先贴会有用的相关内容:
struct iphdr {
#if BYTE_ORDER == LITTLE_ENDIAN
uint8_t ihl: 4 , version: 4 ;
#elif BYTE_ORDER == BIG_ENDIAN
uint8_t version: 4 , ihl: 4 ;
#else
# error " BYTE_ORDER must be defined "
#endif
uint8_t tos;
uint16_t tot_len;
uint16_t id;
uint16_t frag_off;
uint8_t ttl;
uint8_t protocol;
uint16_t check;
uint32_t saddr;
uint32_t daddr;
};
因为dpi是对包处理,所以这个数据结构很重要。
#define IPOQUE_USE_ASYMMETRIC_DETECTION 0
#define IPQ_SELECTION_BITMASK_PROTOCOL_SIZE u32
#define IPQ_SELECTION_BITMASK_PROTOCOL_IP (1<<0)
#define IPQ_SELECTION_BITMASK_PROTOCOL_INT_TCP (1<<1)
#define IPQ_SELECTION_BITMASK_PROTOCOL_INT_UDP (1<<2)
#define IPQ_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP (1<<3)
#define IPQ_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD (1<<4)
#define IPQ_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION (1<<5)
#define IPQ_SELECTION_BITMASK_PROTOCOL_IPV6 (1<<6)
#define IPQ_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6 (1<<7)
#define IPQ_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC (1<<8)
#define IPOQUE_SAVE_AS_BITMASK(bitmask,value) (bitmask)=(((IPOQUE_PROTOCOL_BITMASK)1)<<(value))
#define IPOQUE_BITMASK_COMPARE(a,b) ((a) & (b))
#define IPOQUE_BITMASK_MATCH(x,y) ((x) == (y))
#define IPOQUE_PROTOCOL_BITMASK u64
一些用用的宏,标识包的协议
typedef struct ipoque_packet_struct {
const struct iphdr * iph;
const struct tcphdr * tcp;
const struct udphdr * udp;
const u8 * generic_l4_ptr; /* is set only for non tcp-udp traffic */
const u8 * payload;
IPOQUE_TIMESTAMP_COUNTER_SIZE tick_timestamp;
u32 detected_protocol;
struct ipoque_int_one_line_struct line[IPOQUE_MAX_PARSE_LINES_PER_PACKET];
struct ipoque_int_one_line_struct
unix_line[IPOQUE_MAX_PARSE_LINES_PER_PACKET];
struct ipoque_int_one_line_struct host_line;
struct ipoque_int_one_line_struct referer_line;
struct ipoque_int_one_line_struct content_line;
struct ipoque_int_one_line_struct accept_line;
struct ipoque_int_one_line_struct user_agent_line;
struct ipoque_int_one_line_struct http_url_name;
struct ipoque_int_one_line_struct http_encoding;
struct ipoque_int_one_line_struct http_transfer_encoding;
struct ipoque_int_one_line_struct http_contentlen;
struct ipoque_int_one_line_struct http_cookie;
struct ipoque_int_one_line_struct http_x_session_type;
u16 l3_packet_len;
u16 l4_packet_len;
u16 payload_packet_len;
u16 actual_payload_len;
u16 num_retried_bytes;
u16 parsed_lines;
u16 parsed_unix_lines;
u16 empty_line_position;
u8 tcp_retransmission;
u8 detected_sub_protocol;
u8 l4_protocol;
u8 packet_lines_parsed_complete;
u8 packet_unix_lines_parsed_complete;
u8 empty_line_position_set;
u8 packet_direction: 1 ;
}ipoque_packet_struct_t;
这是对数据包处理所需要的结构体,实际上opendpi中有一个数据结构为struct ipoque_detection_module_struct 是对所有的
包和flow 处理的。
从例子程序中运行情况看:
第一步:
static unsigned int packet_processing( const uint64_t time, const struct iphdr * iph, uint16_t ipsize, uint16_t rawsize)
进行包处理,其中调用get_osdpi_flow()函数 从数据包中取出里IP首部等相关信息。
第二步:调用
ipoque_detection_process_packet(ipoque_struct, ipq_flow, (uint8_t * ) iph, ipsize, time, src, dst);
正式地处理每个数据包,其中调用 ipoque_connection_tracking()函数 设置了包的连接信息,这个函数还没怎么看明白,明天在详细看。
第三步:在ipoque_detection_process_packet中使用如下来处理具体协议:
/* build ipq_selction packet bitmask */
ipq_selection_packet = IPQ_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC;
if (ipoque_struct -> packet.iph != NULL) {
ipq_selection_packet |= IPQ_SELECTION_BITMASK_PROTOCOL_IP | IPQ_SELECTION_BITMASK_PROTOCOL_IPV4_OR_IPV6;
}
if (ipoque_struct -> packet.tcp != NULL) {
ipq_selection_packet |=
(IPQ_SELECTION_BITMASK_PROTOCOL_INT_TCP | IPQ_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP);
}
if (ipoque_struct -> packet.udp != NULL) {
ipq_selection_packet |=
(IPQ_SELECTION_BITMASK_PROTOCOL_INT_UDP | IPQ_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP);
}
if (ipoque_struct -> packet.payload_packet_len != 0 ) {
ipq_selection_packet |= IPQ_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD;
}
if (ipoque_struct -> packet.tcp_retransmission == 0 ) {
ipq_selection_packet |= IPQ_SELECTION_BITMASK_PROTOCOL_NO_TCP_RETRANSMISSION;
}
IPOQUE_SAVE_AS_BITMASK(detection_bitmask, ipoque_struct -> packet.detected_protocol);
在如下代码中调用了http.c等匹配信息对包进行具体处理。
if (flow != NULL && ipoque_struct -> packet.tcp != NULL) {
if (ipoque_struct -> packet.payload_packet_len != 0 ) {
for (a = 0 ; a < ipoque_struct -> callback_buffer_size_tcp_payload; a ++ ) {
if ((ipoque_struct -> callback_buffer_tcp_payload[a].ipq_selection_bitmask & ipq_selection_packet) ==
ipoque_struct -> callback_buffer_tcp_payload[a].ipq_selection_bitmask
&& IPOQUE_BITMASK_COMPARE(ipoque_struct -> flow -> excluded_protocol_bitmask,
ipoque_struct -> callback_buffer_tcp_payload[a].excluded_protocol_bitmask) == 0
&& IPOQUE_BITMASK_COMPARE(ipoque_struct -> callback_buffer_tcp_payload[a].detection_bitmask,
detection_bitmask) != 0 ) {
ipoque_struct -> callback_buffer_tcp_payload[a].func(ipoque_struct);
}
}
这就是对一个包处理的过程,明天在细节上看看。
我还不懂,希望大家指教。