SPRUI30H November 2015 – May 2024 DRA745 , DRA746 , DRA750 , DRA756
The activity of the static packet filter is logged by the intrusion event logger. Based on the configuration, the event logger writes specific fields of the incoming packet that violate a particular rule to the system memory for software diagnostics.
The logging module allows controlling the frequency at which events are logged to the memory. A set of nine counters are provided and, of these, eight can be mapped to any address of the rule engine’s instruction RAM using map registers. This mapping logically associates the log information with the instruction that caused the packet to be dropped. The 9th counter is not associated with any particular instruction and it can be used to count the packets that were dropped at instructions not mapped to any of the other eight counters.
For each of the nine counters, there is a register to store the minimum number of attacks that must be detected before any information is logged to memory. Only when this threshold is met and logging is enabled, the host interface module writes log data in system memory. The memory area used to log is specified by the host in the SPF_LOG_BEGIN address and SPF_LOG_END address registers.
The event logger continues to write data to memory until it runs out of space and the log overwrite is disabled. With each update of the log, the SPF_LOG_HWPTR is updated. This information can be used by the host to determine how much data has been logged. The software in turn keeps the SPF_LOG_SWPTR updated to inform the SPF about the next address from where information will be read by the host software. It is required that software program correct value of SPF_LOG_END address to enable hardware to determine roll-over location. The SPF considers all space before the SPF_LOG_SWPTR as available for logging. In case SPF_CONTROL[9] SPF_LOGOW_EN control bit is set, SPF ignores SPF_LOG_SWPTR and logs data irrespective of software read log status. Note that the memory space allocated for logging is a multiple of four 32-bit words and end address SPF_LOG_END should be loaded with byte address of the next byte following the last log entry. For example if 16 bytes space is allocated for SPF logging from address 0x1400_0000, then SPF_LOG_BEGIN should be 0x1400_0000 and SPF_LOG_END should be 0x1400_0010.
The host software must set SPF_CONTROL[8] SPF_LOG_EN bit to activate logging. The setting of SPF_LOG_EN bit has no effect on the threshold based counters and they are always active. In addition to the log counters, SPF has one master drop count register (SPF_DROPCNT) which tracks the total number of packets dropped thus far. This counter does not roll over and must be cleared for re-run by the host processor once it reaches the maximum value.
The format in which packet information is written in the memory by the event logger is shown in Table 24-890 and Table 24-891.
| Drop Code | - | - | Protocol |
| Source IP Address | |||
| Destination IP Address | |||
| Source TCP/UDP Port | Destination TCP/UDP Port | ||
| Drop Code | - | - | Protocol |
| Source IP Address | |||
| Destination IP Address | |||
| Type | Code | Checksum | |
Each entry logged to memory has a drop code associated with it. The drop code is the address in instruction memory that actually triggered the drop. Up to eight drop codes can be monitored in this manner. In addition to drop code, the protocol, IP addresses and source/destination ports associated with the dropped packet are recorded.
Log data can be supplied by either Extractor module or by Rule engine. The SPF_CONTROL[3] SPF_RULE_LOG bit must be set to use log data from Rule Engine and cleared to use data supplied by the Extractor.
When logging is done through the Rule Engine, contents of internal registers R4-R7 are written to memory. The format of packet information stored can be programmed in the rule engine except for the drop code field which is static and cannot be changed. The format in which rule engine information is written in the memory by the event logger is shown in Table 24-892.
| Drop Code | Register 4[23:0] | ||
| Register 5[31:0] | |||
| Register 6[31:0] | |||
| Register 7[31:0] | |||
The rule engine programming must ensure that these registers contain all required information that is to be recorded before the packet drop instruction is executed. As soon as the drop instruction is executed, the logging module starts to send data from the registers R4, R5, R6 and R7 to the system memory and is not possible to modify the contents of these registers.