?? op_decode.h
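/*
** Copyright (C) 1998-2001 Martin Roesch <roesch@clark.net>
** Portions Copyright(C) 2002 Andrew R. Baker <andrewb@snort.org>
**
** This program is distributed under the terms of version 1.0 of the
** Q Public License.  See LICENSE.QPL for further details.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
**
*/

/* $Id: op_decode.h,v 1.6 2004/04/03 19:57:32 andrewbaker Exp $ */

/*
 * Protocol constants, byte-extraction macros and on-the-wire header
 * layouts shared by the packet decoders.
 */

#ifndef __OP_DECODE_H__
#define __OP_DECODE_H__

/*  I N C L U D E S  **********************************************************/
#include "config.h"

#include <sys/types.h>
#include <netinet/in.h>

#include "barnyard.h"

/*  D E F I N E S  ************************************************************/

/* how big can an ethernet frame be? */
#define ETHERNET_MTU                  1500

/* ethernet ether_types */
#define ETHERNET_TYPE_IP              0x0800
#define ETHERNET_TYPE_ARP             0x0806
#define ETHERNET_TYPE_REVARP          0x8035
#define ETHERNET_TYPE_IPV6            0x86dd
#define ETHERNET_TYPE_IPX             0x8137
#define ETHERNET_TYPE_PPPoE_DISC      0x8863 /* discovery stage */
#define ETHERNET_TYPE_PPPoE_SESS      0x8864 /* session stage */
#define ETHERNET_TYPE_8021Q           0x8100

/* 802.2 LLC service access points and SNAP organisation codes */
#define ETH_DSAP_SNA                  0x08    /* SNA */
#define ETH_SSAP_SNA                  0x00    /* SNA */
#define ETH_DSAP_STP                  0x42    /* Spanning Tree Protocol */
#define ETH_SSAP_STP                  0x42    /* Spanning Tree Protocol */
#define ETH_DSAP_IP                   0xaa    /* IP */
#define ETH_SSAP_IP                   0xaa    /* IP */

#define ETH_ORG_CODE_ETHR             0x000000    /* Encapsulated Ethernet */
#define ETH_ORG_CODE_CDP              0x00000c    /* Cisco Discovery Proto */

/* link-layer header sizes, in bytes */
#define ETHERNET_HEADER_LEN           14
#define MINIMAL_TOKENRING_HEADER_LEN  22
#define TR_HLEN                       MINIMAL_TOKENRING_HEADER_LEN
#define TOKENRING_LLC_LEN             8
#define SLIP_HEADER_LEN               16

/* PPP protocol numbers */
#define PPP_IP                        0x0021    /* Internet Protocol */
#define PPP_VJ_COMP                   0x002d    /* VJ compressed TCP/IP */
#define PPP_VJ_UCOMP                  0x002f    /* VJ uncompressed TCP/IP */
#define PPP_IPX                       0x002b    /* Novell IPX Protocol */

/* otherwise defined in /usr/include/ppp_defs.h */
#ifndef PPP_MTU
    #define PPP_MTU                   1500
#endif

/* NULL aka LoopBack interfaces */
#define NULL_HDRLEN                   4

/*
 * Fixed header sizes in bytes.  For IP and TCP these are the sizes without
 * options, so they are a lower bound to validate against, not a substitute
 * for the length fields carried in the headers themselves.
 */
#define IP_HEADER_LEN                 20
#define TCP_HEADER_LEN                20
#define UDP_HEADER_LEN                8
#define ICMP_HEADER_LEN               4

/* TCP flag bits */
#define TH_FIN                        0x01
#define TH_SYN                        0x02
#define TH_RST                        0x04
#define TH_PUSH                       0x08
#define TH_ACK                        0x10
#define TH_URG                        0x20
#define TH_RES2                       0x40
#define TH_RES1                       0x80

/*
 * tcp options stuff. used to be in <netinet/tcp.h> but it breaks
 * things on AIX
 */
#define TCPOPT_EOL                    0
#define TCPOPT_NOP                    1
#define TCPOPT_MAXSEG                 2
#define TCPOLEN_MAXSEG                4
#define TCPOPT_WINDOW                 3
#define TCPOLEN_WINDOW                3
#define TCPOPT_SACK_PERMITTED         4    /* Experimental */
#define TCPOLEN_SACK_PERMITTED        2
#define TCPOPT_SACK                   5    /* Experimental */
#define TCPOPT_TIMESTAMP              8
#define TCPOLEN_TIMESTAMP             10
#define TCPOLEN_TSTAMP_APPA           (TCPOLEN_TIMESTAMP+2)    /* appendix A */

#define TCPOPT_TSTAMP_HDR    \
    (TCPOPT_NOP<<24|TCPOPT_NOP<<16|TCPOPT_TIMESTAMP<<8|TCPOLEN_TIMESTAMP)

/*
 * Default maximum segment size for TCP.
 * With an IP MSS of 576, this is 536,
 * but 512 is probably more convenient.
 * This should be defined as MIN(512, IP_MSS - sizeof (struct tcpiphdr)).
 */
#ifndef TCP_MSS
    #define TCP_MSS                   512
#endif

#ifndef TCP_MAXWIN
    #define TCP_MAXWIN                65535    /* largest value for (unscaled) window */
#endif

#ifndef TCP_MAX_WINSHIFT
    #define TCP_MAX_WINSHIFT          14    /* maximum window shift */
#endif

/*
 * User-settable options (used with setsockopt).
 */
#ifndef TCP_NODELAY
    #define TCP_NODELAY               0x01    /* don't delay send to coalesce packets */
#endif

#ifndef TCP_MAXSEG
    #define TCP_MAXSEG                0x02    /* set maximum segment size */
#endif

#define SOL_TCP                       6    /* TCP level */

#define L2TP_PORT                     1701
#define DHCP_CLIENT_PORT              68
#define DHCP_SERVER_PORT              67

/* IRIX 6.2 hack! */
#ifndef IRIX
    #define SNAPLEN                   1514
#else
    #define SNAPLEN                   1500
#endif

#define MIN_SNAPLEN                   68
#define PROMISC                       1
#define READ_TIMEOUT                  500

/* Start Token Ring */
#ifndef WIN32
    /* octets in a hardware address; sizes the address arrays in Trh_hdr */
    #define TR_ALEN                   6
    #define IPARP_SAP                 0xaa
    #define AC                        0x10
    #define LLC_FRAME                 0x40
    #define TRMTU                     2000    /* 2000 bytes */
    #define TR_RII                    0x80
    #define TR_RCF_DIR_BIT            0x80
    #define TR_RCF_LEN_MASK           0x1f00
    #define TR_RCF_BROADCAST          0x8000    /* all-routes broadcast */
    #define TR_RCF_LIMITED_BROADCAST  0xC000    /* single-route broadcast */
    #define TR_RCF_FRAME2K            0x20
    #define TR_RCF_BROADCAST_MASK     0xC000
#endif /* WIN32 */
/* End Token Ring */

/* Start FDDI */
#define FDDI_ALLC_LEN                 13
#define FDDI_ALEN                     6
/*
 * Parenthesised so the sum survives being used inside a larger expression
 * (e.g. a multiplication or a subtraction from a remaining-length count).
 */
#define FDDI_MIN_HLEN                 (FDDI_ALLC_LEN + 3)

#define FDDI_DSAP_SNA                 0x08    /* SNA */
#define FDDI_SSAP_SNA                 0x00    /* SNA */
#define FDDI_DSAP_STP                 0x42    /* Spanning Tree Protocol */
#define FDDI_SSAP_STP                 0x42    /* Spanning Tree Protocol */
#define FDDI_DSAP_IP                  0xaa    /* IP */
#define FDDI_SSAP_IP                  0xaa    /* IP */

#define FDDI_ORG_CODE_ETHR            0x000000    /* Encapsulated Ethernet */
#define FDDI_ORG_CODE_CDP             0x00000c    /* Cisco Discovery Proto(?) */

#define ETHERNET_TYPE_CDP             0x2000    /* Cisco Discovery Protocol */
/* End FDDI */

#define ARPOP_REQUEST                 1    /* ARP request */
#define ARPOP_REPLY                   2    /* ARP reply */
#define ARPOP_RREQUEST                3    /* RARP request */
#define ARPOP_RREPLY                  4    /* RARP reply */

/* PPPoE types */
#define PPPoE_CODE_SESS               0x00 /* PPPoE session */
#define PPPoE_CODE_PADI               0x09 /* PPPoE Active Discovery Initiation */
#define PPPoE_CODE_PADO               0x07 /* PPPoE Active Discovery Offer */
#define PPPoE_CODE_PADR               0x19 /* PPPoE Active Discovery Request */
#define PPPoE_CODE_PADS               0x65 /* PPPoE Active Discovery Session-confirmation */
#define PPPoE_CODE_PADT               0xa7 /* PPPoE Active Discovery Terminate */

/* PPPoE tag types */
#define PPPoE_TAG_END_OF_LIST         0x0000
#define PPPoE_TAG_SERVICE_NAME        0x0101
#define PPPoE_TAG_AC_NAME             0x0102
#define PPPoE_TAG_HOST_UNIQ           0x0103
#define PPPoE_TAG_AC_COOKIE           0x0104
#define PPPoE_TAG_VENDOR_SPECIFIC     0x0105
#define PPPoE_TAG_RELAY_SESSION_ID    0x0110
#define PPPoE_TAG_SERVICE_NAME_ERROR  0x0201
#define PPPoE_TAG_AC_SYSTEM_ERROR     0x0202
#define PPPoE_TAG_GENERIC_ERROR       0x0203

/* ICMP message types */
#define ICMP_ECHOREPLY                0    /* Echo Reply */
#define ICMP_DEST_UNREACH             3    /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH            4    /* Source Quench */
#define ICMP_REDIRECT                 5    /* Redirect (change route) */
#define ICMP_ECHO                     8    /* Echo Request */
#define ICMP_TIME_EXCEEDED            11   /* Time Exceeded */
#define ICMP_PARAMETERPROB            12   /* Parameter Problem */
#define ICMP_TIMESTAMP                13   /* Timestamp Request */
#define ICMP_TIMESTAMPREPLY           14   /* Timestamp Reply */
#define ICMP_INFO_REQUEST             15   /* Information Request */
#define ICMP_INFO_REPLY               16   /* Information Reply */
#define ICMP_ADDRESS                  17   /* Address Mask Request */
#define ICMP_ADDRESSREPLY             18   /* Address Mask Reply */
#define NR_ICMP_TYPES                 18

/* Codes for ICMP UNREACHABLES */
#define ICMP_NET_UNREACH              0    /* Network Unreachable */
#define ICMP_HOST_UNREACH             1    /* Host Unreachable */
#define ICMP_PROT_UNREACH             2    /* Protocol Unreachable */
#define ICMP_PORT_UNREACH             3    /* Port Unreachable */
#define ICMP_FRAG_NEEDED              4    /* Fragmentation Needed/DF set */
#define ICMP_SR_FAILED                5    /* Source Route failed */
#define ICMP_NET_UNKNOWN              6
#define ICMP_HOST_UNKNOWN             7
#define ICMP_HOST_ISOLATED            8
#define ICMP_NET_ANO                  9
#define ICMP_HOST_ANO                 10
#define ICMP_NET_UNR_TOS              11
#define ICMP_HOST_UNR_TOS             12
#define ICMP_PKT_FILTERED             13   /* Packet filtered */
#define ICMP_PREC_VIOLATION           14   /* Precedence violation */
#define ICMP_PREC_CUTOFF              15   /* Precedence cut off */
#define NR_ICMP_UNREACH               15   /* instead of hardcoding immediate
                                            * value */

/* ip option type codes */
#ifndef IPOPT_EOL
    #define IPOPT_EOL                 0x00
#endif

#ifndef IPOPT_NOP
    #define IPOPT_NOP                 0x01
#endif

#ifndef IPOPT_RR
    #define IPOPT_RR                  0x07
#endif

#ifndef IPOPT_RTRALT
    #define IPOPT_RTRALT              0x14
#endif

#ifndef IPOPT_TS
    #define IPOPT_TS                  0x44
#endif

#ifndef IPOPT_SECURITY
    #define IPOPT_SECURITY            0x82
#endif

#ifndef IPOPT_LSRR
    #define IPOPT_LSRR                0x83
#endif

#ifndef IPOPT_LSRR_E
    #define IPOPT_LSRR_E              0x84
#endif

#ifndef IPOPT_SATID
    #define IPOPT_SATID               0x88
#endif

#ifndef IPOPT_SSRR
    #define IPOPT_SSRR                0x89
#endif

/* tcp option codes */
#define TOPT_EOL                      0x00
#define TOPT_NOP                      0x01
#define TOPT_MSS                      0x02
#define TOPT_WS                       0x03
#define TOPT_TS                       0x08

#ifndef TCPOPT_WSCALE
    #define TCPOPT_WSCALE             3     /* window scale factor (rfc1072) */
#endif
#ifndef TCPOPT_SACKOK
    #define TCPOPT_SACKOK             4     /* selective ack ok (rfc1072) */
#endif
#ifndef TCPOPT_SACK
    #define TCPOPT_SACK               5     /* selective ack (rfc1072) */
#endif
#ifndef TCPOPT_ECHO
    #define TCPOPT_ECHO               6     /* echo (rfc1072) */
#endif
#ifndef TCPOPT_ECHOREPLY
    #define TCPOPT_ECHOREPLY          7     /* echo reply (rfc1072) */
#endif
#ifndef TCPOPT_TIMESTAMP
    #define TCPOPT_TIMESTAMP          8     /* timestamps (rfc1323) */
#endif
#ifndef TCPOPT_CC
    #define TCPOPT_CC                 11    /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCNEW
    #define TCPOPT_CCNEW              12    /* T/TCP CC options (rfc1644) */
#endif
#ifndef TCPOPT_CCECHO
    #define TCPOPT_CCECHO             13    /* T/TCP CC options (rfc1644) */
#endif

/*
 * EXTRACT_16BITS / EXTRACT_32BITS read a big-endian (network order) field
 * at address p and return it in host order.
 *
 * Neither macro takes a length, so they perform no bounds checking: the
 * caller must already have confirmed that 2 (resp. 4) bytes remain in the
 * captured data at p.  Packet contents are untrusted input, and field
 * offsets inside a capture are frequently not naturally aligned.
 */
#ifdef WORDS_MUSTALIGN

/*
 * Strict-alignment targets: copy the bytes into an aligned temporary first.
 * The 16-bit form needs this as much as the 32-bit one, since a u_short load
 * from an odd address faults on the same hardware.
 */
    #define EXTRACT_16BITS(p) ({ u_int16_t __tmp; \
        memmove(&__tmp, (p), sizeof(u_int16_t)); \
        (u_short) ntohs(__tmp);})

/* force word-aligned ntohl parameter */
    #define EXTRACT_32BITS(p) ({ u_int32_t __tmp; \
        memmove(&__tmp, (p), sizeof(u_int32_t)); \
        (u_int32_t) ntohl(__tmp);})

#else

/* allows unaligned ntohs/ntohl parameter - dies w/SIGBUS on SPARCs */
    #define EXTRACT_16BITS(p) ((u_short) ntohs (*(u_short *)(p)))
    #define EXTRACT_32BITS(p) ((u_int32_t) ntohl (*(u_int32_t *)(p)))

#endif /* WORDS_MUSTALIGN */

#define PACKET_REBUILT_FRAG           0x00000001
#define PACKET_REBUILT_STREAM         0x00000002

/*  D A T A  S T R U C T U R E S  *********************************************/

/* START Token Ring Data Structures */
#ifndef WIN32

/* LLC structure */
typedef struct _Trh_llc
{
    u_int8_t dsap;
    u_int8_t ssap;
    u_int8_t protid[3];
    u_int16_t ethertype;
} Trh_llc;

/* RIF structure
 * Linux/tcpdump patch defines tokenring header in dump way, since not
 * every tokenring header will have RIF data... we define it separately, and
 * a bit more split up
 *
 * NOTE(review): len is 5 bits wide, so it can encode up to 31 bytes, while
 * this struct holds only the 2-byte control word plus rseg[8] (16 bytes).
 * Code that walks the RIF using len should bound it against both this
 * struct and the captured length - confirm in the decoder.
 */
typedef struct _Trh_mr
{
#if defined(WORDS_BIGENDIAN)
    u_int16_t bcast:3,
              len:5,
              dir:1,
              lf:3,
              res:4;
#else
    u_int16_t len:5,         /* length of RIF field, including RC itself
                              * (bytes) */
              bcast:3,       /* broadcast indicator */
              res:4,         /* reserved */
              lf:3,          /* largest frame size */
              dir:1;         /* direction */
#endif
    u_int16_t rseg[8];
} Trh_mr;

typedef struct _Trh_hdr
{
    u_int8_t ac;                /* access control field */
    u_int8_t fc;                /* frame control field */
    u_int8_t daddr[TR_ALEN];    /* destination address (comment previously read "src address") */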