decode.h File Reference
Packet decoding interface for YAF.
#include <yaf/autoinc.h>
#include <yaf/yafcore.h>
Data Structures
| struct | yfL2Info_st | Datalink layer information structure. |
| struct | yfIPFragInfo_st | Fragmentation information structure. |
| struct | yfTCPInfo_st | TCP information structure. |
Defines
| #define | YF_MPLS_LABEL_COUNT_MAX 10 | Maximum MPLS label count. |
| #define | YF_TYPE_IPv4 0x0800 | Ethertype for IP version 4 packets. |
| #define | YF_TYPE_IPv6 0x86DD | Ethertype for IP version 6 packets. |
| #define | YF_TYPE_IPANY 0x0000 | Pseudo-ethertype for any IP version packets. |
| #define | YF_PROTO_IP6_HOP 0 | IPv6 Next Header for Hop-by-Hop Options. |
| #define | YF_PROTO_ICMP 1 | IPv4 Protocol Identifier and IPv6 Next Header for ICMP. |
| #define | YF_PROTO_TCP 6 | IPv4 Protocol Identifier and IPv6 Next Header for TCP. |
| #define | YF_PROTO_UDP 17 | IPv4 Protocol Identifier and IPv6 Next Header for UDP. |
| #define | YF_PROTO_IP6_ROUTE 43 | IPv6 Next Header for Routing Options. |
| #define | YF_PROTO_IP6_FRAG 44 | IPv6 Next Header for Fragment Options. |
| #define | YF_PROTO_GRE 47 | IPv4 Protocol Identifier and IPv6 Next Header for GRE. |
| #define | YF_PROTO_ICMP6 58 | IPv4 Protocol Identifier and IPv6 Next Header for ICMPv6. |
| #define | YF_PROTO_IP6_DOPT 60 | IPv6 Next Header for Destination Options. |
| #define | YF_TF_FIN 0x01 | TCP FIN flag. |
| #define | YF_TF_SYN 0x02 | TCP SYN flag. |
| #define | YF_TF_RST 0x04 | TCP RST flag. |
| #define | YF_TF_PSH 0x08 | TCP PSH flag. |
| #define | YF_TF_ACK 0x10 | TCP ACK flag. |
| #define | YF_TF_URG 0x20 | TCP URG flag. |
| #define | YF_TF_ECE 0x40 | TCP ECE flag. |
| #define | YF_TF_CWR 0x80 | TCP CWR flag. |
Typedefs
| typedef struct yfL2Info_st | yfL2Info_t |
| typedef struct yfIPFragInfo_st | yfIPFragInfo_t |
| typedef struct yfTCPInfo_st | yfTCPInfo_t |
Functions
| gboolean | yfDecodePkt (int datalink, uint16_t reqtype, const struct timeval *ptime, size_t *caplen, const uint8_t *pkt, yfFlowKey_t *key, uint16_t *iplen, yfTCPInfo_t *tcpinfo, yfIPFragInfo_t *fraginfo, yfL2Info_t *l2info, const uint8_t **payload) | Decode a packet. |
| void | yfDecodeDumpStats () | Print decoder statistics to the log. |
Detailed Description
Packet decoding interface for YAF. The main function in this file, yfDecodePkt(), decodes IPv4 and IPv6 packets within loopback, raw, Ethernet, Linux SLL ("cooked"), and C-HDLC frames, encapsulated within MPLS, 802.1q VLAN, and/or GRE. It provides high-performance partial reassembly of IPv4 and IPv6 fragments, so that flows are generated correctly from fragmented data and the first N bytes of a given flow can be exported.
This interface is configured by the global variable yaf_gremode. Set it to TRUE to enable GRE decoding; otherwise GRE packets are left encapsulated.
The structures filled in by yfDecodePkt() are used within the flow generator, and are suitable for other similar purposes.
Define Documentation
#define YF_TF_ACK 0x10
TCP ACK flag. Acknowledgment number is valid.
#define YF_TF_CWR 0x80
TCP CWR (Congestion Window Reduced) flag. Used for explicit congestion notification.
#define YF_TF_ECE 0x40
TCP ECE (ECN-Echo) flag. Used for explicit congestion notification.
#define YF_TF_FIN 0x01
TCP FIN flag. End of connection.
#define YF_TF_PSH 0x08
TCP PSH flag. The receiver should deliver the data to the application without waiting for more.
#define YF_TF_RST 0x04
TCP RST flag. Abnormal end of connection.
#define YF_TF_SYN 0x02
TCP SYN flag. Start of connection.
#define YF_TF_URG 0x20
TCP URG flag. Urgent pointer is valid.
#define YF_TYPE_IPANY 0x0000
Pseudo-ethertype for any IP version packets. Used as the reqtype argument to yfDecodePkt() to accept both IPv4 and IPv6 packets.
#define YF_TYPE_IPv4 0x0800
Ethertype for IP version 4 packets.
#define YF_TYPE_IPv6 0x86DD
Ethertype for IP version 6 packets.
Function Documentation
gboolean yfDecodePkt (int datalink,
                      uint16_t reqtype,
                      const struct timeval *ptime,
                      size_t *caplen,
                      const uint8_t *pkt,
                      yfFlowKey_t *key,
                      uint16_t *iplen,
                      yfTCPInfo_t *tcpinfo,
                      yfIPFragInfo_t *fraginfo,
                      yfL2Info_t *l2info,
                      const uint8_t **payload)
Decode a packet.
The packet is assumed to be encapsulated within a link layer frame described by the datalink parameter. On success the function fills in the key, iplen, tcpinfo, fraginfo, and l2info structures. The payload pointer, if supplied, is updated to point to the first byte after the decoded headers, and caplen is updated to the amount of payload available in that buffer.
- Parameters:
  - datalink: libpcap DLT_ constant describing the layer 2 headers on the packet in pkt. Supported datalink types are DLT_EN10MB (Ethernet), DLT_CHDLC (Cisco HDLC), DLT_LINUX_SLL (Linux "cooked" capture interface), DLT_RAW (raw IP packet, no layer 2), DLT_NULL (loopback), and DLT_LOOP (OpenBSD loopback).
  - reqtype: Required IP packet ethertype. Pass YF_TYPE_IPv4 to decode only IPv4 packets, YF_TYPE_IPv6 to decode only IPv6 packets, or YF_TYPE_IPANY to decode both IPv4 and IPv6 packets.
  - ptime: Pointer to a struct timeval holding the time at which the packet was observed.
  - caplen: Pointer to the length of the packet buffer pkt. On call, the length is the number of valid bytes at pkt. On return, the length is the number of undecoded bytes remaining in the packet buffer, i.e. the number of valid bytes in the payload buffer.
  - pkt: Pointer to the packet to decode. It is assumed to start with the layer 2 header described by the datalink parameter.
  - key: Pointer to a flow key which will be filled in with information from the decoded IP and layer 4 headers. MUST not be NULL.
  - iplen: Pointer to the total IPv4 or IPv6 packet length of the decoded packet, including IP and layer 4 headers but excluding layer 2 headers. MUST not be NULL.
  - tcpinfo: Pointer to a TCP information structure which will be filled in with extended TCP header information from the decoded TCP header. Not modified if the packet is not a TCP packet. MAY be NULL if the caller does not require extended TCP header information.
  - fraginfo: Pointer to an IP fragment information structure which will be filled in with fragment id and offset information from the decoded IP headers. MAY be NULL if the caller does not require fragment information; in this case, all fragmented packets will be dropped.
  - l2info: Pointer to a layer 2 information structure which will be filled in with information from the decoded layer 2 headers. MAY be NULL if the caller does not require layer 2 information.
  - payload: Pointer to a pointer to the first undecoded (application layer) byte in the packet. MAY be NULL if the caller does not require the payload pointer.
- Returns:
  - TRUE on success (a packet of the required type was decoded and all the decode structures are valid), FALSE otherwise. Failures are counted in the decode statistics, which can be logged with the yfDecodeDumpStats() call.
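The contract above (reqtype filtering, caplen as an in/out length, payload pointing past the decoded headers, fragments dropped when no fraginfo is supplied) is easiest to see in a small decoder that follows it. The following is an added example written for this page, not YAF's own code: it handles only Ethernet II, stacked 802.1q tags, IPv4 and TCP, whereas yfDecodePkt() covers the full datalink, IPv6, MPLS and GRE set described in the file documentation. The YF_* values are copied from decode.h; VLAN_TPID, the demo_* types and the sample frame are assumptions constructed for the example so that it compiles without the YAF headers. The point it makes is the one a decoder on untrusted captures has to make everywhere: every header field is read only after the remaining caplen has been checked, so a truncated or deliberately malformed frame is rejected instead of read past the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* YF_* values copied from decode.h; VLAN_TPID and demo_* are assumptions. */
#define YF_TYPE_IPv4  0x0800
#define YF_TYPE_IPANY 0x0000
#define YF_PROTO_TCP  6
#define YF_TF_SYN     0x02
#define VLAN_TPID     0x8100   /* 802.1q tag protocol identifier */

typedef struct { uint32_t sip, dip; uint16_t sp, dp; uint8_t proto; } demo_key_t;
typedef struct { uint8_t flags; uint32_t seq; } demo_tcpinfo_t;
typedef struct { uint16_t ipid, offset; int more; } demo_fraginfo_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Ethernet II / 802.1q / IPv4 decoder with the yfDecodePkt() contract:
 * returns 1 on success, 0 otherwise; *caplen becomes the payload length.
 * Every header read is guarded by a caplen check. */
int demo_decode(uint16_t reqtype, size_t *caplen, const uint8_t *pkt,
                demo_key_t *key, uint16_t *iplen, demo_tcpinfo_t *tcpinfo,
                demo_fraginfo_t *fraginfo, const uint8_t **payload)
{
    size_t off = 14;                                  /* Ethernet II header */
    if (*caplen < off) return 0;
    uint16_t type = rd16(pkt + 12);
    while (type == VLAN_TPID) {                       /* strip stacked VLAN tags */
        if (*caplen < off + 4) return 0;
        type = rd16(pkt + off + 2);
        off += 4;
    }
    if (type != YF_TYPE_IPv4) return 0;               /* IPv6 is left out here */
    if (reqtype != YF_TYPE_IPANY && reqtype != type) return 0;
    if (*caplen < off + 20) return 0;
    const uint8_t *ip = pkt + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || *caplen < off + ihl) return 0;
    *iplen = rd16(ip + 2);
    if (*iplen < ihl) return 0;                       /* total length must cover the header */
    key->sip = rd32(ip + 12); key->dip = rd32(ip + 16);
    key->proto = ip[9]; key->sp = key->dp = 0;
    uint16_t ff = rd16(ip + 6), fragoff = (uint16_t)((ff & 0x1fff) * 8);
    int more = (ff >> 13) & 1;                        /* MF bit */
    off += ihl;
    if (fragoff || more) {
        if (!fraginfo) return 0;                      /* caller declined fragments: drop */
        fraginfo->ipid = rd16(ip + 4); fraginfo->offset = fragoff; fraginfo->more = more;
        if (fragoff) {                                /* non-first fragment has no L4 header */
            if (payload) *payload = pkt + off;
            *caplen -= off;
            return 1;
        }
    }
    if (key->proto == YF_PROTO_TCP) {
        if (*caplen < off + 20) return 0;
        const uint8_t *tcp = pkt + off;
        size_t doff = (size_t)(tcp[12] >> 4) * 4;     /* data offset covers options */
        if (doff < 20 || *caplen < off + doff) return 0;
        key->sp = rd16(tcp); key->dp = rd16(tcp + 2);
        if (tcpinfo) { tcpinfo->flags = tcp[13]; tcpinfo->seq = rd32(tcp + 4); }
        off += doff;
    }
    if (payload) *payload = pkt + off;
    *caplen -= off;                                   /* payload bytes left in the buffer */
    return 1;
}

/* Constructed sample frame: Ethernet II, VLAN 100, IPv4 10.0.0.1 -> 192.168.1.10,
 * TCP 49152 -> 443 with SYN set, followed by 4 bytes of payload (62 bytes). */
static const uint8_t sample_pkt[62] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x81,0x00,
    0x00,0x64, 0x08,0x00,
    0x45,0x00,0x00,0x2c, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x0a,
    0xc0,0x00,0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00,
    0xde,0xad,0xbe,0xef
};

/* Decode the sample as if captured with the given snap length; *left receives
 * the payload byte count. Returns the decoder's result. */
int demo_run(size_t caplen, demo_key_t *key, demo_tcpinfo_t *tcpinfo, size_t *left)
{
    uint16_t iplen = 0; const uint8_t *payload = NULL; demo_fraginfo_t fi;
    int ok = demo_decode(YF_TYPE_IPANY, &caplen, sample_pkt, key, &iplen,
                         tcpinfo, &fi, &payload);
    *left = caplen;
    return ok;
}

int main(void)
{
    demo_key_t k; demo_tcpinfo_t t; size_t left;
    if (demo_run(sizeof sample_pkt, &k, &t, &left))
        printf("TCP %u -> %u flags=0x%02x payload=%zu bytes\n", (unsigned)k.sp, (unsigned)k.dp, (unsigned)t.flags, left);
    printf("truncated at 40 bytes: %s\n", demo_run(40, &k, &t, &left) ? "decoded" : "rejected");
    return 0;
}
```

With the full 62-byte frame the decoder reports ports 49152 -> 443, flags 0x02 and 4 payload bytes left in caplen; the same frame cut at 40 bytes (a typical short snaplen) is rejected at the TCP header check rather than parsed from bytes that were never captured. Passing NULL for fraginfo would make any fragmented frame return 0, which is the behaviour the fraginfo parameter documents.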