pax_global_header00006660000000000000000000000064147154125360014522gustar00rootroot0000000000000052 comment=b1312f51826a53912db1e88d3b9a879b841158b5 argus-5.0.2/000077500000000000000000000000001471541253600126475ustar00rootroot00000000000000argus-5.0.2/.gitignore000066400000000000000000000023401471541253600146360ustar00rootroot00000000000000# xcode noise build/* *.pbxuser *.mode1v3 # old skool .svn # osx noise .DS_Store profile argus-clients.xcodeproj/project.xcworkspace/ argus-clients.xcodeproj/xcuserdata/ .gitattributes .gitignore .debug .devel .nfs* *.o *.swp Makefile lib/argus-clients.pc pkg/rhel/systemd/rasqlinsert-setup bin/* !bin/argusclientbug !bin/mkdep /config.log /config.status include/argus_config.h /common/grammar.c /common/scanner.c /common/tokdefs.h /common/version.c /lib/*.a /autom4te.cache /argus-clients-*.tar.gz /lib/argus-clients.spec /pkg/win7/argus-clients.wxs /pkg/osx/BUILDROOT /examples/radhcp/radhcp-query /examples/rahisto/rahisto-delsql /examples/rahisto/rahisto-querysql /examples/rahisto/rahisto-updatesql /man/man5/ramanage.conf.5 # compiled perl library /perllib/qosient /perllib/swig.stamp /perllib/swig_ArgusParseTime_wrap.c /perllib/util.so /perllib/util.dylib # rasql_udf_ intermediates /examples/rasql_udf_cidr/.libs/ /examples/rasql_udf_cidr/.deps/ /examples/rasql_udf_cidr/autom4te.cache /examples/rasql_udf_cidr/libtool /examples/rasql_udf_cidr/config.log /examples/rasql_udf_cidr/config.status /examples/rasql_udf_cidr/config.h /examples/rasql_udf_cidr/rasql_udf_cidr.la /examples/rasql_udf_cidr/rasql_udf_cidr_la-rasql_udf_cidr.lo argus-5.0.2/.threads000066400000000000000000000000001471541253600142700ustar00rootroot00000000000000argus-5.0.2/AUTHORS000066400000000000000000000010311471541253600137120ustar00rootroot00000000000000# # Argus-5.0 Software. # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # $Id: //depot/gargoyle/argus/AUTHORS#5 $ # $DateTime: 2015/04/13 00:39:28 $ # $Change: 2980 $ Argus and its client software are written, maintained and copyrighted by Carter Bullard and Eric Kinzie of QoSient, LLC. Many contributions of fixes, bug reports and design have been submitted to the argus developers mailing list over Argus's 30 years. Please see the ./CREDITS file for those that have contributed the most. argus-5.0.2/CODE_OF_CONDUCT.md000066400000000000000000000121441471541253600154500ustar00rootroot00000000000000# Contributor Covenant Code of Conduct ## Our Pledge We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation. We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community. ## Our Standards Examples of behavior that contributes to a positive environment for our community include: * Demonstrating empathy and kindness toward other people * Being respectful of differing opinions, viewpoints, and experiences * Giving and gracefully accepting constructive feedback * Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience * Focusing on what is best not just for us as individuals, but for the overall community Examples of unacceptable behavior include: * The use of sexualized language or imagery, and sexual attention or advances of any kind * Trolling, insulting or derogatory comments, and personal or political attacks * Public or private harassment * Publishing others' private information, such as a physical or email address, without their explicit permission * Other conduct which could reasonably be considered inappropriate in a professional setting ## Enforcement Responsibilities Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful. Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate. ## Scope This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at carter@qosient.com. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident. ## Enforcement Guidelines Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct: ### 1. Correction **Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community. **Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested. ### 2. Warning **Community Impact**: A violation through a single incident or series of actions. **Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban. ### 3. Temporary Ban **Community Impact**: A serious violation of community standards, including sustained inappropriate behavior. **Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban. ### 4. Permanent Ban **Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals. **Consequence**: A permanent ban from any sort of public interaction within the community. ## Attribution This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0, available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity). [homepage]: https://www.contributor-covenant.org For answers to common questions about this code of conduct, see the FAQ at https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations. argus-5.0.2/COPYING000066400000000000000000000773351471541253600137210ustar00rootroot00000000000000GNU General Public License ************************** GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. argus-5.0.2/CREDITS000066400000000000000000000155121471541253600136730ustar00rootroot00000000000000/* * Argus-5.0 Software - README * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ CREDITS This list of people are just some of the people that contributed significantly to the Argus Project, over its 30 years. Little QoSient, LLC which made Argus the core of its business Carter Bullard Eric Kinzie The individuals that have contributed the most to the theory of Argus and its applications in networking and computer science are: Dr. Tony Przygienda - Juniper Rob Coltun Lou Berger - LabN The great people at Carenegie Mellon Univeristy who provided support with all things, emotion, time and resources: Mark Poepping Chas DiFatta The amazing group at Georgia Tech, where Argus got it start. Ron Hutchins Ed Coleman Mark Johnson Ted Hope The Stanford group that have provided the richest source for Argus innovation in the areas of behavior and dynamism over the last 20 years John Gerth MN Joseph Little Johan van Reijendam The group at GLORIAD that implemented the largest geographic area covered by Argus ... the entire Planet !! Greg Cole Harika Tandra Academics and cyber security professionals that have used and written about Argus in their research, books, and work !! Richard Bejtilch CS Lee Doug Burk With the greatest thanks to the late Dr. Hank Dardy, Chief Scientist of the U.S. Naval Research Laboratory for his amazing visonary support of flow monitoring and his group at NRL that provided support, opinions, suggestions, criticisms and/or attitude about flows: Basil Decina Chas Williams Eric Kinzie Heidi Hornstein Dharmesh Shah Much of the work on argus has been done by the members of the argus developers mailing list. All have contributed so much over all the years. But two stand out over the many. Peter Van Epp Russell Fulton Here is the remaining, very distinguished list, in alphabetical order. (I hope I didn't miss anyone): 0100 (four) Aashish Sharma Abdun Mahmood Adrian Bool Alfredo Laguna Vazquez Alexander Bochmann Andreas Ostling Andrew Kompanek Andrew Pollock Andrew Thompson Avi Freedman Ba Ru Bamm Visscher Berry Kolts Bart Roos Benet Leong Berkay Celik Bjoern Weiland Blake Mattern Borjz Marcos Brian Zeigler Can Desem Carl Andrews Carlw Cedric Vieau Charles Fair Charles King Chris Keladis Chris Sanders Chris Wakelin Chris Wilson Christoph Badura Christopher Jones Chungen Li Clauss Strauch Claudio Luck Conor McGrath Corey Smith Craig Merchant Darren Spruell Dave Plonka David A. J. Ripley David Binderman David Edelman Derek Ditch Dez Blanchfield Dietmar Goldbeck Digital Ninja dn1nj4 Douglas Pichardo Dustin E.J. Gamarro Earl El Draco Elof2 Eric Graham Eric Pancer Ernie Johanson Esteban G Estuardo Gamarro Fabrice Fothe Fopa Florenzi Alessandro Florian Weimer Fyodor George Jones George Nychis Georgios Pallis Giles Chauvin Gilson Soares Glen Bojaza Graeme Russ Greg Lapchenko Guilsson Guy Dickinson Harry Hoffman Henrik Strom Ignas Kazlauskas Jaime Vargas Jaime Nebrera Jake Babbin James A Robinson James Grace Janusz Urbanowicz Jason Baekey Jason Carr Jason Cook Jason Ish Javier Almiliategul JD Durick Jean Michel Rizzardi Jean-Marc Pouchoulon Jeff Atkinson Jeff Wolf Jeroen Roovers Jesper Skou Jensen Jesse Bowling Jim Gargani Jim O'Gorman Johannes Russek Joel Bergstein Joel Ebrahimi John Jenkinson John Lauro John Kennedy John Nagro John Rodenbiker John Wade Jon Denton Jonathan Towne Joost Bijl Kevin Kadow Karl Schuster Karl Tatgenhorst Kaustubh Gadkari Keir Novik Kevin Branch Kieran Rhysling Kjell Tore Fossbakk Kulwant Sohi Laird Anglesey Lee Zelyck Lei Wei Luke Whitworth Makatesi Manaf Gharalbeh Mark Bartlett Mark Borrie Markus De Shon Martijn van Oosterhout Martin Bauer Martin Holste Martin Olsson Matt Brown Matthew Derenski Matthew Weiner mel Michael Arcamone Michael Hornung Michael Meisel Michael Sandee Michael Sanderson Michal Purzynaski Miel Verkerken Mike Iglesias Mike Patterson Mike Slifcak Mike Tancsa miodek (Michael) Ming Fu modversion morfoh (Chris) Morgan DeRodeff Morten Christensen Murali Raju Nate Hausrath Neal Welland Nenaudoti Ignas Kazlauskas Neil Long Neslog Niall Murphy Nichole K. Boscia Nick Diel Nick Giordano Ning Shi Nyuk Loong Kiw Oguz Yanmtepe Olaf Gellert OlRoy Pablo Rebollo-Sosa Patrick Forsberg Patrick Green Paul Halliday Paul Schmehl Pengiran Awang Pete Troxell Peter Hill Peter Moody Peter Volkov Phillip G Deneault Phillip Letschert Poncenby Smythe Prashanth Prahalad Rafael Barbosa Raphael Campos Silva Raphael Isemann Raffael Marty Rahimeh Kodadadi Ralf Spenneberg Ramon Kagan Real Melancon Reykjavik Hindisvik Riccardo Dias Riccardo Veraldi Richard Johnson Rick Denton Robert E. Smith Jr. Robert Kerr Robert Leyba Robin Gruyters Rodney McKee Russ Harvey Russ McRee Ruvin Gottlieb Sajeev Nair Sam Davis Saptarshi Guha Saya Peng Scott Dexter Scott McIntyre ScottO Sean Malone Sean McCreary Sebastian Garcia Sebastian Yepes Fernandez Sergio Luis Moreira De Silva Shaheen Bakhtiar Shahram Esfahani shailwe19 Silas Porterfield Stefan Esser Stephane Peters Steve McInerney Stewart Gray Sunjeet Singh Suraj M Susan Mcgill Terry Burton Tim Lavoie Tim Waters Timo Schilling Timo Suhl Tim-Fang Yen Todd Michael Tom Briglia Tony Stout Tony Webster Torbin Wictorin Tu Nguyen unFrigidaire Americain Urtho Vaibhav Kaware Vlad Grigorescu Wictorin Torbjorn William S. Cleveland William Setzer Wolfgang Barth Woody K. Wimmie Wolfgang Barth Yotam Rubin Zi Hu argus-5.0.2/ChangeLog000066400000000000000000000001641471541253600144220ustar00rootroot00000000000000Thu Nov 14 10:08:17 EST 2024 See https://github.com/openargus/argus for a full history of commits for this project. argus-5.0.2/Dockerfile000066400000000000000000000025331471541253600146440ustar00rootroot00000000000000# Stage 1: Build FROM debian:bookworm-slim AS build # Set environment variables for non-interactive installation and versions ENV DEBIAN_FRONTEND=noninteractive \ ARGUS_VERSION=5.0.0 \ CLIENTS_VERSION=5.0.0 # Install dependencies RUN apt-get update && \ apt-get install -y gcc make flex bison zlib1g-dev libpcap-dev wget WORKDIR /argus # Download and extract source code from GitHub releases RUN wget https://github.com/openargus/clients/archive/refs/tags/v${CLIENTS_VERSION}.tar.gz -O clients-${CLIENTS_VERSION}.tar.gz && \ tar -xvf clients-${CLIENTS_VERSION}.tar.gz && \ wget https://github.com/openargus/argus/archive/refs/tags/v${ARGUS_VERSION}.tar.gz -O argus-${ARGUS_VERSION}.tar.gz && \ tar -xvf argus-${ARGUS_VERSION}.tar.gz # Build and install argus and clients RUN cd clients-${CLIENTS_VERSION} && \ LIBS="-lz" ./configure && \ make && \ make install && \ cd ../argus-${ARGUS_VERSION} && \ LIBS="-lz" ./configure && \ make && \ make install # Stage 2: Runtime FROM debian:bookworm-slim # Install runtime dependencies RUN apt-get update && \ apt-get install -y zlib1g libpcap0.8 libtirpc3 && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* WORKDIR /argus # Copy the built files from the build stage COPY --from=build /usr/local /usr/local # Set a default command (optional) CMD ["bash"] argus-5.0.2/INSTALL000066400000000000000000000321231471541253600137010ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus flow data generation * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Date: Thu Jan 11 15:35:49 EST 2024 */ QUICK MAKE If all things are ready, distribution untarred, and you have libpcap and bison installed on your system, you should be able to make argus by simply typing: % ./configure % make If you have any problems with this procedure, read further, if not congratulations. You can proceed to INSTALLATION. DEPENDENCIES The argus distribution is dependant on two public domain packages; libpcap, which provides the argus server's portable packet capture interface, and flex/bison() which are used for to build the filter compilers. Both of these sets of packages must be installed in order to compile argus. Most versions of Linux/Unix/Mac OS X/xBSD have these packages installed by default, so hopefully it won't be a problem. Below is the offical source of libpcap and current version: libpcap-1.10.4 http://www.tcpdump.org/release/libpcap-1.10.4.tar.gz The official site and current version of bison is: bison-3.8 http://ftp.gnu.org/gun/bison/ And the offical site for Flex: The Fast Lexical Analyzer is: flex-2.6.4 https://github.com/westes/flex Because argus is dependant on libpcap and flex/bison, you will need to have them available prior to building the package. Please refer to the individual packages for installation instructions. If you are not interested in performing a system installtion for libpcap, then you can simply untar libpcap in the same directory where you untared argus. Argus's ./configure will find the package and use it accordingly. For some operating systems, such as Fedora, you may have to install the developement versions of some packages in order to get all the supporting files. On Fedora, the libpcap library is provided, however, compilers etc... can't find the library at compile time. Installing libpcap-devel fixes this problem: yum install libpcap-devel apt-get install libpcap-devel In order to support some specific DSR metrics, argus needs the XDR library, which is now provided in the libtirpc-devel package on Linux. Without the XDR functions, argus will not be able to generate the ARGUS_JITTER_DSR metrics, but argus will build without the library. Getting this library can be different for most any platform. For Centos Stream 9, as an example, libtirpc is available in the Base OS repository, but the needed libtirpc-devel package in is the CRB repository. You will need to configure 'dnf' to add CRB to the repo lists. dnf config-manager --set-enabled crb For all Linux platforms, you will use either yum, apt-get, or dnf ... dnf install libtirpc-devel Argus supports block compression for some of its functions. To support this, argus will look for a usable zlib. If not found, it will not use the functions. Argus can link to the public domain package tcp_wrappers to provide remote access control. At this time, the lastest version is tcp_wrappers-7.6. If tcp_wrappers in not installed on your system, then installing this package in the same directory as libpcap and argus is recommended. tcp_wrappers.7.6 Wietse Venema (wietse@wzv.win.tue.nl) Department of Mathematics and Computing Science Eindhoven University of Technology P.O. Box 513 5600 MB Eindhoven The Netherlands ftp://ftp.porcupine.org/pub/security Argus can also link to the cryptographic package SASL, the Simple Authentication and Security Layer, which provides strong authentication and wireline confidentiality for argus data. Because of its features and flexibility, we highly recommend using SASL, and becoming experienced with its administration. cyrus-sasl-2.1.23 Carnegie Mellon Univeristy http://ftp.andrew.cmu.edu/pub/cyrus-mail/ CONFIGURE The program, ./configure, will scan the file system, looking for a lot of things, including the libpcap and tcp_wrapper directories and libraries and make assumptions about the platform which will allow ./configure to choose between gcc, acc, cc, flex, lex, bison, yacc, pcre, sasl and where your specific version of Perl. If the libpcap or bison packages are not discovered, the ./configure script will fail, as these packages are required. Argus can be compiled with support for Sasl, to provide strong authentication and confidentiality protection for data "on the wire". This can be turned on using the option "--with-sasl[=DIR]". If you do not provide the optional directory, ./configure will guess where sasl could be, using the standard installation directories as a guide. You can also specify that ./configure should not use gcc as the compiler, which the default. For Solaris, the sun c compiler is much better for various reasons, and so providing the "--without-gcc" option may generate more efficient code, when a native compiler is available. Configure will create links for the libpcap.a and libwrap.a libraries in ./lib, and will create links to the distribution directories as ./libpcap and ./wrapper. Configure will attempt to find the libpcap and tcp_wrappers distribution directories, and their corresponding libraries. The path used to find these dependancies is ./libpcap, ./wrapper, /usr/lib, /usr/local/lib, ../libpcap, ../wrapper, ../tcp_wrappers, ../libpcap-[0-9]*.[0-9ab]*, and ../tcp_wrappers[-.][0-9]*.[0-9ab]*. Because of major changes between tcp_wrappers-6 and tcp_wrappers-7, ./configure needs to discover the tcp_wrappers version number. It does this by scanning the patchlevel.h file in the tcp_wrapper distribution, as a result, ./configure will attempt to find and then establish a link to your tcp_wrappers distribution directory. Again, we recommend that you install your libpcap and tcp_wrappers distribution directories, or links to them, in either the same directory as the Argus distribution, or as the directories ./libpcap and ./wrapper, in the Argus directory. BUILDING ARGUS So, after all that, to build Argus on a supported platform, first run ./configure. ./configure will determine your system attributes and generate subdirectories and the appropriate Makefiles from the Makefile.in files found in the distribution. After this, run "make". If everything goes well, appropriate libraries and binaries will be found in the ./bin and ./lib subdirectories. So, .... % ./configure % make The argus will be found as ./bin/argus. So, at this point you should have all the execuables needed. But, if you are having problems, it may be related to your compiler or the flex and bison utilities. So, ... You will need an ANSI C compiler to build argus. If your compiler is not ANSI compliant, we highly recommend using the GNU C compiler, available via anonymous ftp: ftp://prep.ai.mit.edu/pub/gnu/gcc-*.tar.gz Argus requires bison and flex. For flex, version 2.4.6 or higher is recommended. The current version of flex and bison are available via anonymous ftp: ftp://prep.ai.mit.edu/pub/gnu/bison-*.tar.gz ftp://prep.ai.mit.edu/pub/non-gnu/flex/flex-*.tar.gz Now, if you are still having problems, ..., well its hard to say from here what it might be. So, you may want to send us some mail. INSTALLATION QUICK INSTALL If all things are well at this point, and you will be using the installation strategy that we use, all you need do now is: # make install This will create the /usr/local/argus directory and move all the binaries, supporting programs, man pages and documenation into it. If you are unsure about the standard installtion, run % make -n install to review what make will try to do. If you would like to do something other than the standard install, then please continue to read through this file. If you are planning on running the argus as a persistant daemon on your machine, then one additional step is recommended, and that is setting up system wide argus configuration files; /etc/argus.conf.conf. # cp ./support/Config/argus.conf /etc You must edit /etc/argus.conf file for argus to work, as the default configuration will have argus do a lot of work but not output anything. Argus writes its data either to an output file, or if you intend argus to monitor traffic in realtime, to a socket port that client programs can attach to. You specify either, or both, in the argus.conf file, by uncommenting the appropriate line. At this point your ready to run the argus. But if you wanted to do something different, then read on. Argus does not have any installation retrictions, so you can install Argus anywhere. There are some conventions that have been established, and I'll present them here, but you can, of course, do your own thing. I have found it useful to have an argus home directory to hold the binaries, argus configuration files, the argus output file, and hold my argus data archive. If you would like to use this strategy, create your directory, and create the environment variable ARGUSHOME and set it to this directory. I use /usr/local/argus. I prefer putting the argus binary in /usr/local/sbin (system binaries). After making, as root, I just: # mkdir /usr/local/argus # cp bin/argusbug /usr/local/argus/bin # cp bin/argus /usr/local/sbin/argus It is convenient to chmod argus so that it is "setuid root", but many feel that this is a security problem, as any user could then start an argus on the system. Use this technique at at your discretion. # chown root /usr/local/sbin/argus # chmod 4755 /usr/local/sbin/argus Argus has a system configuration file that normally resides as /etc/argus.conf. You can install this file anywhere, but the scripts that are provided in the ./support directory will assume that the configuration is at /etc/argus.conf. # cp ./support/Config/argus.conf /etc/argus.conf You will want to edit this file to choose values of your liking. The sample has all the common values set and is a good suggestion. Copying the man and doc directories is nice. # tar cf - doc man | (cd /usr/local/argus; tar xvpf -) This should handle the basic installion. Any comments, patches, bug reports or additions should be sent to argus@lists.andrew.cmu.edu. PORTABILITY Argus and its supporting routines have been developed on Sparc architectures under SunOS 4.1.x and Solaris 2.7, and have been successfully ported to Solaris, SGI, Ultrix, Linux, OpenBSD and FreeBSD platforms. No claim is made as to the portability of Argus to other platforms, although it is much easier now that we've addressed the big endian little endian issues. If you make any modifications to support installing and running Argus in any other environment, please send us comments and/or patches. We will be most grateful. OPENWRT Argus has been ported to OpenWrt, and a specific configure program is provided to assist in making for OpenWrt. First, untar the argus distribution into your OpenWrt-SDK-Linux-i686-1/package directory. Be sure that the libpcap library is installed in the OpenWrt-SDK-Linux-i686-1/staging_dir_mipsel/usr/lib, and your ready. % ./configure.openwrt % make That should make an argus binary that can be installed on an openwrt system. You will still need to provide an /etc/argus.conf file, and any type of startup script to get argus going. CYGWIN Argus has been ported to Cygwin, the RedHat Linux environment for Windows. Cygwin can be found at http://www.cygwin.com. Install the latest version of Cygwin, modifying the default install to include the developement support. As noted above, you will need bison and flex and optionally tcpwrappers, which are available for Cygwin. On CYGWIN, the libpcap function is provided by the WinPcap Developers Pack. The current version can be found at: http://www.winpcap.org/devel.htm Place the unzipped WpdPack folder in the same directory that you untared argus, and the argus ./configure script will find it and do the right thing. At this point, to make argus: % ./configure % make That should make an argus binary that can be installed as a Windows service, using the cygrunsrv() program. Because interface names are so difficult to use on Windows, the Cygwin port of argus allows you to specify an index for the interface you want to monitor. By running argus without an interface specification, argus will print out the available interfaces, with thier indexes. Use the index number on the command line, or in the argus.conf file. To setup argus as a system service under CYGWIN, use the cygrunsvc() program. Argus will write its output to /var/log/argus.log, so check there is you have any problems. argus-5.0.2/MANIFEST000066400000000000000000000364111471541253600140050ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus flow data generation. * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ Argus-5.0.2 distribution total 1040 -rw-r--r--@ 1 carter staff 525 Jun 21 12:41 AUTHORS -rw-r--r-- 1 carter staff 5220 Jun 21 12:41 CODE_OF_CONDUCT.md -rw-r--r--@ 1 carter staff 32477 Jun 21 12:41 COPYING -rw-r--r-- 1 carter staff 6805 Jun 21 12:41 CREDITS -rw-r--r--@ 1 carter staff 8404 Jun 21 12:41 ChangeLog -rw-r--r-- 1 carter staff 1371 Nov 12 10:51 Dockerfile -rw-r--r--@ 1 carter staff 13395 Jun 21 12:41 INSTALL -rw-r--r-- 1 carter staff 15625 Nov 14 10:06 MANIFEST -rw-r--r-- 1 carter staff 5516 Nov 3 09:27 Makefile -rw-r--r-- 1 carter staff 5308 Jun 21 12:41 Makefile.in -rw-r--r--@ 1 carter staff 4121 Nov 14 10:04 README -rw-r--r-- 1 carter staff 4854 Jun 21 12:41 README.rst -rw-r--r-- 1 carter staff 6 Nov 14 10:04 VERSION -rw-r--r-- 1 carter staff 609 Jun 21 12:41 aclocal.m4 -rw-r--r-- 1 carter staff 55958 Jun 21 12:41 acsite.m4 drwxr-xr-x 45 carter staff 1440 Nov 14 10:05 argus drwxr-xr-x 4 carter staff 128 Nov 14 10:05 bin drwxr-xr-x 9 carter staff 288 Nov 14 10:05 common drwxr-xr-x 6 carter staff 192 Jun 21 12:41 config -rwxr-xr-x 1 carter staff 318929 Jun 21 12:41 configure -rw-r--r-- 1 carter staff 12042 Jun 21 12:41 configure.ac drwxr-xr-x 15 carter staff 480 Jun 21 12:41 debian drwxr-xr-x 3 carter staff 96 Jun 21 12:41 doc drwxr-xr-x 14 carter staff 448 Nov 14 10:05 events drwxr-xr-x 35 carter staff 1120 Nov 14 10:05 include drwxr-xr-x 4 carter staff 128 Nov 14 10:05 lib drwxr-xr-x 3 carter staff 96 Jun 21 12:41 logo drwxr-xr-x 4 carter staff 128 Jun 21 12:41 man drwxr-xr-x 9 carter staff 288 Jun 21 12:41 pkg drwxr-xr-x 8 carter staff 256 Jun 21 12:41 support ./argus: total 2368 -rw-r--r-- 1 carter staff 9948 Jun 21 12:41 Argus802.11.c -rw-r--r-- 1 carter staff 22039 Jun 21 12:41 ArgusApp.c -rw-r--r-- 1 carter staff 9491 Jun 21 12:41 ArgusArp.c -rw-r--r-- 1 carter staff 9586 Jun 21 12:41 ArgusAuth.c -rw-r--r-- 1 carter staff 5339 Jun 21 12:41 ArgusEsp.c -rw-r--r-- 1 carter staff 16147 Jun 21 12:41 ArgusEvents.c -rw-r--r-- 1 carter staff 2977 Jun 21 12:41 ArgusEvents.h -rw-r--r-- 1 carter staff 20945 Jun 21 12:41 ArgusFrag.c -rw-r--r-- 1 carter staff 4088 Nov 12 10:54 ArgusGeneve.c -rw-r--r-- 1 carter staff 1257 Nov 12 10:54 ArgusGeneve.h -rw-r--r-- 1 carter staff 1557 Jun 21 12:41 ArgusGetTimeOfDay.h -rw-r--r-- 1 carter staff 3761 Jul 19 15:49 ArgusGre.c -rw-r--r-- 1 carter staff 1270 Jul 19 15:49 ArgusGre.h -rw-r--r-- 1 carter staff 15220 Jun 21 12:41 ArgusIcmp.c -rw-r--r-- 1 carter staff 3701 Jun 21 12:41 ArgusIfnam.c -rw-r--r-- 1 carter staff 1365 Jun 21 12:41 ArgusIfnam.h -rw-r--r-- 1 carter staff 4341 Jun 21 12:41 ArgusIgmp.c -rw-r--r-- 1 carter staff 30701 Jun 21 12:41 ArgusIsis.c -rw-r--r-- 1 carter staff 2683 Jun 21 12:41 ArgusL2TP.c -rw-r--r-- 1 carter staff 6461 Jun 21 12:41 ArgusL2TP.h -rw-r--r-- 1 carter staff 3424 Jun 21 12:41 ArgusLcp.c -rw-r--r-- 1 carter staff 1709 Jun 21 12:41 ArgusMac.c -rw-r--r-- 1 carter staff 202832 Nov 14 10:03 ArgusModeler.c -rw-r--r-- 1 carter staff 32096 Nov 12 10:58 ArgusModeler.h -rw-r--r-- 1 carter staff 86344 Jun 21 12:41 ArgusNetflow.c -rw-r--r-- 1 carter staff 2362 Jun 21 12:41 ArgusNetflow.h -rw-r--r-- 1 carter staff 79047 Nov 14 10:03 ArgusOutput.c -rw-r--r-- 1 carter staff 6827 Jun 21 12:41 ArgusOutput.h -rw-r--r-- 1 carter staff 47236 Jun 21 12:41 ArgusSflow.c -rw-r--r-- 1 carter staff 1293 Jun 21 12:41 ArgusSflow.h -rw-r--r-- 1 carter staff 190560 Nov 12 10:58 ArgusSource.c -rw-r--r-- 1 carter staff 36582 Nov 12 10:54 ArgusSource.h -rw-r--r-- 1 carter staff 42292 Nov 12 10:58 ArgusTcp.c -rw-r--r-- 1 carter staff 2284 Jun 21 12:41 ArgusTimeDiff.h -rw-r--r-- 1 carter staff 2335 Jun 21 12:41 ArgusUdp.c -rw-r--r-- 1 carter staff 29337 Jun 21 12:41 ArgusUdt.c -rw-r--r-- 1 carter staff 82900 Nov 12 10:58 ArgusUtil.c -rw-r--r-- 1 carter staff 12009 Jun 21 12:41 ArgusUtil.h -rw-r--r-- 1 carter staff 2265 Nov 12 10:58 ArgusVxLan.c -rw-r--r-- 1 carter staff 1335 Nov 12 10:54 ArgusVxLan.h -rwxr-xr-x 1 carter staff 4279 Jul 19 15:49 Makefile.in -rw-r--r-- 1 carter staff 80414 Nov 12 10:58 argus.c -rw-r--r-- 1 carter staff 4018 Jun 21 12:41 argus.h ./bin: total 32 -rwxr-xr-x 1 carter staff 10043 Jun 21 12:41 argusbug -rwxr-xr-x 1 carter staff 2395 Jun 21 12:41 mkdep ./common: total 736 -rwxr-xr-x 1 carter staff 4064 Jun 21 12:41 Makefile.in -rw-r--r-- 1 carter staff 14550 Nov 12 10:58 argus_auth.c -rw-r--r-- 1 carter staff 147408 Jun 28 09:16 argus_code.c -rw-r--r-- 1 carter staff 87557 Nov 12 10:58 argus_filter.c -rw-r--r-- 1 carter staff 87930 Nov 12 10:58 argus_util.c -rwxr-xr-x 1 carter staff 14858 Jun 21 12:41 grammar.y -rwxr-xr-x 1 carter staff 11831 Jun 21 12:41 scanner.l ./config: total 184 -rwxr-xr-x 1 carter staff 42856 Jun 21 12:41 config.guess -rwxr-xr-x 1 carter staff 35740 Jun 21 12:41 config.sub -rwxr-xr-x 1 carter staff 5585 Jun 21 12:41 install-sh -rwxr-xr-x 1 carter staff 616 Jun 21 12:41 mkinstalldirs ./debian: total 96 -rwxr-xr-x 1 carter staff 1058 Jun 21 12:41 argus.postinst -rwxr-xr-x 1 carter staff 181 Jun 21 12:41 argus.postrm -rwxr-xr-x 1 carter staff 719 Jun 21 12:41 argus.preinst -rwxr-xr-x 1 carter staff 151 Jun 21 12:41 argus.prerm -rw-r--r-- 1 carter staff 153 Jun 21 12:41 changelog -rw-r--r-- 1 carter staff 2 Jun 21 12:41 compat -rw-r--r-- 1 carter staff 611 Jun 21 12:41 control -rw-r--r-- 1 carter staff 1786 Jun 21 12:41 copyright -rw-r--r-- 1 carter staff 7 Jun 21 12:41 docs -rw-r--r-- 1 carter staff 180 Jun 21 12:41 install -rw-r--r-- 1 carter staff 64 Jun 21 12:41 manpages -rwxr-xr-x 1 carter staff 538 Jun 21 12:41 rules drwxr-xr-x 3 carter staff 96 Jun 21 12:41 source ./debian/source: total 8 -rw-r--r-- 1 carter staff 12 Jun 21 12:41 format ./doc: total 8 -rw-r--r--@ 1 carter staff 1711 Jun 21 12:41 README ./events: total 112 -rwxr-xr-x 1 carter staff 5115 Jun 21 12:41 Makefile.in -rw-r--r--@ 1 carter staff 2598 Jun 21 12:41 README -rwxr-xr-x 1 carter staff 1456 Jun 21 12:41 argus-airport.sh -rwxr-xr-x 1 carter staff 1519 Jun 21 12:41 argus-extip.pl -rwxr-xr-x 1 carter staff 1417 Jun 21 12:41 argus-ipaddr.pl -rwxr-xr-x 1 carter staff 1447 Jun 21 12:41 argus-ipmitool.pl -rwxr-xr-x 1 carter staff 1414 Jun 21 12:41 argus-lsof.pl -rwxr-xr-x 1 carter staff 4150 Jun 21 12:41 argus-netstat.pl -rwxr-xr-x 1 carter staff 2410 Jun 21 12:41 argus-snmp.sh -rwxr-xr-x 1 carter staff 1404 Jun 21 12:41 argus-stumble.pl -rwxr-xr-x 1 carter staff 3181 Jun 21 12:41 argus-stumbler.pl -rwxr-xr-x 1 carter staff 1653 Jun 21 12:41 argus-vmstat.sh ./include: total 888 -rw-r--r-- 1 carter staff 17920 Jun 21 12:41 CflowdFlowPdu.h drwxr-xr-x 16 carter staff 512 Jun 21 12:41 argus -rw-r--r-- 1 carter staff 4110 Jun 21 12:41 argus-namedb.h -rw-r--r-- 1 carter staff 12304 Jun 21 12:41 argus_client.h -rw-r--r-- 1 carter staff 6709 Jun 21 12:41 argus_compat.h -rw-r--r-- 1 carter staff 17862 Jun 21 12:41 argus_config.h.in -rw-r--r-- 1 carter staff 2504 Jun 21 12:41 argus_dag.h -rw-r--r-- 1 carter staff 2342 Jun 21 12:41 argus_debug.h -rw-r--r-- 1 carter staff 103873 Nov 12 10:58 argus_def.h -rw-r--r-- 1 carter staff 1083 Jun 21 12:41 argus_def_v2.h -rw-r--r-- 1 carter staff 3162 Jun 21 12:41 argus_dscodepoints.h -rw-r--r-- 1 carter staff 4209 Jul 19 15:49 argus_encapsulations.h -rw-r--r-- 1 carter staff 12000 Jun 21 12:41 argus_ethernames.h -rw-r--r-- 1 carter staff 4391 Jun 21 12:41 argus_ethertype.h -rw-r--r-- 1 carter staff 8889 Jun 21 12:41 argus_filter.h -rw-r--r-- 1 carter staff 3436 Jul 19 15:49 argus_geneve.h -rw-r--r-- 1 carter staff 1042 Jun 21 12:41 argus_gmpls.h -rw-r--r-- 1 carter staff 3329 Jul 19 15:49 argus_gre.h -rw-r--r-- 1 carter staff 2845 Jun 21 12:41 argus_int.h -rw-r--r-- 1 carter staff 18756 Jun 21 12:41 argus_isis.h -rw-r--r-- 1 carter staff 5263 Jun 21 12:41 argus_llc.h -rw-r--r-- 1 carter staff 4145 Jun 21 12:41 argus_namedb.h -rw-r--r-- 1 carter staff 5986 Jun 21 12:41 argus_os.h -rw-r--r-- 1 carter staff 33153 Nov 12 10:58 argus_out.h -rw-r--r-- 1 carter staff 52828 Jun 21 12:41 argus_parse.h -rw-r--r-- 1 carter staff 4759 Jun 21 12:41 argus_parser.h -rw-r--r-- 1 carter staff 3374 Jun 21 12:41 argus_udt.h -rw-r--r-- 1 carter staff 5505 Jun 21 12:41 argus_util.h -rw-r--r-- 1 carter staff 43456 Jun 21 12:41 argus_v3_def.h drwxr-xr-x 7 carter staff 224 Jun 21 12:41 cygwin-include drwxr-xr-x 8 carter staff 256 Jun 21 12:41 net drwxr-xr-x 3 carter staff 96 Jun 21 12:41 netbsd-include drwxr-xr-x 4 carter staff 128 Jun 21 12:41 netinet ./include/argus: total 248 -rw-r--r-- 1 carter staff 23710 Jun 21 12:41 CflowdFlowPdu.h -rw-r--r-- 1 carter staff 3789 Jun 21 12:41 bootp.h -rw-r--r-- 1 carter staff 3262 Jun 21 12:41 cflowd.h -rw-r--r-- 1 carter staff 4724 Jun 21 12:41 cons_def.h -rw-r--r-- 1 carter staff 4505 Jun 21 12:41 cons_out.h -rw-r--r-- 1 carter staff 8776 Jun 21 12:41 extract.h -rw-r--r-- 1 carter staff 3918 Jun 21 12:41 fddi.h -rw-r--r-- 1 carter staff 10088 Jun 21 12:41 gencode.h -rw-r--r-- 1 carter staff 956 Jun 21 12:41 global.h -rw-r--r-- 1 carter staff 18690 Jun 21 12:41 ieee802_11.h -rw-r--r-- 1 carter staff 1470 Jun 21 12:41 md5.h -rw-r--r-- 1 carter staff 2424 Jun 21 12:41 ppp.h -rw-r--r-- 1 carter staff 4830 Jun 21 12:41 saslint.h -rw-r--r-- 1 carter staff 5670 Jun 21 12:41 sll.h ./include/cygwin-include: total 0 drwxr-xr-x 4 carter staff 128 Jun 21 12:41 linux drwxr-xr-x 3 carter staff 96 Jun 21 12:41 net drwxr-xr-x 11 carter staff 352 Jun 21 12:41 netinet drwxr-xr-x 3 carter staff 96 Jun 21 12:41 protocols drwxr-xr-x 3 carter staff 96 Jun 21 12:41 sys ./include/cygwin-include/linux: total 16 -rw-r--r-- 1 carter staff 1728 Jun 21 12:41 if_arp.h -rw-r--r-- 1 carter staff 3092 Jun 21 12:41 igmp.h ./include/cygwin-include/net: total 8 -rw-r--r-- 1 carter staff 1734 Jun 21 12:41 if_arp.h ./include/cygwin-include/netinet: total 104 -rw-r--r-- 1 carter staff 8866 Jun 21 12:41 icmp6.h -rw-r--r-- 1 carter staff 1984 Jun 21 12:41 if_ether.h -rw-r--r-- 1 carter staff 3480 Jun 21 12:41 igmp.h -rw-r--r-- 1 carter staff 3729 Jun 21 12:41 ip6.h -rw-r--r-- 1 carter staff 5013 Jun 21 12:41 ip_icmp.h -rw-r--r-- 1 carter staff 3198 Jun 21 12:41 ip_var.h -rw-r--r-- 1 carter staff 6380 Jun 21 12:41 tcp_var.h -rw-r--r-- 1 carter staff 1033 Jun 21 12:41 tcpip.h -rw-r--r-- 1 carter staff 1086 Jun 21 12:41 udp_var.h ./include/cygwin-include/protocols: total 8 -rw-r--r-- 1 carter staff 2340 Jun 21 12:41 routed.h ./include/cygwin-include/sys: total 8 -rw-r--r-- 1 carter staff 49 Jun 21 12:41 mbuf.h ./include/net: total 72 -rw-r--r-- 1 carter staff 3225 Jun 21 12:41 arcnet.h -rw-r--r-- 1 carter staff 2175 Jun 21 12:41 etherdefs.h -rw-r--r-- 1 carter staff 12674 Jun 21 12:41 nff.h -rw-r--r-- 1 carter staff 3566 Jun 21 12:41 ppp.h -rw-r--r-- 1 carter staff 3876 Jun 21 12:41 slcompress.h -rw-r--r-- 1 carter staff 1106 Jun 21 12:41 slip.h ./include/netbsd-include: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 netinet ./include/netbsd-include/netinet: total 8 -rw-r--r-- 1 carter staff 1570 Jun 21 12:41 rtp.h ./include/netinet: total 24 -rw-r--r-- 1 carter staff 4895 Jun 21 12:41 rtp.h -rw-r--r-- 1 carter staff 2185 Jun 21 12:41 tcp_fsm.h ./lib: total 32 -rw-r--r-- 1 carter staff 4580 Nov 3 09:27 argus.spec -rw-r--r-- 1 carter staff 4606 Jun 21 12:41 argus.spec.in ./logo: total 8 -rw-r--r-- 1 carter staff 2491 Jun 21 12:41 argus_logo_medium-6aac34a9.png ./man: total 0 drwxr-xr-x 3 carter staff 96 Nov 14 10:03 man5 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 man8 ./man/man5: total 72 -rwxr-xr-x 1 carter staff 33359 Nov 14 10:03 argus.conf.5 ./man/man8: total 24 -rwxr-xr-x 1 carter staff 11795 Jun 21 12:41 argus.8 ./pkg: total 64 -rw-r--r--@ 1 carter staff 1346 Jun 21 12:41 README -rw-r--r-- 1 carter staff 27003 Jun 21 12:41 argus.conf drwxr-xr-x 3 carter staff 96 Jun 21 12:41 init.d drwxr-xr-x 3 carter staff 96 Jun 21 12:41 osx drwxr-xr-x 3 carter staff 96 Jun 21 12:41 sysconfig drwxr-xr-x 3 carter staff 96 Jun 21 12:41 systemd drwxr-xr-x 3 carter staff 96 Jun 21 12:41 win ./pkg/init.d: total 8 -rwxr-xr-x 1 carter staff 2798 Jun 21 12:41 argus ./pkg/osx: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 osx-pkg ./pkg/osx/osx-pkg: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 Contents ./pkg/osx/osx-pkg/Contents: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 MacOS ./pkg/osx/osx-pkg/Contents/MacOS: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 13:09 etc ./pkg/osx/osx-pkg/Contents/MacOS/etc: total 56 -rwxr-xr-x 1 carter staff 27614 Jun 21 13:09 argus.conf ./pkg/sysconfig: total 8 -rw-r--r-- 1 carter staff 271 Jun 21 12:41 argus ./pkg/systemd: total 8 -rw-r--r-- 1 carter staff 264 Jun 21 12:41 argus.service ./pkg/win: total 0 drwxr-xr-x 3 carter staff 96 Jun 21 12:41 etc ./pkg/win/etc: total 8 -rw-r--r-- 1 carter staff 674 Jun 21 12:41 argus.conf ./support: total 8 drwxr-xr-x 4 carter staff 128 Jun 21 12:41 Archive drwxr-xr-x 3 carter staff 96 Nov 14 10:03 Config drwxr-xr-x 3 carter staff 96 Jun 21 12:41 Deployment -rw-r--r--@ 1 carter staff 2390 Jun 21 12:41 README drwxr-xr-x 6 carter staff 192 Jun 21 12:41 Startup drwxr-xr-x 4 carter staff 128 Jun 21 12:41 System ./support/Archive: total 48 -rw-r--r-- 1 carter staff 5181 Jun 21 12:41 README.argusarchive -rwxr-xr-x 1 carter staff 14984 Jun 21 12:41 argusarchive ./support/Config: total 64 -rwxr-xr-x 1 carter staff 29451 Nov 14 10:03 argus.conf ./support/Deployment: total 16 -rwxr-xr-x 1 carter staff 7521 Jun 21 12:41 sample ./support/Startup: total 32 -rw-r--r--@ 1 carter staff 3577 Jun 21 12:41 README -rw-r--r-- 1 carter staff 3008 Jun 21 12:41 argus -rw-r--r-- 1 carter staff 559 Jun 21 12:41 argus.service -rw-r--r-- 1 carter staff 723 Jun 21 12:41 com.qosient.argus.plist ./support/System: total 16 -rwxr-xr-x 1 carter staff 1053 Jun 21 12:41 crontab -rwxr-xr-x 1 carter staff 705 Jun 21 12:41 magic argus-5.0.2/Makefile.in000066400000000000000000000122741471541253600147220ustar00rootroot00000000000000# # Argus-5.0 Software. Argus flow data generation. # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Makefile for Argus-5.0 # Copyright (C) 1996-2024 QoSient, LLC # All rights reserved # #### Start of system configuration section. #### @SET_MAKE@ CC = @CC@ INSTALL = @INSTALL@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_DATA = @INSTALL_DATA@ DEFS = @DEFS@ LIBS = @LIBS@ WRAPLIBS = @WRAPLIBS@ VERSION = @PACKAGE_VERSION@.@PACKAGE_RELEASE@ prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ srcdir = @srcdir@ docdir = @datadir@/doc/argus-5.0 #### End of system configuration section. #### SHELL = /bin/sh DIRS = ./common ./argus ./events INSTDIRS = ./argus ./events DISTFILES = AUTHORS INSTALL MANIFEST CREDITS README VERSION Makefile.in \ bin common argus events lib man support doc include pkg debian \ aclocal.m4 acsite.m4 config configure configure.ac lib/argus.spec \ .threads .c.o: $(CC) -c $(CPPFLAGS) $(DEFS) $(CFLAGS) $< .PHONY: install installdirs all all: force @-for d in $(DIRS);\ do \ (cd $$d; echo "### Making in" `pwd`;\ $(MAKE) $(MFLAGS) ;\ echo "### Done with" `pwd`);\ done install: force $(MAKE) $(MFLAGS) installdirs [ -d $(DESTDIR)@prefix@ ] || \ (mkdir -p $(DESTDIR)@prefix@; chmod 755 $(DESTDIR)@prefix@) [ -d $(DESTDIR)@sbindir@ ] || \ (mkdir -p $(DESTDIR)@sbindir@; chmod 755 $(DESTDIR)@sbindir@) [ -d $(DESTDIR)@bindir@ ] || \ (mkdir -p $(DESTDIR)@bindir@; chmod 755 $(DESTDIR)@bindir@) [ -d $(DESTDIR)$(exec_prefix)/argus ] || \ (mkdir -p $(DESTDIR)$(exec_prefix)/argus; chmod 755 $(DESTDIR)$(exec_prefix)/argus) [ -d $(DESTDIR)$(exec_prefix)/argus/archive ] || \ (mkdir -p $(DESTDIR)$(exec_prefix)/argus/archive; chmod 755 $(DESTDIR)$(exec_prefix)/argus/archive) @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make install in" `pwd`; \ $(MAKE) $(MFLAGS) install; \ echo "### Done with" `pwd`); \ done $(INSTALL) -m 0755 $(srcdir)/bin/argusbug $(DESTDIR)@bindir@/argusbug [ -d $(DESTDIR)@mandir@ ] || \ (mkdir -p $(DESTDIR)@mandir@; chmod 755 $(DESTDIR)@mandir@) [ -d $(DESTDIR)@mandir@/man5 ] || \ (mkdir -p $(DESTDIR)@mandir@/man5; chmod 755 $(DESTDIR)@mandir@/man5) [ -d $(DESTDIR)@mandir@/man8 ] || \ (mkdir -p $(DESTDIR)@mandir@/man8; chmod 755 $(DESTDIR)@mandir@/man8) $(INSTALL) -m 0644 $(srcdir)/man/man5/argus.conf.5 $(DESTDIR)@mandir@/man5/argus.conf.5 $(INSTALL) -m 0644 $(srcdir)/man/man8/argus.8 $(DESTDIR)@mandir@/man8/argus.8 install-doc: force $(MAKE) installdirs [ -d $(DESTDIR)@prefix@ ] || \ (mkdir -p $(DESTDIR)@prefix@; chmod 755 $(DESTDIR)@prefix@) [ -d $(DESTDIR)$(docdir) ] || \ (mkdir -p $(DESTDIR)$(docdir); chmod 755 $(DESTDIR)$(docdir)) $(INSTALL) -m 0644 $(srcdir)/README $(DESTDIR)$(docdir) uninstall: rm -f $(DESTDIR)@mandir@/man5/argus.5 rm -f $(DESTDIR)@mandir@/man5/argus.conf.5 rm -f $(DESTDIR)@mandir@/man8/argus.8 rm -rf $(DESTDIR)$(docdir) @for i in $(INSTDIRS) ; do \ if [ -d $$i ] ; then \ cd $$i; \ $(MAKE) $(MFLAGS) uninstall; \ cd ..; \ fi; \ done rm -f $(DESTDIR)@bindir@/argusbug installdirs: ${srcdir}/config/mkinstalldirs $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)\ $(DESTDIR)$(docdir) $(DESTDIR)$(exec_prefix)/argus/archive Makefile: Makefile.in config.status $(SHELL) config.status config.status: configure $(srcdir)/configure --no-create TAGS: $(SRCS) etags $(SRCS) .PHONY: clean mostlyclean distclean realclean dist clean: force @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make clean in" `pwd`; \ $(MAKE) $(MFLAGS) clean; \ echo "### Done with" `pwd`); \ done mostlyclean: clean distclean: force @-for d in $(DIRS); \ do \ (cd $$d; echo "### Make distclean in" `pwd`; \ $(MAKE) $(MFLAGS) distclean; \ echo "### Done with" `pwd`); \ done rm -rf log rm -f config.* rm -rf autom4te.cache rm -f TAGS rm -f lib/*.a rm -f bin/*.exe rm -f include/argus_config.h rm -f include/*~ clobber realclean: distclean rm -f ./Makefile rm -f ./*~ dist: distclean echo argus-`cat VERSION` > .fname rm -rf `cat .fname` mkdir `cat .fname` tar cf - $(DISTFILES) | (cd `cat .fname`; tar xpf -) ls -lR `cat .fname` | fgrep CVS: | sed 's/:$///' > exfile env COPYFILE_DISABLE=1 tar -X exfile -chzf `cat .fname`.tar.gz `cat .fname` rm -rf `cat .fname` .fname exfile force: /tmp depend: force @for i in $(DIRS) ; do \ if [ -d $$i ] ; then \ cd $$i; \ $(MAKE) $(MFLAGS) depend || exit 1; \ cd ..; \ fi; \ done # Prevent GNU make v3 from overflowing arg limit on SysV. .NOEXPORT: argus-5.0.2/README000066400000000000000000000100311471541253600135220ustar00rootroot00000000000000/* * Argus Software - README * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; version 3, or (at your option) any later * version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ Argus 5.0 Open Argus http://openargus.org This directory contains source code for Argus, an IP network transaction auditing tool, that generates comprehensive network flow data from a network traffic stream. Argus strives to be the advanced network flow data generator, capturing more network traffic features than other systems. The primary design goal of Argus is to generate network traffic audit data to enable leading edge network analysis, include modern AI/ML strategies, for any scale needed. The data that Argus generates has been used for a wide range of tasks including Network Operations, Security, Assurance and Performance Monitoring and Management, with an emphasis on network traffic auditing and forensics analysis. It is designed to generate network status data suitable for real-time network situtional awareness as well as historic analysis, to enable network baseline development, and anomaly detection strategies for network operations, performance and cyber security. This package contains the network activity sensor, that takes in raw packet data, from either a file or from the network, and generates network flow activity status records. Argus is comprehensive, in that it accounts for all network activity, not just IP (Layer 3) traffic. Use the accompaning argus-clients-5.0.0 tools to collect, process, print, graph, store, process, analyze, archive and manage the data that Argus generates. To install the software and get started, see the ./INSTALL file. For answers to many questions, please see the argus web site at http://qosient.com/argus. The Argus 5.0 has been ported to MacOS, Windows, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD, BSD Unix, AIX, HPUX, Irix, Onix, UniCos, VxWorks, Cygwin and OpenWRT, to name just a few, and the argus client software has been successfully used under most if not all the same platforms. If you port Argus to another system, please let us know on the mailing list. ************************************************************ IMPORTANT: Please send problems, bug reports, questions and comments to the argus mailing list at Carnegie Mellon University: argus-info@lists.andrew.cmu.edu. We encourage you to use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non- relevant to your problem. Bug reports not generated by Argusbug may be silently ignored by the Argus maintainers, so please use consider using the tool. Email that reports that 'Argus does not work. Why?' will be completely ignored. ************************************************************ Argus is the first netflow technology, started in 1984 at Georgia Tech, and adapted for cyber security operations in 1991 at Carengie Mellon University's Software Engineering Institute. While it has a long history, we still think of argus as innovative and leading edge. Comprehensive network transaction auditing is an extremely powerful network management tool, and a large number of sites do benefit from the prototype work that has been done through the Argus Project. Again, thank you for your interest in Argus. I hope that you find the software useful. Carter carter@qosient.com argus-5.0.2/README.rst000066400000000000000000000113661471541253600143450ustar00rootroot00000000000000.. image:: logo/argus_logo_medium-6aac34a9.png :alt: Argus Argus is the first network flow technology, developed by Carter Bullard in 1984 at the Georgia Instiute of Technology. Argus became a dedicated realtime network operations and performance monitor for the NSFnet backbone and the GaTech network by 1985, getting data from packet taps from IBMs core NSFnet routers and GaTech's campus edge switches. Network flow monitoring got its cyber security debut in 1986-1987 when Argus was used to detect the Legion of Doom's breakins of Equifax and Bell South. Argus provided critical network visibility during the infamous Morris Worm attack that devastated the ArpaNet and NSFnet in 1988, revealing the network techniques used by the worm. Carter continued developing Argus when he moved to the Computer Emergency Response Team (CERT) at Carnegie Mellon University's Software Engineering Institute in late 1989, where it was adapted for incident analysis and forensics data development. Argus was released as open source in 1994, and Carter has maintained the project since then. There have been a number of network flow technologies developed, primarily by US Federally Funded Research and Development Centers (FFRDC), and network equipment manufacturers like Cisco and Juniper et.al, which are fondly referred to as the 'Alphabet' flows. Standards orgs have developed several flow systems. The ITU has developed IPDR, and ETSI TS 132 297 V8.1.0 uses IPDR for 3GPP, and the IETF has developed an RFC for representing the data generated by flow systems, IPFIX. Each of these systems have their strengths and limitaions. The goal of the Argus project is to provide proof of concept innovative and leading edge capabilities for network flow technology. The Argus project provides for a network flow data generator, collection, distribution, analytics for a number of network operations, performance and security efforts. Argus was the first bi-directional flow sensor, it was the first flow technology to capture packet content, it was first to provide IP fragmentation tracking, it was the first FDDI, ATM and Infiniband flow sensor, it was first to generate IPv6 flow records, it was the first flow technology to capture packet dynamic metrics, first routing protocol flow sensor (ISIS), first for behavioral metrics such as keystroke detection, and during its 40 year lifetime, Argus was the first 1M, 10M, 100M, 1G, 10G and also the first demonstrated 100G non-statistical flow sensor. Some of these first's are still powerful distinquishing features not seen in other flow systems today. Primarily, Argus is a comprehensive network flow system, in that it classifies and accounts for any and all network activity, not just IP traffic, or just DNS or HTTP traffic. Argus based comprehensive network flow monitoring has been successfully deployed at scale throughout the US DoD, the US Gov't in projects such as the US National Science Foundation GLORIAD network, as well as in a large number of private enterprise networks, using the open source software provided by this site. This package contains the argus network audit sensor that processes raw packet data, from either a file or from network inteface(s), and generates network flow activity status records. The status records can be made available for near real-time analytic processing, as you would want for operational fault analysis or real-time intrusion detection, or can be stored and used to generate a network activity audit information system. Use the accompaning argus-clients-5.0 tools to collect, process, print, graph, store, filter, compare, archive and manage the data that Argus generates. To install the software and get started, see the ./INSTALL file. For answers to many questions, please see the argus web site at http://qosient.com/argus. The Argus 5.0 has been ported to MacOS, VxWorks, AIX, HPUX, Irix, Onix, SunOS, Solaris, Linux, FreeBSD, OpenBSD, NetBSD, BSD Unix, UniCos, Cygwin and OpenWRT, to name just a few, and the argus client software has been successfully used under most if not all the same platforms. If you port Argus to another system, please let us know on the mailing list. We encourage you to use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non-relevant to your problem. Bug reports not generated by Argusbug may be silently ignored by the Argus maintainers, so please use consider using the tool. Email that reports that 'Argus does not work. Why?' will be completely ignored. Again, thank you for your interest in Argus. I hope that you find the software useful. :Authors: Carter Bullard :Version: 5.0 as of 2023/11/20 argus-5.0.2/VERSION000066400000000000000000000000061471541253600137130ustar00rootroot000000000000005.0.2 argus-5.0.2/aclocal.m4000066400000000000000000000011411471541253600145040ustar00rootroot00000000000000# generated automatically by aclocal 1.10 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. m4_include([acsite.m4]) argus-5.0.2/acsite.m4000066400000000000000000001552261471541253600143740ustar00rootroot00000000000000dnl dnl Argus-5.0 Software. Argus flow data generation. dnl Copyright (c) 2000-2024 QoSient, LLC dnl All rights reserved. dnl dnl This program is free software, released under the GNU General dnl Public License; you can redistribute it and/or modify it under the terms dnl of the GNU General Public License as published by the Free Software dnl Foundation; either version 3, or any later version. dnl dnl Other licenses are available through QoSient, LLC. dnl Inquire at info@qosient.com. dnl dnl This program is distributed WITHOUT ANY WARRANTY; without even the dnl implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. dnl See the * GNU General Public License for more details. dnl dnl You should have received a copy of the GNU General Public License dnl along with this program; if not, write to the Free Software dnl Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. dnl dnl Copyright (c) 1995, 1996, 1997, 1998 dnl The Regents of the University of California. All rights reserved. dnl dnl $Id: //depot/gargoyle/argus/acsite.m4#6 $ dnl $DateTime: 2015/04/13 14:26:55 $ dnl $Change: 2989 $ dnl dnl QOSIENT and LBL autoconf macros dnl dnl dnl Check for flex require flex 2.4 or higher dnl Check for bison define the yy prefix string dnl dnl usage: dnl dnl AC_QOSIENT_LEX_AND_YACC(lex, yacc, yyprefix) dnl dnl results: dnl dnl $1 (lex set) dnl $2 (yacc appended) dnl $3 (optional flex and bison -P prefix) dnl AC_DEFUN([AC_QOSIENT_LEX_AND_YACC], [AC_CHECK_PROGS([$1], flex, lex) if test "$$1" = flex ; then AC_MSG_CHECKING(for flex 2.4 or higher) AC_CACHE_VAL(ac_cv_lbl_flex_v24, if flex -V >/dev/null 2>&1; then ac_cv_lbl_flex_v24=yes else ac_cv_lbl_flex_v24=no fi) AC_MSG_RESULT($ac_cv_lbl_flex_v24) if test $ac_cv_lbl_flex_v24 = no ; then s="2.4 or higher required" AC_MSG_WARN(ignoring obsolete flex executable ($s)) $1=lex fi else AC_MSG_ERROR(flex not found. see the INSTALL for more info) fi AC_CHECK_PROGS([$2], bison, yacc) if test "$$2" = bison ; then AC_MSG_CHECKING(for bison parameter set) $2="$$2 -y" AC_MSG_RESULT(yes) else AC_MSG_ERROR(bison not found. see the INSTALL for more info) fi if test "$$1" = flex -a -n "$3" ; then $1="$$1 -P$3" $2="$$2 -p $3" fi]) dnl dnl Determine which compiler we're using (cc or gcc) dnl If using gcc, determine the version number dnl If using cc, require that it support ansi prototypes dnl If using gcc, use -O3 (otherwise use -O) dnl If using cc, explicitly specify /usr/local/include dnl dnl usage: dnl dnl AC_LBL_C_INIT(copt, incls) dnl dnl results: dnl dnl $1 (copt set) dnl $2 (incls set) dnl CC dnl LDFLAGS dnl ac_cv_lbl_gcc_vers dnl LBL_CFLAGS dnl m4_define([AC_LBL_C_INIT], [AC_PREREQ(2.12) AC_BEFORE([$0], [AC_PROG_CC]) AC_BEFORE([$0], [AC_LBL_FIXINCLUDES]) AC_BEFORE([$0], [AC_LBL_DEVEL]) AC_BEFORE([$0], [AC_QOSIENT_DEBUG]) AC_ARG_WITH(gcc, [ --without-gcc don't use gcc]) AC_ARG_WITH(examples, [ --without-examples don't compile examples]) AC_ARG_WITH(pluribus, [AS_HELP_STRING([--with-pluribus],[Compile for pluribus])], with_pluribus=yes, with_pluribus=no) $1="-O" $2="" if test "${srcdir}" != "." ; then $2="-I\$(srcdir)" fi if test "${CFLAGS+set}" = set; then LBL_CFLAGS="$CFLAGS" fi if test -z "$CC" ; then case "$target_os" in *darwin*) AC_CHECK_PROG(CLANG, clang, yes, no) if test $CLANG = yes ; then CC=cc export CC fi ;; bsdi*) AC_CHECK_PROG(SHLICC2, shlicc2, yes, no) if test $SHLICC2 = yes ; then CC=shlicc2 export CC fi ;; esac fi if test -z "$CC" -a "$with_gcc" = no ; then CC=cc export CC fi AC_PROG_CC if test "$GCC" = yes ; then if test "$SHLICC2" = yes ; then ac_cv_lbl_gcc_vers=2 $1="-O3" else ac_cv_lbl_gcc_vers=0 AC_MSG_CHECKING(gcc version) AC_CACHE_VAL(ac_cv_lbl_gcc_vers, ac_cv_lbl_gcc_vers=`$CC -v 2>&1 | \ sed -e '/^gcc version /!d' \ -e 's/^gcc version //' \ -e 's/ .*//' -e 's/^[[[^0-9]]]*//' \ -e 's/\..*//'`) AC_MSG_RESULT($ac_cv_lbl_gcc_vers) if test $ac_cv_lbl_gcc_vers -gt 1 ; then $1="-O3" fi fi else AC_MSG_CHECKING(that $CC handles ansi prototypes) AC_CACHE_VAL(ac_cv_lbl_cc_ansi_prototypes, AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include ], [int frob(int, char *)])], ac_cv_lbl_cc_ansi_prototypes=yes, ac_cv_lbl_cc_ansi_prototypes=no)) AC_MSG_RESULT($ac_cv_lbl_cc_ansi_prototypes) if test $ac_cv_lbl_cc_ansi_prototypes = no ; then case "$target_os" in hpux*) AC_MSG_CHECKING(for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)) savedcflags="$CFLAGS" CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS" AC_CACHE_VAL(ac_cv_lbl_cc_hpux_cc_aa, AC_COMPILE_IFELSE( [AC_LANG_PROGRAM([#include ], [int frob(int, char *)])], [ac_cv_lbl_cc_hpux_cc_aa=yes], [ac_cv_lbl_cc_hpux_cc_aa=no])) AC_MSG_RESULT($ac_cv_lbl_cc_hpux_cc_aa) if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then AC_MSG_ERROR("see the INSTALL doc for more info") fi CFLAGS="$savedcflags" V_CCOPT="-Aa $V_CCOPT" AC_DEFINE(_HPUX_SOURCE,1,[needed on HP-UX]) ;; *) AC_MSG_ERROR(see the INSTALL doc for more info) ;; esac fi $2="$$2 -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" case "$target_os" in irix*) V_CCOPT="$V_CCOPT -xansi -signed -g3" ;; osf*) V_CCOPT="$V_CCOPT -std1 -g3" ;; ultrix*) AC_MSG_CHECKING(that Ultrix $CC hacks const in prototypes) AC_CACHE_VAL(ac_cv_lbl_cc_const_proto, AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include ], [struct a { int b; }; void c(const struct a *)])], ac_cv_lbl_cc_const_proto=yes, ac_cv_lbl_cc_const_proto=no)) AC_MSG_RESULT($ac_cv_lbl_cc_const_proto) if test $ac_cv_lbl_cc_const_proto = no ; then AC_DEFINE([const], [], [Description]) fi ;; esac fi ]) dnl dnl Check whether a given format can be used to print 64-bit integers dnl AC_DEFUN([AC_LBL_CHECK_64BIT_FORMAT], [ AC_MSG_CHECKING([whether %$1x can be used to format 64-bit integers]) AC_RUN_IFELSE( [ AC_LANG_SOURCE( [[ # ifdef HAVE_INTTYPES_H #include # endif # ifdef HAVE_SYS_BITYPES_H #include # endif #include #include main() { u_int64_t t = 1; char strbuf[16+1]; sprintf(strbuf, "%016$1x", t << 32); if (strcmp(strbuf, "0000000100000000") == 0) exit(0); else exit(1); } ]]) ], [ AC_DEFINE(PRId64, "$1d") AC_DEFINE(PRIo64, "$1o") AC_DEFINE(PRIx64, "$1x") AC_DEFINE(PRIu64, "$1u") AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) $2 ]) ]) dnl dnl Checks to see if unaligned memory accesses fail dnl dnl usage: dnl dnl AC_LBL_UNALIGNED_ACCESS dnl dnl results: dnl dnl LBL_ALIGN (DEFINED) dnl AC_DEFUN([AC_LBL_UNALIGNED_ACCESS], [AC_MSG_CHECKING(if unaligned accesses fail) AC_CACHE_VAL(ac_cv_lbl_unaligned_fail, [case "$target_cpu" in # XXX: should also check that they don't do weird things (like on arm) alpha*|arm*|hp*|mips|sparc) ac_cv_lbl_unaligned_fail=yes ;; *) cat >conftest.c < # include # include unsigned char a[[5]] = { 1, 2, 3, 4, 5 }; main() { unsigned int i; pid_t pid; int status; /* avoid "core dumped" message */ pid = fork(); if (pid < 0) exit(2); if (pid > 0) { /* parent */ pid = waitpid(pid, &status, 0); if (pid < 0) exit(3); exit(!WIFEXITED(status)); } /* child */ i = *(unsigned int *)&a[[1]]; printf("%d\n", i); exit(0); } EOF ${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \ conftest.c $LIBS >/dev/null 2>&1 if test ! -x conftest ; then dnl failed to compile for some reason ac_cv_lbl_unaligned_fail=yes else ./conftest >conftest.out if test ! -s conftest.out ; then ac_cv_lbl_unaligned_fail=yes else ac_cv_lbl_unaligned_fail=no fi fi rm -rf conftest* core core.conftest ;; esac]) AC_MSG_RESULT($ac_cv_lbl_unaligned_fail) if test $ac_cv_lbl_unaligned_fail = yes ; then AC_DEFINE([LBL_ALIGN], [], [Description]) fi]) dnl dnl If using gcc and the file .devel exists: dnl Compile with -g (if supported) and -Wall dnl If using gcc 2, do extra prototype checking dnl If an os prototype include exists, symlink os-proto.h to it dnl dnl usage: dnl dnl AC_LBL_DEVEL(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_LBL_DEVEL], [rm -f os-proto.h if test "${LBL_CFLAGS+set}" = set; then $1="$$1 ${LBL_CFLAGS}" fi if test -f .devel ; then $1=`echo $$1 | sed -e 's/-O3//'` $1=`echo $$1 | sed -e 's/-O//'` if test "$GCC" = yes ; then if test "${LBL_CFLAGS+set}" != set; then if test "$ac_cv_prog_cc_g" = yes ; then $1="-g $$1" fi $1="$$1 -Wall" if test $ac_cv_lbl_gcc_vers -gt 1 ; then $1="$$1 -Wmissing-prototypes" fi fi else case "$target_os" in solaris*) $1="$$1 -g" ;; irix6*) V_CCOPT="$V_CCOPT -n32" ;; *) ;; esac fi fi]) dnl dnl If the file .debug exists: dnl Add ARGUS_DEBUG to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_DEBUG(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_DEBUG], [ if test -f .debug ; then AC_DEFINE([ARGUSDEBUG], [], [Using Argus debug]) fi]) dnl dnl Option to provide location of Flexnet Publisher libraries & source dnl dnl usage: dnl dnl AC_QOSIENT_FLEXLM(dirvariable) dnl dnl results: dnl dnl $1 (flexlm directory set) dnl $2 (flexlm architecture) dnl AC_DEFUN([AC_QOSIENT_FLEXLM], [AC_ARG_WITH(flexlm, [AS_HELP_STRING([--with-flexlm=DIR],[location of Flexnet Publisher distribution])], [ with_flexlm="$withval" AC_DEFINE([ARGUS_FLEXLM], [], [Using FlexLM]) $1="$withval" case $target in x86_64-*-linux-gnu) $2=x64_lsb ;; *-apple-darwin*) $2=universal_mac10 ;; i686-pc-cygwin) $2=i86_n3 ;; esac ] )]) dnl dnl If the file .threads exists: dnl Add ARGUS_THREADS to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_THREADS(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_THREADS], [AC_ARG_WITH(threads, [AS_HELP_STRING([--without-threads],[don't use native threads package])], with_threads="$withval", with_threads="yes") if test "$with_threads" != no; then case "$host_os" in *openbsd*) ;; *) AC_MSG_CHECKING(for .threads) if test -f .threads ; then AC_MSG_RESULT(yes) $1="" if test "$GCC" = yes ; then case "$host_os" in *darwin*) ;; cygwin*) ;; *) $1="-lpthread $$1" ;; esac else case "$host_os" in solaris*) $1="-mt -lpthread $$1" ;; cygwin*) ;; *darwin*) ;; *) $1="-lpthread $$1" ;; esac fi AC_DEFINE([ARGUS_THREADS], [], [Using Argus threads]) AC_CHECK_FUNCS(sched_get_priority_min) else AC_MSG_RESULT(no) fi ;; esac fi ]) dnl dnl By default: dnl Add ARGUS_NANOSECONDS to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_NANOSECONDS(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_HASHDEBUG], [AC_ARG_WITH(hashdebug, [AS_HELP_STRING([--with-hashdebug],[enable hash table debugging ])], with_hashdebug="$withval", with_hashdebug="no") if test "$with_hashdebug" != no; then AC_DEFINE([ARGUS_HASH_DEBUG], [], [Enabling hashtable debugging]) fi ]) dnl dnl By default: dnl Add ARGUS_NANOSECONDS to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_NANOSECONDS(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_NANOSECONDS], [AC_ARG_WITH(nanoseconds, [AS_HELP_STRING([--without-nanoseconds],[don't use nanosecond timestamps])], with_nanoseconds="$withval", with_nanoseconds="yes") AC_MSG_CHECKING(for nanosecond timestamps) if test "$with_nanoseconds" != no; then AC_DEFINE([ARGUS_NANOSECONDS], [], [Using nanosecond timestamps]) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) fi ]) dnl dnl dnl usage: dnl dnl AC_QOSIENT_READLINE(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl dnl dnl usage: dnl dnl AC_QOSIENT_PCRE(pcrelib, incls) dnl dnl results: dnl dnl $1 (pcrelib set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_PCRE], [ AC_ARG_WITH(libpcre, [AS_HELP_STRING([--with-libpcre=DIR],[Compile with libpcre in ])], with_libpcre="$withval", with_libpcre="no") if test ${with_libpcre} != "no"; then AC_MSG_CHECKING(for pcre library) AC_ARG_WITH(pcre-config, [AS_HELP_STRING([--with-pcre-config=PATH], [Location of PCRE pcre-config (auto)])], with_pcre_config="$withval", with_pcre_config="yes") if test ${with_pcre_config} != "no"; then if test -f $with_pcre_config ; then PCRE_CONFIG=$with_pcre_config else AC_CHECK_PROGS(PCRE_CONFIG, pcre-config) fi fi if test "x$PCRE_CONFIG" != "x"; then PCRE_CFLAGS=`$PCRE_CONFIG --cflags` PCRE_LIBS=`$PCRE_CONFIG --libs-posix` fi if test "x$PCRE_LIBS" != "x" ; then AC_DEFINE([ARGUS_PCRE], [], [Using System Pcre Library]) $1=$PCRE_LIBS; $2="$PCRE_CFLAGS $$2" else AC_CHECK_HEADERS(regex.h,, AC_MSG_ERROR(neither pcre nor regex found)) fi else AC_CHECK_HEADERS(regex.h,, AC_MSG_ERROR(regex not found)) fi ]) AC_DEFUN([AC_QOSIENT_READLINE], [ LBL_LIBS="$LIBS" LIBS="$LIBS $CURSESLIB" READLINELIB="" READLINEHOOK="" READLINEREPLACELINE="" AC_CHECK_HEADER(readline/readline.h, AC_CHECK_LIB(readline, readline, READLINELIB="-lreadline",,),) if test ! -z "$READLINELIB"; then AC_DEFINE([ARGUS_READLINE], [], [Using System Readline]) $1="$READLINELIB" AC_CHECK_LIB(readline, rl_event_hook, READLINEHOOK="yes",,) if test ! -z "$READLINEHOOK"; then AC_DEFINE([ARGUS_READLINE_EVENT_HOOK], [], [Using System Readline Event Hook]) AC_CHECK_LIB(readline, rl_replace_line, READLINEREPLACELINE="yes",,) if test ! -z "$READLINEREPLACELINE"; then AC_DEFINE([ARGUS_READLINE_REPLACE_LINE], [], [Using System Readline Replace Line]) fi fi fi LIBS="$LBL_LIBS" ]) dnl dnl If the file .memory exists: dnl Add ARGUSMEMDEBUG to the condefs.h file. dnl dnl usage: dnl dnl AC_QOSIENT_MEMORY(copt) dnl dnl results: dnl dnl $1 (copt appended) dnl AC_DEFUN([AC_QOSIENT_MEMORY], [ if test -f .memory ; then AC_DEFINE([ARGUSMEMDEBUG], [], [Using Argus memory]) fi]) dnl dnl Use pfopen.c if available and pfopen() not in standard libraries dnl Require libpcap dnl Look for libpcap in .. dnl Use the installed libpcap if there is no local version dnl dnl usage: dnl dnl AC_QOSIENT_LIBPCAP(pcapdep, incls) dnl AC_LBL_LIBPCAP(pcapdep, incls) with mods dnl dnl results: dnl dnl $1 (pcapdep set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_LIBPCAP], [ AC_ARG_WITH(libpcap, [AS_HELP_STRING([--with-libpcap=DIR],[Compile with libpcap in ])], with_libpcap="$withval", with_libpcap="yes") AC_REQUIRE([AC_LBL_LIBRARY_NET]) dnl dnl save a copy before locating libpcap.a dnl LBL_LIBS="$LIBS" libpcap=FAIL lastdir=FAIL if test ${with_libpcap} != "yes"; then AC_MSG_CHECKING(for specified library) for dir in ${with_libpcap}; do if test -r $dir/libpcap.a ; then if test -x $dir/pcap-config ; then libpcap="$dir/libpcap.a `$dir/pcap-config --additional-libs --static`" else libpcap=$dir/libpcap.a fi AC_MSG_RESULT($libpcap) $1=$libpcap AC_MSG_CHECKING(for specified pcap.h) if test -r $dir/pcap.h; then d=$dir AC_MSG_RESULT(found) $2="-I$d $$2" else AC_MSG_WARN(not found) fi dnl continue and select the last one that exists fi done else pfopen=/usr/examples/packetfilter/pfopen.c if test -f $pfopen ; then AC_CHECK_FUNCS(pfopen) if test $ac_cv_func_pfopen = "no" ; then AC_MSG_RESULT(Using $pfopen) LIBS="$LIBS $pfopen" fi fi AC_MSG_CHECKING(for local pcap library) places=`ls $srcdir/.. | sed -e 's,/$,,' -e "s,^,$srcdir/../," | \ grep -E '/libpcap-[[0-9]]*.[[0-9]]*(.[[0-9]]*)?([[ab]][[0-9]]*)?$'` for dir in $places $srcdir/../libpcap $srcdir/libpcap ; do basedir=`echo $dir | sed -e 's/[[ab]][[0-9]]*$//'` if test $lastdir = $basedir ; then dnl skip alphas when an actual release is present continue; fi lastdir=$dir if test -r $dir/libpcap.a ; then if test -r $dir/pcap.h ; then libpcap=$dir/libpcap.a d=$dir fi dnl continue and select the last one that exists fi done if ! test "$libpcap" = FAIL; then AC_MSG_RESULT($libpcap) $1=$libpcap $2="-I$d $$2" AC_PATH_PROG(PCAP_CONFIG, pcap-config,, $d) if test -n "$PCAP_CONFIG"; then # # The libpcap directory has a pcap-config script. # Use it to get any additioal libraries needed # to link with the libpcap archive library in # that directory # libpcap="$libpcap `$PCAP_CONFIG --additional-libs --static`" fi fi fi if test "$libpcap" = FAIL ; then AC_MSG_RESULT(not found) # # Look for pcap-config. # AC_PATH_PROG(PCAP_CONFIG, pcap-config) if test -n "$PCAP_CONFIG" ; then # # Found - use it to get the include flags for # libpcap and the flags to link with libpcap. # libpcap="`$PCAP_CONFIG --libs`" $2="`$PCAP_CONFIG --cflags` $$2" $1="$libpcap" else AC_CHECK_LIB(pcap, main, libpcap="-lpcap") if test $libpcap = FAIL ; then AC_MSG_RESULT(not found) AC_CHECK_LIB(pcap, main, libpcap="-lwpcap") if test $libpcap = FAIL ; then AC_MSG_CHECKING(for local wpcap library) dir="../WpdPack" if test -r $dir/Lib/libwpcap.a; then libpcap="$dir/Lib/libwpcap.a" $1="$libpcap" elif test -r ../npcap/Lib/x64/wpcap.lib; then dir="../npcap" libpcap="../npcap/Lib/x64/wpcap.lib" $1="$libpcap" else AC_MSG_RESULT(no) AC_MSG_ERROR(see the INSTALL doc for more info) fi else $1="$libpcap" fi else $1="$libpcap" fi dnl dnl Good old Red Hat Linux puts "pcap.h" in dnl "/usr/include/pcap"; had the LBL folks done so, dnl that would have been a good idea, but for dnl the Red Hat folks to do so just breaks source dnl compatibility with other systems. dnl dnl We work around this by assuming that, as we didn't dnl find a local libpcap, libpcap is in /usr/lib or dnl /usr/local/lib and that the corresponding header dnl file is under one of those directories; if we don't dnl find it in either of those directories, we check to dnl see if it's in a "pcap" subdirectory of them and, dnl if so, add that subdirectory to the "-I" list. dnl AC_MSG_CHECKING(for extraneous pcap header directories) if test \( ! -r /usr/local/include/pcap.h \) -a \ \( ! -r /usr/include/pcap.h \); then if test -r /usr/local/include/pcap/pcap.h; then d="/usr/local/include/pcap" elif test -r /usr/include/pcap/pcap.h; then d="/usr/include/pcap" elif test -r $dir/Include/pcap.h; then d=$dir/Include fi fi if test -z "$d" ; then AC_MSG_RESULT(not found) else $2="-I$d $$2" AC_MSG_RESULT(found -- -I$d added) fi fi fi $2=`echo $$2 | sed -e 's/\.\./..\/../'` LIBS="$LIBS $libpcap" case "$host_os" in aix*) pseexe="/lib/pse.exp" AC_MSG_CHECKING(for $pseexe) if test -f $pseexe ; then AC_MSG_RESULT(yes) LIBS="$LIBS -I:$pseexe" fi # # We need "-lodm" and "-lcfg", as libpcap requires them on # AIX, and we just build a static libpcap.a and thus can't # arrange that when you link with libpcap you automatically # link with those libraries. # LIBS="$LIBS -lodm -lcfg" ;; esac dnl dnl Check for "pcap_list_datalinks()", "pcap_set_datalink()", dnl and "pcap_datalink_name_to_val()", and use substitute versions dnl if they're not present. dnl AC_CHECK_FUNC(pcap_list_datalinks, AC_DEFINE([HAVE_PCAP_LIST_DATALINKS], [], [pcap list datalinks]), [ AC_LIBOBJ(datalinks) ]) AC_CHECK_FUNC(pcap_set_datalink, AC_DEFINE([HAVE_PCAP_SET_DATALINK], [], [pcap set datalink])) AC_CHECK_FUNC(pcap_datalink_name_to_val, [ AC_DEFINE([HAVE_PCAP_DATALINK_NAME_TO_VAL], [], [pcap datalink name]) AC_CHECK_FUNC(pcap_datalink_val_to_description, AC_DEFINE([HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION], [], [pcap datalink val to desc]), [ AC_LIBOBJ(dlnames) ]) ], [ AC_LIBOBJ(dlnames) ]) AC_CHECK_FUNC(pcap_findalldevs_nochecks, AC_DEFINE([HAVE_PCAP_FINDALLDEVS_NOCHECKS], [], [pcap list datalinks])) dnl dnl Check for vital pcap routines; you can't substitute for them if dnl they are absent (it has hooks into the live capture routines), dnl so just define the HAVE_ value if it's there. dnl AC_CHECK_FUNCS(pcap_set_buffer_size) AC_CHECK_FUNCS(pcap_fopen_offline) AC_CHECK_FUNCS(pcap_get_selectable_fd) AC_CHECK_FUNCS(pcap_next_ex) AC_CHECK_FUNCS(pcap_dump_ftell) AC_CHECK_FUNCS(pcap_dump_flush) AC_CHECK_FUNCS(pcap_open_offline_with_tstamp_precision) AC_CHECK_FUNCS(pcap_fopen_offline_with_tstamp_precision) AC_CHECK_FUNCS(pcap_set_tstamp_type) AC_CHECK_FUNCS(pcap_set_tstamp_precision) LIBS="$LBL_LIBS" ]) dnl dnl Find libwrappers dnl Look for libwrappers in .. dnl Use the installed libwrappers if there is no local version dnl dnl usage: dnl dnl AC_QOSIENT_TCPWRAP(wrapdep, incls) dnl dnl results: dnl dnl $1 (wrapdep set) dnl $2 (incls appended) dnl LIBS dnl LBL_LIBS dnl AC_DEFUN([AC_QOSIENT_TCPWRAP], [ AC_ARG_WITH(tcpwrappers, [AS_HELP_STRING([--with-wrappers=DIR],[Compile with tcpwrappers in ])], with_wrappers="$withval", with_wrappers="yes") if test ${with_wrappers} != "no"; then saved_CPPFLAGS=$CPPFLAGS saved_LDFLAGS=$LDFLAGS saved_LIBS=$LIBS if test ${with_wrappers} != "yes"; then CPPFLAGS="${saved_CPPFLAGS} -I${with_wrappers}/include" LDFLAGS="${save_LDFLAGS} -L${with_wrappers}/lib" else AC_MSG_CHECKING(for local tcp_wrappers library) libwrap=FAIL lastdir=FAIL pwdir=`pwd` places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | grep -E 'tcp_wrappers'` for dir in $places; do if test $lastdir = $dir ; then dnl skip alphas when an actual release is present continue; fi lastdir=$dir if test -r $dir/libwrap.a ; then libwrap=$dir/libwrap.a d=$dir dnl continue and select the last one that exists fi done if test $libwrap = FAIL ; then AC_MSG_RESULT(not found) AC_MSG_CHECKING(for system tcp_wrappers library) case "$target_os" in solaris*) dnl Workaround to look for wrappers on mac os x and solaris in /opt/local CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; darwin*) dnl Workaround to look for wrappers on mac os x and solaris in /opt/local CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; esac AC_CHECK_HEADERS(tcpd.h, AC_CHECK_DECLS([fromhost ], [] , [] , [ #include ]), ac_cv_found_wrappers=no) if test "$ac_cv_found_wrappers" != no; then $1="-lwrap" $2=$CPPFLAGS AC_DEFINE([ARGUS_WRAPPERS], [], [Using System TcpWrappers Library]) else LIBS=$saved_LIBS LDFLAGS=$saved_LDFLAGS CPPFLAGS=$saved_CPPFLAGS fi fi fi fi ]) dnl dnl Improved version of AC_CHECK_LIB dnl dnl Thanks to John Hawkinson (jhawk@mit.edu) dnl dnl usage: dnl dnl AC_LBL_CHECK_LIB(LIBRARY, FUNCTION [, ACTION-IF-FOUND [, dnl ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]]) dnl dnl results: dnl dnl LIBS dnl AC_DEFUN([AC_LBL_CHECK_LIB], [AC_MSG_CHECKING([for $2 in -l$1]) dnl Use a cache variable name containing both the library and function name, dnl because the test really is for library $1 defining function $2, not dnl just for library $1. Separate tests with the same $1 and different $2's dnl may have different results. ac_lib_var=`echo $1['_']$2['_']$5 | sed 'y%./+- %__p__%'` AC_CACHE_VAL(ac_cv_lbl_lib_$ac_lib_var, [ac_save_LIBS="$LIBS" LIBS="-l$1 $5 $LIBS" AC_TRY_LINK(dnl ifelse([$2], [main], , dnl Avoid conflicting decl of main. [/* Override any gcc2 internal prototype to avoid an error. */ ]ifelse(AC_LANG, CPLUSPLUS, [#ifdef __cplusplus extern "C" #endif ])dnl [/* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char $2(); ]), [$2()], eval "ac_cv_lbl_lib_$ac_lib_var=yes", eval "ac_cv_lbl_lib_$ac_lib_var=no") LIBS="$ac_save_LIBS" ])dnl if eval "test \"`echo '$ac_cv_lbl_lib_'$ac_lib_var`\" = yes"; then AC_MSG_RESULT(yes) ifelse([$3], , [changequote(, )dnl ac_tr_lib=HAVE_LIB`echo $1 | sed -e 's/[^a-zA-Z0-9_]/_/g' \ -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` changequote([, ])dnl AC_DEFINE_UNQUOTED($ac_tr_lib) LIBS="-l$1 $LIBS" ], [$3]) else AC_MSG_RESULT(no) ifelse([$4], , , [$4 ])dnl fi ]) dnl dnl AC_LBL_LIBRARY_NET dnl dnl This test is for network applications that need socket() and dnl gethostbyname() -ish functions. Under Solaris, those applications dnl need to link with "-lsocket -lnsl". Under IRIX, they need to link dnl with "-lnsl" but should *not* link with "-lsocket" because dnl libsocket.a breaks a number of things (for instance: dnl gethostbyname() under IRIX 5.2, and snoop sockets under most dnl versions of IRIX). dnl dnl Unfortunately, many application developers are not aware of this, dnl and mistakenly write tests that cause -lsocket to be used under dnl IRIX. It is also easy to write tests that cause -lnsl to be used dnl under operating systems where neither are necessary (or useful), dnl such as SunOS 4.1.4, which uses -lnsl for TLI. dnl dnl This test exists so that every application developer does not test dnl this in a different, and subtly broken fashion. dnl It has been argued that this test should be broken up into two dnl seperate tests, one for the resolver libraries, and one for the dnl libraries necessary for using Sockets API. Unfortunately, the two dnl are carefully intertwined and allowing the autoconf user to use dnl them independantly potentially results in unfortunate ordering dnl dependancies -- as such, such component macros would have to dnl carefully use indirection and be aware if the other components were dnl executed. Since other autoconf macros do not go to this trouble, dnl and almost no applications use sockets without the resolver, this dnl complexity has not been implemented. dnl dnl The check for libresolv is in case you are attempting to link dnl statically and happen to have a libresolv.a lying around (and no dnl libnsl.a). dnl AC_DEFUN([AC_LBL_LIBRARY_NET], [ # Most operating systems have gethostbyname() in the default searched # libraries (i.e. libc): # Some OSes (eg. Solaris) place it in libnsl # Some strange OSes (SINIX) have it in libsocket: AC_SEARCH_LIBS(gethostbyname, nsl socket resolv) # Unfortunately libsocket sometimes depends on libnsl and # AC_SEARCH_LIBS isn't up to the task of handling dependencies like this. if test "$ac_cv_search_gethostbyname" = "no" then AC_CHECK_LIB(socket, gethostbyname, LIBS="-lsocket -lnsl $LIBS", , -lnsl) fi AC_SEARCH_LIBS(socket, socket, , AC_CHECK_LIB(socket, socket, LIBS="-lsocket -lnsl $LIBS", , -lnsl)) # DLPI needs putmsg under HPUX so test for -lstr while we're at it AC_SEARCH_LIBS(putmsg, str) ]) dnl dnl If using gcc, make sure we have ANSI ioctl definitions dnl dnl usage: dnl dnl AC_LBL_FIXINCLUDES dnl AC_DEFUN([AC_LBL_FIXINCLUDES], [if test "$GCC" = yes ; then AC_MSG_CHECKING(for ANSI ioctl definitions) AC_CACHE_VAL(ac_cv_lbl_gcc_fixincludes, AC_COMPILE_IFELSE([AC_LANG_PROGRAM( [/* * This generates a "duplicate case value" when fixincludes * has not be run. */ # include # include # include # ifdef HAVE_SYS_IOCCOM_H # include # endif], [switch (0) { case _IO('A', 1):; case _IO('B', 1):; }])]), ac_cv_lbl_gcc_fixincludes=yes, ac_cv_lbl_gcc_fixincludes=no) AC_MSG_RESULT($ac_cv_lbl_gcc_fixincludes) if test $ac_cv_lbl_gcc_fixincludes = no ; then # Don't cache failure unset ac_cv_lbl_gcc_fixincludes AC_MSG_ERROR(see the INSTALL for more info) fi fi]) AC_DEFUN([CMU_TEST_LIBPATH], [ changequote(<<, >>) define(<>, translit(ac_cv_found_$2_lib, <<- *>>, <<__p>>)) changequote([, ]) if test "$CMU_AC_CV_FOUND" = "yes"; then if test \! -r "$1/lib$2.a" -a \! -r "$1/lib$2.so" -a \! -r "$1/lib$2.sl" -a \! -r "$1/lib$2.dylib"; then CMU_AC_CV_FOUND=no fi fi ]) AC_DEFUN([CMU_TEST_INCPATH], [ changequote(<<, >>) define(<>, translit(ac_cv_found_$2_inc, [ *], [_p])) changequote([, ]) if test "$CMU_AC_CV_FOUND" = "yes"; then if test \! -r "$1/$2.h"; then CMU_AC_CV_FOUND=no fi fi ]) dnl CMU_CHECK_HEADER_NOCACHE(HEADER-FILE, [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND]]) AC_DEFUN([CMU_CHECK_HEADER_NOCACHE], [dnl Do the transliteration at runtime so arg 1 can be a shell variable. ac_safe=`echo "$1" | sed 'y%./+-%__p_%'` AC_MSG_CHECKING([for $1]) AC_PREPROC_IFELSE([AC_LANG_SOURCE([#include <$1>])], eval "ac_cv_header_$ac_safe=yes", eval "ac_cv_header_$ac_safe=no") if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) else AC_MSG_RESULT(no) ifelse([$3], , , [$3 ])dnl fi ]) AC_DEFUN([CMU_FIND_LIB_SUBDIR], [dnl AC_ARG_WITH([lib-subdir], AS_HELP_STRING([--with-lib-subdir=DIR],[Find libraries in DIR instead of lib])) AC_CHECK_SIZEOF(long) AC_CACHE_CHECK([what directory libraries are found in], [ac_cv_cmu_lib_subdir], [test "X$with_lib_subdir" = "Xyes" && with_lib_subdir= test "X$with_lib_subdir" = "Xno" && with_lib_subdir= if test "X$with_lib_subdir" = "X" ; then ac_cv_cmu_lib_subdir=lib if test $ac_cv_sizeof_long -eq 4 ; then test -d /usr/lib32 && ac_cv_cmu_lib_subdir=lib32 fi if test $ac_cv_sizeof_long -eq 8 ; then test -d /usr/lib64 && ac_cv_cmu_lib_subdir=lib64 fi else ac_cv_cmu_lib_subdir=$with_lib_subdir fi]) AC_SUBST(CMU_LIB_SUBDIR, $ac_cv_cmu_lib_subdir) ]) dnl sasl.m4--sasl libraries and includes dnl Derrick Brashear dnl from KTH sasl and Arla AC_DEFUN([CMU_SASL_INC_WHERE1], [ saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$saved_CPPFLAGS -I$1" CMU_CHECK_HEADER_NOCACHE(sasl.h, ac_cv_found_sasl_inc=yes, ac_cv_found_sasl_inc=no) CPPFLAGS=$saved_CPPFLAGS ]) AC_DEFUN([CMU_SASL_INC_WHERE], [ for i in $1; do CMU_SASL_INC_WHERE1($i) CMU_TEST_INCPATH($i, sasl) if test "$ac_cv_found_sasl_inc" = "yes"; then ac_cv_sasl_where_inc=$i break fi done ]) AC_DEFUN([CMU_SASL_LIB_WHERE1], [ saved_LIBS=$LIBS LIBS="$saved_LIBS -L$1 -lsasl" AC_TRY_LINK(, [sasl_getprop();], [ac_cv_found_sasl_lib=yes], ac_cv_found_sasl_lib=no) LIBS=$saved_LIBS ]) AC_DEFUN([CMU_SASL_LIB_WHERE], [ for i in $1; do CMU_SASL_LIB_WHERE1($i) dnl deal with false positives from implicit link paths CMU_TEST_LIBPATH($i, sasl) if test "$ac_cv_found_sasl_lib" = "yes" ; then ac_cv_sasl_where_lib=$i break fi done ]) AC_DEFUN([CMU_SASL], [ AC_REQUIRE([CMU_FIND_LIB_SUBDIR]) AC_ARG_WITH(sasl, [ --with-sasl=DIR|yes use with libsasl in no], with_sasl="$withval", with_sasl="no") if test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/$CMU_LIB_SUBDIR ac_cv_sasl_where_inc=${with_sasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" fi AC_CHECK_HEADER(sasl.h, AC_CHECK_LIB(sasl, sasl_getprop, ac_cv_found_sasl=yes, ac_cv_found_sasl=no), ac_cv_found_sasl=no) LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" if test "$ac_cv_found_sasl" = yes; then LIB_SASL="$LIB_SASL -lsasl" else AC_MSG_ERROR( sasl not found ) LIB_SASL="" SASLFLAGS="" fi AC_SUBST(LIB_SASL) AC_SUBST(SASLFLAGS) fi ]) AC_DEFUN([CMU_SASL_REQUIRED], [AC_REQUIRE([CMU_SASL]) if test "$ac_cv_found_sasl" != "yes"; then AC_MSG_ERROR([Cannot continue without libsasl. Get it from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.]) fi]) # sasl2.m4--sasl2 libraries and includes # Rob Siemborski # SASL2_CRYPT_CHK # --------------- AC_DEFUN([SASL_GSSAPI_CHK], [AC_REQUIRE([SASL2_CRYPT_CHK]) AC_REQUIRE([CMU_SOCKETS]) AC_ARG_ENABLE([gssapi], [AS_HELP_STRING([--enable-gssapi=], [enable GSSAPI authentication [yes]])], [gssapi=$enableval], [gssapi=yes]) AC_ARG_WITH([gss_impl], [AS_HELP_STRING([--with-gss_impl={heimdal|mit|cybersafe|seam|auto}], [choose specific GSSAPI implementation [[auto]]])], [gss_impl=$withval], [gss_impl=auto]) if test "$gssapi" != no; then platform= case "${host}" in *-*-linux*) platform=__linux ;; *-*-hpux*) platform=__hpux ;; *-*-irix*) platform=__irix ;; *-*-solaris2*) # When should we use __sunos? platform=__solaris ;; *-*-aix*) ###_AIX platform=__aix ;; *) if test "$gss_impl" = "cybersafe"; then AC_MSG_ERROR([CyberSafe was forced, cannot continue as platform is not supported]) fi ;; esac cmu_saved_CPPFLAGS=$CPPFLAGS if test -d ${gssapi}; then CPPFLAGS="$CPPFLAGS -I$gssapi/include" # We want to keep -I in our CPPFLAGS, but only if we succeed cmu_saved_CPPFLAGS=$CPPFLAGS ### I am not sure how useful is this (and whether this is required at all ### especially when we have to provide two -L flags for new CyberSafe LDFLAGS="$LDFLAGS -L$gssapi/lib" if test -n "$platform"; then if test "$gss_impl" = "auto" -o "$gss_impl" = "cybersafe"; then CPPFLAGS="$CPPFLAGS -D$platform" if test -d "${gssapi}/appsec-sdk/include"; then CPPFLAGS="$CPPFLAGS -I${gssapi}/appsec-sdk/include" fi fi fi fi AC_CHECK_HEADER([gssapi.h], [AC_DEFINE(HAVE_GSSAPI_H,, [Define if you have the gssapi.h header file])], [AC_CHECK_HEADER([gssapi/gssapi.h],, [AC_WARN([Disabling GSSAPI - no include files found]); gssapi=no])]) CPPFLAGS=$cmu_saved_CPPFLAGS fi if test "$gssapi" != no; then # We need to find out which gssapi implementation we are # using. Supported alternatives are: MIT Kerberos 5, # Heimdal Kerberos 5 (http://www.pdc.kth.se/heimdal), # CyberSafe Kerberos 5 (http://www.cybersafe.com/) # and Sun SEAM (http://wwws.sun.com/software/security/kerberos/) # # The choice is reflected in GSSAPIBASE_LIBS AC_CHECK_LIB(resolv,res_search) if test -d ${gssapi}; then gssapi_dir="${gssapi}/lib" GSSAPIBASE_LIBS="-L$gssapi_dir" GSSAPIBASE_STATIC_LIBS="-L$gssapi_dir" else # FIXME: This is only used for building cyrus, and then only as # a real hack. it needs to be fixed. gssapi_dir="/usr/local/lib" fi # Check a full link against the Heimdal libraries. # If this fails, check a full link against the MIT libraries. # If this fails, check a full link against the CyberSafe libraries. # If this fails, check a full link against the Solaris 8 and up libgss. if test "$gss_impl" = "auto" -o "$gss_impl" = "heimdal"; then gss_failed=0 AC_CHECK_LIB(gssapi,gss_unwrap,gss_impl="heimdal",gss_failed=1, ${GSSAPIBASE_LIBS} -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err ${LIB_SOCKET}) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi if test "$gss_impl" = "auto" -o "$gss_impl" = "mit"; then # check for libkrb5support first AC_CHECK_LIB(krb5support,krb5int_getspecific,K5SUP=-lkrb5support K5SUPSTATIC=$gssapi_dir/libkrb5support.a,,${LIB_SOCKET}) gss_failed=0 AC_CHECK_LIB(gssapi_krb5,gss_unwrap,gss_impl="mit",gss_failed=1, ${GSSAPIBASE_LIBS} -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ${K5SUP} ${LIB_SOCKET}) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi # For Cybersafe one has to set a platform define in order to make compilation work if test "$gss_impl" = "auto" -o "$gss_impl" = "cybersafe"; then cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_GSSAPIBASE_LIBS=$GSSAPIBASE_LIBS # FIXME - Note that the libraries are in .../lib64 for 64bit kernels if test -d "${gssapi}/appsec-rt/lib"; then GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -L${gssapi}/appsec-rt/lib" fi CPPFLAGS="$CPPFLAGS -D$platform" if test -d "${gssapi}/appsec-sdk/include"; then CPPFLAGS="$CPPFLAGS -I${gssapi}/appsec-sdk/include" fi gss_failed=0 # Check for CyberSafe with two libraries first, than fall back to a single # library (older CyberSafe) unset ac_cv_lib_gss_csf_gss_acq_user AC_CHECK_LIB(gss,csf_gss_acq_user,gss_impl="cybersafe03", [unset ac_cv_lib_gss_csf_gss_acq_user; AC_CHECK_LIB(gss,csf_gss_acq_user,gss_impl="cybersafe", gss_failed=1,$GSSAPIBASE_LIBS -lgss)], [${GSSAPIBASE_LIBS} -lgss -lcstbk5]) if test "$gss_failed" = "1"; then # Restore variables GSSAPIBASE_LIBS=$cmu_saved_GSSAPIBASE_LIBS CPPFLAGS=$cmu_saved_CPPFLAGS if test "$gss_impl" != "auto"; then gss_impl="failed" fi fi fi if test "$gss_impl" = "auto" -o "$gss_impl" = "seam"; then gss_failed=0 AC_CHECK_LIB(gss,gss_unwrap,gss_impl="seam",gss_failed=1,-lgss) if test "$gss_impl" != "auto" -a "$gss_failed" = "1"; then gss_impl="failed" fi fi if test "$gss_impl" = "mit"; then GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err ${K5SUP}" GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_LIBS $gssapi_dir/libgssapi_krb5.a $gssapi_dir/libkrb5.a $gssapi_dir/libk5crypto.a $gssapi_dir/libcom_err.a ${K5SUPSTATIC}" elif test "$gss_impl" = "heimdal"; then CPPFLAGS="$CPPFLAGS -DKRB5_HEIMDAL" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgssapi -lkrb5 -lasn1 -lroken ${LIB_CRYPT} ${LIB_DES} -lcom_err" GSSAPIBASE_STATIC_LIBS="$GSSAPIBASE_STATIC_LIBS $gssapi_dir/libgssapi.a $gssapi_dir/libkrb5.a $gssapi_dir/libasn1.a $gssapi_dir/libroken.a $gssapi_dir/libcom_err.a ${LIB_CRYPT}" elif test "$gss_impl" = "cybersafe03"; then # Version of CyberSafe with two libraries CPPFLAGS="$CPPFLAGS -D$platform -I${gssapi}/appsec-sdk/include" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgss -lcstbk5" # there is no static libgss for CyberSafe GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "cybersafe"; then CPPFLAGS="$CPPFLAGS -D$platform -I${gssapi}/appsec-sdk/include" GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lgss" # there is no static libgss for CyberSafe GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "seam"; then GSSAPIBASE_LIBS=-lgss # there is no static libgss on Solaris 8 and up GSSAPIBASE_STATIC_LIBS=none elif test "$gss_impl" = "failed"; then gssapi="no" GSSAPIBASE_LIBS= GSSAPIBASE_STATIC_LIBS= AC_WARN([Disabling GSSAPI - specified library not found]) else gssapi="no" GSSAPIBASE_LIBS= GSSAPIBASE_STATIC_LIBS= AC_WARN([Disabling GSSAPI - no library]) fi fi # # Cybersafe defines both GSS_C_NT_HOSTBASED_SERVICE and GSS_C_NT_USER_NAME # in gssapi\rfckrb5.h # if test "$gssapi" != "no"; then if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then AC_EGREP_CPP(hostbased_service_gss_nt_yes, [#include #ifdef GSS_C_NT_HOSTBASED_SERVICE hostbased_service_gss_nt_yes #endif], [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])], [AC_WARN([Cybersafe define not found])]) elif test "$ac_cv_header_gssapi_h" = "yes"; then AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])]) elif test "$ac_cv_header_gssapi_gssapi_h"; then AC_EGREP_HEADER(GSS_C_NT_HOSTBASED_SERVICE, gssapi/gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_HOSTBASED_SERVICE,, [Define if your GSSAPI implimentation defines GSS_C_NT_HOSTBASED_SERVICE])]) fi if test "$gss_impl" = "cybersafe" -o "$gss_impl" = "cybersafe03"; then AC_EGREP_CPP(user_name_yes_gss_nt, [#include #ifdef GSS_C_NT_USER_NAME user_name_yes_gss_nt #endif], [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])], [AC_WARN([Cybersafe define not found])]) elif test "$ac_cv_header_gssapi_h" = "yes"; then AC_EGREP_HEADER(GSS_C_NT_USER_NAME, gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])]) elif test "$ac_cv_header_gssapi_gssapi_h"; then AC_EGREP_HEADER(GSS_C_NT_USER_NAME, gssapi/gssapi.h, [AC_DEFINE(HAVE_GSS_C_NT_USER_NAME,, [Define if your GSSAPI implimentation defines GSS_C_NT_USER_NAME])]) fi fi GSSAPI_LIBS="" AC_MSG_CHECKING([GSSAPI]) if test "$gssapi" != no; then AC_MSG_RESULT([with implementation ${gss_impl}]) AC_CHECK_LIB(resolv,res_search,GSSAPIBASE_LIBS="$GSSAPIBASE_LIBS -lresolv") SASL_MECHS="$SASL_MECHS libgssapiv2.la" SASL_STATIC_OBJS="$SASL_STATIC_OBJS gssapi.o" SASL_STATIC_SRCS="$SASL_STATIC_SRCS ../plugins/gssapi.c" cmu_save_LIBS="$LIBS" LIBS="$LIBS $GSSAPIBASE_LIBS" AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity) LIBS="$cmu_save_LIBS" else AC_MSG_RESULT([disabled]) fi AC_SUBST(GSSAPI_LIBS) AC_SUBST(GSSAPIBASE_LIBS) ])# SASL_GSSAPI_CHK # SASL_SET_GSSAPI_LIBS # -------------------- AC_DEFUN([SASL_SET_GSSAPI_LIBS], [SASL_GSSAPI_LIBS_SET="yes" ]) # AC_QOSIENT_MACHINE_ID # -------------------- AC_DEFUN([AC_QOSIENT_MACHINE_ID],[ case "$target_os" in linux*) AC_MSG_CHECKING([whether machine_id is found]); AC_CHECK_FILE("/var/lib/dbus/machine-id", [AC_DEFINE([HAVE_MACHINE_ID], [], [Description])], no) ;; cygwin*) ;; *bsd*) AC_MSG_CHECKING([whether machine_id is found]); AC_CHECK_FILE("/etc/machine-id", [AC_DEFINE([HAVE_MACHINE_ID], [], [Description])], no) ;; esac ]) # CMU_SASL2 # --------- # What we want to do here is setup LIB_SASL with what one would # generally want to have (e.g. if static is requested, make it that, # otherwise make it dynamic. # # We also want to create LIB_DYN_SASL and DYNSASLFLAGS. # # Also sets using_static_sasl to "no" "static" or "staticonly" # # $1 (incls appended) # # AC_DEFUN([CMU_SASL2], [ AC_ARG_WITH(sasl, [AS_HELP_STRING([--with-sasl=DIR],[Compile with libsasl2 in ])], with_sasl="$withval", with_sasl="no") AC_ARG_WITH(staticsasl, [AS_HELP_STRING([--with-staticsasl=DIR], [Compile with staticly linked libsasl in ])], [with_staticsasl="$withval"; if test $with_staticsasl != "no"; then using_static_sasl="static" fi], [with_staticsasl="no"; using_static_sasl="no"]) if test ${with_staticsasl} != "no" || test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test ${with_staticsasl} != "no"; then if test -d ${with_staticsasl}; then if test -d ${with_staticsasl}/lib64 ; then ac_cv_sasl_where_lib=${with_staticsasl}/lib64 else ac_cv_sasl_where_lib=${with_staticsasl}/lib fi ac_cv_sasl_where_lib=${with_staticsasl}/lib ac_cv_sasl_where_inc=${with_staticsasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" else with_staticsasl="/usr" fi AC_CHECK_HEADER(sasl/sasl.h, [AC_CHECK_HEADER(sasl/saslutil.h, [for i42 in lib64 lib; do if test -r ${with_staticsasl}/$i42/libsasl2.a; then ac_cv_found_sasl=yes AC_MSG_CHECKING([for static libsasl]) LIB_SASL="$LIB_SASL ${with_staticsasl}/$i42/libsasl2.a" fi done if test ! "$ac_cv_found_sasl" = "yes"; then AC_MSG_CHECKING([for static libsasl]) AC_MSG_ERROR([Could not find ${with_staticsasl}/lib*/libsasl2.a]) fi])]) if test "$ac_cv_found_sasl" = "yes"; then AC_MSG_RESULT([found]) else AC_MSG_ERROR([Could not find ${with_staticsasl}/lib*/libsasl2.a]) fi fi if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/lib ac_cv_sasl_where_inc=${with_sasl}/include DYNSASLFLAGS="-I$ac_cv_sasl_where_inc" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" LIBS="-L$ac_cv_sasl_where_lib" fi # be sure to check for a SASLv2 specific function AC_CHECK_HEADER(sasl/sasl.h, [AC_CHECK_HEADER(sasl/saslutil.h, [AC_CHECK_LIB(sasl2, prop_get, ac_cv_found_sasl=yes, ac_cv_found_sasl=no)], ac_cv_found_sasl=no)], ac_cv_found_sasl=no) if test ${with_sasl} != "no"; then if test "$ac_cv_found_sasl" = "yes"; then if test "$ac_cv_sasl_where_lib" != ""; then DYNLIB_SASL="-L$ac_cv_sasl_where_lib" fi DYNLIB_SASL="$DYNLIB_SASL -lsasl2" if test "$using_static_sasl" != "static"; then LIB_SASL=$DYNLIB_SASL SASLFLAGS=$DYNSASLFLAGS fi CMU_SASL2_REQUIRE_VER(2,1,7) if test "$ac_cv_sasl_where_inc" != ""; then $1="-I$ac_cv_sasl_where_inc $$1" fi AC_DEFINE([ARGUS_SASL], [], [Description]) AC_SUBST(LIB_SASL) AC_SUBST(SASLFLAGS) else AC_MSG_ERROR([Could not find sasl2]) fi fi LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" fi ])# CMU_SASL2 # CMU_SASL2_REQUIRE_VER # --------------------- AC_DEFUN([CMU_SASL2_REQUIRE_VER], [ cmu_saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $SASLFLAGS" AC_PREPROC_IFELSE([AC_LANG_SOURCE([ #include #ifndef SASL_VERSION_MAJOR #error SASL_VERSION_MAJOR not defined #endif #ifndef SASL_VERSION_MINOR #error SASL_VERSION_MINOR not defined #endif #ifndef SASL_VERSION_STEP #error SASL_VERSION_STEP not defined #endif #if SASL_VERSION_MAJOR < $1 || SASL_VERSION_MINOR < $2 || SASL_VERSION_STEP < $3 #error SASL version is less than $1.$2.$3 #endif ])],, [AC_MSG_ERROR([Incorrect SASL headers found. This package requires SASL $1.$2.$3 or newer.])]) CPPFLAGS=$cmu_saved_CPPFLAGS ])# CMU_SASL2_REQUIRE_VER dnl dnl Additional macros for configure.in packaged up for easier theft. dnl tjs@andrew.cmu.edu 6-may-1998 dnl dnl It would be good if ANDREW_ADD_LIBPATH could detect if something was dnl already there and not redundantly add it if it is. dnl add -L(arg), and possibly (runpath switch)(arg), to LDFLAGS dnl (so the runpath for shared libraries is set). AC_DEFUN([CMU_ADD_LIBPATH], [ # this is CMU ADD LIBPATH if test "$andrew_runpath_switch" = "none" ; then LDFLAGS="-L$1 ${LDFLAGS}" else LDFLAGS="-L$1 $andrew_runpath_switch$1 ${LDFLAGS}" fi ]) dnl add -L(1st arg), and possibly (runpath switch)(1st arg), to (2nd arg) dnl (so the runpath for shared libraries is set). AC_DEFUN([CMU_ADD_LIBPATH_TO], [ # this is CMU ADD LIBPATH TO if test "$andrew_runpath_switch" = "none" ; then $2="-L$1 ${$2}" else $2="-L$1 ${$2} $andrew_runpath_switch$1" fi ]) dnl runpath initialization AC_DEFUN([CMU_GUESS_RUNPATH_SWITCH], [ # CMU GUESS RUNPATH SWITCH AC_CACHE_CHECK(for runpath switch, andrew_runpath_switch, [ # first, try -R SAVE_LDFLAGS="${LDFLAGS}" LDFLAGS="-R /usr/lib" AC_TRY_LINK([],[],[andrew_runpath_switch="-R"], [ LDFLAGS="-Wl,-rpath,/usr/lib" AC_TRY_LINK([],[],[andrew_runpath_switch="-Wl,-rpath,"], [andrew_runpath_switch="none"]) ]) LDFLAGS="${SAVE_LDFLAGS}" ])]) AC_DEFUN([SASL2_CRYPT_CHK],[ AC_CHECK_FUNC(crypt, cmu_have_crypt=yes, [ AC_CHECK_LIB(crypt, crypt, LIB_CRYPT="-lcrypt"; cmu_have_crypt=yes, cmu_have_crypt=no)]) AC_SUBST(LIB_CRYPT) ]) dnl bsd_sockets.m4--which socket libraries do we need? dnl Derrick Brashear dnl from Zephyr dnl Hacked on by Rob Earhart to not just toss stuff in LIBS dnl It now puts everything required for sockets into LIB_SOCKET AC_DEFUN([CMU_SOCKETS], [ save_LIBS="$LIBS" LIB_SOCKET="" AC_CHECK_FUNC(connect, :, AC_CHECK_LIB(nsl, gethostbyname, LIB_SOCKET="-lnsl $LIB_SOCKET") AC_CHECK_LIB(socket, connect, LIB_SOCKET="-lsocket $LIB_SOCKET") ) LIBS="$LIB_SOCKET $save_LIBS" AC_CHECK_FUNC(res_search, :, AC_CHECK_LIB(resolv, res_search, LIB_SOCKET="-lresolv $LIB_SOCKET") ) LIBS="$LIB_SOCKET $save_LIBS" AC_CHECK_FUNCS(dn_expand dns_lookup) LIBS="$save_LIBS" AC_SUBST(LIB_SOCKET) ]) dnl dnl Look for Perl distribution and executable. dnl dnl usage: dnl dnl AC_QOSIENT_PERL(perldep) dnl dnl results: dnl dnl $1 (geoipdep set) dnl AC_DEFUN([AC_QOSIENT_PERL], [ AC_ARG_WITH(perl, [AS_HELP_STRING([--with-perl=DIR],[Use perl in ])], with_perl="$withval", with_perl="yes") perl=FAIL if ! test ${with_perl} = "no"; then if test ${with_perl} = "yes"; then AC_MSG_CHECKING(for standard perl installation) for dir in /usr /usr/local /opt /opt/local; do if test -r $dir/bin/perl ; then perl=$dir/bin/perl AC_MSG_RESULT($perl) $1="$perl" break; else AC_MSG_RESULT(no) fi done else AC_MSG_CHECKING(for perl installation in ${with_perl}) if test -r ${with_perl}/perl ; then perl=${with_perl}/perl AC_MSG_RESULT($perl) $1="$perl" else AC_MSG_RESULT(no) fi fi fi ]) argus-5.0.2/argus/000077500000000000000000000000001471541253600137705ustar00rootroot00000000000000argus-5.0.2/argus/Argus802.11.c000066400000000000000000000233341471541253600156740ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - 802.11 Wireless processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/Argus802.11.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(Argus80211) #define Argus80211 #endif #include #include #include #include #include #include static void ArgusParse80211MgmtBody(struct mgmt_body_t *, const u_char *, int); int ArgusExtract802_11HeaderLength(u_int16_t); #if !defined(ETH_ALEN) #define ETH_ALEN 6 #endif struct ArgusSystemFlow * ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr) { struct ArgusSystemFlow *retn = NULL; struct mgmt_body_t pbody; const struct mgmt_header_t *hp = (const struct mgmt_header_t *) ptr; u_int16_t fc = EXTRACT_LE_16BITS(ptr); int hdrlen = ArgusExtract802_11HeaderLength(fc); u_char *p = (u_char *) ptr + hdrlen; bzero(&pbody, sizeof(pbody)); switch (FC_TYPE(fc)) { case T_MGMT: { int offset = 0; switch (FC_SUBTYPE(fc)) { case ST_ASSOC_REQUEST: case ST_REASSOC_REQUEST: pbody.capability_info = EXTRACT_LE_16BITS(p); offset += IEEE802_11_CAPINFO_LEN; pbody.listen_interval = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_LISTENINT_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_ASSOC_RESPONSE: case ST_REASSOC_RESPONSE: pbody.capability_info = EXTRACT_LE_16BITS(p); offset += IEEE802_11_CAPINFO_LEN; pbody.status_code = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_STATUS_LEN; pbody.aid = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_AID_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_PROBE_REQUEST: ArgusParse80211MgmtBody(&pbody, p, offset); break; case ST_PROBE_RESPONSE: case ST_BEACON: { memcpy(&pbody.timestamp, p, IEEE802_11_TSTAMP_LEN); offset += IEEE802_11_TSTAMP_LEN; pbody.beacon_interval = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_BCNINT_LEN; pbody.capability_info = EXTRACT_LE_16BITS(p+offset); offset += IEEE802_11_CAPINFO_LEN; ArgusParse80211MgmtBody(&pbody, p, offset); break; } case ST_ATIM: break; case ST_DISASSOC: break; case ST_AUTH: case ST_DEAUTH: break; } break; } case T_CTRL: { switch (FC_SUBTYPE(fc)) { case CTRL_PS_POLL: break; case CTRL_RTS: break; case CTRL_CTS: break; case CTRL_ACK: break; case CTRL_CF_END: break; case CTRL_END_ACK: break; default: break; } break; } case T_DATA: { if (FC_WEP(fc)) { } else { } break; } } if (STRUCTCAPTURED(model, *(char *)ptr)) { retn = model->ArgusThisFlow; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_WLAN; retn->hdr.argus_dsrvl8.len = (sizeof(struct ArgusWlanFlow) + 3)/4 + 1; bcopy ((char *)&hp->da, (char *)&model->ArgusThisFlow->wlan_flow.dhost, ETH_ALEN); bcopy ((char *)&hp->sa, (char *)&model->ArgusThisFlow->wlan_flow.shost, ETH_ALEN); bcopy ((char *)&hp->bssid, (char *)&model->ArgusThisFlow->wlan_flow.bssid, ETH_ALEN); switch (FC_TYPE(fc)) { case T_MGMT: { switch (FC_SUBTYPE(fc)) { case ST_ASSOC_REQUEST: case ST_ASSOC_RESPONSE: case ST_REASSOC_REQUEST: case ST_REASSOC_RESPONSE: case ST_PROBE_REQUEST: case ST_PROBE_RESPONSE: case ST_BEACON: { if (pbody.ssid_status == PRESENT) { bcopy((char *)pbody.ssid.ssid, model->ArgusThisFlow->wlan_flow.ssid, pbody.ssid.length); } break; } } break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreate80211Flow (0x%x, 0x%x) returning %d\n", model, ptr, retn); #endif return (retn); } int ArgusExtract802_11HeaderLength(u_int16_t fc) { switch (FC_TYPE(fc)) { case T_MGMT: return MGMT_HDRLEN; case T_CTRL: switch (FC_SUBTYPE(fc)) { case CTRL_PS_POLL: return CTRL_PS_POLL_HDRLEN; case CTRL_RTS: return CTRL_RTS_HDRLEN; case CTRL_CTS: return CTRL_CTS_HDRLEN; case CTRL_ACK: return CTRL_ACK_HDRLEN; case CTRL_CF_END: return CTRL_END_HDRLEN; case CTRL_END_ACK: return CTRL_END_ACK_HDRLEN; default: return 0; } case T_DATA: { int len = (FC_TO_DS(fc) && FC_FROM_DS(fc)) ? 30 : 24; if (DATA_FRAME_IS_QOS(FC_SUBTYPE(fc))) len += 2; return len; } default: return 0; } } static void ArgusParse80211MgmtBody(struct mgmt_body_t *pbody, const u_char *p, int offset) { /* * We haven't seen any elements yet. */ pbody->challenge_status = NOT_PRESENT; pbody->ssid_status = NOT_PRESENT; pbody->rates_status = NOT_PRESENT; pbody->ds_status = NOT_PRESENT; pbody->cf_status = NOT_PRESENT; pbody->tim_status = NOT_PRESENT; for (;;) { switch (*(p + offset)) { case E_SSID: /* Present, possibly truncated */ pbody->ssid_status = TRUNCATED; memcpy(&pbody->ssid, p + offset, 2); offset += 2; if (pbody->ssid.length != 0) { if (pbody->ssid.length > sizeof(pbody->ssid.ssid) - 1) return; memcpy(&pbody->ssid.ssid, p + offset, pbody->ssid.length); offset += pbody->ssid.length; } pbody->ssid.ssid[pbody->ssid.length] = '\0'; /* Present and not truncated */ pbody->ssid_status = PRESENT; break; case E_CHALLENGE: /* Present, possibly truncated */ pbody->challenge_status = TRUNCATED; memcpy(&pbody->challenge, p + offset, 2); offset += 2; if (pbody->challenge.length != 0) { if (pbody->challenge.length > sizeof(pbody->challenge.text) - 1) return; memcpy(&pbody->challenge.text, p + offset, pbody->challenge.length); offset += pbody->challenge.length; } pbody->challenge.text[pbody->challenge.length] = '\0'; /* Present and not truncated */ pbody->challenge_status = PRESENT; break; case E_RATES: /* Present, possibly truncated */ pbody->rates_status = TRUNCATED; memcpy(&(pbody->rates), p + offset, 2); offset += 2; if (pbody->rates.length != 0) { if (pbody->rates.length > sizeof pbody->rates.rate) return; memcpy(&pbody->rates.rate, p + offset, pbody->rates.length); offset += pbody->rates.length; } /* Present and not truncated */ pbody->rates_status = PRESENT; break; case E_DS: /* Present, possibly truncated */ pbody->ds_status = TRUNCATED; memcpy(&pbody->ds, p + offset, 3); offset += 3; /* Present and not truncated */ pbody->ds_status = PRESENT; break; case E_CF: /* Present, possibly truncated */ pbody->cf_status = TRUNCATED; memcpy(&pbody->cf, p + offset, 8); offset += 8; /* Present and not truncated */ pbody->cf_status = PRESENT; break; case E_TIM: /* Present, possibly truncated */ pbody->tim_status = TRUNCATED; memcpy(&pbody->tim, p + offset, 2); offset += 2; memcpy(&pbody->tim.count, p + offset, 3); offset += 3; if (pbody->tim.length <= 3) break; if (pbody->tim.length - 3 > (int)sizeof pbody->tim.bitmap) return; memcpy(pbody->tim.bitmap, p + (pbody->tim.length - 3), (pbody->tim.length - 3)); offset += pbody->tim.length - 3; /* Present and not truncated */ pbody->tim_status = PRESENT; break; default: return; } } } argus-5.0.2/argus/ArgusApp.c000066400000000000000000000530271471541253600156650ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Application Level * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusApp.c#8 $ * $DateTime: 2016/02/23 00:04:12 $ * $Change: 3099 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusApp) #define ArgusApp #endif #include #include #include #include #include #include #include #define ARGUS_WELLKNOWN_PORT 1024 #define ARGUS_DNS_PORT 53 #define ARGUS_OFC_PORT 6633 #define ARGUS_AFS_PORT_MIN 7000 #define ARGUS_AFS_PORT_MAX 7010 #define ARGUS_UDT_PORT 9000 int ArgusControlPlaneProtocol (struct ArgusModelerStruct *, struct ArgusFlowStruct *); u_char ArgusUpdateHTTPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); u_char ArgusUpdateRTPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusUpdateUDTState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusParseRTCPBuffer (struct ArgusModelerStruct *, struct rtcphdr *); int ArgusRTCPBadVersion = 0; int ArgusRTCPBadPtr = 0; void ArgusParseRTCPSR (struct rtcphdr *); void ArgusParseRTCPRR (struct rtcphdr *); void ArgusParseRRRecs (struct rtcphdr *); void ArgusParseRTCPBYE (struct rtcphdr *); void ArgusParseRTCPSDES (struct rtcphdr *); int ArgusControlPlaneProtocol (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr) { int retn = 0; if (getArgusControlMonitor(model)) { struct ArgusSystemFlow *flow = (struct ArgusSystemFlow *)flowstr->dsrs[ARGUS_FLOW_INDEX]; struct ArgusControlProtocols *cps = model->cps; unsigned short proto, sport, dport; unsigned char ip_p; if (cps != NULL) { switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) { ip_p = flow->ipv6_flow.ip_p; sport = flow->ipv6_flow.sport; dport = flow->ipv6_flow.dport; } else { ip_p = flow->ip_flow.ip_p; sport = flow->ip_flow.sport; dport = flow->ip_flow.dport; } switch (ip_p) { case IPPROTO_TCP: retn = (cps->tcpport[sport] || cps->tcpport[dport]); break; case IPPROTO_UDP: retn = (cps->udpport[sport] || cps->udpport[dport]); break; } } } } } return (retn); } void ArgusParseRTCPSR (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); */ } void ArgusParseRTCPRR (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } void ArgusParseRRRecs (struct rtcphdr *rtcp) { } void ArgusParseRTCPSDES (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } void ArgusParseRTCPBYE (struct rtcphdr *rtcp) { /* unsigned int ssrc = ntohl(rtcp->rh_ssrc); unsigned short len = ntohs(rtcp->rh_len); */ } int ArgusParseRTCPBuffer (struct ArgusModelerStruct *model, struct rtcphdr *rtcp) { int retn = 0; while (STRUCTCAPTURED(model, *rtcp)) { u_int len = (ntohs(rtcp->rh_len) << 2) + 4; unsigned char *ptr = ((unsigned char *)rtcp) + len; if (STRUCTCAPTURED(model, *rtcp)) { if (rtcp->rh_ver != RTP_VERSION) { ++ArgusRTCPBadVersion; } else { switch(rtcp->rh_pt) { case RTCP_PT_SR: ArgusParseRTCPSR (rtcp); retn++; break; case RTCP_PT_RR: ArgusParseRTCPRR (rtcp); retn++; break; case RTCP_PT_SDES: ArgusParseRTCPSDES (rtcp); break; case RTCP_PT_BYE: ArgusParseRTCPBYE (rtcp); break; default: ++ArgusRTCPBadPtr; break; } } } if (len > 4) rtcp = (struct rtcphdr *) ptr; else break; } return (retn); } #if !defined(FALSE) #define FALSE 0 #endif #if !defined(TRUE) #define TRUE 1 #endif void ArgusUpdateAppState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { struct ArgusSystemFlow *flow = (struct ArgusSystemFlow *) flowstr->dsrs[ARGUS_FLOW_INDEX]; int mode = model->ArgusSrc->mode; if (model->ArgusThisLength > 0) { if (flow != NULL) { unsigned short proto, sport = 0, dport = 0; unsigned char ip_p; int len; if (!(model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) { ip_p = flow->ipv6_flow.ip_p; sport = flow->ipv6_flow.sport; dport = flow->ipv6_flow.dport; } else { ip_p = flow->ip_flow.ip_p; sport = flow->ip_flow.sport; dport = flow->ip_flow.dport; } switch (ip_p) { case IPPROTO_UDP: { switch (mode) { case ARGUS_CISCO_DATA_SOURCE: ArgusParseCiscoRecord(model, model->ArgusThisUpHdr); break; default: { if (state == ARGUS_START) { struct rtphdr *rtp = (struct rtphdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *rtp)) { if ((rtp->rh_ver == RTP_VERSION) && (!((sport < ARGUS_WELLKNOWN_PORT) || (dport < ARGUS_WELLKNOWN_PORT)) && !((sport >= ARGUS_AFS_PORT_MIN) && (sport <= ARGUS_AFS_PORT_MAX)) && !((dport >= ARGUS_AFS_PORT_MIN) && (dport <= ARGUS_AFS_PORT_MAX)))) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } if (ArgusParseRTCPBuffer(model, (struct rtcphdr *) model->ArgusThisUpHdr)) { struct ArgusRTCPObject *rtcpObject = (struct ArgusRTCPObject *)(&net->hdr + 1); struct rtcphdr *rtcp = (struct rtcphdr *) model->ArgusThisUpHdr; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_RTCP_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusRTCPObject) + 3)/4) + 1; if (model->ArgusThisDir) { bcopy ((char *) rtcp, (char *)&rtcpObject->src, sizeof(*rtcp)); } else { bcopy ((char *) rtcp, (char *)&rtcpObject->dst, sizeof(*rtcp)); } } else { if (rtp->rh_pt < 128) { struct ArgusRTPObject *rtpObject = (struct ArgusRTPObject *)(&net->hdr + 1); struct rtphdr trtpbuf, *trtp = &trtpbuf; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_RTP_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusRTPObject) + 3)/4) + 1; bcopy(rtp, trtp, sizeof(*trtp)); trtp->rh_seq = ntohs(rtp->rh_seq); trtp->rh_time = ntohl(rtp->rh_time); trtp->rh_ssrc = ntohl(rtp->rh_ssrc); if (model->ArgusThisDir) { bcopy ((char *) trtp, (char *)&rtpObject->src, sizeof(*rtp)); } else { bcopy ((char *) trtp, (char *)&rtpObject->dst, sizeof(*rtp)); } } } } else { if ((sport == ARGUS_UDT_PORT) || (dport == ARGUS_UDT_PORT)) { unsigned int status = 0; if (ArgusParseUDTHeader (model, (struct udt_header *) model->ArgusThisUpHdr, &status)) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_UDT_FLOW; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusUDTObject) + 3)/4) + 1; if (ArgusThisUdtHshake != NULL) { struct ArgusUDTObject *udtObject = (struct ArgusUDTObject *)(&net->hdr + 1); bcopy (ArgusThisUdtHshake, &udtObject->hshake, sizeof(*ArgusThisUdtHshake)); } if (status != 0) net->net_union.udt.status |= status; } } } } } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net != NULL) { switch (net->hdr.subtype) { case ARGUS_RTP_FLOW: case ARGUS_RTCP_FLOW: { ArgusUpdateRTPState(model, flowstr, state); break; } case ARGUS_UDT_FLOW: { ArgusUpdateUDTState(model, flowstr, &state); break; } } } } } } break; } /* IPPROTO_UDP */ } break; } } } if (model->ArgusThisStats) model->ArgusThisStats->appbytes += model->ArgusThisLength; if ((len = flowstr->userlen) != 0) { struct ArgusDataStruct *user = NULL; int ind, tlen; if (model->ArgusThisDir) ind = ARGUS_SRCUSERDATA_INDEX; else ind = ARGUS_DSTUSERDATA_INDEX; if (len == -1) len = model->ArgusThisLength; tlen = ((len + 3)/4) + 2; if (state == ARGUS_START) { if ((user = (struct ArgusDataStruct *) flowstr->dsrs[ind]) != NULL) { if (len != user->size) { ArgusFree(flowstr->dsrs[ind]); flowstr->dsrs[ind] = NULL; } else { user->count = 0; memset(user->array, 0, len); } } } if ((user = (struct ArgusDataStruct *) flowstr->dsrs[ind]) == NULL) { if ((user = (void *) ArgusCalloc(tlen, 4)) != NULL) { flowstr->dsrs[ind] = (void *) user; user->size = len; user->hdr.type = ARGUS_DATA_DSR; user->hdr.subtype = ARGUS_LEN_16BITS; user->hdr.argus_dsrvl16.len = tlen; if (ind == ARGUS_SRCUSERDATA_INDEX) user->hdr.subtype |= ARGUS_SRC_DATA; else user->hdr.subtype |= ARGUS_DST_DATA; flowstr->dsrindex |= (0x1 << ind); } } if (user && (user->count < user->size)) { int thislen = user->size - user->count; int bytes = 0, ArgusThisUserLength = (model->ArgusThisLength < model->ArgusSnapLength) ? model->ArgusThisLength : model->ArgusSnapLength; if ((thislen > 0) && (ArgusThisUserLength > 0)) { if (ArgusThisUserLength < thislen) thislen = ArgusThisUserLength; if ((bytes = model->ArgusThisSnapEnd - model->ArgusThisUpHdr) > 0) { thislen = (thislen > bytes) ? bytes : thislen; bcopy (model->ArgusThisUpHdr, &((char *)&user->array)[user->count], thislen); user->count += thislen; } } } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateAppState(0x%x, %d) returning\n", flowstr, state); #endif } u_char ArgusUpdateHTTPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { u_char retn = 0; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateHTTPState(0x%x, 0x%x, %d) returning\n", flowstr, state); #endif return(retn); } u_char ArgusUpdateRTPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; u_char retn = 0; if (net == NULL) return(retn); switch (net->hdr.subtype) { case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtpObject = (struct ArgusRTPObject *)(&net->hdr + 1); struct rtphdr *rtp = (struct rtphdr *) model->ArgusThisUpHdr; struct rtphdr trtpbuf, *trtp = &trtpbuf; struct rtphdr *ArgusThisRtpHdr = NULL; bcopy(rtp, trtp, sizeof(*trtp)); trtp->rh_seq = ntohs(rtp->rh_seq); trtp->rh_time = ntohl(rtp->rh_time); trtp->rh_ssrc = ntohl(rtp->rh_ssrc); if (model->ArgusThisDir) ArgusThisRtpHdr = &rtpObject->src; else ArgusThisRtpHdr = &rtpObject->dst; if (!(ArgusThisRtpHdr->rh_seq)) { if (rtp->rh_ver == 2) bcopy ((char *) trtp, (char *)ArgusThisRtpHdr, sizeof(*rtp)); } else { if (rtp->rh_ver == 2) { if (!(trtp->rh_ssrc) || (ArgusThisRtpHdr->rh_ssrc != trtp->rh_ssrc)) flowstr->dsrs[ARGUS_NETWORK_INDEX] = NULL; else if (trtp->rh_x) { struct rtpexthdr *xhdr = (struct rtpexthdr *) (rtp + 1); if ((xhdr->length > model->ArgusThisLength) || (xhdr->length < (model->ArgusThisLength - 4))) flowstr->dsrs[ARGUS_NETWORK_INDEX] = NULL; } if (flowstr->dsrs[ARGUS_NETWORK_INDEX] != NULL) { int offset = ((trtp->rh_cc > 15) ? 15 : trtp->rh_cc) << 2; if (ArgusThisRtpHdr->rh_seq != (trtp->rh_seq - 1)) { if (trtp->rh_seq < ArgusThisRtpHdr->rh_seq) { if ((ArgusThisRtpHdr->rh_seq - trtp->rh_seq) < 0x7FFFFFFF) { if (model->ArgusThisDir) { if (rtpObject->sdrop > 0) { rtpObject->sdrop--; rtpObject->state |= ARGUS_SRC_OUTOFORDER; } } else { if (rtpObject->ddrop > 0) { rtpObject->ddrop--; rtpObject->state |= ARGUS_DST_OUTOFORDER; } } } } else { if (trtp->rh_seq > ArgusThisRtpHdr->rh_seq) { if (model->ArgusThisDir) { rtpObject->sdrop += trtp->rh_seq - (ArgusThisRtpHdr->rh_seq + 1); } else { rtpObject->ddrop += trtp->rh_seq - (ArgusThisRtpHdr->rh_seq + 1); } } } } bcopy ((char *) trtp, (char *) ArgusThisRtpHdr, sizeof(*rtp)); if (offset < model->ArgusThisLength) { model->ArgusThisUpHdr = (unsigned char *)(rtp + 1) + offset; model->ArgusThisLength -= (sizeof(struct rtphdr) + offset); model->ArgusSnapLength -= (sizeof(struct rtphdr) + offset); if (trtp->rh_x) { struct rtpexthdr *ext = (struct rtpexthdr *)model->ArgusThisUpHdr; if (STRUCTCAPTURED(model,*ext)) { offset = sizeof(struct rtpexthdr) + ntohs(ext->length); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; } } switch (trtp->rh_pt) { case ARGUS_RTP_PCMU: case ARGUS_RTP_PCMA: case ARGUS_RTP_G722: case ARGUS_RTP_G728: case ARGUS_RTP_G729: if ((model->ArgusThisLength == 0) || ((model->ArgusThisLength % 10) != 0)) { model->ArgusInProtocol = 0; if (model->ArgusThisDir) { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_SRCSILENCE; }else { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_DSTSILENCE; } } else if (trtp->rh_mark) model->ArgusInProtocol = 0; break; case ARGUS_RTP_G723: if ((model->ArgusThisLength == 0) || (model->ArgusThisLength == 4)) { model->ArgusInProtocol = 0; if (model->ArgusThisDir) { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_SRCSILENCE; } else { net->hdr.argus_dsrvl8.qual |= ARGUS_RTP_DSTSILENCE; } } else if (trtp->rh_mark) model->ArgusInProtocol = 0; break; case ARGUS_RTP_H261: case ARGUS_RTP_H263: break; } } } } } break; } case ARGUS_RTCP_FLOW: { break; } } if (flowstr->dsrs[ARGUS_NETWORK_INDEX] == NULL) *(unsigned int *)&flowstr->canon.net.hdr = 0; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateRTPState(0x%x, 0x%x, %d) returning\n", model, flowstr, state); #endif return(retn); } argus-5.0.2/argus/ArgusArp.c000066400000000000000000000224231471541253600156630ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Arp Processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusArp.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusArp) #define ArgusArp #endif #include #include #include #if !defined(__OpenBSD__) #include #endif #include #include #define argus_ar_sha(ap) (((const u_char *)((ap)+1))+0) #define argus_ar_spa(ap) (((const u_char *)((ap)+1))+ (ap)->ar_hln) #define argus_ar_tha(ap) (((const u_char *)((ap)+1))+ (ap)->ar_hln+(ap)->ar_pln) #define argus_ar_tpa(ap) (((const u_char *)((ap)+1))+2*(ap)->ar_hln+(ap)->ar_pln) #define ARP_HDRLEN 8 #define HRD(ap) EXTRACT_16BITS(&(ap)->ar_hrd) #define HLN(ap) ((ap)->ar_hln) #define PLN(ap) ((ap)->ar_pln) #define OP(ap) EXTRACT_16BITS(&(ap)->ar_op) #define PRO(ap) EXTRACT_16BITS(&(ap)->ar_pro) #if defined(SHA) #undef SHA #endif #define SHA(ap) (argus_ar_sha(ap)) #if defined(SPA) #undef SPA #endif #define SPA(ap) (argus_ar_spa(ap)) #if defined(THA) #undef THA #endif #define THA(ap) (argus_ar_tha(ap)) #if defined(TPA) #undef TPA #endif #define TPA(ap) (argus_ar_tpa(ap)) #if !defined(REVARP_REQUEST) #define REVARP_REQUEST 3 #endif #if !defined(REVARP_REPLY) #define REVARP_REPLY 4 #endif void ArgusUpdateArpState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); /* struct ArgusHAddr { union { unsigned char ethernet[6]; unsigned char ib[32]; unsigned char ieee1394[16]; unsigned char framerelay[4]; unsigned char tokenring[6]; unsigned char arcnet[1]; unsigned char fiberchannel[12]; unsigned char atm[20]; } haddr_un; }; struct ArgusArpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_spa; unsigned int arp_tpa; struct ArgusHAddr haddr; }; struct ArgusRarpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_tpa; struct ArgusHAddr shaddr; struct ArgusHAddr dhaddr; }; */ #define ARP_ETHERNET 1 #define ARP_IEEE802 6 #define ARP_ARCNET 7 #define ARP_FRELAY 15 #define ARP_ATM 19 #define ARP_STRIP 23 #define ARP_IEEE1394 24 #define ARP_INFINIBAND 32 struct ArgusSystemFlow * ArgusCreateArpFlow (struct ArgusModelerStruct *model, struct ether_header *ep) { struct arphdr *ahdr = (struct arphdr *)model->ArgusThisUpHdr; struct ArgusSystemFlow *retn = NULL; unsigned int arp_tpa, arp_spa; if (STRUCTCAPTURED(model, *ahdr)) { retn = model->ArgusThisFlow; switch (OP(ahdr)) { case ARPOP_REQUEST: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusArpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ARP; if (PLN(ahdr) == sizeof(arp_spa)) { bcopy (SPA(ahdr), &arp_spa, sizeof(arp_spa)); bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_spa = ntohl(arp_spa); arp_tpa = ntohl(arp_tpa); #endif // if (arp_spa > arp_tpa) // model->state |= ARGUS_DIRECTION; retn->arp_flow.hrd = HRD(ahdr); retn->arp_flow.pro = PRO(ahdr); retn->arp_flow.hln = HLN(ahdr); retn->arp_flow.pln = PLN(ahdr); retn->arp_flow.op = OP(ahdr); retn->arp_flow.arp_tpa = arp_tpa; retn->arp_flow.arp_spa = arp_spa; bcopy (SHA(ahdr), (char *)&retn->arp_flow.haddr, HLN(ahdr)); } break; } case ARPOP_REPLY: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusArpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ARP; if (PLN(ahdr) == sizeof(arp_spa)) { bcopy (SPA(ahdr), &arp_spa, sizeof(arp_spa)); bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_spa = ntohl(arp_spa); arp_tpa = ntohl(arp_tpa); #endif // if (arp_spa > arp_tpa) model->state |= ARGUS_DIRECTION; retn->arp_flow.hrd = HRD(ahdr); retn->arp_flow.pro = PRO(ahdr); retn->arp_flow.hln = HLN(ahdr); retn->arp_flow.pln = PLN(ahdr); retn->arp_flow.op = ARPOP_REQUEST; retn->arp_flow.arp_tpa = arp_spa; retn->arp_flow.arp_spa = arp_tpa; bcopy (THA(ahdr), (char *)&retn->arp_flow.haddr, HLN(ahdr)); } break; } case REVARP_REQUEST: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusRarpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_RARP; bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_tpa = ntohl(arp_tpa); #endif retn->rarp_flow.hrd = HRD(ahdr); retn->rarp_flow.pro = PRO(ahdr); retn->rarp_flow.hln = HLN(ahdr); retn->rarp_flow.pln = PLN(ahdr); retn->rarp_flow.op = OP(ahdr); bcopy (THA(ahdr), &retn->rarp_flow.shaddr, HLN(ahdr)); bcopy (SHA(ahdr), &retn->rarp_flow.dhaddr, HLN(ahdr)); break; } case REVARP_REPLY: { retn->hdr.argus_dsrvl8.len = sizeof(struct ArgusRarpFlow)/4 + 1; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_RARP; bcopy (TPA(ahdr), &arp_tpa, sizeof(arp_tpa)); #ifdef _LITTLE_ENDIAN arp_tpa = ntohl(arp_tpa); #endif retn->rarp_flow.hrd = HRD(ahdr); retn->rarp_flow.pro = PRO(ahdr); retn->rarp_flow.hln = HLN(ahdr); retn->rarp_flow.pln = PLN(ahdr); retn->rarp_flow.op = REVARP_REQUEST; bcopy ((char *)&arp_tpa, &retn->rarp_flow.arp_tpa, sizeof(arp_tpa)); bcopy (SHA(ahdr), &retn->rarp_flow.shaddr, HLN(ahdr)); bcopy (THA(ahdr), &retn->rarp_flow.dhaddr, HLN(ahdr)); break; } default: retn = NULL; goto out; } retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_ARP; } out: #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateArpFlow (0x%x) returning %d\n", ep, retn); #endif return (retn); } /* struct arphdr { u_short ar_hrd; #define ARPHRD_ETHER 1 #define ARPHRD_IEEE802 6 #define ARPHRD_FRELAY 15 #define ARPHRD_IEEE1394 24 #define ARPHRD_IEEE1394_EUI64 27 u_short ar_pro; u_char ar_hln; u_char ar_pln; u_short ar_op; #define ARPOP_REQUEST 1 #define ARPOP_REPLY 2 #define ARPOP_REVREQUEST 3 #define ARPOP_REVREPLY 4 #define ARPOP_INVREQUEST 8 #define ARPOP_INVREPLY 9 #ifdef COMMENT_ONLY u_char ar_sha[]; u_char ar_spa[]; u_char ar_tha[]; u_char ar_tpa[]; #endif }; */ void ArgusUpdateArpState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusARPObject *arpobj = NULL; struct ether_arp *arp = NULL; struct arphdr *ahdr = NULL; if (model->ArgusThisEpHdr == NULL) return; arp = (struct ether_arp *)(model->ArgusThisEpHdr + 1); ahdr = &arp->ea_hdr; if (STRUCTCAPTURED(model, *arp)) { model->ArgusThisLength -= sizeof(*arp); model->ArgusSnapLength -= sizeof(*arp); model->ArgusThisUpHdr = (unsigned char *)(arp + 1); switch (OP(ahdr)) { case ARPOP_REQUEST: break; case ARPOP_REPLY: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if (net == NULL) { net = (struct ArgusNetworkStruct *) &flowstr->canon.net; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; } net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_ARP; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusUDTObject) + 3)/4) + 1; arpobj = &net->net_union.arp; bcopy ((unsigned char *)SHA(ahdr), arpobj->respaddr, 6); break; } } } } argus-5.0.2/argus/ArgusAuth.c000066400000000000000000000225621471541253600160460ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Authentication * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusAuth.c#5 $ * $DateTime: 2016/09/20 14:50:14 $ * $Change: 3197 $ */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * * modified by Carter Bullard * QoSient, LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusSasl) #define ArgusSasl #endif #include #include #include #include #include int ArgusAuthenticateClient (struct ArgusClientData *); int ArgusGetSaslString(FILE *, char *, int); int ArgusSendSaslString(FILE *, const char *, int, int); int ArgusAuthenticateClient (struct ArgusClientData *client) { int retn = 1; #ifdef ARGUS_SASL unsigned int rlen = 0; int len, mechnum = 0; char buf[8192], chosenmech[512]; const char *data; sasl_conn_t *conn = NULL; // int SASLOpts = (SASL_SEC_NOPLAINTEXT | SASL_SEC_NOANONYMOUS); FILE *in, *out; if (ArgusMaxSsf == 0) goto no_auth; conn = client->sasl_conn; if ((retn = sasl_listmech(conn, NULL, "{", ", ", "}", &data, &rlen, &mechnum)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: Error generating mechanism list"); if ((in = fdopen (client->fd, "r")) < 0) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno)); if ((out = fdopen (client->fd, "w")) < 0) ArgusLog (LOG_ERR, "ArgusAuthenticateClient: fdopen() error %s", strerror(errno)); ArgusSendSaslString (out, data, rlen, SASL_OK); if ((len = ArgusGetSaslString (in, chosenmech, sizeof(chosenmech))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } if (*buf == 'Y') { if ((len = ArgusGetSaslString (in, buf, sizeof(buf))) <= 0) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error ArgusGetSaslString returned %d\n", len); #endif return 0; } retn = sasl_server_start(conn, chosenmech, buf, len, &data, &rlen); } else { retn = sasl_server_start(conn, chosenmech, NULL, 0, &data, &rlen); } if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticateClient: Error starting SASL negotiation"); #endif ArgusSendSaslString(out, buf, strlen(buf), retn); return 0; } while (retn == SASL_CONTINUE) { if (data) { #ifdef ARGUSDEBUG ArgusDebug(2, "sending response length %d...\n", rlen); #endif ArgusSendSaslString(out, data, rlen, retn); } else { #ifdef ARGUSDEBUG ArgusDebug(2, "no data to send? ...\n"); #endif } #ifdef ARGUSDEBUG ArgusDebug(2, "waiting for client reply...\n"); #endif len = ArgusGetSaslString(in, buf, sizeof(buf)); if (len < 0) { #ifdef ARGUSDEBUG ArgusDebug(2, "client disconnected ...\n"); #endif return 0; } retn = sasl_server_step(conn, buf, len, &data, &rlen); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { sprintf (buf, "%s", sasl_errstring(retn, NULL, NULL)); #ifdef ARGUSDEBUG ArgusDebug(2, "Authentication failed %s\n", sasl_errstring(retn, NULL, NULL)); #endif ArgusSendSaslString(out, buf, strlen(buf), retn); return 0; } } if (retn == SASL_OK) ArgusSendSaslString(out, NULL, 0, SASL_OK); no_auth: #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusAuthenticateClient() returning %d\n", retn); #endif return (retn); } #ifdef ARGUS_SASL #include #include #include #include #include #include /* send/recv library for IMAP4 style literals. */ int ArgusSendSaslString(FILE *f, const char *s, int l, int mode) { char *buf = NULL, *ptr = NULL, error[128]; unsigned int al, len; int result, size, tsize; switch (mode) { case SASL_OK: { if ((s == NULL) || (l == 0)) { ptr = "D: "; tsize = 3; break; } } case SASL_CONTINUE: { ptr = "S: "; tsize = 3; break; } default: { sprintf (error, "E: [%d]", mode); ptr = error; tsize = strlen(error); break; } } if (ferror(f)) clearerr(f); while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } if (l > 0) { al = (((l / 3) + 1) * 4) + 1; if ((buf = malloc(al)) == NULL) ArgusLog (LOG_ERR, "malloc: error %s", strerror(errno)); if ((ptr = buf) != NULL) { result = sasl_encode64(s, l, buf, al, &len); if (result == SASL_OK) { tsize = len; while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } } } free(buf); } ptr = "\n"; tsize = 1; while ((size = fwrite(ptr, 1, tsize, f)) != tsize) { if (size >= 0) { tsize -= size; ptr += size; } else { if (ferror(f)) ArgusLog (LOG_ERR, "ArgusSendSaslString: error %d", ferror(f)); } } fflush(f); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSendSaslString(0x%x, 0x%x, %d) %s", f, s, l, s); #endif return len; } int ArgusGetSaslString(FILE *f, char *buf, int buflen) { unsigned int len = -1; char *s = NULL; int result; if (ferror(f)) clearerr(f); if ((s = fgets(buf, buflen, f)) != NULL) { switch (*buf) { case 'C': { if (!(strncmp(buf, "C: ", 3))) { buf[strlen(buf) - 1] = '\0'; result = sasl_decode64(buf + 3, (unsigned) strlen(buf + 3), buf, buflen, &len); if (result != SASL_OK) ArgusLog (LOG_ERR, "ArgusGetSaslString: sasl_decode64 error"); buf[len] = '\0'; } else ArgusLog (LOG_ERR, "ArgusGetSaslString: error %s", strerror(errno)); break; } default: case 'N': len = -1; break; } } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetSaslString(0x%x, 0x%x, %d) %s", f, buf, buflen, buf); #endif return len; } #endif argus-5.0.2/argus/ArgusEsp.c000066400000000000000000000123331471541253600156670ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - ESP layer processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusEsp.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusEsp) #define ArgusEsp #endif #include #include #include #include #include struct esphdr { unsigned int spi, seq; }; struct ArgusSystemFlow * ArgusCreateESPv6Flow (struct ArgusModelerStruct *model, struct ip6_hdr *ip) { struct ArgusSystemFlow *retn = NULL; /* struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; struct ArgusESPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int spi; }; */ #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateESPv6Flow(0x%x) returning %d\n", ip, retn); #endif return (retn); } struct ArgusSystemFlow * ArgusCreateESPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusSystemFlow *retn = NULL; struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *esp)) { struct ArgusESPFlow *espFlow = &model->ArgusThisFlow->esp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; retn->hdr.argus_dsrvl8.len = 5; espFlow->ip_src = ntohl(ip->ip_src.s_addr); espFlow->ip_dst = ntohl(ip->ip_dst.s_addr); espFlow->ip_p = ip->ip_p; espFlow->pad = 0; espFlow->spi = ntohl(esp->spi); } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateESPFlow(0x%x) returning 0x%x\n", ip, retn); #endif return (retn); } void ArgusUpdateESPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateESPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct esphdr *esp = (struct esphdr *) model->ArgusThisUpHdr; struct ArgusESPObject *espObj = &net->net_union.esp; if (STRUCTCAPTURED(model, *esp)) { #ifdef _LITTLE_ENDIAN esp->spi = ntohl(esp->spi); esp->seq = ntohl(esp->seq); #endif if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ESP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusESPObject)+3))/4 + 1; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (void *) net; bzero ((char *)espObj, sizeof(*espObj)); flowstr->timeout = ARGUS_IPTIMEOUT; espObj->spi = esp->spi; espObj->lastseq = esp->seq; } else { if (!(espObj->status & ARGUS_ESP_SEQFAILURE)) { #define ARGUS_ESP_WINDOW 0x10000 int diff = esp->seq - espObj->lastseq; if (esp->seq < espObj->lastseq) { if (diff > 0) espObj->status |= ARGUS_ESP_ROLLOVER; } if (diff != 1) { if ((diff == 0) || (abs(diff) > ARGUS_ESP_WINDOW)) { espObj->status |= ARGUS_ESP_SEQFAILURE; if (diff) espObj->lastseq = esp->seq; } else { if (diff > 0) { espObj->status |= ARGUS_SRC_PKTS_DROP; espObj->lostseq += (diff - 1); espObj->lastseq = esp->seq; } else { espObj->lostseq--; espObj->status |= ARGUS_SRC_OUTOFORDER; } } } else espObj->lastseq = esp->seq; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateESPState(0x%x, %d) returning\n", flowstr, *state); #endif } #include void ArgusESPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state); void ArgusESPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusESPFlowRecord(0x%x, %d) returning\n", net, state); #endif } argus-5.0.2/argus/ArgusEvents.c000066400000000000000000000374231471541253600164130ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Events processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusEvents.c#10 $ * $DateTime: 2016/10/03 10:25:27 $ * $Change: 3209 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusEvents) #define ArgusEvents #endif #include #include #include #include #if defined(HAVE_ZLIB_H) #include #endif #include #include #include #include #include #include #if defined(ARGUS_THREADS) #include void *ArgusEventsProcess(void *); #endif struct ArgusEventsStruct * ArgusNewEvents () { struct ArgusEventsStruct *retn = NULL; if ((retn = (struct ArgusEventsStruct *) ArgusCalloc (1, sizeof (struct ArgusEventsStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewEvents() ArgusCalloc error %s\n", strerror(errno)); if ((retn->ArgusEventsList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewEvents() ArgusNewList %s\n", strerror(errno)); #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewEvents() returning retn 0x%x\n", retn); #endif return (retn); } void ArgusDeleteEvents (struct ArgusEventsStruct *events) { struct ArgusEventsStruct *retn = NULL; if (events != NULL) { pthread_mutex_destroy(&events->lock); if (events->ArgusEventsList != NULL) { ArgusDeleteList (events->ArgusEventsList, ARGUS_EVENT_LIST); events->ArgusEventsList = NULL; } ArgusFree (events); } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusDeleteEvents() returning retn 0x%x\n", retn); #endif } void ArgusInitEvents (struct ArgusEventsStruct *events) { if (events == NULL) return; events->ArgusModel = ArgusModel; events->ArgusSrc = ArgusSourceTask; events->ArgusOutputList = ArgusOutputTask->ArgusInputList; #if defined(ARGUS_THREADS) if ((events->ArgusEventsList != NULL) && (!(ArgusListEmpty(events->ArgusEventsList)))) if ((pthread_create(&events->thread, NULL, ArgusEventsProcess, (void *) events)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitEvents() done\n"); #endif } void ArgusCloseEvents (struct ArgusEventsStruct *events) { if (events != NULL) { events->status |= ARGUS_SHUTDOWN; #if defined(ARGUS_THREADS) if (events->thread) { pthread_cancel(events->thread); pthread_join(events->thread, NULL); events->thread = 0; } #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseEvents() done\n"); #endif } #if defined(ARGUS_THREADS) struct ArgusRecordStruct *ArgusGenerateEventRecord (struct ArgusEventsStruct *, struct ArgusEventRecordStruct *, unsigned char); int ArgusSortEventList (const void *item1, const void *item2) { struct ArgusEventRecordStruct *event1 = *(struct ArgusEventRecordStruct **) item1; struct ArgusEventRecordStruct *event2 = *(struct ArgusEventRecordStruct **) item2; int retn = 0; if ((retn = (event1->poptime.tv_sec - event2->poptime.tv_sec)) == 0) retn = (event1->poptime.tv_nsec - event2->poptime.tv_nsec); return (retn); } #if !defined(TIMEVAL_TO_TIMESPEC) void TIMEVAL_TO_TIMESPEC (struct timeval *, struct timespec *); void TIMEVAL_TO_TIMESPEC (struct timeval *tvp, struct timespec *ts) { ts->tv_sec = tvp->tv_sec; ts->tv_nsec = tvp->tv_usec * 1000; } #endif void * ArgusEventsProcess(void *arg) { struct ArgusEventsStruct *events = (struct ArgusEventsStruct *) arg; struct ArgusEventRecordStruct *evtarray[1024]; struct ArgusEventRecordStruct *evt; struct timeval tvpbuf, *tvp = &tvpbuf; void *retn = NULL; int cnt, i; do { struct ArgusRecordStruct *rec = NULL; struct timespec tsbuf, *ts = &tsbuf; struct timespec rmtpb, *rmtp = &rmtpb; if (events->status & ARGUS_SHUTDOWN) break; if (!(ArgusListEmpty(events->ArgusEventsList))) { cnt = ArgusGetListCount(events->ArgusEventsList); memset(evtarray, 0, sizeof(evtarray)); for (i = 0; i < cnt; i++) { if ((evt = (void *)ArgusPopFrontList(events->ArgusEventsList, ARGUS_LOCK)) != NULL) { evtarray[i] = evt; if (evt->poptime.tv_sec == 0) { gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, &evt->poptime); evt->poptime.tv_sec += evt->interval; evt->remaining.tv_sec = evt->interval; } else { struct timeval tvpbuf, *tvp = &tvpbuf; gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, ts); evt->remaining.tv_sec = evt->poptime.tv_sec - ts->tv_sec; evt->remaining.tv_nsec = evt->poptime.tv_nsec - ts->tv_nsec; while ((evt->remaining.tv_nsec < 0) && (evt->remaining.tv_sec > 0)) { evt->remaining.tv_sec -= 1; evt->remaining.tv_nsec += 1000000000; } } ArgusPushBackList(events->ArgusEventsList, (struct ArgusListRecord *) evt, ARGUS_LOCK); } } qsort (evtarray, cnt, sizeof(evt), ArgusSortEventList); evt = evtarray[0]; *ts = evt->remaining; if (events->status & ARGUS_SHUTDOWN) break; if ((ts->tv_sec > 0) || ((ts->tv_sec == 0) && (ts->tv_nsec > 100))) { while (nanosleep (ts, rmtp)) { *ts = *rmtp; if ((rmtp->tv_sec == 0) && (rmtp->tv_nsec == 0)) break; if (events->status & ARGUS_SHUTDOWN) break; } } if (events->status & ARGUS_SHUTDOWN) break; if ((rec = ArgusGenerateEventRecord(events, evt, ARGUS_STATUS)) != NULL) ArgusPushBackList (events->ArgusOutputList, (struct ArgusListRecord *) rec, ARGUS_LOCK); if (evt->interval > 0) { gettimeofday(tvp, 0L); TIMEVAL_TO_TIMESPEC(tvp, &evt->poptime); evt->poptime.tv_sec += evt->interval; evt->remaining.tv_sec = evt->interval; } else { evtarray[0] = NULL; if (evt->entry) free(evt->entry); if (evt->method) free(evt->method); if (evt->filename) free(evt->filename); ArgusFree(evt); } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEventsProcess circuit done\n"); #endif } while (!(events->status & ARGUS_SHUTDOWN)); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEventsProcess() exiting\n"); #endif pthread_exit(retn); return(retn); } #define ARGUS_MAX_OS_STATUS 64512 #define ARGUS_MAX_OS_BUF 65536 struct ArgusRecordStruct * ArgusGenerateEventRecord (struct ArgusEventsStruct *events, struct ArgusEventRecordStruct *evt, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; int ocnt = 0, cnt = 0, tcnt = 0, len = ARGUS_MAX_OS_BUF; struct timeval now, then; if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (len)) == NULL) ArgusLog (LOG_ERR, "ArgusMallocListRecord returned NULL\n"); memset ((char *)retn, 0, ARGUS_MAX_OS_STATUS); retn->hdr.type = ARGUS_EVENT | ARGUS_VERSION; retn->hdr.cause = status; gettimeofday(&then, 0L); rec = (struct ArgusRecord *) &retn->canon; if (strncmp(evt->method, "file", 4) == 0) { int fd = 0; if ((fd = open(evt->filename, O_RDONLY)) > 0) { #if defined(HAVE_ZLIB_H) if (evt->status & ARGUS_ZLIB_COMPRESS) { char buf[ARGUS_MAX_OS_STATUS], *ptr = buf; snprintf (buf, ARGUS_MAX_OS_STATUS - 1, "file=%s\n", evt->filename); tcnt = strlen(buf); if ((cnt = read(fd, &ptr[tcnt], (ARGUS_MAX_OS_STATUS - tcnt))) > 0) { uLong slen = cnt, dlen = (ARGUS_MAX_OS_STATUS - tcnt); if (compress((Bytef *) &rec->argus_event.data.array, &dlen, (Bytef *)&buf, slen) != Z_OK) ArgusLog (LOG_ERR, "compress problem %s", strerror(errno)); ocnt = cnt; cnt = dlen; } } else { #endif char buf[ARGUS_MAX_OS_STATUS]; snprintf(buf, ARGUS_MAX_OS_STATUS - 1, "file=%s\n", evt->filename); strcpy(rec->argus_event.data.array, buf); tcnt = strlen(rec->argus_event.data.array); cnt = read(fd, &rec->argus_event.data.array[tcnt], len - tcnt); ocnt = cnt; #if defined(HAVE_ZLIB_H) } #endif close(fd); } } else if (strncmp(evt->method, "prog", 4) == 0) { char result[ARGUS_MAX_OS_STATUS], *ptr = NULL; int terror = 0, len = ARGUS_MAX_OS_STATUS; FILE *fd = NULL; memset(result, 0, sizeof(result)); snprintf(result, ARGUS_MAX_OS_STATUS - 1, "prog=%s\n", evt->filename); tcnt = strlen(result); if ((fd = popen(evt->filename, "r")) != NULL) { ptr = NULL; clearerr(fd); while ((!(feof(fd))) && (!(ferror(fd))) && (len > tcnt)) { if ((ptr = fgets(&result[tcnt], len - tcnt, fd)) == NULL) { if (ferror(fd)) { terror++; break; } } else { tcnt += strlen(ptr); if (strlen(ptr) == 0) break; } } if (terror == 0) ptr = result; else ptr = NULL; pclose(fd); } else ArgusLog (LOG_WARNING, "ArgusGenerateEvent: System error: popen(%s) %s\n", evt->filename, strerror(errno)); if (ptr != NULL) { char buf[ARGUS_MAX_OS_STATUS]; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(%s:%s) returned %d bytes", evt->method, evt->filename, strlen(ptr)); #endif #if defined(HAVE_ZLIB_H) if (evt->status & ARGUS_ZLIB_COMPRESS) { unsigned long slen = tcnt, dlen = ARGUS_MAX_OS_STATUS; if (compress((Bytef *) &rec->argus_event.data.array, &dlen, (Bytef *)ptr, slen) != Z_OK) ArgusLog (LOG_ERR, "compress problem %s", strerror(errno)); ocnt = slen; cnt = dlen; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(%s:%s) compress ratio %f", evt->method, evt->filename, cnt*1.0/ocnt*1.0); #endif } else { #endif ocnt = tcnt; strncpy(buf, ptr, ARGUS_MAX_OS_STATUS); strcpy((char *)&rec->argus_event.data.array, buf); cnt = strlen((char *)&rec->argus_event.data.array); #if defined(HAVE_ZLIB_H) } #endif } } /* struct ArgusEventStruct { struct ArgusDSRHeader event; struct ArgusTransportStruct trans; struct ArgusEventTimeStruct time; struct ArgusDataStruct data; }; struct ArgusFarStruct { struct ArgusFlow flow; }; struct ArgusRecord { struct ArgusRecordHeader hdr; union { struct ArgusMarStruct mar; struct ArgusFarStruct far; struct ArgusEventStruct event; } ar_un; }; */ if (cnt > 0) { struct ArgusSourceStruct *src = events->ArgusSrc; struct ArgusTimeObject *time = &rec->argus_event.time; struct ArgusTransportStruct *trans = &rec->argus_event.trans; struct ArgusDataStruct *data = &rec->argus_event.data; char *inf = NULL; int tlen = 1; gettimeofday(&now, 0L); time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP | ARGUS_TIME_SRC_START | ARGUS_TIME_SRC_END; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; tlen += time->hdr.argus_dsrvl8.len; retn->dsrs[ARGUS_TIME_INDEX] = &time->hdr; retn->dsrindex |= 1 << ARGUS_TIME_INDEX; time->src.start.tv_sec = then.tv_sec; time->src.start.tv_usec = then.tv_usec; time->src.end.tv_sec = now.tv_sec; time->src.end.tv_usec = now.tv_usec; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = src->type & ~ARGUS_TYPE_INTERFACE; switch (src->type & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: { tlen = strlen((const char *)&src->trans.srcid.a_un.str); bcopy(&src->trans.srcid.a_un.str, trans->srcid.a_un.str, tlen); break; } case ARGUS_TYPE_INT: { tlen = sizeof(src->trans.srcid.a_un.value); trans->srcid.a_un.value = src->trans.srcid.a_un.value; break; } case ARGUS_TYPE_IPV4: { tlen = sizeof(src->trans.srcid.a_un.ipv4); trans->srcid.a_un.ipv4 = src->trans.srcid.a_un.ipv4; break; } case ARGUS_TYPE_IPV6: { tlen = sizeof(src->trans.srcid.a_un.ipv6); bcopy(&src->trans.srcid.a_un.ipv6, trans->srcid.a_un.ipv6, tlen); break; } case ARGUS_TYPE_UUID : { tlen = sizeof(src->trans.srcid.a_un.uuid); bcopy(&src->trans.srcid.a_un.uuid, trans->srcid.a_un.uuid, tlen); break; } } if ((inf = getArgusManInf(src)) != NULL) { trans->hdr.argus_dsrvl8.qual |= ARGUS_TYPE_INTERFACE; bcopy("evt0", &trans->srcid.inf, 4); tlen +=4; } trans->seqnum = events->ArgusSrc->ArgusModel->ArgusSeqNum++; trans->hdr.argus_dsrvl8.len = tlen + 2; retn->dsrs[ARGUS_TRANSPORT_INDEX] = &trans->hdr; retn->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; tlen += trans->hdr.argus_dsrvl8.len; data->hdr.type = ARGUS_DATA_DSR; data->hdr.subtype = ARGUS_LEN_16BITS | ARGUS_SRC_DATA; if (evt->status & ARGUS_ZLIB_COMPRESS) data->hdr.subtype |= ARGUS_DATA_COMPRESS; len = 2 + ((cnt + 3)/4); data->hdr.argus_dsrvl16.len = len; data->count = cnt; data->size = ocnt; tlen += len; if ((retn->dsrs[ARGUS_SRCUSERDATA_INDEX] = ArgusCalloc(1, len * 4)) == NULL) ArgusLog (LOG_ERR, "ArgusGenerateEventRecord() ArgusCalloc error %s\n", strerror(errno)); bcopy((char *)data, (char *)retn->dsrs[ARGUS_SRCUSERDATA_INDEX], len * 4); retn->dsrindex |= 1 << ARGUS_SRCUSERDATA_INDEX; retn->hdr.len = tlen; bcopy((char *)&retn->hdr, &rec->hdr, sizeof(rec->hdr)); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGenerateEventRecord(%s:%s) retn 0x%x cnt %d ocnt %d", evt->method, evt->filename, retn, cnt, ocnt); #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateEventRecord(0x%x, %d) returning 0x%x", events, status, retn); #endif return (retn); } #endif /* ARGUS_THREADS */ argus-5.0.2/argus/ArgusEvents.h000066400000000000000000000056411471541253600164150ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Events include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusEvents.h#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusEvents_h #define ArgusEvents_h #include #include #include #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #else #include #endif #include #include #if defined(ARGUS_TILERA) #include #else #include #endif #include #include #ifdef ARGUS_SASL #include #endif #define ARGUS_EVENT_OS_STATUS 0x00000001 #define ARGUS_ZLIB_COMPRESS 0x00000001 #define ARGUS_ZLIB_COMPRESS2 0x00000002 struct ArgusEventRecordStruct { struct ArgusListObjectStruct *nxt; struct timespec poptime, remaining; char *entry; int status, interval; char *method; char *filename; long long runs; }; struct ArgusEventsStruct { int status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif struct ArgusListStruct *ArgusEventsList; struct ArgusListStruct *ArgusOutputList; struct ArgusModelerStruct *ArgusModel; struct ArgusSourceStruct *ArgusSrc; }; #if defined(ArgusEvents) struct ArgusEventsStruct *ArgusEventsTask = NULL; void ArgusInitEvents (struct ArgusEventsStruct *); void ArgusDeleteEvents (struct ArgusEventsStruct *); void ArgusCloseEvents (struct ArgusEventsStruct *); int ArgusSortEventList (const void *, const void *); struct ArgusEventsStruct *ArgusNewEvents (void); #else extern struct ArgusEventsStruct *ArgusEventsTask; extern void ArgusInitEvents (struct ArgusEventsStruct *); extern void ArgusDeleteEvents (struct ArgusEventsStruct *); extern void ArgusCloseEvents (struct ArgusEventsStruct *); extern int ArgusSortEventList (const void *, const void *); extern struct ArgusEventsStruct *ArgusNewEvents (void); #endif #endif /* #ifndef ArgusEvents_h */ argus-5.0.2/argus/ArgusFrag.c000066400000000000000000000507211471541253600160220ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Fragment processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusFrag.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusFrag) #define ArgusFrag #endif #include #include #include #include #include #include struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); int ArgusUpdateFRAGState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned short); int ArgusUpdateParentFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusZeroRecord (struct ArgusFlowStruct *); struct ArgusSystemFlow * ArgusCreateFRAGFlow (struct ArgusModelerStruct *model, void *ptr, unsigned short proto) { struct ArgusSystemFlow *retn = NULL; switch (proto) { case ETHERTYPE_IP: { struct ip tipbuf, *tip = &tipbuf; struct ip *ip = (struct ip *) ptr; #ifdef _LITTLE_ENDIAN bzero(tip, sizeof(*tip)); tip->ip_len = ntohs(ip->ip_len); tip->ip_id = ntohs(ip->ip_id); tip->ip_off = ntohs(ip->ip_off); tip->ip_p = ip->ip_p; tip->ip_src.s_addr = ntohl(ip->ip_src.s_addr); tip->ip_dst.s_addr = ntohl(ip->ip_dst.s_addr); #else tip = ip; #endif model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *ip)) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) { model->state |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; } } model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; } else { model->ArgusThisFlow->frag_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_dst.s_addr; } model->ArgusThisFlow->frag_flow.ip_p = tip->ip_p; model->ArgusThisFlow->frag_flow.ip_id = tip->ip_id; model->ArgusThisFlow->frag_flow.pad[0] = 0; model->ArgusThisFlow->frag_flow.pad[1] = 0; retn = model->ArgusThisFlow; } break; } case ETHERTYPE_IPV6: { struct ip6_frag *frag = model->ArgusThisIpv6Frag; model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *frag)) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { } else { } model->ArgusThisFlow->fragv6_flow.ip_id = frag->ip6f_ident; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; retn = model->ArgusThisFlow; } break; } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCreateFRAGFlow(0x%x, 0x%x, %d)", model, ptr, proto); #endif return (retn); } /* struct ArgusFragObject { unsigned int fragnum, frag_id; unsigned short totlen, currlen, maxfraglen, pad; }; */ int ArgusUpdateFRAGState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state, unsigned short proto) { int retn = 0, up_p = 0; struct ArgusNetworkStruct *net = NULL; struct ArgusFragObject *frag = NULL; struct ArgusFragOffsetStruct *fragOffset = NULL; struct ArgusFragOffsetStruct *thisFragOffset = NULL; struct ArgusFragOffsetStruct *prvfragOffset = NULL; struct ArgusFragOffsetStruct *nxtfragOffset = NULL; int offset = 0, length = 0, end = 0, newbytes = 1, found = 0; /* so the trick is to deal with out of order and missing fragments */ /* so lets figure out if this is the next chunk and get out fast if it is */ switch (proto) { case ETHERTYPE_IP: { struct ip *ip = (struct ip *)model->ArgusThisIpHdr; up_p = ip->ip_p; offset = (ntohs(ip->ip_off) & 0x1fff) << 3; length = ntohs(ip->ip_len) - (ip->ip_hl * 4); end = offset + length; break; } case ETHERTYPE_IPV6: { struct ip6_frag *tfrag = model->ArgusThisIpv6Frag; up_p = tfrag->ip6f_nxt; offset = ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK); length = model->ArgusThisLength; end = offset + length; break; } } if ((net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_FRAG_INDEX]) != NULL) { if (net->hdr.subtype != ARGUS_NETWORK_SUBTYPE_FRAG) { if (state == ARGUS_START) { memset (net, 0, sizeof(struct ArgusFragObject) + 4); net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; } } frag = &net->net_union.frag; frag->totbytes += model->ArgusThisLength; /* is this the first fragment chunk seen ?*/ if (!(frag->offsets.end)) { frag->offsets.start = offset; frag->offsets.end = end; found = 1; } else { /* if not lets see if we've seen this data before */ fragOffset = &frag->offsets; while ((fragOffset != NULL) && !(found)) { /* this frag is past this frag chunk, so continue */ if (offset > fragOffset->end) { prvfragOffset = fragOffset; fragOffset = fragOffset->nxt; } else /* if frag is contiguous with previously frag, then update end */ if (offset == fragOffset->end) { /* check that we don't overlap next frag, prediction is that there is no nxt frag */ if ((nxtfragOffset = fragOffset->nxt) == NULL) { fragOffset->end = end; found = 1; } else { /* this frag connects the two frags so account and remove nxt chunk */ if (end == nxtfragOffset->start) { fragOffset->nxt = nxtfragOffset->nxt; fragOffset->end = nxtfragOffset->end; free(nxtfragOffset); found = 1; } else /* this frag ends before the next chunk, i.e. we missed several frags */ if (end < nxtfragOffset->start) { fragOffset->end = end; found = 1; } else { /* this frag overlaps, so chop this frag, set overlap, and then continue */ offset = nxtfragOffset->start; fragOffset->end = nxtfragOffset->start; flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; prvfragOffset = fragOffset; fragOffset = nxtfragOffset; } } } else /* so this offset is before or in this chunk, so check if this is before or previous */ if (offset < fragOffset->start) { if (end == fragOffset->start) { fragOffset->start = offset; found = 1; } else { if (end < fragOffset->start) { fragOffset = NULL; } else { /* so end is in or past this frag, if past, then remove the smaller frag in list and start over */ if (end > fragOffset->end) { flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; frag->bytes -= (fragOffset->end - fragOffset->start); /* if there is a nxt fragment, replace the overlaping frag (fragOffset) with it */ if (fragOffset->nxt != NULL) { if (prvfragOffset != NULL) { prvfragOffset->nxt = fragOffset->nxt; } else { bcopy((char *) fragOffset->nxt , (char *)&frag->offsets, sizeof(frag->offsets)); } /* else just update the prv fragments pointer to toss this one */ } else { if (prvfragOffset != NULL) { prvfragOffset->nxt = NULL; } else { /* else we're the first chunk just update this chunk */ fragOffset->start = offset; fragOffset->end = end; found = 1; } } if (fragOffset != &frag->offsets) free(fragOffset); prvfragOffset = NULL; fragOffset = &frag->offsets; } else { /* so (end < fragOffset->end), overlap but account for previous missing chunk */ flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; end = fragOffset->start; fragOffset->start = offset; found = 1; } } } } else /* if frag is coincidental with this frag, then retransmission or overlap */ if (offset >= fragOffset->start) { if (end <= fragOffset->end) { if ((offset == fragOffset->start) && (end == fragOffset->end)) flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_SRC_PKTS_RETRANS; else flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; newbytes = 0; found = 1; } else { /* this end extends beyond this frag, so clip and continue */ flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_FRAGOVERLAP; /* if we do, chop this frag, set overlap, and then continue */ if ((fragOffset->nxt != NULL) && (fragOffset->nxt->start < end)) { offset = fragOffset->nxt->start; fragOffset->end = fragOffset->nxt->start; } else offset = fragOffset->end; prvfragOffset = fragOffset; fragOffset = fragOffset->nxt; } } } if (flowstr->canon.net.hdr.argus_dsrvl8.qual & ARGUS_FRAGOVERLAP) /* first check the TCP header overlap condition */ if ((up_p == IPPROTO_TCP) && ((offset > 0) && (offset < 2))) flowstr->canon.net.hdr.argus_dsrvl8.qual |= ARGUS_TCPFRAGOFFSETERROR; } /* if its new data update byte counters */ if (newbytes) frag->bytes += end - offset; frag->fragnum++; if (model->ArgusThisLength > frag->maxfraglen) frag->maxfraglen = model->ArgusThisLength; switch (proto) { case ETHERTYPE_IP: { struct ip *iphdr = (struct ip *)model->ArgusThisIpHdr; if (!(ntohs(iphdr->ip_off) & IP_MF)) frag->totlen = ((ntohs(iphdr->ip_off) & 0x1fff) << 3) + (ntohs(iphdr->ip_len) - (iphdr->ip_hl << 2)); break; } case ETHERTYPE_IPV6: { struct ip6_frag *tfrag = model->ArgusThisIpv6Frag; struct ip6_hdr *iphdr = (struct ip6_hdr *)model->ArgusThisIpHdr; if (!(tfrag->ip6f_offlg & IP6F_MORE_FRAG)) { frag->totlen = (ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK) + (ntohs(iphdr->ip6_plen) - 16)); } break; } } /* so if we've seen the first fragment we can know how many bytes to expect */ if (frag->totlen) { /* so if we've seen all the bytes */ if (frag->totlen == frag->bytes) { if (!(ArgusUpdateParentFlow (model, flowstr))) ArgusSendFlowRecord(model, flowstr, ARGUS_STOP); /* don't try to deallocate the non-malloc first chunk */ if ((fragOffset = frag->offsets.nxt) != NULL) { struct ArgusFragOffsetStruct *toffset = fragOffset->nxt; do { toffset = fragOffset->nxt; free(fragOffset); fragOffset = toffset; } while (fragOffset); } memset(&frag->offsets, 0, sizeof(frag->offsets)); retn = 1; } else { /* we could wait, thinking we'll get some fragments out of order may just want to finish up here with reported packet loss ? the option is to wait for the timeout */ } } else { /* test if we need add this chunk */ if (!found) { /* test if we've used the base frag offset */ if (fragOffset || prvfragOffset) { /* yes so we're going to add a new chunk */ if (fragOffset == NULL) fragOffset = prvfragOffset; if ((thisFragOffset = (struct ArgusFragOffsetStruct *) malloc(sizeof(*thisFragOffset))) != NULL) { thisFragOffset->nxt = NULL; thisFragOffset->start = offset; thisFragOffset->end = end; /* so does this go as the next chunk or the first chunk */ /* the idea is that fragOffset is the pointer to the new previous chunk */ /* so add it as its nxt pointer */ if (fragOffset->nxt == NULL) fragOffset->nxt = thisFragOffset; else { if ((fragOffset = &frag->offsets) != NULL) { while (fragOffset->nxt != NULL) fragOffset = fragOffset->nxt; fragOffset->nxt = thisFragOffset; } } } } else { } } } } else { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateFRAGState (0x%x, %d) no frag struct\n", flowstr, state); #endif } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateFRAGState(0x%x, 0x%x, %d) returns %d\n", model, flowstr, state, retn); #endif return (retn); } int ArgusUpdateParentFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr) { struct ArgusNetworkStruct *net = NULL; struct ArgusFragObject *frag = NULL; struct ArgusFlowStruct *parent; int retn = 0, found = 0; if (flowstr->canon.metric.src.pkts || flowstr->canon.metric.dst.pkts) { if ((net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_FRAG_INDEX]) != NULL) { frag = &net->net_union.frag; if ((parent = frag->parent) != NULL) { if (flowstr->qhdr.queue == &parent->frag) { found++; } else { } } } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusUpdateFRAGState(0x%x, 0x%x) parent has no frag struct", model, flowstr); #endif return (retn); } if (found) { struct ArgusTimeObject *ftime = NULL, *ptime = NULL; struct ArgusSystemFlow *flow = NULL; struct ArgusMetricStruct *metrics = NULL; if (parent->status & ARGUS_RECORD_WRITTEN) ArgusZeroRecord(parent); flow = (struct ArgusSystemFlow *)parent->dsrs[ARGUS_FLOW_INDEX]; metrics = (struct ArgusMetricStruct *) parent->dsrs[ARGUS_METRIC_INDEX]; #define ARGUS_TYPES (ARGUS_TYPE_IPV4 | ARGUS_TYPE_IPV6 | ARGUS_TYPE_ARP | ARGUS_TYPE_ETHER) if (flow && metrics) { switch (flow->hdr.argus_dsrvl8.qual & ARGUS_TYPES) { case ARGUS_TYPE_IPV4: case ARGUS_TYPE_IPV6: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) parent->dsrs[ARGUS_IPATTR_INDEX]; if ((parent->state & ARGUS_DIRECTION) != (flowstr->state & ARGUS_DIRECTION)) { if (flowstr->canon.metric.src.pkts) { metrics->dst.pkts += flowstr->canon.metric.src.pkts; metrics->dst.bytes += flowstr->canon.metric.src.bytes; metrics->dst.appbytes += flowstr->canon.metric.src.bytes; flowstr->canon.metric.src.pkts = 0; flowstr->canon.metric.src.bytes = 0; } else { metrics->src.pkts += flowstr->canon.metric.dst.pkts; metrics->src.bytes += flowstr->canon.metric.dst.bytes; metrics->src.appbytes += flowstr->canon.metric.dst.bytes; flowstr->canon.metric.dst.pkts = 0; flowstr->canon.metric.dst.bytes = 0; } if (attr != NULL) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } else { if (flowstr->canon.metric.src.pkts) { metrics->src.pkts += flowstr->canon.metric.src.pkts; metrics->src.bytes += flowstr->canon.metric.src.bytes; metrics->src.appbytes += flowstr->canon.metric.src.bytes; flowstr->canon.metric.src.pkts = 0; flowstr->canon.metric.src.bytes = 0; } else { metrics->dst.pkts += flowstr->canon.metric.dst.pkts; metrics->dst.bytes += flowstr->canon.metric.dst.bytes; metrics->dst.appbytes += flowstr->canon.metric.dst.bytes; flowstr->canon.metric.dst.pkts = 0; flowstr->canon.metric.dst.bytes = 0; } if (attr != NULL) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; } break; } } } ftime = (struct ArgusTimeObject *) flowstr->dsrs[ARGUS_TIME_INDEX]; ptime = (struct ArgusTimeObject *) parent->dsrs[ARGUS_TIME_INDEX]; if (ftime && ptime) { struct ArgusTimeStruct *pstime; if ((parent->state & ARGUS_DIRECTION) != (flowstr->state & ARGUS_DIRECTION)) { pstime = &ptime->dst; } else { pstime = &ptime->src; } if (ptime->hdr.subtype == ARGUS_TIME_ABSOLUTE_TIMESTAMP) { ptime->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; #if defined(ARGUS_NANOSECONDS) ptime->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_NANOSECONDS; #else ptime->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; #endif ptime->hdr.argus_dsrvl8.len = 5; if ((pstime->start.tv_sec > ftime->src.start.tv_sec) || ((pstime->start.tv_sec == ftime->src.start.tv_sec) && (pstime->start.tv_usec > ftime->src.start.tv_usec))) { pstime->start = ftime->src.start; } pstime->end = ftime->src.end; } else { if ((pstime->end.tv_sec < ftime->src.end.tv_sec) || ((pstime->end.tv_sec == ftime->src.end.tv_sec) && (pstime->end.tv_usec < ftime->src.end.tv_usec))) { pstime->end = ftime->src.end; } } parent->dsrindex |= 1 << ARGUS_TIME_INDEX; } retn = 1; } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusUpdateParentFlow(0x%x) did not find parent 0x%x\n", flowstr, parent); #endif } } #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusUpdateParentFlow(0x%x) returning 0x%x\n", flowstr, retn); #endif return (retn); } argus-5.0.2/argus/ArgusGeneve.c000066400000000000000000000077701471541253600163620ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - UDP Protocol processing - Geneve * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #if !defined(ArgusGeneve) #define ArgusGeneve #include unsigned short ArgusParseGeneve (struct ArgusModelerStruct *, void *); /* * Geneve header, draft-ietf-nvo3-geneve * * 0 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * |Ver| Opt Len |O|C| Rsvd. | Protocol Type | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Virtual Network Identifier (VNI) | Reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Variable Length Options | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * * Options: * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Option Class | Type |R|R|R| Length | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Variable Option Data | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ struct genevehdr { unsigned char ver_opt; unsigned char flags; unsigned short ptype; unsigned int vni; }; #define VER_SHIFT 6 #define HDR_OPTS_LEN_MASK 0x3F #define OPT_LEN_MASK 0x1F extern void *ArgusCreateIPv4Flow (struct ArgusModelerStruct *, struct ip *); extern void *ArgusCreateIPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); unsigned short ArgusParseGeneve (struct ArgusModelerStruct *model, void *ptr) { unsigned short retn = 0; struct argus_geneve *gen = model->ArgusThisGeneve; struct genevehdr *genhdr = ptr; struct ip *ip = (struct ip *) model->ArgusThisUpHdr; int len, optlen; if (ip->ip_v == 4) { ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisUpHdr); bcopy(model->ArgusThisFlow, model->ArgusThisGeneve->tflow, sizeof(*model->ArgusThisFlow)); } else { ArgusCreateIPv6Flow (model, (struct ip6_hdr *)model->ArgusThisUpHdr); bcopy(model->ArgusThisFlow, model->ArgusThisGeneve->tflow, sizeof(*model->ArgusThisFlow)); } if (STRUCTCAPTURED(model, *genhdr)) { optlen = (genhdr->ver_opt & OPT_LEN_MASK) << 2; gen->ver_opt = genhdr->ver_opt; gen->flags = genhdr->flags; gen->ptype = retn = ntohs(genhdr->ptype); gen->vni = ntohl(genhdr->vni) >> 8; len = ((unsigned char *) (genhdr + 1) + optlen) - model->ArgusThisUpHdr; model->ArgusThisEncaps |= ARGUS_ENCAPS_GENEVE; model->ArgusThisUpHdr = (unsigned char *)(genhdr + 1) + optlen; model->ArgusThisLength -= len; model->ArgusSnapLength -= len; if (ArgusDumpTask->ppc && (ArgusDumpTask->ppc[ARGUS_GENEVE_PROTO] == 1)) model->ArgusMatchProtocol++; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusParseGeneve(%p, %p) vni is %d\n", model, ptr, gen->vni); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseGeneve(%p, %p) returning %d\n", model, ptr, retn); #endif return (retn); } #endif argus-5.0.2/argus/ArgusGeneve.h000066400000000000000000000023511471541253600163550ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Geneve Includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusGeneve_h #define ArgusGeneve_h #include #include #include #include #include #include unsigned short ArgusParseGeneve (struct ArgusModelerStruct *, void *); #endif argus-5.0.2/argus/ArgusGetTimeOfDay.h000066400000000000000000000030251471541253600174240ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Events include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifndef __ARGUSGETTIMEOFDAY_H # define __ARGUSGETTIMEOFDAY_H # ifdef HAVE_CONFIG_H # include "argus_config.h" # endif # include # include # include "argus_def.h" /* call gettimeofday and convert to nanoseconds if required */ # ifdef __GNUC__ __attribute__((always_inline)) # endif inline static int ArgusGetTimeOfDay(const struct ArgusSourceStruct * const src, struct timeval *tv) { int rv; rv = gettimeofday(tv, 0); if (rv == 0) { if (src->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) tv->tv_usec *= 1000; } return rv; } #endif argus-5.0.2/argus/ArgusGre.c000066400000000000000000000072611471541253600156610ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - GRE Tunnel processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id$ * $DateTime: 2014/05/14 12:53:31 $ * $Change: 2827 $ */ #if !defined(ArgusGre) #define ArgusGre #include unsigned short ArgusParseGre (struct ArgusModelerStruct *, struct ip *, int); unsigned short ArgusParseGre (struct ArgusModelerStruct *model, struct ip *ip, int length) { struct argus_gre *gre = model->ArgusThisGre; int retn = 0, grelen = 4, hlen = 0, pass = 0; if (ip->ip_v == 4) { model->ArgusThisNetworkFlowType = ETHERTYPE_IP; pass = STRUCTCAPTURED(model,*ip); hlen = ip->ip_hl << 2; } else { struct ip6_hdr *ipv6 = (struct ip6_hdr *) ip; model->ArgusThisNetworkFlowType = ETHERTYPE_IPV6; pass = STRUCTCAPTURED(model,*ipv6); hlen += sizeof(*ipv6); } if (pass) { char *bp = ((char *)ip + hlen); unsigned short flags; /* model->ArgusThisLength -= hlen; model->ArgusSnapLength -= hlen; */ length -= hlen; flags = EXTRACT_16BITS(bp); bp += sizeof(unsigned short); retn = EXTRACT_16BITS(bp); bp += sizeof(unsigned short); model->ArgusThisEncaps |= ARGUS_ENCAPS_GRE; switch(flags & GRE_VERS_MASK) { case 0: { if ((flags & GRE_CP) | (flags & GRE_RP)) { grelen += 4; bp += 4; } if (flags & GRE_KP) { bp += 4; grelen -= 4; } if (flags & GRE_SP) { bp += 4; grelen += 4; } if (flags & GRE_RP) { for (;;) { u_int16_t af; u_int8_t srelen; if (BYTESCAPTURED(model, *bp, 4)) { af = EXTRACT_16BITS(bp); srelen = *(bp + 3); bp += 4; grelen -= 4; if (af == 0 && srelen == 0) break; bp += srelen; grelen += srelen; } else break; } } break; } case 1: { if (flags & GRE_KP) { bp += 4; grelen -= 4; } if (flags & GRE_SP) { bp += 4; grelen += 4; } if (flags & GRE_AP) { bp += 4; grelen += 4; } break; } } gre->flags = flags; gre->proto = retn; model->ArgusThisUpHdr = (unsigned char *) bp; model->ArgusThisLength -= grelen; model->ArgusSnapLength -= grelen; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusParseGre(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } #endif argus-5.0.2/argus/ArgusGre.h000066400000000000000000000023661471541253600156670ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - UDP Protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusVxLan_h #define ArgusVxLan_h #include #include #include #include #include #include unsigned short ArgusParseGre (struct ArgusModelerStruct *, struct ip *, int); #endif argus-5.0.2/argus/ArgusIcmp.c000066400000000000000000000355641471541253600160430ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - ICMP protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusIcmp.c#5 $ * $DateTime: 2016/04/01 14:32:31 $ * $Change: 3134 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusIcmp) #define ArgusIcmp #endif #include #include #include #include #include struct ArgusSystemFlow * ArgusCreateICMPv6Flow (struct ArgusModelerStruct *model, struct icmp6_hdr *icmp) { struct ArgusSystemFlow *retn = NULL; if (STRUCTCAPTURED(model, *icmp)) { struct ArgusICMPv6Flow *icmpv6Flow = &model->ArgusThisFlow->icmpv6_flow; icmpv6Flow->type = icmp->icmp6_type; switch (icmp->icmp6_type & ICMP6_INFOMSG_MASK) { case ICMP6_INFOMSG_MASK: switch (icmp->icmp6_type) { case ICMP6_ECHO_REPLY: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_ECHO_REQUEST; break; case ICMP6_MEMBERSHIP_REPORT: case ICMP6_MEMBERSHIP_REDUCTION: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_MEMBERSHIP_QUERY; break; case ND_ROUTER_ADVERT: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ND_ROUTER_SOLICIT; break; case ND_NEIGHBOR_ADVERT: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ND_NEIGHBOR_SOLICIT; break; case ICMP6_HADISCOV_REPLY: if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) icmpv6Flow->type = ICMP6_HADISCOV_REQUEST; break; } icmpv6Flow->code = icmp->icmp6_code; break; default: { switch (icmp->icmp6_type) { case ICMP6_DST_UNREACH: case ICMP6_PACKET_TOO_BIG: case ICMP6_TIME_EXCEEDED: case ICMP6_PARAM_PROB: break; } icmpv6Flow->type = icmp->icmp6_type; icmpv6Flow->code = icmp->icmp6_code; break; } } if (model->state & ARGUS_DIRECTION) { } retn = (struct ArgusSystemFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateICMPFlow(0x%x) returning %d\n", icmp, retn); #endif return (retn); } struct ArgusSystemFlow * ArgusCreateICMPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusSystemFlow *retn = NULL; struct icmp *icmp = (struct icmp *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, icmp->icmp_type)) { struct ArgusICMPFlow *icmpFlow = &model->ArgusThisFlow->icmp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; retn->hdr.argus_dsrvl8.len = 5; icmpFlow->ip_src = ntohl(ip->ip_src.s_addr); icmpFlow->ip_dst = ntohl(ip->ip_dst.s_addr); icmpFlow->type = icmp->icmp_type; icmpFlow->ip_p = ip->ip_p; icmpFlow->tp_p = 0; icmpFlow->id = 0; icmpFlow->ip_id = 0; if (ICMP_INFOTYPE(icmp->icmp_type)) { switch (icmp->icmp_type) { case ICMP_ECHOREPLY: model->state |= ARGUS_DIRECTION; case ICMP_ECHO: icmpFlow->type = ICMP_ECHO; if (STRUCTCAPTURED(model, icmp->icmp_id)) icmpFlow->id = ntohs(icmp->icmp_id); if (STRUCTCAPTURED(model, icmp->icmp_seq)) icmpFlow->ip_id = ntohs(icmp->icmp_seq); break; case ICMP_TSTAMPREPLY: model->state |= ARGUS_DIRECTION; case ICMP_TSTAMP: icmpFlow->type = ICMP_TSTAMP; break; case ICMP_IREQREPLY: model->state |= ARGUS_DIRECTION; case ICMP_IREQ: icmpFlow->type = ICMP_IREQ; break; case ICMP_MASKREPLY: model->state |= ARGUS_DIRECTION; case ICMP_MASKREQ: icmpFlow->type = ICMP_MASKREQ; break; } } else { if (STRUCTCAPTURED(model, icmp->icmp_code)) { icmpFlow->code = icmp->icmp_code; if (STRUCTCAPTURED(model, icmp->icmp_ip)) { struct ip *oip = &icmp->icmp_ip; switch (icmp->icmp_type) { case ICMP_UNREACH: switch (icmp->icmp_code) { case ICMP_UNREACH_PROTOCOL: icmpFlow->id = (unsigned short) icmp->icmp_ip.ip_p; break; case ICMP_UNREACH_PORT: { struct ip *oip = &icmp->icmp_ip; struct udphdr *ouh; int hlen = oip->ip_hl << 2; ouh = (struct udphdr *) (((u_char *) oip) + hlen); icmpFlow->tp_p = oip->ip_p; icmpFlow->id = ntohs((unsigned short) ouh->uh_dport); break; } case ICMP_UNREACH_NET: case ICMP_UNREACH_HOST: bcopy ((char *) &icmp->icmp_ip.ip_dst.s_addr, (char *)&icmpFlow->id, sizeof (int)); break; } break; case ICMP_REDIRECT: switch (icmp->icmp_code) { case ICMP_REDIRECT_TOSNET: case ICMP_REDIRECT_TOSHOST: icmpFlow->tp_p = oip->ip_tos; break; case ICMP_REDIRECT_NET: case ICMP_REDIRECT_HOST: bcopy ((char *) &icmp->icmp_ip.ip_dst.s_addr, (char *)&icmpFlow->id, sizeof (int)); break; } break; default: break; } } } } if (model->state & ARGUS_DIRECTION) { unsigned int addr = icmpFlow->ip_src; icmpFlow->ip_src = icmpFlow->ip_dst; icmpFlow->ip_dst = addr; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateICMPFlow(0x%x) returning %d\n", ip, retn); #endif return (retn); } #include #include void ArgusUpdateICMPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateICMPv6State (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateICMPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct ArgusICMPObject *icmpObj = &net->net_union.icmp; struct icmp *icmp = (struct icmp *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *icmp)) { if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ICMP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusICMPObject)+3))/4 + 1; bzero ((char *)icmpObj, sizeof(*icmpObj)); icmpObj->icmp_type = icmp->icmp_type; icmpObj->icmp_code = icmp->icmp_code; icmpObj->iseq = ntohs(icmp->icmp_seq); icmpObj->osrcaddr = ntohl(((struct ip *)model->ArgusThisIpHdr)->ip_src.s_addr); icmpObj->odstaddr = ntohl(((struct ip *)model->ArgusThisIpHdr)->ip_dst.s_addr); if (ICMP_INFOTYPE(icmp->icmp_type)) { switch (icmp->icmp_type) { case ICMP_ECHO: case ICMP_IREQ: case ICMP_MASKREQ: case ICMP_TSTAMP: break; case ICMP_MASKREPLY: icmp->icmp_mask = ntohl(icmp->icmp_mask); icmpObj->isrcaddr = icmp->icmp_mask; case ICMP_ECHOREPLY: case ICMP_IREQREPLY: case ICMP_TSTAMPREPLY: break; } } else { struct ip *oip = &icmp->icmp_ip; if (STRUCTCAPTURED(model, *oip)) { icmpObj->isrcaddr = ntohl(oip->ip_src.s_addr); icmpObj->idstaddr = ntohl(oip->ip_dst.s_addr); icmpObj->igwaddr = ntohl(icmp->icmp_gwaddr.s_addr); } } } else { if (ICMP_INFOTYPE(icmp->icmp_type)) { if ((flowstr->canon.metric.src.pkts == 0) && (flowstr->canon.metric.dst.pkts == 0)) icmpObj->icmp_type = icmp->icmp_type; switch (icmp->icmp_type) { case ICMP_ECHO: case ICMP_IREQ: case ICMP_TSTAMP: case ICMP_MASKREQ: *state = ARGUS_START; icmpObj->icmp_type = icmp->icmp_type; break; case ICMP_ECHOREPLY: case ICMP_IREQREPLY: case ICMP_TSTAMPREPLY: case ICMP_MASKREPLY: model->ArgusInProtocol = 1; break; default: break; } } } if (!(ICMP_INFOTYPE(icmp->icmp_type))) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow; struct ArgusHashStruct hstruct; struct ip *oip = &icmp->icmp_ip; if (STRUCTCAPTURED(model, *oip)) { model->ArgusThisIpHdr = oip; model->ArgusThisUpHdr = (unsigned char *) oip; if ((tflow = ArgusCreateFlow(model, oip, model->ArgusThisLength)) != NULL) { ArgusCreateFlowKey (model, tflow, &hstruct); if ((flow = ArgusFindFlow (model, &hstruct)) != NULL) { struct ArgusDSRHeader *dsr = &flow->canon.icmp.hdr; struct ArgusTimeObject *time = &flow->canon.time; dsr->type = ARGUS_ICMP_DSR; dsr->subtype = 0; switch (icmp->icmp_type) { case ICMP_UNREACH: dsr->argus_dsrvl8.qual = ARGUS_ICMPUNREACH_MAPPED; break; case ICMP_REDIRECT: dsr->argus_dsrvl8.qual = ARGUS_ICMPREDIREC_MAPPED; break; case ICMP_TIMXCEED: dsr->argus_dsrvl8.qual = ARGUS_ICMPTIMXCED_MAPPED; break; } dsr->argus_dsrvl8.len = (sizeof (struct ArgusIcmpStruct) + 3)/4 + 1; bcopy ((char *) icmpObj, (char *) (dsr + 1), sizeof (*icmpObj)); flow->dsrs[ARGUS_ICMP_INDEX] = dsr; flow->dsrindex |= 1 << ARGUS_ICMP_INDEX; if (time->src.start.tv_sec == 0) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP; #if defined(ARGUS_NANOSECONDS) time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_NANOSECONDS; #else time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; #endif time->hdr.argus_dsrvl8.len = 3; time->src.start.tv_sec = model->ArgusGlobalTime.tv_sec; time->src.start.tv_usec = model->ArgusGlobalTime.tv_usec; } else { if (time->hdr.argus_dsrvl8.len != 5) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; #if defined(ARGUS_NANOSECONDS) time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_NANOSECONDS; #else time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; #endif time->hdr.argus_dsrvl8.len = 5; } time->src.end.tv_sec = model->ArgusGlobalTime.tv_sec; time->src.end.tv_usec = model->ArgusGlobalTime.tv_usec; } } } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateICMPState(0x%x, %d) returning\n", flowstr, state); #endif } void ArgusUpdateICMPv6State (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct ArgusICMPv6Object *icmpObj = &net->net_union.icmpv6; struct icmp6_hdr *icmpv6 = (struct icmp6_hdr *) model->ArgusThisUpHdr; if (STRUCTCAPTURED(model, *icmpv6)) { if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ICMP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusICMPObject)+3))/4 + 1; bzero ((char *)icmpObj, sizeof(*icmpObj)); icmpObj->icmp_type = icmpv6->icmp6_type; icmpObj->icmp_code = icmpv6->icmp6_code; icmpObj->cksum = ntohs(icmpv6->icmp6_cksum); if (icmpv6->icmp6_type & ICMP6_INFOMSG_MASK) { } else { switch (icmpv6->icmp6_type) { case ICMP6_DST_UNREACH: case ICMP6_PACKET_TOO_BIG: case ICMP6_TIME_EXCEEDED: case ICMP6_PARAM_PROB: break; } } } else { if (icmpv6->icmp6_type & ICMP6_INFOMSG_MASK) { if ((flowstr->canon.metric.src.pkts == 0) && (flowstr->canon.metric.dst.pkts == 0)) icmpObj->icmp_type = icmpv6->icmp6_type; switch (icmpv6->icmp6_type) { default: break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateICMPState(0x%x, %d) returning\n", flowstr, state); #endif } argus-5.0.2/argus/ArgusIfnam.c000066400000000000000000000071651471541253600162010ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Interface naming * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #include #include #include #include #include "argus_compat.h" #include "ArgusModeler.h" #include "ArgusSource.h" #include "ArgusIfnam.h" #define __NAMELENGTH 4 static inline int __rot26(int c) { if (!isalpha(c)) return -1; if (c == 'z') c = 'a'; else if (c == 'Z') c = 'A'; else c++; return c; } static inline void __shortname_next(char *ifnam) { *ifnam = __rot26(*ifnam); } /* out := first letter of *in followed by the last 3 chars of *in */ static int shortname_ethdev(char *in, char *out, size_t outlen) { int nullterm; size_t inlen; if (outlen < __NAMELENGTH) return -ENOSPC; if (outlen == __NAMELENGTH) nullterm = 0; else nullterm = 1; while (outlen > 0) out[--outlen] = '\0'; inlen = strlen(in); if (inlen <= __NAMELENGTH) { while (inlen > 0) { inlen--; out[inlen] = in[inlen]; } } else { out[0] = *in; out[1] = in[inlen-3]; out[2] = in[inlen-2]; out[3] = in[inlen-1]; } if (nullterm) out[4] = '\0'; return 0; } static int shortname_ethdev_check(char *ifnam, struct ArgusListStruct *ArgusDeviceList) { struct ArgusDeviceStruct *dev; int ret = 0; pthread_mutex_lock(&ArgusDeviceList->lock); dev = (struct ArgusDeviceStruct *)ArgusDeviceList->start; if (dev) { for (; dev; dev = (struct ArgusDeviceStruct *)dev->nxt) { size_t ifnamlen = strlen(ifnam); if (!memcmp(ifnam, dev->trans.srcid.inf, ifnamlen < __NAMELENGTH ? ifnamlen : __NAMELENGTH)) { /* oops, this name is already on the list */ ret = -1; break; } } } pthread_mutex_unlock(&ArgusDeviceList->lock); return ret; } /* out := first letter of *in followed by the last 3 alnum chars of *in */ int shortname_ethdev_unique(char *in, char *out, size_t outlen, struct ArgusListStruct *ArgusDeviceList) { unsigned count = 0; int done = 0; int ret = 0; char *incopy; size_t inlen; /* Really only needed for Windows Transport Names */ while (*in && !isalpha((int)*in)) in++; incopy = strdup(in); if (incopy == NULL) return -1; inlen = strlen(incopy); while (inlen > 0 && !isalnum((int)incopy[inlen-1])) incopy[--inlen] = '\0'; ret = shortname_ethdev(incopy, out, outlen); free(incopy); if (ret < 0) return ret; do { ret = shortname_ethdev_check(out, ArgusDeviceList); if (++count < 25 && ret < 0) __shortname_next(out); else done = 1; } while (!done); return ret; } argus-5.0.2/argus/ArgusIfnam.h000066400000000000000000000025251471541253600162010ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Events include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifndef __ARGUS_IFNAM_H # define __ARGUS_IFNAM_H # ifdef HAVE_CONFIG_H # include "argus_config.h" # endif # include "argus_compat.h" # include "ArgusModeler.h" # include "ArgusSource.h" int shortname_ethdev_unique(char *in, char *out, size_t outlen, struct ArgusListStruct *ArgusDeviceList); #else extern int shortname_ethdev_unique(char *, char *, size_t, struct ArgusListStruct *); #endif argus-5.0.2/argus/ArgusIgmp.c000066400000000000000000000103651471541253600160370ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - IGMP protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusIgmp.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusIgmp) #define ArgusIgmp #endif #include #include #include #include #include #if !defined(IGMP_MEMBERSHIP_QUERY) #define IGMP_MEMBERSHIP_QUERY 0x11 #endif #if !defined(IGMP_V1_MEMBERSHIP_REPORT) #define IGMP_V1_MEMBERSHIP_REPORT 0x12 #endif #if !defined(IGMP_V2_MEMBERSHIP_REPORT) #define IGMP_V2_MEMBERSHIP_REPORT 0x16 #endif #if !defined(IGMP_V2_LEAVE_GROUP) #define IGMP_V2_LEAVE_GROUP 0x17 #endif struct ArgusFlow *ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *, struct igmp *); struct ArgusFlow *ArgusCreateIGMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusFlow * ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *model, struct igmp *igmp) { struct ArgusFlow *retn = NULL; struct ArgusIGMPFlow *igmpFlow = &model->ArgusThisFlow->igmp_flow; if (STRUCTCAPTURED(model, *igmp)) { igmpFlow->type = igmp->igmp_type; igmpFlow->code = igmp->igmp_code; igmpFlow->pad = 0; switch (igmp->igmp_type) { case IGMP_HOST_MEMBERSHIP_QUERY: if (igmp->igmp_group.s_addr != 0) igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; case IGMP_V1_MEMBERSHIP_REPORT: case IGMP_V2_MEMBERSHIP_REPORT: case IGMP_V2_LEAVE_GROUP: default: igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; } retn = (struct ArgusFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIGMPFlow(0x%x) returning %d\n", igmp, retn); #endif return (retn); } struct ArgusFlow * ArgusCreateIGMPFlow (struct ArgusModelerStruct *model, struct ip *ip) { struct ArgusFlow *retn = NULL; unsigned int *igmphdr = (unsigned int *) model->ArgusThisUpHdr; struct igmp *igmp = (struct igmp *) igmphdr; struct ArgusIGMPFlow *igmpFlow = &model->ArgusThisFlow->igmp_flow; model->state &= ~ARGUS_DIRECTION; if (STRUCTCAPTURED(model, *igmphdr)) { model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; igmpFlow->ip_src = ntohl(ip->ip_src.s_addr); igmpFlow->ip_dst = ntohl(ip->ip_dst.s_addr); igmpFlow->ip_p = ip->ip_p; igmpFlow->type = igmp->igmp_type; igmpFlow->code = igmp->igmp_code; igmpFlow->ip_id = ntohs(ip->ip_id); igmpFlow->pad = 0; switch (igmp->igmp_type) { case IGMP_HOST_MEMBERSHIP_QUERY: if (igmp->igmp_group.s_addr != 0) igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; case IGMP_V1_MEMBERSHIP_REPORT: case IGMP_V2_MEMBERSHIP_REPORT: case IGMP_V2_LEAVE_GROUP: default: igmpFlow->ip_dst = ntohl(igmp->igmp_group.s_addr); break; } retn = (struct ArgusFlow *) model->ArgusThisFlow; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIGMPFlow(0x%x) returning %d\n", ip, retn); #endif return (retn); } argus-5.0.2/argus/ArgusIsis.c000066400000000000000000000737551471541253600160660ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - ISIS flow tracking * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusIsis.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusIsis #define ArgusIsis #endif #include void ArgusUpdateIsisState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusInitializeIsis (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusIsisFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); static int isis_cksum(const u_int16_t *, u_int); #define ISIS_COMMON_HEADER_SIZE (sizeof(struct isis_common_header)) #define ISIS_IIH_LAN_HEADER_SIZE (sizeof(struct isis_iih_lan_header)) #define ISIS_IIH_PTP_HEADER_SIZE (sizeof(struct isis_iih_ptp_header)) #define ISIS_LSP_HEADER_SIZE (sizeof(struct isis_lsp_header)) #define ISIS_CSNP_HEADER_SIZE (sizeof(struct isis_csnp_header)) #define ISIS_PSNP_HEADER_SIZE (sizeof(struct isis_psnp_header)) int mask2plen (u_int32_t); struct ArgusSystemFlow *ArgusCreateEtherFlow (struct ArgusModelerStruct *, struct ether_header *); struct ArgusSystemFlow * ArgusCreateEtherFlow (struct ArgusModelerStruct *model, struct ether_header *ep) { struct ArgusSystemFlow *retn = NULL; if (ep != NULL) { int dstgteq = 1, i; model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ETHER; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; #ifndef ETH_ALEN #define ETH_ALEN 6 #endif for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) { if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } } if (dstgteq) { bcopy ((char *) ep, (char *)&model->ArgusThisFlow->mac_flow.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_shost, ETH_ALEN); } model->ArgusThisFlow->mac_flow.ehdr.ether_type = ep->ether_type; if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { model->ArgusThisFlow->mac_flow.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_ISIS: model->ArgusThisFlow->mac_flow.ehdr.ether_type = ARGUS_ISIS; break; case ARGUS_CLNS: case ARGUS_ESIS: case ARGUS_NULLNS: break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->ssap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->dsap; } else { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->dsap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->ssap; } } else { model->ArgusThisFlow->mac_flow.ssap = 0; model->ArgusThisFlow->mac_flow.dsap = 0; } retn = model->ArgusThisFlow; } return (retn); } /* extern char *etheraddr_string(u_char *); static char *isis_print_id(const u_int8_t *, int); */ char *bittok2str(const struct tok *, const char *, int); const char *tok2str(const struct tok *lp, const char *fmt, int); int print_unknown_data(const u_char *, const char *, int); struct ArgusSystemFlow * ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header) { struct ArgusSystemFlow *retn = NULL; struct ether_header *ep = model->ArgusThisEpHdr; u_int8_t pdu_type, *optr, *pptr; int length; if (header && STRUCTCAPTURED(ArgusModel, *header)) { length = model->ArgusThisLength; optr = (unsigned char *)header; pptr = optr + (ISIS_COMMON_HEADER_SIZE); if ((header->version == ISIS_VERSION) && (header->pdu_version == ISIS_VERSION) && ((header->id_length == SYSTEM_ID_LEN) || (header->id_length == 0))) { struct ArgusIsisFlow *isis = &model->ArgusThisFlow->isis_flow; /* id_length = (header->id_length == 0) ? 6 : header->id_length; max_area = (header->max_area == 0) ? 3 : header->max_area; */ model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ISIS; model->ArgusThisFlow->hdr.argus_dsrvl8.len = ((sizeof(*isis) + 3)/4) + 1; bcopy ((char *)&ep->ether_shost, (char *)&isis->esrc, 6); bcopy ((char *)&ep->ether_dhost, (char *)&isis->edst, 6); isis->proto_version = header->version; switch (pdu_type = header->pdu_type) { case L1_LAN_IIH: case L2_LAN_IIH: { const struct isis_iih_lan_header *header_iih_lan = (const struct isis_iih_lan_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_IIH_LAN_HEADER_SIZE)) { isis->pdu_type = pdu_type; bzero ((char *)&isis->isis_un.hello.srcid, sizeof(isis->isis_un.hello.srcid)); bzero ((char *)&isis->isis_un.hello.lanid, sizeof(isis->isis_un.hello.lanid)); bcopy ((char *)&header_iih_lan->source_id, (char *)&isis->isis_un.hello.srcid, SYSTEM_ID_LEN); bcopy ((char *)&header_iih_lan->lan_id, (char *)&isis->isis_un.hello.lanid, NODE_ID_LEN); retn = model->ArgusThisFlow; { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } } break; } case L1_LSP: case L2_LSP: { const struct isis_lsp_header *header_lsp = (const struct isis_lsp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_LSP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_lsp->lsp_id, (char *)&isis->isis_un.lsp.lspid, LSP_ID_LEN); isis->isis_un.lsp.seqnum = EXTRACT_32BITS(header_lsp->sequence_number); isis->chksum = EXTRACT_16BITS(header_lsp->checksum); retn = model->ArgusThisFlow; } break; } case PTP_IIH: { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; break; } case L1_CSNP: case L2_CSNP: { const struct isis_csnp_header *header_csnp = (const struct isis_csnp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_CSNP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_csnp->source_id, (char *)&isis->isis_un.csnp.srcid, NODE_ID_LEN); { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } retn = model->ArgusThisFlow; } break; } case L1_PSNP: case L2_PSNP: { const struct isis_psnp_header *header_psnp = (const struct isis_psnp_header *)pptr; if (header->fixed_len == (ISIS_COMMON_HEADER_SIZE+ISIS_PSNP_HEADER_SIZE)) { isis->pdu_type = pdu_type; bcopy ((char *)&header_psnp->source_id, (char *)&isis->isis_un.psnp.srcid, NODE_ID_LEN); retn = model->ArgusThisFlow; { u_int16_t *ptr = (u_int16_t *) (((long)pptr & 0x01) ? (pptr - 1) : pptr); int tlen = (length - ISIS_COMMON_HEADER_SIZE); if (BYTESCAPTURED(ArgusModel, ptr, tlen)) isis->chksum = isis_cksum(ptr, tlen); else isis->chksum = 0; } } break; } default: break; } } } if (retn == NULL) retn = ArgusCreateEtherFlow (model, ep); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCreateIsisFlow (0x%x) returning %d\n", ep, retn); #endif return (retn); } void ArgusUpdateIsisState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state) { const struct isis_common_header *header = (const struct isis_common_header *) model->ArgusThisUpHdr; const u_int8_t *pptr; if (flowstr) { if (header && STRUCTCAPTURED(model, *header)) { pptr = model->ArgusThisUpHdr + (ISIS_COMMON_HEADER_SIZE); model->ArgusThisLength += 5; /* fudge ? */ model->ArgusSnapLength += 5; /* fudge ? */ if (state == ARGUS_START) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_ISIS_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = (sizeof (struct ArgusIsisObject) + 3)/4; flowstr->dsrs[ARGUS_NETWORK_INDEX] = &flowstr->canon.net.hdr; bcopy ((char *)header, (char *)&flowstr->canon.net.net_union.isis.common, sizeof(*header)); switch (header->pdu_type) { case L1_LAN_IIH: case L2_LAN_IIH: { const struct isis_iih_lan_header *header_iih_lan; header_iih_lan = (const struct isis_iih_lan_header *)pptr; bcopy ((char *)header_iih_lan, (char *)&flowstr->canon.net.net_union.isis.isis_un.iih_lan, sizeof(*header_iih_lan)); break; } case L1_LSP: case L2_LSP: { const struct isis_lsp_header *header_lsp; header_lsp = (const struct isis_lsp_header *)pptr; bcopy ((char *)header_lsp, (char *)&flowstr->canon.net.net_union.isis.isis_un.lsp, sizeof(*header_lsp)); break; } case PTP_IIH: break; case L1_CSNP: case L2_CSNP: { const struct isis_csnp_header *header_csnp; header_csnp = (const struct isis_csnp_header *)pptr; bcopy ((char *)header_csnp, (char *)&flowstr->canon.net.net_union.isis.isis_un.csnp, sizeof(*header_csnp)); break; } case L1_PSNP: case L2_PSNP: { const struct isis_psnp_header *header_psnp; header_psnp = (const struct isis_psnp_header *)pptr; bcopy ((char *)header_psnp, (char *)&flowstr->canon.net.net_union.isis.isis_un.psnp, sizeof(*header_psnp)); break; } } } else { flowstr->userlen = 0; } } } /* isis_print(model->ArgusThisUpHdr, model->ArgusThisLength); printf ("\n"); */ } void ArgusInitializeIsis (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { ArgusUpdateFlow (model, flow, ARGUS_START, 1); } void ArgusIsisFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } /* static char * print_nsap(register const u_int8_t *pptr, register int nsap_length) { int nsap_idx; static char nsap_ascii_output[sizeof("xx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xx")]; char *junk_buf = nsap_ascii_output; if (nsap_length < 1 || nsap_length > 20) { snprintf(nsap_ascii_output, sizeof(nsap_ascii_output), "illegal length"); return (nsap_ascii_output); } for (nsap_idx = 0; nsap_idx < nsap_length; nsap_idx++) { snprintf(junk_buf, sizeof(nsap_ascii_output) - (junk_buf - nsap_ascii_output), "%02x", *pptr++); junk_buf += strlen(junk_buf); if (((nsap_idx & 1) == 0) && (nsap_idx + 1 < nsap_length)) { *junk_buf++ = '.'; } } *(junk_buf) = '\0'; return (nsap_ascii_output); } */ /* shared routine for printing system, node and lsp-ids */ /* static char * isis_print_id(const u_int8_t *cp, int id_len) { int i; static char id[sizeof("xxxx.xxxx.xxxx.yy-zz")]; char *pos = id; for (i = 1; i <= SYSTEM_ID_LEN; i++) { snprintf(pos, sizeof(id) - (pos - id), "%02x", *cp++); pos += strlen(pos); if (i == 2 || i == 4) *pos++ = '.'; } if (id_len >= NODE_ID_LEN) { snprintf(pos, sizeof(id) - (pos - id), ".%02x", *cp++); pos += strlen(pos); } if (id_len == LSP_ID_LEN) snprintf(pos, sizeof(id) - (pos - id), "-%02x", *cp); return (id); } */ /* print the 4-byte metric block which is common found in the old-style TLVs */ /* static int isis_print_metric_block (const struct isis_metric_block *isis_metric_block) { printf(", Default Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_default), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_default) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_delay)) printf("\n\t\t Delay Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_delay), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_delay) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_expense)) printf("\n\t\t Expense Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_expense), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_expense) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(isis_metric_block->metric_error)) printf("\n\t\t Error Metric: %d, %s", ISIS_LSP_TLV_METRIC_VALUE(isis_metric_block->metric_error), ISIS_LSP_TLV_METRIC_IE(isis_metric_block->metric_error) ? "External" : "Internal"); return(1); } static int isis_print_tlv_ip_reach (const u_int8_t *cp, const char *ident, int length) { int prefix_len; const struct isis_tlv_ip_reach *tlv_ip_reach; tlv_ip_reach = (const struct isis_tlv_ip_reach *)cp; while (length > 0) { if ((size_t)length < sizeof(*tlv_ip_reach)) { printf("short IPv4 Reachability (%d vs %lu)", length, (unsigned long)sizeof(*tlv_ip_reach)); return (0); } prefix_len = mask2plen(EXTRACT_32BITS(tlv_ip_reach->mask)); if (prefix_len == -1) printf("%sIPv4 prefix: %s mask %s", ident, ipaddr_string((tlv_ip_reach->prefix)), ipaddr_string((tlv_ip_reach->mask))); else printf("%sIPv4 prefix: %15s/%u", ident, ipaddr_string((tlv_ip_reach->prefix)), prefix_len); printf(", Distribution: %s, Metric: %u, %s", ISIS_LSP_TLV_METRIC_UPDOWN(tlv_ip_reach->isis_metric_block.metric_default) ? "down" : "up", ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_default), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_default) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_delay)) printf("%s Delay Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_delay), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_delay) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_expense)) printf("%s Expense Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_expense), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_expense) ? "External" : "Internal"); if (!ISIS_LSP_TLV_METRIC_SUPPORTED(tlv_ip_reach->isis_metric_block.metric_error)) printf("%s Error Metric: %u, %s", ident, ISIS_LSP_TLV_METRIC_VALUE(tlv_ip_reach->isis_metric_block.metric_error), ISIS_LSP_TLV_METRIC_IE(tlv_ip_reach->isis_metric_block.metric_error) ? "External" : "Internal"); length -= sizeof(struct isis_tlv_ip_reach); tlv_ip_reach++; } return (1); } */ /* * this is the common IP-REACH subTLV decoder it is called * from various EXTD-IP REACH TLVs (135,235,236,237) */ /* static int isis_print_ip_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *ident) { printf ("%s%s subTLV #%u, length: %u", ident, tok2str(isis_ext_ip_reach_subtlv_values, "unknown", subt), subt, subl); switch(subt) { case SUBTLV_EXTD_IP_REACH_ADMIN_TAG32: while (subl >= 4) { printf (", 0x%08x (=%u)", EXTRACT_32BITS(tptr), EXTRACT_32BITS(tptr)); tptr += 4; subl -= 4; } break; case SUBTLV_EXTD_IP_REACH_ADMIN_TAG64: while (subl >= 8) { printf (", 0x%08x%08x", EXTRACT_32BITS(tptr), EXTRACT_32BITS(tptr+4)); tptr += 8; subl -= 8; } break; default: if (!print_unknown_data (tptr,"\n\t\t ", subl)) return (0); break; } return (1); trunctlv: printf ("%spacket exceeded snapshot", ident); return (0); } */ /* * this is the common IS-REACH subTLV decoder it is called * from isis_print_ext_is_reach() */ /* static int isis_print_is_reach_subtlv (const u_int8_t *tptr,int subt,int subl,const char *ident) { int priority_level; union { float f; u_int32_t i; } bw; printf("%s%s subTLV #%u, length: %u", ident, tok2str(isis_ext_is_reach_subtlv_values, "unknown", subt), subt, subl); switch(subt) { case SUBTLV_EXT_IS_REACH_ADMIN_GROUP: case SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID: case SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID: if (subl >= 4) { printf(", 0x%08x", EXTRACT_32BITS(tptr)); if (subl == 8) printf(", 0x%08x", EXTRACT_32BITS(tptr+4)); } break; case SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR: case SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR: if (subl >= 4) printf(", %s", ipaddr_string(tptr)); break; case SUBTLV_EXT_IS_REACH_MAX_LINK_BW : case SUBTLV_EXT_IS_REACH_RESERVABLE_BW: if (subl >= 4) { bw.i = EXTRACT_32BITS(tptr); printf(", %.3f Mbps", bw.f*8/1000000 ); } break; case SUBTLV_EXT_IS_REACH_UNRESERVED_BW : if (subl >= 32) { for (priority_level = 0; priority_level < 8; priority_level++) { bw.i = EXTRACT_32BITS(tptr); printf("%s priority level %d: %.3f Mbps", ident, priority_level, bw.f*8/1000000 ); tptr += 4; } } break; case SUBTLV_EXT_IS_REACH_TE_METRIC: if (subl >= 3) printf(", %u", EXTRACT_24BITS(tptr)); break; case SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE: if (subl >= 2) { printf(", %s, Priority %u", bittok2str(gmpls_link_prot_values, "none", *tptr), *(tptr+1)); } break; case SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR: if (subl >= 36) { printf("%s Interface Switching Capability:%s", ident, tok2str(gmpls_switch_cap_values, "Unknown", *(tptr))); printf(", LSP Encoding: %s", tok2str(gmpls_encoding_values, "Unknown", *(tptr+1))); tptr+=4; printf("%s Max LSP Bandwidth:",ident); for (priority_level = 0; priority_level < 8; priority_level++) { bw.i = EXTRACT_32BITS(tptr); printf("%s priority level %d: %.3f Mbps", ident, priority_level, bw.f*8/1000000 ); tptr+=4; } subl-=36; if(subl>0){ if(!print_unknown_data(tptr,"\n\t\t ", subl-36)) return(0); } } break; default: if(!print_unknown_data(tptr,"\n\t\t ", subl)) return(0); break; } return(1); trunctlv: printf("%spacket exceeded snapshot",ident); return(0); } */ /* * this is the common IS-REACH decoder it is called * from various EXTD-IS REACH style TLVs (22,24,222) */ /* static int isis_print_ext_is_reach (const u_int8_t *tptr,const char *ident, int tlv_type) { char ident_buffer[20]; int subtlv_type,subtlv_len,subtlv_sum_len; int proc_bytes = 0; printf("%sIS Neighbor: %s", ident, isis_print_id(tptr, NODE_ID_LEN)); tptr+=(NODE_ID_LEN); if (tlv_type != TLV_IS_ALIAS_ID) { printf(", Metric: %d",EXTRACT_24BITS(tptr)); tptr += 3; } subtlv_sum_len = *(tptr++); proc_bytes = NODE_ID_LEN + 3 + 1; printf(", %ssub-TLVs present",subtlv_sum_len ? "" : "no "); if (subtlv_sum_len) { printf(" (%u)",subtlv_sum_len); while (subtlv_sum_len>0) { subtlv_type = *(tptr++); subtlv_len = *(tptr++); snprintf (ident_buffer, sizeof(ident_buffer), "%s ",ident); if (!isis_print_is_reach_subtlv(tptr,subtlv_type,subtlv_len,ident_buffer)) return (0); tptr += subtlv_len; subtlv_sum_len -= (subtlv_len+2); proc_bytes += (subtlv_len+2); } } return(proc_bytes); } */ /* * this is the common Multi Topology ID decoder * it is called from various MT-TLVs (222,229,235,237) */ /* static int isis_print_mtid (const u_int8_t *tptr,const char *ident) { printf("%s%s", ident, tok2str(isis_mt_values, "Reserved for IETF Consensus", ISIS_MASK_MTID(EXTRACT_16BITS(tptr)))); printf(" Topology (0x%03x), Flags: [%s]", ISIS_MASK_MTID(EXTRACT_16BITS(tptr)), bittok2str(isis_mt_flag_values, "none",ISIS_MASK_MTFLAGS(EXTRACT_16BITS(tptr)))); return(2); } */ /* * this is the common extended IP reach decoder * it is called from TLVs (135,235,236,237) * we process the TLV and optional subTLVs and return * the amount of processed bytes */ /* static int isis_print_extd_ip_reach (const u_int8_t *tptr, const char *ident, u_int16_t afi) { char ident_buffer[20]; u_int8_t prefix[16]; u_int metric, status_byte, bit_length, byte_length, sublen, processed, subtlvtype, subtlvlen; metric = EXTRACT_32BITS(tptr); processed=4; tptr+=4; if (afi == IPV4) { status_byte=*(tptr++); bit_length = status_byte&0x3f; processed++; #ifdef INET6 } else if (afi == IPV6) { status_byte=*(tptr++); bit_length=*(tptr++); processed+=2; #endif } else return (0); byte_length = (bit_length + 7) / 8; memset(prefix, 0, 16); memcpy(prefix,tptr,byte_length); tptr+=byte_length; processed+=byte_length; if (afi == IPV4) printf("%sIPv4 prefix: %15s/%u", ident, ipaddr_string(prefix), bit_length); #ifdef INET6 if (afi == IPV6) printf("%sIPv6 prefix: %s/%u", ident, ip6addr_string(prefix), bit_length); #endif printf(", Distribution: %s, Metric: %u", ISIS_MASK_TLV_EXTD_IP_UPDOWN(status_byte) ? "down" : "up", metric); if (afi == IPV4 && ISIS_MASK_TLV_EXTD_IP_SUBTLV(status_byte)) printf(", sub-TLVs present"); #ifdef INET6 if (afi == IPV6) printf(", %s%s", ISIS_MASK_TLV_EXTD_IP6_IE(status_byte) ? "External" : "Internal", ISIS_MASK_TLV_EXTD_IP6_SUBTLV(status_byte) ? ", sub-TLVs present" : ""); #endif if ((ISIS_MASK_TLV_EXTD_IP_SUBTLV(status_byte) && afi == IPV4) || (ISIS_MASK_TLV_EXTD_IP6_SUBTLV(status_byte) && afi == IPV6)) { sublen=*(tptr++); processed+=sublen+1; printf(" (%u)",sublen); while (sublen>0) { subtlvtype=*(tptr++); subtlvlen=*(tptr++); snprintf(ident_buffer, sizeof(ident_buffer), "%s ",ident); if(!isis_print_ip_reach_subtlv(tptr,subtlvtype,subtlvlen,ident_buffer)) return(0); tptr+=subtlvlen; sublen-=(subtlvlen+2); } } return (processed); } */ static int isis_cksum(const u_int16_t *tptr, u_int len) { int32_t c0 = 0, c1 = 0; len = (len + 1) / 2; while ((int)--len >= 0) { #if defined(_LITTLE_ENDIAN) c0 += htons(*tptr++); #else c0 += *tptr++; #endif c0 %= 0xffff; c1 += c0; c1 %= 0xffff; } return (c0 | c1); } /* * Verify the checksum. See 8473-1, Appendix C, section C.4. static int osi_cksum(const u_int8_t *tptr, u_int len) { int32_t c0 = 0, c1 = 0; while ((int)--len >= 0) { c0 += *tptr++; c0 %= 255; c1 += c0; c1 %= 255; } return (c0 | c1); } */ /* * Convert a 32-bit netmask to prefixlen if possible * the function returns the prefix-len; if plen == -1 * then conversion was not possible; */ int mask2plen (u_int32_t mask) { u_int32_t bitmasks[33] = { 0x00000000, 0x80000000, 0xc0000000, 0xe0000000, 0xf0000000, 0xf8000000, 0xfc000000, 0xfe000000, 0xff000000, 0xff800000, 0xffc00000, 0xffe00000, 0xfff00000, 0xfff80000, 0xfffc0000, 0xfffe0000, 0xffff0000, 0xffff8000, 0xffffc000, 0xffffe000, 0xfffff000, 0xfffff800, 0xfffffc00, 0xfffffe00, 0xffffff00, 0xffffff80, 0xffffffc0, 0xffffffe0, 0xfffffff0, 0xfffffff8, 0xfffffffc, 0xfffffffe, 0xffffffff }; int prefix_len = 32; /* let's see if we can transform the mask into a prefixlen */ while (prefix_len >= 0) { if (bitmasks[prefix_len] == mask) break; prefix_len--; } return (prefix_len); } /* * this is a generic routine for printing unknown data; * we pass on the linefeed plus indentation string to * get a proper output - returns 0 on error */ int print_unknown_data(const u_char *cp, const char *ident, int len) { printf ("%s\n", ident); ArgusPrintHex(cp, len); return(1); /* everything is ok */ } /* * Convert a token value to a string; use "fmt" if not found. */ const char * tok2str(const struct tok *lp, const char *fmt, int v) { static char buf[128]; while (lp->s != NULL) { if (lp->v == v) return (lp->s); ++lp; } if (fmt == NULL) fmt = "#%d"; (void)snprintf(buf, sizeof(buf), fmt, v); return (buf); } /* * Convert a bit token value to a string; use "fmt" if not found. * this is useful for parsing bitfields, the output strings are comma seperated */ char * bittok2str(const struct tok *lp, const char *fmt, int v) { static char buf[256]; /* our stringbuffer */ int buflen=0; register int rotbit; /* this is the bit we rotate through all bitpositions */ register int tokval; while (lp->s != NULL) { tokval=lp->v; /* load our first value */ rotbit=1; while (rotbit != 0) { /* * lets AND the rotating bit with our token value * and see if we have got a match */ if (tokval == (v&rotbit)) { /* ok we have found something */ buflen+=snprintf(buf+buflen, sizeof(buf)-buflen, "%s, ",lp->s); break; } rotbit=rotbit<<1; /* no match - lets shift and try again */ } lp++; } if (buflen != 0) { /* did we find anything */ /* yep, set the the trailing zero 2 bytes before to eliminate the last comma & whitespace */ buf[buflen-2] = '\0'; return (buf); } else { /* bummer - lets print the "unknown" message as advised in the fmt string if we got one */ if (fmt == NULL) fmt = "#%d"; (void)snprintf(buf, sizeof(buf), fmt, v); return (buf); } } argus-5.0.2/argus/ArgusL2TP.c000066400000000000000000000051731471541253600156650ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - UDP Protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id$ * $DateTime: 2014/05/14 12:53:31 $ * $Change: 2827 $ */ #if !defined(ArgusL2TP) #define ArgusL2TP #include unsigned short ArgusParseL2TP (struct ArgusModelerStruct *, void *); unsigned short ArgusParseL2TP (struct ArgusModelerStruct *model, void *vptr) { unsigned short retn = 0; u_int16_t *ptr = vptr; int len = 0; struct l2tphdr *l2tp = (struct l2tphdr *) vptr; struct l2tphdr l2tpbuf, *ltptr = &l2tpbuf; if (STRUCTCAPTURED(model, *l2tp)) { ltptr->opts = EXTRACT_16BITS(ptr); ptr++; len += 2; if (((ltptr->opts & L2TP_VERSION_MASK) == L2TP_VERSION_L2F) || ((ltptr->opts & L2TP_VERSION_MASK) != L2TP_VERSION_L2TP)) return (retn); if (ltptr->opts & L2TP_FLAG_LENGTH) { ltptr->len = EXTRACT_16BITS(ptr); ptr++; len += 2; } ltptr->tunid = EXTRACT_16BITS(ptr); ptr++; len += 2; ltptr->sessid = EXTRACT_16BITS(ptr); ptr++; len += 2; if (ltptr->opts & L2TP_FLAG_SEQUENCE) { ltptr->ns = EXTRACT_16BITS(ptr); ptr++; len += 2; ltptr->nr = EXTRACT_16BITS(ptr); ptr++; len += 2; } if (ltptr->opts & L2TP_FLAG_OFFSET) { ltptr->offP = EXTRACT_16BITS(ptr); ptr++; len += 2; ptr += ltptr->offP / sizeof(*ptr); len += ltptr->offP; } if (!(ltptr->opts & L2TP_FLAG_TYPE)) { retn = ETHERTYPE_PPP; model->ArgusThisEncaps |= ARGUS_ENCAPS_L2TP; model->ArgusThisUpHdr = (unsigned char *)ptr; model->ArgusThisLength -= len; model->ArgusSnapLength -= len; } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseL2TP(%p, %p) returning %d\n", model, ptr, retn); #endif return (retn); } #endif argus-5.0.2/argus/ArgusL2TP.h000066400000000000000000000144751471541253600156770ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - UDP Protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id$ * $DateTime: 2014/05/14 12:53:31 $ * $Change: 2827 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusL2TP_h #define ArgusL2TP_h #include #include #include #include #include #include struct bootp *bp; unsigned short ArgusParseL2TP (struct ArgusModelerStruct *, void *); #define L2TP_FLAG_TYPE 0x8000 /* Type (0=Data, 1=Control) */ #define L2TP_FLAG_LENGTH 0x4000 /* Length */ #define L2TP_FLAG_SEQUENCE 0x0800 /* Sequence */ #define L2TP_FLAG_OFFSET 0x0200 /* Offset */ #define L2TP_FLAG_PRIORITY 0x0100 /* Priority */ #define L2TP_VERSION_MASK 0x000f /* Version Mask */ #define L2TP_VERSION_L2F 0x0001 /* L2F */ #define L2TP_VERSION_L2TP 0x0002 /* L2TP */ #define L2TP_AVP_HDR_FLAG_MANDATORY 0x8000 /* Mandatory Flag */ #define L2TP_AVP_HDR_FLAG_HIDDEN 0x4000 /* Hidden Flag */ #define L2TP_AVP_HDR_LEN_MASK 0x03ff /* Length Mask */ #define L2TP_FRAMING_CAP_SYNC_MASK 0x00000001 /* Synchronous */ #define L2TP_FRAMING_CAP_ASYNC_MASK 0x00000002 /* Asynchronous */ #define L2TP_FRAMING_TYPE_SYNC_MASK 0x00000001 /* Synchronous */ #define L2TP_FRAMING_TYPE_ASYNC_MASK 0x00000002 /* Asynchronous */ #define L2TP_BEARER_CAP_DIGITAL_MASK 0x00000001 /* Digital */ #define L2TP_BEARER_CAP_ANALOG_MASK 0x00000002 /* Analog */ #define L2TP_BEARER_TYPE_DIGITAL_MASK 0x00000001 /* Digital */ #define L2TP_BEARER_TYPE_ANALOG_MASK 0x00000002 /* Analog */ /* Authen Type */ #define L2TP_AUTHEN_TYPE_RESERVED 0x0000 /* Reserved */ #define L2TP_AUTHEN_TYPE_TEXTUAL 0x0001 /* Textual username/password exchange */ #define L2TP_AUTHEN_TYPE_CHAP 0x0002 /* PPP CHAP */ #define L2TP_AUTHEN_TYPE_PAP 0x0003 /* PPP PAP */ #define L2TP_AUTHEN_TYPE_NO_AUTH 0x0004 /* No Authentication */ #define L2TP_AUTHEN_TYPE_MSCHAPv1 0x0005 /* MSCHAPv1 */ #define L2TP_PROXY_AUTH_ID_MASK 0x00ff #define L2TP_MSGTYPE_SCCRQ 1 /* Start-Control-Connection-Request */ #define L2TP_MSGTYPE_SCCRP 2 /* Start-Control-Connection-Reply */ #define L2TP_MSGTYPE_SCCCN 3 /* Start-Control-Connection-Connected */ #define L2TP_MSGTYPE_STOPCCN 4 /* Stop-Control-Connection-Notification */ #define L2TP_MSGTYPE_HELLO 6 /* Hello */ #define L2TP_MSGTYPE_OCRQ 7 /* Outgoing-Call-Request */ #define L2TP_MSGTYPE_OCRP 8 /* Outgoing-Call-Reply */ #define L2TP_MSGTYPE_OCCN 9 /* Outgoing-Call-Connected */ #define L2TP_MSGTYPE_ICRQ 10 /* Incoming-Call-Request */ #define L2TP_MSGTYPE_ICRP 11 /* Incoming-Call-Reply */ #define L2TP_MSGTYPE_ICCN 12 /* Incoming-Call-Connected */ #define L2TP_MSGTYPE_CDN 14 /* Call-Disconnect-Notify */ #define L2TP_MSGTYPE_WEN 15 /* WAN-Error-Notify */ #define L2TP_MSGTYPE_SLI 16 /* Set-Link-Info */ #define L2TP_AVP_MSGTYPE 0 /* Message Type */ #define L2TP_AVP_RESULT_CODE 1 /* Result Code */ #define L2TP_AVP_PROTO_VER 2 /* Protocol Version */ #define L2TP_AVP_FRAMING_CAP 3 /* Framing Capabilities */ #define L2TP_AVP_BEARER_CAP 4 /* Bearer Capabilities */ #define L2TP_AVP_TIE_BREAKER 5 /* Tie Breaker */ #define L2TP_AVP_FIRM_VER 6 /* Firmware Revision */ #define L2TP_AVP_HOST_NAME 7 /* Host Name */ #define L2TP_AVP_VENDOR_NAME 8 /* Vendor Name */ #define L2TP_AVP_ASSND_TUN_ID 9 /* Assigned Tunnel ID */ #define L2TP_AVP_RECV_WIN_SIZE 10 /* Receive Window Size */ #define L2TP_AVP_CHALLENGE 11 /* Challenge */ #define L2TP_AVP_Q931_CC 12 /* Q.931 Cause Code */ #define L2TP_AVP_CHALLENGE_RESP 13 /* Challenge Response */ #define L2TP_AVP_ASSND_SESS_ID 14 /* Assigned Session ID */ #define L2TP_AVP_CALL_SER_NUM 15 /* Call Serial Number */ #define L2TP_AVP_MINIMUM_BPS 16 /* Minimum BPS */ #define L2TP_AVP_MAXIMUM_BPS 17 /* Maximum BPS */ #define L2TP_AVP_BEARER_TYPE 18 /* Bearer Type */ #define L2TP_AVP_FRAMING_TYPE 19 /* Framing Type */ #define L2TP_AVP_PACKET_PROC_DELAY 20 /* Packet Processing Delay (OBSOLETE) */ #define L2TP_AVP_CALLED_NUMBER 21 /* Called Number */ #define L2TP_AVP_CALLING_NUMBER 22 /* Calling Number */ #define L2TP_AVP_SUB_ADDRESS 23 /* Sub-Address */ #define L2TP_AVP_TX_CONN_SPEED 24 /* (Tx) Connect Speed */ #define L2TP_AVP_PHY_CHANNEL_ID 25 /* Physical Channel ID */ #define L2TP_AVP_INI_RECV_LCP 26 /* Initial Received LCP CONFREQ */ #define L2TP_AVP_LAST_SENT_LCP 27 /* Last Sent LCP CONFREQ */ #define L2TP_AVP_LAST_RECV_LCP 28 /* Last Received LCP CONFREQ */ #define L2TP_AVP_PROXY_AUTH_TYPE 29 /* Proxy Authen Type */ #define L2TP_AVP_PROXY_AUTH_NAME 30 /* Proxy Authen Name */ #define L2TP_AVP_PROXY_AUTH_CHAL 31 /* Proxy Authen Challenge */ #define L2TP_AVP_PROXY_AUTH_ID 32 /* Proxy Authen ID */ #define L2TP_AVP_PROXY_AUTH_RESP 33 /* Proxy Authen Response */ #define L2TP_AVP_CALL_ERRORS 34 /* Call Errors */ #define L2TP_AVP_ACCM 35 /* ACCM */ #define L2TP_AVP_RANDOM_VECTOR 36 /* Random Vector */ #define L2TP_AVP_PRIVATE_GRP_ID 37 /* Private Group ID */ #define L2TP_AVP_RX_CONN_SPEED 38 /* (Rx) Connect Speed */ #define L2TP_AVP_SEQ_REQUIRED 39 /* Sequencing Required */ #define L2TP_AVP_PPP_DISCON_CC 46 /* PPP Disconnect Cause Code */ struct l2tphdr { unsigned short opts, len; unsigned short tunid, sessid; unsigned short ns, nr; unsigned short offS, offP; }; #endif argus-5.0.2/argus/ArgusLcp.c000066400000000000000000000065401471541253600156610ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Lcp flow processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusLcp.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusLcp #define ArgusLcp #endif #include #include #include #include struct ArgusSystemFlow * ArgusCreateLcpFlow (struct ArgusModelerStruct *model, struct lcp_hdr *lcp) { struct ArgusSystemFlow *retn = NULL; if (STRUCTCAPTURED(model, *lcp)) { struct ArgusLcpFlow *lcpFlow = &model->ArgusThisFlow->lcp_flow; retn = model->ArgusThisFlow; model->state &= ~ARGUS_DIRECTION; retn->hdr.type = ARGUS_FLOW_DSR; retn->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; retn->hdr.argus_dsrvl8.qual = ARGUS_TYPE_LCP; retn->hdr.argus_dsrvl8.len = 5; lcpFlow->code = lcp->code; lcpFlow->id = lcp->id; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCreateLcpFlow(0x%x, 0x%x) returning 0x%x\n", model, lcp, retn); #endif return (retn); } void ArgusUpdateLCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateLCPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; struct lcp_hdr *lcp = (struct lcp_hdr *) model->ArgusThisUpHdr; struct ArgusLCPObject *lcpObj = &net->net_union.lcp; if (STRUCTCAPTURED(model, *lcp)) { #ifdef _LITTLE_ENDIAN #endif if (*state == ARGUS_START) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_LCP_DSR; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusLCPObject)+3))/4 + 1; /* struct ArgusLCPObject { unsigned int status; unsigned int state, options; }; */ flowstr->dsrs[ARGUS_NETWORK_INDEX] = (void *) net; bzero ((char *)lcpObj, sizeof(*lcpObj)); flowstr->timeout = ARGUS_IPTIMEOUT; } else { } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateLCPState(0x%x, %d) returning\n", flowstr, *state); #endif } #include void ArgusLCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state); void ArgusLCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusLCPFlowRecord(0x%x, %d) returning\n", net, state); #endif } argus-5.0.2/argus/ArgusMac.c000066400000000000000000000032551471541253600156430ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Layer 2 processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusMac.c#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusMac) #define ArgusMac #endif #include #include #include #include #include #include void ArgusMacFlowRecord (struct ArgusFlowStruct *flowstr, struct ArgusRecord *argus, unsigned char state) { int length = 0; struct ArgusMacStruct *mac = (struct ArgusMacStruct *) flowstr->MacDSRBuffer; if (mac && ((length = argus->ahdr.length) > 0)) { bcopy ((char *)mac, &((char *)argus)[argus->ahdr.length], sizeof(*mac)); argus->ahdr.length += sizeof(*mac); } } argus-5.0.2/argus/ArgusModeler.c000066400000000000000000006141201471541253600165310ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Modeler * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusModeler.c#19 $ * $DateTime: 2016/10/04 10:36:36 $ * $Change: 3213 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusModeler) #define ArgusModeler #endif #include "ArgusTimeDiff.h" #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "ArgusGetTimeOfDay.h" extern int ArgusShutDownFlag; extern int ArgusDeDup; extern struct ArgusHashTable *ArgusNewHashTable (size_t, int); extern int ArgusUpdateParentFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *); extern int ArgusControlPlaneProtocol (struct ArgusModelerStruct *, struct ArgusFlowStruct *); int ArgusProcessPacket (struct ArgusSourceStruct *, char *, int, struct timeval *, int); unsigned short ArgusProcessUdpHdr (struct ArgusModelerStruct *, struct ip *, int); unsigned short ArgusProcessTtpHdr (struct ArgusModelerStruct *, struct ip *, int); int ArgusProcessGreHdr (struct ArgusModelerStruct *, struct ip *, int); int ArgusProcessPPPHdr (struct ArgusModelerStruct *, char *, int); extern void ArgusTCPKeystroke (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void *ArgusCreateIPv4Flow (struct ArgusModelerStruct *, struct ip *); void *ArgusCreateIPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); static int ArgusCheckTimeout(const struct ArgusModelerStruct * const model, const struct timeval * const ts1, const struct timeval * const ts2, const struct timeval * const timeout) { long long diff, tdiff; int retn; #ifdef ARGUSDEBUG diff = 0; tdiff = 0; #endif if (timeout->tv_sec < 0) // if timeout is set to less that zero, then we never timeout. retn = 0; else { if ((timeout->tv_sec > 0) || (timeout->tv_usec > 0)) { diff = ArgusTimeDiff (ts1, ts2); #if defined(ARGUS_NANOSECONDS) tdiff = (timeout->tv_sec * 1000000000LL + timeout->tv_usec); #else tdiff = (timeout->tv_sec * 1000000LL + timeout->tv_usec); #endif if (diff >= tdiff) retn = 1; else retn = 0; } else retn = 1; } #ifdef ARGUSDEBUG #if defined(ARGUS_NANOSECONDS) ArgusDebug (11, "ArgusCheckTimeout (%p, %d.%09d, %d.%09d) diff %f returning %d\n", model, ts1->tv_sec, ts1->tv_usec, timeout->tv_sec, timeout->tv_usec, (diff / 1000000000.0), retn); #else ArgusDebug (11, "ArgusCheckTimeout (%p, %d.%06d, %d.%06d) diff %f returning %d\n", model, ts1->tv_sec, ts1->tv_usec, timeout->tv_sec, timeout->tv_usec, (diff / 1000000.0), retn); #endif #endif return (retn); } struct ArgusModelerStruct * ArgusCloneModeler(struct ArgusModelerStruct *src) { struct ArgusModelerStruct *retn; if ((retn = (struct ArgusModelerStruct *) ArgusCalloc (1, sizeof (struct ArgusModelerStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusCloneModeler () ArgusCalloc error %s\n", strerror(errno)); bcopy((char *)src, (char *)retn, sizeof(*src)); retn->status |= ARGUS_MODELER_CLONE; retn->ArgusSrc = NULL; retn->ArgusHashTable = NULL; retn->hstruct = NULL; retn->ArgusStatusQueue = NULL; retn->ArgusTimeOutQueues = NULL; retn->ArgusThisFlow = NULL; retn->ArgusOutputList = NULL; bzero (retn->ArgusTimeOutQueue, sizeof(retn->ArgusTimeOutQueue)); #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif return (retn); } struct ArgusModelerStruct * ArgusNewModeler() { struct ArgusModelerStruct *retn = NULL; if ((retn = (struct ArgusModelerStruct *) ArgusCalloc (1, sizeof (struct ArgusModelerStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewModeler () ArgusCalloc error %s\n", strerror(errno)); retn->ArgusHashTableSize = ARGUS_HASHTABLESIZE; setArgusFlowKey (retn, ARGUS_FLOW_KEY_CLASSIC5TUPLE); setArgusFlowType (retn, ARGUS_BIDIRECTIONAL); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewModeler() returning %p\n", retn); #endif return (retn); } void *ArgusQueueManager(void *); void ArgusInitModeler(struct ArgusModelerStruct *model) { struct timeval *tvp = NULL; #if defined(ARGUS_HASH_DEBUG) int debug = ARGUSHASHTABLETRACK; #else int debug = 0; #endif bzero (model->ArgusTimeOutQueue, sizeof(model->ArgusTimeOutQueue)); model->ArgusInProtocol = 1; model->ArgusMajorVersion = VERSION_MAJOR; model->ArgusMinorVersion = VERSION_MINOR; model->ArgusSnapLen = ARGUS_MINSNAPLEN; ArgusGetTimeOfDay(model->ArgusSrc, &model->ArgusGlobalTime); if (model->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) { model->ArgusUpdateInterval.tv_usec = 500000000; model->ival = ((model->ArgusUpdateInterval.tv_sec * 1000000000LL) + model->ArgusUpdateInterval.tv_usec); } else { model->ArgusUpdateInterval.tv_usec = 500000; model->ival = ((model->ArgusUpdateInterval.tv_sec * 1000000LL) + model->ArgusUpdateInterval.tv_usec); } ArgusModel->ArgusGlobalTime = model->ArgusGlobalTime; if ((model->ArgusHashTable = ArgusNewHashTable(model->ArgusHashTableSize, debug)) == NULL) ArgusLog(LOG_ERR, "%s () ArgusNewHashTable error %s\n", __func__, strerror(errno)); if ((model->hstruct = (struct ArgusHashStruct *) ArgusCalloc (1, sizeof (struct ArgusHashStruct))) == NULL) ArgusLog(LOG_ERR, "%s () ArgusCalloc error %s\n", __func__, strerror(errno)); if ((model->ArgusStatusQueue = ArgusNewQueue()) == NULL) ArgusLog(LOG_ERR, "%s () ArgusNewQueue error %s\n", __func__, strerror(errno)); if ((model->ArgusTimeOutQueues = ArgusNewQueue()) == NULL) ArgusLog(LOG_ERR, "%s () ArgusNewQueue error %s\n", __func__, strerror(errno)); /* align the ArgusThisFlow buffer */ if ((model->ArgusThisFlow = (struct ArgusSystemFlow *) ArgusCalloc (1, sizeof (struct ArgusSystemFlow) + 32)) == NULL) ArgusLog(LOG_ERR, "%s () ArgusCalloc error %s\n", __func__, strerror(errno)); model->ArgusOutputList = ArgusOutputTask->ArgusInputList; if ((model->ArgusThisLLC = (struct argus_llc *) ArgusCalloc (1, sizeof (struct argus_llc ) + 32)) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); if ((model->ArgusThisGre = (struct argus_gre *) ArgusCalloc (1, sizeof (struct argus_gre ))) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); if ((model->ArgusThisGre->tflow = (struct ArgusSystemFlow *) ArgusCalloc (1, sizeof (struct ArgusSystemFlow ))) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); if ((model->ArgusThisGeneve = (struct argus_geneve *) ArgusCalloc (1, sizeof (struct argus_geneve ))) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); if ((model->ArgusThisGeneve->tflow = (struct ArgusSystemFlow *) ArgusCalloc (1, sizeof (struct ArgusSystemFlow ))) == NULL) ArgusLog (LOG_ERR, "ArgusInitModeler () ArgusCalloc error %s\n", strerror(errno)); model->ArgusSeqNum = 1; model->ArgusReportAllTime = 1; if (!(model->ArgusFlowType)) { if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) setArgusFlowType (model, ARGUS_BIDIRECTIONAL); else setArgusFlowType (model, ARGUS_UNIDIRECTIONAL); } model->ArgusQueueInterval.tv_usec = 250000; model->ArgusListenInterval.tv_usec = 250000; model->ArgusIPTimeout = (model->ArgusIPTimeout == 0) ? ARGUS_IPTIMEOUT : model->ArgusIPTimeout; model->ArgusTCPTimeout = (model->ArgusTCPTimeout == 0) ? ARGUS_TCPTIMEOUT : model->ArgusTCPTimeout; model->ArgusICMPTimeout = (model->ArgusICMPTimeout == 0) ? ARGUS_ICMPTIMEOUT : model->ArgusICMPTimeout; model->ArgusIGMPTimeout = (model->ArgusIGMPTimeout == 0) ? ARGUS_IGMPTIMEOUT : model->ArgusIGMPTimeout; model->ArgusFRAGTimeout = (model->ArgusFRAGTimeout == 0) ? ARGUS_FRAGTIMEOUT : model->ArgusFRAGTimeout; model->ArgusARPTimeout = (model->ArgusARPTimeout == 0) ? ARGUS_ARPTIMEOUT : model->ArgusARPTimeout; model->ArgusOtherTimeout = (model->ArgusOtherTimeout == 0) ? ARGUS_OTHERTIMEOUT : model->ArgusOtherTimeout; if ((tvp = getArgusFarReportInterval(model)) != NULL) model->ArgusStatusQueue->timeout = tvp->tv_sec; model->ArgusTCPflag = 1; model->ArgusThisDir = 0; ArgusInitMallocList(sizeof(struct ArgusRecordStruct)); if (getArgusTunnelDiscovery(model)) ArgusInitTunnelPortNumbers (); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitModeler(%p) done\n", model); #endif } extern struct ArgusHashStats *ArgusHashTableStats; void ArgusCloseModeler(struct ArgusModelerStruct *model) { struct ArgusRecordStruct *argus = NULL; if (model) { struct ArgusHashTable *htbl = model->ArgusHashTable; if (htbl && (htbl->status & ARGUSHASHTABLETRACK)) { #ifdef ARGUSDEBUG extern int ArgusHashTableMax; int i, size = htbl->size; int occupied = 0; for (i = 0; i < size; i++) { if (htbl->array[i] != NULL) { occupied++; } } ArgusDebug (1, "ArgusHashTracking: ArgusHashTableMax %d Occupied %d Size %d\n", ArgusHashTableMax, occupied, size); #endif } ArgusModelerCleanUp (model); if (model->ArgusHashTable) { struct ArgusHashTable *htbl = model->ArgusHashTable; if (htbl != NULL) { if (htbl->array) ArgusFree(htbl->array); ArgusFree(htbl); } model->ArgusHashTable = NULL; } if (model->ArgusOutputList) { if ((argus = ArgusGenerateListRecord (model, NULL, ARGUS_STOP)) != NULL) { model->ArgusTotalSends++; ArgusPushBackList (model->ArgusOutputList, (struct ArgusListRecord *) argus, ARGUS_LOCK); #if defined(ARGUS_THREADS) pthread_mutex_lock(&model->ArgusOutputList->lock); pthread_cond_signal(&model->ArgusOutputList->cond); pthread_mutex_unlock(&model->ArgusOutputList->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCloseModeler(%p) pushing close record %p as rec %d\n", model, argus, ArgusGetListCount(model->ArgusOutputList)); #endif } else ArgusLog (LOG_ERR, "ArgusCloseModeler(%p) ArgusGenerateListRecord failed\n", model); } /* retn->ArgusSrc = NULL; retn->ArgusHashTable = NULL; retn->ArgusThisFlow = NULL; retn->ArgusOutputList = NULL; */ if (model->hstruct != NULL) { ArgusFree(model->hstruct); model->hstruct = NULL; } if (model->ArgusThisFlow != NULL) { ArgusFree(model->ArgusThisFlow); model->ArgusThisFlow = NULL; } if (model->ArgusStatusQueue != NULL) { ArgusDeleteQueue(model->ArgusStatusQueue); model->ArgusStatusQueue = NULL; } if (model->ArgusTimeOutQueues != NULL) { ArgusDeleteQueue(model->ArgusTimeOutQueues); model->ArgusTimeOutQueues = NULL; } if (model->ArgusThisLLC != NULL) { ArgusFree(model->ArgusThisLLC); model->ArgusThisLLC = NULL; } if (model->ArgusThisGre != NULL) { ArgusFree(model->ArgusThisGre->tflow); ArgusFree(model->ArgusThisGre); model->ArgusThisGre = NULL; } if (model->ArgusThisGeneve != NULL) { ArgusFree(model->ArgusThisGeneve->tflow); ArgusFree(model->ArgusThisGeneve); model->ArgusThisGeneve = NULL; } if (!(model->status & ARGUS_MODELER_CLONE)) { if (model->cps != NULL) { ArgusFree(model->cps); model->cps = NULL; } } } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCloseModeler(%p) Total Sends %d\n", model, model->ArgusTotalSends); #endif } void ArgusProcessQueueTimeout (struct ArgusModelerStruct *, struct ArgusQueueStruct *); int ArgusQMTurns = 0; void * ArgusQueueManager(void *param) { struct ArgusModelerStruct *model = param; struct ArgusQueueStruct *queue = NULL; void *retn = NULL; /* * so there are two things to do. * 1. process the status queue. this is a FIFO * queue, and any object at the end of the queue * is printed and moved to the timeout queue. * (objects can be moved by the packet handler, * so locking is important here. * * 2. process the timeout queue. this queue we can * get to on a slower time scale, until resources * are getting used up. */ ArgusQMTurns++; if (model->ArgusStatusQueue != NULL) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); else return (retn); if ((model->ArgusTimeOutQueues != NULL) && (model->ArgusTimeOutQueues->count > 0)) { int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); ArgusProcessQueueTimeout (model, queue); ArgusAddToQueue (model->ArgusTimeOutQueues, &queue->qhdr, ARGUS_LOCK); } } #ifdef ARGUSDEBUG if (7 <= Argusdflag) { struct timeval now, testime = {0,0}, update = {1,0}; gettimeofday(&now, 0L); if (testime.tv_sec == 0) { testime = now; } if ((now.tv_sec > testime.tv_sec) || ((now.tv_sec == testime.tv_sec) && (now.tv_usec >= testime.tv_usec)) ) { unsigned int qs = 0, count = 0, reclaim = 0; int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); qs++; count += queue->count; reclaim += queue->reclaim; ArgusAddToQueue (model->ArgusTimeOutQueues, &queue->qhdr, ARGUS_LOCK); } ArgusDebug (7, "ArgusQueueManager() turns %-4d statusQueue %-4d qs %-2d items %-4d cache %-6lld resort %-6d reclaim %-6d new %-6lld sends %-8lld bsends %-8lld\n", ArgusQMTurns, model->ArgusStatusQueue->count, qs, count, model->ArgusTotalCacheHits, model->ArgusStatusQueue->reclaim, reclaim, model->ArgusTotalNewFlows, model->ArgusTotalSends, model->ArgusTotalBadSends); testime.tv_sec += update.tv_sec; testime.tv_usec += update.tv_usec; if (model->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) { if (testime.tv_usec >= 1000000000) { testime.tv_sec++; testime.tv_usec -= 1000000000; } } else { if (testime.tv_usec >= 1000000) { testime.tv_sec++; testime.tv_usec -= 1000000; } } } } #endif return (retn); } void ArgusProcessQueueTimeout (struct ArgusModelerStruct *model, struct ArgusQueueStruct *queue) { struct ArgusFlowStruct *last = NULL; int done = 0, count = 0; queue->turns++; #if defined(ARGUS_THREADS) pthread_mutex_lock(&queue->lock); #endif while ((!done)) { if (queue->start != NULL) { if ((last = (struct ArgusFlowStruct *) queue->start->prv) != NULL) { struct timeval *now; now = &model->ArgusGlobalTime; if (queue == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &last->qhdr.qtime, now, getArgusFarReportInterval(model))) { struct ArgusFlowStruct *frag; count++; ArgusRemoveFromQueue(queue, &last->qhdr, ARGUS_NOLOCK); if ((frag = (struct ArgusFlowStruct *)last->frag.start) != NULL) { struct timeval timeout = {2,0}; do { struct ArgusFlowStruct *nxt = (struct ArgusFlowStruct *)frag->qhdr.nxt; ArgusUpdateParentFlow(model, frag); if (ArgusCheckTimeout(model, &frag->qhdr.qtime, now, &timeout)) ArgusDeleteObject(frag); frag = nxt; } while (last->frag.start && (frag != (struct ArgusFlowStruct *)last->frag.start)); } if (!(last->status & ARGUS_RECORD_WRITTEN)) { ArgusSendFlowRecord (model, last, last->status); } if (last->timeout > 0) { if (last->timeout > ARGUSTIMEOUTQS) last->timeout = ARGUSTIMEOUTQS; if (model->ArgusTimeOutQueue[last->timeout] == NULL) { model->ArgusTimeOutQueue[last->timeout] = ArgusNewQueue(); model->ArgusTimeOutQueue[last->timeout]->timeout = last->timeout; ArgusPushQueue(model->ArgusTimeOutQueues, &model->ArgusTimeOutQueue[last->timeout]->qhdr, ARGUS_LOCK); } ArgusPushQueue(model->ArgusTimeOutQueue[last->timeout], &last->qhdr, ARGUS_LOCK); } else ArgusDeleteObject(last); } else { done++; } } else { struct timeval timeout = {0,0}; timeout.tv_sec = queue->timeout; if (ArgusCheckTimeout(model, &last->qhdr.qtime, now, &timeout)) { ArgusRemoveFromQueue(queue, &last->qhdr, ARGUS_NOLOCK); ArgusDeleteObject(last); } else { done++; } } } else done++; } else done++; } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&queue->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessQueueTimeout(%p, %p) timeout %d, remaining %d records\n", model, queue, count, queue->count); #endif } void ArgusModelerStats(struct ArgusModelerStruct *); void ArgusModelerStats(struct ArgusModelerStruct *model) { } #include #if !defined(__OpenBSD__) #include #endif int ArgusProcessISLHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessNetbeuiHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessNetbiosHdr (struct ArgusModelerStruct *, struct ether_header *, int); int ArgusProcessIsoclnsHdr (struct ArgusModelerStruct *, struct ether_header *, int); #define ARGUS_ISL_ETHERHDR_LEN 26 int ArgusProcessISLHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int type = (((unsigned char *)ep)[5] >> 4) & 0x0F; int retn = 0; #define ARGUS_ISLTYPE_ETHER 0x0 #define ARGUS_ISLTYPE_TR 0x0 #define ARGUS_ISLTYPE_FDDI 0x2 #define ARGUS_ISLTYPE_ATM 0x3 switch (type) { case ARGUS_ISLTYPE_ETHER: model->ArgusThisLength -= ARGUS_ISL_ETHERHDR_LEN; model->ArgusSnapLength -= ARGUS_ISL_ETHERHDR_LEN; model->ArgusThisUpHdr = ((unsigned char *)ep + ARGUS_ISL_ETHERHDR_LEN); model->ArgusThisEncaps |= ARGUS_ENCAPS_ISL; ep = (struct ether_header *) ((unsigned char *)ep + ARGUS_ISL_ETHERHDR_LEN); retn = ArgusProcessEtherHdr(model, ep, length - ARGUS_ISL_ETHERHDR_LEN); } return (retn); } int ArgusProcessNetbeuiHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; return (retn); } int ArgusProcessNetbiosHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; return (retn); } int ArgusProcessIsoclnsHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int retn = 0; unsigned char *ptr = (unsigned char *)ep; ptr += 3; switch (*ptr) { case ARGUS_CLNS: model->ArgusThisNetworkFlowType = ARGUS_CLNS; break; case ARGUS_ESIS: model->ArgusThisNetworkFlowType = ARGUS_ESIS; break; case ARGUS_ISIS: model->ArgusThisNetworkFlowType = ARGUS_ISIS; break; case 0: model->ArgusThisNetworkFlowType = ARGUS_NULLNS; break; default: model->ArgusThisNetworkFlowType = ARGUS_CLNS; break; } /* model->ArgusThisLength -= sizeof(struct argus_llc); model->ArgusSnapLength -= sizeof(struct argus_llc); model->ArgusThisUpHdr = (ptr + sizeof(struct argus_llc)); */ model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; model->ArgusThisUpHdr = ptr; model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; return (retn); } #if !defined(IPV6_VERSION_MASK) #define IPV6_VERSION_MASK 0xF0 #define IPV6_VERSION 0x60 #endif unsigned short ArgusDiscoverNetworkProtocol (unsigned char *ptr) { unsigned short retn = ETHERTYPE_MPLS; /* test for IPv4, IPv6, and vlan tags */ if (ptr != NULL) { if ((((struct ip *)ptr)->ip_v == 4) && (((struct ip *)ptr)->ip_hl >= 5) && (ntohs(((struct ip *)ptr)->ip_len) >= 20)) { retn = ETHERTYPE_IP; } else { if (((((struct ip6_hdr *)ptr)->ip6_vfc & IPV6_VERSION_MASK) == IPV6_VERSION) && (ntohs(((struct ip6_hdr *)ptr)->ip6_plen) <= 2048)) { retn = ETHERTYPE_IPV6; } else { switch (ntohs(*(unsigned short *)(ptr + 2))) { case ETHERTYPE_IP: case ETHERTYPE_IPV6: retn = ETHERTYPE_8021Q; break; default: retn = ARGUS_ETHER_HDR; } } } } return (retn); } void ArgusParseMPLSLabel (unsigned int value, unsigned int *label, unsigned char *exp, unsigned char *bos, unsigned char *ttl) { *label = value >> 12; *exp = (value >> 9) & 0x07; *bos = (value >> 8) & 0x01; *ttl = value & 0xFF; } /* ArgusProcessPacketHdrs - this routine should take in a pointer and a packet header type and process that header, returning the next layer type, or zero if the routine has found the IP layer. This is the entry point for handling packets from any of the source interface layers. */ int ArgusProcessPacketHdrs (struct ArgusModelerStruct *, char *, int, int); int ArgusProcessPPPoEHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessLLCHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcess80211Hdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessUDToEHdr (struct ArgusModelerStruct *, char *, int); int ArgusProcessPacketHdrs (struct ArgusModelerStruct *model, char *p, int length, int type) { int retn = 0; switch (type) { case ETHERTYPE_TRANS_BRIDGE: case ARGUS_ETHER_HDR: model->ArgusThisNetworkFlowType = ARGUS_ETHER_HDR; if ((retn = ArgusProcessEtherHdr(model, (struct ether_header *)p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ARGUS_802_11_HDR: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcess80211Hdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_PPP: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessPPPHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_PPPOED: case ETHERTYPE_PPPOES: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessPPPoEHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_UDTOE: model->ArgusThisNetworkFlowType = type; if ((retn = ArgusProcessUDToEHdr (model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; break; case ETHERTYPE_8021Q: { model->ArgusThisNetworkFlowType = type; model->ArgusThisPacket8021QEncaps = ntohs(*(unsigned short *)(p)); model->ArgusThisEncaps |= ARGUS_ENCAPS_8021Q; retn = ntohs(*(unsigned short *)(p + 2)); if (retn <= ETHERMTU) { /* 802.3 Encapsulation */ if (p[0] == 0x01 && p[1] == 0x00 && p[2] == 0x0C && p[3] == 0x00 && p[4] == 0x00) { return (ArgusProcessISLHdr (model, (struct ether_header *)p, length)); } model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; p = (void *) model->ArgusThisUpHdr; if ((retn = ArgusProcessLLCHdr(model, p, length)) < 0) model->ArgusThisUpHdr = (void *)p; } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } break; } case ETHERTYPE_MPLS_MULTI: case ETHERTYPE_MPLS: { unsigned char exp, bos = 0, ttl; unsigned int labelbuf, *label = &labelbuf; model->ArgusThisNetworkFlowType = type; while (!(bos)) { unsigned int tlabel = ntohl(*(unsigned int *)(model->ArgusThisUpHdr)); if (!(model->ArgusThisMplsLabelIndex)) { model->ArgusThisMplsLabel = tlabel; model->ArgusThisMplsLabelIndex++; } ArgusParseMPLSLabel (tlabel, label, &exp, &bos, &ttl); model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; model->ArgusThisEncaps |= ARGUS_ENCAPS_MPLS; retn = ArgusDiscoverNetworkProtocol(model->ArgusThisUpHdr); } break; } case IPPROTO_IPIP: case ETHERTYPE_IP: { struct ip *ip = (struct ip *) p; if (ip->ip_v == 4) { if (STRUCTCAPTURED(model,*ip)) { model->ArgusThisNetworkFlowType = ETHERTYPE_IP; if (ArgusDumpTask->ppc && (ArgusDumpTask->ppc[0] == 1)) model->ArgusMatchProtocol++; if ((ip->ip_len == 0) || (ntohs(ip->ip_len) >= 20)) { model->ArgusThisIpHdr = (void *)ip; if (ArgusDumpTask->ppc && (ArgusDumpTask->ppc[ip->ip_p] == 1)) model->ArgusMatchProtocol++; switch (ip->ip_p) { case IPPROTO_TTP: { /* Preparation for Juniper TTP */ model->ArgusThisEncaps |= ARGUS_ENCAPS_IP; retn = ArgusProcessTtpHdr(model, ip, length); break; } case IPPROTO_UDP: { /* RCP 4380 */ if (getArgusTunnelDiscovery(model)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_IP; retn = ArgusProcessUdpHdr(model, ip, length); } break; } case IPPROTO_GRE: { /* RFC 2784 */ model->ArgusThisEncaps |= ARGUS_ENCAPS_IP; retn = ArgusProcessGreHdr(model, ip, length); break; } default: retn = 0; break; } } } break; } // FALL THROUGH TO V6 } case ETHERTYPE_IPV6: { struct ip6_hdr *ipv6 = (struct ip6_hdr *) p; model->ArgusThisNetworkFlowType = type; model->ArgusThisIpHdr = (void *)p; switch (ipv6->ip6_nxt) { case IPPROTO_IPIP: { // IPNIP model->ArgusThisUpHdr += sizeof(*ipv6); model->ArgusThisLength -= sizeof(*ipv6); model->ArgusSnapLength -= sizeof(*ipv6); model->ArgusThisEncaps |= ARGUS_ENCAPS_IPV6; retn = ipv6->ip6_nxt; break; } case IPPROTO_TTP: { /* Preparation for Juniper TTP */ model->ArgusThisEncaps |= ARGUS_ENCAPS_IPV6; retn = ArgusProcessTtpHdr(model, (void *)p, length); break; } case IPPROTO_UDP: { /* RCP 4380 */ if (getArgusTunnelDiscovery(model)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_IPV6; retn = ArgusProcessUdpHdr(model, (void *)p, length); } break; } case IPPROTO_GRE: { /* RFC 2784 */ model->ArgusThisEncaps |= ARGUS_ENCAPS_IPV6; retn = ArgusProcessGreHdr(model, (void *)p, length); break; } default: retn = 0; break; } break; } case ETHERTYPE_ARP: case ETHERTYPE_REVARP: { model->ArgusThisNetworkFlowType = type; retn = 0; break; } default: model->ArgusThisUpHdr = (void *)p; retn = 0; break; } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusProcessPacketHdrs(%p, %p, %d, %d) returning %d\n", model, p, length, type, retn); #endif return (retn); } struct teredoAuthHeader { unsigned char idlen, aulen; }; struct teredoOriginHdr { unsigned char idlen, aulen; }; #include struct teredo { unsigned short tid; struct teredoAuthHeader tauth; }; struct ttp_header { u_char type; u_char priority; u_char proto; u_char queue; u_int ifl_input; u_short len; u_short destmask; u_int nh_index; u_int hint; }; unsigned short ArgusProcessTtpHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0; int hlen = ip->ip_hl << 2; struct ttp_header *ttp = (struct ttp_header *) ((char *)ip + hlen); if (STRUCTCAPTURED(model, *ttp)) { ttp->ifl_input = ntohl(ttp->ifl_input); ttp->len = ntohs(ttp->len); ttp->destmask = ntohs(ttp->destmask); ttp->nh_index = ntohl(ttp->nh_index); ttp->hint = ntohl(ttp->hint); switch(ttp->type) { case 0x1: case 0x2: { int slen = (hlen + sizeof(*ttp)); length -= slen; model->ArgusThisUpHdr += slen; model->ArgusSnapLength -= slen; model->ArgusThisLength -= slen; retn = ArgusProcessPacketHdrs (model, (char *)(ttp + 1), length, ARGUS_ETHER_HDR); break; } case 0x3: case 0x4: { int slen = (hlen + sizeof(*ttp)); length -= slen; model->ArgusThisUpHdr += slen; model->ArgusSnapLength -= slen; model->ArgusThisLength -= slen; retn = ArgusProcessPacketHdrs (model, (char *)(ttp + 1), length, ETHERTYPE_IP); break; } case 0x0: default: break; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessTtpHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } void ArgusInitUDPTunnelPortNumbers (void); void ArgusInitTunnelPortNumbers (void) { int i = 0; bzero (ArgusTransportParseRoutines, sizeof(ArgusTransportParseRoutines)); for (i = 0; i < MAX_PORT_ALG_TYPES; i++) { ArgusTransportParseRoutines[RaPortAlgorithmTable[i].port] = RaPortAlgorithmTable[i].parse; } } unsigned short ArgusProcessUdpHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0, pass = 0, hlen = 0; if (ip->ip_v == 4) { model->ArgusThisNetworkFlowType = ETHERTYPE_IP; pass = STRUCTCAPTURED(model,*ip); hlen = ip->ip_hl << 2; } else { struct ip6_hdr *ipv6 = (struct ip6_hdr *) ip; model->ArgusThisNetworkFlowType = ETHERTYPE_IPV6; pass = STRUCTCAPTURED(model,*ipv6); hlen = sizeof(*ipv6); } if (pass) { char *bp = ((char *)ip + hlen); struct udphdr *up = (struct udphdr *) bp; if (STRUCTCAPTURED(model, *up)) { unsigned short dport, sport; sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); if ((ArgusTransportParseRoutines[sport] != NULL) || (ArgusTransportParseRoutines[dport] != NULL)) { if (ArgusTransportParseRoutines[dport] != NULL) retn = ArgusTransportParseRoutines[dport](model, up + 1); else retn = ArgusTransportParseRoutines[sport](model, up + 1); #ifdef ARGUSDEBUG if (retn < 0) ArgusDebug (4, "ArgusTransportParseRoutines(%p, %p, %d) error %d\n", model, ip, length, retn); #endif } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessUdpHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } extern unsigned short ArgusParseGre (struct ArgusModelerStruct *, struct ip *, int); extern unsigned short ArgusParseGeneve (struct ArgusModelerStruct *, void *); int ArgusProcessGreHdr (struct ArgusModelerStruct *model, struct ip *ip, int length) { int retn = 0, hlen = ip->ip_hl << 2; char *bp = ((char *)ip + hlen); if (BYTESCAPTURED(model, *bp, 4)) { switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisIpHdr); bcopy(model->ArgusThisFlow, model->ArgusThisGre->tflow, sizeof(*model->ArgusThisFlow)); break; } case ETHERTYPE_IPV6: { ArgusCreateIPv6Flow (model, (struct ip6_hdr *)model->ArgusThisIpHdr); bcopy(model->ArgusThisFlow, model->ArgusThisGre->tflow, sizeof(*model->ArgusThisFlow)); break; } } retn = ArgusParseGre(model, ip, length); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessGreHdr(%p, %p, %d) returning 0x%x\n", model, ip, length, retn); #endif return (retn); } int ArgusProcessEtherHdr (struct ArgusModelerStruct *model, struct ether_header *ep, int length) { int len = sizeof(struct ether_header); unsigned char *ptr; int retn = 0; length -= len; model->ArgusThisEpHdr = ep; model->ArgusThisUpHdr = (unsigned char *) (ep + 1); model->ArgusThisLength -= len; model->ArgusSnapLength -= len; model->ArgusThisIpHdr = NULL; model->ArgusThisEncaps |= ARGUS_ENCAPS_ETHER; if ((retn = ntohs(ep->ether_type)) < ETHERMTU) { /* 802.3 Encapsulation */ struct argus_llc *llc = NULL; unsigned short ether_type = 0; ptr = (unsigned char *) ep; if (ptr[0] == 0x01 && ptr[1] == 0x00 && ptr[2] == 0x0C && ptr[3] == 0x00 && ptr[4] == 0x00) { return (ArgusProcessISLHdr (model, ep, length)); } ptr = (unsigned char *) model->ArgusThisUpHdr; llc = (struct argus_llc *) ptr; if (BYTESCAPTURED(model,*llc, 3) && ((llc = model->ArgusThisLLC) != NULL)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; bcopy((char *) ptr, (char *) llc, sizeof (struct argus_llc)); #define ARGUS_IPX_TAG 100 if (llc->ssap == LLCSAP_GLOBAL && llc->dsap == LLCSAP_GLOBAL) { model->ArgusThisNetworkFlowType = ARGUS_IPX_TAG; retn = ARGUS_IPX_TAG; return (retn); } if ((((u_char *)ep)[0] == 0xf0) && (((u_char *)ep)[1] == 0xf0)) return (ArgusProcessNetbeuiHdr (model, ep, length)); if ((llc->ssap == LLCSAP_ISONS) && (llc->dsap == LLCSAP_ISONS) && (llc->llcui == LLC_UI)) return(ArgusProcessIsoclnsHdr(model, (struct ether_header *)ptr, length)); if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) { if (llc->llcui == LLC_UI) { ((unsigned char *)ðer_type)[0] = ((unsigned char *)&llc->ethertype)[0]; ((unsigned char *)ðer_type)[1] = ((unsigned char *)&llc->ethertype)[1]; retn = ntohs(ether_type); model->ArgusThisNetworkFlowType = retn; model->ArgusThisLength -= sizeof(struct argus_llc); model->ArgusSnapLength -= sizeof(struct argus_llc); model->ArgusThisUpHdr = (ptr + sizeof(struct argus_llc)); } } else { if ((llc->llcu & LLC_U_FMT) == LLC_U_FMT) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; if ((llc->llcu & ~LLC_U_POLL) == LLC_XID) { if (*model->ArgusThisUpHdr == LLC_XID_FI) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; } } } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessEtherHdr(%p, %d) returning 0x%x\n", ep, length, retn); #endif return (retn); } #include extern int ArgusExtract802_11HeaderLength(u_int16_t); int ArgusProcess80211Hdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0, hdrlen; u_int16_t fc; fc = EXTRACT_LE_16BITS(p); hdrlen = ArgusExtract802_11HeaderLength(fc); switch (FC_TYPE(fc)) { case T_MGMT: case T_CTRL: break; case T_DATA: { if (!(DATA_FRAME_IS_NULL(FC_SUBTYPE(fc)))) { if (model->ArgusSrc->ArgusThisRadioTap.flags & IEEE80211_RADIOTAP_F_DATAPAD) hdrlen = ((hdrlen + 3) / 4) * 4; if (FC_WEP(fc)) { } else { retn = ArgusProcessLLCHdr(model, p + hdrlen, length - hdrlen); } } break; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcess80211Hdr(%p, %p, %d) returning 0x%x\n", model, p, length, retn); #endif return(retn); } int ArgusProcessLLCHdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0; struct argus_llc *llc = NULL; unsigned short ether_type = 0; unsigned char *ptr = (unsigned char *) p; /* ptr = (unsigned char *) model->ArgusThisUpHdr; */ llc = (struct argus_llc *) ptr; if (BYTESCAPTURED(model,*llc,3)) { model->ArgusThisEncaps |= ARGUS_ENCAPS_LLC; llc = model->ArgusThisLLC; bcopy((char *) ptr, (char *) llc, sizeof (struct argus_llc)); #define ARGUS_IPX_TAG 100 if (llc->ssap == LLCSAP_GLOBAL && llc->dsap == LLCSAP_GLOBAL) { model->ArgusThisNetworkFlowType = ARGUS_IPX_TAG; return (retn); } if ((((u_char *)p)[0] == 0xf0) && (((u_char *)p)[1] == 0xf0)) return (ArgusProcessNetbeuiHdr (model, (struct ether_header *)p, length)); if ((llc->ssap == LLCSAP_ISONS) && (llc->dsap == LLCSAP_ISONS) && (llc->llcui == LLC_UI)) return(ArgusProcessIsoclnsHdr(model, (struct ether_header *)ptr, length)); if ((llc->ssap == LLCSAP_SNAP) && (llc->dsap == LLCSAP_SNAP)) { if (llc->llcui == LLC_UI) { ((unsigned char *)ðer_type)[0] = ((unsigned char *)&llc->ethertype)[0]; ((unsigned char *)ðer_type)[1] = ((unsigned char *)&llc->ethertype)[1]; retn = ntohs(ether_type); model->ArgusThisLength -= sizeof(struct argus_llc); model->ArgusSnapLength -= sizeof(struct argus_llc); model->ArgusThisUpHdr = (ptr + sizeof(struct argus_llc)); } } else { if ((llc->llcu & LLC_U_FMT) == LLC_U_FMT) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; if ((llc->llcu & ~LLC_U_POLL) == LLC_XID) { if (*model->ArgusThisUpHdr == LLC_XID_FI) { model->ArgusThisUpHdr += 3; model->ArgusThisLength -= 3; model->ArgusSnapLength -= 3; } } } else { model->ArgusThisUpHdr += 4; model->ArgusThisLength -= 4; model->ArgusSnapLength -= 4; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessLLCHdr(%p, %p, %d) returning 0x%x\n", model, p, length, retn); #endif return(retn); } int ArgusProcessPPPHdr (struct ArgusModelerStruct *model, char *p, int length) { u_int proto = 0; int retn = 0, hdr_len = 0; if (length >= PPP_HDRLEN) { model->ArgusThisEncaps |= ARGUS_ENCAPS_PPP; switch (EXTRACT_16BITS(p)) { case (PPP_WITHDIRECTION_IN << 8 | PPP_CONTROL): p += 2; length -= 2; hdr_len += 2; break; case (PPP_WITHDIRECTION_OUT << 8 | PPP_CONTROL): p += 2; length -= 2; hdr_len += 2; break; case (PPP_ADDRESS << 8 | PPP_CONTROL): p += 2; /* ACFC not used */ length -= 2; hdr_len += 2; break; default: break; } if (*p % 2) { proto = *p; p++; length--; hdr_len++; } else { proto = EXTRACT_16BITS(p); p += 2; /* ACFC not used */ length -= 2; hdr_len += 2; } switch (proto) { case PPP_IP: model->ArgusThisNetworkFlowType = PPP_IP; retn = ETHERTYPE_IP; break; case PPP_IPV6: model->ArgusThisNetworkFlowType = PPP_IPV6; retn = ETHERTYPE_IPV6; break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_MPLS_UCAST: case PPP_MPLS_MCAST: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: break; case PPP_LCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: break; } model->ArgusThisUpHdr += hdr_len; model->ArgusThisLength -= hdr_len; model->ArgusSnapLength -= hdr_len; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPPPHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } #define PPPOE_HDRLEN 6 int ArgusProcessPPPoEHdr (struct ArgusModelerStruct *model, char *p, int length) { const u_char *pload = (u_char *)p + PPPOE_HDRLEN; int retn = 0, hdr_len = PPPOE_HDRLEN; u_int proto; model->ArgusThisEncaps |= ARGUS_ENCAPS_ETHER | ARGUS_ENCAPS_PPP; if (!p[1]) { switch(EXTRACT_16BITS(p)) { case (PPP_WITHDIRECTION_IN << 8 | PPP_CONTROL): pload += 2; hdr_len += 2; break; case (PPP_WITHDIRECTION_OUT << 8 | PPP_CONTROL): pload += 2; hdr_len += 2; break; case (PPP_ADDRESS << 8 | PPP_CONTROL): pload += 2; /* ACFC not used */ hdr_len += 2; break; default: break; } if (*pload % 2) { proto = *pload; /* PFC is used */ pload++; hdr_len++; } else { proto = EXTRACT_16BITS(pload); hdr_len += 2; } switch (proto) { case PPP_IP: model->ArgusThisNetworkFlowType = PPP_IP; retn = ETHERTYPE_IP; break; case PPP_IPV6: model->ArgusThisNetworkFlowType = PPP_IPV6; retn = ETHERTYPE_IPV6; break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_MPLS_UCAST: case PPP_MPLS_MCAST: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: case PPP_LCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: break; } model->ArgusThisUpHdr += hdr_len; model->ArgusThisLength -= hdr_len; model->ArgusSnapLength -= hdr_len; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPPPoEHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } #define UDT2_DATA_PACKET 0x00 #define UDT2_CONTROL_PACKET 0x80 #define UDT2_PACKET_MASK 0x80 #define UDT2_HANDSHAKE 0x00 #define UDT2_KEEPALIVE 0x01 #define UDT2_ACK 0x02 #define UDT2_NACK 0x03 #define UDT2_ACK2 0x06 int ArgusProcessUDToEHdr (struct ArgusModelerStruct *model, char *p, int length) { int retn = 0; model->ArgusThisEncaps |= ARGUS_ENCAPS_UDT; model->ArgusThisUpHdr += 2; model->ArgusThisLength -= 2; model->ArgusSnapLength -= 2; #ifdef ARGUSDEBUG p += 2; // add 2 byte pad ArgusDebug (8, "ArgusProcessUDToEHdr(%p, %p, %d) returning %d\n", model, p, length, retn); #endif return (retn); } int ArgusProcessLcpPacket (struct ArgusSourceStruct *, struct lcp_hdr *, int, struct timeval *); int ArgusProcessLcpPacket (struct ArgusSourceStruct *src, struct lcp_hdr *lcp, int length, struct timeval *tvp) { struct ArgusModelerStruct *model = src->ArgusModel; struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow; int retn = 0, status = 0; model->ArgusTotalPacket++; model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(lcp)) ArgusModelerCleanUp (model); else { if ((tflow = ArgusCreateLcpFlow(model, lcp)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) == NULL) { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) { if (getArgusControlMonitor(model)) flow->userlen = ARGUS_MAXSNAPLEN; status = ARGUS_START; } } else status = ARGUS_STATUS; if (flow != NULL) { switch (lcp->code) { case PPP_LCP_CONF_REQ: break; case PPP_LCP_CONF_ACK: break; case PPP_LCP_CONF_NACK: break; case PPP_LCP_CONF_REJ: break; case PPP_LCP_TERM_REQ: break; case PPP_LCP_TERM_ACK: break; case PPP_LCP_CODE_REJ: break; case PPP_LCP_PROTO_REJ: break; case PPP_LCP_ECHO_REQ: break; case PPP_LCP_ECHO_REPLY: break; case PPP_LCP_DISCARD: break; } ArgusUpdateFlow (model, flow, status, 1); } } } if (ArgusUpdateTime (model)) { ArgusQueueManager(model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessLcpPacket(%p, %p, %d, %p) returning %d\n", model, lcp, length, tvp, retn); #endif return (retn); } int ArgusProcessPacket (struct ArgusSourceStruct *src, char *p, int length, struct timeval *tvp, int type) { struct ArgusModelerStruct *model = src->ArgusModel; struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; char *ptr = p; float value; int retn = 0; model->ArgusTotalPacket++; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->ArgusThisInterface = src->ArgusThisIndex; model->ArgusThisStats = NULL; model->ArgusThisEpHdr = NULL; model->ArgusThisIpHdr = NULL; model->ArgusThisMplsLabelIndex = 0; model->ArgusThisNetworkFlowType = 0; model->ArgusInProtocol = 1; if ((value = getArgusRealTime (model->ArgusSrc)) > 0) { long long tdiff, rtdiff; int tvalue; gettimeofday(&model->ArgusNowTime, 0L); /* #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusProcessPacket: now %d.%06d global %d.%06d \n", model->ArgusNowTime.tv_sec, model->ArgusNowTime.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec); #endif */ if (model->ArgusLastPacketTimer.tv_sec) { tdiff = ArgusTimeDiff (&model->ArgusLastPacketTimer, tvp); rtdiff = ArgusTimeDiff (&model->ArgusAdjustedTimer, &model->ArgusNowTime); tvalue = (int)(rtdiff * value); if (tvalue > 0) { struct timespec tsbuf, *ts = &tsbuf; if (tvalue < 100000) { ts->tv_sec = 0; ts->tv_nsec = tvalue * 1000; } else { ts->tv_sec = 0; ts->tv_nsec = 100000000; } nanosleep (ts, NULL); while (((tdiff - tvalue) > 0) && !(ArgusShutDownFlag)) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPacket: stalling tdiff %lld rtdiff %lld tvalue %d\n", tdiff, rtdiff, tvalue); #endif model->ArgusGlobalTime = model->ArgusLastPacketTimer; if (model->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) { model->ArgusGlobalTime.tv_sec += (tvalue / 1000000000); model->ArgusGlobalTime.tv_usec += (tvalue % 1000000000); while (model->ArgusGlobalTime.tv_usec >= 1000000000) { model->ArgusGlobalTime.tv_sec++; model->ArgusGlobalTime.tv_usec -= 1000000000; } } else { model->ArgusGlobalTime.tv_sec += (tvalue / 1000000); model->ArgusGlobalTime.tv_usec += (tvalue % 1000000); while (model->ArgusGlobalTime.tv_usec >= 1000000) { model->ArgusGlobalTime.tv_sec++; model->ArgusGlobalTime.tv_usec -= 1000000; } } if (ArgusUpdateTime (model)) { ArgusQueueManager(model); ArgusModelerStats(model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } gettimeofday(&model->ArgusNowTime, 0L); rtdiff = ArgusTimeDiff (&model->ArgusAdjustedTimer, &model->ArgusNowTime); tvalue = (long long)(rtdiff * value); } } } model->ArgusGlobalTime = *tvp; model->ArgusLastPacketTimer = *tvp; model->ArgusAdjustedTimer = model->ArgusNowTime; } if (!(length) && !(tvp) && !(p) && !(ArgusShutDownFlag)) ArgusModelerCleanUp (model); else { model->ArgusThisUpHdr = (unsigned char *)p; model->ArgusThisBytes = length; while (type > 0) { if (type < 512) { if (ArgusDumpTask->ppc && (ArgusDumpTask->ppc[type])) model->ArgusMatchProtocol++; } if ((type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type)) >= 0) ptr = (char *)model->ArgusThisUpHdr; } model->ArgusThisPacket = (unsigned char *) p; model->ArgusThisEncapsLength = (ptr - p); if (model->ArgusThisEpHdr) ptr = (char *)model->ArgusThisEpHdr; if ((tflow = ArgusCreateFlow(model, ptr, length)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if (ArgusDeDup != 0) { if (ArgusFlowPacketDuplicate(model, flow)) return (retn); } if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if (queue == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, &model->ArgusGlobalTime, getArgusFarReportInterval(model))) { ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (!(tflow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessPacket(%p, %p, %d, %p, %d) returning %d\n", model, p, length, tvp, type, retn); #endif return (retn); } int ArgusProcessIpPacket (struct ArgusModelerStruct *model, struct ip *ip, int length, struct timeval *tvp) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; char *ptr = (char *)ip; int retn = 0, pass = 0, type = ETHERTYPE_IP; model->ArgusTotalPacket++; while (type > 0) if ((type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type)) >= 0) ptr = (char *)model->ArgusThisUpHdr; ip = model->ArgusThisIpHdr; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(ip)) ArgusModelerCleanUp (model); else { if (ip->ip_v == 4) { model->ArgusThisNetworkFlowType = ETHERTYPE_IP; pass = STRUCTCAPTURED(model,*ip); } else { struct ip6_hdr *ipv6 = (struct ip6_hdr *) ip; model->ArgusThisNetworkFlowType = ETHERTYPE_IPV6; pass = STRUCTCAPTURED(model,*ipv6); } model->ArgusThisBytes = length; if (pass) { if ((tflow = ArgusCreateFlow(model, ip, length)) != NULL) { ArgusCreateFlowKey (model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if ((queue = flow->qhdr.queue) == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, &model->ArgusGlobalTime, getArgusFarReportInterval(model))) { if (flow != (struct ArgusFlowStruct *) queue->start->prv) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); // if this record is timed out, all entries in status queue need to be timed out if (!(flow->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord (model, flow, flow->status); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (queue) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessIpPacket(%p, %d, %p) returning %d\n", ip, length, tvp, retn); #endif return (retn); } int ArgusProcessEtherPacket (struct ArgusModelerStruct *model, struct ether_header *ep, int length, struct timeval *tvp) { struct ArgusSystemFlow *tflow = NULL; struct ArgusFlowStruct *flow = NULL; int retn = 0, type; char *ptr = (char *)ep; model->ArgusTotalPacket++; if (model->ArgusSrc->sNflag >= model->ArgusTotalPacket) return (retn); model->state &= ~ARGUS_DIRECTION; if (!(length) && !(tvp) && !(ep)) ArgusModelerCleanUp (model); else { if (STRUCTCAPTURED(model,*ep)) { type = ARGUS_ETHER_HDR; model->ArgusThisBytes = length; while (type) { type = ArgusProcessPacketHdrs (model, ptr, model->ArgusThisLength, type); ptr = (char *)model->ArgusThisUpHdr; } if ((tflow = ArgusCreateFlow(model, model->ArgusThisEpHdr, length)) != NULL) { ArgusCreateFlowKey(model, tflow, model->hstruct); if ((flow = ArgusFindFlow (model, model->hstruct)) != NULL) { struct ArgusQueueStruct *queue; if ((queue = flow->qhdr.queue) != NULL) { model->ArgusTotalCacheHits++; if ((queue = flow->qhdr.queue) == model->ArgusStatusQueue) { if (ArgusCheckTimeout(model, &flow->qhdr.qtime, &model->ArgusGlobalTime, getArgusFarReportInterval(model))) { if (flow != (struct ArgusFlowStruct *) queue->start->prv) ArgusProcessQueueTimeout (model, model->ArgusStatusQueue); // if this record is not last, other entries in status queue need to be timed out if (!(flow->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord (model, flow, flow->status); ArgusRemoveFromQueue(flow->qhdr.queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); queue->reclaim++; } } else { if (queue) { ArgusRemoveFromQueue(queue, &flow->qhdr, ARGUS_LOCK); ArgusPushQueue(model->ArgusStatusQueue, &flow->qhdr, ARGUS_LOCK); } } if ((flow->qhdr.lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((flow->qhdr.lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (flow->qhdr.lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { flow->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; flow->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } ArgusUpdateFlow (model, flow, ARGUS_STATUS, 1); } else { struct ArgusFlowStruct *nflow; ArgusRemoveHashEntry(flow->htblhdr); flow->htblhdr = NULL; if ((nflow = ArgusNewFlow(model, (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX], model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, nflow, ARGUS_STATUS, 1); } } else { if ((flow = ArgusNewFlow(model, model->ArgusThisFlow, model->hstruct, model->ArgusStatusQueue)) != NULL) ArgusUpdateFlow (model, flow, ARGUS_START, 1); } } } if (flow == NULL) retn = 1; } if (ArgusUpdateTime (model)) { ArgusQueueManager (model); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusProcessEtherPacket(%p, %d, %p) returning %d\n", ep, length, tvp, retn); #endif return (retn); } void * ArgusCreateFlow (struct ArgusModelerStruct *model, void *ptr, int length) { void *retn = model->ArgusThisFlow; struct ether_header *ep = ptr; unsigned int keys = model->ArgusFlowKey; unsigned int index = 0; int i; model->state &= ~ARGUS_DIRECTION; memset (model->ArgusThisFlow, 0, sizeof(*model->ArgusThisFlow)); for (i = 0; (keys && (i < ARGUS_FLOW_KEYS)); i++) { index = 0x01 << i; if (keys & index) { switch (index) { case ARGUS_FLOW_KEY_CLASSIC5TUPLE: case ARGUS_FLOW_KEY_LAYER_3_MATRIX: switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { retn = ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisIpHdr); return (retn); } case ETHERTYPE_IPV6: { retn = ArgusCreateIPv6Flow (model, (struct ip6_hdr *)model->ArgusThisIpHdr); return (retn); } case ETHERTYPE_ARP: case ETHERTYPE_REVARP: { model->ArgusThisLength = length; retn = ArgusCreateArpFlow (model, ep); return (retn); } case ARGUS_802_11_HDR: { model->ArgusThisLength = length; retn = ArgusCreate80211Flow (model, ptr); return (retn); } case ARGUS_ISIS: retn = ArgusCreateIsisFlow (model, (struct isis_common_header *) model->ArgusThisUpHdr); return (retn); case ETHERTYPE_UDTOE: retn = ArgusCreateUDTFlow (model, (struct udt_header *) model->ArgusThisUpHdr); return (retn); } if (model->ArgusThisIpHdr) { model->ArgusThisNetworkFlowType &= 0xFFFF0000; model->ArgusThisNetworkFlowType |= ETHERTYPE_IP; retn = ArgusCreateIPv4Flow (model, (struct ip *)model->ArgusThisIpHdr); break; } /* drop through to here if above protocols didn't do it */ case ARGUS_FLOW_KEY_LAYER_2_MATRIX: if (ep != NULL) { int dstgteq = 1, i; model->ArgusThisLength = length; model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_ETHER; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; #if !defined(ETH_ALEN) #define ETH_ALEN 6 #endif if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) { if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } } } if (dstgteq) { bcopy ((char *) ep, (char *)&model->ArgusThisFlow->mac_flow.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&model->ArgusThisFlow->mac_flow.ehdr.ether_shost, ETH_ALEN); } model->ArgusThisFlow->mac_flow.ehdr.ether_type = ntohs(ep->ether_type); if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { model->ArgusThisFlow->mac_flow.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_CLNS: case ARGUS_ESIS: case ARGUS_NULLNS: break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->ssap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->dsap; } else { model->ArgusThisFlow->mac_flow.ssap = model->ArgusThisLLC->dsap; model->ArgusThisFlow->mac_flow.dsap = model->ArgusThisLLC->ssap; } } else { model->ArgusThisFlow->mac_flow.ssap = 0; model->ArgusThisFlow->mac_flow.dsap = 0; } } break; case ARGUS_FLOW_KEY_LOCAL_MPLS: case ARGUS_FLOW_KEY_COMPLETE_MPLS: break; case ARGUS_FLOW_KEY_VLAN: break; } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateFlow() returning %p\n", retn); #endif return (retn); } int ArgusGenerateStartRecords = 0; struct ArgusFlowStruct * ArgusNewFlow (struct ArgusModelerStruct *model, struct ArgusSystemFlow *flow, struct ArgusHashStruct *hstruct, struct ArgusQueueStruct *queue) { struct ArgusFlowStruct *retn = NULL; int timeout = ARGUS_OTHERTIMEOUT, userlen = 0; int len = flow->hdr.argus_dsrvl8.len; if (len > 0) { model->ArgusTotalNewFlows++; userlen = getArgusUserDataLen(model); retn = (struct ArgusFlowStruct *) ArgusMallocAligned(sizeof(*retn), 64); if (retn != NULL) { int value; memset(retn, 0, sizeof(*retn)); retn->status = ARGUS_START; retn->state = model->state & ARGUS_DIRECTION; retn->trans = model->ArgusTransactionNum++; retn->userlen = userlen; retn->srcint = -1; retn->dstint = -1; if (queue != NULL) { retn->qhdr.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; retn->qhdr.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } retn->dsrs[ARGUS_FLOW_INDEX] = (struct ArgusDSRHeader *) &retn->canon.flow.hdr; retn->canon.flow.hdr = flow->hdr; bcopy ((char *)&flow->flow_un, (char *)&retn->canon.flow.flow_un, (flow->hdr.argus_dsrvl8.len - 1) * 4); retn->dsrindex |= 1 << ARGUS_FLOW_INDEX; if (retn->state & ARGUS_DIRECTION) retn->dsrs[ARGUS_FLOW_INDEX]->subtype |= ARGUS_REVERSE; if (hstruct != NULL) { if ((retn->htblhdr = ArgusAddHashEntry (model->ArgusHashTable, retn, hstruct)) != NULL) { if (queue != NULL) ArgusPushQueue(queue, &retn->qhdr, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "ArgusNewFlow() ArgusAddHashEntry error %s.\n", strerror(errno)); } if ((value = getArgusKeystroke(model)) > 0) { if (value & ARGUS_SSH_KEYSTROKE) retn->status |= ARGUS_SSH_MONITOR; retn->skey.prev_pno = 0 - model->ArgusKeyStroke.gpc_max; } } else ArgusLog (LOG_WARNING, "ArgusNewFlow() ArgusMalloc error %s.\n", strerror(errno)); switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: timeout = model->ArgusIPTimeout; model->ArgusTotalIPFlows++; if (ArgusControlPlaneProtocol(model, retn)) retn->userlen = ARGUS_MAXSNAPLEN; break; case ETHERTYPE_ARP: case ETHERTYPE_REVARP: timeout = model->ArgusARPTimeout; model->ArgusTotalNonIPFlows++; if (getArgusControlMonitor(model)) retn->userlen = ARGUS_MAXSNAPLEN; break; case ARGUS_ISIS: timeout = ARGUS_OTHERTIMEOUT; model->ArgusTotalNonIPFlows++; if (getArgusControlMonitor(model)) retn->userlen = ARGUS_MAXSNAPLEN; break; default: model->ArgusTotalNonIPFlows++; timeout = ARGUS_OTHERTIMEOUT; break; } retn->timeout = timeout; } else ArgusLog (LOG_WARNING, "ArgusNewFlow() flow key is not correct len equals zero\n"); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusNewFlow() returning %p\n", retn); #endif return (retn); } extern void ArgusZeroRecord(struct ArgusFlowStruct *); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusTransportStruct *trans; struct ArgusTimeStruct *dtime, *otime = NULL; struct ArgusEncapsStruct *encaps; struct ArgusMetricStruct *metric; struct ArgusNetworkStruct *net; struct ArgusMplsStruct *mpls; struct ArgusVlanStruct *vlan; struct ArgusVxLanStruct *vxlan; struct ArgusGreStruct *gre; struct ArgusGeneveStruct *gen; struct ArgusTimeObject *time; struct ArgusJitterStruct *jitter; model->ArgusTotalUpdates++; if (flow->status & ARGUS_RECORD_WRITTEN) ArgusZeroRecord(flow); model->ArgusThisDir = ((flow->state & ARGUS_DIRECTION) == (model->state & ARGUS_DIRECTION)); if ((trans = (struct ArgusTransportStruct *) flow->dsrs[ARGUS_TRANSPORT_INDEX]) == NULL) { struct ArgusDeviceStruct *device = model->ArgusSrc->ArgusInterface[model->ArgusSrc->ArgusThisIndex].ArgusDevice; flow->dsrs[ARGUS_TRANSPORT_INDEX] = &flow->canon.trans.hdr; trans = (struct ArgusTransportStruct *) flow->dsrs[ARGUS_TRANSPORT_INDEX]; trans->hdr = device->trans.hdr; trans->srcid = device->trans.srcid; flow->dsrindex |= 0x01 << ARGUS_TRANSPORT_INDEX; } if (model->ArgusThisDir) { if (flow->srcint >= 0) { if (flow->srcint != model->ArgusThisInterface) { flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_SRC_INT_CHANGED; } } else flow->srcint = model->ArgusThisInterface; } else { if (flow->dstint >= 0) { if (flow->dstint != model->ArgusThisInterface) { flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_DST_INT_CHANGED; } } else flow->dstint = model->ArgusThisInterface; } if ((encaps = (struct ArgusEncapsStruct *) flow->dsrs[ARGUS_ENCAPS_INDEX]) == NULL) { flow->dsrs[ARGUS_ENCAPS_INDEX] = (struct ArgusDSRHeader *) &flow->canon.encaps.hdr; encaps = (struct ArgusEncapsStruct *) flow->dsrs[ARGUS_ENCAPS_INDEX]; memset(encaps, 0, sizeof(*encaps)); encaps->hdr.type = ARGUS_ENCAPS_DSR; encaps->hdr.argus_dsrvl8.len = 3; flow->dsrindex |= 0x01 << ARGUS_ENCAPS_INDEX; if (model->ArgusThisDir) { encaps->src = model->ArgusThisEncaps; if (model->ArgusEncapsCapture) { if ((encaps->slen = model->ArgusThisEncapsLength) > 0) { if ((encaps->sbuf = (void *) ArgusCalloc(1, encaps->slen)) != NULL) { memcpy(encaps->sbuf, model->ArgusThisPacket, encaps->slen); } } } } else { encaps->dst = model->ArgusThisEncaps; if (model->ArgusEncapsCapture) { if ((encaps->dlen = model->ArgusThisEncapsLength) > 0) { if ((encaps->dbuf = (void *) ArgusCalloc(1, encaps->dlen)) != NULL) { memcpy(encaps->dbuf, model->ArgusThisPacket, encaps->dlen); } } } } } else { if (model->ArgusThisDir) { if (flow->canon.encaps.src != model->ArgusThisEncaps) { if (flow->canon.encaps.src) flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_SRC_CHANGED; flow->canon.encaps.src |= model->ArgusThisEncaps; } if (model->ArgusEncapsCapture) { if (encaps->slen == 0) { if ((encaps->slen = model->ArgusThisEncapsLength) > 0) { if ((encaps->sbuf = (void *) ArgusCalloc(1, encaps->slen)) != NULL) { memcpy(encaps->sbuf, model->ArgusThisPacket, encaps->slen); } } } } } else { if (flow->canon.encaps.dst != model->ArgusThisEncaps) { if (flow->canon.encaps.dst) flow->canon.encaps.hdr.argus_dsrvl8.qual |= ARGUS_DST_CHANGED; flow->canon.encaps.dst |= model->ArgusThisEncaps; } if (model->ArgusEncapsCapture) { if (encaps->dlen == 0) { if ((encaps->dlen = model->ArgusThisEncapsLength) > 0) { if ((encaps->dbuf = (void *) ArgusCalloc(1, encaps->dlen)) != NULL) { memcpy(encaps->dbuf, model->ArgusThisPacket, encaps->dlen); } } } } } } if ((metric = (struct ArgusMetricStruct *) flow->dsrs[ARGUS_METRIC_INDEX]) == NULL) { metric = (struct ArgusMetricStruct *)&flow->canon.metric.hdr; memset(metric, 0, sizeof(*metric)); flow->dsrs[ARGUS_METRIC_INDEX] = (struct ArgusDSRHeader *) metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.argus_dsrvl8.len = (sizeof(struct ArgusMetricStruct) + 3) / 4; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; } if ((time = (struct ArgusTimeObject *) flow->dsrs[ARGUS_TIME_INDEX]) == NULL) { time = &flow->canon.time; memset(time, 0, sizeof(*time)); flow->dsrs[ARGUS_TIME_INDEX] = (struct ArgusDSRHeader *) time; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_TIMESTAMP; /* The global time precision must be independent of pcap device * precision. ArgusGlobalTime is always scaled to nanoseconds, * if argus is compiled with nanosecond support, and always scaled * to microseconds otherwise. */ #if defined(ARGUS_NANOSECONDS) time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_NANOSECONDS; #else time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; #endif time->hdr.argus_dsrvl8.len = 3; if (model->ArgusThisDir) { dtime = &time->src; otime = &time->dst; } else { dtime = &time->dst; otime = &time->src; } dtime->start.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->start.tv_usec = model->ArgusGlobalTime.tv_usec; } else { if (model->ArgusThisDir) { dtime = &time->src; otime = &time->dst; } else { dtime = &time->dst; otime = &time->src; } if (dtime->start.tv_sec == 0) { dtime->start.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->start.tv_usec = model->ArgusGlobalTime.tv_usec; if (otime->start.tv_sec) { time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; } } else { dtime->end.tv_sec = model->ArgusGlobalTime.tv_sec; dtime->end.tv_usec = model->ArgusGlobalTime.tv_usec; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; } } flow->dsrindex |= 1 << ARGUS_TIME_INDEX; if (getArgusHashflag (model)) { struct ArgusFlowHashStruct *hash; if ((hash = (struct ArgusFlowHashStruct *) flow->dsrs[ARGUS_FLOW_HASH_INDEX]) == NULL) { hash = (struct ArgusFlowHashStruct *) &flow->canon.hash.hdr; memset(hash, 0, sizeof(*hash)); flow->dsrs[ARGUS_FLOW_HASH_INDEX] = &hash->hdr; hash->hdr.type = ARGUS_FLOW_HASH_DSR; // hash->hdr.subtype = 0; // hash->hdr.argus_dsrvl8.qual = 0; hash->hdr.argus_dsrvl8.len = 3; if (model->hstruct != NULL) { hash->hash = model->hstruct->hash; hash->ind = model->hstruct->ind; } flow->dsrindex |= 1 << ARGUS_FLOW_HASH_INDEX; } } if (getArgusmflag (model)) { struct ArgusMacStruct *mac; if ((mac = (struct ArgusMacStruct *) flow->dsrs[ARGUS_MAC_INDEX]) == NULL) { if (model->ArgusThisEpHdr != NULL) { mac = (struct ArgusMacStruct *) &flow->canon.mac.hdr; memset(mac, 0, sizeof(*mac)); flow->dsrs[ARGUS_MAC_INDEX] = &mac->hdr; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.qual = 0; mac->hdr.argus_dsrvl8.len = 5; if (model->ArgusThisDir) { bcopy ((char *)model->ArgusThisEpHdr, (char *)&mac->mac.mac_union.ether, sizeof(struct ether_header)); } else { bcopy ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)); bcopy ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_header)); } mac->mac.mac_union.ether.ehdr.ether_type = ntohs(model->ArgusThisEpHdr->ether_type); flow->dsrindex |= 1 << ARGUS_MAC_INDEX; } } else { if (model->ArgusThisDir) { if (bcmp ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)) || bcmp ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_addr)) || mac->mac.mac_union.ether.ehdr.ether_type != ntohs(model->ArgusThisEpHdr->ether_type)) mac->hdr.argus_dsrvl8.qual |= ARGUS_SRC_MULTIPATH; } else { if (bcmp ((char *)&model->ArgusThisEpHdr->ether_dhost, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost, sizeof(struct ether_addr)) || bcmp ((char *)&model->ArgusThisEpHdr->ether_shost, (char *)&mac->mac.mac_union.ether.ehdr.ether_dhost, sizeof(struct ether_addr)) || mac->mac.mac_union.ether.ehdr.ether_type != ntohs(model->ArgusThisEpHdr->ether_type)) mac->hdr.argus_dsrvl8.qual |= ARGUS_DST_MULTIPATH; } } } if ((net = (struct ArgusNetworkStruct *) flow->dsrs[ARGUS_NETWORK_INDEX]) == NULL) { net = (struct ArgusNetworkStruct *) &flow->canon.net; memset(net, 0, sizeof(*net)); flow->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; if ((state == ARGUS_START) && (model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; net->hdr.argus_dsrvl8.qual = 0; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; } else { net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_MPLS) { int value; if ((mpls = (struct ArgusMplsStruct *) flow->dsrs[ARGUS_MPLS_INDEX]) == NULL) { mpls = (struct ArgusMplsStruct *) &flow->canon.mpls; memset(mpls, 0, sizeof(*mpls)); flow->dsrs[ARGUS_MPLS_INDEX] = (struct ArgusDSRHeader *) mpls; mpls->hdr.type = ARGUS_MPLS_DSR; mpls->hdr.subtype = 0; mpls->hdr.argus_dsrvl8.qual = 0; mpls->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_MPLS_INDEX; } if (model->ArgusThisDir) { value = mpls->hdr.argus_dsrvl8.qual & 0x0F; mpls->hdr.argus_dsrvl8.qual = ((model->ArgusThisMplsLabelIndex & 0x0F) << 4) | value; mpls->slabel = model->ArgusThisMplsLabel; } else { value = mpls->hdr.argus_dsrvl8.qual & 0xF0; mpls->hdr.argus_dsrvl8.qual = (model->ArgusThisMplsLabelIndex & 0x0F) | value; mpls->dlabel = model->ArgusThisMplsLabel; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_8021Q) { if ((vlan = (struct ArgusVlanStruct *) flow->dsrs[ARGUS_VLAN_INDEX]) == NULL) { vlan = (struct ArgusVlanStruct *) &flow->canon.vlan; memset(vlan, 0, sizeof(*vlan)); flow->dsrs[ARGUS_VLAN_INDEX] = (struct ArgusDSRHeader *) vlan; vlan->hdr.type = ARGUS_VLAN_DSR; vlan->hdr.subtype = 0; vlan->hdr.argus_dsrvl8.qual = 0; vlan->hdr.argus_dsrvl8.len = 2; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; } if (model->ArgusThisDir) { vlan->sid = model->ArgusThisPacket8021QEncaps; vlan->hdr.argus_dsrvl8.qual |= ARGUS_SRC_VLAN; } else { vlan->did = model->ArgusThisPacket8021QEncaps; vlan->hdr.argus_dsrvl8.qual |= ARGUS_DST_VLAN; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_VXLAN) { if ((vxlan = (struct ArgusVxLanStruct *) flow->dsrs[ARGUS_VXLAN_INDEX]) == NULL) { vxlan = (struct ArgusVxLanStruct *) &flow->canon.vxlan; memset(vxlan, 0, sizeof(*vxlan)); flow->dsrs[ARGUS_VXLAN_INDEX] = (struct ArgusDSRHeader *) vxlan; vxlan->hdr.type = ARGUS_VXLAN_DSR; vxlan->hdr.subtype = 0; vxlan->hdr.argus_dsrvl8.qual = 0; vxlan->hdr.argus_dsrvl8.len = 3; flow->dsrindex |= 1 << ARGUS_VXLAN_INDEX; } if (model->ArgusThisDir) { vxlan->svnid = model->ArgusThisVxLanVni; vxlan->hdr.argus_dsrvl8.qual |= ARGUS_SRC_VXLAN; } else { vxlan->dvnid = model->ArgusThisVxLanVni; vxlan->hdr.argus_dsrvl8.qual |= ARGUS_DST_VXLAN; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_GENEVE) { if ((gen = (struct ArgusGeneveStruct *) flow->dsrs[ARGUS_GENEVE_INDEX]) == NULL) { gen = (struct ArgusGeneveStruct *) &flow->canon.gen; memset(gen, 0, sizeof(*gen)); flow->dsrs[ARGUS_GENEVE_INDEX] = (struct ArgusDSRHeader *) gen; gen->hdr.type = ARGUS_GENEVE_DSR; gen->hdr.subtype = 0; gen->hdr.argus_dsrvl8.qual = 0; flow->dsrindex |= 1 << ARGUS_GENEVE_INDEX; gen->flags = model->ArgusThisGeneve->flags; gen->ptype = model->ArgusThisGeneve->ptype; bcopy(model->ArgusThisGeneve->tflow, &gen->tflow, sizeof(gen->tflow)); gen->hdr.argus_dsrvl8.len = gen->tflow.hdr.argus_dsrvl8.len + 3; } } if (model->ArgusThisEncaps & ARGUS_ENCAPS_GRE) { if ((gre = (struct ArgusGreStruct *) flow->dsrs[ARGUS_GRE_INDEX]) == NULL) { gre = (struct ArgusGreStruct *) &flow->canon.gre; memset(gre, 0, sizeof(*gre)); flow->dsrs[ARGUS_GRE_INDEX] = (struct ArgusDSRHeader *) gre; gre->hdr.type = ARGUS_GRE_DSR; gre->hdr.subtype = 0; gre->hdr.argus_dsrvl8.qual = 0; flow->dsrindex |= 1 << ARGUS_GRE_INDEX; gre->flags = model->ArgusThisGre->flags; gre->proto = model->ArgusThisGre->proto; bcopy(model->ArgusThisGre->tflow, &gre->tflow, sizeof(gre->tflow)); gre->hdr.argus_dsrvl8.len = gre->tflow.hdr.argus_dsrvl8.len + 2; } if (model->ArgusThisDir) { } else { } } if (model->ArgusGenerateTime) { if ((jitter = (struct ArgusJitterStruct *) flow->dsrs[ARGUS_JITTER_INDEX]) == NULL) { jitter = (struct ArgusJitterStruct *) &flow->canon.jitter; memset(jitter, 0, sizeof(*jitter)); flow->dsrs[ARGUS_JITTER_INDEX] = (struct ArgusDSRHeader *) jitter; jitter->hdr.type = ARGUS_JITTER_DSR; jitter->hdr.subtype = 0; jitter->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_JITTER_INDEX; flow->stime.act.minval = FLT_MAX; flow->stime.idle.minval = FLT_MAX; flow->dtime.act.minval = FLT_MAX; flow->dtime.idle.minval = FLT_MAX; } } } int ArgusFlowPacketDuplicate (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { int retn = 0; if (model->ArgusThisIpHdr) { /* struct ArgusIPAttrStruct *attr; if ((attr = (struct ArgusIPAttrStruct *) flow->dsrs[ARGUS_IPATTR_INDEX]) != NULL) { switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { struct ip *iphdr = (struct ip *) model->ArgusThisIpHdr; if (model->ArgusThisDir) { if ((attr->src.ip_id == iphdr->ip_id) && (attr->src.tos == iphdr->ip_tos) && (attr->src.options == model->ArgusOptionIndicator)) match = 1; } else { if ((attr->dst.ip_id == iphdr->ip_id) && (attr->dst.tos == iphdr->ip_tos) && (attr->dst.options == model->ArgusOptionIndicator)) match = 1; } break; } case ETHERTYPE_IPV6: { struct ip6_hdr *iphdr = (struct ip6_hdr *) model->ArgusThisIpHdr; unsigned int flowid = iphdr->ip6_flow; unsigned short ftos = (flowid >> 16); unsigned char tos = ((ntohs(ftos) >> 4) & 0x00FF); unsigned char ttl = iphdr->ip6_hlim; if (model->ArgusThisDir) { if ((attr->src.ttl == ttl) && (attr->src.tos == tos) && (attr->src.options == model->ArgusOptionIndicator)) match = 1; } else { if ((attr->dst.ttl == ttl) && (attr->dst.tos == tos) && (attr->dst.options == model->ArgusOptionIndicator)) match = 1; } break; } } } */ } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFlowPacketDuplicate (%p, %p) returning %d\n", model, flow, retn); #endif return (retn); } struct ArgusFlowStruct * ArgusUpdateFlow (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state, unsigned char update) { struct ArgusFlowStruct *retn = flow; ArgusUpdateBasicFlow (model, flow, state); if (model->ArgusThisIpHdr) { struct ArgusIPAttrStruct *attr = NULL; if ((attr = (struct ArgusIPAttrStruct *) flow->dsrs[ARGUS_IPATTR_INDEX]) == NULL) { flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; attr = &flow->canon.attr; memset(attr, 0, sizeof(*attr)); attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = 0; attr->hdr.argus_dsrvl8.len = 1; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; } #if !defined(IPTOS_CE) #define IPTOS_CE 0x01 /* congestion experienced */ #define IPTOS_ECT 0x02 /* ECN-capable transport */ #endif switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ETHERTYPE_IP: { struct ip *iphdr = (struct ip *) model->ArgusThisIpHdr; u_short ip_off = ntohs(iphdr->ip_off); if (model->ArgusThisDir) { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC; } attr->src.ttl = iphdr->ip_ttl; attr->src.tos = iphdr->ip_tos; attr->src.ip_id = iphdr->ip_id; if ((attr->src.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_OPTIONS; if ((attr->src.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->src.status |= ARGUS_ECN_CONGESTED; } else { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST; } attr->dst.ttl = iphdr->ip_ttl; attr->dst.tos = iphdr->ip_tos; attr->dst.ip_id = iphdr->ip_id; if ((attr->dst.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_OPTIONS; if ((attr->dst.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->dst.status |= ARGUS_ECN_CONGESTED; } retn = ArgusUpdateState (model, flow, state, update); if ((model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) && (((ip_off & 0x1fff) == 0) && (ip_off & IP_MF))) { /* This is also a fragment, so we need to setup the expected fragment cache, so we can find the fragments that will be coming in. So get the fragment flow descriptor, and either find the flow or install one. If the fragment descriptor exists, then we're now able to update the parent flow, if it hasn't been done. Add this fragment to the parents fragment list, so we can find them if we have to deallocate the parent. */ struct ArgusSystemFlow *fflow = NULL; struct ArgusFlowStruct *frag = NULL; int tstate = model->state; if ((fflow = ArgusCreateFRAGFlow (model, iphdr, ETHERTYPE_IP)) == NULL) ArgusLog (LOG_ERR, "ArgusCreateFRAGFlow() returned NULL.\n"); ArgusCreateFlowKey(model, fflow, model->hstruct); if ((frag = ArgusFindFlow (model, model->hstruct)) == NULL) { if ((frag = ArgusNewFlow (model, fflow, model->hstruct, &flow->frag)) == NULL) ArgusLog (LOG_ERR, "ArgusNewFlow() returned NULL.\n"); memset (&frag->canon.net, 0, sizeof(struct ArgusFragObject) + 4); frag->canon.net.hdr.type = ARGUS_NETWORK_DSR; frag->canon.net.hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; frag->canon.net.hdr.argus_dsrvl8.qual = 0; frag->canon.net.hdr.argus_dsrvl8.len = ((sizeof(struct ArgusFragObject) + 3)/4) + 1; frag->dsrs[ARGUS_FRAG_INDEX] = (struct ArgusDSRHeader *) &frag->canon.net.hdr; frag->canon.net.net_union.frag.parent = flow; frag->canon.net.net_union.frag.frag_id = iphdr->ip_id; ArgusUpdateBasicFlow (model, frag, state); } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)frag->dsrs[ARGUS_FRAG_INDEX]; struct ArgusFragObject *ofrag = &net->net_union.frag; net->hdr.argus_dsrvl8.qual |= ARGUS_FRAG_OUT_OF_ORDER; if (ofrag->parent == NULL) { ofrag->parent = flow; if (frag->qhdr.queue != &flow->frag) { ArgusRemoveFromQueue(frag->qhdr.queue, &frag->qhdr, ARGUS_LOCK); ArgusAddToQueue(&flow->frag, &frag->qhdr, ARGUS_LOCK); } } } if (ArgusUpdateFRAGState (model, frag, state, ETHERTYPE_IP)) ArgusDeleteObject (frag); model->state = tstate; if (model->ArgusThisDir) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; else attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } break; } case ETHERTYPE_IPV6: { struct ip6_hdr *iphdr = (struct ip6_hdr *) model->ArgusThisIpHdr; unsigned int flowid = iphdr->ip6_flow; unsigned short ftos = (flowid >> 16); unsigned char tos = ((ntohs(ftos) >> 4) & 0x00FF); unsigned char ttl = iphdr->ip6_hlim; struct ip6_frag *tfrag = NULL; if (model->ArgusThisDir) { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC; } attr->src.ttl = ttl; attr->src.tos = tos; attr->src.ip_id = 0; if ((attr->src.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_OPTIONS; if ((attr->src.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->src.status |= ARGUS_ECN_CONGESTED; } else { if (!(attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST)) { attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST; } attr->dst.ttl = ttl; attr->dst.tos = tos; attr->dst.ip_id = 0; if ((attr->dst.options = model->ArgusOptionIndicator) != 0) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_OPTIONS; if ((attr->dst.tos & (IPTOS_CE | IPTOS_ECT)) == (IPTOS_CE | IPTOS_ECT)) attr->dst.status |= ARGUS_ECN_CONGESTED; } retn = ArgusUpdateState (model, flow, state, update); if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) { if ((tfrag = model->ArgusThisIpv6Frag) != NULL) { if ((tfrag->ip6f_offlg & IP6F_OFF_MASK) == 0) { if ( tfrag->ip6f_offlg & IP6F_MORE_FRAG) { /* This is also a fragment, so we need to setup the expected fragment cache, so we can find the fragments that will be coming in. So get the fragment flow descriptor, and either find the flow or install one. If the fragment descriptor exists, then we're now able to update the parent flow, if it hasn't been done. Add this fragment to the parents fragment list, so we can find them if we have to deallocate the parent. */ struct ArgusSystemFlow *fflow = NULL; struct ArgusFlowStruct *frag = NULL; int tstate = model->state; if ((fflow = ArgusCreateFRAGFlow (model, iphdr, ETHERTYPE_IPV6)) != NULL) { ArgusCreateFlowKey(model, fflow, model->hstruct); if ((frag = ArgusFindFlow (model, model->hstruct)) == NULL) { /* ok so here things are correct, we're going to schedule the expected frag struct onto the parent flow, and proceed */ if ((frag = ArgusNewFlow (model, fflow, model->hstruct, &flow->frag)) == NULL) ArgusLog (LOG_ERR, "ArgusNewFlow() returned NULL.\n"); memset (&frag->canon.net, 0, sizeof(struct ArgusFragObject) + 4); frag->canon.net.hdr.type = ARGUS_NETWORK_DSR; frag->canon.net.hdr.subtype = ARGUS_NETWORK_SUBTYPE_FRAG; frag->canon.net.hdr.argus_dsrvl8.qual = 0; frag->canon.net.hdr.argus_dsrvl8.len = (sizeof(struct ArgusFragObject) + 3)/4 + 1; frag->dsrs[ARGUS_FRAG_INDEX] = (struct ArgusDSRHeader *) &frag->canon.net.hdr; frag->canon.net.net_union.frag.parent = flow; ArgusUpdateBasicFlow (model, frag, state); } else { /* oops, here we've seen parts of the fragment and are just now seeing the 0 offset fragment, so need to move the frag from the general run queue and put it on this parent frag queue */ if (frag->dsrs[ARGUS_FRAG_INDEX] != NULL) frag->dsrs[ARGUS_FRAG_INDEX]->argus_dsrvl8.qual |= ARGUS_FRAG_OUT_OF_ORDER; if (frag->qhdr.queue != &flow->frag) { ArgusRemoveFromQueue(frag->qhdr.queue, &frag->qhdr, ARGUS_LOCK); ArgusAddToQueue(&flow->frag, &frag->qhdr, ARGUS_LOCK); } } if (ArgusUpdateFRAGState (model, frag, state, ETHERTYPE_IPV6)) ArgusDeleteObject (frag); model->state = tstate; if (model->ArgusThisDir) attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_SRC_FRAGMENTS; else attr->hdr.argus_dsrvl8.qual |= ARGUS_IPATTR_DST_FRAGMENTS; } } } } } break; } } } else retn = ArgusUpdateState (model, flow, state, update); if ((state == ARGUS_START) && ArgusGenerateStartRecords) ArgusSendFlowRecord(model, flow, ARGUS_START); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateFlow (%p, %d) returning %p\n", flow, state, retn); #endif return (retn); } void ArgusTallyStats (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { struct ArgusMetricStruct *metric = (void *)flow->dsrs[ARGUS_METRIC_INDEX]; int bytes = model->ArgusThisBytes; if (metric != NULL) { if (model->ArgusThisDir) model->ArgusThisStats = &metric->src; else model->ArgusThisStats = &metric->dst; model->ArgusThisStats->pkts++; model->ArgusThisStats->bytes += bytes; } if (getArgusGeneratePacketSize(model)) { struct ArgusPacketSizeStruct *psize = (void *)flow->dsrs[ARGUS_PSIZE_INDEX]; struct ArgusPacketSizeObject *tpsize; if (psize == NULL) { psize = &flow->canon.psize; memset (psize, 0, sizeof(*psize)); psize->hdr.type = ARGUS_PSIZE_DSR; psize->src.psizemin = 0xFFFF; psize->dst.psizemin = 0xFFFF; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; } if (model->ArgusThisDir) tpsize = &psize->src; else tpsize = &psize->dst; if (bytes > 0) { if (bytes > tpsize->psizemax) tpsize->psizemax = bytes; if (bytes < tpsize->psizemin) tpsize->psizemin = bytes; if (getArgusGeneratePacketSizeHisto(model)) { double value = log2(bytes - 40); double integral; modf(value, &integral); integral -= 4; if (integral < 0) integral = 0; if (integral > 7) integral = 7; tpsize->psize[(int)integral]++; if (tpsize->psize[(int)integral] >= 254) { for (int i = 0; i < 8; i++) { if (tpsize->psize[i] > 1) tpsize->psize[i] <<= 1; } } } } } if (model->ArgusGenerateTime) { struct ArgusTimeStat *ArgusThisTime; struct ArgusTimeStats *ArgusThisTimeStat; unsigned long long ArgusThisInterval, tout; struct timeval timeout; if (model->ArgusThisDir) { ArgusThisTime = &flow->stime; } else { ArgusThisTime = &flow->dtime; } if (model->ArgusInProtocol) ArgusThisTimeStat = &ArgusThisTime->act; else ArgusThisTimeStat = &ArgusThisTime->idle; if ((ArgusThisTime->lasttime.tv_sec < model->ArgusGlobalTime.tv_sec) || ((ArgusThisTime->lasttime.tv_sec == model->ArgusGlobalTime.tv_sec) && (ArgusThisTime->lasttime.tv_usec < model->ArgusGlobalTime.tv_usec))) { if (ArgusThisTime->lasttime.tv_sec > 0) { if ((ArgusThisInterval = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &ArgusThisTime->lasttime)) > 0) { timeout = *getArgusFarReportInterval (model); if (model->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) tout = (timeout.tv_sec * 1000000000LL) + timeout.tv_usec; else tout = (timeout.tv_sec * 1000000LL) + timeout.tv_usec; if (tout > 0) { if (ArgusThisInterval < (tout * 2)) { if (ArgusThisTimeStat->minval > ArgusThisInterval) ArgusThisTimeStat->minval = ArgusThisInterval; if (ArgusThisTimeStat->maxval < ArgusThisInterval) ArgusThisTimeStat->maxval = ArgusThisInterval; ArgusThisTimeStat->sum += ArgusThisInterval; ArgusThisTimeStat->sumsqrd += (double)ArgusThisInterval * (double)ArgusThisInterval; ArgusThisTimeStat->n++; } } } } ArgusThisTime->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTime->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusTallyStats (0x%x, 0x%x) returning\n", model, flow); #endif } void ArgusUpdateMACState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateMACState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { } int ArgusUpdateICMPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateICMPv6State (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); struct ArgusFlowStruct * ArgusUpdateState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char state, unsigned char update) { struct ArgusFlowStruct *retn = flowstr; struct ArgusSystemFlow *flow; unsigned short proto; unsigned char ip_p; if ((flowstr->status & 0xF0) == 0) { flowstr->status |= state & 0xF0; } else { switch (state & 0xF0) { case ARGUS_START: case ARGUS_STOP: case ARGUS_TIMEOUT: case ARGUS_SHUTDOWN: case ARGUS_CLOSED: case ARGUS_ERROR: flowstr->status &= ~0xF0; flowstr->status |= state & 0xF0; break; } } ArgusUpdateMACState(model, flowstr, &state); flow = (struct ArgusSystemFlow *) flowstr->dsrs[ARGUS_FLOW_INDEX]; switch (proto = (model->ArgusThisNetworkFlowType & 0xFFFF)) { case ETHERTYPE_IPV6: case ETHERTYPE_IP: { if (proto == ETHERTYPE_IPV6) ip_p = flow->ipv6_flow.ip_p; else ip_p = flow->ip_flow.ip_p; if (model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT) { ArgusTallyStats (model, flowstr); if (ArgusUpdateFRAGState (model, flowstr, state, proto)) { ArgusDeleteObject(flowstr); return(NULL); } } else { switch (ip_p) { case IPPROTO_TCP: { if (model->ArgusKeyStroke.status) ArgusTCPKeystroke(model, flowstr, &state); ArgusUpdateTCPState (model, flowstr, &state); if (flowstr->timeout != model->ArgusTCPTimeout) flowstr->timeout = model->ArgusTCPTimeout; break; } case IPPROTO_ICMP: ArgusUpdateICMPState (model, flowstr, &state); if (flowstr->timeout != model->ArgusICMPTimeout) flowstr->timeout = model->ArgusICMPTimeout; break; case IPPROTO_ICMPV6: ArgusUpdateICMPv6State (model, flowstr, &state); if (flowstr->timeout != model->ArgusICMPTimeout) flowstr->timeout = model->ArgusICMPTimeout; break; case IPPROTO_IGMP: if (flowstr->timeout == model->ArgusIGMPTimeout) flowstr->timeout = model->ArgusIGMPTimeout; break; case IPPROTO_UDP: ArgusUpdateUDPState (model, flowstr, &state); if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; case IPPROTO_ESP: ArgusUpdateESPState (model, flowstr, &state); if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; default: if (flowstr->timeout == model->ArgusIPTimeout) flowstr->timeout = model->ArgusIPTimeout; break; } } break; } case ETHERTYPE_ARP: case ETHERTYPE_REVARP: ArgusUpdateArpState (model, flowstr, &state); break; default: break; } if (update) { if (!(model->ArgusThisFlow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT)) ArgusTallyStats (model, flowstr); ArgusUpdateAppState (model, flowstr, state); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateState (%p, %d) returning %d\n", flowstr, state, retn); #endif return (retn); } /* ArgusGenerateRecord Build the contiguous argus output record for output. Struct ArgusRecord is really just an array of 32-bit values, so lets build it that way to deal with 32 and 64-bit machines. */ struct ArgusRecord * ArgusGenerateRecord (struct ArgusModelerStruct *model, struct ArgusRecordStruct *rec, unsigned char state, struct ArgusRecord *retn) { if (rec) { switch (rec->hdr.type & 0xF0) { case ARGUS_FAR: case ARGUS_EVENT: case ARGUS_NETFLOW: { unsigned int ind, dsrindex, *dsrptr; int i, x, len = 0, dsrlen = 1; struct ArgusDSRHeader *dsr; bcopy ((char *)&rec->hdr, (char *)&retn->hdr, sizeof(retn->hdr)); dsrptr = (unsigned int *)&retn->ar_un.far; dsrindex = rec->dsrindex; for (i = 0, ind = 1; (dsrindex && (i < ARGUSMAXDSRTYPE)); i++, ind <<= 1) { if ((dsr = rec->dsrs[i]) != NULL) { len = ((dsr->type & 0x80) ? 1 : ((dsr->type == ARGUS_DATA_DSR) ? dsr->argus_dsrvl16.len : dsr->argus_dsrvl8.len )); switch (i) { default: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_GRE_INDEX: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_GENEVE_INDEX: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_VXLAN_INDEX: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_FLOW_HASH_INDEX: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; case ARGUS_TRANSPORT_INDEX: { struct ArgusTransportStruct *trans = (struct ArgusTransportStruct *)rec->dsrs[i]; unsigned int *sptr = (unsigned int *)&trans->srcid; int z, tlen = 0; switch (trans->hdr.argus_dsrvl8.qual & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: case ARGUS_TYPE_INT: case ARGUS_TYPE_IPV4: tlen = 4; break; case ARGUS_TYPE_IPV6: case ARGUS_TYPE_UUID: tlen = 16; break; } len = 1 + (tlen / 4) + ((trans->hdr.argus_dsrvl8.qual & ARGUS_TYPE_INTERFACE) ? 1 : 0) + ((trans->hdr.subtype & ARGUS_SEQ) ? 1 : 0); trans->hdr.argus_dsrvl8.len = len; *dsrptr++ = *(unsigned int *)&trans->hdr; for (z = 0; z < (tlen / 4); z++) *dsrptr++ = *sptr++; if (trans->hdr.argus_dsrvl8.qual & ARGUS_TYPE_INTERFACE) { bcopy(&trans->srcid.inf, dsrptr++, sizeof(trans->srcid.inf)); } if (trans->hdr.subtype & ARGUS_SEQ) *dsrptr++ = trans->seqnum; break; } case ARGUS_FLOW_INDEX: { switch (dsr->subtype) { case ARGUS_FLOW_ARP: switch (dsr->argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = &((struct ArgusFlow *)dsr)->flow_un.rarp; dsr->argus_dsrvl8.len = 4 + ((rarp->hln * 2) + 3)/4; len = dsr->argus_dsrvl8.len; dsrptr[0] = ((unsigned int *)dsr)[0]; dsrptr[1] = ((unsigned int *)dsr)[1]; dsrptr[2] = ((unsigned int *)dsr)[2]; dsrptr[3] = ((unsigned int *)dsr)[3]; bcopy (&rarp->shaddr, &((char *)&dsrptr[4])[0], rarp->hln); bcopy (&rarp->dhaddr, &((char *)&dsrptr[4])[rarp->hln], rarp->hln); dsrptr += dsr->argus_dsrvl8.len; break; } case ARGUS_TYPE_ARP: { struct ArgusArpFlow *arp = &((struct ArgusFlow *)dsr)->flow_un.arp; dsr->argus_dsrvl8.len = 4 + (arp->hln + 3)/4; len = dsr->argus_dsrvl8.len; dsrptr[0] = ((unsigned int *)dsr)[0]; dsrptr[1] = ((unsigned int *)dsr)[1]; dsrptr[2] = ((unsigned int *)dsr)[2]; dsrptr[3] = ((unsigned int *)dsr)[3]; dsrptr[4] = ((unsigned int *)dsr)[4]; bcopy (&arp->haddr, &((char *)&dsrptr[5])[0], arp->hln); dsrptr += dsr->argus_dsrvl8.len; break; } } break; default: for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; break; } break; } case ARGUS_NETWORK_INDEX: { switch (dsr->subtype) { case ARGUS_TCP_INIT: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)rec->dsrs[i]; struct ArgusTCPObject *tobj = &net->net_union.tcp; struct ArgusTCPInitStatus *tcp = (void *)(dsrptr + 1); *dsrptr = *(unsigned int *)&net->hdr; tcp->status = tobj->status; tcp->seqbase = tobj->src.seqbase; tcp->options = tobj->options; tcp->flags = tobj->src.flags; tcp->winshift = tobj->src.winshift; tcp->maxseg = tobj->src.maxseg; dsrptr += len; break; } case ARGUS_TCP_STATUS: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)rec->dsrs[i]; struct ArgusTCPObject *tobj = &net->net_union.tcp; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)(dsrptr + 1); *dsrptr = *(unsigned int *)&net->hdr; tcp->status = tobj->status; tcp->src = tobj->src.flags; tcp->dst = tobj->dst.flags; bzero(&tcp->pad, sizeof(tcp->pad)); dsrptr += len; break; } default: { /* struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)rec->dsrs[i]; struct ArgusTCPObject *tobj = &net->net_union.tcp; if (tobj->status & ARGUS_DUPLICATES) { */ for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; /* } else { unsigned int *iptr; int dlen = ((sizeof(struct ArgusTCPObjectMetrics) - 4) + 3)/4; len = 2 * dlen + 6; rec->dsrs[i]->argus_dsrvl8.len = len; for (x = 0; x < 6; x++) *dsrptr++ = ((unsigned int *)rec->dsrs[i])[x]; iptr = (unsigned int *) &tobj->src; for (x = 0; x < dlen; x++) *dsrptr++ = *iptr++; iptr = (unsigned int *) &tobj->dst; for (x = 0; x < dlen; x++) *dsrptr++ = *iptr++; } */ break; } } break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *dtime = (struct ArgusTimeObject *) dsr; struct ArgusTime *mint, *maxt; unsigned char subtype = 0; unsigned char tlen = 1; if (model->ArgusReportAllTime) { if (dtime->src.start.tv_sec) { subtype |= ARGUS_TIME_SRC_START; tlen += 2; } if (dtime->src.end.tv_sec) { subtype |= ARGUS_TIME_SRC_END; tlen += 2; } if (dtime->dst.start.tv_sec) { subtype |= ARGUS_TIME_DST_START; tlen += 2; } if (dtime->dst.end.tv_sec) { subtype |= ARGUS_TIME_DST_END; tlen += 2; } dtime->hdr.argus_dsrvl8.len = tlen; dtime->hdr.subtype &= ~(0x78); dtime->hdr.subtype |= subtype; *dsrptr++ = ((unsigned int *)rec->dsrs[i])[0]; for (x = 0; x < 4; x++) { if (subtype & (ARGUS_TIME_SRC_START << x)) { switch (ARGUS_TIME_SRC_START << x) { case ARGUS_TIME_SRC_START: *dsrptr++ = dtime->src.start.tv_sec; *dsrptr++ = dtime->src.start.tv_usec; break; case ARGUS_TIME_SRC_END: *dsrptr++ = dtime->src.end.tv_sec; *dsrptr++ = dtime->src.end.tv_usec; break; case ARGUS_TIME_DST_START: *dsrptr++ = dtime->dst.start.tv_sec; *dsrptr++ = dtime->dst.start.tv_usec; break; case ARGUS_TIME_DST_END: *dsrptr++ = dtime->dst.end.tv_sec; *dsrptr++ = dtime->dst.end.tv_usec; break; } } } len = tlen; } else { struct ArgusTime tmax = {0, 0}, tmin = {0xEFFFFFFF,0}; struct ArgusTime *atime; for (x = 0; x < 4; x++) { switch (ARGUS_TIME_SRC_START << x) { case ARGUS_TIME_SRC_START: atime = &dtime->src.start; break; case ARGUS_TIME_SRC_END: atime = &dtime->src.end; break; case ARGUS_TIME_DST_START: atime = &dtime->dst.start; break; case ARGUS_TIME_DST_END: atime = &dtime->dst.end; break; } if (atime->tv_sec) { if ((tmax.tv_sec < atime->tv_sec) || ((tmax.tv_sec == atime->tv_sec) && (tmax.tv_usec < atime->tv_usec))) { tmax = *atime; } if ((tmin.tv_sec > atime->tv_sec) || ((tmin.tv_sec == atime->tv_sec) && (tmin.tv_sec > atime->tv_sec))) { tmin = *atime; } } } maxt = &tmax; mint = &tmin; if ((maxt->tv_sec != mint->tv_sec) || ((maxt->tv_sec == mint->tv_sec) && (maxt->tv_usec != mint->tv_usec))) { dsr->argus_dsrvl8.len = 5; len = 5; } else { dsr->argus_dsrvl8.len = 3; len = 3; } /* This function confuses the gcc optimizer. * Access this memory (subtype) before * serialization below so that the resulting * packet has the correct contents. */ dtime->hdr.subtype &= ~(0x78); *dsrptr++ = ((unsigned int *)rec->dsrs[i])[0]; *dsrptr++ = mint->tv_sec; *dsrptr++ = mint->tv_usec; if (len == 5) { *dsrptr++ = maxt->tv_sec; *dsrptr++ = maxt->tv_usec; } } break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *) dsr; unsigned char type = 0; if ((metric->src.pkts + metric->dst.pkts) > 0) { if (metric->src.pkts && metric->dst.pkts) { if ((0xFF >= metric->src.pkts) && (0xFF >= metric->dst.pkts) && (0xFF >= metric->src.bytes) && (0xFF >= metric->dst.bytes)) type = ARGUS_SRCDST_BYTE; else if ((0xFFFF >= metric->src.bytes) && (0xFFFF >= metric->dst.bytes)) type = ARGUS_SRCDST_SHORT; else if ((0xFFFFFFFF >= metric->src.bytes) && (0xFFFFFFFF >= metric->dst.bytes)) type = ARGUS_SRCDST_INT; else type = ARGUS_SRCDST_LONGLONG; } else { if (metric->src.pkts) { if (0xFFFF >= metric->src.bytes) type = ARGUS_SRC_SHORT; else if (0xFFFFFFFF >= metric->src.bytes) type = ARGUS_SRC_INT; else type = ARGUS_SRC_LONGLONG; } else { if (0xFFFF >= metric->dst.bytes) type = ARGUS_DST_SHORT; else if (0xFFFFFFFF >= metric->dst.bytes) type = ARGUS_DST_INT; else type = ARGUS_DST_LONGLONG; } } } dsr = (struct ArgusDSRHeader *)dsrptr; dsr->type = ARGUS_METER_DSR; if (getArgusAflag(model) && (metric->src.appbytes || metric->dst.appbytes)) { dsr->subtype = ARGUS_METER_PKTS_BYTES_APP; switch (type) { case ARGUS_SRCDST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned char *)(dsr + 1))[0] = (unsigned char) metric->src.pkts; ((unsigned char *)(dsr + 1))[1] = (unsigned char) metric->src.bytes; ((unsigned char *)(dsr + 1))[2] = (unsigned char) metric->src.appbytes; ((unsigned char *)(dsr + 1))[3] = (unsigned char) metric->dst.pkts; ((unsigned char *)(dsr + 1))[4] = (unsigned char) metric->dst.bytes; ((unsigned char *)(dsr + 1))[5] = (unsigned char) metric->dst.appbytes; break; case ARGUS_SRCDST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->src.appbytes); ((unsigned short *)(dsr + 1))[3] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[4] = ((unsigned short) metric->dst.bytes); ((unsigned short *)(dsr + 1))[5] = ((unsigned short) metric->dst.appbytes); break; case ARGUS_SRCDST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 7; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->src.appbytes); ((unsigned int *)(dsr + 1))[3] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[4] = ((unsigned int) metric->dst.bytes); ((unsigned int *)(dsr + 1))[5] = ((unsigned int) metric->dst.appbytes); break; case ARGUS_SRCDST_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 13; bcopy(&metric->src.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->src.bytes, dptr++, sizeof(*dptr)); bcopy(&metric->src.appbytes, dptr++, sizeof(*dptr)); bcopy(&metric->dst.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->dst.bytes, dptr++, sizeof(*dptr)); bcopy(&metric->dst.appbytes, dptr++, sizeof(*dptr)); break; } case ARGUS_SRC_BYTE: { dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = ((unsigned char) metric->src.pkts); ((unsigned char *)(dsr + 1))[1] = ((unsigned char) metric->src.bytes); ((unsigned char *)(dsr + 1))[2] = ((unsigned char) metric->src.appbytes); break; } case ARGUS_SRC_SHORT: { dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->src.appbytes); break; } case ARGUS_SRC_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->src.appbytes); break; case ARGUS_SRC_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 7; bcopy(&metric->src.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->src.bytes, dptr++, sizeof(*dptr)); bcopy(&metric->src.appbytes, dptr++, sizeof(*dptr)); break; } case ARGUS_DST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = ((unsigned char) metric->dst.pkts); ((unsigned char *)(dsr + 1))[1] = ((unsigned char) metric->dst.bytes); ((unsigned char *)(dsr + 1))[2] = ((unsigned char) metric->dst.appbytes); break; case ARGUS_DST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->dst.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->dst.appbytes); break; case ARGUS_DST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 4; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->dst.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->dst.appbytes); break; case ARGUS_DST_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 7; bcopy(&metric->dst.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->dst.bytes, dptr++, sizeof(*dptr)); bcopy(&metric->dst.appbytes, dptr++, sizeof(*dptr)); break; } } } else { dsr->subtype = ARGUS_METER_PKTS_BYTES; switch (type) { case ARGUS_SRCDST_BYTE: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned char *)(dsr + 1))[0] = (unsigned char) metric->src.pkts; ((unsigned char *)(dsr + 1))[1] = (unsigned char) metric->src.bytes; ((unsigned char *)(dsr + 1))[2] = (unsigned char) metric->dst.pkts; ((unsigned char *)(dsr + 1))[3] = (unsigned char) metric->dst.bytes; break; case ARGUS_SRCDST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->src.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->src.bytes); ((unsigned short *)(dsr + 1))[2] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[3] = ((unsigned short) metric->dst.bytes); break; case ARGUS_SRCDST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); ((unsigned int *)(dsr + 1))[2] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[3] = ((unsigned int) metric->dst.bytes); break; case ARGUS_SRCDST_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 9; bcopy(&metric->src.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->src.bytes, dptr++, sizeof(*dptr)); bcopy(&metric->dst.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->dst.bytes, dptr++, sizeof(*dptr)); break; } case ARGUS_SRC_SHORT: { unsigned short value; dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; value = metric->src.pkts; ((unsigned short *)(dsr + 1))[0] = value; value = metric->src.bytes; ((unsigned short *)(dsr + 1))[1] = value; break; } case ARGUS_SRC_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->src.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->src.bytes); break; case ARGUS_SRC_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; bcopy(&metric->src.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->src.bytes, dptr++, sizeof(*dptr)); break; } case ARGUS_DST_SHORT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = ((unsigned short) metric->dst.pkts); ((unsigned short *)(dsr + 1))[1] = ((unsigned short) metric->dst.bytes); break; case ARGUS_DST_INT: dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned int *)(dsr + 1))[0] = ((unsigned int) metric->dst.pkts); ((unsigned int *)(dsr + 1))[1] = ((unsigned int) metric->dst.bytes); break; case ARGUS_DST_LONGLONG: { long long *dptr = (void *)(dsr + 1); dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 5; bcopy(&metric->dst.pkts, dptr++, sizeof(*dptr)); bcopy(&metric->dst.bytes, dptr++, sizeof(*dptr)); break; } } } len = dsr->argus_dsrvl8.len; dsrptr += len; break; } case ARGUS_PSIZE_INDEX: { struct ArgusPacketSizeStruct *psize = (struct ArgusPacketSizeStruct *) dsr; unsigned char type = 0; if ((psize->src.psizemax > 0) && (psize->dst.psizemax > 0)) type = ARGUS_SRCDST_SHORT; else if (psize->src.psizemax > 0) type = ARGUS_SRC_SHORT; else if (psize->dst.psizemax > 0) type = ARGUS_DST_SHORT; if (type) { unsigned char value = 0, tmp = 0, *ptr; int max, i; dsr = (struct ArgusDSRHeader *)dsrptr; dsr->type = ARGUS_PSIZE_DSR; dsr->subtype = 0; switch (type) { case ARGUS_SRCDST_SHORT: dsr->subtype = ARGUS_PSIZE_SRC_MAX_MIN | ARGUS_PSIZE_DST_MAX_MIN; dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 3; ((unsigned short *)(dsr + 1))[0] = psize->src.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->src.psizemax; ((unsigned short *)(dsr + 1))[2] = psize->dst.psizemin; ((unsigned short *)(dsr + 1))[3] = psize->dst.psizemax; break; case ARGUS_SRC_SHORT: dsr->subtype = ARGUS_PSIZE_SRC_MAX_MIN; dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = psize->src.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->src.psizemax; break; case ARGUS_DST_SHORT: dsr->subtype = ARGUS_PSIZE_DST_MAX_MIN; dsr->argus_dsrvl8.qual = type; dsr->argus_dsrvl8.len = 2; ((unsigned short *)(dsr + 1))[0] = psize->dst.psizemin; ((unsigned short *)(dsr + 1))[1] = psize->dst.psizemax; break; default: break; } if (getArgusGeneratePacketSizeHisto(model)) { if (dsr->subtype & ARGUS_PSIZE_SRC_MAX_MIN) { ptr = (unsigned char *)(dsr + dsr->argus_dsrvl8.len); dsr->subtype |= ARGUS_PSIZE_HISTO; dsr->argus_dsrvl8.len++; *((unsigned int *)(dsr + dsr->argus_dsrvl8.len)) = 0; for (i = 0, max = 0; i < 8; i++) if (max < psize->src.psize[i]) max = psize->src.psize[i]; for (i = 0; i < 8; i++) { if ((tmp = psize->src.psize[i])) { if (i & 0x01) { if (max > 15) tmp = ((tmp * 15)/max); if (!tmp) tmp++; value |= tmp; *ptr++ = value; } else { if (max > 15) tmp = ((tmp * 15)/max); if (!tmp) tmp++; value = (tmp << 4); } } else { if (i & 0x01) { value &= 0xF0; *ptr++ = value; } else { value = 0; } } } } if (dsr->subtype & ARGUS_PSIZE_DST_MAX_MIN) { ptr = (unsigned char *)(dsr + dsr->argus_dsrvl8.len); dsr->subtype |= ARGUS_PSIZE_HISTO; dsr->argus_dsrvl8.len++; *((unsigned int *)(dsr + dsr->argus_dsrvl8.len)) = 0; for (i = 0, max = 0; i < 8; i++) if (max < psize->dst.psize[i]) max = psize->dst.psize[i]; for (i = 0; i < 8; i++) { if ((tmp = psize->dst.psize[i])) { if (i & 0x01) { if (max > 15) tmp = ((tmp * 15)/max); if (!tmp) tmp++; value |= tmp; *ptr++ = value; } else { if (max > 15) tmp = ((tmp * 15)/max); if (!tmp) tmp++; value = (tmp << 4); } } else { if (i & 0x01) { value &= 0xF0; *ptr++ = value; } else { value = 0; } } } } } dsr->argus_dsrvl8.qual = type; len = dsr->argus_dsrvl8.len; dsrptr += len; } else len = 0; break; } case ARGUS_MPLS_INDEX: { struct ArgusMplsStruct *mpls = (struct ArgusMplsStruct *) dsr; struct ArgusMplsStruct *tmpls = (struct ArgusMplsStruct *) dsrptr; unsigned char subtype = mpls->hdr.subtype & ~(ARGUS_MPLS_SRC_LABEL | ARGUS_MPLS_DST_LABEL); *dsrptr++ = *(unsigned int *)dsr; tmpls->hdr.argus_dsrvl8.len = 1; if (((mpls->hdr.argus_dsrvl8.qual & 0xF0) >> 4) > 0) { subtype |= ARGUS_MPLS_SRC_LABEL; *dsrptr++ = mpls->slabel; tmpls->hdr.argus_dsrvl8.len++; } if ((mpls->hdr.argus_dsrvl8.qual & 0x0F) > 0) { subtype |= ARGUS_MPLS_DST_LABEL; *dsrptr++ = mpls->dlabel; tmpls->hdr.argus_dsrvl8.len++; } tmpls->hdr.subtype = subtype; len = tmpls->hdr.argus_dsrvl8.len; break; } case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jitter = (struct ArgusJitterStruct *) dsr; struct ArgusJitterStruct *tjit = (struct ArgusJitterStruct *) dsrptr; int size = sizeof(jitter->src.act)/4; *dsrptr++ = *(unsigned int *)dsr; tjit->hdr.argus_dsrvl8.len = 1; if (jitter->hdr.argus_dsrvl8.qual & ARGUS_SRC_ACTIVE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->src.act; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_SRC_IDLE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->src.idle; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_DST_ACTIVE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->dst.act; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } if (jitter->hdr.argus_dsrvl8.qual & ARGUS_DST_IDLE_JITTER) { unsigned int *tptr = (unsigned int *)&jitter->dst.idle; for (x = 0; x < size; x++) *dsrptr++ = *tptr++; tjit->hdr.argus_dsrvl8.len += size; } len = tjit->hdr.argus_dsrvl8.len; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) dsr; struct ArgusIPAttrStruct *tattr = (struct ArgusIPAttrStruct *) dsrptr; *dsrptr++ = *(unsigned int *)dsr; tattr->hdr.argus_dsrvl8.len = 1; if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) { *dsrptr++ = *(unsigned int *)&attr->src; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC_OPTIONS) { *dsrptr++ = attr->src.options; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) { *dsrptr++ = *(unsigned int *)&attr->dst; tattr->hdr.argus_dsrvl8.len++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST_OPTIONS) { *dsrptr++ = attr->dst.options; tattr->hdr.argus_dsrvl8.len++; } len = tattr->hdr.argus_dsrvl8.len; break; } case ARGUS_ENCAPS_INDEX: { struct ArgusEncapsStruct *encaps = (struct ArgusEncapsStruct *) dsr; unsigned char *elen = (unsigned char *)&encaps->hdr.argus_dsrvl8.len; int x, i, slen = 0, dlen = 0; if ((encaps->slen > 0) || (encaps->dlen > 0)) { slen = ((encaps->slen + 3) / 4); dlen = ((encaps->dlen + 3) / 4); *elen += (1 + slen + dlen); } len = 3; for (x = 0; x < 3; x++) *dsrptr++ = ((unsigned int *)encaps)[x]; // get the standard encaps hdr and contents if ((slen > 0) || (dlen > 0)) { *dsrptr++ = ((unsigned int *)encaps)[x++]; // add the slen and dlen shorts len++; if (slen > 0) { for (i = 0; i < slen; i++) { *dsrptr++ = ((unsigned int *)encaps->sbuf)[i]; // get the standard encaps len len++; } } if (dlen > 0) { for (i = 0; i < dlen; i++) { *dsrptr++ = ((unsigned int *)encaps->dbuf)[i]; // get the standard encaps len len++; } } } break; } /* user capture data buffers are passed to the output model as (struct ArgusDataStruct *) buffers, not as pointers to sections of the canonical record. Seems wierd but is saves us a few copies */ case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { unsigned short *sptr; struct ArgusDataStruct *user = (struct ArgusDataStruct *) dsr; len = 2 + (user->count + 3)/4; sptr = (unsigned short *)&user->hdr.argus_dsrvl8; *sptr = len; for (x = 0; x < len; x++) *dsrptr++ = ((unsigned int *)user)[x]; break; } } dsrlen += len; } dsrindex &= ~ind; } retn->hdr.len = dsrlen; break; } case ARGUS_MAR: { bcopy ((char *)&rec->canon, (char *) retn, rec->hdr.len * 4); retn->hdr = rec->hdr; if (state) retn->hdr.cause = (state & 0xF0) | (retn->hdr.cause & 0x0F); break; } } } else { retn->hdr.type = ARGUS_MAR; retn->hdr.type |= ARGUS_VERSION; retn->hdr.cause = state & 0xF0; retn->hdr.len = 1; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusGenerateRecord (0x%x, %d) done\n", rec, state); #endif return (retn); } struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); #define ARGUS_MAX_OS_STATUS 4204 struct ArgusRecordStruct * ArgusCopyRecordStruct (struct ArgusRecordStruct *rec) { struct ArgusRecordStruct *retn = NULL; int i; if (rec) { switch (rec->hdr.type & 0xF0) { case ARGUS_EVENT: { if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (ARGUS_MAX_OS_STATUS)) != NULL) bcopy ((char *)rec, (char *)retn, ARGUS_MAX_OS_STATUS); break; } case ARGUS_FAR: { if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) != NULL) { bcopy ((char *)&rec->hdr, (char *)&retn->hdr, sizeof (rec->hdr)); bcopy ((char *)&rec->canon, (char *)&retn->canon, sizeof (rec->canon)); retn->status = rec->status; retn->trans = rec->trans; retn->timeout = rec->timeout; if ((retn->dsrindex = rec->dsrindex)) { for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (rec->dsrs[i] != NULL) { switch (i) { case ARGUS_TRANSPORT_INDEX: retn->dsrs[i] = &retn->canon.trans.hdr; break; case ARGUS_TIME_INDEX: retn->dsrs[i] = &retn->canon.time.hdr; break; case ARGUS_FLOW_INDEX: retn->dsrs[i] = &retn->canon.flow.hdr; break; case ARGUS_FLOW_HASH_INDEX: retn->dsrs[i] = &retn->canon.hash.hdr; break; case ARGUS_METRIC_INDEX: retn->dsrs[i] = &retn->canon.metric.hdr; break; case ARGUS_NETWORK_INDEX: retn->dsrs[i] = &retn->canon.net.hdr; break; case ARGUS_IPATTR_INDEX: retn->dsrs[i] = &retn->canon.attr.hdr; break; case ARGUS_JITTER_INDEX: retn->dsrs[i] = &retn->canon.jitter.hdr; break; case ARGUS_ICMP_INDEX: retn->dsrs[i] = &retn->canon.icmp.hdr; break; case ARGUS_ENCAPS_INDEX: retn->dsrs[i] = &retn->canon.encaps.hdr; break; case ARGUS_PSIZE_INDEX: retn->dsrs[i] = &retn->canon.psize.hdr; break; case ARGUS_MAC_INDEX: retn->dsrs[i] = &retn->canon.mac.hdr; break; case ARGUS_VLAN_INDEX: retn->dsrs[i] = &retn->canon.vlan.hdr; break; case ARGUS_GENEVE_INDEX: retn->dsrs[i] = &retn->canon.gen.hdr; break; case ARGUS_GRE_INDEX: retn->dsrs[i] = &retn->canon.gre.hdr; break; case ARGUS_VXLAN_INDEX: retn->dsrs[i] = &retn->canon.vxlan.hdr; break; case ARGUS_MPLS_INDEX: retn->dsrs[i] = &retn->canon.mpls.hdr; break; case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *user = (struct ArgusDataStruct *) rec->dsrs[i]; if (user->count > 0) { if ((retn->dsrs[i] = (void *) ArgusCalloc(1, (8 + user->size))) != NULL) { bcopy ((char *)rec->dsrs[i], (char *)retn->dsrs[i], 8 + user->count); } else { retn->dsrindex &= ~(0x01 << i); } break; } } } } else { switch (i) { case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: if (retn->dsrs[i] != NULL) ArgusFree(retn->dsrs[i]); break; } retn->dsrs[i] = NULL; retn->dsrindex &= ~(0x01 << i); } } } retn->srate = rec->srate; retn->drate = rec->drate; retn->sload = rec->sload; retn->dload = rec->dload; retn->dur = rec->dur; retn->pcr = rec->pcr; retn->sploss = rec->sploss; retn->dploss = rec->dploss; } break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusCopyRecordStruct (0x%x) done\n", rec); #endif return (retn); } struct ArgusRecordStruct * ArgusGenerateListRecord (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusRecordStruct *retn = NULL; int dsrlen = 1, i; if ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) != NULL) { if (flow) { bcopy ((char *)&flow->canon, (char *)&retn->canon, sizeof (flow->canon)); if ((retn->dsrindex = flow->dsrindex) != 0) { for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrs[i] != NULL) { switch (i) { case ARGUS_TRANSPORT_INDEX: retn->dsrs[i] = &retn->canon.trans.hdr; break; case ARGUS_TIME_INDEX: retn->dsrs[i] = &retn->canon.time.hdr; break; case ARGUS_ENCAPS_INDEX: retn->dsrs[i] = &retn->canon.encaps.hdr; break; case ARGUS_FLOW_INDEX: retn->dsrs[i] = &retn->canon.flow.hdr; break; case ARGUS_FLOW_HASH_INDEX: retn->dsrs[i] = &retn->canon.hash.hdr; break; case ARGUS_METRIC_INDEX: retn->dsrs[i] = &retn->canon.metric.hdr; break; case ARGUS_PSIZE_INDEX: retn->dsrs[i] = &retn->canon.psize.hdr; break; case ARGUS_IPATTR_INDEX: retn->dsrs[i] = &retn->canon.attr.hdr; break; case ARGUS_MAC_INDEX: retn->dsrs[i] = &retn->canon.mac.hdr; break; case ARGUS_ICMP_INDEX: retn->dsrs[i] = &retn->canon.icmp.hdr; break; /* pass the user data buffer into the list record */ case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *data = (struct ArgusDataStruct *) retn->dsrs[i]; retn->dsrs[i] = flow->dsrs[i]; flow->dsrs[i] = NULL; if (data != NULL) { ArgusFree(data); } break; } case ARGUS_NETWORK_INDEX: { switch (retn->canon.net.hdr.subtype & 0x7F) { case ARGUS_TCP_STATUS: case ARGUS_TCP_PERF: ArgusTCPFlowRecord (&retn->canon.net, state); retn->dsrs[i] = &retn->canon.net.hdr; break; case ARGUS_ESP_DSR: ArgusESPFlowRecord (&retn->canon.net, state); retn->dsrs[i] = &retn->canon.net.hdr; break; default: retn->dsrs[i] = &retn->canon.net.hdr; break; } break; } case ARGUS_MPLS_INDEX: retn->dsrs[i] = &retn->canon.mpls.hdr; break; case ARGUS_VLAN_INDEX: retn->dsrs[i] = &retn->canon.vlan.hdr; break; case ARGUS_VXLAN_INDEX: retn->dsrs[i] = &retn->canon.vxlan.hdr; break; case ARGUS_GENEVE_INDEX: retn->dsrs[i] = &retn->canon.gen.hdr; break; case ARGUS_GRE_INDEX: retn->dsrs[i] = &retn->canon.gre.hdr; break; case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jitter = &retn->canon.jitter; if ((flow->stime.act.n || flow->dtime.act.n) ||(flow->stime.idle.n || flow->dtime.idle.n)) { jitter->hdr.argus_dsrvl8.qual = 0; jitter->hdr.argus_dsrvl8.len = 1; if (flow->stime.act.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->src.act); tjit->n = flow->stime.act.n; tjit->minval = flow->stime.act.minval; tjit->maxval = flow->stime.act.maxval; tjit->meanval = (float)flow->stime.act.sum / flow->stime.act.n; tjit->stdev = sqrtf (((float)flow->stime.act.sumsqrd/flow->stime.act.n) - pow (((float)flow->stime.act.sum)/flow->stime.act.n, 2.0)); jitter->hdr.argus_dsrvl8.qual |= ARGUS_SRC_ACTIVE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->stime.idle.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->src.idle); tjit->n = flow->stime.idle.n; tjit->minval = flow->stime.idle.minval; tjit->maxval = flow->stime.idle.maxval; tjit->meanval = (float)flow->stime.idle.sum / flow->stime.idle.n; tjit->stdev = (float)sqrtf ((flow->stime.idle.sumsqrd/flow->stime.idle.n) - pow ((flow->stime.idle.sum)/flow->stime.idle.n, 2.0)); jitter->hdr.argus_dsrvl8.qual |= ARGUS_SRC_IDLE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->dtime.act.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->dst.act); tjit->n = flow->dtime.act.n; tjit->minval = flow->dtime.act.minval; tjit->maxval = flow->dtime.act.maxval; tjit->meanval = (float)flow->dtime.act.sum / flow->dtime.act.n; tjit->stdev = (float)sqrtf (((float)flow->dtime.act.sumsqrd/flow->dtime.act.n) - pow (((float)flow->dtime.act.sum)/flow->dtime.act.n, 2.0)); jitter->hdr.argus_dsrvl8.qual |= ARGUS_DST_ACTIVE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } if (flow->dtime.idle.n) { struct ArgusStatsObject *tjit = (struct ArgusStatsObject *) (&jitter->dst.idle); tjit->n = flow->dtime.act.n; tjit->n = flow->dtime.idle.n; tjit->minval = flow->dtime.idle.minval; tjit->maxval = flow->dtime.idle.maxval; tjit->meanval = (float)flow->dtime.idle.sum/flow->dtime.idle.n; tjit->stdev = (float)(sqrtf (((float)flow->dtime.idle.sumsqrd/flow->dtime.idle.n) - pow (((float)flow->dtime.idle.sum)/flow->dtime.idle.n, 2.0))); jitter->hdr.argus_dsrvl8.qual |= ARGUS_DST_IDLE_JITTER; jitter->hdr.argus_dsrvl8.len += sizeof(*tjit)/4; tjit++; } retn->dsrindex |= ARGUS_JITTER_INDEX; retn->dsrs[i] = (struct ArgusDSRHeader *)jitter; } else { retn->dsrindex &= ~ARGUS_JITTER_INDEX; retn->dsrs[i] = NULL; } break; } case ARGUS_BEHAVIOR_INDEX: { struct ArgusBehaviorStruct *actor = &retn->canon.actor; retn->dsrs[i] = NULL; int value; if ((value = getArgusKeystroke(model)) > 0) { actor->hdr.type = ARGUS_BEHAVIOR_DSR; actor->hdr.subtype = 0; actor->hdr.argus_dsrvl8.len = sizeof(*actor)/4; actor->keyStroke.src.n_strokes = flow->skey.n_strokes; actor->keyStroke.dst.n_strokes = 0; if (flow->skey.n_pkts >= model->ArgusKeyStroke.n_min) { if ((value == ARGUS_SSH_KEYSTROKE) && (flow->status & ARGUS_SSH_MONITOR)) { actor->hdr.subtype = ARGUS_SSH_KEYSTROKE; retn->dsrs[i] = (struct ArgusDSRHeader *)actor; } else if (value == ARGUS_TCP_KEYSTROKE) { actor->hdr.subtype = ARGUS_TCP_KEYSTROKE; retn->dsrs[i] = (struct ArgusDSRHeader *)actor; } } } if (retn->dsrs[i] == NULL) { actor->keyStroke.src.n_strokes = 0; actor->keyStroke.dst.n_strokes = 0; retn->dsrindex &= ~ARGUS_BEHAVIOR_INDEX; } break; } } if (retn->dsrs[i]) { dsrlen += ((retn->dsrs[i]->type & 0x80) ? 1 : ((retn->dsrs[i]->type == ARGUS_DATA_DSR) ? retn->dsrs[i]->argus_dsrvl16.len : retn->dsrs[i]->argus_dsrvl8.len )); } } else { switch (i) { case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: if (retn->dsrs[i] != NULL) ArgusFree(retn->dsrs[i]); } retn->dsrs[i] = NULL; retn->dsrindex &= ~(0x01 << i); } } } else { if (retn->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(retn->dsrs[ARGUS_SRCUSERDATA_INDEX]); retn->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; retn->dsrindex &= ~(0x01 << ARGUS_SRCUSERDATA_INDEX); } if (retn->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(retn->dsrs[ARGUS_DSTUSERDATA_INDEX]); retn->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; retn->dsrindex &= ~(0x01 << ARGUS_DSTUSERDATA_INDEX); } } retn->srate = ArgusFetchSrcRate(retn); retn->drate = ArgusFetchDstRate(retn); retn->sload = ArgusFetchSrcLoad(retn); retn->dload = ArgusFetchDstRate(retn); retn->dur = ArgusFetchDuration(retn); retn->pcr = ArgusFetchAppByteRatio(retn); retn->sploss = ArgusFetchPercentSrcLoss(retn); retn->dploss = ArgusFetchPercentDstLoss(retn); } else { retn->dsrindex = 0; bzero ((char *)&retn->canon, sizeof(retn->canon)); bzero ((char *)&retn->dsrs, sizeof(retn->dsrs)); } if (!(flow) && ((state == ARGUS_STOP) || (state == ARGUS_ERROR))) { retn->hdr.type = ARGUS_MAR; retn->status = 0; retn->trans = 0; retn->timeout = 0; } else { retn->hdr.type = flow->canon.hdr.type | ARGUS_FAR; retn->status = flow->status; retn->trans = flow->trans; retn->timeout = flow->timeout; } retn->hdr.type |= ARGUS_VERSION; retn->hdr.cause = state & 0xF0; retn->hdr.len = dsrlen; } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusMallocListRecord (%d) returned NULL\n", sizeof(*retn)); #endif } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusGenerateListRecord (%p, %p, %d) returning %p\n", model, flow, state, retn); #endif return (retn); } void ArgusSendFlowRecord (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow, unsigned char state) { struct ArgusRecordStruct *argus; #ifdef ARGUSDEBUG int scheduled = 0; #endif if (flow != NULL) { if (model->ArgusOutputList) { struct ArgusFlowStruct *frag; if ((frag = (struct ArgusFlowStruct *)flow->frag.start) != NULL) { do { ArgusUpdateParentFlow(model, frag); frag = (struct ArgusFlowStruct *)frag->qhdr.nxt; } while (frag != (struct ArgusFlowStruct *)flow->frag.start); } if (flow->canon.metric.src.pkts || flow->canon.metric.dst.pkts) { if ((flow->canon.trans.seqnum = model->ArgusSeqNum++) == 0xFFFFFFFF) flow->canon.trans.seqnum = model->ArgusSeqNum++; if ((argus = ArgusGenerateListRecord (model, flow, state)) != NULL) { ArgusPushBackList (model->ArgusOutputList, (struct ArgusListRecord *) argus, ARGUS_LOCK); flow->status |= ARGUS_RECORD_WRITTEN; model->ArgusTotalSends++; #ifdef ARGUSDEBUG scheduled = 1; #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&model->ArgusOutputList->lock); pthread_cond_signal(&model->ArgusOutputList->cond); pthread_mutex_unlock(&model->ArgusOutputList->lock); #endif } #ifdef ARGUSDEBUG if (scheduled) ArgusDebug (9, "ArgusSendFlowRecord (%p, %p, %d) scheduled %p\n", model, flow, state, argus); else ArgusDebug (9, "ArgusSendFlowRecord (%p, %p, %d) done\n", model, flow, state); #endif } else { model->ArgusTotalBadSends++; } } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSendFlowRecord (%p, %p, %d) no model->ArgusOutputList\n", model, flow, state); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSendFlowRecord (%p, %p, %d) no flow provided\n", model, flow, state); #endif } } void ArgusModelerCleanUp (struct ArgusModelerStruct *model) { struct ArgusQueueStruct *queue; if ((model->ArgusTimeOutQueues != NULL) && (model->ArgusTimeOutQueues->count > 0)) { int i, cnt = model->ArgusTimeOutQueues->count; for (i = 0; i < cnt; i++) { queue = (struct ArgusQueueStruct *)ArgusPopQueue (model->ArgusTimeOutQueues, ARGUS_LOCK); if (queue->count) { #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusModelerCleanUp(%p) ArgusProcessQueue(%p) timeout queue with %d records\n", model, queue, queue->count); #endif ArgusProcessQueue (model, queue, ARGUS_SHUTDOWN); } ArgusDeleteQueue (queue); } ArgusDeleteQueue (model->ArgusTimeOutQueues); model->ArgusTimeOutQueues = NULL; } if (model->ArgusStatusQueue) { queue = model->ArgusStatusQueue; #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusModelerCleanUp(%p) ArgusProcessQueue(%p) status queue with %d records %d sent\n", model, queue, queue->count, model->ArgusTotalSends); #endif if (queue->count) ArgusProcessQueue (model, queue, ARGUS_SHUTDOWN); ArgusDeleteQueue (queue); model->ArgusStatusQueue = NULL; } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusModelerCleanUp (%p) returning\n", model); #endif } int ArgusCmp(void *, void *, int); int ArgusCmp(void *p1, void *p2, int len) { unsigned int *c1 = p1, *c2 = p2; int retn = 0, i = 0; for (; i < len; i++, c1++, c2++) if (*c1 != *c2) break; if (i != len) retn = c1[i] - c2[i]; return(retn); } void * ArgusCreateIPv6Flow (struct ArgusModelerStruct *model, struct ip6_hdr *ip) { void *retn = NULL; struct ArgusSystemFlow *tflow; if ((ip != NULL) && STRUCTCAPTURED(model, *ip)) { int nxt = 0, done = 0, i = 0; unsigned int saddr[4], *sp = saddr; unsigned int daddr[4], *dp = daddr; unsigned short alen, sport = 0, dport = 0; unsigned int *rsp, *rdp; tflow = model->ArgusThisFlow; bcopy(&ip->ip6_src, sp, sizeof(ip->ip6_src)); bcopy(&ip->ip6_dst, dp, sizeof(ip->ip6_dst)); model->ArgusThisIpv6Frag = NULL; model->ArgusThisLength -= sizeof(*ip); model->ArgusSnapLength -= sizeof(*ip); model->ArgusThisUpHdr = (unsigned char *)(ip + 1); nxt = ip->ip6_nxt; ip++; while (!done) { switch (nxt) { case IPPROTO_FRAGMENT: { int offset = ((((struct ip6_hbh *)ip)->ip6h_len + 1) << 3); struct ip6_frag *tfrag = (struct ip6_frag *) ip; model->ArgusThisIpv6Frag = tfrag; nxt = *(char *)ip; if ((ntohs(tfrag->ip6f_offlg & IP6F_OFF_MASK)) != 0) done++; ip = (struct ip6_hdr *)((char *)ip + offset); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; break; } case IPPROTO_HOPOPTS: case IPPROTO_DSTOPTS: case IPPROTO_ROUTING: { int offset = ((((struct ip6_hbh *)ip)->ip6h_len + 1) << 3); nxt = *(char *)ip; ip = (struct ip6_hdr *)((char *)ip + offset); model->ArgusThisLength -= offset; model->ArgusSnapLength -= offset; model->ArgusThisUpHdr += offset; break; } default: done++; break; } } tflow->hdr.type = ARGUS_FLOW_DSR; retn = tflow; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) { tflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; tflow->hdr.argus_dsrvl8.len = 11; tflow->ipv6_flow.ip_p = nxt; tflow->ipv6_flow.flow = 0; model->ArgusThisIpHdr = ip; if ((model->ArgusThisIpv6Frag) && ((ntohs(model->ArgusThisIpv6Frag->ip6f_offlg & IP6F_OFF_MASK)) != 0)) { tflow->fragv6_flow.ip_id = model->ArgusThisIpv6Frag->ip6f_ident; tflow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; } else { if (nxt == IPPROTO_AH) { struct AHHeader *ah = (struct AHHeader *) model->ArgusThisUpHdr; model->ArgusThisEncaps |= ARGUS_ENCAPS_AH; if (STRUCTCAPTURED(model, *ah)) { nxt = ah->nxt; model->ArgusThisUpHdr = (unsigned char *)(ah + 1); tflow->ipv6_flow.ip_p = nxt; } } switch (nxt) { case IPPROTO_TCP: { struct tcphdr *tp = (struct tcphdr *) model->ArgusThisUpHdr; sport = ntohs(tp->th_sport); dport = ntohs(tp->th_dport); break; } case IPPROTO_UDP: { struct udphdr *up = (struct udphdr *) model->ArgusThisUpHdr; sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); if ((sport == 53) || (dport == 53)) { unsigned short pad = ntohs(*(u_int16_t *)(up + 1)); bcopy(&pad, &model->ArgusThisFlow->ipv6_flow.smask, 2); } break; } case IPPROTO_ESP: { retn = ArgusCreateESPv6Flow(model, ip); return (retn); break; } case IPPROTO_ICMPV6: { retn = ArgusCreateICMPv6Flow(model, (struct icmp6_hdr *)model->ArgusThisUpHdr); return (retn); break; } case IPPROTO_IGMP: { retn = ArgusCreateIGMPv6Flow(model, (struct igmp *)model->ArgusThisUpHdr); return (retn); break; } default: break; } } if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { rsp = (unsigned int *)&tflow->ipv6_flow.ip_src; rdp = (unsigned int *)&tflow->ipv6_flow.ip_dst; alen = sizeof(ip->ip6_src)/sizeof(int); while ((i < alen) && (*dp == *sp)) { /* copy while they are equal */ *rsp++ = *sp++; /* leave pointers where they are not */ *rdp++ = *dp++; i++; } if (i < alen) { if (ntohl(*sp) > ntohl(*dp)) { unsigned int *tmp = rdp; rdp = rsp; rsp = tmp; model->state |= ARGUS_DIRECTION; } while (i < alen) { *rsp++ = *sp++; *rdp++ = *dp++; i++; } } else { if (sport < dport) model->state |= ARGUS_DIRECTION; } if (model->state & ARGUS_DIRECTION) { tflow->hdr.subtype |= ARGUS_REVERSE; tflow->ipv6_flow.sport = dport; tflow->ipv6_flow.dport = sport; } else { tflow->ipv6_flow.sport = sport; tflow->ipv6_flow.dport = dport; } } } else { if (model->ArgusFlowKey & ARGUS_FLOW_KEY_LAYER_3_MATRIX) { tflow->hdr.subtype = ARGUS_FLOW_LAYER_3_MATRIX; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; tflow->hdr.argus_dsrvl8.len = 9; tflow->ipv6_flow.sport = 0; tflow->ipv6_flow.dport = 0; tflow->ipv6_flow.ip_p = 0; } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateIPv6Flow (0x%x, 0x%x) returning %d\n", model, ip, retn); #endif return (retn); } void * ArgusCreateIPv4Flow (struct ArgusModelerStruct *model, struct ip *ip) { void *retn = model->ArgusThisFlow; unsigned char *nxtHdr = (unsigned char *)((char *)ip + (ip->ip_hl << 2)); struct ip tipbuf, *tip = &tipbuf; arg_uint16 sport = 0, dport = 0; arg_uint8 proto, tp_p = 0; arg_uint32 len; int hlen, ArgusOptionLen; if ((ip != NULL) && STRUCTCAPTURED(model, *ip)) { model->ArgusThisIpHdr = ip; #ifdef _LITTLE_ENDIAN bzero(tip, sizeof(*tip)); tip->ip_len = ntohs(ip->ip_len); tip->ip_id = ntohs(ip->ip_id); tip->ip_v = ip->ip_v; tip->ip_hl = ip->ip_hl; tip->ip_off = ntohs(ip->ip_off); tip->ip_src.s_addr = ntohl(ip->ip_src.s_addr); tip->ip_dst.s_addr = ntohl(ip->ip_dst.s_addr); #else tip = ip; #endif hlen = tip->ip_hl << 2; len = (tip->ip_len - hlen); model->ArgusOptionIndicator = '\0'; if ((ArgusOptionLen = (hlen - sizeof (struct ip))) > 0) model->ArgusOptionIndicator = ArgusParseIPOptions ((unsigned char *) (ip + 1), ArgusOptionLen); else model->ArgusOptionIndicator = 0; model->ArgusThisLength = len; model->ArgusSnapLength -= hlen; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_CLASSIC5TUPLE) { bzero ((char *)model->ArgusThisFlow, sizeof(*model->ArgusThisFlow)); model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 5; proto = ip->ip_p; if (!(tip->ip_off & 0x1fff)) { if (proto == IPPROTO_AH) { struct AHHeader *ah = (struct AHHeader *) nxtHdr; model->ArgusThisEncaps |= ARGUS_ENCAPS_AH; if (STRUCTCAPTURED(model, *ah)) { proto = ah->nxt; nxtHdr = (unsigned char *)(ah + 1); } } model->ArgusThisUpHdr = nxtHdr; switch (proto) { case IPPROTO_TCP: { model->ArgusThisFlow->ip_flow.smask = 0; model->ArgusThisFlow->ip_flow.dmask = 0; if (len >= sizeof (struct tcphdr)) { struct tcphdr *tp = (struct tcphdr *) nxtHdr; if (BYTESCAPTURED(model, *tp, 4)) { sport = ntohs(tp->th_sport); dport = ntohs(tp->th_dport); } } break; } case IPPROTO_UDP: { model->ArgusThisFlow->ip_flow.smask = 0; model->ArgusThisFlow->ip_flow.dmask = 0; if (len >= sizeof (struct udphdr)) { struct udphdr *up = (struct udphdr *) nxtHdr; if (BYTESCAPTURED(model, *up, 4)) { sport = ntohs(up->uh_sport); dport = ntohs(up->uh_dport); } if ((sport == 53) || (dport == 53)) { unsigned short pad = ntohs(*(u_int16_t *)(up + 1)); bcopy(&pad, &model->ArgusThisFlow->ip_flow.smask, 2); } } break; } case IPPROTO_ESP: retn = ArgusCreateESPFlow (model, ip); return (retn); case IPPROTO_ICMP: retn = ArgusCreateICMPFlow (model, ip); return (retn); case IPPROTO_IGMP: retn = ArgusCreateIGMPFlow (model, ip); return (retn); default: break; } if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) if ((tip->ip_src.s_addr > tip->ip_dst.s_addr) || ((tip->ip_src.s_addr == tip->ip_dst.s_addr) && sport < dport)) model->state |= ARGUS_DIRECTION; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.sport = dport; model->ArgusThisFlow->ip_flow.dport = sport; } else { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.sport = sport; model->ArgusThisFlow->ip_flow.dport = dport; } model->ArgusThisFlow->ip_flow.ip_p = proto; model->ArgusThisFlow->ip_flow.tp_p = tp_p; } else { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) { model->state |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; model->ArgusThisFlow->hdr.subtype |= ARGUS_REVERSE; } } model->ArgusThisFlow->hdr.argus_dsrvl8.qual |= ARGUS_FRAGMENT; if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_src = tip->ip_dst.s_addr; } else { model->ArgusThisFlow->frag_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->frag_flow.ip_dst = tip->ip_dst.s_addr; } model->ArgusThisFlow->frag_flow.ip_p = proto; model->ArgusThisFlow->frag_flow.ip_id = tip->ip_id; } } else { if (model->ArgusFlowKey & ARGUS_FLOW_KEY_LAYER_3_MATRIX) { model->ArgusThisFlow->hdr.type = ARGUS_FLOW_DSR; model->ArgusThisFlow->hdr.subtype = ARGUS_FLOW_LAYER_3_MATRIX; model->ArgusThisFlow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; model->ArgusThisFlow->hdr.argus_dsrvl8.len = 3; switch (model->ArgusFlowType) { case ARGUS_UNIDIRECTIONAL: break; case ARGUS_BIDIRECTIONAL: { if (tip->ip_src.s_addr > tip->ip_dst.s_addr) model->state |= ARGUS_DIRECTION; break; } } if (model->state & ARGUS_DIRECTION) { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_dst.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_src.s_addr; } else { model->ArgusThisFlow->ip_flow.ip_src = tip->ip_src.s_addr; model->ArgusThisFlow->ip_flow.ip_dst = tip->ip_dst.s_addr; } } } } #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusCreateIPv4Flow (0x%x, 0x%x) returning 0x%x\n", model, ip, retn); #endif return (retn); } #if !defined(IPOPT_RA) #define IPOPT_RA 148 #endif unsigned short ArgusParseIPOptions (unsigned char *ptr, int len) { unsigned short retn = 0; int offset = 0; for (; len > 0; ptr += offset, len -= offset) { switch (*ptr) { case IPOPT_EOL: break; case IPOPT_NOP: break; case IPOPT_RA: retn |= ARGUS_RTRALERT; break; case IPOPT_TS: retn |= ARGUS_TIMESTAMP; break; case IPOPT_RR: retn |= ARGUS_RECORDROUTE; break; case IPOPT_SECURITY: retn |= ARGUS_SECURITY; break; case IPOPT_LSRR: retn |= ARGUS_LSRCROUTE; break; case IPOPT_SSRR: retn |= ARGUS_SSRCROUTE; break; case IPOPT_SATID: retn |= ARGUS_SATID; break; default: break; } if ((*ptr == IPOPT_EOL) || (*ptr == IPOPT_NOP)) offset = 1; else { offset = ptr[1]; if (!(offset && (offset <= len))) break; } } return (retn); } void setArgusHashTableSize (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusHashTableSize = value; } } void setArgusIpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusIPTimeout = value; } } void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusTCPTimeout = value; } } void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusICMPTimeout = value; } } void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusIGMPTimeout = value; } } void setArgusFragTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusFRAGTimeout = value; } } void setArgusArpTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusARPTimeout = value; } } void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value) { if (model != NULL) { model->ArgusOtherTimeout = value; } } void setArgusTunnelParsing(struct ArgusModelerStruct *model, char *optarg) { if (model != NULL) { if (optarg && strlen(optarg)) { if (!(strcasecmp(optarg, "yes"))) { model->ArgusTunnelParsing = 1; } else { model->ArgusTunnelParsing = 0; } } } #ifdef ARGUSDEBUG ArgusDebug(4, "setArgusTunnelParsing(%p, '%s'): called\n", model, optarg); #endif } void setArgusTunnelInformation(struct ArgusModelerStruct *model, char *optarg) { if (model != NULL) { if (optarg && strlen(optarg)) { if (!(strcasecmp(optarg, "yes"))) { model->ArgusTunnelInfo = 1; } else { model->ArgusTunnelInfo = 0; } } } #ifdef ARGUSDEBUG ArgusDebug(4, "setArgusTunnelInformation(%p, '%s'): called\n", model, optarg); #endif } int getArgusHashTableSize (struct ArgusModelerStruct *model) { return(model->ArgusHashflag); } int getArgusmflag (struct ArgusModelerStruct *model) { return(model->Argusmflag); } void setArgusFlowType (struct ArgusModelerStruct *model, int value) { model->ArgusFlowType = value; } void setArgusFlowKey (struct ArgusModelerStruct *model, int value) { model->ArgusFlowKey |= value; } void setArgusSynchronize (struct ArgusModelerStruct *model, int value) { model->ArgusSelfSynchronize = value; } void setArgusmflag (struct ArgusModelerStruct *model, int value) { model->Argusmflag = value; } int getArgusGenerateTime(struct ArgusModelerStruct *model) { return (model->ArgusGenerateTime); } void setArgusGenerateTime(struct ArgusModelerStruct *model, int value) { model->ArgusGenerateTime = value; } int getArgusGeneratePacketSize(struct ArgusModelerStruct *model) { return (model->ArgusGeneratePacketSize); } void setArgusGeneratePacketSize(struct ArgusModelerStruct *model, int value) { model->ArgusGeneratePacketSize = value; } int getArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *model) { return (model->ArgusGeneratePacketSizeHisto); } void setArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *model, int value) { model->ArgusGeneratePacketSizeHisto = value; } int getArgusKeystroke(struct ArgusModelerStruct *model) { return (model->ArgusKeyStroke.status); } void setArgusKeystroke(struct ArgusModelerStruct *model, int value) { model->ArgusKeyStroke.status = value; } #if !defined(HAVE_STRTOF) && !defined(CYGWIN) float strtof (char *, char **); #endif void setArgusKeystrokeVariable(struct ArgusModelerStruct *model, char *kstok) { float fval = 0; long ival = 0; char *tptr; if (!(strncasecmp(kstok, "DC_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.dc_min = ival; } else if (!(strncasecmp(kstok, "DC_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.dc_max = ival; } else if (!(strncasecmp(kstok, "GS_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.gs_max = ival; } else if (!(strncasecmp(kstok, "DS_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ds_min = ival; } else if (!(strncasecmp(kstok, "DS_MAX=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ds_max = ival; } else if (!(strncasecmp(kstok, "IC_MIN=", 6))) { ival = strtol(&kstok[7], (char **)&tptr, 10); model->ArgusKeyStroke.ic_min = ival; } else if (!(strncasecmp(kstok, "LCS_MAX=", 7))) { ival = strtol(&kstok[8], (char **)&tptr, 10); model->ArgusKeyStroke.lcs_max = ival; } else if (!(strncasecmp(kstok, "GPC_MAX=", 7))) { ival = strtol(&kstok[8], (char **)&tptr, 10); model->ArgusKeyStroke.gpc_max = ival; } else if (!(strncasecmp(kstok, "ICR_MIN=", 7))) { fval = strtof(&kstok[8], (char **)&tptr); model->ArgusKeyStroke.icr_min = fval; } else if (!(strncasecmp(kstok, "ICR_MAX=", 7))) { fval = strtof(&kstok[8], (char **)&tptr); model->ArgusKeyStroke.icr_max = fval; } } int getArgusOSFingerPrinting (struct ArgusModelerStruct *model) { return(model->ArgusOSFingerPrinting); } void setArgusOSFingerPrinting (struct ArgusModelerStruct *model, int value) { model->ArgusOSFingerPrinting = value; } int getArgusEncapsCapture (struct ArgusModelerStruct *model) { return(model->ArgusEncapsCapture); } void setArgusEncapsCapture (struct ArgusModelerStruct *model, char *optarg) { if (model != NULL) { if (optarg && strlen(optarg)) { if (!(strcasecmp(optarg, "yes"))) { model->ArgusEncapsCapture = 1; } else { model->ArgusEncapsCapture = 0; } } } } void setArgusControlPlaneProtocols(struct ArgusModelerStruct *model, char *optarg) { if (model->cps == NULL) if ((model->cps = (struct ArgusControlProtocols *) ArgusCalloc (1, sizeof (struct ArgusControlProtocols))) == NULL) ArgusLog (LOG_ERR, "setArgusControlPlaneProtocols () ArgusCalloc error %s\n", strerror(errno)); if (optarg && strlen(optarg)) { char *str = strdup(optarg); char *sptr = str, *tok; while ((tok = strtok(sptr, ",\t\n")) != NULL) { char *proto = NULL; int port = 0; char *ptr; if ((ptr = strchr(tok, ':')) != NULL) { proto = tok; *ptr++ = '\0'; tok = ptr; } if (isdigit((int)*tok)) { if (sscanf((char *)tok, "%d", (int *) &port) != 1) ArgusLog (LOG_ERR, "setArgusControlPlaneProtocols () format error %s\n", optarg); } else { #if !defined(CYGWIN) struct servent *sv = NULL; if ((sv = getservbyname(tok, proto)) != NULL) { port = ntohs(sv->s_port); } #endif } if (proto) { if (!(strncmp(proto, "tcp", 3))) model->cps->tcpport[port] = 1; else if (!(strncmp(proto, "udp", 3))) model->cps->udpport[port] = 1; } else { model->cps->tcpport[port] = 1; model->cps->udpport[port] = 1; } sptr = NULL; } free(str); } } int getArgusTunnelDiscovery (struct ArgusModelerStruct *model) { return(model->ArgusTunnelDiscovery); } void setArgusTunnelDiscovery (struct ArgusModelerStruct *model, int value) { model->ArgusTunnelDiscovery = value; } int getArgusTrackDuplicates (struct ArgusModelerStruct *model) { return(model->ArgusTrackDuplicates); } void setArgusTrackDuplicates (struct ArgusModelerStruct *model, int value) { model->ArgusTrackDuplicates = value; } int getArgusUserDataLen (struct ArgusModelerStruct *model) { return (model->ArgusUserDataLen); } void setArgusUserDataLen (struct ArgusModelerStruct *model, int value) { model->ArgusUserDataLen = value; } int getArgusMajorVersion(struct ArgusModelerStruct *model) { return (model->ArgusMajorVersion); } void setArgusMajorVersion(struct ArgusModelerStruct *model, int value) { model->ArgusMajorVersion = value; } int getArgusMinorVersion(struct ArgusModelerStruct *model) { return (model->ArgusMinorVersion); } void setArgusMinorVersion(struct ArgusModelerStruct *model, int value) { model->ArgusMinorVersion = value; } struct timeval * getArgusFarReportInterval(struct ArgusModelerStruct *model) { return (&model->ArgusFarReportInterval); } unsigned int getArgusLocalNet(struct ArgusModelerStruct *model) { return (model->ArgusLocalNet); } unsigned int getArgusNetMask(struct ArgusModelerStruct *model) { return (model->ArgusNetMask); } void setArgusLocalNet(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusLocalNet = value; } int getArgusResponseStatus(struct ArgusModelerStruct *model) { return (model->ArgusResponseStatus); } void setArgusResponseStatus(struct ArgusModelerStruct *model, int value) { model->ArgusResponseStatus = value; } int getArgusIpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusIPTimeout); } int getArgusTcpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusTCPTimeout); } int getArgusIcmpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusICMPTimeout); } int getArgusIgmpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusIGMPTimeout); } int getArgusFragTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } int getArgusArpTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } int getArgusOtherTimeout(struct ArgusModelerStruct *model) { return (model->ArgusFRAGTimeout); } struct timeval * getArgusQueueInterval(struct ArgusModelerStruct *model) { return (&model->ArgusQueueInterval); } struct timeval * getArgusListenInterval(struct ArgusModelerStruct *model) { return (&model->ArgusListenInterval); } #include #include #include void setArgusFarReportInterval (struct ArgusModelerStruct *model, char *value) { float fvalue; char *ptr; int i = *value; if (((ptr = strchr(value, '.')) != NULL) || isdigit(i)) { int ivalue = 0; if (ptr != NULL) { fvalue = atof(value); model->ArgusFarReportInterval.tv_sec = floorf(fvalue); if (model->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) model->ArgusFarReportInterval.tv_usec = fabs(remainderf(fvalue, 1.0) * 1000000000); else model->ArgusFarReportInterval.tv_usec = fabs(remainderf(fvalue, 1.0) * 1000000); } else { if (isdigit(i)) { ivalue = atoi(value); model->ArgusFarReportInterval.tv_sec = ivalue; } } } } int getArgusAflag (struct ArgusModelerStruct *model) { return (model->ArgusAflag); } void setArgusAflag(struct ArgusModelerStruct *model, int value) { model->ArgusAflag = value; } int getArgusTCPflag(struct ArgusModelerStruct *model) { return (model->ArgusTCPflag); } void setArgusTCPflag(struct ArgusModelerStruct *model, int value) { model->ArgusTCPflag = value; } int getArgusHashflag(struct ArgusModelerStruct *model) { return (model->ArgusHashflag); } void setArgusHashflag(struct ArgusModelerStruct *model, int value) { model->ArgusHashflag = value; } int getArgusdflag(struct ArgusModelerStruct *model) { return (Argusdflag); } void setArgusdflag(struct ArgusModelerStruct *model, int value) { if (Argusdflag && !(value)) { } if (value) { } Argusdflag = value; } void setArgusLink(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusLink = value; } void setArgusNetMask(struct ArgusModelerStruct *model, unsigned int value) { model->ArgusNetMask = value; } void setArgusTimeReport(struct ArgusModelerStruct *model, int value) { model->ArgusReportAllTime = value; } argus-5.0.2/argus/ArgusModeler.h000066400000000000000000000765401471541253600165460ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Modeler Includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusModeler.h#8 $ * $DateTime: 2016/02/23 00:04:12 $ * $Change: 3099 $ */ #ifndef ArgusModeler_h #define ArgusModeler_h #define ARGUS_MODELER_CLONE 0x40000 #define ARGUS_MARSTATUSTIMER "60" #define ARGUS_MARINTERFACETIMER "60" #define ARGUS_FARSTATUSTIMER "5" #define ARGUS_INITIMEOUT 5 #define ARGUS_IPTIMEOUT 30 #define ARGUS_ARPTIMEOUT 5 #define ARGUS_TCPTIMEOUT 60 #define ARGUS_ICMPTIMEOUT 5 #define ARGUS_IGMPTIMEOUT 30 #define ARGUS_OTHERTIMEOUT 30 #define ARGUS_FRAGTIMEOUT 5 #define ARGUS_MINSNAPLEN 96 #define ARGUS_MINIPHDRLEN 20 #define ARGUS_HASHTABLESIZE 0x1000000 #define ARGUS_REQUEST 0x01 #define ARGUS_REPLY 0x02 #define ARGUS_RTP_PCMU 0 #define ARGUS_RTP_1016 1 #define ARGUS_RTP_G726 2 #define ARGUS_RTP_GSM 3 #define ARGUS_RTP_G723 4 #define ARGUS_RTP_DVI4_8K 5 #define ARGUS_RTP_DVI4_16K 6 #define ARGUS_RTP_PCMA 8 #define ARGUS_RTP_G722 9 #define ARGUS_RTP_L16_STEREO 10 #define ARGUS_RTP_L16_MONO 11 #define ARGUS_RTP_QCELP 12 #define ARGUS_RTP_MPA 14 #define ARGUS_RTP_G728 15 #define ARGUS_RTP_DVI4_11K 16 #define ARGUS_RTP_DVI4_22K 17 #define ARGUS_RTP_G729 18 #define ARGUS_RTP_CELB 25 #define ARGUS_RTP_JPEG 26 #define ARGUS_RTP_NV 28 #define ARGUS_RTP_H261 31 #define ARGUS_RTP_MPV 32 #define ARGUS_RTP_MP2T 33 #define ARGUS_RTP_H263 34 #define ARGUS_SSH_MONITOR 0x20000 #define ARGUS_ETHER_HDR 1 #define ARGUS_802_11_HDR 2 #define ARGUS_DEBUG 0xFF #define ARGUS_RECORD_WRITTEN 0x00000001 #define ARGUSTIMEOUTQS 65534 #define ARGUS_CLNS 129 #define ARGUS_ESIS 130 #define ARGUS_ISIS 131 #define ARGUS_NULLNS 132 #define ARGUS_L2TP_PROTO 384 #define ARGUS_VXLAN_PROTO 385 #define ARGUS_GENEVE_PROTO 386 /* True if "l" bytes of "var" were captured */ #define BYTESCAPTURED(m, var, l) ((u_char *)&(var) <= m->ArgusThisSnapEnd - (l)) /* True if "var" was captured */ #define STRUCTCAPTURED(m, var) BYTESCAPTURED(m, var, sizeof(var)) /* Bail if "l" bytes of "var" were not captured */ #define BYTESCHECK(m, var, l) if (!BYTESCAPTURED(m, var, l)) goto trunc /* Bail if "var" was not captured */ #define STRUCTCHECK(m, var) BYTESCHECK(m, var, sizeof(var)) #define LENCHECK(m, l) { if ((l) > len) goto bad; BYTESCHECK(m, *cp, l); } #define ARGUS_MAX_PROTOCOLS 512 #if defined(ARGUS_THREADS) #include #endif #include #include #include #include #include #include #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NET_IF_H_)) #include #define _NET_IF_H_ #endif #endif #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NETINET_IF_SYSTEM_H_)) #include #define _NETINET_IF_SYSTEM_H_ #endif #if !defined(__OpenBSD__) #include #endif #ifndef _NETINET_IP_H_ #include #define _NETINET_IP_H_ #endif #ifndef _NETINET_IPV6_H_ #include #include #define _NETINET_IPV6_H_ #endif #ifndef _NETINET_UDP_H_ #include #define _NETINET_UDP_H_ #endif #include #include #include #include #include #include struct AHHeader { unsigned char nxt, len; unsigned short pad; unsigned int spi, replay, data; }; struct ArgusHashStruct { unsigned int len, hash; unsigned int ind; unsigned int pad; unsigned int key[24]; }; struct ArgusHashTableHeader { struct ArgusHashTableHeader *nxt, *prv; struct ArgusHashTable *htbl; void *object; char pad[32]; struct ArgusHashStruct hstruct; char pad1[16]; }; #define ARGUSHASHTABLETRACK 0x01 struct ArgusHashTable { unsigned int size; int status; int bins, items; struct ArgusHashTableHeader **array; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif }; #define ARGUS_MAX_MPLS_LABELS 4 struct ArgusKeyStrokeConf { int status, state, n_min; int dc_min, dc_max, gs_max; int ds_min, ds_max, gpc_max; int ic_min, lcs_max; float icr_min, icr_max; }; struct ArgusControlProtocols { char tcpport[0x10000]; char udpport[0x10000]; }; struct ArgusModelerStruct { int state, status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif struct ArgusSourceStruct *ArgusSrc; struct ArgusQueueStruct *ArgusStatusQueue; struct ArgusListStruct *ArgusOutputList; struct ArgusHashTable *ArgusHashTable; struct ArgusSystemFlow *ArgusThisFlow; struct ArgusHashStruct *hstruct; unsigned int ArgusTransactionNum; unsigned int ArgusThisInterface; unsigned int ArgusThisEncaps; unsigned int ArgusThisEncapsLength; unsigned int ArgusThisNetworkFlowType; unsigned int ArgusThisAppFlowType; int ArgusThisMplsLabelIndex; unsigned int ArgusThisMplsLabel; unsigned int ArgusThisVxLanVni; unsigned int ArgusThisPacket8021QEncaps; unsigned char ArgusFlowType, ArgusFlowKey; unsigned short ArgusOptionIndicator; int ArgusInProtocol, ArgusMatchProtocol; int ArgusThisDir, ArgusTrackDuplicates; struct ArgusKeyStrokeConf ArgusKeyStroke; struct ArgusUniStats *ArgusThisStats; struct ether_header *ArgusThisEpHdr; struct argus_llc *ArgusThisLLC; struct argus_gre *ArgusThisGre; struct argus_geneve *ArgusThisGeneve; void *ArgusThisMacHdr; void *ArgusThisIpHdr; struct ip6_frag *ArgusThisIpv6Frag; void *ArgusThisNetworkHdr; unsigned char *ArgusThisPacket; unsigned char *ArgusThisUpHdr; unsigned char *ArgusThisSnapEnd; int ArgusControlMonitor; struct ArgusControlProtocols *cps; int ArgusHashTableSize; int ArgusSnapLength; int ArgusGenerateTime; int ArgusGeneratePacketSize; int ArgusGeneratePacketSizeHisto; int ArgusThisLength; int ArgusThisBytes; struct timeval ArgusGlobalTime; struct timeval ArgusStartTime; struct timeval ArgusNowTime; struct timeval ArgusUpdateInterval; struct timeval ArgusUpdateTimer; long long ival; long long ArgusTotalPacket; long long ArgusTotalFrags; long long ArgusTotalIPPkts; long long ArgusLastIPPkts; long long ArgusTotalNonIPPkts; long long ArgusLastNonIPPkts; long long ArgusTotalNewFlows; long long ArgusLastNewFlows; long long ArgusTotalClosedFlows; long long ArgusLastClosedFlows; long long ArgusTotalIPFlows; long long ArgusLastIPFlows; long long ArgusTotalNonIPFlows; long long ArgusLastNonIPFlows; long long ArgusTotalCacheHits; long long ArgusTotalRecords; long long ArgusTotalSends; long long ArgusTotalQueued; long long ArgusTotalBadSends; long long ArgusLastRecords; long long ArgusTotalUpdates; long long ArgusLastUpdates; struct timeval ArgusLastPacketTimer; struct timeval ArgusAdjustedTimer; int ArgusMajorVersion; int ArgusMinorVersion; int ArgusSnapLen; int ArgusEncapsCapture; int ArgusTunnelParsing; int ArgusTunnelInfo; int ArgusTunnelDiscovery; int ArgusOSFingerPrinting; int ArgusUserDataLen; int ArgusAflag, ArgusTCPflag, Argusmflag; int ArgusHashflag; int ArgusSelfSynchronize, vflag; int ArgusIPTimeout; int ArgusTCPTimeout; int ArgusICMPTimeout; int ArgusIGMPTimeout; int ArgusFRAGTimeout; int ArgusARPTimeout; int ArgusOtherTimeout; int ArgusReportAllTime; int ArgusResponseStatus; struct timeval ArgusFarReportInterval; struct timeval ArgusQueueInterval; struct timeval ArgusListenInterval; unsigned int ArgusSeqNum; unsigned int ArgusLocalNet; unsigned int ArgusNetMask; unsigned int ArgusLink; struct ArgusQueueStruct *ArgusTimeOutQueues; struct ArgusQueueStruct *ArgusTimeOutQueue[ARGUSTIMEOUTQS]; }; #include #include #include #include struct ArgusTimeStats { unsigned int n; float minval, maxval, sum; long long sumsqrd; }; struct ArgusTimeStat { struct timeval lasttime; struct ArgusTimeStats act, idle; }; #define ARGUS_NUM_KEYSTROKE_PKTS 8 #define ARGUS_KEYSTROKE_NONE 0 #define ARGUS_KEYSTROKE_TENTATIVE 1 #define ARGUS_KEYSTROKE_KNOWN 2 struct ArgusKeyStrokePacket { int status, n_pno; struct ArgusTime ts; unsigned int seq; long long intpkt; }; struct ArgusKeyStrokeData { struct ArgusKeyStrokePacket pkts[ARGUS_NUM_KEYSTROKE_PKTS]; }; struct ArgusKeyStrokeState { int status, n_pkts, n_strokes, prev_pno; struct ArgusKeyStrokeData data; struct ArgusTime prev_c_ts, prev_s_ts; }; struct ArgusFlowStruct { struct ArgusQueueHeader qhdr; struct ArgusHashTableHeader htblbuf; unsigned int state, status, dsrindex; unsigned int ArgusEncaps; struct ArgusHashTableHeader *htblhdr; struct ArgusDSRHeader *dsrs[ARGUSMAXDSRTYPE]; struct ArgusQueueStruct frag; unsigned short trans, timeout; unsigned short userlen; signed char srcint, dstint; unsigned short sipid, dipid; struct ArgusTimeStat stime, dtime; struct ArgusKeyStrokeState skey; struct ArgusCanonRecord canon; }; #define MAX_PORT_ALG_TYPES 4 struct ArgusTransportRoutines { char *field; int proto; unsigned short type, port; unsigned short (*parse)(struct ArgusModelerStruct *, void *ptr); }; #if defined(ArgusModeler) #if defined(LBL_ALIGN) #define ARGUS_MAXALIGNBUF 65536 unsigned char ArgusAlignBuffer[ARGUS_MAXALIGNBUF], *ArgusAlignBuf = ArgusAlignBuffer; #endif struct ArgusModelerStruct *ArgusModel = NULL; struct argus_llc ArgusThisLLCBuffer; unsigned char argusDSRTypes [ARGUSMAXDSRTYPE] = { ARGUS_TRANSPORT_DSR, ARGUS_FLOW_DSR, ARGUS_TIME_DSR, ARGUS_METER_DSR, ARGUS_AGR_DSR, }; struct timeval ArgusQueueTime = {0, 0}; struct timeval ArgusQueueInterval = {0, 50000}; struct timeval ArgusListenTime = {0, 0}; struct timeval ArgusListenInterval = {0, 250000}; typedef unsigned short (*pproc)(struct ArgusModelerStruct *, void *ptr); pproc ArgusTransportParseRoutines [0x10000]; void ArgusInitTunnelPortNumbers (void); struct ArgusModelerStruct *ArgusNewModeler(void); struct ArgusModelerStruct *ArgusCloneModeler(struct ArgusModelerStruct *); void ArgusInitModeler(struct ArgusModelerStruct *); void ArgusCloseModeler(struct ArgusModelerStruct *); int ArgusProcessEtherPacket (struct ArgusModelerStruct *, struct ether_header *, int, struct timeval *); int ArgusProcessIpPacket (struct ArgusModelerStruct *, struct ip *, int, struct timeval *); extern int ArgusProcessEtherHdr (struct ArgusModelerStruct *, struct ether_header *, int); unsigned short ArgusDiscoverNetworkProtocol (unsigned char *); void ArgusParseMPLSLabel (unsigned int, unsigned int *, unsigned char *, unsigned char *, unsigned char *); void ArgusSendFlowRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); struct ArgusFlowStruct *ArgusNewFlow (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *, struct ArgusQueueStruct *); extern struct ArgusFlowStruct *ArgusNewFragFlow (void); void ArgusTallyStats (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusTallyTime (struct ArgusFlowStruct *, unsigned char); unsigned short ArgusParseIPOptions (unsigned char *, int); void setArgusHashTableSize (struct ArgusModelerStruct *model, int value); void setArgusIpTimeout (struct ArgusModelerStruct *model, int value); void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value); void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value); void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value); void setArgusFragTimeout (struct ArgusModelerStruct *model, int value); void setArgusArpTimeout (struct ArgusModelerStruct *model, int value); void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value); void setArgusEncapsCapture (struct ArgusModelerStruct *model, char *); int getArgusEncapsCapture (struct ArgusModelerStruct *model); void setArgusTunnelParsing (struct ArgusModelerStruct *model, char *); void setArgusTunnelInformation (struct ArgusModelerStruct *model, char *); int getArgusHashTableSize (struct ArgusModelerStruct *model); void setArgusSynchronize (struct ArgusModelerStruct *, int); int getArgusKeystroke(struct ArgusModelerStruct *); void setArgusKeystroke(struct ArgusModelerStruct *, int); void setArgusKeystrokeVariable(struct ArgusModelerStruct *, char *); int getArgusOSFingerPrinting (struct ArgusModelerStruct *); void setArgusOSFingerPrinting (struct ArgusModelerStruct *, int); extern void setArgusPacketCaptureProtocols(struct ArgusDumpStruct *, char *); void setArgusControlPlaneProtocols(struct ArgusModelerStruct *, char *); int getArgusTunnelDiscovery (struct ArgusModelerStruct *); void setArgusTunnelDiscovery (struct ArgusModelerStruct *, int); int getArgusTrackDuplicates (struct ArgusModelerStruct *); void setArgusTrackDuplicates (struct ArgusModelerStruct *, int); void setArgusFlowKey(struct ArgusModelerStruct *, int); void setArgusFlowType(struct ArgusModelerStruct *, int); int getArgusAflag(struct ArgusModelerStruct *); void setArgusAflag(struct ArgusModelerStruct *, int); int getArgusTCPflag(struct ArgusModelerStruct *); void setArgusTCPflag(struct ArgusModelerStruct *, int); int getArgusHashflag(struct ArgusModelerStruct *); void setArgusHashflag(struct ArgusModelerStruct *, int); int getArgusmflag(struct ArgusModelerStruct *); void setArgusmflag(struct ArgusModelerStruct *, int); int getArgusUserDataLen(struct ArgusModelerStruct *); void setArgusUserDataLen(struct ArgusModelerStruct *, int); int getArgusControlMonitor(struct ArgusModelerStruct *); void setArgusControlMonitor(struct ArgusModelerStruct *); int getArgusGenerateTime(struct ArgusModelerStruct *); void setArgusGenerateTime(struct ArgusModelerStruct *, int); int getArgusGeneratePacketSize(struct ArgusModelerStruct *); void setArgusGeneratePacketSize(struct ArgusModelerStruct *, int); int getArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *); void setArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *, int); void setArgusTimeReport(struct ArgusModelerStruct *, int); struct timeval *getArgusQueueInterval(struct ArgusModelerStruct *); struct timeval *getArgusListenInterval(struct ArgusModelerStruct *); extern struct udt_control_handshake *ArgusThisUdtHshake; extern int ArgusParseUDTHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); int getArgusdflag(struct ArgusModelerStruct *); void setArgusdflag(struct ArgusModelerStruct *, int); void setArgusLink(struct ArgusModelerStruct *, unsigned int); void ArgusModelerCleanUp (struct ArgusModelerStruct *); void *ArgusCreateFlow (struct ArgusModelerStruct *, void *, int); struct ArgusSystemFlow *ArgusCreateArpFlow (struct ArgusModelerStruct *, struct ether_header *); struct ArgusSystemFlow *ArgusCreateESPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); struct ArgusSystemFlow *ArgusCreateESPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateLcpFlow (struct ArgusModelerStruct *, struct lcp_hdr *); struct ArgusSystemFlow *ArgusCreateICMPv6Flow (struct ArgusModelerStruct *, struct icmp6_hdr *); struct ArgusSystemFlow *ArgusCreateICMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateIGMPv6Flow (struct ArgusModelerStruct *, struct igmp *); struct ArgusSystemFlow *ArgusCreateIGMPFlow (struct ArgusModelerStruct *, struct ip *); struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); struct ArgusSystemFlow *ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header); struct ArgusSystemFlow *ArgusCreateUDTFlow (struct ArgusModelerStruct *, struct udt_header *); struct ArgusSystemFlow *ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr); void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void *ArgusQueueManager(void *); int ArgusCreateFlowKey (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *); struct ArgusFlowStruct *ArgusFindFlow (struct ArgusModelerStruct *, struct ArgusHashStruct *); void ArgusICMPMappedFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); int ArgusFlowPacketDuplicate (struct ArgusModelerStruct *, struct ArgusFlowStruct *); struct ArgusFlowStruct *ArgusUpdateState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); struct ArgusFlowStruct *ArgusUpdateFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); void ArgusUpdateAppState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); void ArgusModelTransmit (void); int ArgusUpdateTime (struct ArgusModelerStruct *); void ArgusTimeOut(struct ArgusFlowStruct *); int getArgusMajorVersion(struct ArgusModelerStruct *); void setArgusMajorVersion(struct ArgusModelerStruct *, int); int getArgusMinorVersion(struct ArgusModelerStruct *); void setArgusMinorVersion(struct ArgusModelerStruct *, int); int getArgusManReportInterval(struct ArgusModelerStruct *); void setArgusManReportInterval(struct ArgusModelerStruct *, int); struct timeval *getArgusFarReportInterval(struct ArgusModelerStruct *); void setArgusFarReportInterval(struct ArgusModelerStruct *, char *); int getArgusResponseStatus(struct ArgusModelerStruct *); void setArgusResponseStatus(struct ArgusModelerStruct *, int value); int getArgusIpTimeout(struct ArgusModelerStruct *); void setArgusIpTimeout(struct ArgusModelerStruct *, int); int getArgusTcpTimeout(struct ArgusModelerStruct *); void setArgusTcpTimeout(struct ArgusModelerStruct *, int); int getArgusIcmpTimeout(struct ArgusModelerStruct *); void setArgusIcmpTimeout(struct ArgusModelerStruct *, int); int getArgusIgmpTimeout(struct ArgusModelerStruct *); void setArgusIgmpTimeout(struct ArgusModelerStruct *, int); int getArgusFragTimeout(struct ArgusModelerStruct *); void setArgusFragTimeout(struct ArgusModelerStruct *, int); int getArgusArpTimeout(struct ArgusModelerStruct *); void setArgusArpTimeout(struct ArgusModelerStruct *, int); int getArgusOtherTimeout(struct ArgusModelerStruct *); void setArgusOtherTimeout(struct ArgusModelerStruct *, int); int getArgusHashTableSize (struct ArgusModelerStruct *); unsigned int getArgusLocalNet(struct ArgusModelerStruct *); void setArgusLocalNet(struct ArgusModelerStruct *, unsigned int); unsigned int getArgusNetMask(struct ArgusModelerStruct *); void setArgusNetMask(struct ArgusModelerStruct *, unsigned int); void setArgusEncapsCapture (struct ArgusModelerStruct *model, char *); int getArgusEncapsCapture (struct ArgusModelerStruct *model); void ArgusSystemTimeout (struct ArgusModelerStruct *); struct ArgusRecord *ArgusGenerateRecord (struct ArgusModelerStruct *, struct ArgusRecordStruct *, unsigned char, struct ArgusRecord *); struct ArgusRecordStruct *ArgusGenerateListRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); extern void ArgusTCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusIBFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusESPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusLCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); extern void ArgusUpdateTCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern void ArgusUpdateUDPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern void ArgusUpdateArpState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern int ArgusUpdateFRAGState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned short); extern void ArgusUpdateESPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); extern unsigned short ArgusParseVxLan (struct ArgusModelerStruct *, void *); extern unsigned short ArgusParseGeneve (struct ArgusModelerStruct *, void *); extern unsigned short ArgusParseL2TP (struct ArgusModelerStruct *, void *); struct ArgusTransportRoutines RaPortAlgorithmTable[MAX_PORT_ALG_TYPES] = { #define ARGUS_PARSE_L2TP 0 { "l2tp", ARGUS_L2TP_PROTO, ARGUS_PARSE_L2TP, 1701, ArgusParseL2TP}, #define ARGUS_PARSE_VXLAN 1 { "vxlan", ARGUS_VXLAN_PROTO, ARGUS_PARSE_VXLAN, 4789, ArgusParseVxLan}, { "vxlan", ARGUS_VXLAN_PROTO, ARGUS_PARSE_VXLAN, 8472, ArgusParseVxLan}, #define ARGUS_PARSE_GENEVE 2 { "geneve", ARGUS_GENEVE_PROTO, ARGUS_PARSE_GENEVE, 6081, ArgusParseGeneve}, }; #else /* #if defined(ArgusModeler) */ extern struct ArgusModelerStruct *ArgusModel; extern struct argus_llc ArgusThisLLCBuffer; extern struct ArgusTransportRoutines RaPortAlgorithmTable[]; #if defined(LBL_ALIGN) extern unsigned char *ArgusAlignBuf; #endif #if defined(Argus) void clearArgusConfiguration (struct ArgusModelerStruct *); #endif typedef unsigned short (*pproc)(void *ptr); extern pproc ArgusTransportParseRoutines []; extern struct ArgusModelerStruct *ArgusNewModeler(void); extern struct ArgusModelerStruct *ArgusCloneModeler(struct ArgusModelerStruct *); extern void ArgusInitModeler(struct ArgusModelerStruct *); extern void ArgusCloseModeler(struct ArgusModelerStruct *); extern int ArgusProcessEtherPacket (struct ArgusModelerStruct *, struct ether_header *, int, struct timeval *); extern int ArgusProcessIpPacket (struct ArgusModelerStruct *, struct ip *, int, struct timeval *); extern int ArgusProcessEtherHdr (struct ArgusModelerStruct *, struct ether_header *, int); extern unsigned short ArgusDiscoverNetworkProtocol (unsigned char *); extern void ArgusParseMPLSLabel (unsigned int, unsigned int *, unsigned char *, unsigned char *, unsigned char *); extern void ArgusSendFlowRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern struct ArgusFlowStruct *ArgusNewFlow (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *, struct ArgusQueueStruct *); extern struct ArgusFlowStruct *ArgusNewFragFlow (void); extern void ArgusTallyStats (struct ArgusModelerStruct *, struct ArgusFlowStruct *); extern void ArgusTallyTime (struct ArgusFlowStruct *, unsigned char); extern unsigned short ArgusParseIPOptions (unsigned char *, int); extern void setArgusIpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusTcpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusIcmpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusIgmpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusFragTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusArpTimeout (struct ArgusModelerStruct *model, int value); extern void setArgusOtherTimeout (struct ArgusModelerStruct *model, int value); extern int getArgusHashTableSize (struct ArgusModelerStruct *model); extern void setArgusSynchronize (struct ArgusModelerStruct *, int); extern int getArgusKeystroke(struct ArgusModelerStruct *); extern void setArgusKeystroke(struct ArgusModelerStruct *, int); extern void setArgusKeystrokeVariable(struct ArgusModelerStruct *, char *); extern int getArgusOSFingerPrinting (struct ArgusModelerStruct *); extern void setArgusOSFingerPrinting (struct ArgusModelerStruct *, int); extern void setArgusPacketCaptureProtocols(struct ArgusDumpStruct *, char *); extern void setArgusControlPlaneProtocols(struct ArgusModelerStruct *, char *); extern void setArgusEncapsCapture (struct ArgusModelerStruct *model, char *); extern int getArgusEncapsCapture (struct ArgusModelerStruct *model); extern int getArgusTunnelDiscovery(struct ArgusModelerStruct *); extern void setArgusTunnelDiscovery(struct ArgusModelerStruct *, int); extern int getArgusTrackDuplicates (struct ArgusModelerStruct *); extern void setArgusTrackDuplicates (struct ArgusModelerStruct *, int); extern void setArgusFlowKey(struct ArgusModelerStruct *, int); extern void setArgusFlowType(struct ArgusModelerStruct *, int); extern void setArgusCollector(struct ArgusModelerStruct *, int); extern int getArgusAflag(struct ArgusModelerStruct *); extern void setArgusAflag(struct ArgusModelerStruct *, int); extern int getArgusTCPflag(struct ArgusModelerStruct *); extern void setArgusTCPflag(struct ArgusModelerStruct *, int); extern int getArgusHashflag(struct ArgusModelerStruct *); extern void setArgusHashflag(struct ArgusModelerStruct *, int); extern int getArgusmflag(struct ArgusModelerStruct *); extern void setArgusmflag(struct ArgusModelerStruct *, int); extern int getArgusUserDataLen(struct ArgusModelerStruct *); extern void setArgusUserDataLen(struct ArgusModelerStruct *, int); extern int getArgusControlMonitor(struct ArgusModelerStruct *); extern void setArgusControlMonitor(struct ArgusModelerStruct *); extern struct timeval ArgusQueueInterval; extern struct timeval *getArgusQueueInterval(void); extern struct timeval ArgusListenInterval; extern struct timeval *getArgusListenInterval(void); extern struct udt_control_handshake *ArgusThisUdtHshake; extern int ArgusParseUDTHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); extern int getArgusGenerateTime(struct ArgusModelerStruct *); extern void setArgusGenerateTime(struct ArgusModelerStruct *, int); extern int getArgusGeneratePacketSize(struct ArgusModelerStruct *); extern void setArgusGeneratePacketSize(struct ArgusModelerStruct *, int); extern int getArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *); extern void setArgusGeneratePacketSizeHisto(struct ArgusModelerStruct *, int); extern void setArgusTimeReport(struct ArgusModelerStruct *, int); extern int getArgusKeystroke(struct ArgusModelerStruct *); extern void setArgusKeystroke(struct ArgusModelerStruct *, int); extern int getArgusdflag(struct ArgusModelerStruct *); extern struct timeval *getArgusFarReportInterval(struct ArgusModelerStruct *); extern void setArgusdflag(struct ArgusModelerStruct *, int); extern void setArgusFarReportInterval(struct ArgusModelerStruct *, char *); extern void setArgusLink(struct ArgusModelerStruct *, unsigned int); extern void ArgusModelerCleanUp (struct ArgusModelerStruct *); extern struct ArgusSystemFlow *ArgusCreateFlow (struct ArgusModelerStruct *, void *, int); extern struct ArgusSystemFlow *ArgusCreateArpFlow (struct ArgusModelerStruct *, struct ether_header *); extern struct ArgusSystemFlow *ArgusCreatev4IPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreatev6IPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateESPv6Flow (struct ArgusModelerStruct *, struct ip6_hdr *); extern struct ArgusSystemFlow *ArgusCreateESPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateLcpFlow (struct ArgusModelerStruct *, struct lcp_hdr *); extern struct ArgusSystemFlow *ArgusCreateICMPv6Flow (struct ArgusModelerStruct *, struct icmp6_hdr *); extern struct ArgusSystemFlow *ArgusCreateICMPFlow (struct ArgusModelerStruct *, struct ip *); extern struct ArgusSystemFlow *ArgusCreateFRAGFlow (struct ArgusModelerStruct *, void *, unsigned short); extern struct ArgusSystemFlow *ArgusCreateIsisFlow (struct ArgusModelerStruct *model, struct isis_common_header *header); extern struct ArgusSystemFlow *ArgusCreateUDTFlow (struct ArgusModelerStruct *, struct udt_header *); extern struct ArgusSystemFlow *ArgusCreate80211Flow (struct ArgusModelerStruct *model, void *ptr); extern void ArgusUpdateBasicFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern void *ArgusQueueManager(void *); extern struct ArgusFlowStruct *ArgusFindFlow (struct ArgusModelerStruct *, struct ArgusHashStruct *); extern int ArgusCreateFlowKey (struct ArgusModelerStruct *, struct ArgusSystemFlow *, struct ArgusHashStruct *); extern void ArgusICMPMappedFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); extern int ArgusFlowPacketDuplicate (struct ArgusModelerStruct *, struct ArgusFlowStruct *); extern struct ArgusFlowStruct *ArgusUpdateState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); extern struct ArgusFlowStruct *ArgusUpdateFlow (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char, unsigned char); extern void ArgusUpdateAppState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern void ArgusModelTransmit (void); extern int ArgusUpdateTime (struct ArgusModelerStruct *); extern void ArgusTimeOut(struct ArgusFlowStruct *); extern int getArgusMajorVersion(struct ArgusModelerStruct *); extern void setArgusMajorVersion(struct ArgusModelerStruct *, int); extern int getArgusMinorVersion(struct ArgusModelerStruct *); extern void setArgusMinorVersion(struct ArgusModelerStruct *, int); extern int getArgusManReportInterval(struct ArgusModelerStruct *); extern void setArgusManReportInterval(struct ArgusModelerStruct *, int); extern int getArgusStatusReportInterval(struct ArgusModelerStruct *); extern void setArgusStatusReportInterval(struct ArgusModelerStruct *, int); extern int getArgusResponseStatus(struct ArgusModelerStruct *); extern void setArgusResponseStatus(struct ArgusModelerStruct *, int value); extern int getArgusHashTableSize (struct ArgusModelerStruct *model); extern void setArgusHashTableSize (struct ArgusModelerStruct *model, int value); extern int getArgusIPTimeout(struct ArgusModelerStruct *); extern void setArgusIPTimeout(struct ArgusModelerStruct *, int); extern int getArgusTCPTimeout(struct ArgusModelerStruct *); extern void setArgusTCPTimeout(struct ArgusModelerStruct *, int); extern int getArgusICMPTimeout(struct ArgusModelerStruct *); extern void setArgusICMPTimeout(struct ArgusModelerStruct *, int); extern int getArgusIGMPTimeout(struct ArgusModelerStruct *); extern void setArgusIGMPTimeout(struct ArgusModelerStruct *, int); extern int getArgusFRAGTimeout(struct ArgusModelerStruct *); extern void setArgusFRAGTimeout(struct ArgusModelerStruct *, int); extern unsigned int getArgusLocalNet(struct ArgusModelerStruct *); extern void setArgusLocalNet(struct ArgusModelerStruct *, unsigned int); extern unsigned int getArgusNetMask(struct ArgusModelerStruct *); extern void setArgusNetMask(struct ArgusModelerStruct *, unsigned int); extern void ArgusSystemTimeout (struct ArgusModelerStruct *); extern struct ArgusRecord *ArgusGenerateRecord (struct ArgusModelerStruct *, struct ArgusRecordStruct *, unsigned char, struct ArgusRecord *); extern struct ArgusRecordStruct *ArgusGenerateListRecord (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char); extern struct ArgusRecordStruct *ArgusCopyRecordStruct (struct ArgusRecordStruct *); #endif /* #if defined(ArgusModeler) else */ #endif /* #ifndef ArgusModeler_h */ argus-5.0.2/argus/ArgusNetflow.c000066400000000000000000002505101471541253600165570ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Netflow processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusNetflow.c#23 $ * $DateTime: 2011/01/26 17:21:20 $ * $Change: 2089 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusNetflow) #define ArgusNetflow #include #include #include #include #include #include #include #include #include #include #include struct ArgusRecord *ArgusParseCiscoRecordV9Data (struct ArgusParserStruct *, struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int *); struct ArgusRecord *ArgusParseCiscoRecordV9Template (struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int); struct ArgusRecord *ArgusParseCiscoRecordV9OptionTemplate (struct ArgusModelerStruct *, struct ArgusQueueStruct *, u_char *, int); unsigned char *ArgusNetFlowRecordHeader = NULL; unsigned char ArgusNetFlowArgusRecordBuf[4098]; struct ArgusRecord *ArgusNetFlowArgusRecord = (struct ArgusRecord *) ArgusNetFlowArgusRecordBuf; struct ArgusCiscoTemplateStruct { int length, count; struct timeval lasttime; CiscoFlowTemplateFlowEntryV9_t **tHdr; }; struct ArgusCiscoSourceStruct { struct ArgusQueueHeader qhdr; struct ArgusHashTableHeader htblbuf, *htblhdr; unsigned int srcid, saddr; struct timeval startime, lasttime; struct ArgusCiscoTemplateStruct templates[0x10000]; }; int ArgusCounter; unsigned int ArgusFlowSeq = 0; unsigned int ArgusCiscoSrcId = 0; unsigned int ArgusCiscoSrcAddr = 0; unsigned int ArgusSysUptime = 0; struct timeval ArgusCiscoTvpBuf, *ArgusCiscoTvp = &ArgusCiscoTvpBuf; struct ArgusQueueStruct *ArgusTemplateQueue = NULL; void ArgusParseCiscoRecord (struct ArgusModelerStruct *model, void *ptr) { int ArgusReadSocketState = ARGUS_READINGPREHDR; int ArgusReadSocketSize = 0; unsigned short ArgusReadCiscoVersion; // unsigned short ArgusReadSocketNum; if (ArgusTemplateQueue == NULL) if ((ArgusTemplateQueue = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusParseCiscoRecord () ArgusNewQueue error %s\n", strerror(errno)); while ((char *)ptr < (char *)model->ArgusThisSnapEnd) { switch (ArgusReadSocketState) { case ARGUS_READINGPREHDR: { unsigned short *sptr = (unsigned short *) ptr; ArgusReadCiscoVersion = ntohs(*sptr++); // ArgusReadSocketNum = ntohs(*sptr); ArgusReadSocketState = ARGUS_READINGHDR; break; } case ARGUS_READINGHDR: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record header\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_5: { CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_6: { CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_7: { CiscoFlowHeaderV7_t *ArgusNetFlow = (CiscoFlowHeaderV7_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_8: { CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_9: { CiscoFlowHeaderV9_t *ArgusNetFlow = (CiscoFlowHeaderV9_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCiscoTvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); ArgusCiscoTvp->tv_usec = 0; ArgusFlowSeq = ntohl(ArgusNetFlow->package_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusCiscoSrcId = ntohl(ArgusNetFlow->source_id); if (model->state & ARGUS_REVERSE) ArgusCiscoSrcAddr = model->ArgusThisFlow->flow_un.ip.ip_src; else ArgusCiscoSrcAddr = model->ArgusThisFlow->flow_un.ip.ip_dst; break; } default: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p) read header\n", ptr); #endif } } ptr += ArgusReadSocketSize; ArgusReadSocketState = ARGUS_READINGBLOCK; break; } case ARGUS_READINGBLOCK: { struct ArgusSystemFlow flowbuf, *sflow = &flowbuf; struct ArgusHashStruct hbuf, *hstruct = &hbuf; struct ArgusFlowStruct *flow = NULL; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record complete\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowEntryV1_t *ArgusNetFlow = (CiscoFlowEntryV1_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->flags; if (ArgusNetFlow->flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->flags & TH_ACK) || (ArgusNetFlow->flags & TH_PUSH) || (ArgusNetFlow->flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_5: { CiscoFlowEntryV5_t *ArgusNetFlow = (CiscoFlowEntryV5_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; int timeval, secs, usecs; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); secs = ArgusCiscoTvp->tv_sec + ((timeval - (int)ArgusSysUptime) / 1000); usecs = ArgusCiscoTvp->tv_usec + ((timeval - (int)ArgusSysUptime) % 1000) * 1000; time->src.start.tv_sec = secs; if (usecs < 0) { time->src.start.tv_sec--; usecs += 1000000; } else if (usecs > 1000000) { time->src.start.tv_sec++; usecs -= 1000000; } time->src.start.tv_usec = usecs; timeval = ntohl(ArgusNetFlow->last); secs = ArgusCiscoTvp->tv_sec + ((timeval - (int)ArgusSysUptime) / 1000); usecs = ArgusCiscoTvp->tv_usec + ((timeval - (int)ArgusSysUptime) % 1000) * 1000; time->src.end.tv_sec = secs; if (usecs < 0) { time->src.end.tv_sec--; usecs += 1000000; } else if (usecs > 1000000) { time->src.end.tv_sec++; usecs -= 1000000; } time->src.end.tv_usec = usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_6: { CiscoFlowEntryV6_t *ArgusNetFlow = (CiscoFlowEntryV6_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_7: { CiscoFlowEntryV7_t *ArgusNetFlow = (CiscoFlowEntryV7_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += ArgusCiscoTvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += ArgusCiscoTvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += ArgusCiscoTvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_8: { // ptr += sizeof(CiscoFlowEntryV8_t); break; } case CISCO_VERSION_9: { CiscoFlowEntryV9_t *ArgusNetFlow = (CiscoFlowEntryV9_t *) ptr; int flowset_id, flowset_len; flowset_id = ntohs(ArgusNetFlow->flowset_id); if ((flowset_len = ntohs(ArgusNetFlow->length)) > 0) { switch (flowset_id) { case k_CiscoV9TemplateFlowsetId: { if (ArgusParseCiscoRecordV9Template(model, ArgusTemplateQueue, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } case k_CiscoV9OptionsFlowsetId: { if (ArgusParseCiscoRecordV9OptionTemplate(model, ArgusTemplateQueue, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } default: { if (flowset_id >= k_CiscoV9MinRecordFlowsetId) { ArgusParseCiscoRecordV9Data(ArgusParser, model, ArgusTemplateQueue, (u_char *) ptr, &ArgusCounter); } break; } } ptr += flowset_len; break; } } } break; } } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusParseCiscoRecord(%p, %p)", model, ptr); #endif } void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *model, void *ptr) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV5 (%p, %p)\n", model, ptr); #endif } void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *model, void *ptr) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV6 (%p, %p)\n", model, ptr); #endif } extern long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); typedef struct value { union { uint8_t val8[16]; uint16_t val16[8]; uint32_t val32[4]; uint64_t val64[2]; uint64_t val128[2]; }; } value_t; struct ArgusRecord * ArgusParseCiscoRecordV9Data (struct ArgusParserStruct *parser, struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int *cnt) { struct ArgusRecord *retn = NULL; struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusCiscoSourceStruct *src; int ArgusParsingIPv6 = 0; u_char *tptr = ptr; if (tqueue != NULL) { int i, count = tqueue->count; for (i = 0; (i < count) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates == NULL) return(retn); // using the matching template, parse out a single record. we need to update ptr and // len so that they represent marching through the buffer, parsing out the records. // { CiscoFlowEntryV9_t *cflow = (CiscoFlowEntryV9_t *) tptr; CiscoFlowTemplateHeaderV9_t *tHdr = NULL; CiscoFlowTemplateFlowEntryV9_t *tData; int flowset_id = ntohs(cflow->flowset_id); int length = ntohs(cflow->length); if (length) { #define ARGUS_TEMPLATE_TIMEOUT 1800 if ((tHdr = (CiscoFlowTemplateHeaderV9_t *) templates[flowset_id].tHdr) != NULL) { if ((templates[flowset_id].lasttime.tv_sec + ARGUS_TEMPLATE_TIMEOUT) > model->ArgusGlobalTime.tv_sec) { int i, count = tHdr->count, nflowPad = 3; struct ArgusFlowStruct flowbuf, *flow = &flowbuf; u_char *sptr = (u_char *)(cflow + 1); u_char *eptr = sptr + (length - sizeof(*cflow)); // process an entire flow set while (sptr < (eptr - nflowPad)) { struct ArgusDSRHeader *dsr = (struct ArgusDSRHeader *) &ArgusNetFlowArgusRecordBuf[4]; bzero(flow, sizeof(*flow)); tData = (CiscoFlowTemplateFlowEntryV9_t *)(tHdr + 1); retn = NULL; for (i = 0; i < count; i++) { value_t value; bzero(&value, sizeof(value)); switch (tData->length) { case 1: value.val8[0] = *sptr; break; case 2: value.val16[0] = EXTRACT_16BITS(sptr); break; case 4: value.val32[0] = EXTRACT_32BITS(sptr); break; case 8: value.val64[0] = EXTRACT_64BITS(sptr); break; case 16: bcopy(sptr, &value.val128, 16); break; } sptr += tData->length; switch (tData->type) { case k_CiscoV9InBytes: { flow->canon.metric.src.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9InPackets: { flow->canon.metric.src.pkts = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9Flows: { break; } case k_CiscoV9InProtocol: { flow->canon.flow.flow_un.ipv6.ip_p = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9SrcTos: { flow->canon.attr.src.tos = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9TcpFlags: { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; unsigned char flags = value.val8[0]; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = flags; if (flags & TH_RST) tcp->status |= ARGUS_RESET; if (flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((flags & TH_ACK) || (flags & TH_PUSH) || (flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; break; } case k_CiscoV9L4SrcPort: { flow->canon.flow.flow_un.ipv6.sport = value.val16[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV4SrcAddr: { flow->canon.flow.flow_un.ipv6.ip_src[0] = value.val32[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9SrcMask: { uint32_t mask = 0xffffffff << (32 - value.val8[0]); flow->canon.flow.flow_un.ipv6.ip_src[3] = mask; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9InputSnmp: { break; } case k_CiscoV9L4DstPort: { flow->canon.flow.flow_un.ipv6.dport = value.val16[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV4DstAddr: { flow->canon.flow.flow_un.ipv6.ip_dst[0] = value.val32[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9DstMask: { uint32_t mask = 0xffffffff << (32 - value.val8[0]); flow->canon.flow.flow_un.ipv6.ip_dst[3] = mask; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9OutputSnmp: { break; } case k_CiscoV9IpV4NextHop: { break; } case k_CiscoV9SrcAS: { flow->canon.asn.src_as = (tData->length == 2) ? value.val16[0] : value.val32[0]; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = &flow->canon.asn.hdr; break; } case k_CiscoV9DstAS: { flow->canon.asn.dst_as = (tData->length == 2) ? value.val16[0] : value.val32[0]; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = &flow->canon.asn.hdr; break; } case k_CiscoV9BgpIpV4NextHop: { break; } case k_CiscoV9MulDstPkts: { break; } case k_CiscoV9MulDstBytes: { break; } case k_CiscoV9LastSwitched: { long timeval = (tData->length == 2) ? value.val16[0] : value.val32[0]; int secs, usecs; secs = ((timeval - ArgusSysUptime) / 1000); usecs = ((timeval - ArgusSysUptime) % 1000) * 1000; flow->canon.time.src.end.tv_sec = ArgusCiscoTvp->tv_sec + secs; if (usecs < 0) { flow->canon.time.src.end.tv_sec--; usecs += 1000000; } flow->canon.time.src.end.tv_usec = ArgusCiscoTvp->tv_usec + usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = &flow->canon.time.hdr; break; } case k_CiscoV9FirstSwitched: { long timeval = (tData->length == 2) ? value.val16[0] : value.val32[0]; int secs, usecs; secs = ((timeval - ArgusSysUptime) / 1000); usecs = ((timeval - ArgusSysUptime) % 1000) * 1000; flow->canon.time.src.start.tv_sec = ArgusCiscoTvp->tv_sec + secs; if (usecs < 0) { flow->canon.time.src.start.tv_sec--; usecs += 1000000; } flow->canon.time.src.start.tv_usec = ArgusCiscoTvp->tv_usec + usecs; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = &flow->canon.time.hdr; break; } case k_CiscoV9OutBytes: { /* flow->canon.metric.dst.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; */ break; } case k_CiscoV9OutPkts: { /* flow->canon.metric.dst.pkts = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; */ break; } case k_CiscoV9MinPktLen: { flow->canon.psize.src.psizemin = value.val16[0]; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; break; } case k_CiscoV9MaxPktLen: { flow->canon.psize.src.psizemax = value.val16[0]; flow->dsrindex |= 1 << ARGUS_PSIZE_INDEX; flow->dsrs[ARGUS_PSIZE_INDEX] = &flow->canon.psize.hdr; break; } case k_CiscoV9IpV6SrcAddr: { bcopy (&value, &flow->canon.flow.flow_un.ipv6.ip_src, 16); flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; ArgusParsingIPv6 = 1; break; } case k_CiscoV9IpV6DstAddr: { bcopy (&value, &flow->canon.flow.flow_un.ipv6.ip_dst, 16); flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; ArgusParsingIPv6 = 1; break; } case k_CiscoV9IPV6SrcMask: { break; } case k_CiscoV9IpV6DstMask: { break; } case k_CiscoV9IpV6FlowLabel: { break; } case k_CiscoV9IpV6IcmpType: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->type = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IpV6MulIgmpType: { break; } case k_CiscoV9IpV6SamplingInterval: { break; } case k_CiscoV9IpV6SamplingAlgorithm: { break; } case k_CiscoV9FlowActiveTimeout: { break; } case k_CiscoV9FlowInactiveTimeout: { break; } case k_CiscoV9EngineType: { break; } case k_CiscoV9EngineID: { break; } case k_CiscoV9TotalBytesExp: { break; } case k_CiscoV9TotalPktsExp: { break; } case k_CiscoV9TotalFlowsExp: { break; } case k_CiscoV9MplsTopLabelType: { break; } case k_CiscoV9MplsTopLabelIPAddr: { break; } case k_CiscoV9FlowSamplerID: { break; } case k_CiscoV9FlowSamplerMode: { break; } case k_CiscoV9FlowSamplerRandomInt: { break; } case k_CiscoV9MinTtl: { flow->canon.attr.src.ttl = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9MaxTtl: { flow->canon.attr.src.ttl = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9IPv4IpId: { flow->canon.attr.src.ip_id = value.val16[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9DstTos: { flow->canon.attr.dst.tos = value.val8[0]; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = &flow->canon.attr.hdr; break; } case k_CiscoV9SrcMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9DstMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9SrcVlan: { flow->canon.vlan.sid = value.val16[0]; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; flow->dsrs[ARGUS_VLAN_INDEX] = &flow->canon.vlan.hdr; break; } case k_CiscoV9DstVlan: { flow->canon.vlan.did = value.val16[0]; flow->dsrindex |= 1 << ARGUS_VLAN_INDEX; flow->dsrs[ARGUS_VLAN_INDEX] = &flow->canon.vlan.hdr; break; } case k_CiscoV9IpProtocolVersion: { break; } case k_CiscoV9Direction: { break; } case k_CiscoV9IpV6NextHop: { break; } case k_CiscoV9BgpIpV6NextHop: { break; } case k_CiscoV9IpV6OptionHeaders: { break; } case k_CiscoV9MplsLabel1: { break; } case k_CiscoV9MplsLabel2: { break; } case k_CiscoV9MplsLabel3: { break; } case k_CiscoV9MplsLabel4: { break; } case k_CiscoV9MplsLabel5: { break; } case k_CiscoV9MplsLabel6: { break; } case k_CiscoV9MplsLabel7: { break; } case k_CiscoV9MplsLabel8: { break; } case k_CiscoV9MplsLabel9: { break; } case k_CiscoV9MplsLabel10: { break; } case k_CiscoV9InDstMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9OutSrcMac: { flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = &flow->canon.mac.hdr; break; } case k_CiscoV9IfName: { break; } case k_CiscoV9IfDesc: { break; } case k_CiscoV9SampleName: { break; } case k_CiscoV9InPermanentBytes: { flow->canon.metric.src.bytes = value.val32[0]; flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = &flow->canon.metric.hdr; break; } case k_CiscoV9InPermanentPkts: { break; } case k_CiscoV9FragmentOffset: { break; } case k_CiscoV9ForwardingStatus: { break; } case k_CiscoV9PostDSCP: { break; } case k_CiscoV9NatInsideGlobalAddr: { break; } case k_CiscoV9NatOutsideGlobalAddr: { break; } case k_CiscoV9postNatL4SrcPort: { break; } case k_CiscoV9postNatL4DstPort: { break; } case k_CiscoV9postNatEvent: { break; } case k_CiscoV9IngressVRFID: { break; } case k_CiscoV9ConnId: { break; } case k_CiscoV9IcmpType: { break; } case k_CiscoV9IcmpCode: { break; } case k_CiscoV9IcmpTypeV6: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->type = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoV9IcmpCodeV6: { struct ArgusICMPv6Flow *icmpv6Flow = &flow->canon.flow.icmpv6_flow; icmpv6Flow->code = value.val8[0]; flow->dsrindex |= 1 << ARGUS_FLOW_INDEX; flow->dsrs[ARGUS_FLOW_INDEX] = &flow->canon.flow.hdr; break; } case k_CiscoEventTimeMilliSec: { break; } case k_CiscoEventTimeMicroSec: { break; } case k_CiscoEventTimeNanoSec: { break; } } tData++; } { struct timeval tdiffbuf, *tdiff = &tdiffbuf; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; flow->canon.hdr.cause = ARGUS_STATUS; flow->canon.hdr.len = 1; if (!(flow->dsrindex & (1 << ARGUS_TIME_INDEX))) { struct ArgusTimeObject *ato = &flow->canon.time; ato->src.start.tv_sec = ArgusCiscoTvp->tv_sec; ato->src.start.tv_usec = ((long)(ArgusSysUptime)%1000) * 1000; if (ato->src.start.tv_usec >= 1000000) { ato->src.start.tv_sec++; ato->src.start.tv_usec -= 1000000; } ato->src.end = ato->src.start; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)ato; } if (ArgusDiffTime(&flow->canon.time.src.end, &flow->canon.time.src.start, tdiff) == 0) { struct ArgusMetricStruct *metric = &flow->canon.metric; #define ARGUS_DEFAULT_RATE 1000000.0f if (metric->src.pkts > 1) { double dtime = (metric->src.pkts * 1.0) / ARGUS_DEFAULT_RATE; double itime; double ftime = modf(dtime, &itime); flow->canon.time.src.end.tv_sec = flow->canon.time.src.start.tv_sec + (itime); flow->canon.time.src.end.tv_usec = flow->canon.time.src.start.tv_usec + (ftime * 1000000); if (flow->canon.time.src.end.tv_usec >= 1000000) { flow->canon.time.src.end.tv_usec -= 1000000; flow->canon.time.src.end.tv_sec++; } } } for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrindex & (1 << i)) { switch(i) { case ARGUS_FLOW_INDEX: { flow->canon.flow.hdr.type = ARGUS_FLOW_DSR; flow->canon.flow.hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; if (ArgusParsingIPv6) { flow->canon.flow.hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV6; flow->canon.flow.hdr.argus_dsrvl8.len = 11; } else { struct ArgusFlow tflow; bzero(&tflow, sizeof(tflow)); tflow.flow_un.ip.ip_src = flow->canon.flow.flow_un.ipv6.ip_src[0]; tflow.flow_un.ip.ip_dst = flow->canon.flow.flow_un.ipv6.ip_dst[0]; tflow.flow_un.ip.ip_p = flow->canon.flow.flow_un.ipv6.ip_p; tflow.flow_un.ip.sport = flow->canon.flow.flow_un.ipv6.sport; tflow.flow_un.ip.dport = flow->canon.flow.flow_un.ipv6.dport; tflow.flow_un.ip.smask = flow->canon.flow.flow_un.ipv6.ip_src[3]; tflow.flow_un.ip.dmask = flow->canon.flow.flow_un.ipv6.ip_dst[3]; flow->canon.flow.hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; flow->canon.flow.hdr.argus_dsrvl8.len = 5; bcopy(&tflow.flow_un.ip, &flow->canon.flow.flow_un.ip, sizeof(tflow.flow_un.ip)); } bcopy(&flow->canon.flow, dsr, flow->canon.flow.hdr.argus_dsrvl8.len * 4); dsr += flow->canon.flow.hdr.argus_dsrvl8.len; flow->canon.hdr.len += flow->canon.flow.hdr.argus_dsrvl8.len; break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *time = &flow->canon.time; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; bcopy(time, dsr, time->hdr.argus_dsrvl8.len * 4); dsr += time->hdr.argus_dsrvl8.len; flow->canon.hdr.len += time->hdr.argus_dsrvl8.len; break; } case ARGUS_ASN_INDEX: { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; bcopy(asn, dsr, asn->hdr.argus_dsrvl8.len * 4); dsr += asn->hdr.argus_dsrvl8.len; flow->canon.hdr.len += asn->hdr.argus_dsrvl8.len; break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = &flow->canon.metric; int pkts, bytes; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; pkts = metric->src.pkts; bytes = metric->src.bytes; bcopy(&metric->hdr, dsr, 4); bcopy(&pkts, dsr+1, 4); bcopy(&bytes, dsr+2, 4); dsr += metric->hdr.argus_dsrvl8.len; flow->canon.hdr.len += metric->hdr.argus_dsrvl8.len; break; } case ARGUS_NETWORK_INDEX: { struct ArgusNetworkStruct *net = &flow->canon.net; bcopy(net, dsr, net->hdr.argus_dsrvl8.len * 4); dsr += net->hdr.argus_dsrvl8.len; flow->canon.hdr.len += net->hdr.argus_dsrvl8.len; break; } case ARGUS_MAC_INDEX: { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; bcopy(mac, dsr, mac->hdr.argus_dsrvl8.len * 4); dsr += mac->hdr.argus_dsrvl8.len; flow->canon.hdr.len += mac->hdr.argus_dsrvl8.len; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; bcopy(attr, dsr, attr->hdr.argus_dsrvl8.len * 4); dsr += attr->hdr.argus_dsrvl8.len; flow->canon.hdr.len += attr->hdr.argus_dsrvl8.len; } } } } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusParseCiscoRecordV9Data (%p, %p, %p, %p, %d) new flow %p\n", parser, model, tqueue, ptr, *cnt, retn); #endif } ArgusParsingIPv6 = 0; *cnt = *cnt - 1; } src->lasttime = model->ArgusGlobalTime; } else { if (templates[flowset_id].tHdr != NULL) { ArgusFree(templates[flowset_id].tHdr); bzero(&templates[flowset_id], sizeof(struct ArgusCiscoTemplateStruct)); templates[flowset_id].tHdr = NULL; } } } } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9Data (%p, %p, %p, %p, %d) returning %p\n", parser, model, tqueue, ptr, *cnt, retn); #endif return(retn); } struct ArgusRecord * ArgusParseCiscoRecordV9Template (struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int len) { struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusRecord *retn = NULL; struct ArgusCiscoSourceStruct *src; int i, done = 0; if (tqueue != NULL) { int cnt = tqueue->count; for (i = 0; (i < cnt) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates == NULL) { if ((src = (struct ArgusCiscoSourceStruct *)ArgusCalloc (1, sizeof(*src))) == NULL) ArgusLog(LOG_ERR, "ArgusParseCiscoRecordV9Template: ArgusCalloc(%d, %d) error %s\n", 1, sizeof(*src), strerror(errno)); src->srcid = ArgusCiscoSrcId; src->saddr = ArgusCiscoSrcAddr; src->startime = model->ArgusGlobalTime; src->lasttime = model->ArgusGlobalTime; templates = src->templates; ArgusAddToQueue (tqueue, &src->qhdr, ARGUS_LOCK); } if (templates) { while (!done) { CiscoFlowTemplateHeaderV9_t *tHdr = (CiscoFlowTemplateHeaderV9_t *) ptr; CiscoFlowTemplateFlowEntryV9_t *tData = (CiscoFlowTemplateFlowEntryV9_t *)(tHdr + 1); CiscoFlowTemplateFlowEntryV9_t **dArray = NULL; int slen = 0; tHdr->template_id = ntohs(tHdr->template_id); tHdr->count = ntohs(tHdr->count); slen = (sizeof(*tData) * tHdr->count) + sizeof(*tHdr); if (templates[tHdr->template_id].tHdr != NULL) { #ifdef ARGUSDEBUG unsigned long addr = htonl(ArgusCiscoSrcAddr); char *srcAddr = (inet_ntoa(*(struct in_addr *)&addr)); ArgusDebug (3, "ArgusParseCiscoRecordV9Template: pkt %d changing template src %s srcid %d tid %d \n", model->ArgusTotalPacket, srcAddr, ArgusCiscoSrcId, tHdr->template_id); #endif ArgusFree(templates[tHdr->template_id].tHdr); templates[tHdr->template_id].tHdr = NULL; templates[tHdr->template_id].length = slen + 4; templates[tHdr->template_id].count = tHdr->count; } else { #ifdef ARGUSDEBUG unsigned long addr = htonl(ArgusCiscoSrcAddr); char *srcAddr = (inet_ntoa(*(struct in_addr *)&addr)); ArgusDebug (3, "ArgusParseCiscoRecordV9Template: pkt %d new template src %s srcid %d tid %d \n", model->ArgusTotalPacket, srcAddr, ArgusCiscoSrcId, tHdr->template_id); #endif } if ((dArray = ArgusCalloc(1, slen + 4)) == NULL) ArgusLog(LOG_ERR, "ArgusCalloc(%d, %d) error %s\n", tHdr->count, sizeof(*tData), strerror(errno)); for (i = 0; i < tHdr->count; i++) { tData->type = ntohs(tData->type); tData->length = ntohs(tData->length); tData++; } bcopy(tHdr, dArray, slen); templates[tHdr->template_id].tHdr = dArray; templates[tHdr->template_id].lasttime = model->ArgusGlobalTime; if ((len - slen) > 0) { ptr += slen; len -= slen; } else done = 1; } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9Template (%p, %p, %d, %p) returning %p\n", model, templates, ptr, len); #endif return(retn); } struct ArgusRecord * ArgusParseCiscoRecordV9OptionTemplate (struct ArgusModelerStruct *model, struct ArgusQueueStruct *tqueue, u_char *ptr, int len) { struct ArgusCiscoTemplateStruct *templates = NULL; struct ArgusRecord *retn = NULL; struct ArgusCiscoSourceStruct *src; int i; if (tqueue != NULL) { int cnt = tqueue->count; for (i = 0; (i < cnt) && (templates == NULL); i++) { src = (struct ArgusCiscoSourceStruct *)ArgusPopQueue (tqueue, ARGUS_LOCK); if ((src->srcid == ArgusCiscoSrcId) && (src->saddr == ArgusCiscoSrcAddr)) templates = src->templates; ArgusAddToQueue(tqueue, &src->qhdr, ARGUS_LOCK); } } if (templates) { } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusParseCiscoRecordV9OptionTemplate (%p, %p) returning %p\n", model, ptr, retn); #endif return(retn); } #endif argus-5.0.2/argus/ArgusNetflow.h000066400000000000000000000044721471541253600165700ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Netflow processing includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/argus/argus/argus/ArgusNetflow.h#1 $ * $DateTime: 2011/01/26 17:21:20 $ * $Change: 2089 $ */ #define CISCO_VERSION_1 1 #define CISCO_VERSION_5 5 #define CISCO_VERSION_6 6 #define CISCO_VERSION_7 7 #define CISCO_VERSION_8 8 #define CISCO_VERSION_9 9 #ifndef ArgusNetflow_h #define ArgusNetflow_h #include void ArgusParseCiscoRecord (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV1 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV7 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV8 (struct ArgusModelerStruct *, void *); void ArgusParseCiscoRecordV9 (struct ArgusModelerStruct *, void *); #else extern void ArgusParseCiscoRecord (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV1 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV5 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV6 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV7 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV8 (struct ArgusModelerStruct *, void *); extern void ArgusParseCiscoRecordV9 (struct ArgusModelerStruct *, void *); #endif argus-5.0.2/argus/ArgusOutput.c000066400000000000000000002323071471541253600164450ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Output processor * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusOutput.c#16 $ * $DateTime: 2016/10/27 18:40:41 $ * $Change: 3232 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusOutput) #define ArgusOutput #endif #include #include #include #include #include #if defined(HAVE_ZLIB_H) #include #endif #include #include #include #include "ArgusTimeDiff.h" #if defined(ARGUS_THREADS) #include #endif #include "ArgusGetTimeOfDay.h" void *ArgusOutputProcess(void *); #define ARGUS_SOCKET_PATH "/tmp/argus.sock" #if defined(ARGUS_TILERA) extern int ArgusFirstTile; #endif static int ArgusEstablishListen(struct ArgusOutputStruct *output, char *errbuf, size_t errbuflen); struct timeval *getArgusMarReportInterval(struct ArgusOutputStruct *); void setArgusMarReportInterval(struct ArgusOutputStruct *, char *); struct ArgusRecord *ArgusGenerateInitialMar (struct ArgusOutputStruct *); struct ArgusRecordStruct *ArgusGenerateMarInterfaceRecord (struct ArgusOutputStruct *, unsigned char); struct ArgusRecordStruct *ArgusGenerateStatusMarRecord (struct ArgusOutputStruct *, unsigned char); int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); struct ArgusOutputStruct * ArgusNewOutput (struct ArgusSourceStruct *src, struct ArgusModelerStruct *model) { struct ArgusOutputStruct *retn = NULL; if ((retn = (struct ArgusOutputStruct *) ArgusCalloc (1, sizeof (struct ArgusOutputStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput() ArgusCalloc error %s\n", strerror(errno)); ArgusGetTimeOfDay(src, &retn->ArgusGlobalTime); retn->ArgusStartTime = retn->ArgusGlobalTime; retn->ArgusReportTime.tv_sec = retn->ArgusGlobalTime.tv_sec + retn->ArgusMarReportInterval.tv_sec; retn->ArgusReportTime.tv_usec += retn->ArgusMarReportInterval.tv_usec; retn->ArgusLastMarUpdateTime = retn->ArgusGlobalTime; if ((retn->ArgusClients = ArgusNewQueue()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: clients queue %s", strerror(errno)); if ((retn->ArgusOutputList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: ArgusNewList %s", strerror(errno)); if ((retn->ArgusInputList = ArgusNewList()) == NULL) ArgusLog (LOG_ERR, "ArgusNewOutput: ArgusNewList %s", strerror(errno)); retn->ArgusSrc = src; retn->ArgusModel = model; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusNewOutput() returning retn %p\n", retn); #endif return (retn); } #ifdef ARGUS_SASL int iptostring(const struct sockaddr *, socklen_t, char *, unsigned); static int ArgusSaslLog (void *context __attribute__((unused)), int priority, const char *message) { const char *label; if (! message) return SASL_BADPARAM; switch (priority) { case SASL_LOG_ERR: label = "Error"; break; case SASL_LOG_NOTE: label = "Info"; break; default: label = "Other"; break; } #ifdef ARGUSDEBUG ArgusDebug(1, "ArgusSaslLog %s: %s", label, message); #endif return SASL_OK; } //#ifdef _LP64 //#define PLUGINDIR "/usr/lib64/sasl2" //#else #define PLUGINDIR "/usr/lib/sasl2" //#endif char *searchpath = NULL; static int ArgusSaslGetPath(void *context __attribute__((unused)), char ** path) { if (! path) return SASL_BADPARAM; if (searchpath) *path = searchpath; else *path = PLUGINDIR; #ifdef ARGUSDEBUG ArgusDebug(2, "SASL path %s", *path); #endif return SASL_OK; } //typedef struct sasl_callback { // /* Identifies the type of the callback function. // * Mechanisms must ignore callbacks with id's they don't recognize. // */ // unsigned long id; // int (*proc)(void); /* Callback function. Types of arguments vary by 'id' */ // void *context; //} sasl_callback_t; typedef int (*funcptr)(); static const struct sasl_callback argus_cb[] = { { SASL_CB_LOG, (funcptr)&ArgusSaslLog, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; #endif void ArgusInitOutput (struct ArgusOutputStruct *output) { struct ArgusWfileStruct *wfile; extern char *chroot_dir; extern uid_t new_uid; extern gid_t new_gid; int i, len = 0, retn = 0; #if defined(ARGUS_THREADS) extern pthread_attr_t *ArgusAttr; #endif ArgusParser = ArgusNewParser(ArgusProgramName); if (output->ArgusInitMar != NULL) ArgusFree (output->ArgusInitMar); if ((output->ArgusInitMar = ArgusGenerateInitialMar(output)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusGenerateInitialMar error %s", strerror(errno)); len = ntohs(output->ArgusInitMar->hdr.len) * 4; for (i = 0; i < ARGUS_MAXLISTEN; i++) output->ArgusLfd[i] = -1; if (output->ArgusPortNum != 0) { char errbuf[256]; if (ArgusEstablishListen (output, errbuf, sizeof(errbuf)) < 0) ArgusLog (LOG_ERR, "%s", errbuf); } if (chroot_dir != NULL) ArgusSetChroot(chroot_dir); if (new_gid > 0) { if (setegid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (seteuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } if (output->ArgusWfileList) { struct ArgusListRecord *sfile= output->ArgusWfileList->start->obj; do { if ((wfile = (struct ArgusWfileStruct *) ArgusPopFrontList(output->ArgusWfileList, ARGUS_LOCK)) != NULL) { struct ArgusClientData *client = (void *) ArgusCalloc (1, sizeof(struct ArgusClientData)); if (client == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusCalloc %s", strerror(errno)); if (strcmp (wfile->filename, "-")) { if ((!(strncmp (wfile->filename, "argus-udp://", 12))) || (!(strncmp (wfile->filename, "udp://", 6)))) { char *baddr = strstr (wfile->filename, "udp://"); baddr = &baddr[6]; client->type = ARGUS_DATA_SOURCE; #if defined(HAVE_GETADDRINFO) struct addrinfo hints, *hp = NULL, *bhp = NULL; int retn = 0, numerichost = 1; char *port, *ptr; if ((port = strchr(baddr, ':')) != NULL) { *port++ = '\0'; } else { port = "561"; } if (output->ArgusBindAddrs || output->ArgusBindPort) { char *ArgusBindAddr = NULL; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; hints.ai_flags |= AI_PASSIVE; if (ArgusBindAddr && (!strcmp(ArgusBindAddr, "any"))) ArgusBindAddr = NULL; getaddrinfo(ArgusBindAddr, output->ArgusBindPort, NULL, &bhp); } memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; for (ptr = port; *ptr != '\0'; ptr++) { int c = *ptr; if (!isdigit(c)) numerichost = 0; } #if defined(AI_NUMERICHOST) if (numerichost) hints.ai_flags |= AI_NUMERICHOST; #endif if ((retn = getaddrinfo(baddr, port, &hints, &client->host)) != 0) { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "bind address %s unknown", optarg); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "bind address %s has no IP address", optarg); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "bind address %s name server error %s", optarg, strerror(errno)); break; } } hp = client->host; do { if ((client->fd = socket (hp->ai_family, hp->ai_socktype, hp->ai_protocol)) >= 0) { unsigned char ttl = 128; int ttl_size = sizeof(ttl); if (setsockopt(client->fd, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, ttl_size) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set multicast TTL: %s", strerror(errno)); if (bhp != NULL) { #if defined(SO_REUSEPORT) int on = 1; #endif if (bind (client->fd, bhp->ai_addr, sizeof(struct sockaddr_in)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: bind %s", strerror(errno)); #if defined(SO_REUSEPORT) if (setsockopt(client->fd, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseport %s", strerror(errno)); #endif } } else ArgusLog (LOG_ERR, "ArgusInitOutput: socket %s: %s", wfile->filename, strerror(errno)); hp = hp->ai_next; } while (hp != NULL); #endif } else if (!(strncmp (wfile->filename, "domain://", 9))) { client->type = ARGUS_DOMAIN_SOURCE; output->type = ARGUS_DOMAIN_SOURCE; } else { if ((client->fd = open (wfile->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: open %s: %s", wfile->filename, strerror(errno)); } } else { client->fd = 1; output->ArgusWriteStdOut++; } if (wfile->filter != NULL) { if (ArgusFilterCompile (&client->ArgusNFFcode, wfile->filter, 1) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusFilter syntax error: %s", wfile->filter); client->ArgusFilterInitialized++; #ifdef ARGUSDEBUG { char *code = NULL; if ((code = ArgusCalloc (1, MAXSTRLEN)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput:ArgusCalloc error %s\n", strerror(errno)); nff_dump(&client->ArgusNFFcode, code, MAXSTRLEN, 1); ArgusDebug (5, "ArgusInitOutput: ArgusFilterCompile returned: \n%s\n", code); ArgusFree (code); } #endif } if ((client->sock = ArgusNewSocket(client->fd)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusNewSocket error %s", strerror(errno)); if (client->host != NULL) { if ((retn = sendto(client->fd, (char *) output->ArgusInitMar, len, 0, client->host->ai_addr, client->host->ai_addrlen)) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: sendto(): retn %d %s", retn, strerror(errno)); } else { while ((retn = write (client->fd, (char *) output->ArgusInitMar, len)) != len) { if (!output->ArgusWriteStdOut) { close (client->fd); unlink (wfile->filename); } ArgusLog (LOG_ERR, "ArgusInitOutput: write(): retn %d %s", retn, strerror(errno)); } } if (strcmp(wfile->filename, "/dev/null")) client->sock->filename = strdup(wfile->filename); ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_LOCK); client->ArgusClientStart++; ArgusPushBackList (output->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_LOCK); } } while (output->ArgusWfileList->start->obj != sfile); ArgusDeleteList(output->ArgusWfileList, ARGUS_WFILE_LIST); output->ArgusWfileList = NULL; } if (new_gid > 0) if (setegid(ArgusGid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); if (new_uid > 0) if (seteuid(ArgusUid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); #ifdef ARGUS_SASL if ((retn = sasl_server_init(argus_cb, ArgusProgramName)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitOutput() sasl_server_init failed %d\n", retn); #endif /* ARGUS_SASL */ #if defined(ARGUS_THREADS) if ((pthread_create(&output->thread, ArgusAttr, ArgusOutputProcess, (void *) output)) != 0) ArgusLog (LOG_ERR, "ArgusInitOutput() pthread_create error %s\n", strerror(errno)); #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitOutput() done"); #endif } void ArgusCloseOutput(struct ArgusOutputStruct *output) { #if defined(ARGUS_THREADS) void *retn = NULL; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseOutput(%p) scheduling closure after %d records\n", output, output->ArgusInputList->count); #endif if ((output != NULL) && (output->thread != 0)) { output->status |= ARGUS_SHUTDOWN; if (output->thread) pthread_join(output->thread, &retn); } else { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCloseOutput(%p) no output or output->thread available\n", output); #endif } #else if (output != NULL) { output->status |= ARGUS_SHUTDOWN; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCloseOutput(%p) scheduling closure after writing records\n", output); #endif ArgusOutputProcess(output); } #endif /* ARGUS_THREADS */ ArgusDeleteList(output->ArgusInputList, ARGUS_OUTPUT_LIST); ArgusDeleteList(output->ArgusOutputList, ARGUS_OUTPUT_LIST); ArgusDeleteList(output->ArgusBindAddrs, ARGUS_BIND_ADDR_LIST); ArgusDeleteQueue(output->ArgusClients); if (output->ArgusInitMar != NULL) ArgusFree (output->ArgusInitMar); if (ArgusParser != NULL) { ArgusCloseParser(ArgusParser); ArgusFree(ArgusParser); ArgusParser = NULL; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCloseOutput(%p) done\n", output); #endif } void ArgusCheckClientStatus (struct ArgusOutputStruct *, int); int ArgusCheckClientMessage (struct ArgusOutputStruct *, struct ArgusClientData *); int ArgusCongested = 0; int ArgusOutputStatusTime(struct ArgusOutputStruct *); int ArgusOutputStatusTime(struct ArgusOutputStruct *output) { long long dtime; int retn = 0; if ((dtime = ArgusTimeDiff(&output->ArgusReportTime, &output->ArgusGlobalTime)) >= 0) { retn = 1; output->ArgusReportTime = output->ArgusGlobalTime; output->ArgusReportTime.tv_sec += getArgusMarReportInterval(output)->tv_sec; output->ArgusReportTime.tv_usec += getArgusMarReportInterval(output)->tv_usec; if (output->ArgusReportTime.tv_usec > ARGUS_FRACTION_TIME) { output->ArgusReportTime.tv_sec++; output->ArgusReportTime.tv_usec -= ARGUS_FRACTION_TIME; } } #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusOutputStatusTime(%p) done", output); #endif return (retn); } int ArgusOutputMarInfTime(struct ArgusOutputStruct *output) { long long dtime; int retn = 0; if ((dtime = ArgusTimeDiff(&output->ArgusMarInfTime, &output->ArgusGlobalTime)) >= 0) { // For now always return 0. // retn = 1; output->ArgusMarInfTime = output->ArgusGlobalTime; output->ArgusMarInfTime.tv_sec += getArgusMarInfReportInterval(output)->tv_sec; output->ArgusMarInfTime.tv_usec += getArgusMarInfReportInterval(output)->tv_usec; if (output->ArgusMarInfTime.tv_usec > ARGUS_FRACTION_TIME) { output->ArgusMarInfTime.tv_sec++; output->ArgusReportTime.tv_usec -= ARGUS_FRACTION_TIME; } } #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusOutputMarInfTime(%p) done", output); #endif return (retn); } void * ArgusOutputProcess(void *arg) { struct ArgusOutputStruct *output = (struct ArgusOutputStruct *) arg; struct timeval ArgusUpDate = {0, 500000}, ArgusNextUpdate = {0,0}; struct ArgusListStruct *list = NULL; int val, count; void *retn = NULL; #if defined(ARGUS_THREADS) sigset_t blocked_signals; #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG #if defined(ARGUS_THREADS) ArgusDebug (1, "ArgusOutputProcess(%p) starting\n", output); #else ArgusDebug (6, "ArgusOutputProcess(%p) starting\n", output); #endif #endif #if defined(ARGUS_TILERA) bind_proc(ArgusFirstTile + 1); #endif #if defined(ARGUS_THREADS) sigfillset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #if defined(HAVE_SOLARIS) sigignore(SIGPIPE); #else (void) signal (SIGPIPE, SIG_IGN); #endif while ((list = output->ArgusInputList) == NULL) { struct timespec tsbuf = {0, 10000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusOutputProcess(%p) waiting for ArgusOutputList\n", output); #endif nanosleep (ts, NULL); } while (!(output->status & ARGUS_SHUTDOWN) || ((output->status & ARGUS_SHUTDOWN) && !ArgusListEmpty(list))) { #else if ((list = output->ArgusInputList) != NULL) { #endif struct ArgusRecordStruct *rec = NULL; gettimeofday (&output->ArgusGlobalTime, 0L); if (output->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) output->ArgusGlobalTime.tv_usec *= 1000; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() looping\n"); #endif /* check to see if there are any new clients */ if ((output->ArgusPortNum != 0) && ((output->ArgusGlobalTime.tv_sec > ArgusNextUpdate.tv_sec) || ((output->ArgusGlobalTime.tv_sec == ArgusNextUpdate.tv_sec) && (output->ArgusGlobalTime.tv_usec > ArgusNextUpdate.tv_usec)))) { if (output->ArgusListens) { struct timeval wait = {0, 0}; fd_set readmask; int i, width = 0; FD_ZERO(&readmask); for (i = 0; i < output->ArgusListens; i++) { if (output->ArgusLfd[i] != -1) { FD_SET(output->ArgusLfd[i], &readmask); width = (output->ArgusLfd[i] > width) ? output->ArgusLfd[i] : width; } } if (output->ArgusClients) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() checking for remotes\n"); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; do { if (client->sock && !(client->sock->filename)) { FD_SET(client->fd, &readmask); width = (client->fd > width) ? client->fd : width; } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } if ((val = select (width + 1, &readmask, NULL, NULL, &wait)) >= 0) { if (val > 0) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int done = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() select returned with tasks\n"); #endif for (i = 0; (i < output->ArgusListens) && (!done); i++) { if (FD_ISSET(output->ArgusLfd[i], &readmask)) ArgusCheckClientStatus(output, output->ArgusLfd[i]); if (client != NULL) { do { if (client->fd != -1) { if (FD_ISSET(client->fd, &readmask)) { if (ArgusCheckClientMessage(output, client) < 0) { ArgusDeleteSocket(output, client); } else { done++; break; } } } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } } } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() done checking for remotes\n"); #endif } ArgusNextUpdate.tv_usec += ArgusUpDate.tv_usec; ArgusNextUpdate.tv_sec += ArgusUpDate.tv_sec; if (ArgusNextUpdate.tv_usec > ARGUS_FRACTION_TIME) { ArgusNextUpdate.tv_sec++; ArgusNextUpdate.tv_usec -= ARGUS_FRACTION_TIME; } } } #if defined(ARGUS_THREADS) if (ArgusListEmpty(list)) { struct timeval tvp; struct timespec tsbuf, *ts = &tsbuf; gettimeofday (&tvp, 0L); ts->tv_sec = tvp.tv_sec + 0; ts->tv_nsec = tvp.tv_usec * 1000; ts->tv_nsec += 100000000; while (ts->tv_nsec >= 1000000000) { ts->tv_sec++; ts->tv_nsec -= 1000000000; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() waiting for input list\n"); #endif if (pthread_mutex_lock(&list->lock)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_mutex_lock error %s\n", strerror(errno)); #endif } if (pthread_cond_timedwait(&list->cond, &list->lock, ts) == EINVAL) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_cond_timedwait error bad value\n"); #endif } if (pthread_mutex_unlock(&list->lock)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() pthread_mutex_lock error %s\n", strerror(errno)); #endif } } #endif if (ArgusOutputStatusTime(output)) { if ((rec = ArgusGenerateStatusMarRecord(output, ARGUS_STATUS)) != NULL) { if (output->ArgusClients) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; do { if ((client->fd != -1) && (client->sock != NULL) && client->ArgusClientStart) { if (ArgusWriteSocket (output, client, rec) < 0) { ArgusDeleteSocket(output, client); } } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif } ArgusFreeListRecord (rec); } } if (ArgusOutputMarInfTime(output)) { if ((rec = ArgusGenerateMarInterfaceRecord(output, ARGUS_STATUS)) != NULL) { if (output->ArgusClients) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; do { if ((client->fd != -1) && (client->sock != NULL) && client->ArgusClientStart) { if (ArgusWriteSocket (output, client, rec) < 0) { ArgusDeleteSocket(output, client); } } client = (void *) client->qhdr.nxt; } while (client != (void *)output->ArgusClients->start); } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif } ArgusFreeListRecord (rec); } } if (output->ArgusOutputList && !(ArgusListEmpty(list))) { int done = 0; ArgusLoadList(list, output->ArgusOutputList); while (!done && ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusOutputList, ARGUS_LOCK)) != NULL)) { output->ArgusTotalRecords++; switch (rec->hdr.type & 0xF0) { case ARGUS_FAR: case ARGUS_NETFLOW: { output->ArgusOutputSequence = rec->canon.trans.seqnum; break; } } count = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() received rec %p totals %lld seq %d\n", rec, output->ArgusTotalRecords, output->ArgusOutputSequence); #endif if (((rec->hdr.type & 0xF0) == ARGUS_MAR) && ((rec->hdr.cause & 0xF0) == ARGUS_STOP)) { done++; output->status |= ARGUS_SHUTDOWN; ArgusFreeListRecord(rec); if ((rec = ArgusGenerateStatusMarRecord(output, ARGUS_STOP)) == NULL) { } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusOutputProcess(%p) rec %d received as stop record \n", output, output->ArgusTotalRecords); #endif } if (output->ArgusClients) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if (output->ArgusClients->count) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int i, ArgusWriteRecord = 0; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() %d client(s) for record %p\n", output->ArgusClients->count, rec); #endif for (i = 0; i < output->ArgusClients->count; i++) { if ((client->fd != -1) && (client->sock != NULL) && client->ArgusClientStart) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() client %p ready fd %d sock %p start %d", client, client->fd, client->sock, client->ArgusClientStart); #endif ArgusWriteRecord = 1; if (client->ArgusFilterInitialized) { bcopy(&rec->hdr, &rec->canon.hdr, sizeof(rec->hdr)); if (!(ArgusFilterRecord ((struct nff_insn *)client->ArgusNFFcode.bf_insns, rec))) ArgusWriteRecord = 0; } if (ArgusWriteRecord) { if (ArgusWriteSocket (output, client, rec) < 0) { ArgusDeleteSocket(output, client); } else { if (ArgusWriteOutSocket (output, client) < 0) { ArgusDeleteSocket(output, client); } } } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() client %p filter blocks fd %d sock %p start %d", client, client->fd, client->sock, client->ArgusClientStart); #endif } } else { struct timeval tvbuf, *tvp = &tvbuf; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() %d client(s) not ready fd %d sock 0x%x start %d", output->ArgusClients->count, client->fd, client->sock, client->ArgusClientStart); #endif RaDiffTime (&output->ArgusGlobalTime, &client->startime, tvp); if (tvp->tv_sec >= ARGUS_CLIENT_STARTUP_TIMEOUT) { if (client->sock != NULL) { ArgusDeleteSocket(output, client); ArgusLog (LOG_WARNING, "ArgusCheckClientMessage: client %s never started: timed out", (client->hostname != NULL) ? client->hostname : "noname"); } client->ArgusClientStart = 1; } } client = (void *) client->qhdr.nxt; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusOutputProcess() no client for record %p\n", rec); #endif } ArgusFreeListRecord(rec); } if (output->ArgusWriteStdOut) fflush (stdout); } else { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusOutputProcess() no records to output\n"); #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() checking out clients\n"); #endif #if defined(ARGUS_THREADS) pthread_mutex_lock(&output->ArgusClients->lock); #endif if ((output->ArgusPortNum != 0) && (output->ArgusClients->count)) { struct ArgusClientData *client = (void *)output->ArgusClients->start; int i; for (i = 0; i < output->ArgusClients->count; i++) { if ((client->fd != -1) && (client->sock != NULL)) { if (output->status & ARGUS_SHUTDOWN) { ArgusWriteOutSocket (output, client); ArgusDeleteSocket(output, client); } else { if (ArgusWriteOutSocket (output, client) < 0) { ArgusDeleteSocket(output, client); } } } client = (void *) client->qhdr.nxt; } for (i = 0, count = output->ArgusClients->count; (i < count) && output->ArgusClients->count; i++) { if ((client->fd == -1) && (client->sock == NULL) && client->ArgusClientStart) { if (ArgusRemoveFromQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK) != NULL) ArgusFree(client); i = 0; count = output->ArgusClients->count; client = (void *)output->ArgusClients->start; } else client = (void *)client->qhdr.nxt; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&output->ArgusClients->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusOutputProcess() done with clients\n"); #endif #if !defined(ARGUS_THREADS) } #else } #endif /* ARGUS_THREADS */ #ifdef ARGUSDEBUG #if defined(ARGUS_THREADS) ArgusDebug (6, "ArgusOutputProcess(%p) shuting down %d\n", output, output->ArgusInputList->count); #else ArgusDebug (6, "ArgusOutputProcess(%p) done count %d\n", output, output->ArgusInputList->count); #endif /* ARGUS_THREADS */ #endif #if defined(ARGUS_THREADS) { struct ArgusClientData *client; while ((client = (void *) output->ArgusClients->start) != NULL) { if ((client->fd != -1) && (client->sock != NULL)) ArgusWriteOutSocket (output, client); ArgusDeleteSocket(output, client); if (ArgusRemoveFromQueue(output->ArgusClients, &client->qhdr, ARGUS_LOCK) != NULL) ArgusFree(client); } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusOutputProcess(%p) exiting\n", output); #endif pthread_exit(retn); #endif /* ARGUS_THREADS */ return (retn); } #include #include static int ArgusEstablishListen (struct ArgusOutputStruct *output, char *errbuf, size_t errbuflen) { int port = output->ArgusPortNum; struct ArgusBindAddrStruct *ArgusBindAddrs = NULL; char *baddr = NULL; int s = -1; if (port > 0) { if (output->ArgusListens > 0) { int i = output->ArgusListens; for (i = 0; i < output->ArgusListens; i++) { close(output->ArgusLfd[i]); output->ArgusLfd[i] = -1; } } output->ArgusListens = 0; if (output->ArgusBindAddrs != NULL) { ArgusBindAddrs = (struct ArgusBindAddrStruct *)output->ArgusBindAddrs->start; baddr = ArgusBindAddrs->addr; } do { #if defined(HAVE_GETADDRINFO) { struct addrinfo hints, *host, *hp; char portbuf[32]; int retn = 0; memset(&hints, 0, sizeof(hints)); if (output->ArgusAddrInfo.ai_socktype || output->ArgusAddrInfo.ai_protocol) { hints.ai_family = output->ArgusAddrInfo.ai_family; hints.ai_socktype = output->ArgusAddrInfo.ai_socktype; hints.ai_protocol = output->ArgusAddrInfo.ai_protocol; } else { hints.ai_family = PF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; hints.ai_flags = AI_PASSIVE; } snprintf(portbuf, 32, "%d", port); if ((retn = getaddrinfo(baddr, portbuf, &hints, &host)) != 0) { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "bind address %s unknown", optarg); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "bind address %s has no IP address", optarg); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "bind address %s name server error %s", optarg, strerror(errno)); break; } } hp = host; do { retn = -1; if ((s = socket (hp->ai_family, hp->ai_socktype, hp->ai_protocol)) >= 0) { int flags = fcntl (s, F_GETFL, 0L); if ((fcntl (s, F_SETFL, flags | O_NDELAY)) >= 0) { int on = 1; if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseaddr %s", strerror(errno)); #ifdef ARGUSDEBUG if (baddr) ArgusDebug (1, "ArgusEstablishListen(%p, %p) binding: %s:%d family: %d\n", output, errbuf, baddr, port, hp->ai_family); else { #if defined(__OpenBSD__) switch (hp->ai_family) { case AF_INET6: ((struct sockaddr_in6 *)hp->ai_addr)->sin6_addr = in6addr_any; break; } #endif ArgusDebug (1, "ArgusEstablishListen(%d, %p) binding: any:%d family: %d\n", port, errbuf, port, hp->ai_family); } #endif if (!(bind (s, hp->ai_addr, hp->ai_addrlen))) { switch (hp->ai_socktype) { case SOCK_STREAM: if ((retn = listen (s, ARGUS_MAXLISTEN)) >= 0) { output->ArgusLfd[output->ArgusListens++] = s; } else { snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: listen() failure", ArgusProgramName); } break; case SOCK_DGRAM: retn = 0; break; } } else { snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: bind() error", ArgusProgramName); } } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: fcntl() error", ArgusProgramName); if (retn == -1) { close (s); s = -1; } } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: socket() error", ArgusProgramName); hp = hp->ai_next; } while ((hp != NULL) && (retn == -1)); freeaddrinfo(host); } #else struct sockaddr_in sin; struct hostent *host; sin.sin_addr.s_addr = INADDR_ANY; if (baddr) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEstablishListen(%d, %s, %p)\n", port, baddr, errbuf); #endif if ((host = gethostbyname (baddr)) != NULL) { if ((host->h_addrtype == AF_INET) && (host->h_length == 4)) { bcopy ((char *) *host->h_addr_list, (char *)&sin.sin_addr.s_addr, host->h_length); } else ArgusLog (LOG_ERR, "ArgusEstablishListen() unsupported bind address %s", baddr); } else ArgusLog (LOG_ERR, "ArgusEstablishListen() bind address %s error %s", baddr, strerror(errno)); } sin.sin_port = htons((u_short) port); sin.sin_family = AF_INET; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusEstablishListen(%p, %p) binding: %d:%d\n", output, errbuf, sin.sin_addr.s_addr, port); #endif if ((s = socket (AF_INET, SOCK_STREAM, 0)) != -1) { int flags = fcntl (s, F_GETFL, 0L); if ((fcntl (s, F_SETFL, flags | O_NDELAY)) >= 0) { int on = 1; if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) ArgusLog (LOG_INFO, "ArgusInitOutput: setsockopt set reuseaddr %s", strerror(errno)); if (!(bind (s, (struct sockaddr *)&sin, sizeof(sin)))) { if ((listen (s, ARGUS_MAXLISTEN)) >= 0) { output->ArgusLfd[output->ArgusListens++] = s; } else { close (s); s = -1; snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: listen() failure", ArgusProgramName); } } else { close (s); s = -1; snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: bind() error", ArgusProgramName); } } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: fcntl() error", ArgusProgramName); } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: socket() error", ArgusProgramName); #endif if (ArgusBindAddrs) { if ((ArgusBindAddrs = (struct ArgusBindAddrStruct *)ArgusBindAddrs->nxt) != NULL) { baddr = ArgusBindAddrs->addr; } else baddr = NULL; } } while (baddr != NULL); } else { struct stat statbuf; struct sockaddr_un server; int retn = -1; output->type = ARGUS_DOMAIN_SOURCE; switch (stat(ARGUS_SOCKET_PATH, &statbuf)) { case 0: if (unlink(ARGUS_SOCKET_PATH)) snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: unlink() %s", ArgusProgramName, strerror(errno)); break; case ENOENT: break; } if ((s = socket (AF_UNIX, SOCK_STREAM, 0)) >= 0) { int flags = fcntl (s, F_GETFL, 0L); if ((fcntl (s, F_SETFL, flags | O_NDELAY)) >= 0) { server.sun_family = AF_UNIX; strcpy(server.sun_path, ARGUS_SOCKET_PATH); if (!(bind (s, (struct sockaddr *) &server, sizeof(struct sockaddr_un)))) { if ((retn = listen (s, ARGUS_MAXLISTEN)) >= 0) { output->ArgusLfd[output->ArgusListens++] = s; } else { snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: listen() %s", ArgusProgramName, strerror(errno)); } } else { snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: bind() %s", ArgusProgramName, strerror(errno)); } } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: fcntl() %s", ArgusProgramName, strerror(errno)); if (retn == -1) { close (s); s = -1; } } else snprintf(errbuf, errbuflen, "%s: ArgusEstablishListen: socket() error", ArgusProgramName); } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusEstablishListen(%p, %p) returning %d\n", output, errbuf, s); #endif return (s); } int ArgusAuthenticateClient (struct ArgusClientData *); #ifdef ARGUS_SASL static sasl_ssf_t extprops_ssf = 0; static char clienthost[NI_MAXHOST*2+1] = "[local]"; sasl_security_properties_t *mysasl_secprops(int); #endif void ArgusCheckClientStatus (struct ArgusOutputStruct *output, int s) { struct sockaddr from; int len = sizeof (from), bytes; int fd; #ifdef ARGUS_SASL #define SASL_SEC_MASK 0x0fff struct sockaddr_storage localaddr, remoteaddr; int retn, argus_have_addr = 0; char localhostname[1024]; sasl_conn_t *conn = NULL; socklen_t salen; sasl_security_properties_t *secprops = NULL; char localip[60], remoteip[60]; #endif if ((fd = accept (s, (struct sockaddr *)&from, (socklen_t *)&len)) > 0) { int flags = fcntl (fd, F_GETFL, 0L); int retn = 0; if ((fcntl (fd, F_SETFL, flags | O_NONBLOCK)) >= 0) { if (output->type != ARGUS_DOMAIN_SOURCE) { /* if ((retn = ArgusTcpWrapper (fd, &from)) < 0) { ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: ArgusTcpWrapper rejects"); close (fd); } */ } else retn = 0; if (retn >= 0) { if (output->ArgusClients && (output->ArgusClients->count < ARGUS_MAXLISTEN)) { struct ArgusClientData *client = (void *) ArgusCalloc (1, sizeof(struct ArgusClientData)); if (client == NULL) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: ArgusCalloc %s", strerror(errno)); client->fd = fd; client->startime = output->ArgusGlobalTime; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus() new client\n"); #endif if ((client->sock = ArgusNewSocket(fd)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput: ArgusNewSocket error %s", strerror(errno)); if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); if ((output->ArgusInitMar = ArgusGenerateInitialMar(output)) == NULL) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: ArgusGenerateInitialMar error %s", strerror(errno)); #ifdef ARGUS_SASL if (ArgusMaxSsf == 0) goto no_auth; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: SASL enabled\n"); #endif { char hbuf[NI_MAXHOST]; int niflags; salen = sizeof(remoteaddr); bzero(hbuf, sizeof(hbuf)); if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) == 0 && (remoteaddr.ss_family == AF_INET || remoteaddr.ss_family == AF_INET6)) { if (getnameinfo((struct sockaddr *)&remoteaddr, salen, hbuf, sizeof(hbuf), NULL, 0, NI_NAMEREQD) == 0) { strncpy(clienthost, hbuf, sizeof(hbuf)); } else { clienthost[0] = '\0'; } niflags = NI_NUMERICHOST; #ifdef NI_WITHSCOPEID if (((struct sockaddr *)&remoteaddr)->sa_family == AF_INET6) niflags |= NI_WITHSCOPEID; #endif if (getnameinfo((struct sockaddr *)&remoteaddr, salen, hbuf, sizeof(hbuf), NULL, 0, niflags) != 0) strncpy(hbuf, "unknown", sizeof(hbuf)); sprintf(&clienthost[strlen(clienthost)], "[%s]", hbuf); salen = sizeof(localaddr); if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) == 0) { if ((iptostring((struct sockaddr *)&remoteaddr, salen, remoteip, sizeof(remoteip)) == 0) && (iptostring((struct sockaddr *)&localaddr, salen, localip, sizeof(localip)) == 0)) { argus_have_addr = 1; } } } } gethostname(localhostname, 1024); if (!strchr (localhostname, '.')) { char domainname[256]; strcat (localhostname, "."); if (getdomainname (domainname, 256)) { snprintf (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname), "%s", domainname); } } if ((retn = sasl_server_new("argus", NULL, NULL, localip, remoteip, NULL, 0, &client->sasl_conn)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusCheckClientStatus: sasl_server_new failed %d", retn); conn = client->sasl_conn; /* set required security properties here */ if (extprops_ssf) sasl_setprop(conn, SASL_SSF_EXTERNAL, &extprops_ssf); secprops = mysasl_secprops(0); sasl_setprop(conn, SASL_SEC_PROPS, secprops); /* set ip addresses */ if (argus_have_addr) { sasl_setprop(conn, SASL_IPREMOTEPORT, remoteip); if (client->saslprops.ipremoteport != NULL) free(client->saslprops.ipremoteport); client->saslprops.ipremoteport = strdup(remoteip); sasl_setprop(conn, SASL_IPLOCALPORT, localip); if (client->saslprops.iplocalport != NULL) free(client->saslprops.iplocalport); client->saslprops.iplocalport = strdup(localip); } output->ArgusInitMar->argus_mar.status |= htonl(ARGUS_SASL_AUTHENTICATE); no_auth: #endif len = ntohs(output->ArgusInitMar->hdr.len) * 4; if ((bytes = write (client->fd, (char *) output->ArgusInitMar, len)) != len) { close (client->fd); ArgusLog (LOG_ALERT, "ArgusInitOutput: write(): %s", strerror(errno)); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: wrote %d bytes to client\n", bytes); #endif } #ifdef ARGUS_SASL if (ArgusMaxSsf > 0) { int flags = fcntl (fd, F_GETFL, 0); fcntl (fd, F_SETFL, flags & ~O_NONBLOCK); if (ArgusAuthenticateClient (client)) { ArgusDeleteSocket(output, client); ArgusLog (LOG_ALERT, "ArgusCheckClientStatus: ArgusAuthenticateClient failed\n"); } else { ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK); fcntl (fd, F_SETFL, flags); } } else { ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK); } #else ArgusAddToQueue(output->ArgusClients, &client->qhdr, ARGUS_NOLOCK); #endif } else { char buf[256]; struct ArgusRecord *argus = (struct ArgusRecord *) &buf; if ((argus = ArgusGenerateRecord (output->ArgusModel, NULL, ARGUS_ERROR, (struct ArgusRecord *) &buf)) != NULL) { len = argus->hdr.len * 4; argus->hdr.len = ntohs(argus->hdr.len); argus->hdr.cause |= ARGUS_MAXLISTENEXCD; if (write (fd, (char *) argus, len) != len) { ArgusLog (LOG_ERR, "ArgusInitOutput: write(): %s", strerror(errno)); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus: wrote %d bytes to client fd %d\n", len, fd); #endif } close(fd); } } } } else { ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: fcntl: %s", strerror(errno)); close (fd); } } else ArgusLog (LOG_WARNING, "ArgusCheckClientStatus: accept: %s", strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientStatus() returning\n"); #endif } #define ARGUSMAXCLIENTCOMMANDS 6 #define RADIUM_START 0 #define RADIUM_DONE 1 #define RADIUM_FILTER 2 #define RADIUM_MODEL 3 #define RADIUM_PROJECT 4 #define RADIUM_FILE 5 char *ArgusClientCommands[ARGUSMAXCLIENTCOMMANDS] = { "START: ", "DONE: ", "FILTER: ", "MODEL: ", "PROJECT: ", "FILE: ", }; int ArgusCheckClientMessage (struct ArgusOutputStruct *output, struct ArgusClientData *client) { int retn = 0, cnt = 0, found = 0; char *buf = NULL, *ptr = NULL; int i, fd = client->fd; unsigned int value = 0; #ifdef ARGUS_SASL const char *outputbuf = NULL; unsigned int outputlen = 0; #endif /* ARGUS_SASL */ if ((buf = ArgusCalloc (1, MAXSTRLEN)) != NULL) { ptr = buf; value = MAXSTRLEN; if ((cnt = recv (fd, buf, value, 0)) > 0) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCheckClientMessage (0x%x, %d) recv() returned %d bytes\n", client, fd, cnt); #endif #ifdef ARGUS_SASL if ((client->sasl_conn)) { const int *ssfp; int result; if ((result = sasl_getprop(client->sasl_conn, SASL_SSF, (const void **) &ssfp)) != SASL_OK) ArgusLog (LOG_ERR, "sasl_getprop: error %s\n", sasl_errdetail(client->sasl_conn)); if (ssfp && (*ssfp > 0)) { if (sasl_decode (client->sasl_conn, buf, cnt, &outputbuf, &outputlen) != SASL_OK) { ArgusLog (LOG_WARNING, "ArgusCheckClientMessage(0x%x, %d) sasl_decode (0x%x, 0x%x, %d, 0x%x, %d) failed", client, fd, client->sasl_conn, buf, cnt, &outputbuf, outputlen); retn = -1; } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCheckClientMessage (0x%x, %d) sasl_decode() returned %d bytes\n", client, fd, outputlen); #endif if (outputlen > 0) { if (outputlen < MAXSTRLEN) { memcpy (buf, outputbuf, outputlen); memset (&buf[outputlen], 0, MAXSTRLEN - outputlen); cnt = outputlen; } else { ArgusLog (LOG_ERR, "ArgusCheckClientMessage(0x%x, %d) sasl_decode returned %d bytes\n", client, fd, outputlen); retn = -1; } } } } } #endif /* ARGUS_SASL */ if (retn == 0) { int isprintable = 1; for (i = 0; i < cnt; i++) { int c = ptr[i]; if (isprint(c) == 0) { isprintable = 0; break; } } if (isprintable) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCheckClientMessage (%p, %p) read '%s' from remote\n", output, client, ptr); #endif for (i = 0, found = 0; i < ARGUSMAXCLIENTCOMMANDS; i++) { if (!(strncmp (ptr, ArgusClientCommands[i], strlen(ArgusClientCommands[i])))) { found++; switch (i) { case RADIUM_START: { client->ArgusClientStart++; retn = 0; break; } case RADIUM_DONE: { if (client->hostname != NULL) ArgusLog (LOG_INFO, "ArgusCheckClientMessage: client %s sent DONE", client->hostname); else ArgusLog (LOG_INFO, "ArgusCheckClientMessage: received DONE"); retn = -4; break; } case RADIUM_FILTER: { char *reply = NULL; if ((reply = ArgusFilterCompile (&client->ArgusNFFcode, &ptr[7], 1)) == NULL) { retn = -2; if ((cnt = send (fd, "ER", 2, 0)) != 2) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCheckClientMessage: ArgusFilter filter error: %s\n", &ptr[7]); #endif } else { if (strcmp(reply, "OK")) { retn = -3; if ((cnt = send (fd, reply, 2, 0)) != 2) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } } else { #ifdef ARGUSDEBUG char *code = NULL; if ((code = ArgusCalloc (1, MAXSTRLEN)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput:ArgusCalloc error %s\n", strerror(errno)); nff_dump(&client->ArgusNFFcode, code, MAXSTRLEN, 1); ArgusDebug (5, "ArgusInitOutput: ArgusFilterCompile returned: \n%s\n", code); ArgusFree (code); #endif client->ArgusFilterInitialized++; if ((cnt = send (fd, "OK", 2, 0)) != 2) { retn = -3; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: send error %s\n", strerror(errno)); #endif } else { retn = 0; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusCheckClientMessage: ArgusFilter %s initialized.\n", &ptr[7]); #endif } } } break; } case RADIUM_PROJECT: case RADIUM_MODEL: break; case RADIUM_FILE: { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusCheckClientMessage: ArgusFile %s initialized.\n", &ptr[6]); #endif retn = 0; break; } default: ArgusLog (LOG_WARNING, "ArgusCheckClientMessage: received %s", ptr); break; } } } if (!found) { if (client->hostname) ArgusLog (LOG_INFO, "ArgusCheckClientMessage: client %s sent %s\n", client->hostname, ptr); else ArgusLog (LOG_INFO, "ArgusCheckClientMessage: received %s\n", ptr); } } else { ArgusLog (LOG_INFO, "ArgusCheckClientMessage: client %s sent unprintable chars\n", client->hostname); retn = -1; } } } else { if (cnt == 0) { #ifdef ARGUSDEBUG ArgusDebug (3, "%s (0x%x, %d) recv() found no connection\n", __func__, client, fd); #endif } else { switch(errno) { default: case EBADF: case EINVAL: case EIO: case ENOMEM: case ECONNREFUSED: #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCheckClientMessage (0x%x, %d) recv() returned error %s\n", client, fd, strerror(errno)); #endif break; case EINTR: case ENOTSOCK: case EWOULDBLOCK: break; } } retn = -1; } ArgusFree(buf); } else ArgusLog (LOG_ERR, "ArgusCheckClientMessage(%p, %p) ArgusCalloc error %s\n", output, client, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusCheckClientMessage: returning %d\n", retn); #endif return (retn); } struct ArgusRecord * ArgusGenerateInitialMar (struct ArgusOutputStruct *output) { struct ArgusSourceStruct *ArgusSrc, *aSrc; struct ArgusAddrStruct asbuf, *asptr = &asbuf; struct ArgusRecord *retn; struct timeval now; int x, done; if ((retn = (struct ArgusRecord *) ArgusCalloc (1, sizeof(struct ArgusRecord))) == NULL) ArgusLog (LOG_ERR, "ArgusGenerateInitialMar(%p) ArgusCalloc error %s\n", output, strerror(errno)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = ARGUS_START; retn->hdr.len = sizeof(struct ArgusRecord) / 4; retn->argus_mar.argusid = ARGUS_COOKIE; if (getArgusID(ArgusSourceTask, asptr)) { switch (getArgusIDType(ArgusSourceTask) & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: { retn->argus_mar.status |= ARGUS_IDIS_STRING; bcopy (&asptr->a_un.str, &retn->argus_mar.str, strlen((const char *)retn->argus_mar.str)); break; } case ARGUS_TYPE_INT: { retn->argus_mar.status |= ARGUS_IDIS_INT; bcopy (&asptr->a_un.value, &retn->argus_mar.value, sizeof(retn->argus_mar.value)); break; } case ARGUS_TYPE_IPV4: { retn->argus_mar.status |= ARGUS_IDIS_IPV4; bcopy (&asptr->a_un.ipv4, &retn->argus_mar.ipv4, sizeof(retn->argus_mar.ipv4)); break; } case ARGUS_TYPE_IPV6: { retn->argus_mar.status |= ARGUS_IDIS_IPV6; bcopy (&asptr->a_un.ipv6, &retn->argus_mar.ipv6, sizeof(retn->argus_mar.ipv6)); break; } case ARGUS_TYPE_UUID: { retn->argus_mar.status |= ARGUS_IDIS_UUID; bcopy (&asptr->a_un.uuid, &retn->argus_mar.uuid, sizeof(retn->argus_mar.uuid)); break; } } if (getArgusManInf(ArgusSourceTask) != NULL) retn->argus_mar.status |= ARGUS_ID_INC_INF; } retn->argus_mar.startime.tv_sec = output->ArgusStartTime.tv_sec; retn->argus_mar.startime.tv_usec = output->ArgusStartTime.tv_usec; gettimeofday (&now, 0L); retn->argus_mar.now.tv_sec = now.tv_sec; retn->argus_mar.now.tv_usec = now.tv_usec; retn->argus_mar.major_version = VERSION_MAJOR; retn->argus_mar.minor_version = VERSION_MINOR; retn->argus_mar.reportInterval = getArgusFarReportInterval(output->ArgusModel)->tv_sec; retn->argus_mar.argusMrInterval = getArgusMarReportInterval(output)->tv_sec; if ((ArgusSrc = output->ArgusSrc) != NULL) { for (x = 0, done = 0; x < ARGUS_MAXINTERFACE && !done; x++) { if ((aSrc = ArgusSrc->srcs[x]) != NULL) { if (aSrc->ArgusInterface[0].ArgusLocalNet != 0) { retn->argus_mar.localnet = aSrc->ArgusInterface[0].ArgusLocalNet; retn->argus_mar.netmask = aSrc->ArgusInterface[0].ArgusNetMask; done = 1; } } } } retn->argus_mar.nextMrSequenceNum = output->ArgusOutputSequence + 1; retn->argus_mar.record_len = -1; #if defined(_LITTLE_ENDIAN) ArgusHtoN(retn); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateInitialMar() returning\n"); #endif return (retn); } // The supplemental mar record is designed to provide extended management information, // such as extending the descriptions of the sensors, their inputs, providing interfaces, // names, interface types, extended argus identifiers (> 4 bytes), and stats, if appropriate, // // Minimally it should provide the argusid, used in all records, and the list of input descriptions, // as well as the extended argus id itself. struct ArgusRecordStruct * ArgusGenerateSupplementalMarRecord (struct ArgusOutputStruct *output, unsigned char status) { struct ArgusRecordStruct *retn = NULL; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateSupplementalMarRecord(%p, %d) returning 0x%x", output, status, retn); #endif return (retn); } // The mar interface record is designed to provide the hardware and internet addresses assigned // to the monitored interfaces on this node. // // Minimally it should provide the argusid, the inf, the interface type, hardware address and // the configured internet addresses. // // such as extending the descriptions of the sensors, their inputs, providing interfaces, // names, interface types, extended argus identifiers (> 4 bytes), and stats, if appropriate, // /* struct ArgusIPv4Addr { unsigned int addr, mask; }; struct ArgusIPv6Addr { unsigned int addr[4]; unsigned int prefixlen; }; struct ArgusAddressStruct { unsigned char type, length; unsigned short status; union { struct ArgusHAddr l2addr; struct ArgusIPv4Addr ipv4; struct ArgusIPv6Addr ipv6; } addr; }; struct ArgusMarInterfaceStruct { unsigned char type, length; unsigned short status; unsigned char inf[4]; short mtu; struct ArgusAddressStruct addr[]; }; struct ArgusMarInfStruct { unsigned int status; struct ArgusAddrStruct srcid; struct ArgusMarInterfaceStruct inf[]; }; */ struct ArgusRecordStruct * ArgusGenerateMarInterfaceRecord (struct ArgusOutputStruct *output, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; while ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) == NULL) { if (output && output->ArgusInputList) { if ((retn = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusInputList, ARGUS_LOCK)) != NULL) { ArgusFreeListRecord (retn); } else break; } else break; } if (retn) { struct ArgusAddrStruct asbuf, *asptr = &asbuf; struct timeval now; memset(retn, 0, sizeof(*retn)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = ARGUS_MAR_INTERFACE; retn->hdr.len = (sizeof(struct ArgusMarInfStruct)/4) + 1; // have size for one interface, and add as you go rec = (struct ArgusRecord *) &retn->canon; rec->hdr = retn->hdr; if (getArgusID(ArgusSourceTask, asptr)) bcopy (&asptr->a_un.value, &rec->argus_inf.srcid, sizeof(rec->argus_inf.srcid)); switch (getArgusIDType(ArgusSourceTask)) { case ARGUS_TYPE_STRING: rec->argus_inf.status |= ARGUS_IDIS_STRING; break; case ARGUS_TYPE_INT: rec->argus_inf.status |= ARGUS_IDIS_INT; break; case ARGUS_TYPE_IPV4: rec->argus_inf.status |= ARGUS_IDIS_IPV4; break; case ARGUS_TYPE_IPV6: rec->argus_inf.status |= ARGUS_IDIS_IPV6; break; case ARGUS_TYPE_UUID: rec->argus_inf.status |= ARGUS_IDIS_UUID; break; } gettimeofday (&now, 0L); rec->argus_inf.startime.tv_sec = output->ArgusLastMarUpdateTime.tv_sec; rec->argus_inf.startime.tv_usec = output->ArgusLastMarUpdateTime.tv_usec; rec->argus_inf.now.tv_sec = now.tv_sec; rec->argus_inf.now.tv_usec = now.tv_usec; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateMarInterfaceRecord(%p, %d) returning 0x%x", output, status, retn); #endif return (retn); } struct ArgusRecordStruct * ArgusGenerateStatusMarRecord (struct ArgusOutputStruct *output, unsigned char status) { struct ArgusRecordStruct *retn = NULL; struct ArgusRecord *rec = NULL; while ((retn = (struct ArgusRecordStruct *) ArgusMallocListRecord (sizeof(*retn))) == NULL) { if (output && output->ArgusInputList) { if ((retn = (struct ArgusRecordStruct *) ArgusPopFrontList(output->ArgusInputList, ARGUS_LOCK)) != NULL) { ArgusFreeListRecord (retn); } else break; } else break; } if (retn) { extern int ArgusAllocTotal, ArgusFreeTotal; struct ArgusAddrStruct asbuf, *asptr = &asbuf; struct ArgusSourceStruct *aSrc = NULL; struct timeval now; memset(retn, 0, sizeof(*retn)); retn->hdr.type = ARGUS_MAR | ARGUS_VERSION; retn->hdr.cause = status; retn->hdr.len = (sizeof(struct ArgusMarStruct)/4) + 1; rec = (struct ArgusRecord *) &retn->canon; rec->hdr = retn->hdr; rec->argus_mar.argusid = ARGUS_COOKIE; if (getArgusID(ArgusSourceTask, asptr)) { switch (getArgusIDType(ArgusSourceTask) & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: { rec->argus_mar.status |= ARGUS_IDIS_STRING; bcopy (&asptr->a_un.str, &rec->argus_mar.str, strlen((const char *)rec->argus_mar.str)); break; } case ARGUS_TYPE_INT: { rec->argus_mar.status |= ARGUS_IDIS_INT; bcopy (&asptr->a_un.value, &rec->argus_mar.value, sizeof(rec->argus_mar.value)); break; } case ARGUS_TYPE_IPV4: { rec->argus_mar.status |= ARGUS_IDIS_IPV4; bcopy (&asptr->a_un.ipv4, &rec->argus_mar.ipv4, sizeof(rec->argus_mar.ipv4)); break; } case ARGUS_TYPE_IPV6: { rec->argus_mar.status |= ARGUS_IDIS_IPV6; bcopy (&asptr->a_un.ipv6, &rec->argus_mar.ipv6, sizeof(rec->argus_mar.ipv6)); break; } case ARGUS_TYPE_UUID: { rec->argus_mar.status |= ARGUS_IDIS_UUID; bcopy (&asptr->a_un.uuid, &rec->argus_mar.uuid, sizeof(rec->argus_mar.uuid)); break; } } if (getArgusManInf(ArgusSourceTask) != NULL) rec->argus_mar.status |= ARGUS_ID_INC_INF; } gettimeofday (&now, 0L); rec->argus_mar.startime.tv_sec = output->ArgusLastMarUpdateTime.tv_sec; rec->argus_mar.startime.tv_usec = output->ArgusLastMarUpdateTime.tv_usec; rec->argus_mar.now.tv_sec = now.tv_sec; rec->argus_mar.now.tv_usec = now.tv_usec; rec->argus_mar.major_version = VERSION_MAJOR; rec->argus_mar.minor_version = VERSION_MINOR; rec->argus_mar.reportInterval = getArgusFarReportInterval(output->ArgusModel)->tv_sec; rec->argus_mar.argusMrInterval = getArgusMarReportInterval(ArgusOutputTask)->tv_sec; rec->argus_mar.localnet = output->ArgusSrc->ArgusInterface[0].ArgusLocalNet; rec->argus_mar.netmask = output->ArgusSrc->ArgusInterface[0].ArgusNetMask; rec->argus_mar.nextMrSequenceNum = output->ArgusOutputSequence + 1; rec->argus_mar.record_len = -1; if (ArgusSourceTask != NULL) { int x; rec->argus_mar.pktsRcvd = 0; rec->argus_mar.bytesRcvd = 0; rec->argus_mar.dropped = 0; for (x = 0; x < ARGUS_MAXINTERFACE; x++) { if ((aSrc = ArgusSourceTask->srcs[x]) != NULL) { if (aSrc->ArgusInterface[0].ArgusPd != NULL) { int i; rec->argus_mar.interfaceType = pcap_datalink(aSrc->ArgusInterface[0].ArgusPd); rec->argus_mar.interfaceStatus = getArgusInterfaceStatus(aSrc); for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (aSrc->ArgusInterface[i].ArgusPd != NULL) { rec->argus_mar.pktsRcvd += aSrc->ArgusInterface[i].ArgusTotalPkts - aSrc->ArgusInterface[i].ArgusLastPkts; rec->argus_mar.bytesRcvd += aSrc->ArgusInterface[i].ArgusTotalBytes - aSrc->ArgusInterface[i].ArgusLastBytes; rec->argus_mar.dropped += aSrc->ArgusInterface[i].ArgusStat.ps_drop - aSrc->ArgusInterface[i].ArgusLastDrop; aSrc->ArgusInterface[i].ArgusLastPkts = aSrc->ArgusInterface[i].ArgusTotalPkts; aSrc->ArgusInterface[i].ArgusLastDrop = aSrc->ArgusInterface[i].ArgusStat.ps_drop; aSrc->ArgusInterface[i].ArgusLastBytes = aSrc->ArgusInterface[i].ArgusTotalBytes; } else break; } } } } } rec->argus_mar.records = output->ArgusTotalRecords - output->ArgusLastRecords; output->ArgusLastRecords = output->ArgusTotalRecords; rec->argus_mar.flows = output->ArgusModel->ArgusTotalNewFlows - output->ArgusModel->ArgusLastNewFlows; output->ArgusModel->ArgusLastNewFlows = output->ArgusModel->ArgusTotalNewFlows; if (output->ArgusModel && output->ArgusModel->ArgusStatusQueue) rec->argus_mar.queue = output->ArgusModel->ArgusStatusQueue->count; else rec->argus_mar.queue = 0; if (output->ArgusOutputList) rec->argus_mar.output = output->ArgusOutputList->count; else rec->argus_mar.output = 0; rec->argus_mar.clients = output->ArgusClients->count; rec->argus_mar.bufs = ArgusAllocTotal - ArgusFreeTotal; rec->argus_mar.suserlen = getArgusUserDataLen(ArgusModel); rec->argus_mar.duserlen = getArgusUserDataLen(ArgusModel); gettimeofday (&now, 0L); output->ArgusLastMarUpdateTime.tv_sec = now.tv_sec; output->ArgusLastMarUpdateTime.tv_usec = now.tv_usec; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGenerateStatusMarRecord(%p, %d) returning 0x%x", output, status, retn); #endif return (retn); } struct timeval * getArgusMarReportInterval(struct ArgusOutputStruct *output) { return (&output->ArgusMarReportInterval); } struct timeval * getArgusMarInfReportInterval(struct ArgusOutputStruct *output) { return (&output->ArgusMarInfReportInterval); } #include #include void setArgusMarReportInterval(struct ArgusOutputStruct *output, char *value) { struct timeval *tvp = getArgusMarReportInterval(output); struct timeval ovalue, now; double thisvalue = 0.0, iptr, fptr; int ivalue = 0; char *ptr = NULL; if (tvp != NULL) { ovalue = *tvp; tvp->tv_sec = 0; tvp->tv_usec = 0; } else { ovalue.tv_sec = 0; ovalue.tv_usec = 0; } if (((ptr = strchr (value, '.')) != NULL) || isdigit((int)*value)) { if (ptr != NULL) { thisvalue = atof(value); } else { if (isdigit((int)*value)) { ivalue = atoi(value); thisvalue = ivalue * 1.0; } } fptr = modf(thisvalue, &iptr); tvp->tv_sec = iptr; tvp->tv_usec = fptr * ARGUS_FRACTION_TIME; gettimeofday(&now, 0L); if (output->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) now.tv_usec *= 1000; output->ArgusReportTime.tv_sec = now.tv_sec + tvp->tv_sec; output->ArgusReportTime.tv_usec = tvp->tv_usec; } else *tvp = ovalue; #ifdef ARGUSDEBUG ArgusDebug (4, "setArgusMarReportInterval(%s) returning\n", value); #endif } void setArgusMarInfReportInterval(struct ArgusOutputStruct *output, char *value) { struct timeval *tvp = getArgusMarInfReportInterval(output); struct timeval ovalue, now; double thisvalue = 0.0, iptr, fptr; int ivalue = 0; char *ptr = NULL; if (tvp != NULL) { ovalue = *tvp; tvp->tv_sec = 0; tvp->tv_usec = 0; } else { ovalue.tv_sec = 0; ovalue.tv_usec = 0; } if (((ptr = strchr (value, '.')) != NULL) || isdigit((int)*value)) { if (ptr != NULL) { thisvalue = atof(value); } else { if (isdigit((int)*value)) { ivalue = atoi(value); thisvalue = ivalue * 1.0; } } fptr = modf(thisvalue, &iptr); tvp->tv_sec = iptr; tvp->tv_usec = fptr * ARGUS_FRACTION_TIME; gettimeofday(&now, 0L); if (output->ArgusSrc->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) now.tv_usec *= 1000; output->ArgusMarInfTime.tv_sec = now.tv_sec + tvp->tv_sec; output->ArgusMarInfTime.tv_usec = tvp->tv_usec; } else *tvp = ovalue; #ifdef ARGUSDEBUG ArgusDebug (4, "setArgusMarInfReportInterval(%s) returning\n", value); #endif } #if defined HAVE_TCP_WRAPPER #if defined(HAVE_SYSLOG_H) #include #endif #include #if !defined(MAXPATHNAMELEN) #define MAXPATHNAMELEN BUFSIZ #endif #define PARANOID 1 #define KILL_IP_OPTIONS 1 #define HOSTS_ACCESS 1 int allow_severity = LOG_INFO; /* run-time adjustable */ int deny_severity = LOG_WARNING; /* ditto */ void fix_options(struct request_info *); #endif int ArgusTcpWrapper (int fd, struct sockaddr *from) { #if defined(HAVE_TCP_WRAPPER) int retn = 0; struct request_info request; /* * Find out the endpoint addresses of this conversation. Host name * lookups and double checks will be done on demand. */ request_init(&request, RQ_DAEMON, ArgusProgramName, RQ_FILE, STDIN_FILENO, 0); request.fd = fd; fromhost(&request); /* * Optionally look up and double check the remote host name. Sites * concerned with security may choose to refuse connections from hosts * that pretend to have someone elses host name. */ #ifdef PARANOID if (STR_EQ(eval_hostname(request.client), paranoid)) { ArgusLog (deny_severity, "refused connect from %s", eval_client(&request)); if (request.sink) request.sink(request.fd); return -1; } #endif /* * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow * socket options at the IP level. They do so for a good reason. * Unfortunately, we cannot use this with SunOS 4.1.x because the * getsockopt() system call can panic the system. */ #if defined(KILL_IP_OPTIONS) fix_options(&request); #endif /* KILL_IP_OPTIONS */ /* * Find out and verify the remote host name. Sites concerned with * security may choose to refuse connections from hosts that pretend to * have someone elses host name. */ #ifdef HOSTS_ACCESS if (!hosts_access(&request)) { ArgusLog (deny_severity, "refused connect from %s", eval_client(&request)); if (request.sink) request.sink(request.fd); return -1; } else #endif /* Report remote client */ ArgusLog (allow_severity, "connect from %s", eval_client(&request)); return (retn); #else return (1); #endif /* HAVE_TCP_WRAPPER */ } #if defined(ARGUS_SASL) /* This creates a structure that defines the allowable * security properties */ #define PROT_BUFSIZE 4096 sasl_security_properties_t * mysasl_secprops(int flags) { static sasl_security_properties_t ret; bzero((char *)&ret, sizeof(ret)); ret.maxbufsize = PROT_BUFSIZE; ret.min_ssf = ArgusMinSsf; /* minimum allowable security strength */ ret.max_ssf = ArgusMaxSsf; /* maximum allowable security strength */ ret.security_flags = flags; ret.property_names = NULL; ret.property_values = NULL; return &ret; } int iptostring(const struct sockaddr *addr, socklen_t addrlen, char *out, unsigned outlen) { char hbuf[NI_MAXHOST], pbuf[NI_MAXSERV]; int niflags; if(!addr || !out) { errno = EINVAL; return -1; } niflags = NI_NUMERICHOST | NI_NUMERICSERV; #ifdef NI_WITHSCOPEID if (addr->sa_family == AF_INET6) niflags |= NI_WITHSCOPEID; #endif if (getnameinfo(addr, addrlen, hbuf, sizeof(hbuf), pbuf, sizeof(pbuf), niflags) != 0) { errno = EINVAL; return -1; } if(outlen < strlen(hbuf) + strlen(pbuf) + 2) { errno = ENOMEM; return -1; } snprintf(out, outlen, "%s;%s", hbuf, pbuf); return 0; } #endif argus-5.0.2/argus/ArgusOutput.h000066400000000000000000000152531471541253600164510ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Output include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusOutput.h#7 $ * $DateTime: 2015/04/21 19:24:29 $ * $Change: 3018 $ */ #ifndef ArgusOutput_h #define ArgusOutput_h #define ARGUS_MONITORPORT 561 #define ARGUS_MAXLISTEN 10 #define ARGUS_CLIENT_STARTUP_TIMEOUT 5 #include #if defined(HAVE_STDLIB_H) #include #endif #include #include #include #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #else #include #endif #include #include #if !defined(ARGUS_TILERA) #include #endif #include #ifdef ARGUS_SASL #include #endif struct ArgusClientData { struct ArgusQueueHeader qhdr; int fd, type, ArgusClientStart; int ArgusFilterInitialized; struct timeval startime, lasttime; struct ArgusSocketStruct *sock; struct nff_program ArgusNFFcode; char *filename, *hostname, *filter; #if defined(HAVE_GETADDRINFO) struct addrinfo *host; #endif #ifdef ARGUS_SASL sasl_conn_t *sasl_conn; struct { char *ipremoteport; char *iplocalport; sasl_ssf_t ssf; char *authid; } saslprops; #endif }; struct ArgusBindAddrStruct { struct ArgusListObjectStruct *nxt; char *addr; }; struct ArgusOutputStruct { int type, status; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; #endif struct ArgusSourceStruct *ArgusSrc; struct ArgusModelerStruct *ArgusModel; struct ArgusListStruct *ArgusWfileList; struct ArgusListStruct *ArgusOutputList; struct ArgusListStruct *ArgusInputList; struct ArgusQueueStruct *ArgusClients; struct ArgusListStruct *ArgusBindAddrs; struct ArgusRecord *ArgusInitMar; long long ArgusTotalRecords, ArgusLastRecords; int ArgusWriteStdOut; int ArgusOutputSequence; #if defined(HAVE_GETADDRINFO) struct addrinfo ArgusAddrInfo; #endif int ArgusPortNum; int ArgusLfd[ARGUS_MAXLISTEN]; int ArgusListens, nflag; char *ArgusBindPort; struct timeval ArgusGlobalTime; struct timeval ArgusStartTime; struct timeval ArgusReportTime; struct timeval ArgusLastMarUpdateTime; struct timeval ArgusMarReportInterval; struct timeval ArgusMarInfTime; struct timeval ArgusLastMarInfUpdateTime; struct timeval ArgusMarInfReportInterval; }; struct ArgusWfileStruct { struct ArgusListObjectStruct *nxt; char *filename; char *filter; }; #if defined(ArgusOutput) struct ArgusOutputStruct *ArgusOutputTask = NULL; struct ArgusOutputStruct *ArgusNewOutput (struct ArgusSourceStruct *, struct ArgusModelerStruct *); void ArgusCloseOutput (struct ArgusOutputStruct *); void ArgusInitOutput (struct ArgusOutputStruct *); void ArgusInitOutputProcess(void); void *ArgusOutputProcess(void *); int ArgusTcpWrapper (int, struct sockaddr *); void ArgusUsr1Sig (int); void ArgusUsr2Sig (int); void ArgusChildExit (int); void ArgusClientError(void); void ArgusInitClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); struct ArgusRecordStruct *ArgusGenerateSupplementalMarRecord (struct ArgusOutputStruct *, unsigned char); int ArgusOutputMarInfTime(struct ArgusOutputStruct *); struct timeval *getArgusMarReportInterval(struct ArgusOutputStruct *); void setArgusMarReportInterval(struct ArgusOutputStruct *, char *); struct timeval *getArgusMarInfReportInterval(struct ArgusOutputStruct *); void setArgusMarInfReportInterval(struct ArgusOutputStruct *, char *); #if defined(ARGUS_TILERA) #else extern char *ArgusFilterCompile(struct nff_program *, char *, int); extern unsigned int argus_filter (struct bpf_insn *, unsigned char *); #endif extern int getArgusPortNum(void); #else #if defined(Argus) int getArgusPortNum(struct ArgusOutputStruct *); int getArgusPortType(struct ArgusOutputStruct *); void setArgusPortNum(struct ArgusOutputStruct *, int); void setArgusBindAddr (struct ArgusOutputStruct *, char *); void setArgusBindPort (struct ArgusOutputStruct *, char *); char *getArgusBindAddr (struct ArgusOutputStruct *); char *getArgusBindPort (struct ArgusOutputStruct *); #endif extern struct timeval ArgusReportTime; extern int ArgusPortNum; extern char *ArgusBindAddr; extern int ArgusOutfd; extern struct ArgusOutputStruct *ArgusOutputTask; extern struct ArgusOutputStruct *ArgusNewOutput (struct ArgusSourceStruct *, struct ArgusModelerStruct *); extern void ArgusCloseOutput (struct ArgusOutputStruct *); extern void ArgusInitOutput (struct ArgusOutputStruct *); extern void ArgusInitOutputProcess(void); extern void ArgusSendOutputData(int, struct ArgusRecord *); extern int ArgusHandleData(struct ArgusSocketStruct *, unsigned char *, int, void *); extern int ArgusHandleClientData(struct ArgusSocketStruct *, unsigned char *, int, void *); extern void ArgusOutputProcess(void *); extern void *ArgusClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); extern char *getArgusWfile(void); extern void setArgusWfile(char *, char *); extern struct timeval *getArgusMarReportInterval(struct ArgusOutputStruct *); extern void setArgusMarReportInterval(struct ArgusOutputStruct *, char *); extern struct timeval *getArgusMarInfReportInterval(struct ArgusOutputStruct *); extern void setArgusMarInfReportInterval(struct ArgusOutputStruct *, char *); extern void ArgusCheckClientStatus (struct ArgusOutputStruct *, int); extern int ArgusTcpWrapper (int, struct sockaddr *); extern void ArgusCloseSocket (int); extern void ArgusCloseClients (void); extern void ArgusUsr1Sig (int); extern void ArgusUsr2Sig (int); extern void ArgusClientError(void); extern void ArgusInitClientProcess(struct ArgusClientData *, struct ArgusWfileStruct *); #endif #endif /* #ifndef ArgusOutput_h */ argus-5.0.2/argus/ArgusSflow.c000066400000000000000000001342041471541253600162340ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Sflow record processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusSflow.c#5 $ * $DateTime: 2016/02/16 17:07:05 $ * $Change: 3096 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusSflow) #define ArgusSflow #include #include #include #include #include #include #include #include #include void ArgusParseSflowRecord (struct ArgusModelerStruct *model, void *ptr) { /* int ArgusReadSocketState = ARGUS_READINGPREHDR; int ArgusReadSocketSize = 0; unsigned int ArgusFlowSeq = 0, ArgusCounter, ArgusSourceId; unsigned int ArgusSysUptime = 0; unsigned short ArgusReadCiscoVersion, ArgusReadSocketNum; struct timeval tvpbuf, *tvp = &tvpbuf; void **templates = NULL; while ((char *)ptr < (char *)model->ArgusThisSnapEnd) { switch (ArgusReadSocketState) { case ARGUS_READINGPREHDR: { unsigned short *sptr = (unsigned short *) ptr; ArgusReadCiscoVersion = ntohs(*sptr++); ArgusReadSocketNum = ntohs(*sptr); ArgusReadSocketState = ARGUS_READINGHDR; break; } case ARGUS_READINGHDR: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record header\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowHeaderV1_t *ArgusNetFlow = (CiscoFlowHeaderV1_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusCounter = ntohs(ArgusNetFlow->count); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_5: { CiscoFlowHeaderV5_t *ArgusNetFlow = (CiscoFlowHeaderV5_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = ntohs(ArgusNetFlow->count); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_6: { CiscoFlowHeaderV6_t *ArgusNetFlow = (CiscoFlowHeaderV6_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_7: { CiscoFlowHeaderV7_t *ArgusNetFlow = (CiscoFlowHeaderV7_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); ArgusFlowSeq = ntohl(ArgusNetFlow->flow_sequence); ArgusCounter = 0; tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = ntohl(ArgusNetFlow->unix_nsecs)/1000; break; } case CISCO_VERSION_8: { CiscoFlowHeaderV8_t *ArgusNetFlow = (CiscoFlowHeaderV8_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_9: { CiscoFlowHeaderV9_t *ArgusNetFlow = (CiscoFlowHeaderV9_t *) ptr; ArgusReadSocketSize = sizeof(*ArgusNetFlow); ArgusCounter = ntohs(ArgusNetFlow->count); ArgusSysUptime = ntohl(ArgusNetFlow->sysUptime); tvp->tv_sec = ntohl(ArgusNetFlow->unix_secs); tvp->tv_usec = 0; ArgusFlowSeq = ntohl(ArgusNetFlow->package_sequence); ArgusSourceId = ntohl(ArgusNetFlow->source_id); break; } default: { #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p) read header\n", ptr); #endif } } ptr += ArgusReadSocketSize; ArgusReadSocketState = ARGUS_READINGBLOCK; break; } case ARGUS_READINGBLOCK: { struct ArgusSystemFlow flowbuf, *sflow = &flowbuf; struct ArgusHashStruct hbuf, *hstruct = &hbuf; struct ArgusFlowStruct *flow = NULL; #ifdef ARGUSDEBUG ArgusDebug (7, "ArgusReadCiscoStreamSocket (%p, %p) read record complete\n", model, ptr); #endif switch (ArgusReadCiscoVersion) { case CISCO_VERSION_1: { CiscoFlowEntryV1_t *ArgusNetFlow = (CiscoFlowEntryV1_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->flags; if (ArgusNetFlow->flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->flags & TH_ACK) || (ArgusNetFlow->flags & TH_PUSH) || (ArgusNetFlow->flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_5: { CiscoFlowEntryV5_t *ArgusNetFlow = (CiscoFlowEntryV5_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_6: { CiscoFlowEntryV6_t *ArgusNetFlow = (CiscoFlowEntryV6_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_7: { CiscoFlowEntryV7_t *ArgusNetFlow = (CiscoFlowEntryV7_t *) ptr; bzero(sflow, sizeof(*sflow)); bzero(hstruct, sizeof(*hstruct)); sflow->hdr.type = ARGUS_FLOW_DSR; sflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; sflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; sflow->hdr.argus_dsrvl8.len = 5; sflow->ip_flow.ip_src = ntohl(ArgusNetFlow->srcaddr); sflow->ip_flow.ip_dst = ntohl(ArgusNetFlow->dstaddr); sflow->ip_flow.smask = ArgusNetFlow->src_mask; sflow->ip_flow.dmask = ArgusNetFlow->dst_mask; switch (sflow->ip_flow.ip_p = ArgusNetFlow->prot) { case IPPROTO_TCP: case IPPROTO_UDP: sflow->ip_flow.sport = ntohs(ArgusNetFlow->srcport); sflow->ip_flow.dport = ntohs(ArgusNetFlow->dstport); break; case IPPROTO_ICMP: sflow->icmp_flow.type = ((char *)&ArgusNetFlow->dstport)[0]; sflow->icmp_flow.code = ((char *)&ArgusNetFlow->dstport)[1]; break; } ArgusCreateFlowKey(model, sflow, hstruct); if ((flow = ArgusNewFlow(model, sflow, NULL, NULL)) != NULL) { struct ArgusTimeObject *time = &flow->canon.time; long timeval; flow->canon.hdr.type = ARGUS_FAR | ARGUS_NETFLOW | ARGUS_VERSION; time->hdr.type = ARGUS_TIME_DSR; time->hdr.subtype = ARGUS_TIME_ABSOLUTE_RANGE; time->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UTC_MICROSECONDS; time->hdr.argus_dsrvl8.len = 5; timeval = ntohl(ArgusNetFlow->first); time->src.start.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.start.tv_sec += tvp->tv_sec; time->src.start.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.start.tv_usec += tvp->tv_usec; if (time->src.start.tv_usec >= 1000000) { time->src.start.tv_sec++; time->src.start.tv_usec -= 1000000; } if (time->src.start.tv_usec < 0) { time->src.start.tv_sec--; time->src.start.tv_usec += 1000000; } timeval = ntohl(ArgusNetFlow->last); time->src.end.tv_sec = (timeval - (long)ArgusSysUptime)/1000; time->src.end.tv_sec += tvp->tv_sec; time->src.end.tv_usec = ((timeval - (long)ArgusSysUptime)%1000) * 1000; time->src.end.tv_usec += tvp->tv_usec; if (time->src.end.tv_usec >= 1000000) { time->src.end.tv_sec++; time->src.end.tv_usec -= 1000000; } if (time->src.end.tv_usec < 0) { time->src.end.tv_sec--; time->src.end.tv_usec += 1000000; } time->src.start.tv_usec = (time->src.start.tv_usec / 1000) * 1000; time->src.end.tv_usec = (time->src.end.tv_usec / 1000) * 1000; flow->dsrindex |= 1 << ARGUS_TIME_INDEX; flow->dsrs[ARGUS_TIME_INDEX] = (void *)time; { struct ArgusAsnStruct *asn = &flow->canon.asn; asn->hdr.type = ARGUS_ASN_DSR; asn->hdr.subtype = 0; asn->hdr.argus_dsrvl8.qual = 0; asn->hdr.argus_dsrvl8.len = 3; asn->src_as = ArgusNetFlow->src_as; asn->dst_as = ArgusNetFlow->dst_as; flow->dsrindex |= 1 << ARGUS_ASN_INDEX; flow->dsrs[ARGUS_ASN_INDEX] = (void *)asn; } { struct ArgusMetricStruct *metric = &flow->canon.metric; metric->hdr.type = ARGUS_METER_DSR; metric->hdr.subtype = ARGUS_METER_PKTS_BYTES; metric->hdr.argus_dsrvl8.qual = ARGUS_SRC_INT; metric->hdr.argus_dsrvl8.len = 3; metric->src.pkts = ntohl(ArgusNetFlow->pkts); metric->src.bytes = ntohl(ArgusNetFlow->bytes); flow->dsrindex |= 1 << ARGUS_METRIC_INDEX; flow->dsrs[ARGUS_METRIC_INDEX] = (void *)metric; } { struct ArgusMacStruct *mac = &flow->canon.mac; mac->hdr.type = ARGUS_MAC_DSR; mac->hdr.subtype = 0; mac->hdr.argus_dsrvl8.len = 5; ArgusNetFlow->input = ntohs(ArgusNetFlow->input); ArgusNetFlow->output = ntohs(ArgusNetFlow->output); #if defined(HAVE_SOLARIS) bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost.ether_addr_octet[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost.ether_addr_octet[4], 2); #else bcopy((char *)&ArgusNetFlow->input, (char *)&mac->mac.mac_union.ether.ehdr.ether_shost[4], 2); bcopy((char *)&ArgusNetFlow->output,(char *)&mac->mac.mac_union.ether.ehdr.ether_dhost[4], 2); #endif flow->dsrindex |= 1 << ARGUS_MAC_INDEX; flow->dsrs[ARGUS_MAC_INDEX] = (void *)mac; } { if (ArgusNetFlow->prot == IPPROTO_TCP) { struct ArgusNetworkStruct *net = &flow->canon.net; struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_STATUS; net->hdr.argus_dsrvl8.len = 3; net->net_union.tcpstatus.src = ArgusNetFlow->tcp_flags; if (ArgusNetFlow->tcp_flags & TH_RST) tcp->status |= ARGUS_RESET; if (ArgusNetFlow->tcp_flags & TH_FIN) tcp->status |= ARGUS_FIN; if ((ArgusNetFlow->tcp_flags & TH_ACK) || (ArgusNetFlow->tcp_flags & TH_PUSH) || (ArgusNetFlow->tcp_flags & TH_URG)) tcp->status |= ARGUS_CON_ESTABLISHED; switch (ArgusNetFlow->tcp_flags & (TH_SYN|TH_ACK)) { case (TH_SYN): tcp->status |= ARGUS_SAW_SYN; break; case (TH_SYN|TH_ACK): tcp->status |= ARGUS_SAW_SYN_SENT; if (ntohl(ArgusNetFlow->pkts) > 1) tcp->status &= ~(ARGUS_CON_ESTABLISHED); break; } flow->dsrindex |= 1 << ARGUS_NETWORK_INDEX; flow->dsrs[ARGUS_NETWORK_INDEX] = (void *)net; } } if (model->ArgusThisFlow && (model->ArgusThisFlow->ip_flow.ip_src != 0)) { struct ArgusV3TransportStruct *trans = (struct ArgusV3TransportStruct *)&flow->canon.trans; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = ARGUS_TYPE_IPV4; trans->hdr.argus_dsrvl8.len = 3; trans->srcid.a_un.ipv4 = (model->ArgusThisFlow->hdr.subtype & ARGUS_REVERSE) ? model->ArgusThisFlow->ip_flow.ip_dst : model->ArgusThisFlow->ip_flow.ip_src ; trans->seqnum = ArgusFlowSeq + ArgusCounter++; flow->dsrindex |= 1 << ARGUS_TRANSPORT_INDEX; flow->dsrs[ARGUS_TRANSPORT_INDEX] = (void *)trans; } { struct ArgusIPAttrStruct *attr = &flow->canon.attr; attr->hdr.type = ARGUS_IPATTR_DSR; attr->hdr.subtype = 0; attr->hdr.argus_dsrvl8.qual = ARGUS_IPATTR_SRC; attr->hdr.argus_dsrvl8.len = 2; attr->src.tos = ArgusNetFlow->tos; attr->src.ttl = 0; attr->src.ip_id = 0; flow->dsrindex |= 1 << ARGUS_IPATTR_INDEX; flow->dsrs[ARGUS_IPATTR_INDEX] = (void *)attr; } ArgusSendFlowRecord (model, flow, ARGUS_STATUS); } ptr += sizeof(*ArgusNetFlow); break; } case CISCO_VERSION_8: { // ptr += sizeof(CiscoFlowEntryV8_t); break; } case CISCO_VERSION_9: { CiscoFlowEntryV9_t *ArgusNetFlow = (CiscoFlowEntryV9_t *) ptr; int done = 0, flowset_id, flowset_len; flowset_id = ntohs(ArgusNetFlow->flowset_id); flowset_len = ntohs(ArgusNetFlow->length); switch (flowset_id) { case k_CiscoV9TemplateFlowsetId: { if (ArgusParseCiscoRecordV9Template(model, templates, (u_char *)(ArgusNetFlow + 1), (flowset_len - sizeof(*ArgusNetFlow))) == NULL) { } break; } case k_CiscoV9OptionsFlowsetId: { done++; break; } default: { if (flowset_id >= k_CiscoV9MinRecordFlowsetId) { if (ArgusParseCiscoRecordV9Data(model, templates, (u_char *)ArgusNetFlow, flowset_len) == NULL) { } } done++; break; } } ptr += flowset_len; break; } } break; } } } */ #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusParseSflowRecord(%p, %p)", model, ptr); #endif } #endif argus-5.0.2/argus/ArgusSflow.h000066400000000000000000000024151471541253600162370ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Sflow processing includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusSflow.h#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusSflow_h #define ArgusSflow_h #include void ArgusParseSflowRecord (struct ArgusModelerStruct *, void *); #else extern void ArgusParseSflowRecord (struct ArgusModelerStruct *, void *); #endif argus-5.0.2/argus/ArgusSource.c000066400000000000000000005641401471541253600164100ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Source processor * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusSource.c#24 $ * $DateTime: 2016/10/10 23:36:26 $ * $Change: 3221 $ */ /* * ArgusSource.c - Argus packet source routines. * * written by Carter Bullard * QoSient, LLC * Tue Aug 8 08:13:36 EDT 2000 * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #define ARGUS_NEW_INTERFACE_STRATEGY 1 #if !defined(ArgusSource) #define ArgusSource #endif #include #include #include #include #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__sun__) #define PCAP_DONT_INCLUDE_PCAP_BPF_H #include #include #else #if !defined(CYGWIN) #include #endif #endif #include #if defined(HAVE_NETINET_IN_H) #include #endif #if defined(HAVE_ARPA_INET_H) #include #endif #include #include #include #include #include #include #include #include #include /* basename */ #include #include #include #if !defined(PPP_HDRLEN) #define PPP_HDRLEN 4 /* length of PPP header */ #endif #include #include "ArgusIfnam.h" #include "ArgusGetTimeOfDay.h" void ArgusGetInterfaceStatus (struct ArgusSourceStruct *src); void setArgusPcapBufSize (struct ArgusSourceStruct *, int); void setArgusPcapDispatchNumber (struct ArgusSourceStruct *, int); int ArgusGetInterfaceFD = -1; extern int ArgusShutDownFlag; struct anamemem { struct anamemem *n_nxt; unsigned int status, hashval; char *name; }; struct anamemem interfacetable[HASHNAMESIZE]; char *get_interface(const u_char *, struct anamemem *); struct anamemem *lookup_interface(struct anamemem *, const u_char *); unsigned int getnamehash(const u_char *); void delete_interface(const u_char *); void setArgusInterfaceScanInterval (struct ArgusSourceStruct *, int); int ArgusCloseOneSource(struct ArgusSourceStruct *); struct ArgusMarInterfaceStruct *ArgusGenerateMarInfStruct(struct ArgusDeviceStruct *, pcap_if_t *); unsigned int getnamehash(const u_char *np) { unsigned int retn = 0; if (np != NULL) { retn = 5381; int c; while ((c = tolower(*np++)) != '\0') retn = ((retn << 5) + retn) ^ c; // (retn * 33) ^ c } return retn; } char * get_interface(const u_char *inf, struct anamemem *table) { char *retn = NULL; struct anamemem *ap = NULL; if (inf != NULL) { u_int hash; hash = getnamehash(inf); hash %= (HASHNAMESIZE - 1); ap = &table[hash]; while (ap->n_nxt && (retn == NULL)) { if (!strcmp((char *)inf, ap->name)) retn = ap->name; else ap = ap->n_nxt; } } #ifdef ARGUSDEBUG ArgusDebug (6, "get_interface(%s)\n", inf); #endif return (retn); } void delete_interface(const u_char *inf) { struct anamemem *table = interfacetable; struct anamemem *fap = NULL, *ap = NULL; if (inf != NULL) { u_int hash; hash = getnamehash(inf); hash %= (HASHNAMESIZE - 1); ap = &table[hash]; while (ap->n_nxt && (fap == NULL)) { if (!strcmp((char *)inf, ap->name)) fap = ap; else ap = ap->n_nxt; } } if (fap != NULL) { free(fap->name); if (fap->n_nxt) { ap = fap->n_nxt; bcopy(fap->n_nxt, fap, sizeof(*fap)); if (ap->n_nxt == NULL) free (ap); } else { bzero(fap, sizeof(*fap)); } } #ifdef ARGUSDEBUG ArgusDebug (2, "delete_interface(%s)\n", inf); #endif } struct anamemem * lookup_interface(struct anamemem *table, const u_char *inf) { struct anamemem *ap = NULL; if (inf != NULL) { u_int hash; hash = getnamehash(inf); hash %= (HASHNAMESIZE - 1); ap = &table[hash]; while (ap->n_nxt) { if (!strcmp((char *)inf, ap->name)) return ap; else ap = ap->n_nxt; } ap->name = strdup((char *)inf); ap->hashval = hash; ap->n_nxt = (struct anamemem *)calloc(1, sizeof(*ap)); } #ifdef ARGUSDEBUG ArgusDebug (2, "lookup_interface(%s) return %p, %s\n", inf, ap, ap->name); #endif return (ap); } static void ArgusGetPcapPkthdrTime(const struct ArgusSourceStruct * const src, const struct pcap_pkthdr * const hdr, struct timeval *tvp) { #if defined(CYGWIN) struct timeval32 *tvp32 = (struct timeval32 *)&hdr->ts; tvp->tv_sec = tvp32->tv_sec; tvp->tv_usec = tvp32->tv_usec; #else tvp->tv_sec = hdr->ts.tv_sec; tvp->tv_usec = hdr->ts.tv_usec; #endif #if defined(ARGUS_NANOSECONDS) /* If we have nanosecond support compiled in, times are stored * with nanosecond precision. However, if libpcap doesn't support * nanosecond precision for this interface it will return times * in microseconds and we need to scale this value. */ if (src->timeStampType == ARGUS_TYPE_UTC_MICROSECONDS) tvp->tv_usec *= 1000; #endif } struct ArgusDeviceStruct * ArgusCloneDevice(struct ArgusDeviceStruct *dev) { struct ArgusDeviceStruct *retn = NULL; if ((retn = (void *) ArgusCalloc(1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "%s: ArgusCalloc error %s\n", __func__, strerror(errno)); retn->status = dev->status; retn->type = dev->type; retn->link = dev->link; bcopy((char *)&dev->trans, (char *)&retn->trans, sizeof(dev->trans)); retn->idtype = dev->idtype; retn->name = strdup(dev->name); return (retn); } struct ArgusSourceStruct * ArgusCloneSource(struct ArgusSourceStruct *src) { struct ArgusSourceStruct *retn = NULL; int i; if ((retn = (struct ArgusSourceStruct *) ArgusCalloc (1, sizeof (struct ArgusSourceStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusCloneSource: ArgusCalloc error %s\n", strerror(errno)); retn->state = src->state; retn->status = src->status; retn->mode = src->mode; retn->ArgusPcapBufSize = src->ArgusPcapBufSize; retn->ArgusPcapDispatchNum = src->ArgusPcapDispatchNum; retn->ArgusInterfaceScanInterval = src->ArgusInterfaceScanInterval; if (src->ArgusDeviceList) { struct ArgusDeviceStruct *device; pthread_mutex_lock(&src->ArgusDeviceList->lock); retn->ArgusDeviceList = ArgusNewList(); for (device = (struct ArgusDeviceStruct *)src->ArgusDeviceList->start; device; device = (struct ArgusDeviceStruct *)device->nxt) { struct ArgusDeviceStruct *dev; if ((dev = ArgusCloneDevice(device)) == NULL) ArgusLog (LOG_ERR, "%s: ArgusCloneDevice error %s\n", __func__, strerror(errno)); /* nobody is using this list yet, don't bother locking */ ArgusPushBackList(retn->ArgusDeviceList, (struct ArgusListRecord *)dev, ARGUS_NOLOCK); } pthread_mutex_unlock(&src->ArgusDeviceList->lock); } if (src->ArgusInputFilter) retn->ArgusInputFilter = strdup(src->ArgusInputFilter); retn->timeStampType = src->timeStampType; retn->ArgusStartTime = src->ArgusStartTime; retn->ArgusEndTime = src->ArgusEndTime; retn->lasttime = retn->lasttime; retn->ArgusSnapLength = src->ArgusSnapLength; retn->ArgusThisLength = src->ArgusThisLength; retn->ArgusInterfaceType = src->ArgusInterfaceType; retn->ArgusInterfaceStatus = src->ArgusInterfaceStatus; retn->Argustflag = src->Argustflag; retn->sNflag = src->sNflag; retn->eNflag = src->eNflag; retn->kflag = src->kflag; retn->pflag = src->pflag; retn->uflag = src->uflag; retn->Tflag = src->Tflag; retn->ArgusInterfaceIndex = src->ArgusInterfaceIndex; retn->ArgusThisIndex = src->ArgusThisIndex; retn->ArgusInterfaces = src->ArgusInterfaces; for (i = 0; i < src->ArgusInterfaceIndex; i++) bcopy(&src->ArgusInterface[i], &retn->ArgusInterface[i], sizeof(src->ArgusInterface[i])); retn->ArgusInputPacketFileType = src->ArgusInputPacketFileType; retn->ArgusReadingOffLine = src->ArgusReadingOffLine; retn->Argusbpflag = src->Argusbpflag; retn->ArgusCaptureFlag = src->ArgusCaptureFlag; retn->ArgusSnapLen = src->ArgusSnapLen; retn->Argusfflag = src->Argusfflag; retn->ArgusOflag = src->ArgusOflag; retn->Arguspflag = src->Arguspflag; retn->ArgusArgv = src->ArgusArgv; retn->ArgusOptind = src->ArgusOptind; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusCloneSource(%p) returning %p\n", src, retn); #endif return (retn); } struct ArgusSourceStruct * ArgusNewSource(struct ArgusModelerStruct *model) { struct ArgusSourceStruct *retn = NULL; if ((retn = (struct ArgusSourceStruct *) ArgusCalloc (1, sizeof (struct ArgusSourceStruct))) == NULL) ArgusLog (LOG_ERR, "ArgusNewSource: ArgusCalloc error %s\n", strerror(errno)); retn->ArgusModel = model; retn->sNflag = -1; retn->eNflag = -1; retn->ArgusSnapLen = ARGUS_MINSNAPLEN; retn->ArgusPcapDispatchNum = 1; retn->ArgusInterfaceScanInterval = 2; #if defined(ARGUS_THREADS) if (pthread_mutex_init(&retn->lock, NULL)) ArgusLog (LOG_ERR, "ArgusNewSource: pthread_mutex_init error\n"); if (pthread_cond_init(&retn->cond, NULL)) ArgusLog (LOG_ERR, "ArgusNewSource: pthread_cond_init errors\n"); #endif #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusNewSource(%p) returning %p\n", model, retn); #endif return (retn); } #include #include #include #include int ArgusOpenDevice(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); int ArgusOpenInterface(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); int ArgusOpenDevice(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { int retn = 0, count, i, cnt = src->ArgusInterfaces; if (device) { int infs = 0; if (device->list && (count = device->list->count)) { for (i = 0; i < count; i++) { struct ArgusDeviceStruct *dev = (struct ArgusDeviceStruct *) ArgusPopFrontList(device->list, ARGUS_LOCK); if (!(dev->status & ARGUS_DONT_OPEN)) { if ((infs = ArgusOpenInterface(src, dev, &src->ArgusInterface[src->ArgusInterfaces])) > 0) { src->ArgusInterfaces += infs; } else { device->status |= ARGUS_DONT_OPEN; } } ArgusPushBackList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); } } else { if (!(device->status & ARGUS_DONT_OPEN)) { if ((infs = ArgusOpenInterface(src, device, &src->ArgusInterface[src->ArgusInterfaces])) > 0) src->ArgusInterfaces += infs; else device->status |= ARGUS_DONT_OPEN; } } } retn = (src->ArgusInterfaces - cnt); return retn; } // // Set pcap timestamp type ... there are 3 components: // 1) precision - high, low // 2) sync - synchronized, unsynchronized // 3) source - host, adpater // // So we want to support a format that allows us to set priorities using tokens ... // hiprec // lowprec // adapter // host // sync // unsync // default // // So, lets pass a string with tokens, and take them as a priority list. // ARGUS_TIMESTAMP_TYPE="token[,token[,token]...]" // // Allowed are strings like: // "hiprec, adpater, sync". // "host, sync" // "lowprec" // #define ARGUS_TIMESTAMP_LOWPREC 0x01 #define ARGUS_TIMESTAMP_HIPREC 0x02 #define ARGUS_TIMESTAMP_ADAPTER 0x04 #define ARGUS_TIMESTAMP_HOST 0x08 #define ARGUS_TIMESTAMP_UNSYNCH 0x10 #define ARGUS_TIMESTAMP_SYNCH 0x20 int ArgusTimeStampType = 0; int setArgusTimestampType(char *optarg) { int retn = 0; char *str, *ptr, *tok; if (optarg && strlen(optarg)) { str = strdup(optarg); ptr = str; #if defined(HAVE_PCAP_SET_TSTAMP_TYPE) while ((tok = strtok(ptr, " ,\r\n")) != NULL) { if (!(strcasecmp(tok, "hiprec"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_HIPREC; } else if (!(strcasecmp(tok, "lowprec"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_LOWPREC; } else if (!(strcasecmp(tok, "adapter"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_ADAPTER; } else if (!(strcasecmp(tok, "host"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_HOST; } else if (!(strcasecmp(tok, "sync"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_SYNCH; } else if (!(strcasecmp(tok, "unsync"))) { ArgusTimeStampType |= ARGUS_TIMESTAMP_UNSYNCH; } else if (!(strcasecmp(tok, "any"))) { ArgusTimeStampType = ARGUS_TIMESTAMP_HIPREC | ARGUS_TIMESTAMP_LOWPREC | ARGUS_TIMESTAMP_ADAPTER | ARGUS_TIMESTAMP_HOST | ARGUS_TIMESTAMP_SYNCH | ARGUS_TIMESTAMP_UNSYNCH; } else if (!(strcasecmp(tok, "default"))) { ArgusTimeStampType = 0; } ptr = NULL; } #endif free(str); } #ifdef ARGUSDEBUG ArgusDebug(4, "setArgusTimestampType('%s'): called\n", optarg); #endif return retn; } int ArgusDeDup = 0; int setArgusDeDup(char *optarg) { int retn = 0; if (optarg && strlen(optarg)) { if (!(strcasecmp(optarg, "yes"))) { ArgusDeDup = 1; } } #ifdef ARGUSDEBUG ArgusDebug(4, "setArgusDeDup('%s'): called\n", optarg); #endif return retn; } int setArgusListInterfaces (struct ArgusSourceStruct *src, int status) { pcap_if_t *devs = NULL, *d = NULL; char *errbuf; int i = 0; src->ArgusInterfaces = 0; bzero ((char *)&src->ArgusInterface, sizeof(src->ArgusInterface)); if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) != NULL) { #if defined(HAVE_PCAP_FINDALLDEVS_NOCHECKS) if (pcap_findalldevs_nochecks(&devs, errbuf) == -1) ArgusLog (LOG_ERR, "%s: pcap_findalldevs_nochecks %s\n", __func__, errbuf); #else if (pcap_findalldevs(&devs, errbuf) == -1) ArgusLog (LOG_ERR, "%s: pcap_findalldevs %s\n", __func__, errbuf); #endif ArgusFree(errbuf); } else ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); for (d = devs; d != NULL; d = d->next) { printf ("%d. %s", ++i, d->name); if (d->description) printf (" (%s)\n", d->description); else printf ("\n"); } pcap_freealldevs(devs); exit(1); } int ArgusOpenInterface(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { int type, retn = 0; char *errbuf; if (ArgusShutDownFlag) return retn; if ((device == NULL) || (device->name == NULL)) { if (inf->ArgusDevice) device = inf->ArgusDevice; else return retn; } if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) == NULL) ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); inf->ArgusDevice = device; src->timeStampType = ARGUS_TYPE_UTC_MICROSECONDS; if ((inf->ArgusPd = pcap_create(device->name, errbuf)) != NULL) { pcap_set_snaplen(inf->ArgusPd, src->ArgusSnapLen); pcap_set_promisc(inf->ArgusPd, src->Arguspflag); pcap_set_timeout(inf->ArgusPd, 100); #if defined(HAVE_PCAP_SET_TSTAMP_TYPE) { int *tstamp_types = NULL, cnt, i; if ((cnt = pcap_list_tstamp_types(inf->ArgusPd, &tstamp_types)) > 0) { int hiprec = 0, lowprec = 0, adapter = 0, adapterUnsync = 0; int type = 0; for (i = 0; i < cnt; i++) { if (tstamp_types[i] == PCAP_TSTAMP_ADAPTER) { adapter = 1; } else if (tstamp_types[i] == PCAP_TSTAMP_ADAPTER_UNSYNCED) { adapterUnsync = 1; } else if (tstamp_types[i] == PCAP_TSTAMP_HOST_HIPREC) { hiprec = 1; } else if (tstamp_types[i] == PCAP_TSTAMP_HOST_LOWPREC) { lowprec = 1; } } pcap_free_tstamp_types(tstamp_types); if (hiprec && (ArgusTimeStampType & ARGUS_TIMESTAMP_HIPREC)) { type = PCAP_TSTAMP_HOST_HIPREC; } else if (adapter && (ArgusTimeStampType & ARGUS_TIMESTAMP_ADAPTER)) { type = PCAP_TSTAMP_ADAPTER; } else if (lowprec && (ArgusTimeStampType & ARGUS_TIMESTAMP_LOWPREC)) { type = PCAP_TSTAMP_HOST_LOWPREC; } else if (adapterUnsync && ((ArgusTimeStampType & ARGUS_TIMESTAMP_ADAPTER) && (ArgusTimeStampType & ARGUS_TIMESTAMP_UNSYNCH))) { type = PCAP_TSTAMP_ADAPTER_UNSYNCED; } if (type != 0) { pcap_set_tstamp_type(inf->ArgusPd, type); #ifdef ARGUSDEBUG ArgusDebug(4, "pcap_set_tstamp_type: set to %s\n", pcap_tstamp_type_val_to_name(type)); #endif } } else { if (cnt < 0) { ArgusLog (LOG_INFO, "ArgusOpenInterface pcap_list_tstamp_types: %s: %s\n", device->name, pcap_geterr(inf->ArgusPd)); } } } #endif #if defined(ARGUS_NANOSECONDS) && defined(HAVE_PCAP_SET_TSTAMP_PRECISION) switch (pcap_set_tstamp_precision(inf->ArgusPd, PCAP_TSTAMP_PRECISION_NANO)) { case PCAP_ERROR_TSTAMP_PRECISION_NOTSUP: case PCAP_ERROR_ACTIVATED: #ifdef ARGUSDEBUG ArgusDebug(4, "Cannot set pcap timestamp precision to nanoseconds for %s\n", device->name); #endif break; case 0: src->timeStampType = ARGUS_TYPE_UTC_NANOSECONDS; break; } #endif #ifdef HAVE_PCAP_SET_BUFFER_SIZE if (src->ArgusPcapBufSize > 0) { pcap_set_buffer_size(inf->ArgusPd, src->ArgusPcapBufSize); #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusOpenInterface() pcap_set_buffer_size(%p, %d)\n", src, src->ArgusPcapBufSize); #endif } #endif switch (retn = pcap_activate(inf->ArgusPd)) { case PCAP_ERROR_ACTIVATED: case PCAP_ERROR_NO_SUCH_DEVICE: case PCAP_ERROR_PERM_DENIED: #if defined(PCAP_ERROR_PROMISC_PERM_DENIED) case PCAP_ERROR_PROMISC_PERM_DENIED: #endif case PCAP_ERROR: { ArgusLog (LOG_INFO, "ArgusOpenInterface %s: %s\n", device->name, pcap_geterr(inf->ArgusPd)); pcap_close(inf->ArgusPd); inf->ArgusPd = NULL; retn = 0; break; } case PCAP_ERROR_IFACE_NOT_UP: case PCAP_WARNING_PROMISC_NOTSUP: #if defined(PCAP_WARNING_TSTAMP_TYPE_NOTSUP) case PCAP_WARNING_TSTAMP_TYPE_NOTSUP: #endif case PCAP_WARNING: default: retn = 1; } if (inf->ArgusPd != NULL) { pcap_setnonblock(inf->ArgusPd, 1, errbuf); if (device->dltname != NULL) { #ifdef HAVE_PCAP_SET_DATALINK if (pcap_set_datalink(inf->ArgusPd, device->dlt) < 0) ArgusLog(LOG_ERR, "%s: %s", __func__, pcap_geterr(inf->ArgusPd)); #else /* * We don't actually support changing the * data link type, so we only let them * set it to what it already is. */ if (device->dlt != pcap_datalink(inf->ArgusPd)) ArgusLog(LOG_ERR, "%s: %s is not one of the DLTs supported by this device\n", __func__, device->dltname); #endif } #if defined(__APPLE_CC__) || defined(__APPLE__) #if !defined(HAVE_PCAP_FINDALLDEVS_NOCHECKS) #if defined(BIOCIMMEDIATE) { int v = 1; ioctl(pcap_fileno(inf->ArgusPd), BIOCIMMEDIATE, &v); } #endif #endif #endif src->ArgusInputPacketFileType = ARGUSLIBPPKTFILE; inf->ArgusInterfaceType = ARGUSLIBPPKTFILE; memset((char *)&inf->ifr, 0, sizeof(inf->ifr)); strncpy(inf->ifr.ifr_name, device->name, sizeof(inf->ifr.ifr_name)); if (!((pcap_lookupnet (device->name, (u_int *)&inf->ArgusLocalNet, (u_int *)&inf->ArgusNetMask, errbuf)) < 0)) { #if defined(_LITTLE_ENDIAN) inf->ArgusLocalNet = ntohl(inf->ArgusLocalNet); inf->ArgusNetMask = ntohl(inf->ArgusNetMask); #endif } if ((type = pcap_datalink(inf->ArgusPd)) >= 0) inf->ArgusCallBack = Arguslookup_pcap_callback(type); if (inf->ArgusCallBack == NULL) { if (type > 0) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusOpenInterface(%p, '%s') unsupported device type %d\n", src, inf->ArgusDevice->name, type); #endif } device->status |= ARGUS_DONT_OPEN; pcap_close(inf->ArgusPd); inf->ArgusPd = NULL; retn = 0; } else retn = 1; if (inf->ArgusPd != NULL) inf->ArgusDump = ArgusNewDump(src, inf); } } ArgusFree(errbuf); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusOpenInterface(%p, '%s') returning %d\n", src, inf->ArgusDevice->name, retn); #endif return retn; } #define MAX_RECEIVE_PACKETS (2000) int ArgusInitSource (struct ArgusSourceStruct *src) { char *cmdbuf = NULL; int retn = 0, i = 0; src->ArgusInterfaces = 0; if (src->ArgusDeviceList == NULL) { pcap_if_t *d; char *errbuf; if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) != NULL) { #if defined(HAVE_PCAP_FINDALLDEVS_NOCHECKS) if (pcap_findalldevs_nochecks(&src->ArgusPacketDevices, errbuf) == -1) ArgusLog (LOG_ERR, "ArgusInitSource: pcap_findalldevs_nochecks %s\n", errbuf); #else if (pcap_findalldevs(&src->ArgusPacketDevices, errbuf) == -1) ArgusLog (LOG_ERR, "ArgusInitSource: pcap_findalldevs %s\n", errbuf); #endif ArgusFree(errbuf); } for (d = src->ArgusPacketDevices; d != NULL; d = d->next) { #if defined(CYGWIN) printf ("%d. %s", ++i, d->name); if (d->description) printf (" (%s)\n", d->description); else printf ("\n"); #else i++; #if defined(ARGUS_NEW_INTERFACE_STRATEGY) setArgusDevice (src, d->name, ARGUS_LIVE_DEVICE, 0); #endif #endif } #if defined(ARGUS_NEW_INTERFACE_STRATEGY) if (i == 0) ArgusLog (LOG_ERR, "ArgusInitSource: no interfaces\n"); #endif #if defined(CYGWIN) pcap_freealldevs(src->ArgusPacketDevices); exit(1); #else #if !defined(ARGUS_NEW_INTERFACE_STRATEGY) setArgusDevice (src, src->ArgusPacketDevices->name, ARGUS_LIVE_DEVICE, 0); #endif pcap_freealldevs(src->ArgusPacketDevices); #endif } if (src->ArgusDeviceList) { struct ArgusDeviceStruct *device; pthread_mutex_lock(&src->ArgusDeviceList->lock); for (device = (struct ArgusDeviceStruct *)src->ArgusDeviceList->start; device; device = (struct ArgusDeviceStruct *)device->nxt) { bzero ((char *)&src->ArgusInterface[src->ArgusInterfaces], sizeof(src->ArgusInterface[0])); switch (device->type) { case ARGUS_LIVE_DEVICE: src->ArgusInterfaces += ArgusOpenDevice(src, device, &src->ArgusInterface[src->ArgusInterfaces]); break; case ARGUS_FILE_DEVICE: src->ArgusInterfaces += ArgusOpenInputPacketFile(src, device, &src->ArgusInterface[i]); break; } } pthread_mutex_unlock(&src->ArgusDeviceList->lock); } if (src->ArgusInterfaces > 0) { if (setuid(getuid()) != 0) ArgusLog (LOG_ERR, "ArgusInitSource: setuid %s\n", strerror(errno)); cmdbuf = ArgusCopyArgv(&src->ArgusArgv[src->ArgusOptind]); if (cmdbuf) { if (src->ArgusInputFilter) ArgusFree(src->ArgusInputFilter); src->ArgusInputFilter = cmdbuf; } if (src->ArgusInputFilter != NULL) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { bzero ((char *) &src->ArgusInterface[i].ArgusFilter, sizeof (struct bpf_program)); if (pcap_compile (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusFilter, src->ArgusInputFilter, getArgusOflag(src), src->ArgusInterface[i].ArgusNetMask) < 0) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[i].ArgusPd)); if (src->Argusbpflag) { Argusbpf_dump (&src->ArgusInterface[i].ArgusFilter, src->Argusbpflag); exit(0); } if (src->ArgusInputPacketFileType == ARGUSLIBPPKTFILE) { if (src->ArgusInputFilter != NULL) { if (pcap_setfilter (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusFilter) < 0) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (src->ArgusInterface[i].ArgusPd)); } } } } } src->ArgusModel = ArgusCloneModeler(ArgusModel); src->ArgusModel->ArgusSrc = src; ArgusInitModeler(src->ArgusModel); #if defined(ARGUS_THREADS) if (pthread_mutex_init(&src->lock, NULL)) ArgusLog (LOG_ERR, "ArgusInitSource: pthread_mutex_init error\n"); if (pthread_cond_init(&src->cond, NULL)) ArgusLog (LOG_ERR, "ArgusInitSource: pthread_cond_init error\n"); #endif retn = 1; } else { src->status |= ARGUS_NOSOURCES; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitSource: no packet sources for device %s.", src->ArgusDeviceStr ? src->ArgusDeviceStr : "(unknown)"); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusInitSource(%p) returning %d\n", src, retn); #endif return retn; } int ArgusCloseOneSource(struct ArgusSourceStruct *src) { if (src != NULL) { int j; #ifdef ARGUSDEBUG char *str = src->ArgusDeviceStr; ArgusDebug (1, "%s(%p) %s starting\n", __func__, src, str); #endif #if defined(ARGUS_THREADS) if (src->thread) { pthread_join(src->thread, NULL); src->thread = 0; } #endif for (j = 0; j < src->ArgusInterfaces; j++) { if (src->ArgusInterface[j].ArgusPd) { pcap_close(src->ArgusInterface[j].ArgusPd); src->ArgusInterface[j].ArgusPd = NULL; } } if (src->ArgusInputFilter) { ArgusFree (src->ArgusInputFilter); src->ArgusInputFilter = NULL; } if (src->ArgusDeviceStr) { free(src->ArgusDeviceStr); src->ArgusDeviceStr = NULL; } if (src->ArgusMarIncludeInterface) { free(src->ArgusMarIncludeInterface); src->ArgusMarIncludeInterface = NULL; } if (src->ArgusDeviceList) { ArgusDeleteList(src->ArgusDeviceList, ARGUS_DEVICE_LIST); src->ArgusDeviceList = NULL; } if (src->ArgusRfileList != NULL) { ArgusDeleteList (src->ArgusRfileList, ARGUS_RFILE_LIST); src->ArgusRfileList = NULL; } if (src->ArgusModel != NULL) { ArgusCloseModeler(src->ArgusModel); ArgusFree(src->ArgusModel); src->ArgusModel = NULL; } src->status |= ARGUS_SHUTDOWN; #if defined(ARGUS_THREADS) pthread_mutex_lock(&src->lock); pthread_cond_signal(&src->cond); pthread_mutex_unlock(&src->lock); #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "%s(%p) done, returning %d\n", __func__, src, 0); #endif return (0); } int ArgusCloseSource(struct ArgusSourceStruct *stask) { int ret = 0; int err; int i; struct ArgusSourceStruct *src; if (stask == NULL) /* nothing to do */ return 0; #ifdef ARGUSDEBUG ArgusDebug (1, "%s(%p) starting\n", __func__, stask); #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) { src = stask->srcs[i]; if (src == NULL) break; err = ArgusCloseOneSource(src); if (err < 0) ret = -1; } if (stask->ArgusModel == ArgusModel) stask->ArgusModel = NULL; ArgusCloseOneSource(stask); #ifdef ARGUSDEBUG ArgusDebug (2, "%s(%p) done, returning %d\n", __func__, stask, ret); #endif return ret; } void ArgusDeleteSource(struct ArgusSourceStruct *src) { int i; if (src) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusDeleteSource(%p) starting\n", src); #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (src->srcs[i] != NULL) { if (src->srcs[i]->ArgusModel != NULL) ArgusFree (src->srcs[i]->ArgusModel); ArgusFree (src->srcs[i]); src->srcs[i] = NULL; } else break; } #if defined(ARGUS_THREADS) pthread_mutex_destroy(&src->lock); #endif ArgusFree (src); } #ifdef ARGUSDEBUG ArgusDebug (2, "%s(%p) done\n", __func__, src); #endif } int getArgusID(struct ArgusSourceStruct *src, struct ArgusAddrStruct *addr) { int retn = 0; if ((src != NULL) && (addr != NULL)) { bcopy((char *)&src->trans.srcid, (char *)addr, sizeof(*addr)); retn = 1; } #ifdef ARGUSDEBUG ArgusDebug (7, "getArgusID(%p) done\n", src); #endif return (retn); } unsigned int getArgusIDType(struct ArgusSourceStruct *src) { #ifdef ARGUSDEBUG ArgusDebug (7, "getArgusIDType(%p) done\n", src); #endif return (src->type); } void setArgusID(struct ArgusSourceStruct *src, void *ptr, int len, unsigned int type) { struct ArgusTransportStruct *trans = &src->trans; bzero (trans, sizeof(*trans)); if (len > 0) { int offset = 0; trans->hdr.type = ARGUS_TRANSPORT_DSR; trans->hdr.subtype = ARGUS_SRCID | ARGUS_SEQ; trans->hdr.argus_dsrvl8.qual = type; switch (type & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: bcopy((char *)ptr, &trans->srcid.a_un.str, strlen((char *)ptr)); break; case ARGUS_TYPE_INT: trans->srcid.a_un.value = *(unsigned int *)ptr; offset = sizeof(unsigned int); break; case ARGUS_TYPE_IPV4: trans->srcid.a_un.ipv4 = ntohl(*(unsigned int *)ptr); offset = sizeof(unsigned int); break; case ARGUS_TYPE_IPV6: bcopy((char *)ptr, &trans->srcid.a_un.ipv6, 16); offset = sizeof(trans->srcid.a_un.ipv6); break; case ARGUS_TYPE_UUID: bcopy((char *)ptr, &trans->srcid.a_un.uuid, 16); offset = sizeof(trans->srcid.a_un.uuid); break; } trans->hdr.argus_dsrvl8.len = (offset + 3)/4 + 1; if (type & ARGUS_TYPE_INTERFACE) { char *iptr = NULL, *buf = NULL; trans->hdr.subtype |= ARGUS_TYPE_INTERFACE; iptr = (char *)ptr + offset; buf = (char *)&trans->srcid + offset; bcopy(iptr, (char *)buf, 4); trans->hdr.argus_dsrvl8.len += 1; } } src->type = type; #ifdef ARGUSDEBUG ArgusDebug (1, "setArgusID(%p, %p, 0x%x) done", src, ptr, type); #endif } void setArgusPcapBufSize (struct ArgusSourceStruct *src, int size) { if (src != NULL) { src->ArgusPcapBufSize = size; } #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusPcapBufSize(%p, %d)\n", src, size); #endif } void setArgusPcapDispatchNumber (struct ArgusSourceStruct *src, int num) { if (src != NULL) { src->ArgusPcapDispatchNum = num; } #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusPcapDispatchNumber(%p, %d)\n", src, num); #endif } void setArgusInterfaceScanInterval (struct ArgusSourceStruct *src, int num) { if (src != NULL) src->ArgusInterfaceScanInterval = num; #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusInterfaceScanInterval(%p, %d)\n", src, num); #endif } unsigned char getArgusInterfaceStatus(struct ArgusSourceStruct *src) { return (src->ArgusInterfaceStatus); } void setArgusInterfaceStatus(struct ArgusSourceStruct *src, unsigned char value) { src->ArgusInterfaceStatus = value; #ifdef ARGUSDEBUG ArgusDebug (6, "setArgusInterfaceStatus(%p, %d)\n", src, value); #endif } int getArgusSnapLen(struct ArgusSourceStruct *src) { return (src->ArgusSnapLen); } void setArgusSnapLen(struct ArgusSourceStruct *src, int value) { src->ArgusSnapLen = value; } int getArgusfflag(struct ArgusSourceStruct *src) { return (src->Argusfflag); } int getArgusbpflag(struct ArgusSourceStruct *src) { return (src->Argusbpflag); } int getArguspflag(struct ArgusSourceStruct *src) { return (src->Arguspflag); } int getArgusOflag(struct ArgusSourceStruct *src) { return (src->ArgusOflag); } void setArgusfflag(struct ArgusSourceStruct *src, int value) { src->Argusfflag = value; } void setArgusbpflag(struct ArgusSourceStruct *src, int value) { src->Argusbpflag = value; } void setArguspflag(struct ArgusSourceStruct *src, int value) { src->Arguspflag = value; } void setArgusOflag(struct ArgusSourceStruct *src, int value) { src->ArgusOflag = value; } void setArgusCaptureFlag(struct ArgusSourceStruct *src, int value) { src->ArgusCaptureFlag = value; } /* getArgusDevice: caller is responsible for freeing return value */ char * getArgusDevice (struct ArgusSourceStruct *src) { struct ArgusDeviceStruct *device = NULL; char *retn = NULL; if (src->ArgusDeviceList != NULL) { pthread_mutex_lock(&src->ArgusDeviceList->lock); device = (struct ArgusDeviceStruct *)src->ArgusDeviceList->start; if (device) retn = strdup(device->name); pthread_mutex_unlock(&src->ArgusDeviceList->lock); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "getArgusDevice(%p) src->ArgusDeviceList is NULL\n", src); #endif } #ifdef ARGUSDEBUG ArgusDebug (1, "getArgusDevice(%p) returning %s\n", src, retn ? retn : "NULL"); #endif return (retn); } /* * The syntax for specifying this either on the command line or in this file: * -i ind:all * -i dup:en0,en1 * -i bond:en0,en1 * -i dup:[bond:en0,en1],en2 * -i en0 -i en1 (equivalent '-i ind:en0,en1') * -i en0 en1 (equivalent '-i bond:en0,en1') * */ int ArgusCheckPcapDevices(pcap_if_t *, char *); int ArgusCheckPcapDevices(pcap_if_t *alldevs, char *tok) { int retn = 0; pcap_if_t *d; if (!(strncmp("all", tok, 3))) { if (alldevs != NULL) retn = 1; } else { for (d = alldevs; d != NULL; d = d->next) { if (!strcmp(tok, d->name)) { retn = 1; break; } } } return(retn); } #ifdef CYGWIN static int __pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf, const char *funcname) { int severity = 0; int retrycount = 5; struct timespec t = {0, 100000000}; int retn = -1; while (retrycount-- > 0 && retn == -1) { if ((retn = pcap_findalldevs(alldevsp, errbuf)) == -1) { if (severity != 0) { ArgusLog (severity, "%s: pcap_findalldevs %s\n", funcname, errbuf); } } if (retrycount == 1) severity = LOG_INFO; else if (retn == -1) nanosleep(&t, NULL); } return (retn); } #else static inline int __pcap_findalldevs(pcap_if_t **alldevsp, char *errbuf, const char *funcname __attribute__((unused))) { return pcap_findalldevs(alldevsp, errbuf); } #endif #define ARGUS_INTERFACE_TYPE 0x01 struct ArgusMarInterfaceStruct * ArgusGenerateMarInfStruct(struct ArgusDeviceStruct *dev, pcap_if_t *d) { struct ArgusMarInterfaceStruct *retn = NULL; pcap_addr_t *dev_addr; #if !defined(CYGWIN) struct ifreq ifr; #endif char *tptr; if ((dev_addr = d->addresses) != NULL) { if ((retn = (struct ArgusMarInterfaceStruct *) ArgusCalloc(1, 4096)) == NULL) ArgusLog (LOG_ERR, "ArgusGenerateMarInfStruct ArgusCalloc %s\n", strerror(errno)); retn->type = ARGUS_INTERFACE_TYPE; retn->length = sizeof(*retn) / 4; bcopy(dev->trans.srcid.inf, retn->inf, sizeof(retn->inf)); tptr = (char *)&retn->addr; while (dev_addr != NULL) { struct sockaddr *sa = dev_addr->addr; struct ArgusAddressStruct taddrbuf, *taddr = &taddrbuf; int len = 0; bzero(taddr, sizeof(*taddr)); /* struct ArgusAddressStruct { unsigned char type, length; unsigned short status; union { struct ArgusHAddr l2addr; struct ArgusIPv4Addr ipv4; struct ArgusIPv6Addr ipv6; } addr; }; */ if (sa != NULL) { switch (sa->sa_family) { #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__sun__) case AF_LINK: { struct sockaddr_dl *dl = (struct sockaddr_dl *) sa; char *addr = (char *)&taddr->addr.l2addr; taddr->type = IANA_AF_802; len = dl->sdl_alen; memcpy(addr, LLADDR(dl), len); break; } #else # if !defined(CYGWIN) case AF_PACKET: { struct sockaddr_ll *ll = (struct sockaddr_ll *) sa; char *addr = (char *)&taddr->addr.l2addr; taddr->type = IANA_AF_802; len = ll->sll_halen; bcopy(&ll->sll_addr, addr, len); break; } # endif #endif case AF_INET: { struct sockaddr_in *sin = (struct sockaddr_in *)sa; char *addr = (char *)&taddr->addr.ipv4.addr; char *mask = (char *)&taddr->addr.ipv4.mask; taddr->type = IANA_AF_IP; len = sizeof(sin->sin_addr.s_addr); if (dev_addr->addr) { bcopy(&((struct sockaddr_in *)dev_addr->addr)->sin_addr.s_addr, addr, len); } if (dev_addr->netmask) { bcopy(&((struct sockaddr_in *)dev_addr->netmask)->sin_addr.s_addr, mask, len); } len = 2 * len; break; } case AF_INET6: { struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)dev_addr->addr; struct sockaddr_in6 *mask6 = (struct sockaddr_in6 *)dev_addr->netmask; char *addr = (char *)&taddr->addr.ipv6.addr; char *c = (char *)&mask6->sin6_addr.s6_addr; unsigned char n = 0; int i = 0, j = 0; taddr->type = IANA_AF_IP6; len = sizeof(sin6->sin6_addr.s6_addr); bcopy((char *)sin6->sin6_addr.s6_addr, addr, len); while (i < 16) { n = c[i]; while (n > 0) { if (n & 1) j++; n = n/2; } i++; } taddr->addr.ipv6.prefixlen = j; len += sizeof(taddr->addr.ipv6.prefixlen); break; } } taddr->length = ((len + 3) / 4) + 1; bcopy(taddr, tptr, taddr->length * 4); tptr += taddr->length * 4; retn->length += taddr->length; } dev_addr = dev_addr->next; } #if !defined(CYGWIN) if (strlen(dev->name) < sizeof(ifr.ifr_name)) { int fd; if (ArgusGetInterfaceFD < 0) if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0) ArgusLog(LOG_ERR, "ArgusGetInterfaceStatus: socket %s", strerror(errno)); fd = ArgusGetInterfaceFD; strcpy(ifr.ifr_name, dev->name); if ((ioctl(fd, SIOCGIFFLAGS, (char *)&ifr)) == 0) { retn->flags = ifr.ifr_flags; } if ((ioctl(fd, SIOCGIFMTU, (char *)&ifr)) == 0) { retn->mtu = ifr.ifr_mtu; } } #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGenerateMarInfStruct(%p, %p) returning %p\n", dev, d, retn); #endif return (retn); } // The syntax for specifying this either on the command line or in this file: // -i ind:all // -i dup:en0,en1/srcid // -i bond:en0,en1/srcid // -i dup:[bond:en0,en1],en2/srcid // -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') // -i en0 en1 (equivalent '-i bond:en0,en1') // [{ind,dup,bond,dup}:]inf[/srcid] // inf syntax is: // any // all // inf[,inf...] void setArgusDevice (struct ArgusSourceStruct *src, char *cmd, int type, int mode) { if (src->ArgusDeviceList == NULL) src->ArgusDeviceList = ArgusNewList(); if (cmd && (strlen(cmd) > 0)) { struct ArgusDeviceStruct *device = NULL; char *errbuf, *tok, *stok, *params = NULL; pcap_if_t *alldevs = NULL, *d; char *ptr = NULL; struct ArgusDeviceStruct *dev = NULL; int status = 0; if ((params = strdup(cmd)) == NULL) ArgusLog (LOG_ERR, "setArgusDevice strdup %s\n", strerror(errno)); if (src->ArgusDeviceStr != NULL) { free(src->ArgusDeviceStr); src->ArgusDeviceStr = NULL; } if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) != NULL) { if (type == ARGUS_LIVE_DEVICE) { src->ArgusDeviceStr = strdup(cmd); if (__pcap_findalldevs(&alldevs, errbuf, __func__) == -1) ArgusLog (LOG_INFO, "setArgusDevice: __pcap_findalldevs %s\n", errbuf); } else { /* forward slashes cause confusion later since they are assumed * to separate srcid and inf. Remove directory path elements. */ src->ArgusDeviceStr = strdup(basename(cmd)); } ArgusFree(errbuf); } // we need to parse this bad thing and construct the devices struct if (!(strncmp("ind:", params, 4))) { ptr = ¶ms[4]; status = ARGUS_TYPE_IND; } else if (!(strncmp("dup:", params, 4))) { ptr = ¶ms[4]; status = ARGUS_TYPE_DUPLEX; } else if (!(strncmp("bond:", params, 5))) { ptr = ¶ms[5]; status = ARGUS_TYPE_BOND; } else { ptr = params; status = ARGUS_TYPE_IND; } while ((tok = strtok(ptr, " ")) != NULL) { char *srcid = NULL, *dlt = NULL, *sptr = NULL; switch (type) { case ARGUS_LIVE_DEVICE: { if ((sptr = strchr (tok, '/')) != NULL) { srcid = strdup(sptr); *sptr = '\0'; } if ((sptr = strchr (tok, '(')) != NULL) { *sptr++ = '\0'; dlt = sptr; if ((sptr = strchr (dlt, ')')) != NULL) *sptr = '\0'; } if (!(strncmp("any", tok, 3))) { setArgusDevice (src, alldevs->name, ARGUS_LIVE_DEVICE, 0); break; } else if (!(strncmp("all", tok, 3))) { if (alldevs != NULL) { for (d = alldevs; d != NULL; d = d->next) { if (!(d->flags & PCAP_IF_LOOPBACK)) { if ((dev = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); dev->name = strdup(d->name); dev->status = status; dev->type = type; dev->mode = mode; if (dlt != NULL) { #if defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) dev->dlt = pcap_datalink_name_to_val(dlt); #endif dev->dltname = strdup(dlt); } if (dev != NULL) { if (srcid != NULL) { int type = ArgusSourceTask->type; ArgusParseSourceID (ArgusSourceTask, dev, srcid); dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type; ArgusSourceTask->type = type; } else { char inf[5] = {0,}; dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type | ARGUS_TYPE_INTERFACE; if (dev && (dev->name != NULL)) { char buffer[128]; shortname_ethdev_unique(dev->name, inf, sizeof(inf), src->ArgusDeviceList); bcopy(inf, dev->trans.srcid.inf, 4); dev->trans.hdr.argus_dsrvl8.qual |= ARGUS_TYPE_INTERFACE; snprintf(buffer, 128, "mapping interface name %s -> %s\n", dev->name, inf); ArgusLog(LOG_INFO, "%s\n", buffer); } } dev->inf = ArgusGenerateMarInfStruct(dev, d); } switch (status) { case ARGUS_TYPE_IND: ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; case ARGUS_TYPE_BOND: case ARGUS_TYPE_DUPLEX: if (device == NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); device->name = strdup(cmd); device->status = status; device->type = type; device->trans = dev->trans; device->list = ArgusNewList(); } ArgusPushFrontList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; } if (!(strcmp(dev->name, "any"))) dev->status |= ARGUS_DONT_OPEN; } } } break; } // Deliberate fall through to process specific interface name } case ARGUS_FILE_DEVICE: { while ((stok = strtok(tok, ",")) != NULL) { if ((dev = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); dev->name = strdup(stok); dev->status = status; dev->type = type; dev->mode = mode; if (dlt != NULL) { #if defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) dev->dlt = pcap_datalink_name_to_val(dlt); #endif dev->dltname = strdup(dlt); } if (dev != NULL) { if (srcid != NULL) { int type = ArgusSourceTask->type; ArgusParseSourceID (ArgusSourceTask, dev, srcid); dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type; ArgusSourceTask->type = type; } else { char inf[5] = {0,}; dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type | ARGUS_TYPE_INTERFACE; if (dev && (dev->name != NULL)) { shortname_ethdev_unique(dev->name, inf, sizeof(inf), src->ArgusDeviceList); bcopy(inf, dev->trans.srcid.inf, 4); dev->trans.hdr.argus_dsrvl8.qual |= ARGUS_TYPE_INTERFACE; ArgusLog(LOG_INFO, "mapping interface name %s -> %s\n", dev->name, inf); } } } switch (status) { case ARGUS_TYPE_IND: ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; case ARGUS_TYPE_BOND: case ARGUS_TYPE_DUPLEX: if (device == NULL) { if ((device = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*device))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); device->name = strdup(cmd); device->status = status; device->type = type; device->list = ArgusNewList(); } ArgusPushFrontList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); break; } tok = NULL; } break; } } if (srcid != NULL) { free(srcid); srcid = NULL; } ptr = NULL; } if (device != NULL) ArgusPushFrontList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); if (alldevs != NULL) pcap_freealldevs(alldevs); } #ifdef ARGUSDEBUG ArgusDebug (3, "setArgusDevice(%s) returning\n", cmd); #endif } void clearArgusDevice (struct ArgusSourceStruct *src) { struct ArgusListStruct *list; struct ArgusListRecord *retn; if ((list = src->ArgusDeviceList) != NULL) { while ((retn = ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) retn; if (device->list && device->list->count) { struct ArgusListRecord *lrec; while ((lrec = ArgusPopFrontList(device->list, ARGUS_LOCK)) != NULL) { struct ArgusDeviceStruct *tdev = (struct ArgusDeviceStruct *) lrec; if (tdev->name != NULL) free(tdev->name); ArgusFree(lrec); } } if (device->inf != NULL) ArgusFree(device->inf); if (device->name != NULL) free(device->name); ArgusFree(retn); } } #ifdef ARGUSDEBUG ArgusDebug (3, "clearArgusDevice(%p) returning\n", src); #endif } char * getArgusrfile (struct ArgusSourceStruct *src) { struct ArgusRfileStruct *rfile = NULL; char *retn = NULL; if (src->ArgusRfileList != NULL) { rfile = (struct ArgusRfileStruct *) src->ArgusRfileList->start; retn = rfile->name; } return (retn); } void ArgusSortFileList (struct ArgusListStruct *); void setArgusrfile (struct ArgusSourceStruct *src, char *value) { if (src->ArgusRfileList == NULL) src->ArgusRfileList = ArgusNewList(); if (value) { struct ArgusRfileStruct *rfile; struct stat statbuf; char *tok, *ptr = value; while ((tok = strtok (ptr, " \t")) != NULL) { char *tptr; int mode = 0; if (strcmp("-", tok)) { if ((tptr = strstr (tok, "cisco:")) != NULL) { mode = ARGUS_CISCO_DATA_SOURCE; tok = tptr + 6; } else if ((tptr = strstr (tok, "sflow:")) != NULL) { mode = ARGUS_SFLOW_DATA_SOURCE; tok = tptr + 6; } if (stat(tok, &statbuf) < 0) ArgusLog (LOG_ERR, "input file '%s': %s", tok, strerror(errno)); } if ((rfile = (struct ArgusRfileStruct *) ArgusCalloc(1, sizeof(*rfile))) == NULL) ArgusLog (LOG_ERR, "setArgusrfile ArgusCalloc %s\n", strerror(errno)); rfile->name = strdup(tok); rfile->mode = mode; ArgusPushBackList(src->ArgusRfileList, (struct ArgusListRecord *) rfile, ARGUS_LOCK); // setArgusDevice(src, tok, ARGUS_FILE_DEVICE, rfile->mode); ptr = NULL; } ArgusSortFileList (src->ArgusRfileList); } } int getArgusMoatTshFile (struct ArgusSourceStruct *src) { return(src->Argustflag); } void setArgusMoatTshFile (struct ArgusSourceStruct *src, int value) { src->Argustflag = value; } float getArgusRealTime (struct ArgusSourceStruct *src) { return(src->Tflag); } void setArgusRealTime (struct ArgusSourceStruct *src, float value) { src->Tflag = value; } void setArgusWriteOutPacketFile (struct ArgusDumpStruct *dump, char *file) { dump->ArgusWriteOutPacketFile = strdup(file); } #define ARGUSMOATLEN 44 #define ARGUSMOATTSHTCPLEN 40 int ArgusMoatTshRead (struct ArgusSourceStruct *); int ArgusMoatTshRead (struct ArgusSourceStruct *src) { struct ArgusMoatTshPktHdr *MoatTshBuffer, *ArgusMoatPktHdr; int retn = 0, length = 0; struct ip *iphdr = NULL; if ((MoatTshBuffer = (void *) ArgusMalloc (sizeof(struct ArgusMoatTshPktHdr) * 2)) == NULL) ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); ArgusMoatPktHdr = MoatTshBuffer; bzero (ArgusMoatPktHdr, sizeof(*ArgusMoatPktHdr)); if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), ArgusMoatPktHdr, ARGUSMOATLEN)) == ARGUSMOATLEN) { ArgusMoatPktHdr->interface = 0; #if defined(_LITTLE_ENDIAN) src->ArgusModel->ArgusGlobalTime.tv_sec = ntohl(ArgusMoatPktHdr->sec); src->ArgusModel->ArgusGlobalTime.tv_usec = ntohl(*((int *)&ArgusMoatPktHdr->interface)); #else src->ArgusModel->ArgusGlobalTime.tv_sec = ArgusMoatPktHdr->sec; src->ArgusModel->ArgusGlobalTime.tv_usec = *((int *)&ArgusMoatPktHdr->interface); #endif if (src->timeStampType == ARGUS_TYPE_UTC_NANOSECONDS) src->ArgusModel->ArgusGlobalTime.tv_usec *= 1000; ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; iphdr = &ArgusMoatPktHdr->ip; #if defined(_LITTLE_ENDIAN) length = ntohs(iphdr->ip_len); #else length = iphdr->ip_len; #endif src->ArgusThisLength = length; switch (iphdr->ip_p) { case IPPROTO_ICMP: case IPPROTO_TCP: default: src->ArgusSnapLength = ARGUSMOATTSHTCPLEN; break; } src->ArgusThisSnapEnd = (((unsigned char *)iphdr) + src->ArgusSnapLength); if ((src->ArgusInputFilter == NULL) || (bpf_filter(src->ArgusInterface[0].ArgusFilter.bf_insns, (u_char *)iphdr, src->ArgusSnapLength, src->ArgusSnapLen))) { ArgusProcessIpPacket (src->ArgusModel, iphdr, length, &src->ArgusModel->ArgusGlobalTime); } } else close(pcap_fileno(src->ArgusInterface[0].ArgusPd)); ArgusFree(MoatTshBuffer); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusMoatTshRead() returning %d\n", retn); #endif return (retn); } int ArgusSnoopRead (struct ArgusSourceStruct *src) { int retn = 0, len = 0; struct pcap_pkthdr pcap_pkthdr; struct ArgusSnoopPktHdr SnoopPktHdr; unsigned char ArgusPacketBuf[1540]; if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), &SnoopPktHdr, sizeof(SnoopPktHdr))) == sizeof(SnoopPktHdr)) { #if defined(_LITTLE_ENDIAN) SnoopPktHdr.len = ntohl(SnoopPktHdr.len); SnoopPktHdr.tlen = ntohl(SnoopPktHdr.tlen); SnoopPktHdr.argtvp.tv_sec = ntohl(SnoopPktHdr.argtvp.tv_sec); SnoopPktHdr.argtvp.tv_usec = ntohl(SnoopPktHdr.argtvp.tv_usec); #endif if ((len = ((SnoopPktHdr.tlen + 3) & 0xFFFFFFC)) < 1500) { if ((retn = read(pcap_fileno(src->ArgusInterface[0].ArgusPd), ArgusPacketBuf, len)) == len) { pcap_pkthdr.ts.tv_sec = SnoopPktHdr.argtvp.tv_sec; pcap_pkthdr.ts.tv_usec = SnoopPktHdr.argtvp.tv_usec; pcap_pkthdr.caplen = SnoopPktHdr.tlen; pcap_pkthdr.len = SnoopPktHdr.len; if ((src->ArgusInputFilter == NULL) || (bpf_filter(src->ArgusInterface[0].ArgusFilter.bf_insns, ArgusPacketBuf, SnoopPktHdr.tlen, src->ArgusSnapLen))) { src->ArgusInterface[0].ArgusCallBack (NULL, &pcap_pkthdr, ArgusPacketBuf); } } } } else close(pcap_fileno(src->ArgusInterface[0].ArgusPd)); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusSnoopRead() returning %d\n", retn); #endif return (retn); } #include #define ERF_REC_LEN_MAX (1<<16) int ArgusErfRead (struct ArgusSourceStruct *); int ArgusErfRead (struct ArgusSourceStruct *src) { int retn = 0, len = 0; unsigned char *ArgusPacketBuf = NULL; dag_record_t DagPktHdr; #define DAG_REC_SIZE 16 if (src->ArgusInterface[0].ArgusPacketBuffer == NULL) src->ArgusInterface[0].ArgusPacketBuffer = src->ArgusInterface[0].ArgusPacketBufferBuffer; if ((ArgusPacketBuf = src->ArgusInterface[0].ArgusPacketBuffer) != NULL) { if ((retn = read(src->ArgusInterface[0].ArgusPcap.fd, &DagPktHdr, DAG_REC_SIZE)) == DAG_REC_SIZE) { len = ntohs(DagPktHdr.rlen) - DAG_REC_SIZE; if ((retn = read(src->ArgusInterface[0].ArgusPcap.fd, ArgusPacketBuf, len)) == len) { ArgusDagPacket ((void *)src, (void *)&DagPktHdr, (const u_char *)ArgusPacketBuf); } else { if (retn == 0) close(src->ArgusInterface[0].ArgusPcap.fd); else ArgusLog(LOG_ERR, "ArgusErfRead: read error %s", strerror(errno)); } } else if (retn == 0) close(src->ArgusInterface[0].ArgusPcap.fd); else ArgusLog(LOG_ERR, "ArgusErfRead: read error %s", strerror(errno)); } else close(src->ArgusInterface[0].ArgusPcap.fd); #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusErfRead() returning %d\n", retn); #endif return (retn); } pcap_handler Arguslookup_dag_callback (int type) { pcap_handler retn = NULL; struct callback *callback; #ifdef ARGUSDEBUG char *name = NULL; #endif for (callback = ArgusSourceCallbacks; callback->function; ++callback) if (type == callback->type) { retn = callback->function; #ifdef ARGUSDEBUG name = callback->fname; #endif break; } #ifdef ARGUSDEBUG ArgusDebug (3, "Arguslookup_dag_callback(%d) returning %s: %p\n", type, name, retn); #endif return (retn); } pcap_handler Arguslookup_pcap_callback (int type) { pcap_handler retn = NULL; struct callback *callback; for (callback = ArgusSourceCallbacks; callback->function; ++callback) if (type == callback->type) { retn = callback->function; break; } #ifdef ARGUSDEBUG ArgusDebug (3, "Arguslookup_pcap_callback(%d) returning %p\n", type, retn); #endif return (retn); } /* SourceID Syntax: [type:/]sid[/inf] where type can be: int, str, ipv4, ipv6, uuid where sid can be: int, "string", ipv4, ipv6, uuid where inf is: char[4] */ void ArgusParseSourceID (struct ArgusSourceStruct *src, struct ArgusDeviceStruct *dev, char *optarg) { int retn = 0, type = 0, slen = 0, subsid = 0; char *ptr = NULL, *sptr = NULL, *iptr = NULL; unsigned char buf[32]; char *prefix = NULL; if (optarg == NULL) return; bzero(buf, sizeof(buf)); if ((sptr = strdup(optarg)) != NULL) { optarg = sptr; // process the optional type part. if ((ptr = strstr(optarg, ":/")) != NULL) { prefix = optarg; *ptr++ = '\0'; *ptr++ = '\0'; optarg = ptr; if (!(strcmp(prefix, "uuid"))) { type = ARGUS_TYPE_UUID; } else if (!(strcmp(prefix, "ipv4"))) { type = ARGUS_TYPE_IPV4; } else if (!(strcmp(prefix, "ipv6"))) { type = ARGUS_TYPE_IPV6; } else if (!(strcmp(prefix, "int"))) { type = ARGUS_TYPE_INT; } else if (!(strcmp(prefix, "str"))) { type = ARGUS_TYPE_STRING; } } // test for dev srcid substitution if (optarg[0] == '/') { if (optarg[1] == '/') subsid = 1; optarg++; } // process the optional inf part. if ((iptr = strchr(optarg, '/')) != NULL) { if (strlen(iptr + 1) > 4) ArgusLog(LOG_ERR, "ArgusParseSourceID error: %s: interface len gt 4 char", optarg); *iptr++ = '\0'; } // process the sid part. // string // if (subsid) { switch (src->type & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_STRING: { slen = strlen((const char *)&src->trans.srcid.a_un.str); bcopy(&src->trans.srcid.a_un.str, buf, slen); type = ARGUS_TYPE_STRING; break; } case ARGUS_TYPE_INT: { slen = sizeof(src->trans.srcid.a_un.value); bcopy(&src->trans.srcid.a_un.value, buf, slen); type = ARGUS_TYPE_INT; break; } case ARGUS_TYPE_IPV4: { unsigned int saddr = ntohl(src->trans.srcid.a_un.ipv4); slen = sizeof(src->trans.srcid.a_un.ipv4); bcopy(&saddr, buf, slen); type = ARGUS_TYPE_IPV4; break; } case ARGUS_TYPE_IPV6: { slen = sizeof(src->trans.srcid.a_un.ipv6); bcopy(&src->trans.srcid.a_un.ipv6, buf, slen); type = ARGUS_TYPE_IPV6; break; } case ARGUS_TYPE_UUID : { slen = sizeof(src->trans.srcid.a_un.uuid); bcopy(&src->trans.srcid.a_un.uuid, buf, slen); type = ARGUS_TYPE_UUID; break; } } } else if (*optarg == '"') { optarg++; if (optarg[strlen(optarg) - 1] == '\n') optarg[strlen(optarg) - 1] = '\0'; if (optarg[strlen(optarg) - 1] == '\"') optarg[strlen(optarg) - 1] = '\0'; strncpy((char *) buf, optarg, sizeof(buf) - 1); slen = strlen((char *) buf); type = ARGUS_TYPE_STRING; } else // // uuid // if (strchr(optarg, '-')) { if (strlen(optarg) == 36) { const char *cptr = (const char *) optarg; int i; for (i = 0; i < 16; i++) { sscanf((const char *) cptr, "%2hhx", &buf[i]); cptr += 2; if (*cptr == '-') cptr++; } slen = 16; type = ARGUS_TYPE_UUID; } } else if (strlen(optarg) == 32) { const char *cptr = (const char *) optarg; int i; for (i = 0; i < 16; i++) { sscanf((const char *) cptr, "%2hhx", &buf[i]); cptr += 2; } slen = 16; type = ARGUS_TYPE_UUID; } else if (strchr(optarg, '.')) { #if defined(HAVE_INET_ATON) struct in_addr pin; if (inet_aton(optarg, &pin)) { bcopy(&pin.s_addr, (char *)buf, 4); slen = 4; } #else #if defined(HAVE_GETADDRINFO) struct addrinfo *host, hints; bzero(&hints, sizeof(hints)); hints.ai_family = AF_INET; hints.ai_flags = AI_NUMERICHOST; if ((retn = getaddrinfo(optarg, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; do { switch (host->ai_family) { case AF_INET: { struct sockaddr_in *sa = (struct sockaddr_in *) host->ai_addr; bcopy ((char *)&sa->sin_addr, (char *)buf, 4); slen = 4; type = ARGUS_TYPE_IPV4; break; } } host = host->ai_next; } while (host != NULL); freeaddrinfo(hptr); } #else // HAVE_GETADDRINFO struct hostent *host; if ((host = gethostbyname(optarg)) != NULL) { if ((host->h_addrtype == 2) && (host->h_length == 4)) { bcopy ((char *) *host->h_addr_list, (char *)buf, host->h_length); slen = 4; } } #endif #endif type = ARGUS_TYPE_IPV4; } else if (strchr(optarg, ':')) { struct in6_addr in6; int rv; slen = 0; type = ARGUS_TYPE_IPV6; #ifdef HAVE_INET_PTON rv = inet_pton(AF_INET6, optarg, &in6); if (rv == 1) { slen = sizeof(in6.s6_addr); bcopy(&in6.s6_addr, buf, slen); } else if (rv == 0) { ArgusLog(LOG_INFO, "invalid IPv6 address \"%s\".\n", optarg); } else { ArgusLog(LOG_INFO, "inet_pton: %s\n", strerror(errno)); } #else ArgusLog(LOG_INFO, "skipping IPv6 source ID %s; no support.\n", optarg); #endif } else if (isalnum((int)*optarg)) { long value; char *tptr; if ((value = strtol(optarg, (char **)&tptr, 10)) != 0) { slen = strlen(optarg); if (tptr == &optarg[slen]) { int num = value; bcopy(&num, buf, sizeof(num)); slen = sizeof(num); type = ARGUS_TYPE_INT; } } } if (iptr != NULL) { int len; if (strcmp(iptr, "inf") == 0) { char inf[5] = {0,}; if (dev && (dev->name != NULL)) { shortname_ethdev_unique(dev->name, inf, sizeof(inf), src->ArgusDeviceList); len = strlen(inf); bcopy(inf, &buf[slen], len); slen += len; ArgusLog(LOG_INFO, "mapping interface name %s -> %s\n", dev->name, inf); } type |= ARGUS_TYPE_INTERFACE; } else { len = strlen(iptr); bcopy(iptr, &buf[slen], len); slen += len; type |= ARGUS_TYPE_INTERFACE; } } if (type) setArgusID (src, buf, slen, type); else retn = 1; if (retn > 0) ArgusLog (LOG_ERR, "Srcid format error: %s\n", sptr); free (sptr); } } void setArgusManInf (struct ArgusSourceStruct *src, char *optarg) { if (src->ArgusMarIncludeInterface != NULL) { free (src->ArgusMarIncludeInterface); src->ArgusMarIncludeInterface = NULL; } src->type |= ARGUS_TYPE_INTERFACE; if (optarg && (strlen(optarg) > 0)) { if (strcmp("no", optarg) != 0) { if (strcmp("yes", optarg) == 0) src->ArgusMarIncludeInterface = strdup("man0"); else src->ArgusMarIncludeInterface = strdup(optarg); } } } char * getArgusManInf (struct ArgusSourceStruct *src) { return (src->ArgusMarIncludeInterface); } struct ArgusDumpStruct * ArgusNewDump (struct ArgusSourceStruct *src, struct ArgusInterfaceStruct *inf) { struct ArgusDumpStruct *retn = NULL; if ((retn = (struct ArgusDumpStruct *) ArgusCalloc (1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusNewDump: ArgusCalloc error %s\n", strerror(errno)); if (ArgusDumpTask != NULL) bcopy(ArgusDumpTask, retn, sizeof(*retn)); if (inf != NULL) { retn->ArgusPd = inf->ArgusPd; if (ArgusDumpTask->ArgusWriteOutPacketFile != NULL) { if (inf->ArgusDevice->name != NULL) { char buf[MAXSTRLEN]; int len = strlen (ArgusDumpTask->ArgusWriteOutPacketFile); bzero(buf, MAXSTRLEN); bcopy(ArgusDumpTask->ArgusWriteOutPacketFile, buf, len); buf[len++] = '.'; bcopy(inf->ArgusDevice->name, &buf[len], strlen(inf->ArgusDevice->name)); retn->ArgusWriteOutPacketFile = strdup(buf); } else { retn->ArgusWriteOutPacketFile = strdup(ArgusDumpTask->ArgusWriteOutPacketFile); } } } #if defined(ARGUS_THREADS) if (pthread_mutex_init(&retn->lock, NULL)) ArgusLog (LOG_ERR, "ArgusNewSource: pthread_mutex_init error\n"); #endif return retn; } void setArgusPacketCaptureProtocols(struct ArgusDumpStruct *dump, char *optarg) { char ppc[ARGUS_MAX_PROTOCOLS]; int enabled = 0, found = 0; bzero (ppc, ARGUS_MAX_PROTOCOLS); if (dump->ppc != NULL) { ArgusFree(dump->ppc); dump->ppc = NULL; } if (optarg && strlen(optarg)) { struct protoent *pent = NULL; char *sptr = optarg, *tok; while ((tok = strtok(sptr, ",\t\n")) != NULL) { found = 0; if ((pent = getprotobyname(tok)) != NULL) { ppc[pent->p_proto] = 1; enabled = 1; found = 1; } else { int i; for (i = 0; i < MAX_PORT_ALG_TYPES; i++) { if (strcmp(tok, RaPortAlgorithmTable[i].field) == 0) { ppc[RaPortAlgorithmTable[i].proto] = 1; enabled = 1; found = 1; } } } #ifdef ARGUSDEBUG if (!found) { ArgusDebug (1, "setArgusPacketCaptureProtocols() %s not supported.\n", tok); } #endif sptr = NULL; } } if (enabled) { if ((dump->ppc = (char *) ArgusCalloc (1, ARGUS_MAX_PROTOCOLS)) == NULL) ArgusLog (LOG_ERR, "setArgusPacketCaptureProtocols () ArgusCalloc error %s\n", strerror(errno)); bcopy(ppc, dump->ppc, ARGUS_MAX_PROTOCOLS); } } int ArgusDumpPacket (struct ArgusDumpStruct *dump, const struct pcap_pkthdr *h, const u_char *p) { int retn = 0; if (dump != NULL) { #if defined(ARGUS_THREADS) if (pthread_mutex_lock(&dump->lock) == 0) { #endif if (dump->ArgusWriteOutPacketFile != NULL) { if (dump->ArgusPcapOutFile == NULL) { if ((dump->ArgusPcapOutFile = pcap_dump_open(dump->ArgusPd, dump->ArgusWriteOutPacketFile)) == NULL) ArgusLog (LOG_ERR, "%s\n", pcap_geterr (dump->ArgusPd)); } if (dump->ArgusPcapOutFile != NULL) { #if defined(HAVE_PCAP_DUMP_FTELL) dump->ArgusPacketOffset = pcap_dump_ftell(dump->ArgusPcapOutFile); #endif pcap_dump((u_char *)dump->ArgusPcapOutFile, h, p); } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&dump->lock); } #endif } return retn; } #if !defined(ARGUS_TILERA) int ArgusProcessLcpPacket (struct ArgusSourceStruct *, struct lcp_hdr *, int, struct timeval *); int ArgusProcessPacket (struct ArgusSourceStruct *, char *, int, struct timeval *, int); struct pcap_pkthdr_32 { struct timeval32 ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len; /* length of this packet (off wire) */ }; void ArgusEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen; unsigned int length; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); #if defined(CYGWIN) struct pcap_pkthdr_32 *h32 = (struct pcap_pkthdr_32 *)h; caplen = h32->caplen; length = h32->len; #else caplen = h->caplen; length = h->len; #endif if (p != NULL) { unsigned int ind = src->ArgusThisIndex; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->lasttime = *tvp; src->ArgusModel->ArgusMatchProtocol = 0; if (p && (length >= sizeof(struct ether_header))) { struct ether_header *ep; src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; ep = (struct ether_header *) p; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ETHER; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusEtherPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define TYPE_LEGACY 0 #define TYPE_HDLC_POS 1 #define TYPE_ETH 2 #define TYPE_ATM 3 #define TYPE_AAL5 4 #if !defined(ntohll) #if defined(_LITTLE_ENDIAN) #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__sun__) #include #define ntohll(x) EXTRACT_64BITS(&x) #define htonll(x) EXTRACT_64BITS(&x) #else #if defined(HAVE_SOLARIS) #include #define ntohll(x) bswap_64(x) #define htonll(x) bswap_64(x) #endif #endif #else #define ntohll(x) x #define htonll(x) x #endif #endif void ArgusDagPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (void *) user; dag_record_t *hdr = (void *) h; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length, caplen; unsigned long long ts; int ind = src->ArgusThisIndex; length = ntohs(hdr->wlen); caplen = ntohs(hdr->rlen) - DAG_REC_SIZE; src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; ts = hdr->ts; tvp->tv_sec = (ts >> 32); #if defined(ARGUS_NANOSECONDS) ts = (ts & 0xfffffffcULL) * 1000000000; tvp->tv_usec = (int)(ts >> 32); #else ts = (ts & 0xffffffffULL) * 1000000; ts += 0x80000000; /* rounding */ tvp->tv_usec = (int)(ts >> 32); if (tvp->tv_usec >= 1000000) { tvp->tv_usec -= 1000000; tvp->tv_sec++; } #endif if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->lasttime = *tvp; src->ArgusModel->ArgusMatchProtocol = 0; if (p && length) { switch (hdr->type) { case TYPE_LEGACY: break; case TYPE_HDLC_POS: { int retn = 0, offset = 0, linktype = 0; unsigned short proto = 0; unsigned short value; #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif if (value == 0xFF03) { linktype = DLT_PPP_SERIAL; if ((p[0] == PPP_ADDRESS) && (p[1] == PPP_CONTROL)) { p += 2; length -= 2; } if (*p & 01) { proto = *p; p++; length -= 1; } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)p); #else proto = *(u_short *)p; #endif p += 2; length -= 2; } } else { linktype = DLT_CHDLC; #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)p; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif offset = CHDLC_HDRLEN; p = src->ArgusInterface[ind].ArgusPacketBuffer + offset; length -= offset; } if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = linktype; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = src->ArgusInterface[ind].ArgusPacketBuffer + caplen; switch (proto) { case PPP_LCP: retn = ArgusProcessLcpPacket (src, (struct lcp_hdr *)p, length, tvp); break; case ETHERTYPE_IP: /*XXX*/ case PPP_IP: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case PPP_IPV6: case ETHERTYPE_IPV6: /*XXX*/ retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case ETHERTYPE_MPLS: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case ETHERTYPE_MPLS_MULTI: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; default: break; } if (retn) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); break; } case TYPE_ETH: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_EN10MB; p += 2; src->ArgusModel->ArgusThisLength = length - 2; src->ArgusModel->ArgusSnapLength = caplen - 2; src->ArgusModel->ArgusThisSnapEnd = (u_char *)p + (caplen - 2); if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); break; } case TYPE_ATM: case TYPE_AAL5: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_ATM_RFC1483; break; } default: { if (src->ArgusInterface[ind].ArgusTotalPkts == 1) src->ArgusInterface[ind].ArgusPcap.linktype = DLT_NULL; break; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusDagPacket (%p, %p) returning\n", src, hdr); #endif } void ArgusTokenPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusTokenPacket (%p, %p, %p) returning\n", user, h, p); #endif } #include void ArgusArcnetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ether_header *ep = (struct ether_header *) src->ArgusInterface[src->ArgusThisIndex].ArgusPacketBufferBuffer; struct arc_header *ap = (struct arc_header *) p; u_char arc_type = ap->arc_type; int ind = src->ArgusThisIndex; int archdrlen = 0; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int length = h->len; unsigned int caplen = h->caplen; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (src->ArgusModel->ArgusGlobalTime.tv_sec < 0) { ArgusLog (LOG_ERR, "ArgusArcnetPacket (%p, %p, %p) libpcap timestamp out of range %d.%d\n", user, h, p, src->ArgusModel->ArgusGlobalTime.tv_sec, src->ArgusModel->ArgusGlobalTime.tv_usec); } src->ArgusInterface[ind].ArgusPacketBuffer = src->ArgusInterface[ind].ArgusPacketBufferBuffer; switch (arc_type) { case ARCTYPE_IP_OLD: case ARCTYPE_ARP_OLD: case ARCTYPE_DIAGNOSE: archdrlen = ARC_HDRLEN; break; default: if (ap->arc_flag == 0xff) { archdrlen = ARC_HDRNEWLEN_EXC; } else { archdrlen = ARC_HDRNEWLEN; } break; } length -= archdrlen; caplen -= archdrlen; p += archdrlen; bcopy (p, (char *)ep, caplen); src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ARCNET; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusArcnetPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusAtmClipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusAtmClipPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusLoopPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusLoopPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen = h->caplen; unsigned int length = h->len; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (p && length) { int retn = 0, offset = 0; unsigned short proto = 0; unsigned short value; #define CHDLC_UNICAST 0x0f #define CHDLC_BCAST 0x8f #define CHDLC_TYPE_SLARP 0x8035 #define CHDLC_TYPE_CDP 0x2000 #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif switch (value) { case CHDLC_UNICAST: case CHDLC_BCAST: case CHDLC_TYPE_SLARP: case CHDLC_TYPE_CDP: default: src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_CHDLC; break; } #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)&p[2]; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif offset = CHDLC_HDRLEN; p = (unsigned char *) (src->ArgusInterface[ind].ArgusPacketBuffer + offset); length -= offset; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (src->ArgusInterface[ind].ArgusPacketBuffer + caplen); switch (proto) { case ETHERTYPE_IP: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case ETHERTYPE_IPV6: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case ETHERTYPE_MPLS: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case ETHERTYPE_MPLS_MULTI: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; } if (retn) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusHdlcPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned int caplen = h->caplen; unsigned int length = h->len; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); src->ArgusInterface[ind].ArgusTotalPkts++; src->ArgusInterface[ind].ArgusTotalBytes += length; src->ArgusInterface[ind].ArgusPacketBuffer = (u_char *) p; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_HDLC; if (p && length) { unsigned short proto = 0; unsigned short value; int offset = 0, retn = 0; #if defined(_LITTLE_ENDIAN) value = ntohs(*(unsigned short *)p); #else value = (*(unsigned short *)p); #endif if (value == 0xFF03) { src->ArgusModel->ArgusThisEncaps |= ARGUS_ENCAPS_PPP; if ((p[0] == PPP_ADDRESS) && (p[1] == PPP_CONTROL)) { p += 2; length -= 2; } if (*p & 01) { proto = *p; p++; length -= 1; } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)p); #else proto = *(u_short *)p; #endif p += 2; length -= 2; } } else { #if defined(_LITTLE_ENDIAN) proto = ntohs(*(u_short *)&p[2]); #else proto = *(u_short *)p; #endif #if !defined(CHDLC_HDRLEN) #define CHDLC_HDRLEN 4 #endif src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_CHDLC; offset = CHDLC_HDRLEN; p = (unsigned char *) (src->ArgusInterface[ind].ArgusPacketBuffer + offset); length -= offset; } src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (src->ArgusInterface[ind].ArgusPacketBuffer + caplen); switch (proto) { case PPP_LCP: retn = ArgusProcessLcpPacket (src, (struct lcp_hdr *)p, length, tvp); break; case ETHERTYPE_IP: case PPP_IP: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP); break; case PPP_IPV6: case ETHERTYPE_IPV6: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IPV6); break; case PPP_MPLS_UCAST: case ETHERTYPE_MPLS: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS); break; case PPP_MPLS_MCAST: case ETHERTYPE_MPLS_MULTI: retn = ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_MPLS_MULTI); break; case PPP_OSI: case PPP_NS: case PPP_DECNET: case PPP_APPLE: case PPP_IPX: case PPP_VJC: case PPP_VJNC: case PPP_BRPDU: case PPP_STII: case PPP_VINES: case PPP_COMP: case PPP_HELLO: case PPP_LUXCOM: case PPP_SNS: case PPP_IPCP: case PPP_OSICP: case PPP_NSCP: case PPP_DECNETCP: case PPP_APPLECP: case PPP_IPXCP: case PPP_STIICP: case PPP_VINESCP: case PPP_IPV6CP: case PPP_CCP: case PPP_PAP: case PPP_LQM: case PPP_CHAP: case PPP_BACP: case PPP_BAP: case PPP_MP: default: break; } if (retn) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppHdlcPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppEtherPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define PFLOG_RULESET_NAME_SIZE 16 struct pfloghdr { u_int8_t length; sa_family_t af; u_int8_t action; u_int8_t reason; char ifname[IFNAMSIZ]; char ruleset[PFLOG_RULESET_NAME_SIZE]; u_int32_t rulenr; u_int32_t subrulenr; uid_t uid; pid_t pid; uid_t rule_uid; pid_t rule_pid; u_int8_t dir; u_int8_t pad[3]; }; #define PFLOG_HDRLEN sizeof(struct pfloghdr) void ArgusPflogPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct pcap_pkthdr hbuf; u_int hdrlen = 0; u_int caplen = h->caplen; const struct pfloghdr *hdr; uint8_t af; /* check length */ if (caplen >= sizeof(uint8_t)) { #define MIN_PFLOG_HDRLEN 45 hdr = (struct pfloghdr *)p; if (hdr->length >= MIN_PFLOG_HDRLEN) { hdrlen = BPF_WORDALIGN(hdr->length); if (caplen >= hdrlen) { /* print what we know */ hdr = (struct pfloghdr *)p; /* skip to the real packet */ af = hdr->af; memcpy((char *)&hbuf, (char *)h, sizeof(*h)); hbuf.len -= hdrlen; hbuf.caplen -= hdrlen; p += hdrlen; switch (af) { case AF_INET: case AF_INET6: ArgusIpPacket(user, &hbuf, p); break; default: /* address family not handled, print raw packet if (!ndo->ndo_eflag) pflog_print(ndo, hdr); if (!ndo->ndo_suppress_default_print) ND_DEFAULTPRINT(p, caplen); */ break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPflogPacket (%p, %p, %p) returning\n", user, h, p); #endif } void Argus802_11Packet (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; unsigned int length = h->len; unsigned int caplen = h->caplen; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)p) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_802_11; if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_802_11_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "Argus802_11Packet (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusLtalkPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusLtalkPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusJuniperPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; struct juniper_l2info_t l2info; int ind = src->ArgusThisIndex; unsigned int length = h->len; unsigned int caplen = h->caplen; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; if (juniper_parse_header(p, h, &l2info) != 0) { src->ArgusModel->ArgusThisLength = length - l2info.header_len; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)p) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_JUNIPER; p += l2info.header_len; if (ArgusProcessPacket (src, (char *)p, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusJuniperPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusIpNetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusIpNetPacket (%p, %p, %p) returning\n", user, h, p); #endif } int ip_heuristic_guess(register const u_char *p, u_int length) { switch(p[0]) { case 0x45: case 0x46: case 0x47: case 0x48: case 0x49: case 0x4a: case 0x4b: case 0x4c: case 0x4d: case 0x4e: case 0x4f: // ip_print(gndo, p, length); break; #ifdef INET6 case 0x60: case 0x61: case 0x62: case 0x63: case 0x64: case 0x65: case 0x66: case 0x67: case 0x68: case 0x69: case 0x6a: case 0x6b: case 0x6c: case 0x6d: case 0x6e: case 0x6f: // ip6_print(p, length); break; #endif default: return 0; /* did not find a ip header */ break; } return 1; /* we printed an v4/v6 packet */ } int juniper_read_tlv_value(const u_char *p, u_int tlv_type, u_int tlv_len) { int tlv_value; /* TLVs < 128 are little endian encoded */ if (tlv_type < 128) { switch (tlv_len) { case 1: tlv_value = *p; break; case 2: tlv_value = EXTRACT_LE_16BITS(p); break; case 3: tlv_value = EXTRACT_LE_24BITS(p); break; case 4: tlv_value = EXTRACT_LE_32BITS(p); break; default: tlv_value = -1; break; } } else { /* TLVs >= 128 are big endian encoded */ switch (tlv_len) { case 1: tlv_value = *p; break; case 2: tlv_value = EXTRACT_16BITS(p); break; case 3: tlv_value = EXTRACT_24BITS(p); break; case 4: tlv_value = EXTRACT_32BITS(p); break; default: tlv_value = -1; break; } } return tlv_value; } static int juniper_parse_header (const u_char *p, const struct pcap_pkthdr *h, struct juniper_l2info_t *l2info) { struct juniper_cookie_table_t *lp = juniper_cookie_table; u_int idx, jnx_ext_len, jnx_header_len = 0; u_int8_t tlv_type,tlv_len; #ifdef DLT_JUNIPER_ATM2 u_int32_t control_word; #endif const u_char *tptr; l2info->header_len = 0; l2info->cookie_len = 0; l2info->proto = 0; l2info->length = h->len; l2info->caplen = h->caplen; // TCHECK2(p[0],4); l2info->flags = p[3]; l2info->direction = p[3]&JUNIPER_BPF_PKT_IN; if (EXTRACT_24BITS(p) != JUNIPER_MGC_NUMBER) { /* magic number found ? */ return 0; } /* magic number + flags */ jnx_header_len = 4; /* extensions present ? - calculate how much bytes to skip */ if ((l2info->flags & JUNIPER_BPF_EXT ) == JUNIPER_BPF_EXT ) { tptr = p+jnx_header_len; /* ok to read extension length ? */ /// TCHECK2(tptr[0], 2); jnx_ext_len = EXTRACT_16BITS(tptr); jnx_header_len += 2; tptr +=2; /* nail up the total length - * just in case something goes wrong * with TLV parsing */ jnx_header_len += jnx_ext_len; // TCHECK2(tptr[0], jnx_ext_len); while (jnx_ext_len > JUNIPER_EXT_TLV_OVERHEAD) { tlv_type = *(tptr++); tlv_len = *(tptr++); /* sanity check */ if (tlv_type == 0 || tlv_len == 0) break; juniper_read_tlv_value(tptr, tlv_type, tlv_len); switch (tlv_type) { case JUNIPER_EXT_TLV_IFD_NAME: /* FIXME */ break; case JUNIPER_EXT_TLV_IFD_MEDIATYPE: case JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE: break; case JUNIPER_EXT_TLV_IFL_ENCAPS: case JUNIPER_EXT_TLV_TTP_IFL_ENCAPS: break; case JUNIPER_EXT_TLV_IFL_IDX: /* fall through */ case JUNIPER_EXT_TLV_IFL_UNIT: case JUNIPER_EXT_TLV_IFD_IDX: default: break; } tptr+=tlv_len; jnx_ext_len -= tlv_len+JUNIPER_EXT_TLV_OVERHEAD; } } if ((l2info->flags & JUNIPER_BPF_NO_L2 ) == JUNIPER_BPF_NO_L2 ) { /* there is no link-layer present - * perform the v4/v6 heuristics * to figure out what it is */ // TCHECK2(p[jnx_header_len+4],1); if(ip_heuristic_guess(p+jnx_header_len+4,l2info->length-(jnx_header_len+4)) == 0) printf("no IP-hdr found!"); l2info->header_len=jnx_header_len+4; return 0; /* stop parsing the output further */ } l2info->header_len = jnx_header_len; p+=l2info->header_len; l2info->length -= l2info->header_len; l2info->caplen -= l2info->header_len; /* search through the cookie table and copy values matching for our PIC type */ while (lp->s != NULL) { if (lp->pictype == l2info->pictype) { l2info->cookie_len += lp->cookie_len; switch (p[0]) { case LS_COOKIE_ID: l2info->cookie_type = LS_COOKIE_ID; l2info->cookie_len += 2; break; case AS_COOKIE_ID: l2info->cookie_type = AS_COOKIE_ID; l2info->cookie_len = 8; break; default: l2info->bundle = l2info->cookie[0]; break; } #ifdef DLT_JUNIPER_MFR /* MFR child links don't carry cookies */ if (l2info->pictype == DLT_JUNIPER_MFR && (p[0] & MFR_BE_MASK) == MFR_BE_MASK) { l2info->cookie_len = 0; } #endif l2info->header_len += l2info->cookie_len; l2info->length -= l2info->cookie_len; l2info->caplen -= l2info->cookie_len; if (l2info->cookie_len > 0) { // TCHECK2(p[0],l2info->cookie_len); for (idx = 0; idx < l2info->cookie_len; idx++) { l2info->cookie[idx] = p[idx]; /* copy cookie data */ } } l2info->proto = EXTRACT_16BITS(p+l2info->cookie_len); break; } ++lp; } p+=l2info->cookie_len; /* DLT_ specific parsing */ switch(l2info->pictype) { #ifdef DLT_JUNIPER_MLPPP case DLT_JUNIPER_MLPPP: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; break; } break; #endif #ifdef DLT_JUNIPER_MLFR case DLT_JUNIPER_MLFR: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; l2info->proto = EXTRACT_16BITS(p); l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; } break; #endif #ifdef DLT_JUNIPER_MFR case DLT_JUNIPER_MFR: switch (l2info->cookie_type) { case LS_COOKIE_ID: l2info->bundle = l2info->cookie[1]; l2info->proto = EXTRACT_16BITS(p); l2info->header_len += 2; l2info->length -= 2; l2info->caplen -= 2; break; case AS_COOKIE_ID: l2info->bundle = (EXTRACT_16BITS(&l2info->cookie[6])>>3)&0xfff; l2info->proto = (l2info->cookie[5])&JUNIPER_LSQ_L3_PROTO_MASK; break; default: l2info->bundle = l2info->cookie[0]; break; } break; #endif #ifdef DLT_JUNIPER_ATM2 case DLT_JUNIPER_ATM2: // TCHECK2(p[0],4); /* ATM cell relay control word present ? */ if (l2info->cookie[7] & ATM2_PKT_TYPE_MASK) { control_word = EXTRACT_32BITS(p); /* some control word heuristics */ switch(control_word) { case 0: /* zero control word */ case 0x08000000: /* < JUNOS 7.4 control-word */ case 0x08380000: /* cntl word plus cell length (56) >= JUNOS 7.4*/ l2info->header_len += 4; break; default: break; } } break; #endif #ifdef DLT_JUNIPER_GGSN case DLT_JUNIPER_GGSN: break; #endif #ifdef DLT_JUNIPER_ATM1 case DLT_JUNIPER_ATM1: break; #endif #ifdef DLT_JUNIPER_PPP case DLT_JUNIPER_PPP: break; #endif #ifdef DLT_JUNIPER_CHDLC case DLT_JUNIPER_CHDLC: break; #endif #ifdef DLT_JUNIPER_ETHER case DLT_JUNIPER_ETHER: break; #endif #ifdef DLT_JUNIPER_FRELAY case DLT_JUNIPER_FRELAY: break; #endif default: break; } return 1; /* everything went ok so far. continue parsing */ } #define PRISM_HDR_LEN 144 #define WLANCAP_MAGIC_COOKIE_V1 0x80211001 #define DIDmsg_lnxind_wlansniffrm 0x0041 #define DIDmsg_lnxind_wlansniffrm_hosttime 0x1041 #define DIDmsg_lnxind_wlansniffrm_mactime 0x2041 #define DIDmsg_lnxind_wlansniffrm_channel 0x3041 #define DIDmsg_lnxind_wlansniffrm_rssi 0x4041 #define DIDmsg_lnxind_wlansniffrm_sq 0x5041 #define DIDmsg_lnxind_wlansniffrm_signal 0x6041 #define DIDmsg_lnxind_wlansniffrm_noise 0x7041 #define DIDmsg_lnxind_wlansniffrm_rate 0x8041 #define DIDmsg_lnxind_wlansniffrm_istx 0x9041 #define DIDmsg_lnxind_wlansniffrm_frmlen 0xA041 struct prism_value { u_int32_t did; u_int16_t status, len; u_int32_t data; }; struct prism_header { u_int32_t msgcode, msglen; u_char devname[16]; struct prism_value hosttime; struct prism_value mactime; struct prism_value channel; struct prism_value rssi; struct prism_value sq; struct prism_value signal; struct prism_value noise; struct prism_value rate; struct prism_value istx; struct prism_value frmlen; }; /* * For DLT_PRISM_HEADER; like DLT_IEEE802_11, but with an extra header, * containing information such as radio information, which we * currently ignore. * * If, however, the packet begins with WLANCAP_MAGIC_COOKIE_V1, it's * really DLT_IEEE802_11_RADIO (currently, on Linux, there's no * ARPHRD_ type for DLT_IEEE802_11_RADIO, as there is a * ARPHRD_IEEE80211_PRISM for DLT_PRISM_HEADER, so * ARPHRD_IEEE80211_PRISM is used for DLT_IEEE802_11_RADIO, and * the first 4 bytes of the header are used to indicate which it is). */ void ArgusPrismPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct prism_header *phdr = (struct prism_header *) p; u_int caplen = h->caplen, phdrlen = sizeof (*phdr); if (caplen < 4) return; if (EXTRACT_32BITS(p) == WLANCAP_MAGIC_COOKIE_V1) Argus802_11RadioPacket (user, h, p + PRISM_HDR_LEN); if (caplen < PRISM_HDR_LEN) return; /* ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PRISM; */ if (phdr->hosttime.len != 4) { #define swapl(n) (((((unsigned long)(n) & 0xFF)) << 24) | \ ((((unsigned long)(n) & 0xFF00)) << 8) | \ ((((unsigned long)(n) & 0xFF0000)) >> 8) | \ ((((unsigned long)(n) & 0xFF000000)) >> 24)) #define swaps(n) (((((unsigned short)(n) & 0xFF)) << 8) | (((unsigned short)(n) & 0xFF00) >> 8)) phdr->msgcode = swapl(phdr->msgcode); phdr->msglen = swapl(phdr->msglen); phdr->hosttime.did = swapl(phdr->hosttime.did); phdr->hosttime.status = swaps(phdr->hosttime.status); phdr->hosttime.len = swaps(phdr->hosttime.len); phdr->hosttime.data = swapl(phdr->hosttime.data); phdr->mactime.did = swapl(phdr->mactime.did); phdr->mactime.status = swaps(phdr->mactime.status); phdr->mactime.len = swaps(phdr->mactime.len); phdr->mactime.data = swapl(phdr->mactime.data); phdr->channel.did = swapl(phdr->channel.did); phdr->channel.status = swaps(phdr->channel.status); phdr->channel.len = swaps(phdr->channel.len); phdr->channel.data = swapl(phdr->channel.data); phdr->rssi.did = swapl(phdr->rssi.did); phdr->rssi.status = swaps(phdr->rssi.status); phdr->rssi.len = swaps(phdr->rssi.len); phdr->rssi.data = swapl(phdr->rssi.data); phdr->sq.did = swapl(phdr->sq.did); phdr->sq.status = swaps(phdr->sq.status); phdr->sq.len = swaps(phdr->sq.len); phdr->sq.data = swapl(phdr->sq.data); phdr->signal.did = swapl(phdr->signal.did); phdr->signal.status = swaps(phdr->signal.status); phdr->signal.len = swaps(phdr->signal.len); phdr->signal.data = swapl(phdr->signal.data); phdr->noise.did = swapl(phdr->noise.did); phdr->noise.status = swaps(phdr->noise.status); phdr->noise.len = swaps(phdr->noise.len); phdr->noise.data = swapl(phdr->noise.data); phdr->rate.did = swapl(phdr->rate.did); phdr->rate.status = swaps(phdr->rate.status); phdr->rate.len = swaps(phdr->rate.len); phdr->rate.data = swapl(phdr->rate.data); phdr->istx.did = swapl(phdr->istx.did); phdr->istx.status = swaps(phdr->istx.status); phdr->istx.len = swaps(phdr->istx.len); phdr->istx.data = swapl(phdr->istx.data); phdr->frmlen.did = swapl(phdr->frmlen.did); phdr->frmlen.status = swaps(phdr->frmlen.status); phdr->frmlen.len = swaps(phdr->frmlen.len); phdr->frmlen.data = swapl(phdr->frmlen.data); } if ((phdrlen == PRISM_HDR_LEN) && ((void *)(phdr + 1) == (p + PRISM_HDR_LEN))) Argus802_11Packet (user, h, p + PRISM_HDR_LEN); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPrismPacket (%p, %p, %p) returning\n", user, h, p); #endif } struct avs_header { u_int32_t version, length; u_int64_t mactime, hosttime; u_int32_t phytype, channel; u_int32_t datarate, antenna; u_int32_t priority, ssi_type; u_int32_t ssi_signal, ssi_noise; u_int32_t preamble, encoding; }; void Argus802_11RadioAvsPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct avs_header *ahdr = (struct avs_header *) p; u_int32_t caplen = h->caplen, caphdr_len; caphdr_len = EXTRACT_32BITS(p + 4); if (caphdr_len < 8) return; if (caplen < caphdr_len) return; Argus802_11Packet (user, h, (u_char *)(ahdr + 1)); #ifdef ARGUSDEBUG ArgusDebug (8, "Argus802_11RadioAvsPacket (%p, %p, %p) returning\n", user, h, p); #endif } static int ArgusParseRadioTapField(struct cpack_state *, u_int32_t, struct ieee80211_radiotap *); void Argus802_11RadioPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ieee80211_radiotap_header *rthdr = (struct ieee80211_radiotap_header *) p; struct pcap_pkthdr phdr = *h; u_int32_t rthdr_len; #define BITNO_32(x) (((x) >> 16) ? 16 + BITNO_16((x) >> 16) : BITNO_16((x))) #define BITNO_16(x) (((x) >> 8) ? 8 + BITNO_8((x) >> 8) : BITNO_8((x))) #define BITNO_8(x) (((x) >> 4) ? 4 + BITNO_4((x) >> 4) : BITNO_4((x))) #define BITNO_4(x) (((x) >> 2) ? 2 + BITNO_2((x) >> 2) : BITNO_2((x))) #define BITNO_2(x) (((x) & 2) ? 1 : 0) #define BIT(n) (1U << n) #define IS_EXTENDED(__p) \ (EXTRACT_LE_32BITS(__p) & BIT(IEEE80211_RADIOTAP_EXT)) != 0 struct cpack_state cpacker; u_int32_t present, next_present; u_int32_t *presentp, *last_presentp; enum ieee80211_radiotap_type bit; int bit0; u_char *iter; if ((rthdr_len = rthdr->it_len) < 8) return; bzero(&src->ArgusThisRadioTap, sizeof(src->ArgusThisRadioTap)); if (h->caplen < rthdr_len) return; for (last_presentp = &rthdr->it_present; IS_EXTENDED(last_presentp) && (u_char*)(last_presentp + 1) <= p + rthdr_len; last_presentp++); /* are there more bitmap extensions than bytes in header? */ if (IS_EXTENDED(last_presentp)) return; iter = (u_char*)(last_presentp + 1); if (cpack_init(&cpacker, (u_int8_t *)iter, rthdr_len - (iter - p)) != 0) return; /* Assume no flags */ /* Assume no Atheros padding between 802.11 header and body */ for (bit0 = 0, presentp = &rthdr->it_present; presentp <= last_presentp; presentp++, bit0 += 32) { for (present = EXTRACT_LE_32BITS(presentp); present; present = next_present) { /* clear the least significant bit that is set */ next_present = present & (present - 1); /* extract the least significant bit that is set */ bit = (enum ieee80211_radiotap_type) (bit0 + BITNO_32(present ^ next_present)); if (ArgusParseRadioTapField(&cpacker, bit, &src->ArgusThisRadioTap) != 0) goto out; } } out: phdr.len -= rthdr_len; phdr.caplen -= rthdr_len; Argus802_11Packet (user, (const struct pcap_pkthdr *)&phdr, ((u_char *)rthdr + rthdr_len)); #undef BITNO_32 #undef BITNO_16 #undef BITNO_8 #undef BITNO_4 #undef BITNO_2 #undef BIT #ifdef ARGUSDEBUG ArgusDebug (3, "Argus802_11RadioPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusIpPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; struct ip *ip = (struct ip *) p; unsigned int length = h->len; unsigned int caplen = h->caplen; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *) ip) + caplen; src->ArgusModel->ArgusThisEncaps = 0; if (p) { src->ArgusModel->ArgusThisIpHdr = ip; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusIpPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ENC_HDRLEN 12 /* From $OpenBSD: mbuf.h,v 1.56 2002/01/25 15:50:23 art Exp $ */ #define M_CONF 0x0400 /* packet was encrypted (ESP-transport) */ #define M_AUTH 0x0800 /* packet was authenticated (AH) */ struct enchdr { u_int32_t af; u_int32_t spi; u_int32_t flags; }; void ArgusEncPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; struct ip *ip = (struct ip *) (p + ENC_HDRLEN); unsigned int caplen = h->caplen - ENC_HDRLEN; unsigned int length = h->len - ENC_HDRLEN; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *) ip) + caplen; src->ArgusModel->ArgusThisEncaps |= ARGUS_ENCAPS_SPI; if (p) { src->ArgusModel->ArgusThisIpHdr = ip; src->ArgusModel->ArgusThisLength = length; if (ArgusProcessPacket (src, (char *)p, length, tvp, ETHERTYPE_IP)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusEncPacket (%p, %p, %p) returning\n", user, h, p); #endif } #if defined(ultrix) || defined(__alpha) static int fddi_bitswap = 0; #else static int fddi_bitswap = 1; #endif int fddipad = FDDIPAD; #define FDDI_HDRLEN (sizeof(struct fddi_header)) static u_char fddi_bit_swap[] = { 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff, }; static inline void Argusextract_fddi_addrs(const struct fddi_header *fp, struct ether_header *ehdr) { char *fsrc = (char *)&ehdr->ether_shost; char *fdst = (char *)&ehdr->ether_dhost; int i; if (fddi_bitswap) { for (i = 0; i < 6; ++i) fdst[i] = fddi_bit_swap[fp->fddi_dhost[i]]; for (i = 0; i < 6; ++i) fsrc[i] = fddi_bit_swap[fp->fddi_shost[i]]; } else { bcopy ((char *) fp->fddi_dhost, fdst, 6); bcopy ((char *) fp->fddi_shost, fsrc, 6); } } int ArgusCreatePktFromFddi(const struct fddi_header *fp, struct ether_header *ep, int length) { unsigned char *ptr; unsigned int retn = 0; struct argus_llc *llc; if ((fp->fddi_fc & FDDIFC_CLFF) == FDDIFC_LLC_ASYNC) { Argusextract_fddi_addrs (fp, ep); llc = (struct argus_llc *)(fp + 1); if (llc->ssap == LLCSAP_SNAP && llc->dsap == LLCSAP_SNAP && llc->llcui == LLC_UI) { ((struct ether_header *) ep)->ether_type = EXTRACT_16BITS(&llc->ethertype[0]); ptr = (unsigned char *)(llc + 1); length -= (sizeof(struct fddi_header) + sizeof(struct argus_llc)); bcopy ((char *)ptr, (char *)(ep + 1), length); retn = length + sizeof(struct ether_header); } } return (retn); } void ArgusFddiPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; const struct fddi_header *fp = (struct fddi_header *)p; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; unsigned int length = h->len; unsigned int caplen = h->caplen; struct ether_header *ep; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); ep = (struct ether_header *) src->ArgusInterface[ind].ArgusPacketBuffer; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_FDDI; src->ArgusModel->ArgusMatchProtocol = 0; src->ArgusInterface[ind].ArgusPacketBuffer = src->ArgusInterface[ind].ArgusPacketBufferBuffer; if (p && (length = ArgusCreatePktFromFddi(fp, ep, length))) { if (p && length) { if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusFddiPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ARGUS_802_6_MAC_HDR_LEN 20 #define ARGUS_ATM_HDR_OFFSET 8 void ArgusATMPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; unsigned int caplen = h->caplen; unsigned int length = h->len; struct ether_header *ep; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); ep = (struct ether_header *) src->ArgusInterface[ind].ArgusPacketBuffer; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusInterface[ind].ArgusPacketBuffer = src->ArgusInterface[ind].ArgusPacketBufferBuffer; if (caplen > 8) { if (p[0] != 0xaa || p[1] != 0xaa || p[2] != 0x03) { if (caplen > 28) { p += ARGUS_802_6_MAC_HDR_LEN; length -= ARGUS_802_6_MAC_HDR_LEN; caplen -= ARGUS_802_6_MAC_HDR_LEN; } else return; } } else return; ep->ether_type = ((p[6] << 8) | p[7]); length -= ARGUS_ATM_HDR_OFFSET; caplen -= ARGUS_ATM_HDR_OFFSET; p += ARGUS_ATM_HDR_OFFSET; bcopy (p, (char *)(ep + 1), caplen); length += sizeof(*ep); caplen += sizeof(*ep); src->ArgusModel->ArgusThisLength = length; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ep) + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_ATM; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusATMPacket (%p, %p, %p) returning\n", user, h, p); #endif } void ArgusPppPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; struct ip *ip = (struct ip *) (p + PPP_HDRLEN); unsigned int length = h->len; unsigned int caplen = h->caplen; ArgusGetPcapPkthdrTime(src, h, tvp); if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); src->ArgusModel->ArgusMatchProtocol = 0; if (p && (length > PPP_HDRLEN)) { ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ip) + (caplen - PPP_HDRLEN); src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PPP; length -= PPP_HDRLEN; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppPacket (%p, %p, %p) returning\n", user, h, p); #endif } #define ARGUS_PPPBSDOS_HDR_LEN 24 void ArgusPppBsdosPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; unsigned int length = h->len, hdrlen = 0; unsigned int caplen = h->caplen; unsigned short ptype = 0; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = (u_char *) p + caplen; src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_PPP; if (p[0] == PPP_ADDRESS && p[1] == PPP_CONTROL) { p += 2; hdrlen = 2; } if (*p & 01) { /* Retrieve the protocol type */ ptype = *p; /* Compressed protocol field */ p++; hdrlen += 1; } else { #if defined(_LITTLE_ENDIAN) ptype = ntohs(*(u_short *)p); #else ptype = *(u_short *)p; #endif p += 2; hdrlen += 2; } src->ArgusModel->ArgusMatchProtocol = 0; length -= hdrlen; if (ptype == PPP_IP) if (p && (length > 0)) { src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, (struct ip *) p, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusPppBsdosPacket (%p, %p, %p) returning\n", user, h, p); #endif } #if defined(__NetBSD__) || defined(__FreeBSD__) #include #include #endif #include #include /* XXX BSD/OS 2.1 compatibility */ #if !defined(ARGUS_SLIP_HDR_LEN) && defined(SLC_BPFHDR) #define SLIP_HDRLEN SLC_BPFHDR #define SLX_DIR 0 #define SLX_CHDR (SLC_BPFHDRLEN - 1) #define CHDR_LEN (SLC_BPFHDR - SLC_BPFHDRLEN) #else #endif void ArgusSlipPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct timeval tvpbuf, *tvp = &tvpbuf; int ind = src->ArgusThisIndex; struct ip *ip = (struct ip *) (p + SLIP_HDRLEN); unsigned int length = h->len; unsigned int caplen = h->caplen; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusGlobalTime = *tvp; src->ArgusModel->ArgusSnapLength = caplen; src->ArgusModel->ArgusThisSnapEnd = ((u_char *)ip) + (caplen - SLIP_HDRLEN); src->ArgusModel->ArgusThisEncaps = ARGUS_ENCAPS_SLIP; src->ArgusModel->ArgusMatchProtocol = 0; if (p && (length > SLIP_HDRLEN)) { length -= SLIP_HDRLEN; src->ArgusModel->ArgusThisLength = length; ArgusProcessIpPacket (src->ArgusModel, ip, length, tvp); } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusSlipPacket (%p, %p, %p) returning\n", user, h, p); #endif } #include #if !defined(ETHER_ADDR_LEN) #define ETHER_ADDR_LEN 6 #endif void ArgusSllPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; struct ArgusModelerStruct *model = src->ArgusModel; int ind = src->ArgusThisIndex; unsigned int length = h->len; unsigned int caplen = h->caplen; const struct sll_header *sllp = NULL; struct timeval tvpbuf, *tvp = &tvpbuf; unsigned char buf[2048]; struct ether_header *ep = (struct ether_header *)buf; u_short pkttype; tvp->tv_sec = h->ts.tv_sec; tvp->tv_usec = h->ts.tv_usec; if (src->ArgusReadingOffLine) src->ArgusInputOffset = ftell(src->ArgusPacketInput); ArgusModel->ArgusGlobalTime = *tvp; model->ArgusGlobalTime = *tvp; if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); sllp = (const struct sll_header *)p; memcpy((void *)&ep->ether_shost, sllp->sll_addr, ETHER_ADDR_LEN); #if defined(_LITTLE_ENDIAN) pkttype = ntohs(sllp->sll_pkttype); #else pkttype = sllp->sll_pkttype; #endif if (pkttype != LINUX_SLL_OUTGOING) { if (pkttype == LINUX_SLL_BROADCAST) memset((void *)&ep->ether_dhost, 0xFF, ETHER_ADDR_LEN); else { memset((void *)&ep->ether_dhost, 0, ETHER_ADDR_LEN); if (pkttype == LINUX_SLL_MULTICAST) #if defined(HAVE_SOLARIS) ep->ether_dhost.ether_addr_octet[0] = 0x01; #else ep->ether_dhost[0] = 0x01; #endif else #if defined(HAVE_SOLARIS) ep->ether_dhost.ether_addr_octet[ETHER_ADDR_LEN-1] = 0x01; #else ep->ether_dhost[ETHER_ADDR_LEN-1] = 0x01; #endif } } else { /* * We sent this packet; we don't know whether it's * broadcast, multicast, or unicast, so just make * the destination address all 0's. */ memset((void *)&ep->ether_dhost, 0, ETHER_ADDR_LEN); } length -= SLL_HDR_LEN; caplen -= SLL_HDR_LEN; p += SLL_HDR_LEN; ep->ether_type = sllp->sll_protocol; memcpy((ep + 1), p, caplen); model->ArgusThisSnapEnd = (unsigned char *)(ep + caplen); model->ArgusThisLength = length; model->ArgusSnapLength = caplen; model->ArgusThisEncaps = ARGUS_ENCAPS_SLL; if (ArgusProcessPacket (src, (char *)ep, length, tvp, ARGUS_ETHER_HDR)) { if (ArgusDumpTask->ArgusDumpPacketOnError) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); } else if (ArgusDumpTask->ArgusDumpPacketOnProtocol && src->ArgusModel->ArgusMatchProtocol) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusSllPacket (%p, %p, %p) returning\n", user, h, p); #endif } /* * Byte-swap a 32-bit number. * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on * big-endian platforms.) */ #define SWAPLONG(y) \ ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) #define NULL_HDRLEN 4 #define BSD_AF_INET 2 #define BSD_AF_NS 6 /* XEROX NS protocols */ #define BSD_AF_ISO 7 #define BSD_AF_APPLETALK 16 #define BSD_AF_IPX 23 #define BSD_AF_INET6_BSD 24 /* OpenBSD (and probably NetBSD), BSD/OS */ #define BSD_AF_INET6_FREEBSD 28 #define BSD_AF_INET6_DARWIN 30 void ArgusNullPacket(u_char *user, const struct pcap_pkthdr *h, const u_char *p) { struct ArgusSourceStruct *src = (struct ArgusSourceStruct *) user; int ind = src->ArgusThisIndex; struct pcap_pkthdr hbuf; unsigned int family; if (ArgusDumpTask->ArgusDumpPacket) ArgusDumpPacket(src->ArgusInterface[ind].ArgusDump, h, p); memcpy((char *)&family, (char *)p, sizeof(family)); memcpy((char *)&hbuf, (char *)h, sizeof(*h)); if ((family & 0xFFFF0000) != 0) family = SWAPLONG(family); hbuf.len -= NULL_HDRLEN; hbuf.caplen -= NULL_HDRLEN; p += NULL_HDRLEN; switch (family) { case BSD_AF_INET: case BSD_AF_INET6_BSD: case BSD_AF_INET6_FREEBSD: case BSD_AF_INET6_DARWIN: ArgusIpPacket (user, &hbuf, p); break; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusNullPacket (%p, %p, %p) returning\n", user, h, p); #endif } #endif #include #if defined(HAVE_SOLARIS) #include #endif void *ArgusEventsProcess(void *); extern int getArguspidflag (void); extern char * ArgusCreatePIDFile (struct ArgusSourceStruct *, char *, char *); extern char *ArgusPidFile; extern char *ArgusPidPath; #define ARGUS_LAUNCHED 0x01 #define ARGUS_INITED 0x02 #define ARGUS_COMPLETE 0x04 void ArgusSourceProcess (struct ArgusSourceStruct *stask) { struct timeval tv, stv; struct timeval tvpbuf, *tvp = &tvpbuf; struct timespec ttsbuf, *tts = &ttsbuf; if (stask != NULL) { unsigned ArgusSourceCount = 0; #if defined(ARGUS_THREADS) int ArgusThreadCount = 0; #endif extern uid_t new_uid; extern gid_t new_gid; bzero(interfacetable, sizeof(interfacetable)); if (stask->ArgusRfileList != NULL) { struct ArgusRfileStruct *rfile = (struct ArgusRfileStruct *) stask->ArgusRfileList->start; int i, count = stask->ArgusRfileList->count; if (setuid(getuid()) != 0) ArgusLog (LOG_ERR, "ArgusInitSource: setuid %s\n", strerror(errno)); if (stask->ArgusDeviceList) clearArgusDevice(stask); for (i = 0; i < count; i++) { stask->mode = rfile->mode; setArgusDevice(stask, rfile->name, ARGUS_FILE_DEVICE, rfile->mode); rfile = (struct ArgusRfileStruct *) rfile->nxt; } } else { if (!(stask->ArgusDeviceList)) setArgusDevice (stask, "any", ARGUS_LIVE_DEVICE, 0); } if (stask->ArgusDeviceList) { #if defined(ARGUS_THREADS) int i, count = stask->ArgusDeviceList->count; ArgusThreadCount = 0; #endif #if defined(ARGUSDEBUG) if (!(stask->ArgusReadingOffLine)) ArgusDebug(1, "%s started with %d device%s", __func__, stask->ArgusDeviceList->count, stask->ArgusDeviceList->count > 1 ? "s" : ""); #endif if (daemonflag) if (getArguspidflag() && ((ArgusPidFile = ArgusCreatePIDFile (ArgusSourceTask, ArgusPidPath, ArgusProgramName)) == NULL)) ArgusLog (LOG_ERR, "daemon cannot create pid file"); #if defined(ARGUS_THREADS) for (i = 0; i < count; i++) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) ArgusPopFrontList(stask->ArgusDeviceList, ARGUS_LOCK); if (device != NULL) { struct ArgusSourceStruct *src = NULL; src = ArgusCloneSource(stask); clearArgusDevice(src); if (device->trans.srcid.a_un.value != 0) { src->trans = device->trans; } else { device->trans = stask->trans; device->idtype = stask->type; src->trans = stask->trans; src->type = stask->type; } ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_LOCK); stask->srcs[ArgusSourceCount++] = src; src->ArgusDeviceStr = strdup(device->name); lookup_interface(interfacetable, (const u_char *)device->name); if (ArgusInitSource (src) > 0) { if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } src->status |= ARGUS_LAUNCHED; if ((pthread_create(&src->thread, NULL, ArgusGetPackets, (void *) src)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); ArgusThreadCount++; } } } #else ArgusInitSource (stask); if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } ArgusGetPackets (stask); #endif /* ARGUS_THREADS */ } gettimeofday (&stv, 0L); stv.tv_sec += stask->ArgusInterfaceScanInterval; #if defined(ARGUS_THREADS) do { int pretn = 0, retn = 0, i; /* * non-zero when the stask->srcs[] array needs to be * compacted due to source removal */ int source_closed; if (stask->ArgusDeviceStr != NULL && !stask->ArgusReadingOffLine) { gettimeofday (&tv, 0L); if ((stv.tv_sec < tv.tv_sec) || ((stv.tv_sec == tv.tv_sec) && (stv.tv_usec <= tv.tv_usec))) { // OK, periodically look for new devices to be created. // For laptops that may be the pflog0 device coming and going. if (strstr(stask->ArgusDeviceStr, "all")) { pcap_if_t *ifap = NULL, *ifa = NULL; char *errbuf = NULL; if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) != NULL) { #if defined(HAVE_PCAP_FINDALLDEVS_NOCHECKS) if ((pretn = pcap_findalldevs_nochecks(&ifap, errbuf)) != 0) ArgusLog(LOG_INFO, "ArgusSourceProcess: pcap_findalldevs_nochecks error: %s\n", errbuf); #else if ((pretn = pcap_findalldevs(&ifap, errbuf)) != 0) ArgusLog(LOG_INFO, "ArgusSourceProcess: pcap_findalldevs error: %s\n", errbuf); #endif ArgusFree(errbuf); } // // First check that the interfaces we have open are there. // If not, mark for shutdown. // if ((pretn == 0) && (ArgusSourceCount > 0)) { for (i = 0; i < ArgusSourceCount; i++) { struct ArgusSourceStruct *src; int found = 0; if ((src = stask->srcs[i]) != NULL) { pthread_mutex_lock(&src->ArgusDeviceList->lock); struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *)ArgusPopFrontList(src->ArgusDeviceList, ARGUS_NOLOCK); for (ifa = ifap; ifa; ifa = ifa->next) { if (!strcmp(device->name, ifa->name)) found = 1; } if (!found) { src->status |= ARGUS_SHUTDOWN; } ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_NOLOCK); pthread_mutex_unlock(&src->ArgusDeviceList->lock); } } } // // Next check to see if there are any interfaces we don't have ... // if (pretn == 0) { for (ifa = ifap; ifa; ifa = ifa->next) { if (!(ifa->flags & PCAP_IF_LOOPBACK)) { if (get_interface((const u_char *)ifa->name, interfacetable) == NULL) { int found = 0; if (stask->ArgusDeviceList->count) { #if defined(ARGUS_THREADS) if (pthread_mutex_lock(&stask->ArgusDeviceList->lock) == 0) { int i, count = stask->ArgusDeviceList->count; int per_dev_count; if (count > 0) { for (i = 0; i < count && !found; i++) { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) ArgusPopFrontList(stask->ArgusDeviceList, ARGUS_NOLOCK); if (device != NULL) { if (!strcmp(device->name, ifa->name)) found = 1; if (device->list && (per_dev_count = device->list->count)) { int x; for (x = 0; x < per_dev_count && !found; x++) { struct ArgusDeviceStruct *dev = (struct ArgusDeviceStruct *) ArgusPopFrontList(device->list, ARGUS_LOCK); if (!strcmp(dev->name, ifa->name)) found = 1; ArgusPushBackList(device->list, (struct ArgusListRecord *) dev, ARGUS_LOCK); } } ArgusPushBackList(stask->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_NOLOCK); } } } pthread_mutex_unlock(&stask->ArgusDeviceList->lock); } if (found) break; #endif } if (!found && (ArgusSourceCount > 0)) { int i, per_dev_count; for (i = 0; i < ArgusSourceCount && !found; i++) { struct ArgusSourceStruct *src; if ((src = stask->srcs[i]) != NULL) { pthread_mutex_lock(&src->ArgusDeviceList->lock); struct ArgusDeviceStruct *device; device = (struct ArgusDeviceStruct *)ArgusPopFrontList(src->ArgusDeviceList, ARGUS_NOLOCK); if (!strcmp(device->name, ifa->name)) found = 1; if (device->list) { int x; pthread_mutex_lock(&device->list->lock); per_dev_count = device->list->count; for (x = 0; x < per_dev_count && !found; x++) { struct ArgusDeviceStruct *dev = (struct ArgusDeviceStruct *) ArgusPopFrontList(device->list, ARGUS_NOLOCK); if (!strcmp(dev->name, ifa->name)) found = 1; ArgusPushBackList(device->list, (struct ArgusListRecord *) dev, ARGUS_NOLOCK); } pthread_mutex_unlock(&device->list->lock); } ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_NOLOCK); pthread_mutex_unlock(&src->ArgusDeviceList->lock); } } } if (!found) { int type = ARGUS_LIVE_DEVICE, mode = 0, status = ARGUS_TYPE_IND; struct ArgusDeviceStruct *dev = NULL; char *srcid = NULL, *dlt = NULL, *sptr; struct ArgusSourceStruct *src = NULL; ArgusLog(LOG_INFO, "ArgusSourceProcess: new device: %s found\n", ifa->name); src = ArgusCloneSource(stask); clearArgusDevice(src); setArgusDevice (src, ifa->name, ARGUS_LIVE_DEVICE, 0); if (ArgusInitSource (src) > 0) { if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } src->status |= ARGUS_LAUNCHED; if ((pthread_create(&src->thread, NULL, ArgusGetPackets, (void *) src)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); ArgusThreadCount++; } stask->srcs[ArgusSourceCount++] = src; if ((sptr = strchr (stask->ArgusDeviceStr, '/')) != NULL) srcid = sptr; if ((dev = (struct ArgusDeviceStruct *) ArgusCalloc(1, sizeof(*dev))) == NULL) ArgusLog (LOG_ERR, "setArgusDevice ArgusCalloc %s\n", strerror(errno)); dev->name = strdup(ifa->name); dev->status = status; dev->type = type; dev->mode = mode; if (dlt != NULL) { #if defined(HAVE_PCAP_DATALINK_NAME_TO_VAL) dev->dlt = pcap_datalink_name_to_val(dlt); #endif dev->dltname = strdup(dlt); } if (dev != NULL) { struct ArgusSourceStruct *src = NULL; if (srcid != NULL) { int type = ArgusSourceTask->type; ArgusParseSourceID (ArgusSourceTask, dev, srcid); dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type; ArgusSourceTask->type = type; } else { char inf[5] = {0,}; dev->trans = ArgusSourceTask->trans; dev->idtype = ArgusSourceTask->type; if (dev && (dev->name != NULL)) { shortname_ethdev_unique(dev->name, inf, sizeof(inf), ArgusSourceTask->ArgusDeviceList); bcopy(inf, dev->trans.srcid.inf, 4); dev->trans.hdr.argus_dsrvl8.qual |= ARGUS_TYPE_INTERFACE; ArgusLog(LOG_INFO, "mapping interface name %s -> %s\n", dev->name, inf); } } src = ArgusCloneSource(stask); clearArgusDevice(src); if (dev->trans.srcid.a_un.value != 0) { src->trans = dev->trans; } else { dev->trans = stask->trans; dev->idtype = stask->type; src->trans = stask->trans; src->type = stask->type; } src->type = dev->type; if (ArgusInitSource (src) > 0) { if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } src->status |= ARGUS_LAUNCHED; if ((pthread_create(&src->thread, NULL, ArgusGetPackets, (void *) src)) != 0) ArgusLog (LOG_ERR, "ArgusNewEventProcessor() pthread_create error %s\n", strerror(errno)); ArgusThreadCount++; } stask->srcs[ArgusSourceCount++] = src; ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) dev, ARGUS_LOCK); } } lookup_interface(interfacetable, (const u_char *)ifa->name); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSourceProcess: Adding Interface %s\n", ifa->name); #endif } else { } } } } if (ifap != NULL) pcap_freealldevs(ifap); } gettimeofday (&stv, 0L); stv.tv_sec += stask->ArgusInterfaceScanInterval; } } if ((retn = pthread_mutex_lock(&stask->lock))) { switch (retn) { case EINVAL: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_mutex_lock() error EINVAL\n"); break; case EDEADLK: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_mutex_lock() error EDEADLK\n"); break; } } gettimeofday (tvp, 0L); tts->tv_sec = tvp->tv_sec + 0; tts->tv_nsec = (tvp->tv_usec * 1000) + 250000000; if (tts->tv_nsec > 1000000000) { tts->tv_sec++; tts->tv_nsec -= 1000000000; } if ((retn = pthread_cond_timedwait(&stask->cond, &stask->lock, tts))) { switch (retn) { case EINVAL: ArgusLog(LOG_ERR, "ArgusSourceProcess: pthread_cond_timedwait() error EINVAL\n"); break; case ETIMEDOUT: break; } } for (source_closed = 0, i = 0; i < ArgusSourceCount; i++) { struct ArgusSourceStruct *src = stask->srcs[i]; if (src != NULL) { if (src->status & ARGUS_SHUTDOWN) { pthread_t thread = 0; if (src->status & ARGUS_LAUNCHED) { if (src->eNflag == 0) stask->status |= ARGUS_SHUTDOWN; if ((thread = src->thread) != 0) { /* Prevent ArgusCloseModeler from stopping the output * process */ if (src->ArgusModel) src->ArgusModel->ArgusOutputList = NULL; } } pthread_mutex_lock(&src->ArgusDeviceList->lock); struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *)ArgusPopFrontList(src->ArgusDeviceList, ARGUS_NOLOCK); delete_interface((const u_char *) device->name); ArgusPushBackList(src->ArgusDeviceList, (struct ArgusListRecord *) device, ARGUS_NOLOCK); pthread_mutex_unlock(&src->ArgusDeviceList->lock); ArgusCloseOneSource(src); stask->srcs[i] = NULL; if (thread != 0) { ArgusThreadCount--; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSourceProcess: ArgusGetPackets[%d] done ... thread count %d\n", i, ArgusThreadCount); #endif } source_closed++; if (stask->srcs[i]) src->status &= ~(ARGUS_SHUTDOWN | ARGUS_LAUNCHED); else ArgusFree(src); } else { if (!(src->status & (ARGUS_LAUNCHED | ARGUS_NOSOURCES))) { if (ArgusInitSource (src) > 0) { if (new_gid > 0) { if (setgid(new_gid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setgid error %s", strerror(errno)); } if (new_uid > 0) { if (setuid(new_uid) < 0) ArgusLog (LOG_ERR, "ArgusInitOutput: setuid error %s", strerror(errno)); } src->status |= ARGUS_LAUNCHED; if ((pthread_create(&src->thread, NULL, ArgusGetPackets, (void *) src)) != 0) ArgusLog (LOG_ERR, "%s() pthread_create error %s\n", __func__, strerror(errno)); ArgusThreadCount++; } } } } } /* Compact the source array if one or more sources were closed */ if (source_closed) { #ifdef ARGUSDEBUG ArgusDebug(2, "%s: compacting stask array\n", __func__); #endif /* remove any empty entries from the end */ while ((ArgusSourceCount > 0) && (stask->srcs[ArgusSourceCount-1] == NULL)) ArgusSourceCount--; for (i = 0; i < ArgusSourceCount; i++) { if (stask->srcs[i] == NULL) { /* swap this empty entry with the last entry */ stask->srcs[i] = stask->srcs[ArgusSourceCount-1]; stask->srcs[ArgusSourceCount-1] = NULL; ArgusSourceCount--; } } } if (stask->ArgusRfileList && ArgusSourceCount == 0) stask->status |= ARGUS_SHUTDOWN; pthread_mutex_unlock(&stask->lock); } while (!(stask->status & ARGUS_SHUTDOWN)); } #endif /* ARGUS_THREADS */ } void * ArgusGetPackets (void *arg) { void *retn = NULL; struct ArgusSourceStruct *src = arg; fd_set ArgusReadMask, ArgusWriteMask, ArgusExceptMask; int noerror = 1; struct timeval wait; int tmp, width = 0, fd; int i, fds[ARGUS_MAXINTERFACE]; #if defined(ARGUS_PLURIBUS) || defined(CYGWIN) int notselectable = 1; #else int notselectable = 0; #endif #if defined(ARGUS_THREADS) sigset_t blocked_signals; sigfillset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #endif /* ARGUS_THREADS */ if (src != NULL) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets (%p) starting\n", src); #endif #if defined(HAVE_SOLARIS) sigignore (SIGPIPE); #else signal (SIGPIPE, SIG_IGN); #endif FD_ZERO(&ArgusReadMask); FD_ZERO(&ArgusWriteMask); FD_ZERO(&ArgusExceptMask); #define ARGUS_INTERFACE_TIMEOUT 500000 wait.tv_sec = 0; wait.tv_usec = ARGUS_INTERFACE_TIMEOUT; ArgusGetInterfaceStatus(src); ArgusGetTimeOfDay(src, &src->ArgusStartTime); for (i = 0; i < ARGUS_MAXINTERFACE; i++) fds[i] = -1; if (src->ArgusInterface[0].ArgusPd) { int up = 0; switch (src->ArgusInterface[0].ArgusInterfaceType) { case ARGUSERFPKTFILE: { if (src->ArgusInterface[0].ArgusPcap.fd) { for (i = 0; i < src->ArgusInterfaces; i++) { do { FD_SET(src->ArgusInterface[i].ArgusPcap.fd, &ArgusReadMask); width = src->ArgusInterface[i].ArgusPcap.fd + 1; if (select (width + 1, &ArgusReadMask, NULL, NULL, &wait) > 0) { ArgusErfRead(src); if (src->eNflag > 0) src->eNflag--; } else break; } while (noerror && (src->eNflag != 0) && (!(ArgusShutDownFlag))); } } break; } default: { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { #if !defined(CYGWIN) && !defined(WIN32) && !defined(MSDOS) #if defined(HAVE_PCAP_GET_SELECTABLE_FD) if (pcap_get_selectable_fd(src->ArgusInterface[i].ArgusPd) < 0) #endif notselectable++; #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusGetPackets: interface %s %s selectable\n", src->ArgusInterface[i].ifr.ifr_name, (notselectable ? "is not" : "is")); #endif if ((src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) != 0) { up++; if ((fd = pcap_fileno(src->ArgusInterface[i].ArgusPd)) >= 0) { fds[i] = fd; setArgusInterfaceStatus(src, 1); FD_SET(pcap_fileno(src->ArgusInterface[i].ArgusPd), &ArgusReadMask); if (width < fd) width = fd; } } else setArgusInterfaceStatus(src, 0); } else setArgusInterfaceStatus(src, 0); } if (!(src->ArgusReadingOffLine)) { int cnt, noPkts = 0; do { if (notselectable) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) { src->ArgusThisIndex = i; cnt = pcap_dispatch(src->ArgusInterface[i].ArgusPd, src->ArgusPcapDispatchNum, src->ArgusInterface[i].ArgusCallBack, (u_char *)src); } } if (cnt > 0) { noPkts = 0; } else if (cnt == 0) { #if !defined(CYGWIN) if (noPkts++ > 5) { struct timespec tsbuf = {0, 5000000}, *ts = &tsbuf; // 5 millisec nanosleep(ts, NULL); ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; noPkts = 0; } #else struct timespec tsbuf = {0, 100000000}, *ts = &tsbuf; // 50 millisec nanosleep(ts, NULL); ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; noPkts++; #endif } else { ArgusLog(LOG_INFO, "%s: pcap_dispatch() failed\n", __func__); noerror = 0; } } else { if (up && ((tmp = select (width + 1, &ArgusReadMask, NULL, NULL, &wait)) >= 0)) { #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusGetPackets: select() returned %d\n", tmp); #endif if (tmp > 0) { for (i = 0; i < src->ArgusInterfaces; i++) { if ((fd = fds[i]) != -1) { if (src->ArgusInterface[i].ArgusPd == NULL) { fds[i] = -1; } else if (FD_ISSET(fd, &ArgusReadMask)) { src->ArgusThisIndex = i; switch (src->ArgusInterface[i].ArgusInterfaceType) { case ARGUSLIBPPKTFILE: if ((pcap_dispatch (src->ArgusInterface[i].ArgusPd, src->ArgusPcapDispatchNum, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if (!(strncmp (pcap_geterr(src->ArgusInterface[i].ArgusPd), "recvfrom", 8))) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetPackets: pcap_dispatch() returned %s\n", pcap_geterr(src->ArgusInterface[i].ArgusPd)); #endif } else noerror = 0; } else { #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusGetPackets: pcap_dispatch() interface %s %d up\n", src->ArgusInterface[i].ArgusDevice, up); #endif } break; case ARGUSERFPKTFILE: if (ArgusErfRead (src) < 0) noerror = 0; break; case ARGUSSNOOPKTFILE: if (ArgusSnoopRead (src) < 0) noerror = 0; break; case ARGUSMOATTSHPKTFILE: if (ArgusMoatTshRead (src) < 0) noerror = 0; break; } if (src->eNflag > 0) src->eNflag--; } } } } else { ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; } } else { ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; if (up) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetPackets: select() returned %s\n", strerror(errno)); #endif } else { struct timespec tsbuf = {0, 250000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusGetPackets: no interfaces up: sleeping\n"); #endif nanosleep(ts, NULL); ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; } } width = 0; up = 0; FD_ZERO(&ArgusReadMask); for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && ((fd = pcap_fileno(src->ArgusInterface[i].ArgusPd)) >= 0)) { fds[i] = fd; if (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) { up++; FD_SET(pcap_fileno(src->ArgusInterface[i].ArgusPd), &ArgusReadMask); if (width < pcap_fileno(src->ArgusInterface[i].ArgusPd)) width = pcap_fileno(src->ArgusInterface[i].ArgusPd); } } else { fds[i] = -1; ArgusOpenInterface(src, NULL, &src->ArgusInterface[i]); } } wait.tv_sec = 0; wait.tv_usec = ARGUS_INTERFACE_TIMEOUT; } /* #endif */ if (ArgusUpdateTime (src->ArgusModel)) { ArgusGetInterfaceStatus(src); ArgusQueueManager(src->ArgusModel); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } } while (noerror && (src->eNflag != 0) && (!(ArgusShutDownFlag))); } else { long ioffset = 0, offset = 0; ioffset = ftell(src->ArgusPacketInput); offset = ioffset; for (i = 0; i < src->ArgusInterfaces; i++) { int retn = 0; src->ArgusThisIndex = i; if (getArgusfflag(src)) { // reading the tail of the file, so be ready to sleep if nothing there do { char *estr; if (offset > 0) fseek(src->ArgusPacketInput, offset, SEEK_SET); if ((retn = pcap_dispatch (src->ArgusInterface[i].ArgusPd, src->ArgusPcapDispatchNum, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if ((estr = pcap_geterr(src->ArgusInterface[i].ArgusPd)) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch returned %s\n", estr); #endif } } if (retn > 0) { if (src->eNflag > 0) src->eNflag -= retn; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch read %d packets\n", retn); #endif offset = src->ArgusInputOffset; } else { struct timespec tsbuf = {0, 100000000}, *ts = &tsbuf; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusGetPackets () pcap_dispatch read 0 packets...sleeping", retn); #endif nanosleep(ts, NULL); ArgusGetTimeOfDay(src, &src->ArgusModel->ArgusGlobalTime); ArgusModel->ArgusGlobalTime = src->ArgusModel->ArgusGlobalTime; } #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } while (getArgusfflag(src) && (src->eNflag != 0) && !ArgusShutDownFlag); } else { for (i = 0; i < src->ArgusInterfaces; i++) { src->ArgusThisIndex = i; if ((pcap_dispatch (src->ArgusInterface[i].ArgusPd, src->eNflag, src->ArgusInterface[i].ArgusCallBack, (u_char *)src)) < 0) { if (!(strncmp (pcap_geterr(src->ArgusInterface[i].ArgusPd), "recvfrom", 8))) { ArgusLog (LOG_ERR, "ArgusGetPackets: pcap_dispatch() returned %s\n", pcap_geterr(src->ArgusInterface[i].ArgusPd)); } } #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif } } } } } } } setArgusFarReportInterval (src->ArgusModel, "0"); ArgusQueueManager(src->ArgusModel); #if !defined(ARGUS_THREADS) ArgusOutputProcess(ArgusOutputTask); #endif ArgusGetTimeOfDay(src, &src->ArgusEndTime); } #if defined(ARGUS_THREADS) #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusGetPackets () returning\n"); #endif if (src != NULL) src->status |= ARGUS_SHUTDOWN; pthread_exit(retn); #endif /* ARGUS_THREADS */ return (retn); } void Argusbpf_dump(struct bpf_program *p, int option) { struct bpf_insn *insn; int i, n = p->bf_len; insn = p->bf_insns; if (option > 2) { fprintf(stdout, "%d\n", n); for (i = 0; i < n; ++insn, ++i) { fprintf(stdout, "%lu %lu %lu %lu\n", (long) insn->code, (long) insn->jt, (long) insn->jf, (long) insn->k); } return; } if (option > 1) { for (i = 0; i < n; ++insn, ++i) { fprintf(stdout, "{ 0x%x, %d, %d, 0x%08x },\n", insn->code, insn->jt, insn->jf, (int) insn->k); } return; } for (i = 0; i < n; ++insn, ++i) fprintf (stdout, "%s\n", bpf_image(insn, i)); } #include #include #if defined(HAVE_FCNTL_H) #include #endif #define ARGUSSNOOPTAG "snoop" int ArgusOpenInputPacketFile(struct ArgusSourceStruct *src, struct ArgusDeviceStruct *device, struct ArgusInterfaceStruct *inf) { int ch, rlen, type; int retn = 0; if (device != NULL) { char *readbuf, *errbuf; inf->ArgusDevice = device; if ((readbuf = (char *) ArgusMalloc (1024)) == NULL) ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) == NULL) ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); if (strcmp(device->name, "-")) { if ((src->ArgusPacketInput = fopen(device->name, "r")) == NULL) { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s: %s\n", device->name, strerror(errno)); } } else src->ArgusPacketInput = stdin; /* pcap_open_offline_with_tstamp_precision() takes an additional precision argument specifying the time stamp precision desired; if PCAP_TSTAMP_PRECISION_MICRO is specified, packet time stamps will be supplied in seconds and microseconds, and if PCAP_TSTAMP_PRECI- SION_NANO is specified, packet time stamps will be supplied in seconds and nanoseconds. */ #if defined(HAVE_PCAP_FOPEN_OFFLINE) # if defined(HAVE_PCAP_FOPEN_OFFLINE_WITH_TSTAMP_PRECISION) # if defined(ARGUS_NANOSECONDS) inf->ArgusPd = pcap_fopen_offline_with_tstamp_precision(src->ArgusPacketInput, PCAP_TSTAMP_PRECISION_NANO, errbuf); src->timeStampType = ARGUS_TYPE_UTC_NANOSECONDS; # else inf->ArgusPd = pcap_fopen_offline_with_tstamp_precision(src->ArgusPacketInput, PCAP_TSTAMP_PRECISION_MICRO, errbuf); # endif # else /* HAVE_PCAP_FOPEN_OFFLINE_WITH_TSTAMP_PRECISION */ inf->ArgusPd = pcap_open_offline(device->name, errbuf); # endif /* HAVE_PCAP_FOPEN_OFFLINE_WITH_TSTAMP_PRECISION */ #else # if defined(HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION) # if defined(ARGUS_NANOSECONDS) inf->ArgusPd = pcap_open_offline_with_tstamp_precision(device->name, PCAP_TSTAMP_PRECISION_NANO, errbuf); src->timeStampType = ARGUS_TYPE_UTC_NANOSECONDS; # else inf->ArgusPd = pcap_open_offline_with_tstamp_precision(device->name, PCAP_TSTAMP_PRECISION_MICRO, errbuf); # endif # else /* HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION */ inf->ArgusPd = pcap_open_offline(device->name, errbuf); # endif /* HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION */ #endif if (inf->ArgusPd != NULL) { src->ArgusInputPacketFileType = ARGUSLIBPPKTFILE; inf->ArgusInterfaceType = ARGUSLIBPPKTFILE; inf->ArgusDevice = (struct ArgusDeviceStruct *) device; if ((type = pcap_datalink(inf->ArgusPd)) >= 0) if ((inf->ArgusCallBack = Arguslookup_pcap_callback(type)) == NULL) ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) unsupported device type %d\n", device->name, type); inf->ArgusLocalNet = 0; inf->ArgusNetMask = 0; inf->ArgusDump = ArgusNewDump(src, inf); src->ArgusReadingOffLine++; retn = 1; } else { if (strcmp(device->name, "-")) { if ((src->ArgusPacketInput = fopen(device->name, "r")) == NULL) { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s: %s\n", device->name, strerror(errno)); } } else src->ArgusPacketInput = stdin; if (src->ArgusPacketInput) { if ((strstr (device->name, ".erf")) != NULL) { if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY)) >= 0) { inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSERFPKTFILE; src->ArgusInputPacketFileType = ARGUSERFPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) error. %s\n", device->name, strerror(errno)); } else if (getArgusMoatTshFile(src)) { if (src->ArgusPacketInput == stdin) { inf->ArgusPcap.fd = 0; inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSMOATTSHPKTFILE; src->ArgusInputPacketFileType = ARGUSMOATTSHPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY)) >= 0) { inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; inf->ArgusInterfaceType = ARGUSMOATTSHPKTFILE; src->ArgusInputPacketFileType = ARGUSMOATTSHPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } else ArgusLog(LOG_ERR, "ArgusOpenInputPacketFile(%s) error. %s\n", device->name, strerror(errno)); } else if ((ch = fgetc(src->ArgusPacketInput)) != EOF) { ungetc(ch, src->ArgusPacketInput); if ((rlen = fread ((char *)readbuf, 1, sizeof(ARGUSSNOOPTAG), src->ArgusPacketInput)) == sizeof(ARGUSSNOOPTAG)) { if ((strncmp((char *)readbuf, ARGUSSNOOPTAG, sizeof(ARGUSSNOOPTAG)) == 0)) { fclose(src->ArgusPacketInput); if ((inf->ArgusPcap.fd = open (device->name, O_RDONLY)) >= 0) { lseek(inf->ArgusPcap.fd, 16, SEEK_SET); inf->ArgusPcap.snapshot = 1500; inf->ArgusPcap.linktype = DLT_EN10MB; src->ArgusInputPacketFileType = ARGUSSNOOPKTFILE; inf->ArgusDevice = device; src->ArgusReadingOffLine++; retn = 1; } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "%s, unknown packet file format", device->name); } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "Error reading %s. Read %d bytes", device->name, rlen); } } else { snprintf (errbuf, PCAP_ERRBUF_SIZE - 1, "Error reading %s. stream empty", device->name); } inf->ArgusLocalNet = 0; inf->ArgusNetMask = 0; } if (retn == 0) ArgusLog (LOG_ALERT, "ArgusOpenInputPacketFile: pcap_open_offline: %s", errbuf); } ArgusFree(readbuf); ArgusFree(errbuf); } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusOpenInputPacketFile(%p, %p, %p) returning %d\n", src, device, inf, retn); #endif return (retn); } void ArgusGetInterfaceStatus (struct ArgusSourceStruct *src) { struct ArgusDeviceStruct *device = NULL; char *devicename = NULL; struct ifreq ifr; int i; #if !defined(CYGWIN) int fd; #endif if (ArgusShutDownFlag) return; if (src && src->ArgusDeviceList) { if (pthread_mutex_lock(&src->ArgusDeviceList->lock) == 0) { device = (struct ArgusDeviceStruct *)src->ArgusDeviceList->start; if (device) devicename = strdup(device->name); pthread_mutex_unlock(&src->ArgusDeviceList->lock); } } if (devicename == NULL) return; if ((strstr(devicename, "dag")) || (strstr(devicename, "napa")) || (strstr(devicename, "dna")) || (strstr(devicename, "zc")) || ((strstr(devicename, "eth")) && (strstr(devicename, "@")))) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd) bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); } goto out; } if (strstr(devicename, "default")) { for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0)) bzero ((char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); } goto out; } if (ArgusGetInterfaceFD < 0) if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0) ArgusLog(LOG_ERR, "ArgusGetInterfaceStatus: socket %s", strerror(errno)); #if !defined(CYGWIN) fd = ArgusGetInterfaceFD; #endif for (i = 0; i < src->ArgusInterfaces; i++) { if (src->ArgusInterface[i].ArgusPd && (pcap_fileno(src->ArgusInterface[i].ArgusPd) > 0)) { memcpy ((char *)&ifr, (char *)&src->ArgusInterface[i].ifr, sizeof(ifr)); #if !defined(CYGWIN) if ((ioctl(fd, SIOCGIFFLAGS, (char *)&src->ArgusInterface[i].ifr)) < 0) { if (src->ArgusInterface[i].ArgusPd) { pcap_close(src->ArgusInterface[i].ArgusPd); src->ArgusInterface[i].ArgusPd = NULL; goto out; } } #else src->ArgusInterface[i].ifr.ifr_flags |= IFF_UP; setArgusInterfaceStatus(src, 1); #endif if ((ifr.ifr_flags & IFF_UP) != (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP)) { int loglevel = LOG_INFO; char *errbuf; setArgusInterfaceStatus(src, (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) ? 1 : 0); if ((errbuf = (char *) ArgusMalloc (PCAP_ERRBUF_SIZE+1)) != NULL) { if (!((pcap_lookupnet (src->ArgusInterface[i].ArgusDevice->name, (u_int *)&src->ArgusInterface[i].ArgusLocalNet, (u_int *)&src->ArgusInterface[i].ArgusNetMask, errbuf)) < 0)) { #if defined(_LITTLE_ENDIAN) src->ArgusInterface[i].ArgusLocalNet = ntohl(src->ArgusInterface[i].ArgusLocalNet); src->ArgusInterface[i].ArgusNetMask = ntohl(src->ArgusInterface[i].ArgusNetMask); #endif } ArgusFree(errbuf); } else ArgusLog (LOG_ERR, "%s: ArgusMalloc %s\n", __func__, strerror(errno)); if (!(src->ArgusInterface[i].ifr.ifr_flags & IFF_UP)) loglevel = LOG_ALERT; ArgusLog (loglevel, "ArgusGetInterfaceStatus: interface %s is %s\n", src->ArgusInterface[i].ifr.ifr_name, (src->ArgusInterface[i].ifr.ifr_flags & IFF_UP) ? "up" : "down"); } pcap_stats (src->ArgusInterface[i].ArgusPd, &src->ArgusInterface[i].ArgusStat); } else { } } out: free(devicename); return; } int RaSortFileList (const void *, const void *); int RaSortFileList (const void *item1, const void *item2) { struct ArgusRfileStruct *file1 = *(struct ArgusRfileStruct **) item1; struct ArgusRfileStruct *file2 = *(struct ArgusRfileStruct **) item2; return (strcmp (file1->name, file2->name)); } void ArgusSortFileList (struct ArgusListStruct *list) { struct ArgusRfileStruct *rfile; void **array = NULL; int i = 0, count = 0; if ((list != NULL) && (count = list->count)) { if ((array = ArgusCalloc (count, sizeof(rfile))) == NULL) ArgusLog (LOG_ERR, "ArgusSortFileList: ArgusCalloc %s", strerror(errno)); while ((rfile = (void *)ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) array[i++] = rfile; if (i != count) ArgusLog (LOG_ERR, "ArgusSortFileList: integrity failure"); qsort (array, i, sizeof(rfile), RaSortFileList); for (i = 0; i < count; i++) ArgusPushFrontList(list, (struct ArgusListRecord *) array[i], ARGUS_LOCK); ArgusFree (array); } #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSortFileList(%p)\n", list); #endif } static int ArgusParseRadioTapField(struct cpack_state *s, u_int32_t bit, struct ieee80211_radiotap *rtap) { union { int8_t i8; u_int8_t u8; int16_t i16; u_int16_t u16; u_int32_t u32; u_int64_t u64; } u, u2, u3, u4; int rc; switch (bit) { case IEEE80211_RADIOTAP_FLAGS: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_RATE: case IEEE80211_RADIOTAP_DB_ANTSIGNAL: case IEEE80211_RADIOTAP_DB_ANTNOISE: case IEEE80211_RADIOTAP_ANTENNA: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_DBM_ANTSIGNAL: case IEEE80211_RADIOTAP_DBM_ANTNOISE: rc = cpack_int8(s, &u.i8); break; case IEEE80211_RADIOTAP_CHANNEL: rc = cpack_uint16(s, &u.u16); if (rc != 0) break; rc = cpack_uint16(s, &u2.u16); break; case IEEE80211_RADIOTAP_FHSS: case IEEE80211_RADIOTAP_LOCK_QUALITY: case IEEE80211_RADIOTAP_TX_ATTENUATION: rc = cpack_uint16(s, &u.u16); break; case IEEE80211_RADIOTAP_DB_TX_ATTENUATION: rc = cpack_uint8(s, &u.u8); break; case IEEE80211_RADIOTAP_DBM_TX_POWER: rc = cpack_int8(s, &u.i8); break; case IEEE80211_RADIOTAP_TSFT: rc = cpack_uint64(s, &u.u64); break; case IEEE80211_RADIOTAP_XCHANNEL: rc = cpack_uint32(s, &u.u32); if (rc != 0) break; rc = cpack_uint16(s, &u2.u16); if (rc != 0) break; rc = cpack_uint8(s, &u3.u8); if (rc != 0) break; rc = cpack_uint8(s, &u4.u8); break; default: /* this bit indicates a field whose * size we do not know, so we cannot * proceed. Just print the bit number. */ return -1; } if (rc != 0) return rc; /* struct ieee80211_radiotap { struct ieee80211_radiotap_header hdr; u_int64_t tsft; u_int16_t txchan, rxchan; u_int16_t fhss; u_int8_t rate; u_int8_t dbm_antsignal; u_int8_t dbm_antnoise; u_int8_t db_antsignal; u_int8_t db_antnoise; u_int16_t lock_quality; u_int16_t tx_attenuation; u_int16_t db_tx_attenuation; u_int8_t dbm_tx_power; u_int8_t flags; u_int8_t antenna; struct ieee80211_xchannel xchan; }; */ switch (bit) { case IEEE80211_RADIOTAP_TSFT: rtap->tsft = u.u64; break; case IEEE80211_RADIOTAP_CHANNEL: break; case IEEE80211_RADIOTAP_FHSS: rtap->fhss = u.u16; break; case IEEE80211_RADIOTAP_RATE: rtap->rate = u.u8; break; case IEEE80211_RADIOTAP_DBM_ANTSIGNAL: rtap->dbm_antsignal = u.u8; break; case IEEE80211_RADIOTAP_DBM_ANTNOISE: rtap->dbm_antnoise = u.u8; break; case IEEE80211_RADIOTAP_DB_ANTSIGNAL: rtap->db_antsignal = u.u8; break; case IEEE80211_RADIOTAP_DB_ANTNOISE: rtap->db_antnoise = u.u8; break; case IEEE80211_RADIOTAP_LOCK_QUALITY: rtap->lock_quality = u.u16; break; case IEEE80211_RADIOTAP_TX_ATTENUATION: rtap->tx_attenuation = u.u16; break; case IEEE80211_RADIOTAP_DB_TX_ATTENUATION: rtap->db_tx_attenuation = u.u16; break; case IEEE80211_RADIOTAP_DBM_TX_POWER: rtap->dbm_tx_power = u.u8; break; case IEEE80211_RADIOTAP_FLAGS: rtap->flags = u.u8; break; case IEEE80211_RADIOTAP_ANTENNA: rtap->antenna = u.u8; break; case IEEE80211_RADIOTAP_XCHANNEL: break; } return 0; } /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #include #include static u_int8_t * cpack_next_boundary(u_int8_t *buf, u_int8_t *p, size_t alignment) { size_t misalignment = (size_t)(p - buf) % alignment; if (misalignment == 0) return p; return p + (alignment - misalignment); } /* Advance to the next wordsize boundary. Return NULL if fewer than * wordsize bytes remain in the buffer after the boundary. Otherwise, * return a pointer to the boundary. */ static u_int8_t * cpack_align_and_reserve(struct cpack_state *cs, size_t wordsize) { u_int8_t *next; /* Ensure alignment. */ next = cpack_next_boundary(cs->c_buf, cs->c_next, wordsize); /* Too little space for wordsize bytes? */ if (next - cs->c_buf + wordsize > cs->c_len) return NULL; return next; } int cpack_init(struct cpack_state *cs, u_int8_t *buf, size_t buflen) { memset(cs, 0, sizeof(*cs)); cs->c_buf = buf; cs->c_len = buflen; cs->c_next = cs->c_buf; return 0; } /* Unpack a 64-bit unsigned integer. */ int cpack_uint64(struct cpack_state *cs, u_int64_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_64BITS(next); /* Move pointer past the u_int64_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack a 32-bit unsigned integer. */ int cpack_uint32(struct cpack_state *cs, u_int32_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_32BITS(next); /* Move pointer past the u_int32_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack a 16-bit unsigned integer. */ int cpack_uint16(struct cpack_state *cs, u_int16_t *u) { u_int8_t *next; if ((next = cpack_align_and_reserve(cs, sizeof(*u))) == NULL) return -1; *u = EXTRACT_LE_16BITS(next); /* Move pointer past the u_int16_t. */ cs->c_next = next + sizeof(*u); return 0; } /* Unpack an 8-bit unsigned integer. */ int cpack_uint8(struct cpack_state *cs, u_int8_t *u) { /* No space left? */ if ((size_t)(cs->c_next - cs->c_buf) >= cs->c_len) return -1; *u = *cs->c_next; /* Move pointer past the u_int8_t. */ cs->c_next++; return 0; } argus-5.0.2/argus/ArgusSource.h000066400000000000000000001073461471541253600164160ustar00rootroot00000000000000 /* * Argus-5.0 Software. Argus files - Source processor * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusSource.h#12 $ * $DateTime: 2016/10/03 10:25:27 $ * $Change: 3209 $ */ /* ArgusSource.h */ #ifndef ArgusSource_h #define ArgusSource_h #include #include #include #include #include #if defined(ARGUS_TILERA) #include #include #include #include #include #include #include #include #include #include #else #include #endif /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #ifndef _CPACK_H #define _CPACK_H struct cpack_state { u_int8_t *c_buf; u_int8_t *c_next; size_t c_len; }; int cpack_init(struct cpack_state *, u_int8_t *, size_t); int cpack_uint8(struct cpack_state *, u_int8_t *); int cpack_uint16(struct cpack_state *, u_int16_t *); int cpack_uint32(struct cpack_state *, u_int32_t *); int cpack_uint64(struct cpack_state *, u_int64_t *); #define cpack_int8(__s, __p) cpack_uint8((__s), (u_int8_t*)(__p)) #define cpack_int16(__s, __p) cpack_uint16((__s), (u_int16_t*)(__p)) #define cpack_int32(__s, __p) cpack_uint32((__s), (u_int32_t*)(__p)) #define cpack_int64(__s, __p) cpack_uint64((__s), (u_int64_t*)(__p)) #endif /* _CPACK_H */ int pcap_read(pcap_t *, int cnt, pcap_handler, u_char *); int pcap_offline_read(pcap_t *, int, pcap_handler, u_char *); #include #include #include #include #include #include #include #if defined(__NetBSD__) #include #endif #if !defined(__OpenBSD__) #include #endif #include #if !defined(__OpenBSD__) || (defined(__OpenBSD__) && !defined(_NETINET_IF_SYSTEM_H_)) #define _NETINET_IF_SYSTEM_H_ #include #endif #ifndef _NETINET_IP_H_ #include #define _NETINET_IP_H_ #endif #ifndef _NETINET_UDP_H_ #include #define _NETINET_UDP_H_ #endif #include #define ARGUSLIBPPKTFILE 1 #define ARGUSSNOOPKTFILE 2 #define ARGUSMOATTSHPKTFILE 3 #define ARGUSDAGLINK 4 #define ARGUSERFPKTFILE 5 #define ARGUS_FILE_DEVICE 1 #define ARGUS_LIVE_DEVICE 2 #define ARGUS_MAXINTERFACE 64 #define ARGUS_TYPE_IND 0x01 #define ARGUS_TYPE_BOND 0x02 #define ARGUS_TYPE_DUPLEX 0x04 #define ARGUS_LAUNCHED 0x01 #define ARGUS_INITED 0x02 #define ARGUS_COMPLETE 0x04 #define ARGUS_NOSOURCES 0x08 #define ARGUS_DONT_OPEN 0x10 struct ArgusDeviceStruct { struct ArgusListObjectStruct *nxt; int status, type, mode, link, idtype, dlt; struct ArgusTransportStruct trans; char *name, *dltname; struct ArgusListStruct *list; struct ArgusSourceStruct *src; struct ArgusMarInterfaceStruct *inf; #if defined(ARGUS_TILERA) netio_input_config_t config; #endif }; struct ArgusRfileStruct { struct ArgusListObjectStruct *nxt; int mode; char *name; }; struct arguspcap_sf { FILE *rfile; int swapped; int hdrsize; int version_major; int version_minor; u_char *base; }; struct arguspcap_md { struct pcap_stat stat; /*XXX*/ int use_bpf; /* using kernel filter */ u_long TotPkts; /* can't oflow for 79 hrs on ether */ u_long TotAccepted; /* count accepted by filter */ u_long TotDrops; /* count of dropped packets */ long TotMissed; /* missed by i/f during this run */ long OrigMissed; /* missed by i/f before this run */ #ifdef linux int sock_packet; /* using Linux 2.0 compatible interface */ int timeout; /* timeout specified to pcap_open_live */ int clear_promisc; /* must clear promiscuous mode when we close */ int cooked; /* using SOCK_DGRAM rather than SOCK_RAW */ int lo_ifindex; /* interface index of the loopback device */ char *device; /* device name */ struct pcap *next; /* list of open promiscuous sock_packet pcaps */ #endif }; struct arguspcap { int fd; int snapshot; int linktype; int tzoff; /* timezone offset */ int offset; /* offset for proper alignment */ struct arguspcap_sf sf; struct arguspcap_md md; /* * Read buffer. */ int bufsize; u_char *buffer; u_char *bp; int cc; /* * Place holder for pcap_next(). */ u_char *pkt; /* * Placeholder for filter code if bpf not in kernel. */ struct bpf_program fcode; char errbuf[PCAP_ERRBUF_SIZE]; }; #define MAXSTRSIZE 1024 #define ARGUS_MAXSNAPLEN 65535 struct ArgusInterfaceStruct { struct ArgusDeviceStruct *ArgusDevice; struct ArgusDumpStruct *ArgusDump; pcap_t *ArgusPd; struct bpf_program ArgusFilter; int state, index, ArgusInterfaceType; pcap_handler ArgusCallBack; struct ifreq ifr; struct arguspcap ArgusPcap; unsigned int ArgusLocalNet, ArgusNetMask; struct pcap_stat ArgusStat; long ArgusPacketOffset; long long ArgusTotalPkts; long long ArgusTotalIPPkts; long long ArgusTotalNonIPPkts; long long ArgusLastPkts; long long ArgusTotalDrop; long long ArgusLastDrop; long long ArgusTotalBytes; long long ArgusLastBytes; u_char *ArgusPacketBuffer; u_char ArgusPacketBufferBuffer[ARGUS_MAXSNAPLEN]; }; struct ArgusMoatTshPktHdr { unsigned int sec; char interface; char usec[3]; struct ip ip; struct tcphdr tcp; }; #define SNOOP_FILE_OFFSET 16 struct ArgusSnoopPktHdr { unsigned int len; unsigned int tlen; unsigned int pad[2]; struct timeval argtvp; }; #if defined(ArgusSource) #define JUNIPER_BPF_OUT 0 /* Outgoing packet */ #define JUNIPER_BPF_IN 1 /* Incoming packet */ #define JUNIPER_BPF_PKT_IN 0x1 /* Incoming packet */ #define JUNIPER_BPF_NO_L2 0x2 /* L2 header stripped */ #define JUNIPER_BPF_IIF 0x4 /* IIF is valid */ #define JUNIPER_BPF_FILTER 0x40 /* BPF filtering is supported */ #define JUNIPER_BPF_EXT 0x80 /* extensions present */ #define JUNIPER_MGC_NUMBER 0x4d4743 /* = "MGC" */ #define JUNIPER_LSQ_COOKIE_RE (1 << 3) #define JUNIPER_LSQ_COOKIE_DIR (1 << 2) #define JUNIPER_LSQ_L3_PROTO_SHIFT 4 #define JUNIPER_LSQ_L3_PROTO_MASK (0x17 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_IPV4 (0 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_IPV6 (1 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_MPLS (2 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define JUNIPER_LSQ_L3_PROTO_ISO (3 << JUNIPER_LSQ_L3_PROTO_SHIFT) #define AS_PIC_COOKIE_LEN 8 #define JUNIPER_IPSEC_O_ESP_ENCRYPT_ESP_AUTHEN_TYPE 1 #define JUNIPER_IPSEC_O_ESP_ENCRYPT_AH_AUTHEN_TYPE 2 #define JUNIPER_IPSEC_O_ESP_AUTHENTICATION_TYPE 3 #define JUNIPER_IPSEC_O_AH_AUTHENTICATION_TYPE 4 #define JUNIPER_IPSEC_O_ESP_ENCRYPTION_TYPE 5 /* codepoints for encoding extensions to a .pcap file */ enum { JUNIPER_EXT_TLV_IFD_IDX = 1, JUNIPER_EXT_TLV_IFD_NAME = 2, JUNIPER_EXT_TLV_IFD_MEDIATYPE = 3, JUNIPER_EXT_TLV_IFL_IDX = 4, JUNIPER_EXT_TLV_IFL_UNIT = 5, JUNIPER_EXT_TLV_IFL_ENCAPS = 6, JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE = 7, JUNIPER_EXT_TLV_TTP_IFL_ENCAPS = 8 }; /* 1 byte type and 1-byte length */ #define JUNIPER_EXT_TLV_OVERHEAD 2 struct tok jnx_ext_tlv_values[] = { { JUNIPER_EXT_TLV_IFD_IDX, "Device Interface Index" }, { JUNIPER_EXT_TLV_IFD_NAME,"Device Interface Name" }, { JUNIPER_EXT_TLV_IFD_MEDIATYPE, "Device Media Type" }, { JUNIPER_EXT_TLV_IFL_IDX, "Logical Interface Index" }, { JUNIPER_EXT_TLV_IFL_UNIT,"Logical Unit Number" }, { JUNIPER_EXT_TLV_IFL_ENCAPS, "Logical Interface Encapsulation" }, { JUNIPER_EXT_TLV_TTP_IFD_MEDIATYPE, "TTP derived Device Media Type" }, { JUNIPER_EXT_TLV_TTP_IFL_ENCAPS, "TTP derived Logical Interface Encapsulation" }, { 0, NULL } }; struct tok jnx_flag_values[] = { { JUNIPER_BPF_EXT, "Ext" }, { JUNIPER_BPF_FILTER, "Filter" }, { JUNIPER_BPF_IIF, "IIF" }, { JUNIPER_BPF_NO_L2, "no-L2" }, { JUNIPER_BPF_PKT_IN, "In" }, { 0, NULL } }; #define JUNIPER_IFML_ETHER 1 #define JUNIPER_IFML_FDDI 2 #define JUNIPER_IFML_TOKENRING 3 #define JUNIPER_IFML_PPP 4 #define JUNIPER_IFML_FRAMERELAY 5 #define JUNIPER_IFML_CISCOHDLC 6 #define JUNIPER_IFML_SMDSDXI 7 #define JUNIPER_IFML_ATMPVC 8 #define JUNIPER_IFML_PPP_CCC 9 #define JUNIPER_IFML_FRAMERELAY_CCC 10 #define JUNIPER_IFML_IPIP 11 #define JUNIPER_IFML_GRE 12 #define JUNIPER_IFML_PIM 13 #define JUNIPER_IFML_PIMD 14 #define JUNIPER_IFML_CISCOHDLC_CCC 15 #define JUNIPER_IFML_VLAN_CCC 16 #define JUNIPER_IFML_MLPPP 17 #define JUNIPER_IFML_MLFR 18 #define JUNIPER_IFML_ML 19 #define JUNIPER_IFML_LSI 20 #define JUNIPER_IFML_DFE 21 #define JUNIPER_IFML_ATM_CELLRELAY_CCC 22 #define JUNIPER_IFML_CRYPTO 23 #define JUNIPER_IFML_GGSN 24 #define JUNIPER_IFML_LSI_PPP 25 #define JUNIPER_IFML_LSI_CISCOHDLC 26 #define JUNIPER_IFML_PPP_TCC 27 #define JUNIPER_IFML_FRAMERELAY_TCC 28 #define JUNIPER_IFML_CISCOHDLC_TCC 29 #define JUNIPER_IFML_ETHERNET_CCC 30 #define JUNIPER_IFML_VT 31 #define JUNIPER_IFML_EXTENDED_VLAN_CCC 32 #define JUNIPER_IFML_ETHER_OVER_ATM 33 #define JUNIPER_IFML_MONITOR 34 #define JUNIPER_IFML_ETHERNET_TCC 35 #define JUNIPER_IFML_VLAN_TCC 36 #define JUNIPER_IFML_EXTENDED_VLAN_TCC 37 #define JUNIPER_IFML_CONTROLLER 38 #define JUNIPER_IFML_MFR 39 #define JUNIPER_IFML_LS 40 #define JUNIPER_IFML_ETHERNET_VPLS 41 #define JUNIPER_IFML_ETHERNET_VLAN_VPLS 42 #define JUNIPER_IFML_ETHERNET_EXTENDED_VLAN_VPLS 43 #define JUNIPER_IFML_LT 44 #define JUNIPER_IFML_SERVICES 45 #define JUNIPER_IFML_ETHER_VPLS_OVER_ATM 46 #define JUNIPER_IFML_FR_PORT_CCC 47 #define JUNIPER_IFML_FRAMERELAY_EXT_CCC 48 #define JUNIPER_IFML_FRAMERELAY_EXT_TCC 49 #define JUNIPER_IFML_FRAMERELAY_FLEX 50 #define JUNIPER_IFML_GGSNI 51 #define JUNIPER_IFML_ETHERNET_FLEX 52 #define JUNIPER_IFML_COLLECTOR 53 #define JUNIPER_IFML_AGGREGATOR 54 #define JUNIPER_IFML_LAPD 55 #define JUNIPER_IFML_PPPOE 56 #define JUNIPER_IFML_PPP_SUBORDINATE 57 #define JUNIPER_IFML_CISCOHDLC_SUBORDINATE 58 #define JUNIPER_IFML_DFC 59 #define JUNIPER_IFML_PICPEER 60 struct tok juniper_ifmt_values[] = { { JUNIPER_IFML_ETHER, "Ethernet" }, { JUNIPER_IFML_FDDI, "FDDI" }, { JUNIPER_IFML_TOKENRING, "Token-Ring" }, { JUNIPER_IFML_PPP, "PPP" }, { JUNIPER_IFML_PPP_SUBORDINATE, "PPP-Subordinate" }, { JUNIPER_IFML_FRAMERELAY, "Frame-Relay" }, { JUNIPER_IFML_CISCOHDLC, "Cisco-HDLC" }, { JUNIPER_IFML_SMDSDXI, "SMDS-DXI" }, { JUNIPER_IFML_ATMPVC, "ATM-PVC" }, { JUNIPER_IFML_PPP_CCC, "PPP-CCC" }, { JUNIPER_IFML_FRAMERELAY_CCC, "Frame-Relay-CCC" }, { JUNIPER_IFML_FRAMERELAY_EXT_CCC, "Extended FR-CCC" }, { JUNIPER_IFML_IPIP, "IP-over-IP" }, { JUNIPER_IFML_GRE, "GRE" }, { JUNIPER_IFML_PIM, "PIM-Encapsulator" }, { JUNIPER_IFML_PIMD, "PIM-Decapsulator" }, { JUNIPER_IFML_CISCOHDLC_CCC, "Cisco-HDLC-CCC" }, { JUNIPER_IFML_VLAN_CCC, "VLAN-CCC" }, { JUNIPER_IFML_EXTENDED_VLAN_CCC, "Extended-VLAN-CCC" }, { JUNIPER_IFML_MLPPP, "Multilink-PPP" }, { JUNIPER_IFML_MLFR, "Multilink-FR" }, { JUNIPER_IFML_MFR, "Multilink-FR-UNI-NNI" }, { JUNIPER_IFML_ML, "Multilink" }, { JUNIPER_IFML_LS, "LinkService" }, { JUNIPER_IFML_LSI, "LSI" }, { JUNIPER_IFML_ATM_CELLRELAY_CCC, "ATM-CCC-Cell-Relay" }, { JUNIPER_IFML_CRYPTO, "IPSEC-over-IP" }, { JUNIPER_IFML_GGSN, "GGSN" }, { JUNIPER_IFML_PPP_TCC, "PPP-TCC" }, { JUNIPER_IFML_FRAMERELAY_TCC, "Frame-Relay-TCC" }, { JUNIPER_IFML_FRAMERELAY_EXT_TCC, "Extended FR-TCC" }, { JUNIPER_IFML_CISCOHDLC_TCC, "Cisco-HDLC-TCC" }, { JUNIPER_IFML_ETHERNET_CCC, "Ethernet-CCC" }, { JUNIPER_IFML_VT, "VPN-Loopback-tunnel" }, { JUNIPER_IFML_ETHER_OVER_ATM, "Ethernet-over-ATM" }, { JUNIPER_IFML_ETHER_VPLS_OVER_ATM, "Ethernet-VPLS-over-ATM" }, { JUNIPER_IFML_MONITOR, "Monitor" }, { JUNIPER_IFML_ETHERNET_TCC, "Ethernet-TCC" }, { JUNIPER_IFML_VLAN_TCC, "VLAN-TCC" }, { JUNIPER_IFML_EXTENDED_VLAN_TCC, "Extended-VLAN-TCC" }, { JUNIPER_IFML_CONTROLLER, "Controller" }, { JUNIPER_IFML_ETHERNET_VPLS, "VPLS" }, { JUNIPER_IFML_ETHERNET_VLAN_VPLS, "VLAN-VPLS" }, { JUNIPER_IFML_ETHERNET_EXTENDED_VLAN_VPLS, "Extended-VLAN-VPLS" }, { JUNIPER_IFML_LT, "Logical-tunnel" }, { JUNIPER_IFML_SERVICES, "General-Services" }, { JUNIPER_IFML_PPPOE, "PPPoE" }, { JUNIPER_IFML_ETHERNET_FLEX, "Flexible-Ethernet-Services" }, { JUNIPER_IFML_FRAMERELAY_FLEX, "Flexible-FrameRelay" }, { JUNIPER_IFML_COLLECTOR, "Flow-collection" }, { JUNIPER_IFML_PICPEER, "PIC Peer" }, { JUNIPER_IFML_DFC, "Dynamic-Flow-Capture" }, {0, NULL} }; #define JUNIPER_IFLE_ATM_SNAP 2 #define JUNIPER_IFLE_ATM_NLPID 3 #define JUNIPER_IFLE_ATM_VCMUX 4 #define JUNIPER_IFLE_ATM_LLC 5 #define JUNIPER_IFLE_ATM_PPP_VCMUX 6 #define JUNIPER_IFLE_ATM_PPP_LLC 7 #define JUNIPER_IFLE_ATM_PPP_FUNI 8 #define JUNIPER_IFLE_ATM_CCC 9 #define JUNIPER_IFLE_FR_NLPID 10 #define JUNIPER_IFLE_FR_SNAP 11 #define JUNIPER_IFLE_FR_PPP 12 #define JUNIPER_IFLE_FR_CCC 13 #define JUNIPER_IFLE_ENET2 14 #define JUNIPER_IFLE_IEEE8023_SNAP 15 #define JUNIPER_IFLE_IEEE8023_LLC 16 #define JUNIPER_IFLE_PPP 17 #define JUNIPER_IFLE_CISCOHDLC 18 #define JUNIPER_IFLE_PPP_CCC 19 #define JUNIPER_IFLE_IPIP_NULL 20 #define JUNIPER_IFLE_PIM_NULL 21 #define JUNIPER_IFLE_GRE_NULL 22 #define JUNIPER_IFLE_GRE_PPP 23 #define JUNIPER_IFLE_PIMD_DECAPS 24 #define JUNIPER_IFLE_CISCOHDLC_CCC 25 #define JUNIPER_IFLE_ATM_CISCO_NLPID 26 #define JUNIPER_IFLE_VLAN_CCC 27 #define JUNIPER_IFLE_MLPPP 28 #define JUNIPER_IFLE_MLFR 29 #define JUNIPER_IFLE_LSI_NULL 30 #define JUNIPER_IFLE_AGGREGATE_UNUSED 31 #define JUNIPER_IFLE_ATM_CELLRELAY_CCC 32 #define JUNIPER_IFLE_CRYPTO 33 #define JUNIPER_IFLE_GGSN 34 #define JUNIPER_IFLE_ATM_TCC 35 #define JUNIPER_IFLE_FR_TCC 36 #define JUNIPER_IFLE_PPP_TCC 37 #define JUNIPER_IFLE_CISCOHDLC_TCC 38 #define JUNIPER_IFLE_ETHERNET_CCC 39 #define JUNIPER_IFLE_VT 40 #define JUNIPER_IFLE_ATM_EOA_LLC 41 #define JUNIPER_IFLE_EXTENDED_VLAN_CCC 42 #define JUNIPER_IFLE_ATM_SNAP_TCC 43 #define JUNIPER_IFLE_MONITOR 44 #define JUNIPER_IFLE_ETHERNET_TCC 45 #define JUNIPER_IFLE_VLAN_TCC 46 #define JUNIPER_IFLE_EXTENDED_VLAN_TCC 47 #define JUNIPER_IFLE_MFR 48 #define JUNIPER_IFLE_ETHERNET_VPLS 49 #define JUNIPER_IFLE_ETHERNET_VLAN_VPLS 50 #define JUNIPER_IFLE_ETHERNET_EXTENDED_VLAN_VPLS 51 #define JUNIPER_IFLE_SERVICES 52 #define JUNIPER_IFLE_ATM_ETHER_VPLS_ATM_LLC 53 #define JUNIPER_IFLE_FR_PORT_CCC 54 #define JUNIPER_IFLE_ATM_MLPPP_LLC 55 #define JUNIPER_IFLE_ATM_EOA_CCC 56 #define JUNIPER_IFLE_LT_VLAN 57 #define JUNIPER_IFLE_COLLECTOR 58 #define JUNIPER_IFLE_AGGREGATOR 59 #define JUNIPER_IFLE_LAPD 60 #define JUNIPER_IFLE_ATM_PPPOE_LLC 61 #define JUNIPER_IFLE_ETHERNET_PPPOE 62 #define JUNIPER_IFLE_PPPOE 63 #define JUNIPER_IFLE_PPP_SUBORDINATE 64 #define JUNIPER_IFLE_CISCOHDLC_SUBORDINATE 65 #define JUNIPER_IFLE_DFC 66 #define JUNIPER_IFLE_PICPEER 67 struct tok juniper_ifle_values[] = { { JUNIPER_IFLE_AGGREGATOR, "Aggregator" }, { JUNIPER_IFLE_ATM_CCC, "CCC over ATM" }, { JUNIPER_IFLE_ATM_CELLRELAY_CCC, "ATM CCC Cell Relay" }, { JUNIPER_IFLE_ATM_CISCO_NLPID, "CISCO compatible NLPID" }, { JUNIPER_IFLE_ATM_EOA_CCC, "Ethernet over ATM CCC" }, { JUNIPER_IFLE_ATM_EOA_LLC, "Ethernet over ATM LLC" }, { JUNIPER_IFLE_ATM_ETHER_VPLS_ATM_LLC, "Ethernet VPLS over ATM LLC" }, { JUNIPER_IFLE_ATM_LLC, "ATM LLC" }, { JUNIPER_IFLE_ATM_MLPPP_LLC, "MLPPP over ATM LLC" }, { JUNIPER_IFLE_ATM_NLPID, "ATM NLPID" }, { JUNIPER_IFLE_ATM_PPPOE_LLC, "PPPoE over ATM LLC" }, { JUNIPER_IFLE_ATM_PPP_FUNI, "PPP over FUNI" }, { JUNIPER_IFLE_ATM_PPP_LLC, "PPP over ATM LLC" }, { JUNIPER_IFLE_ATM_PPP_VCMUX, "PPP over ATM VCMUX" }, { JUNIPER_IFLE_ATM_SNAP, "ATM SNAP" }, { JUNIPER_IFLE_ATM_SNAP_TCC, "ATM SNAP TCC" }, { JUNIPER_IFLE_ATM_TCC, "ATM VCMUX TCC" }, { JUNIPER_IFLE_ATM_VCMUX, "ATM VCMUX" }, { JUNIPER_IFLE_CISCOHDLC, "C-HDLC" }, { JUNIPER_IFLE_CISCOHDLC_CCC, "C-HDLC CCC" }, { JUNIPER_IFLE_CISCOHDLC_SUBORDINATE, "C-HDLC via dialer" }, { JUNIPER_IFLE_CISCOHDLC_TCC, "C-HDLC TCC" }, { JUNIPER_IFLE_COLLECTOR, "Collector" }, { JUNIPER_IFLE_CRYPTO, "Crypto" }, { JUNIPER_IFLE_ENET2, "Ethernet" }, { JUNIPER_IFLE_ETHERNET_CCC, "Ethernet CCC" }, { JUNIPER_IFLE_ETHERNET_EXTENDED_VLAN_VPLS, "Extended VLAN VPLS" }, { JUNIPER_IFLE_ETHERNET_PPPOE, "PPPoE over Ethernet" }, { JUNIPER_IFLE_ETHERNET_TCC, "Ethernet TCC" }, { JUNIPER_IFLE_ETHERNET_VLAN_VPLS, "VLAN VPLS" }, { JUNIPER_IFLE_ETHERNET_VPLS, "VPLS" }, { JUNIPER_IFLE_EXTENDED_VLAN_CCC, "Extended VLAN CCC" }, { JUNIPER_IFLE_EXTENDED_VLAN_TCC, "Extended VLAN TCC" }, { JUNIPER_IFLE_FR_CCC, "FR CCC" }, { JUNIPER_IFLE_FR_NLPID, "FR NLPID" }, { JUNIPER_IFLE_FR_PORT_CCC, "FR CCC" }, { JUNIPER_IFLE_FR_PPP, "FR PPP" }, { JUNIPER_IFLE_FR_SNAP, "FR SNAP" }, { JUNIPER_IFLE_FR_TCC, "FR TCC" }, { JUNIPER_IFLE_GGSN, "GGSN" }, { JUNIPER_IFLE_GRE_NULL, "GRE NULL" }, { JUNIPER_IFLE_GRE_PPP, "PPP over GRE" }, { JUNIPER_IFLE_IPIP_NULL, "IPIP" }, { JUNIPER_IFLE_LAPD, "LAPD" }, { JUNIPER_IFLE_LSI_NULL, "LSI Null" }, { JUNIPER_IFLE_LT_VLAN, "LT VLAN" }, { JUNIPER_IFLE_MFR, "MFR" }, { JUNIPER_IFLE_MLFR, "MLFR" }, { JUNIPER_IFLE_MLPPP, "MLPPP" }, { JUNIPER_IFLE_MONITOR, "Monitor" }, { JUNIPER_IFLE_PIMD_DECAPS, "PIMd" }, { JUNIPER_IFLE_PIM_NULL, "PIM Null" }, { JUNIPER_IFLE_PPP, "PPP" }, { JUNIPER_IFLE_PPPOE, "PPPoE" }, { JUNIPER_IFLE_PPP_CCC, "PPP CCC" }, { JUNIPER_IFLE_PPP_SUBORDINATE, "" }, { JUNIPER_IFLE_PPP_TCC, "PPP TCC" }, { JUNIPER_IFLE_SERVICES, "General Services" }, { JUNIPER_IFLE_VLAN_CCC, "VLAN CCC" }, { JUNIPER_IFLE_VLAN_TCC, "VLAN TCC" }, { JUNIPER_IFLE_VT, "VT" }, {0, NULL} }; struct juniper_cookie_table_t { u_int32_t pictype; /* pic type */ u_int8_t cookie_len; /* cookie len */ const char *s; /* pic name */ }; static struct juniper_cookie_table_t juniper_cookie_table[] = { #ifdef DLT_JUNIPER_ATM1 { DLT_JUNIPER_ATM1, 4, "ATM1"}, #endif #ifdef DLT_JUNIPER_ATM2 { DLT_JUNIPER_ATM2, 8, "ATM2"}, #endif #ifdef DLT_JUNIPER_MLPPP { DLT_JUNIPER_MLPPP, 2, "MLPPP"}, #endif #ifdef DLT_JUNIPER_MLFR { DLT_JUNIPER_MLFR, 2, "MLFR"}, #endif #ifdef DLT_JUNIPER_MFR { DLT_JUNIPER_MFR, 4, "MFR"}, #endif #ifdef DLT_JUNIPER_PPPOE { DLT_JUNIPER_PPPOE, 0, "PPPoE"}, #endif #ifdef DLT_JUNIPER_PPPOE_ATM { DLT_JUNIPER_PPPOE_ATM, 0, "PPPoE ATM"}, #endif #ifdef DLT_JUNIPER_GGSN { DLT_JUNIPER_GGSN, 8, "GGSN"}, #endif #ifdef DLT_JUNIPER_MONITOR { DLT_JUNIPER_MONITOR, 8, "MONITOR"}, #endif #ifdef DLT_JUNIPER_SERVICES { DLT_JUNIPER_SERVICES, 8, "AS"}, #endif #ifdef DLT_JUNIPER_ES { DLT_JUNIPER_ES, 0, "ES"}, #endif { 0, 0, NULL } }; struct juniper_l2info_t { u_int32_t length; u_int32_t caplen; u_int32_t pictype; u_int8_t direction; u_int8_t header_len; u_int8_t cookie_len; u_int8_t cookie_type; u_int8_t cookie[8]; u_int8_t bundle; u_int16_t proto; u_int8_t flags; }; #define LS_COOKIE_ID 0x54 #define AS_COOKIE_ID 0x47 #define LS_MLFR_COOKIE_LEN 4 #define ML_MLFR_COOKIE_LEN 2 #define LS_MFR_COOKIE_LEN 6 #define ATM1_COOKIE_LEN 4 #define ATM2_COOKIE_LEN 8 #define ATM2_PKT_TYPE_MASK 0x70 #define ATM2_GAP_COUNT_MASK 0x3F #define JUNIPER_PROTO_NULL 1 #define JUNIPER_PROTO_IPV4 2 #define JUNIPER_PROTO_IPV6 6 #define MFR_BE_MASK 0xc0 /* static struct tok juniper_protocol_values[] = { { JUNIPER_PROTO_NULL, "Null" }, { JUNIPER_PROTO_IPV4, "IPv4" }, { JUNIPER_PROTO_IPV6, "IPv6" }, { 0, NULL} }; */ int ip_heuristic_guess(register const u_char *, u_int); int juniper_ppp_heuristic_guess(register const u_char *, u_int); int juniper_read_tlv_value(const u_char *, u_int, u_int); static int juniper_parse_header (const u_char *, const struct pcap_pkthdr *, struct juniper_l2info_t *); #endif #define ARGUS_HOLDING 1 struct ArgusDumpStruct { int state, status, proc; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; pthread_cond_t cond; #endif char *ArgusWriteOutPacketFile; pcap_dumper_t *ArgusPcapOutFile; pcap_t *ArgusPd; int ArgusDumpPacket; int ArgusDumpPacketOnError; int ArgusDumpPacketOnProtocol; unsigned long ArgusPacketOffset; char *ppc; }; struct ArgusSourceStruct { int state, status, proc; int timeStampType; #if defined(ARGUS_THREADS) pthread_t thread; pthread_mutex_t lock; pthread_cond_t cond; #endif struct ArgusListStruct *ArgusDeviceList; struct ArgusListStruct *ArgusRfileList; struct ArgusModelerStruct *ArgusModel; struct ArgusDumpStruct *ArgusDump; char *ArgusInputFilter, *ArgusDeviceStr; char *ArgusWriteOutPacketFile; struct ArgusTransportStruct trans; char * ArgusMarIncludeInterface; int ArgusPcapBufSize, ArgusPcapDispatchNum, type, mode; int ArgusInterfaceScanInterval; struct timeval ArgusStartTime, ArgusEndTime, lasttime; int ArgusSnapLength, ArgusThisLength; unsigned char *ArgusThisSnapEnd; struct ieee80211_radiotap ArgusThisRadioTap; unsigned char ArgusInterfaceType; unsigned char ArgusInterfaceStatus; int Argustflag, sNflag, eNflag, kflag, pflag, uflag, tflag; float Tflag; pcap_if_t *ArgusPacketDevices; pcap_if_t *ArgusDevice; int ArgusInterfaceIndex, ArgusThisIndex, ArgusInterfaces; struct ArgusInterfaceStruct ArgusInterface[ARGUS_MAXINTERFACE]; struct ArgusSourceStruct *srcs[ARGUS_MAXINTERFACE]; #if defined(ARGUS_TILERA) netio_queue_t queue; #endif int ArgusReadingOffLine; int ArgusInputPacketFileType; int Argusbpflag, ArgusCaptureFlag, Argusfflag; FILE *ArgusPacketInput; long ArgusInputOffset; int ArgusSnapLen, ArgusOflag, Arguspflag; char **ArgusArgv; int ArgusOptind; char *ArgusCmdBuf; }; int setArgusListInterfaces (struct ArgusSourceStruct *, int); int setArgusTimestampType(char *); int setArgusDeDup(char *); void ArgusParseSourceID (struct ArgusSourceStruct *, struct ArgusDeviceStruct *, char *); void setArgusManInf (struct ArgusSourceStruct *, char *); char *getArgusManInf (struct ArgusSourceStruct *); int ArgusSnoopRead (struct ArgusSourceStruct *); void ArgusIpPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusArcnetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusTokenPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusAtmClipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusLoopPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusSlipPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppBsdosPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusFddiPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusATMPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusSllPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppHdlcPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPppEtherPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11Packet (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusLtalkPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPrismPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11RadioPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void Argus802_11RadioAvsPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusEncPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusDagPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusJuniperPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusIpNetPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusPflogPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); void ArgusNullPacket (u_char *user, const struct pcap_pkthdr *h, const u_char *p); struct callback { pcap_handler function; int type; char *fname; }; void ArgusSourceProcess (struct ArgusSourceStruct *); void *ArgusGetPackets (void *); struct ArgusDeviceStruct *ArgusCloneDevice(struct ArgusDeviceStruct *); int ArgusOpenInputPacketFile(struct ArgusSourceStruct *, struct ArgusDeviceStruct *, struct ArgusInterfaceStruct *); pcap_handler Arguslookup_pcap_callback (int); pcap_handler Arguslookup_dag_callback (int); void Argusbpf_dump(struct bpf_program *, int); void setArgusRealTime (struct ArgusSourceStruct *, float value); float getArgusRealTime (struct ArgusSourceStruct *); int getArgusID(struct ArgusSourceStruct *, struct ArgusAddrStruct *); unsigned int getArgusIDType(struct ArgusSourceStruct *); void setArgusID(struct ArgusSourceStruct *, void *, int, unsigned int); void setArgusMoatTshFile (struct ArgusSourceStruct *, int); int getArgusMoatTshFile (struct ArgusSourceStruct *); void setArgusWriteOutPacketFile (struct ArgusDumpStruct *, char *); unsigned char getArgusInterfaceType(struct ArgusSourceStruct *); void setArgusInterfaceType(struct ArgusSourceStruct *, unsigned char); unsigned char getArgusInterfaceStatus(struct ArgusSourceStruct *); void setArgusInterfaceStatus(struct ArgusSourceStruct *, unsigned char); void setArgusPacketCaptureProtocols(struct ArgusDumpStruct *, char *); #if defined(ArgusSource) static struct callback ArgusSourceCallbacks[] = { #if defined(ARGUS_TILERA) #else { ArgusArcnetPacket, DLT_ARCNET, "ArgusArcnetPacket()" }, { ArgusEtherPacket, DLT_EN10MB, "ArgusEtherPacket()" }, { ArgusTokenPacket, DLT_IEEE802, "ArgusTokenPacket()" }, { ArgusSlipPacket, DLT_SLIP, "ArgusSlipPacket()" }, { ArgusSlipPacket, DLT_SLIP_BSDOS, "ArgusSlipPacket()" }, { ArgusPppPacket, DLT_PPP, "ArgusPppPacket()" }, { ArgusPppBsdosPacket, DLT_PPP_BSDOS, "ArgusPppBsdosPacket()" }, { ArgusFddiPacket, DLT_FDDI, "ArgusFddiPacket()" }, { ArgusATMPacket, DLT_ATM_RFC1483, "ArgusATMPacket()" }, { ArgusIpPacket, DLT_RAW, "ArgusIpPacket()" }, { ArgusPflogPacket, DLT_PFLOG, "ArgusPflogPacket()" }, { ArgusNullPacket, DLT_NULL, "ArgusNullPacket()" }, #ifdef DLT_ENC { ArgusEncPacket, DLT_ENC, "ArgusEncPacket()" }, #endif #ifdef DLT_LANE8023 { ArgusLanePacket, DLT_LANE8023, "ArgusLanePacket()" }, #endif #ifdef DLT_CIP { ArgusCipPacket, DLT_CIP, "ArgusCipPacket()" }, #endif #ifdef DLT_ATM_CLIP { ArgusAtmClipPacket, DLT_ATM_CLIP, "ArgusAtmClipPacket()" }, #endif #ifdef DLT_LINUX_SLL { ArgusSllPacket, DLT_LINUX_SLL, "ArgusSllPacket()" }, #endif #ifdef DLT_LOOP { ArgusLoopPacket, DLT_LOOP, "ArgusLoopPacket()" }, #endif #ifdef DLT_C_HDLC { ArgusHdlcPacket, DLT_C_HDLC, "ArgusHdlcPacket()" }, #endif #ifdef DLT_HDLC { ArgusHdlcPacket, DLT_HDLC, "ArgusHdlcPacket()" }, #endif #ifdef DLT_PPP_SERIAL { ArgusPppHdlcPacket, DLT_PPP_SERIAL, "ArgusPppHdlcPacket()" }, #endif #ifdef DLT_PPP_ETHER { ArgusPppEtherPacket, DLT_PPP_ETHER, "ArgusPppEtherPacket()" }, #endif #ifdef DLT_LINUX_SLL { ArgusSllPacket, DLT_LINUX_SLL, "ArgusSllPacket()" }, #endif #ifdef DLT_IEEE802_11 { Argus802_11Packet, DLT_IEEE802_11, "Argus802_11Packet()"}, #endif #ifdef DLT_PRISM_HEADER { ArgusPrismPacket, DLT_PRISM_HEADER, "ArgusPrismPacket()" }, #endif #ifdef DLT_IEEE802_11_RADIO { Argus802_11RadioPacket, DLT_IEEE802_11_RADIO, "Argus802_11RadioPacket()" }, #endif #ifdef DLT_IEEE802_11_RADIO_AVS { Argus802_11RadioAvsPacket, DLT_IEEE802_11_RADIO_AVS, "Argus802_11RadioAvsPacket()" }, #endif #ifdef DLT_LTALK { ArgusLtalkPacket, DLT_LTALK, "ArgusLtalkPacket()" }, #endif #ifdef DLT_JUNIPER_ETHER { ArgusJuniperPacket, DLT_JUNIPER_ETHER, "ArgusJuniperPacket()" }, #endif #ifdef DLT_IPNET { ArgusIpNetPacket, DLT_IPNET, "ArgusIpNetPacket()" }, #endif { NULL, DLT_NULL, "" }, #endif { NULL, 0, NULL}, }; extern int Argustflag; struct ArgusSourceStruct *ArgusSourceTask = NULL; struct ArgusDumpStruct *ArgusDumpTask = NULL; struct ArgusSourceStruct *ArgusNewSource(struct ArgusModelerStruct *); struct ArgusSourceStruct *ArgusCloneSource(struct ArgusSourceStruct *); int ArgusInitSource(struct ArgusSourceStruct *); int ArgusCloseSource(struct ArgusSourceStruct *); void ArgusDeleteSource(struct ArgusSourceStruct *); struct ArgusDumpStruct *ArgusNewDump(struct ArgusSourceStruct *, struct ArgusInterfaceStruct *); extern char *ArgusCopyArgv (char **argv); void setArgusOutputTask(void); void setArgusModeler(struct ArgusSourceStruct *); struct ArgusOutputStruct *getArgusOutputTask(void); struct ArgusModelerStruct *getArgusModeler(struct ArgusSourceStruct *); int getArgusSnapLen(struct ArgusSourceStruct *); void setArgusSnapLen(struct ArgusSourceStruct *, int); int getArgusbpflag(struct ArgusSourceStruct *); int getArgusfflag(struct ArgusSourceStruct *); int getArguspflag(struct ArgusSourceStruct *); int getArgusOflag(struct ArgusSourceStruct *); void setArgusbpflag(struct ArgusSourceStruct *, int); void setArgusfflag(struct ArgusSourceStruct *, int); void setArguspflag(struct ArgusSourceStruct *, int); void setArgusOflag(struct ArgusSourceStruct *, int); void setArgusCaptureFlag(struct ArgusSourceStruct *, int); void setArgusDevice(struct ArgusSourceStruct *, char *, int, int); void setArgusInfile(struct ArgusSourceStruct *, char *); void setArgusrfile(struct ArgusSourceStruct *, char *); void setArgusrFile(struct ArgusSourceStruct *, char *); char *getArgusDevice(struct ArgusSourceStruct *); char *getArgusInfile(struct ArgusSourceStruct *); char *getArgusrfile(struct ArgusSourceStruct *); void clearArgusDevice(struct ArgusSourceStruct *); int ArgusCreatePktFromFddi(const struct fddi_header *, struct ether_header *, int); #else /* defined(ArgusSource) */ extern struct ArgusSourceStruct *ArgusSourceTask; extern struct ArgusDumpStruct *ArgusDumpTask; extern long long ArgusTotalPkts; extern long long ArgusLastPkts; extern long long ArgusTotalDrop; extern long long ArgusLastDrop; extern long long ArgusTotalBytes; extern long long ArgusLastBytes; extern struct ArgusSourceStruct *ArgusNewSource(struct ArgusModelerStruct *); extern struct ArgusSourceStruct *ArgusCloneSource(struct ArgusSourceStruct *); extern int ArgusInitSource(struct ArgusSourceStruct *); extern int ArgusCloseSource(struct ArgusSourceStruct *); extern void ArgusDeleteSource(struct ArgusSourceStruct *); extern struct ArgusDumpStruct *ArgusNewDump(struct ArgusSourceStruct *, struct ArgusInterfaceStruct *); extern struct ArgusOutputStruct *getArgusOutputTask(struct ArgusSourceStruct *); extern void setArgusOutputTask(struct ArgusSourceStruct *); extern struct ArgusModelerStruct *getArgusModeler(struct ArgusSourceStruct *); extern void setArgusModeler(struct ArgusSourceStruct *); extern int getArgusSnapLen(struct ArgusSourceStruct *); extern void setArgusSnapLen(struct ArgusSourceStruct *, int); extern int getArgusbpflag(struct ArgusSourceStruct *); extern int getArgusfflag(struct ArgusSourceStruct *); extern int getArguspflag(struct ArgusSourceStruct *); extern int getArgusOflag(struct ArgusSourceStruct *); extern int getArgusMoatTshFile (struct ArgusSourceStruct *); extern void setArgusbpflag(struct ArgusSourceStruct *, int); extern void setArgusfflag(struct ArgusSourceStruct *, int); extern void setArguspflag(struct ArgusSourceStruct *, int); extern void setArgusOflag(struct ArgusSourceStruct *, int); extern void setArgusCaptureFlag(struct ArgusSourceStruct *, int); extern void setArgusMoatTshFile (struct ArgusSourceStruct *, int value); extern void setArgusWriteOutPacketFile (struct ArgusDumpStruct *, char *); extern void setArgusDevice(struct ArgusSourceStruct *, char *, int, int); extern void setArgusInfile(struct ArgusSourceStruct *, char *); extern void setArgusrfile(struct ArgusSourceStruct *, char *); extern char *getArgusDevice(struct ArgusSourceStruct *); extern char *getArgusInfile(struct ArgusSourceStruct *); extern char *getArgusrfile(struct ArgusSourceStruct *); extern void clearArgusDevice(struct ArgusSourceStruct *); #endif #endif /* #ifndef ArgusSource_h */ argus-5.0.2/argus/ArgusTcp.c000066400000000000000000001224641471541253600156750ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - TCP Protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusTcp.c#11 $ * $DateTime: 2016/09/18 16:32:53 $ * $Change: 3186 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusTcp) #define ArgusTcp #endif #include #include #include "ArgusTimeDiff.h" #include #include extern void ArgusZeroRecord(struct ArgusFlowStruct *); /* These tcp optinos do not have the size octet */ #define ZEROLENOPT(o) ((o) == TCPOPT_EOL || (o) == TCPOPT_NOP) #if !defined(TH_ECE) #define TH_ECE 0x40 #endif #if !defined(TH_CWR) #define TH_CWR 0x80 #endif void ArgusParseTCPOptions(struct ArgusModelerStruct *, struct tcphdr *, int, u_int *, struct ArgusTCPObjectMetrics *); void ArgusInitializeTCP (struct ArgusModelerStruct *, struct ArgusFlowStruct *); void ArgusUpdateTCPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateTCPSequence (struct ArgusModelerStruct *, struct ArgusFlowStruct *, struct tcphdr *); void ArgusTCPKeystroke (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); int ArgusUpdateTCPStateMachine (struct ArgusModelerStruct *, struct ArgusFlowStruct *, struct tcphdr *); void ArgusTCPFlowRecord (struct ArgusNetworkStruct *, unsigned char); long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); #include #include void ArgusUpdateTCPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; struct tcphdr *thdr = (struct tcphdr *) model->ArgusThisUpHdr; struct tcphdr tcpbuf, *tcp = &tcpbuf; struct ArgusTCPObject *tcpExt = NULL; if (thdr && STRUCTCAPTURED(model, *thdr)) { int tcplen = model->ArgusThisLength; int tcphlen = thdr->th_off * 4; int tcpdatalen = tcplen - tcphlen; unsigned char flags = thdr->th_flags; #ifdef _LITTLE_ENDIAN bzero ((char *)tcp, sizeof(tcpbuf)); tcp->th_dport = ntohs(thdr->th_dport); tcp->th_sport = ntohs(thdr->th_sport); tcp->th_seq = ntohl(thdr->th_seq); tcp->th_ack = ntohl(thdr->th_ack); tcp->th_win = ntohs(thdr->th_win); tcp->th_flags = thdr->th_flags; #else bcopy ((char *) thdr, (char *)tcp, sizeof(tcpbuf)); #endif if (*state == ARGUS_START) { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) &flowstr->canon.net; net->hdr.type = ARGUS_NETWORK_DSR; net->hdr.subtype = ARGUS_TCP_INIT; net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPInitStatus)+3))/4 + 1; net->hdr.argus_dsrvl8.qual = ARGUS_TCP_INIT_V2; flowstr->dsrs[ARGUS_NETWORK_INDEX] = (struct ArgusDSRHeader *) net; tcpExt = &net->net_union.tcp; bzero ((char *)tcpExt, sizeof(*tcpExt)); model->ArgusSnapLength -= tcphlen; model->ArgusThisLength = tcpdatalen; model->ArgusThisUpHdr += tcphlen; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if ((tcphlen -= sizeof(*tcp)) > 0) ArgusParseTCPOptions (model, thdr, tcphlen, &tcpExt->options, ArgusThisTCPsrc); if (flags & TH_RST) { tcpExt->status |= ARGUS_RESET; ArgusThisTCPsrc->status |= ARGUS_RESET; tcpExt->state = TCPS_LISTEN; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; if (tcp->th_seq) { ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; } else { ArgusThisTCPsrc->seqbase = tcp->th_ack - 1; ArgusThisTCPsrc->seq = tcp->th_ack - 1; } ArgusThisTCPdst->ack = tcp->th_ack - 1; ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } else { switch (flags & (TH_SYN|TH_ACK|TH_FIN|TH_PUSH|TH_URG)) { case (TH_SYN): tcpExt->status |= ARGUS_SAW_SYN; tcpExt->state = TCPS_SYN_SENT; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->seqbase = tcp->th_seq; ArgusThisTCPsrc->seq = tcp->th_seq; ArgusThisTCPsrc->win = tcp->th_win; ArgusThisTCPsrc->flags |= flags; if ((flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) tcpExt->options |= ARGUS_TCP_SRC_ECN; break; case (TH_SYN|TH_ACK): case (TH_SYN|TH_ACK|TH_PUSH): case (TH_SYN|TH_ACK|TH_PUSH|TH_URG): { tcpExt->status |= ARGUS_SAW_SYN_SENT; tcpExt->state = TCPS_SYN_RECEIVED; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->seqbase = tcp->th_seq; ArgusThisTCPsrc->seq = tcp->th_seq; ArgusThisTCPsrc->win = tcp->th_win; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPdst->ack = tcp->th_ack - 1; if ((tcp->th_flags & (TH_ECE|TH_CWR)) == TH_ECE) tcpExt->options |= ARGUS_TCP_DST_ECN; break; } case (TH_ACK): case (TH_PUSH|TH_ACK): case (TH_URG|TH_ACK): case (TH_PUSH|TH_URG|TH_ACK): ArgusThisTCPdst->ack = tcp->th_ack - 1; case (TH_PUSH): case (TH_URG): case (TH_PUSH|TH_URG): tcpExt->status |= ARGUS_CON_ESTABLISHED; tcpExt->state = TCPS_ESTABLISHED; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; ArgusThisTCPsrc->win = tcp->th_win; break; case (TH_FIN): case (TH_FIN|TH_ACK): case (TH_FIN|TH_ACK|TH_URG): case (TH_FIN|TH_ACK|TH_PUSH): case (TH_FIN|TH_ACK|TH_PUSH|TH_URG): tcpExt->status |= ARGUS_FIN; tcpExt->state = TCPS_FIN_WAIT_1; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; ArgusThisTCPsrc->win = tcp->th_win; break; default: tcpExt->status |= ARGUS_CON_ESTABLISHED; tcpExt->state = TCPS_ESTABLISHED; ArgusThisTCPsrc->bytes += model->ArgusThisLength; ArgusThisTCPsrc->flags |= flags; ArgusThisTCPsrc->seqbase = tcp->th_seq - 1; ArgusThisTCPsrc->seq = tcp->th_seq + model->ArgusThisLength; if (!(flags & TH_RST)) ArgusThisTCPsrc->win = tcp->th_win; break; } ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } else { #define ARGUS_ECN_FLAGS (ARGUS_TCP_SRC_ECN | ARGUS_TCP_DST_ECN) tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; } else { ArgusThisTCPsrc = &tcpExt->dst; } switch (tcpExt->state) { case TCPS_CLOSE_WAIT: case TCPS_FIN_WAIT_1: case TCPS_CLOSING: case TCPS_LAST_ACK: case TCPS_FIN_WAIT_2: case TCPS_TIME_WAIT: case TCPS_LISTEN: { if (flags & TH_SYN) { ArgusSendFlowRecord (model, flowstr, ARGUS_STOP); ArgusZeroRecord (flowstr); ArgusRemoveFromQueue(flowstr->qhdr.queue, &flowstr->qhdr, ARGUS_LOCK); ArgusInitializeTCP (model, flowstr); tcpExt->status |= ARGUS_PORT_REUSE; ArgusPushQueue(model->ArgusStatusQueue, &flowstr->qhdr, ARGUS_LOCK); return; // ArgusUpdateBasicFlow (model, flowstr, ARGUS_START); // ArgusUpdateTCPState (model, flowstr, state); } } default: { if (getArgusTCPflag(model)) { flowstr->canon.net.hdr.subtype = ARGUS_TCP_PERF; flowstr->canon.net.hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPObject)+3))/4 + 1; } else { flowstr->canon.net.hdr.subtype = ARGUS_TCP_STATUS; } model->ArgusSnapLength -= tcphlen; model->ArgusThisLength = tcpdatalen; model->ArgusThisUpHdr += tcphlen; if ((tcphlen - sizeof(*tcp)) > 0) ArgusParseTCPOptions (model, thdr, (tcphlen - sizeof(*tcp)), &tcpExt->options, ArgusThisTCPsrc); ArgusThisTCPsrc->flags |= flags; if ((tcpExt->options & ARGUS_ECN_FLAGS) && (flags & TH_ECE)) { if (flags & TH_ACK) { if (model->ArgusThisDir) { tcpExt->status |= ARGUS_SRC_CONGESTED; } else { tcpExt->status |= ARGUS_DST_CONGESTED; } } } if (ArgusUpdateTCPSequence(model, flowstr, tcp)) { switch (ArgusUpdateTCPStateMachine(model, flowstr, tcp)) { case TCPS_LISTEN: if (flags == TH_SYN) { ArgusThisTCPsrc->bytes -= model->ArgusThisLength; model->ArgusThisUpHdr -= tcphlen; model->ArgusThisLength = tcplen; model->ArgusSnapLength += tcphlen; ArgusRemoveFromQueue (flowstr->qhdr.queue, &flowstr->qhdr, ARGUS_LOCK); ArgusSendFlowRecord (model, flowstr, ARGUS_STOP); ArgusInitializeTCP (model, flowstr); ArgusPushQueue(model->ArgusStatusQueue, &flowstr->qhdr, ARGUS_LOCK); return; } break; case TCPS_CLOSED: case TCPS_TIME_WAIT: if (!(tcpExt->status & ARGUS_RESET)) tcpExt->status |= ARGUS_NORMAL_CLOSE; flowstr->timeout = 10; break; } } ArgusThisTCPsrc->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisTCPsrc->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; } } } } } void ArgusInitializeTCP (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flow) { struct ArgusSystemFlow *fdsr = (struct ArgusSystemFlow *)flow->dsrs[ARGUS_FLOW_INDEX]; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flow->canon.net.net_union.tcp; bzero ((char *)tcpExt, sizeof(*tcpExt)); if (fdsr) { if (!(model->ArgusThisDir)) { fdsr->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION; fdsr->hdr.subtype &= ~ARGUS_REVERSE; } } flow->state = model->state & ARGUS_DIRECTION; model->ArgusThisDir = 1; flow->qhdr.lasttime = model->ArgusGlobalTime; ArgusUpdateFlow (model, flow, ARGUS_START, 0); } int ArgusUpdateTCPStateMachine (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, struct tcphdr *tcp) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; unsigned char flags = tcp->th_flags & (TH_SYN | TH_ACK | TH_RST | TH_FIN) ; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; unsigned int state = tcpExt->state; int len = model->ArgusThisLength; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if (flags & TH_RST) { tcpExt->status |= ARGUS_RESET; ArgusThisTCPsrc->status |= ARGUS_RESET; if (state == TCPS_SYN_SENT) { if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) state = TCPS_LISTEN; else state = TCPS_CLOSING; } else { if ((tcp->th_seq >= ArgusThisTCPsrc->ack) && (tcp->th_seq < (ArgusThisTCPsrc->ack + (ArgusThisTCPsrc->win >> ArgusThisTCPsrc->winshift)))) state = TCPS_CLOSED; else state = TCPS_CLOSING; } } else { switch (state) { case TCPS_LISTEN: case TCPS_SYN_SENT: if (flags == TH_SYN) { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } else if (flags == (TH_SYN|TH_ACK)) { if (ArgusThisTCPsrc->status & ARGUS_SAW_SYN) { state = TCPS_LISTEN; tcpExt->status |= ARGUS_SAW_SYN_SENT; ArgusThisTCPsrc->status |= ARGUS_SAW_SYN_SENT; } else { state = TCPS_SYN_RECEIVED; tcpExt->status |= ARGUS_SAW_SYN_SENT; ArgusThisTCPsrc->status |= ARGUS_SAW_SYN_SENT; if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) { struct timeval lasttime; lasttime.tv_sec = ArgusThisTCPdst->lasttime.tv_sec; lasttime.tv_usec = ArgusThisTCPdst->lasttime.tv_usec; tcpExt->synAckuSecs = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &lasttime); #if defined(ARGUS_NANOSECONDS) /* convert this from ns to us */ tcpExt->synAckuSecs /= 1000; #endif } } } else if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else if (flags & TH_ACK) { state = TCPS_ESTABLISHED; tcpExt->status |= ARGUS_CON_ESTABLISHED; ArgusThisTCPsrc->status |= ARGUS_CON_ESTABLISHED; /* flowstr->ArgusTimeout = ARGUS_IPTIMEOUT; */ } break; case TCPS_SYN_RECEIVED: if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else if (!(flags & TH_SYN)) { if (flags & TH_ACK) { state = TCPS_ESTABLISHED; tcpExt->status |= ARGUS_CON_ESTABLISHED; /* flowstr->ArgusTimeout = ARGUS_IPTIMEOUT; */ ArgusThisTCPsrc->status |= ARGUS_CON_ESTABLISHED; if (ArgusThisTCPsrc->seq == ArgusThisTCPdst->ack) { struct timeval lasttime; lasttime.tv_sec = ArgusThisTCPdst->lasttime.tv_sec; lasttime.tv_usec = ArgusThisTCPdst->lasttime.tv_usec; tcpExt->ackDatauSecs = ArgusAbsTimeDiff (&model->ArgusGlobalTime, &lasttime); #if defined(ARGUS_NANOSECONDS) /* convert this from ns to us */ tcpExt->ackDatauSecs /= 1000; #endif } } } else { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } break; case TCPS_ESTABLISHED: if (flags & TH_FIN) { state = TCPS_FIN_WAIT_1; tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } else { if (flags & TH_SYN) { if (flags & TH_ACK) { tcpExt->status |= ARGUS_SAW_SYN_SENT; tcpExt->status |= ARGUS_CON_ESTABLISHED; } ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } } break; case TCPS_CLOSE_WAIT: case TCPS_FIN_WAIT_1: if ((flags & TH_SYN) && !(flags & TH_ACK)) { state = TCPS_LISTEN; } else case TCPS_LAST_ACK: case TCPS_FIN_WAIT_2: if (flags & TH_FIN) { if (!(flags & TH_ACK)) { if (ArgusThisTCPdst->status & ARGUS_FIN_ACK) { ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->retrans++; } } else { tcpExt->status |= ARGUS_FIN; ArgusThisTCPsrc->status |= ARGUS_FIN; } } if ((flags & TH_ACK) && !(len)) { if (ArgusThisTCPdst->status & ARGUS_FIN) { if (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack) { state = TCPS_FIN_WAIT_2; tcpExt->status |= ARGUS_FIN_ACK; ArgusThisTCPdst->status |= ARGUS_FIN_ACK; } } } break; case TCPS_CLOSING: case TCPS_TIME_WAIT: if ((flags & TH_SYN) && !(flags & TH_ACK)) state = TCPS_LISTEN; else if (flags & TH_ACK) if ((ArgusThisTCPsrc->seq == ArgusThisTCPsrc->ack) && (ArgusThisTCPdst->seq == ArgusThisTCPsrc->ack)) state = TCPS_CLOSED; break; case TCPS_CLOSED: if ((flags & TH_SYN) && !(flags & TH_ACK)) state = TCPS_LISTEN; break; } } if (state != TCPS_LISTEN) tcpExt->state = state; return (state); } int ArgusUpdateTCPSequence (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, struct tcphdr *tcp) { struct ArgusTCPObjectMetrics *ArgusThisTCPsrc, *ArgusThisTCPdst; struct ArgusTCPObject *tcpExt = (struct ArgusTCPObject *)&flowstr->canon.net.net_union.tcp; unsigned char flags = tcp->th_flags; int len = model->ArgusThisLength; int retn = 1, win, ArgusDuplicatePacket = 0; unsigned int maxseq = 0; unsigned int seq = tcp->th_seq; unsigned int newseq = seq + len; struct ArgusIPAttrStruct *attr = NULL; unsigned short ipid = 0, *tipid = NULL; if (model->ArgusThisDir) { ArgusThisTCPsrc = &tcpExt->src; ArgusThisTCPdst = &tcpExt->dst; } else { ArgusThisTCPsrc = &tcpExt->dst; ArgusThisTCPdst = &tcpExt->src; } if ((attr = (struct ArgusIPAttrStruct *) flowstr->dsrs[ARGUS_IPATTR_INDEX]) != NULL) { if (model->ArgusThisDir) { if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) ipid = attr->src.ip_id; tipid = &flowstr->sipid; } else { if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) ipid = attr->dst.ip_id; tipid = &flowstr->dipid; } } if (flags == TH_SYN) /* we started over */ return (retn); model->ArgusInProtocol = 1; if (!(tcp->th_win) && !(flags & (TH_FIN|TH_RST))) { ArgusThisTCPsrc->status |= ARGUS_WINDOW_SHUT; model->ArgusInProtocol = 0; } else { if (!(flags & (TH_FIN|TH_RST))) { ArgusThisTCPsrc->win = tcp->th_win; } } if (len && (ArgusThisTCPdst->win != 0)) { ArgusThisTCPsrc->bytes += len; if (ArgusThisTCPsrc->winbytes == 0) model->ArgusInProtocol = 0; if (ArgusThisTCPsrc->flags & TH_FIN) { if (tcp->th_seq < ArgusThisTCPsrc->seq) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; } else if (!(flags & TH_FIN)) ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } if (!(flags & TH_SYN)) ArgusThisTCPsrc->winbytes += len; } else model->ArgusInProtocol = 0; if (newseq < seq) { /* we rolled over */ ArgusThisTCPsrc->ackbytes += ArgusThisTCPsrc->seq - ArgusThisTCPsrc->seqbase; /* ackbytes holds the number of rollover bytes */ ArgusThisTCPsrc->seqbase = newseq; ArgusThisTCPsrc->seq = newseq; } else { if (!ArgusThisTCPsrc->seqbase) { /* first packet in this direction */ ArgusThisTCPsrc->seqbase = seq; ArgusThisTCPsrc->seq = newseq; } else { if (len) { if (model->ArgusTrackDuplicates && (tipid && ((ipid != 0) && (*tipid == ipid)))) { if (model->ArgusThisDir) ArgusThisTCPsrc->status |= ARGUS_SRC_DUPLICATES; else ArgusThisTCPdst->status |= ARGUS_DST_DUPLICATES; ArgusDuplicatePacket = 1; } else { if (ArgusThisTCPdst->win != 0) { /* not first packet seen in this direction */ if (tcp->th_seq < ArgusThisTCPdst->ack) { if ((ArgusThisTCPdst->ack - tcp->th_seq) < (ArgusThisTCPsrc->win >> ArgusThisTCPsrc->winshift)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; model->ArgusInProtocol = 0; } } else { if (newseq > ArgusThisTCPsrc->seq) { maxseq = newseq; } else { maxseq = ArgusThisTCPsrc->seq; } if (ArgusThisTCPsrc->win) { int dipid; if (tipid && ((dipid = (ipid - *tipid)) < 0) && (dipid > -5000)) { ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } else if (ArgusThisTCPsrc->winbytes > ((maxseq - 1) - ArgusThisTCPdst->ack)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; model->ArgusInProtocol = 0; } else { if (newseq < ArgusThisTCPsrc->seq) { if (tcp->th_seq == (ArgusThisTCPdst->ack + 1)) { ArgusThisTCPsrc->retrans++; ArgusThisTCPsrc->status |= ARGUS_PKTS_RETRANS; ArgusThisTCPsrc->winbytes -= len; } else { ArgusThisTCPsrc->status |= ARGUS_OUTOFORDER; } } } } ArgusThisTCPsrc->seq = maxseq; } } *tipid = ipid; } } else { } } } if (!(ArgusDuplicatePacket)) { if (tcp->th_ack && (flags & TH_ACK)) { if (ArgusThisTCPsrc->ack) { if (ArgusThisTCPdst->seq > ArgusThisTCPsrc->ack) ArgusThisTCPdst->winbytes = (ArgusThisTCPdst->seq - 1) - ArgusThisTCPsrc->ack; } if (!(ArgusThisTCPsrc->ack == (tcp->th_ack - 1))) { if (!(ArgusThisTCPsrc->ack) || (ArgusThisTCPdst->seq == tcp->th_ack)) { ArgusThisTCPdst->winbytes = 0; if (!(ArgusThisTCPsrc->ack == (tcp->th_ack - 1))) if (ArgusThisTCPdst->seq == tcp->th_ack) ArgusThisTCPdst->winnum++; } else { if (!(flags & TH_SYN)) if (ArgusThisTCPsrc->ack) { win = (tcp->th_ack - 1) - ArgusThisTCPsrc->ack; win = (ArgusThisTCPdst->winbytes < win) ? ArgusThisTCPdst->winbytes : win; ArgusThisTCPdst->winbytes -= win; ArgusThisTCPdst->winnum++; } } ArgusThisTCPsrc->ack = tcp->th_ack - 1; } } } else retn = 0; /* ArgusInProtocol = 1; */ return (retn); } void ArgusTCPKeystroke (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct ArgusKeyStrokeConf *ArgusKeyStroke = &model->ArgusKeyStroke; struct tcphdr *thdr = (struct tcphdr *) model->ArgusThisUpHdr; struct tcphdr tcpbuf, *tcp = &tcpbuf; if (thdr && STRUCTCAPTURED(model, *thdr)) { int tcplen = model->ArgusThisLength; int tcphlen = thdr->th_off * 4; int tcpdatalen = tcplen - tcphlen; if (ArgusKeyStroke->status & ARGUS_SSH_KEYSTROKE) if (!(flowstr->status & ARGUS_SSH_MONITOR)) return; if (++flowstr->skey.n_pkts < ArgusKeyStroke->n_min) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld flow_n_pkts(%d) < n_min(%d)\n", flowstr, model->ArgusTotalPacket, flowstr->skey.n_pkts, ArgusKeyStroke->n_min); #endif return; } else { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld flow_n_pkts(%d)\n", flowstr, model->ArgusTotalPacket, flowstr->skey.n_pkts); #endif } if (tcpdatalen > 0) { #ifdef _LITTLE_ENDIAN bzero ((char *)tcp, sizeof(tcpbuf)); tcp->th_dport = ntohs(thdr->th_dport); tcp->th_sport = ntohs(thdr->th_sport); tcp->th_seq = ntohl(thdr->th_seq); tcp->th_ack = ntohl(thdr->th_ack); tcp->th_win = ntohs(thdr->th_win); tcp->th_flags = thdr->th_flags; #else bcopy ((char *) thdr, (char *)tcp, sizeof(tcpbuf)); #endif if (ArgusKeyStroke->status & ARGUS_SSH_KEYSTROKE) { if (tcpdatalen % 4) { flowstr->status &= ~ARGUS_SSH_MONITOR; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: packet %lld flow %p ssh monitor and tcpdatalen(%d) not mod 4\n", flowstr->skey.n_pkts, flowstr, tcpdatalen); #endif return; } } if (flowstr->dsrs[ARGUS_BEHAVIOR_INDEX] == NULL) { flowstr->dsrs[ARGUS_BEHAVIOR_INDEX] = (struct ArgusDSRHeader *) &flowstr->canon.actor.hdr; flowstr->dsrindex |= 1 << ARGUS_BEHAVIOR_INDEX; } #define CLIENT 1 #define SERVER 0 switch (model->ArgusThisDir) { case CLIENT: { if ((tcpdatalen >= ArgusKeyStroke->dc_min) && (tcpdatalen <= ArgusKeyStroke->dc_max)) { int i = 0, found = 0; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld client packet seq(%u) size(%d) OK\n", flowstr, flowstr->skey.n_pkts, tcp->th_seq, tcpdatalen); #endif for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS && !found; i++) { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[i]; if (pkt->n_pno == 0) { // this is an empty slot, so use it struct timeval tvpbuf, *tvp = &tvpbuf; pkt->ts.tv_sec = model->ArgusGlobalTime.tv_sec; pkt->ts.tv_usec = model->ArgusGlobalTime.tv_usec; pkt->intpkt = ArgusDiffTime (&pkt->ts, &flowstr->skey.prev_c_ts, tvp); pkt->seq = tcp->th_seq + tcpdatalen; pkt->n_pno = flowstr->skey.n_pkts; found = 1; } } if (!found) { // don't have an empty slot, so create one. clear earliest packet number client packet. keep tentatives int lpno = 0x7FFFFFFF, npkt = -1; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[i]; if (pkt->status != ARGUS_KEYSTROKE_TENTATIVE) { if (pkt->n_pno < lpno) { npkt = i; lpno = pkt->n_pno; } } } if (npkt < 0) { // nothing but tentatives, so lets clear the tentative at index = 0 #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld no non-tentative packets to reject, clearing first\n", flowstr, flowstr->skey.n_pkts); #endif npkt = 0; } { struct ArgusKeyStrokePacket *pkt = &flowstr->skey.data.pkts[npkt]; struct timeval tvpbuf, *tvp = &tvpbuf; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld clearing client %d seq(%u)\n", flowstr, flowstr->skey.n_pkts, npkt, pkt->seq); #endif pkt->ts.tv_sec = model->ArgusGlobalTime.tv_sec; pkt->ts.tv_usec = model->ArgusGlobalTime.tv_usec; pkt->intpkt = ArgusDiffTime (&pkt->ts, &flowstr->skey.prev_c_ts, tvp); pkt->seq = tcp->th_seq + tcpdatalen; pkt->n_pno = flowstr->skey.n_pkts; } } } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld client packet size(%d) NOK reset\n", flowstr, flowstr->skey.n_pkts, tcpdatalen); } #endif break; } case SERVER: { struct ArgusKeyStrokePacket *pkt = NULL; int i, found = 0, reject = 1; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS && !found; i++) { pkt = &flowstr->skey.data.pkts[i]; if ((pkt->status == 0) && (pkt->seq == tcp->th_ack)) found++; } if (found) { struct ArgusTime stime; stime.tv_sec = model->ArgusGlobalTime.tv_sec; stime.tv_usec = model->ArgusGlobalTime.tv_usec; if ((flowstr->skey.n_pkts - pkt->n_pno) <= ArgusKeyStroke->gs_max) { if ((tcpdatalen >= ArgusKeyStroke->ds_min) && (tcpdatalen <= ArgusKeyStroke->ds_max)) { struct timeval tvpbuf, *tvp = &tvpbuf; if (pkt->intpkt >= ArgusKeyStroke->ic_min) { long long slint = ArgusDiffTime (&stime, &flowstr->skey.prev_s_ts, tvp); float ic_ratio = (pkt->intpkt * 1.0) / (slint * 1.0); if ((ic_ratio >= ArgusKeyStroke->icr_min) && (ic_ratio <= ArgusKeyStroke->icr_max)) { if ((pkt->n_pno - flowstr->skey.prev_pno) <= ArgusKeyStroke->gpc_max) { int i; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld server keystroke ", flowstr, flowstr->skey.n_pkts); #endif flowstr->skey.n_strokes++; for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld TENTATIVE packet %lld keystroke ", flowstr, flowstr->skey.n_pkts, tpkt->n_pno); #endif flowstr->skey.n_strokes++; bzero(tpkt, sizeof(*tpkt)); } } flowstr->skey.prev_pno = pkt->n_pno; flowstr->skey.prev_c_ts = pkt->ts; flowstr->skey.prev_s_ts = stime; bzero(pkt, sizeof(*pkt)); } else { for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) bzero(tpkt, sizeof(*tpkt)); } pkt->status = ARGUS_KEYSTROKE_TENTATIVE; #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld server packet pc_gap(%d) > gpc_max(%d) TENTATIVE\n", flowstr, flowstr->skey.n_pkts, (pkt->n_pno - flowstr->skey.prev_pno) , ArgusKeyStroke->gpc_max); #endif flowstr->skey.prev_pno = pkt->n_pno; flowstr->skey.prev_c_ts = pkt->ts; flowstr->skey.prev_s_ts = stime; } reject = 0; } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld server ic_ratio(%f) out of range\n", flowstr, flowstr->skey.n_pkts, ic_ratio); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld rejected server IPA(%lld) < ic_min(%d)\n", flowstr, flowstr->skey.n_pkts, pkt->intpkt, ArgusKeyStroke->ic_min); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld rejected server packet size(%d)\n", flowstr, flowstr->skey.n_pkts, tcpdatalen); } #endif } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld rejected server packet flow s_gap(%d) > gs_gap(%d)\n", flowstr, flowstr->skey.n_pkts, (flowstr->skey.n_pkts - pkt->n_pno), ArgusKeyStroke->gs_max); } #endif if (reject) { for (i = 0; i < ARGUS_NUM_KEYSTROKE_PKTS; i++) { struct ArgusKeyStrokePacket *tpkt = &flowstr->skey.data.pkts[i]; if (tpkt->status == ARGUS_KEYSTROKE_TENTATIVE) bzero(tpkt, sizeof(*tpkt)); } bzero(pkt, sizeof(*pkt)); } } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld server packet ack(%u) no match\n", flowstr, flowstr->skey.n_pkts, tcp->th_ack); } #endif } } } #ifdef ARGUSDEBUG else { ArgusDebug (5, "ArgusTCPKeystroke: flow %p packet %lld %s packet rejected tcpdatalen(%d)\n", flowstr, flowstr->skey.n_pkts, (model->ArgusThisDir ? "server" : "client"), tcpdatalen); } #endif } } #include void ArgusTCPFlowRecord (struct ArgusNetworkStruct *net, unsigned char state) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; net->hdr.argus_dsrvl8.qual = ARGUS_TCP_INIT_V2; tcp->status &= ~(ARGUS_RESET | ARGUS_PKTS_RETRANS | ARGUS_WINDOW_SHUT | ARGUS_OUTOFORDER | ARGUS_DUPLICATES); if (tcp->src.status & ARGUS_RESET) tcp->status |= ARGUS_SRC_RESET; if (tcp->dst.status & ARGUS_RESET) tcp->status |= ARGUS_DST_RESET; if (tcp->src.status & ARGUS_PKTS_RETRANS) tcp->status |= ARGUS_SRC_PKTS_RETRANS; if (tcp->dst.status & ARGUS_PKTS_RETRANS) tcp->status |= ARGUS_DST_PKTS_RETRANS; if (tcp->src.status & ARGUS_WINDOW_SHUT) tcp->status |= ARGUS_SRC_WINDOW_SHUT; if (tcp->dst.status & ARGUS_WINDOW_SHUT) tcp->status |= ARGUS_DST_WINDOW_SHUT; if (tcp->src.status & ARGUS_OUTOFORDER) tcp->status |= ARGUS_SRC_OUTOFORDER; if (tcp->dst.status & ARGUS_OUTOFORDER) tcp->status |= ARGUS_DST_OUTOFORDER; if (tcp->src.status & ARGUS_DUPLICATES) tcp->status |= ARGUS_SRC_DUPLICATES; if (tcp->dst.status & ARGUS_DUPLICATES) tcp->status |= ARGUS_DST_DUPLICATES; switch (net->hdr.subtype) { case ARGUS_TCP_INIT: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPInitStatus)+3))/4 + 1; break; case ARGUS_TCP_STATUS: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPStatus)+3))/4 + 1; break; case ARGUS_TCP_PERF: net->hdr.argus_dsrvl8.len = ((sizeof(struct ArgusTCPObject)+3))/4 + 1; break; } } void ArgusParseTCPOptions(struct ArgusModelerStruct *model, struct tcphdr *tcp, int len, u_int *options, struct ArgusTCPObjectMetrics *ArgusThisTCPsrc) { register const u_char *cp; register int i, opt, alen, datalen; if ((tcp != NULL)) { cp = (const u_char *)tcp + sizeof(*tcp); while (len > 0) { opt = *cp++; if (ZEROLENOPT(opt)) alen = 1; else { alen = *cp++; /* total including type, len */ if (alen < 2 || alen > len) goto bad; --len; /* account for length byte */ } --len; /* account for type byte */ datalen = 0; switch (opt) { case TCPOPT_MAXSEG: *options |= ARGUS_TCP_MAXSEG; datalen = 2; LENCHECK(model, datalen); ArgusThisTCPsrc->maxseg = ntohs(*(u_short *)cp); break; case TCPOPT_EOL: break; case TCPOPT_NOP: break; case TCPOPT_WSCALE: *options |= ARGUS_TCP_WSCALE; datalen = 1; LENCHECK(model, datalen); ArgusThisTCPsrc->winshift = *cp; break; case TCPOPT_SACKOK: *options |= ARGUS_TCP_SACKOK; break; case TCPOPT_SACK: *options |= ARGUS_TCP_SACK; datalen = alen - 2; for (i = 0; i < datalen; i += 4) { LENCHECK(model, i + 4); } break; case TCPOPT_ECHO: *options |= ARGUS_TCP_ECHO; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_ECHOREPLY: *options |= ARGUS_TCP_ECHOREPLY; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_TIMESTAMP: *options |= ARGUS_TCP_TIMESTAMP; datalen = 8; LENCHECK(model, 4); LENCHECK(model, datalen); break; case TCPOPT_CC: *options |= ARGUS_TCP_CC; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_CCNEW: *options |= ARGUS_TCP_CCNEW; datalen = 4; LENCHECK(model, datalen); break; case TCPOPT_CCECHO: *options |= ARGUS_TCP_CCECHO; datalen = 4; LENCHECK(model, datalen); break; default: datalen = alen - 2; for (i = 0; i < datalen; ++i) LENCHECK(model, i); break; } cp += datalen; len -= datalen; ++datalen; /* option octet */ if (!ZEROLENOPT(opt)) ++datalen; /* size octet */ if (opt == TCPOPT_EOL) break; } } bad: trunc: { } } argus-5.0.2/argus/ArgusTimeDiff.h000066400000000000000000000043541471541253600166400ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Time include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ #ifndef __ARGUS_TIME_DIFF_H # define __ARGUS_TIME_DIFF_H # ifdef HAVE_CONFIG_H # include "argus_config.h" # endif # include static inline long long ArgusTimeDiff(const struct timeval * const start, const struct timeval * const stop) { long long retn, t1, t2; #if defined(ARGUS_NANOSECONDS) t1 = (start->tv_sec * 1000000000LL) + (start->tv_usec * 1LL); t2 = (stop->tv_sec * 1000000000LL) + ( stop->tv_usec * 1LL); #else t1 = (start->tv_sec * 1000000LL) + (start->tv_usec * 1LL); t2 = (stop->tv_sec * 1000000LL) + ( stop->tv_usec * 1LL); #endif retn = t2 - t1; return (retn); } static inline unsigned long long ArgusAbsTimeDiff(const struct timeval * const start, const struct timeval * const stop) { unsigned long long retn = 0; const struct timeval *t1 = start, *t2 = stop; if ((stop->tv_sec < start->tv_sec) || ((stop->tv_sec == start->tv_sec) && (stop->tv_usec < start->tv_usec))) { t2 = start; t1 = stop; } #if defined(ARGUS_NANOSECONDS) retn = ((t2->tv_sec * 1000000000LL) + t2->tv_usec) - ((t1->tv_sec * 1000000000LL) + t1->tv_usec); #else retn = ((t2->tv_sec * 1000000LL) + t2->tv_usec) - ((t1->tv_sec * 1000000LL) + t1->tv_usec); #endif return (retn); } #endif argus-5.0.2/argus/ArgusUdp.c000066400000000000000000000044371471541253600156760ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - UDP Protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusUdp.c#5 $ * $DateTime: 2015/06/22 17:59:06 $ * $Change: 3024 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusUdp) #define ArgusUdp #endif #include #include #include #include #include #include void ArgusUpdateUDPState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDPState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udphdr *up = (struct udphdr *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(up + 1); if (STRUCTCAPTURED(model, *up)) { model->ArgusThisLength -= sizeof(*up); model->ArgusSnapLength -= sizeof(*up); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) { flowstr->timeout = ARGUS_IPTIMEOUT; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDPState(0x%x, %d) returning\n", flowstr, state); #endif } #include void ArgusUDPFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); void ArgusUDPFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } argus-5.0.2/argus/ArgusUdt.c000066400000000000000000000712311471541253600156760ustar00rootroot00000000000000/* * Argus Software. Argus files - Udt protocol processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusUdt.c#7 $ * $DateTime: 2015/09/02 16:24:01 $ * $Change: 3068 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(ArgusUdt) #define ArgusUdt #endif #include #include #include #include #include #include struct ArgusSystemFlow * ArgusCreateUDTFlow (struct ArgusModelerStruct *model, struct udt_header *udt) { struct ArgusSystemFlow *retn = NULL; struct ArgusSystemFlow *tflow = model->ArgusThisFlow; if (STRUCTCAPTURED(model, *udt)) { struct ether_header *ep = model->ArgusThisMacHdr; if (ep != NULL) { if (model->ArgusFlowType == ARGUS_BIDIRECTIONAL) { int dstgteq = 1, i; tflow->hdr.type = ARGUS_FLOW_DSR; tflow->hdr.subtype = ARGUS_FLOW_CLASSIC5TUPLE; tflow->hdr.argus_dsrvl8.qual = ARGUS_TYPE_UDT; tflow->hdr.argus_dsrvl8.len = 6; #ifndef ETH_ALEN #define ETH_ALEN 6 #endif for (i = 0; i < ETH_ALEN; i++) { if (((unsigned char *)&ep->ether_shost)[i] != ((unsigned char *)&ep->ether_dhost)[i]) { if (((unsigned char *)&ep->ether_shost)[i] > ((unsigned char *)&ep->ether_dhost)[i]) dstgteq = 0; break; } } if (dstgteq) { bcopy ((char *) ep, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr, sizeof (struct ether_header)); } else { model->state |= ARGUS_DIRECTION; bcopy ((char *)&ep->ether_shost, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr.ether_dhost, ETH_ALEN); bcopy ((char *)&ep->ether_dhost, (char *)&tflow->udt_flow.mac.mac_union.ether.ehdr.ether_shost, ETH_ALEN); tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = ep->ether_type; } if (model->ArgusThisEncaps & ARGUS_ENCAPS_LLC) { tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = 0; switch (model->ArgusThisNetworkFlowType & 0xFFFF) { case ARGUS_ISIS: tflow->udt_flow.mac.mac_union.ether.ehdr.ether_type = ARGUS_ISIS; break; default: model->ArgusThisNetworkFlowType &= ~(0xFFFF); break; } if (dstgteq) { tflow->udt_flow.mac.mac_union.ether.ssap = model->ArgusThisLLC->ssap; tflow->udt_flow.mac.mac_union.ether.dsap = model->ArgusThisLLC->dsap; } else { tflow->udt_flow.mac.mac_union.ether.ssap = model->ArgusThisLLC->dsap; tflow->udt_flow.mac.mac_union.ether.dsap = model->ArgusThisLLC->ssap; } } else { tflow->udt_flow.mac.mac_union.ether.ssap = 0; tflow->udt_flow.mac.mac_union.ether.dsap = 0; } switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); tflow->udt_flow.sockid = EXTRACT_32BITS(&udtc->sockid); break; } case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; tflow->udt_flow.sockid = EXTRACT_32BITS(&udtd->sockid); break; } } if (model->state & ARGUS_DIRECTION) { tflow->hdr.argus_dsrvl8.qual |= ARGUS_DIRECTION; tflow->hdr.subtype |= ARGUS_REVERSE; } retn = tflow; } } } return (retn); } void ArgusUpdateUDToEState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDTState (struct ArgusModelerStruct *, struct ArgusFlowStruct *, unsigned char *); void ArgusUpdateUDToEState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udtoe_header *udt = (struct udtoe_header *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(udt + 1); if (STRUCTCAPTURED(model, *udt)) { model->ArgusThisLength -= sizeof(*udt); model->ArgusSnapLength -= sizeof(*udt); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; struct ArgusUDTObjectMetrics *ArgusThisUdtMetric; if (model->ArgusThisDir) { ArgusThisUdtMetric = &net->net_union.udt.src; } else { ArgusThisUdtMetric = &net->net_union.udt.dst; } if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) flowstr->timeout = ARGUS_IPTIMEOUT; switch (udt->un_udt.cntl.type & UDTOE_PACKET_MASK) { case UDTOE_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); unsigned char type = ((udtc->type & 0x7F) >> 3); model->ArgusThisLength -= 48; switch (type & UDTOE_CONTROL_TYPE_MASK) { case UDTOE_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; hshake->version = ntohl(hshake->version); hshake->socktype = ntohl(hshake->socktype); hshake->initseq = ntohl(hshake->initseq); hshake->psize = ntohl(hshake->psize); hshake->wsize = ntohl(hshake->wsize); hshake->conntype = ntohl(hshake->conntype); hshake->sockid = ntohl(hshake->sockid); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_HANDSHAKE type %d seqNum %d size %d maxWin %d conn %d sockid 0x%x\n", flowstr, *state, hshake->socktype, hshake->initseq, hshake->psize, hshake->wsize, hshake->conntype, hshake->sockid); #endif break; } case UDTOE_CONTROL_KEEPALIVE: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_KEEPALIVE\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_ACK: { struct udt_control_ack *ack = (void *) (udtc + 1); int len = model->ArgusThisLength/4; if (len--) { ArgusThisUdtMetric->ack = ntohl(ack->ackseqnum); if (len--) { ArgusThisUdtMetric->rtt = ntohl(ack->rtt); if (len--) { ArgusThisUdtMetric->var = ntohl(ack->var); if (len--) { ArgusThisUdtMetric->bsize = ntohl(ack->bsize); if (ack->bsize == 0) { net->net_union.udt.status |= ARGUS_WINDOW_SHUT; } if (len--) { ArgusThisUdtMetric->rate = ntohl(ack->rate); if (len--) { ArgusThisUdtMetric->lcap = ntohl(ack->lcap); }}}}}} #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACK, sockid 0x%x ack = 0x%x\n", flowstr, *state, ntohl(udtc->sockid), net->net_union.udt.src.ack); #endif break; } case UDTOE_CONTROL_NAK: { struct udt_control_nak *nak = (void *) (udtc + 1); int num = 0, len = model->ArgusThisLength/4; unsigned int *sptr = &nak->seqnum; int i, fitem, sseq = 0, eseq = 0, range = 0; #ifdef ARGUSDEBUG char buf[256]; *buf = '\0'; #endif for (i = 0, fitem = 0; i < len; i++, sptr++) { *sptr = ntohl(*sptr); if (*sptr & 0x80000000) { sseq = *sptr & 0x7FFFFFFF; range = 1; } else { eseq = *sptr; if (range) { #ifdef ARGUSDEBUG if (fitem++) sprintf(&buf[strlen(buf)], ",0x%x-0x%x", sseq, eseq); else sprintf(&buf[strlen(buf)], "0x%x-0x%x", sseq, eseq); #endif num += (eseq - sseq) + 1; range = 0; } else { #ifdef ARGUSDEBUG if (fitem++) sprintf(&buf[strlen(buf)], ",0x%x", eseq); else sprintf(&buf[strlen(buf)], "0x%x", eseq); #endif fitem++; num++; } } } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_NAK, sockid 0x%x nak.comp[%d] num %d %s", flowstr, *state, ntohl(udtc->sockid), len, num, buf); #endif if (num) ArgusThisUdtMetric->nacked += num; break; } case UDTOE_CONTROL_CONGEST: { net->net_union.udt.status |= ARGUS_ECN_CONGESTED; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_CONGEST, sockid 0x%x", flowstr, *state, ntohl(udtc->sockid)); #endif break; } case UDTOE_CONTROL_SHUTDOWN: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_SHUTDOWN\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_ACKACK: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_ACKACK\n", flowstr, *state); #endif break; } case UDTOE_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) if (net != NULL) net->net_union.udt.status |= ARGUS_UDT_FIRSTDROPZERO; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_DROPREQ\n", flowstr, *state); #endif break; } default: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_CONTROL_UNKNOWN\n", flowstr, *state); #endif break; } } break; } /* struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src; }; */ case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; unsigned int seqnum = ntohl(udtd->seqnum); unsigned int msgnum = ntohl(udtd->msgnum); unsigned int tstamp = ntohl(udtd->tstamp); #ifdef ARGUSDEBUG unsigned int sockid = ntohl(udtd->sockid); #endif int seq = ArgusThisUdtMetric->seq; int loss = 0;; #define ARGUS_UDT_MSGTYPE 0xC0000000 #define ARGUS_UDT_SOLO_MSG 0xC0000000 #define ARGUS_UDT_FIRST_MSG 0x80000000 #define ARGUS_UDT_MIDDLE_MSG 0x00000000 #define ARGUS_UDT_LAST_MSG 0x40000000 switch (msgnum & ARGUS_UDT_MSGTYPE) { case ARGUS_UDT_SOLO_MSG: ArgusThisUdtMetric->solo++; break; case ARGUS_UDT_FIRST_MSG: ArgusThisUdtMetric->first++; break; case ARGUS_UDT_MIDDLE_MSG: ArgusThisUdtMetric->middle++; break; case ARGUS_UDT_LAST_MSG: ArgusThisUdtMetric->last++; break; } /* msgnum &= 0x1FFFFFFF; */ if (seqnum == (seq + 1)) { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } else { if (seq > 0) { if (seqnum > (seq + 2)) { loss = seqnum - (seq + 1); ArgusThisUdtMetric->drops += loss; net->net_union.udt.status |= ARGUS_PKTS_DROP; ArgusThisUdtMetric->seq = seqnum; } else { if (seqnum != (seq + 1)) { ArgusThisUdtMetric->retrans++; net->net_union.udt.status |= ARGUS_PKTS_RETRANS; } else { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } } } else { ArgusThisUdtMetric->lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; ArgusThisUdtMetric->lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; ArgusThisUdtMetric->tstamp = tstamp; ArgusThisUdtMetric->seq = seqnum; } } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDToEState(%p, %d) UDT_DATA_PACKET seq 0x%x msgnum 0x%x tstmp 0x%x sockid 0x%x loss %d\n", flowstr, *state, seqnum, msgnum, tstamp, sockid, loss); #endif break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDToEState(%p, %d) returning\n", flowstr, *state); #endif } void ArgusUpdateUDTState (struct ArgusModelerStruct *model, struct ArgusFlowStruct *flowstr, unsigned char *state) { struct udt_header *udt = (struct udt_header *) model->ArgusThisUpHdr; u_char *nxtHdr = (u_char *)(udt + 1); if (STRUCTCAPTURED(model, *udt)) { model->ArgusThisLength -= sizeof(*udt); model->ArgusSnapLength -= sizeof(*udt); model->ArgusThisUpHdr = nxtHdr; if (*state == ARGUS_START) { } else { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *) flowstr->dsrs[ARGUS_NETWORK_INDEX]; if ((flowstr->canon.metric.src.pkts + flowstr->canon.metric.dst.pkts) > 2) flowstr->timeout = ARGUS_IPTIMEOUT; switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udt_control_hdr *udtc = (void *) udt; unsigned short type = EXTRACT_16BITS(&udtc->type); switch (type & UDT_CONTROL_TYPE_MASK) { case UDT_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; } else { } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_HANDSHAKE\n", flowstr, *state); #endif break; } case UDT_CONTROL_KEEPALIVE: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_KEEPALIVE\n", flowstr, *state); #endif break; } case UDT_CONTROL_ACK: { struct udt_control_ack *ack = (void *) (udtc + 1); int len = model->ArgusThisLength/4; if (len--) { net->net_union.udt.src.ack = ntohl(ack->ackseqnum); if (len--) { net->net_union.udt.src.rtt = ntohl(ack->rtt); if (len--) { net->net_union.udt.src.var = ntohl(ack->var); if (len--) { net->net_union.udt.src.bsize = ntohl(ack->bsize); if (ack->bsize == 0) { net->net_union.udt.status |= ARGUS_WINDOW_SHUT; } if (len--) { net->net_union.udt.src.rate = ntohl(ack->rate); if (len--) { net->net_union.udt.src.lcap = ntohl(ack->lcap); }}}}}} #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_ACK, sockid 0x%x ack = 0x%x\n", flowstr, *state, udtc->sockid, net->net_union.udt.src.ack); #endif break; } case UDT_CONTROL_NAK: { struct udt_control_nak *nak = (void *) (udtc + 1); int num = 0, len = model->ArgusThisLength/4; unsigned int *sptr = &nak->seqnum, value; int i, fitem, sseq = 0, eseq = 0, range = 0; #ifdef ARGUSDEBUG char buf[256]; *buf = '\0'; #endif for (i = 0, fitem = 0; i < len; i++, sptr++) { if (BYTESCAPTURED(ArgusModel, sptr, 4)) { value = ntohl(*sptr); if (value & 0x80000000) { sseq = value & 0x7FFFFFFF; range = 1; } else { #ifdef ARGUSDEBUG int slen = sizeof(buf) - strlen(buf); #endif eseq = value; if (range) { #ifdef ARGUSDEBUG if (fitem++) snprintf(&buf[strlen(buf)], slen, ",0x%x-0x%x", sseq, eseq); else snprintf(&buf[strlen(buf)], slen, "0x%x-0x%x", sseq, eseq); #endif num += (eseq - sseq) + 1; range = 0; } else { #ifdef ARGUSDEBUG if (fitem++) snprintf(&buf[strlen(buf)], slen, ",0x%x", eseq); else snprintf(&buf[strlen(buf)], slen, "0x%x", eseq); #endif fitem++; num++; } } } else break; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_NAK, sockid 0x%x nak.comp[%d] num %d %s", flowstr, *state, udtc->sockid, len, num, buf); #endif if (num) net->net_union.udt.src.nacked += num; break; } case UDT_CONTROL_CONGEST: { net->net_union.udt.status |= ARGUS_ECN_CONGESTED; break; } case UDT_CONTROL_SHUTDOWN: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_SHUTDOWN\n", flowstr, *state); #endif break; } case UDT_CONTROL_ACKACK: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_ACKACK\n", flowstr, *state); #endif break; } case UDT_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) if (net != NULL) net->net_union.udt.status |= ARGUS_UDT_FIRSTDROPZERO; #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_DROPREQ\n", flowstr, *state); #endif break; } default: { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_CONTROL_UNKNOWN\n", flowstr, *state); #endif break; } } break; } /* struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src; }; */ case UDT_DATA_PACKET: { struct udt_data_hdr *udtd = (void *) udt; unsigned int seqnum = ntohl(udtd->seqnum); unsigned int msgnum = ntohl(udtd->msgnum); unsigned int tstamp = ntohl(udtd->tstamp); #ifdef ARGUSDEBUG unsigned int sockid = ntohl(udtd->sockid); #endif int loss = 0; #define ARGUS_UDT_MSGTYPE 0xC0000000 #define ARGUS_UDT_SOLO_MSG 0xC0000000 #define ARGUS_UDT_FIRST_MSG 0x80000000 #define ARGUS_UDT_MIDDLE_MSG 0x00000000 #define ARGUS_UDT_LAST_MSG 0x40000000 switch (msgnum & ARGUS_UDT_MSGTYPE) { case ARGUS_UDT_SOLO_MSG: net->net_union.udt.src.solo++; break; case ARGUS_UDT_FIRST_MSG: net->net_union.udt.src.first++; break; case ARGUS_UDT_MIDDLE_MSG: net->net_union.udt.src.middle++; break; case ARGUS_UDT_LAST_MSG: net->net_union.udt.src.last++; break; } /* msgnum &= 0x1FFFFFFF; */ if (net->net_union.udt.src.seq > 0) { if (seqnum > (net->net_union.udt.src.seq + 2)) { loss = seqnum - (net->net_union.udt.src.seq + 1); net->net_union.udt.src.drops += loss; net->net_union.udt.status |= ARGUS_PKTS_DROP; net->net_union.udt.src.seq = seqnum; } else { if (seqnum != (net->net_union.udt.src.seq + 1)) { net->net_union.udt.src.retrans++; net->net_union.udt.status |= ARGUS_PKTS_RETRANS; } else { net->net_union.udt.src.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; net->net_union.udt.src.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; net->net_union.udt.src.tstamp = tstamp; net->net_union.udt.src.seq = seqnum; } } } else { net->net_union.udt.src.lasttime.tv_sec = model->ArgusGlobalTime.tv_sec; net->net_union.udt.src.lasttime.tv_usec = model->ArgusGlobalTime.tv_usec; net->net_union.udt.src.tstamp = tstamp; net->net_union.udt.src.seq = seqnum; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusUpdateUDTState(%p, %d) UDT_DATA_PACKET seq 0x%x msgnum 0x%x tstmp 0x%x sockid 0x%x loss %d\n", flowstr, *state, seqnum, msgnum, tstamp, sockid, loss); #endif break; } } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusUpdateUDTState(%p, %d) returning\n", flowstr, *state); #endif } #include void ArgusUDTFlowRecord (struct ArgusFlowStruct *, struct ArgusRecord *, unsigned char); void ArgusUDTFlowRecord (struct ArgusFlowStruct *flow, struct ArgusRecord *argus, unsigned char state) { } struct udt_control_handshake *ArgusThisUdtHshake = NULL; int ArgusParseUDToEHeader (struct ArgusModelerStruct *, struct udt_header *, unsigned int *); int ArgusParseUDToEHeader (struct ArgusModelerStruct *model, struct udt_header *udt, unsigned int *status) { int retn = 0; ArgusThisUdtHshake = NULL; if (STRUCTCAPTURED(model, *udt)) { switch (udt->un_udt.cntl.type & UDTOE_PACKET_MASK) { case UDTOE_CONTROL_PACKET: { struct udtoe_control_hdr *udtc = (void *) ((char *)udt + UDTOECONTROLPAD); switch ((udtc->type & 0x7F) >> 3) { case UDTOE_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udtc + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; retn = 1; } else *status |= ARGUS_UDT_BADVERSION; break; } case UDTOE_CONTROL_KEEPALIVE: retn = 1; break; case UDTOE_CONTROL_ACK: { retn = 1; break; } case UDTOE_CONTROL_NAK: retn = 1; break; case UDTOE_CONTROL_SHUTDOWN: retn = 1; break; case UDTOE_CONTROL_ACKACK: retn = 1; break; case UDTOE_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udtc + 1); if (drop->firstseqnum == 0) *status |= ARGUS_UDT_FIRSTDROPZERO; retn = 1; break; } } break; } case UDT_DATA_PACKET: retn = 1; break; } } return (retn); } int ArgusParseUDTHeader (struct ArgusModelerStruct *model, struct udt_header *udt, unsigned int *status) { int retn = 0; ArgusThisUdtHshake = NULL; if (STRUCTCAPTURED(model, *udt)) { switch (ntohs(udt->un_udt.cntl.type) & UDT_PACKET_MASK) { case UDT_CONTROL_PACKET: { struct udt_control_hdr *udtc = (void *) udt; switch ((ntohs(udtc->type) & 0x78) >> 3) { case UDT_CONTROL_HANDSHAKE: { struct udt_control_handshake *hshake = (void *) (udt + 1); if (ntohl(hshake->version) == 4) { ArgusThisUdtHshake = hshake; retn = 1; } else *status |= ARGUS_UDT_BADVERSION; break; } case UDT_CONTROL_KEEPALIVE: retn = 1; break; case UDT_CONTROL_ACK: { /* struct udt_control_ack *ack = (void *) (udt + 1); */ retn = 1; break; } case UDT_CONTROL_NAK: retn = 1; break; case UDT_CONTROL_SHUTDOWN: retn = 1; break; case UDT_CONTROL_ACKACK: retn = 1; break; case UDT_CONTROL_DROPREQ: { struct udt_control_dropreq *drop = (void *)(udt + 1); if (drop->firstseqnum == 0) *status |= ARGUS_UDT_FIRSTDROPZERO; retn = 1; break; } } break; } case UDT_DATA_PACKET: retn = 1; break; } } return (retn); } argus-5.0.2/argus/ArgusUtil.c000066400000000000000000002417241471541253600160650ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Utilities * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusUtil.c#13 $ * $DateTime: 2016/06/07 14:21:31 $ * $Change: 3159 $ */ /* ArgusUtil.c */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #define _GNU_SOURCE #if !defined(ArgusUtil) #define ArgusUtil #endif #include #include #include #include #if defined(HAVE_SYS_VFS_H) #include #else #include #include #endif #if defined(ARGUS_THREADS) #include #endif #if defined(ARGUS_SASL) #include #endif #define Argus_Parser #include #include #include #include #include #include #include "ArgusTimeDiff.h" struct ArgusListStruct * ArgusNewList () { struct ArgusListStruct *retn = NULL; if ((retn = (struct ArgusListStruct *) ArgusCalloc (1, sizeof (struct ArgusListStruct))) != NULL) { retn->start = NULL; retn->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); pthread_cond_init(&retn->cond, NULL); #endif } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewList () returning %p\n", retn); #endif return (retn); } void ArgusDeleteList (struct ArgusListStruct *list, int type) { if (list) { #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteList (%p, %d) %d items on list\n", list, type, list->count); #endif while (list->start) { struct ArgusListRecord *retn = ArgusPopFrontList(list, ARGUS_LOCK); switch (type) { case ARGUS_RFILE_LIST: { struct ArgusRfileStruct *rfile = (struct ArgusRfileStruct *) retn; if (rfile->name != NULL) free(rfile->name); ArgusFree(retn); break; } case ARGUS_WFILE_LIST: { struct ArgusWfileStruct *wfile = (struct ArgusWfileStruct *) retn; if (wfile->filename != NULL) free(wfile->filename); if (wfile->filter != NULL) free(wfile->filter); ArgusFree(retn); break; } case ARGUS_DEVICE_LIST: { struct ArgusDeviceStruct *device = (struct ArgusDeviceStruct *) retn; extern void delete_interface(const u_char *); if (device->inf != NULL) ArgusFree(device->inf); if (device->name != NULL) { delete_interface((const u_char *)device->name); free(device->name); } ArgusFree(retn); break; } case ARGUS_OUTPUT_LIST: ArgusFreeListRecord(retn); break; case ARGUS_EVENT_LIST: { struct ArgusEventRecordStruct *event = (struct ArgusEventRecordStruct *) retn; if (event->entry != NULL) free(event->entry); if (event->method != NULL) free(event->method); if (event->filename != NULL) free(event->filename); ArgusFree(retn); break; } case ARGUS_BIND_ADDR_LIST: { struct ArgusBindAddrStruct *baddr = (struct ArgusBindAddrStruct *) retn; if (baddr->addr != NULL) { free(baddr->addr); } ArgusFree(retn); break; } } } #if defined(ARGUS_THREADS) pthread_cond_destroy(&list->cond); pthread_mutex_destroy(&list->lock); #endif ArgusFree (list); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteList (%p, %d) returning\n", list, type); #endif } int ArgusListEmpty (struct ArgusListStruct *list) { return (list->count == 0); } int ArgusGetListCount(struct ArgusListStruct *list) { return (list->count); } int ArgusPushFrontList(struct ArgusListStruct *list, struct ArgusListRecord *rec, int lstat) { int retn = 0; if (list && rec) { #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if (list->start) { rec->nxt = list->start; } else { rec->nxt = NULL; } list->start = (struct ArgusListObjectStruct *) rec; if (list->end == NULL) list->end = (struct ArgusListObjectStruct *) rec; list->count++; list->pushed++; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif retn++; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusPushFrontList (%p, %p, %d) returning %p\n", list, rec, lstat); #endif return (retn); } int ArgusPushBackList(struct ArgusListStruct *list, struct ArgusListRecord *rec, int lstat) { int retn = 0; if (list && rec) { rec->nxt = NULL; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if (list->end) { list->end->nxt = (struct ArgusListObjectStruct *) rec; } else { list->start = (struct ArgusListObjectStruct *) rec; } list->end = (struct ArgusListObjectStruct *) rec; list->count++; list->pushed++; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif retn++; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusPushBackList (%p, %p, %d) returning %d\n", list, rec, lstat, retn); #endif return (retn); } void ArgusLoadList(struct ArgusListStruct *l1, struct ArgusListStruct *l2) { if (l1 && l2) { int count; #if defined(ARGUS_THREADS) pthread_mutex_lock(&l1->lock); pthread_mutex_lock(&l2->lock); #endif count = l1->count; if (l2->start == NULL) l2->start = l1->start; else l2->end->nxt = l1->start; l2->end = l1->end; l2->count += count; l1->start = NULL; l1->end = NULL; l1->loaded += count; l1->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&l2->lock); pthread_mutex_unlock(&l1->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusLoadList (%p, %p) load %d objects\n", l1, l2, count); #endif } } struct ArgusListRecord * ArgusPopFrontList(struct ArgusListStruct *list, int lstat) { struct ArgusListRecord *retn = NULL; #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_lock(&list->lock); #endif if ((retn = (struct ArgusListRecord *) list->start)) { list->start = retn->nxt; list->count--; list->popped++; if (list->start == NULL) { list->end = NULL; if (list->count != 0) ArgusLog (LOG_ERR, "ArgusPopFrontList(%p, %d) list empty count is %d\n", list, lstat, list->count); } } #if defined(ARGUS_THREADS) if (lstat) pthread_mutex_unlock(&list->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusPopFrontList (%p) returning\n", retn); #endif return (retn); } struct ArgusQueueStruct * ArgusNewQueue () { struct ArgusQueueStruct *retn = NULL; if ((retn = (struct ArgusQueueStruct *) ArgusCalloc (1, sizeof (struct ArgusQueueStruct))) != NULL) { retn->count = 0; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif retn->start = NULL; retn->end = NULL; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewQueue () returning %p\n", retn); #endif return (retn); } void ArgusDeleteQueue (struct ArgusQueueStruct *queue) { struct ArgusQueueHeader *obj = NULL; if (queue != NULL) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&queue->lock); #endif #ifdef ARGUSDEBUG if (queue->count > 0) ArgusDebug (1, "ArgusDeleteQueue (%p) contains %d items\n", queue, queue->count); #endif while ((obj = ArgusPopQueue(queue, ARGUS_NOLOCK))) ArgusFree(obj); if (queue->array != NULL) { ArgusFree(queue->array); queue->array = NULL; } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&queue->lock); #endif #if defined(ARGUS_THREADS) pthread_mutex_destroy(&queue->lock); #endif ArgusFree(queue); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteQueue (%p) returning\n", queue); #endif } int ArgusGetQueueCount(struct ArgusQueueStruct *queue) { #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusGetQueueCount (%p) returning %d\n", queue, queue->count); #endif return (queue->count); } void ArgusPushQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((ArgusAddToQueue (queue, obj, ARGUS_NOLOCK)) > 0) { queue->start = queue->start->prv; queue->end = queue->start->prv; } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPushQueue (%p, %p) returning\n", queue, obj); #endif } int ArgusAddToQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { int retn = 0; if (queue && obj) { if (obj->queue == NULL) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if (queue->start != NULL) { obj->prv = queue->start->prv; queue->start->prv = obj; obj->nxt = queue->start; obj->prv->nxt = obj; } else { queue->start = obj; obj->nxt = obj; obj->prv = obj; } queue->end = obj; queue->count++; #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif obj->queue = queue; obj->qtime = ArgusModel->ArgusGlobalTime; /* if (ArgusSourceTask->ArgusReadingOffLine) obj->qtime = ArgusModel->ArgusGlobalTime; else gettimeofday(&obj->qtime, 0L); */ retn = 1; } else ArgusLog (LOG_ERR, "ArgusAddToQueue (%p, %p) obj in queue %p\n", queue, obj, obj->queue); } else ArgusLog (LOG_ERR, "ArgusAddToQueue (%p, %p) parameter error\n", queue, obj); #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusAddToQueue (%p, %p) returning %d\n", queue, obj, retn); #endif return (retn); } struct ArgusQueueHeader * ArgusPopQueue (struct ArgusQueueStruct *queue, int type) { struct ArgusQueueHeader *retn = NULL; struct ArgusQueueHeader *obj = NULL; if (queue && queue->count) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((obj = (struct ArgusQueueHeader *) queue->start) != NULL) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif if (obj != NULL) { obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPopQueue (%p) returning %p\n", queue, retn); #endif return(retn); } struct ArgusQueueHeader * ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type) { struct ArgusQueueHeader *retn = NULL; struct ArgusQueueHeader *obj = NULL; if (queue && queue->count) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if ((obj = (struct ArgusQueueHeader *) queue->end) != NULL) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif if (obj != NULL) { obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPopBackQueue (%p) returning %p\n", queue, retn); #endif return(retn); } struct ArgusQueueHeader * ArgusRemoveFromQueue(struct ArgusQueueStruct *queue, struct ArgusQueueHeader *obj, int type) { struct ArgusQueueHeader *retn = NULL; if ((queue != NULL) && (obj != NULL)) { #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_lock(&queue->lock); #endif if (obj->queue == queue) { if (queue->count) { queue->count--; if (queue->count) { if (queue->start == obj) queue->start = obj->nxt; obj->prv->nxt = obj->nxt; obj->nxt->prv = obj->prv; queue->end = queue->start->prv; } else { queue->start = NULL; queue->end = NULL; } } obj->prv = NULL; obj->nxt = NULL; obj->queue = NULL; retn = obj; } #if defined(ARGUS_THREADS) if (type == ARGUS_LOCK) pthread_mutex_unlock(&queue->lock); #endif } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusRemoveFromQueue (%p, %p) returning %p\n", queue, obj, obj); #endif return (retn); } #include #include void ArgusProcessQueue(struct ArgusModelerStruct *model, struct ArgusQueueStruct *queue, int status) { struct ArgusFlowStruct *obj = NULL; switch (status) { case ARGUS_STOP: case ARGUS_SHUTDOWN: #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusProcessQueue (%p, %d) Shuting Down with %d records\n", queue, status, queue->count); #endif while (queue->count) { if ((obj = (struct ArgusFlowStruct *) ArgusPopBackQueue(queue, ARGUS_LOCK)) != NULL) { if (!(obj->status & ARGUS_RECORD_WRITTEN)) ArgusSendFlowRecord(model, obj, status); ArgusDeleteObject (obj); } } break; } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusProcessQueue (%p, %d) returning\n", queue, status); #endif } void ArgusDeleteObject(struct ArgusFlowStruct *obj) { if (obj) { struct ArgusHashTableHeader *htblhdr; struct ArgusNetworkStruct *net = NULL; struct ArgusEncapsStruct *encaps = NULL; struct ArgusQueueStruct *queue; if ((queue = obj->qhdr.queue) != NULL) { if (ArgusRemoveFromQueue (queue, &obj->qhdr, ARGUS_LOCK)) { obj->qhdr.queue = NULL; } else ArgusLog (LOG_ERR, "ArgusDeleteObject: race condition on queue %p\n", queue); } if ((htblhdr = obj->htblhdr) != NULL) { ArgusRemoveHashEntry(htblhdr); obj->htblhdr = NULL; } if ((net = (struct ArgusNetworkStruct *) obj->dsrs[ARGUS_FRAG_INDEX]) != NULL) { if (net->hdr.subtype == ARGUS_NETWORK_SUBTYPE_FRAG) { struct ArgusFragObject *frag = &net->net_union.frag; struct ArgusFragOffsetStruct *fragOffset = frag->offsets.nxt; while ((fragOffset = frag->offsets.nxt) != NULL) { frag->offsets.nxt = fragOffset->nxt; free(fragOffset); } net->hdr.type = 0; } } if ((encaps = (struct ArgusEncapsStruct *) obj->dsrs[ARGUS_ENCAPS_INDEX]) != NULL) { if (encaps->sbuf != NULL) { ArgusFree(encaps->sbuf); encaps->slen = 0; } if (encaps->dbuf != NULL) { ArgusFree(encaps->dbuf); encaps->dlen = 0; } } if (obj->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(obj->dsrs[ARGUS_SRCUSERDATA_INDEX]); obj->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; } if (obj->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(obj->dsrs[ARGUS_DSTUSERDATA_INDEX]); obj->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; } if (obj->frag.start != NULL) { struct ArgusFlowStruct *frag; while ((frag = (void *) ArgusPopQueue(&obj->frag, ARGUS_LOCK))) { ArgusSendFlowRecord(ArgusModel, frag, ARGUS_TIMEOUT); ArgusDeleteObject(frag); } } ArgusFree(obj); ArgusModel->ArgusTotalClosedFlows++; } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteObject (%p) returning\n", obj); #endif } int ArgusUpdateTime (struct ArgusModelerStruct *model) { long long diff; int retn = 0; if (model->ArgusUpdateTimer.tv_sec == 0) model->ArgusUpdateTimer = model->ArgusGlobalTime; if ((diff = ArgusTimeDiff(&model->ArgusUpdateTimer, &model->ArgusGlobalTime)) >= 0) { retn = 1; #ifdef ARGUSDEBUG #if defined(ARGUS_NANOSECONDS) ArgusDebug (8, "ArgusUpdateTime (%p) update %d.%09d global time %d.%09d returning %d\n", model, model->ArgusUpdateTimer.tv_sec, model->ArgusUpdateTimer.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec, retn); #else ArgusDebug (8, "ArgusUpdateTime (%p) update %d.%06d global time %d.%06d returning %d\n", model, model->ArgusUpdateTimer.tv_sec, model->ArgusUpdateTimer.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec, retn); #endif #endif model->ArgusUpdateTimer = model->ArgusGlobalTime; model->ArgusUpdateTimer.tv_sec += model->ArgusUpdateInterval.tv_sec; model->ArgusUpdateTimer.tv_usec += model->ArgusUpdateInterval.tv_usec; #if defined(ARGUS_NANOSECONDS) if (model->ArgusUpdateTimer.tv_usec >= 1000000000) { model->ArgusUpdateTimer.tv_sec++; model->ArgusUpdateTimer.tv_usec -= 1000000000; if (model->ArgusUpdateTimer.tv_usec >= 1000000000) { ArgusLog (LOG_ERR, "ArgusUpdateTime: usec still too big %d(using NANO)\n", model->ArgusUpdateTimer.tv_usec); } } #else if (model->ArgusUpdateTimer.tv_usec >= 1000000) { model->ArgusUpdateTimer.tv_sec++; model->ArgusUpdateTimer.tv_usec -= 1000000; if (model->ArgusUpdateTimer.tv_usec >= 1000000) { ArgusLog (LOG_ERR, "ArgusUpdateTime: usec still too big %d(using MICRO)\n", model->ArgusUpdateTimer.tv_usec); } } #endif } else { #ifdef ARGUSDEBUG #if defined(ARGUS_NANOSECONDS) ArgusDebug (8, "ArgusUpdateTime (%p) update %d.%09d global time %d.%09d returning %d\n", model, model->ArgusUpdateTimer.tv_sec, model->ArgusUpdateTimer.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec, retn); #else ArgusDebug (8, "ArgusUpdateTime (%p) update %d.%06d global time %d.%06d returning %d\n", model, model->ArgusUpdateTimer.tv_sec, model->ArgusUpdateTimer.tv_usec, model->ArgusGlobalTime.tv_sec, model->ArgusGlobalTime.tv_usec, retn); #endif #endif } #ifdef ARGUSDEBUG if (retn > 0) { } else ArgusDebug (8, "ArgusUpdateTime (%p) not time\n", model); #endif return (retn); } struct ArgusHashStats { int n, max; }; struct ArgusHashTable *ArgusNewHashTable (size_t, int); struct ArgusHashStats *ArgusHashTableStats = NULL; int ArgusHashTableMax = 0; void ArgusEmptyHashTable (struct ArgusHashTable *); void ArgusDeleteHashTable (struct ArgusHashTable *); struct ArgusHashTable * ArgusNewHashTable (size_t size, int status) { struct ArgusHashTable *retn = NULL; if ((retn = (struct ArgusHashTable *) ArgusCalloc (1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusNewHashTable: ArgusCalloc(1, %d) error %s\n", size, strerror(errno)); if ((retn->array = (struct ArgusHashTableHeader **) ArgusMallocAligned (size * sizeof(struct ArgusHashTableHeader *), 64)) == NULL) ArgusLog (LOG_ERR, "RaMergeQueue: ArgusCalloc error %s\n", strerror(errno)); memset(retn->array, 0, size * sizeof (struct ArgusHashTableHeader *)); retn->size = size; #if defined(ARGUS_HASH_DEBUG) if ((retn->status = status) == ARGUSHASHTABLETRACK) { if (ArgusHashTableStats == NULL) { if ((ArgusHashTableStats = (struct ArgusHashStats *) ArgusCalloc (size, sizeof(struct ArgusHashStats))) == NULL) ArgusLog (LOG_ERR, "ArgusHashTableStats: ArgusCalloc(%d, %d) error %s\n", size, sizeof(struct ArgusStatsObject), strerror(errno)); } } #endif #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusNewHashTable (%d) returning %p\n", size, retn); #endif return (retn); } void ArgusDeleteHashTable (struct ArgusHashTable *htbl) { if (htbl != NULL) { ArgusEmptyHashTable (htbl); if (htbl->array != NULL) ArgusFree(htbl->array); ArgusFree(htbl); } #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusDeleteHashTable (%p)\n", htbl); #endif } void ArgusEmptyHashTable (struct ArgusHashTable *htbl) { struct ArgusHashTableHeader *htblhdr = NULL, *tmp; int i, count = 0, bins = 0; #if defined(ARGUS_THREADS) pthread_mutex_lock(&htbl->lock); #endif for (i = 0; i < htbl->size; i++) { if ((htblhdr = htbl->array[i]) != NULL) { htblhdr->prv->nxt = NULL; while ((tmp = htblhdr) != NULL) { htblhdr = htblhdr->nxt; ArgusFree (tmp); htbl->items--; count++; } htbl->array[i] = NULL; htbl->bins--; bins++; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&htbl->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusEmptyHashTable (%p) cleared %d bins %d items\n", htbl, bins, count); #endif } int ArgusCreateFlowKey (struct ArgusModelerStruct *model, struct ArgusSystemFlow *flow, struct ArgusHashStruct *hstruct) { unsigned int *ptr = (unsigned int *)&flow->flow_un; unsigned int *key = (unsigned int *) hstruct->key; int retn = 0, i, len = flow->hdr.argus_dsrvl8.len - 1; memset (hstruct, 0, sizeof(*hstruct)); if (len > 0) { for (i = 0; i < len; i++) *key++ = *ptr++; hstruct->len = len; if (model->ArgusFlowKey & ARGUS_FLOW_KEY_VLAN) { *key++ = model->ArgusThisPacket8021QEncaps & 0x0FFF; hstruct->len++; } if (model->ArgusFlowKey & (ARGUS_FLOW_KEY_LOCAL_MPLS | ARGUS_FLOW_KEY_COMPLETE_MPLS)) { *key++ = model->ArgusThisMplsLabel; hstruct->len++; } if (model->ArgusFlowKey & (ARGUS_FLOW_KEY_LAYER_2 | ARGUS_FLOW_KEY_LAYER_2_MATRIX)) { struct ether_header *ep = model->ArgusThisEpHdr; if (ep) { int klen = (sizeof(*ep) + (sizeof(*key) - 1)) / sizeof(*key); if (model->state & ARGUS_DIRECTION) { #ifndef ETH_ALEN #define ETH_ALEN 6 #endif char *kptr = (char *) key; bcopy ((char *)&ep->ether_shost, kptr, ETH_ALEN); kptr += ETH_ALEN; bcopy ((char *)&ep->ether_dhost, kptr, ETH_ALEN); kptr += ETH_ALEN; bcopy ((char *)&ep->ether_type, kptr, sizeof(ep->ether_type)); } else bcopy (ep, key, sizeof(*ep)); key += klen; hstruct->len += klen; } } ptr = hstruct->key; for (i = 0; i < hstruct->len; i++) hstruct->hash ^= *ptr++; hstruct->hash ^= hstruct->hash >> 16; hstruct->hash ^= hstruct->hash >> 8; hstruct->ind = hstruct->hash % (model->ArgusHashTableSize - 1); } #ifdef ARGUSDEBUG // ArgusDebug (8, "ArgusCreateFlowKey () generated 0x%x hash\n", retn); #endif return (retn); } struct ArgusFlowStruct * ArgusFindFlow (struct ArgusModelerStruct *model, struct ArgusHashStruct *hstruct) { struct ArgusFlowStruct *retn = NULL; struct ArgusHashTableHeader *hashEntry = NULL, *target, *head; struct ArgusHashTable *table = model->ArgusHashTable; if (table && hstruct) { unsigned int hash = hstruct->hash; unsigned int i; if ((target = table->array[hstruct->ind]) != NULL) { unsigned int *ptr3 = hstruct->key; int len = hstruct->len; head = target; do { if ((target->hstruct.hash == hash) && (target->hstruct.len == hstruct->len)) { unsigned int *ptr1 = target->hstruct.key; unsigned int *ptr2 = ptr3; if (len > 0) { for (i = 0; i < len; i++) if (*ptr1++ != *ptr2++) break; if (i == len) { hashEntry = target; break; } } else hashEntry = target; } target = target->nxt; } while (target && (target != head) && (hashEntry == NULL)); if (hashEntry != NULL) { if (hashEntry != head) table->array[hstruct->ind] = hashEntry; retn = hashEntry->object; } } } #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusFindFlow () returning %p\n", retn); #endif return (retn); } struct ArgusHashTableHeader * ArgusAddHashEntry (struct ArgusHashTable *table, struct ArgusFlowStruct *flow, struct ArgusHashStruct *hstruct) { struct ArgusHashTableHeader *retn = NULL, *start = NULL; if (table != NULL) { unsigned int ind = hstruct->ind; retn = &flow->htblbuf; memcpy(&retn->hstruct, hstruct, sizeof(*hstruct)); retn->object = flow; if ((start = table->array[ind]) != NULL) { retn->nxt = start; retn->prv = start->prv; retn->prv->nxt = retn; retn->nxt->prv = retn; } else { retn->prv = retn; retn->nxt = retn; table->bins++; } table->items++; table->array[ind] = retn; retn->htbl = table; #if defined(ARGUS_HASH_DEBUG) if (table->status & ARGUSHASHTABLETRACK) { ArgusHashTableStats[ind].n++; if (ArgusHashTableStats[ind].max < ArgusHashTableStats[ind].n) ArgusHashTableStats[ind].max = ArgusHashTableStats[ind].n; if (ArgusHashTableMax < ArgusHashTableStats[ind].n) ArgusHashTableMax = ArgusHashTableStats[ind].n; } #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusAddHashEntry (%p) returning %p\n", flow, retn); #endif return (retn); } void ArgusRemoveHashEntry (struct ArgusHashTableHeader *htblhdr) { if (htblhdr != NULL) { struct ArgusHashTable *table = htblhdr->htbl; if (table != NULL) { unsigned int ind = htblhdr->hstruct.ind; htblhdr->prv->nxt = htblhdr->nxt; htblhdr->nxt->prv = htblhdr->prv; if (htblhdr == table->array[ind]) { if (htblhdr == htblhdr->nxt) { table->array[ind] = NULL; table->bins--; } else table->array[ind] = htblhdr->nxt; } table->items--; #if defined(ARGUS_HASH_DEBUG) if (table->status & ARGUSHASHTABLETRACK) ArgusHashTableStats[ind].n--; #endif } } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusRemoveHashEntry (%p) returning\n", htblhdr); #endif } void ArgusZeroRecord (struct ArgusFlowStruct *); void ArgusZeroRecord (struct ArgusFlowStruct *flow) { int i; flow->status &= ~ARGUS_RECORD_WRITTEN; flow->status &= ~0xF0; for (i = 0; i < ARGUSMAXDSRTYPE; i++) { if (flow->dsrs[i] != NULL) { switch (i) { default: flow->dsrs[i] = NULL; break; case ARGUS_FLOW_INDEX: { struct ArgusFlow *tflow = (struct ArgusFlow *)flow->dsrs[i]; tflow->hdr.argus_dsrvl8.qual &= ~ARGUS_FRAGMENT; break; } case ARGUS_TRANSPORT_INDEX: case ARGUS_MAC_INDEX: break; case ARGUS_JITTER_INDEX: { struct ArgusJitterStruct *jit = (void *)flow->dsrs[i]; bzero ((char *)&jit->src, sizeof(struct ArgusJitterObject)); bzero ((char *)&jit->dst, sizeof(struct ArgusJitterObject)); jit->src.act.minval = -1.0; jit->src.idle.minval = -1.0; jit->dst.act.minval = -1.0; jit->dst.idle.minval = -1.0; break; } case ARGUS_IPATTR_INDEX: { struct ArgusIPAttrStruct *attr = (void *)flow->dsrs[i]; attr->hdr.argus_dsrvl8.qual &= ~(ARGUS_IPATTR_SRC_FRAGMENTS | ARGUS_IPATTR_DST_FRAGMENTS); attr->src.status = 0; attr->src.options = 0; attr->dst.status = 0; attr->dst.options = 0; break; } case ARGUS_TIME_INDEX: { struct ArgusTimeObject *tim = (void *)flow->dsrs[i]; bzero(&tim->src, sizeof(*tim) - 4); break; } case ARGUS_METRIC_INDEX: { struct ArgusMetricStruct *metric = (void *) flow->dsrs[i]; bzero((&metric->hdr + 1), sizeof(*metric) - 4); break; } case ARGUS_NETWORK_INDEX: { struct ArgusNetworkStruct *net = NULL; if ((net = (struct ArgusNetworkStruct *) flow->dsrs[ARGUS_NETWORK_INDEX]) != NULL) { switch (net->hdr.type) { case ARGUS_NETWORK_DSR: { switch (net->hdr.subtype) { case ARGUS_NETWORK_SUBTYPE_FRAG: { struct ArgusFragObject *frag = &net->net_union.frag; struct ArgusFragOffsetStruct *fragOffset = frag->offsets.nxt; while ((fragOffset = frag->offsets.nxt) != NULL) { frag->offsets.nxt = fragOffset->nxt; free(fragOffset); } bzero((char *)frag, sizeof(struct ArgusFragObject)); break; } case ARGUS_TCP_INIT: case ARGUS_TCP_STATUS: case ARGUS_TCP_PERF: { struct ArgusTCPObject *tcp = &net->net_union.tcp; unsigned int statusMask = ~(ARGUS_PORT_REUSE|ARGUS_RESET|ARGUS_PKTS_RETRANS|ARGUS_WINDOW_SHUT|ARGUS_OUTOFORDER|ARGUS_ECN_CONGESTED); tcp->src.status &= statusMask; tcp->dst.status &= statusMask; tcp->status &= statusMask; tcp->src.retrans = 0; tcp->dst.retrans = 0; tcp->src.flags = 0; tcp->dst.flags = 0; tcp->src.bytes = 0; tcp->dst.bytes = 0; tcp->src.winbytes = 0; tcp->dst.winbytes = 0; tcp->src.ackbytes = 0; tcp->dst.ackbytes = 0; tcp->src.seqbase = tcp->src.seq; tcp->dst.seqbase = tcp->dst.seq; break; } case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtp = &net->net_union.rtp; rtp->sdrop = 0; rtp->ddrop = 0; break; } case ARGUS_ESP_DSR: { struct ArgusESPObject *esp = &net->net_union.esp; esp->status = 0; esp->lostseq = 0; break; } } break; } } net->hdr.argus_dsrvl8.qual = 0; } break; } case ARGUS_SRCUSERDATA_INDEX: case ARGUS_DSTUSERDATA_INDEX: { struct ArgusDataStruct *user = (struct ArgusDataStruct *) flow->dsrs[i]; user->count = 0; memset (user->array, 0, user->size); break; } } } } memset(&flow->stime.act, 0, sizeof(flow->stime.act)); memset(&flow->stime.idle, 0, sizeof(flow->stime.idle)); memset(&flow->dtime.act, 0, sizeof(flow->dtime.act)); memset(&flow->dtime.idle, 0, sizeof(flow->dtime.idle)); flow->stime.act.minval = 0xffffffff; flow->stime.idle.minval = 0xffffffff; flow->dtime.act.minval = 0xffffffff; flow->dtime.idle.minval = 0xffffffff; flow->sipid = 0; flow->dipid = 0; flow->skey.n_strokes = 0; #ifdef ARGUSDEBUG ArgusDebug (8, "ArgusZeroRecord (%p) returning\n", flow); #endif } /* struct ArgusSocketStruct { struct ArgusListStruct *ArgusSocketList; int fd, status, cnt, expectedSize, errornum; int ArgusLastRecord, ArgusReadState; struct timeval lastwrite; struct ArgusRecordStruct *rec; int length, writen; struct sockaddr sock; char *filename; void *obj; unsigned char *ptr, buf[ARGUS_MAXRECORD]; }; */ struct ArgusSocketStruct * ArgusNewSocket (int fd) { struct ArgusSocketStruct *retn = NULL; int flags; if ((retn = ((struct ArgusSocketStruct *) ArgusCalloc (1, sizeof (struct ArgusSocketStruct)))) != NULL) { if ((retn->ArgusSocketList = ArgusNewList()) != NULL) { retn->fd = fd; flags = fcntl (fd, F_GETFL, 0); flags |= O_NONBLOCK; fcntl (fd, F_SETFL, flags); } else ArgusLog(LOG_ERR, "ArgusNewSocket: ArgusNewList failed %s", strerror(errno)); } else ArgusLog(LOG_ERR, "ArgusNewSocket: ArgusCalloc failed %s", strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusNewSocket (%d) returning %p\n", fd, retn); #endif return (retn); } void ArgusDeleteSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client) { struct ArgusSocketStruct *asock = client->sock; if (asock != NULL) { struct ArgusListStruct *list = asock->ArgusSocketList; while (!(ArgusListEmpty (list))) if (ArgusWriteOutSocket(output, client) < 0) break; #ifdef ARGUSDEBUG if (!(ArgusListEmpty (list))) ArgusDebug(2, "ArgusDeleteSocket: list not empty"); #endif ArgusDeleteList(asock->ArgusSocketList, ARGUS_OUTPUT_LIST); close(asock->fd); asock->fd = -1; if (asock->filename) { free(asock->filename); asock->filename = NULL; } ArgusFree (asock); client->sock = NULL; client->fd = -1; } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusDeleteSocket (%p) returning\n", asock); #endif } void ArgusSetChroot(char *dir) { if (chdir(dir) < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chdir to \"%s\": %s", dir, strerror(errno)); if (chroot(dir) < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chroot to \"%s\": %s", dir, strerror(errno)); if (chdir("/") < 0) ArgusLog(LOG_ERR, "ArgusSetChroot: failed to chdir to \"/\" after chroot: %s", dir, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusSetChroot (%s) returning\n", dir); #endif } #include #include #define ARGUS_MAXERROR 200000 #define ARGUS_MAXWRITENUM 100000 int ArgusMaxListLength = 1000000; int ArgusCloseFile = 0; extern struct ArgusRecord *ArgusGenerateInitialMar (struct ArgusOutputStruct *); int ArgusWriteSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client, struct ArgusRecordStruct *rec) { struct ArgusSocketStruct *asock = client->sock; struct ArgusListStruct *list = asock->ArgusSocketList; struct stat statbuf; int retn = 0, ocnt; #if defined(HAVE_SOLARIS) struct statvfs statfsbuf; #else struct statfs statfsbuf; #endif if (ArgusListEmpty (list) && (asock->rec == NULL)) { #ifdef ARGUSDEBUG if (asock->writen || asock->length) ArgusDebug (6, "ArgusWriteSocket: asock stats error %d %d\n", asock->writen, asock->length); #endif if (client->host == NULL) { if (!(output->ArgusWriteStdOut) && (asock->filename)) { if (asock->lastwrite.tv_sec < output->ArgusModel->ArgusGlobalTime.tv_sec) { if (((stat (asock->filename, &statbuf)) < 0) || (ArgusCloseFile)) { if (asock->fd != -1) close(asock->fd); if ((asock->fd = open (asock->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusWriteSocket: open(%s, flags, 0x1a4) failed %s\n", asock->filename, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusWriteSocket: created outfile %s\n", asock->filename); #endif } #if defined(HAVE_SOLARIS) retn = statvfs (asock->filename, &statfsbuf); #else retn = statfs (asock->filename, &statfsbuf); #endif if (retn == 0) { if (statfsbuf.f_bfree > 100) { if ((stat (asock->filename, &statbuf)) == 0) { if (statbuf.st_size == 0) { if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); output->ArgusInitMar = ArgusGenerateInitialMar(output); ocnt = ntohs(output->ArgusInitMar->hdr.len) * 4; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write initial mar (%d, %p, %d)\n", asock->fd, output->ArgusInitMar, ocnt); #endif if (((retn = write (asock->fd, output->ArgusInitMar, ocnt))) < ocnt) ArgusLog (LOG_ERR, "ArgusWriteSocket: write %s failed %s\n", asock->filename, strerror(errno)); ArgusFree(output->ArgusInitMar); output->ArgusInitMar = NULL; } } } else { close(asock->fd); asock->fd = -1; } } asock->lastwrite = output->ArgusModel->ArgusGlobalTime; } } } if (asock->fd != -1) { if (ArgusGenerateRecord (output->ArgusModel, rec, 0, (struct ArgusRecord *)&asock->buf)) { int cnt = ((struct ArgusRecord *)&asock->buf)->hdr.len * 4; #if defined(_LITTLE_ENDIAN) ArgusHtoN((struct ArgusRecord *)&asock->buf); #endif #ifdef ARGUS_SASL if (client->sasl_conn) { unsigned int outputlen = 0; const char *output = NULL; const int *ssfp; int result; if ((result = sasl_getprop(client->sasl_conn, SASL_SSF, (const void **) &ssfp)) != SASL_OK) ArgusLog (LOG_ERR, "sasl_getprop: error %s\n", sasl_errdetail(client->sasl_conn)); if (ssfp && (*ssfp > 0)) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusHandleClientData: sasl_encode(%p, %p, %d, %p, %p)\n", client->sasl_conn, rec, cnt, &output, &outputlen); #endif if ((retn = sasl_encode(client->sasl_conn, (const char *) asock->buf, (unsigned int) cnt, &output, &outputlen)) == SASL_OK) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusHandleClientData: sasl_encode returned %d bytes\n", outputlen); #endif if (outputlen < ARGUS_MAXRECORD) { bcopy(output, asock->buf, outputlen); cnt = outputlen; } else ArgusLog (LOG_ERR, "sasl_encode: returned too many bytes %d\n", outputlen); } else ArgusLog (LOG_ERR, "sasl_encode: failed returned %d\n", retn); } } #endif #ifdef ARGUSDEBUG ArgusDebug (4, "ArgusWriteSocket: write record (%d, %p, %d)\n", asock->fd, &asock->buf, cnt); #endif if (client->host != NULL) { retn = sendto (asock->fd, &asock->buf, cnt, 0, client->host->ai_addr, client->host->ai_addrlen); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: sendto (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, cnt, retn); #endif } else { retn = write (asock->fd, &asock->buf, cnt); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, cnt, retn); #endif } if (retn >= 0) { asock->status |= ARGUS_WAS_FUNCTIONAL; asock->errornum = 0; if (retn != cnt) { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write returned %d, scheduled record\n", retn); #endif asock->writen = retn; asock->length = cnt; asock->rec = ArgusCopyRecordStruct(rec); } else { asock->writen = 0; asock->length = 0; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write successful %d\n", retn); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: write returned %d, errno %d\n", retn, errno); #endif asock->writen = 0; asock->length = cnt; asock->rec = ArgusCopyRecordStruct(rec); switch (errno) { case ENOSPC: if (asock->filename != NULL) { close(asock->fd); asock->fd = -1; if (asock->rec != NULL) ArgusFreeListRecord(asock->rec); asock->rec = NULL; asock->writen = 0; asock->length = 0; ArgusFreeListRecord(rec); while ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_LOCK)) != NULL) ArgusFreeListRecord(rec); } break; case EAGAIN: case EINTR: retn = 0; break; case EPIPE: { if (!(asock->status & ARGUS_WAS_FUNCTIONAL)) { retn = 0; } break; } default: break; } } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket: ArgusGenerateRecord returned zero\n"); #endif } } } else { if (list->count >= ArgusMaxListLength) { if (ArgusWriteOutSocket(output, client) < 0) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&list->lock); #endif if (list->count >= ArgusMaxListLength) { struct ArgusRecordStruct *trec; int i; #define ARGUS_MAX_TOSS_RECORD 64 ArgusLog (LOG_WARNING, "ArgusWriteSocket: ArgusWriteOutSocket tossing records\n"); for (i = 0; i < ARGUS_MAX_TOSS_RECORD; i++) if ((trec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) ArgusFreeListRecord(trec); } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&list->lock); #endif } } if (asock->rec == NULL) asock->rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_LOCK); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket (%p, %p, %p) schedule record\n", output, asock, rec); #endif ArgusPushBackList (list, (struct ArgusListRecord *) ArgusCopyRecordStruct(rec), ARGUS_LOCK); retn = 0; } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteSocket (%p, %p, %p) returning %d\n", output, asock, rec, retn); #endif return (retn); } #define ARGUS_LISTREPORTLEN 50000 #define ARGUS_LISTREPORTTIME 30 int ArgusWriteOutSocket (struct ArgusOutputStruct *output, struct ArgusClientData *client) { struct ArgusSocketStruct *asock = client->sock; struct ArgusListStruct *list = NULL; struct ArgusRecordStruct *rec = NULL; int retn = 0, count = 1, len, ocnt; struct stat statbuf; unsigned char *ptr; if ((list = asock->ArgusSocketList) != NULL) { if ((count = ArgusGetListCount(list)) > 0) { if (count > ARGUS_MAXWRITENUM) count = ARGUS_MAXWRITENUM; if (count == 1) count = 2; #if defined(ARGUS_THREADS) pthread_mutex_lock(&list->lock); #endif while ((asock->fd != -1 ) && count--) { if ((rec = asock->rec) != NULL) { ptr = (unsigned char *)&asock->buf; if (!(asock->writen)) { if (!(output->ArgusWriteStdOut) && (asock->filename)) { if (asock->lastwrite.tv_sec < output->ArgusModel->ArgusGlobalTime.tv_sec) { if (((stat (asock->filename, &statbuf)) < 0) || (ArgusCloseFile)) { close(asock->fd); if ((asock->fd = open (asock->filename, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4)) < 0) ArgusLog (LOG_ERR, "ArgusWriteSocket: open(%s, O_WRONLY|O_APPEND|O_CREAT|O_NONBLOCK, 0x1a4) failed %s\n", asock->filename, strerror(errno)); #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusWriteOutSocket: created outfile %s\n", asock->filename); #endif } if ((stat (asock->filename, &statbuf)) == 0) { if (statbuf.st_size == 0) { if (output->ArgusInitMar != NULL) ArgusFree(output->ArgusInitMar); output->ArgusInitMar = ArgusGenerateInitialMar(output); ocnt = sizeof(struct ArgusRecord); if (((retn = write (asock->fd, output->ArgusInitMar, ocnt))) < ocnt) ArgusLog (LOG_ERR, "ArgusWriteSocket: write %s failed %s\n", asock->filename, strerror(errno)); ArgusFree(output->ArgusInitMar); output->ArgusInitMar = NULL; } } asock->lastwrite = output->ArgusModel->ArgusGlobalTime; } } } if ((asock->writen < asock->length) && ( asock->writen >= 0)) { len = asock->length - asock->writen; if (client->host != NULL) { retn = sendto (asock->fd, (unsigned char *)&ptr[asock->writen], len, 0, client->host->ai_addr, client->host->ai_addrlen); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteSocket: sendto (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, len, retn); #endif } else { retn = write(asock->fd, (unsigned char *)&ptr[asock->writen], len); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteSocket: write (%d, %p, %d, ...) %d\n", asock->fd, &asock->buf, len, retn); #endif } if (retn >= 0) { asock->errornum = 0; asock->writen += retn; } else { switch (errno) { case ENOSPC: { if (asock->filename != NULL) { close(asock->fd); asock->fd = -1; asock->rec = NULL; asock->writen = 0; asock->length = 0; ArgusFreeListRecord(rec); while ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) ArgusFreeListRecord(rec); } break; } case EAGAIN: case EINTR: { if (!(output->ArgusWriteStdOut) && (asock->filename == NULL)) { if (asock->errornum++ < ARGUS_MAXERROR) { retn = 0; } else { } } else { retn = 0; } break; } case EPIPE: break; default: if (asock->errornum++ == 0) ArgusLog (LOG_WARNING, "ArgusWriteOutSocket: write() %s\n", strerror(errno)); break; } } } if (asock->writen >= asock->length) { gettimeofday(&list->outputTime, 0L); ArgusFreeListRecord(rec); #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: rec %p complete, %d count\n", rec, count); #endif asock->rec = NULL; asock->writen = 0; asock->length = 0; if ((rec = (struct ArgusRecordStruct *) ArgusPopFrontList(list, ARGUS_NOLOCK)) != NULL) { if (ArgusGenerateRecord (output->ArgusModel, rec, 0, (struct ArgusRecord *)&asock->buf)) { int cnt = ((struct ArgusRecord *)&asock->buf)->hdr.len * 4; #if defined(_LITTLE_ENDIAN) ArgusHtoN((struct ArgusRecord *)&asock->buf); #endif #ifdef ARGUS_SASL if (client->sasl_conn) { unsigned int outputlen = 0; const char *output = NULL; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusHandleClientData: sasl_encode(%p, %p, %d, %p, %p)\n", client->sasl_conn, rec, cnt, &output, &outputlen); #endif if ((retn = sasl_encode(client->sasl_conn, (const char *) asock->buf, (unsigned int) cnt, &output, &outputlen)) == SASL_OK) { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteOutSocket: sasl_encode returned %d bytes\n", outputlen); #endif if (outputlen < ARGUS_MAXRECORD) { bcopy(output, asock->buf, outputlen); cnt = outputlen; } else ArgusLog (LOG_ERR, "sasl_encode: returned too many bytes %d\n", outputlen); } else ArgusLog (LOG_ERR, "sasl_encode: failed returned %d\n", retn); } #endif asock->writen = 0; asock->length = cnt; asock->rec = rec; #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: posted record %p", rec); #endif } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: ArgusGenerateRecord error! deleting record"); #endif ArgusFreeListRecord(rec); } } else { #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusWriteOutSocket: list %p is now empty", list); #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: still work to be done for %p, len %d writen %d", rec, asock->length, asock->writen); #endif break; } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket: nothing to be done for %p, len %d writen %d", rec, asock->length, asock->writen); #endif } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&list->lock); #endif #ifdef ARGUSDEBUG ArgusDebug (9, "ArgusWriteOutSocket(%p): queue empty\n", asock); #endif if (asock->errornum >= ARGUS_MAXERROR) { ArgusLog (LOG_WARNING, "ArgusWriteOutSocket(%p) maximum errors exceeded %d\n", asock, asock->errornum); retn = -1; } if ((count = ArgusGetListCount(list)) > ArgusMaxListLength) { ArgusLog (LOG_WARNING, "ArgusWriteOutSocket(%p) max queue exceeded %d\n", asock, count); retn = -1; } #ifdef ARGUSDEBUG if (list) { ArgusDebug (6, "ArgusWriteOutSocket (%p) %d records waiting. returning %d\n", asock, count, retn); } else { ArgusDebug (6, "ArgusWriteOutSocket (%p) no list. returning %d\n", asock, count, retn); } #endif } } else { #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket (%p, %p) no list returning %d\n", output, client, retn); #endif } #ifdef ARGUSDEBUG ArgusDebug (6, "ArgusWriteOutSocket (%p, %p) returning %d\n", output, client, retn); #endif return retn; } #if !defined(ArgusAddrtoName) #define ArgusAddrtoName #endif #include #include #include #include #ifdef ETHER_SERVICE struct ether_addr; #ifdef HAVE_ETHER_HOSTTON /* * XXX - do we need any of this if doesn't declare * ether_hostton()? */ #ifdef HAVE_NETINET_IF_ETHER_H struct mbuf; /* Squelch compiler warnings on some platforms for */ struct rtentry; /* declarations in */ #include /* for "struct ifnet" in "struct arpcom" on Solaris */ #include #endif /* HAVE_NETINET_IF_ETHER_H */ #ifdef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON #include #endif /* NETINET_ETHER_H_DECLARES_ETHER_HOSTTON */ #endif /* HAVE_ETHER_HOSTTON */ #endif /* * hash tables for whatever-to-name translations #define HASHNAMESIZE 4096 struct h6namemem { struct in6_addr addr; char *name; struct h6namemem *nxt; }; struct hnamemem { u_int addr; char *name; struct hnamemem *nxt; }; struct h6namemem h6nametable[HASHNAMESIZE]; struct hnamemem hnametable[HASHNAMESIZE]; struct hnamemem tporttable[HASHNAMESIZE]; struct hnamemem uporttable[HASHNAMESIZE]; struct hnamemem eprototable[HASHNAMESIZE]; struct hnamemem nnametable[HASHNAMESIZE]; struct hnamemem llcsaptable[HASHNAMESIZE]; struct enamemem { u_short e_addr0; u_short e_addr1; u_short e_addr2; char *e_name; u_char *e_nsap; struct enamemem *e_nxt; }; struct enamemem enametable[HASHNAMESIZE]; struct enamemem nsaptable[HASHNAMESIZE]; struct protoidmem { u_int p_oui; arg_uint16 p_proto; char *p_name; struct protoidmem *p_nxt; }; struct protoidmem protoidtable[HASHNAMESIZE]; */ /* * A faster replacement for inet_ntoa(). */ char * intoa(u_int addr) { char *cp; u_int byte; int n; static char buf[sizeof(".xxx.xxx.xxx.xxx")]; /* addr = htonl(addr); */ cp = &buf[sizeof buf]; *--cp = '\0'; n = 4; do { byte = addr & 0xff; *--cp = byte % 10 + '0'; byte /= 10; if (byte > 0) { *--cp = byte % 10 + '0'; byte /= 10; if (byte > 0) *--cp = byte + '0'; } *--cp = '.'; addr >>= 8; } while (--n > 0); return cp + 1; } /* * Return a name for the IP address pointed to by ap. This address * is assumed to be in network byte order. */ char * ArgusGetName(struct ArgusParserStruct *parser, u_char *ap) { static struct hnamemem *p; /* static for longjmp() */ u_int addr; #if !defined(TCPDUMP_ALIGN) addr = *(const u_int *)ap; #else /* * Deal with alignment. */ switch ((int)ap & 3) { case 0: addr = *(u_int *)ap; break; case 2: addr = ((u_int)*(u_short *)ap << 16) | (u_int)*(u_short *)(ap + 2); break; default: addr = ((u_int)ap[3] << 24) | ((u_int)ap[2] << 16) | ((u_int)ap[1] << 8) | (u_int)ap[0]; break; } #endif p = &parser->hnametable[addr % (HASHNAMESIZE-1)]; for (; p->nxt; p = p->nxt) { if (p->addr == addr) if (p->name != NULL) return (p->name); } p->addr = addr; p->nxt = (struct hnamemem *)calloc(1, sizeof (*p)); return (intoa(addr)); } #include #include #if !defined(INET6_ADDRSTRLEN) #define INET6_ADDRSTRLEN 46 #endif #if !defined(AF_INET6) #define AF_INET6 23 #endif char * ArgusGetV6Name(struct ArgusParserStruct *parser, u_char *ap) { struct in6_addr addr; char ntop_buf[INET6_ADDRSTRLEN]; struct h6namemem *p; /* static for longjmp() */ const char *cp; memcpy(&addr, ap, sizeof(addr)); p = &parser->h6nametable[*(u_int16_t *)&addr.s6_addr[14] & (HASHNAMESIZE-1)]; for (; p->nxt; p = p->nxt) { if (memcmp(&p->addr, &addr, sizeof(addr)) == 0) return (p->name); } p->addr = addr; p->nxt = (struct h6namemem *)calloc(1, sizeof (*p)); if ((cp = inet_ntop(AF_INET6, (const void *) &addr, ntop_buf, sizeof(ntop_buf))) != NULL) p->name = strdup(cp); return (p->name); } struct timeval * RaMinTime (struct timeval *s1, struct timeval *s2) { struct timeval *retn = s2; if ((s1->tv_sec < s2->tv_sec) || ((s1->tv_sec == s2->tv_sec) && (s1->tv_usec < s2->tv_usec))) retn = s1; return (retn); } struct timeval * RaMaxTime (struct timeval *s1, struct timeval *s2) { struct timeval *retn = s2; if ((s1->tv_sec > s2->tv_sec) || ((s1->tv_sec == s2->tv_sec) && (s1->tv_usec > s2->tv_usec))) retn = s1; return (retn); } float RaDeltaFloatTime (struct timeval *s1, struct timeval *s2) { float retn = 0.0; if (s1 && s2) { #if defined(ARGUS_NANOSECONDS) double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000000.0); #else double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000.0); #endif retn = v1 - v2; } return (retn); } int RaDiffTime (struct timeval *s1, struct timeval *s2, struct timeval *diff) { int retn = 0; if (s1 && s2 && diff) { bzero ((char *)diff, sizeof(*diff)); #if defined(ARGUS_NANOSECONDS) double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000000.0); #else double v1 = (s1->tv_sec * 1.0) + (s1->tv_usec / 1000000.0); double v2 = (s2->tv_sec * 1.0) + (s2->tv_usec / 1000000.0); #endif double f, i; v1 -= v2; f = modf(v1, &i); diff->tv_sec = i; #if defined(ARGUS_NANOSECONDS) diff->tv_usec = f * 1000000000; #else diff->tv_usec = f * 1000000; #endif retn = 1; } return (retn); } long long ArgusDiffTime (struct ArgusTime *, struct ArgusTime *, struct timeval *); long long ArgusDiffTime (struct ArgusTime *s1, struct ArgusTime *s2, struct timeval *diff) { long long v1 = 0, v2 = 0; if (s1 && s2 && diff) { #if defined(ARGUS_NANOSECONDS) v1 = (s1->tv_sec * 1000000000LL) + s1->tv_usec; v2 = (s2->tv_sec * 1000000000LL) + s2->tv_usec; #else v1 = (s1->tv_sec * 1000000LL) + s1->tv_usec; v2 = (s2->tv_sec * 1000000LL) + s2->tv_usec; #endif v1 -= v2; #if defined(ARGUS_NANOSECONDS) diff->tv_sec = v1 / 1000000000; diff->tv_usec = v1 % 1000000000; #else diff->tv_sec = v1 / 1000000; diff->tv_usec = v1 % 1000000; #endif } return (v1); } float RaGetFloatDuration (struct ArgusRecordStruct *argus) { float retn = 0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { struct ArgusRecord *rec = (struct ArgusRecord *) &argus->canon; sec = rec->argus_mar.now.tv_sec - rec->argus_mar.startime.tv_sec; usec = rec->argus_mar.now.tv_usec - rec->argus_mar.startime.tv_usec; } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct timeval *stime = NULL, *ltime = NULL; struct timeval srctime, dsttime; unsigned int subtype = dtime->hdr.subtype & (ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END); if (subtype) { switch (subtype) { case ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->dst.start.tv_sec; dsttime.tv_usec = dtime->dst.start.tv_usec; stime = RaMinTime(&srctime, &dsttime); srctime.tv_sec = dtime->src.end.tv_sec; srctime.tv_usec = dtime->src.end.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; ltime = RaMaxTime(&srctime, &dsttime); break; } case ARGUS_TIME_SRC_START: case ARGUS_TIME_SRC_START | ARGUS_TIME_SRC_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->src.end.tv_sec; dsttime.tv_usec = dtime->src.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } case ARGUS_TIME_DST_START: case ARGUS_TIME_DST_START | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->dst.start.tv_sec; srctime.tv_usec = dtime->dst.start.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } case ARGUS_TIME_SRC_START | ARGUS_TIME_DST_END: { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->dst.end.tv_sec; dsttime.tv_usec = dtime->dst.end.tv_usec; stime = &srctime; ltime = &dsttime; break; } default: break; } } else { srctime.tv_sec = dtime->src.start.tv_sec; srctime.tv_usec = dtime->src.start.tv_usec; dsttime.tv_sec = dtime->src.end.tv_sec; dsttime.tv_usec = dtime->src.end.tv_usec; stime = &srctime; ltime = &dsttime; } if (stime && ltime) { sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; } } #if defined(ARGUS_NANOSECONDS) retn = (sec * 1.0) + usec/1000000000.0; #else retn = (sec * 1.0) + usec/1000000.0; #endif return (retn); } float RaGetFloatSrcDuration (struct ArgusRecordStruct *argus) { float retn = 0.0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct ArgusTime *stime = &dtime->src.start; struct ArgusTime *ltime = &dtime->src.end; sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; #if defined(ARGUS_NANOSECONDS) retn = (sec * 1.0) + usec/1000000000.0; #else retn = (sec * 1.0) + usec/1000000.0; #endif } return (retn); } float RaGetFloatDstDuration (struct ArgusRecordStruct *argus) { float retn = 0.0; int sec = 0, usec = 0; if (argus->hdr.type & ARGUS_MAR) { } else { struct ArgusTimeObject *dtime = &argus->canon.time; struct ArgusTime *stime = &dtime->dst.start; struct ArgusTime *ltime = &dtime->dst.end; sec = ltime->tv_sec - stime->tv_sec; usec = ltime->tv_usec - stime->tv_usec; #if defined(ARGUS_NANOSECONDS) retn = (sec * 1.0) + usec/1000000000.0; #else retn = (sec * 1.0) + usec/1000000.0; #endif } return (retn); } double ArgusFetchDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatDuration(ns); return (retn); } double ArgusFetchSrcDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatSrcDuration(ns); return (retn); } double ArgusFetchDstDuration (struct ArgusRecordStruct *ns) { double retn = RaGetFloatDstDuration(ns); return (retn); } double ArgusFetchSrcLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; float dur = 0.0; long long cnt1; double retn = 0.0; dur = ArgusFetchSrcDuration(ns); if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) { cnt1 = m1->src.pkts; } else { cnt1 = 0; } if (dur > 0.0) retn = (cnt1 * 1.0)/dur; return (retn); } double ArgusFetchDstLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; #if defined(ARGUS_NANOSECONDS) if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000000.0)); #else if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); #endif if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->dst.pkts; if (d1 > 0.0) retn = (cnt1 * 1.0)/d1; return (retn); } double ArgusFetchLoad (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; #if defined(ARGUS_NANOSECONDS) if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000000.0)); #else if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); #endif if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->src.pkts + m1->dst.pkts; if ((cnt1 > 0) && (d1 > 0.0)) retn = (cnt1 * 1.0)/d1; return (retn); } double ArgusFetchLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = (rtp->sdrop + rtp->ddrop) * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = (tcp->src.retrans + tcp->dst.retrans) * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.src.pkts) retn = esp->lostseq * 1.0; } break; } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = (rtp->sdrop + rtp->ddrop) * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = (tcp->src.retrans + tcp->dst.retrans) * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchSrcLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->sdrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = tcp->src.retrans * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.src.pkts) retn = esp->lostseq * 1.0; } break; } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->sdrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.src.pkts) retn = tcp->src.retrans * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchDstLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; if (ns) { if (ns->hdr.type & ARGUS_MAR) { } else { struct ArgusFlow *flow = (struct ArgusFlow *)&ns->canon.flow; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch ((flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: { switch (ns->canon.flow.ip_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->ddrop * 1.0; } } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.dst.pkts) retn = tcp->dst.retrans * 1.0; } break; } case IPPROTO_ESP: { struct ArgusESPObject *esp = (void *)&ns->canon.net.net_union.esp; if (esp != NULL) { if (ns->canon.metric.dst.pkts) retn = esp->lostseq * 1.0; } } } break; } case ARGUS_TYPE_IPV6: { switch (flow->ipv6_flow.ip_p) { case IPPROTO_UDP: { if (ns->canon.net.hdr.subtype == ARGUS_RTP_FLOW) { struct ArgusRTPObject *rtp = (void *)&ns->canon.net.net_union.rtp; retn = rtp->ddrop * 1.0; } break; } case IPPROTO_ICMP: { break; } case IPPROTO_TCP: { struct ArgusTCPObject *tcp = (void *)&ns->canon.net.net_union.tcp; if ((tcp != NULL) && (tcp->state != 0)) { if (ns->canon.metric.dst.pkts) retn = tcp->dst.retrans * 1.0; } break; } } } } break; } } } } return (retn); } double ArgusFetchPercentLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchLoss(ns); pkts = ns->canon.metric.src.pkts + ns->canon.metric.dst.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0 )+ retn); } else retn = 0.0; } return (retn); } double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchSrcLoss(ns); pkts = ns->canon.metric.src.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0) + retn); } else retn = 0.0; } return (retn); } double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *ns) { double retn = 0.0; int pkts = 0; if (ns) { retn = ArgusFetchDstLoss(ns); pkts = ns->canon.metric.dst.pkts; if (pkts > 0) { retn = (retn * 100.0)/((pkts * 1.0) + retn); } else retn = 0.0; } return (retn); } double ArgusFetchSrcRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1, r1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; #if defined(ARGUS_NANOSECONDS) if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000000.0)); #else if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); #endif if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->src.bytes * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchDstRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; float d1, r1 = 0.0; long long cnt1 = 0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; #if defined(ARGUS_NANOSECONDS) if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000000.0)); #else if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); #endif if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = m1->dst.bytes * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchRate (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; struct timeval ts1buf, *ts1 = &ts1buf; struct timeval t1buf, *t1d = &t1buf; long long cnt1 = 0; float d1, r1 = 0.0; double retn = 0; ts1->tv_sec = ns->canon.time.src.start.tv_sec; ts1->tv_usec = ns->canon.time.src.start.tv_usec; t1d->tv_sec = ns->canon.time.src.end.tv_sec; t1d->tv_usec = ns->canon.time.src.end.tv_usec; t1d->tv_sec -= ts1->tv_sec; t1d->tv_usec -= ts1->tv_usec; #if defined(ARGUS_NANOSECONDS) if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000000.0)); #else if (t1d->tv_usec < 0) {t1d->tv_sec--; t1d->tv_usec += 1000000;} d1 = ((t1d->tv_sec * 1.0) + (t1d->tv_usec/1000000.0)); #endif if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) cnt1 = (m1->src.bytes + m1->dst.bytes) * 8; if ((cnt1 > 0) && (d1 > 0.0)) r1 = (cnt1 * 1.0)/d1; retn = r1; return (retn); } double ArgusFetchAppByteRatio (struct ArgusRecordStruct *ns) { struct ArgusMetricStruct *m1 = NULL; double retn = 0.0; if ((m1 = (struct ArgusMetricStruct *) ns->dsrs[ARGUS_METRIC_INDEX]) != NULL) { double nvalue = (m1->src.appbytes - m1->dst.appbytes) * 1.0; double dvalue = (m1->src.appbytes + m1->dst.appbytes) * 1.0; if (dvalue > 0) retn = nvalue / dvalue; else retn = -0.0; } return (retn); } argus-5.0.2/argus/ArgusUtil.h000066400000000000000000000273511471541253600160700ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Utilities include files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1993, 1994 Carnegie Mellon University. * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of CMU not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. * */ /* * $Id: //depot/gargoyle/argus/argus/ArgusUtil.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* ArgusUtil.h */ #ifndef ArgusUtil_h #define ArgusUtil_h #if defined(HAVE_STDLIB_H) #include #endif #if defined(HAVE_STRINGS_H) #include #endif #include #include #include #include #include #include #include #define ARGUS_NOLOCK 0 #define ARGUS_LOCK 1 #define ARGUS_RFILE_LIST 1 #define ARGUS_WFILE_LIST 2 #define ARGUS_DEVICE_LIST 3 #define ARGUS_OUTPUT_LIST 4 #define ARGUS_EVENT_LIST 5 #define ARGUS_BIND_ADDR_LIST 6 struct ArgusListObjectStruct { struct ArgusListObjectStruct *nxt; void *obj; }; struct ArgusListRecord { struct ArgusListObjectStruct *nxt; struct ArgusRecordHeader argus; }; struct ArgusListStruct { struct ArgusListObjectStruct *start; struct ArgusListObjectStruct *end; #if defined(ARGUS_THREADS) pthread_mutex_t lock; pthread_cond_t cond; #endif unsigned int count, pushed, popped, loaded; struct timeval outputTime, reportTime; }; #define ARGUS_PROCESS_NEXT_PASS 0x10 /* struct ArgusQueueHeader { struct ArgusQueueHeader *prv, *nxt; struct ArgusQueueStruct *queue; struct timeval lasttime, qtime; unsigned int status; }; struct ArgusQueueStruct { struct ArgusQueueHeader qhdr; int count, turns, timeout, status, reclaim; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif struct ArgusQueueHeader *start, *end; struct ArgusFlowStruct **array; }; */ #include #define ARGUS_READINGPREHDR 1 #define ARGUS_READINGHDR 2 #define ARGUS_READINGBLOCK 4 #define ARGUS_WAS_FUNCTIONAL 0x10 #define ARGUS_SOCKET_COMPLETE 0x20 #define ARGUS_MAXRECORD 0x40000 struct ArgusSocketStruct { struct ArgusListStruct *ArgusSocketList; int fd, status, cnt, expectedSize, errornum; int ArgusLastRecord, ArgusReadState; struct timeval lastwrite; struct ArgusRecordStruct *rec; int length, writen; struct sockaddr sock; char *filename; void *obj; unsigned char *ptr, buf[ARGUS_MAXRECORD]; }; typedef int (*ArgusHandler)(struct ArgusSocketStruct *, unsigned char *, int, void *); #if defined(ArgusUtil) #if defined(_LITTLE_ENDIAN) void ArgusNtoH (struct ArgusRecord *); void ArgusHtoN (struct ArgusRecord *); #endif struct ArgusListStruct *ArgusNewList(void); void ArgusDeleteList(struct ArgusListStruct *, int); int ArgusListEmpty (struct ArgusListStruct *); int ArgusGetListCount (struct ArgusListStruct *); int ArgusPushFrontList(struct ArgusListStruct *, struct ArgusListRecord *, int); int ArgusPushBackList (struct ArgusListStruct *, struct ArgusListRecord *, int); struct ArgusListRecord *ArgusPopFrontList (struct ArgusListStruct *, int); void ArgusLoadList(struct ArgusListStruct *, struct ArgusListStruct *); struct ArgusQueueStruct *ArgusNewQueue (void); void ArgusDeleteQueue (struct ArgusQueueStruct *); int ArgusGetQueueCount(struct ArgusQueueStruct *); void ArgusPushQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); int ArgusAddToQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); struct ArgusQueueHeader *ArgusPopQueue(struct ArgusQueueStruct *, int); struct ArgusQueueHeader *ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type); struct ArgusQueueHeader *ArgusRemoveFromQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); void ArgusProcessQueue(struct ArgusModelerStruct *, struct ArgusQueueStruct *, int); void ArgusEmptyQueue(struct ArgusQueueStruct *); void ArgusDeleteObject(struct ArgusFlowStruct *); struct ArgusHashTableHeader *ArgusFindHashObject (struct ArgusHashTable *, struct ArgusSystemFlow *, unsigned short); extern struct ArgusHashTableHeader *ArgusAddHashEntry (struct ArgusHashTable *, struct ArgusFlowStruct *, struct ArgusHashStruct *); void ArgusRemoveHashEntry (struct ArgusHashTableHeader *); struct ArgusSocketStruct * ArgusNewSocket (int fd); void ArgusDeleteSocket (struct ArgusOutputStruct *, struct ArgusClientData *); int ArgusReadSocket (struct ArgusSocketStruct *, ArgusHandler, void *); int ArgusWriteSocket (struct ArgusOutputStruct *, struct ArgusClientData *, struct ArgusRecordStruct *); int ArgusWriteOutSocket (struct ArgusOutputStruct *, struct ArgusClientData *); char *ArgusGetFlowString (struct ArgusFlowStruct *); char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); void ArgusSetChroot(char *); #ifdef ARGUSDEBUG extern void ArgusDebug (int, char *, ...); #endif struct timeval *RaMinTime (struct timeval *, struct timeval *); struct timeval *RaMaxTime (struct timeval *, struct timeval *); float RaDeltaFloatTime (struct timeval *, struct timeval *); int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); float RaGetFloatDuration (struct ArgusRecordStruct *); float RaGetFloatSrcDuration (struct ArgusRecordStruct *); float RaGetFloatDstDuration (struct ArgusRecordStruct *); double ArgusFetchDuration (struct ArgusRecordStruct *); double ArgusFetchSrcDuration (struct ArgusRecordStruct *); double ArgusFetchDstDuration (struct ArgusRecordStruct *); double ArgusFetchLoad (struct ArgusRecordStruct *); double ArgusFetchSrcLoad (struct ArgusRecordStruct *); double ArgusFetchDstLoad (struct ArgusRecordStruct *); double ArgusFetchLoss (struct ArgusRecordStruct *); double ArgusFetchSrcLoss (struct ArgusRecordStruct *); double ArgusFetchDstLoss (struct ArgusRecordStruct *); double ArgusFetchPercentLoss (struct ArgusRecordStruct *); double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *); double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *); double ArgusFetchRate (struct ArgusRecordStruct *); double ArgusFetchSrcRate (struct ArgusRecordStruct *); double ArgusFetchDstRate (struct ArgusRecordStruct *); double ArgusFetchAppByteRatio (struct ArgusRecordStruct *); #else #if defined(_LITTLE_ENDIAN) extern void ArgusNtoH (struct ArgusRecord *); extern void ArgusHtoN (struct ArgusRecord *); #endif extern struct ArgusListStruct *ArgusNewList(void); extern void ArgusDeleteList(struct ArgusListStruct *, int); extern int ArgusListEmpty (struct ArgusListStruct *); extern int ArgusGetListCount (struct ArgusListStruct *); extern int ArgusPushFrontList(struct ArgusListStruct *, struct ArgusListRecord *, int); extern int ArgusPushBackList (struct ArgusListStruct *, struct ArgusListRecord *, int); extern struct ArgusListRecord *ArgusPopFrontList (struct ArgusListStruct *, int); extern void ArgusLoadList(struct ArgusListStruct *, struct ArgusListStruct *); extern struct ArgusQueueStruct *ArgusNewQueue (void); extern int ArgusDeleteQueue (struct ArgusQueueStruct *); extern int ArgusGetQueueCount(struct ArgusQueueStruct *); extern void ArgusPushQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern int ArgusAddToQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern struct ArgusQueueHeader *ArgusPopQueue(struct ArgusQueueStruct *, int); struct ArgusQueueHeader *ArgusPopBackQueue (struct ArgusQueueStruct *queue, int type); extern struct ArgusQueueHeader *ArgusRemoveFromQueue(struct ArgusQueueStruct *, struct ArgusQueueHeader *, int); extern void ArgusProcessQueue(struct ArgusModelerStruct *, struct ArgusQueueStruct *, int); extern void ArgusEmptyQueue(struct ArgusQueueStruct *); extern void ArgusDeleteObject(struct ArgusFlowStruct *obj); struct ArgusHashTableHeader *ArgusFindHashObject (struct ArgusHashTable *, struct ArgusSystemFlow *, unsigned short); extern struct ArgusHashTableHeader *ArgusAddHashEntry (struct ArgusHashTable *, struct ArgusFlowStruct *, struct ArgusHashStruct *); extern void ArgusRemoveHashEntry (struct ArgusHashTableHeader *); extern struct ArgusSocketStruct * ArgusNewSocket (int fd); extern void ArgusDeleteSocket (struct ArgusOutputStruct *, struct ArgusClientData *); extern int ArgusWriteSocket (struct ArgusOutputStruct *, struct ArgusClientData *, struct ArgusRecordStruct *); extern int ArgusWriteOutSocket (struct ArgusOutputStruct *, struct ArgusClientData *); extern char *ArgusGetFlowString (struct ArgusFlowStruct *); extern char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); extern char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); extern void ArgusSetChroot(char *); #ifdef ARGUSDEBUG extern void ArgusDebug (int, char *, ...); #endif extern struct timeval *RaMinTime (struct timeval *, struct timeval *); extern struct timeval *RaMaxTime (struct timeval *, struct timeval *); extern float RaDeltaFloatTime (struct timeval *, struct timeval *); extern int RaDiffTime (struct timeval *, struct timeval *, struct timeval *); extern float RaGetFloatDuration (struct ArgusRecordStruct *); extern float RaGetFloatSrcDuration (struct ArgusRecordStruct *); extern float RaGetFloatDstDuration (struct ArgusRecordStruct *); extern double ArgusFetchDuration (struct ArgusRecordStruct *); extern double ArgusFetchSrcDuration (struct ArgusRecordStruct *); extern double ArgusFetchDstDuration (struct ArgusRecordStruct *); extern double ArgusFetchLoad (struct ArgusRecordStruct *); extern double ArgusFetchSrcLoad (struct ArgusRecordStruct *); extern double ArgusFetchDstLoad (struct ArgusRecordStruct *); extern double ArgusFetchLoss (struct ArgusRecordStruct *); extern double ArgusFetchSrcLoss (struct ArgusRecordStruct *); extern double ArgusFetchDstLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentSrcLoss (struct ArgusRecordStruct *); extern double ArgusFetchPercentDstLoss (struct ArgusRecordStruct *); extern double ArgusFetchRate (struct ArgusRecordStruct *); extern double ArgusFetchSrcRate (struct ArgusRecordStruct *); extern double ArgusFetchDstRate (struct ArgusRecordStruct *); extern double ArgusFetchAppByteRatio (struct ArgusRecordStruct *); #endif #endif argus-5.0.2/argus/ArgusVxLan.c000066400000000000000000000043311471541253600161670ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - VxLan Protocol Processor * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id$ * $DateTime: 2014/05/14 12:53:31 $ * $Change: 2827 $ */ #if !defined(ArgusVxLan) #define ArgusVxLan #include #include unsigned short ArgusParseVxLan (struct ArgusModelerStruct *, void *); struct vxlanhdr { unsigned char flgs, res[3]; unsigned int vni; }; unsigned short ArgusParseVxLan (struct ArgusModelerStruct *model, void *ptr) { unsigned short retn = 0; struct vxlanhdr *vxl = ptr; if (STRUCTCAPTURED(model, *vxl)) { if (vxl->flgs == 0x08) { unsigned int vni = ntohl(vxl->vni) >> 8; int len = ((unsigned char *) (vxl + 1)) - model->ArgusThisUpHdr; retn = ARGUS_ETHER_HDR; model->ArgusThisVxLanVni = vni; model->ArgusThisEncaps |= ARGUS_ENCAPS_VXLAN; model->ArgusThisUpHdr = (unsigned char *)(vxl + 1); model->ArgusThisLength -= len; model->ArgusSnapLength -= len; if (ArgusDumpTask->ppc != NULL) if (ArgusDumpTask->ppc[ARGUS_VXLAN_PROTO] == 1) model->ArgusMatchProtocol++; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusParseVxLan(%p, %p) vni is %d\n", model, ptr, vni); #endif } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseVxLan(%p, %p) returning %d\n", model, ptr, retn); #endif return (retn); } #endif argus-5.0.2/argus/ArgusVxLan.h000066400000000000000000000024671471541253600162040ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - VxLan Protocol Includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id$ * $DateTime: 2014/05/14 12:53:31 $ * $Change: 2827 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusVxLan_h #define ArgusVxLan_h #include #include #include #include #include #include unsigned short ArgusParseVxLan (struct ArgusModelerStruct *, void *); #endif argus-5.0.2/argus/Makefile.in000077500000000000000000000102671471541253600160460ustar00rootroot00000000000000# # Argus-5.0 Software. Argus files - Makefile.in # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # Various configurable paths (remember to edit Makefile.in, not Makefile) # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the system binaries SBINDIR = @sbindir@ # Pathname of directory to install the system binaries BINDIR = @bindir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ COMPATLIB = @COMPATLIB@ @LIB_XDR@ WRAPLIBS = @WRAPLIBS@ SASLLIBS = @LIB_SASL@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ INCLS = -I$(srcdir) @V_INCLS@ @XDR_INCLS@ -I$(srcdir)/../include DEFS = @DEFS@ #DEFS = -DARGUSPERFMETRICS=1 @DEFS@ # Standard CFLAGS CFLAGS = $(CCOPT) $(INCLS) $(DEFS) $(EXTRA_CFLAGS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< SRC = argus.c ArgusModeler.c ArgusSource.c ArgusUtil.c ArgusOutput.c ArgusUdp.c \ ArgusTcp.c ArgusIcmp.c ArgusIgmp.c ArgusEsp.c ArgusArp.c ArgusFrag.c ArgusUdt.c \ ArgusLcp.c ArgusIsis.c ArgusAuth.c Argus802.11.c ArgusApp.c ArgusEvents.c \ ArgusNetflow.c ArgusSflow.c ArgusVxLan.c ArgusGre.c ArgusL2TP.c ArgusIfnam.c \ ArgusGeneve.c PROG = @INSTALL_BIN@/argus # We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot # hack the extra indirection OBJ = $(SRC:.c=.o) LIB = ../lib/argus_common.a @LIBS@ @V_THREADS@ $(WRAPLIBS) $(SASLLIBS) $(COMPATLIB) HDR = pcap.h pcap-int.h pcap-namedb.h pcap-nit.h pcap-pf.h \ ethertype.h gencode.h gnuc.h TAGHDR = \ pcap/bpf.h TAGFILES = \ $(SRC) $(HDR) $(TAGHDR) CLEANFILES = $(OBJ) $(PROG) all: $(PROG) @INSTALL_BIN@/argus: $(OBJ) ../lib/argus_common.a $(CC) $(CFLAGS) -o $@ $(OBJ) $(LDFLAGS) $(LIB) install: force all [ -d $(DESTDIR)$(SBINDIR) ] || \ (mkdir -p $(DESTDIR)$(SBINDIR); chmod 755 $(DESTDIR)$(SBINDIR)) $(INSTALL) $(srcdir)/../bin/argus $(DESTDIR)$(SBINDIR)/argus uninstall: force rm -f $(DESTDIR)$(SBINDIR)/argus clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile config.cache config.log config.status \ gnuc.h os-proto.h bpf_filter.c net tags: $(TAGFILES) ctags -wtd $(TAGFILES) tar: force @cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \ list="" ; tar="tar chFFf" ; \ for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \ echo \ "rm -f ../$$name; ln -s $$dir ../$$name" ; \ rm -f ../$$name; ln -s $$dir ../$$name ; \ echo \ "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \ (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \ echo \ "rm -f ../$$name" ; \ rm -f ../$$name force: /tmp depend: force ../bin/mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC) argus-5.0.2/argus/argus.c000066400000000000000000002350361471541253600152660ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - Main argus processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/argus.c#18 $ * $DateTime: 2016/10/27 18:40:41 $ * $Change: 3232 $ */ /* * argus - Audit Record Generation and Utilization System * * written by Carter Bullard * QoSient LLC * */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if !defined(Argus) #define Argus #endif #define _GNU_SOURCE #include #include #include #include #if defined(HAVE_SYS_TYPES_H) #include #endif #if defined(HAVE_SYS_WAIT_H) #include #endif #include #if defined(ARGUS_TILERA) #include #include #include #include #include #include #if defined(HAVE_UUID_UUID_H) #include #else #if defined(HAVE_UUID_H) #include #endif #endif void bind_proc(int); #endif void ArgusParseResourceFile (struct ArgusModelerStruct *, char *, int); char *ArgusPidFile = NULL; pid_t ArgusSessionId = 0; struct timeval ArgusNowTime; char *ArgusPidPath = NULL; int ArgusDaemon = 0; #if defined(ARGUS_THREADS) pthread_attr_t attrbuf, *ArgusAttr = &attrbuf; #endif #if defined(ARGUS_FLEXLM) # include "argus_lic.h" static void *license; #endif static void ArgusShutDown (void); void usage(void) { extern char version[]; fprintf (stdout, "Argus Version %s\n", version); fprintf (stdout, "usage: %s [options] [-i interface] [filter-expression] \n", ArgusProgramName); fprintf (stdout, "usage: %s [options] -r packetfile [filter-expression] \n\n", ArgusProgramName); fprintf (stdout, "options: -A Generate application byte metrics.\n"); fprintf (stdout, " -b dump filter compiler output.\n"); fprintf (stdout, " -B specify bind interface address(s).\n"); fprintf (stdout, " -c daemon chroot directory.\n"); fprintf (stdout, " -C run in control plane monitoring mode.\n"); fprintf (stdout, " -d run Argus in daemon mode.\n"); #if defined(ARGUSDEBUG) fprintf (stdout, " -D set debug reporting .\n"); #endif fprintf (stdout, " -e specify Argus Identifier .\n"); fprintf (stdout, " -f don't stop when EOF is seen, but wait for more\n"); fprintf (stdout, " packets to arrive in packet capture file.\n"); fprintf (stdout, " -F read configuration from .\n"); fprintf (stdout, " -h print help.\n"); fprintf (stdout, " -i specify interface to use as a packet source.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -i ind:all open all as independent sources.\n"); fprintf (stdout, " -i dup:en0,en1/srcid use two as duplex sources. \n"); fprintf (stdout, " -i bond:en0,en1/srcid use two as bonded interfaces. \n"); fprintf (stdout, " -i dup:[bond:en0,en1],en2 complex specification. \n"); fprintf (stdout, " -i en0/srcid -i en1/srcid equivalent to '-i ind:en0/..' \n"); fprintf (stdout, " -i en0 en1 equivalent '-i bond:en0,en1') \n"); fprintf (stdout, " -J generate packet performance data.\n"); fprintf (stdout, " -M set MAR Status Report Time Interval (300s).\n"); fprintf (stdout, " -m turn on MAC Layer Reporting.\n"); fprintf (stdout, " -O turn off filter optimizer.\n"); fprintf (stdout, " -p don't go into promiscuous mode.\n"); fprintf (stdout, " -P enable remote access on (561).\n"); fprintf (stdout, " -r use packet file as data source.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -r file file open files as, discover packet formats\n"); fprintf (stdout, " -r cisco:file open files and look for netflow records in packet payload\n"); fprintf (stdout, " -R generate response time data.\n"); fprintf (stdout, " -s set the packet snaplen size.\n"); fprintf (stdout, " -S set FAR Status Report Time Interval (60s).\n"); fprintf (stdout, " -t indicate that packetfile is MOAT Tsh format. \n"); fprintf (stdout, " -u specify user id for daemon.\n"); fprintf (stdout, " -g specify group id for daemon.\n"); fprintf (stdout, " -U specify the number of user bytes to capture.\n"); fprintf (stdout, " -w write output to , or '-', for stdout,\n"); fprintf (stdout, " against optional filter expression.\n"); fprintf (stdout, " -w write output to URL based stream.\n"); fprintf (stdout, " Supported formats: \n"); fprintf (stdout, " -w argus-udp://hostname[:port] default port is 561. \n"); fprintf (stdout, " -w udp://hostname[:port] \n"); fprintf (stdout, " -w domain://path/to/socket \n"); fprintf (stdout, " -w - write to stdout \n"); fprintf (stdout, " -X reset argus configuration.\n"); fprintf (stdout, " -Z generate packet size data.\n"); fflush (stdout); exit (-1); } /* * Argus main routine * * Argus main will: * simply instantiate the source, modeler, and output tasks, * parse out the command line options, * initalize the tasks and then loop. * Afterwards, it will delete all the tasks and exit(); * */ #define ArgusEnvItems 2 char *ArgusResourceEnvStr [] = { "ARGUSHOME", "HOME", }; #include #include #include #include #include static char ArgusPidFileName[MAXPATHNAMELEN]; char * ArgusCreatePIDFile (struct ArgusSourceStruct *, char *, char *); void setArgusEventDataRecord (char *); extern void setArgusPcapBufSize (struct ArgusSourceStruct *, int); extern void setArgusPcapDispatchNumber (struct ArgusSourceStruct *, int); extern void setArgusInterfaceScanInterval (struct ArgusSourceStruct *, int); extern void setArgusTunnelParsing (struct ArgusModelerStruct *, char *); extern void setArgusTunnelInformation (struct ArgusModelerStruct *, char *); #define ARGUS_MAX_INSTANCES 5 char * ArgusCreatePIDFile (struct ArgusSourceStruct *src, char *pidpath, char *appname) { FILE *fd; char pidstrbuf[128], *pidstr; char *retn = NULL, *dev = NULL, *devstr = NULL; int i, pid; struct stat statbuf; if (pidpath == NULL) if (stat ("/var/run", &statbuf) == 0) pidpath = "/var/run"; #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) pidpath is %s\n", pidpath, appname, pidpath); #endif dev = getArgusDevice(src); if ((appname != NULL) && dev != NULL && (pidpath != NULL)) { if ((devstr = strrchr(dev, (int)'/')) != NULL) devstr++; else devstr = dev; for (i = 0; i < ARGUS_MAX_INSTANCES; i++) { snprintf (ArgusPidFileName, MAXPATHNAMELEN - 1, "%s/%s.%s.%d.pid", pidpath, appname, devstr, i); retn = ArgusPidFileName; if ((stat (retn, &statbuf)) == 0) { if ((fd = fopen (ArgusPidFileName, "r")) != NULL) { if ((pidstr = fgets (pidstrbuf, 128, fd)) != NULL) { if ((pid = (int) strtol(pidstr, (char **)NULL, 10)) > 0) { if (pid < 100000000) { if ((kill (pid, 0)) == 0) { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) pid %d is running\n", pidpath, appname, pid); #endif retn = NULL; } else { switch (errno) { case ESRCH: break; default: ArgusLog (LOG_ERR, "kill returned error: %s\n", strerror(errno)); } } } } } fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) fopen error %s:%s\n", pidpath, appname, ArgusPidFileName, strerror(errno)); #endif } } if (retn != NULL) break; } if (retn && ((fd = fopen (retn, "w+")) != NULL)) { pid = getpid(); fprintf (fd, "%d\n", pid); fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) fopen error %s\n", pidpath, appname, strerror(errno)); #endif retn = NULL; } } else { #ifdef ARGUSDEBUG if (dev == NULL) ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) dev is null\n", pidpath, appname); #endif } if (dev != NULL) free(dev); /* allocated by strdup in getArgusDevice() */ #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusCreatePIDFile(%s, %s) returning %s\n", pidpath, appname, retn); #endif return (retn); } int main (int argc, char *argv[]) { int commandlinew = 0, doconf = 0; static char path[MAXPATHNAMELEN]; int dodebug = 0, i, pid = 0; int readoffline = 0; char *tmparg, *filter; #if !defined(CYGWIN) extern char *optarg; extern int optind, opterr; #endif struct stat statbuf; int op, commandlinei = 0; #if defined(ARGUS_THREADS) sigset_t blocked_signals; #if defined(_POSIX_THREAD_PRIORITY_SCHEDULING) && !defined(sun) && !defined(CYGWIN) && !defined(OpenBSD) int thread_policy; struct sched_param thread_param; #if defined(HAVE_SCHED_GET_PRIORITY_MIN) int rr_min_priority, rr_max_priority; #endif #endif int status; #endif #if defined(ARGUS_FLEXLM) int borrow = 0; struct timeval borrow_expire = {0, 0}; sigset_t prev_blocked_signals; #endif ArgusUid = getuid(); ArgusGid = getgid(); gettimeofday(&ArgusNowTime, 0L); uflag = 0; pflag = 6; #ifdef CYGWIN #endif if (strchr (argv[0], '/')) { #if defined(HAVE_STRLCPY) strlcpy(path, argv[0], MAXPATHNAMELEN - 1); #else bzero(path, MAXPATHNAMELEN); strncpy(path, argv[0], MAXPATHNAMELEN - 1); #endif argv[0] = strrchr(argv[0], '/') + 1; } ArgusProgramName = argv[0]; #ifdef HAVE_SYSLOG #ifndef LOG_PERROR #define LOG_PERROR LOG_CONS #endif openlog (ArgusProgramName, LOG_PID | LOG_PERROR, LOG_DAEMON); #endif for (i = 1; (i < argc); i++) { char *ptr = argv[i]; if (ptr != NULL) { if (*ptr == '-') { ptr++; if ((*ptr == 0) || (isspace((int)*ptr))) break; do { switch (*ptr) { case 'r': readoffline = 1; break; case 'D': if (isdigit((int)*++ptr)) { setArgusdflag (ArgusModel, atoi (ptr)); } else { if (isdigit((int)*argv[i + 1])) setArgusdflag (ArgusModel, atoi (argv[++i])); else break; } break; #if defined(ARGUS_FLEXLM) case 'E': /* Borrow a license for the specified Expiration * in number of days. */ if (isdigit((int)*++ptr)) { borrow = atoi(ptr); } else { if (isdigit((int)*argv[i + 1])) borrow = atoi(argv[++i]); else break; } break; #endif case 'X': case 'F': doconf++; break; default: { if (dodebug) { if (isdigit((int)*ptr)) { setArgusdflag (ArgusModel, atoi (ptr)); dodebug = 0; } } } } } while (isalpha((int)*++ptr)); } } } if ((ArgusModel = ArgusNewModeler()) == NULL) ArgusLog (LOG_ERR, "Error Creating Modeler: Exiting.\n"); if ((ArgusSourceTask = ArgusNewSource(ArgusModel)) == NULL) ArgusLog (LOG_ERR, "Error Creating Source Task: Exiting.\n"); if ((ArgusDumpTask = ArgusNewDump(ArgusSourceTask, NULL)) == NULL) ArgusLog (LOG_ERR, "Error Creating Dump Task: Exiting.\n"); ArgusModel->ArgusSrc = ArgusSourceTask; if ((ArgusOutputTask = ArgusNewOutput(ArgusSourceTask, ArgusModel)) == NULL) ArgusLog (LOG_ERR, "Error Creating Output Thread: Exiting.\n"); setArgusFarReportInterval (ArgusModel, ARGUS_FARSTATUSTIMER); setArgusMarReportInterval (ArgusOutputTask,ARGUS_MARSTATUSTIMER); setArgusMarInfReportInterval (ArgusOutputTask,ARGUS_MARINTERFACETIMER); if (!doconf) { snprintf (path, MAXPATHNAMELEN - 1, "/etc/argus.conf"); if (stat (path, &statbuf) == 0) { ArgusParseResourceFile (ArgusModel, path, readoffline); } } optind = 1; opterr = 0; while ((op = getopt (argc, argv, "AbB:c:CdD:e:E:fF:g:H:i:Jk:lmM:N:OP:pRr:S:s:tT:u:U:w:XZh")) != EOF) { switch (op) { case 'A': setArgusAflag(ArgusModel, 1); break; case 'b': setArgusbpflag (ArgusSourceTask, 1); break; case 'B': setArgusBindAddr (ArgusOutputTask, optarg); break; case 'c': if ((chroot_dir = strdup(optarg)) == NULL) ArgusLog (LOG_ERR, "strdup %s", strerror(errno)); break; case 'C': { setArgusCaptureFlag(ArgusSourceTask, 1); setArgusControlMonitor(ArgusModel); setArgusSnapLen(ArgusSourceTask, ARGUS_MAXSNAPLEN); break; } case 'd': ArgusDaemon = ArgusDaemon ? 0 : 1; break; case 'D': setArgusdflag (ArgusModel, atoi (optarg)); break; case 'e': ArgusParseSourceID(ArgusSourceTask, NULL, optarg); break; case 'H': setArgusHashTableSize (ArgusModel, atoi(optarg)); break; case 'E': /* handled above */ break; case 'f': setArgusfflag (ArgusSourceTask, 1); break; case 'F': ArgusParseResourceFile (ArgusModel, optarg, readoffline); break; case 'g': { struct group *gr; if ((gr = getgrnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown group \"%s\"\n", optarg); new_gid = gr->gr_gid; endgrent(); break; } case 'i': if (!readoffline) { char Istr[1024], *Iptr = Istr; size_t slen; if (!commandlinei++) clearArgusDevice(ArgusSourceTask); do { memset(Istr, 0, sizeof(Istr)); if (*optarg == '"') { if (Iptr[1] != '\0') snprintf (Istr, 1024, "%s ", (&Iptr[1])); while ((Iptr = strchr (Istr, '"')) == NULL) { if ((optarg = argv[optind]) != NULL) { snprintf (&Istr[strlen(Istr)], (1024 - strlen(Istr)), "%s ", optarg); optind++; } else break; } optarg = Istr; } else snprintf (&Istr[strlen(Istr)], (1024 - strlen(Istr)), "%s ", optarg); if ((optarg = argv[optind]) != NULL) if (*optarg != '-') optind++; } while (optarg && (*optarg != '-')); /* remove trailing space */ slen = strlen(Istr); if (slen > 0 && Istr[slen-1] == ' ') Istr[slen-1] = '\0'; setArgusDevice (ArgusSourceTask, Istr, ARGUS_LIVE_DEVICE, 0); break; } case 'J': setArgusGenerateTime (ArgusModel, 1); break; case 'k': setArgusLogDisplayPriority (atoi(optarg)); break; case 'l': setArgusListInterfaces (ArgusSourceTask, 1); break; case 'm': setArgusmflag (ArgusModel, 1); break; case 'M': setArgusMarReportInterval (ArgusOutputTask, optarg); break; case 'N': { char *ptr = NULL; if ((ptr = strchr (optarg, '-')) != NULL) { char *eptr = ptr + 1; ArgusSourceTask->sNflag = (int) strtol(optarg, (char **)&ptr, 10); if (ptr == optarg) usage (); ArgusSourceTask->eNflag = (int) strtol(eptr, (char **)&ptr, 10); if (ptr == eptr) usage (); } else { ArgusSourceTask->sNflag = 0; ArgusSourceTask->eNflag = (int) strtol(optarg, (char **)&ptr, 10); if (ptr == optarg) usage (); } break; } case 'O': setArgusOflag (ArgusSourceTask, 0); break; case 'P': setArgusPortNum(ArgusOutputTask, atoi(optarg)); break; case 'p': setArguspflag (ArgusSourceTask, 1); break; case 'R': setArgusResponseStatus (ArgusModel, 1); break; case 'r': { char Rstr[1024], *Rptr = Rstr; do { if (*optarg == '"') { if (Rptr[1] != '\0') snprintf (Rstr, 1024, "%s ", (&Rptr[1])); while ((Rptr = strchr (Rstr, '"')) == NULL) { if ((optarg = argv[optind]) != NULL) { snprintf (&Rstr[strlen(Rstr)], (1024 - strlen(Rstr)), "%s ", optarg); optind++; } else break; } optarg = Rstr; } setArgusrfile (ArgusSourceTask, optarg); if ((optarg = argv[optind]) != NULL) if (*optarg != '-') optind++; } while (optarg && (*optarg != '-')); break; } case 'S': setArgusFarReportInterval (ArgusModel, optarg); break; case 's': setArgusSnapLen (ArgusSourceTask, atoi(optarg)); break; case 't': setArgusMoatTshFile (ArgusSourceTask, 1); break; case 'T': { float value; char *nptr = optarg, *endptr; value = strtod(nptr, &endptr); if (nptr != endptr) setArgusRealTime (ArgusSourceTask, value); else usage (); break; } case 'u': { struct passwd *pw; if ((pw = getpwnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown user \"%s\"\n", optarg); new_uid = pw->pw_uid; endpwent(); break; } case 'U': setArgusUserDataLen (ArgusModel, atoi (optarg)); if (getArgusSnapLen(ArgusSourceTask) != ARGUS_MAXSNAPLEN) setArgusSnapLen (ArgusSourceTask, atoi(optarg) + ARGUS_MINSNAPLEN); break; case 'w': if (!commandlinew++) clearArgusWfile(); if ((tmparg = optarg) != NULL) { if ((*tmparg != '-') || ((*tmparg == '-') && (!(strcmp (tmparg, "-"))))) { if (argc == optind) filter = NULL; else { filter = argv[optind]; if (*filter == '-') { filter = NULL; } else optind++; } setArgusWfile (tmparg, filter); break; } } case 'X': clearArgusConfiguration (ArgusModel); break; case 'Z': setArgusGeneratePacketSize(ArgusModel, 1); break; case 'h': default: usage (); } } setArgusArgv (ArgusSourceTask, argv); setArgusOptind (ArgusSourceTask, optind); setArgusCmdBuf (ArgusSourceTask); if (ArgusSourceTask->ArgusCmdBuf != NULL) ArgusSourceTask->ArgusInputFilter = strdup(ArgusSourceTask->ArgusCmdBuf); if (getArgusrfile(ArgusSourceTask) != NULL) { ArgusSourceTask->ArgusReadingOffLine++; if (!(getArgusRealTime(ArgusSourceTask))) { ArgusDaemon = 0; setArgusBindAddr(ArgusOutputTask, NULL); if (getArgusfflag (ArgusSourceTask) == 0) { setArgusPortNum(ArgusOutputTask, 0); } } } setArgusInterfaceStatus(ArgusSourceTask, 1); if ((daemonflag = ArgusDaemon) != 0) { if ((pid = fork ()) < 0) { ArgusLog (LOG_ERR, "Can't fork daemon %s", strerror(errno)); } else { if (pid) { struct timespec ts = {0, 500000000}; int status; nanosleep(&ts, NULL); waitpid(pid, &status, WNOHANG); if (kill(pid, 0) < 0) { exit (1); } else exit (0); } else { ArgusSessionId = setsid(); if ((freopen ("/dev/null", "w", stdout)) == NULL) ArgusLog (LOG_ERR, "Cannot map stdout to /dev/null"); if ((freopen ("/dev/null", "w", stderr)) == NULL) ArgusLog (LOG_ERR, "Cannot map stderr to /dev/null"); #ifdef HAVE_SYSLOG closelog (); openlog (ArgusProgramName, LOG_PID, LOG_DAEMON); #endif } } } #if defined(ARGUS_FLEXLM) if (borrow > 0) { gettimeofday(&borrow_expire, NULL); borrow_expire.tv_sec += (86400 * borrow); } sigfillset(&blocked_signals); if (pthread_sigmask(SIG_BLOCK, &blocked_signals, &prev_blocked_signals) != 0) ArgusLog(LOG_ERR, "unable to block all signals\n"); license = ArgusLicenseInit((borrow > 0) ? &borrow_expire : NULL); ArgusLicenseCheckout(license); /* exits process on failure */ sigemptyset(&blocked_signals); if (pthread_sigmask(SIG_SETMASK, &prev_blocked_signals, NULL) != 0) ArgusLog(LOG_ERR, "unable to unblock all signals\n"); #endif // ArgusLog(LOG_INFO, "started"); #if defined(ARGUS_THREADS) pthread_mutex_init(&ArgusMainLock, NULL); if ((status = pthread_attr_init(ArgusAttr)) != 0) ArgusLog (LOG_ERR, "pthreads init error"); #if defined(_POSIX_THREAD_PRIORITY_SCHEDULING) && !defined(sun) && !defined(CYGWIN) && !defined(OpenBSD) if ((pthread_attr_getschedpolicy(ArgusAttr, &thread_policy)) != 0) ArgusLog (LOG_ERR, "pthreads get policy error"); if ((pthread_attr_getschedparam(ArgusAttr, &thread_param)) != 0) ArgusLog (LOG_ERR, "pthreads get sched params error"); if ((pthread_attr_setschedpolicy(ArgusAttr, SCHED_RR)) != 0) ArgusLog (LOG_ERR, "pthreads set SCHED_RR error"); #if defined(HAVE_SCHED_GET_PRIORITY_MIN) if ((rr_min_priority = sched_get_priority_min(SCHED_RR)) == -1) ArgusLog (LOG_ERR, "pthreads get priority min error"); if ((rr_max_priority = sched_get_priority_max(SCHED_RR)) == -1) ArgusLog (LOG_ERR, "pthreads get priority max error"); thread_param.sched_priority = (rr_max_priority + rr_min_priority)/2 + 1; if (thread_param.sched_priority > rr_max_priority) thread_param.sched_priority = rr_max_priority; if (thread_param.sched_priority < (rr_max_priority - 8)) thread_param.sched_priority = rr_max_priority - 8; if ((pthread_attr_setschedparam(ArgusAttr, &thread_param)) != 0) ArgusLog (LOG_ERR, "pthreads set sched param error"); #endif #else #if defined(__sun__) pthread_attr_setschedpolicy(ArgusAttr, SCHED_RR); #endif #endif pthread_attr_setdetachstate(ArgusAttr, PTHREAD_CREATE_JOINABLE); #endif ArgusInitOutput (ArgusOutputTask); if (getArgusrfile(ArgusSourceTask) != NULL) { if (getArgusRealTime(ArgusSourceTask)) { ArgusInitEvents (ArgusEventsTask); } } else { ArgusInitEvents (ArgusEventsTask); } #if defined(ARGUS_THREADS) sigemptyset(&blocked_signals); pthread_sigmask(SIG_BLOCK, &blocked_signals, NULL); #endif #if defined(HAVE_SOLARIS) sigignore(SIGPIPE); #else (void) signal (SIGPIPE, SIG_IGN); #endif (void) signal (SIGHUP, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGINT, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGTERM, (void (*)(int)) ArgusScheduleShutDown); (void) signal (SIGUSR1, (void (*)(int)) ArgusUsr1Sig); (void) signal (SIGUSR2, (void (*)(int)) ArgusUsr2Sig); ArgusSourceProcess(ArgusSourceTask); #ifdef ARGUSDEBUG ArgusDebug (1, "main() ArgusSourceProcess returned: shuting down"); #endif ArgusShutDown(); #ifdef HAVE_SYSLOG closelog(); #endif exit(0); } void ArgusComplete () { #define ARGUSPERFMETRICS 1 #if defined(ARGUSPERFMETRICS) /* long long ArgusTotalPkts = 0, ArgusTotalIPPkts = 0; long long ArgusTotalNonIPPkts = 0; */ struct timeval timediff; double totaltime; int i, len; char buf[256]; long long ArgusTotalNewFlows; long long ArgusTotalClosedFlows; long long ArgusTotalSends; long long ArgusTotalBadSends; long long ArgusTotalUpdates; long long ArgusTotalCacheHits; char *ArgusIntStr[ARGUS_MAXINTERFACE]; bzero(ArgusIntStr, sizeof(ArgusIntStr)); #endif #if defined(ARGUSPERFMETRICS) for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (ArgusSourceTask->ArgusInterface[i].ArgusDevice != NULL) { /* ArgusTotalPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts; ArgusTotalIPPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalIPPkts; ArgusTotalNonIPPkts += ArgusSourceTask->ArgusInterface[i].ArgusTotalNonIPPkts; */ } } if (ArgusSourceTask->ArgusEndTime.tv_sec == 0) gettimeofday (&ArgusSourceTask->ArgusEndTime, 0L); if (ArgusSourceTask->ArgusStartTime.tv_sec == 0) ArgusSourceTask->ArgusStartTime = ArgusSourceTask->ArgusEndTime; bzero(buf, sizeof(buf)); timediff.tv_sec = ArgusSourceTask->ArgusEndTime.tv_sec - ArgusSourceTask->ArgusStartTime.tv_sec; timediff.tv_usec = ArgusSourceTask->ArgusEndTime.tv_usec - ArgusSourceTask->ArgusStartTime.tv_usec; if (timediff.tv_usec < 0) { #if defined(ARGUS_NANOSECONDS) timediff.tv_usec += 1000000000; #else timediff.tv_usec += 1000000; #endif timediff.tv_sec--; } #if defined(ARGUS_NANOSECONDS) totaltime = (double) timediff.tv_sec + (((double) timediff.tv_usec)/1000000000.0); #else totaltime = (double) timediff.tv_sec + (((double) timediff.tv_usec)/1000000.0); #endif for (i = 0; i < ARGUS_MAXINTERFACE; i++) { char sbuf[MAXSTRLEN]; if (ArgusSourceTask->ArgusInterface[i].ArgusDevice != NULL) { sprintf (sbuf, "%s\n Total Pkts %8lld Rate %f\n", ArgusSourceTask->ArgusInterface[i].ArgusDevice->name, ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts, ArgusSourceTask->ArgusInterface[i].ArgusTotalPkts/totaltime); ArgusIntStr[i] = strdup(sbuf); } } #endif ArgusCloseSource (ArgusSourceTask); ArgusCloseEvents (ArgusEventsTask); ArgusCloseModeler (ArgusModel); ArgusCloseOutput (ArgusOutputTask); #if defined(ARGUSPERFMETRICS) ArgusTotalNewFlows = ArgusModel->ArgusTotalNewFlows; ArgusTotalClosedFlows = ArgusModel->ArgusTotalClosedFlows; ArgusTotalSends = ArgusModel->ArgusTotalSends; ArgusTotalBadSends = ArgusModel->ArgusTotalBadSends; ArgusTotalUpdates = ArgusModel->ArgusTotalUpdates; ArgusTotalCacheHits = ArgusModel->ArgusTotalCacheHits; #endif ArgusFree(ArgusOutputTask); ArgusFree(ArgusModel); ArgusDeleteEvents(ArgusEventsTask); ArgusDeleteSource(ArgusSourceTask); #if defined(ARGUSPERFMETRICS) len = (int) strlen(ArgusProgramName); for (i = 0; i < len; i++) buf[i] = ' '; if (ArgusTotalNewFlows > 0) { extern int ArgusAllocTotal, ArgusFreeTotal; fprintf (stderr, "%s: Time %d.%06d Flows %-8lld Closed %-8lld Sends %-8lld BSends %-8lld\n", ArgusProgramName, (int)timediff.tv_sec, (int)timediff.tv_usec, ArgusTotalNewFlows, ArgusTotalClosedFlows, ArgusTotalSends, ArgusTotalBadSends); fprintf (stderr, "%*s Updates %-8lld Cache %-8lld\n", (int)strlen(ArgusProgramName), " ", ArgusTotalUpdates, ArgusTotalCacheHits); fprintf (stderr, "%*s Total Memory %-8d Free %-8d\n", (int)strlen(ArgusProgramName), " ", ArgusAllocTotal, ArgusFreeTotal); } for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if (ArgusIntStr[i] != NULL) { fprintf (stderr, "Source: %s\n", ArgusIntStr[i]); free(ArgusIntStr[i]); } } #endif } char *ArgusSignalTable [] = { "Normal Shutdown", "SIGHUP", "SIGINT", "SIGQUIT", "SIGILL", "SIGTRAP", "SIGABRT", "SIGBUS", "SIGFPE", "SIGKILL", "SIGUSR1", "SIGSEGV", "SIGUSR2", "SIGPIPE", "SIGALRM", "SIGTERM", "SIGSTKFLT", "SIGCHLD", "SIGCONT", "SIGSTOP", "SIGTSTP", "SIGTTIN", "SIGTTOU", "SIGURG", "SIGXCPU", "SIGXFSZ", "SIGVTALRM", "SIGPROF", "SIGWINCH", "SIGIO", }; int ArgusShutDownFlag = 0; int ArgusShutDownSig = 0; #if defined(HAVE_BACKTRACE) #include void ArgusBacktrace (void) { void* callstack[128]; int i, frames = backtrace(callstack, 128); char** strs = backtrace_symbols(callstack, frames); for (i = 0; i < frames; ++i) { ArgusLog(LOG_WARNING, "%s", strs[i]); } free(strs); } #endif void ArgusScheduleShutDown (int sig) { ArgusSourceTask->status |= ARGUS_SHUTDOWN; #ifdef ARGUSDEBUG #if defined(HAVE_BACKTRACE) if (Argusdflag > 1) { ArgusLog(LOG_WARNING, "ArgusScheduleShutDown(%d)", sig); ArgusBacktrace(); } #endif ArgusShutDownSig = sig; ArgusShutDownFlag++; ArgusDebug (1, "ArgusScheduleShutDown(%d)\n", sig); #endif } static void ArgusShutDown (void) { #if defined(ARGUSDEBUG) #if defined(HAVE_BACKTRACE) if (Argusdflag > 1) { ArgusLog(LOG_WARNING, "ArgusShutDown(%d)", ArgusShutDownSig); ArgusBacktrace(); } #endif #endif #ifdef ARGUSDEBUG if (Argusdflag >= 1) fprintf(stderr, "\n"); ArgusDebug (1, "ArgusShutDown(%s)\n\n", ArgusSignalTable[ArgusShutDownSig]); #endif ArgusComplete (); if (ArgusPidFile) unlink (ArgusPidFile); if (ArgusPidPath) free (ArgusPidPath); ArgusDeleteMallocList(); if (daemonflag) ArgusLog(LOG_INFO, "stopped"); #if defined(ARGUS_FLEXLM) ArgusLicenseCheckin(license); ArgusLicenseCleanup(license); #endif #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusShutDown()\n"); #endif } void setArgusBindAddr (struct ArgusOutputStruct *output, char *value) { if (value && (strcmp(value, "null") == 0)) value = NULL; if (value) { if (output->ArgusBindAddrs == NULL) output->ArgusBindAddrs = ArgusNewList(); struct ArgusBindAddrStruct *baddr; char *tok, *ptr = value; while ((tok = strtok (ptr, ", \t")) != NULL) { if ((baddr = (struct ArgusBindAddrStruct *) ArgusCalloc(1, sizeof(*baddr))) == NULL) ArgusLog (LOG_ERR, "setArgusBindAddr ArgusCalloc %s\n", strerror(errno)); baddr->addr = strdup(tok); ArgusPushBackList(output->ArgusBindAddrs, (struct ArgusListRecord *) baddr, ARGUS_LOCK); ptr = NULL; } } else { if (output->ArgusBindAddrs != NULL) { ArgusDeleteList(output->ArgusBindAddrs, ARGUS_BIND_ADDR_LIST); output->ArgusBindAddrs = NULL; } } } char * getArgusBindAddr (struct ArgusOutputStruct *output) { char *retn = NULL; if (output->ArgusBindAddrs != NULL) { if (output->ArgusBindAddrs->start) { struct ArgusBindAddrStruct *baddr = (void *) output->ArgusBindAddrs->start; retn = baddr->addr; } } return(retn); } void setArguspidflag (int value) { pidflag = value; } int getArguspidflag () { return (pidflag); } #define ARGUS_RCITEMS 67 #define ARGUS_MONITOR_ID 0 #define ARGUS_MONITOR_ID_INCLUDE_INF 1 #define ARGUS_DAEMON 2 #define ARGUS_ACCESS_PORT 3 #define ARGUS_INTERFACE 4 #define ARGUS_OUTPUT_FILE 5 #define ARGUS_SET_PID 6 #define ARGUS_PID_PATH 7 #define ARGUS_GO_PROMISCUOUS 8 #define ARGUS_FLOW_STATUS_INTERVAL 9 #define ARGUS_MAR_STATUS_INTERVAL 10 #define ARGUS_CAPTURE_DATA_LEN 11 #define ARGUS_GENERATE_START_RECORDS 12 #define ARGUS_GENERATE_RESPONSE_TIME_DATA 13 #define ARGUS_GENERATE_JITTER_DATA 14 #define ARGUS_GENERATE_MAC_DATA 15 #define ARGUS_DEBUG_LEVEL 16 #define ARGUS_FILTER_OPTIMIZER 17 #define ARGUS_FILTER 18 #define ARGUS_PACKET_CAPTURE_FILE 19 #define ARGUS_PACKET_CAPTURE_ON_ERROR 20 #define ARGUS_PACKET_CAPTURE_ON_PROTO 21 #define ARGUS_MIN_SSF 22 #define ARGUS_MAX_SSF 23 #define ARGUS_COLLECTOR 24 #define ARGUS_FLOW_TYPE 25 #define ARGUS_FLOW_KEY 26 #define ARGUS_GENERATE_APPBYTE_METRIC 27 #define ARGUS_CHROOT_DIR 28 #define ARGUS_SETUSER_ID 29 #define ARGUS_SETGROUP_ID 30 #define ARGUS_GENERATE_TCP_PERF_METRIC 31 #define ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS 32 #define ARGUS_GENERATE_PACKET_SIZE 33 #define ARGUS_ENV 34 #define ARGUS_CAPTURE_FULL_CONTROL_DATA 35 #define ARGUS_SELF_SYNCHRONIZE 36 #define ARGUS_EVENT_DATA 37 #define ARGUS_JITTER_HISTOGRAM 38 #define ARGUS_OUTPUT_STREAM 39 #define ARGUS_KEYSTROKE 40 #define ARGUS_KEYSTROKE_CONF 41 #define ARGUS_TUNNEL_DISCOVERY 42 #define ARGUS_IP_TIMEOUT 43 #define ARGUS_TCP_TIMEOUT 44 #define ARGUS_ICMP_TIMEOUT 45 #define ARGUS_IGMP_TIMEOUT 46 #define ARGUS_FRAG_TIMEOUT 47 #define ARGUS_ARP_TIMEOUT 48 #define ARGUS_OTHER_TIMEOUT 49 #define ARGUS_TRACK_DUPLICATES 50 #define ARGUS_PCAP_BUF_SIZE 51 #define ARGUS_OS_FINGERPRINTING 52 #define ARGUS_CONTROLPLANE_PROTO 53 #define ARGUS_PCAP_DISPATCH_NUM 54 #define ARGUS_HASHTABLE_SIZE 55 #define ARGUS_GENERATE_HASH_METRICS 56 #define ARGUS_INTERFACE_SCAN_INTERVAL 57 #define ARGUS_LOG_DISPLAY_PRIORITY 58 #define ARGUS_MAR_INTERFACE_INTERVAL 59 #define ARGUS_TIMESTAMP_TYPE 60 #define ARGUS_DEDUP 61 #define ARGUS_PACKET_SIZE_HISTOGRAM 62 #define ARGUS_TUNNEL_PARSING 63 #define ARGUS_TUNNEL_INFORMATION 64 #define ARGUS_BIND_IP 65 #define ARGUS_ENCAPS_CAPTURE 66 char *ArgusResourceFileStr [ARGUS_RCITEMS] = { "ARGUS_MONITOR_ID=", "ARGUS_MONITOR_ID_INCLUDE_INF=", "ARGUS_DAEMON=", "ARGUS_ACCESS_PORT=", "ARGUS_INTERFACE=", "ARGUS_OUTPUT_FILE=", "ARGUS_SET_PID=", "ARGUS_PID_PATH=", "ARGUS_GO_PROMISCUOUS=", "ARGUS_FLOW_STATUS_INTERVAL=", "ARGUS_MAR_STATUS_INTERVAL=", "ARGUS_CAPTURE_DATA_LEN=", "ARGUS_GENERATE_START_RECORDS=", "ARGUS_GENERATE_RESPONSE_TIME_DATA=", "ARGUS_GENERATE_JITTER_DATA=", "ARGUS_GENERATE_MAC_DATA=", "ARGUS_DEBUG_LEVEL=", "ARGUS_FILTER_OPTIMIZER=", "ARGUS_FILTER=", "ARGUS_PACKET_CAPTURE_FILE=", "ARGUS_PACKET_CAPTURE_ON_ERROR=", "ARGUS_PACKET_CAPTURE_ON_PROTO=", "ARGUS_MIN_SSF=", "ARGUS_MAX_SSF=", "ARGUS_COLLECTOR=", "ARGUS_FLOW_TYPE=", "ARGUS_FLOW_KEY=", "ARGUS_GENERATE_APPBYTE_METRIC=", "ARGUS_CHROOT_DIR=", "ARGUS_SETUSER_ID=", "ARGUS_SETGROUP_ID=", "ARGUS_GENERATE_TCP_PERF_METRIC=", "ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=", "ARGUS_GENERATE_PACKET_SIZE=", "ARGUS_ENV=", "ARGUS_CAPTURE_FULL_CONTROL_DATA=", "ARGUS_SELF_SYNCHRONIZE=", "ARGUS_EVENT_DATA=", "ARGUS_JITTER_HISTOGRAM=", "ARGUS_OUTPUT_STREAM=", "ARGUS_KEYSTROKE=", "ARGUS_KEYSTROKE_CONF=", "ARGUS_TUNNEL_DISCOVERY=", "ARGUS_IP_TIMEOUT=", "ARGUS_TCP_TIMEOUT=", "ARGUS_ICMP_TIMEOUT=", "ARGUS_IGMP_TIMEOUT=", "ARGUS_FRAG_TIMEOUT=", "ARGUS_ARP_TIMEOUT=", "ARGUS_OTHER_TIMEOUT=", "ARGUS_TRACK_DUPLICATES=", "ARGUS_PCAP_BUF_SIZE=", "ARGUS_OS_FINGERPRINTING=", "ARGUS_CONTROLPLANE_PROTO=", "ARGUS_PCAP_DISPATCH_NUM=", "ARGUS_HASHTABLE_SIZE=", "ARGUS_GENERATE_HASH_METRICS=", "ARGUS_INTERFACE_SCAN_INTERVAL=", "ARGUS_LOG_DISPLAY_PRIORITY=", "ARGUS_MAR_INTERFACE_INTERVAL=", "ARGUS_TIMESTAMP_TYPE=", "ARGUS_DEDUP=", "ARGUS_PACKET_SIZE_HISTOGRAM=", "ARGUS_TUNNEL_PARSING=", "ARGUS_TUNNEL_INFORMATION=", "ARGUS_BIND_IP=", "ARGUS_ENCAPS_CAPTURE=" }; #define ARGUS_INTERFACE_SCAN_INTERVAL_MAX 60 extern pcap_dumper_t *ArgusPcapOutFile; extern char *ArgusWriteOutPacketFile; #ifdef CYGWIN static int __wmic_get_uuid(char *uuidstr, size_t len) { FILE *fp; char str[64]; int res = -1; if (len < 37) /* need 37 bytes, including terminating null, to hold uuid string */ return -1; fp = popen("/cygdrive/c/Windows/System32/Wbem/wmic.exe" " path win32_computersystemproduct get uuid", "r"); if (fp == NULL) { fp = popen("c:/Windows/System32/Wbem/wmic.exe" " path win32_computersystemproduct get uuid", "r"); return -1; } if (fgets(str, sizeof(str), fp) == NULL) goto close_out; if (strncmp(str, "UUID", 4) == 0) { if (fgets(str, sizeof(str), fp) == NULL) goto close_out; if (strlen(str) >= 37) { strncpy(uuidstr, str, 36); uuidstr[36] = '\0'; res = 0; } } close_out: fclose(fp); return res; } #endif #ifdef HAVE_MACHINE_ID static int __linux_get_machine_id_uuid(char *uuidstr, size_t len) { #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || defined(__APPLE__) || defined(__sun__) char *fptr = "/etc/machine-id"; #else char *fptr = "/var/lib/dbus/machine-id"; #endif char str[64], *sptr = str; int slen, res = -1; FILE *fp; if (len < 37) /* need 37 bytes, including terminating null, to hold uuid string */ return -1; if ((fp = fopen(fptr, "r")) != NULL) { if (fgets(str, sizeof(str), fp) == NULL) goto linux_close_out; if (strncmp(sptr, "UUID", 4) == 0) sptr += 4; if (sptr[strlen(sptr) - 1] == '\n') sptr[strlen(sptr) - 1] = '\0'; if ((slen = strlen(sptr)) >= 32) { strncpy(uuidstr, sptr, 32); uuidstr[33] = '\0'; res = 0; } linux_close_out: fclose(fp); } return res; } #endif void ArgusParseResourceFile (struct ArgusModelerStruct *model, char *file, int readoffline) { FILE *fd; char strbuf[MAXSTRLEN], *str = strbuf, *optarg; char result[MAXSTRLEN], *qptr = NULL; int i, len, done = 0, linenum = 0; int interfaces = 0, outputfiles = 0; if (file) { if ((fd = fopen (file, "r")) != NULL) { while ((fgets(str, MAXSTRLEN, fd)) != NULL) { done = 0; linenum++; while (*str && isspace((int)*str)) str++; if (*str && (*str != '#') && (*str != '\n') && (*str != '!')) { for (i = 0; i < ARGUS_RCITEMS && !done; i++) { len = (int) strlen(ArgusResourceFileStr[i]); if (!(strncmp (str, ArgusResourceFileStr[i], len))) { int quoted = 0; optarg = &str[len]; if (*optarg == '\"') { optarg++; if ((qptr = strchr(optarg, '"')) != NULL) *qptr++ = '\0'; else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) string unterminated at line %d\n", file, linenum); quoted = 1; } // deal with potential embedded comments if (!quoted) { if (((qptr = strstr(optarg, " //")) != NULL) || ((qptr = strstr(optarg, "\t//")) != NULL)) *qptr++ = '\0'; } while (optarg[strlen(optarg) - 1] == '\n') optarg[strlen(optarg) - 1] = '\0'; switch (i) { case ARGUS_MONITOR_ID: if (optarg && quoted) { // Argus ID is a string. Limit to date is 4 characters. int slen = (int) strlen(optarg); if (slen > 4) { optarg[4] = '\0'; slen = 4; } setArgusID (ArgusSourceTask, optarg, slen, ARGUS_TYPE_STRING); } else { if (optarg && (*optarg == '`')) { char *ptr = NULL; char *tptr = strchr((optarg + 1), '`'); int appendInf = 0; if (strstr(optarg, "/inf")) appendInf = 1; if (tptr != NULL) { FILE *fd; optarg++; *tptr = '\0'; if (!(strcmp (optarg, "hostname"))) { if ((fd = popen("hostname", "r")) != NULL) { char buf[128], *sptr; ptr = NULL; clearerr(fd); while ((ptr == NULL) && !(feof(fd))) ptr = fgets(result, MAXSTRLEN, fd); if (ptr == NULL) ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) `hostname` failed %s.\n", file, strerror(errno)); pclose(fd); ptr[strlen(ptr) - 1] = '\0'; if ((sptr = strstr(ptr, ".local")) != NULL) { if (strlen(sptr) == strlen(".local")) *sptr = '\0'; } if (appendInf) sprintf(buf, "\"%s\"/inf", ptr); else sprintf(buf, "\"%s\"", ptr); optarg = strdup(buf); } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) System error: popen() %s\n", file, strerror(errno)); } else if (!(strcmp (optarg, "hostuuid"))) { #ifdef HAVE_GETHOSTUUID uuid_t id; struct timespec ts = {0,0}; if (gethostuuid(id, &ts) == 0) { char buf[128], sbuf[64]; uuid_unparse(id, sbuf); if (appendInf) sprintf(buf, "%s/inf", sbuf); else sprintf(buf, "%s", sbuf); optarg = strdup(buf); } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) System error: gethostuuid() %s\n", file, strerror(errno)); #else # ifdef HAVE_MACHINE_ID char uuidstr[64]; char buf[128]; bzero(uuidstr, 64); if (__linux_get_machine_id_uuid(uuidstr, 37) == 0) { if (appendInf) sprintf(buf, "%s/inf", uuidstr); else sprintf(buf, "%s", uuidstr); optarg = strdup(buf); } else { ArgusLog(LOG_ERR, "%s(%s) unable to " "read system UUID\n", __func__, file); } #else # ifdef CYGWIN char uuidstr[64]; char buf[128]; if (__wmic_get_uuid(uuidstr, 37) == 0) { if (appendInf) sprintf(buf, "%s/inf", uuidstr); else sprintf(buf, "%s", uuidstr); optarg = strdup(buf); } else { ArgusLog(LOG_ERR, "%s(%s) unable to " "read system UUID\n", __func__, file); } # endif # endif #endif } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) unsupported command `%s` line %d.\n", optarg, linenum); } else ArgusLog (LOG_ERR, "ArgusParseResourceFile(%s) syntax error line %d\n", file, linenum); } ArgusParseSourceID(ArgusSourceTask, NULL, optarg); } break; case ARGUS_MONITOR_ID_INCLUDE_INF: setArgusManInf(ArgusSourceTask, optarg); break; case ARGUS_DAEMON: if (!(strncasecmp(optarg, "yes", 3))) ArgusDaemon = 1; else ArgusDaemon = 0; break; case ARGUS_ACCESS_PORT: setArgusPortNum(ArgusOutputTask, atoi(optarg)); break; case ARGUS_OUTPUT_FILE: case ARGUS_OUTPUT_STREAM: { char *ptr = NULL; if ((ptr = strchr (optarg, '"')) != NULL) *ptr = '\0'; if ((ptr = strchr (optarg, ' ')) != NULL) { *ptr++ = '\0'; } if (!outputfiles++) clearArgusWfile(); setArgusWfile (optarg, ptr); break; } case ARGUS_INTERFACE: if (readoffline) break; if (!interfaces++) clearArgusDevice(ArgusSourceTask); setArgusDevice (ArgusSourceTask, optarg, ARGUS_LIVE_DEVICE, 0); break; case ARGUS_SET_PID: if (!(strncasecmp(optarg, "yes", 3))) setArguspidflag (1); else setArguspidflag (0); break; case ARGUS_PID_PATH: { ArgusPidPath = strdup(optarg); break; } case ARGUS_GO_PROMISCUOUS: if (!(strncasecmp(optarg, "yes", 3))) setArguspflag (ArgusSourceTask, 1); else setArguspflag (ArgusSourceTask, 0); break; case ARGUS_FLOW_STATUS_INTERVAL: setArgusFarReportInterval (model, optarg); break; case ARGUS_MAR_STATUS_INTERVAL: setArgusMarReportInterval (ArgusOutputTask, optarg); break; case ARGUS_MAR_INTERFACE_INTERVAL: setArgusMarInfReportInterval (ArgusOutputTask, optarg); break; case ARGUS_CAPTURE_DATA_LEN: setArgusUserDataLen (model, atoi(optarg)); if (getArgusSnapLen(ArgusSourceTask) != ARGUS_MAXSNAPLEN) setArgusSnapLen (ArgusSourceTask, atoi(optarg) + ARGUS_MINSNAPLEN); break; case ARGUS_GENERATE_START_RECORDS: { extern int ArgusGenerateStartRecords; if ((!strncasecmp(optarg, "yes", 3))) ArgusGenerateStartRecords++; else ArgusGenerateStartRecords = 0; break; } case ARGUS_GENERATE_RESPONSE_TIME_DATA: if (!(strncasecmp(optarg, "yes", 3))) setArgusResponseStatus (model, 1); else setArgusResponseStatus (model, 0); break; case ARGUS_GENERATE_JITTER_DATA: if (!(strncasecmp(optarg, "yes", 3))) { #if !defined(HAVE_XDR) ArgusLog (LOG_ERR, "Jitter data generation not supported\n"); #endif setArgusGenerateTime (model, 1); } else setArgusGenerateTime (model, 0); break; case ARGUS_GENERATE_MAC_DATA: if (!(strncasecmp(optarg, "yes", 3))) setArgusmflag (model, 1); else setArgusmflag (model, 0); break; case ARGUS_DEBUG_LEVEL: setArgusdflag (model, atoi(optarg)); break; case ARGUS_FILTER_OPTIMIZER: if (!(strncasecmp(optarg, "yes", 3))) setArgusOflag (ArgusSourceTask, 1); else setArgusOflag (ArgusSourceTask, 0); break; case ARGUS_FILTER: if ((ArgusSourceTask->ArgusInputFilter = ArgusCalloc (1, MAXSTRLEN)) != NULL) { char *ptr = ArgusSourceTask->ArgusInputFilter; str = optarg; while (*str) { if ((*str == '\\') && (str[1] == '\n')) { if (fgets(str, MAXSTRLEN, fd) != NULL) while (*str && (isspace((int)*str) && (str[1] && isspace((int)str[1])))) str++; } if ((*str != '\n') && (*str != '"')) *ptr++ = *str++; else str++; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusFilter \"%s\" \n", ArgusSourceTask->ArgusInputFilter); #endif } break; case ARGUS_PACKET_CAPTURE_FILE: if (*optarg != '\0') { setArgusWriteOutPacketFile (ArgusDumpTask, optarg); ArgusDumpTask->ArgusDumpPacket = 1; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusPacketCaptureFile \"%s\" \n", ArgusSourceTask->ArgusWriteOutPacketFile); #endif break; case ARGUS_PACKET_CAPTURE_ON_ERROR: if (!(strncasecmp(optarg, "yes", 3))) { ArgusDumpTask->ArgusDumpPacketOnError = 1; ArgusDumpTask->ArgusDumpPacket = 0; } else { ArgusDumpTask->ArgusDumpPacketOnError = 0; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusPacketCaptureOnError \"%s\" \n", optarg); #endif break; case ARGUS_PACKET_CAPTURE_ON_PROTO: setArgusPacketCaptureProtocols(ArgusDumpTask, optarg); if (ArgusDumpTask->ppc) { ArgusDumpTask->ArgusDumpPacketOnProtocol = 1; ArgusDumpTask->ArgusDumpPacket = 0; } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusPacketCaptureProtocols \"%s\" \n", optarg); #endif break; case ARGUS_ENCAPS_CAPTURE: setArgusEncapsCapture(model, optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusEncapsCapture \"%s\" \n", optarg); #endif break; case ARGUS_BIND_IP: if (*optarg != '\0') setArgusBindAddr (ArgusOutputTask, optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusBindAddr \"%s\" \n", ArgusBindAddr); #endif break; case ARGUS_MIN_SSF: if (*optarg != '\0') { #ifdef ARGUS_SASL ArgusMinSsf = atoi(optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusMinSsf \"%d\" \n", ArgusMinSsf); #endif #endif } break; case ARGUS_MAX_SSF: if (*optarg != '\0') { #ifdef ARGUS_SASL ArgusMaxSsf = atoi(optarg); #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: ArgusMaxSsf \"%d\" \n", ArgusMaxSsf); #endif #endif } break; case ARGUS_SELF_SYNCHRONIZE: if (!(strncasecmp(optarg, "yes", 3))) { setArgusSynchronize (ArgusModel, 1); } else { setArgusSynchronize (ArgusModel, 0); } break; case ARGUS_EVENT_DATA: { setArgusEventDataRecord (optarg); break; } case ARGUS_COLLECTOR: break; case ARGUS_FLOW_TYPE: if (!(strncasecmp(optarg, "Uni", 3))) setArgusFlowType (model, ARGUS_UNIDIRECTIONAL); else if (!(strncasecmp(optarg, "Bi", 2))) setArgusFlowType (model, ARGUS_BIDIRECTIONAL); break; case ARGUS_FLOW_KEY: { char *tok = NULL; setArgusFlowKey (model, 0); while ((tok = strtok(optarg, " +\t")) != NULL) { if (!(strncasecmp(tok, "CLASSIC_5_TUPLE", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_CLASSIC5TUPLE); else if (!(strncasecmp(tok, "LAYER_2", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_2); else if (!(strncasecmp(tok, "LOCAL_MPLS", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LOCAL_MPLS); else if (!(strncasecmp(tok, "COMPLETE_MPLS", 10))) setArgusFlowKey (model, ARGUS_FLOW_KEY_COMPLETE_MPLS); else if (!(strncasecmp(tok, "VLAN", 4))) setArgusFlowKey (model, ARGUS_FLOW_KEY_VLAN); else if (!(strncasecmp(tok, "LAYER_2_MATRIX", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_2_MATRIX); else if (!(strncasecmp(tok, "LAYER_3_MATRIX", 14))) setArgusFlowKey (model, ARGUS_FLOW_KEY_LAYER_3_MATRIX); optarg = NULL; } break; } case ARGUS_CAPTURE_FULL_CONTROL_DATA: if (!(strncasecmp(optarg, "yes", 3))) { setArgusCaptureFlag (ArgusSourceTask, 1); setArgusControlMonitor(ArgusModel); setArgusSnapLen (ArgusSourceTask, ARGUS_MAXSNAPLEN); } else { setArgusCaptureFlag (ArgusSourceTask, 0); } break; case ARGUS_GENERATE_TCP_PERF_METRIC: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTCPflag(model, 1); else setArgusTCPflag(model, 0); break; } case ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTimeReport(model, 1); else setArgusTimeReport(model, 0); break; } case ARGUS_GENERATE_APPBYTE_METRIC: { if (!(strncasecmp(optarg, "yes", 3))) setArgusAflag(model, 1); else setArgusAflag(model, 0); break; } case ARGUS_GENERATE_PACKET_SIZE: { if (!(strncasecmp(optarg, "yes", 3))) setArgusGeneratePacketSize(model, 1); else setArgusGeneratePacketSize(model, 0); break; } case ARGUS_PACKET_SIZE_HISTOGRAM: { if (!(strncasecmp(optarg, "yes", 3))) setArgusGeneratePacketSizeHisto(model, 1); else setArgusGeneratePacketSizeHisto(model, 0); break; } case ARGUS_CHROOT_DIR: { if (chroot_dir != NULL) free(chroot_dir); chroot_dir = strdup(optarg); break; } case ARGUS_SETUSER_ID: { struct passwd *pw; if ((pw = getpwnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown user \"%s\"\n", optarg); new_uid = pw->pw_uid; endpwent(); break; } case ARGUS_SETGROUP_ID: { struct group *gr; if ((gr = getgrnam(optarg)) == NULL) ArgusLog (LOG_ERR, "unknown group \"%s\"\n", optarg); new_gid = gr->gr_gid; endgrent(); break; } case ARGUS_ENV: { if (putenv(optarg)) ArgusLog (LOG_ERR, "Argus set env \"%s\" error %s\n", optarg, strerror(errno)); break; } case ARGUS_KEYSTROKE: { if (!(strncasecmp(optarg, "yes", 3))) setArgusKeystroke(model, ARGUS_TCP_KEYSTROKE); else if (!(strncasecmp(optarg, "tcp", 3))) setArgusKeystroke(model, ARGUS_TCP_KEYSTROKE); else if (!(strncasecmp(optarg, "ssh", 3))) setArgusKeystroke(model, ARGUS_SSH_KEYSTROKE); else setArgusKeystroke(model, 0); if (getArgusKeystroke(model)) { model->ArgusKeyStroke.n_min = 23; model->ArgusKeyStroke.dc_min = 48; model->ArgusKeyStroke.dc_max = 128; model->ArgusKeyStroke.gs_max = 3; model->ArgusKeyStroke.ds_min = 24; model->ArgusKeyStroke.ds_max = 256; model->ArgusKeyStroke.gpc_max = 3; model->ArgusKeyStroke.ic_min = 50000; model->ArgusKeyStroke.lcs_max = 50000; model->ArgusKeyStroke.icr_min = 0.892; model->ArgusKeyStroke.icr_max = 1.122; } break; } case ARGUS_KEYSTROKE_CONF: { char tokbuf[MAXSTRLEN], *ksptr = tokbuf, *kstok, *brkt; #if defined(HAVE_STRLCPY) strlcpy(tokbuf, optarg, MAXSTRLEN - 1); #else strncpy(tokbuf, optarg, MAXSTRLEN - 1); #endif while ((kstok = strtok_r(ksptr, ";", &brkt)) != NULL) { setArgusKeystrokeVariable(model, kstok); ksptr = NULL; } break; } case ARGUS_OS_FINGERPRINTING: { if (!(strncasecmp(optarg, "yes", 3))) setArgusOSFingerPrinting(model, 1); else setArgusOSFingerPrinting(model, 0); break; } case ARGUS_CONTROLPLANE_PROTO: { setArgusControlPlaneProtocols(model, optarg); break; } case ARGUS_TUNNEL_DISCOVERY: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTunnelDiscovery(model, 1); else setArgusTunnelDiscovery(model, 0); break; } case ARGUS_TRACK_DUPLICATES: { if (!(strncasecmp(optarg, "yes", 3))) setArgusTrackDuplicates(model, 1); else setArgusTrackDuplicates(model, 0); break; } case ARGUS_IP_TIMEOUT: { setArgusIpTimeout (model, atoi(optarg)); break; } case ARGUS_TCP_TIMEOUT: { setArgusTcpTimeout (model, atoi(optarg)); break; } case ARGUS_ICMP_TIMEOUT: { setArgusIcmpTimeout (model, atoi(optarg)); break; } case ARGUS_IGMP_TIMEOUT: { setArgusIgmpTimeout (model, atoi(optarg)); break; } case ARGUS_FRAG_TIMEOUT: { setArgusFragTimeout (model, atoi(optarg)); break; } case ARGUS_ARP_TIMEOUT: { setArgusArpTimeout (model, atoi(optarg)); break; } case ARGUS_OTHER_TIMEOUT: { setArgusOtherTimeout (model, atoi(optarg)); break; } case ARGUS_PCAP_BUF_SIZE: { int size = atoi(optarg); if (size > 0) { if (strchr(optarg, 'K')) size *= 1000; if (strchr(optarg, 'M')) size *= 1000000; if (strchr(optarg, 'G')) size *= 1000000000; setArgusPcapBufSize (ArgusSourceTask, size); } break; } case ARGUS_PCAP_DISPATCH_NUM: { int num = atoi(optarg); setArgusPcapDispatchNumber (ArgusSourceTask, num); break; } case ARGUS_HASHTABLE_SIZE: { setArgusHashTableSize (model, atoi(optarg)); break; } case ARGUS_GENERATE_HASH_METRICS: { if (!(strncasecmp(optarg, "yes", 3))) setArgusHashflag(model, 1); else setArgusHashflag(model, 0); break; } case ARGUS_INTERFACE_SCAN_INTERVAL: { long num; num = strtol(optarg, NULL, 0); if (num <= 0) { ArgusLog(LOG_WARNING, "%s: Scan interval must be positive integer. Using 1 second.\n", __func__); num = 1; } else if (num > ARGUS_INTERFACE_SCAN_INTERVAL_MAX) { ArgusLog(LOG_WARNING, "%s: Limiting interface scan interval to %d\n", __func__, ARGUS_INTERFACE_SCAN_INTERVAL_MAX); num = ARGUS_INTERFACE_SCAN_INTERVAL_MAX; } setArgusInterfaceScanInterval(ArgusSourceTask, (int) num); break; } case ARGUS_LOG_DISPLAY_PRIORITY: setArgusLogDisplayPriority(atoi(optarg)); break; case ARGUS_TIMESTAMP_TYPE: setArgusTimestampType(optarg); break; case ARGUS_DEDUP: setArgusDeDup(optarg); break; case ARGUS_TUNNEL_PARSING: setArgusTunnelParsing(model, optarg); break; case ARGUS_TUNNEL_INFORMATION: setArgusTunnelInformation(model, optarg); break; } done = 1; break; } } } } fclose (fd); } else { #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile: open %s %s\n", file, strerror(errno)); #endif } } #ifdef ARGUSDEBUG ArgusDebug (1, "ArgusParseResourceFile (%s) returning\n", file); #endif } void clearArgusConfiguration (struct ArgusModelerStruct *model) { daemonflag = 0; setArgusID (ArgusSourceTask, 0, 0, 0); clearArgusWfile (); clearArgusDevice (ArgusSourceTask); setArgusPortNum(ArgusOutputTask, 0); setArgusBindAddr (ArgusOutputTask, NULL); setArguspidflag (0); setArguspflag (ArgusSourceTask, 0); setArgusFarReportInterval (model, ARGUS_FARSTATUSTIMER); setArgusMarReportInterval (ArgusOutputTask, ARGUS_MARSTATUSTIMER); setArgusUserDataLen (model, 0); setArgusSnapLen (ArgusSourceTask, ARGUS_MINSNAPLEN); setArgusResponseStatus (model, 0); setArgusGenerateTime (model, 0); setArgusmflag (model, 0); setArgusOflag (ArgusSourceTask, 1); setArgusCaptureFlag (ArgusSourceTask, 0); setArgusAflag(model, 0); setArgusTimeReport(model, 0); setArgusFlowKey (model, ARGUS_FLOW_KEY_CLASSIC5TUPLE); setArgusFlowType(model, ARGUS_BIDIRECTIONAL); if (ArgusDumpTask) { if (ArgusDumpTask->ArgusPcapOutFile != NULL) { pcap_dump_close(ArgusDumpTask->ArgusPcapOutFile); ArgusDumpTask->ArgusPcapOutFile = NULL; } free(ArgusDumpTask->ArgusWriteOutPacketFile); ArgusDumpTask->ArgusWriteOutPacketFile = NULL; ArgusDumpTask->ArgusDumpPacketOnProtocol = 0; ArgusDumpTask->ArgusDumpPacketOnError = 0; } if (ArgusSourceTask->ArgusInputFilter) { ArgusFree(ArgusSourceTask->ArgusInputFilter); ArgusSourceTask->ArgusInputFilter = NULL; } setArgusPcapDispatchNumber(ArgusSourceTask, 1); #ifdef ARGUSDEBUG ArgusDebug (1, "clearArgusConfiguration () returning\n"); #endif } int getArgusPortNum(struct ArgusOutputStruct *output) { return(output->ArgusPortNum); } void setArgusPortNum(struct ArgusOutputStruct *output, int value) { output->ArgusPortNum = value; #ifdef ARGUSDEBUG ArgusDebug (2, "setArgusPortNum(%d) returning\n", value); #endif } void clearArgusWfile(void) { ArgusDeleteList (ArgusOutputTask->ArgusWfileList, ARGUS_WFILE_LIST); ArgusOutputTask->ArgusWfileList = NULL; } void setArgusWfile(char *file, char *filter) { struct ArgusWfileStruct *wfile = NULL; if (ArgusOutputTask->ArgusWfileList == NULL) ArgusOutputTask->ArgusWfileList = ArgusNewList(); if (file) { if ((wfile = (struct ArgusWfileStruct *) ArgusCalloc (1, sizeof (*wfile))) != NULL) { wfile->filename = strdup(file); if (filter) wfile->filter = strdup(filter); ArgusPushFrontList(ArgusOutputTask->ArgusWfileList, (struct ArgusListRecord *) wfile, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "setArgusWfile, ArgusCalloc %s\n", strerror(errno)); } else ArgusLog (LOG_ERR, "setArgusWfile, file is null\n"); } void ArgusUsr1Sig (int sig) { #ifdef ARGUSDEBUG int value = 0, i; Argusdflag = (Argusdflag++ > 30) ? 30 : Argusdflag; if (Argusdflag == 1) { struct ArgusSourceStruct *src; for (i = 0; i < ARGUS_MAXINTERFACE; i++) { if ((src = ArgusSourceTask->srcs[i]) != NULL) { struct ArgusModelerStruct *model = src->ArgusModel; if ((value = getArgusKeystroke(model)) > 0) { ArgusDebug (0, "ArgusKeyStroke model[%d] %s: DC_MIN=%d, DC_MAX=%d, GS_MAX=%d, DS_MIN=%d, DS_MAX=%d, IC_MIN=%d, LCS_MAX=%d, GPC_MAX=%d, ICR_MIN=%f, ICR_MAX=%f\n", i, (value == ARGUS_TCP_KEYSTROKE) ? "\"tcp\"" : ((value == ARGUS_SSH_KEYSTROKE) ? "\"ssh\"" : "\"unknown\""), model->ArgusKeyStroke.dc_min, model->ArgusKeyStroke.dc_max, model->ArgusKeyStroke.gs_max, model->ArgusKeyStroke.ds_min, model->ArgusKeyStroke.ds_max, model->ArgusKeyStroke.ic_min, model->ArgusKeyStroke.lcs_max, model->ArgusKeyStroke.gpc_max, model->ArgusKeyStroke.icr_min, model->ArgusKeyStroke.icr_max); } } } } ArgusDebug (0, "ArgusUsr1Sig: debug %d enabled\n", Argusdflag); #endif } void ArgusUsr2Sig (int sig) { #ifdef ARGUSDEBUG Argusdflag = 0; ArgusDebug (0, "ArgusUsr2Sig: debug disabled\n"); #endif } int getArgusControlMonitor (struct ArgusModelerStruct *model) { return (model->ArgusControlMonitor); } void setArgusControlMonitor (struct ArgusModelerStruct *model) { model->ArgusControlMonitor++; } void clearArgusEventRecord(void) { ArgusDeleteList (ArgusEventsTask->ArgusEventsList, ARGUS_EVENT_LIST); ArgusEventsTask->ArgusEventsList = NULL; } /* Syntax is: "method:pathname:interval:postprocessor" Where: method = [ "file" | "prog" ] pathname = %s interval = %d postproc = [ "compress" | "encrypt" | "none" ] */ void setArgusEventDataRecord (char *ptr) { struct ArgusEventRecordStruct *event = NULL; char *sptr = NULL, *method = NULL, *file = NULL; char *tok = NULL, *pp = NULL, *tptr = NULL; int ind = 0, interval = 0, elem = 0; if (ArgusEventsTask == NULL) ArgusEventsTask = ArgusNewEvents(); if (ArgusEventsTask->ArgusEventsList == NULL) ArgusEventsTask->ArgusEventsList = ArgusNewList(); if (ptr) { int i; if ((sptr = strdup(ptr)) != NULL) tok = strtok(sptr, ":"); while (tok != NULL) { switch (ind++) { case 0: method = strdup(tok); if (!((strncmp(method, "file", 4) == 0) || (strncmp(method, "prog", 4) == 0))) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); elem++; break; case 1: file = strdup(tok); elem++; break; case 2: interval = (int) strtol(tok, (char **)&tptr, 10); if (tptr == tok) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); i = *tptr; if (strlen(tptr) && (isalpha(i))) { switch (*tptr) { case 's': break; case 'm': interval *= 60; break; case 'h': interval *= 60 * 60; break; case 'd': interval *= 60 * 60 * 24; break; case 'w': interval *= 60 * 60 * 24 * 7; break; case 'M': interval *= 60 * 60 * 24 * 30; break; case 'y': interval *= 60 * 60 * 24 * 365; break; } } elem++; break; case 3: pp = strdup(tok); if (!((strncmp(pp, "compress", 8) == 0) || (strncmp(pp, "compress2", 9) == 0))) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); elem++; break; default: ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); break; } tok = strtok(NULL, ":"); } if (elem < 3) ArgusLog (LOG_ERR, "setArgusEventDataRecord, syntax error %s\n", ptr); if (sptr) free (sptr); if ((event = (struct ArgusEventRecordStruct *) ArgusCalloc (1, sizeof (*event))) != NULL) { event->entry = strdup(ptr); event->method = method; event->filename = file; event->interval = interval; if (pp != NULL) { if (!(strncmp(pp, "compress", 8))) event->status |= ARGUS_ZLIB_COMPRESS; if (!(strncmp(pp, "compress2", 9))) event->status |= ARGUS_ZLIB_COMPRESS2; } ArgusPushFrontList(ArgusEventsTask->ArgusEventsList, (struct ArgusListRecord *) event, ARGUS_LOCK); } else ArgusLog (LOG_ERR, "setArgusEventDataRecord, ArgusCalloc %s\n", strerror(errno)); free(pp); } else ArgusLog (LOG_ERR, "setArgusEventDataRecord, event is null\n"); #ifdef ARGUSDEBUG ArgusDebug (2, "setArgusEventDataRecord(%s)\n", ptr); #endif } void setArgusArgv(struct ArgusSourceStruct *src, char **value) { src->ArgusArgv = value; } void setArgusOptind (struct ArgusSourceStruct *src, int value) { src->ArgusOptind = value; } void setArgusCmdBuf (struct ArgusSourceStruct *src) { ArgusSourceTask->ArgusCmdBuf = ArgusCopyArgv(&src->ArgusArgv[src->ArgusOptind]); } char * ArgusCopyArgv (char **argv) { char **p; int len = 0; char *buf = NULL, *src, *dst; p = argv; if (*p == 0) return 0; while (*p) len += (int) strlen (*p++) + 1; if ((buf = (char *) malloc (len)) != NULL) { p = argv; dst = buf; while ((src = *p++) != NULL) { if (*src != '-') { while ((*dst++ = *src++) != '\0') ; dst[-1] = ' '; } } dst[-1] = '\0'; } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusCopyArgv(%p) returning %p\n", argv, buf); #endif return buf; } argus-5.0.2/argus/argus.h000066400000000000000000000076621471541253600152750ustar00rootroot00000000000000/* * Argus-5.0 Software. Argus files - main argus includes * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/argus/argus.h#7 $ * $DateTime: 2016/10/04 10:36:36 $ * $Change: 3213 $ */ /* argus.h */ #include #include #include #ifndef Argus_h #define Argus_h #include #include #include #include #include #include #include #if defined(ARGUS_NANOSECONDS) #define ARGUS_FRACTION_TIME 1000000000 #else #define ARGUS_FRACTION_TIME 1000000 #endif #define MINOR_VERSION_0 0 #define MINOR_VERSION_1 1 #define MINOR_VERSION_2 2 #define MINOR_VERSION_3 3 #define MINOR_VERSION_4 4 #define MINOR_VERSION_5 5 #define MINOR_VERSION_6 6 #define MINOR_VERSION_7 7 #define MINOR_VERSION_8 8 #define MINOR_VERSION_9 9 #define MAJOR_VERSION_1 1 #define MAJOR_VERSION_2 2 #define MAJOR_VERSION_3 3 #define MAJOR_VERSION_4 4 #define MAJOR_VERSION_5 5 #define MAJOR_VERSION_6 6 #define VERSION_MAJOR MAJOR_VERSION_5 #define VERSION_MINOR MINOR_VERSION_0 #if defined(Argus) #include #include #include #include #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ #endif #if defined(ARGUS_THREADS) pthread_mutex_t ArgusMainLock; #endif char *RaTimeFormat = "%d %b %y %T"; char RaFieldDelimiter = '.'; int nflag = 1, Nflag = -1, uflag = 1, gflag = 0; int Uflag = 6, XMLflag = 0, pflag = 0, pidflag = 0; int Dflag = 0, daemonflag = 0; uid_t new_uid = 0; gid_t new_gid = 0; char *chroot_dir = NULL; int Argusdflag = 0; int ArgusUid = 0; int ArgusGid = 0; int ArgusPortNum = 0; void ArgusUsr1Sig (int); void ArgusUsr2Sig (int); #if defined(ARGUS_SASL) int ArgusMaxSsf = 0; int ArgusMinSsf = 0; #endif char *ArgusProgramName = NULL; void ArgusLoop (void); void ArgusBacktrace (void); void ArgusScheduleShutDown (int); void usage(void); void ArgusLog (int, char *, ...); void ArgusComplete (void); void setArguspidflag (int); int getArguspidflag (void); void setArgusArgv(struct ArgusSourceStruct *, char **); void setArgusOptind(struct ArgusSourceStruct *, int); void setArgusCmdBuf(struct ArgusSourceStruct *); char *ArgusCopyArgv (char **); void clearArgusWfile(void); void clearArgusEventRecord(void); char *ArgusBindAddr = NULL; struct ArgusListStruct *ArgusWfileList = NULL; #else /* defined(Argus) */ #if defined(ARGUS_THREADS) extern pthread_mutex_t ArgusMainLock; #endif extern int Argusdflag; extern char *ArgusProgramName; extern void ArgusLoop (void); extern void ArgusScheduleShutDown (int); extern int nflag, Nflag, uflag, gflag; extern int daemonflag; extern int ArgusUid; extern int ArgusGid; extern char *ArgusBindAddr; extern void ArgusUsr1Sig (int); extern void ArgusUsr2Sig (int); extern struct ArgusListStruct *ArgusWfileList; #if defined(ARGUS_SASL) extern int ArgusMaxSsf; extern int ArgusMinSsf; #endif extern void usage(void); extern void ArgusLog (int, char *, ...); extern void ArgusComplete (void); #endif /* defined(Argus) */ #endif /* Argus_h */ argus-5.0.2/bin/000077500000000000000000000000001471541253600134175ustar00rootroot00000000000000argus-5.0.2/bin/argusbug000077500000000000000000000234731471541253600151750ustar00rootroot00000000000000#!/bin/sh # # Argus-5.0 Software. Bug Report # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # echo "Finding system information for a ARGUS bug report" VERSION="5.0" BUGARGUS="argus-info@lists.andrew.cmu.edu" LIBC_INFO="" for pat in /lib/libc.* /lib/libc-* /usr/lib/libc.* /usr/lib/libc-* do TMP=`ls -l $pat 2>/dev/null` if test $? = 0 then LIBC_INFO="$LIBC_INFO $TMP" fi done PATH=../:$PATH:/bin:/usr/bin:/usr/local/bin export PATH BUGADDR=${1-$BUGARGUS} ENVIRONMENT=`uname -a` : ${USER=${LOGNAME-`whoami`}} COMMAND=`echo $0|sed 's%.*/\([^/]*\)%\1%'` # Try to create a secure tmpfile umask 077 TEMPDIR=/tmp/argusbug-$$ mkdir $TEMPDIR || (echo "can not create directory in /tmp, aborting"; exit 1;) TEMP=${TEMPDIR}/argusbug trap 'rm -f $TEMP $TEMP.x; rmdir $TEMPDIR; exit 1' 1 2 3 13 15 trap 'rm -f $TEMP $TEMP.x; rmdir $TEMPDIR' 0 # How to read the passwd database. PASSWD="cat /etc/passwd" if test -f /usr/lib/sendmail then MAIL_AGENT="/usr/lib/sendmail -oi -t" elif test -f /usr/sbin/sendmail then MAIL_AGENT="/usr/sbin/sendmail -oi -t" else MAIL_AGENT="rmail $BUGARGUS" fi # Figure out how to echo a string without a trailing newline N=`echo 'hi there\c'` case "$N" in *c) ECHON1='echo -n' ECHON2= ;; *) ECHON1=echo ECHON2='\c' ;; esac # Find out the name of the originator of this PR. if test -n "$NAME" then ORIGINATOR="$NAME" elif test -f $HOME/.fullname then ORIGINATOR="`sed -e '1q' $HOME/.fullname`" else # Must use temp file due to incompatibilities in quoting behavior # and to protect shell metacharacters in the expansion of $LOGNAME $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP ORIGINATOR="`cat $TEMP`" rm -f $TEMP fi if test -n "$ORGANIZATION" then if test -f "$ORGANIZATION" then ORGANIZATION="`cat $ORGANIZATION`" fi else if test -f $HOME/.organization then ORGANIZATION="`cat $HOME/.organization`" elif test -f $HOME/.signature then ORGANIZATION=`sed -e "s/^/ /" $HOME/.signature; echo ">"` fi fi PATH_DIRS=`echo $PATH | sed -e 's/^:/. /' -e 's/:$/ ./' -e 's/::/ . /g' -e 's/:/ /g' ` which_1 () { for cmd do # Absolute path ?. if expr "x$cmd" : "x/" > /dev/null then echo "$cmd" exit 0 else for d in $PATH_DIRS do file="$d/$cmd" if test -x "$file" -a ! -d "$file" then echo "$file" exit 0 fi done fi done exit 1 } change_editor () { echo "You can change editor by setting the environment variable VISUAL." echo "If your shell is a bourne shell (sh) do" echo "VISUAL=your_editors_name; export VISUAL" echo "If your shell is a C shell (csh) do" echo "setenv VISUAL your_editors_name" } # If they don't have a preferred editor set, then use vi if test -z "$VISUAL" then if test -z "$EDITOR" then EDIT=vi else EDIT="$EDITOR" fi else EDIT="$VISUAL" VISUALSET="true" fi #which_1 $EDIT used_editor=`which_1 $EDIT` echo "test -x $used_editor" if test -x "$used_editor" then echo "Using editor $used_editor"; change_editor sleep 2 else echo "Could not find a text editor. (tried $EDIT)" change_editor exit 1 fi # Find out some information. SYSTEM=`( test -f /bin/uname && /bin/uname -a ) || \ ( test -f /usr/bin/uname && /usr/bin/uname -a ) || echo ""` ARCH=`test -f /bin/arch && /bin/arch` MACHINE=`test -f /bin/machine && /bin/machine` FILE_PATHS= for cmd in argus ra libpcap.a make gmake gcc cc do file=`which_1 $cmd` if test $? = 0 then if test $cmd = "argus" then ARGUS_INFO=`$file -h 2>&1 | grep -i version 2>&1` elif test $cmd = "ra" then RA_INFO=`$file -h 2>&1 | grep -i version 2>&1` elif test $cmd = "tcpdump" then TCPDUMP_INFO=`$file -h 2>&1 | grep -i version 2>&1 | tr "\n" " "` elif test $cmd = "gcc" then GCC_INFO=`$file -v 2>&1` fi FILE_PATHS="$FILE_PATHS $file" fi done SUBJECT_C="ARGUSBug <50 character or so descriptive subject here (for reference)>" ORGANIZATION_C='' LICENCE_C='[none | licence | email support | extended email support ]' SYNOPSIS_C='' SEVERITY_C='<[ non-critical | serious | critical ] (one line)>' PRIORITY_C='<[ low | medium | high ] (one line)>' CLASS_C='<[ install-bug | sw-bug | doc-bug | change-request | support ] (one line)>' PRODUCT_C='<[ argus | ra | ratop | racluster | rasort | racount | raxml] (one line)>' RELEASE_C='' ENVIRONMENT_C='' DESCRIPTION_C='' INSTALL_C='' HOW_TO_REPEAT_C='' FIX_C='' cat > $TEMP <'). SEND-PR: From: ${USER} To: ${BUGADDR} Subject: $SUBJECT_C >Description: $DESCRIPTION_C $INSTALL_C >How-To-Repeat: $HOW_TO_REPEAT_C >Fix: $FIX_C >Submitter-Id: >Originator: ${ORIGINATOR} >Organization: ${ORGANIZATION- $ORGANIZATION_C} >ARGUS support: $LICENCE_C >Release: argus-${VERSION} >Product: $PRODUCT_C >Synopsis: $SYNOPSIS_C >Class: $CLASS_C >Severity: $SEVERITY_C >Priority: $PRIORITY_C >Environment: $ENVIRONMENT_C `test -n "$SYSTEM" && echo "System: $SYSTEM"` `test -n "$ARCH" && echo "Arch: $ARCH"` `test -n "$MACHINE" && echo "Mach: $MACHINE"` `test -n "$FILE_PATHS" && echo "Paths: $FILE_PATHS"` `test -n "$ARGUS_INFO" && echo "ARGUS: $ARGUS_INFO"` `test -n "$RA_INFO" && echo "RA: $RA_INFO"` `test -n "$TCPDUMP_INFO" && echo "TCPDUMP: $TCPDUMP_INFO"` `test -n "$GCC_INFO" && echo "GCC: $GCC_INFO"` `test -n "$LIBC_INFO" && echo "LIBC: $LIBC_INFO"` EOF chmod u+w $TEMP cp $TEMP $TEMP.x eval $EDIT $TEMP if cmp -s $TEMP $TEMP.x then echo "File not changed, no bug report submitted." echo "File saved as /tmp/argus-bugreport-template." mv $TEMP /tmp/argus-bugreport-template exit 1 fi # # Check the enumeration fields # This is a "sed-subroutine" with one keyword parameter # (with workaround for Sun sed bug) # SED_CMD=' /$PATTERN/{ s||| s|<.*>|| s|^[ ]*|| s|[ ]*$|| p q }' while :; do CNT=0 # # 1) Severity # PATTERN=">Severity:" SEVERITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$SEVERITY" in ""|non-critical|serious|critical) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$SEVERITY' is not a valid value for \`Severity'." esac # # 2) Priority # PATTERN=">Priority:" PRIORITY=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$PRIORITY" in ""|low|medium|high) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$PRIORITY' is not a valid value for \`Priority'." esac # # 3) Class # PATTERN=">Class:" CLASS=`eval sed -n -e "\"$SED_CMD\"" $TEMP` case "$CLASS" in ""|install-bug|sw-bug|doc-bug|change-request|support) CNT=`expr $CNT + 1` ;; *) echo "$COMMAND: \`$CLASS' is not a valid value for \`Class'." esac # # 4) Synopsis # VALUE=`grep "^>Synopsis:" $TEMP | sed 's/>Synopsis:[ ]*//'` case "$VALUE" in "$SYNOPSIS_C") echo "$COMMAND: \`$VALUE' is not a valid value for \`Synopsis'." ;; *) CNT=`expr $CNT + 1` esac test $CNT -lt 4 && echo "Errors were found with the problem report." # Check if subject of mail was changed, if not, use Synopsis field # subject=`grep "^Subject" $TEMP| sed 's/^Subject:[ ]*//'` if [ X"$subject" = X"$SUBJECT_C" -o X"$subject" = X"$SYNOPSIS_C" ]; then subject=`grep Synopsis $TEMP | sed 's/>Synopsis:[ ]*//'` sed "s/^Subject:[ ]*.*/Subject: $subject/" $TEMP > $TEMP.tmp mv -f $TEMP.tmp $TEMP fi while :; do $ECHON1 "a)bort, e)dit or s)end? $ECHON2" read input case "$input" in a*) echo "$COMMAND: problem report saved in $HOME/dead.argusbug." cat $TEMP >> $HOME/dead.argusbug xs=1; exit ;; e*) eval $EDIT $TEMP continue 2 ;; s*) break 2 ;; esac done done # # Remove comments and send the problem report # (we have to use patterns, where the comment contains regex chars) # # /^>Originator:/s;$ORIGINATOR;; sed -e " /^SEND-PR:/d /^>Organization:/,/^>[A-Za-z-]*:/s;$ORGANIZATION_C;; /^>Confidential:/s;<.*>;; /^>Synopsis:/s;$SYNOPSIS_C;; /^>Severity:/s;<.*>;; /^>Priority:/s;<.*>;; /^>Class:/s;<.*>;; /^>Release:/,/^>[A-Za-z-]*:/s;$RELEASE_C;; /^>Environment:/,/^>[A-Za-z-]*:/s;$ENVIRONMENT_C;; /^>Description:/,/^>[A-Za-z-]*:/s;$DESCRIPTION_C;; /^>How-To-Repeat:/,/^>[A-Za-z-]*:/s;$HOW_TO_REPEAT_C;; /^>Fix:/,/^>[A-Za-z-]*:/s;$FIX_C;; " $TEMP > $TEMP.x if $MAIL_AGENT < $TEMP.x then echo "$COMMAND: problem report sent" xs=0; exit else echo "$COMMAND: mysterious mail failure, report not sent." echo "$COMMAND: problem report saved in $HOME/dead.argusbug." cat $TEMP >> $HOME/dead.argusbug fi exit 0 argus-5.0.2/bin/mkdep000077500000000000000000000045331471541253600144520ustar00rootroot00000000000000#!/bin/sh - # # Copyright (c) 1987 Regents of the University of California. # All rights reserved. # # Redistribution and use in source and binary forms are permitted # provided that the above copyright notice and this paragraph are # duplicated in all such forms and that any documentation, # advertising materials, and other materials related to such # distribution and use acknowledge that the software was developed # by the University of California, Berkeley. The name of the # University may not be used to endorse or promote products derived # from this software without specific prior written permission. # THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED # WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. # # @(#)mkdep.sh 5.12 (Berkeley) 6/30/88 # MAKE=Makefile # default makefile name is "Makefile" CC=cc # default C compiler is "cc" while : do case "$1" in # -c allows you to specify the C compiler -c) CC=$2 shift; shift ;; # -f allows you to select a makefile name -f) MAKE=$2 shift; shift ;; # the -p flag produces "program: program.c" style dependencies # so .o's don't get produced -p) SED='s;\.o;;' shift ;; *) break ;; esac done if [ $# = 0 ] ; then echo 'usage: mkdep [-p] [-c cc] [-f makefile] [flags] file ...' exit 1 fi if [ ! -w $MAKE ]; then echo "mkdep: no writeable file \"$MAKE\"" exit 1 fi TMP=/tmp/mkdep$$ trap 'rm -f $TMP ; exit 1' 1 2 3 13 15 cp $MAKE ${MAKE}.bak sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP cat << _EOF_ >> $TMP # DO NOT DELETE THIS LINE -- mkdep uses it. # DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY. _EOF_ # If your compiler doesn't have -M, add it. If you can't, the next two # lines will try and replace the "cc -M". The real problem is that this # hack can't deal with anything that requires a search path, and doesn't # even try for anything using bracket (<>) syntax. # # egrep '^#include[ ]*".*"' /dev/null $* | # sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' | $CC -MM $* | sed " s; \./; ;g $SED" >> $TMP cat << _EOF_ >> $TMP # IF YOU PUT ANYTHING HERE IT WILL GO AWAY _EOF_ # copy to preserve permissions cp $TMP $MAKE rm -f ${MAKE}.bak $TMP exit 0 argus-5.0.2/common/000077500000000000000000000000001471541253600141375ustar00rootroot00000000000000argus-5.0.2/common/Makefile.in000077500000000000000000000077401471541253600162170ustar00rootroot00000000000000# # Argus-5.0 Software. Common files - Makefile.in # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # Written by Carter Bullard # QoSient, LLC # # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ ARCH = @V_ARCH@ INCLS = -I$(srcdir) @V_INCLS@ @XDR_INCLS@ -I$(srcdir)/../include -I$(srcdir)/../argus DEFS = @DEFS@ # Standard CFLAGS CFLAGS = $(ARCH) $(CCOPT) $(INCLS) $(DEFS) $(EXTRA_CFLAGS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< # We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot # hack the extra indirection VSRC = version.c LSRC = scanner.l YSRC = grammar.y GENSRC = $(LSRC:.l=.c) $(YSRC:.y=.c) GENHDR = tokdefs.h TAGHDR = bpf/net/bpf.h TAGFILES = $(SRC) $(HDR) $(TAGHDR) LIBS = @INSTALL_LIB@/argus_common.a OBJ = $(COMMONOBJ) $(PARSEOBJ) CLEANFILES = $(LIBS) $(OBJ) $(GENSRC) $(GENHDR) $(VSRC) lex.yy.c COMMONSRC = argus_util.c argus_code.c argus_filter.c $(GENSRC) $(VSRC) COMMONOBJ = argus_util.o argus_code.o argus_filter.o grammar.o scanner.o version.o SRC = $(COMMONSRC) all: $(LIBS) @INSTALL_LIB@/argus_common.a: $(COMMONOBJ) rm -f $@; ar qc $@ $(COMMONOBJ) -$(RANLIB) $@ scanner.c: scanner.l @rm -f $@ $(LEX) -t $< > $$$$.$@; mv $$$$.$@ $@ scanner.o: scanner.c tokdefs.h tokdefs.h: grammar.c grammar.c: grammar.y @rm -f grammar.c tokdefs.h $(YACC) -d $< mv y.tab.c grammar.c mv y.tab.h tokdefs.h grammar.o: grammar.c $(CC) $(CFLAGS) -Dyylval=argus_lval -c grammar.c version.o: version.c version.c: $(srcdir)/../VERSION @rm -f $@ sed -e 's/.*/char version[] = "&";/' $(srcdir)/../VERSION > $@ install: all force uninstall: clean clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile config.cache config.log config.status \ gnuc.h os-proto.h bpf_filter.c net tags: $(TAGFILES) ctags -wtd $(TAGFILES) tar: force @cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \ list="" ; tar="tar chFFf" ; \ for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \ echo \ "rm -f ../$$name; ln -s $$dir ../$$name" ; \ rm -f ../$$name; ln -s $$dir ../$$name ; \ echo \ "(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \ (cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \ echo \ "rm -f ../$$name" ; \ rm -f ../$$name force: /tmp depend: $(GENSRC) $(VSRC) force ../bin/mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC) argus-5.0.2/common/argus_auth.c000066400000000000000000000343261471541253600164550ustar00rootroot00000000000000/* * Argus-5.0 Software. Common library routines - Authentication * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * Written/Maintained/Modified by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/common/argus_auth.c#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusAuth #define ArgusAuth #endif #include #include #include #include #include #ifdef ARGUS_SASL #include #include #include #endif /* ARGUS_SASL */ #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); int ArgusInitializeAuthentication (struct ARGUS_INPUT *); int ArgusAuthenticate (struct ARGUS_INPUT *); #ifdef ARGUS_SASL static int RaGetRealm(void *context, int, const char **, const char **); static int RaSimple(void *context, int, const char **, unsigned *); static int RaGetSecret(sasl_conn_t *, void *context, int, sasl_secret_t **); int RaSaslNegotiate(FILE *, FILE *, sasl_conn_t *); int RaGetSaslString (FILE *, char *, int); int RaSendSaslString (FILE *, const char *, int); /* RaCallBacks we support */ static sasl_callback_t RaCallBacks[] = { { SASL_CB_GETREALM, &RaGetRealm, NULL }, { SASL_CB_USER, &RaSimple, NULL }, { SASL_CB_AUTHNAME, &RaSimple, NULL }, { SASL_CB_PASS, &RaGetSecret, NULL }, { SASL_CB_LIST_END, NULL, NULL } }; char *RaSaslMech = NULL; #endif int ArgusInitializeAuthentication (struct ARGUS_INPUT *input) { int retn = 1; #ifdef ARGUS_SASL struct sockaddr_in localaddr, remoteaddr; int salen, fd = input->fd; char *localhostname = NULL; if ((retn = sasl_client_init(RaCallBacks)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_init %d", retn); localhostname = ArgusCalloc (1, 1024); gethostname(localhostname, 1024); if (!strchr (localhostname, '.')) { strcat (localhostname, "."); getdomainname (&localhostname[strlen(localhostname)], 1024 - strlen(localhostname)); } if ((retn = sasl_client_new("argus", localhostname, NULL, SASL_SECURITY_LAYER, &input->sasl_conn)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() sasl_client_new %d", retn); /* set external properties here sasl_setprop(input->sasl_conn, SASL_SSF_EXTERNAL, &extprops); */ /* set required security properties here sasl_setprop(input->sasl_conn, SASL_SEC_PROPS, &secprops); */ /* set ip addresses */ salen = sizeof(localaddr); if (getsockname(fd, (struct sockaddr *)&localaddr, &salen) < 0) perror("getsockname"); salen = sizeof(remoteaddr); if (getpeername(fd, (struct sockaddr *)&remoteaddr, &salen) < 0) perror("getpeername"); if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_LOCAL, &localaddr)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting localaddr %d", retn); if ((retn = sasl_setprop(input->sasl_conn, SASL_IP_REMOTE, &remoteaddr)) != SASL_OK) ArgusLog (LOG_ERR, "ArgusInitializeAuthentication() error setting remoteaddr %d", retn); retn = 1; #endif #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusInitializeAuthentication () returning %d\n", retn); #endif return (retn); } int ArgusAuthenticate (struct ARGUS_INPUT *input) { int retn = 0; if (ArgusInitializeAuthentication(input)) { #ifdef ARGUS_SASL int fd = input->fd; if ((input->in = fdopen(fd, "r")) == NULL) ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen in failed %s", strerror(errno)); if ((input->out = fdopen(fd, "w")) == NULL) ArgusLog (LOG_ERR, "ArgusAuthenticate(0x%x) fdopen out failed %s", strerror(errno)); if ((retn = RaSaslNegotiate(input->in, input->out, input->sasl_conn)) == SASL_OK) retn = 1; else retn = 0; #endif } #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusAuthenticate (0x%x) returning %d\n", input, retn); #endif return (retn); } #ifdef ARGUS_SASL static void RaChop (char *s) /* remove \r\n at end of the line */ { char *p; assert(s); p = s + strlen(s) - 1; if (p[0] == '\n') *p-- = '\0'; if (p >= s && p[0] == '\r') *p-- = '\0'; } static int RaGetRealm(void *context __attribute__((unused)), int id, const char **availrealms, const char **result) { static char buf[1024]; if (id != SASL_CB_GETREALM) return SASL_BADPARAM; if (!result) return SASL_BADPARAM; printf("please choose a realm (available:"); while (*availrealms) { printf(" %s", *availrealms); availrealms++; } printf("): "); fgets(buf, sizeof buf, stdin); RaChop(buf); *result = buf; return SASL_OK; } static char RaSimpleBuf[1024]; static int RaSimple(void *context __attribute__((unused)), int id, const char **result, unsigned *len) { char *ptr = NULL; if (! result) return SASL_BADPARAM; switch (id) { case SASL_CB_USER: if (ustr == NULL) { printf("please enter an authorization id: "); fgets(RaSimpleBuf, sizeof(RaSimpleBuf), stdin); } else { if ((ptr = strchr(ustr, '/')) != NULL) *ptr = '\0'; snprintf (RaSimpleBuf, sizeof(RaSimpleBuf), "%s", ustr); if (ptr) *ptr = '/'; } break; case SASL_CB_AUTHNAME: if (ustr != NULL) if ((ptr = strchr(ustr, '/')) != NULL) ptr++; if (ptr == NULL) { printf("please enter an authentication id: "); fgets(RaSimpleBuf, sizeof RaSimpleBuf, stdin); } else snprintf (RaSimpleBuf, sizeof(RaSimpleBuf), "%s", ptr); break; default: return SASL_BADPARAM; } RaChop(RaSimpleBuf); *result = RaSimpleBuf; if (len) *len = strlen(RaSimpleBuf); return SASL_OK; } #ifndef HAVE_GETPASSPHRASE static char * getpassphrase(const char *prompt) { return getpass(prompt); } #endif static int RaGetSecret(sasl_conn_t *conn, void *context __attribute__((unused)), int id, sasl_secret_t **psecret) { char *password; size_t len; static sasl_secret_t *x; if (! conn || ! psecret || id != SASL_CB_PASS) return SASL_BADPARAM; if (pstr != NULL) password = pstr; else password = getpassphrase("Password: "); if (! password) return SASL_FAIL; len = strlen(password); x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len); if (!x) { memset(password, 0, len); return SASL_NOMEM; } x->len = len; #if defined(HAVE_STRLCPY) strlcpy(x->data, password, len); #else memset(x->data, 0, len); strncpy(x->data, password, len); #endif memset(password, 0, len); *psecret = x; return SASL_OK; } int RaSaslNegotiate(FILE *in, FILE *out, sasl_conn_t *conn) { int retn = 0; char buf[8192]; char *data; const char *chosenmech; int len, c; #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) receiving capability list... ", in, out, conn); #endif if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) error %s\n", in, buf, sizeof(buf), strerror(errno)); if (RaSaslMech) { /* make sure that 'RaSaslMech' appears in 'buf' */ if (!strstr(buf, RaSaslMech)) { printf("server doesn't offer mandatory mech '%s'\n", RaSaslMech); return 0; } } else RaSaslMech = buf; #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate(0x%x, 0x%x, 0x%x) calling sasl_client_start()", in, out, conn); #endif retn = sasl_client_start(conn, RaSaslMech, NULL, NULL, &data, &len, &chosenmech); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { fputc ('N', out); fflush(out); ArgusLog (LOG_ERR, "RaSaslNegotiate: error starting SASL negotiation"); } if (retn == SASL_INTERACT) ArgusLog (LOG_ERR, "RaSaslNegotiate: returned SASL_INTERACT\n"); #ifdef ARGUSDEBUG ArgusDebug (1, "RaSaslNegotiate: using mechanism %s\n", chosenmech); #endif /* we send two strings; the mechanism chosen and the initial response */ RaSendSaslString(out, chosenmech, strlen(chosenmech)); RaSendSaslString(out, data, len); for (;;) { #ifdef ARGUSDEBUG ArgusDebug (2, "waiting for server reply...\n"); #endif switch (c = fgetc(in)) { case 'O': goto done_ok; case 'N': goto done_no; case 'C': /* continue authentication */ break; default: printf("bad protocol from server (%c %x)\n", c, c); return 0; } if ((len = RaGetSaslString(in, buf, sizeof(buf))) <= 0) ArgusLog (LOG_ERR, "RaSaslNegotiate: RaGetSaslString(0x%x, 0x%x, %d) returned %d\n", in, buf, sizeof(buf), len); retn = sasl_client_step(conn, buf, len, NULL, &data, &len); if ((retn != SASL_OK) && (retn != SASL_CONTINUE)) { fputc ('N', out); fflush(out); ArgusLog (LOG_ERR, "RaSaslNegotiate: error performing SASL negotiation"); } if (data) { #ifdef ARGUSDEBUG ArgusDebug (2, "sending response length %d...\n", len); #endif RaSendSaslString(out, data, len); free(data); } else { #ifdef ARGUSDEBUG ArgusDebug (2, "sending null response...\n"); #endif RaSendSaslString(out, "", 0); } } done_ok: #ifdef ARGUSDEBUG ArgusDebug (1, "successful authentication"); #endif return SASL_OK; done_no: #ifdef ARGUSDEBUG ArgusDebug (1, "authentication failed"); #endif return -1; } /* send/recv library for IMAP4 style literals. */ int RaSendSaslString (FILE *f, const char *s, int l) { char *saslbuf; int len, al = 0; if ((saslbuf = ArgusCalloc (1, MAXSTRLEN)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput:ArgusCalloc error %s\n", strerror(errno)); snprintf(saslbuf, MAXSTRLEN, "{%d}\r\n", l); len = strlen(saslbuf); bcopy (s, &saslbuf[len], l); len += l; al = fwrite(saslbuf, 1, len, f); fflush(f); #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusSendSaslString(0x%x, 0x%x, %d)\n", f, s, l); s = saslbuf; if (3 <= Argusdflag) { while (len--) { if (isprint((int)((unsigned char) *s))) { printf("%c ", *s); } else { printf("%x ", (unsigned char) *s); } s++; } printf("\n"); } #endif ArgusFree (saslbuf); return al; } int RaGetSaslString (FILE *f, char *buf, int buflen) { int c, len, l; char *s; if ((c = fgetc(f)) != '{') return -1; /* read length */ len = 0; c = fgetc(f); while (isdigit(c)) { len = len * 10 + (c - '0'); c = fgetc(f); } if (c != '}') return -1; if ((c = fgetc(f)) != '\r') return -1; if ((c = fgetc(f)) != '\n') return -1; /* read string */ if (buflen <= len) { fread(buf, buflen - 1, 1, f); buf[buflen - 1] = '\0'; /* discard oversized string */ len -= buflen - 1; while (len--) (void)fgetc(f); len = buflen - 1; } else { fread(buf, len, 1, f); buf[len] = '\0'; } l = len; s = buf; #ifdef ARGUSDEBUG ArgusDebug (3, "ArgusGetSaslString(0x%x, 0x%x, %d)\n", f, s, l); if (3 <= Argusdflag) { while (l--) { if (isprint((int)((unsigned char) *s))) { printf("%c ", *s); } else { printf("%X ", (unsigned char) *s); } s++; } printf("\n"); } #endif return len; } #endif argus-5.0.2/common/argus_code.c000066400000000000000000004377201471541253600164330ustar00rootroot00000000000000/* * Argus-5.0 Software. Common library routines - Filter code * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ /* * $Id: //depot/gargoyle/argus/common/argus_code.c#7 $ * $DateTime: 2015/06/22 18:22:35 $ * $Change: 3025 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #include #if defined(HAVE_SOLARIS) || (__FreeBSD__) || (__NetBSD__) || (__OpenBSD__) #include #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* static u_int ArgusNetMask; */ static int fsnaplen; #ifndef __GNUC__ #define inline #endif #ifndef AF_INET6 #define AF_INET6 23 #endif #ifndef IPPROTO_IGRP #define IPPROTO_IGRP 9 #endif #define JMP(c) ((c)|NFF_JMP|NFF_K) #define ARGUSFORKFILTER 1 static u_int off_nl = 0; static int alloc_reg(void); static void free_reg(int); static struct ablock *root; #define NCHUNKS 16 #define CHUNK0SIZE 1024 struct chunk { u_int n_left; void *m; }; static struct chunk chunks[NCHUNKS]; static int cur_chunk; static void *newchunk(u_int); static void freechunks(void); static struct ablock *new_block(int); static struct slist *new_stmt(int); static struct ablock *Argusgen_retblk(int); static void syntax(void); #if defined(ARGUSFORKFILTER) static void deadman(pid_t); #endif static void backpatch(struct ablock *, struct ablock *); static void merge(struct ablock *, struct ablock *); static struct ablock *Argusgen_cmp(int, u_int, u_int, u_int, u_int, int); static struct ablock *Argusgen_mcmp(int, u_int, u_int, u_int, u_int, u_int, int); static struct ablock *Argusgen_bcmp(int, u_int, u_int, u_char *, int); static struct ablock *Argusgen_prototype(u_int, u_int); static struct ablock *Argusgen_hostop(u_int *, u_int *, int, int, u_int); static struct ablock *Argusgen_ehostop(u_char *, int); static struct ablock *Argusgen_host(u_int *, u_int *, int, int, int); static struct ablock *Argusgen_srcid(u_int, u_int, int); static struct ablock *Argusgen_inode(u_int, u_int, int); static struct ablock *Argusgen_gateway(u_char *, u_int *, int, int, int); static struct ablock *Argusgen_portatom(int, long, int); struct ablock *Argusgen_portop(int, int, int, u_int); static struct ablock *Argusgen_port(int, u_int, int, u_int); static int Arguslookup_proto(char *, int); static struct ablock *Argusgen_flow(int); static struct ablock *Argusgen_proto(int, int, int); static struct ablock *Argusgen_ipid(int, int, u_int); static struct ablock *Argusgen_ttl(int, int, u_int); static struct ablock *Argusgen_tos(int, int, u_int); static struct ablock *Argusgen_vid(int, int, u_int); static struct ablock *Argusgen_vpri(int, int, u_int); static struct ablock *Argusgen_mid(int, int, u_int); static struct ablock *Argusgen_byte(int, int, u_int); static struct ablock *Argusgen_pkt(int, int, u_int); static struct ablock *Argusgen_nstroke(int, int, u_int); static struct ablock *Argusgen_seq(int, int, u_int); //static struct ablock *Argusgen_dup(int, int, u_int); static struct ablock *Argusgen_tcpbase(int, int, u_int); static struct ablock *Argusgen_trans(int, int, u_int); static struct ablock *Argusgen_deltadur(int, int, u_int); static struct ablock *Argusgen_deltastart(int, int, u_int); static struct ablock *Argusgen_deltalast(int, int, u_int); static struct ablock *Argusgen_rate(float, int, u_int); static struct ablock *Argusgen_load(float, int, u_int); static struct ablock *Argusgen_inter(float, int, int, u_int); static struct ablock *Argusgen_jitter(float, int, int, u_int); static struct ablock *Argusgen_dur(float, int, u_int); static struct ablock *Argusgen_mean(float, int, u_int); static struct ablock *Argusgen_encaps(int, int, u_int); static struct slist *xfer_to_x(struct arth *); static struct slist *xfer_to_a(struct arth *); static struct ablock *Argusgen_len(int, int); static struct ablock *Argusgen_linktype(unsigned int); #if !defined(CYGWIN) static u_int net_mask(u_int *); #endif extern void ArgusLog (int, char *, ...); extern float RaDeltaFloatTime (struct timeval *, struct timeval *); static void * newchunk(u_int n) { struct chunk *cp; int k, size; /* XXX Round up to nearest long long. */ n = (n + sizeof(long long) - 1) & ~(sizeof(long long) - 1); cp = &chunks[cur_chunk]; if (n > cp->n_left) { ++cp, k = ++cur_chunk; if (k >= NCHUNKS) ArgusLog(LOG_ERR, "out of memory"); size = CHUNK0SIZE << k; cp->m = (void *)calloc(1, size); memset((char *)cp->m, 0, size); cp->n_left = size; if (n > size) ArgusLog(LOG_ERR, "out of memory"); } cp->n_left -= n; #if defined(ARGUSDEBUG) ArgusDebug (9, "newchunk (%d) returning 0x%x\n", n, (char *)cp->m + cp->n_left); #endif return (void *)((char *)cp->m + cp->n_left); } static void freechunks() { int i; for (i = 0; i < NCHUNKS; ++i) if (chunks[i].m) free(chunks[i].m); #if defined(ARGUSDEBUG) ArgusDebug (9, "freechunks () returning\n"); #endif } /* * A strdup whose allocations are freed after code generation is over. */ char * Argussdup(char *s) { int n = strlen(s) + 1; char *cp = newchunk(n); strncpy(cp, s, (n - 1)); #if defined(ARGUSDEBUG) ArgusDebug (7, "Argussdup (%s) returning 0x%x\n", s, cp); #endif return (cp); } static struct ablock * new_block(int code) { struct ablock *p; p = (struct ablock *)newchunk(sizeof(*p)); p->s.code = code; p->head = p; #if defined(ARGUSDEBUG) ArgusDebug (9, "new_block (%d) returning 0x%x\n", code, p); #endif return p; } static struct slist * new_stmt(int code) { struct slist *p; p = (struct slist *)newchunk(sizeof(*p)); p->s.code = code; #if defined(ARGUSDEBUG) ArgusDebug (9, "new_stmt (%d) returning 0x%x\n", code, p); #endif return p; } static struct ablock * Argusgen_retblk(int v) { struct ablock *b = new_block(NFF_RET|NFF_K); b->s.data.k = v; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_retblk (%d) returning 0x%x\n", v, b); #endif return b; } #if defined(ARGUSFORKFILTER) static void deadman(pid_t pid) { // extern struct ArgusParserStruct *ArgusParser; char *errormsg = "ERROR: compiler timed out"; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile deadman() %s\n", errormsg); #endif kill(pid, SIGTERM); /* if (ArgusParser->ArgusFilterFiledes[1] != -1) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], errormsg, strlen(errormsg))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); } else */ ArgusLog (LOG_INFO, errormsg); } #endif static void syntax() { extern struct ArgusParserStruct *ArgusParser; char response, *errormsg = "SYNTAX ERROR: filter expression"; int len; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile syntax() %s\n", errormsg); #endif if (ArgusParser->ArgusFilterFiledes[1] != -1) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], errormsg, 4)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () syntax error routine wrote %d bytes of error message\n", len); #endif if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () syntax error routine read %d bytes of response\n", len); #endif } else ArgusLog (LOG_ERR, errormsg); exit (1); } char * ArgusFilterCompile(struct nff_program *program, char *buf, int optimize) { extern int argus_n_errors; char *retn = NULL; int len; #if defined(ARGUSFORKFILTER) extern struct ArgusParserStruct *ArgusParser; int width, status = 0; char response; pid_t pid; if ((pipe (ArgusParser->ArgusFilterFiledes)) < 0) ArgusLog (LOG_ERR, "pipe %s", strerror(errno)); if ((pipe (ArgusParser->ArgusControlFiledes)) < 0) ArgusLog (LOG_ERR, "pipe %s", strerror(errno)); if ((pid = fork()) == 0) { #endif fsnaplen = 96; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () calling argus_lex_init(%s)\n", buf); #endif argus_lex_init(buf ? buf : ""); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () calling argus_parse()\n"); #endif argus_parse(); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () argus_parse() done\n"); #endif if (argus_n_errors) { retn = "SYNTAX ERROR: in filter expression"; len = strlen(retn); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile syntax() %s\n", retn); #endif } else { if (root == NULL) root = Argusgen_retblk(fsnaplen); if (optimize) Argusnff_optimize(&root); if (!(root == NULL || (root->s.code == (NFF_RET|NFF_K) && root->s.data.k == 0))) { program->bf_insns = Argusicode_to_fcode(root, &len); program->bf_len = len; freechunks(); retn = (char *)&program->bf_len; } else { ArgusLog (LOG_ALERT, "ArgusFilterCompile: expression rejects all records"); retn = NULL; len = 0; } } #if defined(ARGUSFORKFILTER) if ((len = write (ArgusParser->ArgusFilterFiledes[1], retn, sizeof(program->bf_len))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () wrote %d bytes of program header", len); #endif if (!(argus_n_errors)) { if (program->bf_len > 0) { if ((len = write (ArgusParser->ArgusFilterFiledes[1], program->bf_insns, program->bf_len * sizeof(*program->bf_insns))) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write filter retn %s", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () wrote %d bytes of program body", len); #endif } } #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () waiting for response from requestor"); #endif if ((len = read (ArgusParser->ArgusControlFiledes[0], &response, 1)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: read retn %s\n", strerror(errno)); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () received response"); #endif _exit(EXIT_SUCCESS); } else { struct timeval wait, now, then; float deltatime = 0.0; fd_set readmask; gettimeofday(&now, NULL); then = now; wait.tv_sec = 0; wait.tv_usec = 500000; FD_ZERO (&readmask); FD_SET (ArgusParser->ArgusFilterFiledes[0], &readmask); width = ArgusParser->ArgusFilterFiledes[0] + 1; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () waiting for filter process %d on pipe %d\n", pid, ArgusParser->ArgusFilterFiledes[0]); #endif #define ARGUS_COMPILER_TIMEOUT 1.5 while (((deltatime = RaDeltaFloatTime(&now, &then)) <= ARGUS_COMPILER_TIMEOUT) && (select (width, &readmask, NULL, NULL, &wait) >= 0)) { if (deltatime >= ARGUS_COMPILER_TIMEOUT) { deadman(pid); retn = "TI"; } else { if (FD_ISSET (ArgusParser->ArgusFilterFiledes[0], &readmask)) { if ((len = read (ArgusParser->ArgusFilterFiledes[0], &program->bf_len, sizeof(program->bf_len))) > 0) { if ((!(strstr ((char *)&program->bf_len, "ERR"))) && (!(strstr ((char *)&program->bf_len, "SYN")))) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () read filter length %d\n", program->bf_len); #endif if (program->bf_len > 0) { if ((program->bf_insns = (void *) calloc (program->bf_len, sizeof(*program->bf_insns))) != NULL) { if ((len = read (ArgusParser->ArgusFilterFiledes[0], program->bf_insns, (program->bf_len * sizeof(*program->bf_insns)))) > 0) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () read filter body %d\n", len); #endif retn = 0; status++; } } else ArgusLog(LOG_ERR, "ArgusFilterCompile: calloc error %s\n", strerror(errno)); } else { status++; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () no filter body %d\n", len); #endif } } else { if ((strstr ((char *)&program->bf_len, "SYN"))) retn = "SY"; else retn = "ER"; #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () received Error from compiler\n"); #endif } } } } if (status || (retn != NULL)) break; FD_SET (ArgusParser->ArgusFilterFiledes[0], &readmask); width = ArgusParser->ArgusFilterFiledes[0] + 1; wait.tv_sec = 0; wait.tv_usec = 200000; gettimeofday(&now, NULL); } if (!status) { len = waitpid(pid, &status, WNOHANG); if ((len == pid) || (len == -1)) { #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusFilterCompile () filter process %d terminated\n", pid); if (WIFEXITED(status)) { ArgusDebug (4, "ArgusFilterCompile () child %d exited %d\n", pid, WEXITSTATUS(status)); } else if (WIFSIGNALED(status)) { ArgusDebug (4, "ArgusFilterCompile () child %d signaled %d\n", pid, WTERMSIG(status)); } else { ArgusDebug (4, "ArgusFilterCompile () filter process %d terminated\n", pid); return (NULL); } #endif if (len == -1) return (NULL); } } else { if (retn == NULL) retn = "OK"; } if ((len = write (ArgusParser->ArgusControlFiledes[1], retn, 2)) < 0) ArgusLog (LOG_ERR, "ArgusFilterCompile: write retn %s\n", strerror(errno)); // now block and wait for the child to be done len = waitpid(pid, &status, 0); } close(ArgusParser->ArgusFilterFiledes[0]); close(ArgusParser->ArgusFilterFiledes[1]); close(ArgusParser->ArgusControlFiledes[0]); close(ArgusParser->ArgusControlFiledes[1]); ArgusParser->ArgusFilterFiledes[0] = 0; ArgusParser->ArgusFilterFiledes[1] = 0; ArgusParser->ArgusControlFiledes[0] = 0; ArgusParser->ArgusControlFiledes[1] = 0; #endif /* ARGUSFORKFILTER */ #if defined(ARGUSDEBUG) ArgusDebug (2, "ArgusFilterCompile () done %d\n", retn); #endif return (retn); } /* * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates * which of the jt and jf fields has been resolved and which is a pointer * back to another unresolved block (or nil). At least one of the fields * in each block is already resolved. */ static void backpatch(struct ablock *list, struct ablock *target) { struct ablock *next; while (list) { if (!list->sense) { next = JT(list); JT(list) = target; } else { next = JF(list); JF(list) = target; } list = next; } #if defined(ARGUSDEBUG) ArgusDebug (9, "backpatch (0x%x, 0x%x) returning 0x%x\n", list, target); #endif } /* * Merge the lists in b0 and b1, using the 'sense' field to indicate * which of jt and jf is the link. */ static void merge( struct ablock *b0, struct ablock *b1) { register struct ablock **p = &b0; /* Find end of list. */ while (*p) p = !((*p)->sense) ? &JT(*p) : &JF(*p); /* Concatenate the lists. */ *p = b1; #if defined(ARGUSDEBUG) ArgusDebug (9, "merge (0x%x, 0x%x)\n", b0, b1); #endif } void Argusfinish_parse(struct ablock *p) { if (p != NULL) { backpatch(p, Argusgen_retblk(fsnaplen)); p->sense = !p->sense; backpatch(p, Argusgen_retblk(0)); root = p->head; } #if defined(ARGUSDEBUG) ArgusDebug (3, "Argusfinish_parse (0x%x)\n", p); #endif } void Argusgen_and(struct ablock *b0, struct ablock *b1) { if (b0 != b1) { backpatch(b0, b1->head); b0->sense = !b0->sense; b1->sense = !b1->sense; merge(b1, b0); b1->sense = !b1->sense; b1->head = b0->head; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_and (0x%x, 0x%x)\n", b0, b1); #endif } void Argusgen_or( struct ablock *b0, struct ablock *b1) { if (b0 != b1) { b0->sense = !b0->sense; backpatch(b0, b1->head); b0->sense = !b0->sense; merge(b1, b0); b1->head = b0->head; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_or (0x%x, 0x%x)\n", b0, b1); #endif } void Argusgen_not(struct ablock *b) { b->sense = !b->sense; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_not (0x%x, 0x%x)\n", b); #endif } static struct ablock * Argusgen_cmp(int dsr, u_int offset, u_int size, u_int v, u_int op, int type) { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_DSR|size); s->s.dsr = dsr; s->s.data.k = offset; switch (op) { case Q_EQUAL: b = new_block(JMP(NFF_JEQ)); break; case Q_LESS: b = new_block(JMP(NFF_JGE)); b->sense = !b->sense; break; case Q_GREATER: b = new_block(JMP(NFF_JGT)); break; case Q_GEQ: b = new_block(JMP(NFF_JGE)); break; case Q_LEQ: b = new_block(JMP(NFF_JGT)); b->sense = !b->sense; break; } b->stmts = s; b->s.data.k = v; b->s.type = type; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_cmp (%d, %d, %d, %d, %d, %d) returns %p\n", dsr, offset, size, v, op, type, b); #endif return b; } static struct ablock * Argusgen_fcmp(int dsr, u_int offset, u_int size, float v, u_int op, int type) { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_DSR|size); s->s.dsr = dsr; s->s.data.k = offset; switch (op) { case Q_EQUAL: b = new_block(JMP(NFF_JEQ|NFF_F)); break; case Q_LESS: b = new_block(JMP(NFF_JGE|NFF_F)); b->sense = !b->sense; break; case Q_GREATER: b = new_block(JMP(NFF_JGT|NFF_F)); break; case Q_GEQ: b = new_block(JMP(NFF_JGE|NFF_F)); break; case Q_LEQ: b = new_block(JMP(NFF_JGT|NFF_F)); b->sense = !b->sense; break; } b->stmts = s; b->s.data.f = v; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_fcmp (%d, %d, %f, %d, %d) returns %p\n", offset, size, v, op, type, b); #endif return b; } static struct ablock * Argusgen_mcmp(int dsr, u_int offset, u_int size, u_int v, u_int mask, u_int op, int type) { struct ablock *b = Argusgen_cmp(dsr, offset, size, (v & mask), op, type); struct slist *s; if (mask != 0xffffffff) { s = new_stmt(NFF_ALU|NFF_AND|NFF_K); s->s.data.k = mask; b->stmts->next = s; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_mcmp (%d, %d, %d, %d, 0x%x, %d) returns %p\n", dsr, offset, size, v, mask, op, b); #endif return b; } static struct ablock * Argusgen_bcmp(int dsr, u_int offset, u_int size, u_char *v, int type) { struct ablock *b, *tmp; b = NULL; while (size >= 4) { u_char *p = &v[size - 4]; u_int w; #if defined(_LITTLE_ENDIAN) w = (p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]; #else w = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; #endif tmp = Argusgen_cmp(dsr, offset + size - 4, NFF_W, w, Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; size -= 4; } while (size >= 2) { u_char *p = &v[size - 2]; u_int w; #if defined(_LITTLE_ENDIAN) w = (p[1] << 8) | p[0]; #else w = (p[0] << 8) | p[1]; #endif tmp = Argusgen_cmp(dsr, offset + size - 2, NFF_H, w, Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; size -= 2; } if (size > 0) { tmp = Argusgen_cmp(dsr, offset, NFF_B, (u_int)v[0], Q_EQUAL, type); if (b != NULL) Argusgen_and(b, tmp); b = tmp; } #if defined(ARGUSDEBUG) ArgusDebug (7, "Argusgen_bcmp (%d, %d, %d) returns %p\n", offset, size, v, b); #endif return b; } struct ablock * Argusgen_dns(int v, int value, int dir) { struct ablock *b1 = NULL, *b2 = NULL; struct ArgusRecordStruct argus; /* struct ArgusDnsQueryStruct *sdns = &argus.srcappdata; struct ArgusDnsQueryStruct *ddns = &argus.dstappdata; */ struct ArgusDnsQueryStruct *sdns = (struct ArgusDnsQueryStruct *) &argus.srate; struct ArgusDnsQueryStruct *ddns = (struct ArgusDnsQueryStruct *) &argus.drate; int soffset = ((char *)&sdns - (char *)&argus); int doffset = ((char *)&ddns - (char *)&argus); switch (dir) { case Q_SRC: { b1 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_DST: { b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_OR: case Q_DEFAULT: b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); b2 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b2); Argusgen_or(b2, b1); break; case Q_AND: b1 = Argusgen_mcmp(-1, doffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); b2 = Argusgen_mcmp(-1, soffset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_not(b2); Argusgen_and(b2, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dnsauth () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_espstatustype(unsigned int proto) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.esp.status - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); switch (proto) { case ARGUS_SRC_PKTS_DROP: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, ARGUS_SRC_PKTS_DROP, ARGUS_SRC_PKTS_DROP, Q_EQUAL, Q_DEFAULT); break; case ARGUS_DST_PKTS_DROP: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, ARGUS_DST_PKTS_DROP, ARGUS_DST_PKTS_DROP, Q_EQUAL, Q_DEFAULT); break; } if (b0) Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_espstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_ipstatustype(unsigned int proto) { struct ablock *b1 = NULL; switch (proto) { case ARGUS_CON_ESTABLISHED: { struct ablock *b2, *b3; b1 = Argusgen_linktype(ETHERTYPE_IP); b2 = Argusgen_pkt(0, Q_SRC, Q_GREATER); b3 = Argusgen_pkt(0, Q_DST, Q_GREATER); Argusgen_and(b2, b3); Argusgen_and(b3, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_tcpstatustype(unsigned int proto) { struct ablock *b0, *b1; unsigned int value = proto; struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.tcp.status - (char *)&net); b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); switch (proto) { case ARGUS_SRC_CONGESTED: case ARGUS_DST_CONGESTED: case ARGUS_SRC_RESET: case ARGUS_DST_RESET: case ARGUS_SRC_WINDOW_SHUT: case ARGUS_DST_WINDOW_SHUT: case ARGUS_NORMAL_CLOSE: case ARGUS_SAW_SYN: case ARGUS_SAW_SYN_SENT: case ARGUS_CON_ESTABLISHED: case ARGUS_CLOSE_WAITING: case ARGUS_SRC_PKTS_RETRANS: case ARGUS_DST_PKTS_RETRANS: case ARGUS_SRC_OUTOFORDER: case ARGUS_DST_OUTOFORDER: default: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, offset, NFF_W, value, value, Q_EQUAL, Q_DEFAULT); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpstatustype () returns %p\n", b1); #endif return (b1); } static struct ablock * Argusgen_ipattrstatustype(unsigned int status) { struct ablock *b1; struct ArgusIPAttrStruct ipattr; int offset = ((char *)&ipattr.hdr.argus_dsrvl8.qual - (char *)&ipattr); b1 = Argusgen_mcmp(ARGUS_IPATTR_INDEX, offset, NFF_B, status, status, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipattrstatustype (%d) returns %p\n", status, b1); #endif return (b1); } static struct ablock * Argusgen_causetype(unsigned int cause) { struct ablock *b0 = NULL; struct ArgusCanonRecord canon; int offset = ((char *)&canon.hdr.cause - (char *)&canon); switch (cause) { case ARGUS_START: case ARGUS_STATUS: case ARGUS_STOP: case ARGUS_TIMEOUT: case ARGUS_SHUTDOWN: b0 = Argusgen_mcmp(-1, offset, NFF_B, (u_int) cause, cause, Q_EQUAL, Q_DEFAULT); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_causetype () returns %p\n", b0); #endif return (b0); } static struct ablock * Argusgen_recordtype(unsigned int type) { struct ablock *b0 = NULL; struct ArgusCanonRecord canon; int offset = ((char *)&canon.hdr.type - (char *)&canon); switch (type) { case ARGUS_MAR: case ARGUS_FAR: case ARGUS_EVENT: case ARGUS_INDEX: case ARGUS_DATASUP: b0 = Argusgen_mcmp(-1, offset, NFF_B, (u_int) type, type, Q_EQUAL, Q_DEFAULT); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_recordtype () returns %p\n", b0); #endif return (b0); } static struct ablock * Argusgen_mpls(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusMplsStruct mpls; int offset = ((char *)&mpls.hdr.type - (char *)&mpls); b1 = Argusgen_cmp(ARGUS_MPLS_INDEX, offset, NFF_B, (u_int) ARGUS_MPLS_DSR, Q_EQUAL, Q_DEFAULT); return(b1); } static struct ablock * Argusgen_vlan(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusVlanStruct vlan; int offset = ((char *)&vlan.hdr.type - (char *)&vlan); b1 = Argusgen_cmp(ARGUS_VLAN_INDEX, offset, NFF_B, (u_int) ARGUS_VLAN_DSR, Q_EQUAL, Q_DEFAULT); return(b1); } static struct ablock * Argusgen_linktype(unsigned int proto) { struct ablock *b1 = NULL; struct ArgusFlow flow; int offset = ((char *)&flow.hdr.argus_dsrvl8.qual - (char *)&flow); switch (proto) { default: switch (proto) { case ETHERTYPE_REVARP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ARP, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_ARP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ARP, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_IP: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_IPV4, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_IPV6: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_IPV6, 0x1F, Q_EQUAL, Q_DEFAULT); break; case ETHERTYPE_ISIS: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ISIS, 0x1F, Q_EQUAL, Q_DEFAULT); break; default: { struct ablock *b0 = NULL; b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) ARGUS_TYPE_ETHER, 0x1F, Q_EQUAL, Q_DEFAULT); offset = ((char *)&flow.mac_flow.ehdr.ether_type - (char *)&flow); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_H, (u_int) proto, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } } break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_linktype (0x%x) returns %p\n", proto, b1); #endif return (b1); } static struct ablock * Argusgen_prototype(unsigned int v, unsigned int proto) { struct ArgusFlow flow; struct ArgusNetworkStruct net; struct ablock *b0, *b1; int offset; switch (v) { default: switch (proto) { case Q_IPV4: offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, v, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); return b1; case Q_IPV6: #if defined(_LITTLE_ENDIAN) offset = ((char *)&flow.ipv6_flow - (char *)&flow) + 35; #else offset = ((char *)&flow.ipv6_flow - (char *)&flow) + 32; #endif b0 = Argusgen_linktype(ETHERTYPE_IPV6); b1 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, v, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); return b1; case Q_IP: case Q_DEFAULT: b0 = Argusgen_prototype(v, Q_IPV4); b1 = Argusgen_prototype(v, Q_IPV6); Argusgen_or(b0, b1); return b1; } break; case IPPROTO_UDT: { offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_UDT_FLOW, Q_EQUAL, Q_DEFAULT); break; } case IPPROTO_RTP: { offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IPPROTO_UDP, Q_EQUAL, Q_DEFAULT); offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_RTP_FLOW, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case IPPROTO_RTCP: { offset = ((char *)&flow.ip_flow.ip_p - (char *)&flow); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IPPROTO_UDP, Q_EQUAL, Q_DEFAULT); offset = ((char *)&net.hdr.subtype - (char *)&net); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) ARGUS_RTCP_FLOW, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_prototype (0x%x) returns %p\n", proto, b1); #endif return b1; } static struct ablock * Argusgen_hostop(unsigned int *addr, unsigned int *mask, int type, int dir, unsigned int proto) { int offset, src_off = 0, dst_off = 0, len = 0; struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; switch (proto) { case ETHERTYPE_IP: src_off = ((char *)&flow.ip_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ip_flow.ip_dst - (char *)&flow); len = sizeof(flow.ip_flow.ip_src); break; case ETHERTYPE_IPV6: src_off = ((char *)&flow.ipv6_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ipv6_flow.ip_dst - (char *)&flow); len = sizeof(flow.ipv6_flow.ip_src); break; case ETHERTYPE_ARP: src_off = ((char *)&flow.arp_flow.arp_spa - (char *)&flow); dst_off = ((char *)&flow.arp_flow.arp_tpa - (char *)&flow); len = sizeof(flow.arp_flow.arp_spa); break; case ETHERTYPE_REVARP: break; } switch (dir) { case Q_SRC: offset = src_off; break; case Q_DST: offset = dst_off; break; case Q_AND: b0 = Argusgen_hostop(addr, mask, type, Q_SRC, proto); b1 = Argusgen_hostop(addr, mask, type, Q_DST, proto); Argusgen_and(b0, b1); return b1; case Q_OR: case Q_DEFAULT: b0 = Argusgen_hostop(addr, mask, type, Q_SRC, proto); b1 = Argusgen_hostop(addr, mask, type, Q_DST, proto); Argusgen_or(b0, b1); return b1; default: abort(); } switch (len) { case 0: break; case 1: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int)*addr, (u_int)*mask, Q_EQUAL, Q_DEFAULT); break; case 2: b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset, NFF_H, (u_int)*addr, (u_int)*mask, Q_EQUAL, Q_DEFAULT); break; case 4: case 8: case 16: { int i; for (i = 0; i < len/4; i++) { if (mask[i] != 0) { if (b1 == NULL) { b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset + i*4, NFF_W, (u_int)addr[i], (u_int)mask[i], Q_EQUAL, Q_DEFAULT); } else { b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, offset + i*4, NFF_W, (u_int)addr[i], (u_int)mask[i], Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); } } } } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_hostop (0x%x, 0x%x, %d, %d, 0x%x) returns %p\n", addr, mask, type, dir, proto, b1); #endif return b1; } static struct ablock * Argusgen_ehostop( u_char *eaddr, int dir) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusMacStruct mac; int offset; #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ehostop (0x%x, %d)\n", eaddr, dir); #endif switch (dir) { case Q_SRC: { offset = ((char *)&mac.mac.mac_union.ether.ehdr.ether_shost - (char *)&mac); return Argusgen_bcmp (ARGUS_MAC_INDEX, offset, 6, eaddr, Q_DEFAULT); } case Q_DST: { offset = ((char *)&mac.mac.mac_union.ether.ehdr.ether_dhost - (char *)&mac); return Argusgen_bcmp (ARGUS_MAC_INDEX, offset, 6, eaddr, Q_DEFAULT); } case Q_AND: { b0 = Argusgen_ehostop(eaddr, Q_SRC); b1 = Argusgen_ehostop(eaddr, Q_DST); Argusgen_and(b0, b1); return b1; } case Q_DEFAULT: case Q_OR: { b0 = Argusgen_ehostop(eaddr, Q_SRC); b1 = Argusgen_ehostop(eaddr, Q_DST); Argusgen_or(b0, b1); return b1; } } abort(); /* NOTREACHED */ } extern struct ArgusParserStruct *ArgusParser; static struct ablock * Argusgen_host(u_int *addr, u_int *mask, int type, int proto, int dir) { struct ablock *b0 = NULL, *b1 = NULL; switch (proto) { case Q_DEFAULT: { struct ablock *b2 = NULL; b0 = Argusgen_linktype(ETHERTYPE_ARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_ARP); Argusgen_and(b0, b1); } else b1 = b0; if (!type || (type == Q_IPV4)) { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } if (!type || (type == Q_IPV6)) { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } break; } case Q_IP: { struct ablock *b2 = NULL; if (!type || (type == Q_IPV4)) { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; } if (!type || (type == Q_IPV6)) { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b2 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b2); Argusgen_or(b2, b1); } else Argusgen_or(b0, b1); } break; } case Q_IPV6: { b0 = Argusgen_linktype(ETHERTYPE_IPV6); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IPV6); Argusgen_and(b0, b1); } break; } case Q_IPV4: { b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_ARP: { b0 = Argusgen_flow(ARGUS_FLOW_ARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_ARP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_RARP: { b0 = Argusgen_linktype(ETHERTYPE_REVARP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_REVARP); Argusgen_and(b0, b1); } else b1 = b0; break; } case Q_TCP: ArgusLog(LOG_ERR, "'tcp' modifier applied to host"); case Q_UDP: ArgusLog(LOG_ERR, "'udp' modifier applied to host"); case Q_RTP: ArgusLog(LOG_ERR, "'rtp' modifier applied to host"); case Q_RTCP: ArgusLog(LOG_ERR, "'rtcp' modifier applied to host"); case Q_UDT: ArgusLog(LOG_ERR, "'udt' modifier applied to host"); case Q_ICMP: b0 = Argusgen_linktype(ETHERTYPE_IP); if (*mask > 0) { b1 = Argusgen_hostop(addr, mask, type, dir, ETHERTYPE_IP); Argusgen_and(b0, b1); } else b1 = b0; break; case Q_ISIS: ArgusLog(LOG_ERR, "'isis' modifier applied to host"); case Q_RSVP: ArgusLog(LOG_ERR, "'rsvp' modifier applied to host"); default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_host (0x%x, 0x%x, %d, 0x%x, %d) returns %p\n", addr, mask, type, proto, dir, b1); #endif return (b1); } static struct ablock * Argusgen_srcid(u_int addr, u_int mask, int type) { struct ablock *b1 = NULL, *b0 = NULL, *tmp; struct ArgusTransportStruct trans; struct ArgusRecord mar; int offset = ((char *)&mar.argus_mar.argusid - (char *)&mar); tmp = Argusgen_recordtype(ARGUS_MAR); b1 = Argusgen_mcmp(ARGUS_MAR_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b1); offset = ((char *)&trans.srcid - (char *)&trans); tmp = Argusgen_recordtype(ARGUS_FAR); b0 = Argusgen_recordtype(ARGUS_EVENT); Argusgen_or(b0, tmp); b0 = Argusgen_mcmp(ARGUS_TRANSPORT_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b0); Argusgen_or(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_srcid (0x%x, 0x%x) returns %p\n", addr, mask, b1); #endif return (b1); } static struct ablock * Argusgen_inode(u_int addr, u_int mask, int type) { struct ablock *b1 = NULL, *tmp; struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.osrcaddr - (char *)&icmp); tmp = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_mcmp(ARGUS_ICMP_INDEX, offset, NFF_W, (u_int)addr, mask, Q_EQUAL, type); Argusgen_and(tmp, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_inode (0x%x, 0x%x) returns %p\n", addr, mask, b1); #endif return (b1); } static struct ablock * Argusgen_gateway( u_char *eaddr, u_int *alist, int type, int proto, int dir) { struct ablock *b0, *b1 = NULL; u_int maskbuf[4], *mask = maskbuf; if (dir != 0) ArgusLog(LOG_ERR, "direction applied to 'gateway'"); switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV4: case Q_ARP: case Q_RARP: *mask = 0xffffffffL; b0 = Argusgen_ehostop(eaddr, Q_OR); b1 = Argusgen_host(alist, mask, type, proto, Q_OR); Argusgen_not(b1); Argusgen_and(b0, b1); break; case Q_IPV6: default: ArgusLog(LOG_ERR, "illegal modifier of 'gateway'"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_gateway (0x%x, 0x%x, %d, 0x%x, %d) returns %p\n", eaddr, alist, type, proto, dir, b1); #endif return b1; } #include struct ablock * Argusgen_proto_abbrev(int proto) { struct ablock *b0, *b1 = NULL; switch (proto) { case Q_TCP: b1 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); break; case Q_ESP: b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); break; case Q_RTP: b1 = Argusgen_prototype(IPPROTO_RTP, Q_DEFAULT); break; case Q_RTCP: b1 = Argusgen_prototype(IPPROTO_RTCP, Q_DEFAULT); break; case Q_UDT: b1 = Argusgen_prototype(IPPROTO_UDT, Q_DEFAULT); break; case Q_UDP: b1 = Argusgen_prototype(IPPROTO_UDP, Q_DEFAULT); break; case Q_ICMP: b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); break; case Q_IGMP: b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); break; case Q_IGRP: b1 = Argusgen_prototype(IPPROTO_IGRP, Q_DEFAULT); break; case Q_ARP: b1 = Argusgen_flow(ARGUS_FLOW_ARP); break; case Q_MPLS: b1 = Argusgen_mpls(Q_DEFAULT); break; case Q_VLAN: b1 = Argusgen_vlan(Q_DEFAULT); break; case Q_RARP: b1 = Argusgen_linktype(ETHERTYPE_REVARP); break; case Q_IPV6: b1 = Argusgen_linktype(ETHERTYPE_IPV6); break; case Q_IPV4: b1 = Argusgen_linktype(ETHERTYPE_IP); break; case Q_IP: b0 = Argusgen_linktype(ETHERTYPE_IPV6); b1 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_or(b0, b1); break; case Q_ISIS: b1 = Argusgen_linktype(ETHERTYPE_ISIS); break; case Q_MAN: b1 = Argusgen_recordtype(ARGUS_MAR); break; case Q_FAR: b1 = Argusgen_recordtype(ARGUS_FAR); break; case Q_EVENT: b1 = Argusgen_recordtype(ARGUS_EVENT); break; case Q_INDEX: b1 = Argusgen_recordtype(ARGUS_INDEX); break; case Q_CONNECTED: case Q_ESTABLISHED: b0 = Argusgen_ipstatustype(ARGUS_CON_ESTABLISHED); b1 = Argusgen_tcpstatustype(ARGUS_CON_ESTABLISHED); Argusgen_or(b0, b1); break; case Q_MERGED: case Q_ANON: break; case Q_ICMPMAP: { struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b1 = Argusgen_mcmp(ARGUS_ICMP_INDEX, offset, NFF_B, 0, 0x07, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_ECHO: { struct ArgusNetworkStruct net; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x08, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x00, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_UNREACH: { struct ArgusNetworkStruct net; struct ArgusIcmpStruct icmp; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x03, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPUNREACH_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_REDIRECT: { struct ArgusIcmpStruct icmp; int offset = ((char *)&icmp.icmp_type - (char *)&icmp); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, (u_int) 0x05, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPREDIREC_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_TIMEXED: { struct ArgusNetworkStruct net; struct ArgusIcmpStruct icmp; int offset = ((char *)&net.net_union.icmp.icmp_type - (char *)&net); b1 = Argusgen_prototype(IPPROTO_ICMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, offset, NFF_B, (u_int) 0x0B, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); offset = ((char *)&icmp.hdr.argus_dsrvl8.qual - (char *)&icmp); b0 = Argusgen_cmp(ARGUS_ICMP_INDEX, offset, NFF_B, ARGUS_ICMPTIMXCED_MAPPED, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } case Q_START: b1 = Argusgen_causetype(ARGUS_START); break; case Q_STOP: b1 = Argusgen_causetype(ARGUS_STOP); break; case Q_STATUS: b1 = Argusgen_causetype(ARGUS_STATUS); break; case Q_SHUTDOWN: b1 = Argusgen_causetype(ARGUS_SHUTDOWN); break; case Q_ERROR: b1 = Argusgen_causetype(ARGUS_ERROR); break; case Q_TIMEDOUT: b1 = Argusgen_causetype(ARGUS_TIMEOUT); break; case Q_RETRANS: b0 = Argusgen_espstatustype(ARGUS_SRC_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_SRC_PKTS_RETRANS); Argusgen_or(b0, b1); b0 = Argusgen_espstatustype(ARGUS_DST_PKTS_DROP); Argusgen_or(b0, b1); b0 = Argusgen_tcpstatustype(ARGUS_DST_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_SRCRETRANS: b0 = Argusgen_espstatustype(ARGUS_SRC_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_SRC_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_DSTRETRANS: b0 = Argusgen_espstatustype(ARGUS_DST_PKTS_DROP); b1 = Argusgen_tcpstatustype(ARGUS_DST_PKTS_RETRANS); Argusgen_or(b0, b1); break; case Q_FRAG: b0 = Argusgen_ipattrstatustype(ARGUS_IPATTR_SRC_FRAGMENTS); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_DST_FRAGMENTS); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_and(b0, b1); break; case Q_SRCFRAG: b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_SRC_FRAGMENTS); Argusgen_and(b0, b1); break; case Q_DSTFRAG: b0 = Argusgen_linktype(ETHERTYPE_IP); b1 = Argusgen_ipattrstatustype(ARGUS_IPATTR_DST_FRAGMENTS); Argusgen_and(b0, b1); break; case Q_OUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_SRC_OUTOFORDER); b0 = Argusgen_tcpstatustype(ARGUS_DST_OUTOFORDER); Argusgen_or(b0, b1); break; case Q_SRCOUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_SRC_OUTOFORDER); break; case Q_DSTOUTOFORDER: b1 = Argusgen_tcpstatustype(ARGUS_DST_OUTOFORDER); break; case Q_SYN: b1 = Argusgen_tcpstatustype(ARGUS_SAW_SYN); break; case Q_SYNACK: b1 = Argusgen_tcpstatustype(ARGUS_SAW_SYN_SENT); break; case Q_FIN: b1 = Argusgen_tcpstatustype(ARGUS_FIN); break; case Q_FINACK: b1 = Argusgen_tcpstatustype(ARGUS_FIN_ACK); break; case Q_WAIT: b1 = Argusgen_tcpstatustype(ARGUS_CLOSE_WAITING); break; case Q_NORMAL: b1 = Argusgen_tcpstatustype(ARGUS_NORMAL_CLOSE); break; case Q_RTR: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_MEMBERSHIP_QUERY, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_LVG: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_LEAVE_MESSAGE, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_MBR: { struct ArgusFlow flow; int offset = ((char *)&flow.igmp_flow.type - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_IGMP, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, offset, NFF_B, (u_int) IGMP_HOST_MEMBERSHIP_QUERY, Q_EQUAL, Q_DEFAULT); Argusgen_not(b0); Argusgen_and(b0, b1); break; } case Q_COCODE: { struct ArgusCountryCodeStruct cocode; int offset = ((char *)&cocode.src - (char *)&cocode); b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, offset, NFF_H, 0, Q_EQUAL, Q_DEFAULT); Argusgen_not(b1); break; } case Q_LINK: ArgusLog(LOG_ERR, "link layer applied in wrong context"); default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_proto_abbrev (%d) returns 0x%x\n", proto, b1); #endif return b1; } static struct ablock * Argusgen_tcpoptatom(int off, u_int v) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, (u_int)v, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpoptatom (%d, %d) returns %p\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_ipidatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_H, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipidatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_ttlatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_B, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ttlatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_tosatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_IPATTR_INDEX, off, NFF_B, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tosatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_dsbatom(int off, u_int v, u_int op) { struct ablock *b0; v = (v << 2); b0 = Argusgen_mcmp(ARGUS_IPATTR_INDEX, off, NFF_B, v, 0xFC, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dsbatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_vidatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_VLAN_INDEX, off, NFF_H, v, 0x0FFF, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vidatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_vpriatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_VLAN_INDEX, off, NFF_H, (v << 12), 0xF000, Q_EQUAL, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vpriatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_midatom(int off, u_int v, u_int op) { struct ablock *b0; unsigned int mask = 0xFFFFF000; unsigned int label = v << 12; b0 = Argusgen_mcmp(ARGUS_MPLS_INDEX, off, NFF_W, label, mask, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_midatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_encapsatom(int off, u_int v, u_int op) { struct ablock *b0; b0 = Argusgen_mcmp(ARGUS_ENCAPS_INDEX, off, NFF_W, v, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_encapsatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_portatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, off, NFF_H, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_portatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_pktatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_METRIC_INDEX, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pktatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_byteatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_METRIC_INDEX, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_byteatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_nstrokeatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_BEHAVIOR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_nstrokeatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } /* static struct ablock * Argusgen_dupatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dupatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } */ static struct ablock * Argusgen_tcpbaseatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_NETWORK_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpbaseatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_transatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_AGR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_transatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_rateatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_rateatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_loadatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_loadatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_plossatom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_plossatom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_pcratom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pcratom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_duratom( int off, float v, int op) { struct ablock *b0; b0 = Argusgen_fcmp(-1, off, NFF_F, v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_duratom (%d, %f, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_meanatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(-1, off, NFF_L, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_meanatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_deltaduratom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltaduratom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltastartatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltastartatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltalastatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v*1000, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltalastatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltaspktsatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltaspktsatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_deltadpktsatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadpktsatom (%d, 0x%x, %d) returns 0x%x\n", off, v, op, b0); #endif return b0; } static struct ablock * Argusgen_asnatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_ASN_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_asnatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_coratom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_COR_INDEX, off, NFF_B, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_coratom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } static struct ablock * Argusgen_spiatom( int off, long v, int op) { struct ablock *b0; b0 = Argusgen_cmp(ARGUS_FLOW_INDEX, off, NFF_W, (u_int)v, op, Q_DEFAULT); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_spiatom (%d, 0x%x) returns 0x%x\n", off, v, b0); #endif return b0; } struct ablock * Argusgen_portop(int port, int proto, int dir, u_int op) { struct ArgusFlow flow; struct ablock *b0 = NULL, *b1 = NULL, *b2 = NULL; /* ip proto 'proto' */ switch (dir) { case Q_SRC: { int ip4offset = ((char *)&flow.ip_flow.sport - (char *)&flow); int ip6offset = ((char *)&flow.ipv6_flow.sport - (char *)&flow); b1 = Argusgen_prototype(proto, Q_IPV4); b0 = Argusgen_portatom(ip4offset, port, op); Argusgen_and(b0, b1); b2 = Argusgen_prototype(proto, Q_IPV6); b0 = Argusgen_portatom(ip6offset, port, op); Argusgen_and(b0, b2); Argusgen_or(b2, b1); break; } case Q_DST: { int ip4offset = ((char *)&flow.ip_flow.dport - (char *)&flow); int ip6offset = ((char *)&flow.ipv6_flow.dport - (char *)&flow); b1 = Argusgen_prototype(proto, Q_IPV4); b0 = Argusgen_portatom(ip4offset, port, op); Argusgen_and(b0, b1); b2 = Argusgen_prototype(proto, Q_IPV6); b0 = Argusgen_portatom(ip6offset, port, op); Argusgen_and(b0, b2); Argusgen_or(b2, b1); break; } case Q_OR: case Q_DEFAULT: b0 = Argusgen_portop(port, proto, Q_SRC, op); b1 = Argusgen_portop(port, proto, Q_DST, op); Argusgen_or(b0, b1); break; case Q_AND: b0 = Argusgen_portop(port, proto, Q_SRC, op); b1 = Argusgen_portop(port, proto, Q_DST, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_portop (0x%x, 0x%x, %d) returns 0x%x\n", port, proto, dir, b1); #endif return b1; } static struct ablock * Argusgen_port( int port, u_int ip_proto, int dir, u_int op) { struct ablock *b1, *b0; switch (ip_proto) { case IPPROTO_TCP: b1 = Argusgen_portop(port, IPPROTO_TCP, dir, op); break; case IPPROTO_UDP: b1 = Argusgen_portop(port, IPPROTO_UDP, dir, op); break; case IPPROTO_UDT: b1 = Argusgen_portop(port, IPPROTO_UDT, dir, op); break; case IPPROTO_RTP: b0 = Argusgen_portop(port, IPPROTO_UDP, dir, op); b1 = Argusgen_portop(port, IPPROTO_RTP, dir, op); Argusgen_and(b0, b1); break; case IPPROTO_RTCP: b0 = Argusgen_portop(port, IPPROTO_UDP, dir, op); b1 = Argusgen_portop(port, IPPROTO_RTCP, dir, op); Argusgen_and(b0, b1); break; case PROTO_UNDEF: b0 = Argusgen_portop(port, IPPROTO_TCP, dir, op); b1 = Argusgen_portop(port, IPPROTO_UDP, dir, op); Argusgen_or(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_port (0x%x, 0x%x, %d) returns 0x%x\n", port, ip_proto, dir, b1); #endif return b1; } static int Arguslookup_proto( char *name, int proto) { int v = 0; switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV6: case Q_IPV4: v = argus_nametoproto(name); if (v == PROTO_UNDEF) ArgusLog(LOG_ERR, "unknown proto '%s'", name); break; case Q_LINK: /* XXX should look up h/w protocol type based on linktype */ v = argus_nametoeproto(name); if (v == PROTO_UNDEF) ArgusLog(LOG_ERR, "unknown ether proto '%s'", name); break; case Q_MAN: ArgusLog (LOG_ERR, "man proto called '%s'", name); break; default: v = PROTO_UNDEF; break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Arguslookup_proto (%s, 0x%x) returns 0x%x\n", name, proto, v); #endif return v; } static struct ablock * Argusgen_proto( int v, int proto, int dir) { struct ablock *b1; if (dir != Q_DEFAULT) ArgusLog(LOG_ERR, "direction applied to 'proto'"); switch (proto) { case Q_DEFAULT: case Q_IP: case Q_IPV6: case Q_IPV4: b1 = Argusgen_prototype(v, proto); break; case Q_ARP: b1 = Argusgen_linktype(ETHERTYPE_ARP); break; case Q_RARP: ArgusLog(LOG_ERR, "rarp does not encapsulate another protocol"); /* NOTREACHED */ case Q_MAN: b1 = Argusgen_recordtype(ARGUS_MAR); break; case Q_FAR: b1 = Argusgen_recordtype(ARGUS_FAR); break; case Q_EVENT: b1 = Argusgen_recordtype(ARGUS_EVENT); break; case Q_INDEX: b1 = Argusgen_recordtype(ARGUS_INDEX); break; case Q_LINK: b1 = Argusgen_linktype(v); break; case Q_UDP: ArgusLog(LOG_ERR, "'udp proto' is bogus"); /* NOTREACHED */ case Q_RTP: ArgusLog(LOG_ERR, "'rtp proto' is bogus"); /* NOTREACHED */ case Q_RTCP: ArgusLog(LOG_ERR, "'rtcp proto' is bogus"); /* NOTREACHED */ case Q_TCP: ArgusLog(LOG_ERR, "'tcp proto' is bogus"); /* NOTREACHED */ case Q_ICMP: ArgusLog(LOG_ERR, "'icmp proto' is bogus"); /* NOTREACHED */ case Q_IGMP: ArgusLog(LOG_ERR, "'igmp proto' is bogus"); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_proto (0x%x, 0x%x, %d) returns 0x%x\n", v, proto, dir, b1); #endif return b1; } static struct ablock * Argusgen_flow(int tflow) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int soffset = ((char *)&flow.hdr.subtype - (char *)&flow); b0 = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, soffset, NFF_B, tflow, tflow, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_flow (%d) returns 0x%x\n", tflow, b1); #endif return b1; } static struct ablock * Argusgen_tcpopt(int v) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; unsigned int opt = 0; int offset = ((char *)&net.net_union.tcp.options - (char *)&net); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (v) { case Q_TCPOPT: opt = ARGUS_TCP_OPTIONS; break; case Q_MSS: opt = ARGUS_TCP_MAXSEG; break; case Q_WSCALE: opt = ARGUS_TCP_WSCALE; break; case Q_SELECTIVEACKOK: opt = ARGUS_TCP_SACKOK; break; case Q_SELECTIVEACK: opt = ARGUS_TCP_SACK; break; case Q_TCPECHO: opt = ARGUS_TCP_ECHO; break; case Q_TCPECHOREPLY: opt = ARGUS_TCP_ECHOREPLY; break; case Q_TCPTIMESTAMP: opt = ARGUS_TCP_TIMESTAMP; break; case Q_TCPCC: opt = ARGUS_TCP_CC; break; case Q_TCPCCNEW: opt = ARGUS_TCP_CCNEW; break; case Q_TCPCCECHO: opt = ARGUS_TCP_CCECHO; break; case Q_SECN: opt = ARGUS_TCP_SRC_ECN; break; case Q_DECN: opt = ARGUS_TCP_DST_ECN; break; } b1 = Argusgen_tcpoptatom(offset, opt); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpopt (%d) returns %p\n", v, b1); #endif return b1; } static struct ablock * Argusgen_ipid(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.ip_id - (char *)&attr); int doffset = ((char *)&attr.dst.ip_id - (char *)&attr); b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); switch (dir) { case Q_SRC: b1 = Argusgen_ipidatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_ipidatom(doffset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: tmp = Argusgen_ipidatom(soffset, (u_int)v, op); b1 = Argusgen_ipidatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_ipidatom(soffset, (u_int)v, op); b1 = Argusgen_ipidatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; default: abort(); } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ipid (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_ttl(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.ttl - (char *)&attr); int doffset = ((char *)&attr.dst.ttl - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: { b1 = Argusgen_ttlatom(soffset, (u_int)v, op); break; } case Q_DST: { b1 = Argusgen_ttlatom(doffset, (u_int)v, op); break; } case Q_OR: case Q_DEFAULT: tmp = Argusgen_ttlatom(soffset, (u_int)v, op); b1 = Argusgen_ttlatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_ttlatom(soffset, (u_int)v, op); b1 = Argusgen_ttlatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; default: abort(); } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ttl (0x%x, %d, %d) returns %p\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_tos(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.tos - (char *)&attr); int doffset = ((char *)&attr.dst.tos - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: b1 = Argusgen_tosatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_tosatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_tosatom(soffset, (u_int)v, op); b1 = Argusgen_tosatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_tosatom(soffset, (u_int)v, op); b1 = Argusgen_tosatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tos (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_dsb(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL, *tmp; struct ArgusIPAttrStruct attr; int soffset = ((char *)&attr.src.tos - (char *)&attr); int doffset = ((char *)&attr.dst.tos - (char *)&attr); b0 = Argusgen_linktype(ETHERTYPE_IP); switch (dir) { case Q_SRC: b1 = Argusgen_dsbatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_dsbatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_dsbatom(soffset, (u_int)v, op); b1 = Argusgen_dsbatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_dsbatom(soffset, (u_int)v, op); b1 = Argusgen_dsbatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dsb (0x%x, %d) returns %p\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_cocode(char *v, int dir, u_int op) { extern struct ArgusParserStruct *ArgusParser; struct ablock *b0 = NULL, *b1 = NULL; struct ArgusCountryCodeStruct cocode; unsigned short val; int soffset = ((char *)&cocode.src - (char *)&cocode); int doffset = ((char *)&cocode.dst - (char *)&cocode); bcopy(v, (char *)&val, sizeof(val)); switch (dir) { case Q_SRC: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); break; case Q_DST: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); break; default: case Q_OR: case Q_DEFAULT: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_AND: b1 = Argusgen_cmp(ARGUS_COCODE_INDEX, doffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); b0 = Argusgen_cmp(ARGUS_COCODE_INDEX, soffset, NFF_H, val, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_cocode (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_vid(int v, int dir, u_int op) { struct ArgusVlanStruct vlan; struct ablock *b0, *b1 = NULL; int offset = 0; switch (dir) { case Q_SRC: offset = ((char *)&vlan.sid - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vidatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vidatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vidatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vid (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_vpri(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusVlanStruct vlan; int offset; switch (dir) { case Q_SRC: offset = ((char *)&vlan.sid - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vpriatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&vlan.sid - (char *)&vlan); b0 = Argusgen_vpriatom(offset, (u_int)v, op); offset = ((char *)&vlan.did - (char *)&vlan); b1 = Argusgen_vpriatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_vpri (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_mid(int v, int dir, u_int op) { struct ablock *retn = NULL, *b0, *b1 = NULL; struct ArgusMplsStruct mpls; int offset; switch (dir) { case Q_SRC: offset = ((char *)&mpls.slabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&mpls.slabel - (char *)&mpls); b0 = Argusgen_midatom(offset, (u_int)v, op); offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&mpls.slabel - (char *)&mpls); b0 = Argusgen_midatom(offset, (u_int)v, op); offset = ((char *)&mpls.dlabel - (char *)&mpls); b1 = Argusgen_midatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } if (retn != NULL) { Argusgen_or(b1, retn); } else retn = b1; #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mid (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return retn; } static struct ablock * Argusgen_encaps(int v, int dir, u_int op) { struct ablock *b1 = NULL, *tmp; struct ArgusEncapsStruct encaps; int soffset = ((char *)&encaps.src - (char *)&encaps); int doffset = ((char *)&encaps.dst - (char *)&encaps); switch (dir) { case Q_SRC: b1 = Argusgen_encapsatom(soffset, (u_int)v, op); break; case Q_DST: b1 = Argusgen_encapsatom(doffset, (u_int)v, op); break; default: case Q_OR: case Q_DEFAULT: tmp = Argusgen_encapsatom(soffset, (u_int)v, op); b1 = Argusgen_encapsatom(doffset, (u_int)v, op); Argusgen_or(tmp, b1); break; case Q_AND: tmp = Argusgen_encapsatom(soffset, (u_int)v, op); b1 = Argusgen_encapsatom(doffset, (u_int)v, op); Argusgen_and(tmp, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_encaps (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_trans(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusAgrStruct agr; int offset; offset = ((char *)&agr.count - (char *)&agr); b1 = Argusgen_transatom(offset, (u_int)v, op); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_trans (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_rate(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.srate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.srate - (char *)&argus.hdr); b0 = Argusgen_rateatom(offset, v, op); offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.srate - (char *)&argus.hdr); b0 = Argusgen_rateatom(offset, v, op); offset = ((char *)&argus.drate - (char *)&argus.hdr); b1 = Argusgen_rateatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_rate (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_load(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sload - (char *)&argus.hdr); b0 = Argusgen_loadatom(offset, v, op); offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sload - (char *)&argus.hdr); b0 = Argusgen_loadatom(offset, v, op); offset = ((char *)&argus.dload - (char *)&argus.hdr); b1 = Argusgen_loadatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_load (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } /* static struct ablock * Argusgen_loss(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b0 = Argusgen_lossatom(offset, v, op); offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sloss - (char *)&argus.hdr); b0 = Argusgen_lossatom(offset, v, op); offset = ((char *)&argus.dloss - (char *)&argus.hdr); b1 = Argusgen_lossatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_loss (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } */ static struct ablock * Argusgen_ploss(float v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); break; case Q_DST: offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b0 = Argusgen_plossatom(offset, v, op); offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&argus.sploss - (char *)&argus.hdr); b0 = Argusgen_plossatom(offset, v, op); offset = ((char *)&argus.dploss - (char *)&argus.hdr); b1 = Argusgen_plossatom(offset, v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ploss (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_pcr(float v, int dir, u_int op) { struct ArgusRecordStruct argus; struct ablock *b1 = NULL, *b0 = NULL; int offset = ((char *)&argus.pcr - (char *)&argus.hdr); b0 = Argusgen_recordtype(ARGUS_FAR); b1 = Argusgen_pcratom(offset, v, op); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pcr (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_inter(float v, int dir, int type, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusJitterStruct jitter; float value = v * 1000.0; int offset; switch (dir) { case Q_SRC: switch (type) { case Q_INTER: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.src.idle.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_DST: switch (type) { case Q_INTER: offset = (char *)&jitter.dst.act.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.dst.act.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.dst.idle.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_OR: switch (type) { case Q_INTER: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.src.idle.meanval - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); offset = (char *)&jitter.dst.act.meanval - (char *)&jitter; b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_DEFAULT: case Q_AND: switch (type) { case Q_INTER: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.src.act.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.src.idle.meanval - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); switch (type) { case Q_INTER: offset = (char *)&jitter.dst.act.meanval - (char *)&jitter; break; case Q_INTERACTIVE: offset = (char *)&jitter.dst.act.meanval - (char *)&jitter; break; case Q_INTERIDLE: offset = (char *)&jitter.dst.idle.meanval - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_inter (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_jitter(float v, int dir, int type, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusJitterStruct jitter; float value = v * 1000.0; int offset; switch (dir) { case Q_SRC: switch (type) { case Q_JITTER: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.src.idle.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_DST: switch (type) { case Q_JITTER: offset = (char *)&jitter.dst.act.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.dst.act.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.dst.idle.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); break; case Q_OR: switch (type) { case Q_JITTER: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.src.idle.stdev - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); offset = (char *)&jitter.dst.act.stdev - (char *)&jitter; b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_or(b0, b1); break; case Q_DEFAULT: case Q_AND: switch (type) { case Q_JITTER: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.src.act.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.src.idle.stdev - (char *)&jitter; break; } b0 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); switch (type) { case Q_JITTER: offset = (char *)&jitter.dst.act.stdev - (char *)&jitter; break; case Q_JITTERACTIVE: offset = (char *)&jitter.dst.act.stdev - (char *)&jitter; break; case Q_JITTERIDLE: offset = (char *)&jitter.dst.idle.stdev - (char *)&jitter; break; } b1 = Argusgen_fcmp(ARGUS_JITTER_INDEX, offset, NFF_F, value, op, Q_DEFAULT); Argusgen_and(b0, b1); break; } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_jitter (%f, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_dur(float v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: offset = ((char *)&argus.dur - (char *)&argus.hdr); b1 = Argusgen_duratom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dur (%f, %d, %d) returns 0x%x\n", v, dir, op, b1); #endif return b1; } static struct ablock * Argusgen_mean(float v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusRecordStruct argus; int offset; switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: offset = ((char *)&argus.mean - (char *)&argus.hdr); b1 = Argusgen_meanatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mean (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltadur(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaDur - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltaduratom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadur (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltastart(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaStart - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltastartatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltastart (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltalast(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaLast - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltalastatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltalast (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltasrcpkts(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaSrcPkts - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltaspktsatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltasrcpkts (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_deltadstpkts(int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.metrics.deltaDstPkts - (char *)&cor); switch (dir) { case Q_SRC: case Q_DST: case Q_OR: case Q_DEFAULT: case Q_AND: b1 = Argusgen_deltadpktsatom(offset, v, op); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_deltadstpkts (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_asn(u_int v, int dir, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusAsnStruct asn; int offset; switch (dir) { case Q_SRC: offset = ((char *)&asn.src_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&asn.src_as - (char *)&asn); b0 = Argusgen_asnatom(offset, (u_int)v, op); offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&asn.src_as - (char *)&asn); b0 = Argusgen_asnatom(offset, (u_int)v, op); offset = ((char *)&asn.dst_as - (char *)&asn); b1 = Argusgen_asnatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_asn (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_cor(u_int v, int dir, u_int op) { struct ablock *b1 = NULL; struct ArgusCorrelateStruct cor; int offset = ((char *)&cor.hdr.argus_dsrvl8.len - (char *)&cor); int value = (v * ((sizeof(struct ArgusCorMetrics) + 3 )/ 4)) + 1; if (value == 1) value = 0; b1 = Argusgen_coratom(offset, (u_int)value, op); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_cor (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_spi(u_int v, int dir, u_int op) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int offset = ((char *)&flow.flow_un.esp.spi - (char *)&flow); b1 = Argusgen_prototype(IPPROTO_ESP, Q_DEFAULT); b0 = Argusgen_spiatom(offset, v, op); if (b0) Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_spi (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } /* static struct ablock * Argusgen_dup(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; int offset; switch (dir) { case Q_SRC: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b0 = Argusgen_dupatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&net.net_union.tcp.sdups - (char *)&net); b0 = Argusgen_dupatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.ddups - (char *)&net); b1 = Argusgen_dupatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_dup (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } */ static struct ablock * Argusgen_tcpbase(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusNetworkStruct net; int offset; switch (dir) { case Q_SRC: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b0 = Argusgen_tcpbaseatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&net.net_union.tcp.src.seqbase - (char *)&net); b0 = Argusgen_tcpbaseatom(offset, (u_int)v, op); offset = ((char *)&net.net_union.tcp.dst.seqbase - (char *)&net); b1 = Argusgen_tcpbaseatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcpbase (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_pkt(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.pkts - (char *)&metric); b0 = Argusgen_pktatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.pkts - (char *)&metric); b0 = Argusgen_pktatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.pkts - (char *)&metric); b1 = Argusgen_pktatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_pkt (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } static struct ablock * Argusgen_byte(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.bytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.bytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.bytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_byte (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } struct ablock * Argusgen_appbytes(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusMetricStruct metric; int offset; switch (dir) { case Q_SRC: offset = ((char *)&metric.src.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&metric.src.appbytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&metric.src.appbytes - (char *)&metric); b0 = Argusgen_byteatom(offset, (u_int)v, op); offset = ((char *)&metric.dst.appbytes - (char *)&metric); b1 = Argusgen_byteatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_appbytes (0x%x, %d) returns 0x%x\n", v, dir, b1); #endif return b1; } struct ablock * Argusgen_seq(int v, int dir, u_int op) { struct ablock *b1 = NULL, *b0 = NULL; struct ArgusTransportStruct trans; int offset; offset = ((char *)&trans.seqnum - (char *)&trans); b1 = Argusgen_recordtype(ARGUS_FAR); b0 = Argusgen_cmp(ARGUS_TRANSPORT_INDEX, offset, NFF_W, (u_int)v, op, Q_DEFAULT); Argusgen_and(b0, b1); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_seq (0x%x, %d, 0x%x) returns %p\n", v, dir, op ,b1); #endif return (b1); } static struct ablock * Argusgen_nstroke(int v, int dir, u_int op) { struct ablock *b0, *b1 = NULL; struct ArgusBehaviorStruct actor; int offset; switch (dir) { case Q_SRC: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); break; case Q_DST: offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); break; case Q_OR: case Q_DEFAULT: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b0 = Argusgen_nstrokeatom(offset, (u_int)v, op); offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); Argusgen_or(b0, b1); break; case Q_AND: offset = ((char *)&actor.keyStroke.src.n_strokes - (char *)&actor); b0 = Argusgen_nstrokeatom(offset, (u_int)v, op); offset = ((char *)&actor.keyStroke.dst.n_strokes - (char *)&actor); b1 = Argusgen_nstrokeatom(offset, (u_int)v, op); Argusgen_and(b0, b1); break; default: abort(); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_nstroke (0x%x, %d, 0x%x) returns %p\n", v, dir, op, b1); #endif return b1; } /* * Left justify 'addr' and return its resulting network mask. */ #if !defined(TH_ECE) #define TH_ECE 0x40 #endif #if !defined(TH_CWR) #define TH_CWR 0x80 #endif #if !defined(CYGWIN) static u_int net_mask(u_int *addr) { register u_int m = 0xffffffff; if (*addr) while ((*addr & 0xff000000) == 0) *addr <<= 8, m <<= 8; #if defined(ARGUSDEBUG) ArgusDebug (9, "net_mask (0x%x) returns 0x%x\n", addr, m); #endif return m; } #endif #include struct ablock * Argusgen_ocode(int name, struct qual q) { struct ablock *b1 = NULL; b1 = Argusgen_tcpopt(name); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ocode (0x%x, 0x%x) returns %p\n", name, q, b1); #endif return b1; } struct ablock * Argusgen_tcode(int name, struct qual q) { int dir = q.dir; struct ablock *b0 = NULL, *b1 = NULL; switch (name) { case Q_OUTOFORDER: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCOUTOFORDER); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTOUTOFORDER); break; case Q_AND: b0 = Argusgen_proto_abbrev(Q_SRCOUTOFORDER); b1 = Argusgen_proto_abbrev(Q_DSTOUTOFORDER); Argusgen_and(b0, b1); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_OUTOFORDER); break; } break; } case Q_RETRANS: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCRETRANS); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTRETRANS); break; case Q_AND: b0 = Argusgen_proto_abbrev(Q_SRCRETRANS); b1 = Argusgen_proto_abbrev(Q_DSTRETRANS); Argusgen_and(b0, b1); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_RETRANS); break; } break; } case Q_FRAG: { switch (dir) { case Q_SRC: b1 = Argusgen_proto_abbrev(Q_SRCFRAG); break; case Q_DST: b1 = Argusgen_proto_abbrev(Q_DSTFRAG); break; default: case Q_OR: b1 = Argusgen_proto_abbrev(Q_FRAG); break; } break; } case Q_FRAG_ONLY: { break; } case Q_WINSHUT: { switch (dir) { case Q_SRC: b1 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); break; case Q_DST: b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); break; case Q_AND: b0 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_tcpstatustype(ARGUS_SRC_WINDOW_SHUT); b1 = Argusgen_tcpstatustype(ARGUS_DST_WINDOW_SHUT); Argusgen_or(b0, b1); break; } break; } case Q_ECN: { switch (dir) { case Q_SRC: b1 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); break; case Q_DST: b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); break; case Q_AND: b0 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_tcpstatustype(ARGUS_SRC_CONGESTED); b1 = Argusgen_tcpstatustype(ARGUS_DST_CONGESTED); Argusgen_or(b0, b1); break; } break; } case Q_SYN: case Q_ACK: case Q_PUSH: case Q_URGENT: case Q_RESET: case Q_ECE: case Q_CWR: case Q_FIN: { struct ArgusNetworkStruct net; int soffset = ((char *)&net.net_union.tcp.src.flags - (char *)&net); int doffset = ((char *)&net.net_union.tcp.dst.flags - (char *)&net); int value = 0; switch (name) { case Q_SYN: value = TH_SYN; break; case Q_ACK: value = TH_ACK; break; case Q_PUSH: value = TH_PUSH; break; case Q_URGENT: value = TH_URG; break; case Q_FIN: value = TH_FIN; break; case Q_RESET: value = TH_RST; break; case Q_ECE: value = TH_ECE; break; case Q_CWR: value = TH_CWR; break; } switch (dir) { case Q_SRC: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; case Q_DST: b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; case Q_AND: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_and(b0, b1); break; default: case Q_OR: b0 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, soffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); b1 = Argusgen_mcmp(ARGUS_NETWORK_INDEX, doffset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } b0 = Argusgen_prototype(IPPROTO_TCP, Q_DEFAULT); Argusgen_and(b0, b1); break; } case Q_MULTIPATH: { struct ArgusMacStruct mac; int offset = ((char *)&mac.hdr.argus_dsrvl8.qual - (char *)&mac); int value = 0; switch (dir) { case Q_SRC: { value = ARGUS_SRC_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } case Q_DST: { value = ARGUS_DST_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } case Q_AND: { value = ARGUS_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); break; } default: case Q_OR: { value = ARGUS_SRC_MULTIPATH; b0 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); value = ARGUS_DST_MULTIPATH; b1 = Argusgen_mcmp(ARGUS_MAC_INDEX, offset, NFF_B, value, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); break; } } break; } case Q_PSNP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_PSNP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_PSNP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_CSNP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_CSNP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_CSNP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_HELLO: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_LAN_IIH; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_LAN_IIH; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } case Q_LSP: { struct ArgusFlow flow; int offset = ((char *)&flow.isis_flow.pdu_type - (char *)&flow); int value = 0; value = L1_LSP; b0 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); value = L2_LSP; b1 = Argusgen_cmp (ARGUS_FLOW_INDEX, offset, NFF_W, value, Q_EQUAL, Q_DEFAULT); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_ISIS); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_tcode (0x%x, 0x%x) returns %p\n", name, q, b1); #endif return b1; } #include struct ablock * Argusgen_scode(char *name, struct qual q) { int port, real_proto = -1, slen = 0, i; int type = q.type, proto = q.proto, dir = q.dir; u_int maskbuf[4], *mask = maskbuf; struct ablock *b = NULL, *tmp; #if HAVE_GETADDRINFO struct addrinfo *host = NULL; int retn; #else struct hostent *host = NULL; u_int **alist; #endif u_char *eaddr; slen = strlen(name); if ((name[0] == '\"') && (name[strlen(name) - 1] == '\"')) { name++; name[strlen(name) - 1] = '\0'; slen -= 2; } switch (q.addr) { case Q_NET: { #if defined(CYGWIN) ArgusLog(LOG_ERR, "cygwin does not support net"); #else u_int addr = 0; struct netent *np; if ((np = getnetbyname(name)) != NULL) if ((addr = np->n_net) == 0) ArgusLog(LOG_ERR, "unknown network '%s'", name); *mask = net_mask(&addr); b = Argusgen_host(&addr, mask, type, proto, dir); #endif break; } case Q_DEFAULT: case Q_HOST: switch (proto) { case Q_LINK: { eaddr = argus_ether_hostton(name); if (eaddr == NULL) ArgusLog(LOG_ERR, "unknown ether host '%s'", name); b = Argusgen_ehostop(eaddr, dir); break; } case Q_DECNET: { unsigned short dn_addr = __argus_nametodnaddr(name); b = (Argusgen_host((u_int *)&dn_addr, 0, type, proto, dir)); break; } case Q_DEFAULT: case Q_IPV6: case Q_IP: case Q_IPV4: { #if HAVE_GETADDRINFO if ((retn = getaddrinfo(name, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[128]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); tmp = Argusgen_host(&addr[0], mask, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } case AF_INET6: { proto = Q_IPV6; for (i = 0; i < 4; i++) { mask[i] = 0xffffffff; addr[i] = ntohl(addr[i]); } tmp = Argusgen_host(addr, mask, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "host %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "host %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "host %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) { alist = (unsigned int **) host->h_addr_list; while (*alist) { **alist = htonl(**alist); *alist++; } alist = (unsigned int **) host->h_addr_list; } if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown host '%s'", name); switch (host->h_addrtype) { case AF_INET: proto = Q_IPV4; *mask = 0xffffffff; break; case AF_INET6: proto = Q_IPV6; for (i = 0; i < 4; i++) mask[i] = 0xffffffff; break; } b = Argusgen_host(*alist++, mask, type, proto, dir); while (*alist) { tmp = Argusgen_host(*alist++, mask, type, proto, dir); Argusgen_or(b, tmp); b = tmp; } #endif break; } } break; case Q_INODE: case Q_SRCID: { if (type == Q_STRING) { *mask = 0xffffffff; unsigned int addr = 0; if (slen > 4) slen = 4; bcopy(name, (char *)&addr, slen); switch (q.addr) { case Q_INODE: b = Argusgen_inode(addr, *mask, type); break; case Q_SRCID: b = Argusgen_srcid(addr, *mask, type); break; } break; } else { #if HAVE_GETADDRINFO struct addrinfo hints; bzero(&hints, sizeof(hints)); hints.ai_family = PF_INET; if ((retn = getaddrinfo(name, NULL, &hints, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[4]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); switch (q.addr) { case Q_INODE: tmp = Argusgen_inode(addr[0], *mask, type); break; case Q_SRCID: tmp = Argusgen_srcid(addr[0], *mask, type); break; } if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "srcid %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "srcid %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "srcid %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) { alist = (unsigned int **) host->h_addr_list; while (*alist) { **alist = htonl(**alist); *alist++; } alist = (unsigned int **) host->h_addr_list; } if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown srcid '%s'", name); switch (q.addr) { case Q_INODE: { b = Argusgen_inode(**alist++, 0xffffffffL); while (*alist) { tmp = Argusgen_inode(**alist++, 0xffffffffL); Argusgen_or(b, tmp); b = tmp; } } case Q_SRCID: { b = Argusgen_srcid(**alist++, 0xffffffffL, type); while (*alist) { tmp = Argusgen_srcid(**alist++, 0xffffffffL, type); Argusgen_or(b, tmp); b = tmp; } } } #endif } break; } case Q_PORT: { char *ptr = NULL; if ((proto != Q_DEFAULT) && (proto != Q_UDP) && (proto != Q_TCP) && (proto != Q_UDT) && (proto != Q_RTP) && (proto != Q_RTCP)) ArgusLog(LOG_ERR, "illegal qualifier of 'port'"); if ((ptr = strchr(name, '-')) != NULL) { char *endptr; int port; *ptr++ = '\0'; port = strtol(name, (char **)&endptr, 10); if (endptr == name) break; b = Argusgen_ncode (ptr, port, q, Q_GEQ); port = strtol(ptr, (char **)&endptr, 10); if (endptr == ptr) break; tmp = Argusgen_ncode (ptr, port, q, Q_LEQ); Argusgen_and(tmp, b); } else { if (argus_nametoport(name, &port, &real_proto) == 0) ArgusLog(LOG_ERR, "unknown port '%s'", name); if ((proto == Q_UDP) || (proto == Q_RTP) || (proto == Q_RTCP) || (proto == Q_UDT)) { if (real_proto == IPPROTO_TCP) ArgusLog(LOG_ERR, "port '%s' is tcp", name); else { /* override PROTO_UNDEF */ real_proto = IPPROTO_UDP; } } if (proto == Q_TCP) { if (real_proto == IPPROTO_UDP) ArgusLog(LOG_ERR, "port '%s' is udp", name); else /* override PROTO_UNDEF */ real_proto = IPPROTO_TCP; } b = Argusgen_port(port, real_proto, dir, Q_EQUAL); if (ptr != NULL) { if (argus_nametoport(ptr, &port, &real_proto) == 0) ArgusLog(LOG_ERR, "unknown port '%s'", name); tmp = Argusgen_port(port, real_proto, dir, Q_EQUAL); ptr[-1] = '-'; } } break; } case Q_GATEWAY: eaddr = argus_ether_hostton(name); if (eaddr == NULL) ArgusLog(LOG_ERR, "unknown ether host: %s", name); #if HAVE_GETADDRINFO if ((retn = getaddrinfo(name, NULL, NULL, &host)) == 0) { struct addrinfo *hptr = host; while (host) { struct sockaddr_in *sa = (struct sockaddr_in *)host->ai_addr; unsigned int addr[4]; bcopy ((char *)&sa->sin_addr, (char *)&addr, host->ai_addrlen); switch (host->ai_family) { case AF_INET: { proto = Q_IPV4; *mask = 0xffffffff; addr[0] = ntohl(addr[0]); tmp = Argusgen_gateway(eaddr, &addr[0], type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } case AF_INET6: { proto = Q_IPV6; for (i = 0; i < 4; i++) { mask[i] = 0xffffffff; addr[i] = ntohl(addr[i]); } tmp = Argusgen_gateway(eaddr, addr, type, proto, dir); if (b != NULL) Argusgen_or(b, tmp); b = tmp; break; } } host = host->ai_next; } freeaddrinfo(hptr); } else { switch (retn) { case EAI_AGAIN: ArgusLog(LOG_ERR, "dns server not available"); break; case EAI_NONAME: ArgusLog(LOG_ERR, "srcid %s unknown", name); break; #if defined(EAI_ADDRFAMILY) case EAI_ADDRFAMILY: ArgusLog(LOG_ERR, "srcid %s has no IP address", name); break; #endif case EAI_SYSTEM: ArgusLog(LOG_ERR, "srcid %s name server error %s", name, strerror(errno)); break; } } #else if ((host = gethostbyname(name)) != NULL) alist = (unsigned int **) host->h_addr_list; if (alist == NULL || *alist == NULL) ArgusLog(LOG_ERR, "unknown host '%s'", name); b = Argusgen_gateway(eaddr, *alist, type, proto, dir); #endif break; case Q_PROTO: real_proto = Arguslookup_proto(name, proto); if (real_proto >= 0) b = Argusgen_proto(real_proto, proto, dir); else ArgusLog(LOG_ERR, "unknown protocol: %s", name); break; case Q_DSB: { struct ArgusDSCodePointStruct *dsctable = ArgusSelectDSCodesTable(ArgusParser); struct ArgusDSCodePointStruct *dscode = NULL; int i = 0, val = -1; if (dsctable && (dscode = &dsctable[i])) { while (dscode->label != NULL) { if (!(strncasecmp(dscode->label, name, strlen(dscode->label)))) { val = dscode->code; break; } dscode = &dsctable[++i]; } } if (val >= 0) b = Argusgen_dsb(val, dir, Q_EQUAL); break; } case Q_CO: { b = Argusgen_cocode(name, dir, Q_EQUAL); break; } case Q_ENCAPS: { int i = 0, val = -1; struct ArgusEncapsulationStruct *encaps = &argus_encapsulations[i]; while (encaps->label != NULL) { if (!(strncasecmp(encaps->label, name, strlen(encaps->label)))) { val = encaps->code; break; } encaps = &argus_encapsulations[++i]; } if (val >= 0) b = Argusgen_encaps(val, dir, Q_EQUAL); break; } case Q_UNDEF: syntax(); /* NOTREACHED */ } if (b == NULL) ArgusLog(LOG_ERR, "Argusgen_scode error"); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_scode (%s, 0x%x) returns %p\n", name, q, b); #endif return b; } struct ablock * Argusgen_mcode(char *s1, char *s2, int masklen, struct qual q) { struct ArgusCIDRAddr cidrbuf, *cidr = &cidrbuf, *cidraddr = NULL; struct ablock *b0 = NULL; char buf[128]; if (s1 != NULL) { if (snprintf (buf, 128, "%s/%d", s1, masklen) >= 128) ArgusLog(LOG_ERR, "Argusgen_mcode: addressmlength must be < 128 bytes"); if ((cidraddr = RaParseCIDRAddr (ArgusParser, buf)) == NULL) ArgusLog(LOG_ERR, "Argusgen_mcode: CIDR address format error"); bcopy ((char *)cidraddr, (char *)cidr, sizeof(*cidr)); if (s2 != NULL) { if (snprintf (buf, 128, "%s/%d", s2, masklen) >= 128) ArgusLog(LOG_ERR, "Argusgen_mcode: addressmlength must be < 128 bytes"); if ((cidraddr = RaParseCIDRAddr (ArgusParser, buf)) == NULL) ArgusLog(LOG_ERR, "Argusgen_mcode: CIDR address format error"); bcopy ((char *)&cidraddr->addr, (char *)&cidr->mask, sizeof(cidr->mask)); } switch (q.addr) { case Q_NET: b0 = Argusgen_host(cidr->addr, cidr->mask, q.type, q.proto, q.dir); break; default: ArgusLog(LOG_ERR, "Mask syntax for networks only"); /* NOTREACHED */ } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_mcode (%s, %s, %d, 0x%x) returns %p\n", s1, s2, masklen, q, b0); #endif return b0; } struct ablock * Argusgen_ncode(char *s, int v, struct qual q, u_int op) { int dir = q.dir, vlen, proto = q.proto, type = q.type; u_int *addr = NULL, maskbuf[4], *mask = maskbuf; struct ablock *b; bzero(mask, sizeof(maskbuf)); switch (type) { case Q_IPV6: { vlen = 128; break; } case Q_IPV4: { if (s == NULL) vlen = 32; else vlen = __argus_atoin(s, (unsigned int *)&v); break; } } switch (q.addr) { case Q_DEFAULT: case Q_HOST: case Q_NET: switch (type) { case Q_LINK: ArgusLog(LOG_ERR, "illegal link layer address"); break; case Q_IPV6: { struct ArgusCIDRAddr *cidraddr = RaParseCIDRAddr (ArgusParser, s); int i, len; memset((char *)mask, 0, sizeof(maskbuf)); for (i = 0, len = cidraddr->masklen; i < len; i++) mask[i/32] |= (1 << (31 - (i % 32))); for (i = 0; i < 4; i++) mask[i] = ntohl(mask[i]); addr = (u_int*)&cidraddr->addr; break; } case Q_IP: case Q_IPV4: { *mask = 0xffffffff; if ((s == NULL) && (q.addr == Q_NET)) { /* Promote short net number */ while (v && (v & 0xff000000) == 0) { v <<= 8; *mask <<= 8; } } else { /* Promote short ipaddr */ v <<= 32 - vlen; *mask <<= 32 - vlen; } addr = (u_int *)&v; break; } } b = Argusgen_host(addr, mask, type, proto, dir); break; case Q_SRCID: *mask = 0xffffffff; b = Argusgen_srcid(v, *mask, type); break; case Q_INODE: *mask = 0xffffffff; b = Argusgen_inode(v, *mask, type); break; case Q_PORT: { switch (proto) { case Q_UDP: proto = IPPROTO_UDP; break; case Q_UDT: proto = IPPROTO_UDT; break; case Q_RTP: proto = IPPROTO_RTP; break; case Q_RTCP: proto = IPPROTO_RTCP; break; case Q_TCP: proto = IPPROTO_TCP; break; case Q_DEFAULT: proto = PROTO_UNDEF; break; default: ArgusLog(LOG_ERR, "illegal qualifier of 'port'"); } b = Argusgen_port((int)v, proto, dir, op); break; } case Q_GATEWAY: ArgusLog(LOG_ERR, "'gateway' requires a name"); /* NOTREACHED */ case Q_PROTO: b = Argusgen_proto((int)v, proto, dir); break; case Q_IPID: b = Argusgen_ipid((int)v, dir, op); break; case Q_TTL: b = Argusgen_ttl((int)v, dir, op); break; case Q_TOS: b = Argusgen_tos((int)v, dir, op); break; case Q_DSB: { b = Argusgen_dsb((int)v, dir, op); break; } case Q_VID: b = Argusgen_vid((int)v, dir, op); break; case Q_VPRI: b = Argusgen_vpri((int)v, dir, op); break; case Q_MPLSID: b = Argusgen_mid((int)v, dir, op); break; case Q_BYTE: b = Argusgen_byte((int)v, dir, op); break; case Q_PKT: b = Argusgen_pkt((int)v, dir, op); break; case Q_NSTROKE: b = Argusgen_nstroke((int)v, dir, op); break; case Q_SEQ: b = Argusgen_seq((int)v, dir, op); break; case Q_APPBYTE: b = Argusgen_appbytes((int)v, dir, op); break; case Q_TCPBASE: b = Argusgen_tcpbase((int)v, dir, op); break; case Q_TRANS: b = Argusgen_trans((int)v, dir, op); break; case Q_LOAD: b = Argusgen_load(v, dir, op); break; case Q_RATE: b = Argusgen_rate(v, dir, op); break; /* case Q_LOSS: b = Argusgen_loss(v, dir, op); break; */ case Q_PLOSS: b = Argusgen_ploss(v, dir, op); break; /* case Q_GAP: b = Argusgen_gap(v, dir, op); break; case Q_DUP: b = Argusgen_dup(v, dir, op); break; */ case Q_PCR: b = Argusgen_pcr(v, dir, op); break; case Q_INTER: case Q_INTERACTIVE: case Q_INTERIDLE: b = Argusgen_inter((int)v, dir, type, op); break; case Q_JITTER: case Q_JITTERACTIVE: case Q_JITTERIDLE: b = Argusgen_jitter(v, dir, type, op); break; case Q_DUR: b = Argusgen_dur(v, dir, op); break; case Q_AVGDUR: b = Argusgen_mean(v, dir, op); break; case Q_DELTADUR: b = Argusgen_deltadur(v, dir, op); break; case Q_DELTASTART: b = Argusgen_deltastart(v, dir, op); break; case Q_DELTALAST: b = Argusgen_deltalast(v, dir, op); break; case Q_DELTASPKTS: b = Argusgen_deltasrcpkts(v, dir, op); break; case Q_DELTADPKTS: b = Argusgen_deltadstpkts(v, dir, op); break; case Q_SPI: b = Argusgen_spi(v, dir, op); break; case Q_ASN: b = Argusgen_asn((int)v, dir, op); break; case Q_CORRELATED: b = Argusgen_cor((int)v, dir, op); break; case Q_UNDEF: syntax(); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ncode (%s, 0x%x, 0x%x, 0x%x) returns %p\n", s, v, &q, op, b); #endif return b; } struct ablock * Argusgen_fcode(char *s, float v, struct qual q, u_int op) { int dir = q.dir; struct ablock *b; switch (q.addr) { case Q_LOAD: b = Argusgen_load(v, dir, op); break; case Q_RATE: b = Argusgen_rate(v, dir, op); break; case Q_INTER: case Q_INTERACTIVE: case Q_INTERIDLE: b = Argusgen_inter(v, dir, q.addr, op); break; case Q_JITTER: case Q_JITTERACTIVE: case Q_JITTERIDLE: b = Argusgen_jitter(v, dir, q.addr, op); break; case Q_DUR: b = Argusgen_dur(v, dir, op); break; case Q_AVGDUR: b = Argusgen_mean(v, dir, op); break; case Q_PLOSS: b = Argusgen_ploss(v, dir, op); break; case Q_PCR: b = Argusgen_pcr(v, dir, op); break; case Q_UNDEF: syntax(); /* NOTREACHED */ default: abort(); /* NOTREACHED */ } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_fcode (%s, %f, 0x%x, 0x%x) returns %p\n", s, v, &q, op, b); #endif return b; } struct ablock * Argusgen_ecode( u_char *eaddr, struct qual q) { struct ablock *b0 = NULL, *b1 = NULL; struct ArgusFlow flow; int offset, len; switch (q.proto) { case Q_LINK: case Q_ETHER: if (q.addr == Q_HOST || q.addr == Q_DEFAULT) b0 = Argusgen_ehostop(eaddr, (int)q.dir); break; case Q_ARP: if (q.addr == Q_HOST) { b1 = Argusgen_linktype(ETHERTYPE_ARP); offset = ((char *)&flow.arp_flow.haddr.h_un.ethernet - (char *)&flow); len = sizeof(flow.arp_flow.haddr.h_un.ethernet); b0 = Argusgen_bcmp (ARGUS_FLOW_INDEX, offset, len, eaddr, Q_DEFAULT); Argusgen_and(b1, b0); } break; default: ArgusLog(LOG_ERR, "ethernet address used in non-ether expression"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_ecode (0x%x, 0x%x) returns %p\n", eaddr, q, b0); #endif return b0; } void Argussappend(struct slist *s0, struct slist *s1) { /* * This is definitely not the best way to do this, but the * lists will rarely get long. */ while (s0->next) s0 = s0->next; s0->next = s1; #if defined(ARGUSDEBUG) ArgusDebug (7, "Argussappend (0x%x, 0x%x)\n", s0, s1); #endif } static struct slist * xfer_to_x(struct arth *a) { struct slist *s; s = new_stmt(NFF_LDX|NFF_MEM); s->s.data.k = a->regno; #if defined(ARGUSDEBUG) ArgusDebug (9, "xfer_to_x (0x%x) returns %p\n", a, s); #endif return s; } static struct slist * xfer_to_a(struct arth *a) { struct slist *s; s = new_stmt(NFF_LD|NFF_MEM); s->s.data.k = a->regno; #if defined(ARGUSDEBUG) ArgusDebug (9, "xfer_to_a (0x%x) returns %p\n", a, s); #endif return s; } struct arth * ArgusLoad( int proto, struct arth *index, int size) { struct slist *s, *tmp; struct ablock *b; int regno = alloc_reg(); free_reg(index->regno); switch (size) { default: ArgusLog(LOG_ERR, "data size must be 1, 2, or 4"); case 1: size = NFF_B; break; case 2: size = NFF_H; break; case 4: size = NFF_W; break; case 8: size = NFF_L; break; } switch (proto) { default: ArgusLog(LOG_ERR, "unsupported index operation"); case Q_LINK: s = xfer_to_x(index); tmp = new_stmt(NFF_LD|NFF_IND|size); Argussappend(s, tmp); Argussappend(index->s, s); break; case Q_IP: case Q_IPV4: case Q_IPV6: case Q_ARP: case Q_RARP: s = xfer_to_x(index); tmp = new_stmt(NFF_LD|NFF_IND|size); tmp->s.data.k = off_nl; Argussappend(s, tmp); Argussappend(index->s, s); b = Argusgen_proto_abbrev(proto); if (index->b) Argusgen_and(index->b, b); index->b = b; break; case Q_TCP: case Q_RTP: case Q_RTCP: case Q_UDT: case Q_UDP: case Q_ICMP: case Q_IGMP: case Q_IGRP: s = new_stmt(NFF_LDX|NFF_MSH|NFF_B); s->s.data.k = off_nl; Argussappend(s, xfer_to_a(index)); Argussappend(s, new_stmt(NFF_ALU|NFF_ADD|NFF_X)); Argussappend(s, new_stmt(NFF_MISC|NFF_TAX)); Argussappend(s, tmp = new_stmt(NFF_LD|NFF_IND|size)); tmp->s.data.k = off_nl; Argussappend(index->s, s); b = Argusgen_proto_abbrev(proto); if (index->b) Argusgen_and(index->b, b); index->b = b; break; } index->regno = regno; s = new_stmt(NFF_ST); s->s.data.k = regno; Argussappend(index->s, s); #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoad (0x%x, 0x%x, 0x%x) returns %p\n", proto, index, size, index); #endif return index; } struct ablock * Argusgen_relation( int code, struct arth *a0, struct arth *a1, int reversed) { struct slist *s0, *s1, *s2; struct ablock *b, *tmp; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(NFF_ALU|NFF_SUB|NFF_X); b = new_block(JMP(code)); if (reversed) Argusgen_not(b); Argussappend(s1, s2); Argussappend(s0, s1); Argussappend(a1->s, s0); Argussappend(a0->s, a1->s); b->stmts = a0->s; free_reg(a0->regno); free_reg(a1->regno); /* 'and' together protocol checks */ if (a0->b) { if (a1->b) { Argusgen_and(a0->b, tmp = a1->b); } else tmp = a0->b; } else tmp = a1->b; if (tmp) Argusgen_and(tmp, b); #if defined(ARGUSDEBUG) ArgusDebug (5, "Argusgen_relation (0x%x, 0x%x, 0x%x, %d) returns %p\n", code, a0, a1, reversed, b); #endif return b; } struct arth * ArgusLoadLen() { int regno = alloc_reg(); struct arth *a = (struct arth *)newchunk(sizeof(*a)); struct slist *s; s = new_stmt(NFF_LD|NFF_LEN); s->next = new_stmt(NFF_ST); s->next->s.data.k = regno; a->s = s; a->regno = regno; #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoadLen () returns %p\n", a); #endif return a; } struct arth * ArgusLoadI(int val) { struct arth *a; struct slist *s; int reg; a = (struct arth *)newchunk(sizeof(*a)); reg = alloc_reg(); s = new_stmt(NFF_LD|NFF_IMM); s->s.data.k = val; s->next = new_stmt(NFF_ST); s->next->s.data.k = reg; a->s = s; a->regno = reg; #if defined(ARGUSDEBUG) ArgusDebug (5, "ArgusLoadI (0x%x) returns %p\n", val, a); #endif return a; } struct arth * ArgusNeg(struct arth *a) { struct slist *s; s = xfer_to_a(a); Argussappend(a->s, s); s = new_stmt(NFF_ALU|NFF_NEG); s->s.data.k = 0; Argussappend(a->s, s); s = new_stmt(NFF_ST); s->s.data.k = a->regno; Argussappend(a->s, s); #if defined(ARGUSDEBUG) ArgusDebug (4, "ArgusNeg (0x%x) returns %p\n", a, a); #endif return a; } struct arth * ArgusArth( int code, struct arth *a0, struct arth *a1) { struct slist *s0, *s1, *s2; s0 = xfer_to_x(a1); s1 = xfer_to_a(a0); s2 = new_stmt(NFF_ALU|NFF_X|code); Argussappend(s1, s2); Argussappend(s0, s1); Argussappend(a1->s, s0); Argussappend(a0->s, a1->s); free_reg(a1->regno); s0 = new_stmt(NFF_ST); a0->regno = s0->s.data.k = alloc_reg(); Argussappend(a0->s, s0); #if defined(ARGUSDEBUG) ArgusDebug (5, "Argusgen_arth (0x%x, 0x%x, 0x%x) returns %p\n", code, a0, a1, a0); #endif return a0; } /* * Here we handle simple allocation of the scratch registers. * If too many registers are alloc'd, the allocator punts. */ static int regused[NFF_MEMWORDS]; static int curreg; /* * Return the next free register. */ static int alloc_reg() { int retn = -1; int n = NFF_MEMWORDS; while (--n >= 0) { if (regused[curreg]) curreg = (curreg + 1) % NFF_MEMWORDS; else { regused[curreg] = 1; retn = curreg; break; } } if (retn == -1) ArgusLog(LOG_ERR, "too many registers needed to evaluate expression"); #if defined(ARGUSDEBUG) ArgusDebug (9, "alloc_reg () returns %p\n", retn); #endif return (retn); } /* * Return a register to the table so it can * be used later. */ static void free_reg(int n) { regused[n] = 0; #if defined(ARGUSDEBUG) ArgusDebug (9, "free_reg (%d)\n", n); #endif } static struct ablock * Argusgen_len(int jmp, int n) { struct slist *s; struct ablock *b; s = new_stmt(NFF_LD|NFF_LEN); s->next = new_stmt(NFF_ALU|NFF_SUB|NFF_K); s->next->s.data.k = n; b = new_block(JMP(jmp)); b->stmts = s; #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_len (%d, %d) return %p\n", jmp, n, b); #endif return b; } struct ablock * Argusgen_greater(int n) { struct ablock *b; b = Argusgen_len(NFF_JGE, n); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_greater (%d) return %p\n", n, b); #endif return b; } struct ablock * Argusgen_less(int n) { struct ablock *b; b = Argusgen_len(NFF_JGT, n); Argusgen_not(b); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_less (%d) return %p\n", n, b); #endif return b; } struct ablock * Argusgen_byteop(int op, int idx, int val) { struct ablock *b; struct slist *s; switch (op) { default: abort(); case '=': return Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); case '<': b = Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); b->s.code = JMP(NFF_JGE); Argusgen_not(b); return b; case '>': b = Argusgen_cmp(-1, (u_int)idx, NFF_B, (u_int)val, Q_EQUAL, Q_DEFAULT); b->s.code = JMP(NFF_JGT); return b; case '|': s = new_stmt(NFF_ALU|NFF_OR|NFF_K); break; case '&': s = new_stmt(NFF_ALU|NFF_AND|NFF_K); break; } s->s.data.k = val; b = new_block(JMP(NFF_JEQ)); b->stmts = s; Argusgen_not(b); #if defined(ARGUSDEBUG) ArgusDebug (6, "Argusgen_byteop (0x%x, 0x%x, 0x%x) return %p\n", op, idx, val, b); #endif return b; } struct ablock * Argusgen_broadcast(int proto) { struct ablock *b0 = NULL, *b1 = NULL; static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; u_int netaddr = 0xffffffffL, mask; /* u_int classmask = 0xffffffffL; */ switch (proto) { case Q_LINK: b0 = Argusgen_ehostop(ebroadcast, Q_OR); break; case Q_IP: mask = 0xffffffffL; /* if (ArgusParser->ArgusCurrentInput) { netaddr = ArgusParser->ArgusLocalNet & ArgusParser->ArgusNetMask; classmask = ipaddrtonetmask(ArgusParser->ArgusLocalNet); b1 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); netaddr |= ~(~0 & ArgusNetMask); b0 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); Argusgen_or(b1, b0); if (classmask != ArgusNetMask) { netaddr = ArgusParser->ArgusLocalNet & classmask; b1 = Argusgen_host((u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); Argusgen_or(b1, b0); } } */ netaddr = ~0; b1 = Argusgen_host( (u_int *)&netaddr, &mask, Q_IPV4, proto, Q_OR); if (b0 != NULL) Argusgen_or(b1, b0); else b0 = b1; break; case Q_DEFAULT: ArgusLog(LOG_ERR, "only ether/ip broadcast filters supported"); } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_broadcast (0x%x) returns %p\n", proto, b0); #endif return b0; } struct ablock * Argusgen_multicast(int proto) { register struct ablock *b0 = NULL, *b1 = NULL; register struct slist *s; switch (proto) { case Q_LINK: s = new_stmt(NFF_LD|NFF_B|NFF_ABS); s->s.data.k = 92; b0 = new_block(JMP(NFF_JSET)); b0->s.data.k = 1; b0->stmts = s; s = new_stmt(NFF_LD|NFF_B|NFF_ABS); s->s.data.k = 98; b1 = new_block(JMP(NFF_JSET)); b1->s.data.k = 1; b1->stmts = s; Argusgen_or(b0, b1); break; case Q_IP: case Q_DEFAULT: { struct ArgusFlow flow; int src_off = 0, dst_off = 0; src_off = ((char *)&flow.ip_flow.ip_src - (char *)&flow); dst_off = ((char *)&flow.ip_flow.ip_dst - (char *)&flow); b1 = Argusgen_mcmp(ARGUS_FLOW_INDEX, src_off, NFF_W, 0xe0000000, 0xf0000000, Q_EQUAL, Q_DEFAULT); b1->s.code = JMP(NFF_JGE); b0 = Argusgen_mcmp(ARGUS_FLOW_INDEX, dst_off, NFF_W, 0xe0000000, 0xf0000000, Q_EQUAL, Q_DEFAULT); b0->s.code = JMP(NFF_JGE); Argusgen_or(b0, b1); b0 = Argusgen_linktype(ETHERTYPE_IP); Argusgen_and(b0, b1); break; } } #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_multicast (0x%x) returns %p\n", proto, b1); #endif return b1; } /* * generate command for inbound/outbound. It's here so we can * make it link-type specific. 'dir' = 0 implies "inbound", * = 1 implies "outbound". */ struct ablock * Argusgen_inbound(int dir) { register struct ablock *b0; b0 = Argusgen_relation(NFF_JEQ, ArgusLoad(Q_LINK, ArgusLoadI(0), 1), ArgusLoadI(0), dir); #if defined(ARGUSDEBUG) ArgusDebug (4, "Argusgen_multicast (0x%x) returns %p\n", dir, b0); #endif return (b0); } argus-5.0.2/common/argus_filter.c000066400000000000000000002530051471541253600167760ustar00rootroot00000000000000/* * Argus-5.0 Software. Common library routines - Filter processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)nff.c 7.5 (Berkeley) 7/15/91 * */ /* * $Id: //depot/gargoyle/argus/common/argus_filter.c#6 $ * $DateTime: 2016/09/18 16:32:53 $ * $Change: 3186 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef ArgusFilter #define ArgusFilter #endif #include #include #if defined(ARGUS_PLURIBUS) #define _STDC_C99 #else #if !defined(__USE_ISOC99) #define __USE_ISOC99 #endif #endif #include #include #include #include #include #include #include #if defined(HAVE_SOLARIS) #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef sun #include #endif #include extern void ArgusLog (int, char *, ...); #define EXTRACT_SHORT(p) ((arg_uint16)*(arg_uint16 *)p) #define EXTRACT_LONG(p) (*(unsigned int *)p) #define EXTRACT_FLOAT(p) (*(float *)p) #define EXTRACT_DOUBLE(p) (*(double *)p) #define EXTRACT_LONGLONG(p) (*(unsigned long long *)p) static int floatisequal(double, double); static int floatisgreaterthan(double, double); static int floatislessthan(double, double); static int floatisgreaterthanequal(double, double); #include #if defined(ARGUS_PLURIBUS) #ifndef signbit #include inline int signbit(double x) { switch (fpclass(x)) { case FP_SNAN: case FP_QNAN: case FP_PZERO: case FP_PNORM: case FP_PDENORM: case FP_PINF: return(0); case FP_NDENORM: case FP_NZERO: case FP_NINF: case FP_NNORM: return(1); } } #endif #endif /* Hex digit to integer. */ int xdtoi(int c) { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } /* * Execute the filter program starting at pc on the packet p * buflen is the amount of data present */ int ArgusFilterRecord (struct nff_insn *, struct ArgusRecordStruct *); int ArgusFilterOrig (struct nff_insn *, struct ArgusRecordStruct *, int, int); int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *argus) { int buflen = sizeof(*argus); if (pc) return ArgusFilterOrig (pc, argus, buflen, buflen); else return -1; } static int floatisequal(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double epsilon = pow(0.1, ((ArgusParser->pflag + 1) * 1.0)); double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((fabs(F - f) <= epsilon) ? ((F == 0) ? (signbit(F) == signbit(f)) : 1) : 0); } static int floatisgreaterthan(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((F > f) ? 1 : (((F == 0) && (f == 0)) ? ((!(signbit(F)) && signbit(f)) ? 1 : 0) : 0)); } static int floatislessthan(double F, double f) { extern struct ArgusParserStruct *ArgusParser; double pval = pow(10.0, ArgusParser->pflag); F = round(F * pval) / pval; f = round(f * pval) / pval; return ((F < f) ? 1 : (((F == 0) && (f == 0)) ? ((!(signbit(F)) && signbit(f)) ? 0 : 1) : 0)); } static int floatisgreaterthanequal(double F, double f) { return (!(floatislessthan(F, f))); } int ArgusFilterOrig (struct nff_insn *pc, struct ArgusRecordStruct *argus, int wirelen, int buflen) { nff_int64 A = 0, X = 0; nff_int64 mem [NFF_MEMWORDS]; int k, retn; u_char *p = (u_char *)argus; float F; --pc; while (1) { ++pc; switch (pc->code) { default: abort(); case NFF_RET|NFF_K: { retn = pc->data.k; return retn; } case NFF_RET|NFF_A: return (unsigned int)A; case NFF_LD|NFF_D|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k + sizeof(double) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_DOUBLE(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(double)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_DOUBLE(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_D|NFF_ABS: { k = pc->data.k; if (k + sizeof(double) > buflen) { A = -1; } else A = EXTRACT_DOUBLE(&p[k]); continue; } case NFF_LD|NFF_F|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(float)) > (dsr->argus_dsrvl8.len * 4)) F = -10000000; else F = EXTRACT_FLOAT(&ptr[k]); } else F = -10000000; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(float)) > sizeof(struct ArgusRecordStruct)) F = -10000000; else F = EXTRACT_FLOAT(&ptr[k]); } else F = -10000000; } continue; } case NFF_LD|NFF_F|NFF_ABS: { k = pc->data.k; if (k + sizeof(float) > buflen) { F = -10000000; } else F = EXTRACT_FLOAT(&p[k]); continue; } case NFF_LD|NFF_L|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k + sizeof(long long) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_LONGLONG(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(long long)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_LONGLONG(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_L|NFF_ABS: { k = pc->data.k; if ((k + sizeof(long long)) > buflen) { A = -1; } else A = EXTRACT_LONGLONG(&p[k]); continue; } case NFF_LD|NFF_W|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(int)) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_LONG(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(int)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_LONG(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_W|NFF_ABS: { k = pc->data.k; if ((k + sizeof(int)) > buflen) { A = -1; } else A = EXTRACT_LONG(&p[k]); continue; } case NFF_LD|NFF_H|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if ((k + sizeof(short)) > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = EXTRACT_SHORT(&ptr[k]); } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if ((k + sizeof(short)) > sizeof(struct ArgusRecordStruct)) A = -1; else A = EXTRACT_SHORT(&ptr[k]); } else A = -1; } continue; } case NFF_LD|NFF_H|NFF_ABS: { k = pc->data.k; if ((k + sizeof(short)) > buflen) A = -1; else A = EXTRACT_SHORT(&p[k]); continue; } case NFF_LD|NFF_B|NFF_DSR: { if (pc->dsr >= 0) { struct ArgusDSRHeader *dsr; if ((dsr = argus->dsrs[pc->dsr]) != NULL) { u_char *ptr = (u_char *)dsr; k = pc->data.k; if (k > (dsr->argus_dsrvl8.len * 4)) A = -1; else A = ptr[k]; } else A = -1; } else { if (argus != NULL) { u_char *ptr = (u_char *)&argus->hdr; k = pc->data.k; if (k > sizeof(struct ArgusRecordStruct)) A = -1; else A = ptr[k]; } else A = -1; } continue; } case NFF_LD|NFF_B|NFF_ABS: { k = pc->data.k; if (k >= buflen) { A = -1; } else A = p[k]; continue; } case NFF_LD|NFF_W|NFF_LEN: { A = wirelen; continue; } case NFF_LDX|NFF_W|NFF_LEN: { X = wirelen; continue; } case NFF_LD|NFF_W|NFF_IND: { k = X + pc->data.k; if ((k + sizeof(int)) > buflen) { A = -1; } else A = EXTRACT_LONG(&p[k]); continue; } case NFF_LD|NFF_H|NFF_IND: { k = X + pc->data.k; if ((k + sizeof(short)) > buflen) { A = -1; } else A = EXTRACT_SHORT(&p[k]); continue; } case NFF_LD|NFF_B|NFF_IND: { k = X + pc->data.k; if (k >= buflen) { A = -1; } else A = p[k]; continue; } case NFF_LDX|NFF_MSH|NFF_B: { k = pc->data.k; if (k >= buflen) { X = -1; } else X = (p[k] & 0xf) << 2; continue; } case NFF_LD|NFF_IMM: { A = pc->data.k; continue; } case NFF_LDX|NFF_IMM: { X = pc->data.k; continue; } case NFF_LD|NFF_MEM: { k = pc->data.k; A = mem[k]; continue; } case NFF_LDX|NFF_MEM: { k = pc->data.k; X = mem[k]; continue; } case NFF_ST: { k = pc->data.k; mem[k] = A; continue; } case NFF_STX: { k = pc->data.k; mem[k] = X; continue; } case NFF_JMP|NFF_JA: { k = pc->data.k; pc += k; continue; } case NFF_JMP|NFF_JGT|NFF_K: { pc += ((A > pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_K: { pc += ((A >= pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_K: { pc += ((A == pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGT|NFF_F: { pc += ((floatisgreaterthan(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_F: { pc += ((floatisgreaterthanequal(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_F: { pc += ((floatisequal(F, pc->data.f)) && (F != -10000000)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JSET|NFF_K: { pc += ((A & pc->data.k) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGT|NFF_X: { pc += ((A > X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JGE|NFF_X: { pc += ((A >= X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JEQ|NFF_X: { pc += ((A == X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_JMP|NFF_JSET|NFF_X: { pc += ((A & X) && (A != -1)) ? pc->jt : pc->jf; continue; } case NFF_ALU|NFF_ADD|NFF_X: { A += X; continue; } case NFF_ALU|NFF_SUB|NFF_X: { A -= X; continue; } case NFF_ALU|NFF_MUL|NFF_X: { A *= X; continue; } case NFF_ALU|NFF_DIV|NFF_X: { if (X == 0) return 0; A /= X; continue; } case NFF_ALU|NFF_AND|NFF_X: { A &= X; continue; } case NFF_ALU|NFF_OR|NFF_X: { A |= X; continue; } case NFF_ALU|NFF_LSH|NFF_X: { A <<= X; continue; } case NFF_ALU|NFF_RSH|NFF_X: { A >>= X; continue; } case NFF_ALU|NFF_ADD|NFF_K: { A += pc->data.k; continue; } case NFF_ALU|NFF_SUB|NFF_K: { A -= pc->data.k; continue; } case NFF_ALU|NFF_MUL|NFF_K: { A *= pc->data.k; continue; } case NFF_ALU|NFF_DIV|NFF_K: { A /= pc->data.k; continue; } case NFF_ALU|NFF_AND|NFF_K: { A &= pc->data.k; continue; } case NFF_ALU|NFF_OR|NFF_K: { A |= pc->data.k; continue; } case NFF_ALU|NFF_LSH|NFF_K: { A <<= pc->data.k; continue; } case NFF_ALU|NFF_RSH|NFF_K: { A >>= pc->data.k; continue; } case NFF_ALU|NFF_NEG: { A = -A; continue; } case NFF_MISC|NFF_TAX: { X = A; continue; } case NFF_MISC|NFF_TXA: { A = X; continue; } } } } /* * Copyright (c) 1990, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #ifndef __GNUC__ #define inline #endif static inline int skip_space(FILE *); static inline int skip_line(FILE *); static inline int skip_space(FILE *f) { int c; do { c = getc(f); } while (isspace(c) && c != '\n'); return c; } static inline int skip_line(FILE *f) { int c; do c = getc(f); while (c != '\n' && c != EOF); return c; } #include struct argus_etherent * argus_next_etherent(FILE *fp) { int c, d, i; char *bp; static struct argus_etherent e; static int nline = 1; top: while (nline) { /* Find addr */ c = skip_space(fp); if (c == '\n') continue; /* If this is a comment, or first thing on line cannot be ethernet address, skip the line. */ else if (!isxdigit(c)) c = skip_line(fp); else { /* must be the start of an address */ for (i = 0; i < 6; i += 1) { d = xdtoi(c); c = getc(fp); if (c != ':') { d <<= 4; d |= xdtoi(c); c = getc(fp); } e.addr[i] = d; if (c != ':') break; c = getc(fp); } nline = 0; } if (c == EOF) return 0; } /* If we started a new line, 'c' holds the char past the ether addr, which we assume is white space. If we are continuing a line, 'c' is garbage. In either case, we can throw it away. */ c = skip_space(fp); if (c == '\n') { nline = 1; goto top; } else if (c == '#') { (void)skip_line(fp); nline = 1; goto top; } else if (c == EOF) return 0; /* Must be a name. */ bp = e.name; /* Use 'd' to prevent argus_strbuffer overflow. */ d = sizeof(e.name) - 1; do { *bp++ = c; c = getc(fp); } while (!isspace(c) && c != EOF && --d > 0); *bp = '\0'; if (c == '\n') nline = 1; return &e; } /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #if defined(HAVE_SOLARIS) #include #endif /* Not all systems have IFF_LOOPBACK */ #ifdef IFF_LOOPBACK #define ISLOOPBACK(p) ((p)->ifr_flags & IFF_LOOPBACK) #else #define ISLOOPBACK(p) (strcmp((p)->ifr_name, "lo0") == 0) #endif #if !defined(__OpenBSD__) #include #endif /* * Return the name of a network interface attached to the system, or NULL * if none can be found. The interface must be configured up; the * lowest unit number is preferred; loopback is ignored. */ char * ArgusLookupDev(char *ebuf) { int fd, minunit, n; char *cp; struct ifreq *ifrp, *ifend, *ifnext, *mp; struct ifconf ifc; struct ifreq ibuf[16], ifr; static char device[sizeof(ifrp->ifr_name) + 1]; fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) { (void)snprintf(ebuf, MAXSTRLEN, "socket: %s", argus_strerror(errno)); return (NULL); } ifc.ifc_len = sizeof ibuf; ifc.ifc_buf = (caddr_t)ibuf; if (ioctl(fd, SIOCGIFCONF, (char *)&ifc) < 0 || ifc.ifc_len < sizeof(struct ifreq)) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFCONF: %s", argus_strerror(errno)); (void)close(fd); return (NULL); } ifrp = ibuf; ifend = (struct ifreq *)((char *)ibuf + ifc.ifc_len); mp = NULL; minunit = 666; for (; ifrp < ifend; ifrp = ifnext) { #if BSD - 0 >= 199006 n = ifrp->ifr_addr.sa_len + sizeof(ifrp->ifr_name); if (n < sizeof(*ifrp)) ifnext = ifrp + 1; else ifnext = (struct ifreq *)((char *)ifrp + n); if (ifrp->ifr_addr.sa_family != AF_INET) continue; #else ifnext = ifrp + 1; #endif /* * Need a template to preserve address info that is * used below to locate the next entry. (Otherwise, * SIOCGIFFLAGS stomps over it because the requests * are returned in a union.) */ strncpy(ifr.ifr_name, ifrp->ifr_name, sizeof(ifr.ifr_name)); if (ioctl(fd, SIOCGIFFLAGS, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFFLAGS: %s", argus_strerror(errno)); (void)close(fd); return (NULL); } /* Must be up and not the loopback */ if ((ifr.ifr_flags & IFF_UP) == 0 || ISLOOPBACK(&ifr)) continue; for (cp = ifrp->ifr_name; !isdigit((int)*cp); ++cp) continue; n = atoi(cp); if (n < minunit) { minunit = n; mp = ifrp; } } (void)close(fd); if (mp == NULL) { (void)strncpy(ebuf, "no suitable device found", MAXSTRLEN); return (NULL); } (void)strncpy(device, mp->ifr_name, sizeof(device) - 1); device[sizeof(device) - 1] = '\0'; return (device); } int ArgusLookupNet(char *device, unsigned int *netp, unsigned int *maskp, char *ebuf) { int fd; struct sockaddr_in *sin; struct ifreq ifr; fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) { (void)snprintf(ebuf, MAXSTRLEN, "socket: %s", argus_strerror(errno)); return (-1); } (void)strncpy(ifr.ifr_name, device, sizeof(ifr.ifr_name)); if (ioctl(fd, SIOCGIFADDR, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFADDR: %s: %s", device, argus_strerror(errno)); (void)close(fd); return (-1); } sin = (struct sockaddr_in *)&ifr.ifr_addr; *netp = sin->sin_addr.s_addr; if (ioctl(fd, SIOCGIFNETMASK, (char *)&ifr) < 0) { (void)snprintf(ebuf, MAXSTRLEN, "SIOCGIFNETMASK: %s: %s", device, argus_strerror(errno)); (void)close(fd); return (-1); } (void)close(fd); *maskp = sin->sin_addr.s_addr; if (*maskp == 0) { if (IN_CLASSA(*netp)) *maskp = IN_CLASSA_NET; else if (IN_CLASSB(*netp)) *maskp = IN_CLASSB_NET; else if (IN_CLASSC(*netp)) *maskp = IN_CLASSC_NET; else { (void)snprintf(ebuf, MAXSTRLEN, "inet class for 0x%x unknown", *netp); return (-1); } } *netp &= *maskp; return (0); } #if defined(ARGUS_SYS_ERRLIST) && defined(HAVE_SOLARIS) static char ArgusErrorString[128]; #endif char * argus_strerror(int errnum) { #if defined(ARGUS_SYS_ERRLIST) && defined(HAVE_SOLARIS) if ((unsigned int)errnum < sys_nerr) return ((char *) sys_errlist[errnum]); (void)snprintf(ArgusErrorString, 128, "Unknown error: %d", errnum); return (ArgusErrorString); #else return (strerror(errnum)); #endif } /* * Copyright (c) 1988, 1989, 1990, 1991, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Optimization module for tcpdump intermediate representation. */ #ifdef __osf__ #include #endif #include #ifdef linux #include #endif #define A_ATOM NFF_MEMWORDS #define X_ATOM (NFF_MEMWORDS+1) #define NOP -1 /*#define BDEBUG*/ #if defined(BDEBUG) int dflag = 2; #endif /* * This define is used to represent *both* the accumulator and * x register in use-def computations. * Currently, the use-def code assumes only one definition per instruction. */ #define AX_ATOM N_ATOMS /* * A flag to indicate that further optimization is needed. * Iterative passes are continued until a given pass yields no * branch movement. */ static int done; /* * A ablock is marked if only if its mark equals the current mark. * Rather than traverse the code array, marking each item, 'cur_mark' is * incremented. This automatically makes each element unmarked. */ static int cur_mark; #define isMarked(p) ((p)->mark == cur_mark) #define unMarkAll() cur_mark += 1 #define Mark(p) ((p)->mark = cur_mark) static void opt_init(struct ablock *); static void opt_cleanup(void); static void make_marks(struct ablock *); static void mark_code(struct ablock *); static void intern_blocks(struct ablock *); static int eq_slist(struct slist *, struct slist *); static void find_levels_r(struct ablock *); static void find_levels(struct ablock *); static void find_dom(struct ablock *); static void propedom(struct edge *); static void find_edom(struct ablock *); static void find_closure(struct ablock *); static int atomuse(struct stmt *); static int atomdef(struct stmt *); static void compute_local_ud(struct ablock *); static void find_ud(struct ablock *); static void init_val(void); static long long F(int, unsigned long long, unsigned long long); static inline void vstore(struct stmt *, long long *, long long, int); static void opt_blk(struct ablock *, int); static int use_conflict(struct ablock *, struct ablock *); static void opt_j(struct edge *); static void or_pullup(struct ablock *); static void and_pullup(struct ablock *); static void opt_blks(struct ablock *, int); static inline void link_inedge(struct edge *, struct ablock *); static void find_inedges(struct ablock *); static void opt_root(struct ablock **); static void opt_loop(struct ablock *, int); static void fold_op(struct stmt *, long long, long long); static inline struct slist *this_op(struct slist *); static void opt_not(struct ablock *); static void opt_peep(struct ablock *); static void opt_stmt(struct stmt *, long long[], int); static void deadstmt(struct stmt *, struct stmt *[]); static void opt_deadstores(struct ablock *); static void opt_blk(struct ablock *, int); static int use_conflict(struct ablock *, struct ablock *); static void opt_j(struct edge *); static struct ablock *fold_edge(struct ablock *, struct edge *); static inline int eq_blk(struct ablock *, struct ablock *); static int slength(struct slist *); static int count_blocks(struct ablock *); static void number_blks_r(struct ablock *); static int count_stmts(struct ablock *); static int convert_code_r(struct ablock *); #ifdef BDEBUG static void opt_dump(struct ablock *); #endif static int n_blocks; struct ablock **blocks; static int n_edges; struct edge **edges; /* * A bit vector set representation of the dominators. * We round up the set size to the next power of two. */ static int nodewords; static int edgewords; struct ablock **levels; nff_u_int32 *space; #define BITS_PER_WORD (8*sizeof(nff_u_int32)) /* * True if a is in uset {p} */ #define SET_MEMBER(p, a) \ ((p)[(unsigned)(a) / BITS_PER_WORD] & (1 << ((unsigned)(a) % BITS_PER_WORD))) /* * Add 'a' to uset p. */ #define SET_INSERT(p, a) \ (p)[(unsigned)(a) / BITS_PER_WORD] |= (1 << ((unsigned)(a) % BITS_PER_WORD)) /* * Delete 'a' from uset p. */ #define SET_DELETE(p, a) \ (p)[(unsigned)(a) / BITS_PER_WORD] &= ~(1 << ((unsigned)(a) % BITS_PER_WORD)) /* * a := a intersect b */ #define SET_INTERSECT(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ &= *_y++;\ } /* * a := a - b */ #define SET_SUBTRACT(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ &=~ *_y++;\ } /* * a := a union b */ #define SET_UNION(a, b, n)\ {\ register nff_u_int32 *_x = a, *_y = b;\ register int _n = n;\ while (--_n >= 0) *_x++ |= *_y++;\ } static uset all_dom_sets; static uset all_closure_sets; static uset all_edge_sets; #ifndef MAX #define MAX(a,b) ((a)>(b)?(a):(b)) #endif static void find_levels_r(struct ablock *b) { int level; if (isMarked(b)) return; Mark(b); b->link = 0; if (JT(b)) { find_levels_r(JT(b)); find_levels_r(JF(b)); level = MAX(JT(b)->level, JF(b)->level) + 1; } else level = 0; b->level = level; b->link = levels[level]; levels[level] = b; } /* * Level graph. The levels go from 0 at the leaves to * N_LEVELS at the root. The levels[] array points to the * first node of the level list, whose elements are linked * with the 'link' field of the struct block. */ static void find_levels(struct ablock *root) { memset((char *)levels, 0, n_blocks * sizeof(*levels)); unMarkAll(); find_levels_r(root); } /* * Find dominator relationships. * Assumes graph has been leveled. */ static void find_dom(struct ablock *root) { int i; struct ablock *b; nff_u_int32 *x; /* * Initialize sets to contain all nodes. */ x = all_dom_sets; i = n_blocks * nodewords; while (--i >= 0) *x++ = ~0; /* Root starts off empty. */ for (i = nodewords; --i >= 0;) root->dom[i] = 0; /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->dom, b->id); if (JT(b) == 0) continue; SET_INTERSECT(JT(b)->dom, b->dom, nodewords); SET_INTERSECT(JF(b)->dom, b->dom, nodewords); } } } static void propedom(struct edge *ep) { SET_INSERT(ep->edom, ep->id); if (ep->succ) { SET_INTERSECT(ep->succ->et.edom, ep->edom, edgewords); SET_INTERSECT(ep->succ->ef.edom, ep->edom, edgewords); } } /* * Compute edge dominators. * Assumes graph has been leveled and predecessors established. */ static void find_edom(struct ablock *root) { int i; uset x; struct ablock *b; x = all_edge_sets; for (i = n_edges * edgewords; --i >= 0; ) x[i] = ~0; /* root->level is the highest level no found. */ memset(root->et.edom, 0, edgewords * sizeof(*(uset)0)); memset(root->ef.edom, 0, edgewords * sizeof(*(uset)0)); for (i = root->level; i >= 0; --i) { for (b = levels[i]; b != 0; b = b->link) { propedom(&b->et); propedom(&b->ef); } } } /* * Find the backwards transitive closure of the flow graph. These sets * are backwards in the sense that we find the set of nodes that reach * a given node, not the set of nodes that can be reached by a node. * * Assumes graph has been leveled. */ static void find_closure(struct ablock *root) { int i; struct ablock *b; /* * Initialize sets to contain no nodes. */ memset((char *)all_closure_sets, 0, n_blocks * nodewords * sizeof(*all_closure_sets)); /* root->level is the highest level no found. */ for (i = root->level; i >= 0; --i) { for (b = levels[i]; b; b = b->link) { SET_INSERT(b->closure, b->id); if (JT(b) == 0) continue; SET_UNION(JT(b)->closure, b->closure, nodewords); SET_UNION(JF(b)->closure, b->closure, nodewords); } } } /* * Return the register number that is used by s. If A and X are both * used, return AX_ATOM. If no register is used, return -1. * * The implementation should probably change to an array access. */ static int atomuse(struct stmt *s) { register int c = s->code; if (c == NOP) return -1; switch (NFF_CLASS(c)) { case NFF_RET: return (NFF_RVAL(c) == NFF_A) ? A_ATOM : (NFF_RVAL(c) == NFF_X) ? X_ATOM : -1; case NFF_LD: case NFF_LDX: return (NFF_MODE(c) == NFF_IND) ? X_ATOM : (NFF_MODE(c) == NFF_MEM) ? s->data.k : -1; case NFF_ST: return A_ATOM; case NFF_STX: return X_ATOM; case NFF_JMP: case NFF_ALU: if (NFF_SRC(c) == NFF_X) return AX_ATOM; return A_ATOM; case NFF_MISC: return NFF_MISCOP(c) == NFF_TXA ? X_ATOM : A_ATOM; } abort(); /* NOTREACHED */ } /* * Return the register number that is defined by 's'. We assume that * a single stmt cannot define more than one register. If no register * is defined, return -1. * * The implementation should probably change to an array access. */ static int atomdef(struct stmt *s) { if (s->code == NOP) return -1; switch (NFF_CLASS(s->code)) { case NFF_LD: case NFF_ALU: return A_ATOM; case NFF_LDX: return X_ATOM; case NFF_ST: case NFF_STX: { int k = s->data.k; return k; } case NFF_MISC: return NFF_MISCOP(s->code) == NFF_TAX ? X_ATOM : A_ATOM; } return -1; } static void compute_local_ud(struct ablock *b) { struct slist *s; atomset def = 0, use = 0, kill = 0; int atom; for (s = b->stmts; s; s = s->next) { if (s->s.code == NOP) continue; atom = atomuse(&s->s); if (atom >= 0) { if (atom == AX_ATOM) { if (!ATOMELEM(def, X_ATOM)) use |= ATOMMASK(X_ATOM); if (!ATOMELEM(def, A_ATOM)) use |= ATOMMASK(A_ATOM); } else if (atom < N_ATOMS) { if (!ATOMELEM(def, atom)) use |= ATOMMASK(atom); } else abort(); } atom = atomdef(&s->s); if (atom >= 0) { if (!ATOMELEM(use, atom)) kill |= ATOMMASK(atom); def |= ATOMMASK(atom); } } if (!ATOMELEM(def, A_ATOM) && NFF_CLASS(b->s.code) == NFF_JMP) use |= ATOMMASK(A_ATOM); b->def = def; b->kill = kill; b->in_use = use; } /* * Assume graph is already leveled. */ static void find_ud(struct ablock *root) { int i, maxlevel; struct ablock *p; /* * root->level is the highest level no found; * count down from there. */ maxlevel = root->level; for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) { compute_local_ud(p); p->out_use = 0; } for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { p->out_use |= JT(p)->in_use | JF(p)->in_use; p->in_use |= p->out_use &~ p->kill; } } } /* * These data structures are used in a Cocke and Shwarz style * value numbering scheme. Since the flowgraph is acyclic, * exit values can be propagated from a node's predecessors * provided it is uniquely defined. */ struct valnode { int code; unsigned long long v0, v1; unsigned long long val; struct valnode *next; }; #define MODULUS 213 static struct valnode *hashtbl[MODULUS]; static int curval; static int maxval; /* Integer constants mapped with the load immediate opcode. */ #define K(i) F(NFF_LD|NFF_IMM, i, 0L) struct vmapinfo { int is_const; unsigned long long const_val; }; struct vmapinfo *vmap; struct valnode *vnode_base; struct valnode *next_vnode; static void init_val() { curval = 0; next_vnode = vnode_base; memset((char *)vmap, 0, maxval * sizeof(*vmap)); memset((char *)hashtbl, 0, sizeof hashtbl); } /* Because we really don't have an IR, this stuff is a little messy. */ static long long F(int code, unsigned long long v0, unsigned long long v1) { u_int hash; long long val; struct valnode *p; hash = (u_int)code ^ (v0 << 4) ^ (v1 << 8); hash %= MODULUS; for (p = hashtbl[hash]; p; p = p->next) if (p->code == code && p->v0 == v0 && p->v1 == v1) return p->val; val = ++curval; if (NFF_MODE(code) == NFF_IMM && (NFF_CLASS(code) == NFF_LD || NFF_CLASS(code) == NFF_LDX)) { vmap[val].const_val = v0; vmap[val].is_const = 1; } p = next_vnode++; p->val = val; p->code = code; p->v0 = v0; p->v1 = v1; p->next = hashtbl[hash]; hashtbl[hash] = p; return val; } static inline void vstore( struct stmt *s, long long *valp, long long newval, int alter) { if (alter && *valp == newval) s->code = NOP; else *valp = newval; } static void fold_op(struct stmt *s, long long v0, long long v1) { long long a, b; a = vmap[v0].const_val; b = vmap[v1].const_val; switch (NFF_OP(s->code)) { case NFF_ADD: a += b; break; case NFF_SUB: a -= b; break; case NFF_MUL: a *= b; break; case NFF_DIV: if (b == 0) ArgusLog(LOG_ERR, "division by zero"); a /= b; break; case NFF_AND: a &= b; break; case NFF_OR: a |= b; break; case NFF_LSH: a <<= b; break; case NFF_RSH: a >>= b; break; case NFF_NEG: a = -a; break; default: abort(); } s->data.k = a; s->code = NFF_LD|NFF_IMM; done = 0; } static inline struct slist * this_op(struct slist *s) { while (s != 0 && s->s.code == NOP) s = s->next; return s; } static void opt_not(struct ablock *b) { struct ablock *tmp = JT(b); JT(b) = JF(b); JF(b) = tmp; } static void opt_peep(struct ablock *b) { struct slist *s; struct slist *next, *last; long long val; s = b->stmts; if (s == 0) return; last = s; while (1) { s = this_op(s); if (s == 0) break; next = this_op(s->next); if (next == 0) break; last = next; /* * st M[k] --> st M[k] * ldx M[k] tax */ if ((s->s.code == NFF_ST) && (next->s.code == (NFF_LDX|NFF_MEM)) && (s->s.data.k == next->s.data.k)) { done = 0; next->s.code = NFF_MISC|NFF_TAX; } /* * ld #k --> ldx #k * tax txa */ if ((s->s.code == (NFF_LD|NFF_IMM)) && (next->s.code == (NFF_MISC|NFF_TAX))) { s->s.code = NFF_LDX|NFF_IMM; next->s.code = NFF_MISC|NFF_TXA; done = 0; } /* * This is an ugly special case, but it happens * when you say tcp[k] or udp[k] where k is a constant. */ if (s->s.code == (NFF_LD|NFF_IMM)) { struct slist *add, *tax, *ild; /* * Check that X isn't used on exit from this * ablock (which the optimizer might cause). * We know the code generator won't generate * any local dependencies. */ if (ATOMELEM(b->out_use, X_ATOM)) break; if (next->s.code != (NFF_LDX|NFF_MSH|NFF_B)) add = next; else add = this_op(next->next); if (add == 0 || add->s.code != (NFF_ALU|NFF_ADD|NFF_X)) break; tax = this_op(add->next); if (tax == 0 || tax->s.code != (NFF_MISC|NFF_TAX)) break; ild = this_op(tax->next); if (ild == 0 || NFF_CLASS(ild->s.code) != NFF_LD || NFF_MODE(ild->s.code) != NFF_IND) break; /* * XXX We need to check that X is not * subsequently used. We know we can eliminate the * accumulator modifications since it is defined * by the last stmt of this sequence. * * We want to turn this sequence: * * (004) ldi #0x2 {s} * (005) ldxms [14] {next} -- optional * (006) addx {add} * (007) tax {tax} * (008) ild [x+0] {ild} * * into this sequence: * * (004) nop * (005) ldxms [14] * (006) nop * (007) nop * (008) ild [x+2] * */ ild->s.data.k += s->s.data.k; s->s.code = NOP; add->s.code = NOP; tax->s.code = NOP; done = 0; } s = next; } /* * If we have a subtract to do a comparison, and the X register * is a known constant, we can merge this value into the * comparison. */ if (last->s.code == (NFF_ALU|NFF_SUB|NFF_X) && !ATOMELEM(b->out_use, A_ATOM)) { val = b->val[X_ATOM]; if (vmap[val].is_const) { int op; b->s.data.k += vmap[val].const_val; op = NFF_OP(b->s.code); if (op == NFF_JGT || op == NFF_JGE) { struct ablock *t = JT(b); JT(b) = JF(b); JF(b) = t; b->s.data.k *= -1; } last->s.code = NOP; done = 0; } else if (b->s.data.k == 0) { /* * sub x -> nop * j #0 j x */ last->s.code = NOP; b->s.code = NFF_CLASS(b->s.code) | NFF_OP(b->s.code) |NFF_X; done = 0; } } /* * Likewise, a constant subtract can be simplified. */ else if (last->s.code == (NFF_ALU|NFF_SUB|NFF_K) && !ATOMELEM(b->out_use, A_ATOM)) { int op; b->s.data.k += last->s.data.k; last->s.code = NOP; op = NFF_OP(b->s.code); if (op == NFF_JGT || op == NFF_JGE) { struct ablock *t = JT(b); JT(b) = JF(b); JF(b) = t; b->s.data.k *= -1; } done = 0; } /* * and #k nop * jeq #0 -> jset #k */ if (last->s.code == (NFF_ALU|NFF_AND|NFF_K) && !ATOMELEM(b->out_use, A_ATOM) && b->s.data.k == 0) { b->s.data.k = last->s.data.k; b->s.code = NFF_JMP|NFF_K|NFF_JSET; last->s.code = NOP; done = 0; opt_not(b); } /* * If the accumulator is a known constant, we can compute the * comparison result. */ val = b->val[A_ATOM]; if (vmap[val].is_const && NFF_SRC(b->s.code) == NFF_K) { long long v = vmap[val].const_val; switch (NFF_OP(b->s.code)) { case NFF_JEQ: v = (v == b->s.data.k); break; case NFF_JGT: v = v > b->s.data.k; break; case NFF_JGE: v = v >= b->s.data.k; break; case NFF_JSET: v &= b->s.data.k; break; default: abort(); } if (JF(b) != JT(b)) done = 0; if (v) JF(b) = JT(b); else JT(b) = JF(b); } } /* * Compute the symbolic value of expression of 's', and update * anything it defines in the value table 'val'. If 'alter' is true, * do various optimizations. This code would be cleaner if symbolic * evaluation and code transformations weren't folded together. */ static void opt_stmt( struct stmt *s, long long val[], int alter) { int op; long long v; switch (s->code) { case NFF_LD|NFF_DSR|NFF_L: case NFF_LD|NFF_ABS|NFF_L: case NFF_LD|NFF_DSR|NFF_W: case NFF_LD|NFF_ABS|NFF_W: case NFF_LD|NFF_DSR|NFF_H: case NFF_LD|NFF_ABS|NFF_H: case NFF_LD|NFF_DSR|NFF_B: case NFF_LD|NFF_ABS|NFF_B: case NFF_LD|NFF_DSR|NFF_F: case NFF_LD|NFF_ABS|NFF_F: v = F(s->code, s->data.k, 0L); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_IND|NFF_L: case NFF_LD|NFF_IND|NFF_W: case NFF_LD|NFF_IND|NFF_H: case NFF_LD|NFF_IND|NFF_B: case NFF_LD|NFF_IND|NFF_F: v = val[X_ATOM]; if (alter && vmap[v].is_const) { s->code = NFF_LD|NFF_ABS|NFF_SIZE(s->code); s->data.k += vmap[v].const_val; v = F(s->code, s->data.k, 0L); done = 0; } else v = F(s->code, s->data.k, v); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_LEN: v = F(s->code, 0L, 0L); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LD|NFF_IMM: v = K(s->data.k); vstore(s, &val[A_ATOM], v, alter); break; case NFF_LDX|NFF_IMM: v = K(s->data.k); vstore(s, &val[X_ATOM], v, alter); break; case NFF_LDX|NFF_MSH|NFF_B: v = F(s->code, s->data.k, 0L); vstore(s, &val[X_ATOM], v, alter); break; case NFF_ALU|NFF_NEG: if (alter && vmap[val[A_ATOM]].is_const) { s->code = NFF_LD|NFF_IMM; s->data.k = -vmap[val[A_ATOM]].const_val; val[A_ATOM] = K(s->data.k); } else val[A_ATOM] = F(s->code, val[A_ATOM], 0L); break; case NFF_ALU|NFF_ADD|NFF_K: case NFF_ALU|NFF_SUB|NFF_K: case NFF_ALU|NFF_MUL|NFF_K: case NFF_ALU|NFF_DIV|NFF_K: case NFF_ALU|NFF_AND|NFF_K: case NFF_ALU|NFF_OR|NFF_K: case NFF_ALU|NFF_LSH|NFF_K: case NFF_ALU|NFF_RSH|NFF_K: op = NFF_OP(s->code); if (alter) { if (s->data.k == 0) { /* don't optimize away "sub #0" * as it may be needed later to * fixup the generated math code */ if (op == NFF_ADD || op == NFF_LSH || op == NFF_RSH || op == NFF_OR) { s->code = NOP; break; } if (op == NFF_MUL || op == NFF_AND) { s->code = NFF_LD|NFF_IMM; val[A_ATOM] = K(s->data.k); break; } } if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], K(s->data.k)); val[A_ATOM] = K(s->data.k); break; } } val[A_ATOM] = F(s->code, val[A_ATOM], K(s->data.k)); break; case NFF_ALU|NFF_ADD|NFF_X: case NFF_ALU|NFF_SUB|NFF_X: case NFF_ALU|NFF_MUL|NFF_X: case NFF_ALU|NFF_DIV|NFF_X: case NFF_ALU|NFF_AND|NFF_X: case NFF_ALU|NFF_OR|NFF_X: case NFF_ALU|NFF_LSH|NFF_X: case NFF_ALU|NFF_RSH|NFF_X: op = NFF_OP(s->code); if (alter && vmap[val[X_ATOM]].is_const) { if (vmap[val[A_ATOM]].is_const) { fold_op(s, val[A_ATOM], val[X_ATOM]); val[A_ATOM] = K(s->data.k); } else { s->code = NFF_ALU|NFF_K|op; s->data.k = vmap[val[X_ATOM]].const_val; done = 0; val[A_ATOM] = F(s->code, val[A_ATOM], K(s->data.k)); } break; } /* * Check if we're doing something to an accumulator * that is 0, and simplify. This may not seem like * much of a simplification but it could open up further * optimizations. * XXX We could also check for mul by 1, and -1, etc. */ if (alter && vmap[val[A_ATOM]].is_const && vmap[val[A_ATOM]].const_val == 0) { if (op == NFF_ADD || op == NFF_OR || op == NFF_LSH || op == NFF_RSH || op == NFF_SUB) { s->code = NFF_MISC|NFF_TXA; vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; } else if (op == NFF_MUL || op == NFF_DIV || op == NFF_AND) { s->code = NFF_LD|NFF_IMM; s->data.k = 0; vstore(s, &val[A_ATOM], K(s->data.k), alter); break; } else if (op == NFF_NEG) { s->code = NOP; break; } } val[A_ATOM] = F(s->code, val[A_ATOM], val[X_ATOM]); break; case NFF_MISC|NFF_TXA: vstore(s, &val[A_ATOM], val[X_ATOM], alter); break; case NFF_LD|NFF_MEM: v = val[s->data.k]; if (alter && vmap[v].is_const) { s->code = NFF_LD|NFF_IMM; s->data.k = vmap[v].const_val; done = 0; } vstore(s, &val[A_ATOM], v, alter); break; case NFF_MISC|NFF_TAX: vstore(s, &val[X_ATOM], val[A_ATOM], alter); break; case NFF_LDX|NFF_MEM: v = val[s->data.k]; if (alter && vmap[v].is_const) { s->code = NFF_LDX|NFF_IMM; s->data.k = vmap[v].const_val; done = 0; } vstore(s, &val[X_ATOM], v, alter); break; case NFF_ST: vstore(s, &val[s->data.k], val[A_ATOM], alter); break; case NFF_STX: vstore(s, &val[s->data.k], val[X_ATOM], alter); break; case NOP: break; default: ArgusLog(LOG_ERR, "opt_stmt: statement not in list"); break; } } static void deadstmt(struct stmt *s, struct stmt *last[]) { register int atom; atom = atomuse(s); if (atom >= 0) { if (atom == AX_ATOM) { last[X_ATOM] = 0; last[A_ATOM] = 0; } else last[atom] = 0; } atom = atomdef(s); if (atom >= 0) { if (last[atom]) { done = 0; last[atom]->code = NOP; } last[atom] = s; } } static void opt_deadstores(struct ablock *b) { register struct slist *s; register int atom; struct stmt *last[N_ATOMS]; memset((char *)last, 0, sizeof last); for (s = b->stmts; s != 0; s = s->next) deadstmt(&s->s, last); deadstmt(&b->s, last); for (atom = 0; atom < N_ATOMS; ++atom) if (last[atom] && !ATOMELEM(b->out_use, atom)) { last[atom]->code = NOP; done = 0; } } static void opt_blk( struct ablock *b, int do_stmts) { long long aval; struct slist *s; struct edge *p; int i; #if 0 for (s = b->stmts; s && s->next; s = s->next) if (NFF_CLASS(s->s.code) == NFF_JMP) { do_stmts = 0; break; } #endif /* * Initialize the atom values. * If we have no predecessors, everything is undefined. * Otherwise, we inherent our values from our predecessors. * If any register has an ambiguous value (i.e. control paths are * merging) give it the undefined value of 0. */ p = b->in_edges; if (p == 0) memset((char *)b->val, 0, sizeof(b->val)); else { memcpy((char *)b->val, (char *)p->pred->val, sizeof(b->val)); while ((p = p->next) != NULL) { for (i = 0; i < N_ATOMS; ++i) if (b->val[i] != p->pred->val[i]) b->val[i] = 0; } } aval = b->val[A_ATOM]; for (s = b->stmts; s; s = s->next) opt_stmt(&s->s, b->val, do_stmts); /* * This is a special case: if we don't use anything from this * block, and we load the accumulator with value that is * already there, or if this ablock is a return, * eliminate all the statements. */ if (do_stmts && ((b->out_use == 0 && aval != 0 &&b->val[A_ATOM] == aval) || NFF_CLASS(b->s.code) == NFF_RET)) { if (b->stmts != 0) { b->stmts = 0; done = 0; } } else { opt_peep(b); opt_deadstores(b); } /* * Set up values for branch optimizer. */ if (NFF_SRC(b->s.code) == NFF_K) b->oval = K(b->s.data.k); else b->oval = b->val[X_ATOM]; b->et.code = b->s.code; b->ef.code = -b->s.code; } /* * Return true if any register that is used on exit from 'succ', has * an exit value that is different from the corresponding exit value * from 'b'. */ static int use_conflict(struct ablock *b, struct ablock *succ) { int atom; atomset use = succ->out_use; if (use == 0) return 0; for (atom = 0; atom < N_ATOMS; ++atom) if (ATOMELEM(use, atom)) if (b->val[atom] != succ->val[atom]) return 1; return 0; } static struct ablock * fold_edge(struct ablock *child, struct edge *ep) { int sense; int code = ep->code; long long aval0, aval1, oval0, oval1; if (code < 0) { code = -code; sense = 0; } else sense = 1; if (child->s.code != code) return 0; aval0 = child->val[A_ATOM]; oval0 = child->oval; aval1 = ep->pred->val[A_ATOM]; oval1 = ep->pred->oval; if (aval0 != aval1) return 0; if (oval0 == oval1) /* * The operands are identical, so the * result is true if a true branch was * taken to get here, otherwise false. */ return sense ? JT(child) : JF(child); if (sense && code == (NFF_JMP|NFF_JEQ|NFF_K)) /* * At this point, we only know the comparison if we * came down the true branch, and it was an equality * comparison with a constant. We rely on the fact that * distinct constants have distinct value numbers. */ return JF(child); return 0; } static void opt_j(struct edge *ep) { register int i, k; register struct ablock *target = NULL; if (JT(ep->succ) == 0) return; if (JT(ep->succ) == JF(ep->succ)) { /* * Common branch targets can be eliminated, provided * there is no data dependency. */ if (!use_conflict(ep->pred, ep->succ->et.succ)) { done = 0; ep->succ = JT(ep->succ); } } /* * For each edge dominator that matches the successor of this * edge, promote the edge successor to the its grandchild. * * XXX We violate the set abstraction here in favor a reasonably * efficient loop. */ top: for (i = 0; i < edgewords; ++i) { register nff_u_int32 x = ep->edom[i]; while (x != 0) { k = ffs(x) - 1; x &=~ (1 << k); k += i * BITS_PER_WORD; target = fold_edge(ep->succ, edges[k]); /* * Check that there is no data dependency between * nodes that will be violated if we move the edge. */ if (target != 0 && !use_conflict(ep->pred, target)) { done = 0; ep->succ = target; if (JT(target) != 0) /* * Start over unless we hit a leaf. */ goto top; return; } } } } static void or_pullup(struct ablock *b) { long long val; int at_top; struct ablock *pull; struct ablock **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. * XXX why? */ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JT(*diffp) != JT(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JF(*diffp); at_top = 0; } samep = &JF(*diffp); while (1) { if (*samep == 0) return; if (JT(*samep) != JT(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between dp0 and dp1. Currently, the code generator will not produce such dependencies. */ samep = &JF(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JF(pull); JF(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void and_pullup(struct ablock *b) { long long val; int at_top; struct ablock *pull; struct ablock **diffp, **samep; struct edge *ep; ep = b->in_edges; if (ep == 0) return; /* * Make sure each predecessor loads the same value. */ val = ep->pred->val[A_ATOM]; for (ep = ep->next; ep != 0; ep = ep->next) if (val != ep->pred->val[A_ATOM]) return; if (JT(b->in_edges->pred) == b) diffp = &JT(b->in_edges->pred); else diffp = &JF(b->in_edges->pred); at_top = 1; while (1) { if (*diffp == 0) return; if (JF(*diffp) != JF(b)) return; if (!SET_MEMBER((*diffp)->dom, b->id)) return; if ((*diffp)->val[A_ATOM] != val) break; diffp = &JT(*diffp); at_top = 0; } samep = &JT(*diffp); while (1) { if (*samep == 0) return; if (JF(*samep) != JF(b)) return; if (!SET_MEMBER((*samep)->dom, b->id)) return; if ((*samep)->val[A_ATOM] == val) break; /* XXX Need to check that there are no data dependencies between diffp and samep. Currently, the code generator will not produce such dependencies. */ samep = &JT(*samep); } #ifdef notdef /* XXX This doesn't cover everything. */ for (i = 0; i < N_ATOMS; ++i) if ((*samep)->val[i] != pred->val[i]) return; #endif /* Pull up the node. */ pull = *samep; *samep = JT(pull); JT(pull) = *diffp; /* * At the top of the chain, each predecessor needs to point at the * pulled up node. Inside the chain, there is only one predecessor * to worry about. */ if (at_top) { for (ep = b->in_edges; ep != 0; ep = ep->next) { if (JT(ep->pred) == b) JT(ep->pred) = pull; else JF(ep->pred) = pull; } } else *diffp = pull; done = 0; } static void opt_blks( struct ablock *root, int do_stmts) { int i, maxlevel; struct ablock *p; init_val(); maxlevel = root->level; find_inedges(root); for (i = maxlevel; i >= 0; --i) for (p = levels[i]; p; p = p->link) opt_blk(p, do_stmts); if (do_stmts) /* * No point trying to move branches; it can't possibly * make a difference at this point. */ return; for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { opt_j(&p->et); opt_j(&p->ef); } } find_inedges(root); for (i = 1; i <= maxlevel; ++i) { for (p = levels[i]; p; p = p->link) { or_pullup(p); and_pullup(p); } } } static inline void link_inedge(struct edge *parent, struct ablock *child) { parent->next = child->in_edges; child->in_edges = parent; } static void find_inedges(struct ablock *root) { int i; struct ablock *b; for (i = 0; i < n_blocks; ++i) blocks[i]->in_edges = 0; /* * Traverse the graph, adding each edge to the predecessor * list of its successors. Skip the leaves (i.e. level 0). */ for (i = root->level; i > 0; --i) { for (b = levels[i]; b != 0; b = b->link) { link_inedge(&b->et, JT(b)); link_inedge(&b->ef, JF(b)); } } } static void opt_root(struct ablock **b) { struct slist *tmp, *s; s = (*b)->stmts; (*b)->stmts = 0; while (NFF_CLASS((*b)->s.code) == NFF_JMP && JT(*b) == JF(*b)) *b = JT(*b); tmp = (*b)->stmts; if (tmp != 0) Argussappend(s, tmp); (*b)->stmts = s; /* * If the root node is a return, then there is no * point executing any statements (since the nff machine * has no side effects). */ if (NFF_CLASS((*b)->s.code) == NFF_RET) (*b)->stmts = 0; } static void opt_loop(struct ablock *root, int do_stmts) { #ifdef BDEBUG if (dflag > 1) { printf("opt_loop(root, %d) begin\n", do_stmts); opt_dump(root); } #endif do { done = 1; find_levels(root); find_dom(root); find_closure(root); find_ud(root); find_edom(root); opt_blks(root, do_stmts); #ifdef BDEBUG if (dflag > 1) { printf("opt_loop(root, %d) bottom, done=%d\n", do_stmts, done); opt_dump(root); } #endif } while (!done); } /* * Optimize the filter code in its dag representation. */ void Argusnff_optimize(struct ablock **rootp) { struct ablock *root; root = *rootp; opt_init(root); opt_loop(root, 0); opt_loop(root, 1); intern_blocks(root); #ifdef BDEBUG if (dflag > 1) { printf("after intern_blocks()\n"); opt_dump(root); } #endif opt_root(rootp); #ifdef BDEBUG if (dflag > 1) { printf("after opt_root()\n"); opt_dump(root); } #endif opt_cleanup(); #ifdef ARGUSDEBUG ArgusDebug (6, "Argusnff_optimize (0x%x)", rootp); #endif } static void make_marks(struct ablock *p) { if (!isMarked(p)) { Mark(p); if (NFF_CLASS(p->s.code) != NFF_RET) { make_marks(JT(p)); make_marks(JF(p)); } } } /* * Mark code array such that isMarked(i) is true * only for nodes that are alive. */ static void mark_code(struct ablock *p) { cur_mark += 1; make_marks(p); } /* * True iff the two stmt lists load the same value from the packet into * the accumulator. */ static int eq_slist(struct slist *x, struct slist *y) { while (1) { while (x && x->s.code == NOP) x = x->next; while (y && y->s.code == NOP) y = y->next; if (x == 0) return y == 0; if (y == 0) return x == 0; if (x->s.code != y->s.code || x->s.data.k != y->s.data.k) return 0; x = x->next; y = y->next; } } static inline int eq_blk(struct ablock *b0, struct ablock *b1) { if (b0->s.code == b1->s.code && b0->s.dsr == b1->s.dsr && b0->s.data.k == b1->s.data.k && b0->et.succ == b1->et.succ && b0->ef.succ == b1->ef.succ) return eq_slist(b0->stmts, b1->stmts); return 0; } static void intern_blocks(struct ablock *root) { struct ablock *p; int i, j; int done; top: done = 1; for (i = 0; i < n_blocks; ++i) blocks[i]->link = 0; mark_code(root); for (i = n_blocks - 1; --i >= 0; ) { if (!isMarked(blocks[i])) continue; for (j = i + 1; j < n_blocks; ++j) { if (!isMarked(blocks[j])) continue; if (eq_blk(blocks[i], blocks[j])) { blocks[i]->link = blocks[j]->link ? blocks[j]->link : blocks[j]; break; } } } for (i = 0; i < n_blocks; ++i) { p = blocks[i]; if (JT(p) == 0) continue; if (JT(p)->link) { done = 0; JT(p) = JT(p)->link; } if (JF(p)->link) { done = 0; JF(p) = JF(p)->link; } } if (!done) goto top; } static void opt_cleanup() { free((void *)vnode_base); free((void *)vmap); free((void *)edges); free((void *)space); free((void *)levels); free((void *)blocks); } /* * Return the number of stmts in 's'. */ static int slength(struct slist *s) { int n = 0; for (; s; s = s->next) if (s->s.code != NOP) ++n; return n; } /* * Return the number of nodes reachable by 'p'. * All nodes should be initially unmarked. */ static int count_blocks(struct ablock *p) { if (p == 0 || isMarked(p)) return 0; Mark(p); return count_blocks(JT(p)) + count_blocks(JF(p)) + 1; } /* * Do a depth first search on the flow graph, numbering the * the basic blocks, and entering them into the 'blocks' array.` */ static void number_blks_r(struct ablock *p) { int n; if (p == 0 || isMarked(p)) return; Mark(p); n = n_blocks++; p->id = n; blocks[n] = p; number_blks_r(JT(p)); number_blks_r(JF(p)); } /* * Return the number of stmts in the flowgraph reachable by 'p'. * The nodes should be unmarked before calling. * * Note that "stmts" means "instructions", and that this includes * * side-effect statements in 'p' (slength(p->stmts)); * * statements in the true branch from 'p' (count_stmts(JT(p))); * * statements in the false branch from 'p' (count_stmts(JF(p))); * * the conditional jump itself (1); * * an extra long jump if the true branch requires it (p->longjt); * * an extra long jump if the false branch requires it (p->longjf). */ static int count_stmts(struct ablock *p) { int n; if (p == 0 || isMarked(p)) return 0; Mark(p); n = count_stmts(JT(p)) + count_stmts(JF(p)); return slength(p->stmts) + n + 1 + p->longjt + p->longjf; } /* * Allocate memory. All allocation is done before optimization * is begun. A linear bound on the size of all data structures is computed * from the total number of blocks and/or statements. */ static void opt_init(struct ablock *root) { nff_u_int32 *p; int i, n, max_stmts; /* * First, count the blocks, so we can malloc an array to map * ablock number to block. Then, put the blocks into the array. */ unMarkAll(); n = count_blocks(root); blocks = (struct ablock **)malloc(n * sizeof(*blocks)); unMarkAll(); n_blocks = 0; number_blks_r(root); n_edges = 2 * n_blocks; edges = (struct edge **)malloc(n_edges * sizeof(*edges)); /* * The number of levels is bounded by the number of nodes. */ levels = (struct ablock **)malloc(n_blocks * sizeof(*levels)); edgewords = n_edges / (8 * sizeof(nff_u_int32)) + 1; nodewords = n_blocks / (8 * sizeof(nff_u_int32)) + 1; /* XXX */ space = (nff_u_int32 *)malloc(2 * n_blocks * nodewords * sizeof(*space) + n_edges * edgewords * sizeof(*space)); p = space; all_dom_sets = p; for (i = 0; i < n; ++i) { blocks[i]->dom = p; p += nodewords; } all_closure_sets = p; for (i = 0; i < n; ++i) { blocks[i]->closure = p; p += nodewords; } all_edge_sets = p; for (i = 0; i < n; ++i) { register struct ablock *b = blocks[i]; b->et.edom = p; p += edgewords; b->ef.edom = p; p += edgewords; b->et.id = i; edges[i] = &b->et; b->ef.id = n_blocks + i; edges[n_blocks + i] = &b->ef; b->et.pred = b; b->ef.pred = b; } max_stmts = 0; for (i = 0; i < n; ++i) max_stmts += slength(blocks[i]->stmts) + 1; /* * We allocate at most 3 value numbers per statement, * so this is an upper bound on the number of valnodes * we'll need. */ maxval = 3 * max_stmts; vmap = (struct vmapinfo *)malloc(maxval * sizeof(*vmap)); vnode_base = (struct valnode *)malloc(maxval * sizeof(*vnode_base)); } /* * Some pointers used to convert the basic ablock form of the code, * into the array form that NFF requires. 'fstart' will point to * the malloc'd array while 'ftail' is used during the recursive traversal. */ static struct nff_insn *fstart; static struct nff_insn *ftail; #ifdef BDEBUG int bids[1000]; #endif /* * Returns true if successful. Returns false if a branch has * an offset that is too large. If so, we have marked that * branch so that on a subsequent iteration, it will be treated * properly. */ static int convert_code_r(struct ablock *p) { struct nff_insn *dst; struct slist *src; int slen; u_int off; int extrajmps; /* number of extra jumps inserted */ struct slist **offset = NULL; if (p == 0 || isMarked(p)) return (1); Mark(p); if (convert_code_r(JF(p)) == 0) return (0); if (convert_code_r(JT(p)) == 0) return (0); slen = slength(p->stmts); dst = ftail -= (slen + 1 + p->longjt + p->longjf); /* inflate length by any extra jumps */ p->offset = dst - fstart; /* generate offset[] for convenience */ if (slen) { offset = (struct slist **)calloc(sizeof(struct slist *), slen); if (!offset) { ArgusLog(LOG_ERR, "not enough core"); /*NOTREACHED*/ } } src = p->stmts; for (off = 0; off < slen && src; off++) { #if 0 printf("off=%d src=%x\n", off, src); #endif offset[off] = src; src = src->next; } off = 0; for (src = p->stmts; src; src = src->next) { if (src->s.code == NOP) continue; dst->dsr = src->s.dsr; dst->code = (u_short)src->s.code; dst->type = src->s.type; dst->data.k = src->s.data.k; /* fill block-local relative jump */ if (NFF_CLASS(src->s.code) != NFF_JMP || src->s.code == (NFF_JMP|NFF_JA)) { #if 0 if (src->s.jt || src->s.jf) { ArgusLog(LOG_ERR, "illegal jmp destination"); /*NOTREACHED*/ } #endif goto filled; } if (off == slen - 2) /*???*/ goto filled; { int i; int jt, jf; char *ljerr = "%s for block-local relative jump: off=%d"; #if 0 printf("code=%x off=%d %x %x\n", src->s.code, off, src->s.jt, src->s.jf); #endif if (!src->s.jt || !src->s.jf) { ArgusLog(LOG_ERR, "no jmp destination %d, %d", ljerr, off); /*NOTREACHED*/ } jt = jf = 0; for (i = 0; i < slen; i++) { if (offset[i] == src->s.jt) { if (jt) { ArgusLog(LOG_ERR, "multiple matches %d, %d", ljerr, off); /*NOTREACHED*/ } dst->jt = i - off - 1; jt++; } if (offset[i] == src->s.jf) { if (jf) { ArgusLog(LOG_ERR, "multiple matches %d, %d", ljerr, off); /*NOTREACHED*/ } dst->jf = i - off - 1; jf++; } } if (!jt || !jf) { ArgusLog(LOG_ERR, "no destination found %d, %d", ljerr, off); /*NOTREACHED*/ } } filled: ++dst; ++off; } if (offset) free(offset); #ifdef BDEBUG bids[dst - fstart] = p->id + 1; #endif dst->dsr = p->s.dsr; dst->code = (u_short)p->s.code; dst->type = p->s.type; dst->data.k = p->s.data.k; if (JT(p)) { extrajmps = 0; off = JT(p)->offset - (p->offset + slen) - 1; if (off >= 256) { /* offset too large for branch, must add a jump */ if (p->longjt == 0) { /* mark this instruction and retry */ p->longjt++; return(0); } /* branch if T to following jump */ dst->jt = extrajmps; extrajmps++; dst[extrajmps].code = NFF_JMP|NFF_JA; dst[extrajmps].type = dst->type; dst[extrajmps].data.k = off - extrajmps; } else dst->jt = off; off = JF(p)->offset - (p->offset + slen) - 1; if (off >= 256) { /* offset too large for branch, must add a jump */ if (p->longjf == 0) { /* mark this instruction and retry */ p->longjf++; return(0); } /* branch if F to following jump */ /* if two jumps are inserted, F goes to second one */ dst->jf = extrajmps; extrajmps++; dst[extrajmps].code = NFF_JMP|NFF_JA; dst[extrajmps].type = dst->type; dst[extrajmps].data.k = off - extrajmps; } else dst->jf = off; } return (1); } /* * Convert flowgraph intermediate representation to the * NFF array representation. Set *lenp to the number of instructions. */ struct nff_insn * Argusicode_to_fcode(struct ablock *root, int *lenp) { int n; struct nff_insn *fp; /* * Loop doing convert_code_r() until no branches remain * with too-large offsets. */ while (1) { unMarkAll(); n = *lenp = count_stmts(root); fp = (struct nff_insn *)malloc(sizeof(*fp) * n); memset((char *)fp, 0, sizeof(*fp) * n); fstart = fp; ftail = fp + n; unMarkAll(); if (convert_code_r(root)) break; free(fp); } #ifdef ARGUSDEBUG ArgusDebug (10, "Argusicode_to_fcode () returning 0x%x", fp); #endif return fp; } #ifdef BDEBUG static void opt_dump(struct ablock *root) { struct nff_program f; char *buf; char *code = NULL; if ((code = ArgusCalloc (1, MAXSTRLEN)) == NULL) ArgusLog (LOG_ERR, "ArgusInitOutput:ArgusCalloc error %s\n", strerror(errno)); memset(bids, 0, sizeof bids); f.bf_insns = Argusicode_to_fcode(root, &f.bf_len); nff_dump(&f, code, MAXSTRLEN, 1); printf("%s\n", code); free((char *)f.bf_insns); ArgusFree(code); } #endif extern void nff_dump(struct nff_program *, char *, int, int); static char *nff_image(struct nff_insn *p, int n); void nff_dump(struct nff_program *p, char *buf, int buflen, int option) { struct nff_insn *insn; int i, slen; int n = p->bf_len; insn = p->bf_insns; if (option > 2) { slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "%d\n", n); for (i = 0; i < n; ++insn, ++i) { slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "%lu %lu %lu %llu\n", (long)insn->code, (long)insn->jt, (long)insn->jf, insn->data.k); } return ; } if (option > 1) { for (i = 0; i < n; ++insn, ++i) { slen = strlen(buf); snprintf(&buf[slen], buflen - slen, "{ 0x%x, %d, %d, 0x%08llx },\n", insn->code, insn->jt, insn->jf, insn->data.k); } return; } for (i = 0; i < n; ++insn, ++i) { slen = strlen(buf); #ifdef BDEBUG extern int bids[]; snprintf(&buf[slen], buflen - slen, bids[i] > 0 ? "[%02d]" : " -- ", bids[i] - 1); #endif snprintf(&buf[slen], buflen - slen, "%s\n", nff_image(insn, i)); } } /* * Copyright (c) 1990, 1991, 1992, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ static char *nff_image(struct nff_insn *, int); static char * nff_image(struct nff_insn *p, int n) { int v, dsr; static char image[256]; char operand[64], op[32]; char *fmt, *s; float f; dsr = p->dsr; v = p->data.k; f = p->data.f; s = p->data.s; switch (p->code) { default: sprintf(op, "unimp"); fmt = "0x%x"; v = p->code; break; case NFF_RET|NFF_K: sprintf(op, "ret"); fmt = " #%d"; break; case NFF_RET|NFF_A: sprintf(op, "ret"); fmt = " "; break; case NFF_LD|NFF_F|NFF_DSR: if (dsr < 0) sprintf(op, "ldf hdr"); else sprintf(op, "ldf dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_F|NFF_ABS: sprintf(op, "ldf"); fmt = "[%d]"; break; case NFF_LD|NFF_L|NFF_DSR: if (dsr < 0) sprintf(op, "ldll hdr"); else sprintf(op, "ldll dsr[%d]", dsr); fmt = "[%Ld]"; break; case NFF_LD|NFF_L|NFF_ABS: sprintf(op, "ldll"); fmt = "[%Ld]"; break; case NFF_LD|NFF_W|NFF_DSR: if (dsr < 0) sprintf(op, "ld hdr"); else sprintf(op, "ld dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_W|NFF_ABS: sprintf(op, "ld"); fmt = "[%d]"; break; case NFF_LD|NFF_H|NFF_DSR: if (dsr < 0) sprintf(op, "ldh hdr"); else sprintf(op, "ldh dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_H|NFF_ABS: sprintf(op, "ldh"); fmt = "[%d]"; break; case NFF_LD|NFF_B|NFF_DSR: if (dsr < 0) sprintf(op, "ldb hdr"); else sprintf(op, "ldb dsr[%d]", dsr); fmt = "[%d]"; break; case NFF_LD|NFF_B|NFF_ABS: sprintf(op, "ldb"); fmt = "[%d]"; break; case NFF_LD|NFF_W|NFF_LEN: sprintf(op, "ld"); fmt = "#pktlen"; break; case NFF_LD|NFF_F|NFF_IND: sprintf(op, "ldf"); fmt = "[x + %d]"; break; case NFF_LD|NFF_L|NFF_IND: sprintf(op, "ldll"); fmt = "[x + %Ld]"; break; case NFF_LD|NFF_W|NFF_IND: sprintf(op, "ld"); fmt = "[x + %d]"; break; case NFF_LD|NFF_H|NFF_IND: sprintf(op, "ldh"); fmt = "[x + %d]"; break; case NFF_LD|NFF_B|NFF_IND: sprintf(op, "ldb"); fmt = "[x + %d]"; break; case NFF_LD|NFF_IMM: sprintf(op, "ld"); fmt = "#0x%x"; break; case NFF_LDX|NFF_IMM: sprintf(op, "ldx"); fmt = "#0x%x"; break; case NFF_LDX|NFF_MSH|NFF_B: sprintf(op, "ldxb"); fmt = "4*([%d]&0xf)"; break; case NFF_LD|NFF_MEM: sprintf(op, "ld"); fmt = "M[%d]"; break; case NFF_LDX|NFF_MEM: sprintf(op, "ldx"); fmt = "M[%d]"; break; case NFF_ST: sprintf(op, "st"); fmt = "M[%d]"; break; case NFF_STX: sprintf(op, "stx"); fmt = "M[%d]"; break; case NFF_JMP|NFF_JA: sprintf(op, "ja"); fmt = "%d"; v = n + p->data.k; break; case NFF_JMP|NFF_JGT|NFF_F: sprintf(op, "jgt"); fmt = "#%f"; break; case NFF_JMP|NFF_JGE|NFF_F: sprintf(op, "jge"); fmt = "#%f"; break; case NFF_JMP|NFF_JEQ|NFF_F: sprintf(op, "jeq"); fmt = "#%f"; break; case NFF_JMP|NFF_JGT|NFF_K: sprintf(op, "jgt"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JGE|NFF_K: sprintf(op, "jge"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JEQ|NFF_K: sprintf(op, "jeq"); switch (p->type) { case Q_STRING: fmt = "\"%s\""; break; case Q_DEFAULT: fmt = "#0x%x"; break; } break; case NFF_JMP|NFF_JSET|NFF_K: sprintf(op, "jset"); fmt = "#0x%x"; break; case NFF_JMP|NFF_JGT|NFF_X: sprintf(op, "jgt"); fmt = "x"; break; case NFF_JMP|NFF_JGE|NFF_X: sprintf(op, "jge"); fmt = "x"; break; case NFF_JMP|NFF_JEQ|NFF_X: sprintf(op, "jeq"); fmt = "x"; break; case NFF_JMP|NFF_JSET|NFF_X: sprintf(op, "jset"); fmt = "x"; break; case NFF_ALU|NFF_ADD|NFF_X: sprintf(op, "add"); fmt = "x"; break; case NFF_ALU|NFF_SUB|NFF_X: sprintf(op, "sub"); fmt = "x"; break; case NFF_ALU|NFF_MUL|NFF_X: sprintf(op, "mul"); fmt = "x"; break; case NFF_ALU|NFF_DIV|NFF_X: sprintf(op, "div"); fmt = "x"; break; case NFF_ALU|NFF_AND|NFF_X: sprintf(op, "and"); fmt = "x"; break; case NFF_ALU|NFF_OR|NFF_X: sprintf(op, "or"); fmt = "x"; break; case NFF_ALU|NFF_LSH|NFF_X: sprintf(op, "lsh"); fmt = "x"; break; case NFF_ALU|NFF_RSH|NFF_X: sprintf(op, "rsh"); fmt = "x"; break; case NFF_ALU|NFF_ADD|NFF_K: sprintf(op, "add"); fmt = " #%d"; break; case NFF_ALU|NFF_SUB|NFF_K: sprintf(op, "sub"); fmt = " #%d"; break; case NFF_ALU|NFF_MUL|NFF_K: sprintf(op, "mul"); fmt = " #%d"; break; case NFF_ALU|NFF_DIV|NFF_K: sprintf(op, "div"); fmt = " #%d"; break; case NFF_ALU|NFF_AND|NFF_K: sprintf(op, "and"); fmt = " #%d"; break; case NFF_ALU|NFF_OR|NFF_K: sprintf(op, "or"); fmt = " #%d"; break; case NFF_ALU|NFF_LSH|NFF_K: sprintf(op, "lsh"); fmt = " #%d"; break; case NFF_ALU|NFF_RSH|NFF_K: sprintf(op, "rsh"); fmt = " #%d"; break; case NFF_ALU|NFF_NEG: sprintf(op, "neg"); fmt = ""; break; case NFF_MISC|NFF_TAX: sprintf(op, "tax"); fmt = ""; break; case NFF_MISC|NFF_TXA: sprintf(op, "txa"); fmt = ""; break; } if (!(strcmp (fmt, "#%f"))) (void)snprintf(operand, 64, fmt, f); else if (!(strcmp (fmt, "\"%s\""))) { (void)snprintf(operand, 64, fmt, s); } else (void)snprintf(operand, 64, fmt, v); if ((NFF_CLASS(p->code) == NFF_JMP) && (NFF_OP(p->code) != NFF_JA)) (void)snprintf(image, 256, "(%03d) %-8s %-16s jt %d\tjf %d", n, op, operand, (n + 1 + p->jt), (n + 1 + p->jf)); else (void)snprintf(image, 256, "(%03d) %-8s%s", n, op, operand); return image; } argus-5.0.2/common/argus_util.c000066400000000000000000002535721471541253600164770ustar00rootroot00000000000000/* * Argus-5.0 Software. Common library routines - Utilities * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/common/argus_util.c#13 $ * $DateTime: 2016/10/27 18:40:41 $ * $Change: 3232 $ */ #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #ifndef argus_util #define argus_util #endif #include #include #include #include #include #include #if (HAVE_SYSLOG_H) #include #endif #include #include #include #include #include #include #if defined(HAVE_XDR) #include #include #endif #if defined(ARGUS_THREADS) #include #endif #ifndef HAVE_POSIX_MEMALIGN # ifdef HAVE_MEMALIGN # include # endif #endif #include #include #include #include #include #include #include #include #include #if defined(AIX) #include #endif #ifndef AF_INET6 #define AF_INET6 23 #endif #ifdef HAVE_ETHER_HOSTTON /* * XXX - do we need any of this if doesn't declare * ether_hostton()? */ #ifdef HAVE_NETINET_IF_ETHER_H struct mbuf; /* Squelch compiler warnings on some platforms for */ struct rtentry; /* declarations in */ #include /* for "struct ifnet" in "struct arpcom" on Solaris */ #include #endif /* HAVE_NETINET_IF_ETHER_H */ #ifdef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON #include #endif /* NETINET_ETHER_H_DECLARES_ETHER_HOSTTON */ #endif /* HAVE_ETHER_HOSTTON */ extern char *ArgusProgramName; #ifdef HAVE_BACKTRACE extern void ArgusBacktrace (void); #endif void ArgusInitAddrtoname(struct ArgusParserStruct *, u_int, u_int); void ArgusInitServarray(struct ArgusParserStruct *); void ArgusInitEprotoarray(struct ArgusParserStruct *); void ArgusInitProtoidarray(struct ArgusParserStruct *); void ArgusInitEtherarray(struct ArgusParserStruct *); void ArgusInitLlcsaparray(struct ArgusParserStruct *); void ArgusFreeEtherarray(struct ArgusParserStruct *); void ArgusFreeServarray(struct ArgusParserStruct *); void ArgusFreeProtoidarray(struct ArgusParserStruct *); void ArgusFreeLlcsaparray(struct ArgusParserStruct *); u_int ipaddrtonetmask(u_int); u_int getnetnumber( u_int); struct ArgusParserStruct * ArgusNewParser(char *progname) { struct ArgusParserStruct *retn = NULL; if ((retn = (struct ArgusParserStruct *) ArgusCalloc(1, sizeof(*retn))) == NULL) ArgusLog (LOG_ERR, "ArgusNewParser(%s) ArgusCalloc error %s", progname, strerror(errno)); retn->ArgusCIDRPtr = &retn->ArgusCIDRBuffer; ArgusInitAddrtoname (retn, 0L, 0L); retn->pflag = 6; return (retn); } void ArgusCloseParser(struct ArgusParserStruct *parser) { ArgusFreeEtherarray(parser); ArgusFreeServarray(parser); ArgusFreeProtoidarray(parser); ArgusFreeLlcsaparray(parser); /* ArgusFreeEprotoarray(parser); ArgusFreeDSCodepointarray(parser); */ } void ArgusAdjustGlobalTime (struct timeval *global, struct timeval *now) { struct timeval ArgusTimeDelta; ArgusTimeDelta.tv_sec = now->tv_sec - global->tv_sec; ArgusTimeDelta.tv_usec = now->tv_usec - global->tv_usec; global->tv_sec = now->tv_sec - ArgusTimeDelta.tv_sec; global->tv_usec = now->tv_usec - ArgusTimeDelta.tv_usec; if (global->tv_usec < 0) { global->tv_sec--; global->tv_usec += 1000000; } else { if (global->tv_usec > 1000000) { global->tv_sec++; global->tv_usec -= 1000000; } } } extern char *print_time(struct timeval *); #ifdef ARGUSDEBUG void ArgusDebug (int d, char *fmt, ...); #include void ArgusDebug (int d, char *fmt, ...) { struct timeval now; extern int Argusdflag, daemonflag; char *buf = NULL, *ptr; va_list ap; if (d <= Argusdflag) { va_start (ap, fmt); if ((buf = ArgusCalloc (1, MAXSTRLEN)) == NULL) ArgusLog (LOG_ERR, "ArgusNewDump: ArgusCalloc error %s\n", strerror(errno)); ptr = buf; gettimeofday (&now, 0L); #if defined(ARGUS_THREADS) { pthread_t ptid; char pbuf[128]; int i; bzero(pbuf, sizeof(pbuf)); ptid = pthread_self(); for (i = 0; i < sizeof(ptid); i++) { snprintf (&pbuf[i*2], 3, "%02hhx", ((char *)&ptid)[i]); } (void) snprintf (buf, MAXSTRLEN, "%s[%d.%s]: %s ", ArgusProgramName, (int)getpid(), pbuf, print_time(&now)); } ptr = &buf[strlen(buf)]; (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } if (daemonflag) { #ifdef HAVE_SYSLOG syslog (LOG_ALERT, "%s", buf); #endif } else fprintf (stderr, "%s", buf); #else (void) snprintf (buf, MAXSTRLEN, "%s[%d]: %s ", ArgusProgramName, (int)getpid(), print_time(&now)); ptr = &buf[strlen(buf)]; (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } if (daemonflag) { #ifdef HAVE_SYSLOG syslog (LOG_ALERT, "%s", buf); #endif } else fprintf (stderr, "%s", buf); #endif if (buf != NULL) ArgusFree(buf); va_end (ap); } } #endif #include #if !defined(HAVE_STRTOF) && !defined(CYGWIN) float strtof (char *, char **); float strtof (char *str, char **ptr) { double ipart = 0.0, fpart = 0.0, multi = 0.0; float retn = 0.0; char *dptr; int i; if ((dptr = strchr (str, '.')) != NULL) { int len = 0; *dptr++ = 0; len = strlen(dptr); i = atoi(dptr); multi = pow(10.0, len * 1.0); fpart = i * 1.0/multi; } ipart = atoi(str); retn = ipart + fpart; return(retn); } #endif void ArgusPrintHex (const u_char *, u_int); #if !defined(ntohll) #if defined(_LITTLE_ENDIAN) #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__sun__) #include #define ntohll(x) EXTRACT_64BITS(&x) #define htonll(x) EXTRACT_64BITS(&x) #else #include #define ntohll(x) bswap_64(x) #define htonll(x) bswap_64(x) #endif #else #define ntohll(x) x #define htonll(x) x #endif #endif void ArgusHtoN (struct ArgusRecord *); #include void ArgusHtoN (struct ArgusRecord *argus) { #if defined(_LITTLE_ENDIAN) struct ArgusRecordHeader *hdr = &argus->hdr; struct ArgusDSRHeader *dsr = (struct ArgusDSRHeader *) (hdr + 1); switch (argus->hdr.type & 0xF0) { case ARGUS_MAR: { switch (argus->argus_mar.status & (ARGUS_IDIS_STRING | ARGUS_IDIS_INT | ARGUS_IDIS_IPV4)) { case ARGUS_IDIS_STRING: case ARGUS_IDIS_IPV6: case ARGUS_IDIS_UUID: break; case ARGUS_IDIS_INT: { argus->argus_mar.value = htonl(argus->argus_mar.value); break; } case ARGUS_IDIS_IPV4: { argus->argus_mar.ipv4 = htonl(argus->argus_mar.ipv4); break; } } argus->argus_mar.status = htonl(argus->argus_mar.status); argus->argus_mar.argusid = htonl(argus->argus_mar.argusid); argus->argus_mar.localnet = htonl(argus->argus_mar.localnet); argus->argus_mar.netmask = htonl(argus->argus_mar.netmask); argus->argus_mar.nextMrSequenceNum = htonl(argus->argus_mar.nextMrSequenceNum); argus->argus_mar.startime.tv_sec = htonl(argus->argus_mar.startime.tv_sec); argus->argus_mar.startime.tv_usec = htonl(argus->argus_mar.startime.tv_usec); argus->argus_mar.now.tv_sec = htonl(argus->argus_mar.now.tv_sec); argus->argus_mar.now.tv_usec = htonl(argus->argus_mar.now.tv_usec); argus->argus_mar.reportInterval = htons(argus->argus_mar.reportInterval); argus->argus_mar.argusMrInterval = htons(argus->argus_mar.argusMrInterval); argus->argus_mar.pktsRcvd = htonll(argus->argus_mar.pktsRcvd); argus->argus_mar.bytesRcvd = htonll(argus->argus_mar.bytesRcvd); argus->argus_mar.drift = htonll(argus->argus_mar.drift); argus->argus_mar.records = htonl(argus->argus_mar.records); argus->argus_mar.flows = htonl(argus->argus_mar.flows); argus->argus_mar.dropped = htonl(argus->argus_mar.dropped); argus->argus_mar.queue = htonl(argus->argus_mar.queue); argus->argus_mar.output = htonl(argus->argus_mar.output); argus->argus_mar.clients = htonl(argus->argus_mar.clients); argus->argus_mar.bufs = htonl(argus->argus_mar.bufs); argus->argus_mar.bytes = htonl(argus->argus_mar.bytes); argus->argus_mar.record_len = htonl(argus->argus_mar.record_len); break; } case ARGUS_EVENT: case ARGUS_NETFLOW: case ARGUS_FAR: { if (argus->hdr.len > 1) { int cnt; while ((char *) dsr < ((char *) argus + (hdr->len * 4))) { switch (dsr->type & 0x7F) { case ARGUS_FLOW_DSR: { struct ArgusFlow *flow = (struct ArgusFlow *) dsr; switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_IPV4: flow->ip_flow.ip_src = htonl(flow->ip_flow.ip_src); flow->ip_flow.ip_dst = htonl(flow->ip_flow.ip_dst); switch (flow->ip_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ip_flow.sport = htons(flow->ip_flow.sport); flow->ip_flow.dport = htons(flow->ip_flow.dport); break; case IPPROTO_ESP: flow->esp_flow.spi = htonl(flow->esp_flow.spi); break; case IPPROTO_IGMP: flow->igmp_flow.ip_id = htons(flow->igmp_flow.ip_id); break; } break; case ARGUS_TYPE_IPV6: { unsigned int *iptr = (unsigned int *)&flow->ipv6_flow; if (flow->hdr.argus_dsrvl8.qual & ARGUS_FRAGMENT) { flow->fragv6_flow.ip_id = htonl(flow->fragv6_flow.ip_id); } else { switch (flow->ipv6_flow.ip_p) { case IPPROTO_TCP: case IPPROTO_UDP: flow->ipv6_flow.sport = htons(flow->ipv6_flow.sport); flow->ipv6_flow.dport = htons(flow->ipv6_flow.dport); break; case IPPROTO_ESP: flow->esp6_flow.spi = htonl(flow->esp6_flow.spi); break; } } iptr[8] = htonl(iptr[8]); break; } case ARGUS_TYPE_ETHER: { struct ArgusEtherMacFlow *mac = (struct ArgusEtherMacFlow *) &flow->mac_flow; mac->ehdr.ether_type = htons(mac->ehdr.ether_type); break; } case ARGUS_TYPE_ISIS: { struct ArgusIsisFlow *isis = (struct ArgusIsisFlow *) &flow->isis_flow; switch (isis->pdu_type = htonl(isis->pdu_type)) { case L1_LAN_IIH: case L2_LAN_IIH: break; case L1_CSNP: case L2_CSNP: break; case L1_PSNP: case L2_PSNP: break; case L1_LSP: case L2_LSP: isis->isis_un.lsp.seqnum = htonl(isis->isis_un.lsp.seqnum); break; } isis->chksum = htonl(isis->chksum); break; } case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = (struct ArgusRarpFlow *) &flow->rarp_flow; rarp->arp_tpa = htonl(rarp->arp_tpa); break; } /* case ARGUS_TYPE_ARP: { struct ArgusArpLegacyFlow *arp = (struct ArgusArpLegacyFlow *) &flow->flow_un; arp->arp_spa = htonl(arp->arp_spa); arp->arp_tpa = htonl(arp->arp_tpa); break; } */ } break; } case ARGUS_FLOW_ARP: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_RARP: { struct ArgusRarpFlow *rarp = (struct ArgusRarpFlow *) &flow->rarp_flow; rarp->hrd = htons(rarp->hrd); rarp->pro = htons(rarp->pro); rarp->op = htons(rarp->op); if (rarp->pln == 4) { rarp->arp_tpa = htonl(rarp->arp_tpa); } break; } case ARGUS_TYPE_ARP: { struct ArgusArpFlow *arp = (struct ArgusArpFlow *) &flow->arp_flow; arp->hrd = htons(arp->hrd); arp->pro = htons(arp->pro); arp->op = htons(arp->op); if (arp->pln == 4) { arp->arp_spa = htonl(arp->arp_spa); arp->arp_tpa = htonl(arp->arp_tpa); } break; } } break; } } break; } case ARGUS_FLOW_HASH_DSR: { struct ArgusFlowHashStruct *hash = (struct ArgusFlowHashStruct *) dsr; hash->hash = htonl(hash->hash); hash->ind = htonl(hash->ind); break; } case ARGUS_ENCAPS_DSR: { struct ArgusEncapsStruct *encaps = (struct ArgusEncapsStruct *) dsr; encaps->src = htonl(encaps->src); encaps->dst = htonl(encaps->dst); if (encaps->hdr.argus_dsrvl8.len > 3) { encaps->slen = htons(encaps->slen); encaps->dlen = htons(encaps->dlen); } break; } case ARGUS_IPATTR_DSR: { struct ArgusIPAttrStruct *attr = (struct ArgusIPAttrStruct *) dsr; unsigned int *dsrptr = (unsigned int *)(dsr + 1); if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = htons(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_SRC_OPTIONS) { *dsrptr = htonl(*dsrptr); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST) { struct ArgusIPAttrObject *aobj = (struct ArgusIPAttrObject *) dsrptr; aobj->ip_id = htons(aobj->ip_id); dsrptr++; } if (attr->hdr.argus_dsrvl8.qual & ARGUS_IPATTR_DST_OPTIONS) { *dsrptr = htonl(*dsrptr); dsrptr++; } break; } case ARGUS_ICMP_DSR: { struct ArgusIcmpStruct *icmp = (struct ArgusIcmpStruct *) dsr; icmp->iseq = htons(icmp->iseq); icmp->osrcaddr = htonl(icmp->osrcaddr); icmp->odstaddr = htonl(icmp->odstaddr); icmp->isrcaddr = htonl(icmp->isrcaddr); icmp->idstaddr = htonl(icmp->idstaddr); icmp->igwaddr = htonl(icmp->igwaddr); break; } case ARGUS_TRANSPORT_DSR: { struct ArgusTransportStruct *trans = (struct ArgusTransportStruct *) dsr; unsigned int *iptr = (unsigned int *)&trans->srcid.a_un.value; if (trans->hdr.subtype & ARGUS_SRCID) { switch (trans->hdr.argus_dsrvl8.qual & ~ARGUS_TYPE_INTERFACE) { case ARGUS_TYPE_INT: case ARGUS_TYPE_IPV4: *iptr = htonl(*iptr); iptr += 1; break; case ARGUS_TYPE_UUID: case ARGUS_TYPE_IPV6: iptr += 4; break; case ARGUS_TYPE_ETHER: iptr += 2; break; case ARGUS_TYPE_STRING: iptr += 1; break; } if (trans->hdr.argus_dsrvl8.qual & ARGUS_TYPE_INTERFACE) iptr += 1; } if (trans->hdr.subtype & ARGUS_SEQ) *iptr = htonl(*iptr); break; } case ARGUS_TIME_DSR: { unsigned int x, *dtime = (unsigned int *) dsr; for (x = 1; x < dsr->argus_dsrvl8.len; x++) dtime[x] = htonl(dtime[x]); break; } case ARGUS_METER_DSR: { if (dsr->subtype & ARGUS_METER_PKTS_BYTES) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRCDST_LONGLONG: ((long long *)(dsr + 1))[0] = htonll(((long long *)(dsr + 1))[0]); ((long long *)(dsr + 1))[1] = htonll(((long long *)(dsr + 1))[1]); ((long long *)(dsr + 1))[2] = htonll(((long long *)(dsr + 1))[2]); ((long long *)(dsr + 1))[3] = htonll(((long long *)(dsr + 1))[3]); break; break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; case ARGUS_SRC_LONGLONG: case ARGUS_DST_LONGLONG: ((long long *)(dsr + 1))[0] = htonll(((long long *)(dsr + 1))[0]); ((long long *)(dsr + 1))[1] = htonll(((long long *)(dsr + 1))[1]); break; case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; } } else if (dsr->subtype & ARGUS_METER_PKTS_BYTES_APP) { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_BYTE: case ARGUS_SRC_BYTE: case ARGUS_DST_BYTE: break; case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); ((unsigned short *)(dsr + 1))[4] = htons(((unsigned short *)(dsr + 1))[4]); ((unsigned short *)(dsr + 1))[5] = htons(((unsigned short *)(dsr + 1))[5]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); ((unsigned int *)(dsr + 1))[4] = htonl(((unsigned int *)(dsr + 1))[4]); ((unsigned int *)(dsr + 1))[5] = htonl(((unsigned int *)(dsr + 1))[5]); break; case ARGUS_SRCDST_LONGLONG: ((long long *)(dsr + 1))[0] = htonll(((long long *)(dsr + 1))[0]); ((long long *)(dsr + 1))[1] = htonll(((long long *)(dsr + 1))[1]); ((long long *)(dsr + 1))[2] = htonll(((long long *)(dsr + 1))[2]); ((long long *)(dsr + 1))[3] = htonll(((long long *)(dsr + 1))[3]); ((long long *)(dsr + 1))[4] = htonll(((long long *)(dsr + 1))[4]); ((long long *)(dsr + 1))[5] = htonll(((long long *)(dsr + 1))[5]); break; case ARGUS_SRC_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_SRC_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); break; case ARGUS_SRC_LONGLONG: case ARGUS_DST_LONGLONG: ((long long *)(dsr + 1))[0] = htonll(((long long *)(dsr + 1))[0]); ((long long *)(dsr + 1))[1] = htonll(((long long *)(dsr + 1))[1]); ((long long *)(dsr + 1))[2] = htonll(((long long *)(dsr + 1))[2]); case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); break; case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); break; } } break; } case ARGUS_PSIZE_DSR: { switch (dsr->argus_dsrvl8.qual & 0x0F) { case ARGUS_SRCDST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); ((unsigned short *)(dsr + 1))[2] = htons(((unsigned short *)(dsr + 1))[2]); ((unsigned short *)(dsr + 1))[3] = htons(((unsigned short *)(dsr + 1))[3]); break; case ARGUS_SRC_SHORT: case ARGUS_DST_SHORT: ((unsigned short *)(dsr + 1))[0] = htons(((unsigned short *)(dsr + 1))[0]); ((unsigned short *)(dsr + 1))[1] = htons(((unsigned short *)(dsr + 1))[1]); break; case ARGUS_SRCDST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); ((unsigned int *)(dsr + 1))[2] = htonl(((unsigned int *)(dsr + 1))[2]); ((unsigned int *)(dsr + 1))[3] = htonl(((unsigned int *)(dsr + 1))[3]); break; case ARGUS_SRC_INT: case ARGUS_DST_INT: ((unsigned int *)(dsr + 1))[0] = htonl(((unsigned int *)(dsr + 1))[0]); ((unsigned int *)(dsr + 1))[1] = htonl(((unsigned int *)(dsr + 1))[1]); break; } break; } case ARGUS_NETWORK_DSR: { struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)dsr; switch (net->hdr.subtype) { case ARGUS_TCP_INIT: { struct ArgusTCPInitStatus *tcp = (void *)&net->net_union.tcpinit; tcp->status = htonl(tcp->status); tcp->seqbase = htonl(tcp->seqbase); tcp->options = htonl(tcp->options); tcp->win = htons(tcp->win); tcp->maxseg = htons(tcp->maxseg); break; } case ARGUS_TCP_STATUS: { struct ArgusTCPStatus *tcp = (struct ArgusTCPStatus *)&net->net_union.tcpstatus; tcp->status = htonl(tcp->status); break; } case ARGUS_TCP_PERF: { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; tcp->status = htonl(tcp->status); tcp->state = htonl(tcp->state); tcp->options = htonl(tcp->options); tcp->synAckuSecs = htonl(tcp->synAckuSecs); tcp->ackDatauSecs = htonl(tcp->ackDatauSecs); tcp->src.lasttime.tv_sec = htonl(tcp->src.lasttime.tv_sec); tcp->src.lasttime.tv_usec = htonl(tcp->src.lasttime.tv_usec); tcp->src.status = htonl(tcp->src.status); tcp->src.seqbase = htonl(tcp->src.seqbase); tcp->src.seq = htonl(tcp->src.seq); tcp->src.ack = htonl(tcp->src.ack); tcp->src.winnum = htonl(tcp->src.winnum); tcp->src.bytes = htonl(tcp->src.bytes); tcp->src.retrans = htonl(tcp->src.retrans); tcp->src.ackbytes = htonl(tcp->src.ackbytes); tcp->src.winbytes = htonl(tcp->src.winbytes); tcp->src.win = htons(tcp->src.win); tcp->src.maxseg = htons(tcp->src.maxseg); if (dsr->argus_dsrvl8.len > (((sizeof(struct ArgusTCPObject) - sizeof(struct ArgusTCPObjectMetrics))+3)/4 + 1)) { tcp->dst.lasttime.tv_sec = htonl(tcp->dst.lasttime.tv_sec); tcp->dst.lasttime.tv_usec = htonl(tcp->dst.lasttime.tv_usec); tcp->dst.status = htonl(tcp->dst.status); tcp->dst.seqbase = htonl(tcp->dst.seqbase); tcp->dst.seq = htonl(tcp->dst.seq); tcp->dst.ack = htonl(tcp->dst.ack); tcp->dst.winnum = htonl(tcp->dst.winnum); tcp->dst.bytes = htonl(tcp->dst.bytes); tcp->dst.retrans = htonl(tcp->dst.retrans); tcp->dst.ackbytes = htonl(tcp->dst.ackbytes); tcp->dst.winbytes = htonl(tcp->dst.winbytes); tcp->dst.win = htons(tcp->dst.win); tcp->dst.maxseg = htons(tcp->dst.maxseg); } break; } case ARGUS_ESP_DSR: { struct ArgusESPObject *espObj = (struct ArgusESPObject *)&net->net_union.esp; espObj->status = htonl(espObj->status); espObj->spi = htonl(espObj->spi); espObj->lastseq = htonl(espObj->lastseq); espObj->lostseq = htonl(espObj->lostseq); break; } case ARGUS_RTP_FLOW: { struct ArgusRTPObject *rtpObj = (struct ArgusRTPObject *)&net->net_union.rtp; rtpObj->state = htonl(rtpObj->state); rtpObj->src.rh_seq = htons(rtpObj->src.rh_seq); rtpObj->src.rh_time = htonl(rtpObj->src.rh_time); rtpObj->src.rh_ssrc = htonl(rtpObj->src.rh_ssrc); rtpObj->dst.rh_seq = htons(rtpObj->dst.rh_seq); rtpObj->dst.rh_time = htonl(rtpObj->dst.rh_time); rtpObj->dst.rh_ssrc = htonl(rtpObj->dst.rh_ssrc); rtpObj->sdrop = htons(rtpObj->sdrop); rtpObj->ddrop = htons(rtpObj->ddrop); rtpObj->ssdev = htons(rtpObj->ssdev); rtpObj->dsdev = htons(rtpObj->dsdev); break; } case ARGUS_RTCP_FLOW: { struct ArgusRTCPObject *rtcpObj = (struct ArgusRTCPObject *)&net->net_union.rtcp; rtcpObj->src.rh_len = htons(rtcpObj->src.rh_len); rtcpObj->src.rh_ssrc = htonl(rtcpObj->src.rh_ssrc); rtcpObj->dst.rh_len = htons(rtcpObj->dst.rh_len); rtcpObj->dst.rh_ssrc = htonl(rtcpObj->dst.rh_ssrc); rtcpObj->sdrop = htons(rtcpObj->sdrop); rtcpObj->ddrop = htons(rtcpObj->ddrop); break; } } break; } case ARGUS_VLAN_DSR: { struct ArgusVlanStruct *vlan = (struct ArgusVlanStruct *) dsr; vlan->sid = htons(vlan->sid); vlan->did = htons(vlan->did); break; } case ARGUS_GRE_DSR: { struct ArgusGreStruct *gre = (struct ArgusGreStruct *) dsr; gre->flags = htons(gre->flags); gre->proto = htons(gre->proto); break; } case ARGUS_VXLAN_DSR: { struct ArgusVxLanStruct *vlan = (struct ArgusVxLanStruct *) dsr; vlan->svnid = htonl(vlan->svnid); vlan->dvnid = htonl(vlan->dvnid); break; } case ARGUS_GENEVE_DSR: { struct ArgusGeneveStruct *gen = (struct ArgusGeneveStruct *) dsr; gen->ptype = htons(gen->ptype); gen->vni = htonl(gen->vni); break; } case ARGUS_MPLS_DSR: { struct ArgusMplsStruct *mpls = (struct ArgusMplsStruct *) dsr; unsigned int *label = (unsigned int *)(dsr + 1); int num, i; if ((num = ((mpls->hdr.argus_dsrvl8.qual & 0xF0) >> 4)) > 0) { for (i = 0; i < num; i++) { *label = htonl(*label); label++; } } if ((num = (mpls->hdr.argus_dsrvl8.qual & 0x0F)) > 0) { for (i = 0; i < num; i++) { *label = htonl(*label); label++; } } break; } case ARGUS_JITTER_DSR: { #if defined(HAVE_XDR) struct ArgusJitterStruct *jit = (struct ArgusJitterStruct *) dsr; struct ArgusStatsObject *stat = (struct ArgusStatsObject *) (dsr + 1); int len = (jit->hdr.argus_dsrvl8.len - 1) * 4; XDR xdrbuf, *xdrs = &xdrbuf; char buf[sizeof(*stat)]; while (len > 0) { memset(buf, 0, sizeof(buf)); xdrmem_create(xdrs, buf, sizeof(*stat), XDR_ENCODE); xdr_int(xdrs, &stat->n); xdr_float(xdrs, &stat->minval); xdr_float(xdrs, &stat->meanval); xdr_float(xdrs, &stat->stdev); xdr_float(xdrs, &stat->maxval); bcopy(buf, stat, sizeof(*stat)); len -= sizeof (*stat); stat++; } #endif break; } case ARGUS_DATA_DSR: { struct ArgusDataStruct *data = (struct ArgusDataStruct *) dsr; data->size = htons(data->size); data->count = htons(data->count); break; } case ARGUS_BEHAVIOR_DSR: { struct ArgusBehaviorStruct *actor = (struct ArgusBehaviorStruct *) dsr; actor->keyStroke.src.n_strokes = htonl(actor->keyStroke.src.n_strokes); actor->keyStroke.dst.n_strokes = htonl(actor->keyStroke.dst.n_strokes); break; } } if ((cnt = ((dsr->type & 0x80) ? 1 : ((dsr->type == ARGUS_DATA_DSR) ? dsr->argus_dsrvl16.len : dsr->argus_dsrvl8.len)) * 4) > 0) { if (dsr->type == ARGUS_DATA_DSR) dsr->argus_dsrvl16.len = htons(dsr->argus_dsrvl16.len); dsr = (struct ArgusDSRHeader *)((char *)dsr + cnt); } else break; } } break; } } hdr->len = htons(hdr->len); #endif } void ArgusPrintHex (const u_char *bp, u_int length) { const u_short *sp; u_int i; int nshorts; sp = (u_short *)bp; nshorts = (u_int) length / sizeof(u_short); i = 0; while (--nshorts >= 0) { if ((i++ % 8) == 0) { (void)printf("\n\t"); } (void)printf(" %04x", ntohs(*sp++)); } if (length & 1) { if ((i % 8) == 0) (void)printf("\n\t"); (void)printf(" %02x", *(u_char *)sp); } (void)printf("\n"); fflush(stdout); } char *ArgusProcessStr = NULL; void ArgusPrintDirection (char *, struct ArgusRecordStruct *, int); void ArgusPrintDirection (char *buf, struct ArgusRecordStruct *argus, int len) { switch (argus->hdr.type & 0xF0) { case ARGUS_MAR: break; case ARGUS_EVENT: case ARGUS_NETFLOW: case ARGUS_FAR: { struct ArgusMetricStruct *metric = (struct ArgusMetricStruct *)argus->dsrs[ARGUS_METRIC_INDEX]; struct ArgusFlow *flow = (struct ArgusFlow *)argus->dsrs[ARGUS_FLOW_INDEX]; struct ArgusNetworkStruct *net = (struct ArgusNetworkStruct *)argus->dsrs[ARGUS_NETWORK_INDEX]; int type, src_count = 0, dst_count = 0; if (metric == NULL) { sprintf (buf, "%*.*s ", len, len, " "); } else { char dirStr[16]; sprintf (dirStr, "%s", "<->"); if ((dst_count = metric->dst.pkts) == 0) dirStr[0] = ' '; if ((src_count = metric->src.pkts) == 0) dirStr[2] = ' '; if ((src_count == 0) && (dst_count == 0)) dirStr[1] = ' '; if (flow != NULL) { switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_CLASSIC5TUPLE: { switch (type = (flow->hdr.argus_dsrvl8.qual & 0x1F)) { case ARGUS_TYPE_IPV4: switch (flow->ip_flow.ip_p) { case IPPROTO_TCP: { if (net != NULL) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) { dirStr[1] = '?'; } if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) { if (flow->hdr.subtype & ARGUS_REVERSE) { dirStr[0] = '<'; dirStr[2] = ' '; } else { dirStr[0] = ' '; dirStr[2] = '>'; } } } } break; } break; case ARGUS_TYPE_IPV6: switch (flow->ipv6_flow.ip_p) { case IPPROTO_TCP: { if (net != NULL) { struct ArgusTCPObject *tcp = (struct ArgusTCPObject *)&net->net_union.tcp; if (!((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT))) { dirStr[1] = '?'; } else { if ((tcp->status & ARGUS_SAW_SYN) || (tcp->status & ARGUS_SAW_SYN_SENT)) { if (flow->hdr.subtype & ARGUS_REVERSE) { dirStr[0] = '<'; dirStr[2] = ' '; } else { dirStr[0] = ' '; dirStr[2] = '>'; } } } } } break; } break; case ARGUS_TYPE_RARP: sprintf (dirStr, "%s", "tel"); break; case ARGUS_TYPE_ARP: sprintf (dirStr, "%s", "who"); break; } break; } case ARGUS_FLOW_ARP: { sprintf (dirStr, "%s", "who"); break; } } } } break; } } #ifdef ARGUSDEBUG ArgusDebug (10, "ArgusPrintDirection (%p, %p, %d)", buf, argus, len); #endif } #if defined(ARGUSMEMDEBUG) long long ArgusAllocMax = 0; long long ArgusAllocBytes = 0; #endif long long ArgusAllocTotal = 0; long long ArgusFreeTotal = 0; struct ArgusMemoryList memory = {NULL, 0}; #define ARGUS_ALLOC 0x45672381 /* #define ARGUS_ALIGN 128 */ typedef void *(*allocator_func)(size_t, void *); static void * __argus_malloc (int bytes, allocator_func alloc, void *aux) { void *retn = NULL; int offset; if (bytes) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&memory.lock); #endif ArgusAllocTotal++; #if defined(ARGUSMEMDEBUG) ArgusAllocBytes += bytes; if (ArgusAllocMax < ArgusAllocBytes) ArgusAllocMax = ArgusAllocBytes; #endif #if defined(ARGUS_ALIGN) offset = ARGUS_ALIGN; #else offset = 0; #endif #if !defined(ARGUSMEMDEBUG) retn = (void *) alloc(bytes + offset, aux); #else if ((retn = (u_int *) alloc(bytes + sizeof(struct ArgusMemoryHeader) + offset, aux)) != NULL) { struct ArgusMemoryHeader *mem = (struct ArgusMemoryHeader *)retn; mem->tag = ARGUS_ALLOC; mem->len = bytes; mem->offset = offset; #if defined(__GNUC__) mem->frame[0] = __builtin_return_address(0); mem->frame[1] = __builtin_return_address(1); mem->frame[2] = __builtin_return_address(2); #endif if (memory.start) { mem->nxt = memory.start; mem->prv = memory.end; mem->prv->nxt = mem; mem->nxt->prv = mem; memory.end = mem; } else { memory.start = mem; memory.end = mem; mem->nxt = mem; mem->prv = mem; } memory.count++; memory.total++; retn = (void *)(mem + 1); } #endif #if defined(ARGUS_ALIGN) if (retn != NULL) { unsigned short toff; toff = ((unsigned long)retn & (offset - 1)); toff = offset - toff; retn = (void *)((char *)retn + toff); ((unsigned short *)retn)[-1] = toff; } #endif #if defined(ARGUS_THREADS) pthread_mutex_unlock(&memory.lock); #endif } return (retn); } static void * __malloc(size_t bytes, void *aux __attribute__((unused))) { return malloc(bytes); } void * ArgusMalloc(int bytes) { return __argus_malloc(bytes, __malloc, NULL); } static void * __calloc(size_t bytes, void *aux __attribute__((unused))) { return calloc(1, bytes); } void * ArgusCalloc (int nitems, int bytes) { int total = nitems * bytes; void *retn = __argus_malloc(total, __calloc, NULL); return (retn); } static void * __malloc_aligned(size_t bytes, void *aux) { void *mem; size_t alignment = *(size_t *)aux; #if defined(HAVE_POSIX_MEMALIGN) int res = posix_memalign(&mem, alignment, bytes); #else int res = -1; # if defined(HAVE_MEMALIGN) mem = memalign(alignment, bytes); # else mem = malloc(bytes); # endif if (mem) res = 0; #endif if (res == 0) return mem; return NULL; } void * ArgusMallocAligned(int bytes, size_t alignment) { return __argus_malloc(bytes, __malloc_aligned, &alignment); } void ArgusFree (void *buf) { void *ptr = buf; if (ptr) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&memory.lock); #endif ArgusFreeTotal++; #if defined(ARGUSMEMDEBUG) { struct ArgusMemoryHeader *mem = ptr; #if defined(ARGUS_ALIGN) unsigned short offset = ((unsigned short *)mem)[-1]; mem = (void *)((char *)mem - offset); #endif mem--; if (mem->tag != ARGUS_ALLOC) ArgusLog (LOG_ERR, "ArgusFree: buffer error 0x%x", ptr); if (memory.count == 1) { memory.start = NULL; memory.end = NULL; } else { mem->prv->nxt = mem->nxt; mem->nxt->prv = mem->prv; if (mem == memory.start) { memory.start = mem->nxt; } else if (mem == memory.end) { memory.end = mem->prv; } } ArgusAllocBytes -= mem->len; memory.count--; ptr = mem; } #else #if defined(ARGUS_ALIGN) { unsigned short offset; if ((offset = ((unsigned short *)ptr)[-1]) > 0) ptr = (void *)((char *)ptr - offset); } #endif #endif free (ptr); if (ArgusAllocTotal > 0) ArgusAllocTotal--; } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&memory.lock); #endif } /* the argus malloc list is the list of free MallocLists for the system. these are blocks that are used to convey flow data from the modeler to the output processor. They are fixed length blocks, and so no need to malloc and free, so just keep them in a list when they aren't being used. we keep 2000 in the list when demand goes below this, and we start with 20, when we initialize the modeler. no more than 1M records. so, when something asks for one, we take it off the list if there is one, and if not we just create one and return the buffer. The buffer has a memory header in front so that the records can be put in the list when they are freed, without corrupting the headers that were in the last block. Be sure and respect that so other routines don't stomp on our header. */ #define ARGUS_MEMORY_MAX 1000000 #define ARGUS_MEMORY_HI_THRESH 2000 #define ARGUS_MEMORY_LOW_THRESH 20 struct ArgusMemoryList *ArgusMallocList = NULL; void ArgusInitMallocList (int length) { struct ArgusMemoryList *retn = NULL; int memlen = length + sizeof(struct ArgusMemoryHeader); if (ArgusMallocList != NULL) { if (length == ArgusMallocList->size) return; else ArgusLog(LOG_ERR, "ArgusInitMallocList called with multiple sizes"); } #if defined(ARGUS_THREADS) if (ArgusModel) pthread_mutex_lock(&ArgusModel->lock); #endif if ((retn = (struct ArgusMemoryList *) ArgusCalloc(1, sizeof(*ArgusMallocList))) == NULL) ArgusLog(LOG_ERR, "ArgusInitMallocList ArgusCalloc %s", strerror(errno)); retn->size = length; #if defined(ARGUS_THREADS) pthread_mutex_init(&retn->lock, NULL); pthread_mutex_lock(&retn->lock); #endif ArgusMallocList = retn; while (ArgusMallocList->count < ARGUS_MEMORY_LOW_THRESH) { struct ArgusMemoryHeader *mem; if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, memlen)) != NULL) { if (ArgusMallocList->end) { ArgusMallocList->end->nxt = mem; } else { ArgusMallocList->start = mem; ArgusMallocList->count = 0; } ArgusMallocList->end = mem; ArgusMallocList->count++; ArgusMallocList->total++; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); if (ArgusModel) pthread_mutex_unlock(&ArgusModel->lock); #endif return; } void ArgusDeleteMallocList (void) { struct ArgusMemoryList *retn = NULL; struct ArgusMemoryHeader *crt, *rel; if (ArgusMallocList != NULL) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&ArgusMallocList->lock); #endif retn = ArgusMallocList; ArgusMallocList = NULL; if ((crt = retn->start) != NULL) { while (crt != NULL) { rel = crt; crt = crt->nxt; ArgusFree(rel); } } #if defined(ARGUS_THREADS) pthread_mutex_destroy(&retn->lock); #endif ArgusFree(retn); } } void * ArgusMallocListRecord (int length) { struct ArgusMemoryHeader *mem = NULL; int memlen = length + sizeof(struct ArgusMemoryHeader); void *retn = NULL; if (ArgusMallocList == NULL) ArgusInitMallocList(length); if (length == ArgusMallocList->size) { #if defined(ARGUS_THREADS) pthread_mutex_lock(&ArgusMallocList->lock); #endif if (ArgusMallocList->start == NULL) { if (ArgusMallocList->total < ARGUS_MEMORY_MAX) { if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, memlen)) == NULL) ArgusLog(LOG_ERR, "ArgusMallocListRecord ArgusCalloc %s", strerror(errno)); mem->len = length; ArgusMallocList->total++; ArgusMallocList->out++; } else { #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusMallocList memory pool exhausted (%d : %d)\n", ArgusMallocList->total, ARGUS_MEMORY_MAX); #endif } } else { mem = ArgusMallocList->start; ArgusMallocList->start = mem->nxt; ArgusMallocList->out++; ArgusMallocList->count--; if (ArgusMallocList->start == NULL) { ArgusMallocList->end = NULL; ArgusMallocList->count = 0; } } #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); #endif } else { if ((mem = (struct ArgusMemoryHeader *) ArgusCalloc (1, length + sizeof(struct ArgusMemoryHeader))) == NULL) ArgusLog(LOG_ERR, "ArgusMallocListRecord ArgusCalloc %s", strerror(errno)); } if (mem != NULL) retn = (void *)(mem + 1); return (retn); } void ArgusFreeListRecord (void *buf) { if (buf != NULL) { struct ArgusMemoryHeader *mem = (struct ArgusMemoryHeader *)buf; struct ArgusRecordStruct *rec = buf; /* struct ArgusHashTableHdr *htblhdr; struct ArgusQueueStruct *nsq; if ((htblhdr = rec->htblhdr) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (0x%x) htbldr 0x%x\n", buf, htblhdr); #endif } if ((nsq = rec->nsq) != NULL) { #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (%p) nsq %p\n", buf, nsq); #endif } */ if (rec->dsrs[ARGUS_SRCUSERDATA_INDEX] != NULL) { ArgusFree(rec->dsrs[ARGUS_SRCUSERDATA_INDEX]); rec->dsrs[ARGUS_SRCUSERDATA_INDEX] = NULL; } if (rec->dsrs[ARGUS_DSTUSERDATA_INDEX] != NULL) { ArgusFree(rec->dsrs[ARGUS_DSTUSERDATA_INDEX]); rec->dsrs[ARGUS_DSTUSERDATA_INDEX] = NULL; } mem = mem - 1; if ((ArgusMallocList == NULL) || (mem->len != ArgusMallocList->size)) { ArgusFree(mem); } else { #if defined(ARGUS_THREADS) if (pthread_mutex_lock(&ArgusMallocList->lock) == 0) { #endif if (ArgusMallocList->count < ARGUS_MEMORY_HI_THRESH) { mem->nxt = NULL; if (ArgusMallocList->end != NULL) ArgusMallocList->end->nxt = mem; ArgusMallocList->end = mem; if (ArgusMallocList->start == NULL) ArgusMallocList->start = mem; ArgusMallocList->count++; } else { ArgusMallocList->total--; ArgusFree(mem); } ArgusMallocList->in++; #if defined(ARGUS_THREADS) pthread_mutex_unlock(&ArgusMallocList->lock); } #endif } } #ifdef ARGUSDEBUG ArgusDebug (5, "ArgusFreeListRecord (%p) returning\n", buf); #endif return; } struct ArgusLogPriorityStruct { int priority; char *label; }; #define ARGUSPRIORITYSTR 8 struct ArgusLogPriorityStruct ArgusPriorityStr[ARGUSPRIORITYSTR] = { { LOG_EMERG, "ArgusEmergency" }, { LOG_ALERT, " ArgusAlert" }, { LOG_CRIT, " ArgusCritical" }, { LOG_ERR, " ArgusError" }, { LOG_WARNING, " ArgusWarning" }, { LOG_NOTICE, " ArgusNotice" }, { LOG_INFO, " ArgusInfo" }, { LOG_DEBUG, " ArgusDebug" }, }; /* log level for non-syslog display (stderr) */ static int ArgusLogDisplayPriority = LOG_WARNING; void setArgusLogDisplayPriority(int prio) { if (prio < LOG_EMERG || prio > LOG_DEBUG) return; ArgusLogDisplayPriority = prio; } #include void ArgusLog (int priority, char *fmt, ...) { va_list ap; char buf[1024], *ptr; struct timeval now; gettimeofday (&now, 0L); buf[0] = 0; ptr = &buf[0]; if (priority == LOG_NOTICE) return; if (!daemonflag) { #if defined(ARGUS_THREADS) pthread_t ptid; char pbuf[128]; int i; bzero(pbuf, sizeof(pbuf)); ptid = pthread_self(); for (i = 0; i < sizeof(ptid); i++) { snprintf (&pbuf[i*2], 3, "%02hhx", ((char *)&ptid)[i]); } (void) snprintf (buf, 1024, "%s[%d.%s]: %s ", ArgusProgramName, (int)getpid(), pbuf, print_time(&now)); #else (void) snprintf (buf, 1024, "%s[%d]: %s ", ArgusProgramName, (int)getpid(), print_time(&now)); #endif ptr = &buf[strlen(buf)]; } va_start (ap, fmt); (void) vsnprintf (ptr, 1024, fmt, ap); ptr = &buf[strlen(buf)]; va_end (ap); if (daemonflag) { #ifdef HAVE_SYSLOG syslog (priority, "%s", buf); #endif } else if (priority <= ArgusLogDisplayPriority) { char *label = NULL; int i; if (*fmt) { fmt += (int) strlen (fmt); if (fmt[-1] != '\n') snprintf (ptr, 2, "\n"); } for (i = 0; i < ARGUSPRIORITYSTR; i++) if (ArgusPriorityStr[i].priority == priority) { label = ArgusPriorityStr[i].label; break; } fprintf (stderr, "%s: %s", label, buf); } switch (priority) { case LOG_ERR: #ifdef HAVE_BACKTRACE ArgusBacktrace(); #endif exit(1); default: break; } } void ArgusRecordDump (struct ArgusRecord *); void ArgusDumpBuffer (const u_char *, int); #define HEXDUMP_BYTES_PER_LINE 16 #define HEXDUMP_SHORTS_PER_LINE (HEXDUMP_BYTES_PER_LINE / 2) #define HEXDUMP_HEXSTUFF_PER_SHORT 5 /* 4 hex digits and a space */ #define HEXDUMP_HEXSTUFF_PER_LINE \ (HEXDUMP_HEXSTUFF_PER_SHORT * HEXDUMP_SHORTS_PER_LINE) void ArgusRecordDump (struct ArgusRecord *argus) { int length = argus->hdr.len; const u_char *cp = (const u_char *) argus; ArgusDumpBuffer (cp, length); } #include void ArgusDumpBuffer (const u_char *cp, int length) { u_int oset = 0; register u_int i; register int s1, s2; register int nshorts; char hexstuff[HEXDUMP_SHORTS_PER_LINE*HEXDUMP_HEXSTUFF_PER_SHORT+1], *hsp; char asciistuff[HEXDUMP_BYTES_PER_LINE+1], *asp; #ifdef ARGUSDEBUG ArgusDebug (2, "ArgusDumpBuffer (%p, %d)\n", cp, length); #endif nshorts = length / sizeof(u_short); i = 0; hsp = hexstuff; asp = asciistuff; while (--nshorts >= 0) { s1 = *cp++; s2 = *cp++; (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff), " %02x%02x", s1, s2); hsp += HEXDUMP_HEXSTUFF_PER_SHORT; *(asp++) = (isgraph(s1) ? s1 : '.'); *(asp++) = (isgraph(s2) ? s2 : '.'); if (++i >= HEXDUMP_SHORTS_PER_LINE) { *hsp = *asp = '\0'; (void)printf("\n0x%04x\t%-*s\t%s", oset, HEXDUMP_HEXSTUFF_PER_LINE, hexstuff, asciistuff); i = 0; hsp = hexstuff; asp = asciistuff; oset += HEXDUMP_BYTES_PER_LINE; } } if (length & 1) { s1 = *cp++; (void)snprintf(hsp, sizeof(hexstuff) - (hsp - hexstuff), " %02x", s1); hsp += 3; *(asp++) = (isgraph(s1) ? s1 : '.'); ++i; } if (i > 0) { *hsp = *asp = '\0'; (void)printf("\n0x%04x\t%-*s\t%s", oset, HEXDUMP_HEXSTUFF_PER_LINE, hexstuff, asciistuff); } } extern char *ArgusProgramName; extern int uflag, pflag; char ArgusPrintTimeBuf[64]; char * print_time(struct timeval *tvp) { char timeZoneBuf[32]; char *retn = ArgusPrintTimeBuf, *ptr; struct tm *tm, tmbuf; bzero (timeZoneBuf, sizeof(timeZoneBuf)); bzero (ArgusPrintTimeBuf, sizeof(ArgusPrintTimeBuf)); if ((tm = localtime_r ((time_t *)&tvp->tv_sec, &tmbuf)) != NULL) { #if !defined(HAVE_STRFTIME) snprintf (retn, 32, "%9d", (int) tvp->tv_sec); #else if (uflag) snprintf (retn, 32, "%9d", (int) tvp->tv_sec); else strftime ((char *) retn, 64, RaTimeFormat, tm); #endif if (pflag) { ptr = &retn[strlen(retn)]; snprintf (ptr, 32, ".%06d", (int) tvp->tv_usec); ptr[pflag + 1] = '\0'; } } else retn = NULL; return (retn); } #define ArgusAddrtoName #include #include #include /* Find the hash node that corresponds the ether address 'ep'. */ static inline struct enamemem * lookup_emem(struct ArgusParserStruct *parser, const u_char *ep) { u_int i, j, k; struct enamemem *tp; k = (ep[0] << 8) | ep[1]; j = (ep[2] << 8) | ep[3]; i = (ep[4] << 8) | ep[5]; tp = &parser->enametable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->e_nxt) if (tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k) return tp; else tp = tp->e_nxt; tp->e_addr0 = i; tp->e_addr1 = j; tp->e_addr2 = k; tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp)); return tp; } /* Find the hash node that corresponds the NSAP 'nsap'. static inline struct enamemem * lookup_nsap(struct ArgusParserStruct *parser, const u_char *nsap) { u_int i, j, k; int nlen = *nsap; struct enamemem *tp; const u_char *ensap = nsap + nlen - 6; if (nlen > 6) { k = (ensap[0] << 8) | ensap[1]; j = (ensap[2] << 8) | ensap[3]; i = (ensap[4] << 8) | ensap[5]; } else i = j = k = 0; tp = &parser->nsaptable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->e_nxt) if (tp->e_addr0 == i && tp->e_addr1 == j && tp->e_addr2 == k && tp->e_nsap[0] == nlen && bcmp((char *)&(nsap[1]), (char *)&(tp->e_nsap[1]), nlen) == 0) return tp; else tp = tp->e_nxt; tp->e_addr0 = i; tp->e_addr1 = j; tp->e_addr2 = k; tp->e_nsap = (u_char *) calloc(1, nlen + 1); bcopy(nsap, tp->e_nsap, nlen + 1); tp->e_nxt = (struct enamemem *)calloc(1, sizeof(*tp)); return tp; } */ /* Find the hash node that corresponds the protoid 'pi'. */ static inline struct protoidmem * lookup_protoid(struct ArgusParserStruct *parser, const u_char *pi) { u_int i, j; struct protoidmem *tp; /* 5 octets won't be aligned */ i = (((pi[0] << 8) + pi[1]) << 8) + pi[2]; j = (pi[3] << 8) + pi[4]; /* XXX should be endian-insensitive, but do big-endian testing XXX */ tp = &parser->protoidtable[(i ^ j) % (HASHNAMESIZE-1)]; while (tp->p_nxt) if (tp->p_oui == i && tp->p_proto == j) return tp; else tp = tp->p_nxt; tp->p_oui = i; tp->p_proto = j; tp->p_nxt = (struct protoidmem *)calloc(1, sizeof(*tp)); return tp; } void ArgusInitServarray(struct ArgusParserStruct *parser) { #if !defined(CYGWIN) struct servent *sv; struct hnamemem *table; int i; while ((sv = getservent()) != NULL) { int port = ntohs(sv->s_port); i = port % (HASHNAMESIZE-1); if (strcmp(sv->s_proto, "tcp") == 0) table = &parser->tporttable[i]; else if (strcmp(sv->s_proto, "udp") == 0) table = &parser->uporttable[i]; else continue; while (table->name) table = table->nxt; if (parser->nflag > 1) { char buf[32]; (void)snprintf(buf, 32, "%d", port); table->name = strdup(buf); } else table->name = strdup(sv->s_name); table->addr = port; table->nxt = (struct hnamemem *)calloc(1, sizeof(*table)); } endservent(); parser->ArgusSrvInit = 1; #endif } void ArgusFreeServarray(struct ArgusParserStruct *parser) { int i, x; for (i = 0; i < HASHNAMESIZE; i++) { struct hnamemem *table; for (x = 0; x < 2; x++) { switch (x) { case 0: table = parser->tporttable; break; case 1: table = parser->uporttable; break; } if (table[i].name != NULL) { struct hnamemem *tp, *sp; free(table[i].name); if ((tp = (struct hnamemem *)table[i].nxt) != NULL) { do { if (tp->name != NULL) free (tp->name); sp = tp->nxt; free(tp); } while ((tp = sp) != NULL); } } } } } void ArgusInitEprotoarray(struct ArgusParserStruct *parser) { struct ArgusEtherTypeStruct *p = argus_ethertype_names; bzero ((char *)parser->argus_eproto_db, sizeof (parser->argus_eproto_db)); while (p->range != NULL) { int i, start, end; char *ptr; start = atoi(p->range); if ((ptr = strchr(p->range, '-')) != NULL) end = atoi(ptr + 1); else end = start; for (i = start; i < (end + 1); i++) parser->argus_eproto_db[i] = p; p++; } } /* * SNAP proto IDs with org code 0:0:0 are actually encapsulated Ethernet * types. */ void ArgusInitProtoidarray(struct ArgusParserStruct *parser) { struct ArgusEtherTypeStruct *p; struct protoidmem *tp; u_char protoid[5]; int i; bzero(&protoid, sizeof(protoid)); bzero(&parser->protoidtable, sizeof(parser->protoidtable)); for (i = 0; i < ARGUS_MAXEPROTODB; i++) { if ((p = parser->argus_eproto_db[i]) != NULL) { protoid[3] = i; tp = lookup_protoid(parser, protoid); tp->p_name = p->tag; } } } void ArgusFreeProtoidarray(struct ArgusParserStruct *parser) { int i; for (i = 0; i < HASHNAMESIZE; i++) { struct protoidmem *sp = &parser->protoidtable[i], *tp; if ((tp = sp->p_nxt) != NULL) { do { sp = tp->p_nxt; free(tp); } while ((tp = sp) != NULL); } } } static struct etherlist { u_char addr[6]; char *name; } etherlist[] = { {{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, "Broadcast" }, {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, NULL } }; /* * Initialize the ethers hash table. We take two different approaches * depending on whether or not the system provides the ethers name * service. If it does, we just wire in a few names at startup, * and etheraddr_string() fills in the table on demand. If it doesn't, * then we suck in the entire /etc/ethers file at startup. The idea * is that parsing the local file will be fast, but spinning through * all the ethers entries via NIS & next_etherent might be very slow. * * XXX argus_next_etherent doesn't belong in the pcap interface, but * since the pcap module already does name-to-address translation, * it's already does most of the work for the ethernet address-to-name * translation, so we just argus_next_etherent as a convenience. */ void ArgusInitEtherarray(struct ArgusParserStruct *parser) { struct etherlist *el; struct enamemem *tp; #ifndef ETHER_SERVICE struct argus_etherent *ep; FILE *fp; /* Suck in entire ethers file */ fp = fopen(PCAP_ETHERS_FILE, "r"); if (fp != NULL) { while ((ep = argus_next_etherent(fp)) != NULL) { tp = lookup_emem(parser, ep->addr); tp->e_name = strdup(ep->name); } (void)fclose(fp); } #endif /* Hardwire some ethernet names */ for (el = etherlist; el->name != NULL; ++el) { #if defined(ETHER_SERVICE) && !defined(linux) && !defined(CYGWIN) /* Use yp/nis version of name if available */ char wrk[256]; if (ether_ntohost(wrk, (struct ether_addr *)el->addr) == 0) { tp = lookup_emem(parser, el->addr); tp->e_name = strdup(wrk); } #else /* install if not already present */ tp = lookup_emem(parser, el->addr); if (tp->e_name == NULL) tp->e_name = el->name; #endif } } void ArgusFreeEtherarray(struct ArgusParserStruct *parser) { int i; for (i = 0; i < HASHNAMESIZE; i++) { struct enamemem *tp, *sp; if ((tp = (struct enamemem *)parser->enametable[i].e_nxt) != NULL) { do { sp = tp->e_nxt; free(tp); tp = sp; } while (tp != NULL); } } } #include static struct ArgusTokenStruct llcsap_db[] = { { LLCSAP_NULL, "null" }, { LLCSAP_8021B_I, "gsap" }, { LLCSAP_8021B_G, "isap" }, { LLCSAP_SNAPATH, "snapath" }, { LLCSAP_IP, "ipsap" }, { LLCSAP_SNA1, "sna1" }, { LLCSAP_SNA2, "sna2" }, { LLCSAP_PROWAYNM, "p-nm" }, { LLCSAP_TI, "ti" }, { LLCSAP_BPDU, "stp" }, { LLCSAP_RS511, "eia" }, { LLCSAP_ISO8208, "x25" }, { LLCSAP_XNS, "xns" }, { LLCSAP_NESTAR, "nestar" }, { LLCSAP_PROWAYASLM, "p-aslm" }, { LLCSAP_ARP, "arp" }, { LLCSAP_SNAP, "snap" }, { LLCSAP_VINES1, "vine1" }, { LLCSAP_VINES2, "vine2" }, { LLCSAP_NETWARE, "netware" }, { LLCSAP_NETBIOS, "netbios" }, { LLCSAP_IBMNM, "ibmnm" }, { LLCSAP_RPL1, "rpl1" }, { LLCSAP_UB, "ub" }, { LLCSAP_RPL2, "rpl2" }, { LLCSAP_ISONS, "clns" }, { LLCSAP_GLOBAL, "gbl" }, { 0, NULL } }; void ArgusInitLlcsaparray(struct ArgusParserStruct *parser) { int i; struct hnamemem *table; for (i = 0; llcsap_db[i].s != NULL; i++) { table = &parser->llcsaptable[llcsap_db[i].v]; while (table->name) table = table->nxt; table->name = llcsap_db[i].s; table->addr = llcsap_db[i].v; table->nxt = (struct hnamemem *)calloc(1, sizeof(*table)); } } void ArgusFreeLlcsaparray(struct ArgusParserStruct *parser) { int i; struct hnamemem *table; for (i = 0; llcsap_db[i].s != NULL; i++) { struct hnamemem *ttbl; table = &parser->llcsaptable[llcsap_db[i].v]; if ((table = table->nxt) != NULL) { do { ttbl = table; table = table->nxt; free(ttbl); } while (table); } } } char *argus_dscodes[0x100]; void ArgusInitDSCodepointarray(struct ArgusParserStruct *); struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); struct ArgusDSCodePointStruct * ArgusSelectDSCodesTable(struct ArgusParserStruct *parser) { struct ArgusDSCodePointStruct *retn = NULL; switch (parser->ArgusDSCodePoints) { case ARGUS_IANA_DSCODES: retn = argus_dscodepoints; break; case ARGUS_DISA_DSCODES: retn = argus_disa_dscodepoints; break; } return (retn); } void ArgusInitDSCodepointarray(struct ArgusParserStruct *parser) { struct ArgusDSCodePointStruct *argus_dsctable = argus_dscodepoints; int i; bzero (&argus_dscodes, sizeof(argus_dscodes)); if ((argus_dsctable = ArgusSelectDSCodesTable(parser)) != NULL) { for (i = 0; argus_dsctable[i].label != NULL; i++) argus_dscodes[(int)argus_dsctable[i].code] = argus_dsctable[i].label; } } /* * Initialize the address to name translation machinery. We map all * non-local IP addresses to numeric addresses if fflag is true (i.e., * to prevent blocking on the nameserver). localnet is the IP address * of the local network. mask is its subnet mask. */ void ArgusInitAddrtoname(struct ArgusParserStruct *parser, u_int localnet, u_int mask) { if (parser->fflag) { parser->f_localnet = localnet; parser->f_netmask = mask; } if (parser->nflag > 1) /* * Simplest way to suppress names. */ return; ArgusInitEtherarray(parser); ArgusInitServarray(parser); ArgusInitEprotoarray(parser); ArgusInitLlcsaparray(parser); ArgusInitProtoidarray(parser); ArgusInitDSCodepointarray(parser); } #ifndef __GNUC__ #define inline #endif /* * Convert a port name to its port and protocol numbers. * We assume only TCP or UDP. * Return 0 upon failure. */ int argus_nametoport(char *name, int *port, int *proto) { struct protoent *pp = NULL; struct servent *sp = NULL; char *pname = NULL, *other; #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., ..) starting\n", name); #endif if (proto == NULL) { #ifdef ARGUSDEBUG ArgusDebug (8, "%s (%s, ) proto is null\n", __func__, name); #endif return 0; } if (*proto != -1) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., %d) calling getprotobynumber\n", name, *proto); #endif if ((pp = getprotobynumber(*proto)) != NULL) { pname = pp->p_name; } else ArgusLog(LOG_ERR, "getprotobynumber(%d) returned NULL %s", *proto, strerror(errno)); } if (name != NULL) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: calling getservbyname(%s, %s)\n", name, pname); #endif sp = getservbyname(name, pname); #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: getservbyname() returned %p\n", sp); #endif } if (sp != NULL) { #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport: sp is %p\n", sp); #endif *port = ntohs(sp->s_port); #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, .., ..) calling argus_nametoproto(%s)\n", sp->s_proto); #endif *proto = argus_nametoproto(sp->s_proto); /* * We need to check /etc/services for ambiguous entries. * If we find the ambiguous entry, and it has the * same port number, change the proto to PROTO_UNDEF * so both TCP and UDP will be checked. */ if (*proto == IPPROTO_TCP) other = "udp"; else other = "tcp"; sp = getservbyname(name, other); if (sp != 0) { if (*port != ntohs(sp->s_port)) /* Can't handle ambiguous names that refer to different port numbers. */ ArgusLog(LOG_ERR, "ambiguous port %s in /etc/services values %d and %d", name, *port, ntohs(sp->s_port)); *proto = PROTO_UNDEF; } #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, %d, %d)\n", name, *port, *proto); #endif return 1; } #if defined(ultrix) || defined(__osf__) /* Special hack in case NFS isn't in /etc/services */ if (strcmp(name, "nfs") == 0) { *port = 2049; *proto = PROTO_UNDEF; return 1; } #endif #ifdef ARGUSDEBUG ArgusDebug (8, "argus_nametoport (%s, %d, %d)\n", name, *port, *proto); #endif return 0; } int argus_nametoproto(char *str) { struct protoent *p; p = getprotobyname(str); if (p != 0) return p->p_proto; else return PROTO_UNDEF; } int argus_nametoeproto(char *s) { struct ArgusEtherTypeStruct *p = argus_ethertype_names; while (p->tag != 0) { if (strcmp(p->tag, s) == 0) { return atoi(p->range); } p += 1; } return PROTO_UNDEF; } u_int __argus_atoin(char *s, u_int *addr) { u_int n; int len; *addr = 0; len = 0; while (1) { n = 0; while (*s && *s != '.') n = n * 10 + *s++ - '0'; *addr <<= 8; *addr |= n & 0xff; len += 8; if (*s == '\0') { *addr = *addr; return len; } ++s; } /* NOTREACHED */ } u_int __argus_atodn(char *s) { #define AREASHIFT 10 #define AREAMASK 0176000 #define NODEMASK 01777 u_int addr = 0; u_int node, area; if (sscanf((char *)s, "%d.%d", (int *) &area, (int *) &node) != 2) ArgusLog (LOG_ERR,"malformed decnet address '%s'", s); addr = (area << AREASHIFT) & AREAMASK; addr |= (node & NODEMASK); return(addr); } /* * Convert 's' which has the form "xx:xx:xx:xx:xx:xx" into a new * ethernet address. Assumes 's' is well formed. */ /* Hex digit to integer. */ int xdtoi(int); int xdtoi(int c) { if (isdigit(c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } u_char * argus_ether_aton(char *s) { register u_char *ep, *e; register u_int d; e = ep = (u_char *)malloc(6); while (*s) { if (*s == ':') s += 1; d = xdtoi(*s++); if (isxdigit((int)*s)) { d <<= 4; d |= xdtoi(*s++); } *ep++ = d; } return (e); } #ifndef HAVE_ETHER_HOSTTON u_char * argus_ether_hostton(char *name) { register struct argus_etherent *ep; register u_char *ap; static FILE *fp = NULL; static int init = 0; if (!init) { fp = fopen(PCAP_ETHERS_FILE, "r"); ++init; if (fp == NULL) return (NULL); } else if (fp == NULL) return (NULL); else rewind(fp); while ((ep = argus_next_etherent(fp)) != NULL) { if (strcmp(ep->name, name) == 0) { ap = (u_char *)malloc(6); if (ap != NULL) { memcpy(ap, ep->addr, 6); return (ap); } break; } } return (NULL); } #else #if !defined(HAVE_DECL_ETHER_HOSTTON) || !HAVE_DECL_ETHER_HOSTTON #ifndef HAVE_STRUCT_ETHER_ADDR struct ether_addr { unsigned char ether_addr_octet[6]; }; #endif #if !defined(__APPLE_CC__) && !defined(__APPLE__) extern int ether_hostton(const char *, struct ether_addr *); #endif #endif u_char * argus_ether_hostton(char *name) { register u_char *ap; u_char a[6]; ap = NULL; if (ether_hostton((char*)name, (struct ether_addr *)a) == 0) { ap = (u_char *)malloc(6); if (ap != NULL) memcpy(ap, a, 6); } return (ap); } #endif u_short __argus_nametodnaddr(char *name) { #ifndef DECNETLIB ArgusLog (LOG_ERR,"decnet name support not included, '%s' cannot be translated\n", name); return(0); #else struct nodeent *getnodebyname(); struct nodeent *nep; u_short res; nep = getnodebyname(name); if (nep == ((struct nodeent *)0)) ArgusLog (LOG_ERR,"unknown decnet host name '%s'\n", name); memcpy((char *)&res, (char *)nep->n_addr, sizeof(u_short)); return(res); #endif } u_int ipaddrtonetmask(u_int addr) { if (IN_CLASSA (addr)) return IN_CLASSA_NET; if (IN_CLASSB (addr)) return IN_CLASSB_NET; if (IN_CLASSC (addr)) return IN_CLASSC_NET; if (IN_CLASSD (addr)) return 0xFFFFFFFF; else return 0; } u_int getnetnumber( u_int addr) { if (IN_CLASSA (addr)) return (addr >> 24 ); if (IN_CLASSB (addr)) return (addr >> 16 ); if (IN_CLASSC (addr)) return (addr >> 8 ); if (IN_CLASSD (addr)) return (addr >> 0 ); else return 0; } static char hex[] = "0123456789abcdef"; char etheraddrbuf[32]; char * etheraddr_string(struct ArgusParserStruct *parser, u_char *ep) { char *cp = etheraddrbuf; u_int i, j; bzero (cp, sizeof(etheraddrbuf)); if ((j = *ep >> 4) != 0) *cp++ = hex[j]; *cp++ = hex[*ep++ & 0xf]; for (i = 5; (int)--i >= 0;) { *cp++ = ':'; if ((j = *ep >> 4) != 0) *cp++ = hex[j]; *cp++ = hex[*ep++ & 0xf]; } return (etheraddrbuf); } /* There are two types of addresses to parse, IPv4 and IPv6 addresses. An address is in the form: dd[.:][:][dd]/n where n is the number significant bits in the address. */ int ArgusNumTokens (char *, char); int ArgusNumTokens (char *str, char tok) { int retn = 0; if (str != NULL) { while ((str = strchr(str, tok)) != NULL) { retn++; str++; } } return (retn); } struct ArgusCIDRAddr * RaParseCIDRAddr (struct ArgusParserStruct *parser, char *addr) { struct ArgusCIDRAddr *retn = NULL; char *ptr = NULL, *mask = NULL, strbuf[128], *str = strbuf; snprintf (str, 128, "%s", addr); if (parser->ArgusCIDRPtr == NULL) parser->ArgusCIDRPtr = &parser->ArgusCIDRBuffer; retn = parser->ArgusCIDRPtr; retn->type = 0; retn->len = 0; retn->masklen = 0; memset(&retn->addr, 0, sizeof(retn->addr)); if ((ptr = strchr(str, '!')) != NULL) { retn->opmask = ARGUSMONITOR_NOTEQUAL; str = ptr + 1; } if ((mask = strchr (str, '/')) != NULL) { *mask++ = '\0'; retn->masklen = strtol((const char *)mask, (char **)&ptr, 10); if (ptr == mask) { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: mask length incorrect.\n", retn); #endif return (NULL); } } if ((ptr = strchr (str, ':')) != NULL) retn->type = AF_INET6; else if ((ptr = strchr (str, '.')) != NULL) retn->type = AF_INET; if (!(retn->type)) retn->type = (retn->masklen > 32) ? AF_INET6 : AF_INET; switch (retn->type) { case AF_INET: { int i, len = sizeof(struct in_addr); retn->len = len; for (i = 0; (i < len) && str; i++) { long int tval = strtol(str, (char **)&ptr, 10); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != '.') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; retn->addr[0] |= (tval << ((len - (i + 1)) * 8)); } str = ptr; } if (!(retn->masklen)) retn->masklen = 32; retn->mask[0] = 0xFFFFFFFF << (32 - retn->masklen); break; } case AF_INET6: { unsigned short *val = (unsigned short *)&retn->addr; int ind = 0, len = sizeof(retn->addr)/(sizeof(unsigned short)); int fsecnum = 8, lsecnum = 0, rsecnum = 0, i, masklen; char *sstr = NULL, *ipv4addr = NULL; retn->len = sizeof(retn->addr); if ((sstr = strstr(str, "::")) != NULL) { *sstr++ = '\0'; *sstr++ = '\0'; if (strlen(str)) fsecnum = ArgusNumTokens(str, ':') + 1; if (strlen(sstr)) lsecnum = ArgusNumTokens(sstr, ':') + 1; if (!(retn->masklen)) retn->masklen = 128; } else sstr = str; if (strchr (sstr, '.')) { lsecnum += (lsecnum > 0) ? 1 : 2; if ((ipv4addr = strrchr(sstr, ':')) == NULL) { ipv4addr = sstr; sstr = NULL; } else { *ipv4addr++ = '\0'; } } if (fsecnum + lsecnum) { rsecnum = 8 - (fsecnum + lsecnum); if (fsecnum) { while (str && *str && (ind++ < len)) { *val++ = htons(strtol(str, (char **)&ptr, 16)); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != ':') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } str = ptr; } } for (i = 0; i < rsecnum; i++) *val++ = 0; if (lsecnum) { if ((str = sstr) != NULL) { while (str && (ind++ < len)) { *val++ = htons(strtol(str, (char **)&ptr, 16)); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != ':') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } str = ptr; } } } if (ipv4addr) { unsigned char *cval = (unsigned char *)&retn->addr[3]; int ind = 0, len = sizeof(struct in_addr); while (ipv4addr && (ind++ < len)) { *cval++ = strtol(ipv4addr, (char **)&ptr, 10); if (ptr != NULL) { if (strlen(ptr) > 0) { if (*ptr++ != '.') { #ifdef ARGUSDEBUG ArgusDebug (1, "RaParseCIDRAddr: format error: IPv4 addr format.\n"); #endif return(NULL); } } else ptr = NULL; } ipv4addr = ptr; } retn->masklen = 128; } } if (!(retn->masklen)) { retn->masklen = (((char *)val - (char *)&retn->addr)) * 8; } for (i = 0; i < 4; i++) retn->mask[i] = 0; if ((masklen = retn->masklen) > 0) { unsigned int *mask = &retn->mask[0]; while (masklen) { if (masklen > 32) { *mask++ = 0xFFFFFFFF; masklen -= 32; } else { *mask = 0xFFFFFFFF << masklen; masklen = 0; } } } break; } default: break; } #ifdef ARGUSDEBUG ArgusDebug (9, "RaParseCIDRAddr: returning %p \n", retn); #endif return (retn); } #if !defined(HAVE_FLOORF) /* floorf.c: Returns the integer smaller or equal than x Copyright (C) 2001, 2002 Jesus Calvino-Fraga, jesusc@ieee.org This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* Version 1.0 - Initial release */ float floorf (float x) { long r; r=x; if (r<=0) return (r+((r>x)?-1:0)); else return r; } #endif #if !defined(HAVE_REMAINDERF) /* no copyright on remainderf - Author LB */ float remainderf(float x, float y) { float r; r = x - ((int) (x/y+0.5)) * y; return r; } #endif argus-5.0.2/common/grammar.y000077500000000000000000000350121471541253600157630ustar00rootroot00000000000000%{ /* Argus-5.0 Software. Common library routines - Grammar files * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * * $Id: //depot/gargoyle/argus/common/grammar.y#6 $ * $DateTime: 2015/06/22 17:59:06 $ * $Change: 3024 $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. Af rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) af advertising materials mentioning * features or use of this software display the fofowing acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ #ifdef HAVE_CONFIG_H #include #endif #include #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #endif #include #include #include #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); extern int argus_error (char *); #define YYDEBUG 1 #define QSET(q, p, d, a) (q).proto = (p),\ (q).dir = (d),\ (q).addr = (a) int argus_n_errors = 0; static struct qual qerr = { Q_UNDEF, Q_UNDEF, Q_UNDEF}; %} %union { int i; float f; u_long h; u_char *e; char *s; struct stmt *stmt; struct arth *a; struct { struct qual q; struct ablock *b; } blk; struct ablock *rblk; } %type expr id nid pid term rterm qid tid oid %type head thead %type pqual dqual aqual iqual ndaqual %type fqual %type arth narth %type oname pname sname tname pnum relop irelop %type fnum %type and or paren not nuf prog %type other %token START STOP STATUS SHUTDOWN ERROR %token MAN FAR EVENT INDEX %token DST SRC HOST INODE GATEWAY IPID TTL TOS DSB SRCID TCPBASE %token NET AMASK PORT EQUAL LESS GREATER PROTO BYTE PKT APPBYTE %token TRANS ARP RARP IP IPV4 IPV6 TCP UDP ICMP IGMP %token ISIS HELLO LSP CSNP PSNP %token UDT SVC TCPRTT TCPOPT %token MSS WSCALE SELECTIVEACKOK SELECTIVEACK TCPECHO TCPECHOREPLY %token TCPTIMESTAMP TCPCC TCPCCNEW TCPCCECHO SECN DECN %token ETHER MPLS VLAN ANON VID VPRI MPLSID SPI %token ENCAPS RTP RTCP ESP DECNET LAT MOPRC MOPDL %token TK_BROADCAST TK_MULTICAST FRAG FRAG_ONLY %token ABR PCR RATE LOAD LOSS PLOSS GAP DUP CO %token INTER INTERACTIVE INTERIDLE JITTER JITTERACTIVE JITTERIDLE %token DUR AVGDUR DELTADUR DELTASTART DELTALAST %token DELTASPKTS DELTADPKTS %token SEQ NSTROKE %token INBOUND OUTBOUND %token LINK AUTH RECURS REQ RSP %token GEQ LEQ NEQ %token LSH RSH %token LEN %token OUTOFORDER RETRANS NORMAL WAIT MULTIPATH RESET TIMEDOUT WINSHUT %token SYN SYNACK ACK PUSH URGENT DATA ECE CWR FIN FINACK ICMPECHO ICMPMAP %token UNREACH REDIRECT ECN TIMEXED ESTABLISHED CONNECTED CORRELATED %token RTR MBR LVG COCODE ASN %token ID %token EID %token HIDV4 %token HIDV6 %token STRING %token NUM %token FLOAT %left OR AND %nonassoc '!' %left '|' %left '&' %left LSH RSH %left '+' '-' %left '*' '/' %nonassoc UMINUS %% prog: nuf expr { Argusfinish_parse($2.b); } | nuf ; nuf: /* nuf */ { $$.q = qerr; } ; expr: term | expr and term { Argusgen_and($1.b, $3.b); $$ = $3; } | expr and id { Argusgen_and($1.b, $3.b); $$ = $3; } | expr or term { Argusgen_or($1.b, $3.b); $$ = $3; } | expr or id { Argusgen_or($1.b, $3.b); $$ = $3; } ; and: AND { $$ = $0; } ; or: OR { $$ = $0; } ; id: nid | pnum { $$.b = Argusgen_ncode(NULL, (int)$1, $$.q = $0.q, Q_EQUAL); } | fnum { $$.b = Argusgen_fcode(NULL, (float)$1, $$.q = $0.q, Q_EQUAL); } | LESS pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_LESS); } | GREATER pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_GREATER); } | EQUAL pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_EQUAL); } | GEQ pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_GEQ); } | LEQ pnum { $$.b = Argusgen_ncode(NULL, (int)$2, $$.q = $0.q, Q_LEQ); } | LESS fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_LESS); } | GREATER fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_GREATER); } | EQUAL fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_EQUAL); } | GEQ fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_GEQ); } | LEQ fnum { $$.b = Argusgen_fcode(NULL, (float)$2, $$.q = $0.q, Q_LEQ); } | paren pid ')' { $$ = $2; } ; tid: tname { $$.b = Argusgen_tcode($1, $$.q = $0.q); } oid: oname { $$.b = Argusgen_ocode($1, $$.q = $0.q); } ; nid: ID { $$.b = Argusgen_scode($1, $$.q = $0.q); } | STRING { $$.q = $0.q; $$.q.type = Q_STRING; $$.b = Argusgen_scode($1, $$.q); } | HIDV4 '/' NUM { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_mcode($1, NULL, $3, $$.q); } | HIDV4 AMASK HIDV4 { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_mcode($1, (char *)$3, 0, $$.q); } | HIDV4 { $$.q = $0.q; $$.q.type = Q_IPV4; $$.b = Argusgen_ncode($1, 0, $$.q, Q_EQUAL); } | HIDV6 '/' NUM { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_mcode($1, NULL, $3, $$.q); } | HIDV6 { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_ncode($1, 0, $$.q, Q_EQUAL); } | EID { $$.q = $0.q; $$.q.type = Q_IPV6; $$.b = Argusgen_ecode($1, $$.q); } | not id { Argusgen_not($2.b); $$ = $2; } ; not: '!' { $$ = $0; } ; paren: '(' { $$ = $0; } ; pid: nid | qid and id { Argusgen_and($1.b, $3.b); $$ = $3; } | qid or id { Argusgen_or($1.b, $3.b); $$ = $3; } ; qid: pnum { $$.b = Argusgen_ncode(NULL, (int)$1, $$.q = $0.q, Q_EQUAL); } | fnum { $$.b = Argusgen_fcode(NULL, (float)$1, $$.q = $0.q, Q_EQUAL); } | pid ; term: rterm | not term { Argusgen_not($2.b); $$ = $2; } ; head: pqual dqual aqual { QSET($$.q, $1, $2, $3); } | pqual dqual { QSET($$.q, $1, $2, Q_DEFAULT); } | pqual aqual { QSET($$.q, $1, Q_DEFAULT, $2); } | pqual iqual { QSET($$.q, $1, Q_DEFAULT, $2); $$.q.type = Q_INTEGER; } | pqual fqual { QSET($$.q, $1, Q_DEFAULT, $2); $$.q.type = Q_FLOAT; } | pqual dqual iqual { QSET($$.q, $1, $2, $3); $$.q.type = Q_INTEGER; } | pqual dqual fqual { QSET($$.q, $1, $2, $3); $$.q.type = Q_FLOAT; } | pqual PROTO { QSET($$.q, $1, Q_DEFAULT, Q_PROTO); } | pqual ndaqual { QSET($$.q, $1, Q_DEFAULT, $2); } ; thead: pqual dqual { QSET($$.q, $1, $2, Q_DEFAULT); } ; rterm: head id { $$ = $2; } | thead tid { $$ = $2; } | paren expr ')' { $$.b = $2.b; $$.q = $1.q; } | pname { $$.b = Argusgen_proto_abbrev($1); $$.q = qerr; } | sname { $$.b = Argusgen_proto_abbrev($1); $$.q = qerr; } | tid { $$ = $1; } | oid { $$ = $1; } | arth relop arth { $$.b = Argusgen_relation($2, $1, $3, 0); $$.q = qerr; } | arth irelop arth { $$.b = Argusgen_relation($2, $1, $3, 1); $$.q = qerr; } | other { $$.b = $1; $$.q = qerr; } ; /* protocol level qualifiers */ pqual: pname | { $$ = Q_DEFAULT; } ; /* 'direction' qualifiers */ dqual: SRC { $$ = Q_SRC; } | DST { $$ = Q_DST; } | SRC OR DST { $$ = Q_OR; } | DST OR SRC { $$ = Q_OR; } | SRC AND DST { $$ = Q_AND; } | DST AND SRC { $$ = Q_AND; } ; /* address type qualifiers */ aqual: HOST { $$ = Q_HOST; } | SRCID { $$ = Q_SRCID; } | INODE { $$ = Q_INODE; } | NET { $$ = Q_NET; } ; /* identifier types */ iqual: PORT { $$ = Q_PORT; } | IPID { $$ = Q_IPID; } | TTL { $$ = Q_TTL; } | TOS { $$ = Q_TOS; } | DSB { $$ = Q_DSB; } | CO { $$ = Q_CO; } | ASN { $$ = Q_ASN; } | VID { $$ = Q_VID; } | VPRI { $$ = Q_VPRI; } | MPLSID { $$ = Q_MPLSID; } | BYTE { $$ = Q_BYTE; } | APPBYTE { $$ = Q_APPBYTE; } | PKT { $$ = Q_PKT; } | TRANS { $$ = Q_TRANS; } | TCPRTT { $$ = Q_TCPRTT; } | TCPBASE { $$ = Q_TCPBASE; } | LOSS { $$ = Q_LOSS; } | GAP { $$ = Q_GAP; } | DUP { $$ = Q_DUP; } | SPI { $$ = Q_SPI; } | ENCAPS { $$ = Q_ENCAPS; } | DELTADUR { $$ = Q_DELTADUR; } | DELTASTART { $$ = Q_DELTASTART; } | DELTALAST { $$ = Q_DELTALAST; } | NSTROKE { $$ = Q_NSTROKE; } | SEQ { $$ = Q_SEQ; } ; /* identifier types */ fqual: DUR { $$ = Q_DUR; } | AVGDUR { $$ = Q_AVGDUR; } | INTER { $$ = Q_INTER; } | INTERACTIVE { $$ = Q_INTERACTIVE; } | INTERIDLE { $$ = Q_INTERIDLE; } | JITTER { $$ = Q_JITTER; } | JITTERACTIVE { $$ = Q_JITTERACTIVE; } | JITTERIDLE { $$ = Q_JITTERIDLE; } | RATE { $$ = Q_RATE; } | LOAD { $$ = Q_LOAD; } | PLOSS { $$ = Q_PLOSS; } | ABR { $$ = Q_PCR; } | PCR { $$ = Q_PCR; } ; /* non-directional address type qualifiers */ ndaqual: GATEWAY { $$ = Q_GATEWAY; } ; sname: START { $$ = Q_START; } | STOP { $$ = Q_STOP; } | STATUS { $$ = Q_STATUS; } | SHUTDOWN { $$ = Q_SHUTDOWN; } | ERROR { $$ = Q_ERROR; } | MAN { $$ = Q_MAN; } | FAR { $$ = Q_FAR; } | EVENT { $$ = Q_EVENT; } | INDEX { $$ = Q_INDEX; } | SVC { $$ = Q_SVC; } | NORMAL { $$ = Q_NORMAL; } | WAIT { $$ = Q_WAIT; } | SYNACK { $$ = Q_SYNACK; } | FINACK { $$ = Q_FINACK; } | ESTABLISHED { $$ = Q_ESTABLISHED; } | CONNECTED { $$ = Q_CONNECTED; } | CORRELATED { $$ = Q_CORRELATED; } | TIMEDOUT { $$ = Q_TIMEDOUT; } | ICMPMAP { $$ = Q_ICMPMAP; } | ICMPECHO { $$ = Q_ECHO; } | UNREACH { $$ = Q_UNREACH; } | REDIRECT { $$ = Q_REDIRECT; } | TIMEXED { $$ = Q_TIMEXED; } | RTR { $$ = Q_RTR; } | MBR { $$ = Q_MBR; } | LVG { $$ = Q_LVG; } | COCODE { $$ = Q_COCODE; } ; pname: LINK { $$ = Q_LINK; } | ETHER { $$ = Q_ETHER; } | IP { $$ = Q_IP; } | IPV4 { $$ = Q_IPV4; } | IPV6 { $$ = Q_IPV6; } | ARP { $$ = Q_ARP; } | RARP { $$ = Q_RARP; } | ESP { $$ = Q_ESP; } | RTP { $$ = Q_RTP; } | RTCP { $$ = Q_RTCP; } | TCP { $$ = Q_TCP; } | UDP { $$ = Q_UDP; } | ICMP { $$ = Q_ICMP; } | IGMP { $$ = Q_IGMP; } | MPLS { $$ = Q_MPLS; } | ISIS { $$ = Q_ISIS; } | VLAN { $$ = Q_VLAN; } | UDT { $$ = Q_UDT; } | ANON { $$ = Q_ANON; } | DECNET { $$ = Q_DECNET; } | LAT { $$ = Q_LAT; } | MOPDL { $$ = Q_MOPDL; } | MOPRC { $$ = Q_MOPRC; } ; tname: OUTOFORDER { $$ = Q_OUTOFORDER; } | RETRANS { $$ = Q_RETRANS; } | WINSHUT { $$ = Q_WINSHUT; } | SYN { $$ = Q_SYN; } | FIN { $$ = Q_FIN; } | RESET { $$ = Q_RESET; } | ACK { $$ = Q_ACK; } | PUSH { $$ = Q_PUSH; } | URGENT { $$ = Q_URGENT; } | CWR { $$ = Q_CWR; } | ECE { $$ = Q_ECE; } | FRAG { $$ = Q_FRAG; } | FRAG_ONLY { $$ = Q_FRAG_ONLY; } | ECN { $$ = Q_ECN; } | MULTIPATH { $$ = Q_MULTIPATH; } | HELLO { $$ = Q_HELLO; } | LSP { $$ = Q_LSP; } | CSNP { $$ = Q_CSNP; } | PSNP { $$ = Q_PSNP; } ; oname: TCPOPT { $$ = Q_TCPOPT; } | MSS { $$ = Q_MSS; } | WSCALE { $$ = Q_WSCALE; } | SELECTIVEACKOK { $$ = Q_SELECTIVEACKOK; } | SELECTIVEACK { $$ = Q_SELECTIVEACK; } | TCPECHO { $$ = Q_TCPECHO; } | TCPECHOREPLY { $$ = Q_TCPECHOREPLY; } | TCPTIMESTAMP { $$ = Q_TCPTIMESTAMP; } | TCPCC { $$ = Q_TCPCC; } | TCPCCNEW { $$ = Q_TCPCCNEW; } | TCPCCECHO { $$ = Q_TCPCCECHO; } | SECN { $$ = Q_SECN; } | DECN { $$ = Q_DECN; } ; other: pqual TK_BROADCAST { $$ = Argusgen_broadcast($1); } | pqual TK_MULTICAST { $$ = Argusgen_multicast($1); } | INBOUND { $$ = Argusgen_inbound(0); } | OUTBOUND { $$ = Argusgen_inbound(1); } ; relop: '>' { $$ = NFF_JGT; } | GEQ { $$ = NFF_JGE; } | '=' { $$ = NFF_JEQ; } | EQUAL { $$ = NFF_JEQ; } ; irelop: LEQ { $$ = NFF_JGT; } | '<' { $$ = NFF_JGE; } | NEQ { $$ = NFF_JEQ; } ; arth: pnum { $$ = ArgusLoadI($1); } | narth ; narth: pname '[' arth ']' { $$ = ArgusLoad($1, $3, 1); } | pname '[' arth ':' NUM ']' { $$ = ArgusLoad($1, $3, $5); } | arth '+' arth { $$ = ArgusArth(NFF_ADD, $1, $3); } | arth '-' arth { $$ = ArgusArth(NFF_SUB, $1, $3); } | arth '*' arth { $$ = ArgusArth(NFF_MUL, $1, $3); } | arth '/' arth { $$ = ArgusArth(NFF_DIV, $1, $3); } | arth '&' arth { $$ = ArgusArth(NFF_AND, $1, $3); } | arth '|' arth { $$ = ArgusArth(NFF_OR, $1, $3); } | arth LSH arth { $$ = ArgusArth(NFF_LSH, $1, $3); } | arth RSH arth { $$ = ArgusArth(NFF_RSH, $1, $3); } | paren narth ')' { $$ = $2; } | LEN { $$ = ArgusLoadLen(); } ; pnum: NUM | paren pnum ')' { $$ = $2; } ; fnum: FLOAT | paren fnum ')' { $$ = $2; } ; %% int yyerror(char *msg) { ++argus_n_errors; return(1); } argus-5.0.2/common/scanner.l000077500000000000000000000270671471541253600157640ustar00rootroot00000000000000%{ /* Argus-5.0 Software * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * $Id: //depot/gargoyle/argus/common/scanner.l#5 $ * $DateTime: 2015/06/22 18:22:35 $ * $Change: 3025 $ */ /* * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #define YY_NO_INPUT #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern void ArgusLog (int, char *, ...); #ifndef __GNUC__ #define inline #endif int argus_lex(void); int stoi(char *); float stof(char *); int xdtoi(int); #ifdef FLEX_SCANNER int argus_get_lineno (void); FILE *argus_get_in (void); FILE *argus_get_out (void); static YY_BUFFER_STATE in_buffer; #else static char *in_buffer; #undef getc #define getc(fp) (*in_buffer == 0 ? EOF : *in_buffer++) #endif #define yylval argus_lval extern YYSTYPE yylval; %} %option nounput N ([0-9]+|(0X|0x)[0-9A-Fa-f]+) B ([0-9A-Fa-f][0-9A-Fa-f]?) ISD [0-9A-Fa-f]{4} V6 ((([0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}:[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){5}:([0-9A-Fa-f]{1,4}:)?[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){4}:([0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){3}:([0-9A-Fa-f]{1,4}:){0,3}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){2}:([0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){6}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(([0-9A-Fa-f]{1,4}:){0,5}:((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|(::([0-9A-Fa-f]{1,4}:){0,5}((\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b)\.){3}(\b((25[0-5])|(1\d{2})|(2[0-4]\d)|(\d{1,2}))\b))|([0-9A-Fa-f]{1,4}::([0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})|(::([0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})|(([0-9A-Fa-f]{1,4}:){1,7}:)) %% start return START; init return START; stop return STOP; status return STATUS; shut return SHUTDOWN; error return ERROR; man return MAN; mar return MAN; far return FAR; event return EVENT; index return INDEX; dst return DST; src return SRC; seq return SEQ; auth return AUTH; recurs return RECURS; req return REQ; rsp return RSP; link|ppp|slip return LINK; fddi return LINK; ether return LINK; arp return ARP; rarp return RARP; ip return IP; ipv4 return IPV4; ipv6 return IPV6; tcp return TCP; udp return UDP; udt return UDT; rtp return RTP; rtcp return RTCP; icmp return ICMP; igmp return IGMP; mpls return MPLS; vlan return VLAN; vid return VID; vpri return VPRI; mid return MPLSID; ipid return IPID; anon return ANON; isis return ISIS; psnp return PSNP; csnp return CSNP; lsp return LSP; hello return HELLO; svc return SVC; spi return SPI; host return HOST; srcid return SRCID; inode return INODE; net return NET; mask return AMASK; port return PORT; proto return PROTO; encaps return ENCAPS; ttl return TTL; tos return TOS; dsb return DSB; dsbyte return DSB; co return CO; cocode return COCODE; as return ASN; asn return ASN; trans return TRANS; pkt return PKT; pkts return PKT; byte return BYTE; bytes return BYTE; data return APPBYTE; appbyte return APPBYTE; appbytes return APPBYTE; pcr return PCR; pcratio return PCR; abr return ABR; abratio return ABR; nstroke return NSTROKE; nstrokes return NSTROKE; tcpb return TCPBASE; base return TCPBASE; tcprtt return TCPRTT; tcpopt return TCPOPT; mss return MSS; wscale return WSCALE; selackok return SELECTIVEACKOK; selack return SELECTIVEACK; tcpecho return TCPECHO; tcpechoreply return TCPECHOREPLY; tcptimestamp return TCPTIMESTAMP; tcpcc return TCPCC; tcpccnew return TCPCCNEW; tcpccecho return TCPCCECHO; secn return SECN; decn return DECN; rate return RATE; load return LOAD; inter return INTER; intpkt return INTER; intpktact return INTERACTIVE; intpktidle return INTERIDLE; jit return JITTER; jitter return JITTER; jitact return JITTERACTIVE; jitidle return JITTERIDLE; dur return DUR; avgdur return AVGDUR; deldur return DELTADUR; delstime return DELTALAST; delltime return DELTALAST; loss return LOSS; ploss return PLOSS; gap return GAP; dup return DUP; gateway return GATEWAY; EQ return EQUAL; eq return EQUAL; equal return EQUAL; LT return LESS; lt return LESS; LTE return LEQ; lte return LEQ; LESS return LESS; less return LESS; GT return GREATER; gt return GREATER; GTE return GEQ; gte return GEQ; greater return GREATER; broadcast return TK_BROADCAST; multicast return TK_MULTICAST; AND return AND; OR return OR; NOT return '!'; and|"&&" return AND; or|"||" return OR; not return '!'; len|length return LEN; inbound return INBOUND; outbound return OUTBOUND; syn return SYN; synack return SYNACK; fin return FIN; finack return FINACK; rst return RESET; ack return ACK; urg return URGENT; ece return ECE; cwr return CWR; push return PUSH; reset return RESET; rtr return RTR; mbr return MBR; lvg return LVG; normal return NORMAL; wait return WAIT; timeout return TIMEDOUT; est return ESTABLISHED; con return CONNECTED; avail return CONNECTED; cor return CORRELATED; corolated return CORRELATED; ecn return ECN; drop return RETRANS; retrans return RETRANS; outoforder return OUTOFORDER; ooo return OUTOFORDER; multipath return MULTIPATH; mpath return MULTIPATH; winshut return WINSHUT; frag return FRAG; fragonly return FRAG_ONLY; icmpmap return ICMPMAP; echo return ICMPECHO; unreach return UNREACH; redirect return REDIRECT; timexed return TIMEXED; [ \n\t] ; [+\-*/:\[\]!<>()&|=] return yytext[0]; ">=" return GEQ; "<=" return LEQ; "!=" return NEQ; "==" return '='; "<<" return LSH; ">>" return RSH; \+?{N} { yylval.i = stoi((char *)yytext); return NUM; } -{N} { yylval.i = stoi((char *)yytext); return NUM; } -(\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } \+?(\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } -({N}\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } \+?({N}\.{N}) { yylval.f = stof((char *)yytext); return FLOAT; } ({N}\.{N}\.{N}\.{N}) { yylval.s = Argussdup((char *)yytext); return HIDV4; } {B}:{B}:{B}:{B}:{B}:{B} { yylval.e = argus_ether_aton((char *)yytext); return EID; } {V6} { yylval.s = Argussdup((char *)yytext); return HIDV6; } \"[^\*\n]*\" { yylval.s = Argussdup((char *)yytext); return STRING; } [A-Za-z0-9][-_.A-Za-z0-9]*[.A-Za-z0-9] { yylval.s = Argussdup((char *)yytext); return ID; } "\\"[^ !()\n\t]+ { yylval.s = Argussdup((char *)yytext + 1); return ID; } [^ \[\]\t\n\-_.A-Za-z0-9!<>()&|=]+i { ArgusLog(LOG_INFO, "illegal token: %s\n", yytext); } . { ArgusLog (LOG_INFO, "illegal char '%c'", *yytext); } %% void argus_lex_init(char *buf) { #ifdef FLEX_SCANNER in_buffer = yy_scan_string(buf); #else in_buffer = buf; #endif } /* * Also define a yywrap. Note that if we're using flex, it will * define a macro to map this identifier to pcap_wrap. */ int yywrap() { return 1; } /* Hex digit to integer. int xdtoi(c) int c; { if (isdigit((int)c)) return c - '0'; else if (islower(c)) return c - 'a' + 10; else return c - 'A' + 10; } */ /* * Convert string to integer. Just like atoi(), but checks for * preceding 0x or 0 and uses hex or octal instead of decimal. */ int stoi(char *s) { int base = 10; int n = 0; int sign = 0; /* Skip whitespace */ while (isspace((int)*s)) s++; /* Check for sign */ if (*s == '-') { sign = 1; s++; } else { if (*s == '+') s++; } if (*s == '0') { s++; if (*s == '\0') { } else { if (*s == 'x' || *s == 'X') { s++; base = 16; } else { base = 8; } } } while (*s) n = n * base + xdtoi(*s++); if (sign) n *= -1; return n; } /* * Convert string to float. Just like atof(), but checks for * preceding 0x or 0 and uses hex or octal instead of decimal. */ float stof(char* s) { float retn = 0.0, frac = 0.0; int sign = 0; /* Skip whitespace */ while (isspace((int)*s)) s++; /* Check for sign */ if (*s == '-') { sign = 1; s++; } else { if (*s == '+') s++; } /* Read integer part */ while (isdigit((int)*s)) retn = retn * 10 + (*(s++) - '0'); /* Read fractional part */ if (*s == '.') { float q; s++; while (isdigit((int)*s)) s++; s--; do { q = *s - '0'; frac = (frac + q) / 10; } while (isdigit((int)*(--s))); while (isdigit((int)*(++s))) s++; } /* Skip whitespace */ while (isspace((int)*s)) s++; /* Combine integer and fractional part, and apply sign */ retn += frac; if (sign) retn *= -1; /* Process E notation */ if (*s == 'e' || *s == 'E') { int i, j = atoi(++s); if (j == 0) return retn; for (i = 0; i != j; (j > 0) ? i++ : i--) retn *= (j > 0) ? 10 : -10; } return retn; } argus-5.0.2/config/000077500000000000000000000000001471541253600141145ustar00rootroot00000000000000argus-5.0.2/config/config.guess000077500000000000000000001235501471541253600164420ustar00rootroot00000000000000#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-03-23' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD # # Please send patches with a ChangeLog entry to config-patches@gnu.org. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case "${UNAME_SYSTEM}" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu eval $set_cc_for_build cat <<-EOF > $dummy.c #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #else LIBC=gnu #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` ;; esac # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` case ${UNAME_PROCESSOR} in amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW64*:*) echo ${UNAME_MACHINE}-pc-mingw64 exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; *:MSYS*:*) echo ${UNAME_MACHINE}-pc-msys exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; aarch64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="gnulibc1" ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-${LIBC} else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi else echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; cris:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; crisv32:Linux:*:*) echo ${UNAME_MACHINE}-axis-linux-${LIBC} exit ;; frv:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; hexagon:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:Linux:*:*) echo ${UNAME_MACHINE}-pc-linux-${LIBC} exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } ;; openrisc*:Linux:*:*) echo or1k-unknown-linux-${LIBC} exit ;; or32:Linux:*:* | or1k*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; padre:Linux:*:*) echo sparc-unknown-linux-${LIBC} exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-${LIBC} exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; *) echo hppa-unknown-linux-${LIBC} ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-${LIBC} exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-${LIBC} exit ;; ppc64le:Linux:*:*) echo powerpc64le-unknown-linux-${LIBC} exit ;; ppcle:Linux:*:*) echo powerpcle-unknown-linux-${LIBC} exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux-${LIBC} exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-${LIBC} exit ;; x86_64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. echo i586-pc-haiku exit ;; x86_64:Haiku:*:*) echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown eval $set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub # that puts up a graphical alert prompting to install # developer tools. Any system running Mac OS X 10.7 or # later (Darwin 11 and later) is required to have a 64-bit # processor. This is not true of the ARM version of Darwin # that Apple uses in portable devices. UNAME_PROCESSOR=x86_64 fi echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-*:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; esac cat >&2 < in order to provide the needed information to handle your system. config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: argus-5.0.2/config/config.sub000077500000000000000000001056341471541253600161100ustar00rootroot00000000000000#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2014 Free Software Foundation, Inc. timestamp='2014-05-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches with a ChangeLog entry to config-patches@gnu.org. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2014 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; android-linux) os=-linux-android basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. ;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze*) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*178) os=-lynxos178 ;; -lynx*5) os=-lynxos5 ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. # Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | aarch64 | aarch64_be \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arceb \ | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ | avr | avr32 \ | be32 | be64 \ | bfin \ | c4x | c8051 | clipper \ | d10v | d30v | dlx | dsp16xx \ | epiphany \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | hexagon \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | k1om \ | le32 | le64 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa32r6 | mipsisa32r6el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64r6 | mipsisa64r6el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipsr5900 | mipsr5900el \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 | nios2eb | nios2el \ | ns16k | ns32k \ | open8 | or1k | or1knd | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | rl78 | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xgate) basic_machine=$basic_machine-unknown os=-none ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ | aarch64-* | aarch64_be-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | be32-* | be64-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | c8051-* | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | hexagon-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | k1om-* \ | le32-* | le64-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ | microblaze-* | microblazeel-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa32r6-* | mipsisa32r6el-* \ | mipsisa64-* | mipsisa64el-* \ | mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64r6-* | mipsisa64r6el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipsr5900-* | mipsr5900el-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* | nios2eb-* | nios2el-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | or1k*-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | rl78-* | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile*-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze*) basic_machine=microblaze-xilinx ;; mingw64) basic_machine=x86_64-pc os=-mingw64 ;; mingw32) basic_machine=i686-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; msys) basic_machine=i686-pc os=-msys ;; mvs) basic_machine=i370-ibm os=-mvs ;; nacl) basic_machine=le32-unknown os=-nacl ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos | rdos64) basic_machine=x86_64-pc os=-rdos ;; rdos32) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; tile*) basic_machine=$basic_machine-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* | -plan9* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -bitrig* | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-musl* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. # Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; c8051-*) os=-elf ;; hexagon-*) os=-elf ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: argus-5.0.2/config/install-sh000077500000000000000000000127211471541253600161230ustar00rootroot00000000000000#! /bin/sh # # install - install a program, script, or datafile # This comes from X11R5 (mit/util/scripts/install.sh). # # Copyright 1991 by the Massachusetts Institute of Technology # # Permission to use, copy, modify, distribute, and sell this software and its # documentation for any purpose is hereby granted without fee, provided that # the above copyright notice appear in all copies and that both that # copyright notice and this permission notice appear in supporting # documentation, and that the name of M.I.T. not be used in advertising or # publicity pertaining to distribution of the software without specific, # written prior permission. M.I.T. makes no representations about the # suitability of this software for any purpose. It is provided "as is" # without express or implied warranty. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. It can only install one file at a time, a restriction # shared with many OS's install programs. # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit="${DOITPROG-}" # put in absolute paths if you don't have them in your path; or use env. vars. mvprog="${MVPROG-mv}" cpprog="${CPPROG-cp}" chmodprog="${CHMODPROG-chmod}" chownprog="${CHOWNPROG-chown}" chgrpprog="${CHGRPPROG-chgrp}" stripprog="${STRIPPROG-strip}" rmprog="${RMPROG-rm}" mkdirprog="${MKDIRPROG-mkdir}" transformbasename="" transform_arg="" instcmd="$mvprog" chmodcmd="$chmodprog 0755" chowncmd="" chgrpcmd="" stripcmd="" rmcmd="$rmprog -f" mvcmd="$mvprog" src="" dst="" dir_arg="" while [ x"$1" != x ]; do case $1 in -c) instcmd="$cpprog" shift continue;; -d) dir_arg=true shift continue;; -m) chmodcmd="$chmodprog $2" shift shift continue;; -o) chowncmd="$chownprog $2" shift shift continue;; -g) chgrpcmd="$chgrpprog $2" shift shift continue;; -s) stripcmd="$stripprog" shift continue;; -t=*) transformarg=`echo $1 | sed 's/-t=//'` shift continue;; -b=*) transformbasename=`echo $1 | sed 's/-b=//'` shift continue;; *) if [ x"$src" = x ] then src=$1 else # this colon is to work around a 386BSD /bin/sh bug : dst=$1 fi shift continue;; esac done if [ x"$src" = x ] then echo "install: no input file specified" exit 1 else true fi if [ x"$dir_arg" != x ]; then dst=$src src="" if [ -d $dst ]; then instcmd=: else instcmd=mkdir fi else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if [ -f $src -o -d $src ] then true else echo "install: $src does not exist" exit 1 fi if [ x"$dst" = x ] then echo "install: no destination specified" exit 1 else true fi # If destination is a directory, append the input filename; if your system # does not like double slashes in filenames, you may need to add some logic if [ -d $dst ] then dst="$dst"/`basename $src` else true fi fi ## this sed command emulates the dirname command dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` # Make sure that the destination directory exists. # this part is taken from Noah Friedman's mkinstalldirs script # Skip lots of stat calls in the usual case. if [ ! -d "$dstdir" ]; then defaultIFS=' ' IFS="${IFS-${defaultIFS}}" oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" pathcomp='' while [ $# -ne 0 ] ; do pathcomp="${pathcomp}${1}" shift if [ ! -d "${pathcomp}" ] ; then $mkdirprog "${pathcomp}" else true fi pathcomp="${pathcomp}/" done fi if [ x"$dir_arg" != x ] then $doit $instcmd $dst && if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi else # If we're going to rename the final executable, determine the name now. if [ x"$transformarg" = x ] then dstfile=`basename $dst` else dstfile=`basename $dst $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename if [ x"$dstfile" = x ] then dstfile=`basename $dst` else true fi # Make a temp file name in the proper directory. dsttmp=$dstdir/#inst.$$# # Move or copy the file name to the temp name $doit $instcmd $src $dsttmp && trap "rm -f ${dsttmp}" 0 && # and set any options; do chmod last to preserve setuid bits # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $instcmd $src $dsttmp" command. if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && # Now rename the file to the real destination. $doit $rmcmd -f $dstdir/$dstfile && $doit $mvcmd $dsttmp $dstdir/$dstfile fi && exit 0 argus-5.0.2/config/mkinstalldirs000077500000000000000000000011501471541253600167170ustar00rootroot00000000000000#!/bin/sh # Make directory hierarchy. # Written by Noah Friedman # Public domain. defaultIFS=' ' IFS="${IFS-${defaultIFS}}" for file in ${1+"$@"} ; do oIFS="${IFS}" # Some sh's can't handle IFS=/ for some reason. IFS='%' set - `echo ${file} | sed -e 's@/@%@g' -e 's@^%@/@'` IFS="${oIFS}" test ".${1}" = "." && shift pathcomp='' while test $# -ne 0 ; do pathcomp="${pathcomp}${1}" shift if test ! -d "${pathcomp}"; then echo "mkdir $pathcomp" 1>&2 mkdir "${pathcomp}" fi pathcomp="${pathcomp}/" done done # eof argus-5.0.2/configure000077500000000000000000011567211471541253600145730ustar00rootroot00000000000000#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.72 for Argus-5.0 Server Programs 5.0.0. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2017, 2020-2023 Free Software Foundation, # Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case e in #( e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else case e in #( e) case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ) then : else case e in #( e) exitcode=1; echo positional parameters were not saved. ;; esac fi test x\$exitcode = x0 || exit 1 blah=\$(echo \$(echo blah)) test x\"\$blah\" = xblah || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null then : as_have_required=yes else case e in #( e) as_have_required=no ;; esac fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null then : else case e in #( e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && as_run=a "$as_shell" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$as_shell as_have_required=yes if as_run=a "$as_shell" -c "$as_bourne_compatible""$as_suggested" 2>/dev/null then : break 2 fi fi done;; esac as_found=false done IFS=$as_save_IFS if $as_found then : else case e in #( e) if { test -f "$SHELL" || test -f "$SHELL.exe"; } && as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$SHELL as_have_required=yes fi ;; esac fi if test "x$CONFIG_SHELL" != x then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed 'exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno then : printf "%s\n" "$0: This script requires a shell more modern than all" printf "%s\n" "$0: the shells that I found on your system." if test ${ZSH_VERSION+y} ; then printf "%s\n" "$0: In particular, zsh $ZSH_VERSION has bugs and should" printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later." else printf "%s\n" "$0: Please tell bug-autoconf@gnu.org and $0: bug-report@qosient.com about your system, including any $0: error possibly output before this message. Then install $0: a modern shell, or manually run the script under such a $0: shell if you do have one." fi exit 1 fi ;; esac fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else case e in #( e) as_fn_append () { eval $1=\$$1\$2 } ;; esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else case e in #( e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } ;; esac fi # as_fn_arith # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' t clear :clear s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { printf "%s\n" "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" as_tr_sh="eval sed '$as_sed_sh'" # deprecated test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='Argus-5.0 Server Programs' PACKAGE_TARNAME='argus' PACKAGE_VERSION='5.0.0' PACKAGE_STRING='Argus-5.0 Server Programs 5.0.0' PACKAGE_BUGREPORT='bug-report@qosient.com' PACKAGE_URL='http://qosient.com/argus' ac_unique_file="argus/argus.c" ac_default_prefix=/usr/local # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_STDIO_H # include #endif #ifdef HAVE_STDLIB_H # include #endif #ifdef HAVE_STRING_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_header_c_list= ac_func_c_list= enable_year2038=no ac_subst_vars='LTLIBOBJS INSTALL_BIN INSTALL_LIB XDR_INCLS LIB_XDR COMPATLIB WRAPLIBS V_THREADS V_PERL V_INCLS V_CCOPT V_ARCH INCLS ARGUSPRO_VERSION PACKAGE_RELEASE POW_LIB ALLOCA EGREP GREP PCRE_CONFIG SASLFLAGS LIB_SASL CPP V_RANLIB YFLAGS YACC RANLIB INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM LN_S SET_MAKE V_YACC V_LEX LIBOBJS PCAP_CONFIG OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC SHLICC2 CLANG target_os target_vendor target_cpu target host_os host_vendor host_cpu host build_os build_vendor build_cpu build target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir runstatedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking with_gcc with_examples with_pluribus with_libpcap with_perl with_sasl with_staticsasl with_libpcre with_pcre_config enable_largefile with_hashdebug with_nanoseconds with_threads with_tcpwrappers enable_year2038 ' ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS YACC YFLAGS CPP' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -runstatedir | --runstatedir | --runstatedi | --runstated \ | --runstate | --runstat | --runsta | --runst | --runs \ | --run | --ru | --r) ac_prev=runstatedir ;; -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | --run=* | --ru=* | --r=*) runstatedir=$ac_optarg ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: '$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: '$ac_option' Try '$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: '$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. printf "%s\n" "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && printf "%s\n" "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: '$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but 'cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF 'configure' configures Argus-5.0 Server Programs 5.0.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print 'checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for '--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or '..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, 'make install' will install all the files in '$ac_default_prefix/bin', '$ac_default_prefix/lib' etc. You can specify an installation prefix other than '$ac_default_prefix' using '--prefix', for instance '--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/argus] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] --target=TARGET configure for building compilers for TARGET [HOST] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of Argus-5.0 Server Programs 5.0.0:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-largefile omit support for large files --enable-year2038 support timestamps after 2038 Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --without-gcc don't use gcc --without-examples don't compile examples --with-pluribus Compile for pluribus --with-libpcap=DIR Compile with libpcap in --with-perl=DIR Use perl in --with-sasl=DIR Compile with libsasl2 in --with-staticsasl=DIR Compile with staticly linked libsasl in --with-libpcre=DIR Compile with libpcre in --with-pcre-config=PATH Location of PCRE pcre-config (auto) --with-hashdebug enable hash table debugging --without-nanoseconds don't use nanosecond timestamps --without-threads don't use native threads package --with-wrappers=DIR Compile with tcpwrappers in Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory YACC The 'Yet Another Compiler Compiler' implementation to use. Defaults to the first program found out of: 'bison -y', 'byacc', 'yacc'. YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of '-d' given by some make applications. CPP C preprocessor Use these variables to override the choices made by 'configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . Argus-5.0 Server Programs home page: . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for configure.gnu first; this name is used for a wrapper for # Metaconfig's "Configure" on case-insensitive file systems. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else printf "%s\n" "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF Argus-5.0 Server Programs configure 5.0.0 generated by GNU Autoconf 2.72 Copyright (C) 2023 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext } then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_c_check_func LINENO FUNC VAR # ---------------------------------- # Tests whether FUNC exists, setting the cache variable VAR accordingly ac_fn_c_check_func () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (void); below. */ #include #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (void); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main (void) { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : eval "$3=yes" else case e in #( e) eval "$3=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$3=yes" else case e in #( e) eval "$3=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err } then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 ;; esac fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_find_intX_t LINENO BITS VAR # ----------------------------------- # Finds a signed integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_intX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for int$2_t" >&5 printf %s "checking for int$2_t... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in int$2_t 'int' 'long int' \ 'long long int' 'short int' 'signed char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main (void) { static int test_array [1 - 2 * !(0 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default enum { N = $2 / 2 - 1 }; int main (void) { static int test_array [1 - 2 * !(($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1) < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 2))]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) case $ac_type in #( int$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if eval test \"x\$"$3"\" = x"no" then : else case e in #( e) break ;; esac fi done ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_intX_t # ac_fn_c_find_uintX_t LINENO BITS VAR # ------------------------------------ # Finds an unsigned integer type with width BITS, setting cache variable VAR # accordingly. ac_fn_c_find_uintX_t () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for uint$2_t" >&5 printf %s "checking for uint$2_t... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) eval "$3=no" # Order is important - never check a type that is potentially smaller # than half of the expected target width. for ac_type in uint$2_t 'unsigned int' 'unsigned long int' \ 'unsigned long long int' 'unsigned short int' 'unsigned char'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : case $ac_type in #( uint$2_t) : eval "$3=yes" ;; #( *) : eval "$3=\$ac_type" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if eval test \"x\$"$3"\" = x"no" then : else case e in #( e) break ;; esac fi done ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_find_uintX_t # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) eval "$3=yes" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES # ---------------------------------------------------- # Tries to find if the field MEMBER exists in type AGGR, after including # INCLUDES, setting cache variable VAR accordingly. ac_fn_c_check_member () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 printf %s "checking for $2.$3... " >&6; } if eval test \${$4+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main (void) { static $2 ac_aggr; if (ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$4=yes" else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $5 int main (void) { static $2 ac_aggr; if (sizeof ac_aggr.$3) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$4=yes" else case e in #( e) eval "$4=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$4 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_member # ac_fn_check_decl LINENO SYMBOL VAR INCLUDES EXTRA-OPTIONS FLAG-VAR # ------------------------------------------------------------------ # Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR # accordingly. Pass EXTRA-OPTIONS to the compiler, using FLAG-VAR. ac_fn_check_decl () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack as_decl_name=`echo $2|sed 's/ *(.*//'` { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 printf %s "checking whether $as_decl_name is declared... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else case e in #( e) as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` eval ac_save_FLAGS=\$$6 as_fn_append $6 " $5" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { #ifndef $as_decl_name #ifdef __cplusplus (void) $as_decl_use; #else (void) $as_decl_name; #endif #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$3=yes" else case e in #( e) eval "$3=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext eval $6=\$ac_save_FLAGS ;; esac fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_check_decl # ac_fn_c_try_run LINENO # ---------------------- # Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that # executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; } then : ac_retval=0 else case e in #( e) printf "%s\n" "$as_me: program exited with status $ac_status" >&5 printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status ;; esac fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run ac_configure_args_raw= for ac_arg do case $ac_arg in *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append ac_configure_args_raw " '$ac_arg'" done case $ac_configure_args_raw in *$as_nl*) ac_safe_unquote= ;; *) ac_unsafe_z='|&;<>()$`\\"*?[ '' ' # This string ends in space, tab. ac_unsafe_a="$ac_unsafe_z#~" ac_safe_unquote="s/ '\\([^$ac_unsafe_a][^$ac_unsafe_z]*\\)'/ \\1/g" ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; esac cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by Argus-5.0 Server Programs $as_me 5.0.0, which was generated by GNU Autoconf 2.72. Invocation command line was $ $0$ac_configure_args_raw _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac printf "%s\n" "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Sanitize IFS. IFS=" "" $as_nl" # Save into config.log some information that might help in debugging. { echo printf "%s\n" "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo printf "%s\n" "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then printf "%s\n" "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then printf "%s\n" "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && printf "%s\n" "$as_me: caught signal $ac_signal" printf "%s\n" "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h printf "%s\n" "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. printf "%s\n" "#define PACKAGE_NAME \"$PACKAGE_NAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_TARNAME \"$PACKAGE_TARNAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_VERSION \"$PACKAGE_VERSION\"" >>confdefs.h printf "%s\n" "#define PACKAGE_STRING \"$PACKAGE_STRING\"" >>confdefs.h printf "%s\n" "#define PACKAGE_BUGREPORT \"$PACKAGE_BUGREPORT\"" >>confdefs.h printf "%s\n" "#define PACKAGE_URL \"$PACKAGE_URL\"" >>confdefs.h # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. if test -n "$CONFIG_SITE"; then ac_site_files="$CONFIG_SITE" elif test "x$prefix" != xNONE; then ac_site_files="$prefix/share/config.site $prefix/etc/config.site" else ac_site_files="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" fi for ac_site_file in $ac_site_files do case $ac_site_file in #( */*) : ;; #( *) : ac_site_file=./$ac_site_file ;; esac if test -f "$ac_site_file" && test -r "$ac_site_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See 'config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 printf "%s\n" "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 printf "%s\n" "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Test code for whether the C compiler supports C89 (global declarations) ac_c_conftest_c89_globals=' /* Does the compiler advertise C89 conformance? Do not test the value of __STDC__, because some compilers set it to 0 while being otherwise adequately conformant. */ #if !defined __STDC__ # error "Compiler does not advertise C89 conformance" #endif #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7 src/conf.sh. */ struct buf { int x; }; struct buf * (*rcsopen) (struct buf *, struct stat *, int); static char *e (char **p, int i) { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* C89 style stringification. */ #define noexpand_stringify(a) #a const char *stringified = noexpand_stringify(arbitrary+token=sequence); /* C89 style token pasting. Exercises some of the corner cases that e.g. old MSVC gets wrong, but not very hard. */ #define noexpand_concat(a,b) a##b #define expand_concat(a,b) noexpand_concat(a,b) extern int vA; extern int vbee; #define aye A #define bee B int *pvA = &expand_concat(v,aye); int *pvbee = &noexpand_concat(v,bee); /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not \xHH hex character constants. These do not provoke an error unfortunately, instead are silently treated as an "x". The following induces an error, until -std is added to get proper ANSI mode. Curiously \x00 != x always comes out true, for an array size at least. It is necessary to write \x00 == 0 to get something that is true only with -std. */ int osf4_cc_array ['\''\x00'\'' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) '\''x'\'' int xlc6_cc_array[FOO(a) == '\''x'\'' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, int *(*)(struct buf *, struct stat *, int), int, int);' # Test code for whether the C compiler supports C89 (body of main). ac_c_conftest_c89_main=' ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]); ' # Test code for whether the C compiler supports C99 (global declarations) ac_c_conftest_c99_globals=' /* Does the compiler advertise C99 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L # error "Compiler does not advertise C99 conformance" #endif // See if C++-style comments work. #include extern int puts (const char *); extern int printf (const char *, ...); extern int dprintf (int, const char *, ...); extern void *malloc (size_t); extern void free (void *); // Check varargs macros. These examples are taken from C99 6.10.3.5. // dprintf is used instead of fprintf to avoid needing to declare // FILE and stderr. #define debug(...) dprintf (2, __VA_ARGS__) #define showlist(...) puts (#__VA_ARGS__) #define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) static void test_varargs_macros (void) { int x = 1234; int y = 5678; debug ("Flag"); debug ("X = %d\n", x); showlist (The first, second, and third items.); report (x>y, "x is %d but y is %d", x, y); } // Check long long types. #define BIG64 18446744073709551615ull #define BIG32 4294967295ul #define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) #if !BIG_OK #error "your preprocessor is broken" #endif #if BIG_OK #else #error "your preprocessor is broken" #endif static long long int bignum = -9223372036854775807LL; static unsigned long long int ubignum = BIG64; struct incomplete_array { int datasize; double data[]; }; struct named_init { int number; const wchar_t *name; double average; }; typedef const char *ccp; static inline int test_restrict (ccp restrict text) { // Iterate through items via the restricted pointer. // Also check for declarations in for loops. for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i) continue; return 0; } // Check varargs and va_copy. static bool test_varargs (const char *format, ...) { va_list args; va_start (args, format); va_list args_copy; va_copy (args_copy, args); const char *str = ""; int number = 0; float fnumber = 0; while (*format) { switch (*format++) { case '\''s'\'': // string str = va_arg (args_copy, const char *); break; case '\''d'\'': // int number = va_arg (args_copy, int); break; case '\''f'\'': // float fnumber = va_arg (args_copy, double); break; default: break; } } va_end (args_copy); va_end (args); return *str && number && fnumber; } ' # Test code for whether the C compiler supports C99 (body of main). ac_c_conftest_c99_main=' // Check bool. _Bool success = false; success |= (argc != 0); // Check restrict. if (test_restrict ("String literal") == 0) success = true; char *restrict newvar = "Another string"; // Check varargs. success &= test_varargs ("s, d'\'' f .", "string", 65, 34.234); test_varargs_macros (); // Check flexible array members. struct incomplete_array *ia = malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); ia->datasize = 10; for (int i = 0; i < ia->datasize; ++i) ia->data[i] = i * 1.234; // Work around memory leak warnings. free (ia); // Check named initializers. struct named_init ni = { .number = 34, .name = L"Test wide string", .average = 543.34343, }; ni.number = 58; int dynamic_array[ni.number]; dynamic_array[0] = argv[0][0]; dynamic_array[ni.number - 1] = 543; // work around unused variable warnings ok |= (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == '\''x'\'' || dynamic_array[ni.number - 1] != 543); ' # Test code for whether the C compiler supports C11 (global declarations) ac_c_conftest_c11_globals=' /* Does the compiler advertise C11 conformance? */ #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L # error "Compiler does not advertise C11 conformance" #endif // Check _Alignas. char _Alignas (double) aligned_as_double; char _Alignas (0) no_special_alignment; extern char aligned_as_int; char _Alignas (0) _Alignas (int) aligned_as_int; // Check _Alignof. enum { int_alignment = _Alignof (int), int_array_alignment = _Alignof (int[100]), char_alignment = _Alignof (char) }; _Static_assert (0 < -_Alignof (int), "_Alignof is signed"); // Check _Noreturn. int _Noreturn does_not_return (void) { for (;;) continue; } // Check _Static_assert. struct test_static_assert { int x; _Static_assert (sizeof (int) <= sizeof (long int), "_Static_assert does not work in struct"); long int y; }; // Check UTF-8 literals. #define u8 syntax error! char const utf8_literal[] = u8"happens to be ASCII" "another string"; // Check duplicate typedefs. typedef long *long_ptr; typedef long int *long_ptr; typedef long_ptr long_ptr; // Anonymous structures and unions -- taken from C11 6.7.2.1 Example 1. struct anonymous { union { struct { int i; int j; }; struct { int k; long int l; } w; }; int m; } v1; ' # Test code for whether the C compiler supports C11 (body of main). ac_c_conftest_c11_main=' _Static_assert ((offsetof (struct anonymous, i) == offsetof (struct anonymous, w.k)), "Anonymous union alignment botch"); v1.i = 2; v1.w.k = 5; ok |= v1.i != 5; ' # Test code for whether the C compiler supports C11 (complete). ac_c_conftest_c11_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} ${ac_c_conftest_c11_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} ${ac_c_conftest_c11_main} return ok; } " # Test code for whether the C compiler supports C99 (complete). ac_c_conftest_c99_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} return ok; } " # Test code for whether the C compiler supports C89 (complete). ac_c_conftest_c89_program="${ac_c_conftest_c89_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} return ok; } " as_fn_append ac_header_c_list " stdio.h stdio_h HAVE_STDIO_H" as_fn_append ac_header_c_list " stdlib.h stdlib_h HAVE_STDLIB_H" as_fn_append ac_header_c_list " string.h string_h HAVE_STRING_H" as_fn_append ac_header_c_list " inttypes.h inttypes_h HAVE_INTTYPES_H" as_fn_append ac_header_c_list " stdint.h stdint_h HAVE_STDINT_H" as_fn_append ac_header_c_list " strings.h strings_h HAVE_STRINGS_H" as_fn_append ac_header_c_list " sys/stat.h sys_stat_h HAVE_SYS_STAT_H" as_fn_append ac_header_c_list " sys/types.h sys_types_h HAVE_SYS_TYPES_H" as_fn_append ac_header_c_list " unistd.h unistd_h HAVE_UNISTD_H" as_fn_append ac_func_c_list " vprintf HAVE_VPRINTF" as_fn_append ac_header_c_list " vfork.h vfork_h HAVE_VFORK_H" as_fn_append ac_func_c_list " fork HAVE_FORK" as_fn_append ac_func_c_list " vfork HAVE_VFORK" as_fn_append ac_header_c_list " sys/time.h sys_time_h HAVE_SYS_TIME_H" as_fn_append ac_func_c_list " alarm HAVE_ALARM" as_fn_append ac_header_c_list " sys/select.h sys_select_h HAVE_SYS_SELECT_H" as_fn_append ac_header_c_list " sys/socket.h sys_socket_h HAVE_SYS_SOCKET_H" # Auxiliary files required by this configure script. ac_aux_files="install-sh config.guess config.sub" # Locations in which to look for auxiliary files. ac_aux_dir_candidates="${srcdir}/config" # Search for a directory containing all of the required auxiliary files, # $ac_aux_files, from the $PATH-style list $ac_aux_dir_candidates. # If we don't find one directory that contains all the files we need, # we report the set of missing files from the *first* directory in # $ac_aux_dir_candidates and give up. ac_missing_aux_files="" ac_first_candidate=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: looking for aux files: $ac_aux_files" >&5 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in $ac_aux_dir_candidates do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: trying $as_dir" >&5 ac_aux_dir_found=yes ac_install_sh= for ac_aux in $ac_aux_files do # As a special case, if "install-sh" is required, that requirement # can be satisfied by any of "install-sh", "install.sh", or "shtool", # and $ac_install_sh is set appropriately for whichever one is found. if test x"$ac_aux" = x"install-sh" then if test -f "${as_dir}install-sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install-sh found" >&5 ac_install_sh="${as_dir}install-sh -c" elif test -f "${as_dir}install.sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install.sh found" >&5 ac_install_sh="${as_dir}install.sh -c" elif test -f "${as_dir}shtool"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}shtool found" >&5 ac_install_sh="${as_dir}shtool install -c" else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} install-sh" else break fi fi else if test -f "${as_dir}${ac_aux}"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}${ac_aux} found" >&5 else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} ${ac_aux}" else break fi fi fi done if test "$ac_aux_dir_found" = yes; then ac_aux_dir="$as_dir" break fi ac_first_candidate=false as_found=false done IFS=$as_save_IFS if $as_found then : else case e in #( e) as_fn_error $? "cannot find required auxiliary files:$ac_missing_aux_files" "$LINENO" 5 ;; esac fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. if test -f "${ac_aux_dir}config.guess"; then ac_config_guess="$SHELL ${ac_aux_dir}config.guess" fi if test -f "${ac_aux_dir}config.sub"; then ac_config_sub="$SHELL ${ac_aux_dir}config.sub" fi if test -f "$ac_aux_dir/configure"; then ac_configure="$SHELL ${ac_aux_dir}configure" fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&5 printf "%s\n" "$as_me: error: '$ac_var' was set to '$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' was not set in the previous run" >&5 printf "%s\n" "$as_me: error: '$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: '$ac_var' has changed since the previous run:" >&5 printf "%s\n" "$as_me: error: '$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&5 printf "%s\n" "$as_me: warning: ignoring whitespace changes in '$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: '$ac_old_val'" >&5 printf "%s\n" "$as_me: former value: '$ac_old_val'" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: '$ac_new_val'" >&5 printf "%s\n" "$as_me: current value: '$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`printf "%s\n" "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run '${MAKE-make} distclean' and/or 'rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu PACKAGE_RELEASE='3.8' ARGUSPRO_VERSION='1.0' printf "%s\n" "#define ARGUSPRO_VERSION_STRING \"1.0\"" >>confdefs.h ac_config_headers="$ac_config_headers include/argus_config.h" # Make sure we can run config.sub. $SHELL "${ac_aux_dir}config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL ${ac_aux_dir}config.sub" "$LINENO" 5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 printf %s "checking build system type... " >&6; } if test ${ac_cv_build+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "${ac_aux_dir}config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "${ac_aux_dir}config.sub" $ac_build_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $ac_build_alias failed" "$LINENO" 5 ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 printf "%s\n" "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 printf %s "checking host system type... " >&6; } if test ${ac_cv_host+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "${ac_aux_dir}config.sub" $host_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $host_alias failed" "$LINENO" 5 fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 printf "%s\n" "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking target system type" >&5 printf %s "checking target system type... " >&6; } if test ${ac_cv_target+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "x$target_alias" = x; then ac_cv_target=$ac_cv_host else ac_cv_target=`$SHELL "${ac_aux_dir}config.sub" $target_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $target_alias failed" "$LINENO" 5 fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_target" >&5 printf "%s\n" "$ac_cv_target" >&6; } case $ac_cv_target in *-*-*) ;; *) as_fn_error $? "invalid value of canonical target" "$LINENO" 5;; esac target=$ac_cv_target ac_save_IFS=$IFS; IFS='-' set x $ac_cv_target shift target_cpu=$1 target_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: target_os=$* IFS=$ac_save_IFS case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac # The aliases save the names the user supplied, while $host etc. # will get canonicalized. test -n "$target_alias" && test "$program_prefix$program_suffix$program_transform_name" = \ NONENONEs,x,x, && program_prefix=${target_alias}- # Check whether --with-gcc was given. if test ${with_gcc+y} then : withval=$with_gcc; fi # Check whether --with-examples was given. if test ${with_examples+y} then : withval=$with_examples; fi # Check whether --with-pluribus was given. if test ${with_pluribus+y} then : withval=$with_pluribus; with_pluribus=yes else case e in #( e) with_pluribus=no ;; esac fi V_CCOPT="-O" V_INCLS="" if test "${srcdir}" != "." ; then V_INCLS="-I\$(srcdir)" fi if test "${CFLAGS+set}" = set; then LBL_CFLAGS="$CFLAGS" fi if test -z "$CC" ; then case "$target_os" in *darwin*) # Extract the first word of "clang", so it can be a program name with args. set dummy clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CLANG+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CLANG"; then ac_cv_prog_CLANG="$CLANG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CLANG="yes" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_prog_CLANG" && ac_cv_prog_CLANG="no" fi ;; esac fi CLANG=$ac_cv_prog_CLANG if test -n "$CLANG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CLANG" >&5 printf "%s\n" "$CLANG" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test $CLANG = yes ; then CC=cc export CC fi ;; bsdi*) # Extract the first word of "shlicc2", so it can be a program name with args. set dummy shlicc2; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_SHLICC2+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$SHLICC2"; then ac_cv_prog_SHLICC2="$SHLICC2" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_SHLICC2="yes" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_prog_SHLICC2" && ac_cv_prog_SHLICC2="no" fi ;; esac fi SHLICC2=$ac_cv_prog_SHLICC2 if test -n "$SHLICC2"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $SHLICC2" >&5 printf "%s\n" "$SHLICC2" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test $SHLICC2 = yes ; then CC=shlicc2 export CC fi ;; esac fi if test -z "$CC" -a "$with_gcc" = no ; then CC=cc export CC fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then if test "$as_dir$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" fi fi fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}clang", so it can be a program name with args. set dummy ${ac_tool_prefix}clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "clang", so it can be a program name with args. set dummy clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi fi test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See 'config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion -version; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 printf %s "checking whether the C compiler works... " >&6; } ac_link_default=`printf "%s\n" "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # Autoconf-2.13 could set the ac_cv_exeext variable to 'no'. # So ignore a value of 'no', otherwise this would lead to 'EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an '-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else case e in #( e) ac_file='' ;; esac fi if test -z "$ac_file" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See 'config.log' for more details" "$LINENO" 5; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 printf %s "checking for C compiler default output file name... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 printf "%s\n" "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 printf %s "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # If both 'conftest.exe' and 'conftest' are 'present' (well, observable) # catch 'conftest.exe'. For instance with Cygwin, 'ls conftest' will # work properly (i.e., refer to 'conftest.exe'), while it won't with # 'rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else case e in #( e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See 'config.log' for more details" "$LINENO" 5; } ;; esac fi rm -f conftest conftest$ac_cv_exeext { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 printf "%s\n" "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { FILE *f = fopen ("conftest.out", "w"); if (!f) return 1; return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 printf %s "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error 77 "cannot run C compiled programs. If you meant to cross compile, use '--host'. See 'config.log' for more details" "$LINENO" 5; } fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 printf "%s\n" "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext \ conftest.o conftest.obj conftest.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 printf %s "checking for suffix of object files... " >&6; } if test ${ac_cv_objext+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else case e in #( e) printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See 'config.log' for more details" "$LINENO" 5; } ;; esac fi rm -f conftest.$ac_cv_objext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 printf "%s\n" "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 printf %s "checking whether the compiler supports GNU C... " >&6; } if test ${ac_cv_c_compiler_gnu+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_compiler_gnu=yes else case e in #( e) ac_compiler_gnu=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_c_compiler_gnu if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+y} ac_save_CFLAGS=$CFLAGS { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 printf %s "checking whether $CC accepts -g... " >&6; } if test ${ac_cv_prog_cc_g+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes else case e in #( e) CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 printf "%s\n" "$ac_cv_prog_cc_g" >&6; } if test $ac_test_CFLAGS; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi ac_prog_cc_stdc=no if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 printf %s "checking for $CC option to enable C11 features... " >&6; } if test ${ac_cv_prog_cc_c11+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c11=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c11_program _ACEOF for ac_arg in '' -std=gnu11 do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c11=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c11" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } CC="$CC $ac_cv_prog_cc_c11" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 ac_prog_cc_stdc=c11 ;; esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 printf %s "checking for $CC option to enable C99 features... " >&6; } if test ${ac_cv_prog_cc_c99+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c99=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c99_program _ACEOF for ac_arg in '' -std=gnu99 -std=c99 -c99 -qlanglvl=extc1x -qlanglvl=extc99 -AC99 -D_STDC_C99= do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c99=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c99" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c99" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c99" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } CC="$CC $ac_cv_prog_cc_c99" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 ac_prog_cc_stdc=c99 ;; esac fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 printf %s "checking for $CC option to enable C89 features... " >&6; } if test ${ac_cv_prog_cc_c89+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c89_program _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC ;; esac fi if test "x$ac_cv_prog_cc_c89" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else case e in #( e) if test "x$ac_cv_prog_cc_c89" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } CC="$CC $ac_cv_prog_cc_c89" ;; esac fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 ac_prog_cc_stdc=c89 ;; esac fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test "$GCC" = yes ; then if test "$SHLICC2" = yes ; then ac_cv_lbl_gcc_vers=2 V_CCOPT="-O3" else ac_cv_lbl_gcc_vers=0 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking gcc version" >&5 printf %s "checking gcc version... " >&6; } if test ${ac_cv_lbl_gcc_vers+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_lbl_gcc_vers=`$CC -v 2>&1 | \ sed -e '/^gcc version /!d' \ -e 's/^gcc version //' \ -e 's/ .*//' -e 's/^[^0-9]*//' \ -e 's/\..*//'` ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_gcc_vers" >&5 printf "%s\n" "$ac_cv_lbl_gcc_vers" >&6; } if test $ac_cv_lbl_gcc_vers -gt 1 ; then V_CCOPT="-O3" fi fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5 printf %s "checking that $CC handles ansi prototypes... " >&6; } if test ${ac_cv_lbl_cc_ansi_prototypes+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { int frob(int, char *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_lbl_cc_ansi_prototypes=yes else case e in #( e) ac_cv_lbl_cc_ansi_prototypes=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_ansi_prototypes" >&5 printf "%s\n" "$ac_cv_lbl_cc_ansi_prototypes" >&6; } if test $ac_cv_lbl_cc_ansi_prototypes = no ; then case "$target_os" in hpux*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)" >&5 printf %s "checking for HP-UX ansi compiler ($CC -Aa -D_HPUX_SOURCE)... " >&6; } savedcflags="$CFLAGS" CFLAGS="-Aa -D_HPUX_SOURCE $CFLAGS" if test ${ac_cv_lbl_cc_hpux_cc_aa+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { int frob(int, char *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_lbl_cc_hpux_cc_aa=yes else case e in #( e) ac_cv_lbl_cc_hpux_cc_aa=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_hpux_cc_aa" >&5 printf "%s\n" "$ac_cv_lbl_cc_hpux_cc_aa" >&6; } if test $ac_cv_lbl_cc_hpux_cc_aa = no ; then as_fn_error $? "\"see the INSTALL doc for more info\"" "$LINENO" 5 fi CFLAGS="$savedcflags" V_CCOPT="-Aa $V_CCOPT" printf "%s\n" "#define _HPUX_SOURCE 1" >>confdefs.h ;; *) as_fn_error $? "see the INSTALL doc for more info" "$LINENO" 5 ;; esac fi V_INCLS="$V_INCLS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" case "$target_os" in irix*) V_CCOPT="$V_CCOPT -xansi -signed -g3" ;; osf*) V_CCOPT="$V_CCOPT -std1 -g3" ;; ultrix*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking that Ultrix $CC hacks const in prototypes" >&5 printf %s "checking that Ultrix $CC hacks const in prototypes... " >&6; } if test ${ac_cv_lbl_cc_const_proto+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { struct a { int b; }; void c(const struct a *) ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_lbl_cc_const_proto=yes else case e in #( e) ac_cv_lbl_cc_const_proto=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_cc_const_proto" >&5 printf "%s\n" "$ac_cv_lbl_cc_const_proto" >&6; } if test $ac_cv_lbl_cc_const_proto = no ; then printf "%s\n" "#define const /**/" >>confdefs.h fi ;; esac fi # Most operating systems have gethostbyname() in the default searched # libraries (i.e. libc): # Some OSes (eg. Solaris) place it in libnsl # Some strange OSes (SINIX) have it in libsocket: { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing gethostbyname" >&5 printf %s "checking for library containing gethostbyname... " >&6; } if test ${ac_cv_search_gethostbyname+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char gethostbyname (void); int main (void) { return gethostbyname (); ; return 0; } _ACEOF for ac_lib in '' nsl socket resolv do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_gethostbyname=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_gethostbyname+y} then : break fi done if test ${ac_cv_search_gethostbyname+y} then : else case e in #( e) ac_cv_search_gethostbyname=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gethostbyname" >&5 printf "%s\n" "$ac_cv_search_gethostbyname" >&6; } ac_res=$ac_cv_search_gethostbyname if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi # Unfortunately libsocket sometimes depends on libnsl and # AC_SEARCH_LIBS isn't up to the task of handling dependencies like this. if test "$ac_cv_search_gethostbyname" = "no" then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lsocket" >&5 printf %s "checking for gethostbyname in -lsocket... " >&6; } if test ${ac_cv_lib_socket_gethostbyname+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char gethostbyname (void); int main (void) { return gethostbyname (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_socket_gethostbyname=yes else case e in #( e) ac_cv_lib_socket_gethostbyname=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_gethostbyname" >&5 printf "%s\n" "$ac_cv_lib_socket_gethostbyname" >&6; } if test "x$ac_cv_lib_socket_gethostbyname" = xyes then : LIBS="-lsocket -lnsl $LIBS" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5 printf %s "checking for library containing socket... " >&6; } if test ${ac_cv_search_socket+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char socket (void); int main (void) { return socket (); ; return 0; } _ACEOF for ac_lib in '' socket do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_socket=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_socket+y} then : break fi done if test ${ac_cv_search_socket+y} then : else case e in #( e) ac_cv_search_socket=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_socket" >&5 printf "%s\n" "$ac_cv_search_socket" >&6; } ac_res=$ac_cv_search_socket if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 printf %s "checking for socket in -lsocket... " >&6; } if test ${ac_cv_lib_socket_socket+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char socket (void); int main (void) { return socket (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_socket_socket=yes else case e in #( e) ac_cv_lib_socket_socket=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 printf "%s\n" "$ac_cv_lib_socket_socket" >&6; } if test "x$ac_cv_lib_socket_socket" = xyes then : LIBS="-lsocket -lnsl $LIBS" fi ;; esac fi # DLPI needs putmsg under HPUX so test for -lstr while we're at it { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing putmsg" >&5 printf %s "checking for library containing putmsg... " >&6; } if test ${ac_cv_search_putmsg+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char putmsg (void); int main (void) { return putmsg (); ; return 0; } _ACEOF for ac_lib in '' str do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_putmsg=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_putmsg+y} then : break fi done if test ${ac_cv_search_putmsg+y} then : else case e in #( e) ac_cv_search_putmsg=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_putmsg" >&5 printf "%s\n" "$ac_cv_search_putmsg" >&6; } ac_res=$ac_cv_search_putmsg if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi # Check whether --with-libpcap was given. if test ${with_libpcap+y} then : withval=$with_libpcap; with_libpcap="$withval" else case e in #( e) with_libpcap="yes" ;; esac fi LBL_LIBS="$LIBS" libpcap=FAIL lastdir=FAIL if test ${with_libpcap} != "yes"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for specified library" >&5 printf %s "checking for specified library... " >&6; } for dir in ${with_libpcap}; do if test -r $dir/libpcap.a ; then if test -x $dir/pcap-config ; then libpcap="$dir/libpcap.a `$dir/pcap-config --additional-libs --static`" else libpcap=$dir/libpcap.a fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libpcap" >&5 printf "%s\n" "$libpcap" >&6; } V_PCAPDEP=$libpcap { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for specified pcap.h" >&5 printf %s "checking for specified pcap.h... " >&6; } if test -r $dir/pcap.h; then d=$dir { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: found" >&5 printf "%s\n" "found" >&6; } V_INCLS="-I$d $V_INCLS" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: not found" >&5 printf "%s\n" "$as_me: WARNING: not found" >&2;} fi fi done else pfopen=/usr/examples/packetfilter/pfopen.c if test -f $pfopen ; then ac_fn_c_check_func "$LINENO" "pfopen" "ac_cv_func_pfopen" if test "x$ac_cv_func_pfopen" = xyes then : printf "%s\n" "#define HAVE_PFOPEN 1" >>confdefs.h fi if test $ac_cv_func_pfopen = "no" ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Using $pfopen" >&5 printf "%s\n" "Using $pfopen" >&6; } LIBS="$LIBS $pfopen" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for local pcap library" >&5 printf %s "checking for local pcap library... " >&6; } places=`ls $srcdir/.. | sed -e 's,/$,,' -e "s,^,$srcdir/../," | \ grep -E '/libpcap-[0-9]*.[0-9]*(.[0-9]*)?([ab][0-9]*)?$'` for dir in $places $srcdir/../libpcap $srcdir/libpcap ; do basedir=`echo $dir | sed -e 's/[ab][0-9]*$//'` if test $lastdir = $basedir ; then continue; fi lastdir=$dir if test -r $dir/libpcap.a ; then if test -r $dir/pcap.h ; then libpcap=$dir/libpcap.a d=$dir fi fi done if ! test "$libpcap" = FAIL; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $libpcap" >&5 printf "%s\n" "$libpcap" >&6; } V_PCAPDEP=$libpcap V_INCLS="-I$d $V_INCLS" # Extract the first word of "pcap-config", so it can be a program name with args. set dummy pcap-config; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_PCAP_CONFIG+y} then : printf %s "(cached) " >&6 else case e in #( e) case $PCAP_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PCAP_CONFIG="$PCAP_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $d do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_PCAP_CONFIG="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac ;; esac fi PCAP_CONFIG=$ac_cv_path_PCAP_CONFIG if test -n "$PCAP_CONFIG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PCAP_CONFIG" >&5 printf "%s\n" "$PCAP_CONFIG" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test -n "$PCAP_CONFIG"; then # # The libpcap directory has a pcap-config script. # Use it to get any additioal libraries needed # to link with the libpcap archive library in # that directory # libpcap="$libpcap `$PCAP_CONFIG --additional-libs --static`" fi fi fi if test "$libpcap" = FAIL ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: not found" >&5 printf "%s\n" "not found" >&6; } # # Look for pcap-config. # # Extract the first word of "pcap-config", so it can be a program name with args. set dummy pcap-config; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_PCAP_CONFIG+y} then : printf %s "(cached) " >&6 else case e in #( e) case $PCAP_CONFIG in [\\/]* | ?:[\\/]*) ac_cv_path_PCAP_CONFIG="$PCAP_CONFIG" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_PCAP_CONFIG="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS ;; esac ;; esac fi PCAP_CONFIG=$ac_cv_path_PCAP_CONFIG if test -n "$PCAP_CONFIG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PCAP_CONFIG" >&5 printf "%s\n" "$PCAP_CONFIG" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test -n "$PCAP_CONFIG" ; then # # Found - use it to get the include flags for # libpcap and the flags to link with libpcap. # libpcap="`$PCAP_CONFIG --libs`" V_INCLS="`$PCAP_CONFIG --cflags` $V_INCLS" V_PCAPDEP="$libpcap" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for main in -lpcap" >&5 printf %s "checking for main in -lpcap... " >&6; } if test ${ac_cv_lib_pcap_main+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_pcap_main=yes else case e in #( e) ac_cv_lib_pcap_main=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_main" >&5 printf "%s\n" "$ac_cv_lib_pcap_main" >&6; } if test "x$ac_cv_lib_pcap_main" = xyes then : libpcap="-lpcap" fi if test $libpcap = FAIL ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: not found" >&5 printf "%s\n" "not found" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for main in -lpcap" >&5 printf %s "checking for main in -lpcap... " >&6; } if test ${ac_cv_lib_pcap_main+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lpcap $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return main (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_pcap_main=yes else case e in #( e) ac_cv_lib_pcap_main=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcap_main" >&5 printf "%s\n" "$ac_cv_lib_pcap_main" >&6; } if test "x$ac_cv_lib_pcap_main" = xyes then : libpcap="-lwpcap" fi if test $libpcap = FAIL ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for local wpcap library" >&5 printf %s "checking for local wpcap library... " >&6; } dir="../WpdPack" if test -r $dir/Lib/libwpcap.a; then libpcap="$dir/Lib/libwpcap.a" V_PCAPDEP="$libpcap" elif test -r ../npcap/Lib/x64/wpcap.lib; then dir="../npcap" libpcap="../npcap/Lib/x64/wpcap.lib" V_PCAPDEP="$libpcap" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } as_fn_error $? "see the INSTALL doc for more info" "$LINENO" 5 fi else V_PCAPDEP="$libpcap" fi else V_PCAPDEP="$libpcap" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for extraneous pcap header directories" >&5 printf %s "checking for extraneous pcap header directories... " >&6; } if test \( ! -r /usr/local/include/pcap.h \) -a \ \( ! -r /usr/include/pcap.h \); then if test -r /usr/local/include/pcap/pcap.h; then d="/usr/local/include/pcap" elif test -r /usr/include/pcap/pcap.h; then d="/usr/include/pcap" elif test -r $dir/Include/pcap.h; then d=$dir/Include fi fi if test -z "$d" ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: not found" >&5 printf "%s\n" "not found" >&6; } else V_INCLS="-I$d $V_INCLS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: found -- -I$d added" >&5 printf "%s\n" "found -- -I$d added" >&6; } fi fi fi V_INCLS=`echo $V_INCLS | sed -e 's/\.\./..\/../'` LIBS="$LIBS $libpcap" case "$host_os" in aix*) pseexe="/lib/pse.exp" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $pseexe" >&5 printf %s "checking for $pseexe... " >&6; } if test -f $pseexe ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } LIBS="$LIBS -I:$pseexe" fi # # We need "-lodm" and "-lcfg", as libpcap requires them on # AIX, and we just build a static libpcap.a and thus can't # arrange that when you link with libpcap you automatically # link with those libraries. # LIBS="$LIBS -lodm -lcfg" ;; esac ac_fn_c_check_func "$LINENO" "pcap_list_datalinks" "ac_cv_func_pcap_list_datalinks" if test "x$ac_cv_func_pcap_list_datalinks" = xyes then : printf "%s\n" "#define HAVE_PCAP_LIST_DATALINKS /**/" >>confdefs.h else case e in #( e) case " $LIBOBJS " in *" datalinks.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS datalinks.$ac_objext" ;; esac ;; esac fi ac_fn_c_check_func "$LINENO" "pcap_set_datalink" "ac_cv_func_pcap_set_datalink" if test "x$ac_cv_func_pcap_set_datalink" = xyes then : printf "%s\n" "#define HAVE_PCAP_SET_DATALINK /**/" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_datalink_name_to_val" "ac_cv_func_pcap_datalink_name_to_val" if test "x$ac_cv_func_pcap_datalink_name_to_val" = xyes then : printf "%s\n" "#define HAVE_PCAP_DATALINK_NAME_TO_VAL /**/" >>confdefs.h ac_fn_c_check_func "$LINENO" "pcap_datalink_val_to_description" "ac_cv_func_pcap_datalink_val_to_description" if test "x$ac_cv_func_pcap_datalink_val_to_description" = xyes then : printf "%s\n" "#define HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION /**/" >>confdefs.h else case e in #( e) case " $LIBOBJS " in *" dlnames.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS dlnames.$ac_objext" ;; esac ;; esac fi else case e in #( e) case " $LIBOBJS " in *" dlnames.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS dlnames.$ac_objext" ;; esac ;; esac fi ac_fn_c_check_func "$LINENO" "pcap_findalldevs_nochecks" "ac_cv_func_pcap_findalldevs_nochecks" if test "x$ac_cv_func_pcap_findalldevs_nochecks" = xyes then : printf "%s\n" "#define HAVE_PCAP_FINDALLDEVS_NOCHECKS /**/" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_set_buffer_size" "ac_cv_func_pcap_set_buffer_size" if test "x$ac_cv_func_pcap_set_buffer_size" = xyes then : printf "%s\n" "#define HAVE_PCAP_SET_BUFFER_SIZE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_fopen_offline" "ac_cv_func_pcap_fopen_offline" if test "x$ac_cv_func_pcap_fopen_offline" = xyes then : printf "%s\n" "#define HAVE_PCAP_FOPEN_OFFLINE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_get_selectable_fd" "ac_cv_func_pcap_get_selectable_fd" if test "x$ac_cv_func_pcap_get_selectable_fd" = xyes then : printf "%s\n" "#define HAVE_PCAP_GET_SELECTABLE_FD 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_next_ex" "ac_cv_func_pcap_next_ex" if test "x$ac_cv_func_pcap_next_ex" = xyes then : printf "%s\n" "#define HAVE_PCAP_NEXT_EX 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_dump_ftell" "ac_cv_func_pcap_dump_ftell" if test "x$ac_cv_func_pcap_dump_ftell" = xyes then : printf "%s\n" "#define HAVE_PCAP_DUMP_FTELL 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_dump_flush" "ac_cv_func_pcap_dump_flush" if test "x$ac_cv_func_pcap_dump_flush" = xyes then : printf "%s\n" "#define HAVE_PCAP_DUMP_FLUSH 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_open_offline_with_tstamp_precision" "ac_cv_func_pcap_open_offline_with_tstamp_precision" if test "x$ac_cv_func_pcap_open_offline_with_tstamp_precision" = xyes then : printf "%s\n" "#define HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_fopen_offline_with_tstamp_precision" "ac_cv_func_pcap_fopen_offline_with_tstamp_precision" if test "x$ac_cv_func_pcap_fopen_offline_with_tstamp_precision" = xyes then : printf "%s\n" "#define HAVE_PCAP_FOPEN_OFFLINE_WITH_TSTAMP_PRECISION 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_set_tstamp_type" "ac_cv_func_pcap_set_tstamp_type" if test "x$ac_cv_func_pcap_set_tstamp_type" = xyes then : printf "%s\n" "#define HAVE_PCAP_SET_TSTAMP_TYPE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pcap_set_tstamp_precision" "ac_cv_func_pcap_set_tstamp_precision" if test "x$ac_cv_func_pcap_set_tstamp_precision" = xyes then : printf "%s\n" "#define HAVE_PCAP_SET_TSTAMP_PRECISION 1" >>confdefs.h fi LIBS="$LBL_LIBS" if test ! -z "$V_PCAPDEP"; then if test -f "$V_PCAPDEP"; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi pcapdir=`echo $V_PCAPDEP | sed -e 's/\.\./..\/../'` ln -s $pcapdir lib/libpcap.a V_PCAPDEP="../lib/libpcap.a" else if test "$V_PCAPDEP" = "-lpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi if test "$V_PCAPDEP" = "-lwpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi fi fi for ac_prog in flex do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_V_LEX+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$V_LEX"; then ac_cv_prog_V_LEX="$V_LEX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_V_LEX="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi V_LEX=$ac_cv_prog_V_LEX if test -n "$V_LEX"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $V_LEX" >&5 printf "%s\n" "$V_LEX" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$V_LEX" && break done test -n "$V_LEX" || V_LEX="lex" if test "$V_LEX" = flex ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for flex 2.4 or higher" >&5 printf %s "checking for flex 2.4 or higher... " >&6; } if test ${ac_cv_lbl_flex_v24+y} then : printf %s "(cached) " >&6 else case e in #( e) if flex -V >/dev/null 2>&1; then ac_cv_lbl_flex_v24=yes else ac_cv_lbl_flex_v24=no fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_flex_v24" >&5 printf "%s\n" "$ac_cv_lbl_flex_v24" >&6; } if test $ac_cv_lbl_flex_v24 = no ; then s="2.4 or higher required" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring obsolete flex executable ($s)" >&5 printf "%s\n" "$as_me: WARNING: ignoring obsolete flex executable ($s)" >&2;} V_LEX=lex fi else as_fn_error $? "flex not found. see the INSTALL for more info" "$LINENO" 5 fi for ac_prog in bison do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_V_YACC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$V_YACC"; then ac_cv_prog_V_YACC="$V_YACC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_V_YACC="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi V_YACC=$ac_cv_prog_V_YACC if test -n "$V_YACC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $V_YACC" >&5 printf "%s\n" "$V_YACC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$V_YACC" && break done test -n "$V_YACC" || V_YACC="yacc" if test "$V_YACC" = bison ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for bison parameter set" >&5 printf %s "checking for bison parameter set... " >&6; } V_YACC="$V_YACC -y" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else as_fn_error $? "bison not found. see the INSTALL for more info" "$LINENO" 5 fi if test "$V_LEX" = flex -a -n "argus_" ; then V_LEX="$V_LEX -Pargus_" V_YACC="$V_YACC -p argus_" fi case "$target_os" in linux*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether machine_id is found" >&5 printf %s "checking whether machine_id is found... " >&6; }; as_ac_File=`printf "%s\n" "ac_cv_file_"/var/lib/dbus/machine-id"" | sed "$as_sed_sh"` { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for \"/var/lib/dbus/machine-id\"" >&5 printf %s "checking for \"/var/lib/dbus/machine-id\"... " >&6; } if eval test \${$as_ac_File+y} then : printf %s "(cached) " >&6 else case e in #( e) test "$cross_compiling" = yes && as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 if test -r ""/var/lib/dbus/machine-id""; then eval "$as_ac_File=yes" else eval "$as_ac_File=no" fi ;; esac fi eval ac_res=\$$as_ac_File { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } if eval test \"x\$"$as_ac_File"\" = x"yes" then : printf "%s\n" "#define HAVE_MACHINE_ID /**/" >>confdefs.h else case e in #( e) no ;; esac fi ;; cygwin*) ;; *bsd*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether machine_id is found" >&5 printf %s "checking whether machine_id is found... " >&6; }; as_ac_File=`printf "%s\n" "ac_cv_file_"/etc/machine-id"" | sed "$as_sed_sh"` { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for \"/etc/machine-id\"" >&5 printf %s "checking for \"/etc/machine-id\"... " >&6; } if eval test \${$as_ac_File+y} then : printf %s "(cached) " >&6 else case e in #( e) test "$cross_compiling" = yes && as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 if test -r ""/etc/machine-id""; then eval "$as_ac_File=yes" else eval "$as_ac_File=no" fi ;; esac fi eval ac_res=\$$as_ac_File { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } if eval test \"x\$"$as_ac_File"\" = x"yes" then : printf "%s\n" "#define HAVE_MACHINE_ID /**/" >>confdefs.h else case e in #( e) no ;; esac fi ;; esac # Checks for programs. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 printf %s "checking for inline... " >&6; } if test ${ac_cv_c_inline+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo (void) {return 0; } $ac_kw foo_t foo (void) {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test "$ac_cv_c_inline" != no && break done ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 printf "%s\n" "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 printf %s "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`printf "%s\n" "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval test \${ac_cv_prog_make_${ac_make}_set+y} then : printf %s "(cached) " >&6 else case e in #( e) cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make ;; esac fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } SET_MAKE= else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 printf %s "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 printf "%s\n" "no, using $LN_S" >&6; } fi # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 printf %s "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if test ${ac_cv_path_install+y} then : printf %s "(cached) " >&6 else case e in #( e) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac # Account for fact that we put trailing slashes in our PATH walk. case $as_dir in #(( ./ | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir/" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir ;; esac fi if test ${ac_cv_path_install+y}; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 printf "%s\n" "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RANLIB+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 printf "%s\n" "$RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RANLIB+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 printf "%s\n" "$ac_ct_RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi for ac_prog in 'bison -y' byacc do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_YACC+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$YACC"; then ac_cv_prog_YACC="$YACC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_YACC="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi YACC=$ac_cv_prog_YACC if test -n "$YACC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5 printf "%s\n" "$YACC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$YACC" && break done test -n "$YACC" || YACC="yacc" for ac_prog in ranlib do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_V_RANLIB+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$V_RANLIB"; then ac_cv_prog_V_RANLIB="$V_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_V_RANLIB="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi V_RANLIB=$ac_cv_prog_V_RANLIB if test -n "$V_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $V_RANLIB" >&5 printf "%s\n" "$V_RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$V_RANLIB" && break done test -n "$V_RANLIB" || V_RANLIB="@true" # Check whether --with-perl was given. if test ${with_perl+y} then : withval=$with_perl; with_perl="$withval" else case e in #( e) with_perl="yes" ;; esac fi perl=FAIL if ! test ${with_perl} = "no"; then if test ${with_perl} = "yes"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for standard perl installation" >&5 printf %s "checking for standard perl installation... " >&6; } for dir in /usr /usr/local /opt /opt/local; do if test -r $dir/bin/perl ; then perl=$dir/bin/perl { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $perl" >&5 printf "%s\n" "$perl" >&6; } V_PERL="$perl" break; else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi done else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for perl installation in ${with_perl}" >&5 printf %s "checking for perl installation in ${with_perl}... " >&6; } if test -r ${with_perl}/perl ; then perl=${with_perl}/perl { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $perl" >&5 printf "%s\n" "$perl" >&6; } V_PERL="$perl" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi fi # Checks for libraries. ac_header= ac_cache= for ac_item in $ac_header_c_list do if test $ac_cache; then ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default" if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then printf "%s\n" "#define $ac_item 1" >> confdefs.h fi ac_header= ac_cache= elif test $ac_header; then ac_cache=$ac_item else ac_header=$ac_item fi done if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes then : printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 printf %s "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if test ${ac_cv_prog_CPP+y} then : printf %s "(cached) " >&6 else case e in #( e) # Double quotes because $CC needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" cpp /lib/cpp do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : else case e in #( e) # Broken: fails on valid input. continue ;; esac fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue else case e in #( e) # Passes both tests. ac_preproc_ok=: break ;; esac fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of 'break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : break fi done ac_cv_prog_CPP=$CPP ;; esac fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 printf "%s\n" "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : else case e in #( e) # Broken: fails on valid input. continue ;; esac fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue else case e in #( e) # Passes both tests. ac_preproc_ok=: break ;; esac fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of 'break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : else case e in #( e) { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See 'config.log' for more details" "$LINENO" 5; } ;; esac fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Check whether --with-sasl was given. if test ${with_sasl+y} then : withval=$with_sasl; with_sasl="$withval" else case e in #( e) with_sasl="no" ;; esac fi # Check whether --with-staticsasl was given. if test ${with_staticsasl+y} then : withval=$with_staticsasl; with_staticsasl="$withval"; if test $with_staticsasl != "no"; then using_static_sasl="static" fi else case e in #( e) with_staticsasl="no"; using_static_sasl="no" ;; esac fi if test ${with_staticsasl} != "no" || test ${with_sasl} != "no"; then SASLFLAGS="" LIB_SASL="" cmu_saved_CPPFLAGS=$CPPFLAGS cmu_saved_LDFLAGS=$LDFLAGS cmu_saved_LIBS=$LIBS if test ${with_staticsasl} != "no"; then if test -d ${with_staticsasl}; then if test -d ${with_staticsasl}/lib64 ; then ac_cv_sasl_where_lib=${with_staticsasl}/lib64 else ac_cv_sasl_where_lib=${with_staticsasl}/lib fi ac_cv_sasl_where_lib=${with_staticsasl}/lib ac_cv_sasl_where_inc=${with_staticsasl}/include SASLFLAGS="-I$ac_cv_sasl_where_inc" LIB_SASL="-L$ac_cv_sasl_where_lib" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" else with_staticsasl="/usr" fi ac_fn_c_check_header_compile "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_sasl_h" = xyes then : ac_fn_c_check_header_compile "$LINENO" "sasl/saslutil.h" "ac_cv_header_sasl_saslutil_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_saslutil_h" = xyes then : for i42 in lib64 lib; do if test -r ${with_staticsasl}/$i42/libsasl2.a; then ac_cv_found_sasl=yes { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for static libsasl" >&5 printf %s "checking for static libsasl... " >&6; } LIB_SASL="$LIB_SASL ${with_staticsasl}/$i42/libsasl2.a" fi done if test ! "$ac_cv_found_sasl" = "yes"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for static libsasl" >&5 printf %s "checking for static libsasl... " >&6; } as_fn_error $? "Could not find ${with_staticsasl}/lib*/libsasl2.a" "$LINENO" 5 fi fi fi if test "$ac_cv_found_sasl" = "yes"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: found" >&5 printf "%s\n" "found" >&6; } else as_fn_error $? "Could not find ${with_staticsasl}/lib*/libsasl2.a" "$LINENO" 5 fi fi if test -d ${with_sasl}; then ac_cv_sasl_where_lib=${with_sasl}/lib ac_cv_sasl_where_inc=${with_sasl}/include DYNSASLFLAGS="-I$ac_cv_sasl_where_inc" CPPFLAGS="${cmu_saved_CPPFLAGS} -I${ac_cv_sasl_where_inc}" LDFLAGS="${cmu_saved_LDFLAGS} -L${ac_cv_sasl_where_lib}" LIBS="-L$ac_cv_sasl_where_lib" fi # be sure to check for a SASLv2 specific function ac_fn_c_check_header_compile "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_sasl_h" = xyes then : ac_fn_c_check_header_compile "$LINENO" "sasl/saslutil.h" "ac_cv_header_sasl_saslutil_h" "$ac_includes_default" if test "x$ac_cv_header_sasl_saslutil_h" = xyes then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for prop_get in -lsasl2" >&5 printf %s "checking for prop_get in -lsasl2... " >&6; } if test ${ac_cv_lib_sasl2_prop_get+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lsasl2 $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char prop_get (void); int main (void) { return prop_get (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_sasl2_prop_get=yes else case e in #( e) ac_cv_lib_sasl2_prop_get=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sasl2_prop_get" >&5 printf "%s\n" "$ac_cv_lib_sasl2_prop_get" >&6; } if test "x$ac_cv_lib_sasl2_prop_get" = xyes then : ac_cv_found_sasl=yes else case e in #( e) ac_cv_found_sasl=no ;; esac fi else case e in #( e) ac_cv_found_sasl=no ;; esac fi else case e in #( e) ac_cv_found_sasl=no ;; esac fi if test ${with_sasl} != "no"; then if test "$ac_cv_found_sasl" = "yes"; then if test "$ac_cv_sasl_where_lib" != ""; then DYNLIB_SASL="-L$ac_cv_sasl_where_lib" fi DYNLIB_SASL="$DYNLIB_SASL -lsasl2" if test "$using_static_sasl" != "static"; then LIB_SASL=$DYNLIB_SASL SASLFLAGS=$DYNSASLFLAGS fi cmu_saved_CPPFLAGS=$CPPFLAGS CPPFLAGS="$CPPFLAGS $SASLFLAGS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #ifndef SASL_VERSION_MAJOR #error SASL_VERSION_MAJOR not defined #endif #ifndef SASL_VERSION_MINOR #error SASL_VERSION_MINOR not defined #endif #ifndef SASL_VERSION_STEP #error SASL_VERSION_STEP not defined #endif #if SASL_VERSION_MAJOR < 2 || SASL_VERSION_MINOR < 1 || SASL_VERSION_STEP < 7 #error SASL version is less than 2.1.7 #endif _ACEOF if ac_fn_c_try_cpp "$LINENO" then : else case e in #( e) as_fn_error $? "Incorrect SASL headers found. This package requires SASL 2.1.7 or newer." "$LINENO" 5 ;; esac fi rm -f conftest.err conftest.i conftest.$ac_ext CPPFLAGS=$cmu_saved_CPPFLAGS if test "$ac_cv_sasl_where_inc" != ""; then V_INCLS="-I$ac_cv_sasl_where_inc $V_INCLS" fi printf "%s\n" "#define ARGUS_SASL /**/" >>confdefs.h else as_fn_error $? "Could not find sasl2" "$LINENO" 5 fi fi LIBS="$cmu_saved_LIBS" LDFLAGS="$cmu_saved_LDFLAGS" CPPFLAGS="$cmu_saved_CPPFLAGS" fi # Most operating systems have gethostbyname() in the default searched # libraries (i.e. libc): # Some OSes (eg. Solaris) place it in libnsl # Some strange OSes (SINIX) have it in libsocket: { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing gethostbyname" >&5 printf %s "checking for library containing gethostbyname... " >&6; } if test ${ac_cv_search_gethostbyname+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char gethostbyname (void); int main (void) { return gethostbyname (); ; return 0; } _ACEOF for ac_lib in '' nsl socket resolv do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_gethostbyname=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_gethostbyname+y} then : break fi done if test ${ac_cv_search_gethostbyname+y} then : else case e in #( e) ac_cv_search_gethostbyname=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_gethostbyname" >&5 printf "%s\n" "$ac_cv_search_gethostbyname" >&6; } ac_res=$ac_cv_search_gethostbyname if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi # Unfortunately libsocket sometimes depends on libnsl and # AC_SEARCH_LIBS isn't up to the task of handling dependencies like this. if test "$ac_cv_search_gethostbyname" = "no" then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lsocket" >&5 printf %s "checking for gethostbyname in -lsocket... " >&6; } if test ${ac_cv_lib_socket_gethostbyname+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char gethostbyname (void); int main (void) { return gethostbyname (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_socket_gethostbyname=yes else case e in #( e) ac_cv_lib_socket_gethostbyname=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_gethostbyname" >&5 printf "%s\n" "$ac_cv_lib_socket_gethostbyname" >&6; } if test "x$ac_cv_lib_socket_gethostbyname" = xyes then : LIBS="-lsocket -lnsl $LIBS" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing socket" >&5 printf %s "checking for library containing socket... " >&6; } if test ${ac_cv_search_socket+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char socket (void); int main (void) { return socket (); ; return 0; } _ACEOF for ac_lib in '' socket do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_socket=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_socket+y} then : break fi done if test ${ac_cv_search_socket+y} then : else case e in #( e) ac_cv_search_socket=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_socket" >&5 printf "%s\n" "$ac_cv_search_socket" >&6; } ac_res=$ac_cv_search_socket if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 printf %s "checking for socket in -lsocket... " >&6; } if test ${ac_cv_lib_socket_socket+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket -lnsl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char socket (void); int main (void) { return socket (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_socket_socket=yes else case e in #( e) ac_cv_lib_socket_socket=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 printf "%s\n" "$ac_cv_lib_socket_socket" >&6; } if test "x$ac_cv_lib_socket_socket" = xyes then : LIBS="-lsocket -lnsl $LIBS" fi ;; esac fi # DLPI needs putmsg under HPUX so test for -lstr while we're at it { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing putmsg" >&5 printf %s "checking for library containing putmsg... " >&6; } if test ${ac_cv_search_putmsg+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char putmsg (void); int main (void) { return putmsg (); ; return 0; } _ACEOF for ac_lib in '' str do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_putmsg=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_putmsg+y} then : break fi done if test ${ac_cv_search_putmsg+y} then : else case e in #( e) ac_cv_search_putmsg=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_putmsg" >&5 printf "%s\n" "$ac_cv_search_putmsg" >&6; } ac_res=$ac_cv_search_putmsg if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi # Check whether --with-libpcre was given. if test ${with_libpcre+y} then : withval=$with_libpcre; with_libpcre="$withval" else case e in #( e) with_libpcre="no" ;; esac fi if test ${with_libpcre} != "no"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pcre library" >&5 printf %s "checking for pcre library... " >&6; } # Check whether --with-pcre-config was given. if test ${with_pcre_config+y} then : withval=$with_pcre_config; with_pcre_config="$withval" else case e in #( e) with_pcre_config="yes" ;; esac fi if test ${with_pcre_config} != "no"; then if test -f $with_pcre_config ; then PCRE_CONFIG=$with_pcre_config else for ac_prog in pcre-config do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_PCRE_CONFIG+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -n "$PCRE_CONFIG"; then ac_cv_prog_PCRE_CONFIG="$PCRE_CONFIG" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_PCRE_CONFIG="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi ;; esac fi PCRE_CONFIG=$ac_cv_prog_PCRE_CONFIG if test -n "$PCRE_CONFIG"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PCRE_CONFIG" >&5 printf "%s\n" "$PCRE_CONFIG" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$PCRE_CONFIG" && break done fi fi if test "x$PCRE_CONFIG" != "x"; then PCRE_CFLAGS=`$PCRE_CONFIG --cflags` PCRE_LIBS=`$PCRE_CONFIG --libs-posix` fi if test "x$PCRE_LIBS" != "x" ; then printf "%s\n" "#define ARGUS_PCRE /**/" >>confdefs.h V_PCRE=$PCRE_LIBS; V_INCLS="$PCRE_CFLAGS $V_INCLS" else for ac_header in regex.h do : ac_fn_c_check_header_compile "$LINENO" "regex.h" "ac_cv_header_regex_h" "$ac_includes_default" if test "x$ac_cv_header_regex_h" = xyes then : printf "%s\n" "#define HAVE_REGEX_H 1" >>confdefs.h else case e in #( e) as_fn_error $? "neither pcre nor regex found" "$LINENO" 5 ;; esac fi done fi else for ac_header in regex.h do : ac_fn_c_check_header_compile "$LINENO" "regex.h" "ac_cv_header_regex_h" "$ac_includes_default" if test "x$ac_cv_header_regex_h" = xyes then : printf "%s\n" "#define HAVE_REGEX_H 1" >>confdefs.h else case e in #( e) as_fn_error $? "regex not found" "$LINENO" 5 ;; esac fi done fi # Checks for header files. ac_header_dirent=no for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do as_ac_Header=`printf "%s\n" "ac_cv_header_dirent_$ac_hdr" | sed "$as_sed_sh"` { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_hdr that defines DIR" >&5 printf %s "checking for $ac_hdr that defines DIR... " >&6; } if eval test \${$as_ac_Header+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include <$ac_hdr> int main (void) { if ((DIR *) 0) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$as_ac_Header=yes" else case e in #( e) eval "$as_ac_Header=no" ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi eval ac_res=\$$as_ac_Header { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } if eval test \"x\$"$as_ac_Header"\" = x"yes" then : cat >>confdefs.h <<_ACEOF #define `printf "%s\n" "HAVE_$ac_hdr" | sed "$as_sed_cpp"` 1 _ACEOF ac_header_dirent=$ac_hdr; break fi done # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. if test $ac_header_dirent = dirent.h; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 printf %s "checking for library containing opendir... " >&6; } if test ${ac_cv_search_opendir+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char opendir (void); int main (void) { return opendir (); ; return 0; } _ACEOF for ac_lib in '' dir do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_opendir=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_opendir+y} then : break fi done if test ${ac_cv_search_opendir+y} then : else case e in #( e) ac_cv_search_opendir=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 printf "%s\n" "$ac_cv_search_opendir" >&6; } ac_res=$ac_cv_search_opendir if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 printf %s "checking for library containing opendir... " >&6; } if test ${ac_cv_search_opendir+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char opendir (void); int main (void) { return opendir (); ; return 0; } _ACEOF for ac_lib in '' x do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_opendir=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_opendir+y} then : break fi done if test ${ac_cv_search_opendir+y} then : else case e in #( e) ac_cv_search_opendir=no ;; esac fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 printf "%s\n" "$ac_cv_search_opendir" >&6; } ac_res=$ac_cv_search_opendir if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 printf %s "checking for grep that handles long lines and -e... " >&6; } if test ${ac_cv_path_GREP+y} then : printf %s "(cached) " >&6 else case e in #( e) if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in grep ggrep do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in #( *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; #( *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" printf "%s\n" 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 printf "%s\n" "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 printf %s "checking for egrep... " >&6; } if test ${ac_cv_path_EGREP+y} then : printf %s "(cached) " >&6 else case e in #( e) if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in egrep do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in #( *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; #( *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" printf "%s\n" 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 printf "%s\n" "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" EGREP_TRADITIONAL=$EGREP ac_cv_path_EGREP_TRADITIONAL=$EGREP { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for sys/wait.h that is POSIX.1 compatible" >&5 printf %s "checking for sys/wait.h that is POSIX.1 compatible... " >&6; } if test ${ac_cv_header_sys_wait_h+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef WEXITSTATUS # define WEXITSTATUS(stat_val) ((unsigned int) (stat_val) >> 8) #endif #ifndef WIFEXITED # define WIFEXITED(stat_val) (((stat_val) & 255) == 0) #endif int main (void) { int s; wait (&s); s = WIFEXITED (s) ? WEXITSTATUS (s) : 1; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_header_sys_wait_h=yes else case e in #( e) ac_cv_header_sys_wait_h=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_sys_wait_h" >&5 printf "%s\n" "$ac_cv_header_sys_wait_h" >&6; } if test $ac_cv_header_sys_wait_h = yes; then printf "%s\n" "#define HAVE_SYS_WAIT_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/sockio.h" "ac_cv_header_sys_sockio_h" "$ac_includes_default" if test "x$ac_cv_header_sys_sockio_h" = xyes then : printf "%s\n" "#define HAVE_SYS_SOCKIO_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "string.h" "ac_cv_header_string_h" "$ac_includes_default" if test "x$ac_cv_header_string_h" = xyes then : printf "%s\n" "#define HAVE_STRING_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "fcntl.h" "ac_cv_header_fcntl_h" "$ac_includes_default" if test "x$ac_cv_header_fcntl_h" = xyes then : printf "%s\n" "#define HAVE_FCNTL_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/file.h" "ac_cv_header_sys_file_h" "$ac_includes_default" if test "x$ac_cv_header_sys_file_h" = xyes then : printf "%s\n" "#define HAVE_SYS_FILE_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "syslog.h" "ac_cv_header_syslog_h" "$ac_includes_default" if test "x$ac_cv_header_syslog_h" = xyes then : printf "%s\n" "#define HAVE_SYSLOG_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "zlib.h" "ac_cv_header_zlib_h" "$ac_includes_default" if test "x$ac_cv_header_zlib_h" = xyes then : printf "%s\n" "#define HAVE_ZLIB_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "arpa/inet.h" "ac_cv_header_arpa_inet_h" "$ac_includes_default" if test "x$ac_cv_header_arpa_inet_h" = xyes then : printf "%s\n" "#define HAVE_ARPA_INET_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "fcntl.h" "ac_cv_header_fcntl_h" "$ac_includes_default" if test "x$ac_cv_header_fcntl_h" = xyes then : printf "%s\n" "#define HAVE_FCNTL_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "inttypes.h" "ac_cv_header_inttypes_h" "$ac_includes_default" if test "x$ac_cv_header_inttypes_h" = xyes then : printf "%s\n" "#define HAVE_INTTYPES_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "limits.h" "ac_cv_header_limits_h" "$ac_includes_default" if test "x$ac_cv_header_limits_h" = xyes then : printf "%s\n" "#define HAVE_LIMITS_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "libintl.h" "ac_cv_header_libintl_h" "$ac_includes_default" if test "x$ac_cv_header_libintl_h" = xyes then : printf "%s\n" "#define HAVE_LIBINTL_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" if test "x$ac_cv_header_malloc_h" = xyes then : printf "%s\n" "#define HAVE_MALLOC_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "memory.h" "ac_cv_header_memory_h" "$ac_includes_default" if test "x$ac_cv_header_memory_h" = xyes then : printf "%s\n" "#define HAVE_MEMORY_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netdb.h" "ac_cv_header_netdb_h" "$ac_includes_default" if test "x$ac_cv_header_netdb_h" = xyes then : printf "%s\n" "#define HAVE_NETDB_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "net/if.h" "ac_cv_header_net_if_h" "$ac_includes_default" if test "x$ac_cv_header_net_if_h" = xyes then : printf "%s\n" "#define HAVE_NET_IF_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/in.h" "ac_cv_header_netinet_in_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_in_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_IN_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/if_ether.h" "ac_cv_header_netinet_if_ether_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_if_ether_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_IF_ETHER_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/ether.h" "ac_cv_header_netinet_ether_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_ether_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_ETHER_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/in_systm.h" "ac_cv_header_netinet_in_systm_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_in_systm_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_IN_SYSTM_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/ip.h" "ac_cv_header_netinet_ip_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_ip_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_IP_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/udp.h" "ac_cv_header_netinet_udp_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_udp_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_UDP_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "netinet/tcp.h" "ac_cv_header_netinet_tcp_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_tcp_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_TCP_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "stdlib.h" "ac_cv_header_stdlib_h" "$ac_includes_default" if test "x$ac_cv_header_stdlib_h" = xyes then : printf "%s\n" "#define HAVE_STDLIB_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "stddef.h" "ac_cv_header_stddef_h" "$ac_includes_default" if test "x$ac_cv_header_stddef_h" = xyes then : printf "%s\n" "#define HAVE_STDDEF_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "string.h" "ac_cv_header_string_h" "$ac_includes_default" if test "x$ac_cv_header_string_h" = xyes then : printf "%s\n" "#define HAVE_STRING_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "strings.h" "ac_cv_header_strings_h" "$ac_includes_default" if test "x$ac_cv_header_strings_h" = xyes then : printf "%s\n" "#define HAVE_STRINGS_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/file.h" "ac_cv_header_sys_file_h" "$ac_includes_default" if test "x$ac_cv_header_sys_file_h" = xyes then : printf "%s\n" "#define HAVE_SYS_FILE_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/ioctl.h" "ac_cv_header_sys_ioctl_h" "$ac_includes_default" if test "x$ac_cv_header_sys_ioctl_h" = xyes then : printf "%s\n" "#define HAVE_SYS_IOCTL_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/param.h" "ac_cv_header_sys_param_h" "$ac_includes_default" if test "x$ac_cv_header_sys_param_h" = xyes then : printf "%s\n" "#define HAVE_SYS_PARAM_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/socket.h" "ac_cv_header_sys_socket_h" "$ac_includes_default" if test "x$ac_cv_header_sys_socket_h" = xyes then : printf "%s\n" "#define HAVE_SYS_SOCKET_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/time.h" "ac_cv_header_sys_time_h" "$ac_includes_default" if test "x$ac_cv_header_sys_time_h" = xyes then : printf "%s\n" "#define HAVE_SYS_TIME_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "sys/vfs.h" "ac_cv_header_sys_vfs_h" "$ac_includes_default" if test "x$ac_cv_header_sys_vfs_h" = xyes then : printf "%s\n" "#define HAVE_SYS_VFS_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "syslog.h" "ac_cv_header_syslog_h" "$ac_includes_default" if test "x$ac_cv_header_syslog_h" = xyes then : printf "%s\n" "#define HAVE_SYSLOG_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "termios.h" "ac_cv_header_termios_h" "$ac_includes_default" if test "x$ac_cv_header_termios_h" = xyes then : printf "%s\n" "#define HAVE_TERMIOS_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "unistd.h" "ac_cv_header_unistd_h" "$ac_includes_default" if test "x$ac_cv_header_unistd_h" = xyes then : printf "%s\n" "#define HAVE_UNISTD_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "values.h" "ac_cv_header_values_h" "$ac_includes_default" if test "x$ac_cv_header_values_h" = xyes then : printf "%s\n" "#define HAVE_VALUES_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "features.h" "ac_cv_header_features_h" "$ac_includes_default" if test "x$ac_cv_header_features_h" = xyes then : printf "%s\n" "#define HAVE_FEATURES_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "dns_sd.h" "ac_cv_header_dns_sd_h" "$ac_includes_default" if test "x$ac_cv_header_dns_sd_h" = xyes then : printf "%s\n" "#define HAVE_DNS_SD_H 1" >>confdefs.h fi # Checks for typedefs, structures, and compiler characteristics. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 printf %s "checking for an ANSI C-conforming const... " >&6; } if test ${ac_cv_c_const+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* IBM XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* IBM XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_const=yes else case e in #( e) ac_cv_c_const=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 printf "%s\n" "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then printf "%s\n" "#define const /**/" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 printf %s "checking for inline... " >&6; } if test ${ac_cv_c_inline+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo (void) {return 0; } $ac_kw foo_t foo (void) {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test "$ac_cv_c_inline" != no && break done ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 printf "%s\n" "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac # Check whether --enable-largefile was given. if test ${enable_largefile+y} then : enableval=$enable_largefile; fi if test "$enable_largefile,$enable_year2038" != no,no then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable large file support" >&5 printf %s "checking for $CC option to enable large file support... " >&6; } if test ${ac_cv_sys_largefile_opts+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_CC="$CC" ac_opt_found=no for ac_opt in "none needed" "-D_FILE_OFFSET_BITS=64" "-D_LARGE_FILES=1" "-n32"; do if test x"$ac_opt" != x"none needed" then : CC="$ac_save_CC $ac_opt" fi cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #ifndef FTYPE # define FTYPE off_t #endif /* Check that FTYPE can represent 2**63 - 1 correctly. We can't simply define LARGE_FTYPE to be 9223372036854775807, since some C++ compilers masquerading as C compilers incorrectly reject 9223372036854775807. */ #define LARGE_FTYPE (((FTYPE) 1 << 31 << 31) - 1 + ((FTYPE) 1 << 31 << 31)) int FTYPE_is_large[(LARGE_FTYPE % 2147483629 == 721 && LARGE_FTYPE % 2147483647 == 1) ? 1 : -1]; int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : if test x"$ac_opt" = x"none needed" then : # GNU/Linux s390x and alpha need _FILE_OFFSET_BITS=64 for wide ino_t. CC="$CC -DFTYPE=ino_t" if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) CC="$CC -D_FILE_OFFSET_BITS=64" if ac_fn_c_try_compile "$LINENO" then : ac_opt='-D_FILE_OFFSET_BITS=64' fi rm -f core conftest.err conftest.$ac_objext conftest.beam ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam fi ac_cv_sys_largefile_opts=$ac_opt ac_opt_found=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test $ac_opt_found = no || break done CC="$ac_save_CC" test $ac_opt_found = yes || ac_cv_sys_largefile_opts="support not detected" ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_largefile_opts" >&5 printf "%s\n" "$ac_cv_sys_largefile_opts" >&6; } ac_have_largefile=yes case $ac_cv_sys_largefile_opts in #( "none needed") : ;; #( "supported through gnulib") : ;; #( "support not detected") : ac_have_largefile=no ;; #( "-D_FILE_OFFSET_BITS=64") : printf "%s\n" "#define _FILE_OFFSET_BITS 64" >>confdefs.h ;; #( "-D_LARGE_FILES=1") : printf "%s\n" "#define _LARGE_FILES 1" >>confdefs.h ;; #( "-n32") : CC="$CC -n32" ;; #( *) : as_fn_error $? "internal error: bad value for \$ac_cv_sys_largefile_opts" "$LINENO" 5 ;; esac if test "$enable_year2038" != no then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option for timestamps after 2038" >&5 printf %s "checking for $CC option for timestamps after 2038... " >&6; } if test ${ac_cv_sys_year2038_opts+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_CPPFLAGS="$CPPFLAGS" ac_opt_found=no for ac_opt in "none needed" "-D_TIME_BITS=64" "-D__MINGW_USE_VC2005_COMPAT" "-U_USE_32_BIT_TIME_T -D__MINGW_USE_VC2005_COMPAT"; do if test x"$ac_opt" != x"none needed" then : CPPFLAGS="$ac_save_CPPFLAGS $ac_opt" fi cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include /* Check that time_t can represent 2**32 - 1 correctly. */ #define LARGE_TIME_T \\ ((time_t) (((time_t) 1 << 30) - 1 + 3 * ((time_t) 1 << 30))) int verify_time_t_range[(LARGE_TIME_T / 65537 == 65535 && LARGE_TIME_T % 65537 == 0) ? 1 : -1]; int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_sys_year2038_opts="$ac_opt" ac_opt_found=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test $ac_opt_found = no || break done CPPFLAGS="$ac_save_CPPFLAGS" test $ac_opt_found = yes || ac_cv_sys_year2038_opts="support not detected" ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sys_year2038_opts" >&5 printf "%s\n" "$ac_cv_sys_year2038_opts" >&6; } ac_have_year2038=yes case $ac_cv_sys_year2038_opts in #( "none needed") : ;; #( "support not detected") : ac_have_year2038=no ;; #( "-D_TIME_BITS=64") : printf "%s\n" "#define _TIME_BITS 64" >>confdefs.h ;; #( "-D__MINGW_USE_VC2005_COMPAT") : printf "%s\n" "#define __MINGW_USE_VC2005_COMPAT 1" >>confdefs.h ;; #( "-U_USE_32_BIT_TIME_T"*) : { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "the 'time_t' type is currently forced to be 32-bit. It will stop working after mid-January 2038. Remove _USE_32BIT_TIME_T from the compiler flags. See 'config.log' for more details" "$LINENO" 5; } ;; #( *) : as_fn_error $? "internal error: bad value for \$ac_cv_sys_year2038_opts" "$LINENO" 5 ;; esac fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if unaligned accesses fail" >&5 printf %s "checking if unaligned accesses fail... " >&6; } if test ${ac_cv_lbl_unaligned_fail+y} then : printf %s "(cached) " >&6 else case e in #( e) case "$target_cpu" in # XXX: should also check that they don't do weird things (like on arm) alpha*|arm*|hp*|mips|sparc) ac_cv_lbl_unaligned_fail=yes ;; *) cat >conftest.c < # include # include unsigned char a[5] = { 1, 2, 3, 4, 5 }; main() { unsigned int i; pid_t pid; int status; /* avoid "core dumped" message */ pid = fork(); if (pid < 0) exit(2); if (pid > 0) { /* parent */ pid = waitpid(pid, &status, 0); if (pid < 0) exit(3); exit(!WIFEXITED(status)); } /* child */ i = *(unsigned int *)&a[1]; printf("%d\n", i); exit(0); } EOF ${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS \ conftest.c $LIBS >/dev/null 2>&1 if test ! -x conftest ; then ac_cv_lbl_unaligned_fail=yes else ./conftest >conftest.out if test ! -s conftest.out ; then ac_cv_lbl_unaligned_fail=yes else ac_cv_lbl_unaligned_fail=no fi fi rm -rf conftest* core core.conftest ;; esac ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lbl_unaligned_fail" >&5 printf "%s\n" "$ac_cv_lbl_unaligned_fail" >&6; } if test $ac_cv_lbl_unaligned_fail = yes ; then printf "%s\n" "#define LBL_ALIGN /**/" >>confdefs.h fi rm -f os-proto.h if test "${LBL_CFLAGS+set}" = set; then V_CCOPT="$V_CCOPT ${LBL_CFLAGS}" fi if test -f .devel ; then V_CCOPT=`echo $V_CCOPT | sed -e 's/-O3//'` V_CCOPT=`echo $V_CCOPT | sed -e 's/-O//'` if test "$GCC" = yes ; then if test "${LBL_CFLAGS+set}" != set; then if test "$ac_cv_prog_cc_g" = yes ; then V_CCOPT="-g $V_CCOPT" fi V_CCOPT="$V_CCOPT -Wall" if test $ac_cv_lbl_gcc_vers -gt 1 ; then V_CCOPT="$V_CCOPT -Wmissing-prototypes" fi fi else case "$target_os" in solaris*) V_CCOPT="$V_CCOPT -g" ;; irix6*) V_CCOPT="$V_CCOPT -n32" ;; *) ;; esac fi fi if test -f .debug ; then printf "%s\n" "#define ARGUSDEBUG /**/" >>confdefs.h fi if test -f .memory ; then printf "%s\n" "#define ARGUSMEMDEBUG /**/" >>confdefs.h fi ac_fn_c_find_intX_t "$LINENO" "8" "ac_cv_c_int8_t" case $ac_cv_c_int8_t in #( no|yes) ;; #( *) printf "%s\n" "#define int8_t $ac_cv_c_int8_t" >>confdefs.h ;; esac ac_fn_c_find_uintX_t "$LINENO" "8" "ac_cv_c_uint8_t" case $ac_cv_c_uint8_t in #( no|yes) ;; #( *) printf "%s\n" "#define _UINT8_T 1" >>confdefs.h printf "%s\n" "#define uint8_t $ac_cv_c_uint8_t" >>confdefs.h ;; esac ac_fn_c_find_intX_t "$LINENO" "16" "ac_cv_c_int16_t" case $ac_cv_c_int16_t in #( no|yes) ;; #( *) printf "%s\n" "#define int16_t $ac_cv_c_int16_t" >>confdefs.h ;; esac ac_fn_c_find_uintX_t "$LINENO" "16" "ac_cv_c_uint16_t" case $ac_cv_c_uint16_t in #( no|yes) ;; #( *) printf "%s\n" "#define uint16_t $ac_cv_c_uint16_t" >>confdefs.h ;; esac ac_fn_c_find_intX_t "$LINENO" "32" "ac_cv_c_int32_t" case $ac_cv_c_int32_t in #( no|yes) ;; #( *) printf "%s\n" "#define int32_t $ac_cv_c_int32_t" >>confdefs.h ;; esac ac_fn_c_find_uintX_t "$LINENO" "32" "ac_cv_c_uint32_t" case $ac_cv_c_uint32_t in #( no|yes) ;; #( *) printf "%s\n" "#define _UINT32_T 1" >>confdefs.h printf "%s\n" "#define uint32_t $ac_cv_c_uint32_t" >>confdefs.h ;; esac ac_fn_c_check_type "$LINENO" "uid_t" "ac_cv_type_uid_t" "$ac_includes_default" if test "x$ac_cv_type_uid_t" = xyes then : else case e in #( e) printf "%s\n" "#define uid_t int" >>confdefs.h ;; esac fi ac_fn_c_check_type "$LINENO" "gid_t" "ac_cv_type_gid_t" "$ac_includes_default" if test "x$ac_cv_type_gid_t" = xyes then : else case e in #( e) printf "%s\n" "#define gid_t int" >>confdefs.h ;; esac fi ac_fn_c_check_type "$LINENO" "pid_t" "ac_cv_type_pid_t" "$ac_includes_default " if test "x$ac_cv_type_pid_t" = xyes then : else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined _WIN64 && !defined __CYGWIN__ LLP64 #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_pid_type='int' else case e in #( e) ac_pid_type='__int64' ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext printf "%s\n" "#define pid_t $ac_pid_type" >>confdefs.h ;; esac fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes then : else case e in #( e) printf "%s\n" "#define size_t unsigned int" >>confdefs.h ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether struct tm is in sys/time.h or time.h" >&5 printf %s "checking whether struct tm is in sys/time.h or time.h... " >&6; } if test ${ac_cv_struct_tm+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { struct tm tm; int *p = &tm.tm_sec; return !p; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_struct_tm=time.h else case e in #( e) ac_cv_struct_tm=sys/time.h ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_struct_tm" >&5 printf "%s\n" "$ac_cv_struct_tm" >&6; } if test $ac_cv_struct_tm = sys/time.h; then printf "%s\n" "#define TM_IN_SYS_TIME 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC options needed to detect all undeclared functions" >&5 printf %s "checking for $CC options needed to detect all undeclared functions... " >&6; } if test ${ac_cv_c_undeclared_builtin_options+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_save_CFLAGS=$CFLAGS ac_cv_c_undeclared_builtin_options='cannot detect' for ac_arg in '' -fno-builtin; do CFLAGS="$ac_save_CFLAGS $ac_arg" # This test program should *not* compile successfully. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { (void) strchr; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else case e in #( e) # This test program should compile successfully. # No library function is consistently available on # freestanding implementations, so test against a dummy # declaration. Include always-available headers on the # off chance that they somehow elicit warnings. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include extern void ac_decl (int, char *); int main (void) { (void) ac_decl (0, (char *) 0); (void) ac_decl; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : if test x"$ac_arg" = x then : ac_cv_c_undeclared_builtin_options='none needed' else case e in #( e) ac_cv_c_undeclared_builtin_options=$ac_arg ;; esac fi break fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done CFLAGS=$ac_save_CFLAGS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_undeclared_builtin_options" >&5 printf "%s\n" "$ac_cv_c_undeclared_builtin_options" >&6; } case $ac_cv_c_undeclared_builtin_options in #( 'cannot detect') : { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;} as_fn_error $? "cannot make $CC report undeclared builtins See 'config.log' for more details" "$LINENO" 5; } ;; #( 'none needed') : ac_c_undeclared_builtin_options='' ;; #( *) : ac_c_undeclared_builtin_options=$ac_cv_c_undeclared_builtin_options ;; esac ac_fn_c_check_member "$LINENO" "struct tm" "tm_zone" "ac_cv_member_struct_tm_tm_zone" "#include #include <$ac_cv_struct_tm> " if test "x$ac_cv_member_struct_tm_tm_zone" = xyes then : printf "%s\n" "#define HAVE_STRUCT_TM_TM_ZONE 1" >>confdefs.h fi if test "$ac_cv_member_struct_tm_tm_zone" = yes; then printf "%s\n" "#define HAVE_TM_ZONE 1" >>confdefs.h else ac_fn_check_decl "$LINENO" "tzname" "ac_cv_have_decl_tzname" "#include " "$ac_c_undeclared_builtin_options" "CFLAGS" if test "x$ac_cv_have_decl_tzname" = xyes then : ac_have_decl=1 else case e in #( e) ac_have_decl=0 ;; esac fi printf "%s\n" "#define HAVE_DECL_TZNAME $ac_have_decl" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for tzname" >&5 printf %s "checking for tzname... " >&6; } if test ${ac_cv_var_tzname+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #if !HAVE_DECL_TZNAME extern char *tzname[]; #endif int main (void) { return tzname[0][0]; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_var_tzname=yes else case e in #( e) ac_cv_var_tzname=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_var_tzname" >&5 printf "%s\n" "$ac_cv_var_tzname" >&6; } if test $ac_cv_var_tzname = yes; then printf "%s\n" "#define HAVE_TZNAME 1" >>confdefs.h fi fi # Checks for library functions. # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # for constant arguments. Useless! { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 printf %s "checking for working alloca.h... " >&6; } if test ${ac_cv_working_alloca_h+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { char *p = (char *) alloca (2 * sizeof (int)); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_working_alloca_h=yes else case e in #( e) ac_cv_working_alloca_h=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 printf "%s\n" "$ac_cv_working_alloca_h" >&6; } if test $ac_cv_working_alloca_h = yes; then printf "%s\n" "#define HAVE_ALLOCA_H 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 printf %s "checking for alloca... " >&6; } if test ${ac_cv_func_alloca_works+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_func_alloca_works=$ac_cv_working_alloca_h if test "$ac_cv_func_alloca_works" != yes then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef alloca # ifdef __GNUC__ # define alloca __builtin_alloca # elif defined _MSC_VER # include # define alloca _alloca # else # ifdef __cplusplus extern "C" # endif void *alloca (size_t); # endif #endif int main (void) { char *p = (char *) alloca (1); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_func_alloca_works=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 printf "%s\n" "$ac_cv_func_alloca_works" >&6; } if test $ac_cv_func_alloca_works = yes; then printf "%s\n" "#define HAVE_ALLOCA 1" >>confdefs.h else # The SVR3 libPW and SVR4 libucb both contain incompatible functions # that cause trouble. Some versions do not even contain alloca or # contain a buggy version. If you still want to use their alloca, # use ar to extract alloca.o from them instead of compiling alloca.c. ALLOCA=\${LIBOBJDIR}alloca.$ac_objext printf "%s\n" "#define C_ALLOCA 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 printf %s "checking stack direction for C alloca... " >&6; } if test ${ac_cv_c_stack_direction+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_c_stack_direction=0 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int find_stack_direction (int *addr, int depth) { int dir, dummy = 0; if (! addr) addr = &dummy; *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; dir = depth ? find_stack_direction (addr, depth - 1) : 0; return dir + dummy; } int main (int argc, char **argv) { return find_stack_direction (0, argc + !argv + 20) < 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_stack_direction=1 else case e in #( e) ac_cv_c_stack_direction=-1 ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 printf "%s\n" "$ac_cv_c_stack_direction" >&6; } printf "%s\n" "#define STACK_DIRECTION $ac_cv_c_stack_direction" >>confdefs.h fi ac_func= for ac_item in $ac_func_c_list do if test $ac_func; then ac_fn_c_check_func "$LINENO" $ac_func ac_cv_func_$ac_func if eval test \"x\$ac_cv_func_$ac_func\" = xyes; then echo "#define $ac_item 1" >> confdefs.h fi ac_func= else ac_func=$ac_item fi done if test "x$ac_cv_func_vprintf" = xno then : ac_fn_c_check_func "$LINENO" "_doprnt" "ac_cv_func__doprnt" if test "x$ac_cv_func__doprnt" = xyes then : printf "%s\n" "#define HAVE_DOPRNT 1" >>confdefs.h fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether closedir returns void" >&5 printf %s "checking whether closedir returns void... " >&6; } if test ${ac_cv_func_closedir_void+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include <$ac_header_dirent> int main (void) { return closedir(0); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_func_closedir_void=no else case e in #( e) ac_cv_func_closedir_void=yes ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_closedir_void" >&5 printf "%s\n" "$ac_cv_func_closedir_void" >&6; } if test $ac_cv_func_closedir_void = yes; then printf "%s\n" "#define CLOSEDIR_VOID 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for error_at_line" >&5 printf %s "checking for error_at_line... " >&6; } if test ${ac_cv_lib_error_at_line+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { error_at_line (0, 0, "", 0, "an error occurred"); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_error_at_line=yes else case e in #( e) ac_cv_lib_error_at_line=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_error_at_line" >&5 printf "%s\n" "$ac_cv_lib_error_at_line" >&6; } if test $ac_cv_lib_error_at_line = no; then case " $LIBOBJS " in *" error.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS error.$ac_objext" ;; esac fi if test "x$ac_cv_func_fork" = xyes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working fork" >&5 printf %s "checking for working fork... " >&6; } if test ${ac_cv_func_fork_works+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_fork_works=cross else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { /* By R. Kuhlmann. */ return fork () < 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_fork_works=yes else case e in #( e) ac_cv_func_fork_works=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_fork_works" >&5 printf "%s\n" "$ac_cv_func_fork_works" >&6; } else ac_cv_func_fork_works=$ac_cv_func_fork fi if test "x$ac_cv_func_fork_works" = xcross; then case $host in *-*-amigaos* | *-*-msdosdjgpp*) # Override, as these systems have only a dummy fork() stub ac_cv_func_fork_works=no ;; *) ac_cv_func_fork_works=yes ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&5 printf "%s\n" "$as_me: WARNING: result $ac_cv_func_fork_works guessed because of cross compilation" >&2;} fi ac_cv_func_vfork_works=$ac_cv_func_vfork if test "x$ac_cv_func_vfork" = xyes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working vfork" >&5 printf %s "checking for working vfork... " >&6; } if test ${ac_cv_func_vfork_works+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_vfork_works=cross else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Thanks to Paul Eggert for this test. */ $ac_includes_default #include #include #ifdef HAVE_VFORK_H # include #endif static void do_nothing (int sig) { (void) sig; } /* On some sparc systems, changes by the child to local and incoming argument registers are propagated back to the parent. The compiler is told about this with #include , but some compilers (e.g. gcc -O) don't grok . Test for this by using a static variable whose address is put into a register that is clobbered by the vfork. */ static void sparc_address_test (int arg) { static pid_t child; if (!child) { child = vfork (); if (child < 0) { perror ("vfork"); _exit(2); } if (!child) { arg = getpid(); write(-1, "", 0); _exit (arg); } } } int main (void) { pid_t parent = getpid (); pid_t child; sparc_address_test (0); /* On Solaris 2.4, changes by the child to the signal handler also munge signal handlers in the parent. To detect this, start by putting the parent's handler in a known state. */ signal (SIGTERM, SIG_DFL); child = vfork (); if (child == 0) { /* Here is another test for sparc vfork register problems. This test uses lots of local variables, at least as many local variables as main has allocated so far including compiler temporaries. 4 locals are enough for gcc 1.40.3 on a Solaris 4.1.3 sparc, but we use 8 to be safe. A buggy compiler should reuse the register of parent for one of the local variables, since it will think that parent can't possibly be used any more in this routine. Assigning to the local variable will thus munge parent in the parent process. */ pid_t p = getpid(), p1 = getpid(), p2 = getpid(), p3 = getpid(), p4 = getpid(), p5 = getpid(), p6 = getpid(), p7 = getpid(); /* Convince the compiler that p..p7 are live; otherwise, it might use the same hardware register for all 8 local variables. */ if (p != p1 || p != p2 || p != p3 || p != p4 || p != p5 || p != p6 || p != p7) _exit(1); /* Alter the child's signal handler. */ if (signal (SIGTERM, do_nothing) != SIG_DFL) _exit(1); /* On some systems (e.g. IRIX 3.3), vfork doesn't separate parent from child file descriptors. If the child closes a descriptor before it execs or exits, this munges the parent's descriptor as well. Test for this by closing stdout in the child. */ _exit(close(fileno(stdout)) != 0); } else { int status; struct stat st; while (wait(&status) != child) ; return ( /* Was there some problem with vforking? */ child < 0 /* Did the child munge the parent's signal handler? */ || signal (SIGTERM, SIG_DFL) != SIG_DFL /* Did the child fail? (This shouldn't happen.) */ || status /* Did the vfork/compiler bug occur? */ || parent != getpid() /* Did the file descriptor bug occur? */ || fstat(fileno(stdout), &st) != 0 ); } } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_vfork_works=yes else case e in #( e) ac_cv_func_vfork_works=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_vfork_works" >&5 printf "%s\n" "$ac_cv_func_vfork_works" >&6; } fi; if test "x$ac_cv_func_fork_works" = xcross; then ac_cv_func_vfork_works=$ac_cv_func_vfork { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&5 printf "%s\n" "$as_me: WARNING: result $ac_cv_func_vfork_works guessed because of cross compilation" >&2;} fi if test "x$ac_cv_func_vfork_works" = xyes; then printf "%s\n" "#define HAVE_WORKING_VFORK 1" >>confdefs.h else printf "%s\n" "#define vfork fork" >>confdefs.h fi if test "x$ac_cv_func_fork_works" = xyes; then printf "%s\n" "#define HAVE_WORKING_FORK 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible malloc" >&5 printf %s "checking for GNU libc compatible malloc... " >&6; } if test ${ac_cv_func_malloc_0_nonnull+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : case "$host_os" in # (( # Guess yes on platforms where we know the result. *-gnu* | freebsd* | netbsd* | openbsd* | bitrig* \ | hpux* | solaris* | cygwin* | mingw* | windows* | msys* ) ac_cv_func_malloc_0_nonnull=yes ;; # If we don't know, assume the worst. *) ac_cv_func_malloc_0_nonnull=no ;; esac else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { void *p = malloc (0); int result = !p; free (p); return result; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_malloc_0_nonnull=yes else case e in #( e) ac_cv_func_malloc_0_nonnull=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_malloc_0_nonnull" >&5 printf "%s\n" "$ac_cv_func_malloc_0_nonnull" >&6; } if test $ac_cv_func_malloc_0_nonnull = yes then : printf "%s\n" "#define HAVE_MALLOC 1" >>confdefs.h else case e in #( e) printf "%s\n" "#define HAVE_MALLOC 0" >>confdefs.h case " $LIBOBJS " in *" malloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS malloc.$ac_objext" ;; esac printf "%s\n" "#define malloc rpl_malloc" >>confdefs.h ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working memcmp" >&5 printf %s "checking for working memcmp... " >&6; } if test ${ac_cv_func_memcmp_working+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_memcmp_working=no else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { /* Some versions of memcmp are not 8-bit clean. */ char c0 = '\100', c1 = '\200', c2 = '\201'; if (memcmp(&c0, &c2, 1) >= 0 || memcmp(&c1, &c2, 1) >= 0) return 1; /* The Next x86 OpenStep bug shows up only when comparing 16 bytes or more and with at least one buffer not starting on a 4-byte boundary. William Lewis provided this test program. */ { char foo[21]; char bar[21]; int i; for (i = 0; i < 4; i++) { char *a = foo + i; char *b = bar + i; strcpy (a, "--------01111111"); strcpy (b, "--------10000000"); if (memcmp (a, b, 16) >= 0) return 1; } return 0; } ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_memcmp_working=yes else case e in #( e) ac_cv_func_memcmp_working=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_memcmp_working" >&5 printf "%s\n" "$ac_cv_func_memcmp_working" >&6; } test $ac_cv_func_memcmp_working = no && case " $LIBOBJS " in *" memcmp.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS memcmp.$ac_objext" ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working mktime" >&5 printf %s "checking for working mktime... " >&6; } if test ${ac_cv_func_working_mktime+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_working_mktime=no else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Test program from Paul Eggert and Tony Leneis. */ #include #ifdef HAVE_SYS_TIME_H # include #endif #include #include #ifdef HAVE_UNISTD_H # include #endif #ifndef HAVE_ALARM # define alarm(X) /* empty */ #endif /* Work around redefinition to rpl_putenv by other config tests. */ #undef putenv static time_t time_t_max; static time_t time_t_min; /* Values we'll use to set the TZ environment variable. */ static const char *tz_strings[] = { (const char *) 0, "TZ=GMT0", "TZ=JST-9", "TZ=EST+3EDT+2,M10.1.0/00:00:00,M2.3.0/00:00:00" }; #define N_STRINGS (sizeof (tz_strings) / sizeof (tz_strings[0])) /* Return 0 if mktime fails to convert a date in the spring-forward gap. Based on a problem report from Andreas Jaeger. */ static int spring_forward_gap (void) { /* glibc (up to about 1998-10-07) failed this test. */ struct tm tm; /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0" instead of "TZ=America/Vancouver" in order to detect the bug even on systems that don't support the Olson extension, or don't have the full zoneinfo tables installed. */ putenv ((char*) "TZ=PST8PDT,M4.1.0,M10.5.0"); tm.tm_year = 98; tm.tm_mon = 3; tm.tm_mday = 5; tm.tm_hour = 2; tm.tm_min = 0; tm.tm_sec = 0; tm.tm_isdst = -1; return mktime (&tm) != (time_t) -1; } static int mktime_test1 (time_t now) { struct tm *lt; return ! (lt = localtime (&now)) || mktime (lt) == now; } static int mktime_test (time_t now) { return (mktime_test1 (now) && mktime_test1 ((time_t) (time_t_max - now)) && mktime_test1 ((time_t) (time_t_min + now))); } static int irix_6_4_bug (void) { /* Based on code from Ariel Faigon. */ struct tm tm; tm.tm_year = 96; tm.tm_mon = 3; tm.tm_mday = 0; tm.tm_hour = 0; tm.tm_min = 0; tm.tm_sec = 0; tm.tm_isdst = -1; mktime (&tm); return tm.tm_mon == 2 && tm.tm_mday == 31; } static int bigtime_test (int j) { struct tm tm; time_t now; tm.tm_year = tm.tm_mon = tm.tm_mday = tm.tm_hour = tm.tm_min = tm.tm_sec = j; now = mktime (&tm); if (now != (time_t) -1) { struct tm *lt = localtime (&now); if (! (lt && lt->tm_year == tm.tm_year && lt->tm_mon == tm.tm_mon && lt->tm_mday == tm.tm_mday && lt->tm_hour == tm.tm_hour && lt->tm_min == tm.tm_min && lt->tm_sec == tm.tm_sec && lt->tm_yday == tm.tm_yday && lt->tm_wday == tm.tm_wday && ((lt->tm_isdst < 0 ? -1 : 0 < lt->tm_isdst) == (tm.tm_isdst < 0 ? -1 : 0 < tm.tm_isdst)))) return 0; } return 1; } static int year_2050_test (void) { /* The correct answer for 2050-02-01 00:00:00 in Pacific time, ignoring leap seconds. */ unsigned long int answer = 2527315200UL; struct tm tm; time_t t; tm.tm_year = 2050 - 1900; tm.tm_mon = 2 - 1; tm.tm_mday = 1; tm.tm_hour = tm.tm_min = tm.tm_sec = 0; tm.tm_isdst = -1; /* Use the portable POSIX.1 specification "TZ=PST8PDT,M4.1.0,M10.5.0" instead of "TZ=America/Vancouver" in order to detect the bug even on systems that don't support the Olson extension, or don't have the full zoneinfo tables installed. */ putenv ((char*) "TZ=PST8PDT,M4.1.0,M10.5.0"); t = mktime (&tm); /* Check that the result is either a failure, or close enough to the correct answer that we can assume the discrepancy is due to leap seconds. */ return (t == (time_t) -1 || (0 < t && answer - 120 <= t && t <= answer + 120)); } int main (void) { time_t t, delta; int i, j; /* This test makes some buggy mktime implementations loop. Give up after 60 seconds; a mktime slower than that isn't worth using anyway. */ alarm (60); for (;;) { t = (time_t_max << 1) + 1; if (t <= time_t_max) break; time_t_max = t; } time_t_min = - ((time_t) ~ (time_t) 0 == (time_t) -1) - time_t_max; delta = time_t_max / 997; /* a suitable prime number */ for (i = 0; i < N_STRINGS; i++) { if (tz_strings[i]) putenv ((char*) tz_strings[i]); for (t = 0; t <= time_t_max - delta; t += delta) if (! mktime_test (t)) return 1; if (! (mktime_test ((time_t) 1) && mktime_test ((time_t) (60 * 60)) && mktime_test ((time_t) (60 * 60 * 24)))) return 1; for (j = 1; ; j <<= 1) if (! bigtime_test (j)) return 1; else if (INT_MAX / 2 < j) break; if (! bigtime_test (INT_MAX)) return 1; } return ! (irix_6_4_bug () && spring_forward_gap () && year_2050_test ()); } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_working_mktime=yes else case e in #( e) ac_cv_func_working_mktime=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_working_mktime" >&5 printf "%s\n" "$ac_cv_func_working_mktime" >&6; } if test $ac_cv_func_working_mktime = no; then case " $LIBOBJS " in *" mktime.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS mktime.$ac_objext" ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GNU libc compatible realloc" >&5 printf %s "checking for GNU libc compatible realloc... " >&6; } if test ${ac_cv_func_realloc_0_nonnull+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : case "$host_os" in # (( # Guess yes on platforms where we know the result. *-gnu* | freebsd* | netbsd* | openbsd* | bitrig* \ | hpux* | solaris* | cygwin* | mingw* | windows* | msys* ) ac_cv_func_realloc_0_nonnull=yes ;; # If we don't know, assume the worst. *) ac_cv_func_realloc_0_nonnull=no ;; esac else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { void *p = realloc (0, 0); int result = !p; free (p); return result; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_realloc_0_nonnull=yes else case e in #( e) ac_cv_func_realloc_0_nonnull=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_realloc_0_nonnull" >&5 printf "%s\n" "$ac_cv_func_realloc_0_nonnull" >&6; } if test $ac_cv_func_realloc_0_nonnull = yes then : printf "%s\n" "#define HAVE_REALLOC 1" >>confdefs.h else case e in #( e) printf "%s\n" "#define HAVE_REALLOC 0" >>confdefs.h case " $LIBOBJS " in *" realloc.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS realloc.$ac_objext" ;; esac printf "%s\n" "#define realloc rpl_realloc" >>confdefs.h ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking types of arguments for select" >&5 printf %s "checking types of arguments for select... " >&6; } if test ${ac_cv_func_select_args+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_cv_func_select_args='int,int *,struct timeval *' for ac_arg234 in 'fd_set *' 'int *' 'void *'; do for ac_arg1 in 'int' 'size_t' 'unsigned long int' 'unsigned int'; do for ac_arg5 in 'struct timeval *' 'const struct timeval *'; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default #ifdef HAVE_SYS_SELECT_H # include #endif #ifdef HAVE_SYS_SOCKET_H # include #endif int main (void) { extern int select ($ac_arg1, $ac_arg234, $ac_arg234, $ac_arg234, $ac_arg5); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_func_select_args="$ac_arg1,$ac_arg234,$ac_arg5"; break 3 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done done done ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_select_args" >&5 printf "%s\n" "$ac_cv_func_select_args" >&6; } ac_save_IFS=$IFS; IFS=',' set dummy `echo "$ac_cv_func_select_args" | sed 's/\*/\*/g'` IFS=$ac_save_IFS shift printf "%s\n" "#define SELECT_TYPE_ARG1 $1" >>confdefs.h printf "%s\n" "#define SELECT_TYPE_ARG234 ($2)" >>confdefs.h printf "%s\n" "#define SELECT_TYPE_ARG5 ($3)" >>confdefs.h rm -rf conftest* printf "%s\n" "#define RETSIGTYPE $ac_cv_type_signal" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether lstat correctly handles trailing slash" >&5 printf %s "checking whether lstat correctly handles trailing slash... " >&6; } if test ${ac_cv_func_lstat_dereferences_slashed_symlink+y} then : printf %s "(cached) " >&6 else case e in #( e) rm -f conftest.sym conftest.file echo >conftest.file if test "$as_ln_s" = "ln -s" && ln -s conftest.file conftest.sym; then if test "$cross_compiling" = yes then : case "$host_os" in # (( # Guess yes on glibc systems. *-gnu*) ac_cv_func_lstat_dereferences_slashed_symlink=yes ;; # If we don't know, assume the worst. *) ac_cv_func_lstat_dereferences_slashed_symlink=no ;; esac else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { struct stat sbuf; /* Linux will dereference the symlink and fail, as required by POSIX. That is better in the sense that it means we will not have to compile and use the lstat wrapper. */ return lstat ("conftest.sym/", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_lstat_dereferences_slashed_symlink=yes else case e in #( e) ac_cv_func_lstat_dereferences_slashed_symlink=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi else # If the 'ln -s' command failed, then we probably don't even # have an lstat function. ac_cv_func_lstat_dereferences_slashed_symlink=no fi rm -f conftest.sym conftest.file ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_lstat_dereferences_slashed_symlink" >&5 printf "%s\n" "$ac_cv_func_lstat_dereferences_slashed_symlink" >&6; } test $ac_cv_func_lstat_dereferences_slashed_symlink = yes && printf "%s\n" "#define LSTAT_FOLLOWS_SLASHED_SYMLINK 1" >>confdefs.h if test "x$ac_cv_func_lstat_dereferences_slashed_symlink" = xno; then case " $LIBOBJS " in *" lstat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS lstat.$ac_objext" ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether stat accepts an empty string" >&5 printf %s "checking whether stat accepts an empty string... " >&6; } if test ${ac_cv_func_stat_empty_string_bug+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_stat_empty_string_bug=yes else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { struct stat sbuf; return stat ("", &sbuf) == 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_stat_empty_string_bug=no else case e in #( e) ac_cv_func_stat_empty_string_bug=yes ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_stat_empty_string_bug" >&5 printf "%s\n" "$ac_cv_func_stat_empty_string_bug" >&6; } if test $ac_cv_func_stat_empty_string_bug = yes; then case " $LIBOBJS " in *" stat.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS stat.$ac_objext" ;; esac printf "%s\n" "#define HAVE_STAT_EMPTY_STRING_BUG 1" >>confdefs.h fi for ac_func in strftime do : ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" if test "x$ac_cv_func_strftime" = xyes then : printf "%s\n" "#define HAVE_STRFTIME 1" >>confdefs.h else case e in #( e) # strftime is in -lintl on SCO UNIX. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for strftime in -lintl" >&5 printf %s "checking for strftime in -lintl... " >&6; } if test ${ac_cv_lib_intl_strftime+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lintl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char strftime (void); int main (void) { return strftime (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_intl_strftime=yes else case e in #( e) ac_cv_lib_intl_strftime=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_intl_strftime" >&5 printf "%s\n" "$ac_cv_lib_intl_strftime" >&6; } if test "x$ac_cv_lib_intl_strftime" = xyes then : printf "%s\n" "#define HAVE_STRFTIME 1" >>confdefs.h LIBS="-lintl $LIBS" fi ;; esac fi done { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working strtod" >&5 printf %s "checking for working strtod... " >&6; } if test ${ac_cv_func_strtod+y} then : printf %s "(cached) " >&6 else case e in #( e) if test "$cross_compiling" = yes then : ac_cv_func_strtod=no else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { { /* Some versions of Linux strtod mis-parse strings with leading '+'. */ char *string = " +69"; char *term; double value; value = strtod (string, &term); if (value != 69 || term != (string + 4)) return 1; } { /* Under Solaris 2.4, strtod returns the wrong value for the terminating character under some conditions. */ char *string = "NaN"; char *term; strtod (string, &term); if (term != string && *(term - 1) == 0) return 1; } return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_func_strtod=yes else case e in #( e) ac_cv_func_strtod=no ;; esac fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_strtod" >&5 printf "%s\n" "$ac_cv_func_strtod" >&6; } if test $ac_cv_func_strtod = no; then case " $LIBOBJS " in *" strtod.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS strtod.$ac_objext" ;; esac ac_fn_c_check_func "$LINENO" "pow" "ac_cv_func_pow" if test "x$ac_cv_func_pow" = xyes then : fi if test $ac_cv_func_pow = no; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for pow in -lm" >&5 printf %s "checking for pow in -lm... " >&6; } if test ${ac_cv_lib_m_pow+y} then : printf %s "(cached) " >&6 else case e in #( e) ac_check_lib_save_LIBS=$LIBS LIBS="-lm $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. The 'extern "C"' is for builds by C++ compilers; although this is not generally supported in C code supporting it here has little cost and some practical benefit (sr 110532). */ #ifdef __cplusplus extern "C" #endif char pow (void); int main (void) { return pow (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_m_pow=yes else case e in #( e) ac_cv_lib_m_pow=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_m_pow" >&5 printf "%s\n" "$ac_cv_lib_m_pow" >&6; } if test "x$ac_cv_lib_m_pow" = xyes then : POW_LIB=-lm else case e in #( e) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library containing definition of pow" >&5 printf "%s\n" "$as_me: WARNING: cannot find library containing definition of pow" >&2;} ;; esac fi fi fi ac_fn_c_check_func "$LINENO" "backtrace" "ac_cv_func_backtrace" if test "x$ac_cv_func_backtrace" = xyes then : printf "%s\n" "#define HAVE_BACKTRACE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "openlog" "ac_cv_func_openlog" if test "x$ac_cv_func_openlog" = xyes then : printf "%s\n" "#define HAVE_OPENLOG 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "syslog" "ac_cv_func_syslog" if test "x$ac_cv_func_syslog" = xyes then : printf "%s\n" "#define HAVE_SYSLOG 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "vfprintf" "ac_cv_func_vfprintf" if test "x$ac_cv_func_vfprintf" = xyes then : printf "%s\n" "#define HAVE_VFPRINTF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strlcpy" "ac_cv_func_strlcpy" if test "x$ac_cv_func_strlcpy" = xyes then : printf "%s\n" "#define HAVE_STRLCPY 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strftime" "ac_cv_func_strftime" if test "x$ac_cv_func_strftime" = xyes then : printf "%s\n" "#define HAVE_STRFTIME 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "inet_aton" "ac_cv_func_inet_aton" if test "x$ac_cv_func_inet_aton" = xyes then : printf "%s\n" "#define HAVE_INET_ATON 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "inet_pton" "ac_cv_func_inet_pton" if test "x$ac_cv_func_inet_pton" = xyes then : printf "%s\n" "#define HAVE_INET_PTON 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "inet_ntop" "ac_cv_func_inet_ntop" if test "x$ac_cv_func_inet_ntop" = xyes then : printf "%s\n" "#define HAVE_INET_NTOP 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "setlinebuf" "ac_cv_func_setlinebuf" if test "x$ac_cv_func_setlinebuf" = xyes then : printf "%s\n" "#define HAVE_SETLINEBUF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strerror" "ac_cv_func_strerror" if test "x$ac_cv_func_strerror" = xyes then : printf "%s\n" "#define HAVE_STRERROR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strtof" "ac_cv_func_strtof" if test "x$ac_cv_func_strtof" = xyes then : printf "%s\n" "#define HAVE_STRTOF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "floorf" "ac_cv_func_floorf" if test "x$ac_cv_func_floorf" = xyes then : printf "%s\n" "#define HAVE_FLOORF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "remainderf" "ac_cv_func_remainderf" if test "x$ac_cv_func_remainderf" = xyes then : printf "%s\n" "#define HAVE_REMAINDERF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "timegm" "ac_cv_func_timegm" if test "x$ac_cv_func_timegm" = xyes then : printf "%s\n" "#define HAVE_TIMEGM 1" >>confdefs.h fi saved_CPPFLAGS=$CPPFLAGS saved_LIBS=$LIBS LIB_XDR="" for ac_header in rpc/xdr.h do : ac_fn_c_check_header_compile "$LINENO" "rpc/xdr.h" "ac_cv_header_rpc_xdr_h" "#include #include " if test "x$ac_cv_header_rpc_xdr_h" = xyes then : printf "%s\n" "#define HAVE_RPC_XDR_H 1" >>confdefs.h else case e in #( e) CPPFLAGS="${saved_CPPFLAGS} -I/usr/include/tirpc" unset ac_cv_header_rpc_xdr_h for ac_header in rpc/xdr.h do : ac_fn_c_check_header_compile "$LINENO" "rpc/xdr.h" "ac_cv_header_rpc_xdr_h" "$ac_includes_default" if test "x$ac_cv_header_rpc_xdr_h" = xyes then : printf "%s\n" "#define HAVE_RPC_XDR_H 1" >>confdefs.h XDR_INCLS="-I/usr/include/tirpc" LIB_XDR="-ltirpc" fi done ;; esac fi done LIBS="$LIB_XDR $LIBS" for ac_func in xdrmem_create do : ac_fn_c_check_func "$LINENO" "xdrmem_create" "ac_cv_func_xdrmem_create" if test "x$ac_cv_func_xdrmem_create" = xyes then : printf "%s\n" "#define HAVE_XDRMEM_CREATE 1" >>confdefs.h printf "%s\n" "#define HAVE_XDR /**/" >>confdefs.h else case e in #( e) LIB_XDR="" XDR_INCLS="" ;; esac fi done CPPFLAGS=${saved_CPPFLAGS} LIBS=${saved_LIBS} needsnprintf=no for ac_func in vsnprintf snprintf do : as_ac_var=`printf "%s\n" "ac_cv_func_$ac_func" | sed "$as_sed_sh"` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" if eval test \"x\$"$as_ac_var"\" = x"yes" then : cat >>confdefs.h <<_ACEOF #define `printf "%s\n" "HAVE_$ac_func" | sed "$as_sed_cpp"` 1 _ACEOF else case e in #( e) needsnprintf=yes ;; esac fi done if test $needsnprintf = yes; then case " $LIBOBJS " in *" snprintf.$ac_objext "* ) ;; *) LIBOBJS="$LIBOBJS snprintf.$ac_objext" ;; esac fi # # Do this before checking for ether_hostton(), as it's a # "gethostbyname() -ish function". # ac_fn_c_check_func "$LINENO" "ether_hostton" "ac_cv_func_ether_hostton" if test "x$ac_cv_func_ether_hostton" = xyes then : printf "%s\n" "#define HAVE_ETHER_HOSTTON 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "getaddrinfo" "ac_cv_func_getaddrinfo" if test "x$ac_cv_func_getaddrinfo" = xyes then : printf "%s\n" "#define HAVE_GETADDRINFO 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "gethostname" "ac_cv_func_gethostname" if test "x$ac_cv_func_gethostname" = xyes then : printf "%s\n" "#define HAVE_GETHOSTNAME 1" >>confdefs.h fi if test "$ac_cv_func_ether_hostton" = yes; then # # OK, we have ether_hostton(). Do we have ? # if test "$ac_cv_header_netinet_if_ether_h" = yes; then # # Yes. Does it declare ether_hostton()? # ac_fn_check_decl "$LINENO" "ether_hostton" "ac_cv_have_decl_ether_hostton" " #include #include #include #include struct mbuf; struct rtentry; #include #include " "$ac_c_undeclared_builtin_options" "CFLAGS" if test "x$ac_cv_have_decl_ether_hostton" = xyes then : printf "%s\n" "#define NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON /**/" >>confdefs.h fi fi # # Did that succeed? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, how about , as on Linux? # ac_fn_c_check_header_compile "$LINENO" "netinet/ether.h" "ac_cv_header_netinet_ether_h" "$ac_includes_default" if test "x$ac_cv_header_netinet_ether_h" = xyes then : printf "%s\n" "#define HAVE_NETINET_ETHER_H 1" >>confdefs.h fi if test "$ac_cv_header_netinet_ether_h" = yes; then # # We have it - does it declare ether_hostton()? # Unset ac_cv_have_decl_ether_hostton so we don't # treat the previous failure as a cached value and # suppress the next test. # unset ac_cv_have_decl_ether_hostton ac_fn_check_decl "$LINENO" "ether_hostton" "ac_cv_have_decl_ether_hostton" " #include " "$ac_c_undeclared_builtin_options" "CFLAGS" if test "x$ac_cv_have_decl_ether_hostton" = xyes then : printf "%s\n" "#define NETINET_ETHER_H_DECLARES_ETHER_HOSTTON /**/" >>confdefs.h fi fi fi # # Is ether_hostton() declared? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, we'll have to declare it ourselves. # Do we have "struct ether_addr"? # ac_fn_c_check_type "$LINENO" "struct ether_addr" "ac_cv_type_struct_ether_addr" " #include #include #include #include struct mbuf; struct rtentry; #include #include " if test "x$ac_cv_type_struct_ether_addr" = xyes then : printf "%s\n" "#define HAVE_STRUCT_ETHER_ADDR 1" >>confdefs.h fi printf "%s\n" "#define HAVE_DECL_ETHER_HOSTTON 0" >>confdefs.h else printf "%s\n" "#define HAVE_DECL_ETHER_HOSTTON 1" >>confdefs.h fi fi if test "$ac_cv_type_struct_ether_addr" = yes ; then printf "%s\n" "#define HAVE_STRUCT_ETHER_ADDR /**/" >>confdefs.h fi if test "$tcl_cv_member_tm_gmtoff" = yes ; then printf "%s\n" "#define HAVE_TM_GMTOFF /**/" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "alarm" "ac_cv_func_alarm" if test "x$ac_cv_func_alarm" = xyes then : printf "%s\n" "#define HAVE_ALARM 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "bzero" "ac_cv_func_bzero" if test "x$ac_cv_func_bzero" = xyes then : printf "%s\n" "#define HAVE_BZERO 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "endgrent" "ac_cv_func_endgrent" if test "x$ac_cv_func_endgrent" = xyes then : printf "%s\n" "#define HAVE_ENDGRENT 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "endpwent" "ac_cv_func_endpwent" if test "x$ac_cv_func_endpwent" = xyes then : printf "%s\n" "#define HAVE_ENDPWENT 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "floor" "ac_cv_func_floor" if test "x$ac_cv_func_floor" = xyes then : printf "%s\n" "#define HAVE_FLOOR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "gethostbyaddr" "ac_cv_func_gethostbyaddr" if test "x$ac_cv_func_gethostbyaddr" = xyes then : printf "%s\n" "#define HAVE_GETHOSTBYADDR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "gethostbyname" "ac_cv_func_gethostbyname" if test "x$ac_cv_func_gethostbyname" = xyes then : printf "%s\n" "#define HAVE_GETHOSTBYNAME 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "getpass" "ac_cv_func_getpass" if test "x$ac_cv_func_getpass" = xyes then : printf "%s\n" "#define HAVE_GETPASS 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "gettimeofday" "ac_cv_func_gettimeofday" if test "x$ac_cv_func_gettimeofday" = xyes then : printf "%s\n" "#define HAVE_GETTIMEOFDAY 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "inet_ntoa" "ac_cv_func_inet_ntoa" if test "x$ac_cv_func_inet_ntoa" = xyes then : printf "%s\n" "#define HAVE_INET_NTOA 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "isascii" "ac_cv_func_isascii" if test "x$ac_cv_func_isascii" = xyes then : printf "%s\n" "#define HAVE_ISASCII 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "localtime_r" "ac_cv_func_localtime_r" if test "x$ac_cv_func_localtime_r" = xyes then : printf "%s\n" "#define HAVE_LOCALTIME_R 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "memchr" "ac_cv_func_memchr" if test "x$ac_cv_func_memchr" = xyes then : printf "%s\n" "#define HAVE_MEMCHR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "memmove" "ac_cv_func_memmove" if test "x$ac_cv_func_memmove" = xyes then : printf "%s\n" "#define HAVE_MEMMOVE 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "memset" "ac_cv_func_memset" if test "x$ac_cv_func_memset" = xyes then : printf "%s\n" "#define HAVE_MEMSET 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "mkdir" "ac_cv_func_mkdir" if test "x$ac_cv_func_mkdir" = xyes then : printf "%s\n" "#define HAVE_MKDIR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "modf" "ac_cv_func_modf" if test "x$ac_cv_func_modf" = xyes then : printf "%s\n" "#define HAVE_MODF 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "pow" "ac_cv_func_pow" if test "x$ac_cv_func_pow" = xyes then : printf "%s\n" "#define HAVE_POW 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "putenv" "ac_cv_func_putenv" if test "x$ac_cv_func_putenv" = xyes then : printf "%s\n" "#define HAVE_PUTENV 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "realpath" "ac_cv_func_realpath" if test "x$ac_cv_func_realpath" = xyes then : printf "%s\n" "#define HAVE_REALPATH 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "regcomp" "ac_cv_func_regcomp" if test "x$ac_cv_func_regcomp" = xyes then : printf "%s\n" "#define HAVE_REGCOMP 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "select" "ac_cv_func_select" if test "x$ac_cv_func_select" = xyes then : printf "%s\n" "#define HAVE_SELECT 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "setenv" "ac_cv_func_setenv" if test "x$ac_cv_func_setenv" = xyes then : printf "%s\n" "#define HAVE_SETENV 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket" if test "x$ac_cv_func_socket" = xyes then : printf "%s\n" "#define HAVE_SOCKET 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "sqrt" "ac_cv_func_sqrt" if test "x$ac_cv_func_sqrt" = xyes then : printf "%s\n" "#define HAVE_SQRT 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strcasecmp" "ac_cv_func_strcasecmp" if test "x$ac_cv_func_strcasecmp" = xyes then : printf "%s\n" "#define HAVE_STRCASECMP 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strchr" "ac_cv_func_strchr" if test "x$ac_cv_func_strchr" = xyes then : printf "%s\n" "#define HAVE_STRCHR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strdup" "ac_cv_func_strdup" if test "x$ac_cv_func_strdup" = xyes then : printf "%s\n" "#define HAVE_STRDUP 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strlcat" "ac_cv_func_strlcat" if test "x$ac_cv_func_strlcat" = xyes then : printf "%s\n" "#define HAVE_STRLCAT 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strncasecmp" "ac_cv_func_strncasecmp" if test "x$ac_cv_func_strncasecmp" = xyes then : printf "%s\n" "#define HAVE_STRNCASECMP 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strpbrk" "ac_cv_func_strpbrk" if test "x$ac_cv_func_strpbrk" = xyes then : printf "%s\n" "#define HAVE_STRPBRK 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strrchr" "ac_cv_func_strrchr" if test "x$ac_cv_func_strrchr" = xyes then : printf "%s\n" "#define HAVE_STRRCHR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strstr" "ac_cv_func_strstr" if test "x$ac_cv_func_strstr" = xyes then : printf "%s\n" "#define HAVE_STRSTR 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "strtol" "ac_cv_func_strtol" if test "x$ac_cv_func_strtol" = xyes then : printf "%s\n" "#define HAVE_STRTOL 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "srandomdev" "ac_cv_func_srandomdev" if test "x$ac_cv_func_srandomdev" = xyes then : printf "%s\n" "#define HAVE_SRANDOMDEV 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "tzset" "ac_cv_func_tzset" if test "x$ac_cv_func_tzset" = xyes then : printf "%s\n" "#define HAVE_TZSET 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "gethostuuid" "ac_cv_func_gethostuuid" if test "x$ac_cv_func_gethostuuid" = xyes then : printf "%s\n" "#define HAVE_GETHOSTUUID 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "posix_memalign" "ac_cv_func_posix_memalign" if test "x$ac_cv_func_posix_memalign" = xyes then : printf "%s\n" "#define HAVE_POSIX_MEMALIGN 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "memalign" "ac_cv_func_memalign" if test "x$ac_cv_func_memalign" = xyes then : printf "%s\n" "#define HAVE_MEMALIGN 1" >>confdefs.h fi case "$target" in arm*darwin*) V_ARCH="-arch arm64 -arch x86_64" ;; x86*darwin*) ;; esac case "$target_os" in arm*darwin*) V_ARCH="-arch arm64 -arch x86_64" COMPATLIB="-lz" ;; x86*darwin*) COMPATLIB="-lz" ;; *) if test "$ac_cv_header_zlib_h" = yes ; then COMPATLIB="-lm -lz" else COMPATLIB="-lm" fi ;; esac if test -f .memory ; then printf "%s\n" "#define ARGUSMEMDEBUG /**/" >>confdefs.h fi # Check whether --with-hashdebug was given. if test ${with_hashdebug+y} then : withval=$with_hashdebug; with_hashdebug="$withval" else case e in #( e) with_hashdebug="no" ;; esac fi if test "$with_hashdebug" != no; then printf "%s\n" "#define ARGUS_HASH_DEBUG /**/" >>confdefs.h fi # Check whether --with-nanoseconds was given. if test ${with_nanoseconds+y} then : withval=$with_nanoseconds; with_nanoseconds="$withval" else case e in #( e) with_nanoseconds="yes" ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for nanosecond timestamps" >&5 printf %s "checking for nanosecond timestamps... " >&6; } if test "$with_nanoseconds" != no; then printf "%s\n" "#define ARGUS_NANOSECONDS /**/" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi # Check whether --with-threads was given. if test ${with_threads+y} then : withval=$with_threads; with_threads="$withval" else case e in #( e) with_threads="yes" ;; esac fi if test "$with_threads" != no; then case "$host_os" in *openbsd*) ;; *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for .threads" >&5 printf %s "checking for .threads... " >&6; } if test -f .threads ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } V_THREADS="" if test "$GCC" = yes ; then case "$host_os" in *darwin*) ;; cygwin*) ;; *) V_THREADS="-lpthread $V_THREADS" ;; esac else case "$host_os" in solaris*) V_THREADS="-mt -lpthread $V_THREADS" ;; cygwin*) ;; *darwin*) ;; *) V_THREADS="-lpthread $V_THREADS" ;; esac fi printf "%s\n" "#define ARGUS_THREADS /**/" >>confdefs.h ac_fn_c_check_func "$LINENO" "sched_get_priority_min" "ac_cv_func_sched_get_priority_min" if test "x$ac_cv_func_sched_get_priority_min" = xyes then : printf "%s\n" "#define HAVE_SCHED_GET_PRIORITY_MIN 1" >>confdefs.h fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi ;; esac fi # Check whether --with-tcpwrappers was given. if test ${with_tcpwrappers+y} then : withval=$with_tcpwrappers; with_wrappers="$withval" else case e in #( e) with_wrappers="yes" ;; esac fi if test ${with_wrappers} != "no"; then saved_CPPFLAGS=$CPPFLAGS saved_LDFLAGS=$LDFLAGS saved_LIBS=$LIBS if test ${with_wrappers} != "yes"; then CPPFLAGS="${saved_CPPFLAGS} -I${with_wrappers}/include" LDFLAGS="${save_LDFLAGS} -L${with_wrappers}/lib" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for local tcp_wrappers library" >&5 printf %s "checking for local tcp_wrappers library... " >&6; } libwrap=FAIL lastdir=FAIL pwdir=`pwd` places=`ls .. | sed -e 's,/$,,' -e 's,^,../,' | grep -E 'tcp_wrappers'` for dir in $places; do if test $lastdir = $dir ; then continue; fi lastdir=$dir if test -r $dir/libwrap.a ; then libwrap=$dir/libwrap.a d=$dir fi done if test $libwrap = FAIL ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: not found" >&5 printf "%s\n" "not found" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for system tcp_wrappers library" >&5 printf %s "checking for system tcp_wrappers library... " >&6; } case "$target_os" in solaris*) CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; darwin*) CPPFLAGS="${saved_CPPFLAGS} -I/opt/local/include" LDFLAGS="${save_LDFLAGS} -L/opt/local/lib" ;; esac for ac_header in tcpd.h do : ac_fn_c_check_header_compile "$LINENO" "tcpd.h" "ac_cv_header_tcpd_h" "$ac_includes_default" if test "x$ac_cv_header_tcpd_h" = xyes then : printf "%s\n" "#define HAVE_TCPD_H 1" >>confdefs.h ac_fn_check_decl "$LINENO" "fromhost " "ac_cv_have_decl_fromhost_" " #include " "$ac_c_undeclared_builtin_options" "CFLAGS" if test "x$ac_cv_have_decl_fromhost_" = xyes then : ac_have_decl=1 else case e in #( e) ac_have_decl=0 ;; esac fi printf "%s\n" "#define HAVE_DECL_FROMHOST_ $ac_have_decl" >>confdefs.h if test $ac_have_decl = 1 then : fi else case e in #( e) ac_cv_found_wrappers=no ;; esac fi done if test "$ac_cv_found_wrappers" != no; then V_WRAPDEP="-lwrap" V_INCLS=$CPPFLAGS printf "%s\n" "#define ARGUS_WRAPPERS /**/" >>confdefs.h else LIBS=$saved_LIBS LDFLAGS=$saved_LDFLAGS CPPFLAGS=$saved_CPPFLAGS fi fi fi fi if test ! -z "$V_WRAPDEP"; then if test -f "$V_WRAPDEP"; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi wrapdir=`echo $V_WRAPDEP | sed -e 's/^\.\./..\/../'` ln -s $wrapdir lib/libwrap.a V_WRAPDEP="../lib/libwrap.a" else if test "$V_WRAPDEP" = "-lwrap" ; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi case "$target_os" in linux*) V_WRAPDEP="$V_WRAPDEP -lnsl";; esac fi fi printf "%s\n" "#define HAVE_TCP_WRAPPER /**/" >>confdefs.h WRAPLIBS="$V_WRAPDEP" fi case "$target_cpu" in *86) have_x86=yes; ;; powerpc-apple*) ;; powerpc64-*-linux-gnu) V_CCOPT="$V_CCOPT -m64 -fPIC" ;; esac case "$target_os" in aix*) have_sun=yes; ;; darwin*) have_darwin=yes; ;; hpux9*) have_hpux_nine=yes; ;; hpux10.0*) ;; hpux10.1*) ;; hpux*) have_hpux_ten=yes; ;; sinix*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if SINIX compiler defines sinix" >&5 printf %s "checking if SINIX compiler defines sinix... " >&6; } if test ${ac_cv_cc_sinix_defined+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { int i = sinix; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_cc_sinix_defined=yes else case e in #( e) ac_cv_cc_sinix_defined=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cc_sinix_defined" >&5 printf "%s\n" "$ac_cv_cc_sinix_defined" >&6; } if test "$ac_cv_cc_sinix_defined" = "no" ; then printf "%s\n" "#define sinix /**/" >>confdefs.h fi ;; solaris*) printf "%s\n" "#define HAVE_SOLARIS 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for LD_LIBRARY_PATH" >&5 printf %s "checking for LD_LIBRARY_PATH... " >&6; } if test "x$LD_LIBRARY_PATH" != "x" ; then LIBS="$LIBS -R$LD_LIBRARY_PATH" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes -- added LD_LIBRARY_PATH to run-time linker path" >&5 printf "%s\n" "yes -- added LD_LIBRARY_PATH to run-time linker path" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no -- this may be a problem in a few seconds" >&5 printf "%s\n" "no -- this may be a problem in a few seconds" >&6; } fi COMPATLIB="-lsocket -lnsl -lrt $COMPATLIB" ;; linux*) ;; cygwin*) have_cygwin=yes; V_INCLS="$V_INCLS -I../include/cygwin-include" ;; esac if test "$have_x86" = yes ; then printf "%s\n" "#define CONFIG_X86_BSWAP /**/" >>confdefs.h fi if test "$have_darwin" = yes ; then printf "%s\n" "#define HAVE_DARWIN /**/" >>confdefs.h fi if test "$have_hpux_nine" = yes ; then printf "%s\n" "#define HAVE_HPUX9 /**/" >>confdefs.h fi if test "$have_hpux_ten" = yes ; then printf "%s\n" "#define HAVE_HPUX10_20 /**/" >>confdefs.h fi if test "$have_sun" = yes ; then printf "%s\n" "#define _SUN /**/" >>confdefs.h fi if test "$have_cygwin" = yes ; then printf "%s\n" "#define CYGWIN /**/" >>confdefs.h fi if test "$with_pluribus" = yes ; then printf "%s\n" "#define ARGUS_PLURIBUS /**/" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking tm_gmtoff in struct tm" >&5 printf %s "checking tm_gmtoff in struct tm... " >&6; } if test ${tcl_cv_member_tm_gmtoff+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { struct tm tm; tm.tm_gmtoff; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : tcl_cv_member_tm_gmtoff=yes else case e in #( e) tcl_cv_member_tm_gmtoff=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $tcl_cv_member_tm_gmtoff" >&5 printf "%s\n" "$tcl_cv_member_tm_gmtoff" >&6; } if test $tcl_cv_member_tm_gmtoff = yes ; then printf "%s\n" "#define HAVE_TM_GMTOFF /**/" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking sys_errlist in stdio.h" >&5 printf %s "checking sys_errlist in stdio.h... " >&6; } if test ${arg_cv_sys_errlist+y} then : printf %s "(cached) " >&6 else case e in #( e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { char *ptr = sys_errlist[0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : arg_cv_sys_errlist=yes else case e in #( e) arg_cv_sys_errlist=no ;; esac fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $arg_cv_sys_errlist" >&5 printf "%s\n" "$arg_cv_sys_errlist" >&6; } if test $arg_cv_sys_errlist = yes ; then printf "%s\n" "#define HAVE_SYS_ERRLIST /**/" >>confdefs.h fi if test ! -z "$V_PCAPDEP"; then LIBS="$LIBS $V_PCAPDEP" fi INSTALL_LIB="../lib" INSTALL_BIN="../bin" ac_config_files="$ac_config_files Makefile ./common/Makefile ./argus/Makefile ./events/Makefile ./lib/argus.spec" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # 'ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* 'ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # 'set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # 'set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test ${\1+y} || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 printf "%s\n" "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 printf "%s\n" "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`printf "%s\n" "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs # Check whether --enable-year2038 was given. if test ${enable_year2038+y} then : enableval=$enable_year2038; fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 printf "%s\n" "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case e in #( e) case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as 'sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else case e in #( e) as_fn_append () { eval $1=\$$1\$2 } ;; esac fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else case e in #( e) as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } ;; esac fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both 'ln -s file dir' and 'ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; 'ln -s' creates a wrapper executable. # In both cases, we have to default to 'cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_sed_cpp="y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g" as_tr_cpp="eval sed '$as_sed_cpp'" # deprecated # Sed expression to map a string onto a valid variable name. as_sed_sh="y%*+%pp%;s%[^_$as_cr_alnum]%_%g" as_tr_sh="eval sed '$as_sed_sh'" # deprecated exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by Argus-5.0 Server Programs $as_me 5.0.0, which was generated by GNU Autoconf 2.72. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ '$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Report bugs to . Argus-5.0 Server Programs home page: ." _ACEOF ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ Argus-5.0 Server Programs config.status 5.0.0 configured by $0, generated by GNU Autoconf 2.72, with options \\"\$ac_cs_config\\" Copyright (C) 2023 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) printf "%s\n" "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) printf "%s\n" "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: '$1' Try '$0 --help' for more information.";; --help | --hel | -h ) printf "%s\n" "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: '$1' Try '$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \printf "%s\n" "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX printf "%s\n" "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "include/argus_config.h") CONFIG_HEADERS="$CONFIG_HEADERS include/argus_config.h" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "./common/Makefile") CONFIG_FILES="$CONFIG_FILES ./common/Makefile" ;; "./argus/Makefile") CONFIG_FILES="$CONFIG_FILES ./argus/Makefile" ;; "./events/Makefile") CONFIG_FILES="$CONFIG_FILES ./events/Makefile" ;; "./lib/argus.spec") CONFIG_FILES="$CONFIG_FILES ./lib/argus.spec" ;; *) as_fn_error $? "invalid argument: '$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test ${CONFIG_FILES+y} || CONFIG_FILES=$config_files test ${CONFIG_HEADERS+y} || CONFIG_HEADERS=$config_headers fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to '$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with './config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with './config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script 'defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag '$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain ':'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: '$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is 'configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 printf "%s\n" "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`printf "%s\n" "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 printf "%s\n" "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when '$srcdir' = '.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&5 printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable 'datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 printf "%s\n" "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi if test -f .devel ; then make depend fi argus-5.0.2/configure.ac000066400000000000000000000274121471541253600151430ustar00rootroot00000000000000# # Argus-5.0 Software. Tools to read, analyze and manage Argus data. # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Process this file with autoconf to produce a configure script. AC_PREREQ([2.69]) AC_INIT([Argus-5.0 Server Programs],[5.0.0],[bug-report@qosient.com],[argus],[http://qosient.com/argus]) PACKAGE_RELEASE='3.8' ARGUSPRO_VERSION='1.0' AC_DEFINE([ARGUSPRO_VERSION_STRING], ["1.0"], [Product version number string]) AC_CONFIG_SRCDIR([argus/argus.c]) AC_CONFIG_AUX_DIR([config]) AC_CONFIG_HEADERS([include/argus_config.h]) AC_CANONICAL_TARGET AC_PREFIX_DEFAULT( /usr/local ) AC_LBL_C_INIT(V_CCOPT, V_INCLS) AC_QOSIENT_LIBPCAP(V_PCAPDEP, V_INCLS) if test ! -z "$V_PCAPDEP"; then if test -f "$V_PCAPDEP"; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi pcapdir=`echo $V_PCAPDEP | sed -e 's/\.\./..\/../'` ln -s $pcapdir lib/libpcap.a V_PCAPDEP="../lib/libpcap.a" else if test "$V_PCAPDEP" = "-lpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi if test "$V_PCAPDEP" = "-lwpcap" ; then if test -f lib/libpcap.a; then rm -rf lib/libpcap.a fi fi fi fi AC_QOSIENT_LEX_AND_YACC(V_LEX, V_YACC, argus_) AC_QOSIENT_MACHINE_ID # Checks for programs. AC_C_INLINE AC_PROG_MAKE_SET AC_PROG_LN_S AC_PROG_INSTALL AC_PROG_RANLIB AC_PROG_YACC AC_CHECK_PROGS(V_RANLIB, ranlib, @true) AC_QOSIENT_PERL(V_PERL) # Checks for libraries. CMU_SASL2(V_INCLS) AC_LBL_LIBRARY_NET AC_QOSIENT_PCRE(V_PCRE, V_INCLS) # Checks for header files. AC_HEADER_DIRENT AC_PROG_EGREP AC_HEADER_SYS_WAIT AC_CHECK_HEADERS([sys/sockio.h string.h fcntl.h sys/file.h syslog.h zlib.h]) AC_CHECK_HEADERS([arpa/inet.h fcntl.h inttypes.h limits.h libintl.h malloc.h memory.h netdb.h]) AC_CHECK_HEADERS([net/if.h netinet/in.h netinet/if_ether.h netinet/ether.h netinet/in_systm.h]) AC_CHECK_HEADERS([netinet/ip.h netinet/udp.h netinet/tcp.h]) AC_CHECK_HEADERS([stdlib.h stddef.h string.h strings.h sys/file.h sys/ioctl.h sys/param.h sys/socket.h]) AC_CHECK_HEADERS([sys/time.h sys/vfs.h syslog.h termios.h unistd.h values.h features.h]) AC_CHECK_HEADERS([dns_sd.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE AC_SYS_LARGEFILE AC_LBL_UNALIGNED_ACCESS AC_LBL_DEVEL(V_CCOPT) AC_QOSIENT_DEBUG(V_CCOPT) AC_QOSIENT_MEMORY AC_TYPE_INT8_T AC_TYPE_UINT8_T AC_TYPE_INT16_T AC_TYPE_UINT16_T AC_TYPE_INT32_T AC_TYPE_UINT32_T AC_TYPE_UID_T AC_TYPE_PID_T AC_TYPE_SIZE_T AC_STRUCT_TM AC_STRUCT_TIMEZONE # Checks for library functions. AC_FUNC_ALLOCA AC_FUNC_VPRINTF AC_FUNC_CLOSEDIR_VOID AC_FUNC_ERROR_AT_LINE AC_FUNC_FORK AC_FUNC_MALLOC AC_FUNC_MEMCMP AC_FUNC_MKTIME AC_FUNC_REALLOC AC_FUNC_SELECT_ARGTYPES AC_DEFINE_UNQUOTED([RETSIGTYPE],[$ac_cv_type_signal],[Define as the return type of signal handlers (`int' or `void').]) AC_FUNC_STAT AC_FUNC_STRFTIME AC_FUNC_STRTOD AC_CHECK_FUNCS(backtrace) AC_CHECK_FUNCS(openlog syslog) AC_CHECK_FUNCS(vfprintf strlcpy) AC_CHECK_FUNCS(strftime) AC_CHECK_FUNCS([inet_aton inet_pton inet_ntop]) AC_CHECK_FUNCS(setlinebuf) AC_CHECK_FUNCS(strerror strtof) AC_CHECK_FUNCS(floorf remainderf) AC_CHECK_FUNCS(timegm) saved_CPPFLAGS=$CPPFLAGS saved_LIBS=$LIBS LIB_XDR="" AC_CHECK_HEADERS([rpc/xdr.h], , [CPPFLAGS="${saved_CPPFLAGS} -I/usr/include/tirpc" unset ac_cv_header_rpc_xdr_h AC_CHECK_HEADERS(rpc/xdr.h, [XDR_INCLS="-I/usr/include/tirpc" LIB_XDR="-ltirpc"])], [#include #include ]) LIBS="$LIB_XDR $LIBS" AC_CHECK_FUNCS(xdrmem_create, AC_DEFINE([HAVE_XDR], [], [Using system XDR library]), LIB_XDR="" XDR_INCLS="" ) CPPFLAGS=${saved_CPPFLAGS} LIBS=${saved_LIBS} needsnprintf=no AC_CHECK_FUNCS(vsnprintf snprintf,, [needsnprintf=yes]) if test $needsnprintf = yes; then AC_LIBOBJ(snprintf) fi # # Do this before checking for ether_hostton(), as it's a # "gethostbyname() -ish function". # AC_CHECK_FUNCS([ether_hostton getaddrinfo gethostname]) if test "$ac_cv_func_ether_hostton" = yes; then # # OK, we have ether_hostton(). Do we have ? # if test "$ac_cv_header_netinet_if_ether_h" = yes; then # # Yes. Does it declare ether_hostton()? # AC_CHECK_DECL(ether_hostton, [ AC_DEFINE(NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON,, [Define to 1 if netinet/if_ether.h declares `ether_hostton']) ],, [ #include #include #include #include struct mbuf; struct rtentry; #include #include ]) fi # # Did that succeed? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, how about , as on Linux? # AC_CHECK_HEADERS(netinet/ether.h) if test "$ac_cv_header_netinet_ether_h" = yes; then # # We have it - does it declare ether_hostton()? # Unset ac_cv_have_decl_ether_hostton so we don't # treat the previous failure as a cached value and # suppress the next test. # unset ac_cv_have_decl_ether_hostton AC_CHECK_DECL(ether_hostton, [ AC_DEFINE(NETINET_ETHER_H_DECLARES_ETHER_HOSTTON,, [Define to 1 if netinet/ether.h declares `ether_hostton']) ],, [ #include ]) fi fi # # Is ether_hostton() declared? # if test "$ac_cv_have_decl_ether_hostton" != yes; then # # No, we'll have to declare it ourselves. # Do we have "struct ether_addr"? # AC_CHECK_TYPES(struct ether_addr,,, [ #include #include #include #include struct mbuf; struct rtentry; #include #include ]) AC_DEFINE(HAVE_DECL_ETHER_HOSTTON, 0, [Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't.]) else AC_DEFINE(HAVE_DECL_ETHER_HOSTTON, 1, [Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't.]) fi fi if test "$ac_cv_type_struct_ether_addr" = yes ; then AC_DEFINE([HAVE_STRUCT_ETHER_ADDR], [], [struct ether addr]) fi if test "$tcl_cv_member_tm_gmtoff" = yes ; then AC_DEFINE([HAVE_TM_GMTOFF], [], [tm_gmtoff in struct tm]) fi AC_CHECK_FUNCS([alarm bzero endgrent endpwent floor gethostbyaddr gethostbyname getpass gettimeofday inet_ntoa isascii localtime_r]) AC_CHECK_FUNCS([memchr memmove memset mkdir modf pow putenv realpath regcomp select setenv socket sqrt strcasecmp strchr]) AC_CHECK_FUNCS([strdup strlcat strncasecmp strpbrk strrchr strstr strtol srandomdev tzset]) AC_CHECK_FUNCS([gethostuuid]) AC_CHECK_FUNCS([posix_memalign memalign]) case "$target" in arm*darwin*) V_ARCH="-arch arm64 -arch x86_64" ;; x86*darwin*) ;; esac case "$target_os" in arm*darwin*) V_ARCH="-arch arm64 -arch x86_64" COMPATLIB="-lz" ;; x86*darwin*) COMPATLIB="-lz" ;; *) if test "$ac_cv_header_zlib_h" = yes ; then COMPATLIB="-lm -lz" else COMPATLIB="-lm" fi ;; esac AC_QOSIENT_MEMORY AC_QOSIENT_HASHDEBUG() AC_QOSIENT_NANOSECONDS() AC_QOSIENT_THREADS(V_THREADS) AC_QOSIENT_TCPWRAP(V_WRAPDEP, V_INCLS) if test ! -z "$V_WRAPDEP"; then if test -f "$V_WRAPDEP"; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi wrapdir=`echo $V_WRAPDEP | sed -e 's/^\.\./..\/../'` ln -s $wrapdir lib/libwrap.a V_WRAPDEP="../lib/libwrap.a" else if test "$V_WRAPDEP" = "-lwrap" ; then if test -f lib/libwrap.a; then rm -rf lib/libwrap.a fi case "$target_os" in linux*) V_WRAPDEP="$V_WRAPDEP -lnsl";; esac fi fi AC_DEFINE([HAVE_TCP_WRAPPER], [], [Using Tcp wrappers]) WRAPLIBS="$V_WRAPDEP" fi case "$target_cpu" in *86) have_x86=yes; ;; powerpc-apple*) ;; powerpc64-*-linux-gnu) V_CCOPT="$V_CCOPT -m64 -fPIC" ;; esac case "$target_os" in aix*) dnl Workaround to enable certain features have_sun=yes; ;; darwin*) have_darwin=yes; ;; hpux9*) have_hpux_nine=yes; ;; hpux10.0*) ;; hpux10.1*) ;; hpux*) have_hpux_ten=yes; ;; sinix*) AC_MSG_CHECKING(if SINIX compiler defines sinix) AC_CACHE_VAL(ac_cv_cc_sinix_defined, AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[int i = sinix;]])],[ac_cv_cc_sinix_defined=yes],[ac_cv_cc_sinix_defined=no])) AC_MSG_RESULT($ac_cv_cc_sinix_defined) if test "$ac_cv_cc_sinix_defined" = "no" ; then AC_DEFINE([sinix], [], [Description]) fi ;; solaris*) AC_DEFINE(HAVE_SOLARIS,1,[On solaris]) AC_MSG_CHECKING(for LD_LIBRARY_PATH, since you appear to be running Solaris) if test "x$LD_LIBRARY_PATH" != "x" ; then LIBS="$LIBS -R$LD_LIBRARY_PATH" AC_MSG_RESULT(yes -- added LD_LIBRARY_PATH to run-time linker path) else AC_MSG_RESULT(no -- this may be a problem in a few seconds) fi COMPATLIB="-lsocket -lnsl -lrt $COMPATLIB" ;; linux*) ;; cygwin*) have_cygwin=yes; V_INCLS="$V_INCLS -I../include/cygwin-include" ;; esac if test "$have_x86" = yes ; then AC_DEFINE([CONFIG_X86_BSWAP], [], [System has x86 endian support]) fi if test "$have_darwin" = yes ; then AC_DEFINE([HAVE_DARWIN], [], [Mac OS X]) fi if test "$have_hpux_nine" = yes ; then AC_DEFINE([HAVE_HPUX9], [], [HPUX 9]) fi if test "$have_hpux_ten" = yes ; then AC_DEFINE([HAVE_HPUX10_20], [], [HPUX 10]) fi if test "$have_sun" = yes ; then AC_DEFINE([_SUN], [], [Description]) fi if test "$have_cygwin" = yes ; then AC_DEFINE([CYGWIN], [], [Using cygwin]) fi if test "$with_pluribus" = yes ; then AC_DEFINE([ARGUS_PLURIBUS], [], [Using Pluribus]) fi AC_CACHE_CHECK([tm_gmtoff in struct tm], tcl_cv_member_tm_gmtoff, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[struct tm tm; tm.tm_gmtoff;]])],[tcl_cv_member_tm_gmtoff=yes],[tcl_cv_member_tm_gmtoff=no])]) if test $tcl_cv_member_tm_gmtoff = yes ; then AC_DEFINE([HAVE_TM_GMTOFF], [], [tm_gmtoff in struct tm]) fi AC_CACHE_CHECK([sys_errlist in stdio.h], arg_cv_sys_errlist, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [[char *ptr = sys_errlist[0];]])],[arg_cv_sys_errlist=yes],[arg_cv_sys_errlist=no])]) if test $arg_cv_sys_errlist = yes ; then AC_DEFINE([HAVE_SYS_ERRLIST], [], [sys_errlist in stdio.h]) fi if test ! -z "$V_PCAPDEP"; then LIBS="$LIBS $V_PCAPDEP" fi INSTALL_LIB="../lib" INSTALL_BIN="../bin" AC_SUBST(PACKAGE_VERSION) AC_SUBST(PACKAGE_RELEASE) AC_SUBST(ARGUSPRO_VERSION) AC_SUBST(LIBS) AC_SUBST(INCLS) AC_SUBST(V_ARCH) AC_SUBST(V_CCOPT) AC_SUBST(V_INCLS) AC_SUBST(V_RANLIB) AC_SUBST(V_YACC) AC_SUBST(V_LEX) AC_SUBST(V_PERL) AC_SUBST(V_THREADS) AC_SUBST(WRAPLIBS) AC_SUBST(COMPATLIB) AC_SUBST(LIB_SASL) AC_SUBST(LIB_XDR) AC_SUBST(XDR_INCLS) AC_SUBST(INSTALL_LIB) AC_SUBST(INSTALL_BIN) AC_CONFIG_FILES([ Makefile ./common/Makefile ./argus/Makefile ./events/Makefile ./lib/argus.spec ]) AC_OUTPUT if test -f .devel ; then make depend fi argus-5.0.2/debian/000077500000000000000000000000001471541253600140715ustar00rootroot00000000000000argus-5.0.2/debian/argus.postinst000077500000000000000000000020421471541253600170200ustar00rootroot00000000000000#!/bin/sh # postinst script for argus # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `configure' # * `abort-upgrade' # * `abort-remove' `in-favour' # # * `abort-remove' # * `abort-deconfigure' `in-favour' # `removing' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in configure) if [ -x "/etc/init.d/argus" ]; then if [ ! -e "/etc/init/argus.conf" ]; then update-rc.d argus start 55 2 3 4 5 . stop 45 0 1 6 . >/dev/null fi invoke-rc.d argus start || exit $? fi exit 0 ;; abort-upgrade|abort-remove|abort-deconfigure) ;; *) echo "postinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 argus-5.0.2/debian/argus.postrm000077500000000000000000000002651471541253600164660ustar00rootroot00000000000000#!/bin/sh set -e # Automatically added by dh_installinit if [ "$1" = "purge" ] ; then update-rc.d argus remove >/dev/null fi # End automatically added section #DEBHELPER# exit 0 argus-5.0.2/debian/argus.preinst000077500000000000000000000013171471541253600166250ustar00rootroot00000000000000#!/bin/sh # preinst script for argus # # see: dh_installdeb(1) set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package case "$1" in install|upgrade) # # stop the daemon before upgrade # if [ -x "/etc/init.d/argus" ]; then invoke-rc.d argus stop || exit $? fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 argus-5.0.2/debian/argus.prerm000077500000000000000000000002271471541253600162650ustar00rootroot00000000000000#!/bin/sh set -e # # stop the daemon before uninstall # if [ -x "/etc/init.d/argus" ]; then invoke-rc.d argus stop || exit $? fi #DEBHELPER# exit 0 argus-5.0.2/debian/changelog000066400000000000000000000002311471541253600157370ustar00rootroot00000000000000argus (3.0.8-1ppa1) precise; urgency=low * Initial release Argus 3.0.8 -- Ponsonby Britt Thu, 04 Jul 1776 13:38:40 -0400 argus-5.0.2/debian/compat000066400000000000000000000000021471541253600152670ustar00rootroot000000000000009 argus-5.0.2/debian/control000066400000000000000000000011431471541253600154730ustar00rootroot00000000000000Source: argus Section: utils Priority: optional Maintainer: Carter Bullard Build-Depends: debhelper (>= 9.0.0), autotools-dev, flex, bison, libpcap-dev, libwrap0-dev, zlib1g-dev Standards-Version: 3.9.6 Homepage: http://qosient.com/argus Package: argus Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: network flow sensor The ARGUS (Audit Record Generation And Utilization System) is an data network transaction auditing system. The data generated by argus can be used for a wide range of tasks such as network operations, security and performance management. argus-5.0.2/debian/copyright000066400000000000000000000033721471541253600160310ustar00rootroot00000000000000Format: http://dep.debian.net/deps/dep5 Upstream-Name: argus Source: http://qosient.com/argus Files: * Copyright: 2000-2014 Carter Bullard License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . # If you want to use GPL v2 or later for the /debian/* files use # the following clauses, or change it to suit. Delete these two lines Files: debian/* Copyright: 2014 Carter Bullard License: GPL-2+ This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . On Debian systems, the complete text of the GNU General Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". argus-5.0.2/debian/docs000066400000000000000000000000071471541253600147410ustar00rootroot00000000000000README argus-5.0.2/debian/install000066400000000000000000000002641471541253600154640ustar00rootroot00000000000000pkg/argus.conf /etc/ pkg/ubuntu/init.d/argus /etc/init.d/ pkg/ubuntu/default/argus /etc/default/ debian/tmp/usr/bin/ usr/ debian/tmp/usr/sbin/ usr/ support/ usr/share/doc/argus argus-5.0.2/debian/manpages000066400000000000000000000001001471541253600155760ustar00rootroot00000000000000debian/tmp/usr/share/man/man5/* debian/tmp/usr/share/man/man8/* argus-5.0.2/debian/rules000077500000000000000000000010321471541253600151450ustar00rootroot00000000000000#!/usr/bin/make -f # -*- makefile -*- # Sample debian/rules that uses debhelper. # This file was originally written by Joey Hess and Craig Small. # As a special exception, when this file is copied by dh-make into a # dh-make output file, you may use that output file without restriction. # This special exception was added by Craig Small in version 0.37 of dh-make. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 %: dh $@ --with autotools-dev override_dh_auto_install: dh_auto_install --destdir=$(CURDIR)/debian/tmp argus-5.0.2/debian/source/000077500000000000000000000000001471541253600153715ustar00rootroot00000000000000argus-5.0.2/debian/source/format000066400000000000000000000000141471541253600165770ustar00rootroot000000000000003.0 (quilt) argus-5.0.2/doc/000077500000000000000000000000001471541253600134145ustar00rootroot00000000000000argus-5.0.2/doc/README000066400000000000000000000032571471541253600143030ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. namedb * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ All documenation for argus-5.0 can be found on the argus home website: http://qosient.com/argus/ If you find that any documentation is either not current, or incorrect, please don't hesitate to send email to the argus developers mailing list, or argus@qosient.com. Man page conversion to pdf's is done with the shell script below, using Ghostscript's ps2pdf on Linux and pstopdf on Mac OS X. Both use "man -t" to generates postscript output. This maybe the case on all Unix's but not sure about that. for i in man/*/*; \ do echo $i; \ man -t $i | ps2pdf - `echo $i | sed -e "s/man/doc\/pdf\/man/"`.pdf; \ done For Mac OS X, use pstopdf. for i in man/*/*; \ do echo $i; \ man -t $i | pstopdf -i -o `echo $i | sed -e "s/man/doc\/pdf\/man/"`.pdf; \ done argus-5.0.2/events/000077500000000000000000000000001471541253600141535ustar00rootroot00000000000000argus-5.0.2/events/Makefile.in000077500000000000000000000117731471541253600162340ustar00rootroot00000000000000# # Argus-5.0 Software. Argus Event files - Makefile.in # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # Various configurable paths (remember to edit Makefile.in, not Makefile) # NOOP = $(SHELL) -c true NOECHO = @ # Top level hierarchy prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ # Pathname of directory to install the system binaries SBINDIR = @sbindir@ # Pathname of directory to install the system binaries BINDIR = @bindir@ # Pathname of directory to install the include files INCLDEST = @includedir@ # Pathname of directory to install the library LIBDEST = @libdir@ # Pathname of directory to install the man page MANDEST = @mandir@ # Pathname of preferred perl to use for perl scripts PERL = @V_PERL@ # VPATH srcdir = @srcdir@ VPATH = @srcdir@ COMPATLIB = @COMPATLIB@ WRAPLIBS = @WRAPLIBS@ # # You shouldn't need to edit anything below. # CC = @CC@ CCOPT = @V_CCOPT@ INCLS = -I$(srcdir) @V_INCLS@ -I$(srcdir)/../include DEFS = @DEFS@ #DEFS = -DARGUSPERFMETRICS=1 @DEFS@ # Standard CFLAGS CFLAGS = $(CCOPT) @LBL_CFLAGS@ $(INCLS) $(DEFS) $(EXTRA_CFLAGS) LDFLAGS = @LDFLAGS@ INSTALL = @INSTALL@ RANLIB = @V_RANLIB@ # # Flex and bison allow you to specify the prefixes of the global symbols # used by the generated parser. This allows programs to use lex/yacc # and link against libpcap. If you don't have flex or bison, get them. # LEX = @V_LEX@ YACC = @V_YACC@ # Explicitly define compilation rule since SunOS 4's make doesn't like gcc. # Also, gcc does not remove the .o before forking 'as', which can be a # problem if you don't own the file but can write to the directory. .c.o: @rm -f $@ $(CC) $(CFLAGS) -c $< SRC = argus-extip.pl argus-lsof.pl argus-stumbler.pl argus-snmp.sh argus-vmstat.sh argus-airport.sh argus-netstat.pl\ argus-ipaddr.pl argus-ipmitool.pl PROG = @INSTALL_BIN@/argus-extip @INSTALL_BIN@/argus-lsof @INSTALL_BIN@/argus-stumbler @INSTALL_BIN@/argus-snmp \ @INSTALL_BIN@/argus-vmstat @INSTALL_BIN@/argus-airport @INSTALL_BIN@/argus-netstat \ @INSTALL_BIN@/argus-ipaddr @INSTALL_BIN@/argus-ipmitool CLEANFILES = $(PROG) all: $(PROG) @INSTALL_BIN@/argus-ipmitool: argus-ipmitool.pl sed 's+@PERLBIN@+$(PERL)+' argus-ipmitool.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-ipaddr: argus-ipaddr.pl sed 's+@PERLBIN@+$(PERL)+' argus-ipaddr.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-extip: argus-extip.pl sed 's+@PERLBIN@+$(PERL)+' argus-extip.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-lsof: argus-lsof.pl sed 's+@PERLBIN@+$(PERL)+' argus-lsof.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-netstat: argus-netstat.pl sed 's+@PERLBIN@+$(PERL)+' argus-netstat.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-stumbler: argus-stumbler.pl sed 's+@PERLBIN@+$(PERL)+' argus-stumbler.pl > $@ chmod +x $@ @INSTALL_BIN@/argus-snmp: argus-snmp.sh cp -f argus-snmp.sh $@ @INSTALL_BIN@/argus-vmstat: argus-vmstat.sh cp -f argus-vmstat.sh $@ @INSTALL_BIN@/argus-airport: argus-airport.sh cp -f argus-airport.sh $@ install: all force [ -d $(DESTDIR)$(SBINDIR) ] || \ (mkdir -p $(DESTDIR)$(SBINDIR); chmod 755 $(DESTDIR)$(SBINDIR)) $(INSTALL) $(srcdir)/../bin/argus-extip $(DESTDIR)$(BINDIR)/argus-extip $(INSTALL) $(srcdir)/../bin/argus-lsof $(DESTDIR)$(BINDIR)/argus-lsof $(INSTALL) $(srcdir)/../bin/argus-netstat $(DESTDIR)$(BINDIR)/argus-netstat $(INSTALL) $(srcdir)/../bin/argus-stumbler $(DESTDIR)$(BINDIR)/argus-stumbler $(INSTALL) $(srcdir)/../bin/argus-snmp $(DESTDIR)$(BINDIR)/argus-snmp $(INSTALL) $(srcdir)/../bin/argus-vmstat $(DESTDIR)$(BINDIR)/argus-vmstat $(INSTALL) $(srcdir)/../bin/argus-airport $(DESTDIR)$(BINDIR)/argus-airport $(INSTALL) $(srcdir)/../bin/argus-ipaddr $(DESTDIR)$(BINDIR)/argus-ipaddr $(INSTALL) $(srcdir)/../bin/argus-ipmitool $(DESTDIR)$(BINDIR)/argus-ipmitool uninstall: all force rm -f $(DESTDIR)$(BINDIR)/argus-extip rm -f $(DESTDIR)$(BINDIR)/argus-lsof rm -f $(DESTDIR)$(BINDIR)/argus-netstat rm -f $(DESTDIR)$(BINDIR)/argus-stumbler rm -f $(DESTDIR)$(BINDIR)/argus-snmp rm -f $(DESTDIR)$(BINDIR)/argus-vmstat rm -f $(DESTDIR)$(BINDIR)/argus-airport rm -f $(DESTDIR)$(BINDIR)/argus-ipaddr rm -f $(DESTDIR)$(BINDIR)/argus-ipmitool clean: rm -f $(CLEANFILES) distclean: rm -f $(CLEANFILES) Makefile force: /tmp depend: force $(NOECHO) $(NOOP) argus-5.0.2/events/README000066400000000000000000000050461471541253600150400ustar00rootroot00000000000000# # Argus-5.0 Software. Argus event files - README # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Written by Carter Bullard # QoSient, LLC # Argus-5.0 Event Examples QoSient, LLC http://qosient.com/argus Argus, running as a daemon, can be configured to run programs periodically, and to transport the resulting output as an ARGUS_EVENT. This basic mechanism, allows argus to collect additional situational awareness data and insert it into the argus flow data stream. See the configuration support descriptions in argus.conf.5 for details on this feature. The types of information envisioned for this feature is SNMP collected data, system information, such as resource utilization, temperature, open files and syslog information. But it is not limited to these simple examples. The system is designed to collect and transport ASCII output, upto 64K in length, so it will support unstructured data. The examples below, however, implement a structured approach, to aid argus data collectors, mediators and analysis engines the ability to parse and use the data. This directory contains perl and shell scripts to generate the data for the argus events functions. These scripts were developed on Mac OS X Snow Leopard, and as such may not port cleanly. As a result, we do not install these programs in the automated installation process. Problems, bugs, questions, desirable enhancements, source code contributions, etc., should be sent to argus-info@lists.andrew.cmu.edu ************************************************************ IMPORTANT: Send problems, bug reports, questions and comments to the argus mailing list at Carnegie Mellon University: argus-info@lists.andrew.cmu.edu. Please use the './bin/argusbug' script when posting bug reports about Argus. Argusbug will gather some information about your system and start your editor with a form in which you can describe your problem. Delete information that you consider non-relevant to your problem. Bug reports not generated by Argusbug might be silently ignored by the Argus maintainers, so please use the tool. A report that says 'Argus does not work. Why?' will not be considered a valid bug report. ************************************************************ Comprehensive network transaction auditing is an extremely powerful network management tool, and a large number of sites can benefit from the prototype work that has been done through the Argus Project. Again, thank you for your interest in Argus. I hope that you find the software useful. Carter Bullard carter@qosient.com argus-5.0.2/events/argus-airport.sh000077500000000000000000000026601471541253600173150ustar00rootroot00000000000000#!/bin/bash # # Argus-5.0 Software. Argus Event scripts - airport # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # airport - report apple airport wireless interface stats. # output=`/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -I | sed -e 's/^[ \t]*//' -e 's/:/,/' -e 's/op mode/opMode/' -e 's/link auth/linkAuth/' -e 's/802.11 auth/802.11.auth/' | awk 'BEGIN{FS=","}{print " < "$1" ="$2"\" />"}' | sed -e 's/= /= "/'` # # echo "" echo " " echo "$output" echo " " echo "" argus-5.0.2/events/argus-extip.pl000077500000000000000000000027571471541253600167760ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - argus-extip # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # argus-extip - get external IP address for this node. # # Carter Bullard # QoSient, LLC # use POSIX; use strict; my $curl = `which curl`; my $host = "qosient.com/argus/argusPublicIP.php"; my $options = "-L -s"; chomp($curl); my @args = "$curl $options $host"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { $data =~ s//>\n/gs; print "$data"; } close(SESAME); print " \n"; print "\n"; argus-5.0.2/events/argus-ipaddr.pl000077500000000000000000000026111471541253600170750ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - ip addr # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # argus-ipaddr - Report on system interface statistics # Linux specific # use POSIX; use strict; local $ENV{PATH} = "$ENV{PATH}:/usr/bin:/bin:/usr/sbin:/sbin"; my $ip = `which ip`; chomp($ip); my @args = "$ip addr"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { print " $data"; } close(SESAME); print " \n"; print "\n"; argus-5.0.2/events/argus-ipmitool.pl000077500000000000000000000026471471541253600174770ustar00rootroot00000000000000#!/usr/bin/perl # # Argus-5.0 Software. Argus Event scripts - ipmitool # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # argus-ipmitool - Report Dell linux system stats. # Linux specific # use POSIX; use strict; local $ENV{PATH} = "$ENV{PATH}:/usr/bin:/bin:/usr/sbin:/sbin"; my $ipmitool = `which ipmitool`; chomp($ipmitool); my @args = "$ipmitool sensor"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { print " $data"; } close(SESAME); print " \n"; print "\n"; argus-5.0.2/events/argus-lsof.pl000077500000000000000000000026061471541253600166010ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - argus-lsof # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # argus-lsof - Report open inet sockets and provide application names as # XML oriented argus events. # use POSIX; use strict; my $lsof = `which lsof`; chomp($lsof); my @args = "$lsof -i -n -P +c0"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { print " $data"; } close(SESAME); print " \n"; print "\n"; argus-5.0.2/events/argus-netstat.pl000077500000000000000000000100661471541253600173170ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - netstat # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # netstat - report IPv4 routing table using netstat polling. # # $Id: //depot/gargoyle/argus/events/argus-netstat.pl#2 $ # $DateTime: 2016/06/06 12:23:00 $ # $Change: 3158 $ # Mac OS X generates this type of output for the "netstat -rn" command. # We'll send the whole thing. # # Routing tables # # Internet: # Destination Gateway Flags Refs Use Netif Expire # default link#4 UCSI 1 0 en0 # 10.92.104.14 4c:7c:5f:c5:9b:94 UHLWI 0 0 en0 1196 # 127 127.0.0.1 UCS 0 0 lo0 # 127.0.0.1 127.0.0.1 UH 3 105680 lo0 # 169.254 link#4 UCS 131 0 en0 # 169.254.4.99 dc:86:d8:db:d6:c7 UHLSW 0 0 en0 819 # 169.254.7.133 e0:f8:47:14:dd:1e UHLSW 0 0 en0 756 # 169.254.46.133 f8:16:54:71:d4:e1 UHLSW 1 29 en0 1168 # 169.254.48.214 e8:2a:ea:66:60:93 UHLSW 0 0 en0 1178 # 169.254.105.181 e4:d5:3d:ac:e8:4e UHLSW 0 181 en0 1124 # 169.254.109.113 a4:b8:5:bf:8b:10 UHLSW 0 0 en0 1159 # 169.254.123.227/32 link#4 UCS 1 0 en0 # 169.254.126.5 cc:29:f5:bb:91:1f UHLSW 0 0 en0 1160 # 169.254.253.47 b0:34:95:5f:2d:7e UHLSW 0 0 en0 1170 # 169.254.255.255 ff:ff:ff:ff:ff:ff UHLWb 0 121 en0 # # Internet6: # Destination Gateway Flags Netif Expire # ::1 ::1 UHL lo0 # fd8a:7ca4:5ae0:bf6d::/64 fe80::1590:f573:fef6:fcee%utun0 Uc utun0 # ..... # ff02::%utun0/32 fe80::1590:f573:fef6:fcee%utun0 UmCI utun0 # # Complain about undeclared variables use strict; my $NETSTAT = "/usr/sbin/netstat"; my $Options = "-rn"; my @args = ($NETSTAT, $Options); my $count = 0; my $parsing = ""; print "\n"; print " \n"; open(SESAME, "@args |"); while (my $data = ) { if ($count++ > 0) { my @fields = split /\s+/, $data; if ($parsing > 0) { for ($fields[0]) { if (/Internet6/) { $parsing = 0; } elsif (/Destination/) { } else { my $dest = $fields[0]; my $gate = $fields[1]; my $flag = $fields[2]; my $refs = $fields[3]; my $use = $fields[4]; my $inf = $fields[5]; my $exp = $fields[6]; if ($dest) { print " \n"; } } } } else { for ($fields[0]) { if (/Internet\:/) { $parsing++;} } } } } print " \n"; print "\n"; exit; argus-5.0.2/events/argus-snmp.sh000077500000000000000000000045521471541253600166140ustar00rootroot00000000000000#!/bin/sh # # Argus-5.0 Software. Argus Event scripts - snmp # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # argus-snmp - collect snmp stats and report them as XML oriented argus events. # This program requires a lot of site specific customization, and # so, be sure and change the community string for snmp agent access # and pick the interfaces of interest. # # # $Id: //depot/gargoyle/argus/events/argus-snmp.sh#5 $ # $DateTime: 2015/04/13 00:39:28 $ # $Change: 2980 $ # prog="/usr/bin/snmpwalk -Os -c qosient -v 2c 10.0.1.1" stats="/usr/bin/snmpget -Os -c qosient -v 2c 10.0.1.1" interfaces="2 3 9" echo "" echo " " retn=`$prog ipNetToMediaPhysAddress | awk 'BEGIN{FS="="}{print " < Label = \""$1"\" Value = \""$2"\" />"}'`; echo "$retn" echo " " echo " " for i in $interfaces; do echo " "`$stats ifInUcastPkts.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutUcastPkts.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifInOctets.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutOctets.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; echo " "`$stats ifOutDiscards.$i | awk 'BEGIN{FS="="}{print "< Label = \""$1"\" Value = \""$2"\" />"}'`; done echo " " echo "" argus-5.0.2/events/argus-stumble.pl000077500000000000000000000025741471541253600173150ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - stumble # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # argus-stumble - Report available wireless networks. # use POSIX; use strict; my $stumble = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport" my @args = "$stumble -s"; my $data; print "\n"; print " \n"; open(SESAME, "@args |"); while ($data = ) { print " $data"; } close(SESAME); print " \n"; print "\n"; argus-5.0.2/events/argus-stumbler.pl000077500000000000000000000061551471541253600174760ustar00rootroot00000000000000#!@PERLBIN@ # # Argus-5.0 Software. Argus Event scripts - stumbler # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # stumbler - report available wireless networks - using airport. # # $Id$ # $DateTime$ # $Change$ # # Complain about undeclared variables use strict; my $count = 0; my $ssid = ""; my $bssid = ""; my $rssi = ""; my $channel = ""; my $ht = ""; my $cc = ""; my $security = ""; if (my $arg = shift(@ARGV)) { open(SESAME, $arg); } else { my $STUMBLER = "/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport"; my $Options = "-s"; my @args = ($STUMBLER, $Options); open(SESAME, "@args |"); } print "\n"; print " \n"; while (my $data = ) { my $parsing = 1; if ($count++ > 0) { for ($data) { if (/SSID/) { $parsing = 0; } elsif (/IBSS/) { $parsing = 0; } else { my @fields = split /\s+/, $data; $parsing = 0; for (my $i = 1; $i < ($#fields + 1); $i++) { chomp $fields[$i]; $fields[$i] =~ s/^\s+|\s+$//g; for ($parsing) { if (/0/) { $ssid = $fields[$i]; $parsing++;} elsif (/1/) { if ($fields[$i] =~ m/:/) { $bssid = $fields[$i]; $parsing++; } else { $ssid = $ssid . " " . $fields[$i]; } } elsif (/2/) { $rssi = $fields[$i]; $parsing++;} elsif (/3/) { $channel = $fields[$i]; $parsing++;} elsif (/4/) { $ht = $fields[$i]; $parsing++;} elsif (/5/) { $cc = $fields[$i]; $parsing++;} elsif (/6/) { $security = $fields[$i]; $parsing++;} elsif (/7/) { $security = $security . " " . $fields[$i];} else { } } } if ($parsing) { print " Ssid=\"$ssid\" Bssid=\"$bssid\" Rssi=\"$rssi\" Channel=\"$channel\" Ht=\"$ht\" Cc=\"$cc\" Security=\"$security\"\n"; } } } } } print " \n"; print "\n"; exit; argus-5.0.2/events/argus-vmstat.sh000077500000000000000000000031651471541253600171540ustar00rootroot00000000000000#!/bin/bash # # Argus-5.0 Software. Argus Event scripts - vmstat # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # vmstat - report vmstat output as XML oriented argus event. # This example is provided to show how you can format most programs # to get to the XML oriented output used by the argus events system. # # # $Id: //depot/gargoyle/argus/events/argus-vmstat.sh#5 $ # $DateTime: 2015/04/13 00:39:28 $ # $Change: 2980 $ # output=`vm_stat | sed -e 's/"//g' -e 's/\.//' -e 's/: */:/' | \ awk 'BEGIN {FS = ":"}{ if ($1=="Mach Virtual Memory Statistics") \ print " " ; \ else print " < Label = \""$1"\" Value = \""$2"\" />"}'` # # echo "" echo "$output" echo " " echo "" argus-5.0.2/include/000077500000000000000000000000001471541253600142725ustar00rootroot00000000000000argus-5.0.2/include/CflowdFlowPdu.h000066400000000000000000000430001471541253600171570ustar00rootroot00000000000000/*=========================================================================== / CAIDA Copyright Notice / / By accessing this software, cflowd++, you are duly informed / of and agree to be bound by the conditions described below in this / notice: / / This software product, cflowd++, is developed by Daniel W. McRobb, and / copyrighted(C) 1998 by the University of California, San Diego / (UCSD), with all rights reserved. UCSD administers the CAIDA grant, / NCR-9711092, under which part of this code was developed. / / There is no charge for cflowd++ software. You can redistribute it / and/or modify it under the terms of the GNU General Public License, / v. 2 dated June 1991 which is incorporated by reference herein. / cflowd++ is distributed WITHOUT ANY WARRANTY, IMPLIED OR EXPRESS, OF / MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE or that the use / of it will not infringe on any third party's intellectual property / rights. / / You should have received a copy of the GNU GPL along with cflowd++. / Copies can also be obtained from: / / http://www.gnu.org/copyleft/gpl.html / / or by writing to: / / University of California, San Diego / / SDSC/CAIDA / 9500 Gilman Dr., MS-0505 / La Jolla, CA 92093 - 0505 USA / / Or contact: / / info@caida.org /=========================================================================== */ /* * $Id: //depot/gargoyle/argus/include/CflowdFlowPdu.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ /*--------------------------------------------------------------------------- This header file contains the layout of flow-export packets for Cisco's flow-export. -------------------------------------------------------------------------*/ #if !defined(_FLOWPDU_H_) #define _FLOWPDU_H_ #define k_maxFlowPacketSize 2048 #ifndef uint8_t #define uint8_t unsigned char #endif #ifndef uint16_t #define uint16_t unsigned short #endif #ifndef uint32_t #define uint32_t unsigned int #endif #ifndef ipv4addr_t #define ipv4addr_t unsigned int #endif /*--------------------------------------------------------------------------- flow-export version 1 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; } CiscoFlowHeaderV1_t; #define k_maxFlowsPerV1Packet 24 /*--------------------------------------------------------------------------- flow-export version 1 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint16_t pad0; uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint8_t flags; /* TCP flags */ uint8_t pad1, pad2, pad3; /* pads */ uint32_t pad4; } CiscoFlowEntryV1_t; /*--------------------------------------------------------------------------- flow-export version 5 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* no VIP = 0, VIP2 = 1 */ uint8_t engine_id; /* VIP2 slot number */ uint16_t reserved; /* unused */ } CiscoFlowHeaderV5_t; #define k_maxFlowsPerV5Packet 30 /*--------------------------------------------------------------------------- flow-export version 5 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t pad; uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow; 0x10 */ /* for non-TCP flows */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint16_t reserved; } CiscoFlowEntryV5_t; /*--------------------------------------------------------------------------- flow-export version 6 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* version */ uint16_t count; /* the number of records in PDU */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* seq counter of total flows seen */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint16_t reserved; } CiscoFlowHeaderV6_t; #define k_maxFlowsPerV6Packet 27 /*--------------------------------------------------------------------------- flow-export version 6 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t rsvd; uint8_t tcp_flags; /* bitwise OR of all TCP flags seen in flow */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint8_t in_encaps; /* size in bytes of the input encapsulation */ uint8_t out_encaps; /* size in bytes of the output encapsulation */ uint32_t peer_nexthop; /* IP address of the nexthop w/in the peer (FIB) */ } CiscoFlowEntryV6_t; /*--------------------------------------------------------------------------- flow-export version 8 --------------------------------------------------------------------------- This is the first flow-export version to support multiple types of flow-export records. Each type is an aggregation, so that only specific types of data may be exported (saving processing and bandwidth). Obviously flow level granularity is gone, but this type of data reduction is useful on high-speed routers like the GSR. -------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------- flow-export version 8 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint8_t agg_method; /* aggregation method */ uint8_t agg_version; /* aggregation version */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV8_t; /*--------------------------------------------------------------------------- V8 aggregation methods -------------------------------------------------------------------------*/ #define k_CiscoV8FlowExportASAggType 0x01 /* AS agg. */ #define k_CiscoV8FlowExportProtocolPortAggType 0x02 /* protocol/port agg. */ #define k_CiscoV8FlowExportSrcNetAggType 0x03 /* src network agg. */ #define k_CiscoV8FlowExportDstNetAggType 0x04 /* dst network agg. */ #define k_CiscoV8FlowExportNetMatrixAggType 0x05 /* net matrix agg. */ #define k_CiscoV8FlowExportMaxAggType k_CiscoV8FlowExportNetMatrixAggType #define k_CiscoV8FlowExportNumAggTypes k_CiscoV8FlowExportMaxAggType /*--------------------------------------------------------------------------- max flows per packet for each of the different V8 aggregation methods -------------------------------------------------------------------------*/ #define k_maxFlowsPerV8AsAggPacket 51 #define k_maxFlowsPerV8ProtocolPortAggPacket 51 #define k_maxFlowsPerV8SrcNetAggPacket 44 #define k_maxFlowsPerV8DstNetAggPacket 44 #define k_maxFlowsPerV8NetMatrixAggPacket 35 /*--------------------------------------------------------------------------- define max flows per packet, regardless of type of flows. -------------------------------------------------------------------------*/ #define k_maxFlowsPerAnyPacket 51 /*--------------------------------------------------------------------------- V8 AS aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8AsAggV2_t; /*--------------------------------------------------------------------------- V8 protocol/port aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint8_t prot; /* IP protocol (TCP=6, UDP=17, etc.) */ uint8_t pad; uint16_t reserved; uint16_t srcport; /* source port */ uint16_t dstport; /* destination port */ } CiscoFlowEntryV8ProtocolPortAggV2_t; /*--------------------------------------------------------------------------- V8 net matrix aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ ipv4addr_t dstnet; /* destination network */ uint8_t dst_mask; /* destination netmask length (bits) */ uint8_t src_mask; /* source netmask length (bits) */ uint16_t reserved; uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8NetMatrixAggV2_t; /*--------------------------------------------------------------------------- V8 source network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ uint8_t src_mask; /* source network mask length (bits) */ uint8_t pad; uint16_t src_as; /* source AS */ uint16_t input; /* input interface index */ uint16_t reserved; } CiscoFlowEntryV8SrcNetAggV2_t; /*--------------------------------------------------------------------------- V8 destination network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t dst_net; /* destination network */ uint8_t dst_mask; /* destination network mask length (bits) */ uint8_t pad; uint16_t dst_as; /* destination AS */ uint16_t output; /* output interface index */ uint16_t reserved; } CiscoFlowEntryV8DstNetAggV2_t; /*--------------------------------------------------------------------------- flow-export version 7 header (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV7_t; /*--------------------------------------------------------------------------- flow-export version 7 flow entry (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address (0 for dest-only flows) */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address (always 0) */ uint16_t input; /* input interface index (always 0) */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint16_t dstport; /* TCP/UDP destination port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint8_t flags1; /* ???? */ uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow (always 0) */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address (always 0) */ uint16_t dst_as; /* originating AS of destination address (always 0) */ uint8_t src_mask; /* source address prefix mask bits (always 0) */ uint8_t dst_mask; /* destination address prefix mask bits (always 0) */ uint16_t flags2; /* ???? */ uint32_t router_sc; /* IP address of shortcut router */ } CiscoFlowEntryV7_t; #endif /* _FLOWPDU_H_ */ argus-5.0.2/include/argus-namedb.h000066400000000000000000000100161471541253600170060ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. namedb * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/gargoyle/argus/include/argus-namedb.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(argus_namedb_h) #define argus_namedb_h /* * As returned by the argus_next_etherent() * XXX this stuff doesn't belong in this inteface, but this * library already must do name to address translation, so * on systems that don't have support for /etc/ethers, we * export these hooks since they'll */ struct pcap_etherent { u_char addr[6]; char name[122]; }; #if !defined(PCAP_ETHERS_FILE) #define PCAP_ETHERS_FILE "/etc/ethers" #endif struct pcap_etherent *argus_next_etherent(FILE *); u_char *argus_ether_hostton(char*); u_char *argus_ether_aton(char *); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, argus_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 /* XXX move these to pcap-int.h? */ unsigned int __argus_atodn(char *); unsigned int __argus_atoin(char *, unsigned int *); u_short __argus_nametodnaddr(char *); #endif argus-5.0.2/include/argus/000077500000000000000000000000001471541253600154135ustar00rootroot00000000000000argus-5.0.2/include/argus/CflowdFlowPdu.h000066400000000000000000000562361471541253600203170ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. namedb * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * This file is orignally from CAIDA's cflowd source code, but has been * amended and improved over the years. All attempts have been made to * keep the naming and type styles consistent with the original file. */ /*=========================================================================== / @(#) $Name: $ / @(#) $Id: //depot/argus/argus-3.0/clients/include/CflowdFlowPdu.h#5 $ /=========================================================================== / CAIDA Copyright Notice / / By accessing this software, cflowd++, you are duly informed / of and agree to be bound by the conditions described below in this / notice: / / This software product, cflowd++, is developed by Daniel W. McRobb, and / copyrighted(C) 1998 by the University of California, San Diego / (UCSD), with all rights reserved. UCSD administers the CAIDA grant, / NCR-9711092, under which part of this code was developed. / / There is no charge for cflowd++ software. You can redistribute it / and/or modify it under the terms of the GNU General Public License, / v. 2 dated June 1991 which is incorporated by reference herein. / cflowd++ is distributed WITHOUT ANY WARRANTY, IMPLIED OR EXPRESS, OF / MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE or that the use / of it will not infringe on any third party's intellectual property / rights. / / You should have received a copy of the GNU GPL along with cflowd++. / Copies can also be obtained from: / / http://www.gnu.org/copyleft/gpl.html / / or by writing to: / / University of California, San Diego / / SDSC/CAIDA / 9500 Gilman Dr., MS-0505 / La Jolla, CA 92093 - 0505 USA / / Or contact: / / info@caida.org /=========================================================================== */ /* * $Id: //depot/argus/argus-3.0/clients/include/CflowdFlowPdu.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /*--------------------------------------------------------------------------- This header file contains the layout of flow-export packets for Cisco's flow-export. -------------------------------------------------------------------------*/ #ifndef _FLOWPDU_H_ #define _FLOWPDU_H_ #define k_maxFlowPacketSize 2048 #ifndef uint8_t #define uint8_t unsigned char #endif #ifndef uint16_t #define uint16_t unsigned short #endif #ifndef uint32_t #define uint32_t unsigned int #endif #ifndef ipv4addr_t #define ipv4addr_t unsigned int #endif /*--------------------------------------------------------------------------- flow-export version 1 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; } CiscoFlowHeaderV1_t; #define k_maxFlowsPerV1Packet 24 /*--------------------------------------------------------------------------- flow-export version 1 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint16_t pad0; uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint8_t flags; /* TCP flags */ uint8_t pad1, pad2, pad3; /* pads */ uint32_t pad4; } CiscoFlowEntryV1_t; /*--------------------------------------------------------------------------- flow-export version 5 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* no VIP = 0, VIP2 = 1 */ uint8_t engine_id; /* VIP2 slot number */ uint16_t reserved; /* unused */ } CiscoFlowHeaderV5_t; #define k_maxFlowsPerV5Packet 30 /*--------------------------------------------------------------------------- flow-export version 5 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t pad; uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow; 0x10 */ /* for non-TCP flows */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint16_t reserved; } CiscoFlowEntryV5_t; /*--------------------------------------------------------------------------- flow-export version 6 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* version */ uint16_t count; /* the number of records in PDU */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* seq counter of total flows seen */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint16_t reserved; } CiscoFlowHeaderV6_t; #define k_maxFlowsPerV6Packet 27 /*--------------------------------------------------------------------------- flow-export version 6 flow entry -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent */ uint16_t dstport; /* TCP/UDP destination port number or equivalent */ uint8_t rsvd; uint8_t tcp_flags; /* bitwise OR of all TCP flags seen in flow */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address */ uint16_t dst_as; /* originating AS of destination address */ uint8_t src_mask; /* source address prefix mask bits */ uint8_t dst_mask; /* destination address prefix mask bits */ uint8_t in_encaps; /* size in bytes of the input encapsulation */ uint8_t out_encaps; /* size in bytes of the output encapsulation */ uint32_t peer_nexthop; /* IP address of the nexthop w/in the peer (FIB) */ } CiscoFlowEntryV6_t; /*--------------------------------------------------------------------------- flow-export version 7 header (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t unix_nsecs; uint32_t flow_sequence; /* sequence number */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV7_t; /*--------------------------------------------------------------------------- flow-export version 7 flow entry (Catalyst 5000) NOT USED, V7 FLOW-EXPORT HANDLING NOT IMPLEMENTED. -------------------------------------------------------------------------*/ typedef struct { ipv4addr_t srcaddr; /* source IP address (0 for dest-only flows) */ ipv4addr_t dstaddr; /* destination IP address */ ipv4addr_t nexthop; /* next hop router's IP address (always 0) */ uint16_t input; /* input interface index (always 0) */ uint16_t output; /* output interface index */ uint32_t pkts; /* packets sent in duration */ uint32_t bytes; /* octets sent in duration */ uint32_t first; /* SysUptime at start of flow */ uint32_t last; /* and of last packet of flow */ uint16_t srcport; /* TCP/UDP source port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint16_t dstport; /* TCP/UDP destination port number or equivalent, */ /* 0 if flow mask is destination-only or */ /* source-destination. */ uint8_t flags1; /* ???? */ uint8_t tcp_flags; /* bitwise OR of all TCP flags in flow (always 0) */ uint8_t prot; /* IP protocol, e.g., 6=TCP, 17=UDP, ... */ uint8_t tos; /* IP Type-of-Service */ uint16_t src_as; /* originating AS of source address (always 0) */ uint16_t dst_as; /* originating AS of destination address (always 0) */ uint8_t src_mask; /* source address prefix mask bits (always 0) */ uint8_t dst_mask; /* destination address prefix mask bits (always 0) */ uint16_t flags2; /* ???? */ uint32_t router_sc; /* IP address of shortcut router */ } CiscoFlowEntryV7_t; /*--------------------------------------------------------------------------- flow-export version 8 --------------------------------------------------------------------------- This is the first flow-export version to support multiple types of flow-export records. Each type is an aggregation, so that only specific types of data may be exported (saving processing and bandwidth). Obviously flow level granularity is gone, but this type of data reduction is useful on high-speed routers like the GSR. -------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------- flow-export version 8 header -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; /* current time in msecs since router booted */ uint32_t unix_secs; /* current seconds since 0000 UTC 1970 */ uint32_t unix_nsecs; /* residual nanoseconds since 0000 UTC 1970 */ uint32_t flow_sequence; /* sequence number */ uint8_t engine_type; /* type of flow switching engine */ uint8_t engine_id; /* ID number of the flow switching engine */ uint8_t agg_method; /* aggregation method */ uint8_t agg_version; /* aggregation version */ uint32_t reserved; /* unused */ } CiscoFlowHeaderV8_t; /*--------------------------------------------------------------------------- V8 aggregation methods -------------------------------------------------------------------------*/ #define k_CiscoV8FlowExportASAggType 0x01 /* AS agg. */ #define k_CiscoV8FlowExportProtocolPortAggType 0x02 /* protocol/port agg. */ #define k_CiscoV8FlowExportSrcNetAggType 0x03 /* src network agg. */ #define k_CiscoV8FlowExportDstNetAggType 0x04 /* dst network agg. */ #define k_CiscoV8FlowExportNetMatrixAggType 0x05 /* net matrix agg. */ #define k_CiscoV8FlowExportMaxAggType k_CiscoV8FlowExportNetMatrixAggType #define k_CiscoV8FlowExportNumAggTypes k_CiscoV8FlowExportMaxAggType /*--------------------------------------------------------------------------- max flows per packet for each of the different V8 aggregation methods -------------------------------------------------------------------------*/ #define k_maxFlowsPerV8AsAggPacket 51 #define k_maxFlowsPerV8ProtocolPortAggPacket 51 #define k_maxFlowsPerV8SrcNetAggPacket 44 #define k_maxFlowsPerV8DstNetAggPacket 44 #define k_maxFlowsPerV8NetMatrixAggPacket 35 /*--------------------------------------------------------------------------- define max flows per packet, regardless of type of flows. -------------------------------------------------------------------------*/ #define k_maxFlowsPerAnyPacket 51 /*--------------------------------------------------------------------------- V8 AS aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8AsAggV2_t; /*--------------------------------------------------------------------------- V8 protocol/port aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ uint8_t prot; /* IP protocol (TCP=6, UDP=17, etc.) */ uint8_t pad; uint16_t reserved; uint16_t srcport; /* source port */ uint16_t dstport; /* destination port */ } CiscoFlowEntryV8ProtocolPortAggV2_t; /*--------------------------------------------------------------------------- V8 net matrix aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ ipv4addr_t dstnet; /* destination network */ uint8_t dst_mask; /* destination netmask length (bits) */ uint8_t src_mask; /* source netmask length (bits) */ uint16_t reserved; uint16_t src_as; /* source AS */ uint16_t dst_as; /* destination AS */ uint16_t input; /* input interface index */ uint16_t output; /* output interface index */ } CiscoFlowEntryV8NetMatrixAggV2_t; /*--------------------------------------------------------------------------- V8 source network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t srcnet; /* source network */ uint8_t src_mask; /* source network mask length (bits) */ uint8_t pad; uint16_t src_as; /* source AS */ uint16_t input; /* input interface index */ uint16_t reserved; } CiscoFlowEntryV8SrcNetAggV2_t; /*--------------------------------------------------------------------------- V8 destination network aggregation flow entry version 2 -------------------------------------------------------------------------*/ typedef struct { uint32_t flows; /* number of flows */ uint32_t pkts; /* number of packets */ uint32_t bytes; /* number of bytes */ uint32_t first; /* sysUptime at start of flow */ uint32_t last; /* sysUptime at end of flow */ ipv4addr_t dst_net; /* destination network */ uint8_t dst_mask; /* destination network mask length (bits) */ uint8_t pad; uint16_t dst_as; /* destination AS */ uint16_t output; /* output interface index */ uint16_t reserved; } CiscoFlowEntryV8DstNetAggV2_t; /*--------------------------------------------------------------------------- flow-export version 9 flow entry (NetflowV9) -------------------------------------------------------------------------*/ typedef struct { uint16_t version; /* flow-export version number */ uint16_t count; /* number of flow entries */ uint32_t sysUptime; uint32_t unix_secs; uint32_t package_sequence; /* sequence number */ uint32_t source_id; /* unused */ } CiscoFlowHeaderV9_t; typedef struct { u_int16_t flowset_id, length; } CiscoFlowEntryV9_t; typedef struct { u_int16_t template_id, count; } CiscoFlowTemplateHeaderV9_t; typedef struct { u_int16_t type, length; } CiscoFlowTemplateFlowEntryV9_t; #define k_CiscoV9TemplateFlowsetId 0 #define k_CiscoV9OptionsFlowsetId 1 #define k_CiscoV9MinRecordFlowsetId 256 /* Flowset record types the we care about */ #define k_CiscoV9InBytes 1 #define k_CiscoV9InPackets 2 #define k_CiscoV9Flows 3 #define k_CiscoV9InProtocol 4 #define k_CiscoV9SrcTos 5 #define k_CiscoV9TcpFlags 6 #define k_CiscoV9L4SrcPort 7 #define k_CiscoV9IpV4SrcAddr 8 #define k_CiscoV9SrcMask 9 #define k_CiscoV9InputSnmp 10 #define k_CiscoV9L4DstPort 11 #define k_CiscoV9IpV4DstAddr 12 #define k_CiscoV9DstMask 13 #define k_CiscoV9OutputSnmp 14 #define k_CiscoV9IpV4NextHop 15 #define k_CiscoV9SrcAS 16 #define k_CiscoV9DstAS 17 #define k_CiscoV9BgpIpV4NextHop 18 #define k_CiscoV9MulDstPkts 19 #define k_CiscoV9MulDstBytes 20 #define k_CiscoV9LastSwitched 21 #define k_CiscoV9FirstSwitched 22 #define k_CiscoV9OutBytes 23 #define k_CiscoV9OutPkts 24 #define k_CiscoV9MinPktLen 25 #define k_CiscoV9MaxPktLen 26 #define k_CiscoV9IpV6SrcAddr 27 #define k_CiscoV9IpV6DstAddr 28 #define k_CiscoV9IPV6SrcMask 29 #define k_CiscoV9IpV6DstMask 30 #define k_CiscoV9IpV6FlowLabel 31 #define k_CiscoV9IpV6IcmpType 32 #define k_CiscoV9IpV6MulIgmpType 33 #define k_CiscoV9IpV6SamplingInterval 34 #define k_CiscoV9IpV6SamplingAlgorithm 35 #define k_CiscoV9FlowActiveTimeout 36 #define k_CiscoV9FlowInactiveTimeout 37 #define k_CiscoV9EngineType 38 #define k_CiscoV9EngineID 39 #define k_CiscoV9TotalBytesExp 40 #define k_CiscoV9TotalPktsExp 41 #define k_CiscoV9TotalFlowsExp 42 /* ... */ #define k_CiscoV9MplsTopLabelType 46 #define k_CiscoV9MplsTopLabelIPAddr 47 #define k_CiscoV9FlowSamplerID 48 #define k_CiscoV9FlowSamplerMode 49 #define k_CiscoV9FlowSamplerRandomInt 50 /* ... */ #define k_CiscoV9MinTtl 52 #define k_CiscoV9MaxTtl 53 #define k_CiscoV9IPv4IpId 54 #define k_CiscoV9DstTos 55 #define k_CiscoV9SrcMac 56 #define k_CiscoV9DstMac 57 #define k_CiscoV9SrcVlan 58 #define k_CiscoV9DstVlan 59 #define k_CiscoV9IpProtocolVersion 60 #define k_CiscoV9Direction 61 #define k_CiscoV9IpV6NextHop 62 #define k_CiscoV9BgpIpV6NextHop 63 #define k_CiscoV9IpV6OptionHeaders 64 /* ... */ #define k_CiscoV9MplsLabel1 70 #define k_CiscoV9MplsLabel2 71 #define k_CiscoV9MplsLabel3 72 #define k_CiscoV9MplsLabel4 73 #define k_CiscoV9MplsLabel5 74 #define k_CiscoV9MplsLabel6 75 #define k_CiscoV9MplsLabel7 76 #define k_CiscoV9MplsLabel8 77 #define k_CiscoV9MplsLabel9 78 #define k_CiscoV9MplsLabel10 79 #define k_CiscoV9InDstMac 80 #define k_CiscoV9OutSrcMac 81 #define k_CiscoV9IfName 82 #define k_CiscoV9IfDesc 83 #define k_CiscoV9SampleName 84 #define k_CiscoV9InPermanentBytes 85 #define k_CiscoV9InPermanentPkts 86 /* ... */ #define k_CiscoV9FragmentOffset 88 #define k_CiscoV9ForwardingStatus 89 #define k_CiscoV9MplsPalRD 90 #define k_CiscoV9MplsPrefixLen 91 #define k_CiscoV9SrcTrafficIndex 92 #define k_CiscoV9DstTrafficIndex 93 #define k_CiscoV9ApplicationDesc 94 #define k_CiscoV9ApplicationTag 95 #define k_CiscoV9ApplicationName 96 /* ... */ #define k_CiscoV9PostDSCP 98 #define k_CiscoV9MulticastReplication 99 /* ... */ #define k_CiscoV9ConnId 148 /* ... */ #define k_CiscoV9IcmpType 176 #define k_CiscoV9IcmpCode 177 #define k_CiscoV9IcmpTypeV6 178 #define k_CiscoV9IcmpCodeV6 179 /* ... */ #define k_CiscoV9NatInsideGlobalAddr 225 #define k_CiscoV9NatOutsideGlobalAddr 226 #define k_CiscoV9postNatL4SrcPort 227 #define k_CiscoV9postNatL4DstPort 228 #define k_CiscoV9postNatEvent 230 /* ... */ #define k_CiscoV9IngressVRFID 234 /* ... */ #define k_CiscoEventTimeMilliSec 323 #define k_CiscoEventTimeMicroSec 324 #define k_CiscoEventTimeNanoSec 325 #endif /* _FlowPDU_H_ */ argus-5.0.2/include/argus/bootp.h000066400000000000000000000073151471541253600167150ustar00rootroot00000000000000/* * Bootstrap Protocol (BOOTP). RFC951 and RFC1048. * * This file specifies the "implementation-independent" BOOTP protocol * information which is common to both client and server. * * Copyright 1988 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/gargoyle/argus/include/argus/bootp.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #if !defined(Argus_bootp_h) #define Argus_bootp_h struct bootp { unsigned char bp_op; /* packet opcode type */ unsigned char bp_htype; /* hardware addr type */ unsigned char bp_hlen; /* hardware addr length */ unsigned char bp_hops; /* gateway hops */ unsigned int bp_xid; /* transaction ID */ unsigned short bp_secs; /* seconds since boot began */ unsigned short bp_unused; struct in_addr bp_ciaddr; /* client IP address */ struct in_addr bp_yiaddr; /* 'your' IP address */ struct in_addr bp_siaddr; /* server IP address */ struct in_addr bp_giaddr; /* gateway IP address */ unsigned char bp_chaddr[16]; /* client hardware address */ unsigned char bp_sname[64]; /* server host name */ unsigned char bp_file[128]; /* boot file name */ unsigned char bp_vend[64]; /* vendor-specific area */ }; /* * UDP port numbers, server and client. */ #define IPPORT_BOOTPS 67 #define IPPORT_BOOTPC 68 #define BOOTREPLY 2 #define BOOTREQUEST 1 /* * Vendor magic cookie (v_magic) for CMU */ #define VM_CMU "CMU" /* * Vendor magic cookie (v_magic) for RFC1048 */ #define VM_RFC1048 { 99, 130, 83, 99 } /* * RFC1048 tag values used to specify what information is being supplied in * the vendor field of the packet. */ #define TAG_PAD ((unsigned char) 0) #define TAG_SUBNET_MASK ((unsigned char) 1) #define TAG_TIME_OFFSET ((unsigned char) 2) #define TAG_GATEWAY ((unsigned char) 3) #define TAG_TIME_SERVER ((unsigned char) 4) #define TAG_NAME_SERVER ((unsigned char) 5) #define TAG_DOMAIN_SERVER ((unsigned char) 6) #define TAG_LOG_SERVER ((unsigned char) 7) #define TAG_COOKIE_SERVER ((unsigned char) 8) #define TAG_LPR_SERVER ((unsigned char) 9) #define TAG_IMPRESS_SERVER ((unsigned char) 10) #define TAG_RLP_SERVER ((unsigned char) 11) #define TAG_HOSTNAME ((unsigned char) 12) #define TAG_BOOTSIZE ((unsigned char) 13) #define TAG_END ((unsigned char) 255) /* RFC1497 tags */ #define TAG_DUMPPATH ((unsigned char) 14) #define TAG_DOMAINNAME ((unsigned char) 15) #define TAG_SWAP_SERVER ((unsigned char) 16) #define TAG_ROOTPATH ((unsigned char) 17) #define TAG_EXTPATH ((unsigned char) 18) /* * "vendor" data permitted for CMU bootp clients. */ struct cmu_vend { unsigned char v_magic[4]; /* magic number */ unsigned int v_flags; /* flags/opcodes, etc. */ struct in_addr v_smask; /* Subnet mask */ struct in_addr v_dgate; /* Default gateway */ struct in_addr v_dns1, v_dns2; /* Domain name servers */ struct in_addr v_ins1, v_ins2; /* IEN-116 name servers */ struct in_addr v_ts1, v_ts2; /* Time servers */ unsigned char v_unused[24]; /* currently unused */ }; /* v_flags values */ #define VF_SMASK 1 /* Subnet mask field contains valid data */ #endif argus-5.0.2/include/argus/cflowd.h000066400000000000000000000062761471541253600170550ustar00rootroot00000000000000/* * Copyright (c) 2001 Mark Fullmer and The Ohio State University * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/argus/argus-3.0/clients/include/cflowd.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* Adapted from cflowd */ #define CF_ROUTERMASK 0x00000001 #define CF_SRCIPADDRMASK 0x00000002 #define CF_DSTIPADDRMASK 0x00000004 #define CF_INPUTIFINDEXMASK 0x00000008 #define CF_OUTPUTIFINDEXMASK 0x00000010 #define CF_SRCPORTMASK 0x00000020 #define CF_DSTPORTMASK 0x00000040 #define CF_PKTSMASK 0x00000080 #define CF_BYTESMASK 0x00000100 #define CF_IPNEXTHOPMASK 0x00000200 #define CF_STARTTIMEMASK 0x00000400 #define CF_ENDTIMEMASK 0x00000800 #define CF_PROTOCOLMASK 0x00001000 #define CF_TOSMASK 0x00002000 #define CF_SRCASMASK 0x00004000 #define CF_DSTASMASK 0x00008000 #define CF_SRCMASKLENMASK 0x00010000 #define CF_DSTMASKLENMASK 0x00020000 #define CF_TCPFLAGSMASK 0x00040000 #define CF_INPUTENCAPMASK 0x00080000 #define CF_OUTPUTENCAPMASK 0x00100000 #define CF_PEERNEXTHOPMASK 0x00200000 #define CF_ENGINETYPEMASK 0x00400000 #define CF_ENGINEIDMASK 0x00800000 #define CF_INDEX_V1_MASK 0x00043FFF #define CF_INDEX_V5_MASK 0x00C7FFFF #define CF_INDEX_V6_MASK 0x00FFFFFF #define CF_INDEX_V7_MASK 0x00C7FFFF #define CF_INDEX_V8_1_MASK 0x00C0CD99 #define CF_INDEX_V8_2_MASK 0x00C00DE1 #define CF_INDEX_V8_3_MASK 0x00C14D8B #define CF_INDEX_V8_4_MASK 0x00C28D95 #define CF_INDEX_V8_5_MASK 0x00C3CD9F #define CF_INDEX_V8_6_MASK 0x00C02D95 #define CF_INDEX_V8_7_MASK 0x00C02D9F #define CF_INDEX_V8_8_MASK 0x00C02DFF #define CF_INDEX_V8_9_MASK 0x00C0ED99 #define CF_INDEX_V8_10_MASK 0x00C02DE1 #define CF_INDEX_V8_11_MASK 0x00C16D8B #define CF_INDEX_V8_12_MASK 0x00C2AD95 #define CF_INDEX_V8_13_MASK 0x00C3ED9F #define CF_INDEX_V8_14_MASK 0x00C32DFF argus-5.0.2/include/argus/cons_def.h000066400000000000000000000111641471541253600173470ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. cons_def * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1993, 1994 Carnegie Mellon University. * All rights reserved. * * Permission to use, copy, modify, and distribute this software and * its documentation for any purpose and without fee is hereby granted, * provided that the above copyright notice appear in all copies and * that both that copyright notice and this permission notice appear * in supporting documentation, and that the name of CMU not be * used in advertising or publicity pertaining to distribution of the * software without specific, written prior permission. * * CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING * ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL * CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR * ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, * WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, * ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS * SOFTWARE. * */ /* * $Id: //depot/gargoyle/argus/include/argus/cons_def.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Protocol | L | IP Opt | Exp | State | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Operation | Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Status Field Format Note that one tick mark represents one bit position. */ /* Argus Operation */ #define ARGUSCONTROL 0x80000000 #define INIT 0x01000000 #define STATUS 0x02000000 #define CLOSE 0x04000000 /* Protocol Specification */ #define PROTOCONTROL 0x00000000 #define IPPROTO 0x01000000 #define UDPPROTO 0x02000000 #define ICMPPROTO 0x04000000 #define TCPPROTO 0x08000000 #define EPPROTO 0x10000000 #define ARPPROTO 0x20000000 #define PROTOMASK 0x7F000000 /* Link Dependant Bits (L) */ #define FRAGMENTS 0x400000 #define MULTIADDR 0x800000 /* IP Option Status Bits */ #define TIMESTAMP 0x010000 #define SECURITY 0x020000 #define LSRCROUTE 0x040000 #define RECORDROUTE 0x080000 #define SSRCROUTE 0x100000 #define RTRALERT 0x200000 #define IPOPTIONMASK 0x3F0000 /* Report Status Bits (Exp) */ #define REVERSE 0x1000 #define MODIFIED 0x2000 #define LOGGED 0x4000 #define DETAIL 0x8000 /* IP, TCP and UDP State Constants and Reporting Values */ #define IP_INIT 0x0001 #define UDP_INIT 0x0001 #define SAW_SYN 0x0001 #define SAW_SYN_SENT 0x0002 #define CON_ESTABLISHED 0x0004 #define CLOSE_WAITING 0x0008 #define PKTS_RETRANS 0x0410 /* SRC_PKTS_RETRANS | DST_PK*/ #define SRC_PKTS_RETRANS 0x0010 #define WINDOW_SHUT 0x0060 /* SRC_WINDOW_SHUT | DST_WIN*/ #define SRC_WINDOW_SHUT 0x0020 #define DST_WINDOW_SHUT 0x0040 #define NORMAL_CLOSE 0x0080 #define RESET 0x0900 /* SRC_RESET | DST_RESET */ #define SRC_RESET 0x0100 #define TIMED_OUT 0x0200 #define DST_PKTS_RETRANS 0x0400 #define DST_RESET 0x0800 /* Fragment State Constants and Reporting Values */ #define FRAG_INIT 0x0001 #define FRAG_OUT_OF_ORDER 0x0002 #define TCP_FRAG_OFFSET_PROBLEM 0x0008 #define FRAG_ONLY 0x0010 argus-5.0.2/include/argus/cons_out.h000066400000000000000000000106311471541253600174160ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. cons_out.h * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus/cons_out.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(cons_out_h) #define cons_out_h #if !defined(__OpenBSD__) || !defined(_NET_IF_H_) #define _NET_IF_H_ #include #endif #include #if !defined(__OpenBSD__) || !defined(_NETINET_IF_ETHER_H_) #define _NETINET_IP_ETHER_H_ #include #endif struct THA_OBJECT { arg_int32 size; unsigned char *buffer; }; struct tha { struct in_addr src; struct in_addr dst; arg_uint16 sport; arg_uint16 dport; }; struct icmptha { struct in_addr src; struct in_addr dst; arg_uint32 port; arg_uint32 addr; }; struct writeStruct { arg_uint32 status; struct argtimeval startime, lasttime; struct ether_addr ethersrc; struct ether_addr etherdst; struct tha addr; arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct inittcpWriteStruct { arg_int32 src_count, dst_count; arg_uint32 addr, seq; }; struct tcpWriteStruct { arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct udpWriteStruct { arg_int32 src_count, dst_count; arg_int32 src_bytes, dst_bytes; }; struct icmpWriteStruct { arg_uint8 type, code; arg_uint16 data; struct in_addr srcaddr, dstaddr, gwaddr; }; struct fragWriteStruct { int fragnum, frag_id; unsigned short status, totlen, currlen, maxfraglen; }; struct physWriteStruct { struct ether_addr ethersrc; struct ether_addr etherdst; }; struct arpWriteStruct { struct argtimeval time; struct physWriteStruct phys; struct ether_arp arp; }; struct ipWriteStruct { struct argtimeval startime, lasttime; struct physWriteStruct ws_phys; struct in_addr src; struct in_addr dst; arg_uint16 sport; arg_uint16 dport; union { struct inittcpWriteStruct inittcp; struct tcpWriteStruct tcp; struct udpWriteStruct udp; struct icmpWriteStruct icmp; struct fragWriteStruct frag; } ipws_trans_union; }; struct manInitStruct { struct argtimeval startime, now; arg_int8 initString[20]; arg_uint32 localnet, netmask; arg_uint16 reportInterval, dflagInterval; arg_uint8 interfaceType, interfaceStatus; }; struct manStatStruct { struct argtimeval startime, now; arg_uint16 reportInterval, dflagInterval; arg_uint8 interfaceType, interfaceStatus; arg_uint32 pktsRcvd, bytesRcvd, pktsDrop; arg_uint16 actTCPcons, cloTCPcons; arg_uint16 actUDPcons, cloUDPcons; arg_uint16 actIPcons, cloIPcons; arg_uint16 actICMPcons, cloICMPcons; arg_uint16 actFRAGcons, cloFRAGcons; }; struct WriteStruct { arg_uint32 status; union { struct ipWriteStruct ip; struct arpWriteStruct arp; struct manInitStruct man_init; struct manStatStruct man_stat; } ws_trans_union; }; #define ws_ip ws_trans_union.ip #define ws_arp ws_trans_union.arp #define ws_init ws_trans_union.man_init #define ws_stat ws_trans_union.man_stat #define ws_ip_phys ws_trans_union.ip.ws_phys #define ws_ip_src ws_trans_union.ip.src #define ws_ip_dst ws_trans_union.ip.dst #define ws_ip_port ws_trans_union.ip.port #define ws_ip_inittcp ws_trans_union.ip.ipws_trans_union.inittcp #define ws_ip_tcp ws_trans_union.ip.ipws_trans_union.tcp #define ws_ip_udp ws_trans_union.ip.ipws_trans_union.udp #define ws_ip_icmp ws_trans_union.ip.ipws_trans_union.icmp #define ws_ip_frag ws_trans_union.ip.ipws_trans_union.frag #endif argus-5.0.2/include/argus/extract.h000066400000000000000000000211101471541253600172310ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Extract macros * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/gargoyle/argus/include/argus/extract.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifdef TCPDUMP_ALIGN #if BYTEORDER == LITTLE_ENDIAN #define EXTRACT_SHORT(p)\ ((u_short)\ ((u_short)*((u_char *)p+1)<<8|\ (u_short)*((u_char *)p+0)<<0)) #define EXTRACT_LONG(p)\ ((u_int32)*((u_char *)p+3)<<24|\ (u_int32)*((u_char *)p+2)<<16|\ (u_int32)*((u_char *)p+1)<<8|\ (u_int32)*((u_char *)p+0)<<0) #else #define EXTRACT_SHORT(p)\ ((u_short)\ ((u_short)*((u_char *)p+0)<<8|\ (u_short)*((u_char *)p+1)<<0)) #define EXTRACT_LONG(p)\ ((u_int32)*((u_char *)p+0)<<24|\ (u_int32)*((u_char *)p+1)<<16|\ (u_int32)*((u_char *)p+2)<<8|\ (u_int32)*((u_char *)p+3)<<0) #endif #else #define EXTRACT_SHORT(p) ((u_short)ntohs(*(u_short *)p)) #define EXTRACT_LONG(p) (ntohl(*(u_int32 *)p)) #endif /* * Copyright (c) 1992, 1993, 1994, 1995, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: //depot/gargoyle/argus/include/argus/extract.h#5 $ (LBL) */ /* * Macros to extract possibly-unaligned big-endian integral values. */ #ifdef LBL_ALIGN /* * The processor doesn't natively handle unaligned loads. */ #ifdef HAVE___ATTRIBUTE__ /* * We have __attribute__; we assume that means we have __attribute__((packed)). * Declare packed structures containing a u_int16_t and a u_int32_t, * cast the pointer to point to one of those, and fetch through it; * the GCC manual doesn't appear to explicitly say that * __attribute__((packed)) causes the compiler to generate unaligned-safe * code, but it apppears to do so. * * We do this in case the compiler can generate, for this instruction set, * better code to do an unaligned load and pass stuff to "ntohs()" or * "ntohl()" than the code to fetch the bytes one at a time and * assemble them. (That might not be the case on a little-endian platform, * where "ntohs()" and "ntohl()" might not be done inline.) */ typedef struct { u_int16_t val; } __attribute__((packed)) unaligned_u_int16_t; typedef struct { u_int32_t val; } __attribute__((packed)) unaligned_u_int32_t; #define EXTRACT_16BITS(p) \ ((u_int16_t)ntohs(((const unaligned_u_int16_t *)(p))->val)) #define EXTRACT_32BITS(p) \ ((u_int32_t)ntohl(((const unaligned_u_int32_t *)(p))->val)) #define EXTRACT_64BITS(p) \ ((u_int64_t)(((u_int64_t)ntohl(((const unaligned_u_int32_t *)(p) + 0)->val)) << 32 | \ ((u_int64_t)ntohl(((const unaligned_u_int32_t *)(p) + 1)->val)) << 0)) #else /* HAVE___ATTRIBUTE__ */ /* * We don't have __attribute__, so do unaligned loads of big-endian * quantities the hard way - fetch the bytes one at a time and * assemble them. */ #define EXTRACT_16BITS(p) \ ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 0) << 8 | \ (u_int16_t)*((const u_int8_t *)(p) + 1))) #define EXTRACT_32BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 24 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 2) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 3))) #define EXTRACT_64BITS(p) \ ((u_int64_t)((u_int64_t)*((const u_int8_t *)(p) + 0) << 56 | \ (u_int64_t)*((const u_int8_t *)(p) + 1) << 48 | \ (u_int64_t)*((const u_int8_t *)(p) + 2) << 40 | \ (u_int64_t)*((const u_int8_t *)(p) + 3) << 32 | \ (u_int64_t)*((const u_int8_t *)(p) + 4) << 24 | \ (u_int64_t)*((const u_int8_t *)(p) + 5) << 16 | \ (u_int64_t)*((const u_int8_t *)(p) + 6) << 8 | \ (u_int64_t)*((const u_int8_t *)(p) + 7))) #endif /* HAVE___ATTRIBUTE__ */ #else /* LBL_ALIGN */ /* * The processor natively handles unaligned loads, so we can just * cast the pointer and fetch through it. */ #define EXTRACT_16BITS(p) \ ((u_int16_t)ntohs(*(const u_int16_t *)(p))) #define EXTRACT_32BITS(p) \ ((u_int32_t)ntohl(*(const u_int32_t *)(p))) #define EXTRACT_64BITS(p) \ ((u_int64_t)(((u_int64_t)ntohl(*((const u_int32_t *)(p) + 0))) << 32 | \ ((u_int64_t)ntohl(*((const u_int32_t *)(p) + 1))) << 0)) #endif /* LBL_ALIGN */ #define EXTRACT_24BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 2))) /* * Macros to extract possibly-unaligned little-endian integral values. * XXX - do loads on little-endian machines that support unaligned loads? */ #define EXTRACT_LE_8BITS(p) (*(p)) #define EXTRACT_LE_16BITS(p) \ ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int16_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_32BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 3) << 24 | \ (u_int32_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_24BITS(p) \ ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int32_t)*((const u_int8_t *)(p) + 0))) #define EXTRACT_LE_64BITS(p) \ ((u_int64_t)((u_int64_t)*((const u_int8_t *)(p) + 7) << 56 | \ (u_int64_t)*((const u_int8_t *)(p) + 6) << 48 | \ (u_int64_t)*((const u_int8_t *)(p) + 5) << 40 | \ (u_int64_t)*((const u_int8_t *)(p) + 4) << 32 | \ (u_int64_t)*((const u_int8_t *)(p) + 3) << 24 | \ (u_int64_t)*((const u_int8_t *)(p) + 2) << 16 | \ (u_int64_t)*((const u_int8_t *)(p) + 1) << 8 | \ (u_int64_t)*((const u_int8_t *)(p) + 0))) argus-5.0.2/include/argus/fddi.h000066400000000000000000000075161471541253600165030ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. fddi.h * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus/fddi.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* * Copyright (c) 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ #if !defined(fddi_h) #define fddi_h /* * Based on Ultrix if_fddi.h */ /* * This stuff should come from a system header file, but there's no * obviously portable way to do that and it's not really going * to change from system to system (except for the padding business). */ struct fddi_header { #if defined(ultrix) || defined(__alpha) /* Ultrix pads to make everything line up on a nice boundary */ #define FDDIPAD 3 u_char fddi_ph[FDDIPAD]; #else #define FDDIPAD 0 #endif u_char fddi_fc; /* frame control */ u_char fddi_dhost[6]; u_char fddi_shost[6]; }; /* Useful values for fddi_fc (frame control) field */ /* * FDDI Frame Control bits */ #define FDDIFC_C 0x80 /* Class bit */ #define FDDIFC_L 0x40 /* Address length bit */ #define FDDIFC_F 0x30 /* Frame format bits */ #define FDDIFC_Z 0x0f /* Control bits */ /* * FDDI Frame Control values. (48-bit addressing only). */ #define FDDIFC_VOID 0x40 /* Void frame */ #define FDDIFC_NRT 0x80 /* Nonrestricted token */ #define FDDIFC_RT 0xc0 /* Restricted token */ #define FDDIFC_SMT_INFO 0x41 /* SMT Info */ #define FDDIFC_SMT_NSA 0x4F /* SMT Next station adrs */ #define FDDIFC_MAC_BEACON 0xc2 /* MAC Beacon frame */ #define FDDIFC_MAC_CLAIM 0xc3 /* MAC Claim frame */ #define FDDIFC_LLC_ASYNC 0x50 /* Async. LLC frame */ #define FDDIFC_LLC_SYNC 0xd0 /* Sync. LLC frame */ #define FDDIFC_IMP_ASYNC 0x60 /* Implementor Async. */ #define FDDIFC_IMP_SYNC 0xe0 /* Implementor Synch. */ #define FDDIFC_SMT 0x40 /* SMT frame */ #define FDDIFC_MAC 0xc0 /* MAC frame */ #define FDDIFC_CLFF 0xF0 /* Class/Length/Format bits */ #define FDDIFC_ZZZZ 0x0F /* Control bits */ #endif argus-5.0.2/include/argus/gencode.h000066400000000000000000000235501471541253600171750ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. gencode.h * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1990, 1991, 1992, 1993, 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/gargoyle/argus/include/argus/gencode.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* * filter.h must be included before this file. */ #include /* Address qualifers. */ #define Q_HOST 1 #define Q_SRCID 2 #define Q_NET 3 #define Q_PORT 4 #define Q_GATEWAY 5 #define Q_PROTO 6 #define Q_IPID 7 #define Q_TTL 8 #define Q_TOS 9 #define Q_DSB 10 #define Q_VID 11 #define Q_VPRI 12 #define Q_MPLSID 13 #define Q_SERVICE 14 #define Q_BYTE 15 #define Q_PKT 16 #define Q_TCPBASE 17 #define Q_TRANS 18 #define Q_RATE 19 #define Q_LOAD 20 #define Q_INTER 21 #define Q_JITTER 22 #define Q_DUR 23 #define Q_AVGDUR 24 #define Q_DELTADUR 25 #define Q_DELTASTART 26 #define Q_DELTALAST 27 #define Q_DELTASPKTS 28 #define Q_DELTADPKTS 29 #define Q_SPI 30 #define Q_LOSS 31 #define Q_PLOSS 32 #define Q_ABR 139 #define Q_PCR 139 #define Q_APPBYTE 33 #define Q_CO 34 #define Q_COCODE 35 #define Q_INODE 36 #define Q_ASN 37 #define Q_SEQ 137 #define Q_STRING 138 #define Q_INTEGER 139 #define Q_FLOAT 140 #define Q_GAP 141 #define Q_DUP 142 /* Protocol qualifiers. */ #define Q_MAN 38 #define Q_FAR 132 #define Q_EVENT 133 #define Q_INDEX 134 /* Keystroke Behavior Keywords */ #define Q_NKEY 135 #define Q_NSTROKE 136 #define Q_LINK 39 #define Q_IP 40 #define Q_IPV6 41 #define Q_IPV4 42 #define Q_IB 43 #define Q_IBGBL 44 #define Q_IBLCL 45 #define Q_ISO 46 #define Q_SVC 47 #define Q_ETHER 48 #define Q_LLC 49 #define Q_ARP 50 #define Q_RARP 51 #define Q_TCP 52 #define Q_UDP 53 #define Q_ICMP 54 #define Q_IGMP 55 #define Q_IGRP 56 #define Q_UDT 57 #define Q_LID 58 #define Q_QP 59 #define Q_DECNET 60 #define Q_LAT 62 #define Q_MOPRC 63 #define Q_MOPDL 64 #define Q_ANON 65 #define Q_MERGED 66 /* TCP Protocol qualifiers. */ #define Q_NORMAL 67 #define Q_MULTIPATH 68 #define Q_RESET 69 #define Q_TIMEDOUT 70 #define Q_WINSHUT 71 #define Q_ESTABLISHED 72 #define Q_RETRANS 73 #define Q_SRCRETRANS 74 #define Q_DSTRETRANS 75 #define Q_OUTOFORDER 76 #define Q_SRCOUTOFORDER 77 #define Q_DSTOUTOFORDER 78 #define Q_FRAG 79 #define Q_SRCFRAG 80 #define Q_DSTFRAG 81 #define Q_FRAG_ONLY 82 #define Q_CONNECTED 83 #define Q_REJECT 84 #define Q_ECHO 85 #define Q_UNREACH 86 #define Q_REDIRECT 87 #define Q_TIMEXED 88 #define Q_LOOP 89 #define Q_CORRELATED 90 #define Q_ICMPMAP 91 #define Q_SYN 92 #define Q_SYNACK 93 #define Q_DATA 94 #define Q_SRCDATA 95 #define Q_DSTDATA 96 #define Q_FIN 97 #define Q_FINACK 98 #define Q_WAIT 99 #define Q_ACK 100 #define Q_URGENT 101 #define Q_PUSH 102 #define Q_ECE 103 #define Q_CWR 104 #define Q_TCPRTT 105 /* RTP Protocol qualifiers. */ #define Q_RTP 106 #define Q_RTCP 107 #define Q_ESP 108 #define Q_ECN 109 #define Q_MPLS 110 #define Q_VLAN 111 #define Q_RTR 112 #define Q_MBR 113 #define Q_LVG 114 /* Cause qualifers. */ #define Q_START 115 #define Q_STOP 116 #define Q_STATUS 117 #define Q_SHUTDOWN 118 #define Q_ERROR 119 /* Application Specific qualifers. */ #define Q_DNS 120 /* Encapsulations */ #define Q_ENCAPS 121 /* ISIS */ #define Q_ISIS 122 #define Q_HELLO 123 #define Q_LSP 124 #define Q_CSNP 125 #define Q_PSNP 126 #define Q_RSVP 127 /* Directional qualifers. */ #define Q_SRC 128 #define Q_DST 129 #define Q_OR 130 #define Q_AND 131 /* TCP Option qualifiers. */ #define Q_TCPOPT 143 #define Q_MSS 144 #define Q_WSCALE 145 #define Q_SELECTIVEACKOK 146 #define Q_SELECTIVEACK 147 #define Q_TCPECHO 148 #define Q_TCPECHOREPLY 149 #define Q_TCPTIMESTAMP 150 #define Q_TCPCC 151 #define Q_TCPCCNEW 152 #define Q_TCPCCECHO 153 #define Q_SECN 154 #define Q_DECN 155 #define Q_JITTERACTIVE 156 #define Q_JITTERIDLE 157 #define Q_INTERACTIVE 158 #define Q_INTERIDLE 159 #define Q_DEFAULT 0 #define Q_UNDEF 255 /* Operational qualifiers. */ #define Q_EQUAL 1 #define Q_LESS 2 #define Q_GREATER 3 #define Q_GEQ 4 #define Q_LEQ 5 /* DNS Opcode qualifiers. */ #define Q_AUTH 1 #define Q_RECURS 2 struct stmt { u_int dsr; int code, type; struct slist *jt; /*only for relative jump in ablock*/ struct slist *jf; /*only for relative jump in ablock*/ union { int i; float f; char s[8]; long long k; } data; }; struct slist { struct stmt s; struct slist *next; }; /* * A bit vector to represent definition sets. We assume TOT_REGISTERS * is smaller than 8*sizeof(atomset). */ typedef unsigned int atomset; #define ATOMMASK(n) (1 << (n)) #define ATOMELEM(d, n) (d & ATOMMASK(n)) /* * An unbounded set. */ typedef unsigned int *uset; /* * Total number of atomic entities, including accumulator (A) and index (X). * We treat all these guys similarly during flow analysis. */ #define N_ATOMS (NFF_MEMWORDS+2) struct edge { int id; int code; uset edom; struct ablock *succ; struct ablock *pred; struct edge *next; /* link list of incoming edges for a node */ }; struct ablock { int id; struct slist *stmts; /* side effect stmts */ struct stmt s; /* branch stmt */ int mark; int longjt; /* jt branch requires long jump */ int longjf; /* jf branch requires long jump */ int level; int offset; int sense; struct edge et; struct edge ef; struct ablock *head; struct ablock *link; /* link field used by optimizer */ uset dom; uset closure; struct edge *in_edges; atomset def, kill; atomset in_use; atomset out_use; long long oval; long long val[N_ATOMS]; }; struct arth { struct ablock *b; /* protocol checks */ struct slist *s; /* stmt list */ int regno; /* virtual register number of result */ }; struct qual { unsigned short type; /* is this IPv4 or IPv6; */ unsigned short proto; unsigned char dir; unsigned char addr; }; #define ARGUS_ADDR_VALUE 1 #define ARGUS_FLOAT_VALUE 2 #ifndef __GNUC__ #define volatile #endif /* #define yylex argus_lex #define yyparse argus_parse */ extern int argus_lex(void); extern int argus_parse (void); extern void argus_lex_init(char *buf); struct arth *ArgusLoadI(int); struct arth *ArgusLoad(int, struct arth *, int); struct arth *ArgusLoadLen(void); struct arth *ArgusArth(int, struct arth *, struct arth *); struct arth *ArgusNeg(struct arth *); void Argusgen_and(struct ablock *, struct ablock *); void Argusgen_or(struct ablock *, struct ablock *); void Argusgen_not(struct ablock *); struct ablock *Argusgen_stat(struct ablock *, struct ablock *, unsigned int); struct ablock *Argusgen_ocode(int, struct qual); struct ablock *Argusgen_scode(char *, struct qual); struct ablock *Argusgen_tcode(int, struct qual); struct ablock *Argusgen_ecode(unsigned char *, struct qual); struct ablock *Argusgen_mcode(char *, char *, int, struct qual); struct ablock *Argusgen_ncode(char *, int, struct qual, unsigned int); struct ablock *Argusgen_fcode(char *, float, struct qual, unsigned int); struct ablock *Argusgen_proto_abbrev(int); struct ablock *Argusgen_relation(int, struct arth *, struct arth *, int); struct ablock *Argusgen_less(int); struct ablock *Argusgen_greater(int); struct ablock *Argusgen_byteop(int, int, int); struct ablock *Argusgen_broadcast(int); struct ablock *Argusgen_multicast(int); struct ablock *Argusgen_inbound(int); struct ablock *Argusgen_dns(int, int, int); struct ablock *Argusgen_appbytes(int, int, u_int); void Argusnff_optimize(struct ablock **); void Argus_error(char *fmt, ...); void Argusfinish_parse(struct ablock *); char *Argussdup(char *); struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); int Arguspcap_parse(void); void Arguslex_init(char *); void Argussappend(struct slist *, struct slist *); char *ArgusFilterCompile(struct nff_program *, char *, int); /* XXX */ #define JT(b) ((b)->et.succ) #define JF(b) ((b)->ef.succ) argus-5.0.2/include/argus/global.h000066400000000000000000000016741471541253600170340ustar00rootroot00000000000000/* GLOBAL.H - RSAREF types and constants */ /* * $Id: //depot/argus/argus-3.0/clients/include/global.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* PROTOTYPES should be set to one if and only if the compiler supports function argument prototyping. The following makes PROTOTYPES default to 0 if it has not already been defined with C compiler flags. */ #ifndef GLOBAL_H #define GLOBAL_H 0 #ifndef PROTOTYPES #define PROTOTYPES 0 #endif /* POINTER defines a generic pointer type */ typedef unsigned char *POINTER; /* UINT2 defines a two byte word */ typedef unsigned short int UINT2; /* UINT4 defines a four byte word */ typedef unsigned long int UINT4; /* PROTO_LIST is defined depending on how PROTOTYPES is defined above. If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it returns an empty list. */ #if PROTOTYPES #define PROTO_LIST(list) list #else #define PROTO_LIST(list) () #endif #endif argus-5.0.2/include/argus/ieee802_11.h000066400000000000000000000444021471541253600172320ustar00rootroot00000000000000/* @(#) $Header: /tcpdump/master/tcpdump/ieee802_11.h,v 1.9.4.2 2005/11/13 12:07:44 guy Exp $ (LBL) */ /* * Copyright (c) 2001 * Fortress Technologies * Charlie Lenahan ( clenahan@fortresstech.com ) * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ #if !defined(ARGUS_802_11) #define ARGUS_802_11 /* Lengths of 802.11 header components. */ #define IEEE802_11_FC_LEN 2 #define IEEE802_11_DUR_LEN 2 #define IEEE802_11_DA_LEN 6 #define IEEE802_11_SA_LEN 6 #define IEEE802_11_BSSID_LEN 6 #define IEEE802_11_RA_LEN 6 #define IEEE802_11_TA_LEN 6 #define IEEE802_11_SEQ_LEN 2 #define IEEE802_11_IV_LEN 3 #define IEEE802_11_KID_LEN 1 /* Frame check sequence length. */ #define IEEE802_11_FCS_LEN 4 /* Lengths of beacon components. */ #define IEEE802_11_TSTAMP_LEN 8 #define IEEE802_11_BCNINT_LEN 2 #define IEEE802_11_CAPINFO_LEN 2 #define IEEE802_11_LISTENINT_LEN 2 #define IEEE802_11_AID_LEN 2 #define IEEE802_11_STATUS_LEN 2 #define IEEE802_11_REASON_LEN 2 /* Length of previous AP in reassocation frame */ #define IEEE802_11_AP_LEN 6 #define T_MGMT 0x0 /* management */ #define T_CTRL 0x1 /* control */ #define T_DATA 0x2 /* data */ #define T_RESV 0x3 /* reserved */ #define ST_ASSOC_REQUEST 0x0 #define ST_ASSOC_RESPONSE 0x1 #define ST_REASSOC_REQUEST 0x2 #define ST_REASSOC_RESPONSE 0x3 #define ST_PROBE_REQUEST 0x4 #define ST_PROBE_RESPONSE 0x5 /* RESERVED 0x6 */ /* RESERVED 0x7 */ #define ST_BEACON 0x8 #define ST_ATIM 0x9 #define ST_DISASSOC 0xA #define ST_AUTH 0xB #define ST_DEAUTH 0xC /* RESERVED 0xD */ /* RESERVED 0xE */ /* RESERVED 0xF */ #define CTRL_PS_POLL 0xA #define CTRL_RTS 0xB #define CTRL_CTS 0xC #define CTRL_ACK 0xD #define CTRL_CF_END 0xE #define CTRL_END_ACK 0xF #define DATA_DATA 0x0 #define DATA_DATA_CF_ACK 0x1 #define DATA_DATA_CF_POLL 0x2 #define DATA_DATA_CF_ACK_POLL 0x3 #define DATA_NODATA 0x4 #define DATA_NODATA_CF_ACK 0x5 #define DATA_NODATA_CF_POLL 0x6 #define DATA_NODATA_CF_ACK_POLL 0x7 #define DATA_QOS_DATA 0x8 #define DATA_QOS_DATA_CF_ACK 0x9 #define DATA_QOS_DATA_CF_POLL 0xA #define DATA_QOS_DATA_CF_ACK_POLL 0xB #define DATA_QOS_NODATA 0xC #define DATA_QOS_CF_POLL_NODATA 0xE #define DATA_QOS_CF_ACK_POLL_NODATA 0xF /* * The subtype field of a data frame is, in effect, composed of 4 flag * bits - CF-Ack, CF-Poll, Null (means the frame doesn't actually have * any data), and QoS. */ #define DATA_FRAME_IS_CF_ACK(x) ((x) & 0x01) #define DATA_FRAME_IS_CF_POLL(x) ((x) & 0x02) #define DATA_FRAME_IS_NULL(x) ((x) & 0x04) #define DATA_FRAME_IS_QOS(x) ((x) & 0x08) /* * Bits in the frame control field. */ #define FC_VERSION(fc) ((fc) & 0x3) #define FC_TYPE(fc) (((fc) >> 2) & 0x3) #define FC_SUBTYPE(fc) (((fc) >> 4) & 0xF) #define FC_TO_DS(fc) ((fc) & 0x0100) #define FC_FROM_DS(fc) ((fc) & 0x0200) #define FC_MORE_FLAG(fc) ((fc) & 0x0400) #define FC_RETRY(fc) ((fc) & 0x0800) #define FC_POWER_MGMT(fc) ((fc) & 0x1000) #define FC_MORE_DATA(fc) ((fc) & 0x2000) #define FC_WEP(fc) ((fc) & 0x4000) #define FC_ORDER(fc) ((fc) & 0x8000) struct mgmt_header_t { u_int16_t fc; u_int16_t duration; u_int8_t da[6]; u_int8_t sa[6]; u_int8_t bssid[6]; u_int16_t seq_ctrl; }; #define MGMT_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_DA_LEN+IEEE802_11_SA_LEN+\ IEEE802_11_BSSID_LEN+IEEE802_11_SEQ_LEN) #define CAPABILITY_ESS(cap) ((cap) & 0x0001) #define CAPABILITY_IBSS(cap) ((cap) & 0x0002) #define CAPABILITY_CFP(cap) ((cap) & 0x0004) #define CAPABILITY_CFP_REQ(cap) ((cap) & 0x0008) #define CAPABILITY_PRIVACY(cap) ((cap) & 0x0010) typedef enum { NOT_PRESENT, PRESENT, TRUNCATED } elem_status_t; struct ssid_t { u_int8_t element_id; u_int8_t length; u_char ssid[33]; /* 32 + 1 for null */ }; struct rates_t { u_int8_t element_id; u_int8_t length; u_int8_t rate[16]; }; struct challenge_t { u_int8_t element_id; u_int8_t length; u_int8_t text[254]; /* 1-253 + 1 for null */ }; struct fh_t { u_int8_t element_id; u_int8_t length; u_int16_t dwell_time; u_int8_t hop_set; u_int8_t hop_pattern; u_int8_t hop_index; }; struct ds_t { u_int8_t element_id; u_int8_t length; u_int8_t channel; }; struct cf_t { u_int8_t element_id; u_int8_t length; u_int8_t count; u_int8_t period; u_int16_t max_duration; u_int16_t dur_remaing; }; struct tim_t { u_int8_t element_id; u_int8_t length; u_int8_t count; u_int8_t period; u_int8_t bitmap_control; u_int8_t bitmap[251]; }; #define E_SSID 0 #define E_RATES 1 #define E_FH 2 #define E_DS 3 #define E_CF 4 #define E_TIM 5 #define E_IBSS 6 /* reserved 7 */ /* reserved 8 */ /* reserved 9 */ /* reserved 10 */ /* reserved 11 */ /* reserved 12 */ /* reserved 13 */ /* reserved 14 */ /* reserved 15 */ /* reserved 16 */ #define E_CHALLENGE 16 /* reserved 17 */ /* reserved 18 */ /* reserved 19 */ /* reserved 16 */ /* reserved 16 */ struct mgmt_body_t { u_int8_t timestamp[IEEE802_11_TSTAMP_LEN]; u_int16_t beacon_interval; u_int16_t listen_interval; u_int16_t status_code; u_int16_t aid; u_char ap[IEEE802_11_AP_LEN]; u_int16_t reason_code; u_int16_t auth_alg; u_int16_t auth_trans_seq_num; elem_status_t challenge_status; struct challenge_t challenge; u_int16_t capability_info; elem_status_t ssid_status; struct ssid_t ssid; elem_status_t rates_status; struct rates_t rates; elem_status_t ds_status; struct ds_t ds; elem_status_t cf_status; struct cf_t cf; elem_status_t fh_status; struct fh_t fh; elem_status_t tim_status; struct tim_t tim; }; struct ctrl_rts_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t ta[6]; u_int8_t fcs[4]; }; #define CTRL_RTS_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_TA_LEN) struct ctrl_cts_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t fcs[4]; }; #define CTRL_CTS_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+IEEE802_11_RA_LEN) struct ctrl_ack_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t fcs[4]; }; #define CTRL_ACK_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+IEEE802_11_RA_LEN) struct ctrl_ps_poll_t { u_int16_t fc; u_int16_t aid; u_int8_t bssid[6]; u_int8_t ta[6]; u_int8_t fcs[4]; }; #define CTRL_PS_POLL_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_AID_LEN+\ IEEE802_11_BSSID_LEN+IEEE802_11_TA_LEN) struct ctrl_end_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t bssid[6]; u_int8_t fcs[4]; }; #define CTRL_END_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_BSSID_LEN) struct ctrl_end_ack_t { u_int16_t fc; u_int16_t duration; u_int8_t ra[6]; u_int8_t bssid[6]; u_int8_t fcs[4]; }; #define CTRL_END_ACK_HDRLEN (IEEE802_11_FC_LEN+IEEE802_11_DUR_LEN+\ IEEE802_11_RA_LEN+IEEE802_11_BSSID_LEN) #define IV_IV(iv) ((iv) & 0xFFFFFF) #define IV_PAD(iv) (((iv) >> 24) & 0x3F) #define IV_KEYID(iv) (((iv) >> 30) & 0x03) /* $FreeBSD: src/sys/net80211/ieee80211_radiotap.h,v 1.5 2005/01/22 20:12:05 sam Exp $ */ /* $NetBSD: ieee80211_radiotap.h,v 1.18 2007/03/26 21:22:35 dyoung Exp $ */ /*- * Copyright (c) 2003, 2004 David Young. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of David Young may not be used to endorse or promote * products derived from this software without specific prior * written permission. * * THIS SOFTWARE IS PROVIDED BY DAVID YOUNG ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL DAVID * YOUNG BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY * OF SUCH DAMAGE. */ #ifndef _NET80211_IEEE80211_RADIOTAP_H_ #define _NET80211_IEEE80211_RADIOTAP_H_ /* A generic radio capture format is desirable. It must be * rigidly defined (e.g., units for fields should be given), * and easily extensible. * * The following is an extensible radio capture format. It is * based on a bitmap indicating which fields are present. * * I am trying to describe precisely what the application programmer * should expect in the following, and for that reason I tell the * units and origin of each measurement (where it applies), or else I * use sufficiently weaselly language ("is a monotonically nondecreasing * function of...") that I cannot set false expectations for lawyerly * readers. */ #if defined(__KERNEL__) || defined(_KERNEL) #ifndef DLT_IEEE802_11_RADIO #define DLT_IEEE802_11_RADIO 127 /* 802.11 plus WLAN header */ #endif #endif /* defined(__KERNEL__) || defined(_KERNEL) */ /* XXX tcpdump/libpcap do not tolerate variable-length headers, * yet, so we pad every radiotap header to 64 bytes. Ugh. */ #define IEEE80211_RADIOTAP_HDRLEN 64 /* * The radio capture header precedes the 802.11 header. * * Note well: all radiotap fields are little-endian. */ struct ieee80211_radiotap_header { uint8_t it_version; /* Version 0. Only increases * for drastic changes, * introduction of compatible * new fields does not count. */ uint8_t it_pad; uint16_t it_len; /* length of the whole * header in bytes, including * it_version, it_pad, * it_len, and data fields. */ uint32_t it_present; /* A bitmap telling which * fields are present. Set bit 31 * (0x80000000) to extend the * bitmap by another 32 bits. * Additional extensions are made * by setting bit 31. */ //} __attribute__((__packed__, __aligned__(2))); }; struct ieee80211_xchannel { u_int32_t bitmap; u_int16_t mhz; u_int8_t channum; u_int8_t powercap; }; struct ieee80211_radiotap { struct ieee80211_radiotap_header hdr; u_int64_t tsft; u_int16_t txchan, rxchan; u_int16_t fhss; u_int8_t rate; u_int8_t dbm_antsignal; u_int8_t dbm_antnoise; u_int8_t db_antsignal; u_int8_t db_antnoise; u_int16_t lock_quality; u_int16_t tx_attenuation; u_int16_t db_tx_attenuation; u_int8_t dbm_tx_power; u_int8_t flags; u_int8_t antenna; struct ieee80211_xchannel xchan; }; /* * Name Data type Units * ---- --------- ----- * * IEEE80211_RADIOTAP_TSFT uint64_t microseconds * * Value in microseconds of the MAC's 64-bit 802.11 Time * Synchronization Function timer when the first bit of the * MPDU arrived at the MAC. For received frames, only. * * IEEE80211_RADIOTAP_CHANNEL 2 x uint16_t MHz, bitmap * * Tx/Rx frequency in MHz, followed by flags (see below). * * IEEE80211_RADIOTAP_FHSS uint16_t see below * * For frequency-hopping radios, the hop set (first byte) * and pattern (second byte). * * IEEE80211_RADIOTAP_RATE uint8_t 500kb/s * * Tx/Rx data rate * * IEEE80211_RADIOTAP_DBM_ANTSIGNAL int8_t decibels from * one milliwatt (dBm) * * RF signal power at the antenna, decibel difference from * one milliwatt. * * IEEE80211_RADIOTAP_DBM_ANTNOISE int8_t decibels from * one milliwatt (dBm) * * RF noise power at the antenna, decibel difference from one * milliwatt. * * IEEE80211_RADIOTAP_DB_ANTSIGNAL uint8_t decibel (dB) * * RF signal power at the antenna, decibel difference from an * arbitrary, fixed reference. * * IEEE80211_RADIOTAP_DB_ANTNOISE uint8_t decibel (dB) * * RF noise power at the antenna, decibel difference from an * arbitrary, fixed reference point. * * IEEE80211_RADIOTAP_LOCK_QUALITY uint16_t unitless * * Quality of Barker code lock. Unitless. Monotonically * nondecreasing with "better" lock strength. Called "Signal * Quality" in datasheets. (Is there a standard way to measure * this?) * * IEEE80211_RADIOTAP_TX_ATTENUATION uint16_t unitless * * Transmit power expressed as unitless distance from max * power set at factory calibration. 0 is max power. * Monotonically nondecreasing with lower power levels. * * IEEE80211_RADIOTAP_DB_TX_ATTENUATION uint16_t decibels (dB) * * Transmit power expressed as decibel distance from max power * set at factory calibration. 0 is max power. Monotonically * nondecreasing with lower power levels. * * IEEE80211_RADIOTAP_DBM_TX_POWER int8_t decibels from * one milliwatt (dBm) * * Transmit power expressed as dBm (decibels from a 1 milliwatt * reference). This is the absolute power level measured at * the antenna port. * * IEEE80211_RADIOTAP_FLAGS uint8_t bitmap * * Properties of transmitted and received frames. See flags * defined below. * * IEEE80211_RADIOTAP_ANTENNA uint8_t antenna index * * Unitless indication of the Rx/Tx antenna for this packet. * The first antenna is antenna 0. * * IEEE80211_RADIOTAP_RX_FLAGS uint16_t bitmap * * Properties of received frames. See flags defined below. * * IEEE80211_RADIOTAP_TX_FLAGS uint16_t bitmap * * Properties of transmitted frames. See flags defined below. * * IEEE80211_RADIOTAP_RTS_RETRIES uint8_t data * * Number of rts retries a transmitted frame used. * * IEEE80211_RADIOTAP_DATA_RETRIES uint8_t data * * Number of unicast retries a transmitted frame used. */ enum ieee80211_radiotap_type { IEEE80211_RADIOTAP_TSFT = 0, IEEE80211_RADIOTAP_FLAGS = 1, IEEE80211_RADIOTAP_RATE = 2, IEEE80211_RADIOTAP_CHANNEL = 3, IEEE80211_RADIOTAP_FHSS = 4, IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 5, IEEE80211_RADIOTAP_DBM_ANTNOISE = 6, IEEE80211_RADIOTAP_LOCK_QUALITY = 7, IEEE80211_RADIOTAP_TX_ATTENUATION = 8, IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 9, IEEE80211_RADIOTAP_DBM_TX_POWER = 10, IEEE80211_RADIOTAP_ANTENNA = 11, IEEE80211_RADIOTAP_DB_ANTSIGNAL = 12, IEEE80211_RADIOTAP_DB_ANTNOISE = 13, IEEE80211_RADIOTAP_RX_FLAGS = 14, IEEE80211_RADIOTAP_TX_FLAGS = 15, IEEE80211_RADIOTAP_RTS_RETRIES = 16, IEEE80211_RADIOTAP_DATA_RETRIES = 17, IEEE80211_RADIOTAP_XCHANNEL = 18, IEEE80211_RADIOTAP_EXT = 31 }; #ifndef _KERNEL /* Channel flags. */ #define IEEE80211_CHAN_TURBO 0x0010 /* Turbo channel */ #define IEEE80211_CHAN_CCK 0x0020 /* CCK channel */ #define IEEE80211_CHAN_OFDM 0x0040 /* OFDM channel */ #define IEEE80211_CHAN_2GHZ 0x0080 /* 2 GHz spectrum channel. */ #define IEEE80211_CHAN_5GHZ 0x0100 /* 5 GHz spectrum channel */ #define IEEE80211_CHAN_PASSIVE 0x0200 /* Only passive scan allowed */ #define IEEE80211_CHAN_DYN 0x0400 /* Dynamic CCK-OFDM channel */ #define IEEE80211_CHAN_GFSK 0x0800 /* GFSK channel (FHSS PHY) */ #endif /* !_KERNEL */ /* For IEEE80211_RADIOTAP_FLAGS */ #define IEEE80211_RADIOTAP_F_CFP 0x01 /* sent/received * during CFP */ #define IEEE80211_RADIOTAP_F_SHORTPRE 0x02 /* sent/received * with short * preamble */ #define IEEE80211_RADIOTAP_F_WEP 0x04 /* sent/received * with WEP encryption */ #define IEEE80211_RADIOTAP_F_FRAG 0x08 /* sent/received * with fragmentation */ #define IEEE80211_RADIOTAP_F_FCS 0x10 /* frame includes FCS */ #define IEEE80211_RADIOTAP_F_DATAPAD 0x20 /* frame has padding between * 802.11 header and payload * (to 32-bit boundary) */ #define IEEE80211_RADIOTAP_F_BADFCS 0x40 /* does not pass FCS check */ /* For IEEE80211_RADIOTAP_RX_FLAGS */ #define IEEE80211_RADIOTAP_F_RX_BADFCS 0x0001 /* Frame failed CRC check. * * Deprecated: use the flag * IEEE80211_RADIOTAP_F_BADFCS in * the IEEE80211_RADIOTAP_FLAGS * field, instead. */ /* For IEEE80211_RADIOTAP_TX_FLAGS */ #define IEEE80211_RADIOTAP_F_TX_FAIL 0x0001 /* failed due to excessive * retries */ #define IEEE80211_RADIOTAP_F_TX_CTS 0x0002 /* used cts 'protection' */ #define IEEE80211_RADIOTAP_F_TX_RTS 0x0004 /* used rts/cts handshake */ #endif /* !_NET80211_IEEE80211_RADIOTAP_H_ */ #endif argus-5.0.2/include/argus/md5.h000066400000000000000000000026761471541253600162640ustar00rootroot00000000000000/* MD5.H - header file for MD5C.C */ /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. */ /* * $Id: //depot/argus/argus-3.0/clients/include/md5.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ /* MD5 context. */ #ifndef MD5_H #define MD5_H 0 typedef struct { UINT4 state[4]; /* state (ABCD) */ UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ unsigned char buffer[64]; /* input buffer */ } MD5_CTX; void MD5Init (MD5_CTX *); void MD5Update (MD5_CTX *, unsigned char *, unsigned int); void MD5Final (unsigned char [16], MD5_CTX *); #endif argus-5.0.2/include/argus/ppp.h000066400000000000000000000045701471541253600163710ustar00rootroot00000000000000/* * Point to Point Protocol (PPP) RFC1331 * * Copyright 1989 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/argus/argus-3.0/clients/include/ppp.h#5 $ * $DateTime: 2006/02/23 13:25:52 $ * $Change: 627 $ */ #define PPP_ADDRESS 0xff /* The address byte value */ #define PPP_CONTROL 0x03 /* The control byte value */ /* Protocol numbers */ #define PPP_IP 0x0021 /* Raw IP */ #define PPP_OSI 0x0023 /* OSI Network Layer */ #define PPP_NS 0x0025 /* Xerox NS IDP */ #define PPP_DECNET 0x0027 /* DECnet Phase IV */ #define PPP_APPLE 0x0029 /* Appletalk */ #define PPP_IPX 0x002b /* Novell IPX */ #define PPP_VJC 0x002d /* Van Jacobson Compressed TCP/IP */ #define PPP_VJNC 0x002f /* Van Jacobson Uncompressed TCP/IP */ #define PPP_BRPDU 0x0031 /* Bridging PDU */ #define PPP_STII 0x0033 /* Stream Protocol (ST-II) */ #define PPP_VINES 0x0035 /* Banyan Vines */ #define PPP_HELLO 0x0201 /* 802.1d Hello Packets */ #define PPP_LUXCOM 0x0231 /* Luxcom */ #define PPP_SNS 0x0233 /* Sigma Network Systems */ #define PPP_IPCP 0x8021 /* IP Control Protocol */ #define PPP_OSICP 0x8023 /* OSI Network Layer Control Protocol */ #define PPP_NSCP 0x8025 /* Xerox NS IDP Control Protocol */ #define PPP_DECNETCP 0x8027 /* DECnet Control Protocol */ #define PPP_APPLECP 0x8029 /* Appletalk Control Protocol */ #define PPP_IPXCP 0x802b /* Novell IPX Control Protocol */ #define PPP_STIICP 0x8033 /* Strean Protocol Control Protocol */ #define PPP_VINESCP 0x8035 /* Banyan Vines Control Protocol */ #define PPP_LCP 0xc021 /* Link Control Protocol */ #define PPP_PAP 0xc023 /* Password Authentication Protocol */ #define PPP_LQM 0xc025 /* Link Quality Monitoring */ #define PPP_CHAP 0xc223 /* Challenge Handshake Authentication Protocol */ argus-5.0.2/include/argus/saslint.h000066400000000000000000000113361471541253600172450ustar00rootroot00000000000000/* saslint.h - internal SASL library definitions * Tim Martin */ /* * Copyright (c) 2000 Carnegie Mellon University. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The name "Carnegie Mellon University" must not be used to * endorse or promote products derived from this software without * prior written permission. For permission or any other legal * details, please contact * Office of Technology Transfer * Carnegie Mellon University * 5000 Forbes Avenue * Pittsburgh, PA 15213-3890 * (412) 268-4387, fax: (412) 268-7395 * tech-transfer@andrew.cmu.edu * * 4. Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by Computing Services * at Carnegie Mellon University (http://www.cmu.edu/computing/)." * * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* * $Id: //depot/gargoyle/argus/include/argus/saslint.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #if !defined(Saslint_h) #define Saslint_h #include typedef struct { const sasl_callback_t *callbacks; const char *appname; } sasl_global_callbacks_t; typedef struct sasl_mech_secret { unsigned long len; unsigned long mechoffset; /* 0 if plain mechanism */ unsigned long useroffset; char buf[1]; } sasl_mech_secret_t; typedef struct sasl_credentials sasl_credentials_t; typedef struct sasl_out_params { int doneflag; /* exchange complete */ sasl_ssf_t mech_ssf; /* security layer strength factor of mech */ unsigned maxoutbuf; /* max plain output to security layer */ /* mic functions differs from encode in that the output is intended to be * appended to the input rather than an encapsulated variant of it. * a plugin which supports getmic()/verifymic() but not * encode()/decode() should be exportable. Ditto for framework. * datalen param of verifymic returns length of data in buffer */ void *encode_context; int (*encode)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); int (*getmic)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); void *decode_context; int (*decode)(void *context, const char *input, unsigned inputlen, char **output, unsigned *outputlen); int (*verifymic)(void *context, const char *input, unsigned inputlen, unsigned *datalen); char *user; /* canonicalized user name */ char *authid; /* canonicalized authentication id */ char *realm; /* security realm */ /* set to 0 initially, this allows a plugin with extended parameters * to work with an older framework by updating version as parameters * are added. */ int param_version; /* Credentials passed by clients. NOTE: this should ONLY * be set by server plugins. */ sasl_credentials_t *credentials; } sasl_out_params_t; struct sasl_conn { void (*destroy_conn)(sasl_conn_t *); /* destroy function */ int open; /* connection open or not */ char *service; int secflags; /* security layer flags passed to sasl_*_new */ int got_ip_local, got_ip_remote; struct sockaddr_in ip_local, ip_remote; sasl_external_properties_t external; void *context; sasl_out_params_t oparams; sasl_security_properties_t props; sasl_secret_t *secret; int uses_sec_layer; /* if need to encrypt/decrpt all transmissions */ void *mutex; int (*idle_hook)(sasl_conn_t *conn); const sasl_callback_t *callbacks; const sasl_global_callbacks_t *global_callbacks; /* global callbacks * for this * connection */ char *serverFQDN; }; #endif /* SASLINT_H */ argus-5.0.2/include/argus/sll.h000066400000000000000000000130461471541253600163620ustar00rootroot00000000000000/*- * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/gargoyle/argus/include/argus/sll.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #if !defined(sll_h) #define sll_h /* * For captures on Linux cooked sockets, we construct a fake header * that includes: * * a 2-byte "packet type" which is one of: * * LINUX_SLL_HOST packet was sent to us * LINUX_SLL_BROADCAST packet was broadcast * LINUX_SLL_MULTICAST packet was multicast * LINUX_SLL_OTHERHOST packet was sent to somebody else * LINUX_SLL_OUTGOING packet was sent *by* us; * * a 2-byte Ethernet protocol field; * * a 2-byte link-layer type; * * a 2-byte link-layer address length; * * an 8-byte source link-layer address, whose actual length is * specified by the previous value. * * All fields except for the link-layer address are in network byte order. * * DO NOT change the layout of this structure, or change any of the * LINUX_SLL_ values below. If you must change the link-layer header * for a "cooked" Linux capture, introduce a new DLT_ type (ask * "tcpdump-workers@tcpdump.org" for one, so that you don't give it a * value that collides with a value already being used), and use the * new header in captures of that type, so that programs that can * handle DLT_LINUX_SLL captures will continue to handle them correctly * without any change, and so that capture files with different headers * can be told apart and programs that read them can dissect the * packets in them. * * This structure, and the #defines below, must be the same in the * libpcap and tcpdump versions of "sll.h". */ /* * A DLT_LINUX_SLL fake link-layer header. */ #define SLL_HDR_LEN 16 /* total header length */ #define SLL_ADDRLEN 8 /* length of address field */ struct sll_header { u_short sll_pkttype; /* packet type */ u_short sll_hatype; /* link-layer address type */ u_short sll_halen; /* link-layer address length */ u_char sll_addr[SLL_ADDRLEN]; /* link-layer address */ u_short sll_protocol; /* protocol */ }; /* * The LINUX_SLL_ values for "sll_pkttype"; these correspond to the * PACKET_ values on Linux, but are defined here so that they're * available even on systems other than Linux, and so that they * don't change even if the PACKET_ values change. */ #define LINUX_SLL_HOST 0 #define LINUX_SLL_BROADCAST 1 #define LINUX_SLL_MULTICAST 2 #define LINUX_SLL_OTHERHOST 3 #define LINUX_SLL_OUTGOING 4 /* * The LINUX_SLL_ values for "sll_protocol"; these correspond to the * ETH_P_ values on Linux, but are defined here so that they're * available even on systems other than Linux. We assume, for now, * that the ETH_P_ values won't change in Linux; if they do, then: * * if we don't translate them in "pcap-linux.c", capture files * won't necessarily be readable if captured on a system that * defines ETH_P_ values that don't match these values; * * if we do translate them in "pcap-linux.c", that makes life * unpleasant for the BPF code generator, as the values you test * for in the kernel aren't the values that you test for when * reading a capture file, so the fixup code run on BPF programs * handed to the kernel ends up having to do more work. * * Add other values here as necessary, for handling packet types that * might show up on non-Ethernet, non-802.x networks. (Not all the ones * in the Linux "if_ether.h" will, I suspect, actually show up in * captures.) */ #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */ #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */ #endif argus-5.0.2/include/argus_client.h000066400000000000000000000300201471541253600171150ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Client * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_client.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(ArgusClient_h) #define ArgusClient_h #endif #include #include #include #include #include #include #include #include #include #include #include #ifdef ARGUS_SASL #include #endif #include #include #include #define RA_TRANSDURATION 1 #define RA_AVGDURATION 2 #define RA_DELTADURATION 3 #define RA_MODELNAMETAGSTR "RAGATOR_MODEL_NAME=" #define RA_PRESERVETAGSTR "RAGATOR_PRESERVE_FIELDS=" #define RA_REPORTTAGSTR "RAGATOR_REPORT_AGGREGATION=" #define RA_AUTOCORRECTSTR "RAGATOR_AUTO_CORRECTION=" #define RA_HISTOGRAM "RAGATOR_HISTOGRAM=" #define RA_MODELTAGSTR "Model" #define RA_FLOWTAGSTR "Flow" #define RA_MODELIST 1 #define RA_FLOWLIST 2 #define RA_FLOWPOLICYFIELDNUM 11 #define RA_MODELPOLICYFIELDNUM 8 #define RA_LABELSTRING 0 #define RA_POLICYID 1 #define RA_POLICYTYPE 2 #define RA_POLICYSRCADDR 3 #define RA_POLICYDSTADDR 4 #define RA_POLICYPROTO 5 #define RA_POLICYSRCPORT 6 #define RA_POLICYDSTPORT 7 #define RA_POLICYMODELST 8 #define RA_POLICYTIMEOUT 9 #define RA_POLICYIDLETIMEOUT 10 #define RA_MODIFIED 0x10000000 #define RA_CON 1 #define RA_DONE 2 #define RA_HASHTABLESIZE 0x1000 #define RA_SVCPASSED 0x010000 #define RA_SVCFAILED 0x020000 #define RA_SVCINCOMPLETE 0x040000 #define RA_SVCTEST (RA_SVCFAILED|RA_SVCPASSED|RA_SVCINCOMPLETE) #define RA_SVCDISCOVERY 0x080000 #define RA_SVCMULTICAST 0x100000 #define ARGUS_FAR_SRCADDR_MODIFIED 0x0100 #define ARGUS_FAR_DSTADDR_MODIFIED 0x0200 #define ARGUS_FAR_PROTO_MODIFIED 0x0400 #define ARGUS_FAR_SRCPORT_MODIFIED 0x0800 #define ARGUS_FAR_DSTPORT_MODIFIED 0x1000 #define ARGUS_FAR_TPVAL_MODIFIED 0x2000 #define ARGUS_FAR_RECORDREVERSE 0x4000 #define ARGUS_MAX_S_OPTIONS 34 #define ARGUS_MAX_SORT_ALG 34 #define MAX_SORT_ALG_TYPES 28 #define RASORTTIME 0 #define RASORTSTARTTIME 1 #define RASORTLASTTIME 2 #define RASORTTRANS 3 #define RASORTDURATION 4 #define RASORTAVGDURATION 5 #define RASORTSRCADDR 6 #define RASORTDSTADDR 7 #define RASORTPROTOCOL 8 #define RASORTIPID 9 #define RASORTSRCPORT 10 #define RASORTDSTPORT 11 #define RASORTSRCTOS 12 #define RASORTDSTTOS 13 #define RASORTSRCTTL 14 #define RASORTDSTTTL 15 #define RASORTBYTECOUNT 16 #define RASORTSRCBYTECOUNT 17 #define RASORTDSTBYTECOUNT 18 #define RASORTPKTSCOUNT 19 #define RASORTSRCPKTSCOUNT 20 #define RASORTDSTPKTSCOUNT 21 #define RASORTLOAD 22 #define RASORTRATE 23 #define RASORTLOSS 24 #define RASORTTRANREF 25 #define RASORTSEQ 26 #define RASORTSRCID 27 #define ARGUS_READINGPREHDR 1 #define ARGUS_READINGHDR 2 #define ARGUS_READINGBLOCK 4 #define ARGUS_READINGDATAGRAM 8 #define TSEQ_HASHSIZE 9029 #define ARGUS_MAX_PRINT_ALG 67 #define MAX_PRINT_ALG_TYPES 67 typedef struct ArgusRecord * (*ArgusNetFlowHandler)(u_char **); struct ArgusInput { struct ArgusInput *nxt; unsigned int status; int mode, fd, in, out, offset; int ostart, ostop; u_int addr; unsigned short portnum; char *hostname, *filename; FILE *pipe; int major_version, minor_version; unsigned int ArgusLocalNet, ArgusNetMask; struct timeval ArgusLastTime; int ArgusMarInterval; struct stat statbuf; unsigned char *ArgusReadBuffer, *ArgusConvBuffer; unsigned char *ArgusReadPtr, *ArgusConvPtr, *ArgusReadBlockPtr; int ArgusReadSocketCnt, ArgusReadSocketSize; int ArgusReadSocketState, ArgusReadCiscoVersion; int ArgusReadSocketNum, ArgusReadSize; ArgusNetFlowHandler ArgusCiscoNetFlowParse; #ifdef ARGUS_SASL sasl_conn_t *sasl_conn; int ArgusSaslBufCnt; unsigned char *ArgusSaslBuffer; #endif struct ArgusRecord ArgusInitCon, ArgusManStart; }; struct ArgusOutputStruct { char *filename; struct stat statbuf; FILE *fd; }; #define ARGUSMONITOR_EQUAL 0x01000000 #define ARGUSMONITOR_NOTEQUAL 0x02000000 struct RaFlowModelStruct { char *desc; int pindex, mindex; int preserve, report, autocorrect; int *histotimevalues; int histostart, histoend, histobins; int histotimeseries; struct RaPolicyStruct **policy; struct RaPolicyStruct **model; }; struct RaPolicyStruct { u_int RaEntryType, RaPolicyId; struct ArgusCIDRAddr src, dst; u_short type; u_char proto, pad; u_short sport, dport; u_int RaModelId, ArgusTimeout, ArgusIdleTimeout; char *str; }; #if defined(HAVE_SOLARIS) #include #endif #define RA_MODIFIED 0x10000000 extern void ArgusLog (int, char *, ...); #ifdef ArgusClient #if defined(ARGUS_SASL) int ArgusMaxSsf = 128; int ArgusMinSsf = 40; #endif char *appOptstring = NULL; char *RaPrintKeyWords[MAX_PRINT_ALG_TYPES] = { "time", "startime", "lasttime", "trans", "dur", "avgdur", "snet", "saddr", "dnet", "daddr", "proto", "sport", "dport", "tos", "stos", "dtos", "sttl", "dttl", "bytes", "sbytes", "dbytes", "pkts", "spkts", "dpkts", "sload", "dload", "load", "loss", "ploss", "srate", "drate", "rate", "srcid", "ind", "mac", "dir", "jitter", "sjitter", "djitter", "status", "ddur", "dstime", "dltime", "dspkts", "ddpkts", "dsbytes", "ddbytes", "pdspkts", "pddpkts", "pdsbytes", "pddbytes", "user", "tcpext", "win", "jdelay", "ldelay", "seq", "bins", "binnum", "mpls", "vlan", "vid", "vpri", "ipid", "srng", "erng", "svc", }; extern struct ArgusInput *ArgusInput; extern char *ArgusProgramName; extern char *ArgusProgramOptions; extern struct ArgusDSRHeader *ArgusThisDsrs[]; extern signed long long tcp_dst_bytes, tcp_src_bytes; extern signed long long udp_dst_bytes, udp_src_bytes; extern signed long long icmp_dst_bytes, icmp_src_bytes; extern signed long long ip_dst_bytes, ip_src_bytes; extern void ArgusDebug (int, char *, ...); extern int setArgusRemoteFilter(unsigned char *); void ArgusClientInit(struct ArgusParserStruct *); void RaArgusInputComplete (struct ArgusInput *); void RaParseComplete (int); int RaParseType (char *); void ArgusClientTimeout (void); void parse_arg (int, char**); void usage (void); struct ArgusRecordStruct *RaCopyArgusRecordStruct (struct ArgusRecordStruct *); signed long long RaGetActiveDuration (struct ArgusRecordStruct *); signed long long RaGetuSecDuration (struct ArgusRecordStruct *); signed long long RaGetuSecAvgDuration (struct ArgusRecordStruct *); char RaLabelStr[1024], *RaLabel; void RaProcessRecord (struct ArgusRecordStruct *); void RaProcessManRecord (struct ArgusRecordStruct *); void RaProcessFragRecord (struct ArgusRecordStruct *); void RaProcessTCPRecord (struct ArgusRecordStruct *); void RaProcessICMPRecord (struct ArgusRecordStruct *); void RaProcessIGMPRecord (struct ArgusRecordStruct *); void RaProcessUDPRecord (struct ArgusRecordStruct *); void RaProcessIPRecord (struct ArgusRecordStruct *); void RaProcessARPRecord (struct ArgusRecordStruct *); void RaProcessNonIPRecord (struct ArgusRecordStruct *); extern void ArgusLog (int, char *, ...); extern int RaSendArgusRecord(struct ArgusRecordStruct *); extern void ArgusClientTimeout (void); int ArgusWriteConnection (struct ArgusInput *, u_char *, int); char *RaGenerateLabel(struct ArgusParserStruct *, struct ArgusRecordStruct *); int RaParseProbeResourceFile (char **); int RaProbeMonitorsThisAddr (unsigned int, unsigned int); struct ArgusRecordStruct *ArgusGenerateRecordStruct (struct ArgusRecord *); struct ArgusRecord *ArgusGenerateRecord (struct ArgusRecordStruct *, unsigned char); void ArgusDeleteRecordStruct (struct ArgusRecordStruct *); struct ArgusListStruct *ArgusNewList (void); void ArgusDeleteList (struct ArgusListStruct *, int); int ArgusListEmpty (struct ArgusListStruct *); int ArgusGetListCount(struct ArgusListStruct *); void ArgusPushFrontList(struct ArgusListStruct *, void *, int); void ArgusPushBackList(struct ArgusListStruct *, void *, int); void *ArgusFrontList(struct ArgusListStruct *); void *ArgusBackList(struct ArgusListStruct *); void *ArgusPopBackList(struct ArgusListStruct *, int); void *ArgusPopFrontList(struct ArgusListStruct *, int); int ArgusCheckTime (struct ArgusRecordStruct *); #else /* ArgusClient */ #if defined(ARGUS_SASL) extern int ArgusMaxSsf; extern int ArgusMinSsf; #endif /* ARGUS_SASL */ extern char *appOptstring; extern char *RaPrintKeyWords[MAX_PRINT_ALG_TYPES]; extern char *ArgusProgramName; extern char *ArgusProgramOptions; extern void ArgusDebug (int, char *, ...); extern int setArgusRemoteFilter(unsigned char *); extern void ArgusClientInit(struct ArgusParserStruct *); extern void RaArgusInputComplete (struct ArgusInput *); extern void RaParseComplete (int); extern int RaParseType (char *); extern void ArgusClientTimeout (void); extern void parse_arg (int, char**); extern void usage (void); extern struct ArgusRecordStruct *RaCopyArgusRecordStruct (struct ArgusRecordStruct *); extern signed long long RaGetActiveDuration (struct ArgusRecordStruct *); extern signed long long RaGetuSecDuration (struct ArgusRecordStruct *); extern signed long long RaGetuSecAvgDuration (struct ArgusRecordStruct *); extern char RaLabelStr[1024], *RaLabel; extern void RaProcessRecord (struct ArgusRecordStruct *); extern void RaProcessManRecord (struct ArgusRecordStruct *); extern void RaProcessFragRecord (struct ArgusRecordStruct *); extern void RaProcessTCPRecord (struct ArgusRecordStruct *); extern void RaProcessICMPRecord (struct ArgusRecordStruct *); extern void RaProcessIGMPRecord (struct ArgusRecordStruct *); extern void RaProcessUDPRecord (struct ArgusRecordStruct *); extern void RaProcessIPRecord (struct ArgusRecordStruct *); extern void RaProcessARPRecord (struct ArgusRecordStruct *); extern void RaProcessNonIPRecord (struct ArgusRecordStruct *); extern void ArgusLog (int, char *, ...); extern char *RaGenerateLabel(struct ArgusParserStruct *, struct ArgusRecordStruct *); extern int RaSendArgusRecord(struct ArgusRecordStruct *); extern int RaProbeMonitorsThisAddr (unsigned int, unsigned int); extern struct ArgusRecordStruct *ArgusGenerateRecordStruct (struct ArgusRecord *); extern struct ArgusRecord *ArgusGenerateRecord (struct ArgusRecordStruct *, unsigned char); extern void ArgusDeleteRecordStruct (struct ArgusRecordStruct *); extern struct ArgusListStruct *ArgusNewList (void); extern void ArgusDeleteList (struct ArgusListStruct *, int); extern int ArgusListEmpty (struct ArgusListStruct *); extern int ArgusGetListCount(struct ArgusListStruct *); extern void ArgusPushFrontList(struct ArgusListStruct *, void *); extern void ArgusPushBackList(struct ArgusListStruct *, void *); extern void *ArgusFrontList(struct ArgusListStruct *); extern void *ArgusBackList(struct ArgusListStruct *); extern void *ArgusPopBackList(struct ArgusListStruct *); extern void *ArgusPopFrontList(struct ArgusListStruct *); extern int ArgusCheckTime (struct ArgusRecordStruct *); #endif argus-5.0.2/include/argus_compat.h000066400000000000000000000150651471541253600171360ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Compatibility * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_compat.h#7 $ * $DateTime: 2016/09/18 16:32:53 $ * $Change: 3186 $ */ #if !defined(Argus_compat_h) #define Argus_compat_h #ifdef __cplusplus extern "C" { #endif #include #ifdef HAVE_CONFIG_H #include "argus_config.h" #endif #if defined(HAVE_SYS_TYPES_H) #include #endif #if defined(HAVE_SYS_WAIT_H) #include #endif #define argtimeval timeval #if !defined(__APPLE__) #if !defined(_STRUCT_TIMEVAL32) struct timeval32 { uint32_t tv_sec, tv_usec; }; #endif #endif #include #if defined(HAVE_SOLARIS) #include #include #endif #if defined(linux) #include #define __FAVOR_BSD #endif #if defined(CYGWIN) #define USE_IPV6 #else #if defined(HAVE_SOLARIS) #include #else #if defined(__OpenBSD__) && !defined(__APPLE__) #include #endif #endif #include #if defined(__FreeBSD__) #if defined(BYTE_ORDER) #define __BYTE_ORDER BYTE_ORDER #endif #if defined(LITTLE_ENDIAN) #define __LITTLE_ENDIAN LITTLE_ENDIAN #endif #if defined(BIG_ENDIAN) #define __BIG_ENDIAN BIG_ENDIAN #endif #endif #if !defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN) #if __BYTE_ORDER == __LITTLE_ENDIAN #define _LITTLE_ENDIAN #else #define _BIG_ENDIAN #endif #endif #endif #if !defined(HAVE_STRTOF) && !defined(CYGWIN) //float strtof (char *, char **); #endif #if defined(__sgi__) || defined(HAVE_SOLARIS) || defined(ultrix) || defined(__osf__) || defined(linux) || defined(bsdi) || defined(AIX) | defined(CYGWIN) #define timelocal mktime #if defined(__sgi__) #include #include #if _MIPS_SZLONG == 64 #undef argtimeval #define argtimeval irix5_timeval #endif #undef TCPSTATES #endif #if defined(linux) #include #endif #if defined(__sgi) || defined(bsdi) struct ether_addr { u_char ether_addr_octet[6]; }; #endif #if defined(AIX) #define _SUN #include #include #endif #endif #define arg_uint8 u_char #define arg_int8 char #define arg_uint16 u_short #define arg_int16 short #if HOST_BITS_PER_INT == 32 #define arg_uint32 u_int #define arg_int32 int #else #define arg_uint32 u_long #define arg_int32 long #endif #if defined(__FreeBSD__) #include #include #endif #if !defined(ICMP_ROUTERADVERT) #define ICMP_ROUTERADVERT 9 /* router advertisement */ #endif #if !defined(ICMP_ROUTERSOLICIT) #define ICMP_ROUTERSOLICIT 10 /* router solicitation */ #endif #if !defined(TCPOPT_WSCALE) #define TCPOPT_WSCALE 3 /* window scale factor (rfc1072) */ #endif #if !defined(TCPOPT_SACKOK) #define TCPOPT_SACKOK 4 /* selective ack ok (rfc1072) */ #endif #if !defined(TCPOPT_SACK) #define TCPOPT_SACK 5 /* selective ack (rfc1072) */ #endif #if !defined(TCPOPT_ECHO) #define TCPOPT_ECHO 6 /* echo (rfc1072) */ #endif #if !defined(TCPOPT_ECHOREPLY) #define TCPOPT_ECHOREPLY 7 /* echo (rfc1072) */ #endif #if !defined(TCPOPT_TIMESTAMP) #define TCPOPT_TIMESTAMP 8 /* timestamps (rfc1323) */ #endif #if !defined(TCPOPT_CC) #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */ #endif #if !defined(TCPOPT_CCNEW) #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */ #endif #if !defined(TCPOPT_CCECHO) #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */ #endif #if !defined(ETHERTYPE_SPRITE) #define ETHERTYPE_SPRITE 0x0500 #endif #if !defined(ETHERTYPE_NS) #define ETHERTYPE_NS 0x0600 #endif #if !defined(ETHERTYPE_IP) #define ETHERTYPE_IP 0x0800 #endif #if !defined(ETHERTYPE_X25L3) #define ETHERTYPE_X25L3 0x0805 #endif #if !defined(ETHERTYPE_ARP) #define ETHERTYPE_ARP 0x0806 #endif #if !defined(ETHERTYPE_VINES) #define ETHERTYPE_VINES 0x0bad #endif #if !defined(ETHERTYPE_TRAIL) #define ETHERTYPE_TRAIL 0x1000 #endif #if !defined(ETHERTYPE_TRAIN) #define ETHERTYPE_TRAIN 0x1984 #endif #if !defined(ETHERTYPE_3C_NBP_DGRAM) #define ETHERTYPE_3C_NBP_DGRAM 0x3c07 #endif #if !defined(ETHERTYPE_DEC) #define ETHERTYPE_DEC 0x6000 #endif #if !defined(ETHERTYPE_MOPDL) #define ETHERTYPE_MOPDL 0x6001 #endif #if !defined(ETHERTYPE_MOPRC) #define ETHERTYPE_MOPRC 0x6002 #endif #if !defined(ETHERTYPE_DN) #define ETHERTYPE_DN 0x6003 #endif #if !defined(ETHERTYPE_LAT) #define ETHERTYPE_LAT 0x6004 #endif #if !defined(ETHERTYPE_DEC_DIAG) #define ETHERTYPE_DEC_DIAG 0x6005 #endif #if !defined(ETHERTYPE_DEC_CUST) #define ETHERTYPE_DEC_CUST 0x6006 #endif #if !defined(ETHERTYPE_SCA) #define ETHERTYPE_SCA 0x6007 #endif #if !defined(ETHERTYPE_REVARP) #define ETHERTYPE_REVARP 0x8035 #endif #if !defined(ETHERTYPE_LANBRIDGE) #define ETHERTYPE_LANBRIDGE 0x8038 #endif #if !defined(ETHERTYPE_DECDNS) #define ETHERTYPE_DECDNS 0x803c #endif #if !defined(ETHERTYPE_DECDTS) #define ETHERTYPE_DECDTS 0x803e #endif #if !defined(ETHERTYPE_VEXP) #define ETHERTYPE_VEXP 0x805b #endif #if !defined(ETHERTYPE_VPROD) #define ETHERTYPE_VPROD 0x805c #endif #if !defined(ETHERTYPE_ATALK) #define ETHERTYPE_ATALK 0x809b #endif #if !defined(ETHERTYPE_AARP) #define ETHERTYPE_AARP 0x80f3 #endif #if !defined(ETHERTYPE_8021Q) #define ETHERTYPE_8021Q 0x8100 #endif #if !defined(ETHERTYPE_IPX) #define ETHERTYPE_IPX 0x8137 #endif #if !defined(ETHERTYPE_SNMP) #define ETHERTYPE_SNMP 0x814c #endif #if !defined(ETHERTYPE_IPV6) #define ETHERTYPE_IPV6 0x86dd #endif #if !defined(ETHERTYPE_MPLS) #define ETHERTYPE_MPLS 0x8847 #endif #if !defined(ETHERTYPE_MPLS_MULTI) #define ETHERTYPE_MPLS_MULTI 0x8848 #endif #if !defined(ETHERTYPE_PPPOED) #define ETHERTYPE_PPPOED 0x8863 #endif #if !defined(ETHERTYPE_PPPOES) #define ETHERTYPE_PPPOES 0x8864 #endif #if !defined(ETHERTYPE_LOOPBACK) #define ETHERTYPE_LOOPBACK 0x9000 #endif #ifdef __cplusplus } #endif #endif /* Argus_compat_h */ argus-5.0.2/include/argus_config.h.in000066400000000000000000000427061471541253600175270ustar00rootroot00000000000000/* include/argus_config.h.in. Generated from configure.ac by autoheader. */ /* Using Argus debug */ #undef ARGUSDEBUG /* Using Argus memory */ #undef ARGUSMEMDEBUG /* Product version number string */ #undef ARGUSPRO_VERSION_STRING /* Using FlexLM */ #undef ARGUS_FLEXLM /* Enabling hashtable debugging */ #undef ARGUS_HASH_DEBUG /* Using nanosecond timestamps */ #undef ARGUS_NANOSECONDS /* Using System Pcre Library */ #undef ARGUS_PCRE /* Using Pluribus */ #undef ARGUS_PLURIBUS /* Description */ #undef ARGUS_SASL /* Using Argus threads */ #undef ARGUS_THREADS /* Using System TcpWrappers Library */ #undef ARGUS_WRAPPERS /* Define to 1 if the `closedir' function returns void instead of int. */ #undef CLOSEDIR_VOID /* System has x86 endian support */ #undef CONFIG_X86_BSWAP /* Using cygwin */ #undef CYGWIN /* Define to 1 if using 'alloca.c'. */ #undef C_ALLOCA /* Define to 1 if you have the `alarm' function. */ #undef HAVE_ALARM /* Define to 1 if you have 'alloca', as a function or macro. */ #undef HAVE_ALLOCA /* Define to 1 if works. */ #undef HAVE_ALLOCA_H /* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H /* Define to 1 if you have the `backtrace' function. */ #undef HAVE_BACKTRACE /* Define to 1 if you have the `bzero' function. */ #undef HAVE_BZERO /* Mac OS X */ #undef HAVE_DARWIN /* Define to 1 if you have the declaration of `ether_hostton', and to 0 if you don't. */ #undef HAVE_DECL_ETHER_HOSTTON /* Define to 1 if you have the declaration of `fromhost ', and to 0 if you don't. */ #undef HAVE_DECL_FROMHOST_ /* Define to 1 if you have the declaration of `tzname', and to 0 if you don't. */ #undef HAVE_DECL_TZNAME /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_DIRENT_H /* Define to 1 if you have the header file. */ #undef HAVE_DNS_SD_H /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ #undef HAVE_DOPRNT /* Define to 1 if you have the `endgrent' function. */ #undef HAVE_ENDGRENT /* Define to 1 if you have the `endpwent' function. */ #undef HAVE_ENDPWENT /* Define to 1 if you have the `ether_hostton' function. */ #undef HAVE_ETHER_HOSTTON /* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H /* Define to 1 if you have the header file. */ #undef HAVE_FEATURES_H /* Define to 1 if you have the `floor' function. */ #undef HAVE_FLOOR /* Define to 1 if you have the `floorf' function. */ #undef HAVE_FLOORF /* Define to 1 if you have the `fork' function. */ #undef HAVE_FORK /* Define to 1 if you have the `getaddrinfo' function. */ #undef HAVE_GETADDRINFO /* Define to 1 if you have the `gethostbyaddr' function. */ #undef HAVE_GETHOSTBYADDR /* Define to 1 if you have the `gethostbyname' function. */ #undef HAVE_GETHOSTBYNAME /* Define to 1 if you have the `gethostname' function. */ #undef HAVE_GETHOSTNAME /* Define to 1 if you have the `gethostuuid' function. */ #undef HAVE_GETHOSTUUID /* Define to 1 if you have the `getpass' function. */ #undef HAVE_GETPASS /* Define to 1 if you have the `gettimeofday' function. */ #undef HAVE_GETTIMEOFDAY /* HPUX 10 */ #undef HAVE_HPUX10_20 /* HPUX 9 */ #undef HAVE_HPUX9 /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON /* Define to 1 if you have the `inet_ntoa' function. */ #undef HAVE_INET_NTOA /* Define to 1 if you have the `inet_ntop' function. */ #undef HAVE_INET_NTOP /* Define to 1 if you have the `inet_pton' function. */ #undef HAVE_INET_PTON /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have the `isascii' function. */ #undef HAVE_ISASCII /* Define to 1 if you have the header file. */ #undef HAVE_LIBINTL_H /* Define to 1 if you have the header file. */ #undef HAVE_LIMITS_H /* Define to 1 if you have the `localtime_r' function. */ #undef HAVE_LOCALTIME_R /* Define to 1 if your system has a GNU libc compatible `malloc' function, and to 0 otherwise. */ #undef HAVE_MALLOC /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 if you have a machine-id in the file system. */ #undef HAVE_MACHINE_ID /* Define to 1 if you have the `memalign' function. */ #undef HAVE_MEMALIGN /* Define to 1 if you have the `memchr' function. */ #undef HAVE_MEMCHR /* Define to 1 if you have the `memmove' function. */ #undef HAVE_MEMMOVE /* Define to 1 if you have the header file. */ #undef HAVE_MEMORY_H /* Define to 1 if you have the `memset' function. */ #undef HAVE_MEMSET /* Define to 1 if you have the `mkdir' function. */ #undef HAVE_MKDIR /* Define to 1 if you have the `modf' function. */ #undef HAVE_MODF /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_NDIR_H /* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_ETHER_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IF_ETHER_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_SYSTM_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IP_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_TCP_H /* Define to 1 if you have the header file. */ #undef HAVE_NETINET_UDP_H /* Define to 1 if you have the header file. */ #undef HAVE_NET_IF_H /* Define to 1 if you have the `openlog' function. */ #undef HAVE_OPENLOG /* pcap datalink name */ #undef HAVE_PCAP_DATALINK_NAME_TO_VAL /* pcap datalink val to desc */ #undef HAVE_PCAP_DATALINK_VAL_TO_DESCRIPTION /* Define to 1 if you have the `pcap_dump_flush' function. */ #undef HAVE_PCAP_DUMP_FLUSH /* Define to 1 if you have the `pcap_dump_ftell' function. */ #undef HAVE_PCAP_DUMP_FTELL /* pcap list datalinks */ #undef HAVE_PCAP_FINDALLDEVS_NOCHECKS /* Define to 1 if you have the `pcap_fopen_offline' function. */ #undef HAVE_PCAP_FOPEN_OFFLINE /* Define to 1 if you have the `pcap_fopen_offline_with_tstamp_precision' function. */ #undef HAVE_PCAP_FOPEN_OFFLINE_WITH_TSTAMP_PRECISION /* Define to 1 if you have the `pcap_get_selectable_fd' function. */ #undef HAVE_PCAP_GET_SELECTABLE_FD /* pcap list datalinks */ #undef HAVE_PCAP_LIST_DATALINKS /* Define to 1 if you have the `pcap_next_ex' function. */ #undef HAVE_PCAP_NEXT_EX /* Define to 1 if you have the `pcap_open_offline_with_tstamp_precision' function. */ #undef HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION /* Define to 1 if you have the `pcap_set_buffer_size' function. */ #undef HAVE_PCAP_SET_BUFFER_SIZE /* pcap set datalink */ #undef HAVE_PCAP_SET_DATALINK /* Define to 1 if you have the `pcap_set_tstamp_precision' function. */ #undef HAVE_PCAP_SET_TSTAMP_PRECISION /* Define to 1 if you have the `pcap_set_tstamp_type' function. */ #undef HAVE_PCAP_SET_TSTAMP_TYPE /* Define to 1 if you have the `pfopen' function. */ #undef HAVE_PFOPEN /* Define to 1 if you have the `posix_memalign' function. */ #undef HAVE_POSIX_MEMALIGN /* Define to 1 if you have the `pow' function. */ #undef HAVE_POW /* Define to 1 if you have the `putenv' function. */ #undef HAVE_PUTENV /* Define to 1 if your system has a GNU libc compatible `realloc' function, and to 0 otherwise. */ #undef HAVE_REALLOC /* Define to 1 if you have the `realpath' function. */ #undef HAVE_REALPATH /* Define to 1 if you have the `regcomp' function. */ #undef HAVE_REGCOMP /* Define to 1 if you have the header file. */ #undef HAVE_REGEX_H /* Define to 1 if you have the `remainderf' function. */ #undef HAVE_REMAINDERF /* Define to 1 if you have the header file. */ #undef HAVE_RPC_XDR_H /* Define to 1 if you have the `sched_get_priority_min' function. */ #undef HAVE_SCHED_GET_PRIORITY_MIN /* Define to 1 if you have the `select' function. */ #undef HAVE_SELECT /* Define to 1 if you have the `setenv' function. */ #undef HAVE_SETENV /* Define to 1 if you have the `setlinebuf' function. */ #undef HAVE_SETLINEBUF /* Define to 1 if you have the `snprintf' function. */ #undef HAVE_SNPRINTF /* Define to 1 if you have the `socket' function. */ #undef HAVE_SOCKET /* On solaris */ #undef HAVE_SOLARIS /* Define to 1 if you have the `sqrt' function. */ #undef HAVE_SQRT /* Define to 1 if you have the `srandomdev' function. */ #undef HAVE_SRANDOMDEV /* Define to 1 if `stat' has the bug that it succeeds when given the zero-length file name argument. */ #undef HAVE_STAT_EMPTY_STRING_BUG /* Define to 1 if you have the header file. */ #undef HAVE_STDDEF_H /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the `strcasecmp' function. */ #undef HAVE_STRCASECMP /* Define to 1 if you have the `strchr' function. */ #undef HAVE_STRCHR /* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP /* Define to 1 if you have the `strerror' function. */ #undef HAVE_STRERROR /* Define to 1 if you have the `strftime' function. */ #undef HAVE_STRFTIME /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the `strlcat' function. */ #undef HAVE_STRLCAT /* Define to 1 if you have the `strlcpy' function. */ #undef HAVE_STRLCPY /* Define to 1 if you have the `strncasecmp' function. */ #undef HAVE_STRNCASECMP /* Define to 1 if you have the `strpbrk' function. */ #undef HAVE_STRPBRK /* Define to 1 if you have the `strrchr' function. */ #undef HAVE_STRRCHR /* Define to 1 if you have the `strstr' function. */ #undef HAVE_STRSTR /* Define to 1 if you have the `strtof' function. */ #undef HAVE_STRTOF /* Define to 1 if you have the `strtol' function. */ #undef HAVE_STRTOL /* struct ether addr */ #undef HAVE_STRUCT_ETHER_ADDR /* Define to 1 if `tm_zone' is a member of `struct tm'. */ #undef HAVE_STRUCT_TM_TM_ZONE /* Define to 1 if you have the `syslog' function. */ #undef HAVE_SYSLOG /* Define to 1 if you have the header file. */ #undef HAVE_SYSLOG_H /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_SYS_DIR_H /* sys_errlist in stdio.h */ #undef HAVE_SYS_ERRLIST /* Define to 1 if you have the header file. */ #undef HAVE_SYS_FILE_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_IOCTL_H /* Define to 1 if you have the header file, and it defines `DIR'. */ #undef HAVE_SYS_NDIR_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_PARAM_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SELECT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKIO_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_VFS_H /* Define to 1 if you have that is POSIX.1 compatible. */ #undef HAVE_SYS_WAIT_H /* Define to 1 if you have the header file. */ #undef HAVE_TCPD_H /* Using Tcp wrappers */ #undef HAVE_TCP_WRAPPER /* Define to 1 if you have the header file. */ #undef HAVE_TERMIOS_H /* Define to 1 if you have the `timegm' function. */ #undef HAVE_TIMEGM /* tm_gmtoff in struct tm */ #undef HAVE_TM_GMTOFF /* Define to 1 if your `struct tm' has `tm_zone'. Deprecated, use `HAVE_STRUCT_TM_TM_ZONE' instead. */ #undef HAVE_TM_ZONE /* Define to 1 if you don't have `tm_zone' but do have the external array `tzname'. */ #undef HAVE_TZNAME /* Define to 1 if you have the `tzset' function. */ #undef HAVE_TZSET /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the header file. */ #undef HAVE_VALUES_H /* Define to 1 if you have the `vfork' function. */ #undef HAVE_VFORK /* Define to 1 if you have the header file. */ #undef HAVE_VFORK_H /* Define to 1 if you have the `vfprintf' function. */ #undef HAVE_VFPRINTF /* Define to 1 if you have the `vprintf' function. */ #undef HAVE_VPRINTF /* Define to 1 if you have the `vsnprintf' function. */ #undef HAVE_VSNPRINTF /* Define to 1 if `fork' works. */ #undef HAVE_WORKING_FORK /* Define to 1 if `vfork' works. */ #undef HAVE_WORKING_VFORK /* Using system XDR library */ #undef HAVE_XDR /* Define to 1 if you have the `xdrmem_create' function. */ #undef HAVE_XDRMEM_CREATE /* Define to 1 if you have the header file. */ #undef HAVE_ZLIB_H /* Description */ #undef LBL_ALIGN /* Define to 1 if `lstat' dereferences a symlink specified with a trailing slash. */ #undef LSTAT_FOLLOWS_SLASHED_SYMLINK /* Define to 1 if netinet/ether.h declares `ether_hostton' */ #undef NETINET_ETHER_H_DECLARES_ETHER_HOSTTON /* Define to 1 if netinet/if_ether.h declares `ether_hostton' */ #undef NETINET_IF_ETHER_H_DECLARES_ETHER_HOSTTON /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* Define as the return type of signal handlers (`int' or `void'). */ #undef RETSIGTYPE /* Define to the type of arg 1 for `select'. */ #undef SELECT_TYPE_ARG1 /* Define to the type of args 2, 3 and 4 for `select'. */ #undef SELECT_TYPE_ARG234 /* Define to the type of arg 5 for `select'. */ #undef SELECT_TYPE_ARG5 /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION = 0 => direction of growth unknown */ #undef STACK_DIRECTION /* Define to 1 if all of the C90 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* Define to 1 if you can safely include both and . This macro is obsolete. */ #undef TIME_WITH_SYS_TIME /* Define to 1 if your declares `struct tm'. */ #undef TM_IN_SYS_TIME /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a `char[]'. */ #undef YYTEXT_POINTER /* Number of bits in a file offset, on hosts where this is settable. */ #undef _FILE_OFFSET_BITS /* needed on HP-UX */ #undef _HPUX_SOURCE /* Define for large files, on AIX-style hosts. */ #undef _LARGE_FILES /* Description */ #undef _SUN /* Define for Solaris 2.5.1 so the uint32_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT32_T /* Define for Solaris 2.5.1 so the uint8_t typedef from , , or is not used. If the typedef were allowed, the #define below would cause a syntax error. */ #undef _UINT8_T /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to the type of a signed integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef int16_t /* Define to the type of a signed integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef int32_t /* Define to the type of a signed integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef int8_t /* Define to rpl_malloc if the replacement function should be used. */ #undef malloc /* Define as a signed integer type capable of holding a process identifier. */ #undef pid_t /* Define to rpl_realloc if the replacement function should be used. */ #undef realloc /* Description */ #undef sinix /* Define to `unsigned int' if does not define. */ #undef size_t /* Define to `int' if doesn't define. */ #undef uid_t /* Define to the type of an unsigned integer type of width exactly 16 bits if such a type exists and the standard includes do not define it. */ #undef uint16_t /* Define to the type of an unsigned integer type of width exactly 32 bits if such a type exists and the standard includes do not define it. */ #undef uint32_t /* Define to the type of an unsigned integer type of width exactly 8 bits if such a type exists and the standard includes do not define it. */ #undef uint8_t /* Define as `fork' if `vfork' does not work. */ #undef vfork argus-5.0.2/include/argus_dag.h000066400000000000000000000047101471541253600164010ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Endace Dag support * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Data structures required to define struct Dag Record. * Derived from Dag source code tree ./include/dagapi.h * * $Id: //depot/gargoyle/argus/include/argus_dag.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #define TYPE_LEGACY 0 #define TYPE_HDLC_POS 1 #define TYPE_ETH 2 #define TYPE_ATM 3 #define TYPE_AAL5 4 #define TYPE_MC_HDLC 5 #define TYPE_MC_RAW 6 #define TYPE_MC_ATM 7 #define TYPE_MC_RAW_CHANNEL 8 #define TYPE_MC_AAL5 9 #define TYPE_COLOR_HDLC_POS 10 #define TYPE_COLOR_ETH 11 #define TYPE_MC_AAL2 12 #define TYPE_IP_COUNTER 13 #define TYPE_TCP_FLOW_COUNTER 14 #define TYPE_DSM_COLOR_HDLC_POS 15 #define TYPE_DSM_COLOR_ETH 16 #define TYPE_COLOR_MC_HDLC_POS 17 #define TYPE_AAL2 18 #define TYPE_COLOR_HASH_POS 19 #define TYPE_COLOR_HASH_ETH 20 #define TYPE_INFINIBAND 21 #define TYPE_RAW_LINK 24 #define TYPE_PAD 48 #define TYPE_MIN 1 /* sanity checking */ #define TYPE_MAX 48 /* sanity checking */ #define dag_record_size 16 typedef struct flags { uint8_t iface:2; uint8_t vlen:1; uint8_t trunc:1; uint8_t rxerror:1; uint8_t dserror:1; uint8_t reserved:1; uint8_t direction:1; } flags_t; typedef struct dag_record { uint64_t ts; uint8_t type; flags_t flags; uint16_t rlen; uint16_t lctr; uint16_t wlen; } dag_record_t; argus-5.0.2/include/argus_debug.h000066400000000000000000000044461471541253600167420ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Debug support * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_debug.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusDebug_h #define ArgusDebug_h #ifdef __cplusplus extern "C" { #endif #ifndef __GNUC__ #define inline #endif #define ARGUS_DEBUG_ALL 0xffffffff #define ARGUS_DEBUG_MAIN 0x00000001 /* 1 */ #define ARGUS_DEBUG_CORE 0x00000002 /* 2 */ #define ARGUS_DEBUG_INIT 0x00000004 /* 4 */ #define ARGUS_DEBUG_FILTER 0x00000008 /* 8 */ #define ARGUS_DEBUG_FILTERCOMPILE 0x00000010 /* 16 */ #define ARGUS_DEBUG_FILTERCORE 0x00000020 /* 32 */ #define ARGUS_DEBUG_AUTH 0x00000040 /* 64 */ #define ARGUS_DEBUG_DECODE 0x00000080 /* 128 */ #define ARGUS_DEBUG_MEMORY 0x00000100 /* 256 */ #define ARGUS_DEBUG_UTIL 0x00000200 /* 512 */ #define ARGUS_DEBUG_PARSE 0x00000400 /* 1024 */ #define ARGUS_DEBUG_PARSECORE 0x00000800 /* 2048 */ #define ARGUS_DEBUG_READ 0x00001000 /* 4096 */ #define ARGUS_DEBUG_WRITE 0x00002000 /* 8192 */ #define ARGUS_DEBUG_CLIENT 0x00004000 /* 16384 */ #define ARGUS_DEBUG_POLICY 0x00008000 /* 32768 */ #define ARGUS_DEBUG_APPLICATION 0x00010000 /* 65536 */ #define ARGUS_DEBUG_MERGE 0x00020000 /* 131072 */ #define ARGUS_DEBUG_TIME 0x00040000 /* 262144 */ #define ARGUS_DEBUG_SERVICES 0x00080000 /* 524288 */ extern void ArgusDebug (int, char *, ...); #ifdef __cplusplus } #endif #endif /* ArgusFilter_h */ argus-5.0.2/include/argus_def.h000066400000000000000000003127011471541253600164060ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Defines * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_def.h#13 $ * $DateTime: 2016/10/03 10:25:27 $ * $Change: 3209 $ */ /* Argus_def.h */ /* * Argus_def.h is a reimplementation of the version 2 argus_def.h * for version 3. The new record structure and data types * are designed to provide flexible and efficient data * representation and transport; motivated to suport IPv6. * While the intent is to provide a clean room style reworking * of the complete argus architecture and data model, there is * continuity and compatibility with version 2 Argus data. * * The basic properties retained are a common fixed size * initial MAR *. The prinicpal difference is a 4 byte * ArgusRecord header with most data integrated into the * Data Specific Records (DSR), support for 8, 16, 32 and * 64 bit counters, and new flow descriptor strategies. * */ #ifndef Argus_def_h #define Argus_def_h #ifdef __cplusplus extern "C" { #endif /* argus constants */ #define MINOR_VERSION_0 0 #define MINOR_VERSION_1 1 #define MINOR_VERSION_2 2 #define MINOR_VERSION_3 3 #define MINOR_VERSION_4 4 #define MINOR_VERSION_5 5 #define MINOR_VERSION_6 6 #define MINOR_VERSION_7 7 #define MINOR_VERSION_8 8 #define MINOR_VERSION_9 9 #define MAJOR_VERSION_1 1 #define MAJOR_VERSION_2 2 #define MAJOR_VERSION_3 3 #define MAJOR_VERSION_4 4 #define MAJOR_VERSION_5 5 #define MAJOR_VERSION_6 6 #define VERSION_MAJOR MAJOR_VERSION_5 #define VERSION_MINOR MINOR_VERSION_0 #ifndef MAXPATHNAMELEN #define MAXPATHNAMELEN BUFSIZ #endif /* Argus Record Format The Argus has a short 32-bit header and then a collection of Data Specific Records, which have a TLV structure. This allows for a lot of options in representing data. The goal is to support explicit data alignment, extended key and non-key attributes, removeable transport identifiers, efficently reporting unidirectional flows, and supporting multi-length counters in the metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Header | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Transport | O +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ p | | t | Argus Record Flow Key | i | | o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ n | Argus Record Flow Non-Key | a | Attributes | l +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | D | Argus Metrics | S | . | R +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ s */ /* Argus Record Header Format The argus record is a 32-bit header that specifies the type of record, MAR or FAR, the standard cause indicator, a shorter version number, starting with 3, and a Options field. The Length field, which is the number of 4-byte integers in the record, supports 64K size argus records. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Vers | Cause | Opt | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_MAXRECORDSIZE 0x40000 /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_MAR 0x80 /* Normal Argus Management Record */ #define ARGUS_FAR 0x10 /* Normal Argus Data Record */ #define ARGUS_INDEX 0x20 /* New Argus Index Record */ #define ARGUS_NETFLOW 0x30 /* Argus Cisco Netflow Originated Record */ #define ARGUS_EVENT 0x40 /* New Argus Event/Message Record */ #define ARGUS_FLOW 0x50 /* New Argus Flow/Metric Record ... for things not argus flow records */ #define ARGUS_DATASUP 0x60 /* New Supplemental Argus Data Record */ #define ARGUS_ARCHIVAL 0x70 /* New Archival Argus Data Record */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Vers | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Record Version (Ver) */ #define ARGUS_VERSION_1 0x01 /* Version 1 */ #define ARGUS_VERSION_2 0x02 /* Version 2 */ #define ARGUS_VERSION_3 0x03 /* Version 3 */ #define ARGUS_VERSION_4 0x04 /* Version 4 */ #define ARGUS_VERSION_5 0x05 /* Version 5 */ #define ARGUS_VERSION_6 0x06 /* Version 6 */ #define ARGUS_VERSION ARGUS_VERSION_5 /* Version 5 */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cause | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Cause */ #define ARGUS_SRC_RADIUM 0x08 /* Argus Radium Node Appliance */ #define ARGUS_START 0x10 /* Initial Record */ #define ARGUS_STATUS 0x20 /* Continuation Record*/ #define ARGUS_STOP 0x30 /* Closed/Terminating Record */ #define ARGUS_TIMEOUT 0x40 /* Record Timed Out */ #define ARGUS_FLUSH 0x50 /* System Record Flush */ #define ARGUS_SHUTDOWN 0x60 /* Administrative Shutdown */ #define ARGUS_CLOSED 0x70 /* Argus Initiates Shutdown */ #define ARGUS_ERROR 0x80 /* Error - Major Problem */ #define ARGUS_MAR_SUPPLEMENTAL 0x90 /* Argus Supplemental Record */ #define ARGUS_MAR_INTERFACE 0xA0 /* Argus Interface Record */ /* Argus Record Header Option Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Opt | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Option Record Field Note that one tick mark represents one bit position. The values in the Argus Option Field are specific to each cause. */ /* Argus Start Option Messages */ /* Argus Status Option Messages */ /* Argus Supplemental Option Messages */ /* Argus Stop Option Messages */ /* Argus Timeout Option Messages */ /* Argus Flush Option Messages */ /* Argus Shutdown Option Messages */ /* Argus Error Option Messages */ #define ARGUS_ACCESSDENIED 0x01 #define ARGUS_MAXLISTENEXCD 0x02 /* Argus Record Header Length Field Number of 32-bit longwords, including the header. Unsigned 16 bit integer. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Length Record Field Note that one tick mark represents one bit position. */ #define MAXARGUSRECORD 0x40000 #define MAXSTRLEN 4096 /* Argus Data */ /* Argus Data is a collection of Argus Data Specific Records (DSRs) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data Specific Records | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Record Field Note that one tick mark represents one bit position. */ /* Argus MAR Record Specific Defines */ #define ARGUS_V5_COOKIE 0xE57150CB #define ARGUS_V3_COOKIE 0xE5712DCB #define ARGUS_V2_COOKIE 0xE5617ACB #define ARGUS_COOKIE ARGUS_V5_COOKIE #define ARGUS_SASL_AUTHENTICATE 0x00001000 #define ARGUS_ID_INC_INF 0x00100000 #define ARGUS_IDIS_STRING 0x00200000 #define ARGUS_IDIS_INT 0x00400000 #define ARGUS_IDIS_IPV6 0x00600000 #define ARGUS_IDIS_IPV4 0x00800000 #define ARGUS_IDIS_UUID 0x00A00000 /* Argus Record Data Specific Record (DSR) Types */ #define ARGUSMAXDSRTYPE 25 /* Argus Data Specific Record (DSR) Formats There are two types of DSR, 1) a Type Value (TV) record with an explicit length of 4 bytes, and 2) a Type Length Value (TLV) record, that is longer than 4 bytes and supports variable length records. The fixed length record is distinquished from the variable length record with the most significant bit of the Type Field set to 1 (>= 0x80). All Argus DSRs are 32-bit aligned. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Type | SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus DSR Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Type | SubType | Argus DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Specific Record (DSR) Field Note that one tick mark represents one bit position. */ /* Argus Data Specific Record Type Field The DSR Type Field specifies the type and format of the DSR. The most significant bit indicates if the DSR is a TV or TLV type. A TV structure has a specific length of 4 bytes, which a TLV has a variable length indicator. The other bits specify highest level semantics for the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |x| Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_IMMEDIATE_DATA 0x80 #define ARGUS_TRANSPORT_DSR 0x01 #define ARGUS_FLOW_DSR 0x02 #define ARGUS_TIME_DSR 0x03 #define ARGUS_FLOW_HASH_DSR 0x07 #define ARGUS_METER_DSR 0x10 #define ARGUS_PSIZE_DSR 0x12 #define ARGUS_ENCAPS_DSR 0x20 #define ARGUS_NETWORK_DSR 0x30 #define ARGUS_ICMP_DSR 0x34 #define ARGUS_IB_DSR 0x35 #define ARGUS_ISIS_DSR 0x36 #define ARGUS_RSVP_DSR 0x37 #define ARGUS_ESP_DSR 0x38 #define ARGUS_LCP_DSR 0x39 #define ARGUS_DATA_DSR 0x50 #define ARGUS_AGR_DSR 0x60 #define ARGUS_COR_DSR 0x62 #define ARGUS_COCODE_DSR 0x64 #define ARGUS_LABEL_DSR 0x66 /* Argus Data Specific Record SubType Field The DSR SubType Field indicates the specific types for this DSR, and is specific for the DSR Type. The most significant bit of the subtype field indicates the width of the length, when it is present. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| |x| SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| |0| SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_LEN_16BITS 0x80 #define ARGUS_TIMEADJUST 0x20 /* Argus Record Data Qualifier Field TLV Data Records that have an 8 bit length field support an 8-bit Qualifier field, which is used to convey additional semantics for the DSR format and contents. In some situations, the qualifier may be used to further specify the actual DSR data format, in others it may provide addition semantics, or it can be used to provide the actual 8-bit data. How the Qualifier is parsed and used is specific to the DSR Type and SubType. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| |0| | Qualifier | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus DSR Qualifier */ #define ARGUS_SRC 0x01 #define ARGUS_DST 0x02 #define ARGUS_SRC_CHANGED 0x04 #define ARGUS_DST_CHANGED 0x08 #define ARGUS_SRC_INT_CHANGED 0x10 #define ARGUS_DST_INT_CHANGED 0x20 #define ARGUS_TYPE_IPV4 0x01 #define ARGUS_TYPE_IPV6 0x02 #define ARGUS_TYPE_ETHER 0x03 #define ARGUS_TYPE_ARP 0x04 #define ARGUS_TYPE_RARP 0x05 #define ARGUS_TYPE_MPLS 0x06 #define ARGUS_TYPE_VLAN 0x07 #define ARGUS_TYPE_WLAN 0x08 #define ARGUS_TYPE_LCP 0x09 #define ARGUS_TYPE_ISIS 0x0A #define ARGUS_TYPE_IB_LOCAL 0x0B #define ARGUS_TYPE_IB_GLOBAL 0x0C #define ARGUS_TYPE_UDT 0x0D #define ARGUS_TYPE_VXLAN 0x0E #define ARGUS_TYPE_GRE 0x0F #define ARGUS_TYPE_INTERFACE 0x10 #define ARGUS_TYPE_INT 0x20 #define ARGUS_TYPE_STRING 0x21 #define ARGUS_TYPE_UUID 0x22 /* Flow Descriptor Option Qualifiers */ #define ARGUS_ANON 0x20 /* Record Descriptor Qualifiers */ #define ARGUS_MERGED 0x40 /* Argus Record Data Length Field Number of 32-bit longwords, including the header. Data records that have a 0 as the most significant bit support variable length records, and as a result have a length field. Records with a 1 as the most significant bit are fixed length 4 byte records, and thus do not have a length field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Length field can equal 1. */ #define ARGUS_MAXDSRLEN 0xFF /* DSR Definitions */ /* Argus Mar and Event records are a singular DSR */ #define ARGUS_MAR_INDEX 0 #define ARGUS_EVENT_INDEX 0 /* Argus Data Transport DSR The Transport DSR provides source probe identification and optionally a probe transport specific sequence number. The probe identifier can be a number of types including an IPv4, IPv6 address, an ethernet address, an ID plus an interface specifier, an unsigned 32-bit integer, and/or an arbitrary string, such as a URL. The probe identifier should be unique throughout the monitoring domain. */ /* Argus Transport DSR Type */ #define ARGUS_TRANSPORT_INDEX 0 /* Argus Transport DSR SubType */ #define ARGUS_SRCID 0x01 #define ARGUS_SEQ 0x02 /* Argus Transport DSR Qualifier */ /* ARGUS_TYPE_IPV4 ARGUS_TYPE_IPV6 ARGUS_TYPE_ETHER ARGUS_TYPE_INT ARGUS_TYPE_STRING ARGUS_TYPE_INTERFACE ARGUS_SRCID (with IPV4ADDR as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x01 | 0x01 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID (with IPV6ADDR as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x01 | 0x02 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Source Identifier | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID (with IPV4 + INF as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x01 | 0x11 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Interface Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID | ARGUS_SEQ (with 32-bin unsigned int as ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x20 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID | ARGUS_SEQ (with STRING as ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x21 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | | | | +---+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | PAD | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SRCID | ARGUS_SEQ (with IPV6 + INF as the ID) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x12 | 0x07 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus IPV6 Source Identifier | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Interface Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Transport Record Field Note that one tick mark represents one bit position. */ /* Argus Time Descriptor DSR The Argus Time Descriptor is an optional DSR that specifies time for packet related events. These can represent time ranges, single timestamps, or relative timestamps. If relative timestamps are used in an Argus record, there must be only one absolute timestamp to act as the unambiguous reference, and this should be the first timestamp in the record. This absolute reference can stand alone or be included in a composite structure that also contains relative time references. The scale must match, or there is an error. Unsigned 32-bit uSec relative time references can handle up to 71.58278 minutes, and nSec relative time refereces can handle up to 4.294967296 seconds, however there are many network events that can exceed these time ranges, and so when needed, absolute time ranges will be used. Flows are bounded in time with single packet events having a single reference, and multiple packet flows having additional time boundary references. In the case of uni-directional multi-packet flows, a time range indicates the time for the occurence of the first and last measured event for that flow. In bi-directional flows, the strategy is to represent the metrics as two uni- directional flows bound together by the flow descriptors, and some state. This strategy impacts how time will be reported. Each uni-directional flow can be composed of a single packet event or a multi-packet event, so there is a requirement to support up to 4 timestamps in a given record. */ /* Argus Time Descriptor DSR Types */ #define ARGUS_TIME_INDEX 2 /* Argus Time Descriptor DSR SubTypes */ #define ARGUS_TIME_ABSOLUTE_TIMESTAMP 0x01 #define ARGUS_TIME_ABSOLUTE_RANGE 0x02 #define ARGUS_TIME_ABSOLUTE_RELATIVE_RANGE 0x03 #define ARGUS_TIME_RELATIVE_TIMESTAMP 0x04 #define ARGUS_TIME_RELATIVE_RANGE 0x05 #define ARGUS_TIME_SRC_START 0x08 #define ARGUS_TIME_SRC_END 0x10 #define ARGUS_TIME_DST_START 0x20 #define ARGUS_TIME_DST_END 0x40 #define ARGUS_TIME_MASK (ARGUS_TIME_SRC_START | ARGUS_TIME_DST_START | ARGUS_TIME_SRC_END | ARGUS_TIME_DST_END) /* Argus Flow Descriptor DSR Qualifiers */ #define ARGUS_TYPE_UTC_MICROSECONDS 0x18 #define ARGUS_TYPE_UTC_NANOSECONDS 0x19 #define ARGUS_TYPE_MICROSECONDS 0x1A #define ARGUS_TYPE_NANOSECONDS 0x1B /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x01 | 0x18 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x02 | 0x18 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Start Time (UTC) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Last Time (UTC) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x03 | 0x19 | 0x04 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x04 | 0x1A | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Delta Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x03 | 0x05 | 0x1B | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Start Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Last Delta Fractional Seconds (nsec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Time Record Field Note that one tick mark represents one bit position. */ /* Argus Time Adjustment Descriptor DSR The Argus Time Adjustment Descriptor is an optional DSR that specifies a time adjustment that is assigned/imposed by the NTAIS system. Generally added by either an intermediate RADIUM node or in the receiving NTAIS, this value is a single time adjustment value to bring the timestamps into synchronization in the system. The DSR is a composite DSR, and is composed of a mandatory Source Identifier, and a Timestamp, as specified above. The minimum record length is 24 bytes long (6 * 4). */ /* Argus Time Descriptor DSR Types */ #define ARGUS_TIME_ADJ_INDEX 16 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x09 | 0x00 | 0x00 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Transport Record | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Time Record | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Time Adjustment Record Field Note that one tick mark represents one bit position. */ /* Argus Flow Descriptor DSR The Argus Flow Descriptor is an optional DSR that specifies the key and non-key attributes that apply to the flow record. Key attributes indicate the attributes that were used by the probe or aggregator to formulate the flow. This may involve any combination of identifiers that were contained in the packets themselves. A flow description is a collection of identifiers that were used to classify packets. All packets that contain the identifiers are considered a part of the same flow model. The Argus supports both uni and bi- directional flow modeling. Because flow descriptors can be directionally sensitive, a direction bit is included in the flow descriptor qualifier. The Argus supports a number of pre-defined complex flow descriptor groupings as specific data types, in order to be efficient. It also supports arbitrary flow descriptions, While most flows will be Type-P1 5-tuple Layer 3/4 flows, many applications will want to support Layer 2, unidirectional Layer 2.5 (MPLS), Layer 3 address, and Layer 3 CIDR address based flows. Aggregation experiments indicate that non-key attributes can be persistent during the life of some flows, and the ability to report these attributes is important for many analytical methods. So, indicating persistent and non-persistent/last attribute values is extremely important. It is important to propagte throught the life of the flow record, an indication that the RMON style of data, where only one set of the bi-directional flow key objects, are retained and being used as a key. Attributes that are used as keys are indicated in the most significant bit of the DSR. */ /* Argus Flow Descriptor DSR Types */ #define ARGUS_FLOW_INDEX 1 /* Argus Flow Descriptor DSR SubTypes */ #define ARGUS_FLOW_KEY_ATTRIBUTE 0x80 #define ARGUS_FLOW_CLASSIC5TUPLE 0x01 #define ARGUS_FLOW_LAYER_2_MATRIX 0x02 #define ARGUS_FLOW_LAYER_3_MATRIX 0x03 #define ARGUS_FLOW_MPLS 0x04 #define ARGUS_FLOW_VLAN 0x05 #define ARGUS_FLOW_ARP 0x06 #define ARGUS_FLOW_LAYER_2 0x07 #define ARGUS_FLOW_KEYS 0x00000007 #define ARGUS_FLOW_KEY_CLASSIC5TUPLE 0x00000001 #define ARGUS_FLOW_KEY_LAYER_2_MATRIX 0x00000002 #define ARGUS_FLOW_KEY_LAYER_3_MATRIX 0x00000004 #define ARGUS_FLOW_KEY_LOCAL_MPLS 0x00000008 #define ARGUS_FLOW_KEY_COMPLETE_MPLS 0x00000010 #define ARGUS_FLOW_KEY_VLAN 0x00000020 #define ARGUS_FLOW_KEY_LAYER_2 0x00000040 #define ARGUS_FLOW_COMPOSITE 0x08 #define ARGUS_FLOW_DLT_IANA 0x10 /* this is the layer 2 ifType */ #define ARGUS_FLOW_ETH_IANA 0x11 /* this is the layer 3 protocol ids */ #define ARGUS_FLOW_IP_IANA 0x12 /* this is the layer 4 protocol/nexthop number */ #define ARGUS_FLOW_RMON 0x40 /* this has been created usig RMON options */ /* Argus Flow Descriptor DSR Qualifiers */ #define ARGUS_SYSTEM_FLOW 0x20 #define ARGUS_REVERSE 0x40 #define ARGUS_UNIDIRECTIONAL 0x10 #define ARGUS_BIDIRECTIONAL 0x20 #define ARGUS_MASKLEN 0x40 #define ARGUS_FRAGMENT 0x80 /* ARGUS_FLOW_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K|D| SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Flow Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV6 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x02 | 0x0B | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ETHER 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x03 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source | | Ethernet +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Address | Destination | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Ethernet | | Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ethernet Type | dsap | ssap | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP | Trans Proto | Type | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Identifier | IP Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP | Trans Proto | Type | Code | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Pad | IP Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=ARGUS_FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_IPV4 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP | Trans Proto | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Payload Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ARP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|0| 0x01 | 0x07 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP SPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_CLASSIC5TUPLE TYPE=FLOW SubType=ARGUS_CLASSIC5TUPLE Qual=ARGUS_TYPE_ARP (reverse) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|1| 0x01 | 0x07 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source | | Ethernet +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Address | Target | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Ethernet | | Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_FLOW_COMPOSITE Composite argus flow descriptors allow for arbitrary identifiers to be used as flow key elements. The trick is to effeciently encode the flow descriptor so that clients can keep up. The concept is that anything in the packet should be fair game fair game, as they are observable identifiers. Practically there are limits, as some fields are arbitrary, or can be modified in the network. Composite flow keys are indicated using the ARGUS_FLOW_COMPOSITE DSR identifier, which is a header preceeding a set of IANA based packet content identifiers. The values of many of the constants are defined in other include files, and so if you see a value you are not familiar with, grep for in the set of include files provided. First the composite methods should be capable of representing the stanard flow defintiions efficiently. This is an example of how to indicate the classic IPv4 5-tuple flow spec for UDP traffic, using Composite Flow DSRs. Type=COMPOSITE SubType=IANA_LAYER3 Qual=IPv4 SubType=IANA_LAYER4 IANA Qual=UDP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x08 | 0x01 | 0x06 | Composite +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | IPv4 Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x11 | 0x02 | UDP Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ This is an example of how to indicate a modified IPv4 flow spec for UDP traffic, using Composite Flow DSRs. This flow spec has src and dst address data and just the protocol field. Type=COMPOSITE SubType=IANA_LAYER3 Qual=IPv4 SubType=IANA_LAYER4 IANA Qual=UDP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x08 | 0x01 | 0x06 | Composite +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | IPv4 Matrix +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x11 | UDP Protocol +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type=FLOW SubType=LAYER3 Qual=IPv4 Type=LAYER4 SubType=IANA Qual=TCP 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x07 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |1|D| 0x01 | 0x01 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Proto | Trans Proto | Source Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination Port | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | Source ToS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV6_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x02 | Qualifier | 0x0A | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x10 | 0x06 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_DSR 0x04 ARGUS_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| ProtoType | Protocol Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x04 |K| Proto Type | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Protocol Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_DLT_DSR 0x04 #define ARGUS_PROTO_DLT_BPF 0x01 #define ARGUS_PROTO_DLT_IANA 0x02 ARGUS_PROTO_DLT_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| DLT Value | Data Link Type Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x04 |K| DLT Value | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_DLT_802_1Q_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| 71 | 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_ETHER_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x04 |K| ETH_IANA | Ethernet Protocol Value | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_IP_DSR 0x10 #define ARGUS_PROTO_IP_ATTR_DSR 0x04 #define ARGUS_PROTO_IP_OPTIONS_DSR 0x05 */ /* ARGUS_PROTO_IP_DSR IP Qualifiers */ #define ARGUS_IP_V4 0x01 #define ARGUS_IP_V6 0x02 #define ARGUS_IP_OPTIONS 0x03 /* ARGUS_PROTO_IP_ATTR_DSR Status */ /* #define ARGUS_IP_TOS_MODIFIED 0x00001000 #define ARGUS_IP_TTL_MODIFIED 0x00002000 #define ARGUS_IP_OPTIONS_MODIFIED 0x00004000 */ #define ARGUS_ICMP_MAPPED 0x07 #define ARGUS_ICMPUNREACH_MAPPED 0x01 #define ARGUS_ICMPREDIREC_MAPPED 0x02 #define ARGUS_ICMPTIMXCED_MAPPED 0x04 /* IP Header Field Identifiers */ #define ARGUS_IP_SRC 0x01 #define ARGUS_IP_DST 0x02 #define ARGUS_IP_PROTO 0x04 #define ARGUS_IP_TOS 0x08 #define ARGUS_IP_TTL 0x10 #define ARGUS_IP_ID 0x20 /* IP Option Indicators */ #define ARGUS_RECORDROUTE 0x01 #define ARGUS_TIMESTAMP 0x02 #define ARGUS_SECURITY 0x04 #define ARGUS_LSRCROUTE 0x08 #define ARGUS_SATID 0x10 #define ARGUS_SSRCROUTE 0x20 #define ARGUS_RTRALERT 0x40 /* ARGUS_PROTO_IP_ATTR_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x10 |K| 0x04 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP ID | TTL | TOS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status | Options | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_OPTIONS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x10 |K| 0x05 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Options Indicator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_PROTO_IP_PROTO_DSR 0x12 ARGUS_PROTO_IP_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x12 |K| 0x10 | Qualifier | Proto Num | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | Proto Num | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR TCP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x06 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR UDP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x11 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ICMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x01 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP Type | ICMP Code | ICMP ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ESP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x32 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Security Payload Identifiier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR IGMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| 0x12 |1| 0x10 | 0x02 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Type | IGMP Code | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | SubType | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Meter Specific Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Meter DSR Type */ #define ARGUS_METRIC_INDEX 3 /* Argus Meter DSR Subtype */ #define ARGUS_METER_PKTS_BYTES 0x01 #define ARGUS_METER_PKTS_BYTES_APP 0x04 /* Argus Meter DSR Qual */ #define ARGUS_SRCDST_BYTE 0x01 #define ARGUS_SRCDST_SHORT 0x02 #define ARGUS_SRCDST_INT 0x03 #define ARGUS_SRCDST_LONGLONG 0x04 #define ARGUS_SRC_BYTE 0x05 #define ARGUS_SRC_SHORT 0x06 #define ARGUS_SRC_INT 0x07 #define ARGUS_SRC_LONGLONG 0x08 #define ARGUS_DST_BYTE 0x09 #define ARGUS_DST_SHORT 0x0A #define ARGUS_DST_INT 0x0B #define ARGUS_DST_LONGLONG 0x0C /* #define ARGUS_METER_PKTS_BYTES 0x01 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 2 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 3 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 4 | 0x05 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + packets + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + bytes + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Packet Size DSR Type */ #define ARGUS_PSIZE_INDEX 10 /* Argus Packet Size DSR Subtype */ #define ARGUS_PSIZE_SRC_MAX_MIN 0x01 #define ARGUS_PSIZE_DST_MAX_MIN 0x02 #define ARGUS_PSIZE_HISTO 0x04 /* Argus Packet Size DSR Qual (same as Metric above) */ /* #define ARGUS_SRCDST_SHORT 0x02 #define ARGUS_SRCDST_INT 0x03 #define ARGUS_SRC_SHORT 0x06 #define ARGUS_SRC_INT 0x07 #define ARGUS_DST_SHORT 0x0A #define ARGUS_DST_INT 0x0B */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x01 | 0x06 | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | src min size | src max size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | dst min size | dst max size | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Standard Source and Destination max and min packet size report. */ #define ARGUS_DIRECTION 0x0000020 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x04 | Qualifier | 0x04 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCPQualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Syn ACK uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP ACK DATA uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x05 | D | Qualifier | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Sequence Base | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Acknowledged Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Total Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Retransmitted Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Last Reported Window | TCP Flags | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_METER_IGMP_PERF 0x06 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x06 | D | Qualifier | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Group | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Join Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Leave Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* #define ARGUS_METER_ESP_PERF 0x07 */ /* IP Sec AH Header Qualifier Bits */ /* #define ARGUS_AH_HDR 0x10 #define ARGUS_AH_REPLAY 0x08 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x07 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Last Sequence | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Lost Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_AGR_INDEX 4 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x22 | 0x01 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | record count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x22 | 0x02 | Qualifier | 0x07 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | record count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastStartTime Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastStartTime uSeconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastTime Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | lastTime uSeconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Encapsulation DSR Type */ #define ARGUS_ENCAPS_INDEX 15 /* Argus Encapsulation DSR Qualifier */ #define ARGUS_ENCAPS_CHANGED 0x80 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 | 0x00 | Qualifier | 0x03 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src Encapsulation Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Dst Encapsulation Mask | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Encapsulation Headers | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Fragment DSR Type */ #define ARGUS_FRAG_INDEX 5 #define ARGUS_FRAGMENTS 0x01 #define ARGUS_FRAGOVERLAP 0x02 /* Fragment State Constants and Reporting Values */ #define ARGUS_FRAG_INIT 0x10 #define ARGUS_FRAG_OUT_OF_ORDER 0x20 #define ARGUS_TCPFRAGOFFSETERROR 0x40 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x25 | 0x01 | Qualifier | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | fragment number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | fragment identification | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Total Fragment Length | Current Fragment Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Maxiumum Fragment Length | pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Network DSR The Network DSR provides additional information regarding transport layer information. */ /* Argus Transport DSR Type */ #define ARGUS_NETWORK_INDEX 5 /* Argus Transport DSR Subtype */ #define ARGUS_TCP_INIT 0x03 #define ARGUS_TCP_STATUS 0x04 #define ARGUS_TCP_PERF 0x05 #define ARGUS_NETWORK_SUBTYPE_ARP 0x10 #define ARGUS_NETWORK_SUBTYPE_FRAG 0x45 /* Argus Transport DSR Qualifier */ #define ARGUS_TCP_INIT_V2 0x02 /* RTP State Constants and Reporting Values */ #define ARGUS_RTP_SRCSILENCE 0x01 #define ARGUS_RTP_DSTSILENCE 0x02 #define ARGUS_HTTP_FLOWTAG 0x01 #define ARGUS_RTCP_FLOW 0x09 #define ARGUS_RTP_FLOW 0x0A /* UDT State Constants and Reporting Values */ #define ARGUS_UDT_FLOW 0x0D /* TCP State Constants and Reporting Values */ #define ARGUS_SAW_SYN 0x00000001 #define ARGUS_SAW_SYN_SENT 0x00000002 #define ARGUS_CON_ESTABLISHED 0x00000004 #define ARGUS_FIN 0x00000008 #define ARGUS_FIN_ACK 0x00000010 #define ARGUS_NORMAL_CLOSE 0x00000020 #define ARGUS_CLOSE_WAITING 0x00000040 #define ARGUS_PORT_REUSE 0x00000080 #define ARGUS_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_DST_PKTS_RETRANS 0x00000200 #define ARGUS_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_DST_WINDOW_SHUT 0x00000800 #define ARGUS_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_SRC_RESET 0x00001000 #define ARGUS_DST_RESET 0x00002000 #define ARGUS_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_SRC_CONGESTED 0x00004000 #define ARGUS_DST_CONGESTED 0x00008000 #define ARGUS_PKTS_DROP 0x30 #define ARGUS_SRC_PKTS_DROP 0x10 #define ARGUS_DST_PKTS_DROP 0x20 #define ARGUS_OUTOFORDER 0x00030000 #define ARGUS_SRC_OUTOFORDER 0x00010000 #define ARGUS_DST_OUTOFORDER 0x00020000 #define ARGUS_DUPLICATES 0x000C0000 #define ARGUS_SRC_DUPLICATES 0x00040000 #define ARGUS_DST_DUPLICATES 0x00080000 #define ARGUS_TCP_OPTIONS 0xFFF00000 #define ARGUS_TCP_MAXSEG 0x00100000 #define ARGUS_TCP_WSCALE 0x00200000 #define ARGUS_TCP_SACKOK 0x00400000 #define ARGUS_TCP_SACK 0x00800000 #define ARGUS_TCP_ECHO 0x01000000 #define ARGUS_TCP_ECHOREPLY 0x02000000 #define ARGUS_TCP_TIMESTAMP 0x04000000 #define ARGUS_TCP_CC 0x08000000 #define ARGUS_TCP_CCNEW 0x10000000 #define ARGUS_TCP_CCECHO 0x20000000 #define ARGUS_TCP_SRC_ECN 0x40000000 #define ARGUS_TCP_DST_ECN 0x80000000 #define ARGUS_UDT_OPTIONS 0xFFF00000 #define ARGUS_UDT_BADVERSION 0x00100000 #define ARGUS_UDT_FIRSTDROPZERO 0x01000000 /* ESP State Constatans and Reporting Values */ #define ARGUS_ESP_ROLLOVER 0x1000 #define ARGUS_ESP_SEQFAILURE 0x2000 /* Vlan Transport DSR Type */ #define ARGUS_VLAN_DSR 0x40 #define ARGUS_VLAN_INDEX 6 #define ARGUS_SRC_VLAN 0x01 #define ARGUS_DST_VLAN 0x02 /* Mpls Transport DSR Type */ #define ARGUS_MPLS_DSR 0x44 #define ARGUS_MPLS_INDEX 7 /* Argus MPLS DSR SubType */ #define ARGUS_MPLS_SRC_LABEL 0x01 #define ARGUS_MPLS_DST_LABEL 0x02 /* Argus MPLS DSR Qualifier */ #define ARGUS_MPLS_SRC_LABEL_CHANGED 0x10 #define ARGUS_MPLS_DST_LABEL_CHANGED 0x20 /* Mac Layer Header DSR Type */ #define ARGUS_MAC_DSR 0x42 #define ARGUS_MAC_INDEX 13 /* Argus Mac Layer DSR Qualifier */ #define ARGUS_MULTIPATH 0x03 #define ARGUS_SRC_MULTIPATH 0x01 #define ARGUS_DST_MULTIPATH 0x02 /* Jitter Transport DSR Type */ #define ARGUS_JITTER_DSR 0x46 #define ARGUS_JITTER_INDEX 8 /* Argus Jitter DSR Qualifier */ #define ARGUS_SRC_ACTIVE_JITTER 0x01 #define ARGUS_SRC_IDLE_JITTER 0x02 #define ARGUS_DST_ACTIVE_JITTER 0x04 #define ARGUS_DST_IDLE_JITTER 0x08 /* Argus Histogram DSR Type */ #define ARGUS_HISTO_DSR 0x47 #define ARGUS_HISTO_INDEX 18 /* Argus Histogram DSR Subtype */ #define ARGUS_HISTO_EXP 0x01 #define ARGUS_HISTO_LINEAR 0x02 /* ARGUS_HISTO_LINEAR size:bins:start ARGUS_HISTO_EXPONENTIAL size:bins:start:base ARGUS_HISTO_SCALED ARGUS_HISTO_OUTLAYER_LOWER ARGUS_HISTO_OUTLAYER_UPPER */ /* Argus IP Attribute DSR Type */ #define ARGUS_IPATTR_DSR 0x48 #define ARGUS_IPATTR_INDEX 9 /* Argus IP Attribute DSR Qualifier */ #define ARGUS_IPATTR_SRC 0x01 #define ARGUS_IPATTR_DST 0x02 #define ARGUS_IPATTR_SRC_OPTIONS 0x04 #define ARGUS_IPATTR_DST_OPTIONS 0x08 #define ARGUS_IPATTR_SRC_FRAGMENTS 0x10 #define ARGUS_IPATTR_DST_FRAGMENTS 0x20 /* Argus Data DSR Type */ #define ARGUS_DATA_DSR 0x50 #define ARGUS_SRCUSERDATA_INDEX 11 #define ARGUS_DSTUSERDATA_INDEX 12 /* Argus Data DSR SubTypes */ #define ARGUS_TOTAL_PACKET 0x01 #define ARGUS_PACKET_HDR 0x02 #define ARGUS_USER_DATA 0x03 #define ARGUS_DATA_COMPRESS 0x08 #define ARGUS_SRC_DATA 0x10 #define ARGUS_DST_DATA 0x20 /* Argus ICMP DSR Type */ #define ARGUS_ICMP_DSR 0x34 #define ARGUS_ICMP_INDEX 14 /* Argus Behavior DSR Type */ #define ARGUS_BEHAVIOR_DSR 0x54 #define ARGUS_BEHAVIOR_INDEX 17 /* Argus Behavior DSR SubTypes */ #define ARGUS_TCP_KEYSTROKE 0x01 #define ARGUS_SSH_KEYSTROKE 0x02 /* Argus Correlation DSR Type */ #define ARGUS_COR_INDEX 17 /* Argus Country Code DSR */ #define ARGUS_COCODE_INDEX 18 /* Argus Label DSR */ #define ARGUS_LABEL_INDEX 19 /* Argus Label SubTypes */ #define ARGUS_SVC_LABEL 0x01 /* Argus ASN DSR */ #define ARGUS_ASN_DSR 0x32 #define ARGUS_ASN_INDEX 20 /* Argus ASN SubTypes */ #define ARGUS_ASN_ORIGIN 0x01 #define ARGUS_ASN_PEER 0x02 #define ARGUS_SRC_ADDR 0x01 #define ARGUS_DST_ADDR 0x02 #define ARGUS_INODE_ADDR 0x04 #define ARGUS_ADDR_MASK 0x07 /* Argus Flow Hash DSR */ #define ARGUS_FLOW_HASH_DSR 0x07 #define ARGUS_FLOW_HASH_INDEX 21 /* Gre Transport DSR Type */ #define ARGUS_GRE_DSR 0x41 #define ARGUS_GRE_INDEX 23 #define ARGUS_SRC_GRE 0x01 #define ARGUS_DST_GRE 0x02 /* VxLan Transport DSR Type */ #define ARGUS_VXLAN_DSR 0x43 #define ARGUS_VXLAN_INDEX 22 #define ARGUS_SRC_VXLAN 0x01 #define ARGUS_DST_VXLAN 0x02 /* Geneve Transport DSR Type */ #define ARGUS_GENEVE_DSR 0x45 #define ARGUS_GENEVE_INDEX 24 #define ARGUS_SRC_GENEVE 0x01 #define ARGUS_DST_GENEVE 0x02 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x01 | Qualifier | 0x24 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Total Packet Contents | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Contents Field Note that one tick mark represents one bit position. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x02 | Qualifier | 0x08 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Packet Header Contents | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Header Contents Field Note that one tick mark represents one bit position. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x50 | 0x03 | Qualifier | 0x80 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Flow User Data Contents | | | | | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Packet Header Contents Field Note that one tick mark represents one bit position. */ /* Argus Record Examples Simple TCP 5-Tuple UDP flow record with transport identifier and sequence numbers with unidirectional Packet and Byte Load Metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Vers | Opt | Length | Header +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x02 | 0x03 | 0x03 | Transport +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Identifier | Argus Source Identifier | and +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ sequence num | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IPv4 Addrs | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x11 | 0x02 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ UDP and Ports | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | Qualifier | 0x02 | Src Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Simple TCP 5-Tuple TCP flow record with TCP state and status indicators, with bidirectional Packet and Byte Metrics. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x1 | 0x2 | 0x03 | 0x0 | 0x000C | Header +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x02 |K| 0x01 | 0x01 | 0x03 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ IPv4 Addrs | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x12 |K| 0x10 | 0x06 | 0x02 | Flow Key +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ TCP and Ports | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x16 |K| 0x10 | 0x06 | 0x02 | TCP State and Options +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Attributes | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | SRC Qual | 0x02 | Src Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| 0x20 |K| 0x01 | DST Qual | 0x02 | Dst Load Metrics +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 16-bit counters | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* argus_def_v2.h Legacy Argus Record Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Ver | Opt | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Status | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Status Record Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_V2_MAR 0x80 /* Normal Argus Management Record */ #define ARGUS_V2_INDEX 0xA0 /* New Argus Index Record */ #define ARGUS_V2_EVENT 0xC0 /* New Argus Event/Message Record */ #define ARGUS_V2_CISCO_NETFLOW 0x10 /* Argus CISCO Netflow Support */ #define ARGUS_V2_WRITESTRUCT 0x20 /* Argus 1.x Write Struct Conversion */ #define ARGUS_V2_RMON 0x40 /* New RMON style FAR Record Format */ #define ARGUS_V2_FAR 0x01 /* Normal Argus Data Record */ #define ARGUS_V2_DATASUP 0x02 /* New Supplemental Argus Data Record */ #define ARGUS_V2_ARCHIVE 0x03 /* New Archival Argus Data Record */ /* Argus Record Cause */ #define ARGUS_V2_START 0x01 /* INIT */ #define ARGUS_V2_STATUS 0x04 /* STATUS */ #define ARGUS_V2_STOP 0x08 /* CLOSE */ #define ARGUS_V2_SHUTDOWN 0x10 /* Administrative shutdown */ #define ARGUS_V2_TIMEOUT 0x20 /* TIMEOUT */ #define ARGUS_V2_ERROR 0x40 /* MAJOR PROBLEM */ /* Record Version (Ver) */ #define ARGUS_V2_VERSION 0x20000000 /* Version 2 */ /* Record Options (Opt)*/ #define ARGUS_V2_ANON 0x01000000 #define ARGUS_V2_MERGED 0x02000000 #define ARGUS_V2_TOPN 0x04000000 #define ARGUS_V2_MATRIX 0x08000000 /* Argus MAR Record Status */ #define ARGUS_V2_SASL_AUTHENTICATE 0x00001000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Status Conditions | Proto | EtherType Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Record Status Field Note that one tick mark represents one bit position. */ #define ARGUS_V2_ETHERTYPE 0x00FFFF #define ARGUS_V2_MPLS 0x00010000 #define ARGUS_V2_VLAN 0x00020000 #define ARGUS_V2_PPPoE 0x00040000 #define ARGUS_V2_SNAPENCAPS 0x00080000 #define ARGUS_V2_CONNECTED 0x00100000 #define ARGUS_V2_ID_IS_IPADDR 0x00800000 #define ARGUS_V2_SRC_VLAN 0x0001 #define ARGUS_V2_DST_VLAN 0x0002 #define ARGUS_V2_SRC_MPLS 0x0001 #define ARGUS_V2_DST_MPLS 0x0002 #define ARGUS_V2_SRC_CHANGED 0x0010 #define ARGUS_V2_DST_CHANGED 0x0020 /* Argus Error Messages go into the status field when the Record Cause is ARGUS_V2_ERROR. */ #define ARGUS_V2_ACCESSDENIED 0x000010 #define ARGUS_V2_MAXLISTENEXCD 0x000020 /* Link Types */ #define ARGUS_V2_ETHERNET 0x01000000 #define ARGUS_V2_ATM 0x02000000 #define ARGUS_V2_FDDI 0x03000000 #define ARGUS_V2_TOKENRING 0x04000000 #define ARGUS_V2_SLIP 0x05000000 #define ARGUS_V2_PPP 0x06000000 #define ARGUS_V2_ESP 0x07000000 #define ARGUS_V2_RAW 0x08000000 #define ARGUS_V2_NULL 0x09000000 #define ARGUS_V2_SEND_FRAG_COMPLETE 0x10000000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus FAR Status Field Note that one tick mark represents one bit position. */ /* ICMP Mapped Indicator */ /* argus_far.status indicator */ #define ARGUS_V2_ICMP_MAPPED 0x0007 #define ARGUS_V2_ICMPUNREACH_MAPPED 0x0001 #define ARGUS_V2_ICMPREDIREC_MAPPED 0x0002 #define ARGUS_V2_ICMPTIMXCED_MAPPED 0x0004 #define ARGUS_V2_FRAGMENTS 0x0008 #define ARGUS_V2_FRAGOVERLAP 0x0010 #define ARGUS_V2_TOS_MODIFIED 0x0020 #define ARGUS_V2_TTL_MODIFIED 0x0040 #define ARGUS_V2_OPTION_MODIFIED 0x0080 /* IP Option Indicators */ #define ARGUS_V2_IPOPTIONS 0x3F00 #define ARGUS_V2_TIMESTAMP 0x0100 #define ARGUS_V2_SECURITY 0x0200 #define ARGUS_V2_LSRCROUTE 0x0400 #define ARGUS_V2_RECORDROUTE 0x0800 #define ARGUS_V2_SSRCROUTE 0x1000 #define ARGUS_V2_SATNETID 0x2000 #define ARGUS_V2_MULTIADDR 0x4000 /* Type: DSR Cause: ANY */ #define ARGUS_V2_DSR_TYPES 20 #define ARGUS_V2_DSR_MAC 0 #define ARGUS_V2_DSR_TCP 1 #define ARGUS_V2_DSR_ICMP 2 #define ARGUS_V2_DSR_RTP 3 #define ARGUS_V2_DSR_RTCP 4 #define ARGUS_V2_DSR_IGMP 5 #define ARGUS_V2_DSR_ARP 6 #define ARGUS_V2_DSR_FRG 7 #define ARGUS_V2_DSR_ESP 8 #define ARGUS_V2_DSR_MPLS 9 #define ARGUS_V2_DSR_VLAN 10 #define ARGUS_V2_DSR_PPPOE 11 #define ARGUS_V2_DSR_AGR 12 #define ARGUS_V2_DSR_TIME 13 #define ARGUS_V2_DSR_SRCUSERDATA 14 #define ARGUS_V2_DSR_DSTUSERDATA 15 #define ARGUS_V2_DSR_SRCTIME 16 #define ARGUS_V2_DSR_DSTTIME 17 #define ARGUS_V2_MAC_DSR 0x08 #define ARGUS_V2_TCP_DSR 0x11 #define ARGUS_V2_ICMP_DSR 0x12 #define ARGUS_V2_RTP_DSR 0x14 #define ARGUS_V2_RTCP_DSR 0x15 #define ARGUS_V2_IGMP_DSR 0x18 #define ARGUS_V2_ARP_DSR 0x20 #define ARGUS_V2_FRG_DSR 0x21 #define ARGUS_V2_ESP_DSR 0x22 #define ARGUS_V2_MPLS_DSR 0x28 #define ARGUS_V2_VLAN_DSR 0x2a #define ARGUS_V2_PPPOE_DSR 0x2b #define ARGUS_V2_AGR_DSR 0x30 #define ARGUS_V2_TIME_DSR 0x40 #define ARGUS_V2_SRCUSRDATA_DSR 0x42 #define ARGUS_V2_DSTUSRDATA_DSR 0x43 #define ARGUS_V2_SRC_TIME_DSR 0x01 #define ARGUS_V2_DST_TIME_DSR 0x02 /* IP Sec AH Header Status Bits */ #define ARGUS_V2_AH_HDR 0x00000010 #define ARGUS_V2_AH_REPLAY 0x00000008 /* RTP State Constants and Reporting Values */ #define ARGUS_V2_RTP_SRCSILENCE 0x01 #define ARGUS_V2_RTP_DSTSILENCE 0x02 #define ARGUS_V2_RTCP_TAG 0x2000 #define ARGUS_V2_RTP_TAG 0x4000 #define ARGUS_V2_HTTP_FLOWTAG 0x01 #define ARGUS_V2_RTCP_FLOWTAG 0x10 #define ARGUS_V2_RTP_FLOWTAG 0x20 #define ARGUS_V2_FRAG_FLOWTAG 0xCB /* TCP State Constants and Reporting Values */ #define ARGUS_V2_SAW_SYN 0x00000001 #define ARGUS_V2_SAW_SYN_SENT 0x00000002 #define ARGUS_V2_CON_ESTABLISHED 0x00000004 #define ARGUS_V2_FIN 0x00000008 #define ARGUS_V2_FIN_ACK 0x00000010 #define ARGUS_V2_NORMAL_CLOSE 0x00000020 #define ARGUS_V2_CLOSE_WAITING 0x00000040 #define ARGUS_V2_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_V2_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_V2_DST_PKTS_RETRANS 0x00000200 #define ARGUS_V2_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_V2_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_V2_DST_WINDOW_SHUT 0x00000800 #define ARGUS_V2_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_V2_SRC_RESET 0x00001000 #define ARGUS_V2_DST_RESET 0x00002000 #define ARGUS_V2_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_V2_SRC_CONGESTED 0x00004000 #define ARGUS_V2_DST_CONGESTED 0x00008000 #define ARGUS_V2_TCP_OUTOFORDER 0x00030000 #define ARGUS_V2_SRC_OUTOFORDER 0x00010000 #define ARGUS_V2_DST_OUTOFORDER 0x00020000 #define ARGUS_V2_TCP_OPTIONS 0xFFF00000 #define ARGUS_V2_TCP_MAXSEG 0x00100000 #define ARGUS_V2_TCP_WSCALE 0x00200000 #define ARGUS_V2_TCP_SACKOK 0x00400000 #define ARGUS_V2_TCP_SACK 0x00800000 #define ARGUS_V2_TCP_ECHO 0x01000000 #define ARGUS_V2_TCP_ECHOREPLY 0x02000000 #define ARGUS_V2_TCP_TIMESTAMP 0x04000000 #define ARGUS_V2_TCP_CC 0x08000000 #define ARGUS_V2_TCP_CCNEW 0x10000000 #define ARGUS_V2_TCP_CCECHO 0x20000000 #define ARGUS_V2_TCP_SRC_ECN 0x40000000 #define ARGUS_V2_TCP_DST_ECN 0x80000000 /* Fragment State Constants and Reporting Values */ #define ARGUS_V2_FRAG_INIT 0x0001 #define ARGUS_V2_FRAG_OUT_OF_ORDER 0x0002 #define ARGUS_V2_TCPFRAGOFFSETERROR 0x0004 /* User Data Status Values */ #define ARGUS_V2_FAR_DSR_STATUS 0x00000001 #define ARGUS_V2_MAC_DSR_STATUS 0x00000010 #define ARGUS_V2_VLAN_DSR_STATUS 0x00000020 #define ARGUS_V2_MPLS_DSR_STATUS 0x00000040 #define ARGUS_V2_PPPOE_DSR_STATUS 0x00000080 #define ARGUS_V2_TCP_DSR_STATUS 0x00000100 #define ARGUS_V2_ICMP_DSR_STATUS 0x00000200 #define ARGUS_V2_RTP_DSR_STATUS 0x00000400 #define ARGUS_V2_RTCP_DSR_STATUS 0x00000800 #define ARGUS_V2_IGMP_DSR_STATUS 0x00001000 #define ARGUS_V2_ARP_DSR_STATUS 0x00002000 #define ARGUS_V2_FRG_DSR_STATUS 0x00004000 #define ARGUS_V2_TIME_DSR_STATUS 0x00100000 #define ARGUS_V2_SRCUSRDATA_DSR_STATUS 0x00200000 #define ARGUS_V2_DSTUSRDATA_DSR_STATUS 0x00400000 #define ARGUS_V2_ESP_DSR_STATUS 0x00800000 #define ARGUS_V2_SRCTIME_DSR_STATUS 0x01000000 #define ARGUS_V2_DSTTIME_DSR_STATUS 0x02000000 #define ARGUS_V2_AGR_DSR_STATUS 0x80000000 #define ARGUS_V2_MAX_DSR_INDEX 32 #define ARGUS_V2_FAR_DSR_INDEX 0 #define ARGUS_V2_MAC_DSR_INDEX 4 #define ARGUS_V2_VLAN_DSR_INDEX 5 #define ARGUS_V2_MPLS_DSR_INDEX 6 #define ARGUS_V2_PPPOE_DSR_INDEX 7 #define ARGUS_V2_TCP_DSR_INDEX 8 #define ARGUS_V2_ICMP_DSR_INDEX 9 #define ARGUS_V2_RTP_DSR_INDEX 10 #define ARGUS_V2_RTCP_DSR_INDEX 11 #define ARGUS_V2_IGMP_DSR_INDEX 12 #define ARGUS_V2_ARP_DSR_INDEX 13 #define ARGUS_V2_FRG_DSR_INDEX 14 #define ARGUS_V2_TIME_DSR_INDEX 20 #define ARGUS_V2_SRCUSRDATA_DSR_INDEX 21 #define ARGUS_V2_DSTUSRDATA_DSR_INDEX 22 #define ARGUS_V2_ESP_DSR_INDEX 23 #define ARGUS_V2_SRCTIME_DSR_INDEX 24 #define ARGUS_V2_DSTTIME_DSR_INDEX 25 #define ARGUS_V2_AGR_DSR_INDEX 31 #define ARGUS_V2_AGR_USECACTTIME 0x0010 #define ARGUS_V2_AGR_USECIDLETIME 0x0020 #define ARGUS_V2_AGR_MSECACTTIME 0x0040 #define ARGUS_V2_AGR_MSECIDLETIME 0x0080 #define ARGUS_V2_AGR_NORMALIZED 0x0100 #define IANA_AF_IP 1 #define IANA_AF_IP6 2 #define IANA_AF_NSAP 3 #define IANA_AF_HDLC 4 #define IANA_AF_BBN_1822 5 #define IANA_AF_802 6 #define IANA_AF_E163 7 #define IANA_AF_E164 8 #define IANA_AF_F69 9 #define IANA_AF_X121 10 #define IANA_AF_IPX 11 #define IANA_AF_APPLETALK 12 #define IANA_AF_DECNET 13 #define IANA_AF_BANYANVINES 14 #define IANA_AF_E164_NSAP 15 #define IANA_AF_DNS 16 #define IANA_AF_DISTINQUISHED_NAME 17 #define IANA_AF_AS_NUM 18 #define IANA_AF_XTP_IPV4 19 #define IANA_AF_XTP_IPV6 20 #define IANA_AF_XTP_NATIVE 21 #define IANA_AF_FIBERCHANNEL_PORT 22 #define IANA_AF_FIBERCHANNEL_NODE 23 #define IANA_AF_GWID 24 #define IANA_AF_AFI 25 #define IANA_AF_MPLS_TP_SECTION 26 #define IANA_AF_MPLS_TP_LSP 27 #define IANA_AF_MPLS_TP_PWIRE 28 #define IANA_AF_MT_IP 29 #define IANA_AF_MT_IP6 30 #define IANA_IFT_OTHER 1 #define IANA_IFT_REGULAR1822 2 #define IANA_IFT_HDH1822 3 #define IANA_IFT_DDNX25 4 #define IANA_IFT_RFC877X25 5 #define IANA_IFT_ETHERNETCSMACD 6 #define IANA_IFT_ISO88023CSMACD 7 #define IANA_IFT_ISO88024TOKENBUS 8 #define IANA_IFT_ISO88025TOKENRING 9 #define IANA_IFT_ISO88026MAN 10 #define IANA_IFT_STARLAN 11 #define IANA_IFT_PROTEON10MBIT 12 #define IANA_IFT_PROTEON80MBIT 13 #define IANA_IFT_HYPERCHANNEL 14 #define IANA_IFT_FDDI 15 #define IANA_IFT_LAPB 16 #define IANA_IFT_SDLC 17 #define IANA_IFT_DS1 18 #define IANA_IFT_E1 19 #define IANA_IFT_BASICISDN 20 #define IANA_IFT_PRIMARYISDN 21 #define IANA_IFT_PROPPOINTTOPOINTSERIAL 22 #define IANA_IFT_PPP 23 #define IANA_IFT_SOFTWARELOOPBACK 24 #define IANA_IFT_EON 25 #define IANA_IFT_ETHERNET3MBIT 26 #define IANA_IFT_NSIP 27 #define IANA_IFT_SLIP 28 #define IANA_IFT_ULTRA 29 #define IANA_IFT_DS3 30 #define IANA_IFT_SIP 31 #define IANA_IFT_FRAMERELAY 32 #define IANA_IFT_RS232 33 #define IANA_IFT_PARA 34 #define IANA_IFT_ARCNET 35 #define IANA_IFT_ARCNETPLUS 36 #define IANA_IFT_ATM 37 #define IANA_IFT_MIOX25 38 #define IANA_IFT_SONET 39 #define IANA_IFT_X25PLE 40 #define IANA_IFT_ISO88022LLC 41 #define IANA_IFT_LOCALTALK 42 #define IANA_IFT_SMDSDXI 43 #define IANA_IFT_FRAMERELAYSERVICE 44 #define IANA_IFT_V35 45 #define IANA_IFT_HSSI 46 #define IANA_IFT_HIPPI 47 #define IANA_IFT_MODEM 48 #define IANA_IFT_AAL5 49 #define IANA_IFT_SONETPATH 50 #define IANA_IFT_SONETVT 51 #define IANA_IFT_SMDSICIP 52 #define IANA_IFT_PROPVIRTUAL 53 #define IANA_IFT_PROPMULTIPLEXOR 54 #define IANA_IFT_IEEE80212 55 #define IANA_IFT_FIBRECHANNEL 56 #define IANA_IFT_HIPPIINTERFACE 57 #define IANA_IFT_FRAMERELAYINTERCONNECT 58 #define IANA_IFT_AFLANE8023 59 #define IANA_IFT_AFLANE8025 60 #define IANA_IFT_CCTEMUL 61 #define IANA_IFT_FASTETHER 62 #define IANA_IFT_ISDN 63 #define IANA_IFT_V11 64 #define IANA_IFT_V36 65 #define IANA_IFT_G703AT64K 66 #define IANA_IFT_G703AT2MB 67 #define IANA_IFT_QLLC 68 #define IANA_IFT_FASTETHERFX 69 #define IANA_IFT_CHANNEL 70 #define IANA_IFT_IEEE80211 71 #define IANA_IFT_IBM370PARCHAN 72 #define IANA_IFT_ESCON 73 #define IANA_IFT_DLSW 74 #define IANA_IFT_ISDNS 75 #define IANA_IFT_ISDNU 76 #define IANA_IFT_LAPD 77 #define IANA_IFT_IPSWITCH 78 #define IANA_IFT_RSRB 79 #define IANA_IFT_ATMLOGICAL 80 #define IANA_IFT_DS0 81 #define IANA_IFT_DS0BUNDLE 82 #define IANA_IFT_BSC 83 #define IANA_IFT_ASYNC 84 #define IANA_IFT_CNR 85 #define IANA_IFT_ISO88025DTR 86 #define IANA_IFT_EPLRS 87 #define IANA_IFT_ARAP 88 #define IANA_IFT_PROPCNLS 89 #define IANA_IFT_HOSTPAD 90 #define IANA_IFT_TERMPAD 91 #define IANA_IFT_FRAMERELAYMPI 92 #define IANA_IFT_X213 93 #define IANA_IFT_ADSL 94 #define IANA_IFT_RADSL 95 #define IANA_IFT_SDSL 96 #define IANA_IFT_VDSL 97 #define IANA_IFT_ISO88025CRFPINT 98 #define IANA_IFT_MYRINET 99 #define IANA_IFT_VOICEEM 100 #define IANA_IFT_VOICEFXO 101 #define IANA_IFT_VOICEFXS 102 #define IANA_IFT_VOICEENCAP 103 #define IANA_IFT_VOICEOVERIP 104 #define IANA_IFT_ATMDXI 105 #define IANA_IFT_ATMFUNI 106 #define IANA_IFT_ATMIMA 107 #define IANA_IFT_PPPMULTILINKBUNDLE 108 #define IANA_IFT_IPOVERCDLC 109 #define IANA_IFT_IPOVERCLAW 110 #define IANA_IFT_STACKTOSTACK 111 #define IANA_IFT_VIRTUALIPADDRESS 112 #define IANA_IFT_MPC 113 #define IANA_IFT_IPOVERATM 114 #define IANA_IFT_ISO88025FIBER 115 #define IANA_IFT_TDLC 116 #define IANA_IFT_GIGABITETHERNET 117 #define IANA_IFT_HDLC 118 #define IANA_IFT_LAPF 119 #define IANA_IFT_V37 120 #define IANA_IFT_X25MLP 121 #define IANA_IFT_X25HUNTGROUP 122 #define IANA_IFT_TRASNPHDLC 123 #define IANA_IFT_INTERLEAVE 124 #define IANA_IFT_FAST 125 #define IANA_IFT_IP 126 #define IANA_IFT_DOCSCABLEMACLAYER 127 #define IANA_IFT_DOCSCABLEDOWNSTREAM 128 #define IANA_IFT_DOCSCABLEUPSTREAM 129 #define IANA_IFT_A12MPPSWITCH 130 #define IANA_IFT_TUNNEL 131 #define IANA_IFT_COFFEE 132 #define IANA_IFT_CES 133 #define IANA_IFT_ATMSUBINTERFACE 134 #define IANA_IFT_L2VLAN 135 #define IANA_IFT_L3IPVLAN 136 #define IANA_IFT_L3IPXVLAN 137 #define IANA_IFT_DIGITALPOWERLINE 138 #define IANA_IFT_MEDIAMAILOVERIP 139 #define IANA_IFT_DTM 140 #define IANA_IFT_DCN 141 #define IANA_IFT_IPFORWARD 142 #define IANA_IFT_MSDSL 143 #define IANA_IFT_IEEE1394 144 #define IANA_IFT_IF_GSN 145 #define IANA_IFT_DVBRCCMACLAYER 146 #define IANA_IFT_DVBRCCDOWNSTREAM 147 #define IANA_IFT_DVBRCCUPSTREAM 148 #define IANA_IFT_ATMVIRTUAL 149 #define IANA_IFT_MPLSTUNNEL 150 #define IANA_IFT_SRP 151 #define IANA_IFT_VOICEOVERATM 152 #define IANA_IFT_VOICEOVERFRAMERELAY 153 #define IANA_IFT_IDSL 154 #define IANA_IFT_COMPOSITELINK 155 #define IANA_IFT_SS7SIGLINK 156 #define IANA_IFT_PROPWIRELESSP2P 157 #define IANA_IFT_FRFORWARD 158 #define IANA_IFT_RFC1483 159 #define IANA_IFT_USB 160 #define IANA_IFT_IEEE8023ADLAG 161 #define IANA_IFT_BGPPOLICYACCOUNTING 162 #define IANA_IFT_FRF16MFRBUNDLE 163 #define IANA_IFT_H323GATEKEEPER 164 #define IANA_IFT_H323PROXY 165 #define IANA_IFT_MPLS 166 #define IANA_IFT_MFSIGLINK 167 #define IANA_IFT_HDSL2 168 #define IANA_IFT_SHDSL 169 #define IANA_IFT_DS1FDL 170 #define IANA_IFT_POS 171 #define IANA_IFT_DVBASIIN 172 #define IANA_IFT_DVBASIOUT 173 #define IANA_IFT_PLC 174 #define IANA_IFT_NFAS 175 #define IANA_IFT_TR008 176 #define IANA_IFT_GR303RDT 177 #define IANA_IFT_GR303IDT 178 #define IANA_IFT_ISUP 179 #define IANA_IFT_PROPDOCSWIRELESSMACLAYER 180 #define IANA_IFT_PROPDOCSWIRELESSDOWNSTREAM 181 #define IANA_IFT_PROPDOCSWIRELESSUPSTREAM 182 #define IANA_IFT_HIPERLAN2 183 #define IANA_IFT_PROPBWAP2MP 184 #define IANA_IFT_SONETOVERHEADCHANNEL 185 #define IANA_IFT_DIGITALWRAPPEROVERHEADCHANNEL 186 #define IANA_IFT_AAL2 187 #define IANA_IFT_RADIOMAC 188 #define IANA_IFT_ATMRADIO 189 #define IANA_IFT_IMT 190 #define IANA_IFT_MVL 191 #define IANA_IFT_REACHDSL 192 #define IANA_IFT_FRDLCIENDPT 193 #define IANA_IFT_ATMVCIENDPT 194 #define IANA_IFT_OPTICALCHANNEL 195 #define IANA_IFT_OPTICALTRANSPORT 196 #define IANA_IFT_PROPATM 197 #define IANA_IFT_VOICEOVERCABLE 198 #define IANA_IFT_INFINIBAND 199 #define IANA_IFT_TELINK 200 #define IANA_IFT_Q2931 201 #define IANA_IFT_VIRTUALTG 202 #define IANA_IFT_SIPTG 203 #define IANA_IFT_SIPSIG 204 #define IANA_IFT_DOCSCABLEUPSTREAMCHANNEL 205 #define IANA_IFT_ECONET 206 #define IANA_IFT_PON155 207 #define IANA_IFT_PON622 208 #define IANA_IFT_BRIDGE 209 #define IANA_IFT_LINEGROUP 210 #define IANA_IFT_VOICEEMFGD 211 #define IANA_IFT_VOICEFGDEANA 212 #define IANA_IFT_VOICEDID 213 #define IANA_IFT_MPEGTRANSPORT 214 #define IANA_IFT_SIXTOFOUR 215 #define IANA_IFT_GTP 216 #define IANA_IFT_PDNETHERLOOP1 217 #define IANA_IFT_PDNETHERLOOP2 218 #define IANA_IFT_OPTICALCHANNELGROUP 219 #ifdef __cplusplus } #endif #endif/*Argus_def_h*/ argus-5.0.2/include/argus_def_v2.h000066400000000000000000000020731471541253600170130ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Argus v2 defines - obsoleted * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_def_v2.h#3 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ argus-5.0.2/include/argus_dscodepoints.h000066400000000000000000000061321471541253600203440ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. dscodepoints * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_dscodepoints.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* prepared from IANA DS codepoint definitions Wed Aug 16 11:45:21 EDT 2000 */ #ifndef DSCodePoints_h #define DSCodePoints_h #ifdef __cplusplus extern "C" { #endif #define ARGUS_IANA_DSCODES 0 #define ARGUS_DISA_DSCODES 1 struct ArgusDSCodePointStruct { char code, *label, *desc; }; #if defined(ArgusUtil) struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); struct ArgusDSCodePointStruct argus_dscodepoints [] = { { 0x00, "cs0", "Pool 1 Recommended"}, { 0x08, "cs1", "Pool 1 Recommended"}, { 0x10, "cs2", "Pool 1 Recommended"}, { 0x18, "cs3", "Pool 1 Recommended"}, { 0x20, "cs4", "Pool 1 Recommended"}, { 0x28, "cs5", "Pool 1 Recommended"}, { 0x30, "cs6", "Pool 1 Recommended"}, { 0x38, "cs7", "Pool 1 Recommended"}, { 0x0A, "af11", ""}, { 0x0C, "af12", ""}, { 0x0E, "af13", ""}, { 0x12, "af21", ""}, { 0x14, "af22", ""}, { 0x16, "af23", ""}, { 0x1A, "af31", ""}, { 0x1C, "af32", ""}, { 0x1E, "af33", ""}, { 0x22, "af41", ""}, { 0x24, "af42", ""}, { 0x26, "af43", ""}, { 0x2E, "ef", ""}, { 0x00, (char *) 0, (char *) 0 }, }; struct ArgusDSCodePointStruct argus_disa_dscodepoints [] = { { 40, "US", "Tail Drop"}, { 46, "Voice", "Tail Drop"}, { 48, "NC", "Tail Drop"}, { 16, "OAM", "Tail Drop"}, { 38, "Video", "WRED-L"}, { 26, "SMMS", "WRED-M"}, { 28, "SMMS", "WRED-H"}, { 30, "SMMS", "WRED-H"}, { 32, "SM", "WRED-L"}, { 25, "HPMMS", "WRED-L"}, { 9, "HPHTD", "WRED-L"}, { 17, "HPLLD", "WRED-L"}, { 10, "SHTD", "WRED-L"}, { 12, "SHTD", "WRED-L"}, { 14, "SHTD", "WRED-L"}, { 18, "SHLLD", "WRED-L"}, { 20, "SHLLD", "WRED-L"}, { 22, "SHLLD", "WRED-L"}, { 0, "BE", "Tail Drop"}, { 0x00, (char *) 0, (char *) 0 }, }; #else extern struct ArgusDSCodePointStruct *ArgusSelectDSCodesTable(struct ArgusParserStruct *); extern struct ArgusDSCodePointStruct argus_dscodepoints []; extern struct ArgusDSCodePointStruct argus_disa_dscodepoints []; #endif #ifdef __cplusplus } #endif #endif argus-5.0.2/include/argus_encapsulations.h000066400000000000000000000101611471541253600206730ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. L2 encapsulations * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_encapsulations.h#7 $ * $DateTime: 2015/04/13 16:46:24 $ * $Change: 2991 $ */ /* list of supported encapsulations for filter */ #ifndef Argus_Encapsulations_h #define Argus_Encapsulations_h #ifdef __cplusplus extern "C" { #endif struct ArgusEncapsulationStruct { unsigned int code; char *label, *desc; }; #define ARGUS_ENCAPS_TYPE 29 #define ARGUS_ENCAPS_MPLS 0x01 #define ARGUS_ENCAPS_ETHER 0x02 #define ARGUS_ENCAPS_8021Q 0x04 #define ARGUS_ENCAPS_LLC 0x08 #define ARGUS_ENCAPS_PPP 0x10 #define ARGUS_ENCAPS_ISL 0x20 #define ARGUS_ENCAPS_GRE 0x40 #define ARGUS_ENCAPS_AH 0x80 #define ARGUS_ENCAPS_IP 0x100 #define ARGUS_ENCAPS_IPV6 0x200 #define ARGUS_ENCAPS_HDLC 0x400 #define ARGUS_ENCAPS_CHDLC 0x800 #define ARGUS_ENCAPS_ATM 0x1000 #define ARGUS_ENCAPS_SLL 0x2000 #define ARGUS_ENCAPS_FDDI 0x4000 #define ARGUS_ENCAPS_SLIP 0x8000 #define ARGUS_ENCAPS_ARCNET 0x10000 #define ARGUS_ENCAPS_802_11 0x20000 #define ARGUS_ENCAPS_PRISM 0x40000 #define ARGUS_ENCAPS_AVS 0x80000 #define ARGUS_ENCAPS_IB_LRH 0x100000 #define ARGUS_ENCAPS_IB_GRH 0x200000 #define ARGUS_ENCAPS_TEREDO 0x400000 #define ARGUS_ENCAPS_UDT 0x800000 #define ARGUS_ENCAPS_SPI 0x1000000 #define ARGUS_ENCAPS_JUNIPER 0x2000000 #define ARGUS_ENCAPS_VXLAN 0x4000000 #define ARGUS_ENCAPS_L2TP 0x8000000 #define ARGUS_ENCAPS_GENEVE 0x10000000 #if defined(ArgusUtil) struct ArgusEncapsulationStruct argus_encapsulations [] = { { ARGUS_ENCAPS_MPLS, "mpls", "Multiprotocol Label Switching"}, { ARGUS_ENCAPS_ETHER, "eth", "Ethernet"}, { ARGUS_ENCAPS_8021Q, "802q", "802.1PQ"}, { ARGUS_ENCAPS_LLC, "llc", "Link Layer Control"}, { ARGUS_ENCAPS_PPP, "pppoe", "PPP Over Ethernet"}, { ARGUS_ENCAPS_ISL, "isl", "Inter-Switch Link"}, { ARGUS_ENCAPS_GRE, "gre", "Generic Routing Encapsulation"}, { ARGUS_ENCAPS_AH, "ah", "Authentication Header"}, { ARGUS_ENCAPS_IP, "ipnip", "IP Version 4"}, { ARGUS_ENCAPS_IPV6, "ipnip6", "IP Version 6"}, { ARGUS_ENCAPS_HDLC, "hdlc", "HDLC"}, { ARGUS_ENCAPS_CHDLC, "chdlc", "Cisco HDLC"}, { ARGUS_ENCAPS_ATM, "atm", "Atm"}, { ARGUS_ENCAPS_SLL, "sll", "Sll"}, { ARGUS_ENCAPS_FDDI, "fddi", "Fddi"}, { ARGUS_ENCAPS_SLIP, "slip", "Slip"}, { ARGUS_ENCAPS_ARCNET,"arc", "Arcnet"}, { ARGUS_ENCAPS_802_11,"wlan", "Wireless Lan"}, { ARGUS_ENCAPS_PRISM, "prism", "Prism Wireless Lan"}, { ARGUS_ENCAPS_AVS, "avs", "Avs"}, { ARGUS_ENCAPS_IB_LRH,"lrh", "Infiniband Local Route Header"}, { ARGUS_ENCAPS_IB_GRH,"grh", "Infiniband Global Route Header"}, { ARGUS_ENCAPS_TEREDO,"teredo", "Teredo IPV6 Tunneling"}, { ARGUS_ENCAPS_SPI, "enc", "IPsec Tunnel"}, { ARGUS_ENCAPS_JUNIPER, "juniper", "Juniper Ethernet"}, { ARGUS_ENCAPS_VXLAN, "vxlan", "VxLan Encapsulation"}, { ARGUS_ENCAPS_L2TP, "l2tp", "L2TP Encapsulation"}, { ARGUS_ENCAPS_GENEVE, "geneve", "GENEVE Encapsulation"}, { 0, (char *) NULL, (char *) NULL }, }; #else extern struct ArgusEncapsulationStruct argus_encapsulations []; #endif #ifdef __cplusplus } #endif #endif argus-5.0.2/include/argus_ethernames.h000066400000000000000000000273401471541253600200050ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. ethernames * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_ethernames.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* prepared from IANA Ether Types definitions Wed Aug 16 11:45:21 EDT 2000 */ #ifndef Argus_Ethernames_h #define Argus_Ethernames_h #ifdef __cplusplus extern "C" { #endif struct ArgusEtherTypeStruct { char *range, *tag, *description; }; #ifdef ArgusAddrtoName struct ArgusEtherTypeStruct argus_ethertype_names [] = { /* { "0000-1500", "802.3", "IEEE802.3 Length Field" }, */ /* Argus Pseudo Ethertypes */ { "0", "llc", "Argus Pseudo LLC Ethertype"}, { "0100", "ipx", "Argus Pseudo Ethertype"}, { "0129", "clns", "Spanning Tree Protocol" }, { "0130", "esis", "Spanning Tree Protocol" }, { "0131", "isis", "Intermediate System IS Protocol" }, { "0132", "nullns", "Spanning Tree Protocol" }, { "0257", "exp", "Experimental" }, { "0258", "drip", "Cisco SNAP ethertype for DRiP" }, { "0259-511", "exp", "Experimental" }, { "0512", "pup", "XEROX PUP (see 0A00)" }, { "0513", "pupat", "PUP Addr Trans (see 0A01)" }, { "1024", "nix", "Nixdorf" }, { "1536", "idp", "XEROX NS IDP" }, { "1632", "dlog", "DLOG" }, { "1633", "dlog", "DLOG" }, { "2048", "ip", "Internet IP (IPv4)" }, { "2049", "x75", "X.75 Internet" }, { "2050", "nbs", "NBS Internet" }, { "2051", "ecma", "ECMA Internet" }, { "2052", "chaos", "Chaosnet" }, { "2053", "x25", "X.25 Level 3" }, { "2054", "arp", "ARP" }, { "2055", "xnscp", "XNS Compatability" }, { "2056", "frarp", "Frame Relay ARP" }, { "2076", "symbl", "Symbolics Private" }, { "2184-2186", "xyplx", "Xyplex" }, { "2304", "ubdeb", "Ungermann-Bass net debugr" }, { "2560", "pup.3", "Xerox IEEE802.3 PUP" }, { "2561", "pupat", "PUP Addr Trans" }, { "2989", "vines", "Banyan VINES" }, { "2990", "vinlb", "VINES Loopback" }, { "2991", "vinec", "VINES Echo" }, { "4096", "brktn", "Berkeley Trailer nego" }, { "4097-4111", "brkte", "Berkeley Trailer encap/IP" }, { "5632", "valid", "Valid Systems" }, { "6532", "train", "MS Train" }, { "8192", "cdp", "Cisco Discovery Protocol" }, { "8193", "cgmp", "Cisco Group Management Protocol" }, { "8195", "vtp", "Cisco VLAN Trunk Protocol" }, { "9298", "cent", "Intel Centrino" }, { "15367", "nbp", "3Com NBP Datagram" }, { "16962", "pcs", "PCS Basic Block Protocol" }, { "21000", "bbn", "BBN Simnet" }, { "24576", "decun", "DEC Unassigned (Exp.)" }, { "24577", "decdl", "DEC MOP Dump/Load" }, { "24578", "decrc", "DEC MOP Remote Console" }, { "24579", "decro", "DEC DECNET Phase IV Route" }, { "24580", "lat", "DEC LAT" }, { "24581", "decdp", "DEC Diagnostic Protocol" }, { "24582", "deccp", "DEC Customer Protocol" }, { "24583", "lavc", "DEC LAVC, SCA" }, { "24584-24585", "decun", "DEC Unassigned" }, { "24586-24596", "3com", "3Com Corporation" }, { "25944", "trans", "Trans Ether Bridging" }, { "25945", "rawfr", "Raw Frame Relay" }, { "28672", "dbdwn", "Ungermann-Bass download" }, { "28674", "ubdia", "Ungermann-Bass dia/loop" }, { "28704-28713", "lrt", "LRT" }, { "28720", "prote", "Proteon" }, { "28724", "cable", "Cabletron" }, { "32771", "cronv", "Cronus VLN" }, { "32772", "crond", "Cronus Direct" }, { "32773", "hppro", "HP Probe" }, { "32774", "nesta", "Nestar" }, { "32776", "att", "AT&T" }, { "32784", "excel", "Excelan" }, { "32787", "sgid", "SGI diagnostics" }, { "32788", "sging", "SGI network games" }, { "32789", "sgres", "SGI reserved" }, { "32790", "sgibs", "SGI bounce server" }, { "32793", "apld", "Apollo Domain" }, { "32815", "tym", "Tymshare" }, { "32816", "tigan", "Tigan, Inc." }, { "32821", "rarp", "Reverse ARP" }, { "32822", "aeon", "Aeonic Systems" }, { "32824", "declb", "DEC LANBridge" }, { "32825-32828", "decun", "DEC Unassigned" }, { "32829", "decee", "DEC Ethernet Encryption" }, { "32830", "decun", "DEC Unassigned" }, { "32831", "dectm", "DEC LAN Traffic Monitor" }, { "32832-32834", "decun", "DEC Unassigned" }, { "32836", "plan", "Planning Research Corp." }, { "32838", "att", "AT&T" }, { "32839", "att", "AT&T" }, { "32841", "expd", "ExperData" }, { "32859", "Vexp", "Stanford V Kernel exp." }, { "32860", "Vprod", "Stanford V Kernel prod." }, { "32861", "es", "Evans & Sutherland" }, { "32864", "ltlm", "Little Machines" }, { "32866", "count", "Counterpoint Computers" }, { "32869", "um", "Univ. of Mass. @ Amherst" }, { "32870", "um", "Univ. of Mass. @ Amherst" }, { "32871", "veeco", "Veeco Integrated Auto." }, { "32872", "gd", "General Dynamics" }, { "32873", "att", "AT&T" }, { "32874", "autop", "Autophon" }, { "32876", "comd", "ComDesign" }, { "32877", "comgr", "Computgraphic Corp." }, { "32878-32887", "land", "Landmark Graphics Corp." }, { "32890", "matra", "Matra" }, { "32891", "dansk", "Dansk Data Elektronik" }, { "32892", "merit", "Merit Internodal" }, { "32893-32895", "vtlnk", "Vitalink Communications" }, { "32896", "vtlnk", "Vitalink TransLAN III" }, { "32897-32899", "count", "Counterpoint Computers" }, { "32923", "atalk", "Appletalk" }, { "32924-32926", "data", "Datability" }, { "32927", "spidr", "Spider Systems Ltd." }, { "32931", "nix", "Nixdorf Computers" }, { "32932-32947", "siem", "Siemens Gammasonics Inc." }, { "32960-32963", "dcaex", "DCA Data Exchange Cluster" }, { "32964", "ban", "Banyan Systems" }, { "32965", "ban", "Banyan Systems" }, { "32966", "pacer", "Pacer Software" }, { "32967", "appli", "Applitek Corporation" }, { "32968-32972", "intrg", "Intergraph Corporation" }, { "32973-32974", "haris", "Harris Corporation" }, { "32975-32978", "taylr", "Taylor Instrument" }, { "32979-32980", "rose", "Rosemount Corporation" }, { "32981", "sna", "IBM SNA Service on Ether" }, { "32989", "varin", "Varian Associates" }, { "32990-32991", "trfs", "Integrated Solutions TRFS" }, { "32992-32995", "allen", "Allen-Bradley" }, { "32996-33008", "data", "Datability" }, { "33010", "retix", "Retix" }, { "33011", "aarp", "AppleTalk AARP (Kinetics)" }, { "33012-33013", "kinet", "Kinetics" }, { "33015", "aplo", "Apollo Computer" }, { "33023", "wcp", "Wellfleet Compression Protocol" }, { "33024-33027", "well", "Wellfleet Communications" }, { "33031-33033", "symbl", "Symbolics Private" }, { "33072", "hayes", "Hayes Microcomputers" }, { "33073", "vglab", "VG Laboratory Systems" }, { "33074-33078", "brdg", "Bridge Communications" }, { "33079-33080", "ipx/spx", "Novell, Inc." }, { "33081-33085", "kti", "KTI" }, { "33096", "logic", "Logicraft" }, { "33097", "ncd", "Network Computing Devices" }, { "33098", "alpha", "Alpha Micro" }, { "33100", "snmp", "SNMP" }, { "33101", "biin", "BIIN" }, { "33104", "biin", "BIIN" }, { "33103", "elite", "Technically Elite Concept" }, { "33104", "ratnl", "Rational Corp" }, { "33105-33107", "qual", "Qualcomm" }, { "33108-33110", "cprot", "Computer Protocol Pty Ltd" }, { "33124-33126", "crd", "Charles River Data System" }, { "33149", "xtp", "XTP" }, { "33150", "sgitw", "SGI/Time Warner prop." }, { "33152", "hippi", "HIPPI-FP encapsulation" }, { "33153", "stp", "STP, HIPPI-ST" }, { "33154", "h6400", "Reserved for HIPPI-6400" }, { "33155", "h6400", "Reserved for HIPPI-6400" }, { "33156-33164", "sgi", "Silicon Graphics prop." }, { "33165", "mot", "Motorola Computer" }, { "33178-33187", "qual", "Qualcomm" }, { "33188", "arai", "ARAI Bunkichi" }, { "33189-33198", "rad", "RAD Network Devices" }, { "33207-33209", "xyplx", "Xyplex" }, { "33228-33237", "apri", "Apricot Computers" }, { "33238-33245", "arti", "Artisoft" }, { "33254-33263", "poly", "Polygon" }, { "33264-33266", "comst", "Comsat Labs" }, { "33267-33269", "saic", "SAIC" }, { "33270-33272", "vg", "VG Analytical" }, { "33277", "ismp", "Cabeltron Interswitch Message Protocol" }, { "33283-33285", "quant", "Quantum Software" }, { "33313-33314", "ascom", "Ascom Banking Systems" }, { "33342-33344", "aes", "Advanced Encryption System" }, { "33407-33410", "athen", "Athena Programming" }, { "33379-33386", "crd", "Charles River Data System" }, { "33434-33435", "iiit", "Inst Ind Info Tech" }, { "33436-33451", "tarus", "Taurus Controls" }, { "33452-34451", "wrq", "Walker Richer & Quinn" }, { "34452-34461", "ideac", "Idea Courier" }, { "34462-34465", "cnt", "Computer Network Tech" }, { "34467-34476", "gtway", "Gateway Communications" }, { "34523", "sectr", "SECTRA" }, { "34526", "delta", "Delta Controls" }, { "34525", "ipv6", "IPv6" }, { "34527", "atom", "ATOMIC" }, { "34528-34543", "lgp", "Landis & Gyr Powers" }, { "34560-34576", "mot", "Motorola" }, { "34605", "cwl", "Cisco Wireless (Aironet)" }, { "34667", "compr", "TCP/IP Compression" }, { "34668", "ipas", "IP Autonomous Systems" }, { "34669", "sdata", "Secure Data" }, { "34824", "mac", "MAC Control" }, { "34825", "slow", "SLOW Protocols" }, { "34827", "ppp", "PPP" }, { "34887", "mplsu", "MPLS Unicast" }, { "34888", "mplsm", "MPLS Multicast" }, { "34915", "pppoe", "PPP Over Ethernet" }, { "34916", "pppoe", "PPP Over Ethernet" }, { "34925", "ans", "Intel ANS (NIC teaming)" }, { "34927", "nlb", "MS Network Load Balancing" }, { "34945", "cdma", "CDMA2000(R) Based Wireless" }, { "34958", "eapol", "802.1x Authentication" }, { "34962", "prof", "PROFInet protocol" }, { "34970", "hscsi", "HyperSCSI protocol" }, { "34971", "csm", "Mindseed Technologies" }, { "34978", "aoe", "ATA Over Ethernet" }, { "34990", "brd", "MS Boardwalk" }, { "34999", "oui", "IEEE 802a OUI Extended" }, { "35000-35002", "gse", "IEC 61850" }, { "35015", "rsn", "802.11i Pre-Authentication" }, { "35018", "tipc", "Transparent InterProcess Communication" }, { "35020", "lldp", "IEEE 802.1 Link Layer Discovery Protocol" }, { "35026", "3gpp", "CDMA2000(R) Access Network" }, { "35478-35479", "invis", "Invisible Software" }, { "36864", "loop", "Loopback" }, { "36865", "xnssm", "3Com(Bridge) XNS Sys Mgmt" }, { "36866", "3coms", "3Com(Bridge) TCP-IP Sys" }, { "36867", "3coml", "3Com(Bridge) loop detect" }, { "36897", "rtmac", "Real-Time Media Access Control" }, { "36898", "rtcfg", "Real-Time Configuration Protocol" }, { "48879", "nrludt", "NRL (Eric Kinzie) UDT Protocol" }, { "64764", "fcft", "Cisco MDS Transport" }, { "65280-65295", "ramo", "ISC Bunker Ramo" }, { "65535", "*", "Merged" }, { (char *) 0, (char *) 0, (char *) 0 }, }; #else extern struct ArgusEtherTypeStruct argus_ethertype_names []; #endif #ifdef __cplusplus } #endif #endif argus-5.0.2/include/argus_ethertype.h000066400000000000000000000104471471541253600176630ustar00rootroot00000000000000/* * Copyright (c) 1993, 1994, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * @(#) $Header: //depot/gargoyle/argus/include/argus_ethertype.h#3 $ (LBL) */ /* * $Id: //depot/gargoyle/argus/include/argus_ethertype.h#3 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef Argus_Ethertype_h #define Argus_Ethertype_h #ifdef __cplusplus extern "C" { #endif /* Types missing from some systems */ #ifndef ETHER_HDRLEN #define ETHER_HDRLEN 14 #endif #ifndef ETHERTYPE_JUMBO #define ETHERTYPE_JUMBO 0x8870 #endif #ifndef ETHERTYPE_ISIS #define ETHERTYPE_ISIS 0x0083 #endif #ifndef ETHERTYPE_GRE_ISO #define ETHERTYPE_GRE_ISO 0x00FE #endif #ifndef ETHERTYPE_PUP #define ETHERTYPE_PUP 0x0200 #endif #ifndef ETHERTYPE_SPRITE #define ETHERTYPE_SPRITE 0x0500 #endif #ifndef ETHERTYPE_NS #define ETHERTYPE_NS 0x0600 #endif #ifndef ETHERTYPE_IP #define ETHERTYPE_IP 0x0800 #endif #ifndef ETHERTYPE_X25L3 #define ETHERTYPE_X25L3 0x0805 #endif #ifndef ETHERTYPE_ARP #define ETHERTYPE_ARP 0x0806 #endif #ifndef ETHERTYPE_VINES #define ETHERTYPE_VINES 0x0bad #endif #ifndef ETHERTYPE_TRAIL #define ETHERTYPE_TRAIL 0x1000 #endif #ifndef ETHERTYPE_TRAIN #define ETHERTYPE_TRAIN 0x1984 #endif #ifndef ETHERTYPE_3C_NBP_DGRAM #define ETHERTYPE_3C_NBP_DGRAM 0x3c07 #endif #ifndef ETHERTYPE_DEC #define ETHERTYPE_DEC 0x6000 #endif #ifndef ETHERTYPE_MOPDL #define ETHERTYPE_MOPDL 0x6001 #endif #ifndef ETHERTYPE_MOPRC #define ETHERTYPE_MOPRC 0x6002 #endif #ifndef ETHERTYPE_DN #define ETHERTYPE_DN 0x6003 #endif #ifndef ETHERTYPE_LAT #define ETHERTYPE_LAT 0x6004 #endif #ifndef ETHERTYPE_DEC_DIAG #define ETHERTYPE_DEC_DIAG 0x6005 #endif #ifndef ETHERTYPE_DEC_CUST #define ETHERTYPE_DEC_CUST 0x6006 #endif #ifndef ETHERTYPE_SCA #define ETHERTYPE_SCA 0x6007 #endif #ifndef ETHERTYPE_TRANS_BRIDGE #define ETHERTYPE_TRANS_BRIDGE 0x6558 #endif #ifndef ETHERTYPE_REVARP #define ETHERTYPE_REVARP 0x8035 #endif #ifndef ETHERTYPE_LANBRIDGE #define ETHERTYPE_LANBRIDGE 0x8038 #endif #ifndef ETHERTYPE_DECDNS #define ETHERTYPE_DECDNS 0x803c #endif #ifndef ETHERTYPE_DECDTS #define ETHERTYPE_DECDTS 0x803e #endif #ifndef ETHERTYPE_VEXP #define ETHERTYPE_VEXP 0x805b #endif #ifndef ETHERTYPE_VPROD #define ETHERTYPE_VPROD 0x805c #endif #ifndef ETHERTYPE_ATALK #define ETHERTYPE_ATALK 0x809b #endif #ifndef ETHERTYPE_AARP #define ETHERTYPE_AARP 0x80f3 #endif #ifndef ETHERTYPE_8021Q #define ETHERTYPE_8021Q 0x8100 #endif #ifndef ETHERTYPE_IPX #define ETHERTYPE_IPX 0x8137 #endif #ifndef ETHERTYPE_SNMP #define ETHERTYPE_SNMP 0x814c #endif #ifndef ETHERTYPE_IPV6 #define ETHERTYPE_IPV6 0x86dd #endif #ifndef ETHERTYPE_PPP #define ETHERTYPE_PPP 0x880b #endif #ifndef ETHERTYPE_MPLS #define ETHERTYPE_MPLS 0x8847 #endif #ifndef ETHERTYPE_MPLS_MULTI #define ETHERTYPE_MPLS_MULTI 0x8848 #endif #ifndef ETHERTYPE_PPPOED #define ETHERTYPE_PPPOED 0x8863 #endif #ifndef ETHERTYPE_PPPOES #define ETHERTYPE_PPPOES 0x8864 #endif #ifndef ETHERTYPE_LOOPBACK #define ETHERTYPE_LOOPBACK 0x9000 #endif #ifndef ETHERTYPE_VMAN #define ETHERTYPE_VMAN 0x9100 #endif #ifndef ETHERTYPE_ISO #define ETHERTYPE_ISO 0xfefe #endif #ifndef ETHERTYPE_UDTOE #define ETHERTYPE_UDTOE 0xBEEF #endif #ifdef __cplusplus } #endif #endif argus-5.0.2/include/argus_filter.h000066400000000000000000000212711471541253600171340ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Filter * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1990, 1991, 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)bpf.c 7.5 (Berkeley) 7/15/91 * */ /* * $Id: //depot/gargoyle/argus/include/argus_filter.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusFilter_h #define ArgusFilter_h #ifdef __cplusplus extern "C" { #endif #include #include #include #include #include #include #ifndef __GNUC__ #define inline #endif /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, s_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 #ifdef ArgusFilter #include void ArgusPrintHex (const unsigned char *, unsigned int); int ArgusLookupNet(char *, unsigned int *, unsigned int *, char *); char *read_infile(char *); static inline int xdtoi(int c); int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *); int ArgusFilterOrig (struct nff_insn *, struct ArgusRecordStruct *, int, int); static inline int skip_space(FILE *); static inline int skip_line(FILE *); static inline int skip_space(FILE *); static inline int skip_line(FILE *); struct argus_etherent *argus_next_etherent(FILE *fp); char *ArgusLookupDev(char *); char *argus_strerror(int); void Argusnff_optimize(struct ablock **); struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); static char *nff_image(struct nff_insn *, int); int stoi( char *); int ArgusCurses = 0; #ifdef NOVFPRINTF int vfprintf( FILE *, char *, va_list); #endif void ArgusDebug (int, char *, ...); void *ArgusMalloc (int); void *ArgusCalloc (int, int); void ArgusFree (void *); void ArgusWindowClose(void); #if defined(__STDC__) void error(const char *fmt, ...); #else void error(const char *fmt, va_dcl); #endif char *savestr(const char *); char *copy_argv( char **); char *read_infile(char *); unsigned int ipaddrtonetmask(unsigned int); unsigned int getnetnumber(unsigned int); void nff_dump(struct nff_program *, char *, int, int); char *intoa(unsigned int); extern SIGRET nohostname(int); char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); char *ArgusEtherProtoString(struct ArgusParserStruct *, unsigned short port); char *linkaddr_string(struct ArgusParserStruct *parser, unsigned char *, unsigned int); char *etheraddr_string(struct ArgusParserStruct *parser, unsigned char *); char *protoid_string(const unsigned char *); char *llcsap_string(unsigned char); char *isonsap_string(const unsigned char *, int); char *tcpport_string(unsigned short); char *udpport_string(unsigned short); extern void init_servarray(void); extern void init_eprotoarray(void); extern void init_protoidarray(void); extern void init_etherarray(void); extern void init_llcsaparray(void); void init_addrtoname(int, unsigned int, unsigned int); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); unsigned int __argus_atoin(char *, unsigned int *); unsigned int __argus_atodn(char *); unsigned char *argus_ether_aton(char *); unsigned char *argus_ether_hostton(char *); unsigned short __argus_nametodnaddr(char *); #else extern void ArgusPrintHex (const unsigned char *, unsigned int); extern int ArgusLookupNet(char *, unsigned int *, unsigned int *, char *); extern char *read_infile(char *); extern int ArgusFilterRecord (struct nff_insn *pc, struct ArgusRecordStruct *); extern int ArgusFilterOrig (struct nff_insn *, u_char *, int, int); //extern struct argus_etherent *argus_next_etherent(FILE *fp); extern char *ArgusLookupDev(char *); extern char *argus_strerror(int); extern void Argusnff_optimize(struct ablock **); extern struct nff_insn *Argusicode_to_fcode(struct ablock *, int *); extern int stoi( char *); extern int ArgusCurses; extern void ArgusWindowClose(void); #ifdef NOVFPRINTF extern int vfprintf( FILE *, char *, va_list); #endif extern void *ArgusMalloc (int); extern void *ArgusCalloc (int, int); extern void ArgusFree (void *); /* extern void error(va_list); extern void warning(va_list); */ extern char *savestr(const char *); extern char *copy_argv( char **); extern char *read_infile(char *); extern unsigned int ipaddrtonetmask(unsigned int); extern unsigned int getnetnumber(unsigned int); extern void nff_dump(struct nff_program *, char *, int, int); extern char *intoa(unsigned int); extern char *ArgusGetName(struct ArgusParserStruct *, unsigned char *); extern char *ArgusGetV6Name(struct ArgusParserStruct *, unsigned char *); extern char *ArgusEtherProtoString(struct ArgusParserStruct *, unsigned short); extern char *linkaddr_string(struct ArgusParserStruct *parser, const unsigned char *, unsigned int); extern char *etheraddr_string(struct ArgusParserStruct *parser, unsigned char *); extern char *protoid_string(const unsigned char *); extern char *llcsap_string(unsigned char); extern char *isonsap_string(const unsigned char *, int); extern char *tcpport_string(unsigned short); extern char *udpport_string(unsigned short); extern void init_addrtoname(int, unsigned int, unsigned int); extern unsigned int **argus_nametoaddr(char *); extern unsigned int argus_nametonetaddr(char *); extern int argus_nametoport(char *, int *, int *); extern int argus_nametoproto(char *); extern int argus_nametoeproto(char *); extern unsigned int __argus_atoin(char *, unsigned int *); extern unsigned int __argus_atodn(char *); extern unsigned char *argus_ether_aton(char *); extern unsigned char *argus_ether_hostton(char *); extern unsigned short __argus_nametodnaddr(char *); #endif #ifdef __cplusplus } #endif #endif /* ArgusFilter_h */ argus-5.0.2/include/argus_geneve.h000066400000000000000000000065541471541253600171270ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Geneve defines * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1993, 1994, 1997 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/gargoyle/argus/include/argus_geneve.h#3 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_geneve_h) #define Argus_geneve_h /* * A definition of the global GENEVE context for a given flow ... * This should hold the IP addresses of the enclosing IP flow * for the GENEVE tunnel ... * */ struct argus_geneve { unsigned char ver_opt, flags; unsigned short ptype; unsigned int vni; struct ArgusSystemFlow *tflow; }; #define GENEVE_CP 0x8000 /* checksum present */ #define GENEVE_RP 0x4000 /* routing present */ #define GENEVE_KP 0x2000 /* key present */ #define GENEVE_SP 0x1000 /* sequence# present */ #define GENEVE_RECRS 0x0700 /* recursion count */ #define GENEVE_AP 0x0080 /* acknowledgment# present */ #define GENEVE_VERS_MASK 0x0007 /* protocol version */ #define GENEVE_VERS 0x0007 /* protocol version */ #define GENEVEPROTO_IP 0x0800 /* IP */ #define GENEVEPROTO_PPP 0x880b /* PPTP */ #define GENEVEPROTO_ISO 0x00fe /* OSI */ /* source route entry types */ #define GENEVESRE_IP 0x0800 /* IP */ #define GENEVESRE_ASN 0xfffe /* ASN */ #endif argus-5.0.2/include/argus_gmpls.h000066400000000000000000000020221471541253600167620ustar00rootroot00000000000000/* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code * distributions retain the above copyright notice and this paragraph * in its entirety, and (2) distributions including binary code include * the above copyright notice and this paragraph in its entirety in * the documentation or other materials provided with the distribution. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE. * * Original code by Hannes Gredler (hannes@juniper.net) */ /* * $Id: //depot/gargoyle/argus/include/argus_gmpls.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #if !defined(Argus_gmpls_h) #define Argus_gmpls_h extern struct tok gmpls_link_prot_values[]; extern struct tok gmpls_switch_cap_values[]; extern struct tok gmpls_encoding_values[]; extern struct tok gmpls_payload_values[]; #endif argus-5.0.2/include/argus_gre.h000066400000000000000000000064011471541253600164220ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Gre defines * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1993, 1994, 1997 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/gargoyle/argus/include/argus_gre.h#3 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_gre_h) #define Argus_gre_h /* * A definition of the global GRE context for a given flow ... * This should hold the IP addresses of the enclosing IP flow * for the GRE tunnel ... * */ struct argus_gre { unsigned short flags, proto; struct ArgusSystemFlow *tflow; }; #define GRE_CP 0x8000 /* checksum present */ #define GRE_RP 0x4000 /* routing present */ #define GRE_KP 0x2000 /* key present */ #define GRE_SP 0x1000 /* sequence# present */ #define GRE_RECRS 0x0700 /* recursion count */ #define GRE_AP 0x0080 /* acknowledgment# present */ #define GRE_VERS_MASK 0x0007 /* protocol version */ #define GRE_VERS 0x0007 /* protocol version */ #define GREPROTO_IP 0x0800 /* IP */ #define GREPROTO_PPP 0x880b /* PPTP */ #define GREPROTO_ISO 0x00fe /* OSI */ /* source route entry types */ #define GRESRE_IP 0x0800 /* IP */ #define GRESRE_ASN 0xfffe /* ASN */ #endif argus-5.0.2/include/argus_int.h000066400000000000000000000054351471541253600164450ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. interface specs * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_int.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_int_h) #define Argus_int_h #if !defined(__STDC__) #define const #endif #include /* os dependent stuff */ #if !defined(SIGRET) #define SIGRET void /* default */ #endif struct ArgusTokenStruct { int v; /* value */ char *s; /* string */ }; #define MIN_SNAPLEN 128 #if defined(ARGUS) double update_interval = 1.0, update_time = 0.0; int updatecounter = 0; extern pcap_handler lookup_pcap_callback (void); int lfd = -1; int snaplen = MIN_SNAPLEN; fd_set readmask, writemask, exceptmask; pcap_t *pd = NULL; #define ARGUS_PORT 561 #else extern int Cflag; /* print each ICMP packet */ extern int Rflag; /* print each ICMP record on response for RTT */ extern int dflag; /* print interval code */ extern int wflag; /* write tcp connection data */ extern int nflag; /* leave addresses as numbers*/ extern int debugflag; /* set debug level */ extern int Nflag; /* remove domains from printed host names */ extern double update_interval; extern int updatecounter; extern char *wfile; extern char *program_name; extern int lfd; extern int snaplen; extern fd_set readmask, writemask, exceptmask; #endif #if !defined(min) #define min(a,b) ((a)>(b)?(b):(a)) #define max(a,b) ((b)>(a)?(b):(a)) #endif extern char timestamp_fmt[]; extern long timestamp_scale; extern void timestampinit(void); extern int fn_print(const u_char *, const u_char *); extern int fn_printn(const u_char *, u_int, const u_char *); extern char *dnaddr_string(u_short); extern char *savestr(const char *); extern char *llcsap_string(u_char); extern char *protoid_string(const u_char *); extern char *dnname_string(u_short); extern char *dnnum_string(u_short); #endif /* Argus_out_h */ argus-5.0.2/include/argus_isis.h000066400000000000000000000445041471541253600166220ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. ISIS support * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_isis.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusIsis_h #define ArgusIsis_h #include #if defined(HAVE_SOLARIS) || defined(CYGWIN) #include #endif #include /* * Copyright (c) 1992, 1993, 1994, 1995, 1996 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Original code by Matt Thomas, Digital Equipment Corporation * * Extensively modified by Hannes Gredler (hannes@juniper.net) for more * complete IS-IS support. */ #define NLPID_CLNS 129 /* 0x81 */ #define NLPID_ISIS 131 /* 0x83 */ #define NLPID_IP6 0x8e #define NLPID_IP 0xcc #define NLPID_NULLNS 0 #define ISIS_IPV4 1 /* AFI value */ #define ISIS_IPV6 2 /* AFI value */ /* * IS-IS is defined in ISO 10589. Look there for protocol definitions. */ #define SYSTEM_ID_LEN ETHER_ADDR_LEN #define NODE_ID_LEN SYSTEM_ID_LEN+1 #define LSP_ID_LEN SYSTEM_ID_LEN+2 #define ISIS_VERSION 1 #define PDU_TYPE_MASK 0x1F #define PRIORITY_MASK 0x7F #define L1_LAN_IIH 15 #define L2_LAN_IIH 16 #define PTP_IIH 17 #define L1_LSP 18 #define L2_LSP 20 #define L1_CSNP 24 #define L2_CSNP 25 #define L1_PSNP 26 #define L2_PSNP 27 struct tok { int v; /* value */ const char *s; /* string */ }; #include /* * A TLV is a tuple of a type, length and a value and is normally used for * encoding information in all sorts of places. This is an enumeration of * the well known types. * * list taken from rfc3359 plus some memory from veterans ;-) */ #define TLV_AREA_ADDR 1 /* iso10589 */ #define TLV_IS_REACH 2 /* iso10589 */ #define TLV_ESNEIGH 3 /* iso10589 */ #define TLV_PART_DIS 4 /* iso10589 */ #define TLV_PREFIX_NEIGH 5 /* iso10589 */ #define TLV_ISNEIGH 6 /* iso10589 */ #define TLV_ISNEIGH_VARLEN 7 /* iso10589 */ #define TLV_PADDING 8 /* iso10589 */ #define TLV_LSP 9 /* iso10589 */ #define TLV_AUTH 10 /* iso10589, rfc3567 */ #define TLV_CHECKSUM 12 /* rfc3358 */ #define TLV_LSP_BUFFERSIZE 14 /* iso10589 rev2 */ #define TLV_EXT_IS_REACH 22 /* draft-ietf-isis-traffic-05 */ #define TLV_IS_ALIAS_ID 24 /* draft-ietf-isis-ext-lsp-frags-02 */ #define TLV_DECNET_PHASE4 42 #define TLV_LUCENT_PRIVATE 66 #define TLV_INT_IP_REACH 128 /* rfc1195, rfc2966 */ #define TLV_PROTOCOLS 129 /* rfc1195 */ #define TLV_EXT_IP_REACH 130 /* rfc1195, rfc2966 */ #define TLV_IDRP_INFO 131 /* rfc1195 */ #define TLV_IPADDR 132 /* rfc1195 */ #define TLV_IPAUTH 133 /* rfc1195 */ #define TLV_TE_ROUTER_ID 134 /* draft-ietf-isis-traffic-05 */ #define TLV_EXTD_IP_REACH 135 /* draft-ietf-isis-traffic-05 */ #define TLV_HOSTNAME 137 /* rfc2763 */ #define TLV_SHARED_RISK_GROUP 138 /* draft-ietf-isis-gmpls-extensions */ #define TLV_NORTEL_PRIVATE1 176 #define TLV_NORTEL_PRIVATE2 177 #define TLV_HOLDTIME 198 /* ES-IS */ #define TLV_RESTART_SIGNALING 211 /* draft-ietf-isis-restart-01 */ #define TLV_MT_IS_REACH 222 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_MT_SUPPORTED 229 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_IP6ADDR 232 /* draft-ietf-isis-ipv6-02 */ #define TLV_MT_IP_REACH 235 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_IP6_REACH 236 /* draft-ietf-isis-ipv6-02 */ #define TLV_MT_IP6_REACH 237 /* draft-ietf-isis-wg-multi-topology-05 */ #define TLV_PTP_ADJ 240 /* rfc3373 */ #define TLV_IIH_SEQNR 241 /* draft-shen-isis-iih-sequence-00 */ #define TLV_VENDOR_PRIVATE 250 /* draft-ietf-isis-proprietary-tlv-00 */ /* static struct tok isis_tlv_values[] = { { TLV_AREA_ADDR, "Area address(es)"}, { TLV_IS_REACH, "IS Reachability"}, { TLV_ESNEIGH, "ES Neighbor(s)"}, { TLV_PART_DIS, "Partition DIS"}, { TLV_PREFIX_NEIGH, "Prefix Neighbors"}, { TLV_ISNEIGH, "IS Neighbor(s)"}, { TLV_ISNEIGH_VARLEN, "IS Neighbor(s) (variable length)"}, { TLV_PADDING, "Padding"}, { TLV_LSP, "LSP entries"}, { TLV_AUTH, "Authentication"}, { TLV_CHECKSUM, "Checksum"}, { TLV_LSP_BUFFERSIZE, "LSP Buffersize"}, { TLV_EXT_IS_REACH, "Extended IS Reachability"}, { TLV_IS_ALIAS_ID, "IS Alias ID"}, { TLV_DECNET_PHASE4, "DECnet Phase IV"}, { TLV_LUCENT_PRIVATE, "Lucent Proprietary"}, { TLV_INT_IP_REACH, "IPv4 Internal Reachability"}, { TLV_PROTOCOLS, "Protocols supported"}, { TLV_EXT_IP_REACH, "IPv4 External Reachability"}, { TLV_IDRP_INFO, "Inter-Domain Information Type"}, { TLV_IPADDR, "IPv4 Interface address(es)"}, { TLV_IPAUTH, "IPv4 authentication (deprecated)"}, { TLV_TE_ROUTER_ID, "Traffic Engineering Router ID"}, { TLV_EXTD_IP_REACH, "Extended IPv4 Reachability"}, { TLV_HOSTNAME, "Hostname"}, { TLV_SHARED_RISK_GROUP, "Shared Risk Link Group"}, { TLV_NORTEL_PRIVATE1, "Nortel Proprietary"}, { TLV_NORTEL_PRIVATE2, "Nortel Proprietary"}, { TLV_HOLDTIME, "Holdtime"}, { TLV_RESTART_SIGNALING, "Restart Signaling"}, { TLV_MT_IS_REACH, "Multi Topology IS Reachability"}, { TLV_MT_SUPPORTED, "Multi Topology"}, { TLV_IP6ADDR, "IPv6 Interface address(es)"}, { TLV_MT_IP_REACH, "Multi-Topology IPv4 Reachability"}, { TLV_IP6_REACH, "IPv6 reachability"}, { TLV_MT_IP6_REACH, "Multi-Topology IP6 Reachability"}, { TLV_PTP_ADJ, "Point-to-point Adjacency State"}, { TLV_IIH_SEQNR, "Hello PDU Sequence Number"}, { TLV_VENDOR_PRIVATE, "Vendor Private"}, { 0, NULL } }; */ #define SUBTLV_EXT_IS_REACH_ADMIN_GROUP 3 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID 4 /* draft-ietf-isis-gmpls-extensions */ #define SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID 5 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR 6 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR 8 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_MAX_LINK_BW 9 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_RESERVABLE_BW 10 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_UNRESERVED_BW 11 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_TE_METRIC 18 /* draft-ietf-isis-traffic-05 */ #define SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE 20 /* draft-ietf-isis-gmpls-extensions */ #define SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR 21 /* draft-ietf-isis-gmpls-extensions */ /* static struct tok isis_ext_is_reach_subtlv_values[] = { { SUBTLV_EXT_IS_REACH_ADMIN_GROUP, "Administrative groups" }, { SUBTLV_EXT_IS_REACH_LINK_LOCAL_REMOTE_ID, "Link Local/Remote Identifier" }, { SUBTLV_EXT_IS_REACH_LINK_REMOTE_ID, "Link Remote Identifier" }, { SUBTLV_EXT_IS_REACH_IPV4_INTF_ADDR, "IPv4 interface address" }, { SUBTLV_EXT_IS_REACH_IPV4_NEIGHBOR_ADDR, "IPv4 neighbor address" }, { SUBTLV_EXT_IS_REACH_MAX_LINK_BW, "Maximum link bandwidth" }, { SUBTLV_EXT_IS_REACH_RESERVABLE_BW, "Reservable link bandwidth" }, { SUBTLV_EXT_IS_REACH_UNRESERVED_BW, "Unreserved bandwidth" }, { SUBTLV_EXT_IS_REACH_TE_METRIC, "Traffic Engineering Metric" }, { SUBTLV_EXT_IS_REACH_LINK_PROTECTION_TYPE, "Link Protection Type" }, { SUBTLV_EXT_IS_REACH_INTF_SW_CAP_DESCR, "Interface Switching Capability" }, { 250, "Reserved for cisco specific extensions" }, { 251, "Reserved for cisco specific extensions" }, { 252, "Reserved for cisco specific extensions" }, { 253, "Reserved for cisco specific extensions" }, { 254, "Reserved for cisco specific extensions" }, { 255, "Reserved for future expansion" }, { 0, NULL } }; */ #define SUBTLV_EXTD_IP_REACH_ADMIN_TAG32 1 #define SUBTLV_EXTD_IP_REACH_ADMIN_TAG64 2 /* static struct tok isis_ext_ip_reach_subtlv_values[] = { { SUBTLV_EXTD_IP_REACH_ADMIN_TAG32, "32-Bit Administrative tag" }, { SUBTLV_EXTD_IP_REACH_ADMIN_TAG64, "64-Bit Administrative tag" }, { 0, NULL } }; */ #define SUBTLV_AUTH_SIMPLE 1 #define SUBTLV_AUTH_MD5 54 #define SUBTLV_AUTH_MD5_LEN 16 #define SUBTLV_AUTH_PRIVATE 255 /* static struct tok isis_subtlv_auth_values[] = { { SUBTLV_AUTH_SIMPLE, "simple text password"}, { SUBTLV_AUTH_MD5, "HMAC-MD5 password"}, { SUBTLV_AUTH_PRIVATE, "Routing Domain private password"}, { 0, NULL } }; */ #define SUBTLV_IDRP_RES 0 #define SUBTLV_IDRP_LOCAL 1 #define SUBTLV_IDRP_ASN 2 /* static struct tok isis_subtlv_idrp_values[] = { { SUBTLV_IDRP_RES, "Reserved"}, { SUBTLV_IDRP_LOCAL, "Routing-Domain Specific"}, { SUBTLV_IDRP_ASN, "AS Number Tag"}, { 0, NULL} }; */ #define ISIS_8BIT_MASK(x) ((x)&0xff) #define ISIS_MASK_LSP_OL_BIT(x) ((x)&0x4) #define ISIS_MASK_LSP_ISTYPE_BITS(x) ((x)&0x3) #define ISIS_MASK_LSP_PARTITION_BIT(x) ((x)&0x80) #define ISIS_MASK_LSP_ATT_BITS(x) ((x)&0x78) #define ISIS_MASK_LSP_ATT_ERROR_BIT(x) ((x)&0x40) #define ISIS_MASK_LSP_ATT_EXPENSE_BIT(x) ((x)&0x20) #define ISIS_MASK_LSP_ATT_DELAY_BIT(x) ((x)&0x10) #define ISIS_MASK_LSP_ATT_DEFAULT_BIT(x) ((x)&0x8) #define ISIS_MASK_MTID(x) ((x)&0x0fff) #define ISIS_MASK_MTFLAGS(x) ((x)&0xf000) /* static struct tok isis_mt_flag_values[] = { { 0x4000, "sub-TLVs present"}, { 0x8000, "ATT bit set"}, { 0, NULL} }; */ #define ISIS_MASK_TLV_EXTD_IP_UPDOWN(x) ((x)&0x80) #define ISIS_MASK_TLV_EXTD_IP_SUBTLV(x) ((x)&0x40) #define ISIS_MASK_TLV_EXTD_IP6_IE(x) ((x)&0x40) #define ISIS_MASK_TLV_EXTD_IP6_SUBTLV(x) ((x)&0x20) #define ISIS_LSP_TLV_METRIC_SUPPORTED(x) ((x)&0x80) #define ISIS_LSP_TLV_METRIC_IE(x) ((x)&0x40) #define ISIS_LSP_TLV_METRIC_UPDOWN(x) ((x)&0x80) #define ISIS_LSP_TLV_METRIC_VALUE(x) ((x)&0x3f) #define ISIS_MASK_TLV_SHARED_RISK_GROUP(x) ((x)&0x1) /* static struct tok isis_mt_values[] = { { 0, "IPv4 unicast"}, { 1, "In-Band Management"}, { 2, "IPv6 unicast"}, { 3, "Multicast"}, { 4095, "Development, Experimental or Proprietary"}, { 0, NULL } }; */ /* static struct tok isis_iih_circuit_type_values[] = { { 1, "Level 1 only"}, { 2, "Level 2 only"}, { 3, "Level 1, Level 2"}, { 0, NULL} }; */ #define ISIS_LSP_TYPE_UNUSED0 0 #define ISIS_LSP_TYPE_LEVEL_1 1 #define ISIS_LSP_TYPE_UNUSED2 2 #define ISIS_LSP_TYPE_LEVEL_2 3 /* static struct tok isis_lsp_istype_values[] = { { ISIS_LSP_TYPE_UNUSED0, "Unused 0x0 (invalid)"}, { ISIS_LSP_TYPE_LEVEL_1, "L1 IS"}, { ISIS_LSP_TYPE_UNUSED2, "Unused 0x2 (invalid)"}, { ISIS_LSP_TYPE_LEVEL_2, "L1L2 IS"}, { 0, NULL } }; static struct tok osi_nlpid_values[] = { { NLPID_CLNS, "CLNS"}, { NLPID_IP, "IPv4"}, { NLPID_IP6, "IPv6"}, { 0, NULL } }; */ /* * Katz's point to point adjacency TLV uses codes to tell us the state of * the remote adjacency. Enumerate them. */ #define ISIS_PTP_ADJ_UP 0 #define ISIS_PTP_ADJ_INIT 1 #define ISIS_PTP_ADJ_DOWN 2 /* static struct tok isis_ptp_adjancey_values[] = { { ISIS_PTP_ADJ_UP, "Up" }, { ISIS_PTP_ADJ_INIT, "Initializing" }, { ISIS_PTP_ADJ_DOWN, "Down" }, { 0, NULL} }; */ struct isis_tlv_ptp_adj { u_int8_t adjacency_state; u_int8_t extd_local_circuit_id[4]; u_int8_t neighbor_sysid[SYSTEM_ID_LEN]; u_int8_t neighbor_extd_local_circuit_id[4]; }; /* static int osi_cksum(const u_int8_t *, u_int); static int isis_print(const u_int8_t *, u_int); */ struct isis_metric_block { u_int8_t metric_default; u_int8_t metric_delay; u_int8_t metric_expense; u_int8_t metric_error; }; struct isis_tlv_is_reach { struct isis_metric_block isis_metric_block; u_int8_t neighbor_nodeid[NODE_ID_LEN]; }; struct isis_tlv_is_extd_reach { u_int8_t neighbor_nodeid[NODE_ID_LEN]; u_int8_t metric_default[3]; u_int8_t subtlv_len; #if defined(__GNUC__) u_int8_t subtlv[0]; #else u_int8_t subtlv[1]; #endif }; struct isis_tlv_extd_ip_reach { u_int32_t metric_default; u_int8_t up_down_bit : 1; u_int8_t subtlvs_present : 1; u_int8_t prefix_len : 6; #if defined(__GNUC__) u_int8_t prefix[0]; #else u_int8_t prefix[1]; #endif }; struct isis_tlv_es_reach { struct isis_metric_block isis_metric_block; u_int8_t neighbor_sysid[SYSTEM_ID_LEN]; }; struct isis_tlv_ip_reach { struct isis_metric_block isis_metric_block; u_int8_t prefix[4]; u_int8_t mask[4]; }; struct isis_tlv_name { #if defined(__GNUC__) char name[0]; #else char name[4]; #endif }; struct isis_tlv_csum { u_int16_t csum; }; /* static struct tok isis_is_reach_virtual_values[] = { { 0, "IsNotVirtual"}, { 1, "IsVirtual"}, { 0, NULL } }; static struct tok isis_restart_flag_values[] = { { 0x1, "Restart Request"}, { 0x2, "Restart Acknowledgement"}, { 0, NULL } }; */ struct isis_common_header { u_int8_t nlpid; u_int8_t fixed_len; u_int8_t version; /* Protocol version */ u_int8_t id_length; u_int8_t pdu_type; /* 3 MSbits are reserved */ u_int8_t pdu_version; /* Packet format version */ u_int8_t reserved; u_int8_t max_area; }; struct isis_iih_lan_header { u_int8_t circuit_type; u_int8_t source_id[SYSTEM_ID_LEN]; u_int8_t holding_time[2]; u_int8_t pdu_len[2]; u_int8_t priority; u_int8_t lan_id[NODE_ID_LEN]; }; struct isis_iih_ptp_header { u_int8_t circuit_type; u_int8_t source_id[SYSTEM_ID_LEN]; u_int8_t holding_time[2]; u_int8_t pdu_len[2]; u_int8_t circuit_id; }; struct isis_lsp_header { u_int8_t pdu_len[2]; u_int8_t remaining_lifetime[2]; u_int8_t lsp_id[LSP_ID_LEN]; u_int8_t sequence_number[4]; u_int8_t checksum[2]; u_int8_t typeblock; }; struct isis_csnp_header { u_int8_t pdu_len[2]; u_int8_t source_id[NODE_ID_LEN]; u_int8_t start_lsp_id[LSP_ID_LEN]; u_int8_t end_lsp_id[LSP_ID_LEN]; }; struct isis_psnp_header { u_int8_t pdu_len[2]; u_int8_t source_id[NODE_ID_LEN]; }; struct isis_tlv_lsp { u_int8_t remaining_lifetime[2]; u_int8_t lsp_id[LSP_ID_LEN]; u_int8_t sequence_number[4]; u_int8_t checksum[2]; }; #if defined(ArgusIsis) /* static struct tok isis_pdu_values[] = { { L1_LAN_IIH, "L1 Lan IIH"}, { L2_LAN_IIH, "L2 Lan IIH"}, { PTP_IIH, "p2p IIH"}, { L1_LSP, "L1 LSP"}, { L2_LSP, "L2 LSP"}, { L1_CSNP, "L1 CSNP"}, { L2_CSNP, "L2 CSNP"}, { L1_PSNP, "L1 PSNP"}, { L2_PSNP, "L2 PSNP"}, { 0, NULL} }; */ /* rfc3471 */ struct tok gmpls_link_prot_values[] = { { 0x01, "Extra Traffic"}, { 0x02, "Unprotected"}, { 0x04, "Shared"}, { 0x08, "Dedicated 1:1"}, { 0x10, "Dedicated 1+1"}, { 0x20, "Enhanced"}, { 0x40, "Reserved"}, { 0x80, "Reserved"}, { 0, NULL } }; /* rfc3471 */ struct tok gmpls_switch_cap_values[] = { { 1, "Packet-Switch Capable-1"}, { 2, "Packet-Switch Capable-2"}, { 3, "Packet-Switch Capable-3"}, { 4, "Packet-Switch Capable-4"}, { 51, "Layer-2 Switch Capable"}, { 100, "Time-Division-Multiplex"}, { 150, "Lambda-Switch Capable"}, { 200, "Fiber-Switch Capable"}, { 0, NULL } }; /* rfc3471 */ struct tok gmpls_encoding_values[] = { { 1, "Packet"}, { 2, "Ethernet V2/DIX"}, { 3, "ANSI/ETSI PDH"}, { 4, "Reserved"}, { 5, "SDH ITU-T G.707/SONET ANSI T1.105"}, { 6, "Reserved"}, { 7, "Digital Wrapper"}, { 8, "Lambda (photonic)"}, { 9, "Fiber"}, { 10, "Reserved"}, { 11, "FiberChannel"}, { 0, NULL } }; #endif /* ArgusIsis */ #endif /* ArgusIsis_h */ argus-5.0.2/include/argus_llc.h000066400000000000000000000122171471541253600164210ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Llc defines * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1993, 1994, 1997 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that: (1) source code distributions * retain the above copyright notice and this paragraph in its entirety, (2) * distributions including binary code include the above copyright notice and * this paragraph in its entirety in the documentation or other materials * provided with the distribution, and (3) all advertising materials mentioning * features or use of this software display the following acknowledgement: * ``This product includes software developed by the University of California, * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of * the University nor the names of its contributors may be used to endorse * or promote products derived from this software without specific prior * written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. * */ /* * $Id: //depot/gargoyle/argus/include/argus_llc.h#3 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_llc_h) #define Argus_llc_h /* * This stuff should come from a system header file, but there's no * obviously portable way to do that and it's not really going * to change from system to system. */ /* * A somewhat abstracted view of the LLC header */ struct argus_llc { u_char dsap; u_char ssap; union { u_char u_ctl; u_short is_ctl; struct { u_char snap_ui; u_char snap_pi[5]; } snap; struct { u_char snap_ui; u_char snap_orgcode[3]; u_char snap_ethertype[2]; } snap_ether; } ctl; }; #define llcui ctl.snap.snap_ui #define llcpi ctl.snap.snap_pi #define orgcode ctl.snap_ether.snap_orgcode #define ethertype ctl.snap_ether.snap_ethertype #define llcis ctl.is_ctl #define llcu ctl.u_ctl #define LLC_U_FMT 3 #define LLC_GSAP 1 #define LLC_S_FMT 1 #define LLC_U_POLL 0x10 #define LLC_IS_POLL 0x0001 #define LLC_XID_FI 0x81 #define LLC_U_CMD(u) ((u) & 0xef) #define LLC_UI 0x03 #define LLC_UA 0x63 #define LLC_DISC 0x43 #define LLC_DM 0x0f #define LLC_SABME 0x6f #define LLC_TEST 0xe3 #define LLC_XID 0xaf #define LLC_FRMR 0x87 #define LLC_S_CMD(is) (((is) >> 10) & 0x03) #define LLC_RR 0x0100 #define LLC_RNR 0x0500 #define LLC_REJ 0x0900 #define LLC_IS_NR(is) (((is) >> 1) & 0x7f) #define LLC_I_NS(is) (((is) >> 9) & 0x7f) #if !defined(LLCSAP_NULL) #define LLCSAP_NULL 0x00 #endif #if !defined(LLCSAP_8021B_I) #define LLCSAP_8021B_I 0x02 #endif #if !defined(LLCSAP_8021B_G) #define LLCSAP_8021B_G 0x03 #endif #if !defined(LLCSAP_SNAPATH) #define LLCSAP_SNAPATH 0x04 #endif #if !defined(LLCSAP_IP) #define LLCSAP_IP 0x06 #endif #if !defined(LLCSAP_SNA1) #define LLCSAP_SNA1 0x08 #endif #if !defined(LLCSAP_SNA2) #define LLCSAP_SNA2 0x0c #endif #if !defined(LLCSAP_PROWAYNM) #define LLCSAP_PROWAYNM 0x0e #endif #if !defined(LLCSAP_TI) #define LLCSAP_TI 0x18 #endif #if !defined(LLCSAP_BPDU) #define LLCSAP_BPDU 0x42 #endif #if !defined(LLCSAP_RS511) #define LLCSAP_RS511 0x4e #endif #if !defined(LLCSAP_ISO8208) #define LLCSAP_ISO8208 0x7e #endif #if !defined(LLCSAP_XNS) #define LLCSAP_XNS 0x80 #endif #if !defined(LLCSAP_NESTAR) #define LLCSAP_NESTAR 0x86 #endif #if !defined(LLCSAP_PROWAYASLM) #define LLCSAP_PROWAYASLM 0x8e #endif #if !defined(LLCSAP_ARP) #define LLCSAP_ARP 0x98 #endif #if !defined(LLCSAP_SNAP) #define LLCSAP_SNAP 0xaa #endif #if !defined(LLCSAP_VINES1) #define LLCSAP_VINES1 0xba #endif #if !defined(LLCSAP_VINES2) #define LLCSAP_VINES2 0xbc #endif #if !defined(LLCSAP_NETWARE) #define LLCSAP_NETWARE 0xe0 #endif #if !defined(LLCSAP_NETBIOS) #define LLCSAP_NETBIOS 0xf0 #endif #if !defined(LLCSAP_IBMNM) #define LLCSAP_IBMNM 0xf4 #endif #if !defined(LLCSAP_RPL1) #define LLCSAP_RPL1 0xf8 #endif #if !defined(LLCSAP_UB) #define LLCSAP_UB 0xfa #endif #if !defined(LLCSAP_RPL2) #define LLCSAP_RPL2 0xfc #endif #if !defined(LLCSAP_ISONS) #define LLCSAP_ISONS 0xfe #endif #if !defined(LLCSAP_GLOBAL) #define LLCSAP_GLOBAL 0xff #endif #endif argus-5.0.2/include/argus_namedb.h000066400000000000000000000100611471541253600170700ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files - name database * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the Computer Systems * Engineering Group at Lawrence Berkeley Laboratory. * 4. Neither the name of the University nor of the Laboratory may be used * to endorse or promote products derived from this software without * specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * */ /* * $Id: //depot/gargoyle/argus/include/argus_namedb.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_namedb_h) #define Argus_namedb_h /* * As returned by the argus_next_etherent() * XXX this stuff doesn't belong in this inteface, but this * library already must do name to address translation, so * on systems that don't have support for /etc/ethers, we * export these hooks since they'll */ struct argus_etherent { unsigned char addr[6]; char name[122]; }; #if !defined(PCAP_ETHERS_FILE) #define PCAP_ETHERS_FILE "/etc/ethers" #endif struct argus_etherent *argus_next_etherent(FILE *); unsigned char *argus_ether_hostton(char*); unsigned char *argus_ether_aton(char *); unsigned int **argus_nametoaddr(char *); unsigned int argus_nametonetaddr(char *); int argus_nametoport(char *, int *, int *); int argus_nametoproto(char *); int argus_nametoeproto(char *); /* * If a protocol is unknown, PROTO_UNDEF is returned. * Also, argus_nametoport() returns the protocol along with the port number. * If there are ambiguous entried in /etc/services (i.e. domain * can be either tcp or udp) PROTO_UNDEF is returned. */ #define PROTO_UNDEF -1 /* XXX move these to pcap-int.h? */ unsigned int __argus_atodn(char *); unsigned int __argus_atoin(char *, unsigned int *); unsigned short __argus_nametodnaddr(char *); #endif argus-5.0.2/include/argus_os.h000066400000000000000000000135421471541253600162720ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. OS Specific defines * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_os.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusOs_h #define ArgusOs_h #ifdef __cplusplus extern "C" { #endif #if !defined(Argus_os_h) #define Argus_os_h #if defined(HAVE_INTTYPES_H) #include #endif #if !defined(bsdi) #define ETHER_SERVICE #endif #if defined(__APPLE_CC__) || defined(__APPLE__) #define __OpenBSD__ 1 #endif #if defined(__OpenBSD__) #include #include #endif #if defined(ETHER_HEADER_HAS_EA) #define ESRC(ep) ((ep)->ether_shost.ether_addr_octet) #define EDST(ep) ((ep)->ether_dhost.ether_addr_octet) #else #define ESRC(ep) ((ep)->ether_shost) #define EDST(ep) ((ep)->ether_dhost) #endif #if defined(ETHER_ARP_HAS_X) #define SHA(ap) ((ap)->arp_xsha) #define THA(ap) ((ap)->arp_xtha) #define SPA(ap) ((ap)->arp_xspa) #define TPA(ap) ((ap)->arp_xtpa) #else #if defined(ETHER_ARP_HAS_EA) #define SHA(ap) ((ap)->arp_sha.ether_addr_octet) #define THA(ap) ((ap)->arp_tha.ether_addr_octet) #else #define SHA(ap) ((ap)->arp_sha) #define THA(ap) ((ap)->arp_tha) #endif #define SPA(ap) ((ap)->arp_spa) #define TPA(ap) ((ap)->arp_tpa) #endif #if defined(sun) #define ETHERPUP_IPTYPE ETHERTYPE_IP #define ETHERPUP_REVARPTYPE ETHERTYPE_REVARP #define ETHERPUP_ARPTYPE ETHERTYPE_ARP typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; typedef uint64_t u_int64_t; #endif #if defined(__sgi) #define SHA(ap) ((ap)->arp_sha) #define SPA(ap) ((ap)->arp_spa) #define THA(ap) ((ap)->arp_tha) #define TPA(ap) ((ap)->arp_tpa) #define EDST(ep) ((ep)->ether_dhost) #define ESRC(ep) ((ep)->ether_shost) #endif #if defined(__FreeBSD__) || defined(CYGWIN) #include #include #else #include #include #endif #include #if !defined(ICMP6_MEMBERSHIP_QUERY) #define ICMP6_MEMBERSHIP_QUERY 130 #endif #if !defined(ICMP6_MEMBERSHIP_REPORT) #define ICMP6_MEMBERSHIP_REPORT 131 #endif #if !defined(ICMP6_MEMBERSHIP_REDUCTION) #define ICMP6_MEMBERSHIP_REDUCTION 132 #endif #if !defined(ICMP6_HADISCOV_REQUEST) #define ICMP6_HADISCOV_REQUEST 202 #endif #if !defined(ICMP6_HADISCOV_REPLY) #define ICMP6_HADISCOV_REPLY 203 #endif #if !defined(IPPROTO_HOPOPTS) #define IPPROTO_HOPOPTS 0 #endif #if !defined(IPPROTO_ROUTING) #define IPPROTO_ROUTING 40 #endif #if !defined(IPPROTO_FRAGMENT) #define IPPROTO_FRAGMENT 44 #endif #if !defined(IPPROTO_GRE) #define IPPROTO_GRE 47 #endif #if !defined(IPPROTO_ESP) #define IPPROTO_ESP 50 #endif #if !defined(IPPROTO_AH) #define IPPROTO_AH 51 #endif #if !defined(IPPROTO_ICMPV6) #define IPPROTO_ICMPV6 58 #endif #if !defined(IPPROTO_DSTOPTS) #define IPPROTO_DSTOPTS 60 #endif #if !defined(IPPROTO_TTP) #define IPPROTO_TTP 84 #endif #if !defined(IPPROTO_OSPF) #define IPPROTO_OSPF 89 #endif #if !defined(ETHERTYPE_REVARP) #define ETHERTYPE_REVARP 0x8035 #endif #if !defined(IPPROTO_ND) #define IPPROTO_ND 77 #endif #if !defined(REVARP_REQUEST) #define REVARP_REQUEST 3 #endif #if !defined(REVARP_REPLY) #define REVARP_REPLY 4 #endif #endif #if !defined(IPPROTO_IB) #define IPPROTO_IB 253 #endif #if !defined(IPPROTO_RTP) #define IPPROTO_RTP 257 #endif #if !defined(IPPROTO_RTCP) #define IPPROTO_RTCP 258 #endif #if !defined(IPPROTO_UDT) #define IPPROTO_UDT 259 #endif /* newish RIP commands */ #if !defined(RIPCMD_POLL) #define RIPCMD_POLL 5 #endif #if !defined(RIPCMD_POLLENTRY) #define RIPCMD_POLLENTRY 6 #endif #if !defined(ICMP_SR_FAILED) #define ICMP_SR_FAILED 5 /* Source Route failed */ #endif #if !defined(ICMP_PARAMETERPROB) #define ICMP_PARAMETERPROB 12 /* Parameter Problem */ #endif #if !defined(PCAP_IF_LOOPBACK) #define PCAP_IF_LOOPBACK 0x00000001 /* interface is loopback */ #endif #if !defined(PCAP_IF_UP) #define PCAP_IF_UP 0x00000002 /* interface is up */ #endif #if !defined(PCAP_IF_RUNNING) #define PCAP_IF_RUNNING 0x00000004 /* interface is running */ #endif #if !defined(PCAP_IF_WIRELESS) #define PCAP_IF_WIRELESS 0x00000008 /* interface is wireless (*NOT* necessarily Wi-Fi!) */ #endif #if !defined(PCAP_IF_CONNECTION_STATUS) #define PCAP_IF_CONNECTION_STATUS 0x00000030 /* connection status: */ #endif #if !defined(PCAP_IF_CONNECTION_STATUS_UNKNOWN) #define PCAP_IF_CONNECTION_STATUS_UNKNOWN 0x00000000 /* unknown */ #endif #if !defined(PCAP_IF_CONNECTION_STATUS_CONNECTED) #define PCAP_IF_CONNECTION_STATUS_CONNECTED 0x00000010 /* connected */ #endif #if !defined(PCAP_IF_CONNECTION_STATUS_DISCONNECTED) #define PCAP_IF_CONNECTION_STATUS_DISCONNECTED 0x00000020 /* disconnected */ #endif #if !defined(PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE) #define PCAP_IF_CONNECTION_STATUS_NOT_APPLICABLE 0x00000030 /* not applicable */ #endif #ifdef __cplusplus } #endif #endif argus-5.0.2/include/argus_out.h000066400000000000000000001006011471541253600164510ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Output structures * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_out.h#13 $ * $DateTime: 2016/09/18 16:32:53 $ * $Change: 3186 $ */ #if !defined(Argus_out_h) #define Argus_out_h #include #if defined(HAVE_SOLARIS) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) #include #include #include #endif #include #if defined(__OpenBSD__) #include #endif #include #include #include #include #include #include #include #include #pragma pack(2) struct ArgusDSRfixLen { unsigned short data; }; struct ArgusDSRvar8bitLen { unsigned char qual; unsigned char len; }; struct ArgusDSRvar16bitLen { unsigned short len; }; struct ArgusDSRHeader { unsigned char type; unsigned char subtype; union { struct ArgusDSRfixLen fl; struct ArgusDSRvar8bitLen vl8; struct ArgusDSRvar16bitLen vl16; } dsr_un; }; struct ArgusSystemDSRHeader { unsigned char type; unsigned char subtype; union { struct ArgusDSRfixLen fl; struct ArgusDSRvar8bitLen vl8; struct ArgusDSRvar16bitLen vl16; } dsr_un; #if defined(ALIGN_64BIT) int pad[3]; #endif }; struct ArgusTime { unsigned int tv_sec, tv_usec; }; #define argus_dsrfl dsr_un.fl #define argus_dsrvl8 dsr_un.vl8 #define argus_dsrvl16 dsr_un.vl16 struct ArgusICMPObject { unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusICMPv6Object { unsigned char icmp_type, icmp_code; unsigned short cksum; }; struct ArgusTCPInitStatus { unsigned int status, seqbase; unsigned int options; unsigned short win; unsigned char flags, winshift; unsigned short maxseg, pad; }; struct ArgusTCPStatus { unsigned int status; unsigned char src, dst, pad[2]; }; struct ArgusTCPObjectMetrics { struct ArgusTime lasttime; unsigned int status, seqbase, seq, ack, winnum; unsigned int bytes, retrans, ackbytes, winbytes; unsigned short win; unsigned char flags, winshift; unsigned short maxseg, pad; // unsigned int dup; }; struct ArgusTCPObject { unsigned int status; unsigned int state, options; unsigned int synAckuSecs, ackDatauSecs; struct ArgusTCPObjectMetrics src, dst; }; struct ArgusUDTObjectMetrics { struct ArgusTime lasttime; unsigned int seq, tstamp, ack, rtt, var, bsize, rate, lcap; int solo, first, middle, last, drops, retrans, nacked; }; struct ArgusUDTObject { unsigned int state, status; struct udt_control_handshake hshake; struct ArgusUDTObjectMetrics src, dst; }; struct ArgusRTPObject { unsigned int state; struct rtphdr src, dst; unsigned short sdrop, ddrop; unsigned short ssdev, dsdev; }; struct ArgusRTCPObject { struct rtcphdr src, dst; unsigned short sdrop, ddrop; }; struct ArgusIGMPObjectV1 { unsigned char igmp_type, igmp_code; unsigned int igmp_group; }; struct ArgusIGMPObject { unsigned char igmp_type, igmp_code; unsigned int igmp_group; struct ArgusTime jdelay; struct ArgusTime ldelay; }; struct ArgusFragOffsetStruct { struct ArgusFragOffsetStruct *nxt; int start, end; }; struct ArgusFragObject { unsigned int fragnum, frag_id; unsigned int startbytes, bytes, totbytes; unsigned short totlen, currlen, maxfraglen, pad; struct ArgusFlowStruct *parent; struct ArgusFragOffsetStruct offsets; }; struct ArgusIsisLspFlow { unsigned char lspid[LSP_ID_LEN]; unsigned int seqnum; }; struct ArgusIsisHelloFlow { unsigned char srcid[SYSTEM_ID_LEN]; unsigned char lanid[NODE_ID_LEN]; u_int8_t circuit_id; /* for point-to-point */ }; struct ArgusIsisCsnpFlow { unsigned char srcid[NODE_ID_LEN]; }; struct ArgusIsisPsnpFlow { unsigned char srcid[NODE_ID_LEN]; }; struct ArgusIsisFlow { int pdu_type; char esrc[ETHER_ADDR_LEN], edst[ETHER_ADDR_LEN]; char proto_version, pad[3]; union { struct ArgusIsisHelloFlow hello; struct ArgusIsisLspFlow lsp; struct ArgusIsisCsnpFlow csnp; struct ArgusIsisPsnpFlow psnp; } isis_un; int chksum; }; struct ArgusESPObject { unsigned int status, spi, lastseq, lostseq; }; struct ArgusARPObject { unsigned char respaddr[6]; unsigned short pad; }; struct ArgusDHCPObject { unsigned int respaddr; }; struct ArgusAHObject { unsigned int src_spi, dst_spi; unsigned int src_replay, dst_replay; }; struct ArgusLcpFlow { struct ether_header ehdr; unsigned char code, id; }; struct ArgusEtherMacFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct Argus80211MacFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct ArgusMacFlow { union { struct ArgusEtherMacFlow ether; struct Argus80211MacFlow wlan; } mac_union; }; struct ArgusWlanFlow { unsigned char dhost[ETHER_ADDR_LEN]; unsigned char shost[ETHER_ADDR_LEN]; unsigned char bssid[ETHER_ADDR_LEN]; unsigned char ssid[32]; }; struct ArgusIPAttrObject { unsigned char ttl, tos; unsigned short ip_id; unsigned short status; unsigned short options; }; struct ArgusIsisObject { struct isis_common_header common; union { struct isis_iih_lan_header iih_lan; struct isis_iih_ptp_header iih_ptp; struct isis_lsp_header lsp; struct isis_csnp_header csnp; struct isis_psnp_header psnp; } isis_un; }; struct ArgusLCPObject { unsigned int status; unsigned int state, options; }; #include struct Argus80211Beacon { u_int8_t timestamp[IEEE802_11_TSTAMP_LEN]; u_char ap[IEEE802_11_AP_LEN]; u_int16_t beacon_interval, listen_interval; u_int16_t status_code, aid, reason_code; u_int16_t auth_alg, auth_trans_seq_num; u_int16_t capability_info; elem_status_t challenge_status; struct challenge_t challenge; elem_status_t ssid_status; struct ssid_t ssid; elem_status_t rates_status; struct rates_t rates; elem_status_t ds_status; struct ds_t ds; elem_status_t cf_status; struct cf_t cf; elem_status_t fh_status; struct fh_t fh; elem_status_t tim_status; struct tim_t tim; }; struct Argus80211Probe { }; struct Argus80211Object { union { struct Argus80211Beacon beacon; struct Argus80211Probe probe; } o_un; }; struct ArgusESPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad; unsigned int spi; }; struct ArgusESPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int spi; }; struct ArgusHAddr { union { unsigned char ethernet[6]; unsigned char ib[32]; unsigned char ieee1394[16]; unsigned char framerelay[4]; unsigned char tokenring[6]; unsigned char arcnet[1]; unsigned char fiberchannel[12]; unsigned char atm[20]; } h_un; }; struct ArgusArpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_spa; unsigned int arp_tpa; struct ArgusHAddr haddr; }; struct ArgusRarpFlow { unsigned short hrd; unsigned short pro; unsigned char hln; unsigned char pln; unsigned short op; unsigned int arp_tpa; struct ArgusHAddr shaddr; struct ArgusHAddr dhaddr; }; struct ArgusICMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short id, ip_id; }; struct ArgusICMPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned char type, code; unsigned short id; }; struct ArgusIPFragFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad[2]; unsigned short ip_id; }; struct ArgusIPv6FragFlow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned int ip_id; }; struct ArgusIGMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short pad, ip_id; }; struct ArgusIGMPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned char type, code; unsigned short pad; }; struct ArgusIPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short sport, dport; unsigned char smask, dmask; }; struct ArgusIPv6Flow { unsigned int ip_src[4], ip_dst[4]; #if defined(_LITTLE_ENDIAN) unsigned int flow:20; unsigned int resv:4; unsigned int ip_p:8; #else unsigned int ip_p:8; unsigned int resv:4; unsigned int flow:20; #endif unsigned short sport, dport; unsigned short smask, dmask; }; struct ArgusUdtFlow { struct ArgusMacFlow mac; unsigned int sockid; }; struct ArgusFlow { struct ArgusDSRHeader hdr; union { struct ArgusIPv6Flow ipv6; struct ArgusIPFlow ip; struct ArgusEtherMacFlow mac; struct ArgusICMPv6Flow icmpv6; struct ArgusICMPFlow icmp; struct ArgusIGMPv6Flow igmpv6; struct ArgusIGMPFlow igmp; struct ArgusESPv6Flow espv6; struct ArgusESPFlow esp; struct ArgusArpFlow arp; struct ArgusRarpFlow rarp; struct ArgusIPv6FragFlow fragv6; struct ArgusIPFragFlow frag; struct ArgusLcpFlow lcp; struct ArgusIsisFlow isis; struct ArgusWlanFlow wlan; struct ArgusUdtFlow udt; } flow_un; }; struct ArgusSystemFlow { struct ArgusDSRHeader hdr; union { struct ArgusIPv6Flow ipv6; struct ArgusIPFlow ip; struct ArgusEtherMacFlow mac; struct ArgusICMPv6Flow icmpv6; struct ArgusICMPFlow icmp; struct ArgusIGMPv6Flow igmpv6; struct ArgusIGMPFlow igmp; struct ArgusESPv6Flow espv6; struct ArgusESPFlow esp; struct ArgusArpFlow arp; struct ArgusRarpFlow rarp; struct ArgusIPv6FragFlow fragv6; struct ArgusIPFragFlow frag; struct ArgusLcpFlow lcp; struct ArgusIsisFlow isis; struct ArgusWlanFlow wlan; struct ArgusUdtFlow udt; } flow_un; #if defined(ALIGN_64BIT) int tail[1]; #endif }; #define ipv6_flow flow_un.ipv6 #define ip_flow flow_un.ip #define icmpv6_flow flow_un.icmpv6 #define icmp_flow flow_un.icmp #define igmp_flow flow_un.igmp #define igmp6_flow flow_un.igmpv6 #define mac_flow flow_un.mac #define arp_flow flow_un.arp #define rarp_flow flow_un.rarp #define esp6_flow flow_un.espv6 #define esp_flow flow_un.esp #define fragv6_flow flow_un.fragv6 #define frag_flow flow_un.frag #define lcp_flow flow_un.lcp #define isis_flow flow_un.isis #define wlan_flow flow_un.wlan #define udt_flow flow_un.udt struct ArgusFlowHashStruct { struct ArgusDSRHeader hdr; unsigned int hash; unsigned int ind; }; struct ArgusAddrStruct { union { unsigned int value; unsigned int ipv4; unsigned char ethersrc[6]; unsigned char str[4]; unsigned char uuid[16]; unsigned int ipv6[4]; } a_un; unsigned char inf[4]; }; struct ArgusV3AddrStruct { union { unsigned int value; unsigned int ipv4; unsigned char str[4]; } a_un; }; struct ArgusV3TransportStruct { struct ArgusDSRHeader hdr; struct ArgusV3AddrStruct srcid; unsigned int seqnum; }; struct ArgusTransportStruct { struct ArgusDSRHeader hdr; struct ArgusAddrStruct srcid; unsigned int seqnum; }; struct ArgusTimeStruct { struct ArgusTime start, end; }; struct ArgusEncapsStruct { struct ArgusDSRHeader hdr; unsigned int src, dst; unsigned short slen, dlen; char *sbuf, *dbuf; }; struct ArgusTimeObject { struct ArgusDSRHeader hdr; struct ArgusTimeStruct src, dst; }; struct ArgusEventObject { struct ArgusDSRHeader hdr; }; struct ArgusEventTimeStruct { struct ArgusDSRHeader hdr; struct ArgusTime start; unsigned int duration; }; /* ARGUS_HISTO_LINEAR size:bins:start ARGUS_HISTO_EXPONENTIAL size:bins:start:base ARGUS_HISTO_SCALED ARGUS_HISTO_OUTLAYER_LOWER ARGUS_HISTO_OUTLAYER_UPPER */ struct ArgusHistoObject { struct ArgusDSRHeader hdr; float size; char bins, bits; short start; unsigned char *data; }; struct ArgusUniStats { long long pkts, bytes, appbytes; }; struct ArgusStatObject { int n; float minval; float meanval; float stdev; float maxval; unsigned char fdist[8]; }; struct ArgusStatsObject { int n; float minval; float meanval; float stdev; float maxval; union { unsigned int exp; unsigned int *linear; } dist_union; }; struct ArgusOutputStatObject { int n; float minval; float meanval; float stdev; float maxval; union { unsigned char fdist[8]; struct ArgusHistoObject linear; } dist_union; }; struct ArgusAgrStruct { struct ArgusDSRHeader hdr; unsigned int count; struct ArgusTime laststartime, lasttime; struct ArgusStatObject act, idle; }; struct ArgusPacketSizeObject { unsigned short psizemin, psizemax; unsigned char psize[8]; }; struct ArgusPacketSizeStruct { struct ArgusDSRHeader hdr; struct ArgusPacketSizeObject src, dst; }; struct ArgusJitterObject { struct ArgusStatObject act, idle; }; struct ArgusJitterStruct { struct ArgusDSRHeader hdr; struct ArgusJitterObject src, dst; }; struct ArgusMacStruct { struct ArgusDSRHeader hdr; struct ArgusMacFlow mac; }; struct ArgusVxLanStruct { struct ArgusDSRHeader hdr; unsigned int svnid, dvnid; struct ArgusFlow tflow; }; struct ArgusVlanStruct { struct ArgusDSRHeader hdr; unsigned short sid, did; }; struct ArgusMplsStruct { struct ArgusDSRHeader hdr; unsigned int slabel; unsigned int dlabel; }; struct ArgusGreStruct { struct ArgusDSRHeader hdr; unsigned short flags, proto; struct ArgusFlow tflow; }; struct ArgusGeneveStruct { struct ArgusDSRHeader hdr; unsigned char ver_opt, flags; unsigned short ptype; unsigned int vni; struct ArgusFlow tflow; }; struct ArgusIPAttrStruct { struct ArgusDSRHeader hdr; struct ArgusIPAttrObject src, dst; }; struct ArgusMetricStruct { struct ArgusDSRHeader hdr; struct ArgusUniStats src, dst; }; struct ArgusServiceStruct { struct ArgusDSRHeader hdr; char name[16]; }; struct ArgusDataStruct { struct ArgusDSRHeader hdr; unsigned short size, count; char array[8]; }; struct ArgusIcmpv6Struct { struct ArgusDSRHeader hdr; unsigned char icmp_type, icmp_code; unsigned short cksum; }; struct ArgusIcmpStruct { struct ArgusDSRHeader hdr; unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusKeyStrokeMetrics { int n_strokes; }; struct ArgusKeyStrokeStruct { struct ArgusKeyStrokeMetrics src, dst; }; struct ArgusBehaviorStruct { struct ArgusDSRHeader hdr; union { struct ArgusKeyStrokeStruct keyStroke; } behavior_union; }; #define keyStroke behavior_union.keyStroke struct ArgusCorMetrics { struct ArgusAddrStruct srcid; int deltaDur, deltaStart, deltaLast; int deltaSrcPkts, deltaDstPkts; }; struct ArgusCorrelateStruct { struct ArgusDSRHeader hdr; struct ArgusCorMetrics metrics; }; struct ArgusCountryCodeStruct { struct ArgusDSRHeader hdr; char src[2], dst[2]; }; struct ArgusCoordinates { float lat, lon; }; struct ArgusCoordinateRange { struct ArgusCoordinates max, min; }; struct ArgusSiteLocation { unsigned int status; union { struct ArgusCoordinates cor; struct ArgusCoordinateRange range; } dist_union; }; struct ArgusGeoLocationStruct { struct ArgusDSRHeader hdr; struct ArgusSiteLocation src, dst; }; struct ArgusLabelStruct { struct ArgusDSRHeader hdr; union { char *svc; char *label; }l_un; }; struct ArgusIdStruct { int status; char name[64]; }; struct ArgusInputStruct { struct ArgusDSRHeader hdr; struct ArgusIdStruct id; }; struct ArgusEventStruct { struct ArgusDSRHeader event; /* immediate data */ struct ArgusTransportStruct trans; struct ArgusTimeObject time; struct ArgusDataStruct data; }; struct ArgusMarStruct { unsigned int status, argusid; unsigned int localnet, netmask; unsigned int nextMrSequenceNum; struct ArgusTime startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned long long pktsRcvd, bytesRcvd; long long drift; unsigned int records, flows, dropped; unsigned int queue, output, clients; unsigned int bufs, bytes; unsigned short suserlen, duserlen; union { unsigned int value; unsigned int ipv4; unsigned char ethersrc[6]; unsigned char str[4]; unsigned char uuid[16]; unsigned int ipv6[4]; struct { unsigned int pad[3]; unsigned int thisid; }; }; unsigned int record_len; }; struct ArgusV3MarStruct { unsigned int status, argusid; unsigned int localnet, netmask, nextMrSequenceNum; struct ArgusTime startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned long long pktsRcvd, bytesRcvd; long long drift; unsigned int records, flows, dropped; unsigned int queue, output, clients; unsigned int bufs, bytes; unsigned short suserlen, duserlen; unsigned int pad[3]; unsigned int thisid, record_len; }; struct ArgusMarSupStruct { unsigned int status; unsigned char argusid[16]; struct ArgusTime startime, now; struct ArgusInputStruct input; }; #define ARGUS_L2_ADDRESS 0x01 #define ARGUS_IPV4_ADDRESS 0x02 #define ARGUS_IPV6_ADDRESS 0x03 struct ArgusIPv4Addr { unsigned int addr, mask; }; struct ArgusIPv6Addr { unsigned int addr[4]; unsigned int prefixlen; }; struct ArgusAddressStruct { unsigned char type, length; unsigned short status; union { struct ArgusHAddr l2addr; struct ArgusIPv4Addr ipv4; struct ArgusIPv6Addr ipv6; } addr; }; struct ArgusMarInterfaceStruct { unsigned char type, length; unsigned short status; unsigned char inf[4]; int flags, mtu; struct ArgusAddressStruct *addr; }; struct ArgusMarInfStruct { unsigned int status; struct ArgusAddrStruct srcid; struct ArgusTime startime, now; struct ArgusMarInterfaceStruct *inf; }; struct ArgusFarStruct { struct ArgusFlow flow; }; /* The ArgusRecordHeader is composed of 4 4-bit fields, the type, version, cause and options fields. For the purpose of portability, we define them as two char values, so that little endian machines don't mess up the order, and to avoid compiler problems with using bit fields. unsigned char type:4; unsigned char vers:4; unsigned char cause:4; unsigned char opt:4; */ struct ArgusRecordHeader { unsigned char type; unsigned char cause; u_int16_t len; }; struct ArgusRecord { struct ArgusRecordHeader hdr; union { struct ArgusMarStruct mar; struct ArgusMarInfStruct inf; struct ArgusMarSupStruct sup; struct ArgusFarStruct far; struct ArgusEventStruct event; } ar_un; }; #define argus_mar ar_un.mar #define argus_inf ar_un.inf #define argus_sup ar_un.sup #define argus_far ar_un.far #define argus_event ar_un.event struct ArgusAsnStruct { struct ArgusDSRHeader hdr; uint32_t src_as; /* originating AS of source address */ uint32_t dst_as; /* originating AS of destination address */ uint32_t inode_as; /* originating AS of intermediate node address, if present */ }; struct ArgusNetworkStruct { struct ArgusDSRHeader hdr; union { struct ArgusTCPInitStatus tcpinit; struct ArgusTCPStatus tcpstatus; struct ArgusTCPObject tcp; struct ArgusICMPObject icmp; struct ArgusICMPv6Object icmpv6; struct ArgusUDTObject udt; struct ArgusRTPObject rtp; struct ArgusRTCPObject rtcp; struct ArgusIGMPObject igmp; struct ArgusDHCPObject dhcp; struct ArgusESPObject esp; struct ArgusARPObject arp; struct ArgusAHObject ah; struct ArgusFragObject frag; struct ArgusLCPObject lcp; struct ArgusIsisObject isis; } net_union; }; struct ArgusCanonRecord { struct ArgusRecordHeader hdr; struct ArgusFlow flow; struct ArgusFlowHashStruct hash; struct ArgusTransportStruct trans; struct ArgusTimeObject time; struct ArgusEncapsStruct encaps; struct ArgusAsnStruct asn; struct ArgusIPAttrStruct attr; struct ArgusMetricStruct metric; struct ArgusNetworkStruct net; struct ArgusVxLanStruct vxlan; struct ArgusGreStruct gre; struct ArgusGeneveStruct gen; struct ArgusMacStruct mac; struct ArgusVlanStruct vlan; struct ArgusMplsStruct mpls; struct ArgusIcmpStruct icmp; struct ArgusAgrStruct agr; struct ArgusCorrelateStruct cor; struct ArgusJitterStruct jitter; struct ArgusPacketSizeStruct psize; struct ArgusBehaviorStruct actor; struct ArgusCountryCodeStruct cocode; struct ArgusLabelStruct label; struct ArgusDataStruct data; }; #define ARGUS_NSR_STICKY 0x00100000 #define ARGUS_RECORD_MODIFIED 0x0100 struct ArgusRecordStruct { struct ArgusQueueHeader qhdr; unsigned int status, dsrindex, trans, autoid; unsigned short timeout, idle; struct RaBinProcessStruct *bins; struct ArgusInput *input; struct ArgusDSRHeader *dsrs[ARGUSMAXDSRTYPE]; struct ArgusHashTableHdr *htblhdr; struct ArgusHashTableHdr *hinthdr; struct ArgusQueueStruct *nsq; struct ArgusRecordHeader hdr; struct ArgusCanonRecord canon; struct ArgusCorStruct *correlates; float srate, drate, sload, dload, dur, mean; float pcr, sploss, dploss; long long offset; }; struct ArgusV2ETHERObject { unsigned char ethersrc[6]; unsigned char etherdst[6]; }; struct ArgusV2MACFlow { struct ether_header ehdr; unsigned char dsap, ssap; }; struct ArgusV2ESPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short pad; unsigned int spi; }; struct ArgusV2ArpFlow { unsigned int arp_spa; unsigned int arp_tpa; unsigned char etheraddr[6]; unsigned short pad; }; struct ArgusV2RarpFlow { unsigned int arp_tpa; unsigned char srceaddr[6]; unsigned char tareaddr[6]; }; struct ArgusV2ICMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short id, ip_id; }; struct ArgusV2IGMPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned char type, code; unsigned short pad, ip_id; }; struct ArgusV2IPFlow { unsigned int ip_src, ip_dst; unsigned char ip_p, tp_p; unsigned short sport, dport; unsigned short ip_id; }; struct ArgusV2LoadObject { int n; float minval; float meanval; float stdev; float maxval; }; struct ArgusV2LoadStruct { struct ArgusV2LoadObject pktsPerSec, bytesPerSec; }; struct ArgusV2TimeObject { int n; unsigned int minval; unsigned int meanval; unsigned int stdev; unsigned int maxval; }; struct ArgusV2TimeEntity { struct ArgusV2TimeObject act, idle; }; struct ArgusV2AHObject { unsigned int src_spi, dst_spi; unsigned int src_replay, dst_replay; }; struct ArgusV2ARPObject { unsigned char respaddr[6]; unsigned short pad; }; struct ArgusV2DHCPObject { unsigned int respaddr; }; struct ArgusV2FragObject { unsigned char type, length; unsigned short status; int fragnum, frag_id; unsigned short ip_id, totlen, currlen, maxfraglen; }; struct ArgusV2ICMPObject { unsigned char type, length; unsigned short status; unsigned char icmp_type, icmp_code; unsigned short iseq; unsigned int osrcaddr, odstaddr; unsigned int isrcaddr, idstaddr; unsigned int igwaddr; }; struct ArgusV2TCPObjectMetrics { unsigned int seqbase, ackbytes; unsigned int bytes, rpkts; unsigned short win; unsigned char flags, pad; }; struct ArgusV2TCPObject { unsigned char type, length; unsigned short status; unsigned int state; unsigned int options; unsigned int synAckuSecs, ackDatauSecs; struct ArgusV2TCPObjectMetrics src, dst; }; struct ArgusV2RTPObject { unsigned char type, length; unsigned short status; unsigned int state; struct rtphdr src, dst; unsigned short sdrop, ddrop; unsigned short ssdev, dsdev; }; struct ArgusV2RTCPObject { unsigned char type, length; unsigned short status; struct rtcphdr src, dst; unsigned short src_pkt_drop, dst_pkt_drop; }; struct ArgusV2IGMPObjectV1 { unsigned char type, length; unsigned short status; unsigned char igmp_type, igmp_code; unsigned int igmp_group; }; struct ArgusV2IGMPObject { unsigned char type, length; unsigned short status; unsigned char igmp_type, igmp_code; unsigned int igmp_group; struct ArgusTime jdelay; struct ArgusTime ldelay; }; struct ArgusV2FRAGObject { unsigned char type, length; unsigned short status; int fragnum, frag_id; unsigned short totlen, currlen, maxfraglen; }; struct ArgusV2ESPObject { unsigned int spi, lastseq, lostseq; }; struct ArgusV2ESPStruct { unsigned char type, length; u_short status; struct ArgusV2ESPObject src, dst; }; struct ArgusV2AGRStruct { unsigned char type, length; u_short status; unsigned int count; struct ArgusTime laststartime, lasttime; struct ArgusV2TimeObject act, idle; unsigned int startrange, endrange; }; struct ArgusV2PerfStruct { unsigned char type, length; u_short status; int count; struct ArgusV2LoadStruct src, dst; }; struct ArgusV2TimeStruct { unsigned char type, length; u_short status; struct ArgusV2TimeEntity src, dst; }; struct ArgusV2MacStruct { unsigned char type, length; unsigned short status; union { struct ArgusV2ETHERObject ether; } phys_union; }; #define ether_mac phys_union.ether struct ArgusV2VlanStruct { unsigned char type, length; unsigned short status; unsigned short sid, did; }; struct ArgusV2MplsStruct { unsigned char type, length; unsigned short status; unsigned int slabel; unsigned int dlabel; }; struct ArgusV2MarStruct { struct ArgusTime startime, now; unsigned char major_version, minor_version; unsigned char interfaceType, interfaceStatus; unsigned short reportInterval, argusMrInterval; unsigned int argusid, localnet, netmask, nextMrSequenceNum; unsigned long long pktsRcvd, bytesRcvd; unsigned int pktsDrop, flows, flowsClosed; unsigned int actIPcons, cloIPcons; unsigned int actICMPcons, cloICMPcons; unsigned int actIGMPcons, cloIGMPcons; unsigned int inputs, outputs; unsigned int qcount, qtime; int record_len; }; struct ArgusV2TimeDesc { struct ArgusTime start; struct ArgusTime last; }; struct ArgusV2Flow { union { struct ArgusV2IPFlow ip; struct ArgusV2ICMPFlow icmp; struct ArgusV2IGMPFlow igmp; struct ArgusV2MACFlow mac; struct ArgusV2ArpFlow arp; struct ArgusV2RarpFlow rarp; struct ArgusV2ESPFlow esp; } flow_union; }; struct ArgusV2UniAttributes { unsigned short options; unsigned char ttl, tos; }; struct ArgusV2IPAttributes { unsigned short soptions, doptions; unsigned char sttl, dttl; unsigned char stos, dtos; }; struct ArgusV2ARPAttributes { unsigned char response[8]; }; struct ArgusV2Attributes { union { struct ArgusV2IPAttributes ip; struct ArgusV2ARPAttributes arp; } attr_union; }; #define attr_ip attr.attr_union.ip #define attr_arp attr.attr_union.arp struct ArgusV2ArchiveMeter { unsigned int count, bytes; }; struct ArgusV2Meter { unsigned int count, bytes, appbytes; }; struct ArgusV2FarHeaderStruct { unsigned char type, length; unsigned short status; }; struct ArgusV2FarStruct { unsigned char type, length; unsigned short status; unsigned int ArgusV2TransRefNum; struct ArgusV2TimeDesc time; struct ArgusV2Flow flow; struct ArgusV2Attributes attr; struct ArgusV2Meter src, dst; }; struct ArgusV2CorrelateStruct { unsigned char type, length; unsigned short status; unsigned int argusid; int deltaDur, deltaStart, deltaLast; char deltaSrcToS, deltaSrcTTL; char deltaDstToS, deltaDstTTL; unsigned short deltaSrcIpId, deltaDstIpId; struct ArgusV2Meter deltaSrc, deltaDst; }; struct ArgusV2ServiceStruct { unsigned char type, length; u_short status; char name[16]; }; struct ArgusV2RecordArchiveHeader { unsigned char type, cause; unsigned short length; unsigned int status; }; struct ArgusV2RecordHeader { unsigned char type, cause; unsigned short length; unsigned int status; unsigned int argusid; unsigned int seqNumber; }; struct ArgusV2Record { struct ArgusV2RecordHeader ahdr; union { struct ArgusV2MarStruct mar; struct ArgusV2FarStruct far; } ar_un; }; struct ArgusV2CanonicalRecord { struct ArgusV2RecordHeader ahdr; struct ArgusV2FarStruct far; struct ArgusV2MacStruct mac; union { struct ArgusV2TCPObject tcp; struct ArgusV2ESPStruct esp; struct ArgusV2IGMPObject igmp; struct ArgusV2DHCPObject dhcp; struct ArgusV2RTPObject rtp; struct ArgusV2RTCPObject rtcp; struct ArgusV2ARPObject arp; struct ArgusV2AHObject ah; struct ArgusV2FRAGObject frag; } acr_union; struct ArgusV2AGRStruct agr; struct ArgusV2TimeStruct time; struct ArgusV2VlanStruct vlan; struct ArgusV2MplsStruct mpls; struct ArgusV2CorrelateStruct cor; struct ArgusV2ICMPObject icmp; struct ArgusV2ServiceStruct svc; }; struct ArgusV2ArchiveUniRecord { struct ArgusV2RecordArchiveHeader ahdr; unsigned int status; struct ArgusTime startime; unsigned int duration; struct ArgusV2Flow flow; struct ArgusV2UniAttributes attr; struct ArgusV2ArchiveMeter src; }; struct ArgusV2ArchiveRecord { struct ArgusV2RecordArchiveHeader ahdr; unsigned int status; struct ArgusTime startime; unsigned int duration; struct ArgusV2Flow flow; struct ArgusV2Attributes attr; struct ArgusV2ArchiveMeter src, dst; }; struct ArgusV2UserStruct { unsigned char type, length; u_short status; char data; }; #if PRAGMA_STRUCT_ALIGN //{ #pragma options align=reset //} #elif PRAGMA_STRUCT_PACKPUSH //}{ #pragma pack(pop) #elif PRAGMA_STRUCT_PACK //}{ #pragma pack() #endif //} #pragma pack() #endif /* Argus_out_h */ argus-5.0.2/include/argus_parse.h000066400000000000000000001471341471541253600167700ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Parsing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_parse.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_parse_h) #define Argus_parse_h #include #include #include #include #include #include #include #if !defined(MAXPATHNAMELEN) #define MAXPATHNAMELEN BUFSIZ #endif #define ARGUS_DEFAULTPORT 561 #define ARGUS_ENCODE_ASCII 0 #define ARGUS_ENCODE_64 1 #define ARGUS_ENCODE_32 2 struct naddrmem { struct naddrmem *nxt; unsigned int addr; unsigned short port; }; struct ArgusInterfaceStruct { int value; char *label; char *desc; }; struct ArgusModeStruct { struct ArgusModeStruct *nxt; char *mode; }; #define MAXSTRLEN 4096 #define MAXTIME 100000 #define READ_REMOTE_CON 0x40000000 #define READ_LOCAL_CON 0x20000000 #define ARGUS_MAX_REMOTE_CONN 64 #define HASHNAMESIZE 4096 #if defined(ArgusParse) struct timeval RaClientTimeout = {1,0}; #define MAXPROCSTATE 7 char *process_state_strings [MAXPROCSTATE] = { "REQ", "ACC", "EST", "CLO", "TIM", "RST", "FIN", }; struct timeval ArgusGlobalTime; struct timeval ArgusNowTime; struct bpf_program ArgusFilterCode; char *RaInputFilter[] = {NULL, NULL}; struct tm *RaTmStruct = NULL, RaTmStructBuf; char *RaTimeFormat = "%d %b %y %T"; char RaFieldDelimiter = '\0'; int RaPrintStartTime = 0; int RaPrintLastTime = 0; int RaCloseInputFd = 1; struct ArgusFarHeaderStruct *ArgusThisFarHdrs[32]; struct naddrmem *naddrtable [HASHNAMESIZE]; void clearArgusWfile(void); void setArgusWfile(char *, char *); char *exceptfile = NULL, *wfile = NULL; struct ARGUS_INPUT *ArgusInput = NULL; struct ARGUS_INPUT *ArgusInputFileList = NULL; struct ARGUS_INPUT *ArgusRemoteHostList = NULL; struct ArgusModeStruct *ArgusModeList = NULL; char *tag_string = "Argus Version "; int major_version = VERSION_MAJOR; int minor_version = VERSION_MINOR; int read_size = 0, detail = 0; int read_mode = 0; struct ArgusRecord *initCon = NULL; unsigned int ArgusLocalNet, ArgusNetMask; char ArgusOriginalBuffer[MAXSTRLEN]; struct ArgusRecord *ArgusOriginal = (struct ArgusRecord *) ArgusOriginalBuffer; int totalrecords = 0; int farrecords = 0; int marrecords = 0; int explicit_date = 0; time_t starTimeFilter_t = 0; time_t lastTimeFilter_t = 0; time_t lasttime_t = 0; time_t startime_t = 0; struct tm starTimeFilter; struct tm lastTimeFilter; char *ArgusProgramName = NULL; char *ArgusProgramArgs = NULL; char *ArgusProgramOptions = NULL; char *dataarg = NULL; char *timearg = NULL; char *servicesfile = NULL; struct bpf_program ArgusFilterCode; int ArgusGrepSource = 0; int ArgusGrepDestination = 0; int RaWriteOut = 1; long long tcp_dst_count = 0; long long tcp_src_count = 0; long long udp_dst_count = 0; long long udp_src_count = 0; long long icmp_dst_count = 0; long long icmp_src_count = 0; long long ip_dst_count = 0; long long ip_src_count = 0; long long arp_dst_count = 0; long long arp_src_count = 0; long long nonip_dst_count = 0; long long nonip_src_count = 0; long long tcp_dst_bytes = 0; long long tcp_src_bytes = 0; long long udp_dst_bytes = 0; long long udp_src_bytes = 0; long long icmp_dst_bytes = 0; long long icmp_src_bytes = 0; long long ip_dst_bytes = 0; long long ip_src_bytes = 0; long long arp_dst_bytes = 0; long long arp_src_bytes = 0; long long nonip_dst_bytes = 0; long long nonip_src_bytes = 0; int hfield = 15; int pfield = 5; int Aflag = 0; int aflag = 0; int Bflag = 0; int bflag = 0; int eflag = 0; char *estr = NULL; int Dflag = 0; int Eflag = 0; int fflag = 0; int gflag = 0; int idflag = 0; int Gflag = 0; int cflag = 0; int Cflag = 0; int jflag = 0; int Lflag = -1; int lflag = 0; int mflag = 0; char *Mflag = NULL; int nflag = 0; int Nflag = 0; int Normflag = 0; int Netflag = 0; int notNetflag = 0; int oflag = 0; int Oflag = 0; int Wflag = 0; int Fflag = 0; int Hflag = 0; char *Hstr = NULL; int pflag = 0; int Pflag = 0; char *sflag = NULL; int dflag = 0; int qflag = 0; int tflag = 0; int uflag = 0; char *ustr = NULL; char *pstr = NULL; int Uflag = 6; int vflag = 0; int Vflag = 0; int iflag = 0; int Iflag = 0; int Tflag = 0; int rflag = 0; int Rflag = 0; int Sflag = 0; int xflag = 0; int Xflag = 0; int XMLflag = 0; int zflag = 0; int Zflag = 0; long thiszone; int total_nets = 0; int total_hosts = 0; struct ARGUS_INPUT *ArgusRemoteFDs[ARGUS_MAX_REMOTE_CONN]; int ArgusActiveServers = 0; extern int ArgusAuthenticate (struct ARGUS_INPUT *); extern void ArgusClientInit (void); extern void usage (void); extern void process_man (struct ArgusRecord *); extern void process_tcp (struct ArgusRecord *); extern void process_icmp (struct ArgusRecord *); extern void process_udp (struct ArgusRecord *); extern void process_ip (struct ArgusRecord *); extern void process_arp (struct ArgusRecord *); extern void process_non_ip (struct ArgusRecord *); void ArgusShutDown (int); extern void RaParseComplete (int); void argus_parse_init (struct ARGUS_INPUT *); char *argus_lookupdev(char *); void read_udp_services (char *); int ArgusHandleDatum (struct ArgusRecord *, struct bpf_program *); void ArgusReformatRecord (struct ArgusRecord *, struct ArgusRecord *); int ArgusReadConnection (struct ARGUS_INPUT *, char *); void ArgusReadStream (void); void ArgusProcessRecord (struct ArgusRecord *); void ArgusGenerateCanonicalRecord (struct ArgusRecord *, struct ArgusCanonicalRecord *); int ArgusGetServerSocket (struct ARGUS_INPUT *); int ArgusAddFileList (char *); void ArgusDeleteFileList (void); int ArgusAddHostList (char *, int); int ArgusAddModeList (char *); void ArgusDeleteHostList (void); int ArgusWriteNewLogfile (char *, struct ArgusRecord *); int check_time (struct ArgusRecord *); int parseUserDataArg (char **, char **, int); int parseTimeArg (char **, char **, int, struct tm *); int check_time_format (struct tm *tm, char *str); int parseTime (struct tm *, struct tm *, char *); #if defined(_LITTLE_ENDIAN) void ArgusHtoN (struct ArgusRecord *argus); #endif #else /* ArgusParse */ extern char *ArgusProgramName; extern char *ArgusProgramArgs; extern char *process_state_strings []; extern int ArgusGrepSource; extern int ArgusGrepDestination; extern struct timeval ArgusGlobalTime; extern struct timeval ArgusNowTime; extern char *RaSortAlgorithmStrings[]; extern int RaSortIndex; extern struct tm *RaTmStruct; extern char *RaInputFilter[]; extern char *RaTimeFormat; extern char RaFieldDelimiter; extern int RaPrintStartTime; extern int RaPrintLastTime; extern int RaCloseInputFd; extern u_int ArgusThisFarStatus; extern struct ArgusFarHeaderStruct *ArgusThisFarHdrs[]; extern struct naddrmem *naddrtable [HASHNAMESIZE]; extern struct ArgusListStruct *ArgusWfileList; extern char *exceptfile, *wfile; extern struct ARGUS_INPUT *ArgusInput; extern struct ARGUS_INPUT *ArgusInputFileList; extern struct ARGUS_INPUT *ArgusRemoteHostList; extern struct ArgusModeStruct *ArgusModeList; extern char *tag_string; extern int major_version; extern int minor_version; extern int read_size; extern int read_mode; extern struct ArgusRecord *initCon; extern unsigned int ArgusLocalNet, ArgusNetMask; extern struct ArgusRecord *ArgusOriginal; extern int totalrecords; extern int farrecords; extern int marrecords; extern int explicit_date; extern time_t lasttime_t; extern time_t startime_t; extern struct tm starTimeFilter; extern struct tm lastTimeFilter; extern char *progname; extern char *dataarg; extern char *timearg; extern char *servicesfile; extern char *ArgusFlowModelFile; extern struct bpf_program ArgusFilterCode; extern char *cmdline; /* For David Brumley's amazingly long cmdlines ;o) */ extern int RaWriteOut; extern long long tcp_dst_count; extern long long tcp_src_count; extern long long udp_dst_count; extern long long udp_src_count; extern long long icmp_dst_count; extern long long icmp_src_count; extern long long ip_dst_count; extern long long ip_src_count; extern long long arp_dst_count; extern long long arp_src_count; extern long long nonip_dst_count; extern long long nonip_src_count; extern long long tcp_dst_bytes; extern long long tcp_src_bytes; extern long long udp_dst_bytes; extern long long udp_src_bytes; extern long long icmp_dst_bytes; extern long long icmp_src_bytes; extern long long ip_dst_bytes; extern long long ip_src_bytes; extern long long arp_dst_bytes; extern long long arp_src_bytes; extern long long nonip_dst_bytes; extern long long nonip_src_bytes; extern int hfield; extern int pfield; extern int Aflag; extern int aflag; extern int Bflag; extern int bflag; extern int eflag; extern char *estr; extern int Dflag; extern int Eflag; extern int fflag; extern int gflag; extern int idflag; extern int Gflag; extern int cflag; extern int Cflag; extern int jflag; extern int Lflag; extern int lflag; extern int mflag; extern char *Mflag; extern int nflag; extern int Nflag; extern int Normflag; extern int Netflag; extern int notNetflag; extern int oflag; extern int Oflag; extern int Wflag; extern int Fflag; extern int Hflag; extern char *Hstr; extern int pflag; extern int Pflag; extern char *sflag; extern int dflag; extern int qflag; extern int tflag; extern int uflag; extern char *ustr; extern char *pstr; extern int Uflag; extern int vflag; extern int Vflag; extern int iflag; extern int Iflag; extern int Tflag; extern int rflag; extern int Rflag; extern int Sflag; extern int xflag; extern int Xflag; extern int XMLflag; extern int zflag; extern int Zflag; extern long thiszone; extern int total_nets; extern int total_hosts; extern struct ARGUS_INPUT *ArgusRemoteFDs[ARGUS_MAX_REMOTE_CONN]; extern int ArgusActiveServers; extern void ArgusShutDown (int); extern void argus_parse_init (struct ARGUS_INPUT *); extern char *argus_lookupdev(char *); extern void read_udp_services (char *); extern int ArgusHandleDatum (struct ArgusRecord *, struct bpf_program *); extern void ArgusReformatRecord (struct ArgusRecord *, struct ArgusRecord *); extern int ArgusReadRemoteConnection (int, struct bpf_program *); extern int ArgusReadConnection (struct ARGUS_INPUT *, char *); extern void ArgusReadStream (void); extern void ArgusProcessRecord (struct ArgusRecord *); extern void ArgusReadRemote (int, struct bpf_program *); extern int read_file (int fd, struct bpf_program *); extern void ArgusProcessRecord (struct ArgusRecord *); extern void ArgusGenerateCanonicalRecord (struct ArgusRecord *, struct ArgusCanonicalRecord *); extern int ArgusGetServerSocket (struct ARGUS_INPUT *); extern int ArgusAddFileList (char *); extern void ArgusDeleteFileList (void); extern int ArgusAddHostList (char *, int); extern int ArgusAddModeList (char *); extern void ArgusDeleteHostList (void); extern int ArgusWriteNewLogfile (char *, struct ArgusRecord *); extern int check_time (struct ArgusRecord *); extern int parseUserDataArg (char **, char **, int); extern int parseTimeArg (char **, char **, int, struct tm *); extern int check_time_format (struct tm *tm, char *str); extern int parseTime (struct tm *, struct tm *, char *); #if defined(_LITTLE_ENDIAN) extern void ArgusHtoN (struct ArgusRecord *argus); #endif #endif #if defined(RaMuxSource) || defined(RadiumSource) #if !defined(NFC_AGGREGATIONDEFINITION_H) #define NFC_AGGREGATIONDEFINITION_H /* $Id: //depot/gargoyle/argus/include/argus_parse.h#5 $ * $Source: $ *------------------------------------------------------------------ * Definition of "Key" and "Value" fields used for purpose of * aggregation * * Cisco NetFlow FlowCollector 3.0 * * September 1998, Anders Fung * * Copyright (c) 1996-1998 by Cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ * $Log: argus_parse.h,v $ * Revision 1.1 2003/04/16 20:53:57 qosient * Modified for argus to argus conversion * * Revision 1.12 2003/02/05 23:43:53 qosient * Updated for new year in the copyright * * Revision 1.11 2002/04/01 22:41:01 qosient * Updated * * Revision 1.10 2002/04/01 15:39:32 qosient * Update for handling loss of remote when connected to multiple remotes. * Increase ARGUS_MAX_REMOTE_NUM and RADIUM_MAX_REMOTE_NUM. * * Revision 1.9 2002/03/25 17:49:49 qosient * Updated for correct copyright * * Revision 1.8 2002/03/25 17:38:32 qosient * Updated for correct interface status reporting * * Revision 1.6 2002/02/02 16:01:27 qosient * Updated for next versions of DSRs * * Revision 1.5 2002/02/01 14:10:00 qosient * Updated for libpcap-0.7.1 port * * Revision 1.4 2002/01/04 22:15:08 qosient * Updated * * Revision 1.3 2001/12/17 18:12:45 qosient * Mods to move ramux to radium * * Revision 1.2 2001/10/24 20:47:53 qosient * Updated * * Revision 1.5 2001/10/22 20:20:07 qosient * Updated and fixed for Lflag having bad default value * * Revision 1.4 2001/10/18 17:15:29 qosient * Fixed for output file fd handling issues, primarily for rapop * * Revision 1.3 2001/10/15 20:07:29 qosient * Updated for ramux issues with authentication. Stopped erasing password. * * Revision 1.2 2001/09/12 05:09:30 qosient * Updated * * Revision 1.1.1.1 2001/09/08 22:01:48 qosient * Argus Clients 1.0 * * Revision 1.6 2001/09/03 04:58:51 argus * Lots of mods * * Revision 1.5 2001/07/17 12:38:45 argus * Updated * * Revision 1.4 2001/07/10 18:18:10 argus * Mods for ramon and rasort port * * Revision 1.3 2001/06/09 14:10:09 argus * Minor changes for -H option and formatting * * Revision 1.2 2001/06/07 19:50:45 argus * Updated * * Revision 1.1.1.1 2001/06/03 16:07:57 argus * Start of argus client distribution * * Revision 1.1.1.1 2001/03/24 05:14:27 argus * Imported from argus-2.0.0 * * Revision 1.39 2001/03/06 23:30:41 argus * Fix for Davids incredibly long command lines. * * Revision 1.38 2001/02/03 21:39:08 argus * Mods to support -d option * * Revision 1.37 2000/12/19 16:19:41 argus * Mods to get ramon() to the same level as ra() with regard to dynamic * labels. Also FreeBSD/NetBSD port support for racount(). * * Revision 1.36 2000/12/19 05:59:03 argus * Mods to help in getting pretty output when not using -n. * * Revision 1.35 2000/12/10 20:59:13 argus * Mods to add support for RA_AUTH_PASS (pstr) * * Revision 1.34 2000/12/07 19:00:39 argus * Mods to convert from ArgusError to ArgusLog * * Revision 1.33 2000/12/07 17:51:48 argus * Move Uflag (precision option) to -p option. * * Revision 1.32 2000/11/23 01:58:29 argus * Mods to support GSSAPI authentication * * Revision 1.31 2000/11/16 15:20:34 argus * Update for SASL * * Revision 1.30 2000/11/13 21:51:38 argus * Mods to support ragrep(). * * Revision 1.29 2000/11/13 15:05:14 argus * Fixes for raxml not printing out user data in all protocol types. * * Revision 1.28 2000/10/31 19:35:01 argus * Mods to support new timestats and user data. * * Revision 1.27 2000/10/27 13:45:42 argus * Fix support for multiple remote sources. * * Revision 1.26 2000/10/27 01:48:50 argus * Fixes for multiple source data. * * Revision 1.25 2000/10/26 15:38:09 argus * Mods for qflag defintions and some constants * * Revision 1.24 2000/10/25 22:23:30 argus * Mods to try to fix the LITTLE_ENDIAN issues for Neil. * * Revision 1.23 2000/10/16 21:55:48 argus * support for various .rc's. * * Revision 1.22 2000/10/11 12:51:37 argus * Added Zflag * * Revision 1.21 2000/10/10 14:50:51 argus * Fixes to support XML printing (print_time changes) and a bunch to support * TCP fixes. * * Revision 1.20 2000/10/05 15:04:47 argus * Addition of output labels for ra data. * * Revision 1.19 2000/10/03 23:04:29 argus * Mods for more complete cisco netflow parsing and -CS support. Needs testing. * * Revision 1.18 2000/10/01 14:27:45 argus * Put the filter in a global so we can all get to it. * * Revision 1.17 2000/09/30 15:03:13 argus * Addition of netflow record definitions. * *------------------------------------------------------------------ * $Endlog$ */ /* * AGGREGATION_DEFINITION describes the "Key" and "Value" fields seen in * the datafile. The definition comprise of keywords and delimiters. * By reading the AGGREGATION_DEFINITION, one can interpret what and in what * order are the "Key" and "Value" fields being presented in the datafile. * Datafile consumers can also deduce what aggregation scheme is used * by parsing AGGREGATION_DEFINITION.. * * The order of keywords seen in the AGGREGATION_DEFINITION represents the true * order of the "Key" and "Value" fields presented in the datafile. Each * keyword is delimited by either '|' or ','. * * As part of the new changes to the datafile header, the FORMAT field * will have a value of "B". Please note that the FORMAT may change * if there is any change to any of the existing keywords, definition format, * adding new keyword, or any other header changes. * Also, the delimiter used in the datafile will be prepended at the * beginning of each header. Since AGGREGATION_DEFINITION becomes the 2nd * line of the header, the 1st line of the header will append a * new field, namely "Header", which describes the total number of * lines in the header. * * The AGGREGATION_DEFINITION keywords have the following assignemnts ... * * keyword Description * ------- ----------------------- * srcaddr Source IP Address * dstaddr Destination IP Address * src_subnet Source SubNet * dst_subnet Destination SubNet * src_mask Source SubNet Mask * dst_mask Destination SubNet Mask * src_user_subnet Source User SubNet * dst_user_subnet Destination User SubNet * src_as Source AS * dst_as Destination AS * srcport Source Port * dstport Destination Port * prot Prot field * protocol Protocol (srcport, dstport, and prot lookup) * input Input Interface * output Output Interface * tos Type of Service * nexthop Next Hop IP Address * * pkts Packets * octets Octets * flows Flow Count * starttime First Flow Stamp (UTC sec) * endtime Last Flow Stamp (UTC sec) * activetime Total Active Time (msec) */ /* Key Fields */ #define SRC_ADDR "srcaddr" #define DST_ADDR "dstaddr" #define SRC_SUBNET "src_subnet" #define DST_SUBNET "dst_subnet" #define SRC_SUBNET_MASK "src_mask" #define DST_SUBNET_MASK "dst_mask" #define SRC_USER_SUBNET "src_user_subnet" #define DST_USER_SUBNET "dst_user_subnet" #define SRC_AS "src_as" #define DST_AS "dst_as" #define SRC_PORT "srcport" #define DST_PORT "dstport" #define PROT "prot" #define PROTOCOL_KEY "protocol" #define IN_INTF "input" #define OUT_INTF "output" #define TOS_BIT "tos" #define NEXT_HOP "nexthop" /* Value Fields */ #define PACKET "pkts" #define OCTET "octets" #define FLOW_CNT "flows" #define F_FLOW_STAMP "starttime" #define L_FLOW_STAMP "endtime" #define TOT_ACTIVE_TIME "activetime" /* Delimiter */ /* Could be either "|" or "," */ #define DEL "%c" /* Aggregation Mask */ const char * const SourceNodeDef = SRC_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DestNodeDef = DST_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const HostMatrixDef = SRC_ADDR DEL DST_ADDR DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const SourcePortDef = SRC_PORT DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DestPortDef = DST_PORT DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const ProtocolDef = PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailSourceNodeDef = SRC_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailDestNodeDef = DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailHostMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP; const char * const DetailInterfaceDef = SRC_ADDR DEL DST_ADDR DEL IN_INTF DEL OUT_INTF DEL NEXT_HOP DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const CallRecordDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL PROT DEL TOS_BIT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const ASMatrixDef = SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailASMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_AS DEL DST_AS DEL IN_INTF DEL OUT_INTF DEL SRC_PORT DEL DST_PORT DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const NetMatrixDef = SRC_SUBNET DEL SRC_SUBNET_MASK DEL IN_INTF DEL DST_SUBNET DEL DST_SUBNET_MASK DEL OUT_INTF DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const ASHostMatrixDef = SRC_ADDR DEL DST_ADDR DEL SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const HostMatrixInterfaceDef = SRC_ADDR DEL DST_ADDR DEL IN_INTF DEL OUT_INTF DEL PROTOCOL_KEY DEL PACKET DEL OCTET DEL FLOW_CNT; const char * const DetailCallRecordDef = SRC_ADDR DEL DST_ADDR DEL SRC_PORT DEL DST_PORT DEL IN_INTF DEL OUT_INTF DEL PROTOCOL_KEY DEL TOS_BIT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterASDef = SRC_AS DEL DST_AS DEL IN_INTF DEL OUT_INTF DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterProtoPortDef = SRC_PORT DEL DST_PORT DEL PROT DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterSrcPrefixDef = SRC_SUBNET DEL SRC_SUBNET_MASK DEL IN_INTF DEL SRC_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterDstPrefixDef = DST_SUBNET DEL DST_SUBNET_MASK DEL OUT_INTF DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; const char * const RouterPrefixDef = SRC_SUBNET DEL DST_SUBNET DEL SRC_SUBNET_MASK DEL DST_SUBNET_MASK DEL IN_INTF DEL OUT_INTF DEL SRC_AS DEL DST_AS DEL PACKET DEL OCTET DEL FLOW_CNT DEL F_FLOW_STAMP DEL L_FLOW_STAMP DEL TOT_ACTIVE_TIME; #endif #if !defined(NFC_DATAFILE_H) #define NFC_DATAFILE_H /* *------------------------------------------------------------------ * $Id: //depot/gargoyle/argus/include/argus_parse.h#5 $ * $Source: $ *------------------------------------------------------------------ * Definition of datafile formats. * * Binary datafile : Each binary datafiles contains a header and * a list of records. * * The header contains format, aggregation, * agg_version, source, period, starttime, endtime, * activetime, flows, missed, and records. * * Each record structure contains a set of "Keys" * and a "Values" that is specific to the * aggregation scheme being used. * * Cisco NetFlow FlowCollector 3.0 * * October 1998, Anders Fung * * Copyright (c) 1998 by Cisco Systems, Inc. * All rights reserved. *------------------------------------------------------------------ * $Log: argus_parse.h,v $ * Revision 1.1 2003/04/16 20:53:57 qosient * Modified for argus to argus conversion * * Revision 1.12 2003/02/05 23:43:53 qosient * Updated for new year in the copyright * * Revision 1.11 2002/04/01 22:41:01 qosient * Updated * * Revision 1.10 2002/04/01 15:39:32 qosient * Update for handling loss of remote when connected to multiple remotes. * Increase ARGUS_MAX_REMOTE_NUM and RADIUM_MAX_REMOTE_NUM. * * Revision 1.9 2002/03/25 17:49:49 qosient * Updated for correct copyright * * Revision 1.8 2002/03/25 17:38:32 qosient * Updated for correct interface status reporting * * Revision 1.6 2002/02/02 16:01:27 qosient * Updated for next versions of DSRs * * Revision 1.5 2002/02/01 14:10:00 qosient * Updated for libpcap-0.7.1 port * * Revision 1.4 2002/01/04 22:15:08 qosient * Updated * * Revision 1.3 2001/12/17 18:12:45 qosient * Mods to move ramux to radium * * Revision 1.2 2001/10/24 20:47:53 qosient * Updated * * Revision 1.5 2001/10/22 20:20:07 qosient * Updated and fixed for Lflag having bad default value * * Revision 1.4 2001/10/18 17:15:29 qosient * Fixed for output file fd handling issues, primarily for rapop * * Revision 1.3 2001/10/15 20:07:29 qosient * Updated for ramux issues with authentication. Stopped erasing password. * * Revision 1.2 2001/09/12 05:09:30 qosient * Updated * * Revision 1.1.1.1 2001/09/08 22:01:48 qosient * Argus Clients 1.0 * * Revision 1.6 2001/09/03 04:58:51 argus * Lots of mods * * Revision 1.5 2001/07/17 12:38:45 argus * Updated * * Revision 1.4 2001/07/10 18:18:10 argus * Mods for ramon and rasort port * * Revision 1.3 2001/06/09 14:10:09 argus * Minor changes for -H option and formatting * * Revision 1.2 2001/06/07 19:50:45 argus * Updated * * Revision 1.1.1.1 2001/06/03 16:07:57 argus * Start of argus client distribution * * Revision 1.1.1.1 2001/03/24 05:14:27 argus * Imported from argus-2.0.0 * * Revision 1.39 2001/03/06 23:30:41 argus * Fix for Davids incredibly long command lines. * * Revision 1.38 2001/02/03 21:39:08 argus * Mods to support -d option * * Revision 1.37 2000/12/19 16:19:41 argus * Mods to get ramon() to the same level as ra() with regard to dynamic * labels. Also FreeBSD/NetBSD port support for racount(). * * Revision 1.36 2000/12/19 05:59:03 argus * Mods to help in getting pretty output when not using -n. * * Revision 1.35 2000/12/10 20:59:13 argus * Mods to add support for RA_AUTH_PASS (pstr) * * Revision 1.34 2000/12/07 19:00:39 argus * Mods to convert from ArgusError to ArgusLog * * Revision 1.33 2000/12/07 17:51:48 argus * Move Uflag (precision option) to -p option. * * Revision 1.32 2000/11/23 01:58:29 argus * Mods to support GSSAPI authentication * * Revision 1.31 2000/11/16 15:20:34 argus * Update for SASL * * Revision 1.30 2000/11/13 21:51:38 argus * Mods to support ragrep(). * * Revision 1.29 2000/11/13 15:05:14 argus * Fixes for raxml not printing out user data in all protocol types. * * Revision 1.28 2000/10/31 19:35:01 argus * Mods to support new timestats and user data. * * Revision 1.27 2000/10/27 13:45:42 argus * Fix support for multiple remote sources. * * Revision 1.26 2000/10/27 01:48:50 argus * Fixes for multiple source data. * * Revision 1.25 2000/10/26 15:38:09 argus * Mods for qflag defintions and some constants * * Revision 1.24 2000/10/25 22:23:30 argus * Mods to try to fix the LITTLE_ENDIAN issues for Neil. * * Revision 1.23 2000/10/16 21:55:48 argus * support for various .rc's. * * Revision 1.22 2000/10/11 12:51:37 argus * Added Zflag * * Revision 1.21 2000/10/10 14:50:51 argus * Fixes to support XML printing (print_time changes) and a bunch to support * TCP fixes. * * Revision 1.20 2000/10/05 15:04:47 argus * Addition of output labels for ra data. * * Revision 1.19 2000/10/03 23:04:29 argus * Mods for more complete cisco netflow parsing and -CS support. Needs testing. * * Revision 1.18 2000/10/01 14:27:45 argus * Put the filter in a global so we can all get to it. * * Revision 1.17 2000/09/30 15:03:13 argus * Addition of netflow record definitions. * *------------------------------------------------------------------ * $Endlog$ */ #define LABEL_LEN 16 #define IP_LEN 15 #define ASCII_HEADER_LEN 511 #define BIN_FILE_SUFFIX ".bin" #if !defined(__NFC__) enum Aggregation { noAgg, /* reserved */ RawFlows, /* Not supported in binary files */ SourceNode, DestNode, HostMatrix, SourcePort, DestPort, Protocol, DetailDestNode, DetailHostMatrix, DetailInterface, CallRecord, ASMatrix, NetMatrix, DetailSourceNode, DetailASMatrix, ASHostMatrix, HostMatrixInterface, DetailCallRecord, RouterAS, RouterProtoPort, RouterSrcPrefix, RouterDstPrefix, RouterPrefix }; #endif typedef struct { u_short format; /* Header format, it is 2 in this round */ char newline; /* Newline character, '\n' */ char ascii_header[ASCII_HEADER_LEN]; /* Header in ASCII */ u_char aggregation; /* Aggregation scheme used */ u_char agg_version; /* Version of the aggregation scheme used */ char source[IP_LEN]; /* Source IP/Name */ u_char period; /* Aggregation period, 0 means PARTIAL */ u_long starttime; /* Beginning of aggregation period */ u_long endtime; /* End of aggregation period */ u_long flows; /* Number of flows aggregated */ int missed; /* Number of flows missed, -1 means not avail*/ u_long records; /* Number of records in this datafile */ } BinaryHeaderF2; #define HEADER_FORMAT_2 2 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_SourceNode_V1; #define SOURCENODE_V1 1 typedef struct { /* Keys */ u_long dstaddr; /* Destination IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DestNode_V1; #define DESTNODE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_HostMatrix_V1; #define HOSTMATRIX_V1 1 typedef struct { /* Keys */ char srcport[LABEL_LEN]; /* Source Port Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_SourcePort_V1; #define SOURCEPORT_V1 1 typedef struct { /* Keys */ char dstport[LABEL_LEN]; /* Destination Port Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DestPort_V1; #define DESTPORT_V1 1 typedef struct { /* Keys */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_Protocol_V1; #define PROTOCOL_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailSourceNode_V1; #define DETAIL_SOURCENODE_V1 1 typedef struct { /* Keys */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailDestNode_V1; #define DETAIL_DESTNODE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ } BinaryRecord_DetailHostMatrix_V1; #define DETAIL_HOSTMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ u_long nexthop; /* Next Hop IP */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailInterface_V1; #define DETAIL_INTERFACE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short srcport; /* Source Port Number */ u_short dstport; /* Destination Port Number */ u_char prot; /* Protocol Number */ u_char tos; /* Type of Service */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_CallRecord_V1; #define CALLRECORD_V1 1 typedef struct { /* Keys */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_ASMatrix_V1; #define ASMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_DetailASMatrix_V1; #define DETAIL_ASMATRIX_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short input; /* Input Interface Number */ u_long dst_subnet; /* Destination SubNet */ u_short dst_mask; /* Destination SubNet Mask */ u_short output; /* Output Interface Number */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_NetMatrix_V1; #define NETMATRIX_V1 1 typedef struct { /* Keys */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterAS_V1; #define ROUTERAS_V1 1 typedef struct { /* Keys */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ u_char prot; /* Protocol Number */ u_char pad; /* Data alignment */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterProtoPort_V1; #define ROUTERPROTOPORT_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short input; /* Input Interface Number */ char src_as[LABEL_LEN]; /* Source AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterSrcPrefix_V1; #define ROUTERSRCPREFIX_V1 1 typedef struct { /* Keys */ u_long dst_subnet; /* Destination SubNet */ u_short dst_mask; /* Destination SubNet Mask */ u_short output; /* Output Interface Number */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterDstPrefix_V1; #define ROUTERDSTPREFIX_V1 1 typedef struct { /* Keys */ u_long src_subnet; /* Source SubNet */ u_long dst_subnet; /* Destination SubNet */ u_short src_mask; /* Source SubNet Mask */ u_short dst_mask; /* Destination SubNet Mask */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_RouterPrefix_V1; #define ROUTERPREFIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char src_as[LABEL_LEN]; /* Source AS */ char dst_as[LABEL_LEN]; /* Destination AS */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_ASHostMatrix_V1; #define ASHOSTMATRIX_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char protocol[LABEL_LEN];/* Protocol Key */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ } BinaryRecord_HostMatrixInterface_V1; #define HOSTMATRIXINTERFACE_V1 1 typedef struct { /* Keys */ u_long srcaddr; /* Source IP */ u_long dstaddr; /* Destination IP */ char srcport[LABEL_LEN]; /* Source Port Key */ char dstport[LABEL_LEN]; /* Destination Port Key */ u_short input; /* Input Interface Number */ u_short output; /* Output Interface Number */ char protocol[LABEL_LEN];/* Protocol Key */ u_char tos; /* Type of Service */ u_char pad; /* Data alignment */ u_short reserved; /* Data alignment */ /* Values */ u_long pkts; /* Packet count */ u_long octets; /* Byte count */ u_long flows; /* Flow count */ u_long starttime; /* Start time */ u_long endtime; /* End time */ u_long activetime; /* Total Active Time */ } BinaryRecord_DetailCallRecord_V1; #define DETAILCALLRECORD_V1 1 typedef struct { BinaryHeaderF2 header; union { BinaryRecord_SourceNode_V1 * srcnode; BinaryRecord_DestNode_V1 * dstnode; BinaryRecord_HostMatrix_V1 * hostmatrix; BinaryRecord_SourcePort_V1 * srcport; BinaryRecord_DestPort_V1 * dstport; BinaryRecord_Protocol_V1 * protocol; BinaryRecord_DetailSourceNode_V1 * detailsrcnode; BinaryRecord_DetailDestNode_V1 * detaildstnode; BinaryRecord_DetailHostMatrix_V1 * detailhostmatix; BinaryRecord_DetailInterface_V1 * detailinterface; BinaryRecord_CallRecord_V1 * callrecord; BinaryRecord_ASMatrix_V1 * asmatrix; BinaryRecord_DetailASMatrix_V1 * detailasmatrix; BinaryRecord_NetMatrix_V1 * netmatrix; BinaryRecord_ASHostMatrix_V1 * ashostmatrix; BinaryRecord_HostMatrixInterface_V1 * hostmatrixinterface; BinaryRecord_DetailCallRecord_V1 * detailcallrecord; BinaryRecord_RouterAS_V1 * routeras; BinaryRecord_RouterProtoPort_V1 * routerprotoport; BinaryRecord_RouterSrcPrefix_V1 * routersrcprefix; BinaryRecord_RouterDstPrefix_V1 * routerdstprefix; BinaryRecord_RouterPrefix_V1 * routerprefix; } record; } BinaryDatafile; #define MAX_BINARY_HEADER_F2 \ (sizeof(BinaryHeaderF2)) #define MAX_BINARY_RECORD_SOURCE_NODE_SIZE \ (sizeof(BinaryRecord_SourceNode_V1)) #define MAX_BINARY_RECORD_DESTINATION_NODE_SIZE \ (sizeof(BinaryRecord_DestNode_V1)) #define MAX_BINARY_RECORD_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_HostMatrix_V1)) #define MAX_BINARY_RECORD_SOURCE_PORT_SIZE \ (sizeof(BinaryRecord_SourcePort_V1)) #define MAX_BINARY_RECORD_DESTINATION_PORT_SIZE \ (sizeof(BinaryRecord_DestPort_V1)) #define MAX_BINARY_RECORD_PROTOCOL_SIZE \ (sizeof(BinaryRecord_Protocol_V1)) #define MAX_BINARY_RECORD_DETAIL_SOURCE_NODE_SIZE \ (sizeof(BinaryRecord_DetailSourceNode_V1)) #define MAX_BINARY_RECORD_DETAIL_DESTINATION_NODE_SIZE \ (sizeof(BinaryRecord_DetailDestNode_V1)) #define MAX_BINARY_RECORD_DETAIL_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_DetailHostMatrix_V1)) #define MAX_BINARY_RECORD_DETAIL_INTERFACE_SIZE \ (sizeof(BinaryRecord_DetailInterface_V1)) #define MAX_BINARY_RECORD_CALL_RECORD_SIZE \ (sizeof(BinaryRecord_CallRecord_V1)) #define MAX_BINARY_RECORD_AS_MATRIX_SIZE \ (sizeof(BinaryRecord_ASMatrix_V1)) #define MAX_BINARY_RECORD_DETAIL_AS_MATRIX_SIZE \ (sizeof(BinaryRecord_DetailASMatrix_V1)) #define MAX_BINARY_RECORD_NET_MATRIX_SIZE \ (sizeof(BinaryRecord_NetMatrix_V1)) #define MAX_BINARY_RECORD_AS_HOST_MATRIX_SIZE \ (sizeof(BinaryRecord_ASHostMatrix_V1)) #define MAX_BINARY_RECORD_HOST_MATRIX_INTERFACE_SIZE \ (sizeof(BinaryRecord_HostMatrixInterface_V1)) #define MAX_BINARY_RECORD_DETAIL_CALL_RECORD_SIZE \ (sizeof(BinaryRecord_DetailCallRecord_V1)) #define MAX_BINARY_RECORD_ROUTER_AS_SIZE \ (sizeof(BinaryRecord_RouterAS_V1)) #define MAX_BINARY_RECORD_ROUTER_PROTO_PORT_SIZE \ (sizeof(BinaryRecord_RouterProtoPort_V1)) #define MAX_BINARY_RECORD_ROUTER_SRC_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterSrcPrefix_V1)) #define MAX_BINARY_RECORD_ROUTER_DST_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterDstPrefix_V1)) #define MAX_BINARY_RECORD_ROUTER_PREFIX_SIZE \ (sizeof(BinaryRecord_RouterPrefix_V1)) #endif /* __NFC_DATAFILE_H__ */ #endif /* RaMuxSource || RadiumSource */ #endif /* ArgusParse_h */ argus-5.0.2/include/argus_parser.h000066400000000000000000000112271471541253600171430ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Parser structs * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_parser.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #if !defined(Argus_parser_h) #define Argus_parser_h #include #if defined(ARGUS_THREADS) #include #endif #ifdef ARGUS_SASL #include #endif #include #include #include #define ARGUS_PRINTSRC 0x0001 #define ARGUS_PRINTDST 0x0002 #define ARGUS_ACTTIME 0x0004 #define ARGUS_IDLETIME 0x0008 #define ARGUS_DIST 0x0010 #define ARGUS_PRINTGMT 0x0020 #define ARGUS_PRINTNET 0x0022 #define ARGUS_ENCODE_ASCII 0 #define ARGUS_ENCODE_64 1 #define ARGUS_ENCODE_32 2 #define ARGUS_MAX_S_OPTIONS 34 #define HASHNAMESIZE 256 #define ARGUS_FORCE_LOCAL_SRC 0x02 #define ARGUS_FORCE_LOCAL_DST 0x04 #define ARGUS_SUGGEST_LOCAL_SRC 0x08 #define ARGUS_SUGGEST_LOCAL_DST 0x10 #define ARGUS_PORT_SERVICES 0x100 #define ARGUS_PORT_WELLKNOWN 0x200 #define ARGUS_PORT_REGISTERED 0x400 #define ARGUS_ADDR_DIR_MASK (ARGUS_SUGGEST_LOCAL_SRC | ARGUS_SUGGEST_LOCAL_DST | ARGUS_FORCE_LOCAL_SRC | ARGUS_FORCE_LOCAL_DST) #define ARGUS_PORT_DIR_MASK (ARGUS_PORT_SERVICES | ARGUS_PORT_WELLKNOWN | ARGUS_PORT_REGISTERED) #include struct h6namemem { struct in6_addr addr; char *name; struct h6namemem *nxt; }; struct hnamemem { u_int addr; char *name; struct hnamemem *nxt; }; struct enamemem { u_short e_addr0; u_short e_addr1; u_short e_addr2; char *e_name; u_char *e_nsap; /* used only for nsaptable[] */ struct enamemem *e_nxt; }; struct protoidmem { u_int p_oui; u_short p_proto; char *p_name; struct protoidmem *p_nxt; }; struct ArgusCIDRAddr { u_char type, len, masklen, opmask; u_int addr[4], mask[4]; }; struct ArgusParserStruct { int status; char fflag, nflag, tflag, uflag, Wflag; char Iflag, Tflag, rflag, Rflag, Sflag, xflag; char Xflag, XMLflag, zflag, Zflag, pflag; int RaCumulativeMerge, RaFlowMajorModified; int RaAllocHashTableHealers, RaAllocArgusRecord; int RaThisActiveIndex, RaThisFlowNum; int RaThisModelNum, RaParseError; int ArgusSessionId, NonBlockingDNS, ArgusDSCodePoints; int ArgusDirectionFunction; char *RaFlowModelFile, *ArgusFlowModelFile, *ArgusRemoteFilter; struct RaFlowModelStruct *RaFlowModel; struct ArgusCIDRAddr ArgusCIDRBuffer, *ArgusCIDRPtr; struct ArgusModeStruct *ArgusModeList; struct ArgusInput *ArgusCurrentInput; int ArgusFilterFiledes[2]; int ArgusControlFiledes[2]; int ArgusSrvInit; unsigned int f_localnet, f_netmask; struct protoidmem protoidtable[HASHNAMESIZE]; struct enamemem enametable[HASHNAMESIZE]; struct enamemem nsaptable[HASHNAMESIZE]; #define ARGUS_MAXEPROTODB 0x10000 struct ArgusEtherTypeStruct *argus_eproto_db[ARGUS_MAXEPROTODB]; struct h6namemem h6nametable[HASHNAMESIZE]; struct hnamemem hnametable[HASHNAMESIZE]; struct hnamemem tporttable[HASHNAMESIZE]; struct hnamemem uporttable[HASHNAMESIZE]; struct hnamemem eprototable[HASHNAMESIZE]; struct hnamemem nnametable[HASHNAMESIZE]; struct hnamemem llcsaptable[HASHNAMESIZE]; }; #define ARGUSMONITOR_EQUAL 0x01 #define ARGUSMONITOR_NOTEQUAL 0x02 struct ArgusCIDRAddr *RaParseCIDRAddr (struct ArgusParserStruct *, char *); #if defined(Argus_Parser) struct ArgusParserStruct *ArgusNewParser(char *); void ArgusCloseParser(struct ArgusParserStruct *); struct ArgusParserStruct *ArgusParser; #else extern struct ArgusParserStruct *ArgusNewParser(char *); extern void ArgusCloseParser(struct ArgusParserStruct *); extern struct ArgusParserStruct *ArgusParser; #endif #endif argus-5.0.2/include/argus_udt.h000066400000000000000000000064561471541253600164530ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. UDT processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_udt.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef ArgusUdt_h #define ArgusUdt_h #define UDT_SEQNUMBER_MASK 0xEFFFFFFF #define UDT_MSGNUMBER_MASK 0x1FFFFFFF #define UDT_PACKET_MASK 0x8000 #define UDT_CONTROL_PACKET 0x8000 #define UDT_DATA_PACKET 0x0000 #define UDTOECONTROLPAD 48 #define UDT_CONTROL_TYPE_MASK 0x7FFF #define UDT_CONTROL_HANDSHAKE 0x0000 #define UDT_CONTROL_KEEPALIVE 0x0001 #define UDT_CONTROL_ACK 0x0002 #define UDT_CONTROL_NAK 0x0003 #define UDT_CONTROL_CONGEST 0x0004 #define UDT_CONTROL_SHUTDOWN 0x0005 #define UDT_CONTROL_ACKACK 0x0006 #define UDT_CONTROL_DROPREQ 0x0007 #define UDTOE_PACKET_MASK 0x80 #define UDTOE_CONTROL_PACKET 0x80 #define UDTOE_DATA_PACKET 0x00 #define UDTOE_CONTROL_TYPE_MASK 0x7F #define UDTOE_CONTROL_HANDSHAKE 0x00 #define UDTOE_CONTROL_KEEPALIVE 0x01 #define UDTOE_CONTROL_ACK 0x02 #define UDTOE_CONTROL_NAK 0x03 #define UDTOE_CONTROL_CONGEST 0x04 #define UDTOE_CONTROL_SHUTDOWN 0x05 #define UDTOE_CONTROL_ACKACK 0x06 #define UDTOE_CONTROL_DROPREQ 0x07 struct udtoe_control_hdr { unsigned char type, resv; unsigned short ackseq; unsigned int info; unsigned int tstamp; unsigned int sockid; }; struct udt_control_hdr { unsigned short type, resv; unsigned int info; unsigned int tstamp; unsigned int sockid; }; struct udt_control_handshake { unsigned int version; unsigned int socktype; unsigned int initseq; unsigned int psize; unsigned int wsize; unsigned int conntype; unsigned int sockid; }; struct udt_control_ack { unsigned int ackseqnum; unsigned int rtt; unsigned int var; unsigned int bsize; unsigned int rate; unsigned int lcap; }; struct udt_control_nak { unsigned int seqnum; }; struct udt_control_dropreq { unsigned int firstseqnum; unsigned int lastseqnum; }; struct udt_data_hdr { unsigned int seqnum; unsigned int msgnum; unsigned int tstamp; unsigned int sockid; }; struct udtoe_header { union { struct udtoe_control_hdr cntl; struct udt_data_hdr data; } un_udt; }; struct udt_header { union { struct udt_control_hdr cntl; struct udt_data_hdr data; } un_udt; }; #define udt_control un_udt.cntl #define udt_data un_udt.data #endif /* ArgusUdt_h */ argus-5.0.2/include/argus_util.h000066400000000000000000000126011471541253600166210ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Utilities * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ /* * $Id: //depot/gargoyle/argus/include/argus_util.h#6 $ * $DateTime: 2015/04/21 19:24:29 $ * $Change: 3018 $ */ #if !defined(Argus_util_h) #define Argus_util_h #include #if defined(__OpenBSD__) || defined(HAVE_SOLARIS) #include #endif #include #include #include #include #include typedef void (*proc)(void); typedef char *(*strproc)(void); struct ArgusQueueHeader { struct ArgusQueueHeader *prv, *nxt; struct ArgusQueueStruct *queue; struct timeval lasttime, qtime; unsigned int status; }; struct ArgusQueueStruct { struct ArgusQueueHeader qhdr; int count, turns, timeout, status, reclaim; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif struct ArgusQueueHeader *start, *end; struct ArgusFlowStruct **array; }; struct ArgusMemoryHeader { struct ArgusMemoryHeader *nxt, *prv; #if defined(__GNUC__) void *frame[3]; #endif unsigned int tag; unsigned short len; unsigned short offset; }; struct ArgusMemoryList { struct ArgusMemoryHeader *start, *end; #if defined(ARGUS_THREADS) pthread_mutex_t lock; #endif int total, count, size; int out, in, freed; }; #if defined(ARGUS_SASL) #include #endif #include #define ARGUS_DATA_SOURCE 0x01 #define ARGUS_CISCO_DATA_SOURCE 0x10 #define ARGUS_SFLOW_DATA_SOURCE 0x20 #define ARGUS_DOMAIN_SOURCE 0x100 #define TSEQ_HASHSIZE 9029 #define ipaddr_string(p) ArgusGetName(ArgusParser, (u_char *)(p)) #if defined(argus_util) #define IPPROTOSTR 134 char *ip_proto_string [IPPROTOSTR] = {"ip", "icmp", "igmp", "ggp", "ipnip", "st", "tcp", "ucl", "egp", "igp", "bbn-rcc-mon", "nvp-ii", "pup", "argus", "emcon", "xnet", "chaos", "udp", "mux", "dcn-meas", "hmp", "prm", "xns-idp", "trunk-1", "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp", "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++", "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre", "mhrp", "bna", "esp", "ah", "i-nlsp", "swipe", "narp", "mobile", "tlsp", "skip", "ipv6-icmp", "ipv6-no", "ipv6-opts", "any", "cftp", "any", "sat-expak", "kryptolan", "rvd", "ippc", "any", "sat-mon", "visa", "ipcv", "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nsfnet-igp", "dgp", "tcf", "igrp", "ospfigp", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp", "aes-sp3-d", "etherip", "encap", "pri-enc", "gmtp", "ifmp", "pnni", "pim", "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-n-ip", "vrrp", "pgm", "zero", "l2tp", "ddx", "iatp", "stp", "srp", "uti", "smp", "ptp", "isis", "fire", "crtp", "crudp", "sccopmce", "iplt", "sps", "pipe", "sctp", "fc", }; #if defined(__OpenBSD__) #include #include #endif #include #undef ICMP_MAXTYPE #define ICMP_MAXTYPE 41 char *icmptypestr[ICMP_MAXTYPE + 1] = { "ECR", " ", " ", "UR" , "SRC", "RED", "AHA", " ", "ECO", "RTA", "RTS", "TXD", "PAR", "TST", "TSR", "IRQ", "IRR", "MAS", "MSR", "SEC", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "ROB", "TRC", "DCE", "MHR", "WAY", "IAH", "MRQ", "MRP", "DNQ", "DNP", "SKP", "PHO", }; int ArgusSrcUserDataLen = 0; int ArgusDstUserDataLen = 0; void ArgusAdjustGlobalTime (struct timeval *, struct timeval *); extern unsigned int thisnet, localaddr, localnet, netmask; extern char *RaTimeFormat; extern char RaFieldDelimiter; void *ArgusMalloc (int); void *ArgusCalloc (int, int); void *ArgusMallocAligned(int, size_t); void ArgusFree (void *); void ArgusFreeListRecord (void *buf); void ArgusInitMallocList (int length); void ArgusDeleteMallocList (void); void *ArgusMallocListRecord (int length); void ArgusLog (int, char *, ...); void setArgusLogDisplayPriority(int); void ArgusInitServarray(struct ArgusParserStruct *); #else extern void ArgusAdjustGlobalTime (struct timeval *); extern void *ArgusMalloc (int); extern void *ArgusCalloc (int, int); void *ArgusMallocAligned(int, size_t); extern void ArgusFree (void *); extern void ArgusFreeListRecord (void *buf); extern void ArgusInitMallocList (int length); extern void ArgusDeleteMallocList (void); extern void *ArgusMallocListRecord (int length); extern void ArgusLog (int, char *, ...); extern void setArgusLogDisplayPriority (int); #endif #endif /* Argus_util_h */ argus-5.0.2/include/argus_v3_def.h000066400000000000000000001247001471541253600170160ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. Version 3 definitions * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/gargoyle/argus/include/argus_v3_def.h#5 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* Argus_def.h */ */ #if !defined(Argus_def_h) #define Argus_def_h /* Argus Record Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | | Argus Record Header | | | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data | | . | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /* Argus Record Header Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Cause | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | Option | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Start Time | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Record Last Time | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Argus Record Type */ #define ARGUS_V3_FAR 0x01 /* Normal Argus Data Record */ #define ARGUS_V3_MAR 0x80 /* Normal Argus Management Record */ /* Argus Derivative Types */ #define ARGUS_V1_WRITESTRUCT 0x10 /* Argus 1.x Write Struct Conversion */ #define ARGUS_V2_RECORD 0x20 /* Argus 2.x Argus Record Conversion */ #define ARGUS_V3_CISCO_NETFLOW 0x30 /* Argus CISCO Netflow Support */ /* Argus Record Header Type Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cause | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Cause Record Field Note that one tick mark represents one bit position. */ /* Argus Record Cause */ #define ARGUS_V3_START 0x01 /* Initial Record */ #define ARGUS_V3_STATUS 0x02 /* Qualifier Record*/ #define ARGUS_V3_STOP 0x11 /* Closed/Terminating Record */ #define ARGUS_V3_TIMEOUT 0x12 /* Record Timed Out */ #define ARGUS_V3_SHUTDOWN 0x13 /* Administrative Shutdown */ #define ARGUS_V3_ERROR 0x14 /* Error - Major Problem */ /* Argus Record Header Length Field Number of 32-bit longwords, including the header. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Length Record Field Note that one tick mark represents one bit position. */ /* Argus Record Header Version Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Version | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Version Record Field Note that one tick mark represents one bit position. */ /* Record Version (Ver) */ #define ARGUS_VERSION_1 0x01 /* Version 1 */ #define ARGUS_VERSION_2 0x02 /* Version 2 */ #define ARGUS_VERSION_3 0x03 /* Version 3 */ #define ARGUS_VERSION ARGUS_VERSION_3 /* Version 3 */ /* Argus Record Header Option Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Option | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Option Record Field Note that one tick mark represents one bit position. */ /* Record Options (Opt)*/ #define ARGUS_V3_SASL_NEGOTIATION 0x80 /* Argus Record Header Qualifier Field 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Qualifier Record Note that one tick mark represents one bit position. */ /* Argus Record Qualifier */ #define ARGUSV3__CONNECTED 0x0001 #define ARGUS_V3_COROLATED 0x0002 #define ARGUS_V3_ANON 0x0010 #define ARGUS_V3_MERGED 0x0020 #define ARGUS_V3_RMON 0x0040 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Seconds | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fractional Seconds (usec) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Start/Last Time Record Field Note that one tick mark represents one bit position. */ /* Argus Data Argus Data is a collection of Argus Data Specific Records (DSRs) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Data Specific Records | | . | | . | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Data Specific Record (DSR) Formats All Argus DSRs are 32-bit aligned. In order to be size conservative, there are two DSR types, one being a Type Value (TV) record with an explicit length of 4 bytes, and a Type Length Value (TLV) record, that provides support for variable length records. The fixed length record does not support a length field. These DSR types are distinquished from the most significant bit in the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| Type | SubType | Argus DSR Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| Type | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus DSR Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Data Specific Record (DSR) Field Note that one tick mark represents one bit position. */ /* Argus Record Data Type Field The DSR Type Field specifies the format of the DSR. The most significant bit indicates if the DSR is a TV or TLV type. The other bits specify highest level semantics for the DSR. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Data Specific Record (DSR) Types */ #define ARGUS_SOURCE_DSR 0x01 #define ARGUS_FLOW_DSR 0x02 #define ARGUS_PROTO_DSR 0x03 #define ARGUS_PROTO_IP_DSR 0x04 #define ARGUS_METER_DSR 0x10 #define ARGUS_DSR_AGR 0x22 #define ARGUS_DSR_TIME 0x23 #define ARGUS_DSR_SRCUSERDATA 0x24 #define ARGUS_DSR_DSTUSERDATA 0x25 #define ARGUS_DSR_SRCTIME 0x26 #define ARGUS_DSR_DSTTIME 0x27 #define ARGUS_DSR_COROLATE 0x28 /* Argus Record Data Length Field Number of 32-bit longwords, including the header. Data records that have a 0 as the most significant bit support variable length records, and as a result have a length field. Records with a 1 as the most significant bit are fixed length 4 byte records, and thus do not require a length field. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The Length field can equal 1. */ /* Argus Record Data SubType Field Data Records that have a 0 as the most significant bit support variable length records. The Length field displaces the SubType field in these headers by 8 bits. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |1| | SubType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Record Data Qualifier Field TLV Data Records support an 8-bit Qualifier field, which is used to convey additional semantics for the DSR format and contents. In some situations, the qualifier may be used to further specify the actual DSR data format, in others it may provide addition semantics, or it can be used to provide the actual 8-bit data. How the Qualifier is parsed and used is specific to the DSR Type and SubType. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |0| | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* Argus Source DSR The #define ARGUS_SOURCE_ID_DSR 0x01 #define ARGUS_SOURCE_TRANS_DSR 0x02 #define ARGUS_ID_IS_IPV4ADDR 0x01 #define ARGUS_ID_IS_IPV6ADDR 0x02 #define ARGUS_COOKIE 0xE5617ACB /* The Argus Source Record Identifier is an optional DSR that helps to identify a specific record. Many applications require the ability to discriminate the source of a specific record, and some have further requirements for the source to provide a unique sequence number for transactional processing and to assist in reliable transport. ARGUS_SOURCE_ID_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x10 | 0x02 | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_SOURCE_TRANS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x10 | 0x04 | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Source Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transaction Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus Source Identifier Record Field Note that one tick mark represents one bit position. */ #define ARGUS_FLOW_DSR 0x01 #define ARGUS_FLOW_IPV4_DSR 0x01 #define ARGUS_FLOW_IPV6_DSR 0x02 #define ARGUS_FLOW_ARP_DSR 0x03 #define ARGUS_FLOW_RARP_DSR 0x04 #define ARGUS_FLOW_IP_FRG_DSR 0x05 /* The Argus Source Record Identifier is an optional DSR that helps to identify a specific record. Many applications require the ability to discriminate the source of a specific record, and some have further requirements for the source to provide a unique sequence number for transactional processing and to assist in reliable transport. ARGUS_FLOW_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Flow Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV4_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x03 | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Destination IPv4 Address | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IPV6_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x0B | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Priority | Flow Label | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Source IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Destination IPv6 Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_ARP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x03 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP SPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_RARP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x04 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARP TPA | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Source Ethernet Address +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Target Ethernet Address + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_FLOW_IP_FRG_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x01 | 0x05 | 0x05 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fragment Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Fragment Identifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IpId | Total Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Current Length | Maximum Frag Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_DSR 0x04 /* ARGUS_PROTO_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | ProtoType | Protocol Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | Proto Type | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Argus Protocol Specific Data | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_DLT_DSR 0x01 #define ARGUS_PROTO_SNAP_DSR 0x02 #define ARGUS_PROTO_MPLS_DSR 0x04 #define ARGUS_PROTO_802_1Q_DSR 0x03 #define ARGUS_PROTO_ISL_DSR 0x06 #define ARGUS_PROTO_PPPOE 0x07 #define ARGUS_PROTO_IP_DSR 0x10 #define ARGUS_PROTO_IP_EXT_ATTR_DSR 0x11 #define ARGUS_PROTO_IP_EXT_OPTIONS_DSR 0x12 /* ARGUS_PROTO_IP_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | 0x10 | Proto Num | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | 0x10 | Proto Num | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_DSR TCP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x03 | 0x10 | 0x06 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP State | TCP Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR UDP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x11 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ICMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x01 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ICMP Type | ICMP Code | ICMP ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR ESP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x32 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Security Payload Identifiier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_DSR IGMP Specific 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x02 | 0x02 | 0x10 | 0x02 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Type | IGMP Code | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ /* ARGUS_PROTO_IP_EXT_ATTR_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x02 | 0x11 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP ID | TTL | TOS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ARGUS_PROTO_IP_EXT_OPTIONS_DSR 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x02 | 0x12 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IP Options Indicator | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_MPLS_DSR 0x01 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | Length | 0x01 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus MPLS Label Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus MPLS Label Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_802_1Q_DSR 0x02 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x04 | 0x08 | 0x02 |1 1| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Src 802.1Q Tag | Dst 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x84 | 0x04 | 802.1Q Tag | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_PROTO_SNAP_DSR 0x01 #define ARGUS_PROTO_VLAN_802_1Q_DSR 0x02 #define ARGUS_PROTO_VLAN_ISL_DSR 0x03 #define ARGUS_PROTO_PPPOE 11 #define ARGUS_DSR_AGR 12 #define ARGUS_DSR_TIME 13 #define ARGUS_DSR_SRCUSERDATA 14 #define ARGUS_DSR_DSTUSERDATA 15 #define ARGUS_DSR_SRCTIME 16 #define ARGUS_DSR_DSTTIME 17 #define ARGUS_DSR_COROLATE 18 #define ARGUS_METER_DSR 0x20 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | SubType | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Argus Meter Specific Data | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_LOAD_DSR 0x01 #define ARGUS_METER_LOAD_BYTE_DSR 0x1 #define ARGUS_METER_LOAD_SHORT_DSR 0x2 #define ARGUS_METER_LOAD_LONG_DSR 0x3 #define ARGUS_METER_LOAD_LONGLONG_DSR 0x4 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x08 | 0x01 | D | | 0x1 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x3 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x01 | D | | 0x4 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + packets + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + bytes + | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_TCP_STATUS_DSR 0x02 #define ARGUS_METER_TCP_PERF_DSR 0x03 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x10 | 0x02 | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCPQualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Syn ACK uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP ACK DATA uSec Response Timer | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | Length | 0x03 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Sequence Base | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Acknowledged Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Total Bytes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Retransmitted Packets | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | TCP Last Reported Window | TCP Flags | Pad | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_IGMP_PERF_DSR 0x04 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x18 | 0x04 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Group | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Join Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | IGMP Leave Delay (Timeval) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_METER_ESP_PERF_DSR 0x05 /* 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0x20 | 0x0C | 0x05 | D | Qualifier | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Last Sequence | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ESP Lost Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ #define ARGUS_SRC_VLAN 0x0001 #define ARGUS_DST_VLAN 0x0002 #define ARGUS_SRC_MPLS 0x0001 #define ARGUS_DST_MPLS 0x0002 #define ARGUS_SRC_CHANGED 0x0010 #define ARGUS_DST_CHANGED 0x0020 /* Argus Error Messages go into the status field when the Record Cause is ARGUS_ERROR. */ #define ARGUS_ACCESSDENIED 0x000010 #define ARGUS_MAXLISTENEXCD 0x000020 /* Link Types */ #define ARGUS_ETHERNET 0x01000000 #define ARGUS_ATM 0x02000000 #define ARGUS_FDDI 0x03000000 #define ARGUS_TOKENRING 0x04000000 #define ARGUS_SLIP 0x05000000 #define ARGUS_PPP 0x06000000 #define ARGUS_ESP 0x07000000 #define ARGUS_RAW 0x08000000 #define ARGUS_NULL 0x09000000 #define ARGUS_SEND_FRAG_COMPLETE 0x10000000 /* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Argus FAR Qualifier Field Note that one tick mark represents one bit position. */ /* ICMP Mapped Indicator */ /* argus_far.status indicator */ #define ARGUS_ICMP_MAPPED 0x0007 #define ARGUS_ICMPUNREACH_MAPPED 0x0001 #define ARGUS_ICMPREDIREC_MAPPED 0x0002 #define ARGUS_ICMPTIMXCED_MAPPED 0x0004 #define ARGUS_FRAGMENTS 0x0008 #define ARGUS_FRAGOVERLAP 0x0010 #define ARGUS_TOS_MODIFIED 0x0020 #define ARGUS_TTL_MODIFIED 0x0040 #define ARGUS_OPTION_MODIFIED 0x0080 /* IP Option Indicators */ #define ARGUS_IPOPTIONS 0x3F00 #define ARGUS_TIMESTAMP 0x0100 #define ARGUS_SECURITY 0x0200 #define ARGUS_LSRCROUTE 0x0400 #define ARGUS_RECORDROUTE 0x0800 #define ARGUS_SSRCROUTE 0x1000 #define ARGUS_RTRALERT 0x2000 #define ARGUS_MULTIADDR 0x4000 /* Type: DSR Cause: ANY */ #define ARGUS_DSR_TYPES 19 #define ARGUS_DSR_MAC 0 #define ARGUS_DSR_TCP 1 #define ARGUS_DSR_ICMP 2 #define ARGUS_DSR_RTP 3 #define ARGUS_DSR_RTCP 4 #define ARGUS_DSR_IGMP 5 #define ARGUS_DSR_ARP 6 #define ARGUS_DSR_FRG 7 #define ARGUS_DSR_ESP 8 #define ARGUS_DSR_MPLS 9 #define ARGUS_DSR_VLAN 10 #define ARGUS_DSR_PPPOE 11 #define ARGUS_DSR_AGR 12 #define ARGUS_DSR_TIME 13 #define ARGUS_DSR_SRCUSERDATA 14 #define ARGUS_DSR_DSTUSERDATA 15 #define ARGUS_DSR_SRCTIME 16 #define ARGUS_DSR_DSTTIME 17 #define ARGUS_DSR_COROLATE 18 #define ARGUS_MAC_DSR 0x08 #define ARGUS_TCP_DSR 0x11 #define ARGUS_ICMP_DSR 0x12 #define ARGUS_RTP_DSR 0x14 #define ARGUS_RTCP_DSR 0x15 #define ARGUS_IGMP_DSR 0x18 #define ARGUS_ARP_DSR 0x20 #define ARGUS_FRG_DSR 0x21 #define ARGUS_ESP_DSR 0x22 #define ARGUS_MPLS_DSR 0x28 #define ARGUS_VLAN_DSR 0x2a #define ARGUS_PPPOE_DSR 0x2b #define ARGUS_AGR_DSR 0x30 #define ARGUS_TIME_DSR 0x40 #define ARGUS_SRCUSRDATA_DSR 0x42 #define ARGUS_DSTUSRDATA_DSR 0x43 #define ARGUS_COROLATE_DSR 0x50 #define ARGUS_SRC_TIME_DSR 0x01 #define ARGUS_DST_TIME_DSR 0x02 /* IP Sec AH Header Qualifier Bits */ #define ARGUS_AH_HDR 0x00000010 #define ARGUS_AH_REPLAY 0x00000008 /* RTP State Constants and Reporting Values */ #define ARGUS_RTP_SRCSILENCE 0x01 #define ARGUS_RTP_DSTSILENCE 0x02 #define ARGUS_RTCP_TAG 0x2000 #define ARGUS_RTP_TAG 0x4000 #define ARGUS_HTTP_FLOWTAG 0x01 #define ARGUS_RTCP_FLOWTAG 0x10 #define ARGUS_RTP_FLOWTAG 0x20 #define ARGUS_FRAG_FLOWTAG 0xCB /* TCP State Constants and Reporting Values */ #define ARGUS_SAW_SYN 0x00000001 #define ARGUS_SAW_SYN_SENT 0x00000002 #define ARGUS_CON_ESTABLISHED 0x00000004 #define ARGUS_FIN 0x00000008 #define ARGUS_FIN_ACK 0x00000010 #define ARGUS_NORMAL_CLOSE 0x00000020 #define ARGUS_CLOSE_WAITING 0x00000040 #define ARGUS_PKTS_RETRANS 0x00000300 /* SRC_PKTS_RETRANS | DST_PK*/ #define ARGUS_SRC_PKTS_RETRANS 0x00000100 #define ARGUS_DST_PKTS_RETRANS 0x00000200 #define ARGUS_WINDOW_SHUT 0x00000C00 /* SRC_WINDOW_SHUT | DST_WIN*/ #define ARGUS_SRC_WINDOW_SHUT 0x00000400 #define ARGUS_DST_WINDOW_SHUT 0x00000800 #define ARGUS_RESET 0x00003000 /* SRC_RESET | DST_RESET */ #define ARGUS_SRC_RESET 0x00001000 #define ARGUS_DST_RESET 0x00002000 #define ARGUS_ECN_CONGESTED 0x0000C000 /* SRC_CONGESTED | DST_CONGESTED */ #define ARGUS_SRC_CONGESTED 0x00004000 #define ARGUS_DST_CONGESTED 0x00008000 #define ARGUS_OUTOFORDER 0x00030000 #define ARGUS_SRC_OUTOFORDER 0x00010000 #define ARGUS_DST_OUTOFORDER 0x00020000 #define ARGUS_TCP_OPTIONS 0xFFF00000 #define ARGUS_TCP_MAXSEG 0x00100000 #define ARGUS_TCP_WSCALE 0x00200000 #define ARGUS_TCP_SACKOK 0x00400000 #define ARGUS_TCP_SACK 0x00800000 #define ARGUS_TCP_ECHO 0x01000000 #define ARGUS_TCP_ECHOREPLY 0x02000000 #define ARGUS_TCP_TIMESTAMP 0x04000000 #define ARGUS_TCP_CC 0x08000000 #define ARGUS_TCP_CCNEW 0x10000000 #define ARGUS_TCP_CCECHO 0x20000000 #define ARGUS_TCP_SRC_ECN 0x40000000 #define ARGUS_TCP_DST_ECN 0x80000000 /* Fragment State Constants and Reporting Values */ #define ARGUS_FRAG_INIT 0x0001 #define ARGUS_FRAG_OUT_OF_ORDER 0x0002 #define ARGUS_TCPFRAGOFFSETERROR 0x0004 /* User Data Qualifier Values */ #define ARGUS_FAR_DSR_STATUS 0x00000001 #define ARGUS_MAC_DSR_STATUS 0x00000010 #define ARGUS_VLAN_DSR_STATUS 0x00000020 #define ARGUS_MPLS_DSR_STATUS 0x00000040 #define ARGUS_PPPOE_DSR_STATUS 0x00000080 #define ARGUS_TCP_DSR_STATUS 0x00000100 #define ARGUS_ICMP_DSR_STATUS 0x00000200 #define ARGUS_RTP_DSR_STATUS 0x00000400 #define ARGUS_RCTP_DSR_STATUS 0x00000800 #define ARGUS_IGMP_DSR_STATUS 0x00001000 #define ARGUS_ARP_DSR_STATUS 0x00002000 #define ARGUS_FRG_DSR_STATUS 0x00004000 #define ARGUS_TIME_DSR_STATUS 0x00100000 #define ARGUS_SRCUSRDATA_DSR_STATUS 0x00200000 #define ARGUS_DSTUSRDATA_DSR_STATUS 0x00400000 #define ARGUS_ESP_DSR_STATUS 0x00800000 #define ARGUS_SRCTIME_DSR_STATUS 0x01000000 #define ARGUS_DSTTIME_DSR_STATUS 0x02000000 #define ARGUS_COROLATE_DSR_STATUS 0x04000000 #define ARGUS_AGR_DSR_STATUS 0x80000000 #define ARGUS_FAR_DSR_INDEX 0 #define ARGUS_MAC_DSR_INDEX 4 #define ARGUS_VLAN_DSR_INDEX 5 #define ARGUS_MPLS_DSR_INDEX 6 #define ARGUS_PPPOE_DSR_INDEX 7 #define ARGUS_TCP_DSR_INDEX 8 #define ARGUS_ICMP_DSR_INDEX 9 #define ARGUS_RTP_DSR_INDEX 10 #define ARGUS_RTCP_DSR_INDEX 11 #define ARGUS_IGMP_DSR_INDEX 12 #define ARGUS_ARP_DSR_INDEX 13 #define ARGUS_FRG_DSR_INDEX 14 #define ARGUS_TIME_DSR_INDEX 20 #define ARGUS_SRCUSRDATA_DSR_INDEX 21 #define ARGUS_DSTUSRDATA_DSR_INDEX 22 #define ARGUS_ESP_DSR_INDEX 23 #define ARGUS_SRCTIME_DSR_INDEX 24 #define ARGUS_DSTTIME_DSR_INDEX 25 #define ARGUS_COROLATE_DSR_INDEX 26 #define ARGUS_AGR_DSR_INDEX 31 #define ARGUS_AGR_USECACTTIME 0x0010 #define ARGUS_AGR_USECIDLETIME 0x0020 #define ARGUS_AGR_MSECACTTIME 0x0040 #define ARGUS_AGR_MSECIDLETIME 0x0080 #define ARGUS_AGR_NORMALIZED 0x0100 #endif /* Argus_def_h */ argus-5.0.2/include/cygwin-include/000077500000000000000000000000001471541253600172135ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/linux/000077500000000000000000000000001471541253600203525ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/linux/if_arp.h000066400000000000000000000033001471541253600217570ustar00rootroot00000000000000/* @(#)if_arp.h 1.5 88/08/19 SMI; from UCB 7.1 1/24/86 */ /* * Copyright (c) 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _net_if_arp_h #define _net_if_arp_h /* * Address Resolution Protocol. * * See RFC 826 for protocol description. ARP packets are variable * in size; the arphdr structure defines the fixed-length portion. * Protocol type values are the same as those for 10 Mb/s Ethernet. * It is followed by the variable-sized fields ar_sha, arp_spa, * arp_tha and arp_tpa in that order, according to the lengths * specified. Field names used correspond to RFC 826. */ struct arphdr { u_short ar_hrd; /* format of hardware address */ #define ARPHRD_ETHER 1 /* ethernet hardware address */ u_short ar_pro; /* format of protocol address */ u_char ar_hln; /* length of hardware address */ u_char ar_pln; /* length of protocol address */ u_short ar_op; /* one of: */ #define ARPOP_REQUEST 1 /* request to resolve address */ #define ARPOP_REPLY 2 /* response to previous request */ #define REVARP_REQUEST 3 /* Reverse ARP request */ #define REVARP_REPLY 4 /* Reverse ARP reply */ /* * The remaining fields are variable in size, * according to the sizes above, and are defined * as appropriate for specific hardware/protocol * combinations. (E.g., see .) */ #ifdef notdef u_char ar_sha[]; /* sender hardware address */ u_char ar_spa[]; /* sender protocol address */ u_char ar_tha[]; /* target hardware address */ u_char ar_tpa[]; /* target protocol address */ #endif notdef }; #endif argus-5.0.2/include/cygwin-include/linux/igmp.h000066400000000000000000000060241471541253600214610ustar00rootroot00000000000000/* * Linux NET3: Internet Group Management Protocol [IGMP] * * Authors: * Alan Cox * * Extended to talk the BSD extended IGMP protocol of mrouted 3.6 * * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version * 2 of the License, or (at your option) any later version. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _LINUX_IGMP_H #define _LINUX_IGMP_H /* * IGMP protocol structures */ /* * Header in on cable format */ struct igmphdr { __u8 type; __u8 code; /* For newer IGMP */ __u16 csum; __u32 group; }; #define IGMP_HOST_MEMBERSHIP_QUERY 0x11 /* From RFC1112 */ #define IGMP_HOST_MEMBERSHIP_REPORT 0x12 /* Ditto */ #define IGMP_DVMRP 0x13 /* DVMRP routing */ #define IGMP_PIM 0x14 /* PIM routing */ #define IGMP_TRACE 0x15 #define IGMP_HOST_NEW_MEMBERSHIP_REPORT 0x16 /* New version of 0x11 */ #define IGMP_HOST_LEAVE_MESSAGE 0x17 #define IGMP_MTRACE_RESP 0x1e #define IGMP_MTRACE 0x1f /* * Use the BSD names for these for compatibility */ #define IGMP_DELAYING_MEMBER 0x01 #define IGMP_IDLE_MEMBER 0x02 #define IGMP_LAZY_MEMBER 0x03 #define IGMP_SLEEPING_MEMBER 0x04 #define IGMP_AWAKENING_MEMBER 0x05 #define IGMP_MINLEN 8 #define IGMP_MAX_HOST_REPORT_DELAY 10 /* max delay for response to */ /* query (in seconds) */ #define IGMP_TIMER_SCALE 10 /* denotes that the igmphdr->timer field */ /* specifies time in 10th of seconds */ #define IGMP_AGE_THRESHOLD 400 /* If this host don't hear any IGMP V1 */ /* message in this period of time, */ /* revert to IGMP v2 router. */ #define IGMP_ALL_HOSTS htonl(0xE0000001L) #define IGMP_ALL_ROUTER htonl(0xE0000002L) #define IGMP_LOCAL_GROUP htonl(0xE0000000L) #define IGMP_LOCAL_GROUP_MASK htonl(0xFFFFFF00L) /* * struct for keeping the multicast list in */ #ifdef __KERNEL__ /* ip_mc_socklist is real list now. Speed is not argument; this list never used in fast path code */ struct ip_mc_socklist { struct ip_mc_socklist *next; int count; struct ip_mreqn multi; }; struct ip_mc_list { struct in_device *interface; unsigned long multiaddr; struct ip_mc_list *next; struct timer_list timer; int users; atomic_t refcnt; spinlock_t lock; char tm_running; char reporter; char unsolicit_count; char loaded; }; extern int ip_check_mc(struct in_device *dev, u32 mc_addr); extern int igmp_rcv(struct sk_buff *); extern int ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr); extern int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr); extern void ip_mc_drop_socket(struct sock *sk); extern void ip_mr_init(void); extern void ip_mc_init_dev(struct in_device *); extern void ip_mc_destroy_dev(struct in_device *); extern void ip_mc_up(struct in_device *); extern void ip_mc_down(struct in_device *); extern int ip_mc_dec_group(struct in_device *in_dev, u32 addr); extern void ip_mc_inc_group(struct in_device *in_dev, u32 addr); #endif #endif argus-5.0.2/include/cygwin-include/net/000077500000000000000000000000001471541253600200015ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/net/if_arp.h000066400000000000000000000033061471541253600214140ustar00rootroot00000000000000/* @(#)if_arp.h 1.5 88/08/19 SMI; from UCB 7.1 1/24/86 */ /* * Copyright (c) 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _net_if_arp_h #define _net_if_arp_h /* * Address Resolution Protocol. * * See RFC 826 for protocol description. ARP packets are variable * in size; the arphdr structure defines the fixed-length portion. * Protocol type values are the same as those for 10 Mb/s Ethernet. * It is followed by the variable-sized fields ar_sha, arp_spa, * arp_tha and arp_tpa in that order, according to the lengths * specified. Field names used correspond to RFC 826. */ struct arphdr { u_short ar_hrd; /* format of hardware address */ #define ARPHRD_ETHER 1 /* ethernet hardware address */ u_short ar_pro; /* format of protocol address */ u_char ar_hln; /* length of hardware address */ u_char ar_pln; /* length of protocol address */ u_short ar_op; /* one of: */ #define ARPOP_REQUEST 1 /* request to resolve address */ #define ARPOP_REPLY 2 /* response to previous request */ #define REVARP_REQUEST 3 /* Reverse ARP request */ #define REVARP_REPLY 4 /* Reverse ARP reply */ /* * The remaining fields are variable in size, * according to the sizes above, and are defined * as appropriate for specific hardware/protocol * combinations. (E.g., see .) */ #ifdef notdef u_char ar_sha[]; /* sender hardware address */ u_char ar_spa[]; /* sender protocol address */ u_char ar_tha[]; /* target hardware address */ u_char ar_tpa[]; /* target protocol address */ #endif /* notdef */ }; #endif argus-5.0.2/include/cygwin-include/netinet/000077500000000000000000000000001471541253600206615ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/netinet/icmp6.h000066400000000000000000000212421471541253600220510ustar00rootroot00000000000000/* Copyright (C) 1991,92,93,94,95,96,97,2000 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_ICMP6_H #define _NETINET_ICMP6_H 1 #include #include #include #include #define ICMP6_FILTER 1 #define ICMP6_FILTER_BLOCK 1 #define ICMP6_FILTER_PASS 2 #define ICMP6_FILTER_BLOCKOTHERS 3 #define ICMP6_FILTER_PASSONLY 4 struct icmp6_filter { uint32_t data[8]; }; struct icmp6_hdr { uint8_t icmp6_type; /* type field */ uint8_t icmp6_code; /* code field */ uint16_t icmp6_cksum; /* checksum field */ union { uint32_t icmp6_un_data32[1]; /* type-specific field */ uint16_t icmp6_un_data16[2]; /* type-specific field */ uint8_t icmp6_un_data8[4]; /* type-specific field */ } icmp6_dataun; }; #define icmp6_data32 icmp6_dataun.icmp6_un_data32 #define icmp6_data16 icmp6_dataun.icmp6_un_data16 #define icmp6_data8 icmp6_dataun.icmp6_un_data8 #define icmp6_pptr icmp6_data32[0] /* parameter prob */ #define icmp6_mtu icmp6_data32[0] /* packet too big */ #define icmp6_id icmp6_data16[0] /* echo request/reply */ #define icmp6_seq icmp6_data16[1] /* echo request/reply */ #define icmp6_maxdelay icmp6_data16[0] /* mcast group membership */ #define ICMP6_DST_UNREACH 1 #define ICMP6_PACKET_TOO_BIG 2 #define ICMP6_TIME_EXCEEDED 3 #define ICMP6_PARAM_PROB 4 #define ICMP6_INFOMSG_MASK 0x80 /* all informational messages */ #define ICMP6_ECHO_REQUEST 128 #define ICMP6_ECHO_REPLY 129 #define ICMP6_MEMBERSHIP_QUERY 130 #define ICMP6_MEMBERSHIP_REPORT 131 #define ICMP6_MEMBERSHIP_REDUCTION 132 #define ICMP6_DST_UNREACH_NOROUTE 0 /* no route to destination */ #define ICMP6_DST_UNREACH_ADMIN 1 /* communication with destination */ /* administratively prohibited */ #define ICMP6_DST_UNREACH_NOTNEIGHBOR 2 /* not a neighbor */ #define ICMP6_DST_UNREACH_ADDR 3 /* address unreachable */ #define ICMP6_DST_UNREACH_NOPORT 4 /* bad port */ #define ICMP6_TIME_EXCEED_TRANSIT 0 /* Hop Limit == 0 in transit */ #define ICMP6_TIME_EXCEED_REASSEMBLY 1 /* Reassembly time out */ #define ICMP6_PARAMPROB_HEADER 0 /* erroneous header field */ #define ICMP6_PARAMPROB_NEXTHEADER 1 /* unrecognized Next Header */ #define ICMP6_PARAMPROB_OPTION 2 /* unrecognized IPv6 option */ #define ICMP6_FILTER_WILLPASS(type, filterp) \ ((((filterp)->data[(type) >> 5]) & (1 << ((type) & 31))) == 0) #define ICMP6_FILTER_WILLBLOCK(type, filterp) \ ((((filterp)->data[(type) >> 5]) & (1 << ((type) & 31))) != 0) #define ICMP6_FILTER_SETPASS(type, filterp) \ ((((filterp)->data[(type) >> 5]) &= ~(1 << ((type) & 31)))) #define ICMP6_FILTER_SETBLOCK(type, filterp) \ ((((filterp)->data[(type) >> 5]) |= (1 << ((type) & 31)))) #define ICMP6_FILTER_SETPASSALL(filterp) \ memset (filterp, 0, sizeof (struct icmp6_filter)); #define ICMP6_FILTER_SETBLOCKALL(filterp) \ memset (filterp, 0xFF, sizeof (struct icmp6_filter)); #define ND_ROUTER_SOLICIT 133 #define ND_ROUTER_ADVERT 134 #define ND_NEIGHBOR_SOLICIT 135 #define ND_NEIGHBOR_ADVERT 136 #define ND_REDIRECT 137 struct nd_router_solicit /* router solicitation */ { struct icmp6_hdr nd_rs_hdr; /* could be followed by options */ }; #define nd_rs_type nd_rs_hdr.icmp6_type #define nd_rs_code nd_rs_hdr.icmp6_code #define nd_rs_cksum nd_rs_hdr.icmp6_cksum #define nd_rs_reserved nd_rs_hdr.icmp6_data32[0] struct nd_router_advert /* router advertisement */ { struct icmp6_hdr nd_ra_hdr; uint32_t nd_ra_reachable; /* reachable time */ uint32_t nd_ra_retransmit; /* retransmit timer */ /* could be followed by options */ }; #define nd_ra_type nd_ra_hdr.icmp6_type #define nd_ra_code nd_ra_hdr.icmp6_code #define nd_ra_cksum nd_ra_hdr.icmp6_cksum #define nd_ra_curhoplimit nd_ra_hdr.icmp6_data8[0] #define nd_ra_flags_reserved nd_ra_hdr.icmp6_data8[1] #define ND_RA_FLAG_MANAGED 0x80 #define ND_RA_FLAG_OTHER 0x40 #define ND_RA_FLAG_HOME_AGENT 0x20 #define nd_ra_router_lifetime nd_ra_hdr.icmp6_data16[1] struct nd_neighbor_solicit /* neighbor solicitation */ { struct icmp6_hdr nd_ns_hdr; struct in6_addr nd_ns_target; /* target address */ /* could be followed by options */ }; #define nd_ns_type nd_ns_hdr.icmp6_type #define nd_ns_code nd_ns_hdr.icmp6_code #define nd_ns_cksum nd_ns_hdr.icmp6_cksum #define nd_ns_reserved nd_ns_hdr.icmp6_data32[0] struct nd_neighbor_advert /* neighbor advertisement */ { struct icmp6_hdr nd_na_hdr; struct in6_addr nd_na_target; /* target address */ /* could be followed by options */ }; #define nd_na_type nd_na_hdr.icmp6_type #define nd_na_code nd_na_hdr.icmp6_code #define nd_na_cksum nd_na_hdr.icmp6_cksum #define nd_na_flags_reserved nd_na_hdr.icmp6_data32[0] #if BYTE_ORDER == BIG_ENDIAN #define ND_NA_FLAG_ROUTER 0x80000000 #define ND_NA_FLAG_SOLICITED 0x40000000 #define ND_NA_FLAG_OVERRIDE 0x20000000 #else /* BYTE_ORDER == LITTLE_ENDIAN */ #define ND_NA_FLAG_ROUTER 0x00000080 #define ND_NA_FLAG_SOLICITED 0x00000040 #define ND_NA_FLAG_OVERRIDE 0x00000020 #endif struct nd_redirect /* redirect */ { struct icmp6_hdr nd_rd_hdr; struct in6_addr nd_rd_target; /* target address */ struct in6_addr nd_rd_dst; /* destination address */ /* could be followed by options */ }; #define nd_rd_type nd_rd_hdr.icmp6_type #define nd_rd_code nd_rd_hdr.icmp6_code #define nd_rd_cksum nd_rd_hdr.icmp6_cksum #define nd_rd_reserved nd_rd_hdr.icmp6_data32[0] struct nd_opt_hdr /* Neighbor discovery option header */ { uint8_t nd_opt_type; uint8_t nd_opt_len; /* in units of 8 octets */ /* followed by option specific data */ }; #define ND_OPT_SOURCE_LINKADDR 1 #define ND_OPT_TARGET_LINKADDR 2 #define ND_OPT_PREFIX_INFORMATION 3 #define ND_OPT_REDIRECTED_HEADER 4 #define ND_OPT_MTU 5 #define ND_OPT_RTR_ADV_INTERVAL 7 #define ND_OPT_HOME_AGENT_INFO 8 struct nd_opt_prefix_info /* prefix information */ { uint8_t nd_opt_pi_type; uint8_t nd_opt_pi_len; uint8_t nd_opt_pi_prefix_len; uint8_t nd_opt_pi_flags_reserved; uint32_t nd_opt_pi_valid_time; uint32_t nd_opt_pi_preferred_time; uint32_t nd_opt_pi_reserved2; struct in6_addr nd_opt_pi_prefix; }; #define ND_OPT_PI_FLAG_ONLINK 0x80 #define ND_OPT_PI_FLAG_AUTO 0x40 #define ND_OPT_PI_FLAG_RADDR 0x20 struct nd_opt_rd_hdr /* redirected header */ { uint8_t nd_opt_rh_type; uint8_t nd_opt_rh_len; uint16_t nd_opt_rh_reserved1; uint32_t nd_opt_rh_reserved2; /* followed by IP header and data */ }; struct nd_opt_mtu /* MTU option */ { uint8_t nd_opt_mtu_type; uint8_t nd_opt_mtu_len; uint16_t nd_opt_mtu_reserved; uint32_t nd_opt_mtu_mtu; }; /* Mobile IPv6 extension: Advertisement Interval. */ struct nd_opt_adv_interval { uint8_t nd_opt_adv_interval_type; uint8_t nd_opt_adv_interval_len; uint16_t nd_opt_adv_interval_reserved; uint32_t nd_opt_adv_interval_ival; }; /* Mobile IPv6 extension: Home Agent Info. */ struct nd_opt_home_agent_info { uint8_t nd_opt_home_agent_info_type; uint8_t nd_opt_home_agent_info_len; uint16_t nd_opt_home_agent_info_reserved; int16_t nd_opt_home_agent_info_preference; uint16_t nd_opt_home_agent_info_lifetime; }; #endif /* netinet/icmpv6.h */ argus-5.0.2/include/cygwin-include/netinet/if_ether.h000066400000000000000000000037001471541253600226170ustar00rootroot00000000000000/* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. * * @(#)if_ether.h 1.28 89/08/04 SMI; from UCB 7.2 12/7/87 */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _netinet_if_ether_h #define _netinet_if_ether_h #if !defined(__OpenBSD__) #include #endif /* * Ethernet address - 6 octets */ struct ether_addr { u_char ether_addr_octet[6]; }; /* * Structure of a 10Mb/s Ethernet header. */ struct ether_header { u_char ether_dhost[6]; u_char ether_shost[6]; u_short ether_type; }; #define ETHERTYPE_PUP 0x0200 /* PUP protocol */ #define ETHERTYPE_IP 0x0800 /* IP protocol */ #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #define ETHERTYPE_REVARP 0x8035 /* Reverse ARP */ #define ETHERTYPE_TRAIL 0x1000 /* * Ethernet Address Resolution Protocol. * * See RFC 826 for protocol description. Structure below is adapted * to resolving internet addresses. Field names used correspond to * RFC 826. */ struct ether_arp { struct arphdr ea_hdr; /* fixed-size header */ struct ether_addr arp_sha; /* sender hardware address */ u_char arp_spa[4]; /* sender protocol address */ struct ether_addr arp_tha; /* target hardware address */ u_char arp_tpa[4]; /* target protocol address */ }; #define arp_hrd ea_hdr.ar_hrd #define arp_pro ea_hdr.ar_pro #define arp_hln ea_hdr.ar_hln #define arp_pln ea_hdr.ar_pln #define arp_op ea_hdr.ar_op #define ETHERMTU 1500 #endif argus-5.0.2/include/cygwin-include/netinet/igmp.h000066400000000000000000000066301471541253600217730ustar00rootroot00000000000000/* Copyright (C) 1997, 1999 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_IGMP_H #define _NETINET_IGMP_H 1 #include #include #include #include #include __BEGIN_DECLS /* * Copyright (c) 1988 Stephen Deering. * Copyright (c) 1992, 1993 * The Regents of the University of California. All rights reserved. * * This code is derived from software contributed to Berkeley by * Stephen Deering of Stanford University. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)igmp.h 8.1 (Berkeley) 6/10/93 * $FreeBSD$ */ struct igmp { u_int8_t igmp_type; /* IGMP type */ u_int8_t igmp_code; /* routing code */ u_int16_t igmp_cksum; /* checksum */ struct in_addr igmp_group; /* group address */ }; /* * Message types, including version number. */ #define IGMP_MEMBERSHIP_QUERY 0x11 /* membership query */ #define IGMP_V1_MEMBERSHIP_REPORT 0x12 /* Ver. 1 membership report */ #define IGMP_V2_MEMBERSHIP_REPORT 0x16 /* Ver. 2 membership report */ #define IGMP_V2_LEAVE_GROUP 0x17 /* Leave-group message */ __END_DECLS #endif /* netinet/igmp.h */ argus-5.0.2/include/cygwin-include/netinet/ip6.h000066400000000000000000000072211471541253600215320ustar00rootroot00000000000000/* Copyright (C) 1991-1997, 2001 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _NETINET_IP6_H #define _NETINET_IP6_H 1 #include #include struct ip6_hdr { union { struct ip6_hdrctl { uint32_t ip6_un1_flow; /* 4 bits version, 8 bits TC, 20 bits flow-ID */ uint16_t ip6_un1_plen; /* payload length */ uint8_t ip6_un1_nxt; /* next header */ uint8_t ip6_un1_hlim; /* hop limit */ } ip6_un1; uint8_t ip6_un2_vfc; /* 4 bits version, top 4 bits tclass */ } ip6_ctlun; struct in6_addr ip6_src; /* source address */ struct in6_addr ip6_dst; /* destination address */ }; #define ip6_vfc ip6_ctlun.ip6_un2_vfc #define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow #define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen #define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt #define ip6_hlim ip6_ctlun.ip6_un1.ip6_un1_hlim #define ip6_hops ip6_ctlun.ip6_un1.ip6_un1_hlim /* Hop-by-Hop options header. */ struct ip6_hbh { uint8_t ip6h_nxt; /* next hesder. */ uint8_t ip6h_len; /* length in units of 8 octets. */ /* followed by options */ }; /* Destination options header */ struct ip6_dest { uint8_t ip6d_nxt; /* next header */ uint8_t ip6d_len; /* length in units of 8 octets */ /* followed by options */ }; /* Routing header */ struct ip6_rthdr { uint8_t ip6r_nxt; /* next header */ uint8_t ip6r_len; /* length in units of 8 octets */ uint8_t ip6r_type; /* routing type */ uint8_t ip6r_segleft; /* segments left */ /* followed by routing type specific data */ }; /* Type 0 Routing header */ struct ip6_rthdr0 { uint8_t ip6r0_nxt; /* next header */ uint8_t ip6r0_len; /* length in units of 8 octets */ uint8_t ip6r0_type; /* always zero */ uint8_t ip6r0_segleft; /* segments left */ uint8_t ip6r0_reserved; /* reserved field */ uint8_t ip6r0_slmap[3]; /* strict/loose bit map */ struct in6_addr ip6r0_addr[1]; /* up to 23 addresses */ }; /* Fragment header */ struct ip6_frag { uint8_t ip6f_nxt; /* next header */ uint8_t ip6f_reserved; /* reserved field */ uint16_t ip6f_offlg; /* offset, reserved, and flag */ uint32_t ip6f_ident; /* identification */ }; #if BYTE_ORDER == BIG_ENDIAN #define IP6F_OFF_MASK 0xfff8 /* mask out offset from _offlg */ #define IP6F_RESERVED_MASK 0x0006 /* reserved bits in ip6f_offlg */ #define IP6F_MORE_FRAG 0x0001 /* more-fragments flag */ #else /* BYTE_ORDER == LITTLE_ENDIAN */ #define IP6F_OFF_MASK 0xf8ff /* mask out offset from _offlg */ #define IP6F_RESERVED_MASK 0x0600 /* reserved bits in ip6f_offlg */ #define IP6F_MORE_FRAG 0x0100 /* more-fragments flag */ #endif #endif /* netinet/ip6.h */ argus-5.0.2/include/cygwin-include/netinet/ip_icmp.h000066400000000000000000000116251471541253600224570ustar00rootroot00000000000000/* @(#)ip_icmp.h 1.9 88/08/19 SMI; from UCB 7.3 12/7/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and that due credit is given * to the University of California at Berkeley. The name of the University * may not be used to endorse or promote products derived from this * software without specific prior written permission. This software * is provided ``as is'' without express or implied warranty. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Interface Control Message Protocol Definitions. * Per RFC 792, September 1981. */ #ifndef _netinet_ip_icmp_h #define _netinet_ip_icmp_h /* * Structure of an icmp header. */ struct icmp { u_char icmp_type; /* type of message, see below */ u_char icmp_code; /* type sub code */ u_short icmp_cksum; /* ones complement cksum of struct */ union { u_char ih_pptr; /* ICMP_PARAMPROB */ struct in_addr ih_gwaddr; /* ICMP_REDIRECT */ struct ih_idseq { n_short icd_id; n_short icd_seq; } ih_idseq; int ih_void; } icmp_hun; #define icmp_pptr icmp_hun.ih_pptr #define icmp_gwaddr icmp_hun.ih_gwaddr #define icmp_id icmp_hun.ih_idseq.icd_id #define icmp_seq icmp_hun.ih_idseq.icd_seq #define icmp_void icmp_hun.ih_void union { struct id_ts { n_time its_otime; n_time its_rtime; n_time its_ttime; } id_ts; struct id_ip { struct ip idi_ip; /* options and then 64 bits of data */ } id_ip; u_long id_mask; char id_data[1]; } icmp_dun; #define icmp_otime icmp_dun.id_ts.its_otime #define icmp_rtime icmp_dun.id_ts.its_rtime #define icmp_ttime icmp_dun.id_ts.its_ttime #define icmp_ip icmp_dun.id_ip.idi_ip #define icmp_mask icmp_dun.id_mask #define icmp_data icmp_dun.id_data }; /* * Lower bounds on packet lengths for various types. * For the error advice packets must first insure that the * packet is large enought to contain the returned ip header. * Only then can we do the check to see if 64 bits of packet * data have been returned, since we need to check the returned * ip header length. */ #define ICMP_MINLEN 8 /* abs minimum */ #define ICMP_TSLEN (8 + 3 * sizeof (n_time)) /* timestamp */ #define ICMP_MASKLEN 12 /* address mask */ #define ICMP_ADVLENMIN (8 + sizeof (struct ip) + 8) /* min */ #define ICMP_ADVLEN(p) (8 + ((p)->icmp_ip.ip_hl << 2) + 8) /* N.B.: must separately check that ip_hl >= 5 */ /* * Definition of type and code field values. */ #define ICMP_ECHOREPLY 0 /* echo reply */ #define ICMP_UNREACH 3 /* dest unreachable, codes: */ #define ICMP_UNREACH_NET 0 /* bad net */ #define ICMP_UNREACH_HOST 1 /* bad host */ #define ICMP_UNREACH_PROTOCOL 2 /* bad protocol */ #define ICMP_UNREACH_PORT 3 /* bad port */ #define ICMP_UNREACH_NEEDFRAG 4 /* IP_DF caused drop */ #define ICMP_UNREACH_SRCFAIL 5 /* src route failed */ #define ICMP_UNREACH_NET_UNKNOWN 6 /* unknown net */ #define ICMP_UNREACH_HOST_UNKNOWN 7 /* unknown host */ #define ICMP_UNREACH_ISOLATED 8 /* src host isolated */ #define ICMP_UNREACH_NET_PROHIB 9 /* net denied */ #define ICMP_UNREACH_HOST_PROHIB 10 /* host denied */ #define ICMP_UNREACH_TOSNET 11 /* bad tos for net */ #define ICMP_UNREACH_TOSHOST 12 /* bad tos for host */ #define ICMP_UNREACH_FILTER_PROHIB 13 /* admin prohib */ #define ICMP_UNREACH_HOST_PRECEDENCE 14 /* host prec vio. */ #define ICMP_UNREACH_PRECEDENCE_CUTOFF 15 /* prec cutoff */ #define ICMP_SOURCEQUENCH 4 /* packet lost, slow down */ #define ICMP_REDIRECT 5 /* shorter route, codes: */ #define ICMP_REDIRECT_NET 0 /* for network */ #define ICMP_REDIRECT_HOST 1 /* for host */ #define ICMP_REDIRECT_TOSNET 2 /* for tos and net */ #define ICMP_REDIRECT_TOSHOST 3 /* for tos and host */ #define ICMP_ECHO 8 /* echo service */ #define ICMP_ROUTERADVERT 9 /* router advertisement */ #define ICMP_ROUTERSOLICIT 10 /* router solicitation */ #define ICMP_TIMXCEED 11 /* time exceeded, code: */ #define ICMP_TIMXCEED_INTRANS 0 /* ttl==0 in transit */ #define ICMP_TIMXCEED_REASS 1 /* ttl==0 in reass */ #define ICMP_PARAMPROB 12 /* ip header bad */ #define ICMP_PARAMPROB_OPTABSENT 1 /* req. opt. absent */ #define ICMP_TSTAMP 13 /* timestamp request */ #define ICMP_TSTAMPREPLY 14 /* timestamp reply */ #define ICMP_IREQ 15 /* information request */ #define ICMP_IREQREPLY 16 /* information reply */ #define ICMP_MASKREQ 17 /* address mask request */ #define ICMP_MASKREPLY 18 /* address mask reply */ #define ICMP_MAXTYPE 18 #define ICMP_INFOTYPE(type) \ ((type) == ICMP_ECHOREPLY || (type) == ICMP_ECHO || \ (type) == ICMP_ROUTERADVERT || (type) == ICMP_ROUTERSOLICIT || \ (type) == ICMP_TSTAMP || (type) == ICMP_TSTAMPREPLY || \ (type) == ICMP_IREQ || (type) == ICMP_IREQREPLY || \ (type) == ICMP_MASKREQ || (type) == ICMP_MASKREPLY) #endif /*!_netinet_ip_icmp_h*/ argus-5.0.2/include/cygwin-include/netinet/ip_var.h000066400000000000000000000061761471541253600223240ustar00rootroot00000000000000/* @(#)ip_var.h 1.11 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Overlay for ip header used by other protocols (tcp, udp). */ #ifndef _netinet_ip_var_h #define _netinet_ip_var_h struct ipovly { caddr_t ih_next, ih_prev; /* for protocol sequence q's */ u_char ih_x1; /* (unused) */ u_char ih_pr; /* protocol */ short ih_len; /* protocol length */ struct in_addr ih_src; /* source internet address */ struct in_addr ih_dst; /* destination internet address */ }; /* * Ip reassembly queue structure. Each fragment * being reassembled is attached to one of these structures. * They are timed out after ipq_ttl drops to 0, and may also * be reclaimed if memory becomes tight. */ struct ipq { struct ipq *next,*prev; /* to other reass headers */ u_char ipq_ttl; /* time for reass q to live */ u_char ipq_p; /* protocol of this fragment */ u_short ipq_id; /* sequence id for reassembly */ struct ipasfrag *ipq_next,*ipq_prev; /* to ip headers of fragments */ struct in_addr ipq_src,ipq_dst; }; /* * Ip header, when holding a fragment. * * Note: ipf_next must be at same offset as ipq_next above */ struct ipasfrag { #if __BYTE_ORDER == __LITTLE_ENDIAN u_char ip_hl:4, ip_v:4; #endif #if __BYTE_ORDER == __BIG_ENDIAN u_char ip_v:4, ip_hl:4; #endif u_char ipf_mff; /* copied from (ip_off&IP_MF) */ short ip_len; u_short ip_id; short ip_off; u_char ip_ttl; u_char ip_p; u_short ip_sum; struct ipasfrag *ipf_next; /* next fragment */ struct ipasfrag *ipf_prev; /* previous fragment */ }; /* * Structure stored in mbuf in inpcb.ip_options * and passed to ip_output when ip options are in use. * The actual length of the options (including ipopt_dst) * is in m_len. */ #define MAX_IPOPTLEN 40 struct ipoption { struct in_addr ipopt_dst; /* first-hop dst if source routed */ char ipopt_list[MAX_IPOPTLEN]; /* options proper */ }; struct ipstat { long ips_total; /* total packets received */ long ips_badsum; /* checksum bad */ long ips_tooshort; /* packet too short */ long ips_toosmall; /* not enough data */ long ips_badhlen; /* ip header length < data size */ long ips_badlen; /* ip length < ip header length */ long ips_fragments; /* fragments received */ long ips_fragdropped; /* frags dropped (dups, out of space) */ long ips_fragtimeout; /* fragments timed out */ long ips_forward; /* packets forwarded */ long ips_cantforward; /* packets rcvd for unreachable dest */ long ips_redirectsent; /* packets forwarded on same net */ }; #ifdef KERNEL /* flags passed to ip_output as last parameter */ #define IP_FORWARDING 0x1 /* most of ip header exists */ #define IP_ROUTETOIF SO_DONTROUTE /* bypass routing tables */ #define IP_ALLOWBROADCAST SO_BROADCAST /* can send broadcast packets */ struct ipstat ipstat; struct ipq ipq; /* ip reass. queue */ u_short ip_id; /* ip packet ctr, for ids */ struct mbuf *ip_srcroute(); #endif #endif /*!_netinet_ip_var_h*/ argus-5.0.2/include/cygwin-include/netinet/tcp_var.h000066400000000000000000000143541471541253600224770ustar00rootroot00000000000000/* @(#)tcp_var.h 1.11 88/08/19 SMI; from UCB 7.3 6/30/87 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Kernel variables for tcp. */ #ifndef _netinet_tcp_var_h #define _netinet_tcp_var_h /* * Tcp control block, one per tcp; fields: */ struct tcpcb { struct tcpiphdr *seg_next; /* sequencing queue */ struct tcpiphdr *seg_prev; short t_state; /* state of this connection */ short t_timer[TCPT_NTIMERS]; /* tcp timers */ short t_rxtshift; /* log(2) of rexmt exp. backoff */ short t_rxtcur; /* current retransmit value */ short t_dupacks; /* consecutive dup acks recd */ u_short t_maxseg; /* maximum segment size */ char t_force; /* 1 if forcing out a byte */ u_char t_flags; #define TF_ACKNOW 0x01 /* ack peer immediately */ #define TF_DELACK 0x02 /* ack, but try to delay it */ #define TF_NODELAY 0x04 /* don't delay packets to coalesce */ #define TF_NOOPT 0x08 /* don't use tcp options */ #define TF_SENTFIN 0x10 /* have sent FIN */ struct tcpiphdr *t_template; /* skeletal packet for transmit */ struct inpcb *t_inpcb; /* back pointer to internet pcb */ /* * The following fields are used as in the protocol specification. * See RFC783, Dec. 1981, page 21. */ /* send sequence variables */ tcp_seq snd_una; /* send unacknowledged */ tcp_seq snd_nxt; /* send next */ tcp_seq snd_up; /* send urgent pointer */ tcp_seq snd_wl1; /* window update seg seq number */ tcp_seq snd_wl2; /* window update seg ack number */ tcp_seq iss; /* initial send sequence number */ u_short snd_wnd; /* send window */ /* receive sequence variables */ u_short rcv_wnd; /* receive window */ tcp_seq rcv_nxt; /* receive next */ tcp_seq rcv_up; /* receive urgent pointer */ tcp_seq irs; /* initial receive sequence number */ /* * Additional variables for this implementation. */ /* receive variables */ tcp_seq rcv_adv; /* advertised window */ /* retransmit variables */ tcp_seq snd_max; /* highest sequence number sent * used to recognize retransmits */ /* congestion control (for slow start, source quench, retransmit after loss) */ u_short snd_cwnd; /* congestion-controlled window */ u_short snd_ssthresh; /* snd_cwnd size threshhold for * for slow start exponential to * linear switch */ /* * transmit timing stuff. * srtt and rttvar are stored as fixed point; for convenience in smoothing, * srtt has 3 bits to the right of the binary point, rttvar has 2. * "Variance" is actually smoothed difference. */ short t_idle; /* inactivity time */ short t_rtt; /* round trip time */ tcp_seq t_rtseq; /* sequence number being timed */ short t_srtt; /* smoothed round-trip time */ short t_rttvar; /* variance in round-trip time */ u_short max_rcvd; /* most peer has sent into window */ u_short max_sndwnd; /* largest window peer has offered */ /* out-of-band data */ char t_oobflags; /* have some */ char t_iobc; /* input character */ #define TCPOOB_HAVEDATA 0x01 #define TCPOOB_HADDATA 0x02 }; #define intotcpcb(ip) ((struct tcpcb *)(ip)->inp_ppcb) #define sototcpcb(so) (intotcpcb(sotoinpcb(so))) /* * TCP statistics. * Many of these should be kept per connection, * but that's inconvenient at the moment. */ struct tcpstat { u_long tcps_connattempt; /* connections initiated */ u_long tcps_accepts; /* connections accepted */ u_long tcps_connects; /* connections established */ u_long tcps_drops; /* connections dropped */ u_long tcps_conndrops; /* embryonic connections dropped */ u_long tcps_closed; /* conn. closed (includes drops) */ u_long tcps_segstimed; /* segs where we tried to get rtt */ u_long tcps_rttupdated; /* times we succeeded */ u_long tcps_delack; /* delayed acks sent */ u_long tcps_timeoutdrop; /* conn. dropped in rxmt timeout */ u_long tcps_rexmttimeo; /* retransmit timeouts */ u_long tcps_persisttimeo; /* persist timeouts */ u_long tcps_keeptimeo; /* keepalive timeouts */ u_long tcps_keepprobe; /* keepalive probes sent */ u_long tcps_keepdrops; /* connections dropped in keepalive */ u_long tcps_sndtotal; /* total packets sent */ u_long tcps_sndpack; /* data packets sent */ u_long tcps_sndbyte; /* data bytes sent */ u_long tcps_sndrexmitpack; /* data packets retransmitted */ u_long tcps_sndrexmitbyte; /* data bytes retransmitted */ u_long tcps_sndacks; /* ack-only packets sent */ u_long tcps_sndprobe; /* window probes sent */ u_long tcps_sndurg; /* packets sent with URG only */ u_long tcps_sndwinup; /* window update-only packets sent */ u_long tcps_sndctrl; /* control (SYN|FIN|RST) packets sent */ u_long tcps_rcvtotal; /* total packets received */ u_long tcps_rcvpack; /* packets received in sequence */ u_long tcps_rcvbyte; /* bytes received in sequence */ u_long tcps_rcvbadsum; /* packets received with ccksum errs */ u_long tcps_rcvbadoff; /* packets received with bad offset */ u_long tcps_rcvshort; /* packets received too short */ u_long tcps_rcvduppack; /* duplicate-only packets received */ u_long tcps_rcvdupbyte; /* duplicate-only bytes received */ u_long tcps_rcvpartduppack; /* packets with some duplicate data */ u_long tcps_rcvpartdupbyte; /* dup. bytes in part-dup. packets */ u_long tcps_rcvoopack; /* out-of-order packets received */ u_long tcps_rcvoobyte; /* out-of-order bytes received */ u_long tcps_rcvpackafterwin; /* packets with data after window */ u_long tcps_rcvbyteafterwin; /* bytes rcvd after window */ u_long tcps_rcvafterclose; /* packets rcvd after "close" */ u_long tcps_rcvwinprobe; /* rcvd window probe packets */ u_long tcps_rcvdupack; /* rcvd duplicate acks */ u_long tcps_rcvacktoomuch; /* rcvd acks for unsent data */ u_long tcps_rcvackpack; /* rcvd ack packets */ u_long tcps_rcvackbyte; /* bytes acked by rcvd acks */ u_long tcps_rcvwinupd; /* rcvd window update packets */ }; #ifdef KERNEL struct inpcb tcb; /* head of queue of active tcpcb's */ struct tcpstat tcpstat; /* tcp statistics */ struct tcpiphdr *tcp_template(); struct tcpcb *tcp_close(), *tcp_drop(); struct tcpcb *tcp_timers(), *tcp_disconnect(), *tcp_usrclosed(); #endif #ifdef sun #define TCP_COMPAT_42 #endif #endif /*!_netinet_tcp_var_h*/ argus-5.0.2/include/cygwin-include/netinet/tcpip.h000066400000000000000000000020111471541253600221430ustar00rootroot00000000000000/* @(#)tcpip.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/85 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Tcp+ip header, after ip options removed. */ #ifndef _netinet_tcpip_h #define _netinet_tcpip_h struct tcpiphdr { struct ipovly ti_i; /* overlaid ip structure */ struct tcphdr ti_t; /* tcp header */ }; #define ti_next ti_i.ih_next #define ti_prev ti_i.ih_prev #define ti_x1 ti_i.ih_x1 #define ti_pr ti_i.ih_pr #define ti_len ti_i.ih_len #define ti_src ti_i.ih_src #define ti_dst ti_i.ih_dst #define ti_sport ti_t.th_sport #define ti_dport ti_t.th_dport #define ti_seq ti_t.th_seq #define ti_ack ti_t.th_ack #define ti_x2 ti_t.th_x2 #define ti_off ti_t.th_off #define ti_flags ti_t.th_flags #define ti_win ti_t.th_win #define ti_sum ti_t.th_sum #define ti_urp ti_t.th_urp #endif /*!_netinet_tcpip_h*/ argus-5.0.2/include/cygwin-include/netinet/udp_var.h000066400000000000000000000020761471541253600224770ustar00rootroot00000000000000/* @(#)udp_var.h 1.8 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * UDP kernel structures and variables. */ #ifndef _netinet_udp_var_h #define _netinet_udp_var_h struct udpiphdr { struct ipovly ui_i; /* overlaid ip structure */ struct udphdr ui_u; /* udp header */ }; #define ui_next ui_i.ih_next #define ui_prev ui_i.ih_prev #define ui_x1 ui_i.ih_x1 #define ui_pr ui_i.ih_pr #define ui_len ui_i.ih_len #define ui_src ui_i.ih_src #define ui_dst ui_i.ih_dst #define ui_sport ui_u.uh_sport #define ui_dport ui_u.uh_dport #define ui_ulen ui_u.uh_ulen #define ui_sum ui_u.uh_sum struct udpstat { int udps_hdrops; int udps_badsum; int udps_badlen; int udps_fullsock; }; #define UDP_TTL 30 /* time to live for UDP packets */ #ifdef KERNEL struct inpcb udb; struct udpstat udpstat; #endif #endif /*!_netinet_udp_var_h*/ argus-5.0.2/include/cygwin-include/protocols/000077500000000000000000000000001471541253600212375ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/protocols/routed.h000066400000000000000000000044441471541253600227200ustar00rootroot00000000000000/* @(#)routed.h 1.9 88/08/19 SMI; from UCB 5.1 6/4/85 */ /* * Copyright (c) 1983 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: $ * $DateTime: $ * $Change: $ */ /* * Routing Information Protocol * * Derived from Xerox NS Routing Information Protocol * by changing 32-bit net numbers to sockaddr's and * padding stuff to 32-bit boundaries. */ #ifndef _protocols_routed_h #define _protocols_routed_h #define RIPVERSION 1 struct netinfo { struct sockaddr rip_dst; /* destination net/host */ int rip_metric; /* cost of route */ }; struct rip { u_char rip_cmd; /* request/response */ u_char rip_vers; /* protocol version # */ u_char rip_res1[2]; /* pad to 32-bit boundary */ union { struct netinfo ru_nets[1]; /* variable length... */ char ru_tracefile[1]; /* ditto ... */ } ripun; #define rip_nets ripun.ru_nets #define rip_tracefile ripun.ru_tracefile }; struct entryinfo { struct sockaddr rtu_dst; struct sockaddr rtu_router; short rtu_flags; short rtu_state; int rtu_timer; int rtu_metric; int int_flags; char int_name[16]; }; /* * Packet types. */ #define RIPCMD_REQUEST 1 /* want info - from suppliers */ #define RIPCMD_RESPONSE 2 /* responding to request */ #define RIPCMD_TRACEON 3 /* turn tracing on */ #define RIPCMD_TRACEOFF 4 /* turn it off */ #define RIPCMD_POLL 5 /* like request, but anyone answers */ #define RIPCMD_POLLENTRY 6 /* like poll, but for entire entry */ #define RIPCMD_MAX 7 #ifdef RIPCMDS char *ripcmds[RIPCMD_MAX] = { "#0", "REQUEST", "RESPONSE", "TRACEON", "TRACEOFF", "POLL", "POLLENTRY" }; #endif #define HOPCNT_INFINITY 16 /* per Xerox NS */ #define MAXPACKETSIZE 512 /* max broadcast size */ /* * Timer values used in managing the routing table. * Every update forces an entry's timer to be reset. After * EXPIRE_TIME without updates, the entry is marked invalid, * but held onto until GARBAGE_TIME so that others may * see it "be deleted". */ #define TIMER_RATE 30 /* alarm clocks every 30 seconds */ #define SUPPLY_INTERVAL 30 /* time to supply tables */ #define EXPIRE_TIME 180 /* time to mark entry invalid */ #define GARBAGE_TIME 240 /* time to garbage collect */ #endif /*!_protocols_routed_h*/ argus-5.0.2/include/cygwin-include/sys/000077500000000000000000000000001471541253600200315ustar00rootroot00000000000000argus-5.0.2/include/cygwin-include/sys/mbuf.h000066400000000000000000000000611471541253600211300ustar00rootroot00000000000000 /* * $Id: $ * $DateTime: $ * $Change: $ */ argus-5.0.2/include/net/000077500000000000000000000000001471541253600150605ustar00rootroot00000000000000argus-5.0.2/include/net/arcnet.h000066400000000000000000000062311471541253600165070ustar00rootroot00000000000000/* * Copyright (c) 1982, 1986, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * * from: NetBSD: if_arc.h,v 1.13 1999/11/19 20:41:19 thorpej Exp */ /* * $Id: //depot/gargoyle/argus/include/net/arcnet.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ /* * Structure of a 2.5MB/s Arcnet header. * as given to interface code. */ struct arc_header { u_int8_t arc_shost; u_int8_t arc_dhost; u_int8_t arc_type; /* * only present for newstyle encoding with LL fragmentation. * Don't use sizeof(anything), use ARC_HDR{,NEW}LEN instead. */ u_int8_t arc_flag; u_int16_t arc_seqid; /* * only present in exception packets (arc_flag == 0xff) */ u_int8_t arc_type2; /* same as arc_type */ u_int8_t arc_flag2; /* real flag value */ u_int16_t arc_seqid2; /* real seqid value */ } /* __attribute__((__packed__)) */; #define ARC_HDRLEN 3 #define ARC_HDRNEWLEN 6 #define ARC_HDRNEWLEN_EXC 10 /* RFC 1051 */ #define ARCTYPE_IP_OLD 240 /* IP protocol */ #define ARCTYPE_ARP_OLD 241 /* address resolution protocol */ /* RFC 1201 */ #define ARCTYPE_IP 212 /* IP protocol */ #define ARCTYPE_ARP 213 /* address resolution protocol */ #define ARCTYPE_REVARP 214 /* reverse addr resolution protocol */ #define ARCTYPE_ATALK 221 /* Appletalk */ #define ARCTYPE_BANIAN 247 /* Banyan Vines */ #define ARCTYPE_IPX 250 /* Novell IPX */ #define ARCTYPE_INET6 0xc4 /* IPng */ #define ARCTYPE_DIAGNOSE 0x80 /* as per ANSI/ATA 878.1 */ argus-5.0.2/include/net/etherdefs.h000066400000000000000000000041771471541253600172130ustar00rootroot00000000000000/* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/gargoyle/argus/include/net/etherdefs.h#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef _NET_ETHERNET_H_ #define _NET_ETHERNET_H_ #define ETHER_ADDR_LEN 6 #define ETHER_TYPE_LEN 2 #define ETHER_CRC_LEN 4 #define ETHER_HDR_LEN (ETHER_ADDR_LEN*2+ETHER_TYPE_LEN) #define ETHER_MIN_LEN 64 #define ETHER_MAX_LEN 1518 #ifndef ETHERTYPE_PUP #define ETHERTYPE_PUP 0x0200 /* PUP protocol */ #endif #ifndef ETHERTYPE_IP #define ETHERTYPE_IP 0x0800 /* IP protocol */ #endif #ifndef ETHERTYPE_ARP #define ETHERTYPE_ARP 0x0806 /* Addr. resolution protocol */ #endif #ifndef ETHERTYPE_REVARP #define ETHERTYPE_REVARP 0x8035 /* reverse Addr. resolution protocol */ #endif #ifndef ETHERTYPE_VLAN #define ETHERTYPE_VLAN 0x8100 /* IEEE 802.1Q VLAN tagging */ #endif #ifndef ETHERTYPE_IPV6 #define ETHERTYPE_IPV6 0x86dd /* IPv6 */ #endif #ifndef ETHERTYPE_LOOPBACK #define ETHERTYPE_LOOPBACK 0x9000 /* used to test interfaces */ #endif /* * The ETHERTYPE_NTRAILER packet types starting at ETHERTYPE_TRAIL have * (type-ETHERTYPE_TRAIL)*512 bytes of data followed * by an ETHER type (as given above) and then the (variable-length) header. */ #ifndef ETHERTYPE_TRAIL #define ETHERTYPE_TRAIL 0x1000 /* Trailer packet */ #endif #ifndef ETHERTYPE_NTRAILER #define ETHERTYPE_NTRAILER 16 #endif #endif /* !_NET_ETHERNET_H_ */ argus-5.0.2/include/net/nff.h000066400000000000000000000306021471541253600160030ustar00rootroot00000000000000/* * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997 * The Regents of the University of California. All rights reserved. * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence * Berkeley Laboratory. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * @(#)nff.h 7.1 (Berkeley) 5/7/91 * */ /* * $Id: //depot/argus/argus-3.0/clients/include/net/nff.h#11 $ * $DateTime: 2006/04/08 16:37:11 $ * $Change: 816 $ */ #ifndef NFF_MAJOR_VERSION /* BSD style release date */ #define NFF_RELEASE 200611 typedef int nff_int32; typedef unsigned int nff_u_int32; typedef long long nff_int64; typedef unsigned long long nff_u_int64; /* * Alignment macros. NFF_WORDALIGN rounds up to the next * even multiple of NFF_ALIGNMENT. */ #ifndef __NetBSD__ #define NFF_ALIGNMENT sizeof(nff_int64) #else #define NFF_ALIGNMENT sizeof(long long) #endif #define NFF_WORDALIGN(x) (((x)+(NFF_ALIGNMENT-1))&~(NFF_ALIGNMENT-1)) #define NFF_MAXINSNS 1024 #define NFF_MAXBUFSIZE 0x8000 #define NFF_MINBUFSIZE 32 /* * Structure for BIOCSETF. */ struct nff_program { unsigned int bf_len; struct nff_insn *bf_insns; }; /* * Struct returned by BIOCGSTATS. */ struct nff_stat { unsigned int bs_recv; /* number of packets received */ unsigned int bs_drop; /* number of packets dropped */ }; /* * Struct return by BIOCVERSION. This represents the version number of * the filter language described by the instruction encodings below. * nff understands a program iff kernel_major == filter_major && * kernel_minor >= filter_minor, that is, if the value returned by the * running kernel has the same major number and a minor number equal * equal to or less than the filter being downloaded. Otherwise, the * results are undefined, meaning an error may be returned or packets * may be accepted haphazardly. * It has nothing to do with the source code version. */ struct nff_version { unsigned short bv_major; unsigned short bv_minor; }; /* Current version number of filter architecture. */ #define NFF_MAJOR_VERSION 3 #define NFF_MINOR_VERSION 0 /* * NFF ioctls * * The first set is for compatibility with Sun's pcc style * header files. If your using gcc, we assume that you * have run fixincludes so the latter set should work. */ #if (defined(sun) || defined(ibm032)) && !defined(__GNUC__) #endif /* * Structure prepended to each packet. */ struct nff_hdr { struct timeval bh_tstamp; /* time stamp */ nff_u_int32 bh_caplen; /* length of captured portion */ nff_u_int32 bh_datalen; /* original length of packet */ unsigned short bh_hdrlen; /* length of nff header (this struct plus alignment padding) */ }; /* * Data-link level type codes. */ /* * These are the types that are the same on all platforms; on other * platforms, a should be supplied that defines the additional * DLT_* codes appropriately for that platform (the BSDs, for example, * should not just pick up this version of "nff.h"; they should also define * the additional DLT_* codes used by their kernels, as well as the values * defined here - and, if the values they use for particular DLT_ types * differ from those here, they should use their values, not the ones * here). */ #if !defined(DLT_NULL) #define DLT_NULL 0 /* no link-layer encapsulation */ #endif #if !defined(DLT_EN10MB) #define DLT_EN10MB 1 /* Ethernet (10Mb) */ #endif #if !defined(DLT_EN3MB) #define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */ #endif #if !defined(DLT_AX25) #define DLT_AX25 3 /* Amateur Radio AX.25 */ #endif #if !defined(DLT_PRONET) #define DLT_PRONET 4 /* Proteon ProNET Token Ring */ #endif #if !defined(DLT_CHAOS) #define DLT_CHAOS 5 /* Chaos */ #endif #if !defined(DLT_IEE802) #define DLT_IEEE802 6 /* IEEE 802 Networks */ #endif #if !defined(DLT_ARCNET) #define DLT_ARCNET 7 /* ARCNET */ #endif #if !defined(DLT_SLIP) #define DLT_SLIP 8 /* Serial Line IP */ #endif #if !defined(DLT_PPP) #define DLT_PPP 9 /* Point-to-point Protocol */ #endif #if !defined(DLT_FDDI) #define DLT_FDDI 10 /* FDDI */ #endif /* * These are values from the traditional libpcap "nff.h". * Ports of this to particular platforms should replace these definitions * with the ones appropriate to that platform, if the values are * different on that platform. */ #if !defined(DLT_ATM_RFC1483) #define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */ #endif #if !defined(DLT_RAW) #define DLT_RAW 12 /* raw IP */ #endif /* * These are values from BSD/OS's "bpf.h". * These are not the same as the values from the traditional libpcap * "bpf.h"; however, these values shouldn't be generated by any * OS other than BSD/OS, so the correct values to use here are the * BSD/OS values. * * Platforms that have already assigned these values to other * DLT_ codes, however, should give these codes the values * from that platform, so that programs that use these codes will * continue to compile - even though they won't correctly read * files of these types. */ #if !defined(__NetBSD__) #if !defined(DLT_SLIP_BSDOS) #define DLT_SLIP_BSDOS 15 /* BSD/OS Serial Line IP */ #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif #if !defined(DLT_PPP_BSDOS) #define DLT_PPP_BSDOS 16 /* BSD/OS Point-to-point Protocol */ #endif #endif #if !defined(DLT_ATM_CLIP) #define DLT_ATM_CLIP 19 /* Linux Classical-IP over ATM */ #endif /* * This value is defined by NetBSD; other platforms should refrain from * using it for other purposes, so that NetBSD savefiles with a link * type of 50 can be read as this type on all platforms. */ #if !defined(DLT_PPP_SERIAL) #define DLT_PPP_SERIAL 50 /* PPP over serial with HDLC encapsulation */ #endif /* * This value was defined by libpcap 0.5; platforms that have defined * it with a different value should define it here with that value - * a link type of 104 in a save file will be mapped to DLT_C_HDLC, * whatever value that happens to be, so programs will correctly * handle files with that link type regardless of the value of * DLT_C_HDLC. * * The name DLT_C_HDLC was used by BSD/OS; we use that name for source * compatibility with programs written for BSD/OS. * * libpcap 0.5 defined it as DLT_CHDLC; we define DLT_CHDLC as well, * for source compatibility with programs written for libpcap 0.5. */ #if !defined(DLT_C_HDLC) #define DLT_C_HDLC 104 /* Cisco HDLC */ #endif #if !defined(DLT_CHDLC) #define DLT_CHDLC DLT_C_HDLC #endif /* * Reserved for future use. * Do not pick other numerical value for these unless you have also * picked up the tcpdump.org top-of-CVS-tree version of "savefile.c", * which will arrange that capture files for these DLT_ types have * the same "network" value on all platforms, regardless of what * value is chosen for their DLT_ type (thus allowing captures made * on one platform to be read on other platforms, even if the two * platforms don't use the same numerical values for all DLT_ types). */ #if !defined(DLT_IEEE802_11) #define DLT_IEEE802_11 105 /* IEEE 802.11 wireless */ #endif /* * Values between 106 and 107 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ new types. */ /* * OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except * that the AF_ type in the link-layer header is in network byte order. * * OpenBSD defines it as 12, but that collides with DLT_RAW, so we * define it as 108 here. If OpenBSD picks up this file, it should * define DLT_LOOP as 12 in its version, as per the comment above - * and should not use 108 for any purpose. */ #if !defined(DLT_LOOP) #define DLT_LOOP 108 #endif /* * Values between 109 and 112 are used in capture file headers as * link-layer types corresponding to DLT_ types that might differ * between platforms; don't use those values for new DLT_ new types. */ /* * This is for Linux cooked sockets. */ #if !defined(DLT_LINUX_SLL) #define DLT_LINUX_SLL 113 #endif /* * The instruction encodings. */ /* instruction classes */ #define NFF_CLASS(code) ((code) & 0x0007) #define NFF_LD 0x0000 #define NFF_LDX 0x0001 #define NFF_ST 0x0002 #define NFF_STX 0x0003 #define NFF_ALU 0x0004 #define NFF_JMP 0x0005 #define NFF_RET 0x0006 #define NFF_MISC 0x0007 /* ld/ldx fields */ #define NFF_SIZE(code) ((code) & 0x004F) #define NFF_W 0x0000 #define NFF_H 0x0008 #define NFF_B 0x0010 #define NFF_L 0x0020 #define NFF_D 0x0040 #define NFF_F 0x0080 /* misc */ #define NFF_MISCOP(code) ((code) & 0x100) #define NFF_TAX 0x0000 #define NFF_TXA 0x0100 #define NFF_MODE(code) ((code) & 0x0e00) #define NFF_IMM 0x0000 #define NFF_ABS 0x0200 #define NFF_IND 0x0400 #define NFF_MEM 0x0600 #define NFF_LEN 0x0800 #define NFF_MSH 0x0a00 #define NFF_DSR 0x0c00 /* alu/jmp fields */ #define NFF_OP(code) ((code) & 0xf000) #define NFF_ADD 0x0000 #define NFF_SUB 0x1000 #define NFF_MUL 0x2000 #define NFF_DIV 0x3000 #define NFF_OR 0x4000 #define NFF_AND 0x5000 #define NFF_LSH 0x6000 #define NFF_RSH 0x7000 #define NFF_NEG 0x8000 #define NFF_JA 0x0000 #define NFF_JEQ 0x1000 #define NFF_JGT 0x2000 #define NFF_JGE 0x3000 #define NFF_JSET 0x4000 #define NFF_SRC(code) ((code) & 0x0008) #define NFF_K 0x0000 #define NFF_X 0x0008 /* ret - NFF_K and NFF_X also apply */ #define NFF_RVAL(code) ((code) & 0x0018) #define NFF_A 0x0010 /* * The instruction data structure. */ struct nff_insn { int dsr, type; unsigned short code; unsigned char jt; unsigned char jf; union { int i; float f; char s[8]; nff_int64 k; } data; }; /* * Macros for insn array initializers. */ #define NFF_STMT(code, k) { (unsigned short)(code), 0, 0, k } #define NFF_JUMP(code, k, jt, jf) { (unsigned short)(code), jt, jf, k } #if defined(BSD) && (defined(KERNEL) || defined(_KERNEL)) /* * Systems based on non-BSD kernels don't have ifnet's (or they don't mean * anything if it is in ) and won't work like this. */ # if __STDC__ extern void nff_tap(struct ifnet *, unsigned char *, unsigned int); extern void nff_mtap(struct ifnet *, struct mbuf *); extern void nffattach(struct ifnet *, unsigned int, unsigned int); extern void nffilterattach(int); # else extern void nff_tap(); extern void nff_mtap(); extern void nffattach(); extern void nffilterattach(); # endif /* __STDC__ */ #endif /* BSD && (_KERNEL || KERNEL) */ #if __STDC__ extern int nff_validate(struct nff_insn *, int); extern unsigned int nff_filter(struct nff_insn *, unsigned char *, unsigned int, unsigned int); #else extern int nff_validate(); extern unsigned int nff_filter(); #endif /* * Number of scratch memory words (for NFF_LD|NFF_MEM and NFF_ST). */ #define NFF_MEMWORDS 16 #endif argus-5.0.2/include/net/ppp.h000066400000000000000000000067561471541253600160460ustar00rootroot00000000000000/* * Point to Point Protocol (PPP) RFC1331 * * Copyright 1989 by Carnegie Mellon. * * Permission to use, copy, modify, and distribute this program for any * purpose and without fee is hereby granted, provided that this copyright * and permission notice appear on all copies and supporting documentation, * the name of Carnegie Mellon not be used in advertising or publicity * pertaining to distribution of the program without specific prior * permission, and notice be given in supporting documentation that copying * and distribution is by permission of Carnegie Mellon and Stanford * University. Carnegie Mellon makes no representations about the * suitability of this software for any purpose. It is provided "as is" * without express or implied warranty. */ /* * $Id: //depot/gargoyle/argus/include/net/ppp.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #if !defined(ARGUS_PPP_H) #define ARGUS_PPP_H #define PPP_HDRLEN 4 /* length of PPP header */ #define PPP_ADDRESS 0xff /* The address byte value */ #define PPP_CONTROL 0x03 /* The control byte value */ #define PPP_WITHDIRECTION_IN 0x00 /* non-standard for DLT_PPP_WITHDIRECTION */ #define PPP_WITHDIRECTION_OUT 0x01 /* non-standard for DLT_PPP_WITHDIRECTION */ /* Protocol numbers */ #define PPP_IP 0x0021 /* Raw IP */ #define PPP_OSI 0x0023 /* OSI Network Layer */ #define PPP_NS 0x0025 /* Xerox NS IDP */ #define PPP_DECNET 0x0027 /* DECnet Phase IV */ #define PPP_APPLE 0x0029 /* Appletalk */ #define PPP_IPX 0x002b /* Novell IPX */ #define PPP_VJC 0x002d /* Van Jacobson Compressed TCP/IP */ #define PPP_VJNC 0x002f /* Van Jacobson Uncompressed TCP/IP */ #define PPP_BRPDU 0x0031 /* Bridging PDU */ #define PPP_STII 0x0033 /* Stream Protocol (ST-II) */ #define PPP_VINES 0x0035 /* Banyan Vines */ #define PPP_IPV6 0x0057 /* IPv6 */ #define PPP_COMP 0x00fd /* Compressed Datagram */ #define PPP_HELLO 0x0201 /* 802.1d Hello Packets */ #define PPP_LUXCOM 0x0231 /* Luxcom */ #define PPP_SNS 0x0233 /* Sigma Network Systems */ #define PPP_MPLS_UCAST 0x0281 /* MPLS unicast */ #define PPP_MPLS_MCAST 0x0283 /* MPLS broadcast */ #define PPP_IPCP 0x8021 /* IP Control Protocol */ #define PPP_OSICP 0x8023 /* OSI Network Layer Control Protocol */ #define PPP_NSCP 0x8025 /* Xerox NS IDP Control Protocol */ #define PPP_DECNETCP 0x8027 /* DECnet Control Protocol */ #define PPP_APPLECP 0x8029 /* Appletalk Control Protocol */ #define PPP_IPXCP 0x802b /* Novell IPX Control Protocol */ #define PPP_STIICP 0x8033 /* Strean Protocol Control Protocol */ #define PPP_VINESCP 0x8035 /* Banyan Vines Control Protocol */ #define PPP_IPV6CP 0x8057 /* IPv6 Control Protocol */ #define PPP_CCP 0x80fd /* Compress Control Protocol */ #define PPP_LCP 0xc021 /* Link Control Protocol */ #define PPP_PAP 0xc023 /* Password Authentication Protocol */ #define PPP_LQM 0xc025 /* Link Quality Monitoring */ #define PPP_CHAP 0xc223 /* Challenge Handshake Authentication Protocol */ #define PPP_BACP 0xc02b /* Bandwidth Allocation Control Protocol */ #define PPP_BAP 0xc02d /* BAP */ #define PPP_MP 0xc03d /* Multi-Link */ #define PPP_LCP_CONF_REQ 1 #define PPP_LCP_CONF_ACK 2 #define PPP_LCP_CONF_NACK 3 #define PPP_LCP_CONF_REJ 4 #define PPP_LCP_TERM_REQ 5 #define PPP_LCP_TERM_ACK 6 #define PPP_LCP_CODE_REJ 7 #define PPP_LCP_PROTO_REJ 8 #define PPP_LCP_ECHO_REQ 9 #define PPP_LCP_ECHO_REPLY 10 #define PPP_LCP_DISCARD 11 struct lcp_hdr { unsigned char code, id; unsigned short length; }; #endif argus-5.0.2/include/net/slcompress.h000066400000000000000000000074441471541253600174340ustar00rootroot00000000000000/* * Definitions for tcp compression routines. * * Copyright (c) 1989, 1990, 1992, 1993 Regents of the University of * California. All rights reserved. * * Redistribution and use in source and binary forms are permitted * provided that the above copyright notice and this paragraph are * duplicated in all such forms and that any documentation, * advertising materials, and other materials related to such * distribution and use acknowledge that the software was developed * by the University of California, Berkeley. The name of the * University may not be used to endorse or promote products derived * from this software without specific prior written permission. * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. * * Van Jacobson (van@ee.lbl.gov), Dec 31, 1989: * - Initial distribution. */ /* * $Id: //depot/gargoyle/argus/include/net/slcompress.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ #define MAX_STATES 16 /* must be > 2 and < 256 */ #define MAX_HDR MLEN /* XXX 4bsd-ism: should really be 128 */ /* * Compressed packet format: * * The first octet contains the packet type (top 3 bits), TCP * 'push' bit, and flags that indicate which of the 4 TCP sequence * numbers have changed (bottom 5 bits). The next octet is a * conversation number that associates a saved IP/TCP header with * the compressed packet. The next two octets are the TCP checksum * from the original datagram. The next 0 to 15 octets are * sequence number changes, one change per bit set in the header * (there may be no changes and there are two special cases where * the receiver implicitly knows what changed -- see below). * * There are 5 numbers which can change (they are always inserted * in the following order): TCP urgent pointer, window, * acknowlegement, sequence number and IP ID. (The urgent pointer * is different from the others in that its value is sent, not the * change in value.) Since typical use of SLIP links is biased * toward small packets (see comments on MTU/MSS below), changes * use a variable length coding with one octet for numbers in the * range 1 - 255 and 3 octets (0, MSB, LSB) for numbers in the * range 256 - 65535 or 0. (If the change in sequence number or * ack is more than 65535, an uncompressed packet is sent.) */ /* * Packet types (must not conflict with IP protocol version) * * The top nibble of the first octet is the packet type. There are * three possible types: IP (not proto TCP or tcp with one of the * control flags set); uncompressed TCP (a normal IP/TCP packet but * with the 8-bit protocol field replaced by an 8-bit connection id -- * this type of packet syncs the sender & receiver); and compressed * TCP (described above). * * LSB of 4-bit field is TCP "PUSH" bit (a worthless anachronism) and * is logically part of the 4-bit "changes" field that follows. Top * three bits are actual packet type. For backward compatibility * and in the interest of conserving bits, numbers are chosen so the * IP protocol version number (4) which normally appears in this nibble * means "IP packet". */ /* packet types */ #define TYPE_IP 0x40 #define TYPE_UNCOMPRESSED_TCP 0x70 #define TYPE_COMPRESSED_TCP 0x80 #define TYPE_ERROR 0x00 /* Bits in first octet of compressed packet */ #define NEW_C 0x40 /* flag bits for what changed in a packet */ #define NEW_I 0x20 #define NEW_S 0x08 #define NEW_A 0x04 #define NEW_W 0x02 #define NEW_U 0x01 /* reserved, special-case values of above */ #define SPECIAL_I (NEW_S|NEW_W|NEW_U) /* echoed interactive traffic */ #define SPECIAL_D (NEW_S|NEW_A|NEW_W|NEW_U) /* unidirectional data */ #define SPECIALS_MASK (NEW_S|NEW_A|NEW_W|NEW_U) #define TCP_PUSH_BIT 0x10 argus-5.0.2/include/net/slip.h000066400000000000000000000021221471541253600161750ustar00rootroot00000000000000/* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/gargoyle/argus/include/net/slip.h#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ /* linux does not give us the link level header */ #define SLIP_HDRLEN 16 #define SLX_DIR 0 #define SLX_CHDR 1 #define CHDR_LEN 15 #define SLIPDIR_IN 0 #define SLIPDIR_OUT 1 argus-5.0.2/include/netbsd-include/000077500000000000000000000000001471541253600171725ustar00rootroot00000000000000argus-5.0.2/include/netbsd-include/netinet/000077500000000000000000000000001471541253600206405ustar00rootroot00000000000000argus-5.0.2/include/netbsd-include/netinet/rtp.h000066400000000000000000000030421471541253600216150ustar00rootroot00000000000000 /* * $Id: $ * $DateTime: $ * $Change: $ */ #ifndef _netinet_rtp_h #define _netinet_rtp_h /* RTP Upper Layer Format Numbers H.225 */ #define IPPROTO_RTP 257 #define RTP_PCMU 0 #define RTP_PCMA 8 #define RTP_G722 9 #define RTP_G723 4 #define RTP_G728 15 #define RTP_G729 18 #define RTP_H261 31 #define RTP_H263 34 /* RTP Header as defined in H.225 */ struct rtphdr { #ifdef LITTLE_ENDIAN unsigned char rh_cc:4, /* CSRC count */ rh_x:1, /* extension */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_x:1, /* extension */ rh_cc:4; /* CSRC count */ #endif #ifdef LITTLE_ENDIAN unsigned char rh_pt:7, /* payload type */ rh_mark:1; /* marker */ #else unsigned char rh_mark:1, /* marker */ rh_pt:7; /* payload type */ #endif unsigned short rh_seq; unsigned int rh_time; unsigned int rh_ssrc; }; struct rtcphdr { #ifdef LITTLE_ENDIAN unsigned char rh_rc:5, /* report count */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_rc:5; /* report count */ #endif unsigned char rh_pt; /* payload type */ unsigned short rh_len; unsigned int rh_ssrc; }; struct rtpexthdr { unsigned short profile, length; }; #endif /*!_netinet_rtp_h*/ argus-5.0.2/include/netinet/000077500000000000000000000000001471541253600157405ustar00rootroot00000000000000argus-5.0.2/include/netinet/rtp.h000066400000000000000000000114371471541253600167240ustar00rootroot00000000000000/* * Argus Software. Argus files - main argus processing * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * */ /* * $Id: //depot/gargoyle/argus/include/netinet/rtp.h#4 $ * $DateTime: 2015/04/13 00:39:28 $ * $Change: 2980 $ */ #ifndef _netinet_rtp_h #define _netinet_rtp_h /* RTP Upper Layer Format Numbers */ #define IPPROTO_RTP 257 #define IPPROTO_RTCP 258 #define RTP_VERSION 2 #define RTP_PT_BVC 22 /* Berkeley video codec */ #define RTP_PT_RGB8 23 /* 8-bit dithered RGB */ #define RTP_PT_HDCC 24 /* SGI proprietary */ #define RTP_PT_CELLB 25 /* Sun CellB */ #define RTP_PT_JPEG 26 /* JPEG */ #define RTP_PT_CUSEEME 27 /* Cornell CU-SeeMe */ #define RTP_PT_NV 28 /* Xerox PARC nv */ #define RTP_PT_PICW 29 /* BB&N PictureWindow */ #define RTP_PT_CPV 30 /* Concept/Bolter/Viewpoint codec */ #define RTP_PT_H261 31 /* ITU H.261 */ #define RTP_PT_MPEG 32 /* MPEG-I & MPEG-II */ #define RTP_PT_MP2T 33 /* MPEG-II either audio or video */ #define RTP_PT_H263 34 /* backward compat hack for decoding RTPv1 ivs streams */ #define RTP_PT_H261_COMPAT 127 /* RTP standard content encodings for audio */ #define RTP_PT_PCMU 0 #define RTP_PT_CELP 1 #define RTP_PT_GSM 3 #define RTP_PT_G723 4 #define RTP_PT_DVI 5 #define RTP_PT_LPC 7 #define RTP_PT_PCMA 8 #define RTP_PT_G722 9 #define RTP_PT_G728 15 #define RTP_PT_G729 18 #define RTP_TIME_OFFSET 2208988800UL #define RTP_M 0x0080 #define RTP_P 0x2000 #define RTP_X 0x1000 #define RTCP_PT_SR 200 #define RTCP_PT_RR 201 #define RTCP_PT_SDES 202 #define RTCP_PT_BYE 203 #define RTCP_PT_APP 204 #define RTCP_SDES_MIN 1 #define RTCP_SDES_MAX 7 #define RTCP_SDES_CNAME 1 #define RTCP_SDES_NAME 2 #define RTCP_SDES_EMAIL 3 #define RTCP_SDES_PHONE 4 #define RTCP_SDES_LOC 5 #define RTCP_SDES_TOOL 6 #define RTCP_SDES_NOTE 7 /* RTP Header as defined in H.225 */ struct rtphdr { #ifdef _LITTLE_ENDIAN unsigned char rh_cc:4, /* CSRC count */ rh_x:1, /* extension */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_x:1, /* extension */ rh_cc:4; /* CSRC count */ #endif #ifdef _LITTLE_ENDIAN unsigned char rh_pt:7, /* payload type */ rh_mark:1; /* marker */ #else unsigned char rh_mark:1, /* marker */ rh_pt:7; /* payload type */ #endif unsigned short rh_seq; unsigned int rh_time; unsigned int rh_ssrc; }; struct rtcphdr { #ifdef _LITTLE_ENDIAN unsigned char rh_rc:5, /* report count */ rh_p:1, /* padding */ rh_ver:2; /* version */ #else unsigned char rh_ver:2, /* version */ rh_p:1, /* padding */ rh_rc:5; /* report count */ #endif unsigned char rh_pt; /* payload type */ unsigned short rh_len; unsigned int rh_ssrc; }; struct rtpexthdr { unsigned short profile, length; }; typedef struct { unsigned int high; unsigned int low; } ntp64; /* * Sender report. */ struct rtcp_sr { ntp64 sr_ntp; /* 64-bit ntp timestamp */ unsigned int sr_ts; /* reference media timestamp */ unsigned int sr_np; /* no. packets sent */ unsigned int sr_nb; /* no. bytes sent */ }; /* * Receiver report. * Time stamps are middle 32-bits of ntp timestamp. */ struct rtcp_rr { unsigned int rr_srcid; /* sender being reported */ unsigned int rr_loss; /* loss stats (8:fraction, 24:cumulative)*/ unsigned int rr_ehsr; /* ext. highest seqno received */ unsigned int rr_dv; /* jitter (delay variance) */ unsigned int rr_lsr; /* orig. ts from last rr from this src */ unsigned int rr_dlsr; /* time from recpt of last rr to xmit time */ }; #endif /*!_netinet_rtp_h*/ argus-5.0.2/include/netinet/tcp_fsm.h000066400000000000000000000042111471541253600175420ustar00rootroot00000000000000/* @(#)tcp_fsm.h 1.7 88/08/19 SMI; from UCB 7.1 6/5/86 */ /* * Copyright (c) 1982, 1986 Regents of the University of California. * All rights reserved. The Berkeley software License Agreement * specifies the terms and conditions for redistribution. */ /* * $Id: //depot/gargoyle/argus/include/netinet/tcp_fsm.h#1 $ * $DateTime: 2012/05/01 14:08:47 $ * $Change: 2378 $ */ /* * TCP FSM state definitions. * Per RFC793, September, 1981. */ #ifndef _netinet_tcp_fsm_h #define _netinet_tcp_fsm_h #define TCP_NSTATES 11 #define TCPS_CLOSED 0 /* closed */ #define TCPS_LISTEN 1 /* listening for connection */ #define TCPS_SYN_SENT 2 /* active, have sent syn */ #define TCPS_SYN_RECEIVED 3 /* have send and received syn */ /* states < TCPS_ESTABLISHED are those where connections not established */ #define TCPS_ESTABLISHED 4 /* established */ #define TCPS_CLOSE_WAIT 5 /* rcvd fin, waiting for close */ /* states > TCPS_CLOSE_WAIT are those where user has closed */ #define TCPS_FIN_WAIT_1 6 /* have closed, sent fin */ #define TCPS_CLOSING 7 /* closed xchd FIN; await FIN ACK */ #define TCPS_LAST_ACK 8 /* had fin and close; await FIN ACK */ /* states > TCPS_CLOSE_WAIT && < TCPS_FIN_WAIT_2 await ACK of FIN */ #define TCPS_FIN_WAIT_2 9 /* have closed, fin is acked */ #define TCPS_TIME_WAIT 10 /* in 2*msl quiet wait after close */ #define TCPS_HAVERCVDSYN(s) ((s) >= TCPS_SYN_RECEIVED) #define TCPS_HAVERCVDFIN(s) ((s) >= TCPS_TIME_WAIT) #ifdef TCPOUTFLAGS /* * Flags used when sending segments in tcp_output. * Basic flags (TH_RST,TH_ACK,TH_SYN,TH_FIN) are totally * determined by state, with the proviso that TH_FIN is sent only * if all data queued for output is included in the segment. */ u_char tcp_outflags[TCP_NSTATES] = { TH_RST|TH_ACK, 0, TH_SYN, TH_SYN|TH_ACK, TH_ACK, TH_ACK, TH_FIN|TH_ACK, TH_FIN|TH_ACK, TH_FIN|TH_ACK, TH_ACK, TH_ACK, }; #endif #ifdef KPROF int tcp_acounts[TCP_NSTATES][PRU_NREQ]; #endif #ifdef TCPSTATES char *tcpstates[] = { "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT", "FIN_WAIT_1", "CLOSING", "LAST_ACK", "FIN_WAIT_2", "TIME_WAIT", }; #endif #endif /*!_netinet_tcp_fsm_h*/ argus-5.0.2/lib/000077500000000000000000000000001471541253600134155ustar00rootroot00000000000000argus-5.0.2/lib/argus.spec000066400000000000000000000107441471541253600154200ustar00rootroot00000000000000%define ver 5.0.0 %if %{?rel:0}%{!?rel:1} %define rel 3.8 %endif %if %{?srcext:0}%{!?srcext:1} %define srcext .gz %endif Summary: Argus-5.0 Software Name: argus Version: %ver Release: %rel%{dist} License: see COPYING file Group: Applications/Internet Source: %{name}-%{version}.%{rel}.tar%{srcext} URL: http://qosient.com/argus Buildroot: %{_tmppath}/%{name}-%{version}-root BuildRequires: libpcap-devel BuildRequires: cyrus-sasl-devel BuildRequires: zlib-devel Requires: wget Requires: cyrus-sasl Conflicts: argus-systemd-workstation < 5.0-3.2%{dist}.2 Conflicts: argus-systemd-server < 5.0-3.2%{dist}.2 %description Argus-5.0 is the latest release of Argus (Audit Record Generation And Utilization System), which is a data network transaction auditing tool. The data generated by argus can be used for a wide range of tasks such as network operations, security and performance management. Copyright: (c) 2000-2024 QoSient, LLC %define argusdir /usr %define argusman /usr/share/man %define argusdocs /usr/share/doc/argus %define argusbin %{argusdir}/bin %define argussbin %{argusdir}/sbin %prep %setup -q -n %{name}-%{ver}.%{rel} %build %configure --with-sasl %{?_flexlm:--with-flexlm=%{_flexlm}} make EXTRA_CFLAGS="-ggdb" %install rm -rf $RPM_BUILD_ROOT make DESTDIR="$RPM_BUILD_ROOT" install install -D -m 0600 pkg/argus.conf $RPM_BUILD_ROOT/etc/argus.conf install -D -m 0644 pkg/rhel/sysconfig/argus $RPM_BUILD_ROOT/etc/sysconfig/argus install -D -m 0644 pkg/rhel/systemd/argus.server.service $RPM_BUILD_ROOT%{_unitdir}/argus.server.service install -D -m 0644 pkg/rhel/systemd/argus@.service $RPM_BUILD_ROOT%{_unitdir}/argus@.service install -D -m 0644 pkg/rhel/systemd/argus.workstation.service $RPM_BUILD_ROOT%{_unitdir}/argus.workstation.service install -D -m 0700 pkg/rhel/systemd/argus-setup $RPM_BUILD_ROOT/%{argussbin}/argus-setup install -D -m 0700 pkg/rhel/systemd/argus-setup-numa $RPM_BUILD_ROOT/%{argussbin}/argus-setup-numa install -D -m 0644 pkg/rhel/sasl2/argus.conf $RPM_BUILD_ROOT/etc/sasl2/argus.conf install -D -m 0755 support/Archive/argusarchive $RPM_BUILD_ROOT/%{argusbin}/argusarchive install -d -m 0755 $RPM_BUILD_ROOT/%{argusdocs}/support cp -av support $RPM_BUILD_ROOT/%{argusdocs}/ install -d -m 0755 $RPM_BUILD_ROOT/etc/pam.d %post ln -sf /etc/pam.d/system-auth /etc/pam.d/argus %preun if [ "$1" = 0 ] ; then rm -f /etc/pam.d/argus fi %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %{argussbin}/argus %{argusbin}/argus-airport %{argusbin}/argus-extip %{argusbin}/argus-lsof %{argusbin}/argus-netstat %{argusbin}/argus-snmp %{argusbin}/argus-stumbler %{argusbin}/argus-vmstat %{argusbin}/argus-ipaddr %{argusbin}/argus-top %{argusbin}/argus-ipmitool %{argusbin}/argusbug %{argusbin}/argusarchive %doc %{argusdocs} %{argusman}/man5/argus.conf.5.gz %{argusman}/man8/argus.8.gz %config /etc/argus.conf %config /etc/sasl2/argus.conf %ghost %config(noreplace) /etc/pam.d/argus %package systemd-server Summary: ArgusPro Server Systemd support files Group: Applications/Internet Requires: argus >= %{version}-%{release} Conflicts: argus-systemd-workstation Conflicts: argus < 5.0-3.0%{dist}.2 BuildArch: noarch %description systemd-server Service description and supporting files for QoSient servers %files systemd-server %attr(644,root,root) %{_unitdir}/argus.server.service %attr(644,root,root) %{_unitdir}/argus@.service %{argussbin}/argus-setup %{argussbin}/argus-setup-numa %config /etc/sysconfig/argus %ghost %{_unitdir}/argus.service %post systemd-server ln -f %{_unitdir}/argus.server.service %{_unitdir}/argus.service %preun systemd-server if [ "$1" = 0 ] ; then systemctl stop argus rm -f %{_unitdir}/argus.service fi %postun systemd-server if [ "$1" -ge "1" ]; then service argus condrestart >/dev/null 2>&1 fi %package systemd-workstation Summary: ArgusPro Workstation Systemd support files Group: Applications/Internet Requires: argus >= %{version}-%{release} Conflicts: argus-systemd-server Conflicts: argus < 5.0-3.0.el7.2 BuildArch: noarch %description systemd-workstation Service description and supporting files for QoSient servers %files systemd-workstation %attr(644,root,root) %{_unitdir}/argus.workstation.service %config /etc/sysconfig/argus %ghost %{_unitdir}/argus.service %post systemd-workstation ln -f %{_unitdir}/argus.workstation.service %{_unitdir}/argus.service %preun systemd-workstation if [ "$1" = 0 ] ; then systemctl stop argus rm -f %{_unitdir}/argus.service fi %postun systemd-workstation if [ "$1" -ge "1" ]; then service argus condrestart >/dev/null 2>&1 fi argus-5.0.2/lib/argus.spec.in000066400000000000000000000107761471541253600160320ustar00rootroot00000000000000%define ver @PACKAGE_VERSION@ %if %{?rel:0}%{!?rel:1} %define rel @PACKAGE_RELEASE@ %endif %if %{?srcext:0}%{!?srcext:1} %define srcext .gz %endif Summary: Argus-5.0 Software Name: argus Version: %ver Release: %rel%{dist} License: see COPYING file Group: Applications/Internet Source: %{name}-%{version}.%{rel}.tar%{srcext} URL: http://qosient.com/argus Buildroot: %{_tmppath}/%{name}-%{version}-root BuildRequires: libpcap-devel BuildRequires: cyrus-sasl-devel BuildRequires: zlib-devel Requires: wget Requires: cyrus-sasl Conflicts: argus-systemd-workstation < 5.0-3.2%{dist}.2 Conflicts: argus-systemd-server < 5.0-3.2%{dist}.2 %description Argus-5.0 is the latest release of Argus (Audit Record Generation And Utilization System), which is a data network transaction auditing tool. The data generated by argus can be used for a wide range of tasks such as network operations, security and performance management. Copyright: (c) 2000-2024 QoSient, LLC %define argusdir /usr %define argusman /usr/share/man %define argusdocs /usr/share/doc/argus %define argusbin %{argusdir}/bin %define argussbin %{argusdir}/sbin %prep %setup -q -n %{name}-%{ver}.%{rel} %build %configure --with-sasl %{?_flexlm:--with-flexlm=%{_flexlm}} make EXTRA_CFLAGS="-ggdb" %install rm -rf $RPM_BUILD_ROOT make DESTDIR="$RPM_BUILD_ROOT" install install -D -m 0600 pkg/argus.conf $RPM_BUILD_ROOT/etc/argus.conf install -D -m 0644 pkg/rhel/sysconfig/argus $RPM_BUILD_ROOT/etc/sysconfig/argus install -D -m 0644 pkg/rhel/systemd/argus.server.service $RPM_BUILD_ROOT%{_unitdir}/argus.server.service install -D -m 0644 pkg/rhel/systemd/argus@.service $RPM_BUILD_ROOT%{_unitdir}/argus@.service install -D -m 0644 pkg/rhel/systemd/argus.workstation.service $RPM_BUILD_ROOT%{_unitdir}/argus.workstation.service install -D -m 0700 pkg/rhel/systemd/argus-setup $RPM_BUILD_ROOT/%{argussbin}/argus-setup install -D -m 0700 pkg/rhel/systemd/argus-setup-numa $RPM_BUILD_ROOT/%{argussbin}/argus-setup-numa install -D -m 0644 pkg/rhel/sasl2/argus.conf $RPM_BUILD_ROOT/etc/sasl2/argus.conf install -D -m 0755 support/Archive/argusarchive $RPM_BUILD_ROOT/%{argusbin}/argusarchive install -d -m 0755 $RPM_BUILD_ROOT/%{argusdocs}/support cp -av support $RPM_BUILD_ROOT/%{argusdocs}/ install -d -m 0755 $RPM_BUILD_ROOT/etc/pam.d %post ln -sf /etc/pam.d/system-auth /etc/pam.d/argus %preun if [ "$1" = 0 ] ; then rm -f /etc/pam.d/argus fi %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %{argussbin}/argus %{argusbin}/argus-airport %{argusbin}/argus-extip %{argusbin}/argus-lsof %{argusbin}/argus-netstat %{argusbin}/argus-snmp %{argusbin}/argus-stumbler %{argusbin}/argus-vmstat %{argusbin}/argus-ipaddr %{argusbin}/argus-top %{argusbin}/argus-ipmitool %{argusbin}/argusbug %{argusbin}/argusarchive %doc %{argusdocs} %{argusman}/man5/argus.conf.5.gz %{argusman}/man8/argus.8.gz %config /etc/argus.conf %config /etc/sasl2/argus.conf %ghost %config(noreplace) /etc/pam.d/argus %package systemd-server Summary: ArgusPro Server Systemd support files Group: Applications/Internet Requires: argus >= %{version}-%{release} Conflicts: argus-systemd-workstation Conflicts: argus < 5.0-3.0%{dist}.2 BuildArch: noarch %description systemd-server Service description and supporting files for QoSient servers %files systemd-server %attr(644,root,root) %{_unitdir}/argus.server.service %attr(644,root,root) %{_unitdir}/argus@.service %{argussbin}/argus-setup %{argussbin}/argus-setup-numa %config /etc/sysconfig/argus %ghost %{_unitdir}/argus.service %post systemd-server ln -f %{_unitdir}/argus.server.service %{_unitdir}/argus.service %preun systemd-server if [ "$1" = 0 ] ; then systemctl stop argus rm -f %{_unitdir}/argus.service fi %postun systemd-server if [ "$1" -ge "1" ]; then service argus condrestart >/dev/null 2>&1 fi %package systemd-workstation Summary: ArgusPro Workstation Systemd support files Group: Applications/Internet Requires: argus >= %{version}-%{release} Conflicts: argus-systemd-server Conflicts: argus < 5.0-3.0.el7.2 BuildArch: noarch %description systemd-workstation Service description and supporting files for QoSient servers %files systemd-workstation %attr(644,root,root) %{_unitdir}/argus.workstation.service %config /etc/sysconfig/argus %ghost %{_unitdir}/argus.service %post systemd-workstation ln -f %{_unitdir}/argus.workstation.service %{_unitdir}/argus.service %preun systemd-workstation if [ "$1" = 0 ] ; then systemctl stop argus rm -f %{_unitdir}/argus.service fi %postun systemd-workstation if [ "$1" -ge "1" ]; then service argus condrestart >/dev/null 2>&1 fi argus-5.0.2/logo/000077500000000000000000000000001471541253600136075ustar00rootroot00000000000000argus-5.0.2/logo/argus_logo_medium-6aac34a9.png000066400000000000000000000046731471541253600212410ustar00rootroot00000000000000‰PNG  IHDR·Zú´Çà ‚IDATxÚíÑuÛ6†ÿúø¹GY ¤`ähV^ –¨­ì#/ ' ˆéQ&’¬r“] :]À}àUË2$’ "YÿŽIuñáâ^àüéùùõuBP„›¢7EnŠ"ÜE¸)ŠpS„›¢7EnŠ"ÜE¸)ŠpS„›¢7EnŠ"ÜE¸)ŠpS„›¢7EnŠ"ÜÕ—N»^@‘*ý×FeÉz_pé~½Þ«¢@*K4ñòf×!€üs­²dãò¹ŸšÊ£ƒh à-€¡ü oOh_,]oÈá&Î*^Z¨,I Ÿ¹PîˆZeɨ㽼•ë†uo°ðÞpcç/­\;‰tں߲òÕÙ ö7¶AƒëíZÇØZþjù:u4Ú¥|a…ò™ €¹¢æ ¯‚t«»Š¿ŽèË‹ LünéÜ[)ù»ÑA¤Ì*@»6ü&W(GnM·îÉ&û¯Ä©µõîp¶u°[¾–bÛÔsë R:ˆVrÓŽˆá¸] ežÁ¾ð$¿eÐâ ÀJÑœÁFe[M:ð5ð$ΧnyÃÊÐCÛ*”ÆïÀX ŸÞZÑÀ¼%ÔeÝè z,6ă½¶òa‹ÿ…'•pËúJ <øW‡äcîlO£WÕ°j뀫ög»~v¹ßW¿˜$¦åØQ@P~06ôÆ\û¼›ùò®EÀlq »¬·qŸt´¡$GU8–âÈäà„¶6ý\œ!‘0ðF+&òKW¸—¸cm·ÜÀÀRÑT>_‚ uMT–ÄžÃeÈ®5€¿ ÿ÷Ír½¹¼ €*Kîjì±ÍècD3iÌqE|Œá‰ ì5€QÕäC‰Á©À~'Îvã·Ê’¢û¶Ó;òESM ³±Gƒ]ÖÌÌšN…I^pcxK àÂuž\lxQ‘Ø23¢ v¹ÎªI»êªüåÄòÁ»®ó–ȧÍê®zœ=yWa°•%£–s¼¶!ó¼ÍŒTWGžGš&fm¦‹«>Óûò»|鬡·m;S{Ú!Ñ ou™¯Àã#†û%ö¢]Õ–,-³ÞG¾¶`‹® ¯Ý{Z²ŸÊpŒ ›xཆÛ2µ¨zøÊÖ`K¬‘¹G›³÷6Åãå¹±C/µìèY3¼ûô,ȧ[Q¦<îêá6õVŸÞûcÉŽW%Y?ÆÐäOÃk·¾&N{uägyfÙáÞCÔOÍ¥fŽª´î)4ÛgÅ–ðîQÑ}ÝúAïpV#]K`w2tüüÐ!å)ßÐAôó:­¢wȧãÞá.ÔÚ^b?—Œ»ñ¦r€„XzÕLœ£‰£yÒò·÷MFÏW¨e¥ñI†“}­…è àϦ¡’<úõÞ’<º8¤P¼ü“¢•kŽvâö¶†y‚—¿Tl«#¡ü¾–¼¬Iȧ—M[!?µ€mª ©LºäoSáE9Âĉr\ÑyÑMCÈ•ìÀ¹j´ÍL‘Ë.–Tb¡Ï¶ú ©Š#ÜT]ˆ2ÕAôQÂÞ&œŒ‘×(]•×7Nk@´ÅÕ)€i—i7Šª Sdžûæ=åpr¥ƒè̸GâÓð«,9{¡`§-ãqÊ3ä*K®T–¼’¤S;|là“-¡œ[À~Éåš^ ˆÝ=–ã7\O%õòßÃ]ØUéÕ^8Ø€yº¯¯|a3P?¿ÈµÊ’s÷–·^×ynSmõì…É3 {Ú­î+Üùv !•,ÉO-íVÁ}ÔËϲú•Z2soò|Ä…©}BŸfÚƒvz°ÄáÃFp{(ЄqS¢|çù».wô›B£NßçÍ4ÔgÃkçUp÷ÿ©û£’‰'¯=ô98ìõñ]×BVÆܦÆthÈ dé^F((ó®^P>¿Øqƒ_v¼ç1l® ·÷xSòÐÎÆ›Yf7Vï«øÌÔ)UÛM!’ -ö¬Lö[UÁÝGÏÿ„+¸’!Þ¶©yÕt¿ŸTW~‚ÿ£Ù\B* /´{ÛðÚ6‚•áþbéù“† ÙÇaš»’mwúùŽ‘™ 0b»§Špã±S®-£oØdÔ‘P¤\cÔù~uu-Ún¶½¡·KðåÚ’æã½:ˆ2ckÈ9¸DVeIªƒèæÃ(·G3ÿ.go'¥÷‡Èw*ÕÕH<8>ÀÌB ‘×E@ÅibþõçpÏ<„™Û³':ˆbä…wK¨°Wþ»Ïõ»'+HõÞ­å{R”rPhȪ^†ãQƒ'˜î¯ó¾»šŽÚG¼©U–Œ,£[«Ó²+:‹žx]ßäb•%W:ˆž»Ü¯¢§ F6’3$eˆü Ÿ‰‹M·ÿ8­Iv~…}ûÏ­C'(EÕ€?‚¿“ÿ}{ðXQê9îŒÑál]H8ár¿Ç‘cY(¿X·Mˆe 4¬¹±üݶ¸t*¿»v¶¤éög°fcö=Á<÷Ð7ÈK…¯<Ÿò]H%Ãg^8ÄÝ.À÷±pµF~(éÆw!1iºý§ª!/JÅVuFy}1x¡:M·°ÅòÃ3vª.É娣CÙ ßåâZ0÷Êá=™ç¦‰%úŽÕ“q UX›†¹PUóÂœƒñâù™„Ë 'JxþJeÉ´§sOl€·iôІ±ç{zN0íØñ¶P׎‚Nê+dÐoDU‘¬|1e½Åç4–;„kíŠá@çô&CB¹‘b}ŸßU|ÔbÑŽkiǯm3¥çBv²á¬î7÷Uìl)þ{4Ÿv ë=‡’êîg—ÌŸj.>ûÇ‚Z’$Šp¬”áµ?iÂ}È2M‹iš§›sÿ¸dˆú=›©Ê’3Z‰žûPeªÏøƒæ!܇êµo,ñö‚V"Ü»qÒÃõlgä´ 100G). The default is to not turn this feature on. Commandline equivalent -C .nf \fBARGUS_CAPTURE_FULL_CONTROL_DATA=\fP"yes" .fi .SH ARGUS_CONTROLPLANE_PROTO When \fBARGUS_CAPTURE_FULL_CONTROL_DATA\fP is enabled, you can specify what protocols are control plane protocols. This is whatever you want to specify. The feature assumes non-IP traffic is a control plane protocol, for IP traffic, you can specify protocols, as seen in the /etc/services file, that should be considered control plane. The example below, is just a suggestion. No commandline equivalent .nf \fBARGUS_CONTROLPLANE_PROTO=\fP"sip,udp:name,udp:nicname,udp:domain,udp:netbios-ns,xns-time,udp:ntp,udp:router,udp:ripng,timed,mdns,mdnsresponder,bootps,bootpc" .fi .SH ARGUS_SETUSER_ID Argus can be directed to change its user id using the setuid() system call. This is can used when argus is started as root, in order to access privileged resources, but then after the resources are opened, this directive will cause argus to change its user id value to a 'lesser' capable account. Recommended when argus is running as daemon. Commandline equivalent -u user .nf \fBARGUS_SETUSER_ID=\fPuser .ni .SH ARGUS_SETGROUP_ID Argus can be directed to change its group id using the setgid() system call. This is can used when argus is started as root, in order to access privileged resources, but then after the resources are opened, this directive can be used to change argu's group id value to a 'lesser' capable account. Recommended when argus is running as daemon. Commandline equivalent -g group .nf \fBARGUS_SETGROUP_ID=\fPgroup .fi .SH ARGUS_OUTPUT_FILE Argus can write its output to one or a number of files, default limit is 5 concurrent files, each with their own independant filters. The format is: .nf ARGUS_OUTPUT_FILE=/full/path/file/name ARGUS_OUTPUT_FILE=/full/path/file/name "filter" .fi Most sites will have argus write to a file, for reliablity and performance. The example file name is used here as supporting programs, such as ./support/Archive/argusarchive are configured to use this file. Commandline equivalent -w .nf \fBARGUS_OUTPUT_FILE=\fP/var/log/argus/argus.out .fi .SH ARGUS_OUTPUT_STREAM Argus can write its output to one or a number of remote hosts. The default limit is 5 concurrent output streams, each with their own independant filters. The format is: ARGUS_OUTPUT_STREAM="URI [filter]" ARGUS_OUTPUT_STREAN="argus-udp://host:port 'tcp and not udp'" Most sites will have argus listen() for remote sites to request argus data, but for some sites and applications sending records without registration is desired. This option will cause argus to transmit records that match the optional filter, to the configured targets using UDP as the transport mechanism. Commandline equivalent -w argus-udp://host:port .nf \fBARGUS_OUTPUT_STREAM=\fPargus-udp://224.0.20.21:561 .fi .SH ARGUS_SET_PID When Argus is configured to run as a daemon, with the -d option, Argus can store its pid in a file, to aid in managing the running daemon. However, creating a system pid file requires privileges that may not be appropriate for all cases. When configured to generate a pid file, if Argus cannot create the pid file, it will fail to run. This variable, and the directory the pid is written to, is available to override the default, in case this gets in your way. The default value is to generate a pid. The default path for the pid file, is '/var/run'. No Commandline equivalent .nf \fBARGUS_SET_PID=\fPyes \fBARGUS_PID_PATH=\fP/var/run .SH ARGUS_FLOW_STATUS_INTERVAL Argus will periodically report on a flow's activity every ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is new activity on the flow. This is so that you can get a view into the activity of very long lived flows. The default is 60 seconds, but this number may be too low or too high depending on your uses. The default value is 60 seconds, but argus does support a minimum value of 1. This is very useful for doing measurements in a controlled experimental environment where the number of flows is < 1000. Commandline equivalent -S \fBARGUS_FLOW_STATUS_INTERVAL=\fP60 .SH ARGUS_MAR_STATUS_INTERVAL Argus will periodically report on a its own health, providing interface status, total packet and bytes counts, packet drop rates, and flow oriented statistics. These records can be used as "keep alives" for periods when there is no network traffic to be monitored. The default value is 300 seconds, but a value of 60 seconds is very common. Commandline equivalent -M \fBARGUS_MAR_STATUS_INTERVAL=\fP300 .SH ARGUS_FLOW_TIMEOUTs Argus has a number of flow state timers that specify how long argus will 'remember' the caches of specific flows after they have gone idle. The default values have been chosen to aggresively timeout flow caches to conserve memory utilization. Increasing values can have an impact on argus memory use, so take care when modifying values. The maxium value for any timeout is 65534 seconds. If you think there is a flow type that doesn't have appropriate timeout support, send email to the developer's list, we'll add one for you. \fBARGUS_IP_TIMEOUT=\fP30 \fBARGUS_TCP_TIMEOUT=\fP60 \fBARGUS_ICMP_TIMEOUT=\fP5 \fBARGUS_IGMP_TIMEOUT=\fP30 \fBARGUS_FRAG_TIMEOUT=\fP5 \fBARGUS_ARP_TIMEOUT=\fP5 \fBARGUS_OTHER_TIMEOUT=\fP30 .SH ARGUS_DEBUG_LEVEL If compiled to support this option, Argus is capable of generating a lot of debug information. The default value is zero (0). Commandline equivalent -D \fBARGUS_DEBUG_LEVEL=\fP0 .SH ARGUS_GENERATE_RESPONSE_TIME_DATA Argus can be configured to report on flows in a manner than provides the best information for calculating application reponse times and network round trip times. # The default value is to not generate this data. # # Commandline equivalent -R # #ARGUS_GENERATE_RESPONSE_TIME_DATA=no .SH ARGUS_GENERATE_PACKET_SIZE Argus can be configured to generate packet size information on a per flow basis, which provides the max and min packet size seen . The default value is to not generate this data. Commandline equivalent -Z .nf \fBARGUS_GENERATE_PACKET_SIZE=\fPyes .fi .SH ARGUS_PACKET_SIZE_HISTOGRAM Argus can be configured to generate packet size information on a per flow basis. This includes the ability to generate a logorithmic frequency distribution histogram of the packet sizes seen. All argus clients can print the distribution as a hex number, where each nibble is one of the columns of the logarithmic histogram, and the relative values are from 0-15. 1 generally means that a packet was seen, and 15 handles all packets up and above the last column range. The default value is to not generate this data. No commandline equivalent .nf \fBARGUS_PACKET_SIZE_HISTOGRAM=\fPno .fi .SH ARGUS_GENERATE_JITTER_DATA Argus can be configured to generate packet jitter information on a per flow basis. The default value is to not generate this data. Commandline equivalent -J \fBARGUS_GENERATE_JITTER_DATA=\fPno .SH ARGUS_LOG_DISPLAY_PRIORITY Specify the log level when sending messages to the terminal. The value must be an integer in the range 0..7. These correspond to the eight syslog levels LOG_EMERG through LOG_DEBUG. The default level is LOG_WARNING. Commandline equivalent -k .nf \fBARGUS_LOG_DISPLAY_PRIORITY=4 .fi .SH ARGUS_GENERATE_MAC_DATA Argus can be configured to not provide MAC addresses in it audit data. This is available if MAC address tracking and audit is not a requirement. The default value is to not generate this data. Commandline equivalent -m .nf \fBARGUS_GENERATE_MAC_DATA=\fPno .fi .SH ARGUS_GENERATE_APPBYTE_METRIC Argus can be configured to generate metrics that include the application byte counts as well as the packet count and byte counters. Commandline equivalent -A .nf \fBARGUS_GENERATE_APPBYTE_METRIC=\fPno .fi .SH ARGUS_GENERATE_TCP_PERF_METRIC Argus by default, generates extended metrics for TCP that include the connection setup time, window sizes, base sequence numbers, and retransmission counters. You can suppress this detailed information using this variable. No commandline equivalent .nf \fBARGUS_GENERATE_TCP_PERF_METRIC=\fPyes .fi .SH ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS Argus by default, generates a single pair of timestamps, for the first and last packet seen on a given flow, during the obseration period. For bi-directional flows, this results in loss of some information. By setting this variable to 'yes', argus will store start and ending timestamps for both directions of the flow. No commandline equivalent .nf \fBARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=\fPno .fi .SH ARGUS_CAPTURE_DATA_LEN Argus can be configured to capture a number of user data bytes from the packet stream. The default value is to not generate this data. Commandline equivalent -U .nf \fBARGUS_CAPTURE_DATA_LEN=\fP0 .fi .SH ARGUS_ENCAPS_CAPTURE Argus can also be configured to capture the encapsulation packet headers that it parses. This supports the ability to realize and debug unknown/unexpectred encapsulation headers, as well as provide client based extensions to encapsulation header processing. The default is to not turn this feature on. .nf \fBARGUS_ENCAPS_CAPTURE=\fP"no" .fi .SH ARGUS_FILTER_OPTIMIZER Argus uses the packet filter capabilities of libpcap. If there is a need to not use the libpcap filter optimizer, you can turn it off here. The default is to leave it on. Commandline equivalent -O \fBARGUS_FILTER_OPTIMIZER=\fPyes .SH ARGUS_FILTER You can provide a filter expression here, if you like. It should be limited to 2K in length. The default is to not filter. No Commandline equivalent \fBARGUS_FILTER=\fP"" .SH ARGUS_PACKET_CAPTURE_FILE Argus allows you to capture packets in tcpdump() format if the source of the packets is a tcpdump() formatted file or live packet source. Use this configuration variable to pecify the path to the packet capture file. Argus will generate the file if it doesn't exist. .nf \fBARGUS_PACKET_CAPTURE_FILE=\fP"/var/log/argus/packet.out" .fi .SH ARGUS_PACKET_CAPTURE_ON_PROTO When an \fBARGUS_PACKET_CAPTURE_FILE\fP is specified, argus allows you to capture packets in tcpdump() format based on the protocol headers parsed in the packets. Use this directive to specify the list of protocols of interest. This is a comma separated list of protocol types found in the encapsulation protocols supported in ./include/encapsulations, the protocols seen in /etc/protocols, and the tunnel protocols that can be discovered using the ARGUS_TUNNEL_DISCOVERY directives. .nf \fBARGUS_PACKET_CAPTURE_ON_PROTO=\fP"gre,vxlan,l2tp" .fi .SH ARGUS_PACKET_CAPTURE_ON_ERROR When an \fBARGUS_PACKET_CAPTURE_FILE\fP is specified, argus allows you to capture packets in tcpdump() format when there is a header parsing error in the argus header logic. This is designed to support the development of argus when adding new packet headers parsing to the suite of headers, but is useful in many other conditions. .nf \fBARGUS_PACKET_CAPTURE_ON_ERROR=\fP"no" .fi .SH ARGUS_SSF Argus supports the use of SASL to provide strong authentication and confidentiality protection. The policy that argus uses is controlled through the use of a minimum and maximum allowable protection strength, which is standard for SASL based appliations. Set these variable to control this policy. The default is no security policy. .nf \fBARGUS_MIN_SSF=\fP0 \fBARGUS_MAX_SSF=\fP0 .fi .SH ARGUS_PCAP_BUF_SIZE Argus supports setting the pcap buffer size. You can use the abbreviations K, M, G to specify thousands, millions or billions of bytes. .nf \fBARGUS_PCAP_BUF_SIZE=\fP1G .fi .SH ARGUS_PCAP_DISPATCH_NUM Argus supports setting the number of packets pcap_dispatch() should ask for with each call. -1 is documented as pcap_dispatch() asking for a complete input buffer of packets. The default number of packets is 1. .nf \fBARGUS_PCAP_DISPATCH_NUM=\fP1 .fi .SH ARGUS_ENV Argus supports setting environment variables to enable functions required by the kernel or shared libraries. This feature is intended to support libraries such as the net pf_ring support for libpcap as supported by code at http://public.lanl.gov/cpw/ Setting environment variables in this way does not affect internal argus variable in any way. As a result, you can't set ARGUS_PATH using this feature. Care should must be taken to assure that the value given the variable conform's to your systems putenv.3 system call. You can have as many of these directives as you like. The example below is intended to set a libpcap ring buffer length to 300MB, if your system supports this feature. .nf \fBARGUS_ENV=\fP"PCAP_MEMORY=300000" .fi .SH ARGUS_TUNNEL_PARSING How Argus processes tunnel headers is configurable. default Argus will parse any tunnel header that it encounters, and continue until it reaches an outermost L4 header, the end-to-end headers. Some users may need argus to stop at the first tunnel, or a specific, tunnel protocol. This option if set to "no", will stop processing at the first tunnel protocol header encountered. The default is to turn this feature on. \fBARGUS_TUNNEL_PARSING=\fP"yes" .SH ARGUS_TUNNEL_INFORMATION When Argus is configured to parser through tunnels, it can be configured to capture tunnel features, such as L3 addresses. When this is set to "yes", argus will formulate a flow spec for each tunnel encountered, and store it in a tunnel specific DSR. The default is to not turn this feature on. \fBARGUS_TUNNEL_INFORMATION=\fP"no" .SH ARGUS_TUNNEL_DISCOVERY Argus can be configured to discover tunneling protocols above the UDP transport header, specifically Teredo (IPv6 over UDP). The algorithm is simple and so, having this on by default may generate false tunnel matching. The default is to not turn this feature on. .nf \fBARGUS_TUNNEL_DISCOVERY=\fPno .fi .SH ARGUS_TRACK_DUPLICATES Argus can be configured to identify and track duplicate packets as a separate metric. While the algorithms are traffic type specific, you can use this strategy to identify problems within your packet collection infrastructure. The default is to not turn this feature on, but for some this feature is invaluable. \fBARGUS_TRACK_DUPLICATES=\fP"no" .SH ARGUS_SELF_SYNCHRONIZE Argus can be configured to be self synchronizing with other argi. This involves using state from packets contents to synchronize the flow reporting. # This adds additional complexity for deciding when to export flow records, and could unnecessarily increase the number of argus records generated. We recommend that you use this feature when you really need to. \fBARGUS_SELF_SYNCHRONIZE=\fPyes .SH ARGUS_EVENT_DATA Argus supports the generation of host originated processes to gather additional data and statistics. These include periodic processes to poll for SNMP data, as an example, or to collect host statistics through reading procfs(). Or single run programs that run at a specified time, or under certain conditions. Events are programs that are run from argus itself, and its output is wrapped by an Argus Event message header and sent to the output collection. When these programs are run is a matter of configuration, and the basic strategies are 1) single shot and 2) periodically. Some types of events are best run based on state changes. In particular are the events that provide network status awareness. Events that provide information, such as what is our current BSSID network (argus-airport), or what is our external IP address, (argus-extip), these can run periodically, but they would be best if run when there are network transitions, such as new interface availability, or a new network association. These argus events, are generated from the complete list of ARGUS_EVENT_DATA directives, that are specified here. .nf The syntax is: Syntax is: "method:path|prog:interval[:postproc]" Where: method = [ "file" | "prog" ] pathname | program = "%s" interval = %d[smhd] [ zero means run once ] postproc = [ "compress" | "compress2" ] \fBARGUS_EVENT_DATA=\fP"prog:/usr/local/bin/argus-vms:20s:compress" \fBARGUS_EVENT_DATA=\fP"prog:/usr/local/bin/argus-snmp:1m:compress" \fBARGUS_EVENT_DATA=\fP"file:/proc/vmstat:30s:compress" \fBARGUS_EVENT_DATA=\fP"prog:/usr/bin/uptime:30s" \fBARGUS_EVENT_DATA=\fP"prog:/usr/local/bin/argus-lsof:30s:compress" \fBARGUS_EVENT_DATA=\fP"prog:/usr/local/bin/argus-extip:60s:compress" .fi .SH ARGUS_KEYSTROKE This version of Argus supports keystroke detection and counting for TCP connections, with specific algorithmic support for SSH connections. The ARGUS_KEYSTROKE variable turns the feature on. Values for this variable are: .nf \fBARGUS_KEYSTROKE=\fP"yes" - turn on TCP flow tracking \fBARGUS_KEYSTROKE=\fP"tcp" - turn on TCP flow tracking \fBARGUS_KEYSTROKE=\fP"ssh" - turn on SSH specific flow tracking \fBARGUS_KEYSTROKE=\fP"no" [default] .fi The algorithm uses a number of variables, all of which can be modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a semicolon (';') separated set of variable assignments. Here is the list of supported variables: .nf \fBDC_MIN\fP - (int) Minimum client datagram payload size in bytes \fBDC_MAX\fP - (int) Maximum client datagram payload size in bytes \fBGS_MAX\fP - (int) Maximum server packet gap \fBDS_MIN\fP - (int) Minimum server datagram payload size in bytes \fBDS_MAX\fP - (int) Maximum server datagram payload size in bytes \fBIC_MIN\fP - (int) Minimum client interpacket arrival time (microseconds) \fBLCS_MAX\fP - (int) Maximum something - Not sure what this is \fBGPC_MAX\fP - (int) Maximum client packet gap \fBICR_MIN\fP - (float) Minimum client/server interpacket arrival ratio \fBICR_MAX\fP - (float) Maximum client/server interpacket arrival ratio .fi All variables have default values, this variable is used to override those values. The syntax for the variable is: .nf ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" \fBARGUS_KEYSTROKE\fP="no" \fBARGUS_KEYSTROKE_CONF\fP="" .fi .SH ARGUS_OS_FINGERPRINTING This version of Argus supports operating system fingerprinting through the inclusion of ARGUS_TCP_INIT DSRs in tcp flow reports. Argus itself does not do the fingerprinting, ra* clients use the ARGUS_TCP_INIT DSR to fingerprint using pf.os or nmap like algorithms. .nf \fBARGUS_OS_FINGERPRINTING=\fP"no" .fi .SH ARGUS_GENERATE_HASH_METRICS This version of Argus supports exporting hash values for each flow. \fBARGUS_GENERATE_HASH_METRICS=\fP"yes" .SH ARGUS_HASHTABLE_SIZE This version of Argus supports modifing the default flow classification hash table size using this configuration file. Larger hash table sizes will improve sensor performance by reducing the 'big O' complexity of looking up cached flow records. The default value of 4096 is designed for endpoint sensing, where the number of flows should be < 1M per day. For high performance sensors (40-100G) we recommend > 10M (0x1000000) for the hash table. \fBARGUS_HASHTABLE_SIZE=\fP4096 .RE .SH SEE ALSO .BR argus (8) argus-5.0.2/man/man8/000077500000000000000000000000001471541253600142655ustar00rootroot00000000000000argus-5.0.2/man/man8/argus.8000077500000000000000000000270231471541253600155060ustar00rootroot00000000000000.\" .\" Gargoyle Software .\" Copyright (c) 2000-2024 QoSient, LLC .\" All rights reserved. .\" .TH ARGUS 8 "17 October 2016" "argus 5.0.3.0" .SH NAME argus \- audit record generation and utilization system .SH SYNOPSIS .B argus [ .B options ] [ .B filter expression ] .SH COPYRIGHT Copyright (c) 2000-2024 QoSient, LLC All rights reserved. .SH DESCRIPTION .IX "argus command" "" "\fLargus\fP \(em Internet audit facility" .IX servers argus "" "\fLargus\fP \(em Internet audit facility" .LP .B Argus is a data network transaction auditing tool that categorizes and tracks network packets that match the libpcap filter .I expression into a protocol-specific network flow transaction model. .B Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real-time processing for forensics, trending and alarm/alerting. .LP Designed to run as a daemon, .B argus reads packets directly from a network interface, classifies the packets into network transacations and appends the resulting network flow data to a log file or open socket connected to an .B argus client (such as .BR ra(1) ). .B Argus can also read packet information from .B tcpdump(1) , .B snoop(1) , .B NLANR's Moat Time Sequence Header or .B Endaces ERF raw packet files. \fBArgus\fP can also be configured to append its transaction logs to stdout. .LP .B Argus can provide address based access control for its socket connection facility using .B tcp_wrappers , and it can provide strong authentication and confidentiality protection using .B SASL2 technology. Refer to package documentation to enable each of these services. .SH OPTIONS .TP 5 5 .B \-A Generate application byte metrics in each audit record. .TP 5 5 .B \-b Dump the compiled packet-matching code to stdout and stop. This is used to debug filter expressions. .TP 5 5 .B \-B Specify the bind interface address for remote access. Acceptable values are IP version 4 addresses. The default is to bind to INADDR_ANY address. .TP 5 5 .BI \-c Specify a chroot directory to use after privilege access is complete. Must be super user to use this option. .TP 5 5 .BI \-C Run argus in control plane capture mode. This sets the interface packet snap length to capture full packets, and to enable detailed flow tracking for supported control plane protocols. .TP 5 5 .BI \-d Run argus as a daemon. This will cause argus to do the things that Unix daemons do and return, if there were no errors, with argus running as a detached process. .TP 5 5 .BI \-D Print debug messages to stderr. The higher the \fB\fP the more information printed. Acceptable levels are 1-8. .TP 5 5 .BI \-e Specify the source identifier for this \fBargus\fP. Acceptable values are numbers, strings, hostnames or ip address. Double quotes around the parameter are used to designate the string format. The longest supported string is 4 characeters long. Be sure and single quote or 'escape' the double quotes so that the shell doesn't gooble up the delimiters. This option sets a global Source identifier that can be overriden by specific -i options. .nf argus -e '"arg1"' argus -e \\"arg2\\" .fi .TP 5 5 .BI \-E days Check out a license and cache locally for the specified number of days. Any positive integer is valid but the license server may impose a limit on this value. If the value is zero (0) or the option is not specified, a floating license is requested for the duration of the process. .TP 5 5 .B \-f When reading packets from a packet capture file, the -f option causes argus to not stop when end of file is reached, but rather to wait for additional packets to be appended to the input. The -f option is ignored if the standard input is a pipe, but not if it is a FIFO. .TP 5 5 .B \-F Use \fIconffile\fP as a source of configuration information. Options set in this file override any other specification, and so this is the last word on option values. .TP 5 5 .B \-g Specify a group name to change to after privilege access is complete. .TP 5 5 .B \-h Print an explanation of all the arguments. .TP 5 5 .BI \-i Specify the physical network \fB\fP to be audited. The default is the first network interface that is up and running. The syntax for specifying the interface is the same format used in the argus.conf.5 file. The optional source id specification can be an IPv4 address, an integer, or a string denoted using double quotes. .nf -i interface[/srcid] -i all[/srcid] -i dup:en0,en1/"ap01" ( en0 and en1 are in ingress and egress interfaces ) -i bond:en0,en1/2.3.4.5 ( en0 and en1 are bonded interfaces ) -i en0 en1 ( equivalent '-i bond:en0,en1' ) -i dup:[bond:en0,en1],en2/3 ( in this case 3 is the srcid ) -i en0/"en0" -i en1/"en1" ( equivalent '-i ind:en0/srcid,en1/srcid' ) .fi .TP 5 5 .BI \-J\ Generate packet peformance data in each audit record. .TP 5 5 .B \-k Specify the log level when sending messages to the terminal. The value must be an integer in the range 0..7. These correspond to the eight syslog levels LOG_EMERG through LOG_DEBUG. The default level is LOG_WARNING. .TP 5 5 .B \-M Specify the interval in of argus status records. These records are used to report the internal status of argus itself. The default is 300 seconds. .TP 5 5 .B \-m Provide MAC addresses information in \fBargus\fP records. .TP 5 5 .B \-N | Specify the number of packets to process. You can give an absolute number, or a range with the syntax "start-stop". Examples are: -N 27 - read the first 27 packets. -N 1034-1434 - read 100 packets starting with 1034. .TP 5 5 .B \-O Turn off Berkeley Packet Filter optimizer. No reason to do this unless you think the optimizer generates bad code. .TP 5 5 .B \-p Do not set the physical network interface in promiscuous mode. If the interface is already in promiscuous mode, this option may have no effect. Do this to audit only the traffic coming to and from the system argus is running on. .TP 5 5 .BI \-P Specifies the \fB\fP for remote client connection. The default is to not support remote access. Setting the value to zero (0) will forceably turn off the facility. .TP 5 5 .B \-r <[type:]file [type:]file ... > Read from .B tcpdump(1) , .B snoop(1) or .B NLANR's Moat Time Sequence Header (tsh) packet capture files. If the packet capture file is a \fBtsh\fP format file, then the \fB-t\fP option must also be used. The file "-" specifies stdin as the source of packets. The \fBtype\fP provides the opportunity to specify what type of packet source to expect and process. Supported types are '' (default) and 'cisco', where argus will process the payload of packets as netflow records, when found. Argus will read from only one input packet file at a time, and will open the files in lexigraphic order. Care should be taken to ensure that the timestamps in the packets are ordered, or unexpected behavior may result. If the .B \-r option is specified, .B argus will not put down a .B listen(2) to support remote access. .TP 5 5 .BI \-R Generate argus records such that response times can be derived from transaction data. .TP 5 5 .B \-s Specify the packet snaplen. .TP 5 5 .B \-S Specify the status reporting interval in for all traffic flows. .TP 5 5 .B \-t Indicate that the expected packet capture input file is a .B NLANR's Moat Time Sequence Header (tsh) packet capture file. .TP 5 5 .B \-T timescale Specify a playback timescale for realtime processing of input packets. .TP 5 5 .B \-u Specify an account name to change to after privilege access is complete. .TP 5 5 .B \-U Specify the number of user bytes to capture. .TP 5 5 .B \-w Append transaction status records to \fIoutput-file\fP or write records to the URL based stream. Supported stream URLs are 'argus-udp://host[:port]', where the default port is 561. An \fIoutput-file\fP of '-' directs \fBargus\fP to write the resulting \fIargus-file\fP output to \fIstdout\fP. .TP 5 5 .B \-X Clear existing argus configuration. This removes any initialization done prior to encountering this flag. Allows you to eliminate the effects of the \fI/etc/argus.conf\fP file, or any argus.conf files that may have been loaded. .TP 5 5 .B \-Z Collect packet size information. This options turns on packet size reporting for all flows. Argus will provide the mean, max, min and standard deviation of the packet sizes seen during the flow status interval. .TP 5 5 .B \fIexpression\fP This .B tcpdump(1) expression specifies which transactions will be selected. If no \fIexpression\fP is given, all transactions are selected. Otherwise, only transactions for which \fIexpression\fP is `true' will be dumped. For a complete \fIexpression\fP format description, please refer to the .B tcpdump(1) man page. .SH SIGNALS \fBArgus\fP catches a number of \fBsignal(3)\fP events. The three signals \fBSIGHUP\fP, \fBSIGINT\fP, and \fBSIGTERM\fP cause \fBargus\fP to exit, writing TIMEDOUT status records for all currently active transactions. The signal \fBSIGUSR1\fP will turn on \fBdebug\fP reporting, and subsequent \fBSIGUSR1\fP signals, will increment the \fBdebug-level\fP. The signal \fBSIGUSR2\fP will cause \fBargus\fP to turn off all \fBdebug\fP reporting. .SH FILES .nf /etc/argus.conf - argus daemon configuration file /var/run/argus.#.#.pid - PID file .fi .SH EXAMPLES .LP Run \fBargus\fP as a daemon, writing all its transaction status reports to \fIoutput-file\fP. This is the typical mode. .RS .nf \fBargus -d -e `hostname` -w \fIoutput-file\fP .fi .RE .LP If ICMP traffic is not of interest to you, you can filter out ICMP packets on input. .RS .nf \fBargus -w \fIoutput-file\fP - ip and not icmp .fi .RE .LP Argus supports both input filtering and output filtering, and argus supports multiple output streams, each with their own independant filters. Output streams can be written to udp based sockets, to unicast or multicast addresses. If you are interested in tracking IP traffic only (input filter) and want to report ICMP traffic to one output stream, and all other IP traffic in another output stream. .RS .nf \fBargus -w \fIargus-udp://224.0.20.21:561\fP "icmp" \\ -w \fIargus-udp://224.0.20.21:562\fP "not icmp" - ip .fi .RE .LP Audit the network activity that is flowing between the two gateway routers, whose ethernet addresses are 00:08:03:2D:42:01 and 00:00:0C:18:29:F1. Without specifying an \fIoutput-file\fP, it is assumed that the transaction status reports will be written to a remote client. In this case we have changed the port that the remote client will use to port 430/tcp. .RS .nf \fBargus -P 430 ether host (0:8:3:2d:42:1 and 0:0:c:18:29:f1)\fP & .fi .RE .LP Audit each individual ICMP ECHO transaction from data in . You would do this to gather Round Trip Time (RTT) data within your network. Append the output to \fIoutput-file\fP. .RS .nf \fBargus -R dir -w \fIoutput-file\fP "echo" - icmp .fi .RE .LP Audit all NFS transactions involving the server \fIfileserver\fP and increase the reporting interval to 3600 seconds (to provide high data reduction). Append the output to \fIoutput-file\fP. .RS .nf \fBargus -S 3600 -w \fIoutput-file\fP - host fileserver and udp and port 2049\fP & .fi .RE .LP Import flow data from pcap file containing Cisco flow data packets. Write output to stdout, to a \fIra.1\fP instance. .RS .nf \fBargus -r \fIcisco:pcap-file\fP -w - | ra .f .RE .SH AUTHORS .nf Carter Bullard (carter@qosient.com) .SH SEE ALSO .BR hosts_access (5), .BR hosts_options (5), .BR tcpd (8), .BR tcpdump (1) argus-5.0.2/pkg/000077500000000000000000000000001471541253600134305ustar00rootroot00000000000000argus-5.0.2/pkg/README000066400000000000000000000025021471541253600143070ustar00rootroot00000000000000######################################################################## Note: These materials are a work-in-progress ... ######################################################################## /* * Argus Software. Tools to read, analyze and manage Argus data. * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ * */ Argus 5.0 QoSient, LLC argus@qosient.com http://qosient.com/argus This directory tree contains files used to run argus as a daemon on various types of systems, supporting init.d, systemd and sysconfig. Files that reside in this directory are default argus configurations which are common across all distributions. argus-5.0.2/pkg/argus.conf000066400000000000000000000645731471541253600154370ustar00rootroot00000000000000# # Argus-5.0 Software # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE=value # VARIABLE="compound values" # # with no white space between the VARIABLE and the '=' sign. # # # Comments # # Comments are supported using a '#' as the first character # in the string, such as this string that you are reading. # # Embedded comments are supported preceeded by a " //" as you # see in the C language. The preceeding white space is very important. # The space or tab is absolutely required to delimit the end of the # variable values and the beginning of the comment. Without the space, # the comment will be included as a part of the configuration variable. # # VARIABLE=value // comment # VARIABLE="compound values" // comment # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX', # 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can # be configured to # formulate key strategies from a list of # the specific objects that the Argus understands. See the # man page for a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" #ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # In the examples seen in the ./support/Startup/argus scripts, # this value is set to "yes", as the system startup strategy # requires the program to daemonize themselves, returning a value # to the system, hopefully quickly. Some systems, however, want # to daemonize the tasks themselves, and those cases, the value # must be set to "no". # # The default value is to not run as a daemon. # # Commandline equivalent -d # ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and argus suppors a number of # formats as legitimate values. Argus support unsigned ints, IPv4 # addresses and 4 bytes strings, as values. # # The formats are discerned from the values provided. Double-quoted # values are treated as strings, and are truncated to 4 characters. # not, then they are tested wheter they are numbers. # # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" and # "`hostuuid`" for assigning the probe's id. This is to support # general management of larger deployments, so you can have one # argus.conf file that works for a lot of probes. # # The use of `hostuuid` is targeted at Linux and Apple computers. # # With Argus V5 (gargoyle), the srcid formats are extended to include # 64-bit values, designed primarily to provide interface identifiers, # in addition to a 32-bit probe id, as well as to support IPv6 addresses # as identifiers. Interface string extensions are added when the keyword # "inf" is added as the ARGUS_MONITOR_ID specifier. # # The syntax for the monitor id, srcid, is: # [type:/]sid[/inf] # where type can be: # int, str, ipv4, ipv6, uuid # # where sid can be: # int, "string", ipv4, ipv6, uuid # # where inf is: # char[4] # # Examples include: # fe80::1 # 192.168.8.68 # 2345/en0 # ipv4:/192.168.8.68/en1 # 5E487EDE-B311-5E80-B69F-967E5E6C7A9F/en0 # uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F # # Commandline equivalent -e # # ARGUS_MONITOR_ID=`hostuuid` # With Argus V5 (gargoyle), the srcid formats are extended to include # 160-bit values (128-bit sid + 32-bit inf), designed primarily to provide # support for 128-bit uuid's and IPv6 addrs, as well as interface identifiers. # Interface string extensions are not added to ARGUS_MONITOR_ID specifier, unless # you are hard coding the interface name for a specific observation domain, # this is done int he ARGUS_INTERFACE specification. # # To add the semantic that the default "mon0" is a part of this MONITOR_ID, # set the new ARGUS_MONITOR_ID_INDLUCE_INF to "yes". To turn it off, set # it to "no". "No" is the default behavior. ARGUS_MONITOR_ID_INCLUDE_INF=yes # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # ARGUS_ACCESS_PORT=561 # Port 562 would be used, if radium.1 is used to provide access on port 561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # ARGUS_BIND_IP="::1,127.0.0.1" #ARGUS_BIND_IP="::1,127.0.0.1,x.y.z.w" #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option., # # 4. parallel - hardware packet capture cards can be used to deliver # packets to a set of CPUs to gain highly parallel processing. # The hardware strategy enables a set of argi to process a # single packet stream, independently, generating a collective # output that represents the flow record output of the single # stream. Argus will need to spawn threads to open and process # a number of devices, and then merge the output to generate # a single time sorted flow output stream. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i para:en0,en1,en2/srcid # -i para:en[0...x]/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. # # Commandline equivalent -i # #ARGUS_INTERFACE=any ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=ind:en0/"en0",en2/19234 #ARGUS_INTERFACE=en0 #ARGUS_MONITOR_ID=inf // Interface name #ARGUS_MONITOR_ID=10.2.45.3:inf // ARGUS_ID + Interface name # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is goes into prmiscuous mode. # # Commandline equivalent -p # ARGUS_GO_PROMISCUOUS=no # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c dir # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be configured to enable detailed control plane # flow monitoring for specific control plane protocols. # # This feature requires full packet capture for the monitored # interface in order to capture the complete control plane # protocol, and will have a performance impact on the sensor. # # The default is to not turn this feature on. # # Commandline equivalent -C # ARGUS_CAPTURE_FULL_CONTROL_DATA=yes ARGUS_CONTROLPLANE_PROTO="sip,udp:name,udp:nicname,udp:domain,udp:netbios-ns,xns-time,udp:ntp,udp:router,udp:ripng,timed,mdns,mdnsresponder,bootps,bootpc" # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAM="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model, using Unix sockets. Argus supports the use of # TCP/IP sockets for remote delivery, by default, and UNIX_DOMAIN sockets # for distribution within the OS, as an option. # # ARGUS_OUTPUT_STREAM=domain://path/to/socket/argus.socket # ARGUS_OUTPUT_STREAM=domain://var/run/com.qosient.argus.socket # ARGUS_OUTPUT_STREAM=domain://tmp/com.qosient.argus.socket # # But for some sites and applications, pushing records without explicit registration # is desired. This option will cause argus to transmit records that match the # optional filter, to the configured targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # #ARGUS_SET_PID=yes #ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=5 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # The maxium value for any timeout is 65534 seconds. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # #ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # ARGUS_GENERATE_RESPONSE_TIME_DATA=yes # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # ARGUS_GENERATE_PACKET_SIZE=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # ARGUS_GENERATE_JITTER_DATA=yes # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # ARGUS_CAPTURE_DATA_LEN=128 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus allows you to capture packets in tcpdump() format if the source # of the packets is a tcpdump() formatted file or live packet source. # # Specify the path to the packet capture file here. # # Argus can be further configured to either capture all packets (default) that # it receives, or to capture only the packets that cause internal errors, # such as those that can't be classified into an appropritate flow model. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" #ARGUS_PACKET_CAPTURE_ON_ERROR="no" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting the pcap buffer size, a feature provided # by libpcap. You can use the abbreviations K, M, G to specify # thousands, millions or billions of bytes. # #ARGUS_PCAP_BUF_SIZE=1G # Argus supports setting the number of packets pcap_dispatch() # should ask for with each call. -1 is documented as pcap_dispatch() # asking for a complete input buffer of packets. The default # number of packets is 1. # # Normally you would leave this for high demand systems, however # you may want to set the value to 1 to assure timely processing # of packet data. ARGUS_PCAP_DISPATCH_NUM=-1 # Argus supports setting the pcap buffer size. # You can use the abbreviations K, M, G to specify # thousands, millions or billions of bytes. # #ARGUS_PCAP_BUF_SIZE=1G # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and so, having # this on by default may generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to identify and track duplicate # packets as a separate metric. While the algorithms are # traffic type specific, you can use this strategy to # identify problems within your packet collection infrastructure. # The default is to not turn this feature on. #ARGUS_TRACK_DUPLICATES="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional data and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time, or under # certain conditions. # # Events are programs that are run from argus itself, and # its output is wrapped by an Argus Event message header and # sent to the output collection. # # When these programs are run is a matter of configuration, # and the basic strategies are 1) single shot and 2) periodically. # Some types of events are best run based on state changes. # In particular are the events that provide network status awareness. # Events that provide information, such as what is our current # BSSID network (argus-airport), or what is our external IP address, # (argus-extip), these can run periodically, but they would # be best if run when there are network transitions, such as # new interface availability, or a new network association. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives, that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-extip:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-airport:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-stumbler:60s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes (48) # DC_MAX - (int) Maximum client datagram payload size in bytes (128) # GS_MAX - (int) Maximum server packet gap (3) # DS_MIN - (int) Minimum server datagram payload size in bytes (24) # DS_MAX - (int) Maximum server datagram payload size in bytes (256) # IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap (3) # ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816) # ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122) # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # ARGUS_KEYSTROKE="tcp" ARGUS_KEYSTROKE_CONF="DC_MIN=32;GPC_MAX=5" # This version of Argus supports operating system fingerprinting through # the inclusion of ARGUS_TCP_INIT DSRs in tcp flow reports. Argus itself # does not do the fingerprinting, ra* clients use the ARGUS_TCP_INIT DSR # to fingerprint using pf.os or nmap like algorithms. #ARGUS_OS_FINGERPRINTING="no" # This version of Argus supports exporting hash values for each flow. ARGUS_GENERATE_HASH_METRICS="yes" # This version of Argus supports modifing the flow classification # hash table size from the configuration file. # # Depending on the number of simultaneous flow you expect your # argus to process, this number can be reduced to reduce the memory # requirements for a base sensor; or increase, when you have lots # of memory. The default value is very memory conserving, for endpoints. ARGUS_HASHTABLE_SIZE=8192 argus-5.0.2/pkg/init.d/000077500000000000000000000000001471541253600146155ustar00rootroot00000000000000argus-5.0.2/pkg/init.d/argus000077500000000000000000000053561471541253600156750ustar00rootroot00000000000000#!/bin/sh # # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Permission to use, copy, modify, and distribute this software and # its documentation for any purpose and without fee is hereby granted, # provided that the above copyright notice appear in all copies and # that both that copyright notice and this permission notice appear # in supporting documentation, and that the name of QoSient not be # used in advertising or publicity pertaining to distribution of the # software without specific, written prior permission. # # QOSIENT, LLC DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS # SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND # FITNESS, IN NO EVENT SHALL QOSIENT, LLC BE LIABLE FOR ANY # SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER # RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF # CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN # CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # # argus This shell script takes care of starting and stopping # argus, on RH Linux. Should be useful for other versions. # # chkconfig: 2345 55 45 # description: argus-3.0 generates network transaction audit records. # processname: argus # config: /etc/argus.conf # Source function library. if [ -f /etc/init.d/functions ]; then . /etc/init.d/functions fi # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ .${NETWORKING} = ."no" ] && exit 1 # # The assumption here is that /etc/argus.conf specifies ARGUS_DAEMON=no. # If not the system will hang running argus. If this is not set to the # default, change DAEMON_ARGS in /etc/sysconfig/argus # DAEMON_ARGS="-d" # Set argus path by defining $ARGUSHOME for this script. # If argus was installed in another way, modify /etc/sysconfig/argus # to specify ARGUSDIR where the argus binary was installed. ARGUSDIR=/usr/sbin # Source argus configuration. . /etc/sysconfig/argus ARGUSHOME=$ARGUSDIR export PATH=$ARGUSHOME:$PATH [ -f $ARGUSHOME/argus ] || exit 1 RETVAL=0 start() { # Start daemons. echo -n "Starting argus: " argus $DAEMON_ARGS > /dev/null 2>&1 && success || failure RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/argus echo } stop() { # Stop daemons. echo -n "Shutting down argus: " killproc argus RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/argus echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/argus ]; then stop start RETVAL=$? fi ;; status) status argus RETVAL=$? ;; *) echo "Usage: argus {start|stop|restart|condrestart|status}" exit 1 ;; esac exit $RETVAL argus-5.0.2/pkg/osx/000077500000000000000000000000001471541253600142415ustar00rootroot00000000000000argus-5.0.2/pkg/osx/osx-pkg/000077500000000000000000000000001471541253600156315ustar00rootroot00000000000000argus-5.0.2/pkg/osx/osx-pkg/Contents/000077500000000000000000000000001471541253600174265ustar00rootroot00000000000000argus-5.0.2/pkg/osx/osx-pkg/Contents/MacOS/000077500000000000000000000000001471541253600203705ustar00rootroot00000000000000argus-5.0.2/pkg/osx/osx-pkg/Contents/MacOS/etc/000077500000000000000000000000001471541253600211435ustar00rootroot00000000000000argus-5.0.2/pkg/osx/osx-pkg/Contents/MacOS/etc/argus.conf000077500000000000000000000657361471541253600231570ustar00rootroot00000000000000# # Argus-5.0 Software # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE=value # VARIABLE="compound values" # # with no white space between the VARIABLE and the '=' sign. # # # Comments # # Comments are supported using a '#' as the first character # in the string, such as this string that you are reading. # # Embedded comments are supported preceeded by a " //" as you # see in the C language. The preceeding white space is very important. # The space or tab is absolutely required to delimit the end of the # variable values and the beginning of the comment. Without the space, # the comment will be included as a part of the configuration variable. # # VARIABLE=value // comment # VARIABLE="compound values" // comment # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX', # 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can # be configured to # formulate key strategies from a list of # the specific objects that the Argus understands. See the # man page for a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" #ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # In the examples seen in the ./support/Startup/argus scripts, # this value is set to "yes", as the system startup strategy # requires the program to daemonize themselves, returning a value # to the system, hopefully quickly. Some systems, however, want # to daemonize the tasks themselves, and those cases, the value # must be set to "no". # # The default value is to not run as a daemon. # # Commandline equivalent -d # ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and argus suppors a number of # formats as legitimate values. Argus support unsigned ints, IPv4 # addresses and 4 bytes strings, as values. # # The formats are discerned from the values provided. Double-quoted # values are treated as strings, and are truncated to 4 characters. # not, then they are tested wheter they are numbers. # # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" and # "`hostuuid`" for assigning the probe's id. This is to support # general management of larger deployments, so you can have one # argus.conf file that works for a lot of probes. # # The use of `hostuuid` is targeted at Linux and Apple computers. # # With Argus V5 (gargoyle), the srcid formats are extended to include # 64-bit values, designed primarily to provide interface identifiers, # in addition to a 32-bit probe id, as well as to support IPv6 addresses # as identifiers. Interface string extensions are added when the keyword # "inf" is added as the ARGUS_MONITOR_ID specifier. # # The syntax for the monitor id, srcid, is: # [type:/]sid[/inf] # where type can be: # int, str, ipv4, ipv6, uuid # # where sid can be: # int, "string", ipv4, ipv6, uuid # # where inf is: # char[4] # # Examples include: # fe80::1 # 192.168.8.68 # 2345/en0 # ipv4:/192.168.8.68/en1 # 5E487EDE-B311-5E80-B69F-967E5E6C7A9F/en0 # uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F # # Commandline equivalent -e # # #ARGUS_MONITOR_ID=`hostname` // IPv4 address returned #ARGUS_MONITOR_ID=10.2.45.3 // IPv4 address #ARGUS_MONITOR_ID=2435 // Number #ARGUS_MONITOR_ID="en0" // String # With argus-v5, srcid's can include uuids, and traditional id's + interface names #ARGUS_MONITOR_ID=uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F/inf ARGUS_MONITOR_ID=`hostuuid` #ARGUS_MONITOR_ID=inf // Interface name #ARGUS_MONITOR_ID=10.2.45.3/en0 // ARGUS_ID + Interface name #ARGUS_MONITOR_ID=192.168.8.68 // IPv4 address #ARGUS_MONITOR_ID=uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F # With Argus V5 (gargoyle), the srcid formats are extended to include # 160-bit values (128-bit sid + 32-bit inf), designed primarily to provide # support for 128-bit uuid's and IPv6 addrs, as well as interface identifiers. # Interface string extensions are not added to ARGUS_MONITOR_ID specifier, unless # you are hard coding the interface name for a specific observation domain, # this is done int he ARGUS_INTERFACE specification. # # To add the semantic that the default "mon0" is a part of this MONITOR_ID, # set the new ARGUS_MONITOR_ID_INDLUCE_INF to "yes". To turn it off, set # it to "no". "No" is the default behavior. ARGUS_MONITOR_ID_INCLUDE_INF=yes # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # ARGUS_ACCESS_PORT=562 # Port 562 would be used, if radium.1 is used to provide access on prot 561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # ARGUS_BIND_IP="::1,127.0.0.1" #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option., # # 4. parallel - hardware packet capture cards can be used to deliver # packets to a set of CPUs to gain highly parallel processing. # The hardware strategy enables a set of argi to process a # single packet stream, independently, generating a collective # output that represents the flow record output of the single # stream. Argus will need to spawn threads to open and process # a number of devices, and then merge the output to generate # a single time sorted flow output stream. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i para:en0,en1,en2/srcid # -i para:en[0...x]/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. # # Commandline equivalent -i # #ARGUS_INTERFACE=any ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=ind:en0/"en0",en2/19234 #ARGUS_INTERFACE=en0 #ARGUS_MONITOR_ID=inf // Interface name #ARGUS_MONITOR_ID=10.2.45.3:inf // ARGUS_ID + Interface name # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is goes into prmiscuous mode. # # Commandline equivalent -p # ARGUS_GO_PROMISCUOUS=no # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c dir # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be configured to enable detailed control plane # flow monitoring for specific control plane protocols. # # This feature requires full packet capture for the monitored # interface in order to capture the complete control plane # protocol, and will have a performance impact on the sensor. # # The default is to not turn this feature on. # # Commandline equivalent -C # ARGUS_CAPTURE_FULL_CONTROL_DATA=yes ARGUS_CONTROLPLANE_PROTO="sip,udp:name,udp:nicname,udp:domain,udp:netbios-ns,xns-time,udp:ntp,udp:router,udp:ripng,timed,mdns,mdnsresponder,bootps,bootpc" # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAM="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model, using Unix sockets. Argus supports the use of # TCP/IP sockets for remote delivery, by default, and UNIX_DOMAIN sockets # for distribution within the OS, as an option. # #ARGUS_OUTPUT_STREAM=domain://path/to/socket/argus.socket #ARGUS_OUTPUT_STREAM=domain://var/run/com.qosient.argus.socket #ARGUS_OUTPUT_STREAM=domain://tmp/com.qosient.argus.socket # # # But for some sites and applications, pushing records without explicit registration # is desired. This option will cause argus to transmit records that match the # optional filter, to the configured targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # #ARGUS_SET_PID=yes #ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=5 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # The maxium value for any timeout is 65534 seconds. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # #ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # #ARGUS_GENERATE_RESPONSE_TIME_DATA=no # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # #ARGUS_GENERATE_PACKET_SIZE=yes #ARGUS_PACKET_SIZE_HISTOGRAM=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # #ARGUS_GENERATE_JITTER_DATA=yes # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream. # # The default value is to not generate this data. # # Commandline equivalent -U # ARGUS_CAPTURE_DATA_LEN=64 # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus supports generating packet capture files in tcpdump() format if # the source of the packets is a tcpdump() formatted file or live packet # source. # # Specify the path to the packet capture file here. # # Argus can be further configured to either capture all packets (default) that # it receives, or to capture only the packets that cause internal errors, # such as those that can't be classified into an appropritate flow model. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" #ARGUS_PACKET_CAPTURE_ON_ERROR="no" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting the pcap buffer size. # You can use the abbreviations K, M, G to specify # thousands, millions or billions of bytes. # #ARGUS_PCAP_BUF_SIZE=1G # Argus supports setting the number of packets pcap_dispatch() # should ask for with each call. -1 is documented as pcap_dispatch() # asking for a complete input buffer of packets. The default # number of packets is 1. #ARGUS_PCAP_DISPATCH_NUM=1 # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and should be # considered experimental. Having this on by default may # generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to identify and track duplicate # packets as a separate metric. While the algorithms are # traffic type specific, you can use this strategy to # identify problems within your packet collection infrastructure. # The default is to not turn this feature on, but for some # this feature is invaluable. #ARGUS_TRACK_DUPLICATES="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # # This adds additional complexity for deciding when to export # flow records, and could unnecessarily increase the number # of argus records generated. We recommend that you use this # feature when you really need to. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional metadata and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time, or under # certain conditions. # # Events are programs that are run from argus itself, and # its output is wrapped by an Argus Event message header and # sent to the output collection stream. # # When these programs are run is a matter of configuration, # and the basic strategies are 1) single shot and 2) periodically. # Some types of events are best run based on state changes. # In particular are the events that provide network status awareness. # Events that provide information, such as what is our current # BSSID network (argus-airport), or what is our external IP address, # (argus-extip), these can run periodically, but they would # be best if run when there are network transitions, such as # new interface availability, or a new network association. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives, that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-extip:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-airport:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-stumbler:60s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes (48) # DC_MAX - (int) Maximum client datagram payload size in bytes (128) # GS_MAX - (int) Maximum server packet gap (3) # DS_MIN - (int) Minimum server datagram payload size in bytes (24) # DS_MAX - (int) Maximum server datagram payload size in bytes (256) # IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap (3) # ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816) # ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122) # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # ARGUS_KEYSTROKE="ssh" ARGUS_KEYSTROKE_CONF="DC_MIN=32;GPC_MAX=5" # This version of Argus supports operating system fingerprinting through # the inclusion of ARGUS_TCP_INIT DSRs in tcp flow reports. Argus itself # does not do the fingerprinting, ra* clients use the ARGUS_TCP_INIT DSR # to fingerprint using pf.os or nmap like algorithms. #ARGUS_OS_FINGERPRINTING="no" # This version of Argus supports exporting hash values for each flow. ARGUS_GENERATE_HASH_METRICS="yes" # This version of Argus supports modifing the default flow classification # hash table size using this configuration file. Larger hash table sizes will # improve sensor performance by reducing the 'big O' complexity of looking # up cached flow records. # # The default value of 4096 is designed for endpoint sensing, where the number # of flows should be < 1M per day. For high performance sensors (40-100G) we # recommend > 10M (0x1000000) for the hash table. ARGUS_HASHTABLE_SIZE=4096 argus-5.0.2/pkg/sysconfig/000077500000000000000000000000001471541253600154345ustar00rootroot00000000000000argus-5.0.2/pkg/sysconfig/argus000066400000000000000000000004171471541253600165020ustar00rootroot00000000000000 DAEMON_ARGS= # # Monitoring with local-only ra client access on default port # # DAEMON_ARGS="-B 127.0.0.1 -P 561" # # Monitoring span port on eth1 with local-only access remapping port so radium can multiplex over default # # DAEMON_ARGS="-i eth1 -B 127.0.0.1 -P 562" argus-5.0.2/pkg/systemd/000077500000000000000000000000001471541253600151205ustar00rootroot00000000000000argus-5.0.2/pkg/systemd/argus.service000066400000000000000000000004101471541253600176160ustar00rootroot00000000000000[Unit] Description=Argus Flow Monitor After=syslog.target network.target [Service] Type=forking Restart=always RestartSec=5 EnvironmentFile=/etc/sysconfig/argus ExecStart=/usr/sbin/argus -X -d -F /etc/argus.conf $DAEMON_ARGS [Install] WantedBy=multi-user.target argus-5.0.2/pkg/win/000077500000000000000000000000001471541253600142255ustar00rootroot00000000000000argus-5.0.2/pkg/win/etc/000077500000000000000000000000001471541253600150005ustar00rootroot00000000000000argus-5.0.2/pkg/win/etc/argus.conf000066400000000000000000000012421471541253600167670ustar00rootroot00000000000000ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" ARGUS_DAEMON=no ARGUS_MONITOR_ID=`hostuuid` ARGUS_MONITOR_ID_INCLUDE_INF=yes ARGUS_ACCESS_PORT=562 ARGUS_BIND_IP="::1,127.0.0.1" ARGUS_INTERFACE=ind:all ARGUS_GO_PROMISCUOUS=no ARGUS_CAPTURE_FULL_CONTROL_DATA=yes ARGUS_CONTROLPLANE_PROTO="5060,udp:42,udp:43,udp:53,udp:137,52,udp:123,udp:520,udp:521,525,5353,5354,67,68" ARGUS_FLOW_STATUS_INTERVAL=5 ARGUS_MAR_STATUS_INTERVAL=5 ARGUS_GENERATE_PACKET_SIZE=yes ARGUS_GENERATE_MAC_DATA=yes ARGUS_GENERATE_APPBYTE_METRIC=yes ARGUS_GENERATE_TCP_PERF_METRIC=yes ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes ARGUS_CAPTURE_DATA_LEN=128 ARGUS_INTERFACE_SCAN_INTERVAL=5 argus-5.0.2/support/000077500000000000000000000000001471541253600143635ustar00rootroot00000000000000argus-5.0.2/support/Archive/000077500000000000000000000000001471541253600157445ustar00rootroot00000000000000argus-5.0.2/support/Archive/README.argusarchive000066400000000000000000000120751471541253600213130ustar00rootroot00000000000000Feb 2010 Some minimal documentation for the argusarchive script. First off (ignoring the new options for post processing for now) the purpose of this script is to be run from cron on the argus archive machine (which may be the same as the sensor machine if the load is low enough) and create an archive of argus files (I usually use 1 hour, your link speed may need that to be much shorter). This is the cron entry I've been using for many years now (although parts of this script are new, I've been using one like it for 10 years or more): 0 * * * * /usr/local/bin/argusarchive >> /var/log/argus.logs/argusarchive.log 2>&1 which creates an archive like this: ls /usr/local/argus argus.archive ls /usr/local/argus/argus.archive 2009 2010 ls /usr/local/argus/argus.archive/2010 01 02 ls /usr/local/argus/argus.archive/2010/02 01 02 03 04 05 06 ls /usr/local/argus/argus.archive/2010/02/04 argus.2010.02.04.00.00.00.0.gz argus.2010.02.04.01.00.00.0.gz ... argus.2010.02.04.23.00.00.0.gz The script creates new directories as needed and via the use of a file (by default in /var/log/argus) remembers the start time of the file (because when the file is processed it only has the end time). The reason for that is so that the first file starts at midnight rather than 23:00 of the day before as using the time the script runs to set the file name does and ends at midnight (rather than 23:00). The starttime file is also the reason that there is a .0 in the file name before the .gz. In the case of a reboot or restart the startup script that starts argus should write a new start time file so to log a record that the restart happened and to mark the appropriate hour of the new data file (in case of an outage that crosses an hour boundary). As well the startup script needs to call argusarchive to move the current output file (using the current value in the start.date file) to the archive and then set the current time in to the argus.start.time file as the start time for the current record. If the crash / restart should occur just as the current file changed the file names may be identical. To fix that problem a ".0" is normally appended to the archive file name. If that file already exists when the restart happens the new file name is set to the ".1" extension so that the files will sort in the correct time order in the archive. This covers the case where the outage crosses an hour boundary as well, the first file will have the correct start time (but possibly less than an hour's data) and the new file will have the correct (possibly several hours later) start time and possibly less than an hour's data. In normal operation all files will end in the .0.gz. This is all that the original argus archive script used to do (although as noted it used the end time and thus ran from 23:00 on day-1 til 23:00 on day). This script by default matches (other than the times) the original script. I added some features to suit how I was running argus. You may or may not want to use some of them. First this script started in the days of argus 2.0.6 (or possibly earlier :-) around 2002 or so. There wasn't an argus ID option in 2.0.6 and I was running multiple argus instances on a single machine. Thus if you add an instance name to the command running from cron like this: 0 * * * * /usr/local/bin/argusarchive com >> /var/log/argus.logs/argusarchive.log 2>&1 then the instance supplied (com for commodity Internet as opposed to CA*net in this case) is appended to all the archive names so the data is separated by instance name (the "com" is replaced by "c4" for the Ca*net link in my case): ls /usr/local/argus argus.archive would become ls /usr/local/argus com_argus.archive and ls /usr/local/argus/argus.archive/2010/02/04 argus.2010.02.04.00.00.00.0.gz would become ls /usr/local/argus/com_argus.archive/2010/02/04 com_argus.2010.02.04.00.00.00.0.gz Then because processing an entire days worth of argus records at one time was taking too much time and memory I added the code to launch post processing code (perl in my case) against the file just archived when argusarchive runs. There is also the option to run the post processing on this machine (probably not advised if it is your capture machine as well) or to cause it to be transferred to a remote machine via ssh and processed there. You can modify this to your taste. New in this version is the option to anonymize the archive data using ranonymize and pass the anonymized data to the post processing programs (which incidentally can and should be run on an id that only has read access to the archived data!). This allows traffic analysis of the data to occur (as only the IPs are anonymized in my case) without the analyist knowing what machines are creating the data. This is useful when a client has a traffic problem but isn't comfortable (or possibly even allowed) to let the analyist see the real IP addresses. If the client runs the same non anonymized traffic through the post processing scripts, they should get the same reports with the real IP addresses from which they can take appropriate action. Peter Van Epp (vanepp@sfu.ca) argus-5.0.2/support/Archive/argusarchive000077500000000000000000000352101471541253600203560ustar00rootroot00000000000000#!/bin/sh # # Argus-5.0 Software. Argus Archive Script # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # 14 Jan 2010 - Peter Van Epp (vanepp@sfu.ca): # Modified for perl traffic scripts and to make it work again # # In case we are running from cron set an appropriate PATH PATH=/bin:/usr/bin:/usr/local/bin # If there is an argument on the command line set it as the argus prefix which # will modify the names of the various data files (for the case where a machine # is collecting for more than one argus instance). If there is no argument, # then the prefix is set to argus so as to be compatible with the original # version of argusarchive. if [ "$1"x = x ]; then INSTANCE=argus else INSTANCE="$1_argus" fi # User setable options: # # Try to use $ARGUSDATA and $ARGUSARCHIVE where possible. # If these are available, the only thing that we need to # know is what is the name of the argus output file. # # If ARGUSDATA set then don't need to define below. For # cron scripts however, $ARGUSDATA may not be defined, so # lets do that here if it isn't already. # where to find the data argus is writing if [ "$ARGUSDATA"x = x ]; then ARGUSDATA=/var/log/argus # not set by user, so set it fi if [ "$ARGUSARCHIVE"x = x ]; then ARGUSARCHIVEBASE=/usr/local/argus # not set by user so set it else ARGUSARCHIVEBASE=$ARGUSARCHIVE # else us the user's value fi DATAFILE=${INSTANCE}.out # argus must be writing data in /$ARGUSDATA/$DATAFILE # set the program paths for your OS (this is FreeBSD) ARGUSBIN=/usr/local/bin # location of argus programs AWK=/usr/bin/awk MV=/bin/mv MKDIR=/bin/mkdir CHOWN=/usr/sbin/chown SU=/usr/bin/su TOUCH=/usr/bin/touch # Data file compression COMPRESS=yes # compress the archived data files yes or no # pick one of the below COMPRESSOR=/usr/bin/gzip # using this compression program COMPRESSFILEEX=gz #COMPRESSOR=/usr/bin/bzip2 # using this compression program #COMPRESSFILEEX=bz2 #COMPRESSOR=/usr/bin/compress # using this compression program #COMPRESSFILEEX=Z # options for perl traffic processing scripts ARGUSREPORTS=$ARGUSDATA # post processing directory POSTPROCESS=no # run the traffic scripts SPOOL=$ARGUSREPORTS/spool # spool directory name POSTPROG=/usr/local/bin/argus3_post_drv.pl POSTLOG=/var/log/argus.logs/argus3_post_drv.log ACCOUNT=argus # account used to run the post scripts (needs only # read access to the archive files) # optionally anonymize the argus data before post processing it ANONPOSTPROCESS=no # run the traffic scripts on the anon data as well ANONYMIZE=$ARGUSBIN/ranonymize # $ARGUSBIN/ranonymize or no ANONCONF=$ARGUSDATA/ranonymize.conf # using this config file if anonimizing ANONDATADIR=$ARGUSREPORTS/anondata # anonymized data storage directory name # end of options # Set ARGUSARCHIVE according to the settings above ARGUSARCHIVE=$ARGUSARCHIVEBASE/${INSTANCE}.archive # create the archive directory if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "Could not create archive directory $ARGUSARCHIVE" exit fi fi if [ -d $ARGUSDATA ] ; then cd $ARGUSDATA echo "cd $ARGUSDATA" if [ $ARGUSDATA != `pwd` ]; then echo "couldn't change to directory $ARGUSDATA, got `pwd` instead" exit fi else echo "argus data directory $ARGUSDATA not found" exit fi # If there is an argument on the command line set it as the argus prefix which # will modify the names of the various data files (for the case where a machine # is collecting for more than one argus instance). If there is no argument, # then the prefix is set to argus so as to be compatible with the original # version of argusarchive. if [ "$1"x = x ]; then INSTANCE=argus else INSTANCE="$1_argus" fi # In order to have the archive be date consistant (i.e. the first file of the # day starts at or close to midnight instead of 23:00 of the day before as # was originally the case), take the archive file name from a file called # $ARGUSDATA/${INSTANCE}.start.date (which is supposed to be created by the # startup scripts at boot, and every time this script is run). To provide for # the case where the file doesn't exist when this script runs, set the file # to the current time (with a .0 appended to the end) and the next cycles file # name to the current time with a .1 appended. This makes sure that the two # close to identically named files sort in the correct date order for processing # even after the compression suffix is tagged on the end. All the files need # to have the .0 appended to them so they remain the same length and thus # sort correctly. if [ ! -f $ARGUSDATA/${INSTANCE}.start.date ]; then # File doesn't exist so create a current archive file with the current time # and a .0 suffix, and the new archive file (for next cycle) with the current # time and a .1 suffix. The purpose of the suffixes is to maintain file # time order on a sort after the compression suffix is appended to the # file name. Without the suffixes at the next cycle the script would # overwrite the data we archived this time (bad!) because the file names # would be identical. echo "$ARGUSDATA/${INSTANCE}.start.date doesn't exist creating files" ARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.1 else # The file exists, so check the contents are of the form # $INSTANCE.yy.mm.hh.mm.ss.0|1 as it should be. If not set both file names # as above to create a correct pair of file names and log the invalid # contents of the file. ARCHIVE=`cat $ARGUSDATA/${INSTANCE}.start.date` # since I can't figure out how to escape the $ to match eol, cheat ... ESC=$ RESULT=`egrep -c "^$INSTANCE\.[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\.[0-9]$ESC" $ARGUSDATA/${INSTANCE}.start.date` if [ "$RESULT" = "1" ]; then # the file appears valid so use the contents as the current archive name # and create the next one from the current time with .0 appended. This # should be the normal case when all is well. NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 else # The format of the saved file looks invalid (perhaps because someone # external messed with it), so recreate a proper current and new archive # file. Log the corrupted version. echo "$ARCHIVE is invalid, recreated" ARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.0 NEWARCHIVE=${INSTANCE}.`date '+%Y.%m.%d.%H.%M.%S'`.1 fi fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` # and write the next cycle's archive file name to file for the next cycle. `echo $NEWARCHIVE > $ARGUSDATA/${INSTANCE}.start.date` echo "$TIMESTAMP ${INSTANCE}_argusarchive started" YEAR=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $2}'` MONTH=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $3}'` DAY=`echo $ARCHIVE | $AWK 'BEGIN {FS="."}{print $4}'` if [ ! -d $ARGUSARCHIVE ] ; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ] ; then echo "could not create archive directory $ARGUSARCHIVE" exit else echo "archive directory $ARGUSARCHIVE created" fi else echo "archive directory $ARGUSARCHIVE found" fi ARGUSARCHIVE=$ARGUSARCHIVE/$YEAR if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi ARGUSARCHIVE=$ARGUSARCHIVE/$MONTH if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi ARGUSARCHIVE=$ARGUSARCHIVE/$DAY if [ ! -d $ARGUSARCHIVE ]; then $MKDIR $ARGUSARCHIVE if [ ! -d $ARGUSARCHIVE ]; then echo "could not create archive directory structure." exit fi fi # Presumably this is for mysql, but I don't know how to create it so # it is currently commented out # if [ ! -d $ARGUSARCHIVE/$INDEX ]; then # $MKDIR $ARGUSARCHIVE/$INDEX # if [ ! -d $ARGUSARCHIVE/$INDEX ]; then # echo "could not create archive index directory." # exit # fi # fi if [ -f $ARGUSDATA/$DATAFILE ] ; then if [ -f $ARGUSARCHIVE/$ARCHIVE ] ; then echo "argus archive file $ARGUSARCHIVE/$ARCHIVE exists, leaving data" exit else $MV $ARGUSDATA/$DATAFILE $ARGUSARCHIVE/$ARCHIVE 2>/dev/null fi else echo "argus data file $ARGUSDATA/$DATAFILE not found" exit fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ARGUSARCHIVE/$ARCHIVE ]; then echo "$TIMESTAMP argus data file $ARGUSARCHIVE/$ARCHIVE moved successfully" else echo "argus data file $ARGUSDATA/$DATAFILE move failed" exit fi # Now compress and/or post process the data file if that has been requested # save a copy of the archive filename (which will change and be updated if # compression is requested) for later processing ARCHIVEFILE=$ARCHIVE ARCHIVEPATHFILE=$ARGUSARCHIVE/$ARCHIVE # compression first if requested if [ $COMPRESS = yes ]; then if [ "$COMPRESSOR"x = x ]; then echo "Compression requested but COMPRESSOR not set" exit fi if [ -f $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX ]; then echo "Compressed file $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX already exists, leaving data file" exit fi $COMPRESSOR $ARGUSARCHIVE/$ARCHIVE TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ARGUSARCHIVE/$ARCHIVE ]; then echo "$TIMESTAMP Original data file $ARGUSARCHIVE/$ARCHIVE still exists compression failed?" exit fi if [ -f $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX ]; then echo "$TIMESTAMP $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX compression completed" # so update the data file name for futher processing if requested ARCHIVE=$ARCHIVE.$COMPRESSFILEEX ARCHIVEPATHFILE=$ARGUSARCHIVE/$ARCHIVE else echo "$TIMESTAMP no compressed file $ARGUSARCHIVE/$ARCHIVE.$COMPRESSFILEEX compression failed?" exit fi fi # if we got this far things seem to have worked correctly so do the # anonymizing and post processing if requested if [ $POSTPROCESS = yes ] || [ $ANONPOSTPROCESS = yes ]; then # check the reports directories creating as needed and requested if [ ! -d $ARGUSREPORTS ] ; then $MKDIR $ARGUSREPORTS if [ ! -d $ARGUSREPORTS ] ; then echo "could not create reports directory $ARGUSREPORTS" exit else echo "report directory $ARGUSREPORTS created" fi fi # check and create the spool directory if needed if [ ! -d $SPOOL ] ; then $MKDIR $SPOOL if [ ! -d $SPOOL ] ; then echo "could not create reports directory $SPOOL" exit else echo "report directory $SPOOL created" fi fi fi if [ $POSTPROCESS = yes ]; then # If postprocessing of the unanonymized files has been requested create # the appropriate workfile in the spool directory. echo "$ARCHIVEPATHFILE" > $ARGUSREPORTS/spool/w$ARCHIVE fi # If anonymization has been requested, anonymize and (if requested) compress # the data file if [ $ANONYMIZE = $ARGUSBIN/ranonymize ]; then # Check and create the data directory as needed if [ ! -d $ANONDATADIR ] ; then $MKDIR $ANONDATADIR if [ ! -d $ANONDATADIR ] ; then echo "could not create reports directory $ANONDATADIR" exit else echo "report directory $ANONDATADIR created" fi fi # anonymize the data file as requested and save it (compressed if requestedi) # in to the anondata directory as anonfilename (to differentiate it from the # unanonympized data file) ARCHIVEFILE=anon$ARCHIVEFILE $ANONYMIZE -f $ANONCONF -r $ARGUSARCHIVE/$ARCHIVE -w $ANONDATADIR/$ARCHIVEFILE # update the full path to the now anonymized data file to pass to post # processing if requested ARCHIVEPATHFILE=$ANONDATADIR/$ARCHIVEFILE if [ $COMPRESS = yes ]; then if [ -f $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX ]; then echo "Compressed file $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX already exists, leaving data file" exit fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP starting compression of $ANONDATADIR/$ARCHIVEFILE" $COMPRESSOR $ANONDATADIR/$ARCHIVEFILE TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` if [ -f $ANONDATADIR/$ARCHIVEFILE ]; then echo "$TIMESTAMP Original data file $ANONDATADIR/$ARCHIVEFILE still exists compression failed?" exit fi if [ -f $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX ]; then echo "$TIMESTAMP compression of $ANONDATADIR/$ARCHIVEFILE.$COMPRESSFILEEX completed" ARCHIVEFILE=$ARCHIVEFILE.$COMPRESSFILEEX else echo "$TIMESTAMP compression of $ANONDATADIR/$ARCHIVEFILE failed" exit fi # update the full path to the now anonymized data file to pass to post # processing if requested ARCHIVEPATHFILE=$ANONDATADIR/$ARCHIVEFILE fi # end of anon compression if [ $ANONPOSTPROCESS = yes ]; then # Write the workfile in to the spool directory to cause this file to be # post processed when the post processing script is run later. echo "$ARCHIVEPATHFILE" > $ARGUSREPORTS/spool/w$ARCHIVEFILE fi fi # At this point the appropriate work files have been written to the spool # directory so change the ownership of the files to the post processing # user and launch post processing if requested if [ $POSTPROCESS = yes ] || [ $ANONPOSTPROCESS = yes ]; then # Check for and try and create an appropriate log file if [ ! -f $POSTLOG ]; then $TOUCH $POSTLOG if [ ! -f $POSTLOG ]; then echo "Log file $POSTLOG can't be created" exit fi fi # Correct the ownership of the directories we have been writing as root to # the post processing user $CHOWN $ACCOUNT $POSTLOG $CHOWN -R $ACCOUNT $ARGUSREPORTS/spool $CHOWN -R $ACCOUNT $ANONDATADIR # then run the post processing command TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP Post processing started" $SU $ACCOUNT -c "$POSTPROG >> $POSTLOG" TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP Post processing completed" fi TIMESTAMP=`date '+%Y.%m.%d.%H.%M.%S'` echo "$TIMESTAMP argusarchive completed successfully" argus-5.0.2/support/Config/000077500000000000000000000000001471541253600155705ustar00rootroot00000000000000argus-5.0.2/support/Config/argus.conf000077500000000000000000000714131471541253600175710ustar00rootroot00000000000000# # Argus-5.0 Software # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Example argus.conf # # Argus will open this argus.conf if its installed as /etc/argus.conf. # It will also search for this file as argus.conf in directories # specified in $ARGUSPATH, or $ARGUSHOME, $ARGUSHOME/lib, # or $HOME, $HOME/lib, and parse it to set common configuration # options. All values in this file can be overriden by command # line options, or other files of this format that can be read in # using the -F option. # # # Variable Syntax # # Variable assignments must be of the form: # # VARIABLE=value # VARIABLE="compound values" # # with no white space between the VARIABLE and the '=' sign. # # # Comments # # Comments are supported using a '#' as the first character # in the string, such as this string that you are reading. # # Embedded comments are supported preceeded by a " //" as you # see in the C language. The preceeding white space is very important. # The space or tab is absolutely required to delimit the end of the # variable values and the beginning of the comment. Without the space, # the comment will be included as a part of the configuration variable. # # VARIABLE=value // comment # VARIABLE="compound values" // comment # # # Variable Explanations # # The Argus can be configured to support a large number of # flow types. The Argus can provide either type, i.e. # uni-directional or bi-directional flow tracking and # the flow can be further defined by specifying the key. # The argus supports a set of well known key strategies, # such as 'CLASSIC_5_TUPLE', 'LAYER_2', 'LAYER_2_MATRIX', # 'LAYER_2_MATRIX', 'MPLS', and/or 'VLAN', or the argus can # be configured to # formulate key strategies from a list of # the specific objects that the Argus understands. See the # man page for a complete description. # # The default is the classic 5-tuple IP flow, CLASSIC_5_TUPLE. # ARGUS_FLOW_TYPE="Bidirectional" ARGUS_FLOW_KEY="CLASSIC_5_TUPLE" #ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2" # Argus is capable of running as a daemon, doing all the right things # that daemons do. When this configuration is used for the system # daemon process, say for /etc/argus.conf, this variable should be # set to "yes". # # In the examples seen in the ./support/Startup/argus scripts, # this value is set to "yes", as the system startup strategy # requires the program to daemonize themselves, returning a value # to the system, hopefully quickly. Some systems, however, want # to daemonize the tasks themselves, and those cases, the value # must be set to "no". # # The default value is to not run as a daemon. # # Commandline equivalent -d # ARGUS_DAEMON=no # Argus Monitor Data is uniquely identifiable based on the source # identifier that is included in each output record. This is to # allow you to work with Argus Data from multiple monitors at the # same time. The ID is 32 bits long, and argus suppors a number of # formats as legitimate values. Argus support unsigned ints, IPv4 # addresses and 4 bytes strings, as values. # # The formats are discerned from the values provided. Double-quoted # values are treated as strings, and are truncated to 4 characters. # not, then they are tested wheter they are numbers. # # The configuration allows for you to use host names, however, do # have some understanding how `hostname` will be resolved by the # nameserver before commiting to this strategy completely. # # For convenience, argus supports the notion of "`hostname`" and # "`hostuuid`" for assigning the probe's id. This is to support # general management of larger deployments, so you can have one # argus.conf file that works for a lot of probes. # # The use of `hostuuid` is targeted at Linux and Apple computers. # # With Argus V5 (gargoyle), the srcid formats are extended to include # 64-bit values, designed primarily to provide interface identifiers, # in addition to a 32-bit probe id, as well as to support IPv6 addresses # as identifiers. Interface string extensions are added when the keyword # "inf" is added as the ARGUS_MONITOR_ID specifier. # # The syntax for the monitor id, srcid, is: # [type:/]sid[/inf] # where type can be: # int, str, ipv4, ipv6, uuid # # where sid can be: # int, "string", ipv4, ipv6, uuid # # where inf is: # char[4] # # Examples include: # fe80::1 # 192.168.8.68 # 2345/en0 # ipv4:/192.168.8.68/en1 # 5E487EDE-B311-5E80-B69F-967E5E6C7A9F/en0 # uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F # # Commandline equivalent -e # # #ARGUS_MONITOR_ID=`hostname` // IPv4 address returned #ARGUS_MONITOR_ID=10.2.45.3 // IPv4 address #ARGUS_MONITOR_ID=2435 // Number #ARGUS_MONITOR_ID="en0" // String # With argus-v5, srcid's can include uuids, and traditional id's + interface names #ARGUS_MONITOR_ID=uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F/inf ARGUS_MONITOR_ID=`hostuuid` #ARGUS_MONITOR_ID=inf // Interface name #ARGUS_MONITOR_ID=10.2.45.3/en0 // ARGUS_ID + Interface name #ARGUS_MONITOR_ID=192.168.8.68 // IPv4 address #ARGUS_MONITOR_ID=uuid:/5E487EDE-B311-5E80-B69F-967E5E6C7A9F # With Argus V5 (gargoyle), the srcid formats are extended to include # 160-bit values (128-bit sid + 32-bit inf), designed primarily to provide # support for 128-bit uuid's and IPv6 addrs, as well as interface identifiers. # Interface string extensions are not added to ARGUS_MONITOR_ID specifier, unless # you are hard coding the interface name for a specific observation domain, # this is done int he ARGUS_INTERFACE specification. # # To add the semantic that the default "mon0" is a part of this MONITOR_ID, # set the new ARGUS_MONITOR_ID_INDLUCE_INF to "yes". To turn it off, set # it to "no". "No" is the default behavior. ARGUS_MONITOR_ID_INCLUDE_INF=yes # Argus monitors can provide a real-time remote access port # for collecting Argus data. This is a TCP based port service and # the default port number is tcp/561, the "experimental monitor" # service. This feature is disabled by default, and can be forced # off by setting it to zero (0). # # When you do want to enable this service, 561 is a good choice, # as all ra* clients are configured to try this port by default. # # Commandline equivalent -P # ARGUS_ACCESS_PORT=561 # Port 562 would be used, if radium.1 is used to provide access on port 561 # When remote access is enabled (see above), you can specify that Argus # should bind only to a specific IP address. This is useful, for example, # in restricting access to the local host, or binding to a private # interface while capturing from another. # # You can provide multiple addresses, separated by commas, or on multiple # lines. # # The default is to bind to any IP address. # # Commandline equivalent -B # #ARGUS_BIND_IP="127.0.0.1" #ARGUS_BIND_IP="192.168.0.68" #ARGUS_BIND_IP="::1,127.0.0.1" # By default, Argus will open the first appropriate interface on a # system that it encounters. For systems that have only one network # interface, this is a reasonable thing to do. But, when there are # more than one suitable interface, you should specify the # interface(s) Argus should use either on the command line or in this # file. # # Argus can track packets from any or all interfaces, concurrently. # The interfaces can be tracked as: # 1. independant - this is where argus tracks flows from each # interface independant from the packets seen on any other # interface. This is useful for hosts/routers that # have full-duplex interfaces, and you want to distinguish # flows based on their interface. There is an option to specify # a distinct srcid to each independant modeler. # # 2. duplex - where argus tracks packets from 2 interfaces # as if they were two half duplex streams of the same link. # Because there is a single modeler tracking the 2 # interfaces, there is a single srcid that can be passed as # an option. # # 3. bonded - where argus tracks packets from multiple interfaces # as if they were from the same stream. Because there is a # single modeler tracking the 2 interfaces, there is a single # srcid that can be passed as an option., # # 4. parallel - hardware packet capture cards can be used to deliver # packets to a set of CPUs to gain highly parallel processing. # The hardware strategy enables a set of argi to process a # single packet stream, independently, generating a collective # output that represents the flow record output of the single # stream. Argus will need to spawn threads to open and process # a number of devices, and then merge the output to generate # a single time sorted flow output stream. # # Interfaces can be specified as groups using '[',']' notation, to build # flexible definitions of packet sources. However, each interface # should be referenced only once (this is due to performance and OS # limitations, so if your OS has no problem with this, go ahead). # # The lo (loopback) interface will be included only if it is specifically # indicated in the option. # # The syntax for specifying this either on the command line or in this file: # -i ind:all # -i dup:en0,en1/srcid # -i bond:en0,en1/srcid # -i para:en0,en1,en2/srcid # -i para:en[0...x]/srcid # -i dup:[bond:en0,en1],en2/srcid # -i en0/srcid -i en1/srcid (equivalent '-i ind:en0/srcid,en1/srcid') # -i en0 en1 (equivalent '-i bond:en0,en1') # -i en1(dlt)/srcid -i en1(dlt)/srcid # # In all cases, if there is a "-e srcid" provided, the srcid provided is used # as the default. If a srcid is specified using this option, it overrides # the default. # # Srcid's are specified using the notion used for ARGUS_MONITOR_ID, as above. # # Commandline equivalent -i # #ARGUS_INTERFACE=any ARGUS_INTERFACE=ind:all #ARGUS_INTERFACE=ind:en0/192.168.0.68,en2/192.168.2.1 #ARGUS_INTERFACE=ind:en0/"en0",en2/19234 #ARGUS_INTERFACE=en0 #ARGUS_MONITOR_ID=inf // Interface name #ARGUS_MONITOR_ID=10.2.45.3:inf // ARGUS_ID + Interface name # By default, Argus will put its interface in promiscuous mode # in order to monitor all the traffic that can be collected. # This can put an undo load on systems. # If the intent is to monitor only the network activity of # the specific system, say to measure the performance of # an HTTP service or DNS service, you'll want to turn # promiscuous mode off. # # The default value is to gos into prmiscuous mode. # # Commandline equivalent -p # ARGUS_GO_PROMISCUOUS=no # Argus supports chroot(2) in order to control the file system that # argus exists in and can access. Generally used when argus is running # with privileges, this limits the negative impacts that argus could # inflict on its host machine. # # This option will cause the output file names to be relative to this # directory, and so consider this when trying to find your output files. # # Commandline equivalent -c dir # #ARGUS_CHROOT_DIR=/chroot_dir # Argus can be configured to enable detailed control plane # flow monitoring for specific control plane protocols. # # This feature requires full packet capture for the monitored # interface in order to capture the complete control plane # protocol, and will have a performance impact on the sensor. # # The default is to not turn this feature on. # # Commandline equivalent -C # #ARGUS_CAPTURE_FULL_CONTROL_DATA=no #ARGUS_CONTROLPLANE_PROTO="sip,domain,udp:name,udp:nicname,udp:netbios-ns,xns-time,udp:ntp,udp:router,udp:ripng,timed,mdns,mdnsresponder,bootps,bootpc" # Argus can be directed to change its user id using the setuid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive will cause argus to change its user id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -u # #ARGUS_SETUSER_ID=user # Argus can be directed to change its group id using the setgid() system # call. This is can used when argus is started as root, in order to # access privileged resources, but then after the resources are opened, # this directive can be used to change argu's group id value to # a 'lesser' capable account. Recommended when argus is running as # daemon. # # Commandline equivalent -g # #ARGUS_SETGROUP_ID=group # Argus can write its output to one or a number of files. # The default limit is 5 concurrent files, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_FILE=/full/path/file/name # ARGUS_OUTPUT_FILE="/full/path/file/name filter" # # Most sites will have argus write to a file, for reliablity. # The example file name is used here as supporting programs, # such as ./support/Archive/argusarchive are configured to use # this file (with any chroot'd directory prepended). # # Commandline equivalent -w # #ARGUS_OUTPUT_FILE=/var/log/argus/argus.out # Argus can push its output to one or a number of remote hosts. # The default limit is 5 concurrent output streams, each with their # own independant filters. # # The format is: # ARGUS_OUTPUT_STREAM="URI [filter]" # ARGUS_OUTPUT_STREAM="argus-udp://multicastGroup:port # ARGUS_OUTPUT_STREAM="argus-udp://host:port 'tcp and not udp'" # # Most sites will have argus listen() for remote sites to request argus data, # using a "pull" data model, using Unix sockets. Argus supports the use of # TCP/IP sockets for remote delivery, by default, and UNIX_DOMAIN sockets # for distribution within the OS, as an option. # #ARGUS_OUTPUT_STREAM=domain://path/to/socket/argus.socket #ARGUS_OUTPUT_STREAM=domain://var/run/com.qosient.argus.socket #ARGUS_OUTPUT_STREAM=domain://tmp/com.qosient.argus.socket # # # But for some sites and applications, pushing records without explicit registration # is desired. This option will cause argus to transmit records that match the # optional filter, to the configured targets using UDP as the transport mechanism. # # The primary purpose for this feature is to multicast argus records to # a number of listeners on an interface, but it is not limited to this # purpose. The multicast TTL is set to 128 by default, so that you can # send records some distance. # # Commandline equivalent -w argus-udp://host:port # #ARGUS_OUTPUT_STREAM=argus-udp://224.0.20.21:561 # When Argus is configured to run as a daemon, with the -d # option, Argus can store its pid in a file, to aid in # managing the running daemon. However, creating a system # pid file requires priviledges that may not be appropriate # for all cases. # # When configured to generate a pid file, if Argus cannot # create the pid file, it will fail to run. This variable # is available to override the default, in case this gets # in your way. # # The default value is to generate a pid. The default # path for the pid file, is '/var/run'. # # No Commandline equivalent # #ARGUS_SET_PID=yes #ARGUS_PID_PATH="/var/run" # Argus will periodically report on a flow's activity every # ARGUS_FLOW_STATUS_INTERVAL seconds, as long as there is # new activity on the flow. This is so that you can get a # multiple status reports into the activity of a flow. The # default is 5 seconds, but this number may be too low or # too high depending on your uses. Argus does suppport # a minimum value of 0.000001 seconds. Values under 1 sec # are very useful for doing measurements in a controlled # experimental environment where the number of flows is small. # # Because the status interval affects the memory utilization # of the monitor, find the minimum acceptable value is # recommended. # # Commandline equivalent -S # ARGUS_FLOW_STATUS_INTERVAL=5 # Argus will periodically report on a its own health, providing # interface status, total packet and bytes counts, packet drop # rates, and flow oriented statistics. # # These records can be used as "keep alives" for periods when # there is no network traffic to be monitored. # # The default value is 300 seconds, but a value of 60 seconds is # very common. # # Commandline equivalent -M # ARGUS_MAR_STATUS_INTERVAL=5 # Argus has a number of flow state timers that specify how long argus # will 'remember' the caches of specific flows after they have gone # idle. # # The default values have been chosen to aggresively timeout flow # caches to conserve memory utilization. Increasing values can have # an impact on argus memory use, so take care when modifying values. # # The maxium value for any timeout is 65534 seconds. # # If you think there is a flow type that doesn't have appropriate # timeout support, send email to the developer's list, we'll add one # for you. # #ARGUS_IP_TIMEOUT=30 #ARGUS_TCP_TIMEOUT=60 #ARGUS_ICMP_TIMEOUT=5 #ARGUS_IGMP_TIMEOUT=30 #ARGUS_FRAG_TIMEOUT=5 #ARGUS_ARP_TIMEOUT=5 #ARGUS_OTHER_TIMEOUT=30 # If compiled to support this option, Argus is capable of # generating a lot of debug information. # # The default value is zero (0). # # Commandline equivalent -D # #ARGUS_DEBUG_LEVEL=0 # Argus can be configured to report on flows in a manner than # provides the best information for calculating application # reponse times and network round trip times. # # The default value is to not generate this data. # # Commandline equivalent -R # #ARGUS_GENERATE_RESPONSE_TIME_DATA=no # Argus can be configured to generate packet size information # on a per flow basis, which provides the max and min packet # size seen . The default value is to not generate this data. # # Commandline equivalent -Z # #ARGUS_GENERATE_PACKET_SIZE=yes #ARGUS_PACKET_SIZE_HISTOGRAM=yes # Argus can be configured to generate packet jitter information # on a per flow basis. The default value is to not generate # this data. # # Commandline equivalent -J # #ARGUS_GENERATE_JITTER_DATA=yes #ARGUS_JITTER_HISTOGRAM=no # Argus can be configured to provide MAC addresses in # it audit data. The default value is to not generate # this data. # # Commandline equivalent -m # ARGUS_GENERATE_MAC_DATA=yes # Argus can be configured to generate metrics that include # the application byte counts as well as the packet count # and byte counters. # # Commandline equivalent -A # ARGUS_GENERATE_APPBYTE_METRIC=yes # Argus by default, generates extended metrics for TCP # that include the connection setup time, window sizes, # base sequence numbers, and retransmission counters. # You can suppress this detailed information using this # variable. # # No commandline equivalent # ARGUS_GENERATE_TCP_PERF_METRIC=yes # Argus by default, generates a single pair of timestamps, # for the first and last packet seen on a given flow, during # the obseration period. For bi-directional flows, this # results in loss of some information. By setting this # variable to 'yes', argus will store start and ending # timestamps for both directions of the flow. # # No commandline equivalent # ARGUS_GENERATE_BIDIRECTIONAL_TIMESTAMPS=yes # Argus can be configured to capture a number of user data # bytes from the packet stream, these are the packet contents # just above the transport header that Argus used to define # the flow key. # # The feature is an important one for understanding what applications # are communicating over the flow, and is a differentiator for argus # when compared to other flow systems. # # Because there is a chance that argus could capture data that # would be considered sensitive for some sites, this option # The default value is to not generate this data. # # Commandline equivalent -U # #ARGUS_CAPTURE_DATA_LEN=64 # Argus can also be configured to capture the encapsulation # packet headers that it parses. This supports the ability to # realize and debug unknown/unexpectred encapsulation headers, # as well as provide client based extensions to encapsulation # header processing. # # The default is to not turn this feature on. # # #ARGUS_ENCAPS_CAPTURE="no" # Argus uses the packet filter capabilities of libpcap. If # there is a need to not use the libpcap filter optimizer, # you can turn it off here. The default is to leave it on. # # Commandline equivalent -O # #ARGUS_FILTER_OPTIMIZER=yes # You can provide a filter expression here, if you like. # It should be limited to 2K in length. The default is to # not filter. # # The commandline filter will override this filter expression. # #ARGUS_FILTER="" # Argus supports generating packet capture files in tcpdump() format if # the source of the packets is a tcpdump() formatted file or live packet # source. # # Specify the path to the packet capture file here. # # Argus can be further configured to either capture all packets (default) that # it receives, or to capture only the packets that cause internal errors, # such as those that can't be classified into an appropritate flow model. # It can also capture packets that match specific protocols in the header # parsing logic. This is useful when the protocol is in a tunnel or # in a weird place in the header. # # Specify the path to the packet capture file here. # #ARGUS_PACKET_CAPTURE_FILE="/var/log/argus/packet.out" #ARGUS_PACKET_CAPTURE_ON_ERROR="no" #ARGUS_PACKET_CAPTURE_ON_PROTO="gre,vxlan,l2tp" # Argus supports the use of SASL to provide strong # authentication and confidentiality protection. # # The policy that argus uses is controlled through # the use of a minimum and maximum allowable protection # strength. Set these variable to control this policy. # #ARGUS_MIN_SSF=40 #ARGUS_MAX_SSF=128 # Argus supports setting the pcap buffer size. # You can use the abbreviations K, M, G to specify # thousands, millions or billions of bytes. # #ARGUS_PCAP_BUF_SIZE=1G # Argus supports setting the number of packets pcap_dispatch() # should ask for with each call. -1 is documented as pcap_dispatch() # asking for a complete input buffer of packets. The default # number of packets is 1. #ARGUS_PCAP_DISPATCH_NUM=1 # Argus supports setting environment variables to enable # functions required by the kernel or shared libraries. # This feature is intended to support libraries such as # the net pf_ring support for libpcap as supported by # code at http://public.lanl.gov/cpw/ # # Setting environment variables in this way does not affect # internal argus variable in any way. As a result, you # can't set ARGUS_PATH using this feature. # # Care should must be taken to assure that the value given # the variable conform's to your systems putenv.3 system call. # You can have as many of these directives as you like. # # The example below is intended to set a libpcap ring buffer # length to 300MB, if your system supports this feature. # #ARGUS_ENV="PCAP_MEMORY=300000" # How Argus processes tunnel headers is configurable. # By default Argus will parse any tunnel header that it # encounters, and continue until it reaches an outermost # L4 header, the end-to-end headers. # # Some users may need argus to stop at the first tunnel, or # a specific, tunnel protocol. This option if set to "no", # will stop processing at the first tunnel protocol header # encountered. # # The default is to turn this feature on. #ARGUS_TUNNEL_PARSING="yes" # When Argus is configured to parser through tunnels, it # can be configured to capture tunnel features, such as L3 # addresses. When this is set to "yes", argus will formulate # a flow spec for each tunnel encountered, and store it in # a tunnel specific DSR. # The default is to not turn this feature on. #ARGUS_TUNNEL_INFORMATION="no" # Argus can be configured to discover tunneling protocols # above the UDP transport header, specifically Teredo # (IPv6 over UDP). The algorithm is simple and should be # considered experimental. Having this on by default may # generate false tunnel matching. # The default is to not turn this feature on. #ARGUS_TUNNEL_DISCOVERY="no" # Argus can be configured to identify and track duplicate # packets as a separate metric. While the algorithms are # traffic type specific, you can use this strategy to # identify problems within your packet collection infrastructure. # The default is to not turn this feature on, but for some # this feature is invaluable. #ARGUS_TRACK_DUPLICATES="no" # Argus can be configured to be self synchronizing with other # argi. This involves using state from packets contents to # synchronize the flow reporting. # # This adds additional complexity for deciding when to export # flow records, and could unnecessarily increase the number # of argus records generated. We recommend that you use this # feature when you really need to. # #ARGUS_SELF_SYNCHRONIZE=yes # Argus supports the generation of host originated processes # to gather additional metadata and statistics. These include # periodic processes to poll for SNMP data, as an example, or # to collect host statistics through reading procfs(). Or # single run programs that run at a specified time, or under # certain conditions. # # Events are programs that are run from argus itself, and # its output is wrapped by an Argus Event message header and # sent to the output collection stream. # # When these programs are run is a matter of configuration, # and the basic strategies are 1) single shot and 2) periodically. # Some types of events are best run based on state changes. # In particular are the events that provide network status awareness. # Events that provide information, such as what is our current # BSSID network (argus-airport), or what is our external IP address, # (argus-extip), these can run periodically, but they would # be best if run when there are network transitions, such as # new interface availability, or a new network association. # # These argus events, are generated from the complete list of # ARGUS_EVENT_DATA directives, that are specified here. # # The syntax is: # Syntax is: "method:path|prog:interval[:postproc]" # Where: method = [ "file" | "prog" ] # pathname | program = "%s" # interval = %d[smhd] [ zero means run once ] # postproc = [ "compress" | "compress2" ] # #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-vms:20s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-snmp:1m:compress" #ARGUS_EVENT_DATA="file:/proc/vmstat:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/bin/uptime:30s" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-lsof:30s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-extip:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-airport:60s:compress" #ARGUS_EVENT_DATA="prog:/usr/local/bin/argus-stumbler:60s:compress" # This version of Argus supports keystroke detection and counting for # TCP connections, with specific algoritmic support for SSH connections. # # The ARGUS_KEYSTROKE variable turns the feature on. Values for # this variable are: # ARGUS_KEYSTROKE="yes" - turn on TCP flow tracking # ARGUS_KEYSTROKE="tcp" - turn on TCP flow tracking # ARGUS_KEYSTROKE="ssh" - turn on SSH specific flow tracking # ARGUS_KEYSTROKE="no" [default] # # The algorithm uses a number of variables, all of which can be # modifed using the ARGUS_KEYSTROKE_CONF descriptor, which is a # semicolon (';') separated set of variable assignments. Here is # the list of supported variables: # # DC_MIN - (int) Minimum client datagram payload size in bytes (48) # DC_MAX - (int) Maximum client datagram payload size in bytes (128) # GS_MAX - (int) Maximum server packet gap (3) # DS_MIN - (int) Minimum server datagram payload size in bytes (24) # DS_MAX - (int) Maximum server datagram payload size in bytes (256) # IC_MIN - (int) Minimum client interpacket arrival time (50000 microseconds) # LCS_MAX - (int) Maximum something - Not sure what this is # GPC_MAX - (int) Maximum client packet gap (3) # ICR_MIN - (float) Minimum client/server interpacket arrival ratio (0.816) # ICR_MAX - (float) Maximum client/server interpacket arrival ratio (1.122) # # All variables have default values, this variable is used to override # those values. The syntax for the variable is: # # ARGUS_KEYSTROKE_CONF="DC_MIN=20;DS_MIN=20" # ARGUS_KEYSTROKE="ssh" ARGUS_KEYSTROKE_CONF="DC_MIN=32;GPC_MAX=5" # This version of Argus supports operating system fingerprinting through # the inclusion of ARGUS_TCP_INIT DSRs in tcp flow reports. Argus itself # does not do the fingerprinting, ra* clients use the ARGUS_TCP_INIT DSR # to fingerprint using pf.os or nmap like algorithms. #ARGUS_OS_FINGERPRINTING="no" # This version of Argus supports exporting hash values for each flow. ARGUS_GENERATE_HASH_METRICS="yes" # This version of Argus supports modifing the default flow classification # hash table size using this configuration file. Larger hash table sizes will # improve sensor performance by reducing the 'big O' complexity of looking # up cached flow records. # # The default value of 4096 is designed for endpoint sensing, where the number # of flows should be < 1M per day. For high performance sensors (40-100G) we # recommend > 10M (0x1000000) for the hash table. ARGUS_HASHTABLE_SIZE=4096 argus-5.0.2/support/Deployment/000077500000000000000000000000001471541253600165035ustar00rootroot00000000000000argus-5.0.2/support/Deployment/sample000077500000000000000000000165411471541253600177210ustar00rootroot00000000000000/* * Argus-5.0 Software. Common include files. namedb * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ Example Argus Deployments 1, Getting Started - Host Network Auditing and Saving the Records In the first and simplest configuration, the Argus daemon is run on a host with a single network interface and writes its network activity status flow records directly to a file on the local disk. argus -Xw /path/to/argus/argus.file.out The "-X" option is used to ignore any system Argus configurations, such as /etc/argus, and all options are the defaults. Argus will open the single interface, in promiscuous mode, and write the comprehensive argus network flow status records into the output file. With this strategy, argus will run forever, in the foreground of the shell where you ran it, and the file, argus.file.out, will grow as network traffic is monitored. In Argus-3.x, just like all earlier versions of Argus, the argus.file.out can be renamed or moved, and argus will simply recreate the missing file and continue to write Argus data records. In earlier versions of Argus a simple archive strategy was supported, where you would periodically move the single target output file into an archive directory structure, using commands like this: mv /var/log/argus/argus.out /var/log/argus/archive/argus.`date +%Y%m.%d.%H`:00 This command was usually run from a script, which cron(8) would run periodically. Today, there are a large number of support programs and strategies to provide much more sophisticated archive mechanisms. See the argus-clients distribution for details. One can simply examine the Argus audit records using ra(1), for example, ra -nr /var/log/argus/archive/argus.2010.03.04.10:00 - 2. Creating a Host Daemon and Saving the Records Today, the standard method of running argus in argus-3.x, is for argus to run as a daemon, providing socket access to its output data stream, and using argus client programs to collect the data. argus -X -d -P 561 To recreate the simple example above, and write argus data to a single target output file, you would use the argus client program radium.1, to collect and then distribute the data to the file. radium -X -d -S localhost -w /path/to/argus/argus.file.out With this configuration, Argus will run in the background as a daemon, and listen on port 561, the default argus port, for local or remote Argus client connections. Radium, will run in the background as a daemon, connecting to the argus data server, and write its data stream to the argus.file.out file. Like Argus, Radium will recreate the file, if you rename or move the file. This approach requires that the host's access control mechanism allow port 561/tcp connections. Note: example daemon startup files for both Argus and Radium can be found in the distribution under support/Startup. Argus Configuration Examples: 3. Creating an Argus Record Archive Standard Argus data collection systems normally do not write its output stream to a single target output file, but rather, it writes its data into a local argus archive using the program rasplit.1. rasplit -d -S localhost -M time 5m \ -w /archive/$srcid/%Y/%m/%d/argus.%Y.%m.%d.%H.%M.%S rasplit.1 will run as a daemon, connecting to the local argus, and it will distributed its data into a native OS file system that is structured to support 5 minute log files, organized by argus source id, year, month and day. This is a typical configuration for auditing a single host's traffic (such as a file server or mail host) and its internal ra.1 events. There are a number argus clients designed to support much more complex strategies, such as rastream.1 and rasqlinsert.1. Please see the argus-client distribution for detailed descriptions. 4. Auditing a DMZ - Creating a Argus Probe This example configuration is designed to monitor a network segment, rather than the traffic seen by a single host, generating network activity audit records for all the traffic. It can be used to perform critical functions such as verifying a DMZ network service policy. In this configuration the host is converted to an Argus probe. It is stripped of all non-essential network services and given additional network interface(s). The extra interface(s) is/are attached directly to the DMZ network by configuring the switch to mirror all interfaces attached to the DMZ VLAN to the Argus host's additional network interface(s). Argus is then configured to read data from the additional network interface(s) which are not assigned IP address(es). | ----------- | Gateway | | | ----------- | DMZ Network | 10.1.1.1 | |--------------------------------------------| [switch - port mirroring] | | | 10.1.1.2 | [no assigned addr.] | | ----------- ----------- | Gateway | | Argus | | | | Probe | ----------- ----------- | | | 192.0.0.1 | 192.0.0.2 | | |--------------------------------------------| Internal Network | | | _____________ | Argus | [using radium & rasplit(1)] | Archive | ------------- This configuration should be used with the configuration in example 2 where both Argus and Radium are used except Radium is not saving the files locally as it will act a an Argus record distribution daemon. This enable remote Argus clients can connect directly to observe Argus records in real-time or as in the above illustration, collecting and archiving the Argus records into an archive on a remote host using radium(1) and rasplit(1). argus-5.0.2/support/README000066400000000000000000000045261471541253600152520ustar00rootroot00000000000000/* * Argus-5.0 Software. Support Readme * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ The files in these directories are sample configuration, system startup scripts, filters, etc... to support the use of argus and its clients. These files are simple examples, and may need to be modified to support your specific system. These files have been tested primarily on Linux. Archive argusarchive - An sh shell script for moving the argus daemon's output file into a date based archive. The archive file system is created when needed and the output file is compressed and moved into the file system. Config excel.rc - Excel.rc is a ra configuration file to write output so that it can be imported by Microsoft's Excel. Basically generates a comma-separated-file (csv) with appropriate titles for the columns and a date format that Excel understands. fmodel.conf - A sample flow aggregation configuration for ragator(). Deployment sample - This is a description of a tradtional argus probe deployment strategy. Describes placement on an ethernet DMZ and interface configurations that address issues that you may find important. Startup argus - This is a system boot startup script that does a very nice job. System magic - magic file entry support file(1) recognizing argus data files. argus-5.0.2/support/Startup/000077500000000000000000000000001471541253600160255ustar00rootroot00000000000000argus-5.0.2/support/Startup/README000066400000000000000000000067711471541253600167200ustar00rootroot00000000000000/* * Argus-5.0 Software. Startup Readme * Copyright (c) 2000-2024 QoSient, LLC * All rights reserved. * * This program is free software, released under the GNU General * Public License; you can redistribute it and/or modify it under the terms * of the GNU General Public License as published by the Free Software * Foundation; either version 3, or any later version. * * Other licenses are available through QoSient, LLC. * Inquire at info@qosient.com. * * This program is distributed WITHOUT ANY WARRANTY; without even the * implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Written by Carter Bullard * QoSient, LLC * */ These scripts are intended to help manage the starting/stopping of Argus daemons, both during system boot as well as in normal operation, on a number of platforms, such as Linux, using the chkconfig system, and Mac OS X, with /Library/StartupItems packages. Under Linux Systemctl The argus.service file can be used on Fedora (and RedHat Linux?) to automatically start argus at boot time. Put the file argus.service in /lib/systemd/system, then run these two commands as root: # systemctl enable argus.service # systemctl start argus.service After that, argus should be automatically started when the system boots. Chkconfig The ./argus script takes one of four arguments, start, stop, restart and status. If the specific /etc configuration file is not found, the daemon will be run with some assumptions about the system configuration and writes its logs to /var/log/argus. For installation on Linux: The linux chkconfig system, assumes that the scripts that are run from the /etc/init.d directory return, as the boot process runs each script sequentially, and doesn't progress until each process returns. This means that argus and radium need to run as daemons, in the background. As a result, do check that the individual /etc/ configuration files, argus.conf and radium.conf, set the [ARGUS|RADIUM}_DAEMON variable to "yes". Edit the PATH variable in the script to the directory the binary is located in. Then, install the script in /etc/rc.d/init.d. After this, if your system supports the chkconfig() utility, you can use that to install argus and then have it start when the system boots. # cp argus /etc/rc.d/init.d # chkconfig --add argus # chkconfig --level 2345 argus on If your system doesn't have chkconfig(), then simply create a link to the /etc/rc.d/init.d/argus file in the run level that you want the daemon to run in. Most systems will have this as run level 3. # cd /etc/rc.d/rc3.d # ln -s ../init.d/argus argus Mac OS X Launchctl The com.qosient.argus.plist is a configuration file used with the Mac OS X launchctl system. This file should be installed into the /Library/LaunchDaemons directory on the target machine. This will allow Mac OS X to start argus when the machine boots, and to ensure that it is always running. The included scripts assume that argus has been installed in the default /usr/local/sbin directory, so if you have done something out of the ordinary, you will need to modify the scripts. For installation on Mac OS X: # cp com.qosient.argus.plist /Library/LaunchDaemons # launchctl load /Library/LaunchDaemons/com.qosient.argus.plist argus-5.0.2/support/Startup/argus000066400000000000000000000057001471541253600170730ustar00rootroot00000000000000#!/bin/sh # # Argus-5.0 Software. Argus Startup Script # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # Written by Carter Bullard # QoSient, LLC # # # argus - This shell script takes care of starting and stopping # argus, on RH Linux. Should be useful for other versions. # # chkconfig: 2345 55 45 # description: argus-3.0 generates network transaction audit records. # processname: argus # config: /etc/argus.conf # # The assumption here is that /etc/argus.conf specifies ARGUS_DAEMON=no. # If not the system will hang running argus. If this is not set to the # default, change "argus -d" below to "argus" # # Source function library. if [ -f /etc/init.d/functions ]; then . /etc/init.d/functions else if [ -f /etc/rc.d/init.d/functions ]; then . /etc/init.d/functions fi fi # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ .${NETWORKING} = ."no" ] && exit 1 # Set argus path by defining $ARGUSHOME for this script. # If argus was installed in another way, modify PATH to # include the directory where the argus binary was installed. ARGUSDIR=/usr/local/sbin ARGUSHOME=$ARGUSDIR export PATH=$ARGUSHOME:$PATH [ -f $ARGUSHOME/argus ] || exit 1 RETVAL=0 start() { # Start daemons. echo -n "Starting argus: " if [ ! -e /etc/argus.conf ] then if [ ! -d /var/log/argus ] then mkdir /var/log/argus fi argus -de `hostname` -w /var/log/argus/argus.out \ > /dev/null 2>&1 RETVAL=$? else argus -d > /dev/null 2>&1 && success || failure RETVAL=$? fi [ $RETVAL -eq 0 ] && touch /var/lock/subsys/argus echo } stop() { # Stop daemons. echo -n "Shutting down argus: " killproc argus RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/argus echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start RETVAL=$? ;; condrestart) if [ -f /var/lock/subsys/argus ]; then stop start RETVAL=$? fi ;; status) status argus RETVAL=$? ;; *) echo "Usage: argus {start|stop|restart|condrestart|status}" exit 1 ;; esac exit $RETVAL argus-5.0.2/support/Startup/argus.service000066400000000000000000000010571471541253600205330ustar00rootroot00000000000000[Unit] Description=Start Argus daemon After=network.target # You may need to change the ExecStartPre below to manage the # interface that argus is going to use. You may also need to # change the ExecStart line to point to where argus is installed # on your system, as well as any other arguments to argus. Note # that this assumes that you are not using -d or setting # ARGUS_DAEMON=yes in the config file. # # This was tested on Fedora 16 [Service] ExecStartPre=/sbin/ifconfig em2 up ExecStart=/usr/local/sbin/argus [Install] WantedBy=multi-user.target argus-5.0.2/support/Startup/com.qosient.argus.plist000066400000000000000000000013231471541253600224600ustar00rootroot00000000000000 Description Argus Network Monitor OrderPreference Late Provides Argus Requires Network Uses SystemLog mDNSResponder KeepAlive Program /usr/local/sbin/argus Label com.qosient.argus Disabled argus-5.0.2/support/System/000077500000000000000000000000001471541253600156475ustar00rootroot00000000000000argus-5.0.2/support/System/crontab000077500000000000000000000020351471541253600172250ustar00rootroot00000000000000# # Argus-5.0 Software. Argus Archive Crontab entry # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # This program is free software, released under the GNU General # Public License; you can redistribute it and/or modify it under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 3, or any later version. # # Other licenses are available through QoSient, LLC. # Inquire at info@qosient.com. # # This program is distributed WITHOUT ANY WARRANTY; without even the # implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # See the * GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. # # # Written by Carter Bullard # QoSient, LLC # # # Archive argus data file every hour, on the hour. 0 * * * * /usr/local/bin/argusarchive >> /var/log/argus/archive.log 2>&1 argus-5.0.2/support/System/magic000077500000000000000000000013011471541253600166500ustar00rootroot00000000000000# # Argus-5.0 Software. Common include files. namedb # Copyright (c) 2000-2024 QoSient, LLC # All rights reserved. # # Written by Carter Bullard # QoSient, LLC # #------------------------------------------------------------------------------ # argus: file(1) magic for argus-3.*; # From: carter@qosient.com (Carter Bullard) # # Argus magic file entry for linux public domain file(1) command. # 8 belong 0xE5712DCB Argus data >40 byte x - version %d >41 byte x \b.%d 8 belong 0xE5617ACB Argus data >32 byte x - version %d >33 byte x \b.%d