search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
flowtop: fix maxxy offsets in display
[netsniff-ng.git] / src / flowtop.c
blobef8c96b32fd8c7e3290f006c29e8f522d69c2208
1 /*
2 * netsniff-ng - the packet sniffing beast
3 * By Daniel Borkmann <daniel@netsniff-ng.org>
4 * Copyright 2011 - 2012 Daniel Borkmann.
5 * Copyright 2011 Emmanuel Roullit.
6 * Subject to the GPL, version 2.
7 *
8 * A tiny tool to provide top-like netfilter connection tracking information.
9 *
10 * The Dark Lord has Nine. But we have One, mightier than they: the White
11 * Rider. He has passed through the fire and the abyss, and they shall
12 * fear him. We will go where he leads.
13 *
14 * -- The Lord of the Rings, Aragorn,
15 * Chapter 'The White Rider'.
16 */
17
18 #define _LGPL_SOURCE
19 #include <stdio.h>
20 #include <stdint.h>
21 #include <stdlib.h>
22 #include <signal.h>
23 #include <getopt.h>
24 #include <pthread.h>
25 #include <signal.h>
26 #include <netdb.h>
27 #include <ctype.h>
28 #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
29 #include <libnetfilter_conntrack/libnetfilter_conntrack_tcp.h>
30 #include <GeoIP.h>
31 #include <GeoIPCity.h>
32 #include <netinet/in.h>
33 #include <curses.h>
34 #include <dirent.h>
35 #include <sys/stat.h>
36 #include <urcu.h>
37 #include <libgen.h>
38
39 #include "die.h"
40 #include "xmalloc.h"
41 #include "xio.h"
42 #include "xutils.h"
43 #include "built_in.h"
44 #include "locking.h"
45 #include "dissector_eth.h"
46 #include "pkt_buff.h"
47
48 struct geo_ip_db {
49 GeoIP *gi4, *gi6;
50 char *path4, *path6;
51 };
52
53 struct flow_entry {
54 uint32_t flow_id, use, status;
55 uint8_t l3_proto, l4_proto;
56 uint32_t ip4_src_addr, ip4_dst_addr;
57 uint32_t ip6_src_addr[4], ip6_dst_addr[4];
58 uint16_t port_src, port_dst;
59 uint8_t tcp_state, tcp_flags;
60 uint64_t counter_pkts, counter_bytes;
61 uint64_t timestamp_start, timestamp_stop;
62 char country_src[128], country_dst[128];
63 char city_src[128], city_dst[128];
64 char rev_dns_src[256], rev_dns_dst[256];
65 int first, procnum, inode;
66 char cmdline[256];
67 struct flow_entry *next;
68 };
69
70 struct flow_list {
71 struct flow_entry *head;
72 struct spinlock lock;
73 };
74
75 #ifndef ATTR_TIMESTAMP_START
76 # define ATTR_TIMESTAMP_START 63
77 #endif
78 #ifndef ATTR_TIMESTAMP_STOP
79 # define ATTR_TIMESTAMP_STOP 64
80 #endif
81
82 #define SCROLL_MAX 1000
83
84 #define INCLUDE_UDP (1 << 0)
85 #define INCLUDE_TCP (1 << 1)
86
87 volatile sig_atomic_t sigint = 0;
88
89 static int what = INCLUDE_TCP, show_src = 0;
90
91 struct geo_ip_db geo_country, geo_city;
92
93 static struct flow_list flow_list;
94
95 static const char *short_options = "vhTULKs";
96 static const struct option long_options[] = {
97 {"tcp", no_argument, NULL, 'T'},
98 {"udp", no_argument, NULL, 'U'},
99 {"show-src", no_argument, NULL, 's'},
100 {"city-db4", required_argument, NULL, 'L'},
101 {"country-db4", required_argument, NULL, 'K'},
102 {"city-db6", required_argument, NULL, 'O'},
103 {"country-db6", required_argument, NULL, 'P'},
104 {"version", no_argument, NULL, 'v'},
105 {"help", no_argument, NULL, 'h'},
106 {NULL, 0, NULL, 0}
107 };
108
109 static const char *const l3proto2str[AF_MAX] = {
110 [AF_INET] = "ipv4",
111 [AF_INET6] = "ipv6",
112 };
113
114 static const char *const proto2str[IPPROTO_MAX] = {
115 [IPPROTO_TCP] = "tcp",
116 [IPPROTO_UDP] = "udp",
117 [IPPROTO_UDPLITE] = "udplite",
118 [IPPROTO_ICMP] = "icmp",
119 [IPPROTO_ICMPV6] = "icmpv6",
120 [IPPROTO_SCTP] = "sctp",
121 [IPPROTO_GRE] = "gre",
122 [IPPROTO_DCCP] = "dccp",
123 [IPPROTO_IGMP] = "igmp",
124 [IPPROTO_IPIP] = "ipip",
125 [IPPROTO_EGP] = "egp",
126 [IPPROTO_PUP] = "pup",
127 [IPPROTO_IDP] = "idp",
128 [IPPROTO_RSVP] = "rsvp",
129 [IPPROTO_IPV6] = "ip6tun",
130 [IPPROTO_ESP] = "esp",
131 [IPPROTO_AH] = "ah",
132 [IPPROTO_PIM] = "pim",
133 [IPPROTO_COMP] = "comp",
134 };
135
136 static const char *const state2str[TCP_CONNTRACK_MAX] = {
137 [TCP_CONNTRACK_NONE] = "NOSTATE",
138 [TCP_CONNTRACK_SYN_SENT] = "SYN_SENT",
139 [TCP_CONNTRACK_SYN_RECV] = "SYN_RECV",
140 [TCP_CONNTRACK_ESTABLISHED] = "ESTABLISHED",
141 [TCP_CONNTRACK_FIN_WAIT] = "FIN_WAIT",
142 [TCP_CONNTRACK_CLOSE_WAIT] = "CLOSE_WAIT",
143 [TCP_CONNTRACK_LAST_ACK] = "LAST_ACK",
144 [TCP_CONNTRACK_TIME_WAIT] = "TIME_WAIT",
145 [TCP_CONNTRACK_CLOSE] = "CLOSE",
146 [TCP_CONNTRACK_SYN_SENT2] = "SYN_SENT2",
147 };
148
149 static const uint8_t states[] = {
150 TCP_CONNTRACK_SYN_SENT,
151 TCP_CONNTRACK_SYN_RECV,
152 TCP_CONNTRACK_ESTABLISHED,
153 TCP_CONNTRACK_FIN_WAIT,
154 TCP_CONNTRACK_CLOSE_WAIT,
155 TCP_CONNTRACK_LAST_ACK,
156 TCP_CONNTRACK_TIME_WAIT,
157 TCP_CONNTRACK_CLOSE,
158 TCP_CONNTRACK_SYN_SENT2,
159 TCP_CONNTRACK_NONE,
160 };
161
162 static const struct nfct_filter_ipv4 filter_ipv4 = {
163 .addr = __constant_htonl(INADDR_LOOPBACK),
164 .mask = 0xffffffff,
165 };
166
167 static const struct nfct_filter_ipv6 filter_ipv6 = {
168 .addr = { 0x0, 0x0, 0x0, 0x1 },
169 .mask = { 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff },
170 };
171
172 static void signal_handler(int number)
173 {
174 switch (number) {
175 case SIGINT:
176 sigint = 1;
177 break;
178 case SIGHUP:
179 default:
180 break;
181 }
182 }
183
184 static void flow_entry_from_ct(struct flow_entry *n, struct nf_conntrack *ct);
185 static void flow_entry_get_extended(struct flow_entry *n);
186
187 static void help(void)
188 {
189 printf("\nflowtop %s, top-like netfilter TCP/UDP flow tracking\n",
190 VERSION_STRING);
191 puts("http://www.netsniff-ng.org\n\n"
192 "Usage: flowtop [options]\n"
193 "Options:\n"
194 " -T|--tcp Show only TCP flows (default)\n"
195 " -U|--udp Show only UDP flows\n"
196 " -s|--show-src Also show source, not only dest\n"
197 " --city-db4 <path> Specifiy path for geoip4 city database\n"
198 " --country-db4 <path> Specifiy path for geoip4 country database\n"
199 " --city-db6 <path> Specifiy path for geoip6 city database\n"
200 " --country-db6 <path> Specifiy path for geoip6 country database\n"
201 " -v|--version Print version\n"
202 " -h|--help Print this help\n\n"
203 "Examples:\n"
204 " flowtop\n"
205 " flowtop -UTs\n\n"
206 "Note:\n"
207 " If netfilter is not running, you can activate it with i.e.:\n"
208 " iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT\n"
209 " iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT\n\n"
210 "Please report bugs to <bugs@netsniff-ng.org>\n"
211 "Copyright (C) 2011-2012 Daniel Borkmann <daniel@netsniff-ng.org>\n"
212 "Copyright (C) 2011-2012 Emmanuel Roullit <emmanuel@netsniff-ng.org>\n"
213 "License: GNU GPL version 2.0\n"
214 "This is free software: you are free to change and redistribute it.\n"
215 "There is NO WARRANTY, to the extent permitted by law.\n");
216 die();
217 }
218
219 static void version(void)
220 {
221 printf("\nflowtop %s, top-like netfilter TCP/UDP flow tracking\n",
222 VERSION_STRING);
223 puts("http://www.netsniff-ng.org\n\n"
224 "Please report bugs to <bugs@netsniff-ng.org>\n"
225 "Copyright (C) 2011-2012 Daniel Borkmann <daniel@netsniff-ng.org>\n"
226 "Copyright (C) 2011-2012 Emmanuel Roullit <emmanuel@netsniff-ng.org>\n"
227 "License: GNU GPL version 2.0\n"
228 "This is free software: you are free to change and redistribute it.\n"
229 "There is NO WARRANTY, to the extent permitted by law.\n");
230 die();
231 }
232
233 static inline struct flow_entry *flow_entry_xalloc(void)
234 {
235 struct flow_entry *n;
236
237 n = xzmalloc(sizeof(*n));
238 n->first = 1;
239
240 return n;
241 }
242
243 static inline void flow_entry_xfree(struct flow_entry *n)
244 {
245 xfree(n);
246 }
247
248 static inline void flow_list_init(struct flow_list *fl)
249 {
250 fl->head = NULL;
251 spinlock_init(&fl->lock);
252 }
253
254 static void flow_list_new_entry(struct flow_list *fl, struct nf_conntrack *ct)
255 {
256 struct flow_entry *n = flow_entry_xalloc();
257
258 rcu_assign_pointer(n->next, fl->head);
259 rcu_assign_pointer(fl->head, n);
260
261 flow_entry_from_ct(n, ct);
262 flow_entry_get_extended(n);
263 }
264
265 static struct flow_entry *flow_list_find_id(struct flow_list *fl,
266 uint32_t id)
267 {
268 struct flow_entry *n = rcu_dereference(fl->head);
269
270 while (n != NULL) {
271 if (n->flow_id == id)
272 return n;
273
274 n = rcu_dereference(n->next);
275 }
276
277 return NULL;
278 }
279
280 static struct flow_entry *flow_list_find_prev_id(struct flow_list *fl,
281 uint32_t id)
282 {
283 struct flow_entry *n = rcu_dereference(fl->head), *tmp;
284
285 if (n->flow_id == id)
286 return NULL;
287
288 while ((tmp = rcu_dereference(n->next)) != NULL) {
289 if (tmp->flow_id == id)
290 return n;
291
292 n = tmp;
293 }
294
295 return NULL;
296 }
297
298 static void flow_list_update_entry(struct flow_list *fl,
299 struct nf_conntrack *ct)
300 {
301 int do_ext = 0;
302 struct flow_entry *n;
303
304 n = flow_list_find_id(fl, nfct_get_attr_u32(ct, ATTR_ID));
305 if (n == NULL) {
306 n = flow_entry_xalloc();
307
308 rcu_assign_pointer(n->next, fl->head);
309 rcu_assign_pointer(fl->head, n);
310
311 do_ext = 1;
312 }
313
314 flow_entry_from_ct(n, ct);
315 if (do_ext)
316 flow_entry_get_extended(n);
317 }
318
319 static void flow_list_destroy_entry(struct flow_list *fl,
320 struct nf_conntrack *ct)
321 {
322 struct flow_entry *n1, *n2;
323 uint32_t id = nfct_get_attr_u32(ct, ATTR_ID);
324
325 n1 = flow_list_find_id(fl, id);
326 if (n1) {
327 n2 = flow_list_find_prev_id(fl, id);
328 if (n2) {
329 rcu_assign_pointer(n2->next, n1->next);
330 rcu_assign_pointer(n1->next, NULL);
331
332 flow_entry_xfree(n1);
333 } else {
334 flow_entry_xfree(fl->head);
335
336 rcu_assign_pointer(fl->head, NULL);
337 }
338 }
339 }
340
341 static void flow_list_destroy(struct flow_list *fl)
342 {
343 struct flow_entry *n;
344
345 while (fl->head != NULL) {
346 n = rcu_dereference(fl->head->next);
347 rcu_assign_pointer(fl->head->next, NULL);
348
349 flow_entry_xfree(fl->head);
350 rcu_assign_pointer(fl->head, n);
351 }
352
353 synchronize_rcu();
354 spinlock_destroy(&fl->lock);
355 }
356
357 static int walk_process(char *process, struct flow_entry *n)
358 {
359 int ret;
360 DIR *dir;
361 struct dirent *ent;
362 char path[1024];
363
364 if (snprintf(path, sizeof(path), "/proc/%s/fd", process) == -1)
365 panic("giant process name! %s\n", process);
366
367 dir = opendir(path);
368 if (!dir)
369 return 0;
370
371 while ((ent = readdir(dir))) {
372 struct stat statbuf;
373
374 if (snprintf(path, sizeof(path), "/proc/%s/fd/%s",
375 process, ent->d_name) < 0)
376 continue;
377
378 if (stat(path, &statbuf) < 0)
379 continue;
380
381 if (S_ISSOCK(statbuf.st_mode) && n->inode == statbuf.st_ino) {
382 memset(n->cmdline, 0, sizeof(n->cmdline));
383
384 snprintf(path, sizeof(path), "/proc/%s/exe", process);
385
386 ret = readlink(path, n->cmdline,
387 sizeof(n->cmdline) - 1);
388 if (ret < 0)
389 panic("readlink error: %s\n", strerror(errno));
390
391 n->procnum = atoi(process);
392 return 1;
393 }
394 }
395
396 closedir(dir);
397 return 0;
398 }
399
400 static void walk_processes(struct flow_entry *n)
401 {
402 int ret;
403 DIR *dir;
404 struct dirent *ent;
405
406 /* n->inode must be set */
407 if (n->inode <= 0) {
408 memset(n->cmdline, 0, sizeof(n->cmdline));
409 return;
410 }
411
412 dir = opendir("/proc");
413 if (!dir)
414 panic("Cannot open /proc!\n");
415
416 while ((ent = readdir(dir))) {
417 if (strspn(ent->d_name, "0123456789") == strlen(ent->d_name)) {
418 ret = walk_process(ent->d_name, n);
419 if (ret > 0)
420 break;
421 }
422 }
423
424 closedir(dir);
425 }
426
427 static int get_port_inode(uint16_t port, int proto, int is_ip6)
428 {
429 int ret = -ENOENT;
430 char path[128], buff[1024];
431 FILE *proc;
432
433 memset(path, 0, sizeof(path));
434 snprintf(path, sizeof(path), "/proc/net/%s%s",
435 proto2str[proto], is_ip6 ? "6" : "");
436
437 proc = fopen(path, "r");
438 if (!proc)
439 return -EIO;
440
441 memset(buff, 0, sizeof(buff));
442
443 while (fgets(buff, sizeof(buff), proc) != NULL) {
444 int inode = 0;
445 unsigned int lport = 0;
446
447 buff[sizeof(buff) - 1] = 0;
448 if (sscanf(buff, "%*u: %*X:%X %*X:%*X %*X %*X:%*X %*X:%*X "
449 "%*X %*u %*u %u", &lport, &inode) == 2) {
450 if ((uint16_t) lport == port) {
451 ret = inode;
452 break;
453 }
454 }
455
456 memset(buff, 0, sizeof(buff));
457 }
458
459 fclose(proc);
460 return ret;
461 }
462
463 #define CP_NFCT(elem, attr, x) \
464 do { n->elem = nfct_get_attr_u##x(ct,(attr)); } while (0)
465 #define CP_NFCT_BUFF(elem, attr) do { \
466 const uint8_t *buff = nfct_get_attr(ct,(attr)); \
467 if (buff != NULL) \
468 memcpy(n->elem, buff, sizeof(n->elem)); \
469 } while (0)
470
471 static void flow_entry_from_ct(struct flow_entry *n, struct nf_conntrack *ct)
472 {
473 CP_NFCT(l3_proto, ATTR_ORIG_L3PROTO, 8);
474 CP_NFCT(l4_proto, ATTR_ORIG_L4PROTO, 8);
475 CP_NFCT(ip4_src_addr, ATTR_ORIG_IPV4_SRC, 32);
476 CP_NFCT(ip4_dst_addr, ATTR_ORIG_IPV4_DST, 32);
477 CP_NFCT(port_src, ATTR_ORIG_PORT_SRC, 16);
478 CP_NFCT(port_dst, ATTR_ORIG_PORT_DST, 16);
479 CP_NFCT(status, ATTR_STATUS, 32);
480 CP_NFCT(tcp_state, ATTR_TCP_STATE, 8);
481 CP_NFCT(tcp_flags, ATTR_TCP_FLAGS_ORIG, 8);
482 CP_NFCT(counter_pkts, ATTR_ORIG_COUNTER_PACKETS, 64);
483 CP_NFCT(counter_bytes, ATTR_ORIG_COUNTER_BYTES, 64);
484 CP_NFCT(timestamp_start, ATTR_TIMESTAMP_START, 64);
485 CP_NFCT(timestamp_stop, ATTR_TIMESTAMP_STOP, 64);
486 CP_NFCT(flow_id, ATTR_ID, 32);
487 CP_NFCT(use, ATTR_USE, 32);
488
489 CP_NFCT_BUFF(ip6_src_addr, ATTR_ORIG_IPV6_SRC);
490 CP_NFCT_BUFF(ip6_dst_addr, ATTR_ORIG_IPV6_DST);
491
492 n->port_src = ntohs(n->port_src);
493 n->port_dst = ntohs(n->port_dst);
494
495 n->ip4_src_addr = ntohl(n->ip4_src_addr);
496 n->ip4_dst_addr = ntohl(n->ip4_dst_addr);
497
498 if (n->first) {
499 n->inode = get_port_inode(n->port_src, n->l4_proto,
500 n->l3_proto == AF_INET6);
501 if (n->inode > 0)
502 walk_processes(n);
503 }
504
505 n->first = 0;
506 }
507
508 enum flow_entry_direction {
509 flow_entry_src,
510 flow_entry_dst,
511 };
512
513 static inline int flow_entry_get_extended_is_dns(struct flow_entry *n)
514 {
515 /* We don't want to analyze / display DNS itself, since we
516 * use it to resolve reverse dns.
517 */
518 return n->port_src == 53 || n->port_dst == 53;
519 }
520
521 #define SELFLD(dir,src_member,dst_member) \
522 (((dir) == flow_entry_src) ? n->src_member : n->dst_member)
523
524 static struct sockaddr_in *
525 flow_entry_get_sain4_obj(struct flow_entry *n, enum flow_entry_direction dir,
526 struct sockaddr_in *sa)
527 {
528 memset(sa, 0, sizeof(*sa));
529 sa->sin_family = PF_INET;
530 sa->sin_addr.s_addr = htonl(SELFLD(dir, ip4_src_addr, ip4_dst_addr));
531
532 return sa;
533 }
534
535 static struct sockaddr_in6 *
536 flow_entry_get_sain6_obj(struct flow_entry *n, enum flow_entry_direction dir,
537 struct sockaddr_in6 *sa)
538 {
539 memset(sa, 0, sizeof(*sa));
540 sa->sin6_family = PF_INET6;
541
542 memcpy(&sa->sin6_addr, SELFLD(dir, ip6_src_addr, ip6_dst_addr),
543 sizeof(SELFLD(dir, ip6_src_addr, ip6_dst_addr)));
544
545 return sa;
546 }
547
548 static void
549 flow_entry_geo_city_lookup_generic(struct flow_entry *n,
550 enum flow_entry_direction dir)
551 {
552 GeoIPRecord *gir = NULL;
553 struct sockaddr_in sa4;
554 struct sockaddr_in6 sa6;
555 inline const char *make_na(const char *p) { return p ? : "N/A"; }
556 const char *city = NULL;
557
558 switch (n->l3_proto) {
559 default:
560 bug();
561
562 case AF_INET:
563 flow_entry_get_sain4_obj(n, dir, &sa4);
564 gir = GeoIP_record_by_ipnum(geo_city.gi4,
565 ntohl(sa4.sin_addr.s_addr));
566 break;
567
568 case AF_INET6:
569 flow_entry_get_sain6_obj(n, dir, &sa6);
570 gir = GeoIP_record_by_ipnum_v6(geo_city.gi6, sa6.sin6_addr);
571 break;
572 }
573
574 city = make_na(gir != NULL ? gir->city : city);
575
576 bug_on(sizeof(n->city_src) != sizeof(n->city_dst));
577 memcpy(SELFLD(dir, city_src, city_dst), city,
578 min(sizeof(n->city_src), strlen(city)));
579 }
580
581 static void
582 flow_entry_geo_country_lookup_generic(struct flow_entry *n,
583 enum flow_entry_direction dir)
584 {
585 struct sockaddr_in sa4;
586 struct sockaddr_in6 sa6;
587 inline const char *make_na(const char *p) { return p ? : "N/A"; }
588 const char *country = NULL;
589
590 switch (n->l3_proto) {
591 default:
592 bug();
593
594 case AF_INET:
595 flow_entry_get_sain4_obj(n, dir, &sa4);
596 country = GeoIP_country_name_by_ipnum(geo_country.gi4,
597 ntohl(sa4.sin_addr.s_addr));
598 break;
599
600 case AF_INET6:
601 flow_entry_get_sain6_obj(n, dir, &sa6);
602 country = GeoIP_country_name_by_ipnum_v6(geo_country.gi6,
603 sa6.sin6_addr);
604 break;
605 }
606
607 country = make_na(country);
608
609 bug_on(sizeof(n->country_src) != sizeof(n->country_dst));
610 memcpy(SELFLD(dir, country_src, country_dst), country,
611 min(sizeof(n->country_src), strlen(country)));
612 }
613
614 static void flow_entry_get_extended_geo(struct flow_entry *n,
615 enum flow_entry_direction dir)
616 {
617 flow_entry_geo_city_lookup_generic(n, dir);
618 flow_entry_geo_country_lookup_generic(n, dir);
619 }
620
621 static void flow_entry_get_extended_revdns(struct flow_entry *n,
622 enum flow_entry_direction dir)
623 {
624 size_t sa_len;
625 struct sockaddr_in sa4;
626 struct sockaddr_in6 sa6;
627 struct sockaddr *sa;
628 struct hostent *hent;
629
630 switch (n->l3_proto) {
631 default:
632 bug();
633
634 case AF_INET:
635 flow_entry_get_sain4_obj(n, dir, &sa4);
636 sa = (struct sockaddr *) &sa4;
637 sa_len = sizeof(sa4);
638 hent = gethostbyaddr(&sa4.sin_addr, sizeof(sa4.sin_addr),
639 AF_INET);
640 break;
641
642 case AF_INET6:
643 flow_entry_get_sain6_obj(n, dir, &sa6);
644 sa = (struct sockaddr *) &sa6;
645 sa_len = sizeof(sa6);
646 hent = gethostbyaddr(&sa6.sin6_addr, sizeof(sa6.sin6_addr),
647 AF_INET6);
648 break;
649 }
650
651 bug_on(sizeof(n->rev_dns_src) != sizeof(n->rev_dns_dst));
652 getnameinfo(sa, sa_len, SELFLD(dir, rev_dns_src, rev_dns_dst),
653 sizeof(n->rev_dns_src), NULL, 0, NI_NUMERICHOST);
654
655 if (hent) {
656 memset(n->rev_dns_dst, 0, sizeof(n->rev_dns_dst));
657 memcpy(SELFLD(dir, rev_dns_src, rev_dns_dst),
658 hent->h_name, min(sizeof(n->rev_dns_src),
659 strlen(hent->h_name)));
660 }
661 }
662
663 static void flow_entry_get_extended(struct flow_entry *n)
664 {
665 if (n->flow_id == 0 || flow_entry_get_extended_is_dns(n))
666 return;
667
668 flow_entry_get_extended_revdns(n, flow_entry_src);
669 flow_entry_get_extended_geo(n, flow_entry_src);
670
671 flow_entry_get_extended_revdns(n, flow_entry_dst);
672 flow_entry_get_extended_geo(n, flow_entry_dst);
673 }
674
675 static uint16_t presenter_get_port(uint16_t src, uint16_t dst, int tcp)
676 {
677 if (src < dst && src < 1024) {
678 return src;
679 } else if (dst < src && dst < 1024) {
680 return dst;
681 } else {
682 const char *tmp1, *tmp2;
683 if (tcp) {
684 tmp1 = lookup_port_tcp(src);
685 tmp2 = lookup_port_tcp(dst);
686 } else {
687 tmp1 = lookup_port_udp(src);
688 tmp2 = lookup_port_udp(dst);
689 }
690 if (tmp1 && !tmp2) {
691 return src;
692 } else if (!tmp1 && tmp2) {
693 return dst;
694 } else {
695 if (src < dst)
696 return src;
697 else
698 return dst;
699 }
700 }
701 }
702
703 static void presenter_screen_init(WINDOW **screen)
704 {
705 (*screen) = initscr();
706 noecho();
707 cbreak();
708 keypad(stdscr, TRUE);
709 nodelay(*screen, TRUE);
710 refresh();
711 wrefresh(*screen);
712 }
713
714 static void presenter_screen_do_line(WINDOW *screen, struct flow_entry *n,
715 unsigned int *line)
716 {
717 char tmp[128];
718 uint16_t port;
719
720 slprintf(tmp, sizeof(tmp), "%u/%s", n->procnum, basename(n->cmdline));
721
722 /* PID, application name */
723 mvwprintw(screen, *line, 2, "[");
724 attron(COLOR_PAIR(3));
725 printw("%s", n->procnum > 0 ? tmp : "N/A");
726 attroff(COLOR_PAIR(3));
727 printw("]");
728
729 /* L3 protocol, L4 protocol, TCP state */
730 printw(":%s:%s", l3proto2str[n->l3_proto], proto2str[n->l4_proto]);
731 printw("[");
732 attron(COLOR_PAIR(3));
733 printw("%s", state2str[n->tcp_state]);
734 attroff(COLOR_PAIR(3));
735 printw("]:");
736
737 /* Guess application port */
738 attron(A_BOLD);
739 if (n->tcp_state != TCP_CONNTRACK_NONE) {
740 port = presenter_get_port(n->port_src, n->port_dst, 1);
741 printw("%s -> ", lookup_port_tcp(port));
742 } else {
743 port = presenter_get_port(n->port_src, n->port_dst, 0);
744 printw("%s -> ", lookup_port_udp(port));
745 }
746 attroff(A_BOLD);
747
748 /* Show source information: reverse DNS, port, country, city */
749 if (show_src) {
750 attron(COLOR_PAIR(1));
751 mvwprintw(screen, ++(*line), 8, "src: %s", n->rev_dns_src);
752 attroff(COLOR_PAIR(1));
753
754 printw(":%u (", n->port_src);
755
756 attron(COLOR_PAIR(4));
757 printw("%s", n->country_src);
758 attroff(COLOR_PAIR(4));
759
760 printw(", %s) => ", n->city_src);
761 }
762
763 /* Show dest information: reverse DNS, port, country, city */
764 attron(COLOR_PAIR(2));
765 mvwprintw(screen, ++(*line), 8, "dst: %s", n->rev_dns_dst);
766 attroff(COLOR_PAIR(2));
767
768 printw(":%u (", n->port_dst);
769
770 attron(COLOR_PAIR(4));
771 printw("%s", n->country_dst);
772 attroff(COLOR_PAIR(4));
773
774 printw(", %s)", n->city_dst);
775 }
776
777 static void presenter_screen_update(WINDOW *screen, struct flow_list *fl,
778 int skip_lines)
779 {
780 int i, maxy;
781 unsigned int line = 3;
782 struct flow_entry *n;
783
784 curs_set(0);
785
786 maxy = getmaxy(screen);
787
788 start_color();
789 init_pair(1, COLOR_RED, COLOR_BLACK);
790 init_pair(2, COLOR_BLUE, COLOR_BLACK);
791 init_pair(3, COLOR_YELLOW, COLOR_BLACK);
792 init_pair(4, COLOR_GREEN, COLOR_BLACK);
793
794 wclear(screen);
795 clear();
796
797 mvwprintw(screen, 1, 2, "Kernel netfilter TCP/UDP "
798 "flow statistics, [+%d]", skip_lines);
799
800 rcu_read_lock();
801
802 if (rcu_dereference(fl->head) == NULL)
803 mvwprintw(screen, line, 2, "(No active sessions! "
804 "Is netfilter running?)");
805
806 maxy -= 6;
807 /* Yes, that's lame :-P */
808 for (i = 0; i < sizeof(states); i++) {
809 n = rcu_dereference(fl->head);
810 while (n && maxy > 0) {
811 if (n->tcp_state != states[i] ||
812 (i != TCP_CONNTRACK_NONE &&
813 n->tcp_state == TCP_CONNTRACK_NONE) ||
814 /* Filter out DNS */
815 presenter_get_port(n->port_src,
816 n->port_dst, 0) == 53) {
817 n = rcu_dereference(n->next);
818 continue;
819 }
820 if (skip_lines > 0) {
821 n = rcu_dereference(n->next);
822 skip_lines--;
823 continue;
824 }
825
826 presenter_screen_do_line(screen, n, &line);
827
828 line++;
829 maxy -= (2 + 1 * show_src);
830 n = rcu_dereference(n->next);
831 }
832 }
833
834 rcu_read_unlock();
835
836 wrefresh(screen);
837 refresh();
838 }
839
840 static inline void presenter_screen_end(void)
841 {
842 endwin();
843 }
844
845 static void presenter(void)
846 {
847 int skip_lines = 0;
848 WINDOW *screen = NULL;
849
850 dissector_init_ethernet(0);
851 presenter_screen_init(&screen);
852
853 rcu_register_thread();
854 while (!sigint) {
855 switch (getch()) {
856 case 'q':
857 sigint = 1;
858 break;
859 case KEY_UP:
860 case 'u':
861 case 'k':
862 skip_lines--;
863 if (skip_lines < 0)
864 skip_lines = 0;
865 break;
866 case KEY_DOWN:
867 case 'd':
868 case 'j':
869 skip_lines++;
870 if (skip_lines > SCROLL_MAX)
871 skip_lines = SCROLL_MAX;
872 break;
873 default:
874 fflush(stdin);
875 break;
876 }
877
878 presenter_screen_update(screen, &flow_list, skip_lines);
879 usleep(100000);
880 }
881 rcu_unregister_thread();
882
883 presenter_screen_end();
884 dissector_cleanup_ethernet();
885 }
886
887 static int collector_cb(enum nf_conntrack_msg_type type,
888 struct nf_conntrack *ct, void *data)
889 {
890 if (sigint)
891 return NFCT_CB_STOP;
892
893 synchronize_rcu();
894 spinlock_lock(&flow_list.lock);
895
896 switch (type) {
897 case NFCT_T_NEW:
898 flow_list_new_entry(&flow_list, ct);
899 break;
900 case NFCT_T_UPDATE:
901 flow_list_update_entry(&flow_list, ct);
902 break;
903 case NFCT_T_DESTROY:
904 flow_list_destroy_entry(&flow_list, ct);
905 break;
906 default:
907 break;
908 }
909
910 spinlock_unlock(&flow_list.lock);
911
912 return NFCT_CB_CONTINUE;
913 }
914
915 static inline GeoIP *collector_geoip_open(const char *path, int type)
916 {
917 if (path != NULL)
918 return GeoIP_open(path, GEOIP_MMAP_CACHE);
919 else
920 return GeoIP_open_type(type, GEOIP_MMAP_CACHE);
921 }
922
923 static void collector_load_geoip(void)
924 {
925 geo_country.gi4 = collector_geoip_open(geo_country.path4,
926 GEOIP_COUNTRY_EDITION);
927 if (geo_country.gi4 == NULL)
928 panic("Cannot open GeoIP4 country database!\n");
929
930 geo_country.gi6 = collector_geoip_open(geo_country.path6,
931 GEOIP_COUNTRY_EDITION_V6);
932 if (geo_country.gi6 == NULL)
933 panic("Cannot open GeoIP6 country database!\n");
934
935 geo_city.gi4 = collector_geoip_open(geo_city.path4,
936 GEOIP_CITY_EDITION_REV1);
937 if (geo_city.gi4 == NULL)
938 panic("Cannot open GeoIP4 city database!\n");
939
940 geo_city.gi6 = collector_geoip_open(geo_city.path6,
941 GEOIP_CITY_EDITION_REV1_V6);
942 if (geo_city.gi6 == NULL)
943 panic("Cannot open GeoIP6 city database!\n");
944
945 GeoIP_set_charset(geo_country.gi4, GEOIP_CHARSET_UTF8);
946 GeoIP_set_charset(geo_country.gi6, GEOIP_CHARSET_UTF8);
947
948 GeoIP_set_charset(geo_city.gi4, GEOIP_CHARSET_UTF8);
949 GeoIP_set_charset(geo_city.gi6, GEOIP_CHARSET_UTF8);
950 }
951
952 static void collector_destroy_geoip(void)
953 {
954 GeoIP_delete(geo_country.gi4);
955 GeoIP_delete(geo_country.gi6);
956
957 GeoIP_delete(geo_city.gi4);
958 GeoIP_delete(geo_city.gi6);
959 }
960
961 static void *collector(void *null)
962 {
963 int ret;
964 struct nfct_handle *handle;
965 struct nfct_filter *filter;
966
967 handle = nfct_open(CONNTRACK, NFCT_ALL_CT_GROUPS);
968 if (!handle)
969 panic("Cannot create a nfct handle!\n");
970
971 filter = nfct_filter_create();
972 if (!filter)
973 panic("Cannot create a nfct filter!\n");
974
975 if (what & INCLUDE_UDP)
976 nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
977 IPPROTO_UDP);
978 if (what & INCLUDE_TCP)
979 nfct_filter_add_attr_u32(filter, NFCT_FILTER_L4PROTO,
980 IPPROTO_TCP);
981
982 nfct_filter_set_logic(filter, NFCT_FILTER_SRC_IPV4,
983 NFCT_FILTER_LOGIC_NEGATIVE);
984 nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV4,
985 &filter_ipv4);
986
987 nfct_filter_set_logic(filter, NFCT_FILTER_SRC_IPV6,
988 NFCT_FILTER_LOGIC_NEGATIVE);
989 nfct_filter_add_attr(filter, NFCT_FILTER_SRC_IPV6,
990 &filter_ipv6);
991
992 ret = nfct_filter_attach(nfct_fd(handle), filter);
993 if (ret < 0)
994 panic("Cannot attach filter to handle!\n");
995
996 nfct_callback_register(handle, NFCT_T_ALL, collector_cb, NULL);
997
998 collector_load_geoip();
999
1000 flow_list_init(&flow_list);
1001
1002 rcu_register_thread();
1003 while (!sigint)
1004 nfct_catch(handle);
1005 rcu_unregister_thread();
1006
1007 flow_list_destroy(&flow_list);
1008
1009 collector_destroy_geoip();
1010
1011 nfct_filter_destroy(filter);
1012 nfct_close(handle);
1013
1014 pthread_exit(0);
1015 }
1016
1017 int main(int argc, char **argv)
1018 {
1019 pthread_t tid;
1020 int ret, c, opt_index, what_cmd = 0;
1021
1022 memset(&geo_country, 0, sizeof(geo_country));
1023 memset(&geo_city, 0, sizeof(geo_city));
1024
1025 while ((c = getopt_long(argc, argv, short_options, long_options,
1026 &opt_index)) != EOF) {
1027 switch (c) {
1028 case 'T':
1029 what_cmd |= INCLUDE_TCP;
1030 break;
1031 case 'U':
1032 what_cmd |= INCLUDE_UDP;
1033 break;
1034 case 's':
1035 show_src = 1;
1036 break;
1037 case 'L':
1038 geo_city.path4 = xstrdup(optarg);
1039 break;
1040 case 'K':
1041 geo_country.path4 = xstrdup(optarg);
1042 break;
1043 case 'O':
1044 geo_city.path6 = xstrdup(optarg);
1045 break;
1046 case 'P':
1047 geo_country.path6 = xstrdup(optarg);
1048 break;
1049 case 'h':
1050 help();
1051 break;
1052 case 'v':
1053 version();
1054 break;
1055 case '?':
1056 switch (optopt) {
1057 case 'L':
1058 case 'K':
1059 case 'O':
1060 case 'P':
1061 panic("Option -%c requires an argument!\n",
1062 optopt);
1063 default:
1064 if (isprint(optopt))
1065 whine("Unknown option character "
1066 "`0x%X\'!\n", optopt);
1067 die();
1068 }
1069 default:
1070 break;
1071 }
1072 }
1073
1074 if (what_cmd > 0)
1075 what = what_cmd;
1076
1077 rcu_init();
1078
1079 register_signal(SIGINT, signal_handler);
1080 register_signal(SIGHUP, signal_handler);
1081
1082 ret = pthread_create(&tid, NULL, collector, NULL);
1083 if (ret < 0)
1084 panic("Cannot create phthread!\n");
1085
1086 presenter();
1087
1088 free(geo_country.path4);
1089 free(geo_country.path6);
1090
1091 free(geo_city.path4);
1092 free(geo_city.path6);
1093
1094 return 0;
1095 }
netsniff-ng toolkit, the packet sniffing beast, staging tree