文章目錄
雜
版本 snort 2.9.15.1
位置
src/decode.h 1687到1856行
盡力去分析全部的字段
不過可能受時間所限，只能列出我用到的字段；其他的把源碼放上來，方便查看
參考
要分析這個結構體，首先要對協議包格式有所了解
ip包格式說明
Packet源碼
/*
 * Packet: per-packet decode state handed from the Snort decoder to
 * preprocessors and the detection engine (snort 2.9.15.1, src/decode.h).
 *
 * What this definition itself tells a reader:
 *  - pkth/pkt hold the capture as delivered by the DAQ layer; the header
 *    pointers below are filled in by the decoder and, presumably, point into
 *    that same raw buffer (NOTE(review): confirm in decode.c, and treat a NULL
 *    layer pointer as "layer not present" before dereferencing).
 *  - The "nothing after this point is zeroed" marker below implies the fields
 *    above it are cleared per packet and the fields after it are not; those
 *    must only be read when the matching count/flag says they were filled in.
 *  - All sizes and offsets are uint16_t, so they can describe at most 65535
 *    bytes; how they are bounded against the DAQ capture length is not shown
 *    here (NOTE(review): verify in the decoder, since length confusion between
 *    dsize/ip_dsize/actual_ip_len is where truncation bugs would surface).
 */
typedef struct _Packet
{
    const DAQ_PktHdr_t *pkth;           /* capture header from the DAQ layer */
    const uint8_t *pkt;                 // raw packet data
    //vvv------------------------------------------------
    // TODO convenience stuff to be refactored for layers
    //^^^------------------------------------------------
    //vvv-----------------------------
    EtherARP *ah;                       /* ARP header (see EtherARP) */
    const EtherHdr *eh;                 /* standard TCP/IP/Ethernet/ARP headers */
    const VlanTagHdr *vh;               /* 802.1Q VLAN tag, if present */
    EthLlc *ehllc;                      /* Ethernet LLC header */
    EthLlcOther *ehllcother;            /* LLC "other" (non-SNAP) variant */
    const PPPoEHdr *pppoeh;             /* Encapsulated PPP of Ether header */
    const GREHdr *greh;                 /* GRE header, if tunnelled */
    uint32_t *mpls;                     /* MPLS label stack start; presumably raw network-order words -- confirm */
    const CiscoMetaHdr *cmdh;           /* Cisco Metadata Header */
    const IPHdr *iph, *orig_iph;        /* and orig. headers for ICMP_*_UNREACH family */
    const IPHdr *inner_iph;             /* if IP-in-IP, this will be the inner IP header */
    const IPHdr *outer_iph;             /* if IP-in-IP, this will be the outer IP header */
    const TCPHdr *tcph, *orig_tcph;     /* TCP header, and the one quoted in an ICMP error */
    const UDPHdr *udph, *orig_udph;     /* UDP header, and the one quoted in an ICMP error */
    const UDPHdr *inner_udph;           /* if Teredo + UDP, this will be the inner UDP header */
    const UDPHdr *outer_udph;           /* if Teredo + UDP, this will be the outer UDP header */
    const ICMPHdr *icmph, *orig_icmph;  /* ICMP header, and the one quoted in an ICMP error */
    const uint8_t *data;                /* packet payload pointer */
    const uint8_t *ip_data;             /* IP payload pointer */
    const uint8_t *outer_ip_data;       /* Outer IP payload pointer */
    //^^^-----------------------------
    void *ssnptr;                       /* for tcp session tracking info... */
    void *fragtracker;                  /* for ip fragmentation tracking info... */
    //vvv-----------------------------
    IP4Hdr *ip4h, *orig_ip4h;           /* family-specific views of iph/orig_iph (IPv4) */
    IP6Hdr *ip6h, *orig_ip6h;           /* family-specific views of iph/orig_iph (IPv6) */
    ICMP6Hdr *icmp6h, *orig_icmp6h;     /* ICMPv6 header, and the one quoted in an ICMPv6 error */
    IPH_API* iph_api;                   /* accessor table for the IP header; presumably selected by family -- confirm */
    IPH_API* orig_iph_api;              /* same, for the quoted original header */
    IPH_API* outer_iph_api;             /* same, for the outer header of a tunnel */
    IPH_API* outer_orig_iph_api;
    int family;                         /* address family of iph; presumably AF_INET/AF_INET6 -- confirm */
    int orig_family;                    /* address family of orig_iph */
    int outer_family;                   /* address family of outer_iph */
    //^^^-----------------------------
    PreprocEnableMask preprocessor_bits; /* flags for preprocessors to check */
    uint64_t packet_flags;              /* special flags for the packet */
    uint32_t xtradata_mask;             /* bitmask of extra-data items attached to this packet */
    uint16_t proto_bits;                /* bitmask of protocols seen while decoding */
    //vvv-----------------------------
    uint16_t dsize;                     /* packet payload size */
    uint16_t ip_dsize;                  /* IP payload size */
    uint16_t alt_dsize;                 /* the dsize of a packet before munging (used for log)*/
    uint16_t actual_ip_len;             /* for logging truncated pkts (usually by small snaplen)*/
    uint16_t outer_ip_dsize;            /* Outer IP payload size */
    //^^^-----------------------------
    uint16_t frag_offset;               /* fragment offset number */
    uint16_t ip_frag_len;               /* length of the fragment data at ip_frag_start */
    uint16_t ip_options_len;            /* byte length of the raw IP options at ip_options_data */
    uint16_t tcp_options_len;           /* byte length of the raw TCP options at tcp_options_data */
    //vvv-----------------------------
    uint16_t sp;                        /* source port (TCP/UDP) */
    uint16_t dp;                        /* dest port (TCP/UDP) */
    uint16_t orig_sp;                   /* source port (TCP/UDP) of original datagram */
    uint16_t orig_dp;                   /* dest port (TCP/UDP) of original datagram */
    //^^^-----------------------------
    // and so on ...
    int16_t application_protocol_ordinal; /* app-id ordinal; meaning defined by the app-id subsystem, not here */
    uint8_t frag_flag;                  /* flag to indicate a fragmented packet */
    uint8_t mf;                         /* more fragments flag */
    uint8_t df;                         /* don't fragment flag */
    uint8_t rf;                         /* IP reserved bit */
    uint8_t ip_option_count;            /* number of options in this packet */
    uint8_t tcp_option_count;           /* number of decoded TCP options in tcp_options[] */
    uint8_t ip6_extension_count;        /* number of entries referenced by ip6_extensions */
    uint8_t ip6_frag_index;             /* index of the IPv6 fragment extension among ip6_extensions */
    uint8_t error_flags;                /* flags indicate checksum errors, bad TTLs, etc. */
    uint8_t encapsulated;               /* non-zero when a tunnelled inner packet was decoded */
    uint8_t GTPencapsulated;            /* non-zero when the inner packet arrived inside GTP */
    uint8_t next_layer;                 /* index into layers for next encap */
#ifndef NO_NON_ETHER_DECODER
    const Fddi_hdr *fddihdr;            /* FDDI support headers */
    Fddi_llc_saps *fddisaps;
    Fddi_llc_sna *fddisna;
    Fddi_llc_iparp *fddiiparp;
    Fddi_llc_other *fddiother;
    const Trh_hdr *trh;                 /* Token Ring support headers */
    Trh_llc *trhllc;
    Trh_mr *trhmr;
    Pflog1Hdr *pf1h;                    /* OpenBSD pflog interface header - version 1 */
    Pflog2Hdr *pf2h;                    /* OpenBSD pflog interface header - version 2 */
    Pflog3Hdr *pf3h;                    /* OpenBSD pflog interface header - version 3 */
    Pflog4Hdr *pf4h;                    /* OpenBSD pflog interface header - version 4 */
#ifdef DLT_LINUX_SLL
    const SLLHdr *sllh;                 /* Linux cooked sockets header */
#endif
#ifdef DLT_IEEE802_11
    const WifiHdr *wifih;               /* wireless LAN header */
#endif
    const EtherEapol *eplh;             /* 802.1x EAPOL header */
    const EAPHdr *eaph;                 /* EAP header carried inside EAPOL */
    const uint8_t *eaptype;             /* pointer to the EAP type byte */
    EapolKey *eapolk;                   /* EAPOL-Key frame body */
#endif
    // nothing after this point is zeroed ...
    // NOTE(review): the arrays and copies below keep stale data from the previous packet;
    // only ip_option_count / tcp_option_count / ip6_extension_count entries are valid,
    // and those counts are presumably bounded by IP_OPTMAX / TCP_OPTLENMAX -- confirm in the decoder.
    Options ip_options[IP_OPTMAX];      /* ip options decode structure */
    Options tcp_options[TCP_OPTLENMAX]; /* tcp options decode struct */
    IP6Option *ip6_extensions;          /* IPv6 Extension References */
    CiscoMetaOpt *cmd_options;          /* Cisco Metadata header options */
    const uint8_t *ip_frag_start;       /* start of fragment data in the raw buffer (ip_frag_len bytes) */
    const uint8_t *ip_options_data;     /* raw IP option bytes (ip_options_len bytes) */
    const uint8_t *tcp_options_data;    /* raw TCP option bytes (tcp_options_len bytes) */
    const IP6RawHdr* raw_ip6h;          // innermost raw ip6 header
    Layer layers[LAYER_MAX];            /* decoded encapsulations */
    IPAddresses inner_ips, inner_orig_ips;   /* address copies for the inner header and its ICMP-quoted original */
    IP4Hdr inner_ip4h, inner_orig_ip4h;      /* by-value IPv4 header copies (inner) */
    IP6Hdr inner_ip6h, inner_orig_ip6h;      /* by-value IPv6 header copies (inner) */
    IPAddresses outer_ips, outer_orig_ips;   /* address copies for the outer header of a tunnel */
    IP4Hdr outer_ip4h, outer_orig_ip4h;      /* by-value IPv4 header copies (outer) */
    IP6Hdr outer_ip6h, outer_orig_ip6h;      /* by-value IPv6 header copies (outer) */
    MplsHdr mplsHdr;                    /* decoded MPLS header (by value; raw words are at mpls) */
    H2Hdr *h2Hdr;                       /* HTTP/2-related header, set by the owning preprocessor -- not detailed here */
    PseudoPacketType pseudo_type;       // valid only when PKT_PSEUDO is set
    uint16_t max_dsize;                 /* upper bound on dsize for this packet; origin not shown here */
    /**policyId provided in configuration file. Used for correlating configuration
     * with event output
     */
    uint16_t configPolicyId;
    uint32_t iplist_id;                 /* IP reputation list id that matched this packet */
    unsigned char iprep_layer;          /* which encapsulation layer the reputation lookup used */
    uint8_t ps_proto;                   // Used for portscan and unified2 logging
    uint8_t ips_os_selected;            /* target OS policy selected for this packet */
    void *cur_pp;                       /* currently executing preprocessor (opaque) */
    // Expected session created due to this packet.
    struct _ExpectNode* expectedSession;
} Packet;
1. EtherARP *ah
/*
 * EtherARP: ARP packet as carried over Ethernet -- the fixed ARPHdr followed
 * by the sender/target hardware and protocol address pairs.
 *
 * The array sizes are fixed at 6 (hardware) and 4 (protocol) bytes, i.e. this
 * layout assumes Ethernet MAC / IPv4 addresses regardless of what ar_hln and
 * ar_pln in the header claim. NOTE(review): a decoder that casts raw bytes to
 * this struct must have checked that at least sizeof(EtherARP) bytes remain
 * and should validate ar_hln/ar_pln against these fixed sizes -- that check is
 * not visible on this page. Any packing attribute is also not shown here.
 */
typedef struct _EtherARP
{
    ARPHdr ea_hdr;      /* fixed-size header */
    uint8_t arp_sha[6]; /* sender hardware address */
    uint8_t arp_spa[4]; /* sender protocol address */
    uint8_t arp_tha[6]; /* target hardware address */
    uint8_t arp_tpa[4]; /* target protocol address */
} EtherARP;
1.1 ARPHdr ea_hdr
/*
 * ARPHdr: the fixed 8-byte part of an ARP packet (2+2+1+1+2 bytes as declared).
 * The uint16_t fields are taken straight from the wire, so they are presumably
 * in network byte order and need ntohs() before comparison -- confirm in the
 * decoder, since this page does not show the conversion.
 */
typedef struct _ARPHdr
{
    uint16_t ar_hrd; /* format of hardware address */
    uint16_t ar_pro; /* format of protocol address */
    uint8_t ar_hln;  /* length of hardware address */
    uint8_t ar_pln;  /* length of protocol address */
    uint16_t ar_op;  /* ARP opcode (command) */
} ARPHdr;
1.2 uint8_t arp_sha[6]
源MAC地址
1.3 uint8_t arp_spa[4]
1.4 uint8_t arp_tha[6]
1.5 uint8_t arp_tpa[4]
2. EtherHdr *eh
/*
 * EtherHdr: Ethernet II frame header, 14 bytes as declared (6 + 6 + 2).
 * ether_type is read from the wire and is presumably in network byte order --
 * confirm before comparing against host-order constants.
 */
typedef struct _EtherHdr
{
    uint8_t ether_dst[6]; /* destination hardware (MAC) address */
    uint8_t ether_src[6]; /* source hardware (MAC) address */
    uint16_t ether_type;  /* EtherType of the encapsulated protocol */
} EtherHdr;
2.1 uint8_t ether_dst[6]
2.2 uint8_t ether_src[6]
2.3 uint16_t ether_type
3. VlanTagHdr *vh
/*
 * VlanTagHdr: 802.1Q tag, 4 bytes as declared (two uint16_t).
 * vth_pri_cfi_vlan, per its name, packs the priority, CFI and VLAN id bits
 * into one field; the exact bit layout and byte order are not shown on this
 * page -- confirm against the decoder's accessor before masking it.
 */
typedef struct _VlanTagHdr
{
    uint16_t vth_pri_cfi_vlan; /* priority / CFI / VLAN id, packed */
    uint16_t vth_proto;        /* protocol field... */
} VlanTagHdr;