Code in charge of protocol decoding. More...
Files | |
| file | decode-chdlc.c |
| file | decode-erspan.c |
| file | decode-esp.c |
| file | decode-ethernet.c |
| file | decode-gre.c |
| file | decode-icmpv4.c |
| file | decode-icmpv6.c |
| file | decode-ipv4.c |
| file | decode-ipv6.c |
| file | decode-nsh.c |
| file | decode-null.c |
| file | decode-ppp.c |
| file | decode-pppoe.c |
| file | decode-raw.c |
| file | decode-sctp.c |
| file | decode-sll.c |
| file | decode-tcp.c |
| file | decode-template.c |
| file | decode-teredo.c |
| file | decode-udp.c |
| file | decode-vlan.c |
| file | decode-vntag.c |
| file | decode.c |
Data Structures | |
| struct | CaptureStats_ |
Typedefs | |
| typedef struct CaptureStats_ | CaptureStats |
Functions | |
| PacketAlert * | PacketAlertCreate (void) |
| Initialize PacketAlerts with dynamic alerts array size. More... | |
| void | PacketAlertFree (PacketAlert *pa) |
| void | PacketFree (Packet *p) |
| Return a malloced packet. More... | |
| void | PacketDecodeFinalize (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) |
| Finalize decoding of a packet. More... | |
| void | PacketUpdateEngineEventCounters (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) |
| Packet * | PacketGetFromAlloc (void) |
| Get a malloced packet. More... | |
| void | PacketFreeOrRelease (Packet *p) |
| Return a packet to where it was allocated. More... | |
| Packet * | PacketGetFromQueueOrAlloc (void) |
| Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing. More... | |
| int | PacketCallocExtPkt (Packet *p, int datalen) |
| int | PacketCopyDataOffset (Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen) |
| Copy data to Packet payload at given offset. More... | |
| int | PacketCopyData (Packet *p, const uint8_t *pktdata, uint32_t pktlen) |
| Copy data to Packet payload and set packet length. More... | |
| Packet * | PacketTunnelPktSetup (ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto) |
| Setup a pseudo packet (tunnel) More... | |
| Packet * | PacketDefragPktSetup (Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto) |
| Setup a pseudo packet (reassembled frags) More... | |
| void | PacketDefragPktSetupParent (Packet *parent) |
| inform defrag "parent" that a pseudo packet is now associated to it. More... | |
| void | PacketBypassCallback (Packet *p) |
| void | PacketSwap (Packet *p) |
| switch direction of a packet More... | |
| void | DecodeUnregisterCounters (void) |
| void | DecodeRegisterPerfCounters (DecodeThreadVars *dtv, ThreadVars *tv) |
| void | DecodeUpdatePacketCounters (ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p) |
| void | AddressDebugPrint (Address *a) |
| Debug print function for printing addresses. More... | |
| DecodeThreadVars * | DecodeThreadVarsAlloc (ThreadVars *tv) |
| Alloc and setup DecodeThreadVars. More... | |
| void | DecodeThreadVarsFree (ThreadVars *tv, DecodeThreadVars *dtv) |
| int | PacketSetData (Packet *p, const uint8_t *pktdata, uint32_t pktlen) |
| Set data for Packet and set length when zero copy is used. More... | |
| const char * | PktSrcToString (enum PktSrcEnum pkt_src) |
| const char * | PacketDropReasonToString (enum PacketDropReason r) |
| void | CaptureStatsUpdate (ThreadVars *tv, const Packet *p) |
| void | CaptureStatsSetup (ThreadVars *tv) |
| void | DecodeGlobalConfig (void) |
| void | PacketAlertGetMaxConfig (void) |
Variables | |
| uint32_t | default_packet_size = 0 |
| bool | stats_decoder_events |
| const char * | stats_decoder_events_prefix |
| bool | stats_stream_events |
| uint8_t | decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS |
| uint16_t | packet_alert_max = PACKET_ALERT_MAX |
| ExceptionPolicyStatsSetts | defrag_memcap_eps_stats |
| ExceptionPolicyStatsSetts | flow_memcap_eps_stats |
| thread_local CaptureStats | t_capture_stats |
Detailed Description
Code in charge of protocol decoding.
The task of decoding packets is made in different files and as Suricata is supporting encapsulation there is a potential recursivity in the call.
For each protocol a DecodePROTO function is provided. For example we have DecodeIPV4() for IPv4 and DecodePPP() for PPP.
These functions have all a pkt and a len argument which are respectively a pointer to the protocol data and the length of this protocol data.
- Attention
- The pkt parameter must point to the effective data because it will be used later to set per protocol pointer like Packet::tcph
Typedef Documentation
◆ CaptureStats
| typedef struct CaptureStats_ CaptureStats |
Function Documentation
◆ AddressDebugPrint()
| void AddressDebugPrint | ( | Address * | a | ) |
Debug print function for printing addresses.
- Parameters
-
Address object
- Todo:
- IPv6
Definition at line 756 of file decode.c.
References Address_::family, PrintInet(), and SCLogDebug.
◆ CaptureStatsSetup()
| void CaptureStatsSetup | ( | ThreadVars * | tv | ) |
Definition at line 983 of file decode.c.
References CaptureStats_::counter_ips_accepted, CaptureStats_::counter_ips_blocked, CaptureStats_::counter_ips_rejected, CaptureStats_::counter_ips_replaced, EngineModeIsIPS(), PKT_DROP_REASON_MAX, PKT_DROP_REASON_NOT_SET, StatsRegisterCounter(), t_capture_stats, and tv.
◆ CaptureStatsUpdate()
| void CaptureStatsUpdate | ( | ThreadVars * | tv, |
| const Packet * | p | ||
| ) |
Definition at line 963 of file decode.c.
References ACTION_DROP, ACTION_REJECT_ANY, CaptureStats_::counter_drop_reason, CaptureStats_::counter_ips_accepted, CaptureStats_::counter_ips_blocked, CaptureStats_::counter_ips_rejected, CaptureStats_::counter_ips_replaced, Packet_::drop_reason, EngineModeIsIPS(), Packet_::flags, PacketCheckAction(), PKT_DROP_REASON_NOT_SET, PKT_IS_PSEUDOPKT, PKT_STREAM_MODIFIED, StatsIncr(), t_capture_stats, tv, and unlikely.
◆ DecodeGlobalConfig()
| void DecodeGlobalConfig | ( | void | ) |
Definition at line 999 of file decode.c.
References ConfGetInt(), DecodeERSPANConfig(), DecodeGeneveConfig(), decoder_max_layers, DecodeTeredoConfig(), DecodeVXLANConfig(), PacketAlertGetMaxConfig(), and SCLogWarning.
◆ DecodeRegisterPerfCounters()
| void DecodeRegisterPerfCounters | ( | DecodeThreadVars * | dtv, |
| ThreadVars * | tv | ||
| ) |
Definition at line 602 of file decode.c.
References DecodeThreadVars_::counter_arp, DecodeThreadVars_::counter_avg_pkt_size, DecodeThreadVars_::counter_bytes, DecodeThreadVars_::counter_chdlc, DecodeThreadVars_::counter_erspan, DecodeThreadVars_::counter_esp, DecodeThreadVars_::counter_eth, DecodeThreadVars_::counter_ethertype_unknown, DecodeThreadVars_::counter_flow_memcap, DecodeThreadVars_::counter_flow_memcap_eps, DecodeThreadVars_::counter_geneve, DecodeThreadVars_::counter_gre, DecodeThreadVars_::counter_icmpv4, DecodeThreadVars_::counter_icmpv6, DecodeThreadVars_::counter_ieee8021ah, DecodeThreadVars_::counter_invalid, DecodeThreadVars_::counter_ipv4, DecodeThreadVars_::counter_ipv4inipv6, DecodeThreadVars_::counter_ipv6, DecodeThreadVars_::counter_ipv6inipv6, DecodeThreadVars_::counter_max_mac_addrs_dst, DecodeThreadVars_::counter_max_mac_addrs_src, DecodeThreadVars_::counter_max_pkt_size, DecodeThreadVars_::counter_mpls, DecodeThreadVars_::counter_nsh, DecodeThreadVars_::counter_null, DecodeThreadVars_::counter_pkts, DecodeThreadVars_::counter_ppp, DecodeThreadVars_::counter_pppoe, DecodeThreadVars_::counter_raw, DecodeThreadVars_::counter_sctp, DecodeThreadVars_::counter_sll, DecodeThreadVars_::counter_tcp, DecodeThreadVars_::counter_tcp_rst, DecodeThreadVars_::counter_tcp_syn, DecodeThreadVars_::counter_tcp_synack, DecodeThreadVars_::counter_teredo, DecodeThreadVars_::counter_udp, DecodeThreadVars_::counter_vlan, DecodeThreadVars_::counter_vlan_qinq, DecodeThreadVars_::counter_vlan_qinqinq, DecodeThreadVars_::counter_vntag, DecodeThreadVars_::counter_vxlan, dtv, ExceptionPolicySetStatsCounters(), flow_memcap_eps_stats, FlowGetMemcapExceptionPolicy(), StatsRegisterAvgCounter(), StatsRegisterCounter(), StatsRegisterMaxCounter(), and tv.
Referenced by DecodeErfDagThreadInit().
◆ DecodeThreadVarsAlloc()
| DecodeThreadVars* DecodeThreadVarsAlloc | ( | ThreadVars * | tv | ) |
Alloc and setup DecodeThreadVars.
Definition at line 773 of file decode.c.
References DecodeThreadVars_::app_tctx, AppLayerGetCtxThread(), DecodeThreadVarsFree(), dtv, DecodeThreadVars_::output_flow_thread_data, OutputFlowLogThreadInit(), SCCalloc, SCLogError, TM_ECODE_OK, and tv.
Referenced by DecodeErfDagThreadInit().
◆ DecodeThreadVarsFree()
| void DecodeThreadVarsFree | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv | ||
| ) |
Definition at line 791 of file decode.c.
References DecodeThreadVars_::app_tctx, AppLayerDestroyCtxThread(), dtv, DecodeThreadVars_::output_flow_thread_data, OutputFlowLogThreadDeinit(), SCFree, and tv.
Referenced by DecodeErfDagThreadDeinit(), and DecodeThreadVarsAlloc().
◆ DecodeUnregisterCounters()
| void DecodeUnregisterCounters | ( | void | ) |
Definition at line 576 of file decode.c.
References SCMutexLock.
◆ DecodeUpdatePacketCounters()
| void DecodeUpdatePacketCounters | ( | ThreadVars * | tv, |
| const DecodeThreadVars * | dtv, | ||
| const Packet * | p | ||
| ) |
Definition at line 739 of file decode.c.
References DecodeThreadVars_::counter_avg_pkt_size, DecodeThreadVars_::counter_bytes, DecodeThreadVars_::counter_max_pkt_size, DecodeThreadVars_::counter_pkts, dtv, GET_PKT_LEN, StatsAddUI64(), StatsIncr(), StatsSetUI64(), and tv.
Referenced by DecodeErfDag().
◆ PacketAlertCreate()
| PacketAlert* PacketAlertCreate | ( | void | ) |
Initialize PacketAlerts with dynamic alerts array size.
Definition at line 140 of file decode.c.
References BUG_ON, packet_alert_max, and SCCalloc.
Referenced by PacketInit().
◆ PacketAlertFree()
| void PacketAlertFree | ( | PacketAlert * | pa | ) |
Definition at line 148 of file decode.c.
References SCFree.
Referenced by PacketDestructor().
◆ PacketAlertGetMaxConfig()
| void PacketAlertGetMaxConfig | ( | void | ) |
Definition at line 1016 of file decode.c.
References ConfGetInt(), packet_alert_max, SCLogDebug, and SCLogWarning.
Referenced by DecodeGlobalConfig().
◆ PacketBypassCallback()
| void PacketBypassCallback | ( | Packet * | p | ) |
- Note
- if p->flow is set, the flow is locked
Definition at line 504 of file decode.c.
References Packet_::BypassPacketsFlow, Packet_::flow, Flow_::flow_state, FLOW_STATE_LOCAL_BYPASSED, FlowGetStorageById(), FlowSetStorageById(), FlowUpdateState(), GetFlowBypassInfoID(), PKT_IS_PSEUDOPKT, and SCCalloc.
◆ PacketCallocExtPkt()
|
inline |
Definition at line 283 of file decode.c.
References Packet_::ext_pkt, SCCalloc, SET_PKT_LEN, and unlikely.
◆ PacketCopyData()
|
inline |
Copy data to Packet payload and set packet length.
- Parameters
-
Pointer to the Packet to modify Pointer to the data to copy Length of the data to copy
Definition at line 351 of file decode.c.
References PacketCopyDataOffset(), and SET_PKT_LEN.
Referenced by PacketDefragPktSetup(), and PacketTunnelPktSetup().
◆ PacketCopyDataOffset()
|
inline |
Copy data to Packet payload at given offset.
This function copies data/payload to a Packet. It uses the space allocated at Packet creation (pointed by Packet::pkt) or allocate some memory (pointed by Packet::ext_pkt) if the data size is to big to fit in initial space (of size default_packet_size).
- Parameters
-
Pointer to the Packet to modify Offset of the copy relatively to payload of Packet Pointer to the data to copy Length of the data to copy
Definition at line 309 of file decode.c.
References default_packet_size, Packet_::ext_pkt, GET_PKT_DIRECT_DATA, GET_PKT_DIRECT_MAX_SIZE, MAX_PAYLOAD_SIZE, offset, SCMalloc, SET_PKT_LEN, and unlikely.
Referenced by PacketCopyData().
◆ PacketDecodeFinalize()
| void PacketDecodeFinalize | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | p | ||
| ) |
Finalize decoding of a packet.
This function needs to be call at the end of decode functions when decoding has been successful.
Definition at line 206 of file decode.c.
References DecodeThreadVars_::counter_invalid, dtv, Packet_::flags, PKT_IS_INVALID, StatsIncr(), and tv.
Referenced by DecodeErfDag().
◆ PacketDefragPktSetup()
Setup a pseudo packet (reassembled frags)
Difference with PacketPseudoPktSetup is that this func doesn't increment the recursion level. It needs to be on the same level as the frags because we run the flow engine against this and we need to get the same flow.
- Parameters
-
parent parent packet for this pseudo pkt pkt raw packet data len packet data length proto protocol of the tunneled packet
- Return values
-
p the pseudo packet or NULL if out of memory
Definition at line 447 of file decode.c.
References BUG_ON, len, Packet_::livedev, PacketCopyData(), PacketGetFromQueueOrAlloc(), PacketTunnelChild, Packet_::recursion_level, Packet_::root, SCEnter, SCReturnPtr, Packet_::tenant_id, Packet_::ts, Packet_::ttype, unlikely, Packet_::vlan_id, and Packet_::vlan_idx.
◆ PacketDefragPktSetupParent()
| void PacketDefragPktSetupParent | ( | Packet * | parent | ) |
inform defrag "parent" that a pseudo packet is now associated to it.
Definition at line 486 of file decode.c.
References PacketTunnelNone, PacketTunnelRoot, and Packet_::ttype.
◆ PacketDropReasonToString()
| const char* PacketDropReasonToString | ( | enum PacketDropReason | r | ) |
Definition at line 872 of file decode.c.
References PKT_DROP_REASON_APPLAYER_ERROR, PKT_DROP_REASON_APPLAYER_MEMCAP, PKT_DROP_REASON_DECODE_ERROR, PKT_DROP_REASON_DEFRAG_ERROR, PKT_DROP_REASON_DEFRAG_MEMCAP, PKT_DROP_REASON_FLOW_DROP, PKT_DROP_REASON_FLOW_MEMCAP, PKT_DROP_REASON_INNER_PACKET, PKT_DROP_REASON_MAX, PKT_DROP_REASON_NFQ_ERROR, PKT_DROP_REASON_NOT_SET, PKT_DROP_REASON_RULES, PKT_DROP_REASON_RULES_THRESHOLD, PKT_DROP_REASON_STREAM_ERROR, PKT_DROP_REASON_STREAM_MEMCAP, PKT_DROP_REASON_STREAM_MIDSTREAM, and PKT_DROP_REASON_STREAM_REASSEMBLY.
◆ PacketFree()
| void PacketFree | ( | Packet * | p | ) |
Return a malloced packet.
Definition at line 193 of file decode.c.
References PacketDestructor(), and SCFree.
Referenced by PacketFreeOrRelease(), PacketGetFromAlloc(), and UTHFreePacket().
◆ PacketFreeOrRelease()
| void PacketFreeOrRelease | ( | Packet * | p | ) |
Return a packet to where it was allocated.
Definition at line 250 of file decode.c.
References likely, PacketFree(), PacketPoolReturnPacket(), Packet_::pool, and Packet_::ReleasePacket.
◆ PacketGetFromAlloc()
| Packet* PacketGetFromAlloc | ( | void | ) |
Get a malloced packet.
- Return values
-
p packet, NULL on error
Definition at line 232 of file decode.c.
References PACKET_PROFILING_START, PacketFree(), PacketInit(), Packet_::ReleasePacket, SCCalloc, SCLogDebug, SIZE_OF_PACKET, and unlikely.
Referenced by PacketGetFromQueueOrAlloc(), UTHBuildPacketFromEth(), UTHBuildPacketIPV6Real(), and UTHBuildPacketReal().
◆ PacketGetFromQueueOrAlloc()
| Packet* PacketGetFromQueueOrAlloc | ( | void | ) |
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing.
- Return values
-
p packet, NULL on error
Definition at line 267 of file decode.c.
References DEBUG_VALIDATE_BUG_ON, PACKET_PROFILING_START, PacketGetFromAlloc(), PacketPoolGetPacket(), PacketPoolReturnPacket(), and Packet_::ReleasePacket.
Referenced by PacketDefragPktSetup(), PacketTunnelPktSetup(), and ReceiveErfFileLoop().
◆ PacketSetData()
|
inline |
Set data for Packet and set length when zero copy is used.
- Parameters
-
Pointer to the Packet to modify Pointer to the data Length of the data
Definition at line 811 of file decode.c.
References Packet_::ext_pkt, Packet_::flags, PKT_ZERO_COPY, SET_PKT_LEN, and unlikely.
◆ PacketSwap()
| void PacketSwap | ( | Packet * | p | ) |
switch direction of a packet
Definition at line 551 of file decode.c.
References FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_FIRST, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_FIRST, Packet_::flowflags, and PKT_IS_TOSERVER.
◆ PacketTunnelPktSetup()
| Packet* PacketTunnelPktSetup | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | parent, | ||
| const uint8_t * | pkt, | ||
| uint32_t | len, | ||
| enum DecodeTunnelProto | proto | ||
| ) |
Setup a pseudo packet (tunnel)
- Parameters
-
parent parent packet for this pseudo pkt pkt raw packet data len packet data length proto protocol of the tunneled packet
- Return values
-
p the pseudo packet or NULL if out of memory
Definition at line 367 of file decode.c.
References BUG_ON, Packet_::datalink, DEBUG_VALIDATE_BUG_ON, decoder_max_layers, DLT_RAW, ENGINE_SET_INVALID_EVENT, GENERIC_TOO_MANY_LAYERS, len, Packet_::livedev, Packet_::nb_decoded_layers, PacketCopyData(), PacketGetFromQueueOrAlloc(), PacketTunnelChild, PacketTunnelRoot, Packet_::recursion_level, Packet_::root, SCEnter, SCReturnPtr, Packet_::tenant_id, Packet_::ts, Packet_::ttype, and unlikely.
◆ PacketUpdateEngineEventCounters()
| void PacketUpdateEngineEventCounters | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | p | ||
| ) |
Definition at line 213 of file decode.c.
References PacketEngineEvents_::cnt, DecodeThreadVars_::counter_engine_events, DECODE_EVENT_PACKET_MAX, dtv, PacketEngineEvents_::events, Packet_::events, stats_decoder_events, stats_stream_events, StatsIncr(), and tv.
◆ PktSrcToString()
| const char* PktSrcToString | ( | enum PktSrcEnum | pkt_src | ) |
Definition at line 824 of file decode.c.
References DEBUG_VALIDATE_BUG_ON, PKT_SRC_CAPTURE_TIMEOUT, PKT_SRC_DECODER_GENEVE, PKT_SRC_DECODER_GRE, PKT_SRC_DECODER_IPV4, PKT_SRC_DECODER_IPV6, PKT_SRC_DECODER_TEREDO, PKT_SRC_DECODER_VXLAN, PKT_SRC_DEFRAG, PKT_SRC_DETECT_RELOAD_FLUSH, PKT_SRC_FFR, PKT_SRC_SHUTDOWN_FLUSH, PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH, and PKT_SRC_WIRE.
Referenced by StreamTcp().
Variable Documentation
◆ decoder_max_layers
| uint8_t decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS |
Definition at line 81 of file decode.c.
Referenced by DecodeGlobalConfig(), and PacketTunnelPktSetup().
◆ default_packet_size
| uint32_t default_packet_size = 0 |
Definition at line 77 of file decode.c.
Referenced by PacketCopyDataOffset(), and RunUnittests().
◆ defrag_memcap_eps_stats
| ExceptionPolicyStatsSetts defrag_memcap_eps_stats |
◆ flow_memcap_eps_stats
| ExceptionPolicyStatsSetts flow_memcap_eps_stats |
Definition at line 112 of file decode.c.
Referenced by DecodeRegisterPerfCounters().
◆ packet_alert_max
| uint16_t packet_alert_max = PACKET_ALERT_MAX |
Definition at line 82 of file decode.c.
Referenced by AlertQueueInit(), PacketAlertCreate(), and PacketAlertGetMaxConfig().
◆ stats_decoder_events
| bool stats_decoder_events |
Definition at line 101 of file counters.c.
Referenced by PacketUpdateEngineEventCounters().
◆ stats_decoder_events_prefix
| const char* stats_decoder_events_prefix |
add stream events as stats? disabled by default
Definition at line 102 of file counters.c.
◆ stats_stream_events
| bool stats_stream_events |
Definition at line 104 of file counters.c.
Referenced by PacketUpdateEngineEventCounters().
◆ t_capture_stats
| thread_local CaptureStats t_capture_stats |
Definition at line 961 of file decode.c.
Referenced by CaptureStatsSetup(), and CaptureStatsUpdate().
