop_get+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsasl2 $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char prop_get (); int main () { return prop_get (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_sasl2_prop_get=yes else ac_cv_lib_sasl2_prop_get=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sasl2_prop_get" >&5 $as_echo "$ac_cv_lib_sasl2_prop_get" >&6; } if test "x$ac_cv_lib_sasl2_prop_get" = xyes; then : ac_cv_found_sasl=yes else ac_cv_found_sasl=no fi else ac_cv_found_sasl=no fi else ac_cv_found_sasl=no fi if test ${with_sasl} != "no"; then if test "$ac_cv_found_sasl" = "yes"; then if test "$ac_cv_sasl_where_lib" != ""; then DYNLIB_SASL="-L$ac_cv_sasl_where_lib" fi DYNLIB_SASL="$DYNLIB_SASL -lsasl2" if test "$using_static_sasl" != "static"; then LIB_SASL=$DYNLIB_SASL SASLFLAGS=$DYNSASLFLAGS fi cmu_saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $SASLFLAGS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #ifndef SASL_VERSION_MAJOR #error SASL_VERSION_MAJOR not defined #endif #ifndef SASL_VERSION_MINOR #error SASL_VERSION_MINOR not defined #endif #ifndef SASL_VERSION_STEP #error SASL_VERSION_STEP not defined #endif #if SASL_VERSION_MAJOR < 2 || SASL_VERSION_MINOR < 1 || SASL_VERSION_STEP < 7 #error SASL version is less than 2.1.7 #endif _ACEOF if ac_fn_c_try_cpp "$LINENO"; then : else as_fn_error $? "Incorrect SASL headers found. This package requires SASL 2.1.7 or newer." "$LINENO" 5 fi rm -f conftest.err conftest.i conftest.$ac_ext CPPFLAGS=$cmu_saved_CPPFLAGS if test "$ac_cv_sasl_where_inc" != ""; then V_INCLS="-I$ac_cv_sasl_where_inc $V_INCLS" fi $as_echo "#define ARGUS_SASL /**/" >>confdefs.h else as_fn_error $? "Could not find sasl2" "$LINENO" 5 fi fi LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" fi # Check whether --with-libpcre was given. if test "${with_libpcre+set}" = set; then : withval=$with_libpcre; with_libpcre="$withval" else with_libpcre="no" fi if test ${with_libpcre} != "no"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcre library" >&5 $as_echo_n "checking for pcre library... " >&6; } # Check whether --with-pcre-config was given. if test "${with_pcre_config+set}" = set; then : withval=$with_pcre_config; with_pcre_config="$withval" else with_pcre_config="yes" fi if test ${with_pcre_config} != "no"; then if test -f $with_pcre_config ; then PCRE_CONFIG=$with_pcre_config else for ac_prog in pcre-config do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_PCRE_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$PCRE_CONFIG"; then ac_cv_prog_PCRE_CONFIG="$PCRE_CONFIG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_prog_PCRE_CONFIG="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi PCRE_CONFIG=$ac_cv_prog_PCRE_CONFIG if test -n "$PCRE_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PCRE_CONFIG" >&5 $as_echo "$PCRE_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$PCRE_CONFIG" && break done fi fi if test "x$PCRE_CONFIG" != "x"; then PCRE_CFLAGS=`$PCRE_CONFIG --cflags` PCRE_LIBS=`$PCRE_CONFIG --libs-posix` fi if test "x$PCRE_LIBS" != "x" ; then $as_echo "#define ARGUS_PCRE /**/" >>confdefs.h V_PCRE=$PCRE_LIBS; V_INCLS="$PCRE_CFLAGS $V_INCLS" else for ac_header in regex.h do : ac_fn_c_check_header_mongrel "$LINENO" "regex.h" "ac_cv_header_regex_h" "$ac_includes_default" if test "x$ac_cv_header_regex_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_REGEX_H 1 _ACEOF else as_fn_error $? "neither pcre nor regex found" "$LINENO" 5 fi done fi else for ac_header in regex.h do : ac_fn_c_check_header_mongrel "$LINENO" "regex.h" "ac_cv_header_regex_h" "$ac_includes_default" if test "x$ac_cv_header_regex_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_REGEX_H 1 _ACEOF else as_fn_error $? "regex not found" "$LINENO" 5 fi done fi # Checks for header files. ac_header_dirent=no for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do as_ac_Header=`$as_echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh` { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_hdr that defines DIR" >&5 $as_echo_n "checking for $ac_hdr that defines DIR... " >&6; } if eval \${$as_ac_Header+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include <$ac_hdr> int main () { if ((DIR *) 0) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : eval "$as_ac_Header=yes" else eval "$as_ac_Header=no" fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi eval ac_res=\$$as_ac_Header { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_hdr" | $as_tr_cpp` 1 _ACEOF ac_header_dirent=$ac_hdr; break fi done # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. if test $ac_header_dirent = dirent.h; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 $as_echo_n "checking for library containing opendir... " >&6; } if ${ac_cv_search_opendir+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char opendir (); int main () { return opendir (); ; return 0; } _ACEOF for ac_lib in '' dir; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_opendir=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_opendir+:} false; then : break fi done if ${ac_cv_search_opendir+:} false; then : else ac_cv_search_opendir=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 $as_echo "$ac_cv_search_opendir" >&6; } ac_res=$ac_cv_search_opendir if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 $as_echo_n "checking for library containing opendir... " >&6; } if ${ac_cv_search_opendir+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char opendir (); int main () { return opendir (); ; return 0; } _ACEOF for ac_lib in '' x; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_opendir=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_opendir+:} false; then : break fi done if ${ac_cv_search_opendir+:} false; then : else ac_cv_search_opendir=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 $as_echo "$ac_cv_search_opendir" >&6; } ac_res=$ac_cv_search_opendir if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 $as_echo_n "checking for ANSI C header files... " >&6; } if ${ac_cv_header_stdc+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_stdc=yes else ac_cv_header_stdc=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "memchr" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "free" >/dev/null 2>&1; then : else ac_cv_header_stdc=no fi rm -f conftest* fi if test $ac_cv_header_stdc = yes; then # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. if test "$cross_compiling" = yes; then : : else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #if ((' ' & 0x0FF) == 0x020) # define ISLOWER(c) ('a' <= (c) && (c) <= 'z') # define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) #else # define ISLOWER(c) \ (('a' <= (c) && (c) <= 'i') \ || ('j' <= (c) && (c) <= 'r') \ || ('s' <= (c) && (c) <= 'z')) # define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) #endif #define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) int main () { int i; for (i = 0; i < 256; i++) if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) return 2; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : else ac_cv_header_stdc=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 $as_echo "$ac_cv_header_stdc" >&6; } if test $ac_cv_header_stdc = yes; then $as_echo "#define STDC_HEADERS 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sys/wait.h that is POSIX.1 compatible" >&5 $as_echo_n "checking for sys/wait.h that is POSIX.1 compatible... " >&6; } if ${ac_cv_header_sys_wait_h+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef WEXITSTATUS # define WEXITSTATUS(stat_val) ((unsigned int) (stat_val) >> 8) #endif #ifndef WIFEXITED # define WIFEXITED(stat_val) (((stat_val) & 255) == 0) #endif int main () { int s; wait (&s); s = WIFEXITED (s) ? WEXITSTATUS (s) : 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_sys_wait_h=yes else ac_cv_header_sys_wait_h=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_sys_wait_h" >&5 $as_echo "$ac_cv_header_sys_wait_h" >&6; } if test $ac_cv_header_sys_wait_h = yes; then $as_echo "#define HAVE_SYS_WAIT_H 1" >>confdefs.h fi for ac_header in sys/sockio.h string.h fcntl.h sys/file.h syslog.h zlib.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in arpa/inet.h fcntl.h inttypes.h limits.h libintl.h malloc.h memory.h netdb.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in net/if.h netinet/in.h netinet/if_ether.h netinet/ether.h netinet/in_systm.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in netinet/ip.h netinet/udp.h netinet/tcp.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in stdlib.h stddef.h string.h strings.h sys/file.h sys/ioctl.h sys/param.h sys/socket.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_header in sys/time.h sys/vfs.h syslog.h termios.h unistd.h values.h features.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done # Checks for typedefs, structures, and compiler characteristics. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 $as_echo_n "checking for an ANSI C-conforming const... " >&6; } if ${ac_cv_c_const+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* AIX XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_const=yes else ac_cv_c_const=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 $as_echo "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then $as_echo "#define const /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 $as_echo_n "checking for inline... " >&6; } if ${ac_cv_c_inline+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo () {return 0; } $ac_kw foo_t foo () {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext test "$ac_cv_c_inline" != no && break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 $as_echo "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac # Check whether --enable-largefile was given. if test "${enable_largefile+set}" = set; then : enableval=$enable_largefile; fi if test "$enable_largefile" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for special C compiler options needed for large files" >&5 $as_echo_n "checking for special C compiler options needed for large files... " >&6; } if ${ac_cv_sys_largefile_CC+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_sys_largefile_CC=no if test "$GCC" != yes; then ac_save_CC=$CC while :; do # IRIX 6.2 and later do not support large files by default, # so use the C compiler's -n32 option if that helps. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include /* Check that off_t can represent 2**63 - 1 correctly. We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : break fi rm -f core conftest.err conftest.$ac_objext CC="$CC -n32" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_sys_largefile_CC=' -n32'; break fi rm -f core conftest.err conftest.$ac_objext break done CC=$ac_save_CC rm -f conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_CC" >&5 $as_echo "$ac_cv_sys_largefile_CC" >&6; } if test "$ac_cv_sys_largefile_CC" != no; then CC=$CC$ac_cv_sys_largefile_CC fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _FILE_OFFSET_BITS value needed for large files" >&5 $as_echo_n "checking for _FILE_OFFSET_BITS value needed for large files... " >&6; } if ${ac_cv_sys_file_offset_bits+:} false; then : $as_echo_n "(cached) " >&6 else while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include /* Check that off_t can represent 2**63 - 1 correctly. We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_sys_file_offset_bits=no; break fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _FILE_OFFSET_BITS 64 #include /* Check that off_t can represent 2**63 - 1 correctly. We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_sys_file_offset_bits=64; break fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_sys_file_offset_bits=unknown break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_file_offset_bits" >&5 $as_echo "$ac_cv_sys_file_offset_bits" >&6; } case $ac_cv_sys_file_offset_bits in #( no | unknown) ;; *) cat >>confdefs.h <<_ACEOF #define _FILE_OFFSET_BITS $ac_cv_sys_file_offset_bits _ACEOF ;; esac rm -rf conftest* if test $ac_cv_sys_file_offset_bits = unknown; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGE_FILES value needed for large files" >&5 $as_echo_n "checking for _LARGE_FILES value needed for large files... " >&6; } if ${ac_cv_sys_large_files+:} false; then : $as_echo_n "(cached) " >&6 else while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include /* Check that off_t can represent 2**63 - 1 correctly. We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_sys_large_files=no; break fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #define _LARGE_FILES 1 #include /* Check that off_t can represent 2**63 - 1 correctly. We can't simply define LARGE_OFF_T to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_OFF_T (((off_t) 1 << 62) - 1 + ((off_t) 1 << 62)) int off_t_is_large[(LARGE_OFF_T % 2147483629 == 721 && LARGE_OFF_T % 2147483647 == 1) ? 1 : -1]; int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_sys_large_files=1; break fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_sys_large_files=unknown break done fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_large_files" >&5 $as_echo "$ac_cv_sys_large_files" >&6; } case $ac_cv_sys_large_files in #( no | unknown) ;; *) cat >>confdefs.h <<_ACEOF #define _LARGE_FILES $ac_cv_sys_large_files _ACEOF ;; esac rm -rf conftest* fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking if unaligned accesses fail" >&5 $as_echo_n "checking if unaligned accesses fail... " >&6; } if ${ac_cv_lbl_unaligned_fail+:} false; then : $as_echo_n "(cached) " >&6 else case "$target_cpu" in # XXX: should also check that they don't do weird things (like on arm) alpha*|arm*|hp*|mips|sparc) ac_cv_lbl_unaligned_fail=yes ;; *) cat >conftest.c < # include # include unsigned char a[5] = { 1, 2, 3, 4, 5 }; main() { unsigned int i; pid_t pid; int status; /* avoid "core dumped" message */ pid = fork(); if (pid < 0) exit(2); if (pid > 0) { /* parent */ pid = waitpid(pid, &status, 0); if (pid < 0) exit(3); exit(!WIFEXITED(status)); } /* child */ i = *(unsigned int *)&a[1]; printf("%d\n", i); exit(0); } EOF ${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \ conftest.c $LIBS >/dev/null 2>&1 if test ! -x conftest ; then ac_cv_lbl_unaligned_fail=yes else ./conftest >conftest.out if test ! -s conftest.out ; then ac_cv_lbl_unaligned_fail=yes else ac_cv_lbl_unaligned_fail=no fi fi rm -rf conftest* core core.conftest ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_unaligned_fail" >&5 $as_echo "$ac_cv_lbl_unaligned_fail" >&6; } if test $ac_cv_lbl_unaligned_fail = yes ; then $as_echo "#define LBL_ALIGN /**/" >>confdefs.h fi rm -f os-proto.h if test "${LBL_CFLAGS+set}" = set; then V_CCOPT="$V_CCOPT ${LBL_CFLAGS}" fi if test -f .devel ; then V_CCOPT=`echo $V_CCOPT | sed -e 's/-O3//'` V_CCOPT=`echo $V_CCOPT | sed -e 's/-O//'` if test "$GCC" = yes ; then if test "${LBL_CFLAGS+set}" != set; then if test "$ac_cv_prog_cc_g" = yes ; then V_CCOPT="-g $V_CCOPT" fi V_CCOPT="$V_CCOPT -Wall" if test $ac_cv_lbl_gcc_vers -gt 1 ; then V_CCOPT="$V_CCOPT -Wmissing-prototypes" fi fi else case "$target_os" in solaris*) V_CCOPT="$V_CCOPT -g" ;; irix6*) V_CCOPT="$V_CCOPT -n32" ;; *) ;; esac fi fi if test -f .debug ; then $as_echo "#define ARGUSDEBUG /**/" >>confdefs.h fi if test -f .memory ; then $as_echo "#define ARGUSMEMDEBUG /**/" >>confdefs.h fi ac_fn_c_find_intX_t "$LINENO" "8" "ac_cv_c_int8_t" case $ac_cv_c_int8_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int8_t $ac_cv_c_int8_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "8" "ac_cv_c_uint8_t" case $ac_cv_c_uint8_t in #( no|yes) ;; #( *) $as_echo "#define _UINT8_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define uint8_t $ac_cv_c_uint8_t _ACEOF ;; esac ac_fn_c_find_intX_t "$LINENO" "16" "ac_cv_c_int16_t" case $ac_cv_c_int16_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int16_t $ac_cv_c_int16_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "16" "ac_cv_c_uint16_t" case $ac_cv_c_uint16_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define uint16_t $ac_cv_c_uint16_t _ACEOF ;; esac ac_fn_c_find_intX_t "$LINENO" "32" "ac_cv_c_int32_t" case $ac_cv_c_int32_t in #( no|yes) ;; #( *) cat >>confdefs.h <<_ACEOF #define int32_t $ac_cv_c_int32_t _ACEOF ;; esac ac_fn_c_find_uintX_t "$LINENO" "32" "ac_cv_c_uint32_t" case $ac_cv_c_uint32_t in #( no|yes) ;; #( *) $as_echo "#define _UINT32_T 1" >>confdefs.h cat >>confdefs.h <<_ACEOF #define uint32_t $ac_cv_c_uint32_t _ACEOF ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 $as_echo_n "checking for uid_t in sys/types.h... " >&6; } if ${ac_cv_type_uid_t+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "uid_t" >/dev/null 2>&1; then : ac_cv_type_uid_t=yes else ac_cv_type_uid_t=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 $as_echo "$ac_cv_type_uid_t" >&6; } if test $ac_cv_type_uid_t = no; then $as_echo "#define uid_t int" >>confdefs.h $as_echo "#define gid_t int" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "pid_t" "ac_cv_type_pid_t" "$ac_includes_default" if test "x$ac_cv_type_pid_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define pid_t int _ACEOF fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes; then : else cat >>confdefs.h <<_ACEOF #define size_t unsigned int _ACEOF fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 $as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } if ${ac_cv_header_time+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include int main () { if ((struct tm *) 0) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_header_time=yes else ac_cv_header_time=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 $as_echo "$ac_cv_header_time" >&6; } if test $ac_cv_header_time = yes; then $as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether struct tm is in sys/time.h or time.h" >&5 $as_echo_n "checking whether struct tm is in sys/time.h or time.h... " >&6; } if ${ac_cv_struct_tm+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { struct tm tm; int *p = &tm.tm_sec; return !p; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_struct_tm=time.h else ac_cv_struct_tm=sys/time.h fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_struct_tm" >&5 $as_echo "$ac_cv_struct_tm" >&6; } if test $ac_cv_struct_tm = sys/time.h; then $as_echo "#define TM_IN_SYS_TIME 1" >>confdefs.h fi ac_fn_c_check_member "$LINENO" "struct tm" "tm_zone" "ac_cv_member_struct_tm_tm_zone" "#include #include <$ac_cv_struct_tm> " if test "x$ac_cv_member_struct_tm_tm_zone" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRUCT_TM_TM_ZONE 1 _ACEOF fi if test "$ac_cv_member_struct_tm_tm_zone" = yes; then $as_echo "#define HAVE_TM_ZONE 1" >>confdefs.h else ac_fn_c_check_decl "$LINENO" "tzname" "ac_cv_have_decl_tzname" "#include " if test "x$ac_cv_have_decl_tzname" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_TZNAME $ac_have_decl _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking for tzname" >&5 $as_echo_n "checking for tzname... " >&6; } if ${ac_cv_var_tzname+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #if !HAVE_DECL_TZNAME extern char *tzname[]; #endif int main () { return tzname[0][0]; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_var_tzname=yes else ac_cv_var_tzname=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_var_tzname" >&5 $as_echo "$ac_cv_var_tzname" >&6; } if test $ac_cv_var_tzname = yes; then $as_echo "#define HAVE_TZNAME 1" >>confdefs.h fi fi # Checks for library functions. # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # for constant arguments. Useless! { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 $as_echo_n "checking for working alloca.h... " >&6; } if ${ac_cv_working_alloca_h+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { char *p = (char *) alloca (2 * sizeof (int)); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_working_alloca_h=yes else ac_cv_working_alloca_h=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 $as_echo "$ac_cv_working_alloca_h" >&6; } if test $ac_cv_working_alloca_h = yes; then $as_echo "#define HAVE_ALLOCA_H 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 $as_echo_n "checking for alloca... " >&6; } if ${ac_cv_func_alloca_works+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifdef __GNUC__ # define alloca __builtin_alloca #else # ifdef _MSC_VER # include # define alloca _alloca # else # ifdef HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ void *alloca (size_t); # endif # endif # endif # endif #endif int main () { char *p = (char *) alloca (1); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_func_alloca_works=yes else ac_cv_func_alloca_works=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 $as_echo "$ac_cv_func_alloca_works" >&6; } if test $ac_cv_func_alloca_works = yes; then $as_echo "#define HAVE_ALLOCA 1" >>confdefs.h else # The SVR3 libPW and SVR4 libucb both contain incompatible functions # that cause trouble. Some versions do not even contain alloca or # contain a buggy version. If you still want to use their alloca, # use ar to extract alloca.o from them instead of compiling alloca.c. ALLOCA=\${LIBOBJDIR}alloca.$ac_objext $as_echo "#define C_ALLOCA 1" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`alloca.c' needs Cray hooks" >&5 $as_echo_n "checking whether \`alloca.c' needs Cray hooks... " >&6; } if ${ac_cv_os_cray+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined CRAY && ! defined CRAY2 webecray #else wenotbecray #endif _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "webecray" >/dev/null 2>&1; then : ac_cv_os_cray=yes else ac_cv_os_cray=no fi rm -f conftest* fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_os_cray" >&5 $as_echo "$ac_cv_os_cray" >&6; } if test $ac_cv_os_cray = yes; then for ac_func in _getb67 GETB67 getb67; do as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define CRAY_STACKSEG_END $ac_func _ACEOF break fi done fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 $as_echo_n "checking stack direction for C alloca... " >&6; } if ${ac_cv_c_stack_direction+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_c_stack_direction=0 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int find_stack_direction (int *addr, int depth) { int dir, dummy = 0; if (! addr) addr = &dummy; *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; dir = depth ? find_stack_direction (addr, depth - 1) : 0; return dir + dummy; } int main (int argc, char **argv) { return find_stack_direction (0, argc + !argv + 20) < 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_c_stack_direction=1 else ac_cv_c_stack_direction=-1 fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 $as_echo "$ac_cv_c_stack_direction" >&6; } cat >>confdefs.h <<_ACEOF #define STACK_DIRECTION $ac_cv_c_stack_direction _ACEOF fi for ac_func in vprintf do : ac_fn_c_check_func "$LINENO" "vprintf" "ac_cv_func_vprintf" if test "x$ac_cv_func_vprintf" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VPRINTF 1 _ACEOF ac_fn_c_check_func "$LINENO" "_doprnt" "ac_cv_func__doprnt" if test "x$ac_cv_func__doprnt" = xyes; then : $as_echo "#define HAVE_DOPRNT 1" >>confdefs.h fi fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether closedir returns void" >&5 $as_echo_n "checking whether closedir returns void... " >&6; } if ${ac_cv_func_closedir_void+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_closedir_void=yes else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default #include <$ac_header_dirent> #ifndef __cplusplus int closedir (); #endif int main () { return closedir (opendir (".")) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_closedir_void=no else ac_cv_func_closedir_void=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_closedir_void" >&5 $as_echo "$ac_cv_func_closedir_void" >&6; } if test $ac_cv_func_closedir_void = yes; then $as_echo "#define CLOSEDIR_VOID 1" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for error_at_line" >&5 $as_echo_n "checking for error_at_line... " >&6; } if ${ac_cv_lib_error_at_line+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { error_at_line (0, 0, "", 0, "an error occurred"); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_error_at_line=yes else ac_cv_lib_error_at_line=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_error_at_line" >&5 $as_echo "$ac_cv_lib_error_at_line" >&6; } if test $ac_cv_lib_error_at_line = no; then case " $LIBOBJS " in *" error.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS error.$ac_objext" ;; esac fi for ac_header in vfork.h do : ac_fn_c_check_header_mongrel "$LINENO" "vfork.h" "ac_cv_header_vfork_h" "$ac_includes_default" if test "x$ac_cv_header_vfork_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_VFORK_H 1 _ACEOF fi done for ac_func in fork vfork do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done if test "x$ac_cv_func_fork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working fork" >&5 $as_echo_n "checking for working fork... " >&6; } if ${ac_cv_func_fork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_fork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* By Ruediger Kuhlmann. */ return fork () < 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_fork_works=yes else ac_cv_func_fork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_fork_works" >&5 $as_echo "$ac_cv_func_fork_works" >&6; } else ac_cv_func_fork_works=$ac_cv_func_fork fi if test "x$ac_cv_func_fork_works" = xcross; then case $host in *-*-amigaos* | *-*-msdosdjgpp*) # Override, as these systems have only a dummy fork() stub ac_cv_func_fork_works=no ;; *) ac_cv_func_fork_works=yes ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&2;} fi ac_cv_func_vfork_works=$ac_cv_func_vfork if test "x$ac_cv_func_vfork" = xyes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working vfork" >&5 $as_echo_n "checking for working vfork... " >&6; } if ${ac_cv_func_vfork_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_vfork_works=cross else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Thanks to Paul Eggert for this test. */ $ac_includes_default #include #ifdef HAVE_VFORK_H # include #endif /* On some sparc systems, changes by the child to local and incoming argument registers are propagated back to the parent. The compiler is told about this with #include , but some compilers (e.g. gcc -O) don't grok . Test for this by using a static variable whose address is put into a register that is clobbered by the vfork. */ static void #ifdef __cplusplus sparc_address_test (int arg) # else sparc_address_test (arg) int arg; #endif { static pid_t child; if (!child) { child = vfork (); if (child < 0) { perror ("vfork"); _exit(2); } if (!child) { arg = getpid(); write(-1, "", 0); _exit (arg); } } } int main () { pid_t parent = getpid (); pid_t child; sparc_address_test (0); child = vfork (); if (child == 0) { /* Here is another test for sparc vfork register problems. This test uses lots of local variables, at least as many local variables as main has allocated so far including compiler temporaries. 4 locals are enough for gcc 1.40.3 on a Solaris 4.1.3 sparc, but we use 8 to be safe. A buggy compiler should reuse the register of parent for one of the local variables, since it will think that parent can't possibly be used any more in this routine. Assigning to the local variable will thus munge parent in the parent process. */ pid_t p = getpid(), p1 = getpid(), p2 = getpid(), p3 = getpid(), p4 = getpid(), p5 = getpid(), p6 = getpid(), p7 = getpid(); /* Convince the compiler that p..p7 are live; otherwise, it might use the same hardware register for all 8 local variables. */ if (p != p1 || p != p2 || p != p3 || p != p4 || p != p5 || p != p6 || p != p7) _exit(1); /* On some systems (e.g. IRIX 3.3), vfork doesn't separate parent from child file descriptors. If the child closes a descriptor before it execs or exits, this munges the parent's descriptor as well. Test for this by closing stdout in the child. */ _exit(close(fileno(stdout)) != 0); } else { int status; struct stat st; while (wait(&status) != child) ; return ( /* Was there some problem with vforking? */ child < 0 /* Did the child fail? (This shouldn't happen.) */ || status /* Did the vfork/compiler bug occur? */ || parent != getpid() /* Did the file descriptor bug occur? */ || fstat(fileno(stdout), &st) != 0 ); } } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_vfork_works=yes else ac_cv_func_vfork_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_vfork_works" >&5 $as_echo "$ac_cv_func_vfork_works" >&6; } fi; if test "x$ac_cv_func_fork_works" = xcross; then ac_cv_func_vfork_works=$ac_cv_func_vfork { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&5 $as_echo "$as_me: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&2;} fi if test "x$ac_cv_func_vfork_works" = xyes; then $as_echo "#define HAVE_WORKING_VFORK 1" >>confdefs.h else $as_echo "#define vfork fork" >>confdefs.h fi if test "x$ac_cv_func_fork_works" = xyes; then $as_echo "#define HAVE_WORKING_FORK 1" >>confdefs.h fi if test $ac_cv_c_compiler_gnu = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC needs -traditional" >&5 $as_echo_n "checking whether $CC needs -traditional... " >&6; } if ${ac_cv_prog_gcc_traditional+:} false; then : $as_echo_n "(cached) " >&6 else ac_pattern="Autoconf.*'x'" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Autoconf TIOCGETP _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "$ac_pattern" >/dev/null 2>&1; then : ac_cv_prog_gcc_traditional=yes else ac_cv_prog_gcc_traditional=no fi rm -f conftest* if test $ac_cv_prog_gcc_traditional = no; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Autoconf TCGETA _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "$ac_pattern" >/dev/null 2>&1; then : ac_cv_prog_gcc_traditional=yes fi rm -f conftest* fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_gcc_traditional" >&5 $as_echo "$ac_cv_prog_gcc_traditional" >&6; } if test $ac_cv_prog_gcc_traditional = yes; then CC="$CC -traditional" fi fi for ac_header in stdlib.h do : ac_fn_c_check_header_mongrel "$LINENO" "stdlib.h" "ac_cv_header_stdlib_h" "$ac_includes_default" if test "x$ac_cv_header_stdlib_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STDLIB_H 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible malloc" >&5 $as_echo_n "checking for GNU libc compatible malloc... " >&6; } if ${ac_cv_func_malloc_0_nonnull+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_malloc_0_nonnull=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined STDC_HEADERS || defined HAVE_STDLIB_H # include #else char *malloc (); #endif int main () { return ! malloc (0); ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_malloc_0_nonnull=yes else ac_cv_func_malloc_0_nonnull=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_malloc_0_nonnull" >&5 $as_echo "$ac_cv_func_malloc_0_nonnull" >&6; } if test $ac_cv_func_malloc_0_nonnull = yes; then : $as_echo "#define HAVE_MALLOC 1" >>confdefs.h else $as_echo "#define HAVE_MALLOC 0" >>confdefs.h case " $LIBOBJS " in *" malloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;; esac $as_echo "#define malloc rpl_malloc" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working memcmp" >&5 $as_echo_n "checking for working memcmp... " >&6; } if ${ac_cv_func_memcmp_working+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_memcmp_working=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { /* Some versions of memcmp are not 8-bit clean. */ char c0 = '\100', c1 = '\200', c2 = '\201'; if (memcmp(&c0, &c2, 1) >= 0 || memcmp(&c1, &c2, 1) >= 0) return 1; /* The Next x86 OpenStep bug shows up only when comparing 16 bytes or more and with at least one buffer not starting on a 4-byte boundary. William Lewis provided this test program. */ { char foo[21]; char bar[21]; int i; for (i = 0; i < 4; i++) { char *a = foo + i; char *b = bar + i; strcpy (a, "--------01111111"); strcpy (b, "--------10000000"); if (memcmp (a, b, 16) >= 0) return 1; } return 0; } ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_memcmp_working=yes else ac_cv_func_memcmp_working=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_memcmp_working" >&5 $as_echo "$ac_cv_func_memcmp_working" >&6; } test $ac_cv_func_memcmp_working = no && case " $LIBOBJS " in *" memcmp.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS memcmp.$ac_objext" ;; esac for ac_header in $ac_header_list do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default " if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in $ac_func_list do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working mktime" >&5 $as_echo_n "checking for working mktime... " >&6; } if ${ac_cv_func_working_mktime+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_working_mktime=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Test program from Paul Eggert and Tony Leneis. */ #ifdef TIME_WITH_SYS_TIME # include # include #else # ifdef HAVE_SYS_TIME_H # include # else # include # endif #endif #include #include #ifdef HAVE_UNISTD_H # include #endif #ifndef HAVE_ALARM # define alarm(X) /* empty */ #endif /* Work around redefinition to rpl_putenv by other config tests. */ #undef putenv static time_t time_t_max; static time_t time_t_min; /* Values we'll use to set the TZ environment variable. */ static const char *tz_strings[] = { (const char *) 0, "TZ=GMT0", "TZ=JST-9", "TZ=EST+3EDT+2,M10.1.0/00:00:00,M2.3.0/00:00:00" }; #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0])) /* Return 0 if mktime fails to convert a date in the spring-forward gap. Based on a problem report from Andreas Jaeger. */ static int spring_forward_gap () { /* glibc (up to about 1998-10-07) failed this test. */ struct tm tm; /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0" instead of "TZ=America/Vancouver" in order to detect the bug even on systems that don't support the Olson extension, or don't have the full zoneinfo tables installed. */ putenv ((char*) "TZ=PST8PDT,M4.1.0,M10.5.0"); tm.tm_year = 98; tm.tm_mon = 3; tm.tm_mday = 5; tm.tm_hour = 2; tm.tm_min = 0; tm.tm_sec = 0; tm.tm_isdst = -1; return mktime (&tm) != (time_t) -1; } static int mktime_test1 (time_t now) { struct tm *lt; return ! (lt = localtime (&now)) || mktime (lt) == now; } static int mktime_test (time_t now) { return (mktime_test1 (now) && mktime_test1 ((time_t) (time_t_max - now)) && mktime_test1 ((time_t) (time_t_min + now))); } static int irix_6_4_bug () { /* Based on code from Ariel Faigon. */ struct tm tm; tm.tm_year = 96; tm.tm_mon = 3; tm.tm_mday = 0; tm.tm_hour = 0; tm.tm_min = 0; tm.tm_sec = 0; tm.tm_isdst = -1; mktime (&tm); return tm.tm_mon == 2 && tm.tm_mday == 31; } static int bigtime_test (int j) { struct tm tm; time_t now; tm.tm_year = tm.tm_mon = tm.tm_mday = tm.tm_hour = tm.tm_min = tm.tm_sec = j; now = mktime (&tm); if (now != (time_t) -1) { struct tm *lt = localtime (&now); if (! (lt && lt->tm_year == tm.tm_year && lt->tm_mon == tm.tm_mon && lt->tm_mday == tm.tm_mday && lt->tm_hour == tm.tm_hour && lt->tm_min == tm.tm_min && lt->tm_sec == tm.tm_sec && lt->tm_yday == tm.tm_yday && lt->tm_wday == tm.tm_wday && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst) == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst)))) return 0; } return 1; } static int year_2050_test () { /* The correct answer for 2050-02-01 00:00:00 in Pacific time, ignoring leap seconds. */ unsigned long int answer = 2527315200UL; struct tm tm; time_t t; tm.tm_year = 2050 - 1900; tm.tm_mon = 2 - 1; tm.tm_mday = 1; tm.tm_hour = tm.tm_min = tm.tm_sec = 0; tm.tm_isdst = -1; /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0" instead of "TZ=America/Vancouver" in order to detect the bug even on systems that don't support the Olson extension, or don't have the full zoneinfo tables installed. */ putenv ((char*) "TZ=PST8PDT,M4.1.0,M10.5.0"); t = mktime (&tm); /* Check that the result is either a failure, or close enough to the correct answer that we can assume the discrepancy is due to leap seconds. */ return (t == (time_t) -1 || (0 < t && answer - 120 <= t && t <= answer + 120)); } int main () { time_t t, delta; int i, j; /* This test makes some buggy mktime implementations loop. Give up after 60 seconds; a mktime slower than that isn't worth using anyway. */ alarm (60); for (;;) { t = (time_t_max << 1) + 1; if (t <= time_t_max) break; time_t_max = t; } time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max; delta = time_t_max / 997; /* a suitable prime number */ for (i = 0; i < N_STRINGS; i++) { if (tz_strings[i]) putenv ((char*) tz_strings[i]); for (t = 0; t <= time_t_max - delta; t += delta) if (! mktime_test (t)) return 1; if (! (mktime_test ((time_t) 1) && mktime_test ((time_t) (60 * 60)) && mktime_test ((time_t) (60 * 60 * 24)))) return 1; for (j = 1; ; j <<= 1) if (! bigtime_test (j)) return 1; else if (INT_MAX / 2 < j) break; if (! bigtime_test (INT_MAX)) return 1; } return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ()); } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_working_mktime=yes else ac_cv_func_working_mktime=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_working_mktime" >&5 $as_echo "$ac_cv_func_working_mktime" >&6; } if test $ac_cv_func_working_mktime = no; then case " $LIBOBJS " in *" mktime.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS mktime.$ac_objext" ;; esac fi for ac_header in stdlib.h do : ac_fn_c_check_header_mongrel "$LINENO" "stdlib.h" "ac_cv_header_stdlib_h" "$ac_includes_default" if test "x$ac_cv_header_stdlib_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STDLIB_H 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible realloc" >&5 $as_echo_n "checking for GNU libc compatible realloc... " >&6; } if ${ac_cv_func_realloc_0_nonnull+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_realloc_0_nonnull=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined STDC_HEADERS || defined HAVE_STDLIB_H # include #else char *realloc (); #endif int main () { return ! realloc (0, 0); ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_realloc_0_nonnull=yes else ac_cv_func_realloc_0_nonnull=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_realloc_0_nonnull" >&5 $as_echo "$ac_cv_func_realloc_0_nonnull" >&6; } if test $ac_cv_func_realloc_0_nonnull = yes; then : $as_echo "#define HAVE_REALLOC 1" >>confdefs.h else $as_echo "#define HAVE_REALLOC 0" >>confdefs.h case " $LIBOBJS " in *" realloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS realloc.$ac_objext" ;; esac $as_echo "#define realloc rpl_realloc" >>confdefs.h fi for ac_header in sys/select.h sys/socket.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking types of arguments for select" >&5 $as_echo_n "checking types of arguments for select... " >&6; } if ${ac_cv_func_select_args+:} false; then : $as_echo_n "(cached) " >&6 else for ac_arg234 in 'fd_set *' 'int *' 'void *'; do for ac_arg1 in 'int' 'size_t' 'unsigned long int' 'unsigned int'; do for ac_arg5 in 'struct timeval *' 'const struct timeval *'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default #ifdef HAVE_SYS_SELECT_H # include #endif #ifdef HAVE_SYS_SOCKET_H # include #endif int main () { extern int select ($ac_arg1, $ac_arg234, $ac_arg234, $ac_arg234, $ac_arg5); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_func_select_args="$ac_arg1,$ac_arg234,$ac_arg5"; break 3 fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext done done done # Provide a safe default value. : "${ac_cv_func_select_args=int,int *,struct timeval *}" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_select_args" >&5 $as_echo "$ac_cv_func_select_args" >&6; } ac_save_IFS=$IFS; IFS=',' set dummy `echo "$ac_cv_func_select_args" | sed 's/\*/\*/g'` IFS=$ac_save_IFS shift cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG1 $1 _ACEOF cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG234 ($2) _ACEOF cat >>confdefs.h <<_ACEOF #define SELECT_TYPE_ARG5 ($3) _ACEOF rm -f conftest* { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 $as_echo_n "checking return type of signal handlers... " >&6; } if ${ac_cv_type_signal+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main () { return *(signal (0, 0)) (0) == 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_type_signal=int else ac_cv_type_signal=void fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5 $as_echo "$ac_cv_type_signal" >&6; } cat >>confdefs.h <<_ACEOF #define RETSIGTYPE $ac_cv_type_signal _ACEOF { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether lstat correctly handles trailing slash" >&5 $as_echo_n "checking whether lstat correctly handles trailing slash... " >&6; } if ${ac_cv_func_lstat_dereferences_slashed_symlink+:} false; then : $as_echo_n "(cached) " >&6 else rm -f conftest.sym conftest.file echo >conftest.file if test "$as_ln_s" = "ln -s" && ln -s conftest.file conftest.sym; then if test "$cross_compiling" = yes; then : ac_cv_func_lstat_dereferences_slashed_symlink=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { struct stat sbuf; /* Linux will dereference the symlink and fail, as required by POSIX. That is better in the sense that it means we will not have to compile and use the lstat wrapper. */ return lstat ("conftest.sym/", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_lstat_dereferences_slashed_symlink=yes else ac_cv_func_lstat_dereferences_slashed_symlink=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi else # If the `ln -s' command failed, then we probably don't even # have an lstat function. ac_cv_func_lstat_dereferences_slashed_symlink=no fi rm -f conftest.sym conftest.file fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5 $as_echo "$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; } test $ac_cv_func_lstat_dereferences_slashed_symlink = yes && cat >>confdefs.h <<_ACEOF #define LSTAT_FOLLOWS_SLASHED_SYMLINK 1 _ACEOF if test "x$ac_cv_func_lstat_dereferences_slashed_symlink" = xno; then case " $LIBOBJS " in *" lstat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stat accepts an empty string" >&5 $as_echo_n "checking whether stat accepts an empty string... " >&6; } if ${ac_cv_func_stat_empty_string_bug+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_stat_empty_string_bug=yes else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main () { struct stat sbuf; return stat ("", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_stat_empty_string_bug=no else ac_cv_func_stat_empty_string_bug=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_stat_empty_string_bug" >&5 $as_echo "$ac_cv_func_stat_empty_string_bug" >&6; } if test $ac_cv_func_stat_empty_string_bug = yes; then case " $LIBOBJS " in *" stat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;; esac cat >>confdefs.h <<_ACEOF #define HAVE_STAT_EMPTY_STRING_BUG 1 _ACEOF fi for ac_func in strftime do : ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" if test "x$ac_cv_func_strftime" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRFTIME 1 _ACEOF else # strftime is in -lintl on SCO UNIX. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for strftime in -lintl" >&5 $as_echo_n "checking for strftime in -lintl... " >&6; } if ${ac_cv_lib_intl_strftime+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lintl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char strftime (); int main () { return strftime (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_intl_strftime=yes else ac_cv_lib_intl_strftime=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_intl_strftime" >&5 $as_echo "$ac_cv_lib_intl_strftime" >&6; } if test "x$ac_cv_lib_intl_strftime" = xyes; then : $as_echo "#define HAVE_STRFTIME 1" >>confdefs.h LIBS="-lintl $LIBS" fi fi done { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working strtod" >&5 $as_echo_n "checking for working strtod... " >&6; } if ${ac_cv_func_strtod+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : ac_cv_func_strtod=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default #ifndef strtod double strtod (); #endif int main() { { /* Some versions of Linux strtod mis-parse strings with leading '+'. */ char *string = " +69"; char *term; double value; value = strtod (string, &term); if (value != 69 || term != (string + 4)) return 1; } { /* Under Solaris 2.4, strtod returns the wrong value for the terminating character under some conditions. */ char *string = "NaN"; char *term; strtod (string, &term); if (term != string && *(term - 1) == 0) return 1; } return 0; } _ACEOF if ac_fn_c_try_run "$LINENO"; then : ac_cv_func_strtod=yes else ac_cv_func_strtod=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_strtod" >&5 $as_echo "$ac_cv_func_strtod" >&6; } if test $ac_cv_func_strtod = no; then case " $LIBOBJS " in *" strtod.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS strtod.$ac_objext" ;; esac ac_fn_c_check_func "$LINENO" "pow" "ac_cv_func_pow" if test "x$ac_cv_func_pow" = xyes; then : fi if test $ac_cv_func_pow = no; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pow in -lm" >&5 $as_echo_n "checking for pow in -lm... " >&6; } if ${ac_cv_lib_m_pow+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lm $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char pow (); int main () { return pow (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_m_pow=yes else ac_cv_lib_m_pow=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_pow" >&5 $as_echo "$ac_cv_lib_m_pow" >&6; } if test "x$ac_cv_lib_m_pow" = xyes; then : POW_LIB=-lm else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library containing definition of pow" >&5 $as_echo "$as_me: WARNING: cannot find library containing definition of pow" >&2;} fi fi fi for ac_func in backtrace do : ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace" if test "x$ac_cv_func_backtrace" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_BACKTRACE 1 _ACEOF fi done for ac_func in openlog syslog do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in vfprintf strlcpy do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in strftime do : ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" if test "x$ac_cv_func_strftime" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRFTIME 1 _ACEOF fi done for ac_func in inet_aton do : ac_fn_c_check_func "$LINENO" "inet_aton" "ac_cv_func_inet_aton" if test "x$ac_cv_func_inet_aton" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_INET_ATON 1 _ACEOF fi done for ac_func in setlinebuf do : ac_fn_c_check_func "$LINENO" "setlinebuf" "ac_cv_func_setlinebuf" if test "x$ac_cv_func_setlinebuf" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SETLINEBUF 1 _ACEOF fi done for ac_func in strerror strtof do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in floorf remainderf do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in timegm do : ac_fn_c_check_func "$LINENO" "timegm" "ac_cv_func_timegm" if test "x$ac_cv_func_timegm" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_TIMEGM 1 _ACEOF fi done for ac_func in xdrmem_create do : ac_fn_c_check_func "$LINENO" "xdrmem_create" "ac_cv_func_xdrmem_create" if test "x$ac_cv_func_xdrmem_create" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_XDRMEM_CREATE 1 _ACEOF fi done if test "$ac_cv_func_xdrmem_create" = yes ; then $as_echo "#define HAVE_XDR /**/" >>confdefs.h else case "$target_cpu" in cygwin*) ;; esac fi needsnprintf=no for ac_func in vsnprintf snprintf do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF else needsnprintf=yes fi done if test $needsnprintf = yes; then case " $LIBOBJS " in *" snprintf.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS snprintf.$ac_objext" ;; esac fi # # Do this before checking for ether_hostton(), as it's a # "gethostbyname() -ish function". # # Most operating systems have gethostbyname() in the default searched # libraries (i.e. libc): # Some OSes (eg. Solaris) place it in libnsl # Some strange OSes (SINIX) have it in libsocket: { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing gethostbyname" >&5 $as_echo_n "checking for library containing gethostbyname... " >&6; } if ${ac_cv_search_gethostbyname+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char gethostbyname (); int main () { return gethostbyname (); ; return 0; } _ACEOF for ac_lib in '' nsl socket resolv; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_gethostbyname=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_gethostbyname+:} false; then : break fi done if ${ac_cv_search_gethostbyname+:} false; then : else ac_cv_search_gethostbyname=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gethostbyname" >&5 $as_echo "$ac_cv_search_gethostbyname" >&6; } ac_res=$ac_cv_search_gethostbyname if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi # Unfortunately libsocket sometimes depends on libnsl and # AC_SEARCH_LIBS isn't up to the task of handling dependencies like this. if test "$ac_cv_search_gethostbyname" = "no" then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lsocket" >&5 $as_echo_n "checking for gethostbyname in -lsocket... " >&6; } if ${ac_cv_lib_socket_gethostbyname+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char gethostbyname (); int main () { return gethostbyname (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_socket_gethostbyname=yes else ac_cv_lib_socket_gethostbyname=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_gethostbyname" >&5 $as_echo "$ac_cv_lib_socket_gethostbyname" >&6; } if test "x$ac_cv_lib_socket_gethostbyname" = xyes; then : LIBS="-lsocket -lnsl $LIBS" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5 $as_echo_n "checking for library containing socket... " >&6; } if ${ac_cv_search_socket+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char socket (); int main () { return socket (); ; return 0; } _ACEOF for ac_lib in '' socket; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_socket=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_socket+:} false; then : break fi done if ${ac_cv_search_socket+:} false; then : else ac_cv_search_socket=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_socket" >&5 $as_echo "$ac_cv_search_socket" >&6; } ac_res=$ac_cv_search_socket if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 $as_echo_n "checking for socket in -lsocket... " >&6; } if ${ac_cv_lib_socket_socket+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char socket (); int main () { return socket (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_socket_socket=yes else ac_cv_lib_socket_socket=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 $as_echo "$ac_cv_lib_socket_socket" >&6; } if test "x$ac_cv_lib_socket_socket" = xyes; then : LIBS="-lsocket -lnsl $LIBS" fi fi # DLPI needs putmsg under HPUX so test for -lstr while we're at it { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing putmsg" >&5 $as_echo_n "checking for library containing putmsg... " >&6; } if ${ac_cv_search_putmsg+:} false; then : $as_echo_n "(cached) " >&6 else ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char putmsg (); int main () { return putmsg (); ; return 0; } _ACEOF for ac_lib in '' str; do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO"; then : ac_cv_search_putmsg=$ac_res fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext if ${ac_cv_search_putmsg+:} false; then : break fi done if ${ac_cv_search_putmsg+:} false; then : else ac_cv_search_putmsg=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_putmsg" >&5 $as_echo "$ac_cv_search_putmsg" >&6; } ac_res=$ac_cv_search_putmsg if test "$ac_res" != no; then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi for ac_func in ether_hostton getaddrinfo gethostname do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done if test "$ac_cv_func_ether_hostton" = yes; then # # OK, we have ether_hostton(). Do we have ? # if test "$ac_cv_header_netinet_if_ether_h" = yes; then # # Yes. Does it declare ether_hostton()? # ac_fn_c_check_decl "$LINENO" "ether_hostton" "ac_cv_have_decl_ether_hostton" " #include #include #include #include struct mbuf; struct rtentry; #include #include " if test "x$ac_cv_have_decl_ether_hostton" = xyes; then : $as_echo "#define NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON /**/" >>confdefs.h fi fi # # Did that succeed? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, how about , as on Linux? # for ac_header in netinet/ether.h do : ac_fn_c_check_header_mongrel "$LINENO" "netinet/ether.h" "ac_cv_header_netinet_ether_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_ether_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_NETINET_ETHER_H 1 _ACEOF fi done if test "$ac_cv_header_netinet_ether_h" = yes; then # # We have it - does it declare ether_hostton()? # Unset ac_cv_have_decl_ether_hostton so we don't # treat the previous failure as a cached value and # suppress the next test. # unset ac_cv_have_decl_ether_hostton ac_fn_c_check_decl "$LINENO" "ether_hostton" "ac_cv_have_decl_ether_hostton" " #include " if test "x$ac_cv_have_decl_ether_hostton" = xyes; then : $as_echo "#define NETINET_ETHER_H_DECLARES_ETHER_HOSTTON /**/" >>confdefs.h fi fi fi # # Is ether_hostton() declared? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, we'll have to declare it ourselves. # Do we have "struct ether_addr"? # ac_fn_c_check_type "$LINENO" "struct ether_addr" "ac_cv_type_struct_ether_addr" " #include #include #include #include struct mbuf; struct rtentry; #include #include " if test "x$ac_cv_type_struct_ether_addr" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_STRUCT_ETHER_ADDR 1 _ACEOF fi $as_echo "#define HAVE_DECL_ETHER_HOSTTON 0" >>confdefs.h else $as_echo "#define HAVE_DECL_ETHER_HOSTTON 1" >>confdefs.h fi fi if test "$ac_cv_type_struct_ether_addr" = yes ; then $as_echo "#define HAVE_STRUCT_ETHER_ADDR /**/" >>confdefs.h fi if test "$tcl_cv_member_tm_gmtoff" = yes ; then $as_echo "#define HAVE_TM_GMTOFF /**/" >>confdefs.h fi for ac_func in alarm bzero endgrent endpwent floor gethostbyaddr gethostbyname getpass gettimeofday inet_ntoa isascii localtime_r do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in memchr memmove memset mkdir modf pow putenv realpath regcomp select setenv socket sqrt strcasecmp strchr do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done for ac_func in strdup strlcat strncasecmp strpbrk strrchr strstr strtol srandomdev tzset do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes"; then : cat >>confdefs.h <<_ACEOF #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 _ACEOF fi done case "$target_os" in *darwin*) COMPATLIB="-lz" ;; *) if test "$ac_cv_header_zlib_h" = yes ; then COMPATLIB="-lm -lz" else COMPATLIB="-lm" fi ;; esac if test -f .memory ; then $as_echo "#define ARGUSMEMDEBUG /**/" >>confdefs.h fi # Check whether --with-threads was given. if test "${with_threads+set}" = set; then : withval=$with_threads; with_threads="$withval" else with_threads="yes" fi if test "$with_threads" != no; then case "$host_os" in *openbsd*) ;; *) { $as_echo "$as_me:${as_lineno-$LINENO}: checking for .threads" >&5 $as_echo_n "checking for .threads... " >&6; } if test -f .threads ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } V_THREADS="" if test "$GCC" = yes ; then case "$host_os" in *darwin*) ;; cygwin*) ;; *) V_THREADS="-lpthread $V_THREADS" ;; esac else case "$host_os" in solaris*) V_THREADS="-mt -lpthread $V_THREADS" ;; cygwin*) ;; *darwin*) ;; *) V_THREADS="-lpthread $V_THREADS" ;; esac fi $as_echo "#define ARGUS_THREADS /**/" >>confdefs.h for ac_func in sched_get_priority_min do : ac_fn_c_check_func "$LINENO" "sched_get_priority_min" "ac_cv_func_sched_get_priority_min" if test "x$ac_cv_func_sched_get_priority_min" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_SCHED_GET_PRIORITY_MIN 1 _ACEOF fi done else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi ;; esac fi # Check whether --with-tcpwrappers was given. if test "${with_tcpwrappers+set}" = set; then : withval=$with_tcpwrappers; with_wrappers="$withval" else with_wrappers="yes" fi if test ${with_wrappers} != "no"; then saved_CPPFLAGS=$CPPFLAGS saved_LDFLAGS=$LDFLAGS saved_LIBS=$LIBS if test ${with_wrappers} != "yes"; then CPPFLAGS="${saved_CPPFLAGS} -I${with_wrappers}/include" LDFLAGS="${save_LDFLAGS} -L${with_wrappers}/lib" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for local tcp_wrappers library" >&5 $as_echo_n "checking for local tcp_wrappers library... " >&6; } libwrap=FAIL lastdir=FAIL pwdir=`pwd` places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | egrep 'tcp_wrappers'` for dir in $places; do if test $lastdir = $dir ; then continue; fi lastdir=$dir if test -r $dir/libwrap.a ; then libwrap=$dir/libwrap.a d=$dir fi done if test $libwrap = FAIL ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for system tcp_wrappers library" >&5 $as_echo_n "checking for system tcp_wrappers library... " >&6; } case "$target_os" in solaris*) CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; darwin*) CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; esac for ac_header in tcpd.h do : ac_fn_c_check_header_mongrel "$LINENO" "tcpd.h" "ac_cv_header_tcpd_h" "$ac_includes_default" if test "x$ac_cv_header_tcpd_h" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_TCPD_H 1 _ACEOF ac_fn_c_check_decl "$LINENO" "fromhost " "ac_cv_have_decl_fromhost_" " #include " if test "x$ac_cv_have_decl_fromhost_" = xyes; then : ac_have_decl=1 else ac_have_decl=0 fi cat >>confdefs.h <<_ACEOF #define HAVE_DECL_FROMHOST_ $ac_have_decl _ACEOF if test $ac_have_decl = 1; then : fi else ac_cv_found_wrappers=no fi done if test "$ac_cv_found_wrappers" != no; then V_WRAPDEP="-lwrap" V_INCLS=$CPPFLAGS $as_echo "#define ARGUS_WRAPPERS /**/" >>confdefs.h else LIBS=$saved_LIBS LDFLAGS=$saved_LDFLAGS CPPFLAGS=$saved_CPPFLAGS fi fi fi fi if test ! -z "$V_WRAPDEP"; then if test -f "$V_WRAPDEP"; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi wrapdir=`echo $V_WRAPDEP | sed -e 's/^\.\./..\/../'` ln -s $wrapdir lib/libwrap.a V_WRAPDEP="../lib/libwrap.a" else if test "$V_WRAPDEP" = "-lwrap" ; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi case "$target_os" in linux*) V_WRAPDEP="$V_WRAPDEP -lnsl";; esac fi fi $as_echo "#define HAVE_TCP_WRAPPER /**/" >>confdefs.h WRAPLIBS="$V_WRAPDEP" fi # Check whether --with-libpcap was given. if test "${with_libpcap+set}" = set; then : withval=$with_libpcap; with_libpcap="$withval" else with_libpcap="yes" fi LBL_LIBS="$LIBS" libpcap=FAIL lastdir=FAIL if test ${with_libpcap} != "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for specified library" >&5 $as_echo_n "checking for specified library... " >&6; } for dir in ${with_libpcap}; do if test -r $dir/libpcap.a ; then if test -x $dir/pcap-config ; then libpcap="$dir/libpcap.a `$dir/pcap-config --additional-libs --static`" else libpcap=$dir/libpcap.a fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libpcap" >&5 $as_echo "$libpcap" >&6; } V_PCAPDEP=$libpcap { $as_echo "$as_me:${as_lineno-$LINENO}: checking for specified pcap.h" >&5 $as_echo_n "checking for specified pcap.h... " >&6; } if test -r $dir/pcap.h; then d=$dir { $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5 $as_echo "found" >&6; } V_INCLS="-I$d $V_INCLS" else { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: not found" >&5 $as_echo "$as_me: WARNING: not found" >&2;} fi fi done else pfopen=/usr/examples/packetfilter/pfopen.c if test -f $pfopen ; then for ac_func in pfopen do : ac_fn_c_check_func "$LINENO" "pfopen" "ac_cv_func_pfopen" if test "x$ac_cv_func_pfopen" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PFOPEN 1 _ACEOF fi done if test $ac_cv_func_pfopen = "no" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: Using $pfopen" >&5 $as_echo "Using $pfopen" >&6; } LIBS="$LIBS $pfopen" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for local pcap library" >&5 $as_echo_n "checking for local pcap library... " >&6; } places=`ls $srcdir/.. | sed -e 's,/$,,' -e "s,^,$srcdir/../," | \ egrep '/libpcap-[0-9]*.[0-9]*(.[0-9]*)?([ab][0-9]*)?$'` for dir in $places $srcdir/../libpcap $srcdir/libpcap ; do basedir=`echo $dir | sed -e 's/[ab][0-9]*$//'` if test $lastdir = $basedir ; then continue; fi lastdir=$dir if test -r $dir/libpcap.a ; then if test -r $dir/pcap.h ; then libpcap=$dir/libpcap.a d=$dir fi fi done if ! test "$libpcap" = FAIL; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libpcap" >&5 $as_echo "$libpcap" >&6; } V_PCAPDEP=$libpcap V_INCLS="-I$d $V_INCLS" # Extract the first word of "pcap-config", so it can be a program name with args. set dummy pcap-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PCAP_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $PCAP_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PCAP_CONFIG="$PCAP_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $d do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PCAP_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi PCAP_CONFIG=$ac_cv_path_PCAP_CONFIG if test -n "$PCAP_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PCAP_CONFIG" >&5 $as_echo "$PCAP_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test -n "$PCAP_CONFIG"; then # # The libpcap directory has a pcap-config script. # Use it to get any additioal libraries needed # to link with the libpcap archive library in # that directory # libpcap="$libpcap `$PCAP_CONFIG --additional-libs --static`" fi fi fi if test "$libpcap" = FAIL ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } # # Look for pcap-config. # # Extract the first word of "pcap-config", so it can be a program name with args. set dummy pcap-config; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_path_PCAP_CONFIG+:} false; then : $as_echo_n "(cached) " >&6 else case $PCAP_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PCAP_CONFIG="$PCAP_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then ac_cv_path_PCAP_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac fi PCAP_CONFIG=$ac_cv_path_PCAP_CONFIG if test -n "$PCAP_CONFIG"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PCAP_CONFIG" >&5 $as_echo "$PCAP_CONFIG" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test -n "$PCAP_CONFIG" ; then # # Found - use it to get the include flags for # libpcap and the flags to link with libpcap. # libpcap="`$PCAP_CONFIG --libs`" V_INCLS="`$PCAP_CONFIG --cflags` $V_INCLS" V_PCAPDEP="$libpcap" else { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpcap" >&5 $as_echo_n "checking for main in -lpcap... " >&6; } if ${ac_cv_lib_pcap_main+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_pcap_main=yes else ac_cv_lib_pcap_main=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_main" >&5 $as_echo "$ac_cv_lib_pcap_main" >&6; } if test "x$ac_cv_lib_pcap_main" = xyes; then : libpcap="-lpcap" fi if test $libpcap = FAIL ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpcap" >&5 $as_echo_n "checking for main in -lpcap... " >&6; } if ${ac_cv_lib_pcap_main+:} false; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO"; then : ac_cv_lib_pcap_main=yes else ac_cv_lib_pcap_main=no fi rm -f core conftest.err conftest.$ac_objext \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_main" >&5 $as_echo "$ac_cv_lib_pcap_main" >&6; } if test "x$ac_cv_lib_pcap_main" = xyes; then : libpcap="-lwpcap" fi if test $libpcap = FAIL ; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for local wpcap library" >&5 $as_echo_n "checking for local wpcap library... " >&6; } dir="../WpdPack" if test -r $dir/Lib/libwpcap.a; then V_PCAPDEP="$dir/Lib/libwpcap.a" else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } as_fn_error $? "see the INSTALL doc for more info" "$LINENO" 5 fi else V_PCAPDEP="$libpcap" fi else V_PCAPDEP="$libpcap" fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for extraneous pcap header directories" >&5 $as_echo_n "checking for extraneous pcap header directories... " >&6; } if test \( ! -r /usr/local/include/pcap.h \) -a \ \( ! -r /usr/include/pcap.h \); then if test -r /usr/local/include/pcap/pcap.h; then d="/usr/local/include/pcap" elif test -r /usr/include/pcap/pcap.h; then d="/usr/include/pcap" elif test -r $dir/Include/pcap.h; then d=$dir/Include fi fi if test -z "$d" ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 $as_echo "not found" >&6; } else V_INCLS="-I$d $V_INCLS" { $as_echo "$as_me:${as_lineno-$LINENO}: result: found -- -I$d added" >&5 $as_echo "found -- -I$d added" >&6; } fi fi fi V_INCLS=`echo $V_INCLS | sed -e 's/\.\./..\/../'` LIBS="$LIBS $libpcap" case "$host_os" in aix*) pseexe="/lib/pse.exp" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $pseexe" >&5 $as_echo_n "checking for $pseexe... " >&6; } if test -f $pseexe ; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } LIBS="$LIBS -I:$pseexe" fi # # We need "-lodm" and "-lcfg", as libpcap requires them on # AIX, and we just build a static libpcap.a and thus can't # arrange that when you link with libpcap you automatically # link with those libraries. # LIBS="$LIBS -lodm -lcfg" ;; esac ac_fn_c_check_func "$LINENO" "pcap_list_datalinks" "ac_cv_func_pcap_list_datalinks" if test "x$ac_cv_func_pcap_list_datalinks" = xyes; then : $as_echo "#define HAVE_PCAP_LIST_DATALINKS /**/" >>confdefs.h else case " $LIBOBJS " in *" datalinks.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS datalinks.$ac_objext" ;; esac fi ac_fn_c_check_func "$LINENO" "pcap_set_datalink" "ac_cv_func_pcap_set_datalink" if test "x$ac_cv_func_pcap_set_datalink" = xyes; then : $as_echo "#define HAVE_PCAP_SET_DATALINK /**/" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_datalink_name_to_val" "ac_cv_func_pcap_datalink_name_to_val" if test "x$ac_cv_func_pcap_datalink_name_to_val" = xyes; then : $as_echo "#define HAVE_PCAP_DATALINK_NAME_TO_VAL /**/" >>confdefs.h ac_fn_c_check_func "$LINENO" "pcap_datalink_val_to_description" "ac_cv_func_pcap_datalink_val_to_description" if test "x$ac_cv_func_pcap_datalink_val_to_description" = xyes; then : $as_echo "#define HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION /**/" >>confdefs.h else case " $LIBOBJS " in *" dlnames.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS dlnames.$ac_objext" ;; esac fi else case " $LIBOBJS " in *" dlnames.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS dlnames.$ac_objext" ;; esac fi for ac_func in pcap_set_buffer_size do : ac_fn_c_check_func "$LINENO" "pcap_set_buffer_size" "ac_cv_func_pcap_set_buffer_size" if test "x$ac_cv_func_pcap_set_buffer_size" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_SET_BUFFER_SIZE 1 _ACEOF fi done for ac_func in pcap_fopen_offline do : ac_fn_c_check_func "$LINENO" "pcap_fopen_offline" "ac_cv_func_pcap_fopen_offline" if test "x$ac_cv_func_pcap_fopen_offline" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_FOPEN_OFFLINE 1 _ACEOF fi done for ac_func in pcap_get_selectable_fd do : ac_fn_c_check_func "$LINENO" "pcap_get_selectable_fd" "ac_cv_func_pcap_get_selectable_fd" if test "x$ac_cv_func_pcap_get_selectable_fd" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_GET_SELECTABLE_FD 1 _ACEOF fi done for ac_func in pcap_next_ex do : ac_fn_c_check_func "$LINENO" "pcap_next_ex" "ac_cv_func_pcap_next_ex" if test "x$ac_cv_func_pcap_next_ex" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_NEXT_EX 1 _ACEOF fi done for ac_func in pcap_dump_ftell do : ac_fn_c_check_func "$LINENO" "pcap_dump_ftell" "ac_cv_func_pcap_dump_ftell" if test "x$ac_cv_func_pcap_dump_ftell" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_DUMP_FTELL 1 _ACEOF fi done for ac_func in pcap_dump_flush do : ac_fn_c_check_func "$LINENO" "pcap_dump_flush" "ac_cv_func_pcap_dump_flush" if test "x$ac_cv_func_pcap_dump_flush" = xyes; then : cat >>confdefs.h <<_ACEOF #define HAVE_PCAP_DUMP_FLUSH 1 _ACEOF fi done LIBS="$LBL_LIBS" if test ! -z "$V_PCAPDEP"; then if test -f "$V_PCAPDEP"; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi pcapdir=`echo $V_PCAPDEP | sed -e 's/\.\./..\/../'` ln -s $pcapdir lib/libpcap.a V_PCAPDEP="../lib/libpcap.a" else if test "$V_PCAPDEP" = "-lpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi if test "$V_PCAPDEP" = "-lwpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi fi LIBS="$LIBS $V_PCAPDEP" fi case "$target_cpu" in *86) have_x86=yes; ;; powerpc-apple*) ;; powerpc64-*-linux-gnu) V_CCOPT="$V_CCOPT -m64 -fPIC" ;; esac case "$target_os" in aix*) have_sun=yes; ;; darwin*) have_darwin=yes; ;; hpux9*) have_hpux_nine=yes; ;; hpux10.0*) ;; hpux10.1*) ;; hpux*) have_hpux_ten=yes; ;; sinix*) { $as_echo "$as_me:${as_lineno-$LINENO}: checking if SINIX compiler defines sinix" >&5 $as_echo_n "checking if SINIX compiler defines sinix... " >&6; } if ${ac_cv_cc_sinix_defined+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { int i = sinix; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_cc_sinix_defined=yes else ac_cv_cc_sinix_defined=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cc_sinix_defined" >&5 $as_echo "$ac_cv_cc_sinix_defined" >&6; } if test "$ac_cv_cc_sinix_defined" = "no" ; then $as_echo "#define sinix /**/" >>confdefs.h fi ;; solaris*) $as_echo "#define HAVE_SOLARIS 1" >>confdefs.h { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LD_LIBRARY_PATH" >&5 $as_echo_n "checking for LD_LIBRARY_PATH... " >&6; } if test "x$LD_LIBRARY_PATH" != "x" ; then LIBS="$LIBS -R$LD_LIBRARY_PATH" { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes -- added LD_LIBRARY_PATH to run-time linker path" >&5 $as_echo "yes -- added LD_LIBRARY_PATH to run-time linker path" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no -- this may be a problem in a few seconds" >&5 $as_echo "no -- this may be a problem in a few seconds" >&6; } fi COMPATLIB="-lsocket -lnsl -lrt $COMPATLIB" ;; linux*) ;; cygwin*) have_cygwin=yes; V_INCLS="$V_INCLS -I../include/cygwin-include" ;; esac if test "$have_x86" = yes ; then $as_echo "#define CONFIG_X86_BSWAP /**/" >>confdefs.h fi if test "$have_darwin" = yes ; then $as_echo "#define HAVE_DARWIN /**/" >>confdefs.h fi if test "$have_hpux_nine" = yes ; then $as_echo "#define HAVE_HPUX9 /**/" >>confdefs.h fi if test "$have_hpux_ten" = yes ; then $as_echo "#define HAVE_HPUX10_20 /**/" >>confdefs.h fi if test "$have_sun" = yes ; then $as_echo "#define _SUN /**/" >>confdefs.h fi if test "$have_cygwin" = yes ; then $as_echo "#define CYGWIN /**/" >>confdefs.h fi if test "$with_pluribus" = yes ; then $as_echo "#define ARGUS_PLURIBUS /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking tm_gmtoff in struct tm" >&5 $as_echo_n "checking tm_gmtoff in struct tm... " >&6; } if ${tcl_cv_member_tm_gmtoff+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { struct tm tm; tm.tm_gmtoff; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : tcl_cv_member_tm_gmtoff=yes else tcl_cv_member_tm_gmtoff=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_member_tm_gmtoff" >&5 $as_echo "$tcl_cv_member_tm_gmtoff" >&6; } if test $tcl_cv_member_tm_gmtoff = yes ; then $as_echo "#define HAVE_TM_GMTOFF /**/" >>confdefs.h fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking sys_errlist in stdio.h" >&5 $as_echo_n "checking sys_errlist in stdio.h... " >&6; } if ${arg_cv_sys_errlist+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { char *ptr = sys_errlist[0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : arg_cv_sys_errlist=yes else arg_cv_sys_errlist=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $arg_cv_sys_errlist" >&5 $as_echo "$arg_cv_sys_errlist" >&6; } if test $arg_cv_sys_errlist = yes ; then $as_echo "#define HAVE_SYS_ERRLIST /**/" >>confdefs.h fi INSTALL_LIB="../lib" INSTALL_BIN="../bin" ac_config_files="$ac_config_files Makefile ./common/Makefile ./argus/Makefile ./events/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by Argus Server Programs $as_me 3.0.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Report bugs to . Argus Server Programs home page: ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ Argus Server Programs config.status 3.0.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" Copyright (C) 2012 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "include/argus_config.h") CONFIG_HEADERS="$CONFIG_HEADERS include/argus_config.h" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "./common/Makefile") CONFIG_FILES="$CONFIG_FILES ./common/Makefile" ;; "./argus/Makefile") CONFIG_FILES="$CONFIG_FILES ./argus/Makefile" ;; "./events/Makefile") CONFIG_FILES="$CONFIG_FILES ./events/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 $as_echo "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else $as_echo "/* $configure_input */" \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi if test -f .devel ; then make depend fi argus-3.0.8.2/configure.ac000444 000765 000024 00000025317 12513222401 015712 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # $Id: //depot/argus/clients/configure.ac#7 $ # $DateTime: 2010/07/25 23:19:02 $ # $Change: 1967 $ # # # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) AC_INIT([Argus Server Programs], [3.0.8], [bug-report@qosient.com], [argus], [http://qosient.com/argus]) AC_CONFIG_SRCDIR([argus/argus.c]) AC_CONFIG_AUX_DIR([config]) AC_CONFIG_HEADER([include/argus_config.h]) AC_CANONICAL_TARGET AC_PREFIX_DEFAULT( /usr/local ) AC_QOSIENT_PERL(V_PERL) # Checks for programs. AC_LBL_C_INIT(V_CCOPT, V_INCLS) AC_PROG_MAKE_SET AC_PROG_LN_S AC_PROG_LEX AC_PROG_INSTALL AC_PROG_RANLIB AC_PROG_YACC AC_CHECK_PROGS(V_RANLIB, ranlib, @true) AC_QOSIENT_LEX_AND_YACC(V_LEX, V_YACC, argus_) # Checks for libraries. CMU_SASL2(V_INCLS) AC_QOSIENT_PCRE(V_PCRE, V_INCLS) # Checks for header files. AC_HEADER_DIRENT AC_HEADER_STDC AC_HEADER_SYS_WAIT AC_HAVE_HEADERS(sys/sockio.h string.h fcntl.h sys/file.h syslog.h zlib.h) AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h libintl.h malloc.h memory.h netdb.h]) AC_CHECK_HEADERS([net/if.h netinet/in.h netinet/if_ether.h netinet/ether.h netinet/in_systm.h]) AC_CHECK_HEADERS([netinet/ip.h netinet/udp.h netinet/tcp.h]) AC_CHECK_HEADERS([stdlib.h stddef.h string.h strings.h sys/file.h sys/ioctl.h sys/param.h sys/socket.h]) AC_CHECK_HEADERS([sys/time.h sys/vfs.h syslog.h termios.h unistd.h values.h features.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE AC_SYS_LARGEFILE AC_LBL_UNALIGNED_ACCESS AC_LBL_DEVEL(V_CCOPT) AC_QOSIENT_DEBUG(V_CCOPT) AC_QOSIENT_MEMORY AC_TYPE_INT8_T AC_TYPE_UINT8_T AC_TYPE_INT16_T AC_TYPE_UINT16_T AC_TYPE_INT32_T AC_TYPE_UINT32_T AC_TYPE_UID_T AC_TYPE_PID_T AC_TYPE_SIZE_T AC_HEADER_TIME AC_STRUCT_TM AC_STRUCT_TIMEZONE # Checks for library functions. AC_FUNC_ALLOCA AC_FUNC_VPRINTF AC_FUNC_CLOSEDIR_VOID AC_FUNC_ERROR_AT_LINE AC_FUNC_FORK AC_PROG_GCC_TRADITIONAL AC_FUNC_MALLOC AC_FUNC_MEMCMP AC_FUNC_MKTIME AC_FUNC_REALLOC AC_FUNC_SELECT_ARGTYPES AC_TYPE_SIGNAL AC_FUNC_STAT AC_FUNC_STRFTIME AC_FUNC_STRTOD AC_CHECK_FUNCS(backtrace) AC_CHECK_FUNCS(openlog syslog) AC_CHECK_FUNCS(vfprintf strlcpy) AC_CHECK_FUNCS(strftime) AC_CHECK_FUNCS(inet_aton) AC_CHECK_FUNCS(setlinebuf) AC_CHECK_FUNCS(strerror strtof) AC_CHECK_FUNCS(floorf remainderf) AC_CHECK_FUNCS(timegm) AC_CHECK_FUNCS(xdrmem_create) if test "$ac_cv_func_xdrmem_create" = yes ; then AC_DEFINE([HAVE_XDR], [], [Using system XDR library]) else case "$target_cpu" in cygwin*) ;; esac fi needsnprintf=no AC_CHECK_FUNCS(vsnprintf snprintf,, [needsnprintf=yes]) if test $needsnprintf = yes; then AC_LIBOBJ(snprintf) fi # # Do this before checking for ether_hostton(), as it's a # "gethostbyname() -ish function". # AC_LBL_LIBRARY_NET AC_CHECK_FUNCS([ether_hostton getaddrinfo gethostname]) if test "$ac_cv_func_ether_hostton" = yes; then # # OK, we have ether_hostton(). Do we have ? # if test "$ac_cv_header_netinet_if_ether_h" = yes; then # # Yes. Does it declare ether_hostton()? # AC_CHECK_DECL(ether_hostton, [ AC_DEFINE(NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON,, [Define to 1 if netinet/if_ether.h declares `ether_hostton']) ],, [ #include #include #include #include struct mbuf; struct rtentry; #include #include ]) fi # # Did that succeed? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, how about , as on Linux? # AC_CHECK_HEADERS(netinet/ether.h) if test "$ac_cv_header_netinet_ether_h" = yes; then # # We have it - does it declare ether_hostton()? # Unset ac_cv_have_decl_ether_hostton so we don't # treat the previous failure as a cached value and # suppress the next test. # unset ac_cv_have_decl_ether_hostton AC_CHECK_DECL(ether_hostton, [ AC_DEFINE(NETINET_ETHER_H_DECLARES_ETHER_HOSTTON,, [Define to 1 if netinet/ether.h declares `ether_hostton']) ],, [ #include ]) fi fi # # Is ether_hostton() declared? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, we'll have to declare it ourselves. # Do we have "struct ether_addr"? # AC_CHECK_TYPES(struct ether_addr,,, [ #include #include #include #include struct mbuf; struct rtentry; #include #include ]) AC_DEFINE(HAVE_DECL_ETHER_HOSTTON, 0, [Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't.]) else AC_DEFINE(HAVE_DECL_ETHER_HOSTTON, 1, [Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't.]) fi fi if test "$ac_cv_type_struct_ether_addr" = yes ; then AC_DEFINE([HAVE_STRUCT_ETHER_ADDR], [], [struct ether addr]) fi if test "$tcl_cv_member_tm_gmtoff" = yes ; then AC_DEFINE([HAVE_TM_GMTOFF], [], [tm_gmtoff in struct tm]) fi AC_CHECK_FUNCS([alarm bzero endgrent endpwent floor gethostbyaddr gethostbyname getpass gettimeofday inet_ntoa isascii localtime_r]) AC_CHECK_FUNCS([memchr memmove memset mkdir modf pow putenv realpath regcomp select setenv socket sqrt strcasecmp strchr]) AC_CHECK_FUNCS([strdup strlcat strncasecmp strpbrk strrchr strstr strtol srandomdev tzset]) case "$target_os" in *darwin*) COMPATLIB="-lz" ;; *) if test "$ac_cv_header_zlib_h" = yes ; then COMPATLIB="-lm -lz" else COMPATLIB="-lm" fi ;; esac AC_QOSIENT_MEMORY AC_QOSIENT_THREADS(V_THREADS) AC_QOSIENT_TCPWRAP(V_WRAPDEP, V_INCLS) if test ! -z "$V_WRAPDEP"; then if test -f "$V_WRAPDEP"; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi wrapdir=`echo $V_WRAPDEP | sed -e 's/^\.\./..\/../'` ln -s $wrapdir lib/libwrap.a V_WRAPDEP="../lib/libwrap.a" else if test "$V_WRAPDEP" = "-lwrap" ; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi case "$target_os" in linux*) V_WRAPDEP="$V_WRAPDEP -lnsl";; esac fi fi AC_DEFINE([HAVE_TCP_WRAPPER], [], [Using Tcp wrappers]) WRAPLIBS="$V_WRAPDEP" fi AC_QOSIENT_LIBPCAP(V_PCAPDEP, V_INCLS) if test ! -z "$V_PCAPDEP"; then if test -f "$V_PCAPDEP"; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi pcapdir=`echo $V_PCAPDEP | sed -e 's/\.\./..\/../'` ln -s $pcapdir lib/libpcap.a V_PCAPDEP="../lib/libpcap.a" else if test "$V_PCAPDEP" = "-lpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi if test "$V_PCAPDEP" = "-lwpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi fi LIBS="$LIBS $V_PCAPDEP" fi case "$target_cpu" in *86) have_x86=yes; ;; powerpc-apple*) ;; powerpc64-*-linux-gnu) V_CCOPT="$V_CCOPT -m64 -fPIC" ;; esac case "$target_os" in aix*) dnl Workaround to enable certain features have_sun=yes; ;; darwin*) have_darwin=yes; ;; hpux9*) have_hpux_nine=yes; ;; hpux10.0*) ;; hpux10.1*) ;; hpux*) dnl HPUX 10.20 and above is similar to HPUX 9... have_hpux_ten=yes; ;; sinix*) AC_MSG_CHECKING(if SINIX compiler defines sinix) AC_CACHE_VAL(ac_cv_cc_sinix_defined, AC_TRY_COMPILE( [], [int i = sinix;], ac_cv_cc_sinix_defined=yes, ac_cv_cc_sinix_defined=no)) AC_MSG_RESULT($ac_cv_cc_sinix_defined) if test "$ac_cv_cc_sinix_defined" = "no" ; then AC_DEFINE([sinix], [], [Description]) fi ;; solaris*) AC_DEFINE(HAVE_SOLARIS,1,[On solaris]) AC_MSG_CHECKING(for LD_LIBRARY_PATH, since you appear to be running Solaris) if test "x$LD_LIBRARY_PATH" != "x" ; then LIBS="$LIBS -R$LD_LIBRARY_PATH" AC_MSG_RESULT(yes -- added LD_LIBRARY_PATH to run-time linker path) else AC_MSG_RESULT(no -- this may be a problem in a few seconds) fi COMPATLIB="-lsocket -lnsl -lrt $COMPATLIB" ;; linux*) ;; cygwin*) have_cygwin=yes; V_INCLS="$V_INCLS -I../include/cygwin-include" ;; esac if test "$have_x86" = yes ; then AC_DEFINE([CONFIG_X86_BSWAP], [], [System has x86 endian support]) fi if test "$have_darwin" = yes ; then AC_DEFINE([HAVE_DARWIN], [], [Mac OS X]) fi if test "$have_hpux_nine" = yes ; then AC_DEFINE([HAVE_HPUX9], [], [HPUX 9]) fi if test "$have_hpux_ten" = yes ; then AC_DEFINE([HAVE_HPUX10_20], [], [HPUX 10]) fi if test "$have_sun" = yes ; then AC_DEFINE([_SUN], [], [Description]) fi if test "$have_cygwin" = yes ; then AC_DEFINE([CYGWIN], [], [Using cygwin]) fi if test "$with_pluribus" = yes ; then AC_DEFINE([ARGUS_PLURIBUS], [], [Using Pluribus]) fi AC_CACHE_CHECK([tm_gmtoff in struct tm], tcl_cv_member_tm_gmtoff, [ AC_TRY_COMPILE([#include ], [struct tm tm; tm.tm_gmtoff;], tcl_cv_member_tm_gmtoff=yes, tcl_cv_member_tm_gmtoff=no)]) if test $tcl_cv_member_tm_gmtoff = yes ; then AC_DEFINE([HAVE_TM_GMTOFF], [], [tm_gmtoff in struct tm]) fi AC_CACHE_CHECK([sys_errlist in stdio.h], arg_cv_sys_errlist, [ AC_TRY_COMPILE([#include ], [char *ptr = sys_errlist[0];], arg_cv_sys_errlist=yes, arg_cv_sys_errlist=no)]) if test $arg_cv_sys_errlist = yes ; then AC_DEFINE([HAVE_SYS_ERRLIST], [], [sys_errlist in stdio.h]) fi INSTALL_LIB="../lib" INSTALL_BIN="../bin" AC_SUBST(PACKAGE_VERSION) AC_SUBST(LIBS) AC_SUBST(INCLS) AC_SUBST(V_CCOPT) AC_SUBST(V_INCLS) AC_SUBST(V_RANLIB) AC_SUBST(V_YACC) AC_SUBST(V_LEX) AC_SUBST(V_PERL) AC_SUBST(V_THREADS) AC_SUBST(WRAPLIBS) AC_SUBST(COMPATLIB) AC_SUBST(LIB_SASL) AC_SUBST(INSTALL_LIB) AC_SUBST(INSTALL_BIN) AC_CONFIG_FILES([ Makefile ./common/Makefile ./argus/Makefile ./events/Makefile ]) AC_OUTPUT if test -f .devel ; then make depend fi argus-3.0.8.2/COPYING000444 000765 000024 00000077335 12513222401 014466 0ustar00carterstaff000000 000000 GNU General Public License ************************** GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. argus-3.0.8.2/CREDITS000444 000765 000024 00000015100 12513222401 014431 0ustar00carterstaff000000 000000 /* * Argus Software - README * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ CREDITS This list of people are just some of the people that contributed significantly to the Argus Project, over its 30 years. The individuals that have contributed the most to the theory of Argus and its applications in networking and computer science have been: Dr. Tony Przygienda Rob Coltun Lou Berger The great people at Carenegie Mellon Univeristy who provided great support with all things, emotion, time and resources: Mark Poepping Chas DiFatta The amazing group at Georgia Tech, where Argus got it start. Ron Hutchins Ed Coleman Mark Johnson Ted Hope The Stanford group that have provided the richest source for Argus innovation in the areas of behavior and dynamism over the last 10 years John Gerth MN Joseph Little Johan van Reijendam The group at GLORIAD that have implemented the largest geographic area covered by Argus ... the entire Planet !! Greg Cole Harika Tandra Academics and cyber security professionals that have used and written about Argus in their research, books, and work !! Richard Bejtilch CS Lee Doug Burk With the greatest thanks to the late Dr. Hank Dardy, Cheif Scientist of the U.S. Naval Research Laboratory for his amazing visonary support of flow monitoring and his group at NRL that provided support, opinions, suggestions, criticisms and/or attitude about flows: Basil Decina Chas Williams Eric Kinzie Heidi Hornstein Dharmesh Shah Much of the work on argus has been done by the members of the argus developers mailing list. All have contributed so much over all the years. But two stand out over the many. Peter Van Epp Russell Fulton Here is the remaining, very distinguished list, in alphabetical order. (I hope I didn't miss anyone): 0100 (four) Aashish Sharma Abdun Mahmood Adrian Bool Alfredo Laguna Vazquez Alexander Bochmann Andreas Ostling Andrew Kompanek Andrew Pollock Andrew Thompson Avi Freedman Ba Ru Bamm Visscher Berry Kolts Bart Roos Benet Leong Berkay Celik Bjoern Weiland Blake Mattern Borjz Marcos Brian Zeigler Can Desem Carl Andrews Carlw Cedric Vieau Charles Fair Charles King Chris Keladis Chris Sanders Chris Wakelin Chris Wilson Christoph Badura Christopher Jones Chungen Li Clauss Strauch Claudio Luck Conor McGrath Corey Smith Craig Merchant Darren Spruell Dave Plonka David A. J. Ripley David Binderman David Edelman Derek Ditch Dez Blanchfield Dietmar Goldbeck Digital Ninja dn1nj4 Douglas Pichardo Dustin E.J. Gamarro Earl El Draco Elof2 Eric Graham Eric Pancer Ernie Johanson Esteban G Estuardo Gamarro Fabrice Fothe Fopa Florenzi Alessandro Fyodor George Jones George Nychis Georgios Pallis Giles Chauvin Gilson Soares Glen Bojaza Graeme Russ Greg Lapchenko Guilsson Guy Dickinson Harry Hoffman Henrik Strom Ignas Kazlauskas Jaime Vargas Jaime Nebrera Jake Babbin James A Robinson James Grace Janusz Urbanowicz Jason Baekey Jason Carr Jason Cook Jason Ish Javier Almiliategul JD Durick Jean Michel Rizzardi Jean-Marc Pouchoulon Jeff Atkinson Jeff Wolf Jeroen Roovers Jesper Skou Jensen Jesse Bowling Jim Gargani Jim O'Gorman Johannes Russek Joel Bergstein Joel Ebrahimi John Jenkinson John Lauro John Kennedy John Nagro John Rodenbiker John Wade Jon Denton Jonathan Towne Joost Bijl Kevin Kadow Karl Schuster Karl Tatgenhorst Kaustubh Gadkari Keir Novik Kevin Branch Kieran Rhysling Kjell Tore Fossbakk Kulwant Sohi Laird Anglesey Lee Zelyck Lei Wei Makatesi Manaf Gharalbeh Mark Bartlett Mark Borrie Markus De Shon Martijn van Oosterhout Martin Bauer Martin Holste Martin Olsson Matt Brown Matthew Derenski Matthew Weiner mel Michael Arcamone Michael Hornung Michael Meisel Michael Sandee Michael Sanderson Michal Purzynaski Mike Iglesias Mike Patterson Mike Slifcak Mike Tancsa miodek (Michael) modversion morfoh (Chris) Morgan DeRodeff Morten Christensen Murali Raju Nate Hausrath Neal Welland Nenaudoti Ignas Kazlauskas Neil Long Neslog Niall Murphy Nichole K. Boscia Nick Diel Nick Giordano Ning Shi Nyuk Loong Kiw Oguz Yanmtepe Olaf Gellert OlRoy Pablo Rebollo-Sosa Patrick Forsberg Patrick Green Paul Halliday Paul Schmehl Pengiran Awang Pete Troxell Peter Hill Peter Moody Peter Volkov Phillip G Deneault Phillip Letschert Poncenby Smythe Prashanth Prahalad Rafael Barbosa Raphael Campos Silva Raffael Marty Rahimeh Kodadadi Ralf Spenneberg Ramon Kagan Real Melancon Reykjavik Hindisvik Riccardo Dias Riccardo Veraldi Richard Johnson Rick Denton Robert E. Smith Jr. Robert Kerr Robert Leyba Robin Gruyters Rodney McKee Russ Harvey Russ McRee Ruvin Gottlieb Sajeev Nair Sam Davis Saptarshi Guha Saya Peng Scott Dexter Scott McIntyre ScottO Sean Malone Sean McCreary Sebastian Garcia Sebastian Yepes Fernandez Sergio Luis Moreira De Silva Shaheen Bakhtiar Shahram Esfahani shailwe19 Silas Porterfield Stefan Esser Stephane Peters Steve McInerney Stewart Gray Sunjeet Singh Suraj M Susan Mcgill Terry Burton Tim Lavoie Tim Waters Timo Schilling Timo Suhl Tim-Fang Yen Todd Michael Tom Briglia Tony Stout Tony Webster Torbin Wictorin Tu Nguyen unFrigidaire Americain Urtho Vaibhav Kaware Vlad Grigorescu Wictorin Torbjorn William S. Cleveland William Setzer Wolfgang Barth Woody K. Wimmie Wolfgang Barth Yotam Rubin Zi Hu argus-3.0.8.2/debian/000755 000765 000024 00000000000 12513224633 014651 5ustar00carterstaff000000 000000 argus-3.0.8.2/doc/000755 000765 000024 00000000000 12513222401 014163 5ustar00carterstaff000000 000000 argus-3.0.8.2/events/000755 000765 000024 00000000000 12723625057 014743 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/000755 000765 000024 00000000000 12723625057 015062 5ustar00carterstaff000000 000000 argus-3.0.8.2/INSTALL000444 000765 000024 00000030432 12513222401 014447 0ustar00carterstaff000000 000000 /* * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ QUICK MAKE If all things are ready, distribution untarred, and you have libpcap and bison installed on your system, you should be able to make argus by simply typing: % ./configure % make If you have any problems with this procedure, read further, if not congratulations. You can proceed to INSTALLATION. DEPENDENCIES The argus distribution is dependant on two public domain packages; libpcap, which provides the argus server's portable packet capture interface, and flex/bison() which are used for to build the filter compilers. Both of these sets of packages must be installed in order to compile argus. Most versions of Linux/Unix/Mac OS X/xBSD have these packages installed by default, so hopefully it won't be a problem. Below is the offical source of libpcap and current version: libpcap-1.5.3 http://www.tcpdump.org/release/libpcap-1.5.3.tar.gz The official site and current version of bison is: bison-3.0.1 http://ftp.gnu.org/gun/bison/ And the offical site for Flex: The Fast Lexical Analyzer is: flex-2.5.39 http://flex.sourceforge.net http://sourceforge.net/projects/flex/files Because argus is dependant on libpcap and flex/bison, you will need to have them available prior to building the package. Please refer to the individual packages for installation instructions. If you are not interested in performing a system installtion for libpcap, then you can simply untar libpcap in the same directory where you untared argus. Argus's ./configure will find the package and use it accordingly. For some operating systems, such as Fedora, you may have to install the developement versions of some packages in order to get all the supporting files. On Fedora, the libpcap library is provided, however, compilers etc... can't find the library at compile time. Installing libpcap-devel fixes this problem: yum install libpcap-devel apt-get install libpcap-devel Argus supports block compression for some of its functions. To support this, argus will look for a usable zlib. If not found, it will not use the functions. Argus can link to the public domain package tcp_wrappers to provide remote access control. At this time, the lastest version is tcp_wrappers-7.6. If tcp_wrappers in not installed on your system, then installing this package in the same directory as libpcap and argus is recommended. tcp_wrappers.7.6 Wietse Venema (wietse@wzv.win.tue.nl) Department of Mathematics and Computing Science Eindhoven University of Technology P.O. Box 513 5600 MB Eindhoven The Netherlands ftp://ftp.porcupine.org/pub/security Argus can also link to the cryptographic package SASL, the Simple Authentication and Security Layer, which provides strong authentication and wireline confidentiality for argus data. Because of its features and flexibility, we highly recommend using SASL, and becoming experienced with its administration. cyrus-sasl-2.1.23 Carnegie Mellon Univeristy http://ftp.andrew.cmu.edu/pub/cyrus-mail/ CONFIGURE The program, ./configure, will scan the file system, looking for a lot of things, including the libpcap and tcp_wrapper directories and libraries and make assumptions about the platform which will allow ./configure to choose between gcc, acc, cc, flex, lex, bison, yacc, pcre, sasl and where your specific version of Perl. If the libpcap or bison packages are not discovered, the ./configure script will fail, as these packages are required. Argus can be compiled with support for Sasl, to provide strong authentication and confidentiality protection for data "on the wire". This can be turned on using the option "--with-sasl[=DIR]". If you do not provide the optional directory, ./configure will guess where sasl could be, using the standard installation directories as a guide. You can also specify that ./configure should not use gcc as the compiler, which the default. For Solaris, the sun c compiler is much better for various reasons, and so providing the "--without-gcc" option may generate more efficient code, when a native compiler is available. Configure will create links for the libpcap.a and libwrap.a libraries in ./lib, and will create links to the distribution directories as ./libpcap and ./wrapper. Configure will attempt to find the libpcap and tcp_wrappers distribution directories, and their corresponding libraries. The path used to find these dependancies is ./libpcap, ./wrapper, /usr/lib, /usr/local/lib, ../libpcap, ../wrapper, ../tcp_wrappers, ../libpcap-[0-9]*.[0-9ab]*, and ../tcp_wrappers[-.][0-9]*.[0-9ab]*. Because of major changes between tcp_wrappers-6 and tcp_wrappers-7, ./configure needs to discover the tcp_wrappers version number. It does this by scanning the patchlevel.h file in the tcp_wrapper distribution, as a result, ./configure will attempt to find and then establish a link to your tcp_wrappers distribution directory. Again, we recommend that you install your libpcap and tcp_wrappers distribution directories, or links to them, in either the same directory as the Argus distribution, or as the directories ./libpcap and ./wrapper, in the Argus directory. BUILDING ARGUS So, after all that, to build Argus on a supported platform, first run ./configure. ./configure will determine your system attributes and generate subdirectories and the appropriate Makefiles from the Makefile.in files found in the distribution. After this, run "make". If everything goes well, appropriate libraries and binaries will be found in the ./bin and ./lib subdirectories. So, .... % ./configure % make The argus will be found as ./bin/argus. So, at this point you should have all the execuables needed. But, if you are having problems, it may be related to your compiler or the flex and bison utilities. So, ... You will need an ANSI C compiler to build argus. If your compiler is not ANSI compliant, we highly recommend using the GNU C compiler, available via anonymous ftp: ftp://prep.ai.mit.edu/pub/gnu/gcc-*.tar.gz Argus requires bison and flex. For flex, version 2.4.6 or higher is recommended. The current version of flex and bison are available via anonymous ftp: ftp://prep.ai.mit.edu/pub/gnu/bison-*.tar.gz ftp://prep.ai.mit.edu/pub/non-gnu/flex/flex-*.tar.gz Now, if you are still having problems, ..., well its hard to say from here what it might be. So, you may want to send us some mail. INSTALLATION QUICK INSTALL If all things are well at this point, and you will be using the installation strategy that we use, all you need do now is: # make install This will create the /usr/local/argus directory and move all the binaries, supporting programs, man pages and documenation into it. If you are unsure about the standard installtion, run % make -n install to review what make will try to do. If you would like to do something other than the standard install, then please continue to read through this file. If you are planning on running the argus as a persistant daemon on your machine, then one additional step is recommended, and that is setting up system wide argus configuration files; /etc/argus.conf.conf. # cp ./support/Config/argus.conf /etc You must edit /etc/argus.conf file for argus to work, as the default configuration will have argus do a lot of work but not output anything. Argus writes its data either to an output file, or if you intend argus to monitor traffic in realtime, to a socket port that client programs can attach to. You specify either, or both, in the argus.conf file, by uncommenting the appropriate line. At this point your ready to run the argus. But if you wanted to do something different, then read on. Argus does not have any installation retrictions, so you can install Argus anywhere. There are some conventions that have been established, and I'll present them here, but you can, of course, do your own thing. I have found it useful to have an argus home directory to hold the binaries, argus configuration files, the argus output file, and hold my argus data archive. If you would like to use this strategy, create your directory, and create the environment variable ARGUSHOME and set it to this directory. I use /usr/local/argus. I prefer putting the argus binary in /usr/local/sbin (system binaries). After making, as root, I just: # mkdir /usr/local/argus # cp bin/argusbug /usr/local/argus/bin # cp bin/argus /usr/local/sbin/argus It is convenient to chmod argus so that it is "setuid root", but many feel that this is a security problem, as any user could then start an argus on the system. Use this technique at at your discretion. # chown root /usr/local/sbin/argus # chmod 4755 /usr/local/sbin/argus Argus has a system configuration file that normally resides as /etc/argus.conf. You can install this file anywhere, but the scripts that are provided in the ./support directory will assume that the configuration is at /etc/argus.conf. # cp ./support/Config/argus.conf /etc/argus.conf You will want to edit this file to choose values of your liking. The sample has all the common values set and is a good suggestion. Copying the man and doc directories is nice. # tar cf - doc man | (cd /usr/local/argus; tar xvpf -) This should handle the basic installion. Any comments, patches, bug reports or additions should be sent to argus@lists.andrew.cmu.edu. PORTABILITY Argus and its supporting routines have been developed on Sparc architectures under SunOS 4.1.x and Solaris 2.7, and have been successfully ported to Solaris, SGI, Ultrix, Linux, OpenBSD and FreeBSD platforms. No claim is made as to the portability of Argus to other platforms, although it is much easier now that we've addressed the big endian little endian issues. If you make any modifications to support installing and running Argus in any other environment, please send us comments and/or patches. We will be most grateful. OPENWRT Argus has been ported to OpenWrt, and a specific configure program is provided to assist in making for OpenWrt. First, untar the argus distribution into your OpenWrt-SDK-Linux-i686-1/package directory. Be sure that the libpcap library is installed in the OpenWrt-SDK-Linux-i686-1/staging_dir_mipsel/usr/lib, and your ready. % ./configure.openwrt % make That should make an argus binary that can be installed on an openwrt system. You will still need to provide an /etc/argus.conf file, and any type of startup script to get argus going. CYGWIN Argus has been ported to Cygwin, the RedHat Linux environment for Windows. Cygwin can be found at http://www.cygwin.com. Install the latest version of Cygwin, modifying the default install to include the developement support. As noted above, you will need bison and flex and optionally tcpwrappers, which are available for Cygwin. On CYGWIN, the libpcap function is provided by the WinPcap Developers Pack. The current version can be found at: http://www.winpcap.org/devel.htm Place the unzipped WpdPack folder in the same directory that you untared argus, and the argus ./configure script will find it and do the right thing. At this point, to make argus: % ./configure % make That should make an argus binary that can be installed as a Windows service, using the cygrunsrv() program. Because interface names are so difficult to use on Windows, the Cygwin port of argus allows you to specify an index for the interface you want to monitor. By running argus without an interface specification, argus will print out the available interfaces, with thier indexes. Use the index number on the command line, or in the argus.conf file. To setup argus as a system service under CYGWIN, use the cygrunsvc() program. Argus will write its output to /var/log/argus.log, so check there is you have any problems. argus-3.0.8.2/lib/000755 000765 000024 00000000000 12723625057 014205 5ustar00carterstaff000000 000000 argus-3.0.8.2/Makefile.in000444 000765 000024 00000011676 12513222401 015474 0ustar00carterstaff000000 000000 # # Makefile for Argus # Copyright (C) 1996-2015 QoSient, LLC # All rights reserved # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. #### Start of system configuration section. #### @SET_MAKE@ CC = @CC@ INSTALL = @INSTALL@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_DATA = @INSTALL_DATA@ DEFS = @DEFS@ LIBS = @LIBS@ WRAPLIBS = @WRAPLIBS@ prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ srcdir = @srcdir@ docdir = @datadir@/doc/argus-3.0 #### End of system configuration section. #### SHELL = /bin/sh DIRS = ./common ./argus ./events INSTDIRS = ./argus ./events DISTFILES = AUTHORS COPYING ChangeLog INSTALL MANIFEST Makefile.in\ CREDITS README VERSION bin common argus events doc include pkg debian\ lib man support aclocal.m4 acsite.m4 config configure configure.ac\ lib/argus.spec .threads .c.o: $(CC) -c $(CPPFLAGS) $(DEFS) $(CFLAGS) $< .PHONY: install installdirs all all: force @-for d in $(DIRS);\ do \ (cd $$d; echo "### Making in" `pwd`;\ $(MAKE) $(MFLAGS) ;\ echo "### Done with" `pwd`);\ done install: force $(MAKE) $(MFLAGS) installdirs [ -d $(DESTDIR)@prefix@ ] || \ (mkdir -p $(DESTDIR)@prefix@; chmod 755 $(DESTDIR)@prefix@) [ -d $(DESTDIR)@sbindir@ ] || \ (mkdir -p $(DESTDIR)@sbindir@; chmod 755 $(DESTDIR)@sbindir@) [ -d $(DESTDIR)@bindir@ ] || \ (mkdir -p $(DESTDIR)@bindir@; chmod 755 $(DESTDIR)@bindir@) [ -d $(DESTDIR)$(exec_prefix)/argus ] || \ (mkdir -p $(DESTDIR)$(exec_prefix)/argus; chmod 755 $(DESTDIR)$(exec_prefix)/argus) [ -d $(DESTDIR)$(exec_prefix)/argus/archive ] || \ (mkdir -p $(DESTDIR)$(exec_prefix)/argus/archive; chmod 755 $(DESTDIR)$(exec_prefix)/argus/archive) @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make install in" `pwd`; \ $(MAKE) $(MFLAGS) install; \ echo "### Done with" `pwd`); \ done $(INSTALL) -m 0755 $(srcdir)/bin/argusbug $(DESTDIR)@bindir@/argusbug [ -d $(DESTDIR)@mandir@ ] || \ (mkdir -p $(DESTDIR)@mandir@; chmod 755 $(DESTDIR)@mandir@) [ -d $(DESTDIR)@mandir@/man5 ] || \ (mkdir -p $(DESTDIR)@mandir@/man5; chmod 755 $(DESTDIR)@mandir@/man5) [ -d $(DESTDIR)@mandir@/man8 ] || \ (mkdir -p $(DESTDIR)@mandir@/man8; chmod 755 $(DESTDIR)@mandir@/man8) $(INSTALL) -m 0644 $(srcdir)/man/man5/argus.conf.5 $(DESTDIR)@mandir@/man5/argus.conf.5 $(INSTALL) -m 0644 $(srcdir)/man/man8/argus.8 $(DESTDIR)@mandir@/man8/argus.8 install-doc: force $(MAKE) installdirs [ -d $(DESTDIR)@prefix@ ] || \ (mkdir -p $(DESTDIR)@prefix@; chmod 755 $(DESTDIR)@prefix@) [ -d $(DESTDIR)$(docdir) ] || \ (mkdir -p $(DESTDIR)$(docdir); chmod 755 $(DESTDIR)$(docdir)) $(INSTALL) -m 0644 $(srcdir)/README $(DESTDIR)$(docdir) $(INSTALL) -m 0644 $(srcdir)/COPYING $(DESTDIR)$(docdir) uninstall: rm -f $(DESTDIR)@mandir@/man5/argus.5 rm -f $(DESTDIR)@mandir@/man5/argus.conf.5 rm -f $(DESTDIR)@mandir@/man8/argus.8 rm -rf $(DESTDIR)$(docdir) @for i in $(INSTDIRS) ; do \ if [ -d $$i ] ; then \ cd $$i; \ $(MAKE) $(MFLAGS) uninstall; \ cd ..; \ fi; \ done rm -f $(DESTDIR)@bindir@/argusbug installdirs: ${srcdir}/config/mkinstalldirs $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)\ $(DESTDIR)$(docdir) $(DESTDIR)$(exec_prefix)/argus/archive Makefile: Makefile.in config.status $(SHELL) config.status config.status: configure $(srcdir)/configure --no-create TAGS: $(SRCS) etags $(SRCS) .PHONY: clean mostlyclean distclean realclean dist clean: force @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make clean in" `pwd`; \ $(MAKE) $(MFLAGS) clean; \ echo "### Done with" `pwd`); \ done mostlyclean: clean distclean: force @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make distclean in" `pwd`; \ $(MAKE) $(MFLAGS) distclean; \ echo "### Done with" `pwd`); \ done rm -rf log rm -f config.* rm -f TAGS rm -f lib/*.a rm -f bin/*.exe rm -f include/argus_config.h clobber realclean: distclean rm -f ./Makefile dist: distclean echo argus-`cat VERSION` > .fname rm -rf `cat .fname` mkdir `cat .fname` tar cf - $(DISTFILES) | (cd `cat .fname`; tar xpf -) ls -lR `cat .fname` | fgrep CVS: | sed 's/:$///' > exfile tar -X exfile -chozf `cat .fname`.tar.gz `cat .fname` rm -rf `cat .fname` .fname exfile force: /tmp depend: force @for i in $(DIRS) ; do \ if [ -d $$i ] ; then \ cd $$i; \ $(MAKE) $(MFLAGS) depend || exit 1; \ cd ..; \ fi; \ done # Prevent GNU make v3 from overflowing arg limit on SysV. .NOEXPORT: argus-3.0.8.2/man/000755 000765 000024 00000000000 12513222401 014171 5ustar00carterstaff000000 000000 argus-3.0.8.2/MANIFEST000444 000765 000024 00000031412 12723624775 014575 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ * */ Argus 3.0.8.2 distribution total 896 -r--r--r-- 1 carter staff 515 Apr 14 2015 AUTHORS -r--r--r-- 1 carter staff 32477 Apr 14 2015 COPYING -r--r--r-- 1 carter staff 6720 Apr 14 2015 CREDITS -r--r--r-- 1 carter staff 9060 Jun 1 12:26 ChangeLog -r--r--r-- 1 carter staff 12570 Apr 14 2015 INSTALL -r--r--r-- 1 carter staff 13066 Jun 1 14:31 MANIFEST -r--r--r-- 1 carter staff 5054 Apr 14 2015 Makefile.in -r--r--r-- 1 carter staff 3480 Apr 14 2015 README -r--r--r-- 1 carter staff 8 Jun 1 12:26 VERSION -r--r--r-- 1 carter staff 609 Apr 14 2015 aclocal.m4 -r--r--r-- 1 carter staff 52979 Apr 14 2015 acsite.m4 drwxr-xr-x 33 carter staff 1122 Jun 1 14:28 argus drwxr-xr-x 4 carter staff 136 Jun 1 14:03 bin drwxr-xr-x 9 carter staff 306 Jun 1 14:28 common drwxr-xr-x 6 carter staff 204 Apr 14 2015 config -rwxr-xr-x 1 carter staff 281305 Jun 1 14:29 configure -r--r--r-- 1 carter staff 10959 Apr 14 2015 configure.ac drwxr-xr-x 15 carter staff 510 Apr 14 2015 debian drwxr-xr-x 3 carter staff 102 Apr 14 2015 doc drwxr-xr-x 8 carter staff 272 Jun 1 14:28 events drwxr-xr-x 34 carter staff 1156 Jun 1 14:28 include drwxr-xr-x 3 carter staff 102 Jun 1 14:28 lib drwxr-xr-x 4 carter staff 136 Apr 14 2015 man drwxr-xr-x 5 carter staff 170 Apr 14 2015 pkg drwxr-xr-x 8 carter staff 272 Apr 14 2015 support ./argus: total 2056 -r--r--r-- 1 carter staff 9801 Apr 14 2015 Argus802.11.c -r--r--r-- 1 carter staff 21537 Jun 29 2015 ArgusApp.c -r--r--r-- 1 carter staff 9225 Apr 17 2015 ArgusArp.c -r--r--r-- 1 carter staff 9373 Apr 14 2015 ArgusAuth.c -r--r--r-- 1 carter staff 5201 Apr 14 2015 ArgusEsp.c -rw-r--r-- 1 carter staff 14155 Jun 1 11:21 ArgusEvents.c -r--r--r-- 1 carter staff 2762 Apr 14 2015 ArgusEvents.h -r--r--r-- 1 carter staff 19495 Apr 14 2015 ArgusFrag.c -r--r--r-- 1 carter staff 14838 Aug 5 2015 ArgusIcmp.c -r--r--r-- 1 carter staff 4205 Apr 14 2015 ArgusIgmp.c -r--r--r-- 1 carter staff 31630 Apr 14 2015 ArgusIsis.c -r--r--r-- 1 carter staff 3288 Apr 14 2015 ArgusLcp.c -r--r--r-- 1 carter staff 1573 Apr 14 2015 ArgusMac.c -rw-r--r-- 1 carter staff 175781 Jun 1 13:27 ArgusModeler.c -r--r--r-- 1 carter staff 28091 Jun 1 12:53 ArgusModeler.h -rw-r--r-- 1 carter staff 85787 Jun 1 11:42 ArgusNetflow.c -r--r--r-- 1 carter staff 2255 Apr 14 2015 ArgusNetflow.h -rw-r--r-- 1 carter staff 67242 Jun 1 11:50 ArgusOutput.c -r--r--r-- 1 carter staff 6081 Apr 14 2015 ArgusOutput.h -r--r--r-- 1 carter staff 46626 Apr 14 2015 ArgusSflow.c -r--r--r-- 1 carter staff 1185 Apr 14 2015 ArgusSflow.h -r--r--r-- 1 carter staff 152326 Apr 5 12:00 ArgusSource.c -r--r--r-- 1 carter staff 34985 Apr 14 2015 ArgusSource.h -rw-r--r-- 1 carter staff 41321 Jun 1 12:06 ArgusTcp.c -r--r--r-- 1 carter staff 2206 Apr 14 2015 ArgusUdp.c -r--r--r-- 1 carter staff 29329 Jun 29 2015 ArgusUdt.c -r--r--r-- 1 carter staff 81043 Aug 6 2015 ArgusUtil.c -r--r--r-- 1 carter staff 12345 Apr 14 2015 ArgusUtil.h -r--r--r-- 1 carter staff 3837 Apr 14 2015 Makefile.in -r--r--r-- 1 carter staff 65847 Jul 2 2015 argus.c -r--r--r-- 1 carter staff 3950 Apr 14 2015 argus.h ./bin: total 32 -r-xr-xr-x 1 carter staff 10073 Apr 14 2015 argusbug -r-xr-xr-x 1 carter staff 2395 Apr 14 2015 mkdep ./common: total 784 -r--r--r-- 1 carter staff 3659 Apr 14 2015 Makefile.in -r--r--r-- 1 carter staff 14197 Apr 14 2015 argus_auth.c -r--r--r-- 1 carter staff 147274 Apr 14 2015 argus_code.c -r--r--r-- 1 carter staff 87217 Apr 14 2015 argus_filter.c -r--r--r-- 1 carter staff 114617 Aug 5 2015 argus_util.c -r-xr-xr-x 1 carter staff 14718 Apr 14 2015 grammar.y -r-xr-xr-x 1 carter staff 11783 Apr 14 2015 scanner.l ./config: total 184 -r-xr-xr-x 1 carter staff 42856 Apr 14 2015 config.guess -r-xr-xr-x 1 carter staff 35740 Apr 14 2015 config.sub -r-xr-xr-x 1 carter staff 5585 Apr 14 2015 install-sh -r-xr-xr-x 1 carter staff 616 Apr 14 2015 mkinstalldirs ./debian: total 96 -rwxr-xr-x 1 carter staff 1058 Apr 14 2015 argus.postinst -rwxr-xr-x 1 carter staff 181 Apr 14 2015 argus.postrm -rwxr-xr-x 1 carter staff 719 Apr 14 2015 argus.preinst -rwxr-xr-x 1 carter staff 151 Apr 14 2015 argus.prerm -rw-r--r-- 1 carter staff 153 Apr 14 2015 changelog -rw-r--r-- 1 carter staff 2 Apr 14 2015 compat -rw-r--r-- 1 carter staff 611 Apr 14 2015 control -rw-r--r-- 1 carter staff 1812 Apr 14 2015 copyright -rw-r--r-- 1 carter staff 7 Apr 14 2015 docs -rw-r--r-- 1 carter staff 180 Apr 14 2015 install -rw-r--r-- 1 carter staff 64 Apr 14 2015 manpages -rwxr-xr-x 1 carter staff 538 Apr 14 2015 rules drwxr-xr-x 3 carter staff 102 Apr 14 2015 source ./debian/source: total 8 -rw-r--r-- 1 carter staff 12 Apr 14 2015 format ./doc: total 8 -r--r--r-- 1 carter staff 1333 Apr 14 2015 README ./events: total 48 -r--r--r-- 1 carter staff 3371 Dec 2 2015 Makefile.in -r--r--r-- 1 carter staff 3217 Apr 14 2015 README -r-xr-xr-x 1 carter staff 735 Dec 2 2015 argus-extip.pl -r-xr-xr-x 1 carter staff 596 Apr 14 2015 argus-lsof.pl -r-xr-xr-x 1 carter staff 1599 Apr 14 2015 argus-snmp.sh -r-xr-xr-x 1 carter staff 842 Apr 14 2015 argus-vmstat.sh ./include: total 832 -r--r--r-- 1 carter staff 17917 Apr 14 2015 CflowdFlowPdu.h drwxr-xr-x 16 carter staff 544 Apr 14 2015 argus -r--r--r-- 1 carter staff 3974 Apr 14 2015 argus-namedb.h -r--r--r-- 1 carter staff 12168 Apr 14 2015 argus_client.h -r--r--r-- 1 carter staff 6414 Apr 14 2015 argus_compat.h -r--r--r-- 1 carter staff 16500 Apr 14 2015 argus_config.h.in -r--r--r-- 1 carter staff 2326 Apr 14 2015 argus_dag.h -r--r--r-- 1 carter staff 2166 Apr 14 2015 argus_debug.h -r--r--r-- 1 carter staff 99194 Jul 2 2015 argus_def.h -r--r--r-- 1 carter staff 120 Apr 14 2015 argus_def_v2.h -r--r--r-- 1 carter staff 2987 Apr 14 2015 argus_dscodepoints.h -r--r--r-- 1 carter staff 3837 Jun 1 13:54 argus_encapsulations.h -r--r--r-- 1 carter staff 11827 Apr 14 2015 argus_ethernames.h -r--r--r-- 1 carter staff 4457 Jun 1 12:37 argus_ethertype.h -r--r--r-- 1 carter staff 8927 Apr 14 2015 argus_filter.h -r--r--r-- 1 carter staff 1039 Apr 14 2015 argus_gmpls.h -r--r--r-- 1 carter staff 1878 Apr 14 2015 argus_gre.h -r--r--r-- 1 carter staff 2704 Apr 14 2015 argus_int.h -r--r--r-- 1 carter staff 18623 Apr 14 2015 argus_isis.h -r--r--r-- 1 carter staff 4248 Apr 14 2015 argus_llc.h -r--r--r-- 1 carter staff 4010 Apr 14 2015 argus_namedb.h -r--r--r-- 1 carter staff 4559 Apr 14 2015 argus_os.h -r--r--r-- 1 carter staff 29477 Aug 5 2015 argus_out.h -r--r--r-- 1 carter staff 52784 Apr 14 2015 argus_parse.h -r--r--r-- 1 carter staff 4615 Apr 14 2015 argus_parser.h -r--r--r-- 1 carter staff 3237 Apr 14 2015 argus_udt.h -r--r--r-- 1 carter staff 5174 Apr 14 2015 argus_util.h -r--r--r-- 1 carter staff 43120 Apr 14 2015 argus_v3_def.h drwxr-xr-x 7 carter staff 238 Apr 14 2015 cygwin-include drwxr-xr-x 8 carter staff 272 Apr 14 2015 net drwxr-xr-x 3 carter staff 102 Apr 14 2015 netbsd-include drwxr-xr-x 4 carter staff 136 Apr 14 2015 netinet ./include/argus: total 248 -r--r--r-- 1 carter staff 23545 Apr 14 2015 CflowdFlowPdu.h -r--r--r-- 1 carter staff 3786 Apr 14 2015 bootp.h -r--r--r-- 1 carter staff 3262 Apr 14 2015 cflowd.h -r--r--r-- 1 carter staff 4553 Apr 14 2015 cons_def.h -r--r--r-- 1 carter staff 4368 Apr 14 2015 cons_out.h -r--r--r-- 1 carter staff 8596 Apr 14 2015 extract.h -r--r--r-- 1 carter staff 3781 Apr 14 2015 fddi.h -r--r--r-- 1 carter staff 9916 Apr 14 2015 gencode.h -r--r--r-- 1 carter staff 956 Apr 14 2015 global.h -r--r--r-- 1 carter staff 18685 Apr 14 2015 ieee802_11.h -r--r--r-- 1 carter staff 1470 Apr 14 2015 md5.h -r--r--r-- 1 carter staff 2424 Apr 14 2015 ppp.h -r--r--r-- 1 carter staff 4827 Apr 14 2015 saslint.h -r--r--r-- 1 carter staff 5667 Apr 14 2015 sll.h ./include/cygwin-include: total 0 drwxr-xr-x 4 carter staff 136 Apr 14 2015 linux drwxr-xr-x 3 carter staff 102 Apr 14 2015 net drwxr-xr-x 11 carter staff 374 Apr 14 2015 netinet drwxr-xr-x 3 carter staff 102 Apr 14 2015 protocols drwxr-xr-x 3 carter staff 102 Apr 14 2015 sys ./include/cygwin-include/linux: total 16 -r--r--r-- 1 carter staff 1728 Apr 14 2015 if_arp.h -r--r--r-- 1 carter staff 3092 Apr 14 2015 igmp.h ./include/cygwin-include/net: total 8 -r--r--r-- 1 carter staff 1734 Apr 14 2015 if_arp.h ./include/cygwin-include/netinet: total 104 -r--r--r-- 1 carter staff 8866 Apr 14 2015 icmp6.h -r--r--r-- 1 carter staff 1984 Apr 14 2015 if_ether.h -r--r--r-- 1 carter staff 3480 Apr 14 2015 igmp.h -r--r--r-- 1 carter staff 3729 Apr 14 2015 ip6.h -r--r--r-- 1 carter staff 5013 Apr 14 2015 ip_icmp.h -r--r--r-- 1 carter staff 3198 Apr 14 2015 ip_var.h -r--r--r-- 1 carter staff 6380 Apr 14 2015 tcp_var.h -r--r--r-- 1 carter staff 1033 Apr 14 2015 tcpip.h -r--r--r-- 1 carter staff 1086 Apr 14 2015 udp_var.h ./include/cygwin-include/protocols: total 8 -r--r--r-- 1 carter staff 2340 Apr 14 2015 routed.h ./include/cygwin-include/sys: total 8 -r--r--r-- 1 carter staff 49 Apr 14 2015 mbuf.h ./include/net: total 72 -r--r--r-- 1 carter staff 3222 Apr 14 2015 arcnet.h -r--r--r-- 1 carter staff 2172 Apr 14 2015 etherdefs.h -r--r--r-- 1 carter staff 12674 Apr 14 2015 nff.h -r--r--r-- 1 carter staff 3563 Apr 14 2015 ppp.h -r--r--r-- 1 carter staff 3873 Apr 14 2015 slcompress.h -r--r--r-- 1 carter staff 1103 Apr 14 2015 slip.h ./include/netbsd-include: total 0 drwxr-xr-x 3 carter staff 102 Apr 14 2015 netinet ./include/netbsd-include/netinet: total 8 -r--r--r-- 1 carter staff 1570 Apr 14 2015 rtp.h ./include/netinet: total 24 -r--r--r-- 1 carter staff 4892 Apr 14 2015 rtp.h -r--r--r-- 1 carter staff 2182 Apr 14 2015 tcp_fsm.h ./lib: total 8 -r--r--r-- 1 carter staff 2000 Jun 1 12:26 argus.spec ./man: total 0 drwxr-xr-x 3 carter staff 102 Apr 14 2015 man5 drwxr-xr-x 3 carter staff 102 Apr 14 2015 man8 ./man/man5: total 40 -r-xr-xr-x 1 carter staff 19826 Apr 14 2015 argus.conf.5 ./man/man8: total 24 -r-xr-xr-x 1 carter staff 11249 Apr 14 2015 argus.8 ./pkg: total 64 -r--r--r-- 1 carter staff 4201 Apr 14 2015 README -r--r--r-- 1 carter staff 21769 Apr 14 2015 argus.conf drwxr-xr-x 4 carter staff 136 Apr 14 2015 rhel ./pkg/rhel: total 0 drwxr-xr-x 3 carter staff 102 Apr 14 2015 init.d drwxr-xr-x 3 carter staff 102 Apr 14 2015 sysconfig ./pkg/rhel/init.d: total 8 -r-xr-xr-x 1 carter staff 2796 Apr 14 2015 argus ./pkg/rhel/sysconfig: total 8 -r--r--r-- 1 carter staff 551 Apr 14 2015 argus ./support: total 8 drwxr-xr-x 4 carter staff 136 Apr 14 2015 Archive drwxr-xr-x 3 carter staff 102 Apr 14 2015 Config drwxr-xr-x 3 carter staff 102 Apr 14 2015 Deployment -r--r--r-- 1 carter staff 2026 Apr 14 2015 README drwxr-xr-x 6 carter staff 204 Apr 14 2015 Startup drwxr-xr-x 4 carter staff 136 Apr 14 2015 System ./support/Archive: total 48 -r--r--r-- 1 carter staff 5181 Apr 14 2015 README.argusarchive -r-xr-xr-x 1 carter staff 14629 Apr 14 2015 argusarchive ./support/Config: total 48 -r-xr-xr-x 1 carter staff 21756 Apr 14 2015 argus.conf ./support/Deployment: total 16 -r-xr-xr-x 1 carter staff 7623 Apr 14 2015 sample ./support/Startup: total 32 -r--r--r-- 1 carter staff 3693 Apr 14 2015 README -r--r--r-- 1 carter staff 3104 Apr 14 2015 argus -r--r--r-- 1 carter staff 559 Apr 14 2015 argus.service -r--r--r-- 1 carter staff 723 Apr 14 2015 com.qosient.argus.plist ./support/System: total 16 -r-xr-xr-x 1 carter staff 1170 Apr 14 2015 crontab -r-xr-xr-x 1 carter staff 1094 Apr 14 2015 magic argus-3.0.8.2/pkg/000755 000765 000024 00000000000 12513222401 014177 5ustar00carterstaff000000 000000 argus-3.0.8.2/README000444 000765 000024 00000006630 12513222401 014301 0ustar00carterstaff000000 000000 /* * Argus Software - README * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ Argus 3.0.8 QoSient, LLC http://qosient.com/argus This directory contains source code for Argus, an IP network transaction auditing tool, that generates a network activity audit of all network transactions, their state, and their performance. The data that Argus generates can be used for a wide range of tasks including Network Operations, Security, Assurance and Performance Management. This package contains the network activity sensor, that takes in raw packet data, from either a file or from the network, and generates network flow activity status records. Argus is comprehensive, in that it accounts for all network activity,, not just IP traffic. Use the accompaning argus-clients-3.0.8 tools to collect, process, print, graph, store, archive and manage the data that Argus generates. To install the software and get started, see the ./INSTALL file. For answers to many questions, please see the argus web site at http://qosient.com/argus. The Argus 3.0 has been ported to SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD, BSD Unix, AIX, HPUX, Irix, Onix, UniCos, VxWorks, Cygwin and OpenWRT, to name just a few, and the argus client software has been successfully used under most if not all the same platforms. If you port Argus to another system, please let us know on the mailing list. ************************************************************ IMPORTANT: Please send problems, bug reports, questions and comments to the argus mailing list at Carnegie Mellon University: argus-info@lists.andrew.cmu.edu. We encourage you to use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non- relevant to your problem. Bug reports not generated by Argusbug may be silently ignored by the Argus maintainers, so please use consider using the tool. Email that reports that 'Argus does not work. Why?' will be completely ignored. ************************************************************ Argus is the first netflow technology, started in 1984 at Georgia Tech, and adapted for cyber security operations in 1991 at Carengie Mellon University's Software Engineering Institute. While it has a long history, we still think of argus as innovative and leading edge. Comprehensive network transaction auditing is an extremely powerful network management tool, and a large number of sites do benefit from the prototype work that has been done through the Argus Project. Again, thank you for your interest in Argus. I hope that you find the software useful. Carter carter@qosient.com argus-3.0.8.2/support/000755 000765 000024 00000000000 12513222401 015132 5ustar00carterstaff000000 000000 argus-3.0.8.2/VERSION000444 000765 000024 00000000010 12723606267 014476 0ustar00carterstaff000000 000000 3.0.8.2 argus-3.0.8.2/support/Archive/000755 000765 000024 00000000000 12513222401 016513 5ustar00carterstaff000000 000000 argus-3.0.8.2/support/Config/000755 000765 000024 00000000000 12513222401 016337 5ustar00carterstaff000000 000000 argus-3.0.8.2/support/Deployment/000755 000765 000024 00000000000 12513222401 017252 5ustar00carterstaff000000 000000 argus-3.0.8.2/support/README000444 000765 000024 00000003752 12513222401 016017 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ The files in these directories are sample configuration, system startup scripts, filters, etc... to support the use of argus and its clients. These files are simple examples, and may need to be modified to support your specific system. These files have been tested primarily on Linux. Archive argusarchive - An sh shell script for moving the argus daemon's output file into a date based archive. The archive file system is created when needed and the output file is compressed and moved into the file system. Config excel.rc - Excel.rc is a ra configuration file to write output so that it can be imported by Microsoft's Excel. Basically generates a comma-separated-file (csv) with appropriate titles for the columns and a date format that Excel understands. fmodel.conf - A sample flow aggregation configuration for ragator(). Deployment sample - This is a description of a tradtional argus probe deployment strategy. Describes placement on an ethernet DMZ and interface configurations that address issues that you may find important. Startup argus - This is a system boot startup script that does a very nice job. System magic - magic file entry support file(1) recognizing argus data files. argus-3.0.8.2/support/Startup/000755 000765 000024 00000000000 12513222401 016574 5ustar00carterstaff000000 000000 argus-3.0.8.2/support/System/000755 000765 000024 00000000000 12513222401 016416 5ustar00carterstaff000000 000000 argus-3.0.8.2/support/System/crontab000555 000765 000024 00000002222 12513222401 017770 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # Permission to use, copy, modify, and distribute this software and # its documentation for any purpose and without fee is hereby granted, # provided that the above copyright notice appear in all copies and # that both that copyright notice and this permission notice appear # in supporting documentation, and that the name of QoSient not be # used in advertising or publicity pertaining to distribution of the # software without specific, written prior permission. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # # Archive argus data file every hour, on the hour. 0 * * * * /usr/local/bin/argusarchive >> /var/log/argus/archive.log 2>&1 argus-3.0.8.2/support/System/magic000555 000765 000024 00000002106 12513222401 017421 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # #------------------------------------------------------------------------------ # argus: file(1) magic for argus-3.*; # From: carter@qosient.com (Carter Bullard) # # Argus magic file entry for linux public domain file(1) command. # 8 belong 0xE5712DCB Argus data >40 byte x - version %d >41 byte x \b.%d 8 belong 0xE5617ACB Argus data >32 byte x - version %d >33 byte x \b.%d argus-3.0.8.2/support/Startup/argus000444 000765 000024 00000006040 12513222401 017636 0ustar00carterstaff000000 000000 #!/bin/sh # # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # Permission to use, copy, modify, and distribute this software and # its documentation for any purpose and without fee is hereby granted, # provided that the above copyright notice appear in all copies and # that both that copyright notice and this permission notice appear # in supporting documentation, and that the name of QoSient not be # used in advertising or publicity pertaining to distribution of the # software without specific, written prior permission. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # argus This shell script takes care of starting and stopping # argus, on RH Linux. Should be useful for other versions. # # chkconfig: 2345 55 45 # description: argus-3.0 generates network transaction audit records. # processname: argus # config: /etc/argus.conf # # The assumption here is that /etc/argus.conf specifies ARGUS_DAEMON=no. # If not the system will hang running argus. If this is not set to the # default, change "argus -d" below to "argus" # # Source function library. if [ -f /etc/init.d/functions ]; then . /etc/init.d/functions else if [ -f /etc/rc.d/init.d/functions ]; then . /etc/init.d/functions fi fi # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 1 # Set argus path by defining $ARGUSHOME for this script. # If argus was installed in another way, modify PATH to # include the directory where the argus binary was installed. ARGUSDIR=/usr/local/sbin ARGUSHOME=$ARGUSDIR export PATH=$ARGUSHOME:$PATH [ -f $ARGUSHOME/argus ] || exit 1 RETVAL=0 start() { # Start daemons. echo -n "Starting argus: " if [ ! -e /etc/argus.conf ] then if [ ! -d /var/log/argus ] then mkdir /var/log/argus fi argus -de `hostname` -w /var/log/argus/argus.out \ > /dev/null 2>&1 RETVAL=$? else argus -d > /dev/null 2>&1 && success || failure RETVAL=$? fi [ $RETVAL -eq 0 ] && touch /var/lock/subsys/argus echo } stop() { # Stop daemons. echo -n "Shutting down argus: " killproc argus RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/argus echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/argus ]; then stop start RETVAL=$? fi ;; status) status argus RETVAL=$? ;; *) echo "Usage: argus {start|stop|restart|condrestart|status}" exit 1 ;; esac exit $RETVAL argus-3.0.8.2/support/Startup/argus.service000444 000765 000024 00000001057 12513222401 021300 0ustar00carterstaff000000 000000 [Unit] Description=Start Argus daemon After=network.target # You may need to change the ExecStartPre below to manage the # interface that argus is going to use. You may also need to # change the ExecStart line to point to where argus is installed # on your system, as well as any other arguments to argus. Note # that this assumes that you are not using -d or setting # ARGUS_DAEMON=yes in the config file. # # This was tested on Fedora 16 [Service] ExecStartPre=/sbin/ifconfig em2 up ExecStart=/usr/local/sbin/argus [Install] WantedBy=multi-user.target argus-3.0.8.2/support/Startup/com.qosient.argus.plist000444 000765 000024 00000001323 12513222401 023225 0ustar00carterstaff000000 000000 Description Argus Network Monitor OrderPreference Late Provides Argus Requires Network Uses SystemLog mDNSResponder KeepAlive Program /usr/local/sbin/argus Label com.qosient.argus Disabled argus-3.0.8.2/support/Startup/README000444 000765 000024 00000007155 12513222401 017462 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of QoSient not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ These scripts are intended to help manage the starting/stopping of Argus daemons, both during system boot as well as in normal operation, on a number of platforms, such as Linux, using the chkconfig system, and Mac OS X, with /Library/StartupItems packages. Under Linux Systemctl The argus.service file can be used on Fedora (and RedHat Linux?) to automatically start argus at boot time. Put the file argus.service in /lib/systemd/system, then run these two commands as root: # systemctl enable argus.service # systemctl start argus.service After that, argus should be automatically started when the system boots. Chkconfig The ./argus script takes one of four arguments, start, stop, restart and status. If the specific /etc configuration file is not found, the daemon will be run with some assumptions about the system configuration and writes its logs to /var/log/argus. For installation on Linux: The linux chkconfig system, assumes that the scripts that are run from the /etc/init.d directory return, as the boot process runs each script sequentially, and doesn't progress until each process returns. This means that argus and radium need to run as daemons, in the background. As a result, do check that the individual /etc/ configuration files, argus.conf and radium.conf, set the [ARGUS|RADIUM}_DAEMON variable to "yes". Edit the PATH variable in the script to the directory the binary is located in. Then, install the script in /etc/rc.d/init.d. After this, if your system supports the chkconfig() utility, you can use that to install argus and then have it start when the system boots. # cp argus /etc/rc.d/init.d # chkconfig --add argus # chkconfig --level 2345 argus on If your system doesn't have chkconfig(), then simply create a link to the /etc/rc.d/init.d/argus file in the run level that you want the daemon to run in. Most systems will have this as run level 3. # cd /etc/rc.d/rc3.d # ln -s ../init.d/argus argus Mac OS X Launchctl The com.qosient.argus.plist is a configuration file used with the Mac OS X launchctl system. This file should be installed into the /Library/LaunchDaemons directory on the target machine. This will allow Mac OS X to start argus when the machine boots, and to ensure that it is always running. The included scripts assume that argus has been installed in the default /usr/local/sbin directory, so if you have done something out of the ordinary, you will need to modify the scripts. For installation on Mac OS X: # cp com.qosient.argus.plist /Library/LaunchDaemons # launchctl load /Library/LaunchDaemons/com.qosient.argus.plist argus-3.0.8.2/support/Deployment/sample000555 000765 000024 00000016707 12513222401 020472 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of QoSient not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ Example Argus Deployments 1, Getting Started - Host Network Auditing and Saving the Records In the first and simplest configuration, the Argus daemon is run on a host with a single network interface and writes its network activity status flow records directly to a file on the local disk. argus -Xw /path/to/argus/argus.file.out The "-X" option is used to ignore any system Argus configurations, such as /etc/argus, and all options are the defaults. Argus will open the single interface, in promiscuous mode, and write the comprehensive argus network flow status records into the output file. With this strategy, argus will run forever, in the foreground of the shell where you ran it, and the file, argus.file.out, will grow as network traffic is monitored. In Argus-3.x, just like all earlier versions of Argus, the argus.file.out can be renamed or moved, and argus will simply recreate the missing file and continue to write Argus data records. In earlier versions of Argus a simple archive strategy was supported, where you would periodically move the single target output file into an archive directory structure, using commands like this: mv /var/log/argus/argus.out /var/log/argus/archive/argus.`date +%Y%m.%d.%H`:00 This command was usually run from a script, which cron(8) would run periodically. Today, there are a large number of support programs and strategies to provide much more sophisticated archive mechanisms. See the argus-clients distribution for details. One can simply examine the Argus audit records using ra(1), for example, ra -nr /var/log/argus/archive/argus.2010.03.04.10:00 - 2. Creating a Host Daemon and Saving the Records Today, the standard method of running argus in argus-3.x, is for argus to run as a daemon, providing socket access to its output data stream, and using argus client programs to collect the data. argus -X -d -P 561 To recreate the simple example above, and write argus data to a single target output file, you would use the argus client program radium.1, to collect and then distribute the data to the file. radium -X -d -S localhost -w /path/to/argus/argus.file.out With this configuration, Argus will run in the background as a daemon, and listen on port 561, the default argus port, for local or remote Argus client connections. Radium, will run in the background as a daemon, connecting to the argus data server, and write its data stream to the argus.file.out file. Like Argus, Radium will recreate the file, if you rename or move the file. This approach requires that the host's access control mechanism allow port 561/tcp connections. Note: example daemon startup files for both Argus and Radium can be found in the distribution under support/Startup. Argus Configuration Examples: 3. Creating an Argus Record Archive Standard Argus data collection systems normally do not write its output stream to a single target output file, but rather, it writes its data into a local argus archive using the program rasplit.1. rasplit -d -S localhost -M time 5m \ -w /archive/$srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S rasplit.1 will run as a daemon, connecting to the local argus, and it will distributed its data into a native OS file system that is structured to support 5 minute log files, organized by argus source id, year, month and day. This is a typical configuration for auditing a single host's traffic (such as a file server or mail host) and its internal ra.1 events. There are a number argus clients designed to support much more complex strategies, such as rastream.1 and rasqlinsert.1. Please see the argus-client distribution for detailed descriptions. 4. Auditing a DMZ - Creating a Argus Probe This example configuration is designed to monitor a network segment, rather than the traffic seen by a single host, generating network activity audit records for all the traffic. It can be used to perform critical functions such as verifying a DMZ network service policy. In this configuration the host is converted to an Argus probe. It is stripped of all non-essential network services and given additional network interface(s). The extra interface(s) is/are attached directly to the DMZ network by configuring the switch to mirror all interfaces attached to the DMZ VLAN to the Argus host's additional network interface(s). Argus is then configured to read data from the additional network interface(s) which are not assigned IP address(es). | ----------- | Gateway | | | ----------- | DMZ Network | 10.1.1.1 | |--------------------------------------------| [switch - port mirroring] | | | 10.1.1.2 | [no assigned addr.] | | ----------- ----------- | Gateway | | Argus | | | | Probe | ----------- ----------- | | | 192.0.0.1 | 192.0.0.2 | | |--------------------------------------------| Internal Network | | | _____________ | Argus | [using radium & rasplit(1)] | Archive | ------------- This configuration should be used with the configuration in example 2 where both Argus and Radium are used except Radium is not saving the files locally as it will act a an Argus record distribution daemon. This enable remote Argus clients can connect directly to observe Argus records in real-time or as in the above illustration, collecting and archiving the Argus records into an archive on a remote host using radium(1) and rasplit(1). argus-3.0.8.2/support/Config/argus.conf000555 000765 000024 00000052374 12513222401 020343 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE=value # VARIABLE="compound values" # # with no white space between the VARIABLE and the '=' sign. # # # Comments # # Comments are supported using a '#' as the first character # in the string, such as this string that you are reading. # # Embedded comments are supported preceeded by a " //" as you # see in the C language. The preceeding white space is very important. # The space or tab is absolutely required to delimit the end of the # variable values and the beginning of the comment. Without the space, # the comment will be included as a part of the configuration variable. # # VARIABLE=value // comment # VARIABLE="compound values" // comment # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX', # 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can # be configured to # formulate key strategies from a list of # the specific objects that the Argus understands. See the # man page for a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" #ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # In the examples seen in the ./support/Startup/argus scripts, # this value is set to "yes", as the system startup strategy # requires the program to daemonize themselves, returning a value # to the system, hopefully quickly. Some systems, however, want # to daemonize the tasks themselves, and those cases, the value # must be set to "no". # # The default value is to not run as a daemon. # # Commandline equivalent -d # #ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and argus suppors a number of # formats as legitimate values. Argus support unsigned ints, IPv4 # addresses and 4 bytes strings, as values. # # The formats are discerned from the values provided. Double-quoted # values are treated as strings, and are truncated to 4 characters. # Non-quoted values are tested for whether they are hostnames, and if # not, then they are tested wheter they are numbers. # # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" for # assigning the probe's id. This is to support management of # large deployments, so you can have one argus.conf file that works # for a lot of probes. # # For security, argus does not rely on system programs, like hostname.1. # It implements the logic of hostname itself, so don't try to run # arbitrary programs using this method, because it won't work. # # Commandline equivalent -e # #ARGUS_MONITOR_ID=`hostname` // IPv4 address returned #ARGUS_MONITOR_ID=10.2.45.3 // IPv4 address #ARGUS_MONITOR_ID=2435 // Number #ARGUS_MONITOR_ID="en0" // String # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # #ARGUS_ACCESS_PORT=561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # #ARGUS_BIND_IP="::1,127.0.0.1" #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. # # Commandline equivalent -i # #ARGUS_INTERFACE=any #ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=ind:en0/"en0",en2/19234 #ARGUS_INTERFACE=en0 # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is goes into prmiscuous mode. # # Commandline equivalent -p # #ARGUS_GO_PROMISCUOUS=yes # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c dir # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAN="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model. But for some sites and applications, pushing # records without explicit registration is desired. This option will cause # argus to transmit records that match the optional filter, to the configured # targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # #ARGUS_SET_PID=yes #ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=60 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # The maxium value for any timeout is 65534 seconds. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # #ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # #ARGUS_GENERATE_RESPONSE_TIME_DATA=no # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # #ARGUS_GENERATE_PACKET_SIZE=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # #ARGUS_GENERATE_JITTER_DATA=no # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # #ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # #ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # #ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # #ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # #ARGUS_CAPTURE_DATA_LEN=32 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus allows you to capture packets in tcpdump() format if the source # of the packets is a tcpdump() formatted file or live packet source. # # Specify the path to the packet capture file here. # # Argus can be further configured to either capture all packets (default) that # it receives, or to capture only the packets that cause internal errors, # such as those that can't be classified into an appropritate flow model. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" #ARGUS_PACKET_CAPTURE_ON_ERROR="no" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting the pcap buffer size. # You can use the abbreviations K, M, G to specify # thousands, millions or billions of bytes. # #ARGUS_PCAP_BUF_SIZE=1G # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and so, having # this on by default may generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to identify and track duplicate # packets as a separate metric. While the algorithms are # traffic type specific, you can use this strategy to # identify problems within your packet collection infrastructure. # The default is to not turn this feature on. #ARGUS_TRACK_DUPLICATES="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional data and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes (48) # DC_MAX - (int) Maximum client datagram payload size in bytes (128) # GS_MAX - (int) Maximum server packet gap (3) # DS_MIN - (int) Minimum server datagram payload size in bytes (24) # DS_MAX - (int) Maximum server datagram payload size in bytes (256) # IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap (3) # ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816) # ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122) # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # #ARGUS_KEYSTROKE="no" #ARGUS_KEYSTROKE_CONF="GPC_MAX=4" argus-3.0.8.2/support/Archive/argusarchive000555 000765 000024 00000034445 12513222401 021134 0ustar00carterstaff000000 000000 #!/bin/sh # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # QoSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QoSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # #*/ # 14 Jan 2010 - Peter Van Epp (vanepp@sfu.ca): # Modified for perl traffic scripts and to make it work again # In case we are running from cron set an appropriate PATH PATH=/bin:/usr/bin:/usr/local/bin # If there is an argument on the command line set it as the argus prefix which # will modify the names of the various data files (for the case where a machine # is collecting for more than one argus instance). If there is no argument, # then the prefix is set to argus so as to be compatible with the original # version of argusarchive. if [ "$1"x = x ]; then INSTANCE=argus else INSTANCE="$1_argus" fi # User setable options: # # Try to use $ARGUSDATA and $ARGUSARCHIVE where possible. # If these are available, the only thing that we need to # know is what is the name of the argus output file. # # If ARGUSDATA set then don't need to define below. For # cron scripts however, $ARGUSDATA may not be defined, so # lets do that here if it isn't already. # where to find the data argus is writing if [ "$ARGUSDATA"x = x ]; then ARGUSDATA=/var/log/argus # not set by user, so set it fi if [ "$ARGUSARCHIVE"x = x ]; then ARGUSARCHIVEBASE=/usr/local/argus # not set by user so set it else ARGUSARCHIVEBASE=$ARGUSARCHIVE # else us the user's value fi DATAFILE=${INSTANCE}.out # argus must be writing data in /$ARGUSDATA/$DATAFILE # set the program paths for your OS (this is FreeBSD) ARGUSBIN=/usr/local/bin # location of argus programs AWK=/usr/bin/awk MV=/bin/mv MKDIR=/bin/mkdir CHOWN=/usr/sbin/chown SU=/usr/bin/su TOUCH=/usr/bin/touch # Data file compression COMPRESS=yes # compress the archived data files yes or no # pick one of the below COMPRESSOR=/usr/bin/gzip # using this compression program COMPRESSFILEEX=gz #COMPRESSOR=/usr/bin/bzip2 # using this compression program #COMPRESSFILEEX=bz2 #COMPRESSOR=/usr/bin/compress # using this compression program #COMPRESSFILEEX=Z # options for perl traffic processing scripts ARGUSREPORTS=$ARGUSDATA # post processing directory POSTPROCESS=no # run the traffic scripts SPOOL=$ARGUSREPORTS/spool # spool directory name POSTPROG=/usr/local/bin/argus3_post_drv.pl POSTLOG=/var/log/argus.logs/argus3_post_drv.log ACCOUNT=argus # account used to run the post scripts (needs only # read access to the archive files) # optionally anonymize the argus data before post processing it ANONPOSTPROCESS=no # run the traffic scripts on the anon data as well ANONYMIZE=$ARGUSBIN/ranonymize # $ARGUSBIN/ranonymize or no ANONCONF=$ARGUSDATA/ranonymize.conf # using this config file if anonimizing ANONDATADIR=$ARGUSREPORTS/anondata # anonymized data storage directory name # end of options # Set ARGUSARCHIVE according to the settings above ARGUSARCHIVE=$ARGUSARCHIVEBASE/${INSTANCE}.archive # create the archive directory if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "Could not create archive directory $ARGUSARCHIVE" exit fi fi if [ -d $ARGUSDATA ] ; then cd $ARGUSDATA echo "cd $ARGUSDATA" if [ $ARGUSDATA != `pwd` ]; then echo "couldn't change to directory $ARGUSDATA, got `pwd` instead" exit fi else echo "argus data directory $ARGUSDATA not found" exit fi # If there is an argument on the command line set it as the argus prefix which # will modify the names of the various data files (for the case where a machine # is collecting for more than one argus instance). If there is no argument, # then the prefix is set to argus so as to be compatible with the original # version of argusarchive. if [ "$1"x = x ]; then INSTANCE=argus else INSTANCE="$1_argus" fi # In order to have the archive be date consistant (i.e. the first file of the # day starts at or close to midnight instead of 23:00 of the day before as # was originally the case), take the archive file name from a file called # $ARGUSDATA/${INSTANCE}.start.date (which is supposed to be created by the # startup scripts at boot, and every time this script is run). To provide for # the case where the file doesn't exist when this script runs, set the file # to the current time (with a .0 appended to the end) and the next cycles file # name to the current time with a .1 appended. This makes sure that the two # close to identically named files sort in the correct date order for processing # even after the compression suffix is tagged on the end. All the files need # to have the .0 appended to them so they remain the same length and thus # sort correctly. if [ ! -f $ARGUSDATA/${INSTANCE}.start.date ]; then # File doesn't exist so create a current archive file with the current time # and a .0 suffix, and the new archive file (for next cycle) with the current # time and a .1 suffix. The purpose of the suffixes is to maintain file # time order on a sort after the compression suffix is appended to the # file name. Without the suffixes at the next cycle the script would # overwrite the data we archived this time (bad!) because the file names # would be identical. echo "$ARGUSDATA/${INSTANCE}.start.date doesn't exist creating files" ARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.1 else # The file exists, so check the contents are of the form # $INSTANCE.yy.mm.hh.mm.ss.0|1 as it should be. If not set both file names # as above to create a correct pair of file names and log the invalid # contents of the file. ARCHIVE=`cat $ARGUSDATA/${INSTANCE}.start.date` # since I can't figure out how to escape the $ to match eol, cheat ... ESC=$ RESULT=`egrep -c "^$INSTANCE\.[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9]$ESC" $ARGUSDATA/${INSTANCE}.start.date` if [ "$RESULT" = "1" ]; then # the file appears valid so use the contents as the current archive name # and create the next one from the current time with .0 appended. This # should be the normal case when all is well. NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 else # The format of the saved file looks invalid (perhaps because someone # external messed with it), so recreate a proper current and new archive # file. Log the corrupted version. echo "$ARCHIVE is invalid, recreated" ARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.1 fi fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` # and write the next cycle's archive file name to file for the next cycle. `echo $NEWARCHIVE > $ARGUSDATA/${INSTANCE}.start.date` echo "$TIMESTAMP ${INSTANCE}_argusarchive started" YEAR=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $2}'` MONTH=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $3}'` DAY=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $4}'` if [ ! -d $ARGUSARCHIVE ] ; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ] ; then echo "could not create archive directory $ARGUSARCHIVE" exit else echo "archive directory $ARGUSARCHIVE created" fi else echo "archive directory $ARGUSARCHIVE found" fi ARGUSARCHIVE=$ARGUSARCHIVE/$YEAR if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi ARGUSARCHIVE=$ARGUSARCHIVE/$MONTH if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi ARGUSARCHIVE=$ARGUSARCHIVE/$DAY if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi # Presumably this is for mysql, but I don't know how to create it so # it is currently commented out # if [ ! -d $ARGUSARCHIVE/$INDEX ]; then # $MKDIR $ARGUSARCHIVE/$INDEX # if [ ! -d $ARGUSARCHIVE/$INDEX ]; then # echo "could not create archive index directory." # exit # fi # fi if [ -f $ARGUSDATA/$DATAFILE ] ; then if [ -f $ARGUSARCHIVE/$ARCHIVE ] ; then echo "argus archive file $ARGUSARCHIVE/$ARCHIVE exists, leaving data" exit else $MV $ARGUSDATA/$DATAFILE $ARGUSARCHIVE/$ARCHIVE 2>/dev/null fi else echo "argus data file $ARGUSDATA/$DATAFILE not found" exit fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ARGUSARCHIVE/$ARCHIVE ]; then echo "$TIMESTAMP argus data file $ARGUSARCHIVE/$ARCHIVE moved successfully" else echo "argus data file $ARGUSDATA/$DATAFILE move failed" exit fi # Now compress and/or post process the data file if that has been requested # save a copy of the archive filename (which will change and be updated if # compression is requested) for later processing ARCHIVEFILE=$ARCHIVE ARCHIVEPATHFILE=$ARGUSARCHIVE/$ARCHIVE # compression first if requested if [ $COMPRESS = yes ]; then if [ "$COMPRESSOR"x = x ]; then echo "Compression requested but COMPRESSOR not set" exit fi if [ -f $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX ]; then echo "Compressed file $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX already exists, leaving data file" exit fi $COMPRESSOR $ARGUSARCHIVE/$ARCHIVE TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ARGUSARCHIVE/$ARCHIVE ]; then echo "$TIMESTAMP Original data file $ARGUSARCHIVE/$ARCHIVE still exists compression failed?" exit fi if [ -f $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX ]; then echo "$TIMESTAMP $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX compression completed" # so update the data file name for futher processing if requested ARCHIVE=$ARCHIVE.$COMPRESSFILEEX ARCHIVEPATHFILE=$ARGUSARCHIVE/$ARCHIVE else echo "$TIMESTAMP no compressed file $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX compression failed?" exit fi fi # if we got this far things seem to have worked correctly so do the # anonymizing and post processing if requested if [ $POSTPROCESS = yes ] || [ $ANONPOSTPROCESS = yes ]; then # check the reports directories creating as needed and requested if [ ! -d $ARGUSREPORTS ] ; then $MKDIR $ARGUSREPORTS if [ ! -d $ARGUSREPORTS ] ; then echo "could not create reports directory $ARGUSREPORTS" exit else echo "report directory $ARGUSREPORTS created" fi fi # check and create the spool directory if needed if [ ! -d $SPOOL ] ; then $MKDIR $SPOOL if [ ! -d $SPOOL ] ; then echo "could not create reports directory $SPOOL" exit else echo "report directory $SPOOL created" fi fi fi if [ $POSTPROCESS = yes ]; then # If postprocessing of the unanonymized files has been requested create # the appropriate workfile in the spool directory. echo "$ARCHIVEPATHFILE" > $ARGUSREPORTS/spool/w$ARCHIVE fi # If anonymization has been requested, anonymize and (if requested) compress # the data file if [ $ANONYMIZE = $ARGUSBIN/ranonymize ]; then # Check and create the data directory as needed if [ ! -d $ANONDATADIR ] ; then $MKDIR $ANONDATADIR if [ ! -d $ANONDATADIR ] ; then echo "could not create reports directory $ANONDATADIR" exit else echo "report directory $ANONDATADIR created" fi fi # anonymize the data file as requested and save it (compressed if requestedi) # in to the anondata directory as anonfilename (to differentiate it from the # unanonympized data file) ARCHIVEFILE=anon$ARCHIVEFILE $ANONYMIZE -f $ANONCONF -r $ARGUSARCHIVE/$ARCHIVE -w $ANONDATADIR/$ARCHIVEFILE # update the full path to the now anonymized data file to pass to post # processing if requested ARCHIVEPATHFILE=$ANONDATADIR/$ARCHIVEFILE if [ $COMPRESS = yes ]; then if [ -f $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX ]; then echo "Compressed file $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX already exists, leaving data file" exit fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP starting compression of $ANONDATADIR/$ARCHIVEFILE" $COMPRESSOR $ANONDATADIR/$ARCHIVEFILE TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ANONDATADIR/$ARCHIVEFILE ]; then echo "$TIMESTAMP Original data file $ANONDATADIR/$ARCHIVEFILE still exists compression failed?" exit fi if [ -f $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX ]; then echo "$TIMESTAMP compression of $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX completed" ARCHIVEFILE=$ARCHIVEFILE.$COMPRESSFILEEX else echo "$TIMESTAMP compression of $ANONDATADIR/$ARCHIVEFILE failed" exit fi # update the full path to the now anonymized data file to pass to post # processing if requested ARCHIVEPATHFILE=$ANONDATADIR/$ARCHIVEFILE fi # end of anon compression if [ $ANONPOSTPROCESS = yes ]; then # Write the workfile in to the spool directory to cause this file to be # post processed when the post processing script is run later. echo "$ARCHIVEPATHFILE" > $ARGUSREPORTS/spool/w$ARCHIVEFILE fi fi # At this point the appropriate work files have been written to the spool # directory so change the ownership of the files to the post processing # user and launch post processing if requested if [ $POSTPROCESS = yes ] || [ $ANONPOSTPROCESS = yes ]; then # Check for and try and create an appropriate log file if [ ! -f $POSTLOG ]; then $TOUCH $POSTLOG if [ ! -f $POSTLOG ]; then echo "Log file $POSTLOG can't be created" exit fi fi # Correct the ownership of the directories we have been writing as root to # the post processing user $CHOWN $ACCOUNT $POSTLOG $CHOWN -R $ACCOUNT $ARGUSREPORTS/spool $CHOWN -R $ACCOUNT $ANONDATADIR # then run the post processing command TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP Post processing started" $SU $ACCOUNT -c "$POSTPROG >> $POSTLOG" TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP Post processing completed" fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP argusarchive completed successfully" argus-3.0.8.2/support/Archive/README.argusarchive000444 000765 000024 00000012075 12513222401 022060 0ustar00carterstaff000000 000000 Feb 2010 Some minimal documentation for the argusarchive script. First off (ignoring the new options for post processing for now) the purpose of this script is to be run from cron on the argus archive machine (which may be the same as the sensor machine if the load is low enough) and create an archive of argus files (I usually use 1 hour, your link speed may need that to be much shorter). This is the cron entry I've been using for many years now (although parts of this script are new, I've been using one like it for 10 years or more): 0 * * * * /usr/local/bin/argusarchive >> /var/log/argus.logs/argusarchive.log 2>&1 which creates an archive like this: ls /usr/local/argus argus.archive ls /usr/local/argus/argus.archive 2009 2010 ls /usr/local/argus/argus.archive/2010 01 02 ls /usr/local/argus/argus.archive/2010/02 01 02 03 04 05 06 ls /usr/local/argus/argus.archive/2010/02/04 argus.2010.02.04.00.00.00.0.gz argus.2010.02.04.01.00.00.0.gz ... argus.2010.02.04.23.00.00.0.gz The script creates new directories as needed and via the use of a file (by default in /var/log/argus) remembers the start time of the file (because when the file is processed it only has the end time). The reason for that is so that the first file starts at midnight rather than 23:00 of the day before as using the time the script runs to set the file name does and ends at midnight (rather than 23:00). The starttime file is also the reason that there is a .0 in the file name before the .gz. In the case of a reboot or restart the startup script that starts argus should write a new start time file so to log a record that the restart happened and to mark the appropriate hour of the new data file (in case of an outage that crosses an hour boundary). As well the startup script needs to call argusarchive to move the current output file (using the current value in the start.date file) to the archive and then set the current time in to the argus.start.time file as the start time for the current record. If the crash / restart should occur just as the current file changed the file names may be identical. To fix that problem a ".0" is normally appended to the archive file name. If that file already exists when the restart happens the new file name is set to the ".1" extension so that the files will sort in the correct time order in the archive. This covers the case where the outage crosses an hour boundary as well, the first file will have the correct start time (but possibly less than an hour's data) and the new file will have the correct (possibly several hours later) start time and possibly less than an hour's data. In normal operation all files will end in the .0.gz. This is all that the original argus archive script used to do (although as noted it used the end time and thus ran from 23:00 on day-1 til 23:00 on day). This script by default matches (other than the times) the original script. I added some features to suit how I was running argus. You may or may not want to use some of them. First this script started in the days of argus 2.0.6 (or possibly earlier :-) around 2002 or so. There wasn't an argus ID option in 2.0.6 and I was running multiple argus instances on a single machine. Thus if you add an instance name to the command running from cron like this: 0 * * * * /usr/local/bin/argusarchive com >> /var/log/argus.logs/argusarchive.log 2>&1 then the instance supplied (com for commodity Internet as opposed to CA*net in this case) is appended to all the archive names so the data is separated by instance name (the "com" is replaced by "c4" for the Ca*net link in my case): ls /usr/local/argus argus.archive would become ls /usr/local/argus com_argus.archive and ls /usr/local/argus/argus.archive/2010/02/04 argus.2010.02.04.00.00.00.0.gz would become ls /usr/local/argus/com_argus.archive/2010/02/04 com_argus.2010.02.04.00.00.00.0.gz Then because processing an entire days worth of argus records at one time was taking too much time and memory I added the code to launch post processing code (perl in my case) against the file just archived when argusarchive runs. There is also the option to run the post processing on this machine (probably not advised if it is your capture machine as well) or to cause it to be transferred to a remote machine via ssh and processed there. You can modify this to your taste. New in this version is the option to anonymize the archive data using ranonymize and pass the anonymized data to the post processing programs (which incidentally can and should be run on an id that only has read access to the archived data!). This allows traffic analysis of the data to occur (as only the IPs are anonymized in my case) without the analyist knowing what machines are creating the data. This is useful when a client has a traffic problem but isn't comfortable (or possibly even allowed) to let the analyist see the real IP addresses. If the client runs the same non anonymized traffic through the post processing scripts, they should get the same reports with the real IP addresses from which they can take appropriate action. Peter Van Epp (vanepp@sfu.ca) argus-3.0.8.2/pkg/argus.conf000444 000765 000024 00000052411 12513222401 016170 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE=value # VARIABLE="compound values" # # with no white space between the VARIABLE and the '=' sign. # # # Comments # # Comments are supported using a '#' as the first character # in the string, such as this string that you are reading. # # Embedded comments are supported preceeded by a " //" as you # see in the C language. The preceeding white space is very important. # The space or tab is absolutely required to delimit the end of the # variable values and the beginning of the comment. Without the space, # the comment will be included as a part of the configuration variable. # # VARIABLE=value // comment # VARIABLE="compound values" // comment # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX', # 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can # be configured to # formulate key strategies from a list of # the specific objects that the Argus understands. See the # man page for a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" #ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # The default value is to not run as a daemon. # # This example is to support the ./support/Startup/argus script # which works when this variable be set to "yes". # # Commandline equivalent -d # #ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and argus suppors a number of # formats as legitimate values. Argus support unsigned ints, IPv4 # addresses and 4 bytes strings, as values. # # The formats are discerned from the values provided. Double-quoted # values are treated as strings, and are truncated to 4 characters. # Non-quoted values are tested for whether they are hostnames, and if # not, then they are tested wheter they are numbers. # # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" for # assigning the probe's id. This is to support management of # large deployments, so you can have one argus.conf file that works # for a lot of probes. # # For security, argus does not rely on system programs, like hostname.1. # It implements the logic of hostname itself, so don't try to run # arbitrary programs using this method, because it won't work. # # Commandline equivalent -e # #ARGUS_MONITOR_ID=`hostname` // IPv4 address returned #ARGUS_MONITOR_ID=10.2.45.3 // IPv4 address #ARGUS_MONITOR_ID=2435 // Number #ARGUS_MONITOR_ID="en0" // String # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # #ARGUS_ACCESS_PORT=561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # #ARGUS_BIND_IP="::1,127.0.0.1" #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. # # Commandline equivalent -i # #ARGUS_INTERFACE=any #ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=ind:en0/"en0",en2/19234 #ARGUS_INTERFACE=en0 # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is go into prmiscuous mode. # # Commandline equivalent -p # #ARGUS_GO_PROMISCUOUS=yes # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be configured to enable detailed control plane # flow monitoring for specific control plane protocols. # # This feature requires full packet capture for the monitored # interface in order to capture the complete control plane # protocol, and will have a performance impact on the sensor. # # The default is to not turn this feature on. # # Commandline equivalent -C # #ARGUS_CAPTURE_FULL_CONTROL_DATA=no # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAN="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model. But for some sites and applications, pushing # records without explicit registration is desired. This option will cause # argus to transmit records that match the optional filter, to the configured # targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # #ARGUS_SET_PID=yes #ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=60 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # The maxium value for any timeout is 65534 seconds. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # #ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # #ARGUS_GENERATE_RESPONSE_TIME_DATA=no # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # #ARGUS_GENERATE_PACKET_SIZE=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # #ARGUS_GENERATE_JITTER_DATA=no # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # #ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # #ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # #ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # #ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # #ARGUS_CAPTURE_DATA_LEN=32 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus allows you to capture packets in tcpdump() format if the source # of the packets is a tcpdump() formatted file or live packet source. # # Specify the path to the packet capture file here. # # Argus can be further configured to either capture all packets (default) that # it receives, or to capture only the packets that cause internal errors, # such as those that can't be classified into an appropritate flow model. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" #ARGUS_PACKET_CAPTURE_ON_ERROR="no" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and so, having # this on by default may generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to identify and track duplicate # packets as a separate metric. While the algorithms are # traffic type specific, you can use this strategy to # identify problems within your packet collection infrastructure. # The default is to not turn this feature on. #ARGUS_TRACK_DUPLICATES="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional data and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes (48) # DC_MAX - (int) Maximum client datagram payload size in bytes (128) # GS_MAX - (int) Maximum server packet gap (3) # DS_MIN - (int) Minimum server datagram payload size in bytes (24) # DS_MAX - (int) Maximum server datagram payload size in bytes (256) # IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap (3) # ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816) # ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122) # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # #ARGUS_KEYSTROKE="no" #ARGUS_KEYSTROKE_CONF="GPC_MAX=4" argus-3.0.8.2/pkg/README000444 000765 000024 00000010151 12513222401 015053 0ustar00carterstaff000000 000000 ######################################################################## Note: These materials are a work-in-progress and not yet meant for production use. ######################################################################## /* * Argus Software. Tools to read, analyze and manage Argus data. * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ * */ Argus 3.0 QoSient, LLC argus@qosient.com http://qosient.com/argus This directory tree contains files used to create standard install materials for various operating system distributions. The idea is to be able to install and configure argus in the ways familiar to system administrators. Files that reside in this directory are default argus configurations which are common across all distributions. Files that differ by distribution are stored in sub-directories. For most distributions, the initial bootstrap for the packaging instructions lies in fixed directories at the root of the source tarball. In order to do packaging, one must install distribution-specific packaging tools in addition to the normal complement of development tools, e.g. compilers. The tools can be used to create both source and binary packages. The rest of this README discusses the individual distributions. Look also at the README files in the subdirectories. ######################################################################## RedHat Enterprise Linux (and derivatives such as Fedora and CentOS ) ######################################################################## subdirectory: rhel/ bootstrap packaging: lib/argus.spec default prefix: /usr argus has for some time provided the .spec file which can be used to build RPMs directly from the compressed tarball with: rpmbuild -ta argus-n.n.n.tar.gz Descriptions of RPM packaging for RHEL-based distibutions can be found at: http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/RPM_Guide/index.html The .spec file is divided into a number of sections describing how to build binaries, where production binaries and configuration files will be placed, and commands to be executed pre- and post-installation. A single .spec file can describe building multiple RPMS ######################################################################## Debian Linux ( here the Ubuntu variant ) ######################################################################## subdirectory: ubuntu/ bootstrap packaging: debian/ default prefix: /usr Debian-based distribution use a directory of files to specify the build, install, pre- and post-installation commands. There can be multiple versions of the files describing multiple packages. To learn about the packaging files in the 'debian' directory, see: http://packaging.ubuntu.com/html/debian-dir-overview.html Note: The debian/control needs work, especially Build-Depends Note: Pay particular attention the formatting instructions for the debian/changelog file. In particular, the line describing the maintainer must *exactly* match your GPG-key when signing a package. Canonical, the overseer of Ubuntu, provides via Launchpad.net a place where one can practice building and distributing packages either as group projects or Personal Package Archives (PPA). For information and instructions, see: http://packaging.ubuntu.com/html/packaging-new-software.html and for package naming conventions https://help.launchpad.net/Packaging/PPA/BuildingASourcePackage argus-3.0.8.2/pkg/rhel/000755 000765 000024 00000000000 12513222401 015131 5ustar00carterstaff000000 000000 argus-3.0.8.2/pkg/rhel/init.d/000755 000765 000024 00000000000 12513222401 016316 5ustar00carterstaff000000 000000 argus-3.0.8.2/pkg/rhel/sysconfig/000755 000765 000024 00000000000 12513222401 017135 5ustar00carterstaff000000 000000 argus-3.0.8.2/pkg/rhel/sysconfig/argus000444 000765 000024 00000001047 12513222401 020201 0ustar00carterstaff000000 000000 # # Local configuration sample options for argus daemons # # This file is sourced by /etc/init.d/argus # # Sample values # Default option - just be a daemon and read config from /etc/argus.conf DAEMON_ARGS="-d" # # Monitoring with local-only ra client access on default port # # DAEMON_ARGS="-d -B 127.0.0.1 -P 561" # # Monitoring span port on eth1 with local-only access remapping port so radium can multiplex over default # # DAEMON_ARGS="-d -i eth1 -B 127.0.0.1 -P 562" # # Where argus is installed (override for testing) ARGUSDIR=/usr/sbin argus-3.0.8.2/pkg/rhel/init.d/argus000555 000765 000024 00000005354 12513222401 017372 0ustar00carterstaff000000 000000 #!/bin/sh # # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # Permission to use, copy, modify, and distribute this software and # its documentation for any purpose and without fee is hereby granted, # provided that the above copyright notice appear in all copies and # that both that copyright notice and this permission notice appear # in supporting documentation, and that the name of QoSient not be # used in advertising or publicity pertaining to distribution of the # software without specific, written prior permission. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # argus This shell script takes care of starting and stopping # argus, on RH Linux. Should be useful for other versions. # # chkconfig: 2345 55 45 # description: argus-3.0 generates network transaction audit records. # processname: argus # config: /etc/argus.conf # Source function library. if [ -f /etc/init.d/functions ]; then . /etc/init.d/functions fi # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 1 # # The assumption here is that /etc/argus.conf specifies ARGUS_DAEMON=no. # If not the system will hang running argus. If this is not set to the # default, change DAEMON_ARGS in /etc/sysconfig/argus # DAEMON_ARGS="-d" # Set argus path by defining $ARGUSHOME for this script. # If argus was installed in another way, modify /etc/sysconfig/argus # to specify ARGUSDIR where the argus binary was installed. ARGUSDIR=/usr/sbin # Source argus configuration. . /etc/sysconfig/argus ARGUSHOME=$ARGUSDIR export PATH=$ARGUSHOME:$PATH [ -f $ARGUSHOME/argus ] || exit 1 RETVAL=0 start() { # Start daemons. echo -n "Starting argus: " argus $DAEMON_ARGS > /dev/null 2>&1 && success || failure RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/argus echo } stop() { # Stop daemons. echo -n "Shutting down argus: " killproc argus RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/argus echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/argus ]; then stop start RETVAL=$? fi ;; status) status argus RETVAL=$? ;; *) echo "Usage: argus {start|stop|restart|condrestart|status}" exit 1 ;; esac exit $RETVAL argus-3.0.8.2/man/man5/000755 000765 000024 00000000000 12513222401 015031 5ustar00carterstaff000000 000000 argus-3.0.8.2/man/man8/000755 000765 000024 00000000000 12513222401 015034 5ustar00carterstaff000000 000000 argus-3.0.8.2/man/man8/argus.8000555 000765 000024 00000025761 12513222401 016262 0ustar00carterstaff000000 000000 .\" .\" Argus Software .\" Copyright (c) 2000-2015 QoSient, LLC .\" All rights reserved. .\" .TH ARGUS 8 "10 November 2000" "argus 3.0.8" .SH NAME argus \- audit record generation and utilization system .SH SYNOPSIS .B argus [ .B options ] [ .B filter expression ] .SH COPYRIGHT Copyright (c) 2000-2015 QoSient, LLC All rights reserved. .SH DESCRIPTION .IX "argus command" "" "\fLargus\fP \(em Internet audit facility" .IX servers argus "" "\fLargus\fP \(em Internet audit facility" .LP .B Argus is a data network transaction auditing tool that categorizes and tracks network packets that match the libpcap filter .I expression into a protocol-specific network flow transaction model. .B Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real-time processing for forensics, trending and alarm/alerting. .LP Designed to run as a daemon, .B argus reads packets directly from a network interface, classifies the packets into network transacations and appends the resulting network flow data to a log file or open socket connected to an .B argus client (such as .BR ra(1) ). .B Argus can also read packet information from .B tcpdump(1) , .B snoop(1) , .B NLANR's Moat Time Sequence Header or .B Endaces ERF raw packet files. \fBArgus\fP can also be configured to append its transaction logs to stdout. .LP .B Argus can provide address based access control for its socket connection facility using .B tcp_wrappers , and it can provide strong authentication and confidentiality protection using .B SASL2 technology. Refer to package documentation to enable each of these services. .SH OPTIONS .TP 5 5 .B \-A Generate application byte metrics in each audit record. .TP 5 5 .B \-b Dump the compiled packet-matching code to stdout and stop. This is used to debug filter expressions. .TP 5 5 .B \-B Specify the bind interface address for remote access. Acceptable values are IP version 4 addresses. The default is to bind to INADDR_ANY address. .TP 5 5 .BI \-c Specify a chroot directory to use after privilege access is complete. Must be super user to use this option. .TP 5 5 .BI \-C Run argus in control plane capture mode. This sets the interface packet snap length to capture full packets, and to enable detailed flow tracking for supported control plane protocols. .TP 5 5 .BI \-d Run argus as a daemon. This will cause argus to do the things that Unix daemons do and return, if there were no errors, with argus running as a detached process. .TP 5 5 .BI \-D Print debug messages to stderr. The higher the \fB\fP the more information printed. Acceptable levels are 1-8. .TP 5 5 .BI \-e Specify the source identifier for this \fBargus\fP. Acceptable values are numbers, strings, hostnames or ip address. Double quotes around the parameter are used to designate the string format. The longest supported string is 4 characeters long. Be sure and single quote or 'escape' the double quotes so that the shell doesn't gooble up the delimiters. This option sets a global Source identifier that can be overriden by specific -i options. .nf argus -e '"arg1"' argus -e \\"arg2\\" .fi .TP 5 5 .B \-f When reading packets from a packet capture file, the -f option causes argus to not stop when end of file is reached, but rather to wait for additional packets to be appended to the input. The -f option is ignored if the standard input is a pipe, but not if it is a FIFO. .TP 5 5 .B \-F Use \fIconffile\fP as a source of configuration information. Options set in this file override any other specification, and so this is the last word on option values. .TP 5 5 .B \-g Specify a group name to change to after privilege access is complete. .TP 5 5 .B \-h Print an explanation of all the arguments. .TP 5 5 .BI \-i Specify the physical network \fB\fP to be audited. The default is the first network interface that is up and running. The syntax for specifying the interface is the same format used in the argus.conf.5 file. The optional source id specification can be an IPv4 address, an integer, or a string denoted using double quotes. .nf -i interface[/srcid] -i all[/srcid] -i dup:en0,en1/"ap01" ( en0 and en1 are in ingress and egress interfaces ) -i bond:en0,en1/2.3.4.5 ( en0 and en1 are bonded interfaces ) -i en0 en1 ( equivalent '-i bond:en0,en1' ) -i dup:[bond:en0,en1],en2/3 ( in this case 3 is the srcid ) -i en0/"en0" -i en1/"en1" ( equivalent '-i ind:en0/srcid,en1/srcid' ) .fi .TP 5 5 .BI \-J\ Generate packet peformance data in each audit record. .TP 5 5 .B \-M Specify the interval in of argus status records. These records are used to report the internal status of argus itself. The default is 300 seconds. .TP 5 5 .B \-m Provide MAC addresses information in \fBargus\fP records. .TP 5 5 .B \-N | Specify the number of packets to process. You can give an absolute number, or a range with the syntax "start-stop". Examples are: -N 27 - read the first 27 packets. -N 1034-1434 - read 100 packets starting with 1034. .TP 5 5 .B \-O Turn off Berkeley Packet Filter optimizer. No reason to do this unless you think the optimizer generates bad code. .TP 5 5 .B \-p Do not set the physical network interface in promiscuous mode. If the interface is already in promiscuous mode, this option may have no effect. Do this to audit only the traffic coming to and from the system argus is running on. .TP 5 5 .BI \-P Specifies the \fB\fP for remote client connection. The default is to not support remote access. Setting the value to zero (0) will forceably turn off the facility. .TP 5 5 .B \-r <[type:]file [type:]file ... > Read from .B tcpdump(1) , .B snoop(1) or .B NLANR's Moat Time Sequence Header (tsh) packet capture files. If the packet capture file is a \fBtsh\fP format file, then the \fB-t\fP option must also be used. The file "-" specifies stdin as the source of packets. The \fBtype\fP provides the opportunity to specify what type of packet source to expect and process. Supported types are '' (default) and 'cisco', where argus will process the payload of packets as netflow records, when found. Argus will read from only one input packet file at a time, and will open the files in lexigraphic order. Care should be taken to ensure that the timestamps in the packets are ordered, or unexpected behavior may result. If the .B \-r option is specified, .B argus will not put down a .B listen(2) to support remote access. .TP 5 5 .BI \-R Generate argus records such that response times can be derived from transaction data. .TP 5 5 .B \-s Specify the packet snaplen. .TP 5 5 .B \-S Specify the status reporting interval in for all traffic flows. .TP 5 5 .B \-t Indicate that the expected packet capture input file is a .B NLANR's Moat Time Sequence Header (tsh) packet capture file. .TP 5 5 .B \-T timescale Specify a playback timescale for realtime processing of input packets. .TP 5 5 .B \-u Specify an account name to change to after privilege access is complete. .TP 5 5 .B \-U Specify the number of user bytes to capture. .TP 5 5 .B \-w Append transaction status records to \fIoutput-file\fP or write records to the URL based stream. Supported stream URLs are 'argus-udp://host[:port]', where the default port is 561. An \fIoutput-file\fP of '-' directs \fBargus\fP to write the resulting \fIargus-file\fP output to \fIstdout\fP. .TP 5 5 .B \-X Clear existing argus configuration. This removes any initialization done prior to encountering this flag. Allows you to eliminate the effects of the \fI/etc/argus.conf\fP file, or any argus.conf files that may have been loaded. .TP 5 5 .B \-Z Collect packet size information. This options turns on packet size reporting for all flows. Argus will provide the mean, max, min and standard deviation of the packet sizes seen during the flow status interval. .TP 5 5 .B \fIexpression\fP This .B tcpdump(1) expression specifies which transactions will be selected. If no \fIexpression\fP is given, all transactions are selected. Otherwise, only transactions for which \fIexpression\fP is `true' will be dumped. For a complete \fIexpression\fP format description, please refer to the .B tcpdump(1) man page. .SH SIGNALS \fBArgus\fP catches a number of \fBsignal(3)\fP events. The three signals \fBSIGHUP\fP, \fBSIGINT\fP, and \fBSIGTERM\fP cause \fBargus\fP to exit, writing TIMEDOUT status records for all currently active transactions. The signal \fBSIGUSR1\fP will turn on \fBdebug\fP reporting, and subsequent \fBSIGUSR1\fP signals, will increment the \fBdebug-level\fP. The signal \fBSIGUSR2\fP will cause \fBargus\fP to turn off all \fBdebug\fP reporting. .SH FILES .nf /etc/argus.conf - argus daemon configuration file /var/run/argus.#.#.pid - PID file .fi .SH EXAMPLES .LP Run \fBargus\fP as a daemon, writing all its transaction status reports to \fIoutput-file\fP. This is the typical mode. .RS .nf \fBargus -d -e `hostname` -w \fIoutput-file\fP .fi .RE .LP If ICMP traffic is not of interest to you, you can filter out ICMP packets on input. .RS .nf \fBargus -w \fIoutput-file\fP - ip and not icmp .fi .RE .LP Argus supports both input filtering and output filtering, and argus supports multiple output streams, each with their own independant filters. Output streams can be written to udp based sockets, to unicast or multicast addresses. If you are interested in tracking IP traffic only (input filter) and want to report ICMP traffic to one output stream, and all other IP traffic in another output stream. .RS .nf \fBargus -w \fIargus-udp://224.0.20.21:561\fP "icmp" \\ -w \fIargus-udp://224.0.20.21:562\fP "not icmp" - ip .fi .RE .LP Audit the network activity that is flowing between the two gateway routers, whose ethernet addresses are 00:08:03:2D:42:01 and 00:00:0C:18:29:F1. Without specifying an \fIoutput-file\fP, it is assumed that the transaction status reports will be written to a remote client. In this case we have changed the port that the remote client will use to port 430/tcp. .RS .nf \fBargus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1)\fP & .fi .RE .LP Audit each individual ICMP ECHO transaction from data in . You would do this to gather Round Trip Time (RTT) data within your network. Append the output to \fIoutput-file\fP. .RS .nf \fBargus -R dir -w \fIoutput-file\fP "echo" - icmp .fi .RE .LP Audit all NFS transactions involving the server \fIfileserver\fP and increase the reporting interval to 3600 seconds (to provide high data reduction). Append the output to \fIoutput-file\fP. .RS .nf \fBargus -S 3600 -w \fIoutput-file\fP - host fileserver and udp and port 2049\fP & .fi .RE .LP Import flow data from pcap file containing Cisco flow data packets. Write output to stdout, to a \fIra.1\fP instance. .RS .nf \fBargus -r \fIcisco:pcap-file\fP -w - | ra .f .RE .SH AUTHORS .nf Carter Bullard (carter@qosient.com) .SH SEE ALSO .BR hosts_access (5), .BR hosts_options (5), .BR tcpd (8), .BR tcpdump (1) argus-3.0.8.2/man/man5/argus.conf.5000555 000765 000024 00000046562 12513222401 017202 0ustar00carterstaff000000 000000 .\" .\" Argus Software .\" Copyright (c) 2000-2015 QoSient, LLC .\" All rights reserved. .\" .\" .TH ARGUS.CONF 5 "07 November 2000" "argus.conf 3.0.8" .SH NAME \fBargus.conf\fP \- \fBargus\fP resource file. .SH SYNOPSIS .B argus.conf .SH COPYRIGHT Copyright (c) 2000-2015 QoSient, LLC All rights reserved. .SH DESCRIPTION This is the canonical argus configuration file. All options that argus supports can be turned on or modified using this configuration format. Argus will search for a system /etc/argus.conf file and will open it and use it to seed all configuration options.conf. Previous versions of Argus supported searching for argus.conf in $ARGUSPATH, $ARGUSHOME, $ARGUSHOME/lib, $HOME, and $HOME/lib, but this support is deprecated. All values in this file can be overriden by command line options, or other configuration files of this format when specified in using the -F option. Argus will read any number of configuration files using the -F option, and command-line order is very important. .SH Variable Syntax Variable assignments must be of the form: .nf VARIABLE= .fi with no white space between the VARIABLE and the '=' sign. Quotes are optional for string arguments, but if you want to embed comments, then quotes are required. .SH ARGUS_FLOW_TYPE / ARGUS_FLOW_KEY The Argus can be configured to support a large number of flow types. The Argus can provide either type, i.e. uni-directional or bi-directional flow tracking and the flow can be further defined by specifying the key. The argus supports a set of well known key strategies, such as 'CLASSIC_5_TUPLE', 'LAYER_3_MATRIX', 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can be configured to formulate key strategies from a list of the specific objects that the Argus understands. See the man page for a complete description. The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. There is no commandline equivalent. .nf \fBARGUS_FLOW_TYPE=\fP"Bidirectional" \fBARGUS_FLOW_KEY=\fP"CLASSIC_5_TUPLE" .fi .SH ARGUS_DAEMON Argus is capable of running as a daemon, doing all the right things that daemons do. When this configuration is used for the system daemon process, say for /etc/argus.conf, this variable should be set to "yes". In the examples seen in the ./support/Startup/argus scripts, this value is set to "yes", as the system startup strategy requires the program to daemonize themselves, returning a value to the system, hopefully quickly. Some systems, however, want to daemonize the tasks themselves, and those cases, the value must be set to "no". which requires that this variable be set to "yes". The default value is to not run as a daemon. Commandline equivalent -d \fBARGUS_DAEMON=\fPno .SH ARGUS_MONITOR_ID Argus Monitor Data is uniquely identifiable based on the source identifier that is included in each output record. This is to allow you to work with Argus Data from multiple monitors at the same time. The ID is 32 bits long, and argus suppors a number of formats as legitimate values. Argus support unsigned ints, IPv4 addresses and 4 bytes strings, as values. The formats are discerned from the values provided. Double-quoted values are treated as strings, and are truncated to 4 characters. Non-quoted values are tested for whether they are hostnames, and if not, then they are tested wheter they are numbers. The configuration allows for you to use host names, however, do have some understanding how `hostname` will be resolved by the nameserver before commiting to this strategy completely. For convenience, argus supports the notion of "`hostname`" for assigning the probe's id. This is to support management of large deployments, so you can have one argus.conf file that works for a lot of probes. For security, argus does not rely on system programs, like hostname.1. It implements the logic of hostname itself, so don't try to run arbitrary programs using this method, because it won't work. Commandline equivalent -e .nf \fBARGUS_MONITOR_ID\fP=`hostname` // IPv4 address returned \fBARGUS_MONITOR_ID\fP=10.2.45.3 // IPv4 address \fBARGUS_MONITOR_ID\fP=2435 // Number \fBARGUS_MONITOR_ID\fP="en0" // String .fi .SH ARGUS_ACCESS_PORT Argus monitors can provide a real-time remote access port for collecting Argus data. This is a TCP based port service and the default port number is tcp/561, the "experimental monitor" service. This feature is disabled by default, and can be forced off by setting it to zero (0). When you do want to enable this service, 561 is a good choice, as all ra* clients are configured to try this port by default. Commandline equivalent -P \fBARGUS_ACCESS_PORT=\fP561 .SH ARGUS_BIND_IP When remote access is enabled (see above), you can specify that Argus should bind only to a specific IP address. This is useful, for example, in restricting access to the local host, or binding to a private interface while capturing from another. You can provide multiple addresses, separated by commas, or on multiple lines. The default is to bind to any IP address. Commandline equivalent -B .nf \fBARGUS_BIND_IP=\fP"::1,127.0.0.1" \fBARGUS_BIND_IP=\fP"127.0.0.1" \fBARGUS_BIND_IP=\fP"192.168.0.68" .fi .SH ARGUS_INTERFACE By default, Argus will open the first appropriate interface on a system that it encounters. For systems that have only one network interface, this is a reasonable thing to do. But, when there are more than one suitable interface, you should specify the interface(s) Argus should use either on the command line or in this file. Argus can track packets from any or all interfaces, concurrently. The interfaces can be tracked as: 1. independant - this is where argus tracks flows from each interface independant from the packets seen on any other interface. This is useful for hosts/routers that have full-duplex interfaces, and you want to distinguish flows based on their interface. There is an option to specify a distinct srcid to each independant modeler. 2. duplex - where argus tracks packets from 2 interfaces as if they were two half duplex streams of the same link. Because there is a single modeler tracking the 2 interfaces, there is a single srcid that can be passed as an option. 3. bonded - where argus tracks packets from multiple interfaces as if they were from the same stream. Because there is a single modeler tracking the 2 interfaces, there is a single srcid that can be passed as an option. Interfaces can be specified as groups using '[',']' notation, to build flexible definitions of packet sources. However, each interface should be referenced only once (this is due to performance and OS limitations, so if your OS has no problem with this, go ahead). The lo (loopback) interface will be included only if it is specifically indicated in the option. The syntax for specifying this either on the command line or in this file: -i ind:all -i dup:en0,en1/srcid -i bond:en0,en1/srcid -i dup:[bond:en0,en1],en2/srcid -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') -i en0 en1 (equivalent '-i bond:en0,en1') In all cases, if there is a "-e srcid" provided, this is used as the default. If a srcid is specified using this option, it overrides the default. Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. Commandline equivalent -i .nf \fBARGUS_INTERFACE\fP=any \fBARGUS_INTERFACE\fP=ind:all \fBARGUS_INTERFACE\fP=ind:en0/192.168.0.68,en2/192.168.2.1 \fBARGUS_INTERFACE\fP=ind:en0/"en0",en2/19234 \fBARGUS_INTERFACE\fP=en0 .fi .SH ARGUS_GO_PROMISCUOUS By default, Argus will put its interface in promiscuous mode in order to monitor all the traffic that can be collected. This can put an undo load on systems. If the intent is to monitor only the network activity of the specific system, say to measure the performance of an HTTP service or DNS service, you'll want to turn promiscuous mode off. The default value goes into prmiscuous mode. Commandline equivalent -p .nf \fBARGUS_GO_PROMISCUOUS=\fPyes .fi .SH ARGUS_CHROOT_DIR Argus supports chroot(2) in order to control the file system that argus exists in and can access. Generally used when argus is running with privileges, this limits the negative impacts that argus could inflict on its host machine. This option will cause the output file names to be relative to this directory, and so consider this when trying to find your output files. Commandline equivalent -c dir .nf \fBARGUS_CHROOT_DIR=\fP/chroot_dir .fi .SH ARGUS_SETUSER_ID Argus can be directed to change its user id using the setuid() system call. This is can used when argus is started as root, in order to access privileged resources, but then after the resources are opened, this directive will cause argus to change its user id value to a 'lesser' capable account. Recommended when argus is running as daemon. Commandline equivalent -u user .nf \fBARGUS_SETUSER_ID=\fPuser .ni .SH ARGUS_SETGROUP_ID Argus can be directed to change its group id using the setgid() system call. This is can used when argus is started as root, in order to access privileged resources, but then after the resources are opened, this directive can be used to change argu's group id value to a 'lesser' capable account. Recommended when argus is running as daemon. Commandline equivalent -g group .nf \fBARGUS_SETGROUP_ID=\fPgroup .fi .SH ARGUS_OUTPUT_FILE Argus can write its output to one or a number of files, default limit is 5 concurrent files, each with their own independant filters. The format is: .nf ARGUS_OUTPUT_FILE=/full/path/file/name ARGUS_OUTPUT_FILE=/full/path/file/name "filter" .fi Most sites will have argus write to a file, for reliablity and performance. The example file name is used here as supporting programs, such as ./support/Archive/argusarchive are configured to use this file. Commandline equivalent -w .nf \fBARGUS_OUTPUT_FILE=\fP/var/log/argus/argus.out .fi .SH ARGUS_OUTPUT_STREAM Argus can write its output to one or a number of remote hosts. The default limit is 5 concurrent output streams, each with their own independant filters. The format is: ARGUS_OUTPUT_STREAM="URI [filter]" ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'" Most sites will have argus listen() for remote sites to request argus data, but for some sites and applications sending records without registration is desired. This option will cause argus to transmit records that match the optional filter, to the configured targets using UDP as the transport mechanism. Commandline equivalent -w argus-udp://host:port .nf \fBARGUS_OUTPUT_STREAM=\fPargus-udp://224.0.20.21:561 .fi .SH ARGUS_SET_PID When Argus is configured to run as a daemon, with the -d option, Argus can store its pid in a file, to aid in managing the running daemon. However, creating a system pid file requires privileges that may not be appropriate for all cases. When configured to generate a pid file, if Argus cannot create the pid file, it will fail to run. This variable, and the directory the pid is written to, is available to override the default, in case this gets in your way. The default value is to generate a pid. The default path for the pid file, is '/var/run'. No Commandline equivalent .nf \fBARGUS_SET_PID=\fPyes \fBARGUS_PID_PATH=\fP/var/run .SH ARGUS_FLOW_STATUS_INTERVAL Argus will periodically report on a flow's activity every ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on the flow. This is so that you can get a view into the activity of very long lived flows. The default is 60 seconds, but this number may be too low or too high depending on your uses. The default value is 60 seconds, but argus does support a minimum value of 1. This is very useful for doing measurements in a controlled experimental environment where the number of flows is < 1000. Commandline equivalent -S \fBARGUS_FLOW_STATUS_INTERVAL=\fP60 .SH ARGUS_MAR_STATUS_INTERVAL Argus will periodically report on a its own health, providing interface status, total packet and bytes counts, packet drop rates, and flow oriented statistics. These records can be used as "keep alives" for periods when there is no network traffic to be monitored. The default value is 300 seconds, but a value of 60 seconds is very common. Commandline equivalent -M \fBARGUS_MAR_STATUS_INTERVAL=\fP300 .SH ARGUS_DEBUG_LEVEL If compiled to support this option, Argus is capable of generating a lot of debug information. The default value is zero (0). Commandline equivalent -D \fBARGUS_DEBUG_LEVEL=\fP0 .SH ARGUS_GENERATE_PACKET_SIZE Argus can be configured to generate packet size information on a per flow basis, which provides the max and min packet size seen . The default value is to not generate this data. Commandline equivalent -Z .nf \fBARGUS_GENERATE_PACKET_SIZE=\fPyes .fi .SH ARGUS_GENERATE_JITTER_DATA Argus can be configured to generate packet jitter information on a per flow basis. The default value is to not generate this data. Commandline equivalent -J \fBARGUS_GENERATE_JITTER_DATA=\fPno .SH ARGUS_GENERATE_MAC_DATA Argus can be configured to not provide MAC addresses in it audit data. This is available if MAC address tracking and audit is not a requirement. The default value is to not generate this data. Commandline equivalent -m .nf \fBARGUS_GENERATE_MAC_DATA=\fPno .fi .SH ARGUS_GENERATE_APPBYTE_METRIC Argus can be configured to generate metrics that include the application byte counts as well as the packet count and byte counters. Commandline equivalent -A .nf \fBARGUS_GENERATE_APPBYTE_METRIC=\fPno .fi .SH ARGUS_GENERATE_TCP_PERF_METRIC Argus by default, generates extended metrics for TCP that include the connection setup time, window sizes, base sequence numbers, and retransmission counters. You can suppress this detailed information using this variable. No commandline equivalent .nf \fBARGUS_GENERATE_TCP_PERF_METRIC=\fPyes .fi .SH ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS Argus by default, generates a single pair of timestamps, for the first and last packet seen on a given flow, during the obseration period. For bi-directional flows, this results in loss of some information. By setting this variable to 'yes', argus will store start and ending timestamps for both directions of the flow. No commandline equivalent .nf \fBARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=\fPno .fi .SH ARGUS_CAPTURE_DATA_LEN Argus can be configured to capture a number of user data bytes from the packet stream. The default value is to not generate this data. Commandline equivalent -U \fBARGUS_CAPTURE_DATA_LEN=\fP0 .SH ARGUS_FILTER_OPTIMIZER Argus uses the packet filter capabilities of libpcap. If there is a need to not use the libpcap filter optimizer, you can turn it off here. The default is to leave it on. Commandline equivalent -O \fBARGUS_FILTER_OPTIMIZER=\fPyes .SH ARGUS_FILTER You can provide a filter expression here, if you like. It should be limited to 2K in length. The default is to not filter. No Commandline equivalent \fBARGUS_FILTER=\fP"" .SH ARGUS_PACKET_CAPTURE_FILE Argus allows you to capture packets in tcpdump() format if the source of the packets is a tcpdump() formatted file or live packet source. Specify the path to the packet capture file here. .nf \fBARGUS_PACKET_CAPTURE_FILE=\fP"/var/log/argus/packet.out" .fi .SH ARGUS_SSF Argus supports the use of SASL to provide strong authentication and confidentiality protection. The policy that argus uses is controlled through the use of a minimum and maximum allowable protection strength, which is standard for SASL based appliations. Set these variable to control this policy. The default is no security policy. .nf \fBARGUS_MIN_SSF=\fP0 \fBARGUS_MAX_SSF=\fP0 .fi .SH ARGUS_PCAP_BUF_SIZE Argus supports setting the pcap buffer size. You can use the abbreviations K, M, G to specify thousands, millions or billions of bytes. .nf \fBARGUS_PCAP_BUF_SIZE=\fP1G .fi .SH ARGUS_ENV Argus supports setting environment variables to enable functions required by the kernel or shared libraries. This feature is intended to support libraries such as the net pf_ring support for libpcap as supported by code at http://public.lanl.gov/cpw/ Setting environment variables in this way does not affect internal argus variable in any way. As a result, you can't set ARGUS_PATH using this feature. Care should must be taken to assure that the value given the variable conform's to your systems putenv.3 system call. You can have as many of these directives as you like. The example below is intended to set a libpcap ring buffer length to 300MB, if your system supports this feature. .nf \fBARGUS_ENV=\fP"PCAP_MEMORY=300000" .fi .SH ARGUS_TUNNEL_DISCOVERY Argus can be configured to discover tunneling protocols above the UDP transport header, specifically Teredo (IPv6 over UDP). The algorithm is simple and so, having this on by default may generate false tunnel matching. The default is to not turn this feature on. .nf \fBARGUS_TUNNEL_DISCOVERY=\fPno .fi .SH ARGUS_EVENT_DATA Argus supports the generation of host originated processes to gather additional data and statistics. These include periodic processes to poll for SNMP data, as an example, or to collect host statistics through reading procfs(). Or single run programs that run at a specified time. These argus events, are generated from the complete list of ARGUS_EVENT_DATA directives that are specified here. .nf The syntax is: Syntax is: "method:path|prog:interval[:postproc]" Where: method = [ "file" | "prog" ] pathname | program = "%s" interval = %d[smhd] [ zero means run once ] postproc = [ "compress" | "compress2" ] \fBARGUS_EVENT_DATA=\fP"file:/proc/vmstat:30s:compress" \fBARGUS_EVENT_DATA=\fP"prog:/usr/local/bin/ralsof:30s:compress" .fi .SH ARGUS_KEYSTROKE This version of Argus supports keystroke detection and counting for TCP connections, with specific algorithmic support for SSH connections. The ARGUS_KEYSTROKE variable turns the feature on. Values for this variable are: .nf \fBARGUS_KEYSTROKE=\fP"yes" - turn on TCP flow tracking \fBARGUS_KEYSTROKE=\fP"tcp" - turn on TCP flow tracking \fBARGUS_KEYSTROKE=\fP"ssh" - turn on SSH specific flow tracking \fBARGUS_KEYSTROKE=\fP"no" [default] .fi The algorithm uses a number of variables, all of which can be modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon (';') separated set of variable assignments. Here is the list of supported variables: .nf \fBDC_MIN\fP - (int) Minimum client datagram payload size in bytes \fBDC_MAX\fP - (int) Maximum client datagram payload size in bytes \fBGS_MAX\fP - (int) Maximum server packet gap \fBDS_MIN\fP - (int) Minimum server datagram payload size in bytes \fBDS_MAX\fP - (int) Maximum server datagram payload size in bytes \fBIC_MIN\fP - (int) Minimum client interpacket arrival time (microseconds) \fBLCS_MAX\fP - (int) Maximum something - Not sure what this is \fBGPC_MAX\fP - (int) Maximum client packet gap \fBICR_MIN\fP - (float) Minimum client/server interpacket arrival ratio \fBICR_MAX\fP - (float) Maximum client/server interpacket arrival ratio .fi All variables have default values, this variable is used to override those values. The syntax for the variable is: .nf ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" \fBARGUS_KEYSTROKE\fP="no" \fBARGUS_KEYSTROKE_CONF\fP="" .fi .RE .SH SEE ALSO .BR argus (8) argus-3.0.8.2/lib/argus.spec000444 000765 000024 00000003720 12723606246 016201 0ustar00carterstaff000000 000000 %define ver 3.0 %if %{?rel:0}%{!?rel:1} %define rel 8.2 %endif %if %{?srcext:0}%{!?srcext:1} %define srcext .gz %endif Summary: ARGUS Software Name: argus Version: %ver Release: %{rel} License: see COPYING file Group: Applications/Internet Source: %{name}-%{version}.%{rel}.tar%{srcext} URL: http://qosient.com/argus Buildroot: %{_tmppath}/%{name}-%{version}-root %description The ARGUS (Audit Record Generation And Utilization System) is an data network transaction auditing system. The data generated by argus can be used for a wide range of tasks such as network operations, security and performance management. Copyright: (c) 2000-2015 QoSient, LLC %define argusdir /usr %define argusman /usr/share/man %define argusdocs /usr/share/doc/argus %define argusbin %{argusdir}/bin %define argussbin %{argusdir}/sbin %prep %setup -n %{name}-%{ver}.%{rel} %build ./configure --prefix=%{argusdir} make %install rm -rf $RPM_BUILD_ROOT make DESTDIR="$RPM_BUILD_ROOT" install install -D -m 0600 pkg/argus.conf $RPM_BUILD_ROOT/etc/argus.conf install -D -m 0644 pkg/rhel/sysconfig/argus $RPM_BUILD_ROOT/etc/sysconfig/argus install -D -m 0755 pkg/rhel/init.d/argus $RPM_BUILD_ROOT/etc/rc.d/init.d/argus install -D -m 0755 support/Archive/argusarchive $RPM_BUILD_ROOT/%{argusbin}/argusarchive install -d -m 0755 $RPM_BUILD_ROOT/%{argusdocs}/support cp -av support $RPM_BUILD_ROOT/%{argusdocs}/ %post /sbin/chkconfig --add argus service argus start >/dev/null 2>&1 %preun if [ "$1" = 0 ] ; then service argus stop >/dev/null 2>&1 /sbin/chkconfig --del argus fi %postun if [ "$1" -ge "1" ]; then service argus condrestart >/dev/null 2>&1 fi %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %{argussbin}/argus %{argusbin}/argus-lsof %{argusbin}/argus-snmp %{argusbin}/argus-vmstat %{argusbin}/argusbug %{argusbin}/argusarchive %doc %{argusdocs} %{argusman}/man5/argus.conf.5.gz %{argusman}/man8/argus.8.gz /etc/rc.d/init.d/argus %config /etc/argus.conf %config /etc/sysconfig/argus argus-3.0.8.2/include/argus/000755 000765 000024 00000000000 12513222401 016162 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/argus-namedb.h000444 000765 000024 00000007606 12513222401 017566 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files. namedb * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/argus/argus/include/argus-namedb.h#13 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(argus_namedb_h) #define argus_namedb_h /* * As returned by the argus_next_etherent() * XXX this stuff doesn't belong in this inteface, but this * library already must do name to address translation, so * on systems that don't have support for /etc/ethers, we * export these hooks since they'll */ struct pcap_etherent { u_char addr[6]; char name[122]; }; #if !defined(PCAP_ETHERS_FILE) #define PCAP_ETHERS_FILE "/etc/ethers" #endif struct pcap_etherent *argus_next_etherent(FILE *); u_char *argus_ether_hostton(char*); u_char *argus_ether_aton(char *); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, argus_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 /* XXX move these to pcap-int.h? */ unsigned int __argus_atodn(char *); unsigned int __argus_atoin(char *, unsigned int *); u_short __argus_nametodnaddr(char *); #endif argus-3.0.8.2/include/argus_client.h000444 000765 000024 00000027610 12513222401 017675 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files. Client * Copyright (C) 2000-2015 QoSient, LLC. * All Rights Reserved * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_client.h#16 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(ArgusClient_h) #define ArgusClient_h #endif #include #include #include #include #include #include #include #include #include #include #include #ifdef ARGUS_SASL #include #endif #include #include #include #define RA_TRANSDURATION 1 #define RA_AVGDURATION 2 #define RA_DELTADURATION 3 #define RA_MODELNAMETAGSTR "RAGATOR_MODEL_NAME=" #define RA_PRESERVETAGSTR "RAGATOR_PRESERVE_FIELDS=" #define RA_REPORTTAGSTR "RAGATOR_REPORT_AGGREGATION=" #define RA_AUTOCORRECTSTR "RAGATOR_AUTO_CORRECTION=" #define RA_HISTOGRAM "RAGATOR_HISTOGRAM=" #define RA_MODELTAGSTR "Model" #define RA_FLOWTAGSTR "Flow" #define RA_MODELIST 1 #define RA_FLOWLIST 2 #define RA_FLOWPOLICYFIELDNUM 11 #define RA_MODELPOLICYFIELDNUM 8 #define RA_LABELSTRING 0 #define RA_POLICYID 1 #define RA_POLICYTYPE 2 #define RA_POLICYSRCADDR 3 #define RA_POLICYDSTADDR 4 #define RA_POLICYPROTO 5 #define RA_POLICYSRCPORT 6 #define RA_POLICYDSTPORT 7 #define RA_POLICYMODELST 8 #define RA_POLICYTIMEOUT 9 #define RA_POLICYIDLETIMEOUT 10 #define RA_MODIFIED 0x10000000 #define RA_CON 1 #define RA_DONE 2 #define RA_HASHTABLESIZE 0x1000 #define RA_SVCPASSED 0x010000 #define RA_SVCFAILED 0x020000 #define RA_SVCINCOMPLETE 0x040000 #define RA_SVCTEST (RA_SVCFAILED|RA_SVCPASSED|RA_SVCINCOMPLETE) #define RA_SVCDISCOVERY 0x080000 #define RA_SVCMULTICAST 0x100000 #define ARGUS_FAR_SRCADDR_MODIFIED 0x0100 #define ARGUS_FAR_DSTADDR_MODIFIED 0x0200 #define ARGUS_FAR_PROTO_MODIFIED 0x0400 #define ARGUS_FAR_SRCPORT_MODIFIED 0x0800 #define ARGUS_FAR_DSTPORT_MODIFIED 0x1000 #define ARGUS_FAR_TPVAL_MODIFIED 0x2000 #define ARGUS_FAR_RECORDREVERSE 0x4000 #define ARGUS_MAX_S_OPTIONS 34 #define ARGUS_MAX_SORT_ALG 34 #define MAX_SORT_ALG_TYPES 28 #define RASORTTIME 0 #define RASORTSTARTTIME 1 #define RASORTLASTTIME 2 #define RASORTTRANS 3 #define RASORTDURATION 4 #define RASORTAVGDURATION 5 #define RASORTSRCADDR 6 #define RASORTDSTADDR 7 #define RASORTPROTOCOL 8 #define RASORTIPID 9 #define RASORTSRCPORT 10 #define RASORTDSTPORT 11 #define RASORTSRCTOS 12 #define RASORTDSTTOS 13 #define RASORTSRCTTL 14 #define RASORTDSTTTL 15 #define RASORTBYTECOUNT 16 #define RASORTSRCBYTECOUNT 17 #define RASORTDSTBYTECOUNT 18 #define RASORTPKTSCOUNT 19 #define RASORTSRCPKTSCOUNT 20 #define RASORTDSTPKTSCOUNT 21 #define RASORTLOAD 22 #define RASORTRATE 23 #define RASORTLOSS 24 #define RASORTTRANREF 25 #define RASORTSEQ 26 #define RASORTSRCID 27 #define ARGUS_READINGPREHDR 1 #define ARGUS_READINGHDR 2 #define ARGUS_READINGBLOCK 4 #define ARGUS_READINGDATAGRAM 8 #define TSEQ_HASHSIZE 9029 #define ARGUS_MAX_PRINT_ALG 67 #define MAX_PRINT_ALG_TYPES 67 typedef struct ArgusRecord * (*ArgusNetFlowHandler)(u_char **); struct ArgusInput { struct ArgusInput *nxt; unsigned int status; int mode, fd, in, out, offset; int ostart, ostop; u_int addr; unsigned short portnum; char *hostname, *filename; FILE *pipe; int major_version, minor_version; unsigned int ArgusLocalNet, ArgusNetMask; struct timeval ArgusLastTime; int ArgusMarInterval; struct stat statbuf; unsigned char *ArgusReadBuffer, *ArgusConvBuffer; unsigned char *ArgusReadPtr, *ArgusConvPtr, *ArgusReadBlockPtr; int ArgusReadSocketCnt, ArgusReadSocketSize; int ArgusReadSocketState, ArgusReadCiscoVersion; int ArgusReadSocketNum, ArgusReadSize; ArgusNetFlowHandler ArgusCiscoNetFlowParse; #ifdef ARGUS_SASL sasl_conn_t *sasl_conn; int ArgusSaslBufCnt; unsigned char *ArgusSaslBuffer; #endif struct ArgusRecord ArgusInitCon, ArgusManStart; }; struct ArgusOutputStruct { char *filename; struct stat statbuf; FILE *fd; }; #define ARGUSMONITOR_EQUAL 0x01000000 #define ARGUSMONITOR_NOTEQUAL 0x02000000 struct RaFlowModelStruct { char *desc; int pindex, mindex; int preserve, report, autocorrect; int *histotimevalues; int histostart, histoend, histobins; int histotimeseries; struct RaPolicyStruct **policy; struct RaPolicyStruct **model; }; struct RaPolicyStruct { u_int RaEntryType, RaPolicyId; struct ArgusCIDRAddr src, dst; u_short type; u_char proto, pad; u_short sport, dport; u_int RaModelId, ArgusTimeout, ArgusIdleTimeout; char *str; }; #if defined(HAVE_SOLARIS) #include #endif #define RA_MODIFIED 0x10000000 extern void ArgusLog (int, char *, ...); #ifdef ArgusClient #if defined(ARGUS_SASL) int ArgusMaxSsf = 128; int ArgusMinSsf = 40; #endif char *appOptstring = NULL; char *RaPrintKeyWords[MAX_PRINT_ALG_TYPES] = { "time", "startime", "lasttime", "trans", "dur", "avgdur", "snet", "saddr", "dnet", "daddr", "proto", "sport", "dport", "tos", "stos", "dtos", "sttl", "dttl", "bytes", "sbytes", "dbytes", "pkts", "spkts", "dpkts", "sload", "dload", "load", "loss", "ploss", "srate", "drate", "rate", "srcid", "ind", "mac", "dir", "jitter", "sjitter", "djitter", "status", "ddur", "dstime", "dltime", "dspkts", "ddpkts", "dsbytes", "ddbytes", "pdspkts", "pddpkts", "pdsbytes", "pddbytes", "user", "tcpext", "win", "jdelay", "ldelay", "seq", "bins", "binnum", "mpls", "vlan", "vid", "vpri", "ipid", "srng", "erng", "svc", }; extern struct ArgusInput *ArgusInput; extern char *ArgusProgramName; extern char *ArgusProgramOptions; extern struct ArgusDSRHeader *ArgusThisDsrs[]; extern signed long long tcp_dst_bytes, tcp_src_bytes; extern signed long long udp_dst_bytes, udp_src_bytes; extern signed long long icmp_dst_bytes, icmp_src_bytes; extern signed long long ip_dst_bytes, ip_src_bytes; extern void ArgusDebug (int, char *, ...); extern int setArgusRemoteFilter(unsigned char *); void ArgusClientInit(struct ArgusParserStruct *); void RaArgusInputComplete (struct ArgusInput *); void RaParseComplete (int); int RaParseType (char *); void ArgusClientTimeout (void); void parse_arg (int, char**); void usage (void); struct ArgusRecordStruct *RaCopyArgusRecordStruct (struct ArgusRecordStruct *); signed long long RaGetActiveDuration (struct ArgusRecordStruct *); signed long long RaGetuSecDuration (struct ArgusRecordStruct *); signed long long RaGetuSecAvgDuration (struct ArgusRecordStruct *); char RaLabelStr[1024], *RaLabel; void RaProcessRecord (struct ArgusRecordStruct *); void RaProcessManRecord (struct ArgusRecordStruct *); void RaProcessFragRecord (struct ArgusRecordStruct *); void RaProcessTCPRecord (struct ArgusRecordStruct *); void RaProcessICMPRecord (struct ArgusRecordStruct *); void RaProcessIGMPRecord (struct ArgusRecordStruct *); void RaProcessUDPRecord (struct ArgusRecordStruct *); void RaProcessIPRecord (struct ArgusRecordStruct *); void RaProcessARPRecord (struct ArgusRecordStruct *); void RaProcessNonIPRecord (struct ArgusRecordStruct *); extern void ArgusLog (int, char *, ...); extern int RaSendArgusRecord(struct ArgusRecordStruct *); extern void ArgusClientTimeout (void); int ArgusWriteConnection (struct ArgusInput *, u_char *, int); char *RaGenerateLabel(struct ArgusParserStruct *, struct ArgusRecordStruct *); int RaParseProbeResourceFile (char **); int RaProbeMonitorsThisAddr (unsigned int, unsigned int); struct ArgusRecordStruct *ArgusGenerateRecordStruct (struct ArgusRecord *); struct ArgusRecord *ArgusGenerateRecord (struct ArgusRecordStruct *, unsigned char); void ArgusDeleteRecordStruct (struct ArgusRecordStruct *); struct ArgusListStruct *ArgusNewList (void); void ArgusDeleteList (struct ArgusListStruct *, int); int ArgusListEmpty (struct ArgusListStruct *); int ArgusGetListCount(struct ArgusListStruct *); void ArgusPushFrontList(struct ArgusListStruct *, void *, int); void ArgusPushBackList(struct ArgusListStruct *, void *, int); void *ArgusFrontList(struct ArgusListStruct *); void *ArgusBackList(struct ArgusListStruct *); void *ArgusPopBackList(struct ArgusListStruct *, int); void *ArgusPopFrontList(struct ArgusListStruct *, int); int ArgusCheckTime (struct ArgusRecordStruct *); #else /* ArgusClient */ #if defined(ARGUS_SASL) extern int ArgusMaxSsf; extern int ArgusMinSsf; #endif /* ARGUS_SASL */ extern char *appOptstring; extern char *RaPrintKeyWords[MAX_PRINT_ALG_TYPES]; extern char *ArgusProgramName; extern char *ArgusProgramOptions; extern void ArgusDebug (int, char *, ...); extern int setArgusRemoteFilter(unsigned char *); extern void ArgusClientInit(struct ArgusParserStruct *); extern void RaArgusInputComplete (struct ArgusInput *); extern void RaParseComplete (int); extern int RaParseType (char *); extern void ArgusClientTimeout (void); extern void parse_arg (int, char**); extern void usage (void); extern struct ArgusRecordStruct *RaCopyArgusRecordStruct (struct ArgusRecordStruct *); extern signed long long RaGetActiveDuration (struct ArgusRecordStruct *); extern signed long long RaGetuSecDuration (struct ArgusRecordStruct *); extern signed long long RaGetuSecAvgDuration (struct ArgusRecordStruct *); extern char RaLabelStr[1024], *RaLabel; extern void RaProcessRecord (struct ArgusRecordStruct *); extern void RaProcessManRecord (struct ArgusRecordStruct *); extern void RaProcessFragRecord (struct ArgusRecordStruct *); extern void RaProcessTCPRecord (struct ArgusRecordStruct *); extern void RaProcessICMPRecord (struct ArgusRecordStruct *); extern void RaProcessIGMPRecord (struct ArgusRecordStruct *); extern void RaProcessUDPRecord (struct ArgusRecordStruct *); extern void RaProcessIPRecord (struct ArgusRecordStruct *); extern void RaProcessARPRecord (struct ArgusRecordStruct *); extern void RaProcessNonIPRecord (struct ArgusRecordStruct *); extern void ArgusLog (int, char *, ...); extern char *RaGenerateLabel(struct ArgusParserStruct *, struct ArgusRecordStruct *); extern int RaSendArgusRecord(struct ArgusRecordStruct *); extern int RaProbeMonitorsThisAddr (unsigned int, unsigned int); extern struct ArgusRecordStruct *ArgusGenerateRecordStruct (struct ArgusRecord *); extern struct ArgusRecord *ArgusGenerateRecord (struct ArgusRecordStruct *, unsigned char); extern void ArgusDeleteRecordStruct (struct ArgusRecordStruct *); extern struct ArgusListStruct *ArgusNewList (void); extern void ArgusDeleteList (struct ArgusListStruct *, int); extern int ArgusListEmpty (struct ArgusListStruct *); extern int ArgusGetListCount(struct ArgusListStruct *); extern void ArgusPushFrontList(struct ArgusListStruct *, void *); extern void ArgusPushBackList(struct ArgusListStruct *, void *); extern void *ArgusFrontList(struct ArgusListStruct *); extern void *ArgusBackList(struct ArgusListStruct *); extern void *ArgusPopBackList(struct ArgusListStruct *); extern void *ArgusPopFrontList(struct ArgusListStruct *); extern int ArgusCheckTime (struct ArgusRecordStruct *); #endif argus-3.0.8.2/include/argus_compat.h000444 000765 000024 00000014416 12513222401 017702 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_compat.h#9 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_compat_h) #define Argus_compat_h #ifdef __cplusplus extern "C" { #endif #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if defined(HAVE_SYS_TYPES_H) #include #endif #if defined(HAVE_SYS_WAIT_H) #include #endif #define argtimeval timeval #include #if defined(HAVE_SOLARIS) #include #include #endif #if defined(linux) #include #define __FAVOR_BSD #endif #if defined(CYGWIN) #define _LITTLE_ENDIAN #define USE_IPV6 #else #if defined(HAVE_SOLARIS) #include #else #if defined(__OpenBSD__) && !defined(__APPLE__) #include #endif #endif #include #if defined(__FreeBSD__) #if defined(BYTE_ORDER) #define __BYTE_ORDER BYTE_ORDER #endif #if defined(LITTLE_ENDIAN) #define __LITTLE_ENDIAN LITTLE_ENDIAN #endif #if defined(BIG_ENDIAN) #define __BIG_ENDIAN BIG_ENDIAN #endif #endif #if !defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) #if __BYTE_ORDER == __LITTLE_ENDIAN #define _LITTLE_ENDIAN #else #define _BIG_ENDIAN #endif #endif #endif #if !defined(HAVE_STRTOF) && !defined(CYGWIN) //float strtof (char *, char **); #endif #if defined(__sgi__) || defined(HAVE_SOLARIS) || defined(ultrix) || defined(__osf__) || defined(linux) || defined(bsdi) || defined(AIX) | defined(CYGWIN) #define timelocal mktime #if defined(__sgi__) #include #include #if _MIPS_SZLONG == 64 #undef argtimeval #define argtimeval irix5_timeval #endif #undef TCPSTATES #endif #if defined(linux) #include #endif #if defined(__sgi) || defined(bsdi) struct ether_addr { u_char ether_addr_octet[6]; }; #endif #if defined(AIX) #define _SUN #include #include #endif #endif #define arg_uint8 u_char #define arg_int8 char #define arg_uint16 u_short #define arg_int16 short #if HOST_BITS_PER_INT == 32 #define arg_uint32 u_int #define arg_int32 int #else #define arg_uint32 u_long #define arg_int32 long #endif #if defined(__FreeBSD__) #include #include #endif #if !defined(ICMP_ROUTERADVERT) #define ICMP_ROUTERADVERT 9 /* router advertisement */ #endif #if !defined(ICMP_ROUTERSOLICIT) #define ICMP_ROUTERSOLICIT 10 /* router solicitation */ #endif #if !defined(TCPOPT_WSCALE) #define TCPOPT_WSCALE 3 /* window scale factor (rfc1072) */ #endif #if !defined(TCPOPT_SACKOK) #define TCPOPT_SACKOK 4 /* selective ack ok (rfc1072) */ #endif #if !defined(TCPOPT_SACK) #define TCPOPT_SACK 5 /* selective ack (rfc1072) */ #endif #if !defined(TCPOPT_ECHO) #define TCPOPT_ECHO 6 /* echo (rfc1072) */ #endif #if !defined(TCPOPT_ECHOREPLY) #define TCPOPT_ECHOREPLY 7 /* echo (rfc1072) */ #endif #if !defined(TCPOPT_TIMESTAMP) #define TCPOPT_TIMESTAMP 8 /* timestamps (rfc1323) */ #endif #if !defined(TCPOPT_CC) #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */ #endif #if !defined(TCPOPT_CCNEW) #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */ #endif #if !defined(TCPOPT_CCECHO) #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */ #endif #if !defined(ETHERTYPE_SPRITE) #define ETHERTYPE_SPRITE 0x0500 #endif #if !defined(ETHERTYPE_NS) #define ETHERTYPE_NS 0x0600 #endif #if !defined(ETHERTYPE_IP) #define ETHERTYPE_IP 0x0800 #endif #if !defined(ETHERTYPE_X25L3) #define ETHERTYPE_X25L3 0x0805 #endif #if !defined(ETHERTYPE_ARP) #define ETHERTYPE_ARP 0x0806 #endif #if !defined(ETHERTYPE_VINES) #define ETHERTYPE_VINES 0x0bad #endif #if !defined(ETHERTYPE_TRAIL) #define ETHERTYPE_TRAIL 0x1000 #endif #if !defined(ETHERTYPE_TRAIN) #define ETHERTYPE_TRAIN 0x1984 #endif #if !defined(ETHERTYPE_3C_NBP_DGRAM) #define ETHERTYPE_3C_NBP_DGRAM 0x3c07 #endif #if !defined(ETHERTYPE_DEC) #define ETHERTYPE_DEC 0x6000 #endif #if !defined(ETHERTYPE_MOPDL) #define ETHERTYPE_MOPDL 0x6001 #endif #if !defined(ETHERTYPE_MOPRC) #define ETHERTYPE_MOPRC 0x6002 #endif #if !defined(ETHERTYPE_DN) #define ETHERTYPE_DN 0x6003 #endif #if !defined(ETHERTYPE_LAT) #define ETHERTYPE_LAT 0x6004 #endif #if !defined(ETHERTYPE_DEC_DIAG) #define ETHERTYPE_DEC_DIAG 0x6005 #endif #if !defined(ETHERTYPE_DEC_CUST) #define ETHERTYPE_DEC_CUST 0x6006 #endif #if !defined(ETHERTYPE_SCA) #define ETHERTYPE_SCA 0x6007 #endif #if !defined(ETHERTYPE_REVARP) #define ETHERTYPE_REVARP 0x8035 #endif #if !defined(ETHERTYPE_LANBRIDGE) #define ETHERTYPE_LANBRIDGE 0x8038 #endif #if !defined(ETHERTYPE_DECDNS) #define ETHERTYPE_DECDNS 0x803c #endif #if !defined(ETHERTYPE_DECDTS) #define ETHERTYPE_DECDTS 0x803e #endif #if !defined(ETHERTYPE_VEXP) #define ETHERTYPE_VEXP 0x805b #endif #if !defined(ETHERTYPE_VPROD) #define ETHERTYPE_VPROD 0x805c #endif #if !defined(ETHERTYPE_ATALK) #define ETHERTYPE_ATALK 0x809b #endif #if !defined(ETHERTYPE_AARP) #define ETHERTYPE_AARP 0x80f3 #endif #if !defined(ETHERTYPE_8021Q) #define ETHERTYPE_8021Q 0x8100 #endif #if !defined(ETHERTYPE_IPX) #define ETHERTYPE_IPX 0x8137 #endif #if !defined(ETHERTYPE_SNMP) #define ETHERTYPE_SNMP 0x814c #endif #if !defined(ETHERTYPE_IPV6) #define ETHERTYPE_IPV6 0x86dd #endif #if !defined(ETHERTYPE_MPLS) #define ETHERTYPE_MPLS 0x8847 #endif #if !defined(ETHERTYPE_MPLS_MULTI) #define ETHERTYPE_MPLS_MULTI 0x8848 #endif #if !defined(ETHERTYPE_PPPOED) #define ETHERTYPE_PPPOED 0x8863 #endif #if !defined(ETHERTYPE_PPPOES) #define ETHERTYPE_PPPOES 0x8864 #endif #if !defined(ETHERTYPE_LOOPBACK) #define ETHERTYPE_LOOPBACK 0x9000 #endif #ifdef __cplusplus } #endif #endif /* Argus_compat_h */ argus-3.0.8.2/include/argus_config.h.in000444 000765 000024 00000040164 12513222401 020270 0ustar00carterstaff000000 000000 /* include/argus_config.h.in. Generated from configure.ac by autoheader. */ /* Using Argus debug */ #undef ARGUSDEBUG /* Using Argus memory */ #undef ARGUSMEMDEBUG /* Using System Pcre Library */ #undef ARGUS_PCRE /* Using Pluribus */ #undef ARGUS_PLURIBUS /* Description */ #undef ARGUS_SASL /* Using Argus threads */ #undef ARGUS_THREADS /* Using System TcpWrappers Library */ #undef ARGUS_WRAPPERS /* Define to 1 if the `closedir' function returns void instead of `int'. */ #undef CLOSEDIR_VOID /* System has x86 endian support */ #undef CONFIG_X86_BSWAP /* Define to one of `_getb67', `GETB67', `getb67' for Cray-2 and Cray-YMP systems. This function is required for `alloca.c' support on those systems. */ #undef CRAY_STACKSEG_END /* Using cygwin */ #undef CYGWIN /* Define to 1 if using `alloca.c'. */ #undef C_ALLOCA /* Define to 1 if you have the `alarm' function. */ #undef HAVE_ALARM /* Define to 1 if you have `alloca', as a function or macro. */ #undef HAVE_ALLOCA /* Define to 1 if you have and it should be used (not on Ultrix). */ #undef HAVE_ALLOCA_H /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Define to 1 if you have the `backtrace' function. */ #undef HAVE_BACKTRACE /* Define to 1 if you have the `bzero' function. */ #undef HAVE_BZERO /* Mac OS X */ #undef HAVE_DARWIN /* Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't. */ #undef HAVE_DECL_ETHER_HOSTTON /* Define to 1 if you have the declaration of `fromhost ', and to 0 if you don't. */ #undef HAVE_DECL_FROMHOST_ /* Define to 1 if you have the declaration of `tzname', and to 0 if you don't. */ #undef HAVE_DECL_TZNAME /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_DIRENT_H /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ #undef HAVE_DOPRNT /* Define to 1 if you have the `endgrent' function. */ #undef HAVE_ENDGRENT /* Define to 1 if you have the `endpwent' function. */ #undef HAVE_ENDPWENT /* Define to 1 if you have the `ether_hostton' function. */ #undef HAVE_ETHER_HOSTTON /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H /* Define to 1 if you have the header file. */ #undef HAVE_FEATURES_H /* Define to 1 if you have the `floor' function. */ #undef HAVE_FLOOR /* Define to 1 if you have the `floorf' function. */ #undef HAVE_FLOORF /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if you have the `getaddrinfo' function. */ #undef HAVE_GETADDRINFO /* Define to 1 if you have the `gethostbyaddr' function. */ #undef HAVE_GETHOSTBYADDR /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME /* Define to 1 if you have the `gethostname' function. */ #undef HAVE_GETHOSTNAME /* Define to 1 if you have the `getpass' function. */ #undef HAVE_GETPASS /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY /* HPUX 10 */ #undef HAVE_HPUX10_20 /* HPUX 9 */ #undef HAVE_HPUX9 /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON /* Define to 1 if you have the `inet_ntoa' function. */ #undef HAVE_INET_NTOA /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `isascii' function. */ #undef HAVE_ISASCII /* Define to 1 if you have the header file. */ #undef HAVE_LIBINTL_H /* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H /* Define to 1 if you have the `localtime_r' function. */ #undef HAVE_LOCALTIME_R /* Define to 1 if your system has a GNU libc compatible `malloc' function, and to 0 otherwise. */ #undef HAVE_MALLOC /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 if you have the `memchr' function. */ #undef HAVE_MEMCHR /* Define to 1 if you have the `memmove' function. */ #undef HAVE_MEMMOVE /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET /* Define to 1 if you have the `mkdir' function. */ #undef HAVE_MKDIR /* Define to 1 if you have the `modf' function. */ #undef HAVE_MODF /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_NDIR_H /* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_ETHER_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IF_ETHER_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_SYSTM_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IP_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_TCP_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_UDP_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_IF_H /* Define to 1 if you have the `openlog' function. */ #undef HAVE_OPENLOG /* pcap datalink name */ #undef HAVE_PCAP_DATALINK_NAME_TO_VAL /* pcap datalink val to desc */ #undef HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION /* Define to 1 if you have the `pcap_dump_flush' function. */ #undef HAVE_PCAP_DUMP_FLUSH /* Define to 1 if you have the `pcap_dump_ftell' function. */ #undef HAVE_PCAP_DUMP_FTELL /* Define to 1 if you have the `pcap_fopen_offline' function. */ #undef HAVE_PCAP_FOPEN_OFFLINE /* Define to 1 if you have the `pcap_get_selectable_fd' function. */ #undef HAVE_PCAP_GET_SELECTABLE_FD /* pcap list datalinks */ #undef HAVE_PCAP_LIST_DATALINKS /* Define to 1 if you have the `pcap_next_ex' function. */ #undef HAVE_PCAP_NEXT_EX /* Define to 1 if you have the `pcap_set_buffer_size' function. */ #undef HAVE_PCAP_SET_BUFFER_SIZE /* pcap set datalink */ #undef HAVE_PCAP_SET_DATALINK /* Define to 1 if you have the `pfopen' function. */ #undef HAVE_PFOPEN /* Define to 1 if you have the `pow' function. */ #undef HAVE_POW /* Define to 1 if you have the `putenv' function. */ #undef HAVE_PUTENV /* Define to 1 if your system has a GNU libc compatible `realloc' function, and to 0 otherwise. */ #undef HAVE_REALLOC /* Define to 1 if you have the `realpath' function. */ #undef HAVE_REALPATH /* Define to 1 if you have the `regcomp' function. */ #undef HAVE_REGCOMP /* Define to 1 if you have the header file. */ #undef HAVE_REGEX_H /* Define to 1 if you have the `remainderf' function. */ #undef HAVE_REMAINDERF /* Define to 1 if you have the `sched_get_priority_min' function. */ #undef HAVE_SCHED_GET_PRIORITY_MIN /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT /* Define to 1 if you have the `setenv' function. */ #undef HAVE_SETENV /* Define to 1 if you have the `setlinebuf' function. */ #undef HAVE_SETLINEBUF /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF /* Define to 1 if you have the `socket' function. */ #undef HAVE_SOCKET /* On solaris */ #undef HAVE_SOLARIS /* Define to 1 if you have the `sqrt' function. */ #undef HAVE_SQRT /* Define to 1 if you have the `srandomdev' function. */ #undef HAVE_SRANDOMDEV /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG /* Define to 1 if you have the header file. */ #undef HAVE_STDDEF_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strcasecmp' function. */ #undef HAVE_STRCASECMP /* Define to 1 if you have the `strchr' function. */ #undef HAVE_STRCHR /* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP /* Define to 1 if you have the `strerror' function. */ #undef HAVE_STRERROR /* Define to 1 if you have the `strftime' function. */ #undef HAVE_STRFTIME /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strlcat' function. */ #undef HAVE_STRLCAT /* Define to 1 if you have the `strlcpy' function. */ #undef HAVE_STRLCPY /* Define to 1 if you have the `strncasecmp' function. */ #undef HAVE_STRNCASECMP /* Define to 1 if you have the `strpbrk' function. */ #undef HAVE_STRPBRK /* Define to 1 if you have the `strrchr' function. */ #undef HAVE_STRRCHR /* Define to 1 if you have the `strstr' function. */ #undef HAVE_STRSTR /* Define to 1 if you have the `strtof' function. */ #undef HAVE_STRTOF /* Define to 1 if you have the `strtol' function. */ #undef HAVE_STRTOL /* struct ether addr */ #undef HAVE_STRUCT_ETHER_ADDR /* Define to 1 if `tm_zone' is a member of `struct tm'. */ #undef HAVE_STRUCT_TM_TM_ZONE /* Define to 1 if you have the `syslog' function. */ #undef HAVE_SYSLOG /* Define to 1 if you have the header file. */ #undef HAVE_SYSLOG_H /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_SYS_DIR_H /* sys_errlist in stdio.h */ #undef HAVE_SYS_ERRLIST /* Define to 1 if you have the header file. */ #undef HAVE_SYS_FILE_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_IOCTL_H /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_SYS_NDIR_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PARAM_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKIO_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_VFS_H /* Define to 1 if you have that is POSIX.1 compatible. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TCPD_H /* Using Tcp wrappers */ #undef HAVE_TCP_WRAPPER /* Define to 1 if you have the header file. */ #undef HAVE_TERMIOS_H /* Define to 1 if you have the `timegm' function. */ #undef HAVE_TIMEGM /* tm_gmtoff in struct tm */ #undef HAVE_TM_GMTOFF /* Define to 1 if your `struct tm' has `tm_zone'. Deprecated, use `HAVE_STRUCT_TM_TM_ZONE' instead. */ #undef HAVE_TM_ZONE /* Define to 1 if you don't have `tm_zone' but do have the external array `tzname'. */ #undef HAVE_TZNAME /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the header file. */ #undef HAVE_VALUES_H /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if you have the `vfprintf' function. */ #undef HAVE_VFPRINTF /* Define to 1 if you have the `vprintf' function. */ #undef HAVE_VPRINTF /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Using system XDR library */ #undef HAVE_XDR /* Define to 1 if you have the `xdrmem_create' function. */ #undef HAVE_XDRMEM_CREATE /* Define to 1 if you have the header file. */ #undef HAVE_ZLIB_H /* Description */ #undef LBL_ALIGN /* Define to 1 if `lstat' dereferences a symlink specified with a trailing slash. */ #undef LSTAT_FOLLOWS_SLASHED_SYMLINK /* Define to 1 if netinet/ether.h declares `ether_hostton' */ #undef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON /* Define to 1 if netinet/if_ether.h declares `ether_hostton' */ #undef NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* Define to the type of arg 1 for `select'. */ #undef SELECT_TYPE_ARG1 /* Define to the type of args 2, 3 and 4 for `select'. */ #undef SELECT_TYPE_ARG234 /* Define to the type of arg 5 for `select'. */ #undef SELECT_TYPE_ARG5 /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION = 0 => direction of growth unknown */ #undef STACK_DIRECTION /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME /* Define to 1 if your declares `struct tm'. */ #undef TM_IN_SYS_TIME /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a `char[]'. */ #undef YYTEXT_POINTER /* Enable large inode numbers on Mac OS X 10.5. */ #ifndef _DARWIN_USE_64_BIT_INODE # define _DARWIN_USE_64_BIT_INODE 1 #endif /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS /* needed on HP-UX */ #undef _HPUX_SOURCE /* Define for large files, on AIX-style hosts. */ #undef _LARGE_FILES /* Description */ #undef _SUN /* Define for Solaris 2.5.1 so the uint32_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT32_T /* Define for Solaris 2.5.1 so the uint8_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT8_T /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to the type of a signed integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef int16_t /* Define to the type of a signed integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef int32_t /* Define to the type of a signed integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef int8_t /* Define to rpl_malloc if the replacement function should be used. */ #undef malloc /* Define to `int' if does not define. */ #undef pid_t /* Define to rpl_realloc if the replacement function should be used. */ #undef realloc /* Description */ #undef sinix /* Define to `unsigned int' if does not define. */ #undef size_t /* Define to `int' if doesn't define. */ #undef uid_t /* Define to the type of an unsigned integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef uint16_t /* Define to the type of an unsigned integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef uint32_t /* Define to the type of an unsigned integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef uint8_t /* Define as `fork' if `vfork' does not work. */ #undef vfork argus-3.0.8.2/include/argus_dag.h000444 000765 000024 00000004426 12513222401 017152 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Data structures required to define struct Dag Record. * Derived from Dag source code tree ./include/dagapi.h * * $Id: //depot/argus/argus/include/argus_dag.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #define TYPE_LEGACY 0 #define TYPE_HDLC_POS 1 #define TYPE_ETH 2 #define TYPE_ATM 3 #define TYPE_AAL5 4 #define TYPE_MC_HDLC 5 #define TYPE_MC_RAW 6 #define TYPE_MC_ATM 7 #define TYPE_MC_RAW_CHANNEL 8 #define TYPE_MC_AAL5 9 #define TYPE_COLOR_HDLC_POS 10 #define TYPE_COLOR_ETH 11 #define TYPE_MC_AAL2 12 #define TYPE_IP_COUNTER 13 #define TYPE_TCP_FLOW_COUNTER 14 #define TYPE_DSM_COLOR_HDLC_POS 15 #define TYPE_DSM_COLOR_ETH 16 #define TYPE_COLOR_MC_HDLC_POS 17 #define TYPE_AAL2 18 #define TYPE_COLOR_HASH_POS 19 #define TYPE_COLOR_HASH_ETH 20 #define TYPE_INFINIBAND 21 #define TYPE_RAW_LINK 24 #define TYPE_PAD 48 #define TYPE_MIN 1 /* sanity checking */ #define TYPE_MAX 48 /* sanity checking */ #define dag_record_size 16 typedef struct flags { uint8_t iface:2; uint8_t vlen:1; uint8_t trunc:1; uint8_t rxerror:1; uint8_t dserror:1; uint8_t reserved:1; uint8_t direction:1; } flags_t; typedef struct dag_record { uint64_t ts; uint8_t type; flags_t flags; uint16_t rlen; uint16_t lctr; uint16_t wlen; } dag_record_t; argus-3.0.8.2/include/argus_debug.h000444 000765 000024 00000004166 12513222401 017506 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_debug.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusDebug_h #define ArgusDebug_h #ifdef __cplusplus extern "C" { #endif #ifndef __GNUC__ #define inline #endif #define ARGUS_DEBUG_ALL 0xffffffff #define ARGUS_DEBUG_MAIN 0x00000001 /* 1 */ #define ARGUS_DEBUG_CORE 0x00000002 /* 2 */ #define ARGUS_DEBUG_INIT 0x00000004 /* 4 */ #define ARGUS_DEBUG_FILTER 0x00000008 /* 8 */ #define ARGUS_DEBUG_FILTERCOMPILE 0x00000010 /* 16 */ #define ARGUS_DEBUG_FILTERCORE 0x00000020 /* 32 */ #define ARGUS_DEBUG_AUTH 0x00000040 /* 64 */ #define ARGUS_DEBUG_DECODE 0x00000080 /* 128 */ #define ARGUS_DEBUG_MEMORY 0x00000100 /* 256 */ #define ARGUS_DEBUG_UTIL 0x00000200 /* 512 */ #define ARGUS_DEBUG_PARSE 0x00000400 /* 1024 */ #define ARGUS_DEBUG_PARSECORE 0x00000800 /* 2048 */ #define ARGUS_DEBUG_READ 0x00001000 /* 4096 */ #define ARGUS_DEBUG_WRITE 0x00002000 /* 8192 */ #define ARGUS_DEBUG_CLIENT 0x00004000 /* 16384 */ #define ARGUS_DEBUG_POLICY 0x00008000 /* 32768 */ #define ARGUS_DEBUG_APPLICATION 0x00010000 /* 65536 */ #define ARGUS_DEBUG_MERGE 0x00020000 /* 131072 */ #define ARGUS_DEBUG_TIME 0x00040000 /* 262144 */ #define ARGUS_DEBUG_SERVICES 0x00080000 /* 524288 */ extern void ArgusDebug (int, char *, ...); #ifdef __cplusplus } #endif #endif /* ArgusFilter_h */ argus-3.0.8.2/include/argus_def.h000444 000765 000024 00000301572 12545233164 017174 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_def.h#49 $ * $DateTime: 2015/07/02 09:02:44 $ * $Change: 3029 $ */ /* Argus_def.h */ /* * Argus_def.h is a reimplementation of the version 2 argus_def.h * for version 3. The new record structure and data types * are designed to provide flexible and efficient data * representation and transport; motivated to suport IPv6. * While the intent is to provide a clean room style reworking * of the complete argus architecture and data model, there is * continuity and compatibility with version 2 Argus data. * * The basic properties retained are a common fixed size * initial MAR *. The prinicpal difference is a 4 byte * ArgusRecord header with most data integrated into the * Data Supplement Records (DSR), support for 8, 16, 32 and * 64 bit counters, and new flow descriptor strategies. * */ #ifndef Argus_def_h #define Argus_def_h #ifdef __cplusplus extern "C" { #endif /* argus constants */ #define MINOR_VERSION_0 0 #define MINOR_VERSION_1 1 #define MINOR_VERSION_2 2 #define MINOR_VERSION_3 3 #define MINOR_VERSION_4 4 #define MINOR_VERSION_5 5 #define MINOR_VERSION_6 6 #define MINOR_VERSION_7 7 #define MINOR_VERSION_8 8 #define MINOR_VERSION_9 9 #define MAJOR_VERSION_1 1 #define MAJOR_VERSION_2 2 #define MAJOR_VERSION_3 3 #define MAJOR_VERSION_4 4 #define MAJOR_VERSION_5 5 #define VERSION_MAJOR MAJOR_VERSION_3 #define VERSION_MINOR MINOR_VERSION_0 #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ #endif /* Argus Record Format The Argus has a short 32-bit header and then a collection of Data Specific Records, which have a TLV structure. This allows for a lot of options in representing data. The goal is to support explicit data alignment, extended key and non-key attributes, removeable transport identifiers, efficently reporting unidirectional flows, and supporting multi-length counters in the metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Transport | O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ p | | t | Argus Record Flow Key | i | | o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ n | Argus Record Flow Non-Key | a | Attributes | l +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | D | Argus Metrics | S | . | R +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ s */ /* Argus Record Header Format The argus record is a 32-bit header that specifies the type of record, MAR or FAR, the standard cause indicator, a shorter version number, starting with 3, and a Options field. The Length field, which is the number of 4-byte integers in the record, supports 64K size argus records. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Vers | Cause | Opt | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_MAXRECORDSIZE 0x40000 /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_MAR 0x80 /* Normal Argus Management Record */ #define ARGUS_FAR 0x10 /* Normal Argus Data Record */ #define ARGUS_INDEX 0x20 /* New Argus Index Record */ #define ARGUS_NETFLOW 0x30 /* Argus Cisco Netflow Originated Record */ #define ARGUS_EVENT 0x40 /* New Argus Event/Message Record */ #define ARGUS_DATASUP 0x50 /* New Supplemental Argus Data Record */ #define ARGUS_ARCHIVAL 0x60 /* New Archival Argus Data Record */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Vers | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Record Version (Ver) */ #define ARGUS_VERSION_1 0x01 /* Version 1 */ #define ARGUS_VERSION_2 0x02 /* Version 2 */ #define ARGUS_VERSION_3 0x03 /* Version 3 */ #define ARGUS_VERSION_4 0x04 /* Version 4 */ #define ARGUS_VERSION ARGUS_VERSION_3 /* Version 3 */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cause | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Cause */ #define ARGUS_START 0x10 /* Initial Record */ #define ARGUS_STATUS 0x20 /* Continuation Record*/ #define ARGUS_STOP 0x30 /* Closed/Terminating Record */ #define ARGUS_TIMEOUT 0x40 /* Record Timed Out */ #define ARGUS_FLUSH 0x50 /* System Record Flush */ #define ARGUS_SHUTDOWN 0x60 /* Administrative Shutdown */ #define ARGUS_CLOSED 0x70 /* Argus Initiates Shutdown */ #define ARGUS_ERROR 0x80 /* Error - Major Problem */ #define ARGUS_SUPPLEMENTAL 0x90 /* Argus Supplemental Record */ /* Argus Record Header Option Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Opt | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Option Record Field Note that one tick mark represents one bit position. The values in the Argus Option Field are specific to each cause. */ /* Argus Start Option Messages */ /* Argus Status Option Messages */ /* Argus Supplemental Option Messages */ /* Argus Stop Option Messages */ /* Argus Timeout Option Messages */ /* Argus Flush Option Messages */ /* Argus Shutdown Option Messages */ /* Argus Error Option Messages */ #define ARGUS_ACCESSDENIED 0x01 #define ARGUS_MAXLISTENEXCD 0x02 /* Argus Record Header Length Field Number of 32-bit longwords, including the header. Unsigned 16 bit integer. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Length Record Field Note that one tick mark represents one bit position. */ #define MAXARGUSRECORD 0x40000 #define MAXSTRLEN 4096 /* Argus Data Argus Data is a collection of Argus Data Specific Records (DSRs) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data Specific Records | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Record Field Note that one tick mark represents one bit position. */ /* Argus MAR Record Specific Defines */ #define ARGUS_COOKIE 0xE5712DCB #define ARGUS_V3_COOKIE ARGUS_COOKIE #define ARGUS_V2_COOKIE 0xE5617ACB #define ARGUS_SASL_AUTHENTICATE 0x00001000 #define ARGUS_IDIS_STRING 0x00200000 #define ARGUS_IDIS_INT 0x00400000 #define ARGUS_IDIS_IPV4 0x00800000 /* Argus Record Data Specific Record (DSR) Types */ #define ARGUSMAXDSRTYPE 21 /* Argus Data Specific Record (DSR) Formats There are two types of DSR, 1) a Type Value (TV) record with an explicit length of 4 bytes, and 2) a Type Length Value (TLV) record, that is longer than 4 bytes and supports variable length records. The fixed length record is distinquished from the variable length record with the most significant bit of the Type Field set to 1 (>= 0x80). All Argus DSRs are 32-bit aligned. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Type | SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus DSR Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Type | SubType | Argus DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Specific Record (DSR) Field Note that one tick mark represents one bit position. */ /* Argus Record Data Type Field The DSR Type Field specifies the type and format of the DSR. The most significant bit indicates if the DSR is a TV or TLV type. A TV structure has a specific length of 4 bytes, which a TLV has a variable length indicator. The other bits specify highest level semantics for the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |x| Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_IMMEDIATE_DATA 0x80 #define ARGUS_TRANSPORT_DSR 0x01 #define ARGUS_FLOW_DSR 0x02 #define ARGUS_TIME_DSR 0x03 #define ARGUS_METER_DSR 0x10 #define ARGUS_PSIZE_DSR 0x12 #define ARGUS_ENCAPS_DSR 0x20 #define ARGUS_NETWORK_DSR 0x30 #define ARGUS_ICMP_DSR 0x34 #define ARGUS_IB_DSR 0x35 #define ARGUS_ISIS_DSR 0x36 #define ARGUS_RSVP_DSR 0x37 #define ARGUS_ESP_DSR 0x38 #define ARGUS_LCP_DSR 0x39 #define ARGUS_DATA_DSR 0x50 #define ARGUS_AGR_DSR 0x60 #define ARGUS_COR_DSR 0x62 #define ARGUS_COCODE_DSR 0x64 #define ARGUS_LABEL_DSR 0x66 /* Argus Record Data SubType Field The DSR SubType Field indicates the specific types for this DSR, and is specific for the DSR Type. The most significant bit of the subtype field indicates the width of the length, when it is present. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| |x| SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| |0| SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_LEN_16BITS 0x80 #define ARGUS_TIMEADJUST 0x01 /* Argus Record Data Qualifier Field TLV Data Records that have an 8 bit length field support an 8-bit Qualifier field, which is used to convey additional semantics for the DSR format and contents. In some situations, the qualifier may be used to further specify the actual DSR data format, in others it may provide addition semantics, or it can be used to provide the actual 8-bit data. How the Qualifier is parsed and used is specific to the DSR Type and SubType. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| |0| | Qualifier | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus DSR Qualifier */ #define ARGUS_SRC 0x01 #define ARGUS_DST 0x02 #define ARGUS_SRC_CHANGED 0x04 #define ARGUS_DST_CHANGED 0x08 #define ARGUS_SRC_INT_CHANGED 0x10 #define ARGUS_DST_INT_CHANGED 0x20 #define ARGUS_TYPE_IPV4 0x01 #define ARGUS_TYPE_IPV6 0x02 #define ARGUS_TYPE_ETHER 0x03 #define ARGUS_TYPE_ARP 0x04 #define ARGUS_TYPE_RARP 0x05 #define ARGUS_TYPE_MPLS 0x06 #define ARGUS_TYPE_VLAN 0x07 #define ARGUS_TYPE_WLAN 0x08 #define ARGUS_TYPE_LCP 0x09 #define ARGUS_TYPE_ISIS 0x0A #define ARGUS_TYPE_IB_LOCAL 0x0B #define ARGUS_TYPE_IB_GLOBAL 0x0C #define ARGUS_TYPE_UDT 0x0D #define ARGUS_TYPE_INT 0x20 #define ARGUS_TYPE_STRING 0x21 /* Flow Descriptor Option Qualifiers */ #define ARGUS_ANON 0x20 /* Record Descriptor Qualifiers */ #define ARGUS_MERGED 0x40 /* Argus Record Data Length Field Number of 32-bit longwords, including the header. Data records that have a 0 as the most significant bit support variable length records, and as a result have a length field. Records with a 1 as the most significant bit are fixed length 4 byte records, and thus do not have a length field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Length field can equal 1. */ #define ARGUS_MAXDSRLEN 0xFF /* Argus Data Transport DSR The Transport DSR provides source probe identification and optionally a probe transport specific sequence number. The probe identifier can be a number of types including an IPv4, IPv6 address, an ethernet address, a unsigned 32-bit integer, and/or an arbitrary string, such as a URL. The probe identifier should be unique throughout the monitoring domain. */ #define ARGUS_MAR_INDEX 0 #define ARGUS_EVENT_INDEX 0 /* Argus Transport DSR Type */ #define ARGUS_TRANSPORT_INDEX 0 /* Argus Transport DSR SubType */ #define ARGUS_SRCID 0x01 #define ARGUS_SEQ 0x02 /* Argus Transport DSR Qualifier */ /* ARGUS_TYPE_IPV4 ARGUS_TYPE_IPV6 TAM_TYPE_ETHER ARGUS_TYPE_INT ARGUS_TYPE_STRING ARGUS_SRCID (with IPV4ADDR as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x01 | 0x01 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID (with IPV6ADDR as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x01 | 0x02 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Source Identifier | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID | ARGUS_SEQ (with 32-bin unsigned int as ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x03 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID | ARGUS_SEQ (with STRING as ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x11 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | | | | +---+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | PAD | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Transport Record Field Note that one tick mark represents one bit position. */ /* Argus Time Descriptor DSR The Argus Time Descriptor is an optional DSR that specifies time for packet related events. These can represent time ranges, single timestamps, or relative timestamps. If relative timestamps are used in an Argus record, there must be only one absolute timestamp to act as the unambiguous reference, and this should be the first timestamp in the record. This absolute reference can stand alone or be included in a composite structure that also contains relative time references. The scale must match, or there is an error. Unsigned 32-bit uSec relative time references can handle up to 71.58278 minutes, and nSec relative time refereces can handle up to 4.294967296 seconds, however there are many network events that can exceed these time ranges, and so when needed, absolute time ranges will be used. Flows are bounded in time with single packet events having a single reference, and multiple packet flows having additional time boundary references. In the case of uni-directional multi-packet flows, a time range indicates the time for the occurence of the first and last measured event for that flow. In bi-directional flows, the strategy is to represent the metrics as two uni- directional flows bound together by the flow descriptors, and some state. This strategy impacts how time will be reported. Each uni-directional flow can be composed of a single packet event or a multi-packet event, so there is a requirement to support up to 4 timestamps in a given record. */ /* Argus Time Descriptor DSR Types */ #define ARGUS_TIME_INDEX 2 /* Argus Time Descriptor DSR SubTypes */ #define ARGUS_TIME_ABSOLUTE_TIMESTAMP 0x01 #define ARGUS_TIME_ABSOLUTE_RANGE 0x02 #define ARGUS_TIME_ABSOLUTE_RELATIVE_RANGE 0x03 #define ARGUS_TIME_RELATIVE_TIMESTAMP 0x04 #define ARGUS_TIME_RELATIVE_RANGE 0x05 #define ARGUS_TIME_SRC_START 0x08 #define ARGUS_TIME_SRC_END 0x10 #define ARGUS_TIME_DST_START 0x20 #define ARGUS_TIME_DST_END 0x40 #define ARGUS_TIME_MASK (ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END) /* Argus Flow Descriptor DSR Qualifiers */ #define ARGUS_TYPE_UTC_MICROSECONDS 0x18 #define ARGUS_TYPE_UTC_NANOSECONDS 0x19 #define ARGUS_TYPE_MICROSECONDS 0x1A #define ARGUS_TYPE_NANOSECONDS 0x1B /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x01 | 0x18 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x02 | 0x18 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Start Time (UTC) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Last Time (UTC) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x03 | 0x19 | 0x04 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x04 | 0x1A | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Delta Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x05 | 0x1B | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Start Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Last Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Time Record Field Note that one tick mark represents one bit position. */ /* Argus Time Adjustment Descriptor DSR The Argus Time Adjustment Descriptor is an optional DSR that specifies a time adjustment that is assigned/imposed by the NTAIS system. Generally added by either an intermediate RADIUM node or in the receiving NTAIS, this value is a single time adjustment value to bring the timestamps into synchronization in the system. The DSR is a composite DSR, and is composed of a mandatory Source Identifier, and a Timestamp, as specified above. The minimum record length is 24 bytes long (6 * 4). */ /* Argus Time Descriptor DSR Types */ #define ARGUS_TIME_ADJ_INDEX 16 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x09 | 0x00 | 0x00 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Transport Record | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Time Record | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Time Adjustment Record Field Note that one tick mark represents one bit position. */ /* Argus Flow Descriptor DSR The Argus Flow Descriptor is an optional DSR that specifies the key and non-key attributes that apply to the flow record. Key attributes indicate the attributes that were used by the probe or aggregator to formulate the flow. This may involve any combination of identifiers that were contained in the packets themselves. A flow description is a collection of identifiers that were used to classify packets. All packets that contain the identifiers are considered a part of the same flow model. The Argus supports both uni and bi- directional flow modeling. Because flow descriptors can be directionally sensitive, a direction bit is included in the flow descriptor qualifier. The Argus supports a number of pre-defined complex flow descriptor groupings as specific data types, in order to be efficient. It also supports arbitrary flow descriptions, While most flows will be Type-P1 5-tuple Layer 3/4 flows, many applications will want to support Layer 2, unidirectional Layer 2.5 (MPLS), Layer 3 address, and Layer 3 CIDR address based flows. Aggregation experiments indicate that non-key attributes can be persistent during the life of some flows, and the ability to report these attributes is important for many analytical methods. So, indicating persistent and non-persistent/last attribute values is extremely important. It is important to propagte throught the life of the flow record, an indication that the RMON style of data, where only one set of the bi-directional flow key objects, are retained and being used as a key. Attributes that are used as keys are indicated in the most significant bit of the DSR. */ /* Argus Flow Descriptor DSR Types */ #define ARGUS_FLOW_INDEX 1 /* Argus Flow Descriptor DSR SubTypes */ #define ARGUS_FLOW_KEY_ATTRIBUTE 0x80 #define ARGUS_FLOW_CLASSIC5TUPLE 0x01 #define ARGUS_FLOW_LAYER_2_MATRIX 0x02 #define ARGUS_FLOW_LAYER_3_MATRIX 0x03 #define ARGUS_FLOW_MPLS 0x04 #define ARGUS_FLOW_VLAN 0x05 #define ARGUS_FLOW_ARP 0x06 #define ARGUS_FLOW_LAYER_2 0x07 #define ARGUS_FLOW_KEYS 0x00000007 #define ARGUS_FLOW_KEY_CLASSIC5TUPLE 0x00000001 #define ARGUS_FLOW_KEY_LAYER_2_MATRIX 0x00000002 #define ARGUS_FLOW_KEY_LAYER_3_MATRIX 0x00000004 #define ARGUS_FLOW_KEY_LOCAL_MPLS 0x00000008 #define ARGUS_FLOW_KEY_COMPLETE_MPLS 0x00000010 #define ARGUS_FLOW_KEY_VLAN 0x00000020 #define ARGUS_FLOW_KEY_LAYER_2 0x00000040 #define ARGUS_FLOW_COMPOSITE 0x08 #define ARGUS_FLOW_DLT_IANA 0x10 /* this is the layer 2 ifType */ #define ARGUS_FLOW_ETH_IANA 0x11 /* this is the layer 3 protocol ids */ #define ARGUS_FLOW_IP_IANA 0x12 /* this is the layer 4 protocol/nexthop number */ #define ARGUS_FLOW_RMON 0x40 /* this has been created usig RMON options */ /* Argus Flow Descriptor DSR Qualifiers */ #define ARGUS_SYSTEM_FLOW 0x20 #define ARGUS_REVERSE 0x40 #define ARGUS_UNIDIRECTIONAL 0x10 #define ARGUS_BIDIRECTIONAL 0x20 #define ARGUS_MASKLEN 0x40 #define ARGUS_FRAGMENT 0x80 /* ARGUS_FLOW_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K|D| SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Flow Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV6 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x02 | 0x0B | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv4 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv4 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ETHER 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x03 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source | | Ethernet +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Address | Destination | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Ethernet | | Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Type | dsap | ssap | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP | Trans Proto | Type | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identifier | IP Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP | Trans Proto | Type | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pad | IP Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP | Trans Proto | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Payload Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ARP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|0| 0x01 | 0x07 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP SPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ARP (reverse) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|1| 0x01 | 0x07 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source | | Ethernet +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Address | Target | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Ethernet | | Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_FLOW_COMPOSITE Composite argus flow descriptors allow for arbitrary identifiers to be used as flow key elements. The trick is to effeciently encode the flow descriptor so that clients can keep up. The concept is that anything in the packet should be fair game fair game, as they are observable identifiers. Practically there are limits, as some fields are arbitrary, or can be modified in the network. Composite flow keys are indicated using the ARGUS_FLOW_COMPOSITE DSR identifier, which is a header preceeding a set of IANA based packet content identifiers. The values of many of the constants are defined in other include files, and so if you see a value you are not familiar with, grep for in the set of include files provided. First the composite methods should be capable of representing the stanard flow defintiions efficiently. This is an example of how to indicate the classic IPv4 5-tuple flow spec for UDP traffic, using Composite Flow DSRs. Type=COMPOSITE SubType=IANA_LAYER3 Qual=IPv4 SubType=IANA_LAYER4 IANA Qual=UDP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x08 | 0x01 | 0x06 | Composite +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | IPv4 Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x11 | 0x02 | UDP Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ This is an example of how to indicate a modified IPv4 flow spec for UDP traffic, using Composite Flow DSRs. This flow spec has src and dst address data and just the protocol field. Type=COMPOSITE SubType=IANA_LAYER3 Qual=IPv4 SubType=IANA_LAYER4 IANA Qual=UDP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x08 | 0x01 | 0x06 | Composite +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | IPv4 Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x11 | UDP Protocol +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type=FLOW SubType=LAYER3 Qual=IPv4 Type=LAYER4 SubType=IANA Qual=TCP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x07 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | Source ToS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV6_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x02 | Qualifier | 0x0A | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x06 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_DSR 0x04 ARGUS_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| ProtoType | Protocol Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x04 |K| Proto Type | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Protocol Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_DLT_DSR 0x04 #define ARGUS_PROTO_DLT_BPF 0x01 #define ARGUS_PROTO_DLT_IANA 0x02 ARGUS_PROTO_DLT_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| DLT Value | Data Link Type Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x04 |K| DLT Value | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_DLT_802_1Q_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| 71 | 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_ETHER_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| ETH_IANA | Ethernet Protocol Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_IP_DSR 0x10 #define ARGUS_PROTO_IP_ATTR_DSR 0x04 #define ARGUS_PROTO_IP_OPTIONS_DSR 0x05 */ /* ARGUS_PROTO_IP_DSR IP Qualifiers */ #define ARGUS_IP_V4 0x01 #define ARGUS_IP_V6 0x02 #define ARGUS_IP_OPTIONS 0x03 /* ARGUS_PROTO_IP_ATTR_DSR Status */ /* #define ARGUS_IP_TOS_MODIFIED 0x00001000 #define ARGUS_IP_TTL_MODIFIED 0x00002000 #define ARGUS_IP_OPTIONS_MODIFIED 0x00004000 */ #define ARGUS_ICMP_MAPPED 0x07 #define ARGUS_ICMPUNREACH_MAPPED 0x01 #define ARGUS_ICMPREDIREC_MAPPED 0x02 #define ARGUS_ICMPTIMXCED_MAPPED 0x04 /* IP Header Field Identifiers */ #define ARGUS_IP_SRC 0x01 #define ARGUS_IP_DST 0x02 #define ARGUS_IP_PROTO 0x04 #define ARGUS_IP_TOS 0x08 #define ARGUS_IP_TTL 0x10 #define ARGUS_IP_ID 0x20 /* IP Option Indicators */ #define ARGUS_RECORDROUTE 0x01 #define ARGUS_TIMESTAMP 0x02 #define ARGUS_SECURITY 0x04 #define ARGUS_LSRCROUTE 0x08 #define ARGUS_SATID 0x10 #define ARGUS_SSRCROUTE 0x20 #define ARGUS_RTRALERT 0x40 /* ARGUS_PROTO_IP_ATTR_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x10 |K| 0x04 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP ID | TTL | TOS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status | Options | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_OPTIONS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x10 |K| 0x05 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Options Indicator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_IP_PROTO_DSR 0x12 ARGUS_PROTO_IP_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x12 |K| 0x10 | Qualifier | Proto Num | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | Proto Num | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR TCP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x06 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR UDP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x11 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ICMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x01 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP Type | ICMP Code | ICMP ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ESP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x32 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Security Payload Identifiier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR IGMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x12 |1| 0x10 | 0x02 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Type | IGMP Code | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Meter Specific Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Meter DSR Type */ #define ARGUS_METRIC_INDEX 3 /* Argus Meter DSR Subtype */ #define ARGUS_METER_PKTS_BYTES 0x01 #define ARGUS_METER_PKTS_BYTES_APP 0x04 /* Argus Meter DSR Qual */ #define ARGUS_SRCDST_BYTE 0x01 #define ARGUS_SRCDST_SHORT 0x02 #define ARGUS_SRCDST_INT 0x03 #define ARGUS_SRCDST_LONGLONG 0x04 #define ARGUS_SRC_BYTE 0x05 #define ARGUS_SRC_SHORT 0x06 #define ARGUS_SRC_INT 0x07 #define ARGUS_SRC_LONGLONG 0x08 #define ARGUS_DST_BYTE 0x09 #define ARGUS_DST_SHORT 0x0A #define ARGUS_DST_INT 0x0B #define ARGUS_DST_LONGLONG 0x0C /* #define ARGUS_METER_PKTS_BYTES 0x01 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 2 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 3 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 4 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + packets + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + bytes + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Packet Size DSR Type */ #define ARGUS_PSIZE_INDEX 10 /* Argus Packet Size DSR Subtype */ #define ARGUS_PSIZE_SRC_MAX_MIN 0x01 #define ARGUS_PSIZE_DST_MAX_MIN 0x02 #define ARGUS_PSIZE_HISTO 0x04 /* Argus Packet Size DSR Qual (same as Metric above) */ /* #define ARGUS_SRCDST_SHORT 0x02 #define ARGUS_SRCDST_INT 0x03 #define ARGUS_SRC_SHORT 0x06 #define ARGUS_SRC_INT 0x07 #define ARGUS_DST_SHORT 0x0A #define ARGUS_DST_INT 0x0B */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 0x06 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | src min size | src max size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | dst min size | dst max size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Standard Source and Destination max and min packet size report. */ #define ARGUS_DIRECTION 0x0000020 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x04 | Qualifier | 0x04 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCPQualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Syn ACK uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP ACK DATA uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x05 | D | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Sequence Base | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Acknowledged Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Total Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Retransmitted Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Last Reported Window | TCP Flags | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_METER_IGMP_PERF 0x06 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x06 | D | Qualifier | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Group | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Join Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Leave Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_METER_ESP_PERF 0x07 */ /* IP Sec AH Header Qualifier Bits */ /* #define ARGUS_AH_HDR 0x10 #define ARGUS_AH_REPLAY 0x08 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x07 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Last Sequence | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Lost Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_AGR_INDEX 4 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x22 | 0x01 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | record count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x22 | 0x02 | Qualifier | 0x07 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | record count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastStartTime Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastStartTime uSeconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastTime Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastTime uSeconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Encapsulation DSR Type */ #define ARGUS_ENCAPS_INDEX 15 /* Argus Encapsulation DSR Qualifier */ #define ARGUS_ENCAPS_CHANGED 0x80 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x00 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src Encapsulation Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Dst Encapsulation Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Fragment DSR Type */ #define ARGUS_FRAG_INDEX 5 #define ARGUS_FRAGMENTS 0x01 #define ARGUS_FRAGOVERLAP 0x02 /* Fragment State Constants and Reporting Values */ #define ARGUS_FRAG_INIT 0x10 #define ARGUS_FRAG_OUT_OF_ORDER 0x20 #define ARGUS_TCPFRAGOFFSETERROR 0x40 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x25 | 0x01 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | fragment number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | fragment identification | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Total Fragment Length | Current Fragment Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Maxiumum Fragment Length | pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Network DSR The Network DSR provides additional information regarding transport layer information. */ /* Argus Transport DSR Type */ #define ARGUS_NETWORK_INDEX 5 /* Argus Transport DSR Subtype */ #define ARGUS_TCP_INIT 0x03 #define ARGUS_TCP_STATUS 0x04 #define ARGUS_TCP_PERF 0x05 #define ARGUS_NETWORK_SUBTYPE_ARP 0x10 #define ARGUS_NETWORK_SUBTYPE_FRAG 0x45 /* RTP State Constants and Reporting Values */ #define ARGUS_RTP_SRCSILENCE 0x01 #define ARGUS_RTP_DSTSILENCE 0x02 #define ARGUS_HTTP_FLOWTAG 0x01 #define ARGUS_RTCP_FLOW 0x09 #define ARGUS_RTP_FLOW 0x0A /* UDT State Constants and Reporting Values */ #define ARGUS_UDT_FLOW 0x0D /* TCP State Constants and Reporting Values */ #define ARGUS_SAW_SYN 0x00000001 #define ARGUS_SAW_SYN_SENT 0x00000002 #define ARGUS_CON_ESTABLISHED 0x00000004 #define ARGUS_FIN 0x00000008 #define ARGUS_FIN_ACK 0x00000010 #define ARGUS_NORMAL_CLOSE 0x00000020 #define ARGUS_CLOSE_WAITING 0x00000040 #define ARGUS_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_DST_PKTS_RETRANS 0x00000200 #define ARGUS_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_DST_WINDOW_SHUT 0x00000800 #define ARGUS_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_SRC_RESET 0x00001000 #define ARGUS_DST_RESET 0x00002000 #define ARGUS_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_SRC_CONGESTED 0x00004000 #define ARGUS_DST_CONGESTED 0x00008000 #define ARGUS_PKTS_DROP 0x30 #define ARGUS_SRC_PKTS_DROP 0x10 #define ARGUS_DST_PKTS_DROP 0x20 #define ARGUS_OUTOFORDER 0x00030000 #define ARGUS_SRC_OUTOFORDER 0x00010000 #define ARGUS_DST_OUTOFORDER 0x00020000 #define ARGUS_DUPLICATES 0x000C0000 #define ARGUS_SRC_DUPLICATES 0x00040000 #define ARGUS_DST_DUPLICATES 0x00080000 #define ARGUS_TCP_OPTIONS 0xFFF00000 #define ARGUS_TCP_MAXSEG 0x00100000 #define ARGUS_TCP_WSCALE 0x00200000 #define ARGUS_TCP_SACKOK 0x00400000 #define ARGUS_TCP_SACK 0x00800000 #define ARGUS_TCP_ECHO 0x01000000 #define ARGUS_TCP_ECHOREPLY 0x02000000 #define ARGUS_TCP_TIMESTAMP 0x04000000 #define ARGUS_TCP_CC 0x08000000 #define ARGUS_TCP_CCNEW 0x10000000 #define ARGUS_TCP_CCECHO 0x20000000 #define ARGUS_TCP_SRC_ECN 0x40000000 #define ARGUS_TCP_DST_ECN 0x80000000 #define ARGUS_UDT_OPTIONS 0xFFF00000 #define ARGUS_UDT_BADVERSION 0x00100000 #define ARGUS_UDT_FIRSTDROPZERO 0x01000000 /* ESP State Constatans and Reporting Values */ #define ARGUS_ESP_ROLLOVER 0x1000 #define ARGUS_ESP_SEQFAILURE 0x2000 /* Vlan Transport DSR Type */ #define ARGUS_VLAN_DSR 0x40 #define ARGUS_VLAN_INDEX 6 #define ARGUS_SRC_VLAN 0x01 #define ARGUS_DST_VLAN 0x02 /* Mpls Transport DSR Type */ #define ARGUS_MPLS_DSR 0x44 #define ARGUS_MPLS_INDEX 7 /* Argus MPLS DSR SubType */ #define ARGUS_MPLS_SRC_LABEL 0x01 #define ARGUS_MPLS_DST_LABEL 0x02 /* Argus MPLS DSR Qualifier */ #define ARGUS_MPLS_SRC_LABEL_CHANGED 0x10 #define ARGUS_MPLS_DST_LABEL_CHANGED 0x20 /* Mac Layer Header DSR Type */ #define ARGUS_MAC_DSR 0x42 #define ARGUS_MAC_INDEX 13 /* Argus Mac Layer DSR Qualifier */ #define ARGUS_MULTIPATH 0x03 #define ARGUS_SRC_MULTIPATH 0x01 #define ARGUS_DST_MULTIPATH 0x02 /* Jitter Transport DSR Type */ #define ARGUS_JITTER_DSR 0x46 #define ARGUS_JITTER_INDEX 8 /* Argus Jitter DSR Qualifier */ #define ARGUS_SRC_ACTIVE_JITTER 0x01 #define ARGUS_SRC_IDLE_JITTER 0x02 #define ARGUS_DST_ACTIVE_JITTER 0x04 #define ARGUS_DST_IDLE_JITTER 0x08 /* Argus Histogram DSR Type */ #define ARGUS_HISTO_DSR 0x47 #define ARGUS_HISTO_INDEX 18 /* Argus Histogram DSR Subtype */ #define ARGUS_HISTO_EXP 0x01 #define ARGUS_HISTO_LINEAR 0x02 /* ARGUS_HISTO_LINEAR size:bins:start ARGUS_HISTO_EXPONENTIAL size:bins:start:base ARGUS_HISTO_SCALED ARGUS_HISTO_OUTLAYER_LOWER ARGUS_HISTO_OUTLAYER_UPPER */ /* Argus IP Attribute DSR Type */ #define ARGUS_IPATTR_DSR 0x48 #define ARGUS_IPATTR_INDEX 9 /* Argus IP Attribute DSR Qualifier */ #define ARGUS_IPATTR_SRC 0x01 #define ARGUS_IPATTR_DST 0x02 #define ARGUS_IPATTR_SRC_OPTIONS 0x04 #define ARGUS_IPATTR_DST_OPTIONS 0x08 #define ARGUS_IPATTR_SRC_FRAGMENTS 0x10 #define ARGUS_IPATTR_DST_FRAGMENTS 0x20 /* Argus Data DSR Type */ #define ARGUS_DATA_DSR 0x50 #define ARGUS_SRCUSERDATA_INDEX 11 #define ARGUS_DSTUSERDATA_INDEX 12 /* Argus Data DSR SubTypes */ #define ARGUS_TOTAL_PACKET 0x01 #define ARGUS_PACKET_HDR 0x02 #define ARGUS_USER_DATA 0x03 #define ARGUS_DATA_COMPRESS 0x08 #define ARGUS_SRC_DATA 0x10 #define ARGUS_DST_DATA 0x20 /* Argus ICMP DSR Type */ #define ARGUS_ICMP_DSR 0x34 #define ARGUS_ICMP_INDEX 14 /* Argus Behavior DSR Type */ #define ARGUS_BEHAVIOR_DSR 0x54 #define ARGUS_BEHAVIOR_INDEX 17 /* Argus Behavior DSR SubTypes */ #define ARGUS_TCP_KEYSTROKE 0x01 #define ARGUS_SSH_KEYSTROKE 0x02 /* Argus Correlation DSR Type */ #define ARGUS_COR_INDEX 17 /* Argus Country Code DSR */ #define ARGUS_COCODE_INDEX 18 /* Argus Label DSR */ #define ARGUS_LABEL_INDEX 19 /* Argus Label SubTypes */ #define ARGUS_SVC_LABEL 0x01 /* Argus ASN DSR */ #define ARGUS_ASN_DSR 0x32 #define ARGUS_ASN_INDEX 20 /* Argus ASN SubTypes */ #define ARGUS_ASN_ORIGIN 0x01 #define ARGUS_ASN_PEER 0x02 #define ARGUS_SRC_ADDR 0x01 #define ARGUS_DST_ADDR 0x02 #define ARGUS_INODE_ADDR 0x04 #define ARGUS_ADDR_MASK 0x07 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x01 | Qualifier | 0x24 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Total Packet Contents | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Contents Field Note that one tick mark represents one bit position. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x02 | Qualifier | 0x08 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Packet Header Contents | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Header Contents Field Note that one tick mark represents one bit position. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x03 | Qualifier | 0x80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Flow User Data Contents | | | | | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Header Contents Field Note that one tick mark represents one bit position. */ /* Argus Record Examples Simple TCP 5-Tuple UDP flow record with transport identifier and sequence numbers with unidirectional Packet and Byte Load Metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Vers | Opt | Length | Header +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x02 | 0x03 | 0x03 | Transport +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Identifier | Argus Source Identifier | and +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ sequence num | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IPv4 Addrs | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x11 | 0x02 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ UDP and Ports | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | Qualifier | 0x02 | Src Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Simple TCP 5-Tuple TCP flow record with TCP state and status indicators, with bidirectional Packet and Byte Metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x1 | 0x2 | 0x03 | 0x0 | 0x000C | Header +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IPv4 Addrs | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x06 | 0x02 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TCP and Ports | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x16 |K| 0x10 | 0x06 | 0x02 | TCP State and Options +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attributes | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | SRC Qual | 0x02 | Src Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | DST Qual | 0x02 | Dst Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* argus_def_v2.h Legacy Argus Record Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | Opt | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Status Record Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_V2_MAR 0x80 /* Normal Argus Management Record */ #define ARGUS_V2_INDEX 0xA0 /* New Argus Index Record */ #define ARGUS_V2_EVENT 0xC0 /* New Argus Event/Message Record */ #define ARGUS_V2_CISCO_NETFLOW 0x10 /* Argus CISCO Netflow Support */ #define ARGUS_V2_WRITESTRUCT 0x20 /* Argus 1.x Write Struct Conversion */ #define ARGUS_V2_RMON 0x40 /* New RMON style FAR Record Format */ #define ARGUS_V2_FAR 0x01 /* Normal Argus Data Record */ #define ARGUS_V2_DATASUP 0x02 /* New Supplemental Argus Data Record */ #define ARGUS_V2_ARCHIVE 0x03 /* New Archival Argus Data Record */ /* Argus Record Cause */ #define ARGUS_V2_START 0x01 /* INIT */ #define ARGUS_V2_STATUS 0x04 /* STATUS */ #define ARGUS_V2_STOP 0x08 /* CLOSE */ #define ARGUS_V2_SHUTDOWN 0x10 /* Administrative shutdown */ #define ARGUS_V2_TIMEOUT 0x20 /* TIMEOUT */ #define ARGUS_V2_ERROR 0x40 /* MAJOR PROBLEM */ /* Record Version (Ver) */ #define ARGUS_V2_VERSION 0x20000000 /* Version 2 */ /* Record Options (Opt)*/ #define ARGUS_V2_ANON 0x01000000 #define ARGUS_V2_MERGED 0x02000000 #define ARGUS_V2_TOPN 0x04000000 #define ARGUS_V2_MATRIX 0x08000000 /* Argus MAR Record Status */ #define ARGUS_V2_SASL_AUTHENTICATE 0x00001000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status Conditions | Proto | EtherType Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Record Status Field Note that one tick mark represents one bit position. */ #define ARGUS_V2_ETHERTYPE 0x00FFFF #define ARGUS_V2_MPLS 0x00010000 #define ARGUS_V2_VLAN 0x00020000 #define ARGUS_V2_PPPoE 0x00040000 #define ARGUS_V2_SNAPENCAPS 0x00080000 #define ARGUS_V2_CONNECTED 0x00100000 #define ARGUS_V2_ID_IS_IPADDR 0x00800000 #define ARGUS_V2_SRC_VLAN 0x0001 #define ARGUS_V2_DST_VLAN 0x0002 #define ARGUS_V2_SRC_MPLS 0x0001 #define ARGUS_V2_DST_MPLS 0x0002 #define ARGUS_V2_SRC_CHANGED 0x0010 #define ARGUS_V2_DST_CHANGED 0x0020 /* Argus Error Messages go into the status field when the Record Cause is ARGUS_V2_ERROR. */ #define ARGUS_V2_ACCESSDENIED 0x000010 #define ARGUS_V2_MAXLISTENEXCD 0x000020 /* Link Types */ #define ARGUS_V2_ETHERNET 0x01000000 #define ARGUS_V2_ATM 0x02000000 #define ARGUS_V2_FDDI 0x03000000 #define ARGUS_V2_TOKENRING 0x04000000 #define ARGUS_V2_SLIP 0x05000000 #define ARGUS_V2_PPP 0x06000000 #define ARGUS_V2_ESP 0x07000000 #define ARGUS_V2_RAW 0x08000000 #define ARGUS_V2_NULL 0x09000000 #define ARGUS_V2_SEND_FRAG_COMPLETE 0x10000000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus FAR Status Field Note that one tick mark represents one bit position. */ /* ICMP Mapped Indicator */ /* argus_far.status indicator */ #define ARGUS_V2_ICMP_MAPPED 0x0007 #define ARGUS_V2_ICMPUNREACH_MAPPED 0x0001 #define ARGUS_V2_ICMPREDIREC_MAPPED 0x0002 #define ARGUS_V2_ICMPTIMXCED_MAPPED 0x0004 #define ARGUS_V2_FRAGMENTS 0x0008 #define ARGUS_V2_FRAGOVERLAP 0x0010 #define ARGUS_V2_TOS_MODIFIED 0x0020 #define ARGUS_V2_TTL_MODIFIED 0x0040 #define ARGUS_V2_OPTION_MODIFIED 0x0080 /* IP Option Indicators */ #define ARGUS_V2_IPOPTIONS 0x3F00 #define ARGUS_V2_TIMESTAMP 0x0100 #define ARGUS_V2_SECURITY 0x0200 #define ARGUS_V2_LSRCROUTE 0x0400 #define ARGUS_V2_RECORDROUTE 0x0800 #define ARGUS_V2_SSRCROUTE 0x1000 #define ARGUS_V2_SATNETID 0x2000 #define ARGUS_V2_MULTIADDR 0x4000 /* Type: DSR Cause: ANY */ #define ARGUS_V2_DSR_TYPES 20 #define ARGUS_V2_DSR_MAC 0 #define ARGUS_V2_DSR_TCP 1 #define ARGUS_V2_DSR_ICMP 2 #define ARGUS_V2_DSR_RTP 3 #define ARGUS_V2_DSR_RTCP 4 #define ARGUS_V2_DSR_IGMP 5 #define ARGUS_V2_DSR_ARP 6 #define ARGUS_V2_DSR_FRG 7 #define ARGUS_V2_DSR_ESP 8 #define ARGUS_V2_DSR_MPLS 9 #define ARGUS_V2_DSR_VLAN 10 #define ARGUS_V2_DSR_PPPOE 11 #define ARGUS_V2_DSR_AGR 12 #define ARGUS_V2_DSR_TIME 13 #define ARGUS_V2_DSR_SRCUSERDATA 14 #define ARGUS_V2_DSR_DSTUSERDATA 15 #define ARGUS_V2_DSR_SRCTIME 16 #define ARGUS_V2_DSR_DSTTIME 17 #define ARGUS_V2_MAC_DSR 0x08 #define ARGUS_V2_TCP_DSR 0x11 #define ARGUS_V2_ICMP_DSR 0x12 #define ARGUS_V2_RTP_DSR 0x14 #define ARGUS_V2_RTCP_DSR 0x15 #define ARGUS_V2_IGMP_DSR 0x18 #define ARGUS_V2_ARP_DSR 0x20 #define ARGUS_V2_FRG_DSR 0x21 #define ARGUS_V2_ESP_DSR 0x22 #define ARGUS_V2_MPLS_DSR 0x28 #define ARGUS_V2_VLAN_DSR 0x2a #define ARGUS_V2_PPPOE_DSR 0x2b #define ARGUS_V2_AGR_DSR 0x30 #define ARGUS_V2_TIME_DSR 0x40 #define ARGUS_V2_SRCUSRDATA_DSR 0x42 #define ARGUS_V2_DSTUSRDATA_DSR 0x43 #define ARGUS_V2_SRC_TIME_DSR 0x01 #define ARGUS_V2_DST_TIME_DSR 0x02 /* IP Sec AH Header Status Bits */ #define ARGUS_V2_AH_HDR 0x00000010 #define ARGUS_V2_AH_REPLAY 0x00000008 /* RTP State Constants and Reporting Values */ #define ARGUS_V2_RTP_SRCSILENCE 0x01 #define ARGUS_V2_RTP_DSTSILENCE 0x02 #define ARGUS_V2_RTCP_TAG 0x2000 #define ARGUS_V2_RTP_TAG 0x4000 #define ARGUS_V2_HTTP_FLOWTAG 0x01 #define ARGUS_V2_RTCP_FLOWTAG 0x10 #define ARGUS_V2_RTP_FLOWTAG 0x20 #define ARGUS_V2_FRAG_FLOWTAG 0xCB /* TCP State Constants and Reporting Values */ #define ARGUS_V2_SAW_SYN 0x00000001 #define ARGUS_V2_SAW_SYN_SENT 0x00000002 #define ARGUS_V2_CON_ESTABLISHED 0x00000004 #define ARGUS_V2_FIN 0x00000008 #define ARGUS_V2_FIN_ACK 0x00000010 #define ARGUS_V2_NORMAL_CLOSE 0x00000020 #define ARGUS_V2_CLOSE_WAITING 0x00000040 #define ARGUS_V2_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_V2_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_V2_DST_PKTS_RETRANS 0x00000200 #define ARGUS_V2_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_V2_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_V2_DST_WINDOW_SHUT 0x00000800 #define ARGUS_V2_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_V2_SRC_RESET 0x00001000 #define ARGUS_V2_DST_RESET 0x00002000 #define ARGUS_V2_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_V2_SRC_CONGESTED 0x00004000 #define ARGUS_V2_DST_CONGESTED 0x00008000 #define ARGUS_V2_TCP_OUTOFORDER 0x00030000 #define ARGUS_V2_SRC_OUTOFORDER 0x00010000 #define ARGUS_V2_DST_OUTOFORDER 0x00020000 #define ARGUS_V2_TCP_OPTIONS 0xFFF00000 #define ARGUS_V2_TCP_MAXSEG 0x00100000 #define ARGUS_V2_TCP_WSCALE 0x00200000 #define ARGUS_V2_TCP_SACKOK 0x00400000 #define ARGUS_V2_TCP_SACK 0x00800000 #define ARGUS_V2_TCP_ECHO 0x01000000 #define ARGUS_V2_TCP_ECHOREPLY 0x02000000 #define ARGUS_V2_TCP_TIMESTAMP 0x04000000 #define ARGUS_V2_TCP_CC 0x08000000 #define ARGUS_V2_TCP_CCNEW 0x10000000 #define ARGUS_V2_TCP_CCECHO 0x20000000 #define ARGUS_V2_TCP_SRC_ECN 0x40000000 #define ARGUS_V2_TCP_DST_ECN 0x80000000 /* Fragment State Constants and Reporting Values */ #define ARGUS_V2_FRAG_INIT 0x0001 #define ARGUS_V2_FRAG_OUT_OF_ORDER 0x0002 #define ARGUS_V2_TCPFRAGOFFSETERROR 0x0004 /* User Data Status Values */ #define ARGUS_V2_FAR_DSR_STATUS 0x00000001 #define ARGUS_V2_MAC_DSR_STATUS 0x00000010 #define ARGUS_V2_VLAN_DSR_STATUS 0x00000020 #define ARGUS_V2_MPLS_DSR_STATUS 0x00000040 #define ARGUS_V2_PPPOE_DSR_STATUS 0x00000080 #define ARGUS_V2_TCP_DSR_STATUS 0x00000100 #define ARGUS_V2_ICMP_DSR_STATUS 0x00000200 #define ARGUS_V2_RTP_DSR_STATUS 0x00000400 #define ARGUS_V2_RTCP_DSR_STATUS 0x00000800 #define ARGUS_V2_IGMP_DSR_STATUS 0x00001000 #define ARGUS_V2_ARP_DSR_STATUS 0x00002000 #define ARGUS_V2_FRG_DSR_STATUS 0x00004000 #define ARGUS_V2_TIME_DSR_STATUS 0x00100000 #define ARGUS_V2_SRCUSRDATA_DSR_STATUS 0x00200000 #define ARGUS_V2_DSTUSRDATA_DSR_STATUS 0x00400000 #define ARGUS_V2_ESP_DSR_STATUS 0x00800000 #define ARGUS_V2_SRCTIME_DSR_STATUS 0x01000000 #define ARGUS_V2_DSTTIME_DSR_STATUS 0x02000000 #define ARGUS_V2_AGR_DSR_STATUS 0x80000000 #define ARGUS_V2_MAX_DSR_INDEX 32 #define ARGUS_V2_FAR_DSR_INDEX 0 #define ARGUS_V2_MAC_DSR_INDEX 4 #define ARGUS_V2_VLAN_DSR_INDEX 5 #define ARGUS_V2_MPLS_DSR_INDEX 6 #define ARGUS_V2_PPPOE_DSR_INDEX 7 #define ARGUS_V2_TCP_DSR_INDEX 8 #define ARGUS_V2_ICMP_DSR_INDEX 9 #define ARGUS_V2_RTP_DSR_INDEX 10 #define ARGUS_V2_RTCP_DSR_INDEX 11 #define ARGUS_V2_IGMP_DSR_INDEX 12 #define ARGUS_V2_ARP_DSR_INDEX 13 #define ARGUS_V2_FRG_DSR_INDEX 14 #define ARGUS_V2_TIME_DSR_INDEX 20 #define ARGUS_V2_SRCUSRDATA_DSR_INDEX 21 #define ARGUS_V2_DSTUSRDATA_DSR_INDEX 22 #define ARGUS_V2_ESP_DSR_INDEX 23 #define ARGUS_V2_SRCTIME_DSR_INDEX 24 #define ARGUS_V2_DSTTIME_DSR_INDEX 25 #define ARGUS_V2_AGR_DSR_INDEX 31 #define ARGUS_V2_AGR_USECACTTIME 0x0010 #define ARGUS_V2_AGR_USECIDLETIME 0x0020 #define ARGUS_V2_AGR_MSECACTTIME 0x0040 #define ARGUS_V2_AGR_MSECIDLETIME 0x0080 #define ARGUS_V2_AGR_NORMALIZED 0x0100 #define IANA_IFT_OTHER 1 #define IANA_IFT_REGULAR1822 2 #define IANA_IFT_HDH1822 3 #define IANA_IFT_DDNX25 4 #define IANA_IFT_RFC877X25 5 #define IANA_IFT_ETHERNETCSMACD 6 #define IANA_IFT_ISO88023CSMACD 7 #define IANA_IFT_ISO88024TOKENBUS 8 #define IANA_IFT_ISO88025TOKENRING 9 #define IANA_IFT_ISO88026MAN 10 #define IANA_IFT_STARLAN 11 #define IANA_IFT_PROTEON10MBIT 12 #define IANA_IFT_PROTEON80MBIT 13 #define IANA_IFT_HYPERCHANNEL 14 #define IANA_IFT_FDDI 15 #define IANA_IFT_LAPB 16 #define IANA_IFT_SDLC 17 #define IANA_IFT_DS1 18 #define IANA_IFT_E1 19 #define IANA_IFT_BASICISDN 20 #define IANA_IFT_PRIMARYISDN 21 #define IANA_IFT_PROPPOINTTOPOINTSERIAL 22 #define IANA_IFT_PPP 23 #define IANA_IFT_SOFTWARELOOPBACK 24 #define IANA_IFT_EON 25 #define IANA_IFT_ETHERNET3MBIT 26 #define IANA_IFT_NSIP 27 #define IANA_IFT_SLIP 28 #define IANA_IFT_ULTRA 29 #define IANA_IFT_DS3 30 #define IANA_IFT_SIP 31 #define IANA_IFT_FRAMERELAY 32 #define IANA_IFT_RS232 33 #define IANA_IFT_PARA 34 #define IANA_IFT_ARCNET 35 #define IANA_IFT_ARCNETPLUS 36 #define IANA_IFT_ATM 37 #define IANA_IFT_MIOX25 38 #define IANA_IFT_SONET 39 #define IANA_IFT_X25PLE 40 #define IANA_IFT_ISO88022LLC 41 #define IANA_IFT_LOCALTALK 42 #define IANA_IFT_SMDSDXI 43 #define IANA_IFT_FRAMERELAYSERVICE 44 #define IANA_IFT_V35 45 #define IANA_IFT_HSSI 46 #define IANA_IFT_HIPPI 47 #define IANA_IFT_MODEM 48 #define IANA_IFT_AAL5 49 #define IANA_IFT_SONETPATH 50 #define IANA_IFT_SONETVT 51 #define IANA_IFT_SMDSICIP 52 #define IANA_IFT_PROPVIRTUAL 53 #define IANA_IFT_PROPMULTIPLEXOR 54 #define IANA_IFT_IEEE80212 55 #define IANA_IFT_FIBRECHANNEL 56 #define IANA_IFT_HIPPIINTERFACE 57 #define IANA_IFT_FRAMERELAYINTERCONNECT 58 #define IANA_IFT_AFLANE8023 59 #define IANA_IFT_AFLANE8025 60 #define IANA_IFT_CCTEMUL 61 #define IANA_IFT_FASTETHER 62 #define IANA_IFT_ISDN 63 #define IANA_IFT_V11 64 #define IANA_IFT_V36 65 #define IANA_IFT_G703AT64K 66 #define IANA_IFT_G703AT2MB 67 #define IANA_IFT_QLLC 68 #define IANA_IFT_FASTETHERFX 69 #define IANA_IFT_CHANNEL 70 #define IANA_IFT_IEEE80211 71 #define IANA_IFT_IBM370PARCHAN 72 #define IANA_IFT_ESCON 73 #define IANA_IFT_DLSW 74 #define IANA_IFT_ISDNS 75 #define IANA_IFT_ISDNU 76 #define IANA_IFT_LAPD 77 #define IANA_IFT_IPSWITCH 78 #define IANA_IFT_RSRB 79 #define IANA_IFT_ATMLOGICAL 80 #define IANA_IFT_DS0 81 #define IANA_IFT_DS0BUNDLE 82 #define IANA_IFT_BSC 83 #define IANA_IFT_ASYNC 84 #define IANA_IFT_CNR 85 #define IANA_IFT_ISO88025DTR 86 #define IANA_IFT_EPLRS 87 #define IANA_IFT_ARAP 88 #define IANA_IFT_PROPCNLS 89 #define IANA_IFT_HOSTPAD 90 #define IANA_IFT_TERMPAD 91 #define IANA_IFT_FRAMERELAYMPI 92 #define IANA_IFT_X213 93 #define IANA_IFT_ADSL 94 #define IANA_IFT_RADSL 95 #define IANA_IFT_SDSL 96 #define IANA_IFT_VDSL 97 #define IANA_IFT_ISO88025CRFPINT 98 #define IANA_IFT_MYRINET 99 #define IANA_IFT_VOICEEM 100 #define IANA_IFT_VOICEFXO 101 #define IANA_IFT_VOICEFXS 102 #define IANA_IFT_VOICEENCAP 103 #define IANA_IFT_VOICEOVERIP 104 #define IANA_IFT_ATMDXI 105 #define IANA_IFT_ATMFUNI 106 #define IANA_IFT_ATMIMA 107 #define IANA_IFT_PPPMULTILINKBUNDLE 108 #define IANA_IFT_IPOVERCDLC 109 #define IANA_IFT_IPOVERCLAW 110 #define IANA_IFT_STACKTOSTACK 111 #define IANA_IFT_VIRTUALIPADDRESS 112 #define IANA_IFT_MPC 113 #define IANA_IFT_IPOVERATM 114 #define IANA_IFT_ISO88025FIBER 115 #define IANA_IFT_TDLC 116 #define IANA_IFT_GIGABITETHERNET 117 #define IANA_IFT_HDLC 118 #define IANA_IFT_LAPF 119 #define IANA_IFT_V37 120 #define IANA_IFT_X25MLP 121 #define IANA_IFT_X25HUNTGROUP 122 #define IANA_IFT_TRASNPHDLC 123 #define IANA_IFT_INTERLEAVE 124 #define IANA_IFT_FAST 125 #define IANA_IFT_IP 126 #define IANA_IFT_DOCSCABLEMACLAYER 127 #define IANA_IFT_DOCSCABLEDOWNSTREAM 128 #define IANA_IFT_DOCSCABLEUPSTREAM 129 #define IANA_IFT_A12MPPSWITCH 130 #define IANA_IFT_TUNNEL 131 #define IANA_IFT_COFFEE 132 #define IANA_IFT_CES 133 #define IANA_IFT_ATMSUBINTERFACE 134 #define IANA_IFT_L2VLAN 135 #define IANA_IFT_L3IPVLAN 136 #define IANA_IFT_L3IPXVLAN 137 #define IANA_IFT_DIGITALPOWERLINE 138 #define IANA_IFT_MEDIAMAILOVERIP 139 #define IANA_IFT_DTM 140 #define IANA_IFT_DCN 141 #define IANA_IFT_IPFORWARD 142 #define IANA_IFT_MSDSL 143 #define IANA_IFT_IEEE1394 144 #define IANA_IFT_IF_GSN 145 #define IANA_IFT_DVBRCCMACLAYER 146 #define IANA_IFT_DVBRCCDOWNSTREAM 147 #define IANA_IFT_DVBRCCUPSTREAM 148 #define IANA_IFT_ATMVIRTUAL 149 #define IANA_IFT_MPLSTUNNEL 150 #define IANA_IFT_SRP 151 #define IANA_IFT_VOICEOVERATM 152 #define IANA_IFT_VOICEOVERFRAMERELAY 153 #define IANA_IFT_IDSL 154 #define IANA_IFT_COMPOSITELINK 155 #define IANA_IFT_SS7SIGLINK 156 #define IANA_IFT_PROPWIRELESSP2P 157 #define IANA_IFT_FRFORWARD 158 #define IANA_IFT_RFC1483 159 #define IANA_IFT_USB 160 #define IANA_IFT_IEEE8023ADLAG 161 #define IANA_IFT_BGPPOLICYACCOUNTING 162 #define IANA_IFT_FRF16MFRBUNDLE 163 #define IANA_IFT_H323GATEKEEPER 164 #define IANA_IFT_H323PROXY 165 #define IANA_IFT_MPLS 166 #define IANA_IFT_MFSIGLINK 167 #define IANA_IFT_HDSL2 168 #define IANA_IFT_SHDSL 169 #define IANA_IFT_DS1FDL 170 #define IANA_IFT_POS 171 #define IANA_IFT_DVBASIIN 172 #define IANA_IFT_DVBASIOUT 173 #define IANA_IFT_PLC 174 #define IANA_IFT_NFAS 175 #define IANA_IFT_TR008 176 #define IANA_IFT_GR303RDT 177 #define IANA_IFT_GR303IDT 178 #define IANA_IFT_ISUP 179 #define IANA_IFT_PROPDOCSWIRELESSMACLAYER 180 #define IANA_IFT_PROPDOCSWIRELESSDOWNSTREAM 181 #define IANA_IFT_PROPDOCSWIRELESSUPSTREAM 182 #define IANA_IFT_HIPERLAN2 183 #define IANA_IFT_PROPBWAP2MP 184 #define IANA_IFT_SONETOVERHEADCHANNEL 185 #define IANA_IFT_DIGITALWRAPPEROVERHEADCHANNEL 186 #define IANA_IFT_AAL2 187 #define IANA_IFT_RADIOMAC 188 #define IANA_IFT_ATMRADIO 189 #define IANA_IFT_IMT 190 #define IANA_IFT_MVL 191 #define IANA_IFT_REACHDSL 192 #define IANA_IFT_FRDLCIENDPT 193 #define IANA_IFT_ATMVCIENDPT 194 #define IANA_IFT_OPTICALCHANNEL 195 #define IANA_IFT_OPTICALTRANSPORT 196 #define IANA_IFT_PROPATM 197 #define IANA_IFT_VOICEOVERCABLE 198 #define IANA_IFT_INFINIBAND 199 #define IANA_IFT_TELINK 200 #define IANA_IFT_Q2931 201 #define IANA_IFT_VIRTUALTG 202 #define IANA_IFT_SIPTG 203 #define IANA_IFT_SIPSIG 204 #define IANA_IFT_DOCSCABLEUPSTREAMCHANNEL 205 #define IANA_IFT_ECONET 206 #define IANA_IFT_PON155 207 #define IANA_IFT_PON622 208 #define IANA_IFT_BRIDGE 209 #define IANA_IFT_LINEGROUP 210 #define IANA_IFT_VOICEEMFGD 211 #define IANA_IFT_VOICEFGDEANA 212 #define IANA_IFT_VOICEDID 213 #define IANA_IFT_MPEGTRANSPORT 214 #define IANA_IFT_SIXTOFOUR 215 #define IANA_IFT_GTP 216 #define IANA_IFT_PDNETHERLOOP1 217 #define IANA_IFT_PDNETHERLOOP2 218 #define IANA_IFT_OPTICALCHANNELGROUP 219 #ifdef __cplusplus } #endif #endif/*Argus_def_h*/ argus-3.0.8.2/include/argus_def_v2.h000444 000765 000024 00000000170 12513222401 017554 0ustar00carterstaff000000 000000 /* * $Id: //depot/argus/argus/include/argus_def_v2.h#3 $ * $DateTime: 2011/01/26 17:11:49 $ * $Change: 2087 $ */ argus-3.0.8.2/include/argus_dscodepoints.h000444 000765 000024 00000005653 12513222401 021120 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_dscodepoints.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* prepared from IANA DS codepoint definitions Wed Aug 16 11:45:21 EDT 2000 */ #ifndef DSCodePoints_h #define DSCodePoints_h #ifdef __cplusplus extern "C" { #endif #define ARGUS_IANA_DSCODES 0 #define ARGUS_DISA_DSCODES 1 struct ArgusDSCodePointStruct { char code, *label, *desc; }; #if defined(ArgusUtil) struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); struct ArgusDSCodePointStruct argus_dscodepoints [] = { { 0x00, "cs0", "Pool 1 Recommended"}, { 0x08, "cs1", "Pool 1 Recommended"}, { 0x10, "cs2", "Pool 1 Recommended"}, { 0x18, "cs3", "Pool 1 Recommended"}, { 0x20, "cs4", "Pool 1 Recommended"}, { 0x28, "cs5", "Pool 1 Recommended"}, { 0x30, "cs6", "Pool 1 Recommended"}, { 0x38, "cs7", "Pool 1 Recommended"}, { 0x0A, "af11", ""}, { 0x0C, "af12", ""}, { 0x0E, "af13", ""}, { 0x12, "af21", ""}, { 0x14, "af22", ""}, { 0x16, "af23", ""}, { 0x1A, "af31", ""}, { 0x1C, "af32", ""}, { 0x1E, "af33", ""}, { 0x22, "af41", ""}, { 0x24, "af42", ""}, { 0x26, "af43", ""}, { 0x2E, "ef", ""}, { 0x00, (char *) 0, (char *) 0 }, }; struct ArgusDSCodePointStruct argus_disa_dscodepoints [] = { { 40, "US", "Tail Drop"}, { 46, "Voice", "Tail Drop"}, { 48, "NC", "Tail Drop"}, { 16, "OAM", "Tail Drop"}, { 38, "Video", "WRED-L"}, { 26, "SMMS", "WRED-M"}, { 28, "SMMS", "WRED-H"}, { 30, "SMMS", "WRED-H"}, { 32, "SM", "WRED-L"}, { 25, "HPMMS", "WRED-L"}, { 9, "HPHTD", "WRED-L"}, { 17, "HPLLD", "WRED-L"}, { 10, "SHTD", "WRED-L"}, { 12, "SHTD", "WRED-L"}, { 14, "SHTD", "WRED-L"}, { 18, "SHLLD", "WRED-L"}, { 20, "SHLLD", "WRED-L"}, { 22, "SHLLD", "WRED-L"}, { 0, "BE", "Tail Drop"}, { 0x00, (char *) 0, (char *) 0 }, }; #else extern struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); extern struct ArgusDSCodePointStruct argus_dscodepoints []; extern struct ArgusDSCodePointStruct argus_disa_dscodepoints []; #endif #ifdef __cplusplus } #endif #endif argus-3.0.8.2/include/argus_encapsulations.h000444 000765 000024 00000007375 12723620532 021467 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_encapsulations.h#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* list of supported encapsulations for filter */ #ifndef Argus_Encapsulations_h #define Argus_Encapsulations_h #ifdef __cplusplus extern "C" { #endif struct ArgusEncapsulationStruct { unsigned int code; char *label, *desc; }; #define ARGUS_ENCAPS_TYPE 28 #define ARGUS_ENCAPS_MPLS 0x01 #define ARGUS_ENCAPS_ETHER 0x02 #define ARGUS_ENCAPS_8021Q 0x04 #define ARGUS_ENCAPS_LLC 0x08 #define ARGUS_ENCAPS_PPP 0x10 #define ARGUS_ENCAPS_ISL 0x20 #define ARGUS_ENCAPS_GRE 0x40 #define ARGUS_ENCAPS_AH 0x80 #define ARGUS_ENCAPS_IP 0x100 #define ARGUS_ENCAPS_IPV6 0x200 #define ARGUS_ENCAPS_HDLC 0x400 #define ARGUS_ENCAPS_CHDLC 0x800 #define ARGUS_ENCAPS_ATM 0x1000 #define ARGUS_ENCAPS_SLL 0x2000 #define ARGUS_ENCAPS_FDDI 0x4000 #define ARGUS_ENCAPS_SLIP 0x8000 #define ARGUS_ENCAPS_ARCNET 0x10000 #define ARGUS_ENCAPS_802_11 0x20000 #define ARGUS_ENCAPS_PRISM 0x40000 #define ARGUS_ENCAPS_AVS 0x80000 #define ARGUS_ENCAPS_IB_LRH 0x100000 #define ARGUS_ENCAPS_IB_GRH 0x200000 #define ARGUS_ENCAPS_TEREDO 0x400000 #define ARGUS_ENCAPS_UDT 0x800000 #define ARGUS_ENCAPS_SPI 0x1000000 #define ARGUS_ENCAPS_JUNIPER 0x2000000 #define ARGUS_ENCAPS_ERSPAN_II 0x4000000 #if defined(ArgusUtil) struct ArgusEncapsulationStruct argus_encapsulations [] = { { ARGUS_ENCAPS_MPLS, "mpls", "Multiprotocol Label Switching"}, { ARGUS_ENCAPS_ETHER, "eth", "Ethernet"}, { ARGUS_ENCAPS_8021Q, "802q", "802.1PQ"}, { ARGUS_ENCAPS_LLC, "llc", "Link Layer Control"}, { ARGUS_ENCAPS_PPP, "pppoe", "PPP Over Ethernet"}, { ARGUS_ENCAPS_ISL, "isl", "Inter-Switch Link"}, { ARGUS_ENCAPS_GRE, "gre", "Generic Routing Encapsulation"}, { ARGUS_ENCAPS_AH, "ah", "Authentication Header"}, { ARGUS_ENCAPS_IP, "ipnip", "IP Version 4"}, { ARGUS_ENCAPS_IPV6, "ipnip6", "IP Version 6"}, { ARGUS_ENCAPS_HDLC, "hdlc", "HDLC"}, { ARGUS_ENCAPS_CHDLC, "chdlc", "Cisco HDLC"}, { ARGUS_ENCAPS_ATM, "atm", "Atm"}, { ARGUS_ENCAPS_SLL, "sll", "Sll"}, { ARGUS_ENCAPS_FDDI, "fddi", "Fddi"}, { ARGUS_ENCAPS_SLIP, "slip", "Slip"}, { ARGUS_ENCAPS_ARCNET,"arc", "Arcnet"}, { ARGUS_ENCAPS_802_11,"wlan", "Wireless Lan"}, { ARGUS_ENCAPS_PRISM, "prism", "Prism Wireless Lan"}, { ARGUS_ENCAPS_AVS, "avs", "Avs"}, { ARGUS_ENCAPS_IB_LRH,"lrh", "Infiniband Local Route Header"}, { ARGUS_ENCAPS_IB_GRH,"grh", "Infiniband Global Route Header"}, { ARGUS_ENCAPS_TEREDO,"teredo", "Teredo IPV6 Tunneling"}, { ARGUS_ENCAPS_SPI, "enc", "IPsec Tunnel"}, { ARGUS_ENCAPS_JUNIPER, "juniper", "Juniper Ethernet"}, { ARGUS_ENCAPS_ERSPAN_II, "erspan_ii", "Cisco ERSPAN II"}, { 0, (char *) NULL, (char *) NULL }, }; #else extern struct ArgusEncapsulationStruct argus_encapsulations []; #endif #ifdef __cplusplus } #endif #endif argus-3.0.8.2/include/argus_ethernames.h000444 000765 000024 00000027063 12513222401 020554 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_ethernames.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* prepared from IANA Ether Types definitions Wed Aug 16 11:45:21 EDT 2000 */ #ifndef Argus_Ethernames_h #define Argus_Ethernames_h #ifdef __cplusplus extern "C" { #endif struct ArgusEtherTypeStruct { char *range, *tag, *description; }; #ifdef ArgusAddrtoName struct ArgusEtherTypeStruct argus_ethertype_names [] = { /* { "0000-1500", "802.3", "IEEE802.3 Length Field" }, */ /* Argus Pseudo Ethertypes */ { "0", "llc", "Argus Pseudo LLC Ethertype"}, { "0100", "ipx", "Argus Pseudo Ethertype"}, { "0129", "clns", "Spanning Tree Protocol" }, { "0130", "esis", "Spanning Tree Protocol" }, { "0131", "isis", "Intermediate System IS Protocol" }, { "0132", "nullns", "Spanning Tree Protocol" }, { "0257", "exp", "Experimental" }, { "0258", "drip", "Cisco SNAP ethertype for DRiP" }, { "0259-511", "exp", "Experimental" }, { "0512", "pup", "XEROX PUP (see 0A00)" }, { "0513", "pupat", "PUP Addr Trans (see 0A01)" }, { "1024", "nix", "Nixdorf" }, { "1536", "idp", "XEROX NS IDP" }, { "1632", "dlog", "DLOG" }, { "1633", "dlog", "DLOG" }, { "2048", "ip", "Internet IP (IPv4)" }, { "2049", "x75", "X.75 Internet" }, { "2050", "nbs", "NBS Internet" }, { "2051", "ecma", "ECMA Internet" }, { "2052", "chaos", "Chaosnet" }, { "2053", "x25", "X.25 Level 3" }, { "2054", "arp", "ARP" }, { "2055", "xnscp", "XNS Compatability" }, { "2056", "frarp", "Frame Relay ARP" }, { "2076", "symbl", "Symbolics Private" }, { "2184-2186", "xyplx", "Xyplex" }, { "2304", "ubdeb", "Ungermann-Bass net debugr" }, { "2560", "pup.3", "Xerox IEEE802.3 PUP" }, { "2561", "pupat", "PUP Addr Trans" }, { "2989", "vines", "Banyan VINES" }, { "2990", "vinlb", "VINES Loopback" }, { "2991", "vinec", "VINES Echo" }, { "4096", "brktn", "Berkeley Trailer nego" }, { "4097-4111", "brkte", "Berkeley Trailer encap/IP" }, { "5632", "valid", "Valid Systems" }, { "6532", "train", "MS Train" }, { "8192", "cdp", "Cisco Discovery Protocol" }, { "8193", "cgmp", "Cisco Group Management Protocol" }, { "8195", "vtp", "Cisco VLAN Trunk Protocol" }, { "9298", "cent", "Intel Centrino" }, { "15367", "nbp", "3Com NBP Datagram" }, { "16962", "pcs", "PCS Basic Block Protocol" }, { "21000", "bbn", "BBN Simnet" }, { "24576", "decun", "DEC Unassigned (Exp.)" }, { "24577", "decdl", "DEC MOP Dump/Load" }, { "24578", "decrc", "DEC MOP Remote Console" }, { "24579", "decro", "DEC DECNET Phase IV Route" }, { "24580", "lat", "DEC LAT" }, { "24581", "decdp", "DEC Diagnostic Protocol" }, { "24582", "deccp", "DEC Customer Protocol" }, { "24583", "lavc", "DEC LAVC, SCA" }, { "24584-24585", "decun", "DEC Unassigned" }, { "24586-24596", "3com", "3Com Corporation" }, { "25944", "trans", "Trans Ether Bridging" }, { "25945", "rawfr", "Raw Frame Relay" }, { "28672", "dbdwn", "Ungermann-Bass download" }, { "28674", "ubdia", "Ungermann-Bass dia/loop" }, { "28704-28713", "lrt", "LRT" }, { "28720", "prote", "Proteon" }, { "28724", "cable", "Cabletron" }, { "32771", "cronv", "Cronus VLN" }, { "32772", "crond", "Cronus Direct" }, { "32773", "hppro", "HP Probe" }, { "32774", "nesta", "Nestar" }, { "32776", "att", "AT&T" }, { "32784", "excel", "Excelan" }, { "32787", "sgid", "SGI diagnostics" }, { "32788", "sging", "SGI network games" }, { "32789", "sgres", "SGI reserved" }, { "32790", "sgibs", "SGI bounce server" }, { "32793", "apld", "Apollo Domain" }, { "32815", "tym", "Tymshare" }, { "32816", "tigan", "Tigan, Inc." }, { "32821", "rarp", "Reverse ARP" }, { "32822", "aeon", "Aeonic Systems" }, { "32824", "declb", "DEC LANBridge" }, { "32825-32828", "decun", "DEC Unassigned" }, { "32829", "decee", "DEC Ethernet Encryption" }, { "32830", "decun", "DEC Unassigned" }, { "32831", "dectm", "DEC LAN Traffic Monitor" }, { "32832-32834", "decun", "DEC Unassigned" }, { "32836", "plan", "Planning Research Corp." }, { "32838", "att", "AT&T" }, { "32839", "att", "AT&T" }, { "32841", "expd", "ExperData" }, { "32859", "Vexp", "Stanford V Kernel exp." }, { "32860", "Vprod", "Stanford V Kernel prod." }, { "32861", "es", "Evans & Sutherland" }, { "32864", "ltlm", "Little Machines" }, { "32866", "count", "Counterpoint Computers" }, { "32869", "um", "Univ. of Mass. @ Amherst" }, { "32870", "um", "Univ. of Mass. @ Amherst" }, { "32871", "veeco", "Veeco Integrated Auto." }, { "32872", "gd", "General Dynamics" }, { "32873", "att", "AT&T" }, { "32874", "autop", "Autophon" }, { "32876", "comd", "ComDesign" }, { "32877", "comgr", "Computgraphic Corp." }, { "32878-32887", "land", "Landmark Graphics Corp." }, { "32890", "matra", "Matra" }, { "32891", "dansk", "Dansk Data Elektronik" }, { "32892", "merit", "Merit Internodal" }, { "32893-32895", "vtlnk", "Vitalink Communications" }, { "32896", "vtlnk", "Vitalink TransLAN III" }, { "32897-32899", "count", "Counterpoint Computers" }, { "32923", "atalk", "Appletalk" }, { "32924-32926", "data", "Datability" }, { "32927", "spidr", "Spider Systems Ltd." }, { "32931", "nix", "Nixdorf Computers" }, { "32932-32947", "siem", "Siemens Gammasonics Inc." }, { "32960-32963", "dcaex", "DCA Data Exchange Cluster" }, { "32964", "ban", "Banyan Systems" }, { "32965", "ban", "Banyan Systems" }, { "32966", "pacer", "Pacer Software" }, { "32967", "appli", "Applitek Corporation" }, { "32968-32972", "intrg", "Intergraph Corporation" }, { "32973-32974", "haris", "Harris Corporation" }, { "32975-32978", "taylr", "Taylor Instrument" }, { "32979-32980", "rose", "Rosemount Corporation" }, { "32981", "sna", "IBM SNA Service on Ether" }, { "32989", "varin", "Varian Associates" }, { "32990-32991", "trfs", "Integrated Solutions TRFS" }, { "32992-32995", "allen", "Allen-Bradley" }, { "32996-33008", "data", "Datability" }, { "33010", "retix", "Retix" }, { "33011", "aarp", "AppleTalk AARP (Kinetics)" }, { "33012-33013", "kinet", "Kinetics" }, { "33015", "aplo", "Apollo Computer" }, { "33023", "wcp", "Wellfleet Compression Protocol" }, { "33024-33027", "well", "Wellfleet Communications" }, { "33031-33033", "symbl", "Symbolics Private" }, { "33072", "hayes", "Hayes Microcomputers" }, { "33073", "vglab", "VG Laboratory Systems" }, { "33074-33078", "brdg", "Bridge Communications" }, { "33079-33080", "ipx/spx", "Novell, Inc." }, { "33081-33085", "kti", "KTI" }, { "33096", "logic", "Logicraft" }, { "33097", "ncd", "Network Computing Devices" }, { "33098", "alpha", "Alpha Micro" }, { "33100", "snmp", "SNMP" }, { "33101", "biin", "BIIN" }, { "33104", "biin", "BIIN" }, { "33103", "elite", "Technically Elite Concept" }, { "33104", "ratnl", "Rational Corp" }, { "33105-33107", "qual", "Qualcomm" }, { "33108-33110", "cprot", "Computer Protocol Pty Ltd" }, { "33124-33126", "crd", "Charles River Data System" }, { "33149", "xtp", "XTP" }, { "33150", "sgitw", "SGI/Time Warner prop." }, { "33152", "hippi", "HIPPI-FP encapsulation" }, { "33153", "stp", "STP, HIPPI-ST" }, { "33154", "h6400", "Reserved for HIPPI-6400" }, { "33155", "h6400", "Reserved for HIPPI-6400" }, { "33156-33164", "sgi", "Silicon Graphics prop." }, { "33165", "mot", "Motorola Computer" }, { "33178-33187", "qual", "Qualcomm" }, { "33188", "arai", "ARAI Bunkichi" }, { "33189-33198", "rad", "RAD Network Devices" }, { "33207-33209", "xyplx", "Xyplex" }, { "33228-33237", "apri", "Apricot Computers" }, { "33238-33245", "arti", "Artisoft" }, { "33254-33263", "poly", "Polygon" }, { "33264-33266", "comst", "Comsat Labs" }, { "33267-33269", "saic", "SAIC" }, { "33270-33272", "vg", "VG Analytical" }, { "33277", "ismp", "Cabeltron Interswitch Message Protocol" }, { "33283-33285", "quant", "Quantum Software" }, { "33313-33314", "ascom", "Ascom Banking Systems" }, { "33342-33344", "aes", "Advanced Encryption System" }, { "33407-33410", "athen", "Athena Programming" }, { "33379-33386", "crd", "Charles River Data System" }, { "33434-33435", "iiit", "Inst Ind Info Tech" }, { "33436-33451", "tarus", "Taurus Controls" }, { "33452-34451", "wrq", "Walker Richer & Quinn" }, { "34452-34461", "ideac", "Idea Courier" }, { "34462-34465", "cnt", "Computer Network Tech" }, { "34467-34476", "gtway", "Gateway Communications" }, { "34523", "sectr", "SECTRA" }, { "34526", "delta", "Delta Controls" }, { "34525", "ipv6", "IPv6" }, { "34527", "atom", "ATOMIC" }, { "34528-34543", "lgp", "Landis & Gyr Powers" }, { "34560-34576", "mot", "Motorola" }, { "34605", "cwl", "Cisco Wireless (Aironet)" }, { "34667", "compr", "TCP/IP Compression" }, { "34668", "ipas", "IP Autonomous Systems" }, { "34669", "sdata", "Secure Data" }, { "34824", "mac", "MAC Control" }, { "34825", "slow", "SLOW Protocols" }, { "34827", "ppp", "PPP" }, { "34887", "mplsu", "MPLS Unicast" }, { "34888", "mplsm", "MPLS Multicast" }, { "34915", "pppoe", "PPP Over Ethernet" }, { "34916", "pppoe", "PPP Over Ethernet" }, { "34925", "ans", "Intel ANS (NIC teaming)" }, { "34927", "nlb", "MS Network Load Balancing" }, { "34945", "cdma", "CDMA2000(R) Based Wireless" }, { "34958", "eapol", "802.1x Authentication" }, { "34962", "prof", "PROFInet protocol" }, { "34970", "hscsi", "HyperSCSI protocol" }, { "34971", "csm", "Mindseed Technologies" }, { "34978", "aoe", "ATA Over Ethernet" }, { "34990", "brd", "MS Boardwalk" }, { "34999", "oui", "IEEE 802a OUI Extended" }, { "35000-35002", "gse", "IEC 61850" }, { "35015", "rsn", "802.11i Pre-Authentication" }, { "35018", "tipc", "Transparent InterProcess Communication" }, { "35020", "lldp", "IEEE 802.1 Link Layer Discovery Protocol" }, { "35026", "3gpp", "CDMA2000(R) Access Network" }, { "35478-35479", "invis", "Invisible Software" }, { "36864", "loop", "Loopback" }, { "36865", "xnssm", "3Com(Bridge) XNS Sys Mgmt" }, { "36866", "3coms", "3Com(Bridge) TCP-IP Sys" }, { "36867", "3coml", "3Com(Bridge) loop detect" }, { "36897", "rtmac", "Real-Time Media Access Control" }, { "36898", "rtcfg", "Real-Time Configuration Protocol" }, { "48879", "nrludt", "NRL (Eric Kinzie) UDT Protocol" }, { "64764", "fcft", "Cisco MDS Transport" }, { "65280-65295", "ramo", "ISC Bunker Ramo" }, { "65535", "*", "Merged" }, { (char *) 0, (char *) 0, (char *) 0 }, }; #else extern struct ArgusEtherTypeStruct argus_ethertype_names []; #endif #ifdef __cplusplus } #endif #endif argus-3.0.8.2/include/argus_ethertype.h000444 000765 000024 00000010551 12723607536 020447 0ustar00carterstaff000000 000000 /* * Copyright (c) 1993, 1994, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: //depot/argus/argus/include/argus_ethertype.h#11 $ (LBL) */ /* * $Id: //depot/argus/argus/include/argus_ethertype.h#11 $ * $DateTime: 2015/04/02 15:28:09 $ * $Change: 2971 $ */ #ifndef Argus_Ethertype_h #define Argus_Ethertype_h #ifdef __cplusplus extern "C" { #endif /* Types missing from some systems */ #ifndef ETHER_HDRLEN #define ETHER_HDRLEN 14 #endif #ifndef ETHERTYPE_JUMBO #define ETHERTYPE_JUMBO 0x8870 #endif #ifndef ETHERTYPE_ISIS #define ETHERTYPE_ISIS 0x0083 #endif #ifndef ETHERTYPE_GRE_ISO #define ETHERTYPE_GRE_ISO 0x00FE #endif #ifndef ETHERTYPE_PUP #define ETHERTYPE_PUP 0x0200 #endif #ifndef ETHERTYPE_SPRITE #define ETHERTYPE_SPRITE 0x0500 #endif #ifndef ETHERTYPE_NS #define ETHERTYPE_NS 0x0600 #endif #ifndef ETHERTYPE_IP #define ETHERTYPE_IP 0x0800 #endif #ifndef ETHERTYPE_X25L3 #define ETHERTYPE_X25L3 0x0805 #endif #ifndef ETHERTYPE_ARP #define ETHERTYPE_ARP 0x0806 #endif #ifndef ETHERTYPE_VINES #define ETHERTYPE_VINES 0x0bad #endif #ifndef ETHERTYPE_TRAIL #define ETHERTYPE_TRAIL 0x1000 #endif #ifndef ETHERTYPE_TRAIN #define ETHERTYPE_TRAIN 0x1984 #endif #ifndef ETHERTYPE_3C_NBP_DGRAM #define ETHERTYPE_3C_NBP_DGRAM 0x3c07 #endif #ifndef ETHERTYPE_DEC #define ETHERTYPE_DEC 0x6000 #endif #ifndef ETHERTYPE_MOPDL #define ETHERTYPE_MOPDL 0x6001 #endif #ifndef ETHERTYPE_MOPRC #define ETHERTYPE_MOPRC 0x6002 #endif #ifndef ETHERTYPE_DN #define ETHERTYPE_DN 0x6003 #endif #ifndef ETHERTYPE_LAT #define ETHERTYPE_LAT 0x6004 #endif #ifndef ETHERTYPE_DEC_DIAG #define ETHERTYPE_DEC_DIAG 0x6005 #endif #ifndef ETHERTYPE_DEC_CUST #define ETHERTYPE_DEC_CUST 0x6006 #endif #ifndef ETHERTYPE_SCA #define ETHERTYPE_SCA 0x6007 #endif #ifndef ETHERTYPE_TRANS_BRIDGE #define ETHERTYPE_TRANS_BRIDGE 0x6558 #endif #ifndef ETHERTYPE_REVARP #define ETHERTYPE_REVARP 0x8035 #endif #ifndef ETHERTYPE_LANBRIDGE #define ETHERTYPE_LANBRIDGE 0x8038 #endif #ifndef ETHERTYPE_DECDNS #define ETHERTYPE_DECDNS 0x803c #endif #ifndef ETHERTYPE_DECDTS #define ETHERTYPE_DECDTS 0x803e #endif #ifndef ETHERTYPE_VEXP #define ETHERTYPE_VEXP 0x805b #endif #ifndef ETHERTYPE_VPROD #define ETHERTYPE_VPROD 0x805c #endif #ifndef ETHERTYPE_ATALK #define ETHERTYPE_ATALK 0x809b #endif #ifndef ETHERTYPE_AARP #define ETHERTYPE_AARP 0x80f3 #endif #ifndef ETHERTYPE_8021Q #define ETHERTYPE_8021Q 0x8100 #endif #ifndef ETHERTYPE_IPX #define ETHERTYPE_IPX 0x8137 #endif #ifndef ETHERTYPE_SNMP #define ETHERTYPE_SNMP 0x814c #endif #ifndef ETHERTYPE_IPV6 #define ETHERTYPE_IPV6 0x86dd #endif #ifndef ETHERTYPE_PPP #define ETHERTYPE_PPP 0x880b #endif #ifndef ETHERTYPE_MPLS #define ETHERTYPE_MPLS 0x8847 #endif #ifndef ETHERTYPE_MPLS_MULTI #define ETHERTYPE_MPLS_MULTI 0x8848 #endif #ifndef ETHERTYPE_PPPOED #define ETHERTYPE_PPPOED 0x8863 #endif #ifndef ETHERTYPE_PPPOES #define ETHERTYPE_PPPOES 0x8864 #endif #ifndef ETHERTYPE_ERSPAN_II #define ETHERTYPE_ERSPAN_II 0x88BE #endif #ifndef ETHERTYPE_LOOPBACK #define ETHERTYPE_LOOPBACK 0x9000 #endif #ifndef ETHERTYPE_VMAN #define ETHERTYPE_VMAN 0x9100 #endif #ifndef ETHERTYPE_ISO #define ETHERTYPE_ISO 0xfefe #endif #ifndef ETHERTYPE_UDTOE #define ETHERTYPE_UDTOE 0xBEEF #endif #ifdef __cplusplus } #endif #endif argus-3.0.8.2/include/argus_filter.h000444 000765 000024 00000021337 12513222401 017704 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.c 7.5 (Berkeley) 7/15/91 * */ /* * $Id: //depot/argus/argus/include/argus_filter.h#18 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusFilter_h #define ArgusFilter_h #ifdef __cplusplus extern "C" { #endif #include #include #include #include #include #include #ifndef __GNUC__ #define inline #endif /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, s_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 #ifdef ArgusFilter #include void ArgusPrintHex (const unsigned char *, unsigned int); int ArgusLookupNet(char *, unsigned int *, unsigned int *, char *); char *read_infile(char *); static inline int xdtoi(int c); int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *); int ArgusFilterOrig (struct nff_insn *, struct ArgusRecordStruct *, int, int); static inline int skip_space(FILE *); static inline int skip_line(FILE *); static inline int skip_space(FILE *); static inline int skip_line(FILE *); struct argus_etherent *argus_next_etherent(FILE *fp); char *ArgusLookupDev(char *); char *argus_strerror(int); void Argusnff_optimize(struct ablock **); struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); static char *nff_image(struct nff_insn *, int); int stoi( char *); int ArgusCurses = 0; #ifdef NOVFPRINTF int vfprintf( FILE *, char *, va_list); #endif void ArgusDebug (int, char *, ...); void *ArgusMalloc (int); void *ArgusCalloc (int, int); void ArgusFree (void *); void ArgusWindowClose(void); #if defined(__STDC__) void error(const char *fmt, ...); #else void error(const char *fmt, va_dcl); #endif char *savestr(const char *); char *copy_argv( char **); char *read_infile(char *); unsigned int ipaddrtonetmask(unsigned int); unsigned int getnetnumber(unsigned int); void nff_dump(struct nff_program *, char *, int, int); char *intoa(unsigned int); extern SIGRET nohostname(int); char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); extern inline struct enamemem *lookup_emem(const unsigned char *); extern inline struct enamemem *lookup_nsap(const unsigned char *); extern inline struct protoidmem *lookup_protoid(const unsigned char *); char *ArgusEtherProtoString(struct ArgusParserStruct *, unsigned short port); char *linkaddr_string(struct ArgusParserStruct *parser, unsigned char *, unsigned int); char *etheraddr_string(struct ArgusParserStruct *parser, unsigned char *); char *protoid_string(const unsigned char *); char *llcsap_string(unsigned char); char *isonsap_string(const unsigned char *, int); char *tcpport_string(unsigned short); char *udpport_string(unsigned short); extern void init_servarray(void); extern void init_eprotoarray(void); extern void init_protoidarray(void); extern void init_etherarray(void); extern void init_llcsaparray(void); void init_addrtoname(int, unsigned int, unsigned int); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); unsigned int __argus_atoin(char *, unsigned int *); unsigned int __argus_atodn(char *); unsigned char *argus_ether_aton(char *); unsigned char *argus_ether_hostton(char *); unsigned short __argus_nametodnaddr(char *); #else extern void ArgusPrintHex (const unsigned char *, unsigned int); extern int ArgusLookupNet(char *, unsigned int *, unsigned int *, char *); extern char *read_infile(char *); extern int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *); extern int ArgusFilterOrig (struct nff_insn *, u_char *, int, int); //extern struct argus_etherent *argus_next_etherent(FILE *fp); extern char *ArgusLookupDev(char *); extern char *argus_strerror(int); extern void Argusnff_optimize(struct ablock **); extern struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); extern int stoi( char *); extern int ArgusCurses; extern void ArgusWindowClose(void); #ifdef NOVFPRINTF extern int vfprintf( FILE *, char *, va_list); #endif extern void *ArgusMalloc (int); extern void *ArgusCalloc (int, int); extern void ArgusFree (void *); /* extern void error(va_list); extern void warning(va_list); */ extern char *savestr(const char *); extern char *copy_argv( char **); extern char *read_infile(char *); extern unsigned int ipaddrtonetmask(unsigned int); extern unsigned int getnetnumber(unsigned int); extern void nff_dump(struct nff_program *, char *, int, int); extern char *intoa(unsigned int); extern char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); extern char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); extern char *ArgusEtherProtoString(struct ArgusParserStruct *, unsigned short); extern char *linkaddr_string(struct ArgusParserStruct *parser, const unsigned char *, unsigned int); extern char *etheraddr_string(struct ArgusParserStruct *parser, unsigned char *); extern char *protoid_string(const unsigned char *); extern char *llcsap_string(unsigned char); extern char *isonsap_string(const unsigned char *, int); extern char *tcpport_string(unsigned short); extern char *udpport_string(unsigned short); extern void init_addrtoname(int, unsigned int, unsigned int); extern unsigned int **argus_nametoaddr(char *); extern unsigned int argus_nametonetaddr(char *); extern int argus_nametoport(char *, int *, int *); extern int argus_nametoproto(char *); extern int argus_nametoeproto(char *); extern unsigned int __argus_atoin(char *, unsigned int *); extern unsigned int __argus_atodn(char *); extern unsigned char *argus_ether_aton(char *); extern unsigned char *argus_ether_hostton(char *); extern unsigned short __argus_nametodnaddr(char *); #endif #ifdef __cplusplus } #endif #endif /* ArgusFilter_h */ argus-3.0.8.2/include/argus_gmpls.h000444 000765 000024 00000002017 12513222401 017533 0ustar00carterstaff000000 000000 /* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code * distributions retain the above copyright notice and this paragraph * in its entirety, and (2) distributions including binary code include * the above copyright notice and this paragraph in its entirety in * the documentation or other materials provided with the distribution. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE. * * Original code by Hannes Gredler (hannes@juniper.net) */ /* * $Id: //depot/argus/argus/include/argus_gmpls.h#5 $ * $DateTime: 2011/01/26 17:11:49 $ * $Change: 2087 $ */ #if !defined(Argus_gmpls_h) #define Argus_gmpls_h extern struct tok gmpls_link_prot_values[]; extern struct tok gmpls_switch_cap_values[]; extern struct tok gmpls_encoding_values[]; extern struct tok gmpls_payload_values[]; #endif argus-3.0.8.2/include/argus_gre.h000444 000765 000024 00000003526 12513222401 017174 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files - output structures * Copyright (C) 2000-2015 QoSient, LLC. * All Rights Reserved * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_gre.h#13 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_gre_h) #define(Argus_gre_h) /* * A somewhat abstracted view of the GRE header */ struct gre { unsigned short vers, proto; }; #define GRE_CP 0x8000 /* checksum present */ #define GRE_RP 0x4000 /* routing present */ #define GRE_KP 0x2000 /* key present */ #define GRE_SP 0x1000 /* sequence# present */ #define GRE_RECRS 0x0700 /* recursion count */ #define GRE_AP 0x0080 /* acknowledgment# present */ #define GRE_VERS_MASK 0x0007 /* protocol version */ #define GRE_VERS 0x0007 /* protocol version */ #define GREPROTO_IP 0x0800 /* IP */ #define GREPROTO_PPP 0x880b /* PPTP */ #define GREPROTO_ISO 0x00fe /* OSI */ /* source route entry types */ #define GRESRE_IP 0x0800 /* IP */ #define GRESRE_ASN 0xfffe /* ASN */ #endif argus-3.0.8.2/include/argus_int.h000444 000765 000024 00000005220 12513222401 017202 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files - interface * Copyright (C) 2000-2015 QoSient, LLC. * All Rights Reserved * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_int.h#18 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_int_h) #define Argus_int_h #if !defined(__STDC__) #define const #endif #include /* os dependent stuff */ #if !defined(SIGRET) #define SIGRET void /* default */ #endif struct ArgusTokenStruct { int v; /* value */ char *s; /* string */ }; #define MIN_SNAPLEN 128 #if defined(ARGUS) double update_interval = 1.0, update_time = 0.0; int updatecounter = 0; extern pcap_handler lookup_pcap_callback (void); int lfd = -1; int snaplen = MIN_SNAPLEN; fd_set readmask, writemask, exceptmask; pcap_t *pd = NULL; #define ARGUS_PORT 561 #else extern int Cflag; /* print each ICMP packet */ extern int Rflag; /* print each ICMP record on response for RTT */ extern int dflag; /* print interval code */ extern int wflag; /* write tcp connection data */ extern int nflag; /* leave addresses as numbers*/ extern int debugflag; /* set debug level */ extern int Nflag; /* remove domains from printed host names */ extern double update_interval; extern int updatecounter; extern char *wfile; extern char *program_name; extern int lfd; extern int snaplen; extern fd_set readmask, writemask, exceptmask; #endif #if !defined(min) #define min(a,b) ((a)>(b)?(b):(a)) #define max(a,b) ((b)>(a)?(b):(a)) #endif extern char timestamp_fmt[]; extern long timestamp_scale; extern void timestampinit(void); extern int fn_print(const u_char *, const u_char *); extern int fn_printn(const u_char *, u_int, const u_char *); extern char *dnaddr_string(u_short); extern char *savestr(const char *); extern char *llcsap_string(u_char); extern char *protoid_string(const u_char *); extern char *dnname_string(u_short); extern char *dnnum_string(u_short); #endif /* Argus_out_h */ argus-3.0.8.2/include/argus_isis.h000444 000765 000024 00000044277 12513222401 017376 0ustar00carterstaff000000 000000 /* * Argus Software Common include files - output structures * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_isis.h#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusIsis_h #define ArgusIsis_h #include #if defined(HAVE_SOLARIS) || defined(CYGWIN) #include #endif #include /* * Copyright (c) 1992, 1993, 1994, 1995, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Original code by Matt Thomas, Digital Equipment Corporation * * Extensively modified by Hannes Gredler (hannes@juniper.net) for more * complete IS-IS support. */ #define NLPID_CLNS 129 /* 0x81 */ #define NLPID_ISIS 131 /* 0x83 */ #define NLPID_IP6 0x8e #define NLPID_IP 0xcc #define NLPID_NULLNS 0 #define ISIS_IPV4 1 /* AFI value */ #define ISIS_IPV6 2 /* AFI value */ /* * IS-IS is defined in ISO 10589. Look there for protocol definitions. */ #define SYSTEM_ID_LEN ETHER_ADDR_LEN #define NODE_ID_LEN SYSTEM_ID_LEN+1 #define LSP_ID_LEN SYSTEM_ID_LEN+2 #define ISIS_VERSION 1 #define PDU_TYPE_MASK 0x1F #define PRIORITY_MASK 0x7F #define L1_LAN_IIH 15 #define L2_LAN_IIH 16 #define PTP_IIH 17 #define L1_LSP 18 #define L2_LSP 20 #define L1_CSNP 24 #define L2_CSNP 25 #define L1_PSNP 26 #define L2_PSNP 27 struct tok { int v; /* value */ const char *s; /* string */ }; #include /* * A TLV is a tuple of a type, length and a value and is normally used for * encoding information in all sorts of places. This is an enumeration of * the well known types. * * list taken from rfc3359 plus some memory from veterans ;-) */ #define TLV_AREA_ADDR 1 /* iso10589 */ #define TLV_IS_REACH 2 /* iso10589 */ #define TLV_ESNEIGH 3 /* iso10589 */ #define TLV_PART_DIS 4 /* iso10589 */ #define TLV_PREFIX_NEIGH 5 /* iso10589 */ #define TLV_ISNEIGH 6 /* iso10589 */ #define TLV_ISNEIGH_VARLEN 7 /* iso10589 */ #define TLV_PADDING 8 /* iso10589 */ #define TLV_LSP 9 /* iso10589 */ #define TLV_AUTH 10 /* iso10589, rfc3567 */ #define TLV_CHECKSUM 12 /* rfc3358 */ #define TLV_LSP_BUFFERSIZE 14 /* iso10589 rev2 */ #define TLV_EXT_IS_REACH 22 /* draft-ietf-isis-traffic-05 */ #define TLV_IS_ALIAS_ID 24 /* draft-ietf-isis-ext-lsp-frags-02 */ #define TLV_DECNET_PHASE4 42 #define TLV_LUCENT_PRIVATE 66 #define TLV_INT_IP_REACH 128 /* rfc1195, rfc2966 */ #define TLV_PROTOCOLS 129 /* rfc1195 */ #define TLV_EXT_IP_REACH 130 /* rfc1195, rfc2966 */ #define TLV_IDRP_INFO 131 /* rfc1195 */ #define TLV_IPADDR 132 /* rfc1195 */ #define TLV_IPAUTH 133 /* rfc1195 */ #define TLV_TE_ROUTER_ID 134 /* draft-ietf-isis-traffic-05 */ #define TLV_EXTD_IP_REACH 135 /* draft-ietf-isis-traffic-05 */ #define TLV_HOSTNAME 137 /* rfc2763 */ #define TLV_SHARED_RISK_GROUP 138 /* draft-ietf-isis-gmpls-extensions */ #define TLV_NORTEL_PRIVATE1 176 #define TLV_NORTEL_PRIVATE2 177 #define TLV_HOLDTIME 198 /* ES-IS */ #define TLV_RESTART_SIGNALING 211 /* draft-ietf-isis-restart-01 */ #define TLV_MT_IS_REACH 222 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_MT_SUPPORTED 229 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_IP6ADDR 232 /* draft-ietf-isis-ipv6-02 */ #define TLV_MT_IP_REACH 235 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_IP6_REACH 236 /* draft-ietf-isis-ipv6-02 */ #define TLV_MT_IP6_REACH 237 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_PTP_ADJ 240 /* rfc3373 */ #define TLV_IIH_SEQNR 241 /* draft-shen-isis-iih-sequence-00 */ #define TLV_VENDOR_PRIVATE 250 /* draft-ietf-isis-proprietary-tlv-00 */ /* static struct tok isis_tlv_values[] = { { TLV_AREA_ADDR, "Area address(es)"}, { TLV_IS_REACH, "IS Reachability"}, { TLV_ESNEIGH, "ES Neighbor(s)"}, { TLV_PART_DIS, "Partition DIS"}, { TLV_PREFIX_NEIGH, "Prefix Neighbors"}, { TLV_ISNEIGH, "IS Neighbor(s)"}, { TLV_ISNEIGH_VARLEN, "IS Neighbor(s) (variable length)"}, { TLV_PADDING, "Padding"}, { TLV_LSP, "LSP entries"}, { TLV_AUTH, "Authentication"}, { TLV_CHECKSUM, "Checksum"}, { TLV_LSP_BUFFERSIZE, "LSP Buffersize"}, { TLV_EXT_IS_REACH, "Extended IS Reachability"}, { TLV_IS_ALIAS_ID, "IS Alias ID"}, { TLV_DECNET_PHASE4, "DECnet Phase IV"}, { TLV_LUCENT_PRIVATE, "Lucent Proprietary"}, { TLV_INT_IP_REACH, "IPv4 Internal Reachability"}, { TLV_PROTOCOLS, "Protocols supported"}, { TLV_EXT_IP_REACH, "IPv4 External Reachability"}, { TLV_IDRP_INFO, "Inter-Domain Information Type"}, { TLV_IPADDR, "IPv4 Interface address(es)"}, { TLV_IPAUTH, "IPv4 authentication (deprecated)"}, { TLV_TE_ROUTER_ID, "Traffic Engineering Router ID"}, { TLV_EXTD_IP_REACH, "Extended IPv4 Reachability"}, { TLV_HOSTNAME, "Hostname"}, { TLV_SHARED_RISK_GROUP, "Shared Risk Link Group"}, { TLV_NORTEL_PRIVATE1, "Nortel Proprietary"}, { TLV_NORTEL_PRIVATE2, "Nortel Proprietary"}, { TLV_HOLDTIME, "Holdtime"}, { TLV_RESTART_SIGNALING, "Restart Signaling"}, { TLV_MT_IS_REACH, "Multi Topology IS Reachability"}, { TLV_MT_SUPPORTED, "Multi Topology"}, { TLV_IP6ADDR, "IPv6 Interface address(es)"}, { TLV_MT_IP_REACH, "Multi-Topology IPv4 Reachability"}, { TLV_IP6_REACH, "IPv6 reachability"}, { TLV_MT_IP6_REACH, "Multi-Topology IP6 Reachability"}, { TLV_PTP_ADJ, "Point-to-point Adjacency State"}, { TLV_IIH_SEQNR, "Hello PDU Sequence Number"}, { TLV_VENDOR_PRIVATE, "Vendor Private"}, { 0, NULL } }; */ #define SUBTLV_EXT_IS_REACH_ADMIN_GROUP 3 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID 4 /* draft-ietf-isis-gmpls-extensions */ #define SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID 5 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR 6 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR 8 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_MAX_LINK_BW 9 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_RESERVABLE_BW 10 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_UNRESERVED_BW 11 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_TE_METRIC 18 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE 20 /* draft-ietf-isis-gmpls-extensions */ #define SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR 21 /* draft-ietf-isis-gmpls-extensions */ /* static struct tok isis_ext_is_reach_subtlv_values[] = { { SUBTLV_EXT_IS_REACH_ADMIN_GROUP, "Administrative groups" }, { SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID, "Link Local/Remote Identifier" }, { SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID, "Link Remote Identifier" }, { SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR, "IPv4 interface address" }, { SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR, "IPv4 neighbor address" }, { SUBTLV_EXT_IS_REACH_MAX_LINK_BW, "Maximum link bandwidth" }, { SUBTLV_EXT_IS_REACH_RESERVABLE_BW, "Reservable link bandwidth" }, { SUBTLV_EXT_IS_REACH_UNRESERVED_BW, "Unreserved bandwidth" }, { SUBTLV_EXT_IS_REACH_TE_METRIC, "Traffic Engineering Metric" }, { SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE, "Link Protection Type" }, { SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR, "Interface Switching Capability" }, { 250, "Reserved for cisco specific extensions" }, { 251, "Reserved for cisco specific extensions" }, { 252, "Reserved for cisco specific extensions" }, { 253, "Reserved for cisco specific extensions" }, { 254, "Reserved for cisco specific extensions" }, { 255, "Reserved for future expansion" }, { 0, NULL } }; */ #define SUBTLV_EXTD_IP_REACH_ADMIN_TAG32 1 #define SUBTLV_EXTD_IP_REACH_ADMIN_TAG64 2 /* static struct tok isis_ext_ip_reach_subtlv_values[] = { { SUBTLV_EXTD_IP_REACH_ADMIN_TAG32, "32-Bit Administrative tag" }, { SUBTLV_EXTD_IP_REACH_ADMIN_TAG64, "64-Bit Administrative tag" }, { 0, NULL } }; */ #define SUBTLV_AUTH_SIMPLE 1 #define SUBTLV_AUTH_MD5 54 #define SUBTLV_AUTH_MD5_LEN 16 #define SUBTLV_AUTH_PRIVATE 255 /* static struct tok isis_subtlv_auth_values[] = { { SUBTLV_AUTH_SIMPLE, "simple text password"}, { SUBTLV_AUTH_MD5, "HMAC-MD5 password"}, { SUBTLV_AUTH_PRIVATE, "Routing Domain private password"}, { 0, NULL } }; */ #define SUBTLV_IDRP_RES 0 #define SUBTLV_IDRP_LOCAL 1 #define SUBTLV_IDRP_ASN 2 /* static struct tok isis_subtlv_idrp_values[] = { { SUBTLV_IDRP_RES, "Reserved"}, { SUBTLV_IDRP_LOCAL, "Routing-Domain Specific"}, { SUBTLV_IDRP_ASN, "AS Number Tag"}, { 0, NULL} }; */ #define ISIS_8BIT_MASK(x) ((x)&0xff) #define ISIS_MASK_LSP_OL_BIT(x) ((x)&0x4) #define ISIS_MASK_LSP_ISTYPE_BITS(x) ((x)&0x3) #define ISIS_MASK_LSP_PARTITION_BIT(x) ((x)&0x80) #define ISIS_MASK_LSP_ATT_BITS(x) ((x)&0x78) #define ISIS_MASK_LSP_ATT_ERROR_BIT(x) ((x)&0x40) #define ISIS_MASK_LSP_ATT_EXPENSE_BIT(x) ((x)&0x20) #define ISIS_MASK_LSP_ATT_DELAY_BIT(x) ((x)&0x10) #define ISIS_MASK_LSP_ATT_DEFAULT_BIT(x) ((x)&0x8) #define ISIS_MASK_MTID(x) ((x)&0x0fff) #define ISIS_MASK_MTFLAGS(x) ((x)&0xf000) /* static struct tok isis_mt_flag_values[] = { { 0x4000, "sub-TLVs present"}, { 0x8000, "ATT bit set"}, { 0, NULL} }; */ #define ISIS_MASK_TLV_EXTD_IP_UPDOWN(x) ((x)&0x80) #define ISIS_MASK_TLV_EXTD_IP_SUBTLV(x) ((x)&0x40) #define ISIS_MASK_TLV_EXTD_IP6_IE(x) ((x)&0x40) #define ISIS_MASK_TLV_EXTD_IP6_SUBTLV(x) ((x)&0x20) #define ISIS_LSP_TLV_METRIC_SUPPORTED(x) ((x)&0x80) #define ISIS_LSP_TLV_METRIC_IE(x) ((x)&0x40) #define ISIS_LSP_TLV_METRIC_UPDOWN(x) ((x)&0x80) #define ISIS_LSP_TLV_METRIC_VALUE(x) ((x)&0x3f) #define ISIS_MASK_TLV_SHARED_RISK_GROUP(x) ((x)&0x1) /* static struct tok isis_mt_values[] = { { 0, "IPv4 unicast"}, { 1, "In-Band Management"}, { 2, "IPv6 unicast"}, { 3, "Multicast"}, { 4095, "Development, Experimental or Proprietary"}, { 0, NULL } }; */ /* static struct tok isis_iih_circuit_type_values[] = { { 1, "Level 1 only"}, { 2, "Level 2 only"}, { 3, "Level 1, Level 2"}, { 0, NULL} }; */ #define ISIS_LSP_TYPE_UNUSED0 0 #define ISIS_LSP_TYPE_LEVEL_1 1 #define ISIS_LSP_TYPE_UNUSED2 2 #define ISIS_LSP_TYPE_LEVEL_2 3 /* static struct tok isis_lsp_istype_values[] = { { ISIS_LSP_TYPE_UNUSED0, "Unused 0x0 (invalid)"}, { ISIS_LSP_TYPE_LEVEL_1, "L1 IS"}, { ISIS_LSP_TYPE_UNUSED2, "Unused 0x2 (invalid)"}, { ISIS_LSP_TYPE_LEVEL_2, "L1L2 IS"}, { 0, NULL } }; static struct tok osi_nlpid_values[] = { { NLPID_CLNS, "CLNS"}, { NLPID_IP, "IPv4"}, { NLPID_IP6, "IPv6"}, { 0, NULL } }; */ /* * Katz's point to point adjacency TLV uses codes to tell us the state of * the remote adjacency. Enumerate them. */ #define ISIS_PTP_ADJ_UP 0 #define ISIS_PTP_ADJ_INIT 1 #define ISIS_PTP_ADJ_DOWN 2 /* static struct tok isis_ptp_adjancey_values[] = { { ISIS_PTP_ADJ_UP, "Up" }, { ISIS_PTP_ADJ_INIT, "Initializing" }, { ISIS_PTP_ADJ_DOWN, "Down" }, { 0, NULL} }; */ struct isis_tlv_ptp_adj { u_int8_t adjacency_state; u_int8_t extd_local_circuit_id[4]; u_int8_t neighbor_sysid[SYSTEM_ID_LEN]; u_int8_t neighbor_extd_local_circuit_id[4]; }; /* static int osi_cksum(const u_int8_t *, u_int); static int isis_print(const u_int8_t *, u_int); */ struct isis_metric_block { u_int8_t metric_default; u_int8_t metric_delay; u_int8_t metric_expense; u_int8_t metric_error; }; struct isis_tlv_is_reach { struct isis_metric_block isis_metric_block; u_int8_t neighbor_nodeid[NODE_ID_LEN]; }; struct isis_tlv_is_extd_reach { u_int8_t neighbor_nodeid[NODE_ID_LEN]; u_int8_t metric_default[3]; u_int8_t subtlv_len; #if defined(__GNUC__) u_int8_t subtlv[0]; #else u_int8_t subtlv[1]; #endif }; struct isis_tlv_extd_ip_reach { u_int32_t metric_default; u_int8_t up_down_bit : 1; u_int8_t subtlvs_present : 1; u_int8_t prefix_len : 6; #if defined(__GNUC__) u_int8_t prefix[0]; #else u_int8_t prefix[1]; #endif }; struct isis_tlv_es_reach { struct isis_metric_block isis_metric_block; u_int8_t neighbor_sysid[SYSTEM_ID_LEN]; }; struct isis_tlv_ip_reach { struct isis_metric_block isis_metric_block; u_int8_t prefix[4]; u_int8_t mask[4]; }; struct isis_tlv_name { #if defined(__GNUC__) char name[0]; #else char name[4]; #endif }; struct isis_tlv_csum { u_int16_t csum; }; /* static struct tok isis_is_reach_virtual_values[] = { { 0, "IsNotVirtual"}, { 1, "IsVirtual"}, { 0, NULL } }; static struct tok isis_restart_flag_values[] = { { 0x1, "Restart Request"}, { 0x2, "Restart Acknowledgement"}, { 0, NULL } }; */ struct isis_common_header { u_int8_t nlpid; u_int8_t fixed_len; u_int8_t version; /* Protocol version */ u_int8_t id_length; u_int8_t pdu_type; /* 3 MSbits are reserved */ u_int8_t pdu_version; /* Packet format version */ u_int8_t reserved; u_int8_t max_area; }; struct isis_iih_lan_header { u_int8_t circuit_type; u_int8_t source_id[SYSTEM_ID_LEN]; u_int8_t holding_time[2]; u_int8_t pdu_len[2]; u_int8_t priority; u_int8_t lan_id[NODE_ID_LEN]; }; struct isis_iih_ptp_header { u_int8_t circuit_type; u_int8_t source_id[SYSTEM_ID_LEN]; u_int8_t holding_time[2]; u_int8_t pdu_len[2]; u_int8_t circuit_id; }; struct isis_lsp_header { u_int8_t pdu_len[2]; u_int8_t remaining_lifetime[2]; u_int8_t lsp_id[LSP_ID_LEN]; u_int8_t sequence_number[4]; u_int8_t checksum[2]; u_int8_t typeblock; }; struct isis_csnp_header { u_int8_t pdu_len[2]; u_int8_t source_id[NODE_ID_LEN]; u_int8_t start_lsp_id[LSP_ID_LEN]; u_int8_t end_lsp_id[LSP_ID_LEN]; }; struct isis_psnp_header { u_int8_t pdu_len[2]; u_int8_t source_id[NODE_ID_LEN]; }; struct isis_tlv_lsp { u_int8_t remaining_lifetime[2]; u_int8_t lsp_id[LSP_ID_LEN]; u_int8_t sequence_number[4]; u_int8_t checksum[2]; }; #if defined(ArgusIsis) /* static struct tok isis_pdu_values[] = { { L1_LAN_IIH, "L1 Lan IIH"}, { L2_LAN_IIH, "L2 Lan IIH"}, { PTP_IIH, "p2p IIH"}, { L1_LSP, "L1 LSP"}, { L2_LSP, "L2 LSP"}, { L1_CSNP, "L1 CSNP"}, { L2_CSNP, "L2 CSNP"}, { L1_PSNP, "L1 PSNP"}, { L2_PSNP, "L2 PSNP"}, { 0, NULL} }; */ /* rfc3471 */ struct tok gmpls_link_prot_values[] = { { 0x01, "Extra Traffic"}, { 0x02, "Unprotected"}, { 0x04, "Shared"}, { 0x08, "Dedicated 1:1"}, { 0x10, "Dedicated 1+1"}, { 0x20, "Enhanced"}, { 0x40, "Reserved"}, { 0x80, "Reserved"}, { 0, NULL } }; /* rfc3471 */ struct tok gmpls_switch_cap_values[] = { { 1, "Packet-Switch Capable-1"}, { 2, "Packet-Switch Capable-2"}, { 3, "Packet-Switch Capable-3"}, { 4, "Packet-Switch Capable-4"}, { 51, "Layer-2 Switch Capable"}, { 100, "Time-Division-Multiplex"}, { 150, "Lambda-Switch Capable"}, { 200, "Fiber-Switch Capable"}, { 0, NULL } }; /* rfc3471 */ struct tok gmpls_encoding_values[] = { { 1, "Packet"}, { 2, "Ethernet V2/DIX"}, { 3, "ANSI/ETSI PDH"}, { 4, "Reserved"}, { 5, "SDH ITU-T G.707/SONET ANSI T1.105"}, { 6, "Reserved"}, { 7, "Digital Wrapper"}, { 8, "Lambda (photonic)"}, { 9, "Fiber"}, { 10, "Reserved"}, { 11, "FiberChannel"}, { 0, NULL } }; #endif /* ArgusIsis */ #endif /* ArgusIsis_h */ argus-3.0.8.2/include/argus_llc.h000444 000765 000024 00000010230 12513222401 017157 0ustar00carterstaff000000 000000 /* * Copyright (c) 1993, 1994, 1997 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/argus/argus/include/argus_llc.h#4 $ * $DateTime: 2011/01/26 17:11:49 $ * $Change: 2087 $ */ #if !defined(Argus_llc_h) #define Argus_llc_h /* * This stuff should come from a system header file, but there's no * obviously portable way to do that and it's not really going * to change from system to system. */ /* * A somewhat abstracted view of the LLC header */ struct llc { u_char dsap; u_char ssap; union { u_char u_ctl; u_short is_ctl; struct { u_char snap_ui; u_char snap_pi[5]; } snap; struct { u_char snap_ui; u_char snap_orgcode[3]; u_char snap_ethertype[2]; } snap_ether; } ctl; }; #define llcui ctl.snap.snap_ui #define llcpi ctl.snap.snap_pi #define orgcode ctl.snap_ether.snap_orgcode #define ethertype ctl.snap_ether.snap_ethertype #define llcis ctl.is_ctl #define llcu ctl.u_ctl #define LLC_U_FMT 3 #define LLC_GSAP 1 #define LLC_S_FMT 1 #define LLC_U_POLL 0x10 #define LLC_IS_POLL 0x0001 #define LLC_XID_FI 0x81 #define LLC_U_CMD(u) ((u) & 0xef) #define LLC_UI 0x03 #define LLC_UA 0x63 #define LLC_DISC 0x43 #define LLC_DM 0x0f #define LLC_SABME 0x6f #define LLC_TEST 0xe3 #define LLC_XID 0xaf #define LLC_FRMR 0x87 #define LLC_S_CMD(is) (((is) >> 10) & 0x03) #define LLC_RR 0x0100 #define LLC_RNR 0x0500 #define LLC_REJ 0x0900 #define LLC_IS_NR(is) (((is) >> 1) & 0x7f) #define LLC_I_NS(is) (((is) >> 9) & 0x7f) #if !defined(LLCSAP_NULL) #define LLCSAP_NULL 0x00 #endif #if !defined(LLCSAP_8021B_I) #define LLCSAP_8021B_I 0x02 #endif #if !defined(LLCSAP_8021B_G) #define LLCSAP_8021B_G 0x03 #endif #if !defined(LLCSAP_SNAPATH) #define LLCSAP_SNAPATH 0x04 #endif #if !defined(LLCSAP_IP) #define LLCSAP_IP 0x06 #endif #if !defined(LLCSAP_SNA1) #define LLCSAP_SNA1 0x08 #endif #if !defined(LLCSAP_SNA2) #define LLCSAP_SNA2 0x0c #endif #if !defined(LLCSAP_PROWAYNM) #define LLCSAP_PROWAYNM 0x0e #endif #if !defined(LLCSAP_TI) #define LLCSAP_TI 0x18 #endif #if !defined(LLCSAP_BPDU) #define LLCSAP_BPDU 0x42 #endif #if !defined(LLCSAP_RS511) #define LLCSAP_RS511 0x4e #endif #if !defined(LLCSAP_ISO8208) #define LLCSAP_ISO8208 0x7e #endif #if !defined(LLCSAP_XNS) #define LLCSAP_XNS 0x80 #endif #if !defined(LLCSAP_NESTAR) #define LLCSAP_NESTAR 0x86 #endif #if !defined(LLCSAP_PROWAYASLM) #define LLCSAP_PROWAYASLM 0x8e #endif #if !defined(LLCSAP_ARP) #define LLCSAP_ARP 0x98 #endif #if !defined(LLCSAP_SNAP) #define LLCSAP_SNAP 0xaa #endif #if !defined(LLCSAP_VINES1) #define LLCSAP_VINES1 0xba #endif #if !defined(LLCSAP_VINES2) #define LLCSAP_VINES2 0xbc #endif #if !defined(LLCSAP_NETWARE) #define LLCSAP_NETWARE 0xe0 #endif #if !defined(LLCSAP_NETBIOS) #define LLCSAP_NETBIOS 0xf0 #endif #if !defined(LLCSAP_IBMNM) #define LLCSAP_IBMNM 0xf4 #endif #if !defined(LLCSAP_RPL1) #define LLCSAP_RPL1 0xf8 #endif #if !defined(LLCSAP_UB) #define LLCSAP_UB 0xfa #endif #if !defined(LLCSAP_RPL2) #define LLCSAP_RPL2 0xfc #endif #if !defined(LLCSAP_ISONS) #define LLCSAP_ISONS 0xfe #endif #if !defined(LLCSAP_GLOBAL) #define LLCSAP_GLOBAL 0xff #endif #endif argus-3.0.8.2/include/argus_namedb.h000444 000765 000024 00000007652 12513222401 017651 0ustar00carterstaff000000 000000 /* * Argus Software Common include files - name database * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/argus/argus/include/argus_namedb.h#13 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_namedb_h) #define Argus_namedb_h /* * As returned by the argus_next_etherent() * XXX this stuff doesn't belong in this inteface, but this * library already must do name to address translation, so * on systems that don't have support for /etc/ethers, we * export these hooks since they'll */ struct argus_etherent { unsigned char addr[6]; char name[122]; }; #if !defined(PCAP_ETHERS_FILE) #define PCAP_ETHERS_FILE "/etc/ethers" #endif struct argus_etherent *argus_next_etherent(FILE *); unsigned char *argus_ether_hostton(char*); unsigned char *argus_ether_aton(char *); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, argus_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 /* XXX move these to pcap-int.h? */ unsigned int __argus_atodn(char *); unsigned int __argus_atoin(char *, unsigned int *); unsigned short __argus_nametodnaddr(char *); #endif argus-3.0.8.2/include/argus_os.h000444 000765 000024 00000010717 12513222401 017040 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_os.h#20 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusOs_h #define ArgusOs_h #ifdef __cplusplus extern "C" { #endif #if !defined(Argus_os_h) #define Argus_os_h #if defined(HAVE_INTTYPES_H) #include #endif #if !defined(bsdi) #define ETHER_SERVICE #endif #if defined(__APPLE_CC__) || defined(__APPLE__) #define __OpenBSD__ 1 #endif #if defined(__OpenBSD__) #include #include #endif #if defined(ETHER_HEADER_HAS_EA) #define ESRC(ep) ((ep)->ether_shost.ether_addr_octet) #define EDST(ep) ((ep)->ether_dhost.ether_addr_octet) #else #define ESRC(ep) ((ep)->ether_shost) #define EDST(ep) ((ep)->ether_dhost) #endif #if defined(ETHER_ARP_HAS_X) #define SHA(ap) ((ap)->arp_xsha) #define THA(ap) ((ap)->arp_xtha) #define SPA(ap) ((ap)->arp_xspa) #define TPA(ap) ((ap)->arp_xtpa) #else #if defined(ETHER_ARP_HAS_EA) #define SHA(ap) ((ap)->arp_sha.ether_addr_octet) #define THA(ap) ((ap)->arp_tha.ether_addr_octet) #else #define SHA(ap) ((ap)->arp_sha) #define THA(ap) ((ap)->arp_tha) #endif #define SPA(ap) ((ap)->arp_spa) #define TPA(ap) ((ap)->arp_tpa) #endif #if defined(sun) #define ETHERPUP_IPTYPE ETHERTYPE_IP #define ETHERPUP_REVARPTYPE ETHERTYPE_REVARP #define ETHERPUP_ARPTYPE ETHERTYPE_ARP typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; typedef uint64_t u_int64_t; #endif #if defined(__sgi) #define SHA(ap) ((ap)->arp_sha) #define SPA(ap) ((ap)->arp_spa) #define THA(ap) ((ap)->arp_tha) #define TPA(ap) ((ap)->arp_tpa) #define EDST(ep) ((ep)->ether_dhost) #define ESRC(ep) ((ep)->ether_shost) #endif #if defined(__FreeBSD__) || defined(CYGWIN) #include #include #else #include #include #endif #include #if !defined(ICMP6_MEMBERSHIP_QUERY) #define ICMP6_MEMBERSHIP_QUERY 130 #endif #if !defined(ICMP6_MEMBERSHIP_REPORT) #define ICMP6_MEMBERSHIP_REPORT 131 #endif #if !defined(ICMP6_MEMBERSHIP_REDUCTION) #define ICMP6_MEMBERSHIP_REDUCTION 132 #endif #if !defined(ICMP6_HADISCOV_REQUEST) #define ICMP6_HADISCOV_REQUEST 202 #endif #if !defined(ICMP6_HADISCOV_REPLY) #define ICMP6_HADISCOV_REPLY 203 #endif #if !defined(IPPROTO_HOPOPTS) #define IPPROTO_HOPOPTS 0 #endif #if !defined(IPPROTO_ROUTING) #define IPPROTO_ROUTING 40 #endif #if !defined(IPPROTO_FRAGMENT) #define IPPROTO_FRAGMENT 44 #endif #if !defined(IPPROTO_GRE) #define IPPROTO_GRE 47 #endif #if !defined(IPPROTO_ESP) #define IPPROTO_ESP 50 #endif #if !defined(IPPROTO_AH) #define IPPROTO_AH 51 #endif #if !defined(IPPROTO_ICMPV6) #define IPPROTO_ICMPV6 58 #endif #if !defined(IPPROTO_DSTOPTS) #define IPPROTO_DSTOPTS 60 #endif #if !defined(IPPROTO_TTP) #define IPPROTO_TTP 84 #endif #if !defined(IPPROTO_OSPF) #define IPPROTO_OSPF 89 #endif #if !defined(ETHERTYPE_REVARP) #define ETHERTYPE_REVARP 0x8035 #endif #if !defined(IPPROTO_ND) #define IPPROTO_ND 77 #endif #if !defined(REVARP_REQUEST) #define REVARP_REQUEST 3 #endif #if !defined(REVARP_REPLY) #define REVARP_REPLY 4 #endif #endif #if !defined(IPPROTO_IB) #define IPPROTO_IB 253 #endif #if !defined(IPPROTO_RTP) #define IPPROTO_RTP 257 #endif #if !defined(IPPROTO_RTCP) #define IPPROTO_RTCP 258 #endif #if !defined(IPPROTO_UDT) #define IPPROTO_UDT 259 #endif /* newish RIP commands */ #if !defined(RIPCMD_POLL) #define RIPCMD_POLL 5 #endif #if !defined(RIPCMD_POLLENTRY) #define RIPCMD_POLLENTRY 6 #endif #if !defined(ICMP_SR_FAILED) #define ICMP_SR_FAILED 5 /* Source Route failed */ #endif #if !defined(ICMP_PARAMETERPROB) #define ICMP_PARAMETERPROB 12 /* Parameter Problem */ #endif #ifdef __cplusplus } #endif #endif argus-3.0.8.2/include/argus_out.h000444 000765 000024 00000071445 12560543556 017256 0ustar00carterstaff000000 000000 /* * Argus Software Common include files - output structures * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_out.h#53 $ * $DateTime: 2015/08/05 22:33:18 $ * $Change: 3042 $ */ #if !defined(Argus_out_h) #define Argus_out_h #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include #endif #include #if defined(__OpenBSD__) #include #endif #include #include #include #include #include #include #pragma pack(2) struct ArgusDSRfixLen { unsigned short data; }; struct ArgusDSRvar8bitLen { unsigned char qual; unsigned char len; }; struct ArgusDSRvar16bitLen { unsigned short len; }; struct ArgusDSRHeader { unsigned char type; unsigned char subtype; union { struct ArgusDSRfixLen fl; struct ArgusDSRvar8bitLen vl8; struct ArgusDSRvar16bitLen vl16; } dsr_un; }; struct ArgusSystemDSRHeader { unsigned char type; unsigned char subtype; union { struct ArgusDSRfixLen fl; struct ArgusDSRvar8bitLen vl8; struct ArgusDSRvar16bitLen vl16; } dsr_un; #if defined(ALIGN_64BIT) int pad[3]; #endif }; struct ArgusTime { unsigned int tv_sec, tv_usec; }; #define argus_dsrfl dsr_un.fl #define argus_dsrvl8 dsr_un.vl8 #define argus_dsrvl16 dsr_un.vl16 struct ArgusICMPObject { unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusICMPv6Object { unsigned char icmp_type, icmp_code; unsigned short cksum; }; struct ArgusTCPInitStatus { unsigned int status, seqbase; unsigned int options; unsigned short win; unsigned char flags, winshift; }; struct ArgusTCPStatus { unsigned int status; unsigned char src, dst, pad[2]; }; struct ArgusTCPObjectMetrics { struct ArgusTime lasttime; unsigned int status, seqbase, seq, ack, winnum; unsigned int bytes, retrans, ackbytes, winbytes; unsigned short win; unsigned char flags, winshift; }; struct ArgusTCPObject { unsigned int status; unsigned int state, options; unsigned int synAckuSecs, ackDatauSecs; struct ArgusTCPObjectMetrics src, dst; }; struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src, dst; }; struct ArgusRTPObject { unsigned int state; struct rtphdr src, dst; unsigned short sdrop, ddrop; unsigned short ssdev, dsdev; }; struct ArgusRTCPObject { struct rtcphdr src, dst; unsigned short sdrop, ddrop; }; struct ArgusIGMPObjectV1 { unsigned char igmp_type, igmp_code; unsigned int igmp_group; }; struct ArgusIGMPObject { unsigned char igmp_type, igmp_code; unsigned int igmp_group; struct ArgusTime jdelay; struct ArgusTime ldelay; }; struct ArgusFragOffsetStruct { struct ArgusFragOffsetStruct *nxt; int start, end; }; struct ArgusFragObject { unsigned int fragnum, frag_id; unsigned int startbytes, bytes, totbytes; unsigned short totlen, currlen, maxfraglen, pad; struct ArgusFlowStruct *parent; struct ArgusFragOffsetStruct offsets; }; struct ArgusIsisLspFlow { unsigned char lspid[LSP_ID_LEN]; unsigned int seqnum; }; struct ArgusIsisHelloFlow { unsigned char srcid[SYSTEM_ID_LEN]; unsigned char lanid[NODE_ID_LEN]; u_int8_t circuit_id; /* for point-to-point */ }; struct ArgusIsisCsnpFlow { unsigned char srcid[NODE_ID_LEN]; }; struct ArgusIsisPsnpFlow { unsigned char srcid[NODE_ID_LEN]; }; struct ArgusIsisFlow { int pdu_type; char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN]; char proto_version, pad[3]; union { struct ArgusIsisHelloFlow hello; struct ArgusIsisLspFlow lsp; struct ArgusIsisCsnpFlow csnp; struct ArgusIsisPsnpFlow psnp; } isis_un; int chksum; }; struct ArgusESPObject { unsigned int status, spi, lastseq, lostseq; }; struct ArgusARPObject { unsigned char respaddr[6]; unsigned short pad; }; struct ArgusDHCPObject { unsigned int respaddr; }; struct ArgusAHObject { unsigned int src_spi, dst_spi; unsigned int src_replay, dst_replay; }; struct ArgusLcpFlow { struct ether_header ehdr; unsigned char code, id; }; struct ArgusEtherMacFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct Argus80211MacFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct ArgusMacFlow { union { struct ArgusEtherMacFlow ether; struct Argus80211MacFlow wlan; } mac_union; }; struct ArgusWlanFlow { unsigned char dhost[ETHER_ADDR_LEN]; unsigned char shost[ETHER_ADDR_LEN]; unsigned char bssid[ETHER_ADDR_LEN]; unsigned char ssid[32]; }; struct ArgusIPAttrObject { unsigned char ttl, tos; unsigned short ip_id; unsigned short status; unsigned short options; }; struct ArgusIsisObject { struct isis_common_header common; union { struct isis_iih_lan_header iih_lan; struct isis_iih_ptp_header iih_ptp; struct isis_lsp_header lsp; struct isis_csnp_header csnp; struct isis_psnp_header psnp; } isis_un; }; struct ArgusLCPObject { unsigned int status; unsigned int state, options; }; #include struct Argus80211Beacon { u_int8_t timestamp[IEEE802_11_TSTAMP_LEN]; u_char ap[IEEE802_11_AP_LEN]; u_int16_t beacon_interval, listen_interval; u_int16_t status_code, aid, reason_code; u_int16_t auth_alg, auth_trans_seq_num; u_int16_t capability_info; elem_status_t challenge_status; struct challenge_t challenge; elem_status_t ssid_status; struct ssid_t ssid; elem_status_t rates_status; struct rates_t rates; elem_status_t ds_status; struct ds_t ds; elem_status_t cf_status; struct cf_t cf; elem_status_t fh_status; struct fh_t fh; elem_status_t tim_status; struct tim_t tim; }; struct Argus80211Probe { }; struct Argus80211Object { union { struct Argus80211Beacon beacon; struct Argus80211Probe probe; } o_un; }; struct ArgusESPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad; unsigned int spi; }; struct ArgusESPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int spi; }; struct ArgusHAddr { union { unsigned char ethernet[6]; unsigned char ib[32]; unsigned char ieee1394[16]; unsigned char framerelay[4]; unsigned char tokenring[6]; unsigned char arcnet[1]; unsigned char fiberchannel[12]; unsigned char atm[20]; } h_un; }; struct ArgusArpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_spa; unsigned int arp_tpa; struct ArgusHAddr haddr; }; struct ArgusRarpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_tpa; struct ArgusHAddr shaddr; struct ArgusHAddr dhaddr; }; struct ArgusICMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short id, ip_id; }; struct ArgusICMPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned char type, code; unsigned short id; }; struct ArgusIPFragFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad[2]; unsigned short ip_id; }; struct ArgusIPv6FragFlow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int ip_id; }; struct ArgusIGMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short pad, ip_id; }; struct ArgusIGMPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned char type, code; unsigned short pad; }; struct ArgusIPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short sport, dport; unsigned char smask, dmask; }; struct ArgusIPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned short sport, dport; }; struct ArgusUdtFlow { struct ArgusMacFlow mac; unsigned int sockid; }; struct ArgusFlow { struct ArgusDSRHeader hdr; union { struct ArgusIPv6Flow ipv6; struct ArgusIPFlow ip; struct ArgusEtherMacFlow mac; struct ArgusICMPv6Flow icmpv6; struct ArgusICMPFlow icmp; struct ArgusIGMPv6Flow igmpv6; struct ArgusIGMPFlow igmp; struct ArgusESPv6Flow espv6; struct ArgusESPFlow esp; struct ArgusArpFlow arp; struct ArgusRarpFlow rarp; struct ArgusIPv6FragFlow fragv6; struct ArgusIPFragFlow frag; struct ArgusLcpFlow lcp; struct ArgusIsisFlow isis; struct ArgusWlanFlow wlan; struct ArgusUdtFlow udt; } flow_un; }; struct ArgusSystemFlow { struct ArgusDSRHeader hdr; union { struct ArgusIPv6Flow ipv6; struct ArgusIPFlow ip; struct ArgusEtherMacFlow mac; struct ArgusICMPv6Flow icmpv6; struct ArgusICMPFlow icmp; struct ArgusIGMPv6Flow igmpv6; struct ArgusIGMPFlow igmp; struct ArgusESPv6Flow espv6; struct ArgusESPFlow esp; struct ArgusArpFlow arp; struct ArgusRarpFlow rarp; struct ArgusIPv6FragFlow fragv6; struct ArgusIPFragFlow frag; struct ArgusLcpFlow lcp; struct ArgusIsisFlow isis; struct ArgusWlanFlow wlan; struct ArgusUdtFlow udt; } flow_un; #if defined(ALIGN_64BIT) int tail[1]; #endif }; #define ipv6_flow flow_un.ipv6 #define ip_flow flow_un.ip #define icmpv6_flow flow_un.icmpv6 #define icmp_flow flow_un.icmp #define igmp_flow flow_un.igmp #define igmp6_flow flow_un.igmpv6 #define mac_flow flow_un.mac #define arp_flow flow_un.arp #define rarp_flow flow_un.rarp #define esp6_flow flow_un.espv6 #define esp_flow flow_un.esp #define fragv6_flow flow_un.fragv6 #define frag_flow flow_un.frag #define lcp_flow flow_un.lcp #define isis_flow flow_un.isis #define wlan_flow flow_un.wlan #define udt_flow flow_un.udt struct ArgusAddrStruct { union { unsigned int value; unsigned int ipv4; char str[4]; /* unsigned int ipv6[4]; unsigned char ethersrc[6]; */ } a_un; }; struct ArgusTransportStruct { struct ArgusDSRHeader hdr; struct ArgusAddrStruct srcid; unsigned int seqnum; }; struct ArgusTimeStruct { struct ArgusTime start, end; }; struct ArgusEncapsStruct { struct ArgusDSRHeader hdr; unsigned int src, dst; }; struct ArgusTimeObject { struct ArgusDSRHeader hdr; struct ArgusTimeStruct src, dst; }; struct ArgusEventObject { struct ArgusDSRHeader hdr; }; struct ArgusEventTimeStruct { struct ArgusDSRHeader hdr; struct ArgusTime start; unsigned int duration; }; struct ArgusUniStats { long long pkts, bytes, appbytes; }; struct ArgusStatObject { int n; float minval; float meanval; float stdev; float maxval; unsigned char fdist[8]; }; struct ArgusStatsObject { int n; float minval; float meanval; float stdev; float maxval; }; struct ArgusAgrStruct { struct ArgusDSRHeader hdr; unsigned int count; struct ArgusTime laststartime, lasttime; struct ArgusStatObject act, idle; }; struct ArgusPacketSizeObject { unsigned short psizemin, psizemax; }; struct ArgusPacketSizeStruct { struct ArgusDSRHeader hdr; struct ArgusPacketSizeObject src, dst; }; struct ArgusJitterObject { struct ArgusStatsObject src, dst; }; struct ArgusJitterStruct { struct ArgusDSRHeader hdr; struct ArgusJitterObject act, idle; }; struct ArgusMacStruct { struct ArgusDSRHeader hdr; struct ArgusMacFlow mac; }; struct ArgusVlanStruct { struct ArgusDSRHeader hdr; unsigned short sid, did; }; struct ArgusMplsStruct { struct ArgusDSRHeader hdr; unsigned int slabel; unsigned int dlabel; }; struct ArgusIPAttrStruct { struct ArgusDSRHeader hdr; struct ArgusIPAttrObject src, dst; }; struct ArgusMetricStruct { struct ArgusDSRHeader hdr; struct ArgusUniStats src, dst; }; struct ArgusServiceStruct { struct ArgusDSRHeader hdr; char name[16]; }; struct ArgusDataStruct { struct ArgusDSRHeader hdr; unsigned short size, count; char array[8]; }; struct ArgusIcmpv6Struct { struct ArgusDSRHeader hdr; unsigned char icmp_type, icmp_code; unsigned short cksum; }; struct ArgusIcmpStruct { struct ArgusDSRHeader hdr; unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusKeyStrokeMetrics { int n_strokes; }; struct ArgusKeyStrokeStruct { struct ArgusKeyStrokeMetrics src, dst; }; struct ArgusBehaviorStruct { struct ArgusDSRHeader hdr; union { struct ArgusKeyStrokeStruct keyStroke; } behavior_union; }; #define keyStroke behavior_union.keyStroke struct ArgusCorMetrics { struct ArgusAddrStruct srcid; int deltaDur, deltaStart, deltaLast; int deltaSrcPkts, deltaDstPkts; }; struct ArgusCorrelateStruct { struct ArgusDSRHeader hdr; struct ArgusCorMetrics metrics; }; struct ArgusCountryCodeStruct { struct ArgusDSRHeader hdr; char src[2], dst[2]; }; struct ArgusCoordinates { float lat, lon; }; struct ArgusCoordinateRange { struct ArgusCoordinates max, min; }; struct ArgusSiteLocation { unsigned int status; union { struct ArgusCoordinates cor; struct ArgusCoordinateRange range; } dist_union; }; struct ArgusGeoLocationStruct { struct ArgusDSRHeader hdr; struct ArgusSiteLocation src, dst; }; struct ArgusLabelStruct { struct ArgusDSRHeader hdr; union { char *svc; char *label; }l_un; }; struct ArgusIdStruct { int status; char name[64]; }; struct ArgusInputStruct { struct ArgusDSRHeader hdr; struct ArgusIdStruct id; }; struct ArgusEventStruct { struct ArgusDSRHeader event; /* immediate data */ struct ArgusTransportStruct trans; struct ArgusTimeObject time; struct ArgusDataStruct data; }; struct ArgusMarStruct { unsigned int status, argusid; unsigned int localnet, netmask, nextMrSequenceNum; struct ArgusTime startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned long long pktsRcvd, bytesRcvd; long long drift; unsigned int records, flows, dropped; unsigned int queue, output, clients; unsigned int bufs, bytes; unsigned short suserlen, duserlen; unsigned int pad[3]; unsigned int thisid, record_len; }; struct ArgusMarSupStruct { unsigned int status, argusid; struct ArgusTime startime, now; struct ArgusInputStruct input; }; struct ArgusFarStruct { struct ArgusFlow flow; }; /* The ArgusRecordHeader is composed of 4 4-bit fields, the type, version, cause and options fields. For the purpose of portability, we define them as two char values, so that little endian machines don't mess up the order, and to avoid compiler problems with using bit fields. unsigned char type:4; unsigned char vers:4; unsigned char cause:4; unsigned char opt:4; */ struct ArgusRecordHeader { unsigned char type; unsigned char cause; u_int16_t len; }; struct ArgusRecord { struct ArgusRecordHeader hdr; union { struct ArgusMarStruct mar; struct ArgusMarSupStruct sup; struct ArgusFarStruct far; struct ArgusEventStruct event; } ar_un; }; #define argus_mar ar_un.mar #define argus_sup ar_un.sup #define argus_far ar_un.far #define argus_event ar_un.event struct ArgusAsnStruct { struct ArgusDSRHeader hdr; uint32_t src_as; /* originating AS of source address */ uint32_t dst_as; /* originating AS of destination address */ uint32_t inode_as; /* originating AS of intermediate node address, if present */ }; struct ArgusNetworkStruct { struct ArgusDSRHeader hdr; union { struct ArgusTCPInitStatus tcpinit; struct ArgusTCPStatus tcpstatus; struct ArgusTCPObject tcp; struct ArgusICMPObject icmp; struct ArgusICMPv6Object icmpv6; struct ArgusUDTObject udt; struct ArgusRTPObject rtp; struct ArgusRTCPObject rtcp; struct ArgusIGMPObject igmp; struct ArgusDHCPObject dhcp; struct ArgusESPObject esp; struct ArgusARPObject arp; struct ArgusAHObject ah; struct ArgusFragObject frag; struct ArgusLCPObject lcp; struct ArgusIsisObject isis; } net_union; }; struct ArgusCanonRecord { struct ArgusRecordHeader hdr; struct ArgusFlow flow; struct ArgusTransportStruct trans; struct ArgusTimeObject time; struct ArgusEncapsStruct encaps; struct ArgusAsnStruct asn; struct ArgusIPAttrStruct attr; struct ArgusMetricStruct metric; struct ArgusNetworkStruct net; struct ArgusMacStruct mac; struct ArgusVlanStruct vlan; struct ArgusMplsStruct mpls; struct ArgusIcmpStruct icmp; struct ArgusAgrStruct agr; struct ArgusCorrelateStruct cor; struct ArgusJitterStruct jitter; struct ArgusPacketSizeStruct psize; struct ArgusBehaviorStruct actor; struct ArgusCountryCodeStruct cocode; struct ArgusLabelStruct label; struct ArgusDataStruct data; }; #define ARGUS_NSR_STICKY 0x00100000 #define ARGUS_RECORD_MODIFIED 0x0100 struct ArgusRecordStruct { struct ArgusQueueHeader qhdr; unsigned int status, dsrindex, trans, autoid; unsigned short timeout, idle; struct RaBinProcessStruct *bins; struct ArgusInput *input; struct ArgusDSRHeader *dsrs[ARGUSMAXDSRTYPE]; struct ArgusHashTableHdr *htblhdr; struct ArgusHashTableHdr *hinthdr; struct ArgusQueueStruct *nsq; struct ArgusRecordHeader hdr; struct ArgusCanonRecord canon; struct ArgusCorStruct *correlates; float srate, drate, sload, dload, dur, mean; float pcr, sploss, dploss; long long offset; }; struct ArgusV2ETHERObject { unsigned char ethersrc[6]; unsigned char etherdst[6]; }; struct ArgusV2MACFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct ArgusV2ESPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad; unsigned int spi; }; struct ArgusV2ArpFlow { unsigned int arp_spa; unsigned int arp_tpa; unsigned char etheraddr[6]; unsigned short pad; }; struct ArgusV2RarpFlow { unsigned int arp_tpa; unsigned char srceaddr[6]; unsigned char tareaddr[6]; }; struct ArgusV2ICMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short id, ip_id; }; struct ArgusV2IGMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short pad, ip_id; }; struct ArgusV2IPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short sport, dport; unsigned short ip_id; }; struct ArgusV2LoadObject { int n; float minval; float meanval; float stdev; float maxval; }; struct ArgusV2LoadStruct { struct ArgusV2LoadObject pktsPerSec, bytesPerSec; }; struct ArgusV2TimeObject { int n; unsigned int minval; unsigned int meanval; unsigned int stdev; unsigned int maxval; }; struct ArgusV2TimeEntity { struct ArgusV2TimeObject act, idle; }; struct ArgusV2AHObject { unsigned int src_spi, dst_spi; unsigned int src_replay, dst_replay; }; struct ArgusV2ARPObject { unsigned char respaddr[6]; unsigned short pad; }; struct ArgusV2DHCPObject { unsigned int respaddr; }; struct ArgusV2FragObject { unsigned char type, length; unsigned short status; int fragnum, frag_id; unsigned short ip_id, totlen, currlen, maxfraglen; }; struct ArgusV2ICMPObject { unsigned char type, length; unsigned short status; unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusV2TCPObjectMetrics { unsigned int seqbase, ackbytes; unsigned int bytes, rpkts; unsigned short win; unsigned char flags, pad; }; struct ArgusV2TCPObject { unsigned char type, length; unsigned short status; unsigned int state; unsigned int options; unsigned int synAckuSecs, ackDatauSecs; struct ArgusV2TCPObjectMetrics src, dst; }; struct ArgusV2RTPObject { unsigned char type, length; unsigned short status; unsigned int state; struct rtphdr src, dst; unsigned short sdrop, ddrop; unsigned short ssdev, dsdev; }; struct ArgusV2RTCPObject { unsigned char type, length; unsigned short status; struct rtcphdr src, dst; unsigned short src_pkt_drop, dst_pkt_drop; }; struct ArgusV2IGMPObjectV1 { unsigned char type, length; unsigned short status; unsigned char igmp_type, igmp_code; unsigned int igmp_group; }; struct ArgusV2IGMPObject { unsigned char type, length; unsigned short status; unsigned char igmp_type, igmp_code; unsigned int igmp_group; struct ArgusTime jdelay; struct ArgusTime ldelay; }; struct ArgusV2FRAGObject { unsigned char type, length; unsigned short status; int fragnum, frag_id; unsigned short totlen, currlen, maxfraglen; }; struct ArgusV2ESPObject { unsigned int spi, lastseq, lostseq; }; struct ArgusV2ESPStruct { unsigned char type, length; u_short status; struct ArgusV2ESPObject src, dst; }; struct ArgusV2AGRStruct { unsigned char type, length; u_short status; unsigned int count; struct ArgusTime laststartime, lasttime; struct ArgusV2TimeObject act, idle; unsigned int startrange, endrange; }; struct ArgusV2PerfStruct { unsigned char type, length; u_short status; int count; struct ArgusV2LoadStruct src, dst; }; struct ArgusV2TimeStruct { unsigned char type, length; u_short status; struct ArgusV2TimeEntity src, dst; }; struct ArgusV2MacStruct { unsigned char type, length; unsigned short status; union { struct ArgusV2ETHERObject ether; } phys_union; }; #define ether_mac phys_union.ether struct ArgusV2VlanStruct { unsigned char type, length; unsigned short status; unsigned short sid, did; }; struct ArgusV2MplsStruct { unsigned char type, length; unsigned short status; unsigned int slabel; unsigned int dlabel; }; struct ArgusV2MarStruct { struct ArgusTime startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned int argusid, localnet, netmask, nextMrSequenceNum; unsigned long long pktsRcvd, bytesRcvd; unsigned int pktsDrop, flows, flowsClosed; unsigned int actIPcons, cloIPcons; unsigned int actICMPcons, cloICMPcons; unsigned int actIGMPcons, cloIGMPcons; unsigned int inputs, outputs; unsigned int qcount, qtime; int record_len; }; struct ArgusV2TimeDesc { struct ArgusTime start; struct ArgusTime last; }; struct ArgusV2Flow { union { struct ArgusV2IPFlow ip; struct ArgusV2ICMPFlow icmp; struct ArgusV2IGMPFlow igmp; struct ArgusV2MACFlow mac; struct ArgusV2ArpFlow arp; struct ArgusV2RarpFlow rarp; struct ArgusV2ESPFlow esp; } flow_union; }; struct ArgusV2UniAttributes { unsigned short options; unsigned char ttl, tos; }; struct ArgusV2IPAttributes { unsigned short soptions, doptions; unsigned char sttl, dttl; unsigned char stos, dtos; }; struct ArgusV2ARPAttributes { unsigned char response[8]; }; struct ArgusV2Attributes { union { struct ArgusV2IPAttributes ip; struct ArgusV2ARPAttributes arp; } attr_union; }; #define attr_ip attr.attr_union.ip #define attr_arp attr.attr_union.arp struct ArgusV2ArchiveMeter { unsigned int count, bytes; }; struct ArgusV2Meter { unsigned int count, bytes, appbytes; }; struct ArgusV2FarHeaderStruct { unsigned char type, length; unsigned short status; }; struct ArgusV2FarStruct { unsigned char type, length; unsigned short status; unsigned int ArgusV2TransRefNum; struct ArgusV2TimeDesc time; struct ArgusV2Flow flow; struct ArgusV2Attributes attr; struct ArgusV2Meter src, dst; }; struct ArgusV2CorrelateStruct { unsigned char type, length; unsigned short status; unsigned int argusid; int deltaDur, deltaStart, deltaLast; char deltaSrcToS, deltaSrcTTL; char deltaDstToS, deltaDstTTL; unsigned short deltaSrcIpId, deltaDstIpId; struct ArgusV2Meter deltaSrc, deltaDst; }; struct ArgusV2ServiceStruct { unsigned char type, length; u_short status; char name[16]; }; struct ArgusV2RecordArchiveHeader { unsigned char type, cause; unsigned short length; unsigned int status; }; struct ArgusV2RecordHeader { unsigned char type, cause; unsigned short length; unsigned int status; unsigned int argusid; unsigned int seqNumber; }; struct ArgusV2Record { struct ArgusV2RecordHeader ahdr; union { struct ArgusV2MarStruct mar; struct ArgusV2FarStruct far; } ar_un; }; struct ArgusV2CanonicalRecord { struct ArgusV2RecordHeader ahdr; struct ArgusV2FarStruct far; struct ArgusV2MacStruct mac; union { struct ArgusV2TCPObject tcp; struct ArgusV2ESPStruct esp; struct ArgusV2IGMPObject igmp; struct ArgusV2DHCPObject dhcp; struct ArgusV2RTPObject rtp; struct ArgusV2RTCPObject rtcp; struct ArgusV2ARPObject arp; struct ArgusV2AHObject ah; struct ArgusV2FRAGObject frag; } acr_union; struct ArgusV2AGRStruct agr; struct ArgusV2TimeStruct time; struct ArgusV2VlanStruct vlan; struct ArgusV2MplsStruct mpls; struct ArgusV2CorrelateStruct cor; struct ArgusV2ICMPObject icmp; struct ArgusV2ServiceStruct svc; }; struct ArgusV2ArchiveUniRecord { struct ArgusV2RecordArchiveHeader ahdr; unsigned int status; struct ArgusTime startime; unsigned int duration; struct ArgusV2Flow flow; struct ArgusV2UniAttributes attr; struct ArgusV2ArchiveMeter src; }; struct ArgusV2ArchiveRecord { struct ArgusV2RecordArchiveHeader ahdr; unsigned int status; struct ArgusTime startime; unsigned int duration; struct ArgusV2Flow flow; struct ArgusV2Attributes attr; struct ArgusV2ArchiveMeter src, dst; }; struct ArgusV2UserStruct { unsigned char type, length; u_short status; char data; }; #if PRAGMA_STRUCT_ALIGN //{ #pragma options align=reset //} #elif PRAGMA_STRUCT_PACKPUSH //}{ #pragma pack(pop) #elif PRAGMA_STRUCT_PACK //}{ #pragma pack() #endif //} #pragma pack() #endif /* Argus_out_h */ argus-3.0.8.2/include/argus_parse.h000444 000765 000024 00000147060 12513222401 017533 0ustar00carterstaff000000 000000 /* * Argus Software Common include files - parsing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_parse.h#17 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_parse_h) #define Argus_parse_h #include #include #include #include #include #include #include #if !defined(MAXPATHNAMELEN) #define MAXPATHNAMELEN BUFSIZ #endif #define ARGUS_DEFAULTPORT 561 #define ARGUS_ENCODE_ASCII 0 #define ARGUS_ENCODE_64 1 #define ARGUS_ENCODE_32 2 struct naddrmem { struct naddrmem *nxt; unsigned int addr; unsigned short port; }; struct ArgusInterfaceStruct { int value; char *label; char *desc; }; struct ArgusModeStruct { struct ArgusModeStruct *nxt; char *mode; }; #define MAXSTRLEN 4096 #define MAXTIME 100000 #define READ_REMOTE_CON 0x40000000 #define READ_LOCAL_CON 0x20000000 #define ARGUS_MAX_REMOTE_CONN 64 #define HASHNAMESIZE 4096 #if defined(ArgusParse) struct timeval RaClientTimeout = {1,0}; #define MAXPROCSTATE 7 char *process_state_strings [MAXPROCSTATE] = { "REQ", "ACC", "EST", "CLO", "TIM", "RST", "FIN", }; struct timeval ArgusGlobalTime; struct timeval ArgusNowTime; struct bpf_program ArgusFilterCode; char *RaInputFilter[] = {NULL, NULL}; struct tm *RaTmStruct = NULL, RaTmStructBuf; char *RaTimeFormat = "%d %b %y %T"; char RaFieldDelimiter = '\0'; int RaPrintStartTime = 0; int RaPrintLastTime = 0; int RaCloseInputFd = 1; struct ArgusFarHeaderStruct *ArgusThisFarHdrs[32]; struct naddrmem *naddrtable [HASHNAMESIZE]; void clearArgusWfile(void); void setArgusWfile(char *, char *); char *exceptfile = NULL, *wfile = NULL; struct ARGUS_INPUT *ArgusInput = NULL; struct ARGUS_INPUT *ArgusInputFileList = NULL; struct ARGUS_INPUT *ArgusRemoteHostList = NULL; struct ArgusModeStruct *ArgusModeList = NULL; char *tag_string = "Argus Version "; int major_version = VERSION_MAJOR; int minor_version = VERSION_MINOR; int read_size = 0, detail = 0; int read_mode = 0; struct ArgusRecord *initCon = NULL; unsigned int ArgusLocalNet, ArgusNetMask; char ArgusOriginalBuffer[MAXSTRLEN]; struct ArgusRecord *ArgusOriginal = (struct ArgusRecord *) ArgusOriginalBuffer; int totalrecords = 0; int farrecords = 0; int marrecords = 0; int explicit_date = 0; time_t starTimeFilter_t = 0; time_t lastTimeFilter_t = 0; time_t lasttime_t = 0; time_t startime_t = 0; struct tm starTimeFilter; struct tm lastTimeFilter; char *ArgusProgramName = NULL; char *ArgusProgramArgs = NULL; char *ArgusProgramOptions = NULL; char *dataarg = NULL; char *timearg = NULL; char *servicesfile = NULL; struct bpf_program ArgusFilterCode; int ArgusGrepSource = 0; int ArgusGrepDestination = 0; int RaWriteOut = 1; long long tcp_dst_count = 0; long long tcp_src_count = 0; long long udp_dst_count = 0; long long udp_src_count = 0; long long icmp_dst_count = 0; long long icmp_src_count = 0; long long ip_dst_count = 0; long long ip_src_count = 0; long long arp_dst_count = 0; long long arp_src_count = 0; long long nonip_dst_count = 0; long long nonip_src_count = 0; long long tcp_dst_bytes = 0; long long tcp_src_bytes = 0; long long udp_dst_bytes = 0; long long udp_src_bytes = 0; long long icmp_dst_bytes = 0; long long icmp_src_bytes = 0; long long ip_dst_bytes = 0; long long ip_src_bytes = 0; long long arp_dst_bytes = 0; long long arp_src_bytes = 0; long long nonip_dst_bytes = 0; long long nonip_src_bytes = 0; int hfield = 15; int pfield = 5; int Aflag = 0; int aflag = 0; int Bflag = 0; int bflag = 0; int eflag = 0; char *estr = NULL; int Dflag = 0; int Eflag = 0; int fflag = 0; int gflag = 0; int idflag = 0; int Gflag = 0; int cflag = 0; int Cflag = 0; int jflag = 0; int Lflag = -1; int lflag = 0; int mflag = 0; char *Mflag = NULL; int nflag = 0; int Nflag = 0; int Normflag = 0; int Netflag = 0; int notNetflag = 0; int oflag = 0; int Oflag = 0; int Wflag = 0; int Fflag = 0; int Hflag = 0; char *Hstr = NULL; int pflag = 0; int Pflag = 0; char *sflag = NULL; int dflag = 0; int qflag = 0; int tflag = 0; int uflag = 0; char *ustr = NULL; char *pstr = NULL; int Uflag = 6; int vflag = 0; int Vflag = 0; int iflag = 0; int Iflag = 0; int Tflag = 0; int rflag = 0; int Rflag = 0; int Sflag = 0; int xflag = 0; int Xflag = 0; int XMLflag = 0; int zflag = 0; int Zflag = 0; long thiszone; int total_nets = 0; int total_hosts = 0; struct ARGUS_INPUT *ArgusRemoteFDs[ARGUS_MAX_REMOTE_CONN]; int ArgusActiveServers = 0; extern int ArgusAuthenticate (struct ARGUS_INPUT *); extern void ArgusClientInit (void); extern void usage (void); extern void process_man (struct ArgusRecord *); extern void process_tcp (struct ArgusRecord *); extern void process_icmp (struct ArgusRecord *); extern void process_udp (struct ArgusRecord *); extern void process_ip (struct ArgusRecord *); extern void process_arp (struct ArgusRecord *); extern void process_non_ip (struct ArgusRecord *); void ArgusShutDown (int); extern void RaParseComplete (int); void argus_parse_init (struct ARGUS_INPUT *); char *argus_lookupdev(char *); void read_udp_services (char *); int ArgusHandleDatum (struct ArgusRecord *, struct bpf_program *); void ArgusReformatRecord (struct ArgusRecord *, struct ArgusRecord *); int ArgusReadConnection (struct ARGUS_INPUT *, char *); void ArgusReadStream (void); void ArgusProcessRecord (struct ArgusRecord *); void ArgusGenerateCanonicalRecord (struct ArgusRecord *, struct ArgusCanonicalRecord *); int ArgusGetServerSocket (struct ARGUS_INPUT *); int ArgusAddFileList (char *); void ArgusDeleteFileList (void); int ArgusAddHostList (char *, int); int ArgusAddModeList (char *); void ArgusDeleteHostList (void); int ArgusWriteNewLogfile (char *, struct ArgusRecord *); int check_time (struct ArgusRecord *); int parseUserDataArg (char **, char **, int); int parseTimeArg (char **, char **, int, struct tm *); int check_time_format (struct tm *tm, char *str); int parseTime (struct tm *, struct tm *, char *); #if defined(_LITTLE_ENDIAN) void ArgusNtoH (struct ArgusRecord *argus); void ArgusHtoN (struct ArgusRecord *argus); #endif #else /* ArgusParse */ extern char *ArgusProgramName; extern char *ArgusProgramArgs; extern char *process_state_strings []; extern int ArgusGrepSource; extern int ArgusGrepDestination; extern struct timeval ArgusGlobalTime; extern struct timeval ArgusNowTime; extern char *RaSortAlgorithmStrings[]; extern int RaSortIndex; extern struct tm *RaTmStruct; extern char *RaInputFilter[]; extern char *RaTimeFormat; extern char RaFieldDelimiter; extern int RaPrintStartTime; extern int RaPrintLastTime; extern int RaCloseInputFd; extern u_int ArgusThisFarStatus; extern struct ArgusFarHeaderStruct *ArgusThisFarHdrs[]; extern struct naddrmem *naddrtable [HASHNAMESIZE]; extern struct ArgusListStruct *ArgusWfileList; extern char *exceptfile, *wfile; extern struct ARGUS_INPUT *ArgusInput; extern struct ARGUS_INPUT *ArgusInputFileList; extern struct ARGUS_INPUT *ArgusRemoteHostList; extern struct ArgusModeStruct *ArgusModeList; extern char *tag_string; extern int major_version; extern int minor_version; extern int read_size; extern int read_mode; extern struct ArgusRecord *initCon; extern unsigned int ArgusLocalNet, ArgusNetMask; extern struct ArgusRecord *ArgusOriginal; extern int totalrecords; extern int farrecords; extern int marrecords; extern int explicit_date; extern time_t lasttime_t; extern time_t startime_t; extern struct tm starTimeFilter; extern struct tm lastTimeFilter; extern char *progname; extern char *dataarg; extern char *timearg; extern char *servicesfile; extern char *ArgusFlowModelFile; extern struct bpf_program ArgusFilterCode; extern char *cmdline; /* For David Brumley's amazingly long cmdlines ;o) */ extern int RaWriteOut; extern long long tcp_dst_count; extern long long tcp_src_count; extern long long udp_dst_count; extern long long udp_src_count; extern long long icmp_dst_count; extern long long icmp_src_count; extern long long ip_dst_count; extern long long ip_src_count; extern long long arp_dst_count; extern long long arp_src_count; extern long long nonip_dst_count; extern long long nonip_src_count; extern long long tcp_dst_bytes; extern long long tcp_src_bytes; extern long long udp_dst_bytes; extern long long udp_src_bytes; extern long long icmp_dst_bytes; extern long long icmp_src_bytes; extern long long ip_dst_bytes; extern long long ip_src_bytes; extern long long arp_dst_bytes; extern long long arp_src_bytes; extern long long nonip_dst_bytes; extern long long nonip_src_bytes; extern int hfield; extern int pfield; extern int Aflag; extern int aflag; extern int Bflag; extern int bflag; extern int eflag; extern char *estr; extern int Dflag; extern int Eflag; extern int fflag; extern int gflag; extern int idflag; extern int Gflag; extern int cflag; extern int Cflag; extern int jflag; extern int Lflag; extern int lflag; extern int mflag; extern char *Mflag; extern int nflag; extern int Nflag; extern int Normflag; extern int Netflag; extern int notNetflag; extern int oflag; extern int Oflag; extern int Wflag; extern int Fflag; extern int Hflag; extern char *Hstr; extern int pflag; extern int Pflag; extern char *sflag; extern int dflag; extern int qflag; extern int tflag; extern int uflag; extern char *ustr; extern char *pstr; extern int Uflag; extern int vflag; extern int Vflag; extern int iflag; extern int Iflag; extern int Tflag; extern int rflag; extern int Rflag; extern int Sflag; extern int xflag; extern int Xflag; extern int XMLflag; extern int zflag; extern int Zflag; extern long thiszone; extern int total_nets; extern int total_hosts; extern struct ARGUS_INPUT *ArgusRemoteFDs[ARGUS_MAX_REMOTE_CONN]; extern int ArgusActiveServers; extern void ArgusShutDown (int); extern void argus_parse_init (struct ARGUS_INPUT *); extern char *argus_lookupdev(char *); extern void read_udp_services (char *); extern int ArgusHandleDatum (struct ArgusRecord *, struct bpf_program *); extern void ArgusReformatRecord (struct ArgusRecord *, struct ArgusRecord *); extern int ArgusReadRemoteConnection (int, struct bpf_program *); extern int ArgusReadConnection (struct ARGUS_INPUT *, char *); extern void ArgusReadStream (void); extern void ArgusProcessRecord (struct ArgusRecord *); extern void ArgusReadRemote (int, struct bpf_program *); extern int read_file (int fd, struct bpf_program *); extern void ArgusProcessRecord (struct ArgusRecord *); extern void ArgusGenerateCanonicalRecord (struct ArgusRecord *, struct ArgusCanonicalRecord *); extern int ArgusGetServerSocket (struct ARGUS_INPUT *); extern int ArgusAddFileList (char *); extern void ArgusDeleteFileList (void); extern int ArgusAddHostList (char *, int); extern int ArgusAddModeList (char *); extern void ArgusDeleteHostList (void); extern int ArgusWriteNewLogfile (char *, struct ArgusRecord *); extern int check_time (struct ArgusRecord *); extern int parseUserDataArg (char **, char **, int); extern int parseTimeArg (char **, char **, int, struct tm *); extern int check_time_format (struct tm *tm, char *str); extern int parseTime (struct tm *, struct tm *, char *); #if defined(_LITTLE_ENDIAN) extern void ArgusNtoH (struct ArgusRecord *argus); extern void ArgusHtoN (struct ArgusRecord *argus); #endif #endif #if defined(RaMuxSource) || defined(RadiumSource) #if !defined(NFC_AGGREGATIONDEFINITION_H) #define NFC_AGGREGATIONDEFINITION_H /* $Id: //depot/argus/argus/include/argus_parse.h#17 $ * $Source: $ *------------------------------------------------------------------ * Definition of "Key" and "Value" fields used for purpose of * aggregation * * Cisco NetFlow FlowCollector 3.0 * * September 1998, Anders Fung * * Copyright (c) 1996-1998 by Cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ * $Log: argus_parse.h,v $ * Revision 1.1 2003/04/16 20:53:57 qosient * Modified for argus to argus conversion * * Revision 1.12 2003/02/05 23:43:53 qosient * Updated for new year in the copyright * * Revision 1.11 2002/04/01 22:41:01 qosient * Updated * * Revision 1.10 2002/04/01 15:39:32 qosient * Update for handling loss of remote when connected to multiple remotes. * Increase ARGUS_MAX_REMOTE_NUM and RADIUM_MAX_REMOTE_NUM. * * Revision 1.9 2002/03/25 17:49:49 qosient * Updated for correct copyright * * Revision 1.8 2002/03/25 17:38:32 qosient * Updated for correct interface status reporting * * Revision 1.6 2002/02/02 16:01:27 qosient * Updated for next versions of DSRs * * Revision 1.5 2002/02/01 14:10:00 qosient * Updated for libpcap-0.7.1 port * * Revision 1.4 2002/01/04 22:15:08 qosient * Updated * * Revision 1.3 2001/12/17 18:12:45 qosient * Mods to move ramux to radium * * Revision 1.2 2001/10/24 20:47:53 qosient * Updated * * Revision 1.5 2001/10/22 20:20:07 qosient * Updated and fixed for Lflag having bad default value * * Revision 1.4 2001/10/18 17:15:29 qosient * Fixed for output file fd handling issues, primarily for rapop * * Revision 1.3 2001/10/15 20:07:29 qosient * Updated for ramux issues with authentication. Stopped erasing password. * * Revision 1.2 2001/09/12 05:09:30 qosient * Updated * * Revision 1.1.1.1 2001/09/08 22:01:48 qosient * Argus Clients 1.0 * * Revision 1.6 2001/09/03 04:58:51 argus * Lots of mods * * Revision 1.5 2001/07/17 12:38:45 argus * Updated * * Revision 1.4 2001/07/10 18:18:10 argus * Mods for ramon and rasort port * * Revision 1.3 2001/06/09 14:10:09 argus * Minor changes for -H option and formatting * * Revision 1.2 2001/06/07 19:50:45 argus * Updated * * Revision 1.1.1.1 2001/06/03 16:07:57 argus * Start of argus client distribution * * Revision 1.1.1.1 2001/03/24 05:14:27 argus * Imported from argus-2.0.0 * * Revision 1.39 2001/03/06 23:30:41 argus * Fix for Davids incredibly long command lines. * * Revision 1.38 2001/02/03 21:39:08 argus * Mods to support -d option * * Revision 1.37 2000/12/19 16:19:41 argus * Mods to get ramon() to the same level as ra() with regard to dynamic * labels. Also FreeBSD/NetBSD port support for racount(). * * Revision 1.36 2000/12/19 05:59:03 argus * Mods to help in getting pretty output when not using -n. * * Revision 1.35 2000/12/10 20:59:13 argus * Mods to add support for RA_AUTH_PASS (pstr) * * Revision 1.34 2000/12/07 19:00:39 argus * Mods to convert from ArgusError to ArgusLog * * Revision 1.33 2000/12/07 17:51:48 argus * Move Uflag (precision option) to -p option. * * Revision 1.32 2000/11/23 01:58:29 argus * Mods to support GSSAPI authentication * * Revision 1.31 2000/11/16 15:20:34 argus * Update for SASL * * Revision 1.30 2000/11/13 21:51:38 argus * Mods to support ragrep(). * * Revision 1.29 2000/11/13 15:05:14 argus * Fixes for raxml not printing out user data in all protocol types. * * Revision 1.28 2000/10/31 19:35:01 argus * Mods to support new timestats and user data. * * Revision 1.27 2000/10/27 13:45:42 argus * Fix support for multiple remote sources. * * Revision 1.26 2000/10/27 01:48:50 argus * Fixes for multiple source data. * * Revision 1.25 2000/10/26 15:38:09 argus * Mods for qflag defintions and some constants * * Revision 1.24 2000/10/25 22:23:30 argus * Mods to try to fix the LITTLE_ENDIAN issues for Neil. * * Revision 1.23 2000/10/16 21:55:48 argus * support for various .rc's. * * Revision 1.22 2000/10/11 12:51:37 argus * Added Zflag * * Revision 1.21 2000/10/10 14:50:51 argus * Fixes to support XML printing (print_time changes) and a bunch to support * TCP fixes. * * Revision 1.20 2000/10/05 15:04:47 argus * Addition of output labels for ra data. * * Revision 1.19 2000/10/03 23:04:29 argus * Mods for more complete cisco netflow parsing and -CS support. Needs testing. * * Revision 1.18 2000/10/01 14:27:45 argus * Put the filter in a global so we can all get to it. * * Revision 1.17 2000/09/30 15:03:13 argus * Addition of netflow record definitions. * *------------------------------------------------------------------ * $Endlog$ */ /* * AGGREGATION_DEFINITION describes the "Key" and "Value" fields seen in * the datafile. The definition comprise of keywords and delimiters. * By reading the AGGREGATION_DEFINITION, one can interpret what and in what * order are the "Key" and "Value" fields being presented in the datafile. * Datafile consumers can also deduce what aggregation scheme is used * by parsing AGGREGATION_DEFINITION.. * * The order of keywords seen in the AGGREGATION_DEFINITION represents the true * order of the "Key" and "Value" fields presented in the datafile. Each * keyword is delimited by either '|' or ','. * * As part of the new changes to the datafile header, the FORMAT field * will have a value of "B". Please note that the FORMAT may change * if there is any change to any of the existing keywords, definition format, * adding new keyword, or any other header changes. * Also, the delimiter used in the datafile will be prepended at the * beginning of each header. Since AGGREGATION_DEFINITION becomes the 2nd * line of the header, the 1st line of the header will append a * new field, namely "Header", which describes the total number of * lines in the header. * * The AGGREGATION_DEFINITION keywords have the following assignemnts ... * * keyword Description * ------- ----------------------- * srcaddr Source IP Address * dstaddr Destination IP Address * src_subnet Source SubNet * dst_subnet Destination SubNet * src_mask Source SubNet Mask * dst_mask Destination SubNet Mask * src_user_subnet Source User SubNet * dst_user_subnet Destination User SubNet * src_as Source AS * dst_as Destination AS * srcport Source Port * dstport Destination Port * prot Prot field * protocol Protocol (srcport, dstport, and prot lookup) * input Input Interface * output Output Interface * tos Type of Service * nexthop Next Hop IP Address * * pkts Packets * octets Octets * flows Flow Count * starttime First Flow Stamp (UTC sec) * endtime Last Flow Stamp (UTC sec) * activetime Total Active Time (msec) */ /* Key Fields */ #define SRC_ADDR "srcaddr" #define DST_ADDR "dstaddr" #define SRC_SUBNET "src_subnet" #define DST_SUBNET "dst_subnet" #define SRC_SUBNET_MASK "src_mask" #define DST_SUBNET_MASK "dst_mask" #define SRC_USER_SUBNET "src_user_subnet" #define DST_USER_SUBNET "dst_user_subnet" #define SRC_AS "src_as" #define DST_AS "dst_as" #define SRC_PORT "srcport" #define DST_PORT "dstport" #define PROT "prot" #define PROTOCOL_KEY "protocol" #define IN_INTF "input" #define OUT_INTF "output" #define TOS_BIT "tos" #define NEXT_HOP "nexthop" /* Value Fields */ #define PACKET "pkts" #define OCTET "octets" #define FLOW_CNT "flows" #define F_FLOW_STAMP "starttime" #define L_FLOW_STAMP "endtime" #define TOT_ACTIVE_TIME "activetime" /* Delimiter */ /* Could be either "|" or "," */ #define DEL "%c" /* Aggregation Mask */ const char * const SourceNodeDef = SRC_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DestNodeDef = DST_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const HostMatrixDef = SRC_ADDR DEL DST_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const SourcePortDef = SRC_PORT DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DestPortDef = DST_PORT DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const ProtocolDef = PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailSourceNodeDef = SRC_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailDestNodeDef = DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailHostMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP; const char * const DetailInterfaceDef = SRC_ADDR DEL DST_ADDR DEL IN_INTF DEL OUT_INTF DEL NEXT_HOP DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const CallRecordDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROT DEL TOS_BIT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const ASMatrixDef = SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailASMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_AS DEL DST_AS DEL IN_INTF DEL OUT_INTF DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const NetMatrixDef = SRC_SUBNET DEL SRC_SUBNET_MASK DEL IN_INTF DEL DST_SUBNET DEL DST_SUBNET_MASK DEL OUT_INTF DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const ASHostMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const HostMatrixInterfaceDef = SRC_ADDR DEL DST_ADDR DEL IN_INTF DEL OUT_INTF DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailCallRecordDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL IN_INTF DEL OUT_INTF DEL PROTOCOL_KEY DEL TOS_BIT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterASDef = SRC_AS DEL DST_AS DEL IN_INTF DEL OUT_INTF DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterProtoPortDef = SRC_PORT DEL DST_PORT DEL PROT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterSrcPrefixDef = SRC_SUBNET DEL SRC_SUBNET_MASK DEL IN_INTF DEL SRC_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterDstPrefixDef = DST_SUBNET DEL DST_SUBNET_MASK DEL OUT_INTF DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterPrefixDef = SRC_SUBNET DEL DST_SUBNET DEL SRC_SUBNET_MASK DEL DST_SUBNET_MASK DEL IN_INTF DEL OUT_INTF DEL SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; #endif #if !defined(NFC_DATAFILE_H) #define NFC_DATAFILE_H /* *------------------------------------------------------------------ * $Id: //depot/argus/argus/include/argus_parse.h#17 $ * $Source: $ *------------------------------------------------------------------ * Definition of datafile formats. * * Binary datafile : Each binary datafiles contains a header and * a list of records. * * The header contains format, aggregation, * agg_version, source, period, starttime, endtime, * activetime, flows, missed, and records. * * Each record structure contains a set of "Keys" * and a "Values" that is specific to the * aggregation scheme being used. * * Cisco NetFlow FlowCollector 3.0 * * October 1998, Anders Fung * * Copyright (c) 1998 by Cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ * $Log: argus_parse.h,v $ * Revision 1.1 2003/04/16 20:53:57 qosient * Modified for argus to argus conversion * * Revision 1.12 2003/02/05 23:43:53 qosient * Updated for new year in the copyright * * Revision 1.11 2002/04/01 22:41:01 qosient * Updated * * Revision 1.10 2002/04/01 15:39:32 qosient * Update for handling loss of remote when connected to multiple remotes. * Increase ARGUS_MAX_REMOTE_NUM and RADIUM_MAX_REMOTE_NUM. * * Revision 1.9 2002/03/25 17:49:49 qosient * Updated for correct copyright * * Revision 1.8 2002/03/25 17:38:32 qosient * Updated for correct interface status reporting * * Revision 1.6 2002/02/02 16:01:27 qosient * Updated for next versions of DSRs * * Revision 1.5 2002/02/01 14:10:00 qosient * Updated for libpcap-0.7.1 port * * Revision 1.4 2002/01/04 22:15:08 qosient * Updated * * Revision 1.3 2001/12/17 18:12:45 qosient * Mods to move ramux to radium * * Revision 1.2 2001/10/24 20:47:53 qosient * Updated * * Revision 1.5 2001/10/22 20:20:07 qosient * Updated and fixed for Lflag having bad default value * * Revision 1.4 2001/10/18 17:15:29 qosient * Fixed for output file fd handling issues, primarily for rapop * * Revision 1.3 2001/10/15 20:07:29 qosient * Updated for ramux issues with authentication. Stopped erasing password. * * Revision 1.2 2001/09/12 05:09:30 qosient * Updated * * Revision 1.1.1.1 2001/09/08 22:01:48 qosient * Argus Clients 1.0 * * Revision 1.6 2001/09/03 04:58:51 argus * Lots of mods * * Revision 1.5 2001/07/17 12:38:45 argus * Updated * * Revision 1.4 2001/07/10 18:18:10 argus * Mods for ramon and rasort port * * Revision 1.3 2001/06/09 14:10:09 argus * Minor changes for -H option and formatting * * Revision 1.2 2001/06/07 19:50:45 argus * Updated * * Revision 1.1.1.1 2001/06/03 16:07:57 argus * Start of argus client distribution * * Revision 1.1.1.1 2001/03/24 05:14:27 argus * Imported from argus-2.0.0 * * Revision 1.39 2001/03/06 23:30:41 argus * Fix for Davids incredibly long command lines. * * Revision 1.38 2001/02/03 21:39:08 argus * Mods to support -d option * * Revision 1.37 2000/12/19 16:19:41 argus * Mods to get ramon() to the same level as ra() with regard to dynamic * labels. Also FreeBSD/NetBSD port support for racount(). * * Revision 1.36 2000/12/19 05:59:03 argus * Mods to help in getting pretty output when not using -n. * * Revision 1.35 2000/12/10 20:59:13 argus * Mods to add support for RA_AUTH_PASS (pstr) * * Revision 1.34 2000/12/07 19:00:39 argus * Mods to convert from ArgusError to ArgusLog * * Revision 1.33 2000/12/07 17:51:48 argus * Move Uflag (precision option) to -p option. * * Revision 1.32 2000/11/23 01:58:29 argus * Mods to support GSSAPI authentication * * Revision 1.31 2000/11/16 15:20:34 argus * Update for SASL * * Revision 1.30 2000/11/13 21:51:38 argus * Mods to support ragrep(). * * Revision 1.29 2000/11/13 15:05:14 argus * Fixes for raxml not printing out user data in all protocol types. * * Revision 1.28 2000/10/31 19:35:01 argus * Mods to support new timestats and user data. * * Revision 1.27 2000/10/27 13:45:42 argus * Fix support for multiple remote sources. * * Revision 1.26 2000/10/27 01:48:50 argus * Fixes for multiple source data. * * Revision 1.25 2000/10/26 15:38:09 argus * Mods for qflag defintions and some constants * * Revision 1.24 2000/10/25 22:23:30 argus * Mods to try to fix the LITTLE_ENDIAN issues for Neil. * * Revision 1.23 2000/10/16 21:55:48 argus * support for various .rc's. * * Revision 1.22 2000/10/11 12:51:37 argus * Added Zflag * * Revision 1.21 2000/10/10 14:50:51 argus * Fixes to support XML printing (print_time changes) and a bunch to support * TCP fixes. * * Revision 1.20 2000/10/05 15:04:47 argus * Addition of output labels for ra data. * * Revision 1.19 2000/10/03 23:04:29 argus * Mods for more complete cisco netflow parsing and -CS support. Needs testing. * * Revision 1.18 2000/10/01 14:27:45 argus * Put the filter in a global so we can all get to it. * * Revision 1.17 2000/09/30 15:03:13 argus * Addition of netflow record definitions. * *------------------------------------------------------------------ * $Endlog$ */ #define LABEL_LEN 16 #define IP_LEN 15 #define ASCII_HEADER_LEN 511 #define BIN_FILE_SUFFIX ".bin" #if !defined(__NFC__) enum Aggregation { noAgg, /* reserved */ RawFlows, /* Not supported in binary files */ SourceNode, DestNode, HostMatrix, SourcePort, DestPort, Protocol, DetailDestNode, DetailHostMatrix, DetailInterface, CallRecord, ASMatrix, NetMatrix, DetailSourceNode, DetailASMatrix, ASHostMatrix, HostMatrixInterface, DetailCallRecord, RouterAS, RouterProtoPort, RouterSrcPrefix, RouterDstPrefix, RouterPrefix }; #endif typedef struct { u_short format; /* Header format, it is 2 in this round */ char newline; /* Newline character, '\n' */ char ascii_header[ASCII_HEADER_LEN]; /* Header in ASCII */ u_char aggregation; /* Aggregation scheme used */ u_char agg_version; /* Version of the aggregation scheme used */ char source[IP_LEN]; /* Source IP/Name */ u_char period; /* Aggregation period, 0 means PARTIAL */ u_long starttime; /* Beginning of aggregation period */ u_long endtime; /* End of aggregation period */ u_long flows; /* Number of flows aggregated */ int missed; /* Number of flows missed, -1 means not avail*/ u_long records; /* Number of records in this datafile */ } BinaryHeaderF2; #define HEADER_FORMAT_2 2 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_SourceNode_V1; #define SOURCENODE_V1 1 typedef struct { /* Keys */ u_long dstaddr; /* Destination IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DestNode_V1; #define DESTNODE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_HostMatrix_V1; #define HOSTMATRIX_V1 1 typedef struct { /* Keys */ char srcport[LABEL_LEN]; /* Source Port Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_SourcePort_V1; #define SOURCEPORT_V1 1 typedef struct { /* Keys */ char dstport[LABEL_LEN]; /* Destination Port Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DestPort_V1; #define DESTPORT_V1 1 typedef struct { /* Keys */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_Protocol_V1; #define PROTOCOL_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailSourceNode_V1; #define DETAIL_SOURCENODE_V1 1 typedef struct { /* Keys */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailDestNode_V1; #define DETAIL_DESTNODE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ } BinaryRecord_DetailHostMatrix_V1; #define DETAIL_HOSTMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ u_long nexthop; /* Next Hop IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailInterface_V1; #define DETAIL_INTERFACE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short srcport; /* Source Port Number */ u_short dstport; /* Destination Port Number */ u_char prot; /* Protocol Number */ u_char tos; /* Type of Service */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_CallRecord_V1; #define CALLRECORD_V1 1 typedef struct { /* Keys */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_ASMatrix_V1; #define ASMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailASMatrix_V1; #define DETAIL_ASMATRIX_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short input; /* Input Interface Number */ u_long dst_subnet; /* Destination SubNet */ u_short dst_mask; /* Destination SubNet Mask */ u_short output; /* Output Interface Number */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_NetMatrix_V1; #define NETMATRIX_V1 1 typedef struct { /* Keys */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterAS_V1; #define ROUTERAS_V1 1 typedef struct { /* Keys */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ u_char prot; /* Protocol Number */ u_char pad; /* Data alignment */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterProtoPort_V1; #define ROUTERPROTOPORT_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short input; /* Input Interface Number */ char src_as[LABEL_LEN]; /* Source AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterSrcPrefix_V1; #define ROUTERSRCPREFIX_V1 1 typedef struct { /* Keys */ u_long dst_subnet; /* Destination SubNet */ u_short dst_mask; /* Destination SubNet Mask */ u_short output; /* Output Interface Number */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterDstPrefix_V1; #define ROUTERDSTPREFIX_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_long dst_subnet; /* Destination SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short dst_mask; /* Destination SubNet Mask */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterPrefix_V1; #define ROUTERPREFIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_ASHostMatrix_V1; #define ASHOSTMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_HostMatrixInterface_V1; #define HOSTMATRIXINTERFACE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char protocol[LABEL_LEN];/* Protocol Key */ u_char tos; /* Type of Service */ u_char pad; /* Data alignment */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_DetailCallRecord_V1; #define DETAILCALLRECORD_V1 1 typedef struct { BinaryHeaderF2 header; union { BinaryRecord_SourceNode_V1 * srcnode; BinaryRecord_DestNode_V1 * dstnode; BinaryRecord_HostMatrix_V1 * hostmatrix; BinaryRecord_SourcePort_V1 * srcport; BinaryRecord_DestPort_V1 * dstport; BinaryRecord_Protocol_V1 * protocol; BinaryRecord_DetailSourceNode_V1 * detailsrcnode; BinaryRecord_DetailDestNode_V1 * detaildstnode; BinaryRecord_DetailHostMatrix_V1 * detailhostmatix; BinaryRecord_DetailInterface_V1 * detailinterface; BinaryRecord_CallRecord_V1 * callrecord; BinaryRecord_ASMatrix_V1 * asmatrix; BinaryRecord_DetailASMatrix_V1 * detailasmatrix; BinaryRecord_NetMatrix_V1 * netmatrix; BinaryRecord_ASHostMatrix_V1 * ashostmatrix; BinaryRecord_HostMatrixInterface_V1 * hostmatrixinterface; BinaryRecord_DetailCallRecord_V1 * detailcallrecord; BinaryRecord_RouterAS_V1 * routeras; BinaryRecord_RouterProtoPort_V1 * routerprotoport; BinaryRecord_RouterSrcPrefix_V1 * routersrcprefix; BinaryRecord_RouterDstPrefix_V1 * routerdstprefix; BinaryRecord_RouterPrefix_V1 * routerprefix; } record; } BinaryDatafile; #define MAX_BINARY_HEADER_F2 \ (sizeof(BinaryHeaderF2)) #define MAX_BINARY_RECORD_SOURCE_NODE_SIZE \ (sizeof(BinaryRecord_SourceNode_V1)) #define MAX_BINARY_RECORD_DESTINATION_NODE_SIZE \ (sizeof(BinaryRecord_DestNode_V1)) #define MAX_BINARY_RECORD_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_HostMatrix_V1)) #define MAX_BINARY_RECORD_SOURCE_PORT_SIZE \ (sizeof(BinaryRecord_SourcePort_V1)) #define MAX_BINARY_RECORD_DESTINATION_PORT_SIZE \ (sizeof(BinaryRecord_DestPort_V1)) #define MAX_BINARY_RECORD_PROTOCOL_SIZE \ (sizeof(BinaryRecord_Protocol_V1)) #define MAX_BINARY_RECORD_DETAIL_SOURCE_NODE_SIZE \ (sizeof(BinaryRecord_DetailSourceNode_V1)) #define MAX_BINARY_RECORD_DETAIL_DESTINATION_NODE_SIZE \ (sizeof(BinaryRecord_DetailDestNode_V1)) #define MAX_BINARY_RECORD_DETAIL_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_DetailHostMatrix_V1)) #define MAX_BINARY_RECORD_DETAIL_INTERFACE_SIZE \ (sizeof(BinaryRecord_DetailInterface_V1)) #define MAX_BINARY_RECORD_CALL_RECORD_SIZE \ (sizeof(BinaryRecord_CallRecord_V1)) #define MAX_BINARY_RECORD_AS_MATRIX_SIZE \ (sizeof(BinaryRecord_ASMatrix_V1)) #define MAX_BINARY_RECORD_DETAIL_AS_MATRIX_SIZE \ (sizeof(BinaryRecord_DetailASMatrix_V1)) #define MAX_BINARY_RECORD_NET_MATRIX_SIZE \ (sizeof(BinaryRecord_NetMatrix_V1)) #define MAX_BINARY_RECORD_AS_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_ASHostMatrix_V1)) #define MAX_BINARY_RECORD_HOST_MATRIX_INTERFACE_SIZE \ (sizeof(BinaryRecord_HostMatrixInterface_V1)) #define MAX_BINARY_RECORD_DETAIL_CALL_RECORD_SIZE \ (sizeof(BinaryRecord_DetailCallRecord_V1)) #define MAX_BINARY_RECORD_ROUTER_AS_SIZE \ (sizeof(BinaryRecord_RouterAS_V1)) #define MAX_BINARY_RECORD_ROUTER_PROTO_PORT_SIZE \ (sizeof(BinaryRecord_RouterProtoPort_V1)) #define MAX_BINARY_RECORD_ROUTER_SRC_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterSrcPrefix_V1)) #define MAX_BINARY_RECORD_ROUTER_DST_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterDstPrefix_V1)) #define MAX_BINARY_RECORD_ROUTER_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterPrefix_V1)) #endif /* __NFC_DATAFILE_H__ */ #endif /* RaMuxSource || RadiumSource */ #endif /* ArgusParse_h */ argus-3.0.8.2/include/argus_parser.h000444 000765 000024 00000011007 12513222401 017704 0ustar00carterstaff000000 000000 /* * Argus Software Common include files - Parser * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_parser.h#21 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_parser_h) #define Argus_parser_h #include #if defined(ARGUS_THREADS) #include #endif #ifdef ARGUS_SASL #include #endif #include #include #include #define ARGUS_PRINTSRC 0x0001 #define ARGUS_PRINTDST 0x0002 #define ARGUS_ACTTIME 0x0004 #define ARGUS_IDLETIME 0x0008 #define ARGUS_DIST 0x0010 #define ARGUS_PRINTGMT 0x0020 #define ARGUS_PRINTNET 0x0022 #define ARGUS_ENCODE_ASCII 0 #define ARGUS_ENCODE_64 1 #define ARGUS_ENCODE_32 2 #define ARGUS_MAX_S_OPTIONS 34 #define HASHNAMESIZE 256 #define ARGUS_FORCE_LOCAL_SRC 0x02 #define ARGUS_FORCE_LOCAL_DST 0x04 #define ARGUS_SUGGEST_LOCAL_SRC 0x08 #define ARGUS_SUGGEST_LOCAL_DST 0x10 #define ARGUS_PORT_SERVICES 0x100 #define ARGUS_PORT_WELLKNOWN 0x200 #define ARGUS_PORT_REGISTERED 0x400 #define ARGUS_ADDR_DIR_MASK (ARGUS_SUGGEST_LOCAL_SRC | ARGUS_SUGGEST_LOCAL_DST | ARGUS_FORCE_LOCAL_SRC | ARGUS_FORCE_LOCAL_DST) #define ARGUS_PORT_DIR_MASK (ARGUS_PORT_SERVICES | ARGUS_PORT_WELLKNOWN | ARGUS_PORT_REGISTERED) #include struct h6namemem { struct in6_addr addr; char *name; struct h6namemem *nxt; }; struct hnamemem { u_int addr; char *name; struct hnamemem *nxt; }; struct enamemem { u_short e_addr0; u_short e_addr1; u_short e_addr2; char *e_name; u_char *e_nsap; /* used only for nsaptable[] */ struct enamemem *e_nxt; }; struct protoidmem { u_int p_oui; u_short p_proto; char *p_name; struct protoidmem *p_nxt; }; struct ArgusCIDRAddr { u_char type, len, masklen, opmask; u_int addr[4], mask[4]; }; struct ArgusParserStruct { int status; char fflag, nflag, tflag, uflag, Wflag; char Iflag, Tflag, rflag, Rflag, Sflag, xflag; char Xflag, XMLflag, zflag, Zflag, pflag; int RaCumulativeMerge, RaFlowMajorModified; int RaAllocHashTableHealers, RaAllocArgusRecord; int RaThisActiveIndex, RaThisFlowNum; int RaThisModelNum, RaParseError; int ArgusSessionId, NonBlockingDNS, ArgusDSCodePoints; int ArgusDirectionFunction; char *RaFlowModelFile, *ArgusFlowModelFile, *ArgusRemoteFilter; struct RaFlowModelStruct *RaFlowModel; struct ArgusCIDRAddr ArgusCIDRBuffer, *ArgusCIDRPtr; struct ArgusModeStruct *ArgusModeList; struct ArgusInput *ArgusCurrentInput; int ArgusFilterFiledes[2]; int ArgusControlFiledes[2]; int ArgusSrvInit; unsigned int f_localnet, f_netmask; struct protoidmem protoidtable[HASHNAMESIZE]; struct enamemem enametable[HASHNAMESIZE]; struct enamemem nsaptable[HASHNAMESIZE]; #define ARGUS_MAXEPROTODB 0x10000 struct ArgusEtherTypeStruct *argus_eproto_db[ARGUS_MAXEPROTODB]; struct h6namemem h6nametable[HASHNAMESIZE]; struct hnamemem hnametable[HASHNAMESIZE]; struct hnamemem tporttable[HASHNAMESIZE]; struct hnamemem uporttable[HASHNAMESIZE]; struct hnamemem eprototable[HASHNAMESIZE]; struct hnamemem nnametable[HASHNAMESIZE]; struct hnamemem llcsaptable[HASHNAMESIZE]; }; #define ARGUSMONITOR_EQUAL 0x01 #define ARGUSMONITOR_NOTEQUAL 0x02 struct ArgusCIDRAddr *RaParseCIDRAddr (struct ArgusParserStruct *, char *); #if defined(Argus_Parser) struct ArgusParserStruct *ArgusNewParser(char *); void ArgusCloseParser(struct ArgusParserStruct *); struct ArgusParserStruct *ArgusParser; #else extern struct ArgusParserStruct *ArgusNewParser(char *); extern void ArgusCloseParser(struct ArgusParserStruct *); extern struct ArgusParserStruct *ArgusParser; #endif #endif argus-3.0.8.2/include/argus_udt.h000444 000765 000024 00000006245 12513222401 017214 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files - UDT processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_udt.h#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusUdt_h #define ArgusUdt_h #define UDT_SEQNUMBER_MASK 0xEFFFFFFF #define UDT_MSGNUMBER_MASK 0x1FFFFFFF #define UDT_PACKET_MASK 0x8000 #define UDT_CONTROL_PACKET 0x8000 #define UDT_DATA_PACKET 0x0000 #define UDTOECONTROLPAD 48 #define UDT_CONTROL_TYPE_MASK 0x7FFF #define UDT_CONTROL_HANDSHAKE 0x0000 #define UDT_CONTROL_KEEPALIVE 0x0001 #define UDT_CONTROL_ACK 0x0002 #define UDT_CONTROL_NAK 0x0003 #define UDT_CONTROL_CONGEST 0x0004 #define UDT_CONTROL_SHUTDOWN 0x0005 #define UDT_CONTROL_ACKACK 0x0006 #define UDT_CONTROL_DROPREQ 0x0007 #define UDTOE_PACKET_MASK 0x80 #define UDTOE_CONTROL_PACKET 0x80 #define UDTOE_DATA_PACKET 0x00 #define UDTOE_CONTROL_TYPE_MASK 0x7F #define UDTOE_CONTROL_HANDSHAKE 0x00 #define UDTOE_CONTROL_KEEPALIVE 0x01 #define UDTOE_CONTROL_ACK 0x02 #define UDTOE_CONTROL_NAK 0x03 #define UDTOE_CONTROL_CONGEST 0x04 #define UDTOE_CONTROL_SHUTDOWN 0x05 #define UDTOE_CONTROL_ACKACK 0x06 #define UDTOE_CONTROL_DROPREQ 0x07 struct udtoe_control_hdr { unsigned char type, resv; unsigned short ackseq; unsigned int info; unsigned int tstamp; unsigned int sockid; }; struct udt_control_hdr { unsigned short type, resv; unsigned int info; unsigned int tstamp; unsigned int sockid; }; struct udt_control_handshake { unsigned int version; unsigned int socktype; unsigned int initseq; unsigned int psize; unsigned int wsize; unsigned int conntype; unsigned int sockid; }; struct udt_control_ack { unsigned int ackseqnum; unsigned int rtt; unsigned int var; unsigned int bsize; unsigned int rate; unsigned int lcap; }; struct udt_control_nak { unsigned int seqnum; }; struct udt_control_dropreq { unsigned int firstseqnum; unsigned int lastseqnum; }; struct udt_data_hdr { unsigned int seqnum; unsigned int msgnum; unsigned int tstamp; unsigned int sockid; }; struct udtoe_header { union { struct udtoe_control_hdr cntl; struct udt_data_hdr data; } un_udt; }; struct udt_header { union { struct udt_control_hdr cntl; struct udt_data_hdr data; } un_udt; }; #define udt_control un_udt.cntl #define udt_data un_udt.data #endif /* ArgusUdt_h */ argus-3.0.8.2/include/argus_util.h000444 000765 000024 00000012066 12513222401 017373 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files - Utilities * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_util.h#24 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(Argus_util_h) #define Argus_util_h #include #if defined(__OpenBSD__) || defined(HAVE_SOLARIS) #include #endif #include #include #include #include #include typedef void (*proc)(void); typedef char *(*strproc)(void); struct ArgusQueueHeader { struct ArgusQueueHeader *prv, *nxt; struct ArgusQueueStruct *queue; struct timeval lasttime, qtime; unsigned int status; }; struct ArgusQueueStruct { struct ArgusQueueHeader qhdr; int count, turns, timeout, status, reclaim; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif struct ArgusQueueHeader *start, *end; struct ArgusFlowStruct **array; }; struct ArgusMemoryHeader { struct ArgusMemoryHeader *nxt, *prv; #if defined(__GNUC__) void *frame[3]; #endif unsigned int tag; unsigned short len; unsigned short offset; }; struct ArgusMemoryList { struct ArgusMemoryHeader *start, *end; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif int total, count, size; int out, in, freed; }; #if defined(ARGUS_SASL) #include #endif #include #define ARGUS_DATA_SOURCE 0x01 #define ARGUS_CISCO_DATA_SOURCE 0x10 #define ARGUS_SFLOW_DATA_SOURCE 0x20 #define TSEQ_HASHSIZE 9029 #define ipaddr_string(p) ArgusGetName(ArgusParser, (u_char *)(p)) #if defined(argus_util) #define IPPROTOSTR 134 char *ip_proto_string [IPPROTOSTR] = {"ip", "icmp", "igmp", "ggp", "ipnip", "st", "tcp", "ucl", "egp", "igp", "bbn-rcc-mon", "nvp-ii", "pup", "argus", "emcon", "xnet", "chaos", "udp", "mux", "dcn-meas", "hmp", "prm", "xns-idp", "trunk-1", "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp", "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++", "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre", "mhrp", "bna", "esp", "ah", "i-nlsp", "swipe", "narp", "mobile", "tlsp", "skip", "ipv6-icmp", "ipv6-no", "ipv6-opts", "any", "cftp", "any", "sat-expak", "kryptolan", "rvd", "ippc", "any", "sat-mon", "visa", "ipcv", "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nsfnet-igp", "dgp", "tcf", "igrp", "ospfigp", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp", "aes-sp3-d", "etherip", "encap", "pri-enc", "gmtp", "ifmp", "pnni", "pim", "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-n-ip", "vrrp", "pgm", "zero", "l2tp", "ddx", "iatp", "stp", "srp", "uti", "smp", "ptp", "isis", "fire", "crtp", "crudp", "sccopmce", "iplt", "sps", "pipe", "sctp", "fc", }; #if defined(__OpenBSD__) #include #include #endif #include #undef ICMP_MAXTYPE #define ICMP_MAXTYPE 41 char *icmptypestr[ICMP_MAXTYPE + 1] = { "ECR", " ", " ", "UR" , "SRC", "RED", "AHA", " ", "ECO", "RTA", "RTS", "TXD", "PAR", "TST", "TSR", "IRQ", "IRR", "MAS", "MSR", "SEC", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ", "MRP", "DNQ", "DNP", "SKP", "PHO", }; int ArgusSrcUserDataLen = 0; int ArgusDstUserDataLen = 0; void ArgusAdjustGlobalTime (struct timeval *, struct timeval *); extern unsigned int thisnet, localaddr, localnet, netmask; extern char *RaTimeFormat; extern char RaFieldDelimiter; void *ArgusMalloc (int); void *ArgusCalloc (int, int); void ArgusFree (void *); void ArgusFreeListRecord (void *buf); void ArgusInitMallocList (int length); void ArgusDeleteMallocList (void); void *ArgusMallocListRecord (int length); void ArgusLog (int, char *, ...); void ArgusInitServarray(struct ArgusParserStruct *); #else extern void ArgusAdjustGlobalTime (struct timeval *); extern void *ArgusMalloc (int); extern void *ArgusCalloc (int, int); extern void ArgusFree (void *); extern void ArgusFreeListRecord (void *buf); extern void ArgusInitMallocList (int length); extern void ArgusDeleteMallocList (void); extern void *ArgusMallocListRecord (int length); extern void ArgusLog (int, char *, ...); #endif #endif /* Argus_util_h */ argus-3.0.8.2/include/argus_v3_def.h000444 000765 000024 00000124160 12513222401 017563 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files - Version 3 definitions * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus_v3_def.h#12 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* Argus_def.h */ */ #if !defined(Argus_def_h) #define Argus_def_h /* Argus Record Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Argus Record Header | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data | | . | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /* Argus Record Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Option | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Start Time | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Last Time | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_V3_FAR 0x01 /* Normal Argus Data Record */ #define ARGUS_V3_MAR 0x80 /* Normal Argus Management Record */ /* Argus Derivative Types */ #define ARGUS_V1_WRITESTRUCT 0x10 /* Argus 1.x Write Struct Conversion */ #define ARGUS_V2_RECORD 0x20 /* Argus 2.x Argus Record Conversion */ #define ARGUS_V3_CISCO_NETFLOW 0x30 /* Argus CISCO Netflow Support */ /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cause | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Cause Record Field Note that one tick mark represents one bit position. */ /* Argus Record Cause */ #define ARGUS_V3_START 0x01 /* Initial Record */ #define ARGUS_V3_STATUS 0x02 /* Qualifier Record*/ #define ARGUS_V3_STOP 0x11 /* Closed/Terminating Record */ #define ARGUS_V3_TIMEOUT 0x12 /* Record Timed Out */ #define ARGUS_V3_SHUTDOWN 0x13 /* Administrative Shutdown */ #define ARGUS_V3_ERROR 0x14 /* Error - Major Problem */ /* Argus Record Header Length Field Number of 32-bit longwords, including the header. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Length Record Field Note that one tick mark represents one bit position. */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Record Version (Ver) */ #define ARGUS_VERSION_1 0x01 /* Version 1 */ #define ARGUS_VERSION_2 0x02 /* Version 2 */ #define ARGUS_VERSION_3 0x03 /* Version 3 */ #define ARGUS_VERSION ARGUS_VERSION_3 /* Version 3 */ /* Argus Record Header Option Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Option | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Option Record Field Note that one tick mark represents one bit position. */ /* Record Options (Opt)*/ #define ARGUS_V3_SASL_NEGOTIATION 0x80 /* Argus Record Header Qualifier Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Qualifier Record Note that one tick mark represents one bit position. */ /* Argus Record Qualifier */ #define ARGUSV3__CONNECTED 0x0001 #define ARGUS_V3_COROLATED 0x0002 #define ARGUS_V3_ANON 0x0010 #define ARGUS_V3_MERGED 0x0020 #define ARGUS_V3_RMON 0x0040 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Start/Last Time Record Field Note that one tick mark represents one bit position. */ /* Argus Data Argus Data is a collection of Argus Data Specific Records (DSRs) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data Specific Records | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Data Specific Record (DSR) Formats All Argus DSRs are 32-bit aligned. In order to be size conservative, there are two DSR types, one being a Type Value (TV) record with an explicit length of 4 bytes, and a Type Length Value (TLV) record, that provides support for variable length records. The fixed length record does not support a length field. These DSR types are distinquished from the most significant bit in the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Type | SubType | Argus DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Type | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus DSR Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Specific Record (DSR) Field Note that one tick mark represents one bit position. */ /* Argus Record Data Type Field The DSR Type Field specifies the format of the DSR. The most significant bit indicates if the DSR is a TV or TLV type. The other bits specify highest level semantics for the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Data Specific Record (DSR) Types */ #define ARGUS_SOURCE_DSR 0x01 #define ARGUS_FLOW_DSR 0x02 #define ARGUS_PROTO_DSR 0x03 #define ARGUS_PROTO_IP_DSR 0x04 #define ARGUS_METER_DSR 0x10 #define ARGUS_DSR_AGR 0x22 #define ARGUS_DSR_TIME 0x23 #define ARGUS_DSR_SRCUSERDATA 0x24 #define ARGUS_DSR_DSTUSERDATA 0x25 #define ARGUS_DSR_SRCTIME 0x26 #define ARGUS_DSR_DSTTIME 0x27 #define ARGUS_DSR_COROLATE 0x28 /* Argus Record Data Length Field Number of 32-bit longwords, including the header. Data records that have a 0 as the most significant bit support variable length records, and as a result have a length field. Records with a 1 as the most significant bit are fixed length 4 byte records, and thus do not require a length field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Length field can equal 1. */ /* Argus Record Data SubType Field Data Records that have a 0 as the most significant bit support variable length records. The Length field displaces the SubType field in these headers by 8 bits. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| | SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Data Qualifier Field TLV Data Records support an 8-bit Qualifier field, which is used to convey additional semantics for the DSR format and contents. In some situations, the qualifier may be used to further specify the actual DSR data format, in others it may provide addition semantics, or it can be used to provide the actual 8-bit data. How the Qualifier is parsed and used is specific to the DSR Type and SubType. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Source DSR The #define ARGUS_SOURCE_ID_DSR 0x01 #define ARGUS_SOURCE_TRANS_DSR 0x02 #define ARGUS_ID_IS_IPV4ADDR 0x01 #define ARGUS_ID_IS_IPV6ADDR 0x02 #define ARGUS_COOKIE 0xE5617ACB /* The Argus Source Record Identifier is an optional DSR that helps to identify a specific record. Many applications require the ability to discriminate the source of a specific record, and some have further requirements for the source to provide a unique sequence number for transactional processing and to assist in reliable transport. ARGUS_SOURCE_ID_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x10 | 0x02 | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SOURCE_TRANS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x10 | 0x04 | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transaction Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Source Identifier Record Field Note that one tick mark represents one bit position. */ #define ARGUS_FLOW_DSR 0x01 #define ARGUS_FLOW_IPV4_DSR 0x01 #define ARGUS_FLOW_IPV6_DSR 0x02 #define ARGUS_FLOW_ARP_DSR 0x03 #define ARGUS_FLOW_RARP_DSR 0x04 #define ARGUS_FLOW_IP_FRG_DSR 0x05 /* The Argus Source Record Identifier is an optional DSR that helps to identify a specific record. Many applications require the ability to discriminate the source of a specific record, and some have further requirements for the source to provide a unique sequence number for transactional processing and to assist in reliable transport. ARGUS_FLOW_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Flow Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV4_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV6_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x0B | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Priority | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_ARP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x03 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP SPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_RARP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x04 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Source Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Target Ethernet Address + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IP_FRG_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x05 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fragment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fragment Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IpId | Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Current Length | Maximum Frag Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_DSR 0x04 /* ARGUS_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | ProtoType | Protocol Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | Proto Type | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Protocol Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_DLT_DSR 0x01 #define ARGUS_PROTO_SNAP_DSR 0x02 #define ARGUS_PROTO_MPLS_DSR 0x04 #define ARGUS_PROTO_802_1Q_DSR 0x03 #define ARGUS_PROTO_ISL_DSR 0x06 #define ARGUS_PROTO_PPPOE 0x07 #define ARGUS_PROTO_IP_DSR 0x10 #define ARGUS_PROTO_IP_EXT_ATTR_DSR 0x11 #define ARGUS_PROTO_IP_EXT_OPTIONS_DSR 0x12 /* ARGUS_PROTO_IP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | 0x10 | Proto Num | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | 0x10 | Proto Num | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_DSR TCP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x03 | 0x10 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR UDP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x11 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ICMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x01 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP Type | ICMP Code | ICMP ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ESP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x32 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Security Payload Identifiier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR IGMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Type | IGMP Code | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_EXT_ATTR_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x02 | 0x11 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP ID | TTL | TOS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_EXT_OPTIONS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x02 | 0x12 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Options Indicator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_MPLS_DSR 0x01 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus MPLS Label Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus MPLS Label Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_802_1Q_DSR 0x02 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x08 | 0x02 |1 1| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src 802.1Q Tag | Dst 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | 0x04 | 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_SNAP_DSR 0x01 #define ARGUS_PROTO_VLAN_802_1Q_DSR 0x02 #define ARGUS_PROTO_VLAN_ISL_DSR 0x03 #define ARGUS_PROTO_PPPOE 11 #define ARGUS_DSR_AGR 12 #define ARGUS_DSR_TIME 13 #define ARGUS_DSR_SRCUSERDATA 14 #define ARGUS_DSR_DSTUSERDATA 15 #define ARGUS_DSR_SRCTIME 16 #define ARGUS_DSR_DSTTIME 17 #define ARGUS_DSR_COROLATE 18 #define ARGUS_METER_DSR 0x20 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Meter Specific Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_LOAD_DSR 0x01 #define ARGUS_METER_LOAD_BYTE_DSR 0x1 #define ARGUS_METER_LOAD_SHORT_DSR 0x2 #define ARGUS_METER_LOAD_LONG_DSR 0x3 #define ARGUS_METER_LOAD_LONGLONG_DSR 0x4 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x08 | 0x01 | D | | 0x1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + packets + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + bytes + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_TCP_STATUS_DSR 0x02 #define ARGUS_METER_TCP_PERF_DSR 0x03 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x10 | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCPQualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Syn ACK uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP ACK DATA uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x03 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Sequence Base | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Acknowledged Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Total Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Retransmitted Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Last Reported Window | TCP Flags | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_IGMP_PERF_DSR 0x04 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x18 | 0x04 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Group | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Join Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Leave Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_ESP_PERF_DSR 0x05 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x0C | 0x05 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Last Sequence | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Lost Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_SRC_VLAN 0x0001 #define ARGUS_DST_VLAN 0x0002 #define ARGUS_SRC_MPLS 0x0001 #define ARGUS_DST_MPLS 0x0002 #define ARGUS_SRC_CHANGED 0x0010 #define ARGUS_DST_CHANGED 0x0020 /* Argus Error Messages go into the status field when the Record Cause is ARGUS_ERROR. */ #define ARGUS_ACCESSDENIED 0x000010 #define ARGUS_MAXLISTENEXCD 0x000020 /* Link Types */ #define ARGUS_ETHERNET 0x01000000 #define ARGUS_ATM 0x02000000 #define ARGUS_FDDI 0x03000000 #define ARGUS_TOKENRING 0x04000000 #define ARGUS_SLIP 0x05000000 #define ARGUS_PPP 0x06000000 #define ARGUS_ESP 0x07000000 #define ARGUS_RAW 0x08000000 #define ARGUS_NULL 0x09000000 #define ARGUS_SEND_FRAG_COMPLETE 0x10000000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus FAR Qualifier Field Note that one tick mark represents one bit position. */ /* ICMP Mapped Indicator */ /* argus_far.status indicator */ #define ARGUS_ICMP_MAPPED 0x0007 #define ARGUS_ICMPUNREACH_MAPPED 0x0001 #define ARGUS_ICMPREDIREC_MAPPED 0x0002 #define ARGUS_ICMPTIMXCED_MAPPED 0x0004 #define ARGUS_FRAGMENTS 0x0008 #define ARGUS_FRAGOVERLAP 0x0010 #define ARGUS_TOS_MODIFIED 0x0020 #define ARGUS_TTL_MODIFIED 0x0040 #define ARGUS_OPTION_MODIFIED 0x0080 /* IP Option Indicators */ #define ARGUS_IPOPTIONS 0x3F00 #define ARGUS_TIMESTAMP 0x0100 #define ARGUS_SECURITY 0x0200 #define ARGUS_LSRCROUTE 0x0400 #define ARGUS_RECORDROUTE 0x0800 #define ARGUS_SSRCROUTE 0x1000 #define ARGUS_RTRALERT 0x2000 #define ARGUS_MULTIADDR 0x4000 /* Type: DSR Cause: ANY */ #define ARGUS_DSR_TYPES 19 #define ARGUS_DSR_MAC 0 #define ARGUS_DSR_TCP 1 #define ARGUS_DSR_ICMP 2 #define ARGUS_DSR_RTP 3 #define ARGUS_DSR_RTCP 4 #define ARGUS_DSR_IGMP 5 #define ARGUS_DSR_ARP 6 #define ARGUS_DSR_FRG 7 #define ARGUS_DSR_ESP 8 #define ARGUS_DSR_MPLS 9 #define ARGUS_DSR_VLAN 10 #define ARGUS_DSR_PPPOE 11 #define ARGUS_DSR_AGR 12 #define ARGUS_DSR_TIME 13 #define ARGUS_DSR_SRCUSERDATA 14 #define ARGUS_DSR_DSTUSERDATA 15 #define ARGUS_DSR_SRCTIME 16 #define ARGUS_DSR_DSTTIME 17 #define ARGUS_DSR_COROLATE 18 #define ARGUS_MAC_DSR 0x08 #define ARGUS_TCP_DSR 0x11 #define ARGUS_ICMP_DSR 0x12 #define ARGUS_RTP_DSR 0x14 #define ARGUS_RTCP_DSR 0x15 #define ARGUS_IGMP_DSR 0x18 #define ARGUS_ARP_DSR 0x20 #define ARGUS_FRG_DSR 0x21 #define ARGUS_ESP_DSR 0x22 #define ARGUS_MPLS_DSR 0x28 #define ARGUS_VLAN_DSR 0x2a #define ARGUS_PPPOE_DSR 0x2b #define ARGUS_AGR_DSR 0x30 #define ARGUS_TIME_DSR 0x40 #define ARGUS_SRCUSRDATA_DSR 0x42 #define ARGUS_DSTUSRDATA_DSR 0x43 #define ARGUS_COROLATE_DSR 0x50 #define ARGUS_SRC_TIME_DSR 0x01 #define ARGUS_DST_TIME_DSR 0x02 /* IP Sec AH Header Qualifier Bits */ #define ARGUS_AH_HDR 0x00000010 #define ARGUS_AH_REPLAY 0x00000008 /* RTP State Constants and Reporting Values */ #define ARGUS_RTP_SRCSILENCE 0x01 #define ARGUS_RTP_DSTSILENCE 0x02 #define ARGUS_RTCP_TAG 0x2000 #define ARGUS_RTP_TAG 0x4000 #define ARGUS_HTTP_FLOWTAG 0x01 #define ARGUS_RTCP_FLOWTAG 0x10 #define ARGUS_RTP_FLOWTAG 0x20 #define ARGUS_FRAG_FLOWTAG 0xCB /* TCP State Constants and Reporting Values */ #define ARGUS_SAW_SYN 0x00000001 #define ARGUS_SAW_SYN_SENT 0x00000002 #define ARGUS_CON_ESTABLISHED 0x00000004 #define ARGUS_FIN 0x00000008 #define ARGUS_FIN_ACK 0x00000010 #define ARGUS_NORMAL_CLOSE 0x00000020 #define ARGUS_CLOSE_WAITING 0x00000040 #define ARGUS_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_DST_PKTS_RETRANS 0x00000200 #define ARGUS_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_DST_WINDOW_SHUT 0x00000800 #define ARGUS_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_SRC_RESET 0x00001000 #define ARGUS_DST_RESET 0x00002000 #define ARGUS_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_SRC_CONGESTED 0x00004000 #define ARGUS_DST_CONGESTED 0x00008000 #define ARGUS_OUTOFORDER 0x00030000 #define ARGUS_SRC_OUTOFORDER 0x00010000 #define ARGUS_DST_OUTOFORDER 0x00020000 #define ARGUS_TCP_OPTIONS 0xFFF00000 #define ARGUS_TCP_MAXSEG 0x00100000 #define ARGUS_TCP_WSCALE 0x00200000 #define ARGUS_TCP_SACKOK 0x00400000 #define ARGUS_TCP_SACK 0x00800000 #define ARGUS_TCP_ECHO 0x01000000 #define ARGUS_TCP_ECHOREPLY 0x02000000 #define ARGUS_TCP_TIMESTAMP 0x04000000 #define ARGUS_TCP_CC 0x08000000 #define ARGUS_TCP_CCNEW 0x10000000 #define ARGUS_TCP_CCECHO 0x20000000 #define ARGUS_TCP_SRC_ECN 0x40000000 #define ARGUS_TCP_DST_ECN 0x80000000 /* Fragment State Constants and Reporting Values */ #define ARGUS_FRAG_INIT 0x0001 #define ARGUS_FRAG_OUT_OF_ORDER 0x0002 #define ARGUS_TCPFRAGOFFSETERROR 0x0004 /* User Data Qualifier Values */ #define ARGUS_FAR_DSR_STATUS 0x00000001 #define ARGUS_MAC_DSR_STATUS 0x00000010 #define ARGUS_VLAN_DSR_STATUS 0x00000020 #define ARGUS_MPLS_DSR_STATUS 0x00000040 #define ARGUS_PPPOE_DSR_STATUS 0x00000080 #define ARGUS_TCP_DSR_STATUS 0x00000100 #define ARGUS_ICMP_DSR_STATUS 0x00000200 #define ARGUS_RTP_DSR_STATUS 0x00000400 #define ARGUS_RCTP_DSR_STATUS 0x00000800 #define ARGUS_IGMP_DSR_STATUS 0x00001000 #define ARGUS_ARP_DSR_STATUS 0x00002000 #define ARGUS_FRG_DSR_STATUS 0x00004000 #define ARGUS_TIME_DSR_STATUS 0x00100000 #define ARGUS_SRCUSRDATA_DSR_STATUS 0x00200000 #define ARGUS_DSTUSRDATA_DSR_STATUS 0x00400000 #define ARGUS_ESP_DSR_STATUS 0x00800000 #define ARGUS_SRCTIME_DSR_STATUS 0x01000000 #define ARGUS_DSTTIME_DSR_STATUS 0x02000000 #define ARGUS_COROLATE_DSR_STATUS 0x04000000 #define ARGUS_AGR_DSR_STATUS 0x80000000 #define ARGUS_FAR_DSR_INDEX 0 #define ARGUS_MAC_DSR_INDEX 4 #define ARGUS_VLAN_DSR_INDEX 5 #define ARGUS_MPLS_DSR_INDEX 6 #define ARGUS_PPPOE_DSR_INDEX 7 #define ARGUS_TCP_DSR_INDEX 8 #define ARGUS_ICMP_DSR_INDEX 9 #define ARGUS_RTP_DSR_INDEX 10 #define ARGUS_RTCP_DSR_INDEX 11 #define ARGUS_IGMP_DSR_INDEX 12 #define ARGUS_ARP_DSR_INDEX 13 #define ARGUS_FRG_DSR_INDEX 14 #define ARGUS_TIME_DSR_INDEX 20 #define ARGUS_SRCUSRDATA_DSR_INDEX 21 #define ARGUS_DSTUSRDATA_DSR_INDEX 22 #define ARGUS_ESP_DSR_INDEX 23 #define ARGUS_SRCTIME_DSR_INDEX 24 #define ARGUS_DSTTIME_DSR_INDEX 25 #define ARGUS_COROLATE_DSR_INDEX 26 #define ARGUS_AGR_DSR_INDEX 31 #define ARGUS_AGR_USECACTTIME 0x0010 #define ARGUS_AGR_USECIDLETIME 0x0020 #define ARGUS_AGR_MSECACTTIME 0x0040 #define ARGUS_AGR_MSECIDLETIME 0x0080 #define ARGUS_AGR_NORMALIZED 0x0100 #endif /* Argus_def_h */ argus-3.0.8.2/include/CflowdFlowPdu.h000444 000765 000024 00000042775 12513222401 017746 0ustar00carterstaff000000 000000 /*=========================================================================== / CAIDA Copyright Notice / / By accessing this software, cflowd++, you are duly informed / of and agree to be bound by the conditions described below in this / notice: / / This software product, cflowd++, is developed by Daniel W. McRobb, and / copyrighted(C) 1998 by the University of California, San Diego / (UCSD), with all rights reserved. UCSD administers the CAIDA grant, / NCR-9711092, under which part of this code was developed. / / There is no charge for cflowd++ software. You can redistribute it / and/or modify it under the terms of the GNU General Public License, / v. 2 dated June 1991 which is incorporated by reference herein. / cflowd++ is distributed WITHOUT ANY WARRANTY, IMPLIED OR EXPRESS, OF / MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE or that the use / of it will not infringe on any third party's intellectual property / rights. / / You should have received a copy of the GNU GPL along with cflowd++. / Copies can also be obtained from: / / http://www.gnu.org/copyleft/gpl.html / / or by writing to: / / University of California, San Diego / / SDSC/CAIDA / 9500 Gilman Dr., MS-0505 / La Jolla, CA 92093 - 0505 USA / / Or contact: / / info@caida.org /=========================================================================== */ /* * $Id: //depot/argus/argus/include/CflowdFlowPdu.h#4 $ * $DateTime: 2011/01/26 17:11:49 $ * $Change: 2087 $ */ /*--------------------------------------------------------------------------- This header file contains the layout of flow-export packets for Cisco's flow-export. -------------------------------------------------------------------------*/ #if !defined(_FLOWPDU_H_) #define _FLOWPDU_H_ #define k_maxFlowPacketSize 2048 #ifndef uint8_t #define uint8_t unsigned char #endif #ifndef uint16_t #define uint16_t unsigned short #endif #ifndef uint32_t #define uint32_t unsigned int #endif #ifndef ipv4addr_t #define ipv4addr_t unsigned int #endif /*--------------------------------------------------------------------------- flow-export version 1 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; } CiscoFlowHeaderV1_t; #define k_maxFlowsPerV1Packet 24 /*--------------------------------------------------------------------------- flow-export version 1 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint16_t pad0; uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint8_t flags; /* TCP flags */ uint8_t pad1, pad2, pad3; /* pads */ uint32_t pad4; } CiscoFlowEntryV1_t; /*--------------------------------------------------------------------------- flow-export version 5 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* no VIP = 0, VIP2 = 1 */ uint8_t engine_id; /* VIP2 slot number */ uint16_t reserved; /* unused */ } CiscoFlowHeaderV5_t; #define k_maxFlowsPerV5Packet 30 /*--------------------------------------------------------------------------- flow-export version 5 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t pad; uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow; 0x10 */ /* for non-TCP flows */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint16_t reserved; } CiscoFlowEntryV5_t; /*--------------------------------------------------------------------------- flow-export version 6 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* version */ uint16_t count; /* the number of records in PDU */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* seq counter of total flows seen */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint16_t reserved; } CiscoFlowHeaderV6_t; #define k_maxFlowsPerV6Packet 27 /*--------------------------------------------------------------------------- flow-export version 6 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t rsvd; uint8_t tcp_flags; /* bitwise OR of all TCP flags seen in flow */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint8_t in_encaps; /* size in bytes of the input encapsulation */ uint8_t out_encaps; /* size in bytes of the output encapsulation */ uint32_t peer_nexthop; /* IP address of the nexthop w/in the peer (FIB) */ } CiscoFlowEntryV6_t; /*--------------------------------------------------------------------------- flow-export version 8 --------------------------------------------------------------------------- This is the first flow-export version to support multiple types of flow-export records. Each type is an aggregation, so that only specific types of data may be exported (saving processing and bandwidth). Obviously flow level granularity is gone, but this type of data reduction is useful on high-speed routers like the GSR. -------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------- flow-export version 8 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint8_t agg_method; /* aggregation method */ uint8_t agg_version; /* aggregation version */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV8_t; /*--------------------------------------------------------------------------- V8 aggregation methods -------------------------------------------------------------------------*/ #define k_CiscoV8FlowExportASAggType 0x01 /* AS agg. */ #define k_CiscoV8FlowExportProtocolPortAggType 0x02 /* protocol/port agg. */ #define k_CiscoV8FlowExportSrcNetAggType 0x03 /* src network agg. */ #define k_CiscoV8FlowExportDstNetAggType 0x04 /* dst network agg. */ #define k_CiscoV8FlowExportNetMatrixAggType 0x05 /* net matrix agg. */ #define k_CiscoV8FlowExportMaxAggType k_CiscoV8FlowExportNetMatrixAggType #define k_CiscoV8FlowExportNumAggTypes k_CiscoV8FlowExportMaxAggType /*--------------------------------------------------------------------------- max flows per packet for each of the different V8 aggregation methods -------------------------------------------------------------------------*/ #define k_maxFlowsPerV8AsAggPacket 51 #define k_maxFlowsPerV8ProtocolPortAggPacket 51 #define k_maxFlowsPerV8SrcNetAggPacket 44 #define k_maxFlowsPerV8DstNetAggPacket 44 #define k_maxFlowsPerV8NetMatrixAggPacket 35 /*--------------------------------------------------------------------------- define max flows per packet, regardless of type of flows. -------------------------------------------------------------------------*/ #define k_maxFlowsPerAnyPacket 51 /*--------------------------------------------------------------------------- V8 AS aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8AsAggV2_t; /*--------------------------------------------------------------------------- V8 protocol/port aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint8_t prot; /* IP protocol (TCP=6, UDP=17, etc.) */ uint8_t pad; uint16_t reserved; uint16_t srcport; /* source port */ uint16_t dstport; /* destination port */ } CiscoFlowEntryV8ProtocolPortAggV2_t; /*--------------------------------------------------------------------------- V8 net matrix aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ ipv4addr_t dstnet; /* destination network */ uint8_t dst_mask; /* destination netmask length (bits) */ uint8_t src_mask; /* source netmask length (bits) */ uint16_t reserved; uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8NetMatrixAggV2_t; /*--------------------------------------------------------------------------- V8 source network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ uint8_t src_mask; /* source network mask length (bits) */ uint8_t pad; uint16_t src_as; /* source AS */ uint16_t input; /* input interface index */ uint16_t reserved; } CiscoFlowEntryV8SrcNetAggV2_t; /*--------------------------------------------------------------------------- V8 destination network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t dst_net; /* destination network */ uint8_t dst_mask; /* destination network mask length (bits) */ uint8_t pad; uint16_t dst_as; /* destination AS */ uint16_t output; /* output interface index */ uint16_t reserved; } CiscoFlowEntryV8DstNetAggV2_t; /*--------------------------------------------------------------------------- flow-export version 7 header (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV7_t; /*--------------------------------------------------------------------------- flow-export version 7 flow entry (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address (0 for dest-only flows) */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address (always 0) */ uint16_t input; /* input interface index (always 0) */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint16_t dstport; /* TCP/UDP destination port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint8_t flags1; /* ???? */ uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow (always 0) */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address (always 0) */ uint16_t dst_as; /* originating AS of destination address (always 0) */ uint8_t src_mask; /* source address prefix mask bits (always 0) */ uint8_t dst_mask; /* destination address prefix mask bits (always 0) */ uint16_t flags2; /* ???? */ uint32_t router_sc; /* IP address of shortcut router */ } CiscoFlowEntryV7_t; #endif /* _FLOWPDU_H_ */ argus-3.0.8.2/include/cygwin-include/000755 000765 000024 00000000000 12513222401 017762 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/net/000755 000765 000024 00000000000 12513222401 015627 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/netbsd-include/000755 000765 000024 00000000000 12513222401 017741 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/netinet/000755 000765 000024 00000000000 12513222401 016507 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/netinet/rtp.h000444 000765 000024 00000011434 12513222401 017466 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/netinet/rtp.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef _netinet_rtp_h #define _netinet_rtp_h /* RTP Upper Layer Format Numbers */ #define IPPROTO_RTP 257 #define IPPROTO_RTCP 258 #define RTP_VERSION 2 #define RTP_PT_BVC 22 /* Berkeley video codec */ #define RTP_PT_RGB8 23 /* 8-bit dithered RGB */ #define RTP_PT_HDCC 24 /* SGI proprietary */ #define RTP_PT_CELLB 25 /* Sun CellB */ #define RTP_PT_JPEG 26 /* JPEG */ #define RTP_PT_CUSEEME 27 /* Cornell CU-SeeMe */ #define RTP_PT_NV 28 /* Xerox PARC nv */ #define RTP_PT_PICW 29 /* BB&N PictureWindow */ #define RTP_PT_CPV 30 /* Concept/Bolter/Viewpoint codec */ #define RTP_PT_H261 31 /* ITU H.261 */ #define RTP_PT_MPEG 32 /* MPEG-I & MPEG-II */ #define RTP_PT_MP2T 33 /* MPEG-II either audio or video */ #define RTP_PT_H263 34 /* backward compat hack for decoding RTPv1 ivs streams */ #define RTP_PT_H261_COMPAT 127 /* RTP standard content encodings for audio */ #define RTP_PT_PCMU 0 #define RTP_PT_CELP 1 #define RTP_PT_GSM 3 #define RTP_PT_G723 4 #define RTP_PT_DVI 5 #define RTP_PT_LPC 7 #define RTP_PT_PCMA 8 #define RTP_PT_G722 9 #define RTP_PT_G728 15 #define RTP_PT_G729 18 #define RTP_TIME_OFFSET 2208988800UL #define RTP_M 0x0080 #define RTP_P 0x2000 #define RTP_X 0x1000 #define RTCP_PT_SR 200 #define RTCP_PT_RR 201 #define RTCP_PT_SDES 202 #define RTCP_PT_BYE 203 #define RTCP_PT_APP 204 #define RTCP_SDES_MIN 1 #define RTCP_SDES_MAX 7 #define RTCP_SDES_CNAME 1 #define RTCP_SDES_NAME 2 #define RTCP_SDES_EMAIL 3 #define RTCP_SDES_PHONE 4 #define RTCP_SDES_LOC 5 #define RTCP_SDES_TOOL 6 #define RTCP_SDES_NOTE 7 /* RTP Header as defined in H.225 */ struct rtphdr { #ifdef _LITTLE_ENDIAN unsigned char rh_cc:4, /* CSRC count */ rh_x:1, /* extension */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_x:1, /* extension */ rh_cc:4; /* CSRC count */ #endif #ifdef _LITTLE_ENDIAN unsigned char rh_pt:7, /* payload type */ rh_mark:1; /* marker */ #else unsigned char rh_mark:1, /* marker */ rh_pt:7; /* payload type */ #endif unsigned short rh_seq; unsigned int rh_time; unsigned int rh_ssrc; }; struct rtcphdr { #ifdef _LITTLE_ENDIAN unsigned char rh_rc:5, /* report count */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_rc:5; /* report count */ #endif unsigned char rh_pt; /* payload type */ unsigned short rh_len; unsigned int rh_ssrc; }; struct rtpexthdr { unsigned short profile, length; }; typedef struct { unsigned int high; unsigned int low; } ntp64; /* * Sender report. */ struct rtcp_sr { ntp64 sr_ntp; /* 64-bit ntp timestamp */ unsigned int sr_ts; /* reference media timestamp */ unsigned int sr_np; /* no. packets sent */ unsigned int sr_nb; /* no. bytes sent */ }; /* * Receiver report. * Time stamps are middle 32-bits of ntp timestamp. */ struct rtcp_rr { unsigned int rr_srcid; /* sender being reported */ unsigned int rr_loss; /* loss stats (8:fraction, 24:cumulative)*/ unsigned int rr_ehsr; /* ext. highest seqno received */ unsigned int rr_dv; /* jitter (delay variance) */ unsigned int rr_lsr; /* orig. ts from last rr from this src */ unsigned int rr_dlsr; /* time from recpt of last rr to xmit time */ }; #endif /*!_netinet_rtp_h*/ argus-3.0.8.2/include/netinet/tcp_fsm.h000444 000765 000024 00000004206 12513222401 020313 0ustar00carterstaff000000 000000 /* @(#)tcp_fsm.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: //depot/argus/argus/include/netinet/tcp_fsm.h#3 $ * $DateTime: 2011/01/26 17:31:56 $ * $Change: 2094 $ */ /* * TCP FSM state definitions. * Per RFC793, September, 1981. */ #ifndef _netinet_tcp_fsm_h #define _netinet_tcp_fsm_h #define TCP_NSTATES 11 #define TCPS_CLOSED 0 /* closed */ #define TCPS_LISTEN 1 /* listening for connection */ #define TCPS_SYN_SENT 2 /* active, have sent syn */ #define TCPS_SYN_RECEIVED 3 /* have send and received syn */ /* states < TCPS_ESTABLISHED are those where connections not established */ #define TCPS_ESTABLISHED 4 /* established */ #define TCPS_CLOSE_WAIT 5 /* rcvd fin, waiting for close */ /* states > TCPS_CLOSE_WAIT are those where user has closed */ #define TCPS_FIN_WAIT_1 6 /* have closed, sent fin */ #define TCPS_CLOSING 7 /* closed xchd FIN; await FIN ACK */ #define TCPS_LAST_ACK 8 /* had fin and close; await FIN ACK */ /* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */ #define TCPS_FIN_WAIT_2 9 /* have closed, fin is acked */ #define TCPS_TIME_WAIT 10 /* in 2*msl quiet wait after close */ #define TCPS_HAVERCVDSYN(s) ((s) >= TCPS_SYN_RECEIVED) #define TCPS_HAVERCVDFIN(s) ((s) >= TCPS_TIME_WAIT) #ifdef TCPOUTFLAGS /* * Flags used when sending segments in tcp_output. * Basic flags (TH_RST,TH_ACK,TH_SYN,TH_FIN) are totally * determined by state, with the proviso that TH_FIN is sent only * if all data queued for output is included in the segment. */ u_char tcp_outflags[TCP_NSTATES] = { TH_RST|TH_ACK, 0, TH_SYN, TH_SYN|TH_ACK, TH_ACK, TH_ACK, TH_FIN|TH_ACK, TH_FIN|TH_ACK, TH_FIN|TH_ACK, TH_ACK, TH_ACK, }; #endif #ifdef KPROF int tcp_acounts[TCP_NSTATES][PRU_NREQ]; #endif #ifdef TCPSTATES char *tcpstates[] = { "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT", }; #endif #endif /*!_netinet_tcp_fsm_h*/ argus-3.0.8.2/include/netbsd-include/netinet/000755 000765 000024 00000000000 12513222401 021407 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/netbsd-include/netinet/rtp.h000444 000765 000024 00000003042 12513222401 022362 0ustar00carterstaff000000 000000 /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _netinet_rtp_h #define _netinet_rtp_h /* RTP Upper Layer Format Numbers H.225 */ #define IPPROTO_RTP 257 #define RTP_PCMU 0 #define RTP_PCMA 8 #define RTP_G722 9 #define RTP_G723 4 #define RTP_G728 15 #define RTP_G729 18 #define RTP_H261 31 #define RTP_H263 34 /* RTP Header as defined in H.225 */ struct rtphdr { #ifdef LITTLE_ENDIAN unsigned char rh_cc:4, /* CSRC count */ rh_x:1, /* extension */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_x:1, /* extension */ rh_cc:4; /* CSRC count */ #endif #ifdef LITTLE_ENDIAN unsigned char rh_pt:7, /* payload type */ rh_mark:1; /* marker */ #else unsigned char rh_mark:1, /* marker */ rh_pt:7; /* payload type */ #endif unsigned short rh_seq; unsigned int rh_time; unsigned int rh_ssrc; }; struct rtcphdr { #ifdef LITTLE_ENDIAN unsigned char rh_rc:5, /* report count */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_rc:5; /* report count */ #endif unsigned char rh_pt; /* payload type */ unsigned short rh_len; unsigned int rh_ssrc; }; struct rtpexthdr { unsigned short profile, length; }; #endif /*!_netinet_rtp_h*/ argus-3.0.8.2/include/net/arcnet.h000444 000765 000024 00000006226 12513222401 017260 0ustar00carterstaff000000 000000 /* * Copyright (c) 1982, 1986, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * * from: NetBSD: if_arc.h,v 1.13 1999/11/19 20:41:19 thorpej Exp */ /* * $Id: //depot/argus/argus/include/net/arcnet.h#3 $ * $DateTime: 2011/01/26 17:31:56 $ * $Change: 2094 $ */ /* * Structure of a 2.5MB/s Arcnet header. * as given to interface code. */ struct arc_header { u_int8_t arc_shost; u_int8_t arc_dhost; u_int8_t arc_type; /* * only present for newstyle encoding with LL fragmentation. * Don't use sizeof(anything), use ARC_HDR{,NEW}LEN instead. */ u_int8_t arc_flag; u_int16_t arc_seqid; /* * only present in exception packets (arc_flag == 0xff) */ u_int8_t arc_type2; /* same as arc_type */ u_int8_t arc_flag2; /* real flag value */ u_int16_t arc_seqid2; /* real seqid value */ } /* __attribute__((__packed__)) */; #define ARC_HDRLEN 3 #define ARC_HDRNEWLEN 6 #define ARC_HDRNEWLEN_EXC 10 /* RFC 1051 */ #define ARCTYPE_IP_OLD 240 /* IP protocol */ #define ARCTYPE_ARP_OLD 241 /* address resolution protocol */ /* RFC 1201 */ #define ARCTYPE_IP 212 /* IP protocol */ #define ARCTYPE_ARP 213 /* address resolution protocol */ #define ARCTYPE_REVARP 214 /* reverse addr resolution protocol */ #define ARCTYPE_ATALK 221 /* Appletalk */ #define ARCTYPE_BANIAN 247 /* Banyan Vines */ #define ARCTYPE_IPX 250 /* Novell IPX */ #define ARCTYPE_INET6 0xc4 /* IPng */ #define ARCTYPE_DIAGNOSE 0x80 /* as per ANSI/ATA 878.1 */ argus-3.0.8.2/include/net/etherdefs.h000444 000765 000024 00000004174 12513222401 017755 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/net/etherdefs.h#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef _NET_ETHERNET_H_ #define _NET_ETHERNET_H_ #define ETHER_ADDR_LEN 6 #define ETHER_TYPE_LEN 2 #define ETHER_CRC_LEN 4 #define ETHER_HDR_LEN (ETHER_ADDR_LEN*2+ETHER_TYPE_LEN) #define ETHER_MIN_LEN 64 #define ETHER_MAX_LEN 1518 #ifndef ETHERTYPE_PUP #define ETHERTYPE_PUP 0x0200 /* PUP protocol */ #endif #ifndef ETHERTYPE_IP #define ETHERTYPE_IP 0x0800 /* IP protocol */ #endif #ifndef ETHERTYPE_ARP #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #endif #ifndef ETHERTYPE_REVARP #define ETHERTYPE_REVARP 0x8035 /* reverse Addr. resolution protocol */ #endif #ifndef ETHERTYPE_VLAN #define ETHERTYPE_VLAN 0x8100 /* IEEE 802.1Q VLAN tagging */ #endif #ifndef ETHERTYPE_IPV6 #define ETHERTYPE_IPV6 0x86dd /* IPv6 */ #endif #ifndef ETHERTYPE_LOOPBACK #define ETHERTYPE_LOOPBACK 0x9000 /* used to test interfaces */ #endif /* * The ETHERTYPE_NTRAILER packet types starting at ETHERTYPE_TRAIL have * (type-ETHERTYPE_TRAIL)*512 bytes of data followed * by an ETHER type (as given above) and then the (variable-length) header. */ #ifndef ETHERTYPE_TRAIL #define ETHERTYPE_TRAIL 0x1000 /* Trailer packet */ #endif #ifndef ETHERTYPE_NTRAILER #define ETHERTYPE_NTRAILER 16 #endif #endif /* !_NET_ETHERNET_H_ */ argus-3.0.8.2/include/net/nff.h000444 000765 000024 00000030602 12513222401 016550 0ustar00carterstaff000000 000000 /* * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)nff.h 7.1 (Berkeley) 5/7/91 * */ /* * $Id: //depot/argus/argus-3.0/clients/include/net/nff.h#11 $ * $DateTime: 2006/04/08 16:37:11 $ * $Change: 816 $ */ #ifndef NFF_MAJOR_VERSION /* BSD style release date */ #define NFF_RELEASE 200611 typedef int nff_int32; typedef unsigned int nff_u_int32; typedef long long nff_int64; typedef unsigned long long nff_u_int64; /* * Alignment macros. NFF_WORDALIGN rounds up to the next * even multiple of NFF_ALIGNMENT. */ #ifndef __NetBSD__ #define NFF_ALIGNMENT sizeof(nff_int64) #else #define NFF_ALIGNMENT sizeof(long long) #endif #define NFF_WORDALIGN(x) (((x)+(NFF_ALIGNMENT-1))&~(NFF_ALIGNMENT-1)) #define NFF_MAXINSNS 1024 #define NFF_MAXBUFSIZE 0x8000 #define NFF_MINBUFSIZE 32 /* * Structure for BIOCSETF. */ struct nff_program { unsigned int bf_len; struct nff_insn *bf_insns; }; /* * Struct returned by BIOCGSTATS. */ struct nff_stat { unsigned int bs_recv; /* number of packets received */ unsigned int bs_drop; /* number of packets dropped */ }; /* * Struct return by BIOCVERSION. This represents the version number of * the filter language described by the instruction encodings below. * nff understands a program iff kernel_major == filter_major && * kernel_minor >= filter_minor, that is, if the value returned by the * running kernel has the same major number and a minor number equal * equal to or less than the filter being downloaded. Otherwise, the * results are undefined, meaning an error may be returned or packets * may be accepted haphazardly. * It has nothing to do with the source code version. */ struct nff_version { unsigned short bv_major; unsigned short bv_minor; }; /* Current version number of filter architecture. */ #define NFF_MAJOR_VERSION 3 #define NFF_MINOR_VERSION 0 /* * NFF ioctls * * The first set is for compatibility with Sun's pcc style * header files. If your using gcc, we assume that you * have run fixincludes so the latter set should work. */ #if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) #endif /* * Structure prepended to each packet. */ struct nff_hdr { struct timeval bh_tstamp; /* time stamp */ nff_u_int32 bh_caplen; /* length of captured portion */ nff_u_int32 bh_datalen; /* original length of packet */ unsigned short bh_hdrlen; /* length of nff header (this struct plus alignment padding) */ }; /* * Data-link level type codes. */ /* * These are the types that are the same on all platforms; on other * platforms, a should be supplied that defines the additional * DLT_* codes appropriately for that platform (the BSDs, for example, * should not just pick up this version of "nff.h"; they should also define * the additional DLT_* codes used by their kernels, as well as the values * defined here - and, if the values they use for particular DLT_ types * differ from those here, they should use their values, not the ones * here). */ #if !defined(DLT_NULL) #define DLT_NULL 0 /* no link-layer encapsulation */ #endif #if !defined(DLT_EN10MB) #define DLT_EN10MB 1 /* Ethernet (10Mb) */ #endif #if !defined(DLT_EN3MB) #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ #endif #if !defined(DLT_AX25) #define DLT_AX25 3 /* Amateur Radio AX.25 */ #endif #if !defined(DLT_PRONET) #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ #endif #if !defined(DLT_CHAOS) #define DLT_CHAOS 5 /* Chaos */ #endif #if !defined(DLT_IEE802) #define DLT_IEEE802 6 /* IEEE 802 Networks */ #endif #if !defined(DLT_ARCNET) #define DLT_ARCNET 7 /* ARCNET */ #endif #if !defined(DLT_SLIP) #define DLT_SLIP 8 /* Serial Line IP */ #endif #if !defined(DLT_PPP) #define DLT_PPP 9 /* Point-to-point Protocol */ #endif #if !defined(DLT_FDDI) #define DLT_FDDI 10 /* FDDI */ #endif /* * These are values from the traditional libpcap "nff.h". * Ports of this to particular platforms should replace these definitions * with the ones appropriate to that platform, if the values are * different on that platform. */ #if !defined(DLT_ATM_RFC1483) #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ #endif #if !defined(DLT_RAW) #define DLT_RAW 12 /* raw IP */ #endif /* * These are values from BSD/OS's "bpf.h". * These are not the same as the values from the traditional libpcap * "bpf.h"; however, these values shouldn't be generated by any * OS other than BSD/OS, so the correct values to use here are the * BSD/OS values. * * Platforms that have already assigned these values to other * DLT_ codes, however, should give these codes the values * from that platform, so that programs that use these codes will * continue to compile - even though they won't correctly read * files of these types. */ #if !defined(__NetBSD__) #if !defined(DLT_SLIP_BSDOS) #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif #if !defined(DLT_PPP_BSDOS) #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif #endif #if !defined(DLT_ATM_CLIP) #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ #endif /* * This value is defined by NetBSD; other platforms should refrain from * using it for other purposes, so that NetBSD savefiles with a link * type of 50 can be read as this type on all platforms. */ #if !defined(DLT_PPP_SERIAL) #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ #endif /* * This value was defined by libpcap 0.5; platforms that have defined * it with a different value should define it here with that value - * a link type of 104 in a save file will be mapped to DLT_C_HDLC, * whatever value that happens to be, so programs will correctly * handle files with that link type regardless of the value of * DLT_C_HDLC. * * The name DLT_C_HDLC was used by BSD/OS; we use that name for source * compatibility with programs written for BSD/OS. * * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, * for source compatibility with programs written for libpcap 0.5. */ #if !defined(DLT_C_HDLC) #define DLT_C_HDLC 104 /* Cisco HDLC */ #endif #if !defined(DLT_CHDLC) #define DLT_CHDLC DLT_C_HDLC #endif /* * Reserved for future use. * Do not pick other numerical value for these unless you have also * picked up the tcpdump.org top-of-CVS-tree version of "savefile.c", * which will arrange that capture files for these DLT_ types have * the same "network" value on all platforms, regardless of what * value is chosen for their DLT_ type (thus allowing captures made * on one platform to be read on other platforms, even if the two * platforms don't use the same numerical values for all DLT_ types). */ #if !defined(DLT_IEEE802_11) #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ #endif /* * Values between 106 and 107 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ new types. */ /* * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except * that the AF_ type in the link-layer header is in network byte order. * * OpenBSD defines it as 12, but that collides with DLT_RAW, so we * define it as 108 here. If OpenBSD picks up this file, it should * define DLT_LOOP as 12 in its version, as per the comment above - * and should not use 108 for any purpose. */ #if !defined(DLT_LOOP) #define DLT_LOOP 108 #endif /* * Values between 109 and 112 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ new types. */ /* * This is for Linux cooked sockets. */ #if !defined(DLT_LINUX_SLL) #define DLT_LINUX_SLL 113 #endif /* * The instruction encodings. */ /* instruction classes */ #define NFF_CLASS(code) ((code) & 0x0007) #define NFF_LD 0x0000 #define NFF_LDX 0x0001 #define NFF_ST 0x0002 #define NFF_STX 0x0003 #define NFF_ALU 0x0004 #define NFF_JMP 0x0005 #define NFF_RET 0x0006 #define NFF_MISC 0x0007 /* ld/ldx fields */ #define NFF_SIZE(code) ((code) & 0x004F) #define NFF_W 0x0000 #define NFF_H 0x0008 #define NFF_B 0x0010 #define NFF_L 0x0020 #define NFF_D 0x0040 #define NFF_F 0x0080 /* misc */ #define NFF_MISCOP(code) ((code) & 0x100) #define NFF_TAX 0x0000 #define NFF_TXA 0x0100 #define NFF_MODE(code) ((code) & 0x0e00) #define NFF_IMM 0x0000 #define NFF_ABS 0x0200 #define NFF_IND 0x0400 #define NFF_MEM 0x0600 #define NFF_LEN 0x0800 #define NFF_MSH 0x0a00 #define NFF_DSR 0x0c00 /* alu/jmp fields */ #define NFF_OP(code) ((code) & 0xf000) #define NFF_ADD 0x0000 #define NFF_SUB 0x1000 #define NFF_MUL 0x2000 #define NFF_DIV 0x3000 #define NFF_OR 0x4000 #define NFF_AND 0x5000 #define NFF_LSH 0x6000 #define NFF_RSH 0x7000 #define NFF_NEG 0x8000 #define NFF_JA 0x0000 #define NFF_JEQ 0x1000 #define NFF_JGT 0x2000 #define NFF_JGE 0x3000 #define NFF_JSET 0x4000 #define NFF_SRC(code) ((code) & 0x0008) #define NFF_K 0x0000 #define NFF_X 0x0008 /* ret - NFF_K and NFF_X also apply */ #define NFF_RVAL(code) ((code) & 0x0018) #define NFF_A 0x0010 /* * The instruction data structure. */ struct nff_insn { int dsr, type; unsigned short code; unsigned char jt; unsigned char jf; union { int i; float f; char s[8]; nff_int64 k; } data; }; /* * Macros for insn array initializers. */ #define NFF_STMT(code, k) { (unsigned short)(code), 0, 0, k } #define NFF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k } #if defined(BSD) && (defined(KERNEL) || defined(_KERNEL)) /* * Systems based on non-BSD kernels don't have ifnet's (or they don't mean * anything if it is in ) and won't work like this. */ # if __STDC__ extern void nff_tap(struct ifnet *, unsigned char *, unsigned int); extern void nff_mtap(struct ifnet *, struct mbuf *); extern void nffattach(struct ifnet *, unsigned int, unsigned int); extern void nffilterattach(int); # else extern void nff_tap(); extern void nff_mtap(); extern void nffattach(); extern void nffilterattach(); # endif /* __STDC__ */ #endif /* BSD && (_KERNEL || KERNEL) */ #if __STDC__ extern int nff_validate(struct nff_insn *, int); extern unsigned int nff_filter(struct nff_insn *, unsigned char *, unsigned int, unsigned int); #else extern int nff_validate(); extern unsigned int nff_filter(); #endif /* * Number of scratch memory words (for NFF_LD|NFF_MEM and NFF_ST). */ #define NFF_MEMWORDS 16 #endif argus-3.0.8.2/include/net/ppp.h000444 000765 000024 00000006753 12513222401 016610 0ustar00carterstaff000000 000000 /* * Point to Point Protocol (PPP) RFC1331 * * Copyright 1989 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/argus/argus/include/net/ppp.h#4 $ * $DateTime: 2011/01/26 17:31:56 $ * $Change: 2094 $ */ #if !defined(ARGUS_PPP_H) #define ARGUS_PPP_H #define PPP_HDRLEN 4 /* length of PPP header */ #define PPP_ADDRESS 0xff /* The address byte value */ #define PPP_CONTROL 0x03 /* The control byte value */ #define PPP_WITHDIRECTION_IN 0x00 /* non-standard for DLT_PPP_WITHDIRECTION */ #define PPP_WITHDIRECTION_OUT 0x01 /* non-standard for DLT_PPP_WITHDIRECTION */ /* Protocol numbers */ #define PPP_IP 0x0021 /* Raw IP */ #define PPP_OSI 0x0023 /* OSI Network Layer */ #define PPP_NS 0x0025 /* Xerox NS IDP */ #define PPP_DECNET 0x0027 /* DECnet Phase IV */ #define PPP_APPLE 0x0029 /* Appletalk */ #define PPP_IPX 0x002b /* Novell IPX */ #define PPP_VJC 0x002d /* Van Jacobson Compressed TCP/IP */ #define PPP_VJNC 0x002f /* Van Jacobson Uncompressed TCP/IP */ #define PPP_BRPDU 0x0031 /* Bridging PDU */ #define PPP_STII 0x0033 /* Stream Protocol (ST-II) */ #define PPP_VINES 0x0035 /* Banyan Vines */ #define PPP_IPV6 0x0057 /* IPv6 */ #define PPP_COMP 0x00fd /* Compressed Datagram */ #define PPP_HELLO 0x0201 /* 802.1d Hello Packets */ #define PPP_LUXCOM 0x0231 /* Luxcom */ #define PPP_SNS 0x0233 /* Sigma Network Systems */ #define PPP_MPLS_UCAST 0x0281 /* MPLS unicast */ #define PPP_MPLS_MCAST 0x0283 /* MPLS broadcast */ #define PPP_IPCP 0x8021 /* IP Control Protocol */ #define PPP_OSICP 0x8023 /* OSI Network Layer Control Protocol */ #define PPP_NSCP 0x8025 /* Xerox NS IDP Control Protocol */ #define PPP_DECNETCP 0x8027 /* DECnet Control Protocol */ #define PPP_APPLECP 0x8029 /* Appletalk Control Protocol */ #define PPP_IPXCP 0x802b /* Novell IPX Control Protocol */ #define PPP_STIICP 0x8033 /* Strean Protocol Control Protocol */ #define PPP_VINESCP 0x8035 /* Banyan Vines Control Protocol */ #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ #define PPP_CCP 0x80fd /* Compress Control Protocol */ #define PPP_LCP 0xc021 /* Link Control Protocol */ #define PPP_PAP 0xc023 /* Password Authentication Protocol */ #define PPP_LQM 0xc025 /* Link Quality Monitoring */ #define PPP_CHAP 0xc223 /* Challenge Handshake Authentication Protocol */ #define PPP_BACP 0xc02b /* Bandwidth Allocation Control Protocol */ #define PPP_BAP 0xc02d /* BAP */ #define PPP_MP 0xc03d /* Multi-Link */ #define PPP_LCP_CONF_REQ 1 #define PPP_LCP_CONF_ACK 2 #define PPP_LCP_CONF_NACK 3 #define PPP_LCP_CONF_REJ 4 #define PPP_LCP_TERM_REQ 5 #define PPP_LCP_TERM_ACK 6 #define PPP_LCP_CODE_REJ 7 #define PPP_LCP_PROTO_REJ 8 #define PPP_LCP_ECHO_REQ 9 #define PPP_LCP_ECHO_REPLY 10 #define PPP_LCP_DISCARD 11 struct lcp_hdr { unsigned char code, id; unsigned short length; }; #endif argus-3.0.8.2/include/net/slcompress.h000444 000765 000024 00000007441 12513222401 020176 0ustar00carterstaff000000 000000 /* * Definitions for tcp compression routines. * * Copyright (c) 1989, 1990, 1992, 1993 Regents of the University of * California. All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Berkeley. The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Van Jacobson (van@ee.lbl.gov), Dec 31, 1989: * - Initial distribution. */ /* * $Id: //depot/argus/argus/include/net/slcompress.h#3 $ * $DateTime: 2011/01/26 17:31:56 $ * $Change: 2094 $ */ #define MAX_STATES 16 /* must be > 2 and < 256 */ #define MAX_HDR MLEN /* XXX 4bsd-ism: should really be 128 */ /* * Compressed packet format: * * The first octet contains the packet type (top 3 bits), TCP * 'push' bit, and flags that indicate which of the 4 TCP sequence * numbers have changed (bottom 5 bits). The next octet is a * conversation number that associates a saved IP/TCP header with * the compressed packet. The next two octets are the TCP checksum * from the original datagram. The next 0 to 15 octets are * sequence number changes, one change per bit set in the header * (there may be no changes and there are two special cases where * the receiver implicitly knows what changed -- see below). * * There are 5 numbers which can change (they are always inserted * in the following order): TCP urgent pointer, window, * acknowlegement, sequence number and IP ID. (The urgent pointer * is different from the others in that its value is sent, not the * change in value.) Since typical use of SLIP links is biased * toward small packets (see comments on MTU/MSS below), changes * use a variable length coding with one octet for numbers in the * range 1 - 255 and 3 octets (0, MSB, LSB) for numbers in the * range 256 - 65535 or 0. (If the change in sequence number or * ack is more than 65535, an uncompressed packet is sent.) */ /* * Packet types (must not conflict with IP protocol version) * * The top nibble of the first octet is the packet type. There are * three possible types: IP (not proto TCP or tcp with one of the * control flags set); uncompressed TCP (a normal IP/TCP packet but * with the 8-bit protocol field replaced by an 8-bit connection id -- * this type of packet syncs the sender & receiver); and compressed * TCP (described above). * * LSB of 4-bit field is TCP "PUSH" bit (a worthless anachronism) and * is logically part of the 4-bit "changes" field that follows. Top * three bits are actual packet type. For backward compatibility * and in the interest of conserving bits, numbers are chosen so the * IP protocol version number (4) which normally appears in this nibble * means "IP packet". */ /* packet types */ #define TYPE_IP 0x40 #define TYPE_UNCOMPRESSED_TCP 0x70 #define TYPE_COMPRESSED_TCP 0x80 #define TYPE_ERROR 0x00 /* Bits in first octet of compressed packet */ #define NEW_C 0x40 /* flag bits for what changed in a packet */ #define NEW_I 0x20 #define NEW_S 0x08 #define NEW_A 0x04 #define NEW_W 0x02 #define NEW_U 0x01 /* reserved, special-case values of above */ #define SPECIAL_I (NEW_S|NEW_W|NEW_U) /* echoed interactive traffic */ #define SPECIAL_D (NEW_S|NEW_A|NEW_W|NEW_U) /* unidirectional data */ #define SPECIALS_MASK (NEW_S|NEW_A|NEW_W|NEW_U) #define TCP_PUSH_BIT 0x10 argus-3.0.8.2/include/net/slip.h000444 000765 000024 00000002117 12513222401 016746 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/net/slip.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* linux does not give us the link level header */ #define SLIP_HDRLEN 16 #define SLX_DIR 0 #define SLX_CHDR 1 #define CHDR_LEN 15 #define SLIPDIR_IN 0 #define SLIPDIR_OUT 1 argus-3.0.8.2/include/cygwin-include/linux/000755 000765 000024 00000000000 12513222401 021121 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/cygwin-include/net/000755 000765 000024 00000000000 12513222401 020550 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/cygwin-include/netinet/000755 000765 000024 00000000000 12513222401 021430 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/cygwin-include/protocols/000755 000765 000024 00000000000 12513222401 022006 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/cygwin-include/sys/000755 000765 000024 00000000000 12513222401 020600 5ustar00carterstaff000000 000000 argus-3.0.8.2/include/cygwin-include/sys/mbuf.h000444 000765 000024 00000000061 12513222401 021675 0ustar00carterstaff000000 000000 /* * $Id: $ * $DateTime: $ * $Change: $ */ argus-3.0.8.2/include/cygwin-include/protocols/routed.h000444 000765 000024 00000004444 12513222401 023465 0ustar00carterstaff000000 000000 /* @(#)routed.h 1.9 88/08/19 SMI; from UCB 5.1 6/4/85 */ /* * Copyright (c) 1983 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Routing Information Protocol * * Derived from Xerox NS Routing Information Protocol * by changing 32-bit net numbers to sockaddr's and * padding stuff to 32-bit boundaries. */ #ifndef _protocols_routed_h #define _protocols_routed_h #define RIPVERSION 1 struct netinfo { struct sockaddr rip_dst; /* destination net/host */ int rip_metric; /* cost of route */ }; struct rip { u_char rip_cmd; /* request/response */ u_char rip_vers; /* protocol version # */ u_char rip_res1[2]; /* pad to 32-bit boundary */ union { struct netinfo ru_nets[1]; /* variable length... */ char ru_tracefile[1]; /* ditto ... */ } ripun; #define rip_nets ripun.ru_nets #define rip_tracefile ripun.ru_tracefile }; struct entryinfo { struct sockaddr rtu_dst; struct sockaddr rtu_router; short rtu_flags; short rtu_state; int rtu_timer; int rtu_metric; int int_flags; char int_name[16]; }; /* * Packet types. */ #define RIPCMD_REQUEST 1 /* want info - from suppliers */ #define RIPCMD_RESPONSE 2 /* responding to request */ #define RIPCMD_TRACEON 3 /* turn tracing on */ #define RIPCMD_TRACEOFF 4 /* turn it off */ #define RIPCMD_POLL 5 /* like request, but anyone answers */ #define RIPCMD_POLLENTRY 6 /* like poll, but for entire entry */ #define RIPCMD_MAX 7 #ifdef RIPCMDS char *ripcmds[RIPCMD_MAX] = { "#0", "REQUEST", "RESPONSE", "TRACEON", "TRACEOFF", "POLL", "POLLENTRY" }; #endif #define HOPCNT_INFINITY 16 /* per Xerox NS */ #define MAXPACKETSIZE 512 /* max broadcast size */ /* * Timer values used in managing the routing table. * Every update forces an entry's timer to be reset. After * EXPIRE_TIME without updates, the entry is marked invalid, * but held onto until GARBAGE_TIME so that others may * see it "be deleted". */ #define TIMER_RATE 30 /* alarm clocks every 30 seconds */ #define SUPPLY_INTERVAL 30 /* time to supply tables */ #define EXPIRE_TIME 180 /* time to mark entry invalid */ #define GARBAGE_TIME 240 /* time to garbage collect */ #endif /*!_protocols_routed_h*/ argus-3.0.8.2/include/cygwin-include/netinet/icmp6.h000444 000765 000024 00000021242 12513222401 022616 0ustar00carterstaff000000 000000 /* Copyright (C) 1991,92,93,94,95,96,97,2000 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_ICMP6_H #define _NETINET_ICMP6_H 1 #include #include #include #include #define ICMP6_FILTER 1 #define ICMP6_FILTER_BLOCK 1 #define ICMP6_FILTER_PASS 2 #define ICMP6_FILTER_BLOCKOTHERS 3 #define ICMP6_FILTER_PASSONLY 4 struct icmp6_filter { uint32_t data[8]; }; struct icmp6_hdr { uint8_t icmp6_type; /* type field */ uint8_t icmp6_code; /* code field */ uint16_t icmp6_cksum; /* checksum field */ union { uint32_t icmp6_un_data32[1]; /* type-specific field */ uint16_t icmp6_un_data16[2]; /* type-specific field */ uint8_t icmp6_un_data8[4]; /* type-specific field */ } icmp6_dataun; }; #define icmp6_data32 icmp6_dataun.icmp6_un_data32 #define icmp6_data16 icmp6_dataun.icmp6_un_data16 #define icmp6_data8 icmp6_dataun.icmp6_un_data8 #define icmp6_pptr icmp6_data32[0] /* parameter prob */ #define icmp6_mtu icmp6_data32[0] /* packet too big */ #define icmp6_id icmp6_data16[0] /* echo request/reply */ #define icmp6_seq icmp6_data16[1] /* echo request/reply */ #define icmp6_maxdelay icmp6_data16[0] /* mcast group membership */ #define ICMP6_DST_UNREACH 1 #define ICMP6_PACKET_TOO_BIG 2 #define ICMP6_TIME_EXCEEDED 3 #define ICMP6_PARAM_PROB 4 #define ICMP6_INFOMSG_MASK 0x80 /* all informational messages */ #define ICMP6_ECHO_REQUEST 128 #define ICMP6_ECHO_REPLY 129 #define ICMP6_MEMBERSHIP_QUERY 130 #define ICMP6_MEMBERSHIP_REPORT 131 #define ICMP6_MEMBERSHIP_REDUCTION 132 #define ICMP6_DST_UNREACH_NOROUTE 0 /* no route to destination */ #define ICMP6_DST_UNREACH_ADMIN 1 /* communication with destination */ /* administratively prohibited */ #define ICMP6_DST_UNREACH_NOTNEIGHBOR 2 /* not a neighbor */ #define ICMP6_DST_UNREACH_ADDR 3 /* address unreachable */ #define ICMP6_DST_UNREACH_NOPORT 4 /* bad port */ #define ICMP6_TIME_EXCEED_TRANSIT 0 /* Hop Limit == 0 in transit */ #define ICMP6_TIME_EXCEED_REASSEMBLY 1 /* Reassembly time out */ #define ICMP6_PARAMPROB_HEADER 0 /* erroneous header field */ #define ICMP6_PARAMPROB_NEXTHEADER 1 /* unrecognized Next Header */ #define ICMP6_PARAMPROB_OPTION 2 /* unrecognized IPv6 option */ #define ICMP6_FILTER_WILLPASS(type, filterp) \ ((((filterp)->data[(type) >> 5]) & (1 << ((type) & 31))) == 0) #define ICMP6_FILTER_WILLBLOCK(type, filterp) \ ((((filterp)->data[(type) >> 5]) & (1 << ((type) & 31))) != 0) #define ICMP6_FILTER_SETPASS(type, filterp) \ ((((filterp)->data[(type) >> 5]) &= ~(1 << ((type) & 31)))) #define ICMP6_FILTER_SETBLOCK(type, filterp) \ ((((filterp)->data[(type) >> 5]) |= (1 << ((type) & 31)))) #define ICMP6_FILTER_SETPASSALL(filterp) \ memset (filterp, 0, sizeof (struct icmp6_filter)); #define ICMP6_FILTER_SETBLOCKALL(filterp) \ memset (filterp, 0xFF, sizeof (struct icmp6_filter)); #define ND_ROUTER_SOLICIT 133 #define ND_ROUTER_ADVERT 134 #define ND_NEIGHBOR_SOLICIT 135 #define ND_NEIGHBOR_ADVERT 136 #define ND_REDIRECT 137 struct nd_router_solicit /* router solicitation */ { struct icmp6_hdr nd_rs_hdr; /* could be followed by options */ }; #define nd_rs_type nd_rs_hdr.icmp6_type #define nd_rs_code nd_rs_hdr.icmp6_code #define nd_rs_cksum nd_rs_hdr.icmp6_cksum #define nd_rs_reserved nd_rs_hdr.icmp6_data32[0] struct nd_router_advert /* router advertisement */ { struct icmp6_hdr nd_ra_hdr; uint32_t nd_ra_reachable; /* reachable time */ uint32_t nd_ra_retransmit; /* retransmit timer */ /* could be followed by options */ }; #define nd_ra_type nd_ra_hdr.icmp6_type #define nd_ra_code nd_ra_hdr.icmp6_code #define nd_ra_cksum nd_ra_hdr.icmp6_cksum #define nd_ra_curhoplimit nd_ra_hdr.icmp6_data8[0] #define nd_ra_flags_reserved nd_ra_hdr.icmp6_data8[1] #define ND_RA_FLAG_MANAGED 0x80 #define ND_RA_FLAG_OTHER 0x40 #define ND_RA_FLAG_HOME_AGENT 0x20 #define nd_ra_router_lifetime nd_ra_hdr.icmp6_data16[1] struct nd_neighbor_solicit /* neighbor solicitation */ { struct icmp6_hdr nd_ns_hdr; struct in6_addr nd_ns_target; /* target address */ /* could be followed by options */ }; #define nd_ns_type nd_ns_hdr.icmp6_type #define nd_ns_code nd_ns_hdr.icmp6_code #define nd_ns_cksum nd_ns_hdr.icmp6_cksum #define nd_ns_reserved nd_ns_hdr.icmp6_data32[0] struct nd_neighbor_advert /* neighbor advertisement */ { struct icmp6_hdr nd_na_hdr; struct in6_addr nd_na_target; /* target address */ /* could be followed by options */ }; #define nd_na_type nd_na_hdr.icmp6_type #define nd_na_code nd_na_hdr.icmp6_code #define nd_na_cksum nd_na_hdr.icmp6_cksum #define nd_na_flags_reserved nd_na_hdr.icmp6_data32[0] #if BYTE_ORDER == BIG_ENDIAN #define ND_NA_FLAG_ROUTER 0x80000000 #define ND_NA_FLAG_SOLICITED 0x40000000 #define ND_NA_FLAG_OVERRIDE 0x20000000 #else /* BYTE_ORDER == LITTLE_ENDIAN */ #define ND_NA_FLAG_ROUTER 0x00000080 #define ND_NA_FLAG_SOLICITED 0x00000040 #define ND_NA_FLAG_OVERRIDE 0x00000020 #endif struct nd_redirect /* redirect */ { struct icmp6_hdr nd_rd_hdr; struct in6_addr nd_rd_target; /* target address */ struct in6_addr nd_rd_dst; /* destination address */ /* could be followed by options */ }; #define nd_rd_type nd_rd_hdr.icmp6_type #define nd_rd_code nd_rd_hdr.icmp6_code #define nd_rd_cksum nd_rd_hdr.icmp6_cksum #define nd_rd_reserved nd_rd_hdr.icmp6_data32[0] struct nd_opt_hdr /* Neighbor discovery option header */ { uint8_t nd_opt_type; uint8_t nd_opt_len; /* in units of 8 octets */ /* followed by option specific data */ }; #define ND_OPT_SOURCE_LINKADDR 1 #define ND_OPT_TARGET_LINKADDR 2 #define ND_OPT_PREFIX_INFORMATION 3 #define ND_OPT_REDIRECTED_HEADER 4 #define ND_OPT_MTU 5 #define ND_OPT_RTR_ADV_INTERVAL 7 #define ND_OPT_HOME_AGENT_INFO 8 struct nd_opt_prefix_info /* prefix information */ { uint8_t nd_opt_pi_type; uint8_t nd_opt_pi_len; uint8_t nd_opt_pi_prefix_len; uint8_t nd_opt_pi_flags_reserved; uint32_t nd_opt_pi_valid_time; uint32_t nd_opt_pi_preferred_time; uint32_t nd_opt_pi_reserved2; struct in6_addr nd_opt_pi_prefix; }; #define ND_OPT_PI_FLAG_ONLINK 0x80 #define ND_OPT_PI_FLAG_AUTO 0x40 #define ND_OPT_PI_FLAG_RADDR 0x20 struct nd_opt_rd_hdr /* redirected header */ { uint8_t nd_opt_rh_type; uint8_t nd_opt_rh_len; uint16_t nd_opt_rh_reserved1; uint32_t nd_opt_rh_reserved2; /* followed by IP header and data */ }; struct nd_opt_mtu /* MTU option */ { uint8_t nd_opt_mtu_type; uint8_t nd_opt_mtu_len; uint16_t nd_opt_mtu_reserved; uint32_t nd_opt_mtu_mtu; }; /* Mobile IPv6 extension: Advertisement Interval. */ struct nd_opt_adv_interval { uint8_t nd_opt_adv_interval_type; uint8_t nd_opt_adv_interval_len; uint16_t nd_opt_adv_interval_reserved; uint32_t nd_opt_adv_interval_ival; }; /* Mobile IPv6 extension: Home Agent Info. */ struct nd_opt_home_agent_info { uint8_t nd_opt_home_agent_info_type; uint8_t nd_opt_home_agent_info_len; uint16_t nd_opt_home_agent_info_reserved; int16_t nd_opt_home_agent_info_preference; uint16_t nd_opt_home_agent_info_lifetime; }; #endif /* netinet/icmpv6.h */ argus-3.0.8.2/include/cygwin-include/netinet/if_ether.h000444 000765 000024 00000003700 12513222401 023364 0ustar00carterstaff000000 000000 /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. * * @(#)if_ether.h 1.28 89/08/04 SMI; from UCB 7.2 12/7/87 */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _netinet_if_ether_h #define _netinet_if_ether_h #if !defined(__OpenBSD__) #include #endif /* * Ethernet address - 6 octets */ struct ether_addr { u_char ether_addr_octet[6]; }; /* * Structure of a 10Mb/s Ethernet header. */ struct ether_header { u_char ether_dhost[6]; u_char ether_shost[6]; u_short ether_type; }; #define ETHERTYPE_PUP 0x0200 /* PUP protocol */ #define ETHERTYPE_IP 0x0800 /* IP protocol */ #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #define ETHERTYPE_REVARP 0x8035 /* Reverse ARP */ #define ETHERTYPE_TRAIL 0x1000 /* * Ethernet Address Resolution Protocol. * * See RFC 826 for protocol description. Structure below is adapted * to resolving internet addresses. Field names used correspond to * RFC 826. */ struct ether_arp { struct arphdr ea_hdr; /* fixed-size header */ struct ether_addr arp_sha; /* sender hardware address */ u_char arp_spa[4]; /* sender protocol address */ struct ether_addr arp_tha; /* target hardware address */ u_char arp_tpa[4]; /* target protocol address */ }; #define arp_hrd ea_hdr.ar_hrd #define arp_pro ea_hdr.ar_pro #define arp_hln ea_hdr.ar_hln #define arp_pln ea_hdr.ar_pln #define arp_op ea_hdr.ar_op #define ETHERMTU 1500 #endif argus-3.0.8.2/include/cygwin-include/netinet/igmp.h000444 000765 000024 00000006630 12513222401 022540 0ustar00carterstaff000000 000000 /* Copyright (C) 1997, 1999 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_IGMP_H #define _NETINET_IGMP_H 1 #include #include #include #include #include __BEGIN_DECLS /* * Copyright (c) 1988 Stephen Deering. * Copyright (c) 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Stephen Deering of Stanford University. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)igmp.h 8.1 (Berkeley) 6/10/93 * $FreeBSD$ */ struct igmp { u_int8_t igmp_type; /* IGMP type */ u_int8_t igmp_code; /* routing code */ u_int16_t igmp_cksum; /* checksum */ struct in_addr igmp_group; /* group address */ }; /* * Message types, including version number. */ #define IGMP_MEMBERSHIP_QUERY 0x11 /* membership query */ #define IGMP_V1_MEMBERSHIP_REPORT 0x12 /* Ver. 1 membership report */ #define IGMP_V2_MEMBERSHIP_REPORT 0x16 /* Ver. 2 membership report */ #define IGMP_V2_LEAVE_GROUP 0x17 /* Leave-group message */ __END_DECLS #endif /* netinet/igmp.h */ argus-3.0.8.2/include/cygwin-include/netinet/ip6.h000444 000765 000024 00000007221 12513222401 022277 0ustar00carterstaff000000 000000 /* Copyright (C) 1991-1997, 2001 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_IP6_H #define _NETINET_IP6_H 1 #include #include struct ip6_hdr { union { struct ip6_hdrctl { uint32_t ip6_un1_flow; /* 4 bits version, 8 bits TC, 20 bits flow-ID */ uint16_t ip6_un1_plen; /* payload length */ uint8_t ip6_un1_nxt; /* next header */ uint8_t ip6_un1_hlim; /* hop limit */ } ip6_un1; uint8_t ip6_un2_vfc; /* 4 bits version, top 4 bits tclass */ } ip6_ctlun; struct in6_addr ip6_src; /* source address */ struct in6_addr ip6_dst; /* destination address */ }; #define ip6_vfc ip6_ctlun.ip6_un2_vfc #define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow #define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen #define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt #define ip6_hlim ip6_ctlun.ip6_un1.ip6_un1_hlim #define ip6_hops ip6_ctlun.ip6_un1.ip6_un1_hlim /* Hop-by-Hop options header. */ struct ip6_hbh { uint8_t ip6h_nxt; /* next hesder. */ uint8_t ip6h_len; /* length in units of 8 octets. */ /* followed by options */ }; /* Destination options header */ struct ip6_dest { uint8_t ip6d_nxt; /* next header */ uint8_t ip6d_len; /* length in units of 8 octets */ /* followed by options */ }; /* Routing header */ struct ip6_rthdr { uint8_t ip6r_nxt; /* next header */ uint8_t ip6r_len; /* length in units of 8 octets */ uint8_t ip6r_type; /* routing type */ uint8_t ip6r_segleft; /* segments left */ /* followed by routing type specific data */ }; /* Type 0 Routing header */ struct ip6_rthdr0 { uint8_t ip6r0_nxt; /* next header */ uint8_t ip6r0_len; /* length in units of 8 octets */ uint8_t ip6r0_type; /* always zero */ uint8_t ip6r0_segleft; /* segments left */ uint8_t ip6r0_reserved; /* reserved field */ uint8_t ip6r0_slmap[3]; /* strict/loose bit map */ struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */ }; /* Fragment header */ struct ip6_frag { uint8_t ip6f_nxt; /* next header */ uint8_t ip6f_reserved; /* reserved field */ uint16_t ip6f_offlg; /* offset, reserved, and flag */ uint32_t ip6f_ident; /* identification */ }; #if BYTE_ORDER == BIG_ENDIAN #define IP6F_OFF_MASK 0xfff8 /* mask out offset from _offlg */ #define IP6F_RESERVED_MASK 0x0006 /* reserved bits in ip6f_offlg */ #define IP6F_MORE_FRAG 0x0001 /* more-fragments flag */ #else /* BYTE_ORDER == LITTLE_ENDIAN */ #define IP6F_OFF_MASK 0xf8ff /* mask out offset from _offlg */ #define IP6F_RESERVED_MASK 0x0600 /* reserved bits in ip6f_offlg */ #define IP6F_MORE_FRAG 0x0100 /* more-fragments flag */ #endif #endif /* netinet/ip6.h */ argus-3.0.8.2/include/cygwin-include/netinet/ip_icmp.h000444 000765 000024 00000011625 12513222401 023224 0ustar00carterstaff000000 000000 /* @(#)ip_icmp.h 1.9 88/08/19 SMI; from UCB 7.3 12/7/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Interface Control Message Protocol Definitions. * Per RFC 792, September 1981. */ #ifndef _netinet_ip_icmp_h #define _netinet_ip_icmp_h /* * Structure of an icmp header. */ struct icmp { u_char icmp_type; /* type of message, see below */ u_char icmp_code; /* type sub code */ u_short icmp_cksum; /* ones complement cksum of struct */ union { u_char ih_pptr; /* ICMP_PARAMPROB */ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ struct ih_idseq { n_short icd_id; n_short icd_seq; } ih_idseq; int ih_void; } icmp_hun; #define icmp_pptr icmp_hun.ih_pptr #define icmp_gwaddr icmp_hun.ih_gwaddr #define icmp_id icmp_hun.ih_idseq.icd_id #define icmp_seq icmp_hun.ih_idseq.icd_seq #define icmp_void icmp_hun.ih_void union { struct id_ts { n_time its_otime; n_time its_rtime; n_time its_ttime; } id_ts; struct id_ip { struct ip idi_ip; /* options and then 64 bits of data */ } id_ip; u_long id_mask; char id_data[1]; } icmp_dun; #define icmp_otime icmp_dun.id_ts.its_otime #define icmp_rtime icmp_dun.id_ts.its_rtime #define icmp_ttime icmp_dun.id_ts.its_ttime #define icmp_ip icmp_dun.id_ip.idi_ip #define icmp_mask icmp_dun.id_mask #define icmp_data icmp_dun.id_data }; /* * Lower bounds on packet lengths for various types. * For the error advice packets must first insure that the * packet is large enought to contain the returned ip header. * Only then can we do the check to see if 64 bits of packet * data have been returned, since we need to check the returned * ip header length. */ #define ICMP_MINLEN 8 /* abs minimum */ #define ICMP_TSLEN (8 + 3 * sizeof (n_time)) /* timestamp */ #define ICMP_MASKLEN 12 /* address mask */ #define ICMP_ADVLENMIN (8 + sizeof (struct ip) + 8) /* min */ #define ICMP_ADVLEN(p) (8 + ((p)->icmp_ip.ip_hl << 2) + 8) /* N.B.: must separately check that ip_hl >= 5 */ /* * Definition of type and code field values. */ #define ICMP_ECHOREPLY 0 /* echo reply */ #define ICMP_UNREACH 3 /* dest unreachable, codes: */ #define ICMP_UNREACH_NET 0 /* bad net */ #define ICMP_UNREACH_HOST 1 /* bad host */ #define ICMP_UNREACH_PROTOCOL 2 /* bad protocol */ #define ICMP_UNREACH_PORT 3 /* bad port */ #define ICMP_UNREACH_NEEDFRAG 4 /* IP_DF caused drop */ #define ICMP_UNREACH_SRCFAIL 5 /* src route failed */ #define ICMP_UNREACH_NET_UNKNOWN 6 /* unknown net */ #define ICMP_UNREACH_HOST_UNKNOWN 7 /* unknown host */ #define ICMP_UNREACH_ISOLATED 8 /* src host isolated */ #define ICMP_UNREACH_NET_PROHIB 9 /* net denied */ #define ICMP_UNREACH_HOST_PROHIB 10 /* host denied */ #define ICMP_UNREACH_TOSNET 11 /* bad tos for net */ #define ICMP_UNREACH_TOSHOST 12 /* bad tos for host */ #define ICMP_UNREACH_FILTER_PROHIB 13 /* admin prohib */ #define ICMP_UNREACH_HOST_PRECEDENCE 14 /* host prec vio. */ #define ICMP_UNREACH_PRECEDENCE_CUTOFF 15 /* prec cutoff */ #define ICMP_SOURCEQUENCH 4 /* packet lost, slow down */ #define ICMP_REDIRECT 5 /* shorter route, codes: */ #define ICMP_REDIRECT_NET 0 /* for network */ #define ICMP_REDIRECT_HOST 1 /* for host */ #define ICMP_REDIRECT_TOSNET 2 /* for tos and net */ #define ICMP_REDIRECT_TOSHOST 3 /* for tos and host */ #define ICMP_ECHO 8 /* echo service */ #define ICMP_ROUTERADVERT 9 /* router advertisement */ #define ICMP_ROUTERSOLICIT 10 /* router solicitation */ #define ICMP_TIMXCEED 11 /* time exceeded, code: */ #define ICMP_TIMXCEED_INTRANS 0 /* ttl==0 in transit */ #define ICMP_TIMXCEED_REASS 1 /* ttl==0 in reass */ #define ICMP_PARAMPROB 12 /* ip header bad */ #define ICMP_PARAMPROB_OPTABSENT 1 /* req. opt. absent */ #define ICMP_TSTAMP 13 /* timestamp request */ #define ICMP_TSTAMPREPLY 14 /* timestamp reply */ #define ICMP_IREQ 15 /* information request */ #define ICMP_IREQREPLY 16 /* information reply */ #define ICMP_MASKREQ 17 /* address mask request */ #define ICMP_MASKREPLY 18 /* address mask reply */ #define ICMP_MAXTYPE 18 #define ICMP_INFOTYPE(type) \ ((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \ (type) == ICMP_ROUTERADVERT || (type) == ICMP_ROUTERSOLICIT || \ (type) == ICMP_TSTAMP || (type) == ICMP_TSTAMPREPLY || \ (type) == ICMP_IREQ || (type) == ICMP_IREQREPLY || \ (type) == ICMP_MASKREQ || (type) == ICMP_MASKREPLY) #endif /*!_netinet_ip_icmp_h*/ argus-3.0.8.2/include/cygwin-include/netinet/ip_var.h000444 000765 000024 00000006176 12513222401 023071 0ustar00carterstaff000000 000000 /* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Overlay for ip header used by other protocols (tcp, udp). */ #ifndef _netinet_ip_var_h #define _netinet_ip_var_h struct ipovly { caddr_t ih_next, ih_prev; /* for protocol sequence q's */ u_char ih_x1; /* (unused) */ u_char ih_pr; /* protocol */ short ih_len; /* protocol length */ struct in_addr ih_src; /* source internet address */ struct in_addr ih_dst; /* destination internet address */ }; /* * Ip reassembly queue structure. Each fragment * being reassembled is attached to one of these structures. * They are timed out after ipq_ttl drops to 0, and may also * be reclaimed if memory becomes tight. */ struct ipq { struct ipq *next,*prev; /* to other reass headers */ u_char ipq_ttl; /* time for reass q to live */ u_char ipq_p; /* protocol of this fragment */ u_short ipq_id; /* sequence id for reassembly */ struct ipasfrag *ipq_next,*ipq_prev; /* to ip headers of fragments */ struct in_addr ipq_src,ipq_dst; }; /* * Ip header, when holding a fragment. * * Note: ipf_next must be at same offset as ipq_next above */ struct ipasfrag { #if __BYTE_ORDER == __LITTLE_ENDIAN u_char ip_hl:4, ip_v:4; #endif #if __BYTE_ORDER == __BIG_ENDIAN u_char ip_v:4, ip_hl:4; #endif u_char ipf_mff; /* copied from (ip_off&IP_MF) */ short ip_len; u_short ip_id; short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; struct ipasfrag *ipf_next; /* next fragment */ struct ipasfrag *ipf_prev; /* previous fragment */ }; /* * Structure stored in mbuf in inpcb.ip_options * and passed to ip_output when ip options are in use. * The actual length of the options (including ipopt_dst) * is in m_len. */ #define MAX_IPOPTLEN 40 struct ipoption { struct in_addr ipopt_dst; /* first-hop dst if source routed */ char ipopt_list[MAX_IPOPTLEN]; /* options proper */ }; struct ipstat { long ips_total; /* total packets received */ long ips_badsum; /* checksum bad */ long ips_tooshort; /* packet too short */ long ips_toosmall; /* not enough data */ long ips_badhlen; /* ip header length < data size */ long ips_badlen; /* ip length < ip header length */ long ips_fragments; /* fragments received */ long ips_fragdropped; /* frags dropped (dups, out of space) */ long ips_fragtimeout; /* fragments timed out */ long ips_forward; /* packets forwarded */ long ips_cantforward; /* packets rcvd for unreachable dest */ long ips_redirectsent; /* packets forwarded on same net */ }; #ifdef KERNEL /* flags passed to ip_output as last parameter */ #define IP_FORWARDING 0x1 /* most of ip header exists */ #define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */ #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */ struct ipstat ipstat; struct ipq ipq; /* ip reass. queue */ u_short ip_id; /* ip packet ctr, for ids */ struct mbuf *ip_srcroute(); #endif #endif /*!_netinet_ip_var_h*/ argus-3.0.8.2/include/cygwin-include/netinet/tcp_var.h000444 000765 000024 00000014354 12513222401 023244 0ustar00carterstaff000000 000000 /* @(#)tcp_var.h 1.11 88/08/19 SMI; from UCB 7.3 6/30/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Kernel variables for tcp. */ #ifndef _netinet_tcp_var_h #define _netinet_tcp_var_h /* * Tcp control block, one per tcp; fields: */ struct tcpcb { struct tcpiphdr *seg_next; /* sequencing queue */ struct tcpiphdr *seg_prev; short t_state; /* state of this connection */ short t_timer[TCPT_NTIMERS]; /* tcp timers */ short t_rxtshift; /* log(2) of rexmt exp. backoff */ short t_rxtcur; /* current retransmit value */ short t_dupacks; /* consecutive dup acks recd */ u_short t_maxseg; /* maximum segment size */ char t_force; /* 1 if forcing out a byte */ u_char t_flags; #define TF_ACKNOW 0x01 /* ack peer immediately */ #define TF_DELACK 0x02 /* ack, but try to delay it */ #define TF_NODELAY 0x04 /* don't delay packets to coalesce */ #define TF_NOOPT 0x08 /* don't use tcp options */ #define TF_SENTFIN 0x10 /* have sent FIN */ struct tcpiphdr *t_template; /* skeletal packet for transmit */ struct inpcb *t_inpcb; /* back pointer to internet pcb */ /* * The following fields are used as in the protocol specification. * See RFC783, Dec. 1981, page 21. */ /* send sequence variables */ tcp_seq snd_una; /* send unacknowledged */ tcp_seq snd_nxt; /* send next */ tcp_seq snd_up; /* send urgent pointer */ tcp_seq snd_wl1; /* window update seg seq number */ tcp_seq snd_wl2; /* window update seg ack number */ tcp_seq iss; /* initial send sequence number */ u_short snd_wnd; /* send window */ /* receive sequence variables */ u_short rcv_wnd; /* receive window */ tcp_seq rcv_nxt; /* receive next */ tcp_seq rcv_up; /* receive urgent pointer */ tcp_seq irs; /* initial receive sequence number */ /* * Additional variables for this implementation. */ /* receive variables */ tcp_seq rcv_adv; /* advertised window */ /* retransmit variables */ tcp_seq snd_max; /* highest sequence number sent * used to recognize retransmits */ /* congestion control (for slow start, source quench, retransmit after loss) */ u_short snd_cwnd; /* congestion-controlled window */ u_short snd_ssthresh; /* snd_cwnd size threshhold for * for slow start exponential to * linear switch */ /* * transmit timing stuff. * srtt and rttvar are stored as fixed point; for convenience in smoothing, * srtt has 3 bits to the right of the binary point, rttvar has 2. * "Variance" is actually smoothed difference. */ short t_idle; /* inactivity time */ short t_rtt; /* round trip time */ tcp_seq t_rtseq; /* sequence number being timed */ short t_srtt; /* smoothed round-trip time */ short t_rttvar; /* variance in round-trip time */ u_short max_rcvd; /* most peer has sent into window */ u_short max_sndwnd; /* largest window peer has offered */ /* out-of-band data */ char t_oobflags; /* have some */ char t_iobc; /* input character */ #define TCPOOB_HAVEDATA 0x01 #define TCPOOB_HADDATA 0x02 }; #define intotcpcb(ip) ((struct tcpcb *)(ip)->inp_ppcb) #define sototcpcb(so) (intotcpcb(sotoinpcb(so))) /* * TCP statistics. * Many of these should be kept per connection, * but that's inconvenient at the moment. */ struct tcpstat { u_long tcps_connattempt; /* connections initiated */ u_long tcps_accepts; /* connections accepted */ u_long tcps_connects; /* connections established */ u_long tcps_drops; /* connections dropped */ u_long tcps_conndrops; /* embryonic connections dropped */ u_long tcps_closed; /* conn. closed (includes drops) */ u_long tcps_segstimed; /* segs where we tried to get rtt */ u_long tcps_rttupdated; /* times we succeeded */ u_long tcps_delack; /* delayed acks sent */ u_long tcps_timeoutdrop; /* conn. dropped in rxmt timeout */ u_long tcps_rexmttimeo; /* retransmit timeouts */ u_long tcps_persisttimeo; /* persist timeouts */ u_long tcps_keeptimeo; /* keepalive timeouts */ u_long tcps_keepprobe; /* keepalive probes sent */ u_long tcps_keepdrops; /* connections dropped in keepalive */ u_long tcps_sndtotal; /* total packets sent */ u_long tcps_sndpack; /* data packets sent */ u_long tcps_sndbyte; /* data bytes sent */ u_long tcps_sndrexmitpack; /* data packets retransmitted */ u_long tcps_sndrexmitbyte; /* data bytes retransmitted */ u_long tcps_sndacks; /* ack-only packets sent */ u_long tcps_sndprobe; /* window probes sent */ u_long tcps_sndurg; /* packets sent with URG only */ u_long tcps_sndwinup; /* window update-only packets sent */ u_long tcps_sndctrl; /* control (SYN|FIN|RST) packets sent */ u_long tcps_rcvtotal; /* total packets received */ u_long tcps_rcvpack; /* packets received in sequence */ u_long tcps_rcvbyte; /* bytes received in sequence */ u_long tcps_rcvbadsum; /* packets received with ccksum errs */ u_long tcps_rcvbadoff; /* packets received with bad offset */ u_long tcps_rcvshort; /* packets received too short */ u_long tcps_rcvduppack; /* duplicate-only packets received */ u_long tcps_rcvdupbyte; /* duplicate-only bytes received */ u_long tcps_rcvpartduppack; /* packets with some duplicate data */ u_long tcps_rcvpartdupbyte; /* dup. bytes in part-dup. packets */ u_long tcps_rcvoopack; /* out-of-order packets received */ u_long tcps_rcvoobyte; /* out-of-order bytes received */ u_long tcps_rcvpackafterwin; /* packets with data after window */ u_long tcps_rcvbyteafterwin; /* bytes rcvd after window */ u_long tcps_rcvafterclose; /* packets rcvd after "close" */ u_long tcps_rcvwinprobe; /* rcvd window probe packets */ u_long tcps_rcvdupack; /* rcvd duplicate acks */ u_long tcps_rcvacktoomuch; /* rcvd acks for unsent data */ u_long tcps_rcvackpack; /* rcvd ack packets */ u_long tcps_rcvackbyte; /* bytes acked by rcvd acks */ u_long tcps_rcvwinupd; /* rcvd window update packets */ }; #ifdef KERNEL struct inpcb tcb; /* head of queue of active tcpcb's */ struct tcpstat tcpstat; /* tcp statistics */ struct tcpiphdr *tcp_template(); struct tcpcb *tcp_close(), *tcp_drop(); struct tcpcb *tcp_timers(), *tcp_disconnect(), *tcp_usrclosed(); #endif #ifdef sun #define TCP_COMPAT_42 #endif #endif /*!_netinet_tcp_var_h*/ argus-3.0.8.2/include/cygwin-include/netinet/tcpip.h000444 000765 000024 00000002011 12513222401 022710 0ustar00carterstaff000000 000000 /* @(#)tcpip.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/85 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Tcp+ip header, after ip options removed. */ #ifndef _netinet_tcpip_h #define _netinet_tcpip_h struct tcpiphdr { struct ipovly ti_i; /* overlaid ip structure */ struct tcphdr ti_t; /* tcp header */ }; #define ti_next ti_i.ih_next #define ti_prev ti_i.ih_prev #define ti_x1 ti_i.ih_x1 #define ti_pr ti_i.ih_pr #define ti_len ti_i.ih_len #define ti_src ti_i.ih_src #define ti_dst ti_i.ih_dst #define ti_sport ti_t.th_sport #define ti_dport ti_t.th_dport #define ti_seq ti_t.th_seq #define ti_ack ti_t.th_ack #define ti_x2 ti_t.th_x2 #define ti_off ti_t.th_off #define ti_flags ti_t.th_flags #define ti_win ti_t.th_win #define ti_sum ti_t.th_sum #define ti_urp ti_t.th_urp #endif /*!_netinet_tcpip_h*/ argus-3.0.8.2/include/cygwin-include/netinet/udp_var.h000444 000765 000024 00000002076 12513222401 023244 0ustar00carterstaff000000 000000 /* @(#)udp_var.h 1.8 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * UDP kernel structures and variables. */ #ifndef _netinet_udp_var_h #define _netinet_udp_var_h struct udpiphdr { struct ipovly ui_i; /* overlaid ip structure */ struct udphdr ui_u; /* udp header */ }; #define ui_next ui_i.ih_next #define ui_prev ui_i.ih_prev #define ui_x1 ui_i.ih_x1 #define ui_pr ui_i.ih_pr #define ui_len ui_i.ih_len #define ui_src ui_i.ih_src #define ui_dst ui_i.ih_dst #define ui_sport ui_u.uh_sport #define ui_dport ui_u.uh_dport #define ui_ulen ui_u.uh_ulen #define ui_sum ui_u.uh_sum struct udpstat { int udps_hdrops; int udps_badsum; int udps_badlen; int udps_fullsock; }; #define UDP_TTL 30 /* time to live for UDP packets */ #ifdef KERNEL struct inpcb udb; struct udpstat udpstat; #endif #endif /*!_netinet_udp_var_h*/ argus-3.0.8.2/include/cygwin-include/net/if_arp.h000444 000765 000024 00000003306 12513222401 022161 0ustar00carterstaff000000 000000 /* @(#)if_arp.h 1.5 88/08/19 SMI; from UCB 7.1 1/24/86 */ /* * Copyright (c) 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _net_if_arp_h #define _net_if_arp_h /* * Address Resolution Protocol. * * See RFC 826 for protocol description. ARP packets are variable * in size; the arphdr structure defines the fixed-length portion. * Protocol type values are the same as those for 10 Mb/s Ethernet. * It is followed by the variable-sized fields ar_sha, arp_spa, * arp_tha and arp_tpa in that order, according to the lengths * specified. Field names used correspond to RFC 826. */ struct arphdr { u_short ar_hrd; /* format of hardware address */ #define ARPHRD_ETHER 1 /* ethernet hardware address */ u_short ar_pro; /* format of protocol address */ u_char ar_hln; /* length of hardware address */ u_char ar_pln; /* length of protocol address */ u_short ar_op; /* one of: */ #define ARPOP_REQUEST 1 /* request to resolve address */ #define ARPOP_REPLY 2 /* response to previous request */ #define REVARP_REQUEST 3 /* Reverse ARP request */ #define REVARP_REPLY 4 /* Reverse ARP reply */ /* * The remaining fields are variable in size, * according to the sizes above, and are defined * as appropriate for specific hardware/protocol * combinations. (E.g., see .) */ #ifdef notdef u_char ar_sha[]; /* sender hardware address */ u_char ar_spa[]; /* sender protocol address */ u_char ar_tha[]; /* target hardware address */ u_char ar_tpa[]; /* target protocol address */ #endif /* notdef */ }; #endif argus-3.0.8.2/include/cygwin-include/linux/if_arp.h000444 000765 000024 00000003300 12513222401 022524 0ustar00carterstaff000000 000000 /* @(#)if_arp.h 1.5 88/08/19 SMI; from UCB 7.1 1/24/86 */ /* * Copyright (c) 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _net_if_arp_h #define _net_if_arp_h /* * Address Resolution Protocol. * * See RFC 826 for protocol description. ARP packets are variable * in size; the arphdr structure defines the fixed-length portion. * Protocol type values are the same as those for 10 Mb/s Ethernet. * It is followed by the variable-sized fields ar_sha, arp_spa, * arp_tha and arp_tpa in that order, according to the lengths * specified. Field names used correspond to RFC 826. */ struct arphdr { u_short ar_hrd; /* format of hardware address */ #define ARPHRD_ETHER 1 /* ethernet hardware address */ u_short ar_pro; /* format of protocol address */ u_char ar_hln; /* length of hardware address */ u_char ar_pln; /* length of protocol address */ u_short ar_op; /* one of: */ #define ARPOP_REQUEST 1 /* request to resolve address */ #define ARPOP_REPLY 2 /* response to previous request */ #define REVARP_REQUEST 3 /* Reverse ARP request */ #define REVARP_REPLY 4 /* Reverse ARP reply */ /* * The remaining fields are variable in size, * according to the sizes above, and are defined * as appropriate for specific hardware/protocol * combinations. (E.g., see .) */ #ifdef notdef u_char ar_sha[]; /* sender hardware address */ u_char ar_spa[]; /* sender protocol address */ u_char ar_tha[]; /* target hardware address */ u_char ar_tpa[]; /* target protocol address */ #endif notdef }; #endif argus-3.0.8.2/include/cygwin-include/linux/igmp.h000444 000765 000024 00000006024 12513222401 022226 0ustar00carterstaff000000 000000 /* * Linux NET3: Internet Group Management Protocol [IGMP] * * Authors: * Alan Cox * * Extended to talk the BSD extended IGMP protocol of mrouted 3.6 * * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _LINUX_IGMP_H #define _LINUX_IGMP_H /* * IGMP protocol structures */ /* * Header in on cable format */ struct igmphdr { __u8 type; __u8 code; /* For newer IGMP */ __u16 csum; __u32 group; }; #define IGMP_HOST_MEMBERSHIP_QUERY 0x11 /* From RFC1112 */ #define IGMP_HOST_MEMBERSHIP_REPORT 0x12 /* Ditto */ #define IGMP_DVMRP 0x13 /* DVMRP routing */ #define IGMP_PIM 0x14 /* PIM routing */ #define IGMP_TRACE 0x15 #define IGMP_HOST_NEW_MEMBERSHIP_REPORT 0x16 /* New version of 0x11 */ #define IGMP_HOST_LEAVE_MESSAGE 0x17 #define IGMP_MTRACE_RESP 0x1e #define IGMP_MTRACE 0x1f /* * Use the BSD names for these for compatibility */ #define IGMP_DELAYING_MEMBER 0x01 #define IGMP_IDLE_MEMBER 0x02 #define IGMP_LAZY_MEMBER 0x03 #define IGMP_SLEEPING_MEMBER 0x04 #define IGMP_AWAKENING_MEMBER 0x05 #define IGMP_MINLEN 8 #define IGMP_MAX_HOST_REPORT_DELAY 10 /* max delay for response to */ /* query (in seconds) */ #define IGMP_TIMER_SCALE 10 /* denotes that the igmphdr->timer field */ /* specifies time in 10th of seconds */ #define IGMP_AGE_THRESHOLD 400 /* If this host don't hear any IGMP V1 */ /* message in this period of time, */ /* revert to IGMP v2 router. */ #define IGMP_ALL_HOSTS htonl(0xE0000001L) #define IGMP_ALL_ROUTER htonl(0xE0000002L) #define IGMP_LOCAL_GROUP htonl(0xE0000000L) #define IGMP_LOCAL_GROUP_MASK htonl(0xFFFFFF00L) /* * struct for keeping the multicast list in */ #ifdef __KERNEL__ /* ip_mc_socklist is real list now. Speed is not argument; this list never used in fast path code */ struct ip_mc_socklist { struct ip_mc_socklist *next; int count; struct ip_mreqn multi; }; struct ip_mc_list { struct in_device *interface; unsigned long multiaddr; struct ip_mc_list *next; struct timer_list timer; int users; atomic_t refcnt; spinlock_t lock; char tm_running; char reporter; char unsolicit_count; char loaded; }; extern int ip_check_mc(struct in_device *dev, u32 mc_addr); extern int igmp_rcv(struct sk_buff *); extern int ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr); extern int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr); extern void ip_mc_drop_socket(struct sock *sk); extern void ip_mr_init(void); extern void ip_mc_init_dev(struct in_device *); extern void ip_mc_destroy_dev(struct in_device *); extern void ip_mc_up(struct in_device *); extern void ip_mc_down(struct in_device *); extern int ip_mc_dec_group(struct in_device *in_dev, u32 addr); extern void ip_mc_inc_group(struct in_device *in_dev, u32 addr); #endif #endif argus-3.0.8.2/include/argus/bootp.h000444 000765 000024 00000007312 12513222401 017457 0ustar00carterstaff000000 000000 /* * Bootstrap Protocol (BOOTP). RFC951 and RFC1048. * * This file specifies the "implementation-independent" BOOTP protocol * information which is common to both client and server. * * Copyright 1988 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/argus/argus/include/argus/bootp.h#2 $ * $DateTime: 2011/01/26 17:16:43 $ * $Change: 2088 $ */ #if !defined(Argus_bootp_h) #define Argus_bootp_h struct bootp { unsigned char bp_op; /* packet opcode type */ unsigned char bp_htype; /* hardware addr type */ unsigned char bp_hlen; /* hardware addr length */ unsigned char bp_hops; /* gateway hops */ unsigned int bp_xid; /* transaction ID */ unsigned short bp_secs; /* seconds since boot began */ unsigned short bp_unused; struct in_addr bp_ciaddr; /* client IP address */ struct in_addr bp_yiaddr; /* 'your' IP address */ struct in_addr bp_siaddr; /* server IP address */ struct in_addr bp_giaddr; /* gateway IP address */ unsigned char bp_chaddr[16]; /* client hardware address */ unsigned char bp_sname[64]; /* server host name */ unsigned char bp_file[128]; /* boot file name */ unsigned char bp_vend[64]; /* vendor-specific area */ }; /* * UDP port numbers, server and client. */ #define IPPORT_BOOTPS 67 #define IPPORT_BOOTPC 68 #define BOOTREPLY 2 #define BOOTREQUEST 1 /* * Vendor magic cookie (v_magic) for CMU */ #define VM_CMU "CMU" /* * Vendor magic cookie (v_magic) for RFC1048 */ #define VM_RFC1048 { 99, 130, 83, 99 } /* * RFC1048 tag values used to specify what information is being supplied in * the vendor field of the packet. */ #define TAG_PAD ((unsigned char) 0) #define TAG_SUBNET_MASK ((unsigned char) 1) #define TAG_TIME_OFFSET ((unsigned char) 2) #define TAG_GATEWAY ((unsigned char) 3) #define TAG_TIME_SERVER ((unsigned char) 4) #define TAG_NAME_SERVER ((unsigned char) 5) #define TAG_DOMAIN_SERVER ((unsigned char) 6) #define TAG_LOG_SERVER ((unsigned char) 7) #define TAG_COOKIE_SERVER ((unsigned char) 8) #define TAG_LPR_SERVER ((unsigned char) 9) #define TAG_IMPRESS_SERVER ((unsigned char) 10) #define TAG_RLP_SERVER ((unsigned char) 11) #define TAG_HOSTNAME ((unsigned char) 12) #define TAG_BOOTSIZE ((unsigned char) 13) #define TAG_END ((unsigned char) 255) /* RFC1497 tags */ #define TAG_DUMPPATH ((unsigned char) 14) #define TAG_DOMAINNAME ((unsigned char) 15) #define TAG_SWAP_SERVER ((unsigned char) 16) #define TAG_ROOTPATH ((unsigned char) 17) #define TAG_EXTPATH ((unsigned char) 18) /* * "vendor" data permitted for CMU bootp clients. */ struct cmu_vend { unsigned char v_magic[4]; /* magic number */ unsigned int v_flags; /* flags/opcodes, etc. */ struct in_addr v_smask; /* Subnet mask */ struct in_addr v_dgate; /* Default gateway */ struct in_addr v_dns1, v_dns2; /* Domain name servers */ struct in_addr v_ins1, v_ins2; /* IEN-116 name servers */ struct in_addr v_ts1, v_ts2; /* Time servers */ unsigned char v_unused[24]; /* currently unused */ }; /* v_flags values */ #define VF_SMASK 1 /* Subnet mask field contains valid data */ #endif argus-3.0.8.2/include/argus/cflowd.h000444 000765 000024 00000006276 12513222401 017622 0ustar00carterstaff000000 000000 /* * Copyright (c) 2001 Mark Fullmer and The Ohio State University * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/argus/argus-3.0/clients/include/cflowd.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* Adapted from cflowd */ #define CF_ROUTERMASK 0x00000001 #define CF_SRCIPADDRMASK 0x00000002 #define CF_DSTIPADDRMASK 0x00000004 #define CF_INPUTIFINDEXMASK 0x00000008 #define CF_OUTPUTIFINDEXMASK 0x00000010 #define CF_SRCPORTMASK 0x00000020 #define CF_DSTPORTMASK 0x00000040 #define CF_PKTSMASK 0x00000080 #define CF_BYTESMASK 0x00000100 #define CF_IPNEXTHOPMASK 0x00000200 #define CF_STARTTIMEMASK 0x00000400 #define CF_ENDTIMEMASK 0x00000800 #define CF_PROTOCOLMASK 0x00001000 #define CF_TOSMASK 0x00002000 #define CF_SRCASMASK 0x00004000 #define CF_DSTASMASK 0x00008000 #define CF_SRCMASKLENMASK 0x00010000 #define CF_DSTMASKLENMASK 0x00020000 #define CF_TCPFLAGSMASK 0x00040000 #define CF_INPUTENCAPMASK 0x00080000 #define CF_OUTPUTENCAPMASK 0x00100000 #define CF_PEERNEXTHOPMASK 0x00200000 #define CF_ENGINETYPEMASK 0x00400000 #define CF_ENGINEIDMASK 0x00800000 #define CF_INDEX_V1_MASK 0x00043FFF #define CF_INDEX_V5_MASK 0x00C7FFFF #define CF_INDEX_V6_MASK 0x00FFFFFF #define CF_INDEX_V7_MASK 0x00C7FFFF #define CF_INDEX_V8_1_MASK 0x00C0CD99 #define CF_INDEX_V8_2_MASK 0x00C00DE1 #define CF_INDEX_V8_3_MASK 0x00C14D8B #define CF_INDEX_V8_4_MASK 0x00C28D95 #define CF_INDEX_V8_5_MASK 0x00C3CD9F #define CF_INDEX_V8_6_MASK 0x00C02D95 #define CF_INDEX_V8_7_MASK 0x00C02D9F #define CF_INDEX_V8_8_MASK 0x00C02DFF #define CF_INDEX_V8_9_MASK 0x00C0ED99 #define CF_INDEX_V8_10_MASK 0x00C02DE1 #define CF_INDEX_V8_11_MASK 0x00C16D8B #define CF_INDEX_V8_12_MASK 0x00C2AD95 #define CF_INDEX_V8_13_MASK 0x00C3ED9F #define CF_INDEX_V8_14_MASK 0x00C32DFF argus-3.0.8.2/include/argus/CflowdFlowPdu.h000444 000765 000024 00000055771 12513222401 021067 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * This file is orignally from CAIDA's cflowd source code, but has been * amended and improved over the years. All attempts have been made to * keep the naming and type styles consistent with the original file. */ /*=========================================================================== / @(#) $Name: $ / @(#) $Id: //depot/argus/argus-3.0/clients/include/CflowdFlowPdu.h#5 $ /=========================================================================== / CAIDA Copyright Notice / / By accessing this software, cflowd++, you are duly informed / of and agree to be bound by the conditions described below in this / notice: / / This software product, cflowd++, is developed by Daniel W. McRobb, and / copyrighted(C) 1998 by the University of California, San Diego / (UCSD), with all rights reserved. UCSD administers the CAIDA grant, / NCR-9711092, under which part of this code was developed. / / There is no charge for cflowd++ software. You can redistribute it / and/or modify it under the terms of the GNU General Public License, / v. 2 dated June 1991 which is incorporated by reference herein. / cflowd++ is distributed WITHOUT ANY WARRANTY, IMPLIED OR EXPRESS, OF / MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE or that the use / of it will not infringe on any third party's intellectual property / rights. / / You should have received a copy of the GNU GPL along with cflowd++. / Copies can also be obtained from: / / http://www.gnu.org/copyleft/gpl.html / / or by writing to: / / University of California, San Diego / / SDSC/CAIDA / 9500 Gilman Dr., MS-0505 / La Jolla, CA 92093 - 0505 USA / / Or contact: / / info@caida.org /=========================================================================== */ /* * $Id: //depot/argus/argus-3.0/clients/include/CflowdFlowPdu.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /*--------------------------------------------------------------------------- This header file contains the layout of flow-export packets for Cisco's flow-export. -------------------------------------------------------------------------*/ #ifndef _FLOWPDU_H_ #define _FLOWPDU_H_ #define k_maxFlowPacketSize 2048 #ifndef uint8_t #define uint8_t unsigned char #endif #ifndef uint16_t #define uint16_t unsigned short #endif #ifndef uint32_t #define uint32_t unsigned int #endif #ifndef ipv4addr_t #define ipv4addr_t unsigned int #endif /*--------------------------------------------------------------------------- flow-export version 1 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; } CiscoFlowHeaderV1_t; #define k_maxFlowsPerV1Packet 24 /*--------------------------------------------------------------------------- flow-export version 1 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint16_t pad0; uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint8_t flags; /* TCP flags */ uint8_t pad1, pad2, pad3; /* pads */ uint32_t pad4; } CiscoFlowEntryV1_t; /*--------------------------------------------------------------------------- flow-export version 5 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* no VIP = 0, VIP2 = 1 */ uint8_t engine_id; /* VIP2 slot number */ uint16_t reserved; /* unused */ } CiscoFlowHeaderV5_t; #define k_maxFlowsPerV5Packet 30 /*--------------------------------------------------------------------------- flow-export version 5 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t pad; uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow; 0x10 */ /* for non-TCP flows */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint16_t reserved; } CiscoFlowEntryV5_t; /*--------------------------------------------------------------------------- flow-export version 6 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* version */ uint16_t count; /* the number of records in PDU */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* seq counter of total flows seen */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint16_t reserved; } CiscoFlowHeaderV6_t; #define k_maxFlowsPerV6Packet 27 /*--------------------------------------------------------------------------- flow-export version 6 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t rsvd; uint8_t tcp_flags; /* bitwise OR of all TCP flags seen in flow */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint8_t in_encaps; /* size in bytes of the input encapsulation */ uint8_t out_encaps; /* size in bytes of the output encapsulation */ uint32_t peer_nexthop; /* IP address of the nexthop w/in the peer (FIB) */ } CiscoFlowEntryV6_t; /*--------------------------------------------------------------------------- flow-export version 7 header (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV7_t; /*--------------------------------------------------------------------------- flow-export version 7 flow entry (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address (0 for dest-only flows) */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address (always 0) */ uint16_t input; /* input interface index (always 0) */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint16_t dstport; /* TCP/UDP destination port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint8_t flags1; /* ???? */ uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow (always 0) */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address (always 0) */ uint16_t dst_as; /* originating AS of destination address (always 0) */ uint8_t src_mask; /* source address prefix mask bits (always 0) */ uint8_t dst_mask; /* destination address prefix mask bits (always 0) */ uint16_t flags2; /* ???? */ uint32_t router_sc; /* IP address of shortcut router */ } CiscoFlowEntryV7_t; /*--------------------------------------------------------------------------- flow-export version 8 --------------------------------------------------------------------------- This is the first flow-export version to support multiple types of flow-export records. Each type is an aggregation, so that only specific types of data may be exported (saving processing and bandwidth). Obviously flow level granularity is gone, but this type of data reduction is useful on high-speed routers like the GSR. -------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------- flow-export version 8 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint8_t agg_method; /* aggregation method */ uint8_t agg_version; /* aggregation version */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV8_t; /*--------------------------------------------------------------------------- V8 aggregation methods -------------------------------------------------------------------------*/ #define k_CiscoV8FlowExportASAggType 0x01 /* AS agg. */ #define k_CiscoV8FlowExportProtocolPortAggType 0x02 /* protocol/port agg. */ #define k_CiscoV8FlowExportSrcNetAggType 0x03 /* src network agg. */ #define k_CiscoV8FlowExportDstNetAggType 0x04 /* dst network agg. */ #define k_CiscoV8FlowExportNetMatrixAggType 0x05 /* net matrix agg. */ #define k_CiscoV8FlowExportMaxAggType k_CiscoV8FlowExportNetMatrixAggType #define k_CiscoV8FlowExportNumAggTypes k_CiscoV8FlowExportMaxAggType /*--------------------------------------------------------------------------- max flows per packet for each of the different V8 aggregation methods -------------------------------------------------------------------------*/ #define k_maxFlowsPerV8AsAggPacket 51 #define k_maxFlowsPerV8ProtocolPortAggPacket 51 #define k_maxFlowsPerV8SrcNetAggPacket 44 #define k_maxFlowsPerV8DstNetAggPacket 44 #define k_maxFlowsPerV8NetMatrixAggPacket 35 /*--------------------------------------------------------------------------- define max flows per packet, regardless of type of flows. -------------------------------------------------------------------------*/ #define k_maxFlowsPerAnyPacket 51 /*--------------------------------------------------------------------------- V8 AS aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8AsAggV2_t; /*--------------------------------------------------------------------------- V8 protocol/port aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint8_t prot; /* IP protocol (TCP=6, UDP=17, etc.) */ uint8_t pad; uint16_t reserved; uint16_t srcport; /* source port */ uint16_t dstport; /* destination port */ } CiscoFlowEntryV8ProtocolPortAggV2_t; /*--------------------------------------------------------------------------- V8 net matrix aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ ipv4addr_t dstnet; /* destination network */ uint8_t dst_mask; /* destination netmask length (bits) */ uint8_t src_mask; /* source netmask length (bits) */ uint16_t reserved; uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8NetMatrixAggV2_t; /*--------------------------------------------------------------------------- V8 source network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ uint8_t src_mask; /* source network mask length (bits) */ uint8_t pad; uint16_t src_as; /* source AS */ uint16_t input; /* input interface index */ uint16_t reserved; } CiscoFlowEntryV8SrcNetAggV2_t; /*--------------------------------------------------------------------------- V8 destination network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t dst_net; /* destination network */ uint8_t dst_mask; /* destination network mask length (bits) */ uint8_t pad; uint16_t dst_as; /* destination AS */ uint16_t output; /* output interface index */ uint16_t reserved; } CiscoFlowEntryV8DstNetAggV2_t; /*--------------------------------------------------------------------------- flow-export version 9 flow entry (NetflowV9) -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t package_sequence; /* sequence number */ uint32_t source_id; /* unused */ } CiscoFlowHeaderV9_t; typedef struct { u_int16_t flowset_id, length; } CiscoFlowEntryV9_t; typedef struct { u_int16_t template_id, count; } CiscoFlowTemplateHeaderV9_t; typedef struct { u_int16_t type, length; } CiscoFlowTemplateFlowEntryV9_t; #define k_CiscoV9TemplateFlowsetId 0 #define k_CiscoV9OptionsFlowsetId 1 #define k_CiscoV9MinRecordFlowsetId 256 /* Flowset record types the we care about */ #define k_CiscoV9InBytes 1 #define k_CiscoV9InPackets 2 #define k_CiscoV9Flows 3 #define k_CiscoV9InProtocol 4 #define k_CiscoV9SrcTos 5 #define k_CiscoV9TcpFlags 6 #define k_CiscoV9L4SrcPort 7 #define k_CiscoV9IpV4SrcAddr 8 #define k_CiscoV9SrcMask 9 #define k_CiscoV9InputSnmp 10 #define k_CiscoV9L4DstPort 11 #define k_CiscoV9IpV4DstAddr 12 #define k_CiscoV9DstMask 13 #define k_CiscoV9OutputSnmp 14 #define k_CiscoV9IpV4NextHop 15 #define k_CiscoV9SrcAS 16 #define k_CiscoV9DstAS 17 #define k_CiscoV9BgpIpV4NextHop 18 #define k_CiscoV9MulDstPkts 19 #define k_CiscoV9MulDstBytes 20 #define k_CiscoV9LastSwitched 21 #define k_CiscoV9FirstSwitched 22 #define k_CiscoV9OutBytes 23 #define k_CiscoV9OutPkts 24 #define k_CiscoV9MinPktLen 25 #define k_CiscoV9MaxPktLen 26 #define k_CiscoV9IpV6SrcAddr 27 #define k_CiscoV9IpV6DstAddr 28 #define k_CiscoV9IPV6SrcMask 29 #define k_CiscoV9IpV6DstMask 30 #define k_CiscoV9IpV6FlowLabel 31 #define k_CiscoV9IpV6IcmpType 32 #define k_CiscoV9IpV6MulIgmpType 33 #define k_CiscoV9IpV6SamplingInterval 34 #define k_CiscoV9IpV6SamplingAlgorithm 35 #define k_CiscoV9FlowActiveTimeout 36 #define k_CiscoV9FlowInactiveTimeout 37 #define k_CiscoV9EngineType 38 #define k_CiscoV9EngineID 39 #define k_CiscoV9TotalBytesExp 40 #define k_CiscoV9TotalPktsExp 41 #define k_CiscoV9TotalFlowsExp 42 /* ... */ #define k_CiscoV9MplsTopLabelType 46 #define k_CiscoV9MplsTopLabelIPAddr 47 #define k_CiscoV9FlowSamplerID 48 #define k_CiscoV9FlowSamplerMode 49 #define k_CiscoV9FlowSamplerRandomInt 50 /* ... */ #define k_CiscoV9MinTtl 52 #define k_CiscoV9MaxTtl 53 #define k_CiscoV9IPv4IpId 54 #define k_CiscoV9DstTos 55 #define k_CiscoV9SrcMac 56 #define k_CiscoV9DstMac 57 #define k_CiscoV9SrcVlan 58 #define k_CiscoV9DstVlan 59 #define k_CiscoV9IpProtocolVersion 60 #define k_CiscoV9Direction 61 #define k_CiscoV9IpV6NextHop 62 #define k_CiscoV9BgpIpV6NextHop 63 #define k_CiscoV9IpV6OptionHeaders 64 /* ... */ #define k_CiscoV9MplsLabel1 70 #define k_CiscoV9MplsLabel2 71 #define k_CiscoV9MplsLabel3 72 #define k_CiscoV9MplsLabel4 73 #define k_CiscoV9MplsLabel5 74 #define k_CiscoV9MplsLabel6 75 #define k_CiscoV9MplsLabel7 76 #define k_CiscoV9MplsLabel8 77 #define k_CiscoV9MplsLabel9 78 #define k_CiscoV9MplsLabel10 79 #define k_CiscoV9InDstMac 80 #define k_CiscoV9OutSrcMac 81 #define k_CiscoV9IfName 82 #define k_CiscoV9IfDesc 83 #define k_CiscoV9SampleName 84 #define k_CiscoV9InPermanentBytes 85 #define k_CiscoV9InPermanentPkts 86 /* ... */ #define k_CiscoV9FragmentOffset 88 #define k_CiscoV9ForwardingStatus 89 #define k_CiscoV9MplsPalRD 90 #define k_CiscoV9MplsPrefixLen 91 #define k_CiscoV9SrcTrafficIndex 92 #define k_CiscoV9DstTrafficIndex 93 #define k_CiscoV9ApplicationDesc 94 #define k_CiscoV9ApplicationTag 95 #define k_CiscoV9ApplicationName 96 /* ... */ #define k_CiscoV9PostDSCP 98 #define k_CiscoV9MulticastReplication 99 /* ... */ #define k_CiscoV9ConnId 148 /* ... */ #define k_CiscoV9IcmpType 176 #define k_CiscoV9IcmpCode 177 #define k_CiscoV9IcmpTypeV6 178 #define k_CiscoV9IcmpCodeV6 179 /* ... */ #define k_CiscoV9NatInsideGlobalAddr 225 #define k_CiscoV9NatOutsideGlobalAddr 226 #define k_CiscoV9postNatL4SrcPort 227 #define k_CiscoV9postNatL4DstPort 228 #define k_CiscoV9postNatEvent 230 /* ... */ #define k_CiscoV9IngressVRFID 234 /* ... */ #define k_CiscoEventTimeMilliSec 323 #define k_CiscoEventTimeMicroSec 324 #define k_CiscoEventTimeNanoSec 325 #endif /* _FlowPDU_H_ */ argus-3.0.8.2/include/argus/cons_def.h000444 000765 000024 00000010711 12513222401 020111 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1993, 1994 Carnegie Mellon University. * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of CMU not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. * */ /* * $Id: //depot/argus/argus/include/argus/cons_def.h#6 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Protocol | L | IP Opt | Exp | State | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Operation | Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Status Field Format Note that one tick mark represents one bit position. */ /* Argus Operation */ #define ARGUSCONTROL 0x80000000 #define INIT 0x01000000 #define STATUS 0x02000000 #define CLOSE 0x04000000 /* Protocol Specification */ #define PROTOCONTROL 0x00000000 #define IPPROTO 0x01000000 #define UDPPROTO 0x02000000 #define ICMPPROTO 0x04000000 #define TCPPROTO 0x08000000 #define EPPROTO 0x10000000 #define ARPPROTO 0x20000000 #define PROTOMASK 0x7F000000 /* Link Dependant Bits (L) */ #define FRAGMENTS 0x400000 #define MULTIADDR 0x800000 /* IP Option Status Bits */ #define TIMESTAMP 0x010000 #define SECURITY 0x020000 #define LSRCROUTE 0x040000 #define RECORDROUTE 0x080000 #define SSRCROUTE 0x100000 #define RTRALERT 0x200000 #define IPOPTIONMASK 0x3F0000 /* Report Status Bits (Exp) */ #define REVERSE 0x1000 #define MODIFIED 0x2000 #define LOGGED 0x4000 #define DETAIL 0x8000 /* IP, TCP and UDP State Constants and Reporting Values */ #define IP_INIT 0x0001 #define UDP_INIT 0x0001 #define SAW_SYN 0x0001 #define SAW_SYN_SENT 0x0002 #define CON_ESTABLISHED 0x0004 #define CLOSE_WAITING 0x0008 #define PKTS_RETRANS 0x0410 /* SRC_PKTS_RETRANS | DST_PK*/ #define SRC_PKTS_RETRANS 0x0010 #define WINDOW_SHUT 0x0060 /* SRC_WINDOW_SHUT | DST_WIN*/ #define SRC_WINDOW_SHUT 0x0020 #define DST_WINDOW_SHUT 0x0040 #define NORMAL_CLOSE 0x0080 #define RESET 0x0900 /* SRC_RESET | DST_RESET */ #define SRC_RESET 0x0100 #define TIMED_OUT 0x0200 #define DST_PKTS_RETRANS 0x0400 #define DST_RESET 0x0800 /* Fragment State Constants and Reporting Values */ #define FRAG_INIT 0x0001 #define FRAG_OUT_OF_ORDER 0x0002 #define TCP_FRAG_OFFSET_PROBLEM 0x0008 #define FRAG_ONLY 0x0010 argus-3.0.8.2/include/argus/cons_out.h000444 000765 000024 00000010420 12513222401 020157 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files. cons_out.h * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus/cons_out.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #if !defined(cons_out_h) #define cons_out_h #if !defined(__OpenBSD__) || !defined(_NET_IF_H_) #define _NET_IF_H_ #include #endif #include #if !defined(__OpenBSD__) || !defined(_NETINET_IF_ETHER_H_) #define _NETINET_IP_ETHER_H_ #include #endif struct THA_OBJECT { arg_int32 size; unsigned char *buffer; }; struct tha { struct in_addr src; struct in_addr dst; arg_uint16 sport; arg_uint16 dport; }; struct icmptha { struct in_addr src; struct in_addr dst; arg_uint32 port; arg_uint32 addr; }; struct writeStruct { arg_uint32 status; struct argtimeval startime, lasttime; struct ether_addr ethersrc; struct ether_addr etherdst; struct tha addr; arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct inittcpWriteStruct { arg_int32 src_count, dst_count; arg_uint32 addr, seq; }; struct tcpWriteStruct { arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct udpWriteStruct { arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct icmpWriteStruct { arg_uint8 type, code; arg_uint16 data; struct in_addr srcaddr, dstaddr, gwaddr; }; struct fragWriteStruct { int fragnum, frag_id; unsigned short status, totlen, currlen, maxfraglen; }; struct physWriteStruct { struct ether_addr ethersrc; struct ether_addr etherdst; }; struct arpWriteStruct { struct argtimeval time; struct physWriteStruct phys; struct ether_arp arp; }; struct ipWriteStruct { struct argtimeval startime, lasttime; struct physWriteStruct ws_phys; struct in_addr src; struct in_addr dst; arg_uint16 sport; arg_uint16 dport; union { struct inittcpWriteStruct inittcp; struct tcpWriteStruct tcp; struct udpWriteStruct udp; struct icmpWriteStruct icmp; struct fragWriteStruct frag; } ipws_trans_union; }; struct manInitStruct { struct argtimeval startime, now; arg_int8 initString[20]; arg_uint32 localnet, netmask; arg_uint16 reportInterval, dflagInterval; arg_uint8 interfaceType, interfaceStatus; }; struct manStatStruct { struct argtimeval startime, now; arg_uint16 reportInterval, dflagInterval; arg_uint8 interfaceType, interfaceStatus; arg_uint32 pktsRcvd, bytesRcvd, pktsDrop; arg_uint16 actTCPcons, cloTCPcons; arg_uint16 actUDPcons, cloUDPcons; arg_uint16 actIPcons, cloIPcons; arg_uint16 actICMPcons, cloICMPcons; arg_uint16 actFRAGcons, cloFRAGcons; }; struct WriteStruct { arg_uint32 status; union { struct ipWriteStruct ip; struct arpWriteStruct arp; struct manInitStruct man_init; struct manStatStruct man_stat; } ws_trans_union; }; #define ws_ip ws_trans_union.ip #define ws_arp ws_trans_union.arp #define ws_init ws_trans_union.man_init #define ws_stat ws_trans_union.man_stat #define ws_ip_phys ws_trans_union.ip.ws_phys #define ws_ip_src ws_trans_union.ip.src #define ws_ip_dst ws_trans_union.ip.dst #define ws_ip_port ws_trans_union.ip.port #define ws_ip_inittcp ws_trans_union.ip.ipws_trans_union.inittcp #define ws_ip_tcp ws_trans_union.ip.ipws_trans_union.tcp #define ws_ip_udp ws_trans_union.ip.ipws_trans_union.udp #define ws_ip_icmp ws_trans_union.ip.ipws_trans_union.icmp #define ws_ip_frag ws_trans_union.ip.ipws_trans_union.frag #endif argus-3.0.8.2/include/argus/extract.h000444 000765 000024 00000020624 12513222401 020007 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/argus/argus/include/argus/extract.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef TCPDUMP_ALIGN #if BYTEORDER == LITTLE_ENDIAN #define EXTRACT_SHORT(p)\ ((u_short)\ ((u_short)*((u_char *)p+1)<<8|\ (u_short)*((u_char *)p+0)<<0)) #define EXTRACT_LONG(p)\ ((u_int32)*((u_char *)p+3)<<24|\ (u_int32)*((u_char *)p+2)<<16|\ (u_int32)*((u_char *)p+1)<<8|\ (u_int32)*((u_char *)p+0)<<0) #else #define EXTRACT_SHORT(p)\ ((u_short)\ ((u_short)*((u_char *)p+0)<<8|\ (u_short)*((u_char *)p+1)<<0)) #define EXTRACT_LONG(p)\ ((u_int32)*((u_char *)p+0)<<24|\ (u_int32)*((u_char *)p+1)<<16|\ (u_int32)*((u_char *)p+2)<<8|\ (u_int32)*((u_char *)p+3)<<0) #endif #else #define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p)) #define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p)) #endif /* * Copyright (c) 1992, 1993, 1994, 1995, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: //depot/argus/argus/include/argus/extract.h#7 $ (LBL) */ /* * Macros to extract possibly-unaligned big-endian integral values. */ #ifdef LBL_ALIGN /* * The processor doesn't natively handle unaligned loads. */ #ifdef HAVE___ATTRIBUTE__ /* * We have __attribute__; we assume that means we have __attribute__((packed)). * Declare packed structures containing a u_int16_t and a u_int32_t, * cast the pointer to point to one of those, and fetch through it; * the GCC manual doesn't appear to explicitly say that * __attribute__((packed)) causes the compiler to generate unaligned-safe * code, but it apppears to do so. * * We do this in case the compiler can generate, for this instruction set, * better code to do an unaligned load and pass stuff to "ntohs()" or * "ntohl()" than the code to fetch the bytes one at a time and * assemble them. (That might not be the case on a little-endian platform, * where "ntohs()" and "ntohl()" might not be done inline.) */ typedef struct { u_int16_t val; } __attribute__((packed)) unaligned_u_int16_t; typedef struct { u_int32_t val; } __attribute__((packed)) unaligned_u_int32_t; #define EXTRACT_16BITS(p) \ ((u_int16_t)ntohs(((const unaligned_u_int16_t *)(p))->val)) #define EXTRACT_32BITS(p) \ ((u_int32_t)ntohl(((const unaligned_u_int32_t *)(p))->val)) #define EXTRACT_64BITS(p) \ ((u_int64_t)(((u_int64_t)ntohl(((const unaligned_u_int32_t *)(p) + 0)->val)) << 32 | \ ((u_int64_t)ntohl(((const unaligned_u_int32_t *)(p) + 1)->val)) << 0)) #else /* HAVE___ATTRIBUTE__ */ /* * We don't have __attribute__, so do unaligned loads of big-endian * quantities the hard way - fetch the bytes one at a time and * assemble them. */ #define EXTRACT_16BITS(p) \ ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 0) << 8 | \ (u_int16_t)*((const u_int8_t *)(p) + 1))) #define EXTRACT_32BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 24 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 2) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 3))) #define EXTRACT_64BITS(p) \ ((u_int64_t)((u_int64_t)*((const u_int8_t *)(p) + 0) << 56 | \ (u_int64_t)*((const u_int8_t *)(p) + 1) << 48 | \ (u_int64_t)*((const u_int8_t *)(p) + 2) << 40 | \ (u_int64_t)*((const u_int8_t *)(p) + 3) << 32 | \ (u_int64_t)*((const u_int8_t *)(p) + 4) << 24 | \ (u_int64_t)*((const u_int8_t *)(p) + 5) << 16 | \ (u_int64_t)*((const u_int8_t *)(p) + 6) << 8 | \ (u_int64_t)*((const u_int8_t *)(p) + 7))) #endif /* HAVE___ATTRIBUTE__ */ #else /* LBL_ALIGN */ /* * The processor natively handles unaligned loads, so we can just * cast the pointer and fetch through it. */ #define EXTRACT_16BITS(p) \ ((u_int16_t)ntohs(*(const u_int16_t *)(p))) #define EXTRACT_32BITS(p) \ ((u_int32_t)ntohl(*(const u_int32_t *)(p))) #define EXTRACT_64BITS(p) \ ((u_int64_t)(((u_int64_t)ntohl(*((const u_int32_t *)(p) + 0))) << 32 | \ ((u_int64_t)ntohl(*((const u_int32_t *)(p) + 1))) << 0)) #endif /* LBL_ALIGN */ #define EXTRACT_24BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 2))) /* * Macros to extract possibly-unaligned little-endian integral values. * XXX - do loads on little-endian machines that support unaligned loads? */ #define EXTRACT_LE_8BITS(p) (*(p)) #define EXTRACT_LE_16BITS(p) \ ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int16_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_32BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 3) << 24 | \ (u_int32_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_24BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_64BITS(p) \ ((u_int64_t)((u_int64_t)*((const u_int8_t *)(p) + 7) << 56 | \ (u_int64_t)*((const u_int8_t *)(p) + 6) << 48 | \ (u_int64_t)*((const u_int8_t *)(p) + 5) << 40 | \ (u_int64_t)*((const u_int8_t *)(p) + 4) << 32 | \ (u_int64_t)*((const u_int8_t *)(p) + 3) << 24 | \ (u_int64_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int64_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int64_t)*((const u_int8_t *)(p) + 0))) argus-3.0.8.2/include/argus/fddi.h000444 000765 000024 00000007305 12513222401 017244 0ustar00carterstaff000000 000000 /* * Argus Software. Common include files. fddi.h * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/include/argus/fddi.h#6 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* * Copyright (c) 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ #if !defined(fddi_h) #define fddi_h /* * Based on Ultrix if_fddi.h */ /* * This stuff should come from a system header file, but there's no * obviously portable way to do that and it's not really going * to change from system to system (except for the padding business). */ struct fddi_header { #if defined(ultrix) || defined(__alpha) /* Ultrix pads to make everything line up on a nice boundary */ #define FDDIPAD 3 u_char fddi_ph[FDDIPAD]; #else #define FDDIPAD 0 #endif u_char fddi_fc; /* frame control */ u_char fddi_dhost[6]; u_char fddi_shost[6]; }; /* Useful values for fddi_fc (frame control) field */ /* * FDDI Frame Control bits */ #define FDDIFC_C 0x80 /* Class bit */ #define FDDIFC_L 0x40 /* Address length bit */ #define FDDIFC_F 0x30 /* Frame format bits */ #define FDDIFC_Z 0x0f /* Control bits */ /* * FDDI Frame Control values. (48-bit addressing only). */ #define FDDIFC_VOID 0x40 /* Void frame */ #define FDDIFC_NRT 0x80 /* Nonrestricted token */ #define FDDIFC_RT 0xc0 /* Restricted token */ #define FDDIFC_SMT_INFO 0x41 /* SMT Info */ #define FDDIFC_SMT_NSA 0x4F /* SMT Next station adrs */ #define FDDIFC_MAC_BEACON 0xc2 /* MAC Beacon frame */ #define FDDIFC_MAC_CLAIM 0xc3 /* MAC Claim frame */ #define FDDIFC_LLC_ASYNC 0x50 /* Async. LLC frame */ #define FDDIFC_LLC_SYNC 0xd0 /* Sync. LLC frame */ #define FDDIFC_IMP_ASYNC 0x60 /* Implementor Async. */ #define FDDIFC_IMP_SYNC 0xe0 /* Implementor Synch. */ #define FDDIFC_SMT 0x40 /* SMT frame */ #define FDDIFC_MAC 0xc0 /* MAC frame */ #define FDDIFC_CLFF 0xF0 /* Class/Length/Format bits */ #define FDDIFC_ZZZZ 0x0F /* Control bits */ #endif argus-3.0.8.2/include/argus/gencode.h000444 000765 000024 00000023274 12513222401 017745 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/argus/argus/include/argus/gencode.h#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* * filter.h must be included before this file. */ #include /* Address qualifers. */ #define Q_HOST 1 #define Q_SRCID 2 #define Q_NET 3 #define Q_PORT 4 #define Q_GATEWAY 5 #define Q_PROTO 6 #define Q_IPID 7 #define Q_TTL 8 #define Q_TOS 9 #define Q_DSB 10 #define Q_VID 11 #define Q_VPRI 12 #define Q_MPLSID 13 #define Q_SERVICE 14 #define Q_BYTE 15 #define Q_PKT 16 #define Q_TCPBASE 17 #define Q_TRANS 18 #define Q_RATE 19 #define Q_LOAD 20 #define Q_INTER 21 #define Q_JITTER 22 #define Q_DUR 23 #define Q_AVGDUR 24 #define Q_DELTADUR 25 #define Q_DELTASTART 26 #define Q_DELTALAST 27 #define Q_DELTASPKTS 28 #define Q_DELTADPKTS 29 #define Q_SPI 30 #define Q_LOSS 31 #define Q_PLOSS 32 #define Q_ABR 139 #define Q_PCR 139 #define Q_APPBYTE 33 #define Q_CO 34 #define Q_COCODE 35 #define Q_INODE 36 #define Q_ASN 37 #define Q_SEQ 137 #define Q_STRING 138 #define Q_INTEGER 139 #define Q_FLOAT 140 #define Q_GAP 141 #define Q_DUP 142 /* Protocol qualifiers. */ #define Q_MAN 38 #define Q_FAR 132 #define Q_EVENT 133 #define Q_INDEX 134 /* Keystroke Behavior Keywords */ #define Q_NKEY 135 #define Q_NSTROKE 136 #define Q_LINK 39 #define Q_IP 40 #define Q_IPV6 41 #define Q_IPV4 42 #define Q_IB 43 #define Q_IBGBL 44 #define Q_IBLCL 45 #define Q_ISO 46 #define Q_SVC 47 #define Q_ETHER 48 #define Q_LLC 49 #define Q_ARP 50 #define Q_RARP 51 #define Q_TCP 52 #define Q_UDP 53 #define Q_ICMP 54 #define Q_IGMP 55 #define Q_IGRP 56 #define Q_UDT 57 #define Q_LID 58 #define Q_QP 59 #define Q_DECNET 60 #define Q_LAT 62 #define Q_MOPRC 63 #define Q_MOPDL 64 #define Q_ANON 65 #define Q_MERGED 66 /* TCP Protocol qualifiers. */ #define Q_NORMAL 67 #define Q_MULTIPATH 68 #define Q_RESET 69 #define Q_TIMEDOUT 70 #define Q_WINSHUT 71 #define Q_ESTABLISHED 72 #define Q_RETRANS 73 #define Q_SRCRETRANS 74 #define Q_DSTRETRANS 75 #define Q_OUTOFORDER 76 #define Q_SRCOUTOFORDER 77 #define Q_DSTOUTOFORDER 78 #define Q_FRAG 79 #define Q_SRCFRAG 80 #define Q_DSTFRAG 81 #define Q_FRAG_ONLY 82 #define Q_CONNECTED 83 #define Q_REJECT 84 #define Q_ECHO 85 #define Q_UNREACH 86 #define Q_REDIRECT 87 #define Q_TIMEXED 88 #define Q_LOOP 89 #define Q_CORRELATED 90 #define Q_ICMPMAP 91 #define Q_SYN 92 #define Q_SYNACK 93 #define Q_DATA 94 #define Q_SRCDATA 95 #define Q_DSTDATA 96 #define Q_FIN 97 #define Q_FINACK 98 #define Q_WAIT 99 #define Q_ACK 100 #define Q_URGENT 101 #define Q_PUSH 102 #define Q_ECE 103 #define Q_CWR 104 #define Q_TCPRTT 105 /* RTP Protocol qualifiers. */ #define Q_RTP 106 #define Q_RTCP 107 #define Q_ESP 108 #define Q_ECN 109 #define Q_MPLS 110 #define Q_VLAN 111 #define Q_RTR 112 #define Q_MBR 113 #define Q_LVG 114 /* Cause qualifers. */ #define Q_START 115 #define Q_STOP 116 #define Q_STATUS 117 #define Q_SHUTDOWN 118 #define Q_ERROR 119 /* Application Specific qualifers. */ #define Q_DNS 120 /* Encapsulations */ #define Q_ENCAPS 121 /* ISIS */ #define Q_ISIS 122 #define Q_HELLO 123 #define Q_LSP 124 #define Q_CSNP 125 #define Q_PSNP 126 #define Q_RSVP 127 /* Directional qualifers. */ #define Q_SRC 128 #define Q_DST 129 #define Q_OR 130 #define Q_AND 131 /* TCP Option qualifiers. */ #define Q_TCPOPT 143 #define Q_MSS 144 #define Q_WSCALE 145 #define Q_SELECTIVEACKOK 146 #define Q_SELECTIVEACK 147 #define Q_TCPECHO 148 #define Q_TCPECHOREPLY 149 #define Q_TCPTIMESTAMP 150 #define Q_TCPCC 151 #define Q_TCPCCNEW 152 #define Q_TCPCCECHO 153 #define Q_SECN 154 #define Q_DECN 155 #define Q_JITTERACTIVE 156 #define Q_JITTERIDLE 157 #define Q_INTERACTIVE 158 #define Q_INTERIDLE 159 #define Q_DEFAULT 0 #define Q_UNDEF 255 /* Operational qualifiers. */ #define Q_EQUAL 1 #define Q_LESS 2 #define Q_GREATER 3 #define Q_GEQ 4 #define Q_LEQ 5 /* DNS Opcode qualifiers. */ #define Q_AUTH 1 #define Q_RECURS 2 struct stmt { u_int dsr; int code, type; struct slist *jt; /*only for relative jump in ablock*/ struct slist *jf; /*only for relative jump in ablock*/ union { int i; float f; char s[8]; long long k; } data; }; struct slist { struct stmt s; struct slist *next; }; /* * A bit vector to represent definition sets. We assume TOT_REGISTERS * is smaller than 8*sizeof(atomset). */ typedef unsigned int atomset; #define ATOMMASK(n) (1 << (n)) #define ATOMELEM(d, n) (d & ATOMMASK(n)) /* * An unbounded set. */ typedef unsigned int *uset; /* * Total number of atomic entities, including accumulator (A) and index (X). * We treat all these guys similarly during flow analysis. */ #define N_ATOMS (NFF_MEMWORDS+2) struct edge { int id; int code; uset edom; struct ablock *succ; struct ablock *pred; struct edge *next; /* link list of incoming edges for a node */ }; struct ablock { int id; struct slist *stmts; /* side effect stmts */ struct stmt s; /* branch stmt */ int mark; int longjt; /* jt branch requires long jump */ int longjf; /* jf branch requires long jump */ int level; int offset; int sense; struct edge et; struct edge ef; struct ablock *head; struct ablock *link; /* link field used by optimizer */ uset dom; uset closure; struct edge *in_edges; atomset def, kill; atomset in_use; atomset out_use; long long oval; long long val[N_ATOMS]; }; struct arth { struct ablock *b; /* protocol checks */ struct slist *s; /* stmt list */ int regno; /* virtual register number of result */ }; struct qual { unsigned short type; /* is this IPv4 or IPv6; */ unsigned short proto; unsigned char dir; unsigned char addr; }; #define ARGUS_ADDR_VALUE 1 #define ARGUS_FLOAT_VALUE 2 #ifndef __GNUC__ #define volatile #endif /* #define yylex argus_lex #define yyparse argus_parse */ extern int argus_lex(void); extern int argus_parse (void); extern void argus_lex_init(char *buf); struct arth *ArgusLoadI(int); struct arth *ArgusLoad(int, struct arth *, int); struct arth *ArgusLoadLen(void); struct arth *ArgusArth(int, struct arth *, struct arth *); struct arth *ArgusNeg(struct arth *); void Argusgen_and(struct ablock *, struct ablock *); void Argusgen_or(struct ablock *, struct ablock *); void Argusgen_not(struct ablock *); struct ablock *Argusgen_stat(struct ablock *, struct ablock *, unsigned int); struct ablock *Argusgen_ocode(int, struct qual); struct ablock *Argusgen_scode(char *, struct qual); struct ablock *Argusgen_tcode(int, struct qual); struct ablock *Argusgen_ecode(unsigned char *, struct qual); struct ablock *Argusgen_mcode(char *, char *, int, struct qual); struct ablock *Argusgen_ncode(char *, int, struct qual, unsigned int); struct ablock *Argusgen_fcode(char *, float, struct qual, unsigned int); struct ablock *Argusgen_proto_abbrev(int); struct ablock *Argusgen_relation(int, struct arth *, struct arth *, int); struct ablock *Argusgen_less(int); struct ablock *Argusgen_greater(int); struct ablock *Argusgen_byteop(int, int, int); struct ablock *Argusgen_broadcast(int); struct ablock *Argusgen_multicast(int); struct ablock *Argusgen_inbound(int); struct ablock *Argusgen_dns(int, int, int); struct ablock *Argusgen_appbytes(int, int, u_int); void Argusnff_optimize(struct ablock **); void Argus_error(char *fmt, ...); void Argusfinish_parse(struct ablock *); char *Argussdup(char *); struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); int Arguspcap_parse(void); void Arguslex_init(char *); void Argussappend(struct slist *, struct slist *); char *ArgusFilterCompile(struct nff_program *, char *, int); /* XXX */ #define JT(b) ((b)->et.succ) #define JF(b) ((b)->ef.succ) argus-3.0.8.2/include/argus/global.h000444 000765 000024 00000001674 12513222401 017601 0ustar00carterstaff000000 000000 /* GLOBAL.H - RSAREF types and constants */ /* * $Id: //depot/argus/argus-3.0/clients/include/global.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* PROTOTYPES should be set to one if and only if the compiler supports function argument prototyping. The following makes PROTOTYPES default to 0 if it has not already been defined with C compiler flags. */ #ifndef GLOBAL_H #define GLOBAL_H 0 #ifndef PROTOTYPES #define PROTOTYPES 0 #endif /* POINTER defines a generic pointer type */ typedef unsigned char *POINTER; /* UINT2 defines a two byte word */ typedef unsigned short int UINT2; /* UINT4 defines a four byte word */ typedef unsigned long int UINT4; /* PROTO_LIST is defined depending on how PROTOTYPES is defined above. If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it returns an empty list. */ #if PROTOTYPES #define PROTO_LIST(list) list #else #define PROTO_LIST(list) () #endif #endif argus-3.0.8.2/include/argus/ieee802_11.h000444 000765 000024 00000044375 12513222401 020010 0ustar00carterstaff000000 000000 /* @(#) $Header: /tcpdump/master/tcpdump/ieee802_11.h,v 1.9.4.2 2005/11/13 12:07:44 guy Exp $ (LBL) */ /* * Copyright (c) 2001 * Fortress Technologies * Charlie Lenahan ( clenahan@fortresstech.com ) * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #if !defined(ARGUS_802_11) #define ARGUS_802_11 /* Lengths of 802.11 header components. */ #define IEEE802_11_FC_LEN 2 #define IEEE802_11_DUR_LEN 2 #define IEEE802_11_DA_LEN 6 #define IEEE802_11_SA_LEN 6 #define IEEE802_11_BSSID_LEN 6 #define IEEE802_11_RA_LEN 6 #define IEEE802_11_TA_LEN 6 #define IEEE802_11_SEQ_LEN 2 #define IEEE802_11_IV_LEN 3 #define IEEE802_11_KID_LEN 1 /* Frame check sequence length. */ #define IEEE802_11_FCS_LEN 4 /* Lengths of beacon components. */ #define IEEE802_11_TSTAMP_LEN 8 #define IEEE802_11_BCNINT_LEN 2 #define IEEE802_11_CAPINFO_LEN 2 #define IEEE802_11_LISTENINT_LEN 2 #define IEEE802_11_AID_LEN 2 #define IEEE802_11_STATUS_LEN 2 #define IEEE802_11_REASON_LEN 2 /* Length of previous AP in reassocation frame */ #define IEEE802_11_AP_LEN 6 #define T_MGMT 0x0 /* management */ #define T_CTRL 0x1 /* control */ #define T_DATA 0x2 /* data */ #define T_RESV 0x3 /* reserved */ #define ST_ASSOC_REQUEST 0x0 #define ST_ASSOC_RESPONSE 0x1 #define ST_REASSOC_REQUEST 0x2 #define ST_REASSOC_RESPONSE 0x3 #define ST_PROBE_REQUEST 0x4 #define ST_PROBE_RESPONSE 0x5 /* RESERVED 0x6 */ /* RESERVED 0x7 */ #define ST_BEACON 0x8 #define ST_ATIM 0x9 #define ST_DISASSOC 0xA #define ST_AUTH 0xB #define ST_DEAUTH 0xC /* RESERVED 0xD */ /* RESERVED 0xE */ /* RESERVED 0xF */ #define CTRL_PS_POLL 0xA #define CTRL_RTS 0xB #define CTRL_CTS 0xC #define CTRL_ACK 0xD #define CTRL_CF_END 0xE #define CTRL_END_ACK 0xF #define DATA_DATA 0x0 #define DATA_DATA_CF_ACK 0x1 #define DATA_DATA_CF_POLL 0x2 #define DATA_DATA_CF_ACK_POLL 0x3 #define DATA_NODATA 0x4 #define DATA_NODATA_CF_ACK 0x5 #define DATA_NODATA_CF_POLL 0x6 #define DATA_NODATA_CF_ACK_POLL 0x7 #define DATA_QOS_DATA 0x8 #define DATA_QOS_DATA_CF_ACK 0x9 #define DATA_QOS_DATA_CF_POLL 0xA #define DATA_QOS_DATA_CF_ACK_POLL 0xB #define DATA_QOS_NODATA 0xC #define DATA_QOS_CF_POLL_NODATA 0xE #define DATA_QOS_CF_ACK_POLL_NODATA 0xF /* * The subtype field of a data frame is, in effect, composed of 4 flag * bits - CF-Ack, CF-Poll, Null (means the frame doesn't actually have * any data), and QoS. */ #define DATA_FRAME_IS_CF_ACK(x) ((x) & 0x01) #define DATA_FRAME_IS_CF_POLL(x) ((x) & 0x02) #define DATA_FRAME_IS_NULL(x) ((x) & 0x04) #define DATA_FRAME_IS_QOS(x) ((x) & 0x08) /* * Bits in the frame control field. */ #define FC_VERSION(fc) ((fc) & 0x3) #define FC_TYPE(fc) (((fc) >> 2) & 0x3) #define FC_SUBTYPE(fc) (((fc) >> 4) & 0xF) #define FC_TO_DS(fc) ((fc) & 0x0100) #define FC_FROM_DS(fc) ((fc) & 0x0200) #define FC_MORE_FLAG(fc) ((fc) & 0x0400) #define FC_RETRY(fc) ((fc) & 0x0800) #define FC_POWER_MGMT(fc) ((fc) & 0x1000) #define FC_MORE_DATA(fc) ((fc) & 0x2000) #define FC_WEP(fc) ((fc) & 0x4000) #define FC_ORDER(fc) ((fc) & 0x8000) struct mgmt_header_t { u_int16_t fc; u_int16_t duration; u_int8_t da[6]; u_int8_t sa[6]; u_int8_t bssid[6]; u_int16_t seq_ctrl; }; #define MGMT_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_DA_LEN+IEEE802_11_SA_LEN+\ IEEE802_11_BSSID_LEN+IEEE802_11_SEQ_LEN) #define CAPABILITY_ESS(cap) ((cap) & 0x0001) #define CAPABILITY_IBSS(cap) ((cap) & 0x0002) #define CAPABILITY_CFP(cap) ((cap) & 0x0004) #define CAPABILITY_CFP_REQ(cap) ((cap) & 0x0008) #define CAPABILITY_PRIVACY(cap) ((cap) & 0x0010) typedef enum { NOT_PRESENT, PRESENT, TRUNCATED } elem_status_t; struct ssid_t { u_int8_t element_id; u_int8_t length; u_char ssid[33]; /* 32 + 1 for null */ }; struct rates_t { u_int8_t element_id; u_int8_t length; u_int8_t rate[16]; }; struct challenge_t { u_int8_t element_id; u_int8_t length; u_int8_t text[254]; /* 1-253 + 1 for null */ }; struct fh_t { u_int8_t element_id; u_int8_t length; u_int16_t dwell_time; u_int8_t hop_set; u_int8_t hop_pattern; u_int8_t hop_index; }; struct ds_t { u_int8_t element_id; u_int8_t length; u_int8_t channel; }; struct cf_t { u_int8_t element_id; u_int8_t length; u_int8_t count; u_int8_t period; u_int16_t max_duration; u_int16_t dur_remaing; }; struct tim_t { u_int8_t element_id; u_int8_t length; u_int8_t count; u_int8_t period; u_int8_t bitmap_control; u_int8_t bitmap[251]; }; #define E_SSID 0 #define E_RATES 1 #define E_FH 2 #define E_DS 3 #define E_CF 4 #define E_TIM 5 #define E_IBSS 6 /* reserved 7 */ /* reserved 8 */ /* reserved 9 */ /* reserved 10 */ /* reserved 11 */ /* reserved 12 */ /* reserved 13 */ /* reserved 14 */ /* reserved 15 */ /* reserved 16 */ #define E_CHALLENGE 16 /* reserved 17 */ /* reserved 18 */ /* reserved 19 */ /* reserved 16 */ /* reserved 16 */ struct mgmt_body_t { u_int8_t timestamp[IEEE802_11_TSTAMP_LEN]; u_int16_t beacon_interval; u_int16_t listen_interval; u_int16_t status_code; u_int16_t aid; u_char ap[IEEE802_11_AP_LEN]; u_int16_t reason_code; u_int16_t auth_alg; u_int16_t auth_trans_seq_num; elem_status_t challenge_status; struct challenge_t challenge; u_int16_t capability_info; elem_status_t ssid_status; struct ssid_t ssid; elem_status_t rates_status; struct rates_t rates; elem_status_t ds_status; struct ds_t ds; elem_status_t cf_status; struct cf_t cf; elem_status_t fh_status; struct fh_t fh; elem_status_t tim_status; struct tim_t tim; }; struct ctrl_rts_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t ta[6]; u_int8_t fcs[4]; }; #define CTRL_RTS_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_TA_LEN) struct ctrl_cts_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t fcs[4]; }; #define CTRL_CTS_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+IEEE802_11_RA_LEN) struct ctrl_ack_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t fcs[4]; }; #define CTRL_ACK_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+IEEE802_11_RA_LEN) struct ctrl_ps_poll_t { u_int16_t fc; u_int16_t aid; u_int8_t bssid[6]; u_int8_t ta[6]; u_int8_t fcs[4]; }; #define CTRL_PS_POLL_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_AID_LEN+\ IEEE802_11_BSSID_LEN+IEEE802_11_TA_LEN) struct ctrl_end_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t bssid[6]; u_int8_t fcs[4]; }; #define CTRL_END_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_BSSID_LEN) struct ctrl_end_ack_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t bssid[6]; u_int8_t fcs[4]; }; #define CTRL_END_ACK_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_BSSID_LEN) #define IV_IV(iv) ((iv) & 0xFFFFFF) #define IV_PAD(iv) (((iv) >> 24) & 0x3F) #define IV_KEYID(iv) (((iv) >> 30) & 0x03) /* $FreeBSD: src/sys/net80211/ieee80211_radiotap.h,v 1.5 2005/01/22 20:12:05 sam Exp $ */ /* $NetBSD: ieee80211_radiotap.h,v 1.18 2007/03/26 21:22:35 dyoung Exp $ */ /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #ifndef _NET80211_IEEE80211_RADIOTAP_H_ #define _NET80211_IEEE80211_RADIOTAP_H_ /* A generic radio capture format is desirable. It must be * rigidly defined (e.g., units for fields should be given), * and easily extensible. * * The following is an extensible radio capture format. It is * based on a bitmap indicating which fields are present. * * I am trying to describe precisely what the application programmer * should expect in the following, and for that reason I tell the * units and origin of each measurement (where it applies), or else I * use sufficiently weaselly language ("is a monotonically nondecreasing * function of...") that I cannot set false expectations for lawyerly * readers. */ #if defined(__KERNEL__) || defined(_KERNEL) #ifndef DLT_IEEE802_11_RADIO #define DLT_IEEE802_11_RADIO 127 /* 802.11 plus WLAN header */ #endif #endif /* defined(__KERNEL__) || defined(_KERNEL) */ /* XXX tcpdump/libpcap do not tolerate variable-length headers, * yet, so we pad every radiotap header to 64 bytes. Ugh. */ #define IEEE80211_RADIOTAP_HDRLEN 64 /* * The radio capture header precedes the 802.11 header. * * Note well: all radiotap fields are little-endian. */ struct ieee80211_radiotap_header { uint8_t it_version; /* Version 0. Only increases * for drastic changes, * introduction of compatible * new fields does not count. */ uint8_t it_pad; uint16_t it_len; /* length of the whole * header in bytes, including * it_version, it_pad, * it_len, and data fields. */ uint32_t it_present; /* A bitmap telling which * fields are present. Set bit 31 * (0x80000000) to extend the * bitmap by another 32 bits. * Additional extensions are made * by setting bit 31. */ } __attribute__((__packed__, __aligned__(8))); struct ieee80211_xchannel { u_int32_t bitmap; u_int16_t mhz; u_int8_t channum; u_int8_t powercap; }; struct ieee80211_radiotap { struct ieee80211_radiotap_header hdr; u_int64_t tsft; u_int16_t txchan, rxchan; u_int16_t fhss; u_int8_t rate; u_int8_t dbm_antsignal; u_int8_t dbm_antnoise; u_int8_t db_antsignal; u_int8_t db_antnoise; u_int16_t lock_quality; u_int16_t tx_attenuation; u_int16_t db_tx_attenuation; u_int8_t dbm_tx_power; u_int8_t flags; u_int8_t antenna; struct ieee80211_xchannel xchan; }; /* * Name Data type Units * ---- --------- ----- * * IEEE80211_RADIOTAP_TSFT uint64_t microseconds * * Value in microseconds of the MAC's 64-bit 802.11 Time * Synchronization Function timer when the first bit of the * MPDU arrived at the MAC. For received frames, only. * * IEEE80211_RADIOTAP_CHANNEL 2 x uint16_t MHz, bitmap * * Tx/Rx frequency in MHz, followed by flags (see below). * * IEEE80211_RADIOTAP_FHSS uint16_t see below * * For frequency-hopping radios, the hop set (first byte) * and pattern (second byte). * * IEEE80211_RADIOTAP_RATE uint8_t 500kb/s * * Tx/Rx data rate * * IEEE80211_RADIOTAP_DBM_ANTSIGNAL int8_t decibels from * one milliwatt (dBm) * * RF signal power at the antenna, decibel difference from * one milliwatt. * * IEEE80211_RADIOTAP_DBM_ANTNOISE int8_t decibels from * one milliwatt (dBm) * * RF noise power at the antenna, decibel difference from one * milliwatt. * * IEEE80211_RADIOTAP_DB_ANTSIGNAL uint8_t decibel (dB) * * RF signal power at the antenna, decibel difference from an * arbitrary, fixed reference. * * IEEE80211_RADIOTAP_DB_ANTNOISE uint8_t decibel (dB) * * RF noise power at the antenna, decibel difference from an * arbitrary, fixed reference point. * * IEEE80211_RADIOTAP_LOCK_QUALITY uint16_t unitless * * Quality of Barker code lock. Unitless. Monotonically * nondecreasing with "better" lock strength. Called "Signal * Quality" in datasheets. (Is there a standard way to measure * this?) * * IEEE80211_RADIOTAP_TX_ATTENUATION uint16_t unitless * * Transmit power expressed as unitless distance from max * power set at factory calibration. 0 is max power. * Monotonically nondecreasing with lower power levels. * * IEEE80211_RADIOTAP_DB_TX_ATTENUATION uint16_t decibels (dB) * * Transmit power expressed as decibel distance from max power * set at factory calibration. 0 is max power. Monotonically * nondecreasing with lower power levels. * * IEEE80211_RADIOTAP_DBM_TX_POWER int8_t decibels from * one milliwatt (dBm) * * Transmit power expressed as dBm (decibels from a 1 milliwatt * reference). This is the absolute power level measured at * the antenna port. * * IEEE80211_RADIOTAP_FLAGS uint8_t bitmap * * Properties of transmitted and received frames. See flags * defined below. * * IEEE80211_RADIOTAP_ANTENNA uint8_t antenna index * * Unitless indication of the Rx/Tx antenna for this packet. * The first antenna is antenna 0. * * IEEE80211_RADIOTAP_RX_FLAGS uint16_t bitmap * * Properties of received frames. See flags defined below. * * IEEE80211_RADIOTAP_TX_FLAGS uint16_t bitmap * * Properties of transmitted frames. See flags defined below. * * IEEE80211_RADIOTAP_RTS_RETRIES uint8_t data * * Number of rts retries a transmitted frame used. * * IEEE80211_RADIOTAP_DATA_RETRIES uint8_t data * * Number of unicast retries a transmitted frame used. */ enum ieee80211_radiotap_type { IEEE80211_RADIOTAP_TSFT = 0, IEEE80211_RADIOTAP_FLAGS = 1, IEEE80211_RADIOTAP_RATE = 2, IEEE80211_RADIOTAP_CHANNEL = 3, IEEE80211_RADIOTAP_FHSS = 4, IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 5, IEEE80211_RADIOTAP_DBM_ANTNOISE = 6, IEEE80211_RADIOTAP_LOCK_QUALITY = 7, IEEE80211_RADIOTAP_TX_ATTENUATION = 8, IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 9, IEEE80211_RADIOTAP_DBM_TX_POWER = 10, IEEE80211_RADIOTAP_ANTENNA = 11, IEEE80211_RADIOTAP_DB_ANTSIGNAL = 12, IEEE80211_RADIOTAP_DB_ANTNOISE = 13, IEEE80211_RADIOTAP_RX_FLAGS = 14, IEEE80211_RADIOTAP_TX_FLAGS = 15, IEEE80211_RADIOTAP_RTS_RETRIES = 16, IEEE80211_RADIOTAP_DATA_RETRIES = 17, IEEE80211_RADIOTAP_XCHANNEL = 18, IEEE80211_RADIOTAP_EXT = 31 }; #ifndef _KERNEL /* Channel flags. */ #define IEEE80211_CHAN_TURBO 0x0010 /* Turbo channel */ #define IEEE80211_CHAN_CCK 0x0020 /* CCK channel */ #define IEEE80211_CHAN_OFDM 0x0040 /* OFDM channel */ #define IEEE80211_CHAN_2GHZ 0x0080 /* 2 GHz spectrum channel. */ #define IEEE80211_CHAN_5GHZ 0x0100 /* 5 GHz spectrum channel */ #define IEEE80211_CHAN_PASSIVE 0x0200 /* Only passive scan allowed */ #define IEEE80211_CHAN_DYN 0x0400 /* Dynamic CCK-OFDM channel */ #define IEEE80211_CHAN_GFSK 0x0800 /* GFSK channel (FHSS PHY) */ #endif /* !_KERNEL */ /* For IEEE80211_RADIOTAP_FLAGS */ #define IEEE80211_RADIOTAP_F_CFP 0x01 /* sent/received * during CFP */ #define IEEE80211_RADIOTAP_F_SHORTPRE 0x02 /* sent/received * with short * preamble */ #define IEEE80211_RADIOTAP_F_WEP 0x04 /* sent/received * with WEP encryption */ #define IEEE80211_RADIOTAP_F_FRAG 0x08 /* sent/received * with fragmentation */ #define IEEE80211_RADIOTAP_F_FCS 0x10 /* frame includes FCS */ #define IEEE80211_RADIOTAP_F_DATAPAD 0x20 /* frame has padding between * 802.11 header and payload * (to 32-bit boundary) */ #define IEEE80211_RADIOTAP_F_BADFCS 0x40 /* does not pass FCS check */ /* For IEEE80211_RADIOTAP_RX_FLAGS */ #define IEEE80211_RADIOTAP_F_RX_BADFCS 0x0001 /* Frame failed CRC check. * * Deprecated: use the flag * IEEE80211_RADIOTAP_F_BADFCS in * the IEEE80211_RADIOTAP_FLAGS * field, instead. */ /* For IEEE80211_RADIOTAP_TX_FLAGS */ #define IEEE80211_RADIOTAP_F_TX_FAIL 0x0001 /* failed due to excessive * retries */ #define IEEE80211_RADIOTAP_F_TX_CTS 0x0002 /* used cts 'protection' */ #define IEEE80211_RADIOTAP_F_TX_RTS 0x0004 /* used rts/cts handshake */ #endif /* !_NET80211_IEEE80211_RADIOTAP_H_ */ #endif argus-3.0.8.2/include/argus/md5.h000444 000765 000024 00000002676 12513222401 017031 0ustar00carterstaff000000 000000 /* MD5.H - header file for MD5C.C */ /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ /* * $Id: //depot/argus/argus-3.0/clients/include/md5.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* MD5 context. */ #ifndef MD5_H #define MD5_H 0 typedef struct { UINT4 state[4]; /* state (ABCD) */ UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ unsigned char buffer[64]; /* input buffer */ } MD5_CTX; void MD5Init (MD5_CTX *); void MD5Update (MD5_CTX *, unsigned char *, unsigned int); void MD5Final (unsigned char [16], MD5_CTX *); #endif argus-3.0.8.2/include/argus/ppp.h000444 000765 000024 00000004570 12513222401 017136 0ustar00carterstaff000000 000000 /* * Point to Point Protocol (PPP) RFC1331 * * Copyright 1989 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/argus/argus-3.0/clients/include/ppp.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ #define PPP_ADDRESS 0xff /* The address byte value */ #define PPP_CONTROL 0x03 /* The control byte value */ /* Protocol numbers */ #define PPP_IP 0x0021 /* Raw IP */ #define PPP_OSI 0x0023 /* OSI Network Layer */ #define PPP_NS 0x0025 /* Xerox NS IDP */ #define PPP_DECNET 0x0027 /* DECnet Phase IV */ #define PPP_APPLE 0x0029 /* Appletalk */ #define PPP_IPX 0x002b /* Novell IPX */ #define PPP_VJC 0x002d /* Van Jacobson Compressed TCP/IP */ #define PPP_VJNC 0x002f /* Van Jacobson Uncompressed TCP/IP */ #define PPP_BRPDU 0x0031 /* Bridging PDU */ #define PPP_STII 0x0033 /* Stream Protocol (ST-II) */ #define PPP_VINES 0x0035 /* Banyan Vines */ #define PPP_HELLO 0x0201 /* 802.1d Hello Packets */ #define PPP_LUXCOM 0x0231 /* Luxcom */ #define PPP_SNS 0x0233 /* Sigma Network Systems */ #define PPP_IPCP 0x8021 /* IP Control Protocol */ #define PPP_OSICP 0x8023 /* OSI Network Layer Control Protocol */ #define PPP_NSCP 0x8025 /* Xerox NS IDP Control Protocol */ #define PPP_DECNETCP 0x8027 /* DECnet Control Protocol */ #define PPP_APPLECP 0x8029 /* Appletalk Control Protocol */ #define PPP_IPXCP 0x802b /* Novell IPX Control Protocol */ #define PPP_STIICP 0x8033 /* Strean Protocol Control Protocol */ #define PPP_VINESCP 0x8035 /* Banyan Vines Control Protocol */ #define PPP_LCP 0xc021 /* Link Control Protocol */ #define PPP_PAP 0xc023 /* Password Authentication Protocol */ #define PPP_LQM 0xc025 /* Link Quality Monitoring */ #define PPP_CHAP 0xc223 /* Challenge Handshake Authentication Protocol */ argus-3.0.8.2/include/argus/saslint.h000444 000765 000024 00000011333 12513222401 020007 0ustar00carterstaff000000 000000 /* saslint.h - internal SASL library definitions * Tim Martin */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * $Id: //depot/argus/argus/include/argus/saslint.h#2 $ * $DateTime: 2011/01/26 17:16:43 $ * $Change: 2088 $ */ #if !defined(Saslint_h) #define Saslint_h #include typedef struct { const sasl_callback_t *callbacks; const char *appname; } sasl_global_callbacks_t; typedef struct sasl_mech_secret { unsigned long len; unsigned long mechoffset; /* 0 if plain mechanism */ unsigned long useroffset; char buf[1]; } sasl_mech_secret_t; typedef struct sasl_credentials sasl_credentials_t; typedef struct sasl_out_params { int doneflag; /* exchange complete */ sasl_ssf_t mech_ssf; /* security layer strength factor of mech */ unsigned maxoutbuf; /* max plain output to security layer */ /* mic functions differs from encode in that the output is intended to be * appended to the input rather than an encapsulated variant of it. * a plugin which supports getmic()/verifymic() but not * encode()/decode() should be exportable. Ditto for framework. * datalen param of verifymic returns length of data in buffer */ void *encode_context; int (*encode)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); int (*getmic)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); void *decode_context; int (*decode)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); int (*verifymic)(void *context, const char *input, unsigned inputlen, unsigned *datalen); char *user; /* canonicalized user name */ char *authid; /* canonicalized authentication id */ char *realm; /* security realm */ /* set to 0 initially, this allows a plugin with extended parameters * to work with an older framework by updating version as parameters * are added. */ int param_version; /* Credentials passed by clients. NOTE: this should ONLY * be set by server plugins. */ sasl_credentials_t *credentials; } sasl_out_params_t; struct sasl_conn { void (*destroy_conn)(sasl_conn_t *); /* destroy function */ int open; /* connection open or not */ char *service; int secflags; /* security layer flags passed to sasl_*_new */ int got_ip_local, got_ip_remote; struct sockaddr_in ip_local, ip_remote; sasl_external_properties_t external; void *context; sasl_out_params_t oparams; sasl_security_properties_t props; sasl_secret_t *secret; int uses_sec_layer; /* if need to encrypt/decrpt all transmissions */ void *mutex; int (*idle_hook)(sasl_conn_t *conn); const sasl_callback_t *callbacks; const sasl_global_callbacks_t *global_callbacks; /* global callbacks * for this * connection */ char *serverFQDN; }; #endif /* SASLINT_H */ argus-3.0.8.2/include/argus/sll.h000444 000765 000024 00000013043 12513222401 017124 0ustar00carterstaff000000 000000 /*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/argus/argus/include/argus/sll.h#2 $ * $DateTime: 2011/01/26 17:16:43 $ * $Change: 2088 $ */ #if !defined(sll_h) #define sll_h /* * For captures on Linux cooked sockets, we construct a fake header * that includes: * * a 2-byte "packet type" which is one of: * * LINUX_SLL_HOST packet was sent to us * LINUX_SLL_BROADCAST packet was broadcast * LINUX_SLL_MULTICAST packet was multicast * LINUX_SLL_OTHERHOST packet was sent to somebody else * LINUX_SLL_OUTGOING packet was sent *by* us; * * a 2-byte Ethernet protocol field; * * a 2-byte link-layer type; * * a 2-byte link-layer address length; * * an 8-byte source link-layer address, whose actual length is * specified by the previous value. * * All fields except for the link-layer address are in network byte order. * * DO NOT change the layout of this structure, or change any of the * LINUX_SLL_ values below. If you must change the link-layer header * for a "cooked" Linux capture, introduce a new DLT_ type (ask * "tcpdump-workers@tcpdump.org" for one, so that you don't give it a * value that collides with a value already being used), and use the * new header in captures of that type, so that programs that can * handle DLT_LINUX_SLL captures will continue to handle them correctly * without any change, and so that capture files with different headers * can be told apart and programs that read them can dissect the * packets in them. * * This structure, and the #defines below, must be the same in the * libpcap and tcpdump versions of "sll.h". */ /* * A DLT_LINUX_SLL fake link-layer header. */ #define SLL_HDR_LEN 16 /* total header length */ #define SLL_ADDRLEN 8 /* length of address field */ struct sll_header { u_short sll_pkttype; /* packet type */ u_short sll_hatype; /* link-layer address type */ u_short sll_halen; /* link-layer address length */ u_char sll_addr[SLL_ADDRLEN]; /* link-layer address */ u_short sll_protocol; /* protocol */ }; /* * The LINUX_SLL_ values for "sll_pkttype"; these correspond to the * PACKET_ values on Linux, but are defined here so that they're * available even on systems other than Linux, and so that they * don't change even if the PACKET_ values change. */ #define LINUX_SLL_HOST 0 #define LINUX_SLL_BROADCAST 1 #define LINUX_SLL_MULTICAST 2 #define LINUX_SLL_OTHERHOST 3 #define LINUX_SLL_OUTGOING 4 /* * The LINUX_SLL_ values for "sll_protocol"; these correspond to the * ETH_P_ values on Linux, but are defined here so that they're * available even on systems other than Linux. We assume, for now, * that the ETH_P_ values won't change in Linux; if they do, then: * * if we don't translate them in "pcap-linux.c", capture files * won't necessarily be readable if captured on a system that * defines ETH_P_ values that don't match these values; * * if we do translate them in "pcap-linux.c", that makes life * unpleasant for the BPF code generator, as the values you test * for in the kernel aren't the values that you test for when * reading a capture file, so the fixup code run on BPF programs * handed to the kernel ends up having to do more work. * * Add other values here as necessary, for handling packet types that * might show up on non-Ethernet, non-802.x networks. (Not all the ones * in the Linux "if_ether.h" will, I suspect, actually show up in * captures.) */ #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */ #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */ #endif argus-3.0.8.2/events/argus-extip.pl000555 000765 000024 00000001337 12627617701 017555 0ustar00carterstaff000000 000000 #!@PERLBIN@ # # Argus Software # Copyright (c) 2006-2015 QoSient, LLC # All rights reserved. # # argus-lsof - Report open inet sockets and provide application names as # XML oriented argus events. # # Carter Bullard # QoSient, LLC # use POSIX; use strict; my $wget = `which wget`; my $host = "qosient.com/argus/argusPublicIP.php"; my $options = "-q -O -"; chomp($wget); my @args = "$wget $host $options"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { $data =~ s//>\n/gs; print "$data"; } close(SESAME); print " \n"; print "\n"; argus-3.0.8.2/events/argus-lsof.pl000555 000765 000024 00000001124 12513222401 017340 0ustar00carterstaff000000 000000 #!@PERLBIN@ # # Argus Software # Copyright (c) 2006-2015 QoSient, LLC # All rights reserved. # # argus-lsof - Report open inet sockets and provide application names as # XML oriented argus events. # # Carter Bullard # QoSient, LLC # use POSIX; use strict; my $lsof = `which lsof`; chomp($lsof); my @args = "$lsof -i -n -P "; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { print " $data"; } close(SESAME); print " \n"; print "\n"; argus-3.0.8.2/events/argus-snmp.sh000555 000765 000024 00000003077 12513222401 017362 0ustar00carterstaff000000 000000 #!/bin/sh # # Argus Software # Copyright (c) 2006-2015 QoSient, LLC # All rights reserved. # # argus-snmp - collect snmp stats and report them as XML oriented argus events. # This program requires a lot of site specific customization, and # so, be sure and change the community string for snmp agent access # and pick the interfaces of interest. # # Carter Bullard # QoSient, LLC # # $Id: //depot/argus/argus/events/argus-snmp.sh#7 $ # $DateTime: 2015/04/06 10:38:44 $ # $Change: 2973 $ # prog="/usr/bin/snmpwalk -Os -c qosient -v 2c 10.0.1.1" stats="/usr/bin/snmpget -Os -c qosient -v 2c 10.0.1.1" interfaces="2 3 9" echo "" echo " " retn=`$prog ipNetToMediaPhysAddress | awk 'BEGIN{FS="="}{print " < Label = \""$1"\" Value = \""$2"\" />"}'`; echo "$retn" echo " " echo " " for i in $interfaces; do echo " "`$stats ifInUcastPkts.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutUcastPkts.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifInOctets.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutOctets.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutDiscards.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; done echo " " echo "" argus-3.0.8.2/events/argus-vmstat.sh000555 000765 000024 00000001512 12513222401 017713 0ustar00carterstaff000000 000000 #!/bin/bash # # Argus Software # Copyright (c) 2006-2015 QoSient, LLC # All rights reserved. # # vmstat - report vmstat output as XML oriented argus event. # This example is provided to show how you can format most programs # to get to the XML oriented output used by the argus events system. # # Carter Bullard # QoSient, LLC # # # $Id: //depot/argus/argus/events/argus-vmstat.sh#6 $ # $DateTime: 2015/04/06 10:38:44 $ # $Change: 2973 $ # output=`vm_stat | sed -e 's/"//g' -e 's/\.//' -e 's/: */:/' | \ awk 'BEGIN {FS = ":"}{ if ($1=="Mach Virtual Memory Statistics") \ print " " ; \ else print " < Label = \""$1"\" Value = \""$2"\" />"}'` # # echo "" echo "$output" echo " " echo "" argus-3.0.8.2/events/Makefile.in000444 000765 000024 00000006453 12627620157 017015 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER # IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, # ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF # THIS SOFTWARE. # # Various configurable paths (remember to edit Makefile.in, not Makefile) # NOOP = $(SHELL) -c true NOECHO = @ # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the system binaries SBINDIR = @sbindir@ # Pathname of directory to install the system binaries BINDIR = @bindir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # Pathname of preferred perl to use for perl scripts PERL = @V_PERL@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ COMPATLIB = @COMPATLIB@ WRAPLIBS = @WRAPLIBS@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ INCLS = -I$(srcdir) @V_INCLS@ -I$(srcdir)/../include DEFS = @DEFS@ #DEFS = -DARGUSPERFMETRICS=1 @DEFS@ # Standard CFLAGS CFLAGS = $(CCOPT) @LBL_CFLAGS@ $(INCLS) $(DEFS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< SRC = argus-extip.pl argus-lsof.pl argus-snmp.sh argus-vmstat.sh PROG = @INSTALL_BIN@/argus-extip @INSTALL_BIN@/argus-lsof @INSTALL_BIN@/argus-snmp @INSTALL_BIN@/argus-vmstat CLEANFILES = $(PROG) all: $(PROG) @INSTALL_BIN@/argus-extip: argus-extip.pl sed 's+@PERLBIN@+$(PERL)+' argus-extip.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-lsof: argus-lsof.pl sed 's+@PERLBIN@+$(PERL)+' argus-lsof.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-snmp: argus-snmp.sh cp -f argus-snmp.sh $@ @INSTALL_BIN@/argus-vmstat: argus-vmstat.sh cp -f argus-vmstat.sh $@ install: all force [ -d $(DESTDIR)$(SBINDIR) ] || \ (mkdir -p $(DESTDIR)$(SBINDIR); chmod 755 $(DESTDIR)$(SBINDIR)) $(INSTALL) $(srcdir)/../bin/argus-extip $(DESTDIR)$(BINDIR)/argus-extip $(INSTALL) $(srcdir)/../bin/argus-lsof $(DESTDIR)$(BINDIR)/argus-lsof $(INSTALL) $(srcdir)/../bin/argus-snmp $(DESTDIR)$(BINDIR)/argus-snmp $(INSTALL) $(srcdir)/../bin/argus-vmstat $(DESTDIR)$(BINDIR)/argus-vmstat uninstall: all force rm -f $(DESTDIR)$(BINDIR)/argus-extip rm -f $(DESTDIR)$(BINDIR)/argus-lsof rm -f $(DESTDIR)$(BINDIR)/argus-snmp rm -f $(DESTDIR)$(BINDIR)/argus-vmstat clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile force: /tmp depend: force $(NOECHO) $(NOOP) argus-3.0.8.2/events/README000444 000765 000024 00000006221 12513222401 015601 0ustar00carterstaff000000 000000 /* * Argus Software - README * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ Argus Event Examples 3.0 QoSient, LLC http://qosient.com/argus Argus, running as a daemon, can be configured to run programs periodically, and to transport the resulting output as an ARGUS_EVENT. This basic mechanism, allows argus to collect additional situational awareness data and insert it into the argus flow data stream. See the configuration support descriptions in argus.conf.5 for details on this feature. The types of information envisioned for this feature is SNMP collected data, system information, such as resource utilization, temperature, open files and syslog information. But it is not limited to these simple examples. The system is designed to collect and transport ASCII output, upto 64K in length, so it will support unstructured data. The examples below, however, implement a structured approach, to aid argus data collectors, mediators and analysis engines the ability to parse and use the data. This directory contains perl and shell scripts to generate the data for the argus events functions. These scripts were developed on Mac OS X Snow Leopard, and as such may not port cleanly. As a result, we do not install these programs in the automated installation process. Problems, bugs, questions, desirable enhancements, source code contributions, etc., should be sent to argus-info@lists.andrew.cmu.edu ************************************************************ IMPORTANT: Send problems, bug reports, questions and comments to the argus mailing list at Carnegie Mellon University: argus-info@lists.andrew.cmu.edu. Please use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non-relevant to your problem. Bug reports not generated by Argusbug might be silently ignored by the Argus maintainers, so please use the tool. A report that says 'Argus does not work. Why?' will not be considered a valid bug report. ************************************************************ Comprehensive network transaction auditing is an extremely powerful network management tool, and a large number of sites can benefit from the prototype work that has been done through the Argus Project. Again, thank you for your interest in Argus. I hope that you find the software useful. Carter Bullard carter@qosient.com argus-3.0.8.2/doc/README000444 000765 000024 00000002465 12513222401 015050 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND * FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF * CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * */ All documenation for argus-3.0 can be found on the argus home website: http://qosient.com/argus/ If you find that any documentation is either not current, or incorrect, please don't hesitate to send email to the argus developers mailing list, or argus@qosient.com. Man page conversion to pdf's is done with the shell script below, using Ghostscript's ps2pdf on Linux and pstopdf on Mac OS X. Both use "man -t" to generates postscript output. This maybe the case on all Unix's but not sure about that. for i in man/*/*; \ do echo $i; \ man -t $i | ps2pdf - `echo $i | sed -e "s/man/doc\/pdf\/man/"`.pdf; \ done For Mac OS X, use pstopdf. for i in man/*/*; \ do echo $i; \ man -t $i | pstopdf -i -o `echo $i | sed -e "s/man/doc\/pdf\/man/"`.pdf; \ done argus-3.0.8.2/debian/argus.postinst000755 000765 000024 00000002042 12513222401 017567 0ustar00carterstaff000000 000000 #!/bin/sh # postinst script for argus # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ -x "/etc/init.d/argus" ]; then if [ ! -e "/etc/init/argus.conf" ]; then update-rc.d argus start 55 2 3 4 5 . stop 45 0 1 6 . >/dev/null fi invoke-rc.d argus start || exit $? fi exit 0 ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 argus-3.0.8.2/debian/argus.postrm000755 000765 000024 00000000265 12513222401 017235 0ustar00carterstaff000000 000000 #!/bin/sh set -e # Automatically added by dh_installinit if [ "$1" = "purge" ] ; then update-rc.d argus remove >/dev/null fi # End automatically added section #DEBHELPER# exit 0 argus-3.0.8.2/debian/argus.preinst000755 000765 000024 00000001317 12513222401 017374 0ustar00carterstaff000000 000000 #!/bin/sh # preinst script for argus # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in install|upgrade) # # stop the daemon before upgrade # if [ -x "/etc/init.d/argus" ]; then invoke-rc.d argus stop || exit $? fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 argus-3.0.8.2/debian/argus.prerm000755 000765 000024 00000000227 12513222401 017034 0ustar00carterstaff000000 000000 #!/bin/sh set -e # # stop the daemon before uninstall # if [ -x "/etc/init.d/argus" ]; then invoke-rc.d argus stop || exit $? fi #DEBHELPER# exit 0 argus-3.0.8.2/debian/changelog000644 000765 000024 00000000231 12513222401 016506 0ustar00carterstaff000000 000000 argus (3.0.8-1ppa1) precise; urgency=low * Initial release Argus 3.0.8 -- Ponsonby Britt Thu, 04 Jul 1776 13:38:40 -0400 argus-3.0.8.2/debian/compat000644 000765 000024 00000000002 12513222401 016036 0ustar00carterstaff000000 000000 9 argus-3.0.8.2/debian/control000644 000765 000024 00000001143 12513222401 016242 0ustar00carterstaff000000 000000 Source: argus Section: utils Priority: optional Maintainer: Carter Bullard Build-Depends: debhelper (>= 9.0.0), autotools-dev, flex, bison, libpcap-dev, libwrap0-dev, zlib1g-dev Standards-Version: 3.9.6 Homepage: http://qosient.com/argus Package: argus Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: network flow sensor The ARGUS (Audit Record Generation And Utilization System) is an data network transaction auditing system. The data generated by argus can be used for a wide range of tasks such as network operations, security and performance management. argus-3.0.8.2/debian/copyright000644 000765 000024 00000003424 12513223357 016611 0ustar00carterstaff000000 000000 Format: http://dep.debian.net/deps/dep5 Upstream-Name: argus Source: http://qosient.com/argus Files: * Copyright: 2000-2015 QoSient, LLC Carter Bullard License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . # If you want to use GPL v2 or later for the /debian/* files use # the following clauses, or change it to suit. Delete these two lines Files: debian/* Copyright: 2015 QoSient, LLC Carter Bullard License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". argus-3.0.8.2/debian/docs000644 000765 000024 00000000007 12513222401 015510 0ustar00carterstaff000000 000000 README argus-3.0.8.2/debian/install000644 000765 000024 00000000264 12513222401 016233 0ustar00carterstaff000000 000000 pkg/argus.conf /etc/ pkg/ubuntu/init.d/argus /etc/init.d/ pkg/ubuntu/default/argus /etc/default/ debian/tmp/usr/bin/ usr/ debian/tmp/usr/sbin/ usr/ support/ usr/share/doc/argus argus-3.0.8.2/debian/manpages000644 000765 000024 00000000100 12513224633 016356 0ustar00carterstaff000000 000000 debian/tmp/usr/share/man/man5/* debian/tmp/usr/share/man/man8/* argus-3.0.8.2/debian/rules000755 000765 000024 00000001032 12513222401 015714 0ustar00carterstaff000000 000000 #!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ --with autotools-dev override_dh_auto_install: dh_auto_install --destdir=$(CURDIR)/debian/tmp argus-3.0.8.2/debian/source/000755 000765 000024 00000000000 12513222401 016140 5ustar00carterstaff000000 000000 argus-3.0.8.2/debian/source/format000644 000765 000024 00000000014 12513222401 017346 0ustar00carterstaff000000 000000 3.0 (quilt) argus-3.0.8.2/config/config.guess000555 000765 000024 00000123550 12513222401 017207 0ustar00carterstaff000000 000000 #! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # # Please send patches with a ChangeLog entry to config-patches@gnu.org. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu eval $set_cc_for_build cat <<-EOF > $dummy.c #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #else LIBC=gnu #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW64*:*) echo ${UNAME_MACHINE}-pc-mingw64 exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; aarch64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="gnulibc1" ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-${LIBC} exit ;; ppc64le:Linux:*:*) echo powerpc64le-unknown-linux-${LIBC} exit ;; ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; x86_64:Haiku:*:*) echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown eval $set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub # that puts up a graphical alert prompting to install # developer tools. Any system running Mac OS X 10.7 or # later (Darwin 11 and later) is required to have a 64-bit # processor. This is not true of the ARM version of Darwin # that Apple uses in portable devices. UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; esac cat >&2 < in order to provide the needed information to handle your system. config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: argus-3.0.8.2/config/config.sub000555 000765 000024 00000105634 12513222401 016655 0ustar00carterstaff000000 000000 #! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-05-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. ;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc os=-mingw64 ;; mingw32) basic_machine=i686-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i686-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; c8051-*) os=-elf ;; hexagon-*) os=-elf ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: argus-3.0.8.2/config/install-sh000555 000765 000024 00000012721 12513222401 016670 0ustar00carterstaff000000 000000 #! /bin/sh # # install - install a program, script, or datafile # This comes from X11R5 (mit/util/scripts/install.sh). # # Copyright 1991 by the Massachusetts Institute of Technology # # Permission to use, copy, modify, distribute, and sell this software and its # documentation for any purpose is hereby granted without fee, provided that # the above copyright notice appear in all copies and that both that # copyright notice and this permission notice appear in supporting # documentation, and that the name of M.I.T. not be used in advertising or # publicity pertaining to distribution of the software without specific, # written prior permission. M.I.T. makes no representations about the # suitability of this software for any purpose. It is provided "as is" # without express or implied warranty. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. It can only install one file at a time, a restriction # shared with many OS's install programs. # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit="${DOITPROG-}" # put in absolute paths if you don't have them in your path; or use env. vars. mvprog="${MVPROG-mv}" cpprog="${CPPROG-cp}" chmodprog="${CHMODPROG-chmod}" chownprog="${CHOWNPROG-chown}" chgrpprog="${CHGRPPROG-chgrp}" stripprog="${STRIPPROG-strip}" rmprog="${RMPROG-rm}" mkdirprog="${MKDIRPROG-mkdir}" transformbasename="" transform_arg="" instcmd="$mvprog" chmodcmd="$chmodprog 0755" chowncmd="" chgrpcmd="" stripcmd="" rmcmd="$rmprog -f" mvcmd="$mvprog" src="" dst="" dir_arg="" while [ x"$1" != x ]; do case $1 in -c) instcmd="$cpprog" shift continue;; -d) dir_arg=true shift continue;; -m) chmodcmd="$chmodprog $2" shift shift continue;; -o) chowncmd="$chownprog $2" shift shift continue;; -g) chgrpcmd="$chgrpprog $2" shift shift continue;; -s) stripcmd="$stripprog" shift continue;; -t=*) transformarg=`echo $1 | sed 's/-t=//'` shift continue;; -b=*) transformbasename=`echo $1 | sed 's/-b=//'` shift continue;; *) if [ x"$src" = x ] then src=$1 else # this colon is to work around a 386BSD /bin/sh bug : dst=$1 fi shift continue;; esac done if [ x"$src" = x ] then echo "install: no input file specified" exit 1 else true fi if [ x"$dir_arg" != x ]; then dst=$src src="" if [ -d $dst ]; then instcmd=: else instcmd=mkdir fi else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if [ -f $src -o -d $src ] then true else echo "install: $src does not exist" exit 1 fi if [ x"$dst" = x ] then echo "install: no destination specified" exit 1 else true fi # If destination is a directory, append the input filename; if your system # does not like double slashes in filenames, you may need to add some logic if [ -d $dst ] then dst="$dst"/`basename $src` else true fi fi ## this sed command emulates the dirname command dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` # Make sure that the destination directory exists. # this part is taken from Noah Friedman's mkinstalldirs script # Skip lots of stat calls in the usual case. if [ ! -d "$dstdir" ]; then defaultIFS=' ' IFS="${IFS-${defaultIFS}}" oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" pathcomp='' while [ $# -ne 0 ] ; do pathcomp="${pathcomp}${1}" shift if [ ! -d "${pathcomp}" ] ; then $mkdirprog "${pathcomp}" else true fi pathcomp="${pathcomp}/" done fi if [ x"$dir_arg" != x ] then $doit $instcmd $dst && if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi else # If we're going to rename the final executable, determine the name now. if [ x"$transformarg" = x ] then dstfile=`basename $dst` else dstfile=`basename $dst $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename if [ x"$dstfile" = x ] then dstfile=`basename $dst` else true fi # Make a temp file name in the proper directory. dsttmp=$dstdir/#inst.$$# # Move or copy the file name to the temp name $doit $instcmd $src $dsttmp && trap "rm -f ${dsttmp}" 0 && # and set any options; do chmod last to preserve setuid bits # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $instcmd $src $dsttmp" command. if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && # Now rename the file to the real destination. $doit $rmcmd -f $dstdir/$dstfile && $doit $mvcmd $dsttmp $dstdir/$dstfile fi && exit 0 argus-3.0.8.2/config/mkinstalldirs000555 000765 000024 00000001150 12513222401 017464 0ustar00carterstaff000000 000000 #!/bin/sh # Make directory hierarchy. # Written by Noah Friedman # Public domain. defaultIFS=' ' IFS="${IFS-${defaultIFS}}" for file in ${1+"$@"} ; do oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${file} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" test ".${1}" = "." && shift pathcomp='' while test $# -ne 0 ; do pathcomp="${pathcomp}${1}" shift if test ! -d "${pathcomp}"; then echo "mkdir $pathcomp" 1>&2 mkdir "${pathcomp}" fi pathcomp="${pathcomp}/" done done # eof argus-3.0.8.2/common/argus_auth.c000444 000765 000024 00000033565 12513222401 017226 0ustar00carterstaff000000 000000 /* * Argus Software. Common library routines - Authentication * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * QoSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL QoSIENT, LLC BE LIABLE FOR ANY * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF * THIS SOFTWARE. * */ /* * $Id: //depot/argus/argus/common/argus_auth.c#13 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * Written/Maintained/Modified by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/common/argus_auth.c#13 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusAuth #define ArgusAuth #endif #include #include #include #include #include #ifdef ARGUS_SASL #include #include #include #endif /* ARGUS_SASL */ #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); int ArgusInitializeAuthentication (struct ARGUS_INPUT *); int ArgusAuthenticate (struct ARGUS_INPUT *); #ifdef ARGUS_SASL static int RaGetRealm(void *context, int, const char **, const char **); static int RaSimple(void *context, int, const char **, unsigned *); static int RaGetSecret(sasl_conn_t *, void *context, int, sasl_secret_t **); int RaSaslNegotiate(FILE *, FILE *, sasl_conn_t *); int RaGetSaslString (FILE *, char *, int); int RaSendSaslString (FILE *, const char *, int); /* RaCallBacks we support */ static sasl_callback_t RaCallBacks[] = { { SASL_CB_GETREALM, &RaGetRealm, NULL }, { SASL_CB_USER, &RaSimple, NULL }, { SASL_CB_AUTHNAME, &RaSimple, NULL }, { SASL_CB_PASS, &RaGetSecret, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; char *RaSaslMech = NULL; #endif int ArgusInitializeAuthentication (struct ARGUS_INPUT *input) { int retn = 1; #ifdef ARGUS_SASL struct sockaddr_in localaddr, remoteaddr; int salen, fd = input->fd; char *localhostname = NULL; if ((retn = sasl_client_init(RaCallBacks)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_init %d", retn); localhostname = ArgusCalloc (1, 1024); gethostname(localhostname, 1024); if (!strchr (localhostname, '.')) { strcat (localhostname, "."); getdomainname (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname)); } if ((retn = sasl_client_new("argus", localhostname, NULL, SASL_SECURITY_LAYER, &input->sasl_conn)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_new %d", retn); /* set external properties here sasl_setprop(input->sasl_conn, SASL_SSF_EXTERNAL, &extprops); */ /* set required security properties here sasl_setprop(input->sasl_conn, SASL_SEC_PROPS, &secprops); */ /* set ip addresses */ salen = sizeof(localaddr); if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) < 0) perror("getsockname"); salen = sizeof(remoteaddr); if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) < 0) perror("getpeername"); if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_LOCAL, &localaddr)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting localaddr %d", retn); if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_REMOTE, &remoteaddr)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting remoteaddr %d", retn); retn = 1; #endif #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusInitializeAuthentication () returning %d\n", retn); #endif return (retn); } int ArgusAuthenticate (struct ARGUS_INPUT *input) { int retn = 0; if (ArgusInitializeAuthentication(input)) { #ifdef ARGUS_SASL int fd = input->fd; if ((input->in = fdopen(fd, "r")) == NULL) ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen in failed %s", strerror(errno)); if ((input->out = fdopen(fd, "w")) == NULL) ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen out failed %s", strerror(errno)); if ((retn = RaSaslNegotiate(input->in, input->out, input->sasl_conn)) == SASL_OK) retn = 1; else retn = 0; #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticate (0x%x) returning %d\n", input, retn); #endif return (retn); } #ifdef ARGUS_SASL static void RaChop (char *s) /* remove \r\n at end of the line */ { char *p; assert(s); p = s + strlen(s) - 1; if (p[0] == '\n') *p-- = '\0'; if (p >= s && p[0] == '\r') *p-- = '\0'; } static int RaGetRealm(void *context __attribute__((unused)), int id, const char **availrealms, const char **result) { static char buf[1024]; if (id != SASL_CB_GETREALM) return SASL_BADPARAM; if (!result) return SASL_BADPARAM; printf("please choose a realm (available:"); while (*availrealms) { printf(" %s", *availrealms); availrealms++; } printf("): "); fgets(buf, sizeof buf, stdin); RaChop(buf); *result = buf; return SASL_OK; } static char RaSimpleBuf[1024]; static int RaSimple(void *context __attribute__((unused)), int id, const char **result, unsigned *len) { char *ptr = NULL; if (! result) return SASL_BADPARAM; switch (id) { case SASL_CB_USER: if (ustr == NULL) { printf("please enter an authorization id: "); fgets(RaSimpleBuf, sizeof(RaSimpleBuf), stdin); } else { if ((ptr = strchr(ustr, '/')) != NULL) *ptr = '\0'; snprintf (RaSimpleBuf, sizeof(RaSimpleBuf), "%s", ustr); if (ptr) *ptr = '/'; } break; case SASL_CB_AUTHNAME: if (ustr != NULL) if ((ptr = strchr(ustr, '/')) != NULL) ptr++; if (ptr == NULL) { printf("please enter an authentication id: "); fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); } else snprintf (RaSimpleBuf, sizeof(RaSimpleBuf), "%s", ptr); break; default: return SASL_BADPARAM; } RaChop(RaSimpleBuf); *result = RaSimpleBuf; if (len) *len = strlen(RaSimpleBuf); return SASL_OK; } #ifndef HAVE_GETPASSPHRASE static char * getpassphrase(const char *prompt) { return getpass(prompt); } #endif static int RaGetSecret(sasl_conn_t *conn, void *context __attribute__((unused)), int id, sasl_secret_t **psecret) { char *password; size_t len; static sasl_secret_t *x; if (! conn || ! psecret || id != SASL_CB_PASS) return SASL_BADPARAM; if (pstr != NULL) password = pstr; else password = getpassphrase("Password: "); if (! password) return SASL_FAIL; len = strlen(password); x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len); if (!x) { memset(password, 0, len); return SASL_NOMEM; } x->len = len; #if defined(HAVE_STRLCPY) strlcpy(x->data, password, len); #else memset(x->data, 0, len); strncpy(x->data, password, len); #endif memset(password, 0, len); *psecret = x; return SASL_OK; } int RaSaslNegotiate(FILE *in, FILE *out, sasl_conn_t *conn) { int retn = 0; char buf[8192]; char *data; const char *chosenmech; int len, c; #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) receiving capability list... ", in, out, conn); #endif if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) error %s\n", in, buf, sizeof(buf), strerror(errno)); if (RaSaslMech) { /* make sure that 'RaSaslMech' appears in 'buf' */ if (!strstr(buf, RaSaslMech)) { printf("server doesn't offer mandatory mech '%s'\n", RaSaslMech); return 0; } } else RaSaslMech = buf; #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) calling sasl_client_start()", in, out, conn); #endif retn = sasl_client_start(conn, RaSaslMech, NULL, NULL, &data, &len, &chosenmech); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { fputc ('N', out); fflush(out); ArgusLog (LOG_ERR, "RaSaslNegotiate: error starting SASL negotiation"); } if (retn == SASL_INTERACT) ArgusLog (LOG_ERR, "RaSaslNegotiate: returned SASL_INTERACT\n"); #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate: using mechanism %s\n", chosenmech); #endif /* we send two strings; the mechanism chosen and the initial response */ RaSendSaslString(out, chosenmech, strlen(chosenmech)); RaSendSaslString(out, data, len); for (;;) { #ifdef ARGUSDEBUG ArgusDebug (2, "waiting for server reply...\n"); #endif switch (c = fgetc(in)) { case 'O': goto done_ok; case 'N': goto done_no; case 'C': /* continue authentication */ break; default: printf("bad protocol from server (%c %x)\n", c, c); return 0; } if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) returned %d\n", in, buf, sizeof(buf), len); retn = sasl_client_step(conn, buf, len, NULL, &data, &len); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { fputc ('N', out); fflush(out); ArgusLog (LOG_ERR, "RaSaslNegotiate: error performing SASL negotiation"); } if (data) { #ifdef ARGUSDEBUG ArgusDebug (2, "sending response length %d...\n", len); #endif RaSendSaslString(out, data, len); free(data); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "sending null response...\n"); #endif RaSendSaslString(out, "", 0); } } done_ok: #ifdef ARGUSDEBUG ArgusDebug (1, "successful authentication"); #endif return SASL_OK; done_no: #ifdef ARGUSDEBUG ArgusDebug (1, "authentication failed"); #endif return -1; } /* send/recv library for IMAP4 style literals. */ int RaSendSaslString (FILE *f, const char *s, int l) { char saslbuf[MAXSTRLEN]; int len, al = 0; bzero (saslbuf, MAXSTRLEN); snprintf(saslbuf, MAXSTRLEN, "{%d}\r\n", l); len = strlen(saslbuf); bcopy (s, &saslbuf[len], l); len += l; al = fwrite(saslbuf, 1, len, f); fflush(f); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSendSaslString(0x%x, 0x%x, %d)\n", f, s, l); s = saslbuf; if (3 <= Argusdflag) { while (len--) { if (isprint((int)((unsigned char) *s))) { printf("%c ", *s); } else { printf("%x ", (unsigned char) *s); } s++; } printf("\n"); } #endif return al; } int RaGetSaslString (FILE *f, char *buf, int buflen) { int c, len, l; char *s; if ((c = fgetc(f)) != '{') return -1; /* read length */ len = 0; c = fgetc(f); while (isdigit(c)) { len = len * 10 + (c - '0'); c = fgetc(f); } if (c != '}') return -1; if ((c = fgetc(f)) != '\r') return -1; if ((c = fgetc(f)) != '\n') return -1; /* read string */ if (buflen <= len) { fread(buf, buflen - 1, 1, f); buf[buflen - 1] = '\0'; /* discard oversized string */ len -= buflen - 1; while (len--) (void)fgetc(f); len = buflen - 1; } else { fread(buf, len, 1, f); buf[len] = '\0'; } l = len; s = buf; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetSaslString(0x%x, 0x%x, %d)\n", f, s, l); if (3 <= Argusdflag) { while (l--) { if (isprint((int)((unsigned char) *s))) { printf("%c ", *s); } else { printf("%X ", (unsigned char) *s); } s++; } printf("\n"); } #endif return len; } #endif argus-3.0.8.2/common/argus_code.c000444 000765 000024 00000437512 12513311426 017205 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ /* * $Id: //depot/argus/argus/common/argus_code.c#41 $ * $DateTime: 2015/04/14 18:22:14 $ * $Change: 3006 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #include #if defined(HAVE_SOLARIS) || (__FreeBSD__) || (__NetBSD__) || (__OpenBSD__) #include #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* static u_int ArgusNetMask; */ static int fsnaplen; #ifndef __GNUC__ #define inline #endif #ifndef AF_INET6 #define AF_INET6 23 #endif #ifndef IPPROTO_IGRP #define IPPROTO_IGRP 9 #endif #define JMP(c) ((c)|NFF_JMP|NFF_K) #define ARGUSFORKFILTER 1 static u_int off_nl = 0; static int alloc_reg(void); static void free_reg(int); static struct ablock *root; #define NCHUNKS 16 #define CHUNK0SIZE 1024 struct chunk { u_int n_left; void *m; }; static struct chunk chunks[NCHUNKS]; static int cur_chunk; static void *newchunk(u_int); static void freechunks(void); static struct ablock *new_block(int); static struct slist *new_stmt(int); static struct ablock *Argusgen_retblk(int); static void syntax(void); #if defined(ARGUSFORKFILTER) static void deadman(pid_t); #endif static void backpatch(struct ablock *, struct ablock *); static void merge(struct ablock *, struct ablock *); static struct ablock *Argusgen_cmp(int, u_int, u_int, u_int, u_int, int); static struct ablock *Argusgen_mcmp(int, u_int, u_int, u_int, u_int, u_int, int); static struct ablock *Argusgen_bcmp(int, u_int, u_int, u_char *, int); static struct ablock *Argusgen_prototype(u_int, u_int); static struct ablock *Argusgen_hostop(u_int *, u_int *, int, int, u_int); static struct ablock *Argusgen_ehostop(u_char *, int); static struct ablock *Argusgen_host(u_int *, u_int *, int, int, int); static struct ablock *Argusgen_srcid(u_int, u_int, int); static struct ablock *Argusgen_inode(u_int, u_int, int); static struct ablock *Argusgen_gateway(u_char *, u_int *, int, int, int); static struct ablock *Argusgen_portatom(int, long, int); struct ablock *Argusgen_portop(int, int, int, u_int); static struct ablock *Argusgen_port(int, u_int, int, u_int); static int Arguslookup_proto(char *, int); static struct ablock *Argusgen_flow(int); static struct ablock *Argusgen_proto(int, int, int); static struct ablock *Argusgen_ipid(int, int, u_int); static struct ablock *Argusgen_ttl(int, int, u_int); static struct ablock *Argusgen_tos(int, int, u_int); static struct ablock *Argusgen_vid(int, int, u_int); static struct ablock *Argusgen_vpri(int, int, u_int); static struct ablock *Argusgen_mid(int, int, u_int); static struct ablock *Argusgen_byte(int, int, u_int); static struct ablock *Argusgen_pkt(int, int, u_int); static struct ablock *Argusgen_nstroke(int, int, u_int); static struct ablock *Argusgen_seq(int, int, u_int); //static struct ablock *Argusgen_dup(int, int, u_int); static struct ablock *Argusgen_tcpbase(int, int, u_int); static struct ablock *Argusgen_trans(int, int, u_int); static struct ablock *Argusgen_deltadur(int, int, u_int); static struct ablock *Argusgen_deltastart(int, int, u_int); static struct ablock *Argusgen_deltalast(int, int, u_int); static struct ablock *Argusgen_rate(float, int, u_int); static struct ablock *Argusgen_load(float, int, u_int); static struct ablock *Argusgen_inter(float, int, int, u_int); static struct ablock *Argusgen_jitter(float, int, int, u_int); static struct ablock *Argusgen_dur(float, int, u_int); static struct ablock *Argusgen_mean(float, int, u_int); static struct ablock *Argusgen_encaps(int, int, u_int); static u_int net_mask(u_int *); static struct slist *xfer_to_x(struct arth *); static struct slist *xfer_to_a(struct arth *); static struct ablock *Argusgen_len(int, int); static struct ablock *Argusgen_linktype(unsigned int); extern void ArgusLog (int, char *, ...); extern float RaDeltaFloatTime (struct timeval *, struct timeval *); static void * newchunk(n) u_int n; { struct chunk *cp; int k, size; /* XXX Round up to nearest long long. */ n = (n + sizeof(long long) - 1) & ~(sizeof(long long) - 1); cp = &chunks[cur_chunk]; if (n > cp->n_left) { ++cp, k = ++cur_chunk; if (k >= NCHUNKS) ArgusLog(LOG_ERR, "out of memory"); size = CHUNK0SIZE << k; cp->m = (void *)calloc(1, size); memset((char *)cp->m, 0, size); cp->n_left = size; if (n > size) ArgusLog(LOG_ERR, "out of memory"); } cp->n_left -= n; #if defined(ARGUSDEBUG) ArgusDebug (9, "newchunk (%d) returning 0x%x\n", n, (char *)cp->m + cp->n_left); #endif return (void *)((char *)cp->m + cp->n_left); } static void freechunks() { int i; for (i = 0; i < NCHUNKS; ++i) if (chunks[i].m) free(chunks[i].m); #if defined(ARGUSDEBUG) ArgusDebug (9, "freechunks () returning\n"); #endif } /* * A strdup whose allocations are freed after code generation is over. */ char * Argussdup(s) char *s; { int n = strlen(s) + 1; char *cp = newchunk(n); strncpy(cp, s, (n - 1)); #if defined(ARGUSDEBUG) ArgusDebug (7, "Argussdup (%s) returning 0x%x\n", s, cp); #endif return (cp); } static struct ablock * new_block(code) int code; { struct ablock *p; p = (struct ablock *)newchunk(sizeof(*p)); p->s.code = code; p->head = p; #if defined(ARGUSDEBUG) ArgusDebug (9, "new_block (%d) returning 0x%x\n", code, p); #endif return p; } static struct slist * new_stmt(code) int code; { struct slist *p; p = (struct slist *)newchunk(sizeof(*p)); p->s.code = code; #if defined(ARGUSDEBUG) ArgusDebug (9, "new_stmt (%d) returning 0x%x\n", code, p); #endif return p; } static struct ablock * Argusgen_retblk(int v) { struct ablock *b = new_block(NFF_RET|NFF_K); b->s.data.k = v; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_retblk (%d) returning 0x%x\n", v, b); #endif return b; } #if defined(ARGUSFORKFILTER) static void deadman(pid_t pid) { // extern struct ArgusParserStruct *ArgusParser; char *errormsg = "ERROR: compiler timed out"; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile deadman() %s\n", errormsg); #endif kill(pid, SIGTERM); /* if (ArgusParser->ArgusFilterFiledes[1] != -1) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], errormsg, strlen(errormsg))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); } else */ ArgusLog (LOG_INFO, errormsg); } #endif static void syntax() { extern struct ArgusParserStruct *ArgusParser; char response, *errormsg = "SYNTAX ERROR: filter expression"; int len; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile syntax() %s\n", errormsg); #endif if (ArgusParser->ArgusFilterFiledes[1] != -1) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], errormsg, 4)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () syntax error routine wrote %d bytes of error message\n", len); #endif if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () syntax error routine read %d bytes of response\n", len); #endif } else ArgusLog (LOG_ERR, errormsg); exit (1); } char * ArgusFilterCompile(struct nff_program *program, char *buf, int optimize) { extern int argus_n_errors; char *retn = NULL; int len; #if defined(ARGUSFORKFILTER) extern struct ArgusParserStruct *ArgusParser; int width, status = 0; char response; pid_t pid; if ((pipe (ArgusParser->ArgusFilterFiledes)) < 0) ArgusLog (LOG_ERR, "pipe %s", strerror(errno)); if ((pipe (ArgusParser->ArgusControlFiledes)) < 0) ArgusLog (LOG_ERR, "pipe %s", strerror(errno)); if ((pid = fork()) == 0) { #endif fsnaplen = 96; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () calling argus_lex_init(%s)\n", buf); #endif argus_lex_init(buf ? buf : ""); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () calling argus_parse()\n"); #endif argus_parse(); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () argus_parse() done\n"); #endif if (argus_n_errors) { retn = "SYNTAX ERROR: in filter expression"; len = strlen(retn); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile syntax() %s\n", retn); #endif } else { if (root == NULL) root = Argusgen_retblk(fsnaplen); if (optimize) Argusnff_optimize(&root); if (!(root == NULL || (root->s.code == (NFF_RET|NFF_K) && root->s.data.k == 0))) { program->bf_insns = Argusicode_to_fcode(root, &len); program->bf_len = len; freechunks(); retn = (char *)&program->bf_len; } else { ArgusLog (LOG_ALERT, "ArgusFilterCompile: expression rejects all records"); retn = NULL; len = 0; } } #if defined(ARGUSFORKFILTER) if ((len = write (ArgusParser->ArgusFilterFiledes[1], retn, sizeof(program->bf_len))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () wrote %d bytes of program header", len); #endif if (!(argus_n_errors)) { if (program->bf_len > 0) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], program->bf_insns, program->bf_len * sizeof(*program->bf_insns))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write filter retn %s", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () wrote %d bytes of program body", len); #endif } } #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () waiting for response from requestor"); #endif if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () received response"); #endif _exit(EXIT_SUCCESS); } else { struct timeval wait, now, then; float deltatime = 0.0; fd_set readmask; gettimeofday(&now, NULL); then = now; wait.tv_sec = 0; wait.tv_usec = 500000; FD_ZERO (&readmask); FD_SET (ArgusParser->ArgusFilterFiledes[0], &readmask); width = ArgusParser->ArgusFilterFiledes[0] + 1; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () waiting for filter process %d on pipe %d\n", pid, ArgusParser->ArgusFilterFiledes[0]); #endif #define ARGUS_COMPILER_TIMEOUT 1.5 while (((deltatime = RaDeltaFloatTime(&now, &then)) <= ARGUS_COMPILER_TIMEOUT) && (select (width, &readmask, NULL, NULL, &wait) >= 0)) { if (deltatime >= ARGUS_COMPILER_TIMEOUT) { deadman(pid); retn = "TI"; } else { if (FD_ISSET (ArgusParser->ArgusFilterFiledes[0], &readmask)) { if ((len = read (ArgusParser->ArgusFilterFiledes[0], &program->bf_len, sizeof(program->bf_len))) > 0) { if ((!(strstr ((char *)&program->bf_len, "ERR"))) && (!(strstr ((char *)&program->bf_len, "SYN")))) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () read filter length %d\n", program->bf_len); #endif if (program->bf_len > 0) { if ((program->bf_insns = (void *) calloc (program->bf_len, sizeof(*program->bf_insns))) != NULL) { if ((len = read (ArgusParser->ArgusFilterFiledes[0], program->bf_insns, (program->bf_len * sizeof(*program->bf_insns)))) > 0) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () read filter body %d\n", len); #endif retn = 0; status++; } } else ArgusLog(LOG_ERR, "ArgusFilterCompile: calloc error %s\n", strerror(errno)); } else { status++; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () no filter body %d\n", len); #endif } } else { if ((strstr ((char *)&program->bf_len, "SYN"))) retn = "SY"; else retn = "ER"; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () received Error from compiler\n"); #endif } } } } if (status || (retn != NULL)) break; FD_SET (ArgusParser->ArgusFilterFiledes[0], &readmask); width = ArgusParser->ArgusFilterFiledes[0] + 1; wait.tv_sec = 0; wait.tv_usec = 200000; gettimeofday(&now, NULL); } if (!status) { len = waitpid(pid, &status, WNOHANG); if ((len == pid) || (len == -1)) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () filter process %d terminated\n", pid); if (WIFEXITED(status)) { ArgusDebug (4, "ArgusFilterCompile () child %d exited %d\n", pid, WEXITSTATUS(status)); } else if (WIFSIGNALED(status)) { ArgusDebug (4, "ArgusFilterCompile () child %d signaled %d\n", pid, WTERMSIG(status)); } else { ArgusDebug (4, "ArgusFilterCompile () filter process %d terminated\n", pid); return (NULL); } #endif if (len == -1) return (NULL); } } else { if (retn == NULL) retn = "OK"; } if ((len = write (ArgusParser->ArgusControlFiledes[1], retn, 2)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); // now block and wait for the child to be done len = waitpid(pid, &status, 0); } close(ArgusParser->ArgusFilterFiledes[0]); close(ArgusParser->ArgusFilterFiledes[1]); close(ArgusParser->ArgusControlFiledes[0]); close(ArgusParser->ArgusControlFiledes[1]); ArgusParser->ArgusFilterFiledes[0] = 0; ArgusParser->ArgusFilterFiledes[1] = 0; ArgusParser->ArgusControlFiledes[0] = 0; ArgusParser->ArgusControlFiledes[1] = 0; #endif /* ARGUSFORKFILTER */ #if defined(ARGUSDEBUG) ArgusDebug (2, "ArgusFilterCompile () done %d\n", retn); #endif return (retn); } /* * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates * which of the jt and jf fields has been resolved and which is a pointer * back to another unresolved block (or nil). At least one of the fields * in each block is already resolved. */ static void backpatch(list, target) struct ablock *list, *target; { struct ablock *next; while (list) { if (!list->sense) { next = JT(list); JT(list) = target; } else { next = JF(list); JF(list) = target; } list = next; } #if defined(ARGUSDEBUG) ArgusDebug (9, "backpatch (0x%x, 0x%x) returning 0x%x\n", list, target); #endif } /* * Merge the lists in b0 and b1, using the 'sense' field to indicate * which of jt and jf is the link. */ static void merge( struct ablock *b0, struct ablock *b1) { register struct ablock **p = &b0; /* Find end of list. */ while (*p) p = !((*p)->sense) ? &JT(*p) : &JF(*p); /* Concatenate the lists. */ *p = b1; #if defined(ARGUSDEBUG) ArgusDebug (9, "merge (0x%x, 0x%x)\n", b0, b1); #endif } void Argusfinish_parse(struct ablock *p) { if (p != NULL) { backpatch(p, Argusgen_retblk(fsnaplen)); p->sense = !p->sense; backpatch(p, Argusgen_retblk(0)); root = p->head; } #if defined(ARGUSDEBUG) ArgusDebug (3, "Argusfinish_parse (0x%x)\n", p); #endif } void Argusgen_and(b0, b1) struct ablock *b0, *b1; { if (b0 != b1) { backpatch(b0, b1->head); b0->sense = !b0->sense; b1->sense = !b1->sense; merge(b1, b0); b1->sense = !b1->sense; b1->head = b0->head; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_and (0x%x, 0x%x)\n", b0, b1); #endif } void Argusgen_or(b0, b1) struct ablock *b0, *b1; { if (b0 != b1) { b0->sense = !b0->sense; backpatch(b0, b1->head); b0->sense = !b0->sense; merge(b1, b0); b1->head = b0->head; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_or (0x%x, 0x%x)\n", b0, b1); #endif } void Argusgen_not(b) struct ablock *b; { b->sense = !b->sense; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_not (0x%x, 0x%x)\n", b); #endif } static struct ablock * Argusgen_cmp(int dsr, u_int offset, u_int size, u_int v, u_int op, int type) { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_DSR|size); s->s.dsr = dsr; s->s.data.k = offset; switch (op) { case Q_EQUAL: b = new_block(JMP(NFF_JEQ)); break; case Q_LESS: b = new_block(JMP(NFF_JGE)); b->sense = !b->sense; break; case Q_GREATER: b = new_block(JMP(NFF_JGT)); break; case Q_GEQ: b = new_block(JMP(NFF_JGE)); break; case Q_LEQ: b = new_block(JMP(NFF_JGT)); b->sense = !b->sense; break; } b->stmts = s; b->s.data.k = v; b->s.type = type; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_cmp (%d, %d, %d, %d, %d, %d) returns %p\n", dsr, offset, size, v, op, type, b); #endif return b; } static struct ablock * Argusgen_fcmp(int dsr, u_int offset, u_int size, float v, u_int op, int type) { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_DSR|size); s->s.dsr = dsr; s->s.data.k = offset; switch (op) { case Q_EQUAL: b = new_block(JMP(NFF_JEQ|NFF_F)); break; case Q_LESS: b = new_block(JMP(NFF_JGE|NFF_F)); b->sense = !b->sense; break; case Q_GREATER: b = new_block(JMP(NFF_JGT|NFF_F)); break; case Q_GEQ: b = new_block(JMP(NFF_JGE|NFF_F)); break; case Q_LEQ: b = new_block(JMP(NFF_JGT|NFF_F)); b->sense = !b->sense; break; } b->stmts = s; b->s.data.f = v; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_fcmp (%d, %d, %f, %d, %d) returns %p\n", offset, size, v, op, type, b); #endif return b; } static struct ablock * Argusgen_mcmp(int dsr, u_int offset, u_int size, u_int v, u_int mask, u_int op, int type) { struct ablock *b = Argusgen_cmp(dsr, offset, size, (v & mask), op, type); struct slist *s; if (mask != 0xffffffff) { s = new_stmt(NFF_ALU|NFF_AND|NFF_K); s->s.data.k = mask; b->stmts->next = s; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_mcmp (%d, %d, %d, %d, 0x%x, %d) returns %p\n", dsr, offset, size, v, mask, op, b); #endif return b; } static struct ablock * Argusgen_bcmp(int dsr, u_int offset, u_int size, u_char *v, int type) { struct ablock *b, *tmp; b = NULL; while (size >= 4) { u_char *p = &v[size - 4]; u_int w; #if defined(_LITTLE_ENDIAN) w = (p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]; #else w = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; #endif tmp = Argusgen_cmp(dsr, offset + size - 4, NFF_W, w, Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; size -= 4; } while (size >= 2) { u_char *p = &v[size - 2]; u_int w; #if defined(_LITTLE_ENDIAN) w = (p[1] << 8) | p[0]; #else w = (p[0] << 8) | p[1]; #endif tmp = Argusgen_cmp(dsr, offset + size - 2, NFF_H, w, Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; size -= 2; } if (size > 0) { tmp = Argusgen_cmp(dsr, offset, NFF_B, (u_int)v[0], Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_bcmp (%d, %d, %d) returns %p\n", offset, size, v, b); #endif return b; } struct ablock * Argusgen_dns(int v, int value, int dir) { struct ablock *b1 = NULL, *b2 = NULL; struct ArgusRecordStruct argus; /* struct ArgusDnsQueryStruct *sdns = &argus.srcappdata; struct ArgusDnsQueryStruct *ddns = &argus.dstappdata; */ struct ArgusDnsQueryStruct *sdns = (struct ArgusDnsQueryStruct *) &argus.srate; struct ArgusDnsQueryStruct *ddns = (struct ArgusDnsQueryStruct *) &argus.drate; int soffset = ((char *)&sdns - (char *)&argus); int doffset = ((char *)&ddns - (char *)&argus); switch (dir) { case Q_SRC: { b1 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_DST: { b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_OR: case Q_DEFAULT: b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); b2 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b2); Argusgen_or(b2, b1); break; case Q_AND: b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); b2 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b2); Argusgen_and(b2, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dnsauth () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_espstatustype(unsigned int proto) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.esp.status - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); switch (proto) { case ARGUS_SRC_PKTS_DROP: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, ARGUS_SRC_PKTS_DROP, ARGUS_SRC_PKTS_DROP, Q_EQUAL, Q_DEFAULT); break; case ARGUS_DST_PKTS_DROP: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, ARGUS_DST_PKTS_DROP, ARGUS_DST_PKTS_DROP, Q_EQUAL, Q_DEFAULT); break; } if (b0) Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_espstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_ipstatustype(unsigned int proto) { struct ablock *b1 = NULL; switch (proto) { case ARGUS_CON_ESTABLISHED: { struct ablock *b2, *b3; b1 = Argusgen_linktype(ETHERTYPE_IP); b2 = Argusgen_pkt(0, Q_SRC, Q_GREATER); b3 = Argusgen_pkt(0, Q_DST, Q_GREATER); Argusgen_and(b2, b3); Argusgen_and(b3, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_tcpstatustype(unsigned int proto) { struct ablock *b0, *b1; unsigned int value = proto; struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.tcp.status - (char *)&net); b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); switch (proto) { case ARGUS_SRC_CONGESTED: case ARGUS_DST_CONGESTED: case ARGUS_SRC_RESET: case ARGUS_DST_RESET: case ARGUS_SRC_WINDOW_SHUT: case ARGUS_DST_WINDOW_SHUT: case ARGUS_NORMAL_CLOSE: case ARGUS_SAW_SYN: case ARGUS_SAW_SYN_SENT: case ARGUS_CON_ESTABLISHED: case ARGUS_CLOSE_WAITING: case ARGUS_SRC_PKTS_RETRANS: case ARGUS_DST_PKTS_RETRANS: case ARGUS_SRC_OUTOFORDER: case ARGUS_DST_OUTOFORDER: default: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_ipattrstatustype(unsigned int status) { struct ablock *b1; struct ArgusIPAttrStruct ipattr; int offset = ((char *)&ipattr.hdr.argus_dsrvl8.qual - (char *)&ipattr); b1 = Argusgen_mcmp(ARGUS_IPATTR_INDEX, offset, NFF_B, status, status, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipattrstatustype (%d) returns %p\n", status, b1); #endif return (b1); } static struct ablock * Argusgen_causetype(unsigned int cause) { struct ablock *b0 = NULL; struct ArgusCanonRecord canon; int offset = ((char *)&canon.hdr.cause - (char *)&canon); switch (cause) { case ARGUS_START: case ARGUS_STATUS: case ARGUS_STOP: case ARGUS_TIMEOUT: case ARGUS_SHUTDOWN: b0 = Argusgen_mcmp(-1, offset, NFF_B, (u_int) cause, cause, Q_EQUAL, Q_DEFAULT); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_causetype () returns %p\n", b0); #endif return (b0); } static struct ablock * Argusgen_recordtype(unsigned int type) { struct ablock *b0 = NULL; struct ArgusCanonRecord canon; int offset = ((char *)&canon.hdr.type - (char *)&canon); switch (type) { case ARGUS_MAR: case ARGUS_FAR: case ARGUS_EVENT: case ARGUS_INDEX: case ARGUS_DATASUP: b0 = Argusgen_mcmp(-1, offset, NFF_B, (u_int) type, type, Q_EQUAL, Q_DEFAULT); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_recordtype () returns %p\n", b0); #endif return (b0); } static struct ablock * Argusgen_mpls(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusMplsStruct mpls; int offset = ((char *)&mpls.hdr.type - (char *)&mpls); b1 = Argusgen_cmp(ARGUS_MPLS_INDEX, offset, NFF_B, (u_int) ARGUS_MPLS_DSR, Q_EQUAL, Q_DEFAULT); return(b1); } static struct ablock * Argusgen_vlan(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusVlanStruct vlan; int offset = ((char *)&vlan.hdr.type - (char *)&vlan); b1 = Argusgen_cmp(ARGUS_VLAN_INDEX, offset, NFF_B, (u_int) ARGUS_VLAN_DSR, Q_EQUAL, Q_DEFAULT); return(b1); } static struct ablock * Argusgen_linktype(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusFlow flow; int offset = ((char *)&flow.hdr.argus_dsrvl8.qual - (char *)&flow); switch (proto) { default: switch (proto) { case ETHERTYPE_REVARP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ARP, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_ARP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ARP, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_IP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_IPV4, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_IPV6: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_IPV6, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_ISIS: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ISIS, 0x1F, Q_EQUAL, Q_DEFAULT); break; default: { struct ablock *b0 = NULL; b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ETHER, 0x1F, Q_EQUAL, Q_DEFAULT); offset = ((char *)&flow.mac_flow.ehdr.ether_type - (char *)&flow); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_H, (u_int) proto, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } } break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_linktype (0x%x) returns %p\n", proto, b1); #endif return (b1); } static struct ablock * Argusgen_prototype(unsigned int v, unsigned int proto) { struct ArgusFlow flow; struct ArgusNetworkStruct net; struct ablock *b0, *b1; int offset; switch (v) { default: switch (proto) { case Q_IPV4: offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, v, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); return b1; case Q_IPV6: #if defined(_LITTLE_ENDIAN) offset = ((char *)&flow.ipv6_flow - (char *)&flow) + 35; #else offset = ((char *)&flow.ipv6_flow - (char *)&flow) + 32; #endif b0 = Argusgen_linktype(ETHERTYPE_IPV6); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, v, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); return b1; case Q_IP: case Q_DEFAULT: b0 = Argusgen_prototype(v, Q_IPV4); b1 = Argusgen_prototype(v, Q_IPV6); Argusgen_or(b0, b1); return b1; } break; case IPPROTO_UDT: { offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_UDT_FLOW, Q_EQUAL, Q_DEFAULT); break; } case IPPROTO_RTP: { offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IPPROTO_UDP, Q_EQUAL, Q_DEFAULT); offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_RTP_FLOW, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case IPPROTO_RTCP: { offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IPPROTO_UDP, Q_EQUAL, Q_DEFAULT); offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_RTCP_FLOW, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_prototype (0x%x) returns %p\n", proto, b1); #endif return b1; } static struct ablock * Argusgen_hostop(unsigned int *addr, unsigned int *mask, int type, int dir, unsigned int proto) { int offset, src_off = 0, dst_off = 0, len = 0; struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; switch (proto) { case ETHERTYPE_IP: src_off = ((char *)&flow.ip_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ip_flow.ip_dst - (char *)&flow); len = sizeof(flow.ip_flow.ip_src); break; case ETHERTYPE_IPV6: src_off = ((char *)&flow.ipv6_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ipv6_flow.ip_dst - (char *)&flow); len = sizeof(flow.ipv6_flow.ip_src); break; case ETHERTYPE_ARP: src_off = ((char *)&flow.arp_flow.arp_spa - (char *)&flow); dst_off = ((char *)&flow.arp_flow.arp_tpa - (char *)&flow); len = sizeof(flow.arp_flow.arp_spa); break; case ETHERTYPE_REVARP: break; } switch (dir) { case Q_SRC: offset = src_off; break; case Q_DST: offset = dst_off; break; case Q_AND: b0 = Argusgen_hostop(addr, mask, type, Q_SRC, proto); b1 = Argusgen_hostop(addr, mask, type, Q_DST, proto); Argusgen_and(b0, b1); return b1; case Q_OR: case Q_DEFAULT: b0 = Argusgen_hostop(addr, mask, type, Q_SRC, proto); b1 = Argusgen_hostop(addr, mask, type, Q_DST, proto); Argusgen_or(b0, b1); return b1; default: abort(); } switch (len) { case 0: break; case 1: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int)*addr, (u_int)*mask, Q_EQUAL, Q_DEFAULT); break; case 2: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_H, (u_int)*addr, (u_int)*mask, Q_EQUAL, Q_DEFAULT); break; case 4: case 8: case 16: { int i; for (i = 0; i < len/4; i++) { if (mask[i] != 0) { if (b1 == NULL) { b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset + i*4, NFF_W, (u_int)addr[i], (u_int)mask[i], Q_EQUAL, Q_DEFAULT); } else { b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset + i*4, NFF_W, (u_int)addr[i], (u_int)mask[i], Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); } } } } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_hostop (0x%x, 0x%x, %d, %d, 0x%x) returns %p\n", addr, mask, type, dir, proto, b1); #endif return b1; } static struct ablock * Argusgen_ehostop( u_char *eaddr, int dir) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusMacStruct mac; int offset; #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ehostop (0x%x, %d)\n", eaddr, dir); #endif switch (dir) { case Q_SRC: { offset = ((char *)&mac.mac.mac_union.ether.ehdr.ether_shost - (char *)&mac); return Argusgen_bcmp (ARGUS_MAC_INDEX, offset, 6, eaddr, Q_DEFAULT); } case Q_DST: { offset = ((char *)&mac.mac.mac_union.ether.ehdr.ether_dhost - (char *)&mac); return Argusgen_bcmp (ARGUS_MAC_INDEX, offset, 6, eaddr, Q_DEFAULT); } case Q_AND: { b0 = Argusgen_ehostop(eaddr, Q_SRC); b1 = Argusgen_ehostop(eaddr, Q_DST); Argusgen_and(b0, b1); return b1; } case Q_DEFAULT: case Q_OR: { b0 = Argusgen_ehostop(eaddr, Q_SRC); b1 = Argusgen_ehostop(eaddr, Q_DST); Argusgen_or(b0, b1); return b1; } } abort(); /* NOTREACHED */ } extern struct ArgusParserStruct *ArgusParser; static struct ablock * Argusgen_host(u_int *addr, u_int *mask, int type, int proto, int dir) { struct ablock *b0 = NULL, *b1 = NULL; switch (proto) { case Q_DEFAULT: { struct ablock *b2 = NULL; b0 = Argusgen_linktype(ETHERTYPE_ARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_ARP); Argusgen_and(b0, b1); } else b1 = b0; if (!type || (type == Q_IPV4)) { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } if (!type || (type == Q_IPV6)) { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } break; } case Q_IP: { struct ablock *b2 = NULL; if (!type || (type == Q_IPV4)) { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; } if (!type || (type == Q_IPV6)) { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } break; } case Q_IPV6: { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b1); } break; } case Q_IPV4: { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_ARP: { b0 = Argusgen_flow(ARGUS_FLOW_ARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_ARP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_RARP: { b0 = Argusgen_linktype(ETHERTYPE_REVARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_REVARP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_TCP: ArgusLog(LOG_ERR, "'tcp' modifier applied to host"); case Q_UDP: ArgusLog(LOG_ERR, "'udp' modifier applied to host"); case Q_RTP: ArgusLog(LOG_ERR, "'rtp' modifier applied to host"); case Q_RTCP: ArgusLog(LOG_ERR, "'rtcp' modifier applied to host"); case Q_UDT: ArgusLog(LOG_ERR, "'udt' modifier applied to host"); case Q_ICMP: b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; break; case Q_ISIS: ArgusLog(LOG_ERR, "'isis' modifier applied to host"); case Q_RSVP: ArgusLog(LOG_ERR, "'rsvp' modifier applied to host"); default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_host (0x%x, 0x%x, %d, 0x%x, %d) returns %p\n", addr, mask, type, proto, dir, b1); #endif return (b1); } static struct ablock * Argusgen_srcid(u_int addr, u_int mask, int type) { struct ablock *b1 = NULL, *b0 = NULL, *tmp; struct ArgusTransportStruct trans; struct ArgusRecord mar; int offset = ((char *)&mar.argus_mar.argusid - (char *)&mar); tmp = Argusgen_recordtype(ARGUS_MAR); b1 = Argusgen_mcmp(ARGUS_MAR_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b1); offset = ((char *)&trans.srcid - (char *)&trans); tmp = Argusgen_recordtype(ARGUS_FAR); b0 = Argusgen_recordtype(ARGUS_EVENT); Argusgen_or(b0, tmp); b0 = Argusgen_mcmp(ARGUS_TRANSPORT_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b0); Argusgen_or(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_srcid (0x%x, 0x%x) returns %p\n", addr, mask, b1); #endif return (b1); } static struct ablock * Argusgen_inode(u_int addr, u_int mask, int type) { struct ablock *b1 = NULL, *tmp; struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.osrcaddr - (char *)&icmp); tmp = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_mcmp(ARGUS_ICMP_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_inode (0x%x, 0x%x) returns %p\n", addr, mask, b1); #endif return (b1); } static struct ablock * Argusgen_gateway( u_char *eaddr, u_int *alist, int type, int proto, int dir) { struct ablock *b0, *b1 = NULL; u_int maskbuf[4], *mask = maskbuf; if (dir != 0) ArgusLog(LOG_ERR, "direction applied to 'gateway'"); switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV4: case Q_ARP: case Q_RARP: *mask = 0xffffffffL; b0 = Argusgen_ehostop(eaddr, Q_OR); b1 = Argusgen_host(alist, mask, type, proto, Q_OR); Argusgen_not(b1); Argusgen_and(b0, b1); break; case Q_IPV6: default: ArgusLog(LOG_ERR, "illegal modifier of 'gateway'"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_gateway (0x%x, 0x%x, %d, 0x%x, %d) returns %p\n", eaddr, alist, type, proto, dir, b1); #endif return b1; } #include struct ablock * Argusgen_proto_abbrev(proto) int proto; { struct ablock *b0, *b1 = NULL; switch (proto) { case Q_TCP: b1 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); break; case Q_ESP: b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); break; case Q_RTP: b1 = Argusgen_prototype(IPPROTO_RTP, Q_DEFAULT); break; case Q_RTCP: b1 = Argusgen_prototype(IPPROTO_RTCP, Q_DEFAULT); break; case Q_UDT: b1 = Argusgen_prototype(IPPROTO_UDT, Q_DEFAULT); break; case Q_UDP: b1 = Argusgen_prototype(IPPROTO_UDP, Q_DEFAULT); break; case Q_ICMP: b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); break; case Q_IGMP: b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); break; case Q_IGRP: b1 = Argusgen_prototype(IPPROTO_IGRP, Q_DEFAULT); break; case Q_ARP: b1 = Argusgen_flow(ARGUS_FLOW_ARP); break; case Q_MPLS: b1 = Argusgen_mpls(Q_DEFAULT); break; case Q_VLAN: b1 = Argusgen_vlan(Q_DEFAULT); break; case Q_RARP: b1 = Argusgen_linktype(ETHERTYPE_REVARP); break; case Q_IPV6: b1 = Argusgen_linktype(ETHERTYPE_IPV6); break; case Q_IPV4: b1 = Argusgen_linktype(ETHERTYPE_IP); break; case Q_IP: b0 = Argusgen_linktype(ETHERTYPE_IPV6); b1 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_or(b0, b1); break; case Q_ISIS: b1 = Argusgen_linktype(ETHERTYPE_ISIS); break; case Q_MAN: b1 = Argusgen_recordtype(ARGUS_MAR); break; case Q_FAR: b1 = Argusgen_recordtype(ARGUS_FAR); break; case Q_EVENT: b1 = Argusgen_recordtype(ARGUS_EVENT); break; case Q_INDEX: b1 = Argusgen_recordtype(ARGUS_INDEX); break; case Q_CONNECTED: case Q_ESTABLISHED: b0 = Argusgen_ipstatustype(ARGUS_CON_ESTABLISHED); b1 = Argusgen_tcpstatustype(ARGUS_CON_ESTABLISHED); Argusgen_or(b0, b1); break; case Q_MERGED: case Q_ANON: break; case Q_ICMPMAP: { struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b1 = Argusgen_mcmp(ARGUS_ICMP_INDEX, offset, NFF_B, 0, 0x07, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_ECHO: { struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x08, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x00, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_UNREACH: { struct ArgusNetworkStruct net; struct ArgusIcmpStruct icmp; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x03, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPUNREACH_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_REDIRECT: { struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.icmp_type - (char *)&icmp); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, (u_int) 0x05, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPREDIREC_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_TIMEXED: { struct ArgusNetworkStruct net; struct ArgusIcmpStruct icmp; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x0B, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPTIMXCED_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_START: b1 = Argusgen_causetype(ARGUS_START); break; case Q_STOP: b1 = Argusgen_causetype(ARGUS_STOP); break; case Q_STATUS: b1 = Argusgen_causetype(ARGUS_STATUS); break; case Q_SHUTDOWN: b1 = Argusgen_causetype(ARGUS_SHUTDOWN); break; case Q_ERROR: b1 = Argusgen_causetype(ARGUS_ERROR); break; case Q_TIMEDOUT: b1 = Argusgen_causetype(ARGUS_TIMEOUT); break; case Q_RETRANS: b0 = Argusgen_espstatustype(ARGUS_SRC_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_SRC_PKTS_RETRANS); Argusgen_or(b0, b1); b0 = Argusgen_espstatustype(ARGUS_DST_PKTS_DROP); Argusgen_or(b0, b1); b0 = Argusgen_tcpstatustype(ARGUS_DST_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_SRCRETRANS: b0 = Argusgen_espstatustype(ARGUS_SRC_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_SRC_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_DSTRETRANS: b0 = Argusgen_espstatustype(ARGUS_DST_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_DST_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_FRAG: b0 = Argusgen_ipattrstatustype(ARGUS_IPATTR_SRC_FRAGMENTS); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_DST_FRAGMENTS); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_and(b0, b1); break; case Q_SRCFRAG: b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_SRC_FRAGMENTS); Argusgen_and(b0, b1); break; case Q_DSTFRAG: b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_DST_FRAGMENTS); Argusgen_and(b0, b1); break; case Q_OUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_SRC_OUTOFORDER); b0 = Argusgen_tcpstatustype(ARGUS_DST_OUTOFORDER); Argusgen_or(b0, b1); break; case Q_SRCOUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_SRC_OUTOFORDER); break; case Q_DSTOUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_DST_OUTOFORDER); break; case Q_SYN: b1 = Argusgen_tcpstatustype(ARGUS_SAW_SYN); break; case Q_SYNACK: b1 = Argusgen_tcpstatustype(ARGUS_SAW_SYN_SENT); break; case Q_FIN: b1 = Argusgen_tcpstatustype(ARGUS_FIN); break; case Q_FINACK: b1 = Argusgen_tcpstatustype(ARGUS_FIN_ACK); break; case Q_WAIT: b1 = Argusgen_tcpstatustype(ARGUS_CLOSE_WAITING); break; case Q_NORMAL: b1 = Argusgen_tcpstatustype(ARGUS_NORMAL_CLOSE); break; case Q_RTR: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_MEMBERSHIP_QUERY, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_LVG: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_LEAVE_MESSAGE, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_MBR: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_MEMBERSHIP_QUERY, Q_EQUAL, Q_DEFAULT); Argusgen_not(b0); Argusgen_and(b0, b1); break; } case Q_COCODE: { struct ArgusCountryCodeStruct cocode; int offset = ((char *)&cocode.src - (char *)&cocode); b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, offset, NFF_H, 0, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_LINK: ArgusLog(LOG_ERR, "link layer applied in wrong context"); default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_proto_abbrev (%d) returns 0x%x\n", proto, b1); #endif return b1; } static struct ablock * Argusgen_tcpoptatom(int off, u_int v) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, (u_int)v, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpoptatom (%d, %d) returns %p\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_ipidatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_H, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipidatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_ttlatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_B, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ttlatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_tosatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_B, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tosatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_dsbatom(int off, u_int v, u_int op) { struct ablock *b0; v = (v << 2); b0 = Argusgen_mcmp(ARGUS_IPATTR_INDEX, off, NFF_B, v, 0xFC, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dsbatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_vidatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_VLAN_INDEX, off, NFF_H, v, 0x0FFF, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vidatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_vpriatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_VLAN_INDEX, off, NFF_H, (v << 12), 0xF000, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vpriatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_midatom(int off, u_int v, u_int op) { struct ablock *b0; unsigned int mask = 0xFFFFF000; unsigned int label = v << 12; b0 = Argusgen_mcmp(ARGUS_MPLS_INDEX, off, NFF_W, label, mask, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_midatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_encapsatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_ENCAPS_INDEX, off, NFF_W, v, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_encapsatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_portatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, off, NFF_H, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_portatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_pktatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_METRIC_INDEX, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pktatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_byteatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_METRIC_INDEX, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_byteatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_nstrokeatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_BEHAVIOR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_nstrokeatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } /* static struct ablock * Argusgen_dupatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dupatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } */ static struct ablock * Argusgen_tcpbaseatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpbaseatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_transatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_AGR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_transatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_rateatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_rateatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_loadatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_loadatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_plossatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_plossatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_pcratom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pcratom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_duratom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_duratom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_meanatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(-1, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_meanatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_deltaduratom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltaduratom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltastartatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltastartatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltalastatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltalastatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltaspktsatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltaspktsatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltadpktsatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadpktsatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_asnatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_ASN_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_asnatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_coratom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_B, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_coratom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_spiatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_spiatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } struct ablock * Argusgen_portop(int port, int proto, int dir, u_int op) { struct ArgusFlow flow; struct ablock *b0 = NULL, *b1 = NULL, *b2 = NULL; /* ip proto 'proto' */ switch (dir) { case Q_SRC: { int ip4offset = ((char *)&flow.ip_flow.sport - (char *)&flow); int ip6offset = ((char *)&flow.ipv6_flow.sport - (char *)&flow); b1 = Argusgen_prototype(proto, Q_IPV4); b0 = Argusgen_portatom(ip4offset, port, op); Argusgen_and(b0, b1); b2 = Argusgen_prototype(proto, Q_IPV6); b0 = Argusgen_portatom(ip6offset, port, op); Argusgen_and(b0, b2); Argusgen_or(b2, b1); break; } case Q_DST: { int ip4offset = ((char *)&flow.ip_flow.dport - (char *)&flow); int ip6offset = ((char *)&flow.ipv6_flow.dport - (char *)&flow); b1 = Argusgen_prototype(proto, Q_IPV4); b0 = Argusgen_portatom(ip4offset, port, op); Argusgen_and(b0, b1); b2 = Argusgen_prototype(proto, Q_IPV6); b0 = Argusgen_portatom(ip6offset, port, op); Argusgen_and(b0, b2); Argusgen_or(b2, b1); break; } case Q_OR: case Q_DEFAULT: b0 = Argusgen_portop(port, proto, Q_SRC, op); b1 = Argusgen_portop(port, proto, Q_DST, op); Argusgen_or(b0, b1); break; case Q_AND: b0 = Argusgen_portop(port, proto, Q_SRC, op); b1 = Argusgen_portop(port, proto, Q_DST, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_portop (0x%x, 0x%x, %d) returns 0x%x\n", port, proto, dir, b1); #endif return b1; } static struct ablock * Argusgen_port( int port, u_int ip_proto, int dir, u_int op) { struct ablock *b1, *b0; switch (ip_proto) { case IPPROTO_TCP: b1 = Argusgen_portop(port, IPPROTO_TCP, dir, op); break; case IPPROTO_UDP: b1 = Argusgen_portop(port, IPPROTO_UDP, dir, op); break; case IPPROTO_UDT: b1 = Argusgen_portop(port, IPPROTO_UDT, dir, op); break; case IPPROTO_RTP: b0 = Argusgen_portop(port, IPPROTO_UDP, dir, op); b1 = Argusgen_portop(port, IPPROTO_RTP, dir, op); Argusgen_and(b0, b1); break; case IPPROTO_RTCP: b0 = Argusgen_portop(port, IPPROTO_UDP, dir, op); b1 = Argusgen_portop(port, IPPROTO_RTCP, dir, op); Argusgen_and(b0, b1); break; case PROTO_UNDEF: b0 = Argusgen_portop(port, IPPROTO_TCP, dir, op); b1 = Argusgen_portop(port, IPPROTO_UDP, dir, op); Argusgen_or(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_port (0x%x, 0x%x, %d) returns 0x%x\n", port, ip_proto, dir, b1); #endif return b1; } static int Arguslookup_proto( char *name, int proto) { int v = 0; switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV6: case Q_IPV4: v = argus_nametoproto(name); if (v == PROTO_UNDEF) ArgusLog(LOG_ERR, "unknown proto '%s'", name); break; case Q_LINK: /* XXX should look up h/w protocol type based on linktype */ v = argus_nametoeproto(name); if (v == PROTO_UNDEF) ArgusLog(LOG_ERR, "unknown ether proto '%s'", name); break; case Q_MAN: ArgusLog (LOG_ERR, "man proto called '%s'", name); break; default: v = PROTO_UNDEF; break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Arguslookup_proto (%s, 0x%x) returns 0x%x\n", name, proto, v); #endif return v; } static struct ablock * Argusgen_proto( int v, int proto, int dir) { struct ablock *b1; if (dir != Q_DEFAULT) ArgusLog(LOG_ERR, "direction applied to 'proto'"); switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV6: case Q_IPV4: b1 = Argusgen_prototype(v, proto); break; case Q_ARP: b1 = Argusgen_linktype(ETHERTYPE_ARP); break; case Q_RARP: ArgusLog(LOG_ERR, "rarp does not encapsulate another protocol"); /* NOTREACHED */ case Q_MAN: b1 = Argusgen_recordtype(ARGUS_MAR); break; case Q_FAR: b1 = Argusgen_recordtype(ARGUS_FAR); break; case Q_EVENT: b1 = Argusgen_recordtype(ARGUS_EVENT); break; case Q_INDEX: b1 = Argusgen_recordtype(ARGUS_INDEX); break; case Q_LINK: b1 = Argusgen_linktype(v); break; case Q_UDP: ArgusLog(LOG_ERR, "'udp proto' is bogus"); /* NOTREACHED */ case Q_RTP: ArgusLog(LOG_ERR, "'rtp proto' is bogus"); /* NOTREACHED */ case Q_RTCP: ArgusLog(LOG_ERR, "'rtcp proto' is bogus"); /* NOTREACHED */ case Q_TCP: ArgusLog(LOG_ERR, "'tcp proto' is bogus"); /* NOTREACHED */ case Q_ICMP: ArgusLog(LOG_ERR, "'icmp proto' is bogus"); /* NOTREACHED */ case Q_IGMP: ArgusLog(LOG_ERR, "'igmp proto' is bogus"); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_proto (0x%x, 0x%x, %d) returns 0x%x\n", v, proto, dir, b1); #endif return b1; } static struct ablock * Argusgen_flow(int tflow) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int soffset = ((char *)&flow.hdr.subtype - (char *)&flow); b0 = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, soffset, NFF_B, tflow, tflow, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_flow (%d) returns 0x%x\n", tflow, b1); #endif return b1; } static struct ablock * Argusgen_tcpopt(int v) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; unsigned int opt = 0; int offset = ((char *)&net.net_union.tcp.options - (char *)&net); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (v) { case Q_TCPOPT: opt = ARGUS_TCP_OPTIONS; break; case Q_MSS: opt = ARGUS_TCP_MAXSEG; break; case Q_WSCALE: opt = ARGUS_TCP_WSCALE; break; case Q_SELECTIVEACKOK: opt = ARGUS_TCP_SACKOK; break; case Q_SELECTIVEACK: opt = ARGUS_TCP_SACK; break; case Q_TCPECHO: opt = ARGUS_TCP_ECHO; break; case Q_TCPECHOREPLY: opt = ARGUS_TCP_ECHOREPLY; break; case Q_TCPTIMESTAMP: opt = ARGUS_TCP_TIMESTAMP; break; case Q_TCPCC: opt = ARGUS_TCP_CC; break; case Q_TCPCCNEW: opt = ARGUS_TCP_CCNEW; break; case Q_TCPCCECHO: opt = ARGUS_TCP_CCECHO; break; case Q_SECN: opt = ARGUS_TCP_SRC_ECN; break; case Q_DECN: opt = ARGUS_TCP_DST_ECN; break; } b1 = Argusgen_tcpoptatom(offset, opt); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpopt (%d) returns %p\n", v, b1); #endif return b1; } static struct ablock * Argusgen_ipid(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.ip_id - (char *)&attr); int doffset = ((char *)&attr.dst.ip_id - (char *)&attr); b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); switch (dir) { case Q_SRC: b1 = Argusgen_ipidatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_ipidatom(doffset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: tmp = Argusgen_ipidatom(soffset, (u_int)v, op); b1 = Argusgen_ipidatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_ipidatom(soffset, (u_int)v, op); b1 = Argusgen_ipidatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; default: abort(); } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipid (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_ttl(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.ttl - (char *)&attr); int doffset = ((char *)&attr.dst.ttl - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: { b1 = Argusgen_ttlatom(soffset, (u_int)v, op); break; } case Q_DST: { b1 = Argusgen_ttlatom(doffset, (u_int)v, op); break; } case Q_OR: case Q_DEFAULT: tmp = Argusgen_ttlatom(soffset, (u_int)v, op); b1 = Argusgen_ttlatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_ttlatom(soffset, (u_int)v, op); b1 = Argusgen_ttlatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; default: abort(); } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ttl (0x%x, %d, %d) returns %p\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_tos(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.tos - (char *)&attr); int doffset = ((char *)&attr.dst.tos - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: b1 = Argusgen_tosatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_tosatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_tosatom(soffset, (u_int)v, op); b1 = Argusgen_tosatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_tosatom(soffset, (u_int)v, op); b1 = Argusgen_tosatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tos (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_dsb(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.tos - (char *)&attr); int doffset = ((char *)&attr.dst.tos - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: b1 = Argusgen_dsbatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_dsbatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_dsbatom(soffset, (u_int)v, op); b1 = Argusgen_dsbatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_dsbatom(soffset, (u_int)v, op); b1 = Argusgen_dsbatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dsb (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_cocode(char *v, int dir, u_int op) { extern struct ArgusParserStruct *ArgusParser; struct ablock *b0 = NULL, *b1 = NULL; struct ArgusCountryCodeStruct cocode; unsigned short val; int soffset = ((char *)&cocode.src - (char *)&cocode); int doffset = ((char *)&cocode.dst - (char *)&cocode); bcopy(v, (char *)&val, sizeof(val)); switch (dir) { case Q_SRC: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); break; case Q_DST: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); break; default: case Q_OR: case Q_DEFAULT: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_AND: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_cocode (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_vid(int v, int dir, u_int op) { struct ArgusVlanStruct vlan; struct ablock *b0, *b1 = NULL; int offset = 0; switch (dir) { case Q_SRC: offset = ((char *)&vlan.sid - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vidatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vidatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vid (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_vpri(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusVlanStruct vlan; int offset; switch (dir) { case Q_SRC: offset = ((char *)&vlan.sid - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vpriatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vpriatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vpri (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_mid(int v, int dir, u_int op) { struct ablock *retn = NULL, *b0, *b1 = NULL; struct ArgusMplsStruct mpls; int offset; switch (dir) { case Q_SRC: offset = ((char *)&mpls.slabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&mpls.slabel - (char *)&mpls); b0 = Argusgen_midatom(offset, (u_int)v, op); offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&mpls.slabel - (char *)&mpls); b0 = Argusgen_midatom(offset, (u_int)v, op); offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } if (retn != NULL) { Argusgen_or(b1, retn); } else retn = b1; #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mid (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return retn; } static struct ablock * Argusgen_encaps(int v, int dir, u_int op) { struct ablock *b1 = NULL, *tmp; struct ArgusEncapsStruct encaps; int soffset = ((char *)&encaps.src - (char *)&encaps); int doffset = ((char *)&encaps.dst - (char *)&encaps); switch (dir) { case Q_SRC: b1 = Argusgen_encapsatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_encapsatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_encapsatom(soffset, (u_int)v, op); b1 = Argusgen_encapsatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_encapsatom(soffset, (u_int)v, op); b1 = Argusgen_encapsatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_encaps (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_trans(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusAgrStruct agr; int offset; offset = ((char *)&agr.count - (char *)&agr); b1 = Argusgen_transatom(offset, (u_int)v, op); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_trans (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_rate(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.srate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.srate - (char *)&argus.hdr); b0 = Argusgen_rateatom(offset, v, op); offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.srate - (char *)&argus.hdr); b0 = Argusgen_rateatom(offset, v, op); offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_rate (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_load(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sload - (char *)&argus.hdr); b0 = Argusgen_loadatom(offset, v, op); offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sload - (char *)&argus.hdr); b0 = Argusgen_loadatom(offset, v, op); offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_load (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } /* static struct ablock * Argusgen_loss(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b0 = Argusgen_lossatom(offset, v, op); offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b0 = Argusgen_lossatom(offset, v, op); offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_loss (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } */ static struct ablock * Argusgen_ploss(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b0 = Argusgen_plossatom(offset, v, op); offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b0 = Argusgen_plossatom(offset, v, op); offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ploss (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_pcr(float v, int dir, u_int op) { struct ArgusRecordStruct argus; struct ablock *b1 = NULL, *b0 = NULL; int offset = ((char *)&argus.pcr - (char *)&argus.hdr); b0 = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_pcratom(offset, v, op); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pcr (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_inter(float v, int dir, int type, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusJitterStruct jitter; float value = v * 1000.0; int offset; switch (dir) { case Q_SRC: switch (type) { case Q_INTER: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.idle.src.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_DST: switch (type) { case Q_INTER: offset = (char *)&jitter.act.dst.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.act.dst.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.idle.dst.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_OR: switch (type) { case Q_INTER: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.idle.src.meanval - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); offset = (char *)&jitter.act.dst.meanval - (char *)&jitter; b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_DEFAULT: case Q_AND: switch (type) { case Q_INTER: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.act.src.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.idle.src.meanval - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); switch (type) { case Q_INTER: offset = (char *)&jitter.act.dst.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.act.dst.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.idle.dst.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_inter (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_jitter(float v, int dir, int type, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusJitterStruct jitter; float value = v * 1000.0; int offset; switch (dir) { case Q_SRC: switch (type) { case Q_JITTER: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.idle.src.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_DST: switch (type) { case Q_JITTER: offset = (char *)&jitter.act.dst.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.act.dst.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.idle.dst.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_OR: switch (type) { case Q_JITTER: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.idle.src.stdev - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); offset = (char *)&jitter.act.dst.stdev - (char *)&jitter; b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_DEFAULT: case Q_AND: switch (type) { case Q_JITTER: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.act.src.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.idle.src.stdev - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); switch (type) { case Q_JITTER: offset = (char *)&jitter.act.dst.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.act.dst.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.idle.dst.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_jitter (%f, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_dur(float v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: offset = ((char *)&argus.dur - (char *)&argus.hdr); b1 = Argusgen_duratom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dur (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_mean(float v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: offset = ((char *)&argus.mean - (char *)&argus.hdr); b1 = Argusgen_meanatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mean (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltadur(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaDur - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltaduratom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadur (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltastart(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaStart - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltastartatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltastart (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltalast(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaLast - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltalastatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltalast (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltasrcpkts(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaSrcPkts - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltaspktsatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltasrcpkts (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltadstpkts(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaDstPkts - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltadpktsatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadstpkts (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_asn(u_int v, int dir, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusAsnStruct asn; int offset; switch (dir) { case Q_SRC: offset = ((char *)&asn.src_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&asn.src_as - (char *)&asn); b0 = Argusgen_asnatom(offset, (u_int)v, op); offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&asn.src_as - (char *)&asn); b0 = Argusgen_asnatom(offset, (u_int)v, op); offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_asn (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_cor(u_int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.hdr.argus_dsrvl8.len - (char *)&cor); int value = (v * ((sizeof(struct ArgusCorMetrics) + 3 )/ 4)) + 1; if (value == 1) value = 0; b1 = Argusgen_coratom(offset, (u_int)value, op); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_cor (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_spi(u_int v, int dir, u_int op) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int offset = ((char *)&flow.flow_un.esp.spi - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); b0 = Argusgen_spiatom(offset, v, op); if (b0) Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_spi (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } /* static struct ablock * Argusgen_dup(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; int offset; switch (dir) { case Q_SRC: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b0 = Argusgen_dupatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b0 = Argusgen_dupatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dup (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } */ static struct ablock * Argusgen_tcpbase(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; int offset; switch (dir) { case Q_SRC: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b0 = Argusgen_tcpbaseatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b0 = Argusgen_tcpbaseatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpbase (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_pkt(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.pkts - (char *)&metric); b0 = Argusgen_pktatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.pkts - (char *)&metric); b0 = Argusgen_pktatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pkt (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_byte(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.bytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.bytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_byte (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } struct ablock * Argusgen_appbytes(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.appbytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.appbytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_appbytes (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } struct ablock * Argusgen_seq(int v, int dir, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusTransportStruct trans; int offset; offset = ((char *)&trans.seqnum - (char *)&trans); b1 = Argusgen_recordtype(ARGUS_FAR); b0 = Argusgen_cmp(ARGUS_TRANSPORT_INDEX, offset, NFF_W, (u_int)v, op, Q_DEFAULT); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_seq (0x%x, %d, 0x%x) returns %p\n", v, dir, op ,b1); #endif return (b1); } static struct ablock * Argusgen_nstroke(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusBehaviorStruct actor; int offset; switch (dir) { case Q_SRC: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b0 = Argusgen_nstrokeatom(offset, (u_int)v, op); offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b0 = Argusgen_nstrokeatom(offset, (u_int)v, op); offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_nstroke (0x%x, %d, 0x%x) returns %p\n", v, dir, op, b1); #endif return b1; } /* * Left justify 'addr' and return its resulting network mask. */ #if !defined(TH_ECE) #define TH_ECE 0x40 #endif #if !defined(TH_CWR) #define TH_CWR 0x80 #endif static u_int net_mask(addr) u_int *addr; { register u_int m = 0xffffffff; if (*addr) while ((*addr & 0xff000000) == 0) *addr <<= 8, m <<= 8; #if defined(ARGUSDEBUG) ArgusDebug (9, "net_mask (0x%x) returns 0x%x\n", addr, m); #endif return m; } #include struct ablock * Argusgen_ocode(int name, struct qual q) { struct ablock *b1 = NULL; b1 = Argusgen_tcpopt(name); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ocode (0x%x, 0x%x) returns %p\n", name, q, b1); #endif return b1; } struct ablock * Argusgen_tcode(int name, struct qual q) { int dir = q.dir; struct ablock *b0 = NULL, *b1 = NULL; switch (name) { case Q_OUTOFORDER: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCOUTOFORDER); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTOUTOFORDER); break; case Q_AND: b0 = Argusgen_proto_abbrev(Q_SRCOUTOFORDER); b1 = Argusgen_proto_abbrev(Q_DSTOUTOFORDER); Argusgen_and(b0, b1); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_OUTOFORDER); break; } break; } case Q_RETRANS: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCRETRANS); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTRETRANS); break; case Q_AND: b0 = Argusgen_proto_abbrev(Q_SRCRETRANS); b1 = Argusgen_proto_abbrev(Q_DSTRETRANS); Argusgen_and(b0, b1); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_RETRANS); break; } break; } case Q_FRAG: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCFRAG); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTFRAG); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_FRAG); break; } break; } case Q_FRAG_ONLY: { break; } case Q_WINSHUT: { switch (dir) { case Q_SRC: b1 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); break; case Q_DST: b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); break; case Q_AND: b0 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); Argusgen_or(b0, b1); break; } break; } case Q_ECN: { switch (dir) { case Q_SRC: b1 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); break; case Q_DST: b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); break; case Q_AND: b0 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); Argusgen_or(b0, b1); break; } break; } case Q_SYN: case Q_ACK: case Q_PUSH: case Q_URGENT: case Q_RESET: case Q_ECE: case Q_CWR: case Q_FIN: { struct ArgusNetworkStruct net; int soffset = ((char *)&net.net_union.tcp.src.flags - (char *)&net); int doffset = ((char *)&net.net_union.tcp.dst.flags - (char *)&net); int value = 0; switch (name) { case Q_SYN: value = TH_SYN; break; case Q_ACK: value = TH_ACK; break; case Q_PUSH: value = TH_PUSH; break; case Q_URGENT: value = TH_URG; break; case Q_FIN: value = TH_FIN; break; case Q_RESET: value = TH_RST; break; case Q_ECE: value = TH_ECE; break; case Q_CWR: value = TH_CWR; break; } switch (dir) { case Q_SRC: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; case Q_DST: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; case Q_AND: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_MULTIPATH: { struct ArgusMacStruct mac; int offset = ((char *)&mac.hdr.argus_dsrvl8.qual - (char *)&mac); int value = 0; switch (dir) { case Q_SRC: { value = ARGUS_SRC_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } case Q_DST: { value = ARGUS_DST_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } case Q_AND: { value = ARGUS_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } default: case Q_OR: { value = ARGUS_SRC_MULTIPATH; b0 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); value = ARGUS_DST_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } } break; } case Q_PSNP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_PSNP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_PSNP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_CSNP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_CSNP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_CSNP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_HELLO: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_LAN_IIH; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_LAN_IIH; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_LSP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_LSP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_LSP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcode (0x%x, 0x%x) returns %p\n", name, q, b1); #endif return b1; } #include struct ablock * Argusgen_scode(char *name, struct qual q) { int port, real_proto = -1, slen = 0, i; int type = q.type, proto = q.proto, dir = q.dir; u_int maskbuf[4], *mask = maskbuf; struct ablock *b = NULL, *tmp; #if HAVE_GETADDRINFO struct addrinfo *host = NULL; int retn; #else struct hostent *host = NULL; u_int **alist; #endif u_char *eaddr; slen = strlen(name); if ((name[0] == '\"') && (name[strlen(name) - 1] == '\"')) { name++; name[strlen(name) - 1] = '\0'; slen -= 2; } switch (q.addr) { case Q_NET: { #if defined(CYGWIN) ArgusLog(LOG_ERR, "cygwin does not support net"); #else u_int addr = 0; struct netent *np; if ((np = getnetbyname(name)) != NULL) if ((addr = np->n_net) == 0) ArgusLog(LOG_ERR, "unknown network '%s'", name); *mask = net_mask(&addr); b = Argusgen_host(&addr, mask, type, proto, dir); #endif break; } case Q_DEFAULT: case Q_HOST: switch (proto) { case Q_LINK: { eaddr = argus_ether_hostton(name); if (eaddr == NULL) ArgusLog(LOG_ERR, "unknown ether host '%s'", name); b = Argusgen_ehostop(eaddr, dir); break; } case Q_DECNET: { unsigned short dn_addr = __argus_nametodnaddr(name); b = (Argusgen_host((u_int *)&dn_addr, 0, type, proto, dir)); break; } case Q_DEFAULT: case Q_IPV6: case Q_IP: case Q_IPV4: { #if HAVE_GETADDRINFO if ((retn = getaddrinfo(name, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[128]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); tmp = Argusgen_host(&addr[0], mask, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } case AF_INET6: { proto = Q_IPV6; for (i = 0; i < 4; i++) { mask[i] = 0xffffffff; addr[i] = ntohl(addr[i]); } tmp = Argusgen_host(addr, mask, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "host %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "host %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "host %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) { alist = (unsigned int **) host->h_addr_list; while (*alist) { **alist = htonl(**alist); *alist++; } alist = (unsigned int **) host->h_addr_list; } if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown host '%s'", name); switch (host->h_addrtype) { case AF_INET: proto = Q_IPV4; *mask = 0xffffffff; break; case AF_INET6: proto = Q_IPV6; for (i = 0; i < 4; i++) mask[i] = 0xffffffff; break; } b = Argusgen_host(*alist++, mask, type, proto, dir); while (*alist) { tmp = Argusgen_host(*alist++, mask, type, proto, dir); Argusgen_or(b, tmp); b = tmp; } #endif break; } } break; case Q_INODE: case Q_SRCID: { if (type == Q_STRING) { *mask = 0xffffffff; unsigned int addr = 0; if (slen > 4) slen = 4; bcopy(name, (char *)&addr, slen); switch (q.addr) { case Q_INODE: b = Argusgen_inode(addr, *mask, type); break; case Q_SRCID: b = Argusgen_srcid(addr, *mask, type); break; } break; } else { #if HAVE_GETADDRINFO struct addrinfo hints; bzero(&hints, sizeof(hints)); hints.ai_family = PF_INET; if ((retn = getaddrinfo(name, NULL, &hints, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[4]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); switch (q.addr) { case Q_INODE: tmp = Argusgen_inode(addr[0], *mask, type); break; case Q_SRCID: tmp = Argusgen_srcid(addr[0], *mask, type); break; } if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "srcid %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "srcid %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "srcid %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) { alist = (unsigned int **) host->h_addr_list; while (*alist) { **alist = htonl(**alist); *alist++; } alist = (unsigned int **) host->h_addr_list; } if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown srcid '%s'", name); switch (q.addr) { case Q_INODE: { b = Argusgen_inode(**alist++, 0xffffffffL); while (*alist) { tmp = Argusgen_inode(**alist++, 0xffffffffL); Argusgen_or(b, tmp); b = tmp; } } case Q_SRCID: { b = Argusgen_srcid(**alist++, 0xffffffffL, type); while (*alist) { tmp = Argusgen_srcid(**alist++, 0xffffffffL, type); Argusgen_or(b, tmp); b = tmp; } } } #endif } break; } case Q_PORT: { char *ptr = NULL; if ((proto != Q_DEFAULT) && (proto != Q_UDP) && (proto != Q_TCP) && (proto != Q_UDT) && (proto != Q_RTP) && (proto != Q_RTCP)) ArgusLog(LOG_ERR, "illegal qualifier of 'port'"); if ((ptr = strchr(name, '-')) != NULL) { char *endptr; int port; *ptr++ = '\0'; port = strtol(name, (char **)&endptr, 10); if (endptr == name) break; b = Argusgen_ncode (ptr, port, q, Q_GEQ); port = strtol(ptr, (char **)&endptr, 10); if (endptr == ptr) break; tmp = Argusgen_ncode (ptr, port, q, Q_LEQ); Argusgen_and(tmp, b); } else { if (argus_nametoport(name, &port, &real_proto) == 0) ArgusLog(LOG_ERR, "unknown port '%s'", name); if ((proto == Q_UDP) || (proto == Q_RTP) || (proto == Q_RTCP) || (proto == Q_UDT)) { if (real_proto == IPPROTO_TCP) ArgusLog(LOG_ERR, "port '%s' is tcp", name); else { /* override PROTO_UNDEF */ real_proto = IPPROTO_UDP; } } if (proto == Q_TCP) { if (real_proto == IPPROTO_UDP) ArgusLog(LOG_ERR, "port '%s' is udp", name); else /* override PROTO_UNDEF */ real_proto = IPPROTO_TCP; } b = Argusgen_port(port, real_proto, dir, Q_EQUAL); if (ptr != NULL) { if (argus_nametoport(ptr, &port, &real_proto) == 0) ArgusLog(LOG_ERR, "unknown port '%s'", name); tmp = Argusgen_port(port, real_proto, dir, Q_EQUAL); ptr[-1] = '-'; } } break; } case Q_GATEWAY: eaddr = argus_ether_hostton(name); if (eaddr == NULL) ArgusLog(LOG_ERR, "unknown ether host: %s", name); #if HAVE_GETADDRINFO if ((retn = getaddrinfo(name, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[4]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); tmp = Argusgen_gateway(eaddr, &addr[0], type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } case AF_INET6: { proto = Q_IPV6; for (i = 0; i < 4; i++) { mask[i] = 0xffffffff; addr[i] = ntohl(addr[i]); } tmp = Argusgen_gateway(eaddr, addr, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "srcid %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "srcid %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "srcid %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) alist = (unsigned int **) host->h_addr_list; if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown host '%s'", name); b = Argusgen_gateway(eaddr, *alist, type, proto, dir); #endif break; case Q_PROTO: real_proto = Arguslookup_proto(name, proto); if (real_proto >= 0) b = Argusgen_proto(real_proto, proto, dir); else ArgusLog(LOG_ERR, "unknown protocol: %s", name); break; case Q_DSB: { struct ArgusDSCodePointStruct *dsctable = ArgusSelectDSCodesTable(ArgusParser); struct ArgusDSCodePointStruct *dscode = NULL; int i = 0, val = -1; if (dsctable && (dscode = &dsctable[i])) { while (dscode->label != NULL) { if (!(strncasecmp(dscode->label, name, strlen(dscode->label)))) { val = dscode->code; break; } dscode = &dsctable[++i]; } } if (val >= 0) b = Argusgen_dsb(val, dir, Q_EQUAL); break; } case Q_CO: { b = Argusgen_cocode(name, dir, Q_EQUAL); break; } case Q_ENCAPS: { int i = 0, val = -1; struct ArgusEncapsulationStruct *encaps = &argus_encapsulations[i]; while (encaps->label != NULL) { if (!(strncasecmp(encaps->label, name, strlen(encaps->label)))) { val = encaps->code; break; } encaps = &argus_encapsulations[++i]; } if (val >= 0) b = Argusgen_encaps(val, dir, Q_EQUAL); break; } case Q_UNDEF: syntax(); /* NOTREACHED */ } if (b == NULL) ArgusLog(LOG_ERR, "Argusgen_scode error"); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_scode (%s, 0x%x) returns %p\n", name, q, b); #endif return b; } struct ablock * Argusgen_mcode(char *s1, char *s2, int masklen, struct qual q) { struct ArgusCIDRAddr cidrbuf, *cidr = &cidrbuf, *cidraddr = NULL; struct ablock *b0 = NULL; char buf[128]; if (s1 != NULL) { if (snprintf (buf, 128, "%s/%d", s1, masklen) >= 128) ArgusLog(LOG_ERR, "Argusgen_mcode: addressmlength must be < 128 bytes"); if ((cidraddr = RaParseCIDRAddr (ArgusParser, buf)) == NULL) ArgusLog(LOG_ERR, "Argusgen_mcode: CIDR address format error"); bcopy ((char *)cidraddr, (char *)cidr, sizeof(*cidr)); if (s2 != NULL) { if (snprintf (buf, 128, "%s/%d", s2, masklen) >= 128) ArgusLog(LOG_ERR, "Argusgen_mcode: addressmlength must be < 128 bytes"); if ((cidraddr = RaParseCIDRAddr (ArgusParser, buf)) == NULL) ArgusLog(LOG_ERR, "Argusgen_mcode: CIDR address format error"); bcopy ((char *)&cidraddr->addr, (char *)&cidr->mask, sizeof(cidr->mask)); } switch (q.addr) { case Q_NET: b0 = Argusgen_host(cidr->addr, cidr->mask, q.type, q.proto, q.dir); break; default: ArgusLog(LOG_ERR, "Mask syntax for networks only"); /* NOTREACHED */ } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mcode (%s, %s, %d, 0x%x) returns %p\n", s1, s2, masklen, q, b0); #endif return b0; } struct ablock * Argusgen_ncode(char *s, int v, struct qual q, u_int op) { int dir = q.dir, vlen, proto = q.proto, type = q.type; u_int *addr = NULL, maskbuf[4], *mask = maskbuf; struct ablock *b; bzero(mask, sizeof(maskbuf)); switch (type) { case Q_IPV6: { vlen = 128; break; } case Q_IPV4: { if (s == NULL) vlen = 32; else vlen = __argus_atoin(s, (unsigned int *)&v); break; } } switch (q.addr) { case Q_DEFAULT: case Q_HOST: case Q_NET: switch (type) { case Q_LINK: ArgusLog(LOG_ERR, "illegal link layer address"); break; case Q_IPV6: { struct ArgusCIDRAddr *cidraddr = RaParseCIDRAddr (ArgusParser, s); int i, len; memset((char *)mask, 0, sizeof(maskbuf)); for (i = 0, len = cidraddr->masklen; i < len; i++) mask[i/32] |= (1 << (31 - (i % 32))); for (i = 0; i < 4; i++) mask[i] = ntohl(mask[i]); addr = (u_int*)&cidraddr->addr; break; } case Q_IP: case Q_IPV4: { *mask = 0xffffffff; if ((s == NULL) && (q.addr == Q_NET)) { /* Promote short net number */ while (v && (v & 0xff000000) == 0) { v <<= 8; *mask <<= 8; } } else { /* Promote short ipaddr */ v <<= 32 - vlen; *mask <<= 32 - vlen; } addr = (u_int *)&v; break; } } b = Argusgen_host(addr, mask, type, proto, dir); break; case Q_SRCID: *mask = 0xffffffff; b = Argusgen_srcid(v, *mask, type); break; case Q_INODE: *mask = 0xffffffff; b = Argusgen_inode(v, *mask, type); break; case Q_PORT: { switch (proto) { case Q_UDP: proto = IPPROTO_UDP; break; case Q_UDT: proto = IPPROTO_UDT; break; case Q_RTP: proto = IPPROTO_RTP; break; case Q_RTCP: proto = IPPROTO_RTCP; break; case Q_TCP: proto = IPPROTO_TCP; break; case Q_DEFAULT: proto = PROTO_UNDEF; break; default: ArgusLog(LOG_ERR, "illegal qualifier of 'port'"); } b = Argusgen_port((int)v, proto, dir, op); break; } case Q_GATEWAY: ArgusLog(LOG_ERR, "'gateway' requires a name"); /* NOTREACHED */ case Q_PROTO: b = Argusgen_proto((int)v, proto, dir); break; case Q_IPID: b = Argusgen_ipid((int)v, dir, op); break; case Q_TTL: b = Argusgen_ttl((int)v, dir, op); break; case Q_TOS: b = Argusgen_tos((int)v, dir, op); break; case Q_DSB: { b = Argusgen_dsb((int)v, dir, op); break; } case Q_VID: b = Argusgen_vid((int)v, dir, op); break; case Q_VPRI: b = Argusgen_vpri((int)v, dir, op); break; case Q_MPLSID: b = Argusgen_mid((int)v, dir, op); break; case Q_BYTE: b = Argusgen_byte((int)v, dir, op); break; case Q_PKT: b = Argusgen_pkt((int)v, dir, op); break; case Q_NSTROKE: b = Argusgen_nstroke((int)v, dir, op); break; case Q_SEQ: b = Argusgen_seq((int)v, dir, op); break; case Q_APPBYTE: b = Argusgen_appbytes((int)v, dir, op); break; case Q_TCPBASE: b = Argusgen_tcpbase((int)v, dir, op); break; case Q_TRANS: b = Argusgen_trans((int)v, dir, op); break; case Q_LOAD: b = Argusgen_load(v, dir, op); break; case Q_RATE: b = Argusgen_rate(v, dir, op); break; /* case Q_LOSS: b = Argusgen_loss(v, dir, op); break; */ case Q_PLOSS: b = Argusgen_ploss(v, dir, op); break; /* case Q_GAP: b = Argusgen_gap(v, dir, op); break; case Q_DUP: b = Argusgen_dup(v, dir, op); break; */ case Q_PCR: b = Argusgen_pcr(v, dir, op); break; case Q_INTER: case Q_INTERACTIVE: case Q_INTERIDLE: b = Argusgen_inter((int)v, dir, type, op); break; case Q_JITTER: case Q_JITTERACTIVE: case Q_JITTERIDLE: b = Argusgen_jitter(v, dir, type, op); break; case Q_DUR: b = Argusgen_dur(v, dir, op); break; case Q_AVGDUR: b = Argusgen_mean(v, dir, op); break; case Q_DELTADUR: b = Argusgen_deltadur(v, dir, op); break; case Q_DELTASTART: b = Argusgen_deltastart(v, dir, op); break; case Q_DELTALAST: b = Argusgen_deltalast(v, dir, op); break; case Q_DELTASPKTS: b = Argusgen_deltasrcpkts(v, dir, op); break; case Q_DELTADPKTS: b = Argusgen_deltadstpkts(v, dir, op); break; case Q_SPI: b = Argusgen_spi(v, dir, op); break; case Q_ASN: b = Argusgen_asn((int)v, dir, op); break; case Q_CORRELATED: b = Argusgen_cor((int)v, dir, op); break; case Q_UNDEF: syntax(); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ncode (%s, 0x%x, 0x%x, 0x%x) returns %p\n", s, v, &q, op, b); #endif return b; } struct ablock * Argusgen_fcode(char *s, float v, struct qual q, u_int op) { int dir = q.dir; struct ablock *b; switch (q.addr) { case Q_LOAD: b = Argusgen_load(v, dir, op); break; case Q_RATE: b = Argusgen_rate(v, dir, op); break; case Q_INTER: case Q_INTERACTIVE: case Q_INTERIDLE: b = Argusgen_inter(v, dir, q.addr, op); break; case Q_JITTER: case Q_JITTERACTIVE: case Q_JITTERIDLE: b = Argusgen_jitter(v, dir, q.addr, op); break; case Q_DUR: b = Argusgen_dur(v, dir, op); break; case Q_AVGDUR: b = Argusgen_mean(v, dir, op); break; case Q_PLOSS: b = Argusgen_ploss(v, dir, op); break; case Q_PCR: b = Argusgen_pcr(v, dir, op); break; case Q_UNDEF: syntax(); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_fcode (%s, %f, 0x%x, 0x%x) returns %p\n", s, v, &q, op, b); #endif return b; } struct ablock * Argusgen_ecode( u_char *eaddr, struct qual q) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int offset, len; switch (q.proto) { case Q_LINK: case Q_ETHER: if (q.addr == Q_HOST || q.addr == Q_DEFAULT) b0 = Argusgen_ehostop(eaddr, (int)q.dir); break; case Q_ARP: if (q.addr == Q_HOST) { b1 = Argusgen_linktype(ETHERTYPE_ARP); offset = ((char *)&flow.arp_flow.haddr.h_un.ethernet - (char *)&flow); len = sizeof(flow.arp_flow.haddr.h_un.ethernet); b0 = Argusgen_bcmp (ARGUS_FLOW_INDEX, offset, len, eaddr, Q_DEFAULT); Argusgen_and(b1, b0); } break; default: ArgusLog(LOG_ERR, "ethernet address used in non-ether expression"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ecode (0x%x, 0x%x) returns %p\n", eaddr, q, b0); #endif return b0; } void Argussappend(s0, s1) struct slist *s0, *s1; { /* * This is definitely not the best way to do this, but the * lists will rarely get long. */ while (s0->next) s0 = s0->next; s0->next = s1; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argussappend (0x%x, 0x%x)\n", s0, s1); #endif } static struct slist * xfer_to_x(a) struct arth *a; { struct slist *s; s = new_stmt(NFF_LDX|NFF_MEM); s->s.data.k = a->regno; #if defined(ARGUSDEBUG) ArgusDebug (9, "xfer_to_x (0x%x) returns %p\n", a, s); #endif return s; } static struct slist * xfer_to_a(a) struct arth *a; { struct slist *s; s = new_stmt(NFF_LD|NFF_MEM); s->s.data.k = a->regno; #if defined(ARGUSDEBUG) ArgusDebug (9, "xfer_to_a (0x%x) returns %p\n", a, s); #endif return s; } struct arth * ArgusLoad(proto, index, size) int proto; struct arth *index; int size; { struct slist *s, *tmp; struct ablock *b; int regno = alloc_reg(); free_reg(index->regno); switch (size) { default: ArgusLog(LOG_ERR, "data size must be 1, 2, or 4"); case 1: size = NFF_B; break; case 2: size = NFF_H; break; case 4: size = NFF_W; break; case 8: size = NFF_L; break; } switch (proto) { default: ArgusLog(LOG_ERR, "unsupported index operation"); case Q_LINK: s = xfer_to_x(index); tmp = new_stmt(NFF_LD|NFF_IND|size); Argussappend(s, tmp); Argussappend(index->s, s); break; case Q_IP: case Q_IPV4: case Q_IPV6: case Q_ARP: case Q_RARP: s = xfer_to_x(index); tmp = new_stmt(NFF_LD|NFF_IND|size); tmp->s.data.k = off_nl; Argussappend(s, tmp); Argussappend(index->s, s); b = Argusgen_proto_abbrev(proto); if (index->b) Argusgen_and(index->b, b); index->b = b; break; case Q_TCP: case Q_RTP: case Q_RTCP: case Q_UDT: case Q_UDP: case Q_ICMP: case Q_IGMP: case Q_IGRP: s = new_stmt(NFF_LDX|NFF_MSH|NFF_B); s->s.data.k = off_nl; Argussappend(s, xfer_to_a(index)); Argussappend(s, new_stmt(NFF_ALU|NFF_ADD|NFF_X)); Argussappend(s, new_stmt(NFF_MISC|NFF_TAX)); Argussappend(s, tmp = new_stmt(NFF_LD|NFF_IND|size)); tmp->s.data.k = off_nl; Argussappend(index->s, s); b = Argusgen_proto_abbrev(proto); if (index->b) Argusgen_and(index->b, b); index->b = b; break; } index->regno = regno; s = new_stmt(NFF_ST); s->s.data.k = regno; Argussappend(index->s, s); #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoad (0x%x, 0x%x, 0x%x) returns %p\n", proto, index, size, index); #endif return index; } struct ablock * Argusgen_relation(code, a0, a1, reversed) int code; struct arth *a0, *a1; int reversed; { struct slist *s0, *s1, *s2; struct ablock *b, *tmp; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(NFF_ALU|NFF_SUB|NFF_X); b = new_block(JMP(code)); if (reversed) Argusgen_not(b); Argussappend(s1, s2); Argussappend(s0, s1); Argussappend(a1->s, s0); Argussappend(a0->s, a1->s); b->stmts = a0->s; free_reg(a0->regno); free_reg(a1->regno); /* 'and' together protocol checks */ if (a0->b) { if (a1->b) { Argusgen_and(a0->b, tmp = a1->b); } else tmp = a0->b; } else tmp = a1->b; if (tmp) Argusgen_and(tmp, b); #if defined(ARGUSDEBUG) ArgusDebug (5, "Argusgen_relation (0x%x, 0x%x, 0x%x, %d) returns %p\n", code, a0, a1, reversed, b); #endif return b; } struct arth * ArgusLoadLen() { int regno = alloc_reg(); struct arth *a = (struct arth *)newchunk(sizeof(*a)); struct slist *s; s = new_stmt(NFF_LD|NFF_LEN); s->next = new_stmt(NFF_ST); s->next->s.data.k = regno; a->s = s; a->regno = regno; #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoadLen () returns %p\n", a); #endif return a; } struct arth * ArgusLoadI(val) int val; { struct arth *a; struct slist *s; int reg; a = (struct arth *)newchunk(sizeof(*a)); reg = alloc_reg(); s = new_stmt(NFF_LD|NFF_IMM); s->s.data.k = val; s->next = new_stmt(NFF_ST); s->next->s.data.k = reg; a->s = s; a->regno = reg; #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoadI (0x%x) returns %p\n", val, a); #endif return a; } struct arth * ArgusNeg(a) struct arth *a; { struct slist *s; s = xfer_to_a(a); Argussappend(a->s, s); s = new_stmt(NFF_ALU|NFF_NEG); s->s.data.k = 0; Argussappend(a->s, s); s = new_stmt(NFF_ST); s->s.data.k = a->regno; Argussappend(a->s, s); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusNeg (0x%x) returns %p\n", a, a); #endif return a; } struct arth * ArgusArth( int code, struct arth *a0, struct arth *a1) { struct slist *s0, *s1, *s2; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(NFF_ALU|NFF_X|code); Argussappend(s1, s2); Argussappend(s0, s1); Argussappend(a1->s, s0); Argussappend(a0->s, a1->s); free_reg(a1->regno); s0 = new_stmt(NFF_ST); a0->regno = s0->s.data.k = alloc_reg(); Argussappend(a0->s, s0); #if defined(ARGUSDEBUG) ArgusDebug (5, "Argusgen_arth (0x%x, 0x%x, 0x%x) returns %p\n", code, a0, a1, a0); #endif return a0; } /* * Here we handle simple allocation of the scratch registers. * If too many registers are alloc'd, the allocator punts. */ static int regused[NFF_MEMWORDS]; static int curreg; /* * Return the next free register. */ static int alloc_reg() { int retn = -1; int n = NFF_MEMWORDS; while (--n >= 0) { if (regused[curreg]) curreg = (curreg + 1) % NFF_MEMWORDS; else { regused[curreg] = 1; retn = curreg; break; } } if (retn == -1) ArgusLog(LOG_ERR, "too many registers needed to evaluate expression"); #if defined(ARGUSDEBUG) ArgusDebug (9, "alloc_reg () returns %p\n", retn); #endif return (retn); } /* * Return a register to the table so it can * be used later. */ static void free_reg(n) int n; { regused[n] = 0; #if defined(ARGUSDEBUG) ArgusDebug (9, "free_reg (%d)\n", n); #endif } static struct ablock * Argusgen_len(jmp, n) int jmp, n; { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_LEN); s->next = new_stmt(NFF_ALU|NFF_SUB|NFF_K); s->next->s.data.k = n; b = new_block(JMP(jmp)); b->stmts = s; #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_len (%d, %d) return %p\n", jmp, n, b); #endif return b; } struct ablock * Argusgen_greater(n) int n; { struct ablock *b; b = Argusgen_len(NFF_JGE, n); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_greater (%d) return %p\n", n, b); #endif return b; } struct ablock * Argusgen_less(n) int n; { struct ablock *b; b = Argusgen_len(NFF_JGT, n); Argusgen_not(b); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_less (%d) return %p\n", n, b); #endif return b; } struct ablock * Argusgen_byteop(op, idx, val) int op, idx, val; { struct ablock *b; struct slist *s; switch (op) { default: abort(); case '=': return Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); case '<': b = Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); b->s.code = JMP(NFF_JGE); Argusgen_not(b); return b; case '>': b = Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); b->s.code = JMP(NFF_JGT); return b; case '|': s = new_stmt(NFF_ALU|NFF_OR|NFF_K); break; case '&': s = new_stmt(NFF_ALU|NFF_AND|NFF_K); break; } s->s.data.k = val; b = new_block(JMP(NFF_JEQ)); b->stmts = s; Argusgen_not(b); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_byteop (0x%x, 0x%x, 0x%x) return %p\n", op, idx, val, b); #endif return b; } struct ablock * Argusgen_broadcast(proto) int proto; { struct ablock *b0 = NULL, *b1 = NULL; static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; u_int netaddr = 0xffffffffL, mask; /* u_int classmask = 0xffffffffL; */ switch (proto) { case Q_LINK: b0 = Argusgen_ehostop(ebroadcast, Q_OR); break; case Q_IP: mask = 0xffffffffL; /* if (ArgusParser->ArgusCurrentInput) { netaddr = ArgusParser->ArgusLocalNet & ArgusParser->ArgusNetMask; classmask = ipaddrtonetmask(ArgusParser->ArgusLocalNet); b1 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); netaddr |= ~(~0 & ArgusNetMask); b0 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); Argusgen_or(b1, b0); if (classmask != ArgusNetMask) { netaddr = ArgusParser->ArgusLocalNet & classmask; b1 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); Argusgen_or(b1, b0); } } */ netaddr = ~0; b1 = Argusgen_host( (u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); if (b0 != NULL) Argusgen_or(b1, b0); else b0 = b1; break; case Q_DEFAULT: ArgusLog(LOG_ERR, "only ether/ip broadcast filters supported"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_broadcast (0x%x) returns %p\n", proto, b0); #endif return b0; } struct ablock * Argusgen_multicast(proto) int proto; { register struct ablock *b0 = NULL, *b1 = NULL; register struct slist *s; switch (proto) { case Q_LINK: s = new_stmt(NFF_LD|NFF_B|NFF_ABS); s->s.data.k = 92; b0 = new_block(JMP(NFF_JSET)); b0->s.data.k = 1; b0->stmts = s; s = new_stmt(NFF_LD|NFF_B|NFF_ABS); s->s.data.k = 98; b1 = new_block(JMP(NFF_JSET)); b1->s.data.k = 1; b1->stmts = s; Argusgen_or(b0, b1); break; case Q_IP: case Q_DEFAULT: { struct ArgusFlow flow; int src_off = 0, dst_off = 0; src_off = ((char *)&flow.ip_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ip_flow.ip_dst - (char *)&flow); b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, src_off, NFF_W, 0xe0000000, 0xf0000000, Q_EQUAL, Q_DEFAULT); b1->s.code = JMP(NFF_JGE); b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, dst_off, NFF_W, 0xe0000000, 0xf0000000, Q_EQUAL, Q_DEFAULT); b0->s.code = JMP(NFF_JGE); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_multicast (0x%x) returns %p\n", proto, b1); #endif return b1; } /* * generate command for inbound/outbound. It's here so we can * make it link-type specific. 'dir' = 0 implies "inbound", * = 1 implies "outbound". */ struct ablock * Argusgen_inbound(dir) int dir; { register struct ablock *b0; b0 = Argusgen_relation(NFF_JEQ, ArgusLoad(Q_LINK, ArgusLoadI(0), 1), ArgusLoadI(0), dir); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_multicast (0x%x) returns %p\n", dir, b0); #endif return (b0); } argus-3.0.8.2/common/argus_filter.c000444 000765 000024 00000252261 12513222401 017546 0ustar00carterstaff000000 000000 /* * Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)nff.c 7.5 (Berkeley) 7/15/91 * */ /* * $Id: //depot/argus/argus/common/argus_filter.c#24 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusFilter #define ArgusFilter #endif #include #include #if defined(ARGUS_PLURIBUS) #define _STDC_C99 #else #if !defined(__USE_ISOC99) #define __USE_ISOC99 #endif #endif #include #include #include #include #include #include #include #if defined(HAVE_SOLARIS) #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef sun #include #endif #include extern void ArgusLog (int, char *, ...); #define EXTRACT_SHORT(p) ((arg_uint16)*(arg_uint16 *)p) #define EXTRACT_LONG(p) (*(unsigned int *)p) #define EXTRACT_FLOAT(p) (*(float *)p) #define EXTRACT_DOUBLE(p) (*(double *)p) #define EXTRACT_LONGLONG(p) (*(unsigned long long *)p) static int floatisequal(double, double); static int floatisgreaterthan(double, double); static int floatislessthan(double, double); static int floatisgreaterthanequal(double, double); #include #if defined(ARGUS_PLURIBUS) #ifndef signbit #include inline int signbit(double x) { switch (fpclass(x)) { case FP_SNAN: case FP_QNAN: case FP_PZERO: case FP_PNORM: case FP_PDENORM: case FP_PINF: return(0); case FP_NDENORM: case FP_NZERO: case FP_NINF: case FP_NNORM: return(1); } } #endif #endif /* Hex digit to integer. */ int xdtoi(int c) { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } /* * Execute the filter program starting at pc on the packet p * buflen is the amount of data present */ int ArgusFilterRecord (struct nff_insn *, struct ArgusRecordStruct *); int ArgusFilterOrig (struct nff_insn *, struct ArgusRecordStruct *, int, int); int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *argus) { int buflen = sizeof(*argus); if (pc) return ArgusFilterOrig (pc, argus, buflen, buflen); else return -1; } static int floatisequal(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double epsilon = pow(0.1, ((ArgusParser->pflag + 1) * 1.0)); double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((fabs(F - f) <= epsilon) ? ((F == 0) ? (signbit(F) == signbit(f)) : 1) : 0); } static int floatisgreaterthan(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((F > f) ? 1 : (((F == 0) && (f == 0)) ? ((!(signbit(F)) && signbit(f)) ? 1 : 0) : 0)); } static int floatislessthan(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((F < f) ? 1 : (((F == 0) && (f == 0)) ? ((!(signbit(F)) && signbit(f)) ? 0 : 1) : 0)); } static int floatisgreaterthanequal(double F, double f) { return (!(floatislessthan(F, f))); } int ArgusFilterOrig (struct nff_insn *pc, struct ArgusRecordStruct *argus, int wirelen, int buflen) { nff_int64 A = 0, X = 0; nff_int64 mem [NFF_MEMWORDS]; int k, retn; u_char *p = (u_char *)argus; float F; --pc; while (1) { ++pc; switch (pc->code) { default: abort(); case NFF_RET|NFF_K: { retn = pc->data.k; return retn; } case NFF_RET|NFF_A: return (unsigned int)A; case NFF_LD|NFF_D|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k + sizeof(double) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_DOUBLE(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(double)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_DOUBLE(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_D|NFF_ABS: { k = pc->data.k; if (k + sizeof(double) > buflen) { A = -1; } else A = EXTRACT_DOUBLE(&p[k]); continue; } case NFF_LD|NFF_F|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(float)) > (dsr->argus_dsrvl8.len * 4)) F = -10000000; else F = EXTRACT_FLOAT(&ptr[k]); } else F = -10000000; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(float)) > sizeof(struct ArgusRecordStruct)) F = -10000000; else F = EXTRACT_FLOAT(&ptr[k]); } else F = -10000000; } continue; } case NFF_LD|NFF_F|NFF_ABS: { k = pc->data.k; if (k + sizeof(float) > buflen) { F = -10000000; } else F = EXTRACT_FLOAT(&p[k]); continue; } case NFF_LD|NFF_L|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k + sizeof(long long) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_LONGLONG(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(long long)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_LONGLONG(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_L|NFF_ABS: { k = pc->data.k; if ((k + sizeof(long long)) > buflen) { A = -1; } else A = EXTRACT_LONGLONG(&p[k]); continue; } case NFF_LD|NFF_W|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(int)) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_LONG(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(int)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_LONG(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_W|NFF_ABS: { k = pc->data.k; if ((k + sizeof(int)) > buflen) { A = -1; } else A = EXTRACT_LONG(&p[k]); continue; } case NFF_LD|NFF_H|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(short)) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_SHORT(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(short)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_SHORT(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_H|NFF_ABS: { k = pc->data.k; if ((k + sizeof(short)) > buflen) A = -1; else A = EXTRACT_SHORT(&p[k]); continue; } case NFF_LD|NFF_B|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = ptr[k]; } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if (k > sizeof(struct ArgusRecordStruct)) A = -1; else A = ptr[k]; } else A = -1; } continue; } case NFF_LD|NFF_B|NFF_ABS: { k = pc->data.k; if (k >= buflen) { A = -1; } else A = p[k]; continue; } case NFF_LD|NFF_W|NFF_LEN: { A = wirelen; continue; } case NFF_LDX|NFF_W|NFF_LEN: { X = wirelen; continue; } case NFF_LD|NFF_W|NFF_IND: { k = X + pc->data.k; if ((k + sizeof(int)) > buflen) { A = -1; } else A = EXTRACT_LONG(&p[k]); continue; } case NFF_LD|NFF_H|NFF_IND: { k = X + pc->data.k; if ((k + sizeof(short)) > buflen) { A = -1; } else A = EXTRACT_SHORT(&p[k]); continue; } case NFF_LD|NFF_B|NFF_IND: { k = X + pc->data.k; if (k >= buflen) { A = -1; } else A = p[k]; continue; } case NFF_LDX|NFF_MSH|NFF_B: { k = pc->data.k; if (k >= buflen) { X = -1; } else X = (p[k] & 0xf) << 2; continue; } case NFF_LD|NFF_IMM: { A = pc->data.k; continue; } case NFF_LDX|NFF_IMM: { X = pc->data.k; continue; } case NFF_LD|NFF_MEM: { k = pc->data.k; A = mem[k]; continue; } case NFF_LDX|NFF_MEM: { k = pc->data.k; X = mem[k]; continue; } case NFF_ST: { k = pc->data.k; mem[k] = A; continue; } case NFF_STX: { k = pc->data.k; mem[k] = X; continue; } case NFF_JMP|NFF_JA: { k = pc->data.k; pc += k; continue; } case NFF_JMP|NFF_JGT|NFF_K: { pc += ((A > pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_K: { pc += ((A >= pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_K: { pc += ((A == pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGT|NFF_F: { pc += ((floatisgreaterthan(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_F: { pc += ((floatisgreaterthanequal(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_F: { pc += ((floatisequal(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JSET|NFF_K: { pc += ((A & pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGT|NFF_X: { pc += ((A > X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_X: { pc += ((A >= X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_X: { pc += ((A == X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JSET|NFF_X: { pc += ((A & X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_ALU|NFF_ADD|NFF_X: { A += X; continue; } case NFF_ALU|NFF_SUB|NFF_X: { A -= X; continue; } case NFF_ALU|NFF_MUL|NFF_X: { A *= X; continue; } case NFF_ALU|NFF_DIV|NFF_X: { if (X == 0) return 0; A /= X; continue; } case NFF_ALU|NFF_AND|NFF_X: { A &= X; continue; } case NFF_ALU|NFF_OR|NFF_X: { A |= X; continue; } case NFF_ALU|NFF_LSH|NFF_X: { A <<= X; continue; } case NFF_ALU|NFF_RSH|NFF_X: { A >>= X; continue; } case NFF_ALU|NFF_ADD|NFF_K: { A += pc->data.k; continue; } case NFF_ALU|NFF_SUB|NFF_K: { A -= pc->data.k; continue; } case NFF_ALU|NFF_MUL|NFF_K: { A *= pc->data.k; continue; } case NFF_ALU|NFF_DIV|NFF_K: { A /= pc->data.k; continue; } case NFF_ALU|NFF_AND|NFF_K: { A &= pc->data.k; continue; } case NFF_ALU|NFF_OR|NFF_K: { A |= pc->data.k; continue; } case NFF_ALU|NFF_LSH|NFF_K: { A <<= pc->data.k; continue; } case NFF_ALU|NFF_RSH|NFF_K: { A >>= pc->data.k; continue; } case NFF_ALU|NFF_NEG: { A = -A; continue; } case NFF_MISC|NFF_TAX: { X = A; continue; } case NFF_MISC|NFF_TXA: { A = X; continue; } } } } /* * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef __GNUC__ #define inline #endif static inline int skip_space(FILE *); static inline int skip_line(FILE *); static inline int skip_space(f) FILE *f; { int c; do { c = getc(f); } while (isspace(c) && c != '\n'); return c; } static inline int skip_line(f) FILE *f; { int c; do c = getc(f); while (c != '\n' && c != EOF); return c; } #include struct argus_etherent * argus_next_etherent(FILE *fp) { int c, d, i; char *bp; static struct argus_etherent e; static int nline = 1; top: while (nline) { /* Find addr */ c = skip_space(fp); if (c == '\n') continue; /* If this is a comment, or first thing on line cannot be ethernet address, skip the line. */ else if (!isxdigit(c)) c = skip_line(fp); else { /* must be the start of an address */ for (i = 0; i < 6; i += 1) { d = xdtoi(c); c = getc(fp); if (c != ':') { d <<= 4; d |= xdtoi(c); c = getc(fp); } e.addr[i] = d; if (c != ':') break; c = getc(fp); } nline = 0; } if (c == EOF) return 0; } /* If we started a new line, 'c' holds the char past the ether addr, which we assume is white space. If we are continuing a line, 'c' is garbage. In either case, we can throw it away. */ c = skip_space(fp); if (c == '\n') { nline = 1; goto top; } else if (c == '#') { (void)skip_line(fp); nline = 1; goto top; } else if (c == EOF) return 0; /* Must be a name. */ bp = e.name; /* Use 'd' to prevent argus_strbuffer overflow. */ d = sizeof(e.name) - 1; do { *bp++ = c; c = getc(fp); } while (!isspace(c) && c != EOF && --d > 0); *bp = '\0'; if (c == '\n') nline = 1; return &e; } /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #if defined(HAVE_SOLARIS) #include #endif /* Not all systems have IFF_LOOPBACK */ #ifdef IFF_LOOPBACK #define ISLOOPBACK(p) ((p)->ifr_flags & IFF_LOOPBACK) #else #define ISLOOPBACK(p) (strcmp((p)->ifr_name, "lo0") == 0) #endif #if !defined(__OpenBSD__) #include #endif /* * Return the name of a network interface attached to the system, or NULL * if none can be found. The interface must be configured up; the * lowest unit number is preferred; loopback is ignored. */ char * ArgusLookupDev(ebuf) char *ebuf; { int fd, minunit, n; char *cp; struct ifreq *ifrp, *ifend, *ifnext, *mp; struct ifconf ifc; struct ifreq ibuf[16], ifr; static char device[sizeof(ifrp->ifr_name) + 1]; fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) { (void)snprintf(ebuf, MAXSTRLEN, "socket: %s", argus_strerror(errno)); return (NULL); } ifc.ifc_len = sizeof ibuf; ifc.ifc_buf = (caddr_t)ibuf; if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0 || ifc.ifc_len < sizeof(struct ifreq)) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFCONF: %s", argus_strerror(errno)); (void)close(fd); return (NULL); } ifrp = ibuf; ifend = (struct ifreq *)((char *)ibuf + ifc.ifc_len); mp = NULL; minunit = 666; for (; ifrp < ifend; ifrp = ifnext) { #if BSD - 0 >= 199006 n = ifrp->ifr_addr.sa_len + sizeof(ifrp->ifr_name); if (n < sizeof(*ifrp)) ifnext = ifrp + 1; else ifnext = (struct ifreq *)((char *)ifrp + n); if (ifrp->ifr_addr.sa_family != AF_INET) continue; #else ifnext = ifrp + 1; #endif /* * Need a template to preserve address info that is * used below to locate the next entry. (Otherwise, * SIOCGIFFLAGS stomps over it because the requests * are returned in a union.) */ strncpy(ifr.ifr_name, ifrp->ifr_name, sizeof(ifr.ifr_name)); if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFFLAGS: %s", argus_strerror(errno)); (void)close(fd); return (NULL); } /* Must be up and not the loopback */ if ((ifr.ifr_flags & IFF_UP) == 0 || ISLOOPBACK(&ifr)) continue; for (cp = ifrp->ifr_name; !isdigit((int)*cp); ++cp) continue; n = atoi(cp); if (n < minunit) { minunit = n; mp = ifrp; } } (void)close(fd); if (mp == NULL) { (void)strncpy(ebuf, "no suitable device found", MAXSTRLEN); return (NULL); } (void)strncpy(device, mp->ifr_name, sizeof(device) - 1); device[sizeof(device) - 1] = '\0'; return (device); } int ArgusLookupNet(char *device, unsigned int *netp, unsigned int *maskp, char *ebuf) { int fd; struct sockaddr_in *sin; struct ifreq ifr; fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) { (void)snprintf(ebuf, MAXSTRLEN, "socket: %s", argus_strerror(errno)); return (-1); } (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); if (ioctl(fd, SIOCGIFADDR, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFADDR: %s: %s", device, argus_strerror(errno)); (void)close(fd); return (-1); } sin = (struct sockaddr_in *)&ifr.ifr_addr; *netp = sin->sin_addr.s_addr; if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFNETMASK: %s: %s", device, argus_strerror(errno)); (void)close(fd); return (-1); } (void)close(fd); *maskp = sin->sin_addr.s_addr; if (*maskp == 0) { if (IN_CLASSA(*netp)) *maskp = IN_CLASSA_NET; else if (IN_CLASSB(*netp)) *maskp = IN_CLASSB_NET; else if (IN_CLASSC(*netp)) *maskp = IN_CLASSC_NET; else { (void)snprintf(ebuf, MAXSTRLEN, "inet class for 0x%x unknown", *netp); return (-1); } } *netp &= *maskp; return (0); } #if defined(ARGUS_SYS_ERRLIST) && defined(HAVE_SOLARIS) static char ArgusErrorString[128]; #endif char * argus_strerror(int errnum) { #if defined(ARGUS_SYS_ERRLIST) && defined(HAVE_SOLARIS) if ((unsigned int)errnum < sys_nerr) return ((char *) sys_errlist[errnum]); (void)snprintf(ArgusErrorString, 128, "Unknown error: %d", errnum); return (ArgusErrorString); #else return (strerror(errnum)); #endif } /* * Copyright (c) 1988, 1989, 1990, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Optimization module for tcpdump intermediate representation. */ #ifdef __osf__ #include #endif #include #ifdef linux #include #endif #define A_ATOM NFF_MEMWORDS #define X_ATOM (NFF_MEMWORDS+1) #define NOP -1 /*#define BDEBUG*/ #if defined(BDEBUG) int dflag = 2; #endif /* * This define is used to represent *both* the accumulator and * x register in use-def computations. * Currently, the use-def code assumes only one definition per instruction. */ #define AX_ATOM N_ATOMS /* * A flag to indicate that further optimization is needed. * Iterative passes are continued until a given pass yields no * branch movement. */ static int done; /* * A ablock is marked if only if its mark equals the current mark. * Rather than traverse the code array, marking each item, 'cur_mark' is * incremented. This automatically makes each element unmarked. */ static int cur_mark; #define isMarked(p) ((p)->mark == cur_mark) #define unMarkAll() cur_mark += 1 #define Mark(p) ((p)->mark = cur_mark) static void opt_init(struct ablock *); static void opt_cleanup(void); static void make_marks(struct ablock *); static void mark_code(struct ablock *); static void intern_blocks(struct ablock *); static int eq_slist(struct slist *, struct slist *); static void find_levels_r(struct ablock *); static void find_levels(struct ablock *); static void find_dom(struct ablock *); static void propedom(struct edge *); static void find_edom(struct ablock *); static void find_closure(struct ablock *); static int atomuse(struct stmt *); static int atomdef(struct stmt *); static void compute_local_ud(struct ablock *); static void find_ud(struct ablock *); static void init_val(void); static long long F(int, unsigned long long, unsigned long long); static inline void vstore(struct stmt *, long long *, long long, int); static void opt_blk(struct ablock *, int); static int use_conflict(struct ablock *, struct ablock *); static void opt_j(struct edge *); static void or_pullup(struct ablock *); static void and_pullup(struct ablock *); static void opt_blks(struct ablock *, int); static inline void link_inedge(struct edge *, struct ablock *); static void find_inedges(struct ablock *); static void opt_root(struct ablock **); static void opt_loop(struct ablock *, int); static void fold_op(struct stmt *, long long, long long); static inline struct slist *this_op(struct slist *); static void opt_not(struct ablock *); static void opt_peep(struct ablock *); static void opt_stmt(struct stmt *, long long[], int); static void deadstmt(struct stmt *, struct stmt *[]); static void opt_deadstores(struct ablock *); static void opt_blk(struct ablock *, int); static int use_conflict(struct ablock *, struct ablock *); static void opt_j(struct edge *); static struct ablock *fold_edge(struct ablock *, struct edge *); static inline int eq_blk(struct ablock *, struct ablock *); static int slength(struct slist *); static int count_blocks(struct ablock *); static void number_blks_r(struct ablock *); static int count_stmts(struct ablock *); static int convert_code_r(struct ablock *); #ifdef BDEBUG static void opt_dump(struct ablock *); #endif static int n_blocks; struct ablock **blocks; static int n_edges; struct edge **edges; /* * A bit vector set representation of the dominators. * We round up the set size to the next power of two. */ static int nodewords; static int edgewords; struct ablock **levels; nff_u_int32 *space; #define BITS_PER_WORD (8*sizeof(nff_u_int32)) /* * True if a is in uset {p} */ #define SET_MEMBER(p, a) \ ((p)[(unsigned)(a) / BITS_PER_WORD] & (1 << ((unsigned)(a) % BITS_PER_WORD))) /* * Add 'a' to uset p. */ #define SET_INSERT(p, a) \ (p)[(unsigned)(a) / BITS_PER_WORD] |= (1 << ((unsigned)(a) % BITS_PER_WORD)) /* * Delete 'a' from uset p. */ #define SET_DELETE(p, a) \ (p)[(unsigned)(a) / BITS_PER_WORD] &= ~(1 << ((unsigned)(a) % BITS_PER_WORD)) /* * a := a intersect b */ #define SET_INTERSECT(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ &= *_y++;\ } /* * a := a - b */ #define SET_SUBTRACT(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ &=~ *_y++;\ } /* * a := a union b */ #define SET_UNION(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ |= *_y++;\ } static uset all_dom_sets; static uset all_closure_sets; static uset all_edge_sets; #ifndef MAX #define MAX(a,b) ((a)>(b)?(a):(b)) #endif static void find_levels_r(struct ablock *b) { int level; if (isMarked(b)) return; Mark(b); b->link = 0; if (JT(b)) { find_levels_r(JT(b)); find_levels_r(JF(b)); level = MAX(JT(b)->level, JF(b)->level) + 1; } else level = 0; b->level = level; b->link = levels[level]; levels[level] = b; } /* * Level graph. The levels go from 0 at the leaves to * N_LEVELS at the root. The levels[] array points to the * first node of the level list, whose elements are linked * with the 'link' field of the struct block. */ static void find_levels(struct ablock *root) { memset((char *)levels, 0, n_blocks * sizeof(*levels)); unMarkAll(); find_levels_r(root); } /* * Find dominator relationships. * Assumes graph has been leveled. */ static void find_dom(struct ablock *root) { int i; struct ablock *b; nff_u_int32 *x; /* * Initialize sets to contain all nodes. */ x = all_dom_sets; i = n_blocks * nodewords; while (--i >= 0) *x++ = ~0; /* Root starts off empty. */ for (i = nodewords; --i >= 0;) root->dom[i] = 0; /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->dom, b->id); if (JT(b) == 0) continue; SET_INTERSECT(JT(b)->dom, b->dom, nodewords); SET_INTERSECT(JF(b)->dom, b->dom, nodewords); } } } static void propedom(struct edge *ep) { SET_INSERT(ep->edom, ep->id); if (ep->succ) { SET_INTERSECT(ep->succ->et.edom, ep->edom, edgewords); SET_INTERSECT(ep->succ->ef.edom, ep->edom, edgewords); } } /* * Compute edge dominators. * Assumes graph has been leveled and predecessors established. */ static void find_edom(struct ablock *root) { int i; uset x; struct ablock *b; x = all_edge_sets; for (i = n_edges * edgewords; --i >= 0; ) x[i] = ~0; /* root->level is the highest level no found. */ memset(root->et.edom, 0, edgewords * sizeof(*(uset)0)); memset(root->ef.edom, 0, edgewords * sizeof(*(uset)0)); for (i = root->level; i >= 0; --i) { for (b = levels[i]; b != 0; b = b->link) { propedom(&b->et); propedom(&b->ef); } } } /* * Find the backwards transitive closure of the flow graph. These sets * are backwards in the sense that we find the set of nodes that reach * a given node, not the set of nodes that can be reached by a node. * * Assumes graph has been leveled. */ static void find_closure(struct ablock *root) { int i; struct ablock *b; /* * Initialize sets to contain no nodes. */ memset((char *)all_closure_sets, 0, n_blocks * nodewords * sizeof(*all_closure_sets)); /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->closure, b->id); if (JT(b) == 0) continue; SET_UNION(JT(b)->closure, b->closure, nodewords); SET_UNION(JF(b)->closure, b->closure, nodewords); } } } /* * Return the register number that is used by s. If A and X are both * used, return AX_ATOM. If no register is used, return -1. * * The implementation should probably change to an array access. */ static int atomuse(struct stmt *s) { register int c = s->code; if (c == NOP) return -1; switch (NFF_CLASS(c)) { case NFF_RET: return (NFF_RVAL(c) == NFF_A) ? A_ATOM : (NFF_RVAL(c) == NFF_X) ? X_ATOM : -1; case NFF_LD: case NFF_LDX: return (NFF_MODE(c) == NFF_IND) ? X_ATOM : (NFF_MODE(c) == NFF_MEM) ? s->data.k : -1; case NFF_ST: return A_ATOM; case NFF_STX: return X_ATOM; case NFF_JMP: case NFF_ALU: if (NFF_SRC(c) == NFF_X) return AX_ATOM; return A_ATOM; case NFF_MISC: return NFF_MISCOP(c) == NFF_TXA ? X_ATOM : A_ATOM; } abort(); /* NOTREACHED */ } /* * Return the register number that is defined by 's'. We assume that * a single stmt cannot define more than one register. If no register * is defined, return -1. * * The implementation should probably change to an array access. */ static int atomdef(struct stmt *s) { if (s->code == NOP) return -1; switch (NFF_CLASS(s->code)) { case NFF_LD: case NFF_ALU: return A_ATOM; case NFF_LDX: return X_ATOM; case NFF_ST: case NFF_STX: { int k = s->data.k; return k; } case NFF_MISC: return NFF_MISCOP(s->code) == NFF_TAX ? X_ATOM : A_ATOM; } return -1; } static void compute_local_ud(struct ablock *b) { struct slist *s; atomset def = 0, use = 0, kill = 0; int atom; for (s = b->stmts; s; s = s->next) { if (s->s.code == NOP) continue; atom = atomuse(&s->s); if (atom >= 0) { if (atom == AX_ATOM) { if (!ATOMELEM(def, X_ATOM)) use |= ATOMMASK(X_ATOM); if (!ATOMELEM(def, A_ATOM)) use |= ATOMMASK(A_ATOM); } else if (atom < N_ATOMS) { if (!ATOMELEM(def, atom)) use |= ATOMMASK(atom); } else abort(); } atom = atomdef(&s->s); if (atom >= 0) { if (!ATOMELEM(use, atom)) kill |= ATOMMASK(atom); def |= ATOMMASK(atom); } } if (!ATOMELEM(def, A_ATOM) && NFF_CLASS(b->s.code) == NFF_JMP) use |= ATOMMASK(A_ATOM); b->def = def; b->kill = kill; b->in_use = use; } /* * Assume graph is already leveled. */ static void find_ud(root) struct ablock *root; { int i, maxlevel; struct ablock *p; /* * root->level is the highest level no found; * count down from there. */ maxlevel = root->level; for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) { compute_local_ud(p); p->out_use = 0; } for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { p->out_use |= JT(p)->in_use | JF(p)->in_use; p->in_use |= p->out_use &~ p->kill; } } } /* * These data structures are used in a Cocke and Shwarz style * value numbering scheme. Since the flowgraph is acyclic, * exit values can be propagated from a node's predecessors * provided it is uniquely defined. */ struct valnode { int code; unsigned long long v0, v1; unsigned long long val; struct valnode *next; }; #define MODULUS 213 static struct valnode *hashtbl[MODULUS]; static int curval; static int maxval; /* Integer constants mapped with the load immediate opcode. */ #define K(i) F(NFF_LD|NFF_IMM, i, 0L) struct vmapinfo { int is_const; unsigned long long const_val; }; struct vmapinfo *vmap; struct valnode *vnode_base; struct valnode *next_vnode; static void init_val() { curval = 0; next_vnode = vnode_base; memset((char *)vmap, 0, maxval * sizeof(*vmap)); memset((char *)hashtbl, 0, sizeof hashtbl); } /* Because we really don't have an IR, this stuff is a little messy. */ static long long F(int code, unsigned long long v0, unsigned long long v1) { u_int hash; long long val; struct valnode *p; hash = (u_int)code ^ (v0 << 4) ^ (v1 << 8); hash %= MODULUS; for (p = hashtbl[hash]; p; p = p->next) if (p->code == code && p->v0 == v0 && p->v1 == v1) return p->val; val = ++curval; if (NFF_MODE(code) == NFF_IMM && (NFF_CLASS(code) == NFF_LD || NFF_CLASS(code) == NFF_LDX)) { vmap[val].const_val = v0; vmap[val].is_const = 1; } p = next_vnode++; p->val = val; p->code = code; p->v0 = v0; p->v1 = v1; p->next = hashtbl[hash]; hashtbl[hash] = p; return val; } static inline void vstore( struct stmt *s, long long *valp, long long newval, int alter) { if (alter && *valp == newval) s->code = NOP; else *valp = newval; } static void fold_op(struct stmt *s, long long v0, long long v1) { long long a, b; a = vmap[v0].const_val; b = vmap[v1].const_val; switch (NFF_OP(s->code)) { case NFF_ADD: a += b; break; case NFF_SUB: a -= b; break; case NFF_MUL: a *= b; break; case NFF_DIV: if (b == 0) ArgusLog(LOG_ERR, "division by zero"); a /= b; break; case NFF_AND: a &= b; break; case NFF_OR: a |= b; break; case NFF_LSH: a <<= b; break; case NFF_RSH: a >>= b; break; case NFF_NEG: a = -a; break; default: abort(); } s->data.k = a; s->code = NFF_LD|NFF_IMM; done = 0; } static inline struct slist * this_op(struct slist *s) { while (s != 0 && s->s.code == NOP) s = s->next; return s; } static void opt_not(struct ablock *b) { struct ablock *tmp = JT(b); JT(b) = JF(b); JF(b) = tmp; } static void opt_peep(struct ablock *b) { struct slist *s; struct slist *next, *last; long long val; s = b->stmts; if (s == 0) return; last = s; while (1) { s = this_op(s); if (s == 0) break; next = this_op(s->next); if (next == 0) break; last = next; /* * st M[k] --> st M[k] * ldx M[k] tax */ if ((s->s.code == NFF_ST) && (next->s.code == (NFF_LDX|NFF_MEM)) && (s->s.data.k == next->s.data.k)) { done = 0; next->s.code = NFF_MISC|NFF_TAX; } /* * ld #k --> ldx #k * tax txa */ if ((s->s.code == (NFF_LD|NFF_IMM)) && (next->s.code == (NFF_MISC|NFF_TAX))) { s->s.code = NFF_LDX|NFF_IMM; next->s.code = NFF_MISC|NFF_TXA; done = 0; } /* * This is an ugly special case, but it happens * when you say tcp[k] or udp[k] where k is a constant. */ if (s->s.code == (NFF_LD|NFF_IMM)) { struct slist *add, *tax, *ild; /* * Check that X isn't used on exit from this * ablock (which the optimizer might cause). * We know the code generator won't generate * any local dependencies. */ if (ATOMELEM(b->out_use, X_ATOM)) break; if (next->s.code != (NFF_LDX|NFF_MSH|NFF_B)) add = next; else add = this_op(next->next); if (add == 0 || add->s.code != (NFF_ALU|NFF_ADD|NFF_X)) break; tax = this_op(add->next); if (tax == 0 || tax->s.code != (NFF_MISC|NFF_TAX)) break; ild = this_op(tax->next); if (ild == 0 || NFF_CLASS(ild->s.code) != NFF_LD || NFF_MODE(ild->s.code) != NFF_IND) break; /* * XXX We need to check that X is not * subsequently used. We know we can eliminate the * accumulator modifications since it is defined * by the last stmt of this sequence. * * We want to turn this sequence: * * (004) ldi #0x2 {s} * (005) ldxms [14] {next} -- optional * (006) addx {add} * (007) tax {tax} * (008) ild [x+0] {ild} * * into this sequence: * * (004) nop * (005) ldxms [14] * (006) nop * (007) nop * (008) ild [x+2] * */ ild->s.data.k += s->s.data.k; s->s.code = NOP; add->s.code = NOP; tax->s.code = NOP; done = 0; } s = next; } /* * If we have a subtract to do a comparison, and the X register * is a known constant, we can merge this value into the * comparison. */ if (last->s.code == (NFF_ALU|NFF_SUB|NFF_X) && !ATOMELEM(b->out_use, A_ATOM)) { val = b->val[X_ATOM]; if (vmap[val].is_const) { int op; b->s.data.k += vmap[val].const_val; op = NFF_OP(b->s.code); if (op == NFF_JGT || op == NFF_JGE) { struct ablock *t = JT(b); JT(b) = JF(b); JF(b) = t; b->s.data.k *= -1; } last->s.code = NOP; done = 0; } else if (b->s.data.k == 0) { /* * sub x -> nop * j #0 j x */ last->s.code = NOP; b->s.code = NFF_CLASS(b->s.code) | NFF_OP(b->s.code) |NFF_X; done = 0; } } /* * Likewise, a constant subtract can be simplified. */ else if (last->s.code == (NFF_ALU|NFF_SUB|NFF_K) && !ATOMELEM(b->out_use, A_ATOM)) { int op; b->s.data.k += last->s.data.k; last->s.code = NOP; op = NFF_OP(b->s.code); if (op == NFF_JGT || op == NFF_JGE) { struct ablock *t = JT(b); JT(b) = JF(b); JF(b) = t; b->s.data.k *= -1; } done = 0; } /* * and #k nop * jeq #0 -> jset #k */ if (last->s.code == (NFF_ALU|NFF_AND|NFF_K) && !ATOMELEM(b->out_use, A_ATOM) && b->s.data.k == 0) { b->s.data.k = last->s.data.k; b->s.code = NFF_JMP|NFF_K|NFF_JSET; last->s.code = NOP; done = 0; opt_not(b); } /* * If the accumulator is a known constant, we can compute the * comparison result. */ val = b->val[A_ATOM]; if (vmap[val].is_const && NFF_SRC(b->s.code) == NFF_K) { long long v = vmap[val].const_val; switch (NFF_OP(b->s.code)) { case NFF_JEQ: v = (v == b->s.data.k); break; case NFF_JGT: v = v > b->s.data.k; break; case NFF_JGE: v = v >= b->s.data.k; break; case NFF_JSET: v &= b->s.data.k; break; default: abort(); } if (JF(b) != JT(b)) done = 0; if (v) JF(b) = JT(b); else JT(b) = JF(b); } } /* * Compute the symbolic value of expression of 's', and update * anything it defines in the value table 'val'. If 'alter' is true, * do various optimizations. This code would be cleaner if symbolic * evaluation and code transformations weren't folded together. */ static void opt_stmt( struct stmt *s, long long val[], int alter) { int op; long long v; switch (s->code) { case NFF_LD|NFF_DSR|NFF_L: case NFF_LD|NFF_ABS|NFF_L: case NFF_LD|NFF_DSR|NFF_W: case NFF_LD|NFF_ABS|NFF_W: case NFF_LD|NFF_DSR|NFF_H: case NFF_LD|NFF_ABS|NFF_H: case NFF_LD|NFF_DSR|NFF_B: case NFF_LD|NFF_ABS|NFF_B: case NFF_LD|NFF_DSR|NFF_F: case NFF_LD|NFF_ABS|NFF_F: v = F(s->code, s->data.k, 0L); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_IND|NFF_L: case NFF_LD|NFF_IND|NFF_W: case NFF_LD|NFF_IND|NFF_H: case NFF_LD|NFF_IND|NFF_B: case NFF_LD|NFF_IND|NFF_F: v = val[X_ATOM]; if (alter && vmap[v].is_const) { s->code = NFF_LD|NFF_ABS|NFF_SIZE(s->code); s->data.k += vmap[v].const_val; v = F(s->code, s->data.k, 0L); done = 0; } else v = F(s->code, s->data.k, v); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_LEN: v = F(s->code, 0L, 0L); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_IMM: v = K(s->data.k); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LDX|NFF_IMM: v = K(s->data.k); vstore(s, &val[X_ATOM], v, alter); break; case NFF_LDX|NFF_MSH|NFF_B: v = F(s->code, s->data.k, 0L); vstore(s, &val[X_ATOM], v, alter); break; case NFF_ALU|NFF_NEG: if (alter && vmap[val[A_ATOM]].is_const) { s->code = NFF_LD|NFF_IMM; s->data.k = -vmap[val[A_ATOM]].const_val; val[A_ATOM] = K(s->data.k); } else val[A_ATOM] = F(s->code, val[A_ATOM], 0L); break; case NFF_ALU|NFF_ADD|NFF_K: case NFF_ALU|NFF_SUB|NFF_K: case NFF_ALU|NFF_MUL|NFF_K: case NFF_ALU|NFF_DIV|NFF_K: case NFF_ALU|NFF_AND|NFF_K: case NFF_ALU|NFF_OR|NFF_K: case NFF_ALU|NFF_LSH|NFF_K: case NFF_ALU|NFF_RSH|NFF_K: op = NFF_OP(s->code); if (alter) { if (s->data.k == 0) { /* don't optimize away "sub #0" * as it may be needed later to * fixup the generated math code */ if (op == NFF_ADD || op == NFF_LSH || op == NFF_RSH || op == NFF_OR) { s->code = NOP; break; } if (op == NFF_MUL || op == NFF_AND) { s->code = NFF_LD|NFF_IMM; val[A_ATOM] = K(s->data.k); break; } } if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], K(s->data.k)); val[A_ATOM] = K(s->data.k); break; } } val[A_ATOM] = F(s->code, val[A_ATOM], K(s->data.k)); break; case NFF_ALU|NFF_ADD|NFF_X: case NFF_ALU|NFF_SUB|NFF_X: case NFF_ALU|NFF_MUL|NFF_X: case NFF_ALU|NFF_DIV|NFF_X: case NFF_ALU|NFF_AND|NFF_X: case NFF_ALU|NFF_OR|NFF_X: case NFF_ALU|NFF_LSH|NFF_X: case NFF_ALU|NFF_RSH|NFF_X: op = NFF_OP(s->code); if (alter && vmap[val[X_ATOM]].is_const) { if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], val[X_ATOM]); val[A_ATOM] = K(s->data.k); } else { s->code = NFF_ALU|NFF_K|op; s->data.k = vmap[val[X_ATOM]].const_val; done = 0; val[A_ATOM] = F(s->code, val[A_ATOM], K(s->data.k)); } break; } /* * Check if we're doing something to an accumulator * that is 0, and simplify. This may not seem like * much of a simplification but it could open up further * optimizations. * XXX We could also check for mul by 1, and -1, etc. */ if (alter && vmap[val[A_ATOM]].is_const && vmap[val[A_ATOM]].const_val == 0) { if (op == NFF_ADD || op == NFF_OR || op == NFF_LSH || op == NFF_RSH || op == NFF_SUB) { s->code = NFF_MISC|NFF_TXA; vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; } else if (op == NFF_MUL || op == NFF_DIV || op == NFF_AND) { s->code = NFF_LD|NFF_IMM; s->data.k = 0; vstore(s, &val[A_ATOM], K(s->data.k), alter); break; } else if (op == NFF_NEG) { s->code = NOP; break; } } val[A_ATOM] = F(s->code, val[A_ATOM], val[X_ATOM]); break; case NFF_MISC|NFF_TXA: vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; case NFF_LD|NFF_MEM: v = val[s->data.k]; if (alter && vmap[v].is_const) { s->code = NFF_LD|NFF_IMM; s->data.k = vmap[v].const_val; done = 0; } vstore(s, &val[A_ATOM], v, alter); break; case NFF_MISC|NFF_TAX: vstore(s, &val[X_ATOM], val[A_ATOM], alter); break; case NFF_LDX|NFF_MEM: v = val[s->data.k]; if (alter && vmap[v].is_const) { s->code = NFF_LDX|NFF_IMM; s->data.k = vmap[v].const_val; done = 0; } vstore(s, &val[X_ATOM], v, alter); break; case NFF_ST: vstore(s, &val[s->data.k], val[A_ATOM], alter); break; case NFF_STX: vstore(s, &val[s->data.k], val[X_ATOM], alter); break; case NOP: break; default: ArgusLog(LOG_ERR, "opt_stmt: statement not in list"); break; } } static void deadstmt(struct stmt *s, struct stmt *last[]) { register int atom; atom = atomuse(s); if (atom >= 0) { if (atom == AX_ATOM) { last[X_ATOM] = 0; last[A_ATOM] = 0; } else last[atom] = 0; } atom = atomdef(s); if (atom >= 0) { if (last[atom]) { done = 0; last[atom]->code = NOP; } last[atom] = s; } } static void opt_deadstores(struct ablock *b) { register struct slist *s; register int atom; struct stmt *last[N_ATOMS]; memset((char *)last, 0, sizeof last); for (s = b->stmts; s != 0; s = s->next) deadstmt(&s->s, last); deadstmt(&b->s, last); for (atom = 0; atom < N_ATOMS; ++atom) if (last[atom] && !ATOMELEM(b->out_use, atom)) { last[atom]->code = NOP; done = 0; } } static void opt_blk( struct ablock *b, int do_stmts) { long long aval; struct slist *s; struct edge *p; int i; #if 0 for (s = b->stmts; s && s->next; s = s->next) if (NFF_CLASS(s->s.code) == NFF_JMP) { do_stmts = 0; break; } #endif /* * Initialize the atom values. * If we have no predecessors, everything is undefined. * Otherwise, we inherent our values from our predecessors. * If any register has an ambiguous value (i.e. control paths are * merging) give it the undefined value of 0. */ p = b->in_edges; if (p == 0) memset((char *)b->val, 0, sizeof(b->val)); else { memcpy((char *)b->val, (char *)p->pred->val, sizeof(b->val)); while ((p = p->next) != NULL) { for (i = 0; i < N_ATOMS; ++i) if (b->val[i] != p->pred->val[i]) b->val[i] = 0; } } aval = b->val[A_ATOM]; for (s = b->stmts; s; s = s->next) opt_stmt(&s->s, b->val, do_stmts); /* * This is a special case: if we don't use anything from this * block, and we load the accumulator with value that is * already there, or if this ablock is a return, * eliminate all the statements. */ if (do_stmts && ((b->out_use == 0 && aval != 0 &&b->val[A_ATOM] == aval) || NFF_CLASS(b->s.code) == NFF_RET)) { if (b->stmts != 0) { b->stmts = 0; done = 0; } } else { opt_peep(b); opt_deadstores(b); } /* * Set up values for branch optimizer. */ if (NFF_SRC(b->s.code) == NFF_K) b->oval = K(b->s.data.k); else b->oval = b->val[X_ATOM]; b->et.code = b->s.code; b->ef.code = -b->s.code; } /* * Return true if any register that is used on exit from 'succ', has * an exit value that is different from the corresponding exit value * from 'b'. */ static int use_conflict(struct ablock *b, struct ablock *succ) { int atom; atomset use = succ->out_use; if (use == 0) return 0; for (atom = 0; atom < N_ATOMS; ++atom) if (ATOMELEM(use, atom)) if (b->val[atom] != succ->val[atom]) return 1; return 0; } static struct ablock * fold_edge(struct ablock *child, struct edge *ep) { int sense; int code = ep->code; long long aval0, aval1, oval0, oval1; if (code < 0) { code = -code; sense = 0; } else sense = 1; if (child->s.code != code) return 0; aval0 = child->val[A_ATOM]; oval0 = child->oval; aval1 = ep->pred->val[A_ATOM]; oval1 = ep->pred->oval; if (aval0 != aval1) return 0; if (oval0 == oval1) /* * The operands are identical, so the * result is true if a true branch was * taken to get here, otherwise false. */ return sense ? JT(child) : JF(child); if (sense && code == (NFF_JMP|NFF_JEQ|NFF_K)) /* * At this point, we only know the comparison if we * came down the true branch, and it was an equality * comparison with a constant. We rely on the fact that * distinct constants have distinct value numbers. */ return JF(child); return 0; } static void opt_j(struct edge *ep) { register int i, k; register struct ablock *target = NULL; if (JT(ep->succ) == 0) return; if (JT(ep->succ) == JF(ep->succ)) { /* * Common branch targets can be eliminated, provided * there is no data dependency. */ if (!use_conflict(ep->pred, ep->succ->et.succ)) { done = 0; ep->succ = JT(ep->succ); } } /* * For each edge dominator that matches the successor of this * edge, promote the edge successor to the its grandchild. * * XXX We violate the set abstraction here in favor a reasonably * efficient loop. */ top: for (i = 0; i < edgewords; ++i) { register nff_u_int32 x = ep->edom[i]; while (x != 0) { k = ffs(x) - 1; x &=~ (1 << k); k += i * BITS_PER_WORD; target = fold_edge(ep->succ, edges[k]); /* * Check that there is no data dependency between * nodes that will be violated if we move the edge. */ if (target != 0 && !use_conflict(ep->pred, target)) { done = 0; ep->succ = target; if (JT(target) != 0) /* * Start over unless we hit a leaf. */ goto top; return; } } } } static void or_pullup(struct ablock *b) { long long val; int at_top; struct ablock *pull; struct ablock **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. * XXX why? */ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JT(*diffp) != JT(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JF(*diffp); at_top = 0; } samep = &JF(*diffp); while (1) { if (*samep == 0) return; if (JT(*samep) != JT(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between dp0 and dp1. Currently, the code generator will not produce such dependencies. */ samep = &JF(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JF(pull); JF(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void and_pullup(struct ablock *b) { long long val; int at_top; struct ablock *pull; struct ablock **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. */ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JF(*diffp) != JF(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JT(*diffp); at_top = 0; } samep = &JT(*diffp); while (1) { if (*samep == 0) return; if (JF(*samep) != JF(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between diffp and samep. Currently, the code generator will not produce such dependencies. */ samep = &JT(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JT(pull); JT(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void opt_blks( struct ablock *root, int do_stmts) { int i, maxlevel; struct ablock *p; init_val(); maxlevel = root->level; find_inedges(root); for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) opt_blk(p, do_stmts); if (do_stmts) /* * No point trying to move branches; it can't possibly * make a difference at this point. */ return; for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { opt_j(&p->et); opt_j(&p->ef); } } find_inedges(root); for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { or_pullup(p); and_pullup(p); } } } static inline void link_inedge(struct edge *parent, struct ablock *child) { parent->next = child->in_edges; child->in_edges = parent; } static void find_inedges(struct ablock *root) { int i; struct ablock *b; for (i = 0; i < n_blocks; ++i) blocks[i]->in_edges = 0; /* * Traverse the graph, adding each edge to the predecessor * list of its successors. Skip the leaves (i.e. level 0). */ for (i = root->level; i > 0; --i) { for (b = levels[i]; b != 0; b = b->link) { link_inedge(&b->et, JT(b)); link_inedge(&b->ef, JF(b)); } } } static void opt_root(struct ablock **b) { struct slist *tmp, *s; s = (*b)->stmts; (*b)->stmts = 0; while (NFF_CLASS((*b)->s.code) == NFF_JMP && JT(*b) == JF(*b)) *b = JT(*b); tmp = (*b)->stmts; if (tmp != 0) Argussappend(s, tmp); (*b)->stmts = s; /* * If the root node is a return, then there is no * point executing any statements (since the nff machine * has no side effects). */ if (NFF_CLASS((*b)->s.code) == NFF_RET) (*b)->stmts = 0; } static void opt_loop(struct ablock *root, int do_stmts) { #ifdef BDEBUG if (dflag > 1) { printf("opt_loop(root, %d) begin\n", do_stmts); opt_dump(root); } #endif do { done = 1; find_levels(root); find_dom(root); find_closure(root); find_ud(root); find_edom(root); opt_blks(root, do_stmts); #ifdef BDEBUG if (dflag > 1) { printf("opt_loop(root, %d) bottom, done=%d\n", do_stmts, done); opt_dump(root); } #endif } while (!done); } /* * Optimize the filter code in its dag representation. */ void Argusnff_optimize(struct ablock **rootp) { struct ablock *root; root = *rootp; opt_init(root); opt_loop(root, 0); opt_loop(root, 1); intern_blocks(root); #ifdef BDEBUG if (dflag > 1) { printf("after intern_blocks()\n"); opt_dump(root); } #endif opt_root(rootp); #ifdef BDEBUG if (dflag > 1) { printf("after opt_root()\n"); opt_dump(root); } #endif opt_cleanup(); #ifdef ARGUSDEBUG ArgusDebug (6, "Argusnff_optimize (0x%x)", rootp); #endif } static void make_marks(struct ablock *p) { if (!isMarked(p)) { Mark(p); if (NFF_CLASS(p->s.code) != NFF_RET) { make_marks(JT(p)); make_marks(JF(p)); } } } /* * Mark code array such that isMarked(i) is true * only for nodes that are alive. */ static void mark_code(struct ablock *p) { cur_mark += 1; make_marks(p); } /* * True iff the two stmt lists load the same value from the packet into * the accumulator. */ static int eq_slist(struct slist *x, struct slist *y) { while (1) { while (x && x->s.code == NOP) x = x->next; while (y && y->s.code == NOP) y = y->next; if (x == 0) return y == 0; if (y == 0) return x == 0; if (x->s.code != y->s.code || x->s.data.k != y->s.data.k) return 0; x = x->next; y = y->next; } } static inline int eq_blk(struct ablock *b0, struct ablock *b1) { if (b0->s.code == b1->s.code && b0->s.dsr == b1->s.dsr && b0->s.data.k == b1->s.data.k && b0->et.succ == b1->et.succ && b0->ef.succ == b1->ef.succ) return eq_slist(b0->stmts, b1->stmts); return 0; } static void intern_blocks(struct ablock *root) { struct ablock *p; int i, j; int done; top: done = 1; for (i = 0; i < n_blocks; ++i) blocks[i]->link = 0; mark_code(root); for (i = n_blocks - 1; --i >= 0; ) { if (!isMarked(blocks[i])) continue; for (j = i + 1; j < n_blocks; ++j) { if (!isMarked(blocks[j])) continue; if (eq_blk(blocks[i], blocks[j])) { blocks[i]->link = blocks[j]->link ? blocks[j]->link : blocks[j]; break; } } } for (i = 0; i < n_blocks; ++i) { p = blocks[i]; if (JT(p) == 0) continue; if (JT(p)->link) { done = 0; JT(p) = JT(p)->link; } if (JF(p)->link) { done = 0; JF(p) = JF(p)->link; } } if (!done) goto top; } static void opt_cleanup() { free((void *)vnode_base); free((void *)vmap); free((void *)edges); free((void *)space); free((void *)levels); free((void *)blocks); } /* * Return the number of stmts in 's'. */ static int slength(struct slist *s) { int n = 0; for (; s; s = s->next) if (s->s.code != NOP) ++n; return n; } /* * Return the number of nodes reachable by 'p'. * All nodes should be initially unmarked. */ static int count_blocks(struct ablock *p) { if (p == 0 || isMarked(p)) return 0; Mark(p); return count_blocks(JT(p)) + count_blocks(JF(p)) + 1; } /* * Do a depth first search on the flow graph, numbering the * the basic blocks, and entering them into the 'blocks' array.` */ static void number_blks_r(struct ablock *p) { int n; if (p == 0 || isMarked(p)) return; Mark(p); n = n_blocks++; p->id = n; blocks[n] = p; number_blks_r(JT(p)); number_blks_r(JF(p)); } /* * Return the number of stmts in the flowgraph reachable by 'p'. * The nodes should be unmarked before calling. * * Note that "stmts" means "instructions", and that this includes * * side-effect statements in 'p' (slength(p->stmts)); * * statements in the true branch from 'p' (count_stmts(JT(p))); * * statements in the false branch from 'p' (count_stmts(JF(p))); * * the conditional jump itself (1); * * an extra long jump if the true branch requires it (p->longjt); * * an extra long jump if the false branch requires it (p->longjf). */ static int count_stmts(struct ablock *p) { int n; if (p == 0 || isMarked(p)) return 0; Mark(p); n = count_stmts(JT(p)) + count_stmts(JF(p)); return slength(p->stmts) + n + 1 + p->longjt + p->longjf; } /* * Allocate memory. All allocation is done before optimization * is begun. A linear bound on the size of all data structures is computed * from the total number of blocks and/or statements. */ static void opt_init(struct ablock *root) { nff_u_int32 *p; int i, n, max_stmts; /* * First, count the blocks, so we can malloc an array to map * ablock number to block. Then, put the blocks into the array. */ unMarkAll(); n = count_blocks(root); blocks = (struct ablock **)malloc(n * sizeof(*blocks)); unMarkAll(); n_blocks = 0; number_blks_r(root); n_edges = 2 * n_blocks; edges = (struct edge **)malloc(n_edges * sizeof(*edges)); /* * The number of levels is bounded by the number of nodes. */ levels = (struct ablock **)malloc(n_blocks * sizeof(*levels)); edgewords = n_edges / (8 * sizeof(nff_u_int32)) + 1; nodewords = n_blocks / (8 * sizeof(nff_u_int32)) + 1; /* XXX */ space = (nff_u_int32 *)malloc(2 * n_blocks * nodewords * sizeof(*space) + n_edges * edgewords * sizeof(*space)); p = space; all_dom_sets = p; for (i = 0; i < n; ++i) { blocks[i]->dom = p; p += nodewords; } all_closure_sets = p; for (i = 0; i < n; ++i) { blocks[i]->closure = p; p += nodewords; } all_edge_sets = p; for (i = 0; i < n; ++i) { register struct ablock *b = blocks[i]; b->et.edom = p; p += edgewords; b->ef.edom = p; p += edgewords; b->et.id = i; edges[i] = &b->et; b->ef.id = n_blocks + i; edges[n_blocks + i] = &b->ef; b->et.pred = b; b->ef.pred = b; } max_stmts = 0; for (i = 0; i < n; ++i) max_stmts += slength(blocks[i]->stmts) + 1; /* * We allocate at most 3 value numbers per statement, * so this is an upper bound on the number of valnodes * we'll need. */ maxval = 3 * max_stmts; vmap = (struct vmapinfo *)malloc(maxval * sizeof(*vmap)); vnode_base = (struct valnode *)malloc(maxval * sizeof(*vnode_base)); } /* * Some pointers used to convert the basic ablock form of the code, * into the array form that NFF requires. 'fstart' will point to * the malloc'd array while 'ftail' is used during the recursive traversal. */ static struct nff_insn *fstart; static struct nff_insn *ftail; #ifdef BDEBUG int bids[1000]; #endif /* * Returns true if successful. Returns false if a branch has * an offset that is too large. If so, we have marked that * branch so that on a subsequent iteration, it will be treated * properly. */ static int convert_code_r(struct ablock *p) { struct nff_insn *dst; struct slist *src; int slen; u_int off; int extrajmps; /* number of extra jumps inserted */ struct slist **offset = NULL; if (p == 0 || isMarked(p)) return (1); Mark(p); if (convert_code_r(JF(p)) == 0) return (0); if (convert_code_r(JT(p)) == 0) return (0); slen = slength(p->stmts); dst = ftail -= (slen + 1 + p->longjt + p->longjf); /* inflate length by any extra jumps */ p->offset = dst - fstart; /* generate offset[] for convenience */ if (slen) { offset = (struct slist **)calloc(sizeof(struct slist *), slen); if (!offset) { ArgusLog(LOG_ERR, "not enough core"); /*NOTREACHED*/ } } src = p->stmts; for (off = 0; off < slen && src; off++) { #if 0 printf("off=%d src=%x\n", off, src); #endif offset[off] = src; src = src->next; } off = 0; for (src = p->stmts; src; src = src->next) { if (src->s.code == NOP) continue; dst->dsr = src->s.dsr; dst->code = (u_short)src->s.code; dst->type = src->s.type; dst->data.k = src->s.data.k; /* fill block-local relative jump */ if (NFF_CLASS(src->s.code) != NFF_JMP || src->s.code == (NFF_JMP|NFF_JA)) { #if 0 if (src->s.jt || src->s.jf) { ArgusLog(LOG_ERR, "illegal jmp destination"); /*NOTREACHED*/ } #endif goto filled; } if (off == slen - 2) /*???*/ goto filled; { int i; int jt, jf; char *ljerr = "%s for block-local relative jump: off=%d"; #if 0 printf("code=%x off=%d %x %x\n", src->s.code, off, src->s.jt, src->s.jf); #endif if (!src->s.jt || !src->s.jf) { ArgusLog(LOG_ERR, "no jmp destination %d, %d", ljerr, off); /*NOTREACHED*/ } jt = jf = 0; for (i = 0; i < slen; i++) { if (offset[i] == src->s.jt) { if (jt) { ArgusLog(LOG_ERR, "multiple matches %d, %d", ljerr, off); /*NOTREACHED*/ } dst->jt = i - off - 1; jt++; } if (offset[i] == src->s.jf) { if (jf) { ArgusLog(LOG_ERR, "multiple matches %d, %d", ljerr, off); /*NOTREACHED*/ } dst->jf = i - off - 1; jf++; } } if (!jt || !jf) { ArgusLog(LOG_ERR, "no destination found %d, %d", ljerr, off); /*NOTREACHED*/ } } filled: ++dst; ++off; } if (offset) free(offset); #ifdef BDEBUG bids[dst - fstart] = p->id + 1; #endif dst->dsr = p->s.dsr; dst->code = (u_short)p->s.code; dst->type = p->s.type; dst->data.k = p->s.data.k; if (JT(p)) { extrajmps = 0; off = JT(p)->offset - (p->offset + slen) - 1; if (off >= 256) { /* offset too large for branch, must add a jump */ if (p->longjt == 0) { /* mark this instruction and retry */ p->longjt++; return(0); } /* branch if T to following jump */ dst->jt = extrajmps; extrajmps++; dst[extrajmps].code = NFF_JMP|NFF_JA; dst[extrajmps].type = dst->type; dst[extrajmps].data.k = off - extrajmps; } else dst->jt = off; off = JF(p)->offset - (p->offset + slen) - 1; if (off >= 256) { /* offset too large for branch, must add a jump */ if (p->longjf == 0) { /* mark this instruction and retry */ p->longjf++; return(0); } /* branch if F to following jump */ /* if two jumps are inserted, F goes to second one */ dst->jf = extrajmps; extrajmps++; dst[extrajmps].code = NFF_JMP|NFF_JA; dst[extrajmps].type = dst->type; dst[extrajmps].data.k = off - extrajmps; } else dst->jf = off; } return (1); } /* * Convert flowgraph intermediate representation to the * NFF array representation. Set *lenp to the number of instructions. */ struct nff_insn * Argusicode_to_fcode(struct ablock *root, int *lenp) { int n; struct nff_insn *fp; /* * Loop doing convert_code_r() until no branches remain * with too-large offsets. */ while (1) { unMarkAll(); n = *lenp = count_stmts(root); fp = (struct nff_insn *)malloc(sizeof(*fp) * n); memset((char *)fp, 0, sizeof(*fp) * n); fstart = fp; ftail = fp + n; unMarkAll(); if (convert_code_r(root)) break; free(fp); } #ifdef ARGUSDEBUG ArgusDebug (10, "Argusicode_to_fcode () returning 0x%x", fp); #endif return fp; } #ifdef BDEBUG static void opt_dump(struct ablock *root) { struct nff_program f; char buf[MAXSTRLEN]; memset(bids, 0, sizeof bids); f.bf_insns = Argusicode_to_fcode(root, &f.bf_len); nff_dump(&f, buf, MAXSTRLEN, 1); printf("%s\n", buf); free((char *)f.bf_insns); } #endif extern void nff_dump(struct nff_program *, char *, int, int); static char *nff_image(struct nff_insn *p, int n); void nff_dump(struct nff_program *p, char *buf, int buflen, int option) { struct nff_insn *insn; int i, slen; int n = p->bf_len; insn = p->bf_insns; if (option > 2) { slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "%d\n", n); for (i = 0; i < n; ++insn, ++i) { slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "%lu %lu %lu %llu\n", (long)insn->code, (long)insn->jt, (long)insn->jf, insn->data.k); } return ; } if (option > 1) { for (i = 0; i < n; ++insn, ++i) slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "{ 0x%x, %d, %d, 0x%08llx },\n", insn->code, insn->jt, insn->jf, insn->data.k); return; } for (i = 0; i < n; ++insn, ++i) { slen = strlen(buf); #ifdef BDEBUG extern int bids[]; snprintf(&buf[slen], buflen - slen, bids[i] > 0 ? "[%02d]" : " -- ", bids[i] - 1); #endif snprintf(&buf[slen], buflen - slen, "%s\n", nff_image(insn, i)); } } /* * Copyright (c) 1990, 1991, 1992, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ static char *nff_image(struct nff_insn *, int); static char * nff_image(struct nff_insn *p, int n) { int v, dsr; static char image[256]; char operand[64], op[32]; char *fmt, *s; float f; dsr = p->dsr; v = p->data.k; f = p->data.f; s = p->data.s; switch (p->code) { default: sprintf(op, "unimp"); fmt = "0x%x"; v = p->code; break; case NFF_RET|NFF_K: sprintf(op, "ret"); fmt = " #%d"; break; case NFF_RET|NFF_A: sprintf(op, "ret"); fmt = " "; break; case NFF_LD|NFF_F|NFF_DSR: if (dsr < 0) sprintf(op, "ldf hdr"); else sprintf(op, "ldf dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_F|NFF_ABS: sprintf(op, "ldf"); fmt = "[%d]"; break; case NFF_LD|NFF_L|NFF_DSR: if (dsr < 0) sprintf(op, "ldll hdr"); else sprintf(op, "ldll dsr[%d]", dsr); fmt = "[%Ld]"; break; case NFF_LD|NFF_L|NFF_ABS: sprintf(op, "ldll"); fmt = "[%Ld]"; break; case NFF_LD|NFF_W|NFF_DSR: if (dsr < 0) sprintf(op, "ld hdr"); else sprintf(op, "ld dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_W|NFF_ABS: sprintf(op, "ld"); fmt = "[%d]"; break; case NFF_LD|NFF_H|NFF_DSR: if (dsr < 0) sprintf(op, "ldh hdr"); else sprintf(op, "ldh dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_H|NFF_ABS: sprintf(op, "ldh"); fmt = "[%d]"; break; case NFF_LD|NFF_B|NFF_DSR: if (dsr < 0) sprintf(op, "ldb hdr"); else sprintf(op, "ldb dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_B|NFF_ABS: sprintf(op, "ldb"); fmt = "[%d]"; break; case NFF_LD|NFF_W|NFF_LEN: sprintf(op, "ld"); fmt = "#pktlen"; break; case NFF_LD|NFF_F|NFF_IND: sprintf(op, "ldf"); fmt = "[x + %d]"; break; case NFF_LD|NFF_L|NFF_IND: sprintf(op, "ldll"); fmt = "[x + %Ld]"; break; case NFF_LD|NFF_W|NFF_IND: sprintf(op, "ld"); fmt = "[x + %d]"; break; case NFF_LD|NFF_H|NFF_IND: sprintf(op, "ldh"); fmt = "[x + %d]"; break; case NFF_LD|NFF_B|NFF_IND: sprintf(op, "ldb"); fmt = "[x + %d]"; break; case NFF_LD|NFF_IMM: sprintf(op, "ld"); fmt = "#0x%x"; break; case NFF_LDX|NFF_IMM: sprintf(op, "ldx"); fmt = "#0x%x"; break; case NFF_LDX|NFF_MSH|NFF_B: sprintf(op, "ldxb"); fmt = "4*([%d]&0xf)"; break; case NFF_LD|NFF_MEM: sprintf(op, "ld"); fmt = "M[%d]"; break; case NFF_LDX|NFF_MEM: sprintf(op, "ldx"); fmt = "M[%d]"; break; case NFF_ST: sprintf(op, "st"); fmt = "M[%d]"; break; case NFF_STX: sprintf(op, "stx"); fmt = "M[%d]"; break; case NFF_JMP|NFF_JA: sprintf(op, "ja"); fmt = "%d"; v = n + p->data.k; break; case NFF_JMP|NFF_JGT|NFF_F: sprintf(op, "jgt"); fmt = "#%f"; break; case NFF_JMP|NFF_JGE|NFF_F: sprintf(op, "jge"); fmt = "#%f"; break; case NFF_JMP|NFF_JEQ|NFF_F: sprintf(op, "jeq"); fmt = "#%f"; break; case NFF_JMP|NFF_JGT|NFF_K: sprintf(op, "jgt"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JGE|NFF_K: sprintf(op, "jge"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JEQ|NFF_K: sprintf(op, "jeq"); switch (p->type) { case Q_STRING: fmt = "\"%s\""; break; case Q_DEFAULT: fmt = "#0x%x"; break; } break; case NFF_JMP|NFF_JSET|NFF_K: sprintf(op, "jset"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JGT|NFF_X: sprintf(op, "jgt"); fmt = "x"; break; case NFF_JMP|NFF_JGE|NFF_X: sprintf(op, "jge"); fmt = "x"; break; case NFF_JMP|NFF_JEQ|NFF_X: sprintf(op, "jeq"); fmt = "x"; break; case NFF_JMP|NFF_JSET|NFF_X: sprintf(op, "jset"); fmt = "x"; break; case NFF_ALU|NFF_ADD|NFF_X: sprintf(op, "add"); fmt = "x"; break; case NFF_ALU|NFF_SUB|NFF_X: sprintf(op, "sub"); fmt = "x"; break; case NFF_ALU|NFF_MUL|NFF_X: sprintf(op, "mul"); fmt = "x"; break; case NFF_ALU|NFF_DIV|NFF_X: sprintf(op, "div"); fmt = "x"; break; case NFF_ALU|NFF_AND|NFF_X: sprintf(op, "and"); fmt = "x"; break; case NFF_ALU|NFF_OR|NFF_X: sprintf(op, "or"); fmt = "x"; break; case NFF_ALU|NFF_LSH|NFF_X: sprintf(op, "lsh"); fmt = "x"; break; case NFF_ALU|NFF_RSH|NFF_X: sprintf(op, "rsh"); fmt = "x"; break; case NFF_ALU|NFF_ADD|NFF_K: sprintf(op, "add"); fmt = " #%d"; break; case NFF_ALU|NFF_SUB|NFF_K: sprintf(op, "sub"); fmt = " #%d"; break; case NFF_ALU|NFF_MUL|NFF_K: sprintf(op, "mul"); fmt = " #%d"; break; case NFF_ALU|NFF_DIV|NFF_K: sprintf(op, "div"); fmt = " #%d"; break; case NFF_ALU|NFF_AND|NFF_K: sprintf(op, "and"); fmt = " #%d"; break; case NFF_ALU|NFF_OR|NFF_K: sprintf(op, "or"); fmt = " #%d"; break; case NFF_ALU|NFF_LSH|NFF_K: sprintf(op, "lsh"); fmt = " #%d"; break; case NFF_ALU|NFF_RSH|NFF_K: sprintf(op, "rsh"); fmt = " #%d"; break; case NFF_ALU|NFF_NEG: sprintf(op, "neg"); fmt = ""; break; case NFF_MISC|NFF_TAX: sprintf(op, "tax"); fmt = ""; break; case NFF_MISC|NFF_TXA: sprintf(op, "txa"); fmt = ""; break; } if (!(strcmp (fmt, "#%f"))) (void)snprintf(operand, 64, fmt, f); else if (!(strcmp (fmt, "\"%s\""))) { (void)snprintf(operand, 64, fmt, s); } else (void)snprintf(operand, 64, fmt, v); if ((NFF_CLASS(p->code) == NFF_JMP) && (NFF_OP(p->code) != NFF_JA)) (void)snprintf(image, 256, "(%03d) %-8s %-16s jt %d\tjf %d", n, op, operand, (n + 1 + p->jt), (n + 1 + p->jf)); else (void)snprintf(image, 256, "(%03d) %-8s%s", n, op, operand); return image; } argus-3.0.8.2/common/argus_util.c000444 000765 000024 00000337671 12560543556 017272 0ustar00carterstaff000000 000000 /* * Argus Software. Common library routines - Utilities * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/common/argus_util.c#85 $ * $DateTime: 2015/08/05 22:33:18 $ * $Change: 3042 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef argus_util #define argus_util #endif #include #include #include #include #include #include #if (HAVE_SYSLOG_H) #include #endif #include #include #include #include #include #include #include #if defined(HAVE_XDR) #include #endif #if defined(ARGUS_THREADS) #include #endif #include #include #include #include #include #include #include #include #include #if defined(AIX) #include #endif #ifndef AF_INET6 #define AF_INET6 23 #endif #ifdef HAVE_ETHER_HOSTTON /* * XXX - do we need any of this if doesn't declare * ether_hostton()? */ #ifdef HAVE_NETINET_IF_ETHER_H struct mbuf; /* Squelch compiler warnings on some platforms for */ struct rtentry; /* declarations in */ #include /* for "struct ifnet" in "struct arpcom" on Solaris */ #include #endif /* HAVE_NETINET_IF_ETHER_H */ #ifdef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON #include #endif /* NETINET_ETHER_H_DECLARES_ETHER_HOSTTON */ #endif /* HAVE_ETHER_HOSTTON */ extern char *ArgusProgramName; void ArgusInitAddrtoname(struct ArgusParserStruct *, u_int, u_int); void ArgusInitServarray(struct ArgusParserStruct *); void ArgusInitEprotoarray(struct ArgusParserStruct *); void ArgusInitProtoidarray(struct ArgusParserStruct *); void ArgusInitEtherarray(struct ArgusParserStruct *); void ArgusInitLlcsaparray(struct ArgusParserStruct *); void ArgusFreeEtherarray(struct ArgusParserStruct *); void ArgusFreeServarray(struct ArgusParserStruct *); void ArgusFreeProtoidarray(struct ArgusParserStruct *); void ArgusFreeLlcsaparray(struct ArgusParserStruct *); u_int ipaddrtonetmask(u_int); u_int getnetnumber( u_int); struct ArgusParserStruct * ArgusNewParser(char *progname) { struct ArgusParserStruct *retn = NULL; if ((retn = (struct ArgusParserStruct *) ArgusCalloc(1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusNewParser(%s) ArgusCalloc error %s", progname, strerror(errno)); retn->ArgusCIDRPtr = &retn->ArgusCIDRBuffer; ArgusInitAddrtoname (retn, 0L, 0L); retn->pflag = 6; return (retn); } void ArgusCloseParser(struct ArgusParserStruct *parser) { ArgusFreeEtherarray(parser); ArgusFreeServarray(parser); ArgusFreeProtoidarray(parser); ArgusFreeLlcsaparray(parser); /* ArgusFreeEprotoarray(parser); ArgusFreeDSCodepointarray(parser); */ } void ArgusAdjustGlobalTime (struct timeval *global, struct timeval *now) { struct timeval ArgusTimeDelta; ArgusTimeDelta.tv_sec = now->tv_sec - global->tv_sec; ArgusTimeDelta.tv_usec = now->tv_usec - global->tv_usec; global->tv_sec = now->tv_sec - ArgusTimeDelta.tv_sec; global->tv_usec = now->tv_usec - ArgusTimeDelta.tv_usec; if (global->tv_usec < 0) { global->tv_sec--; global->tv_usec += 1000000; } else { if (global->tv_usec > 1000000) { global->tv_sec++; global->tv_usec -= 1000000; } } } extern char *print_time(struct timeval *); #ifdef ARGUSDEBUG void ArgusDebug (int d, char *fmt, ...); #include void ArgusDebug (int d, char *fmt, ...) { struct timeval now; extern int Argusdflag, daemonflag; char buf[MAXSTRLEN], *ptr; va_list ap; if (d <= Argusdflag) { va_start (ap, fmt); gettimeofday (&now, 0L); #if defined(ARGUS_THREADS) pthread_mutex_lock(&ArgusMainLock); { pthread_t ptid; char pbuf[128]; int i; bzero(pbuf, sizeof(pbuf)); ptid = pthread_self(); for (i = 0; i < sizeof(ptid); i++) { snprintf (&pbuf[i*2], 3, "%02hhx", ((char *)&ptid)[i]); } (void) snprintf (buf, MAXSTRLEN, "%s[%d.%s]: %s ", ArgusProgramName, (int)getpid(), pbuf, print_time(&now)); } ptr = &buf[strlen(buf)]; (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } if (daemonflag) { #ifdef HAVE_SYSLOG syslog (LOG_ALERT, "%s", buf); #endif } else fprintf (stderr, "%s", buf); pthread_mutex_unlock(&ArgusMainLock); #else (void) snprintf (buf, MAXSTRLEN, "%s[%d]: %s ", ArgusProgramName, (int)getpid(), print_time(&now)); ptr = &buf[strlen(buf)]; (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } if (daemonflag) { #ifdef HAVE_SYSLOG syslog (LOG_ALERT, "%s", buf); #endif } else fprintf (stderr, "%s", buf); #endif va_end (ap); } } #endif #include #if !defined(HAVE_STRTOF) && !defined(CYGWIN) float strtof (char *, char **); float strtof (char *str, char **ptr) { double ipart = 0.0, fpart = 0.0, multi = 0.0; float retn = 0.0; char *dptr; int i; if ((dptr = strchr (str, '.')) != NULL) { int len = 0; *dptr++ = 0; len = strlen(dptr); i = atoi(dptr); multi = pow(10.0, len * 1.0); fpart = i * 1.0/multi; } ipart = atoi(str); retn = ipart + fpart; return(retn); } #endif void ArgusPrintHex (const u_char *, u_int); #if !defined(ntohll) #if defined(_LITTLE_ENDIAN) #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__sun__) #include #define ntohll(x) EXTRACT_64BITS(&x) #define htonll(x) EXTRACT_64BITS(&x) #else #include #define ntohll(x) bswap_64(x) #define htonll(x) bswap_64(x) #endif #else #define ntohll(x) x #define htonll(x) x #endif #endif void ArgusNtoH (struct ArgusRecord *); void ArgusHtoN (struct ArgusRecord *); #include void ArgusNtoH (struct ArgusRecord *argus) { #if defined(_LITTLE_ENDIAN) struct ArgusRecordHeader *hdr = &argus->hdr; struct ArgusDSRHeader *dsr = (struct ArgusDSRHeader *) (hdr + 1); switch (argus->hdr.type & 0xF0) { case ARGUS_MAR: { argus->hdr.len = ntohs(argus->hdr.len); argus->argus_mar.status = ntohl(argus->argus_mar.status); argus->argus_mar.argusid = ntohl(argus->argus_mar.argusid); argus->argus_mar.localnet = ntohl(argus->argus_mar.localnet); argus->argus_mar.netmask = ntohl(argus->argus_mar.netmask); argus->argus_mar.nextMrSequenceNum = ntohl(argus->argus_mar.nextMrSequenceNum); argus->argus_mar.startime.tv_sec = ntohl(argus->argus_mar.startime.tv_sec); argus->argus_mar.startime.tv_usec = ntohl(argus->argus_mar.startime.tv_usec); argus->argus_mar.now.tv_sec = ntohl(argus->argus_mar.now.tv_sec); argus->argus_mar.now.tv_usec = ntohl(argus->argus_mar.now.tv_usec); argus->argus_mar.reportInterval = ntohs(argus->argus_mar.reportInterval); argus->argus_mar.argusMrInterval = ntohs(argus->argus_mar.argusMrInterval); argus->argus_mar.pktsRcvd = ntohll(argus->argus_mar.pktsRcvd); argus->argus_mar.bytesRcvd = ntohll(argus->argus_mar.bytesRcvd); argus->argus_mar.drift = ntohll(argus->argus_mar.drift); argus->argus_mar.records = ntohl(argus->argus_mar.records); argus->argus_mar.flows = ntohl(argus->argus_mar.flows); argus->argus_mar.dropped = ntohl(argus->argus_mar.dropped); argus->argus_mar.queue = ntohl(argus->argus_mar.queue); argus->argus_mar.output = ntohl(argus->argus_mar.output); argus->argus_mar.clients = ntohl(argus->argus_mar.clients); argus->argus_mar.bufs = ntohl(argus->argus_mar.bufs); argus->argus_mar.bytes = ntohl(argus->argus_mar.bytes); argus->argus_mar.thisid = ntohl(argus->argus_mar.thisid); argus->argus_mar.record_len = ntohl(argus->argus_mar.record_len); break; } case ARGUS_EVENT: { struct ArgusDSRHeader *event = (struct ArgusDSRHeader *)&argus->argus_event.event; struct ArgusTransportStruct *trans = (struct ArgusTransportStruct *)&argus->argus_event.trans; struct ArgusEventTimeStruct *time = (struct ArgusEventTimeStruct *)&argus->argus_event.time; struct ArgusDataStruct *data = (struct ArgusDataStruct *)&argus->argus_event.data; event->argus_dsrfl.data = ntohs(event->argus_dsrfl.data); if (trans->hdr.subtype & ARGUS_SEQ) trans->seqnum = ntohl(trans->seqnum); if (trans->hdr.subtype & ARGUS_SRCID) { switch (trans->hdr.argus_dsrvl8.qual) { case ARGUS_TYPE_INT: trans->srcid.a_un.value = ntohl(trans->srcid.a_un.value); break; case ARGUS_TYPE_IPV4: trans->srcid.a_un.ipv4 = ntohl(trans->srcid.a_un.ipv4); break; case ARGUS_TYPE_IPV6: case ARGUS_TYPE_ETHER: case ARGUS_TYPE_STRING: break; } } time->start.tv_sec = ntohl(time->start.tv_sec); time->start.tv_usec = ntohl(time->start.tv_usec); time->duration = ntohl(time->duration); if (data->hdr.subtype & ARGUS_LEN_16BITS) data->hdr.argus_dsrvl16.len = ntohs(data->hdr.argus_dsrvl16.len); data->size = ntohs(data->size); data->count = ntohs(data->count); break; } case ARGUS_FAR: { hdr->len = ntohs(hdr->len); if (hdr->len > 1) { int cnt; while ((char *) dsr < ((char *) argus + (hdr->len * 4))) { switch (dsr->type & 0x7F) { case ARGUS_FLOW_DSR: { struct ArgusFlow *flow = (struct ArgusFlow *) dsr; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_IPV4: flow->ip_flow.ip_src = ntohl(flow->ip_flow.ip_src); flow->ip_flow.ip_dst = ntohl(flow->ip_flow.ip_dst); switch (flow->ip_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ip_flow.sport = ntohs(flow->ip_flow.sport); flow->ip_flow.dport = ntohs(flow->ip_flow.dport); break; case IPPROTO_ESP: flow->esp_flow.spi = ntohl(flow->esp_flow.spi); break; case IPPROTO_IGMP: flow->igmp_flow.ip_id = ntohs(flow->igmp_flow.ip_id); break; } break; case ARGUS_TYPE_IPV6: { unsigned int *iptr = (unsigned int *)&flow->ipv6_flow; iptr[8] = ntohl(iptr[8]); if (flow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT) { flow->fragv6_flow.ip_id = ntohl(flow->fragv6_flow.ip_id); } else { switch (flow->ipv6_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ipv6_flow.sport = ntohs(flow->ipv6_flow.sport); flow->ipv6_flow.dport = ntohs(flow->ipv6_flow.dport); break; case IPPROTO_ESP: flow->esp6_flow.spi = ntohl(flow->esp6_flow.spi); break; } } break; } case ARGUS_TYPE_ETHER: { struct ArgusEtherMacFlow *mac = (struct ArgusEtherMacFlow *) &flow->mac_flow; mac->ehdr.ether_type = ntohs(mac->ehdr.ether_type); break; } case ARGUS_TYPE_ISIS: { struct ArgusIsisFlow *isis = (struct ArgusIsisFlow *) &flow->isis_flow; switch (isis->pdu_type = ntohl(isis->pdu_type)) { case L1_LAN_IIH: case L2_LAN_IIH: break; case L1_CSNP: case L2_CSNP: break; case L1_PSNP: case L2_PSNP: break; case L1_LSP: case L2_LSP: isis->isis_un.lsp.seqnum = ntohl(isis->isis_un.lsp.seqnum); break; } isis->chksum = ntohl(isis->chksum); break; } } break; } case ARGUS_FLOW_ARP: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = (struct ArgusRarpFlow *) &flow->rarp_flow; rarp->hrd = ntohs(rarp->hrd); rarp->pro = ntohs(rarp->pro); rarp->op = ntohs(rarp->op); if (rarp->pln == 4) { rarp->arp_tpa = ntohl(rarp->arp_tpa); } break; } case ARGUS_TYPE_ARP: { struct ArgusArpFlow *arp = (struct ArgusArpFlow *) &flow->arp_flow; arp->hrd = ntohs(arp->hrd); arp->pro = ntohs(arp->pro); arp->op = ntohs(arp->op); if (arp->pln == 4) { arp->arp_spa = ntohl(arp->arp_spa); arp->arp_tpa = ntohl(arp->arp_tpa); } break; } } break; } } break; } case ARGUS_ENCAPS_DSR: { struct ArgusEncapsStruct *encaps = (struct ArgusEncapsStruct *) dsr; encaps->src = ntohl(encaps->src); encaps->dst = ntohl(encaps->dst); break; } case ARGUS_IPATTR_DSR: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) dsr; unsigned int *dsrptr = (unsigned int *)(dsr + 1); if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = ntohs(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC_OPTIONS) { *dsrptr = ntohl(*dsrptr); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = ntohs(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST_OPTIONS) { *dsrptr = ntohl(*dsrptr); dsrptr++; } break; } case ARGUS_ICMP_DSR: { struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *) dsr; icmp->iseq = ntohs(icmp->iseq); icmp->osrcaddr = ntohl(icmp->osrcaddr); icmp->odstaddr = ntohl(icmp->odstaddr); icmp->isrcaddr = ntohl(icmp->isrcaddr); icmp->idstaddr = ntohl(icmp->idstaddr); icmp->igwaddr = ntohl(icmp->igwaddr); break; } case ARGUS_TRANSPORT_DSR: { struct ArgusTransportStruct *trans = (struct ArgusTransportStruct *) dsr; if (trans->hdr.subtype & ARGUS_SEQ) trans->seqnum = ntohl(trans->seqnum); if (trans->hdr.subtype & ARGUS_SRCID) { switch (trans->hdr.argus_dsrvl8.qual) { case ARGUS_TYPE_INT: trans->srcid.a_un.value = ntohl(trans->srcid.a_un.value); break; case ARGUS_TYPE_IPV4: trans->srcid.a_un.value = ntohl(trans->srcid.a_un.value); break; case ARGUS_TYPE_IPV6: case ARGUS_TYPE_ETHER: case ARGUS_TYPE_STRING: break; } } break; } case ARGUS_TIME_DSR: { unsigned int x, *dtime = (unsigned int *) dsr; for (x = 1; x < dsr->argus_dsrvl8.len; x++) dtime[x] = ntohl(dtime[x]); break; } case ARGUS_METER_DSR: { if (dsr->subtype & ARGUS_METER_PKTS_BYTES) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = ntohs(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = ntohs(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = ntohl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = ntohl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); break; case ARGUS_SRC_LONGLONG: break; case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); break; } } else if (dsr->subtype & ARGUS_METER_PKTS_BYTES_APP) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: case ARGUS_SRC_BYTE: case ARGUS_DST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = ntohs(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = ntohs(((unsigned short *)(dsr + 1))[3]); ((unsigned short *)(dsr + 1))[4] = ntohs(((unsigned short *)(dsr + 1))[4]); ((unsigned short *)(dsr + 1))[5] = ntohs(((unsigned short *)(dsr + 1))[5]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = ntohl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = ntohl(((unsigned int *)(dsr + 1))[3]); ((unsigned int *)(dsr + 1))[4] = ntohl(((unsigned int *)(dsr + 1))[4]); ((unsigned int *)(dsr + 1))[5] = ntohl(((unsigned int *)(dsr + 1))[5]); break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = ntohs(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = ntohl(((unsigned int *)(dsr + 1))[2]); break; case ARGUS_SRC_LONGLONG: break; case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = ntohs(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = ntohl(((unsigned int *)(dsr + 1))[2]); break; } } break; } case ARGUS_PSIZE_DSR: { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = ntohs(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = ntohs(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRC_SHORT: case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = ntohs(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = ntohs(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = ntohl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = ntohl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRC_INT: case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = ntohl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = ntohl(((unsigned int *)(dsr + 1))[1]); break; } break; } case ARGUS_NETWORK_DSR: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)dsr; switch (net->hdr.subtype) { case ARGUS_TCP_INIT: { struct ArgusTCPInitStatus *tcp = (void *)&net->net_union.tcpstatus; tcp->status = ntohl(tcp->status); tcp->seqbase = ntohl(tcp->seqbase); tcp->options = ntohl(tcp->options); tcp->win = ntohs(tcp->win); break; } case ARGUS_TCP_STATUS: { struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; tcp->status = ntohl(tcp->status); break; } case ARGUS_TCP_PERF: { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; tcp->status = ntohl(tcp->status); tcp->state = ntohl(tcp->state); tcp->options = ntohl(tcp->options); tcp->synAckuSecs = ntohl(tcp->synAckuSecs); tcp->ackDatauSecs = ntohl(tcp->ackDatauSecs); tcp->src.lasttime.tv_sec = ntohl(tcp->src.lasttime.tv_sec); tcp->src.lasttime.tv_usec = ntohl(tcp->src.lasttime.tv_usec); tcp->src.status = ntohl(tcp->src.status); tcp->src.seqbase = ntohl(tcp->src.seqbase); tcp->src.seq = ntohl(tcp->src.seq); tcp->src.ack = ntohl(tcp->src.ack); tcp->src.winnum = ntohl(tcp->src.winnum); tcp->src.bytes = ntohl(tcp->src.bytes); tcp->src.retrans = ntohl(tcp->src.retrans); tcp->src.ackbytes = ntohl(tcp->src.ackbytes); tcp->src.winbytes = ntohl(tcp->src.winbytes); tcp->src.win = ntohs(tcp->src.win); if (dsr->argus_dsrvl8.len > (((sizeof(struct ArgusTCPObject) - sizeof(struct ArgusTCPObjectMetrics))+3)/4 + 1)) { tcp->dst.lasttime.tv_sec = ntohl(tcp->dst.lasttime.tv_sec); tcp->dst.lasttime.tv_usec = ntohl(tcp->dst.lasttime.tv_usec); tcp->dst.status = ntohl(tcp->dst.status); tcp->dst.seqbase = ntohl(tcp->dst.seqbase); tcp->dst.seq = ntohl(tcp->dst.seq); tcp->dst.ack = ntohl(tcp->dst.ack); tcp->dst.winnum = ntohl(tcp->dst.winnum); tcp->dst.bytes = ntohl(tcp->dst.bytes); tcp->dst.retrans = ntohl(tcp->dst.retrans); tcp->dst.ackbytes = ntohl(tcp->dst.ackbytes); tcp->dst.winbytes = ntohl(tcp->dst.winbytes); tcp->dst.win = ntohs(tcp->dst.win); } break; } case ARGUS_ESP_DSR: { struct ArgusESPObject *espObj = (struct ArgusESPObject *)&net->net_union.esp; espObj->status = ntohl(espObj->status); espObj->spi = ntohl(espObj->spi); espObj->lastseq = ntohl(espObj->lastseq); espObj->lostseq = ntohl(espObj->lostseq); break; } case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtpObj = (struct ArgusRTPObject *)&net->net_union.rtp; rtpObj->state = ntohl(rtpObj->state); rtpObj->src.rh_seq = ntohs(rtpObj->src.rh_seq); rtpObj->src.rh_time = ntohl(rtpObj->src.rh_time); rtpObj->src.rh_ssrc = ntohl(rtpObj->src.rh_ssrc); rtpObj->dst.rh_seq = ntohs(rtpObj->dst.rh_seq); rtpObj->dst.rh_time = ntohl(rtpObj->dst.rh_time); rtpObj->dst.rh_ssrc = ntohl(rtpObj->dst.rh_ssrc); rtpObj->sdrop = ntohs(rtpObj->sdrop); rtpObj->ddrop = ntohs(rtpObj->ddrop); rtpObj->ssdev = ntohs(rtpObj->ssdev); rtpObj->dsdev = ntohs(rtpObj->dsdev); break; } case ARGUS_RTCP_FLOW: { struct ArgusRTCPObject *rtcpObj = (struct ArgusRTCPObject *)&net->net_union.rtcp; rtcpObj->src.rh_len = ntohs(rtcpObj->src.rh_len); rtcpObj->src.rh_ssrc = ntohl(rtcpObj->src.rh_ssrc); rtcpObj->dst.rh_len = ntohs(rtcpObj->dst.rh_len); rtcpObj->dst.rh_ssrc = ntohl(rtcpObj->dst.rh_ssrc); rtcpObj->sdrop = ntohs(rtcpObj->sdrop); rtcpObj->ddrop = ntohs(rtcpObj->ddrop); break; } } break; } case ARGUS_VLAN_DSR: { struct ArgusVlanStruct *vlan = (struct ArgusVlanStruct *) dsr; vlan->sid = ntohs(vlan->sid); vlan->did = ntohs(vlan->did); break; } case ARGUS_MPLS_DSR: { struct ArgusMplsStruct *mpls = (struct ArgusMplsStruct *) dsr; unsigned int *label = (unsigned int *)(dsr + 1); int num, i; if ((num = ((mpls->hdr.argus_dsrvl8.qual & 0xF0) >> 4)) > 0) { for (i = 0; i < num; i++) { *label = ntohl(*label); label++; } } if ((num = (mpls->hdr.argus_dsrvl8.qual & 0x0F)) > 0) { for (i = 0; i < num; i++) { *label = ntohl(*label); label++; } } break; } case ARGUS_JITTER_DSR: { #if defined(HAVE_XDR) struct ArgusJitterStruct *jit = (struct ArgusJitterStruct *) dsr; struct ArgusStatsObject *stat = (struct ArgusStatsObject *) (dsr + 1); int len = (jit->hdr.argus_dsrvl8.len - 1) * 4; XDR xdrbuf, *xdrs = &xdrbuf; char buf[sizeof(*stat)]; while (len > 0) { bcopy ((char *)stat, buf, sizeof(*stat)); xdrmem_create(xdrs, buf, sizeof(*stat), XDR_DECODE); xdr_int(xdrs, &stat->n); xdr_float(xdrs, &stat->minval); xdr_float(xdrs, &stat->meanval); xdr_float(xdrs, &stat->stdev); xdr_float(xdrs, &stat->maxval); len -= sizeof (*stat); stat++; } #endif break; } case ARGUS_DATA_DSR: { struct ArgusDataStruct *data = (struct ArgusDataStruct *) dsr; data->size = ntohs(data->size); data->count = ntohs(data->count); break; } case ARGUS_BEHAVIOR_DSR: { struct ArgusBehaviorStruct *actor = (struct ArgusBehaviorStruct *) dsr; actor->keyStroke.src.n_strokes = ntohl(actor->keyStroke.src.n_strokes); actor->keyStroke.dst.n_strokes = ntohl(actor->keyStroke.dst.n_strokes); break; } } if ((cnt = ((dsr->type & 0x80) ? 1 : ((dsr->type == ARGUS_DATA_DSR) ? ntohs(dsr->argus_dsrvl16.len) : dsr->argus_dsrvl8.len)) * 4) > 0) { if (dsr->type == ARGUS_DATA_DSR) dsr->argus_dsrvl16.len = ntohs(dsr->argus_dsrvl16.len); dsr = (struct ArgusDSRHeader *)((char *)dsr + cnt); } else break; } } break; } } #endif } void ArgusHtoN (struct ArgusRecord *argus) { #if defined(_LITTLE_ENDIAN) struct ArgusRecordHeader *hdr = &argus->hdr; struct ArgusDSRHeader *dsr = (struct ArgusDSRHeader *) (hdr + 1); switch (argus->hdr.type & 0xF0) { case ARGUS_MAR: { argus->argus_mar.status = htonl(argus->argus_mar.status); argus->argus_mar.argusid = htonl(argus->argus_mar.argusid); argus->argus_mar.localnet = htonl(argus->argus_mar.localnet); argus->argus_mar.netmask = htonl(argus->argus_mar.netmask); argus->argus_mar.nextMrSequenceNum = htonl(argus->argus_mar.nextMrSequenceNum); argus->argus_mar.startime.tv_sec = htonl(argus->argus_mar.startime.tv_sec); argus->argus_mar.startime.tv_usec = htonl(argus->argus_mar.startime.tv_usec); argus->argus_mar.now.tv_sec = htonl(argus->argus_mar.now.tv_sec); argus->argus_mar.now.tv_usec = htonl(argus->argus_mar.now.tv_usec); argus->argus_mar.reportInterval = htons(argus->argus_mar.reportInterval); argus->argus_mar.argusMrInterval = htons(argus->argus_mar.argusMrInterval); argus->argus_mar.pktsRcvd = htonll(argus->argus_mar.pktsRcvd); argus->argus_mar.bytesRcvd = htonll(argus->argus_mar.bytesRcvd); argus->argus_mar.drift = htonll(argus->argus_mar.drift); argus->argus_mar.records = htonl(argus->argus_mar.records); argus->argus_mar.flows = htonl(argus->argus_mar.flows); argus->argus_mar.dropped = htonl(argus->argus_mar.dropped); argus->argus_mar.queue = htonl(argus->argus_mar.queue); argus->argus_mar.output = htonl(argus->argus_mar.output); argus->argus_mar.clients = htonl(argus->argus_mar.clients); argus->argus_mar.bufs = htonl(argus->argus_mar.bufs); argus->argus_mar.bytes = htonl(argus->argus_mar.bytes); argus->argus_mar.thisid = htonl(argus->argus_mar.thisid); argus->argus_mar.record_len = htonl(argus->argus_mar.record_len); break; } case ARGUS_EVENT: case ARGUS_NETFLOW: case ARGUS_FAR: { if (argus->hdr.len > 1) { int cnt; while ((char *) dsr < ((char *) argus + (hdr->len * 4))) { switch (dsr->type & 0x7F) { case ARGUS_FLOW_DSR: { struct ArgusFlow *flow = (struct ArgusFlow *) dsr; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_IPV4: flow->ip_flow.ip_src = htonl(flow->ip_flow.ip_src); flow->ip_flow.ip_dst = htonl(flow->ip_flow.ip_dst); switch (flow->ip_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ip_flow.sport = htons(flow->ip_flow.sport); flow->ip_flow.dport = htons(flow->ip_flow.dport); break; case IPPROTO_ESP: flow->esp_flow.spi = htonl(flow->esp_flow.spi); break; case IPPROTO_IGMP: flow->igmp_flow.ip_id = htons(flow->igmp_flow.ip_id); break; } break; case ARGUS_TYPE_IPV6: { unsigned int *iptr = (unsigned int *)&flow->ipv6_flow; if (flow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT) { flow->fragv6_flow.ip_id = htonl(flow->fragv6_flow.ip_id); } else { switch (flow->ipv6_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ipv6_flow.sport = htons(flow->ipv6_flow.sport); flow->ipv6_flow.dport = htons(flow->ipv6_flow.dport); break; case IPPROTO_ICMPV6: flow->icmpv6_flow.id = htons(flow->icmpv6_flow.id); break; case IPPROTO_ESP: flow->esp6_flow.spi = htonl(flow->esp6_flow.spi); break; } } iptr[8] = htonl(iptr[8]); break; } case ARGUS_TYPE_ETHER: { struct ArgusEtherMacFlow *mac = (struct ArgusEtherMacFlow *) &flow->mac_flow; mac->ehdr.ether_type = htons(mac->ehdr.ether_type); break; } case ARGUS_TYPE_ISIS: { struct ArgusIsisFlow *isis = (struct ArgusIsisFlow *) &flow->isis_flow; switch (isis->pdu_type = htonl(isis->pdu_type)) { case L1_LAN_IIH: case L2_LAN_IIH: break; case L1_CSNP: case L2_CSNP: break; case L1_PSNP: case L2_PSNP: break; case L1_LSP: case L2_LSP: isis->isis_un.lsp.seqnum = htonl(isis->isis_un.lsp.seqnum); break; } isis->chksum = htonl(isis->chksum); break; } case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = (struct ArgusRarpFlow *) &flow->rarp_flow; rarp->arp_tpa = htonl(rarp->arp_tpa); break; } /* case ARGUS_TYPE_ARP: { struct ArgusArpLegacyFlow *arp = (struct ArgusArpLegacyFlow *) &flow->flow_un; arp->arp_spa = htonl(arp->arp_spa); arp->arp_tpa = htonl(arp->arp_tpa); break; } */ } break; } case ARGUS_FLOW_ARP: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = (struct ArgusRarpFlow *) &flow->rarp_flow; rarp->hrd = htons(rarp->hrd); rarp->pro = htons(rarp->pro); rarp->op = htons(rarp->op); if (rarp->pln == 4) { rarp->arp_tpa = htonl(rarp->arp_tpa); } break; } case ARGUS_TYPE_ARP: { struct ArgusArpFlow *arp = (struct ArgusArpFlow *) &flow->arp_flow; arp->hrd = htons(arp->hrd); arp->pro = htons(arp->pro); arp->op = htons(arp->op); if (arp->pln == 4) { arp->arp_spa = htonl(arp->arp_spa); arp->arp_tpa = htonl(arp->arp_tpa); } break; } } break; } } break; } case ARGUS_ENCAPS_DSR: { struct ArgusEncapsStruct *encaps = (struct ArgusEncapsStruct *) dsr; encaps->src = htonl(encaps->src); encaps->dst = htonl(encaps->dst); break; } case ARGUS_IPATTR_DSR: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) dsr; unsigned int *dsrptr = (unsigned int *)(dsr + 1); if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = htons(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC_OPTIONS) { *dsrptr = htonl(*dsrptr); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = htons(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST_OPTIONS) { *dsrptr = htonl(*dsrptr); dsrptr++; } break; } case ARGUS_ICMP_DSR: { struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *) dsr; icmp->iseq = htons(icmp->iseq); icmp->osrcaddr = htonl(icmp->osrcaddr); icmp->odstaddr = htonl(icmp->odstaddr); icmp->isrcaddr = htonl(icmp->isrcaddr); icmp->idstaddr = htonl(icmp->idstaddr); icmp->igwaddr = htonl(icmp->igwaddr); break; } case ARGUS_TRANSPORT_DSR: { struct ArgusTransportStruct *trans = (struct ArgusTransportStruct *) dsr; if (trans->hdr.subtype & ARGUS_SEQ) trans->seqnum = htonl(trans->seqnum); if (trans->hdr.subtype & ARGUS_SRCID) { switch (trans->hdr.argus_dsrvl8.qual) { case ARGUS_TYPE_INT: trans->srcid.a_un.value = htonl(trans->srcid.a_un.value); break; case ARGUS_TYPE_IPV4: trans->srcid.a_un.value = htonl(trans->srcid.a_un.value); break; case ARGUS_TYPE_IPV6: case ARGUS_TYPE_ETHER: case ARGUS_TYPE_STRING: break; } } break; } case ARGUS_TIME_DSR: { unsigned int x, *dtime = (unsigned int *) dsr; for (x = 1; x < dsr->argus_dsrvl8.len; x++) dtime[x] = htonl(dtime[x]); break; } case ARGUS_METER_DSR: { if (dsr->subtype & ARGUS_METER_PKTS_BYTES) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRCDST_LONGLONG: break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; case ARGUS_SRC_LONGLONG: break; case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; case ARGUS_DST_LONGLONG: break; } } else if (dsr->subtype & ARGUS_METER_PKTS_BYTES_APP) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: case ARGUS_SRC_BYTE: case ARGUS_DST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); ((unsigned short *)(dsr + 1))[4] = htons(((unsigned short *)(dsr + 1))[4]); ((unsigned short *)(dsr + 1))[5] = htons(((unsigned short *)(dsr + 1))[5]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); ((unsigned int *)(dsr + 1))[4] = htonl(((unsigned int *)(dsr + 1))[4]); ((unsigned int *)(dsr + 1))[5] = htonl(((unsigned int *)(dsr + 1))[5]); break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); break; case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); break; } } break; } case ARGUS_PSIZE_DSR: { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRC_SHORT: case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRC_INT: case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; } break; } case ARGUS_NETWORK_DSR: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)dsr; switch (net->hdr.subtype) { case ARGUS_TCP_INIT: { struct ArgusTCPInitStatus *tcp = (void *)&net->net_union.tcpinit; tcp->status = htonl(tcp->status); tcp->seqbase = htonl(tcp->seqbase); tcp->options = htonl(tcp->options); tcp->win = htons(tcp->win); break; } case ARGUS_TCP_STATUS: { struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; tcp->status = htonl(tcp->status); break; } case ARGUS_TCP_PERF: { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; tcp->status = htonl(tcp->status); tcp->state = htonl(tcp->state); tcp->options = htonl(tcp->options); tcp->synAckuSecs = htonl(tcp->synAckuSecs); tcp->ackDatauSecs = htonl(tcp->ackDatauSecs); tcp->src.lasttime.tv_sec = htonl(tcp->src.lasttime.tv_sec); tcp->src.lasttime.tv_usec = htonl(tcp->src.lasttime.tv_usec); tcp->src.status = htonl(tcp->src.status); tcp->src.seqbase = htonl(tcp->src.seqbase); tcp->src.seq = htonl(tcp->src.seq); tcp->src.ack = htonl(tcp->src.ack); tcp->src.winnum = htonl(tcp->src.winnum); tcp->src.bytes = htonl(tcp->src.bytes); tcp->src.retrans = htonl(tcp->src.retrans); tcp->src.ackbytes = htonl(tcp->src.ackbytes); tcp->src.winbytes = htonl(tcp->src.winbytes); tcp->src.win = htons(tcp->src.win); if (dsr->argus_dsrvl8.len > (((sizeof(struct ArgusTCPObject) - sizeof(struct ArgusTCPObjectMetrics))+3)/4 + 1)) { tcp->dst.lasttime.tv_sec = htonl(tcp->dst.lasttime.tv_sec); tcp->dst.lasttime.tv_usec = htonl(tcp->dst.lasttime.tv_usec); tcp->dst.status = htonl(tcp->dst.status); tcp->dst.seqbase = htonl(tcp->dst.seqbase); tcp->dst.seq = htonl(tcp->dst.seq); tcp->dst.ack = htonl(tcp->dst.ack); tcp->dst.winnum = htonl(tcp->dst.winnum); tcp->dst.bytes = htonl(tcp->dst.bytes); tcp->dst.retrans = htonl(tcp->dst.retrans); tcp->dst.ackbytes = htonl(tcp->dst.ackbytes); tcp->dst.winbytes = htonl(tcp->dst.winbytes); tcp->dst.win = htons(tcp->dst.win); } break; } case ARGUS_ESP_DSR: { struct ArgusESPObject *espObj = (struct ArgusESPObject *)&net->net_union.esp; espObj->status = htonl(espObj->status); espObj->spi = htonl(espObj->spi); espObj->lastseq = htonl(espObj->lastseq); espObj->lostseq = htonl(espObj->lostseq); break; } case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtpObj = (struct ArgusRTPObject *)&net->net_union.rtp; rtpObj->state = htonl(rtpObj->state); rtpObj->src.rh_seq = htons(rtpObj->src.rh_seq); rtpObj->src.rh_time = htonl(rtpObj->src.rh_time); rtpObj->src.rh_ssrc = htonl(rtpObj->src.rh_ssrc); rtpObj->dst.rh_seq = htons(rtpObj->dst.rh_seq); rtpObj->dst.rh_time = htonl(rtpObj->dst.rh_time); rtpObj->dst.rh_ssrc = htonl(rtpObj->dst.rh_ssrc); rtpObj->sdrop = htons(rtpObj->sdrop); rtpObj->ddrop = htons(rtpObj->ddrop); rtpObj->ssdev = htons(rtpObj->ssdev); rtpObj->dsdev = htons(rtpObj->dsdev); break; } case ARGUS_RTCP_FLOW: { struct ArgusRTCPObject *rtcpObj = (struct ArgusRTCPObject *)&net->net_union.rtcp; rtcpObj->src.rh_len = htons(rtcpObj->src.rh_len); rtcpObj->src.rh_ssrc = htonl(rtcpObj->src.rh_ssrc); rtcpObj->dst.rh_len = htons(rtcpObj->dst.rh_len); rtcpObj->dst.rh_ssrc = htonl(rtcpObj->dst.rh_ssrc); rtcpObj->sdrop = htons(rtcpObj->sdrop); rtcpObj->ddrop = htons(rtcpObj->ddrop); break; } } break; } case ARGUS_VLAN_DSR: { struct ArgusVlanStruct *vlan = (struct ArgusVlanStruct *) dsr; vlan->sid = htons(vlan->sid); vlan->did = htons(vlan->did); break; } case ARGUS_MPLS_DSR: { struct ArgusMplsStruct *mpls = (struct ArgusMplsStruct *) dsr; unsigned int *label = (unsigned int *)(dsr + 1); int num, i; if ((num = ((mpls->hdr.argus_dsrvl8.qual & 0xF0) >> 4)) > 0) { for (i = 0; i < num; i++) { *label = htonl(*label); label++; } } if ((num = (mpls->hdr.argus_dsrvl8.qual & 0x0F)) > 0) { for (i = 0; i < num; i++) { *label = htonl(*label); label++; } } break; } case ARGUS_JITTER_DSR: { #if defined(HAVE_XDR) struct ArgusJitterStruct *jit = (struct ArgusJitterStruct *) dsr; struct ArgusStatsObject *stat = (struct ArgusStatsObject *) (dsr + 1); int len = (jit->hdr.argus_dsrvl8.len - 1) * 4; XDR xdrbuf, *xdrs = &xdrbuf; char buf[sizeof(*stat)]; while (len > 0) { memset(buf, 0, sizeof(buf)); xdrmem_create(xdrs, buf, sizeof(*stat), XDR_ENCODE); xdr_int(xdrs, &stat->n); xdr_float(xdrs, &stat->minval); xdr_float(xdrs, &stat->meanval); xdr_float(xdrs, &stat->stdev); xdr_float(xdrs, &stat->maxval); bcopy(buf, stat, sizeof(*stat)); len -= sizeof (*stat); stat++; } #endif break; } case ARGUS_DATA_DSR: { struct ArgusDataStruct *data = (struct ArgusDataStruct *) dsr; data->size = htons(data->size); data->count = htons(data->count); break; } case ARGUS_BEHAVIOR_DSR: { struct ArgusBehaviorStruct *actor = (struct ArgusBehaviorStruct *) dsr; actor->keyStroke.src.n_strokes = htonl(actor->keyStroke.src.n_strokes); actor->keyStroke.dst.n_strokes = htonl(actor->keyStroke.dst.n_strokes); break; } } if ((cnt = ((dsr->type & 0x80) ? 1 : ((dsr->type == ARGUS_DATA_DSR) ? dsr->argus_dsrvl16.len : dsr->argus_dsrvl8.len)) * 4) > 0) { if (dsr->type == ARGUS_DATA_DSR) dsr->argus_dsrvl16.len = htons(dsr->argus_dsrvl16.len); dsr = (struct ArgusDSRHeader *)((char *)dsr + cnt); } else break; } } break; } } hdr->len = htons(hdr->len); #endif } void ArgusPrintHex (const u_char *bp, u_int length) { const u_short *sp; u_int i; int nshorts; sp = (u_short *)bp; nshorts = (u_int) length / sizeof(u_short); i = 0; while (--nshorts >= 0) { if ((i++ % 8) == 0) { (void)printf("\n\t"); } (void)printf(" %04x", ntohs(*sp++)); } if (length & 1) { if ((i % 8) == 0) (void)printf("\n\t"); (void)printf(" %02x", *(u_char *)sp); } (void)printf("\n"); fflush(stdout); } char *ArgusProcessStr = NULL; void ArgusPrintDirection (char *buf, struct ArgusRecordStruct *argus, int len) { switch (argus->hdr.type & 0xF0) { case ARGUS_MAR: break; case ARGUS_EVENT: case ARGUS_NETFLOW: case ARGUS_FAR: { struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *)argus->dsrs[ARGUS_METRIC_INDEX]; struct ArgusFlow *flow = (struct ArgusFlow *)argus->dsrs[ARGUS_FLOW_INDEX]; struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)argus->dsrs[ARGUS_NETWORK_INDEX]; int type, src_count = 0, dst_count = 0; if (metric == NULL) { sprintf (buf, "%*.*s ", len, len, " "); } else { char dirStr[16]; sprintf (dirStr, "%s", "<->"); if ((dst_count = metric->dst.pkts) == 0) dirStr[0] = ' '; if ((src_count = metric->src.pkts) == 0) dirStr[2] = ' '; if ((src_count == 0) && (dst_count == 0)) dirStr[1] = ' '; if (flow != NULL) { switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch (type = (flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: switch (flow->ip_flow.ip_p) { case IPPROTO_TCP: { if (net != NULL) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) { dirStr[1] = '?'; } if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) { if (flow->hdr.subtype & ARGUS_REVERSE) { dirStr[0] = '<'; dirStr[2] = ' '; } else { dirStr[0] = ' '; dirStr[2] = '>'; } } } } break; } break; case ARGUS_TYPE_IPV6: switch (flow->ipv6_flow.ip_p) { case IPPROTO_TCP: { if (net != NULL) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) { dirStr[1] = '?'; } else { if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) { if (flow->hdr.subtype & ARGUS_REVERSE) { dirStr[0] = '<'; dirStr[2] = ' '; } else { dirStr[0] = ' '; dirStr[2] = '>'; } } } } } break; } break; case ARGUS_TYPE_RARP: sprintf (dirStr, "%s", "tel"); break; case ARGUS_TYPE_ARP: sprintf (dirStr, "%s", "who"); break; } break; } case ARGUS_FLOW_ARP: { sprintf (dirStr, "%s", "who"); break; } } } } break; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPrintDirection (%p, %p, %d)", buf, argus, len); #endif } int ArgusAllocMax = 0; int ArgusAllocBytes = 0; int ArgusAllocTotal = 0; int ArgusFreeTotal = 0; struct ArgusMemoryList memory = {NULL, 0}; #define ARGUS_ALLOC 0x45672381 /* #define ARGUS_ALIGN 128 */ void * ArgusMalloc (int bytes) { void *retn = NULL; int offset; if (bytes) { if (ArgusAllocTotal++ == 0) { #if defined(ARGUS_THREADS) pthread_mutex_init(&memory.lock, NULL); #endif } ArgusAllocBytes += bytes; if (ArgusAllocMax < ArgusAllocBytes) ArgusAllocMax = ArgusAllocBytes; #if defined(ARGUS_ALIGN) offset = ARGUS_ALIGN; #else offset = 0; #endif #if !defined(ARGUSMEMDEBUG) retn = (void *) malloc (bytes + offset); #else if ((retn = (u_int *) malloc (bytes + sizeof(struct ArgusMemoryHeader) + offset)) != NULL) { struct ArgusMemoryHeader *mem = (struct ArgusMemoryHeader *)retn; mem->tag = ARGUS_ALLOC; mem->len = bytes; mem->offset = offset; #if defined(__GNUC__) mem->frame[0] = __builtin_return_address(0); mem->frame[1] = __builtin_return_address(1); mem->frame[2] = __builtin_return_address(2); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&memory.lock); #endif if (memory.start) { mem->nxt = memory.start; mem->prv = memory.end; mem->prv->nxt = mem; mem->nxt->prv = mem; memory.end = mem; } else { memory.start = mem; memory.end = mem; mem->nxt = mem; mem->prv = mem; } memory.count++; memory.total++; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&memory.lock); #endif retn = (void *)(mem + 1); } #endif #if defined(ARGUS_ALIGN) if (retn != NULL) { unsigned short toff; toff = ((unsigned long)retn & (offset - 1)); toff = offset - toff; retn = (void *)((char *)retn + toff); ((unsigned short *)retn)[-1] = toff; } #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusMalloc (%d) returning %p\n", bytes, retn); #endif return (retn); } void * ArgusCalloc (int nitems, int bytes) { int offset, total = nitems * bytes; void *retn = NULL; if (total) { if (ArgusAllocTotal++ == 0) { #if defined(ARGUS_THREADS) pthread_mutex_init(&memory.lock, NULL); #endif } ArgusAllocBytes += total; if (ArgusAllocMax < ArgusAllocBytes) ArgusAllocMax = ArgusAllocBytes; #if defined(ARGUS_ALIGN) offset = ARGUS_ALIGN; #else offset = 0; #endif #if !defined(ARGUSMEMDEBUG) retn = calloc (1, total + offset); #else if ((retn = calloc (1, total + sizeof(struct ArgusMemoryHeader) + offset)) != NULL) { struct ArgusMemoryHeader *mem = retn; mem->tag = ARGUS_ALLOC; mem->len = total; mem->offset = offset; #if defined(__GNUC__) mem->frame[0] = __builtin_return_address(0); mem->frame[1] = __builtin_return_address(1); mem->frame[2] = __builtin_return_address(2); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&memory.lock); #endif if (memory.start) { mem->nxt = memory.start; mem->prv = memory.start->prv; mem->prv->nxt = mem; mem->nxt->prv = mem; memory.end = mem; } else { memory.start = mem; memory.end = mem; mem->nxt = mem; mem->prv = mem; } memory.total++; memory.count++; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&memory.lock); #endif retn = (void *)(mem + 1); } #endif #if defined(ARGUS_ALIGN) if (retn != NULL) { unsigned short toff; toff = ((unsigned long)retn & (offset - 1)); toff = offset - toff; retn = (void *)((char *)retn + toff); ((unsigned short *)retn)[-1] = toff; } #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCalloc (%d, %d) returning %p\n", nitems, bytes, retn); #endif return (retn); } void ArgusFree (void *buf) { void *ptr = buf; if (ptr) { ArgusFreeTotal++; #if defined(ARGUSMEMDEBUG) { struct ArgusMemoryHeader *mem = ptr; #if defined(ARGUS_ALIGN) unsigned short offset = ((unsigned short *)mem)[-1]; mem = (void *)((char *)mem - offset); #endif mem--; if (mem->tag != ARGUS_ALLOC) ArgusLog (LOG_ERR, "ArgusFree: buffer error %p", ptr); #if defined(ARGUS_THREADS) pthread_mutex_lock(&memory.lock); #endif if (memory.count == 1) { memory.start = NULL; memory.end = NULL; } else { mem->prv->nxt = mem->nxt; mem->nxt->prv = mem->prv; if (mem == memory.start) { memory.start = mem->nxt; } else if (mem == memory.end) { memory.end = mem->prv; } } ArgusAllocBytes -= mem->len; memory.count--; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&memory.lock); #endif ptr = mem; } #else #if defined(ARGUS_ALIGN) { unsigned short offset; if ((offset = ((unsigned short *)ptr)[-1]) > 0) ptr = (void *)((char *)ptr - offset); } #endif #endif free (ptr); } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusFree (%p)\n", buf); #endif } /* the argus malloc list is the list of free MallocLists for the system. these are blocks that are used to convey flow data from the modeler to the output processor. They are fixed length blocks, and so no need to malloc and free, so just keep them in a list when they aren't being used. we keep 2000 in the list when demand goes below this, and we start with 20, when we initialize the modeler. no more than 1M records. so, when something asks for one, we take it off the list if there is one, and if not we just create one and return the buffer. The buffer has a memory header in front so that the records can be put in the list when they are freed, without corrupting the headers that were in the last block. Be sure and respect that so other routines don't stomp on our header. */ #define ARGUS_MEMORY_MAX 1000000 #define ARGUS_MEMORY_HI_THRESH 2000 #define ARGUS_MEMORY_LOW_THRESH 20 struct ArgusMemoryList *ArgusMallocList = NULL; void ArgusInitMallocList (int length) { struct ArgusMemoryList *retn = NULL; int memlen = length + sizeof(struct ArgusMemoryHeader); if (ArgusMallocList != NULL) { if (length == ArgusMallocList->size) return; else ArgusLog(LOG_ERR, "ArgusInitMallocList called with multiple sizes"); } #if defined(ARGUS_THREADS) if (ArgusModel) pthread_mutex_lock(&ArgusModel->lock); #endif if ((retn = (struct ArgusMemoryList *) ArgusCalloc(1, sizeof(*ArgusMallocList))) == NULL) ArgusLog(LOG_ERR, "ArgusInitMallocList ArgusCalloc %s", strerror(errno)); retn->size = length; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); pthread_mutex_lock(&retn->lock); #endif ArgusMallocList = retn; while (ArgusMallocList->count < ARGUS_MEMORY_LOW_THRESH) { struct ArgusMemoryHeader *mem; if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, memlen)) != NULL) { if (ArgusMallocList->end) { ArgusMallocList->end->nxt = mem; } else { ArgusMallocList->start = mem; ArgusMallocList->count = 0; } ArgusMallocList->end = mem; ArgusMallocList->count++; ArgusMallocList->total++; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); if (ArgusModel) pthread_mutex_unlock(&ArgusModel->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusInitMallocList (%d) returning\n", length); #endif return; } void ArgusDeleteMallocList (void) { struct ArgusMemoryList *retn = NULL; struct ArgusMemoryHeader *crt, *rel; if (ArgusMallocList != NULL) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&ArgusMallocList->lock); #endif retn = ArgusMallocList; ArgusMallocList = NULL; if ((crt = retn->start) != NULL) { while (crt != NULL) { rel = crt; crt = crt->nxt; ArgusFree(rel); } } #if defined(ARGUS_THREADS) pthread_mutex_destroy(&retn->lock); #endif ArgusFree(retn); } } void * ArgusMallocListRecord (int length) { struct ArgusMemoryHeader *mem = NULL; int memlen = length + sizeof(struct ArgusMemoryHeader); void *retn = NULL; if (ArgusMallocList == NULL) ArgusInitMallocList(length); if (length == ArgusMallocList->size) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&ArgusMallocList->lock); #endif if (ArgusMallocList->start == NULL) { if (ArgusMallocList->total < ARGUS_MEMORY_MAX) { if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, memlen)) == NULL) ArgusLog(LOG_ERR, "ArgusMallocListRecord ArgusCalloc %s", strerror(errno)); mem->len = length; ArgusMallocList->total++; ArgusMallocList->out++; } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusMallocList memory pool exhausted (%d : %d)\n", ArgusMallocList->total, ARGUS_MEMORY_MAX); #endif } } else { mem = ArgusMallocList->start; ArgusMallocList->start = mem->nxt; ArgusMallocList->out++; ArgusMallocList->count--; if (ArgusMallocList->start == NULL) { ArgusMallocList->end = NULL; ArgusMallocList->count = 0; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); #endif } else { if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, length + sizeof(struct ArgusMemoryHeader))) == NULL) ArgusLog(LOG_ERR, "ArgusMallocListRecord ArgusCalloc %s", strerror(errno)); } if (mem != NULL) retn = (void *)(mem + 1); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusMallocListRecord (%d) returning %p total %d out %d\n", length, retn, ArgusMallocList->total, ArgusMallocList->out); #endif return (retn); } void ArgusFreeListRecord (void *buf) { if (buf != NULL) { struct ArgusMemoryHeader *mem = (struct ArgusMemoryHeader *)buf; struct ArgusRecordStruct *rec = buf; /* struct ArgusHashTableHdr *htblhdr; struct ArgusQueueStruct *nsq; if ((htblhdr = rec->htblhdr) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (0x%x) htbldr 0x%x\n", buf, htblhdr); #endif } if ((nsq = rec->nsq) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (%p) nsq %p\n", buf, nsq); #endif } */ if (rec->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(rec->dsrs[ARGUS_SRCUSERDATA_INDEX]); rec->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; } if (rec->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(rec->dsrs[ARGUS_DSTUSERDATA_INDEX]); rec->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; } mem = mem - 1; if ((ArgusMallocList == NULL) || (mem->len != ArgusMallocList->size)) { ArgusFree(mem); } else { #if defined(ARGUS_THREADS) if (pthread_mutex_lock(&ArgusMallocList->lock) == 0) { #endif if (ArgusMallocList->count < ARGUS_MEMORY_HI_THRESH) { mem->nxt = NULL; if (ArgusMallocList->end != NULL) ArgusMallocList->end->nxt = mem; ArgusMallocList->end = mem; if (ArgusMallocList->start == NULL) ArgusMallocList->start = mem; ArgusMallocList->count++; } else { ArgusMallocList->total--; ArgusFree(mem); } ArgusMallocList->in++; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); } #endif } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (%p) returning\n", buf); #endif return; } extern void ArgusShutDown (int); struct ArgusLogPriorityStruct { int priority; char *label; }; #define ARGUSPRIORITYSTR 8 struct ArgusLogPriorityStruct ArgusPriorityStr[ARGUSPRIORITYSTR] = { { LOG_EMERG, "ArgusEmergency" }, { LOG_ALERT, " ArgusAlert" }, { LOG_CRIT, " ArgusCritical" }, { LOG_ERR, " ArgusError" }, { LOG_WARNING, " ArgusWarning" }, { LOG_NOTICE, " ArgusNotice" }, { LOG_INFO, " ArgusInfo" }, { LOG_DEBUG, " ArgusDebug" }, }; #include void ArgusLog (int priority, char *fmt, ...) { va_list ap; char buf[1024], *ptr = buf; struct timeval now; #ifdef HAVE_SYSLOG gettimeofday (&now, 0L); (void) snprintf (buf, 1024, "%s ", print_time(&now)); ptr = &buf[strlen(buf)]; #else int i; char *label; if (priority == LOG_NOTICE) return; gettimeofday (&now, 0L); #if defined(ARGUS_THREADS) { pthread_t ptid; char pbuf[128]; int i; bzero(pbuf, sizeof(pbuf)); ptid = pthread_self(); for (i = 0; i < sizeof(ptid); i++) { snprintf (&pbuf[i*2], 3, "%02hhx", ((char *)&ptid)[i]); } (void) snprintf (buf, 1024, "%s[%d.%s]: %s ", ArgusProgramName, (int)getpid(), pbuf, print_time(&now)); } #else (void) snprintf (buf, 1024, "%s[%d]: %s ", ArgusProgramName, (int)getpid(), print_time(&now)); #endif ptr = &buf[strlen(buf)]; #endif va_start (ap, fmt); (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; va_end (ap); if (daemonflag) { #ifdef HAVE_SYSLOG syslog (LOG_ALERT, "%s", buf); #endif } else { char *label = NULL; int i; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } for (i = 0; i < ARGUSPRIORITYSTR; i++) if (ArgusPriorityStr[i].priority == priority) { label = ArgusPriorityStr[i].label; break; } fprintf (stderr, "%s: %s", label, buf); } switch (priority) { case LOG_ERR: ArgusShutDown(1); break; default: break; } } void ArgusRecordDump (struct ArgusRecord *); void ArgusDump (const u_char *, int); #define HEXDUMP_BYTES_PER_LINE 16 #define HEXDUMP_SHORTS_PER_LINE (HEXDUMP_BYTES_PER_LINE / 2) #define HEXDUMP_HEXSTUFF_PER_SHORT 5 /* 4 hex digits and a space */ #define HEXDUMP_HEXSTUFF_PER_LINE \ (HEXDUMP_HEXSTUFF_PER_SHORT * HEXDUMP_SHORTS_PER_LINE) void ArgusRecordDump (struct ArgusRecord *argus) { int length = argus->hdr.len; const u_char *cp = (const u_char *) argus; ArgusDump (cp, length); } #include void ArgusDump (const u_char *cp, int length) { u_int oset = 0; register u_int i; register int s1, s2; register int nshorts; char hexstuff[HEXDUMP_SHORTS_PER_LINE*HEXDUMP_HEXSTUFF_PER_SHORT+1], *hsp; char asciistuff[HEXDUMP_BYTES_PER_LINE+1], *asp; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusDump (%p, %d)\n", cp, length); #endif nshorts = length / sizeof(u_short); i = 0; hsp = hexstuff; asp = asciistuff; while (--nshorts >= 0) { s1 = *cp++; s2 = *cp++; (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff), " %02x%02x", s1, s2); hsp += HEXDUMP_HEXSTUFF_PER_SHORT; *(asp++) = (isgraph(s1) ? s1 : '.'); *(asp++) = (isgraph(s2) ? s2 : '.'); if (++i >= HEXDUMP_SHORTS_PER_LINE) { *hsp = *asp = '\0'; (void)printf("\n0x%04x\t%-*s\t%s", oset, HEXDUMP_HEXSTUFF_PER_LINE, hexstuff, asciistuff); i = 0; hsp = hexstuff; asp = asciistuff; oset += HEXDUMP_BYTES_PER_LINE; } } if (length & 1) { s1 = *cp++; (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff), " %02x", s1); hsp += 3; *(asp++) = (isgraph(s1) ? s1 : '.'); ++i; } if (i > 0) { *hsp = *asp = '\0'; (void)printf("\n0x%04x\t%-*s\t%s", oset, HEXDUMP_HEXSTUFF_PER_LINE, hexstuff, asciistuff); } } extern char *ArgusProgramName; extern int uflag, pflag; char ArgusPrintTimeBuf[64]; char * print_time(struct timeval *tvp) { char timeZoneBuf[32]; char *retn = ArgusPrintTimeBuf, *ptr; struct tm *tm, tmbuf; bzero (timeZoneBuf, sizeof(timeZoneBuf)); bzero (ArgusPrintTimeBuf, sizeof(ArgusPrintTimeBuf)); if ((tm = localtime_r ((time_t *)&tvp->tv_sec, &tmbuf)) != NULL) { #if !defined(HAVE_STRFTIME) snprintf (retn, 32, "%9d", (int) tvp->tv_sec); #else if (uflag) snprintf (retn, 32, "%9d", (int) tvp->tv_sec); else strftime ((char *) retn, 64, RaTimeFormat, tm); #endif if (pflag) { ptr = &retn[strlen(retn)]; snprintf (ptr, 32, ".%06d", (int) tvp->tv_usec); ptr[pflag + 1] = '\0'; } } else retn = NULL; return (retn); } #define ArgusAddrtoName #include #include #include /* Find the hash node that corresponds the ether address 'ep'. */ static inline struct enamemem * lookup_emem(struct ArgusParserStruct *parser, const u_char *ep) { u_int i, j, k; struct enamemem *tp; k = (ep[0] << 8) | ep[1]; j = (ep[2] << 8) | ep[3]; i = (ep[4] << 8) | ep[5]; tp = &parser->enametable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->e_nxt) if (tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k) return tp; else tp = tp->e_nxt; tp->e_addr0 = i; tp->e_addr1 = j; tp->e_addr2 = k; tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp)); return tp; } /* Find the hash node that corresponds the NSAP 'nsap'. static inline struct enamemem * lookup_nsap(struct ArgusParserStruct *parser, const u_char *nsap) { u_int i, j, k; int nlen = *nsap; struct enamemem *tp; const u_char *ensap = nsap + nlen - 6; if (nlen > 6) { k = (ensap[0] << 8) | ensap[1]; j = (ensap[2] << 8) | ensap[3]; i = (ensap[4] << 8) | ensap[5]; } else i = j = k = 0; tp = &parser->nsaptable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->e_nxt) if (tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k && tp->e_nsap[0] == nlen && bcmp((char *)&(nsap[1]), (char *)&(tp->e_nsap[1]), nlen) == 0) return tp; else tp = tp->e_nxt; tp->e_addr0 = i; tp->e_addr1 = j; tp->e_addr2 = k; tp->e_nsap = (u_char *) calloc(1, nlen + 1); bcopy(nsap, tp->e_nsap, nlen + 1); tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp)); return tp; } */ /* Find the hash node that corresponds the protoid 'pi'. */ static inline struct protoidmem * lookup_protoid(struct ArgusParserStruct *parser, const u_char *pi) { u_int i, j; struct protoidmem *tp; /* 5 octets won't be aligned */ i = (((pi[0] << 8) + pi[1]) << 8) + pi[2]; j = (pi[3] << 8) + pi[4]; /* XXX should be endian-insensitive, but do big-endian testing XXX */ tp = &parser->protoidtable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->p_nxt) if (tp->p_oui == i && tp->p_proto == j) return tp; else tp = tp->p_nxt; tp->p_oui = i; tp->p_proto = j; tp->p_nxt = (struct protoidmem *)calloc(1, sizeof(*tp)); return tp; } void ArgusInitServarray(struct ArgusParserStruct *parser) { #if !defined(CYGWIN) struct servent *sv; struct hnamemem *table; int i; while ((sv = getservent()) != NULL) { int port = ntohs(sv->s_port); i = port % (HASHNAMESIZE-1); if (strcmp(sv->s_proto, "tcp") == 0) table = &parser->tporttable[i]; else if (strcmp(sv->s_proto, "udp") == 0) table = &parser->uporttable[i]; else continue; while (table->name) table = table->nxt; if (parser->nflag > 1) { char buf[32]; (void)snprintf(buf, 32, "%d", port); table->name = strdup(buf); } else table->name = strdup(sv->s_name); table->addr = port; table->nxt = (struct hnamemem *)calloc(1, sizeof(*table)); } parser->ArgusSrvInit = 1; endservent(); #endif } void ArgusFreeServarray(struct ArgusParserStruct *parser) { int i, x; for (i = 0; i < HASHNAMESIZE; i++) { struct hnamemem *table; for (x = 0; x < 2; x++) { switch (x) { case 0: table = parser->tporttable; break; case 1: table = parser->uporttable; break; } if ((struct hnamemem *)&table[i].name != NULL) { struct hnamemem *tp, *sp; free(table[i].name); if ((tp = (struct hnamemem *)table[i].nxt) != NULL) { do { if (tp->name != NULL) free (tp->name); sp = tp->nxt; free(tp); } while ((tp = sp) != NULL); } } } } } void ArgusInitEprotoarray(struct ArgusParserStruct *parser) { struct ArgusEtherTypeStruct *p = argus_ethertype_names; bzero ((char *)parser->argus_eproto_db, sizeof (parser->argus_eproto_db)); while (p->range != NULL) { int i, start, end; char *ptr; start = atoi(p->range); if ((ptr = strchr(p->range, '-')) != NULL) end = atoi(ptr + 1); else end = start; for (i = start; i < (end + 1); i++) parser->argus_eproto_db[i] = p; p++; } } /* * SNAP proto IDs with org code 0:0:0 are actually encapsulated Ethernet * types. */ void ArgusInitProtoidarray(struct ArgusParserStruct *parser) { struct ArgusEtherTypeStruct *p; struct protoidmem *tp; u_char protoid[5]; int i; bzero(&protoid, sizeof(protoid)); bzero(&parser->protoidtable, sizeof(parser->protoidtable)); for (i = 0; i < ARGUS_MAXEPROTODB; i++) { if ((p = parser->argus_eproto_db[i]) != NULL) { protoid[3] = i; tp = lookup_protoid(parser, protoid); tp->p_name = p->tag; } } } void ArgusFreeProtoidarray(struct ArgusParserStruct *parser) { int i; for (i = 0; i < HASHNAMESIZE; i++) { struct protoidmem *sp = &parser->protoidtable[i], *tp; if ((tp = sp->p_nxt) != NULL) { do { sp = tp->p_nxt; free(tp); } while ((tp = sp) != NULL); } } } static struct etherlist { u_char addr[6]; char *name; } etherlist[] = { {{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, "Broadcast" }, {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, NULL } }; /* * Initialize the ethers hash table. We take two different approaches * depending on whether or not the system provides the ethers name * service. If it does, we just wire in a few names at startup, * and etheraddr_string() fills in the table on demand. If it doesn't, * then we suck in the entire /etc/ethers file at startup. The idea * is that parsing the local file will be fast, but spinning through * all the ethers entries via NIS & next_etherent might be very slow. * * XXX argus_next_etherent doesn't belong in the pcap interface, but * since the pcap module already does name-to-address translation, * it's already does most of the work for the ethernet address-to-name * translation, so we just argus_next_etherent as a convenience. */ void ArgusInitEtherarray(struct ArgusParserStruct *parser) { struct etherlist *el; struct enamemem *tp; #ifndef ETHER_SERVICE struct argus_etherent *ep; FILE *fp; /* Suck in entire ethers file */ fp = fopen(PCAP_ETHERS_FILE, "r"); if (fp != NULL) { while ((ep = argus_next_etherent(fp)) != NULL) { tp = lookup_emem(parser, ep->addr); tp->e_name = strdup(ep->name); } (void)fclose(fp); } #endif /* Hardwire some ethernet names */ for (el = etherlist; el->name != NULL; ++el) { #if defined(ETHER_SERVICE) && !defined(linux) && !defined(CYGWIN) /* Use yp/nis version of name if available */ char wrk[256]; if (ether_ntohost(wrk, (struct ether_addr *)el->addr) == 0) { tp = lookup_emem(parser, el->addr); tp->e_name = strdup(wrk); } #else /* install if not already present */ tp = lookup_emem(parser, el->addr); if (tp->e_name == NULL) tp->e_name = el->name; #endif } } void ArgusFreeEtherarray(struct ArgusParserStruct *parser) { int i; for (i = 0; i < HASHNAMESIZE; i++) { struct enamemem *tp, *sp; if ((tp = (struct enamemem *)parser->enametable[i].e_nxt) != NULL) { do { sp = tp->e_nxt; free(tp); tp = sp; } while ((tp = sp) != NULL); } } } #include static struct ArgusTokenStruct llcsap_db[] = { { LLCSAP_NULL, "null" }, { LLCSAP_8021B_I, "gsap" }, { LLCSAP_8021B_G, "isap" }, { LLCSAP_SNAPATH, "snapath" }, { LLCSAP_IP, "ipsap" }, { LLCSAP_SNA1, "sna1" }, { LLCSAP_SNA2, "sna2" }, { LLCSAP_PROWAYNM, "p-nm" }, { LLCSAP_TI, "ti" }, { LLCSAP_BPDU, "stp" }, { LLCSAP_RS511, "eia" }, { LLCSAP_ISO8208, "x25" }, { LLCSAP_XNS, "xns" }, { LLCSAP_NESTAR, "nestar" }, { LLCSAP_PROWAYASLM, "p-aslm" }, { LLCSAP_ARP, "arp" }, { LLCSAP_SNAP, "snap" }, { LLCSAP_VINES1, "vine1" }, { LLCSAP_VINES2, "vine2" }, { LLCSAP_NETWARE, "netware" }, { LLCSAP_NETBIOS, "netbios" }, { LLCSAP_IBMNM, "ibmnm" }, { LLCSAP_RPL1, "rpl1" }, { LLCSAP_UB, "ub" }, { LLCSAP_RPL2, "rpl2" }, { LLCSAP_ISONS, "clns" }, { LLCSAP_GLOBAL, "gbl" }, { 0, NULL } }; void ArgusInitLlcsaparray(struct ArgusParserStruct *parser) { int i; struct hnamemem *table; for (i = 0; llcsap_db[i].s != NULL; i++) { table = &parser->llcsaptable[llcsap_db[i].v]; while (table->name) table = table->nxt; table->name = llcsap_db[i].s; table->addr = llcsap_db[i].v; table->nxt = (struct hnamemem *)calloc(1, sizeof(*table)); } } void ArgusFreeLlcsaparray(struct ArgusParserStruct *parser) { int i; struct hnamemem *table; for (i = 0; llcsap_db[i].s != NULL; i++) { struct hnamemem *ttbl; table = &parser->llcsaptable[llcsap_db[i].v]; if ((table = table->nxt) != NULL) { do { ttbl = table; table = table->nxt; free(ttbl); } while (table); } } } char *argus_dscodes[0x100]; void ArgusInitDSCodepointarray(struct ArgusParserStruct *); struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); struct ArgusDSCodePointStruct * ArgusSelectDSCodesTable(struct ArgusParserStruct *parser) { struct ArgusDSCodePointStruct *retn = NULL; switch (parser->ArgusDSCodePoints) { case ARGUS_IANA_DSCODES: retn = argus_dscodepoints; break; case ARGUS_DISA_DSCODES: retn = argus_disa_dscodepoints; break; } return (retn); } void ArgusInitDSCodepointarray(struct ArgusParserStruct *parser) { struct ArgusDSCodePointStruct *argus_dsctable = argus_dscodepoints; int i; bzero (&argus_dscodes, sizeof(argus_dscodes)); if ((argus_dsctable = ArgusSelectDSCodesTable(parser)) != NULL) { for (i = 0; argus_dsctable[i].label != NULL; i++) argus_dscodes[(int)argus_dsctable[i].code] = argus_dsctable[i].label; } } /* * Initialize the address to name translation machinery. We map all * non-local IP addresses to numeric addresses if fflag is true (i.e., * to prevent blocking on the nameserver). localnet is the IP address * of the local network. mask is its subnet mask. */ void ArgusInitAddrtoname(struct ArgusParserStruct *parser, u_int localnet, u_int mask) { if (parser->fflag) { parser->f_localnet = localnet; parser->f_netmask = mask; } if (parser->nflag > 1) /* * Simplest way to suppress names. */ return; ArgusInitEtherarray(parser); ArgusInitServarray(parser); ArgusInitEprotoarray(parser); ArgusInitLlcsaparray(parser); ArgusInitProtoidarray(parser); ArgusInitDSCodepointarray(parser); } #ifndef __GNUC__ #define inline #endif /* * Convert a port name to its port and protocol numbers. * We assume only TCP or UDP. * Return 0 upon failure. */ int argus_nametoport(char *name, int *port, int *proto) { struct protoent *pp = NULL; struct servent *sp = NULL; char *pname = NULL, *other; #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., ..) starting\n", name); #endif if ((proto != NULL) && (*proto != -1)) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., %d) calling getprotobynumber\n", name, *proto); #endif if ((pp = getprotobynumber(*proto)) != NULL) { pname = pp->p_name; } else ArgusLog(LOG_ERR, "getprotobynumber(%d) returned NULL %s", *proto, strerror(errno)); } if (name != NULL) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: calling getservbyname(%s, %s)\n", name, pname); #endif sp = getservbyname(name, pname); #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: getservbyname() returned %p\n", sp); #endif } if (sp != NULL) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: sp is %p\n", sp); #endif *port = ntohs(sp->s_port); #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., ..) calling argus_nametoproto(%s)\n", sp->s_proto); #endif *proto = argus_nametoproto(sp->s_proto); /* * We need to check /etc/services for ambiguous entries. * If we find the ambiguous entry, and it has the * same port number, change the proto to PROTO_UNDEF * so both TCP and UDP will be checked. */ if (*proto == IPPROTO_TCP) other = "udp"; else other = "tcp"; sp = getservbyname(name, other); if (sp != 0) { if (*port != ntohs(sp->s_port)) /* Can't handle ambiguous names that refer to different port numbers. */ ArgusLog(LOG_ERR, "ambiguous port %s in /etc/services values %d and %d", name, *port, ntohs(sp->s_port)); *proto = PROTO_UNDEF; } #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, %d, %d)\n", name, *port, *proto); #endif return 1; } #if defined(ultrix) || defined(__osf__) /* Special hack in case NFS isn't in /etc/services */ if (strcmp(name, "nfs") == 0) { *port = 2049; *proto = PROTO_UNDEF; return 1; } #endif #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, %d, %d)\n", name, *port, *proto); #endif return 0; } int argus_nametoproto(char *str) { struct protoent *p; p = getprotobyname(str); if (p != 0) return p->p_proto; else return PROTO_UNDEF; } int argus_nametoeproto(char *s) { struct ArgusEtherTypeStruct *p = argus_ethertype_names; while (p->tag != 0) { if (strcmp(p->tag, s) == 0) { return atoi(p->range); } p += 1; } return PROTO_UNDEF; } u_int __argus_atoin(char *s, u_int *addr) { u_int n; int len; *addr = 0; len = 0; while (1) { n = 0; while (*s && *s != '.') n = n * 10 + *s++ - '0'; *addr <<= 8; *addr |= n & 0xff; len += 8; if (*s == '\0') { *addr = *addr; return len; } ++s; } /* NOTREACHED */ } u_int __argus_atodn(char *s) { #define AREASHIFT 10 #define AREAMASK 0176000 #define NODEMASK 01777 u_int addr = 0; u_int node, area; if (sscanf((char *)s, "%d.%d", (int *) &area, (int *) &node) != 2) ArgusLog (LOG_ERR,"malformed decnet address '%s'", s); addr = (area << AREASHIFT) & AREAMASK; addr |= (node & NODEMASK); return(addr); } /* * Convert 's' which has the form "xx:xx:xx:xx:xx:xx" into a new * ethernet address. Assumes 's' is well formed. */ /* Hex digit to integer. */ int xdtoi(int); int xdtoi(int c) { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } u_char * argus_ether_aton(char *s) { register u_char *ep, *e; register u_int d; e = ep = (u_char *)malloc(6); while (*s) { if (*s == ':') s += 1; d = xdtoi(*s++); if (isxdigit((int)*s)) { d <<= 4; d |= xdtoi(*s++); } *ep++ = d; } return (e); } #ifndef HAVE_ETHER_HOSTTON u_char * argus_ether_hostton(char *name) { register struct argus_etherent *ep; register u_char *ap; static FILE *fp = NULL; static int init = 0; if (!init) { fp = fopen(PCAP_ETHERS_FILE, "r"); ++init; if (fp == NULL) return (NULL); } else if (fp == NULL) return (NULL); else rewind(fp); while ((ep = argus_next_etherent(fp)) != NULL) { if (strcmp(ep->name, name) == 0) { ap = (u_char *)malloc(6); if (ap != NULL) { memcpy(ap, ep->addr, 6); return (ap); } break; } } return (NULL); } #else #if !defined(HAVE_DECL_ETHER_HOSTTON) || !HAVE_DECL_ETHER_HOSTTON #ifndef HAVE_STRUCT_ETHER_ADDR struct ether_addr { unsigned char ether_addr_octet[6]; }; #endif #if !defined(__APPLE_CC__) && !defined(__APPLE__) extern int ether_hostton(const char *, struct ether_addr *); #endif #endif u_char * argus_ether_hostton(char *name) { register u_char *ap; u_char a[6]; ap = NULL; if (ether_hostton((char*)name, (struct ether_addr *)a) == 0) { ap = (u_char *)malloc(6); if (ap != NULL) memcpy(ap, a, 6); } return (ap); } #endif u_short __argus_nametodnaddr(char *name) { #ifndef DECNETLIB ArgusLog (LOG_ERR,"decnet name support not included, '%s' cannot be translated\n", name); return(0); #else struct nodeent *getnodebyname(); struct nodeent *nep; u_short res; nep = getnodebyname(name); if (nep == ((struct nodeent *)0)) ArgusLog (LOG_ERR,"unknown decnet host name '%s'\n", name); memcpy((char *)&res, (char *)nep->n_addr, sizeof(u_short)); return(res); #endif } u_int ipaddrtonetmask(u_int addr) { if (IN_CLASSA (addr)) return IN_CLASSA_NET; if (IN_CLASSB (addr)) return IN_CLASSB_NET; if (IN_CLASSC (addr)) return IN_CLASSC_NET; if (IN_CLASSD (addr)) return 0xFFFFFFFF; else return 0; } u_int getnetnumber( u_int addr) { if (IN_CLASSA (addr)) return (addr >> 24 ); if (IN_CLASSB (addr)) return (addr >> 16 ); if (IN_CLASSC (addr)) return (addr >> 8 ); if (IN_CLASSD (addr)) return (addr >> 0 ); else return 0; } static char hex[] = "0123456789abcdef"; char etheraddrbuf[32]; char * etheraddr_string(struct ArgusParserStruct *parser, u_char *ep) { char *cp = etheraddrbuf; u_int i, j; bzero (cp, sizeof(etheraddrbuf)); if ((j = *ep >> 4) != 0) *cp++ = hex[j]; *cp++ = hex[*ep++ & 0xf]; for (i = 5; (int)--i >= 0;) { *cp++ = ':'; if ((j = *ep >> 4) != 0) *cp++ = hex[j]; *cp++ = hex[*ep++ & 0xf]; } return (etheraddrbuf); } /* There are two types of addresses to parse, IPv4 and IPv6 addresses. An address is in the form: dd[.:][:][dd]/n where n is the number significant bits in the address. */ int ArgusNumTokens (char *, char); int ArgusNumTokens (char *str, char tok) { int retn = 0; if (str != NULL) { while ((str = strchr(str, tok)) != NULL) { retn++; str++; } } return (retn); } struct ArgusCIDRAddr * RaParseCIDRAddr (struct ArgusParserStruct *parser, char *addr) { struct ArgusCIDRAddr *retn = NULL; char *ptr = NULL, *mask = NULL, strbuf[128], *str = strbuf; snprintf (str, 128, "%s", addr); if (parser->ArgusCIDRPtr == NULL) parser->ArgusCIDRPtr = &parser->ArgusCIDRBuffer; retn = parser->ArgusCIDRPtr; retn->type = 0; retn->len = 0; retn->masklen = 0; memset(&retn->addr, 0, sizeof(retn->addr)); if ((ptr = strchr(str, '!')) != NULL) { retn->opmask = ARGUSMONITOR_NOTEQUAL; str = ptr + 1; } if ((mask = strchr (str, '/')) != NULL) { *mask++ = '\0'; retn->masklen = strtol((const char *)mask, (char **)&ptr, 10); if (ptr == mask) { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: mask length incorrect.\n", retn); #endif return (NULL); } } if ((ptr = strchr (str, ':')) != NULL) retn->type = AF_INET6; else if ((ptr = strchr (str, '.')) != NULL) retn->type = AF_INET; if (!(retn->type)) retn->type = (retn->masklen > 32) ? AF_INET6 : AF_INET; switch (retn->type) { case AF_INET: { int i, len = sizeof(struct in_addr); retn->len = len; for (i = 0; (i < len) && str; i++) { long int tval = strtol(str, (char **)&ptr, 10); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != '.') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; retn->addr[0] |= (tval << ((len - (i + 1)) * 8)); } str = ptr; } if (!(retn->masklen)) retn->masklen = 32; retn->mask[0] = 0xFFFFFFFF << (32 - retn->masklen); break; } case AF_INET6: { unsigned short *val = (unsigned short *)&retn->addr; int ind = 0, len = sizeof(retn->addr)/sizeof(unsigned short); int fsecnum = 8, lsecnum = 0, rsecnum = 0, i, masklen; char *sstr = NULL, *ipv4addr = NULL; retn->len = sizeof(retn->addr); if ((sstr = strstr(str, "::")) != NULL) { *sstr++ = '\0'; *sstr++ = '\0'; if (strlen(str)) fsecnum = ArgusNumTokens(str, ':') + 1; if (strlen(sstr)) lsecnum = ArgusNumTokens(sstr, ':') + 1; if (!(retn->masklen)) retn->masklen = 128; } else sstr = str; if (strchr (sstr, '.')) { lsecnum += (lsecnum > 0) ? 1 : 2; if ((ipv4addr = strrchr(sstr, ':')) == NULL) { ipv4addr = sstr; sstr = NULL; } else { *ipv4addr++ = '\0'; } } if (fsecnum + lsecnum) { rsecnum = 8 - (fsecnum + lsecnum); if (fsecnum) { while (str && *str && (ind++ < len)) { *val++ = htons(strtol(str, (char **)&ptr, 16)); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != ':') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } str = ptr; } } for (i = 0; i < rsecnum; i++) *val++ = 0; if (lsecnum) { if ((str = sstr) != NULL) { while (str && (ind++ < len)) { *val++ = htons(strtol(str, (char **)&ptr, 16)); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != ':') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } str = ptr; } } } if (ipv4addr) { unsigned char *cval = (unsigned char *)&retn->addr[3]; int ind = 0, len = sizeof(struct in_addr); while (ipv4addr && (ind++ < len)) { *cval++ = strtol(ipv4addr, (char **)&ptr, 10); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != '.') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } ipv4addr = ptr; } retn->masklen = 128; } } if (!(retn->masklen)) { retn->masklen = (((char *)val - (char *)&retn->addr)) * 8; } for (i = 0; i < 4; i++) retn->mask[i] = 0; if ((masklen = retn->masklen) > 0) { unsigned int *mask = &retn->mask[0]; while (masklen) { if (masklen > 32) { *mask++ = 0xFFFFFFFF; masklen -= 32; } else { *mask = 0xFFFFFFFF << masklen; masklen = 0; } } } break; } default: break; } #ifdef ARGUSDEBUG ArgusDebug (9, "RaParseCIDRAddr: returning %p \n", retn); #endif return (retn); } #if !defined(HAVE_FLOORF) /* floorf.c: Returns the integer smaller or equal than x Copyright (C) 2001, 2002 Jesus Calvino-Fraga, jesusc@ieee.org This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Version 1.0 - Initial release */ float floorf (float x) { long r; r=x; if (r<=0) return (r+((r>x)?-1:0)); else return r; } #endif #if !defined(HAVE_REMAINDERF) /* no copyright on remainderf - Author LB */ float remainderf(float x, float y) { float r; r = x - ((int) (x/y+0.5)) * y; return r; } #endif argus-3.0.8.2/common/grammar.y000555 000765 000024 00000034576 12513222401 016546 0ustar00carterstaff000000 000000 %{ /* Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * * $Id: //depot/argus/argus/common/grammar.y#23 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. Af rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) af advertising materials mentioning * features or use of this software display the fofowing acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #include #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #endif #include #include #include #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); extern int argus_error (char *); #define YYDEBUG 1 #define QSET(q, p, d, a) (q).proto = (p),\ (q).dir = (d),\ (q).addr = (a) int argus_n_errors = 0; static struct qual qerr = { Q_UNDEF, Q_UNDEF, Q_UNDEF}; %} %union { int i; float f; u_long h; u_char *e; char *s; struct stmt *stmt; struct arth *a; struct { struct qual q; struct ablock *b; } blk; struct ablock *rblk; } %type expr id nid pid term rterm qid tid oid %type head thead %type pqual dqual aqual iqual ndaqual %type fqual %type arth narth %type oname pname sname tname pnum relop irelop %type fnum %type and or paren not nuf prog %type other %token START STOP STATUS SHUTDOWN ERROR %token MAN FAR EVENT INDEX %token DST SRC HOST INODE GATEWAY IPID TTL TOS DSB SRCID TCPBASE %token NET AMASK PORT EQUAL LESS GREATER PROTO BYTE PKT APPBYTE %token TRANS ARP RARP IP IPV4 IPV6 TCP UDP ICMP IGMP %token ISIS HELLO LSP CSNP PSNP %token UDT SVC TCPRTT TCPOPT %token MSS WSCALE SELECTIVEACKOK SELECTIVEACK TCPECHO TCPECHOREPLY %token TCPTIMESTAMP TCPCC TCPCCNEW TCPCCECHO SECN DECN %token ETHER MPLS VLAN ANON VID VPRI MPLSID SPI %token ENCAPS RTP RTCP ESP DECNET LAT MOPRC MOPDL %token TK_BROADCAST TK_MULTICAST FRAG FRAG_ONLY %token ABR PCR RATE LOAD LOSS PLOSS GAP DUP CO %token INTER INTERACTIVE INTERIDLE JITTER JITTERACTIVE JITTERIDLE %token DUR AVGDUR DELTADUR DELTASTART DELTALAST %token DELTASPKTS DELTADPKTS %token SEQ NSTROKE %token NUM FLOAT INBOUND OUTBOUND %token LINK AUTH RECURS REQ RSP %token GEQ LEQ NEQ %token ID EID HIDV4 HIDV6 STRING %token LSH RSH %token LEN %token OUTOFORDER RETRANS NORMAL WAIT MULTIPATH RESET TIMEDOUT WINSHUT %token SYN SYNACK ACK PUSH URGENT DATA ECE CWR FIN FINACK ICMPECHO ICMPMAP %token UNREACH REDIRECT ECN TIMEXED ESTABLISHED CONNECTED CORRELATED %token RTR MBR LVG COCODE ASN %type ID %type EID %type HIDV4 %type HIDV6 %type STRING %type NUM %type FLOAT %left OR AND %nonassoc '!' %left '|' %left '&' %left LSH RSH %left '+' '-' %left '*' '/' %nonassoc UMINUS %% prog: nuf expr { Argusfinish_parse($2.b); } | nuf ; nuf: /* nuf */ { $$.q = qerr; } ; expr: term | expr and term { Argusgen_and($1.b, $3.b); $$ = $3; } | expr and id { Argusgen_and($1.b, $3.b); $$ = $3; } | expr or term { Argusgen_or($1.b, $3.b); $$ = $3; } | expr or id { Argusgen_or($1.b, $3.b); $$ = $3; } ; and: AND { $$ = $0; } ; or: OR { $$ = $0; } ; id: nid | pnum { $$.b = Argusgen_ncode(NULL, (int)$1, $$.q = $0.q, Q_EQUAL); } | fnum { $$.b = Argusgen_fcode(NULL, (float)$1, $$.q = $0.q, Q_EQUAL); } | LESS pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_LESS); } | GREATER pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_GREATER); } | EQUAL pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_EQUAL); } | GEQ pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_GEQ); } | LEQ pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_LEQ); } | LESS fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_LESS); } | GREATER fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_GREATER); } | EQUAL fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_EQUAL); } | GEQ fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_GEQ); } | LEQ fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_LEQ); } | paren pid ')' { $$ = $2; } ; tid: tname { $$.b = Argusgen_tcode($1, $$.q = $0.q); } oid: oname { $$.b = Argusgen_ocode($1, $$.q = $0.q); } ; nid: ID { $$.b = Argusgen_scode($1, $$.q = $0.q); } | STRING { $$.q = $0.q; $$.q.type = Q_STRING; $$.b = Argusgen_scode($1, $$.q); } | HIDV4 '/' NUM { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_mcode($1, NULL, $3, $$.q); } | HIDV4 AMASK HIDV4 { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_mcode($1, (char *)$3, 0, $$.q); } | HIDV4 { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_ncode($1, 0, $$.q, Q_EQUAL); } | HIDV6 '/' NUM { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_mcode($1, NULL, $3, $$.q); } | HIDV6 { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_ncode($1, 0, $$.q, Q_EQUAL); } | EID { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_ecode($1, $$.q); } | not id { Argusgen_not($2.b); $$ = $2; } ; not: '!' { $$ = $0; } ; paren: '(' { $$ = $0; } ; pid: nid | qid and id { Argusgen_and($1.b, $3.b); $$ = $3; } | qid or id { Argusgen_or($1.b, $3.b); $$ = $3; } ; qid: pnum { $$.b = Argusgen_ncode(NULL, (int)$1, $$.q = $0.q, Q_EQUAL); } | fnum { $$.b = Argusgen_fcode(NULL, (float)$1, $$.q = $0.q, Q_EQUAL); } | pid ; term: rterm | not term { Argusgen_not($2.b); $$ = $2; } ; head: pqual dqual aqual { QSET($$.q, $1, $2, $3); } | pqual dqual { QSET($$.q, $1, $2, Q_DEFAULT); } | pqual aqual { QSET($$.q, $1, Q_DEFAULT, $2); } | pqual iqual { QSET($$.q, $1, Q_DEFAULT, $2); $$.q.type = Q_INTEGER; } | pqual fqual { QSET($$.q, $1, Q_DEFAULT, $2); $$.q.type = Q_FLOAT; } | pqual dqual iqual { QSET($$.q, $1, $2, $3); $$.q.type = Q_INTEGER; } | pqual dqual fqual { QSET($$.q, $1, $2, $3); $$.q.type = Q_FLOAT; } | pqual PROTO { QSET($$.q, $1, Q_DEFAULT, Q_PROTO); } | pqual ndaqual { QSET($$.q, $1, Q_DEFAULT, $2); } ; thead: pqual dqual { QSET($$.q, $1, $2, Q_DEFAULT); } ; rterm: head id { $$ = $2; } | thead tid { $$ = $2; } | paren expr ')' { $$.b = $2.b; $$.q = $1.q; } | pname { $$.b = Argusgen_proto_abbrev($1); $$.q = qerr; } | sname { $$.b = Argusgen_proto_abbrev($1); $$.q = qerr; } | tid { $$ = $1; } | oid { $$ = $1; } | arth relop arth { $$.b = Argusgen_relation($2, $1, $3, 0); $$.q = qerr; } | arth irelop arth { $$.b = Argusgen_relation($2, $1, $3, 1); $$.q = qerr; } | other { $$.b = $1; $$.q = qerr; } ; /* protocol level qualifiers */ pqual: pname | { $$ = Q_DEFAULT; } ; /* 'direction' qualifiers */ dqual: SRC { $$ = Q_SRC; } | DST { $$ = Q_DST; } | SRC OR DST { $$ = Q_OR; } | DST OR SRC { $$ = Q_OR; } | SRC AND DST { $$ = Q_AND; } | DST AND SRC { $$ = Q_AND; } ; /* address type qualifiers */ aqual: HOST { $$ = Q_HOST; } | SRCID { $$ = Q_SRCID; } | INODE { $$ = Q_INODE; } | NET { $$ = Q_NET; } ; /* identifier types */ iqual: PORT { $$ = Q_PORT; } | IPID { $$ = Q_IPID; } | TTL { $$ = Q_TTL; } | TOS { $$ = Q_TOS; } | DSB { $$ = Q_DSB; } | CO { $$ = Q_CO; } | ASN { $$ = Q_ASN; } | VID { $$ = Q_VID; } | VPRI { $$ = Q_VPRI; } | MPLSID { $$ = Q_MPLSID; } | BYTE { $$ = Q_BYTE; } | APPBYTE { $$ = Q_APPBYTE; } | PKT { $$ = Q_PKT; } | TRANS { $$ = Q_TRANS; } | TCPRTT { $$ = Q_TCPRTT; } | TCPBASE { $$ = Q_TCPBASE; } | LOSS { $$ = Q_LOSS; } | GAP { $$ = Q_GAP; } | DUP { $$ = Q_DUP; } | SPI { $$ = Q_SPI; } | ENCAPS { $$ = Q_ENCAPS; } | DELTADUR { $$ = Q_DELTADUR; } | DELTASTART { $$ = Q_DELTASTART; } | DELTALAST { $$ = Q_DELTALAST; } | NSTROKE { $$ = Q_NSTROKE; } | SEQ { $$ = Q_SEQ; } ; /* identifier types */ fqual: DUR { $$ = Q_DUR; } | AVGDUR { $$ = Q_AVGDUR; } | INTER { $$ = Q_INTER; } | INTERACTIVE { $$ = Q_INTERACTIVE; } | INTERIDLE { $$ = Q_INTERIDLE; } | JITTER { $$ = Q_JITTER; } | JITTERACTIVE { $$ = Q_JITTERACTIVE; } | JITTERIDLE { $$ = Q_JITTERIDLE; } | RATE { $$ = Q_RATE; } | LOAD { $$ = Q_LOAD; } | PLOSS { $$ = Q_PLOSS; } | ABR { $$ = Q_PCR; } | PCR { $$ = Q_PCR; } ; /* non-directional address type qualifiers */ ndaqual: GATEWAY { $$ = Q_GATEWAY; } ; sname: START { $$ = Q_START; } | STOP { $$ = Q_STOP; } | STATUS { $$ = Q_STATUS; } | SHUTDOWN { $$ = Q_SHUTDOWN; } | ERROR { $$ = Q_ERROR; } | MAN { $$ = Q_MAN; } | FAR { $$ = Q_FAR; } | EVENT { $$ = Q_EVENT; } | INDEX { $$ = Q_INDEX; } | SVC { $$ = Q_SVC; } | NORMAL { $$ = Q_NORMAL; } | WAIT { $$ = Q_WAIT; } | SYNACK { $$ = Q_SYNACK; } | FINACK { $$ = Q_FINACK; } | ESTABLISHED { $$ = Q_ESTABLISHED; } | CONNECTED { $$ = Q_CONNECTED; } | CORRELATED { $$ = Q_CORRELATED; } | TIMEDOUT { $$ = Q_TIMEDOUT; } | ICMPMAP { $$ = Q_ICMPMAP; } | ICMPECHO { $$ = Q_ECHO; } | UNREACH { $$ = Q_UNREACH; } | REDIRECT { $$ = Q_REDIRECT; } | TIMEXED { $$ = Q_TIMEXED; } | RTR { $$ = Q_RTR; } | MBR { $$ = Q_MBR; } | LVG { $$ = Q_LVG; } | COCODE { $$ = Q_COCODE; } ; pname: LINK { $$ = Q_LINK; } | ETHER { $$ = Q_ETHER; } | IP { $$ = Q_IP; } | IPV4 { $$ = Q_IPV4; } | IPV6 { $$ = Q_IPV6; } | ARP { $$ = Q_ARP; } | RARP { $$ = Q_RARP; } | ESP { $$ = Q_ESP; } | RTP { $$ = Q_RTP; } | RTCP { $$ = Q_RTCP; } | TCP { $$ = Q_TCP; } | UDP { $$ = Q_UDP; } | ICMP { $$ = Q_ICMP; } | IGMP { $$ = Q_IGMP; } | MPLS { $$ = Q_MPLS; } | ISIS { $$ = Q_ISIS; } | VLAN { $$ = Q_VLAN; } | UDT { $$ = Q_UDT; } | ANON { $$ = Q_ANON; } | DECNET { $$ = Q_DECNET; } | LAT { $$ = Q_LAT; } | MOPDL { $$ = Q_MOPDL; } | MOPRC { $$ = Q_MOPRC; } ; tname: OUTOFORDER { $$ = Q_OUTOFORDER; } | RETRANS { $$ = Q_RETRANS; } | WINSHUT { $$ = Q_WINSHUT; } | SYN { $$ = Q_SYN; } | FIN { $$ = Q_FIN; } | RESET { $$ = Q_RESET; } | ACK { $$ = Q_ACK; } | PUSH { $$ = Q_PUSH; } | URGENT { $$ = Q_URGENT; } | CWR { $$ = Q_CWR; } | ECE { $$ = Q_ECE; } | FRAG { $$ = Q_FRAG; } | FRAG_ONLY { $$ = Q_FRAG_ONLY; } | ECN { $$ = Q_ECN; } | MULTIPATH { $$ = Q_MULTIPATH; } | HELLO { $$ = Q_HELLO; } | LSP { $$ = Q_LSP; } | CSNP { $$ = Q_CSNP; } | PSNP { $$ = Q_PSNP; } ; oname: TCPOPT { $$ = Q_TCPOPT; } | MSS { $$ = Q_MSS; } | WSCALE { $$ = Q_WSCALE; } | SELECTIVEACKOK { $$ = Q_SELECTIVEACKOK; } | SELECTIVEACK { $$ = Q_SELECTIVEACK; } | TCPECHO { $$ = Q_TCPECHO; } | TCPECHOREPLY { $$ = Q_TCPECHOREPLY; } | TCPTIMESTAMP { $$ = Q_TCPTIMESTAMP; } | TCPCC { $$ = Q_TCPCC; } | TCPCCNEW { $$ = Q_TCPCCNEW; } | TCPCCECHO { $$ = Q_TCPCCECHO; } | SECN { $$ = Q_SECN; } | DECN { $$ = Q_DECN; } ; other: pqual TK_BROADCAST { $$ = Argusgen_broadcast($1); } | pqual TK_MULTICAST { $$ = Argusgen_multicast($1); } | INBOUND { $$ = Argusgen_inbound(0); } | OUTBOUND { $$ = Argusgen_inbound(1); } ; relop: '>' { $$ = NFF_JGT; } | GEQ { $$ = NFF_JGE; } | '=' { $$ = NFF_JEQ; } | EQUAL { $$ = NFF_JEQ; } ; irelop: LEQ { $$ = NFF_JGT; } | '<' { $$ = NFF_JGE; } | NEQ { $$ = NFF_JEQ; } ; arth: pnum { $$ = ArgusLoadI($1); } | narth ; narth: pname '[' arth ']' { $$ = ArgusLoad($1, $3, 1); } | pname '[' arth ':' NUM ']' { $$ = ArgusLoad($1, $3, $5); } | arth '+' arth { $$ = ArgusArth(NFF_ADD, $1, $3); } | arth '-' arth { $$ = ArgusArth(NFF_SUB, $1, $3); } | arth '*' arth { $$ = ArgusArth(NFF_MUL, $1, $3); } | arth '/' arth { $$ = ArgusArth(NFF_DIV, $1, $3); } | arth '&' arth { $$ = ArgusArth(NFF_AND, $1, $3); } | arth '|' arth { $$ = ArgusArth(NFF_OR, $1, $3); } | arth LSH arth { $$ = ArgusArth(NFF_LSH, $1, $3); } | arth RSH arth { $$ = ArgusArth(NFF_RSH, $1, $3); } | paren narth ')' { $$ = $2; } | LEN { $$ = ArgusLoadLen(); } ; pnum: NUM | paren pnum ')' { $$ = $2; } ; fnum: FLOAT | paren fnum ')' { $$ = $2; } ; %% int yyerror(char *msg) { ++argus_n_errors; return(1); } argus-3.0.8.2/common/Makefile.in000444 000765 000024 00000007113 12513222401 016753 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER # IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, # ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF # THIS SOFTWARE. # # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ INCLS = -I$(srcdir) @V_INCLS@ -I$(srcdir)/../include -I$(srcdir)/../argus DEFS = @DEFS@ # Standard CFLAGS CFLAGS = $(CCOPT) $(INCLS) $(DEFS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< # We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot # hack the extra indirection VSRC = version.c LSRC = scanner.l YSRC = grammar.y GENSRC = $(LSRC:.l=.c) $(YSRC:.y=.c) GENHDR = tokdefs.h TAGHDR = bpf/net/bpf.h TAGFILES = $(SRC) $(HDR) $(TAGHDR) LIBS = @INSTALL_LIB@/argus_common.a OBJ = $(COMMONOBJ) $(PARSEOBJ) CLEANFILES = $(LIBS) $(OBJ) $(GENSRC) $(GENHDR) $(VSRC) lex.yy.c COMMONSRC = argus_util.c argus_code.c argus_filter.c $(GENSRC) $(VSRC) COMMONOBJ = argus_util.o argus_code.o argus_filter.o grammar.o scanner.o version.o SRC = $(COMMONSRC) all: $(LIBS) @INSTALL_LIB@/argus_common.a: $(COMMONOBJ) rm -f $@; ar qc $@ $(COMMONOBJ) -$(RANLIB) $@ scanner.c: scanner.l @rm -f $@ $(LEX) -t $< > $$$$.$@; mv $$$$.$@ $@ scanner.o: scanner.c tokdefs.h tokdefs.h: grammar.c grammar.c: grammar.y @rm -f grammar.c tokdefs.h $(YACC) -d $< mv y.tab.c grammar.c mv y.tab.h tokdefs.h grammar.o: grammar.c $(CC) $(CFLAGS) -Dyylval=argus_lval -c grammar.c version.o: version.c version.c: $(srcdir)/../VERSION @rm -f $@ sed -e 's/.*/char version[] = "&";/' $(srcdir)/../VERSION > $@ install: all force uninstall: clean clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile config.cache config.log config.status \ gnuc.h os-proto.h bpf_filter.c net tags: $(TAGFILES) ctags -wtd $(TAGFILES) tar: force @cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \ list="" ; tar="tar chFFf" ; \ for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \ echo \ "rm -f ../$$name; ln -s $$dir ../$$name" ; \ rm -f ../$$name; ln -s $$dir ../$$name ; \ echo \ "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \ (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \ echo \ "rm -f ../$$name" ; \ rm -f ../$$name force: /tmp depend: $(GENSRC) $(VSRC) force ../bin/mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC) argus-3.0.8.2/common/scanner.l000555 000765 000024 00000027007 12513222401 016523 0ustar00carterstaff000000 000000 %{ /* Argus Software * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * $Id: //depot/argus/argus/common/scanner.l#32 $ * $DateTime: 2015/04/13 00:43:29 $ * $Change: 2982 $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #define YY_NO_INPUT #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); #ifndef __GNUC__ #define inline #endif int argus_lex(void); int stoi(char *); float stof(char *); int xdtoi(int); #ifdef FLEX_SCANNER int argus_get_lineno (void); FILE *argus_get_in (void); FILE *argus_get_out (void); static YY_BUFFER_STATE in_buffer; #else static char *in_buffer; #undef getc #define getc(fp) (*in_buffer == 0 ? EOF : *in_buffer++) #endif #define yylval argus_lval extern YYSTYPE yylval; %} %option nounput N ([0-9]+|(0X|0x)[0-9A-Fa-f]+) B ([0-9A-Fa-f][0-9A-Fa-f]?) ISD [0-9A-Fa-f]{4} V6 ((([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(([0-9A-Fa-f]{1,4}:){0,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})|(::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){1,7}:)) %% start return START; init return START; stop return STOP; status return STATUS; shut return SHUTDOWN; error return ERROR; man return MAN; mar return MAN; far return FAR; event return EVENT; index return INDEX; dst return DST; src return SRC; seq return SEQ; auth return AUTH; recurs return RECURS; req return REQ; rsp return RSP; link|ppp|slip return LINK; fddi return LINK; ether return LINK; arp return ARP; rarp return RARP; ip return IP; ipv4 return IPV4; ipv6 return IPV6; tcp return TCP; udp return UDP; udt return UDT; rtp return RTP; rtcp return RTCP; icmp return ICMP; igmp return IGMP; mpls return MPLS; vlan return VLAN; vid return VID; vpri return VPRI; mid return MPLSID; ipid return IPID; anon return ANON; isis return ISIS; psnp return PSNP; csnp return CSNP; lsp return LSP; hello return HELLO; svc return SVC; spi return SPI; host return HOST; srcid return SRCID; inode return INODE; net return NET; mask return AMASK; port return PORT; proto return PROTO; encaps return ENCAPS; ttl return TTL; tos return TOS; dsb return DSB; dsbyte return DSB; co return CO; cocode return COCODE; as return ASN; asn return ASN; trans return TRANS; pkt return PKT; pkts return PKT; byte return BYTE; bytes return BYTE; data return APPBYTE; appbyte return APPBYTE; appbytes return APPBYTE; pcr return PCR; pcratio return PCR; abr return ABR; abratio return ABR; nstroke return NSTROKE; nstrokes return NSTROKE; tcpb return TCPBASE; base return TCPBASE; tcprtt return TCPRTT; tcpopt return TCPOPT; mss return MSS; wscale return WSCALE; selackok return SELECTIVEACKOK; selack return SELECTIVEACK; tcpecho return TCPECHO; tcpechoreply return TCPECHOREPLY; tcptimestamp return TCPTIMESTAMP; tcpcc return TCPCC; tcpccnew return TCPCCNEW; tcpccecho return TCPCCECHO; secn return SECN; decn return DECN; rate return RATE; load return LOAD; inter return INTER; intpkt return INTER; intpktact return INTERACTIVE; intpktidle return INTERIDLE; jit return JITTER; jitter return JITTER; jitact return JITTERACTIVE; jitidle return JITTERIDLE; dur return DUR; avgdur return AVGDUR; deldur return DELTADUR; delstime return DELTALAST; delltime return DELTALAST; loss return LOSS; ploss return PLOSS; gap return GAP; dup return DUP; gateway return GATEWAY; EQ return EQUAL; eq return EQUAL; equal return EQUAL; LT return LESS; lt return LESS; LTE return LEQ; lte return LEQ; LESS return LESS; less return LESS; GT return GREATER; gt return GREATER; GTE return GEQ; gte return GEQ; greater return GREATER; broadcast return TK_BROADCAST; multicast return TK_MULTICAST; AND return AND; OR return OR; NOT return '!'; and|"&&" return AND; or|"||" return OR; not return '!'; len|length return LEN; inbound return INBOUND; outbound return OUTBOUND; syn return SYN; synack return SYNACK; fin return FIN; finack return FINACK; rst return RESET; ack return ACK; urg return URGENT; ece return ECE; cwr return CWR; push return PUSH; reset return RESET; rtr return RTR; mbr return MBR; lvg return LVG; normal return NORMAL; wait return WAIT; timeout return TIMEDOUT; est return ESTABLISHED; con return CONNECTED; avail return CONNECTED; cor return CORRELATED; corolated return CORRELATED; ecn return ECN; drop return RETRANS; retrans return RETRANS; outoforder return OUTOFORDER; ooo return OUTOFORDER; multipath return MULTIPATH; mpath return MULTIPATH; winshut return WINSHUT; frag return FRAG; fragonly return FRAG_ONLY; icmpmap return ICMPMAP; echo return ICMPECHO; unreach return UNREACH; redirect return REDIRECT; timexed return TIMEXED; [ \n\t] ; [+\-*/:\[\]!<>()&|=] return yytext[0]; ">=" return GEQ; "<=" return LEQ; "!=" return NEQ; "==" return '='; "<<" return LSH; ">>" return RSH; \+?{N} { yylval.i = stoi((char *)yytext); return NUM; } -{N} { yylval.i = stoi((char *)yytext); return NUM; } -(\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } \+?(\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } -({N}\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } \+?({N}\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } ({N}\.{N}\.{N}\.{N}) { yylval.s = Argussdup((char *)yytext); return HIDV4; } {B}:{B}:{B}:{B}:{B}:{B} { yylval.e = argus_ether_aton((char *)yytext); return EID; } {V6} { yylval.s = Argussdup((char *)yytext); return HIDV6; } \"[^\*\n]*\" { yylval.s = Argussdup((char *)yytext); return STRING; } [A-Za-z0-9][-_.A-Za-z0-9]*[.A-Za-z0-9] { yylval.s = Argussdup((char *)yytext); return ID; } "\\"[^ !()\n\t]+ { yylval.s = Argussdup((char *)yytext + 1); return ID; } [^ \[\]\t\n\-_.A-Za-z0-9!<>()&|=]+i { ArgusLog(LOG_ERR, "illegal token: %s\n", yytext); } . { ArgusLog (LOG_ERR, "illegal char '%c'", *yytext); } %% void argus_lex_init(char *buf) { #ifdef FLEX_SCANNER in_buffer = yy_scan_string(buf); #else in_buffer = buf; #endif } /* * Also define a yywrap. Note that if we're using flex, it will * define a macro to map this identifier to pcap_wrap. */ int yywrap() { return 1; } /* Hex digit to integer. int xdtoi(c) int c; { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } */ /* * Convert string to integer. Just like atoi(), but checks for * preceding 0x or 0 and uses hex or octal instead of decimal. */ int stoi(char *s) { int base = 10; int n = 0; int sign = 0; /* Skip whitespace */ while (isspace(*s)) s++; /* Check for sign */ if (*s == '-') { sign = 1; s++; } else { if (*s == '+') s++; } if (*s == '0') { s++; if (*s == '\0') { } else { if (*s == 'x' || *s == 'X') { s++; base = 16; } else { base = 8; } } } while (*s) n = n * base + xdtoi(*s++); if (sign) n *= -1; return n; } /* * Convert string to float. Just like atof(), but checks for * preceding 0x or 0 and uses hex or octal instead of decimal. */ float stof(char* s) { float retn = 0.0, frac = 0.0; int sign = 0; /* Skip whitespace */ while (isspace(*s)) s++; /* Check for sign */ if (*s == '-') { sign = 1; s++; } else { if (*s == '+') s++; } /* Read integer part */ while (isdigit(*s)) retn = retn * 10 + (*(s++) - '0'); /* Read fractional part */ if (*s == '.') { float q; s++; while (isdigit(*s)) s++; s--; do { q = *s - '0'; frac = (frac + q) / 10; } while (isdigit(*(--s))); while (isdigit(*(++s))) s++; } /* Skip whitespace */ while (isspace(*s)) s++; /* Combine integer and fractional part, and apply sign */ retn += frac; if (sign) retn *= -1; /* Process E notation */ if (*s == 'e' || *s == 'E') { int i, j = atoi(++s); if (j == 0) return retn; for (i = 0; i != j; (j > 0) ? i++ : i--) retn *= (j > 0) ? 10 : -10; } return retn; } argus-3.0.8.2/bin/argusbug000555 000765 000024 00000023531 12513222401 015735 0ustar00carterstaff000000 000000 #!/bin/sh # Argus Software. Bug Report # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Create a bug report and mail it to argus-info@lists.andrew.cmu.edu. # A completely plagaristic move on my part by using the # mysql bug reporting script. Thanks guys!!!! echo "Finding system information for a ARGUS bug report" VERSION="3.0" BUGARGUS="argus-info@lists.andrew.cmu.edu" LIBC_INFO="" for pat in /lib/libc.* /lib/libc-* /usr/lib/libc.* /usr/lib/libc-* do TMP=`ls -l $pat 2>/dev/null` if test $? = 0 then LIBC_INFO="$LIBC_INFO $TMP" fi done PATH=../:$PATH:/bin:/usr/bin:/usr/local/bin export PATH BUGADDR=${1-$BUGARGUS} ENVIRONMENT=`uname -a` : ${USER=${LOGNAME-`whoami`}} COMMAND=`echo $0|sed 's%.*/\([^/]*\)%\1%'` # Try to create a secure tmpfile umask 077 TEMPDIR=/tmp/argusbug-$$ mkdir $TEMPDIR || (echo "can not create directory in /tmp, aborting"; exit 1;) TEMP=${TEMPDIR}/argusbug trap 'rm -f $TEMP $TEMP.x; rmdir $TEMPDIR; exit 1' 1 2 3 13 15 trap 'rm -f $TEMP $TEMP.x; rmdir $TEMPDIR' 0 # How to read the passwd database. PASSWD="cat /etc/passwd" if test -f /usr/lib/sendmail then MAIL_AGENT="/usr/lib/sendmail -oi -t" elif test -f /usr/sbin/sendmail then MAIL_AGENT="/usr/sbin/sendmail -oi -t" else MAIL_AGENT="rmail $BUGARGUS" fi # Figure out how to echo a string without a trailing newline N=`echo 'hi there\c'` case "$N" in *c) ECHON1='echo -n' ECHON2= ;; *) ECHON1=echo ECHON2='\c' ;; esac # Find out the name of the originator of this PR. if test -n "$NAME" then ORIGINATOR="$NAME" elif test -f $HOME/.fullname then ORIGINATOR="`sed -e '1q' $HOME/.fullname`" else # Must use temp file due to incompatibilities in quoting behavior # and to protect shell metacharacters in the expansion of $LOGNAME $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP ORIGINATOR="`cat $TEMP`" rm -f $TEMP fi if test -n "$ORGANIZATION" then if test -f "$ORGANIZATION" then ORGANIZATION="`cat $ORGANIZATION`" fi else if test -f $HOME/.organization then ORGANIZATION="`cat $HOME/.organization`" elif test -f $HOME/.signature then ORGANIZATION=`sed -e "s/^/ /" $HOME/.signature; echo ">"` fi fi PATH_DIRS=`echo $PATH | sed -e 's/^:/. /' -e 's/:$/ ./' -e 's/::/ . /g' -e 's/:/ /g' ` which_1 () { for cmd do # Absolute path ?. if expr "x$cmd" : "x/" > /dev/null then echo "$cmd" exit 0 else for d in $PATH_DIRS do file="$d/$cmd" if test -x "$file" -a ! -d "$file" then echo "$file" exit 0 fi done fi done exit 1 } change_editor () { echo "You can change editor by setting the environment variable VISUAL." echo "If your shell is a bourne shell (sh) do" echo "VISUAL=your_editors_name; export VISUAL" echo "If your shell is a C shell (csh) do" echo "setenv VISUAL your_editors_name" } # If they don't have a preferred editor set, then use vi if test -z "$VISUAL" then if test -z "$EDITOR" then EDIT=vi else EDIT="$EDITOR" fi else EDIT="$VISUAL" VISUALSET="true" fi #which_1 $EDIT used_editor=`which_1 $EDIT` echo "test -x $used_editor" if test -x "$used_editor" then echo "Using editor $used_editor"; change_editor sleep 2 else echo "Could not find a text editor. (tried $EDIT)" change_editor exit 1 fi # Find out some information. SYSTEM=`( test -f /bin/uname && /bin/uname -a ) || \ ( test -f /usr/bin/uname && /usr/bin/uname -a ) || echo ""` ARCH=`test -f /bin/arch && /bin/arch` MACHINE=`test -f /bin/machine && /bin/machine` FILE_PATHS= for cmd in argus ra libpcap.a make gmake gcc cc do file=`which_1 $cmd` if test $? = 0 then if test $cmd = "argus" then ARGUS_INFO=`$file -h 2>&1 | grep -i version 2>&1` elif test $cmd = "ra" then RA_INFO=`$file -h 2>&1 | grep -i version 2>&1` elif test $cmd = "tcpdump" then TCPDUMP_INFO=`$file -h 2>&1 | grep -i version 2>&1 | tr "\n" " "` elif test $cmd = "gcc" then GCC_INFO=`$file -v 2>&1` fi FILE_PATHS="$FILE_PATHS $file" fi done SUBJECT_C="ARGUSBug <50 character or so descriptive subject here (for reference)>" ORGANIZATION_C='' LICENCE_C='[none | licence | email support | extended email support ]' SYNOPSIS_C='' SEVERITY_C='<[ non-critical | serious | critical ] (one line)>' PRIORITY_C='<[ low | medium | high ] (one line)>' CLASS_C='<[ install-bug | sw-bug | doc-bug | change-request | support ] (one line)>' PRODUCT_C='<[ argus | ra | ratop | racluster | rasort | racount | raxml] (one line)>' RELEASE_C='' ENVIRONMENT_C='' DESCRIPTION_C='' INSTALL_C='' HOW_TO_REPEAT_C='' FIX_C='' cat > $TEMP <'). SEND-PR: From: ${USER} To: ${BUGADDR} Subject: $SUBJECT_C >Description: $DESCRIPTION_C $INSTALL_C >How-To-Repeat: $HOW_TO_REPEAT_C >Fix: $FIX_C >Submitter-Id: >Originator: ${ORIGINATOR} >Organization: ${ORGANIZATION- $ORGANIZATION_C} >ARGUS support: $LICENCE_C >Release: argus-${VERSION} >Product: $PRODUCT_C >Synopsis: $SYNOPSIS_C >Class: $CLASS_C >Severity: $SEVERITY_C >Priority: $PRIORITY_C >Environment: $ENVIRONMENT_C `test -n "$SYSTEM" && echo "System: $SYSTEM"` `test -n "$ARCH" && echo "Arch: $ARCH"` `test -n "$MACHINE" && echo "Mach: $MACHINE"` `test -n "$FILE_PATHS" && echo "Paths: $FILE_PATHS"` `test -n "$ARGUS_INFO" && echo "ARGUS: $ARGUS_INFO"` `test -n "$RA_INFO" && echo "RA: $RA_INFO"` `test -n "$TCPDUMP_INFO" && echo "TCPDUMP: $TCPDUMP_INFO"` `test -n "$GCC_INFO" && echo "GCC: $GCC_INFO"` `test -n "$LIBC_INFO" && echo "LIBC: $LIBC_INFO"` EOF chmod u+w $TEMP cp $TEMP $TEMP.x eval $EDIT $TEMP if cmp -s $TEMP $TEMP.x then echo "File not changed, no bug report submitted." echo "File saved as /tmp/argus-bugreport-template." mv $TEMP /tmp/argus-bugreport-template exit 1 fi # # Check the enumeration fields # This is a "sed-subroutine" with one keyword parameter # (with workaround for Sun sed bug) # SED_CMD=' /$PATTERN/{ s||| s|<.*>|| s|^[ ]*|| s|[ ]*$|| p q }' while :; do CNT=0 # # 1) Severity # PATTERN=">Severity:" SEVERITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$SEVERITY" in ""|non-critical|serious|critical) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$SEVERITY' is not a valid value for \`Severity'." esac # # 2) Priority # PATTERN=">Priority:" PRIORITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$PRIORITY" in ""|low|medium|high) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$PRIORITY' is not a valid value for \`Priority'." esac # # 3) Class # PATTERN=">Class:" CLASS=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$CLASS" in ""|install-bug|sw-bug|doc-bug|change-request|support) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$CLASS' is not a valid value for \`Class'." esac # # 4) Synopsis # VALUE=`grep "^>Synopsis:" $TEMP | sed 's/>Synopsis:[ ]*//'` case "$VALUE" in "$SYNOPSIS_C") echo "$COMMAND: \`$VALUE' is not a valid value for \`Synopsis'." ;; *) CNT=`expr $CNT + 1` esac test $CNT -lt 4 && echo "Errors were found with the problem report." # Check if subject of mail was changed, if not, use Synopsis field # subject=`grep "^Subject" $TEMP| sed 's/^Subject:[ ]*//'` if [ X"$subject" = X"$SUBJECT_C" -o X"$subject" = X"$SYNOPSIS_C" ]; then subject=`grep Synopsis $TEMP | sed 's/>Synopsis:[ ]*//'` sed "s/^Subject:[ ]*.*/Subject: $subject/" $TEMP > $TEMP.tmp mv -f $TEMP.tmp $TEMP fi while :; do $ECHON1 "a)bort, e)dit or s)end? $ECHON2" read input case "$input" in a*) echo "$COMMAND: problem report saved in $HOME/dead.argusbug." cat $TEMP >> $HOME/dead.argusbug xs=1; exit ;; e*) eval $EDIT $TEMP continue 2 ;; s*) break 2 ;; esac done done # # Remove comments and send the problem report # (we have to use patterns, where the comment contains regex chars) # # /^>Originator:/s;$ORIGINATOR;; sed -e " /^SEND-PR:/d /^>Organization:/,/^>[A-Za-z-]*:/s;$ORGANIZATION_C;; /^>Confidential:/s;<.*>;; /^>Synopsis:/s;$SYNOPSIS_C;; /^>Severity:/s;<.*>;; /^>Priority:/s;<.*>;; /^>Class:/s;<.*>;; /^>Release:/,/^>[A-Za-z-]*:/s;$RELEASE_C;; /^>Environment:/,/^>[A-Za-z-]*:/s;$ENVIRONMENT_C;; /^>Description:/,/^>[A-Za-z-]*:/s;$DESCRIPTION_C;; /^>How-To-Repeat:/,/^>[A-Za-z-]*:/s;$HOW_TO_REPEAT_C;; /^>Fix:/,/^>[A-Za-z-]*:/s;$FIX_C;; " $TEMP > $TEMP.x if $MAIL_AGENT < $TEMP.x then echo "$COMMAND: problem report sent" xs=0; exit else echo "$COMMAND: mysterious mail failure, report not sent." echo "$COMMAND: problem report saved in $HOME/dead.argusbug." cat $TEMP >> $HOME/dead.argusbug fi exit 0 argus-3.0.8.2/bin/mkdep000555 000765 000024 00000004533 12513222401 015217 0ustar00carterstaff000000 000000 #!/bin/sh - # # Copyright (c) 1987 Regents of the University of California. # All rights reserved. # # Redistribution and use in source and binary forms are permitted # provided that the above copyright notice and this paragraph are # duplicated in all such forms and that any documentation, # advertising materials, and other materials related to such # distribution and use acknowledge that the software was developed # by the University of California, Berkeley. The name of the # University may not be used to endorse or promote products derived # from this software without specific prior written permission. # THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED # WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. # # @(#)mkdep.sh 5.12 (Berkeley) 6/30/88 # MAKE=Makefile # default makefile name is "Makefile" CC=cc # default C compiler is "cc" while : do case "$1" in # -c allows you to specify the C compiler -c) CC=$2 shift; shift ;; # -f allows you to select a makefile name -f) MAKE=$2 shift; shift ;; # the -p flag produces "program: program.c" style dependencies # so .o's don't get produced -p) SED='s;\.o;;' shift ;; *) break ;; esac done if [ $# = 0 ] ; then echo 'usage: mkdep [-p] [-c cc] [-f makefile] [flags] file ...' exit 1 fi if [ ! -w $MAKE ]; then echo "mkdep: no writeable file \"$MAKE\"" exit 1 fi TMP=/tmp/mkdep$$ trap 'rm -f $TMP ; exit 1' 1 2 3 13 15 cp $MAKE ${MAKE}.bak sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP cat << _EOF_ >> $TMP # DO NOT DELETE THIS LINE -- mkdep uses it. # DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY. _EOF_ # If your compiler doesn't have -M, add it. If you can't, the next two # lines will try and replace the "cc -M". The real problem is that this # hack can't deal with anything that requires a search path, and doesn't # even try for anything using bracket (<>) syntax. # # egrep '^#include[ ]*".*"' /dev/null $* | # sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' | $CC -MM $* | sed " s; \./; ;g $SED" >> $TMP cat << _EOF_ >> $TMP # IF YOU PUT ANYTHING HERE IT WILL GO AWAY _EOF_ # copy to preserve permissions cp $TMP $MAKE rm -f ${MAKE}.bak $TMP exit 0 argus-3.0.8.2/argus/argus.c000444 000765 000024 00000200467 12545246746 016062 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/argus.c#101 $ * $DateTime: 2015/07/02 10:42:46 $ * $Change: 3030 $ */ /* * argus - Audit Record Generation and Utilization System * * written by Carter Bullard * QoSient LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(Argus) #define Argus #endif #define _GNU_SOURCE #include #include #include #if defined(HAVE_SYS_TYPES_H) #include #endif #if defined(HAVE_SYS_WAIT_H) #include #endif #include #if defined(ARGUS_TILERA) #include #include #include #include #include #include void bind_proc(int); #endif void ArgusParseResourceFile (struct ArgusModelerStruct *, char *); char *ArgusPidFile = NULL; pid_t ArgusSessionId = 0; struct timeval ArgusNowTime; char *ArgusPidPath = NULL; int ArgusDaemon = 0; #if defined(ARGUS_THREADS) pthread_attr_t attrbuf, *ArgusAttr = &attrbuf; #endif void usage(void) { extern char version[]; fprintf (stdout, "Argus Version %s\n", version); fprintf (stdout, "usage: %s [options] [-i interface] [filter-expression] \n", ArgusProgramName); fprintf (stdout, "usage: %s [options] -r packetfile [filter-expression] \n\n", ArgusProgramName); fprintf (stdout, "options: -A Generate application byte metrics.\n"); fprintf (stdout, " -b dump filter compiler output.\n"); fprintf (stdout, " -B specify bind interface address(s).\n"); fprintf (stdout, " -c daemon chroot directory.\n"); fprintf (stdout, " -C run in control plane monitoring mode.\n"); fprintf (stdout, " -d run Argus in daemon mode.\n"); #if defined(ARGUSDEBUG) fprintf (stdout, " -D set debug reporting .\n"); #endif fprintf (stdout, " -e specify Argus Identifier .\n"); fprintf (stdout, " -f don't stop when EOF is seen, but wait for more\n"); fprintf (stdout, " packets to arrive in packet capture file.\n"); fprintf (stdout, " -F read configuration from .\n"); fprintf (stdout, " -h print help.\n"); fprintf (stdout, " -i specify interface to use as a packet source.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -i ind:all open all as independent sources.\n"); fprintf (stdout, " -i dup:en0,en1/srcid use two as duplex sources. \n"); fprintf (stdout, " -i bond:en0,en1/srcid use two as bonded interfaces. \n"); fprintf (stdout, " -i dup:[bond:en0,en1],en2 complex specification. \n"); fprintf (stdout, " -i en0/srcid -i en1/srcid equivalent to '-i ind:en0/..' \n"); fprintf (stdout, " -i en0 en1 equivalent '-i bond:en0,en1') \n"); fprintf (stdout, " -J generate packet performance data.\n"); fprintf (stdout, " -M set MAR Status Report Time Interval (300s).\n"); fprintf (stdout, " -m turn on MAC Layer Reporting.\n"); fprintf (stdout, " -O turn off filter optimizer.\n"); fprintf (stdout, " -p don't go into promiscuous mode.\n"); fprintf (stdout, " -P enable remote access on (561).\n"); fprintf (stdout, " -r use packet file as data source.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -r file file open files as, discover packet formats\n"); fprintf (stdout, " -r cisco:file open files and look for netflow records in packet payload\n"); fprintf (stdout, " -R generate response time data.\n"); fprintf (stdout, " -s set the packet snaplen size.\n"); fprintf (stdout, " -S set FAR Status Report Time Interval (60s).\n"); fprintf (stdout, " -t indicate that packetfile is MOAT Tsh format. \n"); fprintf (stdout, " -u specify user id for daemon.\n"); fprintf (stdout, " -g specify group id for daemon.\n"); fprintf (stdout, " -U specify the number of user bytes to capture.\n"); fprintf (stdout, " -w write output to , or '-', for stdout,\n"); fprintf (stdout, " against optional filter expression.\n"); fprintf (stdout, " -w write output to URL based stream.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -w argus-udp://hostname[:port] default port is 561. \n"); fprintf (stdout, " -w udp://hostname[:port] \n"); fprintf (stdout, " -w - write to stdout \n"); fprintf (stdout, " -X reset argus configuration.\n"); fprintf (stdout, " -Z generate packet size data.\n"); fflush (stdout); exit (-1); } /* * Argus main routine * * Argus main will: * simply instantiate the source, modeler, and output tasks, * parse out the command line options, * initalize the tasks and then loop. * Afterwards, it will delete all the tasks and exit(); * */ #define ArgusEnvItems 2 char *ArgusResourceEnvStr [] = { "ARGUSHOME", "HOME", }; #include #include #include #include #include static char ArgusPidFileName[MAXPATHNAMELEN]; char * ArgusCreatePIDFile (struct ArgusSourceStruct *, char *, char *); void setArgusEventDataRecord (char *); extern void setArgusPcapBufSize (struct ArgusSourceStruct *, int); #define ARGUS_MAX_INSTANCES 5 char * ArgusCreatePIDFile (struct ArgusSourceStruct *src, char *pidpath, char *appname) { FILE *fd; char pidstrbuf[128], *pidstr = pidstrbuf; char *retn = NULL, *dev = NULL, *devstr = NULL; int i, pid; struct stat statbuf; if (pidpath == NULL) if (stat ("/var/run", &statbuf) == 0) pidpath = "/var/run"; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) pidpath is %s\n", pidpath, appname, pidpath); #endif if ((appname != NULL) && ((dev = getArgusDevice(src)) != NULL) && (pidpath != NULL)) { if ((devstr = strrchr(dev, (int)'/')) != NULL) devstr++; else devstr = dev; for (i = 0; i < ARGUS_MAX_INSTANCES; i++) { snprintf (ArgusPidFileName, MAXPATHNAMELEN - 1, "%s/%s.%s.%d.pid", pidpath, appname, devstr, i); retn = ArgusPidFileName; if ((stat (retn, &statbuf)) == 0) { if ((fd = fopen (ArgusPidFileName, "r")) != NULL) { if ((pidstr = fgets (pidstrbuf, 128, fd)) != NULL) { if ((pid = strtol(pidstr, (char **)NULL, 10)) > 0) { if (pid < 100000000) { if ((kill (pid, 0)) == 0) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) pid %d is running\n", pidpath, appname, pid); #endif retn = NULL; } else { switch (errno) { case ESRCH: break; default: ArgusLog (LOG_ERR, "kill returned error: %s\n", strerror(errno)); } } } } } fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) fopen error %s:%s\n", pidpath, appname, ArgusPidFileName, strerror(errno)); #endif } } if (retn != NULL) break; } if (retn && ((fd = fopen (retn, "w+")) != NULL)) { pid = getpid(); fprintf (fd, "%d\n", pid); fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) fopen error %s\n", pidpath, appname, strerror(errno)); #endif retn = NULL; } } else { #ifdef ARGUSDEBUG if (dev == NULL) ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) dev is null\n", pidpath, appname); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) returning %s\n", pidpath, appname, retn); #endif return (retn); } int main (int argc, char *argv[]) { int commandlinew = 0, doconf = 0; static char path[MAXPATHNAMELEN]; int dodebug = 0, i, pid = 0; char *tmparg, *filter; extern char *optarg; struct stat statbuf; extern int optind, opterr; int op, commandlinei = 0; #if defined(ARGUS_THREADS) sigset_t blocked_signals; #if defined(_POSIX_THREAD_PRIORITY_SCHEDULING) && !defined(sun) && !defined(CYGWIN) && !defined(OpenBSD) int thread_policy; struct sched_param thread_param; #if defined(HAVE_SCHED_GET_PRIORITY_MIN) int rr_min_priority, rr_max_priority; #endif #endif int status; #endif ArgusUid = getuid(); ArgusGid = getgid(); gettimeofday(&ArgusNowTime, 0L); uflag = 0; pflag = 6; if (strchr (argv[0], '/')) { #if defined(HAVE_STRLCPY) strlcpy(path, argv[0], MAXPATHNAMELEN - 1); #else bzero(path, MAXPATHNAMELEN); strncpy(path, argv[0], MAXPATHNAMELEN - 1); #endif argv[0] = strrchr(argv[0], '/') + 1; } ArgusProgramName = argv[0]; #ifdef HAVE_SYSLOG #ifndef LOG_PERROR #define LOG_PERROR LOG_CONS #endif openlog (ArgusProgramName, LOG_PID | LOG_PERROR, LOG_DAEMON); #endif for (i = 1; (i < argc); i++) { char *ptr = argv[i]; if (ptr != NULL) { if (*ptr == '-') { ptr++; if ((*ptr == 0) || (isspace((int)*ptr))) break; do { switch (*ptr) { case 'D': if (isdigit((int)*++ptr)) { setArgusdflag (ArgusModel, atoi (ptr)); } else { if (isdigit((int)*argv[i + 1])) setArgusdflag (ArgusModel, atoi (argv[++i])); else break; } break; case 'X': case 'F': doconf++; break; default: { if (dodebug) { if (isdigit((int)*ptr)) { setArgusdflag (ArgusModel, atoi (ptr)); dodebug = 0; } } } } } while (isalpha((int)*++ptr)); } } } if ((ArgusModel = ArgusNewModeler()) == NULL) ArgusLog (LOG_ERR, "Error Creating Modeler: Exiting.\n"); if ((ArgusSourceTask = ArgusNewSource(ArgusModel)) == NULL) ArgusLog (LOG_ERR, "Error Creating Source Task: Exiting.\n"); if ((ArgusOutputTask = ArgusNewOutput(ArgusSourceTask, ArgusModel)) == NULL) ArgusLog (LOG_ERR, "Error Creating Output Thread: Exiting.\n"); ArgusModel->ArgusSrc = ArgusSourceTask; setArgusFarReportInterval (ArgusModel, ARGUS_FARSTATUSTIMER); setArgusMarReportInterval (ArgusOutputTask,ARGUS_MARSTATUSTIMER); if (!doconf) { snprintf (path, MAXPATHNAMELEN - 1, "/etc/argus.conf"); if (stat (path, &statbuf) == 0) { ArgusParseResourceFile (ArgusModel, path); } } optind = 1, opterr = 0; while ((op = getopt (argc, argv, "AbB:c:CdD:e:fF:g:i:JmM:N:OP:pRr:S:s:tT:u:U:w:XZh")) != EOF) { switch (op) { case 'A': setArgusAflag(ArgusModel, 1); break; case 'b': setArgusbpflag (ArgusSourceTask, 1); break; case 'B': setArgusBindAddr (ArgusOutputTask, optarg); break; case 'c': if ((chroot_dir = strdup(optarg)) == NULL) ArgusLog (LOG_ERR, "strdup %s", strerror(errno)); break; case 'C': { setArgusCaptureFlag(ArgusSourceTask, 1); setArgusControlMonitor(ArgusModel); setArgusSnapLen(ArgusSourceTask, ARGUS_MAXSNAPLEN); break; } case 'd': ArgusDaemon = ArgusDaemon ? 0 : 1; break; case 'D': setArgusdflag (ArgusModel, atoi (optarg)); break; case 'e': ArgusParseSourceID(ArgusSourceTask, optarg); break; case 'f': setArgusfflag (ArgusSourceTask, 1); break; case 'F': ArgusParseResourceFile (ArgusModel, optarg); break; case 'g': { struct group *gr; if ((gr = getgrnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown group \"%s\"\n", optarg); new_gid = gr->gr_gid; endgrent(); break; } case 'i': { char Istr[1024], *Iptr = Istr; if (!commandlinei++) clearArgusDevice(ArgusSourceTask); do { memset(Istr, 0, sizeof(Istr)); if (*optarg == '"') { if (Iptr[1] != '\0') snprintf (Istr, 1024, "%s ", (&Iptr[1])); while ((Iptr = strchr (Istr, '"')) == NULL) { if ((optarg = argv[optind]) != NULL) { snprintf (&Istr[strlen(Istr)], (1024 - strlen(Istr)), "%s ", optarg); optind++; } else break; } optarg = Istr; } else snprintf (&Istr[strlen(Istr)], (1024 - strlen(Istr)), "%s ", optarg); if ((optarg = argv[optind]) != NULL) if (*optarg != '-') optind++; } while (optarg && (*optarg != '-')); setArgusDevice (ArgusSourceTask, Istr, ARGUS_LIVE_DEVICE, 0); break; } case 'J': setArgusGenerateTime (ArgusModel, 1); break; case 'm': setArgusmflag (ArgusModel, 1); break; case 'M': setArgusMarReportInterval (ArgusOutputTask, optarg); break; case 'N': { char *ptr = NULL; if ((ptr = strchr (optarg, '-')) != NULL) { char *eptr = ptr + 1; ArgusSourceTask->sNflag = strtol(optarg, (char **)&ptr, 10); if (ptr == optarg) usage (); ArgusSourceTask->eNflag = strtol(eptr, (char **)&ptr, 10); if (ptr == eptr) usage (); } else { ArgusSourceTask->sNflag = 0; ArgusSourceTask->eNflag = strtol(optarg, (char **)&ptr, 10); if (ptr == optarg) usage (); } break; } case 'O': setArgusOflag (ArgusSourceTask, 0); break; case 'P': setArgusPortNum(ArgusOutputTask, atoi(optarg)); break; case 'p': setArguspflag (ArgusSourceTask, 1); break; case 'R': setArgusResponseStatus (ArgusModel, 1); break; case 'r': { char Rstr[1024], *Rptr = Rstr; do { if (*optarg == '"') { if (Rptr[1] != '\0') snprintf (Rstr, 1024, "%s ", (&Rptr[1])); while ((Rptr = strchr (Rstr, '"')) == NULL) { if ((optarg = argv[optind]) != NULL) { snprintf (&Rstr[strlen(Rstr)], (1024 - strlen(Rstr)), "%s ", optarg); optind++; } else break; } optarg = Rstr; } setArgusrfile (ArgusSourceTask, optarg); if ((optarg = argv[optind]) != NULL) if (*optarg != '-') optind++; } while (optarg && (*optarg != '-')); break; } case 'S': setArgusFarReportInterval (ArgusModel, optarg); break; case 's': setArgusSnapLen (ArgusSourceTask, atoi(optarg)); break; case 't': setArgusMoatTshFile (ArgusSourceTask, 1); break; case 'T': { float value; char *nptr = optarg, *endptr; value = strtod(nptr, &endptr); if (nptr != endptr) setArgusRealTime (ArgusSourceTask, value); else usage (); break; } case 'u': { struct passwd *pw; if ((pw = getpwnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown user \"%s\"\n", optarg); new_uid = pw->pw_uid; endpwent(); break; } case 'U': setArgusUserDataLen (ArgusModel, atoi (optarg)); if (getArgusSnapLen(ArgusSourceTask) != ARGUS_MAXSNAPLEN) setArgusSnapLen (ArgusSourceTask, atoi(optarg) + ARGUS_MINSNAPLEN); break; case 'w': if (!commandlinew++) clearArgusWfile(); if ((tmparg = optarg) != NULL) { if ((*tmparg != '-') || ((*tmparg == '-') && (!(strcmp (tmparg, "-"))))) { if (argc == optind) filter = NULL; else { filter = argv[optind]; if (*filter == '-') { filter = NULL; } else optind++; } setArgusWfile (tmparg, filter); break; } } case 'X': clearArgusConfiguration (ArgusModel); break; case 'Z': setArgusGeneratePacketSize(ArgusModel, 1); break; case 'h': default: usage (); } } setArgusArgv (ArgusSourceTask, argv); setArgusOptind (ArgusSourceTask, optind); setArgusCmdBuf (ArgusSourceTask); if (ArgusSourceTask->ArgusCmdBuf != NULL) ArgusSourceTask->ArgusInputFilter = strdup(ArgusSourceTask->ArgusCmdBuf); if (getArgusrfile(ArgusSourceTask) != NULL) { if (!(getArgusRealTime(ArgusSourceTask))) { ArgusDaemon = 0; setArgusBindAddr(ArgusOutputTask, NULL); ArgusSourceTask->ArgusReadingOffLine++; if (getArgusfflag (ArgusSourceTask) == 0) { setArgusPortNum(ArgusOutputTask, 0); } } } setArgusInterfaceStatus(ArgusSourceTask, 1); if ((daemonflag = ArgusDaemon) != 0) { if ((pid = fork ()) < 0) { ArgusLog (LOG_ERR, "Can't fork daemon %s", strerror(errno)); } else { if (pid) { struct timespec ts = {0, 500000000}; int status; nanosleep(&ts, NULL); waitpid(pid, &status, WNOHANG); if (kill(pid, 0) < 0) { exit (1); } else exit (0); } else { ArgusSessionId = setsid(); ArgusLog(LOG_WARNING, "started"); if ((freopen ("/dev/null", "w", stdout)) == NULL) ArgusLog (LOG_ERR, "Cannot map stdout to /dev/null"); if ((freopen ("/dev/null", "w", stderr)) == NULL) ArgusLog (LOG_ERR, "Cannot map stderr to /dev/null"); #ifdef HAVE_SYSLOG closelog (); openlog (ArgusProgramName, LOG_PID, LOG_DAEMON); #endif } } } #if defined(ARGUS_THREADS) pthread_mutex_init(&ArgusMainLock, NULL); if ((status = pthread_attr_init(ArgusAttr)) != 0) ArgusLog (LOG_ERR, "pthreads init error"); #if defined(_POSIX_THREAD_PRIORITY_SCHEDULING) && !defined(sun) && !defined(CYGWIN) && !defined(OpenBSD) if ((pthread_attr_getschedpolicy(ArgusAttr, &thread_policy)) != 0) ArgusLog (LOG_ERR, "pthreads get policy error"); if ((pthread_attr_getschedparam(ArgusAttr, &thread_param)) != 0) ArgusLog (LOG_ERR, "pthreads get sched params error"); if ((pthread_attr_setschedpolicy(ArgusAttr, SCHED_RR)) != 0) ArgusLog (LOG_ERR, "pthreads set SCHED_RR error"); #if defined(HAVE_SCHED_GET_PRIORITY_MIN) if ((rr_min_priority = sched_get_priority_min(SCHED_RR)) == -1) ArgusLog (LOG_ERR, "pthreads get priority min error"); if ((rr_max_priority = sched_get_priority_max(SCHED_RR)) == -1) ArgusLog (LOG_ERR, "pthreads get priority max error"); thread_param.sched_priority = (rr_max_priority + rr_min_priority)/2 + 1; if (thread_param.sched_priority > rr_max_priority) thread_param.sched_priority = rr_max_priority; if (thread_param.sched_priority < (rr_max_priority - 8)) thread_param.sched_priority = rr_max_priority - 8; if ((pthread_attr_setschedparam(ArgusAttr, &thread_param)) != 0) ArgusLog (LOG_ERR, "pthreads set sched param error"); #endif #else #if defined(__sun__) pthread_attr_setschedpolicy(ArgusAttr, SCHED_RR); #endif #endif pthread_attr_setdetachstate(ArgusAttr, PTHREAD_CREATE_JOINABLE); #endif ArgusInitOutput (ArgusOutputTask); if (getArgusrfile(ArgusSourceTask) != NULL) { if (getArgusRealTime(ArgusSourceTask)) { ArgusInitEvents (ArgusEventsTask); } } else { ArgusInitEvents (ArgusEventsTask); } #if defined(ARGUS_THREADS) sigemptyset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #endif #if defined(HAVE_SOLARIS) sigignore(SIGPIPE); #else (void) signal (SIGPIPE, SIG_IGN); #endif (void) signal (SIGHUP, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGINT, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGTERM, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGUSR1, (void (*)(int)) ArgusUsr1Sig); (void) signal (SIGUSR2, (void (*)(int)) ArgusUsr2Sig); ArgusSourceProcess(ArgusSourceTask); #ifdef ARGUSDEBUG ArgusDebug (1, "main() ArgusSourceProcess returned: shuting down"); #endif ArgusShutDown(0); #ifdef HAVE_SYSLOG closelog(); #endif exit(0); } void ArgusComplete () { #define ARGUSPERFMETRICS 1 #if defined(ARGUSPERFMETRICS) long long ArgusTotalPkts = 0, ArgusTotalIPPkts = 0; long long ArgusTotalNonIPPkts = 0; struct timeval timediff; double totaltime; int i, len; char buf[256]; long long ArgusTotalNewFlows; long long ArgusTotalClosedFlows; long long ArgusTotalSends; long long ArgusTotalBadSends; long long ArgusTotalUpdates; long long ArgusTotalCacheHits; char *ArgusIntStr[ARGUS_MAXINTERFACE]; bzero(ArgusIntStr, sizeof(ArgusIntStr)); #endif #if defined(ARGUSPERFMETRICS) for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (ArgusSourceTask->ArgusInterface[i].ArgusDevice != NULL) { ArgusTotalPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts; ArgusTotalIPPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalIPPkts; ArgusTotalNonIPPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalNonIPPkts; } } if (ArgusSourceTask->ArgusEndTime.tv_sec == 0) gettimeofday (&ArgusSourceTask->ArgusEndTime, 0L); if (ArgusSourceTask->ArgusStartTime.tv_sec == 0) ArgusSourceTask->ArgusStartTime = ArgusSourceTask->ArgusEndTime; bzero(buf, sizeof(buf)); timediff.tv_sec = ArgusSourceTask->ArgusEndTime.tv_sec - ArgusSourceTask->ArgusStartTime.tv_sec; timediff.tv_usec = ArgusSourceTask->ArgusEndTime.tv_usec - ArgusSourceTask->ArgusStartTime.tv_usec; if (timediff.tv_usec < 0) { timediff.tv_usec += 1000000; timediff.tv_sec--; } totaltime = (double) timediff.tv_sec + (((double) timediff.tv_usec)/1000000.0); for (i = 0; i < ARGUS_MAXINTERFACE; i++) { char sbuf[MAXSTRLEN]; if (ArgusSourceTask->ArgusInterface[i].ArgusDevice != NULL) { sprintf (sbuf, "%s\n Total Pkts %8lld Rate %f\n", ArgusSourceTask->ArgusInterface[i].ArgusDevice->name, ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts, ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts/totaltime); ArgusIntStr[i] = strdup(sbuf); } } #endif ArgusCloseSource (ArgusSourceTask); ArgusCloseEvents (ArgusEventsTask); ArgusCloseModeler (ArgusModel); ArgusCloseOutput (ArgusOutputTask); #if defined(ARGUSPERFMETRICS) ArgusTotalNewFlows = ArgusModel->ArgusTotalNewFlows; ArgusTotalClosedFlows = ArgusModel->ArgusTotalClosedFlows; ArgusTotalSends = ArgusModel->ArgusTotalSends; ArgusTotalBadSends = ArgusModel->ArgusTotalBadSends; ArgusTotalUpdates = ArgusModel->ArgusTotalUpdates; ArgusTotalCacheHits = ArgusModel->ArgusTotalCacheHits; #endif ArgusFree(ArgusOutputTask); ArgusFree(ArgusModel); ArgusDeleteSource(ArgusSourceTask); #if defined(ARGUSPERFMETRICS) len = strlen(ArgusProgramName); for (i = 0; i < len; i++) buf[i] = ' '; if (ArgusTotalNewFlows > 0) { extern int ArgusAllocTotal, ArgusFreeTotal, ArgusAllocMax; fprintf (stderr, "%s: Time %d.%06d Flows %-8lld Closed %-8lld Sends %-8lld BSends %-8lld\n", ArgusProgramName, (int)timediff.tv_sec, (int)timediff.tv_usec, ArgusTotalNewFlows, ArgusTotalClosedFlows, ArgusTotalSends, ArgusTotalBadSends); fprintf (stderr, "%*s Updates %-8lld Cache %-8lld\n", (int)strlen(ArgusProgramName), " ", ArgusTotalUpdates, ArgusTotalCacheHits); fprintf (stderr, "%*s Total Memory %-8d Free %-8d MaxBytes %d\n", (int)strlen(ArgusProgramName), " ", ArgusAllocTotal, ArgusFreeTotal, ArgusAllocMax); } for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (ArgusIntStr[i] != NULL) { fprintf (stderr, "Source: %s\n", ArgusIntStr[i]); free(ArgusIntStr[i]); } } #endif } char *ArgusSignalTable [] = { "Normal Shutdown", "SIGHUP", "SIGINT", "SIGQUIT", "SIGILL", "SIGTRAP", "SIGABRT", "SIGBUS", "SIGFPE", "SIGKILL", "SIGUSR1", "SIGSEGV", "SIGUSR2", "SIGPIPE", "SIGALRM", "SIGTERM", "SIGSTKFLT", "SIGCHLD", "SIGCONT", "SIGSTOP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGXCPU", "SIGXFSZ", "SIGVTALRM", "SIGPROF", "SIGWINCH", "SIGIO", }; int ArgusShutDownFlag = 0; #if defined(HAVE_BACKTRACE) #include #endif void ArgusScheduleShutDown (int sig) { ArgusShutDownFlag++; #ifdef ARGUSDEBUG #if defined(HAVE_BACKTRACE) if (Argusdflag > 1) { void* callstack[128]; int i, frames = backtrace(callstack, 128); char** strs = backtrace_symbols(callstack, frames); ArgusLog(LOG_WARNING, "ArgusScheduleShutDown(%d)", sig); for (i = 0; i < frames; ++i) { ArgusLog(LOG_WARNING, "%s", strs[i]); } free(strs); } #endif ArgusDebug (1, "ArgusScheduleShutDown(%d)\n", sig); #endif } void ArgusShutDown (int sig) { ArgusShutDownFlag++; #if defined(ARGUSDEBUG) #if defined(HAVE_BACKTRACE) if (Argusdflag > 1) { void* callstack[128]; int i, frames = backtrace(callstack, 128); char** strs = backtrace_symbols(callstack, frames); ArgusLog(LOG_WARNING, "ArgusShutDown(%d)", sig); for (i = 0; i < frames; ++i) { ArgusLog(LOG_WARNING, "%s", strs[i]); } free(strs); } #endif #endif if (sig < 0) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusShutDown(ArgusError)\n"); #endif exit(0); } #ifdef ARGUSDEBUG if (Argusdflag >= 1) fprintf(stderr, "\n"); ArgusDebug (1, "ArgusShutDown(%s)\n\n", ArgusSignalTable[sig]); #endif if (!(ArgusShutDownStarted++)) { ArgusComplete (); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusShutDown() returning\n"); #endif return; } if (ArgusPidFile) unlink (ArgusPidFile); if (ArgusPidPath) free (ArgusPidPath); ArgusDeleteMallocList(); if (daemonflag) ArgusLog(LOG_WARNING, "stopped"); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusShutDown()\n"); #endif exit(0); } void setArgusBindAddr (struct ArgusOutputStruct *output, char *value) { if (value) { if (output->ArgusBindAddrs == NULL) output->ArgusBindAddrs = ArgusNewList(); struct ArgusBindAddrStruct *baddr; char *tok, *ptr = value; while ((tok = strtok (ptr, ", \t")) != NULL) { if ((baddr = (struct ArgusBindAddrStruct *) ArgusCalloc(1, sizeof(*baddr))) == NULL) ArgusLog (LOG_ERR, "setArgusBindAddr ArgusCalloc %s\n", strerror(errno)); baddr->addr = strdup(tok); ArgusPushBackList(output->ArgusBindAddrs, (struct ArgusListRecord *) baddr, ARGUS_LOCK); ptr = NULL; } } else { if (output->ArgusBindAddrs != NULL) { ArgusDeleteList(output->ArgusBindAddrs, ARGUS_BIND_ADDR_LIST); output->ArgusBindAddrs = NULL; } } } char * getArgusBindAddr (struct ArgusOutputStruct *output) { char *retn = NULL; if (output->ArgusBindAddrs != NULL) { if (output->ArgusBindAddrs->start) { struct ArgusBindAddrStruct *baddr = (void *) output->ArgusBindAddrs->start; retn = baddr->addr; } } return(retn); } void setArguspidflag (int value) { pidflag = value; } int getArguspidflag () { return (pidflag); } #define ARGUS_RCITEMS 51 #define ARGUS_DAEMON 0 #define ARGUS_MONITOR_ID 1 #define ARGUS_ACCESS_PORT 2 #define ARGUS_INTERFACE 3 #define ARGUS_OUTPUT_FILE 4 #define ARGUS_SET_PID 5 #define ARGUS_PID_PATH 6 #define ARGUS_GO_PROMISCUOUS 7 #define ARGUS_FLOW_STATUS_INTERVAL 8 #define ARGUS_MAR_STATUS_INTERVAL 9 #define ARGUS_CAPTURE_DATA_LEN 10 #define ARGUS_GENERATE_START_RECORDS 11 #define ARGUS_GENERATE_RESPONSE_TIME_DATA 12 #define ARGUS_GENERATE_JITTER_DATA 13 #define ARGUS_GENERATE_MAC_DATA 14 #define ARGUS_DEBUG_LEVEL 15 #define ARGUS_FILTER_OPTIMIZER 16 #define ARGUS_FILTER 17 #define ARGUS_PACKET_CAPTURE_FILE 18 #define ARGUS_PACKET_CAPTURE_ON_ERROR 19 #define ARGUS_BIND_IP 20 #define ARGUS_MIN_SSF 21 #define ARGUS_MAX_SSF 22 #define ARGUS_COLLECTOR 23 #define ARGUS_FLOW_TYPE 24 #define ARGUS_FLOW_KEY 25 #define ARGUS_GENERATE_APPBYTE_METRIC 26 #define ARGUS_CHROOT_DIR 27 #define ARGUS_SETUSER_ID 28 #define ARGUS_SETGROUP_ID 29 #define ARGUS_GENERATE_TCP_PERF_METRIC 30 #define ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS 31 #define ARGUS_GENERATE_PACKET_SIZE 32 #define ARGUS_ENV 33 #define ARGUS_CAPTURE_FULL_CONTROL_DATA 34 #define ARGUS_SELF_SYNCHRONIZE 35 #define ARGUS_EVENT_DATA 36 #define ARGUS_JITTER_HISTOGRAM 37 #define ARGUS_OUTPUT_STREAM 38 #define ARGUS_KEYSTROKE 39 #define ARGUS_KEYSTROKE_CONF 40 #define ARGUS_TUNNEL_DISCOVERY 41 #define ARGUS_IP_TIMEOUT 42 #define ARGUS_TCP_TIMEOUT 43 #define ARGUS_ICMP_TIMEOUT 44 #define ARGUS_IGMP_TIMEOUT 45 #define ARGUS_FRAG_TIMEOUT 46 #define ARGUS_ARP_TIMEOUT 47 #define ARGUS_OTHER_TIMEOUT 48 #define ARGUS_TRACK_DUPLICATES 49 #define ARGUS_PCAP_BUF_SIZE 50 char *ArgusResourceFileStr [ARGUS_RCITEMS] = { "ARGUS_DAEMON=", "ARGUS_MONITOR_ID=", "ARGUS_ACCESS_PORT=", "ARGUS_INTERFACE=", "ARGUS_OUTPUT_FILE=", "ARGUS_SET_PID=", "ARGUS_PID_PATH=", "ARGUS_GO_PROMISCUOUS=", "ARGUS_FLOW_STATUS_INTERVAL=", "ARGUS_MAR_STATUS_INTERVAL=", "ARGUS_CAPTURE_DATA_LEN=", "ARGUS_GENERATE_START_RECORDS=", "ARGUS_GENERATE_RESPONSE_TIME_DATA=", "ARGUS_GENERATE_JITTER_DATA=", "ARGUS_GENERATE_MAC_DATA=", "ARGUS_DEBUG_LEVEL=", "ARGUS_FILTER_OPTIMIZER=", "ARGUS_FILTER=", "ARGUS_PACKET_CAPTURE_FILE=", "ARGUS_PACKET_CAPTURE_ON_ERROR=", "ARGUS_BIND_IP=", "ARGUS_MIN_SSF=", "ARGUS_MAX_SSF=", "ARGUS_COLLECTOR=", "ARGUS_FLOW_TYPE=", "ARGUS_FLOW_KEY=", "ARGUS_GENERATE_APPBYTE_METRIC=", "ARGUS_CHROOT_DIR=", "ARGUS_SETUSER_ID=", "ARGUS_SETGROUP_ID=", "ARGUS_GENERATE_TCP_PERF_METRIC=", "ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=", "ARGUS_GENERATE_PACKET_SIZE=", "ARGUS_ENV=", "ARGUS_CAPTURE_FULL_CONTROL_DATA=", "ARGUS_SELF_SYNCHRONIZE=", "ARGUS_EVENT_DATA=", "ARGUS_JITTER_HISTOGRAM=", "ARGUS_OUTPUT_STREAM=", "ARGUS_KEYSTROKE=", "ARGUS_KEYSTROKE_CONF=", "ARGUS_TUNNEL_DISCOVERY=", "ARGUS_IP_TIMEOUT=", "ARGUS_TCP_TIMEOUT=", "ARGUS_ICMP_TIMEOUT=", "ARGUS_IGMP_TIMEOUT=", "ARGUS_FRAG_TIMEOUT=", "ARGUS_ARP_TIMEOUT=", "ARGUS_OTHER_TIMEOUT=", "ARGUS_TRACK_DUPLICATES=", "ARGUS_PCAP_BUF_SIZE=", }; extern pcap_dumper_t *ArgusPcapOutFile; extern char *ArgusWriteOutPacketFile; void ArgusParseResourceFile (struct ArgusModelerStruct *model, char *file) { FILE *fd; char strbuf[MAXSTRLEN], *str = strbuf, *optarg; char result[MAXSTRLEN], *qptr = NULL; int i, len, done = 0, linenum = 0; int interfaces = 0, outputfiles = 0; if (file) { if ((fd = fopen (file, "r")) != NULL) { while ((fgets(str, MAXSTRLEN, fd)) != NULL) { done = 0; linenum++; while (*str && isspace((int)*str)) str++; if (*str && (*str != '#') && (*str != '\n') && (*str != '!')) { for (i = 0; i < ARGUS_RCITEMS && !done; i++) { len = strlen(ArgusResourceFileStr[i]); if (!(strncmp (str, ArgusResourceFileStr[i], len))) { int quoted = 0; optarg = &str[len]; if (*optarg == '\"') { optarg++; if ((qptr = strchr(optarg, '"')) != NULL) *qptr++ = '\0'; else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) string unterminated at line %d\n", file, linenum); quoted = 1; } // deal with potential embedded comments if (!quoted) { if (((qptr = strstr(optarg, " //")) != NULL) || ((qptr = strstr(optarg, "\t//")) != NULL)) *qptr++ = '\0'; } while (optarg[strlen(optarg) - 1] == '\n') optarg[strlen(optarg) - 1] = '\0'; switch (i) { case ARGUS_DAEMON: if (!(strncasecmp(optarg, "yes", 3))) ArgusDaemon = 1; else ArgusDaemon = 0; break; case ARGUS_MONITOR_ID: if (optarg && quoted) { // Argus ID is a string. Limit to date is 4 characters. int slen = strlen(optarg); if (slen > 4) optarg[4] = '\0'; setArgusID (ArgusSourceTask, optarg, ARGUS_TYPE_STRING); } else { if (optarg && (*optarg == '`')) { char *ptr = NULL; char *tptr = strchr((optarg + 1), '`'); if (tptr != NULL) { FILE *fd; optarg++; *tptr = '\0'; if (!(strcmp (optarg, "hostname"))) { if ((fd = popen("hostname", "r")) != NULL) { ptr = NULL; clearerr(fd); while ((ptr == NULL) && !(feof(fd))) ptr = fgets(result, MAXSTRLEN, fd); if (ptr == NULL) ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) `hostname` failed %s.\n", file, strerror(errno)); optarg = ptr; optarg[strlen(optarg) - 1] = '\0'; pclose(fd); if ((ptr = strstr(optarg, ".local")) != NULL) { if (strlen(ptr) == strlen(".local")) *ptr = '\0'; } } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) System error: popen() %s\n", file, strerror(errno)); } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) unsupported command `%s` at line %d.\n", file, optarg, linenum); } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) syntax error line %d\n", file, linenum); } ArgusParseSourceID(ArgusSourceTask, optarg); } break; case ARGUS_ACCESS_PORT: setArgusPortNum(ArgusOutputTask, atoi(optarg)); break; case ARGUS_OUTPUT_FILE: case ARGUS_OUTPUT_STREAM: { char *ptr = NULL; if ((ptr = strchr (optarg, '"')) != NULL) *ptr = '\0'; if ((ptr = strchr (optarg, ' ')) != NULL) { *ptr++ = '\0'; } if (!outputfiles++) clearArgusWfile(); setArgusWfile (optarg, ptr); break; } case ARGUS_INTERFACE: if (!interfaces++) clearArgusDevice(ArgusSourceTask); setArgusDevice (ArgusSourceTask, optarg, ARGUS_LIVE_DEVICE, 0); break; case ARGUS_SET_PID: if (!(strncasecmp(optarg, "yes", 3))) setArguspidflag (1); else setArguspidflag (0); break; case ARGUS_PID_PATH: { ArgusPidPath = strdup(optarg); break; } case ARGUS_GO_PROMISCUOUS: if ((strncasecmp(optarg, "yes", 3))) setArguspflag (ArgusSourceTask, 1); else setArguspflag (ArgusSourceTask, 0); break; case ARGUS_FLOW_STATUS_INTERVAL: setArgusFarReportInterval (model, optarg); break; case ARGUS_MAR_STATUS_INTERVAL: setArgusMarReportInterval (ArgusOutputTask, optarg); break; case ARGUS_CAPTURE_DATA_LEN: setArgusUserDataLen (model, atoi(optarg)); if (getArgusSnapLen(ArgusSourceTask) != ARGUS_MAXSNAPLEN) setArgusSnapLen (ArgusSourceTask, atoi(optarg) + ARGUS_MINSNAPLEN); break; case ARGUS_GENERATE_START_RECORDS: { extern int ArgusGenerateStartRecords; if ((!strncasecmp(optarg, "yes", 3))) ArgusGenerateStartRecords++; else ArgusGenerateStartRecords = 0; break; } case ARGUS_GENERATE_RESPONSE_TIME_DATA: if (!(strncasecmp(optarg, "yes", 3))) setArgusResponseStatus (model, 1); else setArgusResponseStatus (model, 0); break; case ARGUS_GENERATE_JITTER_DATA: if (!(strncasecmp(optarg, "yes", 3))) { #if !defined(HAVE_XDR) ArgusLog (LOG_ERR, "Jitter data generation not supported\n"); #endif setArgusGenerateTime (model, 1); } else setArgusGenerateTime (model, 0); break; case ARGUS_GENERATE_MAC_DATA: if (!(strncasecmp(optarg, "yes", 3))) setArgusmflag (model, 1); else setArgusmflag (model, 0); break; case ARGUS_DEBUG_LEVEL: setArgusdflag (model, atoi(optarg)); break; case ARGUS_FILTER_OPTIMIZER: if (!(strncasecmp(optarg, "yes", 3))) setArgusOflag (ArgusSourceTask, 1); else setArgusOflag (ArgusSourceTask, 0); break; case ARGUS_FILTER: if ((ArgusSourceTask->ArgusInputFilter = ArgusCalloc (1, MAXSTRLEN)) != NULL) { char *ptr = ArgusSourceTask->ArgusInputFilter; str = optarg; while (*str) { if ((*str == '\\') && (str[1] == '\n')) { if (fgets(str, MAXSTRLEN, fd) != NULL) while (*str && (isspace((int)*str) && (str[1] && isspace((int)str[1])))) str++; } if ((*str != '\n') && (*str != '"')) *ptr++ = *str++; else str++; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusFilter \"%s\" \n", ArgusSourceTask->ArgusInputFilter); #endif } break; case ARGUS_PACKET_CAPTURE_FILE: if (*optarg != '\0') { setArgusWriteOutPacketFile (ArgusSourceTask, optarg); ArgusSourceTask->ArgusDumpPacket = 1; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusPacketCaptureFile \"%s\" \n", ArgusSourceTask->ArgusWriteOutPacketFile); #endif break; case ARGUS_PACKET_CAPTURE_ON_ERROR: if (!(strncasecmp(optarg, "yes", 3))) { ArgusSourceTask->ArgusDumpPacketOnError = 1; ArgusSourceTask->ArgusDumpPacket = 0; } else { ArgusSourceTask->ArgusDumpPacketOnError = 0; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusPacketCaptureOnError \"%s\" \n", optarg); #endif break; case ARGUS_BIND_IP: if (*optarg != '\0') setArgusBindAddr (ArgusOutputTask, optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusBindAddr \"%s\" \n", ArgusBindAddr); #endif break; case ARGUS_MIN_SSF: if (*optarg != '\0') { #ifdef ARGUS_SASL ArgusMinSsf = atoi(optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusMinSsf \"%d\" \n", ArgusMinSsf); #endif #endif } break; case ARGUS_MAX_SSF: if (*optarg != '\0') { #ifdef ARGUS_SASL ArgusMaxSsf = atoi(optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusMaxSsf \"%d\" \n", ArgusMaxSsf); #endif #endif } break; case ARGUS_SELF_SYNCHRONIZE: if (!(strncasecmp(optarg, "yes", 3))) { setArgusSynchronize (ArgusModel, 1); } else { setArgusSynchronize (ArgusModel, 0); } break; case ARGUS_EVENT_DATA: { setArgusEventDataRecord (optarg); break; } case ARGUS_COLLECTOR: break; case ARGUS_FLOW_TYPE: if (!(strncasecmp(optarg, "Uni", 3))) setArgusFlowType (model, ARGUS_UNIDIRECTIONAL); else if (!(strncasecmp(optarg, "Bi", 2))) setArgusFlowType (model, ARGUS_BIDIRECTIONAL); break; case ARGUS_FLOW_KEY: { char *tok = NULL; while ((tok = strtok(optarg, " +\t")) != NULL) { if (!(strncasecmp(tok, "CLASSIC_5_TUPLE", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_CLASSIC5TUPLE); else if (!(strncasecmp(tok, "LAYER_2", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_2); else if (!(strncasecmp(tok, "LOCAL_MPLS", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LOCAL_MPLS); else if (!(strncasecmp(tok, "COMPLETE_MPLS", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_COMPLETE_MPLS); else if (!(strncasecmp(tok, "VLAN", 4))) setArgusFlowKey (model, ARGUS_FLOW_KEY_VLAN); else if (!(strncasecmp(tok, "LAYER_2_MATRIX", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_2_MATRIX); else if (!(strncasecmp(tok, "LAYER_3_MATRIX", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_3_MATRIX); optarg = NULL; } break; } case ARGUS_CAPTURE_FULL_CONTROL_DATA: if (!(strncasecmp(optarg, "yes", 3))) { setArgusCaptureFlag(ArgusSourceTask, 1); setArgusControlMonitor(ArgusModel); setArgusSnapLen(ArgusSourceTask, ARGUS_MAXSNAPLEN); } else { setArgusCaptureFlag (ArgusSourceTask, 0); } break; case ARGUS_GENERATE_TCP_PERF_METRIC: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTCPflag(model, 1); else setArgusTCPflag(model, 0); break; } case ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTimeReport(model, 1); else setArgusTimeReport(model, 0); break; } case ARGUS_GENERATE_APPBYTE_METRIC: { if (!(strncasecmp(optarg, "yes", 3))) setArgusAflag(model, 1); else setArgusAflag(model, 0); break; } case ARGUS_GENERATE_PACKET_SIZE: { if (!(strncasecmp(optarg, "yes", 3))) setArgusGeneratePacketSize(model, 1); else setArgusGeneratePacketSize(model, 0); break; } case ARGUS_CHROOT_DIR: { if (chroot_dir != NULL) free(chroot_dir); chroot_dir = strdup(optarg); break; } case ARGUS_SETUSER_ID: { struct passwd *pw; if ((pw = getpwnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown user \"%s\"\n", optarg); new_uid = pw->pw_uid; endpwent(); break; } case ARGUS_SETGROUP_ID: { struct group *gr; if ((gr = getgrnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown group \"%s\"\n", optarg); new_gid = gr->gr_gid; endgrent(); break; } case ARGUS_ENV: { if (putenv(optarg)) ArgusLog (LOG_ERR, "Argus set env \"%s\" error %s\n", optarg, strerror(errno)); break; } case ARGUS_KEYSTROKE: { if (!(strncasecmp(optarg, "yes", 3))) setArgusKeystroke(model, ARGUS_TCP_KEYSTROKE); else if (!(strncasecmp(optarg, "tcp", 3))) setArgusKeystroke(model, ARGUS_TCP_KEYSTROKE); else if (!(strncasecmp(optarg, "ssh", 3))) setArgusKeystroke(model, ARGUS_SSH_KEYSTROKE); else setArgusKeystroke(model, 0); if (getArgusKeystroke(model)) { model->ArgusKeyStroke.n_min = 23; model->ArgusKeyStroke.dc_min = 48; model->ArgusKeyStroke.dc_max = 128; model->ArgusKeyStroke.gs_max = 3; model->ArgusKeyStroke.ds_min = 24; model->ArgusKeyStroke.ds_max = 256; model->ArgusKeyStroke.gpc_max = 3; model->ArgusKeyStroke.ic_min = 50000; model->ArgusKeyStroke.lcs_max = 50000; model->ArgusKeyStroke.icr_min = 0.892; model->ArgusKeyStroke.icr_max = 1.122; } break; } case ARGUS_KEYSTROKE_CONF: { char tokbuf[MAXSTRLEN], *ksptr = tokbuf, *kstok, *brkt; #if defined(HAVE_STRLCPY) strlcpy(tokbuf, optarg, MAXSTRLEN - 1); #else strncpy(tokbuf, optarg, MAXSTRLEN - 1); #endif while ((kstok = strtok_r(ksptr, ";", &brkt)) != NULL) { setArgusKeystrokeVariable(model, kstok); ksptr = NULL; } break; } case ARGUS_TUNNEL_DISCOVERY: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTunnelDiscovery(model, 1); else setArgusTunnelDiscovery(model, 0); break; } case ARGUS_TRACK_DUPLICATES: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTrackDuplicates(model, 1); else setArgusTrackDuplicates(model, 0); break; } case ARGUS_IP_TIMEOUT: { setArgusIpTimeout (model, atoi(optarg)); break; } case ARGUS_TCP_TIMEOUT: { setArgusTcpTimeout (model, atoi(optarg)); break; } case ARGUS_ICMP_TIMEOUT: { setArgusIcmpTimeout (model, atoi(optarg)); break; } case ARGUS_IGMP_TIMEOUT: { setArgusIgmpTimeout (model, atoi(optarg)); break; } case ARGUS_FRAG_TIMEOUT: { setArgusFragTimeout (model, atoi(optarg)); break; } case ARGUS_ARP_TIMEOUT: { setArgusArpTimeout (model, atoi(optarg)); break; } case ARGUS_OTHER_TIMEOUT: { setArgusOtherTimeout (model, atoi(optarg)); break; } case ARGUS_PCAP_BUF_SIZE: { int size = atoi(optarg); if (size > 0) { if (strchr(optarg, 'K')) size *= 1000; if (strchr(optarg, 'M')) size *= 1000000; if (strchr(optarg, 'G')) size *= 1000000000; setArgusPcapBufSize (ArgusSourceTask, size); } break; } } done = 1; break; } } } } fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: open %s %s\n", file, strerror(errno)); #endif } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile (%s) returning\n", file); #endif } void clearArgusConfiguration (struct ArgusModelerStruct *model) { daemonflag = 0; setArgusID (ArgusSourceTask, 0, 0); clearArgusWfile (); clearArgusDevice (ArgusSourceTask); setArgusPortNum(ArgusOutputTask, 0); setArgusBindAddr (ArgusOutputTask, NULL); setArguspidflag (0); setArguspflag (ArgusSourceTask, 0); setArgusFarReportInterval (model, ARGUS_FARSTATUSTIMER); setArgusMarReportInterval (ArgusOutputTask, ARGUS_MARSTATUSTIMER); setArgusUserDataLen (model, 0); setArgusSnapLen (ArgusSourceTask, ARGUS_MINSNAPLEN); setArgusResponseStatus (model, 0); setArgusGenerateTime (model, 0); setArgusmflag (model, 0); setArgusOflag (ArgusSourceTask, 1); setArgusCaptureFlag (ArgusSourceTask, 0); setArgusAflag(model, 0); setArgusTimeReport(model, 0); if (ArgusSourceTask->ArgusWriteOutPacketFile) { if (ArgusSourceTask->ArgusPcapOutFile != NULL) { pcap_dump_close(ArgusSourceTask->ArgusPcapOutFile); ArgusSourceTask->ArgusPcapOutFile = NULL; } ArgusSourceTask->ArgusWriteOutPacketFile = NULL; } if (ArgusSourceTask->ArgusInputFilter) { ArgusFree(ArgusSourceTask->ArgusInputFilter); ArgusSourceTask->ArgusInputFilter = NULL; } #ifdef ARGUSDEBUG ArgusDebug (1, "clearArgusConfiguration () returning\n"); #endif } int getArgusPortNum(struct ArgusOutputStruct *output) { return(output->ArgusPortNum); } void setArgusPortNum(struct ArgusOutputStruct *output, int value) { output->ArgusPortNum = value; #ifdef ARGUSDEBUG ArgusDebug (2, "setArgusPortNum(%d) returning\n", value); #endif } void clearArgusWfile(void) { ArgusDeleteList (ArgusOutputTask->ArgusWfileList, ARGUS_WFILE_LIST); ArgusOutputTask->ArgusWfileList = NULL; } void setArgusWfile(char *file, char *filter) { struct ArgusWfileStruct *wfile = NULL; if (ArgusOutputTask->ArgusWfileList == NULL) ArgusOutputTask->ArgusWfileList = ArgusNewList(); if (file) { if ((wfile = (struct ArgusWfileStruct *) ArgusCalloc (1, sizeof (*wfile))) != NULL) { wfile->filename = strdup(file); if (filter) wfile->filter = strdup(filter); ArgusPushFrontList(ArgusOutputTask->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "setArgusWfile, ArgusCalloc %s\n", strerror(errno)); } else ArgusLog (LOG_ERR, "setArgusWfile, file is null\n"); } void ArgusUsr1Sig (int sig) { #ifdef ARGUSDEBUG int value = 0, i; Argusdflag = (Argusdflag++ > 30) ? 30 : Argusdflag; if (Argusdflag == 1) { struct ArgusSourceStruct *src; for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if ((src = ArgusSourceTask->srcs[i]) != NULL) { struct ArgusModelerStruct *model = src->ArgusModel; if ((value = getArgusKeystroke(model)) > 0) { ArgusDebug (0, "ArgusKeyStroke model[%d] %s: DC_MIN=%d, DC_MAX=%d, GS_MAX=%d, DS_MIN=%d, DS_MAX=%d, IC_MIN=%d, LCS_MAX=%d, GPC_MAX=%d, ICR_MIN=%f, ICR_MAX=%f\n", i, (value == ARGUS_TCP_KEYSTROKE) ? "\"tcp\"" : ((value == ARGUS_SSH_KEYSTROKE) ? "\"ssh\"" : "\"unknown\""), model->ArgusKeyStroke.dc_min, model->ArgusKeyStroke.dc_max, model->ArgusKeyStroke.gs_max, model->ArgusKeyStroke.ds_min, model->ArgusKeyStroke.ds_max, model->ArgusKeyStroke.ic_min, model->ArgusKeyStroke.lcs_max, model->ArgusKeyStroke.gpc_max, model->ArgusKeyStroke.icr_min, model->ArgusKeyStroke.icr_max); } } } } ArgusDebug (0, "ArgusUsr1Sig: debug %d enabled\n", Argusdflag); #endif } void ArgusUsr2Sig (int sig) { #ifdef ARGUSDEBUG Argusdflag = 0; ArgusDebug (0, "ArgusUsr2Sig: debug disabled\n"); #endif } int getArgusControlMonitor (struct ArgusModelerStruct *model) { return (model->ArgusControlMonitor); } void setArgusControlMonitor (struct ArgusModelerStruct *model) { model->ArgusControlMonitor++; } void clearArgusEventRecord(void) { ArgusDeleteList (ArgusEventsTask->ArgusEventsList, ARGUS_EVENT_LIST); ArgusEventsTask->ArgusEventsList = NULL; } /* Syntax is: "method:pathname:interval:postprocessor" Where: method = [ "file" | "prog" ] pathname = %s interval = %d postproc = [ "compress" | "encrypt" | "none" ] */ void setArgusEventDataRecord (char *ptr) { struct ArgusEventRecordStruct *event = NULL; char *sptr, *method = NULL, *file = NULL; char *tok = NULL, *pp = NULL, *tptr = NULL; int ind = 0, interval, elem = 0; if (ArgusEventsTask == NULL) ArgusEventsTask = ArgusNewEvents(); if (ArgusEventsTask->ArgusEventsList == NULL) ArgusEventsTask->ArgusEventsList = ArgusNewList(); if (ptr) { int i; sptr = strdup(ptr); while ((tok = strtok(sptr, ":")) != NULL) { switch (ind++) { case 0: method = tok; if (!((strncmp(method, "file", 4) == 0) || (strncmp(method, "prog", 4) == 0))) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); elem++; break; case 1: file = tok; elem++; break; case 2: interval = strtol(tok, (char **)&tptr, 10); if (tptr == tok) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); i = *tptr; if (strlen(tptr) && (isalpha(i))) { switch (*tptr) { case 's': break; case 'm': interval *= 60; break; case 'h': interval *= 60 * 60; break; case 'd': interval *= 60 * 60 * 24; break; case 'w': interval *= 60 * 60 * 24 * 7; break; case 'M': interval *= 60 * 60 * 24 * 30; break; case 'y': interval *= 60 * 60 * 24 * 365; break; } } elem++; break; case 3: pp = tok; if (!((strncmp(pp, "compress", 8) == 0) || (strncmp(pp, "compress2", 9) == 0))) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); elem++; break; default: ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); break; } sptr = NULL; } if (elem < 3) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); free (sptr); if ((event = (struct ArgusEventRecordStruct *) ArgusCalloc (1, sizeof (*event))) != NULL) { event->entry = strdup(ptr); event->method = strdup(method); event->filename = strdup(file); event->interval = interval; if (pp != NULL) { if (!(strncmp(pp, "compress", 8))) event->status |= ARGUS_ZLIB_COMPRESS; if (!(strncmp(pp, "compress2", 9))) event->status |= ARGUS_ZLIB_COMPRESS2; } ArgusPushFrontList(ArgusEventsTask->ArgusEventsList, (struct ArgusListRecord *) event, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "setArgusEventDataRecord, ArgusCalloc %s\n", strerror(errno)); } else ArgusLog (LOG_ERR, "setArgusEventDataRecord, event is null\n"); #ifdef ARGUSDEBUG ArgusDebug (2, "setArgusEventDataRecord(%s)\n", ptr); #endif } void setArgusArgv(struct ArgusSourceStruct *src, char **value) { src->ArgusArgv = value; } void setArgusOptind (struct ArgusSourceStruct *src, int value) { src->ArgusOptind = value; } void setArgusCmdBuf (struct ArgusSourceStruct *src) { ArgusSourceTask->ArgusCmdBuf = ArgusCopyArgv(&src->ArgusArgv[src->ArgusOptind]); } char * ArgusCopyArgv (char **argv) { char **p; int len = 0; char *buf = NULL, *src, *dst; p = argv; if (*p == 0) return 0; while (*p) len += (int) strlen (*p++) + 1; if ((buf = (char *) malloc (len)) != NULL) { p = argv; dst = buf; while ((src = *p++) != NULL) { if (*src != '-') { while ((*dst++ = *src++) != '\0') ; dst[-1] = ' '; } } dst[-1] = '\0'; } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCopyArgv(%p) returning %p\n", argv, buf); #endif return buf; } argus-3.0.8.2/argus/argus.h000444 000765 000024 00000007556 12513222401 016044 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus includes * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/argus.h#20 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* argus.h */ #include #include #include #ifndef Argus_h #define Argus_h #include #include #include #include #include #include #include #if defined(ARGUS_NANOSECONDS) #define ARGUS_FRACTION_TIME 1000000000 #else #define ARGUS_FRACTION_TIME 1000000 #endif #define MINOR_VERSION_0 0 #define MINOR_VERSION_1 1 #define MINOR_VERSION_2 2 #define MINOR_VERSION_3 3 #define MINOR_VERSION_4 4 #define MINOR_VERSION_5 5 #define MINOR_VERSION_6 6 #define MINOR_VERSION_7 7 #define MINOR_VERSION_8 8 #define MINOR_VERSION_9 9 #define MAJOR_VERSION_1 1 #define MAJOR_VERSION_2 2 #define MAJOR_VERSION_3 3 #define MAJOR_VERSION_4 4 #define MAJOR_VERSION_5 5 #define VERSION_MAJOR MAJOR_VERSION_3 #define VERSION_MINOR MINOR_VERSION_0 #if defined(Argus) #include #include #include #include #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ #endif #if defined(ARGUS_THREADS) pthread_mutex_t ArgusMainLock; #endif char *RaTimeFormat = "%d %b %y %T"; char RaFieldDelimiter = '.'; int nflag = 1, Nflag = -1, uflag = 1, gflag = 0; int Uflag = 6, XMLflag = 0, pflag = 0, pidflag = 0; int Dflag = 0, daemonflag = 0; uid_t new_uid = 0; gid_t new_gid = 0; char *chroot_dir = NULL; int Argusdflag = 0; int ArgusUid = 0; int ArgusGid = 0; int ArgusShutDownStarted = 0; int ArgusPortNum = 0; void ArgusUsr1Sig (int); void ArgusUsr2Sig (int); #if defined(ARGUS_SASL) int ArgusMaxSsf = 128; int ArgusMinSsf = 40; #endif char *ArgusProgramName = NULL; void ArgusLoop (void); void ArgusShutDown (int); void ArgusScheduleShutDown (int); void usage(void); void ArgusLog (int, char *, ...); void ArgusComplete (void); void setArguspidflag (int); int getArguspidflag (void); void setArgusArgv(struct ArgusSourceStruct *, char **); void setArgusOptind(struct ArgusSourceStruct *, int); void setArgusCmdBuf(struct ArgusSourceStruct *); char *ArgusCopyArgv (char **); void clearArgusWfile(void); void clearArgusEventRecord(void); char *ArgusBindAddr = NULL; struct ArgusListStruct *ArgusWfileList = NULL; #else /* defined(Argus) */ #if defined(ARGUS_THREADS) extern pthread_mutex_t ArgusMainLock; #endif extern int Argusdflag; extern char *ArgusProgramName; extern void ArgusLoop (void); extern void ArgusShutDown (int); extern void ArgusScheduleShutDown (int); extern int nflag, Nflag, uflag, gflag; extern int daemonflag; extern int ArgusUid; extern int ArgusGid; extern int ArgusShutDownStarted; extern char *ArgusBindAddr; extern void ArgusUsr1Sig (int); extern void ArgusUsr2Sig (int); extern struct ArgusListStruct *ArgusWfileList; #if defined(ARGUS_SASL) extern int ArgusMaxSsf; extern int ArgusMinSsf; #endif extern void usage(void); extern void ArgusLog (int, char *, ...); extern void ArgusComplete (void); #endif /* defined(Argus) */ #endif /* Argus_h */ argus-3.0.8.2/argus/Argus802.11.c000444 000765 000024 00000023111 12513222401 016432 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Arp Procession * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/Argus802.11.c#10 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(Argus80211) #define Argus80211 #endif #include #include #include #include #include #include static void ArgusParse80211MgmtBody(struct mgmt_body_t *, const u_char *, int); int ArgusExtract802_11HeaderLength(u_int16_t); #if !defined(ETH_ALEN) #define ETH_ALEN 6 #endif struct ArgusSystemFlow * ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr) { struct ArgusSystemFlow *retn = NULL; struct mgmt_body_t pbody; const struct mgmt_header_t *hp = (const struct mgmt_header_t *) ptr; u_int16_t fc = EXTRACT_LE_16BITS(ptr); int hdrlen = ArgusExtract802_11HeaderLength(fc); u_char *p = (u_char *) ptr + hdrlen; bzero(&pbody, sizeof(pbody)); switch (FC_TYPE(fc)) { case T_MGMT: { int offset = 0; switch (FC_SUBTYPE(fc)) { case ST_ASSOC_REQUEST: case ST_REASSOC_REQUEST: pbody.capability_info = EXTRACT_LE_16BITS(p); offset += IEEE802_11_CAPINFO_LEN; pbody.listen_interval = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_LISTENINT_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_ASSOC_RESPONSE: case ST_REASSOC_RESPONSE: pbody.capability_info = EXTRACT_LE_16BITS(p); offset += IEEE802_11_CAPINFO_LEN; pbody.status_code = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_STATUS_LEN; pbody.aid = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_AID_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_PROBE_REQUEST: ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_PROBE_RESPONSE: case ST_BEACON: { memcpy(&pbody.timestamp, p, IEEE802_11_TSTAMP_LEN); offset += IEEE802_11_TSTAMP_LEN; pbody.beacon_interval = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_BCNINT_LEN; pbody.capability_info = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_CAPINFO_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; } case ST_ATIM: break; case ST_DISASSOC: break; case ST_AUTH: case ST_DEAUTH: break; } break; } case T_CTRL: { switch (FC_SUBTYPE(fc)) { case CTRL_PS_POLL: break; case CTRL_RTS: break; case CTRL_CTS: break; case CTRL_ACK: break; case CTRL_CF_END: break; case CTRL_END_ACK: break; default: break; } break; } case T_DATA: { if (FC_WEP(fc)) { } else { } break; } } if (STRUCTCAPTURED(model, *(char *)ptr)) { retn = model->ArgusThisFlow; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_WLAN; retn->hdr.argus_dsrvl8.len = (sizeof(struct ArgusWlanFlow) + 3)/4 + 1; bcopy ((char *)&hp->da, (char *)&model->ArgusThisFlow->wlan_flow.dhost, ETH_ALEN); bcopy ((char *)&hp->sa, (char *)&model->ArgusThisFlow->wlan_flow.shost, ETH_ALEN); bcopy ((char *)&hp->bssid, (char *)&model->ArgusThisFlow->wlan_flow.bssid, ETH_ALEN); switch (FC_TYPE(fc)) { case T_MGMT: { switch (FC_SUBTYPE(fc)) { case ST_ASSOC_REQUEST: case ST_ASSOC_RESPONSE: case ST_REASSOC_REQUEST: case ST_REASSOC_RESPONSE: case ST_PROBE_REQUEST: case ST_PROBE_RESPONSE: case ST_BEACON: { if (pbody.ssid_status == PRESENT) { bcopy((char *)pbody.ssid.ssid, model->ArgusThisFlow->wlan_flow.ssid, pbody.ssid.length); } break; } } break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreate80211Flow (0x%x, 0x%x) returning %d\n", model, ptr, retn); #endif return (retn); } int ArgusExtract802_11HeaderLength(u_int16_t fc) { switch (FC_TYPE(fc)) { case T_MGMT: return MGMT_HDRLEN; case T_CTRL: switch (FC_SUBTYPE(fc)) { case CTRL_PS_POLL: return CTRL_PS_POLL_HDRLEN; case CTRL_RTS: return CTRL_RTS_HDRLEN; case CTRL_CTS: return CTRL_CTS_HDRLEN; case CTRL_ACK: return CTRL_ACK_HDRLEN; case CTRL_CF_END: return CTRL_END_HDRLEN; case CTRL_END_ACK: return CTRL_END_ACK_HDRLEN; default: return 0; } case T_DATA: { int len = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24; if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) len += 2; return len; } default: return 0; } } static void ArgusParse80211MgmtBody(struct mgmt_body_t *pbody, const u_char *p, int offset) { /* * We haven't seen any elements yet. */ pbody->challenge_status = NOT_PRESENT; pbody->ssid_status = NOT_PRESENT; pbody->rates_status = NOT_PRESENT; pbody->ds_status = NOT_PRESENT; pbody->cf_status = NOT_PRESENT; pbody->tim_status = NOT_PRESENT; for (;;) { switch (*(p + offset)) { case E_SSID: /* Present, possibly truncated */ pbody->ssid_status = TRUNCATED; memcpy(&pbody->ssid, p + offset, 2); offset += 2; if (pbody->ssid.length != 0) { if (pbody->ssid.length > sizeof(pbody->ssid.ssid) - 1) return; memcpy(&pbody->ssid.ssid, p + offset, pbody->ssid.length); offset += pbody->ssid.length; } pbody->ssid.ssid[pbody->ssid.length] = '\0'; /* Present and not truncated */ pbody->ssid_status = PRESENT; break; case E_CHALLENGE: /* Present, possibly truncated */ pbody->challenge_status = TRUNCATED; memcpy(&pbody->challenge, p + offset, 2); offset += 2; if (pbody->challenge.length != 0) { if (pbody->challenge.length > sizeof(pbody->challenge.text) - 1) return; memcpy(&pbody->challenge.text, p + offset, pbody->challenge.length); offset += pbody->challenge.length; } pbody->challenge.text[pbody->challenge.length] = '\0'; /* Present and not truncated */ pbody->challenge_status = PRESENT; break; case E_RATES: /* Present, possibly truncated */ pbody->rates_status = TRUNCATED; memcpy(&(pbody->rates), p + offset, 2); offset += 2; if (pbody->rates.length != 0) { if (pbody->rates.length > sizeof pbody->rates.rate) return; memcpy(&pbody->rates.rate, p + offset, pbody->rates.length); offset += pbody->rates.length; } /* Present and not truncated */ pbody->rates_status = PRESENT; break; case E_DS: /* Present, possibly truncated */ pbody->ds_status = TRUNCATED; memcpy(&pbody->ds, p + offset, 3); offset += 3; /* Present and not truncated */ pbody->ds_status = PRESENT; break; case E_CF: /* Present, possibly truncated */ pbody->cf_status = TRUNCATED; memcpy(&pbody->cf, p + offset, 8); offset += 8; /* Present and not truncated */ pbody->cf_status = PRESENT; break; case E_TIM: /* Present, possibly truncated */ pbody->tim_status = TRUNCATED; memcpy(&pbody->tim, p + offset, 2); offset += 2; memcpy(&pbody->tim.count, p + offset, 3); offset += 3; if (pbody->tim.length <= 3) break; if (pbody->tim.length - 3 > (int)sizeof pbody->tim.bitmap) return; memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3), (pbody->tim.length - 3)); offset += pbody->tim.length - 3; /* Present and not truncated */ pbody->tim_status = PRESENT; break; default: return; } } } argus-3.0.8.2/argus/ArgusApp.c000444 000765 000024 00000052041 12544323725 016444 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Application Level * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusApp.c#29 $ * $DateTime: 2015/06/29 16:17:25 $ * $Change: 3027 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusApp) #define ArgusApp #endif #include #include #include #include #include #include #include #define ARGUS_WELLKNOWN_PORT 1024 #define ARGUS_OFC_PORT 6633 #define ARGUS_AFS_PORT_MIN 7000 #define ARGUS_AFS_PORT_MAX 7010 #define ARGUS_UDT_PORT 9000 int ArgusControlPlaneProtocol (struct ArgusModelerStruct *, struct ArgusFlowStruct *); u_char ArgusUpdateHTTPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); u_char ArgusUpdateRTPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusUpdateUDTState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusParseRTCPBuffer (struct ArgusModelerStruct *, struct rtcphdr *); int ArgusRTCPBadVersion = 0; int ArgusRTCPBadPtr = 0; void ArgusParseRTCPSR (struct rtcphdr *); void ArgusParseRTCPRR (struct rtcphdr *); void ArgusParseRRRecs (struct rtcphdr *); void ArgusParseRTCPBYE (struct rtcphdr *); void ArgusParseRTCPSDES (struct rtcphdr *); int ArgusControlPlaneProtocol (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr) { int retn = 0; if (getArgusControlMonitor(model)) { struct ArgusSystemFlow *flow = (struct ArgusSystemFlow *)flowstr->dsrs[ARGUS_FLOW_INDEX]; unsigned short proto, sport, dport; unsigned char ip_p; switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) { ip_p = flow->ipv6_flow.ip_p; sport = flow->ipv6_flow.sport; dport = flow->ipv6_flow.dport; } else { ip_p = flow->ip_flow.ip_p; sport = flow->ip_flow.sport; dport = flow->ip_flow.dport; } if ((ip_p == IPPROTO_TCP) && ((sport == ARGUS_OFC_PORT) || (dport == ARGUS_OFC_PORT))) retn = 1; } } } return (retn); } void ArgusParseRTCPSR (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); */ } void ArgusParseRTCPRR (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } void ArgusParseRRRecs (struct rtcphdr *rtcp) { } void ArgusParseRTCPSDES (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } void ArgusParseRTCPBYE (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } int ArgusParseRTCPBuffer (struct ArgusModelerStruct *model, struct rtcphdr *rtcp) { int retn = 0; while (STRUCTCAPTURED(model, *rtcp)) { u_int len = (ntohs(rtcp->rh_len) << 2) + 4; unsigned char *ptr = ((unsigned char *)rtcp) + len; if (STRUCTCAPTURED(model, *rtcp)) { if (rtcp->rh_ver != RTP_VERSION) { ++ArgusRTCPBadVersion; } else { switch(rtcp->rh_pt) { case RTCP_PT_SR: ArgusParseRTCPSR (rtcp); retn++; break; case RTCP_PT_RR: ArgusParseRTCPRR (rtcp); retn++; break; case RTCP_PT_SDES: ArgusParseRTCPSDES (rtcp); break; case RTCP_PT_BYE: ArgusParseRTCPBYE (rtcp); break; default: ++ArgusRTCPBadPtr; break; } } } if (len > 4) rtcp = (struct rtcphdr *) ptr; else break; } return (retn); } #if !defined(FALSE) #define FALSE 0 #endif #if !defined(TRUE) #define TRUE 1 #endif void ArgusUpdateAppState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { struct ArgusSystemFlow *flow = (struct ArgusSystemFlow *) flowstr->dsrs[ARGUS_FLOW_INDEX]; int mode = model->ArgusSrc->mode; if (model->ArgusThisLength > 0) { if (flow != NULL) { unsigned short proto, sport = 0, dport = 0; unsigned char ip_p; int len; if (!(model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) { ip_p = flow->ipv6_flow.ip_p; sport = flow->ipv6_flow.sport; dport = flow->ipv6_flow.dport; } else { ip_p = flow->ip_flow.ip_p; sport = flow->ip_flow.sport; dport = flow->ip_flow.dport; } switch (ip_p) { case IPPROTO_UDP: { switch (mode) { case ARGUS_CISCO_DATA_SOURCE: ArgusParseCiscoRecord(model, model->ArgusThisUpHdr); break; default: { if (state == ARGUS_START) { struct rtphdr *rtp = (struct rtphdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *rtp)) { if ((rtp->rh_ver == RTP_VERSION) && (!((sport < ARGUS_WELLKNOWN_PORT) || (dport < ARGUS_WELLKNOWN_PORT)) && !((sport >= ARGUS_AFS_PORT_MIN) && (sport <= ARGUS_AFS_PORT_MAX)) && !((dport >= ARGUS_AFS_PORT_MIN) && (dport <= ARGUS_AFS_PORT_MAX)))) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } if (ArgusParseRTCPBuffer(model, (struct rtcphdr *) model->ArgusThisUpHdr)) { struct ArgusRTCPObject *rtcpObject = (struct ArgusRTCPObject *)(&net->hdr + 1); struct rtcphdr *rtcp = (struct rtcphdr *) model->ArgusThisUpHdr; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_RTCP_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusRTCPObject) + 3)/4) + 1; if (model->ArgusThisDir) { bcopy ((char *) rtcp, (char *)&rtcpObject->src, sizeof(*rtcp)); } else { bcopy ((char *) rtcp, (char *)&rtcpObject->dst, sizeof(*rtcp)); } } else { if (rtp->rh_pt < 128) { struct ArgusRTPObject *rtpObject = (struct ArgusRTPObject *)(&net->hdr + 1); struct rtphdr trtpbuf, *trtp = &trtpbuf; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_RTP_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusRTPObject) + 3)/4) + 1; bcopy(rtp, trtp, sizeof(*trtp)); trtp->rh_seq = ntohs(rtp->rh_seq); trtp->rh_time = ntohl(rtp->rh_time); trtp->rh_ssrc = ntohl(rtp->rh_ssrc); if (model->ArgusThisDir) { bcopy ((char *) trtp, (char *)&rtpObject->src, sizeof(*rtp)); } else { bcopy ((char *) trtp, (char *)&rtpObject->dst, sizeof(*rtp)); } } } } else { if ((sport == ARGUS_UDT_PORT) || (dport == ARGUS_UDT_PORT)) { unsigned int status = 0; if (ArgusParseUDTHeader (model, (struct udt_header *) model->ArgusThisUpHdr, &status)) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_UDT_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusUDTObject) + 3)/4) + 1; if (ArgusThisUdtHshake != NULL) { struct ArgusUDTObject *udtObject = (struct ArgusUDTObject *)(&net->hdr + 1); bcopy (ArgusThisUdtHshake, &udtObject->hshake, sizeof(*ArgusThisUdtHshake)); } if (status != 0) net->net_union.udt.status |= status; } } } } } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net != NULL) { switch (net->hdr.subtype) { case ARGUS_RTP_FLOW: case ARGUS_RTCP_FLOW: { ArgusUpdateRTPState(model, flowstr, state); break; } case ARGUS_UDT_FLOW: { ArgusUpdateUDTState(model, flowstr, &state); break; } } } } } } break; } /* IPPROTO_UDP */ } break; } } } if (model->ArgusThisStats) model->ArgusThisStats->appbytes += model->ArgusThisLength; if ((len = flowstr->userlen) != 0) { struct ArgusDataStruct *user = NULL; int ind, tlen; if (model->ArgusThisDir) ind = ARGUS_SRCUSERDATA_INDEX; else ind = ARGUS_DSTUSERDATA_INDEX; if (len == -1) len = model->ArgusThisLength; tlen = ((len + 3)/4) + 2; if (state == ARGUS_START) { if ((user = (struct ArgusDataStruct *) flowstr->dsrs[ind]) != NULL) { if (len != user->size) { ArgusFree(flowstr->dsrs[ind]); flowstr->dsrs[ind] = NULL; } else { user->count = 0; memset(user->array, 0, len); } } } if ((user = (struct ArgusDataStruct *) flowstr->dsrs[ind]) == NULL) { if ((user = (void *) ArgusCalloc(tlen, 4)) != NULL) { flowstr->dsrs[ind] = (void *) user; user->size = len; user->hdr.type = ARGUS_DATA_DSR; user->hdr.subtype = ARGUS_LEN_16BITS; user->hdr.argus_dsrvl16.len = tlen; if (ind == ARGUS_SRCUSERDATA_INDEX) user->hdr.subtype |= ARGUS_SRC_DATA; else user->hdr.subtype |= ARGUS_DST_DATA; flowstr->dsrindex |= (0x1 << ind); } } if (user && (user->count < user->size)) { int thislen = user->size - user->count; int bytes = 0, ArgusThisUserLength = (model->ArgusThisLength < model->ArgusSnapLength) ? model->ArgusThisLength : model->ArgusSnapLength; if ((thislen > 0) && (ArgusThisUserLength > 0)) { if (ArgusThisUserLength < thislen) thislen = ArgusThisUserLength; if ((bytes = model->ArgusThisSnapEnd - model->ArgusThisUpHdr) > 0) { thislen = (thislen > bytes) ? bytes : thislen; bcopy (model->ArgusThisUpHdr, &((char *)&user->array)[user->count], thislen); user->count += thislen; } } } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateAppState(0x%x, %d) returning\n", flowstr, state); #endif } u_char ArgusUpdateHTTPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { u_char retn = 0; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateHTTPState(0x%x, 0x%x, %d) returning\n", flowstr, state); #endif return(retn); } u_char ArgusUpdateRTPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; u_char retn = 0; if (net == NULL) return(retn); switch (net->hdr.subtype) { case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtpObject = (struct ArgusRTPObject *)(&net->hdr + 1); struct rtphdr *rtp = (struct rtphdr *) model->ArgusThisUpHdr; struct rtphdr trtpbuf, *trtp = &trtpbuf; struct rtphdr *ArgusThisRtpHdr = NULL; bcopy(rtp, trtp, sizeof(*trtp)); trtp->rh_seq = ntohs(rtp->rh_seq); trtp->rh_time = ntohl(rtp->rh_time); trtp->rh_ssrc = ntohl(rtp->rh_ssrc); if (model->ArgusThisDir) ArgusThisRtpHdr = &rtpObject->src; else ArgusThisRtpHdr = &rtpObject->dst; if (!(ArgusThisRtpHdr->rh_seq)) { if (rtp->rh_ver == 2) bcopy ((char *) trtp, (char *)ArgusThisRtpHdr, sizeof(*rtp)); } else { if (rtp->rh_ver == 2) { if (!(trtp->rh_ssrc) || (ArgusThisRtpHdr->rh_ssrc != trtp->rh_ssrc)) flowstr->dsrs[ARGUS_NETWORK_INDEX] = NULL; else if (trtp->rh_x) { struct rtpexthdr *xhdr = (struct rtpexthdr *) (rtp + 1); if ((xhdr->length > model->ArgusThisLength) || (xhdr->length < (model->ArgusThisLength - 4))) flowstr->dsrs[ARGUS_NETWORK_INDEX] = NULL; } if (flowstr->dsrs[ARGUS_NETWORK_INDEX] != NULL) { int offset = ((trtp->rh_cc > 15) ? 15 : trtp->rh_cc) << 2; if (ArgusThisRtpHdr->rh_seq != (trtp->rh_seq - 1)) { if (trtp->rh_seq < ArgusThisRtpHdr->rh_seq) { if ((ArgusThisRtpHdr->rh_seq - trtp->rh_seq) < 0x7FFFFFFF) { if (model->ArgusThisDir) { if (rtpObject->sdrop > 0) { rtpObject->sdrop--; rtpObject->state |= ARGUS_SRC_OUTOFORDER; } } else { if (rtpObject->ddrop > 0) { rtpObject->ddrop--; rtpObject->state |= ARGUS_DST_OUTOFORDER; } } } } else { if (trtp->rh_seq > ArgusThisRtpHdr->rh_seq) { if (model->ArgusThisDir) { rtpObject->sdrop += trtp->rh_seq - (ArgusThisRtpHdr->rh_seq + 1); } else { rtpObject->ddrop += trtp->rh_seq - (ArgusThisRtpHdr->rh_seq + 1); } } } } bcopy ((char *) trtp, (char *) ArgusThisRtpHdr, sizeof(*rtp)); if (offset < model->ArgusThisLength) { model->ArgusThisUpHdr = (unsigned char *)(rtp + 1) + offset; model->ArgusThisLength -= (sizeof(struct rtphdr) + offset); model->ArgusSnapLength -= (sizeof(struct rtphdr) + offset); if (trtp->rh_x) { struct rtpexthdr *ext = (struct rtpexthdr *)model->ArgusThisUpHdr; if (STRUCTCAPTURED(model,*ext)) { offset = sizeof(struct rtpexthdr) + ntohs(ext->length); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; } } switch (trtp->rh_pt) { case ARGUS_RTP_PCMU: case ARGUS_RTP_PCMA: case ARGUS_RTP_G722: case ARGUS_RTP_G728: case ARGUS_RTP_G729: if ((model->ArgusThisLength == 0) || ((model->ArgusThisLength % 10) != 0)) { model->ArgusInProtocol = 0; if (model->ArgusThisDir) { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_SRCSILENCE; }else { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_DSTSILENCE; } } else if (trtp->rh_mark) model->ArgusInProtocol = 0; break; case ARGUS_RTP_G723: if ((model->ArgusThisLength == 0) || (model->ArgusThisLength == 4)) { model->ArgusInProtocol = 0; if (model->ArgusThisDir) { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_SRCSILENCE; } else { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_DSTSILENCE; } } else if (trtp->rh_mark) model->ArgusInProtocol = 0; break; case ARGUS_RTP_H261: case ARGUS_RTP_H263: break; } } } } } break; } case ARGUS_RTCP_FLOW: { break; } } if (flowstr->dsrs[ARGUS_NETWORK_INDEX] == NULL) *(unsigned int *)&flowstr->canon.net.hdr = 0; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateRTPState(0x%x, 0x%x, %d) returning\n", model, flowstr, state); #endif return(retn); } argus-3.0.8.2/argus/ArgusArp.c000444 000765 000024 00000022011 12514174150 016431 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Arp Procession * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusArp.c#32 $ * $DateTime: 2015/04/17 08:10:46 $ * $Change: 3011 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusArp) #define ArgusArp #endif #include #include #include #if !defined(__OpenBSD__) #include #endif #include #include #define argus_ar_sha(ap) (((const u_char *)((ap)+1))+0) #define argus_ar_spa(ap) (((const u_char *)((ap)+1))+ (ap)->ar_hln) #define argus_ar_tha(ap) (((const u_char *)((ap)+1))+ (ap)->ar_hln+(ap)->ar_pln) #define argus_ar_tpa(ap) (((const u_char *)((ap)+1))+2*(ap)->ar_hln+(ap)->ar_pln) #define ARP_HDRLEN 8 #define HRD(ap) EXTRACT_16BITS(&(ap)->ar_hrd) #define HLN(ap) ((ap)->ar_hln) #define PLN(ap) ((ap)->ar_pln) #define OP(ap) EXTRACT_16BITS(&(ap)->ar_op) #define PRO(ap) EXTRACT_16BITS(&(ap)->ar_pro) #if defined(SHA) #undef SHA #endif #define SHA(ap) (argus_ar_sha(ap)) #if defined(SPA) #undef SPA #endif #define SPA(ap) (argus_ar_spa(ap)) #if defined(THA) #undef THA #endif #define THA(ap) (argus_ar_tha(ap)) #if defined(TPA) #undef TPA #endif #define TPA(ap) (argus_ar_tpa(ap)) #if !defined(REVARP_REQUEST) #define REVARP_REQUEST 3 #endif #if !defined(REVARP_REPLY) #define REVARP_REPLY 4 #endif void ArgusUpdateArpState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); /* struct ArgusHAddr { union { unsigned char ethernet[6]; unsigned char ib[32]; unsigned char ieee1394[16]; unsigned char framerelay[4]; unsigned char tokenring[6]; unsigned char arcnet[1]; unsigned char fiberchannel[12]; unsigned char atm[20]; } haddr_un; }; struct ArgusArpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_spa; unsigned int arp_tpa; struct ArgusHAddr haddr; }; struct ArgusRarpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_tpa; struct ArgusHAddr shaddr; struct ArgusHAddr dhaddr; }; */ #define ARP_ETHERNET 1 #define ARP_IEEE802 6 #define ARP_ARCNET 7 #define ARP_FRELAY 15 #define ARP_ATM 19 #define ARP_STRIP 23 #define ARP_IEEE1394 24 #define ARP_INFINIBAND 32 struct ArgusSystemFlow * ArgusCreateArpFlow (struct ArgusModelerStruct *model, struct ether_header *ep) { struct arphdr *ahdr = (struct arphdr *)model->ArgusThisUpHdr; struct ArgusSystemFlow *retn = NULL; unsigned int arp_tpa, arp_spa; if (STRUCTCAPTURED(model, *ahdr)) { retn = model->ArgusThisFlow; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_ARP; switch (OP(ahdr)) { case ARPOP_REQUEST: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusArpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ARP; if (PLN(ahdr) == sizeof(arp_spa)) { bcopy (SPA(ahdr), &arp_spa, sizeof(arp_spa)); bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_spa = ntohl(arp_spa); arp_tpa = ntohl(arp_tpa); #endif // if (arp_spa > arp_tpa) // model->state |= ARGUS_DIRECTION; retn->arp_flow.hrd = HRD(ahdr); retn->arp_flow.pro = PRO(ahdr); retn->arp_flow.hln = HLN(ahdr); retn->arp_flow.pln = PLN(ahdr); retn->arp_flow.op = OP(ahdr); retn->arp_flow.arp_tpa = arp_tpa; retn->arp_flow.arp_spa = arp_spa; bcopy (SHA(ahdr), (char *)&retn->arp_flow.haddr, HLN(ahdr)); } break; } case ARPOP_REPLY: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusArpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ARP; if (PLN(ahdr) == sizeof(arp_spa)) { bcopy (SPA(ahdr), &arp_spa, sizeof(arp_spa)); bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_spa = ntohl(arp_spa); arp_tpa = ntohl(arp_tpa); #endif // if (arp_spa > arp_tpa) model->state |= ARGUS_DIRECTION; retn->arp_flow.hrd = HRD(ahdr); retn->arp_flow.pro = PRO(ahdr); retn->arp_flow.hln = HLN(ahdr); retn->arp_flow.pln = PLN(ahdr); retn->arp_flow.op = ARPOP_REQUEST; retn->arp_flow.arp_tpa = arp_spa; retn->arp_flow.arp_spa = arp_tpa; bcopy (THA(ahdr), (char *)&retn->arp_flow.haddr, HLN(ahdr)); } break; } case REVARP_REQUEST: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusRarpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_RARP; #ifdef _LITTLE_ENDIAN arp_tpa = ntohl(arp_tpa); #endif retn->rarp_flow.hrd = HRD(ahdr); retn->rarp_flow.pro = PRO(ahdr); retn->rarp_flow.hln = HLN(ahdr); retn->rarp_flow.pln = PLN(ahdr); retn->rarp_flow.op = OP(ahdr); bcopy (THA(ahdr), &retn->rarp_flow.shaddr, HLN(ahdr)); bcopy (SHA(ahdr), &retn->rarp_flow.dhaddr, HLN(ahdr)); break; } case REVARP_REPLY: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusRarpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_RARP; bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_tpa = ntohl(arp_tpa); #endif retn->rarp_flow.hrd = HRD(ahdr); retn->rarp_flow.pro = PRO(ahdr); retn->rarp_flow.hln = HLN(ahdr); retn->rarp_flow.pln = PLN(ahdr); retn->rarp_flow.op = REVARP_REQUEST; bcopy ((char *)&arp_tpa, &retn->rarp_flow.arp_tpa, sizeof(arp_tpa)); bcopy (SHA(ahdr), &retn->rarp_flow.shaddr, HLN(ahdr)); bcopy (THA(ahdr), &retn->rarp_flow.dhaddr, HLN(ahdr)); break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateArpFlow (%p) returning %p\n", ep, retn); #endif return (retn); } /* struct arphdr { u_short ar_hrd; #define ARPHRD_ETHER 1 #define ARPHRD_IEEE802 6 #define ARPHRD_FRELAY 15 #define ARPHRD_IEEE1394 24 #define ARPHRD_IEEE1394_EUI64 27 u_short ar_pro; u_char ar_hln; u_char ar_pln; u_short ar_op; #define ARPOP_REQUEST 1 #define ARPOP_REPLY 2 #define ARPOP_REVREQUEST 3 #define ARPOP_REVREPLY 4 #define ARPOP_INVREQUEST 8 #define ARPOP_INVREPLY 9 #ifdef COMMENT_ONLY u_char ar_sha[]; u_char ar_spa[]; u_char ar_tha[]; u_char ar_tpa[]; #endif }; */ void ArgusUpdateArpState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusARPObject *arpobj = NULL; struct ether_arp *arp = NULL; struct arphdr *ahdr = NULL; if (model->ArgusThisEpHdr == NULL) return; arp = (struct ether_arp *)(model->ArgusThisEpHdr + 1); ahdr = &arp->ea_hdr; if (STRUCTCAPTURED(model, *arp)) { model->ArgusThisLength -= sizeof(*arp); model->ArgusSnapLength -= sizeof(*arp); model->ArgusThisUpHdr = (unsigned char *)(arp + 1); switch (OP(ahdr)) { case ARPOP_REQUEST: break; case ARPOP_REPLY: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_ARP; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusUDTObject) + 3)/4) + 1; arpobj = &net->net_union.arp; bcopy ((unsigned char *)SHA(ahdr), arpobj->respaddr, 6); break; } } } } argus-3.0.8.2/argus/ArgusAuth.c000444 000765 000024 00000022235 12513222401 016610 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Authentication * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* * $Id: //depot/argus/argus/argus/ArgusAuth.c#18 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * * modified by Carter Bullard * QoSient, LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusSasl) #define ArgusSasl #endif #include #include #include #include int ArgusAuthenticateClient (struct ArgusClientData *); int ArgusGetSaslString(FILE *, char *, int); int ArgusSendSaslString(FILE *, const char *, int, int); int ArgusAuthenticateClient (struct ArgusClientData *client) { int retn = 1; #ifdef ARGUS_SASL unsigned int rlen = 0; int len, mechnum = 0; char buf[8192], chosenmech[512]; const char *data; sasl_conn_t *conn = NULL; // int SASLOpts = (SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS); FILE *in, *out; conn = client->sasl_conn; if ((retn = sasl_listmech(conn, NULL, "{", ", ", "}", &data, &rlen, &mechnum)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: Error generating mechanism list"); if ((in = fdopen (client->fd, "r")) < 0) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno)); if ((out = fdopen (client->fd, "w")) < 0) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno)); ArgusSendSaslString (out, data, rlen, SASL_OK); if ((len = ArgusGetSaslString (in, chosenmech, sizeof(chosenmech))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } if (*buf == 'Y') { if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } retn = sasl_server_start(conn, chosenmech, buf, len, &data, &rlen); } else { retn = sasl_server_start(conn, chosenmech, NULL, 0, &data, &rlen); } if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error starting SASL negotiation"); #endif ArgusSendSaslString(out, buf, strlen(buf), retn); return 0; } while (retn == SASL_CONTINUE) { if (data) { #ifdef ARGUSDEBUG ArgusDebug(2, "sending response length %d...\n", rlen); #endif ArgusSendSaslString(out, data, rlen, retn); } else { #ifdef ARGUSDEBUG ArgusDebug(2, "no data to send? ...\n"); #endif } #ifdef ARGUSDEBUG ArgusDebug(2, "waiting for client reply...\n"); #endif len = ArgusGetSaslString(in, buf, sizeof(buf)); if (len < 0) { #ifdef ARGUSDEBUG ArgusDebug(2, "client disconnected ...\n"); #endif return 0; } retn = sasl_server_step(conn, buf, len, &data, &rlen); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL)); #ifdef ARGUSDEBUG ArgusDebug(2, "Authentication failed %s\n", sasl_errstring(retn, NULL, NULL)); #endif ArgusSendSaslString(out, buf, strlen(buf), retn); return 0; } } if (retn == SASL_OK) ArgusSendSaslString(out, NULL, 0, SASL_OK); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusAuthenticateClient() returning %d\n", retn); #endif return (retn); } #ifdef ARGUS_SASL #include #include #include #include #include #include /* send/recv library for IMAP4 style literals. */ int ArgusSendSaslString(FILE *f, const char *s, int l, int mode) { char *buf = NULL, *ptr = NULL, error[128]; unsigned int al, len; int result, size, tsize; switch (mode) { case SASL_OK: { if ((s == NULL) || (l == 0)) { ptr = "D: "; tsize = 3; break; } } case SASL_CONTINUE: { ptr = "S: "; tsize = 3; break; } default: { sprintf (error, "E: [%d]", mode); ptr = error; tsize = strlen(error); break; } } if (ferror(f)) clearerr(f); while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } if (l > 0) { al = (((l / 3) + 1) * 4) + 1; if ((buf = malloc(al)) == NULL) ArgusLog (LOG_ERR, "malloc: error %s", strerror(errno)); if ((ptr = buf) != NULL) { result = sasl_encode64(s, l, buf, al, &len); if (result == SASL_OK) { tsize = len; while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } } } free(buf); } ptr = "\n"; tsize = 1; while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } fflush(f); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSendSaslString(0x%x, 0x%x, %d) %s", f, s, l, s); #endif return len; } int ArgusGetSaslString(FILE *f, char *buf, int buflen) { unsigned int len = -1; char *s = NULL; int result; if (ferror(f)) clearerr(f); if ((s = fgets(buf, buflen, f)) != NULL) { switch (*buf) { case 'C': { if (!(strncmp(buf, "C: ", 3))) { buf[strlen(buf) - 1] = '\0'; result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3), buf, buflen, &len); if (result != SASL_OK) ArgusLog (LOG_ERR, "ArgusGetSaslString: sasl_decode64 error"); buf[len] = '\0'; } else ArgusLog (LOG_ERR, "ArgusGetSaslString: error %s", strerror(errno)); break; } default: case 'N': len = -1; break; } } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetSaslString(0x%x, 0x%x, %d) %s", f, buf, buflen, buf); #endif return len; } #endif argus-3.0.8.2/argus/ArgusEsp.c000444 000765 000024 00000012121 12513222401 016427 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - ESP layer processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ /* * $Id: //depot/argus/argus/argus/ArgusEsp.c#22 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusEsp) #define ArgusEsp #endif #include #include #include #include #include struct esphdr { unsigned int spi, seq; }; struct ArgusSystemFlow * ArgusCreateESPv6Flow (struct ArgusModelerStruct *model, struct ip6_hdr *ip) { struct ArgusSystemFlow *retn = NULL; /* struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; struct ArgusESPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int spi; }; */ #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateESPv6Flow(0x%x) returning %d\n", ip, retn); #endif return (retn); } struct ArgusSystemFlow * ArgusCreateESPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusSystemFlow *retn = NULL; struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *esp)) { struct ArgusESPFlow *espFlow = &model->ArgusThisFlow->esp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; retn->hdr.argus_dsrvl8.len = 5; espFlow->ip_src = ntohl(ip->ip_src.s_addr); espFlow->ip_dst = ntohl(ip->ip_dst.s_addr); espFlow->ip_p = ip->ip_p; espFlow->pad = 0; espFlow->spi = ntohl(esp->spi); } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateESPFlow(0x%x) returning 0x%x\n", ip, retn); #endif return (retn); } void ArgusUpdateESPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateESPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; struct ArgusESPObject *espObj = &net->net_union.esp; if (STRUCTCAPTURED(model, *esp)) { #ifdef _LITTLE_ENDIAN esp->spi = ntohl(esp->spi); esp->seq = ntohl(esp->seq); #endif if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ESP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusESPObject)+3))/4 + 1; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (void *) net; bzero ((char *)espObj, sizeof(*espObj)); flowstr->timeout = ARGUS_IPTIMEOUT; espObj->spi = esp->spi; espObj->lastseq = esp->seq; } else { if (!(espObj->status & ARGUS_ESP_SEQFAILURE)) { #define ARGUS_ESP_WINDOW 0x10000 int diff = esp->seq - espObj->lastseq; if (esp->seq < espObj->lastseq) { if (diff > 0) espObj->status |= ARGUS_ESP_ROLLOVER; } if (diff != 1) { if ((diff == 0) || (abs(diff) > ARGUS_ESP_WINDOW)) { espObj->status |= ARGUS_ESP_SEQFAILURE; if (diff) espObj->lastseq = esp->seq; } else { if (diff > 0) { espObj->status |= ARGUS_SRC_PKTS_DROP; espObj->lostseq += (diff - 1); espObj->lastseq = esp->seq; } else { espObj->lostseq--; espObj->status |= ARGUS_SRC_OUTOFORDER; } } } else espObj->lastseq = esp->seq; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateESPState(0x%x, %d) returning\n", flowstr, *state); #endif } #include void ArgusESPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state); void ArgusESPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusESPFlowRecord(0x%x, %d) returning\n", net, state); #endif } argus-3.0.8.2/argus/ArgusEvents.c000644 000765 000024 00000033513 12723576606 017204 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusEvents.c#15 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusEvents) #define ArgusEvents #endif #include #include #include #include #if defined(HAVE_ZLIB_H) #include #endif #include #include #include #include #include #include #if defined(ARGUS_THREADS) #include void *ArgusEventsProcess(void *); #endif struct ArgusEventsStruct * ArgusNewEvents () { struct ArgusEventsStruct *retn = NULL; if ((retn = (struct ArgusEventsStruct *) ArgusCalloc (1, sizeof (struct ArgusEventsStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewEvents() ArgusCalloc error %s\n", strerror(errno)); if ((retn->ArgusEventsList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewEvents() ArgusNewList %s\n", strerror(errno)); #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewEvents() returning retn 0x%x\n", retn); #endif return (retn); } void ArgusInitEvents (struct ArgusEventsStruct *events) { if (events == NULL) return; events->ArgusModel = ArgusModel; events->ArgusSrc = ArgusSourceTask; events->ArgusOutputList = ArgusOutputTask->ArgusOutputList; #if defined(ARGUS_THREADS) if ((events->ArgusEventsList != NULL) && (!(ArgusListEmpty(events->ArgusEventsList)))) if ((pthread_create(&events->thread, NULL, ArgusEventsProcess, (void *) events)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitEvents() done\n"); #endif } void ArgusCloseEvents (struct ArgusEventsStruct *events) { if (events != NULL) { events->status |= ARGUS_SHUTDOWN; #if defined(ARGUS_THREADS) if (events->thread) pthread_cancel(events->thread); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseEvents() done\n"); #endif } #if defined(ARGUS_THREADS) struct ArgusRecordStruct *ArgusGenerateEventRecord (struct ArgusEventsStruct *, struct ArgusEventRecordStruct *, unsigned char); int ArgusSortEventList (const void *item1, const void *item2) { struct ArgusEventRecordStruct *event1 = *(struct ArgusEventRecordStruct **) item1; struct ArgusEventRecordStruct *event2 = *(struct ArgusEventRecordStruct **) item2; int retn = 0; if ((retn = (event1->poptime.tv_sec - event2->poptime.tv_sec)) == 0) retn = (event1->poptime.tv_nsec - event2->poptime.tv_nsec); return (retn); } #if !defined(TIMEVAL_TO_TIMESPEC) void TIMEVAL_TO_TIMESPEC (struct timeval *, struct timespec *); void TIMEVAL_TO_TIMESPEC (struct timeval *tvp, struct timespec *ts) { ts->tv_sec = tvp->tv_sec; ts->tv_nsec = tvp->tv_usec * 1000; } #endif void * ArgusEventsProcess(void *arg) { struct ArgusEventsStruct *events = (struct ArgusEventsStruct *) arg; struct ArgusEventRecordStruct *evtarray[1024]; struct ArgusEventRecordStruct *evt; struct timeval tvpbuf, *tvp = &tvpbuf; void *retn = NULL; int cnt, i; do { struct ArgusRecordStruct *rec = NULL; struct timespec tsbuf, *ts = &tsbuf; struct timespec rmtpb, *rmtp = &rmtpb; if (events->status & ARGUS_SHUTDOWN) break; if (!(ArgusListEmpty(events->ArgusEventsList))) { cnt = ArgusGetListCount(events->ArgusEventsList); memset(evtarray, 0, sizeof(evtarray)); for (i = 0; i < cnt; i++) { if ((evt = (void *)ArgusPopFrontList(events->ArgusEventsList, ARGUS_LOCK)) != NULL) { evtarray[i] = evt; if (evt->poptime.tv_sec == 0) { gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, &evt->poptime); evt->poptime.tv_sec += evt->interval; evt->remaining.tv_sec = evt->interval; } else { struct timeval tvpbuf, *tvp = &tvpbuf; gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, ts); evt->remaining.tv_sec = evt->poptime.tv_sec - ts->tv_sec; evt->remaining.tv_nsec = evt->poptime.tv_nsec - ts->tv_nsec; while ((evt->remaining.tv_nsec < 0) && (evt->remaining.tv_sec > 0)) { evt->remaining.tv_sec -= 1; evt->remaining.tv_nsec += 1000000000; } } ArgusPushBackList(events->ArgusEventsList, (struct ArgusListRecord *) evt, ARGUS_LOCK); } } qsort (evtarray, cnt, sizeof(evt), ArgusSortEventList); evt = evtarray[0]; *ts = evt->remaining; if (events->status & ARGUS_SHUTDOWN) break; if ((ts->tv_sec > 0) || ((ts->tv_sec == 0) && (ts->tv_nsec > 100))) { while (nanosleep (ts, rmtp)) { *ts = *rmtp; if ((rmtp->tv_sec == 0) && (rmtp->tv_nsec == 0)) break; if (events->status & ARGUS_SHUTDOWN) break; } } if (events->status & ARGUS_SHUTDOWN) break; if ((rec = ArgusGenerateEventRecord(events, evt, ARGUS_STATUS)) != NULL) ArgusPushBackList (events->ArgusOutputList, (struct ArgusListRecord *) rec, ARGUS_LOCK); if (evt->interval > 0) { gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, &evt->poptime); evt->poptime.tv_sec += evt->interval; evt->remaining.tv_sec = evt->interval; } else { evtarray[0] = NULL; if (evt->entry) free(evt->entry); if (evt->method) free(evt->method); if (evt->filename) free(evt->filename); ArgusFree(evt); } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEventsProcess circuit done\n"); #endif } while (!(events->status & ARGUS_SHUTDOWN)); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEventsProcess() exiting\n"); #endif pthread_exit(retn); return(retn); } #define ARGUS_MAX_OS_STATUS 64512 #define ARGUS_MAX_OS_BUF 65536 struct ArgusRecordStruct * ArgusGenerateEventRecord (struct ArgusEventsStruct *events, struct ArgusEventRecordStruct *evt, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; int ocnt = 0, cnt = 0, tcnt = 0, len = ARGUS_MAX_OS_BUF; struct timeval now, then; if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (len)) == NULL) ArgusLog (LOG_ERR, "ArgusMallocListRecord returned NULL\n"); memset ((char *)retn, 0, ARGUS_MAX_OS_STATUS); retn->hdr.type = ARGUS_EVENT | ARGUS_VERSION; retn->hdr.cause = status; gettimeofday(&then, 0L); rec = (struct ArgusRecord *) &retn->canon; if (strncmp(evt->method, "file", 4) == 0) { int fd = 0; if ((fd = open(evt->filename, O_RDONLY)) > 0) { #if defined(HAVE_ZLIB_H) if (evt->status & ARGUS_ZLIB_COMPRESS) { char buf[ARGUS_MAX_OS_STATUS], *ptr = buf; snprintf (buf, ARGUS_MAX_OS_STATUS - 1, "file:%s\n", evt->filename); tcnt = strlen(buf); if ((cnt = read(fd, &ptr[tcnt], (ARGUS_MAX_OS_STATUS - tcnt))) > 0) { uLong slen = cnt, dlen = (ARGUS_MAX_OS_STATUS - tcnt); if (compress((Bytef *) &rec->argus_event.data.array, &dlen, (Bytef *)&buf, slen) != Z_OK) ArgusLog (LOG_ERR, "compress problem %s", strerror(errno)); ocnt = cnt; cnt = dlen; } } else { #endif char buf[ARGUS_MAX_OS_STATUS]; snprintf(buf, ARGUS_MAX_OS_STATUS - 1, "file:%s\n", evt->filename); strcpy(rec->argus_event.data.array, buf); tcnt = strlen(rec->argus_event.data.array); cnt = read(fd, &rec->argus_event.data.array[tcnt], len - tcnt); ocnt = cnt; #if defined(HAVE_ZLIB_H) } #endif close(fd); } } else if (strncmp(evt->method, "prog", 4) == 0) { char result[ARGUS_MAX_OS_STATUS], *ptr = NULL; int terror = 0, len = ARGUS_MAX_OS_STATUS; FILE *fd = NULL; memset(result, 0, sizeof(result)); snprintf(result, ARGUS_MAX_OS_STATUS - 1, "prog:%s\n", evt->filename); tcnt = strlen(result); if ((fd = popen(evt->filename, "r")) != NULL) { ptr = NULL; clearerr(fd); while ((!(feof(fd))) && (!(ferror(fd))) && (len > tcnt)) { if ((ptr = fgets(&result[tcnt], len - tcnt, fd)) == NULL) { if (ferror(fd)) { terror++; break; } } else { tcnt += strlen(ptr); if (strlen(ptr) == 0) break; } } if (terror == 0) ptr = result; else ptr = NULL; pclose(fd); } else ArgusLog (LOG_WARNING, "ArgusGenerateEvent: System error: popen(%s) %s\n", evt->filename, strerror(errno)); if (ptr != NULL) { char buf[ARGUS_MAX_OS_STATUS]; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(%s:%s) returned %d bytes", evt->method, evt->filename, strlen(ptr)); #endif #if defined(HAVE_ZLIB_H) if (evt->status & ARGUS_ZLIB_COMPRESS) { unsigned long slen = tcnt, dlen = ARGUS_MAX_OS_STATUS; if (compress((Bytef *) &rec->argus_event.data.array, &dlen, (Bytef *)ptr, slen) != Z_OK) ArgusLog (LOG_ERR, "compress problem %s", strerror(errno)); ocnt = slen; cnt = dlen; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(%s:%s) compress ratio %f", evt->method, evt->filename, cnt*1.0/ocnt*1.0); #endif } else { #endif ocnt = tcnt; strncpy(buf, ptr, ARGUS_MAX_OS_STATUS); strcpy((char *)&rec->argus_event.data.array, buf); cnt = strlen((char *)&rec->argus_event.data.array); #if defined(HAVE_ZLIB_H) } #endif } } /* struct ArgusEventStruct { struct ArgusDSRHeader event; struct ArgusTransportStruct trans; struct ArgusEventTimeStruct time; struct ArgusDataStruct data; }; struct ArgusFarStruct { struct ArgusFlow flow; }; struct ArgusRecord { struct ArgusRecordHeader hdr; union { struct ArgusMarStruct mar; struct ArgusFarStruct far; struct ArgusEventStruct event; } ar_un; }; */ if (cnt > 0) { struct ArgusTimeObject *time = &rec->argus_event.time; struct ArgusTransportStruct *trans = &rec->argus_event.trans; struct ArgusDataStruct *data = &rec->argus_event.data; int tlen = 1; gettimeofday(&now, 0L); time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP | ARGUS_TIME_SRC_START | ARGUS_TIME_SRC_END; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; tlen += time->hdr.argus_dsrvl8.len; retn->dsrs[ARGUS_TIME_INDEX] = &time->hdr; retn->dsrindex |= 1 << ARGUS_TIME_INDEX; time->src.start.tv_sec = then.tv_sec; time->src.start.tv_usec = then.tv_usec; time->src.end.tv_sec = now.tv_sec; time->src.end.tv_usec = now.tv_usec; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = events->ArgusSrc->type; trans->hdr.argus_dsrvl8.len = 3; tlen += trans->hdr.argus_dsrvl8.len; retn->dsrs[ARGUS_TRANSPORT_INDEX] = &trans->hdr; retn->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; trans->srcid.a_un.value = getArgusID(events->ArgusSrc); trans->seqnum = events->ArgusSrc->ArgusModel->ArgusSeqNum++; data->hdr.type = ARGUS_DATA_DSR; data->hdr.subtype = ARGUS_LEN_16BITS | ARGUS_SRC_DATA; if (evt->status & ARGUS_ZLIB_COMPRESS) data->hdr.subtype |= ARGUS_DATA_COMPRESS; len = 2 + ((cnt + 3)/4); data->hdr.argus_dsrvl16.len = len; data->count = cnt; data->size = ocnt; tlen += len; if ((retn->dsrs[ARGUS_SRCUSERDATA_INDEX] = ArgusCalloc(1, len * 4)) == NULL) ArgusLog (LOG_ERR, "ArgusGenerateEventRecord() ArgusCalloc error %s\n", strerror(errno)); bcopy((char *)data, (char *)retn->dsrs[ARGUS_SRCUSERDATA_INDEX], len * 4); retn->dsrindex |= 1 << ARGUS_SRCUSERDATA_INDEX; retn->hdr.len = tlen; bcopy((char *)&retn->hdr, &rec->hdr, sizeof(rec->hdr)); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGenerateEventRecord(%s:%s) retn 0x%x cnt %d ocnt %d", evt->method, evt->filename, retn, cnt, ocnt); #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(0x%x, %d) returning 0x%x", events, status, retn); #endif return (retn); } #endif /* ARGUS_THREADS */ argus-3.0.8.2/argus/ArgusEvents.h000444 000765 000024 00000005312 12513222401 017155 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusEvents.h#7 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusEvents_h #define ArgusEvents_h #include #include #include #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #else #include #endif #include #include #if defined(ARGUS_TILERA) #include #else #include #endif #include #include #ifdef ARGUS_SASL #include #endif #define ARGUS_EVENT_OS_STATUS 0x00000001 #define ARGUS_ZLIB_COMPRESS 0x00000001 #define ARGUS_ZLIB_COMPRESS2 0x00000002 struct ArgusEventRecordStruct { struct ArgusListObjectStruct *nxt; struct timespec poptime, remaining; char *entry; int status, interval; char *method; char *filename; long long runs; }; struct ArgusEventsStruct { int status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif struct ArgusListStruct *ArgusEventsList; struct ArgusListStruct *ArgusOutputList; struct ArgusModelerStruct *ArgusModel; struct ArgusSourceStruct *ArgusSrc; }; #if defined(ArgusEvents) struct ArgusEventsStruct *ArgusEventsTask = NULL; void ArgusInitEvents (struct ArgusEventsStruct *); void ArgusCloseEvents (struct ArgusEventsStruct *); int ArgusSortEventList (const void *, const void *); struct ArgusEventsStruct *ArgusNewEvents (void); #else extern struct ArgusEventsStruct *ArgusEventsTask; extern void ArgusInitEvents (struct ArgusEventsStruct *); extern void ArgusCloseEvents (struct ArgusEventsStruct *); extern int ArgusSortEventList (const void *, const void *); extern struct ArgusEventsStruct *ArgusNewEvents (void); #endif #endif /* #ifndef ArgusEvents_h */ argus-3.0.8.2/argus/ArgusFrag.c000444 000765 000024 00000046047 12513222401 016575 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Fragment processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusFrag.c#30 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusFrag) #define ArgusFrag #endif #include #include #include #include #include #include struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); int ArgusUpdateFRAGState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned short); int ArgusUpdateParentFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusZeroRecord (struct ArgusFlowStruct *); struct ArgusSystemFlow * ArgusCreateFRAGFlow (struct ArgusModelerStruct *model, void *ptr, unsigned short proto) { struct ArgusSystemFlow *retn = NULL; switch (proto) { case ETHERTYPE_IP: { struct ip tipbuf, *tip = &tipbuf; struct ip *ip = (struct ip *) ptr; #ifdef _LITTLE_ENDIAN bzero(tip, sizeof(*tip)); tip->ip_len = ntohs(ip->ip_len); tip->ip_id = ntohs(ip->ip_id); tip->ip_off = ntohs(ip->ip_off); tip->ip_p = ip->ip_p; tip->ip_src.s_addr = ntohl(ip->ip_src.s_addr); tip->ip_dst.s_addr = ntohl(ip->ip_dst.s_addr); #else tip = ip; #endif model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *ip)) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) { model->state |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; } } model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; } else { model->ArgusThisFlow->frag_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_dst.s_addr; } model->ArgusThisFlow->frag_flow.ip_p = tip->ip_p; model->ArgusThisFlow->frag_flow.ip_id = tip->ip_id; model->ArgusThisFlow->frag_flow.pad[0] = 0; model->ArgusThisFlow->frag_flow.pad[1] = 0; retn = model->ArgusThisFlow; } break; } case ETHERTYPE_IPV6: { struct ip6_frag *frag = model->ArgusThisIpv6Frag; model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *frag)) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { } else { } model->ArgusThisFlow->fragv6_flow.ip_id = frag->ip6f_ident; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; retn = model->ArgusThisFlow; } break; } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateFRAGFlow(0x%x, 0x%x, %d)", model, ptr, proto); #endif return (retn); } /* struct ArgusFragObject { unsigned int fragnum, frag_id; unsigned short totlen, currlen, maxfraglen, pad; }; */ int ArgusUpdateFRAGState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state, unsigned short proto) { int retn = 0, up_p = 0; struct ArgusNetworkStruct *net = NULL; struct ArgusFragObject *frag = NULL; struct ArgusFragOffsetStruct *fragOffset = NULL; struct ArgusFragOffsetStruct *thisFragOffset = NULL; struct ArgusFragOffsetStruct *prvfragOffset = NULL; struct ArgusFragOffsetStruct *nxtfragOffset = NULL; int offset = 0, length = 0, end = 0, newbytes = 1, found = 0; /* so the trick is to deal with out of order and missing fragments */ /* so lets figure out if this is the next chunk and get out fast if it is */ switch (proto) { case ETHERTYPE_IP: { struct ip *ip = (struct ip *)model->ArgusThisIpHdr; up_p = ip->ip_p; offset = (ntohs(ip->ip_off) & 0x1fff) << 3; length = ntohs(ip->ip_len) - (ip->ip_hl * 4); end = offset + length; break; } case ETHERTYPE_IPV6: { struct ip6_frag *tfrag = model->ArgusThisIpv6Frag; up_p = tfrag->ip6f_nxt; offset = ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK); length = model->ArgusThisLength; end = offset + length; break; } } if ((net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_FRAG_INDEX]) != NULL) { if (net->hdr.subtype != ARGUS_NETWORK_SUBTYPE_FRAG) { if (state == ARGUS_START) { memset (net, 0, sizeof(struct ArgusFragObject) + 4); net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; } } frag = &net->net_union.frag; frag->totbytes += model->ArgusThisLength; /* is this the first fragment chunk seen ?*/ if (!(frag->offsets.end)) { frag->offsets.start = offset; frag->offsets.end = end; found = 1; } else { /* if not lets see if we've seen this data before */ fragOffset = &frag->offsets; while ((fragOffset != NULL) && !(found)) { /* this frag is past this frag chunk, so continue */ if (offset > fragOffset->end) { prvfragOffset = fragOffset; fragOffset = fragOffset->nxt; } else /* if frag is contiguous with previously frag, then update end */ if (offset == fragOffset->end) { /* check that we don't overlap next frag, prediction is that there is no nxt frag */ if ((nxtfragOffset = fragOffset->nxt) == NULL) { fragOffset->end = end; found = 1; } else { /* this frag connects the two frags so account and remove nxt chunk */ if (end == nxtfragOffset->start) { fragOffset->nxt = nxtfragOffset->nxt; fragOffset->end = nxtfragOffset->end; free(nxtfragOffset); found = 1; } else /* this frag ends before the next chunk, i.e. we missed several frags */ if (end < nxtfragOffset->start) { fragOffset->end = end; found = 1; } else { /* this frag overlaps, so chop this frag, set overlap, and then continue */ offset = nxtfragOffset->start; fragOffset->end = nxtfragOffset->start; flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; prvfragOffset = fragOffset; fragOffset = nxtfragOffset; } } } else /* so this offset is before or in this chunk, so check if this is before or previous */ if (offset < fragOffset->start) { if (end == fragOffset->start) { fragOffset->start = offset; found = 1; } else { if (end < fragOffset->start) { fragOffset = NULL; } else { /* so end is in or past this frag, if past, then remove the smaller frag in list and start over */ if (end > fragOffset->end) { flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; frag->bytes -= (fragOffset->end - fragOffset->start); /* if there is a nxt fragment, replace the overlaping frag (fragOffset) with it */ if (fragOffset->nxt != NULL) { if (prvfragOffset != NULL) { prvfragOffset->nxt = fragOffset->nxt; } else { bcopy((char *) fragOffset->nxt , (char *)&frag->offsets, sizeof(frag->offsets)); } /* else just update the prv fragments pointer to toss this one */ } else { if (prvfragOffset != NULL) { prvfragOffset->nxt = NULL; } else { /* else we're the first chunk just update this chunk */ fragOffset->start = offset; fragOffset->end = end; found = 1; } } if (fragOffset != &frag->offsets) free(fragOffset); prvfragOffset = NULL; fragOffset = &frag->offsets; } else { /* so (end < fragOffset->end), overlap but account for previous missing chunk */ flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; end = fragOffset->start; fragOffset->start = offset; found = 1; } } } } else /* if frag is coincidental with this frag, then retransmission or overlap */ if (offset >= fragOffset->start) { if (end <= fragOffset->end) { if ((offset == fragOffset->start) && (end == fragOffset->end)) flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_SRC_PKTS_RETRANS; else flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; newbytes = 0; found = 1; } else { /* this end extends beyond this frag, so clip and continue */ flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; /* if we do, chop this frag, set overlap, and then continue */ if ((fragOffset->nxt != NULL) && (fragOffset->nxt->start < end)) { offset = fragOffset->nxt->start; fragOffset->end = fragOffset->nxt->start; } else offset = fragOffset->end; prvfragOffset = fragOffset; fragOffset = fragOffset->nxt; } } } if (flowstr->canon.net.hdr.argus_dsrvl8.qual & ARGUS_FRAGOVERLAP) /* first check the TCP header overlap condition */ if ((up_p == IPPROTO_TCP) && ((offset > 0) && (offset < 2))) flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_TCPFRAGOFFSETERROR; } /* if its new data update byte counters */ if (newbytes) frag->bytes += end - offset; frag->fragnum++; if (model->ArgusThisLength > frag->maxfraglen) frag->maxfraglen = model->ArgusThisLength; switch (proto) { case ETHERTYPE_IP: { struct ip *iphdr = (struct ip *)model->ArgusThisIpHdr; if (!(ntohs(iphdr->ip_off) & IP_MF)) frag->totlen = ((ntohs(iphdr->ip_off) & 0x1fff) << 3) + (ntohs(iphdr->ip_len) - (iphdr->ip_hl << 2)); break; } case ETHERTYPE_IPV6: { struct ip6_frag *tfrag = model->ArgusThisIpv6Frag; struct ip6_hdr *iphdr = (struct ip6_hdr *)model->ArgusThisIpHdr; if (!(tfrag->ip6f_offlg & IP6F_MORE_FRAG)) frag->totlen = (ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK) + (ntohs(iphdr->ip6_plen) - 8)); break; } } /* so if we've seen the first fragment we can know how many bytes to expect */ if (frag->totlen) { /* so if we've seen all the bytes */ if (frag->totlen == frag->bytes) { if (!(ArgusUpdateParentFlow (model, flowstr))) ArgusSendFlowRecord(model, flowstr, ARGUS_STOP); /* don't try to deallocate the non-malloc first chunk */ if ((fragOffset = frag->offsets.nxt) != NULL) { struct ArgusFragOffsetStruct *toffset = fragOffset->nxt; do { toffset = fragOffset->nxt; free(fragOffset); fragOffset = toffset; } while (fragOffset); } memset(&frag->offsets, 0, sizeof(frag->offsets)); retn = 1; } else { /* we could wait, thinking we'll get some fragments out of order may just want to finish up here with reported packet loss ? the option is to wait for the timeout */ } } else { /* test if we need add this chunk */ if (!found) { /* test if we've used the base frag offset */ if (fragOffset || prvfragOffset) { /* yes so we're going to add a new chunk */ if (fragOffset == NULL) fragOffset = prvfragOffset; if ((thisFragOffset = (struct ArgusFragOffsetStruct *) malloc(sizeof(*thisFragOffset))) != NULL) { thisFragOffset->nxt = NULL; thisFragOffset->start = offset; thisFragOffset->end = end; /* so does this go as the next chunk or the first chunk */ /* the idea is that fragOffset is the pointer to the new previous chunk */ /* so add it as its nxt pointer */ if (fragOffset->nxt == NULL) fragOffset->nxt = thisFragOffset; else { if ((fragOffset = &frag->offsets) != NULL) { while (fragOffset->nxt != NULL) fragOffset = fragOffset->nxt; fragOffset->nxt = thisFragOffset; } } } } else { } } } } else { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateFRAGState (0x%x, %d) no frag struct\n", flowstr, state); #endif } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateFRAGState(0x%x, 0x%x, %d) returns %d\n", model, flowstr, state, retn); #endif return (retn); } int ArgusUpdateParentFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr) { struct ArgusNetworkStruct *net = NULL; struct ArgusFragObject *frag = NULL; struct ArgusFlowStruct *parent; int retn = 0, found = 0; if (flowstr->canon.metric.src.pkts || flowstr->canon.metric.dst.pkts) { if ((net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_FRAG_INDEX]) != NULL) { frag = &net->net_union.frag; if ((parent = frag->parent) != NULL) { if (flowstr->qhdr.queue == &parent->frag) { found++; } else { } } } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusUpdateFRAGState(0x%x, 0x%x) parent has no frag struct", model, flowstr); #endif return (retn); } if (found) { struct ArgusTimeObject *ftime = NULL, *ptime = NULL; struct ArgusSystemFlow *flow = NULL; struct ArgusMetricStruct *metrics = NULL; if (parent->status & ARGUS_RECORD_WRITTEN) ArgusZeroRecord(parent); flow = (struct ArgusSystemFlow *)parent->dsrs[ARGUS_FLOW_INDEX]; metrics = (struct ArgusMetricStruct *) parent->dsrs[ARGUS_METRIC_INDEX]; #define ARGUS_TYPES (ARGUS_TYPE_IPV4 | ARGUS_TYPE_IPV6 | ARGUS_TYPE_ARP | ARGUS_TYPE_ETHER) if (flow && metrics) { switch (flow->hdr.argus_dsrvl8.qual & ARGUS_TYPES) { case ARGUS_TYPE_IPV4: case ARGUS_TYPE_IPV6: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) parent->dsrs[ARGUS_IPATTR_INDEX]; if ((parent->state & ARGUS_DIRECTION) != (flowstr->state & ARGUS_DIRECTION)) { metrics->dst.pkts += flowstr->canon.metric.src.pkts; metrics->dst.bytes += flowstr->canon.metric.src.bytes; flowstr->canon.metric.src.pkts = 0; flowstr->canon.metric.src.bytes = 0; if (attr != NULL) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } else { metrics->src.pkts += flowstr->canon.metric.src.pkts; metrics->src.bytes += flowstr->canon.metric.src.bytes; flowstr->canon.metric.src.pkts = 0; flowstr->canon.metric.src.bytes = 0; if (attr != NULL) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; } break; } } } ftime = (struct ArgusTimeObject *) flowstr->dsrs[ARGUS_TIME_INDEX]; ptime = (struct ArgusTimeObject *) parent->dsrs[ARGUS_TIME_INDEX]; if (ftime && ptime) { struct ArgusTimeStruct *pstime; if ((parent->state & ARGUS_DIRECTION) != (flowstr->state & ARGUS_DIRECTION)) { pstime = &ptime->dst; } else { pstime = &ptime->src; } if (ptime->hdr.subtype == ARGUS_TIME_ABSOLUTE_TIMESTAMP) { ptime->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; ptime->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; ptime->hdr.argus_dsrvl8.len = 5; if ((pstime->start.tv_sec > ftime->src.start.tv_sec) || ((pstime->start.tv_sec == ftime->src.start.tv_sec) && (pstime->start.tv_usec > ftime->src.start.tv_usec))) { pstime->start = ftime->src.start; } pstime->end = ftime->src.end; } else { if ((pstime->end.tv_sec < ftime->src.end.tv_sec) || ((pstime->end.tv_sec == ftime->src.end.tv_sec) && (pstime->end.tv_usec < ftime->src.end.tv_usec))) { pstime->end = ftime->src.end; } } parent->dsrindex |= 1 << ARGUS_TIME_INDEX; } retn = 1; } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusUpdateParentFlow(0x%x) did not find parent 0x%x\n", flowstr, parent); #endif } } #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateParentFlow(0x%x) returning 0x%x\n", flowstr, retn); #endif return (retn); } argus-3.0.8.2/argus/ArgusIcmp.c000444 000765 000024 00000034766 12560543556 016636 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - ICMP protocol processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusIcmp.c#23 $ * $DateTime: 2015/08/05 22:33:18 $ * $Change: 3042 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusIcmp) #define ArgusIcmp #endif #include #include #include #include #include struct ArgusSystemFlow * ArgusCreateICMPv6Flow (struct ArgusModelerStruct *model, struct icmp6_hdr *icmp) { struct ArgusSystemFlow *retn = NULL; if (STRUCTCAPTURED(model, *icmp)) { struct ArgusICMPv6Flow *icmpv6Flow = &model->ArgusThisFlow->icmpv6_flow; icmpv6Flow->type = icmp->icmp6_type; switch (icmp->icmp6_type & ICMP6_INFOMSG_MASK) { case ICMP6_INFOMSG_MASK: switch (icmp->icmp6_type) { case ICMP6_ECHO_REPLY: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_ECHO_REQUEST; break; case ICMP6_MEMBERSHIP_REPORT: case ICMP6_MEMBERSHIP_REDUCTION: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_MEMBERSHIP_QUERY; break; case ND_ROUTER_ADVERT: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ND_ROUTER_SOLICIT; break; case ND_NEIGHBOR_ADVERT: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ND_NEIGHBOR_SOLICIT; break; case ICMP6_HADISCOV_REPLY: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_HADISCOV_REQUEST; break; } icmpv6Flow->code = icmp->icmp6_code; break; default: { switch (icmp->icmp6_type) { case ICMP6_DST_UNREACH: case ICMP6_PACKET_TOO_BIG: case ICMP6_TIME_EXCEEDED: case ICMP6_PARAM_PROB: break; } icmpv6Flow->type = icmp->icmp6_type; icmpv6Flow->code = icmp->icmp6_code; break; } } if (model->state & ARGUS_DIRECTION) { } retn = (struct ArgusSystemFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateICMPFlow(0x%x) returning %d\n", icmp, retn); #endif return (retn); } struct ArgusSystemFlow * ArgusCreateICMPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusSystemFlow *retn = NULL; struct icmp *icmp = (struct icmp *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, icmp->icmp_type)) { struct ArgusICMPFlow *icmpFlow = &model->ArgusThisFlow->icmp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; retn->hdr.argus_dsrvl8.len = 5; icmpFlow->ip_src = ntohl(ip->ip_src.s_addr); icmpFlow->ip_dst = ntohl(ip->ip_dst.s_addr); icmpFlow->type = icmp->icmp_type; icmpFlow->ip_p = ip->ip_p; icmpFlow->tp_p = 0; icmpFlow->id = 0; icmpFlow->ip_id = 0; if (ICMP_INFOTYPE(icmp->icmp_type)) { switch (icmp->icmp_type) { case ICMP_ECHOREPLY: model->state |= ARGUS_DIRECTION; case ICMP_ECHO: icmpFlow->type = ICMP_ECHO; if (STRUCTCAPTURED(model, icmp->icmp_id)) icmpFlow->id = ntohs(icmp->icmp_id); if (STRUCTCAPTURED(model, icmp->icmp_seq)) icmpFlow->ip_id = ntohs(icmp->icmp_seq); break; case ICMP_TSTAMPREPLY: model->state |= ARGUS_DIRECTION; case ICMP_TSTAMP: icmpFlow->type = ICMP_TSTAMP; break; case ICMP_IREQREPLY: model->state |= ARGUS_DIRECTION; case ICMP_IREQ: icmpFlow->type = ICMP_IREQ; break; case ICMP_MASKREPLY: model->state |= ARGUS_DIRECTION; case ICMP_MASKREQ: icmpFlow->type = ICMP_MASKREQ; break; } } else { if (STRUCTCAPTURED(model, icmp->icmp_code)) { icmpFlow->code = icmp->icmp_code; if (STRUCTCAPTURED(model, icmp->icmp_ip)) { struct ip *oip = &icmp->icmp_ip; switch (icmp->icmp_type) { case ICMP_UNREACH: switch (icmp->icmp_code) { case ICMP_UNREACH_PROTOCOL: icmpFlow->id = (unsigned short) icmp->icmp_ip.ip_p; break; case ICMP_UNREACH_PORT: { struct ip *oip = &icmp->icmp_ip; struct udphdr *ouh; int hlen = oip->ip_hl << 2; ouh = (struct udphdr *) (((u_char *) oip) + hlen); icmpFlow->tp_p = oip->ip_p; icmpFlow->id = ntohs((unsigned short) ouh->uh_dport); break; } case ICMP_UNREACH_NET: case ICMP_UNREACH_HOST: bcopy ((char *) &icmp->icmp_ip.ip_dst.s_addr, (char *)&icmpFlow->id, sizeof (int)); break; } break; case ICMP_REDIRECT: switch (icmp->icmp_code) { case ICMP_REDIRECT_TOSNET: case ICMP_REDIRECT_TOSHOST: icmpFlow->tp_p = oip->ip_tos; break; case ICMP_REDIRECT_NET: case ICMP_REDIRECT_HOST: bcopy ((char *) &icmp->icmp_ip.ip_dst.s_addr, (char *)&icmpFlow->id, sizeof (int)); break; } break; default: break; } } } } if (model->state & ARGUS_DIRECTION) { unsigned int addr = icmpFlow->ip_src; icmpFlow->ip_src = icmpFlow->ip_dst; icmpFlow->ip_dst = addr; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateICMPFlow(0x%x) returning %d\n", ip, retn); #endif return (retn); } #include #include void ArgusUpdateICMPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateICMPv6State (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateICMPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct ArgusICMPObject *icmpObj = &net->net_union.icmp; struct icmp *icmp = (struct icmp *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *icmp)) { if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ICMP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusICMPObject)+3))/4 + 1; bzero ((char *)icmpObj, sizeof(*icmpObj)); icmpObj->icmp_type = icmp->icmp_type; icmpObj->icmp_code = icmp->icmp_code; icmpObj->iseq = ntohs(icmp->icmp_seq); icmpObj->osrcaddr = ntohl(((struct ip *)model->ArgusThisIpHdr)->ip_src.s_addr); icmpObj->odstaddr = ntohl(((struct ip *)model->ArgusThisIpHdr)->ip_dst.s_addr); if (ICMP_INFOTYPE(icmp->icmp_type)) { switch (icmp->icmp_type) { case ICMP_ECHO: case ICMP_IREQ: case ICMP_MASKREQ: case ICMP_TSTAMP: break; case ICMP_MASKREPLY: icmp->icmp_mask = ntohl(icmp->icmp_mask); icmpObj->isrcaddr = icmp->icmp_mask; case ICMP_ECHOREPLY: case ICMP_IREQREPLY: case ICMP_TSTAMPREPLY: break; } } else { struct ip *oip = &icmp->icmp_ip; if (STRUCTCAPTURED(model, *oip)) { icmpObj->isrcaddr = ntohl(oip->ip_src.s_addr); icmpObj->idstaddr = ntohl(oip->ip_dst.s_addr); icmpObj->igwaddr = ntohl(icmp->icmp_gwaddr.s_addr); } } } else { if (ICMP_INFOTYPE(icmp->icmp_type)) { if ((flowstr->canon.metric.src.pkts == 0) && (flowstr->canon.metric.dst.pkts == 0)) icmpObj->icmp_type = icmp->icmp_type; switch (icmp->icmp_type) { case ICMP_ECHO: case ICMP_IREQ: case ICMP_TSTAMP: case ICMP_MASKREQ: *state = ARGUS_START; icmpObj->icmp_type = icmp->icmp_type; break; case ICMP_ECHOREPLY: case ICMP_IREQREPLY: case ICMP_TSTAMPREPLY: case ICMP_MASKREPLY: model->ArgusInProtocol = 1; break; default: break; } } } if (!(ICMP_INFOTYPE(icmp->icmp_type))) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow; struct ArgusHashStruct hstruct; struct ip *oip = &icmp->icmp_ip; if (STRUCTCAPTURED(model, *oip)) { model->ArgusThisIpHdr = oip; model->ArgusThisUpHdr = (unsigned char *) oip; if ((tflow = ArgusCreateFlow(model, oip, model->ArgusThisLength)) != NULL) { ArgusCreateFlowKey (model, tflow, &hstruct); if ((flow = ArgusFindFlow (model, &hstruct)) != NULL) { struct ArgusDSRHeader *dsr = &flow->canon.icmp.hdr; struct ArgusTimeObject *time = &flow->canon.time; dsr->type = ARGUS_ICMP_DSR; dsr->subtype = 0; switch (icmp->icmp_type) { case ICMP_UNREACH: dsr->argus_dsrvl8.qual = ARGUS_ICMPUNREACH_MAPPED; break; case ICMP_REDIRECT: dsr->argus_dsrvl8.qual = ARGUS_ICMPREDIREC_MAPPED; break; case ICMP_TIMXCEED: dsr->argus_dsrvl8.qual = ARGUS_ICMPTIMXCED_MAPPED; break; } dsr->argus_dsrvl8.len = (sizeof (struct ArgusIcmpStruct) + 3)/4 + 1; bcopy ((char *) icmpObj, (char *) (dsr + 1), sizeof (*icmpObj)); flow->dsrs[ARGUS_ICMP_INDEX] = dsr; flow->dsrindex |= 1 << ARGUS_ICMP_INDEX; if (time->src.start.tv_sec == 0) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 3; time->src.start.tv_sec = model->ArgusGlobalTime.tv_sec; time->src.start.tv_usec = model->ArgusGlobalTime.tv_usec; } else { if (time->hdr.argus_dsrvl8.len != 5) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; } time->src.end.tv_sec = model->ArgusGlobalTime.tv_sec; time->src.end.tv_usec = model->ArgusGlobalTime.tv_usec; } } } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateICMPState(0x%x, %d) returning\n", flowstr, state); #endif } void ArgusUpdateICMPv6State (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct ArgusICMPv6Object *icmpObj = &net->net_union.icmpv6; struct icmp6_hdr *icmpv6 = (struct icmp6_hdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *icmpv6)) { if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ICMP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusICMPObject)+3))/4 + 1; bzero ((char *)icmpObj, sizeof(*icmpObj)); icmpObj->icmp_type = icmpv6->icmp6_type; icmpObj->icmp_code = icmpv6->icmp6_code; icmpObj->cksum = ntohs(icmpv6->icmp6_cksum); if (icmpv6->icmp6_type & ICMP6_INFOMSG_MASK) { } else { switch (icmpv6->icmp6_type) { case ICMP6_DST_UNREACH: case ICMP6_PACKET_TOO_BIG: case ICMP6_TIME_EXCEEDED: case ICMP6_PARAM_PROB: break; } } } else { if (icmpv6->icmp6_type & ICMP6_INFOMSG_MASK) { if ((flowstr->canon.metric.src.pkts == 0) && (flowstr->canon.metric.dst.pkts == 0)) icmpObj->icmp_type = icmpv6->icmp6_type; switch (icmpv6->icmp6_type) { default: break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateICMPState(0x%x, %d) returning\n", flowstr, state); #endif } argus-3.0.8.2/argus/ArgusIgmp.c000444 000765 000024 00000010155 12513222401 016601 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - IGMP protocol processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusIgmp.c#17 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusIgmp) #define ArgusIgmp #endif #include #include #include #include #include #if !defined(IGMP_MEMBERSHIP_QUERY) #define IGMP_MEMBERSHIP_QUERY 0x11 #endif #if !defined(IGMP_V1_MEMBERSHIP_REPORT) #define IGMP_V1_MEMBERSHIP_REPORT 0x12 #endif #if !defined(IGMP_V2_MEMBERSHIP_REPORT) #define IGMP_V2_MEMBERSHIP_REPORT 0x16 #endif #if !defined(IGMP_V2_LEAVE_GROUP) #define IGMP_V2_LEAVE_GROUP 0x17 #endif struct ArgusFlow *ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *, struct igmp *); struct ArgusFlow *ArgusCreateIGMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusFlow * ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *model, struct igmp *igmp) { struct ArgusFlow *retn = NULL; struct ArgusIGMPFlow *igmpFlow = &model->ArgusThisFlow->igmp_flow; if (STRUCTCAPTURED(model, *igmp)) { igmpFlow->type = igmp->igmp_type; igmpFlow->code = igmp->igmp_code; igmpFlow->pad = 0; switch (igmp->igmp_type) { case IGMP_HOST_MEMBERSHIP_QUERY: if (igmp->igmp_group.s_addr != 0) igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; case IGMP_V1_MEMBERSHIP_REPORT: case IGMP_V2_MEMBERSHIP_REPORT: case IGMP_V2_LEAVE_GROUP: default: igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; } retn = (struct ArgusFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIGMPFlow(0x%x) returning %d\n", igmp, retn); #endif return (retn); } struct ArgusFlow * ArgusCreateIGMPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusFlow *retn = NULL; unsigned int *igmphdr = (unsigned int *) model->ArgusThisUpHdr; struct igmp *igmp = (struct igmp *) igmphdr; struct ArgusIGMPFlow *igmpFlow = &model->ArgusThisFlow->igmp_flow; model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *igmphdr)) { model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; igmpFlow->ip_src = ntohl(ip->ip_src.s_addr); igmpFlow->ip_dst = ntohl(ip->ip_dst.s_addr); igmpFlow->ip_p = ip->ip_p; igmpFlow->type = igmp->igmp_type; igmpFlow->code = igmp->igmp_code; igmpFlow->ip_id = ntohs(ip->ip_id); igmpFlow->pad = 0; switch (igmp->igmp_type) { case IGMP_HOST_MEMBERSHIP_QUERY: if (igmp->igmp_group.s_addr != 0) igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; case IGMP_V1_MEMBERSHIP_REPORT: case IGMP_V2_MEMBERSHIP_REPORT: case IGMP_V2_LEAVE_GROUP: default: igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; } retn = (struct ArgusFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIGMPFlow(0x%x) returning %d\n", ip, retn); #endif return (retn); } argus-3.0.8.2/argus/ArgusIsis.c000444 000765 000024 00000075616 12513222401 016631 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusIsis.c#11 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusIsis #define ArgusIsis #endif #include void ArgusUpdateIsisState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusInitializeIsis (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusIsisFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); static int isis_cksum(const u_int16_t *, u_int); #define ISIS_COMMON_HEADER_SIZE (sizeof(struct isis_common_header)) #define ISIS_IIH_LAN_HEADER_SIZE (sizeof(struct isis_iih_lan_header)) #define ISIS_IIH_PTP_HEADER_SIZE (sizeof(struct isis_iih_ptp_header)) #define ISIS_LSP_HEADER_SIZE (sizeof(struct isis_lsp_header)) #define ISIS_CSNP_HEADER_SIZE (sizeof(struct isis_csnp_header)) #define ISIS_PSNP_HEADER_SIZE (sizeof(struct isis_psnp_header)) int mask2plen (u_int32_t); struct ArgusSystemFlow *ArgusCreateEtherFlow (struct ArgusModelerStruct *, struct ether_header *); struct ArgusSystemFlow * ArgusCreateEtherFlow (struct ArgusModelerStruct *model, struct ether_header *ep) { struct ArgusSystemFlow *retn = NULL; if (ep != NULL) { int dstgteq = 1, i; model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ETHER; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; #ifndef ETH_ALEN #define ETH_ALEN 6 #endif for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } if (dstgteq) { bcopy ((char *) ep, (char *)&model->ArgusThisFlow->mac_flow.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_shost, ETH_ALEN); } model->ArgusThisFlow->mac_flow.ehdr.ether_type = ep->ether_type; if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { model->ArgusThisFlow->mac_flow.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_ISIS: model->ArgusThisFlow->mac_flow.ehdr.ether_type = ARGUS_ISIS; break; case ARGUS_CLNS: case ARGUS_ESIS: case ARGUS_NULLNS: break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->ssap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->dsap; } else { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->dsap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->ssap; } } else { model->ArgusThisFlow->mac_flow.ssap = 0; model->ArgusThisFlow->mac_flow.dsap = 0; } retn = model->ArgusThisFlow; } return (retn); } /* extern char *etheraddr_string(u_char *); static char *isis_print_id(const u_int8_t *, int); */ char *bittok2str(const struct tok *, const char *, int); const char *tok2str(const struct tok *lp, const char *fmt, int); int print_unknown_data(const u_char *, const char *, int); struct ArgusSystemFlow * ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header) { struct ArgusSystemFlow *retn = NULL; struct ether_header *ep = model->ArgusThisEpHdr; u_int8_t pdu_type, *optr, *pptr; int length; if (header && STRUCTCAPTURED(ArgusModel, *header)) { length = model->ArgusThisLength; optr = (unsigned char *)header; pptr = optr + (ISIS_COMMON_HEADER_SIZE); if ((header->version == ISIS_VERSION) && (header->pdu_version == ISIS_VERSION) && ((header->id_length == SYSTEM_ID_LEN) || (header->id_length == 0))) { struct ArgusIsisFlow *isis = &model->ArgusThisFlow->isis_flow; /* id_length = (header->id_length == 0) ? 6 : header->id_length; max_area = (header->max_area == 0) ? 3 : header->max_area; */ model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ISIS; model->ArgusThisFlow->hdr.argus_dsrvl8.len = ((sizeof(*isis) + 3)/4) + 1; bcopy ((char *)&ep->ether_shost, (char *)&isis->esrc, 6); bcopy ((char *)&ep->ether_dhost, (char *)&isis->edst, 6); isis->proto_version = header->version; switch (pdu_type = header->pdu_type) { case L1_LAN_IIH: case L2_LAN_IIH: { const struct isis_iih_lan_header *header_iih_lan = (const struct isis_iih_lan_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_IIH_LAN_HEADER_SIZE)) { isis->pdu_type = pdu_type; bzero ((char *)&isis->isis_un.hello.srcid, sizeof(isis->isis_un.hello.srcid)); bzero ((char *)&isis->isis_un.hello.lanid, sizeof(isis->isis_un.hello.lanid)); bcopy ((char *)&header_iih_lan->source_id, (char *)&isis->isis_un.hello.srcid, SYSTEM_ID_LEN); bcopy ((char *)&header_iih_lan->lan_id, (char *)&isis->isis_un.hello.lanid, NODE_ID_LEN); retn = model->ArgusThisFlow; { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } } break; } case L1_LSP: case L2_LSP: { const struct isis_lsp_header *header_lsp = (const struct isis_lsp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_LSP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_lsp->lsp_id, (char *)&isis->isis_un.lsp.lspid, LSP_ID_LEN); isis->isis_un.lsp.seqnum = EXTRACT_32BITS(header_lsp->sequence_number); isis->chksum = EXTRACT_16BITS(header_lsp->checksum); retn = model->ArgusThisFlow; } break; } case PTP_IIH: { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; break; } case L1_CSNP: case L2_CSNP: { const struct isis_csnp_header *header_csnp = (const struct isis_csnp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_CSNP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_csnp->source_id, (char *)&isis->isis_un.csnp.srcid, NODE_ID_LEN); { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } retn = model->ArgusThisFlow; } break; } case L1_PSNP: case L2_PSNP: { const struct isis_psnp_header *header_psnp = (const struct isis_psnp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_PSNP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_psnp->source_id, (char *)&isis->isis_un.psnp.srcid, NODE_ID_LEN); retn = model->ArgusThisFlow; { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } } break; } default: break; } } } if (retn == NULL) retn = ArgusCreateEtherFlow (model, ep); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIsisFlow (0x%x) returning %d\n", ep, retn); #endif return (retn); } void ArgusUpdateIsisState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { const struct isis_common_header *header = (const struct isis_common_header *) model->ArgusThisUpHdr; const u_int8_t *pptr; if (flowstr) { if (header && STRUCTCAPTURED(model, *header)) { pptr = model->ArgusThisUpHdr + (ISIS_COMMON_HEADER_SIZE); model->ArgusThisLength += 5; /* fudge ? */ model->ArgusSnapLength += 5; /* fudge ? */ if (state == ARGUS_START) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ISIS_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = (sizeof (struct ArgusIsisObject) + 3)/4; flowstr->dsrs[ARGUS_NETWORK_INDEX] = &flowstr->canon.net.hdr; bcopy ((char *)header, (char *)&flowstr->canon.net.net_union.isis.common, sizeof(*header)); switch (header->pdu_type) { case L1_LAN_IIH: case L2_LAN_IIH: { const struct isis_iih_lan_header *header_iih_lan; header_iih_lan = (const struct isis_iih_lan_header *)pptr; bcopy ((char *)header_iih_lan, (char *)&flowstr->canon.net.net_union.isis.isis_un.iih_lan, sizeof(*header_iih_lan)); break; } case L1_LSP: case L2_LSP: { const struct isis_lsp_header *header_lsp; header_lsp = (const struct isis_lsp_header *)pptr; bcopy ((char *)header_lsp, (char *)&flowstr->canon.net.net_union.isis.isis_un.lsp, sizeof(*header_lsp)); break; } case PTP_IIH: break; case L1_CSNP: case L2_CSNP: { const struct isis_csnp_header *header_csnp; header_csnp = (const struct isis_csnp_header *)pptr; bcopy ((char *)header_csnp, (char *)&flowstr->canon.net.net_union.isis.isis_un.csnp, sizeof(*header_csnp)); break; } case L1_PSNP: case L2_PSNP: { const struct isis_psnp_header *header_psnp; header_psnp = (const struct isis_psnp_header *)pptr; bcopy ((char *)header_psnp, (char *)&flowstr->canon.net.net_union.isis.isis_un.psnp, sizeof(*header_psnp)); break; } } } else { flowstr->userlen = 0; } } } /* isis_print(model->ArgusThisUpHdr, model->ArgusThisLength); printf ("\n"); */ } void ArgusInitializeIsis (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { /* unsigned char rev = flow->state.rev, dir = flow->state.dir; flow->ArgusTransactionNum = ArgusTransactionNum++; bzero ((char *)&flow->state, sizeof(flow->state)); flow->state.rev = rev; flow->state.dir = dir; flow->state.src.active.minval = 0x7FFFFFFF; flow->state.dst.active.minval = 0x7FFFFFFF; */ flow->qhdr.lasttime.tv_sec = 0; flow->qhdr.lasttime.tv_usec = 0; if (model->ArgusSrc->ArgusReadingOffLine) flow->qhdr.qtime = ArgusModel->ArgusGlobalTime; else gettimeofday(&flow->qhdr.qtime, 0L); ArgusUpdateFlow (model, flow, ARGUS_START, 1); } void ArgusIsisFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } /* static char * print_nsap(register const u_int8_t *pptr, register int nsap_length) { int nsap_idx; static char nsap_ascii_output[sizeof("xx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xx")]; char *junk_buf = nsap_ascii_output; if (nsap_length < 1 || nsap_length > 20) { snprintf(nsap_ascii_output, sizeof(nsap_ascii_output), "illegal length"); return (nsap_ascii_output); } for (nsap_idx = 0; nsap_idx < nsap_length; nsap_idx++) { snprintf(junk_buf, sizeof(nsap_ascii_output) - (junk_buf - nsap_ascii_output), "%02x", *pptr++); junk_buf += strlen(junk_buf); if (((nsap_idx & 1) == 0) && (nsap_idx + 1 < nsap_length)) { *junk_buf++ = '.'; } } *(junk_buf) = '\0'; return (nsap_ascii_output); } */ /* shared routine for printing system, node and lsp-ids */ /* static char * isis_print_id(const u_int8_t *cp, int id_len) { int i; static char id[sizeof("xxxx.xxxx.xxxx.yy-zz")]; char *pos = id; for (i = 1; i <= SYSTEM_ID_LEN; i++) { snprintf(pos, sizeof(id) - (pos - id), "%02x", *cp++); pos += strlen(pos); if (i == 2 || i == 4) *pos++ = '.'; } if (id_len >= NODE_ID_LEN) { snprintf(pos, sizeof(id) - (pos - id), ".%02x", *cp++); pos += strlen(pos); } if (id_len == LSP_ID_LEN) snprintf(pos, sizeof(id) - (pos - id), "-%02x", *cp); return (id); } */ /* print the 4-byte metric block which is common found in the old-style TLVs */ /* static int isis_print_metric_block (const struct isis_metric_block *isis_metric_block) { printf(", Default Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_default), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_default) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_delay)) printf("\n\t\t Delay Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_delay), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_delay) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_expense)) printf("\n\t\t Expense Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_expense), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_expense) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_error)) printf("\n\t\t Error Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_error), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_error) ? "External" : "Internal"); return(1); } static int isis_print_tlv_ip_reach (const u_int8_t *cp, const char *ident, int length) { int prefix_len; const struct isis_tlv_ip_reach *tlv_ip_reach; tlv_ip_reach = (const struct isis_tlv_ip_reach *)cp; while (length > 0) { if ((size_t)length < sizeof(*tlv_ip_reach)) { printf("short IPv4 Reachability (%d vs %lu)", length, (unsigned long)sizeof(*tlv_ip_reach)); return (0); } prefix_len = mask2plen(EXTRACT_32BITS(tlv_ip_reach->mask)); if (prefix_len == -1) printf("%sIPv4 prefix: %s mask %s", ident, ipaddr_string((tlv_ip_reach->prefix)), ipaddr_string((tlv_ip_reach->mask))); else printf("%sIPv4 prefix: %15s/%u", ident, ipaddr_string((tlv_ip_reach->prefix)), prefix_len); printf(", Distribution: %s, Metric: %u, %s", ISIS_LSP_TLV_METRIC_UPDOWN(tlv_ip_reach->isis_metric_block.metric_default) ? "down" : "up", ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_default), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_default) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_delay)) printf("%s Delay Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_delay), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_delay) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_expense)) printf("%s Expense Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_expense), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_expense) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_error)) printf("%s Error Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_error), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_error) ? "External" : "Internal"); length -= sizeof(struct isis_tlv_ip_reach); tlv_ip_reach++; } return (1); } */ /* * this is the common IP-REACH subTLV decoder it is called * from various EXTD-IP REACH TLVs (135,235,236,237) */ /* static int isis_print_ip_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *ident) { printf ("%s%s subTLV #%u, length: %u", ident, tok2str(isis_ext_ip_reach_subtlv_values, "unknown", subt), subt, subl); switch(subt) { case SUBTLV_EXTD_IP_REACH_ADMIN_TAG32: while (subl >= 4) { printf (", 0x%08x (=%u)", EXTRACT_32BITS(tptr), EXTRACT_32BITS(tptr)); tptr += 4; subl -= 4; } break; case SUBTLV_EXTD_IP_REACH_ADMIN_TAG64: while (subl >= 8) { printf (", 0x%08x%08x", EXTRACT_32BITS(tptr), EXTRACT_32BITS(tptr+4)); tptr += 8; subl -= 8; } break; default: if (!print_unknown_data (tptr,"\n\t\t ", subl)) return (0); break; } return (1); trunctlv: printf ("%spacket exceeded snapshot", ident); return (0); } */ /* * this is the common IS-REACH subTLV decoder it is called * from isis_print_ext_is_reach() */ /* static int isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *ident) { int priority_level; union { float f; u_int32_t i; } bw; printf("%s%s subTLV #%u, length: %u", ident, tok2str(isis_ext_is_reach_subtlv_values, "unknown", subt), subt, subl); switch(subt) { case SUBTLV_EXT_IS_REACH_ADMIN_GROUP: case SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID: case SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID: if (subl >= 4) { printf(", 0x%08x", EXTRACT_32BITS(tptr)); if (subl == 8) printf(", 0x%08x", EXTRACT_32BITS(tptr+4)); } break; case SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR: case SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR: if (subl >= 4) printf(", %s", ipaddr_string(tptr)); break; case SUBTLV_EXT_IS_REACH_MAX_LINK_BW : case SUBTLV_EXT_IS_REACH_RESERVABLE_BW: if (subl >= 4) { bw.i = EXTRACT_32BITS(tptr); printf(", %.3f Mbps", bw.f*8/1000000 ); } break; case SUBTLV_EXT_IS_REACH_UNRESERVED_BW : if (subl >= 32) { for (priority_level = 0; priority_level < 8; priority_level++) { bw.i = EXTRACT_32BITS(tptr); printf("%s priority level %d: %.3f Mbps", ident, priority_level, bw.f*8/1000000 ); tptr += 4; } } break; case SUBTLV_EXT_IS_REACH_TE_METRIC: if (subl >= 3) printf(", %u", EXTRACT_24BITS(tptr)); break; case SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE: if (subl >= 2) { printf(", %s, Priority %u", bittok2str(gmpls_link_prot_values, "none", *tptr), *(tptr+1)); } break; case SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR: if (subl >= 36) { printf("%s Interface Switching Capability:%s", ident, tok2str(gmpls_switch_cap_values, "Unknown", *(tptr))); printf(", LSP Encoding: %s", tok2str(gmpls_encoding_values, "Unknown", *(tptr+1))); tptr+=4; printf("%s Max LSP Bandwidth:",ident); for (priority_level = 0; priority_level < 8; priority_level++) { bw.i = EXTRACT_32BITS(tptr); printf("%s priority level %d: %.3f Mbps", ident, priority_level, bw.f*8/1000000 ); tptr+=4; } subl-=36; if(subl>0){ if(!print_unknown_data(tptr,"\n\t\t ", subl-36)) return(0); } } break; default: if(!print_unknown_data(tptr,"\n\t\t ", subl)) return(0); break; } return(1); trunctlv: printf("%spacket exceeded snapshot",ident); return(0); } */ /* * this is the common IS-REACH decoder it is called * from various EXTD-IS REACH style TLVs (22,24,222) */ /* static int isis_print_ext_is_reach (const u_int8_t *tptr,const char *ident, int tlv_type) { char ident_buffer[20]; int subtlv_type,subtlv_len,subtlv_sum_len; int proc_bytes = 0; printf("%sIS Neighbor: %s", ident, isis_print_id(tptr, NODE_ID_LEN)); tptr+=(NODE_ID_LEN); if (tlv_type != TLV_IS_ALIAS_ID) { printf(", Metric: %d",EXTRACT_24BITS(tptr)); tptr += 3; } subtlv_sum_len = *(tptr++); proc_bytes = NODE_ID_LEN + 3 + 1; printf(", %ssub-TLVs present",subtlv_sum_len ? "" : "no "); if (subtlv_sum_len) { printf(" (%u)",subtlv_sum_len); while (subtlv_sum_len>0) { subtlv_type = *(tptr++); subtlv_len = *(tptr++); snprintf (ident_buffer, sizeof(ident_buffer), "%s ",ident); if (!isis_print_is_reach_subtlv(tptr,subtlv_type,subtlv_len,ident_buffer)) return (0); tptr += subtlv_len; subtlv_sum_len -= (subtlv_len+2); proc_bytes += (subtlv_len+2); } } return(proc_bytes); } */ /* * this is the common Multi Topology ID decoder * it is called from various MT-TLVs (222,229,235,237) */ /* static int isis_print_mtid (const u_int8_t *tptr,const char *ident) { printf("%s%s", ident, tok2str(isis_mt_values, "Reserved for IETF Consensus", ISIS_MASK_MTID(EXTRACT_16BITS(tptr)))); printf(" Topology (0x%03x), Flags: [%s]", ISIS_MASK_MTID(EXTRACT_16BITS(tptr)), bittok2str(isis_mt_flag_values, "none",ISIS_MASK_MTFLAGS(EXTRACT_16BITS(tptr)))); return(2); } */ /* * this is the common extended IP reach decoder * it is called from TLVs (135,235,236,237) * we process the TLV and optional subTLVs and return * the amount of processed bytes */ /* static int isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) { char ident_buffer[20]; u_int8_t prefix[16]; u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen; metric = EXTRACT_32BITS(tptr); processed=4; tptr+=4; if (afi == IPV4) { status_byte=*(tptr++); bit_length = status_byte&0x3f; processed++; #ifdef INET6 } else if (afi == IPV6) { status_byte=*(tptr++); bit_length=*(tptr++); processed+=2; #endif } else return (0); byte_length = (bit_length + 7) / 8; memset(prefix, 0, 16); memcpy(prefix,tptr,byte_length); tptr+=byte_length; processed+=byte_length; if (afi == IPV4) printf("%sIPv4 prefix: %15s/%u", ident, ipaddr_string(prefix), bit_length); #ifdef INET6 if (afi == IPV6) printf("%sIPv6 prefix: %s/%u", ident, ip6addr_string(prefix), bit_length); #endif printf(", Distribution: %s, Metric: %u", ISIS_MASK_TLV_EXTD_IP_UPDOWN(status_byte) ? "down" : "up", metric); if (afi == IPV4 && ISIS_MASK_TLV_EXTD_IP_SUBTLV(status_byte)) printf(", sub-TLVs present"); #ifdef INET6 if (afi == IPV6) printf(", %s%s", ISIS_MASK_TLV_EXTD_IP6_IE(status_byte) ? "External" : "Internal", ISIS_MASK_TLV_EXTD_IP6_SUBTLV(status_byte) ? ", sub-TLVs present" : ""); #endif if ((ISIS_MASK_TLV_EXTD_IP_SUBTLV(status_byte) && afi == IPV4) || (ISIS_MASK_TLV_EXTD_IP6_SUBTLV(status_byte) && afi == IPV6)) { sublen=*(tptr++); processed+=sublen+1; printf(" (%u)",sublen); while (sublen>0) { subtlvtype=*(tptr++); subtlvlen=*(tptr++); snprintf(ident_buffer, sizeof(ident_buffer), "%s ",ident); if(!isis_print_ip_reach_subtlv(tptr,subtlvtype,subtlvlen,ident_buffer)) return(0); tptr+=subtlvlen; sublen-=(subtlvlen+2); } } return (processed); } */ static int isis_cksum(const u_int16_t *tptr, u_int len) { int32_t c0 = 0, c1 = 0; len = (len + 1) / 2; while ((int)--len >= 0) { #if defined(_LITTLE_ENDIAN) c0 += htons(*tptr++); #else c0 += *tptr++; #endif c0 %= 0xffff; c1 += c0; c1 %= 0xffff; } return (c0 | c1); } /* * Verify the checksum. See 8473-1, Appendix C, section C.4. static int osi_cksum(const u_int8_t *tptr, u_int len) { int32_t c0 = 0, c1 = 0; while ((int)--len >= 0) { c0 += *tptr++; c0 %= 255; c1 += c0; c1 %= 255; } return (c0 | c1); } */ /* * Convert a 32-bit netmask to prefixlen if possible * the function returns the prefix-len; if plen == -1 * then conversion was not possible; */ int mask2plen (u_int32_t mask) { u_int32_t bitmasks[33] = { 0x00000000, 0x80000000, 0xc0000000, 0xe0000000, 0xf0000000, 0xf8000000, 0xfc000000, 0xfe000000, 0xff000000, 0xff800000, 0xffc00000, 0xffe00000, 0xfff00000, 0xfff80000, 0xfffc0000, 0xfffe0000, 0xffff0000, 0xffff8000, 0xffffc000, 0xffffe000, 0xfffff000, 0xfffff800, 0xfffffc00, 0xfffffe00, 0xffffff00, 0xffffff80, 0xffffffc0, 0xffffffe0, 0xfffffff0, 0xfffffff8, 0xfffffffc, 0xfffffffe, 0xffffffff }; int prefix_len = 32; /* let's see if we can transform the mask into a prefixlen */ while (prefix_len >= 0) { if (bitmasks[prefix_len] == mask) break; prefix_len--; } return (prefix_len); } /* * this is a generic routine for printing unknown data; * we pass on the linefeed plus indentation string to * get a proper output - returns 0 on error */ int print_unknown_data(const u_char *cp, const char *ident, int len) { printf ("%s\n", ident); ArgusPrintHex(cp, len); return(1); /* everything is ok */ } /* * Convert a token value to a string; use "fmt" if not found. */ const char * tok2str(const struct tok *lp, const char *fmt, int v) { static char buf[128]; while (lp->s != NULL) { if (lp->v == v) return (lp->s); ++lp; } if (fmt == NULL) fmt = "#%d"; (void)snprintf(buf, sizeof(buf), fmt, v); return (buf); } /* * Convert a bit token value to a string; use "fmt" if not found. * this is useful for parsing bitfields, the output strings are comma seperated */ char * bittok2str(const struct tok *lp, const char *fmt, int v) { static char buf[256]; /* our stringbuffer */ int buflen=0; register int rotbit; /* this is the bit we rotate through all bitpositions */ register int tokval; while (lp->s != NULL) { tokval=lp->v; /* load our first value */ rotbit=1; while (rotbit != 0) { /* * lets AND the rotating bit with our token value * and see if we have got a match */ if (tokval == (v&rotbit)) { /* ok we have found something */ buflen+=snprintf(buf+buflen, sizeof(buf)-buflen, "%s, ",lp->s); break; } rotbit=rotbit<<1; /* no match - lets shift and try again */ } lp++; } if (buflen != 0) { /* did we find anything */ /* yep, set the the trailing zero 2 bytes before to eliminate the last comma & whitespace */ buf[buflen-2] = '\0'; return (buf); } else { /* bummer - lets print the "unknown" message as advised in the fmt string if we got one */ if (fmt == NULL) fmt = "#%d"; (void)snprintf(buf, sizeof(buf), fmt, v); return (buf); } } argus-3.0.8.2/argus/ArgusLcp.c000444 000765 000024 00000006330 12513222401 016423 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusLcp.c#8 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusLcp #define ArgusLcp #endif #include #include #include #include struct ArgusSystemFlow * ArgusCreateLcpFlow (struct ArgusModelerStruct *model, struct lcp_hdr *lcp) { struct ArgusSystemFlow *retn = NULL; if (STRUCTCAPTURED(model, *lcp)) { struct ArgusLcpFlow *lcpFlow = &model->ArgusThisFlow->lcp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_LCP; retn->hdr.argus_dsrvl8.len = 5; lcpFlow->code = lcp->code; lcpFlow->id = lcp->id; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCreateLcpFlow(0x%x, 0x%x) returning 0x%x\n", model, lcp, retn); #endif return (retn); } void ArgusUpdateLCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateLCPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct lcp_hdr *lcp = (struct lcp_hdr *) model->ArgusThisUpHdr; struct ArgusLCPObject *lcpObj = &net->net_union.lcp; if (STRUCTCAPTURED(model, *lcp)) { #ifdef _LITTLE_ENDIAN #endif if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_LCP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusLCPObject)+3))/4 + 1; /* struct ArgusLCPObject { unsigned int status; unsigned int state, options; }; */ flowstr->dsrs[ARGUS_NETWORK_INDEX] = (void *) net; bzero ((char *)lcpObj, sizeof(*lcpObj)); flowstr->timeout = ARGUS_IPTIMEOUT; } else { } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateLCPState(0x%x, %d) returning\n", flowstr, *state); #endif } #include void ArgusLCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state); void ArgusLCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusLCPFlowRecord(0x%x, %d) returning\n", net, state); #endif } argus-3.0.8.2/argus/ArgusMac.c000444 000765 000024 00000003045 12513222401 016405 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Layer 2 processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusMac.c#15 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusMac) #define ArgusMac #endif #include #include #include #include #include #include void ArgusMacFlowRecord (struct ArgusFlowStruct *flowstr, struct ArgusRecord *argus, unsigned char state) { int length = 0; struct ArgusMacStruct *mac = (struct ArgusMacStruct *) flowstr->MacDSRBuffer; if (mac && ((length = argus->ahdr.length) > 0)) { bcopy ((char *)mac, &((char *)argus)[argus->ahdr.length], sizeof(*mac)); argus->ahdr.length += sizeof(*mac); } } argus-3.0.8.2/argus/ArgusModeler.c000644 000765 000024 00000527245 12723615350 017327 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusModeler.c#137 $ * $DateTime: 2016/04/05 12:00:14 $ * $Change: 3135 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusModeler) #define ArgusModeler #endif #include #include #include #include #include #include #include #include #include #include #include #include extern int ArgusShutDownFlag; extern struct ArgusHashTable *ArgusNewHashTable (size_t, int); extern int ArgusUpdateParentFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *); extern int ArgusControlPlaneProtocol (struct ArgusModelerStruct *, struct ArgusFlowStruct *); unsigned short ArgusProcessUdpHdr (struct ArgusModelerStruct *, struct ip *, int); unsigned short ArgusProcessTtpHdr (struct ArgusModelerStruct *, struct ip *, int); int ArgusProcessGreHdr (struct ArgusModelerStruct *, struct ip *, int); int ArgusProcessPPPHdr (struct ArgusModelerStruct *, char *, int); extern void ArgusTCPKeystroke (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); struct ArgusModelerStruct * ArgusCloneModeler(struct ArgusModelerStruct *src) { struct ArgusModelerStruct *retn; if ((retn = (struct ArgusModelerStruct *) ArgusCalloc (1, sizeof (struct ArgusModelerStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusCloneModeler () ArgusCalloc error %s\n", strerror(errno)); bcopy((char *)src, (char *)retn, sizeof(*src)); retn->ArgusSrc = NULL; retn->ArgusHashTable = NULL; retn->hstruct = NULL; retn->ArgusStatusQueue = NULL; retn->ArgusTimeOutQueues = NULL; retn->ArgusThisFlow = NULL; retn->ArgusOutputList = NULL; bzero (retn->ArgusTimeOutQueue, sizeof(retn->ArgusTimeOutQueue)); #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif return (retn); } struct ArgusModelerStruct * ArgusNewModeler() { struct ArgusModelerStruct *retn = NULL; if ((retn = (struct ArgusModelerStruct *) ArgusCalloc (1, sizeof (struct ArgusModelerStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusCalloc error %s\n", strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewModeler() returning %p\n", retn); #endif return (retn); } void *ArgusQueueManager(void *); void ArgusInitModeler(struct ArgusModelerStruct *model) { struct timeval *tvp = NULL; #if defined(ARGUS_HASH_DEBUG) int debug = ARGUSHASHTABLETRACK; #else int debug = 0; #endif bzero (model->ArgusTimeOutQueue, sizeof(model->ArgusTimeOutQueue)); model->ArgusInProtocol = 1; model->ArgusMajorVersion = VERSION_MAJOR; model->ArgusMinorVersion = VERSION_MINOR; model->ArgusSnapLen = ARGUS_MINSNAPLEN; model->ArgusUpdateInterval.tv_usec = 200000; model->ival = ((model->ArgusUpdateInterval.tv_sec * 1000000LL) + model->ArgusUpdateInterval.tv_usec); if ((model->ArgusHashTable = ArgusNewHashTable(ARGUS_HASHTABLESIZE, debug)) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusNewHashTable error %s\n", strerror(errno)); if ((model->hstruct = (struct ArgusHashStruct *) ArgusCalloc (1, sizeof (struct ArgusHashStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusCalloc error %s\n", strerror(errno)); if ((model->ArgusStatusQueue = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusNewQueue error %s\n", strerror(errno)); if ((model->ArgusTimeOutQueues = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusNewQueue error %s\n", strerror(errno)); /* align the ArgusThisFlow buffer */ if ((model->ArgusThisFlow = (struct ArgusSystemFlow *) ArgusCalloc (1, sizeof (struct ArgusSystemFlow) + 32)) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusCalloc error %s\n", strerror(errno)); model->ArgusOutputList = ArgusOutputTask->ArgusInputList; gettimeofday (&model->ArgusGlobalTime, 0L); ArgusModel->ArgusGlobalTime = model->ArgusGlobalTime; if ((model->ArgusThisLLC = (struct llc *) ArgusCalloc (1, sizeof (struct llc ) + 32)) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); model->ArgusSeqNum = 1; model->ArgusReportAllTime = 1; if (!(model->ArgusFlowKey)) model->ArgusFlowKey = ARGUS_FLOW_KEY_CLASSIC5TUPLE; if (!(model->ArgusFlowType)) { if (model->ArgusFlowKey == ARGUS_FLOW_KEY_CLASSIC5TUPLE) model->ArgusFlowType = ARGUS_BIDIRECTIONAL; else model->ArgusFlowType = ARGUS_UNIDIRECTIONAL; } model->ArgusQueueInterval.tv_usec = 50000; model->ArgusListenInterval.tv_usec = 250000; model->ArgusIPTimeout = (model->ArgusIPTimeout == 0) ? ARGUS_IPTIMEOUT : model->ArgusIPTimeout; model->ArgusTCPTimeout = (model->ArgusTCPTimeout == 0) ? ARGUS_TCPTIMEOUT : model->ArgusTCPTimeout; model->ArgusICMPTimeout = (model->ArgusICMPTimeout == 0) ? ARGUS_ICMPTIMEOUT : model->ArgusICMPTimeout; model->ArgusIGMPTimeout = (model->ArgusIGMPTimeout == 0) ? ARGUS_IGMPTIMEOUT : model->ArgusIGMPTimeout; model->ArgusFRAGTimeout = (model->ArgusFRAGTimeout == 0) ? ARGUS_FRAGTIMEOUT : model->ArgusFRAGTimeout; model->ArgusARPTimeout = (model->ArgusARPTimeout == 0) ? ARGUS_ARPTIMEOUT : model->ArgusARPTimeout; model->ArgusOtherTimeout = (model->ArgusOtherTimeout == 0) ? ARGUS_OTHERTIMEOUT : model->ArgusOtherTimeout; if ((tvp = getArgusFarReportInterval(model)) != NULL) model->ArgusStatusQueue->timeout = tvp->tv_sec; model->ArgusTCPflag = 1; model->ArgusThisDir = 0; ArgusInitMallocList(sizeof(struct ArgusRecordStruct)); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitModeler(%p) done\n", model); #endif } void ArgusCloseModeler(struct ArgusModelerStruct *model) { struct ArgusRecordStruct *argus = NULL; if (model) { ArgusModelerCleanUp (model); if (model->ArgusHashTable) { struct ArgusHashTable *htbl = model->ArgusHashTable; if (htbl->array) ArgusFree(htbl->array); ArgusFree(htbl); model->ArgusHashTable = NULL; } if (model->ArgusOutputList) { if ((argus = ArgusGenerateListRecord (model, NULL, ARGUS_STOP)) != NULL) { model->ArgusTotalSends++; ArgusPushBackList (model->ArgusOutputList, (struct ArgusListRecord *) argus, ARGUS_LOCK); #if defined(ARGUS_THREADS) pthread_mutex_lock(&model->ArgusOutputList->lock); pthread_cond_signal(&model->ArgusOutputList->cond); pthread_mutex_unlock(&model->ArgusOutputList->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCloseModeler(%p) pushing close record %p as rec %d\n", model, argus, ArgusGetListCount(model->ArgusOutputList)); #endif } else ArgusLog (LOG_ERR, "ArgusCloseModeler(%p) ArgusGenerateListRecord failed\n", model); } if (model->hstruct != NULL) { ArgusFree(model->hstruct); model->hstruct = NULL; } if (model->ArgusThisFlow != NULL) { ArgusFree(model->ArgusThisFlow); model->ArgusThisFlow = NULL; } if (model->ArgusStatusQueue != NULL) { ArgusDeleteQueue(model->ArgusStatusQueue); model->ArgusStatusQueue = NULL; } if (model->ArgusTimeOutQueues != NULL) { ArgusDeleteQueue(model->ArgusTimeOutQueues); model->ArgusTimeOutQueues = NULL; } if (model->ArgusThisLLC != NULL) { ArgusFree(model->ArgusThisLLC); model->ArgusThisLLC = NULL; } } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCloseModeler(%p) Total Sends %d\n", model, model->ArgusTotalSends); #endif } void ArgusProcessQueueTimeout (struct ArgusModelerStruct *, struct ArgusQueueStruct *); int ArgusQMTurns = 0; void * ArgusQueueManager(void *param) { struct ArgusModelerStruct *model = param; struct ArgusQueueStruct *queue = NULL; void *retn = NULL; /* * so there are two things to do. * 1. process the status queue. this is a FIFO * queue, and any object at the end of the queue * is printed and moved to the timeout queue. * (objects can be moved by the packet handler, * so locking is important here. * * 2. process the timeout queue. this queue we can * get to on a slower time scale, until resources * are getting used up. */ ArgusQMTurns++; if (model->ArgusStatusQueue != NULL) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); else return (retn); if ((model->ArgusTimeOutQueues != NULL) && (model->ArgusTimeOutQueues->count > 0)) { int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); ArgusProcessQueueTimeout (model, queue); ArgusAddToQueue (model->ArgusTimeOutQueues, &queue->qhdr, ARGUS_LOCK); } } #ifdef ARGUSDEBUG /* { struct timeval now, testime = {0,0}, update = {1,0}; gettimeofday(&now, 0L); if (testime.tv_sec == 0) { testime = now; } if ((now.tv_sec > testime.tv_sec) || ((now.tv_sec == testime.tv_sec) && (now.tv_usec >= testime.tv_usec)) ) { unsigned int qs = 0, count = 0, reclaim = 0; int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); qs++; count += queue->count; reclaim += queue->reclaim; ArgusAddToQueue (model->ArgusTimeOutQueues, &queue->qhdr, ARGUS_LOCK); } ArgusDebug (7, "ArgusQueueManager() turns %-4d statusQueue %-4d qs %-2d items %-4d cache %-6lld resort %-6d reclaim %-6d new %-6lld sends %-8lld bsends %-8lld\n", ArgusQMTurns, model->ArgusStatusQueue->count, qs, count, model->ArgusTotalCacheHits, model->ArgusStatusQueue->reclaim, reclaim, model->ArgusTotalNewFlows, model->ArgusTotalSends, model->ArgusTotalBadSends); testime.tv_sec += update.tv_sec; testime.tv_usec += update.tv_usec; if (testime.tv_usec > 1000000) { testime.tv_sec++; testime.tv_usec -= 1000000; } } } */ #endif return (retn); } void ArgusProcessQueueTimeout (struct ArgusModelerStruct *model, struct ArgusQueueStruct *queue) { struct ArgusFlowStruct *last = NULL; int done = 0, timedout = 0; queue->turns++; #if defined(ARGUS_THREADS) pthread_mutex_lock(&queue->lock); #endif while ((!done)) { if (queue->start != NULL) { if ((last = (struct ArgusFlowStruct *) queue->start->prv) != NULL) { if (queue == model->ArgusStatusQueue) { struct timeval nowbuf, *now; if (ArgusSourceTask->ArgusReadingOffLine) { now = &model->ArgusGlobalTime; } else { now = &nowbuf; gettimeofday(now, 0L); } if (ArgusCheckTimeout(model, &last->qhdr.qtime, getArgusFarReportInterval(model))) { struct ArgusFlowStruct *frag; timedout++; ArgusRemoveFromQueue(queue, &last->qhdr, ARGUS_NOLOCK); if ((frag = (struct ArgusFlowStruct *)last->frag.start) != NULL) { struct timeval timeout = {2,0}; do { struct ArgusFlowStruct *nxt = (struct ArgusFlowStruct *)frag->qhdr.nxt; ArgusUpdateParentFlow(model, frag); if (ArgusCheckTimeout(model, &frag->qhdr.qtime, &timeout)) ArgusDeleteObject(frag); frag = nxt; } while (last->frag.start && (frag != (struct ArgusFlowStruct *)last->frag.start)); } if (!(last->status & ARGUS_RECORD_WRITTEN)) { ArgusSendFlowRecord (model, last, last->status); } if (last->timeout > 0) { if (last->timeout > ARGUSTIMEOUTQS) last->timeout = ARGUSTIMEOUTQS; if (model->ArgusTimeOutQueue[last->timeout] == NULL) { model->ArgusTimeOutQueue[last->timeout] = ArgusNewQueue(); model->ArgusTimeOutQueue[last->timeout]->timeout = last->timeout; ArgusPushQueue(model->ArgusTimeOutQueues, &model->ArgusTimeOutQueue[last->timeout]->qhdr, ARGUS_LOCK); } ArgusPushQueue(model->ArgusTimeOutQueue[last->timeout], &last->qhdr, ARGUS_LOCK); } else ArgusDeleteObject(last); } else { #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusProcessQueueTimeout(%p, %p) done with %d records\n", model, queue, queue->count); #endif done++; } } else { struct timeval timeout = {0,0}; timeout.tv_sec = queue->timeout; if (ArgusCheckTimeout(model, &last->qhdr.qtime, &timeout)) { ArgusRemoveFromQueue(queue, &last->qhdr, ARGUS_NOLOCK); ArgusDeleteObject(last); timedout++; } else { done++; } } } else done++; } else done++; } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&queue->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessQueueTimeout(%p, %d) timedout %d remaining %d\n", model, queue->timeout, timedout, queue->count); #endif } void ArgusModelerStats(struct ArgusModelerStruct *); void ArgusModelerStats(struct ArgusModelerStruct *model) { } #include #if !defined(__OpenBSD__) #include #endif int ArgusProcessISLHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessNetbeuiHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessNetbiosHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessIsoclnsHdr (struct ArgusModelerStruct *, struct ether_header *, int); #define ARGUS_ISL_ETHERHDR_LEN 26 int ArgusProcessISLHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int type = (((unsigned char *)ep)[5] >> 4) & 0x0F; int retn = 0; #define ARGUS_ISLTYPE_ETHER 0x0 #define ARGUS_ISLTYPE_TR 0x0 #define ARGUS_ISLTYPE_FDDI 0x2 #define ARGUS_ISLTYPE_ATM 0x3 switch (type) { case ARGUS_ISLTYPE_ETHER: model->ArgusThisLength -= ARGUS_ISL_ETHERHDR_LEN; model->ArgusSnapLength -= ARGUS_ISL_ETHERHDR_LEN; model->ArgusThisUpHdr = ((unsigned char *)ep + ARGUS_ISL_ETHERHDR_LEN); model->ArgusThisEncaps |= ARGUS_ENCAPS_ISL; ep = (struct ether_header *) ((unsigned char *)ep + ARGUS_ISL_ETHERHDR_LEN); retn = ArgusProcessEtherHdr(model, ep, length - ARGUS_ISL_ETHERHDR_LEN); } return (retn); } int ArgusProcessNetbeuiHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; return (retn); } int ArgusProcessNetbiosHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; return (retn); } int ArgusProcessIsoclnsHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; unsigned char *ptr = (unsigned char *)ep; ptr += 3; switch (*ptr) { case ARGUS_CLNS: model->ArgusThisNetworkFlowType = ARGUS_CLNS; break; case ARGUS_ESIS: model->ArgusThisNetworkFlowType = ARGUS_ESIS; break; case ARGUS_ISIS: model->ArgusThisNetworkFlowType = ARGUS_ISIS; break; case 0: model->ArgusThisNetworkFlowType = ARGUS_NULLNS; break; default: model->ArgusThisNetworkFlowType = ARGUS_CLNS; break; } /* model->ArgusThisLength -= sizeof(struct llc); model->ArgusSnapLength -= sizeof(struct llc); model->ArgusThisUpHdr = (ptr + sizeof(struct llc)); */ model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; model->ArgusThisUpHdr = ptr; model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; return (retn); } #if !defined(IPV6_VERSION_MASK) #define IPV6_VERSION_MASK 0xF0 #define IPV6_VERSION 0x60 #endif unsigned short ArgusDiscoverNetworkProtocol (unsigned char *ptr) { unsigned short retn = ETHERTYPE_MPLS; /* test for IPv4, IPv6, and vlan tags */ if (ptr != NULL) { if ((((struct ip *)ptr)->ip_v == 4) && (((struct ip *)ptr)->ip_hl >= 5) && (ntohs(((struct ip *)ptr)->ip_len) >= 20)) { retn = ETHERTYPE_IP; } else { if (((((struct ip6_hdr *)ptr)->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) && (ntohs(((struct ip6_hdr *)ptr)->ip6_plen) <= 2048)) { retn = ETHERTYPE_IPV6; } else { switch (ntohs(*(unsigned short *)(ptr + 2))) { case ETHERTYPE_IP: case ETHERTYPE_IPV6: retn = ETHERTYPE_8021Q; break; default: retn = ARGUS_ETHER_HDR; } } } } return (retn); } void ArgusParseMPLSLabel (unsigned int value, unsigned int *label, unsigned char *exp, unsigned char *bos, unsigned char *ttl) { *label = value >> 12; *exp = (value >> 9) & 0x07; *bos = (value >> 8) & 0x01; *ttl = value & 0xFF; } /* ArgusProcessPacketHdrs - this routine should take in a pointer and a packet header type and process that header, returning the next layer type, or zero if the routine has found the IP layer. This is the entry point for handling packets from any of the source interface layers. */ int ArgusProcessPacketHdrs (struct ArgusModelerStruct *, char *, int, int); int ArgusProcessPPPoEHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessLLCHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcess80211Hdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessUDToEHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessErspanIIHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessPacketHdrs (struct ArgusModelerStruct *model, char *p, int length, int type) { int retn = 0; switch (type) { case ETHERTYPE_ERSPAN_II: model->ArgusThisNetworkFlowType = ETHERTYPE_ERSPAN_II; if ((retn = ArgusProcessErspanIIHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_TRANS_BRIDGE: case ARGUS_ETHER_HDR: model->ArgusThisNetworkFlowType = ARGUS_ETHER_HDR; if ((retn = ArgusProcessEtherHdr(model, (struct ether_header *)p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ARGUS_802_11_HDR: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcess80211Hdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_PPP: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessPPPHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_PPPOED: case ETHERTYPE_PPPOES: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessPPPoEHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_UDTOE: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessUDToEHdr (model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_8021Q: { model->ArgusThisNetworkFlowType = type; model->ArgusThisPacket8021QEncaps = ntohs(*(unsigned short *)(p)); model->ArgusThisEncaps |= ARGUS_ENCAPS_8021Q; retn = ntohs(*(unsigned short *)(p + 2)); if (retn <= ETHERMTU) { /* 802.3 Encapsulation */ if (p[0] == 0x01 && p[1] == 0x00 && p[2] == 0x0C && p[3] == 0x00 && p[4] == 0x00) { return (ArgusProcessISLHdr (model, (struct ether_header *)p, length)); } model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; p = (void *) model->ArgusThisUpHdr; if ((retn = ArgusProcessLLCHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } break; } case ETHERTYPE_MPLS_MULTI: case ETHERTYPE_MPLS: { unsigned char exp, bos = 0, ttl; unsigned int labelbuf, *label = &labelbuf; model->ArgusThisNetworkFlowType = type; while (!(bos)) { unsigned int tlabel = ntohl(*(unsigned int *)(model->ArgusThisUpHdr)); if (!(model->ArgusThisMplsLabelIndex)) { model->ArgusThisMplsLabel = tlabel; model->ArgusThisMplsLabelIndex++; } ArgusParseMPLSLabel (tlabel, label, &exp, &bos, &ttl); model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; model->ArgusThisEncaps |= ARGUS_ENCAPS_MPLS; retn = ArgusDiscoverNetworkProtocol(model->ArgusThisUpHdr); } break; } case ETHERTYPE_IP: { struct ip *ip = (struct ip *) p; if (STRUCTCAPTURED(model,*ip)) { if ((ntohs(ip->ip_len)) >= 20) { if (ip->ip_v == 4) model->ArgusThisNetworkFlowType = ETHERTYPE_IP; else if (ip->ip_v == 6) model->ArgusThisNetworkFlowType = ETHERTYPE_IPV6; model->ArgusThisIpHdr = (void *)ip; switch (ip->ip_p) { case IPPROTO_TTP: { /* Preparation for Juniper TTP */ retn = ArgusProcessTtpHdr(model, ip, length); break; } case IPPROTO_UDP: { /* RCP 4380 */ if (getArgusTunnelDiscovery(model)) retn = ArgusProcessUdpHdr(model, ip, length); break; } case IPPROTO_GRE: { /* RFC 2784 */ retn = ArgusProcessGreHdr(model, ip, length); break; } default: retn = 0; break; } } else break; } break; } case ETHERTYPE_IPV6: model->ArgusThisIpHdr = (void *)p; case ETHERTYPE_ARP: case ETHERTYPE_REVARP: { model->ArgusThisNetworkFlowType = type; retn = 0; break; } default: retn = -1; break; } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusProcessPacketHdrs(%p, %p, %d, %d) returning %d\n", model, p, length, type, retn); #endif return (retn); } struct teredoAuthHeader { unsigned char idlen, aulen; }; struct teredoOriginHdr { unsigned char idlen, aulen; }; #include struct teredo { unsigned short tid; struct teredoAuthHeader tauth; }; struct ttp_header { u_char type; u_char priority; u_char proto; u_char queue; u_int ifl_input; u_short len; u_short destmask; u_int nh_index; u_int hint; }; unsigned short ArgusProcessTtpHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0; int hlen = ip->ip_hl << 2; struct ttp_header *ttp = (struct ttp_header *) ((char *)ip + hlen); if (STRUCTCAPTURED(model, *ttp)) { ttp->ifl_input = ntohl(ttp->ifl_input); ttp->len = ntohs(ttp->len); ttp->destmask = ntohs(ttp->destmask); ttp->nh_index = ntohl(ttp->nh_index); ttp->hint = ntohl(ttp->hint); switch(ttp->type) { case 0x1: case 0x2: { int slen = (hlen + sizeof(*ttp)); length -= slen; model->ArgusThisUpHdr += slen; model->ArgusSnapLength -= slen; model->ArgusThisLength -= slen; retn = ArgusProcessPacketHdrs (model, (char *)(ttp + 1), length, ARGUS_ETHER_HDR); break; } case 0x3: case 0x4: { int slen = (hlen + sizeof(*ttp)); length -= slen; model->ArgusThisUpHdr += slen; model->ArgusSnapLength -= slen; model->ArgusThisLength -= slen; retn = ArgusProcessPacketHdrs (model, (char *)(ttp + 1), length, ETHERTYPE_IP); break; } case 0x0: default: break; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessTtpHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } unsigned short ArgusProcessUdpHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0; int len = 0, hlen = ip->ip_hl << 2; char *bp = ((char *)ip + hlen); struct udphdr *up = (struct udphdr *) bp; if (STRUCTCAPTURED(model, *up)) { unsigned short dport, sport; sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); if (!((sport == 53) || (dport == 53))) { char *ptr = (char *) (up + 1); struct ip6_hdr *ipv6 = (struct ip6_hdr *) ptr; int isipv6 = 0; len += sizeof (*up); if (STRUCTCAPTURED(model, *ipv6)) { if ((isipv6 = (ipv6->ip6_vfc & IPV6_VERSION_MASK)) == IPV6_VERSION) { retn = ETHERTYPE_IPV6; len = ((char *) ipv6 - (char *)ip); model->ArgusThisEncaps |= ARGUS_ENCAPS_TEREDO; model->ArgusThisUpHdr = (unsigned char *) ipv6; model->ArgusThisLength -= len; model->ArgusSnapLength -= len; } else { struct teredo *tptr = (struct teredo *) (up + 1); if (STRUCTCAPTURED(model, *tptr)) { u_short type = ntohs(tptr->tid); int offset = 0; switch (type) { case 0x0000: offset = 8; break; case 0x0001: offset = (4 + (tptr->tauth.idlen + tptr->tauth.aulen) + 8 + 1); break; default: isipv6 = -1; } if (isipv6 == 0) { ipv6 = (struct ip6_hdr *)(((u_char *)tptr) + offset); if (STRUCTCAPTURED(model, *ipv6)) { if ((isipv6 = (ipv6->ip6_vfc & IPV6_VERSION_MASK)) == IPV6_VERSION) { retn = ETHERTYPE_IPV6; len = ((char *) ipv6 - (char *)ip); model->ArgusThisEncaps |= ARGUS_ENCAPS_TEREDO; model->ArgusThisUpHdr = (unsigned char *) ipv6; model->ArgusThisLength -= len; model->ArgusSnapLength -= len; } else { struct teredo *iptr = (struct teredo *) ((char *)tptr + offset); if (STRUCTCAPTURED(model, *iptr)) { u_short type = ntohs(iptr->tid); int offset = 0; switch (type) { case 0x0000: offset = 8; break; case 0x0001: offset = (4 + (iptr->tauth.idlen + iptr->tauth.aulen) + 8 + 1); break; default: isipv6 = -1; } if (isipv6 == 0) { ipv6 = (struct ip6_hdr *)(((u_char *)iptr) + offset); if ((isipv6 = (ipv6->ip6_vfc & IPV6_VERSION_MASK)) == IPV6_VERSION) { retn = ETHERTYPE_IPV6; len = ((char *) ipv6 - (char *)ip); model->ArgusThisEncaps |= ARGUS_ENCAPS_TEREDO; model->ArgusThisUpHdr = (unsigned char *) ipv6; model->ArgusThisLength -= len; model->ArgusSnapLength -= len; } } } } } } } } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessUdpHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } #define GRE_VERS_MASK 0x0007 /* protocol version */ #define GRESRE_IP 0x0800 /* IP */ #define GRESRE_ASN 0xfffe /* ASN */ #define GRE_CP 0x8000 /* checksum present */ #define GRE_RP 0x4000 /* routing present */ #define GRE_KP 0x2000 /* key present */ #define GRE_SP 0x1000 /* sequence# present */ #define GRE_sP 0x0800 /* source routing */ #define GRE_RECRS 0x0700 /* recursion count */ #define GRE_AP 0x0080 /* acknowledgment# present */ int ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0, grelen = 4, hlen = ip->ip_hl << 2; char *bp = ((char *)ip + hlen); unsigned short flags; model->ArgusThisLength -= hlen; model->ArgusSnapLength -= hlen; length -= hlen; if (BYTESCAPTURED(model, *bp, 4)) { flags = EXTRACT_16BITS(bp); bp += sizeof(unsigned short); retn = EXTRACT_16BITS(bp); bp += sizeof(unsigned short); model->ArgusThisEncaps |= ARGUS_ENCAPS_GRE; switch(flags & GRE_VERS_MASK) { case 0: if ((flags & GRE_CP) | (flags & GRE_RP)) { grelen += 4; bp += 4; } if (flags & GRE_KP) { bp += 4; grelen -= 4; } if (flags & GRE_SP) { bp += 4; grelen += 4; } if (flags & GRE_RP) { for (;;) { u_int16_t af; u_int8_t srelen; if (BYTESCAPTURED(model, *bp, 4)) { af = EXTRACT_16BITS(bp); srelen = *(bp + 3); bp += 4; grelen -= 4; if (af == 0 && srelen == 0) break; bp += srelen; grelen += srelen; } else break; } } break; case 1: if (flags & GRE_KP) { bp += 4; grelen -= 4; } if (flags & GRE_SP) { bp += 4; grelen += 4; } if (flags & GRE_AP) { bp += 4; grelen += 4; } break; } model->ArgusThisUpHdr = (unsigned char *) bp; model->ArgusThisLength -= grelen; model->ArgusSnapLength -= grelen; length -= grelen; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } int ArgusProcessEtherHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int len = sizeof(struct ether_header); unsigned char *ptr; int retn = 0; length -= len; model->ArgusThisEpHdr = ep; model->ArgusThisUpHdr = (unsigned char *) (ep + 1); model->ArgusThisLength -= len; model->ArgusSnapLength -= len; model->ArgusThisIpHdr = NULL; model->ArgusThisEncaps |= ARGUS_ENCAPS_ETHER; retn = ntohs(ep->ether_type); if (retn <= ETHERMTU) { /* 802.3 Encapsulation */ struct llc *llc = NULL; unsigned short ether_type = 0; ptr = (unsigned char *) ep; if (ptr[0] == 0x01 && ptr[1] == 0x00 && ptr[2] == 0x0C && ptr[3] == 0x00 && ptr[4] == 0x00) { return (ArgusProcessISLHdr (model, ep, length)); } ptr = (unsigned char *) model->ArgusThisUpHdr; llc = (struct llc *) ptr; if (BYTESCAPTURED(model,*llc, 3) && ((llc = model->ArgusThisLLC) != NULL)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; bcopy((char *) ptr, (char *) llc, sizeof (struct llc)); #define ARGUS_IPX_TAG 100 if (llc->ssap == LLCSAP_GLOBAL && llc->dsap == LLCSAP_GLOBAL) { model->ArgusThisNetworkFlowType = ARGUS_IPX_TAG; return (retn); } if ((((u_char *)ep)[0] == 0xf0) && (((u_char *)ep)[1] == 0xf0)) return (ArgusProcessNetbeuiHdr (model, ep, length)); if ((llc->ssap == LLCSAP_ISONS) && (llc->dsap == LLCSAP_ISONS) && (llc->llcui == LLC_UI)) return(ArgusProcessIsoclnsHdr(model, (struct ether_header *)ptr, length)); if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) { if (llc->llcui == LLC_UI) { ((unsigned char *)ðer_type)[0] = ((unsigned char *)&llc->ethertype)[0]; ((unsigned char *)ðer_type)[1] = ((unsigned char *)&llc->ethertype)[1]; model->ArgusThisNetworkFlowType = ntohs(ether_type); retn = model->ArgusThisNetworkFlowType; model->ArgusThisLength -= sizeof(struct llc); model->ArgusSnapLength -= sizeof(struct llc); model->ArgusThisUpHdr = (ptr + sizeof(struct llc)); } } else { if ((llc->llcu & LLC_U_FMT) == LLC_U_FMT) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; if ((llc->llcu & ~LLC_U_POLL) == LLC_XID) { if (*model->ArgusThisUpHdr == LLC_XID_FI) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; } } } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessEtherHdr(%p, %d) returning 0x%x\n", ep, length, retn); #endif return (retn); } #include extern int ArgusExtract802_11HeaderLength(u_int16_t); int ArgusProcess80211Hdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0, hdrlen; u_int16_t fc; fc = EXTRACT_LE_16BITS(p); hdrlen = ArgusExtract802_11HeaderLength(fc); switch (FC_TYPE(fc)) { case T_MGMT: case T_CTRL: break; case T_DATA: { if (!(DATA_FRAME_IS_NULL(FC_SUBTYPE(fc)))) { if (model->ArgusSrc->ArgusThisRadioTap.flags & IEEE80211_RADIOTAP_F_DATAPAD) hdrlen = ((hdrlen + 3) / 4) * 4; if (FC_WEP(fc)) { } else { retn = ArgusProcessLLCHdr(model, p + hdrlen, length - hdrlen); } } break; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcess80211Hdr(%p, %p, %d) returning 0x%x\n", model, p, length, retn); #endif return(retn); } int ArgusProcessLLCHdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0; struct llc *llc = NULL; unsigned short ether_type = 0; unsigned char *ptr = (unsigned char *) p; /* ptr = (unsigned char *) model->ArgusThisUpHdr; */ llc = (struct llc *) ptr; if (BYTESCAPTURED(model,*llc,3)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; llc = model->ArgusThisLLC; bcopy((char *) ptr, (char *) llc, sizeof (struct llc)); #define ARGUS_IPX_TAG 100 if (llc->ssap == LLCSAP_GLOBAL && llc->dsap == LLCSAP_GLOBAL) { model->ArgusThisNetworkFlowType = ARGUS_IPX_TAG; return (retn); } if ((((u_char *)p)[0] == 0xf0) && (((u_char *)p)[1] == 0xf0)) return (ArgusProcessNetbeuiHdr (model, (struct ether_header *)p, length)); if ((llc->ssap == LLCSAP_ISONS) && (llc->dsap == LLCSAP_ISONS) && (llc->llcui == LLC_UI)) return(ArgusProcessIsoclnsHdr(model, (struct ether_header *)ptr, length)); if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) { if (llc->llcui == LLC_UI) { ((unsigned char *)ðer_type)[0] = ((unsigned char *)&llc->ethertype)[0]; ((unsigned char *)ðer_type)[1] = ((unsigned char *)&llc->ethertype)[1]; retn = ntohs(ether_type); model->ArgusThisLength -= sizeof(struct llc); model->ArgusSnapLength -= sizeof(struct llc); model->ArgusThisUpHdr = (ptr + sizeof(struct llc)); } } else { if ((llc->llcu & LLC_U_FMT) == LLC_U_FMT) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; if ((llc->llcu & ~LLC_U_POLL) == LLC_XID) { if (*model->ArgusThisUpHdr == LLC_XID_FI) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; } } } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessLLCHdr(%p, %p, %d) returning 0x%x\n", model, p, length, retn); #endif return(retn); } int ArgusProcessPPPHdr (struct ArgusModelerStruct *model, char *p, int length) { u_int proto = 0; int retn = 0, hdr_len = 0; if (length >= PPP_HDRLEN) { model->ArgusThisEncaps |= ARGUS_ENCAPS_PPP; switch (EXTRACT_16BITS(p)) { case (PPP_WITHDIRECTION_IN << 8 | PPP_CONTROL): p += 2; length -= 2; hdr_len += 2; break; case (PPP_WITHDIRECTION_OUT << 8 | PPP_CONTROL): p += 2; length -= 2; hdr_len += 2; break; case (PPP_ADDRESS << 8 | PPP_CONTROL): p += 2; /* ACFC not used */ length -= 2; hdr_len += 2; break; default: break; } if (*p % 2) { proto = *p; p++; length--; hdr_len++; } else { proto = EXTRACT_16BITS(p); p += 2; /* ACFC not used */ length -= 2; hdr_len += 2; } switch (proto) { case PPP_IP: model->ArgusThisNetworkFlowType = PPP_IP; retn = ETHERTYPE_IP; break; case PPP_IPV6: model->ArgusThisNetworkFlowType = PPP_IPV6; retn = ETHERTYPE_IPV6; break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_MPLS_UCAST: case PPP_MPLS_MCAST: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: break; case PPP_LCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: break; } model->ArgusThisUpHdr += hdr_len; model->ArgusThisLength -= hdr_len; model->ArgusSnapLength -= hdr_len; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPPPHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } #define PPPOE_HDRLEN 6 int ArgusProcessPPPoEHdr (struct ArgusModelerStruct *model, char *p, int length) { const u_char *pload = (u_char *)p + PPPOE_HDRLEN; int retn = 0, hdr_len = PPPOE_HDRLEN; u_int proto; model->ArgusThisEncaps |= ARGUS_ENCAPS_ETHER | ARGUS_ENCAPS_PPP; if (!p[1]) { switch(EXTRACT_16BITS(p)) { case (PPP_WITHDIRECTION_IN << 8 | PPP_CONTROL): pload += 2; hdr_len += 2; break; case (PPP_WITHDIRECTION_OUT << 8 | PPP_CONTROL): pload += 2; hdr_len += 2; break; case (PPP_ADDRESS << 8 | PPP_CONTROL): pload += 2; /* ACFC not used */ hdr_len += 2; break; default: break; } if (*pload % 2) { proto = *pload; /* PFC is used */ pload++; hdr_len++; } else { proto = EXTRACT_16BITS(pload); pload += 2; hdr_len += 2; } switch (proto) { case PPP_IP: model->ArgusThisNetworkFlowType = PPP_IP; retn = ETHERTYPE_IP; break; case PPP_IPV6: model->ArgusThisNetworkFlowType = PPP_IPV6; retn = ETHERTYPE_IPV6; break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_MPLS_UCAST: case PPP_MPLS_MCAST: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: case PPP_LCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: break; } model->ArgusThisUpHdr += hdr_len; model->ArgusThisLength -= hdr_len; model->ArgusSnapLength -= hdr_len; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPPPoEHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } #define UDT2_DATA_PACKET 0x00 #define UDT2_CONTROL_PACKET 0x80 #define UDT2_PACKET_MASK 0x80 #define UDT2_HANDSHAKE 0x00 #define UDT2_KEEPALIVE 0x01 #define UDT2_ACK 0x02 #define UDT2_NACK 0x03 #define UDT2_ACK2 0x06 int ArgusProcessUDToEHdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0; p += 2; // add 2 byte pad model->ArgusThisEncaps |= ARGUS_ENCAPS_UDT; model->ArgusThisUpHdr += 2; model->ArgusThisLength -= 2; model->ArgusSnapLength -= 2; #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessUDToEHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } int ArgusProcessErspanIIHdr(struct ArgusModelerStruct *model, char *p, int length) { int retn = 0; struct erspan_ii_header *erspan; if ((erspan = (struct erspan_ii_header *) p) != NULL) { if (length <= sizeof (struct erspan_ii_header)) return retn; if ( ERSPAN_VER(erspan) != 0x1) return retn; model->ArgusThisEncaps |= ARGUS_ENCAPS_ERSPAN_II; model->ArgusThisUpHdr = (unsigned char *)p + sizeof(struct erspan_ii_header); model->ArgusThisLength -= sizeof(struct erspan_ii_header); model->ArgusSnapLength -= sizeof(struct erspan_ii_header); retn = ARGUS_ETHER_HDR; } return retn; } int ArgusProcessLcpPacket (struct ArgusSourceStruct *, struct lcp_hdr *, int, struct timeval *); int ArgusProcessLcpPacket (struct ArgusSourceStruct *src, struct lcp_hdr *lcp, int length, struct timeval *tvp) { struct ArgusModelerStruct *model = src->ArgusModel; struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow; int retn = 0, status = 0; model->ArgusTotalPacket++; model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(lcp)) ArgusModelerCleanUp (model); else { if ((tflow = ArgusCreateLcpFlow(model, lcp)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) == NULL) { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) { if (getArgusControlMonitor(model)) flow->userlen = ARGUS_MAXSNAPLEN; status = ARGUS_START; } } else status = ARGUS_STATUS; if (flow != NULL) { switch (lcp->code) { case PPP_LCP_CONF_REQ: break; case PPP_LCP_CONF_ACK: break; case PPP_LCP_CONF_NACK: break; case PPP_LCP_CONF_REJ: break; case PPP_LCP_TERM_REQ: break; case PPP_LCP_TERM_ACK: break; case PPP_LCP_CODE_REJ: break; case PPP_LCP_PROTO_REJ: break; case PPP_LCP_ECHO_REQ: break; case PPP_LCP_ECHO_REPLY: break; case PPP_LCP_DISCARD: break; } ArgusUpdateFlow (model, flow, status, 1); } } } if (ArgusUpdateTime (model)) { ArgusQueueManager(model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } if (ArgusShutDownFlag) ArgusShutDown(0); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessLcpPacket(%p, %p, %d, %p) returning %d\n", model, lcp, length, tvp, retn); #endif return (retn); } int ArgusProcessPacket (struct ArgusSourceStruct *, char *, int, struct timeval *, int); int ArgusProcessPacket (struct ArgusSourceStruct *src, char *p, int length, struct timeval *tvp, int type) { struct ArgusModelerStruct *model = src->ArgusModel; struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; char *ptr = p; float value; int retn = 0; model->ArgusTotalPacket++; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->ArgusThisInterface = src->ArgusThisIndex; model->ArgusThisStats = NULL; model->ArgusThisEpHdr = NULL; model->ArgusThisIpHdr = NULL; model->ArgusThisMplsLabelIndex = 0; model->ArgusThisNetworkFlowType = 0; model->ArgusInProtocol = 1; if ((value = getArgusRealTime (model->ArgusSrc)) > 0) { long long tdiff, rtdiff; int tvalue; gettimeofday(&model->ArgusNowTime, 0L); /* #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusProcessPacket: now %d.%06d global %d.%06d \n", model->ArgusNowTime.tv_sec, model->ArgusNowTime.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec); #endif */ if (model->ArgusLastPacketTimer.tv_sec) { tdiff = ArgusTimeDiff (tvp, &model->ArgusLastPacketTimer); rtdiff = ArgusTimeDiff (&model->ArgusNowTime, &model->ArgusAdjustedTimer); tvalue = (int)(rtdiff * value); if (tvalue > 0) { struct timespec tsbuf, *ts = &tsbuf; if (tvalue < 100000) { ts->tv_sec = 0; ts->tv_nsec = tvalue * 1000; } else { ts->tv_sec = 0; ts->tv_nsec = 100000000; } nanosleep (ts, NULL); while (((tdiff - tvalue) > 0) && !(ArgusShutDownFlag)) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPacket: stalling tdiff %lld rtdiff %lld tvalue %d\n", tdiff, rtdiff, tvalue); #endif model->ArgusGlobalTime = model->ArgusLastPacketTimer; model->ArgusGlobalTime.tv_sec += (tvalue / 1000000); model->ArgusGlobalTime.tv_usec += (tvalue % 1000000); while (model->ArgusGlobalTime.tv_usec > 1000000) { model->ArgusGlobalTime.tv_sec++; model->ArgusGlobalTime.tv_usec -= 1000000; } if (ArgusUpdateTime (model)) { ArgusQueueManager(model); ArgusModelerStats(model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } gettimeofday(&model->ArgusNowTime, 0L); rtdiff = ArgusTimeDiff (&model->ArgusNowTime, &model->ArgusAdjustedTimer); tvalue = (long long)(rtdiff * value); } } } model->ArgusGlobalTime = *tvp; model->ArgusLastPacketTimer = *tvp; model->ArgusAdjustedTimer = model->ArgusNowTime; } if (!(length) && !(tvp) && !(p) && !(ArgusShutDownFlag)) ArgusModelerCleanUp (model); else { model->ArgusThisUpHdr = (unsigned char *)p; model->ArgusThisBytes = length; while (type > 0) if ((type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type)) >= 0) ptr = (char *)model->ArgusThisUpHdr; if (model->ArgusThisEpHdr) ptr = (char *)model->ArgusThisEpHdr; if ((tflow = ArgusCreateFlow(model, ptr, length)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if (queue == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, getArgusFarReportInterval(model))) { ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (!(tflow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } if (ArgusShutDownFlag) ArgusShutDown(0); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPacket(%p, %p, %d, %p, %d) returning %d\n", model, p, length, tvp, type, retn); #endif return (retn); } int ArgusProcessIpPacket (struct ArgusModelerStruct *model, struct ip *ip, int length, struct timeval *tvp) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; char *ptr = (char *)ip; int retn = 0, pass = 0, type = ETHERTYPE_IP; model->ArgusTotalPacket++; while (type > 0) if ((type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type)) >= 0) ptr = (char *)model->ArgusThisUpHdr; ip = model->ArgusThisIpHdr; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(ip)) ArgusModelerCleanUp (model); else { if (ip->ip_v == 4) { model->ArgusThisNetworkFlowType = ETHERTYPE_IP; pass = STRUCTCAPTURED(model,*ip); } else { struct ip6_hdr *ipv6 = (struct ip6_hdr *) ip; model->ArgusThisNetworkFlowType = ETHERTYPE_IPV6; pass = STRUCTCAPTURED(model,*ipv6); } /* model->ArgusThisIpHdr = (unsigned char *)ip; model->ArgusThisUpHdr = (unsigned char *)ip; */ model->ArgusThisBytes = length; if (pass) { if ((tflow = ArgusCreateFlow(model, ip, length)) != NULL) { ArgusCreateFlowKey (model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if ((queue = flow->qhdr.queue) == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, getArgusFarReportInterval(model))) { if (flow != (struct ArgusFlowStruct *) queue->start->prv) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); // if this record is timed out, all entries in status queue need to be timed out if (!(flow->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord (model, flow, flow->status); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (queue) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } if (ArgusShutDownFlag) ArgusShutDown(0); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessIpPacket(%p, %d, %p) returning %d\n", ip, length, tvp, retn); #endif return (retn); } int ArgusProcessEtherPacket (struct ArgusModelerStruct *model, struct ether_header *ep, int length, struct timeval *tvp) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; int retn = 0, type; char *ptr = (char *)ep; model->ArgusTotalPacket++; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(ep)) ArgusModelerCleanUp (model); else { if (STRUCTCAPTURED(model,*ep)) { type = ARGUS_ETHER_HDR; model->ArgusThisBytes = length; while (type) { type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type); ptr = (char *)model->ArgusThisUpHdr; } if ((tflow = ArgusCreateFlow(model, model->ArgusThisEpHdr, length)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if ((queue = flow->qhdr.queue) == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, getArgusFarReportInterval(model))) { if (flow != (struct ArgusFlowStruct *) queue->start->prv) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); // if this record is not last, other entries in status queue need to be timed out if (!(flow->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord (model, flow, flow->status); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (queue) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } if (ArgusShutDownFlag) ArgusShutDown(0); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessEtherPacket(%p, %d, %p) returning %d\n", ep, length, tvp, retn); #endif return (retn); } void * ArgusCreateFlow (struct ArgusModelerStruct *model, void *ptr, int length) { void *retn = model->ArgusThisFlow; struct ether_header *ep = ptr; unsigned int keys = model->ArgusFlowKey; unsigned int index = 0; int i; model->state &= ~ARGUS_DIRECTION; memset (model->ArgusThisFlow, 0, sizeof(*model->ArgusThisFlow)); for (i = 0; (keys && (i < ARGUS_FLOW_KEYS)); i++) { index = 0x01 << i; if (keys & index) { switch (index) { case ARGUS_FLOW_KEY_CLASSIC5TUPLE: case ARGUS_FLOW_KEY_LAYER_3_MATRIX: switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { retn = ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisIpHdr); return (retn); } case ETHERTYPE_IPV6: { retn = ArgusCreateIPv6Flow (model, (struct ip6_hdr *)model->ArgusThisIpHdr); return (retn); } case ETHERTYPE_ARP: case ETHERTYPE_REVARP: { model->ArgusThisLength = length; retn = ArgusCreateArpFlow (model, ep); return (retn); } case ARGUS_802_11_HDR: { model->ArgusThisLength = length; retn = ArgusCreate80211Flow (model, ptr); return (retn); } case ARGUS_ISIS: retn = ArgusCreateIsisFlow (model, (struct isis_common_header *) model->ArgusThisUpHdr); return (retn); case ETHERTYPE_UDTOE: retn = ArgusCreateUDTFlow (model, (struct udt_header *) model->ArgusThisUpHdr); return (retn); } if (model->ArgusThisIpHdr) { model->ArgusThisNetworkFlowType &= 0xFFFF0000; model->ArgusThisNetworkFlowType |= ETHERTYPE_IP; retn = ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisIpHdr); break; } /* drop through to here if above protocols didn't do it */ case ARGUS_FLOW_KEY_LAYER_2_MATRIX: if (ep != NULL) { int dstgteq = 1, i; model->ArgusThisLength = length; model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ETHER; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; #if !defined(ETH_ALEN) #define ETH_ALEN 6 #endif if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) { if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } } } if (dstgteq) { bcopy ((char *) ep, (char *)&model->ArgusThisFlow->mac_flow.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_shost, ETH_ALEN); } model->ArgusThisFlow->mac_flow.ehdr.ether_type = ntohs(ep->ether_type); if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { model->ArgusThisFlow->mac_flow.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_CLNS: case ARGUS_ESIS: case ARGUS_NULLNS: break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->ssap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->dsap; } else { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->dsap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->ssap; } } else { model->ArgusThisFlow->mac_flow.ssap = 0; model->ArgusThisFlow->mac_flow.dsap = 0; } } break; case ARGUS_FLOW_KEY_LOCAL_MPLS: case ARGUS_FLOW_KEY_COMPLETE_MPLS: break; case ARGUS_FLOW_KEY_VLAN: break; } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateFlow() returning %p\n", retn); #endif return (retn); } int ArgusGenerateStartRecords = 0; struct ArgusFlowStruct * ArgusNewFlow (struct ArgusModelerStruct *model, struct ArgusSystemFlow *flow, struct ArgusHashStruct *hstruct, struct ArgusQueueStruct *queue) { struct ArgusFlowStruct *retn = NULL; int timeout = ARGUS_OTHERTIMEOUT, userlen = 0; int len = flow->hdr.argus_dsrvl8.len; if (len > 0) { model->ArgusTotalNewFlows++; userlen = getArgusUserDataLen(model); if ((retn = (struct ArgusFlowStruct *) ArgusCalloc (1, sizeof(*retn))) != NULL) { int value; retn->status = ARGUS_START; retn->state = model->state & ARGUS_DIRECTION; retn->trans = model->ArgusTransactionNum++; retn->userlen = userlen; retn->srcint = -1; retn->dstint = -1; if (queue != NULL) { retn->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; retn->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } retn->dsrs[ARGUS_FLOW_INDEX] = (struct ArgusDSRHeader *) &retn->canon.flow.hdr; retn->canon.flow.hdr = flow->hdr; bcopy ((char *)&flow->flow_un, (char *)&retn->canon.flow.flow_un, (flow->hdr.argus_dsrvl8.len - 1) * 4); retn->dsrindex |= 1 << ARGUS_FLOW_INDEX; if (retn->state & ARGUS_DIRECTION) retn->dsrs[ARGUS_FLOW_INDEX]->subtype |= ARGUS_REVERSE; if (hstruct != NULL) { if ((retn->htblhdr = ArgusAddHashEntry (model->ArgusHashTable, retn, hstruct)) != NULL) { if (queue != NULL) ArgusPushQueue(queue, &retn->qhdr, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "ArgusNewFlow() ArgusAddHashEntry error %s.\n", strerror(errno)); } if ((value = getArgusKeystroke(model)) > 0) { if (value & ARGUS_SSH_KEYSTROKE) retn->status |= ARGUS_SSH_MONITOR; retn->skey.prev_pno = 0 - model->ArgusKeyStroke.gpc_max; } } else ArgusLog (LOG_WARNING, "ArgusNewFlow() ArgusMalloc error %s.\n", strerror(errno)); switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: timeout = model->ArgusIPTimeout; model->ArgusTotalIPFlows++; if (ArgusControlPlaneProtocol(model, retn)) retn->userlen = ARGUS_MAXSNAPLEN; break; case ETHERTYPE_ARP: case ETHERTYPE_REVARP: timeout = model->ArgusARPTimeout; model->ArgusTotalNonIPFlows++; if (getArgusControlMonitor(model)) retn->userlen = ARGUS_MAXSNAPLEN; break; case ARGUS_ISIS: timeout = ARGUS_OTHERTIMEOUT; model->ArgusTotalNonIPFlows++; if (getArgusControlMonitor(model)) retn->userlen = ARGUS_MAXSNAPLEN; break; default: model->ArgusTotalNonIPFlows++; timeout = ARGUS_OTHERTIMEOUT; break; } retn->timeout = timeout; } else ArgusLog (LOG_WARNING, "ArgusNewFlow() flow key is not correct len equals zero\n"); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusNewFlow() returning %p\n", retn); #endif return (retn); } extern void ArgusZeroRecord(struct ArgusFlowStruct *); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusTransportStruct *trans; struct ArgusTimeStruct *dtime, *otime = NULL; struct ArgusEncapsStruct *encaps; struct ArgusMetricStruct *metric; struct ArgusNetworkStruct *net; struct ArgusMplsStruct *mpls; struct ArgusVlanStruct *vlan; struct ArgusTimeObject *time; struct ArgusJitterStruct *jitter; model->ArgusTotalUpdates++; if (flow->status & ARGUS_RECORD_WRITTEN) ArgusZeroRecord(flow); model->ArgusThisDir = ((flow->state & ARGUS_DIRECTION) == (model->state & ARGUS_DIRECTION)); if ((trans = (struct ArgusTransportStruct *) flow->dsrs[ARGUS_TRANSPORT_INDEX]) == NULL) { struct ArgusDeviceStruct *device = model->ArgusSrc->ArgusInterface[model->ArgusSrc->ArgusThisIndex].ArgusDevice; flow->dsrs[ARGUS_TRANSPORT_INDEX] = &flow->canon.trans.hdr; trans = (struct ArgusTransportStruct *) flow->dsrs[ARGUS_TRANSPORT_INDEX]; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.value = device->ArgusID.a_un.value; trans->hdr.argus_dsrvl8.qual = device->idtype; flow->dsrindex |= 0x01 << ARGUS_TRANSPORT_INDEX; } if (model->ArgusThisDir) { if (flow->srcint >= 0) { if (flow->srcint != model->ArgusThisInterface) { flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_SRC_INT_CHANGED; } } else flow->srcint = model->ArgusThisInterface; } else { if (flow->dstint >= 0) { if (flow->dstint != model->ArgusThisInterface) { flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_DST_INT_CHANGED; } } else flow->dstint = model->ArgusThisInterface; } if ((encaps = (struct ArgusEncapsStruct *) flow->dsrs[ARGUS_ENCAPS_INDEX]) == NULL) { flow->dsrs[ARGUS_ENCAPS_INDEX] = (struct ArgusDSRHeader *) &flow->canon.encaps.hdr; encaps = (struct ArgusEncapsStruct *) flow->dsrs[ARGUS_ENCAPS_INDEX]; memset(encaps, 0, sizeof(*encaps)); encaps->hdr.type = ARGUS_ENCAPS_DSR; encaps->hdr.argus_dsrvl8.len = 3; flow->dsrindex |= 0x01 << ARGUS_ENCAPS_INDEX; if (model->ArgusThisDir) encaps->src = model->ArgusThisEncaps; else encaps->dst = model->ArgusThisEncaps; } else { if (model->ArgusThisDir) { if (flow->canon.encaps.src != model->ArgusThisEncaps) { if (flow->canon.encaps.src) flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_SRC_CHANGED; flow->canon.encaps.src |= model->ArgusThisEncaps; } } else { if (flow->canon.encaps.dst != model->ArgusThisEncaps) { if (flow->canon.encaps.dst) flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_DST_CHANGED; flow->canon.encaps.dst |= model->ArgusThisEncaps; } } } if ((metric = (struct ArgusMetricStruct *) flow->dsrs[ARGUS_METRIC_INDEX]) == NULL) { metric = (struct ArgusMetricStruct *)&flow->canon.metric.hdr; memset(metric, 0, sizeof(*metric)); flow->dsrs[ARGUS_METRIC_INDEX] = (struct ArgusDSRHeader *) metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.argus_dsrvl8.len = (sizeof(struct ArgusMetricStruct) + 3) / 4; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; } if ((time = (struct ArgusTimeObject *) flow->dsrs[ARGUS_TIME_INDEX]) == NULL) { time = &flow->canon.time; memset(time, 0, sizeof(*time)); flow->dsrs[ARGUS_TIME_INDEX] = (struct ArgusDSRHeader *) time; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 3; if (model->ArgusThisDir) { dtime = &time->src; otime = &time->dst; } else { dtime = &time->dst; otime = &time->src; } dtime->start.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->start.tv_usec = model->ArgusGlobalTime.tv_usec; } else { if (model->ArgusThisDir) { dtime = &time->src; otime = &time->dst; } else { dtime = &time->dst; otime = &time->src; } if (dtime->start.tv_sec == 0) { dtime->start.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->start.tv_usec = model->ArgusGlobalTime.tv_usec; if (otime->start.tv_sec) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; } } else { dtime->end.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->end.tv_usec = model->ArgusGlobalTime.tv_usec; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; } } flow->dsrindex |= 1 << ARGUS_TIME_INDEX; if (getArgusmflag (model)) { struct ArgusMacStruct *mac; if ((mac = (struct ArgusMacStruct *) flow->dsrs[ARGUS_MAC_INDEX]) == NULL) { if (model->ArgusThisEpHdr != NULL) { mac = (struct ArgusMacStruct *) &flow->canon.mac.hdr; memset(mac, 0, sizeof(*mac)); flow->dsrs[ARGUS_MAC_INDEX] = &mac->hdr; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.qual = 0; mac->hdr.argus_dsrvl8.len = 5; if (model->ArgusThisDir) { bcopy ((char *)model->ArgusThisEpHdr, (char *)&mac->mac.mac_union.ether, sizeof(struct ether_header)); } else { bcopy ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)); bcopy ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_header)); } mac->mac.mac_union.ether.ehdr.ether_type = ntohs(model->ArgusThisEpHdr->ether_type); flow->dsrindex |= 1 << ARGUS_MAC_INDEX; } } else { if (model->ArgusThisDir) { if (bcmp ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)) || bcmp ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_addr)) || mac->mac.mac_union.ether.ehdr.ether_type != ntohs(model->ArgusThisEpHdr->ether_type)) mac->hdr.argus_dsrvl8.qual |= ARGUS_SRC_MULTIPATH; } else { if (bcmp ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)) || bcmp ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_addr)) || mac->mac.mac_union.ether.ehdr.ether_type != ntohs(model->ArgusThisEpHdr->ether_type)) mac->hdr.argus_dsrvl8.qual |= ARGUS_DST_MULTIPATH; } } } if ((net = (struct ArgusNetworkStruct *) flow->dsrs[ARGUS_NETWORK_INDEX]) == NULL) { net = (struct ArgusNetworkStruct *) &flow->canon.net; memset(net, 0, sizeof(*net)); flow->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; if ((state == ARGUS_START) && (model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; } else { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_MPLS) { int test = 0, value; if ((mpls = (struct ArgusMplsStruct *) flow->dsrs[ARGUS_MPLS_INDEX]) == NULL) { mpls = (struct ArgusMplsStruct *) &flow->canon.mpls; memset(mpls, 0, sizeof(*mpls)); flow->dsrs[ARGUS_MPLS_INDEX] = (struct ArgusDSRHeader *) mpls; mpls->hdr.type = ARGUS_MPLS_DSR; mpls->hdr.subtype = 0; mpls->hdr.argus_dsrvl8.qual = 0; mpls->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_MPLS_INDEX; } else test++; if (model->ArgusThisDir) { value = mpls->hdr.argus_dsrvl8.qual & 0x0F; mpls->hdr.argus_dsrvl8.qual = ((model->ArgusThisMplsLabelIndex & 0x0F) << 4) | value; mpls->slabel = model->ArgusThisMplsLabel; } else { value = mpls->hdr.argus_dsrvl8.qual & 0xF0; mpls->hdr.argus_dsrvl8.qual = (model->ArgusThisMplsLabelIndex & 0x0F) | value; mpls->dlabel = model->ArgusThisMplsLabel; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_8021Q) { if ((vlan = (struct ArgusVlanStruct *) flow->dsrs[ARGUS_VLAN_INDEX]) == NULL) { vlan = (struct ArgusVlanStruct *) &flow->canon.vlan; memset(vlan, 0, sizeof(*vlan)); flow->dsrs[ARGUS_VLAN_INDEX] = (struct ArgusDSRHeader *) vlan; vlan->hdr.type = ARGUS_VLAN_DSR; vlan->hdr.subtype = 0; vlan->hdr.argus_dsrvl8.qual = 0; vlan->hdr.argus_dsrvl8.len = 2; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; } if (model->ArgusThisDir) { vlan->sid = model->ArgusThisPacket8021QEncaps; vlan->hdr.argus_dsrvl8.qual |= ARGUS_SRC_VLAN; } else { vlan->did = model->ArgusThisPacket8021QEncaps; vlan->hdr.argus_dsrvl8.qual |= ARGUS_DST_VLAN; } } if (model->ArgusGenerateTime) { if ((jitter = (struct ArgusJitterStruct *) flow->dsrs[ARGUS_JITTER_INDEX]) == NULL) { jitter = (struct ArgusJitterStruct *) &flow->canon.jitter; memset(jitter, 0, sizeof(*jitter)); flow->dsrs[ARGUS_JITTER_INDEX] = (struct ArgusDSRHeader *) jitter; jitter->hdr.type = ARGUS_JITTER_DSR; jitter->hdr.subtype = 0; jitter->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_JITTER_INDEX; bzero((char *)&jitter->act, sizeof(struct ArgusJitterObject)); bzero((char *)&jitter->idle, sizeof(struct ArgusJitterObject)); memset(&flow->stime.act, 0, sizeof(flow->stime.act)); memset(&flow->stime.idle, 0, sizeof(flow->stime.idle)); memset(&flow->dtime.act, 0, sizeof(flow->dtime.act)); memset(&flow->dtime.idle, 0, sizeof(flow->dtime.idle)); flow->stime.act.minval = 0xffffffff; flow->stime.idle.minval = 0xffffffff; flow->dtime.act.minval = 0xffffffff; flow->dtime.idle.minval = 0xffffffff; } } } struct ArgusFlowStruct * ArgusUpdateFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state, unsigned char update) { struct ArgusFlowStruct *retn = flow; ArgusUpdateBasicFlow (model, flow, state); if (model->ArgusThisIpHdr) { struct ArgusIPAttrStruct *attr = NULL; if ((attr = (struct ArgusIPAttrStruct *) flow->dsrs[ARGUS_IPATTR_INDEX]) == NULL) { flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; attr = &flow->canon.attr; memset(attr, 0, sizeof(*attr)); attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = 0; attr->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; } #if !defined(IPTOS_CE) #define IPTOS_CE 0x01 /* congestion experienced */ #define IPTOS_ECT 0x02 /* ECN-capable transport */ #endif switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { struct ip *iphdr = (struct ip *) model->ArgusThisIpHdr; u_short ip_off = ntohs(iphdr->ip_off); if (model->ArgusThisDir) { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC; } attr->src.ttl = iphdr->ip_ttl; attr->src.tos = iphdr->ip_tos; attr->src.ip_id = iphdr->ip_id; if ((attr->src.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_OPTIONS; if ((attr->src.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->src.status |= ARGUS_ECN_CONGESTED; } else { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST; } attr->dst.ttl = iphdr->ip_ttl; attr->dst.tos = iphdr->ip_tos; attr->dst.ip_id = iphdr->ip_id; if ((attr->dst.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_OPTIONS; if ((attr->dst.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->dst.status |= ARGUS_ECN_CONGESTED; } retn = ArgusUpdateState (model, flow, state, update); if ((model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) && (((ip_off & 0x1fff) == 0) && (ip_off & IP_MF))) { /* This is also a fragment, so we need to setup the expected fragment cache, so we can find the fragments that will be coming in. So get the fragment flow descriptor, and either find the flow or install one. If the fragment descriptor exists, then we're now able to update the parent flow, if it hasn't been done. Add this fragment to the parents fragment list, so we can find them if we have to deallocate the parent. */ struct ArgusSystemFlow *fflow = NULL; struct ArgusFlowStruct *frag = NULL; int tstate = model->state; if ((fflow = ArgusCreateFRAGFlow (model, iphdr, ETHERTYPE_IP)) == NULL) ArgusLog (LOG_ERR, "ArgusCreateFRAGFlow() returned NULL.\n"); ArgusCreateFlowKey(model, fflow, model->hstruct); if ((frag = ArgusFindFlow (model, model->hstruct)) == NULL) { if ((frag = ArgusNewFlow (model, fflow, model->hstruct, &flow->frag)) == NULL) ArgusLog (LOG_ERR, "ArgusNewFragFlow() returned NULL.\n"); memset (&frag->canon.net, 0, sizeof(struct ArgusFragObject) + 4); frag->canon.net.hdr.type = ARGUS_NETWORK_DSR; frag->canon.net.hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; frag->canon.net.hdr.argus_dsrvl8.qual = 0; frag->canon.net.hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; frag->dsrs[ARGUS_FRAG_INDEX] = (struct ArgusDSRHeader *) &frag->canon.net.hdr; frag->canon.net.net_union.frag.parent = flow; frag->canon.net.net_union.frag.frag_id = iphdr->ip_id; ArgusUpdateBasicFlow (model, frag, state); } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)frag->dsrs[ARGUS_FRAG_INDEX]; struct ArgusFragObject *ofrag = &net->net_union.frag; net->hdr.argus_dsrvl8.qual |= ARGUS_FRAG_OUT_OF_ORDER; if (ofrag->parent == NULL) { ofrag->parent = flow; if (frag->qhdr.queue != &flow->frag) { ArgusRemoveFromQueue(frag->qhdr.queue, &frag->qhdr, ARGUS_LOCK); ArgusAddToQueue(&flow->frag, &frag->qhdr, ARGUS_LOCK); } } } if (ArgusUpdateFRAGState (model, frag, state, ETHERTYPE_IP)) ArgusDeleteObject (frag); model->state = tstate; if (model->ArgusThisDir) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; else attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } break; } case ETHERTYPE_IPV6: { struct ip6_hdr *iphdr = (struct ip6_hdr *) model->ArgusThisIpHdr; unsigned int flowid = iphdr->ip6_flow; unsigned short ftos = (flowid >> 16); unsigned char tos = ((ntohs(ftos) >> 4) & 0x00FF); unsigned char ttl = iphdr->ip6_hlim; struct ip6_frag *tfrag = NULL; if (model->ArgusThisDir) { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC; } attr->src.ttl = ttl; attr->src.tos = tos; attr->src.ip_id = 0; if ((attr->src.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_OPTIONS; if ((attr->src.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->src.status |= ARGUS_ECN_CONGESTED; } else { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST; } attr->dst.ttl = ttl; attr->dst.tos = tos; attr->dst.ip_id = 0; if ((attr->dst.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_OPTIONS; if ((attr->dst.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->dst.status |= ARGUS_ECN_CONGESTED; } retn = ArgusUpdateState (model, flow, state, update); if ((model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) && (((tfrag = model->ArgusThisIpv6Frag) != NULL) && (((ntohs(tfrag->ip6f_offlg) & IP6F_OFF_MASK) == 0) && (tfrag->ip6f_offlg & IP6F_MORE_FRAG)))) { /* This is also a fragment, so we need to setup the expected fragment cache, so we can find the fragments that will be coming in. So get the fragment flow descriptor, and either find the flow or install one. If the fragment descriptor exists, then we're now able to update the parent flow, if it hasn't been done. Add this fragment to the parents fragment list, so we can find them if we have to deallocate the parent. */ struct ArgusSystemFlow *fflow = NULL; struct ArgusFlowStruct *frag = NULL; int tstate = model->state; if ((fflow = ArgusCreateFRAGFlow (model, iphdr, ETHERTYPE_IPV6)) != NULL) { ArgusCreateFlowKey(model, fflow, model->hstruct); if ((frag = ArgusFindFlow (model, model->hstruct)) == NULL) { /* ok so here things are correct, we're going to schedule the expected frag struct onto the parent flow, and proceed */ if ((frag = ArgusNewFlow (model, fflow, model->hstruct, &flow->frag)) == NULL) ArgusLog (LOG_ERR, "ArgusNewFragFlow() returned NULL.\n"); memset (&frag->canon.net, 0, sizeof(struct ArgusFragObject) + 4); frag->canon.net.hdr.type = ARGUS_NETWORK_DSR; frag->canon.net.hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; frag->canon.net.hdr.argus_dsrvl8.qual = 0; frag->canon.net.hdr.argus_dsrvl8.len = (sizeof(struct ArgusFragObject) + 3)/4 + 1; frag->dsrs[ARGUS_FRAG_INDEX] = (struct ArgusDSRHeader *) &frag->canon.net.hdr; frag->canon.net.net_union.frag.parent = flow; ArgusUpdateBasicFlow (model, frag, state); } else { /* oops, here we've seen parts of the fragment and are just now seeing the 0 offset fragment, so need to move the frag from the general run queue and put it on this parent frag queue */ if (frag->dsrs[ARGUS_FRAG_INDEX] != NULL) frag->dsrs[ARGUS_FRAG_INDEX]->argus_dsrvl8.qual |= ARGUS_FRAG_OUT_OF_ORDER; if (frag->qhdr.queue != &flow->frag) { ArgusRemoveFromQueue(frag->qhdr.queue, &frag->qhdr, ARGUS_LOCK); ArgusAddToQueue(&flow->frag, &frag->qhdr, ARGUS_LOCK); } } if (ArgusUpdateFRAGState (model, frag, state, ETHERTYPE_IPV6)) ArgusDeleteObject (frag); model->state = tstate; if (model->ArgusThisDir) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; else attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } } } } } else retn = ArgusUpdateState (model, flow, state, update); if ((state == ARGUS_START) && ArgusGenerateStartRecords) ArgusSendFlowRecord(model, flow, ARGUS_START); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateFlow (%p, %d) returning %p\n", flow, state, retn); #endif return (retn); } void ArgusTallyStats (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { struct ArgusMetricStruct *metric = (void *)flow->dsrs[ARGUS_METRIC_INDEX]; int bytes = model->ArgusThisBytes; if (metric != NULL) { if (model->ArgusThisDir) model->ArgusThisStats = &metric->src; else model->ArgusThisStats = &metric->dst; model->ArgusThisStats->pkts++; model->ArgusThisStats->bytes += bytes; } if (model->ArgusGeneratePacketSize) { struct ArgusPacketSizeStruct *psize = (void *)flow->dsrs[ARGUS_PSIZE_INDEX]; struct ArgusPacketSizeObject *tpsize; if (psize == NULL) { psize = &flow->canon.psize; memset (psize, 0, sizeof(*psize)); psize->hdr.type = ARGUS_PSIZE_DSR; psize->src.psizemin = 0xFFFF; psize->dst.psizemin = 0xFFFF; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; } if (model->ArgusThisDir) tpsize = &psize->src; else tpsize = &psize->dst; if (bytes > tpsize->psizemax) tpsize->psizemax = bytes; if (bytes < tpsize->psizemin) tpsize->psizemin = bytes; } if (model->ArgusGenerateTime) { struct ArgusTimeStat *ArgusThisTime; struct ArgusTimeStats *ArgusThisTimeStat; unsigned long long ArgusThisInterval, tout; struct timeval timeout; if (model->ArgusThisDir) { ArgusThisTime = &flow->stime; } else { ArgusThisTime = &flow->dtime; } if (model->ArgusInProtocol) ArgusThisTimeStat = &ArgusThisTime->act; else ArgusThisTimeStat = &ArgusThisTime->idle; if ((ArgusThisTime->lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((ArgusThisTime->lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (ArgusThisTime->lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { if (ArgusThisTime->lasttime.tv_sec > 0) { if ((ArgusThisInterval = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &ArgusThisTime->lasttime)) > 0) { timeout = *getArgusFarReportInterval (model); tout = (timeout.tv_sec * 1000000LL) + timeout.tv_usec; if (tout > 0) { if (ArgusThisInterval < (tout * 2)) { if (ArgusThisTimeStat->minval > ArgusThisInterval) ArgusThisTimeStat->minval = ArgusThisInterval; if (ArgusThisTimeStat->maxval < ArgusThisInterval) ArgusThisTimeStat->maxval = ArgusThisInterval; ArgusThisTimeStat->sum += ArgusThisInterval; ArgusThisTimeStat->sumsqrd += (double)ArgusThisInterval * (double)ArgusThisInterval; ArgusThisTimeStat->n++; } } } } ArgusThisTime->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTime->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusTallyStats (0x%x, 0x%x) returning\n", model, flow); #endif } void ArgusUpdateMACState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateMACState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { } int ArgusUpdateICMPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateICMPv6State (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); struct ArgusFlowStruct * ArgusUpdateState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state, unsigned char update) { struct ArgusFlowStruct *retn = flowstr; struct ArgusSystemFlow *flow; unsigned short proto; unsigned char ip_p; if ((flowstr->status & 0xF0) == 0) { flowstr->status |= state & 0xF0; } else { switch (state & 0xF0) { case ARGUS_START: case ARGUS_STOP: case ARGUS_TIMEOUT: case ARGUS_SHUTDOWN: case ARGUS_CLOSED: case ARGUS_ERROR: flowstr->status &= ~0xF0; flowstr->status |= state & 0xF0; break; } } ArgusUpdateMACState(model, flowstr, &state); flow = (struct ArgusSystemFlow *) flowstr->dsrs[ARGUS_FLOW_INDEX]; switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) ip_p = flow->ipv6_flow.ip_p; else ip_p = flow->ip_flow.ip_p; if (model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT) { ArgusTallyStats (model, flowstr); if (ArgusUpdateFRAGState (model, flowstr, state, proto)) { ArgusDeleteObject(flowstr); return(NULL); } } else { switch (ip_p) { case IPPROTO_TCP: { if (model->ArgusKeyStroke.status) ArgusTCPKeystroke(model, flowstr, &state); ArgusUpdateTCPState (model, flowstr, &state); if (flowstr->timeout != model->ArgusTCPTimeout) flowstr->timeout = model->ArgusTCPTimeout; break; } case IPPROTO_ICMP: ArgusUpdateICMPState (model, flowstr, &state); if (flowstr->timeout != model->ArgusICMPTimeout) flowstr->timeout = model->ArgusICMPTimeout; break; case IPPROTO_ICMPV6: ArgusUpdateICMPv6State (model, flowstr, &state); if (flowstr->timeout != model->ArgusICMPTimeout) flowstr->timeout = model->ArgusICMPTimeout; break; case IPPROTO_IGMP: if (flowstr->timeout == model->ArgusIGMPTimeout) flowstr->timeout = model->ArgusIGMPTimeout; break; case IPPROTO_UDP: ArgusUpdateUDPState (model, flowstr, &state); if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; case IPPROTO_ESP: ArgusUpdateESPState (model, flowstr, &state); if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; default: if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; } } break; } case ETHERTYPE_ARP: case ETHERTYPE_REVARP: ArgusUpdateArpState (model, flowstr, &state); break; default: break; } if (update) { if (!(model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) ArgusTallyStats (model, flowstr); ArgusUpdateAppState (model, flowstr, state); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateState (%p, %d) returning %d\n", flowstr, state, retn); #endif return (retn); } /* ArgusGenerateRecord Build the contiguous argus output record for output. Struct ArgusRecord is really just an array of 32-bit values, so lets build it that way to deal with 32 and 64-bit machines. */ struct ArgusRecord * ArgusGenerateRecord (struct ArgusModelerStruct *model, struct ArgusRecordStruct *rec, unsigned char state, struct ArgusRecord *retn) { if (rec) { switch (rec->hdr.type & 0xF0) { case ARGUS_FAR: case ARGUS_EVENT: case ARGUS_NETFLOW: { unsigned int ind, dsrindex, *dsrptr; int i, x, len = 0, dsrlen = 1; struct ArgusDSRHeader *dsr; bcopy ((char *)&rec->hdr, (char *)&retn->hdr, sizeof(retn->hdr)); dsrptr = (unsigned int *)&retn->ar_un.mar; dsrindex = rec->dsrindex; if (!(dsrindex & (0x01 << ARGUS_TIME_INDEX))) ArgusLog (LOG_ERR, "ArgusGenerateRecord: time dsr not set"); for (i = 0, ind = 1; (dsrindex && (i < ARGUSMAXDSRTYPE)); i++, ind <<= 1) { if ((dsr = rec->dsrs[i]) != NULL) { len = ((dsr->type & 0x80) ? 1 : ((dsr->type == ARGUS_DATA_DSR) ? dsr->argus_dsrvl16.len : dsr->argus_dsrvl8.len )); switch (i) { default: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_FLOW_INDEX: { switch (dsr->subtype) { case ARGUS_FLOW_ARP: switch (dsr->argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = &((struct ArgusFlow *)dsr)->flow_un.rarp; dsr->argus_dsrvl8.len = 4 + ((rarp->hln * 2) + 3)/4; len = dsr->argus_dsrvl8.len; dsrptr[0] = ((unsigned int *)dsr)[0]; dsrptr[1] = ((unsigned int *)dsr)[1]; dsrptr[2] = ((unsigned int *)dsr)[2]; dsrptr[3] = ((unsigned int *)dsr)[3]; bcopy (&rarp->shaddr, &((char *)&dsrptr[4])[0], rarp->hln); bcopy (&rarp->dhaddr, &((char *)&dsrptr[4])[rarp->hln], rarp->hln); dsrptr += dsr->argus_dsrvl8.len; break; } case ARGUS_TYPE_ARP: { struct ArgusArpFlow *arp = &((struct ArgusFlow *)dsr)->flow_un.arp; dsr->argus_dsrvl8.len = 4 + (arp->hln + 3)/4; len = dsr->argus_dsrvl8.len; dsrptr[0] = ((unsigned int *)dsr)[0]; dsrptr[1] = ((unsigned int *)dsr)[1]; dsrptr[2] = ((unsigned int *)dsr)[2]; dsrptr[3] = ((unsigned int *)dsr)[3]; dsrptr[4] = ((unsigned int *)dsr)[4]; bcopy (&arp->haddr, &((char *)&dsrptr[5])[0], arp->hln); dsrptr += dsr->argus_dsrvl8.len; break; } } break; default: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; } break; } case ARGUS_NETWORK_INDEX: { switch (dsr->subtype) { case ARGUS_TCP_INIT: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)rec->dsrs[i]; struct ArgusTCPObject *tobj = &net->net_union.tcp; struct ArgusTCPInitStatus *tcp = (void *)(dsrptr + 1); *dsrptr = *(unsigned int *)&net->hdr; tcp->status = tobj->status; tcp->seqbase = tobj->src.seqbase; tcp->options = tobj->options; tcp->flags = tobj->src.flags; tcp->winshift = tobj->src.winshift; dsrptr += len; break; } case ARGUS_TCP_STATUS: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)rec->dsrs[i]; struct ArgusTCPObject *tobj = &net->net_union.tcp; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)(dsrptr + 1); *dsrptr = *(unsigned int *)&net->hdr; tcp->status = tobj->status; tcp->src = tobj->src.flags; tcp->dst = tobj->dst.flags; bzero(&tcp->pad, sizeof(tcp->pad)); dsrptr += len; break; } default: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; } break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *dtime = (struct ArgusTimeObject *) dsr; struct ArgusTime *mint, *maxt; unsigned char subtype = 0; unsigned char tlen = 1; if (model->ArgusReportAllTime) { if (dtime->src.start.tv_sec) { subtype |= ARGUS_TIME_SRC_START; tlen += 2; } if (dtime->src.end.tv_sec) { subtype |= ARGUS_TIME_SRC_END; tlen += 2; } if (dtime->dst.start.tv_sec) { subtype |= ARGUS_TIME_DST_START; tlen += 2; } if (dtime->dst.end.tv_sec) { subtype |= ARGUS_TIME_DST_END; tlen += 2; } dtime->hdr.argus_dsrvl8.len = tlen; dtime->hdr.subtype &= ~(0x78); dtime->hdr.subtype |= subtype; *dsrptr++ = ((unsigned int *)rec->dsrs[i])[0]; for (x = 0; x < 4; x++) { if (subtype & (ARGUS_TIME_SRC_START << x)) { switch (ARGUS_TIME_SRC_START << x) { case ARGUS_TIME_SRC_START: *dsrptr++ = dtime->src.start.tv_sec; *dsrptr++ = dtime->src.start.tv_usec; break; case ARGUS_TIME_SRC_END: *dsrptr++ = dtime->src.end.tv_sec; *dsrptr++ = dtime->src.end.tv_usec; break; case ARGUS_TIME_DST_START: *dsrptr++ = dtime->dst.start.tv_sec; *dsrptr++ = dtime->dst.start.tv_usec; break; case ARGUS_TIME_DST_END: *dsrptr++ = dtime->dst.end.tv_sec; *dsrptr++ = dtime->dst.end.tv_usec; break; } } } len = tlen; } else { struct ArgusTime tmax = {0, 0}, tmin = {0xEFFFFFFF,0}; struct ArgusTime *atime; for (x = 0; x < 4; x++) { switch (ARGUS_TIME_SRC_START << x) { case ARGUS_TIME_SRC_START: atime = &dtime->src.start; break; case ARGUS_TIME_SRC_END: atime = &dtime->src.end; break; case ARGUS_TIME_DST_START: atime = &dtime->dst.start; break; case ARGUS_TIME_DST_END: atime = &dtime->dst.end; break; } if (atime->tv_sec) { if ((tmax.tv_sec < atime->tv_sec) || ((tmax.tv_sec == atime->tv_sec) && (tmax.tv_usec < atime->tv_usec))) { tmax = *atime; } if ((tmin.tv_sec > atime->tv_sec) || ((tmin.tv_sec == atime->tv_sec) && (tmin.tv_sec > atime->tv_sec))) { tmin = *atime; } } } maxt = &tmax; mint = &tmin; if ((maxt->tv_sec != mint->tv_sec) || ((maxt->tv_sec == mint->tv_sec) && (maxt->tv_usec != mint->tv_usec))) { dsr->argus_dsrvl8.len = 5; len = 5; } else { dsr->argus_dsrvl8.len = 3; len = 3; } *dsrptr++ = ((unsigned int *)rec->dsrs[i])[0]; *dsrptr++ = mint->tv_sec; *dsrptr++ = mint->tv_usec; if (len == 5) { *dsrptr++ = maxt->tv_sec; *dsrptr++ = maxt->tv_usec; } } break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *) dsr; unsigned char type = 0; if ((metric->src.pkts + metric->dst.pkts) > 0) { if (metric->src.pkts && metric->dst.pkts) { if ((0xFF >= metric->src.pkts) && (0xFF >= metric->dst.pkts) && (0xFF >= metric->src.bytes) && (0xFF >= metric->dst.bytes)) type = ARGUS_SRCDST_BYTE; else if ((0xFFFF >= metric->src.bytes) && (0xFFFF >= metric->dst.bytes)) type = ARGUS_SRCDST_SHORT; else if ((0xFFFFFFFF >= metric->src.bytes) && (0xFFFFFFFF >= metric->dst.bytes)) type = ARGUS_SRCDST_INT; else type = ARGUS_SRCDST_LONGLONG; } else { if (metric->src.pkts) { if (0xFFFF >= metric->src.bytes) type = ARGUS_SRC_SHORT; else if (0xFFFFFFFF >= metric->src.bytes) type = ARGUS_SRC_INT; else type = ARGUS_SRC_LONGLONG; } else { if (0xFFFF >= metric->dst.bytes) type = ARGUS_DST_SHORT; else if (0xFFFFFFFF >= metric->dst.bytes) type = ARGUS_DST_INT; else type = ARGUS_DST_LONGLONG; } } } dsr = (struct ArgusDSRHeader *)dsrptr; dsr->type = ARGUS_METER_DSR; if (getArgusAflag(model) && (metric->src.appbytes || metric->dst.appbytes)) { dsr->subtype = ARGUS_METER_PKTS_BYTES_APP; switch (type) { case ARGUS_SRCDST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned char *)(dsr + 1))[0] = (unsigned char) metric->src.pkts; ((unsigned char *)(dsr + 1))[1] = (unsigned char) metric->src.bytes; ((unsigned char *)(dsr + 1))[2] = (unsigned char) metric->src.appbytes; ((unsigned char *)(dsr + 1))[3] = (unsigned char) metric->dst.pkts; ((unsigned char *)(dsr + 1))[4] = (unsigned char) metric->dst.bytes; ((unsigned char *)(dsr + 1))[5] = (unsigned char) metric->dst.appbytes; break; case ARGUS_SRCDST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->src.appbytes); ((unsigned short *)(dsr + 1))[3] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[4] = ((unsigned short) metric->dst.bytes); ((unsigned short *)(dsr + 1))[5] = ((unsigned short) metric->dst.appbytes); break; case ARGUS_SRCDST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 7; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->src.appbytes); ((unsigned int *)(dsr + 1))[3] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[4] = ((unsigned int) metric->dst.bytes); ((unsigned int *)(dsr + 1))[5] = ((unsigned int) metric->dst.appbytes); break; case ARGUS_SRC_BYTE: { dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = ((unsigned char) metric->src.pkts); ((unsigned char *)(dsr + 1))[1] = ((unsigned char) metric->src.bytes); ((unsigned char *)(dsr + 1))[2] = ((unsigned char) metric->src.appbytes); break; } case ARGUS_SRC_SHORT: { dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->src.appbytes); break; } case ARGUS_SRC_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->src.appbytes); break; case ARGUS_DST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = ((unsigned char) metric->dst.pkts); ((unsigned char *)(dsr + 1))[1] = ((unsigned char) metric->dst.bytes); ((unsigned char *)(dsr + 1))[2] = ((unsigned char) metric->dst.appbytes); break; case ARGUS_DST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->dst.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->dst.appbytes); break; case ARGUS_DST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->dst.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->dst.appbytes); break; } } else { dsr->subtype = ARGUS_METER_PKTS_BYTES; switch (type) { case ARGUS_SRCDST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = (unsigned char) metric->src.pkts; ((unsigned char *)(dsr + 1))[1] = (unsigned char) metric->src.bytes; ((unsigned char *)(dsr + 1))[2] = (unsigned char) metric->dst.pkts; ((unsigned char *)(dsr + 1))[3] = (unsigned char) metric->dst.bytes; break; case ARGUS_SRCDST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[3] = ((unsigned short) metric->dst.bytes); break; case ARGUS_SRCDST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[3] = ((unsigned int) metric->dst.bytes); break; case ARGUS_SRCDST_LONGLONG: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 9; break; case ARGUS_SRC_SHORT: { unsigned short value; dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; value = metric->src.pkts; ((unsigned short *)(dsr + 1))[0] = value; value = metric->src.bytes; ((unsigned short *)(dsr + 1))[1] = value; break; } case ARGUS_SRC_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); break; case ARGUS_SRC_LONGLONG: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; break; case ARGUS_DST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->dst.bytes); break; case ARGUS_DST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->dst.bytes); break; case ARGUS_DST_LONGLONG: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; ((unsigned int *)(dsr + 1))[0] = (((unsigned int *)&metric->dst.pkts)[0]); ((unsigned int *)(dsr + 1))[1] = (((unsigned int *)&metric->dst.pkts)[1]); ((unsigned int *)(dsr + 1))[2] = (((unsigned int *)&metric->dst.bytes)[0]); ((unsigned int *)(dsr + 1))[3] = (((unsigned int *)&metric->dst.bytes)[1]); break; } } len = dsr->argus_dsrvl8.len; dsrptr += len; break; } case ARGUS_PSIZE_INDEX: { struct ArgusPacketSizeStruct *psize = (struct ArgusPacketSizeStruct *) dsr; unsigned char type = 0; if ((psize->src.psizemax > 0) && (psize->dst.psizemax > 0)) type = ARGUS_SRCDST_SHORT; else if (psize->src.psizemax > 0) type = ARGUS_SRC_SHORT; else if (psize->dst.psizemax > 0) type = ARGUS_DST_SHORT; if (type != 0) { dsr = (struct ArgusDSRHeader *)dsrptr; dsr->type = ARGUS_PSIZE_DSR; dsr->subtype = 0; switch (type) { case ARGUS_SRCDST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = psize->src.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->src.psizemax; ((unsigned short *)(dsr + 1))[2] = psize->dst.psizemin; ((unsigned short *)(dsr + 1))[3] = psize->dst.psizemax; break; case ARGUS_SRC_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = psize->src.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->src.psizemax; break; case ARGUS_DST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = psize->dst.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->dst.psizemax; break; default: ArgusLog (LOG_ERR, "ArgusGenerateRecord: packet size type not defined"); break; } dsr->argus_dsrvl8.qual = type; len = dsr->argus_dsrvl8.len; dsrptr += len; } else len = 0; break; } case ARGUS_MPLS_INDEX: { struct ArgusMplsStruct *mpls = (struct ArgusMplsStruct *) dsr; struct ArgusMplsStruct *tmpls = (struct ArgusMplsStruct *) dsrptr; unsigned char subtype = mpls->hdr.subtype & ~(ARGUS_MPLS_SRC_LABEL | ARGUS_MPLS_DST_LABEL); *dsrptr++ = *(unsigned int *)dsr; tmpls->hdr.argus_dsrvl8.len = 1; if (((mpls->hdr.argus_dsrvl8.qual & 0xF0) >> 4) > 0) { subtype |= ARGUS_MPLS_SRC_LABEL; *dsrptr++ = mpls->slabel; tmpls->hdr.argus_dsrvl8.len++; } if ((mpls->hdr.argus_dsrvl8.qual & 0x0F) > 0) { subtype |= ARGUS_MPLS_DST_LABEL; *dsrptr++ = mpls->dlabel; tmpls->hdr.argus_dsrvl8.len++; } tmpls->hdr.subtype = subtype; len = tmpls->hdr.argus_dsrvl8.len; break; } case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jitter = (struct ArgusJitterStruct *) dsr; struct ArgusJitterStruct *tjit = (struct ArgusJitterStruct *) dsrptr; int size = sizeof(jitter->act.src)/4; *dsrptr++ = *(unsigned int *)dsr; tjit->hdr.argus_dsrvl8.len = 1; if (jitter->hdr.argus_dsrvl8.qual & ARGUS_SRC_ACTIVE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->act.src; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_SRC_IDLE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->idle.src; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_DST_ACTIVE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->act.dst; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_DST_IDLE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->idle.dst; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } len = tjit->hdr.argus_dsrvl8.len; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) dsr; struct ArgusIPAttrStruct *tattr = (struct ArgusIPAttrStruct *) dsrptr; *dsrptr++ = *(unsigned int *)dsr; tattr->hdr.argus_dsrvl8.len = 1; if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) { *dsrptr++ = *(unsigned int *)&attr->src; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC_OPTIONS) { *dsrptr++ = attr->src.options; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) { *dsrptr++ = *(unsigned int *)&attr->dst; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST_OPTIONS) { *dsrptr++ = attr->dst.options; tattr->hdr.argus_dsrvl8.len++; } len = tattr->hdr.argus_dsrvl8.len; break; } /* user capture data buffers are passed to the output model as (struct ArgusDataStruct *) buffers, not as pointers to sections of the canonical record. Seems wierd but is saves us a few copies */ case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { unsigned short *sptr; struct ArgusDataStruct *user = (struct ArgusDataStruct *) dsr; len = 2 + (user->count + 3)/4; sptr = (unsigned short *)&user->hdr.argus_dsrvl8; *sptr = len; for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)user)[x]; break; } } dsrlen += len; } dsrindex &= ~ind; } retn->hdr.len = dsrlen; break; } case ARGUS_MAR: { bcopy ((char *)&rec->canon, (char *) retn, rec->hdr.len * 4); retn->hdr = rec->hdr; if (state) retn->hdr.cause = (state & 0xF0) | (retn->hdr.cause & 0x0F); break; } } } else { retn->hdr.type = ARGUS_MAR; retn->hdr.type |= ARGUS_VERSION; retn->hdr.cause = state & 0xF0; retn->hdr.len = 1; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusGenerateRecord (0x%x, %d) done\n", rec, state); #endif return (retn); } struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); #define ARGUS_MAX_OS_STATUS 4204 struct ArgusRecordStruct * ArgusCopyRecordStruct (struct ArgusRecordStruct *rec) { struct ArgusRecordStruct *retn = NULL; int i; if (rec) { switch (rec->hdr.type & 0xF0) { case ARGUS_EVENT: { if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (ARGUS_MAX_OS_STATUS)) != NULL) bcopy ((char *)rec, (char *)retn, ARGUS_MAX_OS_STATUS); break; } case ARGUS_FAR: { if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) != NULL) { bcopy ((char *)&rec->hdr, (char *)&retn->hdr, sizeof (rec->hdr)); bcopy ((char *)&rec->canon, (char *)&retn->canon, sizeof (rec->canon)); retn->status = rec->status; retn->trans = rec->trans; retn->timeout = rec->timeout; if ((retn->dsrindex = rec->dsrindex)) { for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (rec->dsrs[i] != NULL) { switch (i) { case ARGUS_TRANSPORT_INDEX: retn->dsrs[i] = &retn->canon.trans.hdr; break; case ARGUS_TIME_INDEX: retn->dsrs[i] = &retn->canon.time.hdr; break; case ARGUS_FLOW_INDEX: retn->dsrs[i] = &retn->canon.flow.hdr; break; case ARGUS_METRIC_INDEX: retn->dsrs[i] = &retn->canon.metric.hdr; break; case ARGUS_NETWORK_INDEX: retn->dsrs[i] = &retn->canon.net.hdr; break; case ARGUS_IPATTR_INDEX: retn->dsrs[i] = &retn->canon.attr.hdr; break; case ARGUS_JITTER_INDEX: retn->dsrs[i] = &retn->canon.jitter.hdr; break; case ARGUS_ICMP_INDEX: retn->dsrs[i] = &retn->canon.icmp.hdr; break; case ARGUS_ENCAPS_INDEX: retn->dsrs[i] = &retn->canon.encaps.hdr; break; case ARGUS_PSIZE_INDEX: retn->dsrs[i] = &retn->canon.psize.hdr; break; case ARGUS_MAC_INDEX: retn->dsrs[i] = &retn->canon.mac.hdr; break; case ARGUS_VLAN_INDEX: retn->dsrs[i] = &retn->canon.vlan.hdr; break; case ARGUS_MPLS_INDEX: retn->dsrs[i] = &retn->canon.mpls.hdr; break; case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *user = (struct ArgusDataStruct *) rec->dsrs[i]; if (user->count > 0) { if ((retn->dsrs[i] = (void *) ArgusCalloc(1, (8 + user->size))) != NULL) { bcopy ((char *)rec->dsrs[i], (char *)retn->dsrs[i], 8 + user->count); } else { retn->dsrindex &= ~(0x01 << i); } break; } } } } else { switch (i) { case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: if (retn->dsrs[i] != NULL) ArgusFree(retn->dsrs[i]); break; } retn->dsrs[i] = NULL; retn->dsrindex &= ~(0x01 << i); } } } retn->srate = rec->srate; retn->drate = rec->drate; retn->sload = rec->sload; retn->dload = rec->dload; retn->pcr = rec->pcr; retn->sploss = rec->sploss; retn->dploss = rec->dploss; } break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCopyRecordStruct (0x%x) done\n", rec); #endif return (retn); } struct ArgusRecordStruct * ArgusGenerateListRecord (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusRecordStruct *retn = NULL; int dsrlen = 1, i; if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) != NULL) { if (flow) { bcopy ((char *)&flow->canon, (char *)&retn->canon, sizeof (flow->canon)); if ((retn->dsrindex = flow->dsrindex) != 0) { for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrs[i] != NULL) { switch (i) { case ARGUS_TRANSPORT_INDEX: retn->dsrs[i] = &retn->canon.trans.hdr; break; case ARGUS_TIME_INDEX: retn->dsrs[i] = &retn->canon.time.hdr; break; case ARGUS_ENCAPS_INDEX: retn->dsrs[i] = &retn->canon.encaps.hdr; break; case ARGUS_FLOW_INDEX: retn->dsrs[i] = &retn->canon.flow.hdr; break; case ARGUS_METRIC_INDEX: retn->dsrs[i] = &retn->canon.metric.hdr; break; case ARGUS_PSIZE_INDEX: retn->dsrs[i] = &retn->canon.psize.hdr; break; case ARGUS_IPATTR_INDEX: retn->dsrs[i] = &retn->canon.attr.hdr; break; case ARGUS_MAC_INDEX: retn->dsrs[i] = &retn->canon.mac.hdr; break; case ARGUS_ICMP_INDEX: retn->dsrs[i] = &retn->canon.icmp.hdr; break; /* pass the user data buffer into the list record */ case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *data = (struct ArgusDataStruct *) retn->dsrs[i]; retn->dsrs[i] = flow->dsrs[i]; flow->dsrs[i] = NULL; if (data != NULL) { ArgusFree(data); } break; } case ARGUS_NETWORK_INDEX: { switch (retn->canon.net.hdr.subtype & 0x7F) { case ARGUS_TCP_STATUS: case ARGUS_TCP_PERF: ArgusTCPFlowRecord (&retn->canon.net, state); retn->dsrs[i] = &retn->canon.net.hdr; break; case ARGUS_ESP_DSR: ArgusESPFlowRecord (&retn->canon.net, state); retn->dsrs[i] = &retn->canon.net.hdr; break; default: retn->dsrs[i] = &retn->canon.net.hdr; break; } break; } case ARGUS_MPLS_INDEX: retn->dsrs[i] = &retn->canon.mpls.hdr; break; case ARGUS_VLAN_INDEX: retn->dsrs[i] = &retn->canon.vlan.hdr; break; case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jitter = &retn->canon.jitter; if ((flow->stime.act.n || flow->dtime.act.n) ||(flow->stime.idle.n || flow->dtime.idle.n)) { jitter->hdr.argus_dsrvl8.qual = 0; jitter->hdr.argus_dsrvl8.len = 1; if (flow->stime.act.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->act.src); tjit->n = flow->stime.act.n; tjit->minval = flow->stime.act.minval; tjit->maxval = flow->stime.act.maxval; tjit->meanval = flow->stime.act.sum/flow->stime.act.n; tjit->stdev = (sqrt ((flow->stime.act.sumsqrd/flow->stime.act.n) - pow ((flow->stime.act.sum)/flow->stime.act.n, 2.0))) * 1; jitter->hdr.argus_dsrvl8.qual |= ARGUS_SRC_ACTIVE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->stime.idle.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->idle.src); tjit->n = flow->stime.idle.n; tjit->minval = flow->stime.idle.minval; tjit->maxval = flow->stime.idle.maxval; tjit->meanval = flow->stime.idle.sum/flow->stime.idle.n; tjit->stdev = (sqrt ((flow->stime.idle.sumsqrd/flow->stime.idle.n) - pow ((flow->stime.idle.sum)/flow->stime.idle.n, 2.0))) * 1; jitter->hdr.argus_dsrvl8.qual |= ARGUS_SRC_IDLE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->dtime.act.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->act.dst); tjit->n = flow->dtime.act.n; tjit->minval = flow->dtime.act.minval; tjit->maxval = flow->dtime.act.maxval; tjit->meanval = flow->dtime.act.sum/flow->dtime.act.n; tjit->stdev = (sqrt ((flow->dtime.act.sumsqrd/flow->dtime.act.n) - pow ((flow->dtime.act.sum)/flow->dtime.act.n, 2.0))) * 1; jitter->hdr.argus_dsrvl8.qual |= ARGUS_DST_ACTIVE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->dtime.idle.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->idle.dst); tjit->n = flow->dtime.act.n; tjit->n = flow->dtime.idle.n; tjit->minval = flow->dtime.idle.minval; tjit->maxval = flow->dtime.idle.maxval; tjit->meanval = flow->dtime.idle.sum/flow->dtime.idle.n; tjit->stdev = (sqrt ((flow->dtime.idle.sumsqrd/flow->dtime.idle.n) - pow ((flow->dtime.idle.sum)/flow->dtime.idle.n, 2.0))) * 1; jitter->hdr.argus_dsrvl8.qual |= ARGUS_DST_IDLE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } retn->dsrs[i] = (struct ArgusDSRHeader *)jitter; } else { retn->dsrindex &= ~ARGUS_JITTER_INDEX; retn->dsrs[i] = NULL; } break; } case ARGUS_BEHAVIOR_INDEX: { struct ArgusBehaviorStruct *actor = &retn->canon.actor; retn->dsrs[i] = NULL; int value; if ((value = getArgusKeystroke(model)) > 0) { actor->hdr.type = ARGUS_BEHAVIOR_DSR; actor->hdr.subtype = 0; actor->hdr.argus_dsrvl8.len = sizeof(*actor)/4; actor->keyStroke.src.n_strokes = flow->skey.n_strokes; actor->keyStroke.dst.n_strokes = 0; if (flow->skey.n_pkts >= model->ArgusKeyStroke.n_min) { if ((value == ARGUS_SSH_KEYSTROKE) && (flow->status & ARGUS_SSH_MONITOR)) { actor->hdr.subtype = ARGUS_SSH_KEYSTROKE; retn->dsrs[i] = (struct ArgusDSRHeader *)actor; } else if (value == ARGUS_TCP_KEYSTROKE) { actor->hdr.subtype = ARGUS_TCP_KEYSTROKE; retn->dsrs[i] = (struct ArgusDSRHeader *)actor; } } } if (retn->dsrs[i] == NULL) { actor->keyStroke.src.n_strokes = 0; actor->keyStroke.dst.n_strokes = 0; retn->dsrindex &= ~ARGUS_BEHAVIOR_INDEX; } break; } } if (retn->dsrs[i]) { dsrlen += ((retn->dsrs[i]->type & 0x80) ? 1 : ((retn->dsrs[i]->type == ARGUS_DATA_DSR) ? retn->dsrs[i]->argus_dsrvl16.len : retn->dsrs[i]->argus_dsrvl8.len )); } } else { switch (i) { case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: if (retn->dsrs[i] != NULL) ArgusFree(retn->dsrs[i]); } retn->dsrs[i] = NULL; retn->dsrindex &= ~(0x01 << i); } } } else { if (retn->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(retn->dsrs[ARGUS_SRCUSERDATA_INDEX]); retn->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; retn->dsrindex &= ~(0x01 << ARGUS_SRCUSERDATA_INDEX); } if (retn->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(retn->dsrs[ARGUS_DSTUSERDATA_INDEX]); retn->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; retn->dsrindex &= ~(0x01 << ARGUS_DSTUSERDATA_INDEX); } } retn->srate = ArgusFetchSrcRate(retn); retn->drate = ArgusFetchDstRate(retn); retn->sload = ArgusFetchSrcLoad(retn); retn->dload = ArgusFetchDstRate(retn); retn->pcr = ArgusFetchAppByteRatio(retn); retn->sploss = ArgusFetchPercentSrcLoss(retn); retn->dploss = ArgusFetchPercentDstLoss(retn); } else { retn->dsrindex = 0; bzero ((char *)&retn->canon, sizeof(retn->canon)); bzero ((char *)&retn->dsrs, sizeof(retn->dsrs)); } if (!(flow) && ((state == ARGUS_STOP) || (state == ARGUS_ERROR))) { retn->hdr.type = ARGUS_MAR; retn->status = 0; retn->trans = 0; retn->timeout = 0; } else { retn->hdr.type = flow->canon.hdr.type | ARGUS_FAR; retn->status = flow->status; retn->trans = flow->trans; retn->timeout = flow->timeout; } retn->hdr.type |= ARGUS_VERSION; retn->hdr.cause = state & 0xF0; retn->hdr.len = dsrlen; } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusMallocListRecord (%d) returned NULL\n", sizeof(*retn)); #endif } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusGenerateListRecord (%p, %p, %d) returning %p\n", model, flow, state, retn); #endif return (retn); } void ArgusSendFlowRecord (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusRecordStruct *argus; #ifdef ARGUSDEBUG int scheduled = 0; #endif if (flow != NULL) { if (model->ArgusOutputList) { struct ArgusFlowStruct *frag; if ((frag = (struct ArgusFlowStruct *)flow->frag.start) != NULL) { do { ArgusUpdateParentFlow(model, frag); frag = (struct ArgusFlowStruct *)frag->qhdr.nxt; } while (frag != (struct ArgusFlowStruct *)flow->frag.start); } if (flow->canon.metric.src.pkts || flow->canon.metric.dst.pkts) { if (flow->canon.trans.seqnum == 0) { if ((flow->canon.trans.seqnum = model->ArgusSeqNum++) == 0xFFFFFFFF) flow->canon.trans.seqnum = model->ArgusSeqNum++; } if ((argus = ArgusGenerateListRecord (model, flow, state)) != NULL) { ArgusPushBackList (model->ArgusOutputList, (struct ArgusListRecord *) argus, ARGUS_LOCK); flow->status |= ARGUS_RECORD_WRITTEN; model->ArgusTotalSends++; #ifdef ARGUSDEBUG scheduled = 1; #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&model->ArgusOutputList->lock); pthread_cond_signal(&model->ArgusOutputList->cond); pthread_mutex_unlock(&model->ArgusOutputList->lock); #endif } #ifdef ARGUSDEBUG if (scheduled) ArgusDebug (9, "ArgusSendFlowRecord (%p, %p, %d) scheduled %p\n", model, flow, state, argus); else ArgusDebug (9, "ArgusSendFlowRecord (%p, %p, %d) done\n", model, flow, state); #endif } else { model->ArgusTotalBadSends++; } } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSendFlowRecord (%p, %p, %d) no model->ArgusOutputList\n", model, flow, state); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSendFlowRecord (%p, %p, %d) no flow provided\n", model, flow, state); #endif } } void ArgusModelerCleanUp (struct ArgusModelerStruct *model) { struct ArgusQueueStruct *queue; if ((model->ArgusTimeOutQueues != NULL) && (model->ArgusTimeOutQueues->count > 0)) { int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); if (queue->count) { #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusModelerCleanUp(%p) ArgusProcessQueue(%p) timeout queue with %d records\n", model, queue, queue->count); #endif ArgusProcessQueue (model, queue, ARGUS_SHUTDOWN); } ArgusDeleteQueue (queue); } ArgusDeleteQueue (model->ArgusTimeOutQueues); model->ArgusTimeOutQueues = NULL; } if (model->ArgusStatusQueue) { queue = model->ArgusStatusQueue; #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusModelerCleanUp(%p) ArgusProcessQueue(%p) status queue with %d records %d sent\n", model, queue, queue->count, model->ArgusTotalSends); #endif if (queue->count) ArgusProcessQueue (model, queue, ARGUS_SHUTDOWN); ArgusDeleteQueue (queue); model->ArgusStatusQueue = NULL; } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusModelerCleanUp (%p) returning\n", model); #endif } int ArgusCmp(void *, void *, int); int ArgusCmp(void *p1, void *p2, int len) { unsigned int *c1 = p1, *c2 = p2; int retn = 0, i = 0; for (; i < len; i++, c1++, c2++) if (*c1 != *c2) break; if (i != len) retn = c1[i] - c2[i]; return(retn); } void * ArgusCreateIPv6Flow (struct ArgusModelerStruct *model, struct ip6_hdr *ip) { void *retn = NULL; struct ArgusSystemFlow *tflow; if ((ip != NULL) && STRUCTCAPTURED(model, *ip)) { int nxt, done = 0, i = 0; unsigned int *sp = (unsigned int*) &ip->ip6_src; unsigned int *dp = (unsigned int*) &ip->ip6_dst; unsigned short alen, sport = 0, dport = 0; unsigned int *rsp, *rdp; #ifdef _LITTLE_ENDIAN // unsigned plen; // plen = ntohs(ip->ip6_plen); #endif tflow = model->ArgusThisFlow; rsp = (unsigned int *)&tflow->ipv6_flow.ip_src; rdp = (unsigned int *)&tflow->ipv6_flow.ip_dst; tflow->ipv6_flow.flow = 0; nxt = ip->ip6_nxt; model->ArgusThisIpHdr = ip; alen = sizeof(ip->ip6_src)/sizeof(int); if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { while ((i < alen) && (*dp == *sp)) { /* copy while they are equal */ *rsp++ = *sp++; /* leave pointers where they are not */ *rdp++ = *dp++; i++; } if (i < alen) { if (ntohl(*sp) < ntohl(*dp)) { unsigned int *tmp = rdp; rdp = rsp; rsp = tmp; model->state |= ARGUS_DIRECTION; } while (i < alen) { *rsp++ = *sp++; *rdp++ = *dp++; i++; } } } else { for (i = 0; i < alen; i++) { *rsp++ = *sp++; *rdp++ = *dp++; } } model->ArgusThisIpv6Frag = NULL; model->ArgusThisLength -= sizeof(*ip); model->ArgusSnapLength -= sizeof(*ip); model->ArgusThisUpHdr = (unsigned char *)(ip + 1); ip++; while (!done) { switch (nxt) { case IPPROTO_FRAGMENT: { int offset = ((((struct ip6_hbh *)ip)->ip6h_len + 1) << 3); struct ip6_frag *tfrag = (struct ip6_frag *) ip; model->ArgusThisIpv6Frag = tfrag; nxt = *(char *)ip; if ((ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK)) != 0) done++; ip = (struct ip6_hdr *)((char *)ip + offset); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; break; } case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: { int offset = ((((struct ip6_hbh *)ip)->ip6h_len + 1) << 3); nxt = *(char *)ip; ip = (struct ip6_hdr *)((char *)ip + offset); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; break; } default: done++; break; } } tflow->hdr.type = ARGUS_FLOW_DSR; retn = tflow; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) { tflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; tflow->hdr.argus_dsrvl8.len = 11; tflow->ipv6_flow.ip_p = nxt; if ((model->ArgusThisIpv6Frag) && ((ntohs(model->ArgusThisIpv6Frag->ip6f_offlg & IP6F_OFF_MASK)) != 0)) { tflow->fragv6_flow.ip_id = model->ArgusThisIpv6Frag->ip6f_ident; tflow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; } else { if (nxt == IPPROTO_AH) { struct AHHeader *ah = (struct AHHeader *) model->ArgusThisUpHdr; model->ArgusThisEncaps |= ARGUS_ENCAPS_AH; if (STRUCTCAPTURED(model, *ah)) { nxt = ah->nxt; model->ArgusThisUpHdr = (unsigned char *)(ah + 1); tflow->ipv6_flow.ip_p = nxt; } } switch (nxt) { case IPPROTO_TCP: { struct tcphdr *tp = (struct tcphdr *) model->ArgusThisUpHdr; if (model->state & ARGUS_DIRECTION) { dport = ntohs(tp->th_sport); sport = ntohs(tp->th_dport); } else { sport = ntohs(tp->th_sport); dport = ntohs(tp->th_dport); } tflow->ipv6_flow.sport = sport; tflow->ipv6_flow.dport = dport; break; } case IPPROTO_UDP: { struct udphdr *up = (struct udphdr *) model->ArgusThisUpHdr; if (model->state & ARGUS_DIRECTION) { dport = ntohs(up->uh_sport); sport = ntohs(up->uh_dport); } else { sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); } tflow->ipv6_flow.sport = sport; tflow->ipv6_flow.dport = dport; break; } case IPPROTO_ESP: retn = ArgusCreateESPv6Flow(model, ip); break; case IPPROTO_ICMPV6: retn = ArgusCreateICMPv6Flow(model, (struct icmp6_hdr *)model->ArgusThisUpHdr); break; case IPPROTO_IGMP: retn = ArgusCreateIGMPv6Flow(model, (struct igmp *)model->ArgusThisUpHdr); break; default: tflow->ipv6_flow.sport = sport; tflow->ipv6_flow.dport = dport; break; } } } else { if (model->ArgusFlowKey & ARGUS_FLOW_KEY_LAYER_3_MATRIX) { tflow->hdr.subtype = ARGUS_FLOW_LAYER_3_MATRIX; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; tflow->hdr.argus_dsrvl8.len = 9; tflow->ipv6_flow.sport = 0; tflow->ipv6_flow.dport = 0; tflow->ipv6_flow.ip_p = 0; } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateIPv6Flow (0x%x, 0x%x) returning %d\n", model, ip, retn); #endif return (retn); } void * ArgusCreateIPv4Flow (struct ArgusModelerStruct *model, struct ip *ip) { void *retn = model->ArgusThisFlow; unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2)); struct ip tipbuf, *tip = &tipbuf; arg_uint16 sport = 0, dport = 0; arg_uint8 proto, tp_p = 0; arg_uint32 len; int hlen, ArgusOptionLen; if ((ip != NULL) && STRUCTCAPTURED(model, *ip)) { model->ArgusThisIpHdr = ip; #ifdef _LITTLE_ENDIAN bzero(tip, sizeof(*tip)); tip->ip_len = ntohs(ip->ip_len); tip->ip_id = ntohs(ip->ip_id); tip->ip_v = ip->ip_v; tip->ip_hl = ip->ip_hl; tip->ip_off = ntohs(ip->ip_off); tip->ip_src.s_addr = ntohl(ip->ip_src.s_addr); tip->ip_dst.s_addr = ntohl(ip->ip_dst.s_addr); #else tip = ip; #endif hlen = tip->ip_hl << 2; len = (tip->ip_len - hlen); model->ArgusOptionIndicator = '\0'; if ((ArgusOptionLen = (hlen - sizeof (struct ip))) > 0) model->ArgusOptionIndicator = ArgusParseIPOptions ((unsigned char *) (ip + 1), ArgusOptionLen); else model->ArgusOptionIndicator = 0; model->ArgusThisLength = len; model->ArgusSnapLength -= hlen; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) { bzero ((char *)model->ArgusThisFlow, sizeof(*model->ArgusThisFlow)); model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; proto = ip->ip_p; if (!(tip->ip_off & 0x1fff)) { if (proto == IPPROTO_AH) { struct AHHeader *ah = (struct AHHeader *) nxtHdr; model->ArgusThisEncaps |= ARGUS_ENCAPS_AH; if (STRUCTCAPTURED(model, *ah)) { proto = ah->nxt; nxtHdr = (unsigned char *)(ah + 1); } } model->ArgusThisUpHdr = nxtHdr; switch (proto) { case IPPROTO_ESP: retn = ArgusCreateESPFlow (model, ip); return (retn); case IPPROTO_ICMP: retn = ArgusCreateICMPFlow (model, ip); return (retn); case IPPROTO_IGMP: retn = ArgusCreateIGMPFlow (model, ip); return (retn); case IPPROTO_TCP: { model->ArgusThisFlow->ip_flow.smask = 0; model->ArgusThisFlow->ip_flow.dmask = 0; if (len >= sizeof (struct tcphdr)) { struct tcphdr *tp = (struct tcphdr *) nxtHdr; if (BYTESCAPTURED(model, *tp, 4)) { sport = ntohs(tp->th_sport); dport = ntohs(tp->th_dport); } } break; } case IPPROTO_UDP: { model->ArgusThisFlow->ip_flow.smask = 0; model->ArgusThisFlow->ip_flow.dmask = 0; if (len >= sizeof (struct udphdr)) { struct udphdr *up = (struct udphdr *) nxtHdr; if (BYTESCAPTURED(model, *up, 4)) { sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); } if ((sport == 53) || (dport == 53)) { unsigned short pad = ntohs(*(u_int16_t *)(up + 1)); bcopy(&pad, &model->ArgusThisFlow->ip_flow.smask, 2); } } break; } default: break; } if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) if ((tip->ip_src.s_addr > tip->ip_dst.s_addr) || ((tip->ip_src.s_addr == tip->ip_dst.s_addr) && sport > dport)) model->state |= ARGUS_DIRECTION; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.sport = dport; model->ArgusThisFlow->ip_flow.dport = sport; } else { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.sport = sport; model->ArgusThisFlow->ip_flow.dport = dport; } model->ArgusThisFlow->ip_flow.ip_p = proto; model->ArgusThisFlow->ip_flow.tp_p = tp_p; } else { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) { model->state |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; } } model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_src = tip->ip_dst.s_addr; } else { model->ArgusThisFlow->frag_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_dst.s_addr; } model->ArgusThisFlow->frag_flow.ip_p = proto; model->ArgusThisFlow->frag_flow.ip_id = tip->ip_id; } } else { if (model->ArgusFlowKey & ARGUS_FLOW_KEY_LAYER_3_MATRIX) { model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_LAYER_3_MATRIX; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 3; switch (model->ArgusFlowType) { case ARGUS_UNIDIRECTIONAL: break; case ARGUS_BIDIRECTIONAL: { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) model->state |= ARGUS_DIRECTION; break; } } if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; } else { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_dst.s_addr; } } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateIPv4Flow (0x%x, 0x%x) returning 0x%x\n", model, ip, retn); #endif return (retn); } #if !defined(IPOPT_RA) #define IPOPT_RA 148 #endif unsigned short ArgusParseIPOptions (unsigned char *ptr, int len) { unsigned short retn = 0; int offset = 0; for (; len > 0; ptr += offset, len -= offset) { switch (*ptr) { case IPOPT_EOL: break; case IPOPT_NOP: break; case IPOPT_RA: retn |= ARGUS_RTRALERT; break; case IPOPT_TS: retn |= ARGUS_TIMESTAMP; break; case IPOPT_RR: retn |= ARGUS_RECORDROUTE; break; case IPOPT_SECURITY: retn |= ARGUS_SECURITY; break; case IPOPT_LSRR: retn |= ARGUS_LSRCROUTE; break; case IPOPT_SSRR: retn |= ARGUS_SSRCROUTE; break; case IPOPT_SATID: retn |= ARGUS_SATID; break; default: break; } if ((*ptr == IPOPT_EOL) || (*ptr == IPOPT_NOP)) offset = 1; else { offset = ptr[1]; if (!(offset && (offset <= len))) break; } } return (retn); } void setArgusIpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusIPTimeout = value; } } void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusTCPTimeout = value; } } void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusICMPTimeout = value; } } void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusIGMPTimeout = value; } } void setArgusFragTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusFRAGTimeout = value; } } void setArgusArpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusARPTimeout = value; } } void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusOtherTimeout = value; } } int getArgusmflag (struct ArgusModelerStruct *model) { return(model->Argusmflag); } void setArgusFlowType (struct ArgusModelerStruct *model, int value) { model->ArgusFlowType = value; } void setArgusFlowKey (struct ArgusModelerStruct *model, int value) { model->ArgusFlowKey |= value; } void setArgusSynchronize (struct ArgusModelerStruct *model, int value) { model->ArgusSelfSynchronize = value; } void setArgusmflag (struct ArgusModelerStruct *model, int value) { model->Argusmflag = value; } int getArgusGenerateTime(struct ArgusModelerStruct *model) { return (model->ArgusGenerateTime); } void setArgusGenerateTime(struct ArgusModelerStruct *model, int value) { model->ArgusGenerateTime = value; } int getArgusGeneratePacketSize(struct ArgusModelerStruct *model) { return (model->ArgusGeneratePacketSize); } void setArgusGeneratePacketSize(struct ArgusModelerStruct *model, int value) { model->ArgusGeneratePacketSize = value; } int getArgusKeystroke(struct ArgusModelerStruct *model) { return (model->ArgusKeyStroke.status); } void setArgusKeystroke(struct ArgusModelerStruct *model, int value) { model->ArgusKeyStroke.status = value; } #if !defined(HAVE_STRTOF) && !defined(CYGWIN) float strtof (char *, char **); #endif void setArgusKeystrokeVariable(struct ArgusModelerStruct *model, char *kstok) { float fval = 0; long ival = 0; char *tptr; if (!(strncasecmp(kstok, "DC_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.dc_min = ival; } else if (!(strncasecmp(kstok, "DC_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.dc_max = ival; } else if (!(strncasecmp(kstok, "GS_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.gs_max = ival; } else if (!(strncasecmp(kstok, "DS_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ds_min = ival; } else if (!(strncasecmp(kstok, "DS_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ds_max = ival; } else if (!(strncasecmp(kstok, "IC_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ic_min = ival; } else if (!(strncasecmp(kstok, "LCS_MAX=", 7))) { ival = strtol(&kstok[8], (char **)&tptr, 10); model->ArgusKeyStroke.lcs_max = ival; } else if (!(strncasecmp(kstok, "GPC_MAX=", 7))) { ival = strtol(&kstok[8], (char **)&tptr, 10); model->ArgusKeyStroke.gpc_max = ival; } else if (!(strncasecmp(kstok, "ICR_MIN=", 7))) { fval = strtof(&kstok[8], (char **)&tptr); model->ArgusKeyStroke.icr_min = fval; } else if (!(strncasecmp(kstok, "ICR_MAX=", 7))) { fval = strtof(&kstok[8], (char **)&tptr); model->ArgusKeyStroke.icr_max = fval; } } int getArgusTunnelDiscovery (struct ArgusModelerStruct *model) { return(model->ArgusTunnelDiscovery); } void setArgusTunnelDiscovery (struct ArgusModelerStruct *model, int value) { model->ArgusTunnelDiscovery = value; } int getArgusTrackDuplicates (struct ArgusModelerStruct *model) { return(model->ArgusTrackDuplicates); } void setArgusTrackDuplicates (struct ArgusModelerStruct *model, int value) { model->ArgusTrackDuplicates = value; } int getArgusUserDataLen (struct ArgusModelerStruct *model) { return (model->ArgusUserDataLen); } void setArgusUserDataLen (struct ArgusModelerStruct *model, int value) { model->ArgusUserDataLen = value; } int getArgusMajorVersion(struct ArgusModelerStruct *model) { return (model->ArgusMajorVersion); } void setArgusMajorVersion(struct ArgusModelerStruct *model, int value) { model->ArgusMajorVersion = value; } int getArgusMinorVersion(struct ArgusModelerStruct *model) { return (model->ArgusMinorVersion); } void setArgusMinorVersion(struct ArgusModelerStruct *model, int value) { model->ArgusMinorVersion = value; } struct timeval * getArgusFarReportInterval(struct ArgusModelerStruct *model) { return (&model->ArgusFarReportInterval); } unsigned int getArgusLocalNet(struct ArgusModelerStruct *model) { return (model->ArgusLocalNet); } unsigned int getArgusNetMask(struct ArgusModelerStruct *model) { return (model->ArgusNetMask); } void setArgusLocalNet(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusLocalNet = value; } int getArgusResponseStatus(struct ArgusModelerStruct *model) { return (model->ArgusResponseStatus); } void setArgusResponseStatus(struct ArgusModelerStruct *model, int value) { model->ArgusResponseStatus = value; } int getArgusIpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusIPTimeout); } int getArgusTcpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusTCPTimeout); } int getArgusIcmpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusICMPTimeout); } int getArgusIgmpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusIGMPTimeout); } int getArgusFragTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } int getArgusArpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } int getArgusOtherTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } struct timeval * getArgusQueueInterval(struct ArgusModelerStruct *model) { return (&model->ArgusQueueInterval); } struct timeval * getArgusListenInterval(struct ArgusModelerStruct *model) { return (&model->ArgusListenInterval); } #include #include #include void setArgusFarReportInterval (struct ArgusModelerStruct *model, char *value) { float fvalue; char *ptr; int i = *value; if (((ptr = strchr(value, '.')) != NULL) || isdigit(i)) { int ivalue = 0; if (ptr != NULL) { fvalue = atof(value); model->ArgusFarReportInterval.tv_sec = floorf(fvalue); model->ArgusFarReportInterval.tv_usec = fabs(remainderf(fvalue, 1.0) * 1000000); } else { if (isdigit(i)) { ivalue = atoi(value); model->ArgusFarReportInterval.tv_sec = ivalue; } } } } int getArgusAflag (struct ArgusModelerStruct *model) { return (model->ArgusAflag); } void setArgusAflag(struct ArgusModelerStruct *model, int value) { model->ArgusAflag = value; } int getArgusTCPflag(struct ArgusModelerStruct *model) { return (model->ArgusTCPflag); } void setArgusTCPflag(struct ArgusModelerStruct *model, int value) { model->ArgusTCPflag = value; } int getArgusdflag(struct ArgusModelerStruct *model) { return (Argusdflag); } void setArgusdflag(struct ArgusModelerStruct *model, int value) { if (Argusdflag && !(value)) { } if (value) { } Argusdflag = value; } void setArgusLink(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusLink = value; } void setArgusNetMask(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusNetMask = value; } void setArgusTimeReport(struct ArgusModelerStruct *model, int value) { model->ArgusReportAllTime = value; } argus-3.0.8.2/argus/ArgusModeler.h000444 000765 000024 00000066673 12723611420 017327 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler includes * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusModeler.h#60 $ * $DateTime: 2015/06/29 16:17:25 $ * $Change: 3027 $ */ #ifndef ArgusModeler_h #define ArgusModeler_h #define ARGUS_MARSTATUSTIMER "60" #define ARGUS_FARSTATUSTIMER "5" #define ARGUS_INITIMEOUT 5 #define ARGUS_IPTIMEOUT 30 #define ARGUS_ARPTIMEOUT 5 #define ARGUS_TCPTIMEOUT 60 #define ARGUS_ICMPTIMEOUT 5 #define ARGUS_IGMPTIMEOUT 30 #define ARGUS_OTHERTIMEOUT 30 #define ARGUS_FRAGTIMEOUT 5 #define ARGUS_MINSNAPLEN 96 #define ARGUS_MINIPHDRLEN 20 #define ARGUS_HASHTABLESIZE 0x10000 #define ARGUS_REQUEST 0x01 #define ARGUS_REPLY 0x02 #define ARGUS_RTP_PCMU 0 #define ARGUS_RTP_1016 1 #define ARGUS_RTP_G726 2 #define ARGUS_RTP_GSM 3 #define ARGUS_RTP_G723 4 #define ARGUS_RTP_DVI4_8K 5 #define ARGUS_RTP_DVI4_16K 6 #define ARGUS_RTP_PCMA 8 #define ARGUS_RTP_G722 9 #define ARGUS_RTP_L16_STEREO 10 #define ARGUS_RTP_L16_MONO 11 #define ARGUS_RTP_QCELP 12 #define ARGUS_RTP_MPA 14 #define ARGUS_RTP_G728 15 #define ARGUS_RTP_DVI4_11K 16 #define ARGUS_RTP_DVI4_22K 17 #define ARGUS_RTP_G729 18 #define ARGUS_RTP_CELB 25 #define ARGUS_RTP_JPEG 26 #define ARGUS_RTP_NV 28 #define ARGUS_RTP_H261 31 #define ARGUS_RTP_MPV 32 #define ARGUS_RTP_MP2T 33 #define ARGUS_RTP_H263 34 #define ARGUS_SSH_MONITOR 0x20000 #define ARGUS_ETHER_HDR 1 #define ARGUS_802_11_HDR 2 #define ARGUS_DEBUG 0xFF #define ARGUS_RECORD_WRITTEN 0x00000001 #define ARGUSTIMEOUTQS 65534 #define ARGUS_CLNS 129 #define ARGUS_ESIS 130 #define ARGUS_ISIS 131 #define ARGUS_NULLNS 132 /* True if "l" bytes of "var" were captured */ #define BYTESCAPTURED(m, var, l) ((u_char *)&(var) <= m->ArgusThisSnapEnd - (l)) /* True if "var" was captured */ #define STRUCTCAPTURED(m, var) BYTESCAPTURED(m, var, sizeof(var)) /* Bail if "l" bytes of "var" were not captured */ #define BYTESCHECK(m, var, l) if (!BYTESCAPTURED(m, var, l)) goto trunc /* Bail if "var" was not captured */ #define STRUCTCHECK(m, var) BYTESCHECK(m, var, sizeof(var)) #define LENCHECK(m, l) { if ((l) > len) goto bad; BYTESCHECK(m, *cp, l); } #if defined(ARGUS_THREADS) #include #endif #include #include #include #include #include #include #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NET_IF_H_)) #include #define _NET_IF_H_ #endif #endif #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NETINET_IF_SYSTEM_H_)) #include #define _NETINET_IF_SYSTEM_H_ #endif #if !defined(__OpenBSD__) #include #endif #ifndef _NETINET_IP_H_ #include #define _NETINET_IP_H_ #endif #ifndef _NETINET_IPV6_H_ #include #include #define _NETINET_IPV6_H_ #endif #ifndef _NETINET_UDP_H_ #include #define _NETINET_UDP_H_ #endif #include #include #include #include #include #include struct AHHeader { unsigned char nxt, len; unsigned short pad; unsigned int spi, replay, data; }; struct ArgusHashStruct { unsigned int len, hash; #if defined(__APPLE_CC__) || defined(__APPLE__) unsigned int pad[2]; unsigned int key[24]; #else unsigned int key[24]; #endif }; struct ArgusHashTableHeader { struct ArgusHashTableHeader *nxt, *prv; struct ArgusHashTable *htbl; struct ArgusHashStruct hstruct; void *object; }; #define ARGUSHASHTABLETRACK 0x01 struct ArgusHashTable { unsigned int size; int status; int bins, items; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif struct ArgusHashTableHeader **array; }; #define ARGUS_MAX_MPLS_LABELS 4 struct ArgusKeyStrokeConf { int status, state, n_min; int dc_min, dc_max, gs_max; int ds_min, ds_max, gpc_max; int ic_min, lcs_max; float icr_min, icr_max; }; struct ArgusModelerStruct { int state, status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif struct ArgusSourceStruct *ArgusSrc; struct ArgusQueueStruct *ArgusStatusQueue; struct ArgusQueueStruct *ArgusTimeOutQueues; struct ArgusQueueStruct *ArgusTimeOutQueue[ARGUSTIMEOUTQS]; struct ArgusListStruct *ArgusOutputList; struct ArgusHashTable *ArgusHashTable; struct ArgusSystemFlow *ArgusThisFlow; struct ArgusHashStruct *hstruct; unsigned int ArgusTransactionNum; unsigned int ArgusThisInterface; unsigned int ArgusThisEncaps; unsigned int ArgusThisNetworkFlowType; struct llc *ArgusThisLLC; unsigned int ArgusThisAppFlowType; int ArgusThisMplsLabelIndex; unsigned int ArgusThisMplsLabel; unsigned int ArgusThisPacket8021QEncaps; unsigned char ArgusFlowType, ArgusFlowKey; unsigned short ArgusOptionIndicator; int ArgusInProtocol, ArgusThisDir, ArgusTrackDuplicates; struct ArgusKeyStrokeConf ArgusKeyStroke; struct ArgusUniStats *ArgusThisStats; struct ether_header *ArgusThisEpHdr; void *ArgusThisMacHdr; void *ArgusThisIpHdr; struct ip6_frag *ArgusThisIpv6Frag; void *ArgusThisNetworkHdr; unsigned char *ArgusThisUpHdr; unsigned char *ArgusThisSnapEnd; int ArgusControlMonitor; int ArgusSnapLength; int ArgusGenerateTime; int ArgusGeneratePacketSize; int ArgusThisLength; int ArgusThisBytes; struct timeval ArgusGlobalTime; struct timeval ArgusStartTime; struct timeval ArgusNowTime; struct timeval ArgusUpdateInterval; struct timeval ArgusUpdateTimer; long long ival; long long ArgusTotalPacket; long long ArgusTotalFrags; long long ArgusTotalIPPkts; long long ArgusLastIPPkts; long long ArgusTotalNonIPPkts; long long ArgusLastNonIPPkts; long long ArgusTotalNewFlows; long long ArgusLastNewFlows; long long ArgusTotalClosedFlows; long long ArgusLastClosedFlows; long long ArgusTotalIPFlows; long long ArgusLastIPFlows; long long ArgusTotalNonIPFlows; long long ArgusLastNonIPFlows; long long ArgusTotalCacheHits; long long ArgusTotalRecords; long long ArgusTotalSends; long long ArgusTotalQueued; long long ArgusTotalBadSends; long long ArgusLastRecords; long long ArgusTotalUpdates; long long ArgusLastUpdates; struct timeval ArgusLastPacketTimer; struct timeval ArgusAdjustedTimer; int ArgusMajorVersion; int ArgusMinorVersion; int ArgusSnapLen; int ArgusTunnelDiscovery; int ArgusUserDataLen; int ArgusAflag, ArgusTCPflag, Argusmflag; int ArgusSelfSynchronize, vflag; int ArgusIPTimeout; int ArgusTCPTimeout; int ArgusICMPTimeout; int ArgusIGMPTimeout; int ArgusFRAGTimeout; int ArgusARPTimeout; int ArgusOtherTimeout; int ArgusReportAllTime; int ArgusResponseStatus; struct timeval ArgusFarReportInterval; struct timeval ArgusQueueInterval; struct timeval ArgusListenInterval; unsigned int ArgusSeqNum; unsigned int ArgusLocalNet; unsigned int ArgusNetMask; unsigned int ArgusLink; }; #include #include #include #include struct ArgusTimeStats { unsigned int n; float minval, maxval, sum; long long sumsqrd; }; struct ArgusTimeStat { struct timeval lasttime; struct ArgusTimeStats act, idle; }; #define ARGUS_NUM_KEYSTROKE_PKTS 8 #define ARGUS_KEYSTROKE_NONE 0 #define ARGUS_KEYSTROKE_TENTATIVE 1 #define ARGUS_KEYSTROKE_KNOWN 2 struct ArgusKeyStrokePacket { int status, n_pno; struct ArgusTime ts; unsigned int seq; long long intpkt; }; struct ArgusKeyStrokeData { struct ArgusKeyStrokePacket pkts[ARGUS_NUM_KEYSTROKE_PKTS]; }; struct ArgusKeyStrokeState { int status, n_pkts, n_strokes, prev_pno; struct ArgusKeyStrokeData data; struct ArgusTime prev_c_ts, prev_s_ts; }; struct ArgusFlowStruct { struct ArgusQueueHeader qhdr; struct ArgusHashTableHeader htblbuf, *htblhdr; struct ArgusDSRHeader *dsrs[ARGUSMAXDSRTYPE]; struct ArgusQueueStruct frag; unsigned int state, status, dsrindex; unsigned int ArgusEncaps; unsigned short trans, timeout; unsigned short userlen; signed char srcint, dstint; unsigned short sipid, dipid; struct ArgusTimeStat stime, dtime; struct ArgusKeyStrokeState skey; struct ArgusCanonRecord canon; }; struct erspan_ii_header { u_int16_t ver_vlan; u_int16_t cos_ent_session; u_int32_t resvert_index; }; #define ERSPAN_VER(x) ( ntohs(((struct erspan_ii_header *) x)->ver_vlan) >> 12 ) #if defined(ArgusModeler) #if defined(LBL_ALIGN) #define ARGUS_MAXALIGNBUF 65536 unsigned char ArgusAlignBuffer[ARGUS_MAXALIGNBUF], *ArgusAlignBuf = ArgusAlignBuffer; #endif struct ArgusModelerStruct *ArgusModel = NULL; struct llc ArgusThisLLCBuffer; unsigned char argusDSRTypes [ARGUSMAXDSRTYPE] = { ARGUS_TRANSPORT_DSR, ARGUS_FLOW_DSR, ARGUS_TIME_DSR, ARGUS_METER_DSR, ARGUS_AGR_DSR, }; struct timeval ArgusQueueTime = {0, 0}; struct timeval ArgusQueueInterval = {0, 50000}; struct timeval ArgusListenTime = {0, 0}; struct timeval ArgusListenInterval = {0, 250000}; struct ArgusModelerStruct *ArgusNewModeler(void); struct ArgusModelerStruct *ArgusCloneModeler(struct ArgusModelerStruct *); void ArgusInitModeler(struct ArgusModelerStruct *); void ArgusCloseModeler(struct ArgusModelerStruct *); int ArgusProcessEtherPacket (struct ArgusModelerStruct *, struct ether_header *, int, struct timeval *); int ArgusProcessIpPacket (struct ArgusModelerStruct *, struct ip *, int, struct timeval *); extern int ArgusProcessEtherHdr (struct ArgusModelerStruct *, struct ether_header *, int); unsigned short ArgusDiscoverNetworkProtocol (unsigned char *); void ArgusParseMPLSLabel (unsigned int, unsigned int *, unsigned char *, unsigned char *, unsigned char *); void ArgusSendFlowRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); struct ArgusFlowStruct *ArgusNewFlow (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *, struct ArgusQueueStruct *); extern struct ArgusFlowStruct *ArgusNewFragFlow (void); void ArgusTallyStats (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusTallyTime (struct ArgusFlowStruct *, unsigned char); unsigned short ArgusParseIPOptions (unsigned char *, int); void setArgusIpTimeout (struct ArgusModelerStruct *model, int value); void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value); void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value); void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value); void setArgusFragTimeout (struct ArgusModelerStruct *model, int value); void setArgusArpTimeout (struct ArgusModelerStruct *model, int value); void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value); void setArgusSynchronize (struct ArgusModelerStruct *, int); int getArgusKeystroke(struct ArgusModelerStruct *); void setArgusKeystroke(struct ArgusModelerStruct *, int); void setArgusKeystrokeVariable(struct ArgusModelerStruct *, char *); int getArgusTunnelDiscovery (struct ArgusModelerStruct *); void setArgusTunnelDiscovery (struct ArgusModelerStruct *, int); int getArgusTrackDuplicates (struct ArgusModelerStruct *); void setArgusTrackDuplicates (struct ArgusModelerStruct *, int); void setArgusFlowKey(struct ArgusModelerStruct *, int); void setArgusFlowType(struct ArgusModelerStruct *, int); int getArgusAflag(struct ArgusModelerStruct *); void setArgusAflag(struct ArgusModelerStruct *, int); int getArgusTCPflag(struct ArgusModelerStruct *); void setArgusTCPflag(struct ArgusModelerStruct *, int); int getArgusmflag(struct ArgusModelerStruct *); void setArgusmflag(struct ArgusModelerStruct *, int); int getArgusUserDataLen(struct ArgusModelerStruct *); void setArgusUserDataLen(struct ArgusModelerStruct *, int); int getArgusControlMonitor(struct ArgusModelerStruct *); void setArgusControlMonitor(struct ArgusModelerStruct *); int getArgusGenerateTime(struct ArgusModelerStruct *); void setArgusGenerateTime(struct ArgusModelerStruct *, int); int getArgusGeneratePacketSize(struct ArgusModelerStruct *); void setArgusGeneratePacketSize(struct ArgusModelerStruct *, int); void setArgusTimeReport(struct ArgusModelerStruct *, int); struct timeval *getArgusQueueInterval(struct ArgusModelerStruct *); struct timeval *getArgusListenInterval(struct ArgusModelerStruct *); extern struct udt_control_handshake *ArgusThisUdtHshake; extern int ArgusParseUDTHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); int getArgusdflag(struct ArgusModelerStruct *); void setArgusdflag(struct ArgusModelerStruct *, int); void setArgusLink(struct ArgusModelerStruct *, unsigned int); void ArgusModelerCleanUp (struct ArgusModelerStruct *); void *ArgusCreateFlow (struct ArgusModelerStruct *, void *, int); struct ArgusSystemFlow *ArgusCreateArpFlow (struct ArgusModelerStruct *, struct ether_header *); void *ArgusCreateIPv4Flow (struct ArgusModelerStruct *, struct ip *); void *ArgusCreateIPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); struct ArgusSystemFlow *ArgusCreateESPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); struct ArgusSystemFlow *ArgusCreateESPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateLcpFlow (struct ArgusModelerStruct *, struct lcp_hdr *); struct ArgusSystemFlow *ArgusCreateICMPv6Flow (struct ArgusModelerStruct *, struct icmp6_hdr *); struct ArgusSystemFlow *ArgusCreateICMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *, struct igmp *); struct ArgusSystemFlow *ArgusCreateIGMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); struct ArgusSystemFlow *ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header); struct ArgusSystemFlow *ArgusCreateUDTFlow (struct ArgusModelerStruct *, struct udt_header *); struct ArgusSystemFlow *ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void *ArgusQueueManager(void *); int ArgusCreateFlowKey (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *); struct ArgusFlowStruct *ArgusFindFlow (struct ArgusModelerStruct *, struct ArgusHashStruct *); void ArgusICMPMappedFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); struct ArgusFlowStruct *ArgusUpdateState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); struct ArgusFlowStruct *ArgusUpdateFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); void ArgusUpdateAppState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusModelTransmit (void); int ArgusUpdateTime (struct ArgusModelerStruct *); void ArgusTimeOut(struct ArgusFlowStruct *); int getArgusMajorVersion(struct ArgusModelerStruct *); void setArgusMajorVersion(struct ArgusModelerStruct *, int); int getArgusMinorVersion(struct ArgusModelerStruct *); void setArgusMinorVersion(struct ArgusModelerStruct *, int); int getArgusManReportInterval(struct ArgusModelerStruct *); void setArgusManReportInterval(struct ArgusModelerStruct *, int); struct timeval *getArgusFarReportInterval(struct ArgusModelerStruct *); void setArgusFarReportInterval(struct ArgusModelerStruct *, char *); int getArgusResponseStatus(struct ArgusModelerStruct *); void setArgusResponseStatus(struct ArgusModelerStruct *, int value); int getArgusIpTimeout(struct ArgusModelerStruct *); void setArgusIpTimeout(struct ArgusModelerStruct *, int); int getArgusTcpTimeout(struct ArgusModelerStruct *); void setArgusTcpTimeout(struct ArgusModelerStruct *, int); int getArgusIcmpTimeout(struct ArgusModelerStruct *); void setArgusIcmpTimeout(struct ArgusModelerStruct *, int); int getArgusIgmpTimeout(struct ArgusModelerStruct *); void setArgusIgmpTimeout(struct ArgusModelerStruct *, int); int getArgusFragTimeout(struct ArgusModelerStruct *); void setArgusFragTimeout(struct ArgusModelerStruct *, int); int getArgusArpTimeout(struct ArgusModelerStruct *); void setArgusArpTimeout(struct ArgusModelerStruct *, int); int getArgusOtherTimeout(struct ArgusModelerStruct *); void setArgusOtherTimeout(struct ArgusModelerStruct *, int); unsigned int getArgusLocalNet(struct ArgusModelerStruct *); void setArgusLocalNet(struct ArgusModelerStruct *, unsigned int); unsigned int getArgusNetMask(struct ArgusModelerStruct *); void setArgusNetMask(struct ArgusModelerStruct *, unsigned int); void ArgusSystemTimeout (struct ArgusModelerStruct *); struct ArgusRecord *ArgusGenerateRecord (struct ArgusModelerStruct *, struct ArgusRecordStruct *, unsigned char, struct ArgusRecord *); struct ArgusRecordStruct *ArgusGenerateListRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); extern void ArgusTCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusIBFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusESPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusLCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusUpdateTCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern void ArgusUpdateUDPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern void ArgusUpdateArpState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern int ArgusUpdateFRAGState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned short); extern void ArgusUpdateESPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); #else /* #if defined(ArgusModeler) */ extern struct ArgusModelerStruct *ArgusModel; extern struct llc ArgusThisLLCBuffer; #if defined(LBL_ALIGN) extern unsigned char *ArgusAlignBuf; #endif #if defined(Argus) void clearArgusConfiguration (struct ArgusModelerStruct *); #endif extern struct ArgusModelerStruct *ArgusNewModeler(void); extern struct ArgusModelerStruct *ArgusCloneModeler(struct ArgusModelerStruct *); extern void ArgusInitModeler(struct ArgusModelerStruct *); extern void ArgusCloseModeler(struct ArgusModelerStruct *); extern int ArgusProcessEtherPacket (struct ArgusModelerStruct *, struct ether_header *, int, struct timeval *); extern int ArgusProcessIpPacket (struct ArgusModelerStruct *, struct ip *, int, struct timeval *); extern int ArgusProcessEtherHdr (struct ArgusModelerStruct *, struct ether_header *, int); extern unsigned short ArgusDiscoverNetworkProtocol (unsigned char *); extern void ArgusParseMPLSLabel (unsigned int, unsigned int *, unsigned char *, unsigned char *, unsigned char *); extern void ArgusSendFlowRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern struct ArgusFlowStruct *ArgusNewFlow (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *, struct ArgusQueueStruct *); extern struct ArgusFlowStruct *ArgusNewFragFlow (void); extern void ArgusTallyStats (struct ArgusModelerStruct *, struct ArgusFlowStruct *); extern void ArgusTallyTime (struct ArgusFlowStruct *, unsigned char); extern unsigned short ArgusParseIPOptions (unsigned char *, int); extern void setArgusIpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusFragTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusArpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusSynchronize (struct ArgusModelerStruct *, int); extern int getArgusKeystroke(struct ArgusModelerStruct *); extern void setArgusKeystroke(struct ArgusModelerStruct *, int); extern void setArgusKeystrokeVariable(struct ArgusModelerStruct *, char *); extern int getArgusTunnelDiscovery(struct ArgusModelerStruct *); extern void setArgusTunnelDiscovery(struct ArgusModelerStruct *, int); extern int getArgusTrackDuplicates (struct ArgusModelerStruct *); extern void setArgusTrackDuplicates (struct ArgusModelerStruct *, int); extern void setArgusFlowKey(struct ArgusModelerStruct *, int); extern void setArgusFlowType(struct ArgusModelerStruct *, int); extern void setArgusCollector(struct ArgusModelerStruct *, int); extern int getArgusAflag(struct ArgusModelerStruct *); extern void setArgusAflag(struct ArgusModelerStruct *, int); extern int getArgusTCPflag(struct ArgusModelerStruct *); extern void setArgusTCPflag(struct ArgusModelerStruct *, int); extern int getArgusmflag(struct ArgusModelerStruct *); extern void setArgusmflag(struct ArgusModelerStruct *, int); extern int getArgusUserDataLen(struct ArgusModelerStruct *); extern void setArgusUserDataLen(struct ArgusModelerStruct *, int); extern int getArgusControlMonitor(struct ArgusModelerStruct *); extern void setArgusControlMonitor(struct ArgusModelerStruct *); extern struct timeval ArgusQueueInterval; extern struct timeval *getArgusQueueInterval(void); extern struct timeval ArgusListenInterval; extern struct timeval *getArgusListenInterval(void); extern struct udt_control_handshake *ArgusThisUdtHshake; extern int ArgusParseUDTHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); extern int getArgusGenerateTime(struct ArgusModelerStruct *); extern void setArgusGenerateTime(struct ArgusModelerStruct *, int); extern int getArgusGeneratePacketSize(struct ArgusModelerStruct *); extern void setArgusGeneratePacketSize(struct ArgusModelerStruct *, int); extern void setArgusTimeReport(struct ArgusModelerStruct *, int); extern int getArgusKeystroke(struct ArgusModelerStruct *); extern void setArgusKeystroke(struct ArgusModelerStruct *, int); extern int getArgusdflag(struct ArgusModelerStruct *); extern struct timeval *getArgusFarReportInterval(struct ArgusModelerStruct *); extern void setArgusdflag(struct ArgusModelerStruct *, int); extern void setArgusFarReportInterval(struct ArgusModelerStruct *, char *); extern void setArgusLink(struct ArgusModelerStruct *, unsigned int); extern void ArgusModelerCleanUp (struct ArgusModelerStruct *); extern struct ArgusSystemFlow *ArgusCreateFlow (struct ArgusModelerStruct *, void *, int); extern struct ArgusSystemFlow *ArgusCreateArpFlow (struct ArgusModelerStruct *, struct ether_header *); extern struct ArgusSystemFlow *ArgusCreatev4IPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreatev6IPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateESPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); extern struct ArgusSystemFlow *ArgusCreateESPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateLcpFlow (struct ArgusModelerStruct *, struct lcp_hdr *); extern struct ArgusSystemFlow *ArgusCreateICMPv6Flow (struct ArgusModelerStruct *, struct icmp6_hdr *); extern struct ArgusSystemFlow *ArgusCreateICMPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); extern struct ArgusSystemFlow *ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header); extern struct ArgusSystemFlow *ArgusCreateUDTFlow (struct ArgusModelerStruct *, struct udt_header *); extern struct ArgusSystemFlow *ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr); extern void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern void *ArgusQueueManager(void *); extern struct ArgusFlowStruct *ArgusFindFlow (struct ArgusModelerStruct *, struct ArgusHashStruct *); extern int ArgusCreateFlowKey (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *); extern void ArgusICMPMappedFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); extern struct ArgusFlowStruct *ArgusUpdateState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); extern struct ArgusFlowStruct *ArgusUpdateFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); extern void ArgusUpdateAppState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern void ArgusModelTransmit (void); extern int ArgusUpdateTime (struct ArgusModelerStruct *); extern void ArgusTimeOut(struct ArgusFlowStruct *); extern int getArgusMajorVersion(struct ArgusModelerStruct *); extern void setArgusMajorVersion(struct ArgusModelerStruct *, int); extern int getArgusMinorVersion(struct ArgusModelerStruct *); extern void setArgusMinorVersion(struct ArgusModelerStruct *, int); extern int getArgusManReportInterval(struct ArgusModelerStruct *); extern void setArgusManReportInterval(struct ArgusModelerStruct *, int); extern int getArgusStatusReportInterval(struct ArgusModelerStruct *); extern void setArgusStatusReportInterval(struct ArgusModelerStruct *, int); extern int getArgusResponseStatus(struct ArgusModelerStruct *); extern void setArgusResponseStatus(struct ArgusModelerStruct *, int value); extern int getArgusIPTimeout(struct ArgusModelerStruct *); extern void setArgusIPTimeout(struct ArgusModelerStruct *, int); extern int getArgusTCPTimeout(struct ArgusModelerStruct *); extern void setArgusTCPTimeout(struct ArgusModelerStruct *, int); extern int getArgusICMPTimeout(struct ArgusModelerStruct *); extern void setArgusICMPTimeout(struct ArgusModelerStruct *, int); extern int getArgusIGMPTimeout(struct ArgusModelerStruct *); extern void setArgusIGMPTimeout(struct ArgusModelerStruct *, int); extern int getArgusFRAGTimeout(struct ArgusModelerStruct *); extern void setArgusFRAGTimeout(struct ArgusModelerStruct *, int); extern unsigned int getArgusLocalNet(struct ArgusModelerStruct *); extern void setArgusLocalNet(struct ArgusModelerStruct *, unsigned int); extern unsigned int getArgusNetMask(struct ArgusModelerStruct *); extern void setArgusNetMask(struct ArgusModelerStruct *, unsigned int); extern void ArgusSystemTimeout (struct ArgusModelerStruct *); extern struct ArgusRecord *ArgusGenerateRecord (struct ArgusModelerStruct *, struct ArgusRecordStruct *, unsigned char, struct ArgusRecord *); extern struct ArgusRecordStruct *ArgusGenerateListRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); #endif /* #if defined(ArgusModeler) else */ #endif /* #ifndef ArgusModeler_h */ argus-3.0.8.2/argus/ArgusNetflow.c000644 000765 000024 00000247433 12723601170 017347 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Fragment processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusNetflow.c#23 $ * $DateTime: 2011/01/26 17:21:20 $ * $Change: 2089 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusNetflow) #define ArgusNetflow #include #include #include #include #include #include #include #include #include #include #include struct ArgusRecord *ArgusParseCiscoRecordV9Data (struct ArgusParserStruct *, struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int *); struct ArgusRecord *ArgusParseCiscoRecordV9Template (struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int); struct ArgusRecord *ArgusParseCiscoRecordV9OptionTemplate (struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int); unsigned char *ArgusNetFlowRecordHeader = NULL; unsigned char ArgusNetFlowArgusRecordBuf[4098]; struct ArgusRecord *ArgusNetFlowArgusRecord = (struct ArgusRecord *) ArgusNetFlowArgusRecordBuf; struct ArgusCiscoTemplateStruct { int length, count; struct timeval lasttime; CiscoFlowTemplateFlowEntryV9_t **tHdr; }; struct ArgusCiscoSourceStruct { struct ArgusQueueHeader qhdr; struct ArgusHashTableHeader htblbuf, *htblhdr; unsigned int srcid, saddr; struct timeval startime, lasttime; struct ArgusCiscoTemplateStruct templates[0x10000]; }; int ArgusCounter; unsigned int ArgusFlowSeq = 0; unsigned int ArgusCiscoSrcId = 0; unsigned int ArgusCiscoSrcAddr = 0; unsigned int ArgusSysUptime = 0; struct timeval ArgusCiscoTvpBuf, *ArgusCiscoTvp = &ArgusCiscoTvpBuf; struct ArgusQueueStruct *ArgusTemplateQueue = NULL; void ArgusParseCiscoRecord (struct ArgusModelerStruct *model, void *ptr) { int ArgusReadSocketState = ARGUS_READINGPREHDR; int ArgusReadSocketSize = 0; unsigned short ArgusReadCiscoVersion; // unsigned short ArgusReadSocketNum; if (ArgusTemplateQueue == NULL) if ((ArgusTemplateQueue = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusParseCiscoRecord () ArgusNewQueue error %s\n", strerror(errno)); while ((char *)ptr < (char *)model->ArgusThisSnapEnd) { switch (ArgusReadSocketState) { case ARGUS_READINGPREHDR: { unsigned short *sptr = (unsigned short *) ptr; ArgusReadCiscoVersion = ntohs(*sptr++); // ArgusReadSocketNum = ntohs(*sptr); ArgusReadSocketState = ARGUS_READINGHDR; break; } case ARGUS_READINGHDR: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record header\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_5: { CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_6: { CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_7: { CiscoFlowHeaderV7_t *ArgusNetFlow = (CiscoFlowHeaderV7_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_8: { CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_9: { CiscoFlowHeaderV9_t *ArgusNetFlow = (CiscoFlowHeaderV9_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = 0; ArgusFlowSeq = ntohl(ArgusNetFlow->package_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoSrcId = ntohl(ArgusNetFlow->source_id); if (model->state & ARGUS_REVERSE) ArgusCiscoSrcAddr = model->ArgusThisFlow->flow_un.ip.ip_src; else ArgusCiscoSrcAddr = model->ArgusThisFlow->flow_un.ip.ip_dst; break; } default: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p) read header\n", ptr); #endif } } ptr += ArgusReadSocketSize; ArgusReadSocketState = ARGUS_READINGBLOCK; break; } case ARGUS_READINGBLOCK: { struct ArgusSystemFlow flowbuf, *sflow = &flowbuf; struct ArgusHashStruct hbuf, *hstruct = &hbuf; struct ArgusFlowStruct *flow = NULL; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record complete\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowEntryV1_t *ArgusNetFlow = (CiscoFlowEntryV1_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->flags; if (ArgusNetFlow->flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->flags & TH_ACK) || (ArgusNetFlow->flags & TH_PUSH) || (ArgusNetFlow->flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_5: { CiscoFlowEntryV5_t *ArgusNetFlow = (CiscoFlowEntryV5_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; int timeval, secs, usecs; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); secs = ArgusCiscoTvp->tv_sec + ((timeval - (int)ArgusSysUptime) / 1000); usecs = ArgusCiscoTvp->tv_usec + ((timeval - (int)ArgusSysUptime) % 1000) * 1000; time->src.start.tv_sec = secs; if (usecs < 0) { time->src.start.tv_sec--; usecs += 1000000; } else if (usecs > 1000000) { time->src.start.tv_sec++; usecs -= 1000000; } time->src.start.tv_usec = usecs; timeval = ntohl(ArgusNetFlow->last); secs = ArgusCiscoTvp->tv_sec + ((timeval - (int)ArgusSysUptime) / 1000); usecs = ArgusCiscoTvp->tv_usec + ((timeval - (int)ArgusSysUptime) % 1000) * 1000; time->src.end.tv_sec = secs; if (usecs < 0) { time->src.end.tv_sec--; usecs += 1000000; } else if (usecs > 1000000) { time->src.end.tv_sec++; usecs -= 1000000; } time->src.end.tv_usec = usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_6: { CiscoFlowEntryV6_t *ArgusNetFlow = (CiscoFlowEntryV6_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_7: { CiscoFlowEntryV7_t *ArgusNetFlow = (CiscoFlowEntryV7_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_8: { // ptr += sizeof(CiscoFlowEntryV8_t); break; } case CISCO_VERSION_9: { CiscoFlowEntryV9_t *ArgusNetFlow = (CiscoFlowEntryV9_t *) ptr; int done = 0, flowset_id, flowset_len; flowset_id = ntohs(ArgusNetFlow->flowset_id); if ((flowset_len = ntohs(ArgusNetFlow->length)) > 0) { switch (flowset_id) { case k_CiscoV9TemplateFlowsetId: { if (ArgusParseCiscoRecordV9Template(model, ArgusTemplateQueue, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } case k_CiscoV9OptionsFlowsetId: { if (ArgusParseCiscoRecordV9OptionTemplate(model, ArgusTemplateQueue, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } default: { if (flowset_id >= k_CiscoV9MinRecordFlowsetId) { ArgusParseCiscoRecordV9Data(ArgusParser, model, ArgusTemplateQueue, (u_char *) ptr, &ArgusCounter); } break; } } ptr += flowset_len; break; } else done++; } } break; } } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusParseCiscoRecord(%p, %p)", model, ptr); #endif } void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *model, void *ptr) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV5 (%p, %p)\n", model, ptr); #endif } void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *model, void *ptr) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV6 (%p, %p)\n", model, ptr); #endif } extern long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); typedef struct value { union { uint8_t val8[16]; uint16_t val16[8]; uint32_t val32[4]; uint64_t val64[2]; uint64_t val128[2]; }; } value_t; struct ArgusRecord * ArgusParseCiscoRecordV9Data (struct ArgusParserStruct *parser, struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int *cnt) { struct ArgusRecord *retn = NULL; struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusCiscoSourceStruct *src; int ArgusParsingIPv6 = 0; u_char *tptr = ptr; if (tqueue != NULL) { int i, count = tqueue->count; for (i = 0; (i < count) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates == NULL) return(retn); // using the matching template, parse out a single record. we need to update ptr and // len so that they represent marching through the buffer, parsing out the records. // { CiscoFlowEntryV9_t *cflow = (CiscoFlowEntryV9_t *) tptr; CiscoFlowTemplateHeaderV9_t *tHdr = NULL; CiscoFlowTemplateFlowEntryV9_t *tData; int flowset_id = ntohs(cflow->flowset_id); int length = ntohs(cflow->length); if (length) { #define ARGUS_TEMPLATE_TIMEOUT 1800 if ((tHdr = (CiscoFlowTemplateHeaderV9_t *) templates[flowset_id].tHdr) != NULL) { if ((templates[flowset_id].lasttime.tv_sec + ARGUS_TEMPLATE_TIMEOUT) > model->ArgusGlobalTime.tv_sec) { int i, count = tHdr->count, nflowPad = 3; struct ArgusFlowStruct flowbuf, *flow = &flowbuf; u_char *sptr = (u_char *)(cflow + 1); u_char *eptr = sptr + (length - sizeof(*cflow)); // process an entire flow set while (sptr < (eptr - nflowPad)) { struct ArgusDSRHeader *dsr = (struct ArgusDSRHeader *) &ArgusNetFlowArgusRecordBuf[4]; bzero(flow, sizeof(*flow)); tData = (CiscoFlowTemplateFlowEntryV9_t *)(tHdr + 1); retn = NULL; for (i = 0; i < count; i++) { value_t value; bzero(&value, sizeof(value)); switch (tData->length) { case 1: value.val8[0] = *sptr; break; case 2: value.val16[0] = EXTRACT_16BITS(sptr); break; case 4: value.val32[0] = EXTRACT_32BITS(sptr); break; case 8: value.val64[0] = EXTRACT_64BITS(sptr); break; case 16: bcopy(sptr, &value.val128, 16); break; } sptr += tData->length; switch (tData->type) { case k_CiscoV9InBytes: { flow->canon.metric.src.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9InPackets: { flow->canon.metric.src.pkts = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9Flows: { break; } case k_CiscoV9InProtocol: { flow->canon.flow.flow_un.ipv6.ip_p = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9SrcTos: { flow->canon.attr.src.tos = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9TcpFlags: { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; unsigned char flags = value.val8[0]; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = flags; if (flags & TH_RST) tcp->status |= ARGUS_RESET; if (flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((flags & TH_ACK) || (flags & TH_PUSH) || (flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; break; } case k_CiscoV9L4SrcPort: { flow->canon.flow.flow_un.ipv6.sport = value.val16[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV4SrcAddr: { flow->canon.flow.flow_un.ipv6.ip_src[0] = value.val32[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9SrcMask: { uint32_t mask = 0xffffffff << (32 - value.val8[0]); flow->canon.flow.flow_un.ipv6.ip_src[3] = mask; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9InputSnmp: { break; } case k_CiscoV9L4DstPort: { flow->canon.flow.flow_un.ipv6.dport = value.val16[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV4DstAddr: { flow->canon.flow.flow_un.ipv6.ip_dst[0] = value.val32[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9DstMask: { uint32_t mask = 0xffffffff << (32 - value.val8[0]); flow->canon.flow.flow_un.ipv6.ip_dst[3] = mask; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9OutputSnmp: { break; } case k_CiscoV9IpV4NextHop: { break; } case k_CiscoV9SrcAS: { flow->canon.asn.src_as = (tData->length == 2) ? value.val16[0] : value.val32[0]; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = &flow->canon.asn.hdr; break; } case k_CiscoV9DstAS: { flow->canon.asn.dst_as = (tData->length == 2) ? value.val16[0] : value.val32[0]; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = &flow->canon.asn.hdr; break; } case k_CiscoV9BgpIpV4NextHop: { break; } case k_CiscoV9MulDstPkts: { break; } case k_CiscoV9MulDstBytes: { break; } case k_CiscoV9LastSwitched: { long timeval = (tData->length == 2) ? value.val16[0] : value.val32[0]; int secs, usecs; secs = ((timeval - ArgusSysUptime) / 1000); usecs = ((timeval - ArgusSysUptime) % 1000) * 1000; flow->canon.time.src.end.tv_sec = ArgusCiscoTvp->tv_sec + secs; if (usecs < 0) { flow->canon.time.src.end.tv_sec--; usecs += 1000000; } flow->canon.time.src.end.tv_usec = ArgusCiscoTvp->tv_usec + usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = &flow->canon.time.hdr; break; } case k_CiscoV9FirstSwitched: { long timeval = (tData->length == 2) ? value.val16[0] : value.val32[0]; int secs, usecs; secs = ((timeval - ArgusSysUptime) / 1000); usecs = ((timeval - ArgusSysUptime) % 1000) * 1000; flow->canon.time.src.start.tv_sec = ArgusCiscoTvp->tv_sec + secs; if (usecs < 0) { flow->canon.time.src.start.tv_sec--; usecs += 1000000; } flow->canon.time.src.start.tv_usec = ArgusCiscoTvp->tv_usec + usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = &flow->canon.time.hdr; break; } case k_CiscoV9OutBytes: { /* flow->canon.metric.dst.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; */ break; } case k_CiscoV9OutPkts: { /* flow->canon.metric.dst.pkts = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; */ break; } case k_CiscoV9MinPktLen: { flow->canon.psize.src.psizemin = value.val16[0]; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; break; } case k_CiscoV9MaxPktLen: { flow->canon.psize.src.psizemax = value.val16[0]; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; break; } case k_CiscoV9IpV6SrcAddr: { bcopy (&value, &flow->canon.flow.flow_un.ipv6.ip_src, 16); flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; ArgusParsingIPv6 = 1; break; } case k_CiscoV9IpV6DstAddr: { bcopy (&value, &flow->canon.flow.flow_un.ipv6.ip_dst, 16); flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; ArgusParsingIPv6 = 1; break; } case k_CiscoV9IPV6SrcMask: { break; } case k_CiscoV9IpV6DstMask: { break; } case k_CiscoV9IpV6FlowLabel: { break; } case k_CiscoV9IpV6IcmpType: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->type = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV6MulIgmpType: { break; } case k_CiscoV9IpV6SamplingInterval: { break; } case k_CiscoV9IpV6SamplingAlgorithm: { break; } case k_CiscoV9FlowActiveTimeout: { break; } case k_CiscoV9FlowInactiveTimeout: { break; } case k_CiscoV9EngineType: { break; } case k_CiscoV9EngineID: { break; } case k_CiscoV9TotalBytesExp: { break; } case k_CiscoV9TotalPktsExp: { break; } case k_CiscoV9TotalFlowsExp: { break; } case k_CiscoV9MplsTopLabelType: { break; } case k_CiscoV9MplsTopLabelIPAddr: { break; } case k_CiscoV9FlowSamplerID: { break; } case k_CiscoV9FlowSamplerMode: { break; } case k_CiscoV9FlowSamplerRandomInt: { break; } case k_CiscoV9MinTtl: { flow->canon.attr.src.ttl = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9MaxTtl: { flow->canon.attr.src.ttl = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9IPv4IpId: { flow->canon.attr.src.ip_id = value.val16[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9DstTos: { flow->canon.attr.dst.tos = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9SrcMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9DstMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9SrcVlan: { flow->canon.vlan.sid = value.val16[0]; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; flow->dsrs[ARGUS_VLAN_INDEX] = &flow->canon.vlan.hdr; break; } case k_CiscoV9DstVlan: { flow->canon.vlan.did = value.val16[0]; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; flow->dsrs[ARGUS_VLAN_INDEX] = &flow->canon.vlan.hdr; break; } case k_CiscoV9IpProtocolVersion: { break; } case k_CiscoV9Direction: { break; } case k_CiscoV9IpV6NextHop: { break; } case k_CiscoV9BgpIpV6NextHop: { break; } case k_CiscoV9IpV6OptionHeaders: { break; } case k_CiscoV9MplsLabel1: { break; } case k_CiscoV9MplsLabel2: { break; } case k_CiscoV9MplsLabel3: { break; } case k_CiscoV9MplsLabel4: { break; } case k_CiscoV9MplsLabel5: { break; } case k_CiscoV9MplsLabel6: { break; } case k_CiscoV9MplsLabel7: { break; } case k_CiscoV9MplsLabel8: { break; } case k_CiscoV9MplsLabel9: { break; } case k_CiscoV9MplsLabel10: { break; } case k_CiscoV9InDstMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9OutSrcMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9IfName: { break; } case k_CiscoV9IfDesc: { break; } case k_CiscoV9SampleName: { break; } case k_CiscoV9InPermanentBytes: { flow->canon.metric.src.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9InPermanentPkts: { break; } case k_CiscoV9FragmentOffset: { break; } case k_CiscoV9ForwardingStatus: { break; } case k_CiscoV9PostDSCP: { break; } case k_CiscoV9NatInsideGlobalAddr: { break; } case k_CiscoV9NatOutsideGlobalAddr: { break; } case k_CiscoV9postNatL4SrcPort: { break; } case k_CiscoV9postNatL4DstPort: { break; } case k_CiscoV9postNatEvent: { break; } case k_CiscoV9IngressVRFID: { break; } case k_CiscoV9ConnId: { break; } case k_CiscoV9IcmpType: { break; } case k_CiscoV9IcmpCode: { break; } case k_CiscoV9IcmpTypeV6: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->type = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IcmpCodeV6: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->code = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoEventTimeMilliSec: { break; } case k_CiscoEventTimeMicroSec: { break; } case k_CiscoEventTimeNanoSec: { break; } } tData++; } { struct timeval tdiffbuf, *tdiff = &tdiffbuf; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; flow->canon.hdr.cause = ARGUS_STATUS; flow->canon.hdr.len = 1; if (!(flow->dsrindex & (1 << ARGUS_TIME_INDEX))) { struct ArgusTimeObject *ato = &flow->canon.time; ato->src.start.tv_sec = ArgusCiscoTvp->tv_sec; ato->src.start.tv_usec = ((long)(ArgusSysUptime)%1000) * 1000; if (ato->src.start.tv_usec >= 1000000) { ato->src.start.tv_sec++; ato->src.start.tv_usec -= 1000000; } ato->src.end = ato->src.start; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)ato; } if (ArgusDiffTime(&flow->canon.time.src.end, &flow->canon.time.src.start, tdiff) == 0) { struct ArgusMetricStruct *metric = &flow->canon.metric; #define ARGUS_DEFAULT_RATE 1000000.0f if (metric->src.pkts > 1) { double dtime = (metric->src.pkts * 1.0) / ARGUS_DEFAULT_RATE; double itime; double ftime = modf(dtime, &itime); flow->canon.time.src.end.tv_sec = flow->canon.time.src.start.tv_sec + (itime); flow->canon.time.src.end.tv_usec = flow->canon.time.src.start.tv_usec + (ftime * 1000000); if (flow->canon.time.src.end.tv_usec >= 1000000) { flow->canon.time.src.end.tv_usec -= 1000000; flow->canon.time.src.end.tv_sec++; } } } for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrindex & (1 << i)) { switch(i) { case ARGUS_FLOW_INDEX: { flow->canon.flow.hdr.type = ARGUS_FLOW_DSR; flow->canon.flow.hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; if (ArgusParsingIPv6) { flow->canon.flow.hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; flow->canon.flow.hdr.argus_dsrvl8.len = 11; } else { struct ArgusFlow tflow; bzero(&tflow, sizeof(tflow)); tflow.flow_un.ip.ip_src = flow->canon.flow.flow_un.ipv6.ip_src[0]; tflow.flow_un.ip.ip_dst = flow->canon.flow.flow_un.ipv6.ip_dst[0]; tflow.flow_un.ip.ip_p = flow->canon.flow.flow_un.ipv6.ip_p; tflow.flow_un.ip.sport = flow->canon.flow.flow_un.ipv6.sport; tflow.flow_un.ip.dport = flow->canon.flow.flow_un.ipv6.dport; tflow.flow_un.ip.smask = flow->canon.flow.flow_un.ipv6.ip_src[3]; tflow.flow_un.ip.dmask = flow->canon.flow.flow_un.ipv6.ip_dst[3]; flow->canon.flow.hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; flow->canon.flow.hdr.argus_dsrvl8.len = 5; bcopy(&tflow.flow_un.ip, &flow->canon.flow.flow_un.ip, sizeof(tflow.flow_un.ip)); } bcopy(&flow->canon.flow, dsr, flow->canon.flow.hdr.argus_dsrvl8.len * 4); dsr += flow->canon.flow.hdr.argus_dsrvl8.len; flow->canon.hdr.len += flow->canon.flow.hdr.argus_dsrvl8.len; break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *time = &flow->canon.time; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; bcopy(time, dsr, time->hdr.argus_dsrvl8.len * 4); dsr += time->hdr.argus_dsrvl8.len; flow->canon.hdr.len += time->hdr.argus_dsrvl8.len; break; } case ARGUS_ASN_INDEX: { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; bcopy(asn, dsr, asn->hdr.argus_dsrvl8.len * 4); dsr += asn->hdr.argus_dsrvl8.len; flow->canon.hdr.len += asn->hdr.argus_dsrvl8.len; break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = &flow->canon.metric; int pkts, bytes; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; pkts = metric->src.pkts; bytes = metric->src.bytes; bcopy(&metric->hdr, dsr, 4); bcopy(&pkts, dsr+1, 4); bcopy(&bytes, dsr+2, 4); dsr += metric->hdr.argus_dsrvl8.len; flow->canon.hdr.len += metric->hdr.argus_dsrvl8.len; break; } case ARGUS_NETWORK_INDEX: { struct ArgusNetworkStruct *net = &flow->canon.net; bcopy(net, dsr, net->hdr.argus_dsrvl8.len * 4); dsr += net->hdr.argus_dsrvl8.len; flow->canon.hdr.len += net->hdr.argus_dsrvl8.len; break; } case ARGUS_MAC_INDEX: { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; bcopy(mac, dsr, mac->hdr.argus_dsrvl8.len * 4); dsr += mac->hdr.argus_dsrvl8.len; flow->canon.hdr.len += mac->hdr.argus_dsrvl8.len; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; bcopy(attr, dsr, attr->hdr.argus_dsrvl8.len * 4); dsr += attr->hdr.argus_dsrvl8.len; flow->canon.hdr.len += attr->hdr.argus_dsrvl8.len; } } } } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusParseCiscoRecordV9Data (%p, %p, %p, %p, %d) new flow %p\n", parser, model, tqueue, ptr, *cnt, retn); #endif } ArgusParsingIPv6 = 0; *cnt = *cnt - 1; } src->lasttime = model->ArgusGlobalTime; } else { if (templates[flowset_id].tHdr != NULL) { ArgusFree(templates[flowset_id].tHdr); bzero(&templates[flowset_id], sizeof(struct ArgusCiscoTemplateStruct)); templates[flowset_id].tHdr = NULL; } } } } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9Data (%p, %p, %p, %p, %d) returning %p\n", parser, model, tqueue, ptr, *cnt, retn); #endif return(retn); } struct ArgusRecord * ArgusParseCiscoRecordV9Template (struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int len) { struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusRecord *retn = NULL; struct ArgusCiscoSourceStruct *src; int i, done = 0; if (tqueue != NULL) { int cnt = tqueue->count; for (i = 0; (i < cnt) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates == NULL) { if ((src = (struct ArgusCiscoSourceStruct *)ArgusCalloc (1, sizeof(*src))) == NULL) ArgusLog(LOG_ERR, "ArgusParseCiscoRecordV9Template: ArgusCalloc(%d, %d) error %s\n", 1, sizeof(*src), strerror(errno)); src->srcid = ArgusCiscoSrcId; src->saddr = ArgusCiscoSrcAddr; src->startime = model->ArgusGlobalTime; src->lasttime = model->ArgusGlobalTime; templates = src->templates; ArgusAddToQueue (tqueue, &src->qhdr, ARGUS_LOCK); } if (templates) { while (!done) { CiscoFlowTemplateHeaderV9_t *tHdr = (CiscoFlowTemplateHeaderV9_t *) ptr; CiscoFlowTemplateFlowEntryV9_t *tData = (CiscoFlowTemplateFlowEntryV9_t *)(tHdr + 1); CiscoFlowTemplateFlowEntryV9_t **dArray = NULL; int slen = 0; tHdr->template_id = ntohs(tHdr->template_id); tHdr->count = ntohs(tHdr->count); slen = (sizeof(*tData) * tHdr->count) + sizeof(*tHdr); if (templates[tHdr->template_id].tHdr != NULL) { #ifdef ARGUSDEBUG unsigned long addr = htonl(ArgusCiscoSrcAddr); char *srcAddr = (inet_ntoa(*(struct in_addr *)&addr)); ArgusDebug (3, "ArgusParseCiscoRecordV9Template: pkt %d changing template src %s srcid %d tid %d \n", model->ArgusTotalPacket, srcAddr, ArgusCiscoSrcId, tHdr->template_id); #endif ArgusFree(templates[tHdr->template_id].tHdr); templates[tHdr->template_id].tHdr = NULL; templates[tHdr->template_id].length = slen + 4; templates[tHdr->template_id].count = tHdr->count; } else { #ifdef ARGUSDEBUG unsigned long addr = htonl(ArgusCiscoSrcAddr); char *srcAddr = (inet_ntoa(*(struct in_addr *)&addr)); ArgusDebug (3, "ArgusParseCiscoRecordV9Template: pkt %d new template src %s srcid %d tid %d \n", model->ArgusTotalPacket, srcAddr, ArgusCiscoSrcId, tHdr->template_id); #endif } if ((dArray = ArgusCalloc(1, slen + 4)) == NULL) ArgusLog(LOG_ERR, "ArgusCalloc(%d, %d) error %s\n", tHdr->count, sizeof(*tData), strerror(errno)); for (i = 0; i < tHdr->count; i++) { tData->type = ntohs(tData->type); tData->length = ntohs(tData->length); tData++; } bcopy(tHdr, dArray, slen); templates[tHdr->template_id].tHdr = dArray; templates[tHdr->template_id].lasttime = model->ArgusGlobalTime; if ((len - slen) > 0) { ptr += slen; len -= slen; } else done = 1; } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9Template (%p, %p, %d, %p) returning %p\n", model, templates, ptr, len); #endif return(retn); } struct ArgusRecord * ArgusParseCiscoRecordV9OptionTemplate (struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int len) { struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusRecord *retn = NULL; struct ArgusCiscoSourceStruct *src; int i; if (tqueue != NULL) { int cnt = tqueue->count; for (i = 0; (i < cnt) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates) { } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9OptionTemplate (%p, %p) returning %p\n", model, ptr, retn); #endif return(retn); } #endif argus-3.0.8.2/argus/ArgusNetflow.h000444 000765 000024 00000004317 12513222401 017333 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusNetflow.h#1 $ * $DateTime: 2011/01/26 17:21:20 $ * $Change: 2089 $ */ #define CISCO_VERSION_1 1 #define CISCO_VERSION_5 5 #define CISCO_VERSION_6 6 #define CISCO_VERSION_7 7 #define CISCO_VERSION_8 8 #define CISCO_VERSION_9 9 #ifndef ArgusNetflow_h #define ArgusNetflow_h #include void ArgusParseCiscoRecord (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV1 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV7 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV8 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV9 (struct ArgusModelerStruct *, void *); #else extern void ArgusParseCiscoRecord (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV1 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV7 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV8 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV9 (struct ArgusModelerStruct *, void *); #endif argus-3.0.8.2/argus/ArgusOutput.c000644 000765 000024 00000203252 12723602123 017217 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusOutput.c#81 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusOutput) #define ArgusOutput #endif #include #include #include #include #include #if defined(HAVE_ZLIB_H) #include #endif #include #include #include #if defined(ARGUS_THREADS) #include #endif void *ArgusOutputProcess(void *); #if defined(ARGUS_TILERA) extern int ArgusFirstTile; #endif struct timeval *getArgusMarReportInterval(struct ArgusOutputStruct *); void setArgusMarReportInterval(struct ArgusOutputStruct *, char *); struct ArgusRecord *ArgusGenerateInitialMar (struct ArgusOutputStruct *); struct ArgusRecordStruct *ArgusGenerateSupplementalMarRecord (struct ArgusOutputStruct *, unsigned char); struct ArgusRecordStruct *ArgusGenerateStatusMarRecord (struct ArgusOutputStruct *, unsigned char); int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); struct ArgusOutputStruct * ArgusNewOutput (struct ArgusSourceStruct *src, struct ArgusModelerStruct *model) { struct ArgusOutputStruct *retn = NULL; if ((retn = (struct ArgusOutputStruct *) ArgusCalloc (1, sizeof (struct ArgusOutputStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput() ArgusCalloc error %s\n", strerror(errno)); gettimeofday (&retn->ArgusGlobalTime, 0L); #if defined(ARGUS_NANOSECONDS) retn->ArgusGlobalTime.tv_usec *= 1000; #endif retn->ArgusStartTime = retn->ArgusGlobalTime; retn->ArgusReportTime.tv_sec = retn->ArgusGlobalTime.tv_sec + retn->ArgusMarReportInterval.tv_sec; retn->ArgusReportTime.tv_usec += retn->ArgusMarReportInterval.tv_usec; retn->ArgusLastMarUpdateTime = retn->ArgusGlobalTime; if ((retn->ArgusClients = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: clients queue %s", strerror(errno)); if ((retn->ArgusOutputList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: ArgusNewList %s", strerror(errno)); if ((retn->ArgusInputList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: ArgusNewList %s", strerror(errno)); retn->ArgusSrc = src; retn->ArgusModel = model; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewOutput() returning retn %p\n", retn); #endif return (retn); } #ifdef ARGUS_SASL int iptostring(const struct sockaddr *, socklen_t, char *, unsigned); static int ArgusSaslLog (void *context __attribute__((unused)), int priority, const char *message) { const char *label; if (! message) return SASL_BADPARAM; switch (priority) { case SASL_LOG_ERR: label = "Error"; break; case SASL_LOG_NOTE: label = "Info"; break; default: label = "Other"; break; } #ifdef ARGUSDEBUG ArgusDebug(1, "ArgusSaslLog %s: %s", label, message); #endif return SASL_OK; } //#ifdef _LP64 //#define PLUGINDIR "/usr/lib64/sasl2" //#else #define PLUGINDIR "/usr/lib/sasl2" //#endif char *searchpath = NULL; static int ArgusSaslGetPath(void *context __attribute__((unused)), char ** path) { if (! path) return SASL_BADPARAM; if (searchpath) *path = searchpath; else *path = PLUGINDIR; #ifdef ARGUSDEBUG ArgusDebug(2, "SASL path %s", *path); #endif return SASL_OK; } //typedef struct sasl_callback { // /* Identifies the type of the callback function. // * Mechanisms must ignore callbacks with id's they don't recognize. // */ // unsigned long id; // int (*proc)(void); /* Callback function. Types of arguments vary by 'id' */ // void *context; //} sasl_callback_t; typedef int (*funcptr)(); static const struct sasl_callback argus_cb[] = { { SASL_CB_LOG, (funcptr)&ArgusSaslLog, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; #endif void ArgusInitOutput (struct ArgusOutputStruct *output) { struct ArgusWfileStruct *wfile; extern char *chroot_dir; extern uid_t new_uid; extern gid_t new_gid; int i, len = 0, retn = 0; #if defined(ARGUS_THREADS) extern pthread_attr_t *ArgusAttr; #endif ArgusParser = ArgusNewParser(ArgusProgramName); if (output->ArgusInitMar != NULL) ArgusFree (output->ArgusInitMar); if ((output->ArgusInitMar = ArgusGenerateInitialMar(output)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusGenerateInitialMar error %s", strerror(errno)); len = ntohs(output->ArgusInitMar->hdr.len) * 4; for (i = 0; i < ARGUS_MAXLISTEN; i++) output->ArgusLfd[i] = -1; if (output->ArgusPortNum != 0) { char errbuf[256]; if (ArgusEstablishListen (output, errbuf) < 0) ArgusLog (LOG_ERR, "%s", errbuf); } if (chroot_dir != NULL) ArgusSetChroot(chroot_dir); if (new_gid > 0) { if (setegid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (seteuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } if (output->ArgusWfileList) { struct ArgusListRecord *sfile= output->ArgusWfileList->start->obj; do { if ((wfile = (struct ArgusWfileStruct *) ArgusPopFrontList(output->ArgusWfileList, ARGUS_LOCK)) != NULL) { struct ArgusClientData *client = (void *) ArgusCalloc (1, sizeof(struct ArgusClientData)); if (client == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusCalloc %s", strerror(errno)); if (strcmp (wfile->filename, "-")) { if ((!(strncmp (wfile->filename, "argus-udp://", 12))) || (!(strncmp (wfile->filename, "udp://", 6)))) { char *baddr = strstr (wfile->filename, "udp://"); baddr = &baddr[6]; #if defined(HAVE_GETADDRINFO) struct addrinfo hints, *hp = NULL, *bhp = NULL; int retn = 0, numerichost = 1; char *port, *ptr; if ((port = strchr(baddr, ':')) != NULL) { *port++ = '\0'; } else { port = "561"; } if (output->ArgusBindAddrs || output->ArgusBindPort) { char *ArgusBindAddr = NULL; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; hints.ai_flags |= AI_PASSIVE; if (ArgusBindAddr && (!strcmp(ArgusBindAddr, "any"))) ArgusBindAddr = NULL; getaddrinfo(ArgusBindAddr, output->ArgusBindPort, NULL, &bhp); } memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; for (ptr = port; *ptr != '\0'; ptr++) { int c = *ptr; if (!isdigit(c)) numerichost = 0; } #if defined(AI_NUMERICHOST) if (numerichost) hints.ai_flags |= AI_NUMERICHOST; #endif if ((retn = getaddrinfo(baddr, port, &hints, &client->host)) != 0) { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "bind address %s unknown", optarg); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "bind address %s has no IP address", optarg); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "bind address %s name server error %s", optarg, strerror(errno)); break; } } hp = client->host; do { if ((client->fd = socket (hp->ai_family, hp->ai_socktype, hp->ai_protocol)) >= 0) { unsigned char ttl = 128; int ttl_size = sizeof(ttl); if (setsockopt(client->fd, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, ttl_size) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set multicast TTL: %s", strerror(errno)); if (bhp != NULL) { #if defined(SO_REUSEPORT) int on = 1; #endif if (bind (client->fd, bhp->ai_addr, sizeof(struct sockaddr_in)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: bind %s", strerror(errno)); #if defined(SO_REUSEPORT) if (setsockopt(client->fd, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseport %s", strerror(errno)); #endif } } else ArgusLog (LOG_ERR, "ArgusInitOutput: socket %s: %s", wfile->filename, strerror(errno)); hp = hp->ai_next; } while (hp != NULL); #endif } else if ((client->fd = open (wfile->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: open %s: %s", wfile->filename, strerror(errno)); } else { client->fd = 1; output->ArgusWriteStdOut++; } if (wfile->filter != NULL) { if (ArgusFilterCompile (&client->ArgusNFFcode, wfile->filter, 1) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusFilter syntax error: %s", wfile->filter); client->ArgusFilterInitialized++; #ifdef ARGUSDEBUG { char buf[MAXSTRLEN]; bzero(buf, MAXSTRLEN); nff_dump(&client->ArgusNFFcode, buf, MAXSTRLEN, 1); ArgusDebug (5, "ArgusInitOutput: ArgusFilterCompile returned: \n%s\n", buf); } #endif } if ((client->sock = ArgusNewSocket(client->fd)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusNewSocket error %s", strerror(errno)); if (client->host != NULL) { if ((retn = sendto(client->fd, (char *) output->ArgusInitMar, len, 0, client->host->ai_addr, client->host->ai_addrlen)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: sendto(): retn %d %s", retn, strerror(errno)); } else { while ((retn = write (client->fd, (char *) output->ArgusInitMar, len)) != len) { if (!output->ArgusWriteStdOut) { close (client->fd); unlink (wfile->filename); } ArgusLog (LOG_ERR, "ArgusInitOutput: write(): retn %d %s", retn, strerror(errno)); } } if (strcmp(wfile->filename, "/dev/null")) client->sock->filename = strdup(wfile->filename); ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_LOCK); client->ArgusClientStart++; ArgusPushBackList (output->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_LOCK); } } while (output->ArgusWfileList->start->obj != sfile); ArgusDeleteList(output->ArgusWfileList, ARGUS_WFILE_LIST); output->ArgusWfileList = NULL; } if (new_gid > 0) if (setegid(ArgusGid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); if (new_uid > 0) if (seteuid(ArgusUid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); #ifdef ARGUS_SASL if ((retn = sasl_server_init(argus_cb, ArgusProgramName)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitOutput() sasl_server_init failed %d\n", retn); #endif /* ARGUS_SASL */ #if defined(ARGUS_THREADS) if ((pthread_create(&output->thread, ArgusAttr, ArgusOutputProcess, (void *) output)) != 0) ArgusLog (LOG_ERR, "ArgusInitOutput() pthread_create error %s\n", strerror(errno)); #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitOutput() done"); #endif } void ArgusCloseOutput(struct ArgusOutputStruct *output) { #if defined(ARGUS_THREADS) void *retn = NULL; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseOutput(%p) scheduling closure after %d records\n", output, output->ArgusInputList->count); #endif if ((output != NULL) && (output->thread != 0)) { output->status |= ARGUS_SHUTDOWN; if (output->thread) pthread_join(output->thread, &retn); } else { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCloseOutput(%p) no output or output->thread available\n", output); #endif } #else if (output != NULL) { output->status |= ARGUS_SHUTDOWN; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCloseOutput(%p) scheduling closure after writing records\n", output); #endif ArgusOutputProcess(output); } #endif /* ARGUS_THREADS */ ArgusDeleteList(output->ArgusInputList, ARGUS_OUTPUT_LIST); ArgusDeleteList(output->ArgusOutputList, ARGUS_OUTPUT_LIST); ArgusDeleteQueue(output->ArgusClients); if (output->ArgusInitMar != NULL) ArgusFree (output->ArgusInitMar); if (ArgusParser != NULL) { ArgusCloseParser(ArgusParser); ArgusFree(ArgusParser); ArgusParser = NULL; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseOutput(%p) done\n", output); #endif } void ArgusCheckClientStatus (struct ArgusOutputStruct *, int); int ArgusCheckClientMessage (struct ArgusOutputStruct *, struct ArgusClientData *); int ArgusCongested = 0; int ArgusOutputStatusTime(struct ArgusOutputStruct *); int ArgusOutputStatusTime(struct ArgusOutputStruct *output) { int retn = 0; if ((output->ArgusReportTime.tv_sec < output->ArgusGlobalTime.tv_sec) || ((output->ArgusReportTime.tv_sec == output->ArgusGlobalTime.tv_sec) && (output->ArgusReportTime.tv_usec < output->ArgusGlobalTime.tv_usec))) { long long dtime = ArgusTimeDiff(&output->ArgusGlobalTime, &output->ArgusReportTime); if (dtime > 1000000) output->ArgusReportTime = output->ArgusGlobalTime; output->ArgusReportTime.tv_sec += getArgusMarReportInterval(output)->tv_sec; output->ArgusReportTime.tv_usec += getArgusMarReportInterval(output)->tv_usec; if (output->ArgusReportTime.tv_usec > ARGUS_FRACTION_TIME) { output->ArgusReportTime.tv_sec++; output->ArgusReportTime.tv_usec -= ARGUS_FRACTION_TIME; } retn++; } #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusOutputStatusTime(%p) done", output); #endif return (retn); } void * ArgusOutputProcess(void *arg) { struct ArgusOutputStruct *output = (struct ArgusOutputStruct *) arg; struct timeval ArgusUpDate = {0, 500000}, ArgusNextUpdate = {0,0}; struct ArgusListStruct *list = NULL; int val, count; void *retn = NULL; #if defined(ARGUS_THREADS) sigset_t blocked_signals; #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG #if defined(ARGUS_THREADS) ArgusDebug (1, "ArgusOutputProcess(%p) starting\n", output); #else ArgusDebug (6, "ArgusOutputProcess(%p) starting\n", output); #endif #endif #if defined(ARGUS_TILERA) bind_proc(ArgusFirstTile + 1); #endif #if defined(ARGUS_THREADS) sigfillset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #if defined(HAVE_SOLARIS) sigignore(SIGPIPE); #else (void) signal (SIGPIPE, SIG_IGN); #endif while ((list = output->ArgusInputList) == NULL) { struct timespec tsbuf = {0, 10000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess(%p) waiting for ArgusOutputList\n", output); #endif nanosleep (ts, NULL); } while (!(output->status & ARGUS_SHUTDOWN) || ((output->status & ARGUS_SHUTDOWN) && !ArgusListEmpty(list))) { #else if ((list = output->ArgusInputList) != NULL) { #endif struct ArgusRecordStruct *rec = NULL; gettimeofday (&output->ArgusGlobalTime, 0L); #if defined(ARGUS_NANOSECONDS) output->ArgusGlobalTime.tv_usec *= 1000; #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() looping\n"); #endif /* check to see if there are any new clients */ if ((output->ArgusPortNum != 0) && ((output->ArgusGlobalTime.tv_sec > ArgusNextUpdate.tv_sec) || ((output->ArgusGlobalTime.tv_sec == ArgusNextUpdate.tv_sec) && (output->ArgusGlobalTime.tv_usec > ArgusNextUpdate.tv_usec)))) { if (output->ArgusListens) { struct timeval wait = {0, 0}; fd_set readmask; int i, width = 0; FD_ZERO(&readmask); for (i = 0; i < output->ArgusListens; i++) { if (output->ArgusLfd[i] != -1) { FD_SET(output->ArgusLfd[i], &readmask); width = (output->ArgusLfd[i] > width) ? output->ArgusLfd[i] : width; } } if (output->ArgusClients) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() checking for remotes\n"); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; do { if (client->sock && !(client->sock->filename)) { FD_SET(client->fd, &readmask); width = (client->fd > width) ? client->fd : width; } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } if ((val = select (width + 1, &readmask, NULL, NULL, &wait)) >= 0) { if (val > 0) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int done = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() select returned with tasks\n"); #endif for (i = 0; (i < output->ArgusListens) && (!done); i++) { if (FD_ISSET(output->ArgusLfd[i], &readmask)) ArgusCheckClientStatus(output, output->ArgusLfd[i]); if (client != NULL) { do { if (client->fd != -1) { if (FD_ISSET(client->fd, &readmask)) { if (ArgusCheckClientMessage(output, client) < 0) { ArgusDeleteSocket(output, client); } else { done++; break; } } } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } } } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() done checking for remotes\n"); #endif } ArgusNextUpdate.tv_usec += ArgusUpDate.tv_usec; ArgusNextUpdate.tv_sec += ArgusUpDate.tv_sec; if (ArgusNextUpdate.tv_usec > ARGUS_FRACTION_TIME) { ArgusNextUpdate.tv_sec++; ArgusNextUpdate.tv_usec -= ARGUS_FRACTION_TIME; } } } #if defined(ARGUS_THREADS) if (ArgusListEmpty(list)) { struct timeval tvp; struct timespec tsbuf, *ts = &tsbuf; gettimeofday (&tvp, 0L); ts->tv_sec = tvp.tv_sec + 0; ts->tv_nsec = tvp.tv_usec * 1000; ts->tv_nsec += 100000000; while (ts->tv_nsec > 1000000000) { ts->tv_sec++; ts->tv_nsec -= 1000000000; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() waiting for input list\n"); #endif if (pthread_mutex_lock(&list->lock)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_mutex_lock error %s\n", strerror(errno)); #endif } if (pthread_cond_timedwait(&list->cond, &list->lock, ts) == EINVAL) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_cond_timedwait error bad value\n"); #endif } if (pthread_mutex_unlock(&list->lock)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_mutex_lock error %s\n", strerror(errno)); #endif } } #endif if (ArgusOutputStatusTime(output)) { if ((rec = ArgusGenerateStatusMarRecord(output, ARGUS_STATUS)) != NULL) { if (output->ArgusClients) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; do { if ((client->fd != -1) && (client->sock != NULL) && client->ArgusClientStart) { if (ArgusWriteSocket (output, client, rec) < 0) { ArgusDeleteSocket(output, client); } } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif } ArgusFreeListRecord (rec); output->ArgusLastMarUpdateTime = output->ArgusGlobalTime; } } if (output->ArgusOutputList && !(ArgusListEmpty(list))) { int done = 0; ArgusLoadList(list, output->ArgusOutputList); while (!done && ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusOutputList, ARGUS_LOCK)) != NULL)) { output->ArgusTotalRecords++; output->ArgusOutputSequence = rec->canon.trans.seqnum; count = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() received rec %p totals %lld seq %d\n", rec, output->ArgusTotalRecords, output->ArgusOutputSequence); #endif if (((rec->hdr.type & 0xF0) == ARGUS_MAR) && ((rec->hdr.cause & 0xF0) == ARGUS_STOP)) { done++; output->status |= ARGUS_SHUTDOWN; ArgusFreeListRecord(rec); if ((rec = ArgusGenerateStatusMarRecord(output, ARGUS_STOP)) == NULL) { } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusOutputProcess(%p) rec %d received as stop record \n", output, output->ArgusTotalRecords); #endif } if (output->ArgusClients) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int i, ArgusWriteRecord = 0; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() %d client(s) for record %p\n", output->ArgusClients->count, rec); #endif for (i = 0; i < output->ArgusClients->count; i++) { if ((client->fd != -1) && (client->sock != NULL) && client->ArgusClientStart) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() client %p ready fd %d sock %p start %d", client, client->fd, client->sock, client->ArgusClientStart); #endif ArgusWriteRecord = 1; if (client->ArgusFilterInitialized) { bcopy(&rec->hdr, &rec->canon.hdr, sizeof(rec->hdr)); if (!(ArgusFilterRecord ((struct nff_insn *)client->ArgusNFFcode.bf_insns, rec))) ArgusWriteRecord = 0; } if (ArgusWriteRecord) { if (ArgusWriteSocket (output, client, rec) < 0) { ArgusDeleteSocket(output, client); } else { if (ArgusWriteOutSocket (output, client) < 0) { ArgusDeleteSocket(output, client); } } } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() client %p filter blocks fd %d sock %p start %d", client, client->fd, client->sock, client->ArgusClientStart); #endif } } else { struct timeval tvbuf, *tvp = &tvbuf; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() %d client(s) not ready fd %d sock 0x%x start %d", output->ArgusClients->count, client->fd, client->sock, client->ArgusClientStart); #endif RaDiffTime (&output->ArgusGlobalTime, &client->startime, tvp); if (tvp->tv_sec >= ARGUS_CLIENT_STARTUP_TIMEOUT) { if (client->sock != NULL) { ArgusDeleteSocket(output, client); ArgusLog (LOG_WARNING, "ArgusCheckClientMessage: client %s never started: timed out", (client->hostname != NULL) ? client->hostname : "noname"); } client->ArgusClientStart = 1; } } client = (void *) client->qhdr.nxt; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() no client for record %p\n", rec); #endif } ArgusFreeListRecord(rec); } if (output->ArgusWriteStdOut) fflush (stdout); } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() checking out clients\n"); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if ((output->ArgusPortNum != 0) && (output->ArgusClients->count)) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int i; for (i = 0; i < output->ArgusClients->count; i++) { if ((client->fd != -1) && (client->sock != NULL)) { if (output->status & ARGUS_SHUTDOWN) { ArgusWriteOutSocket (output, client); ArgusDeleteSocket(output, client); } else { if (ArgusWriteOutSocket (output, client) < 0) { ArgusDeleteSocket(output, client); } } } client = (void *) client->qhdr.nxt; } for (i = 0, count = output->ArgusClients->count; (i < count) && output->ArgusClients->count; i++) { if ((client->fd == -1) && (client->sock == NULL) && client->ArgusClientStart) { if (ArgusRemoveFromQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK) != NULL) ArgusFree(client); i = 0; count = output->ArgusClients->count; client = (void *)output->ArgusClients->start; } else client = (void *)client->qhdr.nxt; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() done with clients\n"); #endif #if !defined(ARGUS_THREADS) } #else } #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG #if defined(ARGUS_THREADS) ArgusDebug (6, "ArgusOutputProcess(%p) shuting down %d\n", output, output->ArgusInputList->count); #else ArgusDebug (6, "ArgusOutputProcess(%p) done count %d\n", output, output->ArgusInputList->count); #endif /* ARGUS_THREADS */ #endif #if defined(ARGUS_THREADS) { struct ArgusClientData *client; while ((client = (void *) output->ArgusClients->start) != NULL) { if ((client->fd != -1) && (client->sock != NULL)) ArgusWriteOutSocket (output, client); ArgusDeleteSocket(output, client); if (ArgusRemoveFromQueue(output->ArgusClients, &client->qhdr, ARGUS_LOCK) != NULL) ArgusFree(client); } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusOutputProcess(%p) exiting\n", output); #endif pthread_exit(retn); #endif /* ARGUS_THREADS */ return (retn); } #include int ArgusEstablishListen (struct ArgusOutputStruct *output, char *errbuf) { int port = output->ArgusPortNum; struct ArgusBindAddrStruct *ArgusBindAddrs = NULL; char *baddr = NULL; int s = -1; if (port > 0) { if (output->ArgusListens > 0) { int i = output->ArgusListens; for (i = 0; i < output->ArgusListens; i++) { close(output->ArgusLfd[i]); output->ArgusLfd[i] = -1; } } output->ArgusListens = 0; if (output->ArgusBindAddrs != NULL) { ArgusBindAddrs = (struct ArgusBindAddrStruct *)output->ArgusBindAddrs->start; baddr = ArgusBindAddrs->addr; } do { #if defined(HAVE_GETADDRINFO) { struct addrinfo hints, *host, *hp; char portbuf[32]; int retn = 0; memset(&hints, 0, sizeof(hints)); if (output->ArgusAddrInfo.ai_socktype || output->ArgusAddrInfo.ai_protocol) { hints.ai_family = output->ArgusAddrInfo.ai_family; hints.ai_socktype = output->ArgusAddrInfo.ai_socktype; hints.ai_protocol = output->ArgusAddrInfo.ai_protocol; } else { hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_PASSIVE; } snprintf(portbuf, 32, "%d", port); if ((retn = getaddrinfo(baddr, portbuf, &hints, &host)) != 0) { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "bind address %s unknown", optarg); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "bind address %s has no IP address", optarg); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "bind address %s name server error %s", optarg, strerror(errno)); break; } } hp = host; do { retn = -1; if ((s = socket (hp->ai_family, hp->ai_socktype, hp->ai_protocol)) >= 0) { int flags = fcntl (s, F_GETFL, 0L); if ((fcntl (s, F_SETFL, flags | O_NDELAY)) >= 0) { int on = 1; if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseaddr %s", strerror(errno)); #ifdef ARGUSDEBUG if (baddr) ArgusDebug (1, "ArgusEstablishListen(%p, %p) binding: %s:%d family: %d\n", output, errbuf, baddr, port, hp->ai_family); else { #if defined(__OpenBSD__) switch (hp->ai_family) { case AF_INET6: ((struct sockaddr_in6 *)hp->ai_addr)->sin6_addr = in6addr_any; break; } #endif ArgusDebug (1, "ArgusEstablishListen(%d, %p) binding: any:%d family: %d\n", port, errbuf, port, hp->ai_family); } #endif if (!(bind (s, hp->ai_addr, hp->ai_addrlen))) { switch (hp->ai_socktype) { case SOCK_STREAM: if ((retn = listen (s, ARGUS_MAXLISTEN)) >= 0) { output->ArgusLfd[output->ArgusListens++] = s; } else { snprintf(errbuf, 1024, "%s: ArgusEstablishListen: listen() failure", ArgusProgramName); } break; case SOCK_DGRAM: retn = 0; break; } } else { snprintf(errbuf, 256, "%s: ArgusEstablishListen: bind() error", ArgusProgramName); } } else snprintf(errbuf, 256, "%s: ArgusEstablishListen: fcntl() error", ArgusProgramName); if (retn == -1) { close (s); s = -1; } } else snprintf(errbuf, 256, "%s: ArgusEstablishListen: socket() error", ArgusProgramName); hp = hp->ai_next; } while ((hp != NULL) && (retn == -1)); freeaddrinfo(host); } #else struct sockaddr_in sin; struct hostent *host; sin.sin_addr.s_addr = INADDR_ANY; if (baddr) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEstablishListen(%d, %s, %p)\n", port, baddr, errbuf); #endif if ((host = gethostbyname (baddr)) != NULL) { if ((host->h_addrtype == AF_INET) && (host->h_length == 4)) { bcopy ((char *) *host->h_addr_list, (char *)&sin.sin_addr.s_addr, host->h_length); } else ArgusLog (LOG_ERR, "ArgusEstablishListen() unsupported bind address %s", baddr); } else ArgusLog (LOG_ERR, "ArgusEstablishListen() bind address %s error %s", baddr, strerror(errno)); } sin.sin_port = htons((u_short) port); sin.sin_family = AF_INET; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEstablishListen(%p, %p) binding: %d:%d\n", output, errbuf, sin.sin_addr.s_addr, port); #endif if ((s = socket (AF_INET, SOCK_STREAM, 0)) != -1) { int flags = fcntl (s, F_GETFL, 0L); if ((fcntl (s, F_SETFL, flags | O_NDELAY)) >= 0) { int on = 1; if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseaddr %s", strerror(errno)); if (!(bind (s, (struct sockaddr *)&sin, sizeof(sin)))) { if ((listen (s, ARGUS_MAXLISTEN)) >= 0) { output->ArgusLfd[output->ArgusListens++] = s; } else { close (s); s = -1; snprintf(errbuf, 1024, "%s: ArgusEstablishListen: listen() failure", ArgusProgramName); } } else { close (s); s = -1; snprintf(errbuf, 256, "%s: ArgusEstablishListen: bind() error", ArgusProgramName); } } else snprintf(errbuf, 256, "%s: ArgusEstablishListen: fcntl() error", ArgusProgramName); } else snprintf(errbuf, 256, "%s: ArgusEstablishListen: socket() error", ArgusProgramName); #endif if (ArgusBindAddrs) { if ((ArgusBindAddrs = (struct ArgusBindAddrStruct *)ArgusBindAddrs->nxt) != NULL) { baddr = ArgusBindAddrs->addr; } else baddr = NULL; } } while (baddr != NULL); } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusEstablishListen(%p, %p) returning %d\n", output, errbuf, s); #endif return (s); } int ArgusAuthenticateClient (struct ArgusClientData *); #ifdef ARGUS_SASL static sasl_ssf_t extprops_ssf = 0; static char clienthost[NI_MAXHOST*2+1] = "[local]"; sasl_security_properties_t *mysasl_secprops(int); #endif void ArgusCheckClientStatus (struct ArgusOutputStruct *output, int s) { struct sockaddr from; int len = sizeof (from), bytes; int fd; #ifdef ARGUS_SASL #define SASL_SEC_MASK 0x0fff struct sockaddr_storage localaddr, remoteaddr; int retn, argus_have_addr = 0; char localhostname[1024]; sasl_conn_t *conn = NULL; socklen_t salen; sasl_security_properties_t *secprops = NULL; char localip[60], remoteip[60]; #endif if ((fd = accept (s, (struct sockaddr *)&from, (socklen_t *)&len)) > 0) { int flags = fcntl (fd, F_GETFL, 0L); if ((fcntl (fd, F_SETFL, flags | O_NONBLOCK)) >= 0) { if (ArgusTcpWrapper (fd, &from) >= 0) { if (output->ArgusClients && (output->ArgusClients->count < ARGUS_MAXLISTEN)) { struct ArgusClientData *client = (void *) ArgusCalloc (1, sizeof(struct ArgusClientData)); if (client == NULL) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: ArgusCalloc %s", strerror(errno)); client->fd = fd; client->startime = output->ArgusGlobalTime; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus() new client\n"); #endif if ((client->sock = ArgusNewSocket(fd)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusNewSocket error %s", strerror(errno)); if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); if ((output->ArgusInitMar = ArgusGenerateInitialMar(output)) == NULL) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: ArgusGenerateInitialMar error %s", strerror(errno)); #ifdef ARGUS_SASL #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: SASL enabled\n"); #endif { char hbuf[NI_MAXHOST]; int niflags; salen = sizeof(remoteaddr); bzero(hbuf, sizeof(hbuf)); if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) == 0 && (remoteaddr.ss_family == AF_INET || remoteaddr.ss_family == AF_INET6)) { if (getnameinfo((struct sockaddr *)&remoteaddr, salen, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD) == 0) { strncpy(clienthost, hbuf, sizeof(hbuf)); } else { clienthost[0] = '\0'; } niflags = NI_NUMERICHOST; #ifdef NI_WITHSCOPEID if (((struct sockaddr *)&remoteaddr)->sa_family == AF_INET6) niflags |= NI_WITHSCOPEID; #endif if (getnameinfo((struct sockaddr *)&remoteaddr, salen, hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) strncpy(hbuf, "unknown", sizeof(hbuf)); sprintf(&clienthost[strlen(clienthost)], "[%s]", hbuf); salen = sizeof(localaddr); if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) == 0) { if(iptostring((struct sockaddr *)&remoteaddr, salen, remoteip, sizeof(remoteip)) == 0 && iptostring((struct sockaddr *)&localaddr, salen, localip, sizeof(localip)) == 0) { argus_have_addr = 1; } } } } gethostname(localhostname, 1024); if (!strchr (localhostname, '.')) { char domainname[256]; strcat (localhostname, "."); if (getdomainname (domainname, 256)) { snprintf (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname), "%s", domainname); } } if ((retn = sasl_server_new("argus", NULL, NULL, localip, remoteip, NULL, 0, &client->sasl_conn)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: sasl_server_new failed %d", retn); conn = client->sasl_conn; /* set required security properties here */ if (extprops_ssf) sasl_setprop(conn, SASL_SSF_EXTERNAL, &extprops_ssf); secprops = mysasl_secprops(0); sasl_setprop(conn, SASL_SEC_PROPS, secprops); /* set ip addresses */ if (argus_have_addr) { sasl_setprop(conn, SASL_IPREMOTEPORT, remoteip); if (client->saslprops.ipremoteport != NULL) free(client->saslprops.ipremoteport); client->saslprops.ipremoteport = strdup(remoteip); sasl_setprop(conn, SASL_IPLOCALPORT, localip); if (client->saslprops.iplocalport != NULL) free(client->saslprops.iplocalport); client->saslprops.iplocalport = strdup(localip); } output->ArgusInitMar->argus_mar.status |= htonl(ARGUS_SASL_AUTHENTICATE); #endif len = ntohs(output->ArgusInitMar->hdr.len) * 4; if ((bytes = write (client->fd, (char *) output->ArgusInitMar, len)) != len) { close (client->fd); ArgusLog (LOG_ALERT, "ArgusInitOutput: write(): %s", strerror(errno)); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: wrote %d bytes to client\n", bytes); #endif } #ifdef ARGUS_SASL if (ArgusMaxSsf > 0) { int flags = fcntl (fd, F_GETFL, 0); fcntl (fd, F_SETFL, flags & ~O_NONBLOCK); if (ArgusAuthenticateClient (client)) { ArgusDeleteSocket(output, client); ArgusLog (LOG_ALERT, "ArgusCheckClientStatus: ArgusAuthenticateClient failed\n"); } else { ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK); fcntl (fd, F_SETFL, flags); } } else { } #else ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK); #endif } else { char buf[256]; struct ArgusRecord *argus = (struct ArgusRecord *) &buf; if ((argus = ArgusGenerateRecord (output->ArgusModel, NULL, ARGUS_ERROR, (struct ArgusRecord *) &buf)) != NULL) { len = argus->hdr.len * 4; argus->hdr.len = ntohs(argus->hdr.len); argus->hdr.cause |= ARGUS_MAXLISTENEXCD; if (write (fd, (char *) argus, len) != len) { ArgusLog (LOG_ERR, "ArgusInitOutput: write(): %s", strerror(errno)); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: wrote %d bytes to client fd %d\n", len, fd); #endif } close(fd); } } } else { ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: ArgusTcpWrapper rejects"); close (fd); } } else { ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: fcntl: %s", strerror(errno)); close (fd); } } else ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: accept: %s", strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus() returning\n"); #endif } #define ARGUSMAXCLIENTCOMMANDS 6 #define RADIUM_START 0 #define RADIUM_DONE 1 #define RADIUM_FILTER 2 #define RADIUM_MODEL 3 #define RADIUM_PROJECT 4 #define RADIUM_FILE 5 char *ArgusClientCommands[ARGUSMAXCLIENTCOMMANDS] = { "START: ", "DONE: ", "FILTER: ", "MODEL: ", "PROJECT: ", "FILE: ", }; int ArgusCheckClientMessage (struct ArgusOutputStruct *output, struct ArgusClientData *client) { int retn = 0, cnt = 0, i, found, fd = client->fd; char buf[MAXSTRLEN], *ptr = buf; unsigned int value = 0; #ifdef ARGUS_SASL const char *outputbuf = NULL; unsigned int outputlen = 0; #endif /* ARGUS_SASL */ bzero(buf, MAXSTRLEN); if (value == 0) value = MAXSTRLEN; if ((cnt = recv (fd, buf, value, 0)) <= 0) { if (cnt < 0) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusCheckClientMessage (%p, %p) recv(%d) returned error %s\n", output, client, fd, strerror(errno)); #endif return (-1); } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusCheckClientMessage (%p, %p) recv(%d) returned %d bytes\n", output, client, fd, cnt); #endif return(-3); } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCheckClientMessage (%p, %p) recv(%d) returned %d bytes\n", output, client, fd, cnt); #endif } #ifdef ARGUS_SASL if ((client->sasl_conn)) { const int *ssfp; int result; if ((result = sasl_getprop(client->sasl_conn, SASL_SSF, (const void **) &ssfp)) != SASL_OK) ArgusLog (LOG_ERR, "sasl_getprop: error %s\n", sasl_errdetail(client->sasl_conn)); if (ssfp && (*ssfp > 0)) { if (sasl_decode (client->sasl_conn, buf, cnt, &outputbuf, &outputlen) != SASL_OK) { ArgusLog (LOG_WARNING, "ArgusCheckClientMessage(%p, %d) sasl_decode (%p, %p, %d, %p, %d) failed", client, fd, client->sasl_conn, buf, cnt, &outputbuf, outputlen); return(-1); } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCheckClientMessage (%p, %p) sasl_decode(%d) returned %d bytes\n", output, client, fd, outputlen); #endif } if (outputlen > 0) { if (outputlen < MAXSTRLEN) { bzero (buf, MAXSTRLEN); bcopy (outputbuf, buf, outputlen); cnt = outputlen; } else ArgusLog (LOG_ERR, "ArgusCheckClientMessage(%p, %d) sasl_decode returned %d bytes\n", client, fd, outputlen); } else { return (0); } } } #endif /* ARGUS_SASL */ #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientMessage (%p, %p) read '%s' from remote\n", output, client, ptr); #endif for (i = 0, found = 0; i < ARGUSMAXCLIENTCOMMANDS; i++) { if (!(strncmp (ptr, ArgusClientCommands[i], strlen(ArgusClientCommands[i])))) { found++; switch (i) { case RADIUM_START: client->ArgusClientStart++; retn = 0; break; case RADIUM_DONE: retn = -4; break; case RADIUM_FILTER: { char *reply = NULL; reply = ArgusFilterCompile (&client->ArgusNFFcode, &ptr[7], 1); if (reply == NULL) { retn = -2; if ((cnt = send (fd, "ER", 2, 0)) != 2) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCheckClientMessage: ArgusFilter filter error: %s\n", &ptr[7]); #endif } else if (strcmp(reply, "OK")) { retn = -3; if ((cnt = send (fd, reply, 2, 0)) != 2) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } } else { #ifdef ARGUSDEBUG char buf[MAXSTRLEN]; bzero(buf, MAXSTRLEN); nff_dump(&client->ArgusNFFcode, buf, MAXSTRLEN, 1); ArgusDebug (3, "ArgusInitOutput: ArgusFilterCompile returned: \n%s\n", buf); #endif client->ArgusFilterInitialized++; if ((cnt = send (fd, "OK", 2, 0)) != 2) { retn = -3; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } else { retn = 0; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: ArgusFilter %s initialized.\n", &ptr[7]); #endif } } break; } case RADIUM_PROJECT: case RADIUM_MODEL: break; case RADIUM_FILE: { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCheckClientMessage: ArgusFile %s initialized.\n", &ptr[6]); #endif retn = 0; } break; default: ArgusLog (LOG_WARNING, "ArgusCheckClientMessage: received %s", ptr); break; } break; } } if (!found) ArgusLog (LOG_WARNING, "ArgusCheckClientMessage: received %s", ptr); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusCheckClientMessage: returning %d\n", retn); #endif return (retn); } struct ArgusRecord * ArgusGenerateInitialMar (struct ArgusOutputStruct *output) { struct ArgusSourceStruct *ArgusSrc, *aSrc; struct ArgusRecord *retn; struct timeval now; int x, done; if ((retn = (struct ArgusRecord *) ArgusCalloc (1, sizeof(struct ArgusRecord))) == NULL) ArgusLog (LOG_ERR, "ArgusGenerateInitialMar(%p) ArgusCalloc error %s\n", output, strerror(errno)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = ARGUS_START; retn->hdr.len = sizeof(struct ArgusRecord) / 4; retn->argus_mar.argusid = ARGUS_COOKIE; retn->argus_mar.thisid = getArgusID(ArgusSourceTask); switch (getArgusIDType(ArgusSourceTask)) { case ARGUS_TYPE_STRING: retn->argus_mar.status |= ARGUS_IDIS_STRING; break; case ARGUS_TYPE_INT: retn->argus_mar.status |= ARGUS_IDIS_INT; break; case ARGUS_TYPE_IPV4: retn->argus_mar.status |= ARGUS_IDIS_IPV4; break; } retn->argus_mar.startime.tv_sec = output->ArgusStartTime.tv_sec; retn->argus_mar.startime.tv_usec = output->ArgusStartTime.tv_usec; gettimeofday (&now, 0L); retn->argus_mar.now.tv_sec = now.tv_sec; retn->argus_mar.now.tv_usec = now.tv_usec; retn->argus_mar.major_version = VERSION_MAJOR; retn->argus_mar.minor_version = VERSION_MINOR; retn->argus_mar.reportInterval = getArgusFarReportInterval(output->ArgusModel)->tv_sec; retn->argus_mar.argusMrInterval = getArgusMarReportInterval(output)->tv_sec; if ((ArgusSrc = output->ArgusSrc) != NULL) { for (x = 0, done = 0; x < ARGUS_MAXINTERFACE && !done; x++) { if ((aSrc = ArgusSrc->srcs[x]) != NULL) { if (aSrc->ArgusInterface[0].ArgusLocalNet != 0) { retn->argus_mar.localnet = aSrc->ArgusInterface[0].ArgusLocalNet; retn->argus_mar.netmask = aSrc->ArgusInterface[0].ArgusNetMask; done = 1; } } } } retn->argus_mar.nextMrSequenceNum = output->ArgusOutputSequence; retn->argus_mar.record_len = -1; #if defined(_LITTLE_ENDIAN) ArgusHtoN(retn); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateInitialMar() returning\n"); #endif return (retn); } // The supplemental mar record is designed to extend the descriptions of the sensors, their inputs, // providing interfaces, names, interface types, extended argus identifiers (> 4 bytes), // and stats, if appropriate, // // This will be the way we provide long argus id's, IPv6, ethernet, and long strings. // // Minimally it should provide the argusid, used in all records, and the list of input descriptions, // as well as the extended argus id itself. struct ArgusRecordStruct * ArgusGenerateSupplementalMarRecord (struct ArgusOutputStruct *output, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; while ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) == NULL) { if (output && output->ArgusInputList) { if ((retn = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusInputList, ARGUS_LOCK)) != NULL) { ArgusFreeListRecord (retn); } else break; } else break; } if (retn) { struct ArgusSourceStruct *ArgusSrc = NULL, *aSrc = NULL; struct timeval now; memset(retn, 0, sizeof(*retn)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = ARGUS_SUPPLEMENTAL; retn->hdr.len = (sizeof(struct ArgusMarSupStruct)/4) + 1; // have size for one interface, and add as you go rec = (struct ArgusRecord *) &retn->canon; rec->hdr = retn->hdr; rec->argus_sup.argusid = getArgusID(ArgusSourceTask); switch (getArgusIDType(ArgusSourceTask)) { case ARGUS_TYPE_STRING: rec->argus_sup.status |= ARGUS_IDIS_STRING; break; case ARGUS_TYPE_INT: rec->argus_sup.status |= ARGUS_IDIS_INT; break; case ARGUS_TYPE_IPV4: rec->argus_sup.status |= ARGUS_IDIS_IPV4; break; } gettimeofday (&now, 0L); rec->argus_sup.startime.tv_sec = output->ArgusLastMarUpdateTime.tv_sec; rec->argus_sup.startime.tv_usec = output->ArgusLastMarUpdateTime.tv_usec; rec->argus_sup.now.tv_sec = now.tv_sec; rec->argus_sup.now.tv_usec = now.tv_usec; if ((ArgusSrc = output->ArgusSrc) != NULL) { int x; for (x = 0; x < ARGUS_MAXINTERFACE; x++) { if ((aSrc = ArgusSrc->srcs[x]) != NULL) { if (aSrc->ArgusInterface[0].ArgusPd != NULL) { int i; rec->argus_mar.interfaceType = pcap_datalink(aSrc->ArgusInterface[0].ArgusPd); rec->argus_mar.interfaceStatus = getArgusInterfaceStatus(aSrc); rec->argus_mar.pktsRcvd = 0; rec->argus_mar.bytesRcvd = 0; rec->argus_mar.dropped = 0; for (i = 0; i < ARGUS_MAXINTERFACE; i++) { rec->argus_mar.pktsRcvd += aSrc->ArgusInterface[i].ArgusTotalPkts - aSrc->ArgusInterface[i].ArgusLastPkts; rec->argus_mar.bytesRcvd += aSrc->ArgusInterface[i].ArgusTotalBytes - aSrc->ArgusInterface[i].ArgusLastBytes; rec->argus_mar.dropped += aSrc->ArgusInterface[i].ArgusStat.ps_drop - aSrc->ArgusInterface[i].ArgusLastDrop; aSrc->ArgusInterface[i].ArgusLastPkts = aSrc->ArgusInterface[i].ArgusTotalPkts; aSrc->ArgusInterface[i].ArgusLastDrop = aSrc->ArgusInterface[i].ArgusStat.ps_drop; aSrc->ArgusInterface[i].ArgusLastBytes = aSrc->ArgusInterface[i].ArgusTotalBytes; } } } } } } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateStatusMar(%p, %d) returning 0x%x", output, status, retn); #endif return (retn); } struct ArgusRecordStruct * ArgusGenerateStatusMarRecord (struct ArgusOutputStruct *output, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; while ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) == NULL) { if (output && output->ArgusInputList) { if ((retn = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusInputList, ARGUS_LOCK)) != NULL) { ArgusFreeListRecord (retn); } else break; } else break; } if (retn) { extern int ArgusAllocTotal, ArgusFreeTotal, ArgusAllocBytes; struct ArgusSourceStruct *ArgusSrc = NULL, *aSrc = NULL; struct timeval now; memset(retn, 0, sizeof(*retn)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = status; retn->hdr.len = (sizeof(struct ArgusMarStruct)/4) + 1; rec = (struct ArgusRecord *) &retn->canon; rec->hdr = retn->hdr; rec->argus_mar.argusid = getArgusID(ArgusSourceTask); switch (getArgusIDType(ArgusSourceTask)) { case ARGUS_TYPE_STRING: rec->argus_mar.status |= ARGUS_IDIS_STRING; break; case ARGUS_TYPE_INT: rec->argus_mar.status |= ARGUS_IDIS_INT; break; case ARGUS_TYPE_IPV4: rec->argus_mar.status |= ARGUS_IDIS_IPV4; break; } gettimeofday (&now, 0L); rec->argus_mar.startime.tv_sec = output->ArgusLastMarUpdateTime.tv_sec; rec->argus_mar.startime.tv_usec = output->ArgusLastMarUpdateTime.tv_usec; rec->argus_mar.now.tv_sec = now.tv_sec; rec->argus_mar.now.tv_usec = now.tv_usec; rec->argus_mar.major_version = VERSION_MAJOR; rec->argus_mar.minor_version = VERSION_MINOR; rec->argus_mar.reportInterval = getArgusFarReportInterval(output->ArgusModel)->tv_sec; rec->argus_mar.argusMrInterval = getArgusMarReportInterval(ArgusOutputTask)->tv_sec; rec->argus_mar.localnet = output->ArgusSrc->ArgusInterface[0].ArgusLocalNet; rec->argus_mar.netmask = output->ArgusSrc->ArgusInterface[0].ArgusNetMask; rec->argus_mar.nextMrSequenceNum = output->ArgusOutputSequence; rec->argus_mar.record_len = -1; if ((ArgusSrc = output->ArgusSrc) != NULL) { int x; for (x = 0; x < ARGUS_MAXINTERFACE; x++) { if ((aSrc = ArgusSrc->srcs[x]) != NULL) { if (aSrc->ArgusInterface[0].ArgusPd != NULL) { int i; rec->argus_mar.interfaceType = pcap_datalink(aSrc->ArgusInterface[0].ArgusPd); rec->argus_mar.interfaceStatus = getArgusInterfaceStatus(aSrc); rec->argus_mar.pktsRcvd = 0; rec->argus_mar.bytesRcvd = 0; rec->argus_mar.dropped = 0; for (i = 0; i < ARGUS_MAXINTERFACE; i++) { rec->argus_mar.pktsRcvd += aSrc->ArgusInterface[i].ArgusTotalPkts - aSrc->ArgusInterface[i].ArgusLastPkts; rec->argus_mar.bytesRcvd += aSrc->ArgusInterface[i].ArgusTotalBytes - aSrc->ArgusInterface[i].ArgusLastBytes; rec->argus_mar.dropped += aSrc->ArgusInterface[i].ArgusStat.ps_drop - aSrc->ArgusInterface[i].ArgusLastDrop; aSrc->ArgusInterface[i].ArgusLastPkts = aSrc->ArgusInterface[i].ArgusTotalPkts; aSrc->ArgusInterface[i].ArgusLastDrop = aSrc->ArgusInterface[i].ArgusStat.ps_drop; aSrc->ArgusInterface[i].ArgusLastBytes = aSrc->ArgusInterface[i].ArgusTotalBytes; } } } } } rec->argus_mar.records = output->ArgusTotalRecords - output->ArgusLastRecords; output->ArgusLastRecords = output->ArgusTotalRecords; rec->argus_mar.flows = output->ArgusModel->ArgusTotalNewFlows - output->ArgusModel->ArgusLastNewFlows; output->ArgusModel->ArgusLastNewFlows = output->ArgusModel->ArgusTotalNewFlows; if (output->ArgusModel && output->ArgusModel->ArgusStatusQueue) rec->argus_mar.queue = output->ArgusModel->ArgusStatusQueue->count; else rec->argus_mar.queue = 0; if (output->ArgusOutputList) rec->argus_mar.output = output->ArgusOutputList->count; else rec->argus_mar.output = 0; rec->argus_mar.clients = output->ArgusClients->count; rec->argus_mar.bufs = ArgusAllocTotal - ArgusFreeTotal; rec->argus_mar.bytes = ArgusAllocBytes; rec->argus_mar.suserlen = getArgusUserDataLen(ArgusModel); rec->argus_mar.duserlen = getArgusUserDataLen(ArgusModel); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateStatusMarRecord(%p, %d) returning 0x%x", output, status, retn); #endif return (retn); } struct timeval * getArgusMarReportInterval(struct ArgusOutputStruct *output) { return (&output->ArgusMarReportInterval); } #include #include void setArgusMarReportInterval(struct ArgusOutputStruct *output, char *value) { struct timeval *tvp = getArgusMarReportInterval(output); struct timeval ovalue, now; double thisvalue = 0.0, iptr, fptr; int ivalue = 0; char *ptr = NULL;; if (tvp != NULL) { ovalue = *tvp; tvp->tv_sec = 0; tvp->tv_usec = 0; } else { ovalue.tv_sec = 0; ovalue.tv_usec = 0; } if (((ptr = strchr (value, '.')) != NULL) || isdigit((int)*value)) { if (ptr != NULL) { thisvalue = atof(value); } else { if (isdigit((int)*value)) { ivalue = atoi(value); thisvalue = ivalue * 1.0; } } fptr = modf(thisvalue, &iptr); tvp->tv_sec = iptr; tvp->tv_usec = fptr * ARGUS_FRACTION_TIME; gettimeofday(&now, 0L); #if defined(ARGUS_NANOSECONDS) now.tv_usec *= 1000; #endif output->ArgusReportTime.tv_sec = now.tv_sec + tvp->tv_sec; output->ArgusReportTime.tv_usec = tvp->tv_usec; } else *tvp = ovalue; #ifdef ARGUSDEBUG ArgusDebug (4, "setArgusMarReportInterval(%s) returning\n", value); #endif } #if defined HAVE_TCP_WRAPPER #if defined(HAVE_SYSLOG_H) #include #endif #include #if !defined(MAXPATHNAMELEN) #define MAXPATHNAMELEN BUFSIZ #endif #define PARANOID 1 #define KILL_IP_OPTIONS 1 #define HOSTS_ACCESS 1 int allow_severity = LOG_INFO; /* run-time adjustable */ int deny_severity = LOG_WARNING; /* ditto */ void fix_options(struct request_info *); #endif int ArgusTcpWrapper (int fd, struct sockaddr *from) { #if defined(HAVE_TCP_WRAPPER) int retn = 0; struct request_info request; /* * Find out the endpoint addresses of this conversation. Host name * lookups and double checks will be done on demand. */ request_init(&request, RQ_DAEMON, ArgusProgramName, RQ_FILE, STDIN_FILENO, 0); request.fd = fd; fromhost(&request); /* * Optionally look up and double check the remote host name. Sites * concerned with security may choose to refuse connections from hosts * that pretend to have someone elses host name. */ #ifdef PARANOID if (STR_EQ(eval_hostname(request.client), paranoid)) { ArgusLog (deny_severity, "refused connect from %s", eval_client(&request)); if (request.sink) request.sink(request.fd); return -1; } #endif /* * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow * socket options at the IP level. They do so for a good reason. * Unfortunately, we cannot use this with SunOS 4.1.x because the * getsockopt() system call can panic the system. */ #if defined(KILL_IP_OPTIONS) fix_options(&request); #endif /* KILL_IP_OPTIONS */ /* * Find out and verify the remote host name. Sites concerned with * security may choose to refuse connections from hosts that pretend to * have someone elses host name. */ #ifdef HOSTS_ACCESS if (!hosts_access(&request)) { ArgusLog (deny_severity, "refused connect from %s", eval_client(&request)); if (request.sink) request.sink(request.fd); return -1; } else #endif /* Report remote client */ ArgusLog (allow_severity, "connect from %s", eval_client(&request)); return (retn); #else return (1); #endif /* HAVE_TCP_WRAPPER */ } #if defined(ARGUS_SASL) /* This creates a structure that defines the allowable * security properties */ #define PROT_BUFSIZE 4096 sasl_security_properties_t * mysasl_secprops(int flags) { static sasl_security_properties_t ret; bzero((char *)&ret, sizeof(ret)); ret.maxbufsize = PROT_BUFSIZE; ret.min_ssf = ArgusMinSsf; /* minimum allowable security strength */ ret.max_ssf = ArgusMaxSsf; /* maximum allowable security strength */ ret.security_flags = flags; ret.property_names = NULL; ret.property_values = NULL; return &ret; } int iptostring(const struct sockaddr *addr, socklen_t addrlen, char *out, unsigned outlen) { char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV]; int niflags; if(!addr || !out) { errno = EINVAL; return -1; } niflags = NI_NUMERICHOST | NI_NUMERICSERV; #ifdef NI_WITHSCOPEID if (addr->sa_family == AF_INET6) niflags |= NI_WITHSCOPEID; #endif if (getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf), niflags) != 0) { errno = EINVAL; return -1; } if(outlen < strlen(hbuf) + strlen(pbuf) + 2) { errno = ENOMEM; return -1; } snprintf(out, outlen, "%s;%s", hbuf, pbuf); return 0; } #endif argus-3.0.8.2/argus/ArgusOutput.h000444 000765 000024 00000013701 12513222401 017212 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Output include file * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusOutput.h#23 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusOutput_h #define ArgusOutput_h #define ARGUS_MONITORPORT 561 #define ARGUS_MAXLISTEN 10 #define ARGUS_CLIENT_STARTUP_TIMEOUT 5 #include #if defined(HAVE_STDLIB_H) #include #endif #include #include #include #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #else #include #endif #include #include #if !defined(ARGUS_TILERA) #include #endif #include #ifdef ARGUS_SASL #include #endif struct ArgusClientData { struct ArgusQueueHeader qhdr; int fd, type, ArgusClientStart; int ArgusFilterInitialized; struct timeval startime, lasttime; struct ArgusSocketStruct *sock; struct nff_program ArgusNFFcode; char *filename, *hostname, *filter; #if defined(HAVE_GETADDRINFO) struct addrinfo *host; #endif #ifdef ARGUS_SASL sasl_conn_t *sasl_conn; struct { char *ipremoteport; char *iplocalport; sasl_ssf_t ssf; char *authid; } saslprops; #endif }; struct ArgusBindAddrStruct { struct ArgusListObjectStruct *nxt; char *addr; }; struct ArgusOutputStruct { struct ArgusSourceStruct *ArgusSrc; struct ArgusModelerStruct *ArgusModel; struct ArgusListStruct *ArgusWfileList; struct ArgusListStruct *ArgusOutputList; struct ArgusListStruct *ArgusInputList; struct ArgusQueueStruct *ArgusClients; struct ArgusListStruct *ArgusBindAddrs; struct ArgusRecord *ArgusInitMar; long long ArgusTotalRecords, ArgusLastRecords; int status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif int ArgusWriteStdOut; int ArgusOutputSequence; #if defined(HAVE_GETADDRINFO) struct addrinfo ArgusAddrInfo; #endif int ArgusPortNum; int ArgusLfd[ARGUS_MAXLISTEN]; int ArgusListens, nflag; char *ArgusBindPort; struct timeval ArgusGlobalTime; struct timeval ArgusStartTime; struct timeval ArgusReportTime; struct timeval ArgusLastMarUpdateTime; struct timeval ArgusMarReportInterval; }; struct ArgusWfileStruct { struct ArgusListObjectStruct *nxt; char *filename; char *filter; }; #if defined(ArgusOutput) struct ArgusOutputStruct *ArgusOutputTask = NULL; struct ArgusOutputStruct *ArgusNewOutput (struct ArgusSourceStruct *, struct ArgusModelerStruct *); void ArgusCloseOutput (struct ArgusOutputStruct *); void ArgusInitOutput (struct ArgusOutputStruct *); void ArgusInitOutputProcess(void); void *ArgusOutputProcess(void *); int ArgusEstablishListen (struct ArgusOutputStruct *, char *); int ArgusTcpWrapper (int, struct sockaddr *); void ArgusUsr1Sig (int); void ArgusUsr2Sig (int); void ArgusChildExit (int); void ArgusClientError(void); void ArgusInitClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); #if defined(ARGUS_TILERA) #else extern char *ArgusFilterCompile(struct nff_program *, char *, int); extern unsigned int argus_filter (struct bpf_insn *, unsigned char *); #endif extern int getArgusPortNum(void); #else #if defined(Argus) int getArgusPortNum(struct ArgusOutputStruct *); int getArgusPortType(struct ArgusOutputStruct *); void setArgusPortNum(struct ArgusOutputStruct *, int); void setArgusBindAddr (struct ArgusOutputStruct *, char *); void setArgusBindPort (struct ArgusOutputStruct *, char *); char *getArgusBindAddr (struct ArgusOutputStruct *); char *getArgusBindPort (struct ArgusOutputStruct *); #endif extern struct timeval ArgusReportTime; extern int ArgusPortNum; extern char *ArgusBindAddr; extern int ArgusOutfd; extern struct ArgusOutputStruct *ArgusOutputTask; extern struct ArgusOutputStruct *ArgusNewOutput (struct ArgusSourceStruct *, struct ArgusModelerStruct *); extern void ArgusCloseOutput (struct ArgusOutputStruct *); extern void ArgusInitOutput (struct ArgusOutputStruct *); extern void ArgusInitOutputProcess(void); extern void ArgusSendOutputData(int, struct ArgusRecord *); extern int ArgusHandleData(struct ArgusSocketStruct *, unsigned char *, int, void *); extern int ArgusHandleClientData(struct ArgusSocketStruct *, unsigned char *, int, void *); extern void ArgusOutputProcess(void *); extern void *ArgusClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); extern char *getArgusWfile(void); extern void setArgusWfile(char *, char *); extern struct timeval *getArgusMarReportInterval(struct ArgusOutputStruct *); extern void setArgusMarReportInterval(struct ArgusOutputStruct *, char *); extern void ArgusCheckClientStatus (struct ArgusOutputStruct *, int); extern int ArgusEstablishListen (struct ArgusOutputStruct *, char *); extern int ArgusTcpWrapper (int, struct sockaddr *); extern void ArgusCloseSocket (int); extern void ArgusCloseClients (void); extern void ArgusUsr1Sig (int); extern void ArgusUsr2Sig (int); extern void ArgusClientError(void); extern void ArgusInitClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); #endif #endif /* #ifndef ArgusOutput_h */ argus-3.0.8.2/argus/ArgusSflow.c000444 000765 000024 00000133042 12513222401 017000 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Fragment processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusSflow.c#6 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusSflow) #define ArgusSflow #include #include #include #include #include #include #include #include #include void ArgusParseSflowRecord (struct ArgusModelerStruct *model, void *ptr) { /* int ArgusReadSocketState = ARGUS_READINGPREHDR; int ArgusReadSocketSize = 0; unsigned int ArgusFlowSeq = 0, ArgusCounter, ArgusSourceId; unsigned int ArgusSysUptime = 0; unsigned short ArgusReadCiscoVersion, ArgusReadSocketNum; struct timeval tvpbuf, *tvp = &tvpbuf; void **templates = NULL; while ((char *)ptr < (char *)model->ArgusThisSnapEnd) { switch (ArgusReadSocketState) { case ARGUS_READINGPREHDR: { unsigned short *sptr = (unsigned short *) ptr; ArgusReadCiscoVersion = ntohs(*sptr++); ArgusReadSocketNum = ntohs(*sptr); ArgusReadSocketState = ARGUS_READINGHDR; break; } case ARGUS_READINGHDR: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record header\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCounter = ntohs(ArgusNetFlow->count); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_5: { CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_6: { CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_7: { CiscoFlowHeaderV7_t *ArgusNetFlow = (CiscoFlowHeaderV7_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_8: { CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_9: { CiscoFlowHeaderV9_t *ArgusNetFlow = (CiscoFlowHeaderV9_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = 0; ArgusFlowSeq = ntohl(ArgusNetFlow->package_sequence); ArgusSourceId = ntohl(ArgusNetFlow->source_id); break; } default: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p) read header\n", ptr); #endif } } ptr += ArgusReadSocketSize; ArgusReadSocketState = ARGUS_READINGBLOCK; break; } case ARGUS_READINGBLOCK: { struct ArgusSystemFlow flowbuf, *sflow = &flowbuf; struct ArgusHashStruct hbuf, *hstruct = &hbuf; struct ArgusFlowStruct *flow = NULL; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record complete\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowEntryV1_t *ArgusNetFlow = (CiscoFlowEntryV1_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->flags; if (ArgusNetFlow->flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->flags & TH_ACK) || (ArgusNetFlow->flags & TH_PUSH) || (ArgusNetFlow->flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_5: { CiscoFlowEntryV5_t *ArgusNetFlow = (CiscoFlowEntryV5_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_6: { CiscoFlowEntryV6_t *ArgusNetFlow = (CiscoFlowEntryV6_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_7: { CiscoFlowEntryV7_t *ArgusNetFlow = (CiscoFlowEntryV7_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusTransportStruct *trans = &flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_8: { // ptr += sizeof(CiscoFlowEntryV8_t); break; } case CISCO_VERSION_9: { CiscoFlowEntryV9_t *ArgusNetFlow = (CiscoFlowEntryV9_t *) ptr; int done = 0, flowset_id, flowset_len; flowset_id = ntohs(ArgusNetFlow->flowset_id); flowset_len = ntohs(ArgusNetFlow->length); switch (flowset_id) { case k_CiscoV9TemplateFlowsetId: { if (ArgusParseCiscoRecordV9Template(model, templates, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } case k_CiscoV9OptionsFlowsetId: { done++; break; } default: { if (flowset_id >= k_CiscoV9MinRecordFlowsetId) { if (ArgusParseCiscoRecordV9Data(model, templates, (u_char *)ArgusNetFlow, flowset_len) == NULL) { } } done++; break; } } ptr += flowset_len; break; } } break; } } } */ #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusParseSflowRecord(%p, %p)", model, ptr); #endif } #endif argus-3.0.8.2/argus/ArgusSflow.h000444 000765 000024 00000002241 12513222401 017001 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Modeler * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusSflow.h#6 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifndef ArgusSflow_h #define ArgusSflow_h #include void ArgusParseSflowRecord (struct ArgusModelerStruct *, void *); #else extern void ArgusParseSflowRecord (struct ArgusModelerStruct *, void *); #endif argus-3.0.8.2/argus/ArgusSource.c000444 000765 000024 00000451406 12700760416 017170 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Input processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusSource.c#134 $ * $DateTime: 2016/04/05 12:00:14 $ * $Change: 3135 $ */ /* * ArgusSource.c - Argus packet source routines. * * written by Carter Bullard * QoSient, LLC * Tue Aug 8 08:13:36 EDT 2000 * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #define ARGUS_NEW_INTERFACE_STRATEGY 1 #if !defined(ArgusSource) #define ArgusSource #endif #include #if defined(__APPLE_CC__) || defined(__APPLE__) #define PCAP_DONT_INCLUDE_PCAP_BPF_H #include #include #endif #if defined(HAVE_NETINET_IN_H) #include #endif #if defined(HAVE_ARPA_INET_H) #include #endif #include #include #include #include #include #include #include #if !defined(PPP_HDRLEN) #define PPP_HDRLEN 4 /* length of PPP header */ #endif void ArgusGetInterfaceStatus (struct ArgusSourceStruct *src); void setArgusPcapBufSize (struct ArgusSourceStruct *, int); struct ArgusDeviceStruct * ArgusCloneDevice(struct ArgusDeviceStruct *dev) { struct ArgusDeviceStruct *retn = NULL; if ((retn = (void *) ArgusCalloc(1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusCloseDevice: ArgusCalloc error %s\n", strerror(errno)); retn->status = dev->status; retn->type = dev->type; retn->link = dev->link; bcopy((char *)&dev->ArgusID, (char *)&retn->ArgusID, sizeof(dev->ArgusID)); retn->idtype = dev->idtype; retn->name = strdup(dev->name); return (retn); } struct ArgusSourceStruct * ArgusCloneSource(struct ArgusSourceStruct *src) { struct ArgusSourceStruct *retn = NULL; int i; if ((retn = (struct ArgusSourceStruct *) ArgusCalloc (1, sizeof (struct ArgusSourceStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusCloneSource: ArgusCalloc error %s\n", strerror(errno)); retn->state = src->state; retn->status = src->status; retn->mode = src->mode; retn->ArgusPcapBufSize = src->ArgusPcapBufSize; if (src->ArgusDeviceList) { int i, count = src->ArgusDeviceList->count; retn->ArgusDeviceList = ArgusNewList(); for (i = 0; i < count; i++) { struct ArgusDeviceStruct *dev, *device = (struct ArgusDeviceStruct *) ArgusPopFrontList(src->ArgusDeviceList, ARGUS_LOCK); if ((dev = ArgusCloneDevice(device)) == NULL) ArgusLog (LOG_ERR, "ArgusCloneSource: ArgusCloneDevice error %s\n", strerror(errno)); ArgusPushBackList(retn->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); } } if (src->ArgusInputFilter) retn->ArgusInputFilter = strdup(src->ArgusInputFilter); if (src->ArgusWriteOutPacketFile) retn->ArgusWriteOutPacketFile = strdup(src->ArgusWriteOutPacketFile); retn->ArgusDumpPacket = src->ArgusDumpPacket; retn->ArgusDumpPacketOnError = src->ArgusDumpPacketOnError; retn->ArgusStartTime = src->ArgusStartTime; retn->ArgusEndTime = src->ArgusEndTime; retn->lasttime = retn->lasttime; retn->ArgusSnapLength = src->ArgusSnapLength; retn->ArgusThisLength = src->ArgusThisLength; retn->ArgusInterfaceType = src->ArgusInterfaceType; retn->ArgusInterfaceStatus = src->ArgusInterfaceStatus; retn->Argustflag = src->Argustflag; retn->sNflag = src->sNflag; retn->eNflag = src->eNflag; retn->kflag = src->kflag; retn->pflag = src->pflag; retn->uflag = src->uflag; retn->Tflag = src->Tflag; retn->ArgusInterfaceIndex = src->ArgusInterfaceIndex; retn->ArgusThisIndex = src->ArgusThisIndex; retn->ArgusInterfaces = src->ArgusInterfaces; for (i = 0; i < src->ArgusInterfaceIndex; i++) bcopy(&src->ArgusInterface[i], &retn->ArgusInterface[i], sizeof(src->ArgusInterface[i])); retn->ArgusInputPacketFileType = src->ArgusInputPacketFileType; retn->ArgusReadingOffLine = src->ArgusReadingOffLine; retn->Argusbpflag = src->Argusbpflag; retn->ArgusCaptureFlag = src->ArgusCaptureFlag; retn->ArgusSnapLen = src->ArgusSnapLen; retn->Argusfflag = src->Argusfflag; retn->ArgusOflag = src->ArgusOflag; retn->Arguspflag = src->Arguspflag; retn->ArgusArgv = src->ArgusArgv; retn->ArgusOptind = src->ArgusOptind; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCloneSource(%p) returning %p\n", src, retn); #endif return (retn); } struct ArgusSourceStruct * ArgusNewSource(struct ArgusModelerStruct *model) { struct ArgusSourceStruct *retn = NULL; if ((retn = (struct ArgusSourceStruct *) ArgusCalloc (1, sizeof (struct ArgusSourceStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewSource: ArgusCalloc error %s\n", strerror(errno)); retn->ArgusModel = model; retn->sNflag = -1; retn->eNflag = -1; retn->ArgusSnapLen = ARGUS_MINSNAPLEN; #if defined(ARGUS_THREADS) if (pthread_mutex_init(&retn->lock, NULL)) ArgusLog (LOG_ERR, "ArgusNewSource: pthread_mutex_init error\n"); if (pthread_cond_init(&retn->cond, NULL)) ArgusLog (LOG_ERR, "ArgusNewSource: pthread_cond_init errors\n"); #endif #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusNewSource(%p) returning %p\n", model, retn); #endif return (retn); } void setArgusThreadCount (struct ArgusSourceStruct *, char *); int getArgusThreadCount (struct ArgusSourceStruct *); #define ARGUS_MAX_THREADS 64 int getArgusThreadCount (struct ArgusSourceStruct *src) { return(src->tflag); } void setArgusThreadCount (struct ArgusSourceStruct *src, char *arg) { char *ptr = NULL; int num = 0; if (src != NULL) { num = (int)strtol(arg, (char **)&ptr, 10); if (ptr == arg) ArgusLog (LOG_ERR, "setArgusThreadCount format error %s not integer\n", arg); if ((src->tflag = num) > ARGUS_MAX_THREADS) ArgusLog (LOG_ERR, "setArgusThreadCount error %d tooo many threads\n", num); } #ifdef ARGUSDEBUG ArgusDebug (1, "setArgusThreadCount(%p, %d)\n", src, num); #endif } #include #include #include #include int ArgusOpenDevice(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); int ArgusOpenInterface(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); int ArgusOpenDevice(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { int retn = 0, count, i, cnt = src->ArgusInterfaces; if (device) { if (device->list && (count = device->list->count)) { for (i = 0; i < count; i++) { struct ArgusDeviceStruct *dev = (struct ArgusDeviceStruct *) ArgusPopFrontList(device->list, ARGUS_LOCK); src->ArgusInterfaces += ArgusOpenInterface(src, dev, &src->ArgusInterface[src->ArgusInterfaces]); ArgusPushBackList(device->list, (struct ArgusListRecord *) device, ARGUS_LOCK); } } else { src->ArgusInterfaces += ArgusOpenInterface(src, device, &src->ArgusInterface[src->ArgusInterfaces]); } } retn = (src->ArgusInterfaces - cnt); return retn; } int ArgusOpenInterface(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { char errbuf[PCAP_ERRBUF_SIZE]; int type, retn = 0; extern int ArgusShutDownFlag; if (ArgusShutDownFlag) { ArgusShutDown(0); return retn; } if ((device == NULL) || (device->name == NULL)) { if (inf->ArgusDevice) device = inf->ArgusDevice; else return retn; } inf->ArgusDevice = device; #ifdef HAVE_PCAP_SET_BUFFER_SIZE if ((inf->ArgusPd = pcap_create(device->name, errbuf)) != NULL) { pcap_set_snaplen(inf->ArgusPd, src->ArgusSnapLen); pcap_set_promisc(inf->ArgusPd, !src->Arguspflag); pcap_set_timeout(inf->ArgusPd, 100); if (src->ArgusPcapBufSize > 0) { pcap_set_buffer_size(inf->ArgusPd, src->ArgusPcapBufSize); #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusOpenInterface() pcap_set_buffer_size(%p, %d)\n", src, src->ArgusPcapBufSize); #endif } switch (retn = pcap_activate(inf->ArgusPd)) { case PCAP_ERROR_ACTIVATED: case PCAP_ERROR_NO_SUCH_DEVICE: case PCAP_ERROR_PERM_DENIED: #if defined(PCAP_ERROR_PROMISC_PERM_DENIED) case PCAP_ERROR_PROMISC_PERM_DENIED: #endif case PCAP_ERROR: { ArgusLog (LOG_WARNING, "ArgusOpenInterface %s: %s\n", device->name, pcap_geterr(inf->ArgusPd)); pcap_close(inf->ArgusPd); inf->ArgusPd = NULL; retn = 0; break; } case PCAP_ERROR_IFACE_NOT_UP: case PCAP_WARNING_PROMISC_NOTSUP: #if defined(PCAP_WARNING_TSTAMP_TYPE_NOTSUP) case PCAP_WARNING_TSTAMP_TYPE_NOTSUP: #endif case PCAP_WARNING: default: retn = 1; } #else if ((inf->ArgusPd = pcap_open_live(device->name, src->ArgusSnapLen, !src->Arguspflag, 100, errbuf)) != NULL) { #endif if (inf->ArgusPd != NULL) { pcap_setnonblock(inf->ArgusPd, 1, errbuf); if (device->dltname != NULL) { #ifdef HAVE_PCAP_SET_DATALINK if (pcap_set_datalink(inf->ArgusPd, device->dlt) < 0) ArgusLog(LOG_ERR, "%s", pcap_geterr(inf->ArgusPd)); #else /* * We don't actually support changing the * data link type, so we only let them * set it to what it already is. */ if (device->dlt != pcap_datalink(inf->ArgusPd)) ArgusLog(LOG_ERR, "%s is not one of the DLTs supported by this device\n", device->dltname); #endif } #if defined(__APPLE_CC__) || defined(__APPLE__) { int v = 1; ioctl(pcap_fileno(inf->ArgusPd), BIOCIMMEDIATE, &v); } #endif src->ArgusInputPacketFileType = ARGUSLIBPPKTFILE; inf->ArgusInterfaceType = ARGUSLIBPPKTFILE; memset((char *)&inf->ifr, 0, sizeof(inf->ifr)); strncpy(inf->ifr.ifr_name, device->name, sizeof(inf->ifr.ifr_name)); if (!((pcap_lookupnet (device->name, (u_int *)&inf->ArgusLocalNet, (u_int *)&inf->ArgusNetMask, errbuf)) < 0)) { #if defined(_LITTLE_ENDIAN) inf->ArgusLocalNet = ntohl(inf->ArgusLocalNet); inf->ArgusNetMask = ntohl(inf->ArgusNetMask); #endif } type = pcap_datalink(inf->ArgusPd); if ((inf->ArgusCallBack = Arguslookup_pcap_callback(type)) == NULL) ArgusLog (LOG_ERR, "unsupported device type %d\n", type); retn = 1; } #ifdef HAVE_PCAP_SET_BUFFER_SIZE } #else } #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusOpenInterface(%p, '%s') returning %d\n", src, inf->ArgusDevice->name, retn); #endif return retn; } #if defined(CYGWIN) #include #endif #define MAX_RECEIVE_PACKETS (2000) int ArgusInitSource (struct ArgusSourceStruct *src) { char errbuf[PCAP_ERRBUF_SIZE]; char *cmdbuf = NULL; int retn = 0, i = 0; src->ArgusInterfaces = 0; bzero ((char *)&src->ArgusInterface, sizeof(src->ArgusInterface)); if (src->ArgusDeviceList == NULL) { pcap_if_t *d; if (pcap_findalldevs(&src->ArgusPacketDevices, errbuf) == -1) ArgusLog (LOG_ERR, "ArgusInitSource: pcap_findalldevs_ex %s\n", errbuf); for (d = src->ArgusPacketDevices; d != NULL; d = d->next) { #if defined(CYGWIN) printf ("%d. %s", ++i, d->name); if (d->description) printf (" (%s)\n", d->description); else printf ("\n"); #else i++; #if defined(ARGUS_NEW_INTERFACE_STRATEGY) setArgusDevice (src, d->name, ARGUS_LIVE_DEVICE, 0); #endif #endif } #if defined(ARGUS_NEW_INTERFACE_STRATEGY) if (i == 0) ArgusLog (LOG_ERR, "ArgusInitSource: no interfaces\n"); #endif pcap_freealldevs(src->ArgusPacketDevices); #if defined(CYGWIN) exit(1); #else #if !defined(ARGUS_NEW_INTERFACE_STRATEGY) setArgusDevice (src, pcap_lookupdev (errbuf), ARGUS_LIVE_DEVICE, 0); #endif #endif } if (src->ArgusDeviceList) { int count = src->ArgusDeviceList->count; for (i = 0; i < count; i++) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) ArgusPopFrontList(src->ArgusDeviceList, ARGUS_LOCK); if (device != NULL) { switch (device->type) { case ARGUS_LIVE_DEVICE: src->ArgusInterfaces += ArgusOpenDevice(src, device, &src->ArgusInterface[src->ArgusInterfaces]); break; case ARGUS_FILE_DEVICE: src->ArgusInterfaces += ArgusOpenInputPacketFile(src, device, &src->ArgusInterface[i]); break; } ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); } } } if (src->ArgusInterfaces > 0) { if (setuid(getuid()) != 0) ArgusLog (LOG_ERR, "ArgusInitSource: setuid %s\n", strerror(errno)); cmdbuf = ArgusCopyArgv(&src->ArgusArgv[src->ArgusOptind]); if (cmdbuf) { if (src->ArgusInputFilter) ArgusFree(src->ArgusInputFilter); src->ArgusInputFilter = cmdbuf; } if (src->ArgusInputFilter != NULL) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { bzero ((char *) &src->ArgusInterface[i].ArgusFilter, sizeof (struct bpf_program)); if (pcap_compile (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusFilter, src->ArgusInputFilter, getArgusOflag(src), src->ArgusInterface[i].ArgusNetMask) < 0) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[i].ArgusPd)); if (src->Argusbpflag) { Argusbpf_dump (&src->ArgusInterface[i].ArgusFilter, src->Argusbpflag); exit(0); } if (src->ArgusInputPacketFileType == ARGUSLIBPPKTFILE) { if (src->ArgusInputFilter != NULL) { if (pcap_setfilter (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusFilter) < 0) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[i].ArgusPd)); } } } } } if (src->ArgusWriteOutPacketFile) { if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } src->ArgusModel = ArgusCloneModeler(ArgusModel); src->ArgusModel->ArgusSrc = src; ArgusInitModeler(src->ArgusModel); #if defined(ARGUS_THREADS) if (pthread_mutex_init(&src->lock, NULL)) ArgusLog (LOG_ERR, "ArgusInitSource: pthread_mutex_init error\n"); if (pthread_cond_init(&src->cond, NULL)) ArgusLog (LOG_ERR, "ArgusInitSource: pthread_cond_init error\n"); #endif retn = 1; } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitSource: no packet sources for this device."); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitSource(%p) returning %d\n", src, retn); #endif return retn; } int ArgusCloseSource(struct ArgusSourceStruct *src) { int i; if (src) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseSource(%p) starting\n", src); #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (src->srcs[i] != NULL) { ArgusCloseSource (src->srcs[i]); } } #if defined(ARGUS_THREADS) if (src->thread) pthread_join(src->thread, NULL); #endif for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { pcap_close(src->ArgusInterface[i].ArgusPd); src->ArgusInterface[i].ArgusPd = NULL; } } if (src->ArgusPcapOutFile) pcap_dump_close(src->ArgusPcapOutFile); if (src->ArgusInputFilter) ArgusFree (src->ArgusInputFilter); if (src->ArgusDeviceList) { ArgusDeleteList(src->ArgusDeviceList, ARGUS_DEVICE_LIST); } if (src->ArgusRfileList != NULL) ArgusDeleteList (src->ArgusRfileList, ARGUS_RFILE_LIST); if (src->ArgusModel != NULL) ArgusCloseModeler(src->ArgusModel); src->status |= ARGUS_SHUTDOWN; #if defined(ARGUS_THREADS) pthread_mutex_lock(&src->lock); pthread_cond_signal(&src->cond); pthread_mutex_unlock(&src->lock); #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCloseSource(%p) done\n", src); #endif return (0); } void ArgusDeleteSource(struct ArgusSourceStruct *src) { int i; if (src) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusDeleteSource(%p) starting\n", src); #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (src->srcs[i] != NULL) { if (src->srcs[i]->ArgusModel != NULL) ArgusFree (src->srcs[i]->ArgusModel); ArgusFree (src->srcs[i]); src->srcs[i] = NULL; } else break; } ArgusFree (src); } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCloseSource(%p) done\n", src); #endif } unsigned int getArgusID(struct ArgusSourceStruct *src) { #ifdef ARGUSDEBUG ArgusDebug (7, "getArgusID(%p) done\n", src); #endif return (src->ArgusID.a_un.value); } unsigned int getArgusIDType(struct ArgusSourceStruct *src) { #ifdef ARGUSDEBUG ArgusDebug (7, "getArgusIDType(%p) done\n", src); #endif return (src->type); } void setArgusID(struct ArgusSourceStruct *src, void *ptr, unsigned int type) { src->ArgusID.a_un.value = 0; switch (type) { case ARGUS_TYPE_STRING: bcopy((char *)ptr, &src->ArgusID.a_un.str, strlen((char *)ptr)); break; case ARGUS_TYPE_INT: src->ArgusID.a_un.value = atoi((char *)ptr); break; case ARGUS_TYPE_IPV4: src->ArgusID.a_un.ipv4 = ntohl(*(unsigned int *)ptr); break; } src->type = type; #ifdef ARGUSDEBUG ArgusDebug (1, "setArgusID(%p, %p, 0x%x) done", src, ptr, type); #endif } void setArgusPcapBufSize (struct ArgusSourceStruct *src, int size) { if (src != NULL) { src->ArgusPcapBufSize = size; } #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusPcapBufSize(%p, %d)\n", src, size); #endif } unsigned char getArgusInterfaceStatus(struct ArgusSourceStruct *src) { return (src->ArgusInterfaceStatus); } void setArgusInterfaceStatus(struct ArgusSourceStruct *src, unsigned char value) { src->ArgusInterfaceStatus = value; #ifdef ARGUSDEBUG ArgusDebug (1, "setArgusInterfaceStatus(%p, %d)\n", src, value); #endif } int getArgusSnapLen(struct ArgusSourceStruct *src) { return (src->ArgusSnapLen); } void setArgusSnapLen(struct ArgusSourceStruct *src, int value) { src->ArgusSnapLen = value; } int getArgusfflag(struct ArgusSourceStruct *src) { return (src->Argusfflag); } int getArgusbpflag(struct ArgusSourceStruct *src) { return (src->Argusbpflag); } int getArguspflag(struct ArgusSourceStruct *src) { return (src->Arguspflag); } int getArgusOflag(struct ArgusSourceStruct *src) { return (src->ArgusOflag); } void setArgusfflag(struct ArgusSourceStruct *src, int value) { src->Argusfflag = value; } void setArgusbpflag(struct ArgusSourceStruct *src, int value) { src->Argusbpflag = value; } void setArguspflag(struct ArgusSourceStruct *src, int value) { src->Arguspflag = value; } void setArgusOflag(struct ArgusSourceStruct *src, int value) { src->ArgusOflag = value; } void setArgusCaptureFlag(struct ArgusSourceStruct *src, int value) { src->ArgusCaptureFlag = value; } char * getArgusDevice (struct ArgusSourceStruct *src) { struct ArgusDeviceStruct *device = NULL; char *retn = NULL; if (src->ArgusDeviceList != NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusPopFrontList(src->ArgusDeviceList, ARGUS_LOCK)) != NULL) ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "getArgusDevice(%p) src->ArgusDeviceList is NULL\n", src); #endif } if (device != NULL) retn = device->name; #ifdef ARGUSDEBUG ArgusDebug (1, "getArgusDevice(%p) returning %s\n", src, retn); #endif return (retn); } /* * The syntax for specifying this either on the command line or in this file: * -i ind:all * -i dup:en0,en1 * -i bond:en0,en1 * -i dup:[bond:en0,en1],en2 * -i en0 -i en1 (equivalent '-i ind:en0,en1') * -i en0 en1 (equivalent '-i bond:en0,en1') * */ int ArgusCheckPcapDevices(pcap_if_t *, char *); int ArgusCheckPcapDevices(pcap_if_t *alldevs, char *tok) { int retn = 0; pcap_if_t *d; if (!(strncmp("all", tok, 3))) { if (alldevs != NULL) retn = 1; } else { for (d = alldevs; d != NULL; d = d->next) { if (!strcmp(tok, d->name)) { retn = 1; break; } } } return(retn); } // The syntax for specifying this either on the command line or in this file: // -i ind:all // -i dup:en0,en1/srcid // -i bond:en0,en1/srcid // -i dup:[bond:en0,en1],en2/srcid // -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') // -i en0 en1 (equivalent '-i bond:en0,en1') void setArgusDevice (struct ArgusSourceStruct *src, char *cmd, int type, int mode) { if (src->ArgusDeviceList == NULL) src->ArgusDeviceList = ArgusNewList(); if (cmd) { struct ArgusDeviceStruct *device = NULL; char errbuf[PCAP_ERRBUF_SIZE]; char *params = strdup(cmd); pcap_if_t *alldevs = NULL, *d; char *ptr = NULL; #if defined(CYGWIN) int i = 0, num, ref = 0; #else struct ArgusDeviceStruct *dev = NULL; int cnt = 0, status; char *tok; #endif // if (type == ARGUS_LIVE_DEVICE) // if (pcap_findalldevs(&alldevs, errbuf) == -1) // ArgusLog (LOG_ERR, "setArgusDevice: pcap_findalldevs %s\n", errbuf); #if !defined(CYGWIN) // we need to parse this bad thing and construct the devices struct if (!(strncmp("ind:", params, 4))) { ptr = ¶ms[4]; status = ARGUS_TYPE_IND; } else if (!(strncmp("dup:", params, 4))) { ptr = ¶ms[4]; status = ARGUS_TYPE_DUPLEX; } else if (!(strncmp("bond:", params, 5))) { ptr = ¶ms[5]; status = ARGUS_TYPE_BOND; } else { ptr = params; status = ARGUS_TYPE_IND; } while ((tok = strtok(ptr, " ,")) != NULL) { char *srcid = NULL, *dlt = NULL, *sptr = NULL; cnt++; switch (type) { case ARGUS_LIVE_DEVICE: { if ((sptr = strchr (tok, '/')) != NULL) { *sptr++ = '\0'; srcid = sptr; } if ((sptr = strchr (tok, '(')) != NULL) { *sptr++ = '\0'; dlt = sptr; if ((sptr = strchr (dlt, ')')) != NULL) *sptr = '\0'; } if (!(strncmp("any", tok, 3))) { setArgusDevice (src, pcap_lookupdev (errbuf), ARGUS_LIVE_DEVICE, 0); break; } else if (!(strncmp("all", tok, 3))) { if (alldevs != NULL) { for (d = alldevs; d != NULL; d = d->next) { if (!(d->flags & PCAP_IF_LOOPBACK)) { if ((dev = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); dev->name = strdup(d->name); dev->status = status; dev->type = type; if (dlt != NULL) { #if defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) dev->dlt = pcap_datalink_name_to_val(dlt); #else dev->dlt = 0; #endif dev->dltname = strdup(dlt); } switch (status) { case ARGUS_TYPE_IND: ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; case ARGUS_TYPE_BOND: case ARGUS_TYPE_DUPLEX: if (device == NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); device->name = strdup(cmd); device->status = status; device->type = type; device->list = ArgusNewList(); } ArgusPushFrontList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; } } } } break; } // Deliberate fall through to process specific interface name } case ARGUS_FILE_DEVICE: { if ((dev = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); dev->name = strdup(tok); dev->status = status; dev->type = type; dev->mode = mode; if (dlt != NULL) { #if defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) dev->dlt = pcap_datalink_name_to_val(dlt); #else dev->dlt = 0; #endif dev->dltname = strdup(dlt); } switch (status) { case ARGUS_TYPE_IND: ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; case ARGUS_TYPE_BOND: case ARGUS_TYPE_DUPLEX: if (device == NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); device->name = strdup(cmd); device->status = status; device->type = type; device->list = ArgusNewList(); } ArgusPushFrontList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; } break; } } if (dev != NULL) { if (srcid != NULL) { struct ArgusAddrStruct ArgusID = ArgusSourceTask->ArgusID; int type = ArgusSourceTask->type; ArgusParseSourceID (ArgusSourceTask, srcid); dev->ArgusID = ArgusSourceTask->ArgusID; dev->idtype = ArgusSourceTask->type; ArgusSourceTask->type = type; ArgusSourceTask->ArgusID = ArgusID; } else { dev->ArgusID = ArgusSourceTask->ArgusID; dev->idtype = ArgusSourceTask->type; } } ptr = NULL; } if (device != NULL) ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); #else // on cygwin, you get integers not interface names if (device == NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); device->type = type; } device->status = ARGUS_TYPE_IND; num = (int)strtol(cmd, (char **)&ptr, 10); if (ptr != cmd) ref = 1; if (!(strncmp(cmd, "any", 3))) { ref = 1; num = 1; } for (d = alldevs; d != NULL; d = d->next) { i++; if (ref) { if (i == num) { device->name = strdup(d->name); break; } } else { if (!strcmp(cmd, d->name)) { device->name = strdup(d->name); break; } } } if (i == 0) ArgusLog (LOG_ERR, "setArgusDevice: no interfaces\n"); ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); #endif free(params); if (alldevs != NULL) pcap_freealldevs(alldevs); } #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusDevice(%s) returning\n", cmd); #endif } void clearArgusDevice (struct ArgusSourceStruct *src) { struct ArgusListStruct *list; struct ArgusListRecord *retn; if ((list = src->ArgusDeviceList) != NULL) { while ((retn = ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) retn; if (device->list && device->list->count) { struct ArgusListRecord *lrec; while ((lrec = ArgusPopFrontList(device->list, ARGUS_LOCK)) != NULL) { struct ArgusDeviceStruct *tdev = (struct ArgusDeviceStruct *) lrec; if (tdev->name != NULL) free(tdev->name); ArgusFree(lrec); } } if (device->name != NULL) free(device->name); ArgusFree(retn); } } #ifdef ARGUSDEBUG ArgusDebug (3, "clearArgusDevice(%p) returning\n", src); #endif } char * getArgusrfile (struct ArgusSourceStruct *src) { struct ArgusRfileStruct *rfile = NULL; char *retn = NULL; if (src->ArgusRfileList != NULL) { rfile = (struct ArgusRfileStruct *) src->ArgusRfileList->start; retn = rfile->name; } return (retn); } void ArgusSortFileList (struct ArgusListStruct *); void setArgusrfile (struct ArgusSourceStruct *src, char *value) { if (src->ArgusRfileList == NULL) src->ArgusRfileList = ArgusNewList(); if (value) { struct ArgusRfileStruct *rfile; struct stat statbuf; char *tok, *ptr = value; while ((tok = strtok (ptr, " \t")) != NULL) { char *tptr; int mode = 0; if (strcmp("-", tok)) { if ((tptr = strstr (tok, "cisco:")) != NULL) { mode = ARGUS_CISCO_DATA_SOURCE; tok = tptr + 6; } else if ((tptr = strstr (tok, "sflow:")) != NULL) { mode = ARGUS_SFLOW_DATA_SOURCE; tok = tptr + 6; } if (stat(tok, &statbuf) < 0) ArgusLog (LOG_ERR, "input file '%s': %s", tok, strerror(errno)); } if ((rfile = (struct ArgusRfileStruct *) ArgusCalloc(1, sizeof(*rfile))) == NULL) ArgusLog (LOG_ERR, "setArgusrfile ArgusCalloc %s\n", strerror(errno)); rfile->name = strdup(tok); rfile->mode = mode; ArgusPushBackList(src->ArgusRfileList, (struct ArgusListRecord *) rfile, ARGUS_LOCK); // setArgusDevice(src, tok, ARGUS_FILE_DEVICE, rfile->mode); ptr = NULL; } ArgusSortFileList (src->ArgusRfileList); } } int getArgusMoatTshFile (struct ArgusSourceStruct *src) { return(src->Argustflag); } void setArgusMoatTshFile (struct ArgusSourceStruct *src, int value) { src->Argustflag = value; } float getArgusRealTime (struct ArgusSourceStruct *src) { return(src->Tflag); } void setArgusRealTime (struct ArgusSourceStruct *src, float value) { src->Tflag = value; } void setArgusWriteOutPacketFile (struct ArgusSourceStruct *src, char *file) { src->ArgusWriteOutPacketFile = strdup(file); } #define ARGUSMOATLEN 44 #define ARGUSMOATTSHTCPLEN 40 int ArgusMoatTshRead (struct ArgusSourceStruct *); int ArgusMoatTshRead (struct ArgusSourceStruct *src) { struct ArgusMoatTshPktHdr MoatTshBuffer[2], *ArgusMoatPktHdr = &MoatTshBuffer[0]; int retn = 0, length = 0; struct ip *iphdr = NULL; bzero (ArgusMoatPktHdr, sizeof(MoatTshBuffer)); if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), ArgusMoatPktHdr, ARGUSMOATLEN)) == ARGUSMOATLEN) { ArgusMoatPktHdr->interface = 0; #if defined(_LITTLE_ENDIAN) src->ArgusModel->ArgusGlobalTime.tv_sec = ntohl(ArgusMoatPktHdr->sec); src->ArgusModel->ArgusGlobalTime.tv_usec = ntohl(*((int *)&ArgusMoatPktHdr->interface)); #else src->ArgusModel->ArgusGlobalTime.tv_sec = ArgusMoatPktHdr->sec; #endif #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; iphdr = &ArgusMoatPktHdr->ip; #if defined(_LITTLE_ENDIAN) length = ntohs(iphdr->ip_len); #else length = iphdr->ip_len; #endif src->ArgusThisLength = length; switch (iphdr->ip_p) { case IPPROTO_ICMP: case IPPROTO_TCP: default: src->ArgusSnapLength = ARGUSMOATTSHTCPLEN; break; } src->ArgusThisSnapEnd = (((unsigned char *)iphdr) + src->ArgusSnapLength); if ((src->ArgusInputFilter == NULL) || (bpf_filter(src->ArgusInterface[0].ArgusFilter.bf_insns, (u_char *)iphdr, src->ArgusSnapLength, src->ArgusSnapLen))) { ArgusProcessIpPacket (src->ArgusModel, iphdr, length, &src->ArgusModel->ArgusGlobalTime); } } else close(pcap_fileno(src->ArgusInterface[0].ArgusPd)); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusMoatTshRead() returning %d\n", retn); #endif return (retn); } int ArgusSnoopRead (struct ArgusSourceStruct *src) { int retn = 0, len = 0; struct pcap_pkthdr pcap_pkthdr; struct ArgusSnoopPktHdr SnoopPktHdr; unsigned char ArgusPacketBuf[1540]; if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), &SnoopPktHdr, sizeof(SnoopPktHdr))) == sizeof(SnoopPktHdr)) { #if defined(_LITTLE_ENDIAN) SnoopPktHdr.len = ntohl(SnoopPktHdr.len); SnoopPktHdr.tlen = ntohl(SnoopPktHdr.tlen); SnoopPktHdr.argtvp.tv_sec = ntohl(SnoopPktHdr.argtvp.tv_sec); SnoopPktHdr.argtvp.tv_usec = ntohl(SnoopPktHdr.argtvp.tv_usec); #endif if ((len = ((SnoopPktHdr.tlen + 3) & 0xFFFFFFC)) < 1500) { if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), ArgusPacketBuf, len)) == len) { pcap_pkthdr.ts.tv_sec = SnoopPktHdr.argtvp.tv_sec; pcap_pkthdr.ts.tv_usec = SnoopPktHdr.argtvp.tv_usec; pcap_pkthdr.caplen = SnoopPktHdr.tlen; pcap_pkthdr.len = SnoopPktHdr.len; if ((src->ArgusInputFilter == NULL) || (bpf_filter(src->ArgusInterface[0].ArgusFilter.bf_insns, ArgusPacketBuf, SnoopPktHdr.tlen, src->ArgusSnapLen))) { src->ArgusInterface[0].ArgusCallBack (NULL, &pcap_pkthdr, ArgusPacketBuf); } } } } else close(pcap_fileno(src->ArgusInterface[0].ArgusPd)); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusSnoopRead() returning %d\n", retn); #endif return (retn); } #include #define ERF_REC_LEN_MAX (1<<16) int ArgusErfRead (struct ArgusSourceStruct *); int ArgusErfRead (struct ArgusSourceStruct *src) { int retn = 0, len = 0; unsigned char *ArgusPacketBuf = NULL; dag_record_t DagPktHdr; #define DAG_REC_SIZE 16 if (src->ArgusInterface[0].ArgusPacketBuffer == NULL) src->ArgusInterface[0].ArgusPacketBuffer = src->ArgusInterface[0].ArgusPacketBufferBuffer; if ((ArgusPacketBuf = src->ArgusInterface[0].ArgusPacketBuffer) != NULL) { if ((retn = read(src->ArgusInterface[0].ArgusPcap.fd, &DagPktHdr, DAG_REC_SIZE)) == DAG_REC_SIZE) { len = ntohs(DagPktHdr.rlen) - DAG_REC_SIZE; if ((retn = read(src->ArgusInterface[0].ArgusPcap.fd, ArgusPacketBuf, len)) == len) { ArgusDagPacket ((void *)src, (void *)&DagPktHdr, (const u_char *)ArgusPacketBuf); } else { if (retn == 0) close(src->ArgusInterface[0].ArgusPcap.fd); else ArgusLog(LOG_ERR, "ArgusErfRead: read error %s", strerror(errno)); } } else if (retn == 0) close(src->ArgusInterface[0].ArgusPcap.fd); else ArgusLog(LOG_ERR, "ArgusErfRead: read error %s", strerror(errno)); } else close(src->ArgusInterface[0].ArgusPcap.fd); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusErfRead() returning %d\n", retn); #endif return (retn); } pcap_handler Arguslookup_dag_callback (int type) { pcap_handler retn = NULL; struct callback *callback; #ifdef ARGUSDEBUG char *name = NULL; #endif for (callback = ArgusSourceCallbacks; callback->function; ++callback) if (type == callback->type) { retn = callback->function; #ifdef ARGUSDEBUG name = callback->fname; #endif break; } #ifdef ARGUSDEBUG ArgusDebug (3, "Arguslookup_dag_callback(%d) returning %s: %p\n", type, name, retn); #endif return (retn); } pcap_handler Arguslookup_pcap_callback (int type) { pcap_handler retn = NULL; struct callback *callback; for (callback = ArgusSourceCallbacks; callback->function; ++callback) if (type == callback->type) { retn = callback->function; break; } #ifdef ARGUSDEBUG ArgusDebug (3, "Arguslookup_pcap_callback(%d) returning %p\n", type, retn); #endif return (retn); } void ArgusParseSourceID (struct ArgusSourceStruct *src, char *optarg) { if (optarg && (*optarg == '"')) { int slen; optarg++; if (optarg[strlen(optarg) - 1] == '\n') optarg[strlen(optarg) - 1] = '\0'; if (optarg[strlen(optarg) - 1] == '\"') optarg[strlen(optarg) - 1] = '\0'; slen = strlen(optarg); if (slen > 4) optarg[4] = '\0'; setArgusID (src, optarg, ARGUS_TYPE_STRING); } else if (optarg && isalnum((int)*optarg)) { char *ptr; long num; if ((num = strtol(optarg, (char **)&ptr, 10)) == 0) if (errno == EINVAL) ArgusLog(LOG_ERR, "ArgusParseSourceID error: %s format incorrect", optarg); if (ptr == &optarg[strlen(optarg)]) { setArgusID (src, optarg, ARGUS_TYPE_INT); } else { int retn, done = 0; #if defined(HAVE_INET_ATON) struct in_addr pin; if (inet_aton(optarg, &pin)) { setArgusID (src, &pin.s_addr, ARGUS_TYPE_IPV4); done++; } #endif if (!done) { #if defined(HAVE_GETADDRINFO) struct addrinfo *host, hints; bzero(&hints, sizeof(hints)); hints.ai_family = AF_INET; if ((retn = getaddrinfo(optarg, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; do { switch (host->ai_family) { case AF_INET: { struct sockaddr_in *sa = (struct sockaddr_in *) host->ai_addr; unsigned int value; bcopy ((char *)&sa->sin_addr, (char *)&value, 4); setArgusID (src, &value, ARGUS_TYPE_IPV4); done++; break; } } host = host->ai_next; } while (host != NULL); freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: { ArgusLog(LOG_ERR, "srcid %s unknown", optarg); break; } #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "srcid %s has no IP address", optarg); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "srcid %s name server error %s", optarg, strerror(errno)); break; } } #else // HAVE_GETADDRINFO struct hostent *host; if ((host = gethostbyname(optarg)) != NULL) { if ((host->h_addrtype == 2) && (host->h_length == 4)) { unsigned int value; bcopy ((char *) *host->h_addr_list, (char *)&value, host->h_length); setArgusID (src, &value, ARGUS_TYPE_IPV4); } else ArgusLog (LOG_ERR, "Probe ID %s error %s\n", optarg, strerror(errno)); } else { if (optarg && isdigit((int)*optarg)) { setArgusID (src, optarg, ARGUS_TYPE_INT); } else ArgusLog (LOG_ERR, "Probe ID value %s is not appropriate (%s)\n", optarg, strerror(errno)); } #endif } } } else ArgusLog (LOG_ERR, "Probe ID value %s is not appropriate\n", optarg); } #if !defined(ARGUS_TILERA) int ArgusProcessLcpPacket (struct ArgusSourceStruct *, struct lcp_hdr *, int, struct timeval *); int ArgusProcessPacket (struct ArgusSourceStruct *, char *, int, struct timeval *, int); void ArgusEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; unsigned int caplen = h->caplen; unsigned int length = h->len; struct timeval tvpbuf, *tvp = &tvpbuf; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (p != NULL) { unsigned int ind = src->ArgusThisIndex; #define ARGUS_TIME_THRESHOLD 30 if ((src->marktime.tv_sec) && !(src->ArgusReadingOffLine)) { if ((tvp->tv_sec < (src->marktime.tv_sec - ARGUS_TIME_THRESHOLD)) || (tvp->tv_sec > (src->marktime.tv_sec + (10 * ARGUS_TIME_THRESHOLD)))) { // ArgusLog (LOG_WARNING, "ArgusInterface timestamps wayyy out of order: now %d then %d\n", tvp->tv_sec, src->lasttime.tv_sec); if (src->ArgusDumpPacketOnError && (src->ArgusWriteOutPacketFile != NULL)) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); #if defined(HAVE_PCAP_DUMP_FLUSH) pcap_dump_flush(src->ArgusPcapOutFile); #endif } return; } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->lasttime = *tvp; if (src->ArgusDumpPacket && (src->ArgusWriteOutPacketFile != NULL)) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } if (p && (length >= sizeof(struct ether_header))) { struct ether_header *ep; src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; ep = (struct ether_header *) p; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ETHER; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusEtherPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define TYPE_LEGACY 0 #define TYPE_HDLC_POS 1 #define TYPE_ETH 2 #define TYPE_ATM 3 #define TYPE_AAL5 4 #if !defined(ntohll) #if defined(_LITTLE_ENDIAN) #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__sun__) #include #define ntohll(x) EXTRACT_64BITS(&x) #define htonll(x) EXTRACT_64BITS(&x) #else #if defined(HAVE_SOLARIS) #include #define ntohll(x) bswap_64(x) #define htonll(x) bswap_64(x) #endif #endif #else #define ntohll(x) x #define htonll(x) x #endif #endif void ArgusDagPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (void *) user; dag_record_t *hdr = (void *) h; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length, caplen; unsigned long long ts; struct stat statbuf; int ind = src->ArgusThisIndex; length = ntohs(hdr->wlen); caplen = ntohs(hdr->rlen) - DAG_REC_SIZE; src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; ts = hdr->ts; tvp->tv_sec = (ts >> 32); #if defined(ARGUS_NANOSECONDS) ts = (ts & 0xfffffffcULL) * 1000000000; tvp->tv_usec = (int)(ts >> 32); #else ts = (ts & 0xffffffffULL) * 1000000; ts += 0x80000000; /* rounding */ tvp->tv_usec = (int)(ts >> 32); if (tvp->tv_usec >= 1000000) { tvp->tv_usec -= 1000000; tvp->tv_sec++; } #endif if ((src->marktime.tv_sec) && !(src->ArgusReadingOffLine)) { if ((tvp->tv_sec < (src->marktime.tv_sec - ARGUS_TIME_THRESHOLD)) || (tvp->tv_sec > (src->marktime.tv_sec + ARGUS_TIME_THRESHOLD))) { // ArgusLog (LOG_WARNING, "ArgusInterface timestamps wayyy out of order: now %d then %d\n", tvp->tv_sec, src->lasttime.tv_sec); if (src->ArgusDumpPacketOnError && (src->ArgusWriteOutPacketFile != NULL)) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); #if defined(HAVE_PCAP_DUMP_FLUSH) pcap_dump_flush(src->ArgusPcapOutFile); #endif } return; } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->lasttime = *tvp; if (p && length) { switch (hdr->type) { case TYPE_LEGACY: break; case TYPE_HDLC_POS: { int retn = 0, offset = 0, linktype = 0; unsigned short proto = 0; unsigned short value; #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif if (value == 0xFF03) { linktype = DLT_PPP_SERIAL; if ((p[0] == PPP_ADDRESS) && (p[1] == PPP_CONTROL)) { p += 2; length -= 2; } if (*p & 01) { proto = *p; p++; length -= 1; } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)p); #else proto = *(u_short *)p; #endif p += 2; length -= 2; } } else { linktype = DLT_CHDLC; #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)p; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif offset = CHDLC_HDRLEN; p = src->ArgusInterface[ind].ArgusPacketBuffer + offset; length -= offset; } if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = linktype; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = src->ArgusInterface[ind].ArgusPacketBuffer + caplen; switch (proto) { case PPP_LCP: retn = ArgusProcessLcpPacket (src, (struct lcp_hdr *)p, length, tvp); break; case ETHERTYPE_IP: /*XXX*/ case PPP_IP: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case PPP_IPV6: case ETHERTYPE_IPV6: /*XXX*/ retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case ETHERTYPE_MPLS: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case ETHERTYPE_MPLS_MULTI: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; default: break; } if (retn) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); break; } case TYPE_ETH: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_EN10MB; p += 2; src->ArgusModel->ArgusThisLength = length - 2; src->ArgusModel->ArgusSnapLength = caplen - 2; src->ArgusModel->ArgusThisSnapEnd = (u_char *)p + (caplen - 2); if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_ETHER_HDR)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); break; } case TYPE_ATM: case TYPE_AAL5: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_ATM_RFC1483; break; } default: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_NULL; break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusDagPacket (%p, %p) returning\n", src, hdr); #endif } void ArgusTokenPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusTokenPacket (%p, %p, %p) returning\n", user, h, p); #endif } #include void ArgusArcnetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ether_header *ep = (struct ether_header *) src->ArgusInterface[src->ArgusThisIndex].ArgusPacketBufferBuffer; struct arc_header *ap = (struct arc_header *) p; u_char arc_type = ap->arc_type; struct stat statbuf; int archdrlen = 0; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length = h->len; unsigned int caplen = h->caplen; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (src->ArgusModel->ArgusGlobalTime.tv_sec < 0) { ArgusLog (LOG_ERR, "ArgusArcnetPacket (%p, %p, %p) libpcap timestamp out of range %d.%d\n", user, h, p, src->ArgusModel->ArgusGlobalTime.tv_sec, src->ArgusModel->ArgusGlobalTime.tv_usec); } src->ArgusInterface[src->ArgusThisIndex].ArgusPacketBuffer = src->ArgusInterface[src->ArgusThisIndex].ArgusPacketBufferBuffer; switch (arc_type) { case ARCTYPE_IP_OLD: case ARCTYPE_ARP_OLD: case ARCTYPE_DIAGNOSE: archdrlen = ARC_HDRLEN; break; default: if (ap->arc_flag == 0xff) { archdrlen = ARC_HDRNEWLEN_EXC; } else { archdrlen = ARC_HDRNEWLEN; } break; } length -= archdrlen; caplen -= archdrlen; p += archdrlen; bcopy (p, (char *)ep, caplen); src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ARCNET; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusArcnetPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusAtmClipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusAtmClipPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusLoopPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusLoopPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct stat statbuf; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen = h->caplen; unsigned int length = h->len; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (p && length) { int retn = 0, offset = 0; unsigned short proto = 0; unsigned short value; #define CHDLC_UNICAST 0x0f #define CHDLC_BCAST 0x8f #define CHDLC_TYPE_SLARP 0x8035 #define CHDLC_TYPE_CDP 0x2000 #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif switch (value) { case CHDLC_UNICAST: case CHDLC_BCAST: case CHDLC_TYPE_SLARP: case CHDLC_TYPE_CDP: default: src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_CHDLC; break; } #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)&p[2]; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif offset = CHDLC_HDRLEN; p = (unsigned char *) (src->ArgusInterface[ind].ArgusPacketBuffer + offset); length -= offset; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (src->ArgusInterface[ind].ArgusPacketBuffer + caplen); switch (proto) { case ETHERTYPE_IP: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case ETHERTYPE_IPV6: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case ETHERTYPE_MPLS: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case ETHERTYPE_MPLS_MULTI: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; } if (retn) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusHdlcPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct stat statbuf; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen = h->caplen; unsigned int length = h->len; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_HDLC; if (p && length) { unsigned short proto = 0; unsigned short value; int offset = 0; #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif if (value == 0xFF03) { src->ArgusModel->ArgusThisEncaps |= ARGUS_ENCAPS_PPP; if ((p[0] == PPP_ADDRESS) && (p[1] == PPP_CONTROL)) { p += 2; length -= 2; } if (*p & 01) { proto = *p; p++; length -= 1; } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)p); #else proto = *(u_short *)p; #endif p += 2; length -= 2; } } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)p; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_CHDLC; offset = CHDLC_HDRLEN; p = (unsigned char *) (src->ArgusInterface[ind].ArgusPacketBuffer + offset); length -= offset; } src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (src->ArgusInterface[ind].ArgusPacketBuffer + caplen); switch (proto) { case PPP_LCP: ArgusProcessLcpPacket (src, (struct lcp_hdr *)p, length, tvp); break; case ETHERTYPE_IP: /*XXX*/ case PPP_IP: ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case PPP_IPV6: case ETHERTYPE_IPV6: /*XXX*/ ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case PPP_MPLS_UCAST: case ETHERTYPE_MPLS: ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case PPP_MPLS_MCAST: case ETHERTYPE_MPLS_MULTI: ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: default: break; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppHdlcPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppEtherPacket (%p, %p, %p) returning\n", user, h, p); #endif } void Argus802_11Packet (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length = h->len; unsigned int caplen = h->caplen; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)p) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_802_11; if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_802_11_HDR)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "Argus802_11Packet (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusLtalkPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusLtalkPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusJuniperPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct juniper_l2info_t l2info; unsigned int length = h->len; unsigned int caplen = h->caplen; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (juniper_parse_header(p, h, &l2info) != 0) { src->ArgusModel->ArgusThisLength = length - l2info.header_len; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)p) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_JUNIPER; p += l2info.header_len; if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_ETHER_HDR)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusJuniperPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusIpNetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusIpNetPacket (%p, %p, %p) returning\n", user, h, p); #endif } int ip_heuristic_guess(register const u_char *p, u_int length) { switch(p[0]) { case 0x45: case 0x46: case 0x47: case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4c: case 0x4d: case 0x4e: case 0x4f: // ip_print(gndo, p, length); break; #ifdef INET6 case 0x60: case 0x61: case 0x62: case 0x63: case 0x64: case 0x65: case 0x66: case 0x67: case 0x68: case 0x69: case 0x6a: case 0x6b: case 0x6c: case 0x6d: case 0x6e: case 0x6f: // ip6_print(p, length); break; #endif default: return 0; /* did not find a ip header */ break; } return 1; /* we printed an v4/v6 packet */ } int juniper_read_tlv_value(const u_char *p, u_int tlv_type, u_int tlv_len) { int tlv_value; /* TLVs < 128 are little endian encoded */ if (tlv_type < 128) { switch (tlv_len) { case 1: tlv_value = *p; break; case 2: tlv_value = EXTRACT_LE_16BITS(p); break; case 3: tlv_value = EXTRACT_LE_24BITS(p); break; case 4: tlv_value = EXTRACT_LE_32BITS(p); break; default: tlv_value = -1; break; } } else { /* TLVs >= 128 are big endian encoded */ switch (tlv_len) { case 1: tlv_value = *p; break; case 2: tlv_value = EXTRACT_16BITS(p); break; case 3: tlv_value = EXTRACT_24BITS(p); break; case 4: tlv_value = EXTRACT_32BITS(p); break; default: tlv_value = -1; break; } } return tlv_value; } static int juniper_parse_header (const u_char *p, const struct pcap_pkthdr *h, struct juniper_l2info_t *l2info) { struct juniper_cookie_table_t *lp = juniper_cookie_table; u_int idx, jnx_ext_len, jnx_header_len = 0; u_int8_t tlv_type,tlv_len; #ifdef DLT_JUNIPER_ATM2 u_int32_t control_word; #endif const u_char *tptr; l2info->header_len = 0; l2info->cookie_len = 0; l2info->proto = 0; l2info->length = h->len; l2info->caplen = h->caplen; // TCHECK2(p[0],4); l2info->flags = p[3]; l2info->direction = p[3]&JUNIPER_BPF_PKT_IN; if (EXTRACT_24BITS(p) != JUNIPER_MGC_NUMBER) { /* magic number found ? */ return 0; } /* magic number + flags */ jnx_header_len = 4; /* extensions present ? - calculate how much bytes to skip */ if ((l2info->flags & JUNIPER_BPF_EXT ) == JUNIPER_BPF_EXT ) { tptr = p+jnx_header_len; /* ok to read extension length ? */ /// TCHECK2(tptr[0], 2); jnx_ext_len = EXTRACT_16BITS(tptr); jnx_header_len += 2; tptr +=2; /* nail up the total length - * just in case something goes wrong * with TLV parsing */ jnx_header_len += jnx_ext_len; // TCHECK2(tptr[0], jnx_ext_len); while (jnx_ext_len > JUNIPER_EXT_TLV_OVERHEAD) { tlv_type = *(tptr++); tlv_len = *(tptr++); /* sanity check */ if (tlv_type == 0 || tlv_len == 0) break; juniper_read_tlv_value(tptr, tlv_type, tlv_len); switch (tlv_type) { case JUNIPER_EXT_TLV_IFD_NAME: /* FIXME */ break; case JUNIPER_EXT_TLV_IFD_MEDIATYPE: case JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE: break; case JUNIPER_EXT_TLV_IFL_ENCAPS: case JUNIPER_EXT_TLV_TTP_IFL_ENCAPS: break; case JUNIPER_EXT_TLV_IFL_IDX: /* fall through */ case JUNIPER_EXT_TLV_IFL_UNIT: case JUNIPER_EXT_TLV_IFD_IDX: default: break; } tptr+=tlv_len; jnx_ext_len -= tlv_len+JUNIPER_EXT_TLV_OVERHEAD; } } if ((l2info->flags & JUNIPER_BPF_NO_L2 ) == JUNIPER_BPF_NO_L2 ) { /* there is no link-layer present - * perform the v4/v6 heuristics * to figure out what it is */ // TCHECK2(p[jnx_header_len+4],1); if(ip_heuristic_guess(p+jnx_header_len+4,l2info->length-(jnx_header_len+4)) == 0) printf("no IP-hdr found!"); l2info->header_len=jnx_header_len+4; return 0; /* stop parsing the output further */ } l2info->header_len = jnx_header_len; p+=l2info->header_len; l2info->length -= l2info->header_len; l2info->caplen -= l2info->header_len; /* search through the cookie table and copy values matching for our PIC type */ while (lp->s != NULL) { if (lp->pictype == l2info->pictype) { l2info->cookie_len += lp->cookie_len; switch (p[0]) { case LS_COOKIE_ID: l2info->cookie_type = LS_COOKIE_ID; l2info->cookie_len += 2; break; case AS_COOKIE_ID: l2info->cookie_type = AS_COOKIE_ID; l2info->cookie_len = 8; break; default: l2info->bundle = l2info->cookie[0]; break; } #ifdef DLT_JUNIPER_MFR /* MFR child links don't carry cookies */ if (l2info->pictype == DLT_JUNIPER_MFR && (p[0] & MFR_BE_MASK) == MFR_BE_MASK) { l2info->cookie_len = 0; } #endif l2info->header_len += l2info->cookie_len; l2info->length -= l2info->cookie_len; l2info->caplen -= l2info->cookie_len; if (l2info->cookie_len > 0) { // TCHECK2(p[0],l2info->cookie_len); for (idx = 0; idx < l2info->cookie_len; idx++) { l2info->cookie[idx] = p[idx]; /* copy cookie data */ } } l2info->proto = EXTRACT_16BITS(p+l2info->cookie_len); break; } ++lp; } p+=l2info->cookie_len; /* DLT_ specific parsing */ switch(l2info->pictype) { #ifdef DLT_JUNIPER_MLPPP case DLT_JUNIPER_MLPPP: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; break; } break; #endif #ifdef DLT_JUNIPER_MLFR case DLT_JUNIPER_MLFR: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; l2info->proto = EXTRACT_16BITS(p); l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; } break; #endif #ifdef DLT_JUNIPER_MFR case DLT_JUNIPER_MFR: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; l2info->proto = EXTRACT_16BITS(p); l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; break; } break; #endif #ifdef DLT_JUNIPER_ATM2 case DLT_JUNIPER_ATM2: // TCHECK2(p[0],4); /* ATM cell relay control word present ? */ if (l2info->cookie[7] & ATM2_PKT_TYPE_MASK) { control_word = EXTRACT_32BITS(p); /* some control word heuristics */ switch(control_word) { case 0: /* zero control word */ case 0x08000000: /* < JUNOS 7.4 control-word */ case 0x08380000: /* cntl word plus cell length (56) >= JUNOS 7.4*/ l2info->header_len += 4; break; default: break; } } break; #endif #ifdef DLT_JUNIPER_GGSN case DLT_JUNIPER_GGSN: break; #endif #ifdef DLT_JUNIPER_ATM1 case DLT_JUNIPER_ATM1: break; #endif #ifdef DLT_JUNIPER_PPP case DLT_JUNIPER_PPP: break; #endif #ifdef DLT_JUNIPER_CHDLC case DLT_JUNIPER_CHDLC: break; #endif #ifdef DLT_JUNIPER_ETHER case DLT_JUNIPER_ETHER: break; #endif #ifdef DLT_JUNIPER_FRELAY case DLT_JUNIPER_FRELAY: break; #endif default: break; } return 1; /* everything went ok so far. continue parsing */ } #define PRISM_HDR_LEN 144 #define WLANCAP_MAGIC_COOKIE_V1 0x80211001 #define DIDmsg_lnxind_wlansniffrm 0x0041 #define DIDmsg_lnxind_wlansniffrm_hosttime 0x1041 #define DIDmsg_lnxind_wlansniffrm_mactime 0x2041 #define DIDmsg_lnxind_wlansniffrm_channel 0x3041 #define DIDmsg_lnxind_wlansniffrm_rssi 0x4041 #define DIDmsg_lnxind_wlansniffrm_sq 0x5041 #define DIDmsg_lnxind_wlansniffrm_signal 0x6041 #define DIDmsg_lnxind_wlansniffrm_noise 0x7041 #define DIDmsg_lnxind_wlansniffrm_rate 0x8041 #define DIDmsg_lnxind_wlansniffrm_istx 0x9041 #define DIDmsg_lnxind_wlansniffrm_frmlen 0xA041 struct prism_value { u_int32_t did; u_int16_t status, len; u_int32_t data; }; struct prism_header { u_int32_t msgcode, msglen; u_char devname[16]; struct prism_value hosttime; struct prism_value mactime; struct prism_value channel; struct prism_value rssi; struct prism_value sq; struct prism_value signal; struct prism_value noise; struct prism_value rate; struct prism_value istx; struct prism_value frmlen; }; /* * For DLT_PRISM_HEADER; like DLT_IEEE802_11, but with an extra header, * containing information such as radio information, which we * currently ignore. * * If, however, the packet begins with WLANCAP_MAGIC_COOKIE_V1, it's * really DLT_IEEE802_11_RADIO (currently, on Linux, there's no * ARPHRD_ type for DLT_IEEE802_11_RADIO, as there is a * ARPHRD_IEEE80211_PRISM for DLT_PRISM_HEADER, so * ARPHRD_IEEE80211_PRISM is used for DLT_IEEE802_11_RADIO, and * the first 4 bytes of the header are used to indicate which it is). */ void ArgusPrismPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct prism_header *phdr = (struct prism_header *) p; u_int caplen = h->caplen, phdrlen = sizeof (*phdr); if (caplen < 4) return; if (EXTRACT_32BITS(p) == WLANCAP_MAGIC_COOKIE_V1) Argus802_11RadioPacket (user, h, p + PRISM_HDR_LEN); if (caplen < PRISM_HDR_LEN) return; /* ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PRISM; */ if (phdr->hosttime.len != 4) { #define swapl(n) (((((unsigned long)(n) & 0xFF)) << 24) | \ ((((unsigned long)(n) & 0xFF00)) << 8) | \ ((((unsigned long)(n) & 0xFF0000)) >> 8) | \ ((((unsigned long)(n) & 0xFF000000)) >> 24)) #define swaps(n) (((((unsigned short)(n) & 0xFF)) << 8) | (((unsigned short)(n) & 0xFF00) >> 8)) phdr->msgcode = swapl(phdr->msgcode); phdr->msglen = swapl(phdr->msglen); phdr->hosttime.did = swapl(phdr->hosttime.did); phdr->hosttime.status = swaps(phdr->hosttime.status); phdr->hosttime.len = swaps(phdr->hosttime.len); phdr->hosttime.data = swapl(phdr->hosttime.data); phdr->mactime.did = swapl(phdr->mactime.did); phdr->mactime.status = swaps(phdr->mactime.status); phdr->mactime.len = swaps(phdr->mactime.len); phdr->mactime.data = swapl(phdr->mactime.data); phdr->channel.did = swapl(phdr->channel.did); phdr->channel.status = swaps(phdr->channel.status); phdr->channel.len = swaps(phdr->channel.len); phdr->channel.data = swapl(phdr->channel.data); phdr->rssi.did = swapl(phdr->rssi.did); phdr->rssi.status = swaps(phdr->rssi.status); phdr->rssi.len = swaps(phdr->rssi.len); phdr->rssi.data = swapl(phdr->rssi.data); phdr->sq.did = swapl(phdr->sq.did); phdr->sq.status = swaps(phdr->sq.status); phdr->sq.len = swaps(phdr->sq.len); phdr->sq.data = swapl(phdr->sq.data); phdr->signal.did = swapl(phdr->signal.did); phdr->signal.status = swaps(phdr->signal.status); phdr->signal.len = swaps(phdr->signal.len); phdr->signal.data = swapl(phdr->signal.data); phdr->noise.did = swapl(phdr->noise.did); phdr->noise.status = swaps(phdr->noise.status); phdr->noise.len = swaps(phdr->noise.len); phdr->noise.data = swapl(phdr->noise.data); phdr->rate.did = swapl(phdr->rate.did); phdr->rate.status = swaps(phdr->rate.status); phdr->rate.len = swaps(phdr->rate.len); phdr->rate.data = swapl(phdr->rate.data); phdr->istx.did = swapl(phdr->istx.did); phdr->istx.status = swaps(phdr->istx.status); phdr->istx.len = swaps(phdr->istx.len); phdr->istx.data = swapl(phdr->istx.data); phdr->frmlen.did = swapl(phdr->frmlen.did); phdr->frmlen.status = swaps(phdr->frmlen.status); phdr->frmlen.len = swaps(phdr->frmlen.len); phdr->frmlen.data = swapl(phdr->frmlen.data); } if ((phdrlen == PRISM_HDR_LEN) && ((void *)(phdr + 1) == (p + PRISM_HDR_LEN))) Argus802_11Packet (user, h, p + PRISM_HDR_LEN); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPrismPacket (%p, %p, %p) returning\n", user, h, p); #endif } struct avs_header { u_int32_t version, length; u_int64_t mactime, hosttime; u_int32_t phytype, channel; u_int32_t datarate, antenna; u_int32_t priority, ssi_type; u_int32_t ssi_signal, ssi_noise; u_int32_t preamble, encoding; }; void Argus802_11RadioAvsPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct avs_header *ahdr = (struct avs_header *) p; u_int32_t caplen = h->caplen, caphdr_len; caphdr_len = EXTRACT_32BITS(p + 4); if (caphdr_len < 8) return; if (caplen < caphdr_len) return; Argus802_11Packet (user, h, (u_char *)(ahdr + 1)); #ifdef ARGUSDEBUG ArgusDebug (8, "Argus802_11RadioAvsPacket (%p, %p, %p) returning\n", user, h, p); #endif } static int ArgusParseRadioTapField(struct cpack_state *, u_int32_t, struct ieee80211_radiotap *); void Argus802_11RadioPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ieee80211_radiotap_header *rthdr = (struct ieee80211_radiotap_header *) p; struct pcap_pkthdr phdr = *h; u_int32_t rthdr_len; #define BITNO_32(x) (((x) >> 16) ? 16 + BITNO_16((x) >> 16) : BITNO_16((x))) #define BITNO_16(x) (((x) >> 8) ? 8 + BITNO_8((x) >> 8) : BITNO_8((x))) #define BITNO_8(x) (((x) >> 4) ? 4 + BITNO_4((x) >> 4) : BITNO_4((x))) #define BITNO_4(x) (((x) >> 2) ? 2 + BITNO_2((x) >> 2) : BITNO_2((x))) #define BITNO_2(x) (((x) & 2) ? 1 : 0) #define BIT(n) (1U << n) #define IS_EXTENDED(__p) \ (EXTRACT_LE_32BITS(__p) & BIT(IEEE80211_RADIOTAP_EXT)) != 0 struct cpack_state cpacker; u_int32_t present, next_present; u_int32_t *presentp, *last_presentp; enum ieee80211_radiotap_type bit; int bit0; u_char *iter; if ((rthdr_len = rthdr->it_len) < 8) return; bzero(&src->ArgusThisRadioTap, sizeof(src->ArgusThisRadioTap)); if (h->caplen < rthdr_len) return; for (last_presentp = &rthdr->it_present; IS_EXTENDED(last_presentp) && (u_char*)(last_presentp + 1) <= p + rthdr_len; last_presentp++); /* are there more bitmap extensions than bytes in header? */ if (IS_EXTENDED(last_presentp)) return; iter = (u_char*)(last_presentp + 1); if (cpack_init(&cpacker, (u_int8_t *)iter, rthdr_len - (iter - p)) != 0) return; /* Assume no flags */ /* Assume no Atheros padding between 802.11 header and body */ for (bit0 = 0, presentp = &rthdr->it_present; presentp <= last_presentp; presentp++, bit0 += 32) { for (present = EXTRACT_LE_32BITS(presentp); present; present = next_present) { /* clear the least significant bit that is set */ next_present = present & (present - 1); /* extract the least significant bit that is set */ bit = (enum ieee80211_radiotap_type) (bit0 + BITNO_32(present ^ next_present)); if (ArgusParseRadioTapField(&cpacker, bit, &src->ArgusThisRadioTap) != 0) goto out; } } out: phdr.len -= rthdr_len; phdr.caplen -= rthdr_len; Argus802_11Packet (user, (const struct pcap_pkthdr *)&phdr, ((u_char *)rthdr + rthdr_len)); #undef BITNO_32 #undef BITNO_16 #undef BITNO_8 #undef BITNO_4 #undef BITNO_2 #undef BIT #ifdef ARGUSDEBUG ArgusDebug (3, "Argus802_11RadioPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusIpPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct ip *ip = (struct ip *) p; unsigned int length = h->len; unsigned int caplen = h->caplen; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *) ip) + caplen; src->ArgusModel->ArgusThisEncaps = 0; if (p) { src->ArgusModel->ArgusThisIpHdr = ip; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusIpPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ENC_HDRLEN 12 /* From $OpenBSD: mbuf.h,v 1.56 2002/01/25 15:50:23 art Exp $ */ #define M_CONF 0x0400 /* packet was encrypted (ESP-transport) */ #define M_AUTH 0x0800 /* packet was authenticated (AH) */ struct enchdr { u_int32_t af; u_int32_t spi; u_int32_t flags; }; void ArgusEncPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct ip *ip = (struct ip *) (p + ENC_HDRLEN); unsigned int caplen = h->caplen - ENC_HDRLEN; unsigned int length = h->len - ENC_HDRLEN; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *) ip) + caplen; src->ArgusModel->ArgusThisEncaps |= ARGUS_ENCAPS_SPI; if (p) { src->ArgusModel->ArgusThisIpHdr = ip; src->ArgusModel->ArgusThisLength = length; if (ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP)) if (src->ArgusDumpPacketOnError && (src->ArgusPcapOutFile != NULL)) pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusEncPacket (%p, %p, %p) returning\n", user, h, p); #endif } #if defined(ultrix) || defined(__alpha) static int fddi_bitswap = 0; #else static int fddi_bitswap = 1; #endif int fddipad = FDDIPAD; #define FDDI_HDRLEN (sizeof(struct fddi_header)) static u_char fddi_bit_swap[] = { 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff, }; static inline void Argusextract_fddi_addrs(const struct fddi_header *fp, struct ether_header *ehdr) { char *fsrc = (char *)&ehdr->ether_shost; char *fdst = (char *)&ehdr->ether_dhost; int i; if (fddi_bitswap) { for (i = 0; i < 6; ++i) fdst[i] = fddi_bit_swap[fp->fddi_dhost[i]]; for (i = 0; i < 6; ++i) fsrc[i] = fddi_bit_swap[fp->fddi_shost[i]]; } else { bcopy ((char *) fp->fddi_dhost, fdst, 6); bcopy ((char *) fp->fddi_shost, fsrc, 6); } } int ArgusCreatePktFromFddi(const struct fddi_header *fp, struct ether_header *ep, int length) { unsigned char *ptr; unsigned int retn = 0; struct llc *llc; if ((fp->fddi_fc & FDDIFC_CLFF) == FDDIFC_LLC_ASYNC) { Argusextract_fddi_addrs (fp, ep); llc = (struct llc *)(fp + 1); if (llc->ssap == LLCSAP_SNAP && llc->dsap == LLCSAP_SNAP && llc->llcui == LLC_UI) { ((struct ether_header *) ep)->ether_type = EXTRACT_16BITS(&llc->ethertype[0]); ptr = (unsigned char *)(llc + 1); length -= (sizeof(struct fddi_header) + sizeof(struct llc)); bcopy ((char *)ptr, (char *)(ep + 1), length); retn = length + sizeof(struct ether_header); } } return (retn); } void ArgusFddiPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; const struct fddi_header *fp = (struct fddi_header *)p; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length = h->len; unsigned int caplen = h->caplen; int ind = src->ArgusThisIndex; struct ether_header *ep; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } ep = (struct ether_header *) src->ArgusInterface[ind].ArgusPacketBuffer; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_FDDI; src->ArgusInterface[ind].ArgusPacketBuffer = src->ArgusInterface[ind].ArgusPacketBufferBuffer; if (p && (length = ArgusCreatePktFromFddi(fp, ep, length))) { if (p && length) ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusFddiPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ARGUS_802_6_MAC_HDR_LEN 20 #define ARGUS_ATM_HDR_OFFSET 8 void ArgusATMPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen = h->caplen; unsigned int length = h->len; int ind = src->ArgusThisIndex; struct ether_header *ep; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } ep = (struct ether_header *) src->ArgusInterface[ind].ArgusPacketBuffer; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusInterface[ind].ArgusPacketBuffer = src->ArgusInterface[ind].ArgusPacketBufferBuffer; if (caplen > 8) { if (p[0] != 0xaa || p[1] != 0xaa || p[2] != 0x03) { if (caplen > 28) { p += ARGUS_802_6_MAC_HDR_LEN; length -= ARGUS_802_6_MAC_HDR_LEN; caplen -= ARGUS_802_6_MAC_HDR_LEN; } else return; } } else return; ep->ether_type = ((p[6] << 8) | p[7]); length -= ARGUS_ATM_HDR_OFFSET; caplen -= ARGUS_ATM_HDR_OFFSET; p += ARGUS_ATM_HDR_OFFSET; bcopy (p, (char *)(ep + 1), caplen); length += sizeof(*ep); caplen += sizeof(*ep); src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ATM; ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusATMPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct ip *ip = (struct ip *) (p + PPP_HDRLEN); unsigned int length = h->len; unsigned int caplen = h->caplen; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); if (p && (length > PPP_HDRLEN)) { ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ip) + (caplen - PPP_HDRLEN); src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PPP; length -= PPP_HDRLEN; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ARGUS_PPPBSDOS_HDR_LEN 24 void ArgusPppBsdosPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length = h->len, hdrlen = 0; unsigned int caplen = h->caplen; unsigned short ptype = 0; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (u_char *) p + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PPP; if (p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL) { p += 2; hdrlen = 2; } if (*p & 01) { /* Retrieve the protocol type */ ptype = *p; /* Compressed protocol field */ p++; hdrlen += 1; } else { #if defined(_LITTLE_ENDIAN) ptype = ntohs(*(u_short *)p); #else ptype = *(u_short *)p; #endif p += 2; hdrlen += 2; } length -= hdrlen; if (ptype == PPP_IP) if (p && (length > 0)) { src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, (struct ip *) p, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppBsdosPacket (%p, %p, %p) returning\n", user, h, p); #endif } #if defined(__NetBSD__) || defined(__FreeBSD__) #include #include #endif #include #include /* XXX BSD/OS 2.1 compatibility */ #if !defined(ARGUS_SLIP_HDR_LEN) && defined(SLC_BPFHDR) #define SLIP_HDRLEN SLC_BPFHDR #define SLX_DIR 0 #define SLX_CHDR (SLC_BPFHDRLEN - 1) #define CHDR_LEN (SLC_BPFHDR - SLC_BPFHDRLEN) #else #endif void ArgusSlipPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct ip *ip = (struct ip *) (p + SLIP_HDRLEN); unsigned int length = h->len; unsigned int caplen = h->caplen; struct stat statbuf; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ip) + (caplen - SLIP_HDRLEN); src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_SLIP; if (p && (length > SLIP_HDRLEN)) { length -= SLIP_HDRLEN; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusSlipPacket (%p, %p, %p) returning\n", user, h, p); #endif } #include #if !defined(ETHER_ADDR_LEN) #define ETHER_ADDR_LEN 6 #endif void ArgusSllPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ArgusModelerStruct *model = src->ArgusModel; unsigned int length = h->len; unsigned int caplen = h->caplen; const struct sll_header *sllp = NULL; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned char buf[2048]; struct ether_header *ep = (struct ether_header *)buf; struct stat statbuf; u_short pkttype; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; #if defined(ARGUS_NANOSECONDS) tvp->tv_usec *= 1000; #endif if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; model->ArgusGlobalTime = *tvp; if (src->ArgusWriteOutPacketFile) { if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } sllp = (const struct sll_header *)p; memcpy((void *)&ep->ether_shost, sllp->sll_addr, ETHER_ADDR_LEN); #if defined(_LITTLE_ENDIAN) pkttype = ntohs(sllp->sll_pkttype); #else pkttype = sllp->sll_pkttype; #endif if (pkttype != LINUX_SLL_OUTGOING) { if (pkttype == LINUX_SLL_BROADCAST) memset((void *)&ep->ether_dhost, 0xFF, ETHER_ADDR_LEN); else { memset((void *)&ep->ether_dhost, 0, ETHER_ADDR_LEN); if (pkttype == LINUX_SLL_MULTICAST) #if defined(HAVE_SOLARIS) ep->ether_dhost.ether_addr_octet[0] = 0x01; #else ep->ether_dhost[0] = 0x01; #endif else #if defined(HAVE_SOLARIS) ep->ether_dhost.ether_addr_octet[ETHER_ADDR_LEN-1] = 0x01; #else ep->ether_dhost[ETHER_ADDR_LEN-1] = 0x01; #endif } } else { /* * We sent this packet; we don't know whether it's * broadcast, multicast, or unicast, so just make * the destination address all 0's. */ memset((void *)&ep->ether_dhost, 0, ETHER_ADDR_LEN); } length -= SLL_HDR_LEN; caplen -= SLL_HDR_LEN; p += SLL_HDR_LEN; ep->ether_type = sllp->sll_protocol; memcpy((ep + 1), p, caplen); model->ArgusThisSnapEnd = (unsigned char *)(ep + caplen); model->ArgusThisLength = length; model->ArgusSnapLength = caplen; model->ArgusThisEncaps = ARGUS_ENCAPS_SLL; ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusSllPacket (%p, %p, %p) returning\n", user, h, p); #endif } /* * Byte-swap a 32-bit number. * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on * big-endian platforms.) */ #define SWAPLONG(y) \ ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) #define NULL_HDRLEN 4 #define BSD_AF_INET 2 #define BSD_AF_NS 6 /* XEROX NS protocols */ #define BSD_AF_ISO 7 #define BSD_AF_APPLETALK 16 #define BSD_AF_IPX 23 #define BSD_AF_INET6_BSD 24 /* OpenBSD (and probably NetBSD), BSD/OS */ #define BSD_AF_INET6_FREEBSD 28 #define BSD_AF_INET6_DARWIN 30 void ArgusNullPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct pcap_pkthdr hbuf; unsigned int family; if (src->ArgusWriteOutPacketFile) { struct stat statbuf; if (stat(src->ArgusWriteOutPacketFile, &statbuf) < 0) { if (src->ArgusPcapOutFile != NULL) { pcap_dump_close(src->ArgusPcapOutFile); src->ArgusPcapOutFile = NULL; } if ((src->ArgusPcapOutFile = pcap_dump_open(src->ArgusInterface[0].ArgusPd, src->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[0].ArgusPd)); } if (src->ArgusDumpPacket && (src->ArgusPcapOutFile != NULL)) { #if defined(HAVE_PCAP_DUMP_FTELL) src->ArgusPacketOffset = pcap_dump_ftell(src->ArgusPcapOutFile); #endif pcap_dump((u_char *)src->ArgusPcapOutFile, h, p); } } memcpy((char *)&family, (char *)p, sizeof(family)); memcpy((char *)&hbuf, (char *)h, sizeof(*h)); if ((family & 0xFFFF0000) != 0) family = SWAPLONG(family); hbuf.len -= NULL_HDRLEN; hbuf.caplen -= NULL_HDRLEN; p += NULL_HDRLEN; switch (family) { case BSD_AF_INET: case BSD_AF_INET6_BSD: case BSD_AF_INET6_FREEBSD: case BSD_AF_INET6_DARWIN: ArgusIpPacket (user, &hbuf, p); break; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusNullPacket (%p, %p, %p) returning\n", user, h, p); #endif } #endif #include #if defined(HAVE_SOLARIS) #include #endif void *ArgusEventsProcess(void *); extern int getArguspidflag (void); extern char * ArgusCreatePIDFile (struct ArgusSourceStruct *, char *, char *); extern char *ArgusPidFile; extern char *ArgusPidPath; void ArgusSourceProcess (struct ArgusSourceStruct *stask) { #if defined(ARGUS_THREADS) struct timeval tvp; struct timespec tsbuf, *ts = &tsbuf; int ArgusThreadCount = 0, ArgusThreads = 0; #endif extern uid_t new_uid; extern gid_t new_gid; if (stask->ArgusRfileList != NULL) { struct ArgusRfileStruct *rfile = (struct ArgusRfileStruct *) stask->ArgusRfileList->start; int i, count = stask->ArgusRfileList->count; if (setuid(getuid()) != 0) ArgusLog (LOG_ERR, "ArgusInitSource: setuid %s\n", strerror(errno)); if (stask->ArgusDeviceList) clearArgusDevice(stask); for (i = 0; i < count; i++) { stask->mode = rfile->mode; setArgusDevice(stask, rfile->name, ARGUS_FILE_DEVICE, rfile->mode); rfile = (struct ArgusRfileStruct *) rfile->nxt; } } else if (!(stask->ArgusDeviceList)) setArgusDevice (stask, "any", ARGUS_LIVE_DEVICE, 0); if (stask->ArgusDeviceList) { #if defined(ARGUS_THREADS) int i, count = stask->ArgusDeviceList->count; ArgusThreadCount = 0; #endif if (!(stask->ArgusReadingOffLine)) ArgusLog(LOG_ALERT, "started"); if (daemonflag) if (getArguspidflag() && ((ArgusPidFile = ArgusCreatePIDFile (ArgusSourceTask, ArgusPidPath, ArgusProgramName)) == NULL)) ArgusLog (LOG_ERR, "daemon cannot create pid file"); #if defined(ARGUS_THREADS) for (i = 0; i < count; i++) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) ArgusPopFrontList(stask->ArgusDeviceList, ARGUS_LOCK); if (device != NULL) { struct ArgusSourceStruct *src = NULL; src = ArgusCloneSource(stask); clearArgusDevice(src); gettimeofday (&src->marktime, 0L); if (device->ArgusID.a_un.value != 0) { src->ArgusID = device->ArgusID; } else { device->ArgusID = stask->ArgusID; device->idtype = stask->type; src->ArgusID = stask->ArgusID; src->type = stask->type; } src->type = device->type; ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); if (ArgusInitSource (src) > 0) { stask->srcs[ArgusThreads] = src; if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } if ((pthread_create(&src->thread, NULL, ArgusGetPackets, (void *) src)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); ArgusThreads++; ArgusThreadCount++; } } } #else ArgusInitSource (stask); if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } ArgusGetPackets (stask); #endif /* ARGUS_THREADS */ } #if defined(ARGUS_THREADS) do { int retn = 0, i; gettimeofday (&tvp, 0L); ts->tv_sec = tvp.tv_sec + 0; ts->tv_nsec = (tvp.tv_usec * 1000) + 0; ts->tv_sec++; if ((retn = pthread_mutex_lock(&stask->lock))) { switch (retn) { case EINVAL: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_mutex_lock() error EINVAL\n"); break; case EDEADLK: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_mutex_lock() error EDEADLK\n"); break; } } if ((retn = pthread_cond_timedwait(&stask->cond, &stask->lock, ts))) { switch (retn) { case EINVAL: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_cond_timedwait() error EINVAL\n"); break; case ETIMEDOUT: break; } } for (i = 0; i < ArgusThreadCount; i++) { gettimeofday (&stask->srcs[i]->marktime, 0L); if (stask->srcs[i]->status & ARGUS_SHUTDOWN) { pthread_t thread; void *ptr = NULL; if ((thread = stask->srcs[i]->thread) != 0) pthread_join(thread, &ptr); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSourceProcess: ArgusGetPackets[%d] done\n", i); #endif ArgusThreads--; stask->srcs[i]->status &= ~ARGUS_SHUTDOWN; } } pthread_mutex_unlock(&stask->lock); } while (!(stask->status & ARGUS_SHUTDOWN) && (ArgusThreads > 0)); #endif /* ARGUS_THREADS */ } void * ArgusGetPackets (void *arg) { void *retn = NULL; struct ArgusSourceStruct *src = arg; fd_set ArgusReadMask, ArgusWriteMask, ArgusExceptMask; int noerror = 1; struct timeval wait; int tmp, width = 0, fd; int i, fds[ARGUS_MAXINTERFACE]; #if defined(ARGUS_PLURIBUS) int notselectable = 1; #else int notselectable = 0; #endif #if defined(ARGUS_THREADS) sigset_t blocked_signals; sigfillset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #endif /* ARGUS_THREADS */ if (src != NULL) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets (%p) starting\n", src); #endif #if defined(HAVE_SOLARIS) sigignore (SIGPIPE); #else signal (SIGPIPE, SIG_IGN); #endif FD_ZERO(&ArgusReadMask); FD_ZERO(&ArgusWriteMask); FD_ZERO(&ArgusExceptMask); wait.tv_sec = 0; wait.tv_usec = 200000; ArgusGetInterfaceStatus(src); gettimeofday (&src->ArgusStartTime, 0L); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusStartTime.tv_usec *= 1000; #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) fds[i] = -1; if (src->ArgusInterface[0].ArgusPd) { int found = 0, up = 0; switch (src->ArgusInterface[0].ArgusInterfaceType) { case ARGUSERFPKTFILE: { if (src->ArgusInterface[0].ArgusPcap.fd) { for (i = 0; i < src->ArgusInterfaces; i++) { do { FD_SET(src->ArgusInterface[i].ArgusPcap.fd, &ArgusReadMask); width = src->ArgusInterface[i].ArgusPcap.fd + 1; if (select (width + 1, &ArgusReadMask, NULL, NULL, &wait) > 0) { ArgusErfRead(src); if (src->eNflag > 0) src->eNflag--; } else break; } while (noerror && (src->eNflag != 0) && (!(ArgusShutDownStarted))); } } break; } default: { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { found++; #if !defined(CYGWIN) && !defined(WIN32) && !defined(MSDOS) #if defined(HAVE_PCAP_GET_SELECTABLE_FD) if (pcap_get_selectable_fd(src->ArgusInterface[i].ArgusPd) < 0) #endif notselectable++; #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusGetPackets: interface %s %s selectable\n", src->ArgusInterface[i].ifr.ifr_name, (notselectable ? "is not" : "is")); #endif if ((src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) != 0) { up++; if ((fd = pcap_fileno(src->ArgusInterface[i].ArgusPd)) >= 0) { fds[i] = fd; setArgusInterfaceStatus(src, 1); FD_SET(pcap_fileno(src->ArgusInterface[i].ArgusPd), &ArgusReadMask); if (width < fd) width = fd; } } else setArgusInterfaceStatus(src, 0); } else setArgusInterfaceStatus(src, 0); } if (!(src->ArgusReadingOffLine)) { do { #if defined(CYGWIN) struct pcap_pkthdr *header; const u_char *pkt_data; if ((tmp = pcap_next_ex(src->ArgusInterface[0].ArgusPd, &header, &pkt_data)) >= 0) { if ( tmp > 0) { src->ArgusThisIndex = 0; src->ArgusInterface[0].ArgusCallBack((char *)src, header, pkt_data); } else gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); } else { gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); noerror = 0; } ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; #else if (notselectable) { int pkts = 0; for (i = 0; i < src->ArgusInterfaces; i++) { int cnt = 0; if (src->ArgusInterface[i].ArgusPd) { src->ArgusThisIndex = i; { #if defined(HAVE_PCAP_NEXT_EX) struct pcap_pkthdr *header; const u_char *pkt_data; if ((cnt = pcap_next_ex(src->ArgusInterface[i].ArgusPd, &header, &pkt_data)) >= 0) { if (cnt > 0) { pkts++; src->ArgusInterface[i].ArgusCallBack((u_char *)src, header, pkt_data); } else break; } else noerror = 0; #else if ((cnt = pcap_dispatch(src->ArgusInterface[i].ArgusPd, 1, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) > 0) { pkts++; } else { if (cnt < 0) noerror = 0; } #endif } found++; } } if (pkts == 0) { struct timespec tsbuf = {0, 50000}, *ts = &tsbuf; gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; nanosleep(ts, NULL); } } else { if (up && ((tmp = select (width + 1, &ArgusReadMask, NULL, NULL, &wait)) >= 0)) { found = 0; #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusGetPackets: select() returned %d\n", tmp); #endif if (tmp > 0) { for (i = 0; i < src->ArgusInterfaces; i++) { if ((fd = fds[i]) != -1) { if (FD_ISSET(fd, &ArgusReadMask)) { found++; src->ArgusThisIndex = i; switch (src->ArgusInterface[i].ArgusInterfaceType) { case ARGUSLIBPPKTFILE: if ((pcap_dispatch (src->ArgusInterface[i].ArgusPd, 1, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if (!(strncmp (pcap_geterr(src->ArgusInterface[i].ArgusPd), "recvfrom", 8))) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetPackets: pcap_dispatch() returned %s\n", pcap_geterr(src->ArgusInterface[i].ArgusPd)); #endif } else noerror = 0; } else { #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusGetPackets: pcap_dispatch() interface %s %d up\n", src->ArgusInterface[i].ArgusDevice, up); #endif } break; case ARGUSERFPKTFILE: if (ArgusErfRead (src) < 0) noerror = 0; break; case ARGUSSNOOPKTFILE: if (ArgusSnoopRead (src) < 0) noerror = 0; break; case ARGUSMOATTSHPKTFILE: if (ArgusMoatTshRead (src) < 0) noerror = 0; break; } if (src->eNflag > 0) src->eNflag--; } } } } else { gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; #if defined(ARGUS_NEEDS_LIBPCAP_WORKAROUND) /* libpcap workaround */ int pkts = 0, cnt, ret; do { cnt = 0; for (i = 0; i < src->ArgusInterfaces; i++) { if ((fd = fds[i]) != -1) { #if defined(HAVE_PCAP_NEXT_EX) struct pcap_pkthdr *header; const u_char *pkt_data; if ((ret = pcap_next_ex(src->ArgusInterface[i].ArgusPd, &header, &pkt_data)) > 0) { pkts++; cnt += ret; src->ArgusThisIndex = i; src->ArgusInterface[i].ArgusCallBack((u_char *)src, header, pkt_data); } else if (ret < 0) noerror = 0; #else src->ArgusThisIndex = i; if ((ret = pcap_dispatch(src->ArgusInterface[i].ArgusPd, 1, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) > 0) { pkts++; cnt += ret; } else { if (ret < 0) noerror = 0; } #endif } } } while (cnt > 0); if (!pkts) { struct timespec tsbuf = {0, 50000}, *ts = &tsbuf; nanosleep(ts, NULL); gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusGetPackets: select() timeout %d up interfaces\n", up); #endif } #endif } } else { gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; if (up) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetPackets: select() returned %s\n", strerror(errno)); #endif } else { struct timespec tsbuf = {0, 250000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusGetPackets: no interfaces up: sleeping\n"); #endif nanosleep(ts, NULL); } } width = 0; found = 0; up = 0; FD_ZERO(&ArgusReadMask); for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && ((fd = pcap_fileno(src->ArgusInterface[i].ArgusPd)) >= 0)) { found++; fds[i] = fd; if (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) { up++; FD_SET(pcap_fileno(src->ArgusInterface[i].ArgusPd), &ArgusReadMask); if (width < pcap_fileno(src->ArgusInterface[i].ArgusPd)) width = pcap_fileno(src->ArgusInterface[i].ArgusPd); } } else { fds[i] = -1; ArgusOpenInterface(src, NULL, &src->ArgusInterface[i]); found++; } } wait.tv_sec = 0; wait.tv_usec = 500000; } #endif if (ArgusUpdateTime (src->ArgusModel)) { ArgusGetInterfaceStatus(src); ArgusQueueManager(src->ArgusModel); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } } while (noerror && (src->eNflag != 0) && (!(ArgusShutDownStarted))); } else { extern int ArgusShutDownFlag; long ioffset = 0, offset = 0; ioffset = ftell(src->ArgusPacketInput); offset = ioffset; for (i = 0; i < src->ArgusInterfaces; i++) { int retn = 0; src->ArgusThisIndex = i; if (getArgusfflag(src)) { // reading the tail of the file, so be ready to sleep if nothing there do { char *estr; if (offset > 0) fseek(src->ArgusPacketInput, offset, SEEK_SET); if ((retn = pcap_dispatch (src->ArgusInterface[i].ArgusPd, 1, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if ((estr = pcap_geterr(src->ArgusInterface[i].ArgusPd)) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch returned %s\n", estr); #endif } } if (retn > 0) { if (src->eNflag > 0) src->eNflag -= retn; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch read %d packets\n", retn); #endif offset = src->ArgusInputOffset; } else { struct timespec tsbuf = {0, 100000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch read 0 packets...sleeping", retn); #endif nanosleep(ts, NULL); gettimeofday (&src->ArgusModel->ArgusGlobalTime, NULL); #if defined(ARGUS_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; #endif ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; } #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } while (getArgusfflag(src) && (src->eNflag != 0) && !ArgusShutDownFlag); } else { for (i = 0; i < src->ArgusInterfaces; i++) { src->ArgusThisIndex = i; if ((pcap_dispatch (src->ArgusInterface[i].ArgusPd, src->eNflag, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if (!(strncmp (pcap_geterr(src->ArgusInterface[i].ArgusPd), "recvfrom", 8))) { ArgusLog (LOG_ERR, "ArgusGetPackets: pcap_dispatch() returned %s\n", pcap_geterr(src->ArgusInterface[i].ArgusPd)); } } #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } } } } } } } setArgusFarReportInterval (src->ArgusModel, "0"); ArgusQueueManager(src->ArgusModel); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif gettimeofday (&src->ArgusEndTime, 0L); #if defined(ARGUS_NANOSECONDS) src->ArgusEndTime.tv_usec *= 1000; #endif } #if defined(ARGUS_THREADS) #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGetPackets () returning\n"); #endif if (src != NULL) src->status |= ARGUS_SHUTDOWN; pthread_exit(retn); #endif /* ARGUS_THREADS */ return (retn); } void Argusbpf_dump(struct bpf_program *p, int option) { struct bpf_insn *insn; int i, n = p->bf_len; insn = p->bf_insns; if (option > 2) { fprintf(stdout, "%d\n", n); for (i = 0; i < n; ++insn, ++i) { fprintf(stdout, "%lu %lu %lu %lu\n", (long) insn->code, (long) insn->jt, (long) insn->jf, (long) insn->k); } return; } if (option > 1) { for (i = 0; i < n; ++insn, ++i) { fprintf(stdout, "{ 0x%x, %d, %d, 0x%08x },\n", insn->code, insn->jt, insn->jf, (int) insn->k); } return; } for (i = 0; i < n; ++insn, ++i) fprintf (stdout, "%s\n", bpf_image(insn, i)); } #include #include #if defined(HAVE_FCNTL_H) #include #endif #define ARGUSSNOOPTAG "snoop" int ArgusOpenInputPacketFile(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { char readbuf[256], errbuf[256]; int ch, rlen, type; int retn = 0; if (device != NULL) { inf->ArgusDevice = device; if (strcmp(device->name, "-")) { if ((src->ArgusPacketInput = fopen(device->name, "r")) == NULL) { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s: %s\n", device->name, strerror(errno)); } } else src->ArgusPacketInput = stdin; #if defined(HAVE_PCAP_FOPEN_OFFLINE) inf->ArgusPd = pcap_fopen_offline(src->ArgusPacketInput, errbuf); #else inf->ArgusPd = pcap_open_offline(device->name, errbuf); #endif if (inf->ArgusPd != NULL) { src->ArgusInputPacketFileType = ARGUSLIBPPKTFILE; inf->ArgusInterfaceType = ARGUSLIBPPKTFILE; inf->ArgusDevice = (struct ArgusDeviceStruct *) device; type = pcap_datalink(inf->ArgusPd); if ((inf->ArgusCallBack = Arguslookup_pcap_callback(type)) == NULL) ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) unsupported device type %d\n", device->name, type); inf->ArgusLocalNet = 0; inf->ArgusNetMask = 0; src->ArgusReadingOffLine++; retn = 1; } else { if (strcmp(device->name, "-")) { if ((src->ArgusPacketInput = fopen(device->name, "r")) == NULL) { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s: %s\n", device->name, strerror(errno)); } } else src->ArgusPacketInput = stdin; if (src->ArgusPacketInput) { if ((strstr (device->name, ".erf")) != NULL) { if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY, NULL)) >= 0) { inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSERFPKTFILE; src->ArgusInputPacketFileType = ARGUSERFPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) error. %s\n", device->name, strerror(errno)); } else if (getArgusMoatTshFile(src)) { if (src->ArgusPacketInput == stdin) { inf->ArgusPcap.fd = 0; inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSMOATTSHPKTFILE; src->ArgusInputPacketFileType = ARGUSMOATTSHPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY, NULL)) >= 0) { inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSMOATTSHPKTFILE; src->ArgusInputPacketFileType = ARGUSMOATTSHPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) error. %s\n", device->name, strerror(errno)); } else if ((ch = fgetc(src->ArgusPacketInput)) != EOF) { ungetc(ch, src->ArgusPacketInput); if ((rlen = fread ((char *)readbuf, 1, sizeof(ARGUSSNOOPTAG), src->ArgusPacketInput)) == sizeof(ARGUSSNOOPTAG)) { if ((strncmp((char *)readbuf, ARGUSSNOOPTAG, sizeof(ARGUSSNOOPTAG)) == 0)) { fclose(src->ArgusPacketInput); if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY, NULL)) >= 0) { lseek(inf->ArgusPcap.fd, 16, SEEK_SET); inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; src->ArgusInputPacketFileType = ARGUSSNOOPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s, unknown packet file format", device->name); } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "Error reading %s. Read %d bytes", device->name, rlen); } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "Error reading %s. stream empty", device->name); } inf->ArgusLocalNet = 0; inf->ArgusNetMask = 0; } if (retn == 0) ArgusLog (LOG_ALERT, "ArgusOpenInputPacketFile: pcap_open_offline: %s", errbuf); } } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusOpenInputPacketFile(%p) returning %d\n", errbuf, retn); #endif return (retn); } #include #include #include #include int ArgusGetInterfaceFD = -1; void ArgusGetInterfaceStatus (struct ArgusSourceStruct *src) { struct ArgusDeviceStruct *device = NULL; char errbuf[PCAP_ERRBUF_SIZE]; struct ifreq ifr; int fd, i; extern int ArgusShutDownFlag; if (ArgusShutDownFlag) { ArgusShutDown(0); return; } if (src && src->ArgusDeviceList) if ((device = (struct ArgusDeviceStruct *) ArgusPopFrontList(src->ArgusDeviceList, ARGUS_LOCK)) != NULL) ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); if (device == NULL) return; if ((strstr(device->name, "dag")) || (strstr(device->name, "napa")) || (strstr(device->name, "dna")) || (strstr(device->name, "zc")) || ((strstr(device->name, "eth")) && (strstr(device->name, "@")))) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); } return; } if (strstr(device->name, "default")) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0)) bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); } return; } if (ArgusGetInterfaceFD < 0) if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0) ArgusLog(LOG_ERR, "ArgusGetInterfaceStatus: socket %s", strerror(errno)); fd = ArgusGetInterfaceFD; for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0)) { memcpy ((char *)&ifr, (char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); #if !defined(CYGWIN) if ((ioctl(fd, SIOCGIFFLAGS, (char *)&src->ArgusInterface[i].ifr)) < 0) { if (src->ArgusInterface[i].ArgusPd) { pcap_close(src->ArgusInterface[i].ArgusPd); src->ArgusInterface[i].ArgusPd = NULL; return; } } #else src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); #endif if ((ifr.ifr_flags & IFF_UP) != (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP)) { setArgusInterfaceStatus(src, (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) ? 1 : 0); if (!((pcap_lookupnet (src->ArgusInterface[i].ArgusDevice->name, (u_int *)&src->ArgusInterface[i].ArgusLocalNet, (u_int *)&src->ArgusInterface[i].ArgusNetMask, errbuf)) < 0)) { #if defined(_LITTLE_ENDIAN) src->ArgusInterface[i].ArgusLocalNet = ntohl(src->ArgusInterface[i].ArgusLocalNet); src->ArgusInterface[i].ArgusNetMask = ntohl(src->ArgusInterface[i].ArgusNetMask); #endif } ArgusLog (LOG_ALERT, "ArgusGetInterfaceStatus: interface %s is %s\n", src->ArgusInterface[i].ifr.ifr_name, (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) ? "up" : "down"); } pcap_stats (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusStat); } else { } } return; } int RaSortFileList (const void *, const void *); int RaSortFileList (const void *item1, const void *item2) { struct ArgusRfileStruct *file1 = *(struct ArgusRfileStruct **) item1; struct ArgusRfileStruct *file2 = *(struct ArgusRfileStruct **) item2; return (strcmp (file1->name, file2->name)); } void ArgusSortFileList (struct ArgusListStruct *list) { struct ArgusRfileStruct *rfile; void **array = NULL; int i = 0, count = 0; if ((list != NULL) && (count = list->count)) { if ((array = ArgusCalloc (count, sizeof(rfile))) == NULL) ArgusLog (LOG_ERR, "ArgusSortFileList: ArgusCalloc %s", strerror(errno)); while ((rfile = (void *)ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) array[i++] = rfile; if (i != count) ArgusLog (LOG_ERR, "ArgusSortFileList: integrity failure"); qsort (array, i, sizeof(rfile), RaSortFileList); for (i = 0; i < count; i++) ArgusPushFrontList(list, (struct ArgusListRecord *) array[i], ARGUS_LOCK); ArgusFree (array); } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSortFileList(%p)\n", list); #endif } static int ArgusParseRadioTapField(struct cpack_state *s, u_int32_t bit, struct ieee80211_radiotap *rtap) { union { int8_t i8; u_int8_t u8; int16_t i16; u_int16_t u16; u_int32_t u32; u_int64_t u64; } u, u2, u3, u4; int rc; switch (bit) { case IEEE80211_RADIOTAP_FLAGS: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_RATE: case IEEE80211_RADIOTAP_DB_ANTSIGNAL: case IEEE80211_RADIOTAP_DB_ANTNOISE: case IEEE80211_RADIOTAP_ANTENNA: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_DBM_ANTSIGNAL: case IEEE80211_RADIOTAP_DBM_ANTNOISE: rc = cpack_int8(s, &u.i8); break; case IEEE80211_RADIOTAP_CHANNEL: rc = cpack_uint16(s, &u.u16); if (rc != 0) break; rc = cpack_uint16(s, &u2.u16); break; case IEEE80211_RADIOTAP_FHSS: case IEEE80211_RADIOTAP_LOCK_QUALITY: case IEEE80211_RADIOTAP_TX_ATTENUATION: rc = cpack_uint16(s, &u.u16); break; case IEEE80211_RADIOTAP_DB_TX_ATTENUATION: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_DBM_TX_POWER: rc = cpack_int8(s, &u.i8); break; case IEEE80211_RADIOTAP_TSFT: rc = cpack_uint64(s, &u.u64); break; case IEEE80211_RADIOTAP_XCHANNEL: rc = cpack_uint32(s, &u.u32); if (rc != 0) break; rc = cpack_uint16(s, &u2.u16); if (rc != 0) break; rc = cpack_uint8(s, &u3.u8); if (rc != 0) break; rc = cpack_uint8(s, &u4.u8); break; default: /* this bit indicates a field whose * size we do not know, so we cannot * proceed. Just print the bit number. */ return -1; } if (rc != 0) return rc; /* struct ieee80211_radiotap { struct ieee80211_radiotap_header hdr; u_int64_t tsft; u_int16_t txchan, rxchan; u_int16_t fhss; u_int8_t rate; u_int8_t dbm_antsignal; u_int8_t dbm_antnoise; u_int8_t db_antsignal; u_int8_t db_antnoise; u_int16_t lock_quality; u_int16_t tx_attenuation; u_int16_t db_tx_attenuation; u_int8_t dbm_tx_power; u_int8_t flags; u_int8_t antenna; struct ieee80211_xchannel xchan; }; */ switch (bit) { case IEEE80211_RADIOTAP_TSFT: rtap->tsft = u.u64; break; case IEEE80211_RADIOTAP_CHANNEL: break; case IEEE80211_RADIOTAP_FHSS: rtap->fhss = u.u16; break; case IEEE80211_RADIOTAP_RATE: rtap->rate = u.u8; break; case IEEE80211_RADIOTAP_DBM_ANTSIGNAL: rtap->dbm_antsignal = u.u8; break; case IEEE80211_RADIOTAP_DBM_ANTNOISE: rtap->dbm_antnoise = u.u8; break; case IEEE80211_RADIOTAP_DB_ANTSIGNAL: rtap->db_antsignal = u.u8; break; case IEEE80211_RADIOTAP_DB_ANTNOISE: rtap->db_antnoise = u.u8; break; case IEEE80211_RADIOTAP_LOCK_QUALITY: rtap->lock_quality = u.u16; break; case IEEE80211_RADIOTAP_TX_ATTENUATION: rtap->tx_attenuation = u.u16; break; case IEEE80211_RADIOTAP_DB_TX_ATTENUATION: rtap->db_tx_attenuation = u.u16; break; case IEEE80211_RADIOTAP_DBM_TX_POWER: rtap->dbm_tx_power = u.u8; break; case IEEE80211_RADIOTAP_FLAGS: rtap->flags = u.u8; break; case IEEE80211_RADIOTAP_ANTENNA: rtap->antenna = u.u8; break; case IEEE80211_RADIOTAP_XCHANNEL: break; } return 0; } /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #include #include static u_int8_t * cpack_next_boundary(u_int8_t *buf, u_int8_t *p, size_t alignment) { size_t misalignment = (size_t)(p - buf) % alignment; if (misalignment == 0) return p; return p + (alignment - misalignment); } /* Advance to the next wordsize boundary. Return NULL if fewer than * wordsize bytes remain in the buffer after the boundary. Otherwise, * return a pointer to the boundary. */ static u_int8_t * cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize) { u_int8_t *next; /* Ensure alignment. */ next = cpack_next_boundary(cs->c_buf, cs->c_next, wordsize); /* Too little space for wordsize bytes? */ if (next - cs->c_buf + wordsize > cs->c_len) return NULL; return next; } int cpack_init(struct cpack_state *cs, u_int8_t *buf, size_t buflen) { memset(cs, 0, sizeof(*cs)); cs->c_buf = buf; cs->c_len = buflen; cs->c_next = cs->c_buf; return 0; } /* Unpack a 64-bit unsigned integer. */ int cpack_uint64(struct cpack_state *cs, u_int64_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_64BITS(next); /* Move pointer past the u_int64_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack a 32-bit unsigned integer. */ int cpack_uint32(struct cpack_state *cs, u_int32_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_32BITS(next); /* Move pointer past the u_int32_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack a 16-bit unsigned integer. */ int cpack_uint16(struct cpack_state *cs, u_int16_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_16BITS(next); /* Move pointer past the u_int16_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack an 8-bit unsigned integer. */ int cpack_uint8(struct cpack_state *cs, u_int8_t *u) { /* No space left? */ if ((size_t)(cs->c_next - cs->c_buf) >= cs->c_len) return -1; *u = *cs->c_next; /* Move pointer past the u_int8_t. */ cs->c_next++; return 0; } argus-3.0.8.2/argus/ArgusSource.h000444 000765 000024 00000104251 12513222401 017153 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Input includes * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusSource.h#47 $ * $DateTime: 2015/04/13 00:43:29 $ * $Change: 2982 $ */ /* ArgusSource.h */ #ifndef ArgusSource_h #define ArgusSource_h #include #include #include #include #include #if defined(ARGUS_TILERA) #include #include #include #include #include #include #include #include #include #include #else #include #endif /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #ifndef _CPACK_H #define _CPACK_H struct cpack_state { u_int8_t *c_buf; u_int8_t *c_next; size_t c_len; }; int cpack_init(struct cpack_state *, u_int8_t *, size_t); int cpack_uint8(struct cpack_state *, u_int8_t *); int cpack_uint16(struct cpack_state *, u_int16_t *); int cpack_uint32(struct cpack_state *, u_int32_t *); int cpack_uint64(struct cpack_state *, u_int64_t *); #define cpack_int8(__s, __p) cpack_uint8((__s), (u_int8_t*)(__p)) #define cpack_int16(__s, __p) cpack_uint16((__s), (u_int16_t*)(__p)) #define cpack_int32(__s, __p) cpack_uint32((__s), (u_int32_t*)(__p)) #define cpack_int64(__s, __p) cpack_uint64((__s), (u_int64_t*)(__p)) #endif /* _CPACK_H */ int pcap_read(pcap_t *, int cnt, pcap_handler, u_char *); int pcap_offline_read(pcap_t *, int, pcap_handler, u_char *); #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #endif #if !defined(__OpenBSD__) #include #endif #include #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NETINET_IF_SYSTEM_H_)) #define _NETINET_IF_SYSTEM_H_ #include #endif #ifndef _NETINET_IP_H_ #include #define _NETINET_IP_H_ #endif #ifndef _NETINET_UDP_H_ #include #define _NETINET_UDP_H_ #endif #include #define ARGUSLIBPPKTFILE 1 #define ARGUSSNOOPKTFILE 2 #define ARGUSMOATTSHPKTFILE 3 #define ARGUSDAGLINK 4 #define ARGUSERFPKTFILE 5 #define ARGUS_FILE_DEVICE 1 #define ARGUS_LIVE_DEVICE 2 #define ARGUS_MAXINTERFACE 64 #define ARGUS_TYPE_IND 0x01 #define ARGUS_TYPE_BOND 0x02 #define ARGUS_TYPE_DUPLEX 0x04 struct ArgusDeviceStruct { struct ArgusListObjectStruct *nxt; int status, type, mode, link, idtype, dlt; struct ArgusAddrStruct ArgusID; char *name, *dltname; struct ArgusListStruct *list; #if defined(ARGUS_TILERA) netio_input_config_t config; #endif }; struct ArgusRfileStruct { struct ArgusListObjectStruct *nxt; int mode; char *name; }; struct arguspcap_sf { FILE *rfile; int swapped; int hdrsize; int version_major; int version_minor; u_char *base; }; struct arguspcap_md { struct pcap_stat stat; /*XXX*/ int use_bpf; /* using kernel filter */ u_long TotPkts; /* can't oflow for 79 hrs on ether */ u_long TotAccepted; /* count accepted by filter */ u_long TotDrops; /* count of dropped packets */ long TotMissed; /* missed by i/f during this run */ long OrigMissed; /* missed by i/f before this run */ #ifdef linux int sock_packet; /* using Linux 2.0 compatible interface */ int timeout; /* timeout specified to pcap_open_live */ int clear_promisc; /* must clear promiscuous mode when we close */ int cooked; /* using SOCK_DGRAM rather than SOCK_RAW */ int lo_ifindex; /* interface index of the loopback device */ char *device; /* device name */ struct pcap *next; /* list of open promiscuous sock_packet pcaps */ #endif }; struct arguspcap { int fd; int snapshot; int linktype; int tzoff; /* timezone offset */ int offset; /* offset for proper alignment */ struct arguspcap_sf sf; struct arguspcap_md md; /* * Read buffer. */ int bufsize; u_char *buffer; u_char *bp; int cc; /* * Place holder for pcap_next(). */ u_char *pkt; /* * Placeholder for filter code if bpf not in kernel. */ struct bpf_program fcode; char errbuf[PCAP_ERRBUF_SIZE]; }; #define MAXSTRSIZE 1024 #define ARGUS_MAXSNAPLEN 65535 struct ArgusInterfaceStruct { struct ArgusDeviceStruct *ArgusDevice; struct ifreq ifr; pcap_t *ArgusPd; struct bpf_program ArgusFilter; int state, index, ArgusInterfaceType; pcap_handler ArgusCallBack; struct arguspcap ArgusPcap; unsigned int ArgusLocalNet, ArgusNetMask; struct pcap_stat ArgusStat; long ArgusPacketOffset; long long ArgusTotalPkts; long long ArgusTotalIPPkts; long long ArgusTotalNonIPPkts; long long ArgusLastPkts; long long ArgusTotalDrop; long long ArgusLastDrop; long long ArgusTotalBytes; long long ArgusLastBytes; u_char *ArgusPacketBuffer; u_char ArgusPacketBufferBuffer[ARGUS_MAXSNAPLEN]; }; struct ArgusMoatTshPktHdr { unsigned int sec; char interface; char usec[3]; struct ip ip; struct tcphdr tcp; }; #define SNOOP_FILE_OFFSET 16 struct ArgusSnoopPktHdr { unsigned int len; unsigned int tlen; unsigned int pad[2]; struct timeval argtvp; }; #if defined(ArgusSource) #define JUNIPER_BPF_OUT 0 /* Outgoing packet */ #define JUNIPER_BPF_IN 1 /* Incoming packet */ #define JUNIPER_BPF_PKT_IN 0x1 /* Incoming packet */ #define JUNIPER_BPF_NO_L2 0x2 /* L2 header stripped */ #define JUNIPER_BPF_IIF 0x4 /* IIF is valid */ #define JUNIPER_BPF_FILTER 0x40 /* BPF filtering is supported */ #define JUNIPER_BPF_EXT 0x80 /* extensions present */ #define JUNIPER_MGC_NUMBER 0x4d4743 /* = "MGC" */ #define JUNIPER_LSQ_COOKIE_RE (1 << 3) #define JUNIPER_LSQ_COOKIE_DIR (1 << 2) #define JUNIPER_LSQ_L3_PROTO_SHIFT 4 #define JUNIPER_LSQ_L3_PROTO_MASK (0x17 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_IPV4 (0 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_IPV6 (1 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_MPLS (2 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_ISO (3 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define AS_PIC_COOKIE_LEN 8 #define JUNIPER_IPSEC_O_ESP_ENCRYPT_ESP_AUTHEN_TYPE 1 #define JUNIPER_IPSEC_O_ESP_ENCRYPT_AH_AUTHEN_TYPE 2 #define JUNIPER_IPSEC_O_ESP_AUTHENTICATION_TYPE 3 #define JUNIPER_IPSEC_O_AH_AUTHENTICATION_TYPE 4 #define JUNIPER_IPSEC_O_ESP_ENCRYPTION_TYPE 5 /* codepoints for encoding extensions to a .pcap file */ enum { JUNIPER_EXT_TLV_IFD_IDX = 1, JUNIPER_EXT_TLV_IFD_NAME = 2, JUNIPER_EXT_TLV_IFD_MEDIATYPE = 3, JUNIPER_EXT_TLV_IFL_IDX = 4, JUNIPER_EXT_TLV_IFL_UNIT = 5, JUNIPER_EXT_TLV_IFL_ENCAPS = 6, JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE = 7, JUNIPER_EXT_TLV_TTP_IFL_ENCAPS = 8 }; /* 1 byte type and 1-byte length */ #define JUNIPER_EXT_TLV_OVERHEAD 2 struct tok jnx_ext_tlv_values[] = { { JUNIPER_EXT_TLV_IFD_IDX, "Device Interface Index" }, { JUNIPER_EXT_TLV_IFD_NAME,"Device Interface Name" }, { JUNIPER_EXT_TLV_IFD_MEDIATYPE, "Device Media Type" }, { JUNIPER_EXT_TLV_IFL_IDX, "Logical Interface Index" }, { JUNIPER_EXT_TLV_IFL_UNIT,"Logical Unit Number" }, { JUNIPER_EXT_TLV_IFL_ENCAPS, "Logical Interface Encapsulation" }, { JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE, "TTP derived Device Media Type" }, { JUNIPER_EXT_TLV_TTP_IFL_ENCAPS, "TTP derived Logical Interface Encapsulation" }, { 0, NULL } }; struct tok jnx_flag_values[] = { { JUNIPER_BPF_EXT, "Ext" }, { JUNIPER_BPF_FILTER, "Filter" }, { JUNIPER_BPF_IIF, "IIF" }, { JUNIPER_BPF_NO_L2, "no-L2" }, { JUNIPER_BPF_PKT_IN, "In" }, { 0, NULL } }; #define JUNIPER_IFML_ETHER 1 #define JUNIPER_IFML_FDDI 2 #define JUNIPER_IFML_TOKENRING 3 #define JUNIPER_IFML_PPP 4 #define JUNIPER_IFML_FRAMERELAY 5 #define JUNIPER_IFML_CISCOHDLC 6 #define JUNIPER_IFML_SMDSDXI 7 #define JUNIPER_IFML_ATMPVC 8 #define JUNIPER_IFML_PPP_CCC 9 #define JUNIPER_IFML_FRAMERELAY_CCC 10 #define JUNIPER_IFML_IPIP 11 #define JUNIPER_IFML_GRE 12 #define JUNIPER_IFML_PIM 13 #define JUNIPER_IFML_PIMD 14 #define JUNIPER_IFML_CISCOHDLC_CCC 15 #define JUNIPER_IFML_VLAN_CCC 16 #define JUNIPER_IFML_MLPPP 17 #define JUNIPER_IFML_MLFR 18 #define JUNIPER_IFML_ML 19 #define JUNIPER_IFML_LSI 20 #define JUNIPER_IFML_DFE 21 #define JUNIPER_IFML_ATM_CELLRELAY_CCC 22 #define JUNIPER_IFML_CRYPTO 23 #define JUNIPER_IFML_GGSN 24 #define JUNIPER_IFML_LSI_PPP 25 #define JUNIPER_IFML_LSI_CISCOHDLC 26 #define JUNIPER_IFML_PPP_TCC 27 #define JUNIPER_IFML_FRAMERELAY_TCC 28 #define JUNIPER_IFML_CISCOHDLC_TCC 29 #define JUNIPER_IFML_ETHERNET_CCC 30 #define JUNIPER_IFML_VT 31 #define JUNIPER_IFML_EXTENDED_VLAN_CCC 32 #define JUNIPER_IFML_ETHER_OVER_ATM 33 #define JUNIPER_IFML_MONITOR 34 #define JUNIPER_IFML_ETHERNET_TCC 35 #define JUNIPER_IFML_VLAN_TCC 36 #define JUNIPER_IFML_EXTENDED_VLAN_TCC 37 #define JUNIPER_IFML_CONTROLLER 38 #define JUNIPER_IFML_MFR 39 #define JUNIPER_IFML_LS 40 #define JUNIPER_IFML_ETHERNET_VPLS 41 #define JUNIPER_IFML_ETHERNET_VLAN_VPLS 42 #define JUNIPER_IFML_ETHERNET_EXTENDED_VLAN_VPLS 43 #define JUNIPER_IFML_LT 44 #define JUNIPER_IFML_SERVICES 45 #define JUNIPER_IFML_ETHER_VPLS_OVER_ATM 46 #define JUNIPER_IFML_FR_PORT_CCC 47 #define JUNIPER_IFML_FRAMERELAY_EXT_CCC 48 #define JUNIPER_IFML_FRAMERELAY_EXT_TCC 49 #define JUNIPER_IFML_FRAMERELAY_FLEX 50 #define JUNIPER_IFML_GGSNI 51 #define JUNIPER_IFML_ETHERNET_FLEX 52 #define JUNIPER_IFML_COLLECTOR 53 #define JUNIPER_IFML_AGGREGATOR 54 #define JUNIPER_IFML_LAPD 55 #define JUNIPER_IFML_PPPOE 56 #define JUNIPER_IFML_PPP_SUBORDINATE 57 #define JUNIPER_IFML_CISCOHDLC_SUBORDINATE 58 #define JUNIPER_IFML_DFC 59 #define JUNIPER_IFML_PICPEER 60 struct tok juniper_ifmt_values[] = { { JUNIPER_IFML_ETHER, "Ethernet" }, { JUNIPER_IFML_FDDI, "FDDI" }, { JUNIPER_IFML_TOKENRING, "Token-Ring" }, { JUNIPER_IFML_PPP, "PPP" }, { JUNIPER_IFML_PPP_SUBORDINATE, "PPP-Subordinate" }, { JUNIPER_IFML_FRAMERELAY, "Frame-Relay" }, { JUNIPER_IFML_CISCOHDLC, "Cisco-HDLC" }, { JUNIPER_IFML_SMDSDXI, "SMDS-DXI" }, { JUNIPER_IFML_ATMPVC, "ATM-PVC" }, { JUNIPER_IFML_PPP_CCC, "PPP-CCC" }, { JUNIPER_IFML_FRAMERELAY_CCC, "Frame-Relay-CCC" }, { JUNIPER_IFML_FRAMERELAY_EXT_CCC, "Extended FR-CCC" }, { JUNIPER_IFML_IPIP, "IP-over-IP" }, { JUNIPER_IFML_GRE, "GRE" }, { JUNIPER_IFML_PIM, "PIM-Encapsulator" }, { JUNIPER_IFML_PIMD, "PIM-Decapsulator" }, { JUNIPER_IFML_CISCOHDLC_CCC, "Cisco-HDLC-CCC" }, { JUNIPER_IFML_VLAN_CCC, "VLAN-CCC" }, { JUNIPER_IFML_EXTENDED_VLAN_CCC, "Extended-VLAN-CCC" }, { JUNIPER_IFML_MLPPP, "Multilink-PPP" }, { JUNIPER_IFML_MLFR, "Multilink-FR" }, { JUNIPER_IFML_MFR, "Multilink-FR-UNI-NNI" }, { JUNIPER_IFML_ML, "Multilink" }, { JUNIPER_IFML_LS, "LinkService" }, { JUNIPER_IFML_LSI, "LSI" }, { JUNIPER_IFML_ATM_CELLRELAY_CCC, "ATM-CCC-Cell-Relay" }, { JUNIPER_IFML_CRYPTO, "IPSEC-over-IP" }, { JUNIPER_IFML_GGSN, "GGSN" }, { JUNIPER_IFML_PPP_TCC, "PPP-TCC" }, { JUNIPER_IFML_FRAMERELAY_TCC, "Frame-Relay-TCC" }, { JUNIPER_IFML_FRAMERELAY_EXT_TCC, "Extended FR-TCC" }, { JUNIPER_IFML_CISCOHDLC_TCC, "Cisco-HDLC-TCC" }, { JUNIPER_IFML_ETHERNET_CCC, "Ethernet-CCC" }, { JUNIPER_IFML_VT, "VPN-Loopback-tunnel" }, { JUNIPER_IFML_ETHER_OVER_ATM, "Ethernet-over-ATM" }, { JUNIPER_IFML_ETHER_VPLS_OVER_ATM, "Ethernet-VPLS-over-ATM" }, { JUNIPER_IFML_MONITOR, "Monitor" }, { JUNIPER_IFML_ETHERNET_TCC, "Ethernet-TCC" }, { JUNIPER_IFML_VLAN_TCC, "VLAN-TCC" }, { JUNIPER_IFML_EXTENDED_VLAN_TCC, "Extended-VLAN-TCC" }, { JUNIPER_IFML_CONTROLLER, "Controller" }, { JUNIPER_IFML_ETHERNET_VPLS, "VPLS" }, { JUNIPER_IFML_ETHERNET_VLAN_VPLS, "VLAN-VPLS" }, { JUNIPER_IFML_ETHERNET_EXTENDED_VLAN_VPLS, "Extended-VLAN-VPLS" }, { JUNIPER_IFML_LT, "Logical-tunnel" }, { JUNIPER_IFML_SERVICES, "General-Services" }, { JUNIPER_IFML_PPPOE, "PPPoE" }, { JUNIPER_IFML_ETHERNET_FLEX, "Flexible-Ethernet-Services" }, { JUNIPER_IFML_FRAMERELAY_FLEX, "Flexible-FrameRelay" }, { JUNIPER_IFML_COLLECTOR, "Flow-collection" }, { JUNIPER_IFML_PICPEER, "PIC Peer" }, { JUNIPER_IFML_DFC, "Dynamic-Flow-Capture" }, {0, NULL} }; #define JUNIPER_IFLE_ATM_SNAP 2 #define JUNIPER_IFLE_ATM_NLPID 3 #define JUNIPER_IFLE_ATM_VCMUX 4 #define JUNIPER_IFLE_ATM_LLC 5 #define JUNIPER_IFLE_ATM_PPP_VCMUX 6 #define JUNIPER_IFLE_ATM_PPP_LLC 7 #define JUNIPER_IFLE_ATM_PPP_FUNI 8 #define JUNIPER_IFLE_ATM_CCC 9 #define JUNIPER_IFLE_FR_NLPID 10 #define JUNIPER_IFLE_FR_SNAP 11 #define JUNIPER_IFLE_FR_PPP 12 #define JUNIPER_IFLE_FR_CCC 13 #define JUNIPER_IFLE_ENET2 14 #define JUNIPER_IFLE_IEEE8023_SNAP 15 #define JUNIPER_IFLE_IEEE8023_LLC 16 #define JUNIPER_IFLE_PPP 17 #define JUNIPER_IFLE_CISCOHDLC 18 #define JUNIPER_IFLE_PPP_CCC 19 #define JUNIPER_IFLE_IPIP_NULL 20 #define JUNIPER_IFLE_PIM_NULL 21 #define JUNIPER_IFLE_GRE_NULL 22 #define JUNIPER_IFLE_GRE_PPP 23 #define JUNIPER_IFLE_PIMD_DECAPS 24 #define JUNIPER_IFLE_CISCOHDLC_CCC 25 #define JUNIPER_IFLE_ATM_CISCO_NLPID 26 #define JUNIPER_IFLE_VLAN_CCC 27 #define JUNIPER_IFLE_MLPPP 28 #define JUNIPER_IFLE_MLFR 29 #define JUNIPER_IFLE_LSI_NULL 30 #define JUNIPER_IFLE_AGGREGATE_UNUSED 31 #define JUNIPER_IFLE_ATM_CELLRELAY_CCC 32 #define JUNIPER_IFLE_CRYPTO 33 #define JUNIPER_IFLE_GGSN 34 #define JUNIPER_IFLE_ATM_TCC 35 #define JUNIPER_IFLE_FR_TCC 36 #define JUNIPER_IFLE_PPP_TCC 37 #define JUNIPER_IFLE_CISCOHDLC_TCC 38 #define JUNIPER_IFLE_ETHERNET_CCC 39 #define JUNIPER_IFLE_VT 40 #define JUNIPER_IFLE_ATM_EOA_LLC 41 #define JUNIPER_IFLE_EXTENDED_VLAN_CCC 42 #define JUNIPER_IFLE_ATM_SNAP_TCC 43 #define JUNIPER_IFLE_MONITOR 44 #define JUNIPER_IFLE_ETHERNET_TCC 45 #define JUNIPER_IFLE_VLAN_TCC 46 #define JUNIPER_IFLE_EXTENDED_VLAN_TCC 47 #define JUNIPER_IFLE_MFR 48 #define JUNIPER_IFLE_ETHERNET_VPLS 49 #define JUNIPER_IFLE_ETHERNET_VLAN_VPLS 50 #define JUNIPER_IFLE_ETHERNET_EXTENDED_VLAN_VPLS 51 #define JUNIPER_IFLE_SERVICES 52 #define JUNIPER_IFLE_ATM_ETHER_VPLS_ATM_LLC 53 #define JUNIPER_IFLE_FR_PORT_CCC 54 #define JUNIPER_IFLE_ATM_MLPPP_LLC 55 #define JUNIPER_IFLE_ATM_EOA_CCC 56 #define JUNIPER_IFLE_LT_VLAN 57 #define JUNIPER_IFLE_COLLECTOR 58 #define JUNIPER_IFLE_AGGREGATOR 59 #define JUNIPER_IFLE_LAPD 60 #define JUNIPER_IFLE_ATM_PPPOE_LLC 61 #define JUNIPER_IFLE_ETHERNET_PPPOE 62 #define JUNIPER_IFLE_PPPOE 63 #define JUNIPER_IFLE_PPP_SUBORDINATE 64 #define JUNIPER_IFLE_CISCOHDLC_SUBORDINATE 65 #define JUNIPER_IFLE_DFC 66 #define JUNIPER_IFLE_PICPEER 67 struct tok juniper_ifle_values[] = { { JUNIPER_IFLE_AGGREGATOR, "Aggregator" }, { JUNIPER_IFLE_ATM_CCC, "CCC over ATM" }, { JUNIPER_IFLE_ATM_CELLRELAY_CCC, "ATM CCC Cell Relay" }, { JUNIPER_IFLE_ATM_CISCO_NLPID, "CISCO compatible NLPID" }, { JUNIPER_IFLE_ATM_EOA_CCC, "Ethernet over ATM CCC" }, { JUNIPER_IFLE_ATM_EOA_LLC, "Ethernet over ATM LLC" }, { JUNIPER_IFLE_ATM_ETHER_VPLS_ATM_LLC, "Ethernet VPLS over ATM LLC" }, { JUNIPER_IFLE_ATM_LLC, "ATM LLC" }, { JUNIPER_IFLE_ATM_MLPPP_LLC, "MLPPP over ATM LLC" }, { JUNIPER_IFLE_ATM_NLPID, "ATM NLPID" }, { JUNIPER_IFLE_ATM_PPPOE_LLC, "PPPoE over ATM LLC" }, { JUNIPER_IFLE_ATM_PPP_FUNI, "PPP over FUNI" }, { JUNIPER_IFLE_ATM_PPP_LLC, "PPP over ATM LLC" }, { JUNIPER_IFLE_ATM_PPP_VCMUX, "PPP over ATM VCMUX" }, { JUNIPER_IFLE_ATM_SNAP, "ATM SNAP" }, { JUNIPER_IFLE_ATM_SNAP_TCC, "ATM SNAP TCC" }, { JUNIPER_IFLE_ATM_TCC, "ATM VCMUX TCC" }, { JUNIPER_IFLE_ATM_VCMUX, "ATM VCMUX" }, { JUNIPER_IFLE_CISCOHDLC, "C-HDLC" }, { JUNIPER_IFLE_CISCOHDLC_CCC, "C-HDLC CCC" }, { JUNIPER_IFLE_CISCOHDLC_SUBORDINATE, "C-HDLC via dialer" }, { JUNIPER_IFLE_CISCOHDLC_TCC, "C-HDLC TCC" }, { JUNIPER_IFLE_COLLECTOR, "Collector" }, { JUNIPER_IFLE_CRYPTO, "Crypto" }, { JUNIPER_IFLE_ENET2, "Ethernet" }, { JUNIPER_IFLE_ETHERNET_CCC, "Ethernet CCC" }, { JUNIPER_IFLE_ETHERNET_EXTENDED_VLAN_VPLS, "Extended VLAN VPLS" }, { JUNIPER_IFLE_ETHERNET_PPPOE, "PPPoE over Ethernet" }, { JUNIPER_IFLE_ETHERNET_TCC, "Ethernet TCC" }, { JUNIPER_IFLE_ETHERNET_VLAN_VPLS, "VLAN VPLS" }, { JUNIPER_IFLE_ETHERNET_VPLS, "VPLS" }, { JUNIPER_IFLE_EXTENDED_VLAN_CCC, "Extended VLAN CCC" }, { JUNIPER_IFLE_EXTENDED_VLAN_TCC, "Extended VLAN TCC" }, { JUNIPER_IFLE_FR_CCC, "FR CCC" }, { JUNIPER_IFLE_FR_NLPID, "FR NLPID" }, { JUNIPER_IFLE_FR_PORT_CCC, "FR CCC" }, { JUNIPER_IFLE_FR_PPP, "FR PPP" }, { JUNIPER_IFLE_FR_SNAP, "FR SNAP" }, { JUNIPER_IFLE_FR_TCC, "FR TCC" }, { JUNIPER_IFLE_GGSN, "GGSN" }, { JUNIPER_IFLE_GRE_NULL, "GRE NULL" }, { JUNIPER_IFLE_GRE_PPP, "PPP over GRE" }, { JUNIPER_IFLE_IPIP_NULL, "IPIP" }, { JUNIPER_IFLE_LAPD, "LAPD" }, { JUNIPER_IFLE_LSI_NULL, "LSI Null" }, { JUNIPER_IFLE_LT_VLAN, "LT VLAN" }, { JUNIPER_IFLE_MFR, "MFR" }, { JUNIPER_IFLE_MLFR, "MLFR" }, { JUNIPER_IFLE_MLPPP, "MLPPP" }, { JUNIPER_IFLE_MONITOR, "Monitor" }, { JUNIPER_IFLE_PIMD_DECAPS, "PIMd" }, { JUNIPER_IFLE_PIM_NULL, "PIM Null" }, { JUNIPER_IFLE_PPP, "PPP" }, { JUNIPER_IFLE_PPPOE, "PPPoE" }, { JUNIPER_IFLE_PPP_CCC, "PPP CCC" }, { JUNIPER_IFLE_PPP_SUBORDINATE, "" }, { JUNIPER_IFLE_PPP_TCC, "PPP TCC" }, { JUNIPER_IFLE_SERVICES, "General Services" }, { JUNIPER_IFLE_VLAN_CCC, "VLAN CCC" }, { JUNIPER_IFLE_VLAN_TCC, "VLAN TCC" }, { JUNIPER_IFLE_VT, "VT" }, {0, NULL} }; struct juniper_cookie_table_t { u_int32_t pictype; /* pic type */ u_int8_t cookie_len; /* cookie len */ const char *s; /* pic name */ }; static struct juniper_cookie_table_t juniper_cookie_table[] = { #ifdef DLT_JUNIPER_ATM1 { DLT_JUNIPER_ATM1, 4, "ATM1"}, #endif #ifdef DLT_JUNIPER_ATM2 { DLT_JUNIPER_ATM2, 8, "ATM2"}, #endif #ifdef DLT_JUNIPER_MLPPP { DLT_JUNIPER_MLPPP, 2, "MLPPP"}, #endif #ifdef DLT_JUNIPER_MLFR { DLT_JUNIPER_MLFR, 2, "MLFR"}, #endif #ifdef DLT_JUNIPER_MFR { DLT_JUNIPER_MFR, 4, "MFR"}, #endif #ifdef DLT_JUNIPER_PPPOE { DLT_JUNIPER_PPPOE, 0, "PPPoE"}, #endif #ifdef DLT_JUNIPER_PPPOE_ATM { DLT_JUNIPER_PPPOE_ATM, 0, "PPPoE ATM"}, #endif #ifdef DLT_JUNIPER_GGSN { DLT_JUNIPER_GGSN, 8, "GGSN"}, #endif #ifdef DLT_JUNIPER_MONITOR { DLT_JUNIPER_MONITOR, 8, "MONITOR"}, #endif #ifdef DLT_JUNIPER_SERVICES { DLT_JUNIPER_SERVICES, 8, "AS"}, #endif #ifdef DLT_JUNIPER_ES { DLT_JUNIPER_ES, 0, "ES"}, #endif { 0, 0, NULL } }; struct juniper_l2info_t { u_int32_t length; u_int32_t caplen; u_int32_t pictype; u_int8_t direction; u_int8_t header_len; u_int8_t cookie_len; u_int8_t cookie_type; u_int8_t cookie[8]; u_int8_t bundle; u_int16_t proto; u_int8_t flags; }; #define LS_COOKIE_ID 0x54 #define AS_COOKIE_ID 0x47 #define LS_MLFR_COOKIE_LEN 4 #define ML_MLFR_COOKIE_LEN 2 #define LS_MFR_COOKIE_LEN 6 #define ATM1_COOKIE_LEN 4 #define ATM2_COOKIE_LEN 8 #define ATM2_PKT_TYPE_MASK 0x70 #define ATM2_GAP_COUNT_MASK 0x3F #define JUNIPER_PROTO_NULL 1 #define JUNIPER_PROTO_IPV4 2 #define JUNIPER_PROTO_IPV6 6 #define MFR_BE_MASK 0xc0 /* static struct tok juniper_protocol_values[] = { { JUNIPER_PROTO_NULL, "Null" }, { JUNIPER_PROTO_IPV4, "IPv4" }, { JUNIPER_PROTO_IPV6, "IPv6" }, { 0, NULL} }; */ int ip_heuristic_guess(register const u_char *, u_int); int juniper_ppp_heuristic_guess(register const u_char *, u_int); int juniper_read_tlv_value(const u_char *, u_int, u_int); static int juniper_parse_header (const u_char *, const struct pcap_pkthdr *, struct juniper_l2info_t *); #endif #define ARGUS_HOLDING 1 struct ArgusSourceStruct { int state, status, proc; struct ArgusListStruct *ArgusDeviceList; struct ArgusListStruct *ArgusRfileList; struct ArgusModelerStruct *ArgusModel; char *ArgusInputFilter; struct ArgusAddrStruct ArgusID; int ArgusPcapBufSize, type, mode; struct timeval ArgusStartTime, ArgusEndTime, marktime, lasttime; int ArgusSnapLength, ArgusThisLength; unsigned char *ArgusThisSnapEnd; struct ieee80211_radiotap ArgusThisRadioTap; unsigned char ArgusInterfaceType; unsigned char ArgusInterfaceStatus; int Argustflag, sNflag, eNflag, kflag, pflag, uflag, tflag; float Tflag; pcap_if_t *ArgusPacketDevices; pcap_if_t *ArgusDevice; int ArgusInterfaceIndex, ArgusThisIndex, ArgusInterfaces; struct ArgusInterfaceStruct ArgusInterface[ARGUS_MAXINTERFACE]; struct ArgusSourceStruct *srcs[ARGUS_MAXINTERFACE]; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; pthread_cond_t cond; #endif #if defined(ARGUS_TILERA) netio_queue_t queue; #endif int ArgusInputPacketFileType; int ArgusReadingOffLine; int Argusbpflag, ArgusCaptureFlag; int Argusfflag, ArgusDumpPacket; int ArgusDumpPacketOnError; unsigned long ArgusPacketOffset; FILE *ArgusPacketInput; long ArgusInputOffset; int ArgusSnapLen, ArgusOflag, Arguspflag; char **ArgusArgv; int ArgusOptind; char *ArgusCmdBuf; char *ArgusWriteOutPacketFile; pcap_dumper_t *ArgusPcapOutFile; }; void ArgusParseSourceID (struct ArgusSourceStruct *, char *); int ArgusSnoopRead (struct ArgusSourceStruct *); void ArgusIpPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusArcnetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusTokenPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusAtmClipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusLoopPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusSlipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppBsdosPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusFddiPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusATMPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusSllPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11Packet (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusLtalkPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPrismPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11RadioPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11RadioAvsPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusEncPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusDagPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusJuniperPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusIpNetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusNullPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); struct callback { pcap_handler function; int type; char *fname; }; void ArgusSourceProcess (struct ArgusSourceStruct *); void *ArgusGetPackets (void *); struct ArgusDeviceStruct *ArgusCloneDevice(struct ArgusDeviceStruct *); int ArgusOpenInputPacketFile(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); pcap_handler Arguslookup_pcap_callback (int); pcap_handler Arguslookup_dag_callback (int); void Argusbpf_dump(struct bpf_program *, int); void setArgusRealTime (struct ArgusSourceStruct *, float value); float getArgusRealTime (struct ArgusSourceStruct *); unsigned int getArgusID(struct ArgusSourceStruct *); unsigned int getArgusIDType(struct ArgusSourceStruct *); void setArgusID(struct ArgusSourceStruct *src, void *ptr, unsigned int type); void setArgusMoatTshFile (struct ArgusSourceStruct *, int value); int getArgusMoatTshFile (struct ArgusSourceStruct *); void setArgusWriteOutPacketFile (struct ArgusSourceStruct *, char *); unsigned char getArgusInterfaceType(struct ArgusSourceStruct *); void setArgusInterfaceType(struct ArgusSourceStruct *, unsigned char); unsigned char getArgusInterfaceStatus(struct ArgusSourceStruct *); void setArgusInterfaceStatus(struct ArgusSourceStruct *, unsigned char); #if defined(ArgusSource) static struct callback ArgusSourceCallbacks[] = { #if defined(ARGUS_TILERA) #else { ArgusArcnetPacket, DLT_ARCNET, "ArgusArcnetPacket()" }, { ArgusEtherPacket, DLT_EN10MB, "ArgusEtherPacket()" }, { ArgusTokenPacket, DLT_IEEE802, "ArgusTokenPacket()" }, { ArgusSlipPacket, DLT_SLIP, "ArgusSlipPacket()" }, { ArgusSlipPacket, DLT_SLIP_BSDOS, "ArgusSlipPacket()" }, { ArgusPppPacket, DLT_PPP, "ArgusPppPacket()" }, { ArgusPppBsdosPacket, DLT_PPP_BSDOS, "ArgusPppBsdosPacket()" }, { ArgusFddiPacket, DLT_FDDI, "ArgusFddiPacket()" }, { ArgusATMPacket, DLT_ATM_RFC1483, "ArgusATMPacket()" }, { ArgusIpPacket, DLT_RAW, "ArgusIpPacket()" }, { ArgusNullPacket, DLT_NULL, "ArgusNullPacket()" }, #ifdef DLT_ENC { ArgusEncPacket, DLT_ENC, "ArgusEncPacket()" }, #endif #ifdef DLT_LANE8023 { ArgusLanePacket, DLT_LANE8023, "ArgusLanePacket()" }, #endif #ifdef DLT_CIP { ArgusCipPacket, DLT_CIP, "ArgusCipPacket()" }, #endif #ifdef DLT_ATM_CLIP { ArgusAtmClipPacket, DLT_ATM_CLIP, "ArgusAtmClipPacket()" }, #endif #ifdef DLT_LINUX_SLL { ArgusSllPacket, DLT_LINUX_SLL, "ArgusSllPacket()" }, #endif #ifdef DLT_LOOP { ArgusLoopPacket, DLT_LOOP, "ArgusLoopPacket()" }, #endif #ifdef DLT_C_HDLC { ArgusHdlcPacket, DLT_C_HDLC, "ArgusHdlcPacket()" }, #endif #ifdef DLT_HDLC { ArgusHdlcPacket, DLT_HDLC, "ArgusHdlcPacket()" }, #endif #ifdef DLT_PPP_SERIAL { ArgusPppHdlcPacket, DLT_PPP_SERIAL, "ArgusPppHdlcPacket()" }, #endif #ifdef DLT_PPP_ETHER { ArgusPppEtherPacket, DLT_PPP_ETHER, "ArgusPppEtherPacket()" }, #endif #ifdef DLT_LINUX_SLL { ArgusSllPacket, DLT_LINUX_SLL, "ArgusSllPacket()" }, #endif #ifdef DLT_IEEE802_11 { Argus802_11Packet, DLT_IEEE802_11, "Argus802_11Packet()"}, #endif #ifdef DLT_PRISM_HEADER { ArgusPrismPacket, DLT_PRISM_HEADER, "ArgusPrismPacket()" }, #endif #ifdef DLT_IEEE802_11_RADIO { Argus802_11RadioPacket, DLT_IEEE802_11_RADIO, "Argus802_11RadioPacket()" }, #endif #ifdef DLT_IEEE802_11_RADIO_AVS { Argus802_11RadioAvsPacket, DLT_IEEE802_11_RADIO_AVS, "Argus802_11RadioAvsPacket()" }, #endif #ifdef DLT_LTALK { ArgusLtalkPacket, DLT_LTALK, "ArgusLtalkPacket()" }, #endif #ifdef DLT_JUNIPER_ETHER { ArgusJuniperPacket, DLT_JUNIPER_ETHER, "ArgusJuniperPacket()" }, #endif #ifdef DLT_IPNET { ArgusIpNetPacket, DLT_IPNET, "ArgusIpNetPacket()" }, #endif { NULL, DLT_NULL, "" }, #endif { NULL, 0, NULL}, }; extern int Argustflag; struct ArgusSourceStruct *ArgusSourceTask = NULL; struct ArgusSourceStruct *ArgusNewSource(struct ArgusModelerStruct *); struct ArgusSourceStruct *ArgusCloneSource(struct ArgusSourceStruct *); int ArgusInitSource(struct ArgusSourceStruct *); int ArgusCloseSource(struct ArgusSourceStruct *); void ArgusDeleteSource(struct ArgusSourceStruct *); extern char *ArgusCopyArgv (char **argv); void setArgusOutputTask(void); void setArgusModeler(struct ArgusSourceStruct *); struct ArgusOutputStruct *getArgusOutputTask(void); struct ArgusModelerStruct *getArgusModeler(struct ArgusSourceStruct *); int getArgusSnapLen(struct ArgusSourceStruct *); void setArgusSnapLen(struct ArgusSourceStruct *, int); int getArgusbpflag(struct ArgusSourceStruct *); int getArgusfflag(struct ArgusSourceStruct *); int getArguspflag(struct ArgusSourceStruct *); int getArgusOflag(struct ArgusSourceStruct *); void setArgusbpflag(struct ArgusSourceStruct *, int); void setArgusfflag(struct ArgusSourceStruct *, int); void setArguspflag(struct ArgusSourceStruct *, int); void setArgusOflag(struct ArgusSourceStruct *, int); void setArgusCaptureFlag(struct ArgusSourceStruct *, int); void setArgusDevice(struct ArgusSourceStruct *, char *, int, int); void setArgusInfile(struct ArgusSourceStruct *, char *); void setArgusrfile(struct ArgusSourceStruct *, char *); void setArgusrFile(struct ArgusSourceStruct *, char *); char *getArgusDevice(struct ArgusSourceStruct *); char *getArgusInfile(struct ArgusSourceStruct *); char *getArgusrfile(struct ArgusSourceStruct *); void clearArgusDevice(struct ArgusSourceStruct *); int ArgusCreatePktFromFddi(const struct fddi_header *, struct ether_header *, int); #else /* defined(ArgusSource) */ extern struct ArgusSourceStruct *ArgusSourceTask; extern long long ArgusTotalPkts; extern long long ArgusLastPkts; extern long long ArgusTotalDrop; extern long long ArgusLastDrop; extern long long ArgusTotalBytes; extern long long ArgusLastBytes; extern struct ArgusSourceStruct *ArgusSourceTask; extern struct ArgusSourceStruct *ArgusNewSource(struct ArgusModelerStruct *); extern struct ArgusSourceStruct *ArgusCloneSource(struct ArgusSourceStruct *); extern int ArgusInitSource(struct ArgusSourceStruct *); extern int ArgusCloseSource(struct ArgusSourceStruct *); extern void ArgusDeleteSource(struct ArgusSourceStruct *); extern struct ArgusOutputStruct *getArgusOutputTask(struct ArgusSourceStruct *); extern void setArgusOutputTask(struct ArgusSourceStruct *); extern struct ArgusModelerStruct *getArgusModeler(struct ArgusSourceStruct *); extern void setArgusModeler(struct ArgusSourceStruct *); extern int getArgusSnapLen(struct ArgusSourceStruct *); extern void setArgusSnapLen(struct ArgusSourceStruct *, int); extern int getArgusbpflag(struct ArgusSourceStruct *); extern int getArgusfflag(struct ArgusSourceStruct *); extern int getArguspflag(struct ArgusSourceStruct *); extern int getArgusOflag(struct ArgusSourceStruct *); extern int getArgusMoatTshFile (struct ArgusSourceStruct *); extern void setArgusbpflag(struct ArgusSourceStruct *, int); extern void setArgusfflag(struct ArgusSourceStruct *, int); extern void setArguspflag(struct ArgusSourceStruct *, int); extern void setArgusOflag(struct ArgusSourceStruct *, int); extern void setArgusCaptureFlag(struct ArgusSourceStruct *, int); extern void setArgusMoatTshFile (struct ArgusSourceStruct *, int value); extern void setArgusWriteOutPacketFile (struct ArgusSourceStruct *, char *); extern void setArgusDevice(struct ArgusSourceStruct *, char *, int, int); extern void setArgusInfile(struct ArgusSourceStruct *, char *); extern void setArgusrfile(struct ArgusSourceStruct *, char *); extern char *getArgusDevice(struct ArgusSourceStruct *); extern char *getArgusInfile(struct ArgusSourceStruct *); extern char *getArgusrfile(struct ArgusSourceStruct *); extern void clearArgusDevice(struct ArgusSourceStruct *); #endif #endif /* #ifndef ArgusSource_h */ argus-3.0.8.2/argus/ArgusTcp.c000644 000765 000024 00000120551 12723604010 016442 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - TCP protocol * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusTcp.c#51 $ * $DateTime: 2015/07/02 10:42:46 $ * $Change: 3030 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusTcp) #define ArgusTcp #endif #include #include #include #include extern void ArgusZeroRecord(struct ArgusFlowStruct *); /* These tcp optinos do not have the size octet */ #define ZEROLENOPT(o) ((o) == TCPOPT_EOL || (o) == TCPOPT_NOP) #if !defined(TH_ECE) #define TH_ECE 0x40 #endif #if !defined(TH_CWR) #define TH_CWR 0x80 #endif void ArgusParseTCPOptions(struct ArgusModelerStruct *, struct tcphdr *, int, u_int *, struct ArgusTCPObjectMetrics *); void ArgusInitializeTCP (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusUpdateTCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateTCPSequence (struct ArgusModelerStruct *, struct ArgusFlowStruct *, struct tcphdr *); void ArgusTCPKeystroke (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateTCPStateMachine (struct ArgusModelerStruct *, struct ArgusFlowStruct *, struct tcphdr *); void ArgusTCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); #include #include void ArgusUpdateTCPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; struct tcphdr *thdr = (struct tcphdr *) model->ArgusThisUpHdr; struct tcphdr tcpbuf, *tcp = &tcpbuf; struct ArgusTCPObject *tcpExt = NULL; if (thdr && STRUCTCAPTURED(model, *thdr)) { int tcplen = model->ArgusThisLength; int tcphlen = thdr->th_off * 4; int tcpdatalen = tcplen - tcphlen; unsigned char flags = thdr->th_flags; #ifdef _LITTLE_ENDIAN bzero ((char *)tcp, sizeof(tcpbuf)); tcp->th_dport = ntohs(thdr->th_dport); tcp->th_sport = ntohs(thdr->th_sport); tcp->th_seq = ntohl(thdr->th_seq); tcp->th_ack = ntohl(thdr->th_ack); tcp->th_win = ntohs(thdr->th_win); tcp->th_flags = thdr->th_flags; #else bcopy ((char *) thdr, (char *)tcp, sizeof(tcpbuf)); #endif if (*state == ARGUS_START) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_INIT; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPInitStatus)+3))/4 + 1; net->hdr.argus_dsrvl8.qual = 0; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; tcpExt = &net->net_union.tcp; bzero ((char *)tcpExt, sizeof(*tcpExt)); model->ArgusSnapLength -= tcphlen; model->ArgusThisLength = tcpdatalen; model->ArgusThisUpHdr += tcphlen; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if ((tcphlen -= sizeof(*tcp)) > 0) ArgusParseTCPOptions (model, thdr, tcphlen, &tcpExt->options, ArgusThisTCPsrc); if (flags & TH_RST) { tcpExt->status |= ARGUS_RESET; ArgusThisTCPsrc->status |= ARGUS_RESET; tcpExt->state = TCPS_LISTEN; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; if (tcp->th_seq) { ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; } else { ArgusThisTCPsrc->seqbase = tcp->th_ack - 1; ArgusThisTCPsrc->seq = tcp->th_ack - 1; } ArgusThisTCPdst->ack = tcp->th_ack - 1; ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } else { switch (flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) { case (TH_SYN): tcpExt->status |= ARGUS_SAW_SYN; tcpExt->state = TCPS_SYN_SENT; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->seqbase = tcp->th_seq; ArgusThisTCPsrc->seq = tcp->th_seq; ArgusThisTCPsrc->win = tcp->th_win; ArgusThisTCPsrc->flags |= flags; if ((flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) tcpExt->options |= ARGUS_TCP_SRC_ECN; break; case (TH_SYN|TH_ACK): { tcpExt->status |= ARGUS_SAW_SYN_SENT; tcpExt->state = TCPS_SYN_RECEIVED; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->seqbase = tcp->th_seq; ArgusThisTCPsrc->seq = tcp->th_seq; ArgusThisTCPsrc->win = tcp->th_win; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPdst->ack = tcp->th_ack - 1; if ((tcp->th_flags & (TH_ECE|TH_CWR)) == TH_ECE) tcpExt->options |= ARGUS_TCP_DST_ECN; break; } case (TH_ACK): case (TH_PUSH|TH_ACK): case (TH_URG|TH_ACK): case (TH_PUSH|TH_URG|TH_ACK): ArgusThisTCPdst->ack = tcp->th_ack - 1; case (TH_PUSH): case (TH_URG): case (TH_PUSH|TH_URG): tcpExt->status |= ARGUS_CON_ESTABLISHED; tcpExt->state = TCPS_ESTABLISHED; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; ArgusThisTCPsrc->win = tcp->th_win; break; case (TH_FIN): case (TH_FIN|TH_ACK): tcpExt->status |= ARGUS_FIN; tcpExt->state = TCPS_FIN_WAIT_1; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; ArgusThisTCPsrc->win = tcp->th_win; break; default: tcpExt->status |= ARGUS_CON_ESTABLISHED; tcpExt->state = TCPS_CLOSING; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; if (!(flags & TH_RST)) ArgusThisTCPsrc->win = tcp->th_win; break; } ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } else { #define ARGUS_ECN_FLAGS (ARGUS_TCP_SRC_ECN | ARGUS_TCP_DST_ECN) tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } switch (tcpExt->state) { case TCPS_LISTEN: { if (flags & TH_SYN) { ArgusSendFlowRecord (model, flowstr, ARGUS_STOP); ArgusInitializeTCP (model, flowstr); ArgusRemoveFromQueue(flowstr->qhdr.queue, &flowstr->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flowstr->qhdr, ARGUS_LOCK); *state = ARGUS_START; // ArgusUpdateBasicFlow (model, flowstr, ARGUS_START); // ArgusUpdateTCPState (model, flowstr, state); } ArgusThisTCPsrc->flags |= flags; break; } default: { if (getArgusTCPflag(model)) { flowstr->canon.net.hdr.subtype = ARGUS_TCP_PERF; flowstr->canon.net.hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPObject)+3))/4 + 1; } else { flowstr->canon.net.hdr.subtype = ARGUS_TCP_STATUS; } model->ArgusSnapLength -= tcphlen; model->ArgusThisLength = tcpdatalen; model->ArgusThisUpHdr += tcphlen; if ((tcphlen - sizeof(*tcp)) > 0) ArgusParseTCPOptions (model, thdr, (tcphlen - sizeof(*tcp)), &tcpExt->options, ArgusThisTCPsrc); ArgusThisTCPsrc->flags |= flags; if ((tcpExt->options & ARGUS_ECN_FLAGS) && (flags & TH_ECE)) { if (flags & TH_ACK) { if (model->ArgusThisDir) { tcpExt->status |= ARGUS_SRC_CONGESTED; } else { tcpExt->status |= ARGUS_DST_CONGESTED; } } } if (ArgusUpdateTCPSequence(model, flowstr, tcp)) { switch (ArgusUpdateTCPStateMachine(model, flowstr, tcp)) { case TCPS_LISTEN: if (flags == TH_SYN) { ArgusThisTCPsrc->bytes -= model->ArgusThisLength; model->ArgusThisUpHdr -= tcphlen; model->ArgusThisLength = tcplen; model->ArgusSnapLength += tcphlen; ArgusRemoveFromQueue (flowstr->qhdr.queue, &flowstr->qhdr, ARGUS_LOCK); ArgusSendFlowRecord (model, flowstr, ARGUS_STOP); ArgusInitializeTCP (model, flowstr); ArgusPushQueue(model->ArgusStatusQueue, &flowstr->qhdr, ARGUS_LOCK); return; } break; case TCPS_CLOSED: case TCPS_TIME_WAIT: if (!(tcpExt->status & ARGUS_RESET)) tcpExt->status |= ARGUS_NORMAL_CLOSE; flowstr->timeout = 10; break; } } } ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } } } void ArgusInitializeTCP (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { struct ArgusSystemFlow *fdsr = (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX]; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flow->canon.net.net_union.tcp; bzero ((char *)tcpExt, sizeof(*tcpExt)); if (fdsr) { if (!(model->ArgusThisDir)) { fdsr->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION; fdsr->hdr.subtype &= ~ARGUS_REVERSE; } } flow->state = model->state & ARGUS_DIRECTION; model->ArgusThisDir = 1; flow->qhdr.lasttime = model->ArgusGlobalTime; ArgusUpdateFlow (model, flow, ARGUS_START, 0); } int ArgusUpdateTCPStateMachine (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, struct tcphdr *tcp) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; unsigned char flags = tcp->th_flags; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; unsigned int state = tcpExt->state; int len = model->ArgusThisLength; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if (flags & TH_RST) { tcpExt->status |= ARGUS_RESET; ArgusThisTCPsrc->status |= ARGUS_RESET; if (state == TCPS_SYN_SENT) { if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) state = TCPS_LISTEN; else state = TCPS_CLOSING; } else { if ((tcp->th_seq >= ArgusThisTCPsrc->ack) && (tcp->th_seq < (ArgusThisTCPsrc->ack + (ArgusThisTCPsrc->win >> ArgusThisTCPsrc->winshift)))) state = TCPS_CLOSED; else state = TCPS_CLOSING; } } else { switch (state) { case TCPS_LISTEN: case TCPS_SYN_SENT: if (flags == TH_SYN) { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } else if (flags == (TH_SYN|TH_ACK)) { if (ArgusThisTCPsrc->status & ARGUS_SAW_SYN) { state = TCPS_LISTEN; tcpExt->status |= ARGUS_SAW_SYN_SENT; ArgusThisTCPsrc->status |= ARGUS_SAW_SYN_SENT; } else { state = TCPS_SYN_RECEIVED; tcpExt->status |= ARGUS_SAW_SYN_SENT; ArgusThisTCPsrc->status |= ARGUS_SAW_SYN_SENT; if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) { struct timeval lasttime; lasttime.tv_sec = ArgusThisTCPdst->lasttime.tv_sec; lasttime.tv_usec = ArgusThisTCPdst->lasttime.tv_usec; tcpExt->synAckuSecs = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &lasttime); } } } else if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else if (flags & TH_ACK) { state = TCPS_ESTABLISHED; tcpExt->status |= ARGUS_CON_ESTABLISHED; ArgusThisTCPsrc->status |= ARGUS_CON_ESTABLISHED; /* flowstr->ArgusTimeout = ARGUS_IPTIMEOUT; */ } break; case TCPS_SYN_RECEIVED: if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else if (!(flags & TH_SYN)) { if (flags & TH_ACK) { state = TCPS_ESTABLISHED; tcpExt->status |= ARGUS_CON_ESTABLISHED; /* flowstr->ArgusTimeout = ARGUS_IPTIMEOUT; */ ArgusThisTCPsrc->status |= ARGUS_CON_ESTABLISHED; if (ArgusThisTCPsrc->seq == ArgusThisTCPdst->ack) { struct timeval lasttime; lasttime.tv_sec = ArgusThisTCPdst->lasttime.tv_sec; lasttime.tv_usec = ArgusThisTCPdst->lasttime.tv_usec; tcpExt->ackDatauSecs = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &lasttime); } } } else { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } break; case TCPS_ESTABLISHED: if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else { if (flags & TH_SYN) { if (flags & TH_ACK) { tcpExt->status |= ARGUS_SAW_SYN_SENT; tcpExt->status |= ARGUS_CON_ESTABLISHED; } ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } } break; case TCPS_CLOSE_WAIT: case TCPS_FIN_WAIT_1: if ((flags & TH_SYN) && !(flags & TH_ACK)) { state = TCPS_LISTEN; } else case TCPS_LAST_ACK: case TCPS_FIN_WAIT_2: if (flags & TH_FIN) { if (!(flags & TH_ACK)) { if (ArgusThisTCPdst->status & ARGUS_FIN_ACK) { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } } else { tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } } if ((flags & TH_ACK) && !(len)) { if (ArgusThisTCPdst->status & ARGUS_FIN) { if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) { state = TCPS_FIN_WAIT_2; tcpExt->status |= ARGUS_FIN_ACK; ArgusThisTCPdst->status |= ARGUS_FIN_ACK; } } } break; case TCPS_CLOSING: case TCPS_TIME_WAIT: if ((flags & TH_SYN) && !(flags & TH_ACK)) state = TCPS_LISTEN; else if (flags & TH_ACK) if ((ArgusThisTCPsrc->seq == ArgusThisTCPsrc->ack) && (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack)) state = TCPS_CLOSED; break; case TCPS_CLOSED: if ((flags & TH_SYN) && !(flags & TH_ACK)) state = TCPS_LISTEN; break; } } if (state != TCPS_LISTEN) tcpExt->state = state; return (state); } int ArgusUpdateTCPSequence (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, struct tcphdr *tcp) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; unsigned char flags = tcp->th_flags; int len = model->ArgusThisLength; int retn = 1, win, ArgusDuplicatePacket = 0; unsigned int maxseq = 0; unsigned int seq = tcp->th_seq; unsigned int newseq = seq + len; struct ArgusIPAttrStruct *attr = NULL; unsigned short ipid = 0, *tipid; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if ((attr = (struct ArgusIPAttrStruct *) flowstr->dsrs[ARGUS_IPATTR_INDEX]) != NULL) { if (model->ArgusThisDir) { if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) ipid = attr->src.ip_id; tipid = &flowstr->sipid; } else { if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) ipid = attr->dst.ip_id; tipid = &flowstr->dipid; } } if (flags == TH_SYN) /* we started over */ return (retn); model->ArgusInProtocol = 1; if (!(tcp->th_win) && !(flags & (TH_FIN|TH_RST))) { ArgusThisTCPsrc->status |= ARGUS_WINDOW_SHUT; model->ArgusInProtocol = 0; } else { if (!(flags & (TH_FIN|TH_RST))) { ArgusThisTCPsrc->win = tcp->th_win; } } if (len && (ArgusThisTCPdst->win != 0)) { ArgusThisTCPsrc->bytes += len; if (ArgusThisTCPsrc->winbytes == 0) model->ArgusInProtocol = 0; if (ArgusThisTCPsrc->flags & TH_FIN) { if (tcp->th_seq < ArgusThisTCPsrc->seq) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; } else if (!(flags & TH_FIN)) ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } if (!(flags & TH_SYN)) ArgusThisTCPsrc->winbytes += len; } else model->ArgusInProtocol = 0; if (newseq < seq) { /* we rolled over */ ArgusThisTCPsrc->ackbytes += ArgusThisTCPsrc->seq - ArgusThisTCPsrc->seqbase; /* ackbytes holds the number of rollover bytes */ ArgusThisTCPsrc->seqbase = newseq; ArgusThisTCPsrc->seq = newseq; } else { if (!ArgusThisTCPsrc->seqbase) { /* first packet in this direction */ ArgusThisTCPsrc->seqbase = seq; ArgusThisTCPsrc->seq = newseq; } else { if (len) { if (model->ArgusTrackDuplicates && (tipid && ((ipid != 0) && (*tipid == ipid)))) { if (model->ArgusThisDir) ArgusThisTCPsrc->status |= ARGUS_SRC_DUPLICATES; else ArgusThisTCPdst->status |= ARGUS_DST_DUPLICATES; ArgusDuplicatePacket = 1; } else { if (ArgusThisTCPdst->win != 0) { /* not first packet seen in this direction */ if (tcp->th_seq < ArgusThisTCPdst->ack) { if ((ArgusThisTCPdst->ack - tcp->th_seq) < (ArgusThisTCPsrc->win >> ArgusThisTCPsrc->winshift)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; model->ArgusInProtocol = 0; } } else { if (newseq > ArgusThisTCPsrc->seq) { maxseq = newseq; } else { maxseq = ArgusThisTCPsrc->seq; } if (ArgusThisTCPsrc->win) { int dipid; if (*tipid && ((dipid = (ipid - *tipid)) < 0) && (dipid > -5000)) { ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } else if (ArgusThisTCPsrc->winbytes > ((maxseq - 1) - ArgusThisTCPdst->ack)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; model->ArgusInProtocol = 0; } else { if (newseq < ArgusThisTCPsrc->seq) { if (tcp->th_seq == (ArgusThisTCPdst->ack + 1)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; } else { ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } } } } ArgusThisTCPsrc->seq = maxseq; } } *tipid = ipid; } } else { } } } if (!(ArgusDuplicatePacket)) { if (tcp->th_ack && (flags & TH_ACK)) { if (ArgusThisTCPsrc->ack) { if (ArgusThisTCPdst->seq > ArgusThisTCPsrc->ack) ArgusThisTCPdst->winbytes = (ArgusThisTCPdst->seq - 1) - ArgusThisTCPsrc->ack; } if (!(ArgusThisTCPsrc->ack == (tcp->th_ack - 1))) { if (!(ArgusThisTCPsrc->ack) || (ArgusThisTCPdst->seq == tcp->th_ack)) { ArgusThisTCPdst->winbytes = 0; if (!(ArgusThisTCPsrc->ack == (tcp->th_ack - 1))) if (ArgusThisTCPdst->seq == tcp->th_ack) ArgusThisTCPdst->winnum++; } else { if (!(flags & TH_SYN)) if (ArgusThisTCPsrc->ack) { win = (tcp->th_ack - 1) - ArgusThisTCPsrc->ack; win = (ArgusThisTCPdst->winbytes < win) ? ArgusThisTCPdst->winbytes : win; ArgusThisTCPdst->winbytes -= win; ArgusThisTCPdst->winnum++; } } ArgusThisTCPsrc->ack = tcp->th_ack - 1; } } } else retn = 0; /* ArgusInProtocol = 1; */ return (retn); } void ArgusTCPKeystroke (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusKeyStrokeConf *ArgusKeyStroke = &model->ArgusKeyStroke; struct tcphdr *thdr = (struct tcphdr *) model->ArgusThisUpHdr; struct tcphdr tcpbuf, *tcp = &tcpbuf; if (thdr && STRUCTCAPTURED(model, *thdr)) { int tcplen = model->ArgusThisLength; int tcphlen = thdr->th_off * 4; int tcpdatalen = tcplen - tcphlen; if (ArgusKeyStroke->status & ARGUS_SSH_KEYSTROKE) if (!(flowstr->status & ARGUS_SSH_MONITOR)) return; if (++flowstr->skey.n_pkts < ArgusKeyStroke->n_min) { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld flow_n_pkts(%d) < n_min(%d)\n", flowstr, model->ArgusTotalPacket, flowstr->skey.n_pkts, ArgusKeyStroke->n_min); #endif return; } else { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld flow_n_pkts(%d)\n", flowstr, model->ArgusTotalPacket, flowstr->skey.n_pkts); #endif } if (tcpdatalen > 0) { #ifdef _LITTLE_ENDIAN bzero ((char *)tcp, sizeof(tcpbuf)); tcp->th_dport = ntohs(thdr->th_dport); tcp->th_sport = ntohs(thdr->th_sport); tcp->th_seq = ntohl(thdr->th_seq); tcp->th_ack = ntohl(thdr->th_ack); tcp->th_win = ntohs(thdr->th_win); tcp->th_flags = thdr->th_flags; #else bcopy ((char *) thdr, (char *)tcp, sizeof(tcpbuf)); #endif if (ArgusKeyStroke->status & ARGUS_SSH_KEYSTROKE) { if (tcpdatalen % 4) { flowstr->status &= ~ARGUS_SSH_MONITOR; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: packet %lld flow %p ssh monitor and tcpdatalen(%d) not mod 4\n", flowstr->skey.n_pkts, flowstr, tcpdatalen); #endif return; } } if (flowstr->dsrs[ARGUS_BEHAVIOR_INDEX] == NULL) { flowstr->dsrs[ARGUS_BEHAVIOR_INDEX] = (struct ArgusDSRHeader *) &flowstr->canon.actor.hdr; flowstr->dsrindex |= 1 << ARGUS_BEHAVIOR_INDEX; } #define CLIENT 1 #define SERVER 0 switch (model->ArgusThisDir) { case CLIENT: { if ((tcpdatalen >= ArgusKeyStroke->dc_min) && (tcpdatalen <= ArgusKeyStroke->dc_max)) { int i = 0, found = 0; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld client packet seq(%u) size(%d) OK\n", flowstr, flowstr->skey.n_pkts, tcp->th_seq, tcpdatalen); #endif for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS && !found; i++) { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[i]; if (pkt->n_pno == 0) { // this is an empty slot, so use it struct timeval tvpbuf, *tvp = &tvpbuf; pkt->ts.tv_sec = model->ArgusGlobalTime.tv_sec; pkt->ts.tv_usec = model->ArgusGlobalTime.tv_usec; pkt->intpkt = ArgusDiffTime (&pkt->ts, &flowstr->skey.prev_c_ts, tvp); pkt->seq = tcp->th_seq + tcpdatalen; pkt->n_pno = flowstr->skey.n_pkts; found = 1; } } if (!found) { // don't have an empty slot, so create one. clear earliest packet number client packet. keep tentatives int lpno = 0x7FFFFFFF, npkt = -1; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[i]; if (pkt->status != ARGUS_KEYSTROKE_TENTATIVE) { if (pkt->n_pno < lpno) { npkt = i; lpno = pkt->n_pno; } } } if (npkt < 0) { // nothing but tentatives, so lets clear the tentative at index = 0 #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld no non-tentative packets to reject, clearing first\n", flowstr, flowstr->skey.n_pkts); #endif npkt = 0; } { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[npkt]; struct timeval tvpbuf, *tvp = &tvpbuf; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld clearing client %d seq(%u)\n", flowstr, flowstr->skey.n_pkts, npkt, pkt->seq); #endif pkt->ts.tv_sec = model->ArgusGlobalTime.tv_sec; pkt->ts.tv_usec = model->ArgusGlobalTime.tv_usec; pkt->intpkt = ArgusDiffTime (&pkt->ts, &flowstr->skey.prev_c_ts, tvp); pkt->seq = tcp->th_seq + tcpdatalen; pkt->n_pno = flowstr->skey.n_pkts; } } } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld client packet size(%d) NOK reset\n", flowstr, flowstr->skey.n_pkts, tcpdatalen); } #endif break; } case SERVER: { struct ArgusKeyStrokePacket *pkt = NULL; int i, found = 0, reject = 1; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS && !found; i++) { pkt = &flowstr->skey.data.pkts[i]; if ((pkt->status == 0) && (pkt->seq == tcp->th_ack)) found++; } if (found) { struct ArgusTime stime; stime.tv_sec = model->ArgusGlobalTime.tv_sec; stime.tv_usec = model->ArgusGlobalTime.tv_usec; if ((flowstr->skey.n_pkts - pkt->n_pno) <= ArgusKeyStroke->gs_max) { if ((tcpdatalen >= ArgusKeyStroke->ds_min) && (tcpdatalen <= ArgusKeyStroke->ds_max)) { struct timeval tvpbuf, *tvp = &tvpbuf; if (pkt->intpkt >= ArgusKeyStroke->ic_min) { long long slint = ArgusDiffTime (&stime, &flowstr->skey.prev_s_ts, tvp); float ic_ratio = (pkt->intpkt * 1.0) / (slint * 1.0); if ((ic_ratio >= ArgusKeyStroke->icr_min) && (ic_ratio <= ArgusKeyStroke->icr_max)) { if ((pkt->n_pno - flowstr->skey.prev_pno) <= ArgusKeyStroke->gpc_max) { int i; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld server keystroke ", flowstr, flowstr->skey.n_pkts); #endif flowstr->skey.n_strokes++; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld TENTATIVE packet %lld keystroke ", flowstr, flowstr->skey.n_pkts, tpkt->n_pno); #endif flowstr->skey.n_strokes++; bzero(tpkt, sizeof(*tpkt)); } } flowstr->skey.prev_pno = pkt->n_pno; flowstr->skey.prev_c_ts = pkt->ts; flowstr->skey.prev_s_ts = stime; bzero(pkt, sizeof(*pkt)); } else { for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) bzero(tpkt, sizeof(*tpkt)); } pkt->status = ARGUS_KEYSTROKE_TENTATIVE; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld server packet pc_gap(%d) > gpc_max(%d) TENTATIVE\n", flowstr, flowstr->skey.n_pkts, (pkt->n_pno - flowstr->skey.prev_pno) , ArgusKeyStroke->gpc_max); #endif flowstr->skey.prev_pno = pkt->n_pno; flowstr->skey.prev_c_ts = pkt->ts; flowstr->skey.prev_s_ts = stime; } reject = 0; } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld server ic_ratio(%f) out of range\n", flowstr, flowstr->skey.n_pkts, ic_ratio); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld rejected server IPA(%lld) < ic_min(%d)\n", flowstr, flowstr->skey.n_pkts, pkt->intpkt, ArgusKeyStroke->ic_min); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld rejected server packet size(%d)\n", flowstr, flowstr->skey.n_pkts, tcpdatalen); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld rejected server packet flow s_gap(%d) > gs_gap(%d)\n", flowstr, flowstr->skey.n_pkts, (flowstr->skey.n_pkts - pkt->n_pno), ArgusKeyStroke->gs_max); } #endif if (reject) { for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) bzero(tpkt, sizeof(*tpkt)); } bzero(pkt, sizeof(*pkt)); } } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld server packet ack(%u) no match\n", flowstr, flowstr->skey.n_pkts, tcp->th_ack); } #endif } } } #ifdef ARGUSDEBUG else { ArgusDebug (7, "ArgusTCPKeystroke: flow %p packet %lld %s packet rejected tcpdatalen(%d)\n", flowstr, flowstr->skey.n_pkts, (model->ArgusThisDir ? "server" : "client"), tcpdatalen); } #endif } } #include void ArgusTCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; net->hdr.argus_dsrvl8.qual = 0; tcp->status &= ~(ARGUS_RESET | ARGUS_PKTS_RETRANS | ARGUS_WINDOW_SHUT | ARGUS_OUTOFORDER | ARGUS_DUPLICATES); if (tcp->src.status & ARGUS_RESET) tcp->status |= ARGUS_SRC_RESET; if (tcp->dst.status & ARGUS_RESET) tcp->status |= ARGUS_DST_RESET; if (tcp->src.status & ARGUS_PKTS_RETRANS) tcp->status |= ARGUS_SRC_PKTS_RETRANS; if (tcp->dst.status & ARGUS_PKTS_RETRANS) tcp->status |= ARGUS_DST_PKTS_RETRANS; if (tcp->src.status & ARGUS_WINDOW_SHUT) tcp->status |= ARGUS_SRC_WINDOW_SHUT; if (tcp->dst.status & ARGUS_WINDOW_SHUT) tcp->status |= ARGUS_DST_WINDOW_SHUT; if (tcp->src.status & ARGUS_OUTOFORDER) tcp->status |= ARGUS_SRC_OUTOFORDER; if (tcp->dst.status & ARGUS_OUTOFORDER) tcp->status |= ARGUS_DST_OUTOFORDER; if (tcp->src.status & ARGUS_DUPLICATES) tcp->status |= ARGUS_SRC_DUPLICATES; if (tcp->dst.status & ARGUS_DUPLICATES) tcp->status |= ARGUS_DST_DUPLICATES; switch (net->hdr.subtype) { case ARGUS_TCP_INIT: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPInitStatus)+3))/4 + 1; break; case ARGUS_TCP_STATUS: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPStatus)+3))/4 + 1; break; case ARGUS_TCP_PERF: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPObject)+3))/4 + 1; break; } } void ArgusParseTCPOptions(struct ArgusModelerStruct *model, struct tcphdr *tcp, int len, u_int *options, struct ArgusTCPObjectMetrics *ArgusThisTCPsrc) { register const u_char *cp; register int i, opt, alen, datalen; if ((tcp != NULL)) { cp = (const u_char *)tcp + sizeof(*tcp); while (len > 0) { opt = *cp++; if (ZEROLENOPT(opt)) alen = 1; else { alen = *cp++; /* total including type, len */ if (alen < 2 || alen > len) goto bad; --len; /* account for length byte */ } --len; /* account for type byte */ datalen = 0; switch (opt) { case TCPOPT_MAXSEG: *options |= ARGUS_TCP_MAXSEG; datalen = 2; LENCHECK(model, datalen); break; case TCPOPT_EOL: break; case TCPOPT_NOP: break; case TCPOPT_WSCALE: *options |= ARGUS_TCP_WSCALE; datalen = 1; LENCHECK(model, datalen); ArgusThisTCPsrc->winshift = *cp; break; case TCPOPT_SACKOK: *options |= ARGUS_TCP_SACKOK; break; case TCPOPT_SACK: *options |= ARGUS_TCP_SACK; datalen = alen - 2; for (i = 0; i < datalen; i += 4) { LENCHECK(model, i + 4); } break; case TCPOPT_ECHO: *options |= ARGUS_TCP_ECHO; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_ECHOREPLY: *options |= ARGUS_TCP_ECHOREPLY; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_TIMESTAMP: *options |= ARGUS_TCP_TIMESTAMP; datalen = 8; LENCHECK(model, 4); LENCHECK(model, datalen); break; case TCPOPT_CC: *options |= ARGUS_TCP_CC; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_CCNEW: *options |= ARGUS_TCP_CCNEW; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_CCECHO: *options |= ARGUS_TCP_CCECHO; datalen = 4; LENCHECK(model, datalen); break; default: datalen = alen - 2; for (i = 0; i < datalen; ++i) LENCHECK(model, i); break; } cp += datalen; len -= datalen; ++datalen; /* option octet */ if (!ZEROLENOPT(opt)) ++datalen; /* size octet */ if (opt == TCPOPT_EOL) break; } } bad: trunc: { } } argus-3.0.8.2/argus/ArgusUdp.c000444 000765 000024 00000004236 12513222401 016440 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - UDP protocol * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusUdp.c#16 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusUdp) #define ArgusUdp #endif #include #include #include #include #include #include struct bootp *bp; void ArgusUpdateUDPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udphdr *up = (struct udphdr *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(up + 1); if (STRUCTCAPTURED(model, *up)) { model->ArgusThisLength -= sizeof(*up); model->ArgusSnapLength -= sizeof(*up); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) { flowstr->timeout = ARGUS_IPTIMEOUT; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDPState(0x%x, %d) returning\n", flowstr, state); #endif } #include void ArgusUDPFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); void ArgusUDPFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } argus-3.0.8.2/argus/ArgusUdt.c000444 000765 000024 00000071221 12544323725 016461 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Udt protocol processing * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusUdt.c#10 $ * $DateTime: 2015/06/29 16:17:25 $ * $Change: 3027 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusUdt) #define ArgusUdt #endif #include #include #include #include #include #include struct bootp *bp; struct ArgusSystemFlow * ArgusCreateUDTFlow (struct ArgusModelerStruct *model, struct udt_header *udt) { struct ArgusSystemFlow *retn = NULL; struct ArgusSystemFlow *tflow = model->ArgusThisFlow; if (STRUCTCAPTURED(model, *udt)) { struct ether_header *ep = model->ArgusThisMacHdr; if (ep != NULL) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { int dstgteq = 1, i; tflow->hdr.type = ARGUS_FLOW_DSR; tflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UDT; tflow->hdr.argus_dsrvl8.len = 6; #ifndef ETH_ALEN #define ETH_ALEN 6 #endif for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) { if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } } if (dstgteq) { bcopy ((char *) ep, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr.ether_shost, ETH_ALEN); tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = ep->ether_type; } if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_ISIS: tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = ARGUS_ISIS; break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { tflow->udt_flow.mac.mac_union.ether.ssap = model->ArgusThisLLC->ssap; tflow->udt_flow.mac.mac_union.ether.dsap = model->ArgusThisLLC->dsap; } else { tflow->udt_flow.mac.mac_union.ether.ssap = model->ArgusThisLLC->dsap; tflow->udt_flow.mac.mac_union.ether.dsap = model->ArgusThisLLC->ssap; } } else { tflow->udt_flow.mac.mac_union.ether.ssap = 0; tflow->udt_flow.mac.mac_union.ether.dsap = 0; } switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); tflow->udt_flow.sockid = EXTRACT_32BITS(&udtc->sockid); break; } case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; tflow->udt_flow.sockid = EXTRACT_32BITS(&udtd->sockid); break; } } if (model->state & ARGUS_DIRECTION) { tflow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; tflow->hdr.subtype |= ARGUS_REVERSE; } retn = tflow; } } } return (retn); } void ArgusUpdateUDToEState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDTState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDToEState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udtoe_header *udt = (struct udtoe_header *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(udt + 1); if (STRUCTCAPTURED(model, *udt)) { model->ArgusThisLength -= sizeof(*udt); model->ArgusSnapLength -= sizeof(*udt); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; struct ArgusUDTObjectMetrics *ArgusThisUdtMetric; if (model->ArgusThisDir) { ArgusThisUdtMetric = &net->net_union.udt.src; } else { ArgusThisUdtMetric = &net->net_union.udt.dst; } if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) flowstr->timeout = ARGUS_IPTIMEOUT; switch (udt->un_udt.cntl.type & UDTOE_PACKET_MASK) { case UDTOE_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); unsigned char type = ((udtc->type & 0x7F) >> 3); model->ArgusThisLength -= 48; switch (type & UDTOE_CONTROL_TYPE_MASK) { case UDTOE_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; hshake->version = ntohl(hshake->version); hshake->socktype = ntohl(hshake->socktype); hshake->initseq = ntohl(hshake->initseq); hshake->psize = ntohl(hshake->psize); hshake->wsize = ntohl(hshake->wsize); hshake->conntype = ntohl(hshake->conntype); hshake->sockid = ntohl(hshake->sockid); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_HANDSHAKE type %d seqNum %d size %d maxWin %d conn %d sockid 0x%x\n", flowstr, *state, hshake->socktype, hshake->initseq, hshake->psize, hshake->wsize, hshake->conntype, hshake->sockid); #endif break; } case UDTOE_CONTROL_KEEPALIVE: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_KEEPALIVE\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_ACK: { struct udt_control_ack *ack = (void *) (udtc + 1); int len = model->ArgusThisLength/4; if (len--) { ArgusThisUdtMetric->ack = ntohl(ack->ackseqnum); if (len--) { ArgusThisUdtMetric->rtt = ntohl(ack->rtt); if (len--) { ArgusThisUdtMetric->var = ntohl(ack->var); if (len--) { ArgusThisUdtMetric->bsize = ntohl(ack->bsize); if (ack->bsize == 0) { net->net_union.udt.status |= ARGUS_WINDOW_SHUT; } if (len--) { ArgusThisUdtMetric->rate = ntohl(ack->rate); if (len--) { ArgusThisUdtMetric->lcap = ntohl(ack->lcap); }}}}}} #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACK, sockid 0x%x ack = 0x%x\n", flowstr, *state, ntohl(udtc->sockid), net->net_union.udt.src.ack); #endif break; } case UDTOE_CONTROL_NAK: { struct udt_control_nak *nak = (void *) (udtc + 1); int num = 0, len = model->ArgusThisLength/4; unsigned int *sptr = &nak->seqnum; int i, fitem, sseq, eseq, range; #ifdef ARGUSDEBUG char buf[256]; *buf = '\0'; #endif for (i = 0, fitem = 0; i < len; i++, sptr++) { *sptr = ntohl(*sptr); if (*sptr & 0x80000000) { sseq = *sptr & 0x7FFFFFFF; range = 1; } else { eseq = *sptr; if (range) { #ifdef ARGUSDEBUG if (fitem++) sprintf(&buf[strlen(buf)], ",0x%x-0x%x", sseq, eseq); else sprintf(&buf[strlen(buf)], "0x%x-0x%x", sseq, eseq); #endif num += (eseq - sseq) + 1; range = 0; } else { #ifdef ARGUSDEBUG if (fitem++) sprintf(&buf[strlen(buf)], ",0x%x", eseq); else sprintf(&buf[strlen(buf)], "0x%x", eseq); #endif fitem++; num++; } } } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_NAK, sockid 0x%x nak.comp[%d] num %d %s", flowstr, *state, ntohl(udtc->sockid), len, num, buf); #endif if (num) ArgusThisUdtMetric->nacked += num; break; } case UDTOE_CONTROL_CONGEST: { net->net_union.udt.status |= ARGUS_ECN_CONGESTED; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_CONGEST, sockid 0x%x", flowstr, *state, ntohl(udtc->sockid)); #endif break; } case UDTOE_CONTROL_SHUTDOWN: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_SHUTDOWN\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_ACKACK: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACKACK\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) if (net != NULL) net->net_union.udt.status |= ARGUS_UDT_FIRSTDROPZERO; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_DROPREQ\n", flowstr, *state); #endif break; } default: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_UNKNOWN\n", flowstr, *state); #endif break; } } break; } /* struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src; }; */ case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; unsigned int seqnum = ntohl(udtd->seqnum); unsigned int msgnum = ntohl(udtd->msgnum); unsigned int tstamp = ntohl(udtd->tstamp); #ifdef ARGUSDEBUG unsigned int sockid = ntohl(udtd->sockid); #endif int seq = ArgusThisUdtMetric->seq; int loss = 0;; #define ARGUS_UDT_MSGTYPE 0xC0000000 #define ARGUS_UDT_SOLO_MSG 0xC0000000 #define ARGUS_UDT_FIRST_MSG 0x80000000 #define ARGUS_UDT_MIDDLE_MSG 0x00000000 #define ARGUS_UDT_LAST_MSG 0x40000000 switch (msgnum & ARGUS_UDT_MSGTYPE) { case ARGUS_UDT_SOLO_MSG: ArgusThisUdtMetric->solo++; break; case ARGUS_UDT_FIRST_MSG: ArgusThisUdtMetric->first++; break; case ARGUS_UDT_MIDDLE_MSG: ArgusThisUdtMetric->middle++; break; case ARGUS_UDT_LAST_MSG: ArgusThisUdtMetric->last++; break; } /* msgnum &= 0x1FFFFFFF; */ if (seqnum == (seq + 1)) { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } else { if (seq > 0) { if (seqnum > (seq + 2)) { loss = seqnum - (seq + 1); ArgusThisUdtMetric->drops += loss; net->net_union.udt.status |= ARGUS_PKTS_DROP; ArgusThisUdtMetric->seq = seqnum; } else { if (seqnum != (seq + 1)) { ArgusThisUdtMetric->retrans++; net->net_union.udt.status |= ARGUS_PKTS_RETRANS; } else { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } } } else { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_DATA_PACKET seq 0x%x msgnum 0x%x tstmp 0x%x sockid 0x%x loss %d\n", flowstr, *state, seqnum, msgnum, tstamp, sockid, loss); #endif break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDToEState(%p, %d) returning\n", flowstr, *state); #endif } void ArgusUpdateUDTState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udt_header *udt = (struct udt_header *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(udt + 1); if (STRUCTCAPTURED(model, *udt)) { model->ArgusThisLength -= sizeof(*udt); model->ArgusSnapLength -= sizeof(*udt); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) flowstr->timeout = ARGUS_IPTIMEOUT; switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udt_control_hdr *udtc = (void *) udt; unsigned short type = EXTRACT_16BITS(&udtc->type); switch (type & UDT_CONTROL_TYPE_MASK) { case UDT_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; } else { } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_HANDSHAKE\n", flowstr, *state); #endif break; } case UDT_CONTROL_KEEPALIVE: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_KEEPALIVE\n", flowstr, *state); #endif break; } case UDT_CONTROL_ACK: { struct udt_control_ack *ack = (void *) (udtc + 1); int len = model->ArgusThisLength/4; if (len--) { net->net_union.udt.src.ack = ntohl(ack->ackseqnum); if (len--) { net->net_union.udt.src.rtt = ntohl(ack->rtt); if (len--) { net->net_union.udt.src.var = ntohl(ack->var); if (len--) { net->net_union.udt.src.bsize = ntohl(ack->bsize); if (ack->bsize == 0) { net->net_union.udt.status |= ARGUS_WINDOW_SHUT; } if (len--) { net->net_union.udt.src.rate = ntohl(ack->rate); if (len--) { net->net_union.udt.src.lcap = ntohl(ack->lcap); }}}}}} #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_ACK, sockid 0x%x ack = 0x%x\n", flowstr, *state, udtc->sockid, net->net_union.udt.src.ack); #endif break; } case UDT_CONTROL_NAK: { struct udt_control_nak *nak = (void *) (udtc + 1); int num = 0, len = model->ArgusThisLength/4; unsigned int *sptr = &nak->seqnum, value; int i, fitem, sseq, eseq, range; #ifdef ARGUSDEBUG char buf[256]; *buf = '\0'; #endif for (i = 0, fitem = 0; i < len; i++, sptr++) { if (BYTESCAPTURED(ArgusModel, sptr, 4)) { value = ntohl(*sptr); if (value & 0x80000000) { sseq = value & 0x7FFFFFFF; range = 1; } else { #ifdef ARGUSDEBUG int slen = sizeof(buf) - strlen(buf); #endif eseq = value; if (range) { #ifdef ARGUSDEBUG if (fitem++) snprintf(&buf[strlen(buf)], slen, ",0x%x-0x%x", sseq, eseq); else snprintf(&buf[strlen(buf)], slen, "0x%x-0x%x", sseq, eseq); #endif num += (eseq - sseq) + 1; range = 0; } else { #ifdef ARGUSDEBUG if (fitem++) snprintf(&buf[strlen(buf)], slen, ",0x%x", eseq); else snprintf(&buf[strlen(buf)], slen, "0x%x", eseq); #endif fitem++; num++; } } } else break; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_NAK, sockid 0x%x nak.comp[%d] num %d %s", flowstr, *state, udtc->sockid, len, num, buf); #endif if (num) net->net_union.udt.src.nacked += num; break; } case UDT_CONTROL_CONGEST: { net->net_union.udt.status |= ARGUS_ECN_CONGESTED; break; } case UDT_CONTROL_SHUTDOWN: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_SHUTDOWN\n", flowstr, *state); #endif break; } case UDT_CONTROL_ACKACK: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_ACKACK\n", flowstr, *state); #endif break; } case UDT_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) if (net != NULL) net->net_union.udt.status |= ARGUS_UDT_FIRSTDROPZERO; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_DROPREQ\n", flowstr, *state); #endif break; } default: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_UNKNOWN\n", flowstr, *state); #endif break; } } break; } /* struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src; }; */ case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; unsigned int seqnum = ntohl(udtd->seqnum); unsigned int msgnum = ntohl(udtd->msgnum); unsigned int tstamp = ntohl(udtd->tstamp); #ifdef ARGUSDEBUG unsigned int sockid = ntohl(udtd->sockid); #endif int loss = 0; #define ARGUS_UDT_MSGTYPE 0xC0000000 #define ARGUS_UDT_SOLO_MSG 0xC0000000 #define ARGUS_UDT_FIRST_MSG 0x80000000 #define ARGUS_UDT_MIDDLE_MSG 0x00000000 #define ARGUS_UDT_LAST_MSG 0x40000000 switch (msgnum & ARGUS_UDT_MSGTYPE) { case ARGUS_UDT_SOLO_MSG: net->net_union.udt.src.solo++; break; case ARGUS_UDT_FIRST_MSG: net->net_union.udt.src.first++; break; case ARGUS_UDT_MIDDLE_MSG: net->net_union.udt.src.middle++; break; case ARGUS_UDT_LAST_MSG: net->net_union.udt.src.last++; break; } /* msgnum &= 0x1FFFFFFF; */ if (net->net_union.udt.src.seq > 0) { if (seqnum > (net->net_union.udt.src.seq + 2)) { loss = seqnum - (net->net_union.udt.src.seq + 1); net->net_union.udt.src.drops += loss; net->net_union.udt.status |= ARGUS_PKTS_DROP; net->net_union.udt.src.seq = seqnum; } else { if (seqnum != (net->net_union.udt.src.seq + 1)) { net->net_union.udt.src.retrans++; net->net_union.udt.status |= ARGUS_PKTS_RETRANS; } else { net->net_union.udt.src.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; net->net_union.udt.src.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; net->net_union.udt.src.tstamp = tstamp; net->net_union.udt.src.seq = seqnum; } } } else { net->net_union.udt.src.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; net->net_union.udt.src.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; net->net_union.udt.src.tstamp = tstamp; net->net_union.udt.src.seq = seqnum; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_DATA_PACKET seq 0x%x msgnum 0x%x tstmp 0x%x sockid 0x%x loss %d\n", flowstr, *state, seqnum, msgnum, tstamp, sockid, loss); #endif break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDTState(%p, %d) returning\n", flowstr, *state); #endif } #include void ArgusUDTFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); void ArgusUDTFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } struct udt_control_handshake *ArgusThisUdtHshake = NULL; int ArgusParseUDToEHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); int ArgusParseUDToEHeader (struct ArgusModelerStruct *model, struct udt_header *udt, unsigned int *status) { int retn = 0; ArgusThisUdtHshake = NULL; if (STRUCTCAPTURED(model, *udt)) { switch (udt->un_udt.cntl.type & UDTOE_PACKET_MASK) { case UDTOE_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); switch ((udtc->type & 0x7F) >> 3) { case UDTOE_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; retn = 1; } else *status |= ARGUS_UDT_BADVERSION; break; } case UDTOE_CONTROL_KEEPALIVE: retn = 1; break; case UDTOE_CONTROL_ACK: { retn = 1; break; } case UDTOE_CONTROL_NAK: retn = 1; break; case UDTOE_CONTROL_SHUTDOWN: retn = 1; break; case UDTOE_CONTROL_ACKACK: retn = 1; break; case UDTOE_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) *status |= ARGUS_UDT_FIRSTDROPZERO; retn = 1; break; } } break; } case UDT_DATA_PACKET: retn = 1; break; } } return (retn); } int ArgusParseUDTHeader (struct ArgusModelerStruct *model, struct udt_header *udt, unsigned int *status) { int retn = 0; ArgusThisUdtHshake = NULL; if (STRUCTCAPTURED(model, *udt)) { switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udt_control_hdr *udtc = (void *) udt; switch ((ntohs(udtc->type) & 0x78) >> 3) { case UDT_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udt + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; retn = 1; } else *status |= ARGUS_UDT_BADVERSION; break; } case UDT_CONTROL_KEEPALIVE: retn = 1; break; case UDT_CONTROL_ACK: { /* struct udt_control_ack *ack = (void *) (udt + 1); */ retn = 1; break; } case UDT_CONTROL_NAK: retn = 1; break; case UDT_CONTROL_SHUTDOWN: retn = 1; break; case UDT_CONTROL_ACKACK: retn = 1; break; case UDT_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udt + 1); if (drop->firstseqnum == 0) *status |= ARGUS_UDT_FIRSTDROPZERO; retn = 1; break; } } break; } case UDT_DATA_PACKET: retn = 1; break; } } return (retn); } argus-3.0.8.2/argus/ArgusUtil.c000444 000765 000024 00000236223 12560744055 016650 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Utilities * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/argus/argus/argus/ArgusUtil.c#88 $ * $DateTime: 2015/08/06 16:35:55 $ * $Change: 3044 $ */ /* ArgusUtil.c */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #define _GNU_SOURCE #if !defined(ArgusUtil) #define ArgusUtil #endif #include #include #include #include #if defined(HAVE_SYS_VFS_H) #include #else #include #include #endif #if defined(ARGUS_THREADS) #include #endif #if defined(ARGUS_SASL) #include #endif #define Argus_Parser #include #include #include #include #include long long ArgusTimeDiff (struct timeval *start, struct timeval *stop) { long long retn, stime, etime; stime = (start->tv_sec * 1000000LL) + start->tv_usec; etime = (stop->tv_sec * 1000000LL) + stop->tv_usec; retn = stime - etime; return (retn); } unsigned long long ArgusAbsTimeDiff (struct timeval *start, struct timeval *stop) { unsigned long long retn = 0; struct timeval *t1 = start, *t2 = stop; if ((stop->tv_sec < start->tv_sec) || ((stop->tv_sec == start->tv_sec) && (stop->tv_usec < start->tv_usec))) { t2 = start; t1 = stop; } retn = ((t2->tv_sec * 1000000LL) + t2->tv_usec) - ((t1->tv_sec * 1000000LL) + t1->tv_usec); return (retn); } struct ArgusListStruct * ArgusNewList () { struct ArgusListStruct *retn = NULL; if ((retn = (struct ArgusListStruct *) ArgusCalloc (1, sizeof (struct ArgusListStruct))) != NULL) { retn->start = NULL; retn->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); pthread_cond_init(&retn->cond, NULL); #endif } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewList () returning %p\n", retn); #endif return (retn); } void ArgusDeleteList (struct ArgusListStruct *list, int type) { if (list) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteList (%p, %d) %d items on list\n", list, type, list->count); #endif while (list->start) { struct ArgusListRecord *retn = ArgusPopFrontList(list, ARGUS_LOCK); switch (type) { case ARGUS_RFILE_LIST: { struct ArgusRfileStruct *rfile = (struct ArgusRfileStruct *) retn; if (rfile->name != NULL) free(rfile->name); ArgusFree(retn); break; } case ARGUS_WFILE_LIST: { struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) retn; if (wfile->filename != NULL) free(wfile->filename); if (wfile->filter != NULL) free(wfile->filter); ArgusFree(retn); break; } case ARGUS_DEVICE_LIST: { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) retn; if (device->name != NULL) free(device->name); ArgusFree(retn); break; } case ARGUS_OUTPUT_LIST: ArgusFreeListRecord(retn); break; case ARGUS_EVENT_LIST: { struct ArgusListObjectStruct *lobj = (struct ArgusListObjectStruct *) retn; if (lobj->obj != NULL) { ArgusFree(lobj); } ArgusFree(retn); break; } case ARGUS_BIND_ADDR_LIST: { struct ArgusBindAddrStruct *baddr = (struct ArgusBindAddrStruct *) retn; if (baddr->addr != NULL) { free(baddr->addr); } ArgusFree(retn); break; } } } #if defined(ARGUS_THREADS) pthread_cond_destroy(&list->cond); pthread_mutex_destroy(&list->lock); #endif ArgusFree (list); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteList (%p, %d) returning\n", list, type); #endif } int ArgusListEmpty (struct ArgusListStruct *list) { return (list->count == 0); } int ArgusGetListCount(struct ArgusListStruct *list) { return (list->count); } int ArgusPushFrontList(struct ArgusListStruct *list, struct ArgusListRecord *rec, int lstat) { int retn = 0; if (list && rec) { #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if (list->start) { rec->nxt = list->start; } else { rec->nxt = NULL; } list->start = (struct ArgusListObjectStruct *) rec; if (list->end == NULL) list->end = (struct ArgusListObjectStruct *) rec; list->count++; list->pushed++; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif retn++; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusPushFrontList (%p, %p, %d) returning %p\n", list, rec, lstat); #endif return (retn); } int ArgusPushBackList(struct ArgusListStruct *list, struct ArgusListRecord *rec, int lstat) { int retn = 0; if (list && rec) { rec->nxt = NULL; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if (list->end) { list->end->nxt = (struct ArgusListObjectStruct *) rec; } else { list->start = (struct ArgusListObjectStruct *) rec; } list->end = (struct ArgusListObjectStruct *) rec; list->count++; list->pushed++; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif retn++; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusPushBackList (%p, %p, %d) returning %d\n", list, rec, lstat, retn); #endif return (retn); } void ArgusLoadList(struct ArgusListStruct *l1, struct ArgusListStruct *l2) { if (l1 && l2) { int count; #if defined(ARGUS_THREADS) pthread_mutex_lock(&l1->lock); pthread_mutex_lock(&l2->lock); #endif count = l1->count; if (l2->start == NULL) l2->start = l1->start; else l2->end->nxt = l1->start; l2->end = l1->end; l2->count += count; l1->start = NULL; l1->end = NULL; l1->loaded += count; l1->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&l2->lock); pthread_mutex_unlock(&l1->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusLoadList (%p, %p) load %d objects\n", l1, l2, count); #endif } } struct ArgusListRecord * ArgusPopFrontList(struct ArgusListStruct *list, int lstat) { struct ArgusListRecord *retn = NULL; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if ((retn = (struct ArgusListRecord *) list->start)) { list->start = retn->nxt; list->count--; list->popped++; if (list->start == NULL) { list->end = NULL; if (list->count != 0) ArgusLog (LOG_ERR, "ArgusPopFrontList(%p, %d) list empty count is %d\n", list, lstat, list->count); } } #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusPopFrontList (%p) returning\n", retn); #endif return (retn); } struct ArgusQueueStruct * ArgusNewQueue () { struct ArgusQueueStruct *retn = NULL; if ((retn = (struct ArgusQueueStruct *) ArgusCalloc (1, sizeof (struct ArgusQueueStruct))) != NULL) { retn->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif retn->start = NULL; retn->end = NULL; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewQueue () returning %p\n", retn); #endif return (retn); } void ArgusDeleteQueue (struct ArgusQueueStruct *queue) { struct ArgusQueueHeader *obj = NULL; if (queue != NULL) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&queue->lock); #endif #ifdef ARGUSDEBUG if (queue->count > 0) ArgusDebug (1, "ArgusDeleteQueue (%p) contains %d items\n", queue, queue->count); #endif while ((obj = ArgusPopQueue(queue, ARGUS_LOCK))) ArgusFree(obj); if (queue->array != NULL) { ArgusFree(queue->array); queue->array = NULL; } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&queue->lock); #endif #if defined(ARGUS_THREADS) pthread_mutex_destroy(&queue->lock); #endif ArgusFree(queue); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteQueue (%p) returning\n", queue); #endif } int ArgusGetQueueCount(struct ArgusQueueStruct *queue) { #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusGetQueueCount (%p) returning %d\n", queue, queue->count); #endif return (queue->count); } void ArgusPushQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((ArgusAddToQueue (queue, obj, ARGUS_NOLOCK)) > 0) { queue->start = queue->start->prv; queue->end = queue->start->prv; } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPushQueue (%p, %p) returning\n", queue, obj); #endif } int ArgusAddToQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { int retn = 0; if (queue && obj) { if (obj->queue == NULL) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if (queue->start != NULL) { obj->prv = queue->start->prv; queue->start->prv = obj; obj->nxt = queue->start; obj->prv->nxt = obj; } else { queue->start = obj; obj->nxt = obj; obj->prv = obj; } queue->end = obj; queue->count++; #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif obj->queue = queue; if (ArgusSourceTask->ArgusReadingOffLine) obj->qtime = ArgusModel->ArgusGlobalTime; else gettimeofday(&obj->qtime, 0L); retn = 1; } else ArgusLog (LOG_ERR, "ArgusAddToQueue (%p, %p) obj in queue %p\n", queue, obj, obj->queue); } else ArgusLog (LOG_ERR, "ArgusAddToQueue (%p, %p) parameter error\n", queue, obj); #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusAddToQueue (%p, %p) returning %d\n", queue, obj, retn); #endif return (retn); } struct ArgusQueueHeader * ArgusPopQueue (struct ArgusQueueStruct *queue, int type) { struct ArgusQueueHeader *retn = NULL; struct ArgusQueueHeader *obj = NULL; if (queue && queue->count) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((obj = (struct ArgusQueueHeader *) queue->start) != NULL) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif if (obj != NULL) { obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPopQueue (%p) returning %p\n", queue, retn); #endif return(retn); } struct ArgusQueueHeader * ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type) { struct ArgusQueueHeader *retn = NULL; struct ArgusQueueHeader *obj = NULL; if (queue && queue->count) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((obj = (struct ArgusQueueHeader *) queue->end) != NULL) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif if (obj != NULL) { obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPopBackQueue (%p) returning %p\n", queue, retn); #endif return(retn); } struct ArgusQueueHeader * ArgusRemoveFromQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { struct ArgusQueueHeader *retn = NULL; if ((queue != NULL) && (obj != NULL)) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if (obj->queue == queue) { if (queue->count) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusRemoveFromQueue (%p, %p) returning %p\n", queue, obj, obj); #endif return (retn); } #include #include void ArgusProcessQueue(struct ArgusModelerStruct *model, struct ArgusQueueStruct *queue, int status) { struct ArgusFlowStruct *obj = NULL; switch (status) { case ARGUS_STOP: case ARGUS_SHUTDOWN: #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusProcessQueue (%p, %d) Shuting Down with %d records\n", queue, status, queue->count); #endif while (queue->count) { if ((obj = (struct ArgusFlowStruct *) ArgusPopBackQueue(queue, ARGUS_LOCK)) != NULL) { if (!(obj->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord(model, obj, status); ArgusDeleteObject (obj); } } break; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessQueue (%p, %d) returning\n", queue, status); #endif } int ArgusCheckTimeout(struct ArgusModelerStruct *model, struct timeval *ts, struct timeval *timeout) { long long diff = 0, tdiff = 0; int retn; if (timeout->tv_sec < 0) // if timeout is set to less that zero, then we never timeout. retn = 0; else { if ((timeout->tv_sec > 0) || (timeout->tv_usec > 0)) { diff = ArgusTimeDiff (&model->ArgusGlobalTime, ts); tdiff = (timeout->tv_sec * 1000000LL + timeout->tv_usec); if (diff >= tdiff) retn = 1; else retn = 0; } else retn = 1; } #ifdef ARGUSDEBUG ArgusDebug (11, "ArgusCheckTimeout (%p, %d.%06d, %d.%06d) diff %f returning %d\n", model, ts->tv_sec, ts->tv_usec, timeout->tv_sec, timeout->tv_usec, (diff / 1000000.0), retn); #endif return (retn); } void ArgusDeleteObject(struct ArgusFlowStruct *obj) { if (obj) { struct ArgusHashTableHeader *htblhdr; struct ArgusNetworkStruct *net = NULL; struct ArgusQueueStruct *queue; if ((queue = obj->qhdr.queue) != NULL) { if (ArgusRemoveFromQueue (queue, &obj->qhdr, ARGUS_LOCK)) { obj->qhdr.queue = NULL; } else ArgusLog (LOG_ERR, "ArgusDeleteObject: race condition on queue %p\n", queue); } if ((htblhdr = obj->htblhdr) != NULL) { ArgusRemoveHashEntry(htblhdr); obj->htblhdr = NULL; } if ((net = (struct ArgusNetworkStruct *) obj->dsrs[ARGUS_FRAG_INDEX]) != NULL) { if (net->hdr.subtype == ARGUS_NETWORK_SUBTYPE_FRAG) { struct ArgusFragObject *frag = &net->net_union.frag; struct ArgusFragOffsetStruct *fragOffset = frag->offsets.nxt; while ((fragOffset = frag->offsets.nxt) != NULL) { frag->offsets.nxt = fragOffset->nxt; free(fragOffset); } net->hdr.type = 0; } } if (obj->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(obj->dsrs[ARGUS_SRCUSERDATA_INDEX]); obj->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; } if (obj->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(obj->dsrs[ARGUS_DSTUSERDATA_INDEX]); obj->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; } if (obj->frag.start != NULL) { struct ArgusFlowStruct *frag; while ((frag = (void *) ArgusPopQueue(&obj->frag, ARGUS_LOCK))) { ArgusSendFlowRecord(ArgusModel, frag, ARGUS_TIMEOUT); ArgusDeleteObject(frag); } } ArgusFree(obj); ArgusModel->ArgusTotalClosedFlows++; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteObject (%p) returning\n", obj); #endif } int ArgusUpdateTime (struct ArgusModelerStruct *model) { long long ival = model->ival; long long diff; int retn = 0; if (model->ArgusUpdateTimer.tv_sec == 0) model->ArgusUpdateTimer = model->ArgusGlobalTime; diff = ArgusTimeDiff(&model->ArgusGlobalTime, &model->ArgusUpdateTimer); if (diff >= 0) { retn = 1; if (diff > ival) model->ArgusUpdateTimer = model->ArgusGlobalTime; model->ArgusUpdateTimer.tv_sec += model->ArgusUpdateInterval.tv_sec; model->ArgusUpdateTimer.tv_usec += model->ArgusUpdateInterval.tv_usec; while (model->ArgusUpdateTimer.tv_usec >= 1000000) { model->ArgusUpdateTimer.tv_sec++; model->ArgusUpdateTimer.tv_usec -= 1000000; } } else { if (ArgusSourceTask != NULL) { if (!(ArgusSourceTask->ArgusReadingOffLine)) { if (llabs(diff) > (ival * 2)) { // something is wrong, so try to figure out if ArgusGlobalTime needs to be adjusted. // Must be kernel time bug, so try to reset the ArgusUpdateTimer, and declare // that the timer has popped. Redefine global timer if needed. unsigned long long tdiff; struct timeval now; retn = 1; gettimeofday(&now, 0L); tdiff = ArgusAbsTimeDiff(&now, &model->ArgusGlobalTime); if (tdiff > (ival * 2)) model->ArgusGlobalTime = now; model->ArgusUpdateTimer = model->ArgusGlobalTime; model->ArgusUpdateTimer.tv_sec += model->ArgusUpdateInterval.tv_sec; model->ArgusUpdateTimer.tv_usec += model->ArgusUpdateInterval.tv_usec; while (model->ArgusUpdateTimer.tv_usec >= 1000000) { model->ArgusUpdateTimer.tv_sec++; model->ArgusUpdateTimer.tv_usec -= 1000000; } } } } } #ifdef ARGUSDEBUG if (retn) { ArgusDebug (8, "ArgusUpdateTime (%p) global time %d.%06d update %d.%06d returning %d\n", model, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec, model->ArgusUpdateTimer.tv_sec, model->ArgusUpdateTimer.tv_usec, retn); } else ArgusDebug (8, "ArgusUpdateTime (%p) not time\n", model); #endif return (retn); } struct ArgusHashStats { int n, max; }; struct ArgusHashTable *ArgusNewHashTable (size_t, int); struct ArgusHashStats *ArgusHashTableStats = NULL; int ArgusHashTableMax = 0; void ArgusEmptyHashTable (struct ArgusHashTable *); void ArgusDeleteHashTable (struct ArgusHashTable *); struct ArgusHashTable * ArgusNewHashTable (size_t size, int status) { struct ArgusHashTable *retn = NULL; if ((retn = (struct ArgusHashTable *) ArgusCalloc (1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusNewHashTable: ArgusCalloc(1, %d) error %s\n", size, strerror(errno)); if ((retn->array = (struct ArgusHashTableHeader **) ArgusCalloc (size, sizeof (struct ArgusHashTableHeader *))) == NULL) ArgusLog (LOG_ERR, "RaMergeQueue: ArgusCalloc error %s\n", strerror(errno)); retn->size = size; #if defined(ARGUS_HASH_DEBUG) if ((retn->status = status) == ARGUSHASHTABLETRACK) { if (ArgusHashTableStats == NULL) { if ((ArgusHashTableStats = (struct ArgusHashStats *) ArgusCalloc (size, sizeof(struct ArgusHashStats))) == NULL) ArgusLog (LOG_ERR, "ArgusHashTableStats: ArgusCalloc(%d, %d) error %s\n", size, sizeof(struct ArgusStatsObject), strerror(errno)); } } #endif #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewHashTable (%d) returning %p\n", size, retn); #endif return (retn); } void ArgusDeleteHashTable (struct ArgusHashTable *htbl) { if (htbl != NULL) { ArgusEmptyHashTable (htbl); if (htbl->array != NULL) ArgusFree(htbl->array); ArgusFree(htbl); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteHashTable (%p)\n", htbl); #endif } void ArgusEmptyHashTable (struct ArgusHashTable *htbl) { struct ArgusHashTableHeader *htblhdr = NULL, *tmp; int i, count = 0, bins = 0; #if defined(ARGUS_THREADS) pthread_mutex_lock(&htbl->lock); #endif for (i = 0; i < htbl->size; i++) { if ((htblhdr = htbl->array[i]) != NULL) { htblhdr->prv->nxt = NULL; while ((tmp = htblhdr) != NULL) { htblhdr = htblhdr->nxt; ArgusFree (tmp); htbl->items--; count++; } htbl->array[i] = NULL; htbl->bins--; bins++; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&htbl->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusEmptyHashTable (%p) cleared %d bins %d items\n", htbl, bins, count); #endif } int ArgusCreateFlowKey (struct ArgusModelerStruct *model, struct ArgusSystemFlow *flow, struct ArgusHashStruct *hstruct) { unsigned int *ptr = (unsigned int *)&flow->flow_un; unsigned int *key = (unsigned int *) hstruct->key; int retn = 0, i, len = flow->hdr.argus_dsrvl8.len - 1; memset (hstruct, 0, sizeof(*hstruct)); if (len > 0) { for (i = 0; i < len; i++) *key++ = *ptr++; hstruct->len = len; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_VLAN) { *key++ = model->ArgusThisPacket8021QEncaps & 0x0FFF; hstruct->len++; } if (model->ArgusFlowKey & (ARGUS_FLOW_KEY_LOCAL_MPLS | ARGUS_FLOW_KEY_COMPLETE_MPLS)) { *key++ = model->ArgusThisMplsLabel; hstruct->len++; } if (model->ArgusFlowKey & (ARGUS_FLOW_KEY_LAYER_2 | ARGUS_FLOW_KEY_LAYER_2_MATRIX)) { struct ether_header *ep = model->ArgusThisEpHdr; if (ep) { int klen = (sizeof(*ep) + (sizeof(*key) - 1)) / sizeof(*key); if (model->state & ARGUS_DIRECTION) { #ifndef ETH_ALEN #define ETH_ALEN 6 #endif char *kptr = (char *) key; bcopy ((char *)&ep->ether_shost, kptr, ETH_ALEN); kptr += ETH_ALEN; bcopy ((char *)&ep->ether_dhost, kptr, ETH_ALEN); kptr += ETH_ALEN; bcopy ((char *)&ep->ether_type, kptr, sizeof(ep->ether_type)); } else bcopy (ep, key, sizeof(*ep)); key += klen; hstruct->len += klen; } } ptr = hstruct->key; for (i = 0; i < hstruct->len; i++) hstruct->hash ^= *ptr++; hstruct->hash ^= hstruct->hash >> 16; hstruct->hash ^= hstruct->hash >> 8; } return (retn); } struct ArgusFlowStruct * ArgusFindFlow (struct ArgusModelerStruct *model, struct ArgusHashStruct *hstruct) { struct ArgusFlowStruct *retn = NULL; struct ArgusHashTableHeader *hashEntry = NULL, *target, *head; struct ArgusHashTable *table = model->ArgusHashTable; if (table && hstruct) { unsigned int hash = hstruct->hash; unsigned int ind = (hash % (table->size - 1)), i; if ((target = table->array[ind]) != NULL) { unsigned int *ptr3 = hstruct->key; int len = hstruct->len; head = target; do { if ((target->hstruct.hash == hash) && (target->hstruct.len == hstruct->len)) { unsigned int *ptr1 = target->hstruct.key; unsigned int *ptr2 = ptr3; if (len > 0) { for (i = 0; i < len; i++) if (*ptr1++ != *ptr2++) break; if (i == len) { hashEntry = target; break; } } else hashEntry = target; } target = target->nxt; } while (target && (target != head) && (hashEntry == NULL)); if (hashEntry != NULL) { if (hashEntry != head) table->array[ind] = hashEntry; retn = hashEntry->object; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusFindFlow () returning %p\n", retn); #endif return (retn); } #define ARGUS_HASH_DEBUG 1 struct ArgusHashTableHeader * ArgusAddHashEntry (struct ArgusHashTable *table, struct ArgusFlowStruct *flow, struct ArgusHashStruct *hstruct) { struct ArgusHashTableHeader *retn = NULL, *start = NULL; if (table != NULL) { unsigned int hash = hstruct->hash; int ind; retn = &flow->htblbuf; memcpy(&retn->hstruct, hstruct, sizeof(*hstruct)); retn->object = flow; ind = (hash % (table->size - 1)); if ((start = table->array[ind]) != NULL) { retn->nxt = start; retn->prv = start->prv; retn->prv->nxt = retn; retn->nxt->prv = retn; } else { retn->prv = retn; retn->nxt = retn; table->bins++; } table->items++; table->array[ind] = retn; retn->htbl = table; #if defined(ARGUS_HASH_DEBUG) if (table->status & ARGUSHASHTABLETRACK) { ArgusHashTableStats[ind].n++; if (ArgusHashTableStats[ind].max < ArgusHashTableStats[ind].n) ArgusHashTableStats[ind].max = ArgusHashTableStats[ind].n; if (ArgusHashTableMax < ArgusHashTableStats[ind].n) ArgusHashTableMax = ArgusHashTableStats[ind].n; } #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusAddHashEntry (%p) returning %p\n", flow, retn); #endif return (retn); } void ArgusRemoveHashEntry (struct ArgusHashTableHeader *htblhdr) { if (htblhdr != NULL) { unsigned int hash = htblhdr->hstruct.hash; struct ArgusHashTable *table = htblhdr->htbl; if (table != NULL) { int ind = (hash % (table->size - 1)); htblhdr->prv->nxt = htblhdr->nxt; htblhdr->nxt->prv = htblhdr->prv; if (htblhdr == table->array[ind]) { if (htblhdr == htblhdr->nxt) { table->array[ind] = NULL; table->bins--; } else table->array[ind] = htblhdr->nxt; } table->items--; #if defined(ARGUS_HASH_DEBUG) if (table->status & ARGUSHASHTABLETRACK) ArgusHashTableStats[ind].n--; #endif } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusRemoveHashEntry (%p) returning\n", htblhdr); #endif } void ArgusZeroRecord (struct ArgusFlowStruct *); void ArgusZeroRecord (struct ArgusFlowStruct *flow) { int i; flow->status &= ~ARGUS_RECORD_WRITTEN; flow->status &= ~0xF0; for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrs[i] != NULL) { switch (i) { default: flow->dsrs[i] = NULL; break; case ARGUS_FLOW_INDEX: { struct ArgusFlow *tflow = (struct ArgusFlow *)flow->dsrs[i]; tflow->hdr.argus_dsrvl8.qual &= ~ARGUS_FRAGMENT; break; } case ARGUS_TRANSPORT_INDEX: case ARGUS_MAC_INDEX: break; case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jit = (void *)flow->dsrs[i]; bzero ((char *)&jit->act, sizeof(struct ArgusJitterObject)); bzero ((char *)&jit->idle, sizeof(struct ArgusJitterObject)); jit->act.src.minval = -1.0; jit->idle.src.minval = -1.0; jit->act.dst.minval = -1.0; jit->idle.dst.minval = -1.0; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = (void *)flow->dsrs[i]; attr->hdr.argus_dsrvl8.qual &= ~(ARGUS_IPATTR_SRC_FRAGMENTS | ARGUS_IPATTR_DST_FRAGMENTS); attr->src.status = 0; attr->src.options = 0; attr->dst.status = 0; attr->dst.options = 0; break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *tim = (void *)flow->dsrs[i]; bzero(&tim->src, sizeof(*tim) - 4); break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = (void *) flow->dsrs[i]; bzero((&metric->hdr + 1), sizeof(*metric) - 4); break; } case ARGUS_NETWORK_INDEX: { struct ArgusNetworkStruct *net = NULL; if ((net = (struct ArgusNetworkStruct *) flow->dsrs[ARGUS_NETWORK_INDEX]) != NULL) { switch (net->hdr.type) { case ARGUS_NETWORK_DSR: { switch (net->hdr.subtype) { case ARGUS_NETWORK_SUBTYPE_FRAG: { struct ArgusFragObject *frag = &net->net_union.frag; struct ArgusFragOffsetStruct *fragOffset = frag->offsets.nxt; while ((fragOffset = frag->offsets.nxt) != NULL) { frag->offsets.nxt = fragOffset->nxt; free(fragOffset); } bzero((char *)frag, sizeof(struct ArgusFragObject)); break; } case ARGUS_TCP_INIT: case ARGUS_TCP_STATUS: case ARGUS_TCP_PERF: { struct ArgusTCPObject *tcp = &net->net_union.tcp; tcp->src.status &= ~(ARGUS_RESET|ARGUS_PKTS_RETRANS|ARGUS_WINDOW_SHUT|ARGUS_OUTOFORDER|ARGUS_ECN_CONGESTED); tcp->dst.status &= ~(ARGUS_RESET|ARGUS_PKTS_RETRANS|ARGUS_WINDOW_SHUT|ARGUS_OUTOFORDER|ARGUS_ECN_CONGESTED); tcp->src.retrans = 0; tcp->dst.retrans = 0; tcp->src.flags = 0; tcp->dst.flags = 0; tcp->src.bytes = 0; tcp->dst.bytes = 0; tcp->src.winbytes = 0; tcp->dst.winbytes = 0; tcp->src.ackbytes = 0; tcp->dst.ackbytes = 0; tcp->src.seqbase = tcp->src.seq; tcp->dst.seqbase = tcp->dst.seq; break; } case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtp = &net->net_union.rtp; rtp->sdrop = 0; rtp->ddrop = 0; break; } case ARGUS_ESP_DSR: { struct ArgusESPObject *esp = &net->net_union.esp; esp->status = 0; esp->lostseq = 0; break; } } break; } } net->hdr.argus_dsrvl8.qual = 0; } break; } case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *user = (struct ArgusDataStruct *) flow->dsrs[i]; user->count = 0; memset (user->array, 0, user->size); break; } } } } memset(&flow->stime.act, 0, sizeof(flow->stime.act)); memset(&flow->stime.idle, 0, sizeof(flow->stime.idle)); memset(&flow->dtime.act, 0, sizeof(flow->dtime.act)); memset(&flow->dtime.idle, 0, sizeof(flow->dtime.idle)); flow->stime.act.minval = 0xffffffff; flow->stime.idle.minval = 0xffffffff; flow->dtime.act.minval = 0xffffffff; flow->dtime.idle.minval = 0xffffffff; flow->sipid = 0; flow->dipid = 0; flow->skey.n_strokes = 0; #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusZeroRecord (%p) returning\n", flow); #endif } /* struct ArgusSocketStruct { struct ArgusListStruct *ArgusSocketList; int fd, status, cnt, expectedSize, errornum; int ArgusLastRecord, ArgusReadState; struct timeval lastwrite; struct ArgusRecordStruct *rec; int length, writen; struct sockaddr sock; char *filename; void *obj; unsigned char *ptr, buf[ARGUS_MAXRECORD]; }; */ struct ArgusSocketStruct * ArgusNewSocket (int fd) { struct ArgusSocketStruct *retn = NULL; int flags; if ((retn = ((struct ArgusSocketStruct *) ArgusCalloc (1, sizeof (struct ArgusSocketStruct)))) != NULL) { if ((retn->ArgusSocketList = ArgusNewList()) != NULL) { retn->fd = fd; flags = fcntl (fd, F_GETFL, 0); flags |= O_NONBLOCK; fcntl (fd, F_SETFL, flags); } else ArgusLog(LOG_ERR, "ArgusNewSocket: ArgusNewList failed %s", strerror(errno)); } else ArgusLog(LOG_ERR, "ArgusNewSocket: ArgusCalloc failed %s", strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusNewSocket (%d) returning %p\n", fd, retn); #endif return (retn); } void ArgusDeleteSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client) { struct ArgusSocketStruct *asock = client->sock; if (asock != NULL) { struct ArgusListStruct *list = asock->ArgusSocketList; while (!(ArgusListEmpty (list))) if (ArgusWriteOutSocket(output, client) < 0) break; #ifdef ARGUSDEBUG if (!(ArgusListEmpty (list))) ArgusDebug(2, "ArgusDeleteSocket: list not empty"); #endif ArgusDeleteList(asock->ArgusSocketList, ARGUS_OUTPUT_LIST); close(asock->fd); asock->fd = -1; if (asock->filename) { free(asock->filename); asock->filename = NULL; } ArgusFree (asock); client->sock = NULL; client->fd = -1; } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusDeleteSocket (%p) returning\n", asock); #endif } void ArgusSetChroot(char *dir) { if (chdir(dir) < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chdir to \"%s\": %s", dir, strerror(errno)); if (chroot(dir) < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chroot to \"%s\": %s", dir, strerror(errno)); if (chdir("/") < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chdir to \"/\" after chroot: %s", dir, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSetChroot (%s) returning\n", dir); #endif } #include #include #define ARGUS_MAXERROR 200000 #define ARGUS_MAXWRITENUM 10000 int ArgusMaxListLength = 100000; int ArgusCloseFile = 0; extern struct ArgusRecord *ArgusGenerateInitialMar (struct ArgusOutputStruct *); int ArgusWriteSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client, struct ArgusRecordStruct *rec) { struct ArgusSocketStruct *asock = client->sock; struct ArgusListStruct *list = asock->ArgusSocketList; struct stat statbuf; int retn = 0, ocnt; #if defined(HAVE_SOLARIS) struct statvfs statfsbuf; #else struct statfs statfsbuf; #endif if (ArgusListEmpty (list) && (asock->rec == NULL)) { #ifdef ARGUSDEBUG if (asock->writen || asock->length) ArgusDebug (6, "ArgusWriteSocket: asock stats error %d %d\n", asock->writen, asock->length); #endif if (client->host == NULL) { if (!(output->ArgusWriteStdOut) && (asock->filename)) { if (asock->lastwrite.tv_sec < output->ArgusModel->ArgusGlobalTime.tv_sec) { if (((stat (asock->filename, &statbuf)) < 0) || (ArgusCloseFile)) { if (asock->fd != -1) close(asock->fd); if ((asock->fd = open (asock->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusWriteSocket: open(%s, flags, 0x1a4) failed %s\n", asock->filename, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusWriteSocket: created outfile %s\n", asock->filename); #endif } #if defined(HAVE_SOLARIS) retn = statvfs (asock->filename, &statfsbuf); #else retn = statfs (asock->filename, &statfsbuf); #endif if (retn == 0) { if (statfsbuf.f_bfree > 100) { if ((stat (asock->filename, &statbuf)) == 0) { if (statbuf.st_size == 0) { if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); output->ArgusInitMar = ArgusGenerateInitialMar(output); ocnt = ntohs(output->ArgusInitMar->hdr.len) * 4; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write initial mar (%d, %p, %d)\n", asock->fd, output->ArgusInitMar, ocnt); #endif if (((retn = write (asock->fd, output->ArgusInitMar, ocnt))) < ocnt) ArgusLog (LOG_ERR, "ArgusWriteSocket: write %s failed %s\n", asock->filename, strerror(errno)); ArgusFree(output->ArgusInitMar); output->ArgusInitMar = NULL; } } } else { close(asock->fd); asock->fd = -1; } } asock->lastwrite = output->ArgusModel->ArgusGlobalTime; } } } if (asock->fd != -1) { if (ArgusGenerateRecord (output->ArgusModel, rec, 0, (struct ArgusRecord *)&asock->buf)) { int cnt = ((struct ArgusRecord *)&asock->buf)->hdr.len * 4; #if defined(_LITTLE_ENDIAN) ArgusHtoN((struct ArgusRecord *)&asock->buf); #endif #ifdef ARGUS_SASL if (client->sasl_conn) { unsigned int outputlen = 0; const char *output = NULL; const int *ssfp; int result; if ((result = sasl_getprop(client->sasl_conn, SASL_SSF, (const void **) &ssfp)) != SASL_OK) ArgusLog (LOG_ERR, "sasl_getprop: error %s\n", sasl_errdetail(client->sasl_conn)); if (ssfp && (*ssfp > 0)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusHandleClientData: sasl_encode(%p, %p, %d, %p, %p)\n", client->sasl_conn, rec, cnt, &output, &outputlen); #endif if ((retn = sasl_encode(client->sasl_conn, (const char *) asock->buf, (unsigned int) cnt, &output, &outputlen)) == SASL_OK) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusHandleClientData: sasl_encode returned %d bytes\n", outputlen); #endif if (outputlen < ARGUS_MAXRECORD) { bcopy(output, asock->buf, outputlen); cnt = outputlen; } else ArgusLog (LOG_ERR, "sasl_encode: returned too many bytes %d\n", outputlen); } else ArgusLog (LOG_ERR, "sasl_encode: failed returned %d\n", retn); } } #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusWriteSocket: write record (%d, %p, %d)\n", asock->fd, &asock->buf, cnt); #endif if (client->host != NULL) { retn = sendto (asock->fd, &asock->buf, cnt, 0, client->host->ai_addr, client->host->ai_addrlen); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: sendto (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, cnt, retn); #endif } else { retn = write (asock->fd, &asock->buf, cnt); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, cnt, retn); #endif } if (retn >= 0) { asock->status |= ARGUS_WAS_FUNCTIONAL; asock->errornum = 0; if (retn != cnt) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write returned %d, scheduled record\n", retn); #endif asock->writen = retn; asock->length = cnt; asock->rec = ArgusCopyRecordStruct(rec); } else { asock->writen = 0; asock->length = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write successful %d\n", retn); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write returned %d, errno %d\n", retn, errno); #endif asock->writen = 0; asock->length = cnt; asock->rec = ArgusCopyRecordStruct(rec); switch (errno) { case ENOSPC: if (asock->filename != NULL) { close(asock->fd); asock->fd = -1; asock->rec = NULL; asock->writen = 0; asock->length = 0; ArgusFreeListRecord(rec); while ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) ArgusFreeListRecord(rec); } break; case EAGAIN: case EINTR: retn = 0; break; case EPIPE: { if (!(asock->status & ARGUS_WAS_FUNCTIONAL)) { retn = 0; } break; } default: break; } } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: ArgusGenerateRecord returned zero\n"); #endif } } } else { if (list->count >= ArgusMaxListLength) { if (ArgusWriteOutSocket(output, client) < 0) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&list->lock); #endif if (list->count >= ArgusMaxListLength) { struct ArgusRecordStruct *trec; int i; #define ARGUS_MAX_TOSS_RECORD 64 ArgusLog (LOG_WARNING, "ArgusWriteSocket: ArgusWriteOutSocket tossing records\n"); for (i = 0; i < ARGUS_MAX_TOSS_RECORD; i++) if ((trec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) ArgusFreeListRecord(trec); } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&list->lock); #endif } } if (asock->rec == NULL) asock->rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_LOCK); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket (%p, %p, %p) schedule record\n", output, asock, rec); #endif ArgusPushBackList (list, (struct ArgusListRecord *) ArgusCopyRecordStruct(rec), ARGUS_LOCK); retn = 0; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket (%p, %p, %p) returning %d\n", output, asock, rec, retn); #endif return (retn); } #define ARGUS_LISTREPORTLEN 50000 #define ARGUS_LISTREPORTTIME 30 int ArgusWriteOutSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client) { struct ArgusSocketStruct *asock = client->sock; struct ArgusListStruct *list = NULL; struct ArgusRecordStruct *rec = NULL; int retn = 0, count = 1, len, ocnt; struct stat statbuf; unsigned char *ptr; if ((list = asock->ArgusSocketList) != NULL) { if ((count = ArgusGetListCount(list)) > 0) { if (count > ARGUS_MAXWRITENUM) count = ARGUS_MAXWRITENUM; if (count == 1) count = 2; #if defined(ARGUS_THREADS) pthread_mutex_lock(&list->lock); #endif while ((asock->fd != -1 ) && count--) { if ((rec = asock->rec) != NULL) { ptr = (unsigned char *)&asock->buf; if (!(asock->writen)) { if (!(output->ArgusWriteStdOut) && (asock->filename)) { if (asock->lastwrite.tv_sec < output->ArgusModel->ArgusGlobalTime.tv_sec) { if (((stat (asock->filename, &statbuf)) < 0) || (ArgusCloseFile)) { close(asock->fd); if ((asock->fd = open (asock->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusWriteSocket: open(%s, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4) failed %s\n", asock->filename, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusWriteOutSocket: created outfile %s\n", asock->filename); #endif } if ((stat (asock->filename, &statbuf)) == 0) { if (statbuf.st_size == 0) { if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); output->ArgusInitMar = ArgusGenerateInitialMar(output); ocnt = sizeof(struct ArgusRecord); if (((retn = write (asock->fd, output->ArgusInitMar, ocnt))) < ocnt) ArgusLog (LOG_ERR, "ArgusWriteSocket: write %s failed %s\n", asock->filename, strerror(errno)); ArgusFree(output->ArgusInitMar); output->ArgusInitMar = NULL; } } asock->lastwrite = output->ArgusModel->ArgusGlobalTime; } } } if ((asock->writen < asock->length) && ( asock->writen >= 0)) { len = asock->length - asock->writen; if (client->host != NULL) { retn = sendto (asock->fd, (unsigned char *)&ptr[asock->writen], len, 0, client->host->ai_addr, client->host->ai_addrlen); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteSocket: sendto (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, len, retn); #endif } else { retn = write(asock->fd, (unsigned char *)&ptr[asock->writen], len); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteSocket: write (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, len, retn); #endif } if (retn >= 0) { asock->errornum = 0; asock->writen += retn; } else { switch (errno) { case ENOSPC: { if (asock->filename != NULL) { close(asock->fd); asock->fd = -1; asock->rec = NULL; asock->writen = 0; asock->length = 0; ArgusFreeListRecord(rec); while ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) ArgusFreeListRecord(rec); } break; } case EAGAIN: case EINTR: { if (!(output->ArgusWriteStdOut) && (asock->filename == NULL)) { if (asock->errornum++ < ARGUS_MAXERROR) { retn = 0; } else { } } else { retn = 0; } break; } case EPIPE: break; default: if (asock->errornum++ == 0) ArgusLog (LOG_WARNING, "ArgusWriteOutSocket: write() %s\n", strerror(errno)); break; } } } if (asock->writen >= asock->length) { gettimeofday(&list->outputTime, 0L); ArgusFreeListRecord(rec); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: rec %p complete, %d count\n", rec, count); #endif asock->rec = NULL; asock->writen = 0; asock->length = 0; if ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) { if (ArgusGenerateRecord (output->ArgusModel, rec, 0, (struct ArgusRecord *)&asock->buf)) { int cnt = ((struct ArgusRecord *)&asock->buf)->hdr.len * 4; #if defined(_LITTLE_ENDIAN) ArgusHtoN((struct ArgusRecord *)&asock->buf); #endif #ifdef ARGUS_SASL if (client->sasl_conn) { unsigned int outputlen = 0; const char *output = NULL; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusHandleClientData: sasl_encode(%p, %p, %d, %p, %p)\n", client->sasl_conn, rec, cnt, &output, &outputlen); #endif if ((retn = sasl_encode(client->sasl_conn, (const char *) asock->buf, (unsigned int) cnt, &output, &outputlen)) == SASL_OK) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteOutSocket: sasl_encode returned %d bytes\n", outputlen); #endif if (outputlen < ARGUS_MAXRECORD) { bcopy(output, asock->buf, outputlen); cnt = outputlen; } else ArgusLog (LOG_ERR, "sasl_encode: returned too many bytes %d\n", outputlen); } else ArgusLog (LOG_ERR, "sasl_encode: failed returned %d\n", retn); } #endif asock->writen = 0; asock->length = cnt; asock->rec = rec; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: posted record %p", rec); #endif } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: ArgusGenerateRecord error! deleting record"); #endif ArgusFreeListRecord(rec); } } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteOutSocket: list %p is now empty", list); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: still work to be done for %p, len %d writen %d", rec, asock->length, asock->writen); #endif break; } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: nothing to be done for %p, len %d writen %d", rec, asock->length, asock->writen); #endif } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&list->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusWriteOutSocket(%p): queue empty\n", asock); #endif if (asock->errornum >= ARGUS_MAXERROR) { ArgusLog (LOG_WARNING, "ArgusWriteOutSocket(%p) maximum errors exceeded %d\n", asock, asock->errornum); retn = -1; } if ((count = ArgusGetListCount(list)) > ArgusMaxListLength) { ArgusLog (LOG_WARNING, "ArgusWriteOutSocket(%p) max queue exceeded %d\n", asock, count); retn = -1; } #ifdef ARGUSDEBUG if (list) { ArgusDebug (6, "ArgusWriteOutSocket (%p) %d records waiting. returning %d\n", asock, count, retn); } else { ArgusDebug (6, "ArgusWriteOutSocket (%p) no list. returning %d\n", asock, count, retn); } #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket (%p, %p) no list returning %d\n", output, client, retn); #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket (%p, %p) returning %d\n", output, client, retn); #endif return retn; } #if !defined(ArgusAddrtoName) #define ArgusAddrtoName #endif #include #include #include #include #ifdef ETHER_SERVICE struct ether_addr; #ifdef HAVE_ETHER_HOSTTON /* * XXX - do we need any of this if doesn't declare * ether_hostton()? */ #ifdef HAVE_NETINET_IF_ETHER_H struct mbuf; /* Squelch compiler warnings on some platforms for */ struct rtentry; /* declarations in */ #include /* for "struct ifnet" in "struct arpcom" on Solaris */ #include #endif /* HAVE_NETINET_IF_ETHER_H */ #ifdef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON #include #endif /* NETINET_ETHER_H_DECLARES_ETHER_HOSTTON */ #endif /* HAVE_ETHER_HOSTTON */ #endif /* * hash tables for whatever-to-name translations #define HASHNAMESIZE 4096 struct h6namemem { struct in6_addr addr; char *name; struct h6namemem *nxt; }; struct hnamemem { u_int addr; char *name; struct hnamemem *nxt; }; struct h6namemem h6nametable[HASHNAMESIZE]; struct hnamemem hnametable[HASHNAMESIZE]; struct hnamemem tporttable[HASHNAMESIZE]; struct hnamemem uporttable[HASHNAMESIZE]; struct hnamemem eprototable[HASHNAMESIZE]; struct hnamemem nnametable[HASHNAMESIZE]; struct hnamemem llcsaptable[HASHNAMESIZE]; struct enamemem { u_short e_addr0; u_short e_addr1; u_short e_addr2; char *e_name; u_char *e_nsap; struct enamemem *e_nxt; }; struct enamemem enametable[HASHNAMESIZE]; struct enamemem nsaptable[HASHNAMESIZE]; struct protoidmem { u_int p_oui; arg_uint16 p_proto; char *p_name; struct protoidmem *p_nxt; }; struct protoidmem protoidtable[HASHNAMESIZE]; */ /* * A faster replacement for inet_ntoa(). */ char * intoa(u_int addr) { char *cp; u_int byte; int n; static char buf[sizeof(".xxx.xxx.xxx.xxx")]; /* addr = htonl(addr); */ cp = &buf[sizeof buf]; *--cp = '\0'; n = 4; do { byte = addr & 0xff; *--cp = byte % 10 + '0'; byte /= 10; if (byte > 0) { *--cp = byte % 10 + '0'; byte /= 10; if (byte > 0) *--cp = byte + '0'; } *--cp = '.'; addr >>= 8; } while (--n > 0); return cp + 1; } /* * Return a name for the IP address pointed to by ap. This address * is assumed to be in network byte order. */ char * ArgusGetName(struct ArgusParserStruct *parser, u_char *ap) { static struct hnamemem *p; /* static for longjmp() */ u_int addr; #if !defined(TCPDUMP_ALIGN) addr = *(const u_int *)ap; #else /* * Deal with alignment. */ switch ((int)ap & 3) { case 0: addr = *(u_int *)ap; break; case 2: addr = ((u_int)*(u_short *)ap << 16) | (u_int)*(u_short *)(ap + 2); break; default: addr = ((u_int)ap[3] << 24) | ((u_int)ap[2] << 16) | ((u_int)ap[1] << 8) | (u_int)ap[0]; break; } #endif p = &parser->hnametable[addr % (HASHNAMESIZE-1)]; for (; p->nxt; p = p->nxt) { if (p->addr == addr) if (p->name != NULL) return (p->name); } p->addr = addr; p->nxt = (struct hnamemem *)calloc(1, sizeof (*p)); return (intoa(addr)); } #include #include #if !defined(INET6_ADDRSTRLEN) #define INET6_ADDRSTRLEN 46 #endif #if !defined(AF_INET6) #define AF_INET6 23 #endif char * ArgusGetV6Name(struct ArgusParserStruct *parser, u_char *ap) { struct in6_addr addr; char ntop_buf[INET6_ADDRSTRLEN]; struct h6namemem *p; /* static for longjmp() */ const char *cp; memcpy(&addr, ap, sizeof(addr)); p = &parser->h6nametable[*(u_int16_t *)&addr.s6_addr[14] & (HASHNAMESIZE-1)]; for (; p->nxt; p = p->nxt) { if (memcmp(&p->addr, &addr, sizeof(addr)) == 0) return (p->name); } p->addr = addr; p->nxt = (struct h6namemem *)calloc(1, sizeof (*p)); if ((cp = inet_ntop(AF_INET6, (const void *) &addr, ntop_buf, sizeof(ntop_buf))) != NULL) p->name = strdup(cp); return (p->name); } struct timeval * RaMinTime (struct timeval *s1, struct timeval *s2) { struct timeval *retn = s2; if ((s1->tv_sec < s2->tv_sec) || ((s1->tv_sec == s2->tv_sec) && (s1->tv_usec < s2->tv_usec))) retn = s1; return (retn); } struct timeval * RaMaxTime (struct timeval *s1, struct timeval *s2) { struct timeval *retn = s2; if ((s1->tv_sec > s2->tv_sec) || ((s1->tv_sec == s2->tv_sec) && (s1->tv_usec > s2->tv_usec))) retn = s1; return (retn); } float RaDeltaFloatTime (struct timeval *s1, struct timeval *s2) { float retn = 0.0; if (s1 && s2) { double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000.0); retn = v1 - v2; } return (retn); } int RaDiffTime (struct timeval *s1, struct timeval *s2, struct timeval *diff) { int retn = 0; if (s1 && s2 && diff) { bzero ((char *)diff, sizeof(*diff)); double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000.0); double f, i; v1 -= v2; f = modf(v1, &i); diff->tv_sec = i; diff->tv_usec = f * 1000000; retn = 1; } return (retn); } long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); long long ArgusDiffTime (struct ArgusTime *s1, struct ArgusTime *s2, struct timeval *diff) { long long v1 = 0, v2 = 0; if (s1 && s2 && diff) { v1 = (s1->tv_sec * 1000000LL) + s1->tv_usec; v2 = (s2->tv_sec * 1000000LL) + s2->tv_usec; v1 -= v2; diff->tv_sec = v1 / 1000000; diff->tv_usec = v1 % 1000000; } return (v1); } float RaGetFloatDuration (struct ArgusRecordStruct *argus) { float retn = 0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { struct ArgusRecord *rec = (struct ArgusRecord *) &argus->canon; sec = rec->argus_mar.now.tv_sec - rec->argus_mar.startime.tv_sec; usec = rec->argus_mar.now.tv_usec - rec->argus_mar.startime.tv_usec; } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct timeval *stime = NULL, *ltime = NULL; struct timeval srctime, dsttime; unsigned int subtype = dtime->hdr.subtype & (ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END); if (subtype) { switch (subtype) { case ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->dst.start.tv_sec; dsttime.tv_usec = dtime->dst.start.tv_usec; stime = RaMinTime(&srctime, &dsttime); srctime.tv_sec = dtime->src.end.tv_sec; srctime.tv_usec = dtime->src.end.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; ltime = RaMaxTime(&srctime, &dsttime); break; } case ARGUS_TIME_SRC_START: case ARGUS_TIME_SRC_START | ARGUS_TIME_SRC_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->src.end.tv_sec; dsttime.tv_usec = dtime->src.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } case ARGUS_TIME_DST_START: case ARGUS_TIME_DST_START | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->dst.start.tv_sec; srctime.tv_usec = dtime->dst.start.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } case ARGUS_TIME_SRC_START | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } default: break; } } else { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->src.end.tv_sec; dsttime.tv_usec = dtime->src.end.tv_usec; stime = &srctime; ltime = &dsttime; } if (stime && ltime) { sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; } } retn = (sec * 1.0) + usec/1000000.0; return (retn); } float RaGetFloatSrcDuration (struct ArgusRecordStruct *argus) { float retn = 0.0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct ArgusTime *stime = &dtime->src.start; struct ArgusTime *ltime = &dtime->src.end; sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; retn = (sec * 1.0) + usec/1000000.0; } return (retn); } float RaGetFloatDstDuration (struct ArgusRecordStruct *argus) { float retn = 0.0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct ArgusTime *stime = &dtime->dst.start; struct ArgusTime *ltime = &dtime->dst.end; sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; retn = (sec * 1.0) + usec/1000000.0; } return (retn); } double ArgusFetchDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatDuration(ns); return (retn); } double ArgusFetchSrcDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatSrcDuration(ns); return (retn); } double ArgusFetchDstDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatDstDuration(ns); return (retn); } double ArgusFetchSrcLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; float dur = 0.0; long long cnt1; double retn = 0.0; dur = ArgusFetchSrcDuration(ns); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) { cnt1 = m1->src.pkts; } else { cnt1 = 0; } if (dur > 0.0) retn = (cnt1 * 1.0)/dur; return (retn); } double ArgusFetchDstLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->dst.pkts; if (d1 > 0.0) retn = (cnt1 * 1.0)/d1; return (retn); } double ArgusFetchLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->src.pkts + m1->dst.pkts; if ((cnt1 > 0) && (d1 > 0.0)) retn = (cnt1 * 1.0)/d1; return (retn); } double ArgusFetchLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = (rtp->sdrop + rtp->ddrop) * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = (tcp->src.retrans + tcp->dst.retrans) * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.src.pkts) retn = esp->lostseq * 1.0; } break; } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = (rtp->sdrop + rtp->ddrop) * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = (tcp->src.retrans + tcp->dst.retrans) * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchSrcLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->sdrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = tcp->src.retrans * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.src.pkts) retn = esp->lostseq * 1.0; } break; } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->sdrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = tcp->src.retrans * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchDstLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->ddrop * 1.0; } } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.dst.pkts) retn = tcp->dst.retrans * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.dst.pkts) retn = esp->lostseq * 1.0; } } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->ddrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.dst.pkts) retn = tcp->dst.retrans * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchPercentLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchLoss(ns); pkts = ns->canon.metric.src.pkts + ns->canon.metric.dst.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0 )+ retn); } else retn = 0.0; } return (retn); } double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchSrcLoss(ns); pkts = ns->canon.metric.src.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0) + retn); } else retn = 0.0; } return (retn); } double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchDstLoss(ns); pkts = ns->canon.metric.dst.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0) + retn); } else retn = 0.0; } return (retn); } double ArgusFetchSrcRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1, r1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->src.bytes * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchDstRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; float d1, r1 = 0.0; long long cnt1 = 0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->dst.bytes * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1, r1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = (m1->src.bytes + m1->dst.bytes) * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchAppByteRatio (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; double retn = 0.0; if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) { double nvalue = (m1->src.appbytes - m1->dst.appbytes) * 1.0; double dvalue = (m1->src.appbytes + m1->dst.appbytes) * 1.0; if (dvalue > 0) retn = nvalue / dvalue; else retn = -0.0; } return (retn); } argus-3.0.8.2/argus/ArgusUtil.h000444 000765 000024 00000030071 12513222401 016626 0ustar00carterstaff000000 000000 /* * Argus Software. Argus files - Utilities include files * Copyright (c) 2000-2015 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * Copyright (c) 1993, 1994 Carnegie Mellon University. * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of CMU not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. * */ /* * $Id: //depot/argus/argus/argus/ArgusUtil.h#33 $ * $DateTime: 2015/04/06 10:38:44 $ * $Change: 2973 $ */ /* ArgusUtil.h */ #ifndef ArgusUtil_h #define ArgusUtil_h #if defined(HAVE_STDLIB_H) #include #endif #if defined(HAVE_STRINGS_H) #include #endif #include #include #include #include #include #include #include #define ARGUS_NOLOCK 0 #define ARGUS_LOCK 1 #define ARGUS_RFILE_LIST 1 #define ARGUS_WFILE_LIST 2 #define ARGUS_DEVICE_LIST 3 #define ARGUS_OUTPUT_LIST 4 #define ARGUS_EVENT_LIST 5 #define ARGUS_BIND_ADDR_LIST 6 struct ArgusListObjectStruct { struct ArgusListObjectStruct *nxt; void *obj; }; struct ArgusListRecord { struct ArgusListObjectStruct *nxt; struct ArgusRecordHeader argus; }; struct ArgusListStruct { struct ArgusListObjectStruct *start; struct ArgusListObjectStruct *end; #if defined(ARGUS_THREADS) pthread_mutex_t lock; pthread_cond_t cond; #endif unsigned int count, pushed, popped, loaded; struct timeval outputTime, reportTime; }; #define ARGUS_PROCESS_NEXT_PASS 0x10 /* struct ArgusQueueHeader { struct ArgusQueueHeader *prv, *nxt; struct ArgusQueueStruct *queue; struct timeval lasttime, qtime; unsigned int status; }; struct ArgusQueueStruct { struct ArgusQueueHeader qhdr; int count, turns, timeout, status, reclaim; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif struct ArgusQueueHeader *start, *end; struct ArgusFlowStruct **array; }; */ #include #define ARGUS_READINGPREHDR 1 #define ARGUS_READINGHDR 2 #define ARGUS_READINGBLOCK 4 #define ARGUS_WAS_FUNCTIONAL 0x10 #define ARGUS_SOCKET_COMPLETE 0x20 #define ARGUS_MAXRECORD 0x40000 struct ArgusSocketStruct { struct ArgusListStruct *ArgusSocketList; int fd, status, cnt, expectedSize, errornum; int ArgusLastRecord, ArgusReadState; struct timeval lastwrite; struct ArgusRecordStruct *rec; int length, writen; struct sockaddr sock; char *filename; void *obj; unsigned char *ptr, buf[ARGUS_MAXRECORD]; }; typedef int (*ArgusHandler)(struct ArgusSocketStruct *, unsigned char *, int, void *); #if defined(ArgusUtil) #if defined(_LITTLE_ENDIAN) void ArgusNtoH (struct ArgusRecord *); void ArgusHtoN (struct ArgusRecord *); #endif long long ArgusTimeDiff (struct timeval *, struct timeval *); unsigned long long ArgusAbsTimeDiff (struct timeval *, struct timeval *); struct ArgusListStruct *ArgusNewList(void); void ArgusDeleteList(struct ArgusListStruct *, int); int ArgusListEmpty (struct ArgusListStruct *); int ArgusGetListCount (struct ArgusListStruct *); int ArgusPushFrontList(struct ArgusListStruct *, struct ArgusListRecord *, int); int ArgusPushBackList (struct ArgusListStruct *, struct ArgusListRecord *, int); struct ArgusListRecord *ArgusPopFrontList (struct ArgusListStruct *, int); void ArgusLoadList(struct ArgusListStruct *, struct ArgusListStruct *); struct ArgusQueueStruct *ArgusNewQueue (void); void ArgusDeleteQueue (struct ArgusQueueStruct *); int ArgusGetQueueCount(struct ArgusQueueStruct *); void ArgusPushQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); int ArgusAddToQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); struct ArgusQueueHeader *ArgusPopQueue(struct ArgusQueueStruct *, int); struct ArgusQueueHeader *ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type); struct ArgusQueueHeader *ArgusRemoveFromQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); int ArgusCheckTimeout(struct ArgusModelerStruct *, struct timeval *, struct timeval *); void ArgusProcessQueue(struct ArgusModelerStruct *, struct ArgusQueueStruct *, int); void ArgusEmptyQueue(struct ArgusQueueStruct *); void ArgusDeleteObject(struct ArgusFlowStruct *); struct ArgusHashTableHeader *ArgusFindHashObject (struct ArgusHashTable *, struct ArgusSystemFlow *, unsigned short); extern struct ArgusHashTableHeader *ArgusAddHashEntry (struct ArgusHashTable *, struct ArgusFlowStruct *, struct ArgusHashStruct *); void ArgusRemoveHashEntry (struct ArgusHashTableHeader *); struct ArgusSocketStruct * ArgusNewSocket (int fd); void ArgusDeleteSocket (struct ArgusOutputStruct *, struct ArgusClientData *); int ArgusReadSocket (struct ArgusSocketStruct *, ArgusHandler, void *); int ArgusWriteSocket (struct ArgusOutputStruct *, struct ArgusClientData *, struct ArgusRecordStruct *); int ArgusWriteOutSocket (struct ArgusOutputStruct *, struct ArgusClientData *); char *ArgusGetFlowString (struct ArgusFlowStruct *); char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); void ArgusSetChroot(char *); #ifdef ARGUSDEBUG extern void ArgusDebug (int, char *, ...); #endif struct timeval *RaMinTime (struct timeval *, struct timeval *); struct timeval *RaMaxTime (struct timeval *, struct timeval *); float RaDeltaFloatTime (struct timeval *, struct timeval *); int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); float RaGetFloatDuration (struct ArgusRecordStruct *); float RaGetFloatSrcDuration (struct ArgusRecordStruct *); float RaGetFloatDstDuration (struct ArgusRecordStruct *); double ArgusFetchDuration (struct ArgusRecordStruct *); double ArgusFetchSrcDuration (struct ArgusRecordStruct *); double ArgusFetchDstDuration (struct ArgusRecordStruct *); double ArgusFetchLoad (struct ArgusRecordStruct *); double ArgusFetchSrcLoad (struct ArgusRecordStruct *); double ArgusFetchDstLoad (struct ArgusRecordStruct *); double ArgusFetchLoss (struct ArgusRecordStruct *); double ArgusFetchSrcLoss (struct ArgusRecordStruct *); double ArgusFetchDstLoss (struct ArgusRecordStruct *); double ArgusFetchPercentLoss (struct ArgusRecordStruct *); double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *); double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *); double ArgusFetchRate (struct ArgusRecordStruct *); double ArgusFetchSrcRate (struct ArgusRecordStruct *); double ArgusFetchDstRate (struct ArgusRecordStruct *); double ArgusFetchAppByteRatio (struct ArgusRecordStruct *); #else #if defined(_LITTLE_ENDIAN) extern void ArgusNtoH (struct ArgusRecord *); extern void ArgusHtoN (struct ArgusRecord *); #endif extern long long ArgusTimeDiff (struct timeval *, struct timeval *); extern unsigned long long ArgusAbsTimeDiff (struct timeval *, struct timeval *); extern struct ArgusListStruct *ArgusNewList(void); extern void ArgusDeleteList(struct ArgusListStruct *, int); extern int ArgusListEmpty (struct ArgusListStruct *); extern int ArgusGetListCount (struct ArgusListStruct *); extern int ArgusPushFrontList(struct ArgusListStruct *, struct ArgusListRecord *, int); extern int ArgusPushBackList (struct ArgusListStruct *, struct ArgusListRecord *, int); extern struct ArgusListRecord *ArgusPopFrontList (struct ArgusListStruct *, int); extern void ArgusLoadList(struct ArgusListStruct *, struct ArgusListStruct *); extern struct ArgusQueueStruct *ArgusNewQueue (void); extern int ArgusDeleteQueue (struct ArgusQueueStruct *); extern int ArgusGetQueueCount(struct ArgusQueueStruct *); extern void ArgusPushQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern int ArgusAddToQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern struct ArgusQueueHeader *ArgusPopQueue(struct ArgusQueueStruct *, int); struct ArgusQueueHeader *ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type); extern struct ArgusQueueHeader *ArgusRemoveFromQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern int ArgusCheckTimeout(struct ArgusModelerStruct *, struct timeval *, struct timeval *); extern void ArgusProcessQueue(struct ArgusModelerStruct *, struct ArgusQueueStruct *, int); extern void ArgusEmptyQueue(struct ArgusQueueStruct *); extern void ArgusDeleteObject(struct ArgusFlowStruct *obj); struct ArgusHashTableHeader *ArgusFindHashObject (struct ArgusHashTable *, struct ArgusSystemFlow *, unsigned short); extern struct ArgusHashTableHeader *ArgusAddHashEntry (struct ArgusHashTable *, struct ArgusFlowStruct *, struct ArgusHashStruct *); extern void ArgusRemoveHashEntry (struct ArgusHashTableHeader *); extern struct ArgusSocketStruct * ArgusNewSocket (int fd); extern void ArgusDeleteSocket (struct ArgusOutputStruct *, struct ArgusClientData *); extern int ArgusWriteSocket (struct ArgusOutputStruct *, struct ArgusClientData *, struct ArgusRecordStruct *); extern int ArgusWriteOutSocket (struct ArgusOutputStruct *, struct ArgusClientData *); extern char *ArgusGetFlowString (struct ArgusFlowStruct *); extern char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); extern char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); extern void ArgusSetChroot(char *); #ifdef ARGUSDEBUG extern void ArgusDebug (int, char *, ...); #endif extern struct timeval *RaMinTime (struct timeval *, struct timeval *); extern struct timeval *RaMaxTime (struct timeval *, struct timeval *); extern float RaDeltaFloatTime (struct timeval *, struct timeval *); extern int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); extern float RaGetFloatDuration (struct ArgusRecordStruct *); extern float RaGetFloatSrcDuration (struct ArgusRecordStruct *); extern float RaGetFloatDstDuration (struct ArgusRecordStruct *); extern double ArgusFetchDuration (struct ArgusRecordStruct *); extern double ArgusFetchSrcDuration (struct ArgusRecordStruct *); extern double ArgusFetchDstDuration (struct ArgusRecordStruct *); extern double ArgusFetchLoad (struct ArgusRecordStruct *); extern double ArgusFetchSrcLoad (struct ArgusRecordStruct *); extern double ArgusFetchDstLoad (struct ArgusRecordStruct *); extern double ArgusFetchLoss (struct ArgusRecordStruct *); extern double ArgusFetchSrcLoss (struct ArgusRecordStruct *); extern double ArgusFetchDstLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *); extern double ArgusFetchRate (struct ArgusRecordStruct *); extern double ArgusFetchSrcRate (struct ArgusRecordStruct *); extern double ArgusFetchDstRate (struct ArgusRecordStruct *); extern double ArgusFetchAppByteRatio (struct ArgusRecordStruct *); #endif #endif argus-3.0.8.2/argus/Makefile.in000444 000765 000024 00000007375 12513222401 016616 0ustar00carterstaff000000 000000 # # Argus Software # Copyright (c) 2000-2015 QoSient, LLC # All rights reserved. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY # AND FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER # IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, # ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF # THIS SOFTWARE. # # Various configurable paths (remember to edit Makefile.in, not Makefile) # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the system binaries SBINDIR = @sbindir@ # Pathname of directory to install the system binaries BINDIR = @bindir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ COMPATLIB = @COMPATLIB@ WRAPLIBS = @WRAPLIBS@ SASLLIBS = @LIB_SASL@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ INCLS = -I$(srcdir) @V_INCLS@ -I$(srcdir)/../include DEFS = @DEFS@ #DEFS = -DARGUSPERFMETRICS=1 @DEFS@ # Standard CFLAGS CFLAGS = $(CCOPT) $(INCLS) $(DEFS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< SRC = argus.c ArgusModeler.c ArgusSource.c ArgusUtil.c ArgusOutput.c ArgusUdp.c \ ArgusTcp.c ArgusIcmp.c ArgusIgmp.c ArgusEsp.c ArgusArp.c ArgusFrag.c ArgusUdt.c \ ArgusLcp.c ArgusIsis.c ArgusAuth.c Argus802.11.c ArgusApp.c ArgusEvents.c \ ArgusNetflow.c ArgusSflow.c PROG = @INSTALL_BIN@/argus # We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot # hack the extra indirection OBJ = $(SRC:.c=.o) LIB = @LIBS@ @V_THREADS@ $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) ../lib/argus_common.a -lm HDR = pcap.h pcap-int.h pcap-namedb.h pcap-nit.h pcap-pf.h \ ethertype.h gencode.h gnuc.h TAGHDR = \ bpf/net/bpf.h TAGFILES = \ $(SRC) $(HDR) $(TAGHDR) CLEANFILES = $(OBJ) $(PROG) all: $(PROG) @INSTALL_BIN@/argus: $(OBJ) ../lib/argus_common.a $(CC) $(CFLAGS) -o $@ $(OBJ) $(LDFLAGS) $(LIB) install: force all [ -d $(DESTDIR)$(SBINDIR) ] || \ (mkdir -p $(DESTDIR)$(SBINDIR); chmod 755 $(DESTDIR)$(SBINDIR)) $(INSTALL) $(srcdir)/../bin/argus $(DESTDIR)$(SBINDIR)/argus uninstall: force rm -f $(DESTDIR)$(SBINDIR)/argus clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile config.cache config.log config.status \ gnuc.h os-proto.h bpf_filter.c net tags: $(TAGFILES) ctags -wtd $(TAGFILES) tar: force @cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \ list="" ; tar="tar chFFf" ; \ for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \ echo \ "rm -f ../$$name; ln -s $$dir ../$$name" ; \ rm -f ../$$name; ln -s $$dir ../$$name ; \ echo \ "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \ (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \ echo \ "rm -f ../$$name" ; \ rm -f ../$$name force: /tmp depend: force ../bin/mkdep -c $(CC) $(CFLAGS) $(DEFS) $(INCLS) $(SRC)