1 /* $Id$ */ 2 /**************************************************************************** 3 * 4 * Copyright (C) 2014-2021 Cisco and/or its affiliates. All rights reserved. 5 * Copyright (C) 2005-2013 Sourcefire, Inc. 6 * 7 * This program is free software; you can redistribute it and/or modify 8 * it under the terms of the GNU General Public License Version 2 as 9 * published by the Free Software Foundation. You may not use, modify or 10 * distribute this program under any other version of the GNU General 11 * Public License. 12 * 13 * This program is distributed in the hope that it will be useful, 14 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 * GNU General Public License for more details. 17 * 18 * You should have received a copy of the GNU General Public License 19 * along with this program; if not, write to the Free Software 20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 21 * 22 ****************************************************************************/ 23 24 #ifndef __SF_PROTOCOLS_H__ 25 #define __SF_PROTOCOLS_H__ 26 27 typedef uint8_t IpProto; 28 29 typedef enum { 30 PROTO_ETH, /* DecodeEthPkt */ 31 PROTO_FPATH, /* FabricPath - handled by DecodeEthPkt */ 32 PROTO_CISCO_META, /* Cisco Metadata - handled by DecodeEthPkt */ 33 34 PROTO_IP4, /* DecodeIP */ 35 /* DecodeIPOptions - handled with IP4 */ 36 PROTO_ICMP4, /* DecodeICMP */ 37 PROTO_ICMP_IP4, /* DecodeICMPEmbeddedIP */ 38 39 PROTO_UDP, /* DecodeUDP */ 40 PROTO_TCP, /* DecodeTCP */ 41 /* DecodeTCPOptions - handled with TCP */ 42 43 PROTO_IP6, /* DecodeIPV6 */ 44 /* DecodeIPV6Extensions - nothing to do here, calls below */ 45 PROTO_IP6_HOP_OPTS, /* DecodeIPV6Options - ip6 hop, dst, rte, and frag exts */ 46 PROTO_IP6_DST_OPTS, 47 PROTO_ICMP6, /* DecodeICMP6 */ 48 PROTO_ICMP_IP6, /* DecodeICMPEmbeddedIP6 */ 49 PROTO_VLAN, /* DecodeVlan */ 50 #ifdef GRE 51 PROTO_GRE, /* DecodeGRE */ 52 /* DecodeTransBridging - basically same as DecodeEthPkt */ 53 PROTO_ERSPAN, /* DecodeERSPANType2 and DecodeERSPANType3 */ 54 #endif 55 PROTO_PPPOE, /* DecodePPPoEPkt */ 56 PROTO_PPP_ENCAP, /* DecodePppPktEncapsulated */ 57 PROTO_MPLS, /* DecodeMPLS - decoder changes pkth len/caplen! */ 58 /* DecodeEthOverMPLS - basically same as straight eth */ 59 PROTO_ARP, /* DecodeARP */ 60 PROTO_GTP, /* DecodeGTP */ 61 PROTO_AH, /* DecodeAH - Authentication Header (IPSec stuff) */ 62 63 #ifndef NO_NON_ETHER_DECODER 64 PROTO_TR, /* DecodeTRPkt */ 65 PROTO_FDDI, /* DecodeFDDIPkt */ 66 PROTO_LSLL, /* DecodeLinuxSLLPkt sockaddr_ll for "any" device and */ 67 /* certain misbehaving link layer encapsulations */ 68 PROTO_80211, /* DecodeIEEE80211Pkt */ 69 PROTO_SLIP, /* DecodeSlipPkt - actually, based on header size, this */ 70 /* must be CSLIP (TCP/IP header compression) but all it */ 71 /* does is skip over the presumed header w/o expanding */ 72 /* and then jumps into IP4 decoding only; also, the actual */ 73 /* esc/end sequences must already have been removed because */ 74 /* there is no attempt to do that. */ 75 PROTO_L2I4, /* DecodeI4LRawIPPkt - always skips 2 bytes and then does */ 76 /* IP4 decoding only */ 77 PROTO_L2I4C, /* DecodeI4LCiscoIPPkt -always skips 4 bytes and then does */ 78 /* IP4 decoding only */ 79 PROTO_CHDLC, /* DecodeChdlcPkt - skips 4 bytes and decodes IP4 only. */ 80 PROTO_PFLOG, /* DecodePflog */ 81 PROTO_OLD_PFLOG, /* DecodeOldPflog */ 82 PROTO_PPP, /* DecodePppPkt - weird - optionally skips addr and cntl */ 83 /* bytes; what about flag and protocol? */ 84 /* calls only DecodePppPktEncapsulated. */ 85 PROTO_PPP_SERIAL, /* DecodePppSerialPkt - also weird - requires addr, cntl, */ 86 /* and proto (no flag) but optionally skips only 2 bytes */ 87 /* (presumably the trailer w/chksum is already stripped) */ 88 /* Calls either DecodePppPktEncapsulated or DecodeChdlcPkt. */ 89 PROTO_ENC, /* DecodeEncPkt - skips 12 bytes and decodes IP4 only. */ 90 /* (add family + "spi" + "flags" - don't know what this is) */ 91 PROTO_EAP, /* DecodeEAP */ 92 PROTO_EAPOL, /* DecodeEapol - leaf decoder */ 93 PROTO_EAPOL_KEY, /* DecodeEapolKey - leaf decoder */ 94 #endif /* NO_NON_ETHER_DECODER */ 95 96 PROTO_MAX 97 } PROTO_ID; 98 99 /* DecodeIPX - just counts; no decoding */ 100 /* DecodeEthLoopback - same as ipx */ 101 /* DecodeRawPkt - jumps straight into IP4 decoding */ 102 /* there is nothing to do */ 103 /* DecodeNullPkt - same as DecodeRawPkt */ 104 105 typedef struct { 106 PROTO_ID proto; 107 uint16_t length; 108 uint8_t* start; 109 } Layer; 110 111 #endif /* __PROTOCOLS_H__ */ 112 113