defrag.h File Reference

YAF Fragment Reassembler.

#include <yaf/autoinc.h>

Typedefs

typedef void(* YAFragFunc )(uint8_t *vctx, const struct pcap_pkthdr *hdr, const uint8_t *pkt)
 Packet handler function type.

Functions

void yaf_defrag_init (int32_t init_datalink, uint32_t init_timeout, uint32_t init_maxcount, YAFragFunc init_ipfn, YAFragFunc init_nonipfn)
 Initialize the fragment reassembler.
void yaf_defrag (uint8_t *vctx, const struct pcap_pkthdr *hdr, const uint8_t *pkt)
 Handle a packet.
void yaf_defrag_reset ()
 Reset the fragment reassembler.


Detailed Description

YAF Fragment Reassembler.

This file defines the interface to a drop-in IP fragment reassembler for pcap-based network inspection tools. The interface consists of three functions: yaf_defrag_init() initializes the fragment reassembler's internal data structures, yaf_defrag() handles packets from pcap_dispatch() and reassembles fragments, and yaf_defrag_reset() flushes outstanding fragmented packets and cleans up internal storage.

The "drop-in" nature of this module comes from the fact that when a packet is found not to be an IP packet, not to be a fragment, or is reassembled from fragments, it is passed as a full packet including datalink headers to a caller-supplied pcap handler function.


Typedef Documentation

typedef void(* YAFragFunc)(uint8_t *vctx, const struct pcap_pkthdr *hdr, const uint8_t *pkt)
 

Packet handler function type.

Parallels the pcap_dispatch() handler. Functions of this type are passed as ipfn and nonipfn to yaf_defrag_init(); calls to yaf_defrag() then pass complete IP datagrams and non-IP packets to them, respectively.


Function Documentation

void yaf_defrag (uint8_t *vctx, const struct pcap_pkthdr *hdr, const uint8_t *pkt)
 

Handle a packet.

Pass this function to pcap_dispatch() to use the reassembler. It calls ipfn or nonipfn when a packet is reassembled or is not fragmented. This function can handle trace files with a capture length less than the MTU of the underlying link layer; in this case, missing bytes will be replaced with zeroes in the defragmented packet.

Parameters:
vctx user data pointer from pcap_dispatch()
hdr pcap packet header
pkt pcap packet buffer

void yaf_defrag_init (int32_t init_datalink, uint32_t init_timeout, uint32_t init_maxcount, YAFragFunc init_ipfn, YAFragFunc init_nonipfn)
 

Initialize the fragment reassembler.

Allocates internal data structures for use by yaf_defrag(). Must be called before the first call to yaf_defrag().

Parameters:
init_datalink DLT_ datalink layer constant from pcap_datalink() for the pcap context on which yaf_defrag() will operate.
init_timeout Fragment timeout; fragments that take longer than this many seconds to reassemble will be dropped. A value of zero will select the default timeout of 30 seconds.
init_maxcount Maximum fragment count. If more than this many fragments (not fragmented datagrams) are outstanding and awaiting assembly, the reassembler will begin dropping fragments in oldest-first order. This allows reassembler users to limit resource consumption. A value of zero will disable resource limits.
init_ipfn YAFragFunc pointer to pass assembled or non-fragmented IP packets to. This function will be called with the datalink header of the final packet to be received, and the IP checksum set to zero. The vctx user data pointer will be the one supplied to pcap_dispatch().
init_nonipfn YAFragFunc pointer to pass non-IP packets to. May be NULL; in that case, non-IP packets will be ignored.
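
The two limits described for init_timeout and init_maxcount, modelled as an added example; this is not YAF's implementation. The fm_* names, the fixed ring capacity CAP, and the per-fragment age check are assumptions of the model, and the fragments fed to it never complete reassembly.

```c
#include <stdint.h>
#include <stdio.h>

#define CAP 1024u            /* fixed capacity of this model (assumption) */
#define DEFAULT_TIMEOUT 30u  /* seconds; the default the documentation names */

typedef struct {
    uint32_t arrived[CAP];   /* arrival time of each outstanding fragment */
    uint32_t head, count;    /* FIFO ring; head indexes the oldest fragment */
    uint32_t timeout, maxcount;
    uint32_t expired, evicted; /* drops by cause: timeout vs. count limit */
} frag_model_t;

void fm_init(frag_model_t *m, uint32_t timeout, uint32_t maxcount) {
    m->head = m->count = m->expired = m->evicted = 0;
    m->timeout = timeout ? timeout : DEFAULT_TIMEOUT;   /* 0 selects default */
    /* 0 disables the limit; this model is then bounded only by CAP. */
    m->maxcount = (maxcount && maxcount < CAP) ? maxcount : CAP;
}

static void fm_drop_oldest(frag_model_t *m, uint32_t *counter) {
    m->head = (m->head + 1) % CAP;
    m->count--;
    ++*counter;
}

/* Record one fragment arriving at `now` (seconds) that never completes.
 * Returns the number of fragments outstanding afterwards. */
uint32_t fm_add(frag_model_t *m, uint32_t now) {
    /* Timeout: drop fragments that have waited longer than `timeout`. */
    while (m->count && now - m->arrived[m->head] > m->timeout)
        fm_drop_oldest(m, &m->expired);
    /* Count limit: make room in oldest-first order. */
    while (m->count >= m->maxcount)
        fm_drop_oldest(m, &m->evicted);
    m->arrived[(m->head + m->count) % CAP] = now;
    return ++m->count;
}

int main(void) {
    frag_model_t m;
    fm_init(&m, 0, 4);                 /* default timeout, at most 4 held */
    for (uint32_t t = 0; t < 10; t++)  /* constructed input: 10 orphans */
        fm_add(&m, t);
    printf("outstanding=%u evicted=%u expired=%u\n",
           (unsigned)m.count, (unsigned)m.evicted, (unsigned)m.expired);
    return 0;
}
```

With a count limit set, a stream of fragments that never complete holds the model's state at the limit; the evicted and expired counters separate drops caused by the count limit from drops caused by the timeout.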

void yaf_defrag_reset ()
 

Reset the fragment reassembler.

Cleans up internal data structures. After reset, yaf_defrag_init() must be called before handling any more packets.


© 2005-2006 Carnegie Mellon University
Generated Thu Jul 6 15:52:58 2006 for YAF 0.1.6 by Doxygen 1.4.5.