suricata
decode.c
1 /* Copyright (C) 2007-2019 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup decode Packet decoding
20  *
21  * \brief Code in charge of protocol decoding
22  *
23  * Packet decoding is split across several files, and because
24  * Suricata supports encapsulation the decode functions can call
25  * each other recursively.
26  *
27  * For each protocol a DecodePROTO function is provided. For
28  * example we have DecodeIPV4() for IPv4 and DecodePPP() for
29  * PPP.
30  *
31  * These functions all take a pkt and a len argument, which
32  * are respectively a pointer to the protocol data and the length
33  * of this protocol data.
34  *
35  * \attention The pkt parameter must point to the effective data because
36  * it will be used later to set per protocol pointer like Packet::tcph
37  *
38  * @{
39  */
40 
41 
42 /**
43  * \file
44  *
45  * \author Victor Julien <victor@inliniac.net>
46  *
47  * Decode the raw packet
48  */
49 
50 #include "suricata-common.h"
51 #include "suricata.h"
52 #include "conf.h"
53 #include "decode.h"
54 #include "decode-teredo.h"
55 #include "util-debug.h"
56 #include "util-mem.h"
57 #include "app-layer-detect-proto.h"
58 #include "app-layer.h"
59 #include "tm-threads.h"
60 #include "util-error.h"
61 #include "util-print.h"
62 #include "tmqh-packetpool.h"
63 #include "util-profiling.h"
64 #include "pkt-var.h"
65 #include "util-mpm-ac.h"
66 #include "util-hash-string.h"
67 #include "output.h"
68 #include "output-flow.h"
69 #include "flow-storage.h"
70 
71 extern bool stats_decoder_events;
73 extern bool stats_stream_events;
74 
76  const uint8_t *pkt, uint32_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
77 {
78  switch (proto) {
79  case DECODE_TUNNEL_PPP:
80  return DecodePPP(tv, dtv, p, pkt, len, pq);
81  case DECODE_TUNNEL_IPV4:
82  return DecodeIPV4(tv, dtv, p, pkt, len, pq);
83  case DECODE_TUNNEL_IPV6:
85  return DecodeIPV6(tv, dtv, p, pkt, len, pq);
86  case DECODE_TUNNEL_VLAN:
87  return DecodeVLAN(tv, dtv, p, pkt, len, pq);
89  return DecodeEthernet(tv, dtv, p, pkt, len, pq);
91  return DecodeERSPAN(tv, dtv, p, pkt, len, pq);
92  default:
93  SCLogDebug("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
94  break;
95  }
96  return TM_ECODE_OK;
97 }
98 
99 /**
100  * \brief Return a malloced packet.
101  */
103 {
105  SCFree(p);
106 }
107 
/**
 * \brief Finalize decoding of a packet
 *
 * This function needs to be called at the end of decode
 * functions when decoding has been successful. If the packet carries
 * PKT_IS_INVALID, the counter registered as "decoder.invalid"
 * (DecodeThreadVars::counter_invalid) is incremented; otherwise
 * nothing is done.
 *
 * \param tv  thread vars handed to StatsIncr()
 * \param dtv decode thread vars holding counter_invalid
 * \param p   packet whose flags are inspected
 */
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
{
    const bool invalid = (p->flags & PKT_IS_INVALID) != 0;

    if (!invalid) {
        return;
    }
    StatsIncr(tv, dtv->counter_invalid);
}
121 
123  DecodeThreadVars *dtv, Packet *p)
124 {
125  for (uint8_t i = 0; i < p->events.cnt; i++) {
126  const uint8_t e = p->events.events[i];
127 
129  continue;
131  continue;
132  StatsIncr(tv, dtv->counter_engine_events[e]);
133  }
134 }
135 
136 /**
137  * \brief Get a malloced packet.
138  *
139  * \retval p packet, NULL on error
140  */
142 {
144  if (unlikely(p == NULL)) {
145  return NULL;
146  }
147 
148  memset(p, 0, SIZE_OF_PACKET);
151  p->flags |= PKT_ALLOC;
152 
153  SCLogDebug("allocated a new packet only using alloc...");
154 
156  return p;
157 }
158 
159 /**
160  * \brief Return a packet to where it was allocated.
161  */
163 {
164  if (p->flags & PKT_ALLOC)
165  PacketFree(p);
166  else
168 }
169 
170 /**
171  * \brief Get a packet. We try to get a packet from the packetpool first, but
172  * if that is empty we alloc a packet that is free'd again after
173  * processing.
174  *
175  * \retval p packet, NULL on error
176  */
178 {
179  /* try the pool first */
181 
182  if (p == NULL) {
183  /* non fatal, we're just not processing a packet then */
184  p = PacketGetFromAlloc();
185  } else {
187  }
188 
189  return p;
190 }
191 
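/**
 * \brief Allocate the external data buffer of a packet if it has none
 *
 * An already set Packet::ext_pkt is left untouched. Otherwise a zeroed
 * buffer of datalen bytes is allocated and stored in Packet::ext_pkt.
 *
 * \param p       packet to attach the buffer to
 * \param datalen size of the buffer in bytes; negative values are rejected
 *
 * \retval 0 ext_pkt is set (already present or newly allocated)
 * \retval -1 invalid length or allocation failure; the packet length is
 *         reset to 0
 */
inline int PacketCallocExtPkt(Packet *p, int datalen)
{
    if (p->ext_pkt != NULL) {
        /* NOTE(review): the size of an existing buffer is not tracked
         * here, so datalen is not checked against it -- confirm callers
         * never rely on this call to grow a buffer. */
        return 0;
    }

    /* datalen is signed: a negative value would be converted to a very
     * large size when handed to the allocator, so refuse it explicitly
     * instead of depending on the allocation failing. */
    if (unlikely(datalen < 0)) {
        SET_PKT_LEN(p, 0);
        return -1;
    }

    p->ext_pkt = SCCalloc(1, (size_t)datalen);
    if (unlikely(p->ext_pkt == NULL)) {
        SET_PKT_LEN(p, 0);
        return -1;
    }
    return 0;
}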
203 
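/**
 * \brief Copy data to Packet payload at given offset
 *
 * This function copies data/payload to a Packet. It uses the
 * space allocated at Packet creation (pointed to by Packet::pkt)
 * or allocates some memory (pointed to by Packet::ext_pkt) if the
 * data size is too big to fit in the initial space (of size
 * default_packet_size).
 *
 * \param p       Pointer to the Packet to modify
 * \param offset  Offset of the copy relative to the payload of the Packet
 * \param data    Pointer to the data to copy
 * \param datalen Length of the data to copy
 *
 * \retval 0 on success
 * \retval -1 if offset + datalen exceeds MAX_PAYLOAD_SIZE (including the
 *         case where the 32-bit sum wraps) or if the allocation fails; on
 *         allocation failure the packet length is reset to 0
 */
inline int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
{
    /* Bound the end of the write without forming offset + datalen first.
     * Both are uint32_t, so the sum can wrap to a small value and pass a
     * plain "offset + datalen > MAX_PAYLOAD_SIZE" test. The check must
     * hold for every branch below, including the one that writes into an
     * already present ext_pkt. */
    if (unlikely(datalen > MAX_PAYLOAD_SIZE ||
                 offset > MAX_PAYLOAD_SIZE - datalen)) {
        /* too big */
        return -1;
    }

    /* Do we already have a packet with allocated data */
    if (p->ext_pkt != NULL) {
        /* NOTE(review): ext_pkt is MAX_PAYLOAD_SIZE bytes when allocated
         * below, but PacketSetData() can also install a caller-provided
         * buffer (PKT_ZERO_COPY) whose capacity is unknown here -- confirm
         * no caller copies into such a packet. */
        memcpy(p->ext_pkt + offset, data, datalen);
        return 0;
    }

    /* cannot wrap: bounded by the check at the top */
    const uint32_t newsize = offset + datalen;

    if (newsize <= default_packet_size) {
        /* data will fit in memory allocated with packet */
        memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
        return 0;
    }

    /* here we need a dynamic allocation */
    /* NOTE(review): the allocation statement and the initial-copy
     * statement are missing from the rendered listing; they are restored
     * here from the identifiers the listing cross-references (SCMalloc,
     * GET_PKT_DIRECT_MAX_SIZE) -- verify against the source file. */
    p->ext_pkt = SCMalloc(MAX_PAYLOAD_SIZE);
    if (unlikely(p->ext_pkt == NULL)) {
        SET_PKT_LEN(p, 0);
        return -1;
    }
    /* copy initial data */
    memcpy(p->ext_pkt, GET_PKT_DIRECT_DATA(p), GET_PKT_DIRECT_MAX_SIZE(p));
    /* copy data as asked */
    memcpy(p->ext_pkt + offset, data, datalen);
    return 0;
}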
251 
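/**
 * \brief Copy data to Packet payload and set packet length
 *
 * \param p       Pointer to the Packet to modify
 * \param pktdata Pointer to the data to copy
 * \param pktlen  Length of the data to copy
 *
 * \retval 0 on success; the packet length is pktlen
 * \retval -1 if the copy failed; the packet length is reset to 0
 */
inline int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
{
    SET_PKT_LEN(p, (size_t)pktlen);

    const int r = PacketCopyDataOffset(p, 0, pktdata, pktlen);
    if (unlikely(r != 0)) {
        /* Nothing was copied, so the packet must not keep advertising
         * pktlen bytes. PacketTunnelPktSetup() and PacketDefragPktSetup()
         * in this file call this function without checking the result and
         * then work with GET_PKT_LEN(p); a stale length would let a
         * decoder read past the data that is actually present. */
        SET_PKT_LEN(p, 0);
    }
    return r;
}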
264 
265 /**
266  * \brief Setup a pseudo packet (tunnel)
267  *
268  * \param parent parent packet for this pseudo pkt
269  * \param pkt raw packet data
270  * \param len packet data length
271  * \param proto protocol of the tunneled packet
272  *
273  * \retval p the pseudo packet or NULL if out of memory
274  */
276  const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto,
277  PacketQueue *pq)
278 {
279  int ret;
280 
281  SCEnter();
282 
283  /* get us a packet */
285  if (unlikely(p == NULL)) {
286  SCReturnPtr(NULL, "Packet");
287  }
288 
289  /* copy packet and set lenght, proto */
290  PacketCopyData(p, pkt, len);
291  p->recursion_level = parent->recursion_level + 1;
292  p->ts.tv_sec = parent->ts.tv_sec;
293  p->ts.tv_usec = parent->ts.tv_usec;
294  p->datalink = DLT_RAW;
295  p->tenant_id = parent->tenant_id;
296 
297  /* set the root ptr to the lowest layer */
298  if (parent->root != NULL)
299  p->root = parent->root;
300  else
301  p->root = parent;
302 
303  /* tell new packet it's part of a tunnel */
304  SET_TUNNEL_PKT(p);
305 
306  ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
307  GET_PKT_LEN(p), pq, proto);
308 
309  if (unlikely(ret != TM_ECODE_OK) ||
310  (proto == DECODE_TUNNEL_IPV6_TEREDO && (p->flags & PKT_IS_INVALID)))
311  {
312  /* Not a (valid) tunnel packet */
313  SCLogDebug("tunnel packet is invalid");
314 
315  p->root = NULL;
316  UNSET_TUNNEL_PKT(p);
317  TmqhOutputPacketpool(tv, p);
318  SCReturnPtr(NULL, "Packet");
319  }
320 
321 
322  /* tell parent packet it's part of a tunnel */
323  SET_TUNNEL_PKT(parent);
324 
325  /* increment tunnel packet refcnt in the root packet */
327 
328  /* disable payload (not packet) inspection on the parent, as the payload
329  * is the packet we will now run through the system separately. We do
330  * check it against the ip/port/other header checks though */
332  SCReturnPtr(p, "Packet");
333 }
334 
335 /**
336  * \brief Setup a pseudo packet (reassembled frags)
337  *
338  * Difference with PacketPseudoPktSetup is that this func doesn't increment
339  * the recursion level. It needs to be on the same level as the frags because
340  * we run the flow engine against this and we need to get the same flow.
341  *
342  * \param parent parent packet for this pseudo pkt
343  * \param pkt raw packet data
344  * \param len packet data length
345  * \param proto protocol of the tunneled packet
346  *
347  * \retval p the pseudo packet or NULL if out of memory
348  */
349 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
350 {
351  SCEnter();
352 
353  /* get us a packet */
355  if (unlikely(p == NULL)) {
356  SCReturnPtr(NULL, "Packet");
357  }
358 
359  /* set the root ptr to the lowest layer */
360  if (parent->root != NULL)
361  p->root = parent->root;
362  else
363  p->root = parent;
364 
365  /* copy packet and set lenght, proto */
366  if (pkt && len) {
367  PacketCopyData(p, pkt, len);
368  }
369  p->recursion_level = parent->recursion_level; /* NOT incremented */
370  p->ts.tv_sec = parent->ts.tv_sec;
371  p->ts.tv_usec = parent->ts.tv_usec;
372  p->datalink = DLT_RAW;
373  p->tenant_id = parent->tenant_id;
374  /* tell new packet it's part of a tunnel */
375  SET_TUNNEL_PKT(p);
376  p->vlan_id[0] = parent->vlan_id[0];
377  p->vlan_id[1] = parent->vlan_id[1];
378  p->vlan_idx = parent->vlan_idx;
379 
380  SCReturnPtr(p, "Packet");
381 }
382 
383 /**
384  * \brief inform defrag "parent" that a pseudo packet is
385  * now associated with it.
386  */
388 {
389  /* tell parent packet it's part of a tunnel */
390  SET_TUNNEL_PKT(parent);
391 
392  /* increment tunnel packet refcnt in the root packet */
393  TUNNEL_INCR_PKT_TPR(parent);
394 
395  /* disable payload (not packet) inspection on the parent, as the payload
396  * is the packet we will now run through the system separately. We do
397  * check it against the ip/port/other header checks though */
399 }
400 
402 {
403 #ifdef CAPTURE_OFFLOAD
404  /* Don't try to bypass if flow is already out or
405  * if we have failed to do it once */
406  if (p->flow) {
407  int state = SC_ATOMIC_GET(p->flow->flow_state);
408  if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
409  (state == FLOW_STATE_CAPTURE_BYPASSED)) {
410  return;
411  }
412  FlowBypassInfo *fc = SCCalloc(sizeof(FlowBypassInfo), 1);
413  if (fc) {
415  } else {
416  return;
417  }
418  }
419  if (p->BypassPacketsFlow && p->BypassPacketsFlow(p)) {
420  if (p->flow) {
421  FlowUpdateState(p->flow, FLOW_STATE_CAPTURE_BYPASSED);
422  }
423  } else {
424  if (p->flow) {
426  }
427  }
428 #else /* CAPTURE_OFFLOAD */
429  if (p->flow) {
430  int state = SC_ATOMIC_GET(p->flow->flow_state);
431  if (state == FLOW_STATE_LOCAL_BYPASSED)
432  return;
434  }
435 #endif
436 }
437 
438 /** \brief switch direction of a packet */
440 {
441  if (PKT_IS_TOSERVER(p)) {
444 
448  }
449  } else {
452 
456  }
457  }
458 }
459 
460 /* counter name store */
461 static HashTable *g_counter_table = NULL;
462 static SCMutex g_counter_table_mutex = SCMUTEX_INITIALIZER;
463 
/**
 * \brief Free the counter name store
 *
 * Takes g_counter_table_mutex, frees g_counter_table if it is set and
 * leaves the pointer NULL. Calling it when no table exists is a no-op.
 */
void DecodeUnregisterCounters(void)
{
    SCMutexLock(&g_counter_table_mutex);

    HashTable *table = g_counter_table;
    if (table != NULL) {
        /* the mutex is still held, so clearing the global before the
         * free is not observable from outside */
        g_counter_table = NULL;
        HashTableFree(table);
    }

    SCMutexUnlock(&g_counter_table_mutex);
}
473 
475 {
476  /* register counters */
477  dtv->counter_pkts = StatsRegisterCounter("decoder.pkts", tv);
478  dtv->counter_bytes = StatsRegisterCounter("decoder.bytes", tv);
479  dtv->counter_invalid = StatsRegisterCounter("decoder.invalid", tv);
480  dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
481  dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
482  dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
483  dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
484  dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
485  dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
486  dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
487  dtv->counter_udp = StatsRegisterCounter("decoder.udp", tv);
488  dtv->counter_sctp = StatsRegisterCounter("decoder.sctp", tv);
489  dtv->counter_icmpv4 = StatsRegisterCounter("decoder.icmpv4", tv);
490  dtv->counter_icmpv6 = StatsRegisterCounter("decoder.icmpv6", tv);
491  dtv->counter_ppp = StatsRegisterCounter("decoder.ppp", tv);
492  dtv->counter_pppoe = StatsRegisterCounter("decoder.pppoe", tv);
493  dtv->counter_gre = StatsRegisterCounter("decoder.gre", tv);
494  dtv->counter_vlan = StatsRegisterCounter("decoder.vlan", tv);
495  dtv->counter_vlan_qinq = StatsRegisterCounter("decoder.vlan_qinq", tv);
496  dtv->counter_vxlan = StatsRegisterCounter("decoder.vxlan", tv);
497  dtv->counter_ieee8021ah = StatsRegisterCounter("decoder.ieee8021ah", tv);
498  dtv->counter_teredo = StatsRegisterCounter("decoder.teredo", tv);
499  dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", tv);
500  dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", tv);
501  dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", tv);
502  dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
503  dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
504  dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
505  dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
506 
507  dtv->counter_flow_tcp = StatsRegisterCounter("flow.tcp", tv);
508  dtv->counter_flow_udp = StatsRegisterCounter("flow.udp", tv);
509  dtv->counter_flow_icmp4 = StatsRegisterCounter("flow.icmpv4", tv);
510  dtv->counter_flow_icmp6 = StatsRegisterCounter("flow.icmpv6", tv);
511 
513  StatsRegisterCounter("defrag.ipv4.fragments", tv);
515  StatsRegisterCounter("defrag.ipv4.reassembled", tv);
517  StatsRegisterCounter("defrag.ipv4.timeouts", tv);
519  StatsRegisterCounter("defrag.ipv6.fragments", tv);
521  StatsRegisterCounter("defrag.ipv6.reassembled", tv);
523  StatsRegisterCounter("defrag.ipv6.timeouts", tv);
525  StatsRegisterCounter("defrag.max_frag_hits", tv);
526 
527  for (int i = 0; i < DECODE_EVENT_MAX; i++) {
528  BUG_ON(i != (int)DEvents[i].code);
529 
531  continue;
533  continue;
534 
535  if (i < DECODE_EVENT_PACKET_MAX &&
536  strncmp(DEvents[i].event_name, "decoder.", 8) == 0)
537  {
538  SCMutexLock(&g_counter_table_mutex);
539  if (g_counter_table == NULL) {
540  g_counter_table = HashTableInit(256, StringHashFunc,
543  if (g_counter_table == NULL) {
544  FatalError(SC_ERR_INITIALIZATION, "decoder counter hash "
545  "table init failed");
546  }
547  }
548 
549  char name[256];
550  char *dot = strchr(DEvents[i].event_name, '.');
551  BUG_ON(!dot);
552  snprintf(name, sizeof(name), "%s.%s",
554 
555  const char *found = HashTableLookup(g_counter_table, name, 0);
556  if (!found) {
557  char *add = SCStrdup(name);
558  if (add == NULL)
559  FatalError(SC_ERR_INITIALIZATION, "decoder counter hash "
560  "table name init failed");
561  int r = HashTableAdd(g_counter_table, add, 0);
562  if (r != 0)
563  FatalError(SC_ERR_INITIALIZATION, "decoder counter hash "
564  "table name add failed");
565  found = add;
566  }
568  found, tv);
569 
570  SCMutexUnlock(&g_counter_table_mutex);
571  } else {
573  DEvents[i].event_name, tv);
574  }
575  }
576 
577  return;
578 }
579 
581  const DecodeThreadVars *dtv, const Packet *p)
582 {
583  StatsIncr(tv, dtv->counter_pkts);
584  //StatsIncr(tv, dtv->counter_pkts_per_sec);
585  StatsAddUI64(tv, dtv->counter_bytes, GET_PKT_LEN(p));
588 }
589 
/**
 * \brief Debug print function for printing addresses
 *
 * Formats an AF_INET address with PrintInet() and emits it through
 * SCLogDebug(). A NULL pointer and any other address family are
 * silently ignored.
 *
 * \param a Address object, may be NULL
 *
 * \todo IPv6
 */
void AddressDebugPrint(Address *a)
{
    if (a == NULL || a->family != AF_INET) {
        return;
    }

    /* 16 bytes hold the longest dotted-quad text plus the terminator */
    char text[16];
    PrintInet(AF_INET, (const void *)&a->addr_data32[0], text, sizeof(text));
    SCLogDebug("%s", text);
}
612 
613 /** \brief Alloc and setup DecodeThreadVars */
615 {
616  DecodeThreadVars *dtv = NULL;
617 
618  if ( (dtv = SCMalloc(sizeof(DecodeThreadVars))) == NULL)
619  return NULL;
620  memset(dtv, 0, sizeof(DecodeThreadVars));
621 
622  dtv->app_tctx = AppLayerGetCtxThread(tv);
623 
625  SCLogError(SC_ERR_THREAD_INIT, "initializing flow log API for thread failed");
626  DecodeThreadVarsFree(tv, dtv);
627  return NULL;
628  }
629 
630  return dtv;
631 }
632 
634 {
635  if (dtv != NULL) {
636  if (dtv->app_tctx != NULL)
638 
639  if (dtv->output_flow_thread_data != NULL)
641 
642  SCFree(dtv);
643  }
644 }
645 
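/**
 * \brief Set data for Packet and set length when zero copy is used
 *
 * The data is not copied: Packet::ext_pkt is pointed at pktdata and the
 * packet is flagged PKT_ZERO_COPY.
 *
 * \param p       Pointer to the Packet to modify
 * \param pktdata Pointer to the data
 * \param pktlen  Length of the data
 *
 * \retval 0 on success; the packet length is pktlen
 * \retval -1 if pktdata is NULL; the packet length is reset to 0 and the
 *         data pointer and flags are left unchanged
 */
inline int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
{
    if (unlikely(pktdata == NULL)) {
        /* No buffer was attached, so do not leave the packet claiming
         * pktlen bytes; this matches the allocation-failure paths in this
         * file, which also reset the length to 0. */
        SET_PKT_LEN(p, 0);
        return -1;
    }

    SET_PKT_LEN(p, (size_t)pktlen);
    /* ext_pkt is a non-const pointer, hence the cast.
     * NOTE(review): the packet only borrows this buffer; presumably it
     * must stay valid and unmodified while the packet is in use --
     * confirm against the capture code that calls this. */
    p->ext_pkt = (uint8_t *)pktdata;
    p->flags |= PKT_ZERO_COPY;

    return 0;
}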
664 
665 const char *PktSrcToString(enum PktSrcEnum pkt_src)
666 {
667  const char *pkt_src_str = "<unknown>";
668  switch (pkt_src) {
669  case PKT_SRC_WIRE:
670  pkt_src_str = "wire/pcap";
671  break;
672  case PKT_SRC_DECODER_GRE:
673  pkt_src_str = "gre tunnel";
674  break;
676  pkt_src_str = "ipv4 tunnel";
677  break;
679  pkt_src_str = "ipv6 tunnel";
680  break;
682  pkt_src_str = "teredo tunnel";
683  break;
684  case PKT_SRC_DEFRAG:
685  pkt_src_str = "defrag";
686  break;
688  pkt_src_str = "stream";
689  break;
691  pkt_src_str = "stream (detect/log)";
692  break;
693  case PKT_SRC_FFR:
694  pkt_src_str = "stream (flow timeout)";
695  break;
697  pkt_src_str = "vxlan encapsulation";
698  break;
699  }
700  return pkt_src_str;
701 }
702 
704 {
707  } else if (unlikely(PACKET_TEST_ACTION(p, ACTION_DROP))) {
709  } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
711  } else {
713  }
714 }
715 
/**
 * \brief Register the IPS verdict counters for a capture thread
 *
 * Registers "ips.accepted", "ips.blocked", "ips.rejected" and
 * "ips.replaced", in that order, and stores the returned counter ids
 * in the matching CaptureStats fields.
 *
 * \param tv thread vars the counters are registered with
 * \param s  capture stats structure receiving the counter ids
 */
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
{
    /* registration order is kept as listed */
    const struct {
        uint16_t *slot;
        const char *name;
    } counters[] = {
        { &s->counter_ips_accepted, "ips.accepted" },
        { &s->counter_ips_blocked, "ips.blocked" },
        { &s->counter_ips_rejected, "ips.rejected" },
        { &s->counter_ips_replaced, "ips.replaced" },
    };

    for (size_t i = 0; i < sizeof(counters) / sizeof(counters[0]); i++) {
        *counters[i].slot = StatsRegisterCounter(counters[i].name, tv);
    }
}
723 
725 {
728 }
729 
730 /**
731  * @}
732  */
uint16_t counter_max_pkt_size
Definition: decode.h:641
uint16_t counter_ips_rejected
Definition: decode.h:698
#define SCMutex
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:675
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now assosiated to it.
Definition: decode.c:387
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-ppp.c:43
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:227
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:275
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:614
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:703
uint16_t counter_ieee8021ah
Definition: decode.h:662
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:487
struct Flow_ * flow
Definition: decode.h:445
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:113
#define ACTION_REJECT_DST
#define BUG_ON(x)
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
#define SET_PKT_LEN(p, len)
Definition: decode.h:229
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:115
uint16_t counter_bytes
Definition: decode.h:639
#define unlikely(expr)
Definition: util-optimize.h:35
uint16_t counter_eth
Definition: decode.h:645
uint16_t counter_null
Definition: decode.h:655
bool stats_decoder_events
Definition: counters.c:102
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:474
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:46
PktSrcEnum
Definition: decode.h:48
#define ACTION_REJECT
#define PKT_ALLOC
Definition: decode.h:1088
uint16_t counter_vlan_qinq
Definition: decode.h:660
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:206
uint64_t offset
uint16_t counter_defrag_ipv6_timeouts
Definition: decode.h:676
void PacketPoolReturnPacket(Packet *p)
Return packet to Packet pool.
#define PACKET_INITIALIZE(p)
Initialize a packet structure for use.
Definition: decode.h:731
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:102
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:34
uint16_t counter_defrag_ipv4_timeouts
Definition: decode.h:673
uint16_t counter_ipv4
Definition: decode.h:646
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:307
uint8_t * ext_pkt
Definition: decode.h:550
void DecodeGlobalConfig(void)
Definition: decode.c:724
uint16_t counter_ipv4inipv6
Definition: decode.h:666
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:177
#define PKT_ZERO_COPY
Definition: decode.h:1103
bool stats_stream_events
Definition: counters.c:105
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:484
#define SCMutexLock(mut)
uint16_t counter_teredo
Definition: decode.h:664
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:162
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
uint16_t vlan_id[2]
Definition: decode.h:435
uint16_t counter_vlan
Definition: decode.h:659
uint16_t counter_erspan
Definition: decode.h:668
uint16_t counter_raw
Definition: decode.h:654
uint16_t counter_pkts
Definition: decode.h:638
uint16_t counter_flow_udp
Definition: decode.h:682
uint16_t counter_flow_tcp
Definition: decode.h:681
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:943
uint16_t counter_avg_pkt_size
Definition: decode.h:640
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:674
#define SIZE_OF_PACKET
Definition: decode.h:618
#define SCCalloc(nm, a)
Definition: util-mem.h:253
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:597
#define SCMutexUnlock(mut)
#define DecodeSetNoPayloadInspectionFlag(p)
Set the No payload inspection Flag for the packet.
Definition: decode.h:972
void StatsSetUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Sets a value of type double to the local counter.
Definition: counters.c:190
AppLayerThreadCtx * AppLayerGetCtxThread(ThreadVars *tv)
Creates a new app layer thread context.
Definition: app-layer.c:820
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
char family
Definition: decode.h:111
int datalink
Definition: decode.h:574
#define SCMUTEX_INITIALIZER
#define ACTION_REJECT_BOTH
uint8_t recursion_level
Definition: decode.h:433
int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode-vlan.c:62
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
AppLayerThreadCtx * app_tctx
Definition: decode.h:635
uint16_t counter_ipv6inipv6
Definition: decode.h:667
#define PKT_STREAM_MODIFIED
Definition: decode.h:1095
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
#define GET_PKT_DIRECT_DATA(p)
Definition: decode.h:226
uint16_t counter_mpls
Definition: decode.h:665
DecodeTunnelProto
Definition: decode.h:889
uint16_t counter_icmpv4
Definition: decode.h:650
#define SCEnter(...)
Definition: util-debug.h:337
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
uint16_t counter_tcp
Definition: decode.h:648
uint8_t flowflags
Definition: decode.h:439
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46
void PacketBypassCallback(Packet *p)
Definition: decode.c:401
PacketEngineEvents events
Definition: decode.h:565
void * output_flow_thread_data
Definition: decode.h:690
#define PKT_IS_TOSERVER(p)
Definition: decode.h:257
#define FLOW_PKT_TOSERVER
Definition: flow.h:201
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:168
const char * stats_decoder_events_prefix
Definition: decode.c:72
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:122
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:439
int FlowSetStorageById(Flow *f, int id, void *ptr)
Definition: flow-storage.c:44
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
uint16_t counter_ips_accepted
Definition: decode.h:696
uint16_t counter_ips_blocked
Definition: decode.h:697
uint16_t counter_flow_icmp4
Definition: decode.h:683
uint8_t proto
#define UNSET_TUNNEL_PKT(p)
Definition: decode.h:883
uint16_t counter_flow_memcap
Definition: decode.h:679
TmEcode OutputFlowLogThreadInit(ThreadVars *tv, void *initdata, void **data)
thread init for the flow logger This will run the thread init functions for the individual registered...
Definition: output-flow.c:129
uint16_t counter_ipv6
Definition: decode.h:647
uint8_t vlan_idx
Definition: decode.h:436
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:653
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:207
uint16_t counter_invalid
Definition: decode.h:643
void HashTableFree(HashTable *ht)
Definition: util-hash.c:79
#define SCMalloc(a)
Definition: util-mem.h:222
uint16_t counter_sctp
Definition: decode.h:656
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:193
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv6.c:585
uint16_t counter_ppp
Definition: decode.h:657
#define SCFree(a)
Definition: util-mem.h:322
uint16_t counter_engine_events[DECODE_EVENT_MAX]
Definition: decode.h:686
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len, PacketQueue *pq)
Definition: decode-ipv4.c:532
#define TUNNEL_INCR_PKT_TPR(p)
Definition: decode.h:872
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:963
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayeGetCtxThread().
Definition: app-layer.c:842
uint16_t counter_ips_replaced
Definition: decode.h:699
uint32_t default_packet_size
Definition: decode.h:617
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:192
void StringHashFreeFunc(void *data)
#define FatalError(x,...)
Definition: util-debug.h:539
uint16_t counter_icmpv6
Definition: decode.h:651
#define PACKET_PROFILING_START(p)
#define MAX_PAYLOAD_SIZE
Definition: decode.h:616
int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq, enum DecodeTunnelProto proto)
Definition: decode.c:75
void FlowUpdateState(Flow *f, enum FlowState s)
Definition: flow.c:1104
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:665
uint16_t counter_gre
Definition: decode.h:658
#define SCReturnPtr(x, type)
Definition: util-debug.h:353
uint16_t counter_udp
Definition: decode.h:649
TmEcode OutputFlowLogThreadDeinit(ThreadVars *tv, void *thread_data)
Definition: output-flow.c:171
uint16_t counter_flow_icmp6
Definition: decode.h:684
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
#define GET_PKT_DATA(p)
Definition: decode.h:225
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:580
#define SCStrdup(a)
Definition: util-mem.h:268
void DecodeVXLANConfig(void)
Definition: decode-vxlan.c:88
#define PACKET_DESTRUCTOR(p)
Cleanup a packet so that we can free it. No memset needed..
Definition: decode.h:822
uint16_t counter_sll
Definition: decode.h:653
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259
uint32_t StringHashFunc(HashTable *ht, void *data, uint16_t datalen)
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:716
int GetFlowBypassInfoID(void)
Definition: flow-util.c:209
uint16_t counter_pppoe
Definition: decode.h:663
uint32_t tenant_id
Definition: decode.h:594
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:451
#define FLOW_PKT_TOCLIENT
Definition: flow.h:202
uint8_t code
Packet * PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:349
#define GET_PKT_LEN(p)
Definition: decode.h:224
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:671
#define ACTION_DROP
uint32_t flags
Definition: decode.h:443
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:147
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:633
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:218
uint16_t counter_defrag_max_hit
Definition: decode.h:677
#define SET_TUNNEL_PKT(p)
Definition: decode.h:882
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:672
uint16_t StatsRegisterMaxCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the maximum of all the values assigned to it.
Definition: counters.c:983
#define PKT_IS_INVALID
Definition: decode.h:1109
void DecodeUnregisterCounters(void)
Definition: decode.c:464
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:141
struct Packet_ * root
Definition: decode.h:577
uint16_t counter_vxlan
Definition: decode.h:661