Ethereal-dev: [Ethereal-dev] Patch for Sebek V3

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Camilo Viecco <cviecco@xxxxxxxxxxx>
Date: Wed, 01 Mar 2006 08:53:26 -0500
Hello all

I just made some modifications to the current Sebek dissector so it can
understand both Sebek V2 and V3 packets.
Previously it was limited to version 2 only.

Camilo Viecco


Index: packet-sebek.c
===================================================================
--- packet-sebek.c	(revision 17421)
+++ packet-sebek.c	(working copy)
@@ -1,5 +1,7 @@
 /* packet-sebek.c
  * Routines for Sebek - Kernel based data capture - packet dissection
+ * Modified to add sebek V3 
+ * Copyright 2006, Camilo Viecco <cviecco@xxxxxxxxxxx>
  * Copyright 1999, Nathan Neulinger <nneul@xxxxxxx>
  *
  * See: http://project.honeynet.org/tools/sebek/ for more details
@@ -40,9 +42,11 @@
 #include <epan/addr_resolv.h>
 
 /*
+  Sebek v2:
+
         IP address:     32bit unsigned
         MAGIC Val:      32bit unsigned
-        Sebek Ver:      16bit unsigned
+        Sebek Ver:      16bit unsigned    #value must match 2
         Type            16bit unsigned
         Counter:        32bit unsigned
         Time_sec:       32bit unsigned
@@ -55,6 +59,33 @@
 
         Data:           Variable Length data
 
+
+  Sebek v3 header
+        IP address:     32bit unsigned
+        MAGIC Val:      32bit unsigned
+        Sebek Ver:      16bit unsigned    #value must match 3
+        Type            16bit unsigned
+        Counter:        32bit unsigned
+        Time_sec:       32bit unsigned
+        Time_usec:      32bit unsigned
+        Parent_pid:     32bit unsigned
+        Proc ID:        32bit unsigned
+        User ID:        32bit unsigned
+        File Desc:      32bit unsigned
+        inode:          32bit unsigned
+        Command:        12char array
+        Length:         Data Length
+        Data:           Variable data length
+
+    Sebekv3 has a sock_socket_record subheader for IPV4:
+        Dest_ip:         32bit unsigned
+        Dest_port:       16bit unsigned
+        Src_ip:          32bit unsigned
+        src_port:        16bit unsigned
+        call:            16bit unsigned
+        proto             8bit unsigned
+       
+
  *
  */
 
@@ -74,7 +105,16 @@
 static int hf_sebek_cmd = -1;
 static int hf_sebek_len = -1;
 static int hf_sebek_data = -1;
+static int hf_sebek_ppid = -1;
+static int hf_sebek_inode = -1;
+static int hf_sebek_socket_src_ip=-1;
+static int hf_sebek_socket_src_port=-1;
+static int hf_sebek_socket_dst_ip=-1;
+static int hf_sebek_socket_dst_port=-1;
+static int hf_sebek_socket_call=-1;
+static int hf_sebek_socket_proto=-1;
 
+
 static gint ett_sebek = -1;
 
 /* dissect_sebek - dissects sebek packet data
@@ -90,6 +130,11 @@
 	int offset = 0;
 	int datalen = 0;
 	nstime_t ts;
+        int sebek_ver=0;
+	int sebek_type=0;
+        int cmd_len=0;
+        char tmp_str[257];
+        tmp_str[256]=0;
 	
 	if (check_col(pinfo->cinfo, COL_PROTOCOL))
 		col_set_str(pinfo->cinfo, COL_PROTOCOL, "SEBEK");
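Review bot: `char tmp_str[257];` and `tmp_str[256]=0;` are dead: the only uses of tmp_str in the patch are inside commented-out tvb_get_nstringz/fprintf debugging lines, so the buffer just adds 257 bytes of stack per packet; drop both lines together with the commented-out debug code. The new declarations also mix spaces and tabs with the surrounding tab-indented lines, which makes the hunk harder to read in the tree. dissect_sebek's signature is outside this hunk.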
@@ -98,52 +143,160 @@
 	{
 		col_clear(pinfo->cinfo, COL_INFO);
 		col_set_str(pinfo->cinfo, COL_INFO, "SEBEK - ");
-		col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
-		col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
-		col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
-		col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
+              
+		if (tvb->length<6)
+                        {sebek_ver=0;}
+                else{sebek_ver=tvb_get_ntohs(tvb,4);};
+                /*next line for debug*/
+                /*sebek_ver=2;*/
+                switch(sebek_ver){
+			case 2:	col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 20));
+				col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 24));
+				col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 28));
+				col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 32, 12));
+				break;
+			case 3:	col_append_fstr(pinfo->cinfo, COL_INFO, " pid(%d)", tvb_get_ntohl(tvb, 24));
+                                col_append_fstr(pinfo->cinfo, COL_INFO, " uid(%d)", tvb_get_ntohl(tvb, 28));
+                                col_append_fstr(pinfo->cinfo, COL_INFO, " fd(%d)", tvb_get_ntohl(tvb, 32));
+                                cmd_len=tvb_strnlen(tvb,40,12);
+                                if(cmd_len<0){cmd_len=0;};
+                                col_append_fstr(pinfo->cinfo, COL_INFO, " cmd: %s", tvb_format_text(tvb, 40, cmd_len));
+				break;
+			default:/*nop but to make some compilers happy*/
+				sebek_ver=sebek_ver;
+				break;
+                }
 	}
 
 
 	if (tree) {
-		/* Adding NTP item and subtree */
+		/* Adding Sebek item and subtree */
 		ti = proto_tree_add_item(tree, proto_sebek, tvb, 0, -1, FALSE);
 		sebek_tree = proto_item_add_subtree(ti, ett_sebek);
 
-		proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
-		offset += 4;
+                /* check for minimum lenght before deciding where to go*/
+               if (tvb->length<6) 
+			{sebek_ver=0;}
+		else{sebek_ver=tvb_get_ntohs(tvb,4);};
+                /*next line for debug*/
+                /*sebek_ver=2;*/
+                /*if version ==2 */
+                switch(sebek_ver){
+                        case 2: proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
-		offset += 2;
+                                proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
+                                offset += 2;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
-		offset += 2;
+                                proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
+                                offset += 2;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
-		offset += 4;
+                                proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		ts.secs = tvb_get_ntohl(tvb, offset);
-		ts.nsecs = tvb_get_ntohl(tvb, offset+4);
-		proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
-		offset += 8; 
+                                ts.secs = tvb_get_ntohl(tvb, offset);
+                                ts.nsecs = tvb_get_ntohl(tvb, offset+4);
+                                proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
+                                offset += 8;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
-		offset += 4;
+                                proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
-		offset += 4;
+                                proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
-		offset += 4;
+                                proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
-		offset += 12;
+                                proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
+                                offset += 12;
 
-		datalen = tvb_get_letohl(tvb, offset);
-		proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
-		offset += 4;
+                                datalen = tvb_get_letohl(tvb, offset);
+                                proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
+                                offset += 4;
 
-		proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
+				proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
+
+
+                                break;
+
+			case 3:	proto_tree_add_item(sebek_tree, hf_sebek_magic, tvb, offset, 4, FALSE);
+				offset += 4;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_version, tvb, offset, 2, FALSE);
+				offset += 2;
+
+				sebek_type=tvb_get_ntohs(tvb, offset);
+				proto_tree_add_item(sebek_tree, hf_sebek_type, tvb, offset, 2, FALSE);
+				offset += 2;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_counter, tvb, offset, 4, FALSE);
+				offset += 4;
+
+				ts.secs = tvb_get_ntohl(tvb, offset);
+				ts.nsecs = tvb_get_ntohl(tvb, offset+4);
+				proto_tree_add_time(sebek_tree, hf_sebek_time, tvb, offset, 8, &ts);
+				offset += 8; 
+
+                                proto_tree_add_item(sebek_tree, hf_sebek_ppid, tvb, offset, 4, FALSE);
+                                offset += 4;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_pid, tvb, offset, 4, FALSE);
+				offset += 4;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_uid, tvb, offset, 4, FALSE);
+				offset += 4;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_fd, tvb, offset, 4, FALSE);
+				offset += 4;
+
+                                proto_tree_add_item(sebek_tree, hf_sebek_inode, tvb, offset, 4, FALSE);
+                                offset += 4;
+
+				proto_tree_add_item(sebek_tree, hf_sebek_cmd, tvb, offset, 12, FALSE);
+				offset += 12;
+
+				/*datalen = tvb_get_letohl(tvb, offset);*/
+                                datalen =tvb_get_ntohl(tvb,offset);
+				proto_tree_add_item(sebek_tree, hf_sebek_len, tvb, offset, 4, FALSE);
+				offset += 4;
+
+    				/*tvb_get_nstringz(tvb, offset, 255,tmp_str);*/
+                		/*fprintf(stderr,"datalen=%u, offset=%d remaining=%d, str=%s\n",datalen,offset,tvb_length_remaining(tvb,offset),tmp_str);*/
+               			
+				if(2==sebek_type){
+					/*data is socket data, process accordingly*/
+					proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_ip, tvb, offset, 4, FALSE);
+					offset +=4;
+                                        proto_tree_add_item(sebek_tree, hf_sebek_socket_dst_port, tvb, offset, 2, FALSE);
+                                        offset +=2;
+                                        proto_tree_add_item(sebek_tree, hf_sebek_socket_src_ip, tvb, offset, 4, FALSE);
+                                        offset +=4;
+                                        proto_tree_add_item(sebek_tree, hf_sebek_socket_src_port, tvb, offset, 2, FALSE);
+                                        offset +=2;
+                                        proto_tree_add_item(sebek_tree, hf_sebek_socket_call, tvb, offset, 2, FALSE);
+                                        offset +=2;
+                                        proto_tree_add_item(sebek_tree, hf_sebek_socket_proto, tvb, offset, 1, FALSE);
+                                        offset +=1;
+
+				}
+				else{
+                			proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);
+				}
+
+
+				break;
+
+
+			default:offset=offset; 
+				break;
+
+		}
+                /*tvb_get_nstringz(tvb, offset, 255,tmp_str);*/
+                /*fprintf(stderr,"datalen=%u, offset=%d remaining=%d, str=%s\n",datalen,offset,tvb_length_remaining(tvb,offset),tmp_str);*/
+
+		/*proto_tree_add_item(sebek_tree, hf_sebek_data, tvb, offset, -1, FALSE);*/
+
 		
 	}
 }
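Review bot: In the v3 COL_INFO branch, `if(cmd_len<0){cmd_len=0;};` turns a command that fills all 12 bytes without a NUL into an empty string, because tvb_strnlen returns -1 when no terminator is found within the limit; clamp to the field width instead, `if (cmd_len < 0) cmd_len = 12;`. Both the column and the tree path read the version through `tvb->length` rather than the tvbuff API (`tvb_length(tvb)`), and that 6-byte guard only protects the version read — every later tvb_get_* and proto_tree_add_item relies on the framework's bounds exception for short packets, which is normal for a dissector but deserves a one-line comment since Sebek traffic is attacker-observable input. `datalen` is read from the packet in both paths but never used: the data item is added with length -1 (everything remaining) and, for type 2, the 15-byte socket record is dissected without confirming datalen or the remaining length covers it, so a packet whose Length field disagrees with its payload is displayed as if consistent; at minimum bound the data item by datalen against tvb_length_remaining(tvb, offset) and flag the mismatch. The self-assignments `sebek_ver=sebek_ver;` and `offset=offset;`, and the commented-out fprintf lines, should be removed rather than left as compiler placation. dissect_sebek's signature and the start of its body are outside this hunk.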
@@ -182,10 +335,37 @@
 		{ &hf_sebek_len, {
 			"Data Length", "sebek.len", FT_UINT32, BASE_DEC,
 			NULL, 0, "Data Length", HFILL }},
-		{ &hf_sebek_data, {
-			"Data", "sebek.data", FT_STRING, 0,
-			NULL, 0, "Data", HFILL }},
-        };
+                { &hf_sebek_ppid, {
+                        "Parent Process ID", "sebek.ppid", FT_UINT32, BASE_DEC,
+                        NULL, 0, "Process ID", HFILL }},
+                { &hf_sebek_inode, {
+                        "Inode ID", "sebek.inode", FT_UINT32, BASE_DEC,
+                        NULL, 0, "Process ID", HFILL }},
+                { &hf_sebek_data, {
+                        "Data", "sebek.data", FT_STRING, 0,
+                        NULL, 0, "Data", HFILL }},
+
+                { &hf_sebek_socket_src_ip, {
+                        "Socket.local_ip", "sebek.socket.src_ip", FT_IPv4, 0,
+                        NULL, 0, "Socket.src_ip", HFILL }},
+                { &hf_sebek_socket_src_port, {
+                        "Socket.local_port", "sebek.socket.src_port", FT_UINT16, BASE_DEC,
+                        NULL, 0, "Socket.src_port", HFILL }},
+                { &hf_sebek_socket_dst_ip, {
+                        "Socket.remote_ip", "sebek.socket.dst_ip", FT_IPv4, 0,
+                        NULL, 0, "Socket.dst_ip", HFILL }},
+                { &hf_sebek_socket_dst_port, {
+                        "Socket.remote_port", "sebek.socket.dst_port", FT_UINT16, BASE_DEC,
+                        NULL, 0, "Socket.dst_port", HFILL }},
+                { &hf_sebek_socket_call, {
+                        "Socket.Call_id", "sebek.socket.call", FT_UINT16, BASE_DEC,
+                        NULL, 0, "Socket.call", HFILL }},
+                { &hf_sebek_socket_proto, {
+                        "Socket.ip_proto", "sebek.socket.ip_proto", FT_UINT8, BASE_DEC,
+                        NULL, 0, "Socket.ip_proto", HFILL }},
+
+
+       };
 	static gint *ett[] = {
 		&ett_sebek,
 	};
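Review bot: The blurb strings for hf_sebek_ppid and hf_sebek_inode were copied from the pid entry and both still read "Process ID", which is the text shown in the filter-field help; change them to `NULL, 0, "Parent Process ID", HFILL }},` and `NULL, 0, "Inode number", HFILL }},`. The socket entries also pair display names in one vocabulary ("Socket.local_ip", "Socket.remote_port") with filter names in another ("sebek.socket.src_ip", "sebek.socket.dst_port"); pick one so the tree label and the filter a user types agree.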