
Guesser.cc

#include <iostream>
#include "IPv4TCPCapture.h"
#include "Guesser.h"

// Builds an empty Guesser; the packet table starts with no entries and is
// only filled by addPacket().
Guesser::Guesser() {}

// Releases every packet copy still held in the table. The table stores raw
// owning pointers, so each one must be deleted before the entries go away.
Guesser::~Guesser()
{
      for( pktmap::iterator entry = hash.begin(); entry != hash.end(); ++entry )
            delete entry->second;

      // All pointees are freed; drop the now-dangling entries in one step.
      hash.clear();
}

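// Feeds one captured packet to the guesser, which tries to detect TCP
// connections that were already established before capturing started.
//
// The table keeps at most one heap-allocated copy of a packet per socket
// pair. When a second packet for the same pair arrives from the opposite
// end less than 60 seconds (by capture timestamp) after the stored one, a
// connection is reported.
//
// p: the captured packet; it is copied when it has to be kept.
//
// Returns a newly allocated TCPConnection that the caller owns, or NULL
// when this packet does not (yet) reveal a connection.
TCPConnection * Guesser::addPacket( IPv4TCPCapture &p )
{
      // TODO: there should be a thread or something that periodically
      // checks hash for the age of the packets it contains and removes
      // old stuff.
      // NOTE(review): until that exists, an entry only leaves the table
      // on FIN/RST or when a second packet arrives for the same socket
      // pair. Table contents are driven by captured traffic, so memory
      // use is unbounded when many distinct socket pairs are seen once.

      // TCP Packets with the following flags set will not trigger the
      // detection of a new connection.
      if( p.ipv4().tcp().syn() )
            return NULL;
      if( p.ipv4().tcp().ece() )
            return NULL;
      if( p.ipv4().tcp().fin() || p.ipv4().tcp().rst() )
      {
            // The table owns the stored packet copy. Erasing the entry
            // alone would leak it, so free the copy before erasing.
            pktmap::iterator stale = hash.find(p.ipv4().sockpair());
            if( stale != hash.end() )
            {
                  delete stale->second;
                  hash.erase(stale);
            }
            return NULL;
      }

      pktmap::iterator found = hash.find(p.ipv4().sockpair());
      if( found == hash.end() || found->second == NULL )
      {
            // no packets received yet for this connection
            IPv4TCPCapture *cp = new IPv4TCPCapture(p);
            hash[cp->ipv4().sockpair()] = cp;
            return NULL;
      }

      // already received a packet for this connection.
      // take the old one out of the table; from here on this function
      // owns ocp and must delete it on every path.
      IPv4TCPCapture *ocp = found->second;
      hash.erase(found);

      // The old packet must have come from the other end (its source is
      // this packet's destination) and be less than 60 seconds older.
      // NOTE(review): this only works if sockpair() yields the same key
      // for both directions of a connection; confirm in its definition.
      // NOTE(review): a packet with an earlier timestamp than the stored
      // one gives a negative difference and also passes the age test.
      if(    ( ocp->ipv4().srcAddr() == p.ipv4().dstAddr() )
          && ( ocp->ipv4().tcp().srcPort() == p.ipv4().tcp().dstPort() )
          && ( p.timestamp().tv_sec-ocp->timestamp().tv_sec < 60 ) )
      {
            TCPConnection *nc;

            // Currently a TCPConnection expects to be built from a packet
            // that is going from the client to the server. This is because
            // the client initiates the connection and TCPConnection
            // was originally coded to only accept the initial SYN packet
            // to its constructor. At some point this logic may be
            // moved into the TCPConnection constructor.

            // crude way to guess at which end is the client:
            // whichever end has the higher port number is taken to be the
            // client, so the packet sent from that port is used.
            // TODO: can this cli/server guessing be made more intelligent?
            if( p.ipv4().tcp().srcPort() > p.ipv4().tcp().dstPort() )
            {
                  // this packet might be the one we saw that went from
                  // client->server.
                  nc = new TCPConnection(p);
            }
            else
            {
                  // if not, maybe it was this other packet.
                  nc = new TCPConnection(*ocp);
            }

            delete ocp;
            return nc;
      }

      // Not a usable pair: remember the newer packet in place of the old.
      hash[ocp->ipv4().sockpair()] = new IPv4TCPCapture(p);
      delete ocp;
      return NULL;
}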
