[Snort-devel] Protocol Headers

Bruno G. San Alejo bgonzalez at ...3012...
Tue Mar 10 09:05:54 EDT 2009

    Hi, I'm not a Snort develeper by any means but since actually I'm
being looking at this issuealso myself I'll tell what I found.

    It's all in the snort.c and decode.c files. From Snort.c you have
snortmain(), which calls SetPktProcessor(), which calls  DecodeEthPkt(),
which calls the right function for decode IP, ARP, IPX, ..., IPV6. You
have to take a look at the grinder thing. I'm not too sure but I recall
that's a pointer to a function at the level of the DecodeEthPkt() level.
Then they basically pass a pointer to this function with the  raw packet
data, and then they go through the "packet" incrementing the pointer as
needed to get to the other fields. Since all the protocols are one laid
before the other (or embebbed) by icrementing the pointer in right
amount of bytes, they go peeling the protocols.

    I was taking a look at ICMP, so I'll follow with that. From
DecodeEthPkt() you go to DecodeTCP(), DecodeIP(), or DecodeICMP(). All
of this works because the structure of the packet is known. This last
function has a pointer to the actual packet, and by laying it over the
right struct (in this case over the field ICMP header field in the
struct Packet), you get the value of these fields from the Packet
struct. The struct Packet is the keystone to decoding the raw packet.
>From this, Snort goes so many bytes ahead and extracts every field by
incrementing the pointer (the lengths of these fields are known since
they know what type of packet they are working on). Some fields are not
extracted but assumed they are at the right place (that gives a little
problem with redirect ICMP packets when extracting the gateway's IP).
When they have gone through the ICMP header with they call the function
DecodeICMPEmbeddedIP(p->data, p->dsize, p), which is the actual "payload".

       Hope this helps. See ya.

Rayne wrote:
> Hi,
> How does Snort detect and peel off the header layers of a packet to
> get to the payload?
> Thank you.
> ------------------------------------------------------------------------
> ------------------------------------------------------------------------------
> ------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list