
snort_packet

  1. struct _SFsnortpkt — field-by-field notes on Snort's decoded packet structure; the typedefs each field refers to are reproduced beneath the field in question
  2.  
  3. 1. SFDAQ_PktHdr_t *pkt_header // DAQ: Data Acquisition layer header (typedef below). Note the type is spelled SFDAQ_PktHdr_t, matching the typedef; the earlier spelling SFDAQ_pktheader_t does not exist.
  4.  
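  /*
   * Per-packet header handed to Snort by the DAQ (Data Acquisition) layer.
   *
   * The alias SFDAQ_PktHdr_t must be declared AFTER the struct it aliases;
   * the original notes put the alias first, which does not compile
   * ("unknown type name DAQ_PktHdr_t").
   */
  typedef struct _daq_pkthdr
  {
      struct timeval ts;     /* capture timestamp */
      uint32_t caplen;       /* bytes actually captured and present in the buffer */
      uint32_t pktlen;       /* length of the packet on the wire; can exceed caplen
                              * when the capture was truncated, so every decoder
                              * must bound its reads by caplen, never by pktlen */
      int32_t ingress_index; /* index of the inbound interface */
      int32_t egress_index;  /* index of the outbound interface */
      int32_t ingress_group; /* index of the inbound group */
      int32_t egress_group;  /* index of the outbound group */
      uint32_t flags;        /* DAQ_PKT_FLAG_* bits */
      uint32_t opaque;       /* opaque context value from the DAQ module or the
                              * underlying hardware; directly related to the
                              * opaque value in FlowStats */
      void *priv_ptr;        /* private data pointer (DAQ-internal; do not interpret) */
  } DAQ_PktHdr_t;

  /* Snort-side name for the DAQ packet header. */
  typedef DAQ_PktHdr_t SFDAQ_PktHdr_t;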
  22.  
  23. 2. pkt_data : the raw captured packet bytes (presumably `const uint8_t *`, not an `int` — the original "length of packet" description looks wrong; the number of valid bytes is pkt_header->caplen). TODO confirm against the Snort header.
  24.  
  25. 3. eth_arp_header : Ethernet ARP header. ARP (Address Resolution Protocol) maps IPv4 addresses to link-layer (MAC) addresses. ARP is unauthenticated, so nothing in this header can be trusted.
  26.  
  27. 4. const EtherHeader *ether_header;
  28.  
  29.  
  /*
   * 14-byte Ethernet II frame header.
   * ethernet_type is presumably read straight from the wire, i.e. in network
   * byte order — convert with ntohs() before comparing with EtherType
   * constants (confirm).
   */
  typedef struct _EtherHeader
  {
      uint8_t  ether_destination[6]; /* destination MAC address */
      uint8_t  ether_source[6];      /* source MAC address */
      uint16_t ethernet_type;        /* EtherType (or length, for 802.3 frames) */
  } EtherHeader;
  37.  
  38. 5. const VlanHeader *vlan_tag_header;
  39.  
  /*
   * 4-byte 802.1Q VLAN tag that follows the Ethernet header.
   * vth_pri_cfi_vlan packs the tag control information: 3-bit priority,
   * 1-bit CFI, 12-bit VLAN id (inferred from the name; presumably in
   * network byte order — confirm).
   */
  typedef struct _VlanHeader
  {
      uint16_t vth_pri_cfi_vlan; /* priority / CFI / VLAN id */
      uint16_t vth_proto;        /* encapsulated protocol (EtherType) */
  } VlanHeader;
  46.  
  47. 6. void *ether_header_llc;
  48.  
  49. LLC: Logical Link Control, the upper sublayer of the data link layer (OSI layer 2). The LLC sublayer provides multiplexing mechanisms that make it possible for several network protocols to coexist within a multipoint network and to be transported over the same network medium.
  50.  
  51. 7. void *ether_header_other;
  52.  
  53. 8. const void *ppp_over_ether_header;
  54.  
  55. PPP (Point-to-Point Protocol): a link-layer protocol for a direct connection between two nodes. This field covers PPPoE, where PPP frames are carried inside Ethernet frames.
  56.  
  57. 9. const void *gre_header;
  58. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an Internet Protocol network.
  59.  
  60. 10. uint32_t *mpls;
  61.  
  62. Multiprotocol Label Switching (MPLS) is a mechanism in high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.
  63.  
  64. 11. const CiscoMetaHdr *cmdh; /* Cisco Metadata Header */
  65.  
  /*
   * Cisco Metadata (CMD) header.
   * Both bytes come from the packet: the decoder should reject version != 1
   * and check that length * 8 fits inside the captured bytes before walking
   * the options that follow — otherwise a crafted length walks off the
   * buffer.
   */
  typedef struct _CiscoMetaHdr
  {
      uint8_t version; /* must be 1 */
      uint8_t length;  /* header size in bytes, divided by 8 */
  } CiscoMetaHdr;
  71.  
  72. 12.13.14.
  73. const IPV4Header *ip4_header, *orig_ip4_header;
  74. const IPV4Header *inner_ip4_header; // for IP-in-IP tunnelling: the encapsulated (inner) header; outer_ip4_header below is the encapsulating one
  75. const IPV4Header *outer_ip4_header;
  76.  
  77.  
  /*
   * 20-byte IPv4 header without options, in wire layout.
   * Multi-byte fields are presumably in network byte order (confirm).
   * Before trusting anything here the decoder should check that the IHL
   * (low nibble of version_headerlength, in 32-bit words) is >= 5 and that
   * IHL * 4 does not exceed the captured length, since options follow.
   */
  typedef struct _IPV4Header
  {
      uint8_t version_headerlength; /* high nibble: version (4); low nibble: IHL in 32-bit words */
      uint8_t type_service;         /* TOS / DSCP+ECN */
      uint16_t data_length;         /* at this offset the wire field is Total Length
                                     * (header + payload), despite the name */
      uint16_t identifier;          /* fragment identification */
      uint16_t offset;              /* flags (3 bits) + fragment offset (13 bits) */
      uint8_t time_to_live;         /* TTL */
      uint8_t proto;                /* upper-layer protocol number */
      uint16_t checksum;            /* header checksum */
      struct in_addr source;        /* source address */
      struct in_addr destination;   /* destination address */
  } IPV4Header;
  91.  
  92. 15. const TCPHeader *tcp_header, *orig_tcp_header;
  93.  
  94. Transmission Control Protocol
  /*
   * 20-byte TCP header without options, in wire layout.
   * The data offset lives in the high nibble of offset_reserved (in 32-bit
   * words); the decoder should require it to be >= 5 and offset * 4 to fit
   * within the segment before reading options.
   */
  typedef struct _TCPHeader
  {
      uint16_t source_port;      /* source port */
      uint16_t destination_port; /* destination port */
      uint32_t sequence;         /* sequence number */
      uint32_t acknowledgement;  /* acknowledgement number */
      uint8_t offset_reserved;   /* data offset (high nibble) + reserved bits */
      uint8_t flags;             /* control flags (SYN, ACK, FIN, ...) */
      uint16_t window;           /* receive window */
      uint16_t checksum;         /* checksum over pseudo-header, header and data */
      uint16_t urgent_pointer;   /* urgent pointer */
  } TCPHeader;
  107.  
  108. 16.17.18.
  109. User Datagram Protocol
  110. const UDPHeader *udp_header, *orig_udp_header;
  111. const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
  112. const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
  113.  
  /*
   * 8-byte UDP header, in wire layout.
   * data_length is the UDP length field, which on the wire counts the
   * header as well as the payload; values below 8, or larger than the
   * bytes actually captured, should be rejected rather than trusted.
   */
  typedef struct _UDPHeader
  {
      uint16_t source_port;      /* source port */
      uint16_t destination_port; /* destination port */
      uint16_t data_length;      /* length field (header + payload) */
      uint16_t checksum;         /* checksum; zero means "not computed" for IPv4 */
  } UDPHeader;
  121.  
  122. ??19. const ICMPHeader *icmp_header, *orig_icmp_header;
  123.  
  124. Internet Control Message Protocol
  125.  
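  /*
   * ICMPv4 header: a fixed 4-byte prefix followed by a 4-byte field whose
   * meaning depends on type/code, modelled as a union.
   *
   * The original notes dropped the closing "} ICMPHeader;" of the outer
   * struct, leaving the typedef unterminated; it is restored here.
   * ICMPSequenceID is declared elsewhere in the Snort headers.
   */
  typedef struct _ICMPHeader
  {
      uint8_t type;      /* ICMP message type */
      uint8_t code;      /* sub-type / code */
      uint16_t checksum; /* checksum over header and data */

      union
      {
          /* type 12 (parameter problem): offset of the offending byte */
          uint8_t parameter_problem_ptr;

          /* type 5 (redirect): gateway to use instead */
          struct in_addr gateway_addr;

          /* type 8 / 0 (echo request / reply) */
          ICMPSequenceID echo;

          /* type 13 / 14 (timestamp request / reply) */
          ICMPSequenceID timestamp;

          /* type 15 / 16 (information request / reply) */
          ICMPSequenceID info;

          /* raw 32-bit view of the field */
          int voidInfo;

          /* type 3 / code 4 (fragmentation needed; Path MTU, RFC 1191) */
          struct path_mtu
          {
              uint16_t voidInfo; /* unused */
              uint16_t next_mtu; /* MTU of the next-hop network */
          } path_mtu;

          /* type 9 (router advertisement) */
          struct router_advertisement
          {
              uint8_t number_addrs; /* number of router addresses that follow */
              uint8_t entry_size;   /* size of each address entry */
              uint16_t lifetime;    /* how long the addresses stay valid */
          } router_advertisement;
      } icmp_header_union;
  } ICMPHeader;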
  166.  
  167.  
  168. 20.21.22
  169. const uint8_t *payload;
  170. const uint8_t *ip_payload;
  171. const uint8_t *outer_ip_payload;
  172.  
  173. 23.24
  174. ?????
  175. void *stream_session; //streaming layer??
  176. void *fragmentation_tracking_ptr;
  177.  
  178. 25.IP4Hdr *ip4h, *orig_ip4h;
  179.  
  /*
   * Snort's internal IPv4 header view. Unlike IPV4Header it does not store
   * the addresses inline: ip_addrs points to a separate IPAddresses object
   * (declared elsewhere in the Snort headers).
   */
  typedef struct _IPv4Hdr
  {
      uint8_t ip_verhl;       /* version (high nibble) and header length (low nibble, 32-bit words) */
      uint8_t ip_tos;         /* type of service */
      uint16_t ip_len;        /* datagram length */
      uint16_t ip_id;         /* identification */
      uint16_t ip_off;        /* flags and fragment offset */
      uint8_t ip_ttl;         /* time to live */
      uint8_t ip_proto;       /* upper-layer protocol number */
      uint16_t ip_csum;       /* header checksum */
      IPAddresses* ip_addrs;  /* source and destination addresses, stored out of line */
  } IP4Hdr;
  192.  
  193. 26. IP6Hdr *ip6h, *orig_ip6h;
  /*
   * Snort's internal IPv6 header view. As with IP4Hdr the addresses live
   * out of line in an IPAddresses object (declared elsewhere); compare
   * IP6RawHdr further down, which keeps the in6_addr fields inline.
   */
  typedef struct _IPv6Hdr
  {
      uint32_t vcl;           /* version, traffic class and flow label */
      uint16_t len;           /* payload length */
      uint8_t next;           /* next header: same numbering as the IPv4
                               * protocol field, plus the IPv6 extension
                               * header values */
      uint8_t hop_lmt;        /* hop limit */
      IPAddresses* ip_addrs;  /* source and destination addresses, stored out of line */
  } IP6Hdr;
  204.  
  205. 27. ICMP6Hdr *icmp6h, *orig_icmp6h;
  206.  
  /*
   * Fixed 4-byte ICMPv6 header prefix; the type-specific body is not
   * modelled here.
   */
  typedef struct _ICMP6
  {
      uint8_t type;  /* ICMPv6 message type */
      uint8_t code;  /* sub-type / code */
      uint16_t csum; /* checksum */
  } ICMP6Hdr;
  214.  
  215. 28.29.30.31
  216. ??????????????????
  217. IPH_API* iph_api;
  218. IPH_API* orig_iph_api;
  219. IPH_API* outer_iph_api;
  220. IPH_API* outer_orig_iph_api;
  221.  
  222. 32.33.34.
  223. ???
  224. int family;
  225. int orig_family;
  226. int outer_family;
  227.  
  228. 35. PreprocEnableMask preprocessor_bit_mask;
  229.  
  230. 36. uint32_t flags;
  231. uint32_t xtradata_mask;
  232.  
  233. uint16_t proto_bits;
  234.  
  235. 39. uint16_t payload_size;
  236. uint16_t ip_payload_size;
  237. uint16_t normalized_payload_size;
  238. uint16_t actual_ip_length;
  239. uint16_t outer_ip_payload_size;
  240.  
  241. uint16_t ip_fragment_offset;
  242. uint16_t ip_frag_length;
  243. uint16_t ip4_options_length;
  244. uint16_t tcp_options_length;
  245.  
  246. uint16_t src_port;
  247. uint16_t dst_port;
  248. uint16_t orig_src_port;
  249. uint16_t orig_dst_port;
  250.  
  251. ??52. int16_t application_protocol_ordinal;
  252.  
  253. 53. :/
  254. uint8_t ip_fragmented;
  255. uint8_t ip_more_fragments;
  256. uint8_t ip_dont_fragment;
  257. uint8_t ip_reserved;
  258. uint8_t num_ip_options;
  259. uint8_t num_tcp_options;
  260. uint8_t num_ip6_extensions;
  261. uint8_t ip6_frag_extension;
  262.  
  263. uint8_t invalid_flags;
  264. uint8_t encapsulated;
  265. uint8_t GTPencapsulated;
  266. uint8_t next_layer_index;
  267.  
  268. 66.
  269. #ifndef NO_NON_ETHER_DECODER
  270. const void *fddi_header;
  271. void *fddi_saps;
  272. void *fddi_sna;
  273. void *fddi_iparp;
  274. void *fddi_other;
  275.  
  276. const void *tokenring_header;
  277. void *tokenring_header_llc;
  278. void *tokenring_header_mr;
  279.  
  280. void *pflog1_header;
  281. void *pflog2_header;
  282. void *pflog3_header;
  283. void *pflog4_header;
  284.  
  285. #ifdef DLT_LINUX_SLL
  286. const void *sll_header;
  287. #endif
  288. #ifdef DLT_IEEE802_11
  289. const void *wifi_header;
  290. #endif
  291. const void *ether_eapol_header;
  292. const void *eapol_headear;
  293. const uint8_t *eapol_type;
  294. void *eapol_key;
  295. #endif
  296.  
  297. 101. IPOptions ip_options[MAX_IP_OPTIONS];
  298. TCPOptions tcp_options[MAX_TCP_OPTIONS];
  299.  
  /*
   * One parsed IPv4 option. length and option_data come straight from the
   * packet, so the decoder must have verified that option_data + length
   * stays inside the IP header (IHL * 4) before this entry is used.
   */
  typedef struct _IPOptions
  {
      uint8_t option_code; /* option type byte */
      uint8_t length;      /* option length as carried in the packet */
      uint8_t *option_data; /* pointer to the option bytes within the packet buffer */
  } IPOptions;
  306.  
  307. 103. IP6Extension *ip6_extensions;
  308.  
  /*
   * One parsed IPv6 extension header. Only the type and a pointer into the
   * packet are kept; no length is stored here, so the consumer must derive
   * the bound from the packet itself.
   */
  typedef struct _IPv6Extension
  {
      uint8_t option_type;        /* extension header type */
      const uint8_t *option_data; /* pointer to the extension header within the packet buffer */
  } IP6Extension;
  314.  
  315. 104. CiscoMetaOpt *cmd_options; /* Cisco Metadata header options */
  316.  
  /*
   * One Cisco Metadata option. Both halves are packet-supplied: a type
   * other than 1, or a length that runs past the size the CiscoMetaHdr
   * declared, should stop option parsing.
   */
  typedef struct _CiscoMetaOpt
  {
      uint16_t opt_len_type; /* 3-bit length + 13-bit type; length 0 means 4 bytes, type must be 1 */
      uint16_t sgt;          /* security group tag; any value except 0xFFFF */
  } CiscoMetaOpt;
  322.  
  323. 105.
  324. ?????
  325. const uint8_t *ip_frag_start;
  326. const uint8_t *ip4_options_data;
  327. const uint8_t *tcp_options_data;
  328.  
  329. 108. const IP6RawHdr* raw_ip6_header;
  330.  
  /*
   * 40-byte IPv6 base header exactly as it appears on the wire, addresses
   * inline. payload_len should be checked against the captured length
   * before extension headers or payload are walked.
   */
  typedef struct _IP6RawHdr
  {
      uint32_t vcl;            /* version, traffic class and flow label */
      uint16_t payload_len;    /* payload length (everything after this 40-byte header) */
      uint8_t next_header;     /* same values as the IPv4 protocol field, plus the IPv6 extension header values */
      uint8_t hop_limit;       /* same role as the IPv4 TTL */
      struct in6_addr src_addr; /* source address */
      struct in6_addr dst_addr; /* destination address */
  } IP6RawHdr;
  341.  
  342. 109. ProtoLayer proto_layers[MAX_PROTO_LAYERS];
  343.  
  /*
   * One entry of the per-packet protocol layer stack (proto_layers[]).
   * PROTO_ID is declared elsewhere in the Snort headers.
   */
  typedef struct {
      PROTO_ID proto_id;     /* protocol of this layer */
      uint16_t proto_length; /* length of this layer in bytes, presumably — confirm */
      uint8_t* proto_start;  /* first byte of this layer within the packet buffer */
  } ProtoLayer;