suricata
decode.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DECODE_H__
25 #define __DECODE_H__
26 
27 //#define DBG_THREADS
28 #define COUNTERS
29 
30 #include "suricata-common.h"
31 #include "threadvars.h"
32 #include "decode-events.h"
33 #include "flow-worker.h"
34 
35 #ifdef HAVE_NAPATECH
36 #include "util-napatech.h"
37 #endif /* HAVE_NAPATECH */
38 
39 
40 typedef enum {
47 
48 enum PktSrcEnum {
58 };
59 
60 #include "source-nflog.h"
61 #include "source-nfq.h"
62 #include "source-ipfw.h"
63 #include "source-pcap.h"
64 #include "source-af-packet.h"
65 #include "source-mpipe.h"
66 #include "source-netmap.h"
67 #include "source-windivert.h"
68 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
69 #include "source-pfring.h"
70 #endif
71 
72 #include "action-globals.h"
73 
74 #include "decode-erspan.h"
75 #include "decode-ethernet.h"
76 #include "decode-gre.h"
77 #include "decode-ppp.h"
78 #include "decode-pppoe.h"
79 #include "decode-sll.h"
80 #include "decode-ipv4.h"
81 #include "decode-ipv6.h"
82 #include "decode-icmpv4.h"
83 #include "decode-icmpv6.h"
84 #include "decode-tcp.h"
85 #include "decode-udp.h"
86 #include "decode-sctp.h"
87 #include "decode-raw.h"
88 #include "decode-null.h"
89 #include "decode-vlan.h"
90 #include "decode-mpls.h"
91 
92 #include "detect-reference.h"
93 
94 #include "app-layer-protos.h"
95 
96 /* forward declarations */
97 struct DetectionEngineThreadCtx_;
99 
100 struct PktPool_;
101 
102 /* declare these here as they are called from the
103  * PACKET_RECYCLE and PACKET_CLEANUP macro's. */
107 
108 /* Address */
109 typedef struct Address_ {
110  char family;
111  union {
112  uint32_t address_un_data32[4]; /* type-specific field */
113  uint16_t address_un_data16[8]; /* type-specific field */
114  uint8_t address_un_data8[16]; /* type-specific field */
115  struct in6_addr address_un_in6;
116  } address;
117 } Address;
118 
119 #define addr_data32 address.address_un_data32
120 #define addr_data16 address.address_un_data16
121 #define addr_data8 address.address_un_data8
122 #define addr_in6addr address.address_un_in6
123 
124 #define COPY_ADDRESS(a, b) do { \
125  (b)->family = (a)->family; \
126  (b)->addr_data32[0] = (a)->addr_data32[0]; \
127  (b)->addr_data32[1] = (a)->addr_data32[1]; \
128  (b)->addr_data32[2] = (a)->addr_data32[2]; \
129  (b)->addr_data32[3] = (a)->addr_data32[3]; \
130  } while (0)
131 
132 /* Set the IPv4 addresses into the Addrs of the Packet.
133  * Make sure p->ip4h is initialized and validated.
134  *
135  * We set the rest of the struct to 0 so we can
136  * prevent using memset. */
137 #define SET_IPV4_SRC_ADDR(p, a) do { \
138  (a)->family = AF_INET; \
139  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
140  (a)->addr_data32[1] = 0; \
141  (a)->addr_data32[2] = 0; \
142  (a)->addr_data32[3] = 0; \
143  } while (0)
144 
145 #define SET_IPV4_DST_ADDR(p, a) do { \
146  (a)->family = AF_INET; \
147  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
148  (a)->addr_data32[1] = 0; \
149  (a)->addr_data32[2] = 0; \
150  (a)->addr_data32[3] = 0; \
151  } while (0)
152 
153 /* clear the address structure by setting all fields to 0 */
154 #define CLEAR_ADDR(a) do { \
155  (a)->family = 0; \
156  (a)->addr_data32[0] = 0; \
157  (a)->addr_data32[1] = 0; \
158  (a)->addr_data32[2] = 0; \
159  (a)->addr_data32[3] = 0; \
160  } while (0)
161 
162 /* Set the IPv6 addressesinto the Addrs of the Packet.
163  * Make sure p->ip6h is initialized and validated. */
164 #define SET_IPV6_SRC_ADDR(p, a) do { \
165  (a)->family = AF_INET6; \
166  (a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
167  (a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
168  (a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
169  (a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
170  } while (0)
171 
172 #define SET_IPV6_DST_ADDR(p, a) do { \
173  (a)->family = AF_INET6; \
174  (a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
175  (a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
176  (a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
177  (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
178  } while (0)
179 
180 /* Set the TCP ports into the Ports of the Packet.
181  * Make sure p->tcph is initialized and validated. */
182 #define SET_TCP_SRC_PORT(pkt, prt) do { \
183  SET_PORT(TCP_GET_SRC_PORT((pkt)), *(prt)); \
184  } while (0)
185 
186 #define SET_TCP_DST_PORT(pkt, prt) do { \
187  SET_PORT(TCP_GET_DST_PORT((pkt)), *(prt)); \
188  } while (0)
189 
190 /* Set the UDP ports into the Ports of the Packet.
191  * Make sure p->udph is initialized and validated. */
192 #define SET_UDP_SRC_PORT(pkt, prt) do { \
193  SET_PORT(UDP_GET_SRC_PORT((pkt)), *(prt)); \
194  } while (0)
195 #define SET_UDP_DST_PORT(pkt, prt) do { \
196  SET_PORT(UDP_GET_DST_PORT((pkt)), *(prt)); \
197  } while (0)
198 
199 /* Set the SCTP ports into the Ports of the Packet.
200  * Make sure p->sctph is initialized and validated. */
201 #define SET_SCTP_SRC_PORT(pkt, prt) do { \
202  SET_PORT(SCTP_GET_SRC_PORT((pkt)), *(prt)); \
203  } while (0)
204 
205 #define SET_SCTP_DST_PORT(pkt, prt) do { \
206  SET_PORT(SCTP_GET_DST_PORT((pkt)), *(prt)); \
207  } while (0)
208 
209 
210 
211 #define GET_IPV4_SRC_ADDR_U32(p) ((p)->src.addr_data32[0])
212 #define GET_IPV4_DST_ADDR_U32(p) ((p)->dst.addr_data32[0])
213 #define GET_IPV4_SRC_ADDR_PTR(p) ((p)->src.addr_data32)
214 #define GET_IPV4_DST_ADDR_PTR(p) ((p)->dst.addr_data32)
215 
216 #define GET_IPV6_SRC_IN6ADDR(p) ((p)->src.addr_in6addr)
217 #define GET_IPV6_DST_IN6ADDR(p) ((p)->dst.addr_in6addr)
218 #define GET_IPV6_SRC_ADDR(p) ((p)->src.addr_data32)
219 #define GET_IPV6_DST_ADDR(p) ((p)->dst.addr_data32)
220 #define GET_TCP_SRC_PORT(p) ((p)->sp)
221 #define GET_TCP_DST_PORT(p) ((p)->dp)
222 
223 #define GET_PKT_LEN(p) ((p)->pktlen)
224 #define GET_PKT_DATA(p) ((((p)->ext_pkt) == NULL ) ? (uint8_t *)((p) + 1) : (p)->ext_pkt)
225 #define GET_PKT_DIRECT_DATA(p) (uint8_t *)((p) + 1)
226 #define GET_PKT_DIRECT_MAX_SIZE(p) (default_packet_size)
227 
228 #define SET_PKT_LEN(p, len) do { \
229  (p)->pktlen = (len); \
230  } while (0)
231 
232 
233 /* Port is just a uint16_t */
234 typedef uint16_t Port;
235 #define SET_PORT(v, p) ((p) = (v))
236 #define COPY_PORT(a,b) ((b) = (a))
237 
238 #define CMP_ADDR(a1, a2) \
239  (((a1)->addr_data32[3] == (a2)->addr_data32[3] && \
240  (a1)->addr_data32[2] == (a2)->addr_data32[2] && \
241  (a1)->addr_data32[1] == (a2)->addr_data32[1] && \
242  (a1)->addr_data32[0] == (a2)->addr_data32[0]))
243 #define CMP_PORT(p1, p2) \
244  ((p1) == (p2))
245 
246 /*Given a packet pkt offset to the start of the ip header in a packet
247  *We determine the ip version. */
248 #define IP_GET_RAW_VER(pkt) ((((pkt)[0] & 0xf0) >> 4))
249 
250 #define PKT_IS_IPV4(p) (((p)->ip4h != NULL))
251 #define PKT_IS_IPV6(p) (((p)->ip6h != NULL))
252 #define PKT_IS_TCP(p) (((p)->tcph != NULL))
253 #define PKT_IS_UDP(p) (((p)->udph != NULL))
254 #define PKT_IS_ICMPV4(p) (((p)->icmpv4h != NULL))
255 #define PKT_IS_ICMPV6(p) (((p)->icmpv6h != NULL))
256 #define PKT_IS_TOSERVER(p) (((p)->flowflags & FLOW_PKT_TOSERVER))
257 #define PKT_IS_TOCLIENT(p) (((p)->flowflags & FLOW_PKT_TOCLIENT))
258 
259 #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
260 
261 /* Retrieve proto regardless of IP version */
262 #define IP_GET_IPPROTO(p) \
263  (p->proto ? p->proto : \
264  (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
265 
266 /* structure to store the sids/gids/etc the detection engine
267  * found in this packet */
268 typedef struct PacketAlert_ {
269  SigIntId num; /* Internal num, used for sorting */
270  uint8_t action; /* Internal num, used for sorting */
271  uint8_t flags;
272  const struct Signature_ *s;
273  uint64_t tx_id;
274 } PacketAlert;
275 
276 /** After processing an alert by the thresholding module, if at
277  * last it gets triggered, we might want to stick the drop action to
278  * the flow on IPS mode */
279 #define PACKET_ALERT_FLAG_DROP_FLOW 0x01
280 /** alert was generated based on state */
281 #define PACKET_ALERT_FLAG_STATE_MATCH 0x02
282 /** alert was generated based on stream */
283 #define PACKET_ALERT_FLAG_STREAM_MATCH 0x04
284 /** alert is in a tx, tx_id set */
285 #define PACKET_ALERT_FLAG_TX 0x08
286 /** action was changed by rate_filter */
287 #define PACKET_ALERT_RATE_FILTER_MODIFIED 0x10
288 
289 #define PACKET_ALERT_MAX 15
290 
291 typedef struct PacketAlerts_ {
292  uint16_t cnt;
294  /* single pa used when we're dropping,
295  * so we can log it out in the drop log. */
297 } PacketAlerts;
298 
299 /** number of decoder events we support per packet. Power of 2 minus 1
300  * for memory layout */
301 #define PACKET_ENGINE_EVENT_MAX 15
302 
303 /** data structure to store decoder, defrag and stream events */
304 typedef struct PacketEngineEvents_ {
305  uint8_t cnt; /**< number of events */
306  uint8_t events[PACKET_ENGINE_EVENT_MAX]; /**< array of events */
308 
309 typedef struct PktVar_ {
310  uint32_t id;
311  struct PktVar_ *next; /* right now just implement this as a list,
312  * in the long run we have thing of something
313  * faster. */
314  uint16_t key_len;
315  uint16_t value_len;
316  uint8_t *key;
317  uint8_t *value;
318 } PktVar;
319 
320 #ifdef PROFILING
321 
322 /** \brief Per TMM stats storage */
323 typedef struct PktProfilingTmmData_ {
324  uint64_t ticks_start;
325  uint64_t ticks_end;
326 #ifdef PROFILE_LOCKING
327  uint64_t mutex_lock_cnt;
328  uint64_t mutex_lock_wait_ticks;
329  uint64_t mutex_lock_contention;
330  uint64_t spin_lock_cnt;
331  uint64_t spin_lock_wait_ticks;
332  uint64_t spin_lock_contention;
333  uint64_t rww_lock_cnt;
334  uint64_t rww_lock_wait_ticks;
335  uint64_t rww_lock_contention;
336  uint64_t rwr_lock_cnt;
337  uint64_t rwr_lock_wait_ticks;
338  uint64_t rwr_lock_contention;
339 #endif
341 
342 typedef struct PktProfilingData_ {
343  uint64_t ticks_start;
344  uint64_t ticks_end;
346 
347 typedef struct PktProfilingDetectData_ {
348  uint64_t ticks_start;
349  uint64_t ticks_end;
350  uint64_t ticks_spent;
352 
353 typedef struct PktProfilingAppData_ {
354  uint64_t ticks_spent;
356 
357 typedef struct PktProfilingLoggerData_ {
358  uint64_t ticks_start;
359  uint64_t ticks_end;
360  uint64_t ticks_spent;
362 
364  uint64_t ticks_spent;
366 
369  uint32_t size; /**< array size */
371 
372 /** \brief Per pkt stats storage */
373 typedef struct PktProfiling_ {
374  uint64_t ticks_start;
375  uint64_t ticks_end;
376 
382  uint64_t proto_detect;
383 } PktProfiling;
384 
385 #endif /* PROFILING */
386 
387 /* forward declartion since Packet struct definition requires this */
388 struct PacketQueue_;
389 
390 /* sizes of the members:
391  * src: 17 bytes
392  * dst: 17 bytes
393  * sp/type: 1 byte
394  * dp/code: 1 byte
395  * proto: 1 byte
396  * recurs: 1 byte
397  *
398  * sum of above: 38 bytes
399  *
400  * flow ptr: 4/8 bytes
401  * flags: 1 byte
402  * flowflags: 1 byte
403  *
404  * sum of above 44/48 bytes
405  */
406 typedef struct Packet_
407 {
408  /* Addresses, Ports and protocol
409  * these are on top so we can use
410  * the Packet as a hash key */
413  union {
415  // icmp type and code of this packet
416  struct {
417  uint8_t type;
418  uint8_t code;
419  } icmp_s;
420  };
421  union {
423  // icmp type and code of the expected counterpart (for flows)
424  struct {
425  uint8_t type;
426  uint8_t code;
427  } icmp_d;
428  };
429  uint8_t proto;
430  /* make sure we can't be attacked on when the tunneled packet
431  * has the exact same tuple as the lower levels */
433 
434  uint16_t vlan_id[2];
435  uint8_t vlan_idx;
436 
437  /* flow */
438  uint8_t flowflags;
439  /* coccinelle: Packet:flowflags:FLOW_PKT_ */
440 
441  /* Pkt Flags */
442  uint32_t flags;
443 
444  struct Flow_ *flow;
445 
446  /* raw hash value for looking up the flow, will need to modulated to the
447  * hash size still */
448  uint32_t flow_hash;
449 
450  struct timeval ts;
451 
452  union {
453  /* nfq stuff */
454 #ifdef HAVE_NFLOG
455  NFLOGPacketVars nflog_v;
456 #endif /* HAVE_NFLOG */
457 #ifdef NFQ
459 #endif /* NFQ */
460 #ifdef IPFW
462 #endif /* IPFW */
463 #ifdef AF_PACKET
464  AFPPacketVars afp_v;
465 #endif
466 #ifdef HAVE_MPIPE
467  /* tilegx mpipe stuff */
468  MpipePacketVars mpipe_v;
469 #endif
470 #ifdef HAVE_NETMAP
471  NetmapPacketVars netmap_v;
472 #endif
473 #ifdef HAVE_PFRING
474 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
475  PfringPacketVars pfring_v;
476 #endif
477 #endif
478 #ifdef WINDIVERT
479  WinDivertPacketVars windivert_v;
480 #endif /* WINDIVERT */
481 
482  /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
484  };
485 
486  /** The release function for packet structure and data */
487  void (*ReleasePacket)(struct Packet_ *);
488  /** The function triggering bypass the flow in the capture method.
489  * Return 1 for success and 0 on error */
490  int (*BypassPacketsFlow)(struct Packet_ *);
491 
492  /* pkt vars */
494 
495  /* header pointers */
496  EthernetHdr *ethh;
497 
498  /* Checksum for IP packets. */
500  /* Check sum for TCP, UDP or ICMP packets */
502 
503  IPV4Hdr *ip4h;
504 
505  IPV6Hdr *ip6h;
506 
507  /* IPv4 and IPv6 are mutually exclusive */
508  union {
510  struct {
513  };
514  };
515  /* Can only be one of TCP, UDP, ICMP at any given time */
516  union {
520  } l4vars;
521 #define tcpvars l4vars.tcpvars
522 #define icmpv4vars l4vars.icmpv4vars
523 #define icmpv6vars l4vars.icmpv6vars
524 
525  TCPHdr *tcph;
526 
527  UDPHdr *udph;
528 
529  SCTPHdr *sctph;
530 
531  ICMPV4Hdr *icmpv4h;
532 
534 
535  PPPHdr *ppph;
537  PPPOEDiscoveryHdr *pppoedh;
538 
539  GREHdr *greh;
540 
541  VLANHdr *vlanh[2];
542 
543  /* ptr to the payload of the packet
544  * with it's length. */
545  uint8_t *payload;
546  uint16_t payload_len;
547 
548  /* IPS action to take */
549  uint8_t action;
550 
551  uint8_t pkt_src;
552 
553  /* storage: set to pointer to heap and extended via allocation if necessary */
554  uint32_t pktlen;
555  uint8_t *ext_pkt;
556 
557  /* Incoming interface */
559 
561 
562  struct Host_ *host_src;
563  struct Host_ *host_dst;
564 
565  /** packet number in the pcap file, matches wireshark */
566  uint64_t pcap_cnt;
567 
568 
569  /* engine events */
571 
573 
574  /* double linked list ptrs */
575  struct Packet_ *next;
576  struct Packet_ *prev;
577 
578  /** data linktype in host order */
579  int datalink;
580 
581  /* tunnel/encapsulation handling */
582  struct Packet_ *root; /* in case of tunnel this is a ptr
583  * to the 'real' packet, the one we
584  * need to set the verdict on --
585  * It should always point to the lowest
586  * packet in a encapsulated packet */
587 
588  /** mutex to protect access to:
589  * - tunnel_rtv_cnt
590  * - tunnel_tpr_cnt
591  */
593  /* ready to set verdict counter, only set in root */
594  uint16_t tunnel_rtv_cnt;
595  /* tunnel packet ref count */
596  uint16_t tunnel_tpr_cnt;
597 
598  /** tenant id for this packet, if any. If 0 then no tenant was assigned. */
599  uint32_t tenant_id;
600 
601  /* The Packet pool from which this packet was allocated. Used when returning
602  * the packet to its owner's stack. If NULL, then allocated with malloc.
603  */
604  struct PktPool_ *pool;
605 
606 #ifdef PROFILING
608 #endif
609 #ifdef HAVE_NAPATECH
611 #endif
612 }
613 #ifdef HAVE_MPIPE
614  /* mPIPE requires packet buffers to be aligned to 128 byte boundaries. */
615  __attribute__((aligned(128)))
616 #endif
617 Packet;
618 
619 /** highest mtu of the interfaces we monitor */
620 extern int g_default_mtu;
621 #define DEFAULT_MTU 1500
622 #define MINIMUM_MTU 68 /**< ipv4 minimum: rfc791 */
623 
624 #define DEFAULT_PACKET_SIZE (DEFAULT_MTU + ETHERNET_HEADER_LEN)
625 /* storage: maximum ip packet size + link header */
626 #define MAX_PAYLOAD_SIZE (IPV6_HEADER_LEN + 65536 + 28)
628 #define SIZE_OF_PACKET (default_packet_size + sizeof(Packet))
629 
630 typedef struct PacketQueue_ {
631  Packet *top;
632  Packet *bot;
633  uint32_t len;
634 #ifdef DBG_PERF
635  uint32_t dbg_maxlen;
636 #endif /* DBG_PERF */
639 } PacketQueue;
640 
641 /** \brief Structure to hold thread specific data for all decode modules */
642 typedef struct DecodeThreadVars_
643 {
644  /** Specific context for udp protocol detection (here atm) */
646 
648 
649  /** stats/counters */
650  uint16_t counter_pkts;
651  uint16_t counter_bytes;
654 
655  uint16_t counter_invalid;
656 
657  uint16_t counter_eth;
658  uint16_t counter_ipv4;
659  uint16_t counter_ipv6;
660  uint16_t counter_tcp;
661  uint16_t counter_udp;
662  uint16_t counter_icmpv4;
663  uint16_t counter_icmpv6;
664 
665  uint16_t counter_sll;
666  uint16_t counter_raw;
667  uint16_t counter_null;
668  uint16_t counter_sctp;
669  uint16_t counter_ppp;
670  uint16_t counter_gre;
671  uint16_t counter_vlan;
674  uint16_t counter_pppoe;
675  uint16_t counter_teredo;
676  uint16_t counter_mpls;
679  uint16_t counter_erspan;
680 
681  /** frag stats - defrag runs in the context of the decoder. */
689 
691 
696 
697  uint16_t counter_engine_events[DECODE_EVENT_MAX];
698 
699  /* thread data for flow logging api: only used at forced
700  * flow recycle during lookups */
702 
704 
705 typedef struct CaptureStats_ {
706 
711 
712 } CaptureStats;
713 
714 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p);
716 
717 #define PACKET_CLEAR_L4VARS(p) do { \
718  memset(&(p)->l4vars, 0x00, sizeof((p)->l4vars)); \
719  } while (0)
720 
721 /**
722  * \brief reset these to -1(indicates that the packet is fresh from the queue)
723  */
724 #define PACKET_RESET_CHECKSUMS(p) do { \
725  (p)->level3_comp_csum = -1; \
726  (p)->level4_comp_csum = -1; \
727  } while (0)
728 
729 /* if p uses extended data, free them */
730 #define PACKET_FREE_EXTDATA(p) do { \
731  if ((p)->ext_pkt) { \
732  if (!((p)->flags & PKT_ZERO_COPY)) { \
733  SCFree((p)->ext_pkt); \
734  } \
735  (p)->ext_pkt = NULL; \
736  } \
737  } while(0)
738 
739 /**
740  * \brief Initialize a packet structure for use.
741  */
742 #define PACKET_INITIALIZE(p) { \
743  SCMutexInit(&(p)->tunnel_mutex, NULL); \
744  PACKET_RESET_CHECKSUMS((p)); \
745  (p)->livedev = NULL; \
746 }
747 
748 #define PACKET_RELEASE_REFS(p) do { \
749  FlowDeReference(&((p)->flow)); \
750  HostDeReference(&((p)->host_src)); \
751  HostDeReference(&((p)->host_dst)); \
752  } while (0)
753 
754 /**
755  * \brief Recycle a packet structure for reuse.
756  */
757 #define PACKET_REINIT(p) do { \
758  CLEAR_ADDR(&(p)->src); \
759  CLEAR_ADDR(&(p)->dst); \
760  (p)->sp = 0; \
761  (p)->dp = 0; \
762  (p)->proto = 0; \
763  (p)->recursion_level = 0; \
764  PACKET_FREE_EXTDATA((p)); \
765  (p)->flags = (p)->flags & PKT_ALLOC; \
766  (p)->flowflags = 0; \
767  (p)->pkt_src = 0; \
768  (p)->vlan_id[0] = 0; \
769  (p)->vlan_id[1] = 0; \
770  (p)->vlan_idx = 0; \
771  (p)->ts.tv_sec = 0; \
772  (p)->ts.tv_usec = 0; \
773  (p)->datalink = 0; \
774  (p)->action = 0; \
775  if ((p)->pktvar != NULL) { \
776  PktVarFree((p)->pktvar); \
777  (p)->pktvar = NULL; \
778  } \
779  (p)->ethh = NULL; \
780  if ((p)->ip4h != NULL) { \
781  CLEAR_IPV4_PACKET((p)); \
782  } \
783  if ((p)->ip6h != NULL) { \
784  CLEAR_IPV6_PACKET((p)); \
785  } \
786  if ((p)->tcph != NULL) { \
787  CLEAR_TCP_PACKET((p)); \
788  } \
789  if ((p)->udph != NULL) { \
790  CLEAR_UDP_PACKET((p)); \
791  } \
792  if ((p)->sctph != NULL) { \
793  CLEAR_SCTP_PACKET((p)); \
794  } \
795  if ((p)->icmpv4h != NULL) { \
796  CLEAR_ICMPV4_PACKET((p)); \
797  } \
798  if ((p)->icmpv6h != NULL) { \
799  CLEAR_ICMPV6_PACKET((p)); \
800  } \
801  (p)->ppph = NULL; \
802  (p)->pppoesh = NULL; \
803  (p)->pppoedh = NULL; \
804  (p)->greh = NULL; \
805  (p)->vlanh[0] = NULL; \
806  (p)->vlanh[1] = NULL; \
807  (p)->payload = NULL; \
808  (p)->payload_len = 0; \
809  (p)->BypassPacketsFlow = NULL; \
810  (p)->pktlen = 0; \
811  (p)->alerts.cnt = 0; \
812  (p)->alerts.drop.action = 0; \
813  (p)->pcap_cnt = 0; \
814  (p)->tunnel_rtv_cnt = 0; \
815  (p)->tunnel_tpr_cnt = 0; \
816  (p)->events.cnt = 0; \
817  AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
818  (p)->next = NULL; \
819  (p)->prev = NULL; \
820  (p)->root = NULL; \
821  (p)->livedev = NULL; \
822  PACKET_RESET_CHECKSUMS((p)); \
823  PACKET_PROFILING_RESET((p)); \
824  p->tenant_id = 0; \
825  } while (0)
826 
827 #define PACKET_RECYCLE(p) do { \
828  PACKET_RELEASE_REFS((p)); \
829  PACKET_REINIT((p)); \
830  } while (0)
831 
832 /**
833  * \brief Cleanup a packet so that we can free it. No memset needed..
834  */
835 #define PACKET_DESTRUCTOR(p) do { \
836  if ((p)->pktvar != NULL) { \
837  PktVarFree((p)->pktvar); \
838  } \
839  PACKET_FREE_EXTDATA((p)); \
840  SCMutexDestroy(&(p)->tunnel_mutex); \
841  AppLayerDecoderEventsFreeEvents(&(p)->app_layer_events); \
842  PACKET_PROFILING_RESET((p)); \
843  } while (0)
844 
845 
846 /* macro's for setting the action
847  * handle the case of a root packet
848  * for tunnels */
849 
850 #define PACKET_SET_ACTION(p, a) do { \
851  ((p)->root ? \
852  ((p)->root->action = a) : \
853  ((p)->action = a)); \
854 } while (0)
855 
856 #define PACKET_ALERT(p) PACKET_SET_ACTION(p, ACTION_ALERT)
857 
858 #define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)
859 
860 #define PACKET_DROP(p) PACKET_SET_ACTION(p, ACTION_DROP)
861 
862 #define PACKET_REJECT(p) PACKET_SET_ACTION(p, (ACTION_REJECT|ACTION_DROP))
863 
864 #define PACKET_REJECT_DST(p) PACKET_SET_ACTION(p, (ACTION_REJECT_DST|ACTION_DROP))
865 
866 #define PACKET_REJECT_BOTH(p) PACKET_SET_ACTION(p, (ACTION_REJECT_BOTH|ACTION_DROP))
867 
868 #define PACKET_PASS(p) PACKET_SET_ACTION(p, ACTION_PASS)
869 
870 #define PACKET_TEST_ACTION(p, a) \
871  ((p)->root ? \
872  ((p)->root->action & a) : \
873  ((p)->action & a))
874 
875 #define PACKET_UPDATE_ACTION(p, a) do { \
876  ((p)->root ? \
877  ((p)->root->action |= a) : \
878  ((p)->action |= a)); \
879 } while (0)
880 
881 #define TUNNEL_INCR_PKT_RTV_NOLOCK(p) do { \
882  ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++); \
883  } while (0)
884 
885 #define TUNNEL_INCR_PKT_TPR(p) do { \
886  SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
887  ((p)->root ? (p)->root->tunnel_tpr_cnt++ : (p)->tunnel_tpr_cnt++); \
888  SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
889  } while (0)
890 
891 #define TUNNEL_PKT_RTV(p) ((p)->root ? (p)->root->tunnel_rtv_cnt : (p)->tunnel_rtv_cnt)
892 #define TUNNEL_PKT_TPR(p) ((p)->root ? (p)->root->tunnel_tpr_cnt : (p)->tunnel_tpr_cnt)
893 
894 #define IS_TUNNEL_PKT(p) (((p)->flags & PKT_TUNNEL))
895 #define SET_TUNNEL_PKT(p) ((p)->flags |= PKT_TUNNEL)
896 #define UNSET_TUNNEL_PKT(p) ((p)->flags &= ~PKT_TUNNEL)
897 #define IS_TUNNEL_ROOT_PKT(p) (IS_TUNNEL_PKT(p) && (p)->root == NULL)
898 
899 #define IS_TUNNEL_PKT_VERDICTED(p) (((p)->flags & PKT_TUNNEL_VERDICTED))
900 #define SET_TUNNEL_PKT_VERDICTED(p) ((p)->flags |= PKT_TUNNEL_VERDICTED)
901 
908  DECODE_TUNNEL_IPV6_TEREDO, /**< separate protocol for stricter error handling */
910 };
911 
912 Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent,
913  uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq);
914 Packet *PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto);
915 void PacketDefragPktSetupParent(Packet *parent);
917 Packet *PacketGetFromQueueOrAlloc(void);
918 Packet *PacketGetFromAlloc(void);
919 void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p);
921  DecodeThreadVars *dtv, Packet *p);
922 void PacketFree(Packet *p);
923 void PacketFreeOrRelease(Packet *p);
924 int PacketCallocExtPkt(Packet *p, int datalen);
925 int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen);
926 int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen);
927 int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen);
928 const char *PktSrcToString(enum PktSrcEnum pkt_src);
929 void PacketBypassCallback(Packet *p);
930 
934  const DecodeThreadVars *dtv, const Packet *p);
935 
936 /* decoder functions */
937 int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
938 int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
939 int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
940 int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
941 int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
942 int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__ ((warn_unused_result));
943 int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
944 int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
945 int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
946 int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
947 int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
948 int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
949 int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
950 int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
951 int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *);
952 int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
953 int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
954 int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
955 int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *);
956 int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
957 
958 #ifdef UNITTESTS
959 void DecodeIPV6FragHeader(Packet *p, uint8_t *pkt,
960  uint16_t hdrextlen, uint16_t plen,
961  uint16_t prev_hdrextlen);
962 #endif
963 
964 void AddressDebugPrint(Address *);
965 
966 #ifdef AFLFUZZ_DECODER
967 typedef int (*DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
968  uint8_t *pkt, uint32_t len, PacketQueue *pq);
969 
970 int DecoderParseDataFromFile(char *filename, DecoderFunc Decoder);
971 int DecoderParseDataFromFileSerie(char *fileprefix, DecoderFunc Decoder);
972 #endif
973 void DecodeGlobalConfig(void);
974 void DecodeUnregisterCounters(void);
975 
976 /** \brief Set the No payload inspection Flag for the packet.
977  *
978  * \param p Packet to set the flag in
979  */
980 #define DecodeSetNoPayloadInspectionFlag(p) do { \
981  (p)->flags |= PKT_NOPAYLOAD_INSPECTION; \
982  } while (0)
983 
984 #define DecodeUnsetNoPayloadInspectionFlag(p) do { \
985  (p)->flags &= ~PKT_NOPAYLOAD_INSPECTION; \
986  } while (0)
987 
988 /** \brief Set the No packet inspection Flag for the packet.
989  *
990  * \param p Packet to set the flag in
991  */
992 #define DecodeSetNoPacketInspectionFlag(p) do { \
993  (p)->flags |= PKT_NOPACKET_INSPECTION; \
994  } while (0)
995 #define DecodeUnsetNoPacketInspectionFlag(p) do { \
996  (p)->flags &= ~PKT_NOPACKET_INSPECTION; \
997  } while (0)
998 
999 
1000 #define ENGINE_SET_EVENT(p, e) do { \
1001  SCLogDebug("p %p event %d", (p), e); \
1002  if ((p)->events.cnt < PACKET_ENGINE_EVENT_MAX) { \
1003  (p)->events.events[(p)->events.cnt] = e; \
1004  (p)->events.cnt++; \
1005  } \
1006 } while(0)
1007 
1008 #define ENGINE_SET_INVALID_EVENT(p, e) do { \
1009  p->flags |= PKT_IS_INVALID; \
1010  ENGINE_SET_EVENT(p, e); \
1011 } while(0)
1012 
1013 
1014 
1015 #define ENGINE_ISSET_EVENT(p, e) ({ \
1016  int r = 0; \
1017  uint8_t u; \
1018  for (u = 0; u < (p)->events.cnt; u++) { \
1019  if ((p)->events.events[u] == (e)) { \
1020  r = 1; \
1021  break; \
1022  } \
1023  } \
1024  r; \
1025 })
1026 
1027 #ifndef IPPROTO_IPIP
1028 #define IPPROTO_IPIP 4
1029 #endif
1030 
1031 /* older libcs don't contain a def for IPPROTO_DCCP
1032  * inside of <netinet/in.h>
1033  * if it isn't defined let's define it here.
1034  */
1035 #ifndef IPPROTO_DCCP
1036 #define IPPROTO_DCCP 33
1037 #endif
1038 
1039 /* older libcs don't contain a def for IPPROTO_SCTP
1040  * inside of <netinet/in.h>
1041  * if it isn't defined let's define it here.
1042  */
1043 #ifndef IPPROTO_SCTP
1044 #define IPPROTO_SCTP 132
1045 #endif
1046 
1047 #ifndef IPPROTO_MH
1048 #define IPPROTO_MH 135
1049 #endif
1050 
1051 /* Host Identity Protocol (rfc 5201) */
1052 #ifndef IPPROTO_HIP
1053 #define IPPROTO_HIP 139
1054 #endif
1055 
1056 #ifndef IPPROTO_SHIM6
1057 #define IPPROTO_SHIM6 140
1058 #endif
1059 
1060 /* pcap provides this, but we don't want to depend on libpcap */
1061 #ifndef DLT_EN10MB
1062 #define DLT_EN10MB 1
1063 #endif
1064 
1065 /* taken from pcap's bpf.h */
1066 #ifndef DLT_RAW
1067 #ifdef __OpenBSD__
1068 #define DLT_RAW 14 /* raw IP */
1069 #else
1070 #define DLT_RAW 12 /* raw IP */
1071 #endif
1072 #endif
1073 
1074 #ifndef DLT_NULL
1075 #define DLT_NULL 0
1076 #endif
1077 
1078 /** libpcap shows us the way to linktype codes
1079  * \todo we need more & maybe put them in a separate file? */
1080 #define LINKTYPE_NULL DLT_NULL
1081 #define LINKTYPE_ETHERNET DLT_EN10MB
1082 #define LINKTYPE_LINUX_SLL 113
1083 #define LINKTYPE_PPP 9
1084 #define LINKTYPE_RAW DLT_RAW
1085 /* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
1086  * Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
1087 #define LINKTYPE_RAW2 101
1088 #define LINKTYPE_IPV4 228
1089 #define LINKTYPE_GRE_OVER_IP 778
1090 #define PPP_OVER_GRE 11
1091 #define VLAN_OVER_GRE 13
1092 
1093 /*Packet Flags*/
1094 #define PKT_NOPACKET_INSPECTION (1) /**< Flag to indicate that packet header or contents should not be inspected*/
1095 #define PKT_NOPAYLOAD_INSPECTION (1<<2) /**< Flag to indicate that packet contents should not be inspected*/
1096 #define PKT_ALLOC (1<<3) /**< Packet was alloc'd this run, needs to be freed */
1097 #define PKT_HAS_TAG (1<<4) /**< Packet has matched a tag */
1098 #define PKT_STREAM_ADD (1<<5) /**< Packet payload was added to reassembled stream */
1099 #define PKT_STREAM_EST (1<<6) /**< Packet is part of establised stream */
1100 #define PKT_STREAM_EOF (1<<7) /**< Stream is in eof state */
1101 #define PKT_HAS_FLOW (1<<8)
1102 #define PKT_PSEUDO_STREAM_END (1<<9) /**< Pseudo packet to end the stream */
1103 #define PKT_STREAM_MODIFIED (1<<10) /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */
1104 #define PKT_MARK_MODIFIED (1<<11) /**< Packet mark is modified */
1105 #define PKT_STREAM_NOPCAPLOG (1<<12) /**< Exclude packet from pcap logging as it's part of a stream that has reassembly depth reached. */
1106 
1107 #define PKT_TUNNEL (1<<13)
1108 #define PKT_TUNNEL_VERDICTED (1<<14)
1109 
1110 #define PKT_IGNORE_CHECKSUM (1<<15) /**< Packet checksum is not computed (TX packet for example) */
1111 #define PKT_ZERO_COPY (1<<16) /**< Packet comes from zero copy (ext_pkt must not be freed) */
1112 
1113 #define PKT_HOST_SRC_LOOKED_UP (1<<17)
1114 #define PKT_HOST_DST_LOOKED_UP (1<<18)
1115 
1116 #define PKT_IS_FRAGMENT (1<<19) /**< Packet is a fragment */
1117 #define PKT_IS_INVALID (1<<20)
1118 #define PKT_PROFILE (1<<21)
1119 
1120 /** indication by decoder that it feels the packet should be handled by
1121  * flow engine: Packet::flow_hash will be set */
1122 #define PKT_WANTS_FLOW (1<<22)
1123 
1124 /** protocol detection done */
1125 #define PKT_PROTO_DETECT_TS_DONE (1<<23)
1126 #define PKT_PROTO_DETECT_TC_DONE (1<<24)
1127 
1128 #define PKT_REBUILT_FRAGMENT (1<<25) /**< Packet is rebuilt from
1129  * fragments. */
1130 #define PKT_DETECT_HAS_STREAMDATA (1<<26) /**< Set by Detect() if raw stream data is available. */
1132 #define PKT_PSEUDO_DETECTLOG_FLUSH (1<<27) /**< Detect/log flush for protocol upgrade */
1134 /** Packet is part of stream in known bad condition (loss, wrong thread),
1135  * so flag it for not setting stream events */
1136 #define PKT_STREAM_NO_EVENTS (1<<28)
1138 /** \brief return 1 if the packet is a pseudo packet */
1139 #define PKT_IS_PSEUDOPKT(p) \
1140  ((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))
1141 
1142 #define PKT_SET_SRC(p, src_val) ((p)->pkt_src = src_val)
1144 /** \brief return true if *this* packet needs to trigger a verdict.
1145  *
1146  * If we have the root packet, and we have none outstanding,
1147  * we can verdict now.
1148  *
1149  * If we have a upper layer packet, it's the only one and root
1150  * is already processed, we can verdict now.
1151  *
1152  * Otherwise, a future packet will issue the verdict.
1153  */
1154 static inline bool VerdictTunnelPacket(Packet *p)
1155 {
1156  bool verdict = true;
1157  SCMutex *m = p->root ? &p->root->tunnel_mutex : &p->tunnel_mutex;
1158  SCMutexLock(m);
1159  const uint16_t outstanding = TUNNEL_PKT_TPR(p) - TUNNEL_PKT_RTV(p);
1160  SCLogDebug("tunnel: outstanding %u", outstanding);
1161 
1162  /* if there are packets outstanding, we won't verdict this one */
1163  if (IS_TUNNEL_ROOT_PKT(p) && !IS_TUNNEL_PKT_VERDICTED(p) && !outstanding) {
1164  // verdict
1165  SCLogDebug("root %p: verdict", p);
1166  } else if (!IS_TUNNEL_ROOT_PKT(p) && outstanding == 1 && p->root && IS_TUNNEL_PKT_VERDICTED(p->root)) {
1167  // verdict
1168  SCLogDebug("tunnel %p: verdict", p);
1169  } else {
1170  verdict = false;
1171  }
1172  SCMutexUnlock(m);
1173  return verdict;
1174 }
1175 
1176 #endif /* __DECODE_H__ */
1177 
uint16_t counter_max_pkt_size
Definition: decode.h:653
EthernetHdr * ethh
Definition: decode.h:496
uint16_t counter_ips_rejected
Definition: decode.h:709
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:686
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now assosiated to it.
Definition: decode.c:386
IPV4Vars ip4vars
Definition: decode.h:509
int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-mpls.c:47
UDPHdr * udph
Definition: decode.h:527
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *)
Alloc and setup DecodeThreadVars.
Definition: decode.c:562
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:655
uint16_t counter_ieee8021ah
Definition: decode.h:673
uint64_t ticks_start
Definition: decode.h:343
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:490
struct Flow_ * flow
Definition: decode.h:444
__thread uint64_t rww_lock_contention
struct PktVar_ * next
Definition: decode.h:311
IPFWPacketVars ipfw_v
Definition: decode.h:461
int32_t level4_comp_csum
Definition: decode.h:501
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:897
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:572
SCCondT cond_q
Definition: decode.h:638
struct PktProfilingTmmData_ PktProfilingTmmData
Per TMM stats storage.
uint8_t address_un_data8[16]
Definition: decode.h:114
#define PACKET_ALERT_MAX
Definition: decode.h:289
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:114
struct PacketEngineEvents_ PacketEngineEvents
uint16_t counter_bytes
Definition: decode.h:651
int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-ppp.c:43
uint8_t type
Definition: decode.h:417
uint16_t counter_eth
Definition: decode.h:657
Per pkt stats storage.
Definition: decode.h:373
uint16_t counter_null
Definition: decode.h:667
Port sp
Definition: decode.h:414
void DecodeRegisterPerfCounters(DecodeThreadVars *, ThreadVars *)
Definition: decode.c:431
PktSrcEnum
Definition: decode.h:48
struct Packet_ * next
Definition: decode.h:575
uint64_t ticks_spent
Definition: decode.h:360
Port dp
Definition: decode.h:422
ICMPV4Hdr * icmpv4h
Definition: decode.h:531
uint16_t counter_vlan_qinq
Definition: decode.h:672
uint8_t action
Definition: decode.h:270
union Address_::@48 address
int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-raw.c:46
uint64_t offset
Address dst
Definition: decode.h:412
uint16_t counter_defrag_ipv6_timeouts
Definition: decode.h:687
struct PktVar_ PktVar
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:101
int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-udp.c:73
__thread uint64_t spin_lock_wait_ticks
uint16_t counter_defrag_ipv4_timeouts
Definition: decode.h:684
uint64_t ticks_start
Definition: decode.h:348
uint16_t counter_ipv4
Definition: decode.h:658
void DecodeIPV6FragHeader(Packet *p, uint8_t *pkt, uint16_t hdrextlen, uint16_t plen, uint16_t prev_hdrextlen)
Definition: decode-ipv6.c:107
int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-tcp.c:200
uint64_t pcap_cnt
Definition: decode.h:566
uint8_t * ext_pkt
Definition: decode.h:555
struct PktProfilingPrefilterData_ PktProfilingPrefilterData
__thread uint64_t spin_lock_contention
struct PktProfilingDetectData_ PktProfilingDetectData
void DecodeGlobalConfig(void)
Definition: decode.c:676
ICMPV6Vars icmpv6vars
Definition: decode.h:519
uint16_t key_len
Definition: decode.h:314
#define SCCondT
TCPHdr * tcph
Definition: decode.h:525
uint16_t counter_ipv4inipv6
Definition: decode.h:677
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:176
SCTPHdr * sctph
Definition: decode.h:529
Signature container.
Definition: detect.h:492
uint16_t counter_teredo
Definition: decode.h:675
__thread uint64_t rwr_lock_wait_ticks
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:161
struct Host_ * host_src
Definition: decode.h:562
uint16_t counter_vlan
Definition: decode.h:671
uint16_t counter_erspan
Definition: decode.h:679
SigIntId num
Definition: decode.h:269
struct PktPool_ * pool
Definition: decode.h:604
uint64_t ticks_start
Definition: decode.h:324
#define IS_TUNNEL_PKT_VERDICTED(p)
Definition: decode.h:899
uint16_t counter_raw
Definition: decode.h:666
uint16_t counter_pkts
Definition: decode.h:650
uint16_t counter_flow_udp
Definition: decode.h:693
struct PktProfilingAppData_ PktProfilingAppData
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
int(* Decoder)(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
uint16_t counter_flow_tcp
Definition: decode.h:692
const struct Signature_ * s
Definition: decode.h:272
uint16_t counter_avg_pkt_size
Definition: decode.h:652
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:685
PktVar * pktvar
Definition: decode.h:493
void AddressDebugPrint(Address *)
Debug print function for printing addresses.
Definition: decode.c:545
Data structure to store app layer decoder events.
uint64_t ticks_end
Definition: decode.h:375
#define SCMutexUnlock(mut)
IPV6Hdr * ip6h
Definition: decode.h:505
struct PacketAlerts_ PacketAlerts
ICMPV6Hdr * icmpv6h
Definition: decode.h:533
char family
Definition: decode.h:110
int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main ICMPv4 decoding function.
uint16_t type
uint16_t value_len
Definition: decode.h:315
int datalink
Definition: decode.h:579
uint8_t proto
Definition: decode.h:429
IPV6ExtHdrs ip6eh
Definition: decode.h:512
uint64_t ticks_spent
Definition: decode.h:350
struct PktProfilingPrefilterEngine_ PktProfilingPrefilterEngine
uint32_t len
Definition: decode.h:633
struct PktProfilingData_ PktProfilingData
PPPHdr * ppph
Definition: decode.h:535
uint8_t recursion_level
Definition: decode.h:432
PPPOESessionHdr * pppoesh
Definition: decode.h:536
AppLayerThreadCtx * app_tctx
Definition: decode.h:645
int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-sll.c:39
uint16_t counter_ipv6inipv6
Definition: decode.h:678
struct PktProfilingLoggerData_ PktProfilingLoggerData
int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv6.c:584
struct PktProfiling_ PktProfiling
Per pkt stats storage.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:642
__thread uint64_t mutex_lock_wait_ticks
uint16_t counter_mpls
Definition: decode.h:676
typedef __attribute__
struct PacketAlert_ PacketAlert
DecodeTunnelProto
Definition: decode.h:902
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
uint16_t counter_icmpv4
Definition: decode.h:662
struct Host_ * host_dst
Definition: decode.h:563
uint16_t counter_tcp
Definition: decode.h:660
uint8_t flowflags
Definition: decode.h:438
void PacketBypassCallback(Packet *p)
Definition: decode.c:400
int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-null.c:48
PacketEngineEvents events
Definition: decode.h:570
Packet * top
Definition: decode.h:631
void * output_flow_thread_data
Definition: decode.h:701
#define TUNNEL_PKT_TPR(p)
Definition: decode.h:892
uint64_t proto_detect
Definition: decode.h:382
struct CaptureStats_ CaptureStats
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:121
uint16_t counter_ips_accepted
Definition: decode.h:707
uint16_t counter_ips_blocked
Definition: decode.h:708
uint16_t counter_flow_icmp4
Definition: decode.h:694
uint8_t proto
uint32_t pktlen
Definition: decode.h:554
uint16_t Port
Definition: decode.h:234
uint8_t pkt_src
Definition: decode.h:551
uint64_t tx_id
Definition: decode.h:273
uint64_t ticks_spent
Definition: decode.h:354
uint16_t counter_flow_memcap
Definition: decode.h:690
int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
uint16_t counter_ipv6
Definition: decode.h:659
__thread uint64_t mutex_lock_contention
__thread uint64_t rwr_lock_cnt
PPPOEDiscoveryHdr * pppoedh
Definition: decode.h:537
int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Session packets.
Definition: decode-pppoe.c:129
Packet * bot
Definition: decode.h:632
int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv4.c:533
IPV4Hdr * ip4h
Definition: decode.h:503
int PacketCopyDataOffset(Packet *p, uint32_t offset, uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:217
uint8_t vlan_idx
Definition: decode.h:435
#define TUNNEL_PKT_RTV(p)
Definition: decode.h:891
Per TMM stats storage.
Definition: decode.h:323
uint64_t ticks_end
Definition: decode.h:344
uint32_t id
Definition: decode.h:310
uint16_t counter_invalid
Definition: decode.h:655
uint16_t address_un_data16[8]
Definition: decode.h:113
struct in6_addr address_un_in6
Definition: decode.h:115
int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__((warn_unused_result))
Definition: decode.c:74
uint8_t code
Definition: decode.h:418
int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Function to decode TEMPLATE packets.
uint16_t counter_sctp
Definition: decode.h:668
SCMutex tunnel_mutex
Definition: decode.h:592
uint16_t tunnel_tpr_cnt
Definition: decode.h:596
struct Address_ Address
int PacketSetData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:608
uint16_t counter_ppp
Definition: decode.h:669
struct DecodeThreadVars_ DecodeThreadVars
Structure to hold thread specific data for all decode modules.
uint8_t * key
Definition: decode.h:316
IPV6Vars ip6vars
Definition: decode.h:511
Definition: host.h:58
uint16_t tunnel_rtv_cnt
Definition: decode.h:594
uint8_t * value
Definition: decode.h:317
uint32_t address_un_data32[4]
Definition: decode.h:112
uint8_t flags
Definition: decode.h:271
int32_t level3_comp_csum
Definition: decode.h:499
int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Decode ICMPV6 packets and fill the Packet with the decoded info.
uint16_t counter_ips_replaced
Definition: decode.h:710
PacketAlert drop
Definition: decode.h:296
uint32_t default_packet_size
Definition: decode.h:627
PktProfiling * profile
Definition: decode.h:607
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:191
uint64_t ticks_end
Definition: decode.h:325
uint64_t ts
#define SCMutex
struct Packet_ * prev
Definition: decode.h:576
uint16_t counter_icmpv6
Definition: decode.h:663
__thread uint64_t rwr_lock_contention
__thread uint64_t rww_lock_cnt
#define SCMutexLock(mut)
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:620
uint16_t counter_gre
Definition: decode.h:670
SCMutex m
Definition: flow-hash.h:105
__thread uint64_t rww_lock_wait_ticks
uint16_t counter_udp
Definition: decode.h:661
per packet Pfring vars
Definition: source-pfring.h:61
get the highest proto/next header field we know
Definition: decode-ipv6.h:100
uint16_t counter_flow_icmp6
Definition: decode.h:695
ChecksumValidationMode
Definition: decode.h:40
PacketAlerts alerts
Definition: decode.h:560
struct PacketQueue_ PacketQueue
int g_default_mtu
Definition: suricata.c:224
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:528
int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46
#define PACKET_ENGINE_EVENT_MAX
Definition: decode.h:301
NapatechPacketVars ntpv
Definition: decode.h:610
int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Definition: decode-vlan.c:62
struct Packet_ Packet
uint64_t ticks_start
Definition: decode.h:374
uint16_t counter_sll
Definition: decode.h:665
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:668
NFQPacketVars nfq_v
Definition: decode.h:458
uint16_t cnt
Definition: decode.h:292
TCPVars tcpvars
Definition: decode.h:517
uint16_t counter_pppoe
Definition: decode.h:674
struct LiveDevice_ * livedev
Definition: decode.h:558
uint32_t tenant_id
Definition: decode.h:599
uint32_t flow_hash
Definition: decode.h:448
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
__thread uint64_t mutex_lock_cnt
uint8_t code
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:682
uint32_t flags
Definition: decode.h:442
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:546
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:274
void DecodeThreadVarsFree(ThreadVars *, DecodeThreadVars *)
Definition: decode.c:588
uint16_t counter_defrag_max_hit
Definition: decode.h:688
per packet AF_PACKET vars
PktProfilingPrefilterEngine * engines
Definition: decode.h:368
PcapPacketVars pcap_v
Definition: decode.h:483
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:683
int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Discovery packets.
Definition: decode-pppoe.c:50
Flow data structure.
Definition: flow.h:327
GREHdr * greh
Definition: decode.h:539
uint8_t * payload
Definition: decode.h:545
int PacketCopyData(Packet *p, uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:258
#define SigIntId
int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint32_t, PacketQueue *)
Function to decode GRE packets.
Definition: decode-gre.c:46
int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, uint8_t *, uint16_t, PacketQueue *)
Definition: decode-sctp.c:62
ICMPV4Vars icmpv4vars
Definition: decode.h:518
Packet * PacketDefragPktSetup(Packet *parent, uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:348
__thread uint64_t spin_lock_cnt
void DecodeUnregisterCounters(void)
Definition: decode.c:421
SCMutex mutex_q
Definition: decode.h:637
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:140
Address src
Definition: decode.h:411
uint64_t ticks_start
Definition: decode.h:358
struct Packet_ * root
Definition: decode.h:582
uint8_t action
Definition: decode.h:549