Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/src/analyzer/protocol/ntp/NTP.cc
Jon Siwek b6862c5c59 Add methods to queue events without handler existence check 
Added ConnectionEventFast() and QueueEventFast() methods to avoid
redundant event handler existence checks.

It's common practice for caller to already check for event handler
existence before doing all the work of constructing the arguments, so
it's desirable to not have to check for existence again.

E.g. going through ConnectionEvent() means 3 existence checks:
one you do yourself before calling it, one in ConnectionEvent(), and then
another in QueueEvent().

The existence check itself can be more than a few operations sometimes
as it needs to check a few flags that determine if it's enabled, has
a local body, or has any remote receivers in the old comm. system or
has been flagged as something to publish in the new comm. system.
2019-04-11 20:30:25 -07:00

114 lines
2.9 KiB
C++
Raw Blame History

// See the file "COPYING" in the main distribution directory for copyright.
#include "bro-config.h"
#include "NetVar.h"
#include "NTP.h"
#include "Sessions.h"
#include "Event.h"
#include "events.bif.h"
using namespace analyzer::ntp;
NTP_Analyzer::NTP_Analyzer(Connection* conn)
: Analyzer("NTP", conn)
{
ADD_ANALYZER_TIMER(&NTP_Analyzer::ExpireTimer,
network_time + ntp_session_timeout, 1,
TIMER_NTP_EXPIRE);
}
void NTP_Analyzer::Done()
{
Analyzer::Done();
Event(udp_session_done);
}
void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64 seq, const IP_Hdr* ip, int caplen)
{
Analyzer::DeliverPacket(len, data, is_orig, seq, ip, caplen);
// Actually we could just get rid of the Request/Reply and simply use
// the code of Message(). But for now we use it as an example of how
// to convert an old-style UDP analyzer.
if ( is_orig )
Request(data, len);
else
Reply(data, len);
}
int NTP_Analyzer::Request(const u_char* data, int len)
{
Message(data, len);
return 1;
}
int NTP_Analyzer::Reply(const u_char* data, int len)
{
Message(data, len);
return 1;
}
void NTP_Analyzer::Message(const u_char* data, int len)
{
if ( (unsigned) len < sizeof(struct ntpdata) )
{
Weird("truncated_NTP");
return;
}
struct ntpdata* ntp_data = (struct ntpdata *) data;
len -= sizeof *ntp_data;
data += sizeof *ntp_data;
if ( ! ntp_message )
return;
RecordVal* msg = new RecordVal(ntp_msg);
unsigned int code = ntp_data->status & 0x7;
msg->Assign(0, val_mgr->GetCount((unsigned int) (ntohl(ntp_data->refid))));
msg->Assign(1, val_mgr->GetCount(code));
msg->Assign(2, val_mgr->GetCount((unsigned int) ntp_data->stratum));
msg->Assign(3, val_mgr->GetCount((unsigned int) ntp_data->ppoll));
msg->Assign(4, val_mgr->GetInt((unsigned int) ntp_data->precision));
msg->Assign(5, new Val(ShortFloat(ntp_data->distance), TYPE_INTERVAL));
msg->Assign(6, new Val(ShortFloat(ntp_data->dispersion), TYPE_INTERVAL));
msg->Assign(7, new Val(LongFloat(ntp_data->reftime), TYPE_TIME));
msg->Assign(8, new Val(LongFloat(ntp_data->org), TYPE_TIME));
msg->Assign(9, new Val(LongFloat(ntp_data->rec), TYPE_TIME));
msg->Assign(10, new Val(LongFloat(ntp_data->xmt), TYPE_TIME));
ConnectionEventFast(ntp_message, {
BuildConnVal(),
msg,
new StringVal(new BroString(data, len, 0)),
});
}
double NTP_Analyzer::ShortFloat(struct s_fixedpt fp)
{
return ConvertToDouble(ntohs(fp.int_part), ntohs(fp.fraction), 65536.0);
}
double NTP_Analyzer::LongFloat(struct l_fixedpt fp)
{
double t = ConvertToDouble(ntohl(fp.int_part), ntohl(fp.fraction),
4294967296.0);
return t ? t - JAN_1970 : 0.0;
}
double NTP_Analyzer::ConvertToDouble(unsigned int int_part,
unsigned int fraction, double frac_base)
{
return double(int_part) + double(fraction) / frac_base;
}
void NTP_Analyzer::ExpireTimer(double /* t */)
{
Event(connection_timeout);
sessions->Remove(Conn());
}
Reference in a new issue View git blame Copy permalink