
firestorm IPX and SAP decoding



This patch should add IPX protocol decoding to the latest CVS version of
firestorm.
There is also an example child SAP decoder but it's far from finished.

I'll be working on SAP a bit more, then maybe SPX.  Then matchers for
them.

That should be fun.

John Leach.
ECSC Ltd.
Engerland.

diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/decode_plugins/Makefile.am firestorm-ipx/decode_plugins/Makefile.am
--- firestorm/decode_plugins/Makefile.am	Sun Sep 15 14:34:37 2002
+++ firestorm-ipx/decode_plugins/Makefile.am	Thu Sep 19 19:35:41 2002
@@ -12,7 +12,9 @@
 	http.la \
 	arp.la \
 	gre.la \
-	sll.la
+	sll.la \
+	ipx.la \
+	sap.la
 
 ether_la_SOURCES = ether.c
 tcpip_la_SOURCES = tcpip.c tcpstream.c ipfrag.c icmp.c tcp.c udp.c ip.c
@@ -23,3 +25,5 @@
 arp_la_SOURCES = arp.c
 gre_la_SOURCES = gre.c
 sll_la_SOURCES = sll.c
+ipx_la_SOURCES = ipx.c
+sap_la_SOURCES = sap.c
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/decode_plugins/ipx.c firestorm-ipx/decode_plugins/ipx.c
--- firestorm/decode_plugins/ipx.c	Thu Jan  1 01:00:00 1970
+++ firestorm-ipx/decode_plugins/ipx.c	Wed Sep 18 23:23:46 2002
@@ -0,0 +1,133 @@
+#include <stdlib.h>
+#include <firestorm.h>
+#include <packet.h>
+#include <plugin.h>
+#include <generator.h>
+#include <alert.h>
+#include <signature.h>
+#include <decode.h>
+#include <preproc.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+
+PLUGIN_STD_DEFS();
+
+proc_preproc_dispatch preproc_dispatch;
+
+/* IPX: Internetwork Packet eXchange */
+int ipx_print(struct layer *l, char *buf, int buflen);
+void ipx_decode(struct packet *);
+struct proto ipx_p=init_proto("ipx", ipx_decode, ipx_print);
+struct proto_req ipx_r[]={
+        proto_request("ethernet", __constant_htons(0x8137)),
+        proto_request("sll", __constant_htons(0x8137)),
+        proto_request("linux", __constant_htons(0x8137)),
+        proto_request("802.3-novell", 0),
+        proto_request("llc", 0xe0),
+	proto_request("__pcap_dlt", 12), /* DLT_RAW */
+	null_request()
+};
+
+int ipx_print(struct layer *l, char *buf, int buflen)
+{
+	char srcskt[16],dstskt[16],ptype[16];
+
+	switch (l->h.ipx->pType) {
+		case 0:
+			strcpy(ptype,"SAP/NSP/Hello");
+			break;
+		case 1:
+			strcpy(ptype,"RIP");
+			break;
+		case 2:
+			strcpy(ptype,"Echo");
+			break;
+		case 3:
+			strcpy(ptype,"Error");
+			break;
+		case 4:
+			strcpy(ptype,"SAP");
+			break;
+		case 5:
+			strcpy(ptype,"SPX");
+			break;
+		case 17:
+			strcpy(ptype,"NCP");
+			break;
+		case 20:
+			strcpy(ptype,"NetBIOS");
+			break;
+		case 104:
+			strcpy(ptype,"NDS NCP");
+			break;
+		default:
+			strcpy(ptype,"Unknown");
+	};
+
+	return snprintf(buf,buflen,"len=%u type=0x%.2x(%s) net=0x%.8x:0x%.8x "
+			"skt=0x%.4x:0x%.4x",
+			htons(l->h.ipx->length),
+			l->h.ipx->pType,
+			ptype,
+			htonl(l->h.ipx->srcNet),
+			htonl(l->h.ipx->dstNet),
+			htons(l->h.ipx->srcSkt),
+			htons(l->h.ipx->dstSkt));
+}
+
+void ipx_decode(struct packet *p)
+{
+	struct proto_child *pc;
+	struct layer *l=&p->layer[p->llen-1];
+	
+	if ( p->llen >= PKT_LAYERS ) goto err;
+	
+	if ( (p->layer[p->llen].h.raw=
+		l->h.raw+sizeof(struct pkt_ipxhdr))
+		> p->end ) goto err;
+
+	for(pc=l->proto->children; pc; pc=pc->next)
+	{
+		if ( l->h.ipx->pType == pc->id ) {
+			p->layer[p->llen].flags=0;
+			p->layer[p->llen].session=NULL;
+			p->layer[p->llen++].proto=pc->proto;
+			pc->proto->decode(p);
+			return;
+		}
+	}
+
+	p->layer[p->llen++].proto=NULL;
+err:
+	preproc_dispatch(p);
+}
+
+int _PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
+{
+	proc_decode_add decode_add;
+	int ok=0;
+	
+	plugin_check(in, out);
+	
+	PLUGIN_ID("decode.ipx", "Internetwork Packet eXchange");
+	PLUGIN_VERSION(1, 0);
+	PLUGIN_AUTHOR("John Leach", "john@xxxxxxxxxx");
+	PLUGIN_LICENSE("GPL");
+	
+	if ( !(decode_add=in->import("decode.add")) ) {
+		return PLUGIN_ERR_OBJECT;
+	}
+
+	if ( !(preproc_dispatch=in->import("preproc.dispatch")) ) {
+		return PLUGIN_ERR_OBJECT;
+	}
+
+	ok+=decode_add(&ipx_p, ipx_r);
+	
+	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
+}
+
+int _PLUGIN_UNLOAD (int code) {
+	return PLUGIN_ERR_OK;
+}
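Review bot: The bounds check in ipx_decode forms `l->h.raw+sizeof(struct pkt_ipxhdr)` before comparing it with p->end, so on a truncated capture the pointer is built past the buffer before the test rejects it; comparing the remaining length instead avoids that, e.g. `if ( p->end - l->h.raw < (ptrdiff_t)sizeof(struct pkt_ipxhdr) ) goto err;` followed by the assignment of the next layer's h.raw (this assumes p->end is a byte pointer like h.raw, which the existing comparison already relies on). In ipx_print the header fields are converted with htons/htonl although they arrive in network order; ntohs/ntohl say what is meant even if the result is the same on every platform. The pType switch copies fixed literals into a 16-byte stack buffer; a `const char *ptype` assigned per case, with `default: ptype="Unknown";`, removes the strcpy calls and the buffer. The proto_request list registers "__pcap_dlt" 12 as DLT_RAW; I cannot tell from the page whether the framework normalises DLT numbers, so it may be worth noting in the comment that the value is the Linux one.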
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/decode_plugins/sap.c firestorm-ipx/decode_plugins/sap.c
--- firestorm/decode_plugins/sap.c	Thu Jan  1 01:00:00 1970
+++ firestorm-ipx/decode_plugins/sap.c	Thu Sep 19 20:00:42 2002
@@ -0,0 +1,95 @@
+#include <stdlib.h>
+#include <firestorm.h>
+#include <packet.h>
+#include <plugin.h>
+#include <generator.h>
+#include <alert.h>
+#include <signature.h>
+#include <decode.h>
+#include <preproc.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+
+PLUGIN_STD_DEFS();
+
+proc_preproc_dispatch preproc_dispatch;
+
+/* SAP: Novell's Service Advertising Protocol */
+int sap_print(struct layer *l, char *buf, int buflen);
+void sap_decode(struct packet *p);
+/*void sap_decode(struct packet *);*/
+struct proto sap_p=init_proto("sap", sap_decode, sap_print);
+struct proto_req sap_r[]={
+        proto_request("ipx", 0x00),
+        proto_request("ipx", 0x04),
+	null_request()
+};
+
+int sap_print(struct layer *l, char *buf, int buflen)
+{
+	char out[128];
+	char type[32];
+
+	switch (htons(l->h.sap->op)) {
+		case 1:
+		case 2:
+			strcpy(type,"General service");
+			break;
+		case 3:
+		case 4:
+			strcpy(type,"Nearest service");
+			break;
+	};
+	if (htons(l->h.sap->op)%2==0) {
+		snprintf(out,sizeof(out),"%s reponse server=%s",type,l->h.sap->server_name);
+	} else {
+		snprintf(out,sizeof(out),"%s query",type);
+	};
+
+	/*	return snprintf(buf,buflen,"len=%u type=0x%.2x(%s) net=0x%.8x:0x%.8x "
+			"skt=0x%.4x:0x%.4x",
+			htons(l->h.ipx->length),
+			l->h.ipx->pType,
+			htonl(l->h.ipx->srcNet),
+			htonl(l->h.ipx->dstNet),
+			htons(l->h.ipx->srcSkt),
+			htons(l->h.ipx->dstSkt));*/
+	
+
+	return snprintf(buf,buflen,"%s",out);
+}
+
+void sap_decode(struct packet *p) {
+	p->layer[p->llen++].proto=NULL;
+	preproc_dispatch(p);
+}
+
+int _PLUGIN_INIT (struct plugin_in *in, struct plugin_out *out)
+{
+	proc_decode_add decode_add;
+	int ok=0;
+	
+	plugin_check(in, out);
+	
+	PLUGIN_ID("decode.sap", "Service Advertising Protocol");
+	PLUGIN_VERSION(0, 1);
+	PLUGIN_AUTHOR("John Leach", "john@xxxxxxxxxx");
+	PLUGIN_LICENSE("GPL");
+	
+	if ( !(decode_add=in->import("decode.add")) ) {
+		return PLUGIN_ERR_OBJECT;
+	}
+
+	if ( !(preproc_dispatch=in->import("preproc.dispatch")) ) {
+		return PLUGIN_ERR_OBJECT;
+	}
+
+	ok+=decode_add(&sap_p, sap_r);
+	
+	return (ok) ? PLUGIN_ERR_OK : PLUGIN_ERR_FAIL;
+}
+
+int _PLUGIN_UNLOAD (int code) {
+	return PLUGIN_ERR_OK;
+}
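Review bot: sap_decode writes `p->layer[p->llen++]` without the `p->llen >= PKT_LAYERS` guard that ipx_decode has; ipx_decode only guarantees a free slot for its own child layer, so when IPX occupies the last permitted layer the SAP decoder stores one element past the layer array. It also never checks that sizeof(struct pkt_sap) bytes remain before p->end, yet sap_print dereferences l->h.sap->op and server_name, so a short packet is read past the capture buffer; whether the framework still prints a layer whose decode failed I cannot tell from the page, so resetting that layer's proto on failure may be needed as well. In sap_print, `type` is only written for op values 1 to 4 and the switch has no default, so any other op passes an uninitialised buffer to snprintf; add `default: strcpy(type,"Unknown");`. server_name is a fixed 48-byte field with no guaranteed terminator, so print it with `%.48s`, and the same format string spells "reponse".
```c
void sap_decode(struct packet *p) {
	struct layer *l=&p->layer[p->llen-1];

	/* same guards as ipx_decode: a free layer slot and a whole SAP header */
	if ( p->llen >= PKT_LAYERS ) goto err;
	if ( p->end - l->h.raw < (ptrdiff_t)sizeof(struct pkt_sap) ) goto err;

	p->layer[p->llen++].proto=NULL;
err:
	preproc_dispatch(p);
}
```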
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/include/packet.h firestorm-ipx/include/packet.h
--- firestorm/include/packet.h	Thu Aug 22 19:04:28 2002
+++ firestorm-ipx/include/packet.h	Wed Sep 18 23:05:08 2002
@@ -19,6 +19,8 @@
 #include <pkt/gre.h>
 #include <pkt/sll.h>
 #include <pkt/http.h>
+#include <pkt/ipx.h>
+#include <pkt/sap.h>
 
 /* Maximum number of layers in decode */
 #define PKT_LAYERS	8
@@ -43,6 +45,8 @@
 		struct pkt_grehdr	*gre;
 		struct pkt_vlanhdr	*vlan;
 		struct pkt_sllhdr	*sll;
+		struct pkt_ipxhdr	*ipx;
+		struct pkt_sap		*sap;
 		void			*raw;
 	}h;
 	struct proto	*proto; /* protocol of this layer */
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/include/pkt/ipx.h firestorm-ipx/include/pkt/ipx.h
--- firestorm/include/pkt/ipx.h	Thu Jan  1 01:00:00 1970
+++ firestorm-ipx/include/pkt/ipx.h	Wed Sep 18 22:10:49 2002
@@ -0,0 +1,22 @@
+#ifndef __PKT_IPX_HEADER_INCLUDED__
+#define __PKT_IPX_HEADER_INCLUDED__
+
+/* IPX transport header */
+struct pkt_ipxhdr
+{
+	u_int16_t cksum;	/* Checksum */
+	u_int16_t length;	/* Length, in bytes, including header */
+	u_int8_t tCtl;		/* Transport Control (i.e. hop count) */
+	u_int8_t pType;		/* Packet Type (i.e. level 2 protocol) */
+	u_int32_t dstNet;	/* destination net */
+	u_int8_t dstNode[6];	/* destination node */
+	u_int16_t dstSkt;	/* destination socket */
+	u_int32_t srcNet;	/* source net */
+	u_int8_t srcNode[6];	/* source node */
+	u_int16_t srcSkt;	/* source socket */
+}__attribute__((packed));
+
+#define ipxSize 30
+
+
+#endif /* __PKT_IPX_HEADER_INCLUDED__ */
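Review bot: The header says nothing about byte order, yet ipx.c converts length, the net fields and the sockets with htons/htonl, so the fields are evidently carried in network order; say so on the struct, e.g. `/* IPX transport header; all multi-byte fields are in network byte order */`. `#define ipxSize 30` duplicates sizeof(struct pkt_ipxhdr), which is what ipx.c actually uses, and will silently diverge if the struct changes; either drop it or define it as `sizeof(struct pkt_ipxhdr)`. dstNode/srcNode are 6-byte node addresses rather than strings; a comment saying so would stop a later %s.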
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/include/pkt/sap.h firestorm-ipx/include/pkt/sap.h
--- firestorm/include/pkt/sap.h	Thu Jan  1 01:00:00 1970
+++ firestorm-ipx/include/pkt/sap.h	Wed Sep 18 23:04:40 2002
@@ -0,0 +1,16 @@
+#ifndef __PKT_SAP_HEADER_INCLUDED__
+#define __PKT_SAP_HEADER_INCLUDED__
+
+/* SAP packet */
+struct pkt_sap
+{
+	u_int16_t op;		/* Operation */
+	u_int16_t service;	/* Service type*/
+	u_int8_t server_name[48]; /* Server name in quotes */
+	u_int32_t network;	/* Network address */
+	u_int8_t node[6];	/* Node address */
+	u_int16_t skt;		/* Socket address */
+	u_int16_t hops;	/* source net */
+}__attribute__((packed));
+
+#endif /* __PKT_SAP_HEADER_INCLUDED__ */
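Review bot: The comment on `hops` reads `/* source net */`, a leftover from the ipx.h field list; the field is the hop count, so `/* Hops to the advertised server */`. server_name is a 48-byte array with no guarantee of a NUL terminator, which matters because sap.c prints it with %s; document it as `/* Server name, 48-byte field, not guaranteed NUL-terminated */`. As with pkt_ipxhdr, sap.c converts op with htons, so a note that multi-byte fields are in network byte order belongs on the struct.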
diff -urN --exclude=CVS -x firestorm.conf -x 'ipxold*' -x spx.c -x run.sh -x '*.sh' -x '*.html' -x '*.log' -x '*.dump' firestorm/src/preproc.c firestorm-ipx/src/preproc.c
--- firestorm/src/preproc.c	Sun Sep 15 16:53:04 2002
+++ firestorm-ipx/src/preproc.c	Thu Sep 19 19:35:42 2002
@@ -29,7 +29,7 @@
 #include <signature.h>
 #include <decode.h>
 
-#undef SNIFFER
+#define SNIFFER 1
 
 #ifdef SNIFFER
 struct generator sniffer=init_generator("sniffer");
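Review bot: `#define SNIFFER 1` turns the sniffer generator on unconditionally for every build of the core, which reads like a local debugging setting that travelled with the IPX patch rather than part of it; every other hunk only touches decode plugins and headers. If the sniffer is wanted, expose it through the build configuration (a `-DSNIFFER` from the Makefile) or drop this hunk before applying.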
