[Snort-devel] Re: Snort preprocessor Kickstart
Dirk_Geschke at ...802...
Thu Dec 1 01:41:04 EST 2005
> I just saw that the structure IPHdr is initialized in the Packet structure,
> so it takes care of that,
> but there are two structure pointers created, *iph and *orig_iph,
> i.e. IP header and original IP header.
> Why do we need two?
> Any comments!!!
The orig_iph contains the original IP header of an ICMP packet: ICMP error
messages contain the first bytes of the original packet, so you can tell
which original packet this ICMP error message belongs to.
It is set in DecodeIPOnly(), and this function is invoked, for example, from
ICMP_DEST_UNREACH in decode.c:
if(!DecodeIPOnly(pkt + 8, orig_p_caplen, p))
Note: ICMP error messages are 1 byte type, 1 byte code, 2 bytes checksum,
4 bytes message data (used by some ICMP messages), and then follows
the original header of the IP packet for which the ICMP was generated,
and finally 8 bytes of original payload, which usually contain the
source and destination ports (at least for TCP and UDP).
So the original IP header starts at least 1+1+2+4 = 8 bytes in,
hence the pkt + 8 in the function call...
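The layout described above, as an added example written for this page; it is not Snort's decode.c and the names parse_icmp_error, build_sample and icmp_error_info are assumptions. It walks an ICMP error message the way DecodeIPOnly() is handed pkt + 8: verify the ICMP checksum, skip the 8-byte ICMP header, read the embedded IPv4 header (honouring its IHL rather than assuming 20 bytes), and pull the source and destination ports out of the 8 bytes of original payload when the embedded protocol is TCP or UDP. The sample packet is constructed, with its ICMP checksum filled in at build time; the embedded IP header's own checksum is left zero since the parser does not validate it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ICMP_HDR_LEN 8   /* type(1) + code(1) + checksum(2) + message data(4) */

struct icmp_error_info {
    uint8_t  type, code;
    uint32_t orig_src, orig_dst;     /* host order, from the embedded IP header */
    uint8_t  orig_proto;
    size_t   orig_ihl;               /* embedded IP header length in bytes */
    uint16_t orig_sport, orig_dport; /* from the 8 bytes of original payload */
    int      have_ports;             /* 1 only for embedded TCP/UDP with 8 bytes present */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* RFC 1071 one's-complement sum over the whole ICMP message; 0 means valid. */
uint16_t icmp_checksum(const uint8_t *p, size_t len) {
    uint32_t sum = 0;
    while (len > 1) { sum += rd16(p); p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Error types that carry an embedded IP header: dest unreachable, source
   quench, redirect, time exceeded, parameter problem. */
static int icmp_is_error_type(uint8_t t) {
    return t == 3 || t == 4 || t == 5 || t == 11 || t == 12;
}

/* Returns 0 on success, a negative code for malformed or truncated input. */
int parse_icmp_error(const uint8_t *pkt, size_t caplen, struct icmp_error_info *out) {
    if (caplen < ICMP_HDR_LEN) return -1;
    if (!icmp_is_error_type(pkt[0])) return -2;
    if (icmp_checksum(pkt, caplen) != 0) return -3;
    memset(out, 0, sizeof *out);
    out->type = pkt[0];
    out->code = pkt[1];
    const uint8_t *ip = pkt + ICMP_HDR_LEN;   /* the "pkt + 8" of the mail */
    size_t rem = caplen - ICMP_HDR_LEN;
    if (rem < 20) return -4;                  /* capture cut inside the IP header */
    if ((ip[0] >> 4) != 4) return -5;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > rem) return -6;     /* bogus IHL or options beyond caplen */
    out->orig_ihl = ihl;
    out->orig_proto = ip[9];
    out->orig_src = rd32(ip + 12);
    out->orig_dst = rd32(ip + 16);
    /* RFC 792: at least 8 bytes of the original datagram follow the IP header;
       for TCP and UDP those carry the source and destination ports. */
    if (rem - ihl >= 8 && (out->orig_proto == 6 || out->orig_proto == 17)) {
        out->orig_sport = rd16(ip + ihl);
        out->orig_dport = rd16(ip + ihl + 2);
        out->have_ports = 1;
    }
    return 0;
}

/* Constructed sample: type 3 code 3 (port unreachable) quoting a UDP datagram
   10.0.0.1:40000 -> 10.0.0.2:53. Returns the packet length written. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t tmpl[] = {
        3, 3, 0x00, 0x00, 0, 0, 0, 0,                   /* ICMP header, checksum zeroed */
        0x45, 0x00, 0x00, 0x2c, 0x1c, 0x46, 0x40, 0x00, /* embedded IPv4 header ... */
        0x40, 17, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2, /* ... TTL, proto UDP, src, dst */
        0x9c, 0x40, 0x00, 0x35, 0x00, 0x18, 0x00, 0x00  /* 8 bytes of payload: UDP header */
    };
    if (cap < sizeof tmpl) return 0;
    memcpy(buf, tmpl, sizeof tmpl);
    uint16_t c = icmp_checksum(buf, sizeof tmpl);
    buf[2] = (uint8_t)(c >> 8);
    buf[3] = (uint8_t)(c & 0xff);
    return sizeof tmpl;
}

int main(void) {
    uint8_t buf[64];
    struct icmp_error_info info;
    size_t n = build_sample(buf, sizeof buf);
    int rc = parse_icmp_error(buf, n, &info);
    printf("rc=%d type=%u code=%u proto=%u ihl=%zu ports=%u->%u\n", rc,
           info.type, info.code, info.orig_proto, info.orig_ihl,
           info.orig_sport, info.orig_dport);
    return rc != 0;
}
```

The point of taking the IHL from the embedded header rather than hard-coding 20 is that the "8 bytes in" rule only locates the start of the original IP header; where its payload (and hence the ports) begins depends on that inner header's own options.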