http_connect.c File Reference

#include <stdlib.h>
#include <stdio.h>
#include <math.h>
#include <sys/time.h>

Include dependency graph for http_connect.c:

Go to the source code of this file.

Defines
#define	max(a, b)   ((a) >= (b) ? (a) : (b))
#define	min(a, b)   ((a) <= (b) ? (a) : (b))
Enumerations
enum	inputs {   SYN, FIN, RST, ACK_ONLY,   DATA_ACK }
enum	states {   PENDING, SYN_SENT, FIN_SENT, RESET,   IN_REQUEST, IN_RESPONSE }
Functions
void	begin_REQ (void)
void	begin_RSP (void)
int	check_ACK_advance (unsigned long old_ack)
void	check_tuple_reuse (void)
long	elapsed_ms (char *end, char *start)
void	error_line (char *s)
void	error_state (char *s)
void	get_host_port (char *adr, char *host, char *port)
int	get_sequence (char *p, unsigned long *begin, unsigned long *end, unsigned long *bytes)
void	init_active (void)
void	init_connection (void)
void	log_ACT (char *how)
void	log_connection (void)
void	log_END (char *how)
void	log_log (void)
void	log_nosyn (void)
void	log_REQ (void)
void	log_RSP (void)
void	log_SYN (void)
void	main (int argc, char *argv[])
void	more_REQ (void)
void	more_RSP (void)
int	parse_dump_record (void)
static void	tvsub (struct timeval *tdiff, struct timeval *t1, struct timeval *t0)
void	Usage (char *s)
Variables
int	act_req_count = 0
int	act_rsp_count = 0
unsigned long	begin_seq
enum states	connection_state = PENDING
char	current_dst [25] = ""
unsigned long	current_request_end
unsigned long	current_response_end
char	current_src [25] = ""
unsigned long	current_synseq
char	dh [25]
char	dst_host [25]
char	dst_port [10]
FILE *	dumpFP
long	elapsed
unsigned long	end_seq
int	err_count = 0
int	fin_count = 0
char	FIN_sent_time [20]
char	fl [5]
char	gt [3]
int	has_ack
int	has_seq
int	have_ACK_error = 0
int	have_FINdata_error = 0
int	have_pending_acks = 0
int	have_pending_fins = 0
int	have_pending_othr = 0
int	have_pending_rsts = 0
int	have_value_error = 0
char	input_name [256] = ""
enum inputs	input_type
char	last_connection_time [20]
unsigned long	last_request_end
unsigned long	last_response_end
enum states	last_state = PENDING
timeval	lastTime = {0,0}
char	log_name [256] = ""
FILE *	logFP
char	lt [3]
unsigned long	new_ack
int	new_address = 0
char	new_line [500]
FILE *	outFP
char	output_name [256] = ""
char	p1 [50]
char	p2 [50]
char	p3 [50]
int	pending_ack_count = 0
int	pending_cmb_count = 0
int	pending_fin_count = 0
int	pending_oth_count = 0
int	pending_rst_count = 0
int	rc = 0
timeval	recvTime
int	report_ACK_err = 1
int	req_count = 0
char	request_end_time [20]
char	response_end_time [20]
int	rsp_count = 0
int	rst_count = 0
char	RST_sent_time [20]
unsigned long	seq_bytes
char	sh [25]
char	src_host [25]
char	src_port [10]
char	start_request_time [20]
char	start_response_time [20]
int	syn_count = 0
int	trm_count = 0
char	ts [20]

---

Define Documentation

#define max (  a, b   )     ((a) >= (b) ? (a) : (b))

Definition at line 74 of file http_connect.c.

#define min (  a, b   )     ((a) <= (b) ? (a) : (b))

Definition at line 73 of file http_connect.c.

---

Enumeration Type Documentation

enum inputs

Enumerator: SYN  FIN  RST  ACK_ONLY  DATA_ACK  Definition at line 172 of file http_connect.c. {SYN, FIN, RST, ACK_ONLY, DATA_ACK};

enum states

Enumerator: PENDING  SYN_SENT  FIN_SENT  RESET  IN_REQUEST  IN_RESPONSE  Definition at line 167 of file http_connect.c. {PENDING, SYN_SENT, FIN_SENT, RESET, IN_REQUEST, IN_RESPONSE};

---

Function Documentation

void begin_REQ (  void   )

Definition at line 1272 of file http_connect.c. References connection_state, current_request_end, IN_REQUEST, last_state, new_ack, request_end_time, start_request_time, and ts. Referenced by main(). { current_request_end = new_ack; /* record the request start time as beginning at the tcpdump time stamp on this record */ strcpy(start_request_time, ts); strcpy(request_end_time, ts); last_state = connection_state; connection_state = IN_REQUEST; }

void begin_RSP (  void   )

Definition at line 1296 of file http_connect.c. References connection_state, current_response_end, end_seq, IN_RESPONSE, last_state, response_end_time, start_response_time, and ts. Referenced by main(). { current_response_end = end_seq; /* record timestamp of tcpdump record as current value of both start and end times of response (in case no later end time is found) */ strcpy(start_response_time, ts); strcpy(response_end_time, ts); last_state = connection_state; connection_state = IN_RESPONSE; }

int check_ACK_advance (  unsigned long  old_ack  )

Definition at line 1181 of file http_connect.c. References error_state(), have_ACK_error, new_ack, and report_ACK_err. Referenced by main(). { if ((new_ack < old_ack) && report_ACK_err) { if (have_ACK_error == 0) { error_state("ACK error -- backward"); have_ACK_error = 1; } return(-1); } else return (0); } Here is the call graph for this function:

void check_tuple_reuse (  void   )

Definition at line 1200 of file http_connect.c. References begin_seq, connection_state, current_synseq, elapsed, elapsed_ms(), error_state(), FIN_SENT, has_seq, IN_REQUEST, IN_RESPONSE, init_connection(), last_connection_time, last_state, log_END(), log_REQ(), log_RSP(), RESET, SYN_SENT, and ts. Referenced by main(). { /* ignore duplicate SYNs (have same SYN sequence number) */ if ((has_seq == 1) && (current_synseq != begin_seq)) { /* if a non-duplicate SYN comes before any other activity, treat it as terminating the incomplete connection and starting another */ if ((connection_state == SYN_SENT) || ((connection_state == RESET) && (last_state == SYN_SENT))) { log_END("TRM"); init_connection(); return; } /* It is quite possible to have a valid new connection that reuses the same source and destination IP.port address 4-tuple. Treat this as valid if there has been a FIN from the server or at least 2*MSL has passed since seeing any previous packet from this connection (in case we missed the FIN). If there was a FIN from the server, allow for the case it was an active close by the server (normal for HTTP 1.0), the stack is a BSD derivative, and SO_REUSEADDR is is use (see Stevens vol. 1, pp 245) */ if (connection_state == FIN_SENT) elapsed = 60001; /* force beyond 2MSL test */ else elapsed = elapsed_ms(ts, last_connection_time); if (elapsed < 60000) /* MSL of 30 seconds, minimum */ error_state("Non-duplicate SYN in connection"); else { /* perform all actions associated with the end of one connection and the beginning of the next (see state PENDING) */ switch (connection_state) { case FIN_SENT: log_END("FIN"); break; case RESET: if (last_state == IN_RESPONSE) log_RSP(); log_END("RST"); break; case IN_RESPONSE: log_RSP(); log_END("TRM"); break; case IN_REQUEST: log_REQ(); log_END("TRM"); break; default: break; } init_connection(); } } } Here is the call graph for this function:

long elapsed_ms (  char *  end, char *  start )

void error_line (  char *  s  )

void error_state (  char *  s  )

void get_host_port (  char *  adr, char *  host, char *  port )

Definition at line 1714 of file http_connect.c. Referenced by log_ACT(), log_END(), and log_SYN(). { char *fp; char *fpx; char adr_field[50]; strcpy(adr_field, adr); /* break string at '.' separating host and port fields (last in string) */ fp = (char *)rindex(adr_field, '.'); *fp = '\0'; /* replace '.' with string terminator */ strcpy(host, adr_field); /* copies host name up to terminator */ fp++; /* move pointer past terminator to 1st char in port field */ fpx = (char *)index(fp, ':'); /* see if we have the ':' after a dst port */ if (fpx != NULL) *fpx = '\0'; /* if so, replace with string terminator */ strcpy(port, fp); }

int get_sequence (  char *  p, unsigned long *  begin, unsigned long *  end, unsigned long *  bytes )

Definition at line 1733 of file http_connect.c. Referenced by parse_dump_record(). { char seq_field[50]; char *cursor = seq_field; char *fp; strcpy (seq_field, p); fp = (char *)strsep(&cursor, ":" ); if ((cursor == (char *)NULL) || (fp == (char *)NULL)) return (-1); else *begin = strtoul(fp, (char **)NULL, 10); fp = (char *)strsep(&cursor, "(" ); if ((cursor == (char *)NULL) || (fp == (char *)NULL)) return (-1); else *end = strtoul(fp, (char **)NULL, 10); fp = (char *)strsep(&cursor, ")" ); if ((cursor == (char *)NULL) || (fp == (char *)NULL)) return (-1); else *bytes = strtoul(fp, (char **)NULL, 10); return(0); }

void init_active (  void   )

Definition at line 1165 of file http_connect.c. References FIN_sent_time, have_ACK_error, have_FINdata_error, have_value_error, last_connection_time, and RST_sent_time. Referenced by main(). { strcpy(FIN_sent_time, ""); strcpy(RST_sent_time, ""); strcpy(last_connection_time, ""); have_ACK_error = 0; have_value_error = 0; have_FINdata_error = 0; }

void init_connection (  void   )

Definition at line 1131 of file http_connect.c. References begin_seq, connection_state, current_request_end, current_response_end, current_synseq, error_line(), FIN_sent_time, has_seq, have_ACK_error, have_FINdata_error, have_value_error, last_connection_time, last_request_end, last_response_end, log_SYN(), RST_sent_time, and SYN_SENT. Referenced by check_tuple_reuse(), and main(). { log_SYN(); /* log start of connection */ connection_state = SYN_SENT; /* new connection state */ /* save SYN sequence number for duplicate detection */ if (has_seq == 1) current_synseq = begin_seq; else error_line ("SYN without valid sequence #"); /* assume tcpdump relative addressing and initialize */ /* note that initializing to 1 instead of 0 adjusts for ACK being the next expected sequence number */ last_request_end = 1; /* need "last" and "current" */ last_response_end = 1; /* values since there may be */ current_response_end = 1; /* > 1 request per connection */ current_request_end = 1; strcpy(FIN_sent_time, ""); strcpy(RST_sent_time, ""); strcpy(last_connection_time, ""); have_ACK_error = 0; have_value_error = 0; have_FINdata_error = 0; } Here is the call graph for this function:

void log_ACT (  char *  how  )

Definition at line 1665 of file http_connect.c. References act_req_count, act_rsp_count, current_dst, current_src, dst_host, dst_port, get_host_port(), outFP, src_host, src_port, and ts. Referenced by main(). { /* parse sourse host/port */ get_host_port(current_src, src_host, src_port); /* parse destination host/port */ get_host_port(current_dst, dst_host, dst_port); /* for activity on a SYN-less connection we record the tcpdump timestamp of the first record of activiy associated with that conneciton along with the TCP connection 4-tuple and the way the connection started (Request or Response). */ fprintf(outFP, "%s %-15s %5s > %-15s %4s: ACT-%s\n", ts, dst_host, dst_port, src_host, src_port, how); if (strcmp(how, "REQ") == 0) act_req_count++; else if (strcmp(how, "RSP") == 0) act_rsp_count++; } Here is the call graph for this function:

void log_connection (  void   )

Definition at line 1473 of file http_connect.c. References connection_state, current_response_end, FIN_SENT, have_pending_acks, have_pending_fins, have_pending_othr, have_pending_rsts, IN_REQUEST, IN_RESPONSE, last_response_end, last_state, log_END(), log_REQ(), log_RSP(), PENDING, pending_ack_count, pending_cmb_count, pending_fin_count, pending_oth_count, pending_rst_count, and RESET. Referenced by main(). { /* if no more tcpdump records found while processing an http request, log (perhaps incomplete) client request */ if (connection_state == IN_REQUEST) log_REQ(); else { /* if no more records found while processing an http response, log (perhaps incomplete) response information */ if ((connection_state == IN_RESPONSE) || ((connection_state == RESET) && last_state == IN_RESPONSE)) { /* don't log if just ACKed 1 (assume FIN) */ if (current_response_end > (last_response_end + 1)) log_RSP(); } } /* make log entry indicating type of connection termination; entry for connection is made only if a valid start (SYN) was previously recognized */ if (connection_state != PENDING) /* saw SYN */ { if (connection_state == FIN_SENT) log_END("FIN"); else { if (connection_state == RESET) log_END("RST"); else log_END("TRM"); } } else { if (((have_pending_fins > 0) + (have_pending_rsts > 0) + (have_pending_othr > 0) + (have_pending_acks > 0)) > 1) pending_cmb_count++; else { pending_fin_count += (have_pending_fins > 0); pending_rst_count += (have_pending_rsts > 0); pending_ack_count += (have_pending_acks > 0); pending_oth_count += (have_pending_othr > 0); } } } Here is the call graph for this function:

void log_END (  char *  how  )

Definition at line 1624 of file http_connect.c. References current_dst, current_src, dst_host, dst_port, fin_count, FIN_sent_time, get_host_port(), last_connection_time, outFP, rst_count, RST_sent_time, src_host, src_port, and trm_count. Referenced by check_tuple_reuse(), and log_connection(). { char logical_end_time[20]; /* parse sourse host/port */ get_host_port(current_src, src_host, src_port); /* parse destination host/port */ get_host_port(current_dst, dst_host, dst_port); if (strcmp(how, "FIN") == 0) { fin_count++; strcpy(logical_end_time, FIN_sent_time); } else { if (strcmp(how, "RST") == 0) { rst_count++; strcpy(logical_end_time, RST_sent_time); } else if (strcmp(how, "TRM") == 0) { trm_count++; strcpy(logical_end_time, last_connection_time); } } /* for termination of a connection we record the tcpdump timestamp of the last record of any kind associated with that conneciton along with the TCP connection 4-tuple and the way the connection ended (FIN, Reset, or just no more records in the trace). */ fprintf(outFP, "%s %-15s %5s > %-15s %4s: %s %s\n", last_connection_time, dst_host, dst_port, src_host, src_port, how, logical_end_time); } Here is the call graph for this function:

void log_log (  void   )

Definition at line 1527 of file http_connect.c. References act_req_count, act_rsp_count, err_count, fin_count, input_name, logFP, output_name, pending_ack_count, pending_cmb_count, pending_fin_count, pending_oth_count, pending_rst_count, req_count, rsp_count, rst_count, syn_count, and trm_count. Referenced by main(). { fprintf(logFP, "Input tcpdump file: %s \n", input_name); fprintf(logFP, "Output connection file: %s \n", output_name); fprintf(logFP, " SYNs %8d \n", syn_count); fprintf(logFP, " REQs %8d \n", req_count); fprintf(logFP, " ACT-REQs %8d \n", act_req_count); fprintf(logFP, " RSPs %8d \n", rsp_count); fprintf(logFP, " ACT-RSPs %8d \n", act_rsp_count); fprintf(logFP, " FINs %8d \n", fin_count); fprintf(logFP, " RSTs %8d \n", rst_count); fprintf(logFP, " TRMs %8d \n", trm_count); fprintf(logFP, " ERRs %8d \n", err_count); fprintf(logFP, "Partial Connections:\n"); fprintf(logFP, " FIN only %8d \n", pending_fin_count); fprintf(logFP, " RST only %8d \n", pending_rst_count); fprintf(logFP, " ACK only %8d \n", pending_ack_count); fprintf(logFP, " Combos %8d \n", pending_cmb_count); fprintf(logFP, " Other %8d \n", pending_oth_count); }

void log_nosyn (  void   )

void log_REQ (  void   )

void log_RSP (  void   )

void log_SYN (  void   )

Definition at line 1611 of file http_connect.c. References current_dst, current_src, dst_host, dst_port, get_host_port(), outFP, src_host, src_port, syn_count, and ts. Referenced by init_connection(). { /* parse sourse host/port */ get_host_port(current_src, src_host, src_port); /* parse destination host/port */ get_host_port(current_dst, dst_host, dst_port); fprintf(outFP, "%s %-15s %5s > %-15s %4s: SYN\n", ts, dst_host, dst_port, src_host, src_port); syn_count++; } Here is the call graph for this function:

void main (  int  argc, char *  argv[] )

Definition at line 249 of file http_connect.c. References ACK_ONLY, begin_REQ(), begin_RSP(), check_ACK_advance(), check_tuple_reuse(), connection_state, current_dst, current_request_end, current_response_end, current_src, current_synseq, DATA_ACK, dh, dumpFP, end_seq, error_state(), FIN, FIN_SENT, FIN_sent_time, fl, gt, has_ack, has_seq, have_FINdata_error, have_pending_acks, have_pending_fins, have_pending_othr, have_pending_rsts, IN_REQUEST, IN_RESPONSE, init_active(), init_connection(), input_name, input_type, last_connection_time, last_request_end, last_response_end, last_state, log_ACT(), log_connection(), log_log(), log_name, log_REQ(), log_RSP(), logFP, more_REQ(), more_RSP(), new_ack, new_address, new_line, outFP, output_name, p1, p2, p3, parse_dump_record(), PENDING, rc, request_end_time, RESET, response_end_time, RST, RST_sent_time, seq_bytes, sh, start_request_time, start_response_time, SYN, SYN_SENT, ts, and Usage(). { int i; /* Parse the command line */ i = 1; while (i < argc) { if (strcmp (argv[i], "-r") == 0) { /* -r flag is followed by name of file to read */ if (++i >= argc) Usage (argv[0]); strcpy (input_name, argv[i]); } else if (strcmp (argv[i], "-w") == 0) { /* -w flag is followed by the name of file to write */ if (++i >= argc) Usage (argv[0]); strcpy (output_name, argv[i]); } else Usage (argv[0]); i++; } /* Open files */ /* Note: program is written to also be used as a filter */ if (strcmp(output_name, "") == 0) /* if no explicit output file named with -w, use stdout */ outFP = stdout; else { if ((outFP = fopen (output_name, "w")) == NULL) { fprintf (stderr, "error opening %s\n", output_name); exit (-1); } } if (strcmp(input_name, "") == 0) /* if no explicit input file named with -r, use stdin */ dumpFP = stdin; else { if ((dumpFP = fopen (input_name, "r")) == NULL) { fprintf (stderr, "error opening %s\n", input_name); exit (-1); } } strcpy(log_name, output_name); strcat(log_name, ".log"); if ((logFP = fopen (log_name, "w")) == NULL) { fprintf (stderr, "error opening %s\n", log_name); exit (-1); } /* begin main loop; once through loop for each line in the tcpdump */ /* a <continue> anywhere in the loop (usually after an error case) implies beginning of processing a new tcpdump record */ while (!feof (dumpFP)) { /* printf("State is %d, last_state is %d\n", connection_state, last_state); */ /* Get and parse line of tcpdump file */ fgets (new_line, sizeof(new_line), dumpFP); /* get line pieces; this works because there are always 8 or more fields separated by white space in tcpdump ASCII-format lines */ /* sscanf (new_line, "%s %s %s %s %s %s %s %s %s", &ts, &lt, &sh, &gt, &dh, &fl, &p1, &p2, &p3); */ sscanf (new_line, "%s %s %s %s %s %s %s %s", &ts, &sh, &gt, &dh, &fl, &p1, &p2, &p3); /* If any part of the connection tuple (source host.port,destination host.port) differs from the current values, there are no more tcpdump records for that connection so treat as end of connection. The action taken at the end of a connection depends on the current state of processing in that connection */ if ((strcmp(current_src, sh) != 0) || /* new source host/port */ (strcmp(current_dst, dh) != 0)) /* new dest. host/port */ { log_connection(); /* begin processing this record as being from a potential new TCP connection so initialize connection's state */ strcpy(current_src, sh); /* new connection tuple */ strcpy(current_dst, dh); /* host and port for src & dest */ have_pending_acks = 0; have_pending_fins = 0; have_pending_rsts = 0; have_pending_othr = 0; current_synseq = 0; connection_state = PENDING; /* unconnected pending a SYN */ last_state = PENDING; new_address = 1; /* true only for very first record from a different TCP connection -- avoids multiple error messages */ } /* break dump record into essential data fields; initializes the following variables: begin_seq, end_seq, seq_bytes, new_ack, has_ack, has_seq, input_type. Also checks for suspect sequence and ACK values. */ if ((rc = parse_dump_record()) < 0) continue; /* processing records from a TCP connections is based on a notion of the current "state" of the connection. The defined states are PENDING := record is from different connection than before but a beginning SYN has not yet been identified. SYN_SENT:= have identified SYN sent from source port 80 (server) FIN_SENT:= have identified a FIN sent from source port 80 (server) This terminates any data from server. RESET := have identified a Reset sent from source port 80 (server) This means that the server should not accept any more client data. IN_REQUEST := processing ACKs sent from source port 80 (server) in response to data (request) from the client. In this state, need to identify end of client data (request) and start of server data (response). IN_RESPONSE := processing data sequence #s from source port 80 In this state, need to identify the end of server data (response) and, possibly the beginning of a new request. Whenever the state changes, the prior state is also noted. Fundamental to all of this is the notion that a server cannot possibly be sending data in response to a request unless that data is accompanied or preceeded by an advance in the ACK sequence indicating receipt of the request data. Similarly, we assume that any new data sent by a server that follows or is accompanied by an advance in the ACK sequence number is a response to the request that caused the ACK sequence to advance. Put another way, response data (sequence # advance) marks the end of a request and ACK advance marks the end of a response. Of course other events such as FIN or Reset can mark ends also. The use of ACK advance to mark the end of a response assumes that HTTP/1.1 browsers don't overlap requests on a single TCP connection even if they may "batch" requests, i.e., a new request will not be generated until the response has been received. If requests and responses are batched but not overlapped this will understate the number of objects requested and overstate request and response sizes. This use of advancing sequence numbers (ACK or data) to mark requests and responses is disturbed by segment reorderings in the network. In some cases, such as reordering of only data segments in a response, there is no problem since only the highest value seen is used. Reordering of ACKs (especially with data) presents real problems since boundaries between requests and responses are missed which can result in overstating request and response sizes. For this reason, all such cases of ACK misordering are logged and reported. */ switch (connection_state) /* a <break> anywhere ends processing of the current tcpdump record by ending the switch (which continues the main read loop) */ { case PENDING: { switch (input_type) { case FIN: { /* Ignore random FIN before something useful */ have_pending_fins++; break; } case SYN: { /* normal connection start, initialize connection state */ init_connection(); break; } case RST: { /* Ignore random Reset before something useful */ have_pending_rsts++; break; } /* The trace may start after a connection is established and we do not see a SYN. Determine if the connection is most likely in a request or in a response and log its status. As before, a request is indicated if the ACK sequence (after the first one in the trace) is advancing and a response is indicated if the data sequence number is advancing. */ case ACK_ONLY: { /* ignore initial ACK (has absolute value, not relative) */ if (new_address == 1) { new_address = 0; have_pending_acks++; } else { /* If ACK advances, the connection is in a request */ if ((new_ack > 2) && (new_ack < 16384)) { log_ACT("REQ"); last_request_end = 1; current_request_end = new_ack; last_response_end = 1; current_response_end = 1; /* record the request start time as beginning at the tcpdump time stamp on this record */ strcpy(start_request_time, ts); strcpy(request_end_time, ts); last_state = connection_state; connection_state = IN_REQUEST; init_active(); /* initialize connection state */ } else /* ignore ACKs that are not advancing */ have_pending_acks++; } break; } case DATA_ACK: { /* If data sequence advances, connection is in response */ if ((seq_bytes > 1) && (seq_bytes < 65535)) { log_ACT("RSP"); /* assume tcpdump relative addressing and initialize */ last_request_end = 1; current_request_end = 1; last_response_end = 0; current_response_end = seq_bytes; /* record timestamp of tcpdump record as current value of both start and end times of response (in case no later end time is found) */ strcpy(start_response_time, ts); strcpy(response_end_time, ts); last_state = connection_state; connection_state = IN_RESPONSE; init_active(); } else /* ignore data lengths of 0 or 1 */ have_pending_othr++; break; } default: break; } /* end switch on input_type */ break; } /* end case PENDING */ case SYN_SENT: { /* Treat this case as the establishment of a connection. Usually the first activity on the connection will be request data from the client, but some servers appear to "pre-send" data (maybe the headers) speculatively before ACKing any client data. */ switch (input_type) { case FIN: /* A FIN marks the end of either or both request and response */ { if ((has_ack == 1) && (new_ack > (current_request_end + 1))) /* ignore possible ACK of FIN */ { /* this record had advanced the ACK sequence so save current request data and log it (since the FIN ends the connection it also ends the request). */ begin_REQ(); log_REQ(); } /* If the data sequence number advances, then there was response data. Save the current response info. and log it (since the FIN ends the connection, it also ends the response). */ if ((has_seq == 1) && (end_seq > current_response_end)) { begin_RSP(); log_RSP(); } last_state = SYN_SENT; connection_state = FIN_SENT; /* record timestamp of first FIN seen on connection */ if (strcmp(FIN_sent_time, "") == 0) strcpy(FIN_sent_time, ts); break; } case SYN: { /* In some cases the same host/port pairs are reused in a single trace; check for plausible reuse */ check_tuple_reuse(); break; } case RST: { connection_state = RESET; last_state = SYN_SENT; /* record timestamp of first Reset on the connection */ if (strcmp(RST_sent_time, "") == 0) strcpy(RST_sent_time, ts); break; } case ACK_ONLY: { /* since there is no data sequence # present in the record and, therefore, the server is not sending data so all the client's data may not have arrived. Note the current extent of ACKed client data and change state */ if (new_ack > (current_request_end + 1)) begin_REQ(); break; } case DATA_ACK: { /* check for presence of data sequence # in the common cases in SYN_SENT state, data presence indicates that request data has been received and server is sending data that should be a response */ if (new_ack > (current_request_end + 1)) {/* this record had advanced the ACK sequence so save current request info. and change state */ begin_REQ(); /* the server's data sequence may not have advanced; but if it has, treat it as the start of a response and the end of the client (request) data */ if (end_seq > current_response_end) { /* start of response ends the request, log it and change state to look for end of response */ log_REQ(); begin_RSP(); } } else /* some servers appear to send response data immediately on completing the TCP connection without receiving any request data */ if ((end_seq > last_response_end) && (seq_bytes > 0)) begin_RSP(); break; } default: break; } /* end switch on input type */ break; } /* end case SYN_SENT */ case FIN_SENT: { switch (input_type) { case SYN: { /* In some cases the same host/port pairs are reused in a single trace; check for plausible reuse */ check_tuple_reuse(); break; } case FIN: /* ignore multiple FINs */ break; case RST: /* ignore reset after FIN */ break; case ACK_ONLY: /* If there is an ACK (only) coming after a FIN is sent, it is ether the normal one in the 4-way termination or it is to ACK more request data which will be ignored (there can be no response). In either case, it is ignored here. */ break; case DATA_ACK: { /* All others may have sequence number fields. Treat them as errors if they advance the sequence number after a FIN. The usual case here is just retransmissions (including retransmission of the FIN) which should not advance it because the highest sequence number possible was on the FIN */ if ((end_seq > (current_response_end + 2)) && (have_FINdata_error == 0)) { error_state("new data in FIN_SENT state"); have_FINdata_error = 1; } break; } default: break; } /* end switch on input type */ break; } /* end case FIN_SENT */ case RESET: { /* A Reset nominally means an abnormal close of the connection with any queued data discarded before transmitting it. We observe, however, that under some (unknown) circumstances segments that advance the data sequence number continue in the trace after the Reset. If these are part of a response, it makes sense to count them in the response size since the server obviously sent them and the network has to handle them. This also means that a FIN following the Reset may be a valid indication of the end of a response. Just ignore anything else unexpected (e.g., Reset) */ switch (input_type) { case RST: break; case SYN: { /* In some cases the same host/port pairs are reused in a single trace; check for plausible reuse */ check_tuple_reuse(); break; } case ACK_ONLY: /* an ACK might advance possibly indicating a request. However, since the connection is Reset and there should be no new response, just ignore it */ break; case FIN: { /* Only if the state is IN_RESPONSE do we try to continue looking for the end of the response. FIN is treated as the true end of a response. */ if (last_state == IN_RESPONSE) {/* ends the current response, ignore any ACK */ if ((has_seq == 1) && (end_seq > current_response_end)) more_RSP(); log_RSP(); last_state = RESET; connection_state = FIN_SENT; /* record timestamp of first FIN on connection */ if (strcmp(FIN_sent_time, "") == 0) strcpy(FIN_sent_time, ts); } break; } case DATA_ACK: { /* segments with data may advance the data sequence number as more parts of the response. They may also advance the ACK which normally would indicate a new request. However, after a Reset, it probably will be ignored by the server so it is also ignored here except to mark the end of the response. */ if (last_state == IN_RESPONSE) { if (new_ack > (last_request_end + 1)) /* new request */ { /* implies end of current response */ log_RSP(); last_state = RESET; /* will ignore all else */ break; } /* As long as the data sequence # advances, continue to save info about the current response. */ if ((end_seq > current_response_end) && (seq_bytes > 0)) more_RSP(); } break; } default: break; } /* end switch on input type */ break; } /* end case RESET */ case IN_RESPONSE: { /* In this state, look for events that will indicate the end of the response data (ACK advances for request, FIN, Reset). If the event is ACK advance, this also initiates the start of a new request. */ switch (input_type) { case FIN: { /* FIN is complicated since the segment that carries it may also advance the ACK (new request), advance the data sequence # and end the connection. If the ACK advances, any sequence # advance is for the new request; otherwise a sequence # advance extends and completes the current response. */ if (has_ack == 1) { if ((rc = check_ACK_advance(current_request_end)) < 0) break; } /* The ACK advance amount has to be greater than 1 to be considered a real new request. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate ACKs are ignored. */ if ((has_ack == 1) && (new_ack > (current_request_end + 1))) { /* implies end of current response, begin request Log the info. for the current response. */ log_RSP(); /*end of previous response */ /* on FIN, assume end of request also since server is closing the connection. */ begin_REQ(); log_REQ(); /* if the data sequence # also advances, this segment (only -- because of the FIN) carries the last part of the response */ if ((has_seq == 1) && (end_seq > last_response_end)) {/* response begins and ends in the FIN segment */ begin_RSP(); log_RSP(); /* also end of any response */ } /* Note that the null "else" here is the case that the data sequence # does not advance (there is no response to the request) -- probably an HTTP/1.1 broswer attempting multiple requests on a TCP connection where the server doesn't play nice. */ } else /* the ACK did not advance so no request; if the data sequence # advances, it extends the current response */ { if ((has_seq == 1) && (end_seq > current_response_end)) more_RSP(); log_RSP(); /* FIN always implies end of response */ } last_state = IN_RESPONSE; connection_state = FIN_SENT; if (strcmp(FIN_sent_time, "") == 0) strcpy(FIN_sent_time, ts); break; } case RST: /* Look for a Reset and only change state to RESET to continue processing. This is explained in comments in processing for the RESET state when the last_state is IN_RESPONSE. */ {/* ignore any advance in seq# on Reset */ /* it may not be wise to trust ACK on RST */ last_state = IN_RESPONSE; connection_state = RESET; if (strcmp(RST_sent_time, "") == 0) strcpy(RST_sent_time, ts); break; } case SYN: { /* In some cases the same host/port pairs are reused in a single trace; check for plausible reuse */ check_tuple_reuse(); break; } case ACK_ONLY: /* Begin checking for cases where the ACK may advance and really indicate that a new request starts. */ { /* The ACK advance amount has to be greater than 1 to be considered a real new request. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate or OOO ACKs are ignored. */ if (new_ack > (last_request_end + 1)) { /* implies end of current response, begin request. Log the info. for the current response and change states. */ log_RSP(); /* since there is no data sequence # present in the record and, therefore, the server is not sending data so all the client's data may not have arrived. Note the current extent of ACKed client data and start time */ begin_REQ(); } break; } case DATA_ACK: /* cases with data and ACKs have two important sub-cases: (a) ACK sequence number advances -- implies the start of a new request and the end of the current response; if the data sequence number also advances, it is assumed that all the request data has been received and the first of the response data is contained in the segment. (b) the ACK sequence number does not advance so any advance in the data sequence number is more of the current response. */ { if ((rc = check_ACK_advance(last_request_end)) < 0) break; /* The ACK advance amount has to be greater than 1 to be considered a real new request. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate ACKs are ignored. */ if (new_ack > (last_request_end + 1)) { /* implies end of current response, begin request Log the info. for the current response. */ log_RSP(); begin_REQ(); /* If there is also new data (sequence # advances), then the request is considered completed and a new response has started but not necessarily completed. */ if ((end_seq > current_response_end) && (seq_bytes > 0)) {/* Log info. about this request */ log_REQ(); begin_RSP(); } } else /* the ACK did not advance so no request; if the data sequence # advances, it extends the current response */ if (end_seq > current_response_end) more_RSP(); break; } default: break; } /* end switch on input type */ break; } /* end case IN_RESPONSE */ case IN_REQUEST: { /* In this state check for events that indicate the end of the request data (advance of data sequence #, FIN, Reset). An advance in the data sequence # also marks the beginning of the response to the request */ switch (input_type) { case FIN: /* FIN is somewhat less complicated here since the segment that implies that the server will send no more data. Treat this as effectively ending the request. If the ACK advances, it is considered as part of the request and if the data sequence # advances, it is the response data (all in this segment). */ { /* FIN can ACK more of current request */ /* The ACK advance amount has to be greater than 1 to be considered as extending the request. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate ACKs are ignored. */ if ((has_ack == 1) && (new_ack > (current_request_end + 1))) more_REQ(); else if (has_ack == 1) { if ((rc = check_ACK_advance(current_request_end)) < 0) break; } log_REQ(); /* on FIN, assume end of request */ /* the server's data sequence may not have advanced; but if it has, treat it as the complete response */ if ((has_seq == 1) && (end_seq > last_response_end)) { begin_RSP(); log_RSP(); /* also end of any response */ } last_state = IN_REQUEST; connection_state = FIN_SENT; if (strcmp(FIN_sent_time, "") == 0) strcpy(FIN_sent_time, ts); break; } case RST: { /* Treat a Reset as ending the request with no response */ /* ignore any advance in ack on Reset */ /* treat as ending any request */ log_REQ(); last_state = IN_REQUEST; connection_state = RESET; if (strcmp(RST_sent_time, "") == 0) strcpy(RST_sent_time, ts); break; } case SYN: { /* In some cases the same host/port pairs are reused in a single trace; check for plausible reuse */ check_tuple_reuse(); break; } case ACK_ONLY: { /* The ACK advance amount has to be greater than 1 to be considered as extending the requesst. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate or OOO ACKs are ignored. */ if (new_ack > (current_request_end + 1)) more_REQ(); break; } case DATA_ACK: { /* cases with data and ACKs have two important sub-cases: (a) ACK sequence number advances which extends the amount of request data, and (b) the data sequence # advances which ends the request and is the beginning of the response to that request. */ /* The ACK advance amount has to be greater than 1 to be considered as extending the request. This is primarily to filter out just an ACK for a FIN from the client. Note the ACK must advance so duplicate ACKs are ignored. */ if (new_ack > (current_request_end + 1)) more_REQ(); else if ((rc = check_ACK_advance(current_request_end)) < 0) break; /* the server's data sequence may not have advanced; but if it has, treat it as the start of a response and the end of the request data */ if ((end_seq > last_response_end) && (seq_bytes > 0)) { /* record info. for current request and change state to look for the end of the response*/ log_REQ(); begin_RSP(); } break; } default: break; } /* end switch on input type */ break; } /* end case IN_REQUEST */ default: break; } /* end switch on connection state */ /* save the last known time for the connection from current record */ strcpy(last_connection_time, ts); } /* end main loop */ log_log(); close (dumpFP); close (outFP); close (logFP); } /* end main() */ Here is the call graph for this function:

void more_REQ (  void   )

Definition at line 1288 of file http_connect.c. References current_request_end, new_ack, request_end_time, and ts. Referenced by main(). { current_request_end = new_ack; strcpy(request_end_time, ts); }

void more_RSP (  void   )

Definition at line 1313 of file http_connect.c. References current_response_end, end_seq, response_end_time, and ts. Referenced by main(). { current_response_end = end_seq; /* save the new (potential) response end time */ strcpy(response_end_time, ts); }

int parse_dump_record (  void   )

Definition at line 1327 of file http_connect.c. References ACK_ONLY, begin_seq, connection_state, current_request_end, current_response_end, DATA_ACK, end_seq, error_line(), FIN, fl, get_sequence(), has_ack, has_seq, have_value_error, IN_REQUEST, IN_RESPONSE, input_type, last_state, new_ack, p1, p2, p3, PENDING, rc, RESET, RST, seq_bytes, SYN, and SYN_SENT. Referenced by main(). { begin_seq = end_seq = seq_bytes = new_ack = 0; has_ack = has_seq = 0; /* The following flag combinations are flagged because they (a) make no real sense for SYNs and (b) should be very rare. */ if ((strcmp(fl, "SFRP") == 0) || (strcmp(fl, "SFR") == 0) || (strcmp(fl, "SFP") == 0) || (strcmp(fl, "SF") == 0) || (strcmp(fl, "SRP") == 0) || (strcmp(fl, "SR") == 0)) { /* If out of PENDING state (initial SYN recognized), just note the error, ignore it and continue. */ if (connection_state != PENDING) error_line ("SYN in combination with F or R"); return(-1); } /* In tcpdump format, the fields coming after flags are, in order, data-seqno (format "bbb:eee(ccc)") and ack (format "ack xxx"). Both the data-seqno and ack fields may not be present if they do not have valid information. If the data-seqno field is not present, the first field after the flag is the string "ack"; if both are not present the field after the flag is the string "win". Also check to see if tcpdump used absolute instead of relative values */ if (strcmp(p1, "ack") == 0) /* ack and no data sequence no. */ { has_seq = 0; has_ack = 1; new_ack = strtoul(p2, (char **)NULL, 10); } else { if (strcmp(p1, "win") == 0) /* no ack, no data */ { has_ack = 0; has_seq = 0; } else { /* assume it is a valid sequence number field */ /* parse sequence field in header */ /* sequence field format is <begin_seq #>:<end_seq #>(<seq_bytes count>) */ if ((rc = get_sequence(p1, &begin_seq, &end_seq, &seq_bytes)) < 0) { error_line ("invalid sequence # field"); return (-1); } has_seq = 1; /* check the field following the data sequence # for an ACK */ if (strcmp(p2, "ack") == 0) { has_ack = 1; new_ack = strtoul(p3, (char **)NULL, 10); } else has_ack = 0; } } /* classify flag combinations into equivalence classes for later steps */ if ((strcmp(fl, "F") == 0) || (strcmp(fl, "FP") == 0) || (strcmp(fl, "FR") == 0) || (strcmp(fl, "FRP") == 0)) input_type = FIN; else { if ((strcmp(fl, "R") == 0) || (strcmp(fl, "RP") == 0)) input_type = RST; else { if ((strcmp(fl, "S") == 0) || (strcmp(fl, "SP") == 0)) input_type = SYN; else { if ((has_ack == 1) && (has_seq == 0)) input_type = ACK_ONLY; else if ((has_seq == 1) && (has_ack == 1)) input_type = DATA_ACK; else { error_line("Unexpected Data/ACK combination"); return (-1); } } } } if ((connection_state == IN_RESPONSE) || (connection_state == IN_REQUEST) || (connection_state == SYN_SENT) || ((connection_state == RESET) && (last_state == IN_RESPONSE))) { /* allow for gaps of up to one normal TCP window */ if (((input_type == FIN) || (input_type == DATA_ACK)) && (end_seq > (current_response_end + 65535))) { if (have_value_error == 0) { error_line ("suspect sequence # value"); have_value_error = 1; } return (-1); } /* ACK is required for each 2 segments with space for gaps */ if (((input_type == FIN) || (input_type == ACK_ONLY) || (input_type == DATA_ACK)) && (new_ack > (current_request_end + 16384))) { if (have_value_error == 0) { error_line ("suspect ACK value"); have_value_error = 1; } return (-1); } } return(0); } Here is the call graph for this function:

static void tvsub (  struct timeval *  tdiff, struct timeval *  t1, struct timeval *  t0 )  [static]

Definition at line 1770 of file http_connect.c. { tdiff->tv_sec = t1->tv_sec - t0->tv_sec; tdiff->tv_usec = t1->tv_usec - t0->tv_usec; if (tdiff->tv_usec < 0) { tdiff->tv_sec--; tdiff->tv_usec += 1000000; } }

void Usage (  char *  s  )

Definition at line 78 of file http_connect.c. { fprintf (stderr,"\nUsage: %s\n", s); fprintf (stderr," [-w file_name] (name for output file)\n"); fprintf (stderr," [-r file_name] (name for input file)\n"); fprintf (stderr,"If either -w or -r is omitted, stdout(stdin) is used\n"); fprintf (stderr,"\n"); exit(-1); }

---

Variable Documentation

int act_req_count = 0

Definition at line 147 of file http_connect.c. Referenced by log_ACT(), and log_log().

int act_rsp_count = 0

Definition at line 148 of file http_connect.c. Referenced by log_ACT(), and log_log().

unsigned long begin_seq

Definition at line 108 of file http_connect.c. Referenced by check_tuple_reuse(), init_connection(), and parse_dump_record().

enum states connection_state = PENDING

Definition at line 169 of file http_connect.c. Referenced by begin_REQ(), begin_RSP(), check_tuple_reuse(), init_connection(), log_connection(), main(), and parse_dump_record().

char current_dst[25] = ""

Definition at line 179 of file http_connect.c. Referenced by log_ACT(), log_END(), log_SYN(), and main().

unsigned long current_request_end

Definition at line 127 of file http_connect.c. Referenced by begin_REQ(), init_connection(), main(), more_REQ(), and parse_dump_record().

unsigned long current_response_end

Definition at line 136 of file http_connect.c. Referenced by begin_RSP(), init_connection(), log_connection(), main(), more_RSP(), and parse_dump_record().

char current_src[25] = ""

Definition at line 175 of file http_connect.c.

unsigned long current_synseq

Definition at line 109 of file http_connect.c. Referenced by check_tuple_reuse(), init_connection(), and main().

char dh[25]

Definition at line 100 of file http_connect.c.

char dst_host[25]

Definition at line 180 of file http_connect.c. Referenced by log_ACT(), log_END(), and log_SYN().

char dst_port[10]

Definition at line 181 of file http_connect.c. Referenced by log_ACT(), log_END(), log_SYN(), and IntTcpAgent::send_one().

FILE* dumpFP

Definition at line 88 of file http_connect.c.

long elapsed

Definition at line 220 of file http_connect.c. Referenced by check_tuple_reuse(), log_IDLE(), and main().

unsigned long end_seq

Definition at line 108 of file http_connect.c. Referenced by begin_RSP(), main(), more_RSP(), and parse_dump_record().

int err_count = 0

Definition at line 146 of file http_connect.c. Referenced by log_log().

int fin_count = 0

Definition at line 143 of file http_connect.c. Referenced by log_END(), and log_log().

char FIN_sent_time[20]

Definition at line 210 of file http_connect.c. Referenced by init_active(), init_connection(), log_END(), and main().

char fl[5]

Definition at line 102 of file http_connect.c.

char gt[3]

Definition at line 98 of file http_connect.c.

int has_ack

Definition at line 111 of file http_connect.c. Referenced by main(), and parse_dump_record().

int has_seq

Definition at line 111 of file http_connect.c. Referenced by check_tuple_reuse(), init_connection(), main(), and parse_dump_record().

int have_ACK_error = 0

Definition at line 163 of file http_connect.c. Referenced by check_ACK_advance(), init_active(), and init_connection().

int have_FINdata_error = 0

Definition at line 165 of file http_connect.c. Referenced by init_active(), init_connection(), and main().

int have_pending_acks = 0

Definition at line 158 of file http_connect.c. Referenced by log_connection(), and main().

int have_pending_fins = 0

Definition at line 159 of file http_connect.c. Referenced by log_connection(), and main().

int have_pending_othr = 0

Definition at line 161 of file http_connect.c. Referenced by log_connection(), and main().

int have_pending_rsts = 0

Definition at line 160 of file http_connect.c. Referenced by log_connection(), and main().

int have_value_error = 0

Definition at line 164 of file http_connect.c. Referenced by init_active(), init_connection(), and parse_dump_record().

char input_name[256] = ""

Definition at line 214 of file http_connect.c. Referenced by log_log(), and main().

enum inputs input_type

Definition at line 173 of file http_connect.c. Referenced by main(), and parse_dump_record().

char last_connection_time[20]

Definition at line 212 of file http_connect.c. Referenced by check_tuple_reuse(), init_active(), init_connection(), log_END(), and main().

unsigned long last_request_end

Definition at line 127 of file http_connect.c. Referenced by init_connection(), and main().

unsigned long last_response_end

Definition at line 136 of file http_connect.c. Referenced by init_connection(), log_connection(), and main().

enum states last_state = PENDING

Definition at line 170 of file http_connect.c. Referenced by begin_REQ(), begin_RSP(), check_tuple_reuse(), log_connection(), main(), and parse_dump_record().

struct timeval lastTime = {0,0}

Definition at line 92 of file http_connect.c.

char log_name[256] = ""

Definition at line 216 of file http_connect.c. Referenced by main().

FILE* logFP

Definition at line 89 of file http_connect.c. Referenced by log_log(), and main().

char lt[3]

Definition at line 99 of file http_connect.c. Referenced by EmpFtpTrafPool::command().

unsigned long new_ack

Definition at line 108 of file http_connect.c. Referenced by begin_REQ(), check_ACK_advance(), main(), more_REQ(), and parse_dump_record().

int new_address = 0

Definition at line 222 of file http_connect.c. Referenced by main().

char new_line[500]

Definition at line 218 of file http_connect.c.

FILE * outFP

Definition at line 88 of file http_connect.c.

char output_name[256] = ""

Definition at line 215 of file http_connect.c. Referenced by log_log(), and main().

char p1[50]

Definition at line 103 of file http_connect.c. Referenced by LandmarkAgent::aggregate_tags(), SensorQueryAgent::command(), TfrcSinkAgent::est_loss_EWMA(), main(), parse_dump_record(), FullTcpAgent::predict_ok(), LandmarkAgent::search_tag(), and RNG::U01().

char p2[50]

Definition at line 104 of file http_connect.c. Referenced by LandmarkAgent::aggregate_tags(), SensorQueryAgent::command(), LandmarkAgent::command(), DSDV_Agent::command(), TfrcSinkAgent::est_loss_EWMA(), DSDV_Agent::lost_link(), main(), parse_dump_record(), FullTcpAgent::predict_ok(), LandmarkAgent::search_tag(), and RNG::U01().

char p3[50]

Definition at line 105 of file http_connect.c. Referenced by LandmarkAgent::aggregate_tags(), SensorQueryAgent::command(), main(), parse_dump_record(), FullTcpAgent::predict_ok(), and LandmarkAgent::search_tag().

int pending_ack_count = 0

Definition at line 151 of file http_connect.c. Referenced by log_connection(), and log_log().

int pending_cmb_count = 0

Definition at line 153 of file http_connect.c. Referenced by log_connection(), and log_log().

int pending_fin_count = 0

Definition at line 149 of file http_connect.c. Referenced by log_connection(), and log_log().

int pending_oth_count = 0

Definition at line 152 of file http_connect.c. Referenced by log_connection(), and log_log().

int pending_rst_count = 0

Definition at line 150 of file http_connect.c. Referenced by log_connection(), and log_log().

int rc = 0

Definition at line 223 of file http_connect.c. Referenced by RcHandler::handle(), main(), parse_dump_record(), SessionHelper::recv(), and LDPAgent::recv().

struct timeval recvTime

Definition at line 91 of file http_connect.c.

int report_ACK_err = 1

Definition at line 76 of file http_connect.c. Referenced by check_ACK_advance().

int req_count = 0

Definition at line 141 of file http_connect.c. Referenced by log_log().

char request_end_time[20]

Definition at line 208 of file http_connect.c. Referenced by begin_REQ(), main(), and more_REQ().

char response_end_time[20]

Definition at line 207 of file http_connect.c. Referenced by begin_RSP(), main(), and more_RSP().

int rsp_count = 0

Definition at line 142 of file http_connect.c. Referenced by log_log().

int rst_count = 0

Definition at line 144 of file http_connect.c. Referenced by log_END(), and log_log().

char RST_sent_time[20]

Definition at line 211 of file http_connect.c. Referenced by init_active(), init_connection(), log_END(), and main().

unsigned long seq_bytes

Definition at line 108 of file http_connect.c. Referenced by main(), and parse_dump_record().

char sh[25]

Definition at line 96 of file http_connect.c.

char src_host[25]

Definition at line 176 of file http_connect.c. Referenced by log_ACT(), log_END(), and log_SYN().

char src_port[10]

Definition at line 177 of file http_connect.c. Referenced by log_ACT(), log_END(), and log_SYN().

char start_request_time[20]

Definition at line 188 of file http_connect.c. Referenced by begin_REQ(), and main().

char start_response_time[20]

Definition at line 194 of file http_connect.c. Referenced by begin_RSP(), and main().

int syn_count = 0

Definition at line 140 of file http_connect.c. Referenced by log_log(), and log_SYN().

int trm_count = 0

Definition at line 145 of file http_connect.c. Referenced by log_END(), and log_log().

char ts[20]

Definition at line 94 of file http_connect.c.

---