1 /*
2 ** Copyright (C) 2002-2009 Sourcefire, Inc.
3 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
4 **
5 ** This program is free software; you can redistribute it and/or modify
6 ** it under the terms of the GNU General Public License Version 2 as
7 ** published by the Free Software Foundation. You may not use, modify or
8 ** distribute this program under any other version of the GNU General
9 ** Public License.
10 **
11 ** This program is distributed in the hope that it will be useful,
12 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
13 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 ** GNU General Public License for more details.
15 **
16 ** You should have received a copy of the GNU General Public License
17 ** along with this program; if not, write to the Free Software
18 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19 */
20
21 /* $Id$ */
22
23
24 #ifndef __DECODE_H__
25 #define __DECODE_H__
26
27
28 /* I N C L U D E S **********************************************************/
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <pcap.h>
37
38 #ifndef WIN32
39 #include <sys/socket.h>
40 #include <netinet/in.h>
41 #include <net/if.h>
42 #else /* !WIN32 */
43 #include <netinet/in_systm.h>
44 #include "libnet/IPExport.h"
45 #ifndef IFNAMSIZ
46 #define IFNAMESIZ MAX_ADAPTER_NAME
47 #endif /* !IFNAMSIZ */
48 #endif /* !WIN32 */
49
50 #include "bitop.h"
51 #include "ipv6_port.h"
52 #include "sf_ip.h"
53 #include "util.h"
54
55 extern int linktype;
56
57 /* D E F I N E S ************************************************************/
58 #define ETHERNET_MTU 1500
59 #define ETHERNET_TYPE_IP 0x0800
60 #define ETHERNET_TYPE_ARP 0x0806
61 #define ETHERNET_TYPE_REVARP 0x8035
62 #define ETHERNET_TYPE_EAPOL 0x888e
63 #define ETHERNET_TYPE_IPV6 0x86dd
64 #define ETHERNET_TYPE_IPX 0x8137
65 #define ETHERNET_TYPE_PPPoE_DISC 0x8863 /* discovery stage */
66 #define ETHERNET_TYPE_PPPoE_SESS 0x8864 /* session stage */
67 #define ETHERNET_TYPE_8021Q 0x8100
68 #define ETHERNET_TYPE_LOOP 0x9000
69 #define ETHERNET_TYPE_MPLS_UNICAST 0x8847
70 #define ETHERNET_TYPE_MPLS_MULTICAST 0x8848
71
72 #define ETH_DSAP_SNA 0x08 /* SNA */
73 #define ETH_SSAP_SNA 0x00 /* SNA */
74 #define ETH_DSAP_STP 0x42 /* Spanning Tree Protocol */
75 #define ETH_SSAP_STP 0x42 /* Spanning Tree Protocol */
76 #define ETH_DSAP_IP 0xaa /* IP */
77 #define ETH_SSAP_IP 0xaa /* IP */
78
79 #define ETH_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
80 #define ETH_ORG_CODE_CDP 0x00000c /* Cisco Discovery Proto */
81
82 #define ETHERNET_HEADER_LEN 14
83 #define ETHERNET_MAX_LEN_ENCAP 1518 /* 802.3 (+LLC) or ether II ? */
84 #define PPPOE_HEADER_LEN 20 /* ETHERNET_HEADER_LEN + 6 */
85
86 #define VLAN_HEADER_LEN 4
87 #ifndef NO_NON_ETHER_DECODER
88 #define MINIMAL_TOKENRING_HEADER_LEN 22
89 #define MINIMAL_IEEE80211_HEADER_LEN 10 /* Ack frames and others */
90 #define IEEE802_11_DATA_HDR_LEN 24 /* Header for data packets */
91 #define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN
92 #define TOKENRING_LLC_LEN 8
93 #define SLIP_HEADER_LEN 16
94
/* Frame type/subtype combinations with version = 0 */
96 /*** FRAME TYPE ***** HEX **** SUBTYPE TYPE DESCRIPT ********/
97 #define WLAN_TYPE_MGMT_ASREQ 0x0 /* 0000 00 Association Req */
#define WLAN_TYPE_MGMT_ASRES 0x10 /* 0001 00 Association Res */
99 #define WLAN_TYPE_MGMT_REREQ 0x20 /* 0010 00 Reassoc. Req. */
100 #define WLAN_TYPE_MGMT_RERES 0x30 /* 0011 00 Reassoc. Resp. */
101 #define WLAN_TYPE_MGMT_PRREQ 0x40 /* 0100 00 Probe Request */
102 #define WLAN_TYPE_MGMT_PRRES 0x50 /* 0101 00 Probe Response */
103 #define WLAN_TYPE_MGMT_BEACON 0x80 /* 1000 00 Beacon */
104 #define WLAN_TYPE_MGMT_ATIM 0x90 /* 1001 00 ATIM message */
105 #define WLAN_TYPE_MGMT_DIS 0xa0 /* 1010 00 Disassociation */
106 #define WLAN_TYPE_MGMT_AUTH 0xb0 /* 1011 00 Authentication */
107 #define WLAN_TYPE_MGMT_DEAUTH 0xc0 /* 1100 00 Deauthentication*/
108
109 #define WLAN_TYPE_CONT_PS 0xa4 /* 1010 01 Power Save */
110 #define WLAN_TYPE_CONT_RTS 0xb4 /* 1011 01 Request to send */
#define WLAN_TYPE_CONT_CTS 0xc4 /* 1100 01 Clear to send */
112 #define WLAN_TYPE_CONT_ACK 0xd4 /* 1101 01 Acknowledgement */
113 #define WLAN_TYPE_CONT_CFE 0xe4 /* 1110 01 Cont. Free end */
114 #define WLAN_TYPE_CONT_CFACK 0xf4 /* 1111 01 CF-End + CF-Ack */
115
116 #define WLAN_TYPE_DATA_DATA 0x08 /* 0000 10 Data */
117 #define WLAN_TYPE_DATA_DTCFACK 0x18 /* 0001 10 Data + CF-Ack */
118 #define WLAN_TYPE_DATA_DTCFPL 0x28 /* 0010 10 Data + CF-Poll */
119 #define WLAN_TYPE_DATA_DTACKPL 0x38 /* 0011 10 Data+CF-Ack+CF-Pl */
120 #define WLAN_TYPE_DATA_NULL 0x48 /* 0100 10 Null (no data) */
121 #define WLAN_TYPE_DATA_CFACK 0x58 /* 0101 10 CF-Ack (no data)*/
122 #define WLAN_TYPE_DATA_CFPL 0x68 /* 0110 10 CF-Poll (no data)*/
123 #define WLAN_TYPE_DATA_ACKPL 0x78 /* 0111 10 CF-Ack+CF-Poll */
124
125 /*** Flags for IEEE 802.11 Frame Control ***/
126 /* The following are designed to be bitwise-AND-d in an 8-bit u_char */
127 #define WLAN_FLAG_TODS 0x0100 /* To DS Flag 10000000 */
128 #define WLAN_FLAG_FROMDS 0x0200 /* From DS Flag 01000000 */
129 #define WLAN_FLAG_FRAG 0x0400 /* More Frag 00100000 */
130 #define WLAN_FLAG_RETRY 0x0800 /* Retry Flag 00010000 */
131 #define WLAN_FLAG_PWRMGMT 0x1000 /* Power Mgmt. 00001000 */
132 #define WLAN_FLAG_MOREDAT 0x2000 /* More Data 00000100 */
133 #define WLAN_FLAG_WEP 0x4000 /* Wep Enabled 00000010 */
134 #define WLAN_FLAG_ORDER 0x8000 /* Strict Order 00000001 */
135
136 /* IEEE 802.1x eapol types */
137 #define EAPOL_TYPE_EAP 0x00 /* EAP packet */
138 #define EAPOL_TYPE_START 0x01 /* EAPOL start */
139 #define EAPOL_TYPE_LOGOFF 0x02 /* EAPOL Logoff */
140 #define EAPOL_TYPE_KEY 0x03 /* EAPOL Key */
141 #define EAPOL_TYPE_ASF 0x04 /* EAPOL Encapsulated ASF-Alert */
142
143 /* Extensible Authentication Protocol Codes RFC 2284*/
144 #define EAP_CODE_REQUEST 0x01
145 #define EAP_CODE_RESPONSE 0x02
146 #define EAP_CODE_SUCCESS 0x03
147 #define EAP_CODE_FAILURE 0x04
148 /* EAP Types */
149 #define EAP_TYPE_IDENTITY 0x01
150 #define EAP_TYPE_NOTIFY 0x02
151 #define EAP_TYPE_NAK 0x03
152 #define EAP_TYPE_MD5 0x04
153 #define EAP_TYPE_OTP 0x05
154 #define EAP_TYPE_GTC 0x06
155 #define EAP_TYPE_TLS 0x0d
156 #endif // NO_NON_ETHER_DECODER
157
158 /* Cisco HDLC header values */
159 #define CHDLC_HEADER_LEN 4
160 #define CHDLC_ADDR_UNICAST 0x0f
161 #define CHDLC_ADDR_MULTICAST 0x8f
162 #define CHDLC_ADDR_BROADCAST 0xff
163 #define CHDLC_CTRL_UNNUMBERED 0x03
164
165 #define MAX_PORTS 65536
166
167 /* ppp header structure
168 *
169 * Actually, this is the header for RFC1332 Section 3
170 * IPCP Configuration Options for sending IP datagrams over a PPP link
171 *
172 */
struct ppp_header {
    unsigned char address;      /* address field */
    unsigned char control;      /* control field */
    unsigned short protocol;    /* protocol field; the PPP_* values below are the ones the decoder
                                 * knows about -- presumably compared after byte-swapping, confirm in decoder */
};
/* NOTE(review): with natural alignment this struct is expected to be 4 bytes
 * (no padding before the 2-byte protocol field), which is what PPP_HDRLEN
 * below relies on when it is not supplied by the system headers. */
178
179 #ifndef PPP_HDRLEN
180 #define PPP_HDRLEN sizeof(struct ppp_header)
181 #endif
182
183 #define PPP_IP 0x0021 /* Internet Protocol */
184 #define PPP_VJ_COMP 0x002d /* VJ compressed TCP/IP */
185 #define PPP_VJ_UCOMP 0x002f /* VJ uncompressed TCP/IP */
186 #define PPP_IPX 0x002b /* Novell IPX Protocol */
187
188 /* otherwise defined in /usr/include/ppp_defs.h */
189 #ifndef PPP_MTU
190 #define PPP_MTU 1500
191 #endif
192
193 /* NULL aka LoopBack interfaces */
194 #define NULL_HDRLEN 4
195
196 /* enc interface */
/* OpenBSD enc(4) interface header: three 32-bit words, matching
 * ENC_HEADER_LEN (12) below. */
struct enc_header {
    uint32_t af;        /* address family of the encapsulated packet */
    uint32_t spi;       /* security parameter index */
    uint32_t flags;     /* flags word; meaning not interpreted in this header */
};
202 #define ENC_HEADER_LEN 12
203
204 /* otherwise defined in /usr/include/ppp_defs.h */
205 #define IP_HEADER_LEN 20
206 #define TCP_HEADER_LEN 20
207 #define UDP_HEADER_LEN 8
208 #define ICMP_HEADER_LEN 4
209
210 #define IP_OPTMAX 40
211 #define IP6_EXTMAX 40
212 #define TCP_OPTLENMAX 40 /* (((2^4) - 1) * 4 - TCP_HEADER_LEN) */
213
214 #ifndef IP_MAXPACKET
215 #define IP_MAXPACKET 65535 /* maximum packet size */
216 #endif /* IP_MAXPACKET */
217
218 #define TH_FIN 0x01
219 #define TH_SYN 0x02
220 #define TH_RST 0x04
221 #define TH_PUSH 0x08
222 #define TH_ACK 0x10
223 #define TH_URG 0x20
224 #define TH_RES2 0x40
225 #define TH_RES1 0x80
226 #define TH_NORESERVED (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)
227
228 /* http://www.iana.org/assignments/tcp-parameters
229 *
230 * tcp options stuff. used to be in <netinet/tcp.h> but it breaks
231 * things on AIX
232 */
233 #define TCPOPT_EOL 0 /* End of Option List [RFC793] */
234 #define TCPOLEN_EOL 1 /* Always one byte */
235
236 #define TCPOPT_NOP 1 /* No-Option [RFC793] */
237 #define TCPOLEN_NOP 1 /* Always one byte */
238
239 #define TCPOPT_MAXSEG 2 /* Maximum Segment Size [RFC793] */
240 #define TCPOLEN_MAXSEG 4 /* Always 4 bytes */
241
242 #define TCPOPT_WSCALE 3 /* Window scaling option [RFC1323] */
243 #define TCPOLEN_WSCALE 3 /* 1 byte with logarithmic values */
244
245 #define TCPOPT_SACKOK 4 /* Experimental [RFC2018]*/
246 #define TCPOLEN_SACKOK 2
247
248 #define TCPOPT_SACK 5 /* Experimental [RFC2018] variable length */
249
250 #define TCPOPT_ECHO 6 /* Echo (obsoleted by option 8) [RFC1072] */
251 #define TCPOLEN_ECHO 6 /* 6 bytes */
252
253 #define TCPOPT_ECHOREPLY 7 /* Echo Reply (obsoleted by option 8)[RFC1072] */
254 #define TCPOLEN_ECHOREPLY 6 /* 6 bytes */
255
256 #define TCPOPT_TIMESTAMP 8 /* Timestamp [RFC1323], 10 bytes */
257 #define TCPOLEN_TIMESTAMP 10
258
259 #define TCPOPT_PARTIAL_PERM 9 /* Partial Order Permitted/ Experimental [RFC1693] */
260 #define TCPOLEN_PARTIAL_PERM 2 /* Partial Order Permitted/ Experimental [RFC1693] */
261
262 #define TCPOPT_PARTIAL_SVC 10 /* Partial Order Profile [RFC1693] */
263 #define TCPOLEN_PARTIAL_SVC 3 /* 3 bytes long -- Experimental */
264
/* at least decode T/TCP options... */
266 #define TCPOPT_CC 11 /* T/TCP Connection count [RFC1644] */
267 #define TCPOPT_CC_NEW 12 /* CC.NEW [RFC1644] */
268 #define TCPOPT_CC_ECHO 13 /* CC.ECHO [RFC1644] */
269 #define TCPOLEN_CC 6 /* page 17 of rfc1644 */
270 #define TCPOLEN_CC_NEW 6 /* page 17 of rfc1644 */
271 #define TCPOLEN_CC_ECHO 6 /* page 17 of rfc1644 */
272
273 #define TCPOPT_ALTCSUM 15 /* TCP Alternate Checksum Data [RFC1146], variable length */
274 #define TCPOPT_SKEETER 16 /* Skeeter [Knowles] */
275 #define TCPOPT_BUBBA 17 /* Bubba [Knowles] */
276
277 #define TCPOPT_TRAILER_CSUM 18 /* Trailer Checksum Option [Subbu & Monroe] */
278 #define TCPOLEN_TRAILER_CSUM 3
279
280 #define TCPOPT_MD5SIG 19 /* MD5 Signature Option [RFC2385] */
281 #define TCPOLEN_MD5SIG 18
282
283 /* Space Communications Protocol Standardization */
284 #define TCPOPT_SCPS 20 /* Capabilities [Scott] */
285 #define TCPOPT_SELNEGACK 21 /* Selective Negative Acknowledgements [Scott] */
286 #define TCPOPT_RECORDBOUND 22 /* Record Boundaries [Scott] */
287 #define TCPOPT_CORRUPTION 23 /* Corruption experienced [Scott] */
288
289 #define TCPOPT_SNAP 24 /* SNAP [Sukonnik] -- anyone have info?*/
290 #define TCPOPT_UNASSIGNED 25 /* Unassigned (released 12/18/00) */
291 #define TCPOPT_COMPRESSION 26 /* TCP Compression Filter [Bellovin] */
292 /* http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt*/
293
294 #define TCP_OPT_TRUNC -1
295 #define TCP_OPT_BADLEN -2
296
297 /* Why are these lil buggers here? Never Used. -- cmg */
298 #define TCPOLEN_TSTAMP_APPA (TCPOLEN_TIMESTAMP+2) /* appendix A / rfc 1323 */
299 #define TCPOPT_TSTAMP_HDR \
300 (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
301
302 /*
303 * Default maximum segment size for TCP.
304 * With an IP MSS of 576, this is 536,
305 * but 512 is probably more convenient.
306 * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
307 */
308
309 #ifndef TCP_MSS
310 #define TCP_MSS 512
311 #endif
312
313 #ifndef TCP_MAXWIN
314 #define TCP_MAXWIN 65535 /* largest value for (unscaled) window */
315 #endif
316
317 #ifndef TCP_MAX_WINSHIFT
318 #define TCP_MAX_WINSHIFT 14 /* maximum window shift */
319 #endif
320
321 /*
322 * User-settable options (used with setsockopt).
323 */
324 #ifndef TCP_NODELAY
325 #define TCP_NODELAY 0x01 /* don't delay send to coalesce packets */
326 #endif
327
328 #ifndef TCP_MAXSEG
329 #define TCP_MAXSEG 0x02 /* set maximum segment size */
330 #endif
331
332 #define SOL_TCP 6 /* TCP level */
333
334
335
336 #define L2TP_PORT 1701
337 #define DHCP_CLIENT_PORT 68
338 #define DHCP_SERVER_PORT 67
339
340 /* IRIX 6.2 hack! */
341 #ifndef IRIX
342 #define SNAPLEN 1514
343 #else
344 #define SNAPLEN 1500
345 #endif
346
347 #define READ_TIMEOUT 500
348
349 #ifndef NO_NON_ETHER_DECODER
350 /* Start Token Ring */
351 #define TR_ALEN 6 /* octets in an Ethernet header */
352 #define IPARP_SAP 0xaa
353
354 #define AC 0x10
355 #define LLC_FRAME 0x40
356
357 #define TRMTU 2000 /* 2000 bytes */
358 #define TR_RII 0x80
359 #define TR_RCF_DIR_BIT 0x80
360 #define TR_RCF_LEN_MASK 0x1f00
361 #define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */
362 #define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */
363 #define TR_RCF_FRAME2K 0x20
364 #define TR_RCF_BROADCAST_MASK 0xC000
365 /* End Token Ring */
366
367 /* Start FDDI */
368 #define FDDI_ALLC_LEN 13
369 #define FDDI_ALEN 6
370 #define FDDI_MIN_HLEN (FDDI_ALLC_LEN + 3)
371
372 #define FDDI_DSAP_SNA 0x08 /* SNA */
373 #define FDDI_SSAP_SNA 0x00 /* SNA */
374 #define FDDI_DSAP_STP 0x42 /* Spanning Tree Protocol */
375 #define FDDI_SSAP_STP 0x42 /* Spanning Tree Protocol */
376 #define FDDI_DSAP_IP 0xaa /* IP */
377 #define FDDI_SSAP_IP 0xaa /* IP */
378
379 #define FDDI_ORG_CODE_ETHR 0x000000 /* Encapsulated Ethernet */
380 #define FDDI_ORG_CODE_CDP 0x00000c /* Cisco Discovery
381 * Proto(?) */
382
383 #define ETHERNET_TYPE_CDP 0x2000 /* Cisco Discovery Protocol */
384 /* End FDDI */
385 #endif // NO_NON_ETHER_DECODER
386
387 #define ARPOP_REQUEST 1 /* ARP request */
388 #define ARPOP_REPLY 2 /* ARP reply */
389 #define ARPOP_RREQUEST 3 /* RARP request */
390 #define ARPOP_RREPLY 4 /* RARP reply */
391
392 /* PPPoE types */
393 #define PPPoE_CODE_SESS 0x00 /* PPPoE session */
394 #define PPPoE_CODE_PADI 0x09 /* PPPoE Active Discovery Initiation */
395 #define PPPoE_CODE_PADO 0x07 /* PPPoE Active Discovery Offer */
396 #define PPPoE_CODE_PADR 0x19 /* PPPoE Active Discovery Request */
397 #define PPPoE_CODE_PADS 0x65 /* PPPoE Active Discovery Session-confirmation */
398 #define PPPoE_CODE_PADT 0xa7 /* PPPoE Active Discovery Terminate */
399
400 /* PPPoE tag types */
401 #define PPPoE_TAG_END_OF_LIST 0x0000
402 #define PPPoE_TAG_SERVICE_NAME 0x0101
403 #define PPPoE_TAG_AC_NAME 0x0102
404 #define PPPoE_TAG_HOST_UNIQ 0x0103
405 #define PPPoE_TAG_AC_COOKIE 0x0104
406 #define PPPoE_TAG_VENDOR_SPECIFIC 0x0105
407 #define PPPoE_TAG_RELAY_SESSION_ID 0x0110
408 #define PPPoE_TAG_SERVICE_NAME_ERROR 0x0201
409 #define PPPoE_TAG_AC_SYSTEM_ERROR 0x0202
410 #define PPPoE_TAG_GENERIC_ERROR 0x0203
411
412
413 #define ICMP_ECHOREPLY 0 /* Echo Reply */
414 #define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
415 #define ICMP_SOURCE_QUENCH 4 /* Source Quench */
416 #define ICMP_REDIRECT 5 /* Redirect (change route) */
417 #define ICMP_ECHO 8 /* Echo Request */
418 #define ICMP_ROUTER_ADVERTISE 9 /* Router Advertisement */
419 #define ICMP_ROUTER_SOLICIT 10 /* Router Solicitation */
420 #define ICMP_TIME_EXCEEDED 11 /* Time Exceeded */
421 #define ICMP_PARAMETERPROB 12 /* Parameter Problem */
422 #define ICMP_TIMESTAMP 13 /* Timestamp Request */
423 #define ICMP_TIMESTAMPREPLY 14 /* Timestamp Reply */
424 #define ICMP_INFO_REQUEST 15 /* Information Request */
425 #define ICMP_INFO_REPLY 16 /* Information Reply */
426 #define ICMP_ADDRESS 17 /* Address Mask Request */
427 #define ICMP_ADDRESSREPLY 18 /* Address Mask Reply */
428 #define NR_ICMP_TYPES 18
429
430 /* Codes for ICMP UNREACHABLES */
431 #define ICMP_NET_UNREACH 0 /* Network Unreachable */
432 #define ICMP_HOST_UNREACH 1 /* Host Unreachable */
433 #define ICMP_PROT_UNREACH 2 /* Protocol Unreachable */
434 #define ICMP_PORT_UNREACH 3 /* Port Unreachable */
435 #define ICMP_FRAG_NEEDED 4 /* Fragmentation Needed/DF set */
436 #define ICMP_SR_FAILED 5 /* Source Route failed */
437 #define ICMP_NET_UNKNOWN 6
438 #define ICMP_HOST_UNKNOWN 7
439 #define ICMP_HOST_ISOLATED 8
440 #define ICMP_PKT_FILTERED_NET 9
441 #define ICMP_PKT_FILTERED_HOST 10
442 #define ICMP_NET_UNR_TOS 11
443 #define ICMP_HOST_UNR_TOS 12
444 #define ICMP_PKT_FILTERED 13 /* Packet filtered */
445 #define ICMP_PREC_VIOLATION 14 /* Precedence violation */
446 #define ICMP_PREC_CUTOFF 15 /* Precedence cut off */
447 #define NR_ICMP_UNREACH 15 /* instead of hardcoding immediate
448 * value */
449
450 #define ICMP_REDIR_NET 0
451 #define ICMP_REDIR_HOST 1
452 #define ICMP_REDIR_TOS_NET 2
453 #define ICMP_REDIR_TOS_HOST 3
454
455 #define ICMP_TIMEOUT_TRANSIT 0
456 #define ICMP_TIMEOUT_REASSY 1
457
458 #define ICMP_PARAM_BADIPHDR 0
459 #define ICMP_PARAM_OPTMISSING 1
460 #define ICMP_PARAM_BAD_LENGTH 2
461
462 /* ip option type codes */
463 #ifndef IPOPT_EOL
464 #define IPOPT_EOL 0x00
465 #endif
466
467 #ifndef IPOPT_NOP
468 #define IPOPT_NOP 0x01
469 #endif
470
471 #ifndef IPOPT_RR
472 #define IPOPT_RR 0x07
473 #endif
474
475 #ifndef IPOPT_RTRALT
476 #define IPOPT_RTRALT 0x94
477 #endif
478
479 #ifndef IPOPT_TS
480 #define IPOPT_TS 0x44
481 #endif
482
483 #ifndef IPOPT_SECURITY
484 #define IPOPT_SECURITY 0x82
485 #endif
486
487 #ifndef IPOPT_LSRR
488 #define IPOPT_LSRR 0x83
489 #endif
490
491 #ifndef IPOPT_LSRR_E
492 #define IPOPT_LSRR_E 0x84
493 #endif
494
495 #ifndef IPOPT_ESEC
496 #define IPOPT_ESEC 0x85
497 #endif
498
499 #ifndef IPOPT_SATID
500 #define IPOPT_SATID 0x88
501 #endif
502
503 #ifndef IPOPT_SSRR
504 #define IPOPT_SSRR 0x89
505 #endif
506
507
508 /* tcp option codes */
509 #define TOPT_EOL 0x00
510 #define TOPT_NOP 0x01
511 #define TOPT_MSS 0x02
512 #define TOPT_WS 0x03
513 #define TOPT_TS 0x08
514 #ifndef TCPOPT_WSCALE
515 #define TCPOPT_WSCALE 3 /* window scale factor (rfc1072) */
516 #endif
517 #ifndef TCPOPT_SACKOK
518 #define TCPOPT_SACKOK 4 /* selective ack ok (rfc1072) */
519 #endif
520 #ifndef TCPOPT_SACK
521 #define TCPOPT_SACK 5 /* selective ack (rfc1072) */
522 #endif
523 #ifndef TCPOPT_ECHO
524 #define TCPOPT_ECHO 6 /* echo (rfc1072) */
525 #endif
526 #ifndef TCPOPT_ECHOREPLY
527 #define TCPOPT_ECHOREPLY 7 /* echo (rfc1072) */
528 #endif
529 #ifndef TCPOPT_TIMESTAMP
530 #define TCPOPT_TIMESTAMP 8 /* timestamps (rfc1323) */
531 #endif
532 #ifndef TCPOPT_CC
533 #define TCPOPT_CC 11 /* T/TCP CC options (rfc1644) */
534 #endif
535 #ifndef TCPOPT_CCNEW
536 #define TCPOPT_CCNEW 12 /* T/TCP CC options (rfc1644) */
537 #endif
538 #ifndef TCPOPT_CCECHO
539 #define TCPOPT_CCECHO 13 /* T/TCP CC options (rfc1644) */
540 #endif
541
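/* Big-endian field extraction from raw packet memory.
 *
 * Packet pointers are usually not aligned for a uint16_t/uint32_t load and
 * never designate an object of that type, so the old `*(u_short *)(p)` /
 * `*(uint32_t *)(p)` form was an alignment fault on strict architectures
 * (SIGBUS on SPARC) and a strict-aliasing violation everywhere else.
 * Copying the bytes out first is well-defined on every platform, and
 * compilers turn it into a plain load where that is legal, so the
 * WORDS_MUSTALIGN / __GNUC__ special-casing is no longer needed (it also
 * left EXTRACT_32BITS undefined on a non-GNU compiler with WORDS_MUSTALIGN
 * set, and used the reserved identifier __tmp).
 *
 * p must point at least 2 (resp. 4) readable bytes; callers are responsible
 * for checking that against the captured length before extracting. */
static inline uint16_t decode_extract_16bits(const void *p)
{
    uint16_t raw;
    memcpy(&raw, p, sizeof raw);
    return (uint16_t) ntohs(raw);
}

static inline uint32_t decode_extract_32bits(const void *p)
{
    uint32_t raw;
    memcpy(&raw, p, sizeof raw);
    return (uint32_t) ntohl(raw);
}

#define EXTRACT_16BITS(p) decode_extract_16bits((p))
#define EXTRACT_32BITS(p) decode_extract_32bits((p))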
557
558 /* packet status flags */
559 #define PKT_REBUILT_FRAG 0x00000001 /* is a rebuilt fragment */
560 #define PKT_REBUILT_STREAM 0x00000002 /* is a rebuilt stream */
561 #define PKT_STREAM_UNEST_UNI 0x00000004 /* is from an unestablished stream and
562 * we've only seen traffic in one
563 * direction
564 */
565 #define PKT_STREAM_UNEST_BI 0x00000008 /* is from an unestablished stream and
566 * we've seen traffic in both
567 * directions
568 */
569 #define PKT_STREAM_EST 0x00000010 /* is from an established stream */
570 #define PKT_ECN 0x00000020 /* this is ECN traffic */
571 #define PKT_FROM_SERVER 0x00000040 /* this packet came from the server
572 side of a connection (TCP) */
573 #define PKT_FROM_CLIENT 0x00000080 /* this packet came from the client
574 side of a connection (TCP) */
575 #define PKT_HTTP_DECODE 0x00000100 /* this packet has normalized http */
576 #define PKT_FRAG_ALERTED 0x00000200 /* this packet has been alerted by
577 defrag */
578 #define PKT_STREAM_INSERT 0x00000400 /* this packet has been inserted into stream4 */
#define PKT_ALT_DECODE 0x00000800 /* this packet has been normalized by telnet
(only set when we must look at an alternative buffer)
*/
582 #define PKT_STREAM_TWH 0x00001000
583 #define PKT_IGNORE_PORT 0x00002000 /* this packet should be ignored, based on port */
584 #define PKT_PASS_RULE 0x00004000 /* this packet has matched a pass rule */
585 #define PKT_NO_DETECT 0x00008000 /* this packet should not be preprocessed */
586 #define PKT_PREPROC_RPKT 0x00010000 /* set in original packet to indicate a preprocessor
587 * has a reassembled packet */
588 #define PKT_DCE_RPKT 0x00020000 /* this packet is a DCE/RPC reassembled one */
589 #define PKT_IP_RULE 0x00040000 /* this packet is being evaluated against an IP rule */
590 #define PKT_IP_RULE_2ND 0x00080000 /* this packet is being evaluated against an IP rule */
591
592 #define PKT_SMB_SEG 0x00100000 /* this is an SMB desegmented packet */
593 #define PKT_DCE_SEG 0x00200000 /* this is a DCE/RPC desegmented packet */
594 #define PKT_DCE_FRAG 0x00400000 /* this is a DCE/RPC defragmented packet */
595 #define PKT_SMB_TRANS 0x00800000 /* this is an SMB Transact reassembled packet */
596 #define PKT_DCE_PKT 0x01000000 /* this is a DCE packet processed by DCE/RPC preprocessor */
597 #define PKT_RPC_PKT 0x02000000 /* this is an ONC RPC packet processed by rpc decode preprocessor */
598
599 #define PKT_STATELESS 0x10000000 /* Packet has matched a stateless rule */
600 #define PKT_INLINE_DROP 0x20000000
601 #define PKT_OBFUSCATED 0x40000000 /* this packet has been obfuscated */
602 #define PKT_LOGGED 0x80000000 /* this packet has been logged */
603 #define DECODE_START_INDEX 400
604 #define DECODE_SID_MAX 405 /* Highest numbered sid in decoder rules */
605 #define DECODE_INDEX_MAX (DECODE_SID_MAX - DECODE_START_INDEX + 1)
606
607 /* Only include application layer reassembled data
608 * flags here - no PKT_REBUILT_FRAG */
609 #define REASSEMBLED_PACKET_FLAGS \
610 (PKT_REBUILT_STREAM|PKT_SMB_SEG|PKT_DCE_SEG|PKT_DCE_FRAG|PKT_SMB_TRANS)
611
612
613 /* D A T A S T R U C T U R E S *********************************************/
614
615 #ifndef NO_NON_ETHER_DECODER
616 /* Start Token Ring Data Structures */
617
618
619 #ifdef _MSC_VER
620 /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
621 #pragma warning( disable : 4214 )
622 #endif
623
624 /* LLC structure */
/* LLC structure
 * SNAP-style LLC header as the Token Ring decoder sees it: the two SAPs, a
 * 3-byte protocol/organisation id and the encapsulated ethertype (compare
 * with the ETH_DSAP_*/ETH_SSAP_* and ETHERNET_TYPE_* values above).
 * NOTE(review): no control byte is declared, so ethertype only lands at
 * offset 6 (sizeof == 8, matching TOKENRING_LLC_LEN) because of the
 * alignment padding the compiler inserts after protid -- confirm this is
 * what the decoder's overlay expects. */
typedef struct _Trh_llc
{
    uint8_t dsap;           /* destination service access point */
    uint8_t ssap;           /* source service access point */
    uint8_t protid[3];      /* protocol id / organisation code */
    uint16_t ethertype;     /* encapsulated ethertype; presumably network byte order */
} Trh_llc;
632
/* RIF structure
 * The Linux/tcpdump patch defines the token ring header in an awkward way, since not
 * every token ring header will have RIF data... we define it separately, and
 * a bit more split up
 */
638
639 #ifdef _MSC_VER
640 /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
641 #pragma warning( disable : 4214 )
642 #endif
643
644
645 /* These are macros to use the bitlevel accesses in the Trh_Mr header
646
647 they haven't been tested and they aren't used much so here is a
648 listing of what used to be there
649
650 #if defined(WORDS_BIGENDIAN)
651 uint16_t bcast:3, len:5, dir:1, lf:3, res:4;
652 #else
653 uint16_t len:5, length of RIF field, including RC itself
654 bcast:3, broadcast indicator
655 res:4, reserved
656 lf:3, largest frame size
657 dir:1; direction
658 */
659
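/* Accessors for the 16-bit routing control field of a Token Ring RIF.
 * bcast_len_dir_lf_res is in network byte order; after ntohs() the layout
 * (from the big-endian bit-field listing above) is
 *   bcast : bits 15..13   broadcast indicator
 *   len   : bits 12..8    length of the RIF field, including RC itself
 *   dir   : bit  7        direction
 *   lf    : bits 6..4     largest frame
 *   res   : bits 3..0     reserved
 * Each shift must equal the position of the mask's lowest set bit, otherwise
 * the selected bits are shifted away and the macro can only ever yield 0
 * (DIR and LF previously did exactly that with >> 8 and >> 7). */
#define TRH_MR_BCAST(trhmr) ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0xe000) >> 13)
#define TRH_MR_LEN(trhmr)   ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x1F00) >> 8)
#define TRH_MR_DIR(trhmr)   ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0080) >> 7)
#define TRH_MR_LF(trhmr)    ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0070) >> 4)
#define TRH_MR_RES(trhmr)   ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x000F))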
665
/* Token Ring routing information field (RIF): one routing-control word
 * followed by up to 8 route designator words.  The first word is unpacked
 * with the TRH_MR_* macros above rather than bit-fields so the layout does
 * not depend on host endianness. */
typedef struct _Trh_mr
{
    uint16_t bcast_len_dir_lf_res;  /* broadcast/res/framesize/direction, network byte order */
    uint16_t rseg[8];               /* route segment entries (name suggests; not decoded here) */
} Trh_mr;
671 #ifdef _MSC_VER
672 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
673 #pragma warning( default : 4214 )
674 #endif
675
676
/* Fixed part of the Token Ring MAC header: access control, frame control and
 * the two TR_ALEN-byte station addresses.  The original field comments had
 * the two addresses swapped; they now follow the field names. */
typedef struct _Trh_hdr
{
    uint8_t ac;                 /* access control field */
    uint8_t fc;                 /* frame control field */
    uint8_t daddr[TR_ALEN];     /* destination address */
    uint8_t saddr[TR_ALEN];     /* source address */
} Trh_hdr;
684
685 #ifdef WIN32
686 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
687 #pragma warning( default : 4214 )
688 #endif
689 /* End Token Ring Data Structures */
690
691
692 /* Start FDDI Data Structures */
693
694 /* FDDI header is always this: -worm5er */
/* FDDI header is always this: -worm5er
 * Frame control byte plus the two FDDI_ALEN-byte station addresses.  The
 * original field comments had the two addresses swapped; they now follow
 * the field names. */
typedef struct _Fddi_hdr
{
    uint8_t fc;                 /* frame control field */
    uint8_t daddr[FDDI_ALEN];   /* destination address */
    uint8_t saddr[FDDI_ALEN];   /* source address */
} Fddi_hdr;
701
702 /* splitting the llc up because of variable lengths of the LLC -worm5er */
/* splitting the llc up because of variable lengths of the LLC -worm5er
 * First two bytes of the FDDI LLC: the service access points.  What follows
 * them depends on the SAP values (see the FDDI_DSAP_*/FDDI_SSAP_* constants
 * and the Fddi_llc_* structs below). */
typedef struct _Fddi_llc_saps
{
    uint8_t dsap;   /* destination service access point */
    uint8_t ssap;   /* source service access point */
} Fddi_llc_saps;
708
/* I've found SNA frames have two additional bytes after the LLC SAPs -worm5er */
/* Two control bytes that follow Fddi_llc_saps on SNA frames. */
typedef struct _Fddi_llc_sna
{
    uint8_t ctrl_fld[2];    /* control field, 2 bytes on SNA frames */
} Fddi_llc_sna;
714
/* I've also found other frames that seem to have only one byte... We're only
really interested in the IP data so, until we want other frames, I'm going to say
the data is one byte beyond this frame... -worm5er */
/* Single control byte that follows Fddi_llc_saps on frames that are neither
 * SNA nor IP/ARP; the payload is taken to start right after it. */
typedef struct _Fddi_llc_other
{
    uint8_t ctrl_fld[1];    /* control field, 1 byte */
} Fddi_llc_other;
722
723 /* Just like TR the ip/arp data is setup as such: -worm5er */
/* Just like TR the ip/arp data is setup as such: -worm5er
 * Remainder of the SNAP LLC on IP/ARP frames: control byte, organisation
 * code and the encapsulated ethertype (compare with ETHERNET_TYPE_*). */
typedef struct _Fddi_llc_iparp
{
    uint8_t ctrl_fld;       /* control field */
    uint8_t protid[3];      /* protocol id / organisation code (FDDI_ORG_CODE_*) */
    uint16_t ethertype;     /* encapsulated ethertype; presumably network byte order */
} Fddi_llc_iparp;
730
731 /* End FDDI Data Structures */
732
733
734 /* 'Linux cooked captures' data
735 * (taken from tcpdump source).
736 */
737
738 #define SLL_HDR_LEN 16 /* total header length */
739 #define SLL_ADDRLEN 8 /* length of address field */
/* Linux "cooked" capture (SLL) header: 2+2+2+8+2 = 16 bytes, matching
 * SLL_HDR_LEN above.  Multi-byte fields are presumably network byte order
 * as in the tcpdump definition this was taken from -- confirm in decoder. */
typedef struct _SLLHdr {
    uint16_t sll_pkttype;               /* packet type (LINUX_SLL_HOST etc. below) */
    uint16_t sll_hatype;                /* link-layer address type */
    uint16_t sll_halen;                 /* link-layer address length */
    uint8_t sll_addr[SLL_ADDRLEN];      /* link-layer address; only sll_halen bytes are meaningful */
    uint16_t sll_protocol;              /* protocol (LINUX_SLL_P_* below, or an ethertype) */
} SLLHdr;
747
748
749 /*
750 * Snort supports 3 versions of the OpenBSD pflog header:
751 *
752 * Pflog1_Hdr: CVS = 1.3, DLT_OLD_PFLOG = 17, Length = 28
753 * Pflog2_Hdr: CVS = 1.8, DLT_PFLOG = 117, Length = 48
754 * Pflog3_Hdr: CVS = 1.12, DLT_PFLOG = 117, Length = 64
755 *
756 * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
757 * by their actual length. The minimum required length excludes
758 * padding.
759 */
760 /* Old OpenBSD pf firewall pflog0 header
761 * (information from pf source in kernel)
762 * the rule, reason, and action codes tell why the firewall dropped it -fleck
763 */
764
/* DLT_OLD_PFLOG (17) header, 28 bytes with IFNAMSIZ == 16 (see the table
 * above).  The rule, reason and action codes record why pf logged the packet. */
typedef struct _Pflog1_hdr
{
    uint32_t af;            /* address family of the logged packet */
    char intf[IFNAMSIZ];    /* interface name; not guaranteed NUL-terminated by the capture */
    int16_t rule;           /* rule number */
    uint16_t reason;        /* reason code */
    uint16_t action;        /* action code */
    uint16_t dir;           /* direction */
} Pflog1Hdr;
774
775 #define PFLOG1_HDRLEN (sizeof(struct _Pflog1_hdr))
776
777 /*
778 * Note that on OpenBSD, af type is sa_family_t. On linux, that's an unsigned
779 * short, but on OpenBSD, that's a uint8_t, so we should explicitly use uint8_t
780 * here. - ronaldo
781 */
782
783 #define PFLOG_RULELEN 16
784 #define PFLOG_PADLEN 3
785
/* DLT_PFLOG (117) header, pf 1.8 layout: 48 bytes including the 3 pad bytes,
 * so PFLOG2_HDRMIN below is 45.  Distinguished from Pflog3Hdr by length, not
 * DLT (see the note above).
 * NOTE(review): length is declared int8_t here; OpenBSD's pfloghdr declares
 * it unsigned, so a value of 0x80 or more reads as negative -- confirm the
 * decoder's length comparison copes with that before trusting it. */
typedef struct _Pflog2_hdr
{
    int8_t length;              /* header length as written by pf */
    uint8_t af;                 /* address family (uint8_t on purpose, see note above) */
    uint8_t action;             /* action code */
    uint8_t reason;             /* reason code */
    char ifname[IFNAMSIZ];      /* interface name; not guaranteed NUL-terminated */
    char ruleset[PFLOG_RULELEN];/* ruleset (anchor) name; not guaranteed NUL-terminated */
    uint32_t rulenr;            /* rule number */
    uint32_t subrulenr;         /* sub-rule number */
    uint8_t dir;                /* direction */
    uint8_t pad[PFLOG_PADLEN];  /* padding, may be absent from the capture */
} Pflog2Hdr;
799
800 #define PFLOG2_HDRLEN (sizeof(struct _Pflog2_hdr))
801 #define PFLOG2_HDRMIN (PFLOG2_HDRLEN - PFLOG_PADLEN)
802
/* DLT_PFLOG (117) header, pf 1.12 layout: Pflog2Hdr plus four 32-bit id
 * fields, 64 bytes including the 3 pad bytes (PFLOG3_HDRMIN below is 61).
 * NOTE(review): as with Pflog2Hdr, length is signed here although OpenBSD
 * declares it unsigned -- confirm the decoder's length check. */
typedef struct _Pflog3_hdr
{
    int8_t length;              /* header length as written by pf */
    uint8_t af;                 /* address family */
    uint8_t action;             /* action code */
    uint8_t reason;             /* reason code */
    char ifname[IFNAMSIZ];      /* interface name; not guaranteed NUL-terminated */
    char ruleset[PFLOG_RULELEN];/* ruleset (anchor) name; not guaranteed NUL-terminated */
    uint32_t rulenr;            /* rule number */
    uint32_t subrulenr;         /* sub-rule number */
    uint32_t uid;               /* uid recorded by pf */
    uint32_t pid;               /* pid recorded by pf */
    uint32_t rule_uid;          /* uid of the matching rule's owner */
    uint32_t rule_pid;          /* pid of the matching rule's owner */
    uint8_t dir;                /* direction */
    uint8_t pad[PFLOG_PADLEN];  /* padding, may be absent from the capture */
} Pflog3Hdr;
820
821 #define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
822 #define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)
823
824 /*
825 * ssl_pkttype values.
826 */
827
828 #define LINUX_SLL_HOST 0
829 #define LINUX_SLL_BROADCAST 1
830 #define LINUX_SLL_MULTICAST 2
831 #define LINUX_SLL_OTHERHOST 3
832 #define LINUX_SLL_OUTGOING 4
833
834 /* ssl protocol values */
835
836 #define LINUX_SLL_P_802_3 0x0001 /* Novell 802.3 frames without 802.2 LLC header */
837 #define LINUX_SLL_P_802_2 0x0004 /* 802.2 frames (not D/I/X Ethernet) */
838 #endif // NO_NON_ETHER_DECODER
839
840
841 #ifdef _MSC_VER
842 /* Visual C++ pragma to disable warning messages
843 * about nonstandard bit field type
844 */
845 #pragma warning( disable : 4214 )
846 #endif
847
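/* 802.1Q tag control information accessors.  vth_pri_cfi_vlan is in network
 * byte order; after ntohs() the layout is priority (bits 15..13), CFI (bit 12)
 * and VLAN id (bits 11..0).  The CFI mask must be 0x1000 to match the >> 12:
 * masking 0x0100 selects a VLAN-id bit and then shifts it out, so the macro
 * could only ever return 0. */
#define VTH_PRIORITY(vh) ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
#define VTH_CFI(vh)      ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
#define VTH_VLAN(vh)     ((unsigned short)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))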
851
/* 802.1Q VLAN tag as it appears after the Ethernet source address: 4 bytes,
 * matching VLAN_HEADER_LEN.  The first word is unpacked with the VTH_*
 * macros above instead of bit-fields so the layout is endian-independent. */
typedef struct _VlanTagHdr
{
    uint16_t vth_pri_cfi_vlan;  /* priority / CFI / VLAN id, network byte order */
    uint16_t vth_proto;         /* protocol field... (ethertype of the encapsulated frame) */
} VlanTagHdr;
857 #ifdef _MSC_VER
858 /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
859 #pragma warning( default : 4214 )
860 #endif
861
862
/* First two bytes of an 802.2 LLC header on Ethernet (802.3 length frames);
 * compare the SAPs against ETH_DSAP_*/ETH_SSAP_* above. */
typedef struct _EthLlc
{
    uint8_t dsap;   /* destination service access point */
    uint8_t ssap;   /* source service access point */
} EthLlc;
868
/* Remainder of a SNAP LLC header following EthLlc: control byte, 3-byte
 * organisation code (ETH_ORG_CODE_*) and the encapsulated protocol id. */
typedef struct _EthLlcOther
{
    uint8_t ctrl;           /* control field */
    uint8_t org_code[3];    /* organisation code */
    uint16_t proto_id;      /* encapsulated protocol / ethertype; presumably network byte order */
} EthLlcOther;
875
876 /* We must twiddle to align the offset the ethernet header and align
877 * the IP header on solaris -- maybe this will work on HPUX too.
878 */
879 #if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
880 #define SPARC_TWIDDLE 2
881 #else
882 #define SPARC_TWIDDLE 0
883 #endif
884
885 /*
886 * Ethernet header
887 */
888
/* Ethernet II / 802.3 MAC header: 6+6+2 = 14 bytes, matching
 * ETHERNET_HEADER_LEN.  Overlaid directly on packet bytes by the decoder. */
typedef struct _EtherHdr
{
    uint8_t ether_dst[6];   /* destination MAC address */
    uint8_t ether_src[6];   /* source MAC address */
    uint16_t ether_type;    /* ethertype or 802.3 length, network byte order (ETHERNET_TYPE_*) */
} EtherHdr;
896
897
898 #ifndef NO_NON_ETHER_DECODER
899 /*
900 * Wireless Header (IEEE 802.11)
901 */
/*
 * Wireless Header (IEEE 802.11)
 * NOTE(review): sizeof is 30 bytes, but IEEE802_11_DATA_HDR_LEN above is 24
 * and MINIMAL_IEEE80211_HEADER_LEN is 10 -- addr4 (and on short frames
 * addr3/seq_control) is not present on the wire for every frame type, so the
 * decoder must bound-check against the captured length per frame type rather
 * than assume the full struct is readable.
 */
typedef struct _WifiHdr
{
    uint16_t frame_control;     /* frame control (WLAN_TYPE_* / WLAN_FLAG_*) */
    uint16_t duration_id;       /* duration / association id */
    uint8_t addr1[6];           /* address 1 */
    uint8_t addr2[6];           /* address 2 */
    uint8_t addr3[6];           /* address 3 */
    uint16_t seq_control;       /* sequence control */
    uint8_t addr4[6];           /* address 4; only present on some frames */
} WifiHdr;
912 #endif // NO_NON_ETHER_DECODER
913
914
915 /* Can't add any fields not in the real header here
916 because of how the decoder uses structure overlaying */
917 #ifdef _MSC_VER
918 /* Visual C++ pragma to disable warning messages
919 * about nonstandard bit field type
920 */
921 #pragma warning( disable : 4214 )
922 #endif
923
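/* tcpdump shows us the way to cross platform compatibility:
 * accessors for the IPv4 version/IHL byte.  The high nibble of ip_verhl is
 * the version, the low nibble the header length in 32-bit words.  The setters
 * preserve the other nibble; `value` is masked to four bits so out-of-range
 * input cannot spill into the neighbouring nibble, and every macro argument
 * is parenthesised so that SET_IP_VER(p, a + b) behaves as written. */
#define IP_VER(iph)  (((iph)->ip_verhl & 0xf0) >> 4)
#define IP_HLEN(iph) ((iph)->ip_verhl & 0x0f)

/* we need to change them as well as get them */
#define SET_IP_VER(iph, value)  ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_IP_HLEN(iph, value) ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0xf0) | ((value) & 0x0f)))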
931
932 #define NUM_IP_PROTOS 256
933
/* IPv4 header as it appears on the wire: 20 bytes (IP_HEADER_LEN) when
 * there are no options.  Overlaid directly on packet bytes, so nothing may
 * be added here (see the note above).  ip_verhl is unpacked with
 * IP_VER/IP_HLEN rather than bit-fields. */
typedef struct _IPHdr
{
    uint8_t ip_verhl;       /* version & header length */
    uint8_t ip_tos;         /* type of service */
    uint16_t ip_len;        /* datagram length, network byte order */
    uint16_t ip_id;         /* identification */
    uint16_t ip_off;        /* fragment offset (and flags) */
    uint8_t ip_ttl;         /* time to live field */
    uint8_t ip_proto;       /* datagram protocol */
    uint16_t ip_csum;       /* checksum */
    struct in_addr ip_src;  /* source IP */
    struct in_addr ip_dst;  /* dest IP */
} IPHdr;
947
/* Decoded IPv4 header with sfip_t addresses (from sf_ip.h) instead of
 * in_addr.  NOTE(review): because the address fields are a project type and
 * not 4-byte in_addr, this struct presumably cannot be overlaid on packet
 * bytes the way IPHdr is -- confirm how the decoder fills it. */
typedef struct _IPv4Hdr
{
    uint8_t ip_verhl;       /* version & header length */
    uint8_t ip_tos;         /* type of service */
    uint16_t ip_len;        /* datagram length */
    uint16_t ip_id;         /* identification */
    uint16_t ip_off;        /* fragment offset */
    uint8_t ip_ttl;         /* time to live field */
    uint8_t ip_proto;       /* datagram protocol */
    uint16_t ip_csum;       /* checksum */
    sfip_t ip_src;          /* source IP */
    sfip_t ip_dst;          /* dest IP */
} IP4Hdr;
961
/* IPv6 header as stored in Packet (ip6h / inner_ip6h / outer_ip6h).
 * Not a wire overlay (addresses are sfip_t); IP6RawHdr below is the
 * on-the-wire layout. */
typedef struct _IPv6Hdr
{
    uint32_t vcl;       /* version, class, and label */
    uint16_t len;       /* length of the payload */
    uint8_t next;       /* next header
                         * Uses the same flags as
                         * the IPv4 protocol field */
    uint8_t hop_lmt;    /* hop limit */
    sfip_t ip_src;
    sfip_t ip_dst;
} IP6Hdr;
973
/* IPv6 address */
/* Fallback definition for platforms whose <netinet/in.h> does not
 * provide in6_addr (detected via the s6_addr macro).  Layout mirrors the
 * glibc definition so IP6RawHdr stays a valid 40-byte overlay. */
#ifndef s6_addr
struct in6_addr
{
    union
    {
        uint8_t u6_addr8[16];
        uint16_t u6_addr16[8];
        uint32_t u6_addr32[4];
    } in6_u;
#define s6_addr in6_u.u6_addr8
#define s6_addr16 in6_u.u6_addr16
#define s6_addr32 in6_u.u6_addr32
};
#endif
989
/* IPv6 header, wire-format overlay (IP6_HDR_LEN = 40 bytes).
 * All multi-byte fields are in network byte order; ip6_un1_plen is
 * attacker-controlled and must be bounded by the captured length. */
typedef struct _IP6RawHdr
{
    union
    {
        struct _IP6HdrCtl
        {
            uint32_t ip6_un1_flow;  /* 4 bits version, 8 bits TC,
                                       20 bits flow-ID */
            uint16_t ip6_un1_plen;  /* payload length */
            uint8_t ip6_un1_nxt;    /* next header */
            uint8_t ip6_un1_hlim;   /* hop limit */
        } IP6HdrCtl;
        uint8_t ip6_un2_vfc;        /* 4 bits version, top 4 bits tclass */
    } IP6Ctl;

    struct in6_addr ip6_src;        /* source address */
    struct in6_addr ip6_dst;        /* destination address */
} IP6RawHdr;
1008
/* Short member names for IP6RawHdr (BSD-style): h.ip6plen etc.
 * ip6hops is an alias of ip6hlim. */
#define ip6vfc IP6Ctl.ip6_un2_vfc
#define ip6flow IP6Ctl.IP6HdrCtl.ip6_un1_flow
#define ip6plen IP6Ctl.IP6HdrCtl.ip6_un1_plen
#define ip6nxt IP6Ctl.IP6HdrCtl.ip6_un1_nxt
#define ip6hlim IP6Ctl.IP6HdrCtl.ip6_un1_hlim
#define ip6hops IP6Ctl.IP6HdrCtl.ip6_un1_hlim

/* Fixed IPv6 header size; extension headers follow and are chained
 * via the next-header byte. */
#define IP6_HDR_LEN 40
1017
/* IPv6 next-header / protocol numbers (IANA). HOPOPTS may already be
 * supplied by the system headers. */
#ifndef IP_PROTO_HOPOPTS
# define IP_PROTO_HOPOPTS 0
#endif

#define IP_PROTO_NONE 59
#define IP_PROTO_ROUTING 43
#define IP_PROTO_FRAGMENT 44
#define IP_PROTO_AH 51
#define IP_PROTO_DSTOPTS 60
#define IP_PROTO_ICMPV6 58
#define IP_PROTO_IPV6 41
#define IP_PROTO_IPIP 4

/* Fragment-header offset/flag word (IP6Frag.ip6f_offlg): the top 13
 * bits are the offset in 8-byte units, bit 0 is more-fragments. */
#define IP6F_OFFSET_MASK 0xfff8 /* mask out offset from _offlg */
#define IP6F_MF_MASK 0x0001 /* more-fragments flag */

/* Offset is returned in 8-byte units (>> 3), not bytes. */
#define IP6F_OFFSET(fh) ((ntohs((fh)->ip6f_offlg) & IP6F_OFFSET_MASK) >> 3)
/* NOTE(review): expansion is not wrapped in parentheses; use only as a
 * plain operand. */
#define IP6F_RES(fh) (fh)->ip6f_reserved
#define IP6F_MF(fh) (ntohs((fh)->ip6f_offlg) & IP6F_MF_MASK )
1037
/* to store references to IP6 Extension Headers */
/* One entry per extension header found while decoding; 'data' points
 * into the raw packet and is only valid for the packet's lifetime. */
typedef struct _IP6Option
{
    uint8_t type;           /* IP_PROTO_* value of the extension header */
    const uint8_t *data;    /* start of the header in the packet buffer */
} IP6Option;
1044
/* Generic Extension Header */
/* Wire overlay of the 8-byte minimum extension header.  ip6e_len is
 * the header length in 8-octet units *not including* the first 8
 * octets, so the real size is (ip6e_len + 1) * 8 and must be checked
 * against the remaining captured bytes. */
typedef struct _IP6Extension
{
    uint8_t ip6e_nxt;   /* next header */
    uint8_t ip6e_len;   /* length in 8-octet units, excluding first 8 */
    /* options follow */
    uint8_t ip6e_pad[6];
} IP6Extension;
1053
/* Hop-by-hop options header (IP_PROTO_HOPOPTS); same layout and
 * length convention as IP6Extension. */
typedef struct _IP6HopByHop
{
    uint8_t ip6hbh_nxt;
    uint8_t ip6hbh_len;
    /* options follow */
    uint8_t ip6hbh_pad[6];
} IP6HopByHop;
1061
/* Destination options header (IP_PROTO_DSTOPTS); same layout and
 * length convention as IP6Extension. */
typedef struct _IP6Dest
{
    uint8_t ip6dest_nxt;
    uint8_t ip6dest_len;
    /* options follow */
    uint8_t ip6dest_pad[6];
} IP6Dest;
1069
/* Routing header (IP_PROTO_ROUTING), common 4-byte prefix.
 * ip6rte_type selects the type-specific layout that follows
 * (IP6Route0 for type 0). */
typedef struct _IP6Route
{
    uint8_t ip6rte_nxt;
    uint8_t ip6rte_len;         /* 8-octet units, excluding first 8 */
    uint8_t ip6rte_type;
    uint8_t ip6rte_seg_left;    /* segments left */
    /* type specific data follows */
} IP6Route;
1078
/* Type 0 routing header.  ip6rte0_addr is a one-element placeholder:
 * the actual address count is derived from ip6rte0_len by the decoder
 * and must be bounded by the bytes actually captured, never by this
 * array's declared size. */
typedef struct _IP6Route0
{
    uint8_t ip6rte0_nxt;
    uint8_t ip6rte0_len;
    uint8_t ip6rte0_type;
    uint8_t ip6rte0_seg_left;
    uint8_t ip6rte0_reserved;
    uint8_t ip6rte0_bitmap[3];
    struct in6_addr ip6rte0_addr[1]; /* Up to 23 IP6 addresses */
} IP6Route0;
1089
/* Fragment header */
/* Wire overlay (8 bytes) for IP_PROTO_FRAGMENT.  Use IP6F_OFFSET() /
 * IP6F_MF() to read ip6f_offlg; they handle the byte-order swap. */
typedef struct _IP6Frag
{
    uint8_t ip6f_nxt;       /* next header */
    uint8_t ip6f_reserved;  /* reserved field */
    uint16_t ip6f_offlg;    /* offset, reserved, and flag */
    uint32_t ip6f_ident;    /* identification */
} IP6Frag;
1098
/* ICMPv6 header, wire overlay of the fixed 4-byte part only.
 * Type-specific fields follow in the packet and are not modeled here. */
typedef struct _ICMP6
{
    uint8_t type;       /* ICMP6_* */
    uint8_t code;
    uint16_t csum;      /* network byte order */

} ICMP6Hdr;
1106
/* ICMPv6 message types (RFC 4443). */
#define ICMP6_UNREACH 1
#define ICMP6_BIG 2
#define ICMP6_TIME 3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO 128
#define ICMP6_REPLY 129

/* ICMP6Hdr carries no trailing body field, so the minimum header is
 * simply sizeof(ICMP6Hdr) (4 bytes on the usual ABIs); the old
 * "minus 1" comment no longer applied to this expression. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
1116
struct _Packet;

/* IPHeader access calls */
/* Field accessors used through the IPH_API table below.  ip4_* read
 * the IPv4 header, ip6_* the IPv6 header; the orig_* variants read the
 * header embedded in an ICMP error (Packet.orig_*).
 * NOTE(review): byte order of the returned values is not visible from
 * this header — confirm in decode.c before comparing against host
 * constants. */
sfip_t * ip4_ret_src(struct _Packet *);
sfip_t * ip4_ret_dst(struct _Packet *);
uint16_t ip4_ret_tos(struct _Packet *);
uint8_t ip4_ret_ttl(struct _Packet *);
uint16_t ip4_ret_len(struct _Packet *);
uint32_t ip4_ret_id(struct _Packet *);
uint8_t ip4_ret_proto(struct _Packet *);
uint16_t ip4_ret_off(struct _Packet *);
uint8_t ip4_ret_ver(struct _Packet *);
uint8_t ip4_ret_hlen(struct _Packet *);

sfip_t * orig_ip4_ret_src(struct _Packet *);
sfip_t * orig_ip4_ret_dst(struct _Packet *);
uint16_t orig_ip4_ret_tos(struct _Packet *);
uint8_t orig_ip4_ret_ttl(struct _Packet *);
uint16_t orig_ip4_ret_len(struct _Packet *);
uint32_t orig_ip4_ret_id(struct _Packet *);
uint8_t orig_ip4_ret_proto(struct _Packet *);
uint16_t orig_ip4_ret_off(struct _Packet *);
uint8_t orig_ip4_ret_ver(struct _Packet *);
uint8_t orig_ip4_ret_hlen(struct _Packet *);

/* For IPv6 the "tos" slot is the traffic class, "ttl" the hop limit,
 * and "proto" the next-header value (same numbering as IPv4 proto). */
sfip_t * ip6_ret_src(struct _Packet *);
sfip_t * ip6_ret_dst(struct _Packet *);
uint16_t ip6_ret_toc(struct _Packet *);
uint8_t ip6_ret_hops(struct _Packet *);
uint16_t ip6_ret_len(struct _Packet *);
uint32_t ip6_ret_id(struct _Packet *);
uint8_t ip6_ret_next(struct _Packet *);
uint16_t ip6_ret_off(struct _Packet *);
uint8_t ip6_ret_ver(struct _Packet *);
uint8_t ip6_ret_hlen(struct _Packet *);

sfip_t * orig_ip6_ret_src(struct _Packet *);
sfip_t * orig_ip6_ret_dst(struct _Packet *);
uint16_t orig_ip6_ret_toc(struct _Packet *);
uint8_t orig_ip6_ret_hops(struct _Packet *);
uint16_t orig_ip6_ret_len(struct _Packet *);
uint32_t orig_ip6_ret_id(struct _Packet *);
uint8_t orig_ip6_ret_next(struct _Packet *);
uint16_t orig_ip6_ret_off(struct _Packet *);
uint8_t orig_ip6_ret_ver(struct _Packet *);
uint8_t orig_ip6_ret_hlen(struct _Packet *);
1163
/* Family-independent IP header accessor table.  Packet.iph_api points
 * at the ip4 or ip6 instance (see set_callbacks) so callers can read
 * header fields without testing the family themselves. */
typedef struct _IPH_API
{
    sfip_t * (*iph_ret_src)(struct _Packet *);
    sfip_t * (*iph_ret_dst)(struct _Packet *);
    uint16_t (*iph_ret_tos)(struct _Packet *);
    uint8_t (*iph_ret_ttl)(struct _Packet *);
    uint16_t (*iph_ret_len)(struct _Packet *);
    uint32_t (*iph_ret_id)(struct _Packet *);
    uint8_t (*iph_ret_proto)(struct _Packet *);
    uint16_t (*iph_ret_off)(struct _Packet *);
    uint8_t (*iph_ret_ver)(struct _Packet *);
    uint8_t (*iph_ret_hlen)(struct _Packet *);

    /* Same accessors for the header embedded in an ICMP error. */
    sfip_t * (*orig_iph_ret_src)(struct _Packet *);
    sfip_t * (*orig_iph_ret_dst)(struct _Packet *);
    uint16_t (*orig_iph_ret_tos)(struct _Packet *);
    uint8_t (*orig_iph_ret_ttl)(struct _Packet *);
    uint16_t (*orig_iph_ret_len)(struct _Packet *);
    uint32_t (*orig_iph_ret_id)(struct _Packet *);
    uint8_t (*orig_iph_ret_proto)(struct _Packet *);
    uint16_t (*orig_iph_ret_off)(struct _Packet *);
    uint8_t (*orig_iph_ret_ver)(struct _Packet *);
    uint8_t (*orig_iph_ret_hlen)(struct _Packet *);
    char ver;   /* presumably IPH_API_V4 or IPH_API_V6 — set in decode.c */
} IPH_API;
1189
#ifdef SUP_IP6
/* The two accessor tables; defined in decode.c. */
extern IPH_API ip4;
extern IPH_API ip6;

#define IPH_API_V4 4
#define IPH_API_V6 6

/* True once a decoder has set p->family (AF_INET/AF_INET6); before
 * that the header pointers and iph_api must not be dereferenced.
 * NOTE(review): 'p' is not parenthesized — pass a plain lvalue. */
#define iph_is_valid(p) (p->family != NO_IP)
#define NO_IP 0
#endif
1200
#ifdef _MSC_VER
/* Visual C++ pragma to enable warning messages about nonstandard bit field type */
#pragma warning( default : 4214 )
#endif


/* Can't add any fields not in the real header here
   because of how the decoder uses structure overlaying */
#ifdef _MSC_VER
/* Visual C++ pragma to disable warning
 * messages about nonstandard bit field type
 */
#pragma warning( disable : 4214 )
#endif

/* IP-in-IP encapsulation (same value as IP_PROTO_IPIP above). */
#ifndef IPPROTO_IPIP
#define IPPROTO_IPIP 4
#endif
1219
/* GRE related stuff */
/* GRE base header, wire overlay (GRE_HEADER_LEN = 4 bytes).  Optional
 * checksum/key/sequence fields follow when the corresponding flag bit
 * is set; their presence changes where the payload starts. */
typedef struct _GREHdr
{
    uint8_t flags;          /* C, R, K, S, s bits + recursion control */
    uint8_t version;        /* flags (high bits) + 3-bit version */
    uint16_t ether_type;    /* encapsulated protocol, network byte order */

} GREHdr;
1228
#ifdef GRE

#ifndef IPPROTO_GRE
#define IPPROTO_GRE 47
#endif

/* Encapsulated protocol types handled specially by the decoder. */
#define GRE_TYPE_TRANS_BRIDGING 0x6558
#define GRE_TYPE_PPP 0x880B

/* Sizes of the base header and of each optional field; the decoder
 * adds the optional lengths according to the flag bits and must check
 * the total against the remaining captured bytes. */
#define GRE_HEADER_LEN 4
#define GRE_CHKSUM_LEN 2
#define GRE_OFFSET_LEN 2
#define GRE_KEY_LEN 4
#define GRE_SEQ_LEN 4
#define GRE_SRE_HEADER_LEN 4

/* Flag-bit accessors for a GREHdr*.
 * NOTE(review): the argument is not parenthesized (x->flags), so pass a
 * plain pointer expression, not e.g. a cast or addition. */
#define GRE_CHKSUM(x) (x->flags & 0x80)
#define GRE_ROUTE(x) (x->flags & 0x40)
#define GRE_KEY(x) (x->flags & 0x20)
#define GRE_SEQ(x) (x->flags & 0x10)
#define GRE_SSR(x) (x->flags & 0x08)
#define GRE_RECUR(x) (x->flags & 0x07)
#define GRE_VERSION(x) (x->version & 0x07)
#define GRE_FLAGS(x) (x->version & 0xF8)
#define GRE_PROTO(x) ntohs(x->ether_type)

/* GRE version 1 used with PPTP */
#define GRE_V1_HEADER_LEN 8
#define GRE_V1_ACK_LEN 4
#define GRE_V1_FLAGS(x) (x->version & 0x78)
#define GRE_V1_ACK(x) (x->version & 0x80)

#endif /* GRE */
1262
1263
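/* more macros for TCP offset */
/* th_offx2 packs the data offset in 32-bit words (high nibble) and the
 * reserved bits (low nibble).  The offset comes from the wire: the
 * decoder must check TCP_OFFSET() >= 5 and that the option bytes are
 * within the captured length before reading options. */
#define TCP_OFFSET(tcph) (((tcph)->th_offx2 & 0xf0) >> 4)
#define TCP_X2(tcph) ((tcph)->th_offx2 & 0x0f)

/* True when every bit in 'flags' is set in th_flags. */
#define TCP_ISFLAGSET(tcph, flags) (((tcph)->th_flags & (flags)) == (flags))

/* we need to change them as well as get them */
/* 'value' is parenthesized so an expression argument (e.g. a | b) is
 * shifted/masked as a whole instead of being split by operator
 * precedence.  Only the low nibble of 'value' survives the cast. */
#define SET_TCP_OFFSET(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0x0f) | ((value) << 4)))
#define SET_TCP_X2(tcph, value) ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0xf0) | ((value) & 0x0f)))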
1273
/* TCP header, wire overlay (20 bytes without options).  Ports, seq,
 * ack, window, checksum and urgent pointer are in network byte order. */
typedef struct _TCPHdr
{
    uint16_t th_sport;  /* source port */
    uint16_t th_dport;  /* destination port */
    uint32_t th_seq;    /* sequence number */
    uint32_t th_ack;    /* acknowledgement number */
    uint8_t th_offx2;   /* offset and reserved */
    uint8_t th_flags;   /* TH_* flag bits; see TCP_ISFLAGSET */
    uint16_t th_win;    /* window */
    uint16_t th_sum;    /* checksum */
    uint16_t th_urp;    /* urgent pointer */

} TCPHdr;
#ifdef _MSC_VER
/* Visual C++ pragma to enable warning messages
 * about nonstandard bit field type
 */
#pragma warning( default : 4214 )
#endif
1293
1294
/* UDP header, wire overlay (8 bytes), all fields network byte order.
 * uh_len is attacker-controlled and must be checked against the
 * captured length before it is used to size the payload. */
typedef struct _UDPHdr
{
    uint16_t uh_sport;
    uint16_t uh_dport;
    uint16_t uh_len;    /* header + payload length */
    uint16_t uh_chk;    /* checksum (0 = none for IPv4) */

} UDPHdr;
1303
1304
/* ICMPv4 header, wire overlay.  Only the first 4 bytes (type, code,
 * csum) are present in every message; which member of icmp_hun /
 * icmp_dun is meaningful depends on 'type', and the decoder must
 * confirm enough bytes were captured before reading either union. */
typedef struct _ICMPHdr
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    union
    {
        uint8_t pptr;               /* parameter problem: bad-byte pointer */

        struct in_addr gwaddr;      /* redirect: gateway address */

        struct idseq                /* echo/timestamp/info/mask: id + seq */
        {
            uint16_t id;
            uint16_t seq;
        } idseq;

        int sih_void;

        struct pmtu                 /* unreach/needfrag: next-hop MTU */
        {
            uint16_t ipm_void;
            uint16_t nextmtu;
        } pmtu;

        struct rtradv               /* router advertisement */
        {
            uint8_t num_addrs;
            uint8_t wpa;
            uint16_t lifetime;
        } rtradv;
    } icmp_hun;

#define s_icmp_pptr icmp_hun.pptr
#define s_icmp_gwaddr icmp_hun.gwaddr
#define s_icmp_id icmp_hun.idseq.id
#define s_icmp_seq icmp_hun.idseq.seq
#define s_icmp_void icmp_hun.sih_void
#define s_icmp_pmvoid icmp_hun.pmtu.ipm_void
#define s_icmp_nextmtu icmp_hun.pmtu.nextmtu
#define s_icmp_num_addrs icmp_hun.rtradv.num_addrs
#define s_icmp_wpa icmp_hun.rtradv.wpa
#define s_icmp_lifetime icmp_hun.rtradv.lifetime

    union
    {
        /* timestamp */
        struct ts
        {
            uint32_t otime;
            uint32_t rtime;
            uint32_t ttime;
        } ts;

        /* IP header for unreach */
        /* NOTE(review): a host pointer inside a wire-overlay struct
         * cannot map onto packet bytes; the decoder reaches the
         * embedded header via Packet.orig_iph instead — confirm that
         * this member is unused. */
        struct ih_ip
        {
            IPHdr *ip;
            /* options and then 64 bits of data */
        } ip;

        struct ra_addr              /* router advertisement entry */
        {
            uint32_t addr;
            uint32_t preference;
        } radv;

        uint32_t mask;              /* address mask reply */

        /* one-byte placeholder; the real payload length comes from the
         * IP length, not from this array */
        char data[1];

    } icmp_dun;
#define s_icmp_otime icmp_dun.ts.otime
#define s_icmp_rtime icmp_dun.ts.rtime
#define s_icmp_ttime icmp_dun.ts.ttime
/* NOTE(review): the member is named 'ip' (tag ih_ip), so this macro
 * does not expand to a valid member — it would fail to compile if used. */
#define s_icmp_ip icmp_dun.ih_ip
#define s_icmp_radv icmp_dun.radv
#define s_icmp_mask icmp_dun.mask
#define s_icmp_data icmp_dun.data

} ICMPHdr;
1386
1387
/* ARP fixed header, wire overlay (8 bytes), network byte order.
 * ar_hln / ar_pln are taken from the wire; EtherARP assumes 6/4. */
typedef struct _ARPHdr
{
    uint16_t ar_hrd;    /* format of hardware address */
    uint16_t ar_pro;    /* format of protocol address */
    uint8_t ar_hln;     /* length of hardware address */
    uint8_t ar_pln;     /* length of protocol address */
    uint16_t ar_op;     /* ARP opcode (command) */
} ARPHdr;
1396
1397
1398
/* Ethernet/IPv4 ARP packet, wire overlay (28 bytes).  Valid only when
 * ea_hdr.ar_hln == 6 and ea_hdr.ar_pln == 4; the decoder should check
 * those and the captured length before reading the address fields. */
typedef struct _EtherARP
{
    ARPHdr ea_hdr;          /* fixed-size header */
    uint8_t arp_sha[6];     /* sender hardware address */
    uint8_t arp_spa[4];     /* sender protocol address */
    uint8_t arp_tha[6];     /* target hardware address */
    uint8_t arp_tpa[4];     /* target protocol address */
} EtherARP;
1407
1408
#ifndef NO_NON_ETHER_DECODER
/* 802.1X EAPOL framing, wire overlay (4 bytes); len is network byte
 * order and bounds the body that follows. */
typedef struct _EtherEapol
{
    uint8_t version;    /* EAPOL proto version */
    uint8_t eaptype;    /* EAPOL Packet type */
    uint16_t len;       /* Packet body length */
} EtherEapol;

/* EAP packet header, wire overlay (4 bytes). */
typedef struct _EAPHdr
{
    uint8_t code;       /* request/response/success/failure */
    uint8_t id;
    uint16_t len;       /* network byte order */
} EAPHdr;

/* EAPOL-Key descriptor, wire overlay (44 bytes).  'length' is a
 * 2-byte big-endian count held as bytes because the field is not
 * naturally aligned. */
typedef struct _EapolKey
{
    uint8_t type;
    uint8_t length[2];
    uint8_t counter[8];
    uint8_t iv[16];
    uint8_t index;
    uint8_t sig[16];
} EapolKey;
#endif // NO_NON_ETHER_DECODER
1434
/* One decoded IP or TCP option (Packet.ip_options / tcp_options).
 * 'data' points into the packet buffer; 'len' is the option's data
 * length as written by the decoder, which must already have bounded
 * it against the option area. */
typedef struct _Options
{
    uint8_t code;
    uint8_t len;            /* length of the data section */
    const uint8_t *data;
} Options;
1441
/* PPPoEHdr Header; EtherHdr plus the PPPoE Header */
/* Wire overlay (14 + 6 bytes); session and length are network byte
 * order and 'length' must be checked against the captured bytes. */
typedef struct _PPPoEHdr
{
    EtherHdr ethhdr;            /* ethernet header */
    unsigned char ver_type;     /* pppoe version/type */
    unsigned char code;         /* pppoe code CODE_* */
    unsigned short session;     /* session id */
    unsigned short length;      /* payload length */
    /* payload follows */
} PPPoEHdr;

/* PPPoE tag; the payload is a sequence of these */
/* Wire overlay (4 bytes); each tag's 'length' is attacker-controlled
 * and must be bounded by the remaining PPPoE payload when walking the
 * tag list. */
typedef struct _PPPoE_Tag
{
    unsigned short type;        /* tag type TAG_* */
    unsigned short length;      /* tag length */
    /* payload follows */
} PPPoE_Tag;
1460
/* Largest packet the decoder will handle (max IP datagram size). */
#define DECODE_BLEN 65535

/* Max Number of HTTP/1.1 requests in a single segment */
#define URI_COUNT 5

/* HttpUri.decode_flags bit */
#define HTTPURI_PIPELINE_REQ 0x01

/* Indices into the HTTP inspection buffers. */
#define HTTP_BUFFER_URI 0
#define HTTP_BUFFER_HEADER 1
#define HTTP_BUFFER_CLIENT_BODY 2
#define HTTP_BUFFER_METHOD 3
#define HTTP_BUFFER_COOKIE 4

/* One MPLS label stack entry is 4 bytes; labels 0-15 are reserved. */
#define MPLS_HEADER_LEN 4
#define NUM_RESERVED_LABELS 16
1476
/* One normalized HTTP URI reference (up to URI_COUNT per packet). */
typedef struct _HttpUri
{
    const uint8_t *uri;     /* static buffer for uri length */
    uint16_t length;        /* bytes at 'uri' */
    uint32_t decode_flags;  /* HTTPURI_* */
} HttpUri;
1483
/* NOTE(review): this declares an unrelated incomplete tag 'struct
 * IPH_API'; the accessor table above is 'struct _IPH_API' / typedef
 * IPH_API.  Looks vestigial — confirm nothing references the tag. */
struct IPH_API;
1485
/* Decoded MPLS label stack entry (not a wire overlay; the 32-bit entry
 * is unpacked into these fields by the decoder). */
typedef struct _MplsHdr
{
    uint32_t label;     /* 20-bit label */
    uint8_t exp;        /* 3 experimental / TC bits */
    uint8_t bos;        /* bottom-of-stack bit */
    uint8_t ttl;
} MplsHdr;
1493
/* Per-packet decode state shared by the decoders, preprocessors and
 * detection engine.  The header pointers are set by the decoders and,
 * unless noted, point into the buffer at 'pkt'; they are valid only for
 * the lifetime of that capture buffer.  Everything up to PKT_ZERO_LEN
 * is zeroed before decoding; the option/extension arrays after it are
 * not, so only the first *_count entries are meaningful. */
typedef struct _Packet
{
    const struct pcap_pkthdr *pkth;     /* BPF data */
    const uint8_t *pkt;                 /* base pointer to the raw packet data */

    EtherARP *ah;
    const EtherHdr *eh;                 /* standard TCP/IP/Ethernet/ARP headers */
    const VlanTagHdr *vh;
    EthLlc *ehllc;
    EthLlcOther *ehllcother;
    const GREHdr *greh;
    uint32_t *mpls;

    const IPHdr *iph, *orig_iph;        /* and orig. headers for ICMP_*_UNREACH family */
    const IPHdr *inner_iph;             /* if IP-in-IP, this will be the inner IP header */
    const IPHdr *outer_iph;             /* if IP-in-IP, this will be the outer IP header */
    const TCPHdr *tcph, *orig_tcph;
    const UDPHdr *udph, *orig_udph;
    const ICMPHdr *icmph, *orig_icmph;

    const uint8_t *data;                /* packet payload pointer */
    const uint8_t *ip_data;             /* IP payload pointer */
    const uint8_t *outer_ip_data;       /* Outer IP payload pointer */
    const uint8_t *ip_frag_start;
    const uint8_t *ip_options_data;
    const uint8_t *tcp_options_data;

    void *ssnptr;                       /* for tcp session tracking info... */
    void *fragtracker;                  /* for ip fragmentation tracking info... */
    void *flow;                         /* for flow info */
    void *streamptr;                    /* for tcp pkt dump */

    /* Family-neutral copies filled by the decoder (not overlays). */
    IP4Hdr *ip4h, *orig_ip4h;           /* SUP_IP6 members */
    IP6Hdr *ip6h, *orig_ip6h;
    ICMP6Hdr *icmp6h, *orig_icmp6h;

    /* Accessor tables selected by family; see set_callbacks(). */
    IPH_API* iph_api;
    IPH_API* orig_iph_api;
    IPH_API* outer_iph_api;
    IPH_API* outer_orig_iph_api;

    IP4Hdr inner_ip4h, inner_orig_ip4h;
    IP6Hdr inner_ip6h, inner_orig_ip6h;
    IP4Hdr outer_ip4h, outer_orig_ip4h;
    IP6Hdr outer_ip6h, outer_orig_ip6h;

    MplsHdr mplsHdr;

    int family;                         /* AF_INET / AF_INET6, or NO_IP */
    int orig_family;
    int outer_family;
    int bytes_to_inspect;               /* Number of bytes to check against rules */
                                        /* this is not set - always 0 (inspect all) */

    uint32_t preprocessor_bits;         /* flags for preprocessors to check */
    uint32_t preproc_reassembly_pkt_bits;

    /* int ip_payload_len; */           /* Replacement for IP_LEN(p->iph->ip_len) << 2 */
    /* int ip_payload_off; */           /* IP_LEN(p->iph->ip_len) << 2 + p->data */

    uint32_t caplen;                    /* bytes actually captured at 'pkt' */
    uint32_t http_pipeline_count;       /* Counter for HTTP pipelined requests */
    uint32_t packet_flags;              /* special flags for the packet */
    uint32_t proto_bits;                /* PROTO_BIT__* */

    /* Lengths below are derived from caplen and header fields; dsize is
     * what the detection engine inspects at 'data'. */
    uint16_t dsize;                     /* packet payload size */
    uint16_t ip_dsize;                  /* IP payload size */
    uint16_t alt_dsize;                 /* the dsize of a packet before munging (used for log)*/
    uint16_t actual_ip_len;             /* for logging truncated pkts (usually by small snaplen)*/
    uint16_t outer_ip_dsize;            /* Outer IP payload size */

    uint16_t frag_offset;               /* fragment offset number */
    uint16_t ip_frag_len;
    uint16_t ip_options_len;
    uint16_t tcp_options_len;

    uint16_t sp;                        /* source port (TCP/UDP) */
    uint16_t dp;                        /* dest port (TCP/UDP) */
    uint16_t orig_sp;                   /* source port (TCP/UDP) of original datagram */
    uint16_t orig_dp;                   /* dest port (TCP/UDP) of original datagram */

    int16_t application_protocol_ordinal;

    uint8_t frag_flag;                  /* flag to indicate a fragmented packet */
    uint8_t mf;                         /* more fragments flag */
    uint8_t df;                         /* don't fragment flag */
    uint8_t rf;                         /* IP reserved bit */

    uint8_t uri_count;                  /* number of URIs in this packet */
    uint8_t csum_flags;                 /* checksum flags */
    uint8_t encapsulated;

    /* Valid entry counts for the arrays after PKT_ZERO_LEN. */
    uint8_t ip_option_count;            /* number of options in this packet */
    uint8_t tcp_option_count;
    uint8_t ip6_extension_count;
    uint8_t ip6_frag_index;

    uint8_t ip_lastopt_bad;             /* flag to indicate that option decoding was
                                           halted due to a bad option */
    uint8_t tcp_lastopt_bad;            /* flag to indicate that option decoding was
                                           halted due to a bad option */

#ifndef NO_NON_ETHER_DECODER
    const Fddi_hdr *fddihdr;            /* FDDI support headers */
    Fddi_llc_saps *fddisaps;
    Fddi_llc_sna *fddisna;
    Fddi_llc_iparp *fddiiparp;
    Fddi_llc_other *fddiother;

    const Trh_hdr *trh;                 /* Token Ring support headers */
    Trh_llc *trhllc;
    Trh_mr *trhmr;

    Pflog1Hdr *pf1h;                    /* OpenBSD pflog interface header - version 1 */
    Pflog2Hdr *pf2h;                    /* OpenBSD pflog interface header - version 2 */
    Pflog3Hdr *pf3h;                    /* OpenBSD pflog interface header - version 3 */

    const SLLHdr *sllh;                 /* Linux cooked sockets header */
    const WifiHdr *wifih;               /* wireless LAN header */
    const PPPoEHdr *pppoeh;             /* Encapsulated PPP of Ether header */

    const EtherEapol *eplh;             /* 802.1x EAPOL header */
    const EAPHdr *eaph;
    const uint8_t *eaptype;
    EapolKey *eapolk;
#endif

    // nothing after this point is zeroed ...
    Options ip_options[IP_OPTMAX];          /* ip options decode structure */
    Options tcp_options[TCP_OPTLENMAX];     /* tcp options decode struct */
    IP6Option ip6_extensions[IP6_EXTMAX];   /* IPv6 Extension References */

    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;

    int linktype;                       /* packet specific linktype */
} Packet;
1633
/* Number of leading bytes of Packet that are zeroed per packet: every
 * field before ip_options (the arrays after it are left stale). */
#define PKT_ZERO_LEN offsetof(Packet, ip_options)

/* Packet.proto_bits values. */
#define PROTO_BIT__NONE 0x00000000
#define PROTO_BIT__IP 0x00000001
#define PROTO_BIT__ARP 0x00000002
#define PROTO_BIT__TCP 0x00000004
#define PROTO_BIT__UDP 0x00000008
#define PROTO_BIT__ICMP 0x00000010
#define PROTO_BIT__ALL 0xffffffff

/* Protocol tests on a Packet*.  IPH_IS_VALID / GET_IPH_PROTO are
 * defined elsewhere in the project; each test first requires a valid
 * IP header so the protocol field is never read from an undecoded
 * packet. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_TCP))
#define IsUDP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_UDP))
#define IsICMP(p) (IsIP(p) && (GET_IPH_PROTO(p) == IPPROTO_ICMP))
#define IP_HAS_PORTS(p) (IsIP(p) && ((GET_IPH_PROTO(p) == IPPROTO_TCP) || (GET_IPH_PROTO(p) == IPPROTO_UDP)))
1649
#ifdef SUP_IP6
/* Sets the callbacks to point at the family selected by
 * * "family". "family" is either AF_INET or AF_INET6 */
/* 'orig' argument of set_callbacks(): which accessor slot to set. */
#define CALLBACK_IP 0           /* p->iph_api / p->family */
#define CALLBACK_ICMP_ORIG 1    /* p->orig_iph_api / p->orig_family */
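/* Select the IP-header accessor table (ip4 or ip6) for a packet.
 *
 * p       packet to update; NULL is logged and ignored.
 * family  AF_INET selects &ip4; any other value selects &ip6 (callers
 *         are expected to pass AF_INET6 — no other family is rejected
 *         here, so the caller is responsible for passing a decoded one).
 * orig    CALLBACK_IP sets p->iph_api and p->family;
 *         CALLBACK_ICMP_ORIG sets p->orig_iph_api and p->orig_family
 *         (the header embedded in an ICMP error).  Any other value is
 *         logged and nothing is changed.
 */
static INLINE void set_callbacks(struct _Packet *p, int family, char orig)
{
    IPH_API *api;

    if (p == NULL)
    {
        ErrorMessage("%s(%d) Can't set iph api callback: Packet is NULL.\n",
                     __FILE__, __LINE__);
        return;
    }

    api = (family == AF_INET) ? &ip4 : &ip6;

    switch (orig)
    {
        case CALLBACK_IP:
            p->iph_api = api;
            p->family = family;
            break;

        case CALLBACK_ICMP_ORIG:
            p->orig_iph_api = api;
            p->orig_family = family;
            break;

        default:
            /* 'orig' is a small integer selector, not a character: print
             * it with %d so an unexpected value does not emit a raw
             * control byte into the log. */
            ErrorMessage("%s(%d) Can't set iph api callback: Invalid callback "
                         "type: %d.\n", __FILE__, __LINE__, orig);
            return;
    }
}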
1690 #endif
1691
1692
/* IPv4 pseudo-header used when computing TCP/UDP checksums; sip/dip
 * and len are expected in network byte order to match the packet. */
typedef struct s_pseudoheader
{
    uint32_t sip, dip;      /* source / destination IPv4 address */
    uint8_t zero;           /* always 0 */
    uint8_t protocol;       /* IPPROTO_TCP or IPPROTO_UDP */
    uint16_t len;           /* transport header + payload length */

} PSEUDO_HDR;
1701
/* Default classification for decoder alerts */
/* Classification id assigned to alerts raised by the decoder itself. */
#define DECODE_CLASS 25
1704
/* Decoder alert/drop policy from the configuration.  Each "drop_*"
 * flag only has effect when its matching alert flag is also enabled
 * (an alert is needed before the packet can be dropped for it). */
typedef struct _DecoderFlags
{
    char decode_alerts;             /* if decode.c alerts are going to be enabled */
    char oversized_alert;           /* alert if garbage after tcp/udp payload */
    char oversized_drop;            /* drop if garbage after tcp/udp payload */
    char drop_alerts;               /* drop alerts from decoder */
    char tcpopt_experiment;         /* TcpOptions Decoder */
    char drop_tcpopt_experiment;    /* Drop alerts from TcpOptions Decoder */
    char tcpopt_obsolete;           /* Alert on obsolete TCP options */
    char drop_tcpopt_obsolete;      /* Drop on alerts from obsolete TCP options */
    char tcpopt_ttcp;               /* Alert on T/TCP options */
    char drop_tcpopt_ttcp;          /* Drop on alerts from T/TCP options */
    char tcpopt_decode;             /* alert on decoder inconsistencies */
    char drop_tcpopt_decode;        /* Drop on alerts from decoder inconsistencies */
    char ipopt_decode;              /* alert on decoder inconsistencies */
    char drop_ipopt_decode;         /* Drop on alerts from decoder inconsistencies */

    /* To be moved to the frag preprocessor once it supports IPv6 */
    char ipv6_bad_frag_pkt;         /* alert on malformed IPv6 fragments */
    char bsd_icmp_frag;             /* alert on BSD-style ICMP fragment pattern */
    char drop_bad_ipv6_frag;        /* drop malformed IPv6 fragments */

} DecoderFlags;
1728
/* Size of the fixed buffer used to format decoder alert messages. */
#define ALERTMSG_LENGTH 256
1730
1731
/* P R O T O T Y P E S ******************************************************/
/* Link-layer decoders take (Packet *, pcap header, raw bytes) and are
 * selected by linktype; protocol decoders take (bytes, remaining length,
 * Packet *) and are chained from their parent.  The length argument is
 * the number of captured bytes still available at 'bytes' — every
 * decoder must bound its header reads by it, since all other lengths
 * come from the packet itself. */
int DecodePacket(int, Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeARP(const uint8_t *, uint32_t, Packet *);
void DecodeEthPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *);
void DecodeVlan(const uint8_t *, const uint32_t, Packet *);
void DecodePppPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodePppPktEncapsulated(Packet *, const uint32_t, const uint8_t *);
void DecodeNullPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeRawPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeIP(const uint8_t *, const uint32_t, Packet *);
void DecodeIPV6(const uint8_t *, uint32_t, Packet *);
void DecodeTCP(const uint8_t *, const uint32_t, Packet *);
void DecodeUDP(const uint8_t *, const uint32_t, Packet *);
void DecodeICMP(const uint8_t *, const uint32_t, Packet *);
void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *);
void DecodeIPOptions(const uint8_t *, uint32_t, Packet *);
void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *);
/* NOTE(review): duplicate of the DecodeIPOptions prototype two lines
 * above; harmless but can be removed. */
void DecodeIPOptions(const uint8_t *, uint32_t, Packet *);
void DecodePPPoEPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
#ifdef GRE
void DecodeGRE(const uint8_t *, const uint32_t, Packet *);
void DecodeTransBridging(const uint8_t *, const uint32_t, Packet *);
void DecoderAlertGRE(Packet *, int, const char *, const uint8_t *, uint32_t);
#endif /* GRE */
#ifdef GIDS
#ifndef IPFW
void DecodeIptablesPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
#else
void DecodeIpfwPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
#endif /* IPFW */
#endif /* GIDS */

#ifndef NO_NON_ETHER_DECODER
void DecodeTRPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeFDDIPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeLinuxSLLPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeIEEE80211Pkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeSlipPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeI4LRawIPPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeI4LCiscoIPPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeChdlcPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodePflog(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeOldPflog(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodePppSerialPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeEncPkt(Packet *, const struct pcap_pkthdr *, const uint8_t *);
void DecodeEAP(const uint8_t *, const uint32_t, Packet *);
void DecodeEapol(const uint8_t *, uint32_t, Packet *);
void DecodeEapolKey(const uint8_t *, uint32_t, Packet *);
void DecodeIPX(const uint8_t *, uint32_t, Packet *);
#endif // NO_NON_ETHER_DECODER

/* Hash used by the BSD ICMP fragment check (DecoderFlags.bsd_icmp_frag);
 * 'max' bounds its size. */
void BsdFragHashInit(int max);
void BsdFragHashCleanup(void);
void BsdFragHashReset(void);

/* Unaligned 32-bit load for strict-alignment targets without GCC. */
#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
uint32_t EXTRACT_32BITS (u_char *);
#endif /* WORDS_MUSTALIGN && !__GNUC__ */
1791
/* XXX not sure where this guy needs to live at the moment */
/* Fixed-capacity port list; writers must stop at 32 entries since
 * num_entries is the only bound. */
typedef struct _PortList
{
    int ports[32];      /* 32 is kind of arbitrary */

    int num_entries;    /* valid entries in ports[] */

} PortList;
1800
#ifdef MPLS
/* isPrivateIP: 'addr' is an IPv4 address — NOTE(review): byte order
 * expected by this helper is not visible here; confirm in decode.c. */
int isPrivateIP(uint32_t addr);
void DecodeEthOverMPLS(Packet * p, const struct pcap_pkthdr * pkthdr, const uint8_t * pkt);
void DecodeMPLS(const uint8_t * pkt, struct pcap_pkthdr * pkthdr, Packet * p);
#endif

/* Lifetime of the table backing the SYN-to-multicast-destination
 * decoder alert. */
void InitSynToMulticastDstIp( void );
void SynToMulticastDstIpDestroy( void );

/* Sentinel for Packet.application_protocol_ordinal when unknown. */
#define SFTARGET_UNKNOWN_PROTOCOL -1
1811
1812 #endif /* __DECODE_H__ */
1813