suricata
decode.h
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  */
23 
24 #ifndef __DECODE_H__
25 #define __DECODE_H__
26 
27 //#define DBG_THREADS
28 #define COUNTERS
29 
30 #include "suricata-common.h"
31 #include "threadvars.h"
32 #include "decode-events.h"
33 #include "flow-worker.h"
34 
35 #ifdef HAVE_NAPATECH
36 #include "util-napatech.h"
37 #endif /* HAVE_NAPATECH */
38 
39 
40 typedef enum {
47 
48 enum PktSrcEnum {
60 };
61 
62 #include "source-nflog.h"
63 #include "source-nfq.h"
64 #include "source-ipfw.h"
65 #include "source-pcap.h"
66 #include "source-af-packet.h"
67 #include "source-netmap.h"
68 #include "source-windivert.h"
69 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
70 #include "source-pfring.h"
71 #endif
72 
73 #include "action-globals.h"
74 
75 #include "decode-erspan.h"
76 #include "decode-ethernet.h"
77 #include "decode-gre.h"
78 #include "decode-ppp.h"
79 #include "decode-pppoe.h"
80 #include "decode-sll.h"
81 #include "decode-ipv4.h"
82 #include "decode-ipv6.h"
83 #include "decode-icmpv4.h"
84 #include "decode-icmpv6.h"
85 #include "decode-tcp.h"
86 #include "decode-udp.h"
87 #include "decode-sctp.h"
88 #include "decode-raw.h"
89 #include "decode-null.h"
90 #include "decode-vlan.h"
91 #include "decode-vxlan.h"
92 #include "decode-mpls.h"
93 
94 #include "detect-reference.h"
95 
96 #include "app-layer-protos.h"
97 
98 /* forward declarations */
99 struct DetectionEngineThreadCtx_;
101 
102 struct PktPool_;
103 
104 /* declare these here as they are called from the
105  * PACKET_RECYCLE and PACKET_CLEANUP macro's. */
109 
110 /* Address */
111 typedef struct Address_ {
112  char family;
113  union {
114  uint32_t address_un_data32[4]; /* type-specific field */
115  uint16_t address_un_data16[8]; /* type-specific field */
116  uint8_t address_un_data8[16]; /* type-specific field */
117  struct in6_addr address_un_in6;
118  } address;
119 } Address;
120 
121 #define addr_data32 address.address_un_data32
122 #define addr_data16 address.address_un_data16
123 #define addr_data8 address.address_un_data8
124 #define addr_in6addr address.address_un_in6
125 
126 #define COPY_ADDRESS(a, b) do { \
127  (b)->family = (a)->family; \
128  (b)->addr_data32[0] = (a)->addr_data32[0]; \
129  (b)->addr_data32[1] = (a)->addr_data32[1]; \
130  (b)->addr_data32[2] = (a)->addr_data32[2]; \
131  (b)->addr_data32[3] = (a)->addr_data32[3]; \
132  } while (0)
133 
134 /* Set the IPv4 addresses into the Addrs of the Packet.
135  * Make sure p->ip4h is initialized and validated.
136  *
137  * We set the rest of the struct to 0 so we can
138  * prevent using memset. */
139 #define SET_IPV4_SRC_ADDR(p, a) do { \
140  (a)->family = AF_INET; \
141  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_src.s_addr; \
142  (a)->addr_data32[1] = 0; \
143  (a)->addr_data32[2] = 0; \
144  (a)->addr_data32[3] = 0; \
145  } while (0)
146 
147 #define SET_IPV4_DST_ADDR(p, a) do { \
148  (a)->family = AF_INET; \
149  (a)->addr_data32[0] = (uint32_t)(p)->ip4h->s_ip_dst.s_addr; \
150  (a)->addr_data32[1] = 0; \
151  (a)->addr_data32[2] = 0; \
152  (a)->addr_data32[3] = 0; \
153  } while (0)
154 
155 /* clear the address structure by setting all fields to 0 */
156 #define CLEAR_ADDR(a) do { \
157  (a)->family = 0; \
158  (a)->addr_data32[0] = 0; \
159  (a)->addr_data32[1] = 0; \
160  (a)->addr_data32[2] = 0; \
161  (a)->addr_data32[3] = 0; \
162  } while (0)
163 
164 /* Set the IPv6 addressesinto the Addrs of the Packet.
165  * Make sure p->ip6h is initialized and validated. */
166 #define SET_IPV6_SRC_ADDR(p, a) do { \
167  (a)->family = AF_INET6; \
168  (a)->addr_data32[0] = (p)->ip6h->s_ip6_src[0]; \
169  (a)->addr_data32[1] = (p)->ip6h->s_ip6_src[1]; \
170  (a)->addr_data32[2] = (p)->ip6h->s_ip6_src[2]; \
171  (a)->addr_data32[3] = (p)->ip6h->s_ip6_src[3]; \
172  } while (0)
173 
174 #define SET_IPV6_DST_ADDR(p, a) do { \
175  (a)->family = AF_INET6; \
176  (a)->addr_data32[0] = (p)->ip6h->s_ip6_dst[0]; \
177  (a)->addr_data32[1] = (p)->ip6h->s_ip6_dst[1]; \
178  (a)->addr_data32[2] = (p)->ip6h->s_ip6_dst[2]; \
179  (a)->addr_data32[3] = (p)->ip6h->s_ip6_dst[3]; \
180  } while (0)
181 
182 /* Set the TCP ports into the Ports of the Packet.
183  * Make sure p->tcph is initialized and validated. */
184 #define SET_TCP_SRC_PORT(pkt, prt) do { \
185  SET_PORT(TCP_GET_SRC_PORT((pkt)), *(prt)); \
186  } while (0)
187 
188 #define SET_TCP_DST_PORT(pkt, prt) do { \
189  SET_PORT(TCP_GET_DST_PORT((pkt)), *(prt)); \
190  } while (0)
191 
192 /* Set the UDP ports into the Ports of the Packet.
193  * Make sure p->udph is initialized and validated. */
194 #define SET_UDP_SRC_PORT(pkt, prt) do { \
195  SET_PORT(UDP_GET_SRC_PORT((pkt)), *(prt)); \
196  } while (0)
197 #define SET_UDP_DST_PORT(pkt, prt) do { \
198  SET_PORT(UDP_GET_DST_PORT((pkt)), *(prt)); \
199  } while (0)
200 
201 /* Set the SCTP ports into the Ports of the Packet.
202  * Make sure p->sctph is initialized and validated. */
203 #define SET_SCTP_SRC_PORT(pkt, prt) do { \
204  SET_PORT(SCTP_GET_SRC_PORT((pkt)), *(prt)); \
205  } while (0)
206 
207 #define SET_SCTP_DST_PORT(pkt, prt) do { \
208  SET_PORT(SCTP_GET_DST_PORT((pkt)), *(prt)); \
209  } while (0)
210 
211 
212 
213 #define GET_IPV4_SRC_ADDR_U32(p) ((p)->src.addr_data32[0])
214 #define GET_IPV4_DST_ADDR_U32(p) ((p)->dst.addr_data32[0])
215 #define GET_IPV4_SRC_ADDR_PTR(p) ((p)->src.addr_data32)
216 #define GET_IPV4_DST_ADDR_PTR(p) ((p)->dst.addr_data32)
217 
218 #define GET_IPV6_SRC_IN6ADDR(p) ((p)->src.addr_in6addr)
219 #define GET_IPV6_DST_IN6ADDR(p) ((p)->dst.addr_in6addr)
220 #define GET_IPV6_SRC_ADDR(p) ((p)->src.addr_data32)
221 #define GET_IPV6_DST_ADDR(p) ((p)->dst.addr_data32)
222 #define GET_TCP_SRC_PORT(p) ((p)->sp)
223 #define GET_TCP_DST_PORT(p) ((p)->dp)
224 
225 #define GET_PKT_LEN(p) ((p)->pktlen)
226 #define GET_PKT_DATA(p) ((((p)->ext_pkt) == NULL ) ? (uint8_t *)((p) + 1) : (p)->ext_pkt)
227 #define GET_PKT_DIRECT_DATA(p) (uint8_t *)((p) + 1)
228 #define GET_PKT_DIRECT_MAX_SIZE(p) (default_packet_size)
229 
230 #define SET_PKT_LEN(p, len) do { \
231  (p)->pktlen = (len); \
232  } while (0)
233 
234 
235 /* Port is just a uint16_t */
236 typedef uint16_t Port;
237 #define SET_PORT(v, p) ((p) = (v))
238 #define COPY_PORT(a,b) ((b) = (a))
239 
240 #define CMP_ADDR(a1, a2) \
241  (((a1)->addr_data32[3] == (a2)->addr_data32[3] && \
242  (a1)->addr_data32[2] == (a2)->addr_data32[2] && \
243  (a1)->addr_data32[1] == (a2)->addr_data32[1] && \
244  (a1)->addr_data32[0] == (a2)->addr_data32[0]))
245 #define CMP_PORT(p1, p2) \
246  ((p1) == (p2))
247 
248 /*Given a packet pkt offset to the start of the ip header in a packet
249  *We determine the ip version. */
250 #define IP_GET_RAW_VER(pkt) ((((pkt)[0] & 0xf0) >> 4))
251 
252 #define PKT_IS_IPV4(p) (((p)->ip4h != NULL))
253 #define PKT_IS_IPV6(p) (((p)->ip6h != NULL))
254 #define PKT_IS_TCP(p) (((p)->tcph != NULL))
255 #define PKT_IS_UDP(p) (((p)->udph != NULL))
256 #define PKT_IS_ICMPV4(p) (((p)->icmpv4h != NULL))
257 #define PKT_IS_ICMPV6(p) (((p)->icmpv6h != NULL))
258 #define PKT_IS_TOSERVER(p) (((p)->flowflags & FLOW_PKT_TOSERVER))
259 #define PKT_IS_TOCLIENT(p) (((p)->flowflags & FLOW_PKT_TOCLIENT))
260 
261 #define IPH_IS_VALID(p) (PKT_IS_IPV4((p)) || PKT_IS_IPV6((p)))
262 
263 /* Retrieve proto regardless of IP version */
264 #define IP_GET_IPPROTO(p) \
265  (p->proto ? p->proto : \
266  (PKT_IS_IPV4((p))? IPV4_GET_IPPROTO((p)) : (PKT_IS_IPV6((p))? IPV6_GET_L4PROTO((p)) : 0)))
267 
268 /* structure to store the sids/gids/etc the detection engine
269  * found in this packet */
270 typedef struct PacketAlert_ {
271  SigIntId num; /* Internal num, used for sorting */
272  uint8_t action; /* Internal num, used for sorting */
273  uint8_t flags;
274  const struct Signature_ *s;
275  uint64_t tx_id;
276 } PacketAlert;
277 
278 /** After processing an alert by the thresholding module, if at
279  * last it gets triggered, we might want to stick the drop action to
280  * the flow on IPS mode */
281 #define PACKET_ALERT_FLAG_DROP_FLOW 0x01
282 /** alert was generated based on state */
283 #define PACKET_ALERT_FLAG_STATE_MATCH 0x02
284 /** alert was generated based on stream */
285 #define PACKET_ALERT_FLAG_STREAM_MATCH 0x04
286 /** alert is in a tx, tx_id set */
287 #define PACKET_ALERT_FLAG_TX 0x08
288 /** action was changed by rate_filter */
289 #define PACKET_ALERT_RATE_FILTER_MODIFIED 0x10
290 
291 #define PACKET_ALERT_MAX 15
292 
293 typedef struct PacketAlerts_ {
294  uint16_t cnt;
296  /* single pa used when we're dropping,
297  * so we can log it out in the drop log. */
299 } PacketAlerts;
300 
301 /** number of decoder events we support per packet. Power of 2 minus 1
302  * for memory layout */
303 #define PACKET_ENGINE_EVENT_MAX 15
304 
305 /** data structure to store decoder, defrag and stream events */
306 typedef struct PacketEngineEvents_ {
307  uint8_t cnt; /**< number of events */
308  uint8_t events[PACKET_ENGINE_EVENT_MAX]; /**< array of events */
310 
311 typedef struct PktVar_ {
312  uint32_t id;
313  struct PktVar_ *next; /* right now just implement this as a list,
314  * in the long run we have thing of something
315  * faster. */
316  uint16_t key_len;
317  uint16_t value_len;
318  uint8_t *key;
319  uint8_t *value;
320 } PktVar;
321 
322 #ifdef PROFILING
323 
324 /** \brief Per TMM stats storage */
325 typedef struct PktProfilingTmmData_ {
326  uint64_t ticks_start;
327  uint64_t ticks_end;
328 #ifdef PROFILE_LOCKING
329  uint64_t mutex_lock_cnt;
330  uint64_t mutex_lock_wait_ticks;
331  uint64_t mutex_lock_contention;
332  uint64_t spin_lock_cnt;
333  uint64_t spin_lock_wait_ticks;
334  uint64_t spin_lock_contention;
335  uint64_t rww_lock_cnt;
336  uint64_t rww_lock_wait_ticks;
337  uint64_t rww_lock_contention;
338  uint64_t rwr_lock_cnt;
339  uint64_t rwr_lock_wait_ticks;
340  uint64_t rwr_lock_contention;
341 #endif
343 
344 typedef struct PktProfilingData_ {
345  uint64_t ticks_start;
346  uint64_t ticks_end;
348 
349 typedef struct PktProfilingDetectData_ {
350  uint64_t ticks_start;
351  uint64_t ticks_end;
352  uint64_t ticks_spent;
354 
355 typedef struct PktProfilingAppData_ {
356  uint64_t ticks_spent;
358 
359 typedef struct PktProfilingLoggerData_ {
360  uint64_t ticks_start;
361  uint64_t ticks_end;
362  uint64_t ticks_spent;
364 
366  uint64_t ticks_spent;
368 
371  uint32_t size; /**< array size */
373 
374 /** \brief Per pkt stats storage */
375 typedef struct PktProfiling_ {
376  uint64_t ticks_start;
377  uint64_t ticks_end;
378 
384  uint64_t proto_detect;
385 } PktProfiling;
386 
387 #endif /* PROFILING */
388 
389 /* forward declartion since Packet struct definition requires this */
390 struct PacketQueue_;
391 
392 /* sizes of the members:
393  * src: 17 bytes
394  * dst: 17 bytes
395  * sp/type: 1 byte
396  * dp/code: 1 byte
397  * proto: 1 byte
398  * recurs: 1 byte
399  *
400  * sum of above: 38 bytes
401  *
402  * flow ptr: 4/8 bytes
403  * flags: 1 byte
404  * flowflags: 1 byte
405  *
406  * sum of above 44/48 bytes
407  */
408 typedef struct Packet_
409 {
410  /* Addresses, Ports and protocol
411  * these are on top so we can use
412  * the Packet as a hash key */
415  union {
417  // icmp type and code of this packet
418  struct {
419  uint8_t type;
420  uint8_t code;
421  } icmp_s;
422  };
423  union {
425  // icmp type and code of the expected counterpart (for flows)
426  struct {
427  uint8_t type;
428  uint8_t code;
429  } icmp_d;
430  };
431  uint8_t proto;
432  /* make sure we can't be attacked on when the tunneled packet
433  * has the exact same tuple as the lower levels */
435 
436  uint16_t vlan_id[2];
437  uint8_t vlan_idx;
438 
439  /* flow */
440  uint8_t flowflags;
441  /* coccinelle: Packet:flowflags:FLOW_PKT_ */
442 
443  /* Pkt Flags */
444  uint32_t flags;
445 
446  struct Flow_ *flow;
447 
448  /* raw hash value for looking up the flow, will need to modulated to the
449  * hash size still */
450  uint32_t flow_hash;
451 
452  struct timeval ts;
453 
454  union {
455  /* nfq stuff */
456 #ifdef HAVE_NFLOG
457  NFLOGPacketVars nflog_v;
458 #endif /* HAVE_NFLOG */
459 #ifdef NFQ
461 #endif /* NFQ */
462 #ifdef IPFW
464 #endif /* IPFW */
465 #ifdef AF_PACKET
466  AFPPacketVars afp_v;
467 #endif
468 #ifdef HAVE_NETMAP
469  NetmapPacketVars netmap_v;
470 #endif
471 #ifdef HAVE_PFRING
472 #ifdef HAVE_PF_RING_FLOW_OFFLOAD
473  PfringPacketVars pfring_v;
474 #endif
475 #endif
476 #ifdef WINDIVERT
477  WinDivertPacketVars windivert_v;
478 #endif /* WINDIVERT */
479 
480  /** libpcap vars: shared by Pcap Live mode and Pcap File mode */
482  };
483 
484  /** The release function for packet structure and data */
485  void (*ReleasePacket)(struct Packet_ *);
486  /** The function triggering bypass the flow in the capture method.
487  * Return 1 for success and 0 on error */
488  int (*BypassPacketsFlow)(struct Packet_ *);
489 
490  /* pkt vars */
492 
493  /* header pointers */
494  EthernetHdr *ethh;
495 
496  /* Checksum for IP packets. */
498  /* Check sum for TCP, UDP or ICMP packets */
500 
502 
504 
505  /* IPv4 and IPv6 are mutually exclusive */
506  union {
508  struct {
511  };
512  };
513  /* Can only be one of TCP, UDP, ICMP at any given time */
514  union {
518  } l4vars;
519 #define tcpvars l4vars.tcpvars
520 #define icmpv4vars l4vars.icmpv4vars
521 #define icmpv6vars l4vars.icmpv6vars
522 
523  TCPHdr *tcph;
524 
525  UDPHdr *udph;
526 
527  SCTPHdr *sctph;
528 
529  ICMPV4Hdr *icmpv4h;
530 
532 
533  PPPHdr *ppph;
535  PPPOEDiscoveryHdr *pppoedh;
536 
537  GREHdr *greh;
538 
539  /* ptr to the payload of the packet
540  * with it's length. */
541  uint8_t *payload;
542  uint16_t payload_len;
543 
544  /* IPS action to take */
545  uint8_t action;
546 
547  uint8_t pkt_src;
548 
549  /* storage: set to pointer to heap and extended via allocation if necessary */
550  uint32_t pktlen;
551  uint8_t *ext_pkt;
552 
553  /* Incoming interface */
555 
557 
558  struct Host_ *host_src;
559  struct Host_ *host_dst;
560 
561  /** packet number in the pcap file, matches wireshark */
562  uint64_t pcap_cnt;
563 
564 
565  /* engine events */
567 
569 
570  /* double linked list ptrs */
571  struct Packet_ *next;
572  struct Packet_ *prev;
573 
574  /** data linktype in host order */
575  int datalink;
576 
577  /* tunnel/encapsulation handling */
578  struct Packet_ *root; /* in case of tunnel this is a ptr
579  * to the 'real' packet, the one we
580  * need to set the verdict on --
581  * It should always point to the lowest
582  * packet in a encapsulated packet */
583 
584  /** mutex to protect access to:
585  * - tunnel_rtv_cnt
586  * - tunnel_tpr_cnt
587  */
589  /* ready to set verdict counter, only set in root */
590  uint16_t tunnel_rtv_cnt;
591  /* tunnel packet ref count */
592  uint16_t tunnel_tpr_cnt;
593 
594  /** tenant id for this packet, if any. If 0 then no tenant was assigned. */
595  uint32_t tenant_id;
596 
597  /* The Packet pool from which this packet was allocated. Used when returning
598  * the packet to its owner's stack. If NULL, then allocated with malloc.
599  */
600  struct PktPool_ *pool;
601 
602 #ifdef PROFILING
604 #endif
605 #ifdef HAVE_NAPATECH
607 #endif
608 } Packet;
609 
610 /** highest mtu of the interfaces we monitor */
611 extern int g_default_mtu;
612 #define DEFAULT_MTU 1500
613 #define MINIMUM_MTU 68 /**< ipv4 minimum: rfc791 */
614 
615 #define DEFAULT_PACKET_SIZE (DEFAULT_MTU + ETHERNET_HEADER_LEN)
616 /* storage: maximum ip packet size + link header */
617 #define MAX_PAYLOAD_SIZE (IPV6_HEADER_LEN + 65536 + 28)
619 #define SIZE_OF_PACKET (default_packet_size + sizeof(Packet))
620 
621 typedef struct PacketQueue_ {
624  uint32_t len;
625 #ifdef DBG_PERF
626  uint32_t dbg_maxlen;
627 #endif /* DBG_PERF */
630 } PacketQueue;
631 
632 /** \brief Structure to hold thread specific data for all decode modules */
633 typedef struct DecodeThreadVars_
634 {
635  /** Specific context for udp protocol detection (here atm) */
637 
638  /** stats/counters */
639  uint16_t counter_pkts;
640  uint16_t counter_bytes;
643 
644  uint16_t counter_invalid;
645 
646  uint16_t counter_eth;
647  uint16_t counter_ipv4;
648  uint16_t counter_ipv6;
649  uint16_t counter_tcp;
650  uint16_t counter_udp;
651  uint16_t counter_icmpv4;
652  uint16_t counter_icmpv6;
653 
654  uint16_t counter_sll;
655  uint16_t counter_raw;
656  uint16_t counter_null;
657  uint16_t counter_sctp;
658  uint16_t counter_ppp;
659  uint16_t counter_gre;
660  uint16_t counter_vlan;
662  uint16_t counter_vxlan;
664  uint16_t counter_pppoe;
665  uint16_t counter_teredo;
666  uint16_t counter_mpls;
669  uint16_t counter_erspan;
670 
671  /** frag stats - defrag runs in the context of the decoder. */
679 
681 
686 
687  uint16_t counter_engine_events[DECODE_EVENT_MAX];
688 
689  /* thread data for flow logging api: only used at forced
690  * flow recycle during lookups */
692 
694 
695 typedef struct CaptureStats_ {
696 
701 
702 } CaptureStats;
703 
704 void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p);
706 
707 #define PACKET_CLEAR_L4VARS(p) do { \
708  memset(&(p)->l4vars, 0x00, sizeof((p)->l4vars)); \
709  } while (0)
710 
711 /**
712  * \brief reset these to -1(indicates that the packet is fresh from the queue)
713  */
714 #define PACKET_RESET_CHECKSUMS(p) do { \
715  (p)->level3_comp_csum = -1; \
716  (p)->level4_comp_csum = -1; \
717  } while (0)
718 
719 /* if p uses extended data, free them */
720 #define PACKET_FREE_EXTDATA(p) do { \
721  if ((p)->ext_pkt) { \
722  if (!((p)->flags & PKT_ZERO_COPY)) { \
723  SCFree((p)->ext_pkt); \
724  } \
725  (p)->ext_pkt = NULL; \
726  } \
727  } while(0)
728 
729 /**
730  * \brief Initialize a packet structure for use.
731  */
732 #define PACKET_INITIALIZE(p) { \
733  SCMutexInit(&(p)->tunnel_mutex, NULL); \
734  PACKET_RESET_CHECKSUMS((p)); \
735  (p)->livedev = NULL; \
736 }
737 
738 #define PACKET_RELEASE_REFS(p) do { \
739  FlowDeReference(&((p)->flow)); \
740  HostDeReference(&((p)->host_src)); \
741  HostDeReference(&((p)->host_dst)); \
742  } while (0)
743 
744 /**
745  * \brief Recycle a packet structure for reuse.
746  */
747 #define PACKET_REINIT(p) do { \
748  CLEAR_ADDR(&(p)->src); \
749  CLEAR_ADDR(&(p)->dst); \
750  (p)->sp = 0; \
751  (p)->dp = 0; \
752  (p)->proto = 0; \
753  (p)->recursion_level = 0; \
754  PACKET_FREE_EXTDATA((p)); \
755  (p)->flags = (p)->flags & PKT_ALLOC; \
756  (p)->flowflags = 0; \
757  (p)->pkt_src = 0; \
758  (p)->vlan_id[0] = 0; \
759  (p)->vlan_id[1] = 0; \
760  (p)->vlan_idx = 0; \
761  (p)->ts.tv_sec = 0; \
762  (p)->ts.tv_usec = 0; \
763  (p)->datalink = 0; \
764  (p)->action = 0; \
765  if ((p)->pktvar != NULL) { \
766  PktVarFree((p)->pktvar); \
767  (p)->pktvar = NULL; \
768  } \
769  (p)->ethh = NULL; \
770  if ((p)->ip4h != NULL) { \
771  CLEAR_IPV4_PACKET((p)); \
772  } \
773  if ((p)->ip6h != NULL) { \
774  CLEAR_IPV6_PACKET((p)); \
775  } \
776  if ((p)->tcph != NULL) { \
777  CLEAR_TCP_PACKET((p)); \
778  } \
779  if ((p)->udph != NULL) { \
780  CLEAR_UDP_PACKET((p)); \
781  } \
782  if ((p)->sctph != NULL) { \
783  CLEAR_SCTP_PACKET((p)); \
784  } \
785  if ((p)->icmpv4h != NULL) { \
786  CLEAR_ICMPV4_PACKET((p)); \
787  } \
788  if ((p)->icmpv6h != NULL) { \
789  CLEAR_ICMPV6_PACKET((p)); \
790  } \
791  (p)->ppph = NULL; \
792  (p)->pppoesh = NULL; \
793  (p)->pppoedh = NULL; \
794  (p)->greh = NULL; \
795  (p)->payload = NULL; \
796  (p)->payload_len = 0; \
797  (p)->BypassPacketsFlow = NULL; \
798  (p)->pktlen = 0; \
799  (p)->alerts.cnt = 0; \
800  (p)->alerts.drop.action = 0; \
801  (p)->pcap_cnt = 0; \
802  (p)->tunnel_rtv_cnt = 0; \
803  (p)->tunnel_tpr_cnt = 0; \
804  (p)->events.cnt = 0; \
805  AppLayerDecoderEventsResetEvents((p)->app_layer_events); \
806  (p)->next = NULL; \
807  (p)->prev = NULL; \
808  (p)->root = NULL; \
809  (p)->livedev = NULL; \
810  PACKET_RESET_CHECKSUMS((p)); \
811  PACKET_PROFILING_RESET((p)); \
812  p->tenant_id = 0; \
813  } while (0)
814 
815 #define PACKET_RECYCLE(p) do { \
816  PACKET_RELEASE_REFS((p)); \
817  PACKET_REINIT((p)); \
818  } while (0)
819 
820 /**
821  * \brief Cleanup a packet so that we can free it. No memset needed..
822  */
823 #define PACKET_DESTRUCTOR(p) do { \
824  if ((p)->pktvar != NULL) { \
825  PktVarFree((p)->pktvar); \
826  } \
827  PACKET_FREE_EXTDATA((p)); \
828  SCMutexDestroy(&(p)->tunnel_mutex); \
829  AppLayerDecoderEventsFreeEvents(&(p)->app_layer_events); \
830  PACKET_PROFILING_RESET((p)); \
831  } while (0)
832 
833 
834 /* macro's for setting the action
835  * handle the case of a root packet
836  * for tunnels */
837 
838 #define PACKET_SET_ACTION(p, a) do { \
839  ((p)->root ? \
840  ((p)->root->action = a) : \
841  ((p)->action = a)); \
842 } while (0)
843 
844 #define PACKET_ALERT(p) PACKET_SET_ACTION(p, ACTION_ALERT)
845 
846 #define PACKET_ACCEPT(p) PACKET_SET_ACTION(p, ACTION_ACCEPT)
847 
848 #define PACKET_DROP(p) PACKET_SET_ACTION(p, ACTION_DROP)
849 
850 #define PACKET_REJECT(p) PACKET_SET_ACTION(p, (ACTION_REJECT|ACTION_DROP))
851 
852 #define PACKET_REJECT_DST(p) PACKET_SET_ACTION(p, (ACTION_REJECT_DST|ACTION_DROP))
853 
854 #define PACKET_REJECT_BOTH(p) PACKET_SET_ACTION(p, (ACTION_REJECT_BOTH|ACTION_DROP))
855 
856 #define PACKET_PASS(p) PACKET_SET_ACTION(p, ACTION_PASS)
857 
858 #define PACKET_TEST_ACTION(p, a) \
859  ((p)->root ? \
860  ((p)->root->action & a) : \
861  ((p)->action & a))
862 
863 #define PACKET_UPDATE_ACTION(p, a) do { \
864  ((p)->root ? \
865  ((p)->root->action |= a) : \
866  ((p)->action |= a)); \
867 } while (0)
868 
869 #define TUNNEL_INCR_PKT_RTV_NOLOCK(p) do { \
870  ((p)->root ? (p)->root->tunnel_rtv_cnt++ : (p)->tunnel_rtv_cnt++); \
871  } while (0)
872 
873 #define TUNNEL_INCR_PKT_TPR(p) do { \
874  SCMutexLock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
875  ((p)->root ? (p)->root->tunnel_tpr_cnt++ : (p)->tunnel_tpr_cnt++); \
876  SCMutexUnlock((p)->root ? &(p)->root->tunnel_mutex : &(p)->tunnel_mutex); \
877  } while (0)
878 
879 #define TUNNEL_PKT_RTV(p) ((p)->root ? (p)->root->tunnel_rtv_cnt : (p)->tunnel_rtv_cnt)
880 #define TUNNEL_PKT_TPR(p) ((p)->root ? (p)->root->tunnel_tpr_cnt : (p)->tunnel_tpr_cnt)
881 
882 #define IS_TUNNEL_PKT(p) (((p)->flags & PKT_TUNNEL))
883 #define SET_TUNNEL_PKT(p) ((p)->flags |= PKT_TUNNEL)
884 #define UNSET_TUNNEL_PKT(p) ((p)->flags &= ~PKT_TUNNEL)
885 #define IS_TUNNEL_ROOT_PKT(p) (IS_TUNNEL_PKT(p) && (p)->root == NULL)
886 
887 #define IS_TUNNEL_PKT_VERDICTED(p) (((p)->flags & PKT_TUNNEL_VERDICTED))
888 #define SET_TUNNEL_PKT_VERDICTED(p) ((p)->flags |= PKT_TUNNEL_VERDICTED)
889 
896  DECODE_TUNNEL_IPV6_TEREDO, /**< separate protocol for stricter error handling */
898 };
899 
901  const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq);
902 Packet *PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto);
903 void PacketDefragPktSetupParent(Packet *parent);
909  DecodeThreadVars *dtv, Packet *p);
910 void PacketFree(Packet *p);
911 void PacketFreeOrRelease(Packet *p);
912 int PacketCallocExtPkt(Packet *p, int datalen);
913 int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen);
914 int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen);
915 int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen);
916 const char *PktSrcToString(enum PktSrcEnum pkt_src);
918 void PacketSwap(Packet *p);
919 
923  const DecodeThreadVars *dtv, const Packet *p);
924 
925 /* decoder functions */
926 int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
927 int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
928 int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
929 int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
930 int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
931 int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__ ((warn_unused_result));
932 int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
933 int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
934 int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *);
935 int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *);
936 int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
937 int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
938 int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *);
939 int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *);
940 int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *);
941 int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
942 int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
943 int DecodeVXLAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
944 int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
945 int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
946 int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *);
947 
948 #ifdef UNITTESTS
949 void DecodeIPV6FragHeader(Packet *p, const uint8_t *pkt,
950  uint16_t hdrextlen, uint16_t plen,
951  uint16_t prev_hdrextlen);
952 #endif
953 
954 void AddressDebugPrint(Address *);
955 
956 typedef int (*DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
957  const uint8_t *pkt, uint32_t len, PacketQueue *pq);
958 #ifdef AFLFUZZ_DECODER
959 int AFLDecodeIPV4(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
960  const uint8_t *pkt, uint32_t len, PacketQueue *pq);
961 int AFLDecodeIPV6(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p,
962  const uint8_t *pkt, uint32_t len, PacketQueue *pq);
963 int DecoderParseDataFromFile(char *filename, DecoderFunc Decoder);
964 int DecoderParseDataFromFileSerie(char *fileprefix, DecoderFunc Decoder);
965 #endif
966 void DecodeGlobalConfig(void);
967 void DecodeUnregisterCounters(void);
968 
969 /** \brief Set the No payload inspection Flag for the packet.
970  *
971  * \param p Packet to set the flag in
972  */
973 #define DecodeSetNoPayloadInspectionFlag(p) do { \
974  (p)->flags |= PKT_NOPAYLOAD_INSPECTION; \
975  } while (0)
976 
977 #define DecodeUnsetNoPayloadInspectionFlag(p) do { \
978  (p)->flags &= ~PKT_NOPAYLOAD_INSPECTION; \
979  } while (0)
980 
981 /** \brief Set the No packet inspection Flag for the packet.
982  *
983  * \param p Packet to set the flag in
984  */
985 #define DecodeSetNoPacketInspectionFlag(p) do { \
986  (p)->flags |= PKT_NOPACKET_INSPECTION; \
987  } while (0)
988 #define DecodeUnsetNoPacketInspectionFlag(p) do { \
989  (p)->flags &= ~PKT_NOPACKET_INSPECTION; \
990  } while (0)
991 
992 
993 #define ENGINE_SET_EVENT(p, e) do { \
994  SCLogDebug("p %p event %d", (p), e); \
995  if ((p)->events.cnt < PACKET_ENGINE_EVENT_MAX) { \
996  (p)->events.events[(p)->events.cnt] = e; \
997  (p)->events.cnt++; \
998  } \
999 } while(0)
1000 
1001 #define ENGINE_SET_INVALID_EVENT(p, e) do { \
1002  p->flags |= PKT_IS_INVALID; \
1003  ENGINE_SET_EVENT(p, e); \
1004 } while(0)
1005 
1006 
1007 
1008 #define ENGINE_ISSET_EVENT(p, e) ({ \
1009  int r = 0; \
1010  uint8_t u; \
1011  for (u = 0; u < (p)->events.cnt; u++) { \
1012  if ((p)->events.events[u] == (e)) { \
1013  r = 1; \
1014  break; \
1015  } \
1016  } \
1017  r; \
1018 })
1019 
1020 #ifndef IPPROTO_IPIP
1021 #define IPPROTO_IPIP 4
1022 #endif
1023 
1024 /* older libcs don't contain a def for IPPROTO_DCCP
1025  * inside of <netinet/in.h>
1026  * if it isn't defined let's define it here.
1027  */
1028 #ifndef IPPROTO_DCCP
1029 #define IPPROTO_DCCP 33
1030 #endif
1031 
1032 /* older libcs don't contain a def for IPPROTO_SCTP
1033  * inside of <netinet/in.h>
1034  * if it isn't defined let's define it here.
1035  */
1036 #ifndef IPPROTO_SCTP
1037 #define IPPROTO_SCTP 132
1038 #endif
1039 
1040 #ifndef IPPROTO_MH
1041 #define IPPROTO_MH 135
1042 #endif
1043 
1044 /* Host Identity Protocol (rfc 5201) */
1045 #ifndef IPPROTO_HIP
1046 #define IPPROTO_HIP 139
1047 #endif
1048 
1049 #ifndef IPPROTO_SHIM6
1050 #define IPPROTO_SHIM6 140
1051 #endif
1052 
1053 /* pcap provides this, but we don't want to depend on libpcap */
1054 #ifndef DLT_EN10MB
1055 #define DLT_EN10MB 1
1056 #endif
1057 
1058 /* taken from pcap's bpf.h */
1059 #ifndef DLT_RAW
1060 #ifdef __OpenBSD__
1061 #define DLT_RAW 14 /* raw IP */
1062 #else
1063 #define DLT_RAW 12 /* raw IP */
1064 #endif
1065 #endif
1066 
1067 #ifndef DLT_NULL
1068 #define DLT_NULL 0
1069 #endif
1070 
1071 /** libpcap shows us the way to linktype codes
1072  * \todo we need more & maybe put them in a separate file? */
1073 #define LINKTYPE_NULL DLT_NULL
1074 #define LINKTYPE_ETHERNET DLT_EN10MB
1075 #define LINKTYPE_LINUX_SLL 113
1076 #define LINKTYPE_PPP 9
1077 #define LINKTYPE_RAW DLT_RAW
1078 /* http://www.tcpdump.org/linktypes.html defines DLT_RAW as 101, yet others don't.
1079  * Libpcap on at least OpenBSD returns 101 as datalink type for RAW pcaps though. */
1080 #define LINKTYPE_RAW2 101
1081 #define LINKTYPE_IPV4 228
1082 #define LINKTYPE_GRE_OVER_IP 778
1083 #define PPP_OVER_GRE 11
1084 #define VLAN_OVER_GRE 13
1085 
1086 /*Packet Flags*/
1087 #define PKT_NOPACKET_INSPECTION (1) /**< Flag to indicate that packet header or contents should not be inspected*/
1088 #define PKT_NOPAYLOAD_INSPECTION (1<<2) /**< Flag to indicate that packet contents should not be inspected*/
1089 #define PKT_ALLOC (1<<3) /**< Packet was alloc'd this run, needs to be freed */
1090 #define PKT_HAS_TAG (1<<4) /**< Packet has matched a tag */
1091 #define PKT_STREAM_ADD (1<<5) /**< Packet payload was added to reassembled stream */
1092 #define PKT_STREAM_EST (1<<6) /**< Packet is part of establised stream */
1093 #define PKT_STREAM_EOF (1<<7) /**< Stream is in eof state */
1094 #define PKT_HAS_FLOW (1<<8)
1095 #define PKT_PSEUDO_STREAM_END (1<<9) /**< Pseudo packet to end the stream */
1096 #define PKT_STREAM_MODIFIED (1<<10) /**< Packet is modified by the stream engine, we need to recalc the csum and reinject/replace */
1097 #define PKT_MARK_MODIFIED (1<<11) /**< Packet mark is modified */
1098 #define PKT_STREAM_NOPCAPLOG (1<<12) /**< Exclude packet from pcap logging as it's part of a stream that has reassembly depth reached. */
1099 
1100 #define PKT_TUNNEL (1<<13)
1101 #define PKT_TUNNEL_VERDICTED (1<<14)
1102 
1103 #define PKT_IGNORE_CHECKSUM (1<<15) /**< Packet checksum is not computed (TX packet for example) */
1104 #define PKT_ZERO_COPY (1<<16) /**< Packet comes from zero copy (ext_pkt must not be freed) */
1105 
1106 #define PKT_HOST_SRC_LOOKED_UP (1<<17)
1107 #define PKT_HOST_DST_LOOKED_UP (1<<18)
1108 
1109 #define PKT_IS_FRAGMENT (1<<19) /**< Packet is a fragment */
1110 #define PKT_IS_INVALID (1<<20)
1111 #define PKT_PROFILE (1<<21)
1112 
1113 /** indication by decoder that it feels the packet should be handled by
1114  * flow engine: Packet::flow_hash will be set */
1115 #define PKT_WANTS_FLOW (1<<22)
1116 
1117 /** protocol detection done */
1118 #define PKT_PROTO_DETECT_TS_DONE (1<<23)
1119 #define PKT_PROTO_DETECT_TC_DONE (1<<24)
1120 
1121 #define PKT_REBUILT_FRAGMENT (1<<25) /**< Packet is rebuilt from
1122  * fragments. */
1123 #define PKT_DETECT_HAS_STREAMDATA (1<<26) /**< Set by Detect() if raw stream data is available. */
1125 #define PKT_PSEUDO_DETECTLOG_FLUSH (1<<27) /**< Detect/log flush for protocol upgrade */
1127 /** Packet is part of stream in known bad condition (loss, wrong thread),
1128  * so flag it for not setting stream events */
1129 #define PKT_STREAM_NO_EVENTS (1<<28)
1131 /** \brief return 1 if the packet is a pseudo packet */
1132 #define PKT_IS_PSEUDOPKT(p) \
1133  ((p)->flags & (PKT_PSEUDO_STREAM_END|PKT_PSEUDO_DETECTLOG_FLUSH))
1134 
1135 #define PKT_SET_SRC(p, src_val) ((p)->pkt_src = src_val)
1137 /** \brief return true if *this* packet needs to trigger a verdict.
1138  *
1139  * If we have the root packet, and we have none outstanding,
1140  * we can verdict now.
1141  *
1142  * If we have a upper layer packet, it's the only one and root
1143  * is already processed, we can verdict now.
1144  *
1145  * Otherwise, a future packet will issue the verdict.
1146  */
1147 static inline bool VerdictTunnelPacket(Packet *p)
1148 {
1149  bool verdict = true;
1150  SCMutex *m = p->root ? &p->root->tunnel_mutex : &p->tunnel_mutex;
1151  SCMutexLock(m);
1152  const uint16_t outstanding = TUNNEL_PKT_TPR(p) - TUNNEL_PKT_RTV(p);
1153  SCLogDebug("tunnel: outstanding %u", outstanding);
1154 
1155  /* if there are packets outstanding, we won't verdict this one */
1156  if (IS_TUNNEL_ROOT_PKT(p) && !IS_TUNNEL_PKT_VERDICTED(p) && !outstanding) {
1157  // verdict
1158  SCLogDebug("root %p: verdict", p);
1159  } else if (!IS_TUNNEL_ROOT_PKT(p) && outstanding == 1 && p->root && IS_TUNNEL_PKT_VERDICTED(p->root)) {
1160  // verdict
1161  SCLogDebug("tunnel %p: verdict", p);
1162  } else {
1163  verdict = false;
1164  }
1165  SCMutexUnlock(m);
1166  return verdict;
1167 }
1168 
1169 #endif /* __DECODE_H__ */
1170 
uint16_t counter_max_pkt_size
Definition: decode.h:642
EthernetHdr * ethh
Definition: decode.h:494
uint16_t counter_ips_rejected
Definition: decode.h:699
#define SCMutex
uint16_t counter_defrag_ipv6_reassembled
Definition: decode.h:676
void DecodeIPV6FragHeader(Packet *p, const uint8_t *pkt, uint16_t hdrextlen, uint16_t plen, uint16_t prev_hdrextlen)
Definition: decode-ipv6.c:105
void PacketDefragPktSetupParent(Packet *parent)
inform defrag "parent" that a pseudo packet is now assosiated to it.
Definition: decode.c:387
IPV4Vars ip4vars
Definition: decode.h:507
Packet * PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
Setup a pseudo packet (tunnel)
Definition: decode.c:275
int DecodeICMPV4(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Main ICMPv4 decoding function.
UDPHdr * udph
Definition: decode.h:525
DecodeThreadVars * DecodeThreadVarsAlloc(ThreadVars *)
Alloc and setup DecodeThreadVars.
Definition: decode.c:614
#define SCLogDebug(...)
Definition: util-debug.h:335
void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p)
Definition: decode.c:706
uint16_t counter_ieee8021ah
Definition: decode.h:663
uint64_t ticks_start
Definition: decode.h:345
int(* BypassPacketsFlow)(struct Packet_ *)
Definition: decode.h:488
struct Flow_ * flow
Definition: decode.h:446
__thread uint64_t rww_lock_contention
struct PktVar_ * next
Definition: decode.h:313
IPFWPacketVars ipfw_v
Definition: decode.h:463
int32_t level4_comp_csum
Definition: decode.h:499
int DecodeVXLAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-vxlan.c:119
int(* DecoderFunc)(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq)
Definition: decode.h:956
#define IS_TUNNEL_ROOT_PKT(p)
Definition: decode.h:885
AppLayerDecoderEvents * app_layer_events
Definition: decode.h:568
SCCondT cond_q
Definition: decode.h:629
struct PktProfilingTmmData_ PktProfilingTmmData
Per TMM stats storage.
uint8_t address_un_data8[16]
Definition: decode.h:116
#define PACKET_ALERT_MAX
Definition: decode.h:291
void PacketDecodeFinalize(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Finalize decoding of a packet.
Definition: decode.c:115
struct PacketEngineEvents_ PacketEngineEvents
uint16_t counter_bytes
Definition: decode.h:640
uint8_t type
Definition: decode.h:419
uint16_t counter_eth
Definition: decode.h:646
Per pkt stats storage.
Definition: decode.h:375
uint16_t counter_null
Definition: decode.h:656
Port sp
Definition: decode.h:416
void DecodeRegisterPerfCounters(DecodeThreadVars *, ThreadVars *)
Definition: decode.c:474
PktSrcEnum
Definition: decode.h:48
struct Packet_ * next
Definition: decode.h:571
uint64_t ticks_spent
Definition: decode.h:362
Port dp
Definition: decode.h:424
int DecodePPPOESession(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Session packets.
Definition: decode-pppoe.c:130
ICMPV4Hdr * icmpv4h
Definition: decode.h:529
uint16_t counter_vlan_qinq
Definition: decode.h:661
uint8_t action
Definition: decode.h:272
int DecodeGRE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Function to decode GRE packets.
Definition: decode-gre.c:46
uint64_t offset
int DecodeEthernet(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Address dst
Definition: decode.h:414
uint16_t counter_defrag_ipv6_timeouts
Definition: decode.h:677
struct PktVar_ PktVar
void PacketFree(Packet *p)
Return a malloced packet.
Definition: decode.c:102
__thread uint64_t spin_lock_wait_ticks
uint16_t counter_defrag_ipv4_timeouts
Definition: decode.h:674
uint64_t ticks_start
Definition: decode.h:350
uint16_t counter_ipv4
Definition: decode.h:647
int DecodeSCTP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *)
Definition: decode-sctp.c:62
uint64_t pcap_cnt
Definition: decode.h:562
uint8_t * ext_pkt
Definition: decode.h:551
struct PktProfilingPrefilterData_ PktProfilingPrefilterData
__thread uint64_t spin_lock_contention
struct PktProfilingDetectData_ PktProfilingDetectData
void DecodeGlobalConfig(void)
Definition: decode.c:727
ICMPV6Vars icmpv6vars
Definition: decode.h:517
uint16_t key_len
Definition: decode.h:316
TCPHdr * tcph
Definition: decode.h:523
uint16_t counter_ipv4inipv6
Definition: decode.h:667
int DecodeRaw(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-raw.c:46
Packet * PacketGetFromQueueOrAlloc(void)
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packe...
Definition: decode.c:177
SCTPHdr * sctph
Definition: decode.h:527
Signature container.
Definition: detect.h:522
#define SCMutexLock(mut)
uint16_t counter_teredo
Definition: decode.h:665
__thread uint64_t rwr_lock_wait_ticks
void PacketFreeOrRelease(Packet *p)
Return a packet to where it was allocated.
Definition: decode.c:162
enum @34 __attribute__
DNP3 application header.
struct Host_ * host_src
Definition: decode.h:558
uint16_t counter_vlan
Definition: decode.h:660
uint16_t counter_erspan
Definition: decode.h:669
SigIntId num
Definition: decode.h:271
struct PktPool_ * pool
Definition: decode.h:600
uint64_t ticks_start
Definition: decode.h:326
#define IS_TUNNEL_PKT_VERDICTED(p)
Definition: decode.h:887
uint16_t counter_raw
Definition: decode.h:655
uint16_t counter_pkts
Definition: decode.h:639
#define SCCondT
uint16_t counter_flow_udp
Definition: decode.h:683
struct PktProfilingAppData_ PktProfilingAppData
void AppLayerDecoderEventsResetEvents(AppLayerDecoderEvents *events)
uint16_t counter_flow_tcp
Definition: decode.h:682
const struct Signature_ * s
Definition: decode.h:274
uint16_t counter_avg_pkt_size
Definition: decode.h:641
uint16_t counter_defrag_ipv6_fragments
Definition: decode.h:675
PktVar * pktvar
Definition: decode.h:491
void AddressDebugPrint(Address *)
Debug print function for printing addresses.
Definition: decode.c:597
Data structure to store app layer decoder events.
uint64_t ticks_end
Definition: decode.h:377
#define SCMutexUnlock(mut)
int DecodeNull(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-null.c:48
IPV6Hdr * ip6h
Definition: decode.h:503
struct PacketAlerts_ PacketAlerts
ICMPV6Hdr * icmpv6h
Definition: decode.h:531
char family
Definition: decode.h:112
uint16_t value_len
Definition: decode.h:317
int datalink
Definition: decode.h:575
uint8_t proto
Definition: decode.h:431
IPV6ExtHdrs ip6eh
Definition: decode.h:510
uint64_t ticks_spent
Definition: decode.h:352
struct PktProfilingPrefilterEngine_ PktProfilingPrefilterEngine
uint32_t len
Definition: decode.h:624
struct PktProfilingData_ PktProfilingData
PPPHdr * ppph
Definition: decode.h:533
uint8_t recursion_level
Definition: decode.h:434
uint8_t type
PPPOESessionHdr * pppoesh
Definition: decode.h:534
AppLayerThreadCtx * app_tctx
Definition: decode.h:636
uint16_t counter_ipv6inipv6
Definition: decode.h:668
struct PktProfilingLoggerData_ PktProfilingLoggerData
struct PktProfiling_ PktProfiling
Per pkt stats storage.
Structure to hold thread specific data for all decode modules.
Definition: decode.h:633
__thread uint64_t mutex_lock_wait_ticks
uint16_t counter_mpls
Definition: decode.h:666
struct PacketAlert_ PacketAlert
DecodeTunnelProto
Definition: decode.h:890
void AppLayerDecoderEventsFreeEvents(AppLayerDecoderEvents **events)
uint16_t counter_icmpv4
Definition: decode.h:651
struct Host_ * host_dst
Definition: decode.h:559
uint16_t counter_tcp
Definition: decode.h:649
uint8_t flowflags
Definition: decode.h:440
void PacketBypassCallback(Packet *p)
Definition: decode.c:401
PacketEngineEvents events
Definition: decode.h:566
Packet * top
Definition: decode.h:622
void * output_flow_thread_data
Definition: decode.h:691
#define TUNNEL_PKT_TPR(p)
Definition: decode.h:880
int DecodeMPLS(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-mpls.c:47
uint64_t proto_detect
Definition: decode.h:384
struct CaptureStats_ CaptureStats
void PacketUpdateEngineEventCounters(ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
Definition: decode.c:122
void PacketSwap(Packet *p)
switch direction of a packet
Definition: decode.c:439
uint16_t counter_ips_accepted
Definition: decode.h:697
uint16_t counter_ips_blocked
Definition: decode.h:698
uint16_t counter_flow_icmp4
Definition: decode.h:684
uint8_t proto
uint32_t pktlen
Definition: decode.h:550
uint16_t Port
Definition: decode.h:236
uint8_t pkt_src
Definition: decode.h:547
uint64_t tx_id
Definition: decode.h:275
uint64_t ticks_spent
Definition: decode.h:356
uint16_t counter_flow_memcap
Definition: decode.h:680
uint16_t counter_ipv6
Definition: decode.h:648
__thread uint64_t mutex_lock_contention
__thread uint64_t rwr_lock_cnt
PPPOEDiscoveryHdr * pppoedh
Definition: decode.h:535
struct Packet_ Packet
Packet * bot
Definition: decode.h:623
IPV4Hdr * ip4h
Definition: decode.h:501
uint8_t vlan_idx
Definition: decode.h:437
int PacketSetData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Set data for Packet and set length when zeo copy is used.
Definition: decode.c:653
#define TUNNEL_PKT_RTV(p)
Definition: decode.h:879
Per TMM stats storage.
Definition: decode.h:325
int DecodeVLAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-vlan.c:62
uint64_t ticks_end
Definition: decode.h:346
uint32_t id
Definition: decode.h:312
uint16_t counter_invalid
Definition: decode.h:644
uint16_t address_un_data16[8]
Definition: decode.h:115
struct in6_addr address_un_in6
Definition: decode.h:117
uint8_t code
Definition: decode.h:420
int DecodeTEMPLATE(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Function to decode TEMPLATE packets.
uint16_t counter_sctp
Definition: decode.h:657
SCMutex tunnel_mutex
Definition: decode.h:588
int DecodeIPV4(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv4.c:532
uint16_t tunnel_tpr_cnt
Definition: decode.h:592
struct Address_ Address
uint16_t counter_ppp
Definition: decode.h:658
struct DecodeThreadVars_ DecodeThreadVars
Structure to hold thread specific data for all decode modules.
uint8_t * key
Definition: decode.h:318
IPV6Vars ip6vars
Definition: decode.h:509
Definition: host.h:58
int DecodePPPOEDiscovery(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Main decoding function for PPPOE Discovery packets.
Definition: decode-pppoe.c:50
uint16_t tunnel_rtv_cnt
Definition: decode.h:590
uint8_t * value
Definition: decode.h:319
uint32_t address_un_data32[4]
Definition: decode.h:114
int DecodeICMPV6(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Decode ICMPV6 packets and fill the Packet with the decoded info.
uint8_t flags
Definition: decode.h:273
int32_t level3_comp_csum
Definition: decode.h:497
uint16_t counter_ips_replaced
Definition: decode.h:700
PacketAlert drop
Definition: decode.h:298
uint32_t default_packet_size
Definition: decode.h:618
PktProfiling * profile
Definition: decode.h:603
int PacketCallocExtPkt(Packet *p, int datalen)
Definition: decode.c:192
uint64_t ticks_end
Definition: decode.h:327
uint64_t ts
struct Packet_ * prev
Definition: decode.h:572
uint16_t counter_icmpv6
Definition: decode.h:652
__thread uint64_t rwr_lock_contention
__thread uint64_t rww_lock_cnt
int DecodeTunnel(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *, enum DecodeTunnelProto) __attribute__((warn_unused_result))
Definition: decode.c:75
const char * PktSrcToString(enum PktSrcEnum pkt_src)
Definition: decode.c:665
uint16_t counter_gre
Definition: decode.h:659
SCMutex m
Definition: flow-hash.h:105
__thread uint64_t rww_lock_wait_ticks
uint16_t counter_udp
Definition: decode.h:650
per packet Pfring vars
Definition: source-pfring.h:61
int DecodeERSPAN(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Function to decode ERSPAN packets.
Definition: decode-erspan.c:46
get the highest proto/next header field we know
Definition: decode-ipv6.h:103
int DecodeIPV6(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *)
Definition: decode-ipv6.c:585
uint16_t counter_flow_icmp6
Definition: decode.h:685
ChecksumValidationMode
Definition: decode.h:40
PacketAlerts alerts
Definition: decode.h:556
struct PacketQueue_ PacketQueue
int g_default_mtu
Definition: suricata.c:224
void DecodeUpdatePacketCounters(ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)
Definition: decode.c:580
#define PACKET_ENGINE_EVENT_MAX
Definition: decode.h:303
NapatechPacketVars ntpv
Definition: decode.h:606
uint64_t ticks_start
Definition: decode.h:376
uint16_t counter_sll
Definition: decode.h:654
int PacketCopyData(Packet *p, const uint8_t *pktdata, uint32_t pktlen)
Copy data to Packet payload and set packet length.
Definition: decode.c:259
void CaptureStatsSetup(ThreadVars *tv, CaptureStats *s)
Definition: decode.c:719
NFQPacketVars nfq_v
Definition: decode.h:460
uint16_t cnt
Definition: decode.h:294
TCPVars tcpvars
Definition: decode.h:515
uint16_t counter_pppoe
Definition: decode.h:664
struct LiveDevice_ * livedev
Definition: decode.h:554
uint32_t tenant_id
Definition: decode.h:595
uint32_t flow_hash
Definition: decode.h:450
uint8_t len
Per thread variable structure.
Definition: threadvars.h:57
__thread uint64_t mutex_lock_cnt
uint8_t code
Packet * PacketDefragPktSetup(Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
Setup a pseudo packet (reassembled frags)
Definition: decode.c:349
uint16_t counter_defrag_ipv4_fragments
Definition: decode.h:672
uint32_t flags
Definition: decode.h:444
This is for the app layer in general and it contains per thread context relevant to both the alpd and...
Definition: app-layer.c:57
uint16_t payload_len
Definition: decode.h:542
void DecodeThreadVarsFree(ThreadVars *, DecodeThreadVars *)
Definition: decode.c:633
int PacketCopyDataOffset(Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
Copy data to Packet payload at given offset.
Definition: decode.c:218
uint16_t counter_defrag_max_hit
Definition: decode.h:678
per packet AF_PACKET vars
PktProfilingPrefilterEngine * engines
Definition: decode.h:370
PcapPacketVars pcap_v
Definition: decode.h:481
uint16_t counter_defrag_ipv4_reassembled
Definition: decode.h:673
int DecodeUDP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *)
Definition: decode-udp.c:74
Flow data structure.
Definition: flow.h:325
GREHdr * greh
Definition: decode.h:537
int DecodeSll(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-sll.c:39
uint8_t * payload
Definition: decode.h:541
#define SigIntId
ICMPV4Vars icmpv4vars
Definition: decode.h:516
union Address_::@42 address
__thread uint64_t spin_lock_cnt
void DecodeUnregisterCounters(void)
Definition: decode.c:464
SCMutex mutex_q
Definition: decode.h:628
Packet * PacketGetFromAlloc(void)
Get a malloced packet.
Definition: decode.c:141
Address src
Definition: decode.h:413
int DecodePPP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint32_t, PacketQueue *)
Definition: decode-ppp.c:43
uint64_t ticks_start
Definition: decode.h:360
struct Packet_ * root
Definition: decode.h:578
uint16_t counter_vxlan
Definition: decode.h:662
uint8_t action
Definition: decode.h:545
int DecodeTCP(ThreadVars *, DecodeThreadVars *, Packet *, const uint8_t *, uint16_t, PacketQueue *)
Definition: decode-tcp.c:233