Common subdirectories: sancp-1.6.1.patch.b/contrib and sancp-1.6.1.patch.d/contrib
diff -U3 -d sancp-1.6.1.patch.b/decode.cc sancp-1.6.1.patch.d/decode.cc
--- sancp-1.6.1.patch.b/decode.cc 2006-07-01 12:29:28.000000000 -0500
+++ sancp-1.6.1.patch.d/decode.cc 2006-07-05 22:41:46.000000000 -0500
@@ -20,12 +20,9 @@
extern struct gvars gVars;
u_int8_t e_hlen=14;
u_int8_t ip_hlen=0;
- u_int8_t done=0;
- u_int16_t tcpoptlen=0;
u_int8_t tcp_hlen=0;
u_int16_t udp_len=0;
u_int16_t ip_len=0;
- u_int16_t bytes_processed=0;
nc->d_total_pkts=nc->s_ip=nc->d_ip=nc->free=nc->proto=nc->s_port=nc->d_port=nc->d_total_bytes=nc->collected=0;
nc->timeout=gVars.default_timeout;
@@ -35,6 +32,13 @@
nc->fH=0;
nc->start_time=nc->last_pkt=gVars.timeptr.tv_sec;
nc->limit=gVars.default_limit;
+ //
+ // If we don't have a pkt then perhaps we should not have been called
+ //
+ if(!pkt){
+ printf("Error decode: received empty packet\n");
+ return;
+ }
nc->s_total_pkts=1;
nc->stats=gVars.smode?1:0;
nc->realtime=gVars.rmode?1:0;
@@ -67,8 +71,23 @@
nc->os_info.len=ip_len;
nc->os_info.wss=ntohs(*(u_int16_t*)(pkt + e_hlen + ip_hlen + 14));
nc->os_info.df=((pkt[e_hlen + 6]&0x40)==0x40)?1:0;
+
+#ifdef EXPERIMENTAL_TCPOPTIONS
+ u_int16_t tcpoptlen=0;
+ u_int16_t bytes_processed=0;
+ int loopctr=0;
+ u_int8_t done=0;
+
+ //
+ // THIS CODE DOES NOT PROPERLY PARSE TCPOPTIONS FOR ALL PACKETS
+ // INFINITE LOOPS WERE POSSIBLE IN THIS PORTION OF CODE UNTIL
+ // int loopctr WAS INTRODUCED TO LIMIT OPTIONS TO TCPOPTIONS_MAX
+ //
+ //tcpopt = *pkt + (e_hlen + ip_hlen + 20); // this is where we should find tcp options
+
+ int tcpoptctr=(e_hlen + ip_hlen + 20);
+
nc->os_info.wscale=0;
- int tcpoptctr=(e_hlen + ip_hlen + 20);
tcpoptlen=tcp_hlen>20?(tcp_hlen - 20):0;
@@ -106,7 +125,11 @@
break;
}
+ loopctr++;
+ // Bail out after 8 'options' - NEEDED UNTIL THIS CODE IS FIXED TO PROPERLY PARSE TCPOPTIONS
+ if(loopctr>TCPOPTIONS_MAX){ done = 1; }
}
+#endif
}
}
else if( nc->proto==IPPROTO_UDP )
Common subdirectories: sancp-1.6.1.patch.b/docs and sancp-1.6.1.patch.d/docs
Common subdirectories: sancp-1.6.1.patch.b/etc and sancp-1.6.1.patch.d/etc
diff -U3 -d sancp-1.6.1.patch.b/help.cc sancp-1.6.1.patch.d/help.cc
--- sancp-1.6.1.patch.b/help.cc 2004-09-13 12:55:24.000000000 -0500
+++ sancp-1.6.1.patch.d/help.cc 2006-07-05 22:41:46.000000000 -0500
@@ -203,11 +203,22 @@
<< " The next 8 fields contain p0F information gathered from initial TCP packet\n"
<< " 20: 16bit wss: window segment size (initial packet, tcp only)\n"
<< " 21: 8bit ttl: time to live (initial packet, tcp only)\n"
+#ifdef EXPERIMENTAL_TCPOPTIONS
<< " 22: 16bit mss: maximum segment size (initial packet, tcp only)\n"
+#else
+<< " 22: 16bit mss: maximum segment size (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+#endif
<< " 23: Y/N df: don't fragment bit was set (initial packet, tcp only)\n"
+#ifdef EXPERIMENTAL_TCPOPTIONS
<< " 24: 8bit wscale: window scale (initial packet, tcp only)\n"
<< " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only)\n"
<< " 26: Y/N nop: 'no op' was seen (initial packet, tcp only)\n"
+#else
+<< " 24: 8bit wscale: window scale (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+<< " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+<< " 26: Y/N nop: 'no op' was seen (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+#endif
+
<< " 27: 16bit len: ip length (initial packet, tcp only)\n"
<< "\n"
<< " The next 8 fields contain p0F information gathered from second TCP packet\n"
diff -U3 -d sancp-1.6.1.patch.b/sancp.h sancp-1.6.1.patch.d/sancp.h
--- sancp-1.6.1.patch.b/sancp.h 2004-11-02 11:45:30.000000000 -0600
+++ sancp-1.6.1.patch.d/sancp.h 2006-07-05 22:43:19.000000000 -0500
@@ -13,6 +13,7 @@
* ***********************************************************************/
#define SANCP_H
+#define EXPERIMENTAL_TCPOPTIONS
//#define DEBUG 1
@@ -128,7 +129,7 @@
/* Hash Table Protos */
#define DEFAULT_FLUSH_INTERVAL 1800
#define DEFAULT_EXPIRE_INTERVAL 10
-#define VERSION "1.6.1"
+#define VERSION "1.6.1 patch d"
#define NAME "sancp"
#define LOG_DIR "./" /* default relative to current working directory */
#define CONFIG_DIR "/etc/sancp/"
@@ -204,11 +205,14 @@
#define CNX_REREVERSED 4
#define MAX_PACK_LEN 20000 /* Sufficient for ethernet packets. */
#define ETHER_SIZE 14
+#ifdef EXPERIMENTAL_TCPOPTIONS
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MAXSEG 2
#define TCPOPT_SACKOK 4 /* Experimental */
#define TCPOPT_WSCALE 3
+#define TCPOPTIONS_MAX 8 /* Maximum number of tcpoptions to parse */
+#endif
#define R_FIN 0x01
@@ -233,9 +237,14 @@
u_int8_t ttl;
u_int16_t len;
u_int16_t wss;
+#ifdef EXPERIMENTAL_TCPOPTIONS
+ u_int8_t df:1, nop:1, sack_ok:1;
u_int16_t mss;
short wscale;
- u_int8_t df:1, nop:1, sack_ok:1;
+#else
+ u_int8_t df:1;
+#endif
+
};
diff -U3 -d sancp-1.6.1.patch.b/statefull_logging.cc sancp-1.6.1.patch.d/statefull_logging.cc
--- sancp-1.6.1.patch.b/statefull_logging.cc 2004-11-02 11:49:16.000000000 -0600
+++ sancp-1.6.1.patch.d/statefull_logging.cc 2006-07-05 22:41:46.000000000 -0500
@@ -416,6 +416,7 @@
}
break;
}
+#ifdef EXPERIMENTAL_TCPOPTIONS
case tcp_mss_s: {
if(cn->reversed==1){
snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info2.mss);
@@ -448,6 +449,7 @@
}
break;
}
+#endif
case ip_len_d: {
if(cn->reversed==1){
snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info.len);
@@ -480,6 +482,7 @@
}
break;
}
+#ifdef EXPERIMENTAL_TCPOPTIONS
case tcp_mss_d: {
if(cn->reversed==1){
snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info.mss);
@@ -512,6 +515,7 @@
}
break;
}
+#endif
case total_bytes: {
snprintf(LOG,MAXENTRYLEN,"%llu",cn->total_bytes);
break;