tcpflow  1.6.1
About: tcpflow is a TCP/IP packet demultiplexer that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
  Fossies Dox: tcpflow-1.6.1.tar.gz  ("unofficial" and yet experimental doxygen-generated source code documentation)  

bulk_extractor_i.h File Reference
#include <assert.h>
#include "sbuf.h"
#include "utf8.h"
#include "utils.h"
#include <vector>
#include <set>
#include <map>
#include "feature_recorder.h"
#include "feature_recorder_set.h"
#include "pcap_fake.h"
Include dependency graph for bulk_extractor_i.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  be13::ether_addr
 
struct  be13::ether_header
 
struct  be13::ip4_addr
 
struct  be13::ip4
 
struct  be13::ip4_dgram
 
struct  be13::ip6_addr
 
struct  be13::ip6_hdr
 
struct  be13::ip6_dgram
 
struct  be13::tcphdr
 
class  be13::packet_info
 
class  be13::packet_info::frame_too_short
 
class  scanner_info
 
struct  scanner_info::scanner_config
 
class  scanner_params
 
class  recursion_control_block
 
class  scanner_def
 
struct  be13::plugin
 

Namespaces

 be13
 

Macros

#define DEBUG_PEDANTIC   0x0001
 
#define DEBUG_PRINT_STEPS   0x0002
 
#define DEBUG_SCANNER   0x0004
 
#define DEBUG_NO_SCANNERS   0x0008
 
#define DEBUG_DUMP_DATA   0x0010
 
#define DEBUG_DECODING   0x0020
 
#define DEBUG_INFO   0x0040
 
#define DEBUG_EXIT_EARLY   1000
 
#define DEBUG_ALLOCATE_512MiB   1002
 
#define __LITTLE_ENDIAN   1234
 
#define __BIG_ENDIAN   4321
 
#define __BYTE_ORDER   __LITTLE_ENDIAN
 
#define ETH_ALEN   6
 
#define IPPROTO_TCP   6 /* tcp */
 
#define IP_RF   0x8000 /* reserved fragment flag */
 
#define IP_DF   0x4000 /* dont fragment flag */
 
#define IP_MF   0x2000 /* more fragments flag */
 
#define IP_OFFMASK   0x1fff /* mask for fragmenting bits */
 
#define TH_FIN   0x01
 
#define TH_SYN   0x02
 
#define TH_RST   0x04
 
#define TH_PUSH   0x08
 
#define TH_ACK   0x10
 
#define TH_URG   0x20
 
#define ETHERTYPE_PUP   0x0200 /* Xerox PUP */
 
#define ETHERTYPE_SPRITE   0x0500 /* Sprite */
 
#define ETHERTYPE_IP   0x0800 /* IP */
 
#define ETHERTYPE_ARP   0x0806 /* Address resolution */
 
#define ETHERTYPE_REVARP   0x8035 /* Reverse ARP */
 
#define ETHERTYPE_AT   0x809B /* AppleTalk protocol */
 
#define ETHERTYPE_AARP   0x80F3 /* AppleTalk ARP */
 
#define ETHERTYPE_VLAN   0x8100 /* IEEE 802.1Q VLAN tagging */
 
#define ETHERTYPE_IPX   0x8137 /* IPX */
 
#define ETHERTYPE_IPV6   0x86dd /* IP protocol version 6 */
 
#define ETHERTYPE_LOOPBACK   0x9000 /* used to test interfaces */
 
#define ONE_HUNDRED_NANO_SEC_TO_SECONDS   10000000
 
#define SECONDS_BETWEEN_WIN32_EPOCH_AND_UNIX_EPOCH   11644473600LL
 

Typedefs

typedef uint32_t be13::ip4_addr_t
 
typedef uint32_t be13::tcp_seq
 
typedef void scanner_t(const class scanner_params &sp, const class recursion_control_block &rcb)
 
typedef void process_t(const class scanner_params &sp)
 
typedef void packet_callback_t(void *user, const be13::packet_info &pi)
 

Functions

std::ostream & operator<< (std::ostream &os, const class scanner_params &sp)
 
std::string itos (int i)
 
std::string dtos (double d)
 
std::string utos (unsigned int i)
 
std::string utos (uint64_t i)
 
std::string utos (uint16_t i)
 
std::string safe_utf16to8 (std::wstring s)
 
std::wstring safe_utf8to16 (std::string s)
 
void truncate_at (std::string &line, char ch)
 
int isxdigit (int c)
 
std::string microsoftDateToISODate (const uint64_t &time)
 
std::string unixTimeToISODate (const uint64_t &t)
 
bool validASCIIName (const std::string &name)
 

Detailed Description

bulk_extractor scanner plug_in architecture.

Scanners are called with two parameters: A reference to a scanner_params (SP) object. A reference to a recursion_control_block (RCB) object.

On startup, each scanner is called with a special SP and RCB. The scanners respond by setting fields in the SP and returning.

When executing, once again each scanner is called with the SP and RCB. This is the only file that needs to be included for a scanner.

  • phase_startup - scanners are loaded and register the names of the feature files they want.
  • phase_scan - each scanner is called to analyze 1 or more sbufs.
  • phase_shutdown - scanners are given a chance to shutdown

Definition in file bulk_extractor_i.h.

Macro Definition Documentation

◆ __BIG_ENDIAN

#define __BIG_ENDIAN   4321

Definition at line 48 of file bulk_extractor_i.h.

◆ __BYTE_ORDER

#define __BYTE_ORDER   __LITTLE_ENDIAN

Definition at line 49 of file bulk_extractor_i.h.

◆ __LITTLE_ENDIAN

#define __LITTLE_ENDIAN   1234

Definition at line 47 of file bulk_extractor_i.h.

◆ DEBUG_ALLOCATE_512MiB

#define DEBUG_ALLOCATE_512MiB   1002

Definition at line 23 of file bulk_extractor_i.h.

◆ DEBUG_DECODING

#define DEBUG_DECODING   0x0020

Definition at line 20 of file bulk_extractor_i.h.

◆ DEBUG_DUMP_DATA

#define DEBUG_DUMP_DATA   0x0010

Definition at line 19 of file bulk_extractor_i.h.

◆ DEBUG_EXIT_EARLY

#define DEBUG_EXIT_EARLY   1000

Definition at line 22 of file bulk_extractor_i.h.

◆ DEBUG_INFO

#define DEBUG_INFO   0x0040

Definition at line 21 of file bulk_extractor_i.h.

◆ DEBUG_NO_SCANNERS

#define DEBUG_NO_SCANNERS   0x0008

Definition at line 18 of file bulk_extractor_i.h.

◆ DEBUG_PEDANTIC

#define DEBUG_PEDANTIC   0x0001

Definition at line 15 of file bulk_extractor_i.h.

◆ DEBUG_PRINT_STEPS

#define DEBUG_PRINT_STEPS   0x0002

Definition at line 16 of file bulk_extractor_i.h.

◆ DEBUG_SCANNER

#define DEBUG_SCANNER   0x0004

Definition at line 17 of file bulk_extractor_i.h.