 Questions about PEI format/purpose; extracting info from PEI 
Post Re: Questions about PEI format/purpose; extracting info from
gianluca.costa wrote:
a mistake, I meant:
Code:
 DISPATCH_PARALLEL=0

The dispatcher is used also by all manipulators (see configuration file of manipulators).
Ciao.
Gianluca


Out of all of Xplico, I am still quite unfamiliar with the role that manipulators play - where in the chain of Capture-dissector -> protocol dissector -> dispatcher do manipulators fit? Are you suggesting that they come after the dispatchers, or before?


Tue Jul 27, 2010 6:15 pm
Site Admin
Post Re: Questions about PEI format/purpose; extracting info from
Quote:
Out of all of Xplico, I am still quite unfamiliar with the role that manipulators play - where in the chain of Capture-dissector -> protocol dissector -> dispatcher do manipulators fit?
Code:
                                                      --------->manipulator (1)
                                                     |--------->manipulator (2)
                                                     |   ...
                                                     |--------->manipulator (n)
Capture-dissector -> protocol dissector ---(PEI)---->| (or)
                                                      --------->dispatcher

And manipulators generate a new PEI from the input PEIs and send this new PEI to the dispatcher:

Code:
---(PEI)---->manipulators---(PEI)---->dispatcher


Theoretically, downstream of a manipulator there could be another manipulator.
In theory (by design) Xplico can also be recursive (with pkt output, not PEI).


Quote:
Are you suggesting that they come after the dispatchers, or before?

Both; it depends on your point of view ;).


Tue Jul 27, 2010 6:29 pm
Post Re: Questions about PEI format/purpose; extracting info from
gianluca.costa wrote:
Quote:
Does the PEI include a way for me to know which particular PCAP file the protocol element information is coming from?

Yes, every PEI has a stack frame: ppei->stack. In this stack you can find all the information (see the pol, sol, ip extraction in a dispatcher).
To print (in the shell) the stack: ProtStackFrmDisp(ppei->stack, TRUE);
To save (in a buffer) an XML representation of a stack: ProtStackFrmXML(ppei->stack);
This XML is the info-xml file of XI.

Ciao.
Gianluca

How do you grab the PCAP file from ppei->stack ? I am using the debugger and also looking at xplico-src/dispatch/include/pei.h and xplico-src/common/include/packet.h, but don't see clearly where a pcap filename would be. I am thinking that since I'm dealing with a stack of items, the item that I'm looking for would be at the bottom (or top..) of this ppei->stack (but I still don't know how to access the filename information with it). Does it have something to do with the 'attr[2]' attribute of pstack_f ? Thank you.


Wed Jul 28, 2010 8:15 pm
Site Admin
Post Re: Questions about PEI format/purpose; extracting info from
In this case, GDB is not the right tool.
If you think about it, I had the same problem as you in retrieving the POL and SOL numbers, and the solution is in the Lite dispatcher. The file name also appears with ProtStackFrmDisp, so the answer to your question is in the ProtStackFrmDisp code, as I mentioned.

Quote:
How do you grab the PCAP file from ppei->stack ? I am using the debugger and also looking at xplico-src/dispatch/include/pei.h and xplico-src/common/include/packet.h, but don't see clearly where a pcap filename would be.

The two dissectors (not capture-dissectors) pol and pcapf have this Pkt stack info:
Code:
-----------------------------------------------------------
pol: Point of Listen
-----------------------------------------------------------
Pkt info:
        pol.layer1: Physical Layer
        pol.count: Packet number
        pol.file: File name
        pol.sesid: Session id
        pol.polid: Pol id
-----------------------------------------------------------
-----------------------------------------------------------

Code:
-----------------------------------------------------------
pcapf: Pcap file
-----------------------------------------------------------
Pkt info:
        pcapf.layer1: Physical Layer
        pcapf.count: Packet number
        pcapf.file: File name
-----------------------------------------------------------
-----------------------------------------------------------

Both have "File name": this is the file name of the pcap.

Quote:
I am thinking that since I'm dealing with a stack of items, the item that I'm looking for would be at the bottom (or top..) of this ppei->stack (but I still don't know how to access the filename information with it).

In the previous post I told you to see how I pull out the POL number and the SOL number (present in the stack). See the first code lines of DispPop in the Lite dispatcher:
Code:
  frame = ProtStackSearchProt(ppei->stack, pol_id);   /* find the pol (Point of Listen) frame in the PEI stack */
  if (frame) {
        ProtGetAttr(frame, pol_polid_id, &val);       /* pol.polid: Pol id */
        pol = val.int32;
        ProtGetAttr(frame, pol_sesid_id, &val);       /* pol.sesid: Session id */
        sess = val.int32;
  }


Quote:
Does it have something to do with the 'attr[2]' attribute of pstack_f ?

Yes... attr is not only 2 bytes ;).
I'm giving you a lot of support... now you have a user in the wiki, I hope you contribute in the (very near) future.

Ciao.
Gianluca


Thu Jul 29, 2010 5:19 am
Post Re: Questions about PEI format/purpose; extracting info from
In xplico-src/dispatch/custom/custom.c:DispInit(), I have:

Code:
pcap_prot_id = ProtId("pcapf");
if (pcap_prot_id != -1) {
    pei_pcap_filename_id = ProtPeiComptId(pcap_prot_id, "file");
}


I stepped through the ProtPeiComptId() function when the code reaches this point, and found that it sets pei_pcap_filename_id to -1 because it could not find a good entry in the prot_tbl (namely, prot_tbl[pcap_prot_id].peic_num == 0, where pcap_prot_id equals 0).

I then took steps to find out where this protocol table gets populated, and came across the DissecRegist() functions of dissectors/udp_grbg/udp_garbage.c and dissectors/pcapf/pcapf.c. For the udp_grbg example, it looks like the protocol table gets updated by calls to ProtPeiComponent(), but I then notice that pcapf.c does not have these ProtPeiComponent() calls; it instead has ProtInfo() calls.

Is there a reason why pcapf.c:DissecRegist() does not have these ProtPeiComponent() calls? Is it related to the way protocols are layered? I also notice that dissectors/eth/eth.c does not have these calls either.


Thu Jul 29, 2010 7:27 pm
Post Re: Questions about PEI format/purpose; extracting info from
gianluca.costa wrote:
I'm giving you a lot of support... now you have a user in the wiki, I hope you contribute in the (very near) future.

Ciao.
Gianluca

I really appreciate your help - without it, I would have to find out all of this information myself, costing time. Documentation is, however, not my current priority - my priority is results. I will document things once I have accomplished my goal(s) with Xplico - I need to get information exported first. Thank you though.


Thu Jul 29, 2010 7:31 pm
Post Re: Questions about PEI format/purpose; extracting info from
kizzobot wrote:
In xplico-src/dispatch/custom/custom.c:DispInit(), I have:

Code:
pcap_prot_id = ProtId("pcapf");
if (pcap_prot_id != -1) {
    pei_pcap_filename_id = ProtPeiComptId(pcap_prot_id, "file");
}


I stepped through the ProtPeiComptId() function when the code reaches this point, and found that it sets pei_pcap_filename_id to -1 because it could not find a good entry in the prot_tbl (namely, prot_tbl[pcap_prot_id].peic_num == 0, where pcap_prot_id equals 0).

I then took steps to find out where this protocol table gets populated, and came across the DissecRegist() functions of dissectors/udp_grbg/udp_garbage.c and dissectors/pcapf/pcapf.c. For the udp_grbg example, it looks like the protocol table gets updated by calls to ProtPeiComponent(), but I then notice that pcapf.c does not have these ProtPeiComponent() calls; it instead has ProtInfo() calls.

Is there a reason why pcapf.c:DissecRegist() does not have these ProtPeiComponent() calls? Is it related to the way protocols are layered? I also notice that dissectors/eth/eth.c does not have these calls either.


After looking at the code for a bit longer, something is telling me that I should not be using ProtPeiComptId() to access the needed filename data, because it doesn't seem like the filename is a PEI component - it seems like it's something else, and thus should have another function for accessing the data (I don't know what though).


Thu Jul 29, 2010 9:59 pm
Site Admin
Post Re: Questions about PEI format/purpose; extracting info from
Quote:
After looking at the code for a bit longer, something is telling me that I should not be using ProtPeiComptId() to access the needed filename data, because it doesn't seem like the filename is a PEI component - it seems like it's something else, and thus should have another function for accessing the data (I don't know what though).

In which dispatcher did you see the function ProtPeiComptId() being used? Maybe you did not understand what its purpose is. It seems to me very easy to understand how the dispatcher extracts the components of a PEI.
For example, for the POP protocol (PEI) dispatcher (function DispPop of the Lite dispatcher), the code to find and extract the components of a POP-PEI starts with:
Code:
    cmpn = ppei->components;
    while (cmpn != NULL) {
        if (cmpn->eid == pei_pop_user_id) {
            user = cmpn->strbuf;
        }
        else if (cmpn->eid == pei_pop_pswd_id) {
            pwd = cmpn->strbuf;
        }
        else if (cmpn->eid == pei_pop_eml_id) {
            path = cmpn->file_path;
        }
        cmpn = cmpn->next;
    }

Where at the end of the 'while' loop: user is the user name, pwd is the password, path is the path of the mail file.

The function ProtPeiComptId() and all these functions:
Code:
int PeiInit(pei *ppei);
int PeiNew(pei **ppei, int prot_id);
int PeiSetReturn(pei *ppei, bool ret);
int PeiParent(pei *ppei, pei *ppei_parent);
int PeiCapTime(pei *ppei, time_t time_cap);
int PeiDecodeTime(pei *ppei, time_t time_dec);
int PeiStackFlow(pei *ppei, const pstack_f *stack);
int PeiMarker(pei *ppei, unsigned long serial);
int PeiNewComponent(pei_component **comp, int comp_id);
int PeiCompAddFile(pei_component *comp, const char *file_name, const char *file_path, unsigned long file_size);
int PeiCompAddStingBuff(pei_component *comp, const char *strbuf);
int PeiCompCapTime(pei_component *comp, time_t time_cap);
int PeiCompCapEndTime(pei_component *comp, time_t time_cap_end);
int PeiCompError(pei_component *comp, eerror err);
int PeiCompUpdated(pei_component *comp);
pei_component *PeiCompSearch(pei *ppei, int comp);
int PeiAddComponent(pei *ppei, pei_component *comp);
int PeiAddStkGrp(pei *ppei, const pstack_f *add);
int PeiIns(pei *ppei);

can be used in a dissector to create/compose a PEI and all its components.

Ciao.
Gianluca


Fri Jul 30, 2010 5:30 am
Site Admin
Post Re: Questions about PEI format/purpose; extracting info from
Quote:
I really appreciate your help - without it, I would have to find out all of this information myself, costing time. Documentation is, however, not my current priority - my priority is results. I will document things once I have accomplished my goal(s) with Xplico - I need to get information exported first. Thank you though.

Exactly, I'm saving you some time.
I understand your priorities. I work for a living and certainly helping you is not my priority during the week.
Maybe you should wait until I have time to write documentation on the wiki.
I do not believe in promises, especially if they come from companies.

Ciao.
Gianluca


Fri Jul 30, 2010 5:59 am
Post Re: Questions about PEI format/purpose; extracting info from
gianluca.costa wrote:
Quote:
After looking at the code for a bit longer, something is telling me that I should not be using ProtPeiComptId() to access the needed filename data, because it doesn't seem like the filename is a PEI component - it seems like it's something else, and thus should have another function for accessing the data (I don't know what though).

In which dispatcher did you see the function ProtPeiComptId() being used? Maybe you did not understand what its purpose is. It seems to me very easy to understand how the dispatcher extracts the components of a PEI.
For example, for the POP protocol (PEI) dispatcher (function DispPop of the Lite dispatcher), the code to find and extract the components of a POP-PEI starts with:
Code:
    cmpn = ppei->components;
    while (cmpn != NULL) {
        if (cmpn->eid == pei_pop_user_id) {
            user = cmpn->strbuf;
        }
        else if (cmpn->eid == pei_pop_pswd_id) {
            pwd = cmpn->strbuf;
        }
        else if (cmpn->eid == pei_pop_eml_id) {
            path = cmpn->file_path;
        }
        cmpn = cmpn->next;
    }

Where at the end of the 'while' loop: user is the user name, pwd is the password, path is the path of the mail file.

Oh yes, I've seen that code before, and understand what it does. I know how to extract those components - it doesn't seem like you can get the PCAP filename from that though. From the code that you showed earlier regarding how to get the PCAP filename from a PEI (viewtopic.php?p=623#p623), you used a different set of functions to extract the filename - this is what I'm looking for.

I believe that this is where I'm getting confused - the PCAP filename doesn't seem to be a PEI component; if it were, I probably would have thought to add another "else if" branch and said "pcap_filename = cmpn->strbuf;" (where appropriate). It seems like filename info is somewhere else though, and the following post (viewtopic.php?p=626#p626) details my debugging with regards to extracting the filename.

In xplico-src/dispatch/custom/custom.c:DispInsPei(), I have:
Code:
        frame = ProtStackSearchProt(ppei->stack, pcap_prot_id);
        if (frame) {
            ProtGetAttr(frame, pei_pcap_filename_id, &val);
            filename = val.str;
        }

but then the "filename" variable ends up being trash (NULL, or something).


Fri Jul 30, 2010 8:56 pm
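Added example, not Xplico's code nor any poster's: a self-contained C model of the two lookups this thread discusses, reading the capture file name as a stack-frame attribute (pcapf.file) the same way DispPop reads pol.polid, and walking the component list for the POP fields. All type names, function names, ids and sample values are constructed stand-ins for Xplico's pei / pei_component / pstack_f types and its Prot*() calls, so the block runs without the Xplico tree.

```c
/* Simplified model of Xplico's pei / pei_component / pstack_f (not its code). */
#include <string.h>
enum { PROT_ETH = 1, PROT_PCAPF = 2, PROT_POP = 3 };             /* constructed ids */
enum { ATTR_PCAPF_FILE = 20, ATTR_PCAPF_COUNT = 21 };            /* constructed ids */
enum { CMP_POP_USER = 30, CMP_POP_PSWD = 31, CMP_POP_EML = 32 }; /* constructed ids */

typedef struct { int id; const char *str; int int32; } attr_t;
typedef struct frame {          /* one protocol layer of ppei->stack */
    int prot_id; attr_t attr[2]; int nattr; const struct frame *next;
} frame_t;
typedef struct comp {           /* one PEI component */
    int eid; const char *strbuf; const char *file_path; const struct comp *next;
} comp_t;
typedef struct { const frame_t *stack; const comp_t *components; } pei_t;

/* Like ProtStackSearchProt(): first frame of that protocol, or NULL. */
static const frame_t *stack_search_prot(const frame_t *s, int prot_id) {
    for (; s != NULL; s = s->next) if (s->prot_id == prot_id) return s;
    return NULL;
}
/* Like ProtGetAttr(): one attribute of a frame by attribute id, or NULL. */
static const attr_t *frame_get_attr(const frame_t *f, int attr_id) {
    for (int i = 0; i < f->nattr; i++) if (f->attr[i].id == attr_id) return &f->attr[i];
    return NULL;
}
/* The capture file name is a stack-frame attribute (pcapf.file / pol.file), not a
 * PEI component: find the frame, then read the attribute, as DispPop does for pol. */
const char *pei_pcap_file(const pei_t *p) {
    const frame_t *f = stack_search_prot(p->stack, PROT_PCAPF);
    const attr_t *a = f ? frame_get_attr(f, ATTR_PCAPF_FILE) : NULL;
    return a ? a->str : NULL;
}
/* Same loop shape as DispPop: walk ppei->components, matching on eid. */
void pei_pop_fields(const pei_t *p, const char **user, const char **pwd, const char **path) {
    *user = *pwd = *path = NULL;
    for (const comp_t *c = p->components; c != NULL; c = c->next) {
        if (c->eid == CMP_POP_USER) *user = c->strbuf;
        else if (c->eid == CMP_POP_PSWD) *pwd = c->strbuf;
        else if (c->eid == CMP_POP_EML) *path = c->file_path;
    }
}
/* Constructed sample PEI: stack pcapf -> eth -> pop, plus three POP components. */
static const frame_t f_pop = { PROT_POP, {{0}}, 0, NULL };
static const frame_t f_eth = { PROT_ETH, {{0}}, 0, &f_pop };
static const frame_t f_pcapf = { PROT_PCAPF,
    {{ATTR_PCAPF_FILE, "sample_capture.pcap", 0}, {ATTR_PCAPF_COUNT, NULL, 42}}, 2, &f_eth };
static const comp_t c_eml  = { CMP_POP_EML, NULL, "/tmp/xplico/pop/msg_0001.eml", NULL };
static const comp_t c_pswd = { CMP_POP_PSWD, "example-password", NULL, &c_eml };
static const comp_t c_user = { CMP_POP_USER, "alice", NULL, &c_pswd };
const pei_t sample_pei = { &f_pcapf, &c_user };
```

A stack that carries no pcapf (or pol) frame yields NULL from pei_pcap_file, which is the case to check for before using the name, rather than the garbage value the thread's last post describes.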