The Nuff Protocol Layers

The Nuff Protocol Layers

The Nuff Protocol Layers

This is the reference documentation for the protocol layers supported by nuff. For a detailed description of these layers and how to use them, see "nuff doc language".

Layers

  1. eth
  2. ip4
  3. udp
  4. cooked4
  5. icmp4
  6. icmp4/echo
  7. icmp4/timxceed
  8. icmp4/unreach
  9. dns

eth

eth is the nuff layer "Ethernet".

eth is not post-processed.

Initial verifier: (>= (strlen x) 14)

Optional Arguments
SwitchDescriptionDefaultVerifier
-dst"Destination MAC Address""\x00\x00\x00\x00\x00\x00"(= 6 (strlen x))
-src"Source MAC Address""\x00\x00\x00\x00\x00\x00"(= 6 (strlen x))
-type"EtherType""\x08\x00"(= 2 (strlen x))
-data"Data"""(string? x)

Accessors
AccessorCode
dst(substring x 0 6)
src(substring x 6 12)
type(substring x 12 14)
data(substring x 14)

Sub-Layers
LayerTransition Code
>ip4(if (and (>= (strlen x-data) 20) (string=? "\x08\x00" x-type)) x-data)

ip4

ip4 is the nuff layer "Internet Protocol version 4".

ip4 is post-processed by ip4-post.

Initial verifier: (and (>= (strlen x) 20) (= 4 (getint x 0 4)))

Optional Arguments
SwitchDescriptionDefaultVerifier
-tos"Type Of Service"0(<= 0 x 65535)
-ipid"IPID"65535(<= 0 x 65535)
-no-frag"Do Not Fragment Bit"
-more-frags"More Fragments Bit"
-evil-bit"Evil Bit"
-frag-offset"Fragment Offset"0(<= 0 x 4095)
-ttl"Time To Live"64(<= 0 x 255)
-proto"Protocol"ip-proto-tcp(<= 0 x 255)
-src"Source IP Address""0.0.0.0"(inet-aton x)
-dst"Destination IP Address""0.0.0.0"(inet-aton x)
-data"Data"""(string? x)

Accessors
AccessorCode
tos(getint x 8 8)
ipid(getint x 32 16)
no-frag(getint x 49 1)
more-frags(getint x 50 1)
evil-bit(getint x 51 1)
frag-offset(getint x 52 12)
ttl(getint x 64 8)
proto(getint x 72 8)
src(inet-ntoa (substring x 12 16))
dst(inet-ntoa (substring x 16 20))
data(substring x (* (getint x 4 4) 4))

Sub-Layers
LayerTransition Code
>icmp4(if (and (>= (strlen x-data) 4) (= x-proto ip-proto-icmp)) x-data)
>udp(if (and (>= (strlen x-data) 8) (= x-proto ip-proto-udp)) x-data)

udp

udp is the nuff layer "User Datagram Protocol".

udp is not post-processed.

Initial verifier: (>= (strlen x) 8)

Optional Arguments
SwitchDescriptionDefaultVerifier
-sp"Source Port"0(<= 0 x 65535)
-dp"Destination Port"0(<= 0 x 65535)
-data"Data"""(string? x)

Accessors
AccessorCode
sp(getint x 0 16)
dp(getint x 16 16)
data(substring x 8)

Sub-Layers
LayerTransition Code
>dns(if (> (strlen x-data) 12) x-data)

cooked4

cooked4 is the nuff layer "IPv4 Cooked Format".

cooked4 is not post-processed.

Initial verifier: (>= (strlen x) 6)

Optional Arguments
SwitchDescriptionDefaultVerifier
-remote"Remote IP Address""0.0.0.0"(inet-aton x)
-remoteport"Remote Port"0(<= 0 x 65535)
-data"Data"""(string? x)

Accessors
AccessorCode
remote(inet-ntoa (substring x 0 4))
remoteport(getint x 32 16)
data(substring x 6)

Sub-Layers
LayerTransition Code
>dns(if (> (strlen x-data) 12) x-data)

icmp4

icmp4 is the nuff layer "Internet Control Message Protocol for IPv4".

icmp4 is not post-processed.

Optional Arguments
SwitchDescriptionDefaultVerifier
-type"ICMP Type"icmp-type-echo-request(<= 0 x 255)
-code"ICMP Code"0(<= 0 x 255)
-data"Data"""(string? x)

Accessors
AccessorCode
type(getint x 0 8)
code(getint x 8 8)
data(substring x 4)

Sub-Layers
LayerTransition Code
>icmp4/echo(if (>= (strlen x-data) 4) x-data)
>icmp4/timxceed(if (and (= x-type 11) (>= (strlen x-data) 24)) x-data)
>icmp4/unreach(if (and (= x-type 3) (>= (strlen x-data) 24)) x-data)

icmp4/echo

icmp4/echo is the nuff layer "ICMP Echo Request".

icmp4/echo is not post-processed.

Optional Arguments
SwitchDescriptionDefaultVerifier
-id"ICMP Echo ID"0(<= 0 x 65535)
-seq"ICMP Echo Sequence"0(<= 0 x 65535)
-data"ICMP Echo Data"""(string? x)

Accessors
AccessorCode
id(getint x 0 16)
seq(getint x 16 16)

Sub-Layers
LayerTransition Code

icmp4/timxceed

icmp4/timxceed is the nuff layer "ICMP Time Exceeded".

icmp4/timxceed is not post-processed.

Optional Arguments
SwitchDescriptionDefaultVerifier
-data"ICMP Time Exceeded Data"""(string? x)

Accessors
AccessorCode
data(substring x 4)

Sub-Layers
LayerTransition Code
>ip4(if (>= (strlen x-data) 20) x-data)

icmp4/unreach

icmp4/unreach is the nuff layer "ICMP Unreachable".

icmp4/unreach is not post-processed.

Optional Arguments
SwitchDescriptionDefaultVerifier
-data"ICMP Unreachable Data"""(string? x)

Accessors
AccessorCode
data(substring x 4)

Sub-Layers
LayerTransition Code
>ip4(if (>= (strlen x-data) 20) x-data)

dns

dns is the nuff layer "Domain Name System".

dns is not post-processed.

Initial verifier: (>= (strlen x) 12)

Optional Arguments
SwitchDescriptionDefaultVerifier
-id"DNS ID"(random 65536)(<= 0 x 65535)
-response"Is it a Response (ie not a Query)"
-opcode"Opcode"0(<= 0 x 15)
-aa"Authoritative Answer"
-tc"Truncated?"
-rd"Recursion Desired"
-ra"Recursion Available"
-errcode"Error return code"0(<= 0 x 15)
-question"DNS Question (host dns-type)"()(valid-dns-question? x)
-answers"DNS Answers ((host dns-type data ttl))"()(and (list? x) (true-for-all valid-dns-resource? x))
-auths"DNS Authoritative records ((host dns-type data ttl))"()(and (list? x) (true-for-all valid-dns-resource? x))
-additionals"DNS Additional records ((host dns-type data ttl))"()(and (list? x) (true-for-all valid-dns-resource? x))

Accessors
AccessorCode
id(getint x 0 16)
response(getint x 16 1)
opcode(getint x 17 4)
aa(getint x 21 1)
tc(getint x 22 1)
rd(getint x 23 1)
ra(getint x 24 1)
errcode(getint x 28 4)
numquestions(getint x 32 16)
numanswers(getint x 48 16)
numauths(getint x 64 16)
numadditionals(getint x 80 16)
dnsrecords(parse-dns-records x x-numquestions x-numanswers x-numauths x-numadditionals)
question(if (null? (car x-dnsrecords)) () (caar x-dnsrecords))
answers(cadr x-dnsrecords)
auths(caddr x-dnsrecords)
additionals(cadddr x-dnsrecords)

Sub-Layers
LayerTransition Code

All material is © Doug Hoyte and/or HCSW Labs unless otherwise noted or implied.