Hello everyone,
This is my first question to the newsgroup and I'm very new to
programming with C. My background is with Cisco routers, switches, and
firewalls. Over the years I've been collecting rather large syslog
files from firewalls and used several variations of "grep" and
Microsoft's "findstr" to pull out specific information from the
syslogs (layer 4 ports and IP addresses) and ignore all the other
information.
With this in mind I took it upon myself to learn C so that I could
create a simple little program to do all that work for me. I've
created a program listed below that is trying to get me to where I
need to go, but I know I'm not fully understanding the way C uses
pointers to variables when the variables are used over and over again
in a loop. Though most of my syslog files have over 100,000 records
for any one weekday, the problem my program has can be shown with just
a file that has two records. What you will see from the program is
that I open a syslog file called "pix1.txt" with just the contents
listed below:
<166>%PIX-6-302001: Built outbound TCP connection 35700999 for faddr 209.195.178.164/21 gaddr 67.65.127.249/59371 laddr 10.231.3.76/2875
<166>%PIX-6-302005: Built UDP connection for faddr 200.23.1.1/13156 gaddr 67.65.127.26/53 laddr 10.231.200.250/53
I then scan through the records locating various parts so that I can
record if the layer 4 traffic is TCP or UDP, the layer 4 port that is
used (the one I'm interested in comes right before the word "gaddr" in
the record), and the source IP address (which is located right after
the word "laddr" in the record). I'm using the strcpy and strncpy
functions and I'm pretty sure my problem is with the way I'm using the
variables and the way those functions use pointers. If it were working
correctly my newly created file called "ports.txt" would contain the
following data (I delimit with '&' so that I can import into Excel):
TCP&21&10.231.3.76
UDP&13156&10.231.200.250
However, what I'm getting is the following:
TCP&21&10.231.3.76
UDP&13156UDP&10.231.200.250
The first line looks fine but the second line has already started
including some things that I didn't mean to include. It gets even
worse when the source file has more than two syslog records, and I'm
sure that's due to a snowballing effect of some sort.
My question is that since my goal is pretty simple (I want to take
data from one file and throw out stuff I don't want and write the
stuff I want to another file), there has to be something very
elementary that I'm missing with the way C handles strings and any
help to point me in the right direction would be greatly appreciated.
Below is a copy of the source file I'm working on at the moment. I
downloaded lcc-win32 and have used the C tutorial to learn what I've
done so far, and I'm able to use the debugging option of the IDE to
see the errors happening with the pointers during the string
functions.
Thanks for the help,
Ron
/*------------------------------------------------------------------------
Module: c:\lcc\sysread\sysread.c
Author: Ron
Project: Sysread
State: Work in Progress
Creation Date: August 2003
Description: This program reads a file containing syslog
output from a PIX and writes the ports and
source IP's to a new file.
------------------------------------------------------------------------*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAXLINELEN 200

int main()
{
    FILE *infile, *outfile;
    char buf1[MAXLINELEN], protocol[3], port[5], ipaddress[15];
    int index1;

    infile = fopen("pix1.txt", "r");
    outfile = fopen("ports.txt", "w");
    while (fgets(buf1, MAXLINELEN, infile)) {
        /*------------------------------------------------------------------
        Determine if TCP or UDP.
        ------------------------------------------------------------------*/
        if (strstr(buf1, "TCP") == NULL) {
            strcpy(protocol, "UDP");
        }
        else {
            strcpy(protocol, "TCP");
        }
        /*------------------------------------------------------------------
        Determine the layer four port.
        ------------------------------------------------------------------*/
        index1 = strcspn(buf1, "/");
        strcpy(buf1, &buf1[index1 + 1]);
        index1 = strcspn(buf1, "g");
        strncpy(port, buf1, index1 - 1);
        /*------------------------------------------------------------------
        Determine the source IP address.
        ------------------------------------------------------------------*/
        index1 = strcspn(buf1, "l");
        strcpy(buf1, &buf1[index1 + 6]);
        index1 = strcspn(buf1, "/");
        strncpy(ipaddress, buf1, index1);
        fprintf(outfile, "%s&%s&%s\n", protocol, port, ipaddress);
    }
    fclose(infile);
    fclose(outfile);
    return 0;
}
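The program above is the one the question is about, so it is left as posted. What follows is an added example, not Ron's code and not from any reply in the thread: a bounds-checked version of the same extraction. It assumes the two record layouts shown above ("faddr A.B.C.D/port gaddr ... laddr A.B.C.D/port") and embeds those two lines as constructed sample input so it runs with no pix1.txt present. The names parse_pix_line, copy_field, conn_rec, sample_matches and line_is_parsable are mine, not anything from lcc-win32 or the PIX.

```c
#include <stdio.h>
#include <string.h>

/* One parsed PIX 302001/302005 "Built ... connection" record.
 * Every array has room for the longest legal value PLUS the NUL terminator;
 * "UDP" needs 4 bytes, "65535" needs 6, "255.255.255.255" needs 16. */
struct conn_rec {
    char protocol[4];
    char port[6];
    char ipaddress[16];
};

/* Copy [start, end) into dst and always NUL-terminate it. Returns 0 instead
 * of writing past dst when the field is too long; strncpy alone neither
 * guarantees the terminator nor reports truncation. */
static int copy_field(char *dst, size_t dst_sz, const char *start, const char *end)
{
    size_t len;
    if (end < start) return 0;
    len = (size_t)(end - start);
    if (len >= dst_sz) return 0;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 1;
}

/* Parse one syslog line. Returns 1 on success, 0 when the line does not have
 * the expected layout, so the caller skips it rather than emitting garbage. */
int parse_pix_line(const char *line, struct conn_rec *rec)
{
    const char *faddr, *slash, *gaddr, *laddr, *ip_end;

    /* Look for each protocol token explicitly instead of treating
     * "anything that is not TCP" as UDP. */
    if (strstr(line, " TCP ") != NULL) strcpy(rec->protocol, "TCP");
    else if (strstr(line, " UDP ") != NULL) strcpy(rec->protocol, "UDP");
    else return 0;

    /* Port of interest: the digits between the '/' after faddr and " gaddr". */
    faddr = strstr(line, "faddr ");
    if (faddr == NULL) return 0;
    slash = strchr(faddr, '/');
    gaddr = strstr(faddr, " gaddr ");
    if (slash == NULL || gaddr == NULL || slash > gaddr) return 0;
    if (!copy_field(rec->port, sizeof rec->port, slash + 1, gaddr)) return 0;

    /* Source IP: the dotted quad after "laddr " up to its '/'. */
    laddr = strstr(gaddr, "laddr ");
    if (laddr == NULL) return 0;
    laddr += strlen("laddr ");
    ip_end = strchr(laddr, '/');
    if (ip_end == NULL) return 0;
    return copy_field(rec->ipaddress, sizeof rec->ipaddress, laddr, ip_end);
}

/* Constructed sample input: the two records from the question, one per line. */
static const char *const SAMPLE[] = {
    "<166>%PIX-6-302001: Built outbound TCP connection 35700999 for faddr "
    "209.195.178.164/21 gaddr 67.65.127.249/59371 laddr 10.231.3.76/2875",
    "<166>%PIX-6-302005: Built UDP connection for faddr 200.23.1.1/13156 "
    "gaddr 67.65.127.26/53 laddr 10.231.200.250/53",
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* 1 if sample i parses to exactly the given protocol, port and source IP. */
int sample_matches(size_t i, const char *proto, const char *port, const char *ip)
{
    struct conn_rec rec;
    if (i >= NSAMPLE || !parse_pix_line(SAMPLE[i], &rec)) return 0;
    return strcmp(rec.protocol, proto) == 0 && strcmp(rec.port, port) == 0
        && strcmp(rec.ipaddress, ip) == 0;
}

/* 1 if an arbitrary line parses, 0 if it is rejected. */
int line_is_parsable(const char *line)
{
    struct conn_rec rec;
    return parse_pix_line(line, &rec);
}

int main(void)
{
    struct conn_rec rec;
    size_t i;
    for (i = 0; i < NSAMPLE; i++) {
        if (parse_pix_line(SAMPLE[i], &rec))
            printf("%s&%s&%s\n", rec.protocol, rec.port, rec.ipaddress);
        else
            fprintf(stderr, "skipped unrecognised line %lu\n", (unsigned long)(i + 1));
    }
    return 0;
}
```

Two sizing facts explain the symptom in the question. port[5] cannot hold the five digits of 13156 plus a terminator, so strncpy leaves it unterminated and "%s" keeps reading whatever sits after it in memory; and protocol[3] cannot hold "TCP" or "UDP" plus the terminator, so each strcpy writes one byte past the end of that array. Both are out-of-bounds writes or reads, and since a log line is input from outside the program they are the kind of defect a crafted record can exploit. The example sizes every buffer for its largest legal value, lets copy_field refuse an over-long field instead of overflowing, and checks each strstr/strchr result so a line with an unexpected layout is skipped. To use it on the real file, replace the loop in main with fgets over pix1.txt; if a record is longer than the read buffer, fgets returns it in pieces and the continuation simply fails to parse rather than corrupting the output.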