suricata
decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup decode Packet decoding
20  *
21  * \brief Code in charge of protocol decoding
22  *
23  * The task of decoding packets is made in different files and
24  * as Suricata is supporting encapsulation there is a potential
25  * recursivity in the call.
26  *
27  * For each protocol a DecodePROTO function is provided. For
28  * example we have DecodeIPV4() for IPv4 and DecodePPP() for
29  * PPP.
30  *
31  * These functions have all a pkt and a len argument which
32  * are respectively a pointer to the protocol data and the length
33  * of this protocol data.
34  *
35  * \attention The pkt parameter must point to the effective data because
36  * it will be used later to set per protocol pointer like Packet::tcph
37  *
38  * @{
39  */
40 
41 
42 /**
43  * \file
44  *
45  * \author Victor Julien <victor@inliniac.net>
46  *
47  * Decode the raw packet
48  */
49 
50 #include "suricata-common.h"
51 #include "decode.h"
52 
53 #include "packet.h"
54 #include "flow.h"
55 #include "flow-storage.h"
56 #include "tmqh-packetpool.h"
57 #include "app-layer.h"
58 #include "output.h"
59 
60 #include "decode-vxlan.h"
61 #include "decode-geneve.h"
62 #include "decode-erspan.h"
63 #include "decode-teredo.h"
64 #include "decode-arp.h"
65 
66 #include "defrag-hash.h"
67 
68 #include "util-hash.h"
69 #include "util-hash-string.h"
70 #include "util-print.h"
71 #include "util-profiling.h"
72 #include "util-validate.h"
73 #include "util-debug.h"
74 #include "util-exception-policy.h"
75 #include "action-globals.h"
76 
77 uint32_t default_packet_size = 0;
78 extern bool stats_decoder_events;
79 extern const char *stats_decoder_events_prefix;
80 extern bool stats_stream_events;
83 
84 /* Settings order as in the enum */
85 // clang-format off
88  /* EXCEPTION_POLICY_NOT_SET */ false,
89  /* EXCEPTION_POLICY_AUTO */ false,
90  /* EXCEPTION_POLICY_PASS_PACKET */ true,
91  /* EXCEPTION_POLICY_PASS_FLOW */ false,
92  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
93  /* EXCEPTION_POLICY_DROP_PACKET */ false,
94  /* EXCEPTION_POLICY_DROP_FLOW */ false,
95  /* EXCEPTION_POLICY_REJECT */ true,
96  },
97  .valid_settings_ips = {
98  /* EXCEPTION_POLICY_NOT_SET */ false,
99  /* EXCEPTION_POLICY_AUTO */ false,
100  /* EXCEPTION_POLICY_PASS_PACKET */ true,
101  /* EXCEPTION_POLICY_PASS_FLOW */ false,
102  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
103  /* EXCEPTION_POLICY_DROP_PACKET */ true,
104  /* EXCEPTION_POLICY_DROP_FLOW */ false,
105  /* EXCEPTION_POLICY_REJECT */ true,
106  },
107 };
108 // clang-format on
109 
110 /* Settings order as in the enum */
111 // clang-format off
113  .valid_settings_ids = {
114  /* EXCEPTION_POLICY_NOT_SET */ false,
115  /* EXCEPTION_POLICY_AUTO */ false,
116  /* EXCEPTION_POLICY_PASS_PACKET */ true,
117  /* EXCEPTION_POLICY_PASS_FLOW */ false,
118  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
119  /* EXCEPTION_POLICY_DROP_PACKET */ false,
120  /* EXCEPTION_POLICY_DROP_FLOW */ false,
121  /* EXCEPTION_POLICY_REJECT */ true,
122  },
123  .valid_settings_ips = {
124  /* EXCEPTION_POLICY_NOT_SET */ false,
125  /* EXCEPTION_POLICY_AUTO */ false,
126  /* EXCEPTION_POLICY_PASS_PACKET */ true,
127  /* EXCEPTION_POLICY_PASS_FLOW */ false,
128  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
129  /* EXCEPTION_POLICY_DROP_PACKET */ true,
130  /* EXCEPTION_POLICY_DROP_FLOW */ false,
131  /* EXCEPTION_POLICY_REJECT */ true,
132  },
133 };
134 // clang-format on
135 
136 /**
137  * \brief Initialize PacketAlerts with dynamic alerts array size
138  *
139  */
141 {
142  PacketAlert *pa_array = SCCalloc(packet_alert_max, sizeof(PacketAlert));
143  BUG_ON(pa_array == NULL);
144 
145  return pa_array;
146 }
147 
149 {
150  if (pa != NULL) {
151  SCFree(pa);
152  }
153 }
154 
155 static int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t,
157 
158 static int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt,
159  uint32_t len, enum DecodeTunnelProto proto)
160 {
161  switch (proto) {
162  case DECODE_TUNNEL_PPP:
163  return DecodePPP(tv, dtv, p, pkt, len);
164  case DECODE_TUNNEL_IPV4:
165  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
166  return DecodeIPV4(tv, dtv, p, pkt, (uint16_t)len);
167  case DECODE_TUNNEL_IPV6:
169  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
170  return DecodeIPV6(tv, dtv, p, pkt, (uint16_t)len);
171  case DECODE_TUNNEL_VLAN:
172  return DecodeVLAN(tv, dtv, p, pkt, len);
174  return DecodeEthernet(tv, dtv, p, pkt, len);
176  return DecodeERSPAN(tv, dtv, p, pkt, len);
178  return DecodeERSPANTypeI(tv, dtv, p, pkt, len);
179  case DECODE_TUNNEL_NSH:
180  return DecodeNSH(tv, dtv, p, pkt, len);
181  case DECODE_TUNNEL_ARP:
182  return DecodeARP(tv, dtv, p, pkt, len);
183  default:
184  SCLogDebug("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
185  break;
186  }
187  return TM_ECODE_OK;
188 }
189 
190 /**
191  * \brief Return a malloced packet.
192  */
194 {
195  PacketDestructor(p);
196  SCFree(p);
197 }
198 
199 /**
200  * \brief Finalize decoding of a packet
201  *
202  * This function needs to be call at the end of decode
203  * functions when decoding has been successful.
204  *
205  */
207 {
208  if (p->flags & PKT_IS_INVALID) {
210  }
211 }
212 
215 {
216  for (uint8_t i = 0; i < p->events.cnt; i++) {
217  const uint8_t e = p->events.events[i];
218 
220  continue;
222  continue;
224  }
225 }
226 
227 /**
228  * \brief Get a malloced packet.
229  *
230  * \retval p packet, NULL on error
231  */
233 {
234  Packet *p = SCCalloc(1, SIZE_OF_PACKET);
235  if (unlikely(p == NULL)) {
236  return NULL;
237  }
238  PacketInit(p);
240 
241  SCLogDebug("allocated a new packet only using alloc...");
242 
244  return p;
245 }
246 
247 /**
248  * \brief Return a packet to where it was allocated.
249  */
251 {
252  if (likely(p->pool != NULL)) {
255  } else {
256  PacketFree(p);
257  }
258 }
259 
260 /**
261  * \brief Get a packet. We try to get a packet from the packetpool first, but
262  * if that is empty we alloc a packet that is free'd again after
263  * processing.
264  *
265  * \retval p packet, NULL on error
266  */
268 {
269  /* try the pool first */
271 
272  if (p == NULL) {
273  /* non fatal, we're just not processing a packet then */
274  p = PacketGetFromAlloc();
275  } else {
278  }
279 
280  return p;
281 }
282 
283 inline int PacketCallocExtPkt(Packet *p, int datalen)
284 {
285  if (! p->ext_pkt) {
286  p->ext_pkt = SCCalloc(1, datalen);
287  if (unlikely(p->ext_pkt == NULL)) {
288  SET_PKT_LEN(p, 0);
289  return -1;
290  }
291  }
292  return 0;
293 }
294 
295 /**
296  * \brief Copy data to Packet payload at given offset
297  *
298  * This function copies data/payload to a Packet. It uses the
299  * space allocated at Packet creation (pointed by Packet::pkt)
300  * or allocate some memory (pointed by Packet::ext_pkt) if the
301  * data size is to big to fit in initial space (of size
302  * default_packet_size).
303  *
304  * \param Pointer to the Packet to modify
305  * \param Offset of the copy relatively to payload of Packet
306  * \param Pointer to the data to copy
307  * \param Length of the data to copy
308  */
309 inline int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
310 {
311  if (unlikely(offset + datalen > MAX_PAYLOAD_SIZE)) {
312  /* too big */
313  SET_PKT_LEN(p, 0);
314  return -1;
315  }
316 
317  /* Do we have already an packet with allocated data */
318  if (! p->ext_pkt) {
319  uint32_t newsize = offset + datalen;
320  // check overflow
321  if (newsize < offset)
322  return -1;
323  if (newsize <= default_packet_size) {
324  /* data will fit in memory allocated with packet */
325  memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
326  } else {
327  /* here we need a dynamic allocation */
329  if (unlikely(p->ext_pkt == NULL)) {
330  SET_PKT_LEN(p, 0);
331  return -1;
332  }
333  /* copy initial data */
335  /* copy data as asked */
336  memcpy(p->ext_pkt + offset, data, datalen);
337  }
338  } else {
339  memcpy(p->ext_pkt + offset, data, datalen);
340  }
341  return 0;
342 }
343 
344 /**
345  * \brief Copy data to Packet payload and set packet length
346  *
347  * \param Pointer to the Packet to modify
348  * \param Pointer to the data to copy
349  * \param Length of the data to copy
350  */
351 inline int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
352 {
353  SET_PKT_LEN(p, pktlen);
354  return PacketCopyDataOffset(p, 0, pktdata, pktlen);
355 }
356 
357 /**
358  * \brief Setup a pseudo packet (tunnel)
359  *
360  * \param parent parent packet for this pseudo pkt
361  * \param pkt raw packet data
362  * \param len packet data length
363  * \param proto protocol of the tunneled packet
364  *
365  * \retval p the pseudo packet or NULL if out of memory
366  */
368  const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
369 {
370  int ret;
371 
372  SCEnter();
373 
374  if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
376  SCReturnPtr(NULL, "Packet");
377  }
378 
379  /* get us a packet */
381  if (unlikely(p == NULL)) {
382  SCReturnPtr(NULL, "Packet");
383  }
384 
385  /* copy packet and set length, proto */
386  PacketCopyData(p, pkt, len);
387  DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
388  p->recursion_level = parent->recursion_level + 1;
390  p->nb_decoded_layers = parent->nb_decoded_layers + 1;
391  p->ts = parent->ts;
392  p->datalink = DLT_RAW;
393  p->tenant_id = parent->tenant_id;
394  p->livedev = parent->livedev;
395 
396  /* set the root ptr to the lowest layer */
397  if (parent->root != NULL) {
398  p->root = parent->root;
399  BUG_ON(parent->ttype != PacketTunnelChild);
400  } else {
401  p->root = parent;
402  parent->ttype = PacketTunnelRoot;
403  }
404  /* tell new packet it's part of a tunnel */
406 
407  ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
408  GET_PKT_LEN(p), proto);
409 
410  if (unlikely(ret != TM_ECODE_OK) ||
412  {
413  /* Not a (valid) tunnel packet */
414  SCLogDebug("tunnel packet is invalid");
415  p->root = NULL;
417  SCReturnPtr(NULL, "Packet");
418  }
419 
420  /* Update tunnel settings in parent */
421  if (parent->root == NULL) {
422  parent->ttype = PacketTunnelRoot;
423  }
424  TUNNEL_INCR_PKT_TPR(p);
425 
426  /* disable payload (not packet) inspection on the parent, as the payload
427  * is the packet we will now run through the system separately. We do
428  * check it against the ip/port/other header checks though */
429  DecodeSetNoPayloadInspectionFlag(parent);
430  SCReturnPtr(p, "Packet");
431 }
432 
433 /**
434  * \brief Setup a pseudo packet (reassembled frags)
435  *
436  * Difference with PacketPseudoPktSetup is that this func doesn't increment
437  * the recursion level. It needs to be on the same level as the frags because
438  * we run the flow engine against this and we need to get the same flow.
439  *
440  * \param parent parent packet for this pseudo pkt
441  * \param pkt raw packet data
442  * \param len packet data length
443  * \param proto protocol of the tunneled packet
444  *
445  * \retval p the pseudo packet or NULL if out of memory
446  */
447 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
448 {
449  SCEnter();
450 
451  /* get us a packet */
453  if (unlikely(p == NULL)) {
454  SCReturnPtr(NULL, "Packet");
455  }
456 
457  /* set the root ptr to the lowest layer */
458  if (parent->root != NULL) {
459  p->root = parent->root;
460  BUG_ON(parent->ttype != PacketTunnelChild);
461  } else {
462  p->root = parent;
463  // we set parent->ttype later
464  }
465  /* tell new packet it's part of a tunnel */
467 
468  /* copy packet and set length, proto */
469  if (pkt && len) {
470  PacketCopyData(p, pkt, len);
471  }
472  p->recursion_level = parent->recursion_level; /* NOT incremented */
473  p->ts = parent->ts;
474  p->tenant_id = parent->tenant_id;
475  memcpy(&p->vlan_id[0], &parent->vlan_id[0], sizeof(p->vlan_id));
476  p->vlan_idx = parent->vlan_idx;
477  p->livedev = parent->livedev;
478 
479  SCReturnPtr(p, "Packet");
480 }
481 
482 /**
483  * \brief inform defrag "parent" that a pseudo packet is
484  * now associated to it.
485  */
487 {
488  /* tell parent packet it's part of a tunnel */
489  if (parent->ttype == PacketTunnelNone)
490  parent->ttype = PacketTunnelRoot;
491 
492  /* increment tunnel packet refcnt in the root packet */
493  TUNNEL_INCR_PKT_TPR(parent);
494 
495  /* disable payload (not packet) inspection on the parent, as the payload
496  * is the packet we will now run through the system separately. We do
497  * check it against the ip/port/other header checks though */
498  DecodeSetNoPayloadInspectionFlag(parent);
499 }
500 
501 /**
502  * \note if p->flow is set, the flow is locked
503  */
505 {
506  if (PKT_IS_PSEUDOPKT(p))
507  return;
508 
509 #ifdef CAPTURE_OFFLOAD
510  /* Don't try to bypass if flow is already out or
511  * if we have failed to do it once */
512  if (p->flow) {
513  int state = p->flow->flow_state;
514  if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
515  (state == FLOW_STATE_CAPTURE_BYPASSED)) {
516  return;
517  }
518 
519  FlowBypassInfo *fc;
520 
522  if (fc == NULL) {
523  fc = SCCalloc(sizeof(FlowBypassInfo), 1);
524  if (fc) {
526  } else {
527  return;
528  }
529  }
530  }
531  if (p->BypassPacketsFlow && p->BypassPacketsFlow(p)) {
532  if (p->flow) {
533  FlowUpdateState(p->flow, FLOW_STATE_CAPTURE_BYPASSED);
534  }
535  } else {
536  if (p->flow) {
538  }
539  }
540 #else /* CAPTURE_OFFLOAD */
541  if (p->flow) {
542  int state = p->flow->flow_state;
543  if (state == FLOW_STATE_LOCAL_BYPASSED)
544  return;
546  }
547 #endif
548 }
549 
550 /** \brief switch direction of a packet */
552 {
553  if (PKT_IS_TOSERVER(p)) {
556 
560  }
561  } else {
564 
568  }
569  }
570 }
571 
572 /* counter name store */
573 static HashTable *g_counter_table = NULL;
574 static SCMutex g_counter_table_mutex = SCMUTEX_INITIALIZER;
575 
577 {
578  SCMutexLock(&g_counter_table_mutex);
579  if (g_counter_table) {
580  HashTableFree(g_counter_table);
581  g_counter_table = NULL;
582  }
583  SCMutexUnlock(&g_counter_table_mutex);
584 }
585 
586 static bool IsDefragMemcapExceptionPolicyStatsValid(enum ExceptionPolicy policy)
587 {
588  if (EngineModeIsIPS()) {
590  }
592 }
593 
594 static bool IsFlowMemcapExceptionPolicyStatsValid(enum ExceptionPolicy policy)
595 {
596  if (EngineModeIsIPS()) {
598  }
600 }
601 
603 {
604  /* register counters */
605  dtv->counter_pkts = StatsRegisterCounter("decoder.pkts", tv);
606  dtv->counter_bytes = StatsRegisterCounter("decoder.bytes", tv);
607  dtv->counter_invalid = StatsRegisterCounter("decoder.invalid", tv);
608  dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
609  dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
610  dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
611  dtv->counter_arp = StatsRegisterCounter("decoder.arp", tv);
612  dtv->counter_ethertype_unknown = StatsRegisterCounter("decoder.unknown_ethertype", tv);
613  dtv->counter_chdlc = StatsRegisterCounter("decoder.chdlc", tv);
614  dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
615  dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
616  dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
617  dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
618 
620  dtv->counter_tcp_synack = StatsRegisterCounter("tcp.synack", tv);
623 
624  dtv->counter_udp = StatsRegisterCounter("decoder.udp", tv);
625  dtv->counter_sctp = StatsRegisterCounter("decoder.sctp", tv);
626  dtv->counter_esp = StatsRegisterCounter("decoder.esp", tv);
627  dtv->counter_icmpv4 = StatsRegisterCounter("decoder.icmpv4", tv);
628  dtv->counter_icmpv6 = StatsRegisterCounter("decoder.icmpv6", tv);
629  dtv->counter_ppp = StatsRegisterCounter("decoder.ppp", tv);
630  dtv->counter_pppoe = StatsRegisterCounter("decoder.pppoe", tv);
631  dtv->counter_geneve = StatsRegisterCounter("decoder.geneve", tv);
632  dtv->counter_gre = StatsRegisterCounter("decoder.gre", tv);
633  dtv->counter_vlan = StatsRegisterCounter("decoder.vlan", tv);
634  dtv->counter_vlan_qinq = StatsRegisterCounter("decoder.vlan_qinq", tv);
635  dtv->counter_vlan_qinqinq = StatsRegisterCounter("decoder.vlan_qinqinq", tv);
636  dtv->counter_vxlan = StatsRegisterCounter("decoder.vxlan", tv);
637  dtv->counter_vntag = StatsRegisterCounter("decoder.vntag", tv);
638  dtv->counter_ieee8021ah = StatsRegisterCounter("decoder.ieee8021ah", tv);
639  dtv->counter_teredo = StatsRegisterCounter("decoder.teredo", tv);
640  dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", tv);
641  dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", tv);
642  dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", tv);
643  dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
644  dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
645  dtv->counter_max_mac_addrs_src = StatsRegisterMaxCounter("decoder.max_mac_addrs_src", tv);
646  dtv->counter_max_mac_addrs_dst = StatsRegisterMaxCounter("decoder.max_mac_addrs_dst", tv);
647  dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
648  dtv->counter_nsh = StatsRegisterMaxCounter("decoder.nsh", tv);
649  dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
651  FlowGetMemcapExceptionPolicy(), "flow.memcap_exception_policy.",
652  IsFlowMemcapExceptionPolicyStatsValid);
653 
654  dtv->counter_tcp_active_sessions = StatsRegisterCounter("tcp.active_sessions", tv);
655  dtv->counter_flow_total = StatsRegisterCounter("flow.total", tv);
656  dtv->counter_flow_active = StatsRegisterCounter("flow.active", tv);
659  dtv->counter_flow_icmp4 = StatsRegisterCounter("flow.icmpv4", tv);
660  dtv->counter_flow_icmp6 = StatsRegisterCounter("flow.icmpv6", tv);
661  dtv->counter_flow_tcp_reuse = StatsRegisterCounter("flow.tcp_reuse", tv);
662  dtv->counter_flow_get_used = StatsRegisterCounter("flow.get_used", tv);
663  dtv->counter_flow_get_used_eval = StatsRegisterCounter("flow.get_used_eval", tv);
664  dtv->counter_flow_get_used_eval_reject = StatsRegisterCounter("flow.get_used_eval_reject", tv);
665  dtv->counter_flow_get_used_eval_busy = StatsRegisterCounter("flow.get_used_eval_busy", tv);
666  dtv->counter_flow_get_used_failed = StatsRegisterCounter("flow.get_used_failed", tv);
667 
668  dtv->counter_flow_spare_sync_avg = StatsRegisterAvgCounter("flow.wrk.spare_sync_avg", tv);
669  dtv->counter_flow_spare_sync = StatsRegisterCounter("flow.wrk.spare_sync", tv);
670  dtv->counter_flow_spare_sync_incomplete = StatsRegisterCounter("flow.wrk.spare_sync_incomplete", tv);
671  dtv->counter_flow_spare_sync_empty = StatsRegisterCounter("flow.wrk.spare_sync_empty", tv);
672 
674  StatsRegisterCounter("defrag.ipv4.fragments", tv);
675  dtv->counter_defrag_ipv4_reassembled = StatsRegisterCounter("defrag.ipv4.reassembled", tv);
677  StatsRegisterCounter("defrag.ipv6.fragments", tv);
678  dtv->counter_defrag_ipv6_reassembled = StatsRegisterCounter("defrag.ipv6.reassembled", tv);
679  dtv->counter_defrag_max_hit = StatsRegisterCounter("defrag.max_trackers_reached", tv);
680  dtv->counter_defrag_no_frags = StatsRegisterCounter("defrag.max_frags_reached", tv);
681  dtv->counter_defrag_tracker_soft_reuse = StatsRegisterCounter("defrag.tracker_soft_reuse", tv);
682  dtv->counter_defrag_tracker_hard_reuse = StatsRegisterCounter("defrag.tracker_hard_reuse", tv);
683  dtv->counter_defrag_tracker_timeout = StatsRegisterCounter("defrag.wrk.tracker_timeout", tv);
684 
686  DefragGetMemcapExceptionPolicy(), "defrag.memcap_exception_policy.",
687  IsDefragMemcapExceptionPolicyStatsValid);
688 
689  for (int i = 0; i < DECODE_EVENT_MAX; i++) {
690  BUG_ON(i != (int)DEvents[i].code);
691 
693  continue;
695  continue;
696 
697  if (i < DECODE_EVENT_PACKET_MAX &&
698  strncmp(DEvents[i].event_name, "decoder.", 8) == 0)
699  {
700  SCMutexLock(&g_counter_table_mutex);
701  if (g_counter_table == NULL) {
702  g_counter_table = HashTableInit(256, StringHashFunc,
705  if (g_counter_table == NULL) {
706  FatalError("decoder counter hash "
707  "table init failed");
708  }
709  }
710 
711  char name[256];
712  char *dot = strchr(DEvents[i].event_name, '.');
713  BUG_ON(!dot);
714  snprintf(name, sizeof(name), "%s.%s",
716 
717  const char *found = HashTableLookup(g_counter_table, name, 0);
718  if (!found) {
719  char *add = SCStrdup(name);
720  if (add == NULL)
721  FatalError("decoder counter hash "
722  "table name init failed");
723  int r = HashTableAdd(g_counter_table, add, 0);
724  if (r != 0)
725  FatalError("decoder counter hash "
726  "table name add failed");
727  found = add;
728  }
730  found, tv);
731 
732  SCMutexUnlock(&g_counter_table_mutex);
733  } else {
735  DEvents[i].event_name, tv);
736  }
737  }
738 }
739 
741  const DecodeThreadVars *dtv, const Packet *p)
742 {
744  //StatsIncr(tv, dtv->counter_pkts_per_sec);
748 }
749 
750 /**
751  * \brief Debug print function for printing addresses
752  *
753  * \param Address object
754  *
755  * \todo IPv6
756  */
758 {
759  if (a == NULL)
760  return;
761 
762  switch (a->family) {
763  case AF_INET:
764  {
765  char s[16];
766  PrintInet(AF_INET, (const void *)&a->addr_data32[0], s, sizeof(s));
767  SCLogDebug("%s", s);
768  break;
769  }
770  }
771 }
772 
773 /** \brief Alloc and setup DecodeThreadVars */
775 {
776  DecodeThreadVars *dtv = NULL;
777 
778  if ((dtv = SCCalloc(1, sizeof(DecodeThreadVars))) == NULL)
779  return NULL;
780 
782 
784  SCLogError("initializing flow log API for thread failed");
786  return NULL;
787  }
788 
789  return dtv;
790 }
791 
793 {
794  if (dtv != NULL) {
795  if (dtv->app_tctx != NULL)
797 
798  if (dtv->output_flow_thread_data != NULL)
800 
801  SCFree(dtv);
802  }
803 }
804 
805 /**
806  * \brief Set data for Packet and set length when zero copy is used
807  *
808  * \param Pointer to the Packet to modify
809  * \param Pointer to the data
810  * \param Length of the data
811  */
812 inline int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
813 {
814  SET_PKT_LEN(p, pktlen);
815  if (unlikely(!pktdata)) {
816  return -1;
817  }
818  // ext_pkt cannot be const (because we sometimes copy)
819  p->ext_pkt = (uint8_t *) pktdata;
820  p->flags |= PKT_ZERO_COPY;
821 
822  return 0;
823 }
824 
825 const char *PktSrcToString(enum PktSrcEnum pkt_src)
826 {
827  const char *pkt_src_str = NULL;
828  switch (pkt_src) {
829  case PKT_SRC_WIRE:
830  pkt_src_str = "wire/pcap";
831  break;
832  case PKT_SRC_DECODER_GRE:
833  pkt_src_str = "gre tunnel";
834  break;
836  pkt_src_str = "ipv4 tunnel";
837  break;
839  pkt_src_str = "ipv6 tunnel";
840  break;
842  pkt_src_str = "teredo tunnel";
843  break;
844  case PKT_SRC_DEFRAG:
845  pkt_src_str = "defrag";
846  break;
848  pkt_src_str = "stream (detect/log)";
849  break;
850  case PKT_SRC_FFR:
851  pkt_src_str = "stream (flow timeout)";
852  break;
854  pkt_src_str = "geneve encapsulation";
855  break;
857  pkt_src_str = "vxlan encapsulation";
858  break;
860  pkt_src_str = "detect reload flush";
861  break;
863  pkt_src_str = "capture timeout flush";
864  break;
866  pkt_src_str = "shutdown flush";
867  break;
868  }
869  DEBUG_VALIDATE_BUG_ON(pkt_src_str == NULL);
870  return pkt_src_str;
871 }
872 
874 {
875  switch (r) {
877  return "decode error";
879  return "defrag error";
881  return "defrag memcap";
883  return "flow memcap";
885  return "flow drop";
887  return "stream error";
889  return "stream memcap";
891  return "stream midstream";
893  return "stream urgent";
895  return "stream reassembly";
897  return "applayer error";
899  return "applayer memcap";
901  return "rules";
903  return "threshold detection_filter";
905  return "nfq error";
907  return "tunnel packet drop";
909  case PKT_DROP_REASON_MAX:
910  return NULL;
911  }
912  return NULL;
913 }
914 
915 static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
916 {
917  switch (r) {
919  return "ips.drop_reason.decode_error";
921  return "ips.drop_reason.defrag_error";
923  return "ips.drop_reason.defrag_memcap";
925  return "ips.drop_reason.flow_memcap";
927  return "ips.drop_reason.flow_drop";
929  return "ips.drop_reason.stream_error";
931  return "ips.drop_reason.stream_memcap";
933  return "ips.drop_reason.stream_midstream";
935  return "ips.drop_reason.stream_urgent";
937  return "ips.drop_reason.stream_reassembly";
939  return "ips.drop_reason.applayer_error";
941  return "ips.drop_reason.applayer_memcap";
943  return "ips.drop_reason.rules";
945  return "ips.drop_reason.threshold_detection_filter";
947  return "ips.drop_reason.nfq_error";
949  return "ips.drop_reason.tunnel_packet_drop";
951  case PKT_DROP_REASON_MAX:
952  return NULL;
953  }
954  return NULL;
955 }
956 
957 typedef struct CaptureStats_ {
962 
965 
967 
969 {
970  if (!EngineModeIsIPS() || PKT_IS_PSEUDOPKT(p))
971  return;
972 
976  } else if (unlikely(PacketCheckAction(p, ACTION_DROP))) {
978  } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
980  } else {
982  }
985  }
986 }
987 
989 {
990  if (EngineModeIsIPS()) {
992  s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
993  s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
994  s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
995  s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
996  for (int i = PKT_DROP_REASON_NOT_SET; i < PKT_DROP_REASON_MAX; i++) {
997  const char *name = PacketDropReasonToJsonString(i);
998  if (name != NULL)
1000  }
1001  }
1002 }
1003 
1005 {
1010  intmax_t value = 0;
1011  if (ConfGetInt("decoder.max-layers", &value) == 1) {
1012  if (value < 0 || value > UINT8_MAX) {
1013  SCLogWarning("Invalid value for decoder.max-layers");
1014  } else {
1015  decoder_max_layers = (uint8_t)value;
1016  }
1017  }
1019 }
1020 
1022 {
1023  intmax_t max = 0;
1024  if (ConfGetInt("packet-alert-max", &max) == 1) {
1025  if (max <= 0 || max > UINT8_MAX) {
1026  SCLogWarning("Invalid value for packet-alert-max, default value set instead");
1027  } else {
1028  packet_alert_max = (uint16_t)max;
1029  }
1030  }
1031  SCLogDebug("detect->packet_alert_max set to %d", packet_alert_max);
1032 }
1033 
1034 /**
1035  * @}
1036  */
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
DecodeThreadVars_::counter_flow_get_used_eval_busy
uint16_t counter_flow_get_used_eval_busy
Definition: decode.h:1009
PKT_DROP_REASON_DEFRAG_MEMCAP
@ PKT_DROP_REASON_DEFRAG_MEMCAP
Definition: decode.h:363
PKT_DROP_REASON_DEFRAG_ERROR
@ PKT_DROP_REASON_DEFRAG_ERROR
Definition: decode.h:362
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
DecodeThreadVars_::counter_defrag_ipv4_reassembled
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:985
util-hash-string.h
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:369
DecodeThreadVars_::counter_ethertype_unknown
uint16_t counter_ethertype_unknown
Definition: decode.h:959
DecodeThreadVars_::counter_flow_udp
uint16_t counter_flow_udp
Definition: decode.h:1002
len
uint8_t len
Definition: app-layer-dnp3.h:2
DecodeThreadVars_::counter_bytes
uint16_t counter_bytes
Definition: decode.h:938
DECODE_TUNNEL_IPV6
@ DECODE_TUNNEL_IPV6
Definition: decode.h:1072
CaptureStats_::counter_ips_blocked
uint16_t counter_ips_blocked
Definition: decode.c:959
decode-erspan.h
decode-vxlan.h
DecodeThreadVars_::counter_eth
uint16_t counter_eth
Definition: decode.h:946
DecodeThreadVars_::counter_flow_active
uint16_t counter_flow_active
Definition: decode.h:1000
OutputFlowLogThreadInit
TmEcode OutputFlowLogThreadInit(ThreadVars *tv, void **data)
thread init for the flow logger This will run the thread init functions for the individual registered...
Definition: output-flow.c:123
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:76
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:250
DECODE_EVENT_MAX
@ DECODE_EVENT_MAX
Definition: decode-events.h:311
DecodeThreadVars_::counter_flow_icmp4
uint16_t counter_flow_icmp4
Definition: decode.h:1003
DecodeThreadVars_::counter_vxlan
uint16_t counter_vxlan
Definition: decode.h:972
DecodeThreadVars_::counter_max_pkt_size
uint16_t counter_max_pkt_size
Definition: decode.h:940
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ppp.c:174
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:351
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:504
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
DecodeThreadVars_::counter_avg_pkt_size
uint16_t counter_avg_pkt_size
Definition: decode.h:939
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:53
PacketPoolReturnPacket
void PacketPoolReturnPacket(Packet *p)
Return packet to Packet pool.
Definition: tmqh-packetpool.c:177
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:214
FlowBypassInfo_
Definition: flow.h:531
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PKT_DROP_REASON_STREAM_MEMCAP
@ PKT_DROP_REASON_STREAM_MEMCAP
Definition: decode.h:371
DecodeNSH
int DecodeNSH(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Function to decode NSH packets.
Definition: decode-nsh.c:46
PKT_DROP_REASON_FLOW_MEMCAP
@ PKT_DROP_REASON_FLOW_MEMCAP
Definition: decode.h:364
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:104
CaptureStatsSetup
void CaptureStatsSetup(ThreadVars *tv)
Definition: decode.c:988
PacketDropReasonToString
const char * PacketDropReasonToString(enum PacketDropReason r)
Definition: decode.c:873
PacketEngineEvents_::events
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:287
CaptureStats_
Definition: decode.c:957
PKT_STREAM_MODIFIED
#define PKT_STREAM_MODIFIED
Definition: decode.h:1273
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:1073
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PKT_SRC_SHUTDOWN_FLUSH
@ PKT_SRC_SHUTDOWN_FLUSH
Definition: decode.h:63
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:757
PKT_SRC_DECODER_IPV4
@ PKT_SRC_DECODER_IPV4
Definition: decode.h:53
DecodeThreadVars_::counter_flow_spare_sync_avg
uint16_t counter_flow_spare_sync_avg
Definition: decode.h:1015
PacketDefragPktSetup
Packet * PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:447
stats_stream_events
bool stats_stream_events
Definition: counters.c:104
PKT_ZERO_COPY
#define PKT_ZERO_COPY
Definition: decode.h:1286
PKT_SRC_CAPTURE_TIMEOUT
@ PKT_SRC_CAPTURE_TIMEOUT
Definition: decode.h:61
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:513
PacketAlertCreate
PacketAlert * PacketAlertCreate(void)
Initialize PacketAlerts with dynamic alerts array size.
Definition: decode.c:140
DecodeThreadVars_::counter_vntag
uint16_t counter_vntag
Definition: decode.h:973
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:504
DecodeThreadVars_::counter_flow_get_used_eval
uint16_t counter_flow_get_used_eval
Definition: decode.h:1007
util-hash.h
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:48
CaptureStats
struct CaptureStats_ CaptureStats
StatsSetUI64
void StatsSetUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Sets a value of type double to the local counter.
Definition: counters.c:207
Packet_::pool
struct PktPool_ * pool
Definition: decode.h:639
DecodeThreadVars_::counter_tcp_synack
uint16_t counter_tcp_synack
Definition: decode.h:952
PKT_DROP_REASON_MAX
@ PKT_DROP_REASON_MAX
Definition: decode.h:377
PKT_DROP_REASON_STREAM_REASSEMBLY
@ PKT_DROP_REASON_STREAM_REASSEMBLY
Definition: decode.h:373
DECODE_TUNNEL_ERSPANI
@ DECODE_TUNNEL_ERSPANI
Definition: decode.h:1069
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:976
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:980
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:309
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:962
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
HashTable_
Definition: util-hash.h:35
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
Address_
Definition: decode.h:108
flow_memcap_eps_stats
ExceptionPolicyStatsSetts flow_memcap_eps_stats
Definition: decode.c:112
DecodeARP
int DecodeARP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-arp.c:29
DecodeThreadVars_::counter_arp
uint16_t counter_arp
Definition: decode.h:958
DecodeThreadVars_::counter_flow_tcp
uint16_t counter_flow_tcp
Definition: decode.h:1001
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:206
proto
uint8_t proto
Definition: decode-template.h:0
PacketAlertGetMaxConfig
void PacketAlertGetMaxConfig(void)
Definition: decode.c:1021
decoder_max_layers
uint8_t decoder_max_layers
Definition: decode.c:81
DecodeThreadVars_::counter_tcp_active_sessions
uint16_t counter_tcp_active_sessions
Definition: decode.h:998
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:507
StringHashCompareFunc
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
Definition: util-hash-string.c:38
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:563
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:314
DecodeVXLANConfig
void DecodeVXLANConfig(void)
Definition: decode-vxlan.c:98
PacketDropReason
PacketDropReason
Definition: decode.h:359
DecodeThreadVars_::counter_max_mac_addrs_src
uint16_t counter_max_mac_addrs_src
Definition: decode.h:941
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:576
GET_PKT_DIRECT_MAX_SIZE
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:207
DecodeThreadVars_::counter_flow_get_used
uint16_t counter_flow_get_used
Definition: decode.h:1006
PacketTunnelChild
@ PacketTunnelChild
Definition: decode.h:383
tmqh-packetpool.h
StringHashFunc
uint32_t StringHashFunc(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash-string.c:33
Packet_::events
PacketEngineEvents events
Definition: decode.h:599
PacketAlertFree
void PacketAlertFree(PacketAlert *pa)
Definition: decode.c:148
DECODE_EVENT_PACKET_MAX
@ DECODE_EVENT_PACKET_MAX
Definition: decode-events.h:224
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
HashTableFree
void HashTableFree(HashTable *ht)
Definition: util-hash.c:78
DecodeThreadVars_::counter_flow_spare_sync_empty
uint16_t counter_flow_spare_sync_empty
Definition: decode.h:1013
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:417
DecodeThreadVars_::counter_flow_tcp_reuse
uint16_t counter_flow_tcp_reuse
Definition: decode.h:1005
PKT_DROP_REASON_STREAM_URG
@ PKT_DROP_REASON_STREAM_URG
Definition: decode.h:374
DECODE_TUNNEL_NSH
@ DECODE_TUNNEL_NSH
Definition: decode.h:1075
DecodeThreadVars_::counter_flow_total
uint16_t counter_flow_total
Definition: decode.h:999
Packet_::datalink
int datalink
Definition: decode.h:608
PKT_DEFAULT_MAX_DECODED_LAYERS
#define PKT_DEFAULT_MAX_DECODED_LAYERS
Definition: decode.h:1326
stats_decoder_events_prefix
const char * stats_decoder_events_prefix
Definition: counters.c:102
DLT_RAW
#define DLT_RAW
Definition: decode.h:1224
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:602
DecodeThreadVars_::counter_flow_spare_sync
uint16_t counter_flow_spare_sync
Definition: decode.h:1012
DECODE_TUNNEL_ERSPANII
@ DECODE_TUNNEL_ERSPANII
Definition: decode.h:1068
DecodeThreadVars_::counter_defrag_tracker_timeout
uint16_t counter_defrag_tracker_timeout
Definition: decode.h:992
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:209
DecodeThreadVars_::counter_ipv6inipv6
uint16_t counter_ipv6inipv6
Definition: decode.h:979
StatsRegisterMaxCounter
uint16_t StatsRegisterMaxCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the maximum of all the values assigned to it.
Definition: counters.c:991
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:509
decode.h
util-debug.h
DecodeThreadVars_::counter_flow_get_used_failed
uint16_t counter_flow_get_used_failed
Definition: decode.h:1010
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:51
CaptureStats_::counter_ips_rejected
uint16_t counter_ips_rejected
Definition: decode.c:960
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
DecodeThreadVars_::counter_icmpv4
uint16_t counter_icmpv4
Definition: decode.h:956
DecodeThreadVars_::counter_ppp
uint16_t counter_ppp
Definition: decode.h:966
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:65
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
Packet_::ts
SCTime_t ts
Definition: decode.h:524
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:366
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:551
util-exception-policy.h
DecodeThreadVars_::counter_tcp_rst
uint16_t counter_tcp_rst
Definition: decode.h:953
PktSrcEnum
PktSrcEnum
Definition: decode.h:50
PKT_DROP_REASON_NOT_SET
@ PKT_DROP_REASON_NOT_SET
Definition: decode.h:360
DecodeTunnelProto
DecodeTunnelProto
Definition: decode.h:1066
PacketDestructor
void PacketDestructor(Packet *p)
Cleanup a packet so that we can free it. No memset needed..
Definition: packet.c:152
CaptureStatsUpdate
void CaptureStatsUpdate(ThreadVars *tv, const Packet *p)
Definition: decode.c:968
util-print.h
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:55
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
ExceptionPolicySetStatsCounters
void ExceptionPolicySetStatsCounters(ThreadVars *tv, ExceptionPolicyCounters *counter, ExceptionPolicyStatsSetts *setting, enum ExceptionPolicy conf_policy, const char *default_str, bool(*isExceptionPolicyValid)(enum ExceptionPolicy))
Definition: util-exception-policy.c:298
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:183
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:230
DECODE_TUNNEL_PPP
@ DECODE_TUNNEL_PPP
Definition: decode.h:1074
FLOW_PKT_TOCLIENT_FIRST
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:238
FlowSetStorageById
int FlowSetStorageById(Flow *f, FlowStorageId id, void *ptr)
Definition: flow-storage.c:45
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:193
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:825
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:50
DecodeThreadVars_::counter_vlan_qinq
uint16_t counter_vlan_qinq
Definition: decode.h:970
DecodeThreadVars_::counter_defrag_tracker_hard_reuse
uint16_t counter_defrag_tracker_hard_reuse
Definition: decode.h:991
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:104
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:672
StringHashFreeFunc
void StringHashFreeFunc(void *data)
Definition: util-hash-string.c:51
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:368
util-profiling.h
PacketCallocExtPkt
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:283
PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
@ PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
Definition: decode.h:58
DECODE_TUNNEL_VLAN
@ DECODE_TUNNEL_VLAN
Definition: decode.h:1070
DecodeThreadVars_::counter_tcp_urg
uint16_t counter_tcp_urg
Definition: decode.h:954
PKT_SRC_DECODER_IPV6
@ PKT_SRC_DECODER_IPV6
Definition: decode.h:54
CaptureStats_::counter_ips_accepted
uint16_t counter_ips_accepted
Definition: decode.c:958
Packet_
Definition: decode.h:476
DecodeThreadVars_::counter_nsh
uint16_t counter_nsh
Definition: decode.h:981
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
DECODE_TUNNEL_IPV4
@ DECODE_TUNNEL_IPV4
Definition: decode.h:1071
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
DecodeThreadVars_::app_tctx
AppLayerThreadCtx * app_tctx
Definition: decode.h:934
decode-teredo.h
DecodeThreadVars_::counter_sll
uint16_t counter_sll
Definition: decode.h:961
PKT_DROP_REASON_STREAM_ERROR
@ PKT_DROP_REASON_STREAM_ERROR
Definition: decode.h:370
DecodeThreadVars_::counter_sctp
uint16_t counter_sctp
Definition: decode.h:964
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:587
DecodeThreadVars_::counter_invalid
uint16_t counter_invalid
Definition: decode.h:944
DecodeThreadVars_::counter_ieee8021ah
uint16_t counter_ieee8021ah
Definition: decode.h:974
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1060
DecodeThreadVars_::counter_ipv4inipv6
uint16_t counter_ipv4inipv6
Definition: decode.h:978
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:969
DECODE_TUNNEL_ETHERNET
@ DECODE_TUNNEL_ETHERNET
Definition: decode.h:1067
DecodeThreadVars_::counter_tcp
uint16_t counter_tcp
Definition: decode.h:950
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
DecodeThreadVars_::counter_pkts
uint16_t counter_pkts
Definition: decode.h:937
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1161
PacketTunnelNone
@ PacketTunnelNone
Definition: decode.h:381
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
DecodeThreadVars_::counter_defrag_memcap_eps
ExceptionPolicyCounters counter_defrag_memcap_eps
Definition: decode.h:993
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
Packet_::nb_decoded_layers
uint8_t nb_decoded_layers
Definition: decode.h:613
PKT_SRC_DECODER_GENEVE
@ PKT_SRC_DECODER_GENEVE
Definition: decode.h:62
DecodeThreadVars_::counter_chdlc
uint16_t counter_chdlc
Definition: decode.h:947
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:560
flow-storage.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:515
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:634
PKT_DROP_REASON_INNER_PACKET
@ PKT_DROP_REASON_INNER_PACKET
Definition: decode.h:376
FlowGetMemcapExceptionPolicy
enum ExceptionPolicy FlowGetMemcapExceptionPolicy(void)
Definition: flow.c:132
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:792
DecodeThreadVars_::counter_flow_spare_sync_incomplete
uint16_t counter_flow_spare_sync_incomplete
Definition: decode.h:1014
PKT_DROP_REASON_APPLAYER_MEMCAP
@ PKT_DROP_REASON_APPLAYER_MEMCAP
Definition: decode.h:367
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:1004
suricata-common.h
PKT_SRC_FFR
@ PKT_SRC_FFR
Definition: decode.h:57
decode-arp.h
DecodeThreadVars_::counter_flow_icmp6
uint16_t counter_flow_icmp6
Definition: decode.h:1004
DecodeThreadVars_::counter_ipv6
uint16_t counter_ipv6
Definition: decode.h:949
packet.h
CaptureStats_::counter_ips_replaced
uint16_t counter_ips_replaced
Definition: decode.c:961
DecodeThreadVars_::counter_gre
uint16_t counter_gre
Definition: decode.h:968
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DecodeThreadVars_::counter_esp
uint16_t counter_esp
Definition: decode.h:965
Packet_::ext_pkt
uint8_t * ext_pkt
Definition: decode.h:584
PKT_DROP_REASON_NFQ_ERROR
@ PKT_DROP_REASON_NFQ_ERROR
Definition: decode.h:375
DecodeThreadVars_::counter_defrag_no_frags
uint16_t counter_defrag_no_frags
Definition: decode.h:989
DecodeThreadVars_::counter_defrag_ipv6_reassembled
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:987
DecodeThreadVars_::counter_udp
uint16_t counter_udp
Definition: decode.h:955
Packet_::ttype
enum PacketTunnelType ttype
Definition: decode.h:522
PacketUpdateEngineEventCounters
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:213
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
CaptureStats_::counter_drop_reason
uint16_t counter_drop_reason[PKT_DROP_REASON_MAX]
Definition: decode.c:963
DecodeThreadVars_::counter_flow_memcap_eps
ExceptionPolicyCounters counter_flow_memcap_eps
Definition: decode.h:996
FatalError
#define FatalError(...)
Definition: util-debug.h:502
decode-geneve.h
PKT_SRC_DEFRAG
@ PKT_SRC_DEFRAG
Definition: decode.h:56
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DecodeThreadVars_::counter_ipv4
uint16_t counter_ipv4
Definition: decode.h:948
PACKET_PROFILING_START
#define PACKET_PROFILING_START(p)
Definition: util-profiling.h:73
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
defrag_memcap_eps_stats
ExceptionPolicyStatsSetts defrag_memcap_eps_stats
Definition: decode.c:86
PKT_SRC_DECODER_VXLAN
@ PKT_SRC_DECODER_VXLAN
Definition: decode.h:59
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
PACKET_ALERT_MAX
#define PACKET_ALERT_MAX
Definition: decode.h:264
Packet_::root
struct Packet_ * root
Definition: decode.h:622
DecodeThreadVars_::counter_pppoe
uint16_t counter_pppoe
Definition: decode.h:975
DecodeThreadVars_::counter_mpls
uint16_t counter_mpls
Definition: decode.h:977
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
OutputFlowLogThreadDeinit
TmEcode OutputFlowLogThreadDeinit(ThreadVars *tv, void *thread_data)
Definition: output-flow.c:163
PKT_SRC_DETECT_RELOAD_FLUSH
@ PKT_SRC_DETECT_RELOAD_FLUSH
Definition: decode.h:60
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:932
MAX_PAYLOAD_SIZE
#define MAX_PAYLOAD_SIZE
Definition: decode.h:670
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:51
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1081
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:501
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:1021
DecodeThreadVars_::counter_geneve
uint16_t counter_geneve
Definition: decode.h:967
DecodeThreadVars_::counter_max_mac_addrs_dst
uint16_t counter_max_mac_addrs_dst
Definition: decode.h:942
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:774
DecodeThreadVars_::counter_defrag_max_hit
uint16_t counter_defrag_max_hit
Definition: decode.h:988
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
PacketSetData
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zero copy is used.
Definition: decode.c:812
PacketPoolGetPacket
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
Definition: tmqh-packetpool.c:127
DecodeThreadVars_::counter_vlan_qinqinq
uint16_t counter_vlan_qinqinq
Definition: decode.h:971
GET_PKT_DIRECT_DATA
#define GET_PKT_DIRECT_DATA(p)
Definition: decode.h:206
DecodeThreadVars_::counter_null
uint16_t counter_null
Definition: decode.h:963
t_capture_stats
thread_local CaptureStats t_capture_stats
Definition: decode.c:966
DecodeThreadVars_::counter_icmpv6
uint16_t counter_icmpv6
Definition: decode.h:957
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:228
defrag-hash.h
Packet_::drop_reason
uint8_t drop_reason
Definition: decode.h:616
Address_::family
char family
Definition: decode.h:109
PKT_SRC_DECODER_GRE
@ PKT_SRC_DECODER_GRE
Definition: decode.h:52
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1158
PacketAlert_
Definition: decode.h:239
DecodeGeneveConfig
void DecodeGeneveConfig(void)
Definition: decode-geneve.c:128
DecodeThreadVars_::counter_flow_memcap
uint16_t counter_flow_memcap
Definition: decode.h:995
DecodeThreadVars_::counter_defrag_ipv6_fragments
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:986
PacketTunnelRoot
@ PacketTunnelRoot
Definition: decode.h:382
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:82
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:503
DECODE_TUNNEL_ARP
@ DECODE_TUNNEL_ARP
Definition: decode.h:1076
likely
#define likely(expr)
Definition: util-optimize.h:32
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:971
PacketDefragPktSetupParent
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now associated to it.
Definition: decode.c:486
DecodeThreadVars_::counter_tcp_syn
uint16_t counter_tcp_syn
Definition: decode.h:951
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:367
stats_decoder_events
bool stats_decoder_events
Definition: counters.c:101
flow.h
PKT_DROP_REASON_STREAM_MIDSTREAM
@ PKT_DROP_REASON_STREAM_MIDSTREAM
Definition: decode.h:372
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:520
PacketInit
void PacketInit(Packet *p)
Initialize a packet structure for use.
Definition: packet.c:63
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
GENERIC_TOO_MANY_LAYERS
@ GENERIC_TOO_MANY_LAYERS
Definition: decode-events.h:221
DecodeThreadVars_::counter_flow_get_used_eval_reject
uint16_t counter_flow_get_used_eval_reject
Definition: decode.h:1008
DecodeVLAN
int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-vlan.c:54
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:237
DefragGetMemcapExceptionPolicy
enum ExceptionPolicy DefragGetMemcapExceptionPolicy(void)
Definition: defrag-hash.c:80
SCMutex
#define SCMutex
Definition: threads-debug.h:114
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:267
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
PKT_DROP_REASON_FLOW_DROP
@ PKT_DROP_REASON_FLOW_DROP
Definition: decode.h:365
WARN_UNUSED
#define WARN_UNUSED
Definition: suricata-common.h:403
PKT_IS_INVALID
#define PKT_IS_INVALID
Definition: decode.h:1293
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:740
DecodeThreadVars_::counter_engine_events
uint16_t counter_engine_events[DECODE_EVENT_MAX]
Definition: decode.h:1017
output.h
DecodeThreadVars_::counter_defrag_tracker_soft_reuse
uint16_t counter_defrag_tracker_soft_reuse
Definition: decode.h:990
app-layer.h
PKT_DROP_REASON_DECODE_ERROR
@ PKT_DROP_REASON_DECODE_ERROR
Definition: decode.h:361
DecodeThreadVars_::counter_defrag_ipv4_fragments
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:984
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:286