Packet Decoding
Packet decoding is the process of inspecting and interpreting the protocol headers in a network packet. Every packet consists of a stack of encapsulation headers in addition to the data it carries. When Snort analyzes an HTTP request, it decodes each layer that encapsulates the request in turn, starting from the outermost and working inward: Ethernet, then IPv4, then TCP. Each header handles a different aspect of the communication. For example, the Internet Protocol (IP) header carries what is needed to move the packet from one host (IP address) to another, whereas the transport header (TCP here) identifies the endpoint applications by port number and, in TCP's case, provides reliable, ordered delivery. Each header also tells the decoder where the next layer begins (the Ethernet type field, the IPv4 header length and protocol fields, the TCP data offset), and a decoder must check those fields against the number of bytes actually captured before trusting them, since a truncated or forged header is exactly what must not be read past. In this chapter, we will study how Snort analyzes and decodes the various packet headers. We will also investigate how the packet decoding module is structured, the important data structures, and how the...
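The layer-by-layer decode described above, written out as an added example (this is not Snort's own decoder, and the frame it parses is constructed for illustration, not a real capture). It peels Ethernet II, then IPv4, then TCP off a single buffer, validating every header length against the bytes remaining before it moves inward, and reports which layer rejected the packet when the data is truncated:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of peeling Ethernet -> IPv4 -> TCP off one frame. */
typedef struct {
    uint16_t eth_type;
    uint8_t  ip_proto;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    const uint8_t *payload;   /* first byte after the TCP header */
    size_t payload_len;
} decoded_t;

/* Header fields are big-endian (network byte order); read them explicitly. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode one frame. Every header length is checked against the bytes actually
 * captured before it is trusted. Returns 0 on success, -1 short Ethernet header,
 * -2 not IPv4, -3 bad IPv4 header, -4 not TCP, -5 bad TCP header. */
int decode_frame(const uint8_t *pkt, size_t len, decoded_t *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;                       /* Ethernet II header */
    out->eth_type = rd16(pkt + 12);
    if (out->eth_type != 0x0800) return -2;        /* only IPv4 handled here */

    const uint8_t *ip = pkt + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -3;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;       /* header length incl. options */
    size_t tot = rd16(ip + 2);                     /* IP total length */
    if (ihl < 20 || ihl > rem || tot < ihl || tot > rem) return -3;
    rem = tot;          /* ignore Ethernet padding beyond the IP datagram */
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->ip_proto != 6) return -4;             /* only TCP handled here */

    const uint8_t *tcp = ip + ihl;
    rem -= ihl;
    if (rem < 20) return -5;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;      /* data offset incl. options */
    if (doff < 20 || doff > rem) return -5;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->payload = tcp + doff;
    out->payload_len = rem - doff;
    return 0;
}

/* Constructed sample frame (not a real capture): Ethernet II, IPv4 from
 * 192.168.1.10 to 93.184.216.34, TCP 50000 -> 80 carrying "GET / HTTP/1.1\r\n". */
static const uint8_t kSample[] = {
    /* Ethernet: dst MAC, src MAC, type 0x0800 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/IHL 0x45, total length 56, id 1, DF, TTL 64, proto 6, checksum zeroed */
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,
    /* TCP: sport 50000, dport 80, seq 1, ack 0, doff 5, PSH|ACK, window, cksum, urg */
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    /* application data */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','1','\r','\n',
};

/* Decode only the first n bytes of the sample, to exercise truncation handling. */
int decode_rc(size_t n)
{
    decoded_t d;
    return decode_frame(kSample, n < sizeof kSample ? n : sizeof kSample, &d);
}

/* Fully decoded view of the sample frame. */
decoded_t sample(void)
{
    decoded_t d;
    decode_frame(kSample, sizeof kSample, &d);
    return d;
}

int main(void)
{
    decoded_t d = sample();
    printf("eth_type=0x%04x proto=%u %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u payload=%zu bytes\n",
           d.eth_type, d.ip_proto,
           (unsigned)(d.src_ip >> 24), (unsigned)((d.src_ip >> 16) & 0xff),
           (unsigned)((d.src_ip >> 8) & 0xff), (unsigned)(d.src_ip & 0xff), d.src_port,
           (unsigned)(d.dst_ip >> 24), (unsigned)((d.dst_ip >> 16) & 0xff),
           (unsigned)((d.dst_ip >> 8) & 0xff), (unsigned)(d.dst_ip & 0xff), d.dst_port,
           d.payload_len);
    printf("frame truncated to 40 bytes -> rc %d\n", decode_rc(40));
    return 0;
}
```

The point of the `rem` bookkeeping is that the IPv4 total length and the TCP data offset come from the packet itself; a decoder that indexes by them without first comparing them to the captured length can be walked off the end of its buffer by a single crafted or cut-off frame.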