suricata
decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup decode Packet decoding
20  *
21  * \brief Code in charge of protocol decoding
22  *
23  * The task of decoding packets is made in different files and
24  * as Suricata is supporting encapsulation there is a potential
25  * recursivity in the call.
26  *
27  * For each protocol a DecodePROTO function is provided. For
28  * example we have DecodeIPV4() for IPv4 and DecodePPP() for
29  * PPP.
30  *
31  * These functions have all a pkt and and a len argument which
32  * are respectively a pointer to the protocol data and the length
33  * of this protocol data.
34  *
35  * \attention The pkt parameter must point to the effective data because
36  * it will be used later to set per protocol pointer like Packet::tcph
37  *
38  * @{
39  */
40 
41 
42 /**
43  * \file
44  *
45  * \author Victor Julien <victor@inliniac.net>
46  *
47  * Decode the raw packet
48  */
49 
50 #include "suricata-common.h"
51 #include "suricata.h"
52 #include "conf.h"
53 #include "decode.h"
54 #include "decode-teredo.h"
55 #include "util-debug.h"
56 #include "util-mem.h"
57 #include "app-layer-detect-proto.h"
58 #include "app-layer.h"
59 #include "tm-threads.h"
60 #include "util-error.h"
61 #include "util-print.h"
62 #include "tmqh-packetpool.h"
63 #include "util-profiling.h"
64 #include "pkt-var.h"
65 #include "util-mpm-ac.h"
66 #include "util-hash-string.h"
67 #include "output.h"
68 #include "output-flow.h"
69 
70 extern bool stats_decoder_events;
72 extern bool stats_stream_events;
73 
75  uint8_t *pkt, uint32_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
76 {
77  switch (proto) {
78  case DECODE_TUNNEL_PPP:
79  return DecodePPP(tv, dtv, p, pkt, len, pq);
80  case DECODE_TUNNEL_IPV4:
81  return DecodeIPV4(tv, dtv, p, pkt, len, pq);
82  case DECODE_TUNNEL_IPV6:
84  return DecodeIPV6(tv, dtv, p, pkt, len, pq);
85  case DECODE_TUNNEL_VLAN:
86  return DecodeVLAN(tv, dtv, p, pkt, len, pq);
88  return DecodeEthernet(tv, dtv, p, pkt, len, pq);
90  return DecodeERSPAN(tv, dtv, p, pkt, len, pq);
91  default:
92  SCLogDebug("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
93  break;
94  }
95  return TM_ECODE_OK;
96 }
97 
98 /**
99  * \brief Return a malloced packet.
100  */
102 {
104  SCFree(p);
105 }
106 
107 /**
108  * \brief Finalize decoding of a packet
109  *
110  * This function needs to be call at the end of decode
111  * functions when decoding has been succesful.
112  *
113  */
115 {
116  if (p->flags & PKT_IS_INVALID) {
117  StatsIncr(tv, dtv->counter_invalid);
118  }
119 }
120 
122  DecodeThreadVars *dtv, Packet *p)
123 {
124  for (uint8_t i = 0; i < p->events.cnt; i++) {
125  const uint8_t e = p->events.events[i];
126 
128  continue;
130  continue;
131  StatsIncr(tv, dtv->counter_engine_events[e]);
132  }
133 }
134 
135 /**
136  * \brief Get a malloced packet.
137  *
138  * \retval p packet, NULL on error
139  */
141 {
143  if (unlikely(p == NULL)) {
144  return NULL;
145  }
146 
147  memset(p, 0, SIZE_OF_PACKET);
150  p->flags |= PKT_ALLOC;
151 
152  SCLogDebug("allocated a new packet only using alloc...");
153 
155  return p;
156 }
157 
158 /**
159  * \brief Return a packet to where it was allocated.
160  */
162 {
163  if (p->flags & PKT_ALLOC)
164  PacketFree(p);
165  else
167 }
168 
169 /**
170  * \brief Get a packet. We try to get a packet from the packetpool first, but
171  * if that is empty we alloc a packet that is free'd again after
172  * processing.
173  *
174  * \retval p packet, NULL on error
175  */
177 {
178  /* try the pool first */
180 
181  if (p == NULL) {
182  /* non fatal, we're just not processing a packet then */
183  p = PacketGetFromAlloc();
184  } else {
186  }
187 
188  return p;
189 }
190 
191 inline int PacketCallocExtPkt(Packet *p, int datalen)
192 {
193  if (! p->ext_pkt) {
194  p->ext_pkt = SCCalloc(1, datalen);
195  if (unlikely(p->ext_pkt == NULL)) {
196  SET_PKT_LEN(p, 0);
197  return -1;
198  }
199  }
200  return 0;
201 }
202 
203 /**
204  * \brief Copy data to Packet payload at given offset
205  *
206  * This function copies data/payload to a Packet. It uses the
207  * space allocated at Packet creation (pointed by Packet::pkt)
208  * or allocate some memory (pointed by Packet::ext_pkt) if the
209  * data size is to big to fit in initial space (of size
210  * default_packet_size).
211  *
212  * \param Pointer to the Packet to modify
213  * \param Offset of the copy relatively to payload of Packet
214  * \param Pointer to the data to copy
215  * \param Length of the data to copy
216  */
217 inline int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen)
218 {
219  if (unlikely(offset + datalen > MAX_PAYLOAD_SIZE)) {
220  /* too big */
221  return -1;
222  }
223 
224  /* Do we have already an packet with allocated data */
225  if (! p->ext_pkt) {
226  uint32_t newsize = offset + datalen;
227  // check overflow
228  if (newsize < offset)
229  return -1;
230  if (newsize <= default_packet_size) {
231  /* data will fit in memory allocated with packet */
232  memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
233  } else {
234  /* here we need a dynamic allocation */
236  if (unlikely(p->ext_pkt == NULL)) {
237  SET_PKT_LEN(p, 0);
238  return -1;
239  }
240  /* copy initial data */
242  /* copy data as asked */
243  memcpy(p->ext_pkt + offset, data, datalen);
244  }
245  } else {
246  memcpy(p->ext_pkt + offset, data, datalen);
247  }
248  return 0;
249 }
250 
251 /**
252  * \brief Copy data to Packet payload and set packet length
253  *
254  * \param Pointer to the Packet to modify
255  * \param Pointer to the data to copy
256  * \param Length of the data to copy
257  */
258 inline int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
259 {
260  SET_PKT_LEN(p, (size_t)pktlen);
261  return PacketCopyDataOffset(p, 0, pktdata, pktlen);
262 }
263 
264 /**
265  * \brief Setup a pseudo packet (tunnel)
266  *
267  * \param parent parent packet for this pseudo pkt
268  * \param pkt raw packet data
269  * \param len packet data length
270  * \param proto protocol of the tunneled packet
271  *
272  * \retval p the pseudo packet or NULL if out of memory
273  */
275  uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto,
276  PacketQueue *pq)
277 {
278  int ret;
279 
280  SCEnter();
281 
282  /* get us a packet */
284  if (unlikely(p == NULL)) {
285  SCReturnPtr(NULL, "Packet");
286  }
287 
288  /* copy packet and set lenght, proto */
289  PacketCopyData(p, pkt, len);
290  p->recursion_level = parent->recursion_level + 1;
291  p->ts.tv_sec = parent->ts.tv_sec;
292  p->ts.tv_usec = parent->ts.tv_usec;
293  p->datalink = DLT_RAW;
294  p->tenant_id = parent->tenant_id;
295 
296  /* set the root ptr to the lowest layer */
297  if (parent->root != NULL)
298  p->root = parent->root;
299  else
300  p->root = parent;
301 
302  /* tell new packet it's part of a tunnel */
303  SET_TUNNEL_PKT(p);
304 
305  ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
306  GET_PKT_LEN(p), pq, proto);
307 
308  if (unlikely(ret != TM_ECODE_OK) ||
309  (proto == DECODE_TUNNEL_IPV6_TEREDO && (p->flags & PKT_IS_INVALID)))
310  {
311  /* Not a (valid) tunnel packet */
312  SCLogDebug("tunnel packet is invalid");
313 
314  p->root = NULL;
315  UNSET_TUNNEL_PKT(p);
316  TmqhOutputPacketpool(tv, p);
317  SCReturnPtr(NULL, "Packet");
318  }
319 
320 
321  /* tell parent packet it's part of a tunnel */
322  SET_TUNNEL_PKT(parent);
323 
324  /* increment tunnel packet refcnt in the root packet */
326 
327  /* disable payload (not packet) inspection on the parent, as the payload
328  * is the packet we will now run through the system separately. We do
329  * check it against the ip/port/other header checks though */
331  SCReturnPtr(p, "Packet");
332 }
333 
334 /**
335  * \brief Setup a pseudo packet (reassembled frags)
336  *
337  * Difference with PacketPseudoPktSetup is that this func doesn't increment
338  * the recursion level. It needs to be on the same level as the frags because
339  * we run the flow engine against this and we need to get the same flow.
340  *
341  * \param parent parent packet for this pseudo pkt
342  * \param pkt raw packet data
343  * \param len packet data length
344  * \param proto protocol of the tunneled packet
345  *
346  * \retval p the pseudo packet or NULL if out of memory
347  */
348 Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto)
349 {
350  SCEnter();
351 
352  /* get us a packet */
354  if (unlikely(p == NULL)) {
355  SCReturnPtr(NULL, "Packet");
356  }
357 
358  /* set the root ptr to the lowest layer */
359  if (parent->root != NULL)
360  p->root = parent->root;
361  else
362  p->root = parent;
363 
364  /* copy packet and set lenght, proto */
365  if (pkt && len) {
366  PacketCopyData(p, pkt, len);
367  }
368  p->recursion_level = parent->recursion_level; /* NOT incremented */
369  p->ts.tv_sec = parent->ts.tv_sec;
370  p->ts.tv_usec = parent->ts.tv_usec;
371  p->datalink = DLT_RAW;
372  p->tenant_id = parent->tenant_id;
373  /* tell new packet it's part of a tunnel */
374  SET_TUNNEL_PKT(p);
375  p->vlan_id[0] = parent->vlan_id[0];
376  p->vlan_id[1] = parent->vlan_id[1];
377  p->vlan_idx = parent->vlan_idx;
378 
379  SCReturnPtr(p, "Packet");
380 }
381 
382 /**
383  * \brief inform defrag "parent" that a pseudo packet is
384  * now assosiated to it.
385  */
387 {
388  /* tell parent packet it's part of a tunnel */
389  SET_TUNNEL_PKT(parent);
390 
391  /* increment tunnel packet refcnt in the root packet */
392  TUNNEL_INCR_PKT_TPR(parent);
393 
394  /* disable payload (not packet) inspection on the parent, as the payload
395  * is the packet we will now run through the system separately. We do
396  * check it against the ip/port/other header checks though */
398 }
399 
401 {
402  /* Don't try to bypass if flow is already out or
403  * if we have failed to do it once */
404  int state = SC_ATOMIC_GET(p->flow->flow_state);
405  if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
406  (state == FLOW_STATE_CAPTURE_BYPASSED)) {
407  return;
408  }
409 
410  if (p->BypassPacketsFlow && p->BypassPacketsFlow(p)) {
412  } else {
414  }
415 }
416 
417 /* counter name store */
418 static HashTable *g_counter_table = NULL;
419 static SCMutex g_counter_table_mutex = SCMUTEX_INITIALIZER;
420 
422 {
423  SCMutexLock(&g_counter_table_mutex);
424  if (g_counter_table) {
425  HashTableFree(g_counter_table);
426  g_counter_table = NULL;
427  }
428  SCMutexUnlock(&g_counter_table_mutex);
429 }
430 
432 {
433  /* register counters */
434  dtv->counter_pkts = StatsRegisterCounter("decoder.pkts", tv);
435  dtv->counter_bytes = StatsRegisterCounter("decoder.bytes", tv);
436  dtv->counter_invalid = StatsRegisterCounter("decoder.invalid", tv);
437  dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
438  dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
439  dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
440  dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
441  dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
442  dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
443  dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
444  dtv->counter_udp = StatsRegisterCounter("decoder.udp", tv);
445  dtv->counter_sctp = StatsRegisterCounter("decoder.sctp", tv);
446  dtv->counter_icmpv4 = StatsRegisterCounter("decoder.icmpv4", tv);
447  dtv->counter_icmpv6 = StatsRegisterCounter("decoder.icmpv6", tv);
448  dtv->counter_ppp = StatsRegisterCounter("decoder.ppp", tv);
449  dtv->counter_pppoe = StatsRegisterCounter("decoder.pppoe", tv);
450  dtv->counter_gre = StatsRegisterCounter("decoder.gre", tv);
451  dtv->counter_vlan = StatsRegisterCounter("decoder.vlan", tv);
452  dtv->counter_vlan_qinq = StatsRegisterCounter("decoder.vlan_qinq", tv);
453  dtv->counter_ieee8021ah = StatsRegisterCounter("decoder.ieee8021ah", tv);
454  dtv->counter_teredo = StatsRegisterCounter("decoder.teredo", tv);
455  dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", tv);
456  dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", tv);
457  dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", tv);
458  dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
459  dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
460  dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
461  dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
462 
463  dtv->counter_flow_tcp = StatsRegisterCounter("flow.tcp", tv);
464  dtv->counter_flow_udp = StatsRegisterCounter("flow.udp", tv);
465  dtv->counter_flow_icmp4 = StatsRegisterCounter("flow.icmpv4", tv);
466  dtv->counter_flow_icmp6 = StatsRegisterCounter("flow.icmpv6", tv);
467 
469  StatsRegisterCounter("defrag.ipv4.fragments", tv);
471  StatsRegisterCounter("defrag.ipv4.reassembled", tv);
473  StatsRegisterCounter("defrag.ipv4.timeouts", tv);
475  StatsRegisterCounter("defrag.ipv6.fragments", tv);
477  StatsRegisterCounter("defrag.ipv6.reassembled", tv);
479  StatsRegisterCounter("defrag.ipv6.timeouts", tv);
481  StatsRegisterCounter("defrag.max_frag_hits", tv);
482 
483  for (int i = 0; i < DECODE_EVENT_MAX; i++) {
484  BUG_ON(i != (int)DEvents[i].code);
485 
487  continue;
489  continue;
490 
491  if (i < DECODE_EVENT_PACKET_MAX &&
492  strncmp(DEvents[i].event_name, "decoder.", 8) == 0)
493  {
494  SCMutexLock(&g_counter_table_mutex);
495  if (g_counter_table == NULL) {
496  g_counter_table = HashTableInit(256, StringHashFunc,
499  BUG_ON(g_counter_table == NULL);
500  }
501 
502  char name[256];
503  char *dot = index(DEvents[i].event_name, '.');
504  BUG_ON(!dot);
505  snprintf(name, sizeof(name), "%s.%s",
507 
508  const char *found = HashTableLookup(g_counter_table, name, 0);
509  if (!found) {
510  char *add = SCStrdup(name);
511  BUG_ON(!add);
512  HashTableAdd(g_counter_table, add, 0);
513  found = add;
514  }
516  found, tv);
517 
518  SCMutexUnlock(&g_counter_table_mutex);
519  } else {
521  DEvents[i].event_name, tv);
522  }
523  }
524 
525  return;
526 }
527 
529  const DecodeThreadVars *dtv, const Packet *p)
530 {
531  StatsIncr(tv, dtv->counter_pkts);
532  //StatsIncr(tv, dtv->counter_pkts_per_sec);
533  StatsAddUI64(tv, dtv->counter_bytes, GET_PKT_LEN(p));
536 }
537 
538 /**
539  * \brief Debug print function for printing addresses
540  *
541  * \param Address object
542  *
543  * \todo IPv6
544  */
546 {
547  if (a == NULL)
548  return;
549 
550  switch (a->family) {
551  case AF_INET:
552  {
553  char s[16];
554  PrintInet(AF_INET, (const void *)&a->addr_data32[0], s, sizeof(s));
555  SCLogDebug("%s", s);
556  break;
557  }
558  }
559 }
560 
561 /** \brief Alloc and setup DecodeThreadVars */
563 {
564  DecodeThreadVars *dtv = NULL;
565 
566  if ( (dtv = SCMalloc(sizeof(DecodeThreadVars))) == NULL)
567  return NULL;
568  memset(dtv, 0, sizeof(DecodeThreadVars));
569 
570  dtv->app_tctx = AppLayerGetCtxThread(tv);
571 
573  SCLogError(SC_ERR_THREAD_INIT, "initializing flow log API for thread failed");
574  DecodeThreadVarsFree(tv, dtv);
575  return NULL;
576  }
577 
578  /** set config defaults */
579  int vlanbool = 0;
580  if ((ConfGetBool("vlan.use-for-tracking", &vlanbool)) == 1 && vlanbool == 0) {
581  dtv->vlan_disabled = 1;
582  }
583  SCLogDebug("vlan tracking is %s", dtv->vlan_disabled == 0 ? "enabled" : "disabled");
584 
585  return dtv;
586 }
587 
589 {
590  if (dtv != NULL) {
591  if (dtv->app_tctx != NULL)
593 
594  if (dtv->output_flow_thread_data != NULL)
596 
597  SCFree(dtv);
598  }
599 }
600 
601 /**
602  * \brief Set data for Packet and set length when zeo copy is used
603  *
604  * \param Pointer to the Packet to modify
605  * \param Pointer to the data
606  * \param Length of the data
607  */
608 inline int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
609 {
610  SET_PKT_LEN(p, (size_t)pktlen);
611  if (unlikely(!pktdata)) {
612  return -1;
613  }
614  p->ext_pkt = pktdata;
615  p->flags |= PKT_ZERO_COPY;
616 
617  return 0;
618 }
619 
620 const char *PktSrcToString(enum PktSrcEnum pkt_src)
621 {
622  const char *pkt_src_str = "<unknown>";
623  switch (pkt_src) {
624  case PKT_SRC_WIRE:
625  pkt_src_str = "wire/pcap";
626  break;
627  case PKT_SRC_DECODER_GRE:
628  pkt_src_str = "gre tunnel";
629  break;
631  pkt_src_str = "ipv4 tunnel";
632  break;
634  pkt_src_str = "ipv6 tunnel";
635  break;
637  pkt_src_str = "teredo tunnel";
638  break;
639  case PKT_SRC_DEFRAG:
640  pkt_src_str = "defrag";
641  break;
643  pkt_src_str = "stream";
644  break;
646  pkt_src_str = "stream (detect/log)";
647  break;
648  case PKT_SRC_FFR:
649  pkt_src_str = "stream (flow timeout)";
650  break;
651  }
652  return pkt_src_str;
653 }
654 
656 {
659  } else if (unlikely(PACKET_TEST_ACTION(p, ACTION_DROP))) {
661  } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
663  } else {
665  }
666 }
667 
669 {
670  s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
671  s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
672  s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
673  s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
674 }
675 
677 {
679 }
680 
681 /**
682  * @}
683  */
uint16_t counter_max_pkt_size
Definition: decode.h:653
uint16_t counter_ips_rejected
Definition: decode.h:709
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:686
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now assosiated to it.
Definition: decode.c:386
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:226
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:562
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:655
uint16_t counter_ieee8021ah
Definition: decode.h:673
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:490
struct Flow_ * flow
Definition: decode.h:444
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:113
#define ACTION_REJECT_DST
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ppp.c:43
#define BUG_ON(x)
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:870
#define SET_PKT_LEN(p, len)
Definition: decode.h:228
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:114
uint16_t counter_bytes
Definition: decode.h:651
#define unlikely(expr)
Definition: util-optimize.h:35
uint16_t counter_eth
Definition: decode.h:657
int ConfGetBool(const char *name, int *val)
Retrieve a configuration value as an boolen.
Definition: conf.c:517
uint16_t counter_null
Definition: decode.h:667
bool stats_decoder_events
Definition: counters.c:102
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:431
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:46
PktSrcEnum
Definition: decode.h:48
#define ACTION_REJECT
#define PKT_ALLOC
Definition: decode.h:1096
uint16_t counter_vlan_qinq
Definition: decode.h:672
uint64_t offset
uint16_t counter_defrag_ipv6_timeouts
Definition: decode.h:687
void PacketPoolReturnPacket(Packet *p)
Return packet to Packet pool.
#define PACKET_INITIALIZE(p)
Initialize a packet structure for use.
Definition: decode.h:742
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:101
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:34
uint16_t counter_defrag_ipv4_timeouts
Definition: decode.h:684
uint16_t counter_ipv4
Definition: decode.h:658
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:306
uint8_t * ext_pkt
Definition: decode.h:555
void DecodeGlobalConfig(void)
Definition: decode.c:676
uint16_t counter_ipv4inipv6
Definition: decode.h:677
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:176
#define PKT_ZERO_COPY
Definition: decode.h:1111
bool stats_stream_events
Definition: counters.c:105
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:487
uint16_t counter_teredo
Definition: decode.h:675
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:161
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
uint16_t vlan_id[2]
Definition: decode.h:434
uint16_t counter_vlan
Definition: decode.h:671
uint16_t counter_erspan
Definition: decode.h:679
uint16_t counter_raw
Definition: decode.h:666
uint16_t counter_pkts
Definition: decode.h:650
uint16_t counter_flow_udp
Definition: decode.h:693
uint16_t counter_flow_tcp
Definition: decode.h:692
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:939
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:533
uint16_t counter_avg_pkt_size
Definition: decode.h:652
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:685
#define SIZE_OF_PACKET
Definition: decode.h:628
#define SCCalloc(nm, a)
Definition: util-mem.h:205
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:545
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:584
#define DecodeSetNoPayloadInspectionFlag(p)
Set the No payload inspection Flag for the packet.
Definition: decode.h:980
#define SCMutexUnlock(mut)
void StatsSetUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Sets a value of type double to the local counter.
Definition: counters.c:185
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:783
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
char family
Definition: decode.h:110
int datalink
Definition: decode.h:579
#define ACTION_REJECT_BOTH
uint8_t recursion_level
Definition: decode.h:432
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
AppLayerThreadCtx * app_tctx
Definition: decode.h:645
uint16_t counter_ipv6inipv6
Definition: decode.h:678
#define PKT_STREAM_MODIFIED
Definition: decode.h:1103
Structure to hold thread specific data for all decode modules.
Definition: decode.h:642
#define GET_PKT_DIRECT_DATA(p)
Definition: decode.h:225
uint16_t counter_mpls
Definition: decode.h:676
DecodeTunnelProto
Definition: decode.h:902
uint16_t counter_icmpv4
Definition: decode.h:662
#define SCEnter(...)
Definition: util-debug.h:337
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
uint16_t counter_tcp
Definition: decode.h:660
void PacketBypassCallback(Packet *p)
Definition: decode.c:400
PacketEngineEvents events
Definition: decode.h:570
void * output_flow_thread_data
Definition: decode.h:701
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:163
const char * stats_decoder_events_prefix
Definition: decode.c:71
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:121
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
uint16_t counter_ips_accepted
Definition: decode.h:707
uint16_t counter_ips_blocked
Definition: decode.h:708
uint16_t counter_flow_icmp4
Definition: decode.h:694
uint8_t proto
#define index
Definition: win32-misc.h:29
#define UNSET_TUNNEL_PKT(p)
Definition: decode.h:896
uint16_t counter_flow_memcap
Definition: decode.h:690
TmEcode OutputFlowLogThreadInit(ThreadVars *tv, void *initdata, void **data)
thread init for the flow logger This will run the thread init functions for the individual registered...
Definition: output-flow.c:128
uint16_t counter_ipv6
Definition: decode.h:659
int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-vlan.c:62
int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:217
uint8_t vlan_idx
Definition: decode.h:435
uint16_t counter_invalid
Definition: decode.h:655
int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
Definition: decode.c:74
void HashTableFree(HashTable *ht)
Definition: util-hash.c:79
#define SCMalloc(a)
Definition: util-mem.h:174
uint16_t counter_sctp
Definition: decode.h:668
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:193
int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:608
uint16_t counter_ppp
Definition: decode.h:669
#define SCFree(a)
Definition: util-mem.h:236
uint16_t counter_engine_events[DECODE_EVENT_MAX]
Definition: decode.h:697
#define TUNNEL_INCR_PKT_TPR(p)
Definition: decode.h:885
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:960
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:805
uint16_t counter_ips_replaced
Definition: decode.h:710
uint32_t default_packet_size
Definition: decode.h:627
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:191
void StringHashFreeFunc(void *data)
#define SCMutex
uint16_t counter_icmpv6
Definition: decode.h:663
#define PACKET_PROFILING_START(p)
#define MAX_PAYLOAD_SIZE
Definition: decode.h:626
#define SCMutexLock(mut)
void FlowUpdateState(Flow *f, enum FlowState s)
Definition: flow.c:1033
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:620
uint16_t counter_gre
Definition: decode.h:670
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
uint16_t counter_udp
Definition: decode.h:661
TmEcode OutputFlowLogThreadDeinit(ThreadVars *tv, void *thread_data)
Definition: output-flow.c:170
uint16_t counter_flow_icmp6
Definition: decode.h:695
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:193
#define GET_PKT_DATA(p)
Definition: decode.h:224
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:528
#define SCStrdup(a)
Definition: util-mem.h:220
#define PACKET_DESTRUCTOR(p)
Cleanup a packet so that we can free it. No memset needed..
Definition: decode.h:835
uint16_t counter_sll
Definition: decode.h:665
uint32_t StringHashFunc(HashTable *ht, void *data, uint16_t datalen)
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:668
uint16_t counter_pppoe
Definition: decode.h:674
uint32_t tenant_id
Definition: decode.h:599
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:450
uint8_t code
#define GET_PKT_LEN(p)
Definition: decode.h:223
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:682
#define ACTION_DROP
uint32_t flags
Definition: decode.h:442
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:142
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:274
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:588
uint16_t counter_defrag_max_hit
Definition: decode.h:688
#define SET_TUNNEL_PKT(p)
Definition: decode.h:895
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, uint8_t *pkt, uint32_t len, PacketQueue *pq)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:683
uint16_t StatsRegisterMaxCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the maximum of all the values assigned to it.
Definition: counters.c:981
#define PKT_IS_INVALID
Definition: decode.h:1117
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:258
Packet * PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:348
void DecodeUnregisterCounters(void)
Definition: decode.c:421
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:140
struct Packet_ * root
Definition: decode.h:582
#define SCMUTEX_INITIALIZER