// See the file "COPYING" in the main distribution directory for copyright. #pragma once #include "zeek/analyzer/Analyzer.h" #include "zeek/packet_analysis/Analyzer.h" #include "zeek/packet_analysis/Component.h" #include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h" #include "zeek/packet_analysis/protocol/ip/SessionAdapter.h" namespace zeek { class VectorVal; using VectorValPtr = IntrusivePtr; class RecordVal; using RecordValPtr = IntrusivePtr; namespace packet_analysis::ICMP { class ICMPSessionAdapter; class ICMPAnalyzer final : public IP::IPBasedAnalyzer { public: ICMPAnalyzer(); ~ICMPAnalyzer() override = default; static zeek::packet_analysis::AnalyzerPtr Instantiate() { return std::make_shared(); } packet_analysis::IP::SessionAdapter* MakeSessionAdapter(Connection* conn) override; protected: bool InitConnKey(size_t len, const uint8_t* data, Packet* packet, IPBasedConnKey& key) override; void DeliverPacket(Connection* c, double t, bool is_orig, int remaining, Packet* pkt) override; private: void NextICMP4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void NextICMP6(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void ICMP_Sent(const struct icmp* icmpp, int len, int caplen, int icmpv6, const u_char* data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void Echo(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void Redirect(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void RouterAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void NeighborAdvert(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void NeighborSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); void RouterSolicit(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); RecordValPtr BuildInfo(const struct icmp* icmpp, int len, bool icmpv6, const IP_Hdr* ip_hdr); RecordValPtr ExtractICMP4Context(int len, const u_char*& data); void Context4(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); TransportProto GetContextProtocol(const IP_Hdr* ip_hdr, uint32_t* src_port, uint32_t* dst_port); RecordValPtr ExtractICMP6Context(int len, const u_char*& data); void Context6(double t, const struct icmp* icmpp, int len, int caplen, const u_char*& data, const IP_Hdr* ip_hdr, ICMPSessionAdapter* adapter); // RFC 4861 Neighbor Discover message options VectorValPtr BuildNDOptionsVal(int caplen, const u_char* data, ICMPSessionAdapter* adapter); void UpdateEndpointVal(const ValPtr& endp, bool is_orig); }; // Returns the counterpart type to the given type (e.g., the counterpart // to ICMP_ECHOREPLY is ICMP_ECHO). extern int ICMP4_counterpart(int icmp_type, int icmp_code, bool& is_one_way); extern int ICMP6_counterpart(int icmp_type, int icmp_code, bool& is_one_way); } // namespace packet_analysis::ICMP } // namespace zeek