yafrag.h File Reference
Fragment reassembly interface for YAF.
#include <yaf/autoinc.h>
#include <yaf/decode.h>
#include <yaf/yafcore.h>
Typedefs

| Type | Name | Description |
|---|---|---|
| typedef struct yfFragNode_st | yfFragNode_t | Opaque fragment node structure. |

Functions

| Return type | Function | Description |
|---|---|---|
| void | yfFragInit () | Initialize or reinitialize the current fragment table. |
| void | yfDefragmentDecoded (size_t caplen, const uint8_t *pkt, yfFlowKey_t *flowkey, uint16_t iplen, yfTCPInfo_t *tcpinfo, yfIPFragInfo_t *fraginfo, yfL2Info_t *l2info) | Defragment a packet returned by yfDecodePkt. |
| yfFragNode_t * | yfAssembledDecoded (size_t *caplen, const uint8_t **pkt, yfFlowKey_t **flowkey, uint16_t *iplen, yfTCPInfo_t **tcpinfo, yfL2Info_t **l2info) | Get the next assembled packet from the assembled fragment queue. |
| void | yfFragNodeFree (yfFragNode_t *fn) | Free a fragment node returned by yfAssembledDecoded(). |
| void | yfFragDumpStats () | Print fragment reassembler statistics to the log. |

Detailed Description
Fragment reassembly interface for YAF. This facility works by maintaining a current fragment table. Fragments may be added to this table using the yfDefragmentDecoded() call. Completely assembled fragmented packets are placed into an outgoing queue by this call; fragmented packets may be removed from this queue using the yfAssembledDecoded() call. Assembled fragmented packets use storage in a yfFragNode_t structure returned from yfAssembledDecoded(); once assembled packets have been processed, this storage must be returned using the yfFragNodeFree() call.
This interface is configurable by the global variable yaf_fraglim, which sets the maximum number of outstanding current fragments allowed before the fragment timeout of 30 seconds begins being dynamically adjusted downward to limit resource usage. By default, this is 0, for no fragment limit. Set this global to a nonzero value to limit resource usage.
This interface is configurable by the global variable yaf_paylen, which is defined in the flow generator. The fragment reassembler will never keep more than yaf_paylen bytes of payload per assembled packet, since the first n bytes of a flow must appear within the first n bytes of each packet of that flow. See the documentation for yaf_paylen in yaftab.h for details. The default, a yaf_paylen of 0, will suppress payload assembly during fragment reassembly.
This facility is used by the YAF flow generator.
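The reassembly behaviour described above, as a self-contained C model added here (it is not YAF's code and does not call the YAF API): fragments of one IPv4 datagram arrive in any order, completion is tracked per 8-byte unit, and only the first PAYLEN bytes are stored, in the way yaf_paylen caps payload. The names frag_node, frag_add, demo and PAYLEN are assumptions of this example; the fragment table, timeout handling and yaf_fraglim are left out.

```c
#include <stdint.h>
#include <string.h>
#define PAYLEN    16u   /* assumed cap; plays the role of yaf_paylen */
#define MAX_UNITS 8192u /* IPv4 fragment offset: 13 bits of 8-byte units */

typedef struct {
    uint8_t  seen[MAX_UNITS / 8]; /* bitmap of 8-byte units received */
    uint8_t  payload[PAYLEN];     /* only the first PAYLEN bytes are stored */
    size_t   paylen;              /* valid bytes in payload[] once complete */
    uint32_t total, max_end;      /* length from the MF=0 fragment; highest end seen */
    int      have_last;
} frag_node;

/* Add one fragment: 1 = datagram complete, 0 = still waiting, -1 = malformed. */
int frag_add(frag_node *fn, uint16_t off_units, int more,
             const uint8_t *data, uint16_t len)
{
    uint32_t off = (uint32_t)off_units * 8, end = off + len, u;
    if (off_units >= MAX_UNITS || len == 0 || end > 65535) return -1;
    if (more && len % 8) return -1;     /* only the last fragment may be ragged */
    if (!more) {
        if (fn->have_last && fn->total != end) return -1;
        fn->have_last = 1; fn->total = end;
    }
    if (end > fn->max_end) fn->max_end = end;
    if (fn->have_last && fn->max_end > fn->total) return -1;
    for (u = off / 8; u < (end + 7) / 8; u++)  /* duplicates just re-set bits */
        fn->seen[u / 8] |= (uint8_t)(1u << (u % 8));
    if (off < PAYLEN)                   /* bytes past the cap are counted, not stored */
        memcpy(fn->payload + off, data, (end < PAYLEN ? end : PAYLEN) - off);
    if (!fn->have_last) return 0;
    for (u = 0; u < (fn->total + 7) / 8; u++)
        if (!(fn->seen[u / 8] & (1u << (u % 8)))) return 0;
    fn->paylen = fn->total < PAYLEN ? fn->total : PAYLEN;
    return 1;
}

size_t demo(void)  /* constructed input: 40-byte datagram, last fragment first */
{
    uint8_t d[40];
    frag_node fn = {0};
    for (int i = 0; i < 40; i++) d[i] = (uint8_t)i;
    if (frag_add(&fn, 2, 0, d + 16, 24) != 0) return 0;  /* bytes 16..39, MF=0 */
    if (frag_add(&fn, 0, 1, d, 8) != 0) return 0;        /* bytes 0..7 */
    if (frag_add(&fn, 1, 1, d + 8, 8) != 1) return 0;    /* bytes 8..15 completes it */
    return memcmp(fn.payload, d, fn.paylen) ? 0 : fn.paylen;
}
int main(void) { return demo() == PAYLEN ? 0 : 1; }
```

Memory per datagram stays fixed regardless of how many fragments arrive, because coverage lives in the bitmap and stored payload never exceeds the cap.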
Typedef Documentation
| typedef struct yfFragNode_st yfFragNode_t |
Opaque fragment node structure.
Function Documentation
yfFragNode_t* yfAssembledDecoded (size_t *caplen, const uint8_t **pkt, yfFlowKey_t **flowkey, uint16_t *iplen, yfTCPInfo_t **tcpinfo, yfL2Info_t **l2info)
Get the next assembled packet from the assembled fragment queue.
Returns NULL if no assembled packet is available; otherwise, returns a yfFragNode pointer storing information about the assembled packet, and passes pointers to the decoded reassembled packet data through the out parameters of this function. None of the parameters may be NULL.
Parameters:
- caplen: out parameter returning the length of the packet buffer in pkt. Returns 0 if payload assembly is disabled.
- pkt: out parameter returning the packet buffer containing the assembled packet payload. Returns NULL if payload assembly is disabled.
- flowkey: out parameter returning a pointer to the assembled flow key within the returned fragment node.
- iplen: out parameter returning the total IPv4 or IPv6 packet length, including IP and layer 4 headers but excluding layer 2 headers, of the assembled packet.
- tcpinfo: out parameter returning a pointer to the TCP information structure within the returned fragment node.
- l2info: out parameter returning a pointer to the Layer 2 information structure within the returned fragment node.

Returns:
- a fragment node storing information about the assembled packet; it must be freed with yfFragNodeFree() when the caller is done with the assembled packet.
void yfDefragmentDecoded (size_t caplen, const uint8_t *pkt, yfFlowKey_t *flowkey, uint16_t iplen, yfTCPInfo_t *tcpinfo, yfIPFragInfo_t *fraginfo, yfL2Info_t *l2info)
Defragment a packet returned by yfDecodePkt.
This adds the packet to the current fragment table, places any resulting completely assembled fragmented packets into an assembled fragment queue, and frees any timed-out fragments in the table. Its parameters can be passed directly from decoding.
Parameters:
- caplen: Length of the packet buffer pkt.
- pkt: Packet buffer, assumed to start with the payload as returned from yfDecodePkt(). Contains application payload only.
- flowkey: Pointer to a flow key filled in by yfDecodePkt().
- iplen: Total IPv4 or IPv6 packet length, including IP and layer 4 headers but excluding layer 2 headers, as returned by yfDecodePkt().
- tcpinfo: Pointer to TCP information structure as filled in by yfDecodePkt(). MAY be NULL if the caller does not require extended TCP header information.
- fraginfo: Pointer to fragment information structure as filled in by yfDecodePkt(). MUST NOT be NULL.
- l2info: Pointer to Layer 2 information structure as filled in by yfDecodePkt(). MAY be NULL if the caller does not require layer 2 information.
void yfFragNodeFree (yfFragNode_t *fn)


