Clean up a bunch of things:
use value_string tables and make numerical fields numeric, with associated value_string tables, rather than strings; make a signed integer field signed, which means we don't have to format the item for it in the protocol tree ourselves; give it a long protocol name, and make the short protocol name all-caps, as with other short protocol names. svn path=/trunk/; revision=4696
parent
70e640d2d8
commit
007a32e8b1
120
packet-pflog.c
120
packet-pflog.c
|
@ -1,7 +1,7 @@
|
||||||
/* packet-pflog.c
|
/* packet-pflog.c
|
||||||
* Routines for pflog (OpenBSD Firewall Logging) packet disassembly
|
* Routines for pflog (OpenBSD Firewall Logging) packet disassembly
|
||||||
*
|
*
|
||||||
* $Id: packet-pflog.c,v 1.2 2002/01/30 23:08:26 guy Exp $
|
* $Id: packet-pflog.c,v 1.3 2002/02/05 00:43:59 guy Exp $
|
||||||
*
|
*
|
||||||
* Copyright 2001 Mike Frantzen
|
* Copyright 2001 Mike Frantzen
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
|
@ -63,9 +63,6 @@ static int hf_pflog_dir = -1;
|
||||||
|
|
||||||
static gint ett_pflog = -1;
|
static gint ett_pflog = -1;
|
||||||
|
|
||||||
static char *pf_reasons[PFRES_MAX+2] = PFRES_NAMES;
|
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
capture_pflog(const u_char *pd, int offset, int len, packet_counts *ld)
|
capture_pflog(const u_char *pd, int offset, int len, packet_counts *ld)
|
||||||
{
|
{
|
||||||
|
@ -82,27 +79,63 @@ capture_pflog(const u_char *pd, int offset, int len, packet_counts *ld)
|
||||||
memcpy(&pflogh, pd, sizeof(pflogh));
|
memcpy(&pflogh, pd, sizeof(pflogh));
|
||||||
NTOHL(pflogh.af);
|
NTOHL(pflogh.af);
|
||||||
|
|
||||||
if (pflogh.af == BSD_PF_INET)
|
switch (pflogh.af) {
|
||||||
|
|
||||||
|
case BSD_PF_INET:
|
||||||
capture_ip(pd, offset, len, ld);
|
capture_ip(pd, offset, len, ld);
|
||||||
|
break;
|
||||||
|
|
||||||
#ifdef notyet
|
#ifdef notyet
|
||||||
else if (pflogh.af == BSD_PF_INET6)
|
case BSD_PF_INET6:
|
||||||
capture_ipv6(pd, offset, len, ld);
|
capture_ipv6(pd, offset, len, ld);
|
||||||
|
break;
|
||||||
#endif
|
#endif
|
||||||
else
|
|
||||||
|
default:
|
||||||
ld->other++;
|
ld->other++;
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static const value_string af_vals[] = {
|
||||||
|
{ BSD_PF_INET, "IPv4" },
|
||||||
|
{ BSD_PF_INET6, "IPv6" },
|
||||||
|
{ 0, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
static const value_string reason_vals[] = {
|
||||||
|
{ 0, "match" },
|
||||||
|
{ 1, "bad-offset" },
|
||||||
|
{ 2, "fragment" },
|
||||||
|
{ 3, "short" },
|
||||||
|
{ 4, "normalize" },
|
||||||
|
{ 5, "memory" },
|
||||||
|
{ 0, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
static const value_string action_vals[] = {
|
||||||
|
{ PF_PASS, "passed" },
|
||||||
|
{ PF_DROP, "dropped" },
|
||||||
|
{ PF_SCRUB, "scrubbed" },
|
||||||
|
{ 0, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
static const value_string dir_vals[] = {
|
||||||
|
{ PF_IN, "in" },
|
||||||
|
{ PF_OUT, "out" },
|
||||||
|
{ 0, NULL }
|
||||||
|
};
|
||||||
|
|
||||||
static void
|
static void
|
||||||
dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||||
{
|
{
|
||||||
struct pfloghdr pflogh;
|
struct pfloghdr pflogh;
|
||||||
tvbuff_t *next_tvb;
|
tvbuff_t *next_tvb;
|
||||||
proto_tree *pflog_tree;
|
proto_tree *pflog_tree;
|
||||||
proto_item *ti, *tf;
|
proto_item *ti;
|
||||||
char *why;
|
|
||||||
|
|
||||||
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
||||||
col_set_str(pinfo->cinfo, COL_PROTOCOL, "pflog");
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "PFLOG");
|
||||||
|
|
||||||
/* Copy out the pflog header to insure alignment */
|
/* Copy out the pflog header to insure alignment */
|
||||||
tvb_memcpy(tvb, (guint8 *)&pflogh, 0, sizeof(pflogh));
|
tvb_memcpy(tvb, (guint8 *)&pflogh, 0, sizeof(pflogh));
|
||||||
|
@ -114,55 +147,57 @@ dissect_pflog(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
|
||||||
NTOHS(pflogh.action);
|
NTOHS(pflogh.action);
|
||||||
NTOHS(pflogh.dir);
|
NTOHS(pflogh.dir);
|
||||||
|
|
||||||
why = (pflogh.reason < PFRES_MAX) ? pf_reasons[pflogh.reason] : "unkn";
|
|
||||||
|
|
||||||
if (tree) {
|
if (tree) {
|
||||||
ti = proto_tree_add_protocol_format(tree, proto_pflog, tvb, 0,
|
ti = proto_tree_add_protocol_format(tree, proto_pflog, tvb, 0,
|
||||||
PFLOG_HDRLEN,
|
PFLOG_HDRLEN,
|
||||||
"PF Log %s %s on %s by rule %d", pflogh.af == BSD_PF_INET ? "IPv4" :
|
"PF Log %s %s on %s by rule %d",
|
||||||
pflogh.af == BSD_PF_INET6 ? "IPv6" : "unkn",
|
val_to_str(pflogh.af, af_vals, "unknown (%u)"),
|
||||||
pflogh.action == PF_PASS ? "passed" :
|
val_to_str(pflogh.action, action_vals, "unknown (%u)"),
|
||||||
pflogh.action == PF_DROP ? "dropped" :
|
|
||||||
pflogh.action == PF_SCRUB ? "scrubbed" : "unkn",
|
|
||||||
pflogh.ifname,
|
pflogh.ifname,
|
||||||
pflogh.rnr);
|
pflogh.rnr);
|
||||||
pflog_tree = proto_item_add_subtree(ti, ett_pflog);
|
pflog_tree = proto_item_add_subtree(ti, ett_pflog);
|
||||||
|
|
||||||
tf = proto_tree_add_uint_format(pflog_tree, hf_pflog_rnr, tvb,
|
proto_tree_add_uint(pflog_tree, hf_pflog_af, tvb,
|
||||||
|
offsetof(struct pfloghdr, af), sizeof(pflogh.af),
|
||||||
|
pflogh.af);
|
||||||
|
proto_tree_add_int(pflog_tree, hf_pflog_rnr, tvb,
|
||||||
offsetof(struct pfloghdr, rnr), sizeof(pflogh.rnr),
|
offsetof(struct pfloghdr, rnr), sizeof(pflogh.rnr),
|
||||||
pflogh.rnr, "Rule Number: %d", pflogh.rnr);
|
pflogh.rnr);
|
||||||
tf = proto_tree_add_string(pflog_tree, hf_pflog_ifname, tvb,
|
proto_tree_add_string(pflog_tree, hf_pflog_ifname, tvb,
|
||||||
offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
|
offsetof(struct pfloghdr, ifname), sizeof(pflogh.ifname),
|
||||||
pflogh.ifname);
|
pflogh.ifname);
|
||||||
tf = proto_tree_add_string(pflog_tree, hf_pflog_reason, tvb,
|
proto_tree_add_uint(pflog_tree, hf_pflog_reason, tvb,
|
||||||
offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
|
offsetof(struct pfloghdr, reason), sizeof(pflogh.reason),
|
||||||
why);
|
pflogh.reason);
|
||||||
tf = proto_tree_add_string(pflog_tree, hf_pflog_action, tvb,
|
proto_tree_add_uint(pflog_tree, hf_pflog_action, tvb,
|
||||||
offsetof(struct pfloghdr, action), sizeof(pflogh.action),
|
offsetof(struct pfloghdr, action), sizeof(pflogh.action),
|
||||||
pflogh.action == PF_PASS ? "pass" :
|
pflogh.action);
|
||||||
pflogh.action == PF_DROP ? "drop" :
|
proto_tree_add_uint(pflog_tree, hf_pflog_dir, tvb,
|
||||||
pflogh.action == PF_SCRUB ? "scrub" : "unkn");
|
|
||||||
tf = proto_tree_add_string(pflog_tree, hf_pflog_dir, tvb,
|
|
||||||
offsetof(struct pfloghdr, dir), sizeof(pflogh.dir),
|
offsetof(struct pfloghdr, dir), sizeof(pflogh.dir),
|
||||||
pflogh.dir == PF_IN ? "in" : "out");
|
pflogh.dir);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Set the tvbuff for the payload after the header */
|
/* Set the tvbuff for the payload after the header */
|
||||||
next_tvb = tvb_new_subset(tvb, PFLOG_HDRLEN, -1, -1);
|
next_tvb = tvb_new_subset(tvb, PFLOG_HDRLEN, -1, -1);
|
||||||
|
|
||||||
pinfo->ethertype = (hf_pflog_af == BSD_PF_INET) ? ETHERTYPE_IP : ETHERTYPE_IPv6;
|
switch (pflogh.af) {
|
||||||
if (pflogh.af == BSD_PF_INET)
|
|
||||||
|
case BSD_PF_INET:
|
||||||
call_dissector(ip_handle, next_tvb, pinfo, tree);
|
call_dissector(ip_handle, next_tvb, pinfo, tree);
|
||||||
else if (pflogh.af == BSD_PF_INET6)
|
break;
|
||||||
|
|
||||||
|
case BSD_PF_INET6:
|
||||||
call_dissector(ipv6_handle, next_tvb, pinfo, tree);
|
call_dissector(ipv6_handle, next_tvb, pinfo, tree);
|
||||||
else
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
call_dissector(data_handle, next_tvb, pinfo, tree);
|
call_dissector(data_handle, next_tvb, pinfo, tree);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
if (check_col(pinfo->cinfo, COL_INFO)) {
|
if (check_col(pinfo->cinfo, COL_INFO)) {
|
||||||
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/#%d] ",
|
col_prepend_fstr(pinfo->cinfo, COL_INFO, "[%s %s/#%d] ",
|
||||||
pflogh.action == PF_PASS ? "passed" :
|
val_to_str(pflogh.action, action_vals, "unknown (%u)"),
|
||||||
pflogh.action == PF_DROP ? "dropped" :
|
|
||||||
pflogh.action == PF_SCRUB ? "scrubbed" : "unkn",
|
|
||||||
pflogh.ifname,
|
pflogh.ifname,
|
||||||
pflogh.rnr);
|
pflogh.rnr);
|
||||||
}
|
}
|
||||||
|
@ -173,27 +208,28 @@ proto_register_pflog(void)
|
||||||
{
|
{
|
||||||
static hf_register_info hf[] = {
|
static hf_register_info hf[] = {
|
||||||
{ &hf_pflog_af,
|
{ &hf_pflog_af,
|
||||||
{ "Address Family", "pflog.af", FT_UINT32, BASE_DEC, NULL, 0x0,
|
{ "Address Family", "pflog.af", FT_UINT32, BASE_DEC, VALS(af_vals), 0x0,
|
||||||
"Protocol (IPv4 vs IPv6)", HFILL }},
|
"Protocol (IPv4 vs IPv6)", HFILL }},
|
||||||
{ &hf_pflog_ifname,
|
{ &hf_pflog_ifname,
|
||||||
{ "Interface", "pflog.ifname", FT_STRING, BASE_NONE, NULL, 0x0,
|
{ "Interface", "pflog.ifname", FT_STRING, BASE_NONE, NULL, 0x0,
|
||||||
"Interface", HFILL }},
|
"Interface", HFILL }},
|
||||||
{ &hf_pflog_rnr,
|
{ &hf_pflog_rnr,
|
||||||
{ "Rule Number", "pflog.rnr", FT_UINT16, BASE_DEC, NULL, 0x0,
|
{ "Rule Number", "pflog.rnr", FT_INT16, BASE_DEC, NULL, 0x0,
|
||||||
"Last matched firewall rule number", HFILL }},
|
"Last matched firewall rule number", HFILL }},
|
||||||
{ &hf_pflog_reason,
|
{ &hf_pflog_reason,
|
||||||
{ "Reason", "pflog.reason", FT_STRING, BASE_NONE, NULL, 0x0,
|
{ "Reason", "pflog.reason", FT_UINT16, BASE_DEC, VALS(reason_vals), 0x0,
|
||||||
"Reason for logging the packet", HFILL }},
|
"Reason for logging the packet", HFILL }},
|
||||||
{ &hf_pflog_action,
|
{ &hf_pflog_action,
|
||||||
{ "Action", "pflog.action", FT_STRING, BASE_NONE, NULL, 0x0,
|
{ "Action", "pflog.action", FT_UINT16, BASE_DEC, VALS(action_vals), 0x0,
|
||||||
"Action taken by PF on the packet", HFILL }},
|
"Action taken by PF on the packet", HFILL }},
|
||||||
{ &hf_pflog_dir,
|
{ &hf_pflog_dir,
|
||||||
{ "Direction", "pflog.dir", FT_STRING, BASE_NONE, NULL, 0x0,
|
{ "Direction", "pflog.dir", FT_UINT16, BASE_DEC, VALS(dir_vals), 0x0,
|
||||||
"Direction of packet in stack (inbound versus outbound)", HFILL }},
|
"Direction of packet in stack (inbound versus outbound)", HFILL }},
|
||||||
};
|
};
|
||||||
static gint *ett[] = { &ett_pflog };
|
static gint *ett[] = { &ett_pflog };
|
||||||
|
|
||||||
proto_pflog = proto_register_protocol("pflog", "pflog", "pflog");
|
proto_pflog = proto_register_protocol("OpenBSD Packet Filter log file",
|
||||||
|
"PFLOG", "pflog");
|
||||||
proto_register_field_array(proto_pflog, hf, array_length(hf));
|
proto_register_field_array(proto_pflog, hf, array_length(hf));
|
||||||
proto_register_subtree_array(ett, array_length(ett));
|
proto_register_subtree_array(ett, array_length(ett));
|
||||||
|
|
||||||
|
|
|
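Review bot: In the `@ -114,55 +147,57 @@` hunk, `pflogh.ifname` comes straight from the capture and is used as a C string three times — the `%s` in proto_tree_add_protocol_format, the proto_tree_add_string call, and the `%s` in col_prepend_fstr — but nothing guarantees a terminating NUL, so a header whose name fills the whole field (the `sizeof(pflogh.ifname)` length argument suggests a fixed-size array) would let those reads run past the field into the rest of the local struct and the stack beyond it. Because the header is already copied into a local by the tvb_memcpy in the previous hunk, forcing termination once there is enough: `pflogh.ifname[sizeof(pflogh.ifname) - 1] = '\0';`. This is a pre-existing weakness rather than one the commit introduces, but the rewrite touches every one of those call sites, so it is the natural place to close it. dissect_pflog's remaining byte-swaps and its closing lines lie outside the hunk, so I cannot confirm from here that `reason` is NTOHS'd before the new proto_tree_add_uint on it.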
@ -1,6 +1,6 @@
|
||||||
/* packet-pflog.h
|
/* packet-pflog.h
|
||||||
*
|
*
|
||||||
* $Id: packet-pflog.h,v 1.2 2002/01/29 10:44:43 guy Exp $
|
* $Id: packet-pflog.h,v 1.3 2002/02/05 00:43:59 guy Exp $
|
||||||
*
|
*
|
||||||
* Copyright 2001 Mike Frantzen
|
* Copyright 2001 Mike Frantzen
|
||||||
* All rights reserved.
|
* All rights reserved.
|
||||||
|
@ -42,18 +42,6 @@ struct pfloghdr {
|
||||||
};
|
};
|
||||||
#define PFLOG_HDRLEN sizeof(struct pfloghdr)
|
#define PFLOG_HDRLEN sizeof(struct pfloghdr)
|
||||||
|
|
||||||
/* Named reasons */
|
|
||||||
#define PFRES_NAMES { \
|
|
||||||
"match", \
|
|
||||||
"bad-offset", \
|
|
||||||
"fragment", \
|
|
||||||
"short", \
|
|
||||||
"normalize", \
|
|
||||||
"memory", \
|
|
||||||
NULL \
|
|
||||||
}
|
|
||||||
#define PFRES_MAX 6
|
|
||||||
|
|
||||||
/* Actions */
|
/* Actions */
|
||||||
#define PF_PASS 0
|
#define PF_PASS 0
|
||||||
#define PF_DROP 1
|
#define PF_DROP 1
|
||||||
|
|