
    1 /*
    2 ** Copyright (C) 2014-2020 Cisco and/or its affiliates. All rights reserved.
    3 ** Copyright (C) 2002-2013 Sourcefire, Inc.
    4 ** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
    5 **
    6 ** This program is free software; you can redistribute it and/or modify
    7 ** it under the terms of the GNU General Public License Version 2 as
    8 ** published by the Free Software Foundation.  You may not use, modify or
    9 ** distribute this program under any other version of the GNU General
   10 ** Public License.
   11 **
   12 ** This program is distributed in the hope that it will be useful,
   13 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
   14 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   15 ** GNU General Public License for more details.
   16 **
   17 ** You should have received a copy of the GNU General Public License
   18 ** along with this program; if not, write to the Free Software
   19 ** Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
   20 */
   21 
   22 /* $Id$ */
   23 
   24 #ifndef __DECODE_H__
   25 #define __DECODE_H__
   26 
   27 
   28 /*  I N C L U D E S  **********************************************************/
   29 
   30 #ifdef HAVE_CONFIG_H
   31 #include "config.h"
   32 #endif
   33 
   34 #include <stddef.h>
   35 #include <sys/types.h>
   36 
   37 #ifndef WIN32
   38 #include <sys/socket.h>
   39 #include <netinet/in.h>
   40 #include <net/if.h>
   41 #else /* !WIN32 */
   42 #include <netinet/in_systm.h>
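#ifndef IFNAMSIZ
    /* The previous definition was spelled IFNAMESIZ, so this guard never
     * defined the macro it tests for on WIN32 builds lacking IFNAMSIZ.
     * IFNAMESIZ is kept as an alias in case anything still refers to the
     * misspelling. */
#define IFNAMSIZ MAX_ADAPTER_NAME
#define IFNAMESIZ IFNAMSIZ
#endif /* !IFNAMSIZ */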
   46 #endif /* !WIN32 */
   47 
   48 #include <daq.h>
   49 #include <sfbpf_dlt.h>
   50 
   51 #include "bitop.h"
   52 #include "ipv6_port.h"
   53 #include "sf_ip.h"
   54 #include "sf_iph.h"
   55 #include "sf_protocols.h"
   56 #include "util.h"
   57 #include "sf_types.h"
   58 #include "sf_sdlist_types.h"
   59 #include "preprocids.h"
   60 
   61 struct _SnortConfig;
   62 
   63 /*  D E F I N E S  ************************************************************/
   64 
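/* Ethernet MTU and the EtherType values the decoder recognises
 * (IEEE 802.3 / IANA assignments, written as they appear on the wire) */
#define ETHERNET_MTU                  1500
#define ETHERNET_TYPE_IP              0x0800
#define ETHERNET_TYPE_ARP             0x0806
#define ETHERNET_TYPE_REVARP          0x8035
#define ETHERNET_TYPE_EAPOL           0x888e
#define ETHERNET_TYPE_IPV6            0x86dd
#define ETHERNET_TYPE_IPX             0x8137
#define ETHERNET_TYPE_PPPoE_DISC      0x8863 /* discovery stage */
#define ETHERNET_TYPE_PPPoE_SESS      0x8864 /* session stage */
#define ETHERNET_TYPE_8021Q           0x8100
#define ETHERNET_TYPE_8021AD          0x88a8
#define ETHERNET_TYPE_QINQ_NS1        0x9100 /* Q-in-Q non standard */
#define ETHERNET_TYPE_QINQ_NS2        0x9200 /* Q-in-Q non standard */
#define ETHERNET_TYPE_LOOP            0x9000
#define ETHERNET_TYPE_MPLS_UNICAST    0x8847
#define ETHERNET_TYPE_MPLS_MULTICAST  0x8848
#define ETHERNET_TYPE_ERSPAN_TYPE2    0x88be
#define ETHERNET_TYPE_ERSPAN_TYPE3    0x22eb
#define ETHERNET_TYPE_FPATH           0x8903
#define ETHERNET_TYPE_CISCO_META      0x8909

/* 802.2 LLC DSAP/SSAP pairs recognised on Ethernet */
#define ETH_DSAP_SNA                  0x08    /* SNA */
#define ETH_SSAP_SNA                  0x00    /* SNA */
#define ETH_DSAP_STP                  0x42    /* Spanning Tree Protocol */
#define ETH_SSAP_STP                  0x42    /* Spanning Tree Protocol */
#define ETH_DSAP_IP                   0xaa    /* IP */
#define ETH_SSAP_IP                   0xaa    /* IP */

/* SNAP organisationally unique identifiers (3 bytes) */
#define ETH_ORG_CODE_ETHR              0x000000    /* Encapsulated Ethernet */
#define ETH_ORG_CODE_CDP               0x00000c    /* Cisco Discovery Proto */

/* Link-layer header sizes.  FABRICPATH_HEADER_LEN used to be defined twice
 * with the same value; it is defined exactly once here.
 * ETHERNET_MAX_LEN_ENCAP is ETHERNET_HEADER_LEN + ETHERNET_MTU + 4-byte FCS;
 * NOTE(review): it leaves no room for an 802.1Q tag (1522 with one tag), so
 * confirm how the decoder treats tagged frames before using it as a bound. */
#define FABRICPATH_HEADER_LEN           16
#define ETHERNET_HEADER_LEN             14
#define ETHERNET_MAX_LEN_ENCAP          1518    /* 802.3 (+LLC) or ether II ? */

/* Cisco MetaData header (ETHERNET_TYPE_CISCO_META): a 2-byte preheader is
 * followed by options whose 16-bit opt_len_type carries the length in the
 * top 3 bits (>> CISCO_META_OPT_LEN_SHIFT) and the type in the low 13 bits
 * (& CISCO_META_OPT_TYPE_MASK). */
#define CISCO_META_PREHEADER_LEN        2
#define CISCO_META_VALID_OPT_LEN        4       /* length of valid options */
#define CISCO_META_OPT_LEN_SHIFT        13      /* right shift opt_len_type to get option length */
#define CISCO_META_OPT_TYPE_MASK        0x1FFF  /* mask opt_len_type to get option type */
#define CISCO_META_OPT_TYPE_SGT         1

/* PPPoE header: ver/type, code, session id, length */
#define PPPOE_HEADER_LEN                6

/* 802.1Q tag: TPID is already consumed as the EtherType, so this is TCI + encapsulated type */
#define VLAN_HEADER_LEN                  4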
  110 
#ifndef NO_NON_ETHER_DECODER
/* Header sizes for the non-Ethernet link layers (Token Ring, 802.11, SLIP). */
#define MINIMAL_TOKENRING_HEADER_LEN    22
#define MINIMAL_IEEE80211_HEADER_LEN    10    /* Ack frames and others */
#define IEEE802_11_DATA_HDR_LEN         24    /* Header for data packets */
#define TR_HLEN                         MINIMAL_TOKENRING_HEADER_LEN
#define TOKENRING_LLC_LEN                8
#define SLIP_HEADER_LEN                 16

/* Frame type/subtype combinations with version = 0
 *
 * Each value is the first byte of the 802.11 frame control field:
 * bits 0-1 protocol version (0), bits 2-3 frame type, bits 4-7 subtype,
 * e.g. 0xa4 = subtype 1010 << 4 | type 01 << 2.  The columns below list the
 * subtype and type bits that make up each value. */
        /*** FRAME TYPE *****  HEX ****  SUBTYPE TYPE  DESCRIPT ********/
#define WLAN_TYPE_MGMT_ASREQ   0x0      /* 0000    00  Association Req */
#define WLAN_TYPE_MGMT_ASRES   0x10     /* 0001    00  Association Res */
#define WLAN_TYPE_MGMT_REREQ   0x20     /* 0010    00  Reassoc. Req.   */
#define WLAN_TYPE_MGMT_RERES   0x30     /* 0011    00  Reassoc. Resp.  */
#define WLAN_TYPE_MGMT_PRREQ   0x40     /* 0100    00  Probe Request   */
#define WLAN_TYPE_MGMT_PRRES   0x50     /* 0101    00  Probe Response  */
#define WLAN_TYPE_MGMT_BEACON  0x80     /* 1000    00  Beacon          */
#define WLAN_TYPE_MGMT_ATIM    0x90     /* 1001    00  ATIM message    */
#define WLAN_TYPE_MGMT_DIS     0xa0     /* 1010    00  Disassociation  */
#define WLAN_TYPE_MGMT_AUTH    0xb0     /* 1011    00  Authentication  */
#define WLAN_TYPE_MGMT_DEAUTH  0xc0     /* 1100    00  Deauthentication*/

#define WLAN_TYPE_CONT_PS      0xa4     /* 1010    01  Power Save      */
#define WLAN_TYPE_CONT_RTS     0xb4     /* 1011    01  Request to send */
#define WLAN_TYPE_CONT_CTS     0xc4     /* 1100    01  Clear to send   */
#define WLAN_TYPE_CONT_ACK     0xd4     /* 1101    01  Acknowledgement */
#define WLAN_TYPE_CONT_CFE     0xe4     /* 1110    01  Cont. Free end  */
#define WLAN_TYPE_CONT_CFACK   0xf4     /* 1111    01  CF-End + CF-Ack */

#define WLAN_TYPE_DATA_DATA    0x08     /* 0000    10  Data            */
#define WLAN_TYPE_DATA_DTCFACK 0x18     /* 0001    10  Data + CF-Ack   */
#define WLAN_TYPE_DATA_DTCFPL  0x28     /* 0010    10  Data + CF-Poll  */
#define WLAN_TYPE_DATA_DTACKPL 0x38     /* 0011    10  Data+CF-Ack+CF-Pl */
#define WLAN_TYPE_DATA_NULL    0x48     /* 0100    10  Null (no data)  */
#define WLAN_TYPE_DATA_CFACK   0x58     /* 0101    10  CF-Ack (no data)*/
#define WLAN_TYPE_DATA_CFPL    0x68     /* 0110    10  CF-Poll (no data)*/
#define WLAN_TYPE_DATA_ACKPL   0x78     /* 0111    10  CF-Ack+CF-Poll  */

/*** Flags for IEEE 802.11 Frame Control ***/
/* The following are designed to be bitwise-AND-ed against the frame control
 * field.  NOTE(review): the values are 0x0100..0x8000, i.e. 16-bit masks
 * that select bits of the second (flags) byte when the two-byte field is
 * read as a little-endian host uint16_t -- they do not fit in the "8-bit
 * u_char" the old comment described, and the binary column below shows the
 * on-air bit order rather than the mask value.  Confirm against the 802.11
 * decoder before applying these to a raw byte. */
#define WLAN_FLAG_TODS      0x0100    /* To DS Flag   10000000 */
#define WLAN_FLAG_FROMDS    0x0200    /* From DS Flag 01000000 */
#define WLAN_FLAG_FRAG      0x0400    /* More Frag    00100000 */
#define WLAN_FLAG_RETRY     0x0800    /* Retry Flag   00010000 */
#define WLAN_FLAG_PWRMGMT   0x1000    /* Power Mgmt.  00001000 */
#define WLAN_FLAG_MOREDAT   0x2000    /* More Data    00000100 */
#define WLAN_FLAG_WEP       0x4000    /* Wep Enabled  00000010 */
#define WLAN_FLAG_ORDER     0x8000    /* Strict Order 00000001 */

/* IEEE 802.1x eapol types (the packet type byte following the EAPOL version) */
#define EAPOL_TYPE_EAP      0x00      /* EAP packet */
#define EAPOL_TYPE_START    0x01      /* EAPOL start */
#define EAPOL_TYPE_LOGOFF   0x02      /* EAPOL Logoff */
#define EAPOL_TYPE_KEY      0x03      /* EAPOL Key */
#define EAPOL_TYPE_ASF      0x04      /* EAPOL Encapsulated ASF-Alert */

/* Extensible Authentication Protocol Codes RFC 2284 (since obsoleted by RFC 3748;
 * the code and type values below are unchanged there) */
#define EAP_CODE_REQUEST    0x01
#define EAP_CODE_RESPONSE   0x02
#define EAP_CODE_SUCCESS    0x03
#define EAP_CODE_FAILURE    0x04
/* EAP Types (first byte of the Type-Data in Request/Response packets) */
#define EAP_TYPE_IDENTITY   0x01
#define EAP_TYPE_NOTIFY     0x02
#define EAP_TYPE_NAK        0x03
#define EAP_TYPE_MD5        0x04
#define EAP_TYPE_OTP        0x05
#define EAP_TYPE_GTC        0x06
#define EAP_TYPE_TLS        0x0d
#endif  // NO_NON_ETHER_DECODER
  181 
/* Cisco HDLC header values: 1-byte address, 1-byte control, 2-byte protocol */
#define CHDLC_HEADER_LEN        4
#define CHDLC_ADDR_UNICAST      0x0f
#define CHDLC_ADDR_MULTICAST    0x8f
#define CHDLC_ADDR_BROADCAST    0xff
#define CHDLC_CTRL_UNNUMBERED   0x03

/* Teredo values (IPv6 tunnelled in UDP, RFC 4380).
 * The *_LEN values are the minimum sizes of the optional origin and
 * authentication indicators; the decoder is expected to check the remaining
 * length against them before reading either header. */
#define TEREDO_PORT 3544
#define TEREDO_INDICATOR_ORIGIN 0x00
#define TEREDO_INDICATOR_ORIGIN_LEN 8
#define TEREDO_INDICATOR_AUTH 0x01
#define TEREDO_INDICATOR_AUTH_MIN_LEN 13
#define TEREDO_MIN_LEN 2

/* GTP values (GPRS Tunnelling Protocol): minimum header size and the
 * fixed header length of each protocol version */

#define GTP_MIN_LEN 8
#define GTP_V0_HEADER_LEN 20
#define GTP_V1_HEADER_LEN 12
/* ESP constants.  NOTE(review): ESP_AUTH_DATA_LEN assumes a 96-bit ICV; the
 * real ICV length depends on the negotiated integrity algorithm, so this is
 * only a heuristic for locating the trailer, not a guarantee. */
#define ESP_HEADER_LEN 8
#define ESP_AUTH_DATA_LEN 12
#define ESP_TRAILER_LEN 2

/* Number of distinct port values (0..65535) -- an array length, not the
 * largest valid port number. */
#define MAX_PORTS 65536
  208 
/* ppp header structure
 *
 * Address / Control / Protocol bytes at the start of a PPP frame.
 * NOTE(review): the previous comment attributed this layout to RFC 1332
 * Section 3 (IPCP configuration options); the 1-byte address, 1-byte
 * control and 2-byte protocol fields instead match the HDLC-like framing
 * of RFC 1661/1662.  The struct is not packed, but with a 2-byte-aligned
 * unsigned short the protocol field lands at offset 2 with no padding, so
 * sizeof is 4 -- which is what PPP_HDRLEN below relies on.
 *
 */
struct ppp_header {
    unsigned char  address;   /* 0xff for HDLC-like framing */
    unsigned char  control;   /* 0x03 (unnumbered information) */
    unsigned short protocol;  /* network byte order on the wire; see PPP_* below */
};

#ifndef PPP_HDRLEN
    #define PPP_HDRLEN          sizeof(struct ppp_header)
#endif
  224 
/* PPP protocol field values.  NOTE(review): unlike PPP_MTU these are not
 * guarded, so a system <net/ppp_defs.h> that defines them with a different
 * token sequence would make this header a redefinition error. */
#define PPP_IP         0x0021        /* Internet Protocol */
#define PPP_IPV6       0x0057        /* Internet Protocol v6 */
#define PPP_VJ_COMP    0x002d        /* VJ compressed TCP/IP */
#define PPP_VJ_UCOMP   0x002f        /* VJ uncompressed TCP/IP */
#define PPP_IPX        0x002b        /* Novell IPX Protocol */

/* otherwise defined in /usr/include/ppp_defs.h */
#ifndef PPP_MTU
    #define PPP_MTU                 1500
#endif

/* NULL aka LoopBack interfaces: 4-byte address-family word precedes the packet */
#define NULL_HDRLEN             4
  238 
/* enc interface (presumably the BSD enc(4) IPsec capture pseudo-header):
 * address family, SPI and flags, three uint32_t with no padding, so sizeof
 * matches ENC_HEADER_LEN */
struct enc_header {
    uint32_t af;
    uint32_t spi;
    uint32_t flags;
};
#define ENC_HEADER_LEN          12
  246 
/* Fixed (option-less) header lengths in bytes.  ICMP_HEADER_LEN covers
 * type/code/checksum; ICMP_NORMAL_LEN adds the 4-byte "rest of header". */
#define IP_HEADER_LEN           20
#define TCP_HEADER_LEN          20
#define UDP_HEADER_LEN          8
#define ICMP_HEADER_LEN         4
#define ICMP_NORMAL_LEN         8

/* Maximum option bytes: IHL/data offset are 4-bit fields of 32-bit words,
 * so 15 * 4 - 20 = 40 for both IPv4 and TCP. */
#define IP_OPTMAX               40
#define TCP_OPTLENMAX           40 /* (((2^4) - 1) * 4  - TCP_HEADER_LEN) */

/* upper bound on registered LogFunction callbacks (see LogFunction below) */
#define LOG_FUNC_MAX            32

#ifndef IP_MAXPACKET
#define IP_MAXPACKET    65535        /* maximum packet size */
#endif /* IP_MAXPACKET */


/* http://www.iana.org/assignments/ipv6-parameters
 *
 * IPv6 Options (not Extension Headers)
 */
#define IP6_OPT_TUNNEL_ENCAP    0x04
#define IP6_OPT_QUICK_START     0x06
#define IP6_OPT_CALIPSO         0x07
#define IP6_OPT_HOME_ADDRESS    0xC9
#define IP6_OPT_ENDPOINT_IDENT  0x8A

// these are bits in th_flags:
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80
#define TH_RES2 TH_ECE  // TBD TH_RES* should be deleted (see log.c)
#define TH_RES1 TH_CWR
// the six RFC 793 flags; ECE/CWR (the historically "reserved" bits) are excluded
#define TH_NORESERVED (TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG)

// these are bits in th_offx2 (the low nibble; the high nibble is the data offset):
#define TH_RSV  0x0E  // reserved bits
#define TH_NS   0x01  // ECN nonce bit
  290 
/* http://www.iana.org/assignments/tcp-parameters
 *
 * tcp options stuff. used to be in <netinet/tcp.h> but it breaks
 * things on AIX
 *
 * TCPOPT_* is the option kind byte; the matching TCPOLEN_* is the total
 * option length (kind + length + data) for fixed-size options.
 */
#define TCPOPT_EOL              0   /* End of Option List [RFC793] */
#define TCPOLEN_EOL             1   /* Always one byte */

#define TCPOPT_NOP              1   /* No-Option [RFC793] */
#define TCPOLEN_NOP             1   /* Always one byte */

#define TCPOPT_MAXSEG           2   /* Maximum Segment Size [RFC793] */
#define TCPOLEN_MAXSEG          4   /* Always 4 bytes */

#define TCPOPT_WSCALE           3   /* Window scaling option [RFC1323] */
#define TCPOLEN_WSCALE          3   /* 1 byte with logarithmic values */

#define TCPOPT_SACKOK           4    /* Experimental [RFC2018]*/
#define TCPOLEN_SACKOK          2

#define TCPOPT_SACK             5    /* Experimental [RFC2018] variable length */

#define TCPOPT_ECHO             6    /* Echo (obsoleted by option 8)      [RFC1072] */
#define TCPOLEN_ECHO            6    /* 6 bytes  */

#define TCPOPT_ECHOREPLY        7    /* Echo Reply (obsoleted by option 8)[RFC1072] */
#define TCPOLEN_ECHOREPLY       6    /* 6 bytes  */

#define TCPOPT_TIMESTAMP        8   /* Timestamp [RFC1323], 10 bytes */
#define TCPOLEN_TIMESTAMP       10

#define TCPOPT_PARTIAL_PERM     9   /* Partial Order Permitted/ Experimental [RFC1693] */
#define TCPOLEN_PARTIAL_PERM    2   /* Partial Order Permitted/ Experimental [RFC1693] */

#define TCPOPT_PARTIAL_SVC      10  /*  Partial Order Profile [RFC1693] */
#define TCPOLEN_PARTIAL_SVC     3   /*  3 bytes long -- Experimental */

/* at least decode T/TCP options... */
#define TCPOPT_CC               11  /*  T/TCP Connection count  [RFC1644] */
#define TCPOPT_CC_NEW           12  /*  CC.NEW [RFC1644] */
#define TCPOPT_CC_ECHO          13  /*  CC.ECHO [RFC1644] */
#define TCPOLEN_CC             6  /* page 17 of rfc1644 */
#define TCPOLEN_CC_NEW         6  /* page 17 of rfc1644 */
#define TCPOLEN_CC_ECHO        6  /* page 17 of rfc1644 */

#define TCPOPT_ALTCSUM          15  /* TCP Alternate Checksum Data [RFC1146], variable length */
#define TCPOPT_SKEETER          16  /* Skeeter [Knowles] */
#define TCPOPT_BUBBA            17  /* Bubba   [Knowles] */

#define TCPOPT_TRAILER_CSUM     18  /* Trailer Checksum Option [Subbu & Monroe] */
#define TCPOLEN_TRAILER_CSUM  3

#define TCPOPT_MD5SIG           19  /* MD5 Signature Option [RFC2385] */
#define TCPOLEN_MD5SIG        18

/* Space Communications Protocol Standardization */
#define TCPOPT_SCPS             20  /* Capabilities [Scott] */
#define TCPOPT_SELNEGACK        21  /* Selective Negative Acknowledgements [Scott] */
#define TCPOPT_RECORDBOUND         22  /* Record Boundaries [Scott] */
#define TCPOPT_CORRUPTION          23  /* Corruption experienced [Scott] */

#define TCPOPT_SNAP                24  /* SNAP [Sukonnik] -- anyone have info?*/
#define TCPOPT_UNASSIGNED          25  /* Unassigned (released 12/18/00) */
#define TCPOPT_COMPRESSION         26  /* TCP Compression Filter [Bellovin] */
/* http://www.research.att.com/~smb/papers/draft-bellovin-tcpcomp-00.txt*/

#define TCPOPT_AUTH   29  /* [RFC5925] - The TCP Authentication Option
                             Intended to replace MD5 Signature Option [RFC2385] */

#define TCPOPT_TFO    34  /* [RFC7413] - TCP Fast Open */

/* Negative sentinels that cannot collide with an option kind (0..255);
 * presumably returned by the option walker to distinguish an option that
 * runs past the end of the header from one carrying an impossible length. */
#define TCP_OPT_TRUNC -1
#define TCP_OPT_BADLEN -2

/* Why are these lil buggers here? Never Used. -- cmg */
#define TCPOLEN_TSTAMP_APPA     (TCPOLEN_TIMESTAMP+2)    /* appendix A / rfc 1323 */
/* NOP, NOP, TIMESTAMP, 10 packed big-endian into one 32-bit word (0x0101080a) */
#define TCPOPT_TSTAMP_HDR    \
    (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)
  369 
  370 /*
  371  * Default maximum segment size for TCP.
  372  * With an IP MSS of 576, this is 536,
  373  * but 512 is probably more convenient.
  374  * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
  375  */
  376 
  377 #ifndef TCP_MSS
  378     #define    TCP_MSS      512
  379 #endif
  380 
  381 #ifndef TCP_MAXWIN
  382     #define    TCP_MAXWIN   65535    /* largest value for (unscaled) window */
  383 #endif
  384 
  385 #ifndef TCP_MAX_WINSHIFT
  386     #define TCP_MAX_WINSHIFT    14    /* maximum window shift */
  387 #endif
  388 
  389 /*
  390  * User-settable options (used with setsockopt).
  391  */
  392 #ifndef TCP_NODELAY
  393     #define    TCP_NODELAY   0x01    /* don't delay send to coalesce packets */
  394 #endif
  395 
  396 #ifndef TCP_MAXSEG
  397     #define    TCP_MAXSEG    0x02    /* set maximum segment size */
  398 #endif
  399 
  400 #define SOL_TCP        6    /* TCP level */
  401 
  402 
  403 
  404 #define L2TP_PORT           1701
  405 #define DHCP_CLIENT_PORT    68
  406 #define DHCP_SERVER_PORT    67
  407 
#ifndef NO_NON_ETHER_DECODER
/* Start Token Ring */
#define TR_ALEN             6        /* octets in a Token Ring MAC address */
#define IPARP_SAP           0xaa

/* NOTE(review): AC and LLC_FRAME are very generic macro names exported to
 * every includer of this header; they are easy to collide with. */
#define AC                  0x10
#define LLC_FRAME           0x40

/* Routing Control Field (RCF) masks; TR_RCF_LEN_MASK matches the length
 * bits extracted by TRH_MR_LEN() further down. */
#define TRMTU                      2000    /* 2000 bytes            */
#define TR_RII                     0x80
#define TR_RCF_DIR_BIT             0x80
#define TR_RCF_LEN_MASK            0x1f00
#define TR_RCF_BROADCAST           0x8000    /* all-routes broadcast   */
#define TR_RCF_LIMITED_BROADCAST   0xC000    /* single-route broadcast */
#define TR_RCF_FRAME2K             0x20
#define TR_RCF_BROADCAST_MASK      0xC000
/* End Token Ring */

/* Start FDDI */
#define FDDI_ALLC_LEN                   13
#define FDDI_ALEN                       6
#define FDDI_MIN_HLEN                   (FDDI_ALLC_LEN + 3)

/* 802.2 LLC DSAP/SSAP pairs on FDDI (same values as the ETH_* set above) */
#define FDDI_DSAP_SNA                   0x08    /* SNA */
#define FDDI_SSAP_SNA                   0x00    /* SNA */
#define FDDI_DSAP_STP                   0x42    /* Spanning Tree Protocol */
#define FDDI_SSAP_STP                   0x42    /* Spanning Tree Protocol */
#define FDDI_DSAP_IP                    0xaa    /* IP */
#define FDDI_SSAP_IP                    0xaa    /* IP */

#define FDDI_ORG_CODE_ETHR              0x000000    /* Encapsulated Ethernet */
#define FDDI_ORG_CODE_CDP               0x00000c    /* Cisco Discovery
                             * Proto(?) */

/* SNAP type used with the Cisco OUI above (not an IEEE EtherType) */
#define ETHERNET_TYPE_CDP               0x2000    /* Cisco Discovery Protocol */
/* End FDDI */
#endif  // NO_NON_ETHER_DECODER
  445 
/* ARP / RARP operation codes (the 16-bit opcode field, host order values) */
#define ARPOP_REQUEST   1    /* ARP request                  */
#define ARPOP_REPLY     2    /* ARP reply                    */
#define ARPOP_RREQUEST  3    /* RARP request                 */
#define ARPOP_RREPLY    4    /* RARP reply                   */

/* PPPoE types (the code byte of the PPPoE header; RFC 2516) */
#define PPPoE_CODE_SESS 0x00 /* PPPoE session */
#define PPPoE_CODE_PADI 0x09 /* PPPoE Active Discovery Initiation */
#define PPPoE_CODE_PADO 0x07 /* PPPoE Active Discovery Offer */
#define PPPoE_CODE_PADR 0x19 /* PPPoE Active Discovery Request */
#define PPPoE_CODE_PADS 0x65 /* PPPoE Active Discovery Session-confirmation */
#define PPPoE_CODE_PADT 0xa7 /* PPPoE Active Discovery Terminate */

/* PPPoE tag types (16-bit TAG_TYPE of the discovery-stage TLVs) */
#define PPPoE_TAG_END_OF_LIST        0x0000
#define PPPoE_TAG_SERVICE_NAME       0x0101
#define PPPoE_TAG_AC_NAME            0x0102
#define PPPoE_TAG_HOST_UNIQ          0x0103
#define PPPoE_TAG_AC_COOKIE          0x0104
#define PPPoE_TAG_VENDOR_SPECIFIC    0x0105
#define PPPoE_TAG_RELAY_SESSION_ID   0x0110
#define PPPoE_TAG_SERVICE_NAME_ERROR 0x0201
#define PPPoE_TAG_AC_SYSTEM_ERROR    0x0202
#define PPPoE_TAG_GENERIC_ERROR      0x0203
  470 
  471 
/* ICMPv4 message types.  NR_ICMP_TYPES is the highest type listed, not a
 * count: a table indexed by type needs NR_ICMP_TYPES + 1 entries. */
#define ICMP_ECHOREPLY          0    /* Echo Reply                   */
#define ICMP_DEST_UNREACH       3    /* Destination Unreachable      */
#define ICMP_SOURCE_QUENCH      4    /* Source Quench                */
#define ICMP_REDIRECT           5    /* Redirect (change route)      */
#define ICMP_ECHO               8    /* Echo Request                 */
#define ICMP_ROUTER_ADVERTISE   9    /* Router Advertisement         */
#define ICMP_ROUTER_SOLICIT     10    /* Router Solicitation          */
#define ICMP_TIME_EXCEEDED      11    /* Time Exceeded                */
#define ICMP_PARAMETERPROB      12    /* Parameter Problem            */
#define ICMP_TIMESTAMP          13    /* Timestamp Request            */
#define ICMP_TIMESTAMPREPLY     14    /* Timestamp Reply              */
#define ICMP_INFO_REQUEST       15    /* Information Request          */
#define ICMP_INFO_REPLY         16    /* Information Reply            */
#define ICMP_ADDRESS            17    /* Address Mask Request         */
#define ICMP_ADDRESSREPLY       18    /* Address Mask Reply           */
#define NR_ICMP_TYPES           18

/* Codes for ICMP UNREACHABLES.  As above, NR_ICMP_UNREACH is the highest
 * valid code (15), so a per-code table needs NR_ICMP_UNREACH + 1 slots. */
#define ICMP_NET_UNREACH        0    /* Network Unreachable          */
#define ICMP_HOST_UNREACH       1    /* Host Unreachable             */
#define ICMP_PROT_UNREACH       2    /* Protocol Unreachable         */
#define ICMP_PORT_UNREACH       3    /* Port Unreachable             */
#define ICMP_FRAG_NEEDED        4    /* Fragmentation Needed/DF set  */
#define ICMP_SR_FAILED          5    /* Source Route failed          */
#define ICMP_NET_UNKNOWN        6
#define ICMP_HOST_UNKNOWN       7
#define ICMP_HOST_ISOLATED      8
#define ICMP_PKT_FILTERED_NET   9
#define ICMP_PKT_FILTERED_HOST  10
#define ICMP_NET_UNR_TOS        11
#define ICMP_HOST_UNR_TOS       12
#define ICMP_PKT_FILTERED       13    /* Packet filtered */
#define ICMP_PREC_VIOLATION     14    /* Precedence violation */
#define ICMP_PREC_CUTOFF        15    /* Precedence cut off */
#define NR_ICMP_UNREACH         15    /* instead of hardcoding immediate
                                       * value */

/* Codes for ICMP_REDIRECT */
#define ICMP_REDIR_NET          0
#define ICMP_REDIR_HOST         1
#define ICMP_REDIR_TOS_NET      2
#define ICMP_REDIR_TOS_HOST     3

/* Codes for ICMP_TIME_EXCEEDED */
#define ICMP_TIMEOUT_TRANSIT    0
#define ICMP_TIMEOUT_REASSY     1

/* Codes for ICMP_PARAMETERPROB */
#define ICMP_PARAM_BADIPHDR     0
#define ICMP_PARAM_OPTMISSING   1
#define ICMP_PARAM_BAD_LENGTH   2
  520 
/* ip option type codes (the full option-type octet: copied flag, class and
 * number).  Each is guarded so a platform <netinet/ip.h> definition wins;
 * if a platform ever defined one of these with a different value, that
 * value -- not the one written here -- is what the decoder would compare
 * against. */
#ifndef IPOPT_EOL
    #define IPOPT_EOL            0x00
#endif

#ifndef IPOPT_NOP
    #define IPOPT_NOP            0x01
#endif

#ifndef IPOPT_RR
    #define IPOPT_RR             0x07
#endif

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT         0x94
#endif

#ifndef IPOPT_TS
    #define IPOPT_TS             0x44
#endif

#ifndef IPOPT_SECURITY
    #define IPOPT_SECURITY       0x82
#endif

#ifndef IPOPT_LSRR
    #define IPOPT_LSRR           0x83
#endif

#ifndef IPOPT_LSRR_E
    #define IPOPT_LSRR_E         0x84
#endif

#ifndef IPOPT_ESEC
    #define IPOPT_ESEC           0x85
#endif

#ifndef IPOPT_SATID
    #define IPOPT_SATID          0x88
#endif

#ifndef IPOPT_SSRR
    #define IPOPT_SSRR           0x89
#endif
  565 
  566 
/* tcp option codes (short aliases of the TCPOPT_* kinds defined above) */
#define TOPT_EOL                0x00
#define TOPT_NOP                0x01
#define TOPT_MSS                0x02
#define TOPT_WS                 0x03
#define TOPT_TS                 0x08
/* NOTE(review): TCPOPT_WSCALE, SACKOK, SACK, ECHO, ECHOREPLY, TIMESTAMP and
 * CC are all defined unconditionally earlier in this file, so the guards
 * below never fire for them and their comments are never the effective
 * ones.  Only TCPOPT_CCNEW / TCPOPT_CCECHO add new names (spelled
 * differently from TCPOPT_CC_NEW / TCPOPT_CC_ECHO above, same values). */
#ifndef TCPOPT_WSCALE
    #define TCPOPT_WSCALE           3     /* window scale factor (rfc1072) */
#endif
#ifndef TCPOPT_SACKOK
    #define    TCPOPT_SACKOK        4     /* selective ack ok (rfc1072) */
#endif
#ifndef TCPOPT_SACK
    #define    TCPOPT_SACK          5     /* selective ack (rfc1072) */
#endif
#ifndef TCPOPT_ECHO
    #define TCPOPT_ECHO             6     /* echo (rfc1072) */
#endif
#ifndef TCPOPT_ECHOREPLY
    #define TCPOPT_ECHOREPLY        7     /* echo (rfc1072) */
#endif
#ifndef TCPOPT_TIMESTAMP
    #define TCPOPT_TIMESTAMP        8     /* timestamps (rfc1323) */
#endif
#ifndef TCPOPT_CC
    #define TCPOPT_CC               11    /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCNEW
    #define TCPOPT_CCNEW            12    /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCECHO
    #define TCPOPT_CCECHO           13    /* T/TCP CC options (rfc1644) */
#endif
  600 
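/*
 * EXTRACT_16BITS(p) / EXTRACT_32BITS(p): read a big-endian 16- or 32-bit
 * field at byte pointer p and return it in host byte order.
 *
 * Packet headers are not guaranteed to be naturally aligned.  On
 * WORDS_MUSTALIGN targets (e.g. SPARC) the value is therefore copied into
 * an aligned temporary with memmove before ntohs/ntohl; previously only the
 * 32-bit reader took that path and the 16-bit one still dereferenced an
 * unaligned pointer, which faults on such targets.  The plain pointer cast
 * on the other path is also a strict-aliasing violation in principle; it is
 * kept there to preserve the existing behaviour of those builds.
 */
#ifdef WORDS_MUSTALIGN

#if defined(__GNUC__)
/* force word-aligned ntohs/ntohl parameter (GNU statement expressions) */
    #define EXTRACT_16BITS(p)  ({ uint16_t __tmp; memmove(&__tmp, (p), sizeof(uint16_t)); (uint16_t) ntohs(__tmp);})
    #define EXTRACT_32BITS(p)  ({ uint32_t __tmp; memmove(&__tmp, (p), sizeof(uint32_t)); (uint32_t) ntohl(__tmp);})
#else
/* NOTE(review): no aligned implementation exists for non-GNU compilers on
 * must-align targets; EXTRACT_16BITS keeps the unaligned cast it always had
 * and EXTRACT_32BITS remains undefined there, exactly as before. A static
 * inline helper would be the portable fix. */
    #define EXTRACT_16BITS(p) ((uint16_t) ntohs (*(const uint16_t *)(p)))
#endif /* __GNUC__ */

#else

/* allows unaligned ntohs/ntohl parameter - dies w/SIGBUS on SPARCs */
    #define EXTRACT_16BITS(p) ((uint16_t) ntohs (*(const uint16_t *)(p)))
    #define EXTRACT_32BITS(p) ((uint32_t) ntohl (*(const uint32_t *)(p)))

#endif                /* WORDS_MUSTALIGN */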
  616 
/* packet status flags
 *
 * NOTE(review): the values from PKT_PURGE onward exceed 32 bits (PKT_FAST_BLOCK
 * needs bit 36), so whatever field holds these flags must be a 64-bit type;
 * any code that copies or masks packet flags through a uint32_t silently
 * drops PKT_PURGE, PKT_H1_ABORT, PKT_UPGRADE_PROTO, PKT_PSEUDO_FLUSH and
 * PKT_FAST_BLOCK. */
#define PKT_REBUILT_FRAG     0x00000001  /* is a rebuilt fragment */
#define PKT_REBUILT_STREAM   0x00000002  /* is a rebuilt stream */
#define PKT_STREAM_UNEST_UNI 0x00000004  /* is from an unestablished stream and
                                          * we've only seen traffic in one direction */
#define PKT_STREAM_EST       0x00000008  /* is from an established stream */

#define PKT_STREAM_INSERT    0x00000010  /* this packet has been queued for stream reassembly */
#define PKT_STREAM_TWH       0x00000020  /* packet completes the 3-way handshake */
#define PKT_FROM_SERVER      0x00000040  /* this packet came from the server
                                            side of a connection (TCP) */
#define PKT_FROM_CLIENT      0x00000080  /* this packet came from the client
                                            side of a connection (TCP) */

#define PKT_PDU_HEAD         0x00000100  /* start of PDU */
#define PKT_PDU_TAIL         0x00000200  /* end of PDU */
#define PKT_UNSURE_ENCAP     0x00000400  /* packet may have incorrect encapsulation layer. */
                                         /* don't alert if "next layer" is invalid. */
#define PKT_HTTP_DECODE      0x00000800  /* this packet has normalized http */

#define PKT_IGNORE           0x00001000  /* this packet should be ignored, based on port */
#define PKT_TRUST            0x00002000  /* this packet should fallback to being whitelisted if no other verdict was specified */
#define PKT_ALLOW_MULTIPLE_DETECT 0x00004000  /* packet has either pipelined mime attachments */
                                              /* or pipeline http requests */
#define PKT_PAYLOAD_OBFUSCATE     0x00008000  /* payload should be obfuscated when logged */

#define PKT_STATELESS        0x00010000  /* Packet has matched a stateless rule */
#define PKT_PASS_RULE        0x00020000  /* this packet has matched a pass rule */
#define PKT_IP_RULE          0x00040000  /* this packet is being evaluated against an IP rule */
#define PKT_IP_RULE_2ND      0x00080000  /* this packet is being evaluated against an IP rule */

#define PKT_LOGGED           0x00100000  /* this packet has been logged */
#define PKT_PSEUDO           0x00200000  /* is a pseudo packet */
#define PKT_MODIFIED         0x00400000  /* packet had normalizations, etc. */
#ifdef NORMALIZER
#define PKT_RESIZED          0x00800000  /* packet has new size; must set modified too */
#endif

// neither of these flags will be set for (full) retransmissions or non-data segments
// a partial overlap results in out of sequence condition
// out of sequence condition is sticky
#define PKT_STREAM_ORDER_OK  0x01000000  /* this segment is in order, w/o gaps */
#define PKT_STREAM_ORDER_BAD 0x02000000  /* this stream had at least one gap */
#define PKT_REASSEMBLED_OLD  0x04000000  /* for backwards compat with so rules */

#define PKT_IPREP_SOURCE_TRIGGERED  0x08000000  /* IP reputation matched on the source address */
#define PKT_IPREP_DATA_SET          0x10000000  /* IP reputation data attached to the packet */
#define PKT_FILE_EVENT_SET          0x20000000  /* a file event has been generated for this packet */
#define PKT_EARLY_REASSEMBLY 0x40000000  /* this packet. part of the expected stream, should have stream reassembly set */
#define PKT_RETRANSMIT       0x80000000  /* this packet is identified as re-transmitted one */
/* ---- flags below this line need a 64-bit flags field ---- */
#define PKT_PURGE            0x0100000000  /* Stream will not flush the data */
#define PKT_H1_ABORT         0x0200000000  /* Used by H1 and H2 paf */
#define PKT_UPGRADE_PROTO    0x0400000000  /* Used by H1 paf */
#define PKT_PSEUDO_FLUSH     0x0800000000  /* pseudo packet generated by a flush */
#define PKT_FAST_BLOCK       0x1000000000 /* pkt blocked by fast-blocking */

/* a packet that is both the start and the end of a PDU */
#define PKT_PDU_FULL (PKT_PDU_HEAD | PKT_PDU_TAIL)

/* either of the flags that marks a stream-reassembled packet */
#define REASSEMBLED_PACKET_FLAGS (PKT_REBUILT_STREAM|PKT_REASSEMBLED_OLD)
  676 
/* Kind of pseudo packet (see PKT_PSEUDO); PSEUDO_PKT_MAX is the count of
 * real kinds and is usable as an array bound, not a valid type itself. */
typedef enum {
    PSEUDO_PKT_IP,          /* IP defragmentation */
    PSEUDO_PKT_TCP,         /* TCP stream reassembly */
    PSEUDO_PKT_DCE_RPKT,    /* DCE/RPC reassembled packet */
    PSEUDO_PKT_SMB_SEG,     /* SMB segment */
    PSEUDO_PKT_DCE_SEG,     /* DCE/RPC segment */
    PSEUDO_PKT_DCE_FRAG,    /* DCE/RPC fragment */
    PSEUDO_PKT_SMB_TRANS,   /* SMB transaction */
    PSEUDO_PKT_PS,          /* port scan */
    PSEUDO_PKT_SDF,         /* sensitive data */
    PSEUDO_PKT_MAX
} PseudoPacketType;
  689 
/* error flags (8-bit field): checksum failures per layer, plus two
 * non-checksum conditions.  PKT_ERR_CKSUM_ANY is exactly the OR of the
 * five checksum bits and must be extended if another one is added. */
#define PKT_ERR_CKSUM_IP     0x01
#define PKT_ERR_CKSUM_TCP    0x02
#define PKT_ERR_CKSUM_UDP    0x04
#define PKT_ERR_CKSUM_ICMP   0x08
#define PKT_ERR_CKSUM_IGMP   0x10
#define PKT_ERR_CKSUM_ANY    0x1F
#define PKT_ERR_BAD_TTL      0x20
#define PKT_ERR_SYN_RL_DROP  0x40   /* dropped by SYN rate limiting */
  699 
  700 /*  D A T A  S T R U C T U R E S  *********************************************/
/* Callback that supplies extra data to log for a session: given the session
 * pointer it fills in a buffer pointer, its length and a type tag and
 * returns an int status (the convention for that status is not visible
 * here).  At most LOG_FUNC_MAX of these are expected to be registered. */
typedef int (*LogFunction)(void *ssnptr, uint8_t **buf, uint32_t *len, uint32_t *type);
  702 
  703 #ifndef NO_NON_ETHER_DECODER
  704 /* Start Token Ring Data Structures */
  705 
  706 #ifdef _MSC_VER
  707     /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
  708     #pragma warning( disable : 4214 )
  709 #endif
  710 
/* LLC structure
 * Token Ring LLC/SNAP header as it appears on the wire: 8 bytes of
 * fixed-width fields, ethertype in network byte order (read it with
 * ntohs as the other accessors in this header do). */
typedef struct _Trh_llc
{
    uint8_t dsap;           /* destination service access point */
    uint8_t ssap;           /* source service access point */
    uint8_t protid[3];      /* SNAP organisation code */
    uint16_t ethertype;     /* encapsulated protocol, network byte order */
}        Trh_llc;
  719 
  720 /* RIF structure
  721  * Linux/tcpdump patch defines tokenring header in dump way, since not
   722  * every tokenring header will have RIF data... we define it separately, and
  723  * a bit more split up
  724  */
  725 
  726 #ifdef _MSC_VER
  727   /* Visual C++ pragma to disable warning messages about nonstandard bit field type */
  728   #pragma warning( disable : 4214 )
  729 #endif
  730 
  731 
  732 /* These are macros to use the bitlevel accesses in the Trh_Mr header
  733 
  734    they haven't been tested and they aren't used much so here is a
  735    listing of what used to be there
  736 
  737    #if defined(WORDS_BIGENDIAN)
  738       uint16_t bcast:3, len:5, dir:1, lf:3, res:4;
  739    #else
  740       uint16_t len:5,         length of RIF field, including RC itself
  741       bcast:3,       broadcast indicator
  742       res:4,         reserved
  743       lf:3,      largest frame size
  744       dir:1;         direction
  745 */
  746 
/* Accessors for the packed 16-bit routing-control word of Trh_mr.  The
 * word is read in network byte order, then masked and shifted so each
 * macro yields the sub-field's own value (bcast 3 bits, len 5 bits,
 * dir 1 bit, lf 3 bits, res 4 bits, as laid out in the comment above).
 * The argument is evaluated once per macro. */
#define TRH_MR_BCAST(trhmr)  ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0xe000) >> 13)
#define TRH_MR_LEN(trhmr)    ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x1F00) >> 8)
#define TRH_MR_DIR(trhmr)    ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0080) >> 7)
#define TRH_MR_LF(trhmr)     ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x0070) >> 4)
#define TRH_MR_RES(trhmr)     ((ntohs((trhmr)->bcast_len_dir_lf_res) & 0x000F))
  752 
/* Token Ring routing information field (RIF).  The packed control word
 * is decoded with the TRH_MR_* macros above.  rseg has room for 8 route
 * segments; how many are actually present in a given frame is given by
 * TRH_MR_LEN, so a decoder must bound on that value rather than on the
 * array size. */
typedef struct _Trh_mr
{
    uint16_t bcast_len_dir_lf_res; /* broadcast/res/framesize/direction */
    uint16_t rseg[8];              /* route segments (up to 8) */
}       Trh_mr;
  758 #ifdef _MSC_VER
  759   /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
  760   #pragma warning( default : 4214 )
  761 #endif
  762 
  763 
/* Token Ring MAC header: access control, frame control, then the
 * destination and source addresses (TR_ALEN bytes each).  Fixed-width,
 * byte-sized fields only, so it can be laid over raw frame bytes. */
typedef struct _Trh_hdr
{
    uint8_t ac;        /* access control field */
    uint8_t fc;        /* frame control field */
    uint8_t daddr[TR_ALEN];    /* destination address */
    uint8_t saddr[TR_ALEN];    /* source address */
}        Trh_hdr;
  771 
  772 #ifdef WIN32
  773     /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
  774     #pragma warning( default : 4214 )
  775 #endif
  776 /* End Token Ring Data Structures */
  777 
  778 
  779 /* Start FDDI Data Structures */
  780 
/* FDDI header is always this: -worm5er
 * Frame control followed by destination and source addresses
 * (FDDI_ALEN bytes each).  Byte-sized fields only. */
typedef struct _Fddi_hdr
{
    uint8_t fc;        /* frame control field */
    uint8_t daddr[FDDI_ALEN];  /* destination address */
    uint8_t saddr[FDDI_ALEN];  /* source address */
}         Fddi_hdr;
  788 
/* splitting the llc up because of variable lengths of the LLC -worm5er
 * First two bytes of an FDDI LLC header; what follows them depends on
 * the SAP values (see the Fddi_llc_* variants below). */
typedef struct _Fddi_llc_saps
{
    uint8_t dsap;   /* destination service access point */
    uint8_t ssap;   /* source service access point */
}              Fddi_llc_saps;
  795 
/* I've found sna frames have two additional bytes after the llc saps -worm5er
 * SNA variant: two control bytes follow Fddi_llc_saps. */
typedef struct _Fddi_llc_sna
{
    uint8_t ctrl_fld[2];    /* control field, 2 bytes */
}             Fddi_llc_sna;
  801 
/* I've also found other frames that seem to have only one byte...  We're only
really interested in the IP data so, until we want other, I'm going to say
the data is one byte beyond this frame...  -worm5er
 * Catch-all variant: a single control byte follows Fddi_llc_saps. */
typedef struct _Fddi_llc_other
{
    uint8_t ctrl_fld[1];    /* control field, 1 byte */
}               Fddi_llc_other;
  809 
/* Just like TR the ip/arp data is setup as such: -worm5er
 * IP/ARP variant: control byte, SNAP organisation code and the
 * ethertype (network byte order), same shape as Trh_llc minus the SAPs. */
typedef struct _Fddi_llc_iparp
{
    uint8_t ctrl_fld;       /* control field */
    uint8_t protid[3];      /* SNAP organisation code */
    uint16_t ethertype;     /* encapsulated protocol, network byte order */
}               Fddi_llc_iparp;
  817 
  818 /* End FDDI Data Structures */
  819 
  820 
  821 /* 'Linux cooked captures' data
  822  * (taken from tcpdump source).
  823  */
  824 
#define SLL_HDR_LEN     16              /* total header length */
#define SLL_ADDRLEN     8               /* length of address field */
/* Linux "cooked" capture (DLT_LINUX_SLL) pseudo header.  The fields sum to
 * SLL_HDR_LEN (2+2+2+8+2 = 16) with no padding.  sll_halen says how many of
 * the 8 sll_addr bytes are meaningful.  Multi-byte fields are in network
 * byte order in the capture format this was taken from (tcpdump). */
typedef struct _SLLHdr {
        uint16_t       sll_pkttype;    /* packet type, one of LINUX_SLL_* below */
        uint16_t       sll_hatype;     /* link-layer address type */
        uint16_t       sll_halen;      /* link-layer address length */
        uint8_t        sll_addr[SLL_ADDRLEN];  /* link-layer address */
        uint16_t       sll_protocol;   /* protocol, see LINUX_SLL_P_* below */
} SLLHdr;
  834 
  835 
  836 /*
  837  * Snort supports 3 versions of the OpenBSD pflog header:
  838  *
  839  * Pflog1_Hdr:  CVS = 1.3,  DLT_OLD_PFLOG = 17,  Length = 28
  840  * Pflog2_Hdr:  CVS = 1.8,  DLT_PFLOG     = 117, Length = 48
  841  * Pflog3_Hdr:  CVS = 1.12, DLT_PFLOG     = 117, Length = 64
   842  * Pflog4_Hdr:  CVS = 1.172, DLT_PFLOG     = 117, Length = 100
  843  *
  844  * Since they have the same DLT, Pflog{2,3}Hdr are distinguished
  845  * by their actual length.  The minimum required length excludes
  846  * padding.
  847  */
  848 /* Old OpenBSD pf firewall pflog0 header
  849  * (information from pf source in kernel)
  850  * the rule, reason, and action codes tell why the firewall dropped it -fleck
  851  */
  852 
/* DLT_OLD_PFLOG header (28 bytes with a 16-byte IFNAMSIZ): address
 * family, interface name, then the rule/reason/action/direction codes.
 * intf is a fixed-size field and is not guaranteed to be NUL-terminated
 * by the producer, so treat it as bytes, not as a C string. */
typedef struct _Pflog1_hdr
{
    uint32_t af;            /* address family */
    char intf[IFNAMSIZ];    /* interface name, fixed width */
    int16_t rule;           /* rule number (signed in this version) */
    uint16_t reason;        /* why pf logged the packet */
    uint16_t action;        /* what pf did with it */
    uint16_t dir;           /* direction */
} Pflog1Hdr;

/* Full on-wire size of the version-1 header. */
#define PFLOG1_HDRLEN (sizeof(struct _Pflog1_hdr))
  864 
  865 /*
  866  * Note that on OpenBSD, af type is sa_family_t. On linux, that's an unsigned
  867  * short, but on OpenBSD, that's a uint8_t, so we should explicitly use uint8_t
  868  * here.  - ronaldo
  869  */
  870 
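#define PFLOG_RULELEN 16    /* width of the ruleset name field */
#define PFLOG_PADLEN  3     /* trailing pad bytes in the v2/v3 headers */

/* DLT_PFLOG header, CVS 1.8 layout (48 bytes with a 16-byte IFNAMSIZ).
 * length is int8_t in this and the v3 layout but uint8_t in Pflog4Hdr; a
 * negative value here must be rejected by the decoder before it is used
 * as a size.  ifname/ruleset are fixed-width and not guaranteed to be
 * NUL-terminated. */
typedef struct _Pflog2_hdr
{
    int8_t   length;                /* header length in bytes */
    uint8_t  af;                    /* address family (uint8_t, see note above) */
    uint8_t  action;
    uint8_t  reason;
    char     ifname[IFNAMSIZ];      /* interface name, fixed width */
    char     ruleset[PFLOG_RULELEN];/* ruleset name, fixed width */
    uint32_t rulenr;
    uint32_t subrulenr;
    uint8_t  dir;
    uint8_t  pad[PFLOG_PADLEN];
} Pflog2Hdr;

/* Full size, and the minimum the decoder needs (full size minus pad). */
#define PFLOG2_HDRLEN (sizeof(struct _Pflog2_hdr))
#define PFLOG2_HDRMIN (PFLOG2_HDRLEN - PFLOG_PADLEN)

/* DLT_PFLOG header, CVS 1.12 layout (64 bytes): v2 plus uid/pid of the
 * socket and of the rule.  Same signed-length caveat as Pflog2Hdr. */
typedef struct _Pflog3_hdr
{
    int8_t   length;                /* header length in bytes */
    uint8_t  af;
    uint8_t  action;
    uint8_t  reason;
    char     ifname[IFNAMSIZ];
    char     ruleset[PFLOG_RULELEN];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint32_t uid;
    uint32_t pid;
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t  dir;
    uint8_t  pad[PFLOG_PADLEN];
} Pflog3Hdr;

#define PFLOG3_HDRLEN (sizeof(struct _Pflog3_hdr))
#define PFLOG3_HDRMIN (PFLOG3_HDRLEN - PFLOG_PADLEN)


/* DLT_PFLOG header, CVS 1.172 layout (100 bytes): v3 plus the rewritten
 * flag and the pre-NAT addresses and ports.  length is unsigned here. */
typedef struct _Pflog4_hdr
{
    uint8_t  length;                /* header length in bytes */
    uint8_t  af;
    uint8_t  action;
    uint8_t  reason;
    char     ifname[IFNAMSIZ];
    char     ruleset[PFLOG_RULELEN];
    uint32_t rulenr;
    uint32_t subrulenr;
    uint32_t uid;
    uint32_t pid;
    uint32_t rule_uid;
    uint32_t rule_pid;
    uint8_t  dir;
    uint8_t  rewritten;             /* non-zero: saddr/daddr/sport/dport are the original (pre-rewrite) values */
    uint8_t  pad[2];
    uint8_t saddr[16];              /* 16 bytes so both v4 and v6 fit */
    uint8_t daddr[16];
    uint16_t sport;
    uint16_t dport;
} Pflog4Hdr;

/* No trailing pad in this layout, so the minimum equals the full size.
 * Parenthesized like the v1-v3 macros so the expansion is a single
 * operand wherever it is used. */
#define PFLOG4_HDRLEN (sizeof(struct _Pflog4_hdr))
#define PFLOG4_HDRMIN (sizeof(struct _Pflog4_hdr))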
  938 
   939 /*
   940  * sll_pkttype values (SLLHdr.sll_pkttype).
   941  */
  942 
/* Values carried in SLLHdr.sll_pkttype: where the packet was headed
 * relative to the capturing host. */
#define LINUX_SLL_HOST          0   /* addressed to this host */
#define LINUX_SLL_BROADCAST     1   /* broadcast */
#define LINUX_SLL_MULTICAST     2   /* multicast */
#define LINUX_SLL_OTHERHOST     3   /* addressed to another host */
#define LINUX_SLL_OUTGOING      4   /* sent by this host */

/* Non-ethertype values carried in SLLHdr.sll_protocol. */

#define LINUX_SLL_P_802_3       0x0001  /* Novell 802.3 frames without 802.2 LLC header */
#define LINUX_SLL_P_802_2       0x0004  /* 802.2 frames (not D/I/X Ethernet) */
  953 #endif  // NO_NON_ETHER_DECODER
  954 
  955 
  956 #ifdef _MSC_VER
  957   /* Visual C++ pragma to disable warning messages
  958    * about nonstandard bit field type
  959    */
  960   #pragma warning( disable : 4214 )
  961 #endif
  962 
/* Accessors for the packed 802.1Q TCI word of VlanTagHdr, read in network
 * byte order: priority is the top 3 bits, CFI the next bit, VLAN id the
 * low 12 bits.  Each macro evaluates its argument once. */
#define VTH_PRIORITY(vh)  ((ntohs((vh)->vth_pri_cfi_vlan) & 0xe000) >> 13)
#define VTH_CFI(vh)       ((ntohs((vh)->vth_pri_cfi_vlan) & 0x1000) >> 12)
#define VTH_VLAN(vh)      ((uint16_t)(ntohs((vh)->vth_pri_cfi_vlan) & 0x0FFF))
  966 
/* 802.1Q VLAN tag as it follows the Ethernet ethertype: the packed
 * priority/CFI/VLAN word (decode with VTH_* above) and the encapsulated
 * ethertype, both in network byte order. */
typedef struct _VlanTagHdr
{
    uint16_t vth_pri_cfi_vlan;  /* priority:3, CFI:1, VLAN id:12 */
    uint16_t vth_proto;  /* protocol field... */
} VlanTagHdr;
  972 #ifdef _MSC_VER
  973   /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
  974   #pragma warning( default : 4214 )
  975 #endif
  976 
  977 
/* First two bytes of an 802.2 LLC header following an 802.3 length
 * field; what follows depends on the SAPs (see EthLlcOther). */
typedef struct _EthLlc
{
    uint8_t dsap;   /* destination service access point */
    uint8_t ssap;   /* source service access point */
} EthLlc;
  983 
/* Remainder of an LLC/SNAP header after EthLlc: control byte, SNAP
 * organisation code and the protocol id (network byte order). */
typedef struct _EthLlcOther
{
    uint8_t ctrl;           /* control field */
    uint8_t org_code[3];    /* SNAP organisation code */
    uint16_t proto_id;      /* encapsulated protocol, network byte order */
} EthLlcOther;
  990 
/* We must twiddle to align the offset the ethernet header and align
 * the IP header on solaris -- maybe this will work on HPUX too.
 *
 * Byte offset the decoder shifts the frame by on strict-alignment
 * platforms so that the 14-byte Ethernet header leaves the IP header
 * 4-byte aligned; zero elsewhere.
 */
#if defined (SOLARIS) || defined (SUNOS) || defined (__sparc__) || defined(__sparc64__) || defined (HPUX)
#define SPARC_TWIDDLE       2
#else
#define SPARC_TWIDDLE       0
#endif
  999 
 1000 /*
 1001  * Cisco FabricPath / Data Center Ethernet header
 1002  */
 1003 
/* Cisco FabricPath outer header: 16 bytes, same shape as EtherHdr plus
 * the packed FTag/TTL word.  Multi-byte fields are in network byte order. */
typedef struct _FPathHdr
{
    uint8_t fpath_dst[6];   /* outer destination MAC */
    uint8_t fpath_src[6];   /* outer source MAC */
    uint16_t fpath_type;    /* ethertype */
    uint16_t fptag_extra; /* 10-bit FTag + 6-bit TTL */
} FPathHdr;
 1011 
/* Cisco MetaData header (2 bytes).  length is in 8-byte units, so the
 * decoder must multiply it by 8 before using it as a byte count, and a
 * value that would run past the captured length must be rejected. */
typedef struct _CiscoMetaHdr
{
    uint8_t version; // This must be 1
    uint8_t length; //This is the header size in bytes / 8
} CiscoMetaHdr;
 1017 
 1018 /*
 1019  * Cisco MetaData header options
 1020  */
 1021 
/* One Cisco MetaData option (4 bytes): a packed length/type word and the
 * Security Group Tag.  A length field of 0 means 4 bytes.  Both fields
 * are 16-bit wire values; read them with ntohs. */
typedef struct _CiscoMetaOpt
{
    uint16_t opt_len_type;  /* 3-bit length + 13-bit type. Length of 0 = 4. Type must be 1. */
    uint16_t sgt;           /* Can be any value except 0xFFFF */
} CiscoMetaOpt;
 1027 
 1028 /*
 1029  * Ethernet header
 1030  */
 1031 
/* Ethernet II header, 14 bytes: destination MAC, source MAC and the
 * ethertype in network byte order.  Laid directly over frame bytes. */
typedef struct _EtherHdr
{
    uint8_t ether_dst[6];   /* destination MAC */
    uint8_t ether_src[6];   /* source MAC */
    uint16_t ether_type;    /* ethertype, network byte order */

} EtherHdr;
 1039 
 1040 
 1041 #ifndef NO_NON_ETHER_DECODER
 1042 /*
 1043  *  Wireless Header (IEEE 802.11)
 1044  */
/* IEEE 802.11 MAC header in its longest (four-address) form, 30 bytes.
 * Whether addr4 is actually present depends on frame_control; the decoder
 * must check that before reading it. */
typedef struct _WifiHdr
{
  uint16_t frame_control;   /* frame type/subtype and flags */
  uint16_t duration_id;     /* duration / association id */
  uint8_t  addr1[6];
  uint8_t  addr2[6];
  uint8_t  addr3[6];
  uint16_t seq_control;     /* fragment and sequence numbers */
  uint8_t  addr4[6];        /* only present for WDS (to-DS and from-DS) frames */
} WifiHdr;
 1055 #endif  // NO_NON_ETHER_DECODER
 1056 
 1057 
 1058 /* Can't add any fields not in the real header here
 1059    because of how the decoder uses structure overlaying */
 1060 #ifdef _MSC_VER
 1061   /* Visual C++ pragma to disable warning messages
 1062    * about nonstandard bit field type
 1063    */
 1064   #pragma warning( disable : 4214 )
 1065 #endif
 1066 
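/* tcpdump shows us the way to cross platform compatibility */
/* Read the 4-bit version and header-length nibbles of ip_verhl.  iph is
 * any pointer to a struct with a uint8_t ip_verhl member (IPHdr, IP4Hdr)
 * and is evaluated once. */
#define IP_VER(iph)    (((iph)->ip_verhl & 0xf0) >> 4)
#define IP_HLEN(iph)   ((iph)->ip_verhl & 0x0f)

/* we need to change them as well as get them */
/* The value operand is parenthesized so that an expression argument
 * (a | b, a ? b : c, ...) is shifted or masked as a whole instead of being
 * spliced into the surrounding expression.  SET_IP_HLEN keeps only the low
 * nibble of value; SET_IP_VER relies on the cast to drop anything the shift
 * pushes above bit 7. */
#define SET_IP_VER(iph, value)  ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0x0f) | ((value) << 4)))
#define SET_IP_HLEN(iph, value)  ((iph)->ip_verhl = (unsigned char)(((iph)->ip_verhl & 0xf0) | ((value) & 0x0f)))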
 1074 
/* Size of a table indexed by the 8-bit IP protocol number. */
#define NUM_IP_PROTOS 256

/* Last updated 6/2/2010.
   Source: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
   First protocol number that was unassigned at that date; numbers from
   here up are treated as unassigned unless this is refreshed. */
#define MIN_UNASSIGNED_IP_PROTO 143

/* Protocol numbers the system headers may not provide; each guard keeps
 * the platform's own definition when it exists. */
#ifndef IPPROTO_SWIPE
#define IPPROTO_SWIPE           53
#endif
#ifndef IPPROTO_IP_MOBILITY
#define IPPROTO_IP_MOBILITY     55
#endif
#ifndef IPPROTO_SUN_ND
#define IPPROTO_SUN_ND          77
#endif
#ifndef IPPROTO_PIM
#define IPPROTO_PIM             103
#endif
#ifndef IPPROTO_PGM
#define IPPROTO_PGM             113
#endif
 1096 
/* IPv4 header as it appears on the wire (20 bytes without options).  It
 * is laid directly over packet bytes (see the overlaying note above), so
 * the field list must match the real header exactly.  Multi-byte fields
 * are in network byte order; use IP_VER/IP_HLEN for the first byte. */
typedef struct _IPHdr
{
    uint8_t ip_verhl;      /* version & header length */
    uint8_t ip_tos;        /* type of service */
    uint16_t ip_len;       /* datagram length */
    uint16_t ip_id;        /* identification  */
    uint16_t ip_off;       /* fragment offset */
    uint8_t ip_ttl;        /* time to live field */
    uint8_t ip_proto;      /* datagram protocol */
    uint16_t ip_csum;      /* checksum */
    struct in_addr ip_src;  /* source IP */
    struct in_addr ip_dst;  /* dest IP */
} IPHdr;
 1110 
/* Address pair in Snort's own sfaddr_t form (v4 or v6), referenced from
 * IP4Hdr/IP6Hdr rather than embedded so those structs stay small. */
typedef struct _IPAddresses
{
    sfaddr_t ip_src;       /* source IP */
    sfaddr_t ip_dst;       /* dest IP */
} IPAddresses;
 1116 
/* Decoded IPv4 header.  Unlike IPHdr this is NOT a wire overlay: the
 * addresses are reached through a pointer, so it is filled in by the
 * decoder rather than cast from packet bytes.  The scalar fields mirror
 * IPHdr and keep the wire byte order the decoder gave them. */
typedef struct _IPv4Hdr
{
    uint8_t ip_verhl;      /* version & header length */
    uint8_t ip_tos;        /* type of service */
    uint16_t ip_len;       /* datagram length */
    uint16_t ip_id;        /* identification  */
    uint16_t ip_off;       /* fragment offset */
    uint8_t ip_ttl;        /* time to live field */
    uint8_t ip_proto;      /* datagram protocol */
    uint16_t ip_csum;      /* checksum */
    IPAddresses* ip_addrs; /* IP addresses, not owned by this struct */
} IP4Hdr;
 1129 
/* Decoded IPv6 header.  Like IP4Hdr this is filled in by the decoder,
 * not overlaid on packet bytes (the raw layout is IP6RawHdr below);
 * addresses are reached through a pointer. */
typedef struct _IPv6Hdr
{
    uint32_t vcl;      /* version, class, and label */
    uint16_t len;      /* length of the payload */
    uint8_t  next;     /* next header
                         * Uses the same flags as
                         * the IPv4 protocol field */
    uint8_t  hop_lmt;  /* hop limit */
    IPAddresses* ip_addrs; /* IP addresses, not owned by this struct */
} IP6Hdr;
 1140 
/* IPv6 address
 * Compatibility definition used only when the system headers did not
 * provide struct in6_addr (detected via the s6_addr macro).  The three
 * s6_addr* macros give the usual BSD-style views of the 16 bytes. */
#ifndef s6_addr
struct in6_addr
{
    union
    {
        uint8_t u6_addr8[16];
        uint16_t u6_addr16[8];
        uint32_t u6_addr32[4];
    } in6_u;
#define s6_addr         in6_u.u6_addr8
#define s6_addr16       in6_u.u6_addr16
#define s6_addr32       in6_u.u6_addr32
};
#endif
 1156 
/* IPv6 base header as it appears on the wire (IP6_HDR_LEN = 40 bytes),
 * suitable for overlaying on packet bytes.  Multi-byte fields are in
 * network byte order; IPRAW_HDR_VER below extracts the version. */
typedef struct _IP6RawHdr
{
    uint32_t ip6_vtf;               /* 4 bits version, 8 bits TC,
                                        20 bits flow-ID */
    uint16_t ip6_payload_len;               /* payload length */
    uint8_t  ip6_next;                /* next header */
    uint8_t  ip6_hoplim;               /* hop limit */

    struct in6_addr ip6_src;      /* source address */
    struct in6_addr ip6_dst;      /* destination address */
} IP6RawHdr;
 1168 
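/* BSD-style aliases for the IP6RawHdr member names.  These are plain
 * object-like macros: every identifier spelled ip6flow/ip6plen/ip6nxt/
 * ip6hlim/ip6hops after this point is rewritten, not only member
 * accesses on IP6RawHdr. */
#define ip6flow  ip6_vtf
#define ip6plen  ip6_payload_len
#define ip6nxt   ip6_next
#define ip6hlim  ip6_hoplim
#define ip6hops  ip6_hoplim

/* Top 4 bits of the version/class/flow word, i.e. the IP version.  The
 * argument is parenthesized so pointer expressions (p + 1, c ? a : b)
 * work as the operand of ->. */
#define IPRAW_HDR_VER(p_rawiph) \
   (ntohl((p_rawiph)->ip6_vtf) >> 28)

/* Size of the fixed IPv6 base header, the same as sizeof(IP6RawHdr). */
#define IP6_HDR_LEN 40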
 1179 
/* IPv6 next-header values for the extension headers the decoder walks,
 * plus the tunnelling protocols.  HOPOPTS is guarded because some system
 * headers already define it.  IP_PROTO_IPIP duplicates the value of
 * IPPROTO_IPIP (defined further down under its own guard). */
#ifndef IP_PROTO_HOPOPTS
# define IP_PROTO_HOPOPTS    0
#endif

#define IP_PROTO_NONE       59  /* no next header */
#define IP_PROTO_ROUTING    43  /* routing header (IP6Route) */
#define IP_PROTO_FRAGMENT   44  /* fragment header (IP6Frag) */
#define IP_PROTO_AH         51  /* authentication header */
#define IP_PROTO_DSTOPTS    60  /* destination options (IP6Dest) */
#define IP_PROTO_ICMPV6     58  /* ICMPv6 */
#define IP_PROTO_IPV6       41  /* IPv6-in-IP */
#define IP_PROTO_IPIP       4   /* IPv4-in-IP */
 1192 
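#define IP6F_OFFSET_MASK    0xfff8  /* mask out offset from _offlg */
#define IP6F_MF_MASK        0x0001  /* more-fragments flag */

/* Accessors for IP6Frag.  ip6f_offlg is read in network byte order;
 * IP6F_OFFSET yields the 13-bit fragment-offset field value (callers
 * scale it to bytes as the protocol requires), IP6F_MF the raw
 * more-fragments bit (0 or 1).  Every expansion is fully parenthesized
 * and evaluates fh once. */
#define IP6F_OFFSET(fh) ((ntohs((fh)->ip6f_offlg) & IP6F_OFFSET_MASK) >> 3)
#define IP6F_RES(fh)    ((fh)->ip6f_reserved)
#define IP6F_MF(fh)     (ntohs((fh)->ip6f_offlg) & IP6F_MF_MASK)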
 1199 
/* to store references to IP6 Extension Headers
 * Decoder bookkeeping, not a wire layout: the header type and a pointer
 * into the packet buffer where that extension header starts. */
typedef struct _IP6Option
{
    uint8_t type;           /* next-header value of the extension header */
    const uint8_t *data;    /* points into the packet; not owned */
} IP6Option;
 1206 
/* Generic Extension Header
 * Common 8-byte prefix shared by the hop-by-hop and destination-options
 * headers.  ip6e_len is the remaining header length in 8-octet units
 * excluding the first 8 octets, so the decoder must scale and bound it
 * before skipping ahead. */
typedef struct _IP6Extension
{
    uint8_t ip6e_nxt;       /* next header */
    uint8_t ip6e_len;       /* length in 8-octet units, not counting the first 8 */
    /* options follow */
    uint8_t ip6e_pad[6];    /* first 6 option bytes */
} IP6Extension;
 1215 
/* Hop-by-hop options header; same 8-byte shape as IP6Extension. */
typedef struct _IP6HopByHop
{
    uint8_t ip6hbh_nxt;     /* next header */
    uint8_t ip6hbh_len;     /* length in 8-octet units, not counting the first 8 */
    /* options follow */
    uint8_t ip6hbh_pad[6];  /* first 6 option bytes */
} IP6HopByHop;
 1223 
/* Destination options header; same 8-byte shape as IP6Extension. */
typedef struct _IP6Dest
{
    uint8_t ip6dest_nxt;    /* next header */
    uint8_t ip6dest_len;    /* length in 8-octet units, not counting the first 8 */
    /* options follow */
    uint8_t ip6dest_pad[6]; /* first 6 option bytes */
} IP6Dest;
 1231 
/* Routing header, 4-byte common prefix.  The type-specific part that
 * follows is only known once ip6rte_type has been read (see IP6Route0). */
typedef struct _IP6Route
{
    uint8_t ip6rte_nxt;         /* next header */
    uint8_t ip6rte_len;         /* length in 8-octet units, not counting the first 8 */
    uint8_t ip6rte_type;        /* routing type */
    uint8_t ip6rte_seg_left;    /* segments left */
    /* type specific data follows */
} IP6Route;
 1240 
/* Type-0 routing header.  ip6rte0_addr is declared with one element as a
 * placeholder for the address list that follows in the packet; how many
 * addresses are really present must be derived from ip6rte0_len and
 * checked against the captured length before indexing past [0]. */
typedef struct _IP6Route0
{
    uint8_t ip6rte0_nxt;        /* next header */
    uint8_t ip6rte0_len;        /* length in 8-octet units, not counting the first 8 */
    uint8_t ip6rte0_type;       /* routing type, 0 */
    uint8_t ip6rte0_seg_left;   /* segments left */
    uint8_t ip6rte0_reserved;
    uint8_t ip6rte0_bitmap[3];  /* strict/loose bitmap */
    struct in6_addr ip6rte0_addr[1];  /* Up to 23 IP6 addresses; see note above */
} IP6Route0;
 1251 
/* Fragment header
 * Fixed 8-byte IPv6 fragment header; decode ip6f_offlg with the
 * IP6F_OFFSET / IP6F_MF macros above. */
typedef struct _IP6Frag
{
    uint8_t   ip6f_nxt;     /* next header */
    uint8_t   ip6f_reserved;    /* reserved field */
    uint16_t  ip6f_offlg;   /* offset, reserved, and flag */
    uint32_t  ip6f_ident;   /* identification */
} IP6Frag;
 1260 
/* ICMPv6 common header: the 4 bytes every message starts with.  The
 * message-specific structs below repeat these three fields. */
typedef struct _ICMP6
{
    uint8_t type;       /* message type, see ICMP6_* below */
    uint8_t code;       /* type-specific code */
    uint16_t csum;      /* checksum, network byte order */

} ICMP6Hdr;
 1268 
/* ICMPv6 Packet Too Big (type ICMP6_BIG): common header plus the MTU. */
typedef struct _ICMP6TooBig
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint32_t mtu;       /* MTU of the next hop, network byte order */
} ICMP6TooBig;
 1276 
/* ICMPv6 Router Advertisement (type ICMP6_ADVERTISEMENT) fixed part.
 * The field names follow the ICMPv4 router-advertisement layout; treat
 * the interpretation of num_addrs / addr_entry_size as inherited from
 * that and verify against the decoder before relying on them. */
typedef struct _ICMP6RouterAdvertisement
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint8_t num_addrs;
    uint8_t addr_entry_size;
    uint16_t lifetime;
    uint32_t reachable_time;
    uint32_t retrans_time;
} ICMP6RouterAdvertisement;
 1288 
/* ICMPv6 Router Solicitation (type ICMP6_SOLICITATION): common header
 * plus a reserved word; options may follow in the packet. */
typedef struct _ICMP6RouterSolicitation
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint32_t reserved;
} ICMP6RouterSolicitation;
 1296 
/* ICMPv6 Node Information query/response fixed part (types
 * ICMP6_NODE_INFO_QUERY / ICMP6_NODE_INFO_RESPONSE). */
typedef struct _ICMP6NodeInfo
{
    uint8_t type;
    uint8_t code;
    uint16_t csum;
    uint16_t qtype;     /* query type */
    uint16_t flags;
    uint64_t nonce;     /* request/reply matching value */
} ICMP6NodeInfo;
 1306 
/* ICMPv6 message types the decoder recognises (ICMP6Hdr.type). */
#define ICMP6_UNREACH 1
#define ICMP6_BIG    2
#define ICMP6_TIME   3
#define ICMP6_PARAMS 4
#define ICMP6_ECHO   128
#define ICMP6_REPLY  129
#define ICMP6_SOLICITATION 133
#define ICMP6_ADVERTISEMENT 134
#define ICMP6_NODE_INFO_QUERY 139
#define ICMP6_NODE_INFO_RESPONSE 140

/* Shortest ICMPv6 header the decoder can accept: type, code and checksum,
 * i.e. sizeof(ICMP6Hdr) == 4.  ICMP6Hdr has no trailing 'body' member, so
 * nothing is subtracted here. */
#define ICMP6_MIN_HEADER_LEN (sizeof(ICMP6Hdr) )
 1320 
 1321 #ifdef _MSC_VER
 1322   /* Visual C++ pragma to enable warning messages about nonstandard bit field type */
 1323   #pragma warning( default : 4214 )
 1324 #endif
 1325 
 1326 
 1327 /* Can't add any fields not in the real header here
 1328    because of how the decoder uses structure overlaying */
 1329 #ifdef _MSC_VER
 1330   /* Visual C++ pragma to disable warning
 1331    * messages about nonstandard bit field type
 1332    */
 1333   #pragma warning( disable : 4214 )
 1334 #endif
 1335 
/* IPv4-in-IPv4 protocol number; same value as IP_PROTO_IPIP above.  The
 * guard keeps the system header's definition when there is one. */
#ifndef IPPROTO_IPIP
#define IPPROTO_IPIP 4
#endif
 1339 
/* GRE related stuff
 * Fixed 4-byte GRE header (GRE_HEADER_LEN).  flags/version carry the
 * C/R/K/S/s/recur bits and the version; optional checksum, key, sequence
 * and routing fields follow and their presence must be derived from the
 * GRE_* flag macros below before the decoder reads past these 4 bytes. */
typedef struct _GREHdr
{
    uint8_t flags;          /* C, R, K, S, s and recursion-control bits */
    uint8_t version;        /* flags continued (top 5 bits) and version (low 3) */
    uint16_t ether_type;    /* encapsulated protocol, network byte order */

} GREHdr;
 1348 
 1349 #ifdef GRE
 1350 
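#ifndef IPPROTO_GRE
#define IPPROTO_GRE 47
#endif

/* Protocol types that need special handling after the GRE header. */
#define GRE_TYPE_TRANS_BRIDGING 0x6558
#define GRE_TYPE_PPP            0x880B

/* Sizes of the fixed header and of each optional field, used to compute
 * how far the payload is from the start of GREHdr. */
#define GRE_HEADER_LEN 4
#define GRE_CHKSUM_LEN 2
#define GRE_OFFSET_LEN 2
#define GRE_KEY_LEN 4
#define GRE_SEQ_LEN 4
#define GRE_SRE_HEADER_LEN 4

/* Bit tests on GREHdr.  Each yields the masked bit(s), not 0/1, except
 * GRE_RECUR, GRE_VERSION and GRE_FLAGS which yield the field value.  The
 * argument is parenthesized so that pointer expressions (p + 1, c ? a : b)
 * work as the operand of ->, and is evaluated once. */
#define GRE_CHKSUM(x)  ((x)->flags & 0x80)
#define GRE_ROUTE(x)   ((x)->flags & 0x40)
#define GRE_KEY(x)     ((x)->flags & 0x20)
#define GRE_SEQ(x)     ((x)->flags & 0x10)
#define GRE_SSR(x)     ((x)->flags & 0x08)
#define GRE_RECUR(x)   ((x)->flags & 0x07)
#define GRE_VERSION(x)   ((x)->version & 0x07)
#define GRE_FLAGS(x)     ((x)->version & 0xF8)
#define GRE_PROTO(x)  (ntohs((x)->ether_type))

/* GRE version 1 used with PPTP */
#define GRE_V1_HEADER_LEN 8
#define GRE_V1_ACK_LEN 4
#define GRE_V1_FLAGS(x)  ((x)->version & 0x78)
#define GRE_V1_ACK(x)    ((x)->version & 0x80)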
 1380 
/* ERSPAN type II header (8 bytes) following GRE; decode the packed
 * words with the ERSPAN_* macros below. */
typedef struct _ERSpanType2Hdr
{
    uint16_t ver_vlan;      /* version:4, VLAN id:12 */
    uint16_t flags_spanId;  /* flags and 10-bit span id */
    uint32_t pad;
} ERSpanType2Hdr;
 1387 
/* ERSPAN type III header (20 bytes) following GRE: same first word as
 * type II plus a timestamp and further fields the decoder skips. */
typedef struct _ERSpanType3Hdr
{
    uint16_t ver_vlan;      /* version:4, VLAN id:12 */
    uint16_t flags_spanId;  /* flags and 10-bit span id */
    uint32_t timestamp;
    uint16_t pad0;
    uint16_t pad1;
    uint32_t pad2;
    uint32_t pad3;
} ERSpanType3Hdr;
 1398 
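/* Field accessors for the ERSpanType{2,3}Hdr structs.  The packed words
 * are read in network byte order; ERSPAN3_TIMESTAMP returns the raw
 * field as stored.  The argument is parenthesized so that pointer
 * expressions work as the operand of -> and is evaluated once. */
#define ERSPAN_VERSION(x)    ((ntohs((x)->ver_vlan) & 0xf000) >> 12)
#define ERSPAN_VLAN(x)       (ntohs((x)->ver_vlan) & 0x0fff)
#define ERSPAN_SPAN_ID(x)    (ntohs((x)->flags_spanId) & 0x03ff)
#define ERSPAN3_TIMESTAMP(x) ((x)->timestamp)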
 1403 
 1404 #endif  /* GRE */
 1405 
 1406 
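/* more macros for TCP offset */
/* Read the data-offset nibble (header length in 32-bit words) and the
 * reserved nibble of th_offx2; tcph is evaluated once. */
#define TCP_OFFSET(tcph)        (((tcph)->th_offx2 & 0xf0) >> 4)
#define TCP_X2(tcph)            ((tcph)->th_offx2 & 0x0f)

/* True when every bit in flags is set in th_flags (not "any bit"). */
#define TCP_ISFLAGSET(tcph, flags) (((tcph)->th_flags & (flags)) == (flags))

/* we need to change them as well as get them */
/* The value operand is parenthesized so that an expression argument
 * (a | b, a ? b : c, ...) is shifted or masked as a whole instead of being
 * spliced into the surrounding expression.  SET_TCP_X2 keeps only the low
 * nibble of value; SET_TCP_OFFSET relies on the cast to drop anything the
 * shift pushes above bit 7. */
#define SET_TCP_OFFSET(tcph, value)  ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0x0f) | ((value) << 4)))
#define SET_TCP_X2(tcph, value)  ((tcph)->th_offx2 = (unsigned char)(((tcph)->th_offx2 & 0xf0) | ((value) & 0x0f)))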
 1416 
/* TCP header as it appears on the wire (20 bytes without options), laid
 * directly over packet bytes; see the overlaying note above.  Multi-byte
 * fields are in network byte order; use TCP_OFFSET/TCP_X2 for th_offx2. */
typedef struct _TCPHdr
{
    uint16_t th_sport;     /* source port */
    uint16_t th_dport;     /* destination port */
    uint32_t th_seq;       /* sequence number */
    uint32_t th_ack;       /* acknowledgement number */
    uint8_t th_offx2;      /* offset and reserved */
    uint8_t th_flags;      /* control bits; test with TCP_ISFLAGSET */
    uint16_t th_win;       /* window */
    uint16_t th_sum;       /* checksum */
    uint16_t th_urp;       /* urgent pointer */

}       TCPHdr;
 1430 #ifdef _MSC_VER
 1431   /* Visual C++ pragma to enable warning messages
 1432    * about nonstandard bit field type
 1433    */
 1434   #pragma warning( default : 4214 )
 1435 #endif
 1436 
 1437 
/* UDP header as it appears on the wire (8 bytes); all fields in network
 * byte order.  uh_len covers header plus payload and must be checked
 * against the captured length before it is trusted. */
typedef struct _UDPHdr
{
    uint16_t uh_sport;  /* source port */
    uint16_t uh_dport;  /* destination port */
    uint16_t uh_len;    /* length of header + payload */
    uint16_t uh_chk;    /* checksum */

}       UDPHdr;
 1446 
 1447 
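/* ICMPv4 header: the 4 common bytes, the second 4-byte word as a union of
 * the type-specific interpretations (icmp_hun), then a union for what
 * follows (icmp_dun).  The s_icmp_* macros give the BSD-style short names
 * for the union members and are defined in the middle of the struct.
 *
 * NOTE(review): icmp_dun contains a pointer member (ih_ip.ip), which on
 * typical 64-bit ABIs raises that union's alignment to 8 and so pads
 * sizeof(ICMPHdr) beyond the 4 + 4 + 12 wire bytes; the decoder's
 * length checks should not assume sizeof(ICMPHdr) is the wire length
 * -- confirm against the decoder. */
typedef struct _ICMPHdr
{
    uint8_t type;       /* message type */
    uint8_t code;       /* type-specific code */
    uint16_t csum;      /* checksum, network byte order */
    union
    {
        /* parameter problem */
        struct
        {
            uint8_t pptr;       /* pointer to the offending byte */
            uint8_t pres1;
            uint16_t pres2;
        } param;

        /* redirect */
        struct in_addr gwaddr;  /* gateway address */

        /* echo, timestamp, info, mask */
        struct idseq
        {
            uint16_t id;
            uint16_t seq;
        } idseq;

        uint32_t sih_void;      /* unused word (unreach, time exceeded, ...) */

        /* fragmentation needed */
        struct pmtu
        {
            uint16_t ipm_void;
            uint16_t nextmtu;   /* MTU of the next hop */
        } pmtu;

        /* router advertisement */
        struct rtradv
        {
            uint8_t num_addrs;
            uint8_t wpa;        /* words per address entry */
            uint16_t lifetime;
        } rtradv;
    } icmp_hun;

#define s_icmp_pptr       icmp_hun.param.pptr
#define s_icmp_gwaddr     icmp_hun.gwaddr
#define s_icmp_id         icmp_hun.idseq.id
#define s_icmp_seq        icmp_hun.idseq.seq
#define s_icmp_void       icmp_hun.sih_void
#define s_icmp_pmvoid     icmp_hun.pmtu.ipm_void
#define s_icmp_nextmtu    icmp_hun.pmtu.nextmtu
#define s_icmp_num_addrs  icmp_hun.rtradv.num_addrs
#define s_icmp_wpa        icmp_hun.rtradv.wpa
#define s_icmp_lifetime   icmp_hun.rtradv.lifetime

    union
    {
        /* timestamp */
        struct ts
        {
            uint32_t otime;
            uint32_t rtime;
            uint32_t ttime;
        } ts;

        /* IP header for unreach */
        struct ih_ip
        {
            IPHdr *ip;          /* pointer, not an overlay of the quoted header; see note above */
            /* options and then 64 bits of data */
        } ip;

        /* router advertisement entry */
        struct ra_addr
        {
            uint32_t addr;
            uint32_t preference;
        } radv;

        uint32_t mask;          /* address mask reply */

        char    data[1];        /* start of variable-length data; bound by the packet length */

    } icmp_dun;
#define s_icmp_otime      icmp_dun.ts.otime
#define s_icmp_rtime      icmp_dun.ts.rtime
#define s_icmp_ttime      icmp_dun.ts.ttime
/* The member is named ip (ih_ip is only its struct tag); the alias used
 * to expand to icmp_dun.ih_ip, which does not exist and could never have
 * compiled, so this correction cannot affect existing callers. */
#define s_icmp_ip         icmp_dun.ip
#define s_icmp_radv       icmp_dun.radv
#define s_icmp_mask       icmp_dun.mask
#define s_icmp_data       icmp_dun.data

}        ICMPHdr;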
 1534 
 1535 
/* Fixed 8-byte ARP header; the address fields that follow are sized by
 * ar_hln/ar_pln (see EtherARP for the Ethernet/IPv4 case).  Multi-byte
 * fields are in network byte order. */
typedef struct _ARPHdr
{
    uint16_t ar_hrd;       /* format of hardware address   */
    uint16_t ar_pro;       /* format of protocol address   */
    uint8_t ar_hln;        /* length of hardware address   */
    uint8_t ar_pln;        /* length of protocol address   */
    uint16_t ar_op;        /* ARP opcode (command)         */
}       ARPHdr;
 1544 
 1545 
 1546 
/* ARP packet for Ethernet (6-byte) hardware and IPv4 (4-byte) protocol
 * addresses, 28 bytes total.  Only valid once ar_hln == 6 and
 * ar_pln == 4 have been checked on the header. */
typedef struct _EtherARP
{
    ARPHdr ea_hdr;      /* fixed-size header */
    uint8_t arp_sha[6];    /* sender hardware address */
    uint8_t arp_spa[4];    /* sender protocol address */
    uint8_t arp_tha[6];    /* target hardware address */
    uint8_t arp_tpa[4];    /* target protocol address */
}         EtherARP;
 1555 
 1556 
 1557 #ifndef NO_NON_ETHER_DECODER
/* EAPOL (802.1X) header following the Ethernet header, 4 bytes. */
typedef struct _EtherEapol
{
    uint8_t  version;  /* EAPOL proto version */
    uint8_t  eaptype;  /* EAPOL Packet type */
    uint16_t len;  /* Packet body length, network byte order */
}         EtherEapol;
 1564 
/* EAP packet header carried inside EAPOL, 4 bytes. */
typedef struct _EAPHdr
{
    uint8_t code;       /* request/response/success/failure */
    uint8_t id;         /* request/response matching id */
    uint16_t len;       /* total EAP packet length, network byte order */
}         EAPHdr;
 1571 
/* EAPOL-Key descriptor body, 44 bytes of fixed-width byte arrays
 * (length is kept as 2 raw bytes rather than a uint16_t). */
typedef struct _EapolKey
{
  uint8_t type;         /* descriptor type */
  uint8_t length[2];    /* key length, 2 raw bytes */
  uint8_t counter[8];   /* replay counter */
  uint8_t iv[16];       /* key IV */
  uint8_t index;        /* key index/flags */
  uint8_t sig[16];      /* key signature */
}       EapolKey;
 1581 #endif  // NO_NON_ETHER_DECODER
 1582 
/* Decoded IP/TCP option: code, data length and a pointer into the
 * packet buffer.  Bookkeeping only, not a wire layout. */
typedef struct _Options
{
    uint8_t code;           /* option kind */
    uint8_t len; /* length of the data section */
    const uint8_t *data;    /* points into the packet; not owned */
} Options;
 1589 
/* PPPoEHdr Header; EtherHdr plus the PPPoE Header
 * The 6-byte PPPoE header itself; the Ethernet header precedes it in the
 * packet.  session and length are network-byte-order wire values. */
typedef struct _PPPoEHdr
{
    unsigned char ver_type;     /* pppoe version/type */
    unsigned char code;         /* pppoe code CODE_* */
    unsigned short session;     /* session id */
    unsigned short length;      /* payload length */
                                /* payload follows */
} PPPoEHdr;
 1599 
/* PPPoE tag; the payload is a sequence of these
 * 4-byte TLV header; length bytes of tag data follow each one and must
 * be bounded by the remaining PPPoE payload length. */
typedef struct _PPPoE_Tag
{
    unsigned short type;    /* tag type TAG_* */
    unsigned short length;    /* tag length */
                            /* payload follows */
} PPPoE_Tag;
 1607 
/* One MPLS label stack entry is 4 bytes on the wire (MplsHdr below is the
 * unpacked form, not this layout).  Labels 0..15 are reserved. */
#define MPLS_HEADER_LEN    4
#define NUM_RESERVED_LABELS    16
#ifdef MPLS_RFC4023_SUPPORT
#define IPPROTO_MPLS    137     /* MPLS-in-IP protocol number */
#endif
 1613 
/* Unpacked MPLS label stack entry.  Not a wire overlay: the fields sum to
 * more than MPLS_HEADER_LEN, so the decoder fills this in from the packed
 * 32-bit entry. */
typedef struct _MplsHdr
{
    uint32_t label;     /* 20-bit label */
    uint8_t  exp;       /* 3-bit traffic class / experimental bits */
    uint8_t  bos;       /* bottom-of-stack flag */
    uint8_t  ttl;       /* time to live */
} MplsHdr;
 1621 
/* Decoded HTTP/2 priority information (from HEADERS/PRIORITY frames);
 * host-order bookkeeping, not a wire overlay. */
typedef struct _H2PriSpec
{
    uint32_t stream_id;     /* stream this one depends on */
    uint32_t weight;
    uint8_t  exclusive;     /* exclusive-dependency flag */
} H2PriSpec;
 1628 
/* Decoded HTTP/2 frame header.  Not a wire overlay (the on-wire frame
 * header is 9 bytes with a 24-bit length); presumably filled in by the
 * HTTP/2 PAF code referenced by the PKT_H1_ABORT/PKT_UPGRADE_PROTO flags
 * -- verify against that code. */
typedef struct _H2Hdr
{
    uint32_t length;        /* frame payload length */
    uint32_t stream_id;
    uint8_t  type;          /* frame type */
    uint8_t  flags;         /* frame flags */
    uint8_t  reserved;
    H2PriSpec pri;          /* priority fields, when present */
} H2Hdr;
 1638 
/* Result codes of the PGM NAK check: error, nothing found, or the
 * vulnerable option pattern was present. */
#define PGM_NAK_ERR -1
#define PGM_NAK_OK 0
#define PGM_NAK_VULN 1
 1642 
/* PGM NAK option as laid over packet bytes.  seq is declared with one
 * element as a placeholder for the sequence list that follows; the real
 * count must be derived from len and bounded by the captured length
 * before indexing past [0]. */
typedef struct _PGM_NAK_OPT
{
    uint8_t type;     /* 02 = vuln */
    uint8_t len;      /* option length */
    uint8_t res[2];
    uint32_t seq[1];    /* could be many many more, but 1 is sufficient; see note above */
} PGM_NAK_OPT;
 1650 
/* PGM NAK body (20 fixed bytes) followed by the first option.  The
 * source and multicast group are each an AFI + reserved word + address. */
typedef struct _PGM_NAK
{
    uint32_t  seqnum;       /* requested sequence number */
    uint16_t  afil1;        /* source address family */
    uint16_t  res1;
    uint32_t  src;          /* source NLA */
    uint16_t  afi2;         /* group address family */
    uint16_t  res2;
    uint32_t  multi;        /* multicast group NLA */
    PGM_NAK_OPT opt;        /* first option; see PGM_NAK_OPT */
} PGM_NAK;
 1662 
/* PGM common header (16 bytes) with a NAK body appended; the body is only
 * meaningful when type says this is a NAK and the packet is long enough. */
typedef struct _PGM_HEADER
{
    uint16_t srcport;
    uint16_t dstport;
    uint8_t  type;          /* packet type */
    uint8_t  opt;           /* option flags */
    uint16_t checksum;
    uint8_t  gsd[6];        /* global source id */
    uint16_t length;        /* TSDU length */
    PGM_NAK  nak;           /* NAK body, valid for NAK packets only */
} PGM_HEADER;
 1674 
/* GTP basic Header
 * First 4 bytes shared by GTP versions; the flag byte's version and
 * E/S/PN bits decide which optional fields follow. */
typedef struct _GTPHdr
{
    uint8_t  flag;              /* flag: version (bit 6-8), PT (5), E (3), S (2), PN (1) */
    uint8_t  type;              /* message type */
    uint16_t length;            /* length, network byte order */

} GTPHdr;
 1683 
 1684 #define LAYER_MAX  32
 1685 
// forward declaration for snort expected session created due to this packet.
// Opaque here; Packet only holds a pointer to it.
struct _ExpectNode;
 1688 
// REMEMBER match any changes you make here in:
// dynamic-plugins/sf_engine/sf_snort_packet.h
//
// Per-packet decode state shared by the decoders and preprocessors.
// Field ORDER is significant: PKT_ZERO_LEN (defined below this struct) is
// offsetof(Packet, ip_options), so only the members before ip_options are
// cleared per packet; everything from ip_options onward keeps whatever the
// previous packet left there until a decoder writes it.  The header pointers
// are presumably views into the raw buffer at pkt (they are const uint8_t* /
// const *Hdr) and so are only meaningful while pkth/pkt are -- confirm in
// decode.c.
typedef struct _Packet
{
    const DAQ_PktHdr_t *pkth;    // packet meta data
    const uint8_t *pkt;         // raw packet data

    //vvv------------------------------------------------
    // TODO convenience stuff to be refactored for layers
    //^^^------------------------------------------------

    //vvv-----------------------------
    EtherARP *ah;
    const EtherHdr *eh;         /* standard TCP/IP/Ethernet/ARP headers */
    const VlanTagHdr *vh;
    EthLlc *ehllc;
    EthLlcOther *ehllcother;
    const PPPoEHdr *pppoeh;     /* Encapsulated PPP of Ether header */
    const GREHdr *greh;
    uint32_t *mpls;
    const CiscoMetaHdr *cmdh;                /* Cisco Metadata Header */

    /* iph: the IP header in effect for this packet; orig_iph: the header of
     * the original datagram embedded in an ICMP error (ICMP_*_UNREACH
     * family) -- the orig_* members below follow the same convention. */
    const IPHdr *iph, *orig_iph;/* and orig. headers for ICMP_*_UNREACH family */
    const IPHdr *inner_iph;     /* if IP-in-IP, this will be the inner IP header */
    const IPHdr *outer_iph;     /* if IP-in-IP, this will be the outer IP header */
    const TCPHdr *tcph, *orig_tcph;
    const UDPHdr *udph, *orig_udph;
    const UDPHdr *inner_udph;   /* if Teredo + UDP, this will be the inner UDP header */
    const UDPHdr *outer_udph;   /* if Teredo + UDP, this will be the outer UDP header */
    const ICMPHdr *icmph, *orig_icmph;

    /* Payload pointers are NULL-able: IsTCP()/IsUDP()/IsICMP() below only
     * vouch for the header pointers, not for data/ip_data. */
    const uint8_t *data;        /* packet payload pointer */
    const uint8_t *ip_data;     /* IP payload pointer */
    const uint8_t *outer_ip_data;  /* Outer IP payload pointer */
    //^^^-----------------------------

    void *ssnptr;               /* for tcp session tracking info... */
    void *fragtracker;          /* for ip fragmentation tracking info... */

    //vvv-----------------------------
    IP4Hdr *ip4h, *orig_ip4h;
    IP6Hdr *ip6h, *orig_ip6h;
    ICMP6Hdr *icmp6h, *orig_icmp6h;

    IPH_API* iph_api;
    IPH_API* orig_iph_api;
    IPH_API* outer_iph_api;
    IPH_API* outer_orig_iph_api;

    int family;
    int orig_family;
    int outer_family;
    //^^^-----------------------------

    PreprocEnableMask preprocessor_bits; /* flags for preprocessors to check */

    uint64_t packet_flags;      /* special flags for the packet (PKT_*); read by the
                                 * PacketWasCooked/PacketHas*/PacketIs* inlines below */

    uint32_t xtradata_mask;     /* bit (id-1) set by SetExtraData(p, id), see BIT() */

    uint16_t proto_bits;        /* PROTO_BIT__* flags */

    //vvv-----------------------------
    uint16_t dsize;             /* packet payload size */
    uint16_t ip_dsize;          /* IP payload size */
    uint16_t alt_dsize;         /* the dsize of a packet before munging (used for log)*/
    uint16_t actual_ip_len;     /* for logging truncated pkts (usually by small snaplen)*/
    uint16_t outer_ip_dsize;    /* Outer IP payload size */
    //^^^-----------------------------

    uint16_t frag_offset;       /* fragment offset number */
    uint16_t ip_frag_len;
    uint16_t ip_options_len;    /* byte length of the raw IP options (ip_options_data) */
    uint16_t tcp_options_len;   /* byte length of the raw TCP options (tcp_options_data) */

    //vvv-----------------------------
    uint16_t sp;                /* source port (TCP/UDP) */
    uint16_t dp;                /* dest port (TCP/UDP) */
    uint16_t orig_sp;           /* source port (TCP/UDP) of original datagram */
    uint16_t orig_dp;           /* dest port (TCP/UDP) of original datagram */
    //^^^-----------------------------
    // and so on ...

    int16_t application_protocol_ordinal;   /* presumably SFTARGET_UNKNOWN_PROTOCOL when unknown */

    uint8_t frag_flag;          /* flag to indicate a fragmented packet */
    uint8_t mf;                 /* more fragments flag */
    uint8_t df;                 /* don't fragment flag */
    uint8_t rf;                 /* IP reserved bit */

    /* Counts of decoded entries; presumably they index ip_options[] /
     * tcp_options[] below and so must stay within IP_OPTMAX / TCP_OPTLENMAX. */
    uint8_t ip_option_count;    /* number of options in this packet */
    uint8_t tcp_option_count;
    uint8_t ip6_extension_count;
    uint8_t ip6_frag_index;

    uint8_t error_flags;        /* flags indicate checksum errors, bad TTLs, etc. */
    uint8_t encapsulated;
    uint8_t GTPencapsulated;
    uint8_t non_ip_pkt;
    uint8_t next_layer;         /* index into layers for next encap; keep < LAYER_MAX */

#ifndef NO_NON_ETHER_DECODER
    const Fddi_hdr *fddihdr;    /* FDDI support headers */
    Fddi_llc_saps *fddisaps;
    Fddi_llc_sna *fddisna;
    Fddi_llc_iparp *fddiiparp;
    Fddi_llc_other *fddiother;

    const Trh_hdr *trh;         /* Token Ring support headers */
    Trh_llc *trhllc;
    Trh_mr *trhmr;

    Pflog1Hdr *pf1h;            /* OpenBSD pflog interface header - version 1 */
    Pflog2Hdr *pf2h;            /* OpenBSD pflog interface header - version 2 */
    Pflog3Hdr *pf3h;            /* OpenBSD pflog interface header - version 3 */
    Pflog4Hdr *pf4h;            /* OpenBSD pflog interface header - version 4 */

#ifdef DLT_LINUX_SLL
    const SLLHdr *sllh;         /* Linux cooked sockets header */
#endif
#ifdef DLT_IEEE802_11
    const WifiHdr *wifih;       /* wireless LAN header */
#endif
    const EtherEapol *eplh;     /* 802.1x EAPOL header */
    const EAPHdr *eaph;
    const uint8_t *eaptype;
    EapolKey *eapolk;
#endif

    // nothing after this point is zeroed ... (PKT_ZERO_LEN == offsetof(Packet,
    // ip_options)); a decoder must not read any member below unless it, or an
    // earlier decoder for the same packet, wrote it first.
    Options ip_options[IP_OPTMAX];         /* ip options decode structure */
    Options tcp_options[TCP_OPTLENMAX];    /* tcp options decode struct */
    IP6Option *ip6_extensions;  /* IPv6 Extension References */
    CiscoMetaOpt *cmd_options;    /* Cisco Metadata header options */

    const uint8_t *ip_frag_start;
    const uint8_t *ip_options_data;
    const uint8_t *tcp_options_data;

    const IP6RawHdr* raw_ip6h;  // innermost raw ip6 header
    Layer layers[LAYER_MAX];    /* decoded encapsulations, next_layer of them in use */

    IPAddresses inner_ips, inner_orig_ips;
    IP4Hdr inner_ip4h, inner_orig_ip4h;
    IP6Hdr inner_ip6h, inner_orig_ip6h;
    IPAddresses outer_ips, outer_orig_ips;
    IP4Hdr outer_ip4h, outer_orig_ip4h;
    IP6Hdr outer_ip6h, outer_orig_ip6h;

    MplsHdr mplsHdr;
    H2Hdr   *h2Hdr;

    PseudoPacketType pseudo_type;    // valid only when PKT_PSEUDO is set
    uint16_t max_dsize;

    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;

    uint32_t iplist_id;
    unsigned char iprep_layer;

    uint8_t ps_proto;  // Used for portscan and unified2 logging (see GetEventProto)

    uint8_t ips_os_selected;
    void    *cur_pp;

    // Expected session created due to this packet.
    struct _ExpectNode* expectedSession;
} Packet;
 1860 
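/* Number of leading bytes of a Packet that are cleared per packet.  Everything
 * from ip_options onward is left untouched (see the "nothing after this point
 * is zeroed" note in the struct), so those members must be written before they
 * are read. */
#define PKT_ZERO_LEN offsetof(Packet, ip_options)

/* Values for Packet.proto_bits. */
#define PROTO_BIT__NONE     0x0000
#define PROTO_BIT__IP       0x0001
#define PROTO_BIT__ARP      0x0002
#define PROTO_BIT__TCP      0x0004
#define PROTO_BIT__UDP      0x0008
#define PROTO_BIT__ICMP     0x0010
#define PROTO_BIT__TEREDO   0x0020
#define PROTO_BIT__GTP      0x0040
#define PROTO_BIT__OTHER    0x8000
#define PROTO_BIT__ALL      0xffff

/* Layer presence tests.  IsTCP/IsUDP/IsICMP require a valid IP header in
 * addition to the transport header pointer being non-NULL. */
#define IsIP(p) (IPH_IS_VALID(p))
#define IsTCP(p) (IsIP(p) && p->tcph)
#define IsUDP(p) (IsIP(p) && p->udph)
#define IsICMP(p) (IsIP(p) && p->icmph)
/* Dereferences p->tcph with no NULL check: only valid once IsTCP(p) holds. */
#define GET_PKT_SEQ(p) (ntohl(p->tcph->th_seq))

/* Macros to deal with sequence numbers - p810 TCP Illustrated vol 2.
 * Modular 32-bit comparison: the unsigned difference (a - b) is reinterpreted
 * as a signed int and ordered by its sign, so the comparisons remain correct
 * across a wrap of the 32-bit sequence space as long as a and b are uint32_t
 * values less than 2^31 apart. */
#define SEQ_LT(a,b)  ((int)((a) - (b)) <  0)
#define SEQ_LEQ(a,b) ((int)((a) - (b)) <= 0)
#define SEQ_GT(a,b)  ((int)((a) - (b)) >  0)
#define SEQ_GEQ(a,b) ((int)((a) - (b)) >= 0)
#define SEQ_EQ(a,b)  ((int)((a) - (b)) == 0)

/* Mask for 1-based bit number i: BIT(1) == 0x1, BIT(32) is the top bit of a
 * 32-bit mask.  i must be in 1..32 -- the shift amount is ((i) - 1) and 0x1 is
 * a signed int, so a shift of 31 or more is not well-defined.  The argument is
 * parenthesized so that compound expressions (e.g. BIT(a | b)) are evaluated
 * as written rather than being bound by the "- 1". */
#define BIT(i) (0x1 << ((i)-1))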
 1888 
/* Pseudo header prepended when checksumming a transport segment: source and
 * destination IPv4 address, a zero byte, the protocol number and the segment
 * length.  The layout matches the IPv4 TCP/UDP pseudo-header, presumably in
 * network byte order -- confirm against the checksum code that fills it. */
typedef struct s_pseudoheader
{
    uint32_t sip, dip;
    uint8_t  zero;
    uint8_t  protocol;
    uint16_t len;

} PSEUDO_HDR;
 1897 
/* Default classification for decoder alerts */
#define DECODE_CLASS 25

/* Per-policy switches controlling which decoder conditions raise an alert and
 * which of those alerts also drop the packet.  Each member is a char used as
 * a boolean (0 = off); the drop_* members pair with the alert switch of the
 * same name (inferred from the names and comments). */
typedef struct _DecoderFlags
{
    char decode_alerts;   /* if decode.c alerts are going to be enabled */
    char oversized_alert;   /* alert if garbage after tcp/udp payload */
    char oversized_drop;   /* drop (not just alert) if garbage after tcp/udp payload -- name-based; original comment duplicated oversized_alert */
    char drop_alerts;     /* drop alerts from decoder */
    char tcpopt_experiment;  /* TcpOptions Decoder */
    char drop_tcpopt_experiment; /* Drop alerts from TcpOptions Decoder */
    char tcpopt_obsolete;    /* Alert on obsolete TCP options */
    char drop_tcpopt_obsolete; /* Drop on alerts from obsolete TCP options */
    char tcpopt_ttcp;        /* Alert on T/TCP options */
    char drop_tcpopt_ttcp;   /* Drop on alerts from T/TCP options */
    char tcpopt_decode;      /* alert on decoder inconsistencies */
    char drop_tcpopt_decode; /* Drop on alerts from decoder inconsistencies */
    char ipopt_decode;      /* alert on decoder inconsistencies */
    char drop_ipopt_decode; /* Drop on alerts from decoder inconsistencies */

    /* To be moved to the frag preprocessor once it supports IPv6 */
    char ipv6_bad_frag_pkt;
    char bsd_icmp_frag;
    char drop_bad_ipv6_frag;

} DecoderFlags;
 1924 
/* Size of the buffer used to format decoder alert messages. */
#define        ALERTMSG_LENGTH 256


/*  P R O T O T Y P E S  ******************************************************/

// root decoders
// Signature: (Packet *, DAQ packet header, raw bytes).  One per link type;
// the amount of data available is presumably taken from the DAQ header.
void DecodeEthPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeNullPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeRawPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeRawPkt6(Packet *, const DAQ_PktHdr_t*, const uint8_t *);

// chained decoders
// Signature: (start of this layer, bytes remaining from that point, Packet *).
// The length is the only bound a chained decoder has on the bytes it may read
// for this layer; header fields inside the data must not be trusted to stay
// within it.
void DecodeARP(const uint8_t *, uint32_t, Packet *);
void DecodeEthLoopback(const uint8_t *, uint32_t, Packet *);
void DecodeVlan(const uint8_t *, const uint32_t, Packet *);
void DecodePppPktEncapsulated(const uint8_t *, const uint32_t, Packet *);
void DecodePPPoEPkt(const uint8_t *, const uint32_t, Packet *);
void DecodeIP(const uint8_t *, const uint32_t, Packet *);
void DecodeIPV6(const uint8_t *, uint32_t, Packet *);
void DecodeTCP(const uint8_t *, const uint32_t, Packet *);
void DecodeUDP(const uint8_t *, const uint32_t, Packet *);
void DecodeICMP(const uint8_t *, const uint32_t, Packet *);
void DecodeICMP6(const uint8_t *, const uint32_t, Packet *);
void DecodeICMPEmbeddedIP(const uint8_t *, const uint32_t, Packet *);
void DecodeICMPEmbeddedIP6(const uint8_t *, const uint32_t, Packet *);
void DecodeIPOptions(const uint8_t *, uint32_t, Packet *);
void DecodeTCPOptions(const uint8_t *, uint32_t, Packet *);
void DecodeTeredo(const uint8_t *, uint32_t, Packet *);
void DecodeAH(const uint8_t *, uint32_t, Packet *);
void DecodeESP(const uint8_t *, uint32_t, Packet *);
void DecodeGTP(const uint8_t *, uint32_t, Packet *);

#ifdef GRE
void DecodeGRE(const uint8_t *, const uint32_t, Packet *);
void DecodeTransBridging(const uint8_t *, const uint32_t, Packet *);
#endif  /* GRE */
/* Raises a decoder alert for an encapsulated layer.  Parameter meanings are
 * not recoverable from this declaration alone (int id?, message, data,
 * length) -- see the definition in decode.c. */
void DecoderAlertEncapsulated(Packet *, int, const char *, const uint8_t *, uint32_t);

#ifdef MPLS
/* Non-zero when addr (host or network order -- check the definition) is in a
 * private range. */
int isPrivateIP(uint32_t addr);
void DecodeEthOverMPLS(const uint8_t*, const uint32_t, Packet*);
void DecodeMPLS(const uint8_t*, const uint32_t, Packet*);
#endif

#ifndef NO_NON_ETHER_DECODER
// root decoders
void DecodeTRPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeFDDIPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeLinuxSLLPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeIEEE80211Pkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeSlipPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeI4LRawIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeI4LCiscoIPPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeChdlcPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeOldPflog(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePppPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodePppSerialPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);
void DecodeEncPkt(Packet *, const DAQ_PktHdr_t*, const uint8_t *);

// chained decoders
void DecodeEAP(const uint8_t *, const uint32_t, Packet *);
void DecodeEapol(const uint8_t *, uint32_t, Packet *);
void DecodeEapolKey(const uint8_t *, uint32_t, Packet *);
void DecodeIPX(const uint8_t *, uint32_t, Packet *);
#endif  // NO_NON_ETHER_DECODER

/* Lifecycle of the BSD fragment hash: Init sizes it (max entries), Cleanup
 * frees it, Reset empties it without freeing (inferred from the names). */
void BsdFragHashInit(int max);
void BsdFragHashCleanup(void);
void BsdFragHashReset(void);

#if defined(WORDS_MUSTALIGN) && !defined(__GNUC__)
/* Unaligned 32-bit load for strict-alignment targets without GCC.  Note the
 * parameter is a non-const u_char *, so callers holding const data must cast. */
uint32_t EXTRACT_32BITS (u_char *);
#endif /* WORDS_MUSTALIGN && !__GNUC__ */

/* Enables (bOn != 0) or disables the decoder rule with the given sid, or all
 * of them when bAll is set -- exact semantics of bOn/bAll are in the
 * definition. */
extern void UpdateDecodeRulesArray(uint32_t sid, int bOn, int bAll);

/*Decode functions that need to be called once the policies are set */
extern void DecodePolicySpecific(Packet *);
 2004 
/* XXX not sure where this guy needs to live at the moment */
/* Fixed-capacity list of port numbers.  Nothing in the type enforces the
 * bound: whoever appends must keep num_entries <= 32 (the array size), and
 * readers must only index ports[0 .. num_entries-1]. */
typedef struct _PortList
{
    int ports[32];   /* 32 is kind of arbitrary */

    int num_entries; /* number of valid leading entries in ports[] */

} PortList;
 2013 
/* Setup/teardown of the "SYN to multicast destination" and "multicast
 * reserved IP" decoder checks.  Each Init takes the snort config; each
 * Destroy presumably releases what the matching Init allocated, so they are
 * expected to be called in pairs. */
void InitSynToMulticastDstIp( struct _SnortConfig * );
void SynToMulticastDstIpDestroy( void );
void InitMulticastReservedIp( struct _SnortConfig * );
void MulticastReservedIpDestroy( void );

/* Negative sentinel for "application protocol not identified", so it cannot
 * collide with a real ordinal; presumably the value carried in
 * Packet.application_protocol_ordinal (an int16_t) when unknown. */
#define SFTARGET_UNKNOWN_PROTOCOL -1
 2020 
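/* Non-zero when PKT_PSEUDO is set in p->packet_flags, i.e. p is a "cooked"
 * pseudo packet (see Packet.pseudo_type) rather than one taken as-is from
 * the wire.  Takes a const Packet, consistent with the other predicates in
 * this header; existing callers passing a non-const Packet* are unaffected. */
static inline int PacketWasCooked(const Packet* p)
{
    return ( p->packet_flags & PKT_PSEUDO ) != 0;
}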
 2025 
/* True when p is a pseudo packet (PKT_PSEUDO set) whose pseudo_type is
 * PSEUDO_PKT_PS.  pseudo_type is only meaningful when PKT_PSEUDO is set, so
 * the flag is tested first. */
static inline bool IsPortscanPacket(const Packet *p)
{
    if (!(p->packet_flags & PKT_PSEUDO))
        return false;
    return p->pseudo_type == PSEUDO_PKT_PS;
}
 2030 
/* Protocol number to report for an event on p: ps_proto for a portscan
 * pseudo packet, the IP protocol when the IP header is valid, else 0. */
static inline uint8_t GetEventProto(const Packet *p)
{
    uint8_t proto = 0;

    if (IsPortscanPacket(p))
        proto = p->ps_proto;
    else if (IPH_IS_VALID(p))
        proto = GET_IPH_PROTO(p);

    return proto;
}
 2037 
/* True when every bit of PKT_PDU_FULL is set in p->packet_flags. */
static inline bool PacketHasFullPDU (const Packet* p)
{
    if ((p->packet_flags & PKT_PDU_FULL) != PKT_PDU_FULL)
        return false;
    return true;
}
 2042 
/* True when PKT_PDU_HEAD is set in p->packet_flags. */
static inline bool PacketHasStartOfPDU (const Packet* p)
{
    return (p->packet_flags & PKT_PDU_HEAD) ? true : false;
}
 2047 
/* True when p carries a rebuilt stream (PKT_REBUILT_STREAM) or the tail of a
 * PDU (PKT_PDU_TAIL); either flag alone is enough. */
static inline bool PacketHasPAFPayload (const Packet* p)
{
    return (p->packet_flags & (PKT_REBUILT_STREAM | PKT_PDU_TAIL)) != 0;
}
 2052 
/* True when p was reassembled by snort, either from a TCP stream
 * (PKT_REBUILT_STREAM) or from IP fragments (PKT_REBUILT_FRAG). */
static inline bool PacketIsRebuilt (const Packet* p)
{
    return (p->packet_flags & PKT_REBUILT_STREAM) ||
           (p->packet_flags & PKT_REBUILT_FRAG);
}
 2057 
/* Record extra-data id xid in p->xtradata_mask.  BIT() shifts by (xid - 1),
 * so xid is a 1-based id and has to be in 1..32 to land inside the 32-bit
 * mask; nothing here checks that. */
static inline void SetExtraData (Packet* p, uint32_t xid)
{
    uint32_t bit = BIT(xid);
    p->xtradata_mask = p->xtradata_mask | bit;
}
 2062 
 2063 #endif  /* __DECODE_H__ */
 2064