Member "snort3_extra-3.1.53.0/src/codecs/cd_token_ring/cd_token_ring.cc" (20 Dec 2022, 7186 Bytes) of package /linux/misc/snort3_extra-3.1.53.0.tar.gz:
1 //--------------------------------------------------------------------------
2 // Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
3 // Copyright (C) 2002-2013 Sourcefire, Inc.
4 // Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
5 //
6 // This program is free software; you can redistribute it and/or modify it
7 // under the terms of the GNU General Public License Version 2 as published
8 // by the Free Software Foundation. You may not use, modify or distribute
9 // this program under any other version of the GNU General Public License.
10 //
11 // This program is distributed in the hope that it will be useful, but
12 // WITHOUT ANY WARRANTY; without even the implied warranty of
13 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 // General Public License for more details.
15 //
16 // You should have received a copy of the GNU General Public License along
17 // with this program; if not, write to the Free Software Foundation, Inc.,
18 // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19 //--------------------------------------------------------------------------
20 // token_ring.h author Josh Rosenbaum <jrosenba@cisco.com>
21
22 #include <daq_dlt.h>
23
24 #include "codecs/codec_module.h"
25 #include "framework/codec.h"
26 #include "protocols/token_ring.h"
27
28 using namespace snort;
29
// File-local declarations for the Token Ring codec plugin: the rule table,
// the module and codec classes, and protocol constants.
namespace
{
// Plugin name and help text, used by the module, the codec and the plugin API
// table further down. NOTE: #define names are not scoped by this namespace;
// they stay visible for the rest of the translation unit.
#define TR_NAME "token_ring"
#define TR_HELP "support for token ring decoding"

// Decoder events exposed as rules by this codec's module. Each of the four
// events is raised by TrCodec::decode() when a frame is too short for the
// header it is about to read. The last entry is { 0, nullptr }, presumably the
// end-of-table sentinel expected by the framework.
static const RuleMap tkr_rules[] =
{
    { DECODE_BAD_TRH, "bad Token Ring header" },
    { DECODE_BAD_TR_ETHLLC, "bad Token Ring ETHLLC header" },
    { DECODE_BAD_TR_MR_LEN, "bad Token Ring MRLEN header" },
    { DECODE_BAD_TRHMR, "bad Token Ring MR header" },
    { 0, nullptr }
};

// Module for the codec; its only job here is to publish tkr_rules.
class TrCodecModule : public BaseCodecModule
{
public:
    TrCodecModule() : BaseCodecModule(TR_NAME, TR_HELP) { }

    // Returns the rule table defined above.
    const RuleMap* get_rules() const override
    { return tkr_rules; }
};

// The codec itself: reports the link type it handles and decodes frames.
// Both methods are defined after this namespace.
class TrCodec : public Codec
{
public:
    TrCodec() : Codec(TR_NAME) { }

    void get_data_link_type(std::vector<int>&) override;
    bool decode(const RawData&, CodecData&, DecodeData&) override;
};

// THESE ARE NEVER USED!!
#define MINIMAL_TOKENRING_HEADER_LEN 22
#define TR_HLEN MINIMAL_TOKENRING_HEADER_LEN
#define TOKENRING_LLC_LEN 8
// DELETE FIN

// NOTE(review): none of the constants below is referenced by the code in this
// file either; decode() takes its sizes from sizeof(token_ring::...) and its
// routing-field length from TRH_MR_LEN().

#define TR_ALEN 6 /* octets in a hardware address (6 is not an Ethernet header length) */

#define AC 0x10
#define LLC_FRAME 0x40

#define TRMTU 2000 /* 2000 bytes */
#define TR_RII 0x80
#define TR_RCF_DIR_BIT 0x80
#define TR_RCF_LEN_MASK 0x1f00
#define TR_RCF_BROADCAST 0x8000 /* all-routes broadcast */
#define TR_RCF_LIMITED_BROADCAST 0xC000 /* single-route broadcast */
#define TR_RCF_FRAME2K 0x20
#define TR_RCF_BROADCAST_MASK 0xC000
} // namespace
82
// Appends the one data link type this codec handles, DLT_IEEE802, to the
// caller-supplied list.
void TrCodec::get_data_link_type(std::vector<int>& v)
{
    v.emplace_back(DLT_IEEE802);
}
87
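// Decode one Token Ring (DLT_IEEE802) frame.
//
// raw:   captured bytes and capture length. The data comes off the wire and is
//        untrusted, so each header is length-checked before it is read.
// codec: on success receives the layer length, the next protocol id taken from
//        the LLC header, and the CODEC_ETHER_NEXT flag. A frame too short for
//        the header being read raises a decoder event on it instead.
//
// Returns true when an LLC header carrying IPARP_SAP was located; false on a
// truncated frame or when neither SAP field matches.
bool TrCodec::decode(const RawData& raw, CodecData& codec, DecodeData&)
{
    const uint32_t cap_len = raw.len;
    uint32_t dataoff; /* data offset is variable here */

    if (cap_len < sizeof(token_ring::Trh_hdr))
    {
        codec_event(codec, DECODE_BAD_TRH);
        return false;
    }

    /*
     * according to rfc 1042:
     *
     * The presence of a Routing Information Field is indicated by the Most
     * Significant Bit (MSB) of the source address, called the Routing
     * Information Indicator (RII). If the RII equals zero, a RIF is
     * not present. If the RII equals 1, the RIF is present.
     * ..
     * However the MSB is already zeroed by this moment, so there's no
     * real way to figure out whether a RIF is present in the packet, so we
     * look for the IPARP signature instead.
     */

    /*
     * first assume a single-ring network with no RIF information in the
     * frame, i.e. the LLC header directly follows the fixed header
     */
    if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc)))
    {
        codec_event(codec, DECODE_BAD_TR_ETHLLC);
        return false;
    }

    const token_ring::Trh_llc* trhllc =
        reinterpret_cast<const token_ring::Trh_llc*>(raw.data + sizeof(token_ring::Trh_hdr));

    if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
    {
        /*
         * DSAP != SSAP != 0xAA .. either the frame doesn't carry IP
         * datagrams or it has RIF information present. We assume
         * the latter ...
         */

        if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) +
            sizeof(token_ring::Trh_mr)))
        {
            codec_event(codec, DECODE_BAD_TRHMR);
            return false;
        }

        const token_ring::Trh_mr* const trhmr =
            reinterpret_cast<const token_ring::Trh_mr*>(raw.data + sizeof(token_ring::Trh_hdr));

        // TRH_MR_LEN() is read from the frame itself, so it is checked against
        // the capture length before it is used as an offset.
        if (cap_len < (sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc) +
            sizeof(token_ring::Trh_mr) + TRH_MR_LEN(trhmr)))
        {
            codec_event(codec, DECODE_BAD_TR_MR_LEN);
            return false;
        }

        // The LLC header sits after the routing field, so re-anchor the pointer
        // there. Without this the SAP test below re-reads the same bytes that
        // already failed above, and every frame taking this branch is rejected
        // before the upper layers are decoded. The length check just above
        // covers this read.
        trhllc = reinterpret_cast<const token_ring::Trh_llc*>(
            raw.data + sizeof(token_ring::Trh_hdr) + TRH_MR_LEN(trhmr));

        dataoff = sizeof(token_ring::Trh_hdr) + TRH_MR_LEN(trhmr) + sizeof(token_ring::Trh_llc);
    }
    else
    {
        dataoff = sizeof(token_ring::Trh_hdr) + sizeof(token_ring::Trh_llc);
    }

    /*
     * ideally we would need to check both SSAP, DSAP, and protoid fields: IP
     * datagrams and ARP requests and replies are transmitted in standard
     * 802.2 LLC Type 1 Unnumbered Information format, control code 3, with
     * the DSAP and the SSAP fields of the 802.2 header set to 170, the
     * assigned global SAP value for SNAP [6]. The 24-bit Organization Code
     * in the SNAP is zero, and the remaining 16 bits are the EtherType from
     * Assigned Numbers [7] (IP = 2048, ARP = 2054). .. but we only check
     * SSAP and DSAP and assume that is enough to trust.
     *
     * Note that the frame is accepted when either field matches, and that
     * this rejection returns false without raising a decoder event.
     */
    if (trhllc->dsap != IPARP_SAP && trhllc->ssap != IPARP_SAP)
    {
        return false;
    }

    codec.lyr_len = dataoff;
    codec.next_prot_id = trhllc->ethertype();
    codec.codec_flags |= CODEC_ETHER_NEXT;
    return true;
}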
181
182 //-------------------------------------------------------------------------
183 // api
184 //-------------------------------------------------------------------------
185
// Plugin hook: allocates the codec's module. Listed next to mod_dtor in tr_api,
// which deletes the object again.
static Module* mod_ctor()
{
    return new TrCodecModule();
}
188
// Plugin hook: deletes a module through its base pointer.
// NOTE(review): relies on Module having a virtual destructor; confirm.
static void mod_dtor(Module* m)
{
    delete m;
}
191
// Plugin hook: allocates a codec instance. The Module argument is unused.
static Codec* ctor(Module*)
{
    return new TrCodec;
}
194
// Plugin hook: deletes a codec instance through its base pointer.
// NOTE(review): relies on Codec having a virtual destructor; confirm.
static void dtor(Codec* cd)
{
    delete cd;
}
197
// Plugin descriptor for the Token Ring codec. The initializer is positional,
// so the order of entries must match the CodecApi declaration (not shown in
// this file); the per-field notes on the base header are inferred from the
// values and should be confirmed against that declaration.
static const CodecApi tr_api =
{
    {
        PT_CODEC,           // plugin type
        sizeof(CodecApi),   // size of this descriptor
        CDAPI_VERSION,      // codec API version
        0,                  // presumably the plugin's own version
        API_RESERVED,
        API_OPTIONS,
        TR_NAME,
        TR_HELP,
        mod_ctor,           // module allocation hook
        mod_dtor            // module release hook
    },
    nullptr, // pinit
    nullptr, // pterm
    nullptr, // tinit
    nullptr, // tterm
    ctor,    // codec allocation hook
    dtor,    // codec release hook
};
219
// nullptr-terminated list of the plugin descriptors this file exports; it holds
// only the Token Ring codec. SO_PUBLIC presumably makes the symbol visible to
// the plugin loader (its definition is not in this file).
SO_PUBLIC const BaseApi* snort_plugins[] =
{
    &tr_api.base,
    nullptr
};
225