chg: [pibs] added option to bypass synseen logic

haegardev · haegardev · commit 38036c3f47fb · 2020-02-19T17:18:06.000+01:00
diff --git a/bin/synseen.c b/bin/synseen.c
@@ -145,35 +145,37 @@ void synseen_process_frame(pibs_t *pibs, wtap *wth, uint8_t* eth,
     uint32_t ip;
     struct pcap_pkthdr pchdr;
     memcpy(&ip, &ipv4->ip_src, 4);
-    // Record only source ips where syn flag is set
-    // TODO check other connection establishment alternatives
-    if (tcp->th_flags  == 2 ){
-        insert_ip(pibs, ip, wth->rec.ts.secs);
-        return;
-    }
+    if (!pibs->bypass) {
+        // Record only source ips where syn flag is set
+        // TODO check other connection establishment alternatives
+        if (tcp->th_flags  == 2 ){
+            insert_ip(pibs, ip, wth->rec.ts.secs);
+            return;
+        }
 
-    lastseen =  get_last_timestamp(pibs, ip);
+        lastseen =  get_last_timestamp(pibs, ip);
 
-    if (lastseen > 0){
-        HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
-               , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
-        return;
-    }
-    // TODO keep these IPs in a hashtable and rank them
-    if (pibs->show_backscatter) {
-        printf("%ld,%s,%d,%d\n",
-               wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
-               ntohs(tcp->th_sport));
-    }
-    //TODO relative time
-    //Purge old ips?
-    if (pibs->should_writepcap) {
-        pchdr.ts.tv_sec = wth->rec.ts.secs;
-        //TODO other part of the timestamp
-        pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
-        pchdr.caplen =  wth->rec.rec_header.packet_header.caplen;
-        pchdr.len =  wth->rec.rec_header.packet_header.len;
-        pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
+        if (lastseen > 0){
+            HDBG("IP %x %s was already seen before at %ld. Time difference %ld.\n"
+                   , ip, inet_ntoa(ipv4->ip_src), lastseen, wth->rec.ts.secs-lastseen);
+            return;
+        }
+        // TODO keep these IPs in a hashtable and rank them
+        if (pibs->show_backscatter) {
+            printf("%ld,%s,%d,%d\n",
+                wth->rec.ts.secs, inet_ntoa(ipv4->ip_src), tcp->th_flags,
+                ntohs(tcp->th_sport));
+        }
+        //TODO relative time
+        //Purge old ips?
+        if (pibs->should_writepcap) {
+            pchdr.ts.tv_sec = wth->rec.ts.secs;
+            //TODO other part of the timestamp
+            pchdr.ts.tv_usec = wth->rec.ts.nsecs / 1000;
+            pchdr.caplen =  wth->rec.rec_header.packet_header.caplen;
+            pchdr.len =  wth->rec.rec_header.packet_header.len;
+            pcap_dump((u_char*)pibs->dumper, &pchdr, eth);
+        }
     }
     if (pibs->synseen_callback) {
         synseen_callback = pibs->synseen_callback;
