hello david,
why getting this warning and how can solve this. important thing is not getting result. last time told me '/' problem. i can not get it.please can u tell again.

#include <syslog.h>
#include <libnet.h>
#include <pcap.h>
#include <time.h>
/* misc defines */
#define MAX_STRING 0x100 /* default string length */
#define CON_REMOVED 0xFFFFFFFF /* tag a node for removal */
#define CLEANUP_INTERVAL 1000 /* how often the cleaner runs */
#define EXPIRE_TIME 11800 /* seconds that a connection should
* should linger in SYN-ACK state
* before it gets expired
*/
#define MAX_PACKET 1500 /* max packet size */

/* filter to catch SYN-ACK, FIN-ACK, and RST segments */
#define FILTER "((tcp[13] & 0x12) == 0x12) || ((tcp[13] & 0x11) == 0x11) || \
((tcp[13] & 0x14) == 0x14) || ((tcp[13] & 0x04) == 0x04)"


/* patricia key symbolic constants */
#define KEY_BYTES 12
#define MIN_KEY_BIT 0
#define MAX_KEY_BIT (KEY_BYTES * 8 - 1)

/*
* Simple way to subtract timeval based timers. Not every OS has this,
* so we'll just define it here.
*/
#define PTIMERSUB(tvp, uvp, vvp) \
do \
{ \
(vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \
(vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \
if ((vvp)->tv_usec < 0) \
{ \
(vvp)->tv_sec--; \
(vvp)->tv_usec += 1000000; \
} \
} \
while (0) \

/* code cleanup to set connection state */
#define SET_STATE(c, dip, dp, sip, sp, s) \
{ \
c->dst_addr.s_addr = dip;c->dst_port = dp; \
c->src_addr.s_addr = sip;c->src_port = sp; \
c->seq = s; \
}

/* TCP connection info */
struct tcp_connection
{
struct in_addr src_addr; /* source address */
struct in_addr dst_addr; /* destination address */
struct timeval ts; /* time value */
u_long seq; /* sequence number */
u_short src_port; /* source port */
u_short dst_port; /* destination port */
};

/* decision node within the patricia trie */
struct pt_node
{
int bit; /* decision bit */
struct pt_node *l; /* left node */
struct pt_node *r; /* right node */
struct tcp_connection *con; /* connection info */
};

/* patricia trie context */
struct pt_context
{
struct pt_node *head; /* head of the trie */
u_long n; /* number of existing nodes */
};

/* main descry control context */
struct descry_pack
{
pcap_t *p; /* libpcap context */
u_char flags; /* control flags */
#define ALL_HOSTS 0x1 /* monitor all hosts on segment */
#define DO_SYSLOG 0x02 /* log to syslog */
int offset; /* offset to IP header */
struct pt_context *pt; /* patricia trie context */
};

/************************************************** ********/



/*int descry_init(struct descry_pack **, char *, char *, u_char);
void descry_destroy(struct descry_pack *);
void descry(u_char *, struct pcap_pkthdr *, u_char *);
void check_state(struct descry_pack *, struct tcp_connection *,
struct tcp_connection *);
int pt_init(struct pt_context **);
struct pt_node *pt_new(int bit, struct pt_node *, struct pt_node *,
struct tcp_connection *);
int pt_insert(struct pt_context *, struct tcp_connection *);
void pt_expire(struct descry_pack *, struct timeval*);
int pt_find(struct pt_context *, struct tcp_connection *,
struct tcp_connection **);
void pt_delete(struct pt_context *, struct tcp_connection *);
void pt_make_key(u_char *, struct tcp_connection *);
void pt_walk_r(struct descry_pack *, struct pt_node *, struct pt_node *,
struct timeval *);
int pt_remove_r(struct pt_context *, struct pt_node *, u_char *,
struct pt_node *);
int pt_search_r(struct pt_node *, u_char *, struct pt_node **);
int diff_bit(u_char *, u_char *, int *);
int get_bit(u_char *, struct pt_node *);
char *get_time();
void usage(char *);*/

/************************************************** ******************/
/*Function Body*/
/************************************************** ******************/
int
descry_init(struct descry_pack **gp, char *device, char *capture_file,
u_char flags)
{
char *interface = NULL;
char error[PCAP_ERRBUF_SIZE];
struct bpf_program prog;
u_int32_t network, netmask;

*gp = malloc(sizeof(struct descry_pack));
if (*gp == NULL)
{
perror("descry_init(): malloc(): ");
return (0);
}

/* initialize the patricia trie */
if (pt_init(&((*gp)->pt)) == 0)
{
/* error set in pt_init() */
return (EXIT_FAILURE);
}

/* control flags */
(*gp)->flags = flags;

if (capture_file)
{
/* we have a capture file to analyze */
(*gp)->p = pcap_open_offline(capture_file, error);
if ((*gp)->p == NULL)
{
fprintf(stderr, "pcap_open_offline() %s\n", error);
return (0);
}
}
else
{
/* we're doing a live capture, do we have a device? */
if (device)
{
interface = device;
}
else
{
interface = pcap_lookupdev(error);
if (interface == NULL)
{
fprintf(stderr, "pcap_lookupdev(): %s\n", error);
return (0);
}
}
(*gp)->p = pcap_open_live(interface, MAX_PACKET,
((*gp)->flags & ALL_HOSTS), 0, error);
if ((*gp)->p == NULL)
{
fprintf(stderr, "pcap_open_live() %s\n", error);
return (0);
}
}

/* get the length of the link layer header */
switch (pcap_datalink((*gp)->p))
{
case DLT_SLIP:
/* a little SLIPstreaming! Whoops! There's Charlie! */
(*gp)->offset = 0x10;
break;
case DLT_PPP:
/* PPP y0 */
(*gp)->offset = 0x04;
break;
default:
case DLT_EN10MB:
/* good old ethernet or something like it I hope! */
(*gp)->offset = 0x0e;
break;
}

if (interface)
{
/* compile our filter and apply it to the interface */
if (pcap_lookupnet(interface, &network, &netmask, error) < 0)
{
fprintf(stderr, "pcap_lookupnet() %s\n", error);
return (0);
}
}
if (pcap_compile((*gp)->p, &prog, FILTER, 1, netmask) < 0)
{
fprintf(stderr, "pcap_compile(): \"%s\" failed\n", FILTER);
return (0);
}
if (pcap_setfilter((*gp)->p, &prog) < 0)
{
fprintf(stderr, "pcap_setfilter() failed\n");
return 0;
}
return (1);
}
/************************************************** ******************/
void
descry_destroy(struct descry_pack *gp)
{
/* do something someday*/
}
/************************************************** ******************/
void
descry(u_char *u, struct pcap_pkthdr *phdr, u_char *packet)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
struct descry_pack *gp;
struct tcp_connection *c;
struct tcp_connection *rc;
static u_char cleanup = 0;
struct timeval ts;

rc = NULL;
c = NULL;
gp = (struct descry_pack *)u;

/*
* In order to keep the trie from growing boundlessly, we need to
* periodically expire half open connections.
*/
{
ts.tv_usec = phdr->ts.tv_usec;
ts.tv_sec = phdr->ts.tv_sec;

/* expire old connections */
pt_expire(gp, &ts);
cleanup = 0;
}

/*
* Ignore packets that do not have an entire TCP header. Currently
* this code does not handle fragmented TCP headers and will not
* detect scans that use them.
*/
if (phdr->len < (gp->offset + LIBNET_IPV4_H + LIBNET_TCP_H))
{
return;
}

/* overlay IP and TCP headers */
ip = (struct libnet_ipv4_hdr *)(packet + gp->offset);
tcp = (struct libnet_tcp_hdr *)(packet + gp->offset +
(ip->ip_hl << 2));

/* shave off the lower order 6 bits containing the control flags */
switch (tcp->th_flags & 0x3F)
{
case (TH_SYN | TH_ACK):
/* this is a new connection to be added to the trie */

/* get memory for the connection state */
c = malloc(sizeof (struct tcp_connection ));
if (c == NULL)
{
return;
}

/* set connection state */
memcpy(&(c->ts), &(phdr->ts), sizeof(struct timeval));
/*
* The context for the connection state is biased towards
* the initiator of the TCP connection. Since this TCP
* segment is the SYN|ACK (response from server), we reverse
* the source and destination when filling in the connection
* information.
*/
SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport,
ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack);

/* insert TCP connection into the trie */
if (pt_insert(gp->pt, c) == 0)
{
fprintf(stderr, "pt_insert() failed!\n");
}
break;
case (TH_FIN | TH_ACK):
case (TH_RST):
case (TH_RST | TH_ACK):
/* connection teardown */

/* get memory for the connection state */
c = malloc(sizeof (struct tcp_connection));
if (c == NULL)
{
return;
}
/* set connection state so we can search for the connection */
SET_STATE(c, ip->ip_dst.s_addr, tcp->th_dport,
ip->ip_src.s_addr, tcp->th_sport, tcp->th_seq);


if (pt_find(gp->pt, c, &rc))
{
check_state(gp, c, rc);
pt_delete(gp->pt, rc);
}
else
{
/*
* Did not find the connection. Assuming the initiator
* sent the teardown request, so we will try again
* while making the assumption that the server sent it.
*/
SET_STATE(c, ip->ip_src.s_addr, tcp->th_sport,
ip->ip_dst.s_addr, tcp->th_dport, tcp->th_ack);
pt_delete(gp->pt, c);
}
free(c);
break;
default:
break;
}
}

char *
get_time()
{
int i;
time_t t;
static char buf[26];

t = time((time_t *)NULL);
strcpy(buf, ctime(&t));

/* cut out the day, year and \n */
for (i = 0; i < 20; i++)
{
buf[i] = buf[i + 4];
}
buf[15] = 0;

return (buf);
}

void
check_state(struct descry_pack *gp, struct tcp_connection *con1,
struct tcp_connection *con2)
{
/* check sequence number delta to see if data was sent */
if (ntohl(con1->seq) >= ntohl(con2->seq) &&
ntohl(con1->seq) <= ntohl(con2->seq) + 2)
{
if (gp->flags & DO_SYSLOG)
{
syslog(LOG_NOTICE,
"Possible TCP port scan from %s:%d to %s:%d",
libnet_addr2name4(con1->src_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->src_port),
libnet_addr2name4(con1->dst_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->dst_port));
}
else
{
fprintf(stderr,
"[%s] TCP probe from %s:%d to %s:%d\n",
get_time(),
libnet_addr2name4(con1->src_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->src_port),
libnet_addr2name4(con1->dst_addr.s_addr,
LIBNET_DONT_RESOLVE),
ntohs(con1->dst_port));
}
}
}

void
pt_make_key(u_char *key, struct tcp_connection *c)
{
if (c == NULL)
{
fprintf(stderr, "pt_make_key(): c is NULL!\n");
return;
}
/* create a key for the trie from connection info */
memcpy(key, &(c->src_addr.s_addr), 4);
memcpy(key + 4, &(c->src_port), 2);
memcpy(key + 6, &(c->dst_addr.s_addr), 4);
memcpy(key + 10, &(c->dst_port), 2);
}

struct pt_node *
pt_new(int bit, struct pt_node *l, struct pt_node *r,
struct tcp_connection *con)
{
struct pt_node *p = NULL;

p = malloc(sizeof(struct pt_node));
if (p)
{
p->bit = bit;
p->l = l;
p->r = r;
p->con = con;
}
return (p);
}

int
pt_init(struct pt_context **p)
{
*p = malloc(sizeof(struct pt_context));
if (*p == NULL)
{
perror("pt_init(): malloc(): ");
return (0);
}

(*p)->head = NULL;
(*p)->n = 0;

return (1);
}

int
get_bit(u_char *key, struct pt_node *n)
{
u_char conkey[KEY_BYTES];

memset(conkey, 0, KEY_BYTES);
if (n->bit < MIN_KEY_BIT || n->bit > MAX_KEY_BIT)
{
pt_make_key(conkey, n->con);
if (memcmp(key, conkey, KEY_BYTES) == 0)
{

return (2);
}
else
{

return (3);
}
}

return ((key[n->bit % 8] >> (7 - (n->bit % )) & 0x01);
}

int
pt_search_r(struct pt_node *n, u_char *key, struct pt_node **rc)
{

switch (get_bit(key, n))
{
case 0:
return (pt_search_r(n->l, key, rc));
case 1:
return (pt_search_r(n->r, key, rc));
case 2:
*rc = n;
return (1);
default:
*rc = n;
return (0);
}
}

int
pt_remove_r(struct pt_context *pt, struct pt_node *n, u_char *key,
struct pt_node *prev)
{
struct pt_node *tmp;

if (n == NULL)
{
return (0);
}

/* extract bit from the key */
switch (get_bit(key, n))
{
case 0:
/* recurse down the left of this node */
return (pt_remove_r(pt, n->l, key, n));
break;
case 1:
/* recurse down the right of this node */
return (pt_remove_r(pt, n->r, key, n));
break;
case 2:
/*
* Found the node to remove, deallocate its data and move
* the sibling data node up one.
*/
free(n->con);
n->con = (struct tcp_connection *)CON_REMOVED;
/*
* This will happen if the connection just removed was the
* only thing in the trie, and therefore in the root node.
*/
if (prev == NULL)
{
return (1);
}
/*
* If the left child node was removed, move up the values
* from the right and then free the unused nodes.
*/
if ((int)prev->l->con == CON_REMOVED)
{
tmp = prev->r->r;
free(prev->l);
prev->con = prev->r->con;
prev->bit = prev->r->bit;
prev->l = prev->r->l;
free(prev->r);
prev->r = tmp;
}

else
{
tmp = prev->l->l;
free(prev->r);
prev->con = prev->l->con;
prev->bit = prev->l->bit;
prev->r = prev->l->r;
free(prev->l);
prev->l = tmp;
}

pt->n -= 2;
return (1);
default:
return (0);
}
}

void
pt_delete(struct pt_context *pt, struct tcp_connection *c)
{
u_char key[KEY_BYTES];

/* if the trie is empty, just return */
if (pt->head == NULL)
{
return;
}

memset(key, 0, KEY_BYTES);
pt_make_key(key, c);

/* call the recursive search and delete function */
if (pt_remove_r(pt, pt->head, key, NULL))
{

if (pt->n == 1 && (int)(pt->head->con) == CON_REMOVED)
{
free(pt->head);
pt->head = NULL;
pt->n = 0;
}
}
}

I'm having a hard time understanding why you don't look (yes, look) at the things that the various messages have flagged.

As for this one:

The largest value that an unsigned char can ever take on is 255. Therefore cleanup can never (that's never) be greater than the defined value of CLEANUP_INTERVAL, so the if condition can never (that's never) be true.

Now whether this is any part of the particular problem you are reporting, I can't say. Whether there may be other problems, I can't say. But it is kind of obvious that this part of the program can't work in the way that it was expected by whoever it is that wrote the thing.


Regards,

Dave

Footnote: I hate to repeat myself (again) but