Merge pull request #147 from BonnyAD9/icmp-plugin

Introduce Icmp plugin

Author: SiskaPavel

.gitignore

@@ -45,8 +45,8 @@ m4/ltsugar.m4
 m4/ltversion.m4
 m4/lt~obsolete.m4
 
-# Generated Makefile 
-# (meta build system like autotools, 
+# Generated Makefile
+# (meta build system like autotools,
 # can automatically generate from config.status script
 # (which is called by configure script))
 Makefile
@@ -94,7 +94,8 @@ libtool
 fields.c
 fields.h
 ipfixprobe-nemea.*
-./ipfixprobe
+ipfixprobe
+ipfixprobe_stats
 ipfixprobe-*.tar.gz
 
 # Test Outputs

Makefile.am

@@ -126,14 +126,16 @@ ipfixprobe_process_src=\
 		process/md5.cpp \
 		process/common.hpp \
 		process/ssadetector.hpp \
-		process/ssadetector.cpp
+		process/ssadetector.cpp \
+		process/icmp.hpp \
+		process/icmp.cpp
 
 if WITH_QUIC
 ipfixprobe_process_src+=\
 		process/quic.hpp \
 		process/quic.cpp \
 		process/quic_parser.cpp \
-		process/quic_parser.hpp 
+		process/quic_parser.hpp
 
 endif
 

README.md

@@ -597,6 +597,14 @@ List of fields exported together with basic flow fields on interface by quic plu
 |:------------------:|:------:|:-------------------------------:|
 | QUIC_SNI           | string | Decrypted server name           |
 
+### ICMP
+
+List of fields exported together with basic flow fields on interface by icmp plugin.
+
+| Output field       | Type   | Description                     |
+|:------------------:|:------:|:-------------------------------:|
+| L4_ICMP_TYPE_CODE  | uint16 | ICMP type (MSB) and code (LSB)  |
+
 ### SSADetector
 
 List of fields exported together with basic flow fields on interface by ssadetector plugin.

include/ipfixprobe/ipfix-elements.hpp

@@ -487,6 +487,9 @@ namespace ipxp {
    F(OSQUERY_KERNEL_VERSION) \
    F(OSQUERY_SYSTEM_HOSTNAME)
 
+#define IPFIX_ICMP_TEMPLATE(F) \
+   F(L4_ICMP_TYPE_CODE)
+
 #ifdef WITH_FLEXPROBE
 #define IPFIX_FLEXPROBE_DATA_TEMPLATE(F) F(FX_FRAME_SIGNATURE) F(FX_INPUT_INTERFACE)
 #define IPFIX_FLEXPROBE_TCP_TEMPLATE(F) F(FX_TCP_TRACKING)
@@ -529,7 +532,8 @@ namespace ipxp {
    IPFIX_FLEXPROBE_DATA_TEMPLATE(F) \
    IPFIX_FLEXPROBE_TCP_TEMPLATE(F) \
    IPFIX_FLEXPROBE_ENCR_TEMPLATE(F) \
-   IPFIX_SSADETECTOR_TEMPLATE(F)
+   IPFIX_SSADETECTOR_TEMPLATE(F) \
+   IPFIX_ICMP_TEMPLATE(F)
 
 /**
  * Helper macro, convert FIELD into its name as a C literal.

input/parser.cpp

@@ -467,54 +467,6 @@ inline uint16_t parse_udp_hdr(const u_char *data_ptr, uint16_t data_len, Packet
    return 8;
 }
 
-/**
- * \brief Parse specific fields from ICMP header.
- * \param [in] data_ptr Pointer to begin of header.
- * \param [in] data_len Length of packet data in `data_ptr`.
- * \param [out] pkt Pointer to Packet structure where parsed fields will be stored.
- * \return Size of header in bytes.
- */
-inline uint16_t parse_icmp_hdr(const u_char *data_ptr, uint16_t data_len, Packet *pkt)
-{
-   struct icmphdr *icmp = (struct icmphdr *) data_ptr;
-   if (sizeof(struct icmphdr) > data_len) {
-      throw "Parser detected malformed packet";
-   }
-   pkt->dst_port = icmp->type * 256 + icmp->code;
-
-   DEBUG_MSG("ICMP header:\n");
-   DEBUG_MSG("\tType:\t\t%u\n",     icmp->type);
-   DEBUG_MSG("\tCode:\t\t%u\n",     icmp->code);
-   DEBUG_MSG("\tChecksum:\t%#06x\n",ntohs(icmp->checksum));
-   DEBUG_MSG("\tRest:\t\t%#06x\n",  ntohl(*(uint32_t *) &icmp->un));
-
-   return 0;
-}
-
-/**
- * \brief Parse specific fields from ICMPv6 header.
- * \param [in] data_ptr Pointer to begin of header.
- * \param [in] data_len Length of packet data in `data_ptr`.
- * \param [out] pkt Pointer to Packet structure where parsed fields will be stored.
- * \return Size of header in bytes.
- */
-inline uint16_t parse_icmpv6_hdr(const u_char *data_ptr, uint16_t data_len, Packet *pkt)
-{
-   struct icmp6_hdr *icmp6 = (struct icmp6_hdr *) data_ptr;
-   if (sizeof(struct icmp6_hdr) > data_len) {
-      throw "Parser detected malformed packet";
-   }
-   pkt->dst_port = icmp6->icmp6_type * 256 + icmp6->icmp6_code;
-
-   DEBUG_MSG("ICMPv6 header:\n");
-   DEBUG_MSG("\tType:\t\t%u\n",     icmp6->icmp6_type);
-   DEBUG_MSG("\tCode:\t\t%u\n",     icmp6->icmp6_code);
-   DEBUG_MSG("\tChecksum:\t%#x\n",  ntohs(icmp6->icmp6_cksum));
-   DEBUG_MSG("\tBody:\t\t%#x\n",    ntohs(*(uint32_t *) &icmp6->icmp6_dataun));
-
-   return 0;
-}
-
 /**
  * \brief Skip MPLS stack.
  * \param [in] data_ptr Pointer to begin of header.
@@ -689,10 +641,6 @@ void parse_packet(parser_opt_t *opt, struct timeval ts, const uint8_t *data, uin
          data_offset += parse_tcp_hdr(data + data_offset, caplen - data_offset, pkt);
       } else if (pkt->ip_proto == IPPROTO_UDP) {
          data_offset += parse_udp_hdr(data + data_offset, caplen - data_offset, pkt);
-      } else if (pkt->ip_proto == IPPROTO_ICMP) {
-         data_offset += parse_icmp_hdr(data + data_offset, caplen - data_offset, pkt);
-      } else if (pkt->ip_proto == IPPROTO_ICMPV6) {
-         data_offset += parse_icmpv6_hdr(data + data_offset, caplen - data_offset, pkt);
       }
    } catch (const char *err) {
       DEBUG_MSG("%s\n", err);

process/icmp.cpp

@@ -0,0 +1,85 @@
+/**
+ * \file icmp.cpp
+ * \brief Plugin for parsing icmp traffic.
+ * \author Jakub Antonín Štigler xstigl00@[email protected]
+ * \date 2023
+ */
+/*
+ * Copyright (C) 2023 CESNET
+ *
+ * LICENSE TERMS
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ * 3. Neither the name of the Company nor the names of its contributors
+ *    may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * ALTERNATIVELY, provided that this notice is retained in full, this
+ * product may be distributed under the terms of the GNU General Public
+ * License (GPL) version 2 or later, in which case the provisions
+ * of the GPL apply INSTEAD OF those given above.
+ *
+ * This software is provided as is'', and any express or implied
+ * warranties, including, but not limited to, the implied warranties of
+ * merchantability and fitness for a particular purpose are disclaimed.
+ * In no event shall the company or contributors be liable for any
+ * direct, indirect, incidental, special, exemplary, or consequential
+ * damages (including, but not limited to, procurement of substitute
+ * goods or services; loss of use, data, or profits; or business
+ * interruption) however caused and on any theory of liability, whether
+ * in contract, strict liability, or tort (including negligence or
+ * otherwise) arising in any way out of the use of this software, even
+ * if advised of the possibility of such damage.
+ *
+ */
+
+#include <iostream>
+
+#include "icmp.hpp"
+
+#include "../input/headers.hpp"
+
+namespace ipxp {
+
+int RecordExtICMP::REGISTERED_ID = -1;
+
+__attribute__((constructor)) static void register_this_plugin()
+{
+   static PluginRecord rec = PluginRecord("icmp", [](){return new ICMPPlugin();});
+   register_plugin(&rec);
+   RecordExtICMP::REGISTERED_ID = register_extension();
+}
+
+ProcessPlugin *ICMPPlugin::copy()
+{
+   return new ICMPPlugin(*this);
+}
+
+int ICMPPlugin::post_create(Flow &rec, const Packet &pkt)
+{
+   if (pkt.ip_proto == IPPROTO_ICMP ||
+       pkt.ip_proto == IPPROTO_ICMPV6) {
+      if (pkt.payload_len < sizeof(RecordExtICMP::type_code))
+         return 0;
+
+      auto ext = new RecordExtICMP();
+
+      // the type and code are the first two bytes, type on MSB and code on LSB
+      // in the network byte order
+      ext->type_code = *reinterpret_cast<const uint16_t *>(pkt.payload);
+
+      rec.add_extension(ext);
+   }
+   return 0;
+}
+
+}
+

process/icmp.hpp

@@ -0,0 +1,146 @@
+/**
+ * \file icmp.hpp
+ * \brief Plugin for parsing icmp traffic.
+ * \author Jakub Antonín Štigler xstigl00@[email protected]
+ * \date 2023
+ */
+/*
+ * Copyright (C) 2023 CESNET
+ *
+ * LICENSE TERMS
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ * 3. Neither the name of the Company nor the names of its contributors
+ *    may be used to endorse or promote products derived from this
+ *    software without specific prior written permission.
+ *
+ * ALTERNATIVELY, provided that this notice is retained in full, this
+ * product may be distributed under the terms of the GNU General Public
+ * License (GPL) version 2 or later, in which case the provisions
+ * of the GPL apply INSTEAD OF those given above.
+ *
+ * This software is provided as is'', and any express or implied
+ * warranties, including, but not limited to, the implied warranties of
+ * merchantability and fitness for a particular purpose are disclaimed.
+ * In no event shall the company or contributors be liable for any
+ * direct, indirect, incidental, special, exemplary, or consequential
+ * damages (including, but not limited to, procurement of substitute
+ * goods or services; loss of use, data, or profits; or business
+ * interruption) however caused and on any theory of liability, whether
+ * in contract, strict liability, or tort (including negligence or
+ * otherwise) arising in any way out of the use of this software, even
+ * if advised of the possibility of such damage.
+ *
+ */
+
+#ifndef IPXP_PROCESS_ICMP_HPP
+#define IPXP_PROCESS_ICMP_HPP
+
+#include <cstring>
+
+#ifdef WITH_NEMEA
+  #include "fields.h"
+#endif
+
+#include <sstream>
+
+#include <ipfixprobe/utils.hpp>
+
+#include <ipfixprobe/process.hpp>
+#include <ipfixprobe/flowifc.hpp>
+#include <ipfixprobe/packet.hpp>
+#include <ipfixprobe/ipfix-elements.hpp>
+
+namespace ipxp {
+
+#define ICMP_UNIREC_TEMPLATE "L4_ICMP_TYPE_CODE"
+
+UR_FIELDS (
+   uint16 L4_ICMP_TYPE_CODE
+)
+
+/**
+ * \brief Flow record extension header for storing parsed ICMP data.
+ */
+struct RecordExtICMP : public RecordExt {
+   static int REGISTERED_ID;
+
+   uint16_t type_code;
+
+   RecordExtICMP() : RecordExt(REGISTERED_ID)
+   {
+      type_code = 0;
+   }
+
+#ifdef WITH_NEMEA
+   virtual void fill_unirec(ur_template_t *tmplt, void *record)
+   {
+      ur_set(tmplt, record, F_L4_ICMP_TYPE_CODE, type_code);
+   }
+
+   const char *get_unirec_tmplt() const
+   {
+      return ICMP_UNIREC_TEMPLATE;
+   }
+#endif
+
+   virtual int fill_ipfix(uint8_t *buffer, int size)
+   {
+      const int LEN = 2;
+
+      if (size < LEN) {
+         return -1;
+      }
+
+      *reinterpret_cast<uint16_t *>(buffer) = ntohs(type_code);
+
+      return LEN;
+   }
+
+   const char **get_ipfix_tmplt() const
+   {
+      static const char *ipfix_template[] = {
+         IPFIX_ICMP_TEMPLATE(IPFIX_FIELD_NAMES)
+         NULL
+      };
+      return ipfix_template;
+   }
+
+   std::string get_text() const
+   {
+      // type is on the first byte, code is on the second byte
+      auto *type_code = reinterpret_cast<const uint8_t *>(&this->type_code);
+
+      std::ostringstream out;
+      out << "type=\"" << static_cast<int>(type_code[0]) << '"'
+         << ",code=\"" << static_cast<int>(type_code[1]) << '"';
+
+      return out.str();
+   }
+};
+
+/**
+ * \brief Process plugin for parsing ICMP packets.
+ */
+class ICMPPlugin : public ProcessPlugin
+{
+public:
+   OptionsParser *get_parser() const { return new OptionsParser("icmp", "Parse ICMP traffic"); }
+   std::string get_name() const { return "icmp"; }
+   RecordExt *get_ext() const { return new RecordExtICMP(); }
+   ProcessPlugin *copy();
+
+   int post_create(Flow &rec, const Packet &pkt);
+};
+
+}
+#endif /* IPXP_PROCESS_ICMP_HPP */
+