v0.0.1

1 files changed, 81 insertions, 44 deletions

diff --git a/example/osfp_example.c b/example/osfp_example.c
index a6c9ab8..f36e430 100644
--- a/example/osfp_example.c
+++ b/example/osfp_example.c
@@ -15,9 +15,9 @@
 #include <pcap.h>
 
 #include "libosfp.h"
-#include "libosfp_fingerprint.h"
+#include "libosfp_score_db.h"
 
-#define DEFAULT_FP_FILE "./fp.json"
+#define DEFAULT_FP_FILE_PATH "./fp.json"
 
 #define ETHERNET_HEADER_LEN     14
 #define VLAN_HEADER_LEN         4
@@ -131,6 +131,9 @@ typedef struct Packet_ {
     struct ipv6hdr *ip6h;
     struct tcphdr *tcph;
 
+    char srcip[46];
+    char dstip[46];
+
     Address src;
     Address dst;
     union {
@@ -154,7 +157,10 @@ typedef struct Packet_ {
 } Packet;
 
 
-unsigned char *fp_file;
+unsigned char *fp_file_path;
+unsigned char *fp_output_file_path;
+FILE *fingerprinting_output_fp;
+
 unsigned char *if_name;
 unsigned char *pcap_file_name;
 unsigned char *bpf_string;
@@ -172,7 +178,7 @@ void usage(void) {
         "  -i iface  - listen on the specified network interface\n"
         "  -r file   - read offline pcap data from a given file\n"
         "  -f file   - read fingerprint database from 'file' (%s)\n",
-        DEFAULT_FP_FILE);
+        DEFAULT_FP_FILE_PATH);
     exit(1);
 }
 
@@ -427,50 +433,39 @@ const char *PrintInet(int af, const void *src, char *dst, socklen_t size)
     return NULL;
 }
 
-void example_header_match(libosfp_context_t *libosfp_context, Packet *p)
+void example_detect(libosfp_context_t *libosfp_context, Packet *p)
 {
-    // tcp/ip header match
     int ret;
     char str_buf[1024];
 
     unsigned char *iph = (unsigned char *)(p->iph != NULL ? (void *)p->iph : (void *)p->ip6h);
     unsigned char *tcph = (unsigned char *)p->tcph;
     libosfp_result_t result;
+    unsigned int os_class_flags = LIBOSFP_OS_CLASS_FLAG_WINDOWS | LIBOSFP_OS_CLASS_FLAG_LINUX | LIBOSFP_OS_CLASS_FLAG_MAC_OS;
 
-    printf("Example header match: --------------------------\n");
+    printf("Example header detect: --------------------------\n");
 
-    ret = libosfp_header_match(libosfp_context, iph, tcph, &result);
+    ret = libosfp_detect(libosfp_context, os_class_flags, iph, tcph, &result);
     if (ret != 0) {
         printf("libosfp header match failed, erro: %s\n", "?");
         goto exit;
     }
 
-    char srcip[46] = {0}, dstip[46] = {0};
-    Port sp, dp;
-    if (p->iph) {
-        PrintInet(AF_INET, (const void *)&(p->src.addr_data32[0]), srcip, sizeof(srcip));
-        PrintInet(AF_INET, (const void *)&(p->dst.addr_data32[0]), dstip, sizeof(dstip));
-    } else if (p->ip6h) {
-        PrintInet(AF_INET6, (const void *)&(p->src.address), srcip, sizeof(srcip));
-        PrintInet(AF_INET6, (const void *)&(p->dst.address), dstip, sizeof(dstip));
-    }
-    sp = p->sp;
-    dp = p->dp;
-
-    printf("Connection info: %s:%d -> %s:%d\n", srcip, sp, dstip, dp);
+    printf("Connection info: %s:%d -> %s:%d\n", p->srcip, p->sp, p->dstip, p->dp);
     printf("Most likely os class: %s\n", libosfp_result_likely_os_class_name_get(&result));
-    printf("Likely score: %u/100\n", libosfp_result_likely_os_class_score_get(&result));
+    printf("Likely score: %u/100\n", result.score.likely_score);
 
-    libosfp_result_to_buf(&result, str_buf, sizeof(str_buf));
-    fprintf(stdout, "%s\n", str_buf);
+    printf("Details:\n");
+    if (libosfp_result_to_buf(&result, str_buf, sizeof(str_buf))) {
+        printf("%s", str_buf);
+    }
 
 exit:
     return;
 }
 
-void example_fingerprint_match(libosfp_context_t *libosfp_context, Packet *p)
+void example_detect_fingerprint(libosfp_context_t *libosfp_context, Packet *p)
 {
-    // fingerprint match
     int ret;
     char str_buf[1024];
 
@@ -479,8 +474,9 @@ void example_fingerprint_match(libosfp_context_t *libosfp_context, Packet *p)
     libosfp_result_t result;
     libosfp_fingerprint_t fp;
 
-    printf("Example fingerprint match: --------------------------\n");
-
+    // fingerprinting
+    printf("Example fingerprint detect: --------------------------\n");
+    memset(&fp, 0, sizeof(libosfp_fingerprint_t));
     ret = libosfp_fingerprinting(iph, tcph, &fp);
     if (ret != 0) {
         printf("libosfp fingerprinting failed\n");
@@ -488,20 +484,31 @@ void example_fingerprint_match(libosfp_context_t *libosfp_context, Packet *p)
     }
 
     libosfp_fingerprint_to_json_buf(&fp, str_buf, sizeof(str_buf));
-    fprintf(stdout, "%s\n", str_buf);
+    printf("%s\n", str_buf);
+
+    // output fingerprint with connection info line
+    if (fingerprinting_output_fp) {
+        fprintf(fingerprinting_output_fp, "Connection info: %s:%d -> %s:%d\n", p->srcip, p->sp, p->dstip, p->dp);
+        fprintf(fingerprinting_output_fp, "%s\n", str_buf);
+        fflush(fingerprinting_output_fp);
+    }
 
-    ret = libosfp_score_db_score(libosfp_context, &fp, &result);
+    // score
+    memset(&result, 0, sizeof(libosfp_result_t));
+    ret = libosfp_score_db_score(libosfp_context->score_db, 0, &fp, &result.score);
     if (ret != 0) {
         printf("libosfp fingerprint score failed, error: %d\n", ret);
         goto exit;
     }
 
-    printf("Connection info: %s\n", "");
+    printf("Connection info: %s:%d -> %s:%d\n", p->srcip, p->sp, p->dstip, p->dp);
     printf("Most likely os class: %s\n", libosfp_result_likely_os_class_name_get(&result));
-    printf("Likely score: %u/100\n", libosfp_result_likely_os_class_score_get(&result));
+    printf("Likely score: %u/100\n", result.score.likely_score);
 
-    libosfp_result_to_buf(&result, str_buf, sizeof(str_buf));
-    fprintf(stdout, "%s\n", str_buf);
+    printf("Details:\n");
+    if (libosfp_result_to_buf(&result, str_buf, sizeof(str_buf))) {
+        printf("%s", str_buf);
+    }
 
 exit:
     return;
@@ -524,9 +531,19 @@ void process_packet(char *user, struct pcap_pkthdr *h, u_char *pkt)
         goto exit;
     }
 
-    example_header_match(libosfp_context, p);
+    if (p->iph) {
+        PrintInet(AF_INET, (const void *)&(p->src.addr_data32[0]), p->srcip, sizeof(p->srcip));
+        PrintInet(AF_INET, (const void *)&(p->dst.addr_data32[0]), p->dstip, sizeof(p->dstip));
+    } else if (p->ip6h) {
+        PrintInet(AF_INET6, (const void *)&(p->src.address), p->srcip, sizeof(p->srcip));
+        PrintInet(AF_INET6, (const void *)&(p->dst.address), p->dstip, sizeof(p->dstip));
+    }
+
+    // fingerprint detect example for libosfp developer
+    example_detect_fingerprint(libosfp_context, p);
 
-    example_fingerprint_match(libosfp_context, p);
+    // tcp/ip header detect example for user
+    example_detect(libosfp_context, p);
 
     printf("---------------------------    processed packet count %d\n", ++processed_packet);
 
@@ -538,14 +555,14 @@ int main(int argc, char *argv[])
 {
     int r;
 
-    while ((r = getopt(argc, argv, "+f:i:r:")) != -1) {
+    while ((r = getopt(argc, argv, "+f:i:r:o:")) != -1) {
         switch(r) {
             case 'f':
-                if (fp_file) {
+                if (fp_file_path) {
                     printf("Multiple -f options not supported.\n");
                     exit(1);
                 }
-                fp_file = (unsigned char*)optarg;
+                fp_file_path = (unsigned char*)optarg;
                 break;
             case 'i':
                 if (if_name) {
@@ -561,6 +578,13 @@ int main(int argc, char *argv[])
                 }
                 pcap_file_name = (unsigned char*)optarg;
                 break;
+            case 'o':
+                if (fp_output_file_path) {
+                    printf("Multiple -o options not supported.\n");
+                    exit(1);
+                }
+                fp_output_file_path = (unsigned char*)optarg;
+                break;
             default:
                 usage();
                 break;
@@ -576,6 +600,15 @@ int main(int argc, char *argv[])
         }
     }
 
+    // fingerprinting out file create
+    if (fp_output_file_path) {
+        fingerprinting_output_fp = fopen(fp_output_file_path, "a+");
+        if (!fingerprinting_output_fp) {
+            printf("No such file: %s\n", fp_output_file_path);
+            exit(1);
+        }
+    }
+
     // prepare pcap handle
 
     char pcap_err[PCAP_ERRBUF_SIZE];
@@ -621,13 +654,14 @@ int main(int argc, char *argv[])
     link_type = pcap_datalink(pcap_handle);
 
     // create libosfp context
-    if (fp_file == NULL) {
-        fp_file = DEFAULT_FP_FILE;
+    if (fp_file_path == NULL) {
+        fp_file_path = DEFAULT_FP_FILE_PATH;
     }
 
-    libosfp_context_t *libosfp_context = libosfp_context_create(fp_file);
+    //libosfp_context_t *libosfp_context = libosfp_context_create(fp_file_path);
+    libosfp_context_t *libosfp_context = libosfp_context_create(NULL);
     if (libosfp_context == NULL) {
-        printf("could not create libosfp context. fingerprints file: %s\n", fp_file);
+        printf("could not create libosfp context. fingerprints file: %s\n", fp_file_path);
         exit(1);
     }
 
@@ -635,9 +669,12 @@ int main(int argc, char *argv[])
     r = libosfp_context_setup(libosfp_context);
     if (r != LIBOSFP_NOERR) {
         printf("could not setup libosfp context. error: %d\n", LIBOSFP_NOERR);
+        libosfp_context_destroy(libosfp_context);
         exit(1);
     }
 
+    libosfp_score_db_debug_print(libosfp_context->score_db);
+
     // loop
     while (1) {
         int r = pcap_dispatch(pcap_handle, 0, (pcap_handler)process_packet, (void*)libosfp_context);    
@@ -647,7 +684,7 @@ int main(int argc, char *argv[])
         }
     }
 
-    // create libosfp context
+    // destroy libosfp context
     libosfp_context_destroy(libosfp_context);
 
     return 0;