udp流检测统计-xiaolan425-ChinaUnix博客

xiaolan425的ChinaUnix博客

首页　| 　博文目录　| 　关于我

xiaolan425

博客访问： 561101
博文数量： 375
博客积分： 0
博客等级：民兵
技术积分： 15
用户组：普通用户
注册时间： 2013-09-20 10:21

文章分类

全部博文（375）

Linux（2）
IBM-AIX（0）
HP-UX（1）
Solaris（89）
未分配的博文（283）

文章存档

2015年（1）

2014年（374）

我的朋友

相关博文

udp流检测统计

分类： LINUX

2014-08-18 14:00:07

原文地址：udp流检测统计作者：zooyo

#include <stdio.h>
#include <pcap.h>
#include <stdlib.h>
#include <time.h>
#include <getopt.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/udp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#define MIN_LEN (sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr))
#ifdef DEBUG
#define DEBUGP(format,args...) fprintf(stdout, format, ##args)
#else
#define DEBUGP(format,args...)
#endif
#define HASHSIZE (1024 * 1024 * 2)
#define HASH_KEY(ip1, ip2, ports, initval) jhash_3words(ip1, ip2, ports, initval) % HASHSIZE
/* swap - swap value of @a and @b */
#define swap(a, b) \
do { typeof(a) __tmp = (a); (a) = (b); (b) = __tmp; } while (0)
#define __jhash_mix(a, b, c) { \
a -= b; a -= c; a ^= (c>>13); \
b -= c; b -= a; b ^= (a<<8); \
c -= a; c -= b; c ^= (b>>13); \
a -= b; a -= c; a ^= (c>>12); \
b -= c; b -= a; b ^= (a<<16); \
c -= a; c -= b; c ^= (b>>5); \
a -= b; a -= c; a ^= (c>>3); \
b -= c; b -= a; b ^= (a<<10); \
c -= a; c -= b; c ^= (b>>15); \
}
/* The golden ration: an arbitrary value */
#define JHASH_GOLDEN_RATIO 0x9e3779b9
static struct option opts[] = {
{.name = "start", .has_arg = 1, .val = 's'},
{.name = "end", .has_arg = 1, .val = 'e'},
{.name = "file", .has_arg = 1, .val = 'f'},
{.name = "help", .has_arg = 0, .val = 'h'},
{NULL}
};
enum udpflow_dir{
UDPFLOW_ORG = 0,
UDPFLOW_REPLY,
UDPFLOW_MAX
};
struct udp_tuple{
u_int32_t src;
u_int32_t dst;
u_int16_t sport;
u_int16_t dport;
};
struct udp_counter{
u_int64_t bytes;
u_int32_t packet;
u_int32_t total;
};
typedef struct _udpflow{
struct udp_tuple tuple;
struct udp_counter counter[UDPFLOW_MAX];
time_t start;
time_t end;
struct _udpflow *next;
}udpflow;
static int s = 1, e = 0;
static udpflow *hash_t[HASHSIZE];
static u_int32_t initval;
static inline u_int32_t jhash_3words(u_int32_t a,
u_int32_t b,
u_int32_t c,
u_int32_t initval) {
a += JHASH_GOLDEN_RATIO;
b += JHASH_GOLDEN_RATIO;
c += initval;
__jhash_mix(a, b, c);
return c;
}
static void print_help(void) {
printf("-h Print this help\n");
printf("-s Began to capture in which package\n");
printf("-e End capture in which package\n");
printf("-f Captured packets\n");
exit(-1);
}
static char* trans_time(time_t sec) {
static char buf[32];
struct tm *date;
date = localtime(&sec);
strftime(buf, 64, "%Y-%m-%d %H:%M:%S", date);
return buf;
}
static u_int32_t hash_udpflow(struct udp_tuple *tuple) {
union {
u_int32_t v32;
u_int16_t v16[2];
}ports;
u_int32_t hash, sip, tip;
sip = tuple->src;
tip = tuple->dst;
ports.v16[0] = tuple->sport;
ports.v16[1] = tuple->dport;
/*
无论是请求数据还是应答数据都排序后送去哈希
这样使得同一个流的哈希结果是一样
*/
if(sip < tip) swap(sip, tip);
if(ports.v16[0] < ports.v16[1]) swap(ports.v16[0], ports.v16[1]);
hash = HASH_KEY(sip, tip, ports.v32, initval);
return hash;
}
static udpflow *lookup(struct udp_tuple *tuple, u_int32_t hash, int *dir) {
udpflow *pNode = hash_t[hash];
while(pNode != NULL) {
/*
遍历链表的每个节点, 如果查询到统一方向是请求数据
反方向是应答数据, 第一个数据包就确认为请求包
*/
if(pNode->tuple.src == tuple->src
&& pNode->tuple.dst == tuple->dst
&& pNode->tuple.sport == tuple->sport
&& pNode->tuple.dport == tuple->dport) {
*dir = UDPFLOW_ORG;
return pNode;
}
if(pNode->tuple.src == tuple->dst
&& pNode->tuple.dst == tuple->src
&& pNode->tuple.sport == tuple->dport
&& pNode->tuple.dport == tuple->sport) {
*dir = UDPFLOW_REPLY;
return pNode;
}
pNode = pNode->next;
}
return NULL;
}
static void insert(udpflow *udp, u_int32_t hash) {
udp->next = hash_t[hash];
hash_t[hash] = udp;
}
static udpflow *found_udpflow(struct udp_tuple *tuple, int *dir) {
u_int32_t hash;
udpflow *udp;
hash = hash_udpflow(tuple); //计算哈希值
udp = lookup(tuple, hash, dir); //在哈希链表中查询当前包的五元组是否已知
if(!udp){ //未找到该值则新建链表节点
udp = (udpflow *)malloc(sizeof(udpflow));
if(!udp) return NULL;
memset(udp, 0, sizeof(udpflow));
*dir = UDPFLOW_ORG; //新建节点为请求数据方向
udp->tuple.src = tuple->src;
udp->tuple.dst = tuple->dst;
udp->tuple.sport = tuple->sport;
udp->tuple.dport = tuple->dport;
insert(udp, hash);
}
return udp;
}
static void dispatcher_handler(u_char *args, //回调函数传递的参数
const struct pcap_pkthdr *header, const u_char *pkt_data) {
struct ethhdr *ethh;
struct iphdr *iph;
struct udphdr *udph;
struct udp_tuple tuple;
udpflow *udp;
int dir;
u_int32_t count;
if(header->caplen < MIN_LEN) return;
ethh = (struct ethhdr *)pkt_data;
//上层是IP协议继续
if(ntohs(ethh->h_proto) == 0x0800) {
pkt_data += sizeof(struct ethhdr);
iph = (struct iphdr *)pkt_data;
//udp协议继续检测
if(iph->protocol == 17) {
//跳过IP首部,这里IP首部长度取首部内的长度值
if(header->caplen > iph->ihl*4) pkt_data += iph->ihl*4;
udph = (struct udphdr *)pkt_data;
tuple.src = iph->saddr;
tuple.dst = iph->daddr;
tuple.sport = udph->source;
tuple.dport = udph->dest;
/*
查找当前数据包是否存在于已知UDP流中
返回的指针要么为查询到的地址, 要么就是新建节点的地址
以便取出数据直接进行统计操作
*/
udp = found_udpflow(&tuple, &dir);
if(!udp) return;
udp->counter[dir].total++;
count = udp->counter[UDPFLOW_ORG].total + udp->counter[UDPFLOW_REPLY].total;
if(count == s){
/* 找到开始技术的位置 */
udp->counter[dir].packet++;
udp->counter[dir].bytes += header->caplen;
udp->start = header->ts.tv_sec;
/* 结束位置未设置则为0, 或者计数器不超过结束位置 */
} else if(count > s && (e <= s || count <= e)) {
udp->counter[dir].packet++;
udp->counter[dir].bytes += header->caplen;
udp->end = header->ts.tv_sec;
} else {
return;
}
}
}
}
static int load_packet(char *pcapfile) {
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
/* 从已捕获的dump文件中读取数据包 */
if((handle = pcap_open_offline(pcapfile, errbuf)) == NULL) {
printf("open the dumpfile failed\n");
exit(3);
}
#if 0
char filter_exp[] = "udp";
struct bpf_program fp;
if (pcap_compile(handle, &fp, filter_exp, 0, 0) == -1) {
fprintf(stderr, "Couldn't parse filter %s: %s\n",
filter_exp, pcap_geterr(handle));
exit(4);
}
if (pcap_setfilter(handle, &fp) == -1) {
fprintf(stderr, "Couldn't install filter %s: %s\n",
filter_exp, pcap_geterr(handle));
exit(5);
}
#endif
/* 开始循环抓包,调用packet_callback处理
跟从网卡获取数据包一样, 直到读到EOF */
pcap_loop(handle, 0, dispatcher_handler, NULL);
pcap_close(handle);
return 0;
}
static void print_info(void) {
int idx;
int size = HASHSIZE;
u_int64_t rpy_avg, req_avg, perc;
char src[32] = {0}, dst[32] = {0};
udpflow *p;
for(idx=0; idx<HASHSIZE; idx++) {
p = hash_t[idx];
if(!p || !p->counter[UDPFLOW_REPLY].packet) continue;
snprintf(src, sizeof(src), "%s:%d", inet_ntoa(*((struct in_addr *)&p->tuple.src)),
ntohs(p->tuple.sport));
snprintf(dst, sizeof(dst), "%s:%d", inet_ntoa(*((struct in_addr *)&p->tuple.dst)),
ntohs(p->tuple.dport));
fprintf(stdout, "%-21s -> %-21s", src, dst);
fprintf(stdout, " ORG_cnt:%-4d REPLY_cnt:%-4d", p->counter[UDPFLOW_ORG].packet, p->counter[UDPFLOW_REPLY].packet);
req_avg = p->counter[UDPFLOW_ORG].bytes / p->counter[UDPFLOW_ORG].packet;
rpy_avg = p->counter[UDPFLOW_REPLY].bytes / p->counter[UDPFLOW_REPLY].packet;
perc = rpy_avg/req_avg;
fprintf(stdout, " ORG_avg:%-4lu REPLY_avg:%-4lu PERC:%-3lu SEC:%ld\n", req_avg, rpy_avg, perc, p->end-p->start);
}
}
main(int argc, char **argv) {
char c;
char *pcapfile = NULL;
opterr = 0;
initval = random();
if (argc < 2) print_help();
while((c = getopt_long(argc, argv, "s:e:f:h", opts, NULL)) != -1) {
switch(c) {
case '?':
fprintf(stderr, "bad options\n");
exit(1);
case 's':
s = atoi(optarg);
break;
case 'e':
e = atoi(optarg);
break;
case 'f':
pcapfile = optarg;
break;
case 'h':
print_help();
}
}
if(!pcapfile) {
fprintf(stderr, "Specify the captured packets\n");
exit(2);
}
load_packet(pcapfile);
print_info();
return 0;
}

阅读(1061) | 评论(0) | 转发(0) |

上一篇：ARP欺骗攻击程序_多线程主动扫描内网

下一篇：循环队列的基本操作

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6