☆ RSTATPROC_STATS相关通信报文

rstat服务会泄露所在主机的敏感信息，比如boottime、curtime。注意，不要混淆了
rstat服务(100001)与status服务(100024)。

版本3的rstat服务我们就不管了，这里只关心版本4的通信报文。Ethereal 0.10.13
干脆未对rstat协议解码，下面是Sniffer Pro 4.70.564的解码显示:

--------------------------------------------------------------------------
UDP: ----- UDP Header -----
      UDP:
      UDP: Source port      = 34094
      UDP: Destination port = 32778
      UDP: Length           = 48
      UDP: Checksum         = 1028 (correct)
      UDP: [40 byte(s) of data]
      UDP:
RPC: C XID=139475002 PROG=Remote Statistics VERS=4 PROC=1(Get Statistics)
      RPC: Transaction id = 139475002
      RPC: Type = 0 (Call)
      RPC: RPC version = 2
      RPC: Program   = 100001 (Remote Statistics), version = 4
      RPC: Procedure = 1 (Get Statistics)
      RPC: Credentials: authorization flavor = 0 (Null)
      RPC: [Credentials: 0 byte(s) of authorization data]
      RPC: Verifier: authorization flavor = 0 (Null)
      RPC: [Verifier: 0 byte(s) of authorization data]
      RPC: [0 bytes of data present]
      RPC:
ADDR  HEX
0020:                               08 50 38 3a 00 00
0030: 00 00 00 00 00 02 00 01 86 a1 00 00 00 04 00 00
0040: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050: 00 00

UDP: ----- UDP Header -----
      UDP:
      UDP: Source port      = 32778
      UDP: Destination port = 34094
      UDP: Length           = 144
      UDP: Checksum         = FEC7 (correct)
      UDP: [136 byte(s) of data]
      UDP:
RPC: R XID=139475002  (Reply to 9)
      RPC: Transaction id = 139475002
      RPC: Type = 1 (Reply)
      RPC: Status = 0 (Accepted)
      RPC: Verifier: authorization flavor = 0 (Null)
      RPC: [Verifier: 0 byte(s) of authorization data]
      RPC: Accept status = 0 (Success)
      RPC: [112 bytes of data present]
      RPC:
RSTAT: ----- RSTAT -----
      RSTAT:
      RSTAT: Reply Procedure = 1 (Get Statistics)
      RSTAT: CPU Times:
      RSTAT:   Time (1)       = 4
      RSTAT:   Time (2)       = 1997
      RSTAT:   Time (3)       = 7768
      RSTAT:   Time (4)       = 5938
      RSTAT:
      RSTAT: Disk Transfers:
      RSTAT:   Transfers(1)   = 288098
      RSTAT:   Transfers(2)   = 4
      RSTAT:   Transfers(3)   = 11270
      RSTAT:   Transfers(4)   = 0
      RSTAT:
      RSTAT: Pages in         = 0
      RSTAT: Pages out        = 0
      RSTAT: Swaps in         = 1244932
      RSTAT: Swaps out        = 4968
      RSTAT: Interrupts       = 0
      RSTAT:
      RSTAT: Receive packets  = 2243
      RSTAT: Receive errors   = 0
      RSTAT: Transmit packets = 0
      RSTAT: Transmit errors  = 209170
      RSTAT: Collisions       = 8
      RSTAT:
      RSTAT: V switch         = 6
      RSTAT: Average run 0    = 10
      RSTAT: Average run 1    = 1007617451
      RSTAT: Average run 2    = 0
      RSTAT:
ADDR  HEX
0020:                               08 50 38 3a 00 00
0030: 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 04 00 00 07 cd 00 00 1e 58 00 00
0050: 17 32 00 04 65 62 00 00 00 04 00 00 2c 06 00 00
0060: 00 00 00 00 00 03 00 00 00 00 00 00 26 64 00 00
0070: 00 24 00 00 00 00 00 00 00 00 00 12 ff 04 00 00
0080: 13 68 00 00 00 00 00 00 08 c3 00 00 00 00 00 00
0090: 00 00 00 03 31 12 00 00 00 08 00 00 00 06 00 00
00a0: 00 0a 3c 0f 05 ab 00 00 00 00 3c 0f 11 77 00 09
00b0: c6 38
--------------------------------------------------------------------------

很遗憾，Sniffer Pro 4.70.564的解码是错的，现在手工解码如下:

--------------------------------------------------------------------------
/*
 * 整块数据对应struct statsvar
 */
0x00, 0x00, 0x00, 0x04,                         // +0x000 cp_time_len
/*
 * cp_time_val[cp_time_len]
 */
0x00, 0x00, 0x07, 0xCD,                         // cp_time_val[0]: 1997
0x00, 0x00, 0x1E, 0x58,                         // cp_time_val[1]: 7768
0x00, 0x00, 0x17, 0x32,                         // cp_time_val[2]: 5938
0x00, 0x04, 0x65, 0x62,                         // cp_time_val[3]: 288098
0x00, 0x00, 0x00, 0x04,                         // dk_xfer_len
/*
 * dk_xfer_val[dk_xfer_len]
 */
0x00, 0x00, 0x2C, 0x06,                         // dk_xfer_val[]: 11270
0x00, 0x00, 0x00, 0x00,                         // dk_xfer_val[]: 0
0x00, 0x00, 0x00, 0x03,                         // dk_xfer_val[]: 3
0x00, 0x00, 0x00, 0x00,                         // dk_xfer_val[]: 0
0x00, 0x00, 0x26, 0x64,                         // v_pgpgin: 9828
0x00, 0x00, 0x00, 0x24,                         // v_pgpgout: 36
0x00, 0x00, 0x00, 0x00,                         // v_pswpin: 0
0x00, 0x00, 0x00, 0x00,                         // v_pswpout: 0
0x00, 0x12, 0xFF, 0x04,                         // v_intr: 1244932
0x00, 0x00, 0x13, 0x68,                         // if_ipackets: 4968
0x00, 0x00, 0x00, 0x00,                         // if_ierrors: 0
0x00, 0x00, 0x08, 0xC3,                         // if_opackets: 2243
0x00, 0x00, 0x00, 0x00,                         // if_oerrors: 0
0x00, 0x00, 0x00, 0x00,                         // if_collisions: 0
0x00, 0x03, 0x31, 0x12,                         // v_swtch: 209170
/*
 * avenrun[3]
 */
0x00, 0x00, 0x00, 0x08,                         // avenrun[0]: 8
0x00, 0x00, 0x00, 0x06,                         // avenrun[1]: 6
0x00, 0x00, 0x00, 0x0A,                         // avenrun[2]: 10
/*
 * 用ctime()、ctime_r()将该值转换成可读形式
 */
0x3C, 0x0F, 0x05, 0xAB,                         // boottime.tv_sec: Thu Dec  6 13:44:11 2001
0x00, 0x00, 0x00, 0x00,                         // boottime.tv_usec: 0us
/*
 * 用ctime()、ctime_r()将该值转换成可读形式
 */
0x3C, 0x0F, 0x11, 0x77,                         // curtime.tv_sec: Thu Dec  6 14:34:31 2001
0x00, 0x09, 0xC6, 0x38                          // curtime.tv_usec: 640568us
--------------------------------------------------------------------------