suricata
decode.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DECODE_H__
25 #define __DECODE_H__
26 
27 //#define DBG_THREADS
28 #define COUNTERS
29 
30 #include "suricata-common.h"
31 #include "threadvars.h"
32 #include "decode-events.h"
33 #include "flow-worker.h"
34 
35 #ifdef HAVE_NAPATECH
36 #include "util-napatech.h"
37 #endif /* HAVE_NAPATECH */
38 
39 
40 typedef enum {
47 
48 enum PktSrcEnum {
58 };
59 
60 #include "source-nflog.h"
61 #include "source-nfq.h"
62 #include "source-ipfw.h"
63 #include "source-pcap.h"
64 #include "source-af-packet.h"
65 #include "source-netmap.h"
66 #include "source-windivert.h"
67 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
68 #include "source-pfring.h"
69 #endif
70 
71 #include "action-globals.h"
72 
73 #include "decode-erspan.h"
74 #include "decode-ethernet.h"
75 #include "decode-gre.h"
76 #include "decode-ppp.h"
77 #include "decode-pppoe.h"
78 #include "decode-sll.h"
79 #include "decode-ipv4.h"
80 #include "decode-ipv6.h"
81 #include "decode-icmpv4.h"
82 #include "decode-icmpv6.h"
83 #include "decode-tcp.h"
84 #include "decode-udp.h"
85 #include "decode-sctp.h"
86 #include "decode-raw.h"
87 #include "decode-null.h"
88 #include "decode-vlan.h"
89 #include "decode-mpls.h"
90 
91 #include "detect-reference.h"
92 
93 #include "app-layer-protos.h"
94 
95 /* forward declarations */
96 struct DetectionEngineThreadCtx_;
98 
99 struct PktPool_;
100 
101 /* declare these here as they are called from the
102  * PACKET_RECYCLE and PACKET_CLEANUP macro's. */
106 
107 /* Address */
108 typedef struct Address_ {
109  char family;
110  union {
111  uint32_t address_un_data32[4]; /* type-specific field */
112  uint16_t address_un_data16[8]; /* type-specific field */
113  uint8_t address_un_data8[16]; /* type-specific field */
114  struct in6_addr address_un_in6;
115  } address;
116 } Address;
117 
118 #define addr_data32 address.address_un_data32
119 #define addr_data16 address.address_un_data16
120 #define addr_data8 address.address_un_data8
121 #define addr_in6addr address.address_un_in6
122 
123 #define COPY_ADDRESS(a, b) do { \
124  (b)->family = (a)->family; \
125  (b)->addr_data32[0] = (a)->addr_data32[0]; \
126  (b)->addr_data32[1] = (a)->addr_data32[1]; \
127  (b)->addr_data32[2] = (a)->addr_data32[2]; \
128  (b)->addr_data32[3] = (a)->addr_data32[3]; \
129  } while (0)
130 
131 /* Set the IPv4 addresses into the Addrs of the Packet.
132  * Make sure p->ip4h is initialized and validated.
133  *
134  * We set the rest of the struct to 0 so we can
135  * prevent using memset. */
136 #define SET_IPV4_SRC_ADDR(p, a) do { \
137  (a)->family = AF_INET; \
138  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
139  (a)->addr_data32[1] = 0; \
140  (a)->addr_data32[2] = 0; \
141  (a)->addr_data32[3] = 0; \
142  } while (0)
143 
144 #define SET_IPV4_DST_ADDR(p, a) do { \
145  (a)->family = AF_INET; \
146  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
147  (a)->addr_data32[1] = 0; \
148  (a)->addr_data32[2] = 0; \
149  (a)->addr_data32[3] = 0; \
150  } while (0)
151 
152 /* clear the address structure by setting all fields to 0 */
153 #define CLEAR_ADDR(a) do { \
154  (a)->family = 0; \
155  (a)->addr_data32[0] = 0; \
156  (a)->addr_data32[1] = 0; \
157  (a)->addr_data32[2] = 0; \
158  (a)->addr_data32[3] = 0; \
159  } while (0)
160 
161 /* Set the IPv6 addressesinto the Addrs of the Packet.
162  * Make sure p->ip6h is initialized and validated. */
163 #define SET_IPV6_SRC_ADDR(p, a) do { \
164  (a)->family = AF_INET6; \
165  (a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
166  (a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
167  (a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
168  (a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
169  } while (0)
170 
171 #define SET_IPV6_DST_ADDR(p, a) do { \
172  (a)->family = AF_INET6; \
173  (a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
174  (a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
175  (a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
176  (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
177  } while (0)
178 
179 /* Set the TCP ports into the Ports of the Packet.
180  * Make sure p->tcph is initialized and validated. */
181 #define SET_TCP_SRC_PORT(pkt, prt) do { \
182  SET_PORT(TCP_GET_SRC_PORT((pkt)), *(prt)); \
183  } while (0)
184 
185 #define SET_TCP_DST_PORT(pkt, prt) do { \
186  SET_PORT(TCP_GET_DST_PORT((pkt)), *(prt)); \
187  } while (0)
188 
189 /* Set the UDP ports into the Ports of the Packet.
190  * Make sure p->udph is initialized and validated. */
191 #define SET_UDP_SRC_PORT(pkt, prt) do { \
192  SET_PORT(UDP_GET_SRC_PORT((pkt)), *(prt)); \
193  } while (0)
194 #define SET_UDP_DST_PORT(pkt, prt) do { \
195  SET_PORT(UDP_GET_DST_PORT((pkt)), *(prt)); \
196  } while (0)
197 
198 /* Set the SCTP ports into the Ports of the Packet.
199  * Make sure p->sctph is initialized and validated. */
200 #define SET_SCTP_SRC_PORT(pkt, prt) do { \
201  SET_PORT(SCTP_GET_SRC_PORT((pkt)), *(prt)); \
202  } while (0)
203 
204 #define SET_SCTP_DST_PORT(pkt, prt) do { \
205  SET_PORT(SCTP_GET_DST_PORT((pkt)), *(prt)); \
206  } while (0)
207 
208 
209 
210 #define GET_IPV4_SRC_ADDR_U32(p) ((p)->src.addr_data32[0])
211 #define GET_IPV4_DST_ADDR_U32(p) ((p)->dst.addr_data32[0])
212 #define GET_IPV4_SRC_ADDR_PTR(p) ((p)->src.addr_data32)
213 #define GET_IPV4_DST_ADDR_PTR(p) ((p)->dst.addr_data32)
214 
215 #define GET_IPV6_SRC_IN6ADDR(p) ((p)->src.addr_in6addr)
216 #define GET_IPV6_DST_IN6ADDR(p) ((p)->dst.addr_in6addr)
217 #define GET_IPV6_SRC_ADDR(p) ((p)->src.addr_data32)
218 #define GET_IPV6_DST_ADDR(p) ((p)->dst.addr_data32)
219 #define GET_TCP_SRC_PORT(p) ((p)->sp)
220 #define GET_TCP_DST_PORT(p) ((p)->dp)
221 
222 #define GET_PKT_LEN(p) ((p)->pktlen)
223 #define GET_PKT_DATA(p) ((((p)->ext_pkt) == NULL ) ? (uint8_t *)((p) + 1) : (p)->ext_pkt)
224 #define GET_PKT_DIRECT_DATA(p) (uint8_t *)((p) + 1)
225 #define GET_PKT_DIRECT_MAX_SIZE(p) (default_packet_size)
226 
227 #define SET_PKT_LEN(p, len) do { \
228  (p)->pktlen = (len); \
229  } while (0)
230 
231 
232 /* Port is just a uint16_t */
233 typedef uint16_t Port;
234 #define SET_PORT(v, p) ((p) = (v))
235 #define COPY_PORT(a,b) ((b) = (a))
236 
237 #define CMP_ADDR(a1, a2) \
238  (((a1)->addr_data32[3] == (a2)->addr_data32[3] && \
239  (a1)->addr_data32[2] == (a2)->addr_data32[2] && \
240  (a1)->addr_data32[1] == (a2)->addr_data32[1] && \
241  (a1)->addr_data32[0] == (a2)->addr_data32[0]))
242 #define CMP_PORT(p1, p2) \
243  ((p1) == (p2))
244 
245 /*Given a packet pkt offset to the start of the ip header in a packet
246  *We determine the ip version. */
247 #define IP_GET_RAW_VER(pkt) ((((pkt)[0] & 0xf0) >> 4))
248 
249 #define PKT_IS_IPV4(p) (((p)->ip4h != NULL))
250 #define PKT_IS_IPV6(p) (((p)->ip6h != NULL))
251 #define PKT_IS_TCP(p) (((p)->tcph != NULL))
252 #define PKT_IS_UDP(p) (((p)->udph != NULL))
253 #define PKT_IS_ICMPV4(p) (((p)->icmpv4h != NULL))
254 #define PKT_IS_ICMPV6(p) (((p)->icmpv6h != NULL))
255 #define PKT_IS_TOSERVER(p) (((p)->flowflags & FLOW_PKT_TOSERVER))
256 #define PKT_IS_TOCLIENT(p) (((p)->flowflags & FLOW_PKT_TOCLIENT))
257 
258 #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
259 
260 /* Retrieve proto regardless of IP version */
261 #define IP_GET_IPPROTO(p) \
262  (p->proto ? p->proto : \
263  (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
264 
265 /* structure to store the sids/gids/etc the detection engine
266  * found in this packet */
267 typedef struct PacketAlert_ {
268  SigIntId num; /* Internal num, used for sorting */
269  uint8_t action; /* Internal num, used for sorting */
270  uint8_t flags;
271  const struct Signature_ *s;
272  uint64_t tx_id;
273 } PacketAlert;
274 
275 /** After processing an alert by the thresholding module, if at
276  * last it gets triggered, we might want to stick the drop action to
277  * the flow on IPS mode */
278 #define PACKET_ALERT_FLAG_DROP_FLOW 0x01
279 /** alert was generated based on state */
280 #define PACKET_ALERT_FLAG_STATE_MATCH 0x02
281 /** alert was generated based on stream */
282 #define PACKET_ALERT_FLAG_STREAM_MATCH 0x04
283 /** alert is in a tx, tx_id set */
284 #define PACKET_ALERT_FLAG_TX 0x08
285 /** action was changed by rate_filter */
286 #define PACKET_ALERT_RATE_FILTER_MODIFIED 0x10
287 
288 #define PACKET_ALERT_MAX 15
289 
290 typedef struct PacketAlerts_ {
291  uint16_t cnt;
293  /* single pa used when we're dropping,
294  * so we can log it out in the drop log. */
296 } PacketAlerts;
297 
298 /** number of decoder events we support per packet. Power of 2 minus 1
299  * for memory layout */
300 #define PACKET_ENGINE_EVENT_MAX 15
301 
302 /** data structure to store decoder, defrag and stream events */
303 typedef struct PacketEngineEvents_ {
304  uint8_t cnt; /**< number of events */
305  uint8_t events[PACKET_ENGINE_EVENT_MAX]; /**< array of events */
307 
308 typedef struct PktVar_ {
309  uint32_t id;
310  struct PktVar_ *next; /* right now just implement this as a list,
311  * in the long run we have thing of something
312  * faster. */
313  uint16_t key_len;
314  uint16_t value_len;
315  uint8_t *key;
316  uint8_t *value;
317 } PktVar;
318 
319 #ifdef PROFILING
320 
321 /** \brief Per TMM stats storage */
322 typedef struct PktProfilingTmmData_ {
323  uint64_t ticks_start;
324  uint64_t ticks_end;
325 #ifdef PROFILE_LOCKING
326  uint64_t mutex_lock_cnt;
327  uint64_t mutex_lock_wait_ticks;
328  uint64_t mutex_lock_contention;
329  uint64_t spin_lock_cnt;
330  uint64_t spin_lock_wait_ticks;
331  uint64_t spin_lock_contention;
332  uint64_t rww_lock_cnt;
333  uint64_t rww_lock_wait_ticks;
334  uint64_t rww_lock_contention;
335  uint64_t rwr_lock_cnt;
336  uint64_t rwr_lock_wait_ticks;
337  uint64_t rwr_lock_contention;
338 #endif
340 
341 typedef struct PktProfilingData_ {
342  uint64_t ticks_start;
343  uint64_t ticks_end;
345 
346 typedef struct PktProfilingDetectData_ {
347  uint64_t ticks_start;
348  uint64_t ticks_end;
349  uint64_t ticks_spent;
351 
352 typedef struct PktProfilingAppData_ {
353  uint64_t ticks_spent;
355 
356 typedef struct PktProfilingLoggerData_ {
357  uint64_t ticks_start;
358  uint64_t ticks_end;
359  uint64_t ticks_spent;
361 
363  uint64_t ticks_spent;
365 
368  uint32_t size; /**< array size */
370 
371 /** \brief Per pkt stats storage */
372 typedef struct PktProfiling_ {
373  uint64_t ticks_start;
374  uint64_t ticks_end;
375 
381  uint64_t proto_detect;
382 } PktProfiling;
383 
384 #endif /* PROFILING */
385 
386 /* forward declartion since Packet struct definition requires this */
387 struct PacketQueue_;
388 
389 /* sizes of the members:
390  * src: 17 bytes
391  * dst: 17 bytes
392  * sp/type: 1 byte
393  * dp/code: 1 byte
394  * proto: 1 byte
395  * recurs: 1 byte
396  *
397  * sum of above: 38 bytes
398  *
399  * flow ptr: 4/8 bytes
400  * flags: 1 byte
401  * flowflags: 1 byte
402  *
403  * sum of above 44/48 bytes
404  */
405 typedef struct Packet_
406 {
407  /* Addresses, Ports and protocol
408  * these are on top so we can use
409  * the Packet as a hash key */
412  union {
414  // icmp type and code of this packet
415  struct {
416  uint8_t type;
417  uint8_t code;
418  } icmp_s;
419  };
420  union {
422  // icmp type and code of the expected counterpart (for flows)
423  struct {
424  uint8_t type;
425  uint8_t code;
426  } icmp_d;
427  };
428  uint8_t proto;
429  /* make sure we can't be attacked on when the tunneled packet
430  * has the exact same tuple as the lower levels */
432 
433  uint16_t vlan_id[2];
434  uint8_t vlan_idx;
435 
436  /* flow */
437  uint8_t flowflags;
438  /* coccinelle: Packet:flowflags:FLOW_PKT_ */
439 
440  /* Pkt Flags */
441  uint32_t flags;
442 
443  struct Flow_ *flow;
444 
445  /* raw hash value for looking up the flow, will need to modulated to the
446  * hash size still */
447  uint32_t flow_hash;
448 
449  struct timeval ts;
450 
451  union {
452  /* nfq stuff */
453 #ifdef HAVE_NFLOG
454  NFLOGPacketVars nflog_v;
455 #endif /* HAVE_NFLOG */
456 #ifdef NFQ
458 #endif /* NFQ */
459 #ifdef IPFW
461 #endif /* IPFW */
462 #ifdef AF_PACKET
463  AFPPacketVars afp_v;
464 #endif
465 #ifdef HAVE_NETMAP
466  NetmapPacketVars netmap_v;
467 #endif
468 #ifdef HAVE_PFRING
469 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
470  PfringPacketVars pfring_v;
471 #endif
472 #endif
473 #ifdef WINDIVERT
474  WinDivertPacketVars windivert_v;
475 #endif /* WINDIVERT */
476 
477  /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
479  };
480 
481  /** The release function for packet structure and data */
482  void (*ReleasePacket)(struct Packet_ *);
483  /** The function triggering bypass the flow in the capture method.
484  * Return 1 for success and 0 on error */
485  int (*BypassPacketsFlow)(struct Packet_ *);
486 
487  /* pkt vars */
489 
490  /* header pointers */
491  EthernetHdr *ethh;
492 
493  /* Checksum for IP packets. */
495  /* Check sum for TCP, UDP or ICMP packets */
497 
499 
501 
502  /* IPv4 and IPv6 are mutually exclusive */
503  union {
505  struct {
508  };
509  };
510  /* Can only be one of TCP, UDP, ICMP at any given time */
511  union {
515  } l4vars;
516 #define tcpvars l4vars.tcpvars
517 #define icmpv4vars l4vars.icmpv4vars
518 #define icmpv6vars l4vars.icmpv6vars
519 
520  TCPHdr *tcph;
521 
522  UDPHdr *udph;
523 
524  SCTPHdr *sctph;
525 
526  ICMPV4Hdr *icmpv4h;
527 
529 
530  PPPHdr *ppph;
532  PPPOEDiscoveryHdr *pppoedh;
533 
534  GREHdr *greh;
535 
536  VLANHdr *vlanh[2];
537 
538  /* ptr to the payload of the packet
539  * with it's length. */
540  uint8_t *payload;
541  uint16_t payload_len;
542 
543  /* IPS action to take */
544  uint8_t action;
545 
546  uint8_t pkt_src;
547 
548  /* storage: set to pointer to heap and extended via allocation if necessary */
549  uint32_t pktlen;
550  uint8_t *ext_pkt;
551 
552  /* Incoming interface */
554 
556 
557  struct Host_ *host_src;
558  struct Host_ *host_dst;
559 
560  /** packet number in the pcap file, matches wireshark */
561  uint64_t pcap_cnt;
562 
563 
564  /* engine events */
566 
568 
569  /* double linked list ptrs */
570  struct Packet_ *next;
571  struct Packet_ *prev;
572 
573  /** data linktype in host order */
574  int datalink;
575 
576  /* tunnel/encapsulation handling */
577  struct Packet_ *root; /* in case of tunnel this is a ptr
578  * to the 'real' packet, the one we
579  * need to set the verdict on --
580  * It should always point to the lowest
581  * packet in a encapsulated packet */
582 
583  /** mutex to protect access to:
584  * - tunnel_rtv_cnt
585  * - tunnel_tpr_cnt
586  */
588  /* ready to set verdict counter, only set in root */
589  uint16_t tunnel_rtv_cnt;
590  /* tunnel packet ref count */
591  uint16_t tunnel_tpr_cnt;
592 
593  /** tenant id for this packet, if any. If 0 then no tenant was assigned. */
594  uint32_t tenant_id;
595 
596  /* The Packet pool from which this packet was allocated. Used when returning
597  * the packet to its owner's stack. If NULL, then allocated with malloc.
598  */
599  struct PktPool_ *pool;
600 
601 #ifdef PROFILING
603 #endif
604 #ifdef HAVE_NAPATECH
606 #endif
607 } Packet;
608 
609 /** highest mtu of the interfaces we monitor */
610 extern int g_default_mtu;
611 #define DEFAULT_MTU 1500
612 #define MINIMUM_MTU 68 /**< ipv4 minimum: rfc791 */
613 
614 #define DEFAULT_PACKET_SIZE (DEFAULT_MTU + ETHERNET_HEADER_LEN)
615 /* storage: maximum ip packet size + link header */
616 #define MAX_PAYLOAD_SIZE (IPV6_HEADER_LEN + 65536 + 28)
618 #define SIZE_OF_PACKET (default_packet_size + sizeof(Packet))
619 
620 typedef struct PacketQueue_ {
623  uint32_t len;
624 #ifdef DBG_PERF
625  uint32_t dbg_maxlen;
626 #endif /* DBG_PERF */
629 } PacketQueue;
630 
631 /** \brief Structure to hold thread specific data for all decode modules */
632 typedef struct DecodeThreadVars_
633 {
634  /** Specific context for udp protocol detection (here atm) */
636 
638 
639  /** stats/counters */
640  uint16_t counter_pkts;
641  uint16_t counter_bytes;
644 
645  uint16_t counter_invalid;
646 
647  uint16_t counter_eth;
648  uint16_t counter_ipv4;
649  uint16_t counter_ipv6;
650  uint16_t counter_tcp;
651  uint16_t counter_udp;
652  uint16_t counter_icmpv4;
653  uint16_t counter_icmpv6;
654 
655  uint16_t counter_sll;
656  uint16_t counter_raw;
657  uint16_t counter_null;
658  uint16_t counter_sctp;
659  uint16_t counter_ppp;
660  uint16_t counter_gre;
661  uint16_t counter_vlan;
664  uint16_t counter_pppoe;
665  uint16_t counter_teredo;
666  uint16_t counter_mpls;
669  uint16_t counter_erspan;
670 
671  /** frag stats - defrag runs in the context of the decoder. */
679 
681 
686 
687  uint16_t counter_engine_events[DECODE_EVENT_MAX];
688 
689  /* thread data for flow logging api: only used at forced
690  * flow recycle during lookups */
692 
694 
695 typedef struct CaptureStats_ {
696 
701 
702 } CaptureStats;
703 
704 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p);
706 
707 #define PACKET_CLEAR_L4VARS(p) do { \
708  memset(&(p)->l4vars, 0x00, sizeof((p)->l4vars)); \
709  } while (0)
710 
711 /**
712  * \brief reset these to -1(indicates that the packet is fresh from the queue)
713  */
714 #define PACKET_RESET_CHECKSUMS(p) do { \
715  (p)->level3_comp_csum = -1; \
716  (p)->level4_comp_csum = -1; \
717  } while (0)
718 
719 /* if p uses extended data, free them */
720 #define PACKET_FREE_EXTDATA(p) do { \
721  if ((p)->ext_pkt) { \
722  if (!((p)->flags & PKT_ZERO_COPY)) { \
723  SCFree((p)->ext_pkt); \
724  } \
725  (p)->ext_pkt = NULL; \
726  } \
727  } while(0)
728 
729 /**
730  * \brief Initialize a packet structure for use.
731  */
732 #define PACKET_INITIALIZE(p) { \
733  SCMutexInit(&(p)->tunnel_mutex, NULL); \
734  PACKET_RESET_CHECKSUMS((p)); \
735  (p)->livedev = NULL; \
736 }
737 
738 #define PACKET_RELEASE_REFS(p) do { \
739  FlowDeReference(&((p)->flow)); \
740  HostDeReference(&((p)->host_src)); \
741  HostDeReference(&((p)->host_dst)); \
742  } while (0)
743 
744 /**
745  * \brief Recycle a packet structure for reuse.
746  */
747 #define PACKET_REINIT(p) do { \
748  CLEAR_ADDR(&(p)->src); \
749  CLEAR_ADDR(&(p)->dst); \
750  (p)->sp = 0; \
751  (p)->dp = 0; \
752  (p)->proto = 0; \
753  (p)->recursion_level = 0; \
754  PACKET_FREE_EXTDATA((p)); \
755  (p)->flags = (p)->flags & PKT_ALLOC; \
756  (p)->flowflags = 0; \
757  (p)->pkt_src = 0; \
758  (p)->vlan_id[0] = 0; \
759  (p)->vlan_id[1] = 0; \
760  (p)->vlan_idx = 0; \
761  (p)->ts.tv_sec = 0; \
762  (p)->ts.tv_usec = 0; \
763  (p)->datalink = 0; \
764  (p)->action = 0; \
765  if ((p)->pktvar != NULL) { \
766  PktVarFree((p)->pktvar); \
767  (p)->pktvar = NULL; \
768  } \
769  (p)->ethh = NULL; \
770  if ((p)->ip4h != NULL) { \
771  CLEAR_IPV4_PACKET((p)); \
772  } \
773  if ((p)->ip6h != NULL) { \
774  CLEAR_IPV6_PACKET((p)); \
775  } \
776  if ((p)->tcph != NULL) { \
777  CLEAR_TCP_PACKET((p)); \
778  } \
779  if ((p)->udph != NULL) { \
780  CLEAR_UDP_PACKET((p)); \
781  } \
782  if ((p)->sctph != NULL) { \
783  CLEAR_SCTP_PACKET((p)); \
784  } \
785  if ((p)->icmpv4h != NULL) { \
786  CLEAR_ICMPV4_PACKET((p)); \
787  } \
788  if ((p)->icmpv6h != NULL) { \
789  CLEAR_ICMPV6_PACKET((p)); \
790  } \
791  (p)->ppph = NULL; \
792  (p)->pppoesh = NULL; \
793  (p)->pppoedh = NULL; \
794  (p)->greh = NULL; \
795  (p)->vlanh[0] = NULL; \
796  (p)->vlanh[1] = NULL; \
797  (p)->payload = NULL; \
798  (p)->payload_len = 0; \
799  (p)->BypassPacketsFlow = NULL; \
800  (p)->pktlen = 0; \
801  (p)->alerts.cnt = 0; \
802  (p)->alerts.drop.action = 0; \
803  (p)->pcap_cnt = 0; \
804  (p)->tunnel_rtv_cnt = 0; \
805  (p)->tunnel_tpr_cnt = 0; \
806  (p)->events.cnt = 0; \
807  AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
808  (p)->next = NULL; \
809  (p)->prev = NULL; \
810  (p)->root = NULL; \
811  (p)->livedev = NULL; \
812  PACKET_RESET_CHECKSUMS((p)); \
813  PACKET_PROFILING_RESET((p)); \
814  p->tenant_id = 0; \
815  } while (0)
816 
817 #define PACKET_RECYCLE(p) do { \
818  PACKET_RELEASE_REFS((p)); \
819  PACKET_REINIT((p)); \
820  } while (0)
821 
822 /**
823  * \brief Cleanup a packet so that we can free it. No memset needed..
824  */
825 #define PACKET_DESTRUCTOR(p) do { \
826  if ((p)->pktvar != NULL) { \
827  PktVarFree((p)->pktvar); \
828  } \
829  PACKET_FREE_EXTDATA((p)); \
830  SCMutexDestroy(&(p)->tunnel_mutex); \
831  AppLayerDecoderEventsFreeEvents(&(p)->app_layer_events); \
832  PACKET_PROFILING_RESET((p)); \
833  } while (0)
834 
835 
836 /* macro's for setting the action
837  * handle the case of a root packet
838  * for tunnels */
839 
840 #define PACKET_SET_ACTION(p, a) do { \
841  ((p)->root ? \
842  ((p)->root->action = a) : \
843  ((p)->action = a)); \
844 } while (0)
845 
846 #define PACKET_ALERT(p) PACKET_SET_ACTION(p, ACTION_ALERT)
847 
848 #define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)
849 
850 #define PACKET_DROP(p) PACKET_SET_ACTION(p, ACTION_DROP)
851 
852 #define PACKET_REJECT(p) PACKET_SET_ACTION(p, (ACTION_REJECT|ACTION_DROP))
853 
854 #define PACKET_REJECT_DST(p) PACKET_SET_ACTION(p, (ACTION_REJECT_DST|ACTION_DROP))
855 
856 #define PACKET_REJECT_BOTH(p) PACKET_SET_ACTION(p, (ACTION_REJECT_BOTH|ACTION_DROP))
857 
858 #define PACKET_PASS(p) PACKET_SET_ACTION(p, ACTION_PASS)
859 
860 #define PACKET_TEST_ACTION(p, a) \
861  ((p)->root ? \
862  ((p)->root->action & a) : \
863  ((p)->action & a))
864 
865 #define PACKET_UPDATE_ACTION(p, a) do { \
866  ((p)->root ? \
867  ((p)->root->action |= a) : \
868  ((p)->action |= a)); \
869 } while (0)
870 
871 #define TUNNEL_INCR_PKT_RTV_NOLOCK(p) do { \
872  ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++); \
873  } while (0)
874 
875 #define TUNNEL_INCR_PKT_TPR(p) do { \
876  SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
877  ((p)->root ? (p)->root->tunnel_tpr_cnt++ : (p)->tunnel_tpr_cnt++); \
878  SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
879  } while (0)
880 
881 #define TUNNEL_PKT_RTV(p) ((p)->root ? (p)->root->tunnel_rtv_cnt : (p)->tunnel_rtv_cnt)
882 #define TUNNEL_PKT_TPR(p) ((p)->root ? (p)->root->tunnel_tpr_cnt : (p)->tunnel_tpr_cnt)
883 
884 #define IS_TUNNEL_PKT(p) (((p)->flags & PKT_TUNNEL))
885 #define SET_TUNNEL_PKT(p) ((p)->flags |= PKT_TUNNEL)
886 #define UNSET_TUNNEL_PKT(p) ((p)->flags &= ~PKT_TUNNEL)
887 #define IS_TUNNEL_ROOT_PKT(p) (IS_TUNNEL_PKT(p) && (p)->root == NULL)
888 
889 #define IS_TUNNEL_PKT_VERDICTED(p) (((p)->flags & PKT_TUNNEL_VERDICTED))
890 #define SET_TUNNEL_PKT_VERDICTED(p) ((p)->flags |= PKT_TUNNEL_VERDICTED)
891 
898  DECODE_TUNNEL_IPV6_TEREDO, /**< separate protocol for stricter error handling */
900 };
901 
903  uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq);
904 Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto);
905 void PacketDefragPktSetupParent(Packet *parent);
911  DecodeThreadVars *dtv, Packet *p);
912 void PacketFree(Packet *p);
913 void PacketFreeOrRelease(Packet *p);
914 int PacketCallocExtPkt(Packet *p, int datalen);
915 int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen);
916 int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen);
917 int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen);
918 const char *PktSrcToString(enum PktSrcEnum pkt_src);
920 void PacketSwap(Packet *p);
921 
925  const DecodeThreadVars *dtv, const Packet *p);
926 
927 /* decoder functions */
928 int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
929 int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
930 int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
931 int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
932 int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
933 int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__ ((warn_unused_result));
934 int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
935 int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
936 int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
937 int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
938 int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
939 int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
940 int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
941 int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
942 int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
943 int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
944 int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
945 int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
946 int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
947 int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
948 
949 #ifdef UNITTESTS
950 void DecodeIPV6FragHeader(Packet *p, uint8_t *pkt,
951  uint16_t hdrextlen, uint16_t plen,
952  uint16_t prev_hdrextlen);
953 #endif
954 
955 void AddressDebugPrint(Address *);
956 
957 #ifdef AFLFUZZ_DECODER
958 typedef int (*DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
959  uint8_t *pkt, uint32_t len, PacketQueue *pq);
960 
961 int DecoderParseDataFromFile(char *filename, DecoderFunc Decoder);
962 int DecoderParseDataFromFileSerie(char *fileprefix, DecoderFunc Decoder);
963 #endif
964 void DecodeGlobalConfig(void);
965 void DecodeUnregisterCounters(void);
966 
967 /** \brief Set the No payload inspection Flag for the packet.
968  *
969  * \param p Packet to set the flag in
970  */
971 #define DecodeSetNoPayloadInspectionFlag(p) do { \
972  (p)->flags |= PKT_NOPAYLOAD_INSPECTION; \
973  } while (0)
974 
975 #define DecodeUnsetNoPayloadInspectionFlag(p) do { \
976  (p)->flags &= ~PKT_NOPAYLOAD_INSPECTION; \
977  } while (0)
978 
979 /** \brief Set the No packet inspection Flag for the packet.
980  *
981  * \param p Packet to set the flag in
982  */
983 #define DecodeSetNoPacketInspectionFlag(p) do { \
984  (p)->flags |= PKT_NOPACKET_INSPECTION; \
985  } while (0)
986 #define DecodeUnsetNoPacketInspectionFlag(p) do { \
987  (p)->flags &= ~PKT_NOPACKET_INSPECTION; \
988  } while (0)
989 
990 
991 #define ENGINE_SET_EVENT(p, e) do { \
992  SCLogDebug("p %p event %d", (p), e); \
993  if ((p)->events.cnt < PACKET_ENGINE_EVENT_MAX) { \
994  (p)->events.events[(p)->events.cnt] = e; \
995  (p)->events.cnt++; \
996  } \
997 } while(0)
998 
999 #define ENGINE_SET_INVALID_EVENT(p, e) do { \
1000  p->flags |= PKT_IS_INVALID; \
1001  ENGINE_SET_EVENT(p, e); \
1002 } while(0)
1003 
1004 
1005 
1006 #define ENGINE_ISSET_EVENT(p, e) ({ \
1007  int r = 0; \
1008  uint8_t u; \
1009  for (u = 0; u < (p)->events.cnt; u++) { \
1010  if ((p)->events.events[u] == (e)) { \
1011  r = 1; \
1012  break; \
1013  } \
1014  } \
1015  r; \
1016 })
1017 
1018 #ifndef IPPROTO_IPIP
1019 #define IPPROTO_IPIP 4
1020 #endif
1021 
1022 /* older libcs don't contain a def for IPPROTO_DCCP
1023  * inside of <netinet/in.h>
1024  * if it isn't defined let's define it here.
1025  */
1026 #ifndef IPPROTO_DCCP
1027 #define IPPROTO_DCCP 33
1028 #endif
1029 
1030 /* older libcs don't contain a def for IPPROTO_SCTP
1031  * inside of <netinet/in.h>
1032  * if it isn't defined let's define it here.
1033  */
1034 #ifndef IPPROTO_SCTP
1035 #define IPPROTO_SCTP 132
1036 #endif
1037 
1038 #ifndef IPPROTO_MH
1039 #define IPPROTO_MH 135
1040 #endif
1041 
1042 /* Host Identity Protocol (rfc 5201) */
1043 #ifndef IPPROTO_HIP
1044 #define IPPROTO_HIP 139
1045 #endif
1046 
1047 #ifndef IPPROTO_SHIM6
1048 #define IPPROTO_SHIM6 140
1049 #endif
1050 
1051 /* pcap provides this, but we don't want to depend on libpcap */
1052 #ifndef DLT_EN10MB
1053 #define DLT_EN10MB 1
1054 #endif
1055 
1056 /* taken from pcap's bpf.h */
1057 #ifndef DLT_RAW
1058 #ifdef __OpenBSD__
1059 #define DLT_RAW 14 /* raw IP */
1060 #else
1061 #define DLT_RAW 12 /* raw IP */
1062 #endif
1063 #endif
1064 
1065 #ifndef DLT_NULL
1066 #define DLT_NULL 0
1067 #endif
1068 
1069 /** libpcap shows us the way to linktype codes
1070  * \todo we need more & maybe put them in a separate file? */
1071 #define LINKTYPE_NULL DLT_NULL
1072 #define LINKTYPE_ETHERNET DLT_EN10MB
1073 #define LINKTYPE_LINUX_SLL 113
1074 #define LINKTYPE_PPP 9
1075 #define LINKTYPE_RAW DLT_RAW
1076 /* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
1077  * Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
1078 #define LINKTYPE_RAW2 101
1079 #define LINKTYPE_IPV4 228
1080 #define LINKTYPE_GRE_OVER_IP 778
1081 #define PPP_OVER_GRE 11
1082 #define VLAN_OVER_GRE 13
1083 
1084 /*Packet Flags*/
1085 #define PKT_NOPACKET_INSPECTION (1) /**< Flag to indicate that packet header or contents should not be inspected*/
1086 #define PKT_NOPAYLOAD_INSPECTION (1<<2) /**< Flag to indicate that packet contents should not be inspected*/
1087 #define PKT_ALLOC (1<<3) /**< Packet was alloc'd this run, needs to be freed */
1088 #define PKT_HAS_TAG (1<<4) /**< Packet has matched a tag */
1089 #define PKT_STREAM_ADD (1<<5) /**< Packet payload was added to reassembled stream */
1090 #define PKT_STREAM_EST (1<<6) /**< Packet is part of establised stream */
1091 #define PKT_STREAM_EOF (1<<7) /**< Stream is in eof state */
1092 #define PKT_HAS_FLOW (1<<8)
1093 #define PKT_PSEUDO_STREAM_END (1<<9) /**< Pseudo packet to end the stream */
1094 #define PKT_STREAM_MODIFIED (1<<10) /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */
1095 #define PKT_MARK_MODIFIED (1<<11) /**< Packet mark is modified */
1096 #define PKT_STREAM_NOPCAPLOG (1<<12) /**< Exclude packet from pcap logging as it's part of a stream that has reassembly depth reached. */
1097 
1098 #define PKT_TUNNEL (1<<13)
1099 #define PKT_TUNNEL_VERDICTED (1<<14)
1100 
1101 #define PKT_IGNORE_CHECKSUM (1<<15) /**< Packet checksum is not computed (TX packet for example) */
1102 #define PKT_ZERO_COPY (1<<16) /**< Packet comes from zero copy (ext_pkt must not be freed) */
1103 
1104 #define PKT_HOST_SRC_LOOKED_UP (1<<17)
1105 #define PKT_HOST_DST_LOOKED_UP (1<<18)
1106 
1107 #define PKT_IS_FRAGMENT (1<<19) /**< Packet is a fragment */
1108 #define PKT_IS_INVALID (1<<20)
1109 #define PKT_PROFILE (1<<21)
1110 
1111 /** indication by decoder that it feels the packet should be handled by
1112  * flow engine: Packet::flow_hash will be set */
1113 #define PKT_WANTS_FLOW (1<<22)
1114 
1115 /** protocol detection done */
1116 #define PKT_PROTO_DETECT_TS_DONE (1<<23)
1117 #define PKT_PROTO_DETECT_TC_DONE (1<<24)
1118 
1119 #define PKT_REBUILT_FRAGMENT (1<<25) /**< Packet is rebuilt from
1120  * fragments. */
1121 #define PKT_DETECT_HAS_STREAMDATA (1<<26) /**< Set by Detect() if raw stream data is available. */
1123 #define PKT_PSEUDO_DETECTLOG_FLUSH (1<<27) /**< Detect/log flush for protocol upgrade */
1125 /** Packet is part of stream in known bad condition (loss, wrong thread),
1126  * so flag it for not setting stream events */
1127 #define PKT_STREAM_NO_EVENTS (1<<28)
1129 /** \brief return 1 if the packet is a pseudo packet */
1130 #define PKT_IS_PSEUDOPKT(p) \
1131  ((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))
1132 
1133 #define PKT_SET_SRC(p, src_val) ((p)->pkt_src = src_val)
1135 /** \brief return true if *this* packet needs to trigger a verdict.
1136  *
1137  * If we have the root packet, and we have none outstanding,
1138  * we can verdict now.
1139  *
1140  * If we have a upper layer packet, it's the only one and root
1141  * is already processed, we can verdict now.
1142  *
1143  * Otherwise, a future packet will issue the verdict.
1144  */
1145 static inline bool VerdictTunnelPacket(Packet *p)
1146 {
1147  bool verdict = true;
1148  SCMutex *m = p->root ? &p->root->tunnel_mutex : &p->tunnel_mutex;
1149  SCMutexLock(m);
1150  const uint16_t outstanding = TUNNEL_PKT_TPR(p) - TUNNEL_PKT_RTV(p);
1151  SCLogDebug("tunnel: outstanding %u", outstanding);
1152 
1153  /* if there are packets outstanding, we won't verdict this one */
1154  if (IS_TUNNEL_ROOT_PKT(p) && !IS_TUNNEL_PKT_VERDICTED(p) && !outstanding) {
1155  // verdict
1156  SCLogDebug("root %p: verdict", p);
1157  } else if (!IS_TUNNEL_ROOT_PKT(p) && outstanding == 1 && p->root && IS_TUNNEL_PKT_VERDICTED(p->root)) {
1158  // verdict
1159  SCLogDebug("tunnel %p: verdict", p);
1160  } else {
1161  verdict = false;
1162  }
1163  SCMutexUnlock(m);
1164  return verdict;
1165 }
1166 
1167 #endif /* __DECODE_H__ */
1168 
uint16_t counter_max_pkt_size
Definition: decode.h:643
EthernetHdr * ethh
Definition: decode.h:491
uint16_t counter_ips_rejected
Definition: decode.h:699
#define SCMutex
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:676
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now assosiated to it.
Definition: decode.c:386
IPV4Vars ip4vars
Definition: decode.h:504
int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-mpls.c:47
UDPHdr * udph
Definition: decode.h:522
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *)
Alloc and setup DecodeThreadVars.
Definition: decode.c:592
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:685
uint16_t counter_ieee8021ah
Definition: decode.h:663
uint64_t ticks_start
Definition: decode.h:342
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:485
struct Flow_ * flow
Definition: decode.h:443
__thread uint64_t rww_lock_contention
struct PktVar_ * next
Definition: decode.h:310
IPFWPacketVars ipfw_v
Definition: decode.h:460
int32_t level4_comp_csum
Definition: decode.h:496
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:887
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:567
SCCondT cond_q
Definition: decode.h:628
struct PktProfilingTmmData_ PktProfilingTmmData
Per TMM stats storage.
uint8_t address_un_data8[16]
Definition: decode.h:113
#define PACKET_ALERT_MAX
Definition: decode.h:288
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:114
struct PacketEngineEvents_ PacketEngineEvents
uint16_t counter_bytes
Definition: decode.h:641
int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-ppp.c:43
uint8_t type
Definition: decode.h:416
uint16_t counter_eth
Definition: decode.h:647
Per pkt stats storage.
Definition: decode.h:372
uint16_t counter_null
Definition: decode.h:657
Port sp
Definition: decode.h:413
void DecodeRegisterPerfCounters(DecodeThreadVars *, ThreadVars *)
Definition: decode.c:453
PktSrcEnum
Definition: decode.h:48
struct Packet_ * next
Definition: decode.h:570
uint64_t ticks_spent
Definition: decode.h:359
Port dp
Definition: decode.h:421
ICMPV4Hdr * icmpv4h
Definition: decode.h:526
uint16_t counter_vlan_qinq
Definition: decode.h:662
uint8_t action
Definition: decode.h:269
int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-raw.c:46
uint64_t offset
Address dst
Definition: decode.h:411
uint16_t counter_defrag_ipv6_timeouts
Definition: decode.h:677
struct PktVar_ PktVar
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:101
int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-udp.c:73
__thread uint64_t spin_lock_wait_ticks
uint16_t counter_defrag_ipv4_timeouts
Definition: decode.h:674
uint64_t ticks_start
Definition: decode.h:347
uint16_t counter_ipv4
Definition: decode.h:648
void DecodeIPV6FragHeader(Packet *p, uint8_t *pkt, uint16_t hdrextlen, uint16_t plen, uint16_t prev_hdrextlen)
Definition: decode-ipv6.c:107
int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-tcp.c:199
uint64_t pcap_cnt
Definition: decode.h:561
uint8_t * ext_pkt
Definition: decode.h:550
struct PktProfilingPrefilterData_ PktProfilingPrefilterData
__thread uint64_t spin_lock_contention
struct PktProfilingDetectData_ PktProfilingDetectData
void DecodeGlobalConfig(void)
Definition: decode.c:706
ICMPV6Vars icmpv6vars
Definition: decode.h:514
uint16_t key_len
Definition: decode.h:313
TCPHdr * tcph
Definition: decode.h:520
uint16_t counter_ipv4inipv6
Definition: decode.h:667
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:176
SCTPHdr * sctph
Definition: decode.h:524
Signature container.
Definition: detect.h:495
#define SCMutexLock(mut)
uint16_t counter_teredo
Definition: decode.h:665
__thread uint64_t rwr_lock_wait_ticks
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:161
struct Host_ * host_src
Definition: decode.h:557
uint16_t counter_vlan
Definition: decode.h:661
uint16_t counter_erspan
Definition: decode.h:669
SigIntId num
Definition: decode.h:268
struct PktPool_ * pool
Definition: decode.h:599
uint64_t ticks_start
Definition: decode.h:323
#define IS_TUNNEL_PKT_VERDICTED(p)
Definition: decode.h:889
uint16_t counter_raw
Definition: decode.h:656
uint16_t counter_pkts
Definition: decode.h:640
#define SCCondT
uint16_t counter_flow_udp
Definition: decode.h:683
struct PktProfilingAppData_ PktProfilingAppData
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
int(* Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
uint16_t counter_flow_tcp
Definition: decode.h:682
const struct Signature_ * s
Definition: decode.h:271
typedef __attribute__
DNP3 application header.
uint16_t counter_avg_pkt_size
Definition: decode.h:642
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:675
PktVar * pktvar
Definition: decode.h:488
void AddressDebugPrint(Address *)
Debug print function for printing addresses.
Definition: decode.c:575
Data structure to store app layer decoder events.
uint64_t ticks_end
Definition: decode.h:374
#define SCMutexUnlock(mut)
IPV6Hdr * ip6h
Definition: decode.h:500
struct PacketAlerts_ PacketAlerts
ICMPV6Hdr * icmpv6h
Definition: decode.h:528
char family
Definition: decode.h:109
int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main ICMPv4 decoding function.
uint16_t value_len
Definition: decode.h:314
int datalink
Definition: decode.h:574
uint8_t proto
Definition: decode.h:428
IPV6ExtHdrs ip6eh
Definition: decode.h:507
uint64_t ticks_spent
Definition: decode.h:349
struct PktProfilingPrefilterEngine_ PktProfilingPrefilterEngine
uint32_t len
Definition: decode.h:623
struct PktProfilingData_ PktProfilingData
PPPHdr * ppph
Definition: decode.h:530
uint8_t recursion_level
Definition: decode.h:431
uint8_t type
PPPOESessionHdr * pppoesh
Definition: decode.h:531
AppLayerThreadCtx * app_tctx
Definition: decode.h:635
int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-sll.c:39
uint16_t counter_ipv6inipv6
Definition: decode.h:668
struct PktProfilingLoggerData_ PktProfilingLoggerData
int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv6.c:584
struct PktProfiling_ PktProfiling
Per pkt stats storage.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:632
__thread uint64_t mutex_lock_wait_ticks
uint16_t counter_mpls
Definition: decode.h:666
struct PacketAlert_ PacketAlert
DecodeTunnelProto
Definition: decode.h:892
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
uint16_t counter_icmpv4
Definition: decode.h:652
struct Host_ * host_dst
Definition: decode.h:558
uint16_t counter_tcp
Definition: decode.h:650
uint8_t flowflags
Definition: decode.h:437
void PacketBypassCallback(Packet *p)
Definition: decode.c:400
int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-null.c:48
PacketEngineEvents events
Definition: decode.h:565
Packet * top
Definition: decode.h:621
void * output_flow_thread_data
Definition: decode.h:691
#define TUNNEL_PKT_TPR(p)
Definition: decode.h:882
uint64_t proto_detect
Definition: decode.h:381
struct CaptureStats_ CaptureStats
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:121
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:418
uint16_t counter_ips_accepted
Definition: decode.h:697
uint16_t counter_ips_blocked
Definition: decode.h:698
uint16_t counter_flow_icmp4
Definition: decode.h:684
uint8_t proto
uint32_t pktlen
Definition: decode.h:549
uint16_t Port
Definition: decode.h:233
uint8_t pkt_src
Definition: decode.h:546
uint64_t tx_id
Definition: decode.h:272
uint64_t ticks_spent
Definition: decode.h:353
uint16_t counter_flow_memcap
Definition: decode.h:680
union Address_::@40 address
int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
uint16_t counter_ipv6
Definition: decode.h:649
__thread uint64_t mutex_lock_contention
__thread uint64_t rwr_lock_cnt
PPPOEDiscoveryHdr * pppoedh
Definition: decode.h:532
struct Packet_ Packet
int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Session packets.
Definition: decode-pppoe.c:129
Packet * bot
Definition: decode.h:622
int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv4.c:532
IPV4Hdr * ip4h
Definition: decode.h:498
int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:217
uint8_t vlan_idx
Definition: decode.h:434
#define TUNNEL_PKT_RTV(p)
Definition: decode.h:881
Per TMM stats storage.
Definition: decode.h:322
uint64_t ticks_end
Definition: decode.h:343
uint32_t id
Definition: decode.h:309
uint16_t counter_invalid
Definition: decode.h:645
uint16_t address_un_data16[8]
Definition: decode.h:112
struct in6_addr address_un_in6
Definition: decode.h:114
int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__((warn_unused_result))
Definition: decode.c:74
uint8_t code
Definition: decode.h:417
int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Function to decode TEMPLATE packets.
uint16_t counter_sctp
Definition: decode.h:658
SCMutex tunnel_mutex
Definition: decode.h:587
uint16_t tunnel_tpr_cnt
Definition: decode.h:591
struct Address_ Address
int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:638
uint16_t counter_ppp
Definition: decode.h:659
struct DecodeThreadVars_ DecodeThreadVars
Structure to hold thread specific data for all decode modules.
uint8_t * key
Definition: decode.h:315
IPV6Vars ip6vars
Definition: decode.h:506
Definition: host.h:58
uint16_t tunnel_rtv_cnt
Definition: decode.h:589
uint8_t * value
Definition: decode.h:316
uint32_t address_un_data32[4]
Definition: decode.h:111
uint8_t flags
Definition: decode.h:270
int32_t level3_comp_csum
Definition: decode.h:494
int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Decode ICMPV6 packets and fill the Packet with the decoded info.
uint16_t counter_ips_replaced
Definition: decode.h:700
PacketAlert drop
Definition: decode.h:295
uint32_t default_packet_size
Definition: decode.h:617
PktProfiling * profile
Definition: decode.h:602
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:191
uint64_t ticks_end
Definition: decode.h:324
uint64_t ts
struct Packet_ * prev
Definition: decode.h:571
uint16_t counter_icmpv6
Definition: decode.h:653
__thread uint64_t rwr_lock_contention
__thread uint64_t rww_lock_cnt
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:650
uint16_t counter_gre
Definition: decode.h:660
SCMutex m
Definition: flow-hash.h:105
__thread uint64_t rww_lock_wait_ticks
uint16_t counter_udp
Definition: decode.h:651
per packet Pfring vars
Definition: source-pfring.h:61
get the highest proto/next header field we know
Definition: decode-ipv6.h:100
uint16_t counter_flow_icmp6
Definition: decode.h:685
ChecksumValidationMode
Definition: decode.h:40
PacketAlerts alerts
Definition: decode.h:555
struct PacketQueue_ PacketQueue
int g_default_mtu
Definition: suricata.c:222
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:558
int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46
#define PACKET_ENGINE_EVENT_MAX
Definition: decode.h:300
NapatechPacketVars ntpv
Definition: decode.h:605
int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-vlan.c:62
uint64_t ticks_start
Definition: decode.h:373
uint16_t counter_sll
Definition: decode.h:655
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:698
NFQPacketVars nfq_v
Definition: decode.h:457
uint16_t cnt
Definition: decode.h:291
TCPVars tcpvars
Definition: decode.h:512
uint16_t counter_pppoe
Definition: decode.h:664
struct LiveDevice_ * livedev
Definition: decode.h:553
uint32_t tenant_id
Definition: decode.h:594
uint32_t flow_hash
Definition: decode.h:447
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
__thread uint64_t mutex_lock_cnt
uint8_t code
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:672
uint32_t flags
Definition: decode.h:441
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:541
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:274
void DecodeThreadVarsFree(ThreadVars *, DecodeThreadVars *)
Definition: decode.c:618
uint16_t counter_defrag_max_hit
Definition: decode.h:678
per packet AF_PACKET vars
PktProfilingPrefilterEngine * engines
Definition: decode.h:367
PcapPacketVars pcap_v
Definition: decode.h:478
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:673
int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Discovery packets.
Definition: decode-pppoe.c:50
Flow data structure.
Definition: flow.h:324
GREHdr * greh
Definition: decode.h:534
uint8_t * payload
Definition: decode.h:540
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:258
#define SigIntId
int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Function to decode GRE packets.
Definition: decode-gre.c:46
int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-sctp.c:62
ICMPV4Vars icmpv4vars
Definition: decode.h:513
Packet * PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:348
__thread uint64_t spin_lock_cnt
void DecodeUnregisterCounters(void)
Definition: decode.c:443
SCMutex mutex_q
Definition: decode.h:627
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:140
Address src
Definition: decode.h:410
uint64_t ticks_start
Definition: decode.h:357
struct Packet_ * root
Definition: decode.h:577
uint8_t action
Definition: decode.h:544