====================
libnids-1.19
====================
1. Introduction
2. IP defragmentation
3. TCP stream assembly
4. A sample application
5. Basic libnids structures and functions
6. Misc useful hacks
1. Introduction
Declarations of data structures and functions defined by libnids are
gathered in include file "nids.h". An application which uses libnids
must include this file and must be linked with libnids.a.
An application's main function usually looks like this:
int
main ()
{
  // application private processing, not related to libnids
  // optional modification of libnids parameters, e.g. nids_params.n_hosts = 256;
  if (!nids_init ())
    {
      // something's wrong; nids_errbuf holds the reason, terminate
      fprintf (stderr, "%s\n", nids_errbuf);
      exit (1);
    }
  // registration of callback functions, e.g. nids_register_tcp (tcp_callback);
  nids_run ();
  // not reached in normal situation
  return 0;
}
Another method is mentioned later.
2. IP defragmentation
In order to receive all IP packets seen by libnids (including
fragmented ones, packets with invalid checksum et cetera) a programmer
should define a callback function of the following type
void ip_frag_func(struct ip * a_packet, int len)
After calling nids_init, this function should be registered with
libnids:
nids_register_ip_frag(ip_frag_func);
Function ip_frag_func will be called from libnids; the parameter a_packet
points to the received datagram and len is the packet length.
Similarly, in order to receive only those packets that would be accepted
by the target host (that is, unfragmented packets or datagrams reassembled
from fragments, whose header correctness has been verified), one should
define a callback function
void ip_func(struct ip * a_packet)
and register it with
nids_register_ip(ip_func);
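The practical difference between the two callbacks is what a target host would actually accept: an ip_frag callback sees every datagram, an ip callback only those whose header verifies and which are complete. The following is an added, stand-alone C illustration of those two conditions, not libnids' own code (libnids implements them in its own checksum and fragment code); the header bytes are constructed here, and ip_header_ok, ip_is_fragment, reaches_ip_callback and make_sample are names chosen for this example.

```c
#include <stdint.h>
#include <string.h>

/* RFC 791 one's-complement checksum over the IPv4 header, complemented:
 * a header whose checksum field is correct yields 0. */
static uint16_t ip_csum(const uint8_t *h, size_t hlen)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        s += (uint32_t)h[i] << 8 | h[i + 1];
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Header verification of the kind an ip callback relies on: IPv4, sane
 * IHL, total length within the captured bytes, checksum correct. */
int ip_header_ok(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    size_t tot = (size_t)p[2] << 8 | p[3];
    if (ihl < 20 || tot < ihl || tot > len)
        return 0;
    return ip_csum(p, ihl) == 0;
}
/* MF flag set or non-zero offset: a fragment, delivered to ip_frag
 * callbacks only, until the whole datagram has been reassembled. */
int ip_is_fragment(const uint8_t *p)
{
    unsigned fo = (unsigned)p[6] << 8 | p[7];
    return (fo & 0x2000) != 0 || (fo & 0x1fff) != 0;
}
/* 1 if the datagram would reach an ip callback; an ip_frag callback
 * receives it regardless of the outcome. */
int reaches_ip_callback(const uint8_t *p, size_t len)
{
    return ip_header_ok(p, len) && !ip_is_fragment(p);
}
/* Constructed sample: 20-byte header, 10.0.0.1 -> 10.0.0.2, TCP, total
 * length 20, checksum field filled in; frag != 0 additionally sets MF. */
void make_sample(uint8_t out[20], int frag)
{
    static const uint8_t base[20] = { 0x45, 0, 0, 20, 0x12, 0x34, 0, 0, 64,
                                      6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    memcpy(out, base, 20);
    if (frag)
        out[6] = 0x20;
    uint16_t c = ip_csum(out, 20);
    out[10] = (uint8_t)(c >> 8);
    out[11] = (uint8_t)c;
}
```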
3. TCP stream assembly
In order to receive data exchanged in a TCP stream, one must declare a
callback function
void tcp_callback(struct tcp_stream * ns, void ** param)
Structure tcp_stream provides all info on a TCP connection. For
instance, it contains two fields of type struct half_stream (named
client and server), each of them describing one side of a connection.
We'll explain all its fields later.
One of the tcp_stream fields is named nids_state. The behaviour of
tcp_callback depends on the value of this field.
* ns->nids_state==NIDS_JUST_EST
In this case, ns describes a connection which has just been
established. Tcp_callback must decide if it wishes to be notified
in future of arrival of data in this connection. All the
connection parameters are available (IP addresses, port numbers
etc). If the connection is interesting, tcp_callback informs
libnids which data it wishes to receive (data to client, to
server, urgent data to client, urgent data to server). Then the
function returns.
* ns->nids_state==NIDS_DATA
In this case, new data has arrived. Structures half_stream
(members of tcp_stream) contain buffers with data.
* The following values of the nids_state field:
+ NIDS_CLOSE
+ NIDS_RESET
+ NIDS_TIMEOUT
mean that the connection has been closed. Tcp_callback should free
allocated resources, if any.
* ns->nids_state==NIDS_EXITING
In this case, libnids is exiting. This is the application's last
opportunity to make use of any data left stored in the half_stream
buffers. When reading traffic from a capture file rather than the
network, libnids may never see a close, reset, or timeout. If the
application has unprocessed data (e.g., retained by using nids_discard()),
this allows the application to process it.
4. A sample application
Now let's have a look at a simple application, which displays on
stderr data exchanged in all TCP connections seen by libnids.
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h> // exit()
#include <unistd.h> // write()
#include "nids.h"

#define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x))

// struct tuple4 contains addresses and port numbers of the TCP connections
// the following auxiliary function produces a string looking like
// 10.0.0.1,1024,10.0.0.2,23
char *
adres (struct tuple4 addr)
{
  static char buf[256];
  strcpy (buf, int_ntoa (addr.saddr));
  sprintf (buf + strlen (buf), ",%i,", addr.source);
  strcat (buf, int_ntoa (addr.daddr));
  sprintf (buf + strlen (buf), ",%i", addr.dest);
  return buf;
}

void
tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed)
{
  char buf[1024];
  strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
  if (a_tcp->nids_state == NIDS_JUST_EST)
    {
      // connection described by a_tcp is established
      // here we decide, if we wish to follow this stream
      // sample condition: if (a_tcp->addr.dest!=23) return;
      // in this simple app we follow each stream, so..
      a_tcp->client.collect++; // we want data received by a client
      a_tcp->server.collect++; // and by a server, too
      a_tcp->server.collect_urg++; // we want urgent data received by a
                                   // server
#ifdef WE_WANT_URGENT_DATA_RECEIVED_BY_A_CLIENT
      a_tcp->client.collect_urg++; // if we don't increase this value,
                                   // we won't be notified of urgent data
                                   // arrival
#endif
      fprintf (stderr, "%s established\n", buf);
      return;
    }
  if (a_tcp->nids_state == NIDS_CLOSE)
    {
      // connection has been closed normally
      fprintf (stderr, "%s closing\n", buf);
      return;
    }
  if (a_tcp->nids_state == NIDS_RESET)
    {
      // connection has been closed by RST
      fprintf (stderr, "%s reset\n", buf);
      return;
    }
  if (a_tcp->nids_state == NIDS_DATA)
    {
      // new data has arrived; gotta determine in what direction
      // and if it's urgent or not
      struct half_stream *hlf;
      if (a_tcp->server.count_new_urg)
        {
          // new byte of urgent data has arrived
          strcat (buf, "(urgent->)");
          buf[strlen (buf) + 1] = 0;
          buf[strlen (buf)] = a_tcp->server.urgdata;
          write (1, buf, strlen (buf));
          return;
        }
      // We don't have to check if urgent data to client has arrived,
      // because we haven't increased a_tcp->client.collect_urg variable.
      // So, we have some normal data to take care of.
      if (a_tcp->client.count_new)
        {
          // new data for the client
          hlf = &a_tcp->client; // from now on, we will deal with hlf var,
                                // which will point to client side of conn
          strcat (buf, "(<-)"); // symbolic direction of data
        }
      else
        {
          hlf = &a_tcp->server; // analogical
          strcat (buf, "(->)");
        }
      fprintf (stderr, "%s", buf); // we print the connection parameters
                                   // (saddr, daddr, sport, dport) accompanied
                                   // by data flow direction (-> or <-)
      write (2, hlf->data, hlf->count_new); // we print the newly arrived data
    }
  return;
}

int
main ()
{
  // here we can alter libnids params, for instance:
  // nids_params.n_hosts=256;
  if (!nids_init ())
    {
      fprintf (stderr, "%s\n", nids_errbuf);
      exit (1);
    }
  nids_register_tcp (tcp_callback);
  nids_run ();
  return 0;
}
5. Basic libnids structure