decode.h
1 /*
2  * @internal
3  *
4  ** @file decode.h
5  ** YAF Layer 2 and Layer 3 decode routines
6  **
7  ** ------------------------------------------------------------------------
8  ** Copyright (C) 2007-2015 Carnegie Mellon University. All Rights Reserved.
9  ** ------------------------------------------------------------------------
10  ** Authors: Brian Trammell
11  ** ------------------------------------------------------------------------
12  ** @OPENSOURCE_HEADER_START@
13  ** Use of the YAF system and related source code is subject to the terms
14  ** of the following licenses:
15  **
16  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
17  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
18  **
19  ** NO WARRANTY
20  **
21  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
22  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
23  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
24  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
25  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
26  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
27  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
28  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
29  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
30  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
31  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
32  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
33  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
34  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
35  ** DELIVERABLES UNDER THIS LICENSE.
36  **
37  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
38  ** Mellon University, its trustees, officers, employees, and agents from
39  ** all claims or demands made against them (and any related losses,
40  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
41  ** and/or its sub licensees' negligent use or willful misuse of or
42  ** negligent conduct or willful misconduct regarding the Software,
43  ** facilities, or other rights or assistance granted by Carnegie Mellon
44  ** University under this License, including, but not limited to, any
45  ** claims of product liability, personal injury, death, damage to
46  ** property, or violation of any laws or regulations.
47  **
48  ** Carnegie Mellon University Software Engineering Institute authored
49  ** documents are sponsored by the U.S. Department of Defense under
50  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
51  ** copyrights in all material produced under this contract. The U.S.
52  ** Government retains a non-exclusive, royalty-free license to publish or
53  ** reproduce these documents, or allow others to do so, for U.S.
54  ** Government purposes only pursuant to the copyright license under the
55  ** contract clause at 252.227.7013.
56  **
57  ** @OPENSOURCE_HEADER_END@
58  ** ------------------------------------------------------------------------
59  */
60 
75 #ifndef _YAF_DECODE_H_
76 #define _YAF_DECODE_H_
77 
78 #include <yaf/autoinc.h>
79 #include <yaf/yafcore.h>
80 
82 typedef struct yfIPFragInfo_st {
84  uint32_t ipid;
86  uint16_t offset;
88  uint16_t iphlen;
93  uint16_t l4hlen;
98  uint8_t frag;
102  uint8_t more;
103 } yfIPFragInfo_t;
104 
106 #define YF_MPLS_LABEL_COUNT_MAX 3
107 
109 typedef struct yfL2Info_st {
111  uint8_t smac[6];
113  uint8_t dmac[6];
115  uint16_t l2hlen;
117  uint16_t vlan_tag;
119  uint32_t mpls_count;
121  uint32_t mpls_label[YF_MPLS_LABEL_COUNT_MAX];
122 } yfL2Info_t;
123 
125 typedef struct yfMPTCPInfo_st {
127  uint64_t idsn;
129  uint32_t token;
131  uint16_t mss;
133  uint8_t flags;
134  /* address id */
135  uint8_t addrid;
136 } yfMPTCPInfo_t;
137 
139 typedef struct yfTCPInfo_st {
141  uint32_t seq;
143  uint8_t flags;
145  yfMPTCPInfo_t mptcp;
146 } yfTCPInfo_t;
147 
149 typedef struct yfPBuf_st {
151  uint64_t ptime;
153  yfFlowKey_t key;
155  size_t allHeaderLen;
157  struct pcap_pkthdr pcap_hdr;
159  pcap_t *pcapt;
161  uint64_t pcap_offset;
163  uint16_t pcap_caplist;
165  uint16_t iplen;
167  uint16_t ifnum;
170  uint8_t frag;
172  yfTCPInfo_t tcpinfo;
174  yfL2Info_t l2info;
175 # if defined(YAF_ENABLE_P0F) || defined(YAF_ENABLE_FPEXPORT)
176 
177  size_t headerLen;
179  uint8_t headerVal[YFP_IPTCPHEADER_SIZE];
180 # endif
181 
182  size_t paylen;
186  uint8_t payload[1];
187 } yfPBuf_t;
188 
190 #define YF_PBUFLEN_NOL2INFO offsetof(yfPBuf_t, l2info)
191 
193 #define YF_PBUFLEN_NOPAYLOAD offsetof(yfPBuf_t, paylen)
194 
196 #define YF_PBUFLEN_BASE offsetof(yfPBuf_t, payload)
197 
198 struct yfDecodeCtx_st;
200 typedef struct yfDecodeCtx_st yfDecodeCtx_t;
201 
203 #define YF_TYPE_IPv4 0x0800
204 
205 #define YF_TYPE_IPv6 0x86DD
206 
210 #define YF_TYPE_IPANY 0x0000
211 
213 #define YF_PROTO_IP6_HOP 0
214 
215 #define YF_PROTO_ICMP 1
216 
217 #define YF_PROTO_TCP 6
218 
219 #define YF_PROTO_UDP 17
220 
221 #define YF_PROTO_IP6_ROUTE 43
222 
223 #define YF_PROTO_IP6_FRAG 44
224 
225 #define YF_PROTO_GRE 47
226 
227 #define YF_PROTO_ICMP6 58
228 
229 #define YF_PROTO_IP6_NONEXT 59
230 
231 #define YF_PROTO_IP6_DOPT 60
232 
234 #define YF_TF_FIN 0x01
235 
236 #define YF_TF_SYN 0x02
237 
238 #define YF_TF_RST 0x04
239 
240 #define YF_TF_PSH 0x08
241 
242 #define YF_TF_ACK 0x10
243 
244 #define YF_TF_URG 0x20
245 
246 #define YF_TF_ECE 0x40
247 
248 #define YF_TF_CWR 0x80
249 
251 #define YF_MF_PRIO_CHANGE 0x01
252 
253 #define YF_MF_PRIORITY 0x02
254 
255 #define YF_MF_FAIL 0x04
256 
257 #define YF_MF_FASTCLOSE 0x08
258 
277 yfDecodeCtx_t *yfDecodeCtxAlloc(
278  int datalink,
279  uint16_t reqtype,
280  gboolean gremode);
281 
287 void yfDecodeCtxFree(
288  yfDecodeCtx_t *ctx);
289 
325 gboolean yfDecodeToPBuf(
326  yfDecodeCtx_t *ctx,
327  uint64_t ptime,
328  size_t caplen,
329  const uint8_t *pkt,
330  yfIPFragInfo_t *fraginfo,
331  size_t pbuflen,
332  yfPBuf_t *pbuf);
333 
342 uint64_t yfDecodeTimeval(
343  const struct timeval *tv);
344 
353 uint64_t yfDecodeTimeNTP(
354  uint64_t ntp);
355 
363 void yfDecodeDumpStats(
364  yfDecodeCtx_t *ctx,
365  uint64_t packetTotal);
366 
373 void yfDecodeResetOffset(
374  yfDecodeCtx_t *ctx);
375 
382 uint32_t yfGetDecodeStats(
383  yfDecodeCtx_t *ctx);
384 
385 
399 gboolean yfDefragTCP(
400  uint8_t *pkt,
401  size_t *caplen,
402  yfFlowKey_t *key,
403  yfIPFragInfo_t *fraginfo,
404  yfTCPInfo_t *tcpinfo,
405  size_t *payoff);
406 
407 /* end idem */
408 #endif
yfPBuf_st::pcap_caplist
uint16_t pcap_caplist
caplist
Definition: decode.h:163
yfTCPInfo_st::flags
uint8_t flags
TCP flags.
Definition: decode.h:143
yfMPTCPInfo_st::flags
uint8_t flags
flags
Definition: decode.h:133
yfMPTCPInfo_st::idsn
uint64_t idsn
initial dsn
Definition: decode.h:127
yfTCPInfo_st::mptcp
yfMPTCPInfo_t mptcp
MPTCP Info.
Definition: decode.h:145
yfIPFragInfo_st::l4hlen
uint16_t l4hlen
Decoded header length.
Definition: decode.h:93
yfPBuf_st::iplen
uint16_t iplen
Packet IP length.
Definition: decode.h:165
yfPBuf_st::frag
uint8_t frag
flag for determining if the packet was fragmented 0-no, 1-yes, 2-not fully assembled ...
Definition: decode.h:170
YFP_IPTCPHEADER_SIZE
#define YFP_IPTCPHEADER_SIZE
This is the size of the packet to store away for use primarily in passive OS fingerprinting, this value is only used if application labeling is enabled.
Definition: yafcore.h:188
yafcore.h
YAF Core Library.
yfMPTCPInfo_st::token
uint32_t token
token
Definition: decode.h:129
yfIPFragInfo_st::ipid
uint32_t ipid
Fragment ID.
Definition: decode.h:84
yfL2Info_st::mpls_count
uint32_t mpls_count
MPLS label count.
Definition: decode.h:119
yfMPTCPInfo_st::mss
uint16_t mss
maximum segment size
Definition: decode.h:131
yfIPFragInfo_st::more
uint8_t more
More fragments flag.
Definition: decode.h:102
yfPBuf_st::key
yfFlowKey_t key
Flow key containing decoded IP and transport headers.
Definition: decode.h:153
yfTCPInfo_st
TCP information structure.
Definition: decode.h:139
yfIPFragInfo_st::frag
uint8_t frag
Fragmented packet flag.
Definition: decode.h:98
yfPBuf_st::tcpinfo
yfTCPInfo_t tcpinfo
TCP information structure.
Definition: decode.h:172
yfPBuf_st::allHeaderLen
size_t allHeaderLen
Length of all headers, L2, L3, L4.
Definition: decode.h:155
yfPBuf_st::paylen
size_t paylen
Length of payload available in captured payload buffer.
Definition: decode.h:182
yfPBuf_st::ptime
uint64_t ptime
Packet timestamp in epoch milliseconds.
Definition: decode.h:151
yfIPFragInfo_st
Packet decoding interface for YAF.
Definition: decode.h:82
yfPBuf_st::l2info
yfL2Info_t l2info
Decoded layer 2 information.
Definition: decode.h:174
yfTCPInfo_st::seq
uint32_t seq
TCP sequence number.
Definition: decode.h:141
yfFlowKey_st
A YAF flow key.
Definition: yafcore.h:208
yfL2Info_st
Datalink layer information structure.
Definition: decode.h:109
yfL2Info_st::vlan_tag
uint16_t vlan_tag
VLAN tag.
Definition: decode.h:117
yfMPTCPInfo_st
MPTCP information structure.
Definition: decode.h:125
yfPBuf_st::pcapt
pcap_t * pcapt
pcap struct
Definition: decode.h:159
yfPBuf_st
Full packet information structure.
Definition: decode.h:149
yfIPFragInfo_st::iphlen
uint16_t iphlen
IP header length.
Definition: decode.h:88
yfPBuf_st::pcap_offset
uint64_t pcap_offset
offset into pcap
Definition: decode.h:161
yfIPFragInfo_st::offset
uint16_t offset
Fragment offset within the reassembled datagram.
Definition: decode.h:86
yfPBuf_st::ifnum
uint16_t ifnum
Interface number packet was decoded from.
Definition: decode.h:167
yfL2Info_st::l2hlen
uint16_t l2hlen
Layer 2 Header Length.
Definition: decode.h:115