decode.h
1/*
2 * Copyright 2007-2024 Carnegie Mellon University
3 * See license information in LICENSE.txt.
4 */
5/*
6 * decode.h
7 * YAF Layer 2 and Layer 3 decode routines
8 *
9 * ------------------------------------------------------------------------
10 * Authors: Brian Trammell
11 * ------------------------------------------------------------------------
12 * @DISTRIBUTION_STATEMENT_BEGIN@
13 * YAF 2.16
14 *
15 * Copyright 2024 Carnegie Mellon University.
16 *
17 * NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
18 * INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
19 * UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
20 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
21 * PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
22 * THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
23 * ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
24 * INFRINGEMENT.
25 *
26 * Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
27 * contact permission@sei.cmu.edu for full terms.
28 *
29 * [DISTRIBUTION STATEMENT A] This material has been approved for public
30 * release and unlimited distribution. Please see Copyright notice for
31 * non-US Government use and distribution.
32 *
33 * This Software includes and/or makes use of Third-Party Software each
34 * subject to its own license.
35 *
36 * DM24-1063
37 * @DISTRIBUTION_STATEMENT_END@
38 * ------------------------------------------------------------------------
39 */
40
59#ifndef _YAF_DECODE_H_
60#define _YAF_DECODE_H_
61
62#include <yaf/autoinc.h>
63#include <yaf/yafcore.h>
64
66typedef struct yfIPFragInfo_st {
68 uint32_t ipid;
70 uint16_t offset;
72 uint16_t iphlen;
77 uint16_t l4hlen;
82 uint8_t frag;
86 uint8_t more;
87} yfIPFragInfo_t;
88
90#define YF_MPLS_LABEL_COUNT_MAX 3
91
93typedef struct yfL2Info_st {
95 uint8_t smac[6];
97 uint8_t dmac[6];
99 uint16_t l2hlen;
101 uint16_t vlan_tag;
103 uint32_t mpls_count;
105 uint32_t mpls_label[YF_MPLS_LABEL_COUNT_MAX];
106} yfL2Info_t;
107
109typedef struct yfMPTCPInfo_st {
111 uint64_t idsn;
113 uint32_t token;
115 uint16_t mss;
117 uint8_t flags;
118 /* address id */
119 uint8_t addrid;
120} yfMPTCPInfo_t;
121
123typedef struct yfTCPInfo_st {
125 uint32_t seq;
127 uint8_t flags;
129 yfMPTCPInfo_t mptcp;
130} yfTCPInfo_t;
131
133typedef struct yfPBuf_st {
135 yfTime_t ptime;
137 yfFlowKey_t key;
139 size_t allHeaderLen;
141 struct pcap_pkthdr pcap_hdr;
143 pcap_t *pcapt;
145 uint64_t pcap_offset;
147 uint16_t pcap_caplist;
149 uint32_t iplen;
151 uint16_t ifnum;
154 uint8_t frag;
156 yfTCPInfo_t tcpinfo;
158 yfL2Info_t l2info;
159#if defined(YAF_ENABLE_P0F) || defined(YAF_ENABLE_FPEXPORT)
161 size_t headerLen;
163 uint8_t headerVal[YFP_IPTCPHEADER_SIZE];
164#endif /* if defined(YAF_ENABLE_P0F) || defined(YAF_ENABLE_FPEXPORT) */
166 size_t paylen;
170 uint8_t payload[1];
171} yfPBuf_t;
172
174#define YF_PBUFLEN_NOL2INFO offsetof(yfPBuf_t, l2info)
175
177#define YF_PBUFLEN_NOPAYLOAD offsetof(yfPBuf_t, paylen)
178
180#define YF_PBUFLEN_BASE offsetof(yfPBuf_t, payload)
181
182struct yfDecodeCtx_st;
184typedef struct yfDecodeCtx_st yfDecodeCtx_t;
185
187#define YF_TYPE_IPv4 0x0800
189#define YF_TYPE_IPv6 0x86DD
194#define YF_TYPE_IPANY 0x0000
195
197#define YF_PROTO_IP6_HOP 0
199#define YF_PROTO_ICMP 1
201#define YF_PROTO_TCP 6
203#define YF_PROTO_UDP 17
205#define YF_PROTO_IP6_ROUTE 43
207#define YF_PROTO_IP6_FRAG 44
209#define YF_PROTO_GRE 47
211#define YF_PROTO_ICMP6 58
213#define YF_PROTO_IP6_NONEXT 59
215#define YF_PROTO_IP6_DOPT 60
216
218#define YF_TF_FIN 0x01
220#define YF_TF_SYN 0x02
222#define YF_TF_RST 0x04
224#define YF_TF_PSH 0x08
226#define YF_TF_ACK 0x10
228#define YF_TF_URG 0x20
230#define YF_TF_ECE 0x40
232#define YF_TF_CWR 0x80
233
235#define YF_MF_PRIO_CHANGE 0x01
237#define YF_MF_PRIORITY 0x02
239#define YF_MF_FAIL 0x04
241#define YF_MF_FASTCLOSE 0x08
242
264yfDecodeCtx_t *
265yfDecodeCtxAlloc(
266 int datalink,
267 uint16_t reqtype,
268 gboolean gremode,
269 GArray *vxlanports,
270 GArray *geneveports);
271
277void
278yfDecodeCtxFree(
279 yfDecodeCtx_t *ctx);
280
312gboolean
313yfDecodeToPBuf(
314 yfDecodeCtx_t *ctx,
315 const yfTime_t *ptime,
316 size_t caplen,
317 const uint8_t *pkt,
318 yfIPFragInfo_t *fraginfo,
319 size_t pbuflen,
320 yfPBuf_t *pbuf);
321
329uint64_t
330yfDecodeTimeval(
331 const struct timeval *tv);
332
339void
340yfDecodeDumpStats(
341 yfDecodeCtx_t *ctx,
342 uint64_t packetTotal);
343
350void
351yfDecodeResetOffset(
352 yfDecodeCtx_t *ctx);
353
360uint32_t
361yfGetDecodeStats(
362 yfDecodeCtx_t *ctx);
363
364
378gboolean
379yfDefragTCP(
380 uint8_t *pkt,
381 size_t *caplen,
382 yfFlowKey_t *key,
383 yfIPFragInfo_t *fraginfo,
384 yfTCPInfo_t *tcpinfo,
385 size_t *payoff);
386
387#endif /* ifndef _YAF_DECODE_H_ */
yfFlowKey_st
A YAF flow key.
Definition yafcore.h:244
yfIPFragInfo_st
Fragmentation information structure.
Definition decode.h:66
yfIPFragInfo_st::offset
uint16_t offset
Fragment offset within the reassembled datagram.
Definition decode.h:70
yfIPFragInfo_st::l4hlen
uint16_t l4hlen
Decoded header length.
Definition decode.h:77
yfIPFragInfo_st::more
uint8_t more
More fragments flag.
Definition decode.h:86
yfIPFragInfo_st::ipid
uint32_t ipid
Fragment ID.
Definition decode.h:68
yfIPFragInfo_st::iphlen
uint16_t iphlen
IP header length.
Definition decode.h:72
yfIPFragInfo_st::frag
uint8_t frag
Fragmented packet flag.
Definition decode.h:82
yfL2Info_st
Datalink layer information structure.
Definition decode.h:93
yfL2Info_st::vlan_tag
uint16_t vlan_tag
VLAN tag.
Definition decode.h:101
yfL2Info_st::mpls_label
uint32_t mpls_label[YF_MPLS_LABEL_COUNT_MAX]
MPLS label stack.
Definition decode.h:105
yfL2Info_st::mpls_count
uint32_t mpls_count
MPLS label count.
Definition decode.h:103
yfL2Info_st::dmac
uint8_t dmac[6]
Destination MAC address.
Definition decode.h:97
yfL2Info_st::l2hlen
uint16_t l2hlen
Layer 2 Header Length.
Definition decode.h:99
yfL2Info_st::smac
uint8_t smac[6]
Source MAC address.
Definition decode.h:95
yfMPTCPInfo_st
MPTCP information structure.
Definition decode.h:109
yfMPTCPInfo_st::token
uint32_t token
token
Definition decode.h:113
yfMPTCPInfo_st::flags
uint8_t flags
flags
Definition decode.h:117
yfMPTCPInfo_st::idsn
uint64_t idsn
initial dsn
Definition decode.h:111
yfMPTCPInfo_st::mss
uint16_t mss
maximum segment size
Definition decode.h:115
yfPBuf_st
Full packet information structure.
Definition decode.h:133
yfPBuf_st::pcap_offset
uint64_t pcap_offset
offset into pcap
Definition decode.h:145
yfPBuf_st::tcpinfo
yfTCPInfo_t tcpinfo
TCP information structure.
Definition decode.h:156
yfPBuf_st::ptime
yfTime_t ptime
Packet timestamp.
Definition decode.h:135
yfPBuf_st::iplen
uint32_t iplen
Packet IP length.
Definition decode.h:149
yfPBuf_st::l2info
yfL2Info_t l2info
Decoded layer 2 information.
Definition decode.h:158
yfPBuf_st::pcapt
pcap_t * pcapt
pcap struct
Definition decode.h:143
yfPBuf_st::ifnum
uint16_t ifnum
Interface number packet was decoded from.
Definition decode.h:151
yfPBuf_st::pcap_caplist
uint16_t pcap_caplist
caplist
Definition decode.h:147
yfPBuf_st::paylen
size_t paylen
Length of payload available in captured payload buffer.
Definition decode.h:166
yfPBuf_st::allHeaderLen
size_t allHeaderLen
Length of all headers, L2, L3, L4.
Definition decode.h:139
yfPBuf_st::pcap_hdr
struct pcap_pkthdr pcap_hdr
pcap header
Definition decode.h:141
yfPBuf_st::key
yfFlowKey_t key
Flow key containing decoded IP and transport headers.
Definition decode.h:137
yfPBuf_st::frag
uint8_t frag
flag for determining if the packet was fragmented 0-no, 1-yes, 2-not fully assembled
Definition decode.h:154
yfPBuf_st::payload
uint8_t payload[1]
Captured payload buffer.
Definition decode.h:170
yfTCPInfo_st
TCP information structure.
Definition decode.h:123
yfTCPInfo_st::seq
uint32_t seq
TCP sequence number.
Definition decode.h:125
yfTCPInfo_st::flags
uint8_t flags
TCP flags.
Definition decode.h:127
yfTCPInfo_st::mptcp
yfMPTCPInfo_t mptcp
MPTCP Info.
Definition decode.h:129
yfTime_st
YAF timestamp: represents a moment in time.
Definition yaftime.h:47
yafcore.h
YAF Core Library.
YFP_IPTCPHEADER_SIZE
#define YFP_IPTCPHEADER_SIZE
This is the size of the packet to store away for use primarily in passive OS fingerprinting,...
Definition yafcore.h:173