summaryrefslogtreecommitdiffstats
path: root/libnetutil/PacketParser.cc
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--libnetutil/PacketParser.cc1789
1 files changed, 1789 insertions, 0 deletions
diff --git a/libnetutil/PacketParser.cc b/libnetutil/PacketParser.cc
new file mode 100644
index 0000000..01c661b
--- /dev/null
+++ b/libnetutil/PacketParser.cc
@@ -0,0 +1,1789 @@
+/***************************************************************************
+ * PacketParser.cc -- The PacketParser Class offers methods to parse *
+ * received network packets. Its main purpose is to facilitate the *
+ * conversion of raw sequences of bytes into chains of objects of the *
+ * PacketElement family. *
+ * *
+ ***********************IMPORTANT NMAP LICENSE TERMS************************
+ *
+ * The Nmap Security Scanner is (C) 1996-2023 Nmap Software LLC ("The Nmap
+ * Project"). Nmap is also a registered trademark of the Nmap Project.
+ *
+ * This program is distributed under the terms of the Nmap Public Source
+ * License (NPSL). The exact license text applying to a particular Nmap
+ * release or source code control revision is contained in the LICENSE
+ * file distributed with that version of Nmap or source code control
+ * revision. More Nmap copyright/legal information is available from
+ * https://nmap.org/book/man-legal.html, and further information on the
+ * NPSL license itself can be found at https://nmap.org/npsl/ . This
+ * header summarizes some key points from the Nmap license, but is no
+ * substitute for the actual license text.
+ *
+ * Nmap is generally free for end users to download and use themselves,
+ * including commercial use. It is available from https://nmap.org.
+ *
+ * The Nmap license generally prohibits companies from using and
+ * redistributing Nmap in commercial products, but we sell a special Nmap
+ * OEM Edition with a more permissive license and special features for
+ * this purpose. See https://nmap.org/oem/
+ *
+ * If you have received a written Nmap license agreement or contract
+ * stating terms other than these (such as an Nmap OEM license), you may
+ * choose to use and redistribute Nmap under those terms instead.
+ *
+ * The official Nmap Windows builds include the Npcap software
+ * (https://npcap.com) for packet capture and transmission. It is under
+ * separate license terms which forbid redistribution without special
+ * permission. So the official Nmap Windows builds may not be redistributed
+ * without special permission (such as an Nmap OEM license).
+ *
+ * Source is provided to this software because we believe users have a
+ * right to know exactly what a program is going to do before they run it.
+ * This also allows you to audit the software for security holes.
+ *
+ * Source code also allows you to port Nmap to new platforms, fix bugs, and add
+ * new features. You are highly encouraged to submit your changes as a Github PR
+ * or by email to the dev@nmap.org mailing list for possible incorporation into
+ * the main distribution. Unless you specify otherwise, it is understood that
+ * you are offering us very broad rights to use your submissions as described in
+ * the Nmap Public Source License Contributor Agreement. This is important
+ * because we fund the project by selling licenses with various terms, and also
+ * because the inability to relicense code has caused devastating problems for
+ * other Free Software projects (such as KDE and NASM).
+ *
+ * The free version of Nmap is distributed in the hope that it will be
+ * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties,
+ * indemnification and commercial support are all available through the
+ * Npcap OEM program--see https://nmap.org/oem/
+ *
+ ***************************************************************************/
+ /* This code was originally part of the Nping tool. */
+
+#include "PacketParser.h"
+#include <assert.h>
+
+#define PKTPARSERDEBUG false
+
+PacketParser::PacketParser() {
+ this->reset();
+} /* End of PacketParser constructor */
+
+
+PacketParser::~PacketParser() {
+
+} /* End of PacketParser destructor */
+
+
+/** Sets every attribute to its default value- */
+void PacketParser::reset() {
+
+} /* End of PacketParser destructor */
+
+
+const char *PacketParser::header_type2string(int val){
+ header_type_string_t header_types[]={
+ {HEADER_TYPE_IPv6_HOPOPT, "IPv6 Hop-by-Hop"},
+ {HEADER_TYPE_ICMPv4,"ICMPv4"},
+ {HEADER_TYPE_IGMP,"IGMP"},
+ {HEADER_TYPE_IPv4,"IPv4"},
+ {HEADER_TYPE_TCP,"TCP"},
+ {HEADER_TYPE_EGP,"EGP"},
+ {HEADER_TYPE_UDP,"UDP"},
+ {HEADER_TYPE_IPv6,"IPv6"},
+ {HEADER_TYPE_IPv6_ROUTE,"IPv6-Route"},
+ {HEADER_TYPE_IPv6_FRAG,"IPv6-Frag"},
+ {HEADER_TYPE_GRE,"GRE"},
+ {HEADER_TYPE_ESP,"ESP"},
+ {HEADER_TYPE_AH,"AH"},
+ {HEADER_TYPE_ICMPv6,"ICMPv6"},
+ {HEADER_TYPE_IPv6_NONXT,"IPv6-NoNxt"},
+ {HEADER_TYPE_IPv6_OPTS,"IPv6-Opts"},
+ {HEADER_TYPE_EIGRP,"EIGRP"},
+ {HEADER_TYPE_ETHERNET,"Ethernet"},
+ {HEADER_TYPE_L2TP,"L2TP"},
+ {HEADER_TYPE_SCTP,"SCTP"},
+ {HEADER_TYPE_IPv6_MOBILE,"Mobility Header"},
+ {HEADER_TYPE_MPLS_IN_IP,"MPLS-in-IP"},
+ {HEADER_TYPE_ARP,"ARP"},
+ {HEADER_TYPE_RAW_DATA,"Raw Data"},
+ {0,NULL}
+ };
+ int i=0;
+ for(i=0; header_types[i].str!=NULL; i++ ){
+ if((int)header_types[i].type==val)
+ return header_types[i].str;
+ }
+ return NULL;
+} /* End of header_type2string() */
+
+
+
+#define MAX_HEADERS_IN_PACKET 32
+pkt_type_t *PacketParser::parse_packet(const u8 *pkt, size_t pktlen, bool eth_included){
+ if(PKTPARSERDEBUG)printf("%s(%p, %lu)\n", __func__, pkt, (long unsigned)pktlen);
+ static pkt_type_t this_packet[MAX_HEADERS_IN_PACKET+1]; /* Packet structure array */
+ u8 current_header=0; /* Current array position of "this_packet" */
+ const u8 *curr_pkt=pkt; /* Pointer to current part of the packet */
+ size_t curr_pktlen=pktlen; /* Remaining packet length */
+ int ethlen=0, arplen=0; /* Aux length variables: link layer */
+ int iplen=0,ip6len=0; /* Aux length variables: network layer */
+ int tcplen=0,udplen=0,icmplen=0; /* Aux length variables: transport layer */
+ int exthdrlen=0; /* Aux length variables: extension headers */
+ int next_layer=0; /* Next header type to process */
+ int expected=0; /* Next protocol expected */
+ bool finished=false; /* Loop breaking flag */
+ bool unknown_hdr=false; /* Indicates unknown header found */
+ IPv4Header ip4;
+ IPv6Header ip6;
+ TCPHeader tcp;
+ UDPHeader udp;
+ ICMPv4Header icmp4;
+ ICMPv6Header icmp6;
+ EthernetHeader eth;
+ DestOptsHeader ext_dopts;
+ FragmentHeader ext_frag;
+ HopByHopHeader ext_hopt;
+ RoutingHeader ext_routing;
+ ARPHeader arp;
+ memset(this_packet, 0, sizeof(this_packet));
+
+ /* Decide which layer we have to start from */
+ if( eth_included ){
+ next_layer=LINK_LAYER;
+ expected=HEADER_TYPE_ETHERNET;
+ }else{
+ next_layer=NETWORK_LAYER;
+ }
+
+ /* Header processing loop */
+ while(!finished && curr_pktlen>0 && current_header<MAX_HEADERS_IN_PACKET){
+ /* Ethernet and ARP headers ***********************************************/
+ if(next_layer==LINK_LAYER ){
+ if(PKTPARSERDEBUG)puts("Next Layer=Link");
+ if(expected==HEADER_TYPE_ETHERNET){
+ if(PKTPARSERDEBUG)puts("Expected Layer=Ethernet");
+ if(eth.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ if( (ethlen=eth.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ /* Determine next header type */
+ switch( eth.getEtherType() ){
+ case ETHTYPE_IPV4:
+ expected=HEADER_TYPE_IPv4;
+ next_layer=NETWORK_LAYER;
+ break;
+ case ETHTYPE_IPV6:
+ expected=HEADER_TYPE_IPv6;
+ next_layer=NETWORK_LAYER;
+ break;
+ case ETHTYPE_ARP:
+ next_layer=LINK_LAYER;
+ expected=HEADER_TYPE_ARP;
+ break;
+ default:
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ break;
+ }
+ this_packet[current_header].length=ethlen;
+ this_packet[current_header++].type=HEADER_TYPE_ETHERNET;
+ eth.reset();
+ curr_pkt+=ethlen;
+ curr_pktlen-=ethlen;
+ }else if(expected==HEADER_TYPE_ARP){
+ if(PKTPARSERDEBUG)puts("Expected Layer=ARP");
+ if(arp.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ if( (arplen=arp.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ this_packet[current_header].length=arplen;
+ this_packet[current_header++].type=HEADER_TYPE_ARP;
+ arp.reset();
+ curr_pkt+=arplen;
+ curr_pktlen-=arplen;
+ if(curr_pktlen>0){
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ }else{
+ finished=true;
+ }
+ }else{
+ assert(finished==true);
+ }
+ /* IPv4 and IPv6 headers **************************************************/
+ }else if(next_layer==NETWORK_LAYER){
+ if(PKTPARSERDEBUG)puts("Next Layer=Network");
+ /* Determine IP version */
+ if (ip4.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+
+ /* IP version 4 ---------------------------------*/
+ if(ip4.getVersion()==4){
+ if( (iplen=ip4.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ /* Determine next header type */
+ switch(ip4.getNextProto()){
+ case HEADER_TYPE_ICMPv4:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_ICMPv4;
+ break;
+ case HEADER_TYPE_IPv4: /* IP in IP */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv4;
+ break;
+ case HEADER_TYPE_TCP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_TCP;
+ break;
+ case HEADER_TYPE_UDP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_UDP;
+ break;
+ case HEADER_TYPE_IPv6: /* IPv6 in IPv4 */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv6;
+ break;
+ default:
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ break;
+ }
+ this_packet[current_header].length=iplen;
+ this_packet[current_header++].type=HEADER_TYPE_IPv4;
+ ip4.reset();
+ curr_pkt+=iplen;
+ curr_pktlen-=iplen;
+ /* IP version 6 ---------------------------------*/
+ }else if(ip4.getVersion()==6){
+ ip4.reset();
+ if (ip6.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ if( (ip6len=ip6.validate())==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ switch( ip6.getNextHeader() ){
+ case HEADER_TYPE_ICMPv6:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_ICMPv6;
+ break;
+ case HEADER_TYPE_IPv4: /* IPv4 in IPv6 */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv4;
+ break;
+ case HEADER_TYPE_TCP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_TCP;
+ break;
+ case HEADER_TYPE_UDP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_UDP;
+ break;
+ case HEADER_TYPE_IPv6: /* IPv6 in IPv6 */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv6;
+ break;
+ case HEADER_TYPE_IPv6_HOPOPT:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_HOPOPT;
+ break;
+ case HEADER_TYPE_IPv6_OPTS:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_OPTS;
+ break;
+ case HEADER_TYPE_IPv6_ROUTE:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_ROUTE;
+ break;
+ case HEADER_TYPE_IPv6_FRAG:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_FRAG;
+ break;
+ default:
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ break;
+ }
+ this_packet[current_header].length=ip6len;
+ this_packet[current_header++].type=HEADER_TYPE_IPv6;
+ ip6.reset();
+ curr_pkt+=ip6len;
+ curr_pktlen-=ip6len;
+ /* Bogus IP version -----------------------------*/
+ }else{
+ /* Wrong IP version, treat as raw data. */
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ }
+ /* TCP, UDP, ICMPv4 and ICMPv6 headers ************************************/
+ }else if(next_layer==TRANSPORT_LAYER){
+ if(PKTPARSERDEBUG)puts("Next Layer=Transport");
+ if(expected==HEADER_TYPE_TCP){
+ if(PKTPARSERDEBUG)puts("Expected Layer=TCP");
+ if(tcp.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (tcplen=tcp.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ expected=HEADER_TYPE_RAW_DATA;
+ this_packet[current_header].length=tcplen;
+ this_packet[current_header++].type=HEADER_TYPE_TCP;
+ tcp.reset();
+ curr_pkt+=tcplen;
+ curr_pktlen-=tcplen;
+ next_layer=APPLICATION_LAYER;
+ }else if(expected==HEADER_TYPE_UDP){
+ if(PKTPARSERDEBUG)puts("Expected Layer=UDP");
+ if(udp.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (udplen=udp.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ expected=HEADER_TYPE_RAW_DATA;
+ this_packet[current_header].length=udplen;
+ this_packet[current_header++].type=HEADER_TYPE_UDP;
+ udp.reset();
+ curr_pkt+=udplen;
+ curr_pktlen-=udplen;
+ next_layer=APPLICATION_LAYER;
+ }else if(expected==HEADER_TYPE_ICMPv4){
+ if(PKTPARSERDEBUG)puts("Expected Layer=ICMPv4");
+ if(icmp4.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (icmplen=icmp4.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ switch( icmp4.getType() ){
+ /* Types that include an IPv4 packet as payload */
+ case ICMP_UNREACH:
+ case ICMP_TIMXCEED:
+ case ICMP_PARAMPROB:
+ case ICMP_SOURCEQUENCH:
+ case ICMP_REDIRECT:
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv4;
+ break;
+ /* ICMP types that include misc payloads (or no payload) */
+ default:
+ expected=HEADER_TYPE_RAW_DATA;
+ next_layer=APPLICATION_LAYER;
+ break;
+ }
+ this_packet[current_header].length=icmplen;
+ this_packet[current_header++].type=HEADER_TYPE_ICMPv4;
+ icmp4.reset();
+ curr_pkt+=icmplen;
+ curr_pktlen-=icmplen;
+ }else if(expected==HEADER_TYPE_ICMPv6){
+ if(PKTPARSERDEBUG)puts("Expected Layer=ICMPv6");
+ if(icmp6.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ if( (icmplen=icmp6.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ switch( icmp6.getType() ){
+ /* Types that include an IPv6 packet as payload */
+ case ICMPv6_UNREACH:
+ case ICMPv6_PKTTOOBIG:
+ case ICMPv6_TIMXCEED:
+ case ICMPv6_PARAMPROB:
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv6;
+ break;
+ /* ICMPv6 types that include misc payloads (or no payload) */
+ default:
+ expected=HEADER_TYPE_RAW_DATA;
+ next_layer=APPLICATION_LAYER;
+ break;
+ }
+ this_packet[current_header].length=icmplen;
+ this_packet[current_header++].type=HEADER_TYPE_ICMPv6;
+ icmp6.reset();
+ curr_pkt+=icmplen;
+ curr_pktlen-=icmplen;
+ }else{
+ /* Wrong application layer protocol, treat as raw data. */
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ }
+
+ /* IPv6 Extension Headers */
+ }else if(next_layer==EXTHEADERS_LAYER){
+ if(PKTPARSERDEBUG)puts("Next Layer=ExtHdr");
+ u8 ext_next=0;
+ /* Hop-by-Hop Options */
+ if(expected==HEADER_TYPE_IPv6_HOPOPT){
+ if(PKTPARSERDEBUG)puts("Expected=Hopt");
+ if(ext_hopt.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (exthdrlen=ext_hopt.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ ext_next=ext_hopt.getNextHeader();
+ ext_hopt.reset();
+ /* Routing Header */
+ }else if(expected==HEADER_TYPE_IPv6_ROUTE){
+ if(PKTPARSERDEBUG)puts("Expected=Route");
+ if(ext_routing.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (exthdrlen=ext_routing.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ ext_next=ext_routing.getNextHeader();
+ ext_routing.reset();
+ /* Fragmentation Header */
+ }else if(expected==HEADER_TYPE_IPv6_FRAG){
+ if(PKTPARSERDEBUG)puts("Expected=Frag");
+ if(ext_frag.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (exthdrlen=ext_frag.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ ext_next=ext_frag.getNextHeader();
+ ext_frag.reset();
+ /* Destination Options Header */
+ }else if(expected==HEADER_TYPE_IPv6_OPTS){
+ if(PKTPARSERDEBUG)puts("Expected=Dopts");
+ if(ext_dopts.storeRecvData(curr_pkt, curr_pktlen)==OP_FAILURE ){
+ unknown_hdr=true;
+ break;
+ }
+ if( (exthdrlen=ext_dopts.validate())==OP_FAILURE){
+ unknown_hdr=true;
+ break;
+ }
+ ext_next=ext_dopts.getNextHeader();
+ ext_dopts.reset();
+ }else{
+ /* Should never happen. */
+ unknown_hdr=true;
+ break;
+ }
+
+ /* Update the info for this header */
+ this_packet[current_header].length=exthdrlen;
+ this_packet[current_header++].type=expected;
+ curr_pkt+=exthdrlen;
+ curr_pktlen-=exthdrlen;
+
+ /* Lets's see what comes next */
+ switch(ext_next){
+ case HEADER_TYPE_ICMPv6:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_ICMPv6;
+ break;
+ case HEADER_TYPE_IPv4: /* IPv4 in IPv6 */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv4;
+ break;
+ case HEADER_TYPE_TCP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_TCP;
+ break;
+ case HEADER_TYPE_UDP:
+ next_layer=TRANSPORT_LAYER;
+ expected=HEADER_TYPE_UDP;
+ break;
+ case HEADER_TYPE_IPv6: /* IPv6 in IPv6 */
+ next_layer=NETWORK_LAYER;
+ expected=HEADER_TYPE_IPv6;
+ break;
+ case HEADER_TYPE_IPv6_HOPOPT:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_HOPOPT;
+ break;
+ case HEADER_TYPE_IPv6_OPTS:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_OPTS;
+ break;
+ case HEADER_TYPE_IPv6_ROUTE:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_ROUTE;
+ break;
+ case HEADER_TYPE_IPv6_FRAG:
+ next_layer=EXTHEADERS_LAYER;
+ expected=HEADER_TYPE_IPv6_FRAG;
+ break;
+ default:
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ break;
+ }
+
+ /* Miscellaneous payloads *************************************************/
+ }else{ // next_layer==APPLICATION_LAYER
+ if(PKTPARSERDEBUG)puts("Next Layer=Application");
+
+ /* If we get here it is possible that the packet is ARP but
+ * we have no access to the original Ethernet header. We
+ * determine if this header is ARP by checking its size
+ * and checking for some common values. */
+ if(arp.storeRecvData(curr_pkt, curr_pktlen)!=OP_FAILURE){
+ if( (arplen=arp.validate())!=OP_FAILURE){
+ if(arp.getHardwareType()==HDR_ETH10MB){
+ if(arp.getProtocolType()==0x0800){
+ if(arp.getHwAddrLen()==ETH_ADDRESS_LEN){
+ if(arp.getProtoAddrLen()==IPv4_ADDRESS_LEN){
+ this_packet[current_header].length=arplen;
+ this_packet[current_header++].type=HEADER_TYPE_ARP;
+ arp.reset();
+ curr_pkt+=arplen;
+ curr_pktlen-=arplen;
+ if(curr_pktlen>0){
+ next_layer=APPLICATION_LAYER;
+ expected=HEADER_TYPE_RAW_DATA;
+ }else{
+ finished=true;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ //if(expected==HEADER_TYPE_DNS){
+ //}else if(expected==HEADER_TYPE_HTTP){
+ //}... ETC
+ this_packet[current_header].length=curr_pktlen;
+ this_packet[current_header++].type=HEADER_TYPE_RAW_DATA;
+ curr_pktlen=0;
+ finished=true;
+ }
+ } /* End of header processing loop */
+
+ /* If we couldn't validate some header, treat that header and any remaining
+ * data, as raw application data. */
+ if (unknown_hdr==true){
+ if(curr_pktlen>0){
+ if(PKTPARSERDEBUG)puts("Unknown layer found. Treating it as raw data.");
+ this_packet[current_header].length=curr_pktlen;
+ this_packet[current_header++].type=HEADER_TYPE_RAW_DATA;
+ }
+ }
+
+ return this_packet;
+} /* End of parse_received_packet() */
+
+
+/* TODO: remove */
+int PacketParser::dummy_print_packet_type(const u8 *pkt, size_t pktlen, bool eth_included){
+ pkt_type_t *packetheaders=PacketParser::parse_packet(pkt, pktlen, eth_included);
+ for(int i=0; packetheaders[i].length!=0; i++){
+ printf("%s:", header_type2string(packetheaders[i].type));
+ }
+ printf("\n");
+ return OP_SUCCESS;
+} /* End of dummy_print_packet_type() */
+
+
+int PacketParser::dummy_print_packet(const u8 *pkt, size_t pktlen, bool eth_included){
+ PacketElement *me=NULL, *aux=NULL;
+ if( (me=split(pkt, pktlen, eth_included))==NULL )
+ return OP_FAILURE;
+ else{
+ me->print(stdout, PRINT_DETAIL_HIGH);
+ printf("\n");
+ }
+ /* Free the structs */
+ while(me!=NULL){
+ aux=me->getNextElement();
+ delete me;
+ me=aux;
+ }
+ return OP_SUCCESS;
+} /* End of dummy_print_packet() */
+
+
+
+/** For a given packet, this method determines where the application layer data
+ * begins. It returs a positive offset if any application data was found, zero
+ * if the packet did not contain application data and a negative integer in
+ * case of error. */
+int PacketParser::payload_offset(const u8 *pkt, size_t pktlen, bool link_included){
+ PacketElement *me=NULL, *aux=NULL;
+ size_t offset=pktlen; /* Initially, point to the end of the packet. */
+
+ /* Safe checks*/
+ if(pkt==NULL || pktlen<=0)
+ return -1;
+
+ dummy_print_packet_type(pkt, pktlen, link_included);
+
+ /* Split the packet into separate protocol headers */
+ if( (me=split(pkt, pktlen, link_included))==NULL )
+ return -2;
+ else{
+ aux=me;
+ }
+
+ /* Find if there is application data and where it begins */
+ while(me!=NULL){
+ /* When we find application data, we compute the offset by substacting the
+ length of the application data from the packet's total length */
+ if(me->protocol_id()==HEADER_TYPE_RAW_DATA){
+ offset = pktlen - me->getLen();
+ break;
+ }
+ me = me->getNextElement();
+ }
+
+ /* Free the structs */
+ me=aux;
+ while(me!=NULL){
+ aux=me->getNextElement();
+ delete me;
+ me=aux;
+ }
+
+ /* Return 0 if we didn't find any application data */
+ if(offset==pktlen){
+ return 0;
+ }else{
+ return offset;
+ }
+} /* End of payload_offset() */
+
+
+
+
+PacketElement *PacketParser::split(const u8 *pkt, size_t pktlen){
+ return split(pkt, pktlen, false);
+} /* End of split() */
+
+
+PacketElement *PacketParser::split(const u8 *pkt, size_t pktlen, bool eth_included){
+ pkt_type_t *packetheaders=NULL;
+ const u8 *curr_pkt=pkt;
+ PacketElement *first=NULL;
+ PacketElement *last=NULL;
+ IPv4Header *ip4=NULL;
+ IPv6Header *ip6=NULL;
+ DestOptsHeader *ext_dopts=NULL;
+ FragmentHeader *ext_frag=NULL;
+ HopByHopHeader *ext_hopt=NULL;
+ RoutingHeader *ext_routing=NULL;
+ TCPHeader *tcp=NULL;
+ UDPHeader *udp=NULL;
+ ICMPv4Header *icmp4=NULL;
+ ICMPv6Header *icmp6=NULL;
+ EthernetHeader *eth=NULL;
+ ARPHeader *arp=NULL;
+ RawData *raw=NULL;
+
+ /* Analyze the packet. This returns a list of header types and lengths */
+ if((packetheaders=PacketParser::parse_packet(pkt, pktlen, eth_included))==NULL)
+ return NULL;
+
+ /* Store each header in its own PacketHeader object type */
+ for(int i=0; packetheaders[i].length!=0; i++){
+
+ switch(packetheaders[i].type){
+
+ case HEADER_TYPE_ETHERNET:
+ eth=new EthernetHeader();
+ eth->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=eth;
+ }else{
+ last->setNextElement(eth);
+ }
+ last=eth;
+ break;
+
+ case HEADER_TYPE_ARP:
+ arp=new ARPHeader();
+ arp->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=arp;
+ }else{
+ last->setNextElement(arp);
+ }
+ last=arp;
+ break;
+
+ case HEADER_TYPE_IPv4:
+ ip4=new IPv4Header();
+ ip4->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ip4;
+ }else{
+ last->setNextElement(ip4);
+ }
+ last=ip4;
+ break;
+
+ case HEADER_TYPE_IPv6:
+ ip6=new IPv6Header();
+ ip6->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ip6;
+ }else{
+ last->setNextElement(ip6);
+ }
+ last=ip6;
+ break;
+
+ case HEADER_TYPE_TCP:
+ tcp=new TCPHeader();
+ tcp->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=tcp;
+ }else{
+ last->setNextElement(tcp);
+ }
+ last=tcp;
+ break;
+
+ case HEADER_TYPE_UDP:
+ udp=new UDPHeader();
+ udp->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=udp;
+ }else{
+ last->setNextElement(udp);
+ }
+ last=udp;
+ break;
+
+ case HEADER_TYPE_ICMPv4:
+ icmp4=new ICMPv4Header();
+ icmp4->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=icmp4;
+ }else{
+ last->setNextElement(icmp4);
+ }
+ last=icmp4;
+ break;
+
+ case HEADER_TYPE_ICMPv6:
+ icmp6=new ICMPv6Header();
+ icmp6->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=icmp6;
+ }else{
+ last->setNextElement(icmp6);
+ }
+ last=icmp6;
+ break;
+
+ case HEADER_TYPE_IPv6_HOPOPT:
+ ext_hopt=new HopByHopHeader();
+ ext_hopt->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ext_hopt;
+ }else{
+ last->setNextElement(ext_hopt);
+ }
+ last=ext_hopt;
+ break;
+
+ case HEADER_TYPE_IPv6_ROUTE:
+ ext_routing=new RoutingHeader();
+ ext_routing->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ext_routing;
+ }else{
+ last->setNextElement(ext_routing);
+ }
+ last=ext_routing;
+ break;
+
+ case HEADER_TYPE_IPv6_FRAG:
+ ext_frag=new FragmentHeader();
+ ext_frag->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ext_frag;
+ }else{
+ last->setNextElement(ext_frag);
+ }
+ last=ext_frag;
+ break;
+
+ case HEADER_TYPE_IPv6_OPTS:
+ ext_dopts=new DestOptsHeader();
+ ext_dopts->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=ext_dopts;
+ }else{
+ last->setNextElement(ext_dopts);
+ }
+ last=ext_dopts;
+ break;
+
+ case HEADER_TYPE_RAW_DATA:
+ default:
+ raw=new RawData();
+ raw->storeRecvData(curr_pkt, packetheaders[i].length);
+ if(first==NULL){
+ first=raw;
+ }else{
+ last->setNextElement(raw);
+ }
+ last=raw;
+ break;
+ }
+ curr_pkt+=packetheaders[i].length;
+ }
+ return first;
+} /* End of split() */
+
+
+/* This method frees a chain of PacketElement objects. Note that objects in
+ * the chain are freed by calling "delete" on them, so only those instances
+ * that have been obtained through a call to "new" should be passed to this
+ * method. Chains returned by PacketParser::split() are safe to use with this.*/
+int PacketParser::freePacketChain(PacketElement *first){
+ PacketElement *curr=first;
+ PacketElement *next=NULL;
+ while(curr!=NULL){
+ next=curr->getNextElement();
+ delete curr;
+ curr=next;
+ }
+ return OP_SUCCESS;
+} /* End of freePacketChain() */
+
+
+/* This method is for debugging purposes only. It tests the packet parser and
+ * the PacketElement class family. Basically it checks that the supplied
+ * chain of PacketElements can be serialized and de-serialized correctly.
+ * Returns NULL on success or an error string in case of failure. */
+const char *PacketParser::test_packet_parser(PacketElement *test_pkt){
+ const char *errmsg=NULL;
+ PacketElement *parsed_pkt=NULL;
+ PacketElement *orig_pkt=NULL;
+ PacketElement *new_pkt=NULL;
+ u8 *mypktbuff2=NULL;
+ u8 *mypktbuff=NULL;
+
+ if(test_pkt==NULL){
+ errmsg="NULL pointer supplied";
+ goto end;
+ }
+
+ /* Generate a serialized version of the packet */
+ mypktbuff=(u8 *)safe_malloc(test_pkt->getLen());
+ test_pkt->dumpToBinaryBuffer(mypktbuff, test_pkt->getLen());
+
+ /* Generate a chain of PacketElement objects from the serialized version. */
+ parsed_pkt=PacketParser::split(mypktbuff, test_pkt->getLen());
+
+ if(parsed_pkt==NULL){
+ errmsg="PacketParser::split() returned NULL";
+ goto end;
+ }
+ if(parsed_pkt->getLen()!=test_pkt->getLen()){
+ errmsg="Packets have different lengths";
+ goto end;
+ }
+
+ /* Generate a serialized version of the new chain */
+ mypktbuff2=(u8 *)safe_malloc(parsed_pkt->getLen());
+ parsed_pkt->dumpToBinaryBuffer(mypktbuff2, parsed_pkt->getLen());
+
+ /* Make sure both packets produce the exact same binary buffer */
+ if(memcmp(mypktbuff, mypktbuff2, parsed_pkt->getLen())!=0){
+ errmsg="The two packets do not result in the same binary buffer";
+ goto end;
+ }
+
+ /* Now let's check that both chains have the same number and type of
+ * PacketElements. */
+ orig_pkt=test_pkt;
+ new_pkt=parsed_pkt;
+ while(orig_pkt!=NULL && new_pkt!=NULL){
+ if(orig_pkt->protocol_id() != new_pkt->protocol_id() ){
+ errmsg="Protocol IDs do not match";
+ goto end;
+ }
+ orig_pkt=orig_pkt->getNextElement();
+ new_pkt=new_pkt->getNextElement();
+ }
+
+ if(orig_pkt!=NULL || new_pkt!=NULL){
+ errmsg="The two packets do not have the same number of chained elements.";
+ goto end;
+ }
+
+ end:
+ /* Free our allocations */
+ if(mypktbuff!=NULL)
+ free(mypktbuff);
+ if(mypktbuff2!=NULL)
+ free(mypktbuff2);
+ if(parsed_pkt!=NULL)
+ PacketParser::freePacketChain(parsed_pkt);
+
+ /* If everything went well, errmsg should still be NULL. Otherwise it
+ * should point to an error message.*/
+ return errmsg;
+}
+
+
+
+/* Returns true if the supplied "rcvd" packet is a response to the "sent" packet.
+ * This method currently handles IPv4, IPv6, ICMPv4, ICMPv6, TCP and UDP. Here
+ * some examples of what can be matched using it:
+ *
+ * Probe: TCP SYN -> Response TCP SYN|ACK
+ * Probe: TCP SYN -> Response TCP RST|ACK
+ * Probe: UDP:53 -> Response UDP from port 53.
+ * Probe ICMP Echo -> Response ICMP Echo reply
+ * Probe ICMPv6 Neighbor Solicitation -> Response ICMPv6 Neighbor Advert
+ * Probe Malformed IPv6 -> Response ICMPv6 Parameter Problem
+ * Probe MLDv1 Query -> Response MLDv1 Report
+ * Probe ICMP Timestamp request -> Response ICMP timestamp response
+ * etc...
+ *
+ * Note that ICMP error messages are matched against sent probes (e.g: an ICMP
+ * Parameter Problem generated as a result of an invalid TCP segment is matched
+ * positively with the original TCP segment). Therefore, the caller must ensure
+ * that the received packet is what it expects before using it (e.g: the packet
+ * is an actual TCP packet, not an ICMP error).
+ *
+ * Warning: this method assumes that the probes you send are reasonably
+ * different from each other. Don't expect a 100% accuracy if you send a bunch
+ * of TCP segments with the same source and destination port numbers, or a
+ * bunch of ICMP messages with the same identifier and sequence number. */
+bool PacketParser::is_response(PacketElement *sent, PacketElement *rcvd){
+ if(PKTPARSERDEBUG)printf("%s(): called\n", __func__);
+
+ if(sent==NULL || rcvd==NULL)
+ return false;
+
+ /* If any of the packets is encapsulated in an Ethernet frame, strip the
+ * link layer header before proceeding with the matching process. */
+ if(rcvd->protocol_id()==HEADER_TYPE_ETHERNET)
+ if( (rcvd=rcvd->getNextElement())==NULL)
+ return false;
+ if(sent->protocol_id()==HEADER_TYPE_ETHERNET)
+ if( (sent=sent->getNextElement())==NULL)
+ return false;
+
+ /* Make sure both packets have the same network layer */
+ if(rcvd->protocol_id()!=sent->protocol_id())
+ return false;
+
+ /* The packet could be ARP */
+ if(rcvd->protocol_id()==HEADER_TYPE_ARP){
+ ARPHeader *sent_arp=(ARPHeader *)sent;
+ ARPHeader *rcvd_arp=(ARPHeader *)rcvd;
+ switch(sent_arp->getOpCode()){
+ case OP_ARP_REQUEST:
+ if(rcvd_arp->getOpCode()==OP_ARP_REPLY){
+ /* TODO @todo: getTargetIP() and getSenderIP() should
+ * either return struct in_addr or IPAddress but not u32. */
+ if(sent_arp->getTargetIP()==rcvd_arp->getSenderIP())
+ if(sent_arp->getSenderIP()==rcvd_arp->getTargetIP())
+ return true;
+ }
+ return false;
+ break;
+
+ /* We only support ARP, not RARP or other weird stuff. Also, if
+ * we didn't send a request, then we don't expect any response */
+ case OP_RARP_REQUEST:
+ case OP_DRARP_REQUEST:
+ case OP_INARP_REQUEST:
+ default:
+ return false;
+ break;
+
+ }
+ return false;
+ }
+
+ /* The packet is IPv4 or IPv6 */
+ if(rcvd->protocol_id()!=HEADER_TYPE_IPv6 && rcvd->protocol_id()!=HEADER_TYPE_IPv4)
+ return false;
+ if(PKTPARSERDEBUG)printf("%s(): Both packets use IP.\n", __func__);
+
+ /* Handle the network layer with a more specific class */
+ NetworkLayerElement *rcvd_ip=(NetworkLayerElement *)rcvd;
+ NetworkLayerElement *sent_ip=(NetworkLayerElement *)sent;
+
+ /* Ensure the packet comes from the host we sent the probe to */
+ if( memcmp(rcvd_ip->getSourceAddress(), sent_ip->getDestinationAddress(), rcvd_ip->getAddressLength())!=0 )
+ return false;
+ /* Ensure the received packet is destined to us */
+ if( memcmp(rcvd_ip->getDestinationAddress(), sent_ip->getSourceAddress(), rcvd_ip->getAddressLength())!=0 )
+ return false;
+
+ if(PKTPARSERDEBUG)printf("%s(): Src and Dst addresses make sense.\n", __func__);
+
+ /* Skip layers until we find ICMP or a transport protocol */
+ PacketElement *rcvd_layer4=rcvd_ip->getNextElement();
+ PacketElement *sent_layer4=sent_ip->getNextElement();
+ while(rcvd_layer4!=NULL){
+ if(rcvd_layer4->protocol_id()==HEADER_TYPE_UDP || rcvd_layer4->protocol_id()==HEADER_TYPE_TCP ||
+ rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv4 || rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv6 ){
+ break;
+ }else{
+ rcvd_layer4=rcvd_layer4->getNextElement();
+ }
+ }
+ while(sent_layer4!=NULL){
+ if(sent_layer4->protocol_id()==HEADER_TYPE_UDP || sent_layer4->protocol_id()==HEADER_TYPE_TCP ||
+ sent_layer4->protocol_id()==HEADER_TYPE_ICMPv4 || sent_layer4->protocol_id()==HEADER_TYPE_ICMPv6 ){
+ break;
+ }else{
+ sent_layer4=sent_layer4->getNextElement();
+ }
+ }
+ if(rcvd_layer4==NULL || sent_layer4==NULL)
+ return false;
+
+ if(PKTPARSERDEBUG)printf("%s(): Layer 4 found for both packets.\n", __func__);
+
+ /* If we get here it means that both packets have a proper layer4 protocol
+ * header. Now we have to check which type are they and see if a probe-response
+ * relation can be established. */
+ if(sent_layer4->protocol_id()==HEADER_TYPE_ICMPv6 || sent_layer4->protocol_id()==HEADER_TYPE_ICMPv4){
+
+ if(PKTPARSERDEBUG)printf("%s(): Sent packet is ICMP.\n", __func__);
+
+ /* Make sure received packet is ICMP (we only expect ICMP responses for
+ * ICMP probes) */
+ if(rcvd_layer4->protocol_id()!=HEADER_TYPE_ICMPv6 && rcvd_layer4->protocol_id()!=HEADER_TYPE_ICMPv4 )
+ return false;
+
+ /* Make sure both packets have the same ICMP version */
+ if(sent_layer4->protocol_id()!=rcvd_layer4->protocol_id())
+ return false;
+
+ if(PKTPARSERDEBUG)printf("%s(): Received packet is ICMP too.\n", __func__);
+
+ /* Check if the received ICMP is an error message. We don't care which kind
+ * of error message it is. The only important thing is that error messages
+ * contain a copy of the original datagram, and that's what we want to
+ * match against the sent probe. */
+ if( ((ICMPHeader *)rcvd_layer4)->isError() ){
+ NetworkLayerElement *iperror=(NetworkLayerElement *)rcvd_layer4->getNextElement();
+
+ if(PKTPARSERDEBUG)printf("%s(): Received ICMP is an error message.\n", __func__);
+
+ /* ICMP error message must contain the original datagram */
+ if(iperror==NULL)
+ return false;
+
+ /* The first header must be IP */
+ if(iperror->protocol_id()!=HEADER_TYPE_IPv6 && iperror->protocol_id()!=HEADER_TYPE_IPv4)
+ return false;
+
+ /* The IP version must match the probe's */
+ if(iperror->protocol_id()!=sent_ip->protocol_id())
+ return false;
+
+ /* Source and destination addresses must match the probe's */
+ if( memcmp(iperror->getSourceAddress(), sent_ip->getSourceAddress(), iperror->getAddressLength())!=0 )
+ return false;
+ if( memcmp(iperror->getDestinationAddress(), sent_ip->getDestinationAddress(), iperror->getAddressLength())!=0 )
+ return false;
+
+ /* So far we've verified that the ICMP error contains an IP datagram that matches
+ * what we sent. Now, let's find the upper layer ICMP header (skip extension
+ * headers until we find ICMP) */
+ ICMPHeader *inner_icmp=(ICMPHeader *)iperror->getNextElement();
+ while(inner_icmp!=NULL){
+ if(inner_icmp->protocol_id()==HEADER_TYPE_ICMPv4 || inner_icmp->protocol_id()==HEADER_TYPE_ICMPv6 ){
+ break;
+ }else{
+ inner_icmp=(ICMPHeader *)inner_icmp->getNextElement();
+ }
+ }
+ if(inner_icmp==NULL)
+ return false;
+
+ /* If we get here it means that we've found an ICMP header inside the
+ * ICMP error message that we received. First of all, check that the
+ * ICMP version matches what we sent. */
+ if(sent_layer4->protocol_id() != inner_icmp->protocol_id())
+ return false;
+
+ /* Make sure ICMP type and code match */
+ if( ((ICMPHeader*)sent_layer4)->getType() != inner_icmp->getType() )
+ return false;
+ if( ((ICMPHeader*)sent_layer4)->getCode() != inner_icmp->getCode() )
+ return false;
+
+ /* Now go into a bit of detail and try to determine if both headers
+ * are equal, comparing the values of specific fields. */
+ if(sent_layer4->protocol_id()==HEADER_TYPE_ICMPv6){
+ ICMPv6Header *sent_icmp6=(ICMPv6Header *)sent_layer4;
+ ICMPv6Header *inner_icmp6=(ICMPv6Header *)inner_icmp;
+
+ switch(sent_icmp6->getType()){
+ case ICMPv6_UNREACH:
+ case ICMPv6_TIMXCEED :
+ /* For these we cannot guarantee that the received ICMPv6 error
+ * packet included data beyond the inner ICMPv6 header, so we just
+ * assume that they are a match to the sent probe. (We shouldn't
+ * really be sending ICMPv6 error messages and expect ICMPv6 error
+ * responses that contain our ICMv6P error messages, should we?
+ * Well, even if we do, there is a good chance we are able to match
+ * those responses with the original probe) */
+ break;
+
+ case ICMPv6_PKTTOOBIG:
+ if(sent_icmp6->getMTU() != inner_icmp6->getMTU())
+ return false;
+ break;
+
+ case ICMPv6_PARAMPROB:
+ if(sent_icmp6->getPointer() != inner_icmp6->getPointer())
+ return false;
+ break;
+
+ case ICMPv6_ECHO:
+ case ICMPv6_ECHOREPLY:
+ if(sent_icmp6->getIdentifier() != inner_icmp6->getIdentifier())
+ return false;
+ if(sent_icmp6->getSequence() != inner_icmp6->getSequence())
+ return false;
+ break;
+
+ case ICMPv6_ROUTERSOLICIT:
+ /* Here we do not have much to compare, so we just test that
+ * the reserved field contains the same value, usually zero. */
+ if(sent_icmp6->getReserved()!=inner_icmp6->getReserved())
+ return false;
+ break;
+
+ case ICMPv6_ROUTERADVERT:
+ if(sent_icmp6->getCurrentHopLimit() != inner_icmp6->getCurrentHopLimit() )
+ return false;
+ if(sent_icmp6->getRouterLifetime() != inner_icmp6->getRouterLifetime() )
+ return false;
+ if(sent_icmp6->getReachableTime() != inner_icmp6->getReachableTime() )
+ return false;
+ if(sent_icmp6->getRetransmissionTimer() != inner_icmp6->getRetransmissionTimer() )
+ return false;
+ break;
+
+ case ICMPv6_REDIRECT:
+ if( memcmp(sent_icmp6->getTargetAddress().s6_addr, inner_icmp6->getTargetAddress().s6_addr, 16) !=0 )
+ return false;
+ if( memcmp(sent_icmp6->getDestinationAddress().s6_addr, inner_icmp6->getDestinationAddress().s6_addr, 16) !=0 )
+ return false;
+ break;
+
+ case ICMPv6_NGHBRSOLICIT:
+ case ICMPv6_NGHBRADVERT:
+ if( memcmp(sent_icmp6->getTargetAddress().s6_addr, inner_icmp6->getTargetAddress().s6_addr, 16) !=0 )
+ return false;
+ break;
+
+ case ICMPv6_RTRRENUM:
+ if(sent_icmp6->getSequence() != inner_icmp6->getSequence() )
+ return false;
+ if(sent_icmp6->getSegmentNumber() != inner_icmp6->getSegmentNumber() )
+ return false;
+ if(sent_icmp6->getMaxDelay() != inner_icmp6->getMaxDelay() )
+ return false;
+ if(sent_icmp6->getFlags() != inner_icmp6->getFlags() )
+ return false;
+ break;
+
+ case ICMPv6_NODEINFOQUERY:
+ case ICMPv6_NODEINFORESP:
+ if(sent_icmp6->getNodeInfoFlags() != inner_icmp6->getNodeInfoFlags() )
+ return false;
+ if(sent_icmp6->getNonce() != inner_icmp6->getNonce())
+ return false;
+ if(sent_icmp6->getQtype() != inner_icmp6->getQtype() )
+ return false;
+ break;
+
+
+ case ICMPv6_GRPMEMBQUERY:
+ case ICMPv6_GRPMEMBREP:
+ case ICMPv6_GRPMEMBRED:
+ case ICMPv6_INVNGHBRSOLICIT:
+ case ICMPv6_INVNGHBRADVERT:
+ case ICMPv6_MLDV2:
+ case ICMPv6_AGENTDISCOVREQ:
+ case ICMPv6_AGENTDISCOVREPLY:
+ case ICMPv6_MOBPREFIXSOLICIT:
+ case ICMPv6_MOBPREFIXADVERT:
+ case ICMPv6_CERTPATHSOLICIT:
+ case ICMPv6_CERTPATHADVERT:
+ case ICMPv6_EXPMOBILITY:
+ case ICMPv6_MRDADVERT:
+ case ICMPv6_MRDSOLICIT:
+ case ICMPv6_MRDTERMINATE:
+ case ICMPv6_FMIPV6:
+ /* All these types are not currently implemented but since the
+ * sent_icmp.getType() has returned such type, we assume
+ * that there is a match (don't return false here). */
+ break;
+
+ default:
+ /* Do not match ICMPv6 types we don't know about */
+ return false;
+ break;
+ }
+ }else if(sent_layer4->protocol_id()==HEADER_TYPE_ICMPv4){
+ ICMPv4Header *sent_icmp4=(ICMPv4Header *)sent_layer4;
+ ICMPv4Header *inner_icmp4=(ICMPv4Header *)inner_icmp;
+
+ switch(sent_icmp4->getType()){
+ case ICMP_ECHOREPLY:
+ case ICMP_ECHO:
+ case ICMP_TSTAMP:
+ case ICMP_TSTAMPREPLY:
+ case ICMP_INFO:
+ case ICMP_INFOREPLY:
+ case ICMP_MASK:
+ case ICMP_MASKREPLY:
+ case ICMP_DOMAINNAME:
+ case ICMP_DOMAINNAMEREPLY:
+ /* Check the message identifier and sequence number */
+ if(sent_icmp4->getIdentifier() != inner_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != inner_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_ROUTERADVERT:
+ /* Check only the main fields, no need to parse the whole list
+ * of addresses (maybe we didn't even get enough octets to
+ * check that). */
+ if(sent_icmp4->getNumAddresses() != inner_icmp4->getNumAddresses() )
+ return false;
+ if(sent_icmp4->getAddrEntrySize() != inner_icmp4->getAddrEntrySize())
+ return false;
+ if(sent_icmp4->getLifetime() != inner_icmp4->getLifetime() )
+ return false;
+ break;
+
+ case ICMP_ROUTERSOLICIT:
+ /* Here we do not have much to compare, so we just test that
+ * the reserved field contains the same value, usually zero. */
+ if(sent_icmp4->getReserved()!=inner_icmp4->getReserved())
+ return false;
+ break;
+
+ case ICMP_UNREACH:
+ case ICMP_SOURCEQUENCH:
+ case ICMP_TIMXCEED:
+ /* For these we cannot guarantee that the received ICMP error
+ * packet included data beyond the inner ICMP header, so we just
+ * assume that they are a match to the sent probe. (We shouldn't
+ * really be sending ICMP error messages and expect ICMP error
+ * responses that contain our ICMP error messages, should we?
+ * Well, even if we do, there is a good chance we are able to match
+ * those responses with the original probe) */
+ break;
+
+ case ICMP_REDIRECT:
+ if(sent_icmp4->getGatewayAddress().s_addr != inner_icmp4->getGatewayAddress().s_addr)
+ return false;
+ break;
+
+ case ICMP_PARAMPROB:
+ if(sent_icmp4->getParameterPointer() != inner_icmp4->getParameterPointer())
+ return false;
+ break;
+
+ case ICMP_TRACEROUTE:
+ if(sent_icmp4->getIDNumber() != inner_icmp4->getIDNumber())
+ return false;
+ if(sent_icmp4->getOutboundHopCount() != inner_icmp4->getOutboundHopCount())
+ return false;
+ if(sent_icmp4->getOutputLinkSpeed() != inner_icmp4->getOutputLinkSpeed() )
+ return false;
+ if(sent_icmp4->getOutputLinkMTU() != inner_icmp4->getOutputLinkMTU() )
+ return false;
+ break;
+
+ case ICMP_SECURITYFAILURES:
+ /* Check the pointer and the reserved field */
+ if(sent_icmp4->getSecurityPointer() != inner_icmp4->getSecurityPointer())
+ return false;
+ if(sent_icmp4->getReserved() != inner_icmp4->getReserved())
+ return false;
+ break;
+
+ default:
+ /* Do not match ICMP types we don't know about */
+ return false;
+ break;
+ }
+ }else{
+ return false; // Should never happen, though.
+ }
+ }else{ /* Received ICMP is informational. */
+
+ if(PKTPARSERDEBUG)printf("%s(): Received ICMP is an informational message.\n", __func__);
+
+ /* If we get here it means that we received an informational ICMPv6
+ * message. So now we have to check if the received message is the
+ * expected reply to the probe we sent (like an Echo reply for an Echo
+ * request, etc). */
+
+ if(sent_layer4->protocol_id()==HEADER_TYPE_ICMPv6 && rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv6){
+ ICMPv6Header *sent_icmp6=(ICMPv6Header *)sent_layer4;
+ ICMPv6Header *rcvd_icmp6=(ICMPv6Header *)rcvd_layer4;
+
+ switch( sent_icmp6->getType() ){
+
+ case ICMPv6_UNREACH:
+ case ICMPv6_TIMXCEED :
+ case ICMPv6_PKTTOOBIG:
+ case ICMPv6_PARAMPROB:
+ /* This should never happen. If we got here, the received type
+ * should be of an informational message, not an error message. */
+ printf("Error in isResponse()\n");
+ return false;
+ break;
+
+ case ICMPv6_ECHO:
+ /* For Echo request, we expect echo replies */
+ if(rcvd_icmp6->getType()!=ICMPv6_ECHOREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp6->getIdentifier() != rcvd_icmp6->getIdentifier())
+ return false;
+ if(sent_icmp6->getSequence() != rcvd_icmp6->getSequence())
+ return false;
+ break;
+
+ case ICMPv6_ECHOREPLY:
+ /* We don't expect replies to Echo replies */
+ return false;
+ break;
+
+ case ICMPv6_ROUTERSOLICIT:
+ /* For Router solicitations, we expect Router advertisements.
+ * We only check if the received ICMP is a router advert because
+ * there is nothing else that can be used to match the solicitation
+ * with the response. */
+ if(rcvd_icmp6->getType()!=ICMPv6_ROUTERADVERT)
+ return false;
+ break;
+
+ case ICMPv6_ROUTERADVERT:
+ /* We don't expect replies to router advertisements */
+ return false;
+ break;
+
+ case ICMPv6_REDIRECT:
+ /* We don't expect replies to Redirect messages */
+ return false;
+ break;
+
+ case ICMPv6_NGHBRSOLICIT:
+ if(PKTPARSERDEBUG)printf("%s(): Sent ICMP is an ICMPv6 Neighbor Solicitation.\n", __func__);
+ /* For Neighbor solicitations, we expect Neighbor advertisements
+ * with the "S" flag set (solicited flag) and the same address
+ * in the "TargetAddress" field. */
+ if(rcvd_icmp6->getType()!=ICMPv6_NGHBRADVERT)
+ return false;
+ if(PKTPARSERDEBUG)printf("%s(): Received ICMP is an ICMPv6 Neighbor Advertisement.\n", __func__);
+ if( !(rcvd_icmp6->getFlags() & 0x40) )
+ return false;
+ if( memcmp(sent_icmp6->getTargetAddress().s6_addr, rcvd_icmp6->getTargetAddress().s6_addr, 16) !=0 )
+ return false;
+ break;
+
+ case ICMPv6_NGHBRADVERT:
+ /* We don't expect replies to Neighbor advertisements */
+ return false;
+ break;
+
+ case ICMPv6_NODEINFOQUERY:
+ /* For Node Information Queries we expect Node Information
+ * responses with the same Nonce value that we used in the query. */
+ if(rcvd_icmp6->getType()!=ICMPv6_NODEINFORESP)
+ return false;
+ if(sent_icmp6->getNonce() != rcvd_icmp6->getNonce())
+ return false;
+ break;
+
+ case ICMPv6_NODEINFORESP:
+ /* Obviously, we do not expect responses to a response */
+ return false;
+ break;
+
+ case ICMPv6_INVNGHBRSOLICIT:
+ /* For Inverse Neighbor Discovery Solicitations we expect
+ * advertisements in response. We don't do any additional
+ * validation since any advert can be considered a response
+ * to the solicitation. */
+ if(rcvd_icmp6->getType()!=ICMPv6_INVNGHBRADVERT)
+ return false;
+ break;
+
+ case ICMPv6_INVNGHBRADVERT:
+ /* We don't expect responses to advertisements */
+ return false;
+ break;
+
+
+ case ICMPv6_RTRRENUM:
+ /* We don't expect specific responses to router renumbering
+ * messages. */
+ return false;
+ break;
+
+ case ICMPv6_GRPMEMBQUERY:
+ /* For Multicast Listener Discovery (MLD) queries, we expect
+ * either MLD Responses or MLD Done messages. We can't handle MLDv2
+ * yet, so we don't match it. TODO: Implement support for MLDv2 */
+ if(rcvd_icmp6->getType()!=ICMPv6_GRPMEMBREP && rcvd_icmp6->getType()!=ICMPv6_GRPMEMBRED)
+ return false;
+ /* Now we have two possibilities:
+ * a) The query is a "General Query" where the multicast address
+ * is set to zero.
+ * b) The query is a "Multicast-Address-Specific Query", where
+ * the multicast address field is set to an actual multicast
+ * address.
+ * In the first case, we match any query response to the request,
+ * as we don't have a multicast address to compare. In the second
+ * case, we verify that the target mcast address of the query
+ * matches the one in the response. */
+ struct in6_addr zeroaddr;
+ memset(&zeroaddr, 0, sizeof(struct in6_addr));
+ if( memcmp( sent_icmp6->getMulticastAddress().s6_addr, zeroaddr.s6_addr, 16) != 0 ){ /* Case B: */
+ if (memcmp( sent_icmp6->getMulticastAddress().s6_addr, rcvd_icmp6->getMulticastAddress().s6_addr, 16)!=0 )
+ return false;
+ }
+ break;
+
+ case ICMPv6_GRPMEMBREP:
+ case ICMPv6_GRPMEMBRED:
+ /* We don't expect responses to MLD reports */
+ return false;
+ break;
+
+ case ICMPv6_MLDV2:
+ case ICMPv6_AGENTDISCOVREQ:
+ case ICMPv6_AGENTDISCOVREPLY:
+ case ICMPv6_MOBPREFIXSOLICIT:
+ case ICMPv6_MOBPREFIXADVERT:
+ case ICMPv6_CERTPATHSOLICIT:
+ case ICMPv6_CERTPATHADVERT:
+ case ICMPv6_EXPMOBILITY:
+ case ICMPv6_MRDADVERT:
+ case ICMPv6_MRDSOLICIT:
+ case ICMPv6_MRDTERMINATE:
+ case ICMPv6_FMIPV6:
+ default:
+ /* Do not match ICMPv6 types we don't implement or know about *
+ * TODO: Implement these ICMPv6 types. */
+ return false;
+ break;
+
+ }
+
+ }else if(sent_layer4->protocol_id()==HEADER_TYPE_ICMPv4 && rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv4){
+ ICMPv4Header *sent_icmp4=(ICMPv4Header *)sent_layer4;
+ ICMPv4Header *rcvd_icmp4=(ICMPv4Header *)rcvd_layer4;
+
+ switch( sent_icmp4->getType() ){
+
+ case ICMP_ECHOREPLY:
+ /* We don't expect replies to Echo replies. */
+ return false;
+ break;
+
+ case ICMP_UNREACH:
+ case ICMP_SOURCEQUENCH:
+ case ICMP_REDIRECT:
+ case ICMP_TIMXCEED:
+ case ICMP_PARAMPROB:
+ /* Nodes are not supposed to respond to error messages, so
+ * we don't expect any replies. */
+ return false;
+ break;
+
+ case ICMP_ECHO:
+ /* For Echo request, we expect echo replies */
+ if(rcvd_icmp4->getType()!=ICMP_ECHOREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp4->getIdentifier() != rcvd_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != rcvd_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_ROUTERSOLICIT:
+ /* For ICMPv4 router solicitations, we expect router advertisements.
+ * We don't validate anything else because in IPv4 any advert that
+ * comes from the host we sent the solicitation to can be
+ * considered a response. */
+ if(rcvd_icmp4->getType()!=ICMP_ROUTERADVERT)
+ return false;
+ break;
+
+ case ICMP_ROUTERADVERT:
+ /* We don't expect responses to advertisements */
+ return false;
+ break;
+
+ case ICMP_TSTAMP:
+ /* For Timestampt requests, we expect timestamp replies */
+ if(rcvd_icmp4->getType()!=ICMP_TSTAMPREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp4->getIdentifier() != rcvd_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != rcvd_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_TSTAMPREPLY:
+ /* We do not expect responses to timestamp replies */
+ return false;
+ break;
+
+ case ICMP_INFO:
+ /* For Information requests, we expect Information replies */
+ if(rcvd_icmp4->getType()!=ICMP_INFOREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp4->getIdentifier() != rcvd_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != rcvd_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_INFOREPLY:
+ /* We do not expect responses to Information replies */
+ return false;
+ break;
+
+ case ICMP_MASK:
+ /* For Netmask requests, we expect Netmask replies */
+ if(rcvd_icmp4->getType()!=ICMP_MASKREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp4->getIdentifier() != rcvd_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != rcvd_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_MASKREPLY:
+ /* We do not expect responses to netmask replies */
+ return false;
+ break;
+
+ case ICMP_TRACEROUTE:
+ /* We don't expect replies to a traceroute message as it is
+ * sent as a response to an IP datagram that contains the
+ * IP traceroute option. Also, note that this function does
+ * not take this into account when processing IPv4 datagrams
+ * so if we receive an ICMP_TRACEROUTE we'll not be able
+ * to match it with the original IP datagram. */
+ return false;
+ break;
+
+ case ICMP_DOMAINNAME:
+ /* For Domain Name requests, we expect Domain Name replies */
+ if(rcvd_icmp4->getType()!=ICMP_DOMAINNAMEREPLY)
+ return false;
+ /* And we expect the ID and sequence number of the reply to
+ * match the ID and seq of the request. */
+ if(sent_icmp4->getIdentifier() != rcvd_icmp4->getIdentifier())
+ return false;
+ if(sent_icmp4->getSequence() != rcvd_icmp4->getSequence())
+ return false;
+ break;
+
+ case ICMP_DOMAINNAMEREPLY:
+ /* We do not expect replies to DN replies */
+ return false;
+ break;
+
+ case ICMP_SECURITYFAILURES:
+ /* Nodes are not expected to send replies to this message, as it
+ * is an ICMP error. */
+ return false;
+ break;
+ }
+ }else{
+ return false; // Should never happen
+ }
+ }
+ }else if(sent_layer4->protocol_id()==HEADER_TYPE_TCP || sent_layer4->protocol_id()==HEADER_TYPE_UDP){
+
+ if(PKTPARSERDEBUG)printf("%s(): Sent packet has a transport layer header.\n", __func__);
+
+ /* Both are TCP or both UDP */
+ if(sent_layer4->protocol_id()==rcvd_layer4->protocol_id()){
+
+ if(PKTPARSERDEBUG)printf("%s(): Received packet has a transport layer header too.\n", __func__);
+
+ /* Probe source port must equal response target port */
+ if( ((TransportLayerElement *)sent_layer4)->getSourcePort() != ((TransportLayerElement *)rcvd_layer4)->getDestinationPort() )
+ return false;
+ /* Probe target port must equal response source port */
+ if( ((TransportLayerElement *)rcvd_layer4)->getSourcePort() != ((TransportLayerElement *)sent_layer4)->getDestinationPort() )
+ return false;
+
+ /* If we sent TCP or UDP and got ICMP in response, we need to find a copy of our packet in the
+ * ICMP payload, providing it is an ICMP error message. */
+ }else if(rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv6 || rcvd_layer4->protocol_id()==HEADER_TYPE_ICMPv4){
+
+ if(PKTPARSERDEBUG)printf("%s(): Received packet does not have transport layer header but an ICMP header.\n", __func__);
+
+ /* We only expect ICMP error messages */
+ if( !(((ICMPHeader *)rcvd_layer4)->isError()) )
+ return false;
+
+ /* Let's validate the original header */
+ NetworkLayerElement *iperror=(NetworkLayerElement *)rcvd_layer4->getNextElement();
+
+ /* ICMP error message must contain the original datagram */
+ if(iperror==NULL)
+ return false;
+
+ /* The first header must be IP */
+ if(iperror->protocol_id()!=HEADER_TYPE_IPv6 && iperror->protocol_id()!=HEADER_TYPE_IPv4)
+ return false;
+
+ /* The IP version must match the probe's */
+ if(iperror->protocol_id()!=sent_ip->protocol_id())
+ return false;
+
+ /* Source and destination addresses must match the probe's (NATs are
+ * supposed to rewrite them too, so this should be OK) */
+ if( memcmp(iperror->getSourceAddress(), sent_ip->getSourceAddress(), iperror->getAddressLength())!=0 )
+ return false;
+ if( memcmp(iperror->getDestinationAddress(), sent_ip->getDestinationAddress(), iperror->getAddressLength())!=0 )
+ return false;
+
+ /* So far we've verified that the ICMP error contains an IP datagram that matches
+ * what we sent. Now, let's find the upper layer protocol (skip extension
+ * headers and the like until we find some transport protocol). */
+ TransportLayerElement *layer4error=(TransportLayerElement *)iperror->getNextElement();
+ while(layer4error!=NULL){
+ if(layer4error->protocol_id()==HEADER_TYPE_UDP || layer4error->protocol_id()==HEADER_TYPE_TCP ){
+ break;
+ }else{
+ layer4error=(TransportLayerElement *)layer4error->getNextElement();
+ }
+ }
+ if(layer4error==NULL)
+ return false;
+
+ /* Now make sure we see the same port numbers */
+ if( layer4error->getSourcePort() != ((TransportLayerElement *)sent_layer4)->getSourcePort() )
+ return false;
+ if( layer4error->getDestinationPort() != ((TransportLayerElement *)sent_layer4)->getDestinationPort() )
+ return false;
+ } else {
+ return false;
+ }
+ }else{
+ /* We sent a layer 4 other than ICMP, ICMPv6, TCP, or UDP. We return false
+ * as we cannot match responses for protocols we don't understand */
+ return false;
+ }
+
+ /* If we get there it means the packet passed all the tests. Return true
+ * to indicate that the packet is a response to this FPProbe. */
+ if(PKTPARSERDEBUG)printf("%s(): The received packet was successfully matched with the sent packet.\n", __func__);
+ return true;
+}
+
+/* Tries to find a transport layer header in the supplied chain of
+ * protocol headers. On success it returns a pointer to a PacketElement
+ * of one of these types:
+ *
+ * HEADER_TYPE_TCP
+ * HEADER_TYPE_UDP
+ * HEADER_TYPE_ICMPv4
+ * HEADER_TYPE_ICMPv6
+ * HEADER_TYPE_SCTP
+ * HEADER_TYPE_ARP
+ *
+ * It returns NULL if no transport layer header is found.
+ *
+ * Note that this method only understands IPv4, IPv6 (and its
+ * extension headers) and Ethernet. If the supplied packet contains
+ * something different before the tranport layer, NULL will be returned.
+ * */
+PacketElement *PacketParser::find_transport_layer(PacketElement *chain){
+ PacketElement *aux=chain;
+ /* Traverse the chain of PacketElements */
+ while(aux!=NULL){
+ switch(aux->protocol_id()){
+ /* If we have a link or a network layer header, skip it. */
+ case HEADER_TYPE_IPv6_HOPOPT:
+ case HEADER_TYPE_IPv4:
+ case HEADER_TYPE_IPv6:
+ case HEADER_TYPE_IPv6_ROUTE:
+ case HEADER_TYPE_IPv6_FRAG:
+ case HEADER_TYPE_IPv6_NONXT:
+ case HEADER_TYPE_IPv6_OPTS:
+ case HEADER_TYPE_ETHERNET:
+ case HEADER_TYPE_IPv6_MOBILE:
+ aux=aux->getNextElement();
+ break;
+
+ /* If we found the transport layer, return it. */
+ case HEADER_TYPE_TCP:
+ case HEADER_TYPE_UDP:
+ case HEADER_TYPE_ICMPv4:
+ case HEADER_TYPE_ICMPv6:
+ case HEADER_TYPE_SCTP:
+ case HEADER_TYPE_ARP:
+ return aux;
+ break;
+
+ /* Otherwise, the packet contains headers we don't understand
+ * so we just return NULL to indicate that no valid transport
+ * layer was found. */
+ default:
+ return NULL;
+ break;
+ }
+ }
+ return NULL;
+} /* End of find_transport_layer() */