aboutsummaryrefslogtreecommitdiffstats
path: root/epan/dissectors/packet-udp.h
blob: 30857cbc892fa7498f2938e30634524310689da9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
/* packet-udp.h
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <gerald@wireshark.org>
 * Copyright 1998 Gerald Combs
 *
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */

#ifndef __PACKET_UDP_H__
#define __PACKET_UDP_H__

#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */

#include "ws_symbol_export.h"

#include <epan/conversation.h>

/* UDP structs and definitions */
typedef struct _e_udphdr {
  guint16 uh_sport;
  guint16 uh_dport;
  guint32 uh_ulen;
  guint32 uh_sum_cov;
  guint16 uh_sum;
  guint32 uh_stream; /* this stream index field is included to help differentiate when address/port pairs are reused */
  address ip_src;
  address ip_dst;
} e_udphdr;

/* Conversation and process structures originally copied from packet-tcp.c */
typedef struct _udp_flow_t {
	/* Process info, currently discovered via IPFIX */
	guint32 process_uid;    /* UID of local process */
	guint32 process_pid;    /* PID of local process */
	gchar *username;	/* Username of the local process */
	gchar *command;         /* Local process name + path + args */
} udp_flow_t;

struct udp_analysis {
	/* These two structs are managed based on comparing the source
	 * and destination addresses and, if they're equal, comparing
	 * the source and destination ports.
	 *
	 * If the source is greater than the destination, then stuff
	 * sent from src is in ual1.
	 *
	 * If the source is less than the destination, then stuff
	 * sent from src is in ual2.
	 *
	 * XXX - if the addresses and ports are equal, we don't guarantee
	 * the behavior.
	 */
	udp_flow_t	flow1;
	udp_flow_t	flow2;

	/* These pointers are set by get_tcp_conversation_data()
	 * fwd point in the same direction as the current packet
	 * and rev in the reverse direction
	 */
	udp_flow_t	*fwd;
	udp_flow_t	*rev;

	/* Keep track of udp stream numbers instead of using the conversation
	 * index (as how it was done before). This prevents gaps in the
	 * stream index numbering
	 */
	guint32		stream;
};

/** Associate process information with a given flow
 *
 * @param frame_num The frame number
 * @param local_addr The local IPv4 or IPv6 address of the process
 * @param remote_addr The remote IPv4 or IPv6 address of the process
 * @param local_port The local TCP port of the process
 * @param remote_port The remote TCP port of the process
 * @param uid The numeric user ID of the process
 * @param pid The numeric PID of the process
 * @param username Ephemeral string containing the full or partial process name
 * @param command Ephemeral string containing the full or partial process name
 */
extern void add_udp_process_info(guint32 frame_num, address *local_addr, address *remote_addr, guint16 local_port, guint16 remote_port, guint32 uid, guint32 pid, gchar *username, gchar *command);

/** Get the current number of UDP streams
 *
 * @return The number of UDP streams
 */
WS_DLL_PUBLIC guint32 get_udp_stream_count(void);

WS_DLL_PUBLIC void decode_udp_ports(tvbuff_t *, int, packet_info *,
	proto_tree *, int, int, int);

WS_DLL_PUBLIC struct udp_analysis *get_udp_conversation_data(conversation_t *,
	packet_info *);

/*
 * Loop for dissecting PDUs within a UDP packet; Similar to tcp_dissect_pdus,
 * but doesn't have stream support. Assumes that a PDU consists of a
 * fixed-length chunk of data that contains enough information
 * to determine the length of the PDU, followed by rest of the PDU.
 *
 * @param tvb the tvbuff with the (remaining) packet data passed to dissector
 * @param pinfo the packet info of this packet (additional info) passed to dissector
 * @param tree the protocol tree to be build or NULL passed to dissector
 * @param fixed_len is the length of the fixed-length part of the PDU.
 * @param heuristic_check is the optional routine called to see if dissection
 * should be done; it's passed "pinfo", "tvb", "offset" and "dissector_data".
 * @param get_pdu_len is a routine called to get the length of the PDU from
 * the fixed-length part of the PDU; it's passed "pinfo", "tvb", "offset" and
 * "dissector_data".
 * @param dissect_pdu the sub-dissector to be called
 * @param dissector_data parameter to pass to subdissector
 */
WS_DLL_PUBLIC int
udp_dissect_pdus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
		 guint fixed_len, gboolean (*heuristic_check)(packet_info *, tvbuff_t *, int, void*),
		 guint (*get_pdu_len)(packet_info *, tvbuff_t *, int, void*),
		 dissector_t dissect_pdu, void* dissector_data);

#ifdef __cplusplus
}
#endif /* __cplusplus */

#endif