suricata
decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2023 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup decode Packet decoding
20  *
21  * \brief Code in charge of protocol decoding
22  *
23  * The task of decoding packets is made in different files and
24  * as Suricata is supporting encapsulation there is a potential
25  * recursivity in the call.
26  *
27  * For each protocol a DecodePROTO function is provided. For
28  * example we have DecodeIPV4() for IPv4 and DecodePPP() for
29  * PPP.
30  *
31  * These functions have all a pkt and a len argument which
32  * are respectively a pointer to the protocol data and the length
33  * of this protocol data.
34  *
35  * \attention The pkt parameter must point to the effective data because
36  * it will be used later to set per protocol pointer like Packet::tcph
37  *
38  * @{
39  */
40 
41 
42 /**
43  * \file
44  *
45  * \author Victor Julien <victor@inliniac.net>
46  *
47  * Decode the raw packet
48  */
49 
50 #include "suricata-common.h"
51 #include "decode.h"
52 
53 #include "packet.h"
54 #include "flow.h"
55 #include "flow-storage.h"
56 #include "tmqh-packetpool.h"
57 #include "app-layer.h"
58 #include "output.h"
59 
60 #include "decode-vxlan.h"
61 #include "decode-geneve.h"
62 #include "decode-erspan.h"
63 #include "decode-teredo.h"
64 
65 #include "util-hash.h"
66 #include "util-hash-string.h"
67 #include "util-print.h"
68 #include "util-profiling.h"
69 #include "util-validate.h"
70 #include "action-globals.h"
71 
72 uint32_t default_packet_size = 0;
73 extern bool stats_decoder_events;
74 extern const char *stats_decoder_events_prefix;
75 extern bool stats_stream_events;
78 
79 /**
80  * \brief Initialize PacketAlerts with dynamic alerts array size
81  *
82  */
84 {
85  PacketAlert *pa_array = SCCalloc(packet_alert_max, sizeof(PacketAlert));
86  BUG_ON(pa_array == NULL);
87 
88  return pa_array;
89 }
90 
92 {
93  if (pa != NULL) {
94  SCFree(pa);
95  }
96 }
97 
98 static int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t,
100 
101 static int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt,
102  uint32_t len, enum DecodeTunnelProto proto)
103 {
104  switch (proto) {
105  case DECODE_TUNNEL_PPP:
106  return DecodePPP(tv, dtv, p, pkt, len);
107  case DECODE_TUNNEL_IPV4:
108  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
109  return DecodeIPV4(tv, dtv, p, pkt, (uint16_t)len);
110  case DECODE_TUNNEL_IPV6:
112  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
113  return DecodeIPV6(tv, dtv, p, pkt, (uint16_t)len);
114  case DECODE_TUNNEL_VLAN:
115  return DecodeVLAN(tv, dtv, p, pkt, len);
117  return DecodeEthernet(tv, dtv, p, pkt, len);
119  return DecodeERSPAN(tv, dtv, p, pkt, len);
121  return DecodeERSPANTypeI(tv, dtv, p, pkt, len);
122  case DECODE_TUNNEL_NSH:
123  return DecodeNSH(tv, dtv, p, pkt, len);
124  default:
125  SCLogDebug("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
126  break;
127  }
128  return TM_ECODE_OK;
129 }
130 
131 /**
132  * \brief Return a malloced packet.
133  */
135 {
136  PacketDestructor(p);
137  SCFree(p);
138 }
139 
140 /**
141  * \brief Finalize decoding of a packet
142  *
143  * This function needs to be call at the end of decode
144  * functions when decoding has been successful.
145  *
146  */
148 {
149  if (p->flags & PKT_IS_INVALID) {
151  }
152 }
153 
156 {
157  for (uint8_t i = 0; i < p->events.cnt; i++) {
158  const uint8_t e = p->events.events[i];
159 
161  continue;
163  continue;
165  }
166 }
167 
168 /**
169  * \brief Get a malloced packet.
170  *
171  * \retval p packet, NULL on error
172  */
174 {
175  Packet *p = SCCalloc(1, SIZE_OF_PACKET);
176  if (unlikely(p == NULL)) {
177  return NULL;
178  }
179  PacketInit(p);
181 
182  SCLogDebug("allocated a new packet only using alloc...");
183 
185  return p;
186 }
187 
188 /**
189  * \brief Return a packet to where it was allocated.
190  */
192 {
193  if (likely(p->pool != NULL)) {
196  } else {
197  PacketFree(p);
198  }
199 }
200 
201 /**
202  * \brief Get a packet. We try to get a packet from the packetpool first, but
203  * if that is empty we alloc a packet that is free'd again after
204  * processing.
205  *
206  * \retval p packet, NULL on error
207  */
209 {
210  /* try the pool first */
212 
213  if (p == NULL) {
214  /* non fatal, we're just not processing a packet then */
215  p = PacketGetFromAlloc();
216  } else {
219  }
220 
221  return p;
222 }
223 
224 inline int PacketCallocExtPkt(Packet *p, int datalen)
225 {
226  if (! p->ext_pkt) {
227  p->ext_pkt = SCCalloc(1, datalen);
228  if (unlikely(p->ext_pkt == NULL)) {
229  SET_PKT_LEN(p, 0);
230  return -1;
231  }
232  }
233  return 0;
234 }
235 
236 /**
237  * \brief Copy data to Packet payload at given offset
238  *
239  * This function copies data/payload to a Packet. It uses the
240  * space allocated at Packet creation (pointed by Packet::pkt)
241  * or allocate some memory (pointed by Packet::ext_pkt) if the
242  * data size is to big to fit in initial space (of size
243  * default_packet_size).
244  *
245  * \param Pointer to the Packet to modify
246  * \param Offset of the copy relatively to payload of Packet
247  * \param Pointer to the data to copy
248  * \param Length of the data to copy
249  */
250 inline int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
251 {
252  if (unlikely(offset + datalen > MAX_PAYLOAD_SIZE)) {
253  /* too big */
254  SET_PKT_LEN(p, 0);
255  return -1;
256  }
257 
258  /* Do we have already an packet with allocated data */
259  if (! p->ext_pkt) {
260  uint32_t newsize = offset + datalen;
261  // check overflow
262  if (newsize < offset)
263  return -1;
264  if (newsize <= default_packet_size) {
265  /* data will fit in memory allocated with packet */
266  memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
267  } else {
268  /* here we need a dynamic allocation */
270  if (unlikely(p->ext_pkt == NULL)) {
271  SET_PKT_LEN(p, 0);
272  return -1;
273  }
274  /* copy initial data */
276  /* copy data as asked */
277  memcpy(p->ext_pkt + offset, data, datalen);
278  }
279  } else {
280  memcpy(p->ext_pkt + offset, data, datalen);
281  }
282  return 0;
283 }
284 
285 /**
286  * \brief Copy data to Packet payload and set packet length
287  *
288  * \param Pointer to the Packet to modify
289  * \param Pointer to the data to copy
290  * \param Length of the data to copy
291  */
292 inline int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
293 {
294  SET_PKT_LEN(p, (size_t)pktlen);
295  return PacketCopyDataOffset(p, 0, pktdata, pktlen);
296 }
297 
298 /**
299  * \brief Setup a pseudo packet (tunnel)
300  *
301  * \param parent parent packet for this pseudo pkt
302  * \param pkt raw packet data
303  * \param len packet data length
304  * \param proto protocol of the tunneled packet
305  *
306  * \retval p the pseudo packet or NULL if out of memory
307  */
309  const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
310 {
311  int ret;
312 
313  SCEnter();
314 
315  if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
317  SCReturnPtr(NULL, "Packet");
318  }
319 
320  /* get us a packet */
322  if (unlikely(p == NULL)) {
323  SCReturnPtr(NULL, "Packet");
324  }
325 
326  /* copy packet and set length, proto */
327  PacketCopyData(p, pkt, len);
328  DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
329  p->recursion_level = parent->recursion_level + 1;
331  p->nb_decoded_layers = parent->nb_decoded_layers + 1;
332  p->ts = parent->ts;
333  p->datalink = DLT_RAW;
334  p->tenant_id = parent->tenant_id;
335  p->livedev = parent->livedev;
336 
337  /* set the root ptr to the lowest layer */
338  if (parent->root != NULL)
339  p->root = parent->root;
340  else
341  p->root = parent;
342 
343  /* tell new packet it's part of a tunnel */
344  SET_TUNNEL_PKT(p);
345 
346  ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
347  GET_PKT_LEN(p), proto);
348 
349  if (unlikely(ret != TM_ECODE_OK) ||
351  {
352  /* Not a (valid) tunnel packet */
353  SCLogDebug("tunnel packet is invalid");
354 
355  p->root = NULL;
356  UNSET_TUNNEL_PKT(p);
358  SCReturnPtr(NULL, "Packet");
359  }
360 
361 
362  /* tell parent packet it's part of a tunnel */
363  SET_TUNNEL_PKT(parent);
364 
365  /* increment tunnel packet refcnt in the root packet */
366  TUNNEL_INCR_PKT_TPR(p);
367 
368  /* disable payload (not packet) inspection on the parent, as the payload
369  * is the packet we will now run through the system separately. We do
370  * check it against the ip/port/other header checks though */
371  DecodeSetNoPayloadInspectionFlag(parent);
372  SCReturnPtr(p, "Packet");
373 }
374 
375 /**
376  * \brief Setup a pseudo packet (reassembled frags)
377  *
378  * Difference with PacketPseudoPktSetup is that this func doesn't increment
379  * the recursion level. It needs to be on the same level as the frags because
380  * we run the flow engine against this and we need to get the same flow.
381  *
382  * \param parent parent packet for this pseudo pkt
383  * \param pkt raw packet data
384  * \param len packet data length
385  * \param proto protocol of the tunneled packet
386  *
387  * \retval p the pseudo packet or NULL if out of memory
388  */
389 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
390 {
391  SCEnter();
392 
393  /* get us a packet */
395  if (unlikely(p == NULL)) {
396  SCReturnPtr(NULL, "Packet");
397  }
398 
399  /* set the root ptr to the lowest layer */
400  if (parent->root != NULL)
401  p->root = parent->root;
402  else
403  p->root = parent;
404 
405  /* copy packet and set length, proto */
406  if (pkt && len) {
407  PacketCopyData(p, pkt, len);
408  }
409  p->recursion_level = parent->recursion_level; /* NOT incremented */
410  p->ts = parent->ts;
411  p->datalink = DLT_RAW;
412  p->tenant_id = parent->tenant_id;
413  /* tell new packet it's part of a tunnel */
414  SET_TUNNEL_PKT(p);
415  memcpy(&p->vlan_id[0], &parent->vlan_id[0], sizeof(p->vlan_id));
416  p->vlan_idx = parent->vlan_idx;
417  p->livedev = parent->livedev;
418 
419  SCReturnPtr(p, "Packet");
420 }
421 
422 /**
423  * \brief inform defrag "parent" that a pseudo packet is
424  * now associated to it.
425  */
427 {
428  /* tell parent packet it's part of a tunnel */
429  SET_TUNNEL_PKT(parent);
430 
431  /* increment tunnel packet refcnt in the root packet */
432  TUNNEL_INCR_PKT_TPR(parent);
433 
434  /* disable payload (not packet) inspection on the parent, as the payload
435  * is the packet we will now run through the system separately. We do
436  * check it against the ip/port/other header checks though */
437  DecodeSetNoPayloadInspectionFlag(parent);
438 }
439 
440 /**
441  * \note if p->flow is set, the flow is locked
442  */
444 {
445  if (PKT_IS_PSEUDOPKT(p))
446  return;
447 
448 #ifdef CAPTURE_OFFLOAD
449  /* Don't try to bypass if flow is already out or
450  * if we have failed to do it once */
451  if (p->flow) {
452  int state = p->flow->flow_state;
453  if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
454  (state == FLOW_STATE_CAPTURE_BYPASSED)) {
455  return;
456  }
457 
458  FlowBypassInfo *fc;
459 
461  if (fc == NULL) {
462  fc = SCCalloc(sizeof(FlowBypassInfo), 1);
463  if (fc) {
465  } else {
466  return;
467  }
468  }
469  }
470  if (p->BypassPacketsFlow && p->BypassPacketsFlow(p)) {
471  if (p->flow) {
472  FlowUpdateState(p->flow, FLOW_STATE_CAPTURE_BYPASSED);
473  }
474  } else {
475  if (p->flow) {
477  }
478  }
479 #else /* CAPTURE_OFFLOAD */
480  if (p->flow) {
481  int state = p->flow->flow_state;
482  if (state == FLOW_STATE_LOCAL_BYPASSED)
483  return;
485  }
486 #endif
487 }
488 
489 /** \brief switch direction of a packet */
491 {
492  if (PKT_IS_TOSERVER(p)) {
495 
499  }
500  } else {
503 
507  }
508  }
509 }
510 
511 /* counter name store */
512 static HashTable *g_counter_table = NULL;
513 static SCMutex g_counter_table_mutex = SCMUTEX_INITIALIZER;
514 
516 {
517  SCMutexLock(&g_counter_table_mutex);
518  if (g_counter_table) {
519  HashTableFree(g_counter_table);
520  g_counter_table = NULL;
521  }
522  SCMutexUnlock(&g_counter_table_mutex);
523 }
524 
526 {
527  /* register counters */
528  dtv->counter_pkts = StatsRegisterCounter("decoder.pkts", tv);
529  dtv->counter_bytes = StatsRegisterCounter("decoder.bytes", tv);
530  dtv->counter_invalid = StatsRegisterCounter("decoder.invalid", tv);
531  dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
532  dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
533  dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
534  dtv->counter_arp = StatsRegisterCounter("decoder.arp", tv);
535  dtv->counter_ethertype_unknown = StatsRegisterCounter("decoder.unknown_ethertype", tv);
536  dtv->counter_chdlc = StatsRegisterCounter("decoder.chdlc", tv);
537  dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
538  dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
539  dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
540  dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
541 
543  dtv->counter_tcp_synack = StatsRegisterCounter("tcp.synack", tv);
545 
546  dtv->counter_udp = StatsRegisterCounter("decoder.udp", tv);
547  dtv->counter_sctp = StatsRegisterCounter("decoder.sctp", tv);
548  dtv->counter_esp = StatsRegisterCounter("decoder.esp", tv);
549  dtv->counter_icmpv4 = StatsRegisterCounter("decoder.icmpv4", tv);
550  dtv->counter_icmpv6 = StatsRegisterCounter("decoder.icmpv6", tv);
551  dtv->counter_ppp = StatsRegisterCounter("decoder.ppp", tv);
552  dtv->counter_pppoe = StatsRegisterCounter("decoder.pppoe", tv);
553  dtv->counter_geneve = StatsRegisterCounter("decoder.geneve", tv);
554  dtv->counter_gre = StatsRegisterCounter("decoder.gre", tv);
555  dtv->counter_vlan = StatsRegisterCounter("decoder.vlan", tv);
556  dtv->counter_vlan_qinq = StatsRegisterCounter("decoder.vlan_qinq", tv);
557  dtv->counter_vlan_qinqinq = StatsRegisterCounter("decoder.vlan_qinqinq", tv);
558  dtv->counter_vxlan = StatsRegisterCounter("decoder.vxlan", tv);
559  dtv->counter_vntag = StatsRegisterCounter("decoder.vntag", tv);
560  dtv->counter_ieee8021ah = StatsRegisterCounter("decoder.ieee8021ah", tv);
561  dtv->counter_teredo = StatsRegisterCounter("decoder.teredo", tv);
562  dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", tv);
563  dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", tv);
564  dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", tv);
565  dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
566  dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
567  dtv->counter_max_mac_addrs_src = StatsRegisterMaxCounter("decoder.max_mac_addrs_src", tv);
568  dtv->counter_max_mac_addrs_dst = StatsRegisterMaxCounter("decoder.max_mac_addrs_dst", tv);
569  dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
570  dtv->counter_nsh = StatsRegisterMaxCounter("decoder.nsh", tv);
571  dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
572 
573  dtv->counter_tcp_active_sessions = StatsRegisterCounter("tcp.active_sessions", tv);
574  dtv->counter_flow_total = StatsRegisterCounter("flow.total", tv);
575  dtv->counter_flow_active = StatsRegisterCounter("flow.active", tv);
578  dtv->counter_flow_icmp4 = StatsRegisterCounter("flow.icmpv4", tv);
579  dtv->counter_flow_icmp6 = StatsRegisterCounter("flow.icmpv6", tv);
580  dtv->counter_flow_tcp_reuse = StatsRegisterCounter("flow.tcp_reuse", tv);
581  dtv->counter_flow_get_used = StatsRegisterCounter("flow.get_used", tv);
582  dtv->counter_flow_get_used_eval = StatsRegisterCounter("flow.get_used_eval", tv);
583  dtv->counter_flow_get_used_eval_reject = StatsRegisterCounter("flow.get_used_eval_reject", tv);
584  dtv->counter_flow_get_used_eval_busy = StatsRegisterCounter("flow.get_used_eval_busy", tv);
585  dtv->counter_flow_get_used_failed = StatsRegisterCounter("flow.get_used_failed", tv);
586 
587  dtv->counter_flow_spare_sync_avg = StatsRegisterAvgCounter("flow.wrk.spare_sync_avg", tv);
588  dtv->counter_flow_spare_sync = StatsRegisterCounter("flow.wrk.spare_sync", tv);
589  dtv->counter_flow_spare_sync_incomplete = StatsRegisterCounter("flow.wrk.spare_sync_incomplete", tv);
590  dtv->counter_flow_spare_sync_empty = StatsRegisterCounter("flow.wrk.spare_sync_empty", tv);
591 
593  StatsRegisterCounter("defrag.ipv4.fragments", tv);
594  dtv->counter_defrag_ipv4_reassembled = StatsRegisterCounter("defrag.ipv4.reassembled", tv);
596  StatsRegisterCounter("defrag.ipv6.fragments", tv);
597  dtv->counter_defrag_ipv6_reassembled = StatsRegisterCounter("defrag.ipv6.reassembled", tv);
599  StatsRegisterCounter("defrag.max_frag_hits", tv);
600 
601  for (int i = 0; i < DECODE_EVENT_MAX; i++) {
602  BUG_ON(i != (int)DEvents[i].code);
603 
605  continue;
607  continue;
608 
609  if (i < DECODE_EVENT_PACKET_MAX &&
610  strncmp(DEvents[i].event_name, "decoder.", 8) == 0)
611  {
612  SCMutexLock(&g_counter_table_mutex);
613  if (g_counter_table == NULL) {
614  g_counter_table = HashTableInit(256, StringHashFunc,
617  if (g_counter_table == NULL) {
618  FatalError("decoder counter hash "
619  "table init failed");
620  }
621  }
622 
623  char name[256];
624  char *dot = strchr(DEvents[i].event_name, '.');
625  BUG_ON(!dot);
626  snprintf(name, sizeof(name), "%s.%s",
628 
629  const char *found = HashTableLookup(g_counter_table, name, 0);
630  if (!found) {
631  char *add = SCStrdup(name);
632  if (add == NULL)
633  FatalError("decoder counter hash "
634  "table name init failed");
635  int r = HashTableAdd(g_counter_table, add, 0);
636  if (r != 0)
637  FatalError("decoder counter hash "
638  "table name add failed");
639  found = add;
640  }
642  found, tv);
643 
644  SCMutexUnlock(&g_counter_table_mutex);
645  } else {
647  DEvents[i].event_name, tv);
648  }
649  }
650 
651  return;
652 }
653 
655  const DecodeThreadVars *dtv, const Packet *p)
656 {
658  //StatsIncr(tv, dtv->counter_pkts_per_sec);
662 }
663 
664 /**
665  * \brief Debug print function for printing addresses
666  *
667  * \param Address object
668  *
669  * \todo IPv6
670  */
672 {
673  if (a == NULL)
674  return;
675 
676  switch (a->family) {
677  case AF_INET:
678  {
679  char s[16];
680  PrintInet(AF_INET, (const void *)&a->addr_data32[0], s, sizeof(s));
681  SCLogDebug("%s", s);
682  break;
683  }
684  }
685 }
686 
687 /** \brief Alloc and setup DecodeThreadVars */
689 {
690  DecodeThreadVars *dtv = NULL;
691 
692  if ((dtv = SCCalloc(1, sizeof(DecodeThreadVars))) == NULL)
693  return NULL;
694 
696 
698  SCLogError("initializing flow log API for thread failed");
700  return NULL;
701  }
702 
703  return dtv;
704 }
705 
707 {
708  if (dtv != NULL) {
709  if (dtv->app_tctx != NULL)
711 
712  if (dtv->output_flow_thread_data != NULL)
714 
715  SCFree(dtv);
716  }
717 }
718 
719 /**
720  * \brief Set data for Packet and set length when zero copy is used
721  *
722  * \param Pointer to the Packet to modify
723  * \param Pointer to the data
724  * \param Length of the data
725  */
726 inline int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
727 {
728  SET_PKT_LEN(p, (size_t)pktlen);
729  if (unlikely(!pktdata)) {
730  return -1;
731  }
732  // ext_pkt cannot be const (because we sometimes copy)
733  p->ext_pkt = (uint8_t *) pktdata;
734  p->flags |= PKT_ZERO_COPY;
735 
736  return 0;
737 }
738 
739 const char *PktSrcToString(enum PktSrcEnum pkt_src)
740 {
741  const char *pkt_src_str = NULL;
742  switch (pkt_src) {
743  case PKT_SRC_WIRE:
744  pkt_src_str = "wire/pcap";
745  break;
746  case PKT_SRC_DECODER_GRE:
747  pkt_src_str = "gre tunnel";
748  break;
750  pkt_src_str = "ipv4 tunnel";
751  break;
753  pkt_src_str = "ipv6 tunnel";
754  break;
756  pkt_src_str = "teredo tunnel";
757  break;
758  case PKT_SRC_DEFRAG:
759  pkt_src_str = "defrag";
760  break;
762  pkt_src_str = "stream (detect/log)";
763  break;
764  case PKT_SRC_FFR:
765  pkt_src_str = "stream (flow timeout)";
766  break;
768  pkt_src_str = "geneve encapsulation";
769  break;
771  pkt_src_str = "vxlan encapsulation";
772  break;
774  pkt_src_str = "detect reload flush";
775  break;
777  pkt_src_str = "capture timeout flush";
778  break;
780  pkt_src_str = "shutdown flush";
781  break;
782  }
783  DEBUG_VALIDATE_BUG_ON(pkt_src_str == NULL);
784  return pkt_src_str;
785 }
786 
788 {
789  switch (r) {
791  return "decode error";
793  return "defrag error";
795  return "defrag memcap";
797  return "flow memcap";
799  return "flow drop";
801  return "stream error";
803  return "stream memcap";
805  return "stream midstream";
807  return "stream reassembly";
809  return "applayer error";
811  return "applayer memcap";
813  return "rules";
815  return "threshold detection_filter";
817  return "nfq error";
819  return "tunnel packet drop";
821  case PKT_DROP_REASON_MAX:
822  return NULL;
823  }
824  return NULL;
825 }
826 
827 static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
828 {
829  switch (r) {
831  return "ips.drop_reason.decode_error";
833  return "ips.drop_reason.defrag_error";
835  return "ips.drop_reason.defrag_memcap";
837  return "ips.drop_reason.flow_memcap";
839  return "ips.drop_reason.flow_drop";
841  return "ips.drop_reason.stream_error";
843  return "ips.drop_reason.stream_memcap";
845  return "ips.drop_reason.stream_midstream";
847  return "ips.drop_reason.stream_reassembly";
849  return "ips.drop_reason.applayer_error";
851  return "ips.drop_reason.applayer_memcap";
853  return "ips.drop_reason.rules";
855  return "ips.drop_reason.threshold_detection_filter";
857  return "ips.drop_reason.nfq_error";
859  return "ips.drop_reason.tunnel_packet_drop";
861  case PKT_DROP_REASON_MAX:
862  return NULL;
863  }
864  return NULL;
865 }
866 
867 typedef struct CaptureStats_ {
872 
875 
877 
879 {
880  if (!EngineModeIsIPS() || PKT_IS_PSEUDOPKT(p))
881  return;
882 
886  } else if (unlikely(PacketCheckAction(p, ACTION_DROP))) {
888  } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
890  } else {
892  }
895  }
896 }
897 
899 {
900  if (EngineModeIsIPS()) {
902  s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
903  s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
904  s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
905  s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
906  for (int i = PKT_DROP_REASON_NOT_SET; i < PKT_DROP_REASON_MAX; i++) {
907  const char *name = PacketDropReasonToJsonString(i);
908  if (name != NULL)
910  }
911  }
912 }
913 
915 {
920  intmax_t value = 0;
921  if (ConfGetInt("decoder.max-layers", &value) == 1) {
922  if (value < 0 || value > UINT8_MAX) {
923  SCLogWarning("Invalid value for decoder.max-layers");
924  } else {
925  decoder_max_layers = (uint8_t)value;
926  }
927  }
929 }
930 
932 {
933  intmax_t max = 0;
934  if (ConfGetInt("packet-alert-max", &max) == 1) {
935  if (max <= 0 || max > UINT8_MAX) {
936  SCLogWarning("Invalid value for packet-alert-max, default value set instead");
937  } else {
938  packet_alert_max = (uint16_t)max;
939  }
940  }
941  SCLogDebug("detect->packet_alert_max set to %d", packet_alert_max);
942 }
943 
944 /**
945  * @}
946  */
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:48
DecodeThreadVars_::counter_flow_get_used_eval_busy
uint16_t counter_flow_get_used_eval_busy
Definition: decode.h:743
PKT_DROP_REASON_DEFRAG_MEMCAP
@ PKT_DROP_REASON_DEFRAG_MEMCAP
Definition: decode.h:394
PKT_DROP_REASON_DEFRAG_ERROR
@ PKT_DROP_REASON_DEFRAG_ERROR
Definition: decode.h:393
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
DecodeThreadVars_::counter_defrag_ipv4_reassembled
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:725
util-hash-string.h
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:400
DecodeThreadVars_::counter_ethertype_unknown
uint16_t counter_ethertype_unknown
Definition: decode.h:699
DecodeThreadVars_::counter_flow_udp
uint16_t counter_flow_udp
Definition: decode.h:736
len
uint8_t len
Definition: app-layer-dnp3.h:2
DecodeThreadVars_::counter_bytes
uint16_t counter_bytes
Definition: decode.h:679
DECODE_TUNNEL_IPV6
@ DECODE_TUNNEL_IPV6
Definition: decode.h:813
CaptureStats_::counter_ips_blocked
uint16_t counter_ips_blocked
Definition: decode.c:869
decode-erspan.h
decode-vxlan.h
DecodeThreadVars_::counter_eth
uint16_t counter_eth
Definition: decode.h:687
DecodeThreadVars_::counter_flow_active
uint16_t counter_flow_active
Definition: decode.h:734
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:167
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:75
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:191
DecodeThreadVars_::counter_flow_icmp4
uint16_t counter_flow_icmp4
Definition: decode.h:737
DecodeThreadVars_::counter_vxlan
uint16_t counter_vxlan
Definition: decode.h:712
DecodeThreadVars_::counter_max_pkt_size
uint16_t counter_max_pkt_size
Definition: decode.h:681
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ppp.c:44
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:292
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:443
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1058
DecodeThreadVars_::counter_avg_pkt_size
uint16_t counter_avg_pkt_size
Definition: decode.h:680
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:52
PacketPoolReturnPacket
void PacketPoolReturnPacket(Packet *p)
Return packet to Packet pool.
Definition: tmqh-packetpool.c:179
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:212
FlowBypassInfo_
Definition: flow.h:525
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PKT_DROP_REASON_STREAM_MEMCAP
@ PKT_DROP_REASON_STREAM_MEMCAP
Definition: decode.h:402
DecodeNSH
int DecodeNSH(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Function to decode NSH packets.
Definition: decode-nsh.c:46
PKT_DROP_REASON_FLOW_MEMCAP
@ PKT_DROP_REASON_FLOW_MEMCAP
Definition: decode.h:395
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:104
CaptureStatsSetup
void CaptureStatsSetup(ThreadVars *tv)
Definition: decode.c:898
PacketDropReasonToString
const char * PacketDropReasonToString(enum PacketDropReason r)
Definition: decode.c:787
PacketEngineEvents_::events
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:309
CaptureStats_
Definition: decode.c:867
PKT_STREAM_MODIFIED
#define PKT_STREAM_MODIFIED
Definition: decode.h:1010
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:814
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PKT_SRC_SHUTDOWN_FLUSH
@ PKT_SRC_SHUTDOWN_FLUSH
Definition: decode.h:66
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:671
PKT_SRC_DECODER_IPV4
@ PKT_SRC_DECODER_IPV4
Definition: decode.h:56
DecodeThreadVars_::counter_flow_spare_sync_avg
uint16_t counter_flow_spare_sync_avg
Definition: decode.h:749
PacketDefragPktSetup
Packet * PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:389
stats_stream_events
bool stats_stream_events
Definition: counters.c:104
PKT_ZERO_COPY
#define PKT_ZERO_COPY
Definition: decode.h:1023
PKT_SRC_CAPTURE_TIMEOUT
@ PKT_SRC_CAPTURE_TIMEOUT
Definition: decode.h:64
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:467
PacketAlertCreate
PacketAlert * PacketAlertCreate(void)
Initialize PacketAlerts with dynamic alerts array size.
Definition: decode.c:83
DecodeThreadVars_::counter_vntag
uint16_t counter_vntag
Definition: decode.h:713
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:458
DecodeThreadVars_::counter_flow_get_used_eval
uint16_t counter_flow_get_used_eval
Definition: decode.h:741
util-hash.h
CaptureStats
struct CaptureStats_ CaptureStats
StatsSetUI64
void StatsSetUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Sets a value of type double to the local counter.
Definition: counters.c:210
DECODE_EVENT_PACKET_MAX
@ DECODE_EVENT_PACKET_MAX
Definition: decode-events.h:224
Packet_::pool
struct PktPool_ * pool
Definition: decode.h:639
DecodeThreadVars_::counter_tcp_synack
uint16_t counter_tcp_synack
Definition: decode.h:693
PKT_DROP_REASON_MAX
@ PKT_DROP_REASON_MAX
Definition: decode.h:407
PKT_DROP_REASON_STREAM_REASSEMBLY
@ PKT_DROP_REASON_STREAM_REASSEMBLY
Definition: decode.h:404
DECODE_TUNNEL_ERSPANI
@ DECODE_TUNNEL_ERSPANI
Definition: decode.h:810
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:716
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:720
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:250
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:702
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:222
HashTable_
Definition: util-hash.h:35
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
Address_
Definition: decode.h:115
DecodeThreadVars_::counter_arp
uint16_t counter_arp
Definition: decode.h:698
DecodeThreadVars_::counter_flow_tcp
uint16_t counter_flow_tcp
Definition: decode.h:735
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:147
proto
uint8_t proto
Definition: decode-template.h:0
PacketAlertGetMaxConfig
void PacketAlertGetMaxConfig(void)
Definition: decode.c:931
decoder_max_layers
uint8_t decoder_max_layers
Definition: decode.c:76
SET_TUNNEL_PKT
#define SET_TUNNEL_PKT(p)
Definition: decode.h:800
DecodeThreadVars_::counter_tcp_active_sessions
uint16_t counter_tcp_active_sessions
Definition: decode.h:732
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:461
StringHashCompareFunc
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
Definition: util-hash-string.c:38
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:522
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:333
DecodeVXLANConfig
void DecodeVXLANConfig(void)
Definition: decode-vxlan.c:98
PacketDropReason
PacketDropReason
Definition: decode.h:390
DecodeThreadVars_::counter_max_mac_addrs_src
uint16_t counter_max_mac_addrs_src
Definition: decode.h:682
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:515
GET_PKT_DIRECT_MAX_SIZE
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:222
DecodeThreadVars_::counter_flow_get_used
uint16_t counter_flow_get_used
Definition: decode.h:740
tmqh-packetpool.h
StringHashFunc
uint32_t StringHashFunc(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash-string.c:33
Packet_::events
PacketEngineEvents events
Definition: decode.h:602
PacketAlertFree
void PacketAlertFree(PacketAlert *pa)
Definition: decode.c:91
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:84
HashTableFree
void HashTableFree(HashTable *ht)
Definition: util-hash.c:78
DecodeThreadVars_::counter_flow_spare_sync_empty
uint16_t counter_flow_spare_sync_empty
Definition: decode.h:747
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:411
DecodeThreadVars_::counter_flow_tcp_reuse
uint16_t counter_flow_tcp_reuse
Definition: decode.h:739
DECODE_TUNNEL_NSH
@ DECODE_TUNNEL_NSH
Definition: decode.h:816
DecodeThreadVars_::counter_flow_total
uint16_t counter_flow_total
Definition: decode.h:733
Packet_::datalink
int datalink
Definition: decode.h:611
PKT_DEFAULT_MAX_DECODED_LAYERS
#define PKT_DEFAULT_MAX_DECODED_LAYERS
Definition: decode.h:1063
stats_decoder_events_prefix
const char * stats_decoder_events_prefix
Definition: counters.c:102
DLT_RAW
#define DLT_RAW
Definition: decode.h:963
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:525
DecodeThreadVars_::counter_flow_spare_sync
uint16_t counter_flow_spare_sync
Definition: decode.h:746
DECODE_TUNNEL_ERSPANII
@ DECODE_TUNNEL_ERSPANII
Definition: decode.h:809
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:224
DecodeThreadVars_::counter_ipv6inipv6
uint16_t counter_ipv6inipv6
Definition: decode.h:719
StatsRegisterMaxCounter
uint16_t StatsRegisterMaxCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the maximum of all the values assigned to it.
Definition: counters.c:1011
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:503
decode.h
DecodeThreadVars_::counter_flow_get_used_failed
uint16_t counter_flow_get_used_failed
Definition: decode.h:744
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:54
CaptureStats_::counter_ips_rejected
uint16_t counter_ips_rejected
Definition: decode.c:870
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:251
DecodeThreadVars_::counter_icmpv4
uint16_t counter_icmpv4
Definition: decode.h:696
DecodeThreadVars_::counter_ppp
uint16_t counter_ppp
Definition: decode.h:706
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:64
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
Packet_::ts
SCTime_t ts
Definition: decode.h:475
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:397
OutputFlowLogThreadInit
TmEcode OutputFlowLogThreadInit(ThreadVars *tv, void *initdata, void **data)
thread init for the flow logger This will run the thread init functions for the individual registered...
Definition: output-flow.c:123
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:490
DecodeThreadVars_::counter_tcp_rst
uint16_t counter_tcp_rst
Definition: decode.h:694
PktSrcEnum
PktSrcEnum
Definition: decode.h:53
PKT_DROP_REASON_NOT_SET
@ PKT_DROP_REASON_NOT_SET
Definition: decode.h:391
DecodeTunnelProto
DecodeTunnelProto
Definition: decode.h:807
PacketDestructor
void PacketDestructor(Packet *p)
Cleanup a packet so that we can free it. No memset needed..
Definition: packet.c:177
CaptureStatsUpdate
void CaptureStatsUpdate(ThreadVars *tv, const Packet *p)
Definition: decode.c:878
util-print.h
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:58
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:1005
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:220
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:191
UNSET_TUNNEL_PKT
#define UNSET_TUNNEL_PKT(p)
Definition: decode.h:801
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:57
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:262
DECODE_TUNNEL_PPP
@ DECODE_TUNNEL_PPP
Definition: decode.h:815
FLOW_PKT_TOCLIENT_FIRST
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:228
FlowSetStorageById
int FlowSetStorageById(Flow *f, FlowStorageId id, void *ptr)
Definition: flow-storage.c:45
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:134
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:739
DecodeThreadVars_::counter_vlan_qinq
uint16_t counter_vlan_qinq
Definition: decode.h:710
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:112
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:669
StringHashFreeFunc
void StringHashFreeFunc(void *data)
Definition: util-hash-string.c:51
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:399
util-profiling.h
PacketCallocExtPkt
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:224
PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
@ PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
Definition: decode.h:61
DECODE_TUNNEL_VLAN
@ DECODE_TUNNEL_VLAN
Definition: decode.h:811
PKT_SRC_DECODER_IPV6
@ PKT_SRC_DECODER_IPV6
Definition: decode.h:57
CaptureStats_::counter_ips_accepted
uint16_t counter_ips_accepted
Definition: decode.c:868
Packet_
Definition: decode.h:430
DecodeThreadVars_::counter_nsh
uint16_t counter_nsh
Definition: decode.h:721
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:564
DECODE_TUNNEL_IPV4
@ DECODE_TUNNEL_IPV4
Definition: decode.h:812
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:219
DecodeThreadVars_::app_tctx
AppLayerThreadCtx * app_tctx
Definition: decode.h:675
decode-teredo.h
DecodeThreadVars_::counter_sll
uint16_t counter_sll
Definition: decode.h:701
PKT_DROP_REASON_STREAM_ERROR
@ PKT_DROP_REASON_STREAM_ERROR
Definition: decode.h:401
DecodeThreadVars_::counter_sctp
uint16_t counter_sctp
Definition: decode.h:704
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:590
DecodeThreadVars_::counter_invalid
uint16_t counter_invalid
Definition: decode.h:685
DecodeThreadVars_::counter_ieee8021ah
uint16_t counter_ieee8021ah
Definition: decode.h:714
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
DecodeThreadVars_::counter_ipv4inipv6
uint16_t counter_ipv4inipv6
Definition: decode.h:718
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:223
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:709
DECODE_TUNNEL_ETHERNET
@ DECODE_TUNNEL_ETHERNET
Definition: decode.h:808
DecodeThreadVars_::counter_tcp
uint16_t counter_tcp
Definition: decode.h:691
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
DecodeThreadVars_::counter_pkts
uint16_t counter_pkts
Definition: decode.h:678
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1178
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
default_packet_size
uint32_t default_packet_size
Definition: decode.c:72
Packet_::nb_decoded_layers
uint8_t nb_decoded_layers
Definition: decode.h:616
PKT_SRC_DECODER_GENEVE
@ PKT_SRC_DECODER_GENEVE
Definition: decode.h:65
DecodeThreadVars_::counter_chdlc
uint16_t counter_chdlc
Definition: decode.h:688
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:519
flow-storage.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:469
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:634
PKT_DROP_REASON_INNER_PACKET
@ PKT_DROP_REASON_INNER_PACKET
Definition: decode.h:406
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:706
DecodeThreadVars_::counter_flow_spare_sync_incomplete
uint16_t counter_flow_spare_sync_incomplete
Definition: decode.h:748
PKT_DROP_REASON_APPLAYER_MEMCAP
@ PKT_DROP_REASON_APPLAYER_MEMCAP
Definition: decode.h:398
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:914
suricata-common.h
PKT_SRC_FFR
@ PKT_SRC_FFR
Definition: decode.h:60
DecodeThreadVars_::counter_flow_icmp6
uint16_t counter_flow_icmp6
Definition: decode.h:738
DecodeThreadVars_::counter_ipv6
uint16_t counter_ipv6
Definition: decode.h:690
packet.h
CaptureStats_::counter_ips_replaced
uint16_t counter_ips_replaced
Definition: decode.c:871
DecodeThreadVars_::counter_gre
uint16_t counter_gre
Definition: decode.h:708
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DecodeThreadVars_::counter_esp
uint16_t counter_esp
Definition: decode.h:705
Packet_::ext_pkt
uint8_t * ext_pkt
Definition: decode.h:587
PKT_DROP_REASON_NFQ_ERROR
@ PKT_DROP_REASON_NFQ_ERROR
Definition: decode.h:405
DecodeThreadVars_::counter_defrag_ipv6_reassembled
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:727
DecodeThreadVars_::counter_udp
uint16_t counter_udp
Definition: decode.h:695
GENERIC_TOO_MANY_LAYERS
@ GENERIC_TOO_MANY_LAYERS
Definition: decode-events.h:221
PacketUpdateEngineEventCounters
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:154
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
CaptureStats_::counter_drop_reason
uint16_t counter_drop_reason[PKT_DROP_REASON_MAX]
Definition: decode.c:873
FatalError
#define FatalError(...)
Definition: util-debug.h:502
decode-geneve.h
PKT_SRC_DEFRAG
@ PKT_SRC_DEFRAG
Definition: decode.h:59
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DecodeThreadVars_::counter_ipv4
uint16_t counter_ipv4
Definition: decode.h:689
PACKET_PROFILING_START
#define PACKET_PROFILING_START(p)
Definition: util-profiling.h:73
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:173
PKT_SRC_DECODER_VXLAN
@ PKT_SRC_DECODER_VXLAN
Definition: decode.h:62
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
PACKET_ALERT_MAX
#define PACKET_ALERT_MAX
Definition: decode.h:286
Packet_::root
struct Packet_ * root
Definition: decode.h:622
DecodeThreadVars_::counter_pppoe
uint16_t counter_pppoe
Definition: decode.h:715
DecodeThreadVars_::counter_mpls
uint16_t counter_mpls
Definition: decode.h:717
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
OutputFlowLogThreadDeinit
TmEcode OutputFlowLogThreadDeinit(ThreadVars *tv, void *thread_data)
Definition: output-flow.c:163
PKT_SRC_DETECT_RELOAD_FLUSH
@ PKT_SRC_DETECT_RELOAD_FLUSH
Definition: decode.h:63
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:673
MAX_PAYLOAD_SIZE
#define MAX_PAYLOAD_SIZE
Definition: decode.h:667
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1026
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:455
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:755
DecodeThreadVars_::counter_geneve
uint16_t counter_geneve
Definition: decode.h:707
DecodeThreadVars_::counter_max_mac_addrs_dst
uint16_t counter_max_mac_addrs_dst
Definition: decode.h:683
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:688
DecodeThreadVars_::counter_defrag_max_hit
uint16_t counter_defrag_max_hit
Definition: decode.h:728
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
PacketSetData
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zero copy is used.
Definition: decode.c:726
PacketPoolGetPacket
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
Definition: tmqh-packetpool.c:127
DecodeThreadVars_::counter_vlan_qinqinq
uint16_t counter_vlan_qinqinq
Definition: decode.h:711
GET_PKT_DIRECT_DATA
#define GET_PKT_DIRECT_DATA(p)
Definition: decode.h:221
DecodeThreadVars_::counter_null
uint16_t counter_null
Definition: decode.h:703
t_capture_stats
thread_local CaptureStats t_capture_stats
Definition: decode.c:876
DecodeThreadVars_::counter_icmpv6
uint16_t counter_icmpv6
Definition: decode.h:697
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:229
Packet_::drop_reason
uint8_t drop_reason
Definition: decode.h:619
Address_::family
char family
Definition: decode.h:116
PKT_SRC_DECODER_GRE
@ PKT_SRC_DECODER_GRE
Definition: decode.h:55
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:897
PacketAlert_
Definition: decode.h:263
DecodeGeneveConfig
void DecodeGeneveConfig(void)
Definition: decode-geneve.c:128
DecodeThreadVars_::counter_flow_memcap
uint16_t counter_flow_memcap
Definition: decode.h:730
DecodeThreadVars_::counter_defrag_ipv6_fragments
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:726
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:77
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:457
likely
#define likely(expr)
Definition: util-optimize.h:32
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:991
PacketDefragPktSetupParent
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now associated to it.
Definition: decode.c:426
DecodeThreadVars_::counter_tcp_syn
uint16_t counter_tcp_syn
Definition: decode.h:692
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:308
stats_decoder_events
bool stats_decoder_events
Definition: counters.c:101
flow.h
PKT_DROP_REASON_STREAM_MIDSTREAM
@ PKT_DROP_REASON_STREAM_MIDSTREAM
Definition: decode.h:403
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:520
PacketInit
void PacketInit(Packet *p)
Initialize a packet structure for use.
Definition: packet.c:62
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:971
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DecodeThreadVars_::counter_flow_get_used_eval_reject
uint16_t counter_flow_get_used_eval_reject
Definition: decode.h:742
DecodeVLAN
int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-vlan.c:54
code
uint8_t code
Definition: decode-icmpv4.h:1
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:227
SCMutex
#define SCMutex
Definition: threads-debug.h:114
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:208
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:104
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
PKT_DROP_REASON_FLOW_DROP
@ PKT_DROP_REASON_FLOW_DROP
Definition: decode.h:396
WARN_UNUSED
#define WARN_UNUSED
Definition: suricata-common.h:403
PKT_IS_INVALID
#define PKT_IS_INVALID
Definition: decode.h:1030
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:654
DecodeThreadVars_::counter_engine_events
uint16_t counter_engine_events[DECODE_EVENT_MAX]
Definition: decode.h:751
output.h
DECODE_EVENT_MAX
@ DECODE_EVENT_MAX
Definition: decode-events.h:301
app-layer.h
PKT_DROP_REASON_DECODE_ERROR
@ PKT_DROP_REASON_DECODE_ERROR
Definition: decode.h:392
DecodeThreadVars_::counter_defrag_ipv4_fragments
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:724
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:308