1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 22 /* 23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 24 * Use is subject to license terms. 25 * 26 * Copyright 2011 Nexenta Systems, Inc. All rights reserved. 27 * Copyright 2021 Joyent, Inc. 28 * Copyright 2025 Oxide Computer Company 29 * Copyright 2023 RackTop Systems, Inc. 30 */ 31 32 #ifndef _SNOOP_H 33 #define _SNOOP_H 34 35 #include <rpc/types.h> 36 #include <sys/pfmod.h> 37 #include <sys/time.h> 38 #include <sys/types.h> 39 #include <sys/socket.h> 40 #include <sys/bufmod.h> 41 #include <net/if.h> 42 #include <netinet/in.h> 43 #include <netinet/if_ether.h> 44 #include <netinet/in_systm.h> 45 #include <netinet/ip.h> 46 #include <netinet/ip6.h> 47 #include <netinet/ip_icmp.h> 48 #include <netinet/icmp6.h> 49 #include <net/pppoe.h> 50 #include <libdlpi.h> 51 #include <note.h> 52 53 #ifdef __cplusplus 54 extern "C" { 55 #endif 56 57 /* 58 * Flags to control packet info display 59 */ 60 #define F_NOW 0x00000001 /* display in realtime */ 61 #define F_SUM 0x00000002 /* display summary line */ 62 #define F_ALLSUM 0x00000004 /* display all summary lines */ 63 #define F_DTAIL 0x00000008 /* display detail lines */ 64 #define F_TIME 0x00000010 /* display time */ 65 #define F_ATIME 0x00000020 /* display absolute time */ 66 #define F_RTIME 0x00000040 /* display relative time */ 67 #define F_DROPS 0x00000080 /* display drops */ 68 #define F_LEN 0x00000100 /* display pkt length */ 69 #define F_NUM 0x00000200 /* display pkt number */ 70 #define F_WHO 0x00000400 /* display src/dst */ 71 72 #define MAXLINE (1088) /* max len of detail line */ 73 74 /* 75 * Transient port structure. See TFTP interpreter. 76 */ 77 struct ttable { 78 int t_port; 79 int blksize; 80 int (*t_proc)(int, void *, int); 81 }; 82 83 extern int add_transient(int port, int (*proc)(int, void *, int)); 84 extern struct ttable *is_transient(int port); 85 extern void del_transient(int port); 86 87 /* 88 * The RPC XID cache structure. 89 * When analyzing RPC protocols we 90 * have to cache the xid of the RPC 91 * request together with the program 92 * number, proc, version etc since this 93 * information is missing in the reply 94 * packet. Using the xid in the reply 95 * we can lookup this previously stashed 96 * information in the cache. 97 * 98 * For RPCSEC_GSS flavor, some special processing is 99 * needed for the argument interpretation based on its 100 * control procedure and service type. This information 101 * is stored in the cache table during interpretation of 102 * the rpc header and will be referenced later when the rpc 103 * argument is interpreted. 104 */ 105 #define XID_CACHE_SIZE 256 106 extern struct cache_struct { 107 int xid_num; /* RPC transaction id */ 108 int xid_frame; /* Packet number */ 109 int xid_prog; /* RPC program number */ 110 int xid_vers; /* RPC version number */ 111 int xid_proc; /* RPC procedure number */ 112 unsigned int xid_gss_proc; /* control procedure */ 113 int xid_gss_service; /* none, integ, priv */ 114 } xid_cache[XID_CACHE_SIZE]; 115 116 extern char *tkp, *sav_tkp; 117 extern char *token; 118 extern enum tokentype { 119 EOL, 120 ALPHA, 121 NUMBER, 122 FIELD, 123 ADDR_IP, 124 ADDR_ETHER, 125 SPECIAL, 126 ADDR_IP6, 127 ADDR_AT 128 } tokentype; 129 extern uint_t tokenval; 130 131 enum direction { ANY, TO, FROM }; 132 extern enum direction dir; 133 134 extern int eaddr; /* need ethernet addr */ 135 extern int opstack; /* operand stack depth */ 136 137 /* 138 * The following macros advance the pointer passed to them. They 139 * assume they are given a char *. 140 */ 141 #define GETINT8(v, ptr) { \ 142 (v) = (*(ptr)++); \ 143 } 144 145 #define GETINT16(v, ptr) { \ 146 (v) = *(ptr)++ << 8; \ 147 (v) |= *(ptr)++; \ 148 } 149 150 #define GETINT32(v, ptr) { \ 151 (v) = *(ptr)++ << 8; \ 152 (v) |= *(ptr)++; (v) <<= 8; \ 153 (v) |= *(ptr)++; (v) <<= 8; \ 154 (v) |= *(ptr)++; \ 155 } 156 157 /* 158 * Used to print nested protocol layers. For example, an ip datagram included 159 * in an icmp error, or a PPP packet included in an LCP protocol reject.. 160 */ 161 extern char *prot_nest_prefix; 162 163 extern char *get_sum_line(void); 164 extern char *get_detail_line(int, int); 165 extern int want_packet(uchar_t *, int, int); 166 extern void set_vlan_id(int); 167 extern struct timeval prev_time; 168 extern void process_pkt(struct sb_hdr *, char *, int, int); 169 extern char *getflag(int, int, char *, char *); 170 extern void show_header(char *, char *, int); 171 extern void show_count(void); 172 extern void xdr_init(char *, int); 173 extern char *get_line(int, int); 174 extern int get_line_remain(void); 175 extern char getxdr_char(void); 176 extern char showxdr_char(char *); 177 extern uchar_t getxdr_u_char(void); 178 extern uchar_t showxdr_u_char(char *); 179 extern short getxdr_short(void); 180 extern short showxdr_short(char *); 181 extern ushort_t getxdr_u_short(void); 182 extern ushort_t showxdr_u_short(char *); 183 extern long getxdr_long(void); 184 extern long showxdr_long(char *); 185 extern ulong_t getxdr_u_long(void); 186 extern ulong_t showxdr_u_long(char *); 187 extern longlong_t getxdr_longlong(void); 188 extern longlong_t showxdr_longlong(char *); 189 extern u_longlong_t getxdr_u_longlong(void); 190 extern u_longlong_t showxdr_u_longlong(char *); 191 extern char *getxdr_opaque(char *, int); 192 extern char *getxdr_string(char *, int); 193 extern char *showxdr_string(int, char *); 194 extern char *getxdr_bytes(uint_t *); 195 extern void xdr_skip(int); 196 extern int getxdr_pos(void); 197 extern void setxdr_pos(int); 198 extern char *getxdr_context(char *, int); 199 extern char *showxdr_context(char *); 200 extern enum_t getxdr_enum(void); 201 extern void show_space(void); 202 extern void show_trailer(void); 203 extern char *getxdr_date(void); 204 extern char *showxdr_date(char *); 205 extern char *getxdr_date_ns(void); 206 char *format_time(int64_t sec, uint32_t nsec); 207 extern char *showxdr_date_ns(char *); 208 extern char *getxdr_hex(int); 209 extern char *showxdr_hex(int, char *); 210 extern bool_t getxdr_bool(void); 211 extern bool_t showxdr_bool(char *); 212 extern char *concat_args(char **, int); 213 extern int pf_compile(char *, int); 214 extern void compile(char *, int); 215 extern void load_names(char *); 216 extern void cap_write(struct sb_hdr *, char *, int, int); 217 extern void cap_open_read(const char *); 218 extern void cap_open_write(const char *); 219 extern void cap_open_wr_multi(const char *, size_t, off_t); 220 extern void cap_read(int, int, int, void (*)(), int); 221 extern void cap_close(void); 222 extern boolean_t open_datalink(dlpi_handle_t *, const char *); 223 extern void init_datalink(dlpi_handle_t, ulong_t, ulong_t, struct timeval *, 224 struct Pf_ext_packetfilt *, int direction); 225 extern void net_read(dlpi_handle_t, size_t, int, void (*)(), int); 226 extern void click(int); 227 extern void show_pktinfo(int, int, char *, char *, struct timeval *, 228 struct timeval *, int, int); 229 extern void show_line(char *); 230 /*PRINTFLIKE1*/ 231 extern void show_printf(char *fmt, ...) 232 __PRINTFLIKE(1); 233 extern char *getxdr_time(void); 234 extern char *showxdr_time(char *); 235 extern char *addrtoname(int, const void *); 236 extern char *show_string(const char *, int, int); 237 extern void pr_err(const char *, ...); 238 extern void pr_errdlpi(dlpi_handle_t, const char *, int); 239 extern void check_retransmit(char *, ulong_t); 240 extern char *nameof_prog(int); 241 extern char *getproto(int); 242 extern uint8_t print_ipv6_extensions(int, uint8_t **, uint8_t *, int *, int *); 243 extern void protoprint(int, int, ulong_t, int, int, int, char *, int); 244 extern char *getportname(int, in_port_t); 245 246 extern void interpret_arp(int, struct arphdr *, int); 247 extern void interpret_bparam(int, int, int, int, int, char *, int); 248 extern void interpret_dns(int, int, const uchar_t *, int, int); 249 extern void interpret_mount(int, int, int, int, int, char *, int); 250 extern void interpret_nfs(int, int, int, int, int, char *, int); 251 extern void interpret_nfs3(int, int, int, int, int, char *, int); 252 extern void interpret_nfs4(int, int, int, int, int, char *, int); 253 extern void interpret_nfs4_cb(int, int, int, int, int, char *, int); 254 extern void interpret_nfs_acl(int, int, int, int, int, char *, int); 255 extern void interpret_nis(int, int, int, int, int, char *, int); 256 extern void interpret_nisbind(int, int, int, int, int, char *, int); 257 extern void interpret_nlm(int, int, int, int, int, char *, int); 258 extern void interpret_pmap(int, int, int, int, int, char *, int); 259 extern int interpret_reserved(int, int, in_port_t, in_port_t, char *, int); 260 extern void interpret_rquota(int, int, int, int, int, char *, int); 261 extern void interpret_rstat(int, int, int, int, int, char *, int); 262 extern void interpret_solarnet_fw(int, int, int, int, int, char *, int); 263 extern void interpret_ldap(int, char *, int, int, int); 264 extern void interpret_icmp(int, struct icmp *, int, int); 265 extern void interpret_icmpv6(int, icmp6_t *, int, int); 266 extern int interpret_ip(int, const struct ip *, int); 267 extern int interpret_ipv6(int, const ip6_t *, int); 268 extern int interpret_ppp(int, uchar_t *, int); 269 extern int interpret_pppoe(int, poep_t *, int); 270 struct tcphdr; 271 extern int interpret_tcp(int, struct tcphdr *, int, int); 272 struct udphdr; 273 extern int interpret_udp(int, struct udphdr *, int, int); 274 extern int interpret_esp(int, uint8_t *, int, int); 275 extern int interpret_ah(int, uint8_t *, int, int); 276 struct sctp_hdr; 277 extern void interpret_sctp(int, struct sctp_hdr *, int, int); 278 extern void interpret_mip_cntrlmsg(int, uchar_t *, int); 279 struct dhcp; 280 extern int interpret_dhcp(int, struct dhcp *, int); 281 extern int interpret_dhcpv6(int, const uint8_t *, int); 282 struct tftphdr; 283 extern int interpret_tftp(int, void *, int); 284 extern int interpret_http(int, char *, int); 285 struct ntpdata; 286 extern int interpret_ntp(int, struct ntpdata *, int); 287 extern void interpret_netbios_ns(int, uchar_t *, int); 288 extern void interpret_netbios_datagram(int, uchar_t *, int); 289 extern void interpret_netbios_ses(int, uchar_t *, int); 290 extern int interpret_slp(int, void *, int); 291 struct rip; 292 extern int interpret_rip(int, struct rip *, int); 293 struct rip6; 294 extern int interpret_rip6(int, struct rip6 *, int); 295 extern int interpret_socks_call(int, char *, int); 296 extern int interpret_socks_reply(int, char *, int); 297 extern int interpret_trill(int, struct ether_header **, char *, int *); 298 extern int interpret_isis(int, char *, int, boolean_t); 299 extern int interpret_bpdu(int, char *, int); 300 extern int interpret_vxlan(int, char *, int); 301 extern void init_ldap(void); 302 extern boolean_t arp_for_ether(char *, struct ether_addr *); 303 extern char *ether_ouiname(uint32_t); 304 extern char *tohex(char *p, int len); 305 extern char *printether(struct ether_addr *); 306 extern char *print_ethertype(int); 307 extern const char *arp_htype(int); 308 extern int valid_rpc(char *, int); 309 310 /* 311 * Describes characteristics of the Media Access Layer. 312 * The mac_type is one of the supported DLPI media 313 * types (see <sys/dlpi.h>). 314 * The mtu_size is the size of the largest frame. 315 * network_type_offset is where the network type 316 * is located in the link layer header. 317 * The header length is returned by a function to 318 * allow for variable header size - for ethernet it's 319 * just a constant 14 octets. 320 * The interpreter is the function that "knows" how 321 * to interpret the frame. 322 * try_kernel_filter tells snoop to first try a kernel 323 * filter (because the header size is fixed, or if it could 324 * be of variable size where the variable size is easy for a kernel 325 * filter to handle, for example, Ethernet and VLAN tags) 326 * and only use a user space filter if the filter expression 327 * cannot be expressed in kernel space. 328 */ 329 typedef uint_t (interpreter_fn_t)(int, char *, int, int); 330 typedef uint_t (headerlen_fn_t)(char *, size_t); 331 typedef struct interface { 332 uint_t mac_type; 333 uint_t mtu_size; 334 uint_t network_type_offset; 335 size_t network_type_len; 336 uint_t network_type_ip; 337 uint_t network_type_ipv6; 338 headerlen_fn_t *header_len; 339 interpreter_fn_t *interpreter; 340 boolean_t try_kernel_filter; 341 } interface_t; 342 343 extern interface_t INTERFACES[], *interface; 344 extern char *dlc_header; 345 extern char *src_name, *dst_name; 346 extern char *prot_prefix; 347 extern char *prot_nest_prefix; 348 extern char *prot_title; 349 350 /* Keep track of how many nested IP headers we have. */ 351 extern unsigned int encap_levels, total_encap_levels; 352 353 extern int quitting; 354 extern boolean_t Iflg, Pflg, fflg, rflg; 355 356 /* Packet capture direction. */ 357 #define DIR_INOUT 0 358 #define DIR_IN 1 359 #define DIR_OUT 2 360 361 /* 362 * Global error recovery routine: used to reset snoop variables after 363 * catastrophic failure. 364 */ 365 void snoop_recover(void); 366 367 /* 368 * Global alarm handler structure for managing multiple alarms within 369 * snoop. 370 */ 371 typedef struct snoop_handler { 372 struct snoop_handler *s_next; /* next alarm handler */ 373 time_t s_time; /* time to fire */ 374 void (*s_handler)(); /* alarm handler */ 375 } snoop_handler_t; 376 377 #define SNOOP_MAXRECOVER 20 /* maxium number of recoveries */ 378 #define SNOOP_ALARM_GRAN 3 /* alarm() timeout multiplier */ 379 380 /* 381 * Global alarm handler management routine. 382 */ 383 extern int snoop_alarm(int s_sec, void (*s_handler)()); 384 385 /* 386 * The next two definitions do not take into account the length 387 * of the underlying link header. In order to use them, you must 388 * add link_header_len to them. The reason it is not done here is 389 * that later these macros are used to initialize a table. 390 */ 391 #define IPV4_TYPE_HEADER_OFFSET 9 392 #define IPV6_TYPE_HEADER_OFFSET 6 393 394 #ifdef __cplusplus 395 } 396 #endif 397 398 #endif /* _SNOOP_H */ 399