packet.h

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#ifndef __PACKET_HEADER_INCLUDED__
#define __PACKET_HEADER_INCLUDED__

#include <sys/time.h>
#include <sys/types.h>

/* packet macros */
#include <pmacros.h>

/* Various protocol headers */
#include <pkt/eth.h>
#include <pkt/ip.h>
#include <pkt/icmp.h>
#include <pkt/igmp.h>
#include <pkt/vlan.h>
#include <pkt/tcp.h>
#include <pkt/udp.h>
#include <pkt/arp.h>
#include <pkt/gre.h>
#include <pkt/sll.h>
#include <pkt/http.h>
#include <pkt/ipx.h>
#include <pkt/sap.h>

/* Maximum number of layers in decode */
#define PKT_LAYERS	8

typedef unsigned long long int serial_t;

struct layer {
	/* Various protocols are supported in the
	 * union by default - its not really a modular
	 * violation - it just makes things easier to follow */
	union {
		struct pkt_ethhdr	*eth; /* Ethernet II */
		struct pkt_machdr	*mac; /* 802.3 MAC */
		struct pkt_llchdr	*llc; /* Logical Link Control */
		struct pkt_snaphdr	*snap; /* Sub-Network Access Protocol */
		struct pkt_iphdr	*ip;
		struct pkt_icmphdr	*icmp;
		struct pkt_igmphdr	*igmp;
		struct pkt_tcphdr	*tcp;
		struct pkt_arphdr	*arp;
		struct pkt_udphdr	*udp;
		struct pkt_grehdr	*gre;
		struct pkt_vlanhdr	*vlan;
		struct pkt_sllhdr	*sll;
		struct pkt_ipxhdr	*ipx;
		struct pkt_sap		*sap;
		void			*raw;
	}h;
	struct proto	*proto; /* protocol of this layer */
	u_int32_t	flags; /* protocol specific flags */
	void		*session; /* decode or session information */
};

struct packet {
	/* Serial number for packet */
	serial_t	serial;
	
	/* length of packet on the wire */
	size_t		len;

	/* Length of captured packet */
	size_t		caplen;
	
	/* decode information */
	struct layer	layer[PKT_LAYERS];
	u_int8_t	llen;

	/* Actual packet data */
	void		*base;
	void		*end;

	/* time of capture */
	struct timeval	time;

	/* Capture device that cought us */
	struct capture	*capture;

#define FP_CLONE	(1<<1) /* memcpy to clone the payload? */
#define FP_LIVE		(1<<2) /* Live capture: ie, not from refragmentation */
#define FP_HOST		(1<<3) /* Directly to sensor */
#define FP_MULTICAST	(1<<4) /* Multicast packet */
#define FP_BROADCAST	(1<<5) /* Broadcast packet */
#define FP_PROMISC	(1<<6) /* Promiscuous packet */
#define FP_OUTGOING	(1<<7) /* Sensor generated */
#define FP_PKTTYPE      (1<<8) /* packet type is known for sure */
	u_int32_t	flags;
};

/* If unsure, about packet type just select PROMISC ;) */
#define FPMASK_PKTTYPE (FP_HOST|FP_MULTICAST|FP_BROADCAST|FP_PROMISC|FP_OUTGOING)

#endif /* __PACKET_HEADER_INCLUDED__ */