#pragma once
#include <Winsock2.h>
#include <WS2tcpip.h>
#include <Iphlpapi.h>
#include "URIFilter.h"
#include "../Utils/FilterLog.h"
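/* D E F I N I T I O N S */

/* Fixed-size part of each header.  IP and TCP headers can be longer when
 * options are present: use IP_HLEN()/TCP_OFFSET() (both in 32-bit words,
 * so multiply by 4) to find where the next layer really starts. */
#define ETHERNET_HEADER_LEN 14
#define IP_HEADER_LEN       20
#define TCP_HEADER_LEN      20

/* EtherType for IPv4.  The ether_type field is in network byte order on
 * the wire, so compare ntohs(eh->ether_type) against this, not the raw
 * field. */
#define ETHERNET_TYPE_IP 0x0800

/* tcpdump shows us the way to cross platform compatibility */

/* IP version (high nibble) and header length in 32-bit words (low nibble).
 * A header length below 5 words is malformed and must be rejected before
 * the value is used to locate the transport header. */
#define IP_VER(iph)  (((iph)->ip_verhl & 0xf0) >> 4)
#define IP_HLEN(iph) ((iph)->ip_verhl & 0x0f)

/* TCP data offset in 32-bit words (high nibble) and reserved bits (low
 * nibble).  Same minimum-of-5 caveat as IP_HLEN(). */
#define TCP_OFFSET(tcph) (((tcph)->th_offx2 & 0xf0) >> 4)
#define TCP_X2(tcph)     ((tcph)->th_offx2 & 0x0f)

/* Setters.  `value` is parenthesised so an expression argument such as
 * `len + 1` cannot bind to the shift, and it is masked to four bits for
 * the high-nibble setters too (the low-nibble ones always masked), so an
 * out-of-range value can never clobber the other nibble. */
#define SET_TCP_OFFSET(tcph, value) \
    ((tcph)->th_offx2 = (((tcph)->th_offx2 & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_TCP_X2(tcph, value) \
    ((tcph)->th_offx2 = (((tcph)->th_offx2 & 0xf0) | ((value) & 0x0f)))
#define SET_IP_VER(iph, value) \
    ((iph)->ip_verhl = (((iph)->ip_verhl & 0x0f) | (((value) & 0x0f) << 4)))
#define SET_IP_HLEN(iph, value) \
    ((iph)->ip_verhl = (((iph)->ip_verhl & 0xf0) | ((value) & 0x0f)))

/* Raw-socket "receive all" ioctl; defining it here removes the need for
 * mstcpip.h.  This ioctl only succeeds on a socket bound to a local
 * interface address, and the process needs administrative rights for it. */
#define SIO_RCVALL _WSAIOW(IOC_VENDOR, 1)

/* Fixed-width aliases; Winsock does not provide the BSD u_int*_t names. */
typedef unsigned char  u_int8_t;
typedef unsigned short u_int16_t;
typedef unsigned int   u_int32_t;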
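/* 14 bytes for ethernet header.
 * The frame on the wire carries more (preamble and FCS), but the capture
 * driver only hands us the 14-byte header, which is all we need.
 *
 * Comments are block comments on purpose: this file is often viewed and
 * pasted with line breaks removed, and a trailing `//` would then swallow
 * every following member.  Matches the IPHdr/TCPHdr style below. */
typedef struct _EtherHdr {
    u_int8_t  ether_dst[6];  /* destination MAC address */
    u_int8_t  ether_src[6];  /* source MAC address */
    u_int16_t ether_type;    /* protocol type, network byte order (see ETHERNET_TYPE_IP) */
} EtherHdr;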
/* 20 bytes or more for IP header.  Options, if any, follow the fixed part;
 * IP_HLEN() gives the real length in 32-bit words (minimum 5). */
struct IPHdr {
    u_int8_t       ip_verhl;  /* version (high nibble) & header length in 32-bit words (low nibble) */
    u_int8_t       ip_tos;    /* type of service */
    u_int16_t      ip_len;    /* total datagram length, network byte order */
    u_int16_t      ip_id;     /* identification */
    u_int16_t      ip_off;    /* flags + fragment offset, network byte order */
    u_int8_t       ip_ttl;    /* time to live */
    u_int8_t       ip_proto;  /* payload protocol number (6 = TCP) */
    u_int16_t      ip_csum;   /* header checksum */
    struct in_addr ip_src;    /* source IP */
    struct in_addr ip_dst;    /* destination IP */
};
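/* Bits of TCPHdr::th_flags; several may be set at once.  Kept outside the
 * struct body: a #define inside a struct is not scoped to it and only
 * confuses readers (and collapsed-line listings of this file). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20

/* 20 bytes or more for TCP header.  Options, if any, follow the fixed part;
 * TCP_OFFSET() gives the real length in 32-bit words (minimum 5). */
struct TCPHdr {
    u_int16_t th_sport;  /* source port, network byte order */
    u_int16_t th_dport;  /* destination port, network byte order */
    u_int32_t th_seq;    /* sequence number */
    u_int32_t th_ack;    /* acknowledgement number */
    u_int8_t  th_offx2;  /* data offset (high nibble) and reserved bits (low nibble) */
    u_int8_t  th_flags;  /* TH_* flag bits */
    u_int16_t th_win;    /* window */
    u_int16_t th_sum;    /* checksum */
    u_int16_t th_urp;    /* urgent pointer */
};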
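/* Values of Packet::http_state.  Kept outside the struct body (a #define
 * inside a struct is not scoped to it). */
#define CLIENT_REQUEST  0x01  /* payload starts an HTTP request */
#define SERVER_RESPONSE 0x02  /* payload is an HTTP response */
#define NOT_HTTP        0x04  /* payload is not HTTP */

/* Our handy data structure which eases our work in packet processing.
 * The header/payload pointers below presumably point INTO the raw capture
 * buffer `pkt` rather than copies, so a Packet would only be valid while
 * that buffer is -- confirm against DecodeIP/DecodeTCP. */
typedef struct _Packet
{
    u_int8_t     *pkt;               /* base pointer to the raw packet data */
    EtherHdr     *eh;                /* Ethernet header */
    IPHdr        *iph;               /* IP header */
    u_int32_t     ip_options_len;    /* length of IP options, 0 if none */
    u_int8_t     *ip_options_data;   /* start of IP options */
    TCPHdr       *tcph;              /* TCP header */
    u_int32_t     tcp_options_len;   /* length of TCP options, 0 if none */
    u_int8_t     *tcp_options_data;  /* start of TCP options */
    u_int8_t     *data;              /* packet payload pointer */
    u_int16_t     dsize;             /* packet payload size */
    u_int8_t     *http_uri_content;  /* start of the request URI within the payload */
    u_int32_t     http_payload_len;  /* HTTP payload length */
    u_int8_t      http_state;        /* CLIENT_REQUEST / SERVER_RESPONSE / NOT_HTTP */
    u_int8_t      banned;            /* non-zero if the request should be censored */
    unsigned char matched[128];      /* keyword this request matched - maximum 128 bytes;
                                      * if used as a C string, the copy must leave room
                                      * for the terminator */
    u_int8_t      frag_flag;         /* flag to indicate a fragmented packet */
    u_int16_t     frag_offset;       /* fragment offset number */
    u_int8_t      mf;                /* more fragments flag */
    u_int8_t      df;                /* don't fragment flag */
    u_int8_t      rf;                /* IP reserved bit */
} Packet;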
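/* Main object to perform all packet processing and filtering.
 *
 * Owns a raw "sniffer" socket (SIO_RCVALL) for capturing IP packets on the
 * chosen adapter, a helper socket for putting packets back on the wire,
 * and the capture thread.  The decode/filter members suggest the flow
 * DecodeIP -> DecodeTCP -> CheckHttpState -> DecodeHTTP -> FilterHttpRequest,
 * with a TCP reset (reset_buf) and/or the block buffer sent towards a
 * client whose request matched -- inferred from the declarations only,
 * confirm against the .cpp.
 *
 * Non-copyable: the object owns two sockets, two HANDLEs and a heap string,
 * so a copy would close/free each of them twice. */
class CProcessPacket
{
public:
    /* in_pFilterlog  Log sink for filter events.  Only the pointer is
     *                stored, so it must outlive this object. */
    CProcessPacket(CFilterLog *in_pFilterlog);
    ~CProcessPacket(void);

    /* Start engine on specified adapter.
     * in_szSourceDevice  Intended adapter to perform filtering through.
     * Returns an int status; the success/failure convention is not visible
     * in this header. */
    int StartEngine(const char* in_szSourceDevice);

    /* Stop engine and cleanup all resources used by it. */
    int StopEngine();

    /* Adapter table filled by RetrieveAllAdaptersInfo().  Fixed at 16
     * entries: whatever fills it (presumably GetAdaptersInfo) must be given
     * sizeof(m_AdapterInfo) as the buffer length and must handle the
     * too-small-buffer result on hosts with more adapters, otherwise the
     * list is silently truncated at best. */
    IP_ADAPTER_INFO m_AdapterInfo[16];

private:
    /* Copying is disabled: declared but intentionally never defined
     * (pre-C++11 idiom, matching the rest of this code base). */
    CProcessPacket(const CProcessPacket&);
    CProcessPacket& operator=(const CProcessPacket&);

    /* Events we need to synchronize our thread */
    HANDLE m_hThrdReadyEvent;
    /* we need a helper socket to send raw packets on the wire.*/
    SOCKET m_helperSocket;
    /* we need a sniffer socket to capture raw IP packets.*/
    SOCKET m_sniffSocket;
    /* source device canonical string; presumably a heap copy owned by this
     * object and released in StopEngine()/the destructor -- confirm */
    char* m_szSourceDevice;
    /* handle to sniffing thread */
    HANDLE m_hSniffThread;
    /* URI keyword filter */
    CURIFilter* m_pUrlFilterObj;
    /* log object (not owned, see constructor) */
    CFilterLog *m_pFilterLog;
    /* Block buffer to send toward banned client, and the number of bytes
     * of it that are valid (must never exceed sizeof(m_pBlockBuffer)). */
    u_int8_t m_pBlockBuffer[512];
    u_int32_t m_cbBlockBuffer;
    /* A 40 bytes buffer needed to send a TCP reset packet
     * (IP_HEADER_LEN + TCP_HEADER_LEN, no options). */
    char reset_buf[40];

    /* Thread entry point for the capture loop; in_pParam is presumably the
     * CProcessPacket instance (static members get no `this`). */
    static DWORD WINAPI ThreadHandler(LPVOID in_pParam);

    /* Decode IP header and hold them in Packet object.
     * (buffer, buffer length in bytes, packet to fill) -- the length must be
     * checked against IP_HEADER_LEN and 4*IP_HLEN() before fields are read. */
    void DecodeIP(u_int8_t *,
                  const u_int32_t,
                  Packet *);
    /* Decode TCP header into Packet; same argument shape and length caveat
     * (TCP_HEADER_LEN and 4*TCP_OFFSET()) as DecodeIP. */
    void DecodeTCP(u_int8_t *,
                   const u_int32_t,
                   Packet *);
    /* Decode the HTTP payload into Packet (URI, state); same argument shape. */
    void DecodeHTTP(u_int8_t *,
                    const u_int32_t,
                    Packet *);
    /* Check the start of the incoming buffer for 'GET /'.  NOTE: the
     * original comment says "first 4 bytes" but 'GET /' is five characters;
     * confirm which the implementation compares, and that `len` is checked
     * before the bytes are read. */
    int CheckHttpState(u_int8_t* buffer,u_int32_t len);
    /* Run the decoded request through the URI filter; sets banned/matched. */
    int FilterHttpRequest(Packet *);
    /* Calculate checksum for IP header (pointer to header, byte length) */
    unsigned short CalcIPSum(unsigned short *, int);
    /* Calculate checksum for TCP header plus data; dlen is the data length
     * in bytes.  An odd dlen needs the final byte zero-padded to a 16-bit
     * word, so the buffer behind `d` must have that extra byte available. */
    unsigned short CalcTCPSum(unsigned short *h, unsigned short * d, int dlen);
    /* Fill m_AdapterInfo (see the size caveat on that member). */
    int RetrieveAllAdaptersInfo();
};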