Go to the source code of this file.
Data Structures | |
| struct | TcpStateQueue_ |
| struct | StreamTcpSackRecord |
| struct | TcpSegmentPcapHdrStorage_ |
| struct | TcpSegment |
| struct | TcpStream_ |
| struct | TcpSession_ |
Typedefs | |
| typedef struct TcpStateQueue_ | TcpStateQueue |
| typedef struct StreamTcpSackRecord | StreamTcpSackRecord |
| typedef struct TcpSegmentPcapHdrStorage_ | TcpSegmentPcapHdrStorage |
| typedef struct TcpStream_ | TcpStream |
| typedef struct TcpSession_ | TcpSession |
Enumerations | |
| enum | TcpState { TCP_NONE = 0, TCP_SYN_SENT = 2, TCP_SYN_RECV = 3, TCP_ESTABLISHED = 4, TCP_FIN_WAIT1 = 5, TCP_FIN_WAIT2 = 6, TCP_TIME_WAIT = 7, TCP_LAST_ACK = 8, TCP_CLOSE_WAIT = 9, TCP_CLOSING = 10, TCP_CLOSED = 11 } |
Functions | |
| int | TcpSackCompare (struct StreamTcpSackRecord *a, struct StreamTcpSackRecord *b) |
| RB_HEAD (TCPSACK, StreamTcpSackRecord) | |
| RB_PROTOTYPE (TCPSACK, StreamTcpSackRecord, rb, TcpSackCompare) | |
| struct TcpSegment | __attribute__ ((__packed__)) TcpSegment |
| DNP3 link header. More... | |
| RB_ENTRY (TcpSegment) __attribute__((__packed__)) rb | |
| int | TcpSegmentCompare (struct TcpSegment *a, struct TcpSegment *b) |
| compare function for the Segment tree More... | |
| RB_HEAD (TCPSEG, TcpSegment) | |
| RB_PROTOTYPE (TCPSEG, TcpSegment, rb, TcpSegmentCompare) | |
Variables | |
| PoolThreadId | pool_id |
| uint16_t | payload_len |
| uint32_t | seq |
| StreamingBufferSegment | sbseg |
| TcpSegmentPcapHdrStorage * | pcap_hdr_storage |
Detailed Description
Definition in file stream-tcp-private.h.
Macro Definition Documentation
◆ PAWS_24DAYS
| #define PAWS_24DAYS 2073600 |
NOTE: flags field is 12 bits 24 days in seconds
Definition at line 248 of file stream-tcp-private.h.
◆ PKT_IS_IN_RIGHT_DIR
| #define PKT_IS_IN_RIGHT_DIR | ( | ssn, | |
| p | |||
| ) |
Definition at line 250 of file stream-tcp-private.h.
◆ SEG_SEQ_RIGHT_EDGE
| #define SEG_SEQ_RIGHT_EDGE | ( | seg | ) | ((seg)->seq + TCP_SEG_LEN((seg))) |
Definition at line 98 of file stream-tcp-private.h.
◆ SEQ_EQ
| #define SEQ_EQ | ( | a, | |
| b | |||
| ) | ((int32_t)((a) - (b)) == 0) |
Definition at line 257 of file stream-tcp-private.h.
◆ SEQ_GEQ
| #define SEQ_GEQ | ( | a, | |
| b | |||
| ) | ((int32_t)((a) - (b)) >= 0) |
Definition at line 261 of file stream-tcp-private.h.
◆ SEQ_GT
| #define SEQ_GT | ( | a, | |
| b | |||
| ) | ((int32_t)((a) - (b)) > 0) |
Definition at line 260 of file stream-tcp-private.h.
◆ SEQ_LEQ
| #define SEQ_LEQ | ( | a, | |
| b | |||
| ) | ((int32_t)((a) - (b)) <= 0) |
Definition at line 259 of file stream-tcp-private.h.
◆ SEQ_LT
| #define SEQ_LT | ( | a, | |
| b | |||
| ) | ((int32_t)((a) - (b)) < 0) |
Definition at line 258 of file stream-tcp-private.h.
◆ SEQ_MAX
| #define SEQ_MAX | ( | a, | |
| b | |||
| ) | (SEQ_GT((a), (b)) ? (a) : (b)) |
Definition at line 263 of file stream-tcp-private.h.
◆ SEQ_MIN
| #define SEQ_MIN | ( | a, | |
| b | |||
| ) | (SEQ_LT((a), (b)) ? (a) : (b)) |
Definition at line 262 of file stream-tcp-private.h.
◆ STREAM_APP_PROGRESS
| #define STREAM_APP_PROGRESS | ( | stream | ) | (STREAM_BASE_OFFSET((stream)) + (stream)->app_progress_rel) |
Definition at line 146 of file stream-tcp-private.h.
◆ STREAM_BASE_OFFSET
| #define STREAM_BASE_OFFSET | ( | stream | ) | ((stream)->sb.region.stream_offset) |
Definition at line 145 of file stream-tcp-private.h.
◆ STREAM_HAS_SEEN_DATA
| #define STREAM_HAS_SEEN_DATA | ( | stream | ) | StreamingBufferHasData(&(stream)->sb) |
Definition at line 105 of file stream-tcp-private.h.
◆ STREAM_LOG_PROGRESS
| #define STREAM_LOG_PROGRESS | ( | stream | ) | (STREAM_BASE_OFFSET((stream)) + (stream)->log_progress_rel) |
Definition at line 148 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_ACK_UNSEEN_DATA
| #define STREAM_PKT_FLAG_ACK_UNSEEN_DATA BIT_U16(9) |
Definition at line 320 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_DSACK
| #define STREAM_PKT_FLAG_DSACK BIT_U16(8) |
Definition at line 319 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_DUP_ACK
| #define STREAM_PKT_FLAG_DUP_ACK BIT_U16(7) |
Definition at line 318 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_EVENTSET
| #define STREAM_PKT_FLAG_EVENTSET BIT_U16(6) |
Definition at line 317 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_KEEPALIVE
| #define STREAM_PKT_FLAG_KEEPALIVE BIT_U16(3) |
Definition at line 314 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_KEEPALIVEACK
| #define STREAM_PKT_FLAG_KEEPALIVEACK BIT_U16(4) |
Definition at line 315 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_RETRANSMISSION
| #define STREAM_PKT_FLAG_RETRANSMISSION BIT_U16(0) |
Definition at line 311 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_SET
| #define STREAM_PKT_FLAG_SET | ( | p, | |
| f | |||
| ) | (p)->l4.vars.tcp.stream_pkt_flags |= (f) |
Definition at line 325 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION
| #define STREAM_PKT_FLAG_SPURIOUS_RETRANSMISSION BIT_U16(1) |
Definition at line 312 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_STATE_UPDATE
| #define STREAM_PKT_FLAG_STATE_UPDATE BIT_U16(2) |
Definition at line 313 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_TCP_PORT_REUSE
| #define STREAM_PKT_FLAG_TCP_PORT_REUSE BIT_U16(10) |
Definition at line 321 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE
| #define STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE BIT_U16(11) |
Definition at line 322 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE_ACK
| #define STREAM_PKT_FLAG_TCP_ZERO_WIN_PROBE_ACK BIT_U16(12) |
Definition at line 323 of file stream-tcp-private.h.
◆ STREAM_PKT_FLAG_WINDOWUPDATE
| #define STREAM_PKT_FLAG_WINDOWUPDATE BIT_U16(5) |
Definition at line 316 of file stream-tcp-private.h.
◆ STREAM_RAW_PROGRESS
| #define STREAM_RAW_PROGRESS | ( | stream | ) | (STREAM_BASE_OFFSET((stream)) + (stream)->raw_progress_rel) |
Definition at line 147 of file stream-tcp-private.h.
◆ STREAM_RIGHT_EDGE
| #define STREAM_RIGHT_EDGE | ( | stream | ) | (STREAM_BASE_OFFSET((stream)) + (STREAM_SEQ_RIGHT_EDGE((stream)) - (stream)->base_seq)) |
Definition at line 103 of file stream-tcp-private.h.
◆ STREAM_SEQ_RIGHT_EDGE
| #define STREAM_SEQ_RIGHT_EDGE | ( | stream | ) | (stream)->segs_right_edge |
Definition at line 102 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_3WHS_CONFIRMED
| #define STREAMTCP_FLAG_3WHS_CONFIRMED BIT_U32(12) |
3WHS confirmed by server – if suri sees 3whs ACK but server doesn't (pkt is lost on the way to server), SYN/ACK is retransmitted. If server sends normal packet we assume 3whs to be completed. Only used for SYN/ACK resend event.
Definition at line 200 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_4WHS
| #define STREAMTCP_FLAG_4WHS BIT_U32(7) |
Flag to indicate we're dealing with 4WHS: SYN, SYN, SYN/ACK, ACK (http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie)
Definition at line 186 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_APP_LAYER_DISABLED
| #define STREAMTCP_FLAG_APP_LAYER_DISABLED BIT_U32(13) |
App Layer tracking/reassembly is disabled
Definition at line 202 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_ASYNC
| #define STREAMTCP_FLAG_ASYNC BIT_U32(6) |
Flag to indicate that the session is handling asynchronous stream.
Definition at line 183 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_BYPASS
| #define STREAMTCP_FLAG_BYPASS BIT_U32(14) |
Stream can be bypass
Definition at line 204 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_CLIENT_SACKOK
| #define STREAMTCP_FLAG_CLIENT_SACKOK BIT_U32(9) |
Flag to indicate the client (SYN pkt) permits SACK
Definition at line 191 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_CLOSED_BY_RST
| #define STREAMTCP_FLAG_CLOSED_BY_RST BIT_U32(5) |
Closed by RST
Definition at line 181 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT
| #define STREAMTCP_FLAG_DETECTION_EVASION_ATTEMPT BIT_U32(8) |
Flag to indicate that this session is possible trying to evade the detection (http://www.packetstan.com/2010/06/recently-ive-been-on-campaign-to-make.html)
Definition at line 189 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_LOSSY_BE_LIBERAL
| #define STREAMTCP_FLAG_LOSSY_BE_LIBERAL BIT_U32(11) |
Session is in "lossy" state, be liberal
Definition at line 195 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_MIDSTREAM
| #define STREAMTCP_FLAG_MIDSTREAM BIT_U32(0) |
Flag for mid stream session
Definition at line 171 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED
| #define STREAMTCP_FLAG_MIDSTREAM_ESTABLISHED BIT_U32(1) |
Flag for mid stream established session
Definition at line 173 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_MIDSTREAM_SYNACK
| #define STREAMTCP_FLAG_MIDSTREAM_SYNACK BIT_U32(2) |
Flag for mid session when syn/ack is received
Definition at line 175 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_SACKOK
| #define STREAMTCP_FLAG_SACKOK BIT_U32(10) |
Flag to indicate both sides of the session permit SACK (SYN + SYN/ACK)
Definition at line 193 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_SERVER_WSCALE
| #define STREAMTCP_FLAG_SERVER_WSCALE BIT_U32(4) |
Server supports wscale (even though it can be 0)
Definition at line 179 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_TCP_FAST_OPEN
| #define STREAMTCP_FLAG_TCP_FAST_OPEN BIT_U32(15) |
SSN uses TCP Fast Open
Definition at line 206 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_TFO_DATA_IGNORED
| #define STREAMTCP_FLAG_TFO_DATA_IGNORED BIT_U32(16) |
SYN/ACK ignored the data while ACKing the SYN
Definition at line 208 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_TIMESTAMP
| #define STREAMTCP_FLAG_TIMESTAMP BIT_U32(3) |
Flag for TCP Timestamp option
Definition at line 177 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_ZWP_TC
| #define STREAMTCP_FLAG_ZWP_TC BIT_U32(18) |
Definition at line 211 of file stream-tcp-private.h.
◆ STREAMTCP_FLAG_ZWP_TS
| #define STREAMTCP_FLAG_ZWP_TS BIT_U32(17) |
Definition at line 210 of file stream-tcp-private.h.
◆ STREAMTCP_QUEUE_FLAG_SACK
| #define STREAMTCP_QUEUE_FLAG_SACK 0x04 |
Definition at line 33 of file stream-tcp-private.h.
◆ STREAMTCP_QUEUE_FLAG_TS
| #define STREAMTCP_QUEUE_FLAG_TS 0x01 |
Definition at line 31 of file stream-tcp-private.h.
◆ STREAMTCP_QUEUE_FLAG_WS
| #define STREAMTCP_QUEUE_FLAG_WS 0x02 |
Definition at line 32 of file stream-tcp-private.h.
◆ STREAMTCP_SET_RA_BASE_SEQ
| #define STREAMTCP_SET_RA_BASE_SEQ | ( | stream, | |
| seq | |||
| ) |
Definition at line 265 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED
| #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED BIT_U16(7) |
App proto detection completed
Definition at line 233 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED
| #define STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_SKIPPED BIT_U16(8) |
App proto detection skipped
Definition at line 235 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_DEPTH_REACHED
| #define STREAMTCP_STREAM_FLAG_DEPTH_REACHED BIT_U16(3) |
Stream has reached it's reassembly depth, all further packets are ignored
Definition at line 224 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_DISABLE_RAW
| #define STREAMTCP_STREAM_FLAG_DISABLE_RAW BIT_U16(10) |
Raw reassembly disabled completely
Definition at line 239 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_HAS_GAP
| #define STREAMTCP_STREAM_FLAG_HAS_GAP BIT_U16(0) |
Flag to indicate that we have seen gap on the stream
Definition at line 218 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_KEEPALIVE
| #define STREAMTCP_STREAM_FLAG_KEEPALIVE BIT_U16(2) |
we received a keep alive
Definition at line 222 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED
| #define STREAMTCP_STREAM_FLAG_NEW_RAW_DISABLED BIT_U16(9) |
Raw reassembly disabled for new segments
Definition at line 237 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_NOREASSEMBLY
| #define STREAMTCP_STREAM_FLAG_NOREASSEMBLY BIT_U16(1) |
Flag to avoid stream reassembly/app layer inspection for the stream
Definition at line 220 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_RST_RECV
| #define STREAMTCP_STREAM_FLAG_RST_RECV BIT_U16(11) |
Definition at line 241 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_TIMESTAMP
| #define STREAMTCP_STREAM_FLAG_TIMESTAMP BIT_U16(5) |
Stream supports TIMESTAMP – used to set ssn STREAMTCP_FLAG_TIMESTAMP flag.
Definition at line 229 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_TRIGGER_RAW
| #define STREAMTCP_STREAM_FLAG_TRIGGER_RAW BIT_U16(4) |
Trigger reassembly next time we need 'raw'
Definition at line 226 of file stream-tcp-private.h.
◆ STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP
| #define STREAMTCP_STREAM_FLAG_ZERO_TIMESTAMP BIT_U16(6) |
Flag to indicate the zero value of timestamp
Definition at line 231 of file stream-tcp-private.h.
◆ StreamTcpDisableAppLayerReassembly
| #define StreamTcpDisableAppLayerReassembly | ( | ssn | ) |
Definition at line 306 of file stream-tcp-private.h.
◆ StreamTcpIsSetStreamFlagAppProtoDetectionCompleted
| #define StreamTcpIsSetStreamFlagAppProtoDetectionCompleted | ( | stream | ) | ((stream)->flags & STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) |
Definition at line 302 of file stream-tcp-private.h.
◆ StreamTcpResetStreamFlagAppProtoDetectionCompleted
| #define StreamTcpResetStreamFlagAppProtoDetectionCompleted | ( | stream | ) | ((stream)->flags &= ~STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED); |
Definition at line 304 of file stream-tcp-private.h.
◆ StreamTcpSetEvent
| #define StreamTcpSetEvent | ( | p, | |
| e | |||
| ) |
Definition at line 271 of file stream-tcp-private.h.
◆ StreamTcpSetStreamFlagAppProtoDetectionCompleted
| #define StreamTcpSetStreamFlagAppProtoDetectionCompleted | ( | stream | ) | ((stream)->flags |= STREAMTCP_STREAM_FLAG_APPPROTO_DETECTION_COMPLETED) |
Definition at line 300 of file stream-tcp-private.h.
◆ TCP_SEG_LEN
| #define TCP_SEG_LEN | ( | seg | ) | (seg)->payload_len |
Definition at line 95 of file stream-tcp-private.h.
◆ TCP_SEG_OFFSET
| #define TCP_SEG_OFFSET | ( | seg | ) | (seg)->sbseg.stream_offset |
Definition at line 96 of file stream-tcp-private.h.
◆ TCPSEG_PKT_HDR_DEFAULT_SIZE
| #define TCPSEG_PKT_HDR_DEFAULT_SIZE 64 |
Definition at line 59 of file stream-tcp-private.h.
Typedef Documentation
◆ StreamTcpSackRecord
| typedef struct StreamTcpSackRecord StreamTcpSackRecord |
◆ TcpSegmentPcapHdrStorage
| typedef struct TcpSegmentPcapHdrStorage_ TcpSegmentPcapHdrStorage |
◆ TcpSession
| typedef struct TcpSession_ TcpSession |
◆ TcpStateQueue
| typedef struct TcpStateQueue_ TcpStateQueue |
Tracking SYNs and SYN/ACKs
◆ TcpStream
| typedef struct TcpStream_ TcpStream |
Enumeration Type Documentation
◆ TcpState
| enum TcpState |
| Enumerator | |
|---|---|
| TCP_NONE | |
| TCP_SYN_SENT | |
| TCP_SYN_RECV | |
| TCP_ESTABLISHED | |
| TCP_FIN_WAIT1 | |
| TCP_FIN_WAIT2 | |
| TCP_TIME_WAIT | |
| TCP_LAST_ACK | |
| TCP_CLOSE_WAIT | |
| TCP_CLOSING | |
| TCP_CLOSED | |
Definition at line 150 of file stream-tcp-private.h.
Function Documentation
◆ RB_ENTRY()
| __attribute__::RB_ENTRY | ( | TcpSegment | ) |
◆ RB_HEAD() [1/2]
| RB_HEAD | ( | TCPSACK | , |
| StreamTcpSackRecord | |||
| ) |
◆ RB_HEAD() [2/2]
| RB_HEAD | ( | TCPSEG | , |
| TcpSegment | |||
| ) |
◆ RB_PROTOTYPE() [1/2]
| RB_PROTOTYPE | ( | TCPSACK | , |
| StreamTcpSackRecord | , | ||
| rb | , | ||
| TcpSackCompare | |||
| ) |
◆ RB_PROTOTYPE() [2/2]
| RB_PROTOTYPE | ( | TCPSEG | , |
| TcpSegment | , | ||
| rb | , | ||
| TcpSegmentCompare | |||
| ) |
◆ TcpSackCompare()
| int TcpSackCompare | ( | struct StreamTcpSackRecord * | a, |
| struct StreamTcpSackRecord * | b | ||
| ) |
Definition at line 34 of file stream-tcp-sack.c.
References StreamTcpSackRecord::le, StreamTcpSackRecord::re, SEQ_EQ, SEQ_GT, and SEQ_LT.
◆ TcpSegmentCompare()
| int TcpSegmentCompare | ( | struct TcpSegment * | a, |
| struct TcpSegment * | b | ||
| ) |
compare function for the Segment tree
Main sort point is the sequence number. When sequence numbers are equal compare payload_len as well. This way the tree is sorted by seq, and in case of duplicate seqs we are sorted small to large.
Definition at line 51 of file stream-tcp-list.c.
References TcpSegment::payload_len, TcpSegment::seq, SEQ_GT, and SEQ_LT.
Variable Documentation
◆ payload_len
| uint16_t payload_len |
actual size of the payload
Definition at line 1 of file stream-tcp-private.h.
Referenced by DetectBase64DecodeDoMatch(), DetectByteExtractDoMatch(), DetectBytejumpDoMatch(), DetectByteMathDoMatch(), DetectBytetestDoMatch(), DetectPcrePayloadMatch(), StreamTcpCreateTestPacket(), UTHBuildPacket(), UTHBuildPacketIPV6Real(), UTHBuildPacketIPV6SrcDst(), UTHBuildPacketReal(), UTHBuildPacketSrcDst(), and UTHBuildPacketSrcDstPorts().
◆ pcap_hdr_storage
| TcpSegmentPcapHdrStorage* pcap_hdr_storage |
Definition at line 5 of file stream-tcp-private.h.
◆ pool_id
| PoolThreadId pool_id |
Definition at line 0 of file stream-tcp-private.h.
Referenced by StreamTcpSessionClear().
◆ sbseg
| StreamingBufferSegment sbseg |
Definition at line 4 of file stream-tcp-private.h.
◆ seq
| uint32_t seq |
Definition at line 2 of file stream-tcp-private.h.
Referenced by StreamTcpUTAddPayload(), StreamTcpUTAddSegmentWithByte(), and StreamTcpUTAddSegmentWithPayload().
