Packet decoding in Snort 3
In the previous sections, we have seen how the encapsulation and decapsulation process works, and the role of packet decoding from an IDS/IPS point of view. In this section, we will look at how this is done in Snort 3, where the functionality is implemented by the codecs module: one codec per protocol layer, chained so that each codec parses its own header and hands the remaining data to the next.
Once a packet has been acquired by the DAQ layer, its data is processed and analyzed by the appropriate codecs in turn. When the data link layer is Ethernet, the first codec to analyze the packet is EthCodec, which parses the 14-byte Ethernet header. The Ethernet header specifies the encapsulated network protocol in its type field (2 bytes); the hex value 0x0800 indicates IPv4. If this is the case, the next codec to handle the packet data is the IPv4 codec. Within the IPv4 header, the transport layer protocol is specified by the protocol field (1 byte). Note that the IPv4 header is variable length: its IHL field gives the header length in 32-bit words, so the codec must use IHL rather than a fixed 20-byte offset to locate the start of the transport header, and must reject headers whose IHL or total length exceed the bytes actually present. The common values for transport...
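As an added example (not Snort's own code), the following Python mirrors the codec chain just described: an Ethernet decoder playing the role of EthCodec reads the type field, dispatches to an IPv4 decoder when the type is 0x0800, and the IPv4 decoder uses IHL and the total length to bound the header and extract the 1-byte protocol field. The sample frame is constructed inline with struct.pack (an Ethernet/IPv4/TCP SYN, not a real capture), the protocol-name table is an assumption listing only a few common values, and the error strings and function names are ours.

```python
import struct

ETHERTYPE_IPV4 = 0x0800  # Ethernet type value for IPv4, as on the page
ETH_HDR_LEN = 14         # dst MAC (6) + src MAC (6) + type (2)
IPV4_MIN_HDR_LEN = 20    # IHL = 5 words; the header can be longer if options are present

# Assumed lookup table for a few common IPv4 protocol numbers (not from the page).
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


class DecodeError(ValueError):
    """Raised when a header is truncated or internally inconsistent."""


def decode_eth(frame: bytes) -> dict:
    """Role of EthCodec: parse the fixed Ethernet header and expose the payload."""
    if len(frame) < ETH_HDR_LEN:
        raise DecodeError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "type": ethertype, "payload": frame[ETH_HDR_LEN:]}


def decode_ipv4(data: bytes) -> dict:
    """Role of the IPv4 codec: parse the header, honouring IHL and total length."""
    if len(data) < IPV4_MIN_HDR_LEN:
        raise DecodeError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:IPV4_MIN_HDR_LEN])
    version = ver_ihl >> 4
    hdr_len = (ver_ihl & 0x0F) * 4          # IHL is in 32-bit words
    if version != 4:
        raise DecodeError("not an IPv4 header")
    if hdr_len < IPV4_MIN_HDR_LEN or hdr_len > len(data):
        raise DecodeError("bad IHL")
    if total_len < hdr_len or total_len > len(data):
        raise DecodeError("bad total length")
    return {"version": version, "hdr_len": hdr_len, "ttl": ttl,
            "protocol": proto,                 # the 1-byte protocol field
            "protocol_name": IP_PROTO_NAMES.get(proto, "other"),
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": data[hdr_len:total_len]}  # start of the transport header


def decode_frame(frame: bytes) -> dict:
    """Chain the codecs: Ethernet first, then IPv4 only if the type field says 0x0800."""
    eth = decode_eth(frame)
    result = {"eth": eth, "ipv4": None}      # None: no codec for this type here
    if eth["type"] == ETHERTYPE_IPV4:
        result["ipv4"] = decode_ipv4(eth["payload"])
    return result


def decode_error(frame: bytes):
    """Return the DecodeError message for a frame, or None if it decodes cleanly."""
    try:
        decode_frame(frame)
    except DecodeError as exc:
        return str(exc)
    return None


def build_sample_frame() -> bytes:
    """Constructed sample: Ethernet / IPv4 / TCP SYN (checksums left zero)."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + len(tcp), 1, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return eth + ip + tcp


if __name__ == "__main__":
    decoded = decode_frame(build_sample_frame())
    print("ethertype=0x%04x" % decoded["eth"]["type"], decoded["ipv4"])
    print("truncated:", decode_error(build_sample_frame()[:30]))
```

The two length checks in decode_ipv4 are the part worth copying: a decoder that trusts IHL or total length without comparing them to the bytes it actually holds will read past the buffer on a crafted packet, which is exactly the class of bug an IDS decoder cannot afford.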