[Snort-devel] Re: Snort preprocessor Kickstart

Dirk Geschke Dirk_Geschke at ...802...
Thu Dec 1 01:41:04 EST 2005

Hi Yash,

> I just saw, the structure IPHdr is initialized in Packet structure.
> So it takes care of that,
> but there are two structure pointers created, *iph, *orgiph.
> ie IP header, and original IP header.
> why do we need two?
> any comments!!!

the orig_iph contains the original IP header of an ICMP packet: ICMP error
messages contain the first bytes of the original packet, so you can relate
which original packet this ICMP error message belongs to.

In DecodeIPOnly() it is set, and this function is invoked for example from
ICMP_DEST_UNREACH in decode.c:
  if(!DecodeIPOnly(pkt + 8, orig_p_caplen, p))

Note: ICMP error messages are 1 Byte Type, 1 Byte Code, 2 Bytes Checksum, 
      4 Byte Message Data for additional ICMP messages and then follows
      the original Header of the IP packet for which the ICMP was generated
      and finally 8 bytes of original payload which usually contains the 
      source and destination ports (at least for TCP and UDP).

      So at least the original IP header starts at 1+1+2+4 = 8 Bytes off,
      hence the pkt + 8 in the function call...

Best regards


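The layout described in the note, as an added C example that is not Snort's own code: it locates the quoted IP header at offset 8, checks every read against the captured length (the role orig_p_caplen plays in the DecodeIPOnly() call) and pulls the original addresses and, for TCP/UDP, the ports out of the 8 payload bytes. The struct, function name and sample packet are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Fields recovered from the embedded original packet (assumed struct, not
 * Snort's own IPHdr/Packet types). Addresses and ports in host byte order. */
struct orig_info {
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;   /* only meaningful for TCP (6) and UDP (17) */
};

static uint32_t be32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  | b[3];
}

/* Locate the original IP header at pkt + 8 (1 type + 1 code + 2 checksum +
 * 4 message data) and the 8 payload bytes behind it. Every step is bounded by
 * caplen, the job orig_p_caplen does in the DecodeIPOnly() call; a truncated
 * capture returns 0 instead of reading past the buffer. */
int decode_icmp_error(const uint8_t *pkt, size_t caplen, struct orig_info *out)
{
    const uint8_t *ip = pkt + 8;
    size_t ihl;
    if (caplen < 8 + 20) return 0;                  /* ICMP hdr + minimal IPv4 hdr */
    if ((ip[0] >> 4) != 4) return 0;                /* IPv4 only in this example */
    ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || caplen < 8 + ihl + 8) return 0; /* options + 8 payload bytes */
    out->proto = ip[9];
    out->src = be32(ip + 12);
    out->dst = be32(ip + 16);
    out->sport = out->dport = 0;
    if (out->proto == 6 || out->proto == 17) {      /* ports sit in the 8 bytes */
        out->sport = (uint16_t)((ip[ihl] << 8) | ip[ihl + 1]);
        out->dport = (uint16_t)((ip[ihl + 2] << 8) | ip[ihl + 3]);
    }
    return 1;
}

/* Constructed sample: ICMP type 3 code 3 (port unreachable) quoting a UDP
 * datagram 10.0.0.1:40000 -> 10.0.0.2:53. Checksums are left as zero. */
static const uint8_t sample_icmp[] = {
    3, 3, 0, 0,  0, 0, 0, 0,                        /* ICMP header, 8 bytes */
    0x45, 0, 0, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,     /* IPv4, ihl 5, proto 17 */
    10, 0, 0, 1,  10, 0, 0, 2,                      /* original src, dst */
    0x9c, 0x40, 0x00, 0x35, 0x00, 0x08, 0, 0        /* UDP 40000 -> 53 */
};
```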