Common subdirectories: sancp-1.6.1.patch.b/contrib and sancp-1.6.1.patch.d/contrib
diff -U3 -d sancp-1.6.1.patch.b/decode.cc sancp-1.6.1.patch.d/decode.cc
--- sancp-1.6.1.patch.b/decode.cc 2006-07-01 12:29:28.000000000 -0500
+++ sancp-1.6.1.patch.d/decode.cc 2006-07-05 22:41:46.000000000 -0500
@@ -20,12 +20,9 @@
 extern struct gvars gVars;
 u_int8_t e_hlen=14;
 u_int8_t ip_hlen=0;
- u_int8_t done=0;
- u_int16_t tcpoptlen=0;
 u_int8_t tcp_hlen=0;
 u_int16_t udp_len=0;
 u_int16_t ip_len=0;
- u_int16_t bytes_processed=0;
 nc->d_total_pkts=nc->s_ip=nc->d_ip=nc->free=nc->proto=nc->s_port=nc->d_port=nc->d_total_bytes=nc->collected=0;
 nc->timeout=gVars.default_timeout;
@@ -35,6 +32,13 @@
 nc->fH=0;
 nc->start_time=nc->last_pkt=gVars.timeptr.tv_sec;
 nc->limit=gVars.default_limit;
+ //
+ // If we don't have a pkt then perhaps we should not have been called
+ //
+ if(!pkt){
+ printf("Error decode: received empty packet\n");
+ return;
+ }
 nc->s_total_pkts=1;
 nc->stats=gVars.smode?1:0;
 nc->realtime=gVars.rmode?1:0;
@@ -67,8 +71,23 @@
 nc->os_info.len=ip_len;
 nc->os_info.wss=ntohs(*(u_int16_t*)(pkt + e_hlen + ip_hlen + 14));
 nc->os_info.df=((pkt[e_hlen + 6]&0x40)==0x40)?1:0;
+
+#ifdef EXPERIMENTAL_TCPOPTIONS
+ u_int16_t tcpoptlen=0;
+ u_int16_t bytes_processed=0;
+ int loopctr=0;
+ u_int8_t done=0;
+
+ //
+ // THIS CODE DOES NOT PROPERLY PARSE TCPOPTIONS FOR ALL PACKETS
+ // INFINITE LOOPS WERE POSSIBLE IN THIS PORTION OF CODE UNTIL
+ // int loopctr WAS INTRODUCED TO LIMIT OPTIONS TO TCPOPTIONS_MAX
+ //
+ //tcpopt = *pkt + (e_hlen + ip_hlen + 20); // this is where we should find tcp options
+
+ int tcpoptctr=(e_hlen + ip_hlen + 20);
+
 nc->os_info.wscale=0;
- int tcpoptctr=(e_hlen + ip_hlen + 20);
 tcpoptlen=tcp_hlen>20?(tcp_hlen - 20):0;
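Review bot: The new `if(!pkt)` guard in the `@@ -35` hunk runs after `nc->timeout`, `nc->fH`, `nc->start_time` and `nc->limit` have already been written and before `nc->s_total_pkts` is set, so the early `return` leaves the caller holding a half-initialised connection record with no signal that decoding was abandoned; the function's opening, and therefore its return type and caller, are outside this hunk. Moving the check ahead of the first `nc->` assignment, or giving the caller a status to act on, would make the bail-out observable. The diagnostic also goes to stdout through `printf`, where it can land in whatever sancp emits there; `fprintf(stderr, "Error decode: received empty packet\n");` keeps it out of the data stream. Note that the guard rejects only a NULL pointer: the context lines of the following hunk still index `pkt` at `e_hlen + ip_hlen + 14` and `e_hlen + 6` with no comparison against the captured length visible, so a short capture is not covered by this check.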
@@ -106,7 +125,11 @@
 break;
 }
+ loopctr++;
+ // Bail out after 8 'options' - NEEDED UNTIL THIS CODE IS FIXED TO PROPERLY PARSE TCPOPTIONS
+ if(loopctr>TCPOPTIONS_MAX){ done = 1; }
 }
+#endif
 }
 } else if( nc->proto==IPPROTO_UDP )
Common subdirectories: sancp-1.6.1.patch.b/docs and sancp-1.6.1.patch.d/docs
Common subdirectories: sancp-1.6.1.patch.b/etc and sancp-1.6.1.patch.d/etc
diff -U3 -d sancp-1.6.1.patch.b/help.cc sancp-1.6.1.patch.d/help.cc
--- sancp-1.6.1.patch.b/help.cc 2004-09-13 12:55:24.000000000 -0500
+++ sancp-1.6.1.patch.d/help.cc 2006-07-05 22:41:46.000000000 -0500
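Review bot: The bail-out `if(loopctr>TCPOPTIONS_MAX){ done = 1; }` fires one option later than the comment above it promises: `loopctr` is incremented after each option has been handled, so with `TCPOPTIONS_MAX` at 8 the ninth option is still parsed before `done` is set; `if(loopctr>=TCPOPTIONS_MAX){ done = 1; }` matches "after 8 'options'". The enclosing loop and its condition begin before this hunk (the declarations of `loopctr`, `done`, `tcpoptlen` and `bytes_processed` sit in the `@@ -67` hunk), so I cannot see whether the loop is bounded by the captured packet length or only by `tcpoptlen`, which is computed from `tcp_hlen` and presumably read from the packet itself; a counter cap stops the loop from spinning forever but does not stop it reading past the end of a truncated capture, so that bound is worth confirming. Since the comment already records the cap as a stopgap, I'd state there which condition the proper fix must check, e.g. `// TODO: bound bytes_processed by tcpoptlen AND by the bytes actually captured`.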
@@ -203,11 +203,22 @@
 << " The next 8 fields contain p0F information gathered from initial TCP packet\n"
 << " 20: 16bit wss: window segment size (initial packet, tcp only)\n"
 << " 21: 8bit ttl: time to live (initial packet, tcp only)\n"
+#ifdef EXPERIMENTAL_TCPOPTIONS
 << " 22: 16bit mss: maximum segment size (initial packet, tcp only)\n"
+#else
+<< " 22: 16bit mss: maximum segment size (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+#endif
 << " 23: Y/N df: don't fragment bit was set (initial packet, tcp only)\n"
+#ifdef EXPERIMENTAL_TCPOPTIONS
 << " 24: 8bit wscale: window scale (initial packet, tcp only)\n"
 << " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only)\n"
 << " 26: Y/N nop: 'no op' was seen (initial packet, tcp only)\n"
+#else
+<< " 24: 8bit wscale: window scale (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+<< " 25: Y/N sack_ok: sack_ok flag was set (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+<< " 26: Y/N nop: 'no op' was seen (initial packet, tcp only) need to re-compile with EXPERIMENTAL_TCPOPTIONS\n"
+#endif
+
 << " 27: 16bit len: ip length (initial packet, tcp only)\n"
 << "\n"
 << " The next 8 fields contain p0F information gathered from second TCP packet\n"
diff -U3 -d sancp-1.6.1.patch.b/sancp.h sancp-1.6.1.patch.d/sancp.h
--- sancp-1.6.1.patch.b/sancp.h 2004-11-02 11:45:30.000000000 -0600
+++ sancp-1.6.1.patch.d/sancp.h 2006-07-05 22:43:19.000000000 -0500
@@ -13,6 +13,7 @@
 * ***********************************************************************/
 #define SANCP_H
+#define EXPERIMENTAL_TCPOPTIONS
 //#define DEBUG 1
@@ -128,7 +129,7 @@
 /* Hash Table Protos */
 #define DEFAULT_FLUSH_INTERVAL 1800
 #define DEFAULT_EXPIRE_INTERVAL 10
-#define VERSION "1.6.1"
+#define VERSION "1.6.1 patch d"
 #define NAME "sancp"
 #define LOG_DIR "./" /* default relative to current working directory */
 #define CONFIG_DIR "/etc/sancp/"
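Review bot: `#define EXPERIMENTAL_TCPOPTIONS` in the `@@ -13` hunk of sancp.h is unconditional, so every `#ifdef EXPERIMENTAL_TCPOPTIONS` this patch introduces (help.cc, the os_info struct, statefull_logging.cc) is always true and the `#else` branches, including the "need to re-compile with EXPERIMENTAL_TCPOPTIONS" help text, are reachable only by editing the header; this assumes those files include sancp.h, which I cannot see from here. If a build-time switch is intended, the define should say so and how it is turned off, e.g. `/* Comment out to build without the experimental TCP option parser (TCPOPTIONS_MAX, decode.cc) */`, or be left to the compiler flags so a plain rebuild can opt out. As it stands the version string is the only visible hint that the option parser is enabled.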
@@ -204,11 +205,14 @@
 #define CNX_REREVERSED 4
 #define MAX_PACK_LEN 20000 /* Sufficient for ethernet packets. */
 #define ETHER_SIZE 14
+#ifdef EXPERIMENTAL_TCPOPTIONS
 #define TCPOPT_EOL 0
 #define TCPOPT_NOP 1
 #define TCPOPT_MAXSEG 2
 #define TCPOPT_SACKOK 4 /* Experimental */
 #define TCPOPT_WSCALE 3
+#define TCPOPTIONS_MAX 8 /* Maximum number of tcpoptions to parse */
+#endif
 #define R_FIN 0x01
@@ -233,9 +237,14 @@
 u_int8_t ttl;
 u_int16_t len;
 u_int16_t wss;
+#ifdef EXPERIMENTAL_TCPOPTIONS
+ u_int8_t df:1, nop:1, sack_ok:1;
 u_int16_t mss;
 short wscale;
- u_int8_t df:1, nop:1, sack_ok:1;
+#else
+ u_int8_t df:1;
+#endif
+
 };
diff -U3 -d sancp-1.6.1.patch.b/statefull_logging.cc sancp-1.6.1.patch.d/statefull_logging.cc
--- sancp-1.6.1.patch.b/statefull_logging.cc 2004-11-02 11:49:16.000000000 -0600
+++ sancp-1.6.1.patch.d/statefull_logging.cc 2006-07-05 22:41:46.000000000 -0500
@@ -416,6 +416,7 @@
 }
 break;
 }
+#ifdef EXPERIMENTAL_TCPOPTIONS
 case tcp_mss_s: {
 if(cn->reversed==1){
 snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info2.mss);
@@ -448,6 +449,7 @@
 }
 break;
 }
+#endif
 case ip_len_d: {
 if(cn->reversed==1){
 snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info.len);
@@ -480,6 +482,7 @@
 }
 break;
 }
+#ifdef EXPERIMENTAL_TCPOPTIONS
 case tcp_mss_d: {
 if(cn->reversed==1){
 snprintf(LOG,MAXENTRYLEN,"%u",cn->os_info.mss);
@@ -512,6 +515,7 @@
 }
 break;
 }
+#endif
 case total_bytes: {
 snprintf(LOG,MAXENTRYLEN,"%llu",cn->total_bytes);
 break;
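Review bot: In the `@@ -233` hunk of sancp.h the bitfield line `u_int8_t df:1, nop:1, sack_ok:1;` is moved ahead of `mss` and `wscale` inside the `#ifdef`, so the struct's member order, and with it its offsets, changes from the pre-patch layout even in the flag-on build; unless the move is deliberate, keeping the original order `u_int16_t mss; short wscale; u_int8_t df:1, nop:1, sack_ok:1;` under the `#ifdef` avoids the layout change (the struct's name is outside the hunk). The `#else` branch drops `mss` and `wscale` entirely, so a translation unit compiled without the macro sees a different `sizeof`, which is only safe while every object file is built with the same setting; whether these records are ever written out or shared between builds is not visible here. A one-line comment above the `#ifdef` saying that the macro changes the size and layout of this struct would warn the next reader.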
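Review bot: Wrapping `case tcp_mss_s:` in `#ifdef EXPERIMENTAL_TCPOPTIONS` in the `@@ -416` hunk (and `case tcp_mss_d:` in the `@@ -480` hunk) removes those cases, and presumably the option-derived cases between them and the matching `#endif`, from the switch, yet this patch shows no change to the enumerators they match on; with the macro undefined a field list naming one of them reaches whatever `default:` the switch has, which is outside the hunk, and prints nothing for that field if there is none. I'd either exclude the enumerators under the same macro so the mismatch fails at compile time, or keep the cases and have them emit a fixed placeholder, matching the help text that already tells the user these fields need a recompile. A short comment at the `#ifdef`, e.g. `// Option-derived fields; compiled out together with the parser in decode.cc`, would tie the two sites together.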