suricata  5.0.3
About: Suricata is a high performance Network Intrusion Detection (IDS) and Prevention (IPS) and Network Security Monitoring engine.
  Fossies Dox: suricata-5.0.3.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

Packet decoding

Code in charge of protocol decoding.

Files

file  decode-erspan.c
file  decode-ethernet.c
file  decode-gre.c
file  decode-icmpv4.c
file  decode-icmpv6.c
file  decode-ipv4.c
file  decode-ipv6.c
file  decode-null.c
file  decode-ppp.c
file  decode-pppoe.c
file  decode-raw.c
file  decode-sctp.c
file  decode-sll.c
file  decode-tcp.c
file  decode-template.c
file  decode-teredo.c
file  decode-udp.c
file  decode-vlan.c
file  decode.c

Functions

int DecodeTunnel (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p, const uint8_t *pkt, uint32_t len, PacketQueue *pq, enum DecodeTunnelProto proto)

void PacketFree (Packet *p)
  Return a malloced packet.

void PacketDecodeFinalize (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)
  Finalize decoding of a packet.

void PacketUpdateEngineEventCounters (ThreadVars *tv, DecodeThreadVars *dtv, Packet *p)

Packet * PacketGetFromAlloc (void)
  Get a malloced packet.

void PacketFreeOrRelease (Packet *p)
  Return a packet to where it was allocated.

Packet * PacketGetFromQueueOrAlloc (void)
  Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing.

int PacketCallocExtPkt (Packet *p, int datalen)

int PacketCopyDataOffset (Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
  Copy data to Packet payload at given offset.

int PacketCopyData (Packet *p, const uint8_t *pktdata, uint32_t pktlen)
  Copy data to Packet payload and set packet length.

Packet * PacketTunnelPktSetup (ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq)
  Setup a pseudo packet (tunnel).

Packet * PacketDefragPktSetup (Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto)
  Setup a pseudo packet (reassembled frags).

void PacketDefragPktSetupParent (Packet *parent)
  Inform defrag "parent" that a pseudo packet is now associated to it.

void PacketBypassCallback (Packet *p)

void PacketSwap (Packet *p)
  Switch direction of a packet.

void DecodeUnregisterCounters (void)

void DecodeRegisterPerfCounters (DecodeThreadVars *dtv, ThreadVars *tv)

void DecodeUpdatePacketCounters (ThreadVars *tv, const DecodeThreadVars *dtv, const Packet *p)

void AddressDebugPrint (Address *a)
  Debug print function for printing addresses.

DecodeThreadVars * DecodeThreadVarsAlloc (ThreadVars *tv)
  Alloc and setup DecodeThreadVars.

void DecodeThreadVarsFree (ThreadVars *tv, DecodeThreadVars *dtv)

int PacketSetData (Packet *p, const uint8_t *pktdata, uint32_t pktlen)
  Set data for Packet and set length when zero copy is used.

const char * PktSrcToString (enum PktSrcEnum pkt_src)

void CaptureStatsUpdate (ThreadVars *tv, CaptureStats *s, const Packet *p)

void CaptureStatsSetup (ThreadVars *tv, CaptureStats *s)

void DecodeGlobalConfig (void)

Variables

uint32_t default_packet_size = 0

bool stats_decoder_events

const char * stats_decoder_events_prefix

bool stats_stream_events

static HashTable * g_counter_table = NULL

static pthread_mutex_t g_counter_table_mutex = PTHREAD_MUTEX_INITIALIZER
 

Detailed Description

Code in charge of protocol decoding.

Packet decoding is spread across several files, and because Suricata supports encapsulation the decode functions can end up calling each other recursively.

For each protocol a DecodePROTO function is provided. For example, DecodeIPV4() handles IPv4 and DecodePPP() handles PPP.

All of these functions take a pkt and a len argument: a pointer to the protocol data and the length of that protocol data, respectively.

Attention
The pkt parameter must point to the effective data, because it is used later to set the per-protocol pointers such as Packet::tcph.

Function Documentation

◆ AddressDebugPrint()

void AddressDebugPrint ( Address *a )

Debug print function for printing addresses.

Parameters
  a: Address object
Todo:
  IPv6

Definition at line 601 of file decode.c.

References Address_::family, PrintInet(), sock_to_gzip_file::s, and SCLogDebug.

◆ CaptureStatsSetup()

void CaptureStatsSetup ( ThreadVars *tv, CaptureStats *s )

Definition at line 723 of file decode.c.

References sock_to_gzip_file::s, and StatsRegisterCounter().

◆ CaptureStatsUpdate()

void CaptureStatsUpdate ( ThreadVars *tv, CaptureStats *s, const Packet *p )

Packet is modified by the stream engine, we need to recalc the csum and reinject/replace.

Definition at line 710 of file decode.c.

References ACTION_DROP, ACTION_REJECT, ACTION_REJECT_BOTH, ACTION_REJECT_DST, Packet_::flags, PACKET_TEST_ACTION, PKT_STREAM_MODIFIED, sock_to_gzip_file::s, StatsIncr(), and unlikely.

◆ DecodeGlobalConfig()

void DecodeGlobalConfig ( void  )

Definition at line 731 of file decode.c.

References DecodeERSPANConfig(), DecodeTeredoConfig(), and DecodeVXLANConfig().

Referenced by PostConfLoadedSetup().

◆ DecodeRegisterPerfCounters()

void DecodeRegisterPerfCounters ( DecodeThreadVars *dtv, ThreadVars *tv )

Definition at line 478 of file decode.c.

References BUG_ON, DecodeThreadVars_::counter_avg_pkt_size, DecodeThreadVars_::counter_bytes, DecodeThreadVars_::counter_defrag_ipv4_fragments, DecodeThreadVars_::counter_defrag_ipv4_reassembled, DecodeThreadVars_::counter_defrag_ipv4_timeouts, DecodeThreadVars_::counter_defrag_ipv6_fragments, DecodeThreadVars_::counter_defrag_ipv6_reassembled, DecodeThreadVars_::counter_defrag_ipv6_timeouts, DecodeThreadVars_::counter_defrag_max_hit, DecodeThreadVars_::counter_engine_events, DecodeThreadVars_::counter_erspan, DecodeThreadVars_::counter_eth, DecodeThreadVars_::counter_flow_icmp4, DecodeThreadVars_::counter_flow_icmp6, DecodeThreadVars_::counter_flow_memcap, DecodeThreadVars_::counter_flow_tcp, DecodeThreadVars_::counter_flow_udp, DecodeThreadVars_::counter_gre, DecodeThreadVars_::counter_icmpv4, DecodeThreadVars_::counter_icmpv6, DecodeThreadVars_::counter_ieee8021ah, DecodeThreadVars_::counter_invalid, DecodeThreadVars_::counter_ipv4, DecodeThreadVars_::counter_ipv4inipv6, DecodeThreadVars_::counter_ipv6, DecodeThreadVars_::counter_ipv6inipv6, DecodeThreadVars_::counter_max_pkt_size, DecodeThreadVars_::counter_mpls, DecodeThreadVars_::counter_null, DecodeThreadVars_::counter_pkts, DecodeThreadVars_::counter_ppp, DecodeThreadVars_::counter_pppoe, DecodeThreadVars_::counter_raw, DecodeThreadVars_::counter_sctp, DecodeThreadVars_::counter_sll, DecodeThreadVars_::counter_tcp, DecodeThreadVars_::counter_teredo, DecodeThreadVars_::counter_udp, DecodeThreadVars_::counter_vlan, DecodeThreadVars_::counter_vlan_qinq, DecodeThreadVars_::counter_vxlan, DECODE_EVENT_MAX, DECODE_EVENT_PACKET_MAX, DEvents, FatalError, g_counter_table, g_counter_table_mutex, HashTableAdd(), HashTableInit(), HashTableLookup(), struct-flags::i, unicode::r, SC_ERR_INITIALIZATION, SCMutexLock, SCMutexUnlock, SCStrdup, stats_decoder_events, stats_decoder_events_prefix, stats_stream_events, StatsRegisterAvgCounter(), StatsRegisterCounter(), StatsRegisterMaxCounter(), StringHashCompareFunc(), StringHashFreeFunc(), and StringHashFunc().

Referenced by DecodeErfFileThreadInit(), DecodePcapFileThreadInit(), DecodePcapThreadInit(), and FlowWorkerThreadInit().

◆ DecodeThreadVarsAlloc()

◆ DecodeThreadVarsFree()

◆ DecodeTunnel()

◆ DecodeUnregisterCounters()

void DecodeUnregisterCounters ( void  )

Definition at line 468 of file decode.c.

References g_counter_table, g_counter_table_mutex, HashTableFree(), SCMutexLock, and SCMutexUnlock.

Referenced by PostRunDeinit().

◆ DecodeUpdatePacketCounters()

◆ PacketBypassCallback()

◆ PacketCallocExtPkt()

inline int PacketCallocExtPkt ( Packet *p, int datalen )

◆ PacketCopyData()

inline int PacketCopyData ( Packet *p, const uint8_t *pktdata, uint32_t pktlen )

Copy data to Packet payload and set packet length.

Parameters
  p: Pointer to the Packet to modify
  pktdata: Pointer to the data to copy
  pktlen: Length of the data to copy

Definition at line 262 of file decode.c.

References PacketCopyDataOffset(), and SET_PKT_LEN.

Referenced by Defrag4Reassemble(), Defrag6Reassemble(), PacketDefragPktSetup(), PacketTunnelPktSetup(), PcapCallbackLoop(), PcapFileCallbackLoop(), and StreamTcpPseudoSetup().

◆ PacketCopyDataOffset()

inline int PacketCopyDataOffset ( Packet *p, uint32_t offset, const uint8_t *data, uint32_t datalen )

Copy data to Packet payload at given offset.

This function copies data/payload to a Packet. It uses the space allocated at Packet creation (pointed to by Packet::pkt), or allocates some memory (pointed to by Packet::ext_pkt) if the data is too big to fit in the initial space (of size default_packet_size).

Parameters
  p: Pointer to the Packet to modify
  offset: Offset of the copy relative to the payload of the Packet
  data: Pointer to the data to copy
  datalen: Length of the data to copy

Definition at line 221 of file decode.c.

References sock_to_gzip_file::data, default_packet_size, Packet_::ext_pkt, GET_PKT_DIRECT_DATA, GET_PKT_DIRECT_MAX_SIZE, MAX_PAYLOAD_SIZE, SCMalloc, SET_PKT_LEN, and unlikely.

Referenced by Defrag4Reassemble(), Defrag6Reassemble(), and PacketCopyData().
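The inline-buffer-or-ext_pkt behaviour described above, as an added illustration that is not Suricata's own code: a simplified ToyPacket with constructed sizes (TOY_DEFAULT_PACKET_SIZE and TOY_MAX_PAYLOAD_SIZE stand in for default_packet_size and MAX_PAYLOAD_SIZE) shows why the bound check has to come before any copy and how the switch to an external buffer preserves data already in the packet.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for this illustration, not Suricata's real values. */
#define TOY_DEFAULT_PACKET_SIZE 64   /* inline space, plays the role of default_packet_size */
#define TOY_MAX_PAYLOAD_SIZE    1500 /* hard cap, plays the role of MAX_PAYLOAD_SIZE */

typedef struct {
    uint8_t  pkt[TOY_DEFAULT_PACKET_SIZE]; /* space reserved at creation (Packet::pkt) */
    uint8_t *ext_pkt;                      /* heap buffer once data outgrows pkt (Packet::ext_pkt) */
} ToyPacket;

/* Copy datalen bytes to offset. Returns 0 on success, -1 if the data cannot be held. */
int ToyPacketCopyDataOffset(ToyPacket *p, uint32_t offset, const uint8_t *data, uint32_t datalen)
{
    /* Bound check first, written so that offset + datalen cannot wrap around. */
    if (offset > TOY_MAX_PAYLOAD_SIZE || datalen > TOY_MAX_PAYLOAD_SIZE - offset)
        return -1;
    if (p->ext_pkt == NULL) {
        if (offset + datalen <= TOY_DEFAULT_PACKET_SIZE) {
            memcpy(p->pkt + offset, data, datalen); /* fits in the inline space */
            return 0;
        }
        /* Too big: switch to an external buffer, keeping what pkt already holds. */
        p->ext_pkt = calloc(TOY_MAX_PAYLOAD_SIZE, 1);
        if (p->ext_pkt == NULL)
            return -1;
        memcpy(p->ext_pkt, p->pkt, TOY_DEFAULT_PACKET_SIZE);
    }
    memcpy(p->ext_pkt + offset, data, datalen); /* ext_pkt stays in use from now on */
    return 0;
}

/* Scenario: 16 bytes fit inline, appending 100 bytes forces ext_pkt while preserving the
 * first 16, and two oversized requests are refused. Returns 1 if all of that holds, else 0. */
int ToyPacketScenario(void)
{
    ToyPacket p = {0};
    uint8_t head[16], tail[100];
    memset(head, 0x11, sizeof head);
    memset(tail, 0xAB, sizeof tail);
    int ok = ToyPacketCopyDataOffset(&p, 0, head, 16) == 0 && p.ext_pkt == NULL;
    ok = ok && ToyPacketCopyDataOffset(&p, 16, tail, 100) == 0 && p.ext_pkt != NULL;
    ok = ok && memcmp(p.ext_pkt, head, 16) == 0 && p.ext_pkt[16] == 0xAB && p.ext_pkt[115] == 0xAB;
    ok = ok && ToyPacketCopyDataOffset(&p, 1400, tail, 101) == -1;       /* 1501 bytes: refused */
    ok = ok && ToyPacketCopyDataOffset(&p, 0xFFFFFFF0u, tail, 32) == -1; /* would wrap: refused */
    free(p.ext_pkt);
    return ok;
}
```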

◆ PacketDecodeFinalize()

void PacketDecodeFinalize ( ThreadVars *tv, DecodeThreadVars *dtv, Packet *p )

Finalize decoding of a packet.

This function needs to be called at the end of decode functions when decoding has been successful.

Definition at line 118 of file decode.c.

References DecodeThreadVars_::counter_invalid, Packet_::flags, PKT_IS_INVALID, and StatsIncr().

Referenced by DecodeErfFile(), DecodePcap(), and DecodePcapFile().

◆ PacketDefragPktSetup()

Packet * PacketDefragPktSetup ( Packet *parent, const uint8_t *pkt, uint32_t len, uint8_t proto )

Setup a pseudo packet (reassembled frags).

Difference with PacketPseudoPktSetup is that this func doesn't increment the recursion level. It needs to be on the same level as the frags because we run the flow engine against this and we need to get the same flow.

Parameters
  parent: parent packet for this pseudo pkt
  pkt: raw packet data
  len: packet data length
  proto: protocol of the tunneled packet
Return values
  p: the pseudo packet or NULL if out of memory

Definition at line 352 of file decode.c.

References Packet_::datalink, Packet_::livedev, PacketCopyData(), PacketGetFromQueueOrAlloc(), Packet_::recursion_level, Packet_::root, SCEnter, SCReturnPtr, SET_TUNNEL_PKT, Packet_::tenant_id, Packet_::ts, unlikely, Packet_::vlan_id, and Packet_::vlan_idx.

Referenced by Defrag4Reassemble(), and Defrag6Reassemble().

◆ PacketDefragPktSetupParent()

void PacketDefragPktSetupParent ( Packet *parent )

Inform defrag "parent" that a pseudo packet is now associated to it.

Flag to indicate that packet contents should not be inspected.

Definition at line 391 of file decode.c.

References DecodeSetNoPayloadInspectionFlag, SET_TUNNEL_PKT, and TUNNEL_INCR_PKT_TPR.

Referenced by DefragInsertFrag().

◆ PacketFree()

void PacketFree ( Packet *p )

Return a malloced packet.

Packet comes from zero copy (ext_pkt must not be freed).

Definition at line 105 of file decode.c.

References PACKET_DESTRUCTOR, and SCFree.

Referenced by PacketFreeOrRelease(), PacketGetFromAlloc(), PacketPoolDestroy(), and PacketPoolReturnPacket().

◆ PacketFreeOrRelease()

void PacketFreeOrRelease ( Packet *p )

Return a packet to where it was allocated.

Packet was alloc'd this run, needs to be freed.

Definition at line 165 of file decode.c.

References Packet_::flags, PacketFree(), PacketPoolReturnPacket(), and PKT_ALLOC.

Referenced by Defrag4Reassemble(), and Defrag6Reassemble().

◆ PacketGetFromAlloc()

Packet * PacketGetFromAlloc ( void )

Get a malloced packet.

Return values
  p: packet, NULL on error

Packet was alloc'd this run, needs to be freed.

Definition at line 144 of file decode.c.

References Packet_::flags, PACKET_INITIALIZE, PACKET_PROFILING_START, PacketFree(), PKT_ALLOC, Packet_::ReleasePacket, SCLogDebug, SCMalloc, SIZE_OF_PACKET, and unlikely.

Referenced by InjectPackets(), PacketGetFromQueueOrAlloc(), and PacketPoolInit().

◆ PacketGetFromQueueOrAlloc()

Packet * PacketGetFromQueueOrAlloc ( void )

Get a packet. We try to get a packet from the packetpool first, but if that is empty we alloc a packet that is free'd again after processing.

Return values
  p: packet, NULL on error

Definition at line 180 of file decode.c.

References PACKET_PROFILING_START, PacketGetFromAlloc(), and PacketPoolGetPacket().

Referenced by PacketDefragPktSetup(), PacketTunnelPktSetup(), PcapCallbackLoop(), PcapFileCallbackLoop(), ReceiveErfFileLoop(), StreamTcpPseudoSetup(), and TmThreadsCaptureInjectPacket().

◆ PacketSetData()

inline int PacketSetData ( Packet *p, const uint8_t *pktdata, uint32_t pktlen )

Set data for Packet and set length when zero copy is used.

Parameters
  p: Pointer to the Packet to modify
  pktdata: Pointer to the data
  pktlen: Length of the data

Packet comes from zero copy (ext_pkt must not be freed).

Definition at line 657 of file decode.c.

References Packet_::ext_pkt, Packet_::flags, PKT_ZERO_COPY, SET_PKT_LEN, and unlikely.

◆ PacketSwap()

void PacketSwap ( Packet *p )

◆ PacketTunnelPktSetup()

Packet * PacketTunnelPktSetup ( ThreadVars *tv, DecodeThreadVars *dtv, Packet *parent, const uint8_t *pkt, uint32_t len, enum DecodeTunnelProto proto, PacketQueue *pq )

Setup a pseudo packet (tunnel).

Parameters
  parent: parent packet for this pseudo pkt
  pkt: raw packet data
  len: packet data length
  proto: protocol of the tunneled packet
Return values
  p: the pseudo packet or NULL if out of memory

Flag to indicate that packet contents should not be inspected.

Definition at line 278 of file decode.c.

References Packet_::datalink, DECODE_TUNNEL_IPV6_TEREDO, DecodeSetNoPayloadInspectionFlag, DecodeTunnel(), Packet_::flags, GET_PKT_DATA, GET_PKT_LEN, PacketCopyData(), PacketGetFromQueueOrAlloc(), PKT_IS_INVALID, Packet_::recursion_level, Packet_::root, SCEnter, SCLogDebug, SCReturnPtr, SET_TUNNEL_PKT, Packet_::tenant_id, TM_ECODE_OK, TmqhOutputPacketpool(), Packet_::ts, TUNNEL_INCR_PKT_TPR, unlikely, and UNSET_TUNNEL_PKT.

Referenced by DecodeGRE(), DecodeIP6inIP6(), DecodeIPV4(), DecodeIPv4inIPv6(), DecodeTeredo(), and DecodeVXLAN().

◆ PacketUpdateEngineEventCounters()

◆ PktSrcToString()

Variable Documentation

◆ default_packet_size

uint32_t default_packet_size = 0

Definition at line 71 of file decode.c.

Referenced by ConfigGetCaptureValue(), PacketCopyDataOffset(), and RunUnittests().

◆ g_counter_table

static HashTable * g_counter_table = NULL

Definition at line 465 of file decode.c.

Referenced by DecodeRegisterPerfCounters(), and DecodeUnregisterCounters().

◆ g_counter_table_mutex

static pthread_mutex_t g_counter_table_mutex = PTHREAD_MUTEX_INITIALIZER

Definition at line 466 of file decode.c.

Referenced by DecodeRegisterPerfCounters(), and DecodeUnregisterCounters().

◆ stats_decoder_events

bool stats_decoder_events

Definition at line 102 of file counters.c.

Referenced by DecodeRegisterPerfCounters(), and PacketUpdateEngineEventCounters().

◆ stats_decoder_events_prefix

const char* stats_decoder_events_prefix

add stream events as stats? disabled by default

Definition at line 103 of file counters.c.

Referenced by DecodeRegisterPerfCounters().

◆ stats_stream_events

bool stats_stream_events