#include <TCP_Contents.h>
Inheritance diagram for TCP_Reassembler:


Public Member Functions | |
| TCP_Reassembler (TCP_Contents *arg_contents_processor, const uint32 *src_addr) | |
| virtual | ~TCP_Reassembler () |
| void | SetContentsFile (BroFile *f) |
| void | MatchUndelivered (int up_to_seq=-1) |
Protected Member Functions | |
| TCP_Reassembler () | |
| DECLARE_SERIAL (TCP_Reassembler) | |
| void | Undelivered (int up_to_seq) |
| void | RecordToSeq (int start_seq, int stop_seq, BroFile *f) |
| void | RecordBlock (DataBlock *b, BroFile *f) |
| void | RecordGap (int start_seq, int upper_seq, BroFile *f) |
| void | BlockInserted (double t, DataBlock *b) |
| void | Overlap (const u_char *b1, const u_char *b2, int n) |
Protected Attributes | |
| TCP_Contents * | contents_processor |
| BroFile * | record_contents_file |
|
||||||||||||
|
Definition at line 32 of file TCP_Contents.h. References contents_processor, REASSEM_TCP, record_contents_file, and uint32.
// Public constructor (defined inline in TCP_Contents.h).
//
// arg_contents_processor: the TCP_Contents object that later receives
//     Deliver(), Undelivered() and rule-match calls from this reassembler.
// src_addr: passed through unchanged to the Reassembler base class together
//     with the constant 1 and REASSEM_TCP.
//
// Recording starts disabled: record_contents_file is 0 until
// SetContentsFile() installs a file.
TCP_Reassembler(TCP_Contents* arg_contents_processor, const uint32* src_addr)
    : Reassembler(1, src_addr, REASSEM_TCP),
      contents_processor(arg_contents_processor),
      record_contents_file(0)
{
}
|
|
Definition at line 26 of file TCP_Contents.cc. References record_contents_file, RecordToSeq(), BroObj::Unref, and DataBlock::upper.
// Destructor: if a contents file is attached, flush whatever is still
// buffered beyond last_reassem_seq into it, then drop our reference.
TCP_Reassembler::~TCP_Reassembler()
{
    // Not recording: nothing to flush and nothing to release.
    if ( ! record_contents_file )
        return;

    // Buffered data above last_reassem_seq was never delivered; write it
    // (with gap markers, via RecordToSeq) so the recorded stream is as
    // complete as the buffered blocks allow.
    const bool have_undelivered =
        blocks && last_reassem_seq < last_block->upper;

    if ( have_undelivered )
        RecordToSeq(last_reassem_seq, last_block->upper,
                    record_contents_file);

    Unref(record_contents_file);
}
|
|
|
Definition at line 46 of file TCP_Contents.h.
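// Protected default constructor (defined inline in TCP_Contents.h).
//
// The listed body is empty and has no initialiser list, which leaves both
// pointer members indeterminate. The destructor tests record_contents_file,
// so an object that is destroyed before something else assigns the members
// would act on a garbage pointer. Both are therefore set to 0 here.
// Presumably this constructor exists for the DECLARE_SERIAL machinery, which
// fills the members in afterwards (confirm against the serialization code).
TCP_Reassembler()
    : contents_processor(0), record_contents_file(0)
{
}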
|
|
||||||||||||
|
Implements Reassembler. Definition at line 167 of file TCP_Contents.cc. References DataBlock::block, TCP_Contents::Conn(), contents_processor, TCP_Contents::Deliver(), TCP_Contents::Endpoint(), TCP_Endpoint::HasContents(), TCP_Contents::IsOrig(), Connection::Match(), DataBlock::next, TCP_Endpoint::peer, record_contents_file, RecordBlock(), rule_matcher, DataBlock::seq, Reassembler::TrimToSeq(), and DataBlock::upper.
// Reassembler hook, called after a block has been inserted at time t.
//
// If the inserted block covers last_reassem_seq (i.e. it fills the leading
// hole), every block that now starts exactly at last_reassem_seq is, in order:
//   1. written to the contents file, if one is attached,
//   2. handed to contents_processor->Deliver(),
//   3. passed to the connection's rule matcher as Rule::PAYLOAD, if
//      rule_matcher is set,
// and last_reassem_seq is advanced past it.
//
// The class summary declares the second parameter as `b`; the body shown
// here refers to it as start_block.
//
// NOTE(review): sequence values are plain ints and are compared with < / <=.
// Presumably they are offsets relative to the initial sequence number, so
// wrap-around is handled elsewhere (confirm in Reassembler).
void TCP_Reassembler::BlockInserted(double t, DataBlock* start_block)
{
    // The new block lies entirely after the hole, or entirely inside data
    // that was already delivered: nothing can be delivered yet.
    const bool begins_past_hole = start_block->seq > last_reassem_seq;
    const bool ends_before_hole = start_block->upper <= last_reassem_seq;

    if ( begins_past_hole || ends_before_hole )
        return;

    // A leading hole was filled. The inserted block may mix old and new
    // bytes; AddAndCheck() has already split the new bytes into their own
    // block(s), so only blocks starting exactly at last_reassem_seq are new.
    // Blocks starting below it hold already-delivered data and are skipped.
    for ( DataBlock* cur = start_block; cur; cur = cur->next )
    {
        if ( cur->seq > last_reassem_seq )
            break;      // next hole reached

        if ( cur->seq != last_reassem_seq )
            continue;   // already delivered

        const int len = cur->upper - cur->seq;

        if ( record_contents_file )
            RecordBlock(cur, record_contents_file);

        contents_processor->Deliver(t, last_reassem_seq, len, cur->block);

        if ( rule_matcher )
            contents_processor->Conn()->Match(Rule::PAYLOAD,
                                              cur->block, len, false, false,
                                              contents_processor->IsOrig());

        last_reassem_seq += len;
    }

    // If the peer endpoint does no reassembly it (presumably) is not
    // processing acks either, so nothing else will release the delivered
    // data. Trim it here instead of holding it.
    if ( ! contents_processor->Endpoint()->peer->HasContents() )
        TrimToSeq(last_reassem_seq);

    // No EOF check here on purpose: a FIN without payload never reaches
    // this path (endpoint->DataSent is not called for it), so the check
    // lives in TCP_Connection::NextPacket.
}
|
|
|
|
|
|
Definition at line 108 of file TCP_Contents.cc. References DataBlock::block, TCP_Contents::Conn(), contents_processor, TCP_Contents::IsOrig(), Connection::Match(), DataBlock::next, rule_matcher, DataBlock::seq, DataBlock::upper, and Connection::Weird(). Referenced by TCP_Contents::MatchUndeliveredData(), and Undelivered().
// Run the rule matcher over buffered blocks that end at or before up_to_seq.
//
// up_to_seq: upper bound; the declaration's default of -1 means "up to the
//     end of the last buffered block".
//
// Does nothing when there are no blocks or no rule matcher. Raises the
// "matching_undelivered_data" weird when the bound lies beyond
// last_reassem_seq, i.e. when data that was never delivered in order is
// about to be matched.
//
// NOTE(review): the walk starts at the head of the block list, not at
// last_reassem_seq. Blocks that were already delivered (and matched in
// BlockInserted) but not yet trimmed would presumably be matched again, so
// confirm whether that is intended.
void TCP_Reassembler::MatchUndelivered(int up_to_seq)
{
    if ( ! (blocks && rule_matcher) )
        return;

    // Resolve the -1 sentinel to the end of the buffered data.
    const int limit = (up_to_seq == -1) ? last_block->upper : up_to_seq;

    if ( last_reassem_seq < limit )
        contents_processor->Conn()->Weird("matching_undelivered_data");

    DataBlock* cur = blocks;
    while ( cur && cur->upper <= limit )
    {
        contents_processor->Conn()->Match(Rule::PAYLOAD, cur->block,
                                          cur->upper - cur->seq, false, false,
                                          contents_processor->IsOrig());
        cur = cur->next;
    }
}
|
|
||||||||||||||||
|
Implements Reassembler. Definition at line 212 of file TCP_Contents.cc. References BroString, TCP_Contents::Conn(), contents_processor, TCP_Contents::Endpoint(), Connection::Event(), TCP_Endpoint::HasDoneSomething(), and TCP_Endpoint::peer.
// Reassembler hook, called with two n-byte buffers covering the same
// sequence range.
//
// If the buffers differ and a rexmit_inconsistency handler exists, the event
// is raised with both versions of the data. Two copies of the same range
// with different content are what a retransmission-based evasion attempt
// looks like to a monitor, so this event is the detection signal.
//
// NOTE(review): n is an int passed straight to memcmp() and BroString.
// Presumably the caller guarantees n > 0 (confirm in Reassembler).
void TCP_Reassembler::Overlap(const u_char* b1, const u_char* b2, int n)
{
    // No handler registered: skip the comparison entirely.
    if ( ! rexmit_inconsistency )
        return;

    // Identical bytes are a benign retransmission.
    if ( memcmp(b1, b2, n) == 0 )
        return;

    // Weed out keep-alives when they are all we have ever seen on the
    // connection: a one-byte difference only counts once the peer has
    // done something.
    if ( n <= 1 &&
         ! contents_processor->Endpoint()->peer->HasDoneSomething() )
        return;

    BroString* first_copy = new BroString(b1, n, 0);
    BroString* second_copy = new BroString(b2, n, 0);

    contents_processor->Conn()->Event(rexmit_inconsistency,
                                      new StringVal(first_copy),
                                      new StringVal(second_copy));
}
|
|
||||||||||||
|
Definition at line 152 of file TCP_Contents.cc. References DataBlock::block, internal_error(), DataBlock::seq, DataBlock::upper, and BroFile::Write(). Referenced by BlockInserted(), and RecordToSeq().
// Append the raw bytes of block b to contents file f.
//
// A failed write is reported through internal_error(); the original author
// notes that it should really generate an event instead.
//
// NOTE(review): if internal_error() terminates the process (not visible
// here), a full disk or a closed file would stop monitoring altogether.
// Confirm, and prefer the event the author suggests.
void TCP_Reassembler::RecordBlock(DataBlock* b, BroFile* f)
{
    const unsigned int nbytes = b->upper - b->seq;

    if ( f->Write((const char*) b->block, nbytes) )
        return;

    // ### this should really generate an event
    internal_error("contents write failed");
}
|
|
||||||||||||||||
|
Definition at line 160 of file TCP_Contents.cc. References fmt(), internal_error(), and BroFile::Write(). Referenced by RecordToSeq().
// Write a textual marker for a content gap of (upper_seq - start_seq) bytes
// to contents file f.
//
// The marker goes into the same file as the raw payload written by
// RecordBlock(). Payload bytes can contain the identical text, so a consumer
// of the file cannot tell a real gap marker from attacker-chosen payload by
// content alone.
//
// A failed write is reported through internal_error(); the original author
// notes that it should really generate an event instead.
void TCP_Reassembler::RecordGap(int start_seq, int upper_seq, BroFile* f)
{
    const int gap_len = upper_seq - start_seq;

    if ( f->Write(fmt("\n<<gap %d>>\n", gap_len)) )
        return;

    // ### this should really generate an event
    internal_error("contents gap write failed");
}
|
|
||||||||||||||||
|
Definition at line 125 of file TCP_Contents.cc. References DataBlock::next, RecordBlock(), RecordGap(), DataBlock::seq, and DataBlock::upper. Referenced by SetContentsFile(), Undelivered(), and ~TCP_Reassembler().
// Write the buffered data between start_seq and stop_seq to file f, with a
// gap marker wherever consecutive blocks are not contiguous.
//
// Only blocks that end at or before stop_seq are written. A block that
// straddles stop_seq is not written.
//
// NOTE(review): the trailing gap is recorded only while a further block
// exists beyond the written range. If the block list ends first, or no block
// ends after start_seq at all, nothing is written for the missing tail.
// Confirm this is intended, since the recorded file then shows no sign of
// the gap.
void TCP_Reassembler::RecordToSeq(int start_seq, int stop_seq, BroFile* f)
{
    // Skip blocks that end at or before start_seq.
    DataBlock* cur = blocks;
    for ( ; cur && cur->upper <= start_seq; cur = cur->next )
        ;

    if ( ! cur )
        return;

    // Sequence number up to which the file is complete so far.
    int recorded_to = start_seq;

    for ( ; cur && cur->upper <= stop_seq; cur = cur->next )
    {
        if ( cur->seq > recorded_to )
            RecordGap(recorded_to, cur->seq, f);

        RecordBlock(cur, f);
        recorded_to = cur->upper;
    }

    // Final gap, checked only if a block remains past the written range.
    if ( cur && recorded_to < stop_seq )
        RecordGap(recorded_to, stop_seq, f);
}
|
|
|
Definition at line 37 of file TCP_Contents.cc. References BroFile::IsOpen(), BroFile::Name(), record_contents_file, RecordToSeq(), run_time(), DataBlock::seq, and BroObj::Unref. Referenced by TCP_Contents::SetContentsFile().
// Attach f as the file that receives this stream's reassembled contents.
//
// If f is not open, a run-time error is reported and the current recording
// state is left unchanged. When recording starts for the first time, the
// data already buffered up to last_reassem_seq is written to f so that the
// file starts from the earliest buffered block. When a file was already
// attached, it is released and replaced without any catch-up.
//
// NOTE(review): f is dereferenced without a null check and stored without a
// visible Ref(). Presumably the caller passes a valid file and hands over a
// reference (confirm in TCP_Contents::SetContentsFile).
void TCP_Reassembler::SetContentsFile(BroFile* f)
{
    if ( ! f->IsOpen() )
    {
        run_time("no such file \"%s\"", f->Name());
        return;
    }

    if ( ! record_contents_file )
    {
        // First file: catch up on what is already buffered.
        if ( blocks )
            RecordToSeq(blocks->seq, last_reassem_seq, f);
    }
    else
        // Already recording, so there is nothing to catch up on.
        Unref(record_contents_file);

    record_contents_file = f;
}
|
|
|
Reimplemented from Reassembler. Definition at line 57 of file TCP_Contents.cc. References TCP_Contents::Conn(), contents_processor, TCP_Contents::Endpoint(), TCP_Endpoint::FIN_cnt, TCP_Endpoint::FIN_seq, TCP_Connection::IsPartial(), MatchUndelivered(), record_contents_file, RecordToSeq(), TCP_Endpoint::RST_cnt, TCP_Endpoint::start_seq, tcp_match_undelivered, and TCP_Contents::Undelivered().
// Reassembler hook (reimplemented): data up to up_to_seq is expected but
// everything between last_reassem_seq and up_to_seq is missing.
//
// Unless one of the early exits applies, the gap is written to the contents
// file (if attached), reported to contents_processor->Undelivered(),
// optionally rule-matched (tcp_match_undelivered), and last_reassem_seq is
// moved forward to up_to_seq.
//
// Detection coverage: once the endpoint has counted a FIN or RST, this
// function returns before reporting, recording or matching anything. Gaps
// discovered after that point are therefore silent.
void TCP_Reassembler::Undelivered(int up_to_seq)
{
    // Partial connection: its initial sequence numbers were faked as if a
    // SYN had been seen. The first ack then produces a complaint that this
    // data is missing (up_to_seq == 1) or that one octet beyond it is
    // missing (up_to_seq == 2, when the first packet seen was a
    // keep-alive). Ignore both cases.
    if ( up_to_seq <= 2 && contents_processor->Conn()->IsPartial() )
        return;

#if 0
    if ( contents_processor->Endpoint()->FIN_cnt > 0 )
    {
        // Make sure we're not worrying about undelivered
        // FIN control octets!
        int FIN_seq = contents_processor->Endpoint()->FIN_seq - contents_processor->Endpoint()->start_seq;
        if ( up_to_seq >= FIN_seq )
            up_to_seq = FIN_seq - 1;
    }
#endif

    // The trace may be SYN/FIN/RST-filtered, so do not complain about data
    // missing at the end of the connection.
    //
    // Side effect noted by the author: this confuses the EOF checker (and
    // causes a missing FIN in the rewritten trace) when a content gap in the
    // middle is discovered only after the FIN packet.
    const bool connection_closing =
        contents_processor->Endpoint()->FIN_cnt > 0 ||
        contents_processor->Endpoint()->RST_cnt > 0;

    if ( connection_closing )
        return;

    // Nothing is missing below what was already delivered.
    if ( last_reassem_seq >= up_to_seq )
        return;

    if ( record_contents_file )
        RecordToSeq(last_reassem_seq, up_to_seq, record_contents_file);

    // Inform the endpoint about the gap: start and length.
    const int gap_len = up_to_seq - last_reassem_seq;
    contents_processor->Undelivered(last_reassem_seq, gap_len);

    if ( tcp_match_undelivered )
        MatchUndelivered(up_to_seq);

    // We've done our best: continue from beyond the gap.
    last_reassem_seq = up_to_seq;
}
|
|
|
Definition at line 59 of file TCP_Contents.h. Referenced by BlockInserted(), MatchUndelivered(), Overlap(), TCP_Reassembler(), and Undelivered(). |
|
|
Definition at line 60 of file TCP_Contents.h. Referenced by BlockInserted(), SetContentsFile(), TCP_Reassembler(), Undelivered(), and ~TCP_Reassembler(). |