4.13 SFSnortPacket
SFSnortPacket用来镜像Snort抓的包,并且提供访问该包所有数据的接口。 它和与它相关的数据定义在sf_snort_packet.h中
typedef struct _SFSnortPacket
{
const SFDAQ_PktHdr_t *pkt_header; /* Is this GPF'd? */
const uint8_t *pkt_data;
void *ether_arp_header;
const EtherHeader *ether_header;
const void *vlan_tag_header;
void *ether_header_llc;
void *ether_header_other;
const void *ppp_over_ether_header;
const void *gre_header;
uint32_t *mpls;
const IPV4Header *ip4_header, *orig_ip4_header;
const IPV4Header *inner_ip4_header;
const IPV4Header *outer_ip4_header;
const TCPHeader *tcp_header, *orig_tcp_header;
const UDPHeader *udp_header, *orig_udp_header;
const UDPHeader *inner_udph; /* if Teredo + UDP, this will be the inner UDP header */
const UDPHeader *outer_udph; /* if Teredo + UDP, this will be the outer UDP header */
const ICMPHeader *icmp_header, *orig_icmp_header;
const uint8_t *payload;
const uint8_t *ip_payload;
const uint8_t *outer_ip_payload;
void *stream_session;
void *fragmentation_tracking_ptr;
IP4Hdr *ip4h, *orig_ip4h;
IP6Hdr *ip6h, *orig_ip6h;
ICMP6Hdr *icmp6h, *orig_icmp6h;
IPH_API* iph_api;
IPH_API* orig_iph_api;
IPH_API* outer_iph_api;
IPH_API* outer_orig_iph_api;
int family;
int orig_family;
int outer_family;
uint32_t preprocessor_bit_mask;
uint32_t preproc_reassembly_pkt_bit_mask;
uint32_t flags;
uint32_t xtradata_mask;
uint16_t proto_bits;
uint16_t payload_size;
uint16_t ip_payload_size;
uint16_t normalized_payload_size;
uint16_t actual_ip_length;
uint16_t outer_ip_payload_size;
uint16_t ip_fragment_offset;
uint16_t ip_frag_length;
uint16_t ip4_options_length;
uint16_t tcp_options_length;
uint16_t src_port;
uint16_t dst_port;
uint16_t orig_src_port;
uint16_t orig_dst_port;
int16_t application_protocol_ordinal;
uint8_t ip_fragmented;
uint8_t ip_more_fragments;
uint8_t ip_dont_fragment;
uint8_t ip_reserved;
uint8_t num_ip_options;
uint8_t num_tcp_options;
uint8_t num_ip6_extensions;
uint8_t ip6_frag_extension;
uint8_t invalid_flags;
uint8_t encapsulated;
uint8_t GTPencapsulated;
uint8_t next_layer_index;
#ifndef NO_NON_ETHER_DECODER
const void *fddi_header;
void *fddi_saps;
void *fddi_sna;
void *fddi_iparp;
void *fddi_other;
const void *tokenring_header;
void *tokenring_header_llc;
void *tokenring_header_mr;
void *pflog1_header;
void *pflog2_header;
void *pflog3_header;
void *pflog4_header;
#ifdef DLT_LINUX_SLL
const void *sll_header;
#endif
#ifdef DLT_IEEE802_11
const void *wifi_header;
#endif
const void *ether_eapol_header;
const void *eapol_headear;
const uint8_t *eapol_type;
void *eapol_key;
#endif
IPOptions ip_options[MAX_IP_OPTIONS];
TCPOptions tcp_options[MAX_TCP_OPTIONS];
IP6Extension *ip6_extensions;
const uint8_t *ip_frag_start;
const uint8_t *ip4_options_data;
const uint8_t *tcp_options_data;
const IP6RawHdr* raw_ip6_header;
ProtoLayer proto_layers[MAX_PROTO_LAYERS];
IP4Hdr inner_ip4h, inner_orig_ip4h;
IP6Hdr inner_ip6h, inner_orig_ip6h;
IP4Hdr outer_ip4h, outer_orig_ip4h;
IP6Hdr outer_ip6h, outer_orig_ip6h;
MplsHdr mplsHdr;
PseudoPacketType pseudo_type;
uint16_t max_payload;
/**policyId provided in configuration file. Used for correlating configuration
* with event output
*/
uint16_t configPolicyId;
uint32_t iplist_id;
unsigned char iprep_layer;
uint8_t ps_proto; /* Used for portscan and unified2 logging */
uint8_t ips_os_selected;
void *cur_pp;
} SFSnortPacket;