| 1 | Writing decoder modules for libpacketdump |
|---|
| 2 | ========================================= |
|---|
| 3 | |
|---|
| 4 | libpacketdump can be used to decode and print packet structure. This can be |
|---|
| 5 | useful for debugging (network protocols, or your own libtrace programs), or |
|---|
| 6 | just to look at the internals of the packets you are seeing to better |
|---|
| 7 | understand how things work. |
|---|
| 8 | |
|---|
| 9 | It has a modular design such that each decoder is only responsible for |
|---|
| 10 | its specific part of the packet. It decodes the information it knows about, |
|---|
| 11 | then control is passed to the decoder that understands the next part of the |
|---|
| 12 | packet. Code only needs to be written once for each part, and then decoders |
|---|
| 13 | are mixed and matched as appropriate depending on the structure and content |
|---|
| 14 | of the packet. |
|---|
| 15 | |
|---|
| 16 | These modules can be constructed in two ways: |
|---|
| 17 | |
|---|
| 18 | * as C code within a shared library |
|---|
| 19 | * as a plain text description of the field sizes and types |
|---|
| 20 | |
|---|
| 21 | Each modules filename is constructed based on the part of the packet it deals |
|---|
| 22 | with. The bit before the underscore describes the part of the packet it follows |
|---|
| 23 | on from, while the bit after the underscore describes what it actually is. |
|---|
| 24 | Shared libraries end in .so, and plain text files end in .protocol. All these |
|---|
| 25 | files must reside in DIRNAME (by default /usr/local/lib/libpacketdump/). |
|---|
| 26 | |
|---|
| 27 | |
|---|
| 28 | Writing a decoder module as a shared library |
|---|
| 29 | -------------------------------------------- |
|---|
| 30 | |
|---|
| 31 | TODO |
|---|
| 32 | |
|---|
| 33 | |
|---|
| 34 | |
|---|
| 35 | Writing a decoder module as plain text |
|---|
| 36 | -------------------------------------- |
|---|
| 37 | |
|---|
| 38 | These files have a very simple format that mimics the layout of the headers |
|---|
| 39 | seen in the packets. Each line of the file represents a single field in the |
|---|
| 40 | header, or describes the header that follows this one. For them to be found |
|---|
| 41 | by the parser they must have a .protocol extension. |
|---|
| 42 | |
|---|
| 43 | A .protocol file might look something like this: |
|---|
| 44 | |
|---|
| 45 | be16 integer "FOO Src port" |
|---|
| 46 | be16 integer "FOO Dst port" |
|---|
| 47 | be8 hex "FOO type" |
|---|
| 48 | be24 integer "FOO other" |
|---|
| 49 | next "foo" "FOO type" |
|---|
| 50 | |
|---|
| 51 | All lines in the file are one of these two types: |
|---|
| 52 | |
|---|
| 53 | Field description: <byteorder> <size> <displaytype> <name> |
|---|
| 54 | Next header: next <nextheader prefix> <nextheader fieldname> |
|---|
| 55 | |
|---|
| 56 | |
|---|
| 57 | <byteorder> |
|---|
| 58 | Fields in packet headers can be in big endian or little endian form; most are |
|---|
| 59 | in big endian. Specify 'be' for big endian fields or 'le' for little endian |
|---|
| 60 | fields. This ensures they are displayed correctly. |
|---|
| 61 | |
|---|
| 62 | <size> |
|---|
| 63 | The width of the field in bits. For example, addresses in the IP header are |
|---|
| 64 | 32 bits, while ports in the UDP/TCP headers are 16 bits. |
|---|
| 65 | |
|---|
| 66 | <display type> |
|---|
| 67 | This determines how the data is treated when it is displayed. Valid values are: |
|---|
| 68 | integer - displays the data as an integer value |
|---|
| 69 | hex - displays the data as a hexadecimal value |
|---|
| 70 | ipv4 - displays the data as an IPV4 address in dotted quad form |
|---|
| 71 | mac - displays the data as a MAC address as colon separated hexadecimals |
|---|
| 72 | flag - displays the field name if the data is true, nothing otherwise |
|---|
| 73 | hidden - does not get displayed |
|---|
| 74 | |
|---|
| 75 | <name> |
|---|
| 76 | A string literal used as a prefix when printing the field value, and as an |
|---|
| 77 | identifier to be referenced by the nextheader option (if present). |
|---|
| 78 | |
|---|
| 79 | <nextheader prefix> |
|---|
| 80 | A string literal used as a prefix to the filename describing where to find |
|---|
| 81 | information on decoding the header that follows this one. It usually describes |
|---|
| 82 | the current level at which the packet is being decoded such as "eth" or "ip". |
|---|
| 83 | |
|---|
| 84 | <nextheader fieldname> |
|---|
| 85 | The string literal used as the name of the field whose value determines what |
|---|
| 86 | the next header should be. The value of this field gets appended to the prefix |
|---|
| 87 | (after an underscore) to create the basename of the file describing the next |
|---|
| 88 | header. For example, in the IP header the next header is described by the value |
|---|
| 89 | of the protocol field, and so the name used for the protocol field should be |
|---|
| 90 | given here. If a TCP packet is being decoded, the value of the protocol field |
|---|
| 91 | will be '6' and this is used to construct the next file name. |
|---|
| 92 | |
|---|
