/src/wireshark/epan/dissectors/packet-userlog.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* packet-userlog.c |
2 | | * Routines for userlog protocol packet disassembly |
3 | | * Copyright 2016, Jun Wang <sdn_app@163.com> |
4 | | * |
5 | | * Wireshark - Network traffic analyzer |
6 | | * By Gerald Combs <gerald@wireshark.org> |
7 | | * Copyright 1998 Gerald Combs |
8 | | * |
9 | | * SPDX-License-Identifier: GPL-2.0-or-later |
10 | | */ |
11 | | /* |
12 | | * Userlog is user flow logs of H3C device. |
13 | | * Flow logging records users' access to the extranet. The device classifies and |
14 | | * calculates flows through the 5-tuple information, which includes source IP address, |
15 | | * destination IP address, source port, destination port, and protocol number, |
16 | | * and generates user flow logs. Flow logging records the 5-tuple information of |
17 | | * the packets and number of the bytes received and sent. With flow logs, administrators |
18 | | * can track and record accesses to the network, facilitating the availability and |
19 | | * security of the network. |
20 | | * |
21 | | */ |
22 | | |
23 | | #include "config.h" |
24 | | |
25 | | #include <epan/packet.h> |
26 | | #include <epan/prefs.h> |
27 | | #include <epan/ipproto.h> |
28 | | |
29 | | void proto_register_userlog(void); |
30 | | void proto_reg_handoff_userlog(void); |
31 | | |
32 | | static dissector_handle_t userlog_handle; |
33 | | |
34 | | static int proto_userlog; |
35 | | |
36 | | static int hf_userlog_version; |
37 | | static int hf_userlog_logtype; |
38 | | static int hf_userlog_count; |
39 | | static int hf_userlog_timestamp; |
40 | | static int hf_userlog_header_reserved; |
41 | | |
42 | | static int hf_userlog_proto; |
43 | | static int hf_userlog_Operator; |
44 | | static int hf_userlog_IPVerion; |
45 | | static int hf_userlog_IPToS; |
46 | | |
47 | | static int hf_userlog_SourceIP; |
48 | | static int hf_userlog_SrcNatIP; |
49 | | static int hf_userlog_DestIP; |
50 | | static int hf_userlog_DestNatIP; |
51 | | static int hf_userlog_SrcPort; |
52 | | static int hf_userlog_SrcNatPort; |
53 | | static int hf_userlog_DestPort; |
54 | | static int hf_userlog_DestNatPort; |
55 | | |
56 | | static int hf_userlog_StartTime; |
57 | | static int hf_userlog_EndTime; |
58 | | |
59 | | static int hf_userlog_InTotalPkg; |
60 | | static int hf_userlog_InTotalByte; |
61 | | static int hf_userlog_OutTotalPkg; |
62 | | static int hf_userlog_OutTotalByte; |
63 | | |
64 | | static int hf_userlog_Reserved1; |
65 | | static int hf_userlog_Reserved2; |
66 | | static int hf_userlog_Reserved3; |
67 | | |
68 | | static int ett_userlog; |
69 | | static int ett_userlog_header; |
70 | | static int ett_userlog_log; |
71 | | |
72 | | static const value_string version[] = { |
73 | | { 1, "V1" }, |
74 | | { 3, "V3" }, |
75 | | { 0, NULL } |
76 | | }; |
77 | | |
78 | | static const value_string logtype[] = { |
79 | | { 1, "NAT" }, |
80 | | { 2, "BAS" }, |
81 | | { 4, "Flow" }, |
82 | | { 0, NULL } |
83 | | }; |
84 | | |
85 | | static const value_string Operator[] = { |
86 | | { 1, "normal close flow" }, |
87 | | { 2, "timeout" }, |
88 | | { 3, "clear flow" }, |
89 | | { 4, "overflow" }, |
90 | | { 5, "nat static" }, |
91 | | { 6, "time data threshold" }, |
92 | | { 7, "flow delete" }, |
93 | | { 8, "flow create" }, |
94 | | { 0, NULL } |
95 | | }; |
96 | | |
97 | | |
98 | | /* Minimum length (in bytes) of the protocol data. */ |
99 | 0 | #define USERLOG_MIN_LENGTH 8 |
100 | | |
101 | | |
102 | | /* Code to actually dissect the packets */ |
103 | | static int |
104 | | dissect_userlog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) |
105 | 0 | { |
106 | | /* Set up structures needed to add the protocol subtree and manage it */ |
107 | 0 | proto_item *ti; |
108 | 0 | proto_tree *userlog_header, *userlog_tree; |
109 | 0 | proto_tree *userlog_log; |
110 | | /* Other misc. local variables. */ |
111 | 0 | int offset = 0; |
112 | 0 | unsigned log_count = 1; |
113 | 0 | unsigned log_type, log_max; |
114 | | |
115 | | /* Check that the packet is long enough for it to belong to us. */ |
116 | 0 | if (tvb_reported_length(tvb) < USERLOG_MIN_LENGTH) |
117 | 0 | return 0; |
118 | | |
119 | 0 | col_set_str(pinfo->cinfo, COL_PROTOCOL, "UserLog"); |
120 | | /* Clear out stuff in the info column */ |
121 | 0 | col_clear(pinfo->cinfo,COL_INFO); |
122 | |
|
123 | 0 | ti = proto_tree_add_item(tree, proto_userlog, tvb, 0, -1, ENC_NA); |
124 | 0 | userlog_tree = proto_item_add_subtree(ti, ett_userlog); |
125 | |
|
126 | 0 | userlog_header = proto_tree_add_subtree(userlog_tree, tvb, 0, 16, ett_userlog_header, NULL, "UserLog Header"); |
127 | 0 | proto_tree_add_item(userlog_header, hf_userlog_version, tvb, offset, 1, ENC_BIG_ENDIAN); |
128 | 0 | offset += 1; |
129 | |
|
130 | 0 | proto_tree_add_item_ret_uint(userlog_header, hf_userlog_logtype, tvb, offset, 1, ENC_BIG_ENDIAN, &log_type); |
131 | 0 | col_add_fstr(pinfo->cinfo, COL_INFO, "LogType = %s", val_to_str(log_type, logtype, "Unknown (0x%02x)")); |
132 | 0 | offset += 1; |
133 | |
|
134 | 0 | proto_tree_add_item_ret_uint(userlog_header, hf_userlog_count, tvb, offset, 2, ENC_BIG_ENDIAN, &log_max); |
135 | 0 | proto_item_append_text(ti, ", Log Count = %d", log_max); |
136 | 0 | offset += 2; |
137 | |
|
138 | 0 | proto_tree_add_item(userlog_header, hf_userlog_timestamp, tvb, offset, 4, ENC_BIG_ENDIAN); |
139 | 0 | offset += 4; |
140 | | |
141 | | /* XXX - 8 bytes unaccounted for */ |
142 | 0 | proto_tree_add_item(userlog_header, hf_userlog_header_reserved, tvb, offset, 8, ENC_NA); |
143 | 0 | offset += 8; |
144 | |
|
145 | 0 | if (userlog_tree) { /* we are being asked for details */ |
146 | 0 | while ( log_count <= log_max) |
147 | 0 | { |
148 | 0 | userlog_log = proto_tree_add_subtree_format(userlog_tree, tvb, offset, 64, ett_userlog_log, NULL, "UserLog No.%d", log_count); |
149 | |
|
150 | 0 | proto_tree_add_item(userlog_log, hf_userlog_proto, tvb, offset, 1, ENC_BIG_ENDIAN); |
151 | 0 | offset += 1; |
152 | 0 | proto_tree_add_item(userlog_log, hf_userlog_Operator, tvb, offset, 1, ENC_BIG_ENDIAN); |
153 | 0 | offset += 1; |
154 | 0 | proto_tree_add_item(userlog_log, hf_userlog_IPVerion, tvb, offset, 1, ENC_BIG_ENDIAN); |
155 | 0 | offset += 1; |
156 | 0 | proto_tree_add_item(userlog_log, hf_userlog_IPToS, tvb, offset, 1, ENC_BIG_ENDIAN); |
157 | 0 | offset += 1; |
158 | 0 | proto_tree_add_item(userlog_log, hf_userlog_SourceIP, tvb, offset, 4, ENC_BIG_ENDIAN); |
159 | 0 | offset += 4; |
160 | 0 | proto_tree_add_item(userlog_log, hf_userlog_SrcNatIP, tvb, offset, 4, ENC_BIG_ENDIAN); |
161 | 0 | offset += 4; |
162 | 0 | proto_tree_add_item(userlog_log, hf_userlog_DestIP, tvb, offset, 4, ENC_BIG_ENDIAN); |
163 | 0 | offset += 4; |
164 | 0 | proto_tree_add_item(userlog_log, hf_userlog_DestNatIP, tvb, offset, 4, ENC_BIG_ENDIAN); |
165 | 0 | offset += 4; |
166 | 0 | proto_tree_add_item(userlog_log, hf_userlog_SrcPort, tvb, offset, 2, ENC_BIG_ENDIAN); |
167 | 0 | offset += 2; |
168 | 0 | proto_tree_add_item(userlog_log, hf_userlog_SrcNatPort, tvb, offset, 2, ENC_BIG_ENDIAN); |
169 | 0 | offset += 2; |
170 | 0 | proto_tree_add_item(userlog_log, hf_userlog_DestPort, tvb, offset, 2, ENC_BIG_ENDIAN); |
171 | 0 | offset += 2; |
172 | 0 | proto_tree_add_item(userlog_log, hf_userlog_DestNatPort, tvb, offset, 2, ENC_BIG_ENDIAN); |
173 | 0 | offset += 2; |
174 | 0 | proto_tree_add_item(userlog_log, hf_userlog_StartTime, tvb, offset, 4, ENC_BIG_ENDIAN); |
175 | 0 | offset += 4; |
176 | 0 | proto_tree_add_item(userlog_log, hf_userlog_EndTime, tvb, offset, 4, ENC_BIG_ENDIAN); |
177 | 0 | offset += 4; |
178 | 0 | proto_tree_add_item(userlog_log, hf_userlog_InTotalPkg, tvb, offset, 4, ENC_BIG_ENDIAN); |
179 | 0 | offset += 4; |
180 | 0 | proto_tree_add_item(userlog_log, hf_userlog_InTotalByte, tvb, offset, 4, ENC_BIG_ENDIAN); |
181 | 0 | offset += 4; |
182 | 0 | proto_tree_add_item(userlog_log, hf_userlog_OutTotalPkg, tvb, offset, 4, ENC_BIG_ENDIAN); |
183 | 0 | offset += 4; |
184 | 0 | proto_tree_add_item(userlog_log, hf_userlog_OutTotalByte, tvb, offset, 4, ENC_BIG_ENDIAN); |
185 | 0 | offset += 4; |
186 | 0 | proto_tree_add_item(userlog_log, hf_userlog_Reserved1, tvb, offset, 4, ENC_BIG_ENDIAN); |
187 | 0 | offset += 4; |
188 | 0 | proto_tree_add_item(userlog_log, hf_userlog_Reserved2, tvb, offset, 4, ENC_BIG_ENDIAN); |
189 | 0 | offset += 4; |
190 | 0 | proto_tree_add_item(userlog_log, hf_userlog_Reserved3, tvb, offset, 4, ENC_BIG_ENDIAN); |
191 | 0 | offset += 4; |
192 | |
|
193 | 0 | log_count++; |
194 | |
|
195 | 0 | } |
196 | 0 | } |
197 | |
|
198 | 0 | return tvb_captured_length(tvb); |
199 | 0 | } |
200 | | |
201 | | void |
202 | | proto_register_userlog(void) |
203 | 14 | { |
204 | 14 | static hf_register_info hf[] = { |
205 | 14 | { &hf_userlog_version, |
206 | 14 | { "Version", "userlog.version", |
207 | 14 | FT_UINT8, BASE_DEC, |
208 | 14 | VALS(version), 0x0, |
209 | 14 | NULL, HFILL } |
210 | 14 | }, |
211 | | |
212 | 14 | { &hf_userlog_logtype, |
213 | 14 | { "LogType", "userlog.logtype", |
214 | 14 | FT_UINT8, BASE_DEC, |
215 | 14 | VALS(logtype), 0x0, |
216 | 14 | NULL, HFILL } |
217 | 14 | }, |
218 | | |
219 | 14 | { &hf_userlog_count, |
220 | 14 | { "LogCount", "userlog.count", |
221 | 14 | FT_UINT16, BASE_DEC, |
222 | 14 | NULL, 0x0, |
223 | 14 | NULL, HFILL } |
224 | 14 | }, |
225 | | |
226 | 14 | { &hf_userlog_timestamp, |
227 | 14 | { "TimeStamp", "userlog.timestamp", |
228 | 14 | FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, |
229 | 14 | NULL, 0x0, |
230 | 14 | NULL, HFILL } |
231 | 14 | }, |
232 | | |
233 | 14 | { &hf_userlog_header_reserved, |
234 | 14 | { "Reserved", "userlog.reserved", |
235 | 14 | FT_BYTES, BASE_NONE, |
236 | 14 | NULL, 0x0, |
237 | 14 | NULL, HFILL } |
238 | 14 | }, |
239 | | |
240 | 14 | { &hf_userlog_proto, |
241 | 14 | { "Protocol", "userlog.proto", |
242 | 14 | FT_UINT8, BASE_DEC|BASE_EXT_STRING, |
243 | 14 | &ipproto_val_ext, 0x0, |
244 | 14 | NULL, HFILL } |
245 | 14 | }, |
246 | | |
247 | 14 | { &hf_userlog_Operator, |
248 | 14 | { "Operator", "userlog.Operator", |
249 | 14 | FT_UINT8, BASE_DEC, |
250 | 14 | VALS(Operator), 0x0, |
251 | 14 | NULL, HFILL } |
252 | 14 | }, |
253 | | |
254 | 14 | { &hf_userlog_IPVerion, |
255 | 14 | { "IP Version", "userlog.IPVersion", |
256 | 14 | FT_UINT8, BASE_DEC, |
257 | 14 | NULL, 0x0, |
258 | 14 | NULL, HFILL } |
259 | 14 | }, |
260 | | |
261 | 14 | { &hf_userlog_IPToS, |
262 | 14 | { "IP ToS", "userlog.IPToS", |
263 | 14 | FT_UINT8, BASE_DEC, |
264 | 14 | NULL, 0x0, |
265 | 14 | NULL, HFILL } |
266 | 14 | }, |
267 | | |
268 | 14 | { &hf_userlog_SourceIP, |
269 | 14 | { "Source-IP", "userlog.SourceIP", |
270 | 14 | FT_IPv4, BASE_NONE, |
271 | 14 | NULL, 0x0, |
272 | 14 | NULL, HFILL } |
273 | 14 | }, |
274 | | |
275 | 14 | { &hf_userlog_SrcNatIP, |
276 | 14 | { "Source-NAT-IP", "userlog.Source-NAT-IP", |
277 | 14 | FT_IPv4, BASE_NONE, |
278 | 14 | NULL, 0x0, |
279 | 14 | NULL, HFILL } |
280 | 14 | }, |
281 | | |
282 | 14 | { &hf_userlog_DestIP, |
283 | 14 | { "Destination-IP", "userlog.Destination-IP", |
284 | 14 | FT_IPv4, BASE_NONE, |
285 | 14 | NULL, 0x0, |
286 | 14 | NULL, HFILL } |
287 | 14 | }, |
288 | | |
289 | 14 | { &hf_userlog_DestNatIP, |
290 | 14 | { "Destination-NAT-IP", "userlog.Destination-NAT-IP", |
291 | 14 | FT_IPv4, BASE_NONE, |
292 | 14 | NULL, 0x0, |
293 | 14 | NULL, HFILL } |
294 | 14 | }, |
295 | | |
296 | 14 | { &hf_userlog_SrcPort, |
297 | 14 | { "Source-Port", "userlog.Source-Port", |
298 | 14 | FT_UINT16, BASE_DEC, |
299 | 14 | NULL, 0x0, |
300 | 14 | NULL, HFILL } |
301 | 14 | }, |
302 | | |
303 | 14 | { &hf_userlog_SrcNatPort, |
304 | 14 | { "Source-NAT-Port", "userlog.Source-NAT-Port", |
305 | 14 | FT_UINT16, BASE_DEC, |
306 | 14 | NULL, 0x0, |
307 | 14 | NULL, HFILL } |
308 | 14 | }, |
309 | | |
310 | 14 | { &hf_userlog_DestPort, |
311 | 14 | { "Destination-Port", "userlog.Destination-Port", |
312 | 14 | FT_UINT16, BASE_DEC, |
313 | 14 | NULL, 0x0, |
314 | 14 | NULL, HFILL } |
315 | 14 | }, |
316 | | |
317 | 14 | { &hf_userlog_DestNatPort, |
318 | 14 | { "Destination-NAT-Port", "userlog.Destination-NAT-Port", |
319 | 14 | FT_UINT16, BASE_DEC, |
320 | 14 | NULL, 0x0, |
321 | 14 | NULL, HFILL } |
322 | 14 | }, |
323 | | |
324 | 14 | { &hf_userlog_StartTime, |
325 | 14 | { "StartTime", "userlog.StartTime", |
326 | 14 | FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, |
327 | 14 | NULL, 0x0, |
328 | 14 | NULL, HFILL } |
329 | 14 | }, |
330 | | |
331 | 14 | { &hf_userlog_EndTime, |
332 | 14 | { "EndTime", "userlog.EndTime", |
333 | 14 | FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, |
334 | 14 | NULL, 0x0, |
335 | 14 | NULL, HFILL } |
336 | 14 | }, |
337 | | |
338 | 14 | { &hf_userlog_InTotalPkg, |
339 | 14 | { "InTotalPkg", "userlog.InTotalPkg", |
340 | 14 | FT_UINT32, BASE_DEC, |
341 | 14 | NULL, 0x0, |
342 | 14 | NULL, HFILL } |
343 | 14 | }, |
344 | | |
345 | 14 | { &hf_userlog_InTotalByte, |
346 | 14 | { "InTotalByte", "userlog.InTotalByte", |
347 | 14 | FT_UINT32, BASE_DEC, |
348 | 14 | NULL, 0x0, |
349 | 14 | NULL, HFILL } |
350 | 14 | }, |
351 | | |
352 | 14 | { &hf_userlog_OutTotalPkg, |
353 | 14 | { "OutTotalPkg", "userlog.OutTotalPkg", |
354 | 14 | FT_UINT32, BASE_DEC, |
355 | 14 | NULL, 0x0, |
356 | 14 | NULL, HFILL } |
357 | 14 | }, |
358 | | |
359 | 14 | { &hf_userlog_OutTotalByte, |
360 | 14 | { "OutTotalByte", "userlog.OutTotalByte", |
361 | 14 | FT_UINT32, BASE_DEC, |
362 | 14 | NULL, 0x0, |
363 | 14 | NULL, HFILL } |
364 | 14 | }, |
365 | | |
366 | 14 | { &hf_userlog_Reserved1, |
367 | 14 | { "Reserved1", "userlog.Reserved1", |
368 | 14 | FT_UINT32, BASE_DEC, |
369 | 14 | NULL, 0x0, |
370 | 14 | NULL, HFILL } |
371 | 14 | }, |
372 | | |
373 | 14 | { &hf_userlog_Reserved2, |
374 | 14 | { "Reserved2", "userlog.Reserved2", |
375 | 14 | FT_UINT32, BASE_DEC, |
376 | 14 | NULL, 0x0, |
377 | 14 | NULL, HFILL } |
378 | 14 | }, |
379 | | |
380 | 14 | { &hf_userlog_Reserved3, |
381 | 14 | { "Reserved3", "userlog.Reserved3", |
382 | 14 | FT_UINT32, BASE_DEC, |
383 | 14 | NULL, 0x0, |
384 | 14 | NULL, HFILL } |
385 | 14 | } |
386 | | |
387 | 14 | }; |
388 | | |
389 | | /* Setup protocol subtree array */ |
390 | 14 | static int *ett[] = { |
391 | 14 | &ett_userlog, |
392 | 14 | &ett_userlog_header, |
393 | 14 | &ett_userlog_log |
394 | 14 | }; |
395 | | |
396 | 14 | proto_userlog = proto_register_protocol("UserLog Protocol", "UserLog", "userlog"); |
397 | 14 | proto_register_field_array(proto_userlog, hf, array_length(hf)); |
398 | 14 | proto_register_subtree_array(ett, array_length(ett)); |
399 | 14 | userlog_handle = register_dissector("userlog", dissect_userlog, proto_userlog); |
400 | 14 | } |
401 | | |
402 | | void |
403 | | proto_reg_handoff_userlog(void) |
404 | 14 | { |
405 | 14 | dissector_add_for_decode_as_with_preference("udp.port", userlog_handle); |
406 | | |
407 | 14 | } |
408 | | |
409 | | /* |
410 | | * Editor modelines - https://www.wireshark.org/tools/modelines.html |
411 | | * |
412 | | * Local variables: |
413 | | * c-basic-offset: 8 |
414 | | * tab-width: 8 |
415 | | * indent-tabs-mode: t |
416 | | * End: |
417 | | * |
418 | | * vi: set shiftwidth=8 tabstop=8 noexpandtab: |
419 | | * :indentSize=8:tabSize=8:noTabs=false: |
420 | | */ |