Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
123 lines (111 sloc) 3.55 KB
Copyright (c) 1999 Rafal Wojtczuk <>. All rights reserved.
See the file COPYING for license details.
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include "nids.h"
#define int_ntoa(x) inet_ntoa(*((struct in_addr *)&x))
// struct tuple4 contains addresses and port numbers of the TCP connections
// the following auxiliary function produces a string looking like
char *
adres (struct tuple4 addr)
static char buf[256];
strcpy (buf, int_ntoa (addr.saddr));
sprintf (buf + strlen (buf), ",%i,", addr.source);
strcat (buf, int_ntoa (addr.daddr));
sprintf (buf + strlen (buf), ",%i", addr.dest);
return buf;
tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed)
char buf[1024];
strcpy (buf, adres (a_tcp->addr)); // we put conn params into buf
if (a_tcp->nids_state == NIDS_JUST_EST)
// connection described by a_tcp is established
// here we decide, if we wish to follow this stream
// sample condition: if (a_tcp->addr.dest!=23) return;
// in this simple app we follow each stream, so..
a_tcp->client.collect++; // we want data received by a client
a_tcp->server.collect++; // and by a server, too
a_tcp->server.collect_urg++; // we want urgent data received by a
// server
a_tcp->client.collect_urg++; // if we don't increase this value,
// we won't be notified of urgent data
// arrival
fprintf (stderr, "%s established\n", buf);
if (a_tcp->nids_state == NIDS_CLOSE)
// connection has been closed normally
fprintf (stderr, "%s closing\n", buf);
if (a_tcp->nids_state == NIDS_RESET)
// connection has been closed by RST
fprintf (stderr, "%s reset\n", buf);
if (a_tcp->nids_state == NIDS_DATA)
// new data has arrived; gotta determine in what direction
// and if it's urgent or not
struct half_stream *hlf;
if (a_tcp->server.count_new_urg)
// new byte of urgent data has arrived
// We don't have to check if urgent data to client has arrived,
// because we haven't increased a_tcp->client.collect_urg variable.
// So, we have some normal data to take care of.
if (a_tcp->client.count_new)
// new data for client
hlf = &a_tcp->client; // from now on, we will deal with hlf var,
// which will point to client side of conn
strcat (buf, "(<-)"); // symbolic direction of data
hlf = &a_tcp->server; // analogical
strcat (buf, "(->)");
fprintf(stderr,"%s",buf); // we print the connection parameters
// (saddr, daddr, sport, dport) accompanied
// by data flow direction (-> or <-)
write(2,hlf->data,hlf->count_new); // we print the newly arrived data
return ;
main ()
// here we can alter libnids params, for instance:
// nids_params.n_hosts=256;
if (!nids_init ())
nids_register_tcp (tcp_callback);
nids_run ();
return 0;
You can’t perform that action at this time.