actions/action_dump_packet.c

#include "action_dump_packet.h"

#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/time.h>
#ifdef _SOLARIS_
#include <strings.h>
#endif

#include "../engine/message.h"
00012 
00013 //#define DEBUG
00014 
/*struct out of libpcap to output to tcpdump format*/
/* Per-packet record header, written by DumpPacketAction in front of each
 * packet's raw bytes (host byte order, no conversion).
 * NOTE(review): the on-disk pcap record header is four 32-bit fields
 * (ts_sec, ts_usec, caplen, len).  `struct timeval` is not guaranteed to be
 * two 32-bit words (it is 16 bytes on LP64 hosts), so sizeof this struct
 * should be confirmed to be 16 on every target the dump is read from. */
struct dump_pcap_pkthdr {
        struct                  timeval ts;     /* time stamp */
        unsigned int    caplen; /* length of portion present */
        unsigned int    len;    /* length this packet (off wire) */
};
00021 
/* pcap file-format version (2.4) stored in dump_pcap_file_header. */
#define DUMP_PCAP_VERSION_MAJOR 2
#define DUMP_PCAP_VERSION_MINOR 4
00024 
/*struct out of libpcap to output to tcpdump format*/
/* pcap global file header, written once by InitTCPDumpFile when a dump file
 * is created.  Every field is stored as-is (host byte order); pcap readers
 * use the magic to detect the writer's endianness.  thiszone and sigfigs are
 * left zero by InitTCPDumpFile. */
struct dump_pcap_file_header {
        unsigned int    magic;          /* set by InitTCPDumpFile as htonl(0xd4c3b2a1);
                                           NOTE(review): that equals host-order 0xa1b2c3d4
                                           only on little-endian hosts -- confirm on
                                           big-endian targets */
        unsigned short  version_major;  /* DUMP_PCAP_VERSION_MAJOR */
        unsigned short  version_minor;  /* DUMP_PCAP_VERSION_MINOR */
        int                             thiszone;       /* gmt to local correction */
        unsigned int    sigfigs;        /* accuracy of timestamps */
        unsigned int    snaplen;        /* max length saved portion of each pkt */
        unsigned int    linktype;       /* data link type (LINKTYPE_*) */
};
00035 
00036 
00037 
/* Per-rule state: created by DumpPacketParseArgs and handed back to
 * DumpPacketAction through its void* Data argument. */
typedef struct dump_packet_rec{
        char            fname[1024];    /* full dump path: Globals.LogDir followed by the rule's args */
} DumpPacketRec;
00041 
extern GlobalVars       Globals;        /* engine globals used here: LogDir, Packets[], ActionItems[] */

/* File-scope handle that nothing in this file uses: InitTCPDumpFile and
 * DumpPacketAction each declare their own local `fp`, which shadows it.
 * NOTE(review): kept in case another translation unit references it;
 * if nothing does, it can be dropped or made static. */
FILE*   fp;
00045 
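/*****************************************
* Write out the TCPDump Header
*
* Creates (truncating) the file FName and writes the 24-byte pcap global
* header: magic 0xa1b2c3d4 in host order, version 2.4, snaplen 1600,
* linktype 1 (Ethernet).  thiszone and sigfigs are left zero.
*
* FName: path of the dump file to create.
* Returns TRUE on success, FALSE if the file could not be opened or the
* header could not be fully written and flushed (a message is printed).
*****************************************/
int InitTCPDumpFile(char* FName){
        struct dump_pcap_file_header    Header;
        FILE*                                                   fp;
#ifdef DEBUGPATH
        printf("In InitTCPDumpFile\n");
#endif

        /* "wb": the header is binary data and the stream is never read back;
         * on POSIX this behaves like the previous "w+" minus read access. */
        fp=fopen(FName, "wb");
        if (!fp){
                printf("Couldn't open \"%s\" for writing\n",FName);
                return FALSE;
        }

        memset(&Header,0,sizeof Header);
        /* pcap readers detect the writer's byte order from the magic, so it
         * must be stored in host order like every other field.  On
         * little-endian hosts this yields the same bytes (d4 c3 b2 a1) as the
         * previous htonl(0xd4c3b2a1); on big-endian hosts the previous form
         * marked the file as byte-swapped while the other fields were not. */
        Header.magic=0xa1b2c3d4;
        Header.version_major=DUMP_PCAP_VERSION_MAJOR;
        Header.version_minor=DUMP_PCAP_VERSION_MINOR;
        Header.snaplen=1600;
        Header.linktype=1;
        
#ifdef DEBUG
        printf("Writing out header\n");
#endif  

        /* A short write or a failed close leaves a file that readers reject
         * as truncated, so both are reported as failure. */
        if (fwrite(&Header, sizeof Header, 1, fp)!=1){
                printf("Couldn't write pcap header to \"%s\"\n",FName);
                fclose(fp);
                return FALSE;
        }
        if (fclose(fp)!=0){
                printf("Couldn't close \"%s\"\n",FName);
                return FALSE;
        }

        return TRUE;
}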
00078 
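/******************************************
* Parse the args for this action
*
* Args: the rule's argument text.  It is appended verbatim to
* Globals.LogDir to form the dump file path (no separator is inserted,
* matching the existing rule syntax).  If the file cannot be stat'ed it is
* created, with a pcap header, by InitTCPDumpFile.
*
* Returns a calloc'd DumpPacketRec holding the full path (ownership passes
* to the caller), or NULL if the path does not fit the record, memory is
* exhausted, or the dump file could not be created.
******************************************/
void* DumpPacketParseArgs(char* Args){
        DumpPacketRec*  data;
        char                    FileName[1024];
        struct stat             st;
        int                             n;
#ifdef DEBUGPATH
        printf("In DumpPacketParseArgs\n");
#endif

#ifdef DEBUG
        printf("Parsing args for action_dump_packet\n");
#endif  

        /* Refuse a path that does not fit rather than silently truncating it,
         * which would write the dump somewhere other than the configured
         * location. */
        n=snprintf(FileName,sizeof FileName,"%s%s",Globals.LogDir, Args);
        if (n<0 || (size_t)n>=sizeof FileName){
                printf("Packet dump path too long: \"%s%s\"\n",Globals.LogDir, Args);
                return NULL;
        }

        data=calloc(1,sizeof *data);
        if (!data){
                printf("Couldn't allocate memory for packet dump \"%s\"\n",FileName);
                return NULL;
        }
        snprintf(data->fname, sizeof data->fname, "%s", FileName);
        
        /* Any stat() failure (not only ENOENT) is treated as "missing" and
         * triggers creation; InitTCPDumpFile truncates whatever is there. */
        if (stat(FileName, &st)==-1){
#ifdef DEBUG
                printf("%s: File doesn't exist.  Creating\n", FileName);
#endif  
                if (!InitTCPDumpFile(FileName)){
                        printf("Couldn't create packet dump \"%s\"\n",FileName);
                        free(data);     /* previously leaked on this path */
                        return NULL;
                }
        }
        
        return data;
}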
00110 
00111 
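/******************************************
* save this packet into the packet dump
*
* RuleNum: unused (part of the action callback signature).
* PacketSlot: index into Globals.Packets of the packet to write.
* Data: the DumpPacketRec returned by DumpPacketParseArgs.
*
* Appends one pcap record (16-byte record header followed by PacketLen
* raw bytes) to data->fname.  Returns TRUE on success, FALSE if Data is
* NULL, the file cannot be opened for appending, or the write is short.
******************************************/
int DumpPacketAction(int RuleNum, int PacketSlot, void* Data){
        FILE*                                   fp;
        DumpPacketRec*                  data;
        PacketRec*                              p;
        /* On-disk pcap record header: four host-order 32-bit fields
         * (ts_sec, ts_usec, caplen, len).  struct dump_pcap_pkthdr embeds a
         * struct timeval, which is 16 bytes on LP64 hosts and would corrupt
         * the dump, so the record is built from fixed-width fields here. */
        uint32_t                                Rec[4];
        int                                             ok;
        
#ifdef DEBUGPATH
        printf("In DumpPacketAction\n");
#endif

#ifdef DEBUG
        printf("Writing to the Packet Dump File\n");
#endif

        if (!Data){
#ifdef DEBUG
                printf("I must have a filename to write to\n");
#endif  
                return FALSE;
        }
        
        
        p=&Globals.Packets[PacketSlot];
        data=(DumpPacketRec*)Data;

        /* Classic pcap stores 32-bit timestamps; a wider tv_sec is truncated. */
        Rec[0]=(uint32_t)p->tv.tv_sec;
        Rec[1]=(uint32_t)p->tv.tv_usec;
        Rec[2]=(uint32_t)p->PacketLen;  /* caplen: the whole packet is stored */
        Rec[3]=(uint32_t)p->PacketLen;  /* len on the wire */

        /* "ab": binary append; same as the previous "a" on POSIX. */
        fp=fopen(data->fname, "ab");
        if (!fp){
#ifdef DEBUG    
                printf("Couldn't open \"%s\" for appending\n",data->fname);
#endif          
                return FALSE;
        }

        /* A zero-length packet still gets its record header; fwrite with
         * size 0 returns 0, so it is not treated as a short write.
         * NOTE(review): header and payload are two separate writes, so a
         * second writer appending to the same file could interleave records
         * -- confirm there is a single writer per dump file. */
        ok = fwrite(Rec, sizeof Rec, 1, fp)==1
             && (p->PacketLen==0 || fwrite(p->RawPacket, p->PacketLen, 1, fp)==1);
        if (fclose(fp)!=0){
                ok=0;
        }
        if (!ok){
#ifdef DEBUG
                printf("Short write to \"%s\"\n",data->fname);
#endif
                return FALSE;
        }
        
        return TRUE;
}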
00159 
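/********************************
* Set up the packet dump stuff
*
* Registers the "dump packet" action with the engine: obtains an action
* slot from CreateAction and installs DumpPacketAction and
* DumpPacketParseArgs as its callbacks.
* Returns TRUE on success, FALSE if CreateAction returned ACTION_NONE.
********************************/
int InitActionDumpPacket(void){
        int ActionID;

#ifdef DEBUGPATH
        printf("In InitActionDumpPacket\n");
#endif

        ActionID=CreateAction("dump packet");
        if (ActionID==ACTION_NONE){
#ifdef DEBUG
                printf("Couldn't allocate action dump packet\n");
#endif  
                return FALSE;
        }
        
        Globals.ActionItems[ActionID].ActionFunc=DumpPacketAction;
        Globals.ActionItems[ActionID].ParseArgs=DumpPacketParseArgs;

        return TRUE;
}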
