001: /*
002: * GNetWatch
003: * Copyright 2006, 2007 Alexandre Fenyo
004: * gnetwatch@fenyo.net
005: *
006: * This file is part of GNetWatch.
007: *
008: * GNetWatch is free software; you can redistribute it and/or modify
009: * it under the terms of the GNU General Public License as published by
010: * the Free Software Foundation; either version 2 of the License, or
011: * (at your option) any later version.
012: *
013: * GNetWatch is distributed in the hope that it will be useful,
014: * but WITHOUT ANY WARRANTY; without even the implied warranty of
015: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
016: * GNU General Public License for more details.
017: *
018: * You should have received a copy of the GNU General Public License
019: * along with GNetWatch; if not, write to the Free Software
020: * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
021: */
022:
023: package net.fenyo.gnetwatch.activities;
024:
025: import net.fenyo.gnetwatch.*;
026: import net.fenyo.gnetwatch.actions.ExternalCommand;
027: import net.fenyo.gnetwatch.data.EventReachable;
028:
029: import java.util.*;
030: import java.util.regex.Matcher;
031: import java.util.regex.Pattern;
032: import java.io.*;
033:
034: import org.apache.commons.logging.Log;
035: import org.apache.commons.logging.LogFactory;
036:
037: import org.dom4j.*;
038: import org.dom4j.io.*;
039:
040: /*
041: * XPATH doc: http://xmlfr.org/w3c/TR/xpath/
042: * XPATH ex.: IP src address : "string(//field[@name='ip.addr'][1]/@show)"
043: * PDML packet example:
044: <packet>
045: <proto name="geninfo" pos="0" showname="General information" size="74">
046: <field name="num" pos="0" show="1" showname="Number" value="1" size="74"/>
047: <field name="len" pos="0" show="74" showname="Packet Length" value="4a" size="74"/>
048: <field name="caplen" pos="0" show="74" showname="Captured Length" value="4a" size="74"/>
049: <field name="timestamp" pos="0" show="Dec 27, 2006 18:30:17.657143000" showname="Captured Time" value="1167240617.657143000" size="74"/>
050: </proto>
051: <proto name="frame" showname="Frame 1 (74 bytes on wire, 74 bytes captured)" size="74" pos="0">
052: <field name="frame.marked" showname="Frame is marked: False" hide="yes" size="0" pos="0" show="0"/>
053: <field name="frame.time" showname="Arrival Time: Dec 27, 2006 18:30:17.657143000" size="0" pos="0" show="Dec 27, 2006 18:30:17.657143000"/>
054: <field name="frame.time_delta" showname="Time delta from previous packet: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
055: <field name="frame.time_relative" showname="Time since reference or first frame: 0.000000000 seconds" size="0" pos="0" show="0.000000000"/>
056: <field name="frame.number" showname="Frame Number: 1" size="0" pos="0" show="1"/>
057: <field name="frame.pkt_len" showname="Packet Length: 74 bytes" size="0" pos="0" show="74"/>
058: <field name="frame.cap_len" showname="Capture Length: 74 bytes" size="0" pos="0" show="74"/>
059: <field name="frame.protocols" showname="Protocols in frame: eth:ip:tcp" size="0" pos="0" show="eth:ip:tcp"/>
060: </proto>
061: <proto name="eth" showname="Ethernet II, Src: Netgear_fb:43:4f (00:0f:b5:fb:43:4f), Dst: AsustekC_54:cf:69 (00:11:d8:54:cf:69)" size="14" pos="0">
062: <field name="eth.dst" showname="Destination: AsustekC_54:cf:69 (00:11:d8:54:cf:69)" size="6" pos="0" show="00:11:d8:54:cf:69" value="0011d854cf69"/>
063: <field name="eth.src" showname="Source: Netgear_fb:43:4f (00:0f:b5:fb:43:4f)" size="6" pos="6" show="00:0f:b5:fb:43:4f" value="000fb5fb434f"/>
064: <field name="eth.addr" showname="Source or Destination Address: AsustekC_54:cf:69 (00:11:d8:54:cf:69)" hide="yes" size="6" pos="0" show="00:11:d8:54:cf:69" value="0011d854cf69"/>
065: <field name="eth.addr" showname="Source or Destination Address: Netgear_fb:43:4f (00:0f:b5:fb:43:4f)" hide="yes" size="6" pos="6" show="00:0f:b5:fb:43:4f" value="000fb5fb434f"/>
066: <field name="eth.type" showname="Type: IP (0x0800)" size="2" pos="12" show="0x0800" value="0800"/>
067: </proto>
068: <proto name="ip" showname="Internet Protocol, Src: 192.168.0.53 (192.168.0.53), Dst: 192.168.0.29 (192.168.0.29)" size="20" pos="14">
069: <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
070: <field name="ip.hdr_len" showname="Header length: 20 bytes" size="1" pos="14" show="20" value="45"/>
071: <field name="ip.dsfield" showname="Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)" size="1" pos="15" show="0" value="00">
072: <field name="ip.dsfield.dscp" showname="0000 00.. = Differentiated Services Codepoint: Default (0x00)" size="1" pos="15" show="0x00" value="0" unmaskedvalue="00"/>
073: <field name="ip.dsfield.ect" showname=".... ..0. = ECN-Capable Transport (ECT): 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
074: <field name="ip.dsfield.ce" showname=".... ...0 = ECN-CE: 0" size="1" pos="15" show="0" value="0" unmaskedvalue="00"/>
075: </field>
076: <field name="ip.len" showname="Total Length: 60" size="2" pos="16" show="60" value="003c"/>
077: <field name="ip.id" showname="Identification: 0xad9f (44447)" size="2" pos="18" show="0xad9f" value="ad9f"/>
078: <field name="ip.flags" showname="Flags: 0x04 (Don't Fragment)" size="1" pos="20" show="0x04" value="40">
079: <field name="ip.flags.rb" showname="0... = Reserved bit: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="40"/>
080: <field name="ip.flags.df" showname=".1.. = Don't fragment: Set" size="1" pos="20" show="1" value="1" unmaskedvalue="40"/>
081: <field name="ip.flags.mf" showname="..0. = More fragments: Not set" size="1" pos="20" show="0" value="0" unmaskedvalue="40"/>
082: </field>
083: <field name="ip.frag_offset" showname="Fragment offset: 0" size="2" pos="20" show="0" value="4000"/>
084: <field name="ip.ttl" showname="Time to live: 64" size="1" pos="22" show="64" value="40"/>
085: <field name="ip.proto" showname="Protocol: TCP (0x06)" size="1" pos="23" show="0x06" value="06"/>
086: <field name="ip.checksum" showname="Header checksum: 0x0b7a [correct]" size="2" pos="24" show="0x0b7a" value="0b7a"/>
087: <field name="ip.src" showname="Source: 192.168.0.53 (192.168.0.53)" size="4" pos="26" show="192.168.0.53" value="c0a80035"/>
088: <field name="ip.addr" showname="Source or Destination Address: 192.168.0.53 (192.168.0.53)" hide="yes" size="4" pos="26" show="192.168.0.53" value="c0a80035"/>
089: <field name="ip.src_host" showname="Source Host: 192.168.0.53" hide="yes" size="4" pos="26" show="192.168.0.53" value="c0a80035"/>
090: <field name="ip.host" showname="Source or Destination Host: 192.168.0.53" hide="yes" size="4" pos="26" show="192.168.0.53" value="c0a80035"/>
091: <field name="ip.dst" showname="Destination: 192.168.0.29 (192.168.0.29)" size="4" pos="30" show="192.168.0.29" value="c0a8001d"/>
092: <field name="ip.addr" showname="Source or Destination Address: 192.168.0.29 (192.168.0.29)" hide="yes" size="4" pos="30" show="192.168.0.29" value="c0a8001d"/>
093: <field name="ip.dst_host" showname="Destination Host: 192.168.0.29" hide="yes" size="4" pos="30" show="192.168.0.29" value="c0a8001d"/>
094: <field name="ip.host" showname="Source or Destination Host: 192.168.0.29" hide="yes" size="4" pos="30" show="192.168.0.29" value="c0a8001d"/>
095: </proto>
096: <proto name="tcp" showname="Transmission Control Protocol, Src Port: 34604 (34604), Dst Port: 6001 (6001), Seq: 0, Ack: 0, Len: 0" size="40" pos="34">
097: <field name="tcp.srcport" showname="Source port: 34604 (34604)" size="2" pos="34" show="34604" value="872c"/>
098: <field name="tcp.dstport" showname="Destination port: 6001 (6001)" size="2" pos="36" show="6001" value="1771"/>
099: <field name="tcp.port" showname="Source or Destination Port: 34604" hide="yes" size="2" pos="34" show="34604" value="872c"/>
100: <field name="tcp.port" showname="Source or Destination Port: 6001" hide="yes" size="2" pos="36" show="6001" value="1771"/>
101: <field name="tcp.len" showname="TCP Segment Len: 0" hide="yes" size="4" pos="34" show="0" value="872c1771"/>
102: <field name="tcp.seq" showname="Sequence number: 0 (relative sequence number)" size="4" pos="38" show="0" value="d64b4fd4"/>
103: <field name="tcp.hdr_len" showname="Header length: 40 bytes" size="1" pos="46" show="40" value="a0"/>
104: <field name="tcp.flags" showname="Flags: 0x00c2 (SYN, ECN, CWR)" size="1" pos="47" show="0xc2" value="c2">
105: <field name="tcp.flags.cwr" showname="1... .... = Congestion Window Reduced (CWR): Set" size="1" pos="47" show="1" value="1" unmaskedvalue="c2"/>
106: <field name="tcp.flags.ecn" showname=".1.. .... = ECN-Echo: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="c2"/>
107: <field name="tcp.flags.urg" showname="..0. .... = Urgent: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="c2"/>
108: <field name="tcp.flags.ack" showname="...0 .... = Acknowledgment: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="c2"/>
109: <field name="tcp.flags.push" showname=".... 0... = Push: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="c2"/>
110: <field name="tcp.flags.reset" showname=".... .0.. = Reset: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="c2"/>
111: <field name="tcp.flags.syn" showname=".... ..1. = Syn: Set" size="1" pos="47" show="1" value="1" unmaskedvalue="c2"/>
112: <field name="tcp.flags.fin" showname=".... ...0 = Fin: Not set" size="1" pos="47" show="0" value="0" unmaskedvalue="c2"/>
113: </field>
114: <field name="tcp.window_size" showname="Window size: 5840" size="2" pos="48" show="5840" value="16d0"/>
115: <field name="tcp.checksum" showname="Checksum: 0xfd91 [correct]" size="2" pos="50" show="0xfd91" value="fd91"/>
116: <field show="Options: (20 bytes)" size="20" pos="54" value="020405b40402080a0a39e24b0000000001030300">
117: <field name="tcp.options.mss" showname="TCP MSS Option: True" hide="yes" size="4" pos="54" show="1" value="020405b4"/>
118: <field name="tcp.options.mss_val" showname="Maximum segment size: 1460 bytes" size="4" pos="54" show="1460" value="020405b4"/>
119: <field show="SACK permitted" size="2" pos="58" value="0402"/>
120: <field name="tcp.options.time_stamp" showname="TCP Time Stamp Option: True" hide="yes" size="10" pos="60" show="1" value="080a0a39e24b00000000"/>
121: <field show="Time stamp: tsval 171565643, tsecr 0" size="10" pos="60" value="080a0a39e24b00000000"/>
122: <field show="NOP" size="1" pos="70" value="01"/>
123: <field name="tcp.options.wscale" showname="TCP Window Scale Option: True" hide="yes" size="3" pos="71" show="1" value="030300"/>
124: <field name="tcp.options.wscale_val" showname="Window scale: 0 (multiply by 1)" size="3" pos="71" show="0" value="030300"/>
125: </field>
126: </proto>
127: </packet>
128: */
129:
130: /**
131: * This class captures Ethernet frames using tethereal on a single layer-2 interface.
132: * The frames are parsed with SAX.
133: * @author Alexandre Fenyo
134: * @version $Id: Capture.java,v 1.13 2007/03/09 22:44:21 fenyo Exp $
135: */
136:
137: public class Capture implements Runnable {
138: private static Log log = LogFactory.getLog(Capture.class);
139:
140: final SAXReader reader = new SAXReader();
141:
142: private final Config config;
143: private ExternalCommand cmd;
144: private CaptureManager manager;
145:
146: private boolean forked = false;
147:
148: private Thread capture_thread = null;
149:
150: private boolean must_end = false;
151:
152: /**
153: * Constructor.
154: * GUI thread.
155: * @param config configuration.
156: * @param manager capture manager this instance works for.
157: * @param device device this instance captures frames from.
158: * @param filter capture filter to apply.
159: */
160: // while debugging, sub processes may not die, so use the following DOS command line to terminate all running tethereal.exe :
161: // wmic process where Name='tethereal.exe' call terminate
162: public Capture(final Config config, final CaptureManager manager,
163: final int device, final String filter) {
164: this .config = config;
165: this .manager = manager;
166: // to convert device to a string, we use the following expression : "" + device
167: // cmd = new ExternalCommand(new String [] { "tethereal", "-i", "" + device, "-T", "psml" }, true);
168: cmd = new ExternalCommand(
169: new String[] { "tethereal", "-i", "" + device, "-T",
170: "pdml", "-R", "\"" + filter + "\"" }, true);
171: }
172:
173: /**
174: * Lists all available devices.
175: * @param none.
176: * @return list of device names.
177: * @throws InterruptedException exception.
178: */
179: // GUI thread
180: public static String[] listDevices() throws InterruptedException {
181: final String devices = new ExternalCommand(new String[] {
182: "tethereal", "-D" }, true).runStdout();
183: return devices == null ? null : devices.split("\n");
184: }
185:
186: /**
187: * Starts the capture thread.
188: * @param none.
189: * @return void.
190: */
191: // GUI thread
192: public void createCaptureThread() {
193: capture_thread = new Thread(this , "Capture Thread");
194: capture_thread.start();
195: }
196:
197: /**
198: * Stops the capture thread and waits for its end.
199: * @param none.
200: * @return void.
201: * @throws InterruptedException exception.
202: */
203: // if InterruptedException is thrown, the thread may not be ended
204: // GUI thread
205: public void end() throws InterruptedException {
206: must_end = true;
207: if (capture_thread != null) {
208: capture_thread.interrupt();
209: }
210:
211: while (!forked)
212: Thread.sleep(100);
213:
214: try {
215: cmd.end();
216: } catch (final IOException ex) {
217: log.error("Exception", ex);
218: }
219:
220: capture_thread.join();
221: }
222:
223: /**
224: * Gives the next frame to the manager.
225: * @param packet next frame.
226: * @return void.
227: * @throws DocumentException SAX parse exception.
228: */
229: // must be called from the Capture thread since SAXReader is not synchronized
230: // Capture thread
231: private void handlePacket(final StringBuffer packet)
232: throws DocumentException {
233: try {
234: final Document document = reader.read(new StringReader(
235: packet.toString()));
236: manager.handlePacket(document);
237: } catch (final DocumentException ex) {
238: log.warn("packet: {" + packet + "}");
239: throw ex;
240: }
241: }
242:
243: /**
244: * Reads tethereal standard output and extracts frames one by one.
245: * @param none.
246: * @return void.
247: */
248: // Capture thread
249: public void run() {
250: final StringBuffer packet = new StringBuffer();
251:
252: try {
253: cmd.fork();
254: forked = true;
255:
256: while (!config.isEnd() && !must_end) {
257: // on doit pouvoir optimiser en utilisant un StringBuffer pour str
258: final String str = cmd.readLineStdout();
259: if (str == null)
260: break;
261: packet.append(str);
262: // log.debug("[" + str + "]");
263: // replaces invalid XML characters with ' '
264: for (int idx = 0; idx < packet.length(); idx++)
265: // http://www.w3.org/TR/REC-xml/#charsets
266: if (packet.charAt(idx) != 9
267: && packet.charAt(idx) != 10
268: && packet.charAt(idx) != 13
269: && packet.charAt(idx) < 32)
270: packet.setCharAt(idx, ' ');
271:
272: if (str.contains("</packet>")) {
273: try {
274: handlePacket(packet);
275: } catch (final DocumentException ex) {
276: log.warn("Exception", ex);
277: }
278: packet.setLength(0);
279: }
280: }
281: } catch (final IOException ex) {
282: log.warn("Exception", ex);
283: } catch (final InterruptedException ex) {
284: // terminate the thread
285: } finally {
286: forked = true;
287: }
288: }
289: }
|