The AMP Protocol

Authors: A. Mitchell and G. Vigna
November 2002

This document describes the AMP configuration protocol. It is the protocol utilized by the Mnemosyne project to support dynamic configuration.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Version    |   Reserved    |          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Stream Identification                     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   -                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |   Reserved    |           Codeword            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Checksum                            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Variable Length Payload                    -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Version: 8 bits

   The version field indicates the format of the AMP header. The header this document describes is version 0.

Reserved: 8 bits

   This field is reserved for future expansion.

Total Length: 16 bits

   Total Length is the length of the AMP datagram, measured in octets, including the header and payload. This allows a datagram to be 65535 octets in size, though it is unlikely that this size will be necessary.

Stream Identification: 64 bits

   The Stream Identification field, assigned by the sender, is used to uniquely identify a filtered stream.

Type: 8 bits

   This field indicates the type of payload the packet carries. The values for the various packets are as follows:

      0x01  Create Stream
      0x02  Change Filter
      0x04  Change Callback
      0x08  Remove Stream
      0x10  Stream Parameter Control
      0x20  Query Storage

Reserved: 8 bits

   This field is reserved for future expansion.

Codeword: 16 bits

   This field is used to pass additional flags and parameters to a running instance of mnemosyne. Suggested Use: ICMP replies from spoofed addresses.

Checksum: 32 bits

   A checksum on the entire AMP packet. For purposes of computing the checksum, this field is considered zeroed.
   The checksum function is .

Variable Length Payload: variable

0x01 Create Stream

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Filter Payload                         -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Callback Payload                        -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Filter Payload: variable

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |                Payload(filter)                -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type: 8 bits

   The first field is used to identify the type of filter. The values for the various filters are as follows:

      0x01  TCPDump Filter Expression
      0x02  BPF program

Payload(filter): variable

0x01 TCPDump Filter Expression

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Length: 16 bits

   This field specifies the length in octets of the null-terminated string that represents the TCPDump Filter Expression.

Null-terminated String: variable

   This field represents a TCPDump Filter Expression in standard ASCII. The string is terminated by a null (0) character. The first and only null-terminating character must be in the location specified by the length field.

0x02 BPF program

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Instruction Count                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     BPF Instruction Chain                     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Instruction Count: 32 bits

   This field represents the number of instructions that are in the BPF Instruction Chain that immediately follows.
   The actual length of the chain in octets is 8 times this number.

BPF Instruction Chain: variable, multiple of 64 bits

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             code              |      jt       |      jf       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                               k                               *
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   For information regarding these fields, please see a BPF reference.

Callback Payload: variable

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |               Payload(callback)               -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type: 8 bits

   This field is used to determine the manner in which the callback is to be retrieved. The values for the various techniques are as follows:

      0x01  Preloaded .so Fetch
      0x02  Default Handler

Payload(callback): variable

0x01 Preloaded .so Fetch

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Library Name Payload                      -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Function Name Payload                     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Library Name Payload: variable

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Length: 16 bits

   This field specifies the length in octets of the null-terminated string that represents the library filename.

Null-terminated String: variable

   This field represents the library filename in standard ASCII. The string is terminated by a null (0) character. The first and only null-terminating character must be in the location specified by the length field.
Function Name Payload: variable

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Length: 16 bits

   This field specifies the length in octets of the null-terminated string that represents the function name within the library.

Null-terminated String: variable

   This field represents the function name in the library using standard ASCII. The string is terminated by a null (0) character. The first and only null-terminating character must be in the location specified by the length field.

0x02 Default Handler

   This packet does not have any further payload.

0x02 Change Filter

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Filter Payload                         -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Filter Payload: variable, described above

0x04 Change Callback

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Callback Payload                        -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Callback Payload: variable, described above

0x08 Remove Stream

   This packet does not have a Variable Length Payload.

0x10 Stream Parameter Control

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        Cookie Counter         |  Payload(parameters) Chain    -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Cookie Counter: 16 bits

   This field represents the number of cookie-style parameters that are in the Payload(parameters) Chain that immediately follows.
Payload(parameters) Chain: variable

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     *
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Length: 16 bits

   The first field specifies the length in octets of the null-terminated string that represents the parameter name to be changed.

Null-terminated String: variable

   This first field represents the parameter name using standard ASCII. The string is terminated by a null (0) character. The first and only null-terminating character must be in the location specified by the length field.

Length: 16 bits

   The second field specifies the length in octets of the null-terminated string that represents the value to which the parameter is being changed.

Null-terminated String: variable

   This second field represents the value using standard ASCII. The string is terminated by a null (0) character. The first and only null-terminating character must be in the location specified by the length field.

   Valid parameter names and values are specific to the application that is interpreting the protocol.

0x20 Query Storage

   This action ignores the StreamID field.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Length             |    Null-terminated String     -
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Length: 16 bits

   The first field specifies the length in octets of the null-terminated string that represents the query string.

Null-terminated String: variable

   This first string is the TCPDump filter expression to be evaluated over the storage unit.
Length: 16 bits

   The second field specifies the length in octets of the null-terminated string that represents the filename where the query is to be stored.

Null-terminated String: variable

   This second string is the filename where the results of the query are to be stored.
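As an added example, not the authors' code and not part of the Mnemosyne project, the following Python encodes and decodes a Stream Parameter Control (0x10) datagram: the common header defined at the top of this document followed by the Cookie Counter and Payload(parameters) Chain, enforcing the rules the text states (Version 0, Total Length equal to the datagram size, the first and only null exactly at the location given by Length). Assumptions: the checksum algorithm is not given on this page, so the Checksum field is passed through as a caller-supplied value; all function names and the sample parameter names are invented for this illustration.

```python
import struct

# Fixed 20-octet AMP header (big-endian): Version, Reserved, Total Length,
# Stream Identification, Type, Reserved, Codeword, Checksum.
HEADER = struct.Struct("!BBHQBBHI")
AMP_VERSION, STREAM_PARAMETER_CONTROL = 0, 0x10

def pack_string(s):
    """Length (16 bits) followed by the ASCII string and its single null terminator."""
    raw = s.encode("ascii") + b"\x00"
    return struct.pack("!H", len(raw)) + raw

def unpack_string(buf, off):
    """Parse one length-prefixed string; the only null must sit at offset Length-1."""
    if off + 2 > len(buf):
        raise ValueError("truncated Length field")
    (length,) = struct.unpack_from("!H", buf, off)
    raw = buf[off + 2:off + 2 + length]
    if length == 0 or len(raw) != length:
        raise ValueError("string runs past the end of the datagram")
    if raw[-1] != 0 or b"\x00" in raw[:-1]:
        raise ValueError("null terminator is not exactly at Length - 1")
    return raw[:-1].decode("ascii"), off + 2 + length

def build_parameter_control(stream_id, params, codeword=0, checksum=0):
    """Encode a 0x10 datagram; the checksum value is caller-supplied (assumption)."""
    chain = b"".join(pack_string(k) + pack_string(v) for k, v in params)
    body = struct.pack("!H", len(params)) + chain  # Cookie Counter + chain
    hdr = HEADER.pack(AMP_VERSION, 0, HEADER.size + len(body), stream_id,
                      STREAM_PARAMETER_CONTROL, 0, codeword, checksum)
    return hdr + body

def parse_parameter_control(buf):
    """Decode a 0x10 datagram, rejecting anything that violates the field rules."""
    if len(buf) < HEADER.size + 2:
        raise ValueError("datagram shorter than header plus Cookie Counter")
    version, _, total, stream_id, ptype, _, _, _ = HEADER.unpack_from(buf)
    if version != AMP_VERSION or ptype != STREAM_PARAMETER_CONTROL:
        raise ValueError("unsupported version or packet type")
    if total != len(buf):
        raise ValueError("Total Length does not match datagram size")
    (count,) = struct.unpack_from("!H", buf, HEADER.size)
    off, params = HEADER.size + 2, []
    for _ in range(count):
        name, off = unpack_string(buf, off)
        value, off = unpack_string(buf, off)
        params.append((name, value))
    if off != len(buf):
        raise ValueError("trailing octets after the parameter chain")
    return stream_id, params
```

A receiver that performs these checks before acting on a datagram cannot be walked past the end of the buffer by a Length that exceeds Total Length, and treats a string with a misplaced or embedded null as malformed rather than guessing where it ends.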