1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
|
/* packet-udp.h
*
* Wireshark - Network traffic analyzer
* By Gerald Combs <gerald@wireshark.org>
* Copyright 1998 Gerald Combs
*
*
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#ifndef __PACKET_UDP_H__
#define __PACKET_UDP_H__
#include "ws_symbol_export.h"
#include <epan/conversation.h>
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
/* UDP structs and definitions */
typedef struct _e_udphdr {
guint16 uh_sport;
guint16 uh_dport;
guint32 uh_ulen;
guint32 uh_sum_cov;
guint16 uh_sum;
guint32 uh_stream; /* this stream index field is included to help differentiate when address/port pairs are reused */
address ip_src;
address ip_dst;
} e_udphdr;
/* Conversation and process structures originally copied from packet-tcp.c */
typedef struct _udp_flow_t {
/* Process info, currently discovered via IPFIX */
guint32 process_uid; /* UID of local process */
guint32 process_pid; /* PID of local process */
gchar *username; /* Username of the local process */
gchar *command; /* Local process name + path + args */
} udp_flow_t;
struct udp_analysis {
/* These two structs are managed based on comparing the source
* and destination addresses and, if they're equal, comparing
* the source and destination ports.
*
* If the source is greater than the destination, then stuff
* sent from src is in ual1.
*
* If the source is less than the destination, then stuff
* sent from src is in ual2.
*
* XXX - if the addresses and ports are equal, we don't guarantee
* the behavior.
*/
udp_flow_t flow1;
udp_flow_t flow2;
/* These pointers are set by get_udp_conversation_data()
* fwd point in the same direction as the current packet
* and rev in the reverse direction
*/
udp_flow_t *fwd;
udp_flow_t *rev;
/* Keep track of udp stream numbers instead of using the conversation
* index (as how it was done before). This prevents gaps in the
* stream index numbering
*/
guint32 stream;
/* Remember the timestamp of the first frame seen in this udp
* conversation to be able to calculate a relative time compared
* to the start of this conversation
*/
nstime_t ts_first;
/* Remember the timestamp of the frame that was last seen in this
* udp conversation to be able to calculate a delta time compared
* to previous frame in this conversation
*/
nstime_t ts_prev;
};
/** Associate process information with a given flow
*
* @param frame_num The frame number
* @param local_addr The local IPv4 or IPv6 address of the process
* @param remote_addr The remote IPv4 or IPv6 address of the process
* @param local_port The local TCP port of the process
* @param remote_port The remote TCP port of the process
* @param uid The numeric user ID of the process
* @param pid The numeric PID of the process
* @param username Ephemeral string containing the full or partial process name
* @param command Ephemeral string containing the full or partial process name
*/
extern void
add_udp_process_info(guint32 frame_num, address *local_addr, address *remote_addr,
guint16 local_port, guint16 remote_port,
guint32 uid, guint32 pid,
gchar *username, gchar *command);
/** Get the current number of UDP streams
*
* @return The number of UDP streams
*/
WS_DLL_PUBLIC guint32
get_udp_stream_count(void);
WS_DLL_PUBLIC void
decode_udp_ports(tvbuff_t *, int, packet_info *, proto_tree *, int, int, int);
WS_DLL_PUBLIC struct udp_analysis *
get_udp_conversation_data(conversation_t *, packet_info *);
/*
* Loop for dissecting PDUs within a UDP packet; Similar to tcp_dissect_pdus,
* but doesn't have stream support. Assumes that a PDU consists of a
* fixed-length chunk of data that contains enough information
* to determine the length of the PDU, followed by rest of the PDU.
*
* @param tvb the tvbuff with the (remaining) packet data passed to dissector
* @param pinfo the packet info of this packet (additional info) passed to dissector
* @param tree the protocol tree to be build or NULL passed to dissector
* @param fixed_len is the length of the fixed-length part of the PDU.
* @param heuristic_check is the optional routine called to see if dissection
* should be done; it's passed "pinfo", "tvb", "offset" and "dissector_data".
* @param get_pdu_len is a routine called to get the length of the PDU from
* the fixed-length part of the PDU; it's passed "pinfo", "tvb", "offset" and
* "dissector_data".
* @param dissect_pdu the sub-dissector to be called
* @param dissector_data parameter to pass to subdissector
*/
WS_DLL_PUBLIC int
udp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
guint fixed_len,
gboolean (*heuristic_check)(packet_info *, tvbuff_t *, int, void*),
guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
dissector_t dissect_pdu, void* dissector_data);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif
|