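head	1.1;
access;
symbols;
locks; strict;
comment	@ * @;


1.1
date	2008.04.21.23.39.06;	author wessels;	state Exp;
branches;
next	;


desc
@@


1.1
log
@Initial revision
@
text
@/*
 * Sketch of a per-query DNS pcap analyzer: reads a pcap stream from stdin,
 * lets pcap_layers decode each packet down to the IPv4 and L7 layers,
 * fills one struct _xact per packet, and hands it to the analyze_* hooks.
 * Several parts are still placeholders (see the "fix" comments below).
 */

/*
 * NOTE(review): the system-header names of the original were lost when this
 * file was extracted (only the bare '#include' tokens survived); the list
 * below is what the code visible here needs: fprintf/exit/memset, INT_MAX,
 * time_t, u_char/u_short, struct in_addr and struct ip, and the pcap API.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <time.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <pcap.h>
#include "pcap_layers.h"

/* Not referenced in this revision; kept for the analysis hooks to come. */
struct in_addr dst;
static time_t start_time = 1234676778;

/*
 * One transaction (query) as seen in a single captured packet.
 * ignore_flag is set by a layer handler when the packet must not be
 * analyzed (e.g. it is a response rather than a query, or it is truncated).
 */
struct _xact {
    int ignore_flag;
    time_t ts;              /* capture time, seconds (pcap_pkthdr.ts.tv_sec) */
    struct in_addr clt;     /* client  = IPv4 source address */
    struct in_addr srv;     /* server  = IPv4 destination address */
    u_short qtype;          /* query type from the question section */
};

/*
 * IPv4 layer callback: record client and server addresses into the _xact.
 * pcap_layers is expected to call this only with a complete IPv4 header;
 * the length check is kept anyway because the bytes come from an untrusted
 * capture and the cost is one comparison.  Always returns 0.
 */
int
my_ip4_handler(const struct ip *ip4, int len, void *userdata)
{
    struct _xact *x = userdata;
    if (len < (int) sizeof *ip4) {
        /* truncated header: do not read fields that are not there */
        x->ignore_flag = 1;
        return 0;
    }
    x->clt = ip4->ip_src;   /* was 'ipv4', an undeclared name */
    x->srv = ip4->ip_dst;
    return 0;
}

/*
 * L7 (DNS) layer callback.  buf/len is the transport payload; len must
 * bound every read, since the payload is attacker-controlled capture data.
 * Queries (QR bit clear) get their qtype recorded; anything else is flagged
 * to be ignored.  Always returns 0.
 */
int
my_dns_handler(u_char *buf, int len, void *userdata)
{
    struct _xact *x = userdata;

    /*
     * ... header and question parsing is not written yet.  When it is, it
     * must verify that len covers the fixed DNS header before reading QR,
     * and must walk the question name without stepping past buf + len; a
     * short or malformed packet should set x->ignore_flag and return 0,
     * exactly like the QR case below, rather than being parsed partially.
     * 'QR' and 'question' are placeholders for the values that parse
     * produces.
     */

    /* make sure QR bit = 0; */
    if (QR != 0) {
        x->ignore_flag = 1;
        return 0;
    }
    /* look for malformed or bogus queries */
    x->qtype = question->qtype;
    return 0;
}

/*
 * Analysis II.1: bucket each query by its offset within a 300-second
 * window, per server.  Still a sketch: data_II_1 is not declared in this
 * revision and the index expression is a placeholder (see below).
 */
void
analyze_II_1(struct _xact *x)
{
    /* was an untyped 'static min_intvl = 99999999999', which overflows int */
    static int min_intvl = INT_MAX;
    int intvl = (int) (x->ts % 300);
    if (intvl < min_intvl)
        min_intvl = intvl;
    /*
     * fix: with the comma operator this indexes only by intvl and 'srv' is
     * undeclared; the intent is a two-dimensional count keyed by x->srv
     * (reduced to an index) and intvl.
     */
    data_II_1[srv,intvl]++;
}

/* Run every analysis hook on one transaction. */
void
analyze(struct _xact *x)
{
    analyze_II_1(x);
    analyze_II_2(x);    /* not defined in this revision */
}

/*
 * Read a pcap stream from stdin, decode each packet through pcap_layers,
 * and analyze every packet that no handler flagged to be ignored.
 * Exits 1 if stdin cannot be opened as a pcap stream, 0 otherwise.
 */
int
main(int argc, char *argv[])
{
    pcap_t *in = NULL;
    char errbuf[PCAP_ERRBUF_SIZE + 1];
    struct pcap_pkthdr hdr;
    const u_char *data;
    struct _xact X;

    (void) argc;
    (void) argv;

    in = pcap_open_offline("-", errbuf);
    if (NULL == in) {
        fprintf(stderr, "stdin: %s\n", errbuf);    /* was missing the newline */
        exit(1);
    }
    pcap_layers_init(pcap_datalink(in));
    callback_ipv4 = my_ip4_handler;
    callback_l7 = my_dns_handler;

    while ((data = pcap_next(in, &hdr))) {
        /* fresh per-packet state so a handler never sees the previous packet's fields */
        memset(&X, 0, sizeof(X));
        X.ts = hdr.ts.tv_sec;
        handle_pcap(&X, &hdr, data);
        if (!X.ignore_flag)
            analyze(&X);
    }
    pcap_close(in);
    report();   /* not defined in this revision */
    exit(0);
}
@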