tcp.h

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#ifndef __PKT_TCP_HEADER_INCLUDED__
#define __PKT_TCP_HEADER_INCLUDED__

#define FLAG_TCP_CSUM	0x01 /* Checksum OK */
#define FLAG_TCP_STATE	0x02 /* Valid stream */
#define FLAG_TCP_SURE	0x04 /* Assured (seen packets in both directions) */
#define FLAG_TCP_TRACK	0x08 /* Conntrack is even on? */
#define FLAG_TCP_2SVR	0x10 /* To server */
#define FLAG_TCP_CT_EST	0x20 /* 3-way handshake complete */
#define FLAG_TCP_SACK	0x40 /* This packet is a selective ACK */
#define FLAG_TCP_STREAM	0x80 /* Reassembling */

/* MISC */
#define TCP_MSS			512
#define TCP_MAXWIN		65535
#define TCP_MAX_WINSHIFT	16

/* OPTIONS */
#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MAXSEG 2
#define TCPOPT_WSCALE 3
#define TCPOPT_SACK_PERMITTED 4
#define TCPOPT_SACK 5
#define TCPOPT_ECHO 6
#define TCPOPT_ECHOREPLY 7
#define TCPOPT_TIMESTAMP 8
#define TCPOPT_POC_PERMITTED 9
#define TCPOPT_POC 10
#define TCPOPT_CC 11
#define TCPOPT_CCNEW 12
#define TCPOPT_CCECHO 13
#define TCPOPT_MAX 14

#define TCPOLEN_EOL 1
#define TCPOLEN_NOP 1
#define TCPOLEN_MAXSEG 4
#define TCPOLEN_WSCALE 3
#define TCPOLEN_SACK_PERMITTED 2
#define TCPOLEN_ECHO 6
#define TCPOLEN_ECHOREPLY 6
#define TCPOLEN_TIMESTAMP 10
#define TCPOLEN_CC 6
#define TCPOLEN_CCNEW 6
#define TCPOLEN_CCECHO 6
#define TCPOLEN_POC_PERMITTED 2
#define TCPOLEN_POC 3

/* TCP FLAGS */
#define TCP_FIN		0x01	/* Finish */
#define TCP_SYN		0x02	/* Synchronise */
#define TCP_RST		0x04	/* Reset */
#define TCP_PSH		0x08	/* Push */
#define TCP_ACK		0x10	/* Acknowlege */
#define TCP_URG		0x20	/* Urgent pointer */
#define TCP_ECE		0x40	/* ECN echo */
#define TCP_CWR		0x80	/* Congestion window reduced */

#define TCP_STD		(TCP_FIN|TCP_SYN|TCP_RST|TCP_PSH|TCP_ACK|TCP_URG)

typedef union _tcpflags {
	u_int8_t flags;
	struct {
#if __BYTE_ORDER == __LITTLE_ENDIAN
	u_int8_t fin:1;
	u_int8_t syn:1;
	u_int8_t rst:1;
	u_int8_t psh:1;
	u_int8_t ack:1;
	u_int8_t urg:1;
	u_int8_t ece:1;
	u_int8_t cwr:1;
#elif __BYTE_ORDER == __BIG_ENDIAN
	u_int8_t cwr:1;
	u_int8_t ece:1;
	u_int8_t urg:1;
	u_int8_t ack:1;
	u_int8_t psh:1;
	u_int8_t rst:1;
	u_int8_t syn:1;
	u_int8_t fin:1;
#else
#error "Couldn't determine endianness"
#endif
	}bits;
}tcpflags;

struct pkt_tcphdr
{
	u_int16_t	sport,dport;
	u_int32_t	seq;
	u_int32_t	ack;
#if __BYTE_ORDER == __LITTLE_ENDIAN
	u_int8_t	res1:4;	/* ??? */
	u_int8_t	doff:4;
#elif __BYTE_ORDER == __BIG_ENDIAN
	u_int8_t	doff:4;
	u_int8_t	res1:4;	/* ??? */
#endif
	tcpflags	flags;
	u_int16_t	win;
	u_int16_t	csum;
	u_int16_t	urp;
};

/* Possible TCP states */
enum{
	TCP_ESTABLISHED = 1,
	TCP_SYN_SENT,
	TCP_SYN_RECV,
	TCP_FIN_WAIT1,
	TCP_FIN_WAIT2,
	TCP_TIME_WAIT,
	TCP_CLOSE,
	TCP_CLOSE_WAIT,
	TCP_LAST_ACK,
	TCP_LISTEN,
	TCP_CLOSING,	 /* now a valid state */
	TCP_MAX_STATES /* Leave at the end! */
};

/* TCP pseudo-header for checksumming */
struct tcp_phdr {
	u_int32_t sip, dip;
	u_int8_t zero, proto;
	u_int16_t tcp_len;
};

/* A simplex tcp stream */
#define TF_SACK_OK	(1<<0)
#define TF_WSCALE_OK	(1<<1)
#define TF_TSTAMP_OK	(1<<2)
struct tcp_stream {
	u_int8_t	state; /* from above enum */
	u_int8_t	flags; /* optional features */
	u_int8_t	scale; /* scaling factor */
	u_int8_t	reserved;

	u_int32_t	ts_recent; /* a recent timestamp */
	u_int32_t	ts_recent_stamp; /* local time on it */

	u_int32_t	snd_una; /* first byte we want ack for */
	u_int32_t	snd_nxt; /* next sequence to send */

	u_int32_t	rcv_nxt; /* what we want to recv next */
	u_int32_t	rcv_wnd; /* receiver window */
	u_int32_t	rcv_wup; /* rcv_nxt on last window update */

	u_int32_t	isn; /* equivalent of rfc793 iss */
};

/* prev=oldest, next=newest */
struct tcp_lru {
	struct tcp_session *next, *prev;
};

struct tcp_tmo {
	struct tcp_lru lru;
	struct tcp_session *next, *prev;
};

/* A duplex tcp session */
struct tcp_session {
	/* Global LRU list */
	struct tcp_session *next, *prev;

	/* Timeout list, for SYN timeouts etc.. */
	struct tcp_session *tmo_next, *tmo_prev;

	/* Hash table collision chaining */
	struct tcp_session *hash_next, **hash_pprev;

	/* TCP state: network byte order */
	u_int32_t c_addr, s_addr;
	u_int16_t c_port, s_port;

	/* TCP state: host byte order */
	struct tcp_stream client;
	struct tcp_stream server;

	/* Application layer protocol carried on this stream */
	struct proto *proto;

	/* Application layer state (flow information) */
	void *flow;

	/* index in hash table */
	int bucket;

	/* expirty time */
	unsigned int expire;
};

/* tcp_session allocator union */
union tcp_union {
	union tcp_union *next;
	struct tcp_session s;
};

/* TCP segment variables */
struct tcpseg {
	u_int32_t ack,seq,win,len,seq_end;
	u_int32_t tsval;
	int saw_tstamp;
};

/* serialised version of above */
struct tcp_serial {
	u_int32_t c_addr, s_addr;
	u_int16_t c_port, s_port;
	struct tcp_stream client;
	struct tcp_stream server;
};

#endif /* __PKT_TCP_HEADER_INCLUDED__ */