anon.h File Reference

#include "ip_structs.h"
#include "tcp_structs.h"

Include dependency graph for anon.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	sandnb
struct	nb_table
struct	dialog
Defines
#define	min(a, b)   ((a)<(b)?(a):(b))
#define	max(a, b)   ((a)>=(b)?(a):(b))
Typedefs
typedef sandnb	string_and_nb
Functions
nb_table *	clone_nb_table (nb_table table)
void	packet_handler (u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
	The packet handler function, which is called for every processed packet.
void	display_packet_infos (int nb, struct timeval *ts, char *ip_src, char *ip_dst, int sport, int dport)
	Displays infos about a IP packet.
void	ts_print (struct timeval *tvp_)
	Prints a timestamp following this format: 16:21:48.970264.
void	ts_print_diff (struct timeval *tvp_)
	Prints a time difference following this format: 14.95ms.
char *	strptime (const char *s, const char *format, struct tm *tm)
	Libc function, which converts a character string to values which are stored in a tm structure, using a specified format.
int32_t	gmt2local (time_t t)
	Returns the difference between gmt and local time in seconds. This function is borrowed from tcpdump (www.tcpdump.org/).
void	convert_to_small (char *ptr)
	Converts a string to lowercase.
dialog *	buffer_request (char *request, int len, int nb, char *ip_src, char *ip_dst, int port_src, int port_dst)
	Buffers a request in memory.
dialog *	find_request (char *ip_src, char *ip_dst, int port_src, int port_dst)
	Finds a request in a dialog, matching some criteria.
char *	generate_anonymised_url (char *s)
	Generates an anonymised URL from a genuine URL.
void	add_anonymised_url (char *url, char *newurl)
	Adds an anonymised URL the the table.
char *	find_url (char *s, int offset)
	Finds an URL (anonymised or not) in the table.
char *	find_anonymised_url (char *s)
	Finds an anonymised URL in the table, corresponding to the specified non anonymised URL.
void	free_anonymised_url_table ()
	Frees the table of anonymised URLs.
int	parse_size (char *string)
	: Parses a size in the form: "10m" or "1g", and returns the number of bytes
char *	get_extension (char *s)
	Returns the file extension of an URL, without any extra parameter.
void	anon_sequence (u_int32_t *seq)
	Anonymises a sequence number (4 bytes) in memory and adds it to a table (if the -u option is used).
void	anon_port (u_int16_t *port)
	Anonymises a port (2 bytes) in memory and adds it to a table.
void	anon_ip (struct in_addr *ip)
	Anonymises an IP (4 bytes) in memory and adds it to a table.
char *	find_anonymised_ip (struct in_addr *ip)
	Finds an anonymised IP in the table.
void	anon_url (char *s)
	Anonymises an URL (a string) in memory.
void	anon_timestamp (register struct timeval *tvp)
	Anonymises an timestamp (8 bytes) in memory.
void	anon_date (char *date)
	Anonymises a date in memory.
void	anon_field (char *field, char *s)
	Anonymises a HTTP header field.
void	anon_http (char *data, int len)
	Anonymises a HTTP header in memory.
void	scan_http (struct dialog *d)
	Scans two HTTP headers in memory (request and response) and gathers statistics.
char *	process_http (char *data, int len, int scan, int anon)
	This a wrapper to call either scan_http() or anon_http().
void	content_length_stats ()
	Makes and prints statistics about content_lengh fields.
void	date_stats ()
string_and_nb *	add_and_count_string_with_data (string_and_nb *table, char *s, void *data)
	Adds a string in a table if not yet present. If the string is already present, a counter is incremented.
string_and_nb *	find_item (string_and_nb *table, char *s)
	Lookup a string in a string table. If found, the item is returned, Null otherwise.
void	display_string_table_with_data (char *title, string_and_nb *table, char *data_title, int sorted)
	Displays a string table and associated counters and data.
void	free_string_table (string_and_nb *table)
	Frees a string table.
void	process_dialog (struct dialog *d)
	Scans a HTTP dialog (request+response) and displays it if needed.
void	free_dialog (struct dialog *d)
	Frees a HTTP dialog.
pcap_if_t *	get_pcap_interface (char *name)
	Gets a network interface given a name such as "eth0".
void	stats_add_server (char *s)
void	stats_add_server_simple (char *s)
void	stats_add_http_response_code_with_data (char *s, char *data)
void	stats_add_http_version (char *s)
void	stats_add_user_agent (char *s)
void	stats_add_last_modified (char *s)
void	stats_add_url (char *s)
void	stats_add_extension (char *s)
void	stats_add_suffix (char *s)
void	stats_add_content_type (char *s)
void	stats_add_content_type_simple (char *s)
void	stats_add_content_length (char *s)
void	stats_add_header (char *s)
void	stats_add_url_with_data (char *s, void *data)
void	stats_add_new_url_with_data (char *s, void *data)
void	stats_add_sequence_number (char *s)
void	stats_add_freshness (int nb)
void *	xmalloc (size_t size)
	A wrapper to malloc() which quits the program if the memory allocation fails.
void *	xrealloc (void *ptr, size_t size)
	A wrapper to realloc() which quits the program if the memory allocation fails.
char *	is_in (char **string_table, char *string)
	Checks if a string is contained in a string array.
char *	base_name (register char *f)
	Returns the base name of a file (ie: /tmp/anon ==> anon).
int	is_ip_in_a_string (char *s)
	Returns 1 if the provided string is in the form "xxx.xxx.xxx.xxx".
void	memset_range (char *start, char *end, int c)
	Fills a memory area with a specified character (this is a wrapper for memset).
char *	strstr_limited (char *ptr, char *end, char *str)
	Wrapper for strstr, which limits the memory area to search.
u_int32_t	getip32 (char *ip)
	Converts an IP address of the form XXX.XXX.XXX.XXX to an unsigned integer (32 bits).
char	get_random_char ()
	Gets a random letter from the alphabet.
void	catch_ctrl_c (int signum)
	Signal Handler to catch CTRL+C.
char *	compute_flags (u_int8_t flags)
	Builds a string containing a textual representation of the flags present in a TCP header.
char *	add_flag (char *s, char *flag)
	It is a small function called by compute_flags().
char *	get_time (double t)
	Returns a human readable string representing a time.
char *	get_size (int s)
	Returns a human readable string representing a size in bytes.
char *	get_speed (double speed)
	Returns a human readable string representing a speed in bytes/s.
char *	get_pct (double pct)
	Returns a human readable string representing a percentage.
char *	string_append (char *s, const char *fmt,...)
	Appends a string to another.

---

Define Documentation

#define max (  a, b   )     ((a)>=(b)?(a):(b))

Definition at line 5 of file anon.h. Referenced by content_length_stats(), and display_string_table_with_data().

#define min (  a, b   )     ((a)<(b)?(a):(b))

Definition at line 4 of file anon.h.

---

Typedef Documentation

typedef struct sandnb string_and_nb

---

Function Documentation

string_and_nb* add_and_count_string_with_data (  string_and_nb *  table, char *  s, void *  data )

Adds a string in a table if not yet present. If the string is already present, a counter is incremented. Parameters: string_and_nb  *table: The table to add the string to char  *s: the string to add void  *data: an optional data associated with the string Returns: The table containing the string Definition at line 1761 of file anon.c. References sandnb::data, display_raw_stats, sandnb::nb, nbpackets, sandnb::next, sandnb::s, string_append(), and xmalloc(). Referenced by stats_add_http_response_code_with_data(), and stats_add_sequence_number_with_data(). { string_and_nb *ptr=table; string_and_nb *tmp; string_and_nb *prev=NULL; int ret; //No need to sort and group results, if displaying raw stats if(!display_raw_stats) { while(ptr) { ret=strcmp(s, ptr->s); if(ret<0) { prev=ptr; } else if (ret>0) break; //We have to insert the string here else //ret=0, we've found the string { if(data) { if(ptr->data) free(ptr->data); ptr->data=data; } ptr->nb++; return table; } ptr=ptr->next; } } tmp=xmalloc(sizeof(string_and_nb)); if(display_raw_stats) { tmp->s=string_append(NULL, "%i:%s",nbpackets, s); } else { tmp->s=strdup(s); } tmp->nb=1; if(data) tmp->data=data; else tmp->data=NULL; //If this is the first string in the list if(table==NULL) { tmp->next=NULL; return tmp; } else { if(prev) { tmp->next=prev->next; prev->next=tmp; return table; } else { //We insert the new struct at the beginning of the table tmp->next=table; return tmp; } } } Here is the call graph for this function:

void add_anonymised_url (  char *  url_, char *  newurl_ )

Adds an anonymised URL the the table. Parameters: char  *url: the non anonymised url char  *newurl: the corresponding anonymised url Definition at line 792 of file anon.c. References anon_url_table, debug, nburl, print, and xrealloc(). Referenced by anon_url(), and generate_anonymised_url(). { char *url=strdup(url_); char *newurl=strdup(newurl_); if(debug) print("ADDING URL:%s \n--> %s\n",url,newurl); nburl++; anon_url_table=(char*)xrealloc(anon_url_table, nburl*2*4); memcpy(anon_url_table+2*(nburl-1)*4,&url,4); memcpy(anon_url_table+2*(nburl-1)*4+4,&newurl,4); } Here is the call graph for this function:

char* add_flag (  char *  s, char *  flag )

It is a small function called by compute_flags(). Parameters: char  *s: The string containing the previous flags char  *flag: The flag to add to the string Returns: A string containing the new flag and the previous ones Definition at line 370 of file anon.c. References xrealloc(). Referenced by compute_flags(). { int len=0; if(s) len=strlen(s); s=xrealloc(s, len+strlen(flag)+2); if(len==0) sprintf(s+len, "%s", flag); else sprintf(s+len, ".%s", flag); return s; } Here is the call graph for this function:

void anon_date (  char *  date  )

Anonymises a date in memory. Parameters: char  *date: the non anonymised date (a string) Definition at line 886 of file anon.c. References date_offset, and strptime(). Referenced by anon_field(). { struct tm time; char *ret; time_t nb_seconds; char buffer[100]; int len=strlen(date); ret=strptime(date, "%a, %d %b %Y %T GMT", &time); nb_seconds=mktime(&time); //The first date seen in the capture will be anonymised to: Tue, 01 Jan 1980 00:00:00 GMT if(date_offset==0) date_offset=nb_seconds-(3600*24)*(365*10+2); nb_seconds-=date_offset; gmtime_r(&nb_seconds, &time); strftime(buffer, 99, "%a, %d %b %Y %T GMT", &time); //print("DATE NEW:%s\n",asctime(&time)); //print("DDATE:%i\n",ttime); //strcpy(date, buffer); strncpy(date, buffer, len); date[len]='\0'; //print("DATE NEW:%s\n",buffer); } Here is the call graph for this function:

void anon_field (  char *  field, char *  s )

Anonymises a HTTP header field. Parameters: char  *field: the field to anonymise (ie: Location:) char  *s: the field's content to anonymise (ie: www.google.com) Definition at line 914 of file anon.c. References anon_date(), anon_url(), anonymise, anonymise_date, anonymise_url, and is_ip_in_a_string(). Referenced by process_http(). { if(strcmp(field, "Host: ")==0 || strcmp(field, "Referer: ")==0 || strcmp(field, "Location: ")==0 || strcmp(field, "Content-Location: ")==0) { if(anonymise && anonymise_url) { //Some webservers send an IP in the Host field! if(strcmp(field, "Host: ")==0 && is_ip_in_a_string(s+strlen(field))) { snprintf(s+strlen(field), strlen(s+strlen(field)), "000.000.000.000"); } else { anon_url(s+strlen(field)); } } return; } if(strcmp(field, "GET ")==0) { if(anonymise && anonymise_url) { char backup_char; char *http_version=strstr(s, " HTTP/"); if(!http_version) { http_version=s+strlen(s); } backup_char=*http_version; *http_version='\0'; anon_url(s+strlen(field)); *http_version=backup_char; } return; } if(strcmp(field, "Date: ")==0 || strcmp(field, "Last-Modified: ")==0 || strcmp(field, "If-Modified-Since: ")==0 || strcmp(field, "Expires: ")==0) { if(anonymise && anonymise_date) anon_date(s+strlen(field)); return; } memset(s+strlen(field), 'X', strlen(s)-strlen(field)); return; } Here is the call graph for this function:

void anon_http (  char *  data, int  len )

Anonymises a HTTP header in memory. Parameters: char  *data: the HTTP header data int  len: its length Definition at line 1253 of file anon.c. References process_http(). Referenced by packet_handler(). { process_http(data, len, 0, 1); } Here is the call graph for this function:

void anon_ip (  struct in_addr *  ip  )

Anonymises an IP (4 bytes) in memory and adds it to a table. Parameters: struct  in_addr *ip: the non anonymised IP Definition at line 2010 of file anon.c. References find_anonymised_ip(), FIRST_ANON_IP, firstanonip, getip32(), ip_table, nbip, and xrealloc(). Referenced by packet_handler(). { char *ptr = NULL; struct in_addr newip; ptr=find_anonymised_ip(ip); if(ptr) { memcpy (&newip, ptr + 4, 4); } else /* We have a new IP to anonymise */ { u_int32_t tmp; if (firstanonip == 0) firstanonip = getip32 (FIRST_ANON_IP); tmp = firstanonip += nbip * 16777216; memcpy (&newip, &tmp, 4); /* We add the original and anonymised IPs to the table */ ip_table = xrealloc (ip_table, (nbip + 1) * 8); memcpy (ip_table + nbip * 8, ip, 4); memcpy (ip_table + nbip * 8 + 4, &newip, 4); nbip++; } memcpy (ip, &newip, 4); } Here is the call graph for this function:

void anon_port (  u_int16_t *  port  )

Anonymises a port (2 bytes) in memory and adds it to a table. Parameters: struct  u_int16_t *port: the non anonymised port Definition at line 1960 of file anon.c. References FIRST_ANON_PORT, nbports, port_table, and xrealloc(). Referenced by packet_handler(). { int i; u_int16_t *port2=(u_int16_t*)port_table; u_int16_t newport = 0; /* We look for the port in the table, if it has already been anonymised */ for (i = 0; i < nbports; i++) { /* If the IP is found, we get the IP to replace it */ if(*port==*port2) { memcpy (&newport, port_table+i*4+ 2, 2); break; } port2+=2; } if (newport == 0) /* We have a new port to anonymise */ { newport = htons (nbports + FIRST_ANON_PORT); /* We add the original and anonymised ports to the table */ port_table = xrealloc (port_table, (nbports + 1) * 4); memcpy (port_table + nbports * 4, port, 2); memcpy (port_table + nbports * 4 + 2, &newport, 2); port_table[nbports] = *port; port_table[nbports + 1] = newport; nbports++; } memcpy (port, &newport, 2); } Here is the call graph for this function:

void anon_sequence (  u_int32_t *  seq  )

Anonymises a sequence number (4 bytes) in memory and adds it to a table (if the -u option is used). Parameters: u_int32_t  *seq: the non anonymised sequence number Definition at line 880 of file anon.c. References rand_seq_nb. Referenced by packet_handler(). { if(rand_seq_nb==0) rand_seq_nb=(u_int32_t)*seq; *seq-=(u_int32_t)rand_seq_nb%65536; }

void anon_timestamp (  register struct timeval *  tvp  )

Anonymises an timestamp (8 bytes) in memory. Parameters: register  struct timeval *tvp: the non anonymised timestamp Definition at line 415 of file anon.c. References nbpackets, timeoffset, and timeoffset_usec. Referenced by packet_handler(). { //This if the first packet. //We take the timestamp and substract it from each following timestamp, //so the first packet's timestamp will be 0. if(nbpackets==0) { timeoffset=tvp->tv_sec; timeoffset_usec=tvp->tv_usec; } tvp->tv_sec-=timeoffset; if(timeoffset_usec <= tvp->tv_usec) tvp->tv_usec-=timeoffset_usec; else { tvp->tv_usec-=timeoffset_usec; tvp->tv_usec+=1000000; tvp->tv_sec--; } }

void anon_url (  char *  s  )

Anonymises an URL (a string) in memory. Parameters: char  *s: the non anonymised url Definition at line 847 of file anon.c. References add_anonymised_url(), find_anonymised_url, generate_anonymised_url(), and look_for_anonymised_url. Referenced by anon_field(). { char *start=strstr(s, "://"); char *newurl; int found=0; if(!start) start=s; else start=start+3; newurl=find_anonymised_url(s); if(!newurl) { int count=0; found=0; generate: newurl=generate_anonymised_url(s); //We make sure our anonymised url is not duplicated //After 3 tries, we give up, if the URL is "/" for example if(look_for_anonymised_url(newurl) && count<3) { count++; free(newurl); goto generate; } add_anonymised_url(s, newurl); } else found=1; memcpy(s, newurl, strlen(s)); if(found==0) free(newurl); } Here is the call graph for this function:

char* base_name (  register char *  f  )

Returns the base name of a file (ie: /tmp/anon ==> anon). Parameters: char  *f: The filename Returns: a string containing the base name Definition at line 212 of file anon.c. Referenced by main(). { char *file = strrchr(f, '/'); if (file == NULL) return f; return(file+1); }

struct dialog* buffer_request (  char *  request, int  len, int  nb, char *  ip_src, char *  ip_dst, int  port_src, int  port_dst )

Buffers a request in memory. Parameters: char  *request : A string containing the HTTP request (several lines) int  len : The len of this string int  nb : The number of the packet containing the request char  *ip_src : a string representation of the source ip, in this format: 10.0.0.1 char  *ip_dst : the same for the destination ip int  port_src : the source port of the packet containing the request int  port_dst : the destination port Returns: a pointer on a newly allocated dialog struct, filled with the above informations Definition at line 463 of file anon.c. References display, dialog::ip_dst, dialog::ip_src, dialog::next, dialog::port_dst, dialog::port_src, dialog::prev, print, dialog::req_nb, dialog::request, dialog::request_len, and xmalloc(). Referenced by packet_handler(). { struct dialog *newdialog; newdialog = xmalloc (sizeof (struct dialog)); strcpy (newdialog->ip_src, ip_src); strcpy (newdialog->ip_dst, ip_dst); newdialog->req_nb=nb; newdialog->request_len=len; newdialog->port_src = port_src; newdialog->port_dst = port_dst; newdialog->request = request; newdialog->next=NULL; if(dialog_table==NULL) { //We have no request buffered yet dialog_table=newdialog; newdialog->prev=NULL; } else { //We jump at the end of the list, //and we count the requests already buffered int i=0; struct dialog *ptr=dialog_table; while(ptr && ptr->next!=NULL) { if(ptr->request) i++; //We don't count the discarded responses ptr=ptr->next; } ptr->next=newdialog; newdialog->prev=ptr; if(request && display) print("[%d buffered] ",i+1); } return newdialog; } Here is the call graph for this function:

void catch_ctrl_c (  int  signum  )

Signal Handler to catch CTRL+C. Parameters: int  signum: signal number with which the function has been called Here, it is SIGINT, received when the user presses CTRL+C Definition at line 360 of file anon.c. References adhandle. Referenced by main(). { //We break the loop and restore the initial signal handler struct sigaction sa; pcap_breakloop(adhandle); sa.sa_handler = SIG_DFL; sa.sa_flags = 0; sigaction(SIGINT, &sa, NULL); }

nb_table* clone_nb_table (  nb_table  table  )

Definition at line 1444 of file anon.c. References display_raw_stats, nb_table::len, nb_table::nbpackets, nb_table::start, and xmalloc(). Referenced by content_length_stats(), and latency_stats(). { nb_table *new_table=xmalloc(sizeof(nb_table)); new_table->len=table.len; new_table->start=xmalloc(table.len*sizeof(int)); memcpy(new_table->start, table.start, table.len*sizeof(int)); if(display_raw_stats) { new_table->nbpackets=xmalloc(table.len*sizeof(int)); memcpy(new_table->nbpackets, table.nbpackets, table.len*sizeof(int)); } return new_table; } Here is the call graph for this function:

char* compute_flags (  u_int8_t  flags  )

Builds a string containing a textual representation of the flags present in a TCP header. Parameters: u_int8_t  flags: The byte in memory containing the flags Returns: A string in the form "PSH.ACK" etc. Definition at line 379 of file anon.c. References add_flag(), TCP_ACK, TCP_FIN, TCP_PUSH, TCP_RST, TCP_SYN, and TCP_URG. Referenced by packet_handler(). { char *s=NULL; if(flags & TCP_FIN) s=add_flag(s, "FIN"); if(flags & TCP_SYN) s=add_flag(s, "SYN"); if(flags & TCP_RST) s=add_flag(s, "RST"); if(flags & TCP_PUSH) s=add_flag(s, "PSH"); if(flags & TCP_ACK) s=add_flag(s, "ACK"); if(flags & TCP_URG) s=add_flag(s, "URG"); if(s==NULL) s=strdup(""); return s; } Here is the call graph for this function:

void content_length_stats (   )

Makes and prints statistics about content_lengh fields. Definition at line 1568 of file anon.c. References clone_nb_table(), display_deviation(), display_string_table_unsorted, free_nb_table(), free_string_table(), max, and summarize_stats(). Referenced by main(). { string_and_nb *new_content_length_table=NULL; int max; int i; char *title_s; nb_table *cloned_cl_table=clone_nb_table(cl_table); title_s=display_deviation(cloned_cl_table, "Content-Length:"); free_nb_table(*cloned_cl_table); free(cloned_cl_table); max=1000; for(i=0;i<7;i++) { new_content_length_table=summarize_stats(&cl_table, new_content_length_table, max, NULL); max*=10; } new_content_length_table=summarize_stats(&cl_table, new_content_length_table, -1, NULL); display_string_table_unsorted(title_s,new_content_length_table); free(title_s); free_string_table(new_content_length_table); } Here is the call graph for this function:

void convert_to_small (  char *  ptr  )

Converts a string to lowercase. Parameters: char  *ptr: a pointer to the string to convert Definition at line 1258 of file anon.c. Referenced by process_http(). { char c; while((c=*ptr)) { if(c>='A' && c<='Z') *ptr=c-'A'+'a'; ptr++; } }

void date_stats (   )

void display_packet_infos (  int  nb, struct timeval *  ts, char *  ip_src, char *  ip_dst, int  sport, int  dport )

Displays infos about a IP packet. Definition at line 392 of file anon.c. References display, display_timestamp, max_display_space, print, and ts_print(). Referenced by packet_handler(). { //We format the output to be more readable char display_space[100]; int len=0; len=sprintf(display_space, "%s:%d",ip_src, sport); if(len>max_display_space) max_display_space=len; len=sprintf(display_space, "%s:%d",ip_dst, dport); if(len>max_display_space) max_display_space=len; memset(display_space,' ',100); sprintf(display_space, "%s:%d ",ip_src, sport); sprintf(display_space+max_display_space, " --> %s:%d ",ip_dst, dport); display_space[max_display_space*2+5]='\0'; if(ts) { print ("[%5i] ", nb); if(display && display_timestamp) ts_print(ts); } print("%s ",display_space); } Here is the call graph for this function:

void display_string_table_with_data (  char *  title, string_and_nb *  table, char *  data_title, int  sorted )

Displays a string table and associated counters and data. Parameters: char  *title: The title of the table string_and_nb  *table: the table to display char  *data_title: a string to display before displaying the data sorted,:  1 if the table has to be sorted before displaying it, 0 otherwise Definition at line 1598 of file anon.c. References sandnb::data, display_raw_stats, get_pct(), max, sandnb::nb, sandnb::next, pct_treshold, print, sandnb::s, string_append(), and xmalloc(). { string_and_nb *ptr=table; string_and_nb *ptr_bak2; int i,j; int nb=0; int max=0; char buffer[100]; int len; int maxlen; int total=0; double pct; char *pct_s=NULL; int *sorted_table=NULL; int max_pos=0; int pos; string_and_nb *tmp; char *d_title=NULL; while(ptr) { nb++; max=max(ptr->nb , max); total+=ptr->nb; ptr=ptr->next; } print("#%s ",title); if(display_raw_stats) sorted=0; if(sorted) print("%i different strings ",nb); print("\n|Total count: %i\n",total); //if(sorted) print("\n"); //else print("\n"); maxlen=snprintf(buffer,99,"%i",max); ptr=table; sorted_table=xmalloc(nb*sizeof(nb)); if(data_title && strcmp(data_title,"")!=0) d_title=strdup(data_title); else d_title=strdup(" DATA:"); if(sorted) { //Sorting the results for(j=0;j<nb;j++) { pos=0; max=0; ptr=table; while(ptr) { if(ptr->nb > max) { max=ptr->nb; max_pos=pos; tmp=ptr; } ptr=ptr->next; pos++; } tmp->nb*=-1; sorted_table[j]=max_pos; } } else //not sorted { if(display_raw_stats) { for(j=0;j<nb;j++) sorted_table[j]=nb-j-1; } else { for(j=0;j<nb;j++) sorted_table[j]=j; } } ptr=table; ptr_bak2=table; //used if not sorted for(j=0;j<nb;j++) { if(sorted) { ptr=table; for(i=0;i<sorted_table[j];i++) ptr=ptr->next; ptr->nb*=-1; } else { ptr=ptr_bak2; } pct=(double)ptr->nb/total; //We group the values below the specified percentage if(pct_treshold!=0 && pct<pct_treshold/100.0 && sorted && j<nb-1 && table!=http_response_code_table) //We should pass a value to the function instead... { string_and_nb *ptr_bak=ptr; char *new_string=strdup("Various: "); int nb_total=0; int k; char *comma; ptr->nb*=-1; //This nb already have been reversed for(k=j;k<nb;k++) { ptr=table; for(i=0;i<sorted_table[k];i++) ptr=ptr->next; ptr->nb*=-1; nb_total+=ptr->nb; if(k==nb-1) comma=""; else comma=","; if(ptr->data==NULL) { new_string=string_append(new_string, "%s%s",ptr->s, comma); } else { new_string=string_append(new_string, "%s%s%s%s",ptr->s,d_title,(char*)ptr->data,comma); } } ptr=ptr_bak; ptr->nb=nb_total; free(ptr->s); ptr->s=new_string; if(ptr->data) {free(ptr->data);ptr->data=NULL;} j=nb; pct=(double)ptr->nb/total; } if(display_raw_stats) { print("%s\n",ptr->s); } else { pct_s=get_pct(pct); if(!pct_s) pct_s=strdup("[??]"); len=snprintf(buffer,99, "%i",ptr->nb); memset(buffer, ' ', 99); snprintf(buffer+maxlen-len,99, "%i",ptr->nb); buffer[maxlen+1]='\0'; if(ptr->data) print("[%7s] %s %s%s%s\n",pct_s,buffer,ptr->s,d_title,(char*)ptr->data); else print("[%7s] %s %s\n",pct_s,buffer, ptr->s); free(pct_s); } if(!sorted) { ptr_bak2=ptr->next; } } if(d_title) free(d_title); if(sorted_table) free(sorted_table); print("\n"); } Here is the call graph for this function:

char* find_anonymised_ip (  struct in_addr *  ip  )

Finds an anonymised IP in the table. Parameters: struct  in_addr *ip: The non-anonymised IP Returns: a string containing the corresponding anonymised IP, or NULL if not found Definition at line 1993 of file anon.c. References ip_table, and nbip. Referenced by anon_ip(). { char *ptr = ip_table; int i; for (i = 0; i < nbip; i++) { /* If the IP is found, we get the IP to replace it */ if (memcmp (ptr, ip, 4) == 0) { return ptr; } ptr += 8; } return NULL; }

char * find_anonymised_url (  char *  s  )

Finds an anonymised URL in the table, corresponding to the specified non anonymised URL. Parameters: char  *s: The non-anonymised URL Returns: a string containing the corresponding anonymised URL, or NULL if not found

string_and_nb* find_item (  string_and_nb *  table, char *  s )

Lookup a string in a string table. If found, the item is returned, Null otherwise. Parameters: string_and_nb  *table: the table to search char  *s: the string to look for Returns: a pointer on a string_and_nb, giving access to the string, the counter and the associated data. Null is returned if the item is not found Definition at line 1836 of file anon.c. References sandnb::next, and sandnb::s. Referenced by packet_handler(), and summarize_stats(). { string_and_nb *ptr=table; int ret; while(ptr) { ret=strcmp(s, ptr->s); if(ret>0) return NULL; else if(ret==0) return ptr; ptr=ptr->next; } return NULL; }

struct dialog* find_request (  char *  ip_src, char *  ip_dst, int  port_src, int  port_dst )

Finds a request in a dialog, matching some criteria. Parameters: char  *ip_src : a string representation of the source ip, in this format: 10.0.0.1 char  *ip_dst : the same for the destination ip int  port_src : the source port of the packet containing the request int  port_dst : the destination port Returns: a pointer on the first matching dialog struct if found, NULL otherwise Definition at line 503 of file anon.c. References dialog::ip_dst, dialog::ip_src, dialog::next, dialog::port_dst, dialog::port_src, and dialog::request. Referenced by packet_handler(). { struct dialog *ptr = dialog_table; while (ptr) { if (strcmp (ptr->ip_src, ip_dst) == 0 && strcmp (ptr->ip_dst, ip_src) == 0 && ptr->port_src == port_dst && ptr->port_dst == port_src && ptr->request!=NULL) { return ptr; } ptr = ptr->next; } return NULL; }

char* find_url (  char *  s, int  offset )

Finds an URL (anonymised or not) in the table. Parameters: char  *s: The non-anonymised URL int  offset: if offset=0: finds a non anonymised URL and returns the corresponding anonymised one if offset=4: finds an anonymised URL and returns it Returns: a string containing the corresponding anonymised URL, or NULL if not found Definition at line 826 of file anon.c. References anon_url_table, and nburl. { //offset=0: finds a non anonymised URL and returns the corresponding anonymised one //offset=4: finds an anonymised URL and returns it //print("looking for -%s-\n",s); int i; char *ptr=anon_url_table; char *tmp; for(i=0;i<nburl;i++) { memcpy(&tmp, ptr+offset, 4); if(strcmp(tmp,s)==0) { memcpy(&tmp, ptr+4, 4); return tmp; } ptr+=8; } return NULL; }

void free_anonymised_url_table (   )

Frees the table of anonymised URLs. Definition at line 2557 of file anon.c. References anon_url_table, and nburl. Referenced by main(). { char *ptr=anon_url_table; char *tmp; int i; for(i=0;i<nburl;i++) { memcpy(&tmp, ptr, 4); free(tmp); memcpy(&tmp, ptr+4, 4); free(tmp); ptr+=8; } free(anon_url_table); }

void free_dialog (  struct dialog *  d  )

Frees a HTTP dialog. Parameters: struct  dialog *d: the dialog structure to free Definition at line 1921 of file anon.c. References dialog::next, dialog::prev, dialog::request, and dialog::response. Referenced by main(), and packet_handler(). { if(d->request) free(d->request); if(d->response) free(d->response); if(d==dialog_table) { //If we are freeing the first dialog, we have to update dialog_table dialog_table=d->next; } if(d->next) d->next->prev=d->prev; if(d->prev) d->prev->next=d->next; free(d); }

void free_string_table (  string_and_nb *  table  )

Frees a string table. Parameters: string_and_nb  *table: the table to free Definition at line 1284 of file anon.c. References sandnb::data, sandnb::next, and sandnb::s. Referenced by content_length_stats(), freshness_stats(), latency_stats(), and main(). { string_and_nb *next=NULL; while(table) { next=table->next; if(table->s) free(table->s); if(table->data) free(table->data); free(table); table=next; } }

char* generate_anonymised_url (  char *  s  )

Generates an anonymised URL from a genuine URL. Parameters: char  *s: the non anonymised url Returns: a string containing the anonymised url Definition at line 545 of file anon.c. References add_anonymised_url(), debug, find_anonymised_url, find_end(), get_random_char(), memset_range(), and print. Referenced by anon_url(). { char *newurl=strdup(s); char *afterproto=strstr(newurl, "://"); char *first_slash; char *last_dot; char *ptr; int has_hostname=1; if(afterproto) { if(strncasecmp(newurl,"file:///",8)==0) { ptr=afterproto+4; } else { ptr=afterproto+3; } } else { //This is an url without a hostname (eg GET [url]) if(*newurl=='/') { has_hostname=0; } afterproto=newurl; ptr=newurl; } first_slash=strstr(ptr, "/"); // http://hostname.com/bla.ext?xxxx // ^ // | // ptr //Anonymising the host name if(has_hostname) { char *ptr_orig=ptr; //char *hostname; char *new_hostname; char bak; int found=0; if(first_slash) { bak=*first_slash; *first_slash='\0'; } new_hostname=find_anonymised_url(ptr); if(!new_hostname) { found=0; new_hostname=strdup(ptr); last_dot=rindex(new_hostname,'.'); if(!last_dot) last_dot=new_hostname+strlen(new_hostname); ptr=new_hostname; while(ptr<last_dot) { *ptr=get_random_char(); ptr++; } //If the url is only a hostname, we won't add it twice! (since full_url=hostname) if(strlen(ptr_orig)<strlen(s)) { add_anonymised_url(ptr_orig,new_hostname); } } else found=1; memcpy(ptr_orig, new_hostname, strlen(new_hostname)); if(found==0) free(new_hostname); if(first_slash) *first_slash=bak; } else { first_slash=strstr(ptr,"/"); } if(!first_slash) first_slash=newurl; //Anonymising the part after the hostname, and before the filename if(first_slash) { char bak; char *ptr=first_slash+1; char *end; char *slash; end=find_end(ptr); if(!end) end=newurl+strlen(newurl); bak=*end; *end='\0'; slash=rindex(ptr,'/'); if(slash) { memset_range(ptr, slash, 'i'); ptr=slash+1; } *end=bak; //Anonymising the base file name, keeping the extension bak=*end; *end='\0'; last_dot=rindex(ptr,'.'); *end=bak; if(!last_dot) last_dot=end; //while(ptr<end) while(ptr<last_dot) { *ptr=get_random_char(); ptr++; } //Anonymising optional parameters (e.g. ?cat=5) ptr=end; while(*ptr) { if(*ptr=='?' || *ptr=='&' || *ptr==';' || *ptr=='%' || *ptr=='+' || *ptr=='=' || *ptr=='!' || *ptr=='$' || *ptr=='@' || *ptr=='"' || *ptr==','){} else *ptr='z'; ptr++; } } if(debug) print("anon URL:%s --> %s\n",s,newurl); return newurl; } Here is the call graph for this function:

char * get_extension (  char *  s  )

Returns the file extension of an URL, without any extra parameter. Parameters: char  *s: the URL Returns: a string containing the file extension

pcap_if_t* get_pcap_interface (  char *  name  )

Gets a network interface given a name such as "eth0". Parameters: char  *name: The name of the interface to look for. If this name is "show", then a list of available interfaces is displayed. Returns: a pointer to a pcap_if_t, or NULL is he interface is not available. Definition at line 2040 of file anon.c. References alldevs, and print. Referenced by main(). { char errbuf[PCAP_ERRBUF_SIZE]; pcap_if_t *d; int i = 0; int show = 0; /* * Retrieve the device list */ if (pcap_findalldevs (&alldevs, errbuf) == -1) { print("Error in pcap_findalldevs: %s\n", errbuf); exit (1); } if (name && strcasecmp (name, "show") == 0) show = 1; /* * Print the list */ if (show) print ("Available interfaces for live capture:\n"); for (d = alldevs; d; d = d->next) { if (name == NULL) return d; if (show) { print (" %s", d->name); if (d->description) print (" (%s)\n", d->description); else print (" (No description available)\n"); } else { if (name && strcmp (d->name, name) == 0) return d; } i++; } if(alldevs) { pcap_freealldevs (alldevs); alldevs=NULL; } if (i == 0) { print ("\nNo interfaces found!\n"); exit (1); } return NULL; }

char* get_pct (  double  pct  )  [inline]

Returns a human readable string representing a percentage. Definition at line 248 of file anon.c. References string_append(). Referenced by display_string_table_with_data(), and packet_handler(). { return string_append(NULL,"%.2f%c",(double)pct*100,'%'); } Here is the call graph for this function:

char get_random_char (   )  [inline]

Gets a random letter from the alphabet. Returns: a random character (a letter) Definition at line 539 of file anon.c. Referenced by generate_anonymised_url(). { return 'a' + (int)(rand()/(RAND_MAX+1.0)*26); }

char* get_size (  int  s  )

Returns a human readable string representing a size in bytes. Definition at line 279 of file anon.c. References string_append(). Referenced by main(), packet_handler(), and summarize_stats(). { double size; if(s==-1) { return strdup("???"); } if(s>999999) { size=(double) s / 1000000; if(size==(int)s/1000000) return string_append(NULL, "%i MB",(int)size); return string_append(NULL, "%.2f MB",size); } else if(s>999) { size=(double) s / 1000; if(size==(int)s/1000) return string_append(NULL, "%i KB",(int)size); return string_append(NULL, "%.2f KB",size); } else { size=(double) s; if(size==(int)s) return string_append(NULL, "%i B",(int)size); return string_append(NULL, "%.2f B",size); } return NULL; } Here is the call graph for this function:

char* get_speed (  double  speed  )

Returns a human readable string representing a speed in bytes/s. Definition at line 253 of file anon.c. References string_append(). Referenced by main(), and packet_handler(). { char *tmp; if(speed>999999) { speed=(double) speed / 1000000; tmp=string_append(NULL, "%.2f MB/s",speed); if(tmp && strncmp(tmp, "inf", 3)==0) { free(tmp); return NULL; } return tmp; } else if(speed>999) { speed=(double) speed / 1000; return string_append(NULL, "%.2f KB/s",speed); } else { return string_append(NULL, "%.2f B/s",speed); } } Here is the call graph for this function:

char* get_time (  double  t  )

Returns a human readable string representing a time. Definition at line 308 of file anon.c. References string_append(). Referenced by main(). { int years=0; int months=0; int days=0; int hours=0; int minutes=0; int seconds=0; char *tmp=NULL; seconds=t; if(seconds>59) { minutes=seconds/60; seconds=seconds%60; } if(minutes>59) { hours=minutes/60; minutes=minutes%60; } if(hours>23) { days=hours/24; hours=hours%24; } if(days>364) { years=days/365; days=days%365; } if(days>29) { months=days/30; days=days%30; } /* if(months>11) { years+=months/12; months=months%12; } */ if(years>0) tmp=string_append(NULL, "%iy%im%id%ih%im%is",years, months, days, hours, minutes, seconds); else if(months>0) tmp=string_append(NULL, "%im%id%ih%im%is",months, days, hours, minutes, seconds); else if(days>0) tmp=string_append(NULL, "%id%ih%im%is",days, hours, minutes, seconds); else if(hours>0) tmp=string_append(NULL, "%ih%im%is",hours, minutes, seconds); else if(minutes>0) tmp=string_append(NULL, "%im%is",minutes, seconds); else tmp=string_append(NULL, "%is",seconds); return tmp; } Here is the call graph for this function:

u_int32_t getip32 (  char *  ip  )

Converts an IP address of the form XXX.XXX.XXX.XXX to an unsigned integer (32 bits). Parameters: char  *ip: The IP address to convert Returns: an unsigned 32-bit integer Definition at line 1950 of file anon.c. Referenced by anon_ip(). { int c1, c2, c3, c4; u_int32_t tmp; sscanf (ip, "%i.%i.%i.%i", &c1, &c2, &c3, &c4); tmp = c4 * 16777216 + c3 * 65536 + c2 * 256 + c1; return tmp; }

int32_t gmt2local (  time_t  t  )

Returns the difference between gmt and local time in seconds. This function is borrowed from tcpdump (www.tcpdump.org/). Parameters: time_t  t: contains the specified time Returns: a 32-bit integer containing a number of seconds Definition at line 29 of file gmt2local.c. Referenced by main(). { register int dt, dir; register struct tm *gmt, *loc; struct tm sgmt; if (t == 0) t = time(NULL); gmt = &sgmt; *gmt = *gmtime(&t); loc = localtime(&t); dt = (loc->tm_hour - gmt->tm_hour) * 60 * 60 + (loc->tm_min - gmt->tm_min) * 60; /* * If the year or julian day is different, we span 00:00 GMT * and must add or subtract a day. Check the year first to * avoid problems when the julian day wraps. */ dir = loc->tm_year - gmt->tm_year; if (dir == 0) dir = loc->tm_yday - gmt->tm_yday; dt += dir * 24 * 60 * 60; return (dt); }

char* is_in (  char **  string_table, char *  string )

Checks if a string is contained in a string array. Parameters: char  **string_table : An array of strings char  *string : The string to look for Returns: a char * containing the matched string in the array, if present NULL otherwise Definition at line 521 of file anon.c. References nb_fields_to_anonymise. Referenced by process_http(). { int i; for(i=0;i<nb_fields_to_anonymise;i++) { if(strncmp(string_table[i], string, strlen(string_table[i]))==0) { return string_table[i]; } } return NULL; }

int is_ip_in_a_string (  char *  s  )

Returns 1 if the provided string is in the form "xxx.xxx.xxx.xxx". Parameters: char  *s: The string to analyse Returns: 1 if the string contains an IP, 0 otherwise Definition at line 219 of file anon.c. Referenced by anon_field(), and get_infos(). { int nb,tmp1,tmp2,tmp3,tmp4; if(!s) return(0); nb=sscanf(s, "%i.%i.%i.%i",&tmp1,&tmp2,&tmp3,&tmp4); if(nb==4) return(1); return(0); }

void memset_range (  char *  start, char *  end, int  c )

Fills a memory area with a specified character (this is a wrapper for memset). Parameters: char  *start : Start of the memory area char  *end : End of the memory area int  c : The character to fill the area with Definition at line 534 of file anon.c. Referenced by generate_anonymised_url(), and packet_handler(). { if(end-start>0) memset(start, c, end-start); }

void packet_handler (  u_char *  param, const struct pcap_pkthdr *  header, const u_char *  packet )

The packet handler function, which is called for every processed packet. valid Definition at line 2575 of file anon.c. References adhandle, anon_http(), anon_ip(), anon_port(), anon_sequence(), anon_timestamp(), anonymise, anonymise_checksum, anonymise_content, anonymise_http, anonymise_ip, anonymise_mac, anonymise_port, anonymise_sequence, anonymise_timestamp, buffer_request(), compute_flags(), sandnb::data, display, display_additional_info, display_flags, display_http, display_http_only, display_packet_infos(), display_progress, display_tcp_infos, dumphandle, ETHER_HDRLEN, find_item(), find_request(), free_dialog(), get_pct(), get_size(), get_speed(), ifile, input_file_last, input_file_read, input_file_size, input_file_size_1pct, input_file_size_s, ip_s::ip_dst, IP_HL, ip_s::ip_sum, IP_V, maxfilesize, memset_range(), nb_request, nb_response, nbpackets, nbpacketstocapture, nbvalidpackets, ofile, output_file_written, output_stream, print, process_dialog(), dialog::req_nb, dialog::resp_nb, dialog::response, dialog::response_len, sandnb::s, start_time, stats_add_latency(), stats_add_sequence_number_with_data(), strstr_limited(), tcp_s::th_chksum, tcp_s::th_dport, tcp_s::th_flag, tcp_s::th_hlen_reserved, tcp_s::th_sport, truncate_packet, ts_print_diff(), dialog::ts_request, dialog::ts_response, use_sequence_numbers, and xmalloc(). Referenced by main(). { const u_char *data = packet; char *eop=(char*)packet+header->caplen; //End of packet (in memory) struct ether_header *eptr; /* net/ethernet.h */ struct ip_s *ip; u_int tcp_len; u_int len=header->caplen; u_int ip_hlen; char ip_src[] = "xxx.xxx.xxx.xxx"; char ip_dst[] = "xxx.xxx.xxx.xxx"; char real_ip_src[] = "xxx.xxx.xxx.xxx"; char real_ip_dst[] = "xxx.xxx.xxx.xxx"; u_short dport, sport, realdport, realsport; struct dialog *d = NULL; char *buffer; struct tcp_s *tcp; char *flags=NULL; u_int32_t seq; char seq_nb[12]; char next_seq_nb[12]; string_and_nb *item=NULL; int expected=0; char *eoh=NULL; *eop='\0'; input_file_read+=header->caplen+16; input_file_last+=header->caplen+16; if(!display && display_progress) { //stats are displayed every 1Mb (or 1%) for offline mode, or every 50kb for online mode if((ifile && input_file_last>=input_file_size_1pct && input_file_last>1000000) || (!ifile && input_file_read-input_file_last>=50000)) { time_t t; double diff; input_file_last=0; time(&t); diff=input_file_read/difftime(t, start_time); buffer=get_size(input_file_read); if(buffer) { if(input_file_size_s) { char *buffer2=get_pct((double)input_file_read/input_file_size); if(buffer2) { print("[%s] ",buffer2); free(buffer2); } print("Processed %s/%s",buffer,input_file_size_s); } else print("Processed %s",buffer); free(buffer); } buffer=get_speed(diff); if(buffer) { print(" at %s",buffer); free(buffer); } if(ofile) { char *tmp=get_size(output_file_written); if(tmp) { print(" (Written %s)",tmp); free(tmp); } } print("\n"); fflush(output_stream); } } if(anonymise && anonymise_timestamp) anon_timestamp((struct timeval*)&header->ts); // Packet is smaller than ethernet header length if ((header->caplen) < ETHER_HDRLEN) goto function_end; // Anoymise source & dest MAC address if (anonymise && anonymise_mac) memset ((char *) packet, 0, 12); eptr = (struct ether_header *) data; // We only process the packet if its type it is an IP packet. if (ntohs (eptr->ether_type) != ETHERTYPE_IP) goto function_end; if (len < sizeof (struct ip_s)) goto function_end; // We now have an IP packet data += sizeof (struct ether_header); len -= sizeof (struct ether_header); ip = (struct ip_s *) (data); // If the ip packet hasn't been truncated and it has a correct header length if (len < sizeof (struct ip_s) || IP_HL (ip) < 5) goto function_end; if (ip->ip_p != IPPROTO_TCP) goto function_end; if(anonymise && anonymise_checksum) ip->ip_sum=(u_int16_t)0; //We check that the used version of IP is 4 if (IP_V (ip) != 4) goto function_end; ip_hlen = (ip->ip_vhl & 0x0f) * 4; // We have a TCP packet data += ip_hlen; len -= ip_hlen; if (len < sizeof (struct tcp_s)) goto function_end; //The TCP packet is valid tcp = (struct tcp_s*) data; if(display && display_tcp_infos && display_flags) flags=compute_flags(tcp->th_flag); if(anonymise && anonymise_checksum) tcp->th_chksum=(u_int16_t)0; //Erasing tcp timestamp if(anonymise && anonymise_timestamp) { if (tcp->th_hlen_reserved > 80) { int offset=0; if (tcp-> th_hlen_reserved == 128) { if ((data[20] == 0x01) && (data[21] == 0x01) && (data[22] == 0x08) && (data[23] == 0x0a)) offset=24; } else if (tcp->th_hlen_reserved == 160) { if ((data[26] == 0x08) && (data[27] == 0x0a)) offset=28; } if(offset) { //print("TIME "); //ts_print((struct timeval*)data+offset); //print("\n"); //anon_timestamp((struct timeval*)data+offset); //print("TIME2 "); //ts_print((struct timeval*)data+offset); //print("\n\n"); memset((void*)data+offset,0,8); } } } /* Anonymising IP src & dest */ strcpy (real_ip_src,inet_ntoa(ip->ip_src)); strcpy (real_ip_dst,inet_ntoa(ip->ip_dst)); if (anonymise && anonymise_ip) { anon_ip(&(ip->ip_src)); anon_ip(&(ip->ip_dst)); } strcpy (ip_src,inet_ntoa(ip->ip_src)); strcpy (ip_dst,inet_ntoa(ip->ip_dst)); /* Anonymising source and destination ports */ realdport = ntohs (tcp->th_dport); // destination port number realsport = ntohs (tcp->th_sport); // source port number if (anonymise && anonymise_port) { anon_port(&(tcp->th_sport)); anon_port(&(tcp->th_dport)); } dport = ntohs (tcp->th_dport); // destination port number sport = ntohs (tcp->th_sport); // source port number nbpackets++; data += tcp->th_hlen_reserved/4; len -= tcp->th_hlen_reserved/4; tcp_len=header->len-sizeof(struct ether_header)-ip_hlen-tcp->th_hlen_reserved/4; if(anonymise && anonymise_sequence) anon_sequence(&(tcp->th_seq)); seq=htonl(tcp->th_seq); sprintf(seq_nb, "%u", seq); if(use_sequence_numbers) sprintf(next_seq_nb,"%u",seq+tcp_len); if (/*(already_anonymised ||realsport == 80 || realdport ==80) &&*/ len >sizeof(struct tcp_s) && (strncmp(data,"HTTP",4) == 0 || strncmp(data,"GET ",4) == 0)) { //We look for the end of the headers (CRLF CRLF) eoh= strstr_limited ((char*)data, eop, "\r\n\r\n"); //End of headers if (eoh) { //We only keep a final "\r\n" eoh+=2; len=eoh-(char*)data; } else eoh = eop; if(anonymise && anonymise_content) memset_range(eoh, eop,0); if(anonymise && anonymise_http) anon_http((char*)data,len); if(display) display_packet_infos(nbpackets, (struct timeval*)&(header->ts), ip_src, ip_dst, sport, dport); nbvalidpackets++; buffer = xmalloc (len + 1); memcpy (buffer, data, len); buffer[len] = '\0'; if (*data=='G') //This is a request { if(display) { print ("REQ "); display_additional_info(); } nb_request++; d=buffer_request(buffer,len,nbpackets,ip_src,ip_dst,sport,dport); memcpy(&(d->ts_request), (struct timeval*)&(header->ts), sizeof(struct timeval)); } else // This is a response { if(display) { print ("ANS "); display_additional_info(); } nb_response++; d = find_request (ip_src, ip_dst, sport, dport); if (d) //We have a buffered request corresponing to this response { int lat; struct timeval time_diff; memcpy(&(d->ts_response), (struct timeval*)&(header->ts), sizeof(struct timeval)); time_diff.tv_sec=d->ts_response.tv_sec-d->ts_request.tv_sec; if(d->ts_request.tv_usec <= d->ts_response.tv_usec) time_diff.tv_usec=d->ts_response.tv_usec - d->ts_request.tv_usec; else { time_diff.tv_usec=d->ts_response.tv_usec - d->ts_request.tv_usec + 1000000; time_diff.tv_sec--; } lat=time_diff.tv_sec*1000000.0+time_diff.tv_usec; stats_add_latency(lat); if(display) { print("lat="); ts_print_diff(&time_diff); print("[%i]",d->req_nb); } } else //We have found no corresponding request to this reply { d=buffer_request(NULL,0,0,real_ip_src,real_ip_dst,realsport,realdport); memcpy(&(d->ts_response), (struct timeval*)&(header->ts), sizeof(struct timeval)); if(display) print ("[??]"); } d->resp_nb=nbpackets; d->response = buffer; d->response_len=len; if(display && display_http) print ("\n-----------------\n"); process_dialog(d); free_dialog(d); if(display && display_http) print ("-----------------"); } if(display) print("\n"); } //end if is_valid else { if(truncate_packet) eoh=(char*)data; if(anonymise && anonymise_content) memset_range((char*)data, eop,'\0'); if(tcp_len>0) { if (use_sequence_numbers) { if((item=find_item(sequence_number_table, seq_nb))) { //If were expecting this sequence number //This is a continuation packet, containing HTTP data goto exp; } } else { exp: nbvalidpackets++; expected=1; } } if(!display_http_only && display) { display_packet_infos(nbpackets, (struct timeval*)&(header->ts), ip_src, ip_dst, sport, dport); if(expected) { //if(item && item->data) print("CNT %s ",(char*)item->data); //else print("CNT "); } else print(" "); display_additional_info(); print("\n"); } } if(use_sequence_numbers) { char tmp[12]; char *tmp2; sprintf(tmp, "%i", nbpackets); tmp2=strdup(tmp); if(expected) { free(item->s); item->s=strdup(next_seq_nb); if(item->data) { free(item->data); item->data=tmp2; } } else stats_add_sequence_number_with_data(next_seq_nb, tmp2); } if(nbpackets>=nbpacketstocapture && nbpacketstocapture>0) pcap_breakloop(adhandle); function_end: //We dump the (anonymised) packet to the output file, if needed if (ofile) { if(maxfilesize==0 || output_file_written<maxfilesize) { if(truncate_packet) { int diff; //if(eoh==NULL) eoh = eop; if(eoh==NULL) eoh = (char *)data; diff=eoh-(char*)packet; if(header->caplen!=diff) { //new_header=xmalloc(sizeof(struct pcap_pkthdr)); //memcpy(new_header, header, sizeof(struct pcap_pkthdr)); //new_header->caplen=diff+1; ((struct pcap_pkthdr*)header)->caplen=diff; //*((char*)packet+diff)='\0'; //printf("diff:%i\n",diff); //header=new_header; //printf("aaa\n"); //printf("%i %i\n",header->caplen,eoh-(char*)packet); } } pcap_dump ((u_char *) dumphandle, header, packet); output_file_written+=header->caplen+16; } } if(flags) free(flags); } Here is the call graph for this function:

int parse_size (  char *  string  )

: Parses a size in the form: "10m" or "1g", and returns the number of bytes Parameters: char  *string: the string to parse Returns: The corresponding number of bytes Definition at line 1936 of file anon.c. Referenced by main(). { char *s; int len; int mult=1; if(string==NULL) return 0; s=strdup(string); len=strlen(s); if(*(s+len-1)=='g' || *(s+len-1)=='G') {mult=1000000000;*(s+len-1)='\0';} else if(*(s+len-1)=='m' || *(s+len-1)=='M') {mult=1000000;*(s+len-1)='\0';} else if(*(s+len-1)=='k' || *(s+len-1)=='K') {mult=1000;*(s+len-1)='\0';} return mult*atoi(s); }

void process_dialog (  struct dialog *  d  )

Scans a HTTP dialog (request+response) and displays it if needed. Parameters: struct  dialog *d: a dialog structure containing the request, the response, and some additional information Definition at line 1909 of file anon.c. References display, display_http, do_stats, print, dialog::request, dialog::response, and scan_http(). Referenced by main(), and packet_handler(). { if(do_stats) scan_http(d); if(display && display_http) { if(d->request) print ("%s\n", d->request); print ("-----------------\n"); if(d->response) print ("%s\n", d->response); } } Here is the call graph for this function:

char* process_http (  char *  data, int  len, int  scan, int  anon )

This a wrapper to call either scan_http() or anon_http(). ! This is NOT an HTTP response code! This is a document beginning with "HTTP/1.1" Definition at line 981 of file anon.c. References anon_field(), anonymise, anonymise_http, convert_to_small(), display_raw_stats, fields_to_anonymise, find_end(), get_extension, get_suffix, is_in(), stats_add_content_length_nb(), stats_add_content_type(), stats_add_content_type_simple(), stats_add_extension(), stats_add_header(), stats_add_http_response_code_with_data(), stats_add_http_version(), stats_add_server(), stats_add_server_simple(), stats_add_suffix(), stats_add_user_agent(), string_append(), strptime(), and strstr_limited(). Referenced by anon_http(), and scan_http(). { char *ptr=data; char *tmp; char *last_modified=NULL; char *date=NULL; char *end=data+len; char *nextpos=NULL; char backup_char; if(data==NULL) return NULL; while(1) { tmp=strstr_limited(ptr, end, "\r"); if(!tmp) { tmp=strstr_limited(ptr, end, "\n"); } else { char *tmp2=strstr_limited(ptr, tmp, "\n"); if(tmp2 && tmp2<tmp) tmp=tmp2; } if(!tmp) { tmp=end; nextpos=NULL; //We skip the headers that have been truncated due to too small snaplen if(scan) break; } else { if(*tmp=='\r' && *(tmp+1)=='\n') { nextpos=tmp+2; } else if(*tmp=='\r' || *tmp=='\n') { nextpos=tmp+1; } } backup_char=*tmp; *tmp='\0'; if(anon && anonymise && anonymise_http) { char *field=is_in(fields_to_anonymise, ptr); if(field) { anon_field(field, ptr); } else { //Handle special Hotmail servers headers, beginning with "<" //Special thanks to Microsoft... if(ptr && *ptr=='<') { anon_field("",ptr); } } } if(scan) { //Uncomment to get headers stats if(display_raw_stats) { char *tmp=strstr(ptr, ":"); char bak; char *dup; if(!tmp) tmp=strstr(ptr," "); else { char *tmp2=strstr(ptr, " "); if(tmp2 && tmp2<tmp) tmp=tmp2; } if(tmp) { bak=*tmp; *tmp='\0'; } dup=strdup(ptr); //convert_to_small(dup); stats_add_header(dup); free(dup); if(tmp) *tmp=bak; } if(ptr+5<end && strncmp(ptr, "HTTP/",5)==0) { //We only keep the response code char bak; char *tmp=NULL; int tmp_i; bak=ptr[12]; if(ptr[12]==' ') { tmp=strdup(ptr+13); } else { //Some webservers are broken: //Normally, they should answer: //response-code [SPACE] reason-code //Unfortunately, that it not always the case tmp=strdup(""); } ptr[12]='\0'; if(sscanf(ptr+9,"%i ",&tmp_i)==1) { stats_add_http_response_code_with_data(ptr+9, tmp); ptr[12]=bak; bak=ptr[9]; ptr[9]='\0'; stats_add_http_version(ptr); ptr[9]=bak; } else { free(tmp); ptr[12]=bak; nextpos=NULL; } } else if(ptr+4<end && strncmp(ptr, "GET ",4)==0) { char *tmp; char *page=strdup(ptr+4); *(page+strlen(page)-8)='\0'; tmp=get_extension(page); if(tmp) { char *tmp2=find_end(tmp); //for URLs like: // ._zahi,7,2,15,108,verdenab,8,204,102,0_zahelp // ._zahello,7,3,18,328,verdenab,10,204,102,0_zaplease if(tmp2) { *tmp2='\0'; } convert_to_small(tmp); stats_add_extension(tmp); free(tmp); } free(page); } else if(strncmp(ptr, "Date: ",6)==0) { date=strdup(ptr+6); } else if(strncmp(ptr, "Server: ",8)==0) { char *dup=strdup(ptr+8); char *tmp; if(strncmp(dup, ".V", 2)==0) //Like .V15 Apache/xxx { char *space=index(ptr+8, ' '); if(space) { free(dup); dup=strdup(space+1); } } tmp=index(dup,'/'); if(tmp) *tmp='\0'; tmp=index(dup,' '); if(tmp) *tmp='\0'; tmp=strstr(dup,"Apache"); if(tmp) *(tmp+6)='\0'; tmp=index(dup,'-'); if(tmp) *tmp='\0'; stats_add_server(ptr+8); /* if(strncmp(ptr+8, ".V", 2)==0) //Like .V15 Apache/xxx { char *space=index(ptr+8, ' '); if(space) stats_add_server_simple(space+1); else stats_add_server_simple(dup); } else {*/ stats_add_server_simple(dup); //} free(dup); } else if(strncmp(ptr, "Content-Type: ",14)==0) { char *dup=strdup(ptr+14); char *tmp=strstr(dup,";"); char *dup2=NULL; if(tmp) *tmp='\0'; convert_to_small(dup); dup2=strdup(dup); if((tmp=strstr(dup2,"/"))) *tmp='\0'; stats_add_content_type(dup); stats_add_content_type_simple(dup2); free(dup); free(dup2); } else if(strncmp(ptr, "Host: ",6)==0) { char *tmp; tmp=get_suffix(ptr+6); if(tmp) { convert_to_small(tmp); stats_add_suffix(tmp); free(tmp); } } else if(strncmp(ptr, "Last-Modified: ",15)==0) { last_modified=strdup(ptr+15); } else if(strncmp(ptr, "Content-Length: ",16)==0) { stats_add_content_length_nb(atoi(ptr+16)); } else if(strncmp(ptr, "User-Agent: ",12)==0) { stats_add_user_agent(ptr+12); } } if(tmp) *tmp=backup_char; if(nextpos==NULL) break; ptr=nextpos; } if(scan) { if(last_modified && date) { struct tm time_date; struct tm time_lm; char *ret_date; char *ret_lm; ret_date=strptime(date, "%a, %d %b %Y %T GMT", &time_date); ret_lm=strptime(last_modified, "%a, %d %b %Y %T GMT", &time_lm); if(ret_date==date+strlen(date) && ret_lm==last_modified+strlen(last_modified)) { //The two dates have been correctly parsed time_t seconds_date=mktime(&time_date); time_t seconds_lm=mktime(&time_lm); double diff=difftime(seconds_date,seconds_lm); free(last_modified); free(date); last_modified=NULL; date=NULL; if(diff>=0) return string_append(NULL, "%i", (int)diff); } } /*else { if(date) printf("NOLAST LAST\n"); else printf("NOLAST DATE\n"); } */ } if(date) free(date); if(last_modified) free(last_modified); return NULL; } Here is the call graph for this function:

void scan_http (  struct dialog *  d  )

Scans two HTTP headers in memory (request and response) and gathers statistics. Parameters: struct  dialog *d: a dialog structure containing the request, the response, and some additional information Definition at line 1268 of file anon.c. References process_http(), dialog::request, dialog::request_len, dialog::response, dialog::response_len, and stats_add_freshness(). Referenced by process_dialog(). { char *freshness=NULL; //char *tmp=NULL; /*tmp=*/process_http(d->request, d->request_len, 1, 0); freshness=process_http(d->response, d->response_len, 1, 0); if(freshness) { stats_add_freshness(atoi(freshness)); free(freshness); } //if(tmp) free(tmp); } Here is the call graph for this function:

void stats_add_content_length (  char *  s  )

void stats_add_content_type (  char *  s  )

Definition at line 1888 of file anon.c. References add_and_count_string. Referenced by process_http(). { content_type_table=add_and_count_string(content_type_table, s); }

void stats_add_content_type_simple (  char *  s  )

Definition at line 1892 of file anon.c. References add_and_count_string. Referenced by process_http(). { content_type_simple_table=add_and_count_string(content_type_simple_table, s); }

void stats_add_extension (  char *  s  )

Definition at line 1862 of file anon.c. References add_and_count_string. Referenced by process_http(). { extension_table=add_and_count_string(extension_table, s); }

void stats_add_freshness (  int  nb  )

Definition at line 1900 of file anon.c. References add_nb(). Referenced by scan_http(). { add_nb(&fresh_table, nb); } Here is the call graph for this function:

void stats_add_header (  char *  s  )

Definition at line 1858 of file anon.c. Referenced by process_http(). { // header_table=add_and_count_string(header_table, s); }

void stats_add_http_response_code_with_data (  char *  s, char *  data )

Definition at line 1883 of file anon.c. References add_and_count_string_with_data(). Referenced by process_http(). { http_response_code_table=add_and_count_string_with_data(http_response_code_table, s, data); } Here is the call graph for this function:

void stats_add_http_version (  char *  s  )

Definition at line 1896 of file anon.c. References add_and_count_string. Referenced by process_http(). { http_version_table=add_and_count_string(http_version_table, s); }

void stats_add_last_modified (  char *  s  )

void stats_add_new_url_with_data (  char *  s, void *  data )

void stats_add_sequence_number (  char *  s  )

Definition at line 1850 of file anon.c. References add_and_count_string. { sequence_number_table=add_and_count_string(sequence_number_table, s); }

void stats_add_server (  char *  s  )

Definition at line 1870 of file anon.c. References add_and_count_string. Referenced by process_http(). { server_version_table=add_and_count_string(server_version_table, s); }

void stats_add_server_simple (  char *  s  )

Definition at line 1874 of file anon.c. References add_and_count_string. Referenced by process_http(). { server_version_simple_table=add_and_count_string(server_version_simple_table, s); }

void stats_add_suffix (  char *  s  )

Definition at line 1866 of file anon.c. References add_and_count_string. Referenced by process_http(). { suffix_table=add_and_count_string(suffix_table, s); }

void stats_add_url (  char *  s  )

void stats_add_url_with_data (  char *  s, void *  data )

void stats_add_user_agent (  char *  s  )

Definition at line 1878 of file anon.c. References add_and_count_string. Referenced by process_http(). { user_agent_table=add_and_count_string(user_agent_table, s); }

char* string_append (  char *  s, const char *  fmt,   ... )

Appends a string to another. Definition at line 228 of file anon.c. References get_string_from_args, xmalloc(), and xrealloc(). Referenced by add_and_count_string_with_data(), display_deviation(), display_string_table_with_data(), get_pct(), get_size(), get_speed(), get_time(), latency_stats(), process_http(), and summarize_stats(). { char *tmp; get_string_from_args(tmp); if(!tmp) return NULL; if(s==NULL) { s=xmalloc( strlen(tmp)+1); strcpy(s, tmp); } else { s=xrealloc(s, strlen(s)+strlen(tmp)+1); strcat(s, tmp); } free(tmp); if(s==NULL) return NULL; return s; } Here is the call graph for this function:

char * strptime (  const char *  s, const char *  format, struct tm *  tm )

Libc function, which converts a character string to values which are stored in a tm structure, using a specified format. Parameters: const  char *s : The string to convert const  char *format : The format of s struct  tm *tm : The tm structure to store the values Returns: a pointer to the first character not processed in this function call Referenced by anon_date(), and process_http().

char* strstr_limited (  char *  ptr, char *  end, char *  str )

Wrapper for strstr, which limits the memory area to search. Parameters: char  *ptr: start of the memory area char  *end: end of the memory area char  *str: the string to find Returns: If found, a char * pointing to the searched string. NULL otherwise. Definition at line 963 of file anon.c. Referenced by packet_handler(), and process_http(). { char *first; if(!str) return NULL; while(1) { first=memchr(ptr, *str, end-ptr); if(first) { int len=strlen(str); if(first+len<=end && strncmp(str, first, len)==0) return first; } else return NULL; ptr=first+1; if(ptr>end) return NULL; } }

void ts_print (  struct timeval *  tvp_  )

Prints a timestamp following this format: 16:21:48.970264. Parameters: struct  timeval *tvp_: A pointer on a timeval Definition at line 447 of file anon.c. References anonymise, anonymise_timestamp, print, and timeoffset. Referenced by display_packet_infos(). { register int s; struct timeval tv; struct timeval *tvp=&tv; tv.tv_sec=tvp_->tv_sec; tv.tv_usec=tvp_->tv_usec; if(!anonymise && anonymise_timestamp) s = (tvp->tv_sec+timeoffset) % 86400; else s = (tvp->tv_sec) % 86400; (void)print("%02d:%02d:%02d.%06u ", s / 3600, (s % 3600) / 60, s % 60, (unsigned)tvp->tv_usec); }

void ts_print_diff (  struct timeval *  tvp  )

Prints a time difference following this format: 14.95ms. Parameters: struct  timeval *tvp_: A pointer on a timeval Definition at line 438 of file anon.c. References print. Referenced by packet_handler(). { //Print the latency in miliseconds float time=tvp->tv_sec*1000.0+tvp->tv_usec/1000.0; print("%.02fms ",time); }

void* xmalloc (  size_t  size  )

A wrapper to malloc() which quits the program if the memory allocation fails. Definition at line 804 of file anon.c. References print. Referenced by add_and_count_string_with_data(), buffer_request(), clone_nb_table(), display_string_table_with_data(), packet_handler(), and string_append(). { void *tmp=malloc(size); if(!tmp) { print("Memory allocation error!\n"); exit(EXIT_FAILURE); } return tmp; }

void* xrealloc (  void *  ptr, size_t  size )

A wrapper to realloc() which quits the program if the memory allocation fails. Definition at line 815 of file anon.c. References print. Referenced by add_anonymised_url(), add_flag(), add_nb(), anon_ip(), anon_port(), and string_append(). { void *tmp=realloc(ptr,size); if(!tmp) { print("Memory allocation error!\n"); exit(1); } return tmp; }

---