/* Raised asynchronously from the SIGHUP handler installed by main(); receive_thread
 * clears it once the log has been reopened.
 * NOTE(review): ISO C only guarantees signal-handler writes to `volatile sig_atomic_t`;
 * on Linux/glibc that type is `int`, so this is equivalent there. */
static volatile int rotatelog=0;
/* Detaches the process: stdin/stdout -> /dev/null, fork, parent exits. */
void daemonize();
/* UDP receive/verify/log loop (pthread-style signature, ptr unused).
 * Returns NULL only if the socket cannot be created or bound. */
void *receive_thread(void *ptr);
/* Declared here but not referenced anywhere in the code visible in this file. */
void *write_thread(void *ptr);
/* SIGHUP handler installed by main(); body not shown here — presumably raises rotatelog. */
void sighup_hdl(int signal);
/* Append-mode event log (HM_LOGFILE): opened in main(), reopened by receive_thread
 * on rotation, written one line per accepted datagram. */
FILE *hfl_log;
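/*
 * Entry point: detach, open the event log, arm log rotation on SIGHUP and run
 * the receive loop in the main thread.
 *
 * Returns 1 if the log cannot be opened or if receive_thread() comes back,
 * which it only does when the UDP socket cannot be created or bound.  stderr is
 * not redirected by daemonize(), so the messages reach whoever launched us.
 */
int main(void)
{
    daemonize();

    hfl_log = fopen(HM_LOGFILE, "a");
    if (!hfl_log) {
        /* Previously an unchecked NULL here crashed in setlinebuf(). */
        perror(HM_LOGFILE);
        return 1;
    }
    /* Line-buffered so each accepted event is visible immediately (e.g. to tail -f). */
    setlinebuf(hfl_log);

    signal(SIGHUP, sighup_hdl);

    receive_thread(NULL);
    /* Not reached on the normal path: receive_thread() loops forever. */
    fputs("receive_thread: socket setup failed\n", stderr);
    return 1;
}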
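/*
 * Detach from the launcher: restrict the file-creation mask, point stdin and
 * stdout at /dev/null and fork, letting the parent exit.  The child continues
 * as the daemon.
 *
 * stderr is deliberately left attached so perror() here and in main() can still
 * report startup failures.  Exits the process with status 1 if fork() fails.
 * NOTE(review): there is no setsid()/chdir() step, so the daemon stays in the
 * launcher's session — confirm that is intended before changing it.
 */
void daemonize(void)
{
    /* Equivalent to the former umask(~0700): drop all group/other permission bits
     * from files we create (only the low 9 bits of the mask are used). */
    umask(077);

    int devnullfd = open("/dev/null", O_RDONLY);
    if (devnullfd != -1) {
        dup2(devnullfd, STDIN_FILENO);
        dup2(devnullfd, STDOUT_FILENO);
        close(devnullfd);
    }
    /* If /dev/null could not be opened we simply keep the inherited descriptors;
     * the old code passed -1 to dup2()/close() and ignored the EBADF. */

    switch (fork()) {
    case -1:
        perror("fork");
        exit(1);
    case 0:
        /* child: carry on as the daemon */
        break;
    default:
        /* parent: its job is done */
        exit(0);
    }
}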
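/*
 * Constant-time equality of two n-byte buffers.  The loop always touches every
 * byte, so the time taken does not reveal at which byte a forged signature first
 * differs from the expected one (memcmp() returns at the first mismatch).
 */
static int hm_ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    volatile unsigned char diff = 0;
    for (size_t k = 0; k < n; k++)
        diff |= (unsigned char)(a[k] ^ b[k]);
    return diff == 0;
}

/*
 * Receive loop.  Binds a UDP socket on TSIP:TSPORT and, for every datagram that
 * is exactly one message long, is within +/-20 s of the local clock and carries a
 * valid signature, appends one line to hfl_log.  Reopens the log whenever
 * rotatelog has been raised by the SIGHUP handler.
 *
 * ptr:     unused (pthread-style signature).
 * Returns: NULL only if the socket cannot be created or bound; otherwise never.
 */
void *receive_thread(void *ptr)
{
    (void)ptr;

    int udpsock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if (udpsock == -1)
        return NULL;

    /* Request a large receive buffer.  SO_RCVBUFFORCE needs CAP_NET_ADMIN; when it
     * is refused fall back to the unprivileged, rmem_max-capped SO_RCVBUF.  Both
     * are best-effort: the socket works either way. */
    int rcvbuf = 32 * 1024 * 1024;
    if (setsockopt(udpsock, SOL_SOCKET, SO_RCVBUFFORCE, &rcvbuf, sizeof rcvbuf) == -1)
        setsockopt(udpsock, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof rcvbuf);

    struct sockaddr_in serv;
    memset(&serv, 0, sizeof serv);
    serv.sin_family = AF_INET;
    serv.sin_port = htons(TSPORT);
    serv.sin_addr.s_addr = inet_addr(TSIP);
    if (bind(udpsock, (struct sockaddr *)&serv, sizeof serv)) {
        close(udpsock);
        return NULL;
    }

    /* One event buffer reused for every datagram: replaces the unchecked
     * per-packet malloc()/free() pair (a NULL return was dereferenced). */
    struct _peventmsg ev;
    unsigned char sign_recv[SHA_DIGEST_LENGTH];
    unsigned char sign_calc[SHA_DIGEST_LENGTH];

    for (;;) {
        if (rotatelog) {
            rotatelog = 0;
            /* Open the new file before closing the old one; if the open fails keep
             * the current handle instead of leaving hfl_log NULL for fprintf(). */
            FILE *nf = fopen(HM_LOGFILE, "a");
            if (nf) {
                if (hfl_log)
                    fclose(hfl_log);
                hfl_log = nf;
                /* Line buffering costs one write(2) per accepted packet; kept so
                 * `tail -f` on the log sees events promptly. */
                setlinebuf(hfl_log);
            }
        }

        socklen_t servlen = sizeof serv;
        ssize_t len = recvfrom(udpsock, &ev.msg, sizeof ev.msg, 0,
                               (struct sockaddr *)&serv, &servlen);
        /* Drop errors (including EINTR from SIGHUP, which re-checks rotatelog above)
         * and any datagram that is not exactly one message long. */
        if (len < 0 || (size_t)len != sizeof ev.msg)
            continue;

        /* Freshness window against replay: the timestamp is little-endian on the
         * wire (the log line below already converts it), so convert before comparing
         * — the old check compared the raw field and was wrong on big-endian hosts.
         * The rewritten inequality also avoids wrapping when msg_tm < 20. */
        time_t now = time(NULL);
        unsigned long long msg_tm = le64toh(ev.msg.tm);
        if (msg_tm + 20 < (unsigned long long)now ||
            msg_tm > (unsigned long long)now + 20)
            continue;

        /* Signature check: the sender computed SHA-1 over the message with the
         * shared SECRET written into the zeroed sign field; recreate that here.
         * NOTE(review): this is bare SHA-1 with the secret substituted into the
         * message, not an HMAC; changing the construction needs a matching sender
         * change, so it is only flagged here. */
        memcpy(sign_recv, ev.msg.sign, sizeof sign_recv);
        memset(ev.msg.sign, 0, sizeof ev.msg.sign);
        /* strncpy on purpose: fixed-width field that must stay zero-padded, and the
         * copy cannot run past the field if SECRET is as long as the field (the
         * previous strcpy() wrote its terminator one byte beyond in that case). */
        strncpy(ev.msg.sign, SECRET, sizeof ev.msg.sign);
        SHA1((unsigned char *)&ev.msg, sizeof ev.msg, sign_calc);
        if (!hm_ct_equal(sign_recv, sign_calc, sizeof sign_recv))
            continue;

        /* Sender address as text, bounded to the field (inet_ntoa() gives at most
         * 15 characters plus the terminator). */
        snprintf(ev.ip, sizeof ev.ip, "%s", inet_ntoa(serv.sin_addr));

        if (!hfl_log)
            continue;   /* nowhere to log; keep draining the socket */

        /* %.*s bounds the message-supplied ip string to its field so a datagram
         * without a NUL terminator cannot make fprintf() read past it.  Casts keep
         * the format specifiers matched to the argument types on every ABI. */
        fprintf(hfl_log, "%lld %.*s %llu %u %u %u %u %s\n",
                (long long)msg_tm,
                (int)sizeof ev.msg.ip, ev.msg.ip,
                (unsigned long long)le64toh(ev.msg.bytessent),
                (unsigned)le32toh(ev.msg.seconds),
                (unsigned)le32toh(ev.msg.ttype),
                (unsigned)le32toh(ev.msg.tcpi_total_retrans),
                (unsigned)le32toh(ev.msg.tcpi_snd_mss),
                ev.ip);
    }
}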
Traffic analysis tool: http://vasil.ludost.net/blog/?p=3029