suricata
decode.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \defgroup decode Packet decoding
20  *
21  * \brief Code in charge of protocol decoding
22  *
23  * The task of decoding packets is made in different files and
24  * as Suricata is supporting encapsulation there is a potential
25  * recursivity in the call.
26  *
27  * For each protocol a DecodePROTO function is provided. For
28  * example we have DecodeIPV4() for IPv4 and DecodePPP() for
29  * PPP.
30  *
31  * These functions have all a pkt and a len argument which
32  * are respectively a pointer to the protocol data and the length
33  * of this protocol data.
34  *
35  * \attention The pkt parameter must point to the effective data because
36  * it will be used later to set per protocol pointer like Packet::tcph
37  *
38  * @{
39  */
40 
41 
42 /**
43  * \file
44  *
45  * \author Victor Julien <victor@inliniac.net>
46  *
47  * Decode the raw packet
48  */
49 
50 #include "suricata-common.h"
51 #include "decode.h"
52 
53 #include "packet.h"
54 #include "flow.h"
55 #include "flow-storage.h"
56 #include "tmqh-packetpool.h"
57 #include "app-layer.h"
58 #include "output.h"
59 
60 #include "decode-vxlan.h"
61 #include "decode-geneve.h"
62 #include "decode-erspan.h"
63 #include "decode-teredo.h"
64 #include "decode-arp.h"
65 
66 #include "defrag-hash.h"
67 
68 #include "util-hash.h"
69 #include "util-hash-string.h"
70 #include "util-print.h"
71 #include "util-profiling.h"
72 #include "util-validate.h"
73 #include "util-debug.h"
74 #include "util-exception-policy.h"
75 #include "action-globals.h"
76 
77 uint32_t default_packet_size = 0;
78 extern bool stats_decoder_events;
79 extern const char *stats_decoder_events_prefix;
80 extern bool stats_stream_events;
83 
84 /* Settings order as in the enum */
85 // clang-format off
88  /* EXCEPTION_POLICY_NOT_SET */ false,
89  /* EXCEPTION_POLICY_AUTO */ false,
90  /* EXCEPTION_POLICY_PASS_PACKET */ true,
91  /* EXCEPTION_POLICY_PASS_FLOW */ false,
92  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
93  /* EXCEPTION_POLICY_DROP_PACKET */ false,
94  /* EXCEPTION_POLICY_DROP_FLOW */ false,
95  /* EXCEPTION_POLICY_REJECT */ true,
96  },
97  .valid_settings_ips = {
98  /* EXCEPTION_POLICY_NOT_SET */ false,
99  /* EXCEPTION_POLICY_AUTO */ false,
100  /* EXCEPTION_POLICY_PASS_PACKET */ true,
101  /* EXCEPTION_POLICY_PASS_FLOW */ false,
102  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
103  /* EXCEPTION_POLICY_DROP_PACKET */ true,
104  /* EXCEPTION_POLICY_DROP_FLOW */ false,
105  /* EXCEPTION_POLICY_REJECT */ true,
106  },
107 };
108 // clang-format on
109 
110 /* Settings order as in the enum */
111 // clang-format off
113  .valid_settings_ids = {
114  /* EXCEPTION_POLICY_NOT_SET */ false,
115  /* EXCEPTION_POLICY_AUTO */ false,
116  /* EXCEPTION_POLICY_PASS_PACKET */ true,
117  /* EXCEPTION_POLICY_PASS_FLOW */ false,
118  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
119  /* EXCEPTION_POLICY_DROP_PACKET */ false,
120  /* EXCEPTION_POLICY_DROP_FLOW */ false,
121  /* EXCEPTION_POLICY_REJECT */ true,
122  },
123  .valid_settings_ips = {
124  /* EXCEPTION_POLICY_NOT_SET */ false,
125  /* EXCEPTION_POLICY_AUTO */ false,
126  /* EXCEPTION_POLICY_PASS_PACKET */ true,
127  /* EXCEPTION_POLICY_PASS_FLOW */ false,
128  /* EXCEPTION_POLICY_BYPASS_FLOW */ true,
129  /* EXCEPTION_POLICY_DROP_PACKET */ true,
130  /* EXCEPTION_POLICY_DROP_FLOW */ false,
131  /* EXCEPTION_POLICY_REJECT */ true,
132  },
133 };
134 // clang-format on
135 
136 /**
137  * \brief Initialize PacketAlerts with dynamic alerts array size
138  *
139  */
141 {
142  PacketAlert *pa_array = SCCalloc(packet_alert_max, sizeof(PacketAlert));
143  BUG_ON(pa_array == NULL);
144 
145  return pa_array;
146 }
147 
149 {
150  if (pa != NULL) {
151  SCFree(pa);
152  }
153 }
154 
155 static int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t,
157 
158 static int DecodeTunnel(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt,
159  uint32_t len, enum DecodeTunnelProto proto)
160 {
161  switch (proto) {
162  case DECODE_TUNNEL_PPP:
163  return DecodePPP(tv, dtv, p, pkt, len);
164  case DECODE_TUNNEL_IPV4:
165  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
166  return DecodeIPV4(tv, dtv, p, pkt, (uint16_t)len);
167  case DECODE_TUNNEL_IPV6:
169  DEBUG_VALIDATE_BUG_ON(len > UINT16_MAX);
170  return DecodeIPV6(tv, dtv, p, pkt, (uint16_t)len);
171  case DECODE_TUNNEL_VLAN:
172  return DecodeVLAN(tv, dtv, p, pkt, len);
174  return DecodeEthernet(tv, dtv, p, pkt, len);
176  return DecodeERSPAN(tv, dtv, p, pkt, len);
178  return DecodeERSPANTypeI(tv, dtv, p, pkt, len);
179  case DECODE_TUNNEL_NSH:
180  return DecodeNSH(tv, dtv, p, pkt, len);
181  case DECODE_TUNNEL_ARP:
182  return DecodeARP(tv, dtv, p, pkt, len);
183  default:
184  SCLogDebug("FIXME: DecodeTunnel: protocol %" PRIu32 " not supported.", proto);
185  break;
186  }
187  return TM_ECODE_OK;
188 }
189 
190 /**
191  * \brief Return a malloced packet.
192  */
194 {
195  PacketDestructor(p);
196  SCFree(p);
197 }
198 
199 /**
200  * \brief Finalize decoding of a packet
201  *
202  * This function needs to be call at the end of decode
203  * functions when decoding has been successful.
204  *
205  */
207 {
208  if (p->flags & PKT_IS_INVALID) {
210  }
211 }
212 
215 {
216  for (uint8_t i = 0; i < p->events.cnt; i++) {
217  const uint8_t e = p->events.events[i];
218 
220  continue;
222  continue;
224  }
225 }
226 
227 /**
228  * \brief Get a malloced packet.
229  *
230  * \retval p packet, NULL on error
231  */
233 {
234  Packet *p = SCCalloc(1, SIZE_OF_PACKET);
235  if (unlikely(p == NULL)) {
236  return NULL;
237  }
238  PacketInit(p);
240 
241  SCLogDebug("allocated a new packet only using alloc...");
242 
244  return p;
245 }
246 
247 /**
248  * \brief Return a packet to where it was allocated.
249  */
251 {
252  if (likely(p->pool != NULL)) {
255  } else {
256  PacketFree(p);
257  }
258 }
259 
260 /**
261  * \brief Get a packet. We try to get a packet from the packetpool first, but
262  * if that is empty we alloc a packet that is free'd again after
263  * processing.
264  *
265  * \retval p packet, NULL on error
266  */
268 {
269  /* try the pool first */
271 
272  if (p == NULL) {
273  /* non fatal, we're just not processing a packet then */
274  p = PacketGetFromAlloc();
275  } else {
278  }
279 
280  return p;
281 }
282 
283 inline int PacketCallocExtPkt(Packet *p, int datalen)
284 {
285  if (! p->ext_pkt) {
286  p->ext_pkt = SCCalloc(1, datalen);
287  if (unlikely(p->ext_pkt == NULL)) {
288  SET_PKT_LEN(p, 0);
289  return -1;
290  }
291  }
292  return 0;
293 }
294 
295 /**
296  * \brief Copy data to Packet payload at given offset
297  *
298  * This function copies data/payload to a Packet. It uses the
299  * space allocated at Packet creation (pointed by Packet::pkt)
300  * or allocate some memory (pointed by Packet::ext_pkt) if the
301  * data size is to big to fit in initial space (of size
302  * default_packet_size).
303  *
304  * \param Pointer to the Packet to modify
305  * \param Offset of the copy relatively to payload of Packet
306  * \param Pointer to the data to copy
307  * \param Length of the data to copy
308  */
309 inline int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
310 {
311  if (unlikely(offset + datalen > MAX_PAYLOAD_SIZE)) {
312  /* too big */
313  SET_PKT_LEN(p, 0);
314  return -1;
315  }
316 
317  /* Do we have already an packet with allocated data */
318  if (! p->ext_pkt) {
319  uint32_t newsize = offset + datalen;
320  // check overflow
321  if (newsize < offset)
322  return -1;
323  if (newsize <= default_packet_size) {
324  /* data will fit in memory allocated with packet */
325  memcpy(GET_PKT_DIRECT_DATA(p) + offset, data, datalen);
326  } else {
327  /* here we need a dynamic allocation */
329  if (unlikely(p->ext_pkt == NULL)) {
330  SET_PKT_LEN(p, 0);
331  return -1;
332  }
333  /* copy initial data */
335  /* copy data as asked */
336  memcpy(p->ext_pkt + offset, data, datalen);
337  }
338  } else {
339  memcpy(p->ext_pkt + offset, data, datalen);
340  }
341  return 0;
342 }
343 
344 /**
345  * \brief Copy data to Packet payload and set packet length
346  *
347  * \param Pointer to the Packet to modify
348  * \param Pointer to the data to copy
349  * \param Length of the data to copy
350  */
351 inline int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
352 {
353  SET_PKT_LEN(p, pktlen);
354  return PacketCopyDataOffset(p, 0, pktdata, pktlen);
355 }
356 
357 /**
358  * \brief Setup a pseudo packet (tunnel)
359  *
360  * \param parent parent packet for this pseudo pkt
361  * \param pkt raw packet data
362  * \param len packet data length
363  * \param proto protocol of the tunneled packet
364  *
365  * \retval p the pseudo packet or NULL if out of memory
366  */
368  const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
369 {
370  int ret;
371 
372  SCEnter();
373 
374  if (parent->nb_decoded_layers + 1 >= decoder_max_layers) {
376  SCReturnPtr(NULL, "Packet");
377  }
378 
379  /* get us a packet */
381  if (unlikely(p == NULL)) {
382  SCReturnPtr(NULL, "Packet");
383  }
384 
385  /* copy packet and set length, proto */
386  PacketCopyData(p, pkt, len);
387  DEBUG_VALIDATE_BUG_ON(parent->recursion_level == 255);
388  p->recursion_level = parent->recursion_level + 1;
390  p->nb_decoded_layers = parent->nb_decoded_layers + 1;
391  p->ts = parent->ts;
392  p->datalink = DLT_RAW;
393  p->tenant_id = parent->tenant_id;
394  p->livedev = parent->livedev;
395 
396  /* set the root ptr to the lowest layer */
397  if (parent->root != NULL) {
398  p->root = parent->root;
399  BUG_ON(parent->ttype != PacketTunnelChild);
400  } else {
401  p->root = parent;
402  parent->ttype = PacketTunnelRoot;
403  }
404  /* tell new packet it's part of a tunnel */
406 
407  ret = DecodeTunnel(tv, dtv, p, GET_PKT_DATA(p),
408  GET_PKT_LEN(p), proto);
409 
410  if (unlikely(ret != TM_ECODE_OK) ||
412  {
413  /* Not a (valid) tunnel packet */
414  SCLogDebug("tunnel packet is invalid");
415  p->root = NULL;
417  SCReturnPtr(NULL, "Packet");
418  }
419 
420  /* Update tunnel settings in parent */
421  if (parent->root == NULL) {
422  parent->ttype = PacketTunnelRoot;
423  }
424  TUNNEL_INCR_PKT_TPR(p);
425 
426  /* disable payload (not packet) inspection on the parent, as the payload
427  * is the packet we will now run through the system separately. We do
428  * check it against the ip/port/other header checks though */
429  DecodeSetNoPayloadInspectionFlag(parent);
430  SCReturnPtr(p, "Packet");
431 }
432 
433 /**
434  * \brief Setup a pseudo packet (reassembled frags)
435  *
436  * Difference with PacketPseudoPktSetup is that this func doesn't increment
437  * the recursion level. It needs to be on the same level as the frags because
438  * we run the flow engine against this and we need to get the same flow.
439  *
440  * \param parent parent packet for this pseudo pkt
441  * \param pkt raw packet data
442  * \param len packet data length
443  * \param proto protocol of the tunneled packet
444  *
445  * \retval p the pseudo packet or NULL if out of memory
446  */
447 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
448 {
449  SCEnter();
450 
451  /* get us a packet */
453  if (unlikely(p == NULL)) {
454  SCReturnPtr(NULL, "Packet");
455  }
456 
457  /* set the root ptr to the lowest layer */
458  if (parent->root != NULL) {
459  p->root = parent->root;
460  BUG_ON(parent->ttype != PacketTunnelChild);
461  } else {
462  p->root = parent;
463  // we set parent->ttype later
464  }
465  /* tell new packet it's part of a tunnel */
467 
468  /* copy packet and set length, proto */
469  if (pkt && len) {
470  PacketCopyData(p, pkt, len);
471  }
472  p->recursion_level = parent->recursion_level; /* NOT incremented */
473  p->ts = parent->ts;
474  p->tenant_id = parent->tenant_id;
475  memcpy(&p->vlan_id[0], &parent->vlan_id[0], sizeof(p->vlan_id));
476  p->vlan_idx = parent->vlan_idx;
477  p->livedev = parent->livedev;
478 
479  SCReturnPtr(p, "Packet");
480 }
481 
482 /**
483  * \brief inform defrag "parent" that a pseudo packet is
484  * now associated to it.
485  */
487 {
488  /* tell parent packet it's part of a tunnel */
489  if (parent->ttype == PacketTunnelNone)
490  parent->ttype = PacketTunnelRoot;
491 
492  /* increment tunnel packet refcnt in the root packet */
493  TUNNEL_INCR_PKT_TPR(parent);
494 
495  /* disable payload (not packet) inspection on the parent, as the payload
496  * is the packet we will now run through the system separately. We do
497  * check it against the ip/port/other header checks though */
498  DecodeSetNoPayloadInspectionFlag(parent);
499 }
500 
501 /**
502  * \note if p->flow is set, the flow is locked
503  */
505 {
506  if (PKT_IS_PSEUDOPKT(p))
507  return;
508 
509 #ifdef CAPTURE_OFFLOAD
510  /* Don't try to bypass if flow is already out or
511  * if we have failed to do it once */
512  if (p->flow) {
513  int state = p->flow->flow_state;
514  if ((state == FLOW_STATE_LOCAL_BYPASSED) ||
515  (state == FLOW_STATE_CAPTURE_BYPASSED)) {
516  return;
517  }
518 
519  FlowBypassInfo *fc;
520 
522  if (fc == NULL) {
523  fc = SCCalloc(sizeof(FlowBypassInfo), 1);
524  if (fc) {
526  } else {
527  return;
528  }
529  }
530  }
531  if (p->BypassPacketsFlow && p->BypassPacketsFlow(p)) {
532  if (p->flow) {
533  FlowUpdateState(p->flow, FLOW_STATE_CAPTURE_BYPASSED);
534  }
535  } else {
536  if (p->flow) {
538  }
539  }
540 #else /* CAPTURE_OFFLOAD */
541  if (p->flow) {
542  int state = p->flow->flow_state;
543  if (state == FLOW_STATE_LOCAL_BYPASSED)
544  return;
546  }
547 #endif
548 }
549 
550 /** \brief switch direction of a packet */
552 {
553  if (PKT_IS_TOSERVER(p)) {
556 
560  }
561  } else {
564 
568  }
569  }
570 }
571 
572 /* counter name store */
573 static HashTable *g_counter_table = NULL;
574 static SCMutex g_counter_table_mutex = SCMUTEX_INITIALIZER;
575 
577 {
578  SCMutexLock(&g_counter_table_mutex);
579  if (g_counter_table) {
580  HashTableFree(g_counter_table);
581  g_counter_table = NULL;
582  }
583  SCMutexUnlock(&g_counter_table_mutex);
584 }
585 
586 static bool IsDefragMemcapExceptionPolicyStatsValid(enum ExceptionPolicy policy)
587 {
588  if (EngineModeIsIPS()) {
590  }
592 }
593 
594 static bool IsFlowMemcapExceptionPolicyStatsValid(enum ExceptionPolicy policy)
595 {
596  if (EngineModeIsIPS()) {
598  }
600 }
601 
603 {
604  /* register counters */
605  dtv->counter_pkts = StatsRegisterCounter("decoder.pkts", tv);
606  dtv->counter_bytes = StatsRegisterCounter("decoder.bytes", tv);
607  dtv->counter_invalid = StatsRegisterCounter("decoder.invalid", tv);
608  dtv->counter_ipv4 = StatsRegisterCounter("decoder.ipv4", tv);
609  dtv->counter_ipv6 = StatsRegisterCounter("decoder.ipv6", tv);
610  dtv->counter_eth = StatsRegisterCounter("decoder.ethernet", tv);
611  dtv->counter_arp = StatsRegisterCounter("decoder.arp", tv);
612  dtv->counter_ethertype_unknown = StatsRegisterCounter("decoder.unknown_ethertype", tv);
613  dtv->counter_chdlc = StatsRegisterCounter("decoder.chdlc", tv);
614  dtv->counter_raw = StatsRegisterCounter("decoder.raw", tv);
615  dtv->counter_null = StatsRegisterCounter("decoder.null", tv);
616  dtv->counter_sll = StatsRegisterCounter("decoder.sll", tv);
617  dtv->counter_tcp = StatsRegisterCounter("decoder.tcp", tv);
618 
620  dtv->counter_tcp_synack = StatsRegisterCounter("tcp.synack", tv);
622 
623  dtv->counter_udp = StatsRegisterCounter("decoder.udp", tv);
624  dtv->counter_sctp = StatsRegisterCounter("decoder.sctp", tv);
625  dtv->counter_esp = StatsRegisterCounter("decoder.esp", tv);
626  dtv->counter_icmpv4 = StatsRegisterCounter("decoder.icmpv4", tv);
627  dtv->counter_icmpv6 = StatsRegisterCounter("decoder.icmpv6", tv);
628  dtv->counter_ppp = StatsRegisterCounter("decoder.ppp", tv);
629  dtv->counter_pppoe = StatsRegisterCounter("decoder.pppoe", tv);
630  dtv->counter_geneve = StatsRegisterCounter("decoder.geneve", tv);
631  dtv->counter_gre = StatsRegisterCounter("decoder.gre", tv);
632  dtv->counter_vlan = StatsRegisterCounter("decoder.vlan", tv);
633  dtv->counter_vlan_qinq = StatsRegisterCounter("decoder.vlan_qinq", tv);
634  dtv->counter_vlan_qinqinq = StatsRegisterCounter("decoder.vlan_qinqinq", tv);
635  dtv->counter_vxlan = StatsRegisterCounter("decoder.vxlan", tv);
636  dtv->counter_vntag = StatsRegisterCounter("decoder.vntag", tv);
637  dtv->counter_ieee8021ah = StatsRegisterCounter("decoder.ieee8021ah", tv);
638  dtv->counter_teredo = StatsRegisterCounter("decoder.teredo", tv);
639  dtv->counter_ipv4inipv6 = StatsRegisterCounter("decoder.ipv4_in_ipv6", tv);
640  dtv->counter_ipv6inipv6 = StatsRegisterCounter("decoder.ipv6_in_ipv6", tv);
641  dtv->counter_mpls = StatsRegisterCounter("decoder.mpls", tv);
642  dtv->counter_avg_pkt_size = StatsRegisterAvgCounter("decoder.avg_pkt_size", tv);
643  dtv->counter_max_pkt_size = StatsRegisterMaxCounter("decoder.max_pkt_size", tv);
644  dtv->counter_max_mac_addrs_src = StatsRegisterMaxCounter("decoder.max_mac_addrs_src", tv);
645  dtv->counter_max_mac_addrs_dst = StatsRegisterMaxCounter("decoder.max_mac_addrs_dst", tv);
646  dtv->counter_erspan = StatsRegisterMaxCounter("decoder.erspan", tv);
647  dtv->counter_nsh = StatsRegisterMaxCounter("decoder.nsh", tv);
648  dtv->counter_flow_memcap = StatsRegisterCounter("flow.memcap", tv);
650  FlowGetMemcapExceptionPolicy(), "flow.memcap_exception_policy.",
651  IsFlowMemcapExceptionPolicyStatsValid);
652 
653  dtv->counter_tcp_active_sessions = StatsRegisterCounter("tcp.active_sessions", tv);
654  dtv->counter_flow_total = StatsRegisterCounter("flow.total", tv);
655  dtv->counter_flow_active = StatsRegisterCounter("flow.active", tv);
658  dtv->counter_flow_icmp4 = StatsRegisterCounter("flow.icmpv4", tv);
659  dtv->counter_flow_icmp6 = StatsRegisterCounter("flow.icmpv6", tv);
660  dtv->counter_flow_tcp_reuse = StatsRegisterCounter("flow.tcp_reuse", tv);
661  dtv->counter_flow_get_used = StatsRegisterCounter("flow.get_used", tv);
662  dtv->counter_flow_get_used_eval = StatsRegisterCounter("flow.get_used_eval", tv);
663  dtv->counter_flow_get_used_eval_reject = StatsRegisterCounter("flow.get_used_eval_reject", tv);
664  dtv->counter_flow_get_used_eval_busy = StatsRegisterCounter("flow.get_used_eval_busy", tv);
665  dtv->counter_flow_get_used_failed = StatsRegisterCounter("flow.get_used_failed", tv);
666 
667  dtv->counter_flow_spare_sync_avg = StatsRegisterAvgCounter("flow.wrk.spare_sync_avg", tv);
668  dtv->counter_flow_spare_sync = StatsRegisterCounter("flow.wrk.spare_sync", tv);
669  dtv->counter_flow_spare_sync_incomplete = StatsRegisterCounter("flow.wrk.spare_sync_incomplete", tv);
670  dtv->counter_flow_spare_sync_empty = StatsRegisterCounter("flow.wrk.spare_sync_empty", tv);
671 
673  StatsRegisterCounter("defrag.ipv4.fragments", tv);
674  dtv->counter_defrag_ipv4_reassembled = StatsRegisterCounter("defrag.ipv4.reassembled", tv);
676  StatsRegisterCounter("defrag.ipv6.fragments", tv);
677  dtv->counter_defrag_ipv6_reassembled = StatsRegisterCounter("defrag.ipv6.reassembled", tv);
678  dtv->counter_defrag_max_hit = StatsRegisterCounter("defrag.max_trackers_reached", tv);
679  dtv->counter_defrag_no_frags = StatsRegisterCounter("defrag.max_frags_reached", tv);
680  dtv->counter_defrag_tracker_soft_reuse = StatsRegisterCounter("defrag.tracker_soft_reuse", tv);
681  dtv->counter_defrag_tracker_hard_reuse = StatsRegisterCounter("defrag.tracker_hard_reuse", tv);
682  dtv->counter_defrag_tracker_timeout = StatsRegisterCounter("defrag.wrk.tracker_timeout", tv);
683 
685  DefragGetMemcapExceptionPolicy(), "defrag.memcap_exception_policy.",
686  IsDefragMemcapExceptionPolicyStatsValid);
687 
688  for (int i = 0; i < DECODE_EVENT_MAX; i++) {
689  BUG_ON(i != (int)DEvents[i].code);
690 
692  continue;
694  continue;
695 
696  if (i < DECODE_EVENT_PACKET_MAX &&
697  strncmp(DEvents[i].event_name, "decoder.", 8) == 0)
698  {
699  SCMutexLock(&g_counter_table_mutex);
700  if (g_counter_table == NULL) {
701  g_counter_table = HashTableInit(256, StringHashFunc,
704  if (g_counter_table == NULL) {
705  FatalError("decoder counter hash "
706  "table init failed");
707  }
708  }
709 
710  char name[256];
711  char *dot = strchr(DEvents[i].event_name, '.');
712  BUG_ON(!dot);
713  snprintf(name, sizeof(name), "%s.%s",
715 
716  const char *found = HashTableLookup(g_counter_table, name, 0);
717  if (!found) {
718  char *add = SCStrdup(name);
719  if (add == NULL)
720  FatalError("decoder counter hash "
721  "table name init failed");
722  int r = HashTableAdd(g_counter_table, add, 0);
723  if (r != 0)
724  FatalError("decoder counter hash "
725  "table name add failed");
726  found = add;
727  }
729  found, tv);
730 
731  SCMutexUnlock(&g_counter_table_mutex);
732  } else {
734  DEvents[i].event_name, tv);
735  }
736  }
737 }
738 
740  const DecodeThreadVars *dtv, const Packet *p)
741 {
743  //StatsIncr(tv, dtv->counter_pkts_per_sec);
747 }
748 
749 /**
750  * \brief Debug print function for printing addresses
751  *
752  * \param Address object
753  *
754  * \todo IPv6
755  */
757 {
758  if (a == NULL)
759  return;
760 
761  switch (a->family) {
762  case AF_INET:
763  {
764  char s[16];
765  PrintInet(AF_INET, (const void *)&a->addr_data32[0], s, sizeof(s));
766  SCLogDebug("%s", s);
767  break;
768  }
769  }
770 }
771 
772 /** \brief Alloc and setup DecodeThreadVars */
774 {
775  DecodeThreadVars *dtv = NULL;
776 
777  if ((dtv = SCCalloc(1, sizeof(DecodeThreadVars))) == NULL)
778  return NULL;
779 
781 
783  SCLogError("initializing flow log API for thread failed");
785  return NULL;
786  }
787 
788  return dtv;
789 }
790 
792 {
793  if (dtv != NULL) {
794  if (dtv->app_tctx != NULL)
796 
797  if (dtv->output_flow_thread_data != NULL)
799 
800  SCFree(dtv);
801  }
802 }
803 
804 /**
805  * \brief Set data for Packet and set length when zero copy is used
806  *
807  * \param Pointer to the Packet to modify
808  * \param Pointer to the data
809  * \param Length of the data
810  */
811 inline int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
812 {
813  SET_PKT_LEN(p, pktlen);
814  if (unlikely(!pktdata)) {
815  return -1;
816  }
817  // ext_pkt cannot be const (because we sometimes copy)
818  p->ext_pkt = (uint8_t *) pktdata;
819  p->flags |= PKT_ZERO_COPY;
820 
821  return 0;
822 }
823 
824 const char *PktSrcToString(enum PktSrcEnum pkt_src)
825 {
826  const char *pkt_src_str = NULL;
827  switch (pkt_src) {
828  case PKT_SRC_WIRE:
829  pkt_src_str = "wire/pcap";
830  break;
831  case PKT_SRC_DECODER_GRE:
832  pkt_src_str = "gre tunnel";
833  break;
835  pkt_src_str = "ipv4 tunnel";
836  break;
838  pkt_src_str = "ipv6 tunnel";
839  break;
841  pkt_src_str = "teredo tunnel";
842  break;
843  case PKT_SRC_DEFRAG:
844  pkt_src_str = "defrag";
845  break;
847  pkt_src_str = "stream (detect/log)";
848  break;
849  case PKT_SRC_FFR:
850  pkt_src_str = "stream (flow timeout)";
851  break;
853  pkt_src_str = "geneve encapsulation";
854  break;
856  pkt_src_str = "vxlan encapsulation";
857  break;
859  pkt_src_str = "detect reload flush";
860  break;
862  pkt_src_str = "capture timeout flush";
863  break;
865  pkt_src_str = "shutdown flush";
866  break;
867  }
868  DEBUG_VALIDATE_BUG_ON(pkt_src_str == NULL);
869  return pkt_src_str;
870 }
871 
873 {
874  switch (r) {
876  return "decode error";
878  return "defrag error";
880  return "defrag memcap";
882  return "flow memcap";
884  return "flow drop";
886  return "stream error";
888  return "stream memcap";
890  return "stream midstream";
892  return "stream reassembly";
894  return "applayer error";
896  return "applayer memcap";
898  return "rules";
900  return "threshold detection_filter";
902  return "nfq error";
904  return "tunnel packet drop";
906  case PKT_DROP_REASON_MAX:
907  return NULL;
908  }
909  return NULL;
910 }
911 
912 static const char *PacketDropReasonToJsonString(enum PacketDropReason r)
913 {
914  switch (r) {
916  return "ips.drop_reason.decode_error";
918  return "ips.drop_reason.defrag_error";
920  return "ips.drop_reason.defrag_memcap";
922  return "ips.drop_reason.flow_memcap";
924  return "ips.drop_reason.flow_drop";
926  return "ips.drop_reason.stream_error";
928  return "ips.drop_reason.stream_memcap";
930  return "ips.drop_reason.stream_midstream";
932  return "ips.drop_reason.stream_reassembly";
934  return "ips.drop_reason.applayer_error";
936  return "ips.drop_reason.applayer_memcap";
938  return "ips.drop_reason.rules";
940  return "ips.drop_reason.threshold_detection_filter";
942  return "ips.drop_reason.nfq_error";
944  return "ips.drop_reason.tunnel_packet_drop";
946  case PKT_DROP_REASON_MAX:
947  return NULL;
948  }
949  return NULL;
950 }
951 
952 typedef struct CaptureStats_ {
957 
960 
962 
964 {
965  if (!EngineModeIsIPS() || PKT_IS_PSEUDOPKT(p))
966  return;
967 
971  } else if (unlikely(PacketCheckAction(p, ACTION_DROP))) {
973  } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) {
975  } else {
977  }
980  }
981 }
982 
984 {
985  if (EngineModeIsIPS()) {
987  s->counter_ips_accepted = StatsRegisterCounter("ips.accepted", tv);
988  s->counter_ips_blocked = StatsRegisterCounter("ips.blocked", tv);
989  s->counter_ips_rejected = StatsRegisterCounter("ips.rejected", tv);
990  s->counter_ips_replaced = StatsRegisterCounter("ips.replaced", tv);
991  for (int i = PKT_DROP_REASON_NOT_SET; i < PKT_DROP_REASON_MAX; i++) {
992  const char *name = PacketDropReasonToJsonString(i);
993  if (name != NULL)
995  }
996  }
997 }
998 
1000 {
1005  intmax_t value = 0;
1006  if (ConfGetInt("decoder.max-layers", &value) == 1) {
1007  if (value < 0 || value > UINT8_MAX) {
1008  SCLogWarning("Invalid value for decoder.max-layers");
1009  } else {
1010  decoder_max_layers = (uint8_t)value;
1011  }
1012  }
1014 }
1015 
1017 {
1018  intmax_t max = 0;
1019  if (ConfGetInt("packet-alert-max", &max) == 1) {
1020  if (max <= 0 || max > UINT8_MAX) {
1021  SCLogWarning("Invalid value for packet-alert-max, default value set instead");
1022  } else {
1023  packet_alert_max = (uint16_t)max;
1024  }
1025  }
1026  SCLogDebug("detect->packet_alert_max set to %d", packet_alert_max);
1027 }
1028 
1029 /**
1030  * @}
1031  */
PacketCheckAction
bool PacketCheckAction(const Packet *p, const uint8_t a)
Definition: packet.c:49
DecodeThreadVars_::counter_flow_get_used_eval_busy
uint16_t counter_flow_get_used_eval_busy
Definition: decode.h:1007
PKT_DROP_REASON_DEFRAG_MEMCAP
@ PKT_DROP_REASON_DEFRAG_MEMCAP
Definition: decode.h:363
PKT_DROP_REASON_DEFRAG_ERROR
@ PKT_DROP_REASON_DEFRAG_ERROR
Definition: decode.h:362
ConfGetInt
int ConfGetInt(const char *name, intmax_t *val)
Retrieve a configuration value as an integer.
Definition: conf.c:399
DecodeThreadVars_::counter_defrag_ipv4_reassembled
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:983
util-hash-string.h
PKT_DROP_REASON_RULES_THRESHOLD
@ PKT_DROP_REASON_RULES_THRESHOLD
Definition: decode.h:369
DecodeThreadVars_::counter_ethertype_unknown
uint16_t counter_ethertype_unknown
Definition: decode.h:957
DecodeThreadVars_::counter_flow_udp
uint16_t counter_flow_udp
Definition: decode.h:1000
len
uint8_t len
Definition: app-layer-dnp3.h:2
DecodeThreadVars_::counter_bytes
uint16_t counter_bytes
Definition: decode.h:937
DECODE_TUNNEL_IPV6
@ DECODE_TUNNEL_IPV6
Definition: decode.h:1070
CaptureStats_::counter_ips_blocked
uint16_t counter_ips_blocked
Definition: decode.c:954
decode-erspan.h
decode-vxlan.h
DecodeThreadVars_::counter_eth
uint16_t counter_eth
Definition: decode.h:945
DecodeThreadVars_::counter_flow_active
uint16_t counter_flow_active
Definition: decode.h:998
OutputFlowLogThreadInit
TmEcode OutputFlowLogThreadInit(ThreadVars *tv, void **data)
thread init for the flow logger This will run the thread init functions for the individual registered...
Definition: output-flow.c:123
StatsIncr
void StatsIncr(ThreadVars *tv, uint16_t id)
Increments the local counter.
Definition: counters.c:166
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
DecodeERSPAN
int DecodeERSPAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type II.
Definition: decode-erspan.c:76
PacketFreeOrRelease
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:250
DECODE_EVENT_MAX
@ DECODE_EVENT_MAX
Definition: decode-events.h:310
DecodeThreadVars_::counter_flow_icmp4
uint16_t counter_flow_icmp4
Definition: decode.h:1001
DecodeThreadVars_::counter_vxlan
uint16_t counter_vxlan
Definition: decode.h:970
DecodeThreadVars_::counter_max_pkt_size
uint16_t counter_max_pkt_size
Definition: decode.h:939
DecodePPP
int DecodePPP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ppp.c:174
PacketCopyData
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:351
PacketBypassCallback
void PacketBypassCallback(Packet *p)
Definition: decode.c:504
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1319
DecodeThreadVars_::counter_avg_pkt_size
uint16_t counter_avg_pkt_size
Definition: decode.h:938
DecodeERSPANConfig
void DecodeERSPANConfig(void)
Functions to decode ERSPAN Type I and II packets.
Definition: decode-erspan.c:53
PacketPoolReturnPacket
void PacketPoolReturnPacket(Packet *p)
Return packet to Packet pool.
Definition: tmqh-packetpool.c:177
GetFlowBypassInfoID
FlowStorageId GetFlowBypassInfoID(void)
Definition: flow-util.c:214
FlowBypassInfo_
Definition: flow.h:531
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
PKT_DROP_REASON_STREAM_MEMCAP
@ PKT_DROP_REASON_STREAM_MEMCAP
Definition: decode.h:371
DecodeNSH
int DecodeNSH(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Function to decode NSH packets.
Definition: decode-nsh.c:46
PKT_DROP_REASON_FLOW_MEMCAP
@ PKT_DROP_REASON_FLOW_MEMCAP
Definition: decode.h:364
DecodeTeredoConfig
void DecodeTeredoConfig(void)
Definition: decode-teredo.c:104
CaptureStatsSetup
void CaptureStatsSetup(ThreadVars *tv)
Definition: decode.c:983
PacketDropReasonToString
const char * PacketDropReasonToString(enum PacketDropReason r)
Definition: decode.c:872
PacketEngineEvents_::events
uint8_t events[PACKET_ENGINE_EVENT_MAX]
Definition: decode.h:287
CaptureStats_
Definition: decode.c:952
PKT_STREAM_MODIFIED
#define PKT_STREAM_MODIFIED
Definition: decode.h:1271
DECODE_TUNNEL_IPV6_TEREDO
@ DECODE_TUNNEL_IPV6_TEREDO
Definition: decode.h:1071
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
PKT_SRC_SHUTDOWN_FLUSH
@ PKT_SRC_SHUTDOWN_FLUSH
Definition: decode.h:63
AddressDebugPrint
void AddressDebugPrint(Address *a)
Debug print function for printing addresses.
Definition: decode.c:756
PKT_SRC_DECODER_IPV4
@ PKT_SRC_DECODER_IPV4
Definition: decode.h:53
DecodeThreadVars_::counter_flow_spare_sync_avg
uint16_t counter_flow_spare_sync_avg
Definition: decode.h:1013
PacketDefragPktSetup
Packet * PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:447
stats_stream_events
bool stats_stream_events
Definition: counters.c:104
PKT_ZERO_COPY
#define PKT_ZERO_COPY
Definition: decode.h:1284
PKT_SRC_CAPTURE_TIMEOUT
@ PKT_SRC_CAPTURE_TIMEOUT
Definition: decode.h:61
action-globals.h
Packet_::flags
uint32_t flags
Definition: decode.h:512
PacketAlertCreate
PacketAlert * PacketAlertCreate(void)
Initialize PacketAlerts with dynamic alerts array size.
Definition: decode.c:140
DecodeThreadVars_::counter_vntag
uint16_t counter_vntag
Definition: decode.h:971
Packet_::vlan_idx
uint8_t vlan_idx
Definition: decode.h:503
DecodeThreadVars_::counter_flow_get_used_eval
uint16_t counter_flow_get_used_eval
Definition: decode.h:1005
util-hash.h
ExceptionPolicyStatsSetts_
Definition: util-exception-policy-types.h:48
CaptureStats
struct CaptureStats_ CaptureStats
StatsSetUI64
void StatsSetUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Sets a value of type double to the local counter.
Definition: counters.c:207
Packet_::pool
struct PktPool_ * pool
Definition: decode.h:638
DecodeThreadVars_::counter_tcp_synack
uint16_t counter_tcp_synack
Definition: decode.h:951
PKT_DROP_REASON_MAX
@ PKT_DROP_REASON_MAX
Definition: decode.h:376
PKT_DROP_REASON_STREAM_REASSEMBLY
@ PKT_DROP_REASON_STREAM_REASSEMBLY
Definition: decode.h:373
DECODE_TUNNEL_ERSPANI
@ DECODE_TUNNEL_ERSPANI
Definition: decode.h:1067
DecodeThreadVars_::counter_teredo
uint16_t counter_teredo
Definition: decode.h:974
DecodeThreadVars_::counter_erspan
uint16_t counter_erspan
Definition: decode.h:978
PacketCopyDataOffset
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:309
DecodeThreadVars_::counter_raw
uint16_t counter_raw
Definition: decode.h:960
SCMutexLock
#define SCMutexLock(mut)
Definition: threads-debug.h:117
FLOW_PKT_TOSERVER
#define FLOW_PKT_TOSERVER
Definition: flow.h:232
HashTable_
Definition: util-hash.h:35
ACTION_REJECT_ANY
#define ACTION_REJECT_ANY
Definition: action-globals.h:37
Address_
Definition: decode.h:108
flow_memcap_eps_stats
ExceptionPolicyStatsSetts flow_memcap_eps_stats
Definition: decode.c:112
DecodeARP
int DecodeARP(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-arp.c:29
DecodeThreadVars_::counter_arp
uint16_t counter_arp
Definition: decode.h:956
DecodeThreadVars_::counter_flow_tcp
uint16_t counter_flow_tcp
Definition: decode.h:999
SCMUTEX_INITIALIZER
#define SCMUTEX_INITIALIZER
Definition: threads-debug.h:121
PacketDecodeFinalize
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:206
proto
uint8_t proto
Definition: decode-template.h:0
PacketAlertGetMaxConfig
void PacketAlertGetMaxConfig(void)
Definition: decode.c:1016
decoder_max_layers
uint8_t decoder_max_layers
Definition: decode.c:81
DecodeThreadVars_::counter_tcp_active_sessions
uint16_t counter_tcp_active_sessions
Definition: decode.h:996
Packet_::flowflags
uint8_t flowflags
Definition: decode.h:506
StringHashCompareFunc
char StringHashCompareFunc(void *data1, uint16_t datalen1, void *data2, uint16_t datalen2)
Definition: util-hash-string.c:38
Packet_::BypassPacketsFlow
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:562
TmqhOutputPacketpool
void TmqhOutputPacketpool(ThreadVars *t, Packet *p)
Definition: tmqh-packetpool.c:314
DecodeVXLANConfig
void DecodeVXLANConfig(void)
Definition: decode-vxlan.c:98
PacketDropReason
PacketDropReason
Definition: decode.h:359
DecodeThreadVars_::counter_max_mac_addrs_src
uint16_t counter_max_mac_addrs_src
Definition: decode.h:940
DecodeUnregisterCounters
void DecodeUnregisterCounters(void)
Definition: decode.c:576
GET_PKT_DIRECT_MAX_SIZE
#define GET_PKT_DIRECT_MAX_SIZE(p)
Definition: decode.h:207
DecodeThreadVars_::counter_flow_get_used
uint16_t counter_flow_get_used
Definition: decode.h:1004
PacketTunnelChild
@ PacketTunnelChild
Definition: decode.h:382
tmqh-packetpool.h
StringHashFunc
uint32_t StringHashFunc(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash-string.c:33
Packet_::events
PacketEngineEvents events
Definition: decode.h:598
PacketAlertFree
void PacketAlertFree(PacketAlert *pa)
Definition: decode.c:148
DECODE_EVENT_PACKET_MAX
@ DECODE_EVENT_PACKET_MAX
Definition: decode-events.h:224
TM_ECODE_OK
@ TM_ECODE_OK
Definition: tm-threads-common.h:80
HashTableFree
void HashTableFree(HashTable *ht)
Definition: util-hash.c:78
DecodeThreadVars_::counter_flow_spare_sync_empty
uint16_t counter_flow_spare_sync_empty
Definition: decode.h:1011
Flow_::flow_state
FlowStateType flow_state
Definition: flow.h:417
DecodeThreadVars_::counter_flow_tcp_reuse
uint16_t counter_flow_tcp_reuse
Definition: decode.h:1003
DECODE_TUNNEL_NSH
@ DECODE_TUNNEL_NSH
Definition: decode.h:1073
DecodeThreadVars_::counter_flow_total
uint16_t counter_flow_total
Definition: decode.h:997
Packet_::datalink
int datalink
Definition: decode.h:607
PKT_DEFAULT_MAX_DECODED_LAYERS
#define PKT_DEFAULT_MAX_DECODED_LAYERS
Definition: decode.h:1324
stats_decoder_events_prefix
const char * stats_decoder_events_prefix
Definition: counters.c:102
DLT_RAW
#define DLT_RAW
Definition: decode.h:1222
DecodeRegisterPerfCounters
void DecodeRegisterPerfCounters(DecodeThreadVars *dtv, ThreadVars *tv)
Definition: decode.c:602
DecodeThreadVars_::counter_flow_spare_sync
uint16_t counter_flow_spare_sync
Definition: decode.h:1010
DECODE_TUNNEL_ERSPANII
@ DECODE_TUNNEL_ERSPANII
Definition: decode.h:1066
DecodeThreadVars_::counter_defrag_tracker_timeout
uint16_t counter_defrag_tracker_timeout
Definition: decode.h:990
SET_PKT_LEN
#define SET_PKT_LEN(p, len)
Definition: decode.h:209
DecodeThreadVars_::counter_ipv6inipv6
uint16_t counter_ipv6inipv6
Definition: decode.h:977
StatsRegisterMaxCounter
uint16_t StatsRegisterMaxCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the maximum of all the values assigned to it.
Definition: counters.c:991
FLOW_STATE_LOCAL_BYPASSED
@ FLOW_STATE_LOCAL_BYPASSED
Definition: flow.h:509
decode.h
util-debug.h
DecodeThreadVars_::counter_flow_get_used_failed
uint16_t counter_flow_get_used_failed
Definition: decode.h:1008
PKT_SRC_WIRE
@ PKT_SRC_WIRE
Definition: decode.h:51
CaptureStats_::counter_ips_rejected
uint16_t counter_ips_rejected
Definition: decode.c:955
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
DecodeThreadVars_::counter_icmpv4
uint16_t counter_icmpv4
Definition: decode.h:954
DecodeThreadVars_::counter_ppp
uint16_t counter_ppp
Definition: decode.h:964
DecodeERSPANTypeI
int DecodeERSPANTypeI(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
ERSPAN Type I.
Definition: decode-erspan.c:65
DEvents
const struct DecodeEvents_ DEvents[]
Definition: decode-events.c:29
Packet_::ts
SCTime_t ts
Definition: decode.h:523
PKT_DROP_REASON_APPLAYER_ERROR
@ PKT_DROP_REASON_APPLAYER_ERROR
Definition: decode.h:366
SCMutexUnlock
#define SCMutexUnlock(mut)
Definition: threads-debug.h:119
PacketSwap
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:551
util-exception-policy.h
DecodeThreadVars_::counter_tcp_rst
uint16_t counter_tcp_rst
Definition: decode.h:952
PktSrcEnum
PktSrcEnum
Definition: decode.h:50
PKT_DROP_REASON_NOT_SET
@ PKT_DROP_REASON_NOT_SET
Definition: decode.h:360
DecodeTunnelProto
DecodeTunnelProto
Definition: decode.h:1064
PacketDestructor
void PacketDestructor(Packet *p)
Cleanup a packet so that we can free it. No memset needed..
Definition: packet.c:152
CaptureStatsUpdate
void CaptureStatsUpdate(ThreadVars *tv, const Packet *p)
Definition: decode.c:963
util-print.h
PKT_SRC_DECODER_TEREDO
@ PKT_SRC_DECODER_TEREDO
Definition: decode.h:55
SCEnter
#define SCEnter(...)
Definition: util-debug.h:271
GET_PKT_DATA
#define GET_PKT_DATA(p)
Definition: decode.h:205
ExceptionPolicySetStatsCounters
void ExceptionPolicySetStatsCounters(ThreadVars *tv, ExceptionPolicyCounters *counter, ExceptionPolicyStatsSetts *setting, enum ExceptionPolicy conf_policy, const char *default_str, bool(*isExceptionPolicyValid)(enum ExceptionPolicy))
Definition: util-exception-policy.c:298
HashTableLookup
void * HashTableLookup(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:183
ThreadVars_
Per thread variable structure.
Definition: threadvars.h:58
PrintInet
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:230
DECODE_TUNNEL_PPP
@ DECODE_TUNNEL_PPP
Definition: decode.h:1072
FLOW_PKT_TOCLIENT_FIRST
#define FLOW_PKT_TOCLIENT_FIRST
Definition: flow.h:238
FlowSetStorageById
int FlowSetStorageById(Flow *f, FlowStorageId id, void *ptr)
Definition: flow-storage.c:45
PacketFree
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:193
PktSrcToString
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:824
ExceptionPolicyStatsSetts_::valid_settings_ids
bool valid_settings_ids[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:50
DecodeThreadVars_::counter_vlan_qinq
uint16_t counter_vlan_qinq
Definition: decode.h:968
DecodeThreadVars_::counter_defrag_tracker_hard_reuse
uint16_t counter_defrag_tracker_hard_reuse
Definition: decode.h:989
SCLogWarning
#define SCLogWarning(...)
Macro used to log WARNING messages.
Definition: util-debug.h:249
HashTableAdd
int HashTableAdd(HashTable *ht, void *data, uint16_t datalen)
Definition: util-hash.c:104
SIZE_OF_PACKET
#define SIZE_OF_PACKET
Definition: decode.h:671
StringHashFreeFunc
void StringHashFreeFunc(void *data)
Definition: util-hash-string.c:51
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
PKT_DROP_REASON_RULES
@ PKT_DROP_REASON_RULES
Definition: decode.h:368
util-profiling.h
PacketCallocExtPkt
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:283
PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
@ PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH
Definition: decode.h:58
DECODE_TUNNEL_VLAN
@ DECODE_TUNNEL_VLAN
Definition: decode.h:1068
PKT_SRC_DECODER_IPV6
@ PKT_SRC_DECODER_IPV6
Definition: decode.h:54
CaptureStats_::counter_ips_accepted
uint16_t counter_ips_accepted
Definition: decode.c:953
Packet_
Definition: decode.h:475
DecodeThreadVars_::counter_nsh
uint16_t counter_nsh
Definition: decode.h:979
DecodeIPV6
int DecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv6.c:560
DECODE_TUNNEL_IPV4
@ DECODE_TUNNEL_IPV4
Definition: decode.h:1069
GET_PKT_LEN
#define GET_PKT_LEN(p)
Definition: decode.h:204
DecodeThreadVars_::app_tctx
AppLayerThreadCtx * app_tctx
Definition: decode.h:933
decode-teredo.h
DecodeThreadVars_::counter_sll
uint16_t counter_sll
Definition: decode.h:959
PKT_DROP_REASON_STREAM_ERROR
@ PKT_DROP_REASON_STREAM_ERROR
Definition: decode.h:370
DecodeThreadVars_::counter_sctp
uint16_t counter_sctp
Definition: decode.h:962
Packet_::livedev
struct LiveDevice_ * livedev
Definition: decode.h:586
DecodeThreadVars_::counter_invalid
uint16_t counter_invalid
Definition: decode.h:943
DecodeThreadVars_::counter_ieee8021ah
uint16_t counter_ieee8021ah
Definition: decode.h:972
SCReturnPtr
#define SCReturnPtr(x, type)
Definition: util-debug.h:287
AppLayerGetCtxThread
AppLayerThreadCtx * AppLayerGetCtxThread(void)
Creates a new app layer thread context.
Definition: app-layer.c:1059
DecodeThreadVars_::counter_ipv4inipv6
uint16_t counter_ipv4inipv6
Definition: decode.h:976
FLOW_PKT_TOCLIENT
#define FLOW_PKT_TOCLIENT
Definition: flow.h:233
DecodeThreadVars_::counter_vlan
uint16_t counter_vlan
Definition: decode.h:967
DECODE_TUNNEL_ETHERNET
@ DECODE_TUNNEL_ETHERNET
Definition: decode.h:1065
DecodeThreadVars_::counter_tcp
uint16_t counter_tcp
Definition: decode.h:949
FlowGetStorageById
void * FlowGetStorageById(const Flow *f, FlowStorageId id)
Definition: flow-storage.c:40
DecodeThreadVars_::counter_pkts
uint16_t counter_pkts
Definition: decode.h:936
FlowUpdateState
void FlowUpdateState(Flow *f, const enum FlowState s)
Definition: flow.c:1161
PacketTunnelNone
@ PacketTunnelNone
Definition: decode.h:380
dtv
DecodeThreadVars * dtv
Definition: fuzz_decodepcapfile.c:33
DecodeThreadVars_::counter_defrag_memcap_eps
ExceptionPolicyCounters counter_defrag_memcap_eps
Definition: decode.h:991
default_packet_size
uint32_t default_packet_size
Definition: decode.c:77
Packet_::nb_decoded_layers
uint8_t nb_decoded_layers
Definition: decode.h:612
PKT_SRC_DECODER_GENEVE
@ PKT_SRC_DECODER_GENEVE
Definition: decode.h:62
DecodeThreadVars_::counter_chdlc
uint16_t counter_chdlc
Definition: decode.h:946
Packet_::ReleasePacket
void(* ReleasePacket)(struct Packet_ *)
Definition: decode.h:559
flow-storage.h
Packet_::flow
struct Flow_ * flow
Definition: decode.h:514
Packet_::tenant_id
uint32_t tenant_id
Definition: decode.h:633
PKT_DROP_REASON_INNER_PACKET
@ PKT_DROP_REASON_INNER_PACKET
Definition: decode.h:375
FlowGetMemcapExceptionPolicy
enum ExceptionPolicy FlowGetMemcapExceptionPolicy(void)
Definition: flow.c:132
DecodeThreadVarsFree
void DecodeThreadVarsFree(ThreadVars *tv, DecodeThreadVars *dtv)
Definition: decode.c:791
DecodeThreadVars_::counter_flow_spare_sync_incomplete
uint16_t counter_flow_spare_sync_incomplete
Definition: decode.h:1012
PKT_DROP_REASON_APPLAYER_MEMCAP
@ PKT_DROP_REASON_APPLAYER_MEMCAP
Definition: decode.h:367
DecodeGlobalConfig
void DecodeGlobalConfig(void)
Definition: decode.c:999
suricata-common.h
PKT_SRC_FFR
@ PKT_SRC_FFR
Definition: decode.h:57
decode-arp.h
DecodeThreadVars_::counter_flow_icmp6
uint16_t counter_flow_icmp6
Definition: decode.h:1002
DecodeThreadVars_::counter_ipv6
uint16_t counter_ipv6
Definition: decode.h:948
packet.h
CaptureStats_::counter_ips_replaced
uint16_t counter_ips_replaced
Definition: decode.c:956
DecodeThreadVars_::counter_gre
uint16_t counter_gre
Definition: decode.h:966
ACTION_DROP
#define ACTION_DROP
Definition: action-globals.h:30
DecodeThreadVars_::counter_esp
uint16_t counter_esp
Definition: decode.h:963
Packet_::ext_pkt
uint8_t * ext_pkt
Definition: decode.h:583
PKT_DROP_REASON_NFQ_ERROR
@ PKT_DROP_REASON_NFQ_ERROR
Definition: decode.h:374
DecodeThreadVars_::counter_defrag_no_frags
uint16_t counter_defrag_no_frags
Definition: decode.h:987
DecodeThreadVars_::counter_defrag_ipv6_reassembled
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:985
DecodeThreadVars_::counter_udp
uint16_t counter_udp
Definition: decode.h:953
Packet_::ttype
enum PacketTunnelType ttype
Definition: decode.h:521
PacketUpdateEngineEventCounters
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:213
SCStrdup
#define SCStrdup(s)
Definition: util-mem.h:56
CaptureStats_::counter_drop_reason
uint16_t counter_drop_reason[PKT_DROP_REASON_MAX]
Definition: decode.c:958
DecodeThreadVars_::counter_flow_memcap_eps
ExceptionPolicyCounters counter_flow_memcap_eps
Definition: decode.h:994
FatalError
#define FatalError(...)
Definition: util-debug.h:502
decode-geneve.h
PKT_SRC_DEFRAG
@ PKT_SRC_DEFRAG
Definition: decode.h:56
tv
ThreadVars * tv
Definition: fuzz_decodepcapfile.c:32
DecodeThreadVars_::counter_ipv4
uint16_t counter_ipv4
Definition: decode.h:947
PACKET_PROFILING_START
#define PACKET_PROFILING_START(p)
Definition: util-profiling.h:73
util-validate.h
PacketGetFromAlloc
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:232
defrag_memcap_eps_stats
ExceptionPolicyStatsSetts defrag_memcap_eps_stats
Definition: decode.c:86
PKT_SRC_DECODER_VXLAN
@ PKT_SRC_DECODER_VXLAN
Definition: decode.h:59
StatsAddUI64
void StatsAddUI64(ThreadVars *tv, uint16_t id, uint64_t x)
Adds a value of type uint64_t to the local counter.
Definition: counters.c:146
SCMalloc
#define SCMalloc(sz)
Definition: util-mem.h:47
PACKET_ALERT_MAX
#define PACKET_ALERT_MAX
Definition: decode.h:264
Packet_::root
struct Packet_ * root
Definition: decode.h:621
DecodeThreadVars_::counter_pppoe
uint16_t counter_pppoe
Definition: decode.h:973
DecodeThreadVars_::counter_mpls
uint16_t counter_mpls
Definition: decode.h:975
SCLogError
#define SCLogError(...)
Macro used to log ERROR messages.
Definition: util-debug.h:261
OutputFlowLogThreadDeinit
TmEcode OutputFlowLogThreadDeinit(ThreadVars *tv, void *thread_data)
Definition: output-flow.c:163
PKT_SRC_DETECT_RELOAD_FLUSH
@ PKT_SRC_DETECT_RELOAD_FLUSH
Definition: decode.h:60
SCFree
#define SCFree(p)
Definition: util-mem.h:61
DecodeThreadVars_
Structure to hold thread specific data for all decode modules.
Definition: decode.h:931
MAX_PAYLOAD_SIZE
#define MAX_PAYLOAD_SIZE
Definition: decode.h:669
ExceptionPolicyStatsSetts_::valid_settings_ips
bool valid_settings_ips[EXCEPTION_POLICY_MAX]
Definition: util-exception-policy-types.h:51
AppLayerDestroyCtxThread
void AppLayerDestroyCtxThread(AppLayerThreadCtx *app_tctx)
Destroys the context created by AppLayerGetCtxThread().
Definition: app-layer.c:1080
Packet_::recursion_level
uint8_t recursion_level
Definition: decode.h:500
DecodeThreadVars_::output_flow_thread_data
void * output_flow_thread_data
Definition: decode.h:1019
DecodeThreadVars_::counter_geneve
uint16_t counter_geneve
Definition: decode.h:965
DecodeThreadVars_::counter_max_mac_addrs_dst
uint16_t counter_max_mac_addrs_dst
Definition: decode.h:941
DecodeThreadVarsAlloc
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *tv)
Alloc and setup DecodeThreadVars.
Definition: decode.c:773
DecodeThreadVars_::counter_defrag_max_hit
uint16_t counter_defrag_max_hit
Definition: decode.h:986
HashTableInit
HashTable * HashTableInit(uint32_t size, uint32_t(*Hash)(struct HashTable_ *, void *, uint16_t), char(*Compare)(void *, uint16_t, void *, uint16_t), void(*Free)(void *))
Definition: util-hash.c:35
PacketSetData
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zero copy is used.
Definition: decode.c:811
PacketPoolGetPacket
Packet * PacketPoolGetPacket(void)
Get a new packet from the packet pool.
Definition: tmqh-packetpool.c:127
DecodeThreadVars_::counter_vlan_qinqinq
uint16_t counter_vlan_qinqinq
Definition: decode.h:969
GET_PKT_DIRECT_DATA
#define GET_PKT_DIRECT_DATA(p)
Definition: decode.h:206
DecodeThreadVars_::counter_null
uint16_t counter_null
Definition: decode.h:961
t_capture_stats
thread_local CaptureStats t_capture_stats
Definition: decode.c:961
DecodeThreadVars_::counter_icmpv6
uint16_t counter_icmpv6
Definition: decode.h:955
EngineModeIsIPS
int EngineModeIsIPS(void)
Definition: suricata.c:228
defrag-hash.h
Packet_::drop_reason
uint8_t drop_reason
Definition: decode.h:615
Address_::family
char family
Definition: decode.h:109
PKT_SRC_DECODER_GRE
@ PKT_SRC_DECODER_GRE
Definition: decode.h:52
ENGINE_SET_INVALID_EVENT
#define ENGINE_SET_INVALID_EVENT(p, e)
Definition: decode.h:1156
PacketAlert_
Definition: decode.h:239
DecodeGeneveConfig
void DecodeGeneveConfig(void)
Definition: decode-geneve.c:128
DecodeThreadVars_::counter_flow_memcap
uint16_t counter_flow_memcap
Definition: decode.h:993
DecodeThreadVars_::counter_defrag_ipv6_fragments
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:984
PacketTunnelRoot
@ PacketTunnelRoot
Definition: decode.h:381
packet_alert_max
uint16_t packet_alert_max
Definition: decode.c:82
Packet_::vlan_id
uint16_t vlan_id[VLAN_MAX_LAYERS]
Definition: decode.h:502
DECODE_TUNNEL_ARP
@ DECODE_TUNNEL_ARP
Definition: decode.h:1074
likely
#define likely(expr)
Definition: util-optimize.h:32
StatsRegisterAvgCounter
uint16_t StatsRegisterAvgCounter(const char *name, struct ThreadVars_ *tv)
Registers a counter, whose value holds the average of all the values assigned to it.
Definition: counters.c:971
PacketDefragPktSetupParent
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now associated to it.
Definition: decode.c:486
DecodeThreadVars_::counter_tcp_syn
uint16_t counter_tcp_syn
Definition: decode.h:950
PacketTunnelPktSetup
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto)
Setup a pseudo packet (tunnel)
Definition: decode.c:367
stats_decoder_events
bool stats_decoder_events
Definition: counters.c:101
flow.h
PKT_DROP_REASON_STREAM_MIDSTREAM
@ PKT_DROP_REASON_STREAM_MIDSTREAM
Definition: decode.h:372
DecodeIPV4
int DecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint16_t len)
Definition: decode-ipv4.c:520
PacketInit
void PacketInit(Packet *p)
Initialize a packet structure for use.
Definition: packet.c:63
ExceptionPolicy
ExceptionPolicy
Definition: util-exception-policy-types.h:25
StatsRegisterCounter
uint16_t StatsRegisterCounter(const char *name, struct ThreadVars_ *tv)
Registers a normal, unqualified counter.
Definition: counters.c:951
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
GENERIC_TOO_MANY_LAYERS
@ GENERIC_TOO_MANY_LAYERS
Definition: decode-events.h:221
DecodeThreadVars_::counter_flow_get_used_eval_reject
uint16_t counter_flow_get_used_eval_reject
Definition: decode.h:1006
DecodeVLAN
int DecodeVLAN(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-vlan.c:54
FLOW_PKT_TOSERVER_FIRST
#define FLOW_PKT_TOSERVER_FIRST
Definition: flow.h:237
DefragGetMemcapExceptionPolicy
enum ExceptionPolicy DefragGetMemcapExceptionPolicy(void)
Definition: defrag-hash.c:80
SCMutex
#define SCMutex
Definition: threads-debug.h:114
PacketGetFromQueueOrAlloc
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:267
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
DecodeEthernet
int DecodeEthernet(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len)
Definition: decode-ethernet.c:42
PKT_DROP_REASON_FLOW_DROP
@ PKT_DROP_REASON_FLOW_DROP
Definition: decode.h:365
WARN_UNUSED
#define WARN_UNUSED
Definition: suricata-common.h:403
PKT_IS_INVALID
#define PKT_IS_INVALID
Definition: decode.h:1291
DecodeUpdatePacketCounters
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:739
DecodeThreadVars_::counter_engine_events
uint16_t counter_engine_events[DECODE_EVENT_MAX]
Definition: decode.h:1015
output.h
DecodeThreadVars_::counter_defrag_tracker_soft_reuse
uint16_t counter_defrag_tracker_soft_reuse
Definition: decode.h:988
app-layer.h
PKT_DROP_REASON_DECODE_ERROR
@ PKT_DROP_REASON_DECODE_ERROR
Definition: decode.h:361
DecodeThreadVars_::counter_defrag_ipv4_fragments
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:982
PacketEngineEvents_::cnt
uint8_t cnt
Definition: decode.h:286