📄 decode.h
/* T/TCP connection-count option kinds (RFC 1644). Each value is defined here
 * only when an earlier header has not already supplied it. */
#if !defined(TCPOPT_CCNEW)
# define TCPOPT_CCNEW 12 /* CC.NEW */
#endif
#if !defined(TCPOPT_CCECHO)
# define TCPOPT_CCECHO 13 /* CC.ECHO */
#endif
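/*
 * EXTRACT_16BITS(p) / EXTRACT_32BITS(p): read a 16- or 32-bit value stored in
 * network byte order at address p and return it in host byte order.
 *
 * Neither macro checks bounds. The caller must already have verified that
 * 2 (respectively 4) bytes starting at p lie inside the captured data;
 * otherwise the read runs past the end of the packet buffer.
 *
 * p is typically an arbitrary offset into packet data, so it cannot be
 * assumed to be aligned. When WORDS_MUSTALIGN is set, both widths copy the
 * bytes into an aligned temporary first. Previously only the 32-bit form did
 * this, leaving the 16-bit form able to fault on an odd address.
 * The temporary-based forms rely on GNU statement expressions.
 */
#ifdef WORDS_MUSTALIGN
/* force word-aligned ntohs/ntohl parameter */
#define EXTRACT_16BITS(p) ({ u_short extract16_tmp_; memmove(&extract16_tmp_, (p), sizeof(u_short)); (u_short) ntohs(extract16_tmp_);})
#define EXTRACT_32BITS(p) ({ u_int32_t __tmp; memmove(&__tmp, (p), sizeof(u_int32_t)); (u_int32_t) ntohl(__tmp);})
#else
/* direct load through a cast pointer: allows an unaligned parameter, but
 * dies w/SIGBUS on SPARCs and other strict-alignment targets */
#define EXTRACT_16BITS(p) ((u_short) ntohs (*(u_short *)(p)))
#define EXTRACT_32BITS(p) ((u_int32_t) ntohl (*(u_int32_t *)(p)))
#endif /* WORDS_MUSTALIGN */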
/* D A T A S T R U C T U R E S *********************************************/
/* Start Token Ring Data Structures */
#ifdef WIN32 /* Uhm, We need this. -- Mike */
/* Token Ring LLC structure: DSAP, SSAP, a 3-byte protocol id and a 16-bit
 * ethertype.
 *
 * NOTE(review): five single-byte members precede the 16-bit ethertype and no
 * packing directive is visible here, so on typical ABIs the compiler places
 * one padding byte before ethertype (offset 6, sizeof 8). Confirm that this
 * offset is what the decoder expects when it overlays the struct on raw
 * packet bytes.
 * NOTE(review): ethertype is presumably still in network byte order when read
 * through this struct; convert before comparing.
 */
typedef struct _Trh_llc
{
u_int8_t dsap;
u_int8_t ssap;
u_int8_t protid[3];
u_int16_t ethertype;
} Trh_llc;
/* RIF (routing information field) structure
 * The Linux/tcpdump patch defines the tokenring header in a simple way; since
 * not every tokenring header will have RIF data, we define it separately, and
 * a bit more split up.
 *
 * The first 16 bits are bit-fields whose declaration order is swapped under
 * WORDS_BIGENDIAN. Bit-field layout on u_int16_t is implementation-defined,
 * so the mapping onto the wire depends on the compiler.
 *
 * NOTE(review): len is 5 bits wide (0..31 bytes, counting the 2-byte RC
 * itself) while rseg holds 8 entries (16 bytes). Code that walks rseg by len
 * must clamp to the array size and to the captured length, since len comes
 * straight from the packet.
 */
typedef struct _Trh_mr
{
#if defined(WORDS_BIGENDIAN)
u_int16_t bcast:3, len:5, dir:1, lf:3, res:4;
#else
u_int16_t len:5, /* length of RIF field, including RC itself
* (bytes) */
bcast:3, /* broadcast indicator */
res:4, /* reserved */
lf:3, /* largest frame size */
dir:1; /* direction */
#endif
u_int16_t rseg[8]; /* route segment entries */
} Trh_mr;
/* Fixed Token Ring MAC header: access control, frame control, then the two
 * TR_ALEN-byte addresses (TR_ALEN is defined outside this excerpt).
 * The original field comments had source and destination swapped; the member
 * names (daddr first, saddr second) are taken as authoritative here. */
typedef struct _Trh_hdr
{
u_int8_t ac; /* access control field */
u_int8_t fc; /* frame control field */
u_int8_t daddr[TR_ALEN]; /* dst address */
u_int8_t saddr[TR_ALEN]; /* src address */
} Trh_hdr;
#endif /* WIN32 */
/* End Token Ring Data Structures */
/* Start FDDI Data Structures */
/* FDDI header is always this: -worm5er
 * Frame control byte followed by the two FDDI_ALEN-byte addresses (FDDI_ALEN
 * is defined outside this excerpt). The original field comments had source
 * and destination swapped; the member names (daddr first, saddr second) are
 * taken as authoritative here. */
typedef struct _Fddi_hdr
{
u_int8_t fc; /* frame control field */
u_int8_t daddr[FDDI_ALEN]; /* dst address */
u_int8_t saddr[FDDI_ALEN]; /* src address */
} Fddi_hdr;
/* splitting the llc up because of variable lengths of the LLC -worm5er
 * This part holds only the two service access point bytes; what follows them
 * is described by one of the Fddi_llc_sna / _other / _iparp structs. */
typedef struct _Fddi_llc_saps
{
u_int8_t dsap; /* destination service access point */
u_int8_t ssap; /* source service access point */
} Fddi_llc_saps;
/* I've found sna frames have two additional bytes after the llc saps -worm5er
 * NOTE(review): this length is an empirical observation by the author, not a
 * parsed value; the decoder still has to check the captured length before
 * stepping over these bytes. */
typedef struct _Fddi_llc_sna
{
u_int8_t ctrl_fld[2]; /* two control bytes following the SAPs */
} Fddi_llc_sna;
/* I've also found other frames that seem to have only one byte... We're only
really interested in the IP data so, until we want other, I'm going to say
the data is one byte beyond this frame... -worm5er
NOTE(review): this is a heuristic fallback, so data located through it may
not be what the frame actually carries; treat the result as untrusted. */
typedef struct _Fddi_llc_other
{
u_int8_t ctrl_fld[1]; /* single control byte following the SAPs */
} Fddi_llc_other;
/* Just like TR the ip/arp data is setup as such: -worm5er
 * One control byte, a 3-byte protocol id and a 16-bit ethertype. The four
 * leading bytes put ethertype at an even offset (4), so no padding is needed
 * on typical ABIs.
 * NOTE(review): ethertype is presumably in network byte order when read
 * through this struct; convert before comparing. */
typedef struct _Fddi_llc_iparp
{
u_int8_t ctrl_fld;
u_int8_t protid[3];
u_int16_t ethertype;
} Fddi_llc_iparp;
/* End FDDI Data Structures */
/* Ethernet II header: 6-byte destination, 6-byte source, 16-bit type.
 * NOTE(review): ether_type is presumably left in network byte order when this
 * struct overlays packet bytes; convert with ntohs before comparing. */
typedef struct _EtherHdr
{
u_int8_t ether_dst[6]; /* destination MAC address */
u_int8_t ether_src[6]; /* source MAC address */
u_int16_t ether_type; /* protocol type of the encapsulated payload */
} EtherHdr;
/* IPv4 header without options. The version/header-length nibbles are
 * bit-fields whose declaration order is swapped under WORDS_BIGENDIAN.
 *
 * Every field here is attacker-controlled when the struct overlays a captured
 * packet. In particular ip_hlen (IHL, counted in 32-bit words per RFC 791)
 * and ip_len must be validated against each other and against the captured
 * length before they are used to locate options or the next header.
 * NOTE(review): the 16-bit fields are presumably in network byte order;
 * confirm where the decoder converts them. */
typedef struct _IPHdr
{
#if defined(WORDS_BIGENDIAN)
u_int8_t ip_ver:4, /* IP version */
ip_hlen:4; /* IP header length */
#else
u_int8_t ip_hlen:4, ip_ver:4;
#endif
u_int8_t ip_tos; /* type of service */
u_int16_t ip_len; /* datagram length */
u_int16_t ip_id; /* identification */
u_int16_t ip_off; /* fragment offset */
u_int8_t ip_ttl; /* time to live field */
u_int8_t ip_proto; /* datagram protocol */
u_int16_t ip_csum; /* checksum */
struct in_addr ip_src; /* source IP */
struct in_addr ip_dst; /* dest IP */
} IPHdr;
/* TCP header without options. The data-offset/unused nibbles are bit-fields
 * whose declaration order is swapped under WORDS_BIGENDIAN.
 *
 * th_off (data offset, counted in 32-bit words per RFC 793) comes from the
 * packet and determines where options end and payload begins. It must be
 * checked against the minimum header size and the remaining captured length
 * before use.
 * NOTE(review): multi-byte fields are presumably in network byte order;
 * confirm where the decoder converts them. */
typedef struct _TCPHdr
{
u_int16_t th_sport; /* source port */
u_int16_t th_dport; /* destination port */
u_int32_t th_seq; /* sequence number */
u_int32_t th_ack; /* acknowledgement number */
#ifdef WORDS_BIGENDIAN
u_int8_t th_off:4, /* data offset */
th_x2:4; /* (unused) */
#else
u_int8_t th_x2:4, th_off:4;
#endif
u_int8_t th_flags; /* control flag bits */
u_int16_t th_win; /* window */
u_int16_t th_sum; /* checksum */
u_int16_t th_urp; /* urgent pointer */
} TCPHdr;
/* UDP header: four 16-bit fields, 8 bytes in total.
 * uh_len is supplied by the sender; it must not be trusted over the captured
 * length when computing the payload size.
 * NOTE(review): fields are presumably in network byte order. */
typedef struct _UDPHdr
{
u_int16_t uh_sport; /* source port */
u_int16_t uh_dport; /* destination port */
u_int16_t uh_len; /* length field from the datagram */
u_int16_t uh_chk; /* checksum */
} UDPHdr;
/* Common leading part of an ICMP message: type, code, checksum. Any
 * type-specific data that follows is not described by this struct. */
typedef struct _ICMPHdr
{
u_int8_t type; /* ICMP message type */
u_int8_t code; /* ICMP message code */
u_int16_t csum; /* checksum */
} ICMPHdr;
/* ICMP echo extension: the identifier and sequence number pair. Packet.ext
 * points at one of these. */
typedef struct _echoext
{
u_int16_t id; /* echo identifier */
u_int16_t seqno; /* echo sequence number */
} echoext;
/* Fixed-size leading part of an ARP message.
 * ar_hln and ar_pln are taken from the packet. EtherARP below hard-codes 6
 * and 4 byte addresses, so a decoder overlaying EtherARP should confirm the
 * packet actually declares those lengths (or at least that enough bytes were
 * captured) before reading the address fields. */
typedef struct _ARPHdr
{
u_int16_t ar_hrd; /* format of hardware address */
u_int16_t ar_pro; /* format of protocol address */
u_int8_t ar_hln; /* length of hardware address */
u_int8_t ar_pln; /* length of protocol address */
u_int16_t ar_op; /* ARP opcode (command) */
} ARPHdr;
/* ARP message for Ethernet hardware addresses (6 bytes) and 4-byte protocol
 * addresses: the fixed ARPHdr followed by sender and target address pairs.
 * The address fields are byte arrays, so they carry no alignment requirement
 * of their own. */
typedef struct _EtherARP
{
ARPHdr ea_hdr; /* fixed-size header */
u_int8_t arp_sha[6]; /* sender hardware address */
u_int8_t arp_spa[4]; /* sender protocol address */
u_int8_t arp_tha[6]; /* target hardware address */
u_int8_t arp_tpa[4]; /* target protocol address */
} EtherARP;
/* One decoded IP or TCP option, as stored in Packet.ip_options and
 * Packet.tcp_options.
 * NOTE(review): data presumably points into the raw packet buffer rather than
 * owning a copy; confirm ownership and lifetime in the option decoders.
 * NOTE(review): len is derived from packet contents, so consumers should not
 * assume that len bytes at data are all inside the captured packet unless the
 * decoder guarantees it. */
typedef struct _Options
{
u_int8_t code; /* option kind/type byte */
u_int32_t len; /* option length */
u_int8_t *data; /* option data */
} Options;
/* Decoded view of one captured packet: the pcap header, a pointer to the raw
 * bytes, per-layer header pointers, and fields extracted for convenience.
 *
 * NOTE(review): the header pointers presumably alias the buffer behind pkt
 * and are only meaningful for layers that were actually decoded; consumers
 * should NULL-check them. Confirm that the decoders reset the struct for each
 * packet so stale pointers are not carried over.
 *
 * ip_options and tcp_options each hold 40 entries. The matching *_option_count
 * fields are 32 bits wide, so the option decoders must stop at 40 entries
 * themselves; nothing in this struct enforces it.
 */
typedef struct _Packet
{
struct pcap_pkthdr *pkth; /* BPF data */
u_int8_t *pkt; /* base pointer to the raw packet data */
Fddi_hdr *fddihdr; /* FDDI support headers */
Fddi_llc_saps *fddisaps;
Fddi_llc_sna *fddisna;
Fddi_llc_iparp *fddiiparp;
Fddi_llc_other *fddiother;
Trh_hdr *trh; /* Token Ring support headers */
Trh_llc *trhllc;
Trh_mr *trhmr;
EtherHdr *eh; /* standard TCP/IP/Ethernet/ARP headers */
EtherARP *ah;
IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH family */
TCPHdr *tcph, *orig_tcph;
UDPHdr *udph, *orig_udph;
ICMPHdr *icmph, *orig_icmph;
echoext *ext; /* ICMP echo extension struct */
u_int8_t *data; /* packet payload pointer */
u_int16_t dsize; /* packet payload size; 16 bits, unlike the 32-bit caplen */
u_int8_t frag_flag; /* flag to indicate a fragmented packet */
u_int16_t frag_offset; /* fragment offset number */
u_int8_t mf; /* more fragments flag */
u_int8_t df; /* don't fragment flag */
u_int8_t rf; /* IP reserved bit */
u_int16_t sp; /* source port (TCP/UDP) */
u_int16_t dp; /* dest port (TCP/UDP) */
u_int16_t orig_sp; /* source port (TCP/UDP) of original datagram */
u_int16_t orig_dp; /* dest port (TCP/UDP) of original datagram */
u_int32_t caplen; /* presumably the captured length of this packet - confirm */
Options ip_options[40]; /* ip options decode structure */
u_int32_t ip_option_count; /* number of options in this packet */
u_char ip_lastopt_bad; /* flag to indicate that option decoding was
halted due to a bad option */
Options tcp_options[40]; /* tcp options decode struct */
u_int32_t tcp_option_count; /* number of TCP options decoded */
u_char tcp_lastopt_bad; /* flag to indicate that option decoding was
halted due to a bad option */
u_int8_t csum_flags; /* checksum flags */
} Packet;
/* This struct is for the alert socket code: one fixed-size record holding the
 * alert text, the pcap header, offsets of each layer, and a copy of the
 * packet bytes.
 *
 * alertmsg and pkt are fixed-size arrays (256 and SNAPLEN bytes), so the
 * writer has to truncate to fit.
 * NOTE(review): confirm that the producer NUL-terminates alertmsg and copies
 * no more than SNAPLEN bytes into pkt.
 * NOTE(review): a process reading these records from the socket should treat
 * dlthdr/nethdr/transhdr/data as untrusted offsets and range-check them
 * against the captured length and SNAPLEN before indexing pkt.
 *
 * NOPACKET_STRUCT and NO_TRANSHDR are bit values for val. They are defined
 * inside the struct body for proximity only; as preprocessor macros they are
 * visible from this point on in any file that includes this header.
 */
typedef struct _Alertpkt
{
u_int8_t alertmsg[256]; /* alert text, fixed 256-byte buffer */
struct pcap_pkthdr pkth;
u_int32_t dlthdr; /* datalink header offset. (ethernet, etc.. ) */
u_int32_t nethdr; /* network header offset. (ip etc...) */
u_int32_t transhdr; /* transport header offset (tcp/udp/icmp ..) */
u_int32_t data; /* presumably the payload offset - confirm against the writer */
u_int32_t val; /* which fields are valid. (NULL could be
* valid also)
*/
/* Packet struct --> was null */
#define NOPACKET_STRUCT 0x1
/* no transport headers in packet */
#define NO_TRANSHDR 0x2
u_int8_t pkt[SNAPLEN];
} Alertpkt;
/* P R O T O T Y P E S ******************************************************/
/* Link-layer entry points, one per datalink type. Each takes the Packet to
 * fill in, the pcap header for the capture, and the raw packet bytes. */
void DecodeTRPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeFDDIPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeEthPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodePppPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeSlipPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeNullPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeRawPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeI4LRawIPPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
void DecodeI4LCiscoIPPkt(Packet *, struct pcap_pkthdr *, u_int8_t *);
/* Network- and transport-layer decoders.
 * NOTE(review): the u_int8_t * is presumably the start of the layer being
 * decoded and the u_int32_t the number of bytes remaining from that point.
 * Confirm against the definitions; every decoder must bound its reads by
 * that length. The WIN32 variants differ only in a top-level const on the
 * length, which does not change the function type. */
#ifndef WIN32
void DecodeIP(u_int8_t *, u_int32_t, Packet *);
#else
void DecodeIP(u_int8_t *, const u_int32_t, Packet *);
#endif
void DecodeARP(u_int8_t *, u_int32_t, Packet *);
/* DecodeIPV6 and DecodeIPX take no Packet *, so they have nowhere to record
 * decoded fields for later stages. */
void DecodeIPV6(u_int8_t *, u_int32_t);
void DecodeIPX(u_int8_t *, u_int32_t);
#ifndef WIN32
void DecodeTCP(u_int8_t *, u_int32_t, Packet *);
void DecodeUDP(u_int8_t *, u_int32_t, Packet *);
void DecodeICMP(u_int8_t *, u_int32_t, Packet *);
#else
void DecodeTCP(u_int8_t *, const u_int32_t, Packet *);
void DecodeUDP(u_int8_t *, const u_int32_t, Packet *);
void DecodeICMP(u_int8_t *, const u_int32_t, Packet *);
#endif
/* Option decoders; these fill Packet.ip_options / Packet.tcp_options, which
 * hold 40 entries each. */
void DecodeIPOptions(u_int8_t *, u_int32_t, Packet *);
void DecodeTCPOptions(u_int8_t *, u_int32_t, Packet *);
/* NOTE(review): duplicate of the DecodeIPOptions declaration two lines up;
 * harmless to the compiler, can be dropped. */
void DecodeIPOptions(u_int8_t *, u_int32_t, Packet *);
#endif /* __DECODE_H__ */