-rw-r--r-- | Makefile | 28 | ||||
-rw-r--r-- | gg_map/Makefile | 2 | ||||
-rw-r--r-- | gg_map/README.txt | 9 | ||||
-rw-r--r-- | gg_map/gg_map.c | 95 | ||||
-rwxr-xr-x | gg_map/glouglou_localsniff.sh | 23 | ||||
-rw-r--r-- | gg_sniff/README.txt | 22 | ||||
-rw-r--r-- | gg_sniff/gg_sniff.c | 14 | ||||
-rw-r--r-- | gg_sniff/gg_sniff.h | 2 | ||||
-rw-r--r-- | gg_sniff/pcap.c | 24 | ||||
-rw-r--r-- | glougloud/glougloud.c | 25 |
10 files changed, 189 insertions, 55 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..b0be2a8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,28 @@
+LIB = libglouglou
+DAEMON = glougloud
+PROBES = gg_sniff gg_trackproc
+ANALYSERS = gg_map
+DIRS = $(LIB) $(DAEMON) $(PROBES) $(ANALYSERS)
+
+all:
+ -for d in $(DIRS); do (cd $$d; make); done
+
+clean:
+ -for d in $(DIRS); do (cd $$d; make clean); done
+
+install:
+ -for d in $(DIRS); do (cd $$d; make install); done
+
+pkg:
+ $(eval _pkgname := "glouglou_pkg_$(shell date +%Y%m%d_%H%M)")
+ mkdir -p $(_pkgname)
+ cp libglouglou/libglouglou.so \
+ glougloud/glougloud \
+ gg_sniff/gg_sniff \
+ gg_trackproc/gg_trackproc \
+ gg_map/gg_map gg_map/glouglou_localsniff.sh \
+ $(_pkgname)
+ tar -czf $(_pkgname).tgz $(_pkgname)
+ @echo -e "\nCreated $(_pkgname) and $(_pkgname).tgz"
+
+.PHONY: pkg
diff --git a/gg_map/Makefile b/gg_map/Makefile
index 17040af..2722e39 100644
--- a/gg_map/Makefile
+++ b/gg_map/Makefile
@@ -4,6 +4,7 @@ LIBS += $(shell pkg-config --libs elementary evas ecore) -levent -lglouglou -leg
 CFLAGS += -Wall -g
 
 BINARY=gg_map
+WRAPPER=glouglou_localsniff.sh
 PREFIX=/usr/local
 BINDIR=$(PREFIX)/bin
 
@@ -15,6 +16,7 @@ install: $(BINARY)
 @echo "installation of $(BINARY)"
 mkdir -p $(BINDIR)
 install -m 0755 $(BINARY) $(BINDIR)
+ install -m 0755 $(WRAPPER) $(BINDIR)
 
 clean:
 rm -f $(BINARY) $(BINARY).o
diff --git a/gg_map/README.txt b/gg_map/README.txt
index 5b5146e..4a92b49 100644
--- a/gg_map/README.txt
+++ b/gg_map/README.txt
@@ -6,12 +6,11 @@ WARNING: Work in progress, don't expect this to work !
 
 * libglouglou
 
-* egraph
+* egraph (git clone git://git.enlightenment.org/devs/kiwi/egraph.git)
 
-* Enlightenment Foundation Libraries
-http://www.enlightenment.org
- * evas
- * elementary
+* Enlightenment Foundation Libraries - http://www.enlightenment.org
+ * efl (git clone git://git.enlightenment.org/core/efl.git)
+ * elementary (git clone git://git.enlightenment.org/core/elementary.git)
 
 TODO
 ====
diff --git a/gg_map/gg_map.c b/gg_map/gg_map.c
index dda280c..48c68f0 100644
--- a/gg_map/gg_map.c
+++ b/gg_map/gg_map.c
@@ -6,13 +6,26 @@
 #include <libglouglou.h>
 #include <libggnet.h>
 
-int _debug = 0;
+int _loglevel = 0;
 Evas_Object *_mainwin;
 Evas_Object *_egraph = NULL;
 struct ggnet *_ggnet;
 struct event_base *_ev_base;
 
+#if defined(__OpenBSD__)
+void __dead
+#else
+void
+#endif
+usage(void)
+{
+ extern char *__progname;
+
+ fprintf(stderr, "usage: %s [-hv] [ip [port]]\n", __progname);
+ exit(1);
+}
+
 /* link between ecore loop and libevent loop */
 static Eina_Bool
 _cb_ecore_libevent(void *data)
 {
@@ -117,7 +130,7 @@ _conn_add(u_int id, u_int src, u_int dst, u_int proto, u_int8_t pktsize)
 int size, response;
 
 GG_PKTDATA_SIZE_DECODE(pktsize, size, response);
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_add\n");
 if (response > 0) /* cannot have a new connection that is a response */
 return;
@@ -131,7 +144,7 @@ _conn_add(u_int id, u_int src, u_int dst, u_int proto, u_int8_t pktsize)
 va = _node_to_vertice(a);
 vb = _node_to_vertice(b);
 e = egraph_edge_find(_egraph, va, vb);
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_add: a %d b %d e %x id %d\n", va->id, vb->id, e, id);
 if (!e) {
 if (a->group && a->group->conn_count == 1)
@@ -139,7 +152,7 @@ _conn_add(u_int id, u_int src, u_int dst, u_int proto, u_int8_t pktsize)
 if (b->group && b->group->conn_count == 1)
 _node_detach_parentgroup(b);
 e = egraph_edge_add(_egraph, va, vb, conn);
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_add: egraph edge added %x\n", e);
 }
 ggnet_conn_usrdata_set(conn, e);
@@ -156,7 +169,7 @@ _conn_del(int id) {
 a = ggnet_conn_src_get(conn);
 b = ggnet_conn_dst_get(conn);
 e = ggnet_conn_usrdata_get(conn);
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_del: conn id %d\n", id);
 // XXX ggnet_conn_del(_ggnet, conn);
 /* is there other connections between these peers ? */
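Review bot: The printf that the new `if (_loglevel >= 2)` guards in the `_conn_add` hunk at old line 131 prints `e` with `%x`, yet `e` is tested with `!e` and stored through `ggnet_conn_usrdata_set`, so it looks like a pointer; `%x` expects an unsigned int, which is undefined behaviour and truncates the value on 64-bit builds. Use `printf("_conn_add: a %d b %d e %p id %d\n", va->id, vb->id, (void *)e, id);` and make the same `%p` change in the "egraph edge added" printf and in the `_conn_del` printfs that print `e` further down. The guard reads the global `_loglevel` introduced at the top of this file; `_conn_add` and `_conn_del` both begin and end outside these hunks.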
@@ -164,7 +177,7 @@ _conn_del(int id) {
 if (!otherconn) {
 // XXX lets keep the edges, igraph layouting behaves badly when you have
 // a vertice without edge ...
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_del: edge del %x\n", e);
 // XXX egraph_edge_del(_egraph, e);
 if (a->group && a->group->conn_count == 0)
@@ -172,11 +185,11 @@ _conn_del(int id) {
 if (b->group && b->group->conn_count == 0)
 _node_attach_parentgroup(b);
 } else {
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_del: not last one, edge %x *not* deleted\n", e);
 }
 } else {
- if (_debug)
+ if (_loglevel >= 2)
 printf("_conn_del: does not exist !\n");
 }
 }
@@ -222,12 +235,14 @@ _cb_packet(struct gg_client *cli, struct gg_packet *pkt) {
 switch(pkt->type) {
 
 case PACKET_NEWCONN:
- printf(" type PACKET_NEWCONN\n");
- printf(" newconn_id %d\n", pkt->newconn_id);
- printf(" newconn_src %4x\n", pkt->newconn_src);
- printf(" newconn_dst %4x\n", pkt->newconn_dst);
- printf(" newconn_proto %d\n", pkt->newconn_proto);
- printf(" newconn_size %d\n", pkt->newconn_size);
+ if (_loglevel >= 1) {
+ printf(" type PACKET_NEWCONN\n");
+ printf(" newconn_id %d\n", pkt->newconn_id);
+ printf(" newconn_src %4x\n", pkt->newconn_src);
+ printf(" newconn_dst %4x\n", pkt->newconn_dst);
+ printf(" newconn_proto %d\n", pkt->newconn_proto);
+ printf(" newconn_size %d\n", pkt->newconn_size);
+ }
 
 _conn_del(pkt->newconn_id); /* in case we missed a previous del */
 _conn_add(pkt->newconn_id, pkt->newconn_src, pkt->newconn_dst,
@@ -235,25 +250,31 @@ _cb_packet(struct gg_client *cli, struct gg_packet *pkt) {
 break;
 
 case PACKET_DELCONN:
- printf(" type PACKET_DELCONN\n");
- printf(" delconn_id %d\n", pkt->delconn_id);
+ if (_loglevel >= 1) {
+ printf(" type PACKET_DELCONN\n");
+ printf(" delconn_id %d\n", pkt->delconn_id);
+ }
 
 _conn_del(pkt->delconn_id);
 break;
 
 case PACKET_DATA:
- //printf(" type PACKET_DATA\n");
- //printf(" data_connid %d\n", pkt->data_connid);
- //printf(" data_size %d\n", pkt->data_size);
+ if (_loglevel >= 1) {
+ //printf(" type PACKET_DATA\n");
+ //printf(" data_connid %d\n", pkt->data_connid);
+ //printf(" data_size %d\n", pkt->data_size);
+ }
 
 _conn_data(pkt->data_connid, pkt->data_size);
 break;
 
 case PACKET_NAME:
- printf(" type PACKET_NAME\n");
- printf(" name_addr %4x\n", pkt->name_addr);
- printf(" name_len %d\n", pkt->name_len);
- printf(" name_name_fqdn %s\n", pkt->name_fqdn);
+ if (_loglevel >= 1) {
+ printf(" type PACKET_NAME\n");
+ printf(" name_addr %4x\n", pkt->name_addr);
+ printf(" name_len %d\n", pkt->name_len);
+ printf(" name_name_fqdn %s\n", pkt->name_fqdn);
+ }
 
 _conn_name(pkt->name_addr, pkt->name_len, pkt->name_fqdn);
 break;
@@ -333,7 +354,33 @@ elm_main(int argc, char **argv)
 Evas_Object *bx, *bx2, *ck, *sc, *seg_it, *lb;
 Evas *evas;
 struct gg_client *ggcli;
+ char gg_serv_ip[30] = "127.0.0.1";
+ int gg_serv_port = GLOUGLOU_ANALY_DEFAULT_PORT;
 int retval = -1;
+ int op;
+
+ while ((op = getopt(argc, argv, "hv")) != -1) {
+ switch (op) {
+ case 'h':
+ usage();
+ /* NOTREACHED */
+ case 'v':
+ _loglevel++;
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
+ }
+ switch (argc - optind) {
+ case 2: gg_serv_port = atoi(argv[3]);
+ case 1: strncpy(gg_serv_ip, argv[2], sizeof(gg_serv_ip));
+ case 0:
+ break;
+ default:
+ usage();
+ /* NOTREACHED */
+ }
 
 win = elm_win_add(NULL, "panes", ELM_WIN_BASIC);
 evas = evas_object_evas_get(win);
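Review bot: The new positional parsing at the end of the `elm_main` hunk reads `argv[3]` and `argv[2]` after `getopt`, so the ip/port come from the wrong slots whenever `-v` is given, and with a single positional argument `argv[2]` is the argv terminator, so `strncpy` dereferences NULL; this same commit fixes exactly this in gg_sniff.c with `optind`. Use `case 2: gg_serv_port = atoi(argv[optind+1]);` and `case 1: snprintf(gg_serv_ip, sizeof(gg_serv_ip), "%s", argv[optind]);`, the latter because `strncpy` leaves the 30-byte `gg_serv_ip` unterminated when the argument is 30 characters or longer. The fall-through from `case 2` to `case 1` to `case 0` appears intended but is unmarked; a `/* FALLTHROUGH */` comment on each would make that explicit. `elm_main` starts and ends outside this hunk.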
@@ -437,7 +484,7 @@ elm_main(int argc, char **argv)
 _cb_ggnet_addgroup, _cb_ggnet_delgroup);
 
 _ev_base = event_base_new();
- ggcli = gg_client_connect(_ev_base, "127.0.0.1", GLOUGLOU_ANALY_DEFAULT_PORT,
+ ggcli = gg_client_connect(_ev_base, gg_serv_ip, gg_serv_port,
 NULL, _cb_packet, NULL);
 if (!ggcli)
 goto quit;
diff --git a/gg_map/glouglou_localsniff.sh b/gg_map/glouglou_localsniff.sh
new file mode 100755
index 0000000..75d9cdd
--- /dev/null
+++ b/gg_map/glouglou_localsniff.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Wrapper script to visualize network activity on local machine
+
+PATH="./:$PATH" # for pkg
+
+glougloud=`which glougloud`
+gg_sniff=`which gg_sniff`
+gg_map=`which gg_map`
+iface=${1-"eth0"}
+
+if [ -z "$glougloud" -o -z "$gg_sniff" -o -z "$gg_map" ]; then
+ echo "instalation incomplete (glougloud, gg_sniff, gg_map)"
+ exit 1
+fi
+
+tmux start \;\
+ new-session -d -s glouglou \;\
+ neww -n "glougloud" "sudo $glougloud -v; bash" \;\
+ neww -n "gg_sniff" "sudo $gg_sniff -v -i $iface" \;\
+ neww -n "gg_map" "gg_map" \;\
+ attach-session -t glouglou
+
diff --git a/gg_sniff/README.txt b/gg_sniff/README.txt
index 2a43d02..fddbb3f 100644
--- a/gg_sniff/README.txt
+++ b/gg_sniff/README.txt
@@ -1,7 +1,5 @@
 gg_sniff - glouglou probe client for network activity
 
-WARNING: Work in progress, don't expect this to work !
-
 Requirements
 ============
 
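Review bot: `PATH="./:$PATH"` in glouglou_localsniff.sh puts the current working directory first on the lookup path, and the binaries that `which` then resolves are run under `sudo`, so a file named glougloud or gg_sniff in whatever directory the user launches the script from is executed as root. Prefer the script's own directory, `PATH="$(dirname "$0"):$PATH" # for pkg`, which still serves the packaged layout the comment refers to. The gg_map window also runs a bare `gg_map` instead of the resolved `$gg_map`, and `$iface` is passed unquoted; `neww -n "gg_map" "$gg_map" \;\` fixes the former. The error message has a typo as well: `instalation` should read `installation`.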
@@ -13,14 +11,28 @@ Requirements
 Installation
 ============
 
-git clone git@meg:glouglou
-cd gg_sniff
 make && sudo make install
 
 Usage
 =====
 
-gg_sniff -i eth0
+sudo gg_sniff
+
+sudo gg_sniff -i eth0
+
+sudo gg_sniff -i eth0 10.137.2.9
+
+sudo gg_sniff -v -f "not port 4430 and not port 4431 and net 10.137.2.0/24" 10.137.2.9
+
+(10.137.2.9 is where glougloud is)
+
+Notes on capture
+================
+
+By default gg_sniff captures on any interfaces (works on Linux only).
+By default the capture filter is "not port 4430 and not port 4431 and not port 53".
+You can change it via -f, but dont forget to keep filtering out port 4430 and
+port 4431 because those are the ports used by glouglou itself !
 
 Notes on architecture and security
 ==================================
diff --git a/gg_sniff/gg_sniff.c b/gg_sniff/gg_sniff.c
index cd2d2c5..8ee6de1 100644
--- a/gg_sniff/gg_sniff.c
+++ b/gg_sniff/gg_sniff.c
@@ -39,7 +39,7 @@ usage(void)
 {
 extern char *__progname;
 
- fprintf(stderr, "usage: %s [-hv] [-i interface] [ip [port]]\n", __progname);
+ fprintf(stderr, "usage: %s [-hv] [-f filter] [-i interface] [ip [port]]\n", __progname);
 exit(1);
 }
 
@@ -60,6 +60,7 @@ main(int argc, char **argv)
 struct event *ev_sigint, *ev_sigterm, *ev_sigchld, *ev_sighup;
 char ggserv_ip[30] = "127.0.0.1";
 char *iface = NULL;
+ char *filter = NULL;
 int ggserv_port = GLOUGLOU_PROBE_DEFAULT_PORT;
 int pcap_init = 0;
 int loglevel = 0;
@@ -70,11 +71,14 @@ main(int argc, char **argv)
 if (geteuid() != 0)
 errx(1, "must be root");
 
- while ((op = getopt(argc, argv, "ahi:v")) != -1) {
+ while ((op = getopt(argc, argv, "af:hi:v")) != -1) {
 switch (op) {
 case 'a':
 active = 1;
 break;
+ case 'f':
+ filter = strndup(optarg, 256);
+ break;
 case 'h':
 usage();
 /* NOTREACHED */
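Review bot: `filter = strndup(optarg, 256);` in the new `case 'f'` arm neither checks for a NULL return nor tells the user when the expression was cut at 256 bytes, and a silently truncated BPF expression is a different capture filter from the one requested; the README in this same commit says the glouglou ports must stay excluded, so a truncation that drops that clause would have the probe capture its own traffic. `pcap_compile` accepts any length, so `if ((filter = strdup(optarg)) == NULL) err(1, "strdup");` is enough, and if a bound is wanted the overlong input should be rejected with `errx` rather than shortened. `main` continues outside this hunk.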
@@ -90,8 +94,8 @@ main(int argc, char **argv)
 }
 }
 switch (argc - optind) {
- case 2: ggserv_port = atoi(argv[3]);
- case 1: strncpy(ggserv_ip, argv[2], sizeof(ggserv_ip));
+ case 2: ggserv_port = atoi(argv[optind+1]);
+ case 1: strncpy(ggserv_ip, argv[optind], sizeof(ggserv_ip));
 case 0:
 break;
 default:
@@ -110,7 +114,7 @@ main(int argc, char **argv)
 ggcli = gg_client_connect(_ev_base, ggserv_ip, ggserv_port,
 NULL, NULL, NULL);
 if (!ggcli)
 goto quit;
- pcap_init = ggsniff_pcap_init(_ev_base, ggcli, net, iface, active);
+ pcap_init = ggsniff_pcap_init(_ev_base, ggcli, net, iface, active, filter);
 if (!pcap_init)
 goto quit;
diff --git a/gg_sniff/gg_sniff.h b/gg_sniff/gg_sniff.h
index f848c88..5cbd1fd 100644
--- a/gg_sniff/gg_sniff.h
+++ b/gg_sniff/gg_sniff.h
@@ -1,5 +1,5 @@
 /* pcap.c */
 int ggsniff_pcap_init(struct event_base *, struct gg_client *,
- struct ggnet *, char *, int);
+ struct ggnet *, char *, int, char *);
 void ggsniff_pcap_shutdown(void);
 
diff --git a/gg_sniff/pcap.c b/gg_sniff/pcap.c
index fc5b978..7456e67 100644
--- a/gg_sniff/pcap.c
+++ b/gg_sniff/pcap.c
@@ -99,7 +99,7 @@ static struct _cap_t _cap;
 
 int
 ggsniff_pcap_init(struct event_base *ev_base, struct gg_client *ggcli,
- struct ggnet *net, char *iface, int active)
+ struct ggnet *net, char *iface, int active, char *filter)
 {
 char errbuf[PCAP_ERRBUF_SIZE];
 struct bpf_program bprog;
@@ -115,9 +115,11 @@ ggsniff_pcap_init(struct event_base *ev_base, struct gg_client *ggcli,
 err(1, "capture: pcap_open_live failed on interface %s\n"
 "with snaplen %d : %s", iface, PCAP_SNAPLEN, errbuf);
 
- if (pcap_compile(pcap, &bprog, PCAP_FILTER, 0, 0) < 0)
+ if (!filter)
+ filter = strndup(PCAP_FILTER, 256);
+ if (pcap_compile(pcap, &bprog, filter, 0, 0) < 0)
 err(1, "capture: pcap_compile failed with filter %s : %s",
- PCAP_FILTER, pcap_geterr(pcap));
+ filter, pcap_geterr(pcap));
 
 if (pcap_setfilter(pcap, &bprog) < 0)
 err(1, "capture: pcap_setfilter failed : %s", pcap_geterr(pcap));
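Review bot: The rewritten `case 1` still uses `strncpy(ggserv_ip, argv[optind], sizeof(ggserv_ip))`, which leaves `ggserv_ip` without a terminator when the argument is 30 bytes or longer, and `case 2` accepts whatever `atoi` returns as a port. `snprintf(ggserv_ip, sizeof(ggserv_ip), "%s", argv[optind]);` always terminates, and parsing the port with `strtol` plus a 1–65535 range check would reject bad input before `gg_client_connect` sees it. The two fall-throughs are presumably intended and would read better with a `/* FALLTHROUGH */` comment each. `main` starts and ends outside this hunk.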
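Review bot: `filter = strndup(PCAP_FILTER, 256);` in the `ggsniff_pcap_init` hunk is unchecked, so an allocation failure hands a NULL expression to `pcap_compile`, and the copy is never released. Since the default is a compile-time constant there is no reason to copy it: `if (!filter) filter = PCAP_FILTER;` (current libpcap declares the `pcap_compile` expression as `const char *`; if the targeted version still says `char *`, a cast is still cheaper than an allocation). A user-supplied `-f` replaces the default wholesale, so the exclusion of glouglou's own ports that the README in this commit tells users to keep is not enforced anywhere in code; wrapping the user expression as `"(%s) and not port 4430 and not port 4431"`, or at least a comment at this call site stating that the caller is trusted to keep those clauses, would keep the probe from capturing its own traffic. `ggsniff_pcap_init` continues past the hunk, so I cannot see whether `bprog` is freed with `pcap_freecode`.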
@@ -284,7 +286,7 @@ my_pcap_open_live(const char *dev, int slen, int promisc, int to_ms,
 static void
 cb_pcap(int fd, short why, void *data)
 {
- gg_log_tmp("cb_pcap");
+ //gg_log_tmp("cb_pcap");
 pcap_dispatch(_cap.pcap, PCAP_COUNT, _cap.handler, NULL);
 
 /* reschedule */
@@ -492,7 +494,7 @@ ip_handle(struct ip *ip, const u_char *pend, u_int wirelen)
 * if this isn't the first frag, we're missing the
 * next level protocol header.
 */
- gg_log_tmp("user: got a fragmented ip packet !");
+ gg_log_debug("user: got a fragmented ip packet !");
 }
 
 pkt.ver = PACKET_VERSION;
@@ -547,16 +549,16 @@ ether_handle(struct ether_header *ether, const u_char *pend, u_int wirelen)
 ether_type = ntohs(ether->ether_type);
 
 if (ether_type <= ETHERMTU)
- gg_log_tmp("llc packet !");
+ gg_log_debug("llc packet !");
 else {
 switch (ether_type) {
 case ETHERTYPE_IP:
- gg_log_tmp("loop family AF_LINK IP");
+ gg_log_debug("loop family AF_LINK IP");
 ip = (struct ip *)((u_char *)ether + sizeof(struct ether_header));
 ip_handle(ip, pend, wirelen);
 break;
 default:
- gg_log_tmp("loop non ip packet !");
+ gg_log_debug("loop non ip packet !");
 break;
 }
 }
@@ -630,7 +632,7 @@ phandler_sll(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 ep = (struct ether_header *)((u_char *)p + SLL_HDR_LEN);
 ether_handle(ep, pend, len);
 default:
- gg_log_tmp("unknown family %x !", family);
+ gg_log_debug("unknown family %x !", family);
 break;
 }
 } else {
@@ -667,7 +669,7 @@ phandler_loop(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 family = ntohl(family);
 switch (family) {
 case AF_INET:
- gg_log_tmp("loop family AF_INET");
+ gg_log_debug("loop family AF_INET");
 ip = (struct ip *)(p + NULL_HDRLEN);
 ip_handle(ip, pend, len);
 break;
@@ -676,7 +678,7 @@ phandler_loop(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 ether_handle(ep, pend, len);
 break;
 default:
- gg_log_tmp("unknown family %x !", family);
+ gg_log_debug("unknown family %x !", family);
 break;
 }
 }
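Review bot: In the `phandler_sll` hunk, `ether_handle(ep, pend, len);` is immediately followed by `default:` with no `break`, so every frame that was just dispatched to `ether_handle` also logs `unknown family %x !` through the renamed `gg_log_debug`; unless the fall-through is deliberate, add `break;` after the `ether_handle` call, as the `phandler_loop` hunk below already does. The `case` label and the rest of `phandler_sll` lie before this hunk, so I cannot see which family the dispatched branch handles.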
diff --git a/glougloud/glougloud.c b/glougloud/glougloud.c
index 2a87492..e868e29 100644
--- a/glougloud/glougloud.c
+++ b/glougloud/glougloud.c
@@ -37,7 +37,8 @@ usage(void)
 {
 extern char *__progname;
 
- fprintf(stderr, "usage: %s [-hi]\n", __progname);
+ fprintf(stderr, "usage: %s [-hv] [-l probes_ip] [-L analysers_ip]\n"
+ "\t\t[-p probes_port] [-P analysers_port]\n", __progname);
 exit(1);
 }
 
@@ -53,14 +54,30 @@ int
 main(int argc, char **argv)
 {
 struct event *ev_sigint, *ev_sigterm, *ev_sigchld, *ev_sighup;
+ char probes_ip[30] = "127.0.0.1";
+ char analysers_ip[30] = "127.0.0.1";
+ int probes_port = GLOUGLOU_PROBE_DEFAULT_PORT;
+ int analysers_port = GLOUGLOU_ANALY_DEFAULT_PORT;
 int loglevel = 0;
 int op;
 
- while ((op = getopt(argc, argv, "hv")) != -1) {
+ while ((op = getopt(argc, argv, "hl:L:p:P:v")) != -1) {
 switch (op) {
 case 'h':
 usage();
 /* NOTREACHED */
+ case 'l':
+ strncpy(probes_ip, optarg, sizeof(probes_ip));
+ break;
+ case 'L':
+ strncpy(analysers_ip, optarg, sizeof(analysers_ip));
+ break;
+ case 'p':
+ probes_port = atoi(optarg);
+ break;
+ case 'P':
+ analysers_port = atoi(optarg);
+ break;
 case 'v':
 loglevel++;
 break;
@@ -89,9 +106,9 @@ main(int argc, char **argv)
 evsignal_add(ev_sighup, NULL);
 signal(SIGPIPE, SIG_IGN);
 
- ggserv_probes = gg_server_start(ev_base, "127.0.0.1", GLOUGLOU_PROBE_DEFAULT_PORT,
+ ggserv_probes = gg_server_start(ev_base, probes_ip, probes_port,
 prb_handle_conn, prb_handle_packet, NULL);
- ggserv_analysers = gg_server_start(ev_base, "127.0.0.1", GLOUGLOU_ANALY_DEFAULT_PORT,
+ ggserv_analysers = gg_server_start(ev_base, analysers_ip, analysers_port,
 cli_handle_conn, cli_handle_packet, NULL);
 
 event_base_dispatch(ev_base); |
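Review bot: The new `-l`/`-L` arms copy `optarg` with `strncpy(probes_ip, optarg, sizeof(probes_ip))`, which leaves the 30-byte buffer unterminated for an address 30 characters or longer, and `-p`/`-P` accept whatever `atoi` returns as a port. Use `snprintf(probes_ip, sizeof(probes_ip), "%s", optarg);` (and the same for `analysers_ip`), and parse the ports with `strtol` plus a range check so a bad value fails at the command line rather than inside `gg_server_start`. Since these options move the two listeners off 127.0.0.1, the usage string could state the default, e.g. `[-l probes_ip (default 127.0.0.1)]`, so an operator sees that another address exposes the probe and analyser ports to the network. `main` continues beyond the hunk.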