int DissecRegist(const char *file_cfg)
{
proto_dep dep;
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("802.11 Radiotap", "radiotap");
/* pcapf dependence */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_IEEE802_11_RADIO;
ProtDep(&dep);
/* pol dependence */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_IEEE802_11_RADIO;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(RadiotapDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("PPP-over-Ethernet Session", "pppoe");
/* Type */
info.name = "Type";
info.abbrev = "pppoe.type";
info.type = FT_UINT8;
type_id = ProtInfo(&info);
/* Code */
info.name = "Code";
info.abbrev = "pppoe.code";
info.type = FT_UINT8;
code_id = ProtInfo(&info);
/* Session ID */
info.name = "Session ID";
info.abbrev = "pppoe.session_id";
info.type = FT_UINT16;
ses_id = ProtInfo(&info);
/* ethernet dependence */
dep.name = "eth";
dep.attr = "eth.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_PPPOES;
ProtDep(&dep);
/* vlan dependence */
dep.name = "vlan";
dep.attr = "vlan.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_PPPOES;
ProtDep(&dep);
/* rule */
/*ProtAddRule("(pppoe.session_id == pkt.pppoe.session_id)");*/
#warning "deadlock"
/* dissectors registration */
ProtDissectors(PppoeDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_dep dep;
pei_cmpt peic;
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("Address Resolution Protocol", "arp");
/* ethernet dependence */
dep.name = "eth";
dep.attr = "eth.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_ARP;
ProtDep(&dep);
dep.name = "eth";
dep.attr = "eth.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_REVARP;
ProtDep(&dep);
/* vlan dependence */
dep.name = "vlan";
dep.attr = "vlan.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_ARP;
ProtDep(&dep);
dep.name = "vlan";
dep.attr = "vlan.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_REVARP;
ProtDep(&dep);
/* PEI components */
peic.abbrev = "mac";
peic.desc = "MAC address";
ProtPeiComponent(&peic);
peic.abbrev = "ip";
peic.desc = "IP address";
ProtPeiComponent(&peic);
/* dissectors registration */
ProtDissectors(ArpDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("Ethernet", "eth");
/* Ethertype */
info.name = "Source Hardware Address";
info.abbrev = "eth.src";
info.type = FT_ETHER;
mac_src_id = ProtInfo(&info);
/* Ethertype */
info.name = "Ethertype";
info.abbrev = "eth.type";
info.type = FT_UINT16;
etype_id = ProtInfo(&info);
/* pcapf */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_EN10MB;
ProtDep(&dep);
/* pol */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_EN10MB;
ProtDep(&dep);
/* llc dependence */
dep.name = "llc";
dep.attr = "llc.type";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_EN10MB;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(EthDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("IEEE 802.11 wireless LAN", "wlan");
/* BSS ID */
info.name = "BSS Id";
info.abbrev = "wlan.bssid";
info.type = FT_ETHER;
bss_id = ProtInfo(&info);
/* dep: pcapf */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_IEEE802_11;
ProtDep(&dep);
/* dep: pol */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_IEEE802_11;
ProtDep(&dep);
/* dep: ppi */
dep.name = "ppi";
dep.attr = "ppi.dlt";
dep.type = FT_UINT32;
dep.val.uint16 = DLT_IEEE802_11;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(Ieee80211Dissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_dep dep;
pei_cmpt peic;
bool hins;
insert_http = FALSE;
if (file_cfg != NULL) {
if (CfgParamBool(file_cfg, "HTTPFD_HTTP_INSERT", &hins) == 0) {
if (hins) {
insert_http = TRUE;
}
}
}
memset(&dep, 0, sizeof(proto_dep));
memset(&peic, 0, sizeof(pei_cmpt));
/* protocol name */
ProtName("Http file download", "httpfd");
/* http dependence */
dep.name = "http";
dep.attr = "http.content_range";
dep.type = FT_STRING;
dep.op = FT_OP_CNTD;
dep.val.str = DMemMalloc(2);
strcpy(dep.val.str, "-");
ProtDep(&dep);
peic.abbrev = "url";
peic.desc = "Uniform Resource Locator";
ProtPeiComponent(&peic);
peic.abbrev = "file";
peic.desc = "File";
ProtPeiComponent(&peic);
peic.abbrev = "range";
peic.desc = "File range";
ProtPeiComponent(&peic);
peic.abbrev = "content_type";
peic.desc = "Content Type";
ProtPeiComponent(&peic);
/* dissectors registration */
ProtDissectors(HttpFdDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_heury_dep hdep;
proto_dep dep;
pei_cmpt peic;
memset(&hdep, 0, sizeof(proto_heury_dep));
memset(&dep, 0, sizeof(proto_dep));
memset(&peic, 0, sizeof(pei_cmpt));
/* protocol name */
ProtName("Telnet", "telnet");
/* hdep: tcp */
hdep.name = "tcp";
hdep.ProtCheck = TelnetCheck;
hdep.pktlim = TELNET_PKT_LIMIT;
ProtHeuDep(&hdep);
/* dep: tcp */
dep.name = "tcp";
dep.attr = "tcp.dstport";
dep.type = FT_UINT16;
dep.val.uint16 = TCP_PORT_TELNET;
dep.ProtCheck = TelnetVerify;
dep.pktlim = TELNET_PKT_LIMIT;
ProtDep(&dep);
/* PEI components */
peic.abbrev = "host";
peic.desc = "Host name or IP";
ProtPeiComponent(&peic);
peic.abbrev = "user";
peic.desc = "User name";
ProtPeiComponent(&peic);
peic.abbrev = "password";
peic.desc = "Password";
ProtPeiComponent(&peic);
peic.abbrev = "cmd";
peic.desc = "Commands";
ProtPeiComponent(&peic);
/* dissectors subdissectors registration */
ProtDissectors(NULL, TelnetDissector, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
family_id = -1;
/* protocol name */
ProtName("Null/Loopback", "null");
/* protocol */
info.name = "family type";
info.abbrev = "null.family";
info.type = FT_UINT32;
family_id = ProtInfo(&info);
/* pcapf dependence */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_NULL;
ProtDep(&dep);
/* pol dependence */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_NULL;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(NullDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("Cisco HDLC", "chdlc");
/* Protocol */
info.name = "Protocol";
info.abbrev = "chdlc.protocol";
info.type = FT_UINT16;
proto_id = ProtInfo(&info);
/* dep: pcapf */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_CHDLC;
ProtDep(&dep);
/* dep: pol */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_CHDLC;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(ChdlcDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_dep dep;
pei_cmpt peic;
memset(&dep, 0, sizeof(proto_dep));
memset(&peic, 0, sizeof(pei_cmpt));
/* protocol name */
ProtName("MMS Message Encapsulation", "mms");
/* http dependence */
dep.name = "http";
dep.attr = "http.content_type";
dep.type = FT_STRING;
dep.op = FT_OP_CNTD;
dep.val.str = DMemMalloc(32);
strcpy(dep.val.str, "application/vnd.wap.mms-message");
ProtDep(&dep);
/* PEI components */
peic.abbrev = "url";
peic.desc = "Uniform Resource Locator";
ProtPeiComponent(&peic);
peic.abbrev = "from";
peic.desc = "Source telephon number";
ProtPeiComponent(&peic);
peic.abbrev = "to";
peic.desc = "Destinaton telephon number";
ProtPeiComponent(&peic);
peic.abbrev = "cc";
peic.desc = "Destinaton telephon number (cc)";
ProtPeiComponent(&peic);
peic.abbrev = "bcc";
peic.desc = "Destinaton telephon number (bcc)";
ProtPeiComponent(&peic);
peic.abbrev = "part";
peic.desc = "Content part";
ProtPeiComponent(&peic);
peic.abbrev = "raw";
peic.desc = "Binary raw fromat";
ProtPeiComponent(&peic);
/* dissectors registration */
ProtDissectors(MmsDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("802.1Q Virtual LAN", "vlan");
/* Tunnel ID */
info.name = "Vlan ID";
info.abbrev = "vlan.id";
info.type = FT_UINT16;
vid_id = ProtInfo(&info);
/* protocol */
info.name = "Ethertype";
info.abbrev = "vlan.type";
info.type = FT_UINT16;
proto_id = ProtInfo(&info);
/* dep: udp */
dep.name = "eth";
dep.attr = "eth.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_VLAN;
ProtDep(&dep);
/* rule */
/*ProtAddRule("(vlan.id == pkt.vlan.id)");*/
#warning "deadlock"
/* dissectors registration */
ProtDissectors(VlanDissector, NULL, NULL, NULL);
return 0;
}
static int GtpDissecRegist(void)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("GPRS Tunneling Protocol", "gtp");
/* tunnel endpoint identifier (TEID) */
info.name = "Tunnel endpoint identifier";
info.abbrev = "gtp.teid";
info.type = FT_UINT32;
tunnel_id = ProtInfo(&info);
/* message type */
info.name = "Message Type";
info.abbrev = "gtp.msg";
info.type = FT_UINT8;
proto_id = ProtInfo(&info);
/* dep: udp */
dep.name = "udp";
dep.attr = "udp.dstport";
dep.type = FT_UINT16;
dep.val.uint16 = UDP_PORT_GTPv1U;
ProtDep(&dep);
/* rule (gtp is a node) */
//ProtAddRule("gtp.teid == pkt.gtp.teid");
/* dissectors registration */
ProtDissectors(GtpDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_dep dep;
pei_cmpt peic;
memset(&dep, 0, sizeof(proto_dep));
memset(&peic, 0, sizeof(pei_cmpt));
/* protocol name */
ProtName("Internet Printing Protocol", "ipp");
/* http dependence */
dep.name = "http";
dep.attr = "http.content_type";
dep.type = FT_STRING;
dep.op = FT_OP_CNTD;
dep.val.str = DMemMalloc(16);
strcpy(dep.val.str, "application/ipp");
ProtDep(&dep);
/* PEI components */
peic.abbrev = "url";
peic.desc = "Uniform Resource Locator";
ProtPeiComponent(&peic);
peic.abbrev = "pdf";
peic.desc = "pdf file";
ProtPeiComponent(&peic);
peic.abbrev = "pcl";
peic.desc = "pcl file";
ProtPeiComponent(&peic);
/* dissectors registration */
ProtDissectors(IppDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
/* protocol name */
ProtName("Internet Protocol", "ip");
/* protocol */
info.name = "Protocol";
info.abbrev = "ip.proto";
info.type = FT_UINT8;
proto_id = ProtInfo(&info);
/* source */
info.name = "Source";
info.abbrev = "ip.src";
info.type = FT_IPv4;
src_id = ProtInfo(&info);
/* destination */
info.name = "Destination";
info.abbrev = "ip.dst";
info.type = FT_IPv4;
dst_id = ProtInfo(&info);
/* packet offset */
info.name = "Packet Offset";
info.abbrev = "ip.offset";
info.type = FT_UINT32;
offset_id = ProtInfo(&info);
#if SNIFFER_EVASION
/* time to live */
info.name = "Time To Live";
info.abbrev = "ip.ttl";
info.type = FT_UINT8;
ttl_id = ProtInfo(&info);
/* identification */
info.name = "Identification";
info.abbrev = "ip.id";
info.type = FT_UINT16;
id_id = ProtInfo(&info);
#endif
/* ethernet dependence */
dep.name = "eth";
dep.attr = "eth.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* llc dependence */
dep.name = "llc";
dep.attr = "llc.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* sll dependence */
dep.name = "sll";
dep.attr = "sll.protocol";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* ppp dependence */
dep.name = "ppp";
dep.attr = "ppp.protocol";
dep.type = FT_UINT16;
dep.val.uint16 = PPP_IP;
ProtDep(&dep);
dep.name = "ppp";
dep.attr = "ppp.protocol";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* pcapf dependence */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_RAW;
ProtDep(&dep);
dep.val.uint16 = DLT_IPV4;
ProtDep(&dep);
/* pol dependence */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_RAW;
ProtDep(&dep);
dep.val.uint16 = DLT_IPV4;
ProtDep(&dep);
/* vlan dependence */
dep.name = "vlan";
dep.attr = "vlan.type";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* chdlc dependence */
dep.name = "chdlc";
dep.attr = "chdlc.protocol";
dep.type = FT_UINT16;
dep.val.uint16 = ETHERTYPE_IP;
ProtDep(&dep);
/* GTP dependence */
dep.name = "gtp";
dep.attr = "gtp.msg";
dep.type = FT_UINT8;
dep.val.uint8 = GTP_MSG_TPDU;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(IpDissector, NULL, NULL, NULL);
return 0;
}
int DissecRegist(const char *file_cfg)
{
proto_info info;
proto_dep dep;
memset(&info, 0, sizeof(proto_info));
memset(&dep, 0, sizeof(proto_dep));
pkttype_id = -1;
hatype_id = -1;
halen_id = -1;
protocol_id = -1;
/* protocol name */
ProtName("Linux cooked-mode capture", "sll");
#if 0
/* packet type */
info.name = "Packet type";
info.abbrev = "sll.pkttype";
info.type = FT_UINT16;
pkttype_id = ProtInfo(&info);
/* link-layer address type */
info.name = "Link-layer address type";
info.abbrev = "sll.hatype";
info.type = FT_UINT16;
hatype_id = ProtInfo(&info);
/* link-layer address length */
info.name = "Link-layer address length";
info.abbrev = "sll.halen";
info.type = FT_UINT16;
halen_id = ProtInfo(&info);
/* link-layer address */
#endif
/* protocol */
info.name = "Protocol type";
info.abbrev = "sll.protocol";
info.type = FT_UINT16;
protocol_id = ProtInfo(&info);
/* pcapf dependence */
dep.name = "pcapf";
dep.attr = "pcapf.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_LINUX_SLL;
ProtDep(&dep);
/* pol dependence */
dep.name = "pol";
dep.attr = "pol.layer1";
dep.type = FT_UINT16;
dep.val.uint16 = DLT_LINUX_SLL;
ProtDep(&dep);
/* dissectors registration */
ProtDissectors(SllDissector, NULL, NULL, NULL);
return 0;
}
