Hi
A "ping -c 3 www.cw.com" produces 3 packets of 84 bytes each for input and output,
according to ethereal and iptables. But not according to ntop:
#42# processIpPkt: length=98 ip_len=84 src=192.168.230.11 dst=192.168.230.11
#42# processIpPkt: length=98 ip_len=84 src=204.71.140.70 dst=204.71.140.70
In pbuf.c the function processIpPkt uses the variable "length" which
contains the number of *ethernet* (or generally layer#2) bytes and not
IP (layer#3) bytes.
I don't know if that's ok or not, but passing this number to the Netflow
exporter functions is definitely not ok, as Netflow is an IP-layer
accounting tool.
Attached, you will find a patch. Please check it, too, as I'm neither a
good C coder nor do I have a deep understanding of the source :-) But it works.
TCP might not be correct yet; I'm still trying to figure that out, as
it works differently from UDP/ICMP/OTHER. You can omit the part between the
"/* #42# */" markers; it's just for debugging purposes.
A related question: is this really correct:
pbuf.c: processIpPkt():
case IPPROTO_TCP:
myGlobals.device[actualDeviceId].tcpBytes += tcpUdpLen;
Adding a variable called tcpUdpLen to a counter called tcpBytes seems strange.
Please tell me what you think as I originally wanted to have this
thing in production by today and now am a bit in hurry to get it work.
bye,
-christian-
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
--- pbuf.c.orig Tue Apr 9 17:07:47 2002
+++ pbuf.c Tue Apr 9 17:28:24 2002
@@ -612,8 +612,6 @@
struct timeval tvstrct;
u_char *theData;
- myGlobals.device[actualDeviceId].ipBytes += length;
myGlobals.device[actualDeviceId].ipPkts++;
-
/* Need to copy this over in case bp isn't properly aligned.
* This occurs on SunOS 4.x at least.
* Paul D. Smith <[EMAIL PROTECTED]>
@@ -621,6 +619,14 @@
memcpy(&ip, bp, sizeof(struct ip));
hlen = (u_int)ip.ip_hl * 4;
+ myGlobals.device[actualDeviceId].ipBytes += ntohs(ip.ip_len);
+myGlobals.device[actualDeviceId].ipPkts++;
+
+ /* #42# */
+ if(ip.ip_p == IPPROTO_ICMP) {
+ printf("#42# processIpPkt: length=%u ip_len=%lu src=%s dst=%s\n", length,
+ntohs(ip.ip_len), inet_ntoa(ip.ip_src), inet_ntoa(ip.ip_dst));
+ }
+ /* #42# */
+
if((bp != NULL) && (in_cksum((const u_short *)bp, hlen, 0) != 0)) {
myGlobals.device[actualDeviceId].rcvdPktStats.badChecksum++;
}
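Review bot: The two `inet_ntoa()` calls in the `#42#` printf share one static buffer, so both `%s` arguments end up pointing at the same string by the time printf reads them — which is why the sample output quoted above shows src equal to dst for every packet. Copy the first result before the second call, e.g. `char src[INET_ADDRSTRLEN]; snprintf(src, sizeof src, "%s", inet_ntoa(ip.ip_src));` and then print `src` and `inet_ntoa(ip.ip_dst)` separately; the `%lu` conversion is also wrong for `ntohs(ip.ip_len)`, which promotes to an int-sized value, so use `%u` with `(unsigned)ntohs(ip.ip_len)` to avoid undefined behaviour in the variadic call. Separately, `ip.ip_len` is a header field taken straight off the wire and is now credited to `ipBytes` before `in_cksum()` validates the header a few lines later, so a packet carrying a bogus `ip_len` inflates the device counters and the exported flows; since the IP datagram presumably cannot be longer than the frame that carried it, a cheap sanity check is `if (ntohs(ip.ip_len) > length) { /* malformed: count it as such and do not credit ip_len */ }`. processIpPkt starts before this hunk and continues after it.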
@@ -1121,7 +1127,7 @@
dport, udpDataLength,
(u_char*)(bp+hlen+sizeof(struct udphdr)), actualDeviceId);
- sendUDPflow(srcHost, dstHost, sport, dport, length, actualDeviceId);
+ sendUDPflow(srcHost, dstHost, sport, dport, ntohs(ip.ip_len), actualDeviceId);
+
}
}
break;
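Review bot: `ntohs(ip.ip_len)` is now recomputed at every export call site — here and again in the ICMP, OSPF, IGMP and default cases below — although `ip` is parsed exactly once right after the `memcpy` into it; compute it once there, `u_short ipLen = ntohs(ip.ip_len);`, and pass `ipLen` to `sendUDPflow`, `sendICMPflow` and the three `sendOTHERflow` calls so the exporter and the device counters are guaranteed to see the same value. The blank line added after the `sendUDPflow` call is stray whitespace. The TCP case is not in the diff; if its export still passes `length`, the NetFlow records remain a mix of layer-2 and layer-3 byte counts across protocols. The enclosing switch starts and ends outside this hunk.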
@@ -1307,7 +1313,7 @@
if(myGlobals.enableSuspiciousPacketDump) dumpSuspiciousPacket(actualDeviceId);
}
- sendICMPflow(srcHost, dstHost, length, actualDeviceId);
+ sendICMPflow(srcHost, dstHost, ntohs(ip.ip_len), actualDeviceId);
}
break;
@@ -1316,7 +1322,7 @@
myGlobals.device[actualDeviceId].ospfBytes += length;
srcHost->ospfSent += length;
dstHost->ospfRcvd += length;
- sendOTHERflow(srcHost, dstHost, ip.ip_p, length, actualDeviceId);
+ sendOTHERflow(srcHost, dstHost, ip.ip_p, ntohs(ip.ip_len), actualDeviceId);
break;
case IPPROTO_IGMP:
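Review bot: The context lines of this hunk still accumulate the layer-2 `length` into `ospfBytes`, `ospfSent` and `ospfRcvd` while the flow handed to `sendOTHERflow` on the next line now carries `ntohs(ip.ip_len)`; the IGMP and default cases below have the same split (`igmpBytes`/`igmpSent`/`igmpRcvd` and `otherSent`/`otherRcvd` keep `length`). Since the device-level `ipBytes` now uses `ip_len` as well, the per-protocol byte counters are no longer in the same unit as the total they are meant to break down, so they should either switch to the same `ip_len` value or get a comment such as `/* per-protocol counters are frame (layer-2) bytes, ipBytes and exported flows are IP (layer-3) bytes */` stating the difference deliberately. The enclosing switch starts and ends outside this hunk.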
@@ -1324,7 +1330,7 @@
myGlobals.device[actualDeviceId].igmpBytes += length;
srcHost->igmpSent += length;
dstHost->igmpRcvd += length;
- sendOTHERflow(srcHost, dstHost, ip.ip_p, length, actualDeviceId);
+ sendOTHERflow(srcHost, dstHost, ip.ip_p, ntohs(ip.ip_len), actualDeviceId);
break;
default:
@@ -1333,7 +1339,7 @@
sport = dport = 0;
srcHost->otherSent += length;
dstHost->otherRcvd += length;
- sendOTHERflow(srcHost, dstHost, ip.ip_p, length, actualDeviceId);
+ sendOTHERflow(srcHost, dstHost, ip.ip_p, ntohs(ip.ip_len), actualDeviceId);
break;
}