Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-03 23:28:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Move packet parsing code out of adapter into analyzer

Browse source
This commit is contained in:
Tim Wojtulewicz 2021-05-14 10:45:17 -07:00
parent f6e31107e1
commit d6c74373c7
5 changed files with 927 additions and 930 deletions
Download patch file Download diff file Expand all files Collapse all files

26
src/packet_analysis/protocol/tcp/TCP.h
View file

@ -5,9 +5,14 @@
#include "zeek/packet_analysis/Analyzer.h"
#include "zeek/packet_analysis/Component.h"
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
namespace zeek::analyzer::tcp { class TCP_Endpoint; }
namespace zeek::packet_analysis::TCP {
class TCPSessionAdapter;
class TCPAnalyzer final : public IP::IPBasedAnalyzer {
public:
TCPAnalyzer();
@ -63,6 +68,27 @@ protected:
* override in child classes, as not all analyzers need a PIA.
*/
analyzer::pia::PIA* MakePIA(Connection* conn) override;
private:
const struct tcphdr* ExtractTCP_Header(const u_char*& data, int& len, int& remaining,
TCPSessionAdapter* adapter);
void SynWeirds(analyzer::tcp::TCP_Flags flags, analyzer::tcp::TCP_Endpoint* endpoint,
int data_len) const;
int ParseTCPOptions(TCPSessionAdapter* adapter, const struct tcphdr* tcp,
bool is_orig) const;
void CheckRecording(Connection* c, bool need_contents, analyzer::tcp::TCP_Flags flags);
// Returns true if the checksum is valid, false if not (and in which
// case also updates the status history of the endpoint).
bool ValidateChecksum(const IP_Hdr* ip, const struct tcphdr* tp,
analyzer::tcp::TCP_Endpoint* endpoint,
int len, int caplen, TCPSessionAdapter* adapter);
TableValPtr ignored_nets;
};
}