Code in charge of protocol decoding. More...
Files | |
| file | decode-chdlc.c |
| file | decode-erspan.c |
| file | decode-esp.c |
| file | decode-ethernet.c |
| file | decode-gre.c |
| file | decode-icmpv4.c |
| file | decode-icmpv6.c |
| file | decode-ipv4.c |
| file | decode-ipv6.c |
| file | decode-nsh.c |
| file | decode-null.c |
| file | decode-ppp.c |
| file | decode-pppoe.c |
| file | decode-raw.c |
| file | decode-sctp.c |
| file | decode-sll.c |
| file | decode-tcp.c |
| file | decode-template.c |
| file | decode-teredo.c |
| file | decode-udp.c |
| file | decode-vlan.c |
| file | decode-vntag.c |
| file | decode.c |
Data Structures | |
| struct | CaptureStats_ |
Typedefs | |
| typedef struct CaptureStats_ | CaptureStats |
Functions | |
| PacketAlert * | PacketAlertCreate (void) |
| Initialize PacketAlerts with dynamic alerts array size. More... | |
| void | PacketAlertFree (PacketAlert *pa) |
| void | PacketFree (Packet *p) |
| Return a malloced packet. More... | |
| void | PacketDecodeFinalize (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) |
| Finalize decoding of a packet. More... | |
| void | PacketUpdateEngineEventCounters (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p) |
| Packet * | PacketGetFromAlloc (void) |
| Get a malloced packet. More... | |
| void | PacketFreeOrRelease (Packet *p) |
| Return a packet to where it was allocated. More... | |
| Packet * | PacketGetFromQueueOrAlloc (void) |
| Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing. More... | |
| int | PacketCallocExtPkt (Packet *p, int datalen) |
| int | PacketCopyDataOffset (Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen) |
| Copy data to Packet payload at given offset. More... | |
| int | PacketCopyData (Packet *p, const uint8_t *pktdata, uint32_t pktlen) |
| Copy data to Packet payload and set packet length. More... | |
| Packet * | PacketTunnelPktSetup (ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto) |
| Setup a pseudo packet (tunnel) More... | |
| Packet * | PacketDefragPktSetup (Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto) |
| Setup a pseudo packet (reassembled frags) More... | |
| void | PacketDefragPktSetupParent (Packet *parent) |
| inform defrag "parent" that a pseudo packet is now associated to it. More... | |
| void | PacketBypassCallback (Packet *p) |
| void | PacketSwap (Packet *p) |
| switch direction of a packet More... | |
| void | DecodeUnregisterCounters (void) |
| void | DecodeRegisterPerfCounters (DecodeThreadVars *dtv, ThreadVars *tv) |
| void | DecodeUpdatePacketCounters (ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p) |
| void | AddressDebugPrint (Address *a) |
| Debug print function for printing addresses. More... | |
| DecodeThreadVars * | DecodeThreadVarsAlloc (ThreadVars *tv) |
| Alloc and setup DecodeThreadVars. More... | |
| void | DecodeThreadVarsFree (ThreadVars *tv, DecodeThreadVars *dtv) |
| int | PacketSetData (Packet *p, const uint8_t *pktdata, uint32_t pktlen) |
| Set data for Packet and set length when zero copy is used. More... | |
| const char * | PktSrcToString (enum PktSrcEnum pkt_src) |
| const char * | PacketDropReasonToString (enum PacketDropReason r) |
| void | CaptureStatsUpdate (ThreadVars *tv, const Packet *p) |
| void | CaptureStatsSetup (ThreadVars *tv) |
| void | DecodeGlobalConfig (void) |
| void | PacketAlertGetMaxConfig (void) |
Variables | |
| uint32_t | default_packet_size = 0 |
| bool | stats_decoder_events |
| const char * | stats_decoder_events_prefix |
| bool | stats_stream_events |
| uint8_t | decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS |
| uint16_t | packet_alert_max = PACKET_ALERT_MAX |
| ExceptionPolicyStatsSetts | defrag_memcap_eps_stats |
| ExceptionPolicyStatsSetts | flow_memcap_eps_stats |
| thread_local CaptureStats | t_capture_stats |
Detailed Description
Code in charge of protocol decoding.
The task of decoding packets is made in different files and as Suricata is supporting encapsulation there is a potential recursivity in the call.
For each protocol a DecodePROTO function is provided. For example we have DecodeIPV4() for IPv4 and DecodePPP() for PPP.
These functions have all a pkt and a len argument which are respectively a pointer to the protocol data and the length of this protocol data.
- Attention
- The pkt parameter must point to the effective data because it will be used later to set per protocol pointer like Packet::tcph
Typedef Documentation
◆ CaptureStats
| typedef struct CaptureStats_ CaptureStats |
Function Documentation
◆ AddressDebugPrint()
| void AddressDebugPrint | ( | Address * | a | ) |
Debug print function for printing addresses.
- Parameters
-
Address object
- Todo:
- IPv6
Definition at line 752 of file decode.c.
References Address_::family, PrintInet(), and SCLogDebug.
◆ CaptureStatsSetup()
| void CaptureStatsSetup | ( | ThreadVars * | tv | ) |
Definition at line 979 of file decode.c.
References CaptureStats_::counter_ips_accepted, CaptureStats_::counter_ips_blocked, CaptureStats_::counter_ips_rejected, CaptureStats_::counter_ips_replaced, EngineModeIsIPS(), PKT_DROP_REASON_MAX, PKT_DROP_REASON_NOT_SET, StatsRegisterCounter(), t_capture_stats, and tv.
◆ CaptureStatsUpdate()
| void CaptureStatsUpdate | ( | ThreadVars * | tv, |
| const Packet * | p | ||
| ) |
Definition at line 959 of file decode.c.
References ACTION_DROP, ACTION_REJECT_ANY, CaptureStats_::counter_drop_reason, CaptureStats_::counter_ips_accepted, CaptureStats_::counter_ips_blocked, CaptureStats_::counter_ips_rejected, CaptureStats_::counter_ips_replaced, Packet_::drop_reason, EngineModeIsIPS(), Packet_::flags, PacketCheckAction(), PKT_DROP_REASON_NOT_SET, PKT_IS_PSEUDOPKT, PKT_STREAM_MODIFIED, StatsIncr(), t_capture_stats, tv, and unlikely.
◆ DecodeGlobalConfig()
| void DecodeGlobalConfig | ( | void | ) |
Definition at line 995 of file decode.c.
References ConfGetInt(), DecodeERSPANConfig(), DecodeGeneveConfig(), decoder_max_layers, DecodeTeredoConfig(), DecodeVXLANConfig(), PacketAlertGetMaxConfig(), and SCLogWarning.
◆ DecodeRegisterPerfCounters()
| void DecodeRegisterPerfCounters | ( | DecodeThreadVars * | dtv, |
| ThreadVars * | tv | ||
| ) |
Definition at line 599 of file decode.c.
References DecodeThreadVars_::counter_arp, DecodeThreadVars_::counter_avg_pkt_size, DecodeThreadVars_::counter_bytes, DecodeThreadVars_::counter_chdlc, DecodeThreadVars_::counter_erspan, DecodeThreadVars_::counter_esp, DecodeThreadVars_::counter_eth, DecodeThreadVars_::counter_ethertype_unknown, DecodeThreadVars_::counter_flow_memcap, DecodeThreadVars_::counter_flow_memcap_eps, DecodeThreadVars_::counter_geneve, DecodeThreadVars_::counter_gre, DecodeThreadVars_::counter_icmpv4, DecodeThreadVars_::counter_icmpv6, DecodeThreadVars_::counter_ieee8021ah, DecodeThreadVars_::counter_invalid, DecodeThreadVars_::counter_ipv4, DecodeThreadVars_::counter_ipv4inipv6, DecodeThreadVars_::counter_ipv6, DecodeThreadVars_::counter_ipv6inipv6, DecodeThreadVars_::counter_max_mac_addrs_dst, DecodeThreadVars_::counter_max_mac_addrs_src, DecodeThreadVars_::counter_max_pkt_size, DecodeThreadVars_::counter_mpls, DecodeThreadVars_::counter_nsh, DecodeThreadVars_::counter_null, DecodeThreadVars_::counter_pkts, DecodeThreadVars_::counter_ppp, DecodeThreadVars_::counter_pppoe, DecodeThreadVars_::counter_raw, DecodeThreadVars_::counter_sctp, DecodeThreadVars_::counter_sll, DecodeThreadVars_::counter_tcp, DecodeThreadVars_::counter_tcp_rst, DecodeThreadVars_::counter_tcp_syn, DecodeThreadVars_::counter_tcp_synack, DecodeThreadVars_::counter_teredo, DecodeThreadVars_::counter_udp, DecodeThreadVars_::counter_vlan, DecodeThreadVars_::counter_vlan_qinq, DecodeThreadVars_::counter_vlan_qinqinq, DecodeThreadVars_::counter_vntag, DecodeThreadVars_::counter_vxlan, dtv, ExceptionPolicySetStatsCounters(), flow_memcap_eps_stats, FlowGetMemcapExceptionPolicy(), StatsRegisterAvgCounter(), StatsRegisterCounter(), StatsRegisterMaxCounter(), and tv.
Referenced by DecodeErfDagThreadInit(), DecodePfringThreadInit(), and NapatechDecodeThreadInit().
◆ DecodeThreadVarsAlloc()
| DecodeThreadVars* DecodeThreadVarsAlloc | ( | ThreadVars * | tv | ) |
Alloc and setup DecodeThreadVars.
Definition at line 769 of file decode.c.
References DecodeThreadVars_::app_tctx, AppLayerGetCtxThread(), DecodeThreadVarsFree(), dtv, DecodeThreadVars_::output_flow_thread_data, OutputFlowLogThreadInit(), SCCalloc, SCLogError, TM_ECODE_OK, and tv.
Referenced by DecodeErfDagThreadInit(), DecodePfringThreadInit(), and NapatechDecodeThreadInit().
◆ DecodeThreadVarsFree()
| void DecodeThreadVarsFree | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv | ||
| ) |
Definition at line 787 of file decode.c.
References DecodeThreadVars_::app_tctx, AppLayerDestroyCtxThread(), dtv, DecodeThreadVars_::output_flow_thread_data, OutputFlowLogThreadDeinit(), SCFree, and tv.
Referenced by DecodeErfDagThreadDeinit(), DecodePfringThreadDeinit(), DecodeThreadVarsAlloc(), and NapatechDecodeThreadDeinit().
◆ DecodeUnregisterCounters()
| void DecodeUnregisterCounters | ( | void | ) |
Definition at line 573 of file decode.c.
References SCMutexLock.
◆ DecodeUpdatePacketCounters()
| void DecodeUpdatePacketCounters | ( | ThreadVars * | tv, |
| const DecodeThreadVars * | dtv, | ||
| const Packet * | p | ||
| ) |
Definition at line 735 of file decode.c.
References DecodeThreadVars_::counter_avg_pkt_size, DecodeThreadVars_::counter_bytes, DecodeThreadVars_::counter_max_pkt_size, DecodeThreadVars_::counter_pkts, dtv, GET_PKT_LEN, StatsAddUI64(), StatsIncr(), StatsSetUI64(), and tv.
Referenced by DecodeErfDag(), DecodePfring(), and NapatechDecode().
◆ PacketAlertCreate()
| PacketAlert* PacketAlertCreate | ( | void | ) |
Initialize PacketAlerts with dynamic alerts array size.
Definition at line 139 of file decode.c.
References BUG_ON, packet_alert_max, and SCCalloc.
Referenced by PacketInit().
◆ PacketAlertFree()
| void PacketAlertFree | ( | PacketAlert * | pa | ) |
Definition at line 147 of file decode.c.
References SCFree.
Referenced by PacketDestructor().
◆ PacketAlertGetMaxConfig()
| void PacketAlertGetMaxConfig | ( | void | ) |
Definition at line 1012 of file decode.c.
References ConfGetInt(), packet_alert_max, SCLogDebug, and SCLogWarning.
Referenced by DecodeGlobalConfig().
◆ PacketBypassCallback()
| void PacketBypassCallback | ( | Packet * | p | ) |
- Note
- if p->flow is set, the flow is locked
Definition at line 501 of file decode.c.
References Packet_::BypassPacketsFlow, Packet_::flow, Flow_::flow_state, FLOW_STATE_LOCAL_BYPASSED, FlowGetStorageById(), FlowSetStorageById(), FlowUpdateState(), GetFlowBypassInfoID(), PKT_IS_PSEUDOPKT, and SCCalloc.
◆ PacketCallocExtPkt()
|
inline |
Definition at line 280 of file decode.c.
References Packet_::ext_pkt, SCCalloc, SET_PKT_LEN, and unlikely.
◆ PacketCopyData()
|
inline |
Copy data to Packet payload and set packet length.
- Parameters
-
Pointer to the Packet to modify Pointer to the data to copy Length of the data to copy
Definition at line 348 of file decode.c.
References PacketCopyDataOffset(), and SET_PKT_LEN.
Referenced by PacketDefragPktSetup(), and PacketTunnelPktSetup().
◆ PacketCopyDataOffset()
|
inline |
Copy data to Packet payload at given offset.
This function copies data/payload to a Packet. It uses the space allocated at Packet creation (pointed by Packet::pkt) or allocate some memory (pointed by Packet::ext_pkt) if the data size is to big to fit in initial space (of size default_packet_size).
- Parameters
-
Pointer to the Packet to modify Offset of the copy relatively to payload of Packet Pointer to the data to copy Length of the data to copy
Definition at line 306 of file decode.c.
References default_packet_size, Packet_::ext_pkt, GET_PKT_DIRECT_DATA, GET_PKT_DIRECT_MAX_SIZE, MAX_PAYLOAD_SIZE, offset, SCMalloc, SET_PKT_LEN, and unlikely.
Referenced by PacketCopyData(), and UTHBuildPacketReal().
◆ PacketDecodeFinalize()
| void PacketDecodeFinalize | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | p | ||
| ) |
Finalize decoding of a packet.
This function needs to be call at the end of decode functions when decoding has been successful.
Definition at line 203 of file decode.c.
References DecodeThreadVars_::counter_invalid, dtv, Packet_::flags, PKT_IS_INVALID, StatsIncr(), and tv.
Referenced by DecodeErfDag(), DecodePfring(), and NapatechDecode().
◆ PacketDefragPktSetup()
Setup a pseudo packet (reassembled frags)
Difference with PacketPseudoPktSetup is that this func doesn't increment the recursion level. It needs to be on the same level as the frags because we run the flow engine against this and we need to get the same flow.
- Parameters
-
parent parent packet for this pseudo pkt pkt raw packet data len packet data length proto protocol of the tunneled packet
- Return values
-
p the pseudo packet or NULL if out of memory
Definition at line 444 of file decode.c.
References BUG_ON, len, Packet_::livedev, PacketCopyData(), PacketGetFromQueueOrAlloc(), PacketTunnelChild, Packet_::recursion_level, Packet_::root, SCEnter, SCReturnPtr, Packet_::tenant_id, Packet_::ts, Packet_::ttype, unlikely, Packet_::vlan_id, and Packet_::vlan_idx.
◆ PacketDefragPktSetupParent()
| void PacketDefragPktSetupParent | ( | Packet * | parent | ) |
inform defrag "parent" that a pseudo packet is now associated to it.
Definition at line 483 of file decode.c.
References PacketTunnelNone, PacketTunnelRoot, and Packet_::ttype.
◆ PacketDropReasonToString()
| const char* PacketDropReasonToString | ( | enum PacketDropReason | r | ) |
Definition at line 868 of file decode.c.
References PKT_DROP_REASON_APPLAYER_ERROR, PKT_DROP_REASON_APPLAYER_MEMCAP, PKT_DROP_REASON_DECODE_ERROR, PKT_DROP_REASON_DEFRAG_ERROR, PKT_DROP_REASON_DEFRAG_MEMCAP, PKT_DROP_REASON_FLOW_DROP, PKT_DROP_REASON_FLOW_MEMCAP, PKT_DROP_REASON_INNER_PACKET, PKT_DROP_REASON_MAX, PKT_DROP_REASON_NFQ_ERROR, PKT_DROP_REASON_NOT_SET, PKT_DROP_REASON_RULES, PKT_DROP_REASON_RULES_THRESHOLD, PKT_DROP_REASON_STREAM_ERROR, PKT_DROP_REASON_STREAM_MEMCAP, PKT_DROP_REASON_STREAM_MIDSTREAM, and PKT_DROP_REASON_STREAM_REASSEMBLY.
◆ PacketFree()
| void PacketFree | ( | Packet * | p | ) |
Return a malloced packet.
Definition at line 190 of file decode.c.
References PacketDestructor(), and SCFree.
Referenced by PacketFreeOrRelease(), PacketGetFromAlloc(), and UTHFreePacket().
◆ PacketFreeOrRelease()
| void PacketFreeOrRelease | ( | Packet * | p | ) |
Return a packet to where it was allocated.
Definition at line 247 of file decode.c.
References likely, PacketFree(), PacketPoolReturnPacket(), Packet_::pool, and Packet_::ReleasePacket.
◆ PacketGetFromAlloc()
| Packet* PacketGetFromAlloc | ( | void | ) |
Get a malloced packet.
- Return values
-
p packet, NULL on error
Definition at line 229 of file decode.c.
References PACKET_PROFILING_START, PacketFree(), PacketInit(), Packet_::ReleasePacket, SCCalloc, SCLogDebug, SIZE_OF_PACKET, and unlikely.
Referenced by PacketGetFromQueueOrAlloc(), UTHBuildPacketFromEth(), UTHBuildPacketIPV6Real(), and UTHBuildPacketReal().
◆ PacketGetFromQueueOrAlloc()
| Packet* PacketGetFromQueueOrAlloc | ( | void | ) |
Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing.
- Return values
-
p packet, NULL on error
Definition at line 264 of file decode.c.
References DEBUG_VALIDATE_BUG_ON, PACKET_PROFILING_START, PacketGetFromAlloc(), PacketPoolGetPacket(), PacketPoolReturnPacket(), and Packet_::ReleasePacket.
Referenced by PacketDefragPktSetup(), PacketTunnelPktSetup(), ReceiveErfFileLoop(), and ReceivePfringLoop().
◆ PacketSetData()
|
inline |
Set data for Packet and set length when zero copy is used.
- Parameters
-
Pointer to the Packet to modify Pointer to the data Length of the data
Definition at line 807 of file decode.c.
References Packet_::ext_pkt, Packet_::flags, PKT_ZERO_COPY, SET_PKT_LEN, and unlikely.
Referenced by ReceivePfringLoop().
◆ PacketSwap()
| void PacketSwap | ( | Packet * | p | ) |
switch direction of a packet
Definition at line 548 of file decode.c.
References FLOW_PKT_TOCLIENT, FLOW_PKT_TOCLIENT_FIRST, FLOW_PKT_TOSERVER, FLOW_PKT_TOSERVER_FIRST, Packet_::flowflags, and PKT_IS_TOSERVER.
◆ PacketTunnelPktSetup()
| Packet* PacketTunnelPktSetup | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | parent, | ||
| const uint8_t * | pkt, | ||
| uint32_t | len, | ||
| enum DecodeTunnelProto | proto | ||
| ) |
Setup a pseudo packet (tunnel)
- Parameters
-
parent parent packet for this pseudo pkt pkt raw packet data len packet data length proto protocol of the tunneled packet
- Return values
-
p the pseudo packet or NULL if out of memory
Definition at line 364 of file decode.c.
References BUG_ON, Packet_::datalink, DEBUG_VALIDATE_BUG_ON, decoder_max_layers, DLT_RAW, ENGINE_SET_INVALID_EVENT, GENERIC_TOO_MANY_LAYERS, len, Packet_::livedev, Packet_::nb_decoded_layers, PacketCopyData(), PacketGetFromQueueOrAlloc(), PacketTunnelChild, PacketTunnelRoot, Packet_::recursion_level, Packet_::root, SCEnter, SCReturnPtr, Packet_::tenant_id, Packet_::ts, Packet_::ttype, and unlikely.
◆ PacketUpdateEngineEventCounters()
| void PacketUpdateEngineEventCounters | ( | ThreadVars * | tv, |
| DecodeThreadVars * | dtv, | ||
| Packet * | p | ||
| ) |
Definition at line 210 of file decode.c.
References PacketEngineEvents_::cnt, DecodeThreadVars_::counter_engine_events, DECODE_EVENT_PACKET_MAX, dtv, PacketEngineEvents_::events, Packet_::events, stats_decoder_events, stats_stream_events, StatsIncr(), and tv.
◆ PktSrcToString()
| const char* PktSrcToString | ( | enum PktSrcEnum | pkt_src | ) |
Definition at line 820 of file decode.c.
References DEBUG_VALIDATE_BUG_ON, PKT_SRC_CAPTURE_TIMEOUT, PKT_SRC_DECODER_GENEVE, PKT_SRC_DECODER_GRE, PKT_SRC_DECODER_IPV4, PKT_SRC_DECODER_IPV6, PKT_SRC_DECODER_TEREDO, PKT_SRC_DECODER_VXLAN, PKT_SRC_DEFRAG, PKT_SRC_DETECT_RELOAD_FLUSH, PKT_SRC_FFR, PKT_SRC_SHUTDOWN_FLUSH, PKT_SRC_STREAM_TCP_DETECTLOG_FLUSH, and PKT_SRC_WIRE.
Referenced by StreamTcp().
Variable Documentation
◆ decoder_max_layers
| uint8_t decoder_max_layers = PKT_DEFAULT_MAX_DECODED_LAYERS |
Definition at line 80 of file decode.c.
Referenced by DecodeGlobalConfig(), and PacketTunnelPktSetup().
◆ default_packet_size
| uint32_t default_packet_size = 0 |
Definition at line 76 of file decode.c.
Referenced by PacketCopyDataOffset(), and RunUnittests().
◆ defrag_memcap_eps_stats
| ExceptionPolicyStatsSetts defrag_memcap_eps_stats |
◆ flow_memcap_eps_stats
| ExceptionPolicyStatsSetts flow_memcap_eps_stats |
Definition at line 111 of file decode.c.
Referenced by DecodeRegisterPerfCounters().
◆ packet_alert_max
| uint16_t packet_alert_max = PACKET_ALERT_MAX |
Definition at line 81 of file decode.c.
Referenced by AlertQueueInit(), PacketAlertCreate(), and PacketAlertGetMaxConfig().
◆ stats_decoder_events
| bool stats_decoder_events |
Definition at line 101 of file counters.c.
Referenced by PacketUpdateEngineEventCounters().
◆ stats_decoder_events_prefix
| const char* stats_decoder_events_prefix |
add stream events as stats? disabled by default
Definition at line 102 of file counters.c.
◆ stats_stream_events
| bool stats_stream_events |
Definition at line 104 of file counters.c.
Referenced by PacketUpdateEngineEventCounters().
◆ t_capture_stats
| thread_local CaptureStats t_capture_stats |
Definition at line 957 of file decode.c.
Referenced by CaptureStatsSetup(), and CaptureStatsUpdate().
