📄 decode.h
u_int8_t dsap;
u_int8_t ssap;
u_int8_t protid[3];
u_int16_t ethertype;
} Trh_llc;
/* RIF structure
* Linux/tcpdump patch defines tokenring header in a dumb way, since not
* every tokenring header will have RIF data... we define it separately, and
* a bit more split up
*/
/*
 * Token Ring routing information field (RIF): one 16-bit routing-control
 * word split into bit-fields, followed by eight 16-bit route segment slots.
 * NOTE(review): bit-field allocation order is implementation-defined; the
 * two layouts below are chosen by WORDS_BIGENDIAN alone, so confirm they
 * match the target compiler before trusting the decoded values.
 */
typedef struct _Trh_mr
{
#if defined(WORDS_BIGENDIAN)
u_int16_t bcast:3, /* broadcast indicator */
len:5, /* length of RIF field, including RC itself (bytes) */
dir:1, /* direction */
lf:3, /* largest frame size */
res:4; /* reserved */
#else
u_int16_t len:5,/* length of RIF field, including RC itself (bytes) */
bcast:3, /* broadcast indicator */
res:4, /* reserved */
lf:3, /* largest frame size */
dir:1; /* direction */
#endif
/* Eight slots = 16 bytes, 18 with the control word. len is 5 bits wide, so
 * a frame can claim up to 31 bytes of RIF: a decoder should skip the RIF by
 * a len it has checked against the captured length, not by sizeof(Trh_mr). */
u_int16_t rseg[8];
} Trh_mr;
/*
 * Fixed part of the Token Ring MAC header: access control, frame control,
 * then the destination and source addresses (TR_ALEN bytes each; TR_ALEN is
 * defined outside this excerpt).
 */
typedef struct _Trh_hdr
{
u_int8_t ac; /* access control field */
u_int8_t fc; /* frame control field */
u_int8_t daddr[TR_ALEN]; /* destination address (comes first on the wire) */
u_int8_t saddr[TR_ALEN]; /* source address */
} Trh_hdr;
#endif /* WIN32 */
/* End Token Ring Data Structures */
/* Start FDDI Data Structures */
/* FDDI header is always this: -worm5er */
/*
 * Fixed FDDI MAC header: frame control followed by the destination and
 * source addresses (FDDI_ALEN bytes each; FDDI_ALEN is defined outside this
 * excerpt).
 */
typedef struct _Fddi_hdr
{
u_int8_t fc; /* frame control field */
u_int8_t daddr[FDDI_ALEN]; /* destination address (comes first on the wire) */
u_int8_t saddr[FDDI_ALEN]; /* source address */
} Fddi_hdr;
/* splitting the llc up because of variable lengths of the LLC -worm5er */
/* First two bytes of the LLC header that follows Fddi_hdr: the two SAP
 * values. Kept as its own struct because what follows them varies. */
typedef struct _Fddi_llc_saps
{
u_int8_t dsap; /* destination service access point */
u_int8_t ssap; /* source service access point */
} Fddi_llc_saps;
/* I've found sna frames have two additional bytes after the llc saps -worm5er */
/* LLC control field as observed on SNA frames: two bytes after the SAPs. */
typedef struct _Fddi_llc_sna
{
u_int8_t ctrl_fld[2]; /* two-byte control field */
} Fddi_llc_sna;
/* I've also found other frames that seem to have only one byte... We're only
really interested in the IP data so, until we want other, I'm going to say
the data is one byte beyond this frame... -worm5er */
/* Fallback LLC layout for frames that are neither SNA nor IP/ARP: a single
 * control byte, after which the payload is assumed to start.
 * NOTE(review): this is a heuristic from observed traffic, so a decoder
 * should still check that at least one byte remains before reading it. */
typedef struct _Fddi_llc_other
{
u_int8_t ctrl_fld[1]; /* one-byte control field */
} Fddi_llc_other;
/* Just like TR the ip/arp data is setup as such: -worm5er */
/* LLC/SNAP-style trailer used when the FDDI frame carries IP or ARP:
 * control byte, 3-byte protocol id, then the 16-bit ethertype. */
typedef struct _Fddi_llc_iparp
{
u_int8_t ctrl_fld; /* LLC control field */
u_int8_t protid[3]; /* protocol id (presumably the SNAP OUI -- confirm) */
u_int16_t ethertype; /* as captured; presumably network byte order, convert before comparing */
} Fddi_llc_iparp;
/* End FDDI Data Structures */
/* Ethernet II header: 6-byte destination, 6-byte source, 16-bit type
 * (14 bytes in total, so the next header starts at a 2-byte-aligned offset). */
typedef struct _EtherHdr
{
u_int8_t ether_dst[6]; /* destination MAC address */
u_int8_t ether_src[6]; /* source MAC address */
u_int16_t ether_type; /* as captured; presumably network byte order, convert before comparing */
} EtherHdr;
/*
 * IPv4 header without options (20 bytes).
 * NOTE(review): Packet.iph is a pointer of this type, so the struct is
 * presumably overlaid on raw capture bytes; every field is then
 * sender-controlled and multi-byte fields are in network byte order.
 * Before using it a decoder should check that 20 bytes were captured, that
 * ip_ver is 4, that ip_hlen is at least 5 (20 bytes) and that both the
 * header length and ip_len fit inside the captured data.
 */
typedef struct _IPHdr
{
#if defined(WORDS_BIGENDIAN)
u_int8_t ip_ver:4, /* IP version */
ip_hlen:4; /* IP header length */
#else
u_int8_t ip_hlen:4, ip_ver:4; /* same two nibbles, little-endian bit-field order */
#endif
u_int8_t ip_tos; /* type of service */
u_int16_t ip_len; /* datagram length */
u_int16_t ip_id; /* identification */
u_int16_t ip_off; /* fragment offset */
u_int8_t ip_ttl; /* time to live field */
u_int8_t ip_proto; /* datagram protocol */
u_int16_t ip_csum; /* checksum */
struct in_addr ip_src; /* source IP */
struct in_addr ip_dst; /* dest IP */
} IPHdr;
/*
 * TCP header without options (20 bytes).
 * NOTE(review): th_off comes from the sender; a decoder should reject
 * values below 5 (20 bytes) or reaching past the captured segment before it
 * walks the option bytes.
 */
typedef struct _TCPHdr
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
#ifdef WORDS_BIGENDIAN
u_int8_t th_off:4, /* data offset */
th_x2:4; /* (unused) */
#else
u_int8_t th_x2:4, th_off:4; /* same two nibbles, little-endian bit-field order */
#endif
u_int8_t th_flags; /* control flag bits */
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
} TCPHdr;
/*
 * UDP header (8 bytes).
 * NOTE(review): uh_len is sender-supplied; compare it with the captured
 * length rather than using it directly as a payload size.
 */
typedef struct _UDPHdr
{
u_int16_t uh_sport; /* source port */
u_int16_t uh_dport; /* destination port */
u_int16_t uh_len; /* length field from the header */
u_int16_t uh_chk; /* checksum */
} UDPHdr;
/*
 * ICMP header: fixed type/code/checksum, then two unions whose active
 * member depends on the message type. The ih_* macros below are shorthand
 * for the union members. They are ordinary preprocessor macros, so they are
 * not scoped to this struct: any identifier with one of these names in a
 * file that includes this header is rewritten as well.
 * NOTE(review): which union member is valid is decided by the
 * sender-supplied type field, and the members differ in size, so a decoder
 * should check the captured length for the chosen member before reading it.
 */
typedef struct _ICMPHdr
{
u_int8_t type; /* ICMP message type */
u_int8_t code; /* ICMP message code */
u_int16_t csum; /* checksum */
/* second 32-bit word of the header, interpreted per message type */
union {
u_char s_ih_pptr; /* ICMP_PARAMPROB */
struct in_addr ih_gwaddr; /* ICMP_REDIRECT */
struct s_ih_idseq {
u_int16_t icd_id;
u_int16_t icd_seq;
} s_ih_idseq;
int s_ih_void; /* NOTE(review): assumes int is 32 bits wide */
/* ICMP_UNREACH_NEEDFRAG -- Path MTU Discovery (RFC1191) */
struct s_ih_pmtu {
u_int16_t ipm_void;
u_int16_t ipm_nextmtu;
} s_ih_pmtu;
struct s_ih_rtradv {
u_char irt_num_addrs;
u_char irt_wpa;
u_int16_t irt_lifetime;
} s_ih_rtradv;
} s_icmp_hun;
#define ih_pptr s_icmp_hun.s_ih_pptr
#define ih_gwaddr s_icmp_hun.s_ih_gwaddr
#define ih_id s_icmp_hun.s_ih_idseq.icd_id
#define ih_seq s_icmp_hun.s_ih_idseq.icd_seq
#define ih_void s_icmp_hun.s_ih_void
#define ih_pmvoid s_icmp_hun.s_ih_pmtu.ipm_void
#define ih_nextmtu s_icmp_hun.s_ih_pmtu.ipm_nextmtu
#define ih_num_addrs s_icmp_hun.s_ih_rtradv.irt_num_addrs
#define ih_wpa s_icmp_hun.s_ih_rtradv.irt_wpa
#define ih_lifetime s_icmp_hun.s_ih_rtradv.irt_lifetime
/* message body, interpreted per message type */
union {
struct s_id_ts {
u_int32_t its_otime;
u_int32_t its_rtime;
u_int32_t its_ttime;
} s_id_ts;
struct s_id_ip {
/* Copy of the header quoted inside an ICMP message. It is as untrusted as
 * the outer header, so its length fields need their own validation. */
struct _IPHdr idi_ip;
/* options and then 64 bits of data */
} s_id_ip;
u_int32_t s_id_mask;
/* One-byte placeholder for a variable-length body; anything past index 0
 * lies outside the struct and is bounded only by the capture buffer. */
char s_id_data[1];
} s_icmp_dun;
#define ih_otime s_icmp_dun.s_id_ts.its_otime
#define ih_rtime s_icmp_dun.s_id_ts.its_rtime
#define ih_ttime s_icmp_dun.s_id_ts.its_ttime
#define ih_ip s_icmp_dun.s_id_ip.idi_ip
#define ih_mask s_icmp_dun.s_id_mask
#define ih_data s_icmp_dun.s_id_data
} ICMPHdr;
/* Fixed 8-byte ARP header; the address fields that follow are sized by
 * ar_hln and ar_pln, which come from the wire. */
typedef struct _ARPHdr
{
u_int16_t ar_hrd; /* format of hardware address */
u_int16_t ar_pro; /* format of protocol address */
u_int8_t ar_hln; /* length of hardware address */
u_int8_t ar_pln; /* length of protocol address */
u_int16_t ar_op; /* ARP opcode (command) */
} ARPHdr;
/*
 * ARP packet laid out for Ethernet hardware addresses (6 bytes) and IPv4
 * protocol addresses (4 bytes).
 * NOTE(review): the sizes are hard-coded here while ea_hdr.ar_hln and
 * ea_hdr.ar_pln are sender-supplied; a decoder should confirm they are 6
 * and 4 (and that the whole struct was captured) before reading the
 * address fields at these fixed offsets.
 */
typedef struct _EtherARP
{
ARPHdr ea_hdr; /* fixed-size header */
u_int8_t arp_sha[6]; /* sender hardware address */
u_int8_t arp_spa[4]; /* sender protocol address */
u_int8_t arp_tha[6]; /* target hardware address */
u_int8_t arp_tpa[4]; /* target protocol address */
} EtherARP;
/* One decoded IP or TCP option, as stored in Packet.ip_options and
 * Packet.tcp_options. */
typedef struct _Options
{
u_int8_t code; /* option code */
int len; /* option length; signed, so check for negative values before using it as a size */
u_char *data; /* option bytes; presumably points into the packet buffer rather than a copy -- confirm */
} Options;
/*
 * Per-packet decode state: the pcap header, the raw frame, one typed
 * pointer per protocol layer, and fields extracted from those layers.
 * NOTE(review): the layer pointers presumably reference bytes inside the
 * capture buffer, so they stay valid only as long as that buffer does, and
 * a pointer for a layer that was not decoded must not be dereferenced --
 * confirm how the decoders reset this struct between packets. Offsets in a
 * capture are not guaranteed to suit the struct types (the header after a
 * 14-byte Ethernet header is only 2-byte aligned), which matters on
 * strict-alignment CPUs.
 */
typedef struct _Packet
{
struct pcap_pkthdr *pkth; /* BPF data */
u_char *pkt; /* base pointer to the raw packet data */
Fddi_hdr *fddihdr; /* FDDI support headers */
Fddi_llc_saps *fddisaps;
Fddi_llc_sna *fddisna;
Fddi_llc_iparp *fddiiparp;
Fddi_llc_other *fddiother;
Trh_hdr *trh; /* Token Ring support headers */
Trh_llc *trhllc;
Trh_mr *trhmr;
EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
EtherARP *ah;
IPHdr *iph;
TCPHdr *tcph;
UDPHdr *udph;
ICMPHdr *icmph;
u_char *data; /* packet payload pointer */
u_int16_t dsize; /* packet payload size */
u_int8_t frag_flag; /* flag to indicate a fragmented packet */
u_int16_t frag_offset; /* fragment offset number */
u_char mf; /* more fragments flag */
u_char df; /* don't fragment flag */
u_int16_t sp; /* source port (TCP/UDP) */
u_int16_t dp; /* dest port (TCP/UDP) */
u_int32_t sip; /* source IP address; byte order not shown here -- confirm */
u_int32_t dip; /* dest IP address; byte order not shown here -- confirm */
int caplen; /* presumably the captured length of this packet -- confirm */
/* Both option tables hold 40 entries; the decoders that fill them must stop
 * at 40 whatever the packet's option area claims, and readers must not
 * index past the matching count. */
Options ip_options[40]; /* ip options decode structure */
int ip_option_count; /* number of options in this packet */
Options tcp_options[40]; /* tcp options decode struct */
int tcp_option_count; /* number of TCP options in this packet */
} Packet;
/* this struct is for the alert socket code.... */
/*
 * Alert record: a message, the pcap header, offsets of each decoded layer,
 * a validity bitmask and a copy of the packet bytes.
 * NOTE(review): alertmsg and pkt are fixed-size arrays, so whatever fills
 * them must bound the copy to 256 and SNAPLEN bytes. If the struct is
 * written out whole (the file describes it as being for the alert socket
 * code), unused array bytes and padding should be zeroed first so stale
 * memory is not disclosed, and the reader must share the writer's ABI
 * because long and struct pcap_pkthdr vary in size between platforms.
 */
typedef struct _Alertpkt
{
u_char alertmsg[256]; /* variable.. */
struct pcap_pkthdr pkth;
long dlthdr; /* datalink header offset. (ethernet, etc.. ) */
long nethdr; /* network header offset. (ip etc...) */
long transhdr; /* transport header offset (tcp/udp/icmp ..) */
long data; /* presumably the payload offset, like the three fields above -- confirm */
unsigned long val; /* which fields are valid. (NULL could be valids also) */
/* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
/* no transport headers in packet */
#define NO_TRANSHDR 0x2
u_char pkt[SNAPLEN]; /* packet bytes; SNAPLEN is defined outside this excerpt */
} Alertpkt;
/* P R O T O T Y P E S ******************************************************/
/* Link-layer entry points, one per datalink type. Each takes the Packet to
 * fill, the pcap header and the raw frame. */
void DecodeTRPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeFDDIPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeEthPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodePppPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeSlipPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeNullPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeRawPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeI4LRawIPPkt(Packet *, struct pcap_pkthdr *, u_char *);
void DecodeI4LCiscoIPPkt(Packet *, struct pcap_pkthdr *, u_char *);
/* Network- and transport-layer decoders. The int is presumably the number
 * of bytes available at the pointer (parameter names are omitted here); it
 * is signed, so callers should never pass a negative value and the decoders
 * should compare it with each header size before reading. */
void DecodeIP(u_char *, int, Packet *);
void DecodeARP(u_char *, int, Packet *);
/* DecodeIPV6 and DecodeIPX take no Packet pointer, unlike the others. */
void DecodeIPV6(u_char *, int);
void DecodeIPX(u_char *, int);
void DecodeTCP(u_char *, int, Packet *);
void DecodeUDP(u_char *, int, Packet *);
void DecodeICMP(u_char *, int, Packet *);
void DecodeIPOptions(u_char *, int, Packet *);
void DecodeTCPOptions(u_char *, int, Packet *);
/* NOTE(review): repeats the DecodeIPOptions declaration above; harmless but redundant. */
void DecodeIPOptions(u_char *, int, Packet *);
#endif /* __DECODE_H__ */