opendpi学习

opendpi-master\src\include\ipq_protocols_osdpi.h 协议特征对应的id和名字,包括长串和短串
缩写PACE:  Protocol & Application Classification Engine
even if they use advanced obfuscation (模糊) and encryption techniques.
It helps network equipment vendors enhance their products with powerful and proven Layer 7 protocol network
management and visibility capabilities. In addition it accelerates time-to-market for a variety of different application scenarios.
 
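/*
 * Reader's walkthrough of the OpenDPI pcapReader entry point.
 *
 * The original notes used "-->" arrows after each call to record the
 * call chain behind it; those arrows broke the listing as C, so they are
 * kept here as comments instead.  argv selects the capture source, so
 * everything the detection module sees afterwards is untrusted input.
 */
int main(int argc, char **argv)
{
    parseOptions(argc, argv);

    /* --> ipoque_init_detection_module(): allocates the
     * ipoque_detection_module_struct, initialises it and sets the
     * per-application timeouts (e.g. pplive_connection_timeout). */
    setupDetection();

    /* --> pcap_open_live() (pcap.c) --> pcap_create() (pcap-linux.c,
     * which registers pcap_activate_linux as the activate op).
     * NOTE: activate_mmap() later re-registers
     *   handle->read_op = pcap_read_linux_mmap;
     * so the read path differs between the plain and mmap ring setups. */
    openPcapFile();
    runPcapLoop();
    closePcapFile();

    printResults();

    terminateDetection();

    return 0;
}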
 
pcap_activate_linux(pcap_t *handle) 初始化pcap_t结构体中的主要回调函数
handle->read_op =  pcap_read_linux;
NETBIOS
MDNS
pcap_read_linux_mmap
 
/*
 * libpcap's private capture handle (pcap_t).  The *_op_t members are the
 * per-platform backend hooks; per the notes above, pcap_activate_linux()
 * fills read_op with pcap_read_linux and activate_mmap() replaces it with
 * pcap_read_linux_mmap once the memory-mapped ring is in use.
 */
struct pcap {
     int snapshot;         /* snapshot length (snaplen) requested at open time */
     int linktype;         /* Network linktype */
     int linktype_ext;        /* Extended information stored in the linktype field of a file */
     int tzoff;         /* timezone offset */
     int offset;         /* offset for proper alignment */
     int activated;         /* true if the capture is really started */
     int oldstyle;         /* if we're opening with pcap_open_live() */
     int break_loop;         /* flag set to force break from packet-reading loop */
     struct pcap_sf sf;         /* savefile (offline) state */
     struct pcap_md md;         /* platform-specific (Linux) state */
     struct pcap_opt opt;       /* open-time options, e.g. opt.buffer_size (see notes below) */
     int bufsize;               /* size of buffer; per the notes, create_ring() sets up buffer for the mmap path */
    u_char  *buffer;
    u_char  *bp;                /* read cursor into buffer */
     int cc;                    /* bytes remaining after bp */
    u_char  *pkt;
    pcap_direction_t direction;
    activate_op_t  activate_op;          /* pcap_activate_linux on this platform (see notes above) */
    can_set_rfmon_op_t  can_set_rfmon_op;
    read_op_t  read_op;                  /* pcap_read_linux, or pcap_read_linux_mmap after activate_mmap() */
    inject_op_t  inject_op;
    setfilter_op_t  setfilter_op;        /* installs fcode below */
    setdirection_op_t  setdirection_op;
    set_datalink_op_t  set_datalink_op;
    getnonblock_op_t  getnonblock_op;
    setnonblock_op_t  setnonblock_op;
    stats_op_t  stats_op;
     pcap_handler  oneshot_callback;
     cleanup_op_t  cleanup_op;
     struct bpf_program fcode;            /* compiled BPF filter program */
     char errbuf[PCAP_ERRBUF_SIZE  +  1]; /* +1 presumably for the NUL; every writer must bound to sizeof errbuf */
     int dlt_count;                       /* number of entries in dlt_list */
    u_int  *dlt_list;
     int tstamp_type_count;               /* number of entries in tstamp_type_list */
    u_int  *tstamp_type_list;
     struct pcap_pkthdr pcap_header;     /* This is needed for the pcap_next_ex() to work */
};
 
全局变量:
osdpi_ids:所有id对应的变量,每个id用来连接一个ip与一个表示该ip的ID
osdpi_flows:所有flow对应的变量,每个flow用来连接一个flow与一个表示该flow的key
protocol_counter,protocol_counter_bytes:与协议相关的计数器
 
struct ipoque_packet_struct
/*
 * Per-packet scratch state of the OpenDPI engine: const views into the
 * packet currently being examined (L3/L4 headers and payload), the
 * protocol-detection history, and the HTTP-style header lines parsed out
 * of the payload.  Everything below is derived from wire data and is
 * therefore untrusted; the length fields are u16, so whatever fills them
 * must clamp before assigning (TODO confirm in the setter, not visible here).
 */
typedef  struct ipoque_packet_struct {
     const  struct iphdr  * iph;          /* IPv4 header, or NULL (presumably) when iphv6 is used */
# ifdef IPOQUE_DETECTION_SUPPORT_IPV6
     const  struct ipq_ipv6hdr  *iphv6;
# endif
     const  struct tcphdr  * tcp;         /* set for TCP */
     const  struct udphdr  * udp;         /* set for UDP */
     const u8  *generic_l4_ptr;     /* is set only for non tcp-udp traffic */
     const u8  * payload;           /* start of L4 payload; payload_packet_len bytes are valid */

    IPOQUE_TIMESTAMP_COUNTER_SIZE tick_timestamp;   /* arrival time in engine ticks */


    /* detection history, most recent first or last is not visible here */
    u16 detected_protocol_stack[IPOQUE_PROTOCOL_HISTORY_SIZE];
    u8 detected_subprotocol_stack[IPOQUE_PROTOCOL_HISTORY_SIZE];

     /* this is for simple read-only access to the real protocol 
     * used for the main loop */

    u16 real_protocol_read_only;


# if IPOQUE_PROTOCOL_HISTORY_SIZE  >  1
#   if IPOQUE_PROTOCOL_HISTORY_SIZE  >  5
#    error protocol stack size not supported
#   endif

     /* entry_is_real_protocol is one flag bit per history entry, and the
      * field is only 5 bits wide: that is why the history size is capped
      * at 5 above.  current_stack_size_minus_one (3 bits) holds 0..7. */
     struct {
        u8 entry_is_real_protocol : 5;
        u8 current_stack_size_minus_one : 3;
    } __attribute__ ((packed)) protocol_stack_info;
# endif

    /* header lines parsed from the payload; parsed_lines / parsed_unix_lines
     * below presumably give how many of line[] / unix_line[] are valid.
     * The named *_line members are the well-known HTTP headers picked out
     * of that set (each is a (ptr,len) view, never a NUL-terminated string). */
     struct ipoque_int_one_line_struct line[IPOQUE_MAX_PARSE_LINES_PER_PACKET];
     struct ipoque_int_one_line_struct
     unix_line[IPOQUE_MAX_PARSE_LINES_PER_PACKET];
     struct ipoque_int_one_line_struct  host_line;
     struct ipoque_int_one_line_struct  referer_line;
     struct ipoque_int_one_line_struct content_line;
     struct ipoque_int_one_line_struct accept_line;
     struct ipoque_int_one_line_struct user_agent_line;
     struct ipoque_int_one_line_struct  http_url_name;
     struct ipoque_int_one_line_struct  http_encoding;
     struct ipoque_int_one_line_struct http_transfer_encoding;
     struct ipoque_int_one_line_struct http_contentlen;
     struct ipoque_int_one_line_struct http_cookie;
     struct ipoque_int_one_line_struct http_x_session_type;
     struct ipoque_int_one_line_struct server_line;
     struct ipoque_int_one_line_struct http_method;
     struct ipoque_int_one_line_struct http_response;

    /* lengths are u16: a packet longer than 65535 bytes cannot be
     * represented, so the filler must reject or clamp it */
    u16  l3_packet_len;
    u16  l4_packet_len;
    u16  payload_packet_len;
    u16 actual_payload_len;
    u16 num_retried_bytes;
    u16 parsed_lines;
    u16 parsed_unix_lines;
    u16 empty_line_position;         /* only meaningful when empty_line_position_set != 0 */
    u8 tcp_retransmission;
    u8 l4_protocol;                  /* IP protocol number of the L4 header */

    u8 packet_lines_parsed_complete;
    u8 packet_unix_lines_parsed_complete;
    u8 empty_line_position_set;
    u8 packet_direction : 1;
} ipoque_packet_struct_t;
 
struct ipoque_detection_module_struct
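/*
 * Per-instance state of the OpenDPI detection engine.  One of these is
 * allocated and initialised by ipoque_init_detection_module() (see the
 * main() walkthrough above).  It carries the enabled-protocol bitmask,
 * the packet currently under inspection, the per-L4-type dissector
 * callback tables and the per-application timeouts.
 *
 * Fix: the original listing had lost the ';' after the
 * edonkey_upper_ports_only bitfield (the author's note had overwritten
 * it), which does not compile; it is restored here.
 */
typedef struct ipoque_detection_module_struct {
    /* which protocols the caller asked to detect, and which packets are
     * treated as generic HTTP; both are IPOQUE_PROTOCOL_BITMASK bit sets */
    IPOQUE_PROTOCOL_BITMASK detection_bitmask;
    IPOQUE_PROTOCOL_BITMASK generic_http_packet_bitmask;

    /* engine clock: the current tick and how many ticks make a second.
     * The *_timeout fields below are presumably expressed in these ticks
     * (the setter is not visible here). */
    IPOQUE_TIMESTAMP_COUNTER_SIZE current_ts;
    u32 ticks_per_second;

#ifdef IPOQUE_ENABLE_DEBUG_MESSAGES
    void *user_data;
#endif

    /* internal structures kept here to save function-call arguments:
     * the packet under inspection plus the flow and endpoint records it
     * belongs to.  flow/src/dst are pointers, presumably into the
     * caller-owned tables noted above (osdpi_flows / osdpi_ids). */
    struct ipoque_packet_struct packet;
    struct ipoque_flow_struct *flow;
    struct ipoque_id_struct *src;
    struct ipoque_id_struct *dst;

    /* dissector callback tables.  Each buffer holds up to
     * IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1 entries (the reason for the +1 is
     * not visible here) and the matching *_size field counts the used
     * entries; whoever appends must check the size against that bound. */
    struct ipq_call_function_struct
        callback_buffer[IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1];
    u32 callback_buffer_size;

    struct ipq_call_function_struct
        callback_buffer_tcp_no_payload[IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1];
    u32 callback_buffer_size_tcp_no_payload;

    struct ipq_call_function_struct
        callback_buffer_tcp_payload[IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1];
    u32 callback_buffer_size_tcp_payload;

    struct ipq_call_function_struct
        callback_buffer_udp[IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1];
    u32 callback_buffer_size_udp;

    struct ipq_call_function_struct
        callback_buffer_non_tcp_udp[IPOQUE_MAX_SUPPORTED_PROTOCOLS + 1];
    u32 callback_buffer_size_non_tcp_udp;

#ifdef IPOQUE_ENABLE_DEBUG_MESSAGES
    /* debug callback, only set when debug is used; the file/function/line
     * triple records where the current debug message was raised */
    ipoque_debug_function_ptr ipoque_debug_printf;
    const char *ipoque_debug_print_file;
    const char *ipoque_debug_print_function;
    u32 ipoque_debug_print_line;
#endif

    /* misc parameters */
    u32 tcp_max_retransmission_window_size;

    /* one bit each; the remainder of the u32 is padding */
    u32 edonkey_upper_ports_only : 1;
    u32 edonkey_safe_mode : 1;

    u32 directconnect_connection_ip_tick_timeout;

    /* gadu gadu */
    u32 gadugadu_peer_connection_timeout;
    /* pplive params */
    u32 pplive_connection_timeout;
    /* ftp parameters */
    u32 ftp_connection_timeout;
    /* irc parameters */
    u32 irc_timeout;
    /* gnutella parameters */
    u32 gnutella_timeout;
    /* battlefield parameters */
    u32 battlefield_timeout;
    /* thunder parameters */
    u32 thunder_timeout;
    /* SoulSeek parameters */
    u32 soulseek_connection_ip_tick_timeout;
    /* rtsp parameters */
    u32 rtsp_connection_timeout;
    /* tvants parameters */
    u32 tvants_connection_timeout;
    u32 orb_rstp_ts_timeout;
    /* yahoo */
    /* u32 yahoo_http_filetransfer_timeout; -- commented out upstream */
    u8 yahoo_detect_http_connections;
    u32 yahoo_lan_video_timeout;
    u32 zattoo_connection_timeout;
    u32 jabber_stun_timeout;
    u32 jabber_file_transfer_timeout;
    u32 manolito_subscriber_timeout;
#ifdef IPOQUE_ENABLE_DEBUG_MESSAGES
#define IPOQUE_IP_STRING_SIZE 40
    /* scratch buffer for printing addresses in debug output; writers must
     * bound to IPOQUE_IP_STRING_SIZE */
    char ip_string[IPOQUE_IP_STRING_SIZE];
#endif
    u8 ip_version_limit;
} ipoque_detection_module_struct_t;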
 
pcap-linux.c
activate_mmap()-->create_ring()-->初始化handle->buffer
handle->opt.buffer_size = 2*1024*1024 (2 MB) 环大小

/*
 * proto_ops table for the legacy SOCK_PACKET flavour of PF_PACKET
 * (kernel af_packet.c, per the bind chain noted below).  Every operation
 * this socket type does not support is a sock_no_* stub.  Note that both
 * .setsockopt and .mmap are stubs here, so the memory-mapped ring that
 * activate_mmap() sets up (notes above) cannot be driven through this
 * table; presumably it goes through the separate SOCK_RAW/SOCK_DGRAM
 * packet ops table — confirm in af_packet.c.
 * NOTE(review): creating PF_PACKET sockets is a privileged operation in
 * the kernel (CAP_NET_RAW) — not shown here, confirm in packet_create().
 */
static  const  struct proto_ops packet_ops_spkt  = {
    .family  =    PF_PACKET,
    .owner  =    THIS_MODULE,
    .release  =    packet_release,
     // author's note: binding attaches the af_packet protocol handler
     // (packet_bind_spkt -> packet_do_bind -> dev_add_pack, see below)
    .bind  =         packet_bind_spkt,
    .connect  =    sock_no_connect,
    .socketpair  =    sock_no_socketpair,
    .accept  =    sock_no_accept,
    .getname  =    packet_getname_spkt,
    .poll  =        datagram_poll,
    .ioctl  =    packet_ioctl,
    .listen  =    sock_no_listen,
    .shutdown  =    sock_no_shutdown,
    .setsockopt  =    sock_no_setsockopt,   /* no socket options: no ring setup via this table */
    .getsockopt  =    sock_no_getsockopt,
    .sendmsg  =    packet_sendmsg_spkt,
    .recvmsg  =    packet_recvmsg,          /* shared with the non-spkt flavour */
    .mmap  =        sock_no_mmap,           /* no mmap: see note above */
    .sendpage  =    sock_no_sendpage,
};
加载af_packet协议到全局数组的流程
iface_bind( pcap-linux.c)-->bind()-->调用socket 注册的bind函数packet_bind_spkt(af_packet.c)
-->packet_do_bind-->dev_add_pack(协议注册,加入ptype_base协议链表中(ip协议也在该链表中))