zeek/src/NFS.h

// See the file "COPYING" in the main distribution directory for copyright.

#ifndef nfs_h
#define nfs_h

#include "RPC.h"
#include "XDR.h"
#include "Event.h"

class NFS_Interp : public RPC_Interpreter {
public:
	NFS_Interp(Analyzer* arg_analyzer) : RPC_Interpreter(arg_analyzer) { }

protected:
	int RPC_BuildCall(RPC_CallInfo* c, const u_char*& buf, int& n);
	int RPC_BuildReply(RPC_CallInfo* c, BifEnum::rpc_status rpc_status,
				const u_char*& buf, int& n, double start_time,
				double last_time, int reply_len);

	// Returns a new val_list that already has a conn_val, rpc_status and
	// nfs_status. These are the first parameters for each nfs_* event
	// ...
	val_list* event_common_vl(RPC_CallInfo *c, BifEnum::rpc_status rpc_status,
				BifEnum::NFS3::status_t nfs_status,
				double rep_start_time, double rep_last_time,
				int reply_len);

	// These methods parse the appropriate NFSv3 "type" out of buf. If
	// there are any errors (i.e., buffer to short, etc), buf will be set
	// to 0. However, the methods might still return an allocated Val * !
	// So, you might want to Unref() the Val if buf is 0. Method names
	// are based on the type names of RFC 1813.
	StringVal* nfs3_fh(const u_char*& buf, int& n);
	RecordVal* nfs3_fattr(const u_char*& buf, int& n);
	EnumVal* nfs3_ftype(const u_char*& buf, int& n);
	RecordVal* nfs3_wcc_attr(const u_char*& buf, int& n);
	RecordVal* nfs3_diropargs(const u_char*&buf, int &n);
	StringVal* nfs3_filename(const u_char*& buf, int& n);
	StringVal* nfs3_nfspath(const u_char*& buf, int& n)
		{
		return nfs3_filename(buf,n);
		}

	RecordVal* nfs3_post_op_attr(const u_char*&buf, int &n);	// Return 0 or an fattr
	RecordVal* nfs3_pre_op_attr(const u_char*&buf, int &n);	// Return 0 or an wcc_attr
	RecordVal* nfs3_lookup_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
	RecordVal* nfs3_readargs(const u_char*& buf, int& n);
	RecordVal* nfs3_read_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status, bro_uint_t offset);
	RecordVal* nfs3_readlink_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
	RecordVal* nfs3_writeargs(const u_char*& buf, int& n);
	EnumVal* nfs3_stable_how(const u_char*& buf, int& n);
	RecordVal* nfs3_write_reply(const u_char*& buf, int& n, BifEnum::NFS3::status_t status);
	RecordVal* nfs3_newobj_reply(const u_char*& buf, int&n, BifEnum::NFS3::status_t status);
	RecordVal* nfs3_delobj_reply(const u_char*& buf, int& n);
	StringVal* nfs3_post_op_fh(const u_char*& buf, int& n);
	RecordVal* nfs3_readdirargs(bool isplus, const u_char*& buf, int&n);
	RecordVal* nfs3_readdir_reply(bool isplus, const u_char*& buf, int&n, BifEnum::NFS3::status_t status);

	// Consumes the file data in the RPC message. Depending on NFS::return_data* consts
	// in bro.init returns NULL or the data as string val:
	//   * offset is the offset of the read/write call
	//   * size is the amount of bytes read (or requested to be written),
	StringVal* nfs3_file_data(const u_char*& buf, int& n, uint64_t offset, int size);

	RecordVal* ExtractOptAttrs(const u_char*& buf, int& n);
	Val* ExtractUint32(const u_char*& buf, int& n);
	Val* ExtractUint64(const u_char*& buf, int& n);
	Val* ExtractTime(const u_char*& buf, int& n);
	Val* ExtractInterval(const u_char*& buf, int& n);
	Val* ExtractBool(const u_char*& buf, int& n);
};

class NFS_Analyzer : public RPC_Analyzer {
public:
	NFS_Analyzer(Connection* conn);
	virtual void Init();

	static Analyzer* InstantiateAnalyzer(Connection* conn)
		{ return new NFS_Analyzer(conn); }

	static bool Available()
		{
		return ( nfs_proc_null || nfs_proc_not_implemented || nfs_proc_getattr ||
		         nfs_proc_lookup || nfs_proc_read || nfs_proc_readlink ||
		         nfs_proc_write || nfs_proc_create || nfs_proc_mkdir ||
		         nfs_proc_remove || nfs_proc_rmdir || nfs_proc_readdir ||
		         nfs_reply_status ||
		         rpc_dialogue || rpc_call || rpc_reply );
		}
};


#endif