packet-transum.h

/* packet-transum.h
 * Header file for the TRANSUM response time analyzer post-dissector
 * By Paul Offord <[email protected]>
 * Copyright 2016 Advance Seven Limited
 *
 * Wireshark - Network traffic analyzer
 * By Gerald Combs <[email protected]>
 * Copyright 1998 Gerald Combs
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
 
#define ETH_TYPE_IPV4 0x0800
#define ETH_TYPE_IPV6 0x86dd
 
#define IP_PROTO_TCP 6
#define IP_PROTO_UDP 17
 
#define RTE_CALC_SYN    1
#define RTE_CALC_GTCP   2
#define RTE_CALC_GUDP   3
#define RTE_CALC_SMB1   4
#define RTE_CALC_SMB2   5
#define RTE_CALC_DCERPC 6
#define RTE_CALC_DNS    7
 
#define MAX_SUBPKTS_PER_PACKET 16
 
typedef struct _RRPD
{
    /*
     * When c2s is true the associated packet is travelling client-to-service.
     * When false it is travelling service-to-client.
     * Only valid for RRPDs embedded in subpacket structures.
     */
    bool c2s; 
    uint8_t  ip_proto;   
    uint32_t stream_no;  
    uint64_t session_id; 
    uint64_t msg_id;     
    /*
     * When decode_based is false, the RR boundary is detected by a direction
     * change (s2c -> c2s) on the stream, as used by GTCP and GUDP calculations.
     * When true, application-protocol values (e.g. DCERPC) are used to detect
     * APDU boundaries.
     */
    bool decode_based; 
    bool is_retrans; 
    uint32_t req_first_frame;  
    nstime_t req_first_rtime;  
    uint32_t req_last_frame;   
    nstime_t req_last_rtime;   
    uint32_t rsp_first_frame;  
    nstime_t rsp_first_rtime;  
    uint32_t rsp_last_frame;   
    nstime_t rsp_last_rtime;   
    unsigned calculation; 
    /* Tuning counters */
    uint32_t req_search_total; 
    uint32_t rsp_search_total; 
} RRPD;
 
typedef struct _PKT_INFO
{
    int      frame_number;  
    nstime_t relative_time; 
    /* TCP analysis flags */
    bool     tcp_retran;      
    bool     tcp_keep_alive;  
    bool     tcp_flags_syn;   
    bool     tcp_flags_ack;   
    bool     tcp_flags_reset; 
    uint32_t tcp_flags_urg;   
    uint32_t tcp_seq;         
    /* Generic transport values */
    uint16_t srcport; 
    uint16_t dstport; 
    uint16_t len;     
    /* TLS */
    uint8_t ssl_content_type; 
    /* TDS */
    uint8_t  tds_type;   
    uint16_t tds_length; 
    /* SMB */
    uint16_t smb_mid; 
    /* SMB2 */
    uint64_t smb2_sesid;  
    uint64_t smb2_msg_id; 
    uint16_t smb2_cmd;    
    /* DCERPC */
    uint8_t  dcerpc_ver;        
    uint8_t  dcerpc_pkt_type;   
    uint32_t dcerpc_cn_call_id; 
    uint16_t dcerpc_cn_ctx_id;  
    /* DNS */
    uint16_t dns_id; 
    /* Calculated values */
    bool pkt_of_interest; 
    /* RRPD data for this packet; populated based on the detected application protocol */
    RRPD rrpd; 
} PKT_INFO;
 
typedef enum {
    HF_INTEREST_IP_PROTO = 0,    
    HF_INTEREST_IPV6_NXT,        
    HF_INTEREST_TCP_RETRAN,      
    HF_INTEREST_TCP_KEEP_ALIVE,  
    HF_INTEREST_TCP_FLAGS_SYN,   
    HF_INTEREST_TCP_FLAGS_ACK,   
    HF_INTEREST_TCP_FLAGS_RESET, 
    HF_INTEREST_TCP_FLAGS_URG,   
    HF_INTEREST_TCP_SEQ,         
    HF_INTEREST_TCP_SRCPORT,     
    HF_INTEREST_TCP_DSTPORT,     
    HF_INTEREST_TCP_STREAM,      
    HF_INTEREST_TCP_LEN,         
    HF_INTEREST_UDP_SRCPORT,     
    HF_INTEREST_UDP_DSTPORT,     
    HF_INTEREST_UDP_STREAM,      
    HF_INTEREST_UDP_LENGTH,      
    HF_INTEREST_SSL_CONTENT_TYPE, 
    HF_INTEREST_TDS_TYPE,        
    HF_INTEREST_TDS_LENGTH,      
    HF_INTEREST_SMB_MID,         
    HF_INTEREST_SMB2_SES_ID,     
    HF_INTEREST_SMB2_MSG_ID,     
    HF_INTEREST_SMB2_CMD,        
    HF_INTEREST_DCERPC_VER,         
    HF_INTEREST_DCERPC_PKT_TYPE,    
    HF_INTEREST_DCERPC_CN_CALL_ID,  
    HF_INTEREST_DCERPC_CN_CTX_ID,   
    HF_INTEREST_DNS_ID,          
    HF_INTEREST_END_OF_LIST      
} ehf_of_interest;
 
typedef struct _HF_OF_INTEREST_INFO {
    int         hf;         
    const char *proto_name; 
} HF_OF_INTEREST_INFO;
 
extern HF_OF_INTEREST_INFO hf_of_interest[HF_INTEREST_END_OF_LIST];
 
void add_detected_tcp_svc(uint16_t port);
 
extern bool is_dcerpc_context_zero(uint32_t pkt_type);
 
extern bool is_dcerpc_req_pkt_type(uint32_t pkt_type);
 
 
/*
 * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 *
 * Local variables:
 * c-basic-offset: 4
 * tab-width: 8
 * indent-tabs-mode: nil
 * End:
 *
 * vi: set shiftwidth=4 tabstop=8 expandtab:
 * :indentSize=4:tabSize=8:noTabs=true:
 */