Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-RELEASE FreeBSD 15.0-RELEASE and Ports FreeBSD 15.0-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 15.0 FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.2.0 Debian 12.12.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.2 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.2 macOS 15.7.3 macOS 14.8.3 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.7 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.3 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.2 NetBSD 7.1.2 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.2.3 NetBSD 5.2 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.8 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

LIBNIDS(3)		   Library Functions Manual		    LIBNIDS(3)

NAME
       libnids - network intrusion detection system E-box library

SYNOPSIS
       #include	<nids.h>

       extern struct nids_prm nids_params;
       extern char nids_errbuf[];

       int
       nids_init(void);

       void
       nids_register_ip_frag(void (*ip_frag_func)(struct ip *pkt, int len));

       void
       nids_unregister_ip_frag(void (*ip_frag_func)(struct ip *pkt, int	len));

       void
       nids_register_ip(void (*ip_func)(struct ip *pkt,	int len));

       void
       nids_unregister_ip(void (*ip_func)(struct ip *pkt, int len));

       void
       nids_register_udp(void (*udp_func)(struct tuple4	*addr, u_char *data, int len, struct ip	*pkt));

       void
       nids_unregister_udp(void	(*udp_func)(struct tuple4 *addr, u_char	*data, int len,	struct ip *pkt));

       void
       nids_register_tcp(void (*tcp_func)(struct tcp_stream *ts, void **param));

       void
       nids_unregister_tcp(void	(*tcp_func)(struct tcp_stream *ts, void	**param));

       void
       nids_killtcp(struct tcp_stream *ts);

       void
       nids_discard(struct tcp_stream *ts, int numbytes);

       void
       nids_run(void);

       int
       nids_dispatch(int cnt);

       int
       nids_next(void);

       int
       nids_getfd(void);

       int
       nids_register_chksum_ctl(struct nids_chksum_ctl *, int);

       void
       nids_pcap_handler(u_char	*par, struct pcap_pkthdr *hdr, u_char *data);

       struct tcp_stream *
       nids_find_tcp_stream(struct tuple4 *addr);

DESCRIPTION
       libnids	provides  the  functionality  of a network intrusion detection
       system (NIDS) E-box component. It currently performs:

	    1. IP defragmentation
	    2. TCP stream reassembly
	    3. TCP port	scan detection

       libnids performs	TCP/IP reassembly in exactly the  same	way  as	 Linux
       2.0.36 kernels, and correctly handles all of the	attacks	implemented in
       fragrouter(8) (plus many	other attacks as well).

ROUTINES
       nids_init() initializes the application for sniffing, based on the val-
       ues set in the global variable nids_params, declared as follows:

       struct nids_prm {
	    int	 n_tcp_streams;
	    int	 n_hosts;
	    char *device;
	    char *filename;
	    int	 sk_buff_size;
	    int	 dev_addon;
	    void (*syslog)(int type, int err, struct ip	*iph, void *data);
	    int	 syslog_level;
	    int	 scan_num_hosts;
	    int	 scan_num_ports;
	    int	 scan_delay;
	    void (*no_mem)(void);
	    int	 (*ip_filter)(struct ip	*iph);
	    char *pcap_filter;
	    int	 promisc;
	    int	 one_loop_less;
	    int	 pcap_timeout;
	    int	 multiproc;
	    int	 queue_limit;
	    int	 tcp_workarounds;
	    pcap_t    *pcap_desc;
       } nids_params;

       The members of this structure are:

       n_tcp_streams
	      Size  of the hash	table used for storing TCP connection informa-
	      tion ( a maximum of 3/4 *	n_tcp_streams TCP connections will  be
	      followed simultaneously).	Default	value: 1024

       n_hosts
	      Size  of	the hash table used for	storing	IP defragmentation in-
	      formation. Default value:	256

       filename
	      It this variable is set,	libnids	 will  call  pcap_open_offline
	      with    this    variable	  as	the   argument	 (instead   of
	      pcap_open_live()). Default value:	NULL

       device Interface	to monitor. Default value: NULL	(in which case an  ap-
	      propriate	 device	is determined automatically). If this variable
	      is assigned value	all, libnids will attempt to  capture  packets
	      on all interfaces	(which works on	Linux only)

       sk_buff_size
	      Size  of struct sk_buff (used for	queuing	packets), which	should
	      be set to	match the value	on the hosts being monitored.  Default
	      value: 168

       dev_addon
	      Number of	bytes in struct	sk_buff	reserved for link-layer	infor-
	      mation.  Default	value: -1 (in which case an appropriate	offset
	      if determined automatically based	on link-layer type)

       syslog Syslog callback function,	used  to  report  unusual  conditions,
	      such  as	port scan attempts, invalid TCP	header flags, etc. De-
	      fault value: nids_syslog	(which	logs  messages	via  syslog(3)
	      without regard for message rate per second or free disk space)

       syslog_level
	      Log  level  used	by  nids_syslog	 for reporting events via sys-
	      log(3). Default value: LOG_ALERT

       scan_num_hosts
	      Size of hash table used for storing  portscan  information  (the
	      maximum  number portscans	that will be detected simultaneously).
	      If set to	0, portscan detection will be disabled.	Default	value:
	      256

       scan_num_ports
	      Minimum number of	ports that  must  be  scanned  from  the  same
	      source host before it is identifed as a portscan.	Default	value:
	      10

       scan_delay
	      Maximum delay (in	milliseconds) between connections to different
	      ports  for  them to be identified	as part	of a portscan. Default
	      value: 3000

       no_mem Out-of-memory callback function, used to terminate  the  calling
	      process gracefully.

       ip_filter
	      IP  filtering  callback function,	used to	selectively discard IP
	      packets, inspected after reassembly. If the function  returns  a
	      non-zero	value,	the packet is processed; otherwise, it is dis-
	      carded. Default value: nids_ip_filter (which always returns 1)

       pcap_filter
	      pcap(3) filter string applied to the link-layer  (raw,  unassem-
	      bled)  packets.  Note: filters like ``tcp	dst port 23'' will NOT
	      correctly	handle appropriately fragmented	traffic,  e.g.	8-byte
	      IP fragments; one	should add "or (ip[6:2]	& 0x1fff != 0)"	at the
	      end of the filter	to process reassembled packets.	Default	value:
	      NULL

       promisc
	      If  non-zero, libnids will set the interface(s) it listens on to
	      promiscuous mode.	Default	value: 1

       one_loop_less
	      Disabled by default; see comments	in API.html file

       pcap_timeout
	      Sets the pcap read timeout, which	may or may not be supported by
	      your platform.  Default value: 1024.

       multiproc
	      If nonzero, creates a separate thread  for  packets  processing.
	      See API.html.  Default value: 0.

       queue_limit
	      If  multiproc  is	nonzero, this is the maximum number of packets
	      queued in	the thread which reads packets from  libpcap.  Default
	      value: 20000

       tcp_workarounds
	      Enables  extra  checks for faulty	implementations	of TCP such as
	      the ones which allow connections to be closed despite  the  fact
	      that  there should be retransmissions for	lost packets first (as
	      stated by	RFC 793, section 3.5).	If non-zero, libnids will  set
	      the  NIDS_TIMED_OUT  state  for savagely closed connections. De-
	      fault value: 0

       pcap_desc
	      It  this	variable   is	set,   libnids	 will	call   neither
	      pcap_open_live  nor pcap_open_offline, but will use a pre-opened
	      PCAP descriptor; use this	with nids_pcap_handler() in  order  to
	      interactively feed packets to libnids. Default value: NULL

       Returns	1 on success, 0	on failure (in which case nids_errbuf contains
       an appropriate error message).

       nids_register_ip_frag() registers a user-defined	callback  function  to
       process	all  incoming IP packets (including IP fragments, packets with
       invalid checksums, etc.).

       nids_unregister_ip_frag() unregisters a user-defined callback  function
       to process all incoming IP packets.

       nids_register_ip()   registers  a  user-defined	callback  function  to
       process IP packets validated and	reassembled by libnids.

       nids_unregister_ip() unregisters	a user-defined	callback  function  to
       process IP packets.

       nids_register_udp()  registers  a  user-defined	callback  function  to
       process UDP packets validated and reassembled by	libnids.

       nids_unregister_udp() unregisters a user-defined	callback  function  to
       process UDP packets.

       nids_register_tcp()  registers  a  user-defined	callback  function  to
       process	TCP  streams  validated	 and  reassembled  by	libnids.   The
       tcp_stream structure is defined as follows:

       struct tcp_stream {
	    struct tuple4 {
		 u_short source;
		 u_short   dest;
		 u_int	   saddr;
		 u_int	   daddr;
	    } addr;
	    char	   nids_state;
	    struct half_stream {
		 char state;
		 char collect;
		 char collect_urg;
		 char *data;
		 u_char	   urgdata;
		 int  count;
		 int  offset;
		 int  count_new;
		 char count_new_urg;
		 ...
	    } client;
	    struct half_stream	server;
	    ...
	    void	   *user;
       };

       The members of the tuple4 structure identify a unique TCP connection:

       source, dest
	      Client and server	port numbers

       saddr, daddr
	      Client and server	IP addresses

       The  members  of	 the half_stream structure describe each half of a TCP
       connection (client and server):

       state  Socket state (e.g. TCP_ESTABLISHED).

       collect
	      A	boolean	which specifies	whether	to collect data	for this  half
	      of the connection	in the data buffer.

       collect_urg
	      A	boolean	which specifies	whether	to collect urgent data pointed
	      to  by the TCP urgent pointer for	this half of the connection in
	      the urgdata buffer.

       data   Buffer for normal	data.

       urgdata
	      One-byte buffer for urgent data.

       count  The number of bytes appended to data since the creation  of  the
	      connection.

       offset The  current  offset  from  the  first  byte  stored in the data
	      buffer, identifying the start of newly received data.

       count_new
	      The number of bytes appended to data since the  last  invocation
	      of the TCP callback function (if 0, no new data arrived).

       count_new_urg
	      The  number  of bytes appended to	urgdata	since the last invoca-
	      tion of the TCP callback function	(if 0, no new urgent data  ar-
	      rived).

       The  value of the nids_state field provides information about the state
       of the TCP connection, to be used by the	TCP callback function:

       NIDS_JUST_EST
	      Connection just established. Connection parameters in  the  addr
	      structure	are available for inspection. If the connection	is in-
	      teresting,  the  TCP callback function may specify which data it
	      wishes to	receive	in the future by setting non-zero  values  for
	      the  collect  or collect_urg variables in	the appropriate	client
	      or server	half_stream structure members.

       NIDS_DATA
	      New data has arrived on a	connection. The	half_stream structures
	      contain buffers of data.

       NIDS_CLOSE, NIDS_RESET, NIDS_TIMED_OUT
	      Connection has closed. The TCP callback function should free any
	      resources	it may have allocated for this connection.

       The param pointer passed	by libnids as argument	to  the	 TCP  callback
       function	 may  be set to	save a pointer to user-defined connection-spe-
       cific data to pass to subsequent	invocations of the TCP callback	 func-
       tion  (ex. the current working directory	for an FTP control connection,
       etc.).

       The user	pointer	in the tcp_stream structure has	the same  purpose  ex-
       cept it is global to the	stream,	whereas	the param pointer is different
       from  one  callback  function to	the other even though they were	called
       for the same stream.

       nids_unregister_tcp() unregisters a user-defined	callback  function  to
       process TCP streams.

       nids_killtcp()  tears  down the specified TCP connection	with symmetric
       RST packets between client and server.

       nids_discard() may be called from the TCP callback function to  specify
       the  number  of	bytes to discard from the beginning of the data	buffer
       (updating the offset value accordingly) after the TCP callback function
       exits. Otherwise, the new data (totalling count_new bytes) will be dis-
       carded by default.

       nids_run() starts the packet-driven application,	reading	packets	in  an
       endless	loop, and invoking registered callback functions to handle new
       data as it arrives. This	function does not return.

       nids_dispatch() attempts	to process cnt packets before returning,  with
       a  cnt of -1 understood as all packets available	in one pcap buffer, or
       all packets in a	file when reading offline.  On	success,  returns  the
       count  of  packets processed, which may be zero upon EOF	(offline read)
       or upon hitting pcap_timeout (if	supported by your platform).  On fail-
       ure, returns -1,	putting	an appropriate error message in	nids_errbuf.

       nids_next() process the next available packet  before  returning.   Re-
       turns  1	 on success, 0 if no packet was	processed, setting nids_effbuf
       appropriately if	an error prevented packet processing.

       nids_getfd() may	be used	by an application  sleeping  in	 select(2)  to
       snoop  for a socket file	descriptor present in the read fd_set. Returns
       the file	descriptor on success, -1 on failure (in which	case  nids_er-
       rbuf contains an	appropriate error message).

       nids_register_chksum_ctl()  takes  as  arguments	 an  array  of	struct
       nids_chksum_ctl elements	and the	number of elements in  the  array.   A
       nids_chksum_ctl element is defined as follows:

       struct nids_chksum_ctl {
	    u_int netaddr;
	    u_int mask;
	    u_int action;
	    /* private members */
       };

       Internal	checksumming functions will first check	elements of this array
       one  by one, and	if the source ip SRCIP of the current packet satisfies
       condition

	      (SRCIP&chksum_ctl_array[i].mask)==chksum_ctl_array[i].netaddr

       then if	the action field is NIDS_DO_CHKSUM, the	packet will be	check-
       summed; if the action field is NIDS_DONT_CHKSUM,	the packet will	not be
       checksummed.  If	the packet matches none	of the array elements, the de-
       fault action is to perform checksumming.

       nids_pcap_handler()  may	 be  used  by an application already running a
       capture with libpcap, in	order to pass frames to	libnids	 interactively
       (frame per frame) instead of having libnids itself do the capture.

       nids_find_tcp_stream()  returns	a  pointer to the tcp_stream structure
       corresponding to	the tuple passed as argument if	 libnids  knows	 about
       this TCP	connection already, otherwise it returns NULL.

       nids_free_tcp_stream()  removes	the  given tcp_stream from the list of
       streams tracked by libnids.  Warning: its usage can result in  crashes!
       See comments in the API.html file.

SEE ALSO
       pcap(3),	libnet(3), fragrouter(8)

AUTHOR
       Rafal Wojtczuk <nergal@icm.edu.pl>

       Manpage by Dug Song <dugsong@monkey.org>, minor updates by Michael Pom-
       raning <mjp@pilcrow.madison.wi.us>

								    LIBNIDS(3)

---

NAME | SYNOPSIS | DESCRIPTION | ROUTINES | SEE ALSO | AUTHOR

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=libnids&sektion=3&manpath=FreeBSD+Ports+15.0>

home | help

---

Legal Notices | © 1995-2026 The FreeBSD Project. All rights reserved.

Contact