icmp suppport

* capture,viewer now supports icmp traffic
arkime · Aug 27, 2012 · 7b84645 · 7b84645
1 parent 87be7b7
commit 7b84645
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 20 deletions.
diff --git a/capture/config.c b/capture/config.c
@@ -118,7 +118,8 @@ void moloch_config_load()
     config.dropGroup        = moloch_config_str(keyfile, "dropGroup", NULL);
 
     config.maxFileSizeG     = moloch_config_int(keyfile, "maxFileSizeG", 4, 1, 63);
-    config.udpTimeout       = moloch_config_int(keyfile, "udpTimeout", 60, 10, 0xffff);
+    config.icmpTimeout      = moloch_config_int(keyfile, "icmpTimeout", 10, 1, 0xffff);
+    config.udpTimeout       = moloch_config_int(keyfile, "udpTimeout", 60, 1, 0xffff);
     config.tcpTimeout       = moloch_config_int(keyfile, "tcpTimeout", 60*8, 10, 0xffff);
     config.tcpSaveTimeout   = moloch_config_int(keyfile, "tcpSaveTimeout", 60*8, 10, 60*120);
     config.maxStreams       = moloch_config_int(keyfile, "maxStreams", 1500000, 1, 16777215);
@@ -158,6 +159,7 @@ void moloch_config_init()
         LOG("dropGroup: %s", config.dropGroup);
 
         LOG("maxFileSizeG: %u", config.maxFileSizeG);
+        LOG("icmpTimeout: %u", config.icmpTimeout);
         LOG("udpTimeout: %u", config.udpTimeout);
         LOG("tcpTimeout: %u", config.tcpTimeout);
         LOG("tcpSaveTimeout: %u", config.tcpSaveTimeout);

diff --git a/capture/moloch.h b/capture/moloch.h
@@ -23,6 +23,7 @@ typedef struct moloch_config {
 
     uint32_t  maxFileSizeG;
     uint32_t  minFreeSpaceG;
+    uint32_t  icmpTimeout;
     uint32_t  udpTimeout;
     uint32_t  tcpTimeout;
     uint32_t  tcpSaveTimeout;

diff --git a/capture/nids.c b/capture/nids.c
@@ -45,6 +45,7 @@ static gchar                 classTag[100];
 
 static MolochSessionHead_t   tcpSessionQ;
 static MolochSessionHead_t   udpSessionQ;
+static MolochSessionHead_t   icmpSessionQ;
 static MolochSessionHead_t   tcpWriteQ;
 
 
@@ -162,10 +163,17 @@ void moloch_nids_save_session(char *key, MolochSession_t *session)
             DLL_REMOVE(tcp_, &tcpWriteQ, session);
         }
 
-        if (session->protocol == IPPROTO_TCP)
+        switch (session->protocol) {
+        case IPPROTO_TCP:
             DLL_REMOVE(q_, &tcpSessionQ, session);
-        else
+            break;
+        case IPPROTO_UDP:
             DLL_REMOVE(q_, &udpSessionQ, session);
+            break;
+        case IPPROTO_ICMP:
+            DLL_REMOVE(q_, &icmpSessionQ, session);
+            break;
+        }
 
         HASH_REMOVE(h_, sessions, session);
         return;
@@ -338,35 +346,38 @@ void moloch_nids_cb_ip(struct ip *packet, int len)
     MolochSession_t *headSession;
     struct tcphdr   *tcphdr = 0;
     struct udphdr   *udphdr = 0;
-    struct icmphdr  *icmphdr = 0;
     MolochSessionHead_t *sessionsQ;
     uint32_t         sessionTimeout;
 
-    if (packet->ip_p == IPPROTO_TCP) {
+    switch (packet->ip_p) {
+    case IPPROTO_TCP:
         sessionsQ = &tcpSessionQ;
         sessionTimeout = config.tcpTimeout;
 
         tcphdr = (struct tcphdr *)((void*)packet + 4 * packet->ip_hl);
 
         moloch_session_id(sessionId, packet->ip_p, packet->ip_src.s_addr, ntohs(tcphdr->source), 
                           packet->ip_dst.s_addr, ntohs(tcphdr->dest));
-
-    } else if (packet->ip_p == IPPROTO_UDP) {
+        break;
+    case IPPROTO_UDP:
         sessionsQ = &udpSessionQ;
         sessionTimeout = config.udpTimeout;
 
         udphdr = (struct udphdr *)((void*)packet + 4 * packet->ip_hl);
 
         moloch_session_id(sessionId, packet->ip_p, packet->ip_src.s_addr, ntohs(udphdr->source), 
                           packet->ip_dst.s_addr, ntohs(udphdr->dest));
-    } else if (packet->ip_p == IPPROTO_ICMP) {
-        icmphdr = (struct icmphdr *)((void*)packet + 4 * packet->ip_hl);
-        /*LOG("ICMP type:%d code: %d id: %d sequence: %d gateway: %d mtu: %d",
-          icmphdr->type, icmphdr->code, icmphdr->un.echo.id,icmphdr->un.echo.sequence,icmphdr->un.gateway,icmphdr->un.frag.mtu);*/
-        return;
-    } else if (packet->ip_p == IPPROTO_IPV6) {
+        break;
+    case IPPROTO_ICMP:
+        sessionsQ = &icmpSessionQ;
+        sessionTimeout = config.icmpTimeout;
+
+        moloch_session_id(sessionId, packet->ip_p, packet->ip_src.s_addr, 0, 
+                          packet->ip_dst.s_addr, 0);
+        break;
+    case IPPROTO_IPV6:
         return;
-    } else {
+    default:
         if (config.logUnknownProtocols)
             LOG("Unknown protocol %d", packet->ip_p);
         return;
@@ -420,13 +431,19 @@ void moloch_nids_cb_ip(struct ip *packet, int len)
 
         moloch_nids_initial_tag(session);
 
-        if (packet->ip_p == IPPROTO_TCP) {
+        switch (packet->ip_p) {
+        case IPPROTO_TCP:
             session->port1 = ntohs(tcphdr->source);
             session->port2 = ntohs(tcphdr->dest);
-
-        } else {
+            break;
+        case IPPROTO_UDP:
             session->port1 = ntohs(udphdr->source);
             session->port2 = ntohs(udphdr->dest);
+            break;
+        case IPPROTO_ICMP:
+            session->port1 = 0;
+            session->port2 = 0;
+            break;
         }
 
         DLL_PUSH_TAIL(q_, sessionsQ, session);
@@ -917,10 +934,17 @@ moloch_hp_cb_on_header_value (http_parser *parser, const char *at, size_t length
 void moloch_nids_session_free (MolochSession_t *session)
 {
     if (session->q_next) {
-        if (session->protocol == IPPROTO_TCP)
+        switch (session->protocol) {
+        case IPPROTO_TCP:
             DLL_REMOVE(q_, &tcpSessionQ, session);
-        else
+            break;
+        case IPPROTO_UDP:
             DLL_REMOVE(q_, &udpSessionQ, session);
+            break;
+        case IPPROTO_ICMP:
+            DLL_REMOVE(q_, &icmpSessionQ, session);
+            break;
+        }
     }
 
     if (session->tcp_next)
@@ -1215,6 +1239,7 @@ void moloch_nids_init()
     DLL_INIT(tcp_, &tcpWriteQ);
     DLL_INIT(q_, &tcpSessionQ);
     DLL_INIT(q_, &udpSessionQ);
+    DLL_INIT(q_, &icmpSessionQ);
 
     cookie = magic_open(MAGIC_MIME);
     if (!cookie) {

diff --git a/config.ini b/config.ini
@@ -62,6 +62,10 @@ tcpSaveTimeout = 720
 # many seconds of inactivity.
 udpTimeout = 30
 
+# ICMP timeout value.  Moloch assumes the ICMP session is ended after this 
+# many seconds of inactivity.
+icmpTimeout = 10
+
 # An aproximiate maximum number of active sessions Moloch/libnids will try 
 # and monitor
 maxStreams = 1000000

diff --git a/single-host/etc/config.ini.template b/single-host/etc/config.ini.template
@@ -62,6 +62,10 @@ tcpSaveTimeout = 720
 # many seconds of inactivity.
 udpTimeout = 30
 
+# ICMP timeout value.  Moloch assumes the ICMP session is ended after this 
+# many seconds of inactivity.
+icmpTimeout = 10
+
 # An aproximiate maximum number of active sessions Moloch/libnids will try 
 # and monitor
 maxStreams = 1000000

diff --git a/viewer/decode.js b/viewer/decode.js
@@ -41,7 +41,7 @@ exports.icmp = function (buffer, obj) {
     sequence:  buffer.readUInt16BE(6)
   };
 
-  obj.udp.data = buffer.slice(8);
+  obj.icmp.data = buffer.slice(8);
 };
 
 exports.tcp = function (buffer, obj) {
@@ -157,6 +157,26 @@ exports.pcap = function (buffer, obj) {
   exports.ether(buffer.slice(16, obj.pcap.incl_len + 16), obj);
 };
 
+exports.reassemble_icmp = function (packets, cb) {
+  var results = [];
+  packets.forEach(function (item) {
+    var key = item.ip.addr1;
+    if (results.length === 0 || key !== results[results.length-1].key) {
+      var result = {
+        key: key,
+        data: item.icmp.data
+      };
+      results.push(result);
+    } else {
+      var newBuf = new Buffer(results[results.length-1].data.length + item.icmp.data.length);
+      results[results.length-1].data.copy(newBuf);
+      item.icmp.data.copy(newBuf, results[results.length-1].data.length);
+      results[results.length-1].data = newBuf;
+    }
+  });
+  cb(null, results);
+};
+
 exports.reassemble_udp = function (packets, cb) {
   var results = [];
   packets.forEach(function (item) {

diff --git a/viewer/viewer.js b/viewer/viewer.js
@@ -1249,6 +1249,10 @@ function localSessionDetail(req, res) {
     /* Now reassembly the packets */
     if (packets.length === 0) {
       localSessionDetailReturn(req, res, session, [{data: "No pcap data found"}]);
+    } else if (packets[0].ip.p === 1) {
+      decode.reassemble_icmp(packets, function(err, results) {
+        localSessionDetailReturn(req, res, session, results);
+      });
     } else if (packets[0].ip.p === 6) {
       decode.reassemble_tcp(packets, function(err, results) {
         localSessionDetailReturn(req, res, session, results);