-
Notifications
You must be signed in to change notification settings - Fork 1
/
fp_tcp.h
95 lines (60 loc) · 3.6 KB
/
fp_tcp.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
/*
p0f - TCP/IP packet matching
----------------------------
Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
Distributed under the terms and conditions of GNU LGPL.
*/
#ifndef _HAVE_FP_TCP_H
#define _HAVE_FP_TCP_H
#include "types.h"
/* Simplified data for signature matching and NAT detection: */
struct tcp_sig {
u32 opt_hash; /* Hash of opt_layout & opt_cnt */
u32 quirks; /* Quirks */
u8 opt_eol_pad; /* Amount of padding past EOL */
u8 ip_opt_len; /* Length of IP options */
s8 ip_ver; /* -1 = any, IP_VER4, IP_VER6 */
u8 ttl; /* Actual TTL */
s32 mss; /* Maximum segment size (-1 = any) */
u16 win; /* Window size */
u8 win_type; /* WIN_TYPE_* */
s16 wscale; /* Window scale (-1 = any) */
s8 pay_class; /* -1 = any, 0 = zero, 1 = non-zero */
u16 tot_hdr; /* Total header length */
u32 ts1; /* Own timestamp */
u64 recv_ms; /* Packet recv unix time (ms) */
/* Information used for matching with p0f.fp: */
struct tcp_sig_record* matched; /* NULL = no match */
u8 fuzzy; /* Approximate match? */
u8 dist; /* Distance */
};
/* Methods for matching window size in tcp_sig: */
#define WIN_TYPE_NORMAL 0x00 /* Literal value */
#define WIN_TYPE_ANY 0x01 /* Wildcard (p0f.fp sigs only) */
#define WIN_TYPE_MOD 0x02 /* Modulo check (p0f.fp sigs only) */
#define WIN_TYPE_MSS 0x03 /* Window size MSS multiplier */
#define WIN_TYPE_MTU 0x04 /* Window size MTU multiplier */
/* Record for a TCP signature read from p0f.fp: */
struct tcp_sig_record {
u8 generic; /* Generic entry? */
s32 class_id; /* OS class ID (-1 = user) */
s32 name_id; /* OS name ID */
u8* flavor; /* Human-readable flavor string */
u32 label_id; /* Signature label ID */
u32* sys; /* OS class / name IDs for user apps */
u32 sys_cnt; /* Length of sys */
u32 line_no; /* Line number in p0f.fp */
u8 bad_ttl; /* TTL is generated randomly */
struct tcp_sig* sig; /* Actual signature data */
};
#include "process.h"
struct packet_data;
struct packet_flow;
void tcp_register_sig(u8 to_srv, u8 generic, s32 sig_class, u32 sig_name,
u8* sig_flavor, u32 label_id, u32* sys, u32 sys_cnt,
u8* val, u32 line_no);
struct tcp_sig* fingerprint_tcp(u8 to_srv, struct packet_data* pk,
struct packet_flow* f);
void fingerprint_sendsyn(struct packet_data* pk);
void check_ts_tcp(u8 to_srv, struct packet_data* pk, struct packet_flow* f);
#endif /* _HAVE_FP_TCP_H */