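    u_int8_t saddr[TR_ALEN];    /* source address (struct begins above this view) */
} Trh_hdr;
#endif /* WIN32 */
/* END Token Ring DATA STRUCTURES */

/* START FDDI DATA STRUCTURES */

/*
 * Every struct below is laid over the raw packet bytes by the decoder (see the
 * note on TCPHdr), so member order and width mirror the wire layout and no
 * member may be added or reordered.  Multi-byte fields are therefore still in
 * network byte order when read through these structs; callers are expected to
 * apply ntohs()/ntohl() themselves -- confirm against the decoder.
 */

/* FDDI header is always this: -worm5er */
typedef struct _Fddi_hdr
{
    u_int8_t fc;                /* frame control field */
    u_int8_t daddr[FDDI_ALEN];  /* destination address */
    u_int8_t saddr[FDDI_ALEN];  /* source address */
} Fddi_hdr;

/* splitting the llc up because of variable lengths of the LLC -worm5er */
typedef struct _Fddi_llc_saps
{
    u_int8_t dsap;
    u_int8_t ssap;
} Fddi_llc_saps;

/* I've found sna frames have two additional bytes after the llc saps -worm5er */
typedef struct _Fddi_llc_sna
{
    u_int8_t ctrl_fld[2];
} Fddi_llc_sna;

/* I've also found other frames that seem to have only one byte...  We're only
 * really interested in the IP data so, until we want other, I'm going to say
 * the data is one byte beyond this frame...  -worm5er */
typedef struct _Fddi_llc_other
{
    u_int8_t ctrl_fld[1];
} Fddi_llc_other;

/* Just like TR the ip/arp data is setup as such: -worm5er */
typedef struct _Fddi_llc_iparp
{
    u_int8_t ctrl_fld;
    u_int8_t protid[3];
    u_int16_t ethertype;
} Fddi_llc_iparp;

/* End FDDI Data Structures */

/*
 * 'Linux cooked captures' data
 * (taken from tcpdump source).
 */
#define SLL_HDR_LEN     16              /* total header length */
#define SLL_ADDRLEN     8               /* length of address field */

typedef struct _SLLHdr {
        u_int16_t       sll_pkttype;    /* packet type */
        u_int16_t       sll_hatype;     /* link-layer address type */
        u_int16_t       sll_halen;      /* link-layer address length */
        u_int8_t        sll_addr[SLL_ADDRLEN];  /* link-layer address */
        u_int16_t       sll_protocol;   /* protocol */
} SLLHdr;

/*
 * sll_pkttype values.
 */
#define LINUX_SLL_HOST          0
#define LINUX_SLL_BROADCAST     1
#define LINUX_SLL_MULTICAST     2
#define LINUX_SLL_OTHERHOST     3
#define LINUX_SLL_OUTGOING      4

/* sll_protocol values */
#define LINUX_SLL_P_802_3       0x0001  /* Novell 802.3 frames without 802.2 LLC header */
#define LINUX_SLL_P_802_2       0x0004  /* 802.2 frames (not D/I/X Ethernet) */

/*
 * 802.1Q tag.  NOTE(review): the order of bit-fields inside a storage unit
 * is implementation-defined, not just a function of endianness; this
 * WORDS_BIGENDIAN split is what the build has relied on so far, but shift/mask
 * accessors on the raw u_int16_t would be the portable form.
 */
typedef struct _VlanTagHdr
{
#if defined(WORDS_BIGENDIAN)
    u_int16_t vth_pri:3,    /* user priority */
              vth_cfi:1,    /* canonical format indicator */
              vth_vlan:12;  /* vlan number */
#else
    u_int16_t vth_vlan:12,  /* vlan number */
              vth_cfi:1,    /* canonical format indicator */
              vth_pri:3;    /* user priority */
#endif
    u_int16_t vth_proto;    /* protocol field... */
} VlanTagHdr;

/* ppp header structure */
struct ppp_header {
    unsigned char  address;
    unsigned char  control;
    unsigned short protocol;
};

#ifndef PPP_HDRLEN
    #define PPP_HDRLEN          (sizeof(struct ppp_header))
#endif

typedef struct _EthLlc
{
    u_int8_t dsap;
    u_int8_t ssap;
} EthLlc;

typedef struct _EthLlcOther
{
    u_int8_t ctrl;
    u_int8_t org_code[3];
    u_int16_t proto_id;
} EthLlcOther;

/*
 * Ethernet header
 */
typedef struct _EtherHdr
{
    u_int8_t ether_dst[6];
    u_int8_t ether_src[6];
    u_int16_t ether_type;
} EtherHdr;

/*
 * IP version / header length, both taken from the first header byte.
 * IP_HLEN() is in 32-bit words; the decoder must reject values below 5 and
 * check IP_HLEN()*4 against the bytes actually captured before it trusts
 * ip_len or walks the options area.
 */
#define IP_VER(iph)     (((iph)->ip_verhl & 0xf0) >> 4)
#define IP_HLEN(iph)    ((iph)->ip_verhl & 0x0f)

typedef struct _IPHdr
{
    u_int8_t  ip_verhl;     /* version & header length */
    u_int8_t  ip_tos;       /* type of service */
    u_int16_t ip_len;       /* datagram length */
    u_int16_t ip_id;        /* identification  */
    u_int16_t ip_off;       /* fragment offset */
    u_int8_t  ip_ttl;       /* time to live field */
    u_int8_t  ip_proto;     /* datagram protocol */
    u_int16_t ip_csum;      /* checksum */
    struct in_addr ip_src;  /* source IP */
    struct in_addr ip_dst;  /* dest IP */
} IPHdr;

/* TCP data offset (in 32-bit words) and the reserved nibble. */
#define TCP_OFFSET(tcph)    (((tcph)->th_offx2 & 0xf0) >> 4)
#define TCP_X2(tcph)        ((tcph)->th_offx2 & 0x0f)

/* Can't add any fields not in the real header here
   because of how the decoder uses structure overlaying */
typedef struct _TCPHdr
{
    u_int16_t th_sport;     /* source port */
    u_int16_t th_dport;     /* destination port */
    u_int32_t th_seq;       /* sequence number */
    u_int32_t th_ack;       /* acknowledgement number */
    u_int8_t  th_offx2;     /* offset and reserved */
    u_int8_t  th_flags;     /* tcp flags */
    u_int16_t th_win;       /* window */
    u_int16_t th_sum;       /* checksum */
    u_int16_t th_urp;       /* urgent pointer */
} TCPHdr;

typedef struct _UDPHdr
{
    u_int16_t uh_sport;
    u_int16_t uh_dport;
    u_int16_t uh_len;
    u_int16_t uh_chk;
} UDPHdr;

typedef struct _ICMPHdr
{
    u_int8_t icmp_type;
    u_int8_t icmp_code;
    u_int16_t icmp_csum;
    union
    {
        u_int8_t ih_pptr;               /* ICMP_PARAMPROB */
        u_int32_t ih_gwaddr;            /* ICMP_REDIRECT */
        struct ih_idseq
        {
            u_int16_t icd_id;
            u_int16_t icd_seq;
        } ih_idseq;
        u_int32_t ih_void;

        /* ICMP_UNREACH_NEEDFRAG -- Path MTU Discovery (RFC1191) */
        struct ih_pmtu {
            u_int16_t ipm_void;
            u_int16_t ipm_nextmtu;
        } ih_pmtu;

        struct ih_rtradv {
            u_int8_t irt_num_addrs;
            u_int8_t irt_wpa;
            u_int16_t irt_lifetime;
        } ih_rtradv;
    } icmp_hun;

    union
    {
        struct id_ts
        {
            u_int32_t its_otime;
            u_int32_t its_rtime;
            u_int32_t its_ttime;
        } id_ts;

        struct id_ip
        {
            IPHdr idi_ip;
            /* options and then 64 bits of data */
        } id_ip;

        struct icmp_ra_addr
        {
            u_int32_t ira_addr;
            u_int32_t ira_preference;
        } id_radv;

        u_int32_t id_mask;

        /* One-byte placeholder for the trailing payload; a real flexible
         * array member is not allowed inside a union. */
        char    id_data[1];
    } icmp_dun;
} ICMPHdr;

#define icmp_pptr       icmp_hun.ih_pptr
#define icmp_gwaddr     icmp_hun.ih_gwaddr
#define icmp_id         icmp_hun.ih_idseq.icd_id
#define icmp_seq        icmp_hun.ih_idseq.icd_seq
#define icmp_void       icmp_hun.ih_void
#define icmp_pmvoid     icmp_hun.ih_pmtu.ipm_void
#define icmp_nextmtu    icmp_hun.ih_pmtu.ipm_nextmtu
#define icmp_num_addrs  icmp_hun.ih_rtradv.irt_num_addrs
#define icmp_wpa        icmp_hun.ih_rtradv.irt_wpa
#define icmp_lifetime   icmp_hun.ih_rtradv.irt_lifetime
#define icmp_otime      icmp_dun.id_ts.its_otime
#define icmp_rtime      icmp_dun.id_ts.its_rtime
#define icmp_ttime      icmp_dun.id_ts.its_ttime
#define icmp_ip         icmp_dun.id_ip.idi_ip
#define icmp_radv       icmp_dun.id_radv
#define icmp_mask       icmp_dun.id_mask
#define icmp_data       icmp_dun.id_data

typedef struct _ARPHdr
{
    u_int16_t ar_hrd;       /* format of hardware address   */
    u_int16_t ar_pro;       /* format of protocol address   */
    u_int8_t ar_hln;        /* length of hardware address   */
    u_int8_t ar_pln;        /* length of protocol address   */
    u_int16_t ar_op;        /* ARP opcode (command)         */
} ARPHdr;

/* Ethernet/IPv4 ARP body; ar_hln/ar_pln are not consulted by this layout. */
typedef struct _EtherARP
{
    ARPHdr ea_hdr;          /* fixed-size header */
    u_int8_t arp_sha[6];    /* sender hardware address */
    u_int8_t arp_spa[4];    /* sender protocol address */
    u_int8_t arp_tha[6];    /* target hardware address */
    u_int8_t arp_tpa[4];    /* target protocol address */
} EtherARP;

/* struct for tcp and ip options; data points into the packet buffer */
typedef struct _Options
{
    u_int8_t code;
    u_int32_t len;
    u_int8_t *data;
} Options;

/* PPPoEHdr Header; EtherHdr plus the PPPoE Header */
typedef struct _PPPoEHdr
{
    EtherHdr ethhdr;            /* ethernet header */
    unsigned char ver_type;     /* pppoe version/type */
    unsigned char code;         /* pppoe code CODE_* */
    unsigned short session;     /* session id */
    unsigned short length;      /* payload length */
                                /* payload follows */
} PPPoEHdr;

/* PPPoE tag; the payload is a sequence of these */
typedef struct _PPPoE_Tag
{
    unsigned short type;    /* tag type TAG_* */
    unsigned short length;  /* tag length */
                            /* payload follows */
} PPPoE_Tag;

#define PKT_FRAG_FLAG       0x00000001
#define PKT_MF_FLAG         0x00000002
#define PKT_DF_FLAG         0x00000004
#define PKT_RB_FLAG         0x00000008
#define PKT_REBUILT_STREAM  0x00000010
#define PKT_REBUILT_FRAG    0x00000020
#define PKT_CSE_IP          0x00000040
#define PKT_CSE_TCP         0x00000080
#define PKT_CSE_UDP         0x00000100
#define PKT_CSE_ICMP        0x00000200
#define PKT_IPOPTS_BAD      0x00000400
#define PKT_TCPOPTS_BAD     0x00000800

/*
 * Capacity of the per-packet option tables.  The option decoders write
 * ip_options[ip_option_count] / tcp_options[tcp_option_count] from
 * attacker-controlled headers, so they must stop at these bounds (or set
 * PKT_IPOPTS_BAD / PKT_TCPOPTS_BAD) rather than run off the array.  Sized at
 * 40 so the Packet layout is unchanged.
 */
#define IP_OPTMAX           40
#define TCP_OPTLENMAX       40

/*
 * Decoded view of one packet.  Every pointer aims into the captured buffer
 * (or a reassembled copy); the orig_* members exist for the inner header of an
 * ICMP error.  SnortPktHeader is declared elsewhere in the project.
 */
typedef struct _Packet
{
    SnortPktHeader *pkth;
    EtherHdr    *eh;
    VlanTagHdr  *vh;
    EthLlc      *ehllc;
    EthLlcOther *ehllcother;
    EtherARP    *ah;
    IPHdr       *iph,   *orig_iph;
    TCPHdr      *tcph,  *orig_tcph;
    UDPHdr      *udph,  *orig_udph;
    ICMPHdr     *icmph, *orig_icmph;

    u_int8_t    *data;          /* start of transport payload */
    u_int16_t   dsize;          /* bytes of payload at data */
    u_int32_t   pkt_flags;      /* PKT_* bits */
    u_int16_t   frag_offset;

    u_int16_t   sp, orig_sp;    /* source ports, host order */
    u_int16_t   dp, orig_dp;    /* destination ports, host order */
    u_int8_t    *ip_options_data;
    u_int8_t    ip_options_len;
    Options     ip_options[IP_OPTMAX];
    u_int8_t    ip_option_count;    /* must stay <= IP_OPTMAX */
    u_int8_t    *tcp_options_data;
    u_int8_t    tcp_options_len;
    Options     tcp_options[TCP_OPTLENMAX];
    u_int8_t    tcp_option_count;   /* must stay <= TCP_OPTLENMAX */
} Packet;

/*  P R O T O T Y P E S  ******************************************************/
int DecodePacket(Packet *p, SnortPktHeader *pkthdr, u_int8_t *pkt);

/* DLT Decodes */
void DecodeEthPkt(Packet *p, SnortPktHeader *pkthdr, u_int8_t *pkt);
void DecodeVlan(u_int8_t *pkt, const u_int32_t len, Packet *p);
void DecodePPPoEPkt(Packet *p, SnortPktHeader *pkthdr, u_int8_t *pkt);

/* Network Layer */
void DecodeIP(u_int8_t *pkt, u_int32_t len, Packet *p);
void DecodeARP(u_int8_t *pkt, u_int32_t len, Packet *p);
void DecodeIPV6(u_int8_t *pkt, u_int32_t len);
void DecodeIPX(u_int8_t *pkt, u_int32_t len);

/* transport layer */
void DecodeTCP(u_int8_t *pkt, u_int32_t len, Packet *p);
void DecodeUDP(u_int8_t *pkt, u_int32_t len, Packet *p);
void DecodeICMP(u_int8_t *pkt, u_int32_t len, Packet *p);

/* options; len is the size of the option area the caller has verified */
void DecodeIPOptions(u_int8_t *opts, u_int32_t len, Packet *p);
void DecodeTCPOptions(u_int8_t *opts, u_int32_t len, Packet *p);

/* No buffer size is passed: the caller must size buf for the longest flag
 * string the implementation can emit. */
void CreateTCPFlagString(Packet *p, char *buf);

#endif  /* __OP_DECODE_H__ */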
