decode.h

/*
 *  Copyright 2007-2026 Carnegie Mellon University
 *  See license information in LICENSE.txt.
 */
/*
 *  decode.h
 *  YAF Layer 2 and Layer 3 decode routines
 *
 *  ------------------------------------------------------------------------
 *  Authors: Brian Trammell
 *  ------------------------------------------------------------------------
 *  @DISTRIBUTION_STATEMENT_BEGIN@
 *  YAF 2.19
 *
 *  Copyright 2026 Carnegie Mellon University.
 *
 *  NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
 *  INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
 *  UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
 *  AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
 *  PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
 *  THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
 *  ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
 *  INFRINGEMENT.
 *
 *  Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
 *  contact permission@sei.cmu.edu for full terms.
 *
 *  [DISTRIBUTION STATEMENT A] This material has been approved for public
 *  release and unlimited distribution.  Please see Copyright notice for
 *  non-US Government use and distribution.
 *
 *  This Software includes and/or makes use of Third-Party Software each
 *  subject to its own license.
 *
 *  DM26-0194
 *  @DISTRIBUTION_STATEMENT_END@
 *  ------------------------------------------------------------------------
 */

 
#ifndef _YAF_DECODE_H_
#define _YAF_DECODE_H_
 
#include <yaf/autoinc.h>
#include <yaf/yafcore.h>

typedef struct yfIPFragInfo_st {
    uint32_t   ipid;
    uint16_t   offset;
    uint16_t   iphlen;
    uint16_t   l4hlen;
    uint8_t    frag;
    uint8_t    more;
} yfIPFragInfo_t;

#define YF_MPLS_LABEL_COUNT_MAX     3

typedef struct yfL2Info_st {
    uint8_t    smac[6];
    uint8_t    dmac[6];
    uint16_t   l2hlen;
    uint16_t   vlan_tag;
    uint32_t   mpls_count;
    uint32_t   mpls_label[YF_MPLS_LABEL_COUNT_MAX];
} yfL2Info_t;

typedef struct yfMPTCPInfo_st {
    uint64_t   idsn;
    uint32_t   token;
    uint16_t   mss;
    uint8_t    flags;
    /* address id */
    uint8_t    addrid;
} yfMPTCPInfo_t;

typedef struct yfTCPInfo_st {
    uint32_t        seq;
    uint8_t         flags;
    yfMPTCPInfo_t   mptcp;
} yfTCPInfo_t;

typedef struct yfPBuf_st {
    yfTime_t             ptime;
    yfFlowKey_t          key;
    size_t               allHeaderLen;
    struct pcap_pkthdr   pcap_hdr;
    pcap_t              *pcapt;
    uint64_t             pcap_offset;
    uint32_t             iplen;
    uint16_t             pcap_caplist;
#if 0
    uint16_t             ifnum;
#endif
    uint8_t              frag;
    yfTCPInfo_t          tcpinfo;
    yfL2Info_t           l2info;
#if defined(YAF_ENABLE_P0F) || defined(YAF_ENABLE_FPEXPORT)
    size_t               headerLen;
    uint8_t              headerVal[YFP_IPTCPHEADER_SIZE];
#endif /* if defined(YAF_ENABLE_P0F) || defined(YAF_ENABLE_FPEXPORT) */
    size_t               paylen;
    uint8_t              payload[1];
} yfPBuf_t;

#define YF_PBUFLEN_NOL2INFO offsetof(yfPBuf_t, l2info)

#define YF_PBUFLEN_NOPAYLOAD offsetof(yfPBuf_t, paylen)

#define YF_PBUFLEN_BASE offsetof(yfPBuf_t, payload)
 
struct yfDecodeCtx_st;
typedef struct yfDecodeCtx_st yfDecodeCtx_t;

#define YF_TYPE_IPv4    0x0800
#define YF_TYPE_IPv6    0x86DD
#define YF_TYPE_IPANY   0x0000

#define YF_PROTO_IP6_HOP    0
#define YF_PROTO_ICMP       1
#define YF_PROTO_TCP        6
#define YF_PROTO_UDP        17
#define YF_PROTO_IP6_ROUTE  43
#define YF_PROTO_IP6_FRAG   44
#define YF_PROTO_GRE        47
#define YF_PROTO_ICMP6      58
#define YF_PROTO_IP6_NONEXT  59
#define YF_PROTO_IP6_DOPT   60

#define YF_TF_FIN       0x01
#define YF_TF_SYN       0x02
#define YF_TF_RST       0x04
#define YF_TF_PSH       0x08
#define YF_TF_ACK       0x10
#define YF_TF_URG       0x20
#define YF_TF_ECE       0x40
#define YF_TF_CWR       0x80

#define YF_MF_PRIO_CHANGE    0x01
#define YF_MF_PRIORITY       0x02
#define YF_MF_FAIL           0x04
#define YF_MF_FASTCLOSE      0x08

yfDecodeCtx_t *
yfDecodeCtxAlloc(
    int        datalink,
    uint16_t   reqtype,
    gboolean   gremode,
    GArray    *vxlanports,
    GArray    *geneveports);

void
yfDecodeCtxFree(
    yfDecodeCtx_t  *ctx);

gboolean
yfDecodeToPBuf(
    yfDecodeCtx_t   *ctx,
    const yfTime_t  *ptime,
    size_t           caplen,
    const uint8_t   *pkt,
    yfIPFragInfo_t  *fraginfo,
    size_t           pbuflen,
    yfPBuf_t        *pbuf);

uint64_t
yfDecodeTimeval(
    const struct timeval  *tv);

void
yfDecodeDumpStats(
    yfDecodeCtx_t  *ctx,
    uint64_t        packetTotal);

void
yfDecodeResetOffset(
    yfDecodeCtx_t  *ctx);

uint32_t
yfGetDecodeStats(
    yfDecodeCtx_t  *ctx);
 

gboolean
yfDefragTCP(
    uint8_t         *pkt,
    size_t          *caplen,
    yfFlowKey_t     *key,
    yfIPFragInfo_t  *fraginfo,
    yfTCPInfo_t     *tcpinfo,
    size_t          *payoff);
 
#endif /* ifndef _YAF_DECODE_H_ */