创建

16 files changed, 1897 insertions, 0 deletions

diff --git a/src/Makefile b/src/Makefile
new file mode 100644
index 0000000..0b7f212
--- /dev/null
+++ b/src/Makefile
@@ -0,0 +1,28 @@
+CC = gcc
+CCC = g++
+CFLAGS = -Wall -g -fPIC -I ./inc/
+
+#LIBS += /opt/MESA/lib/libdigapis.a
+LIBS += -Bdynamic -lMESA_handle_logger -lMESA_prof_load -ldigapis
+
+OBJ = T2_HTTP_DIG_BIZ.o
+TARGET = T2_HTTP_DIG_BIZ.so
+SOURCES = T2_HTTP_DIG_BIZ.cpp
+
+all: $(TARGET)
+
+.c.o:
+	$(CC) -c $(CFLAGS) $(INC) $(abspath $<)
+.cpp.o:
+	$(CCC) -c $(CFLAGS) $(INC)  $<
+
+$(TARGET): $(OBJ)
+	$(CCC) -o $@ $(OBJ) $(CFLAGS) $(LDFLAGS) $(LIBS) -shared
+	cp $(TARGET) ../bin/T2_HTTP_DIG_BIZ.so
+	@awk '/VERSION/{print $$2}' $(SOURCES) |xargs -i  echo -e "make \033[32;49;1m$@({})\033[32;49;0m \033[31;49;1m[success]\033[31;49;0m"
+
+clean:
+	rm -rf $(OBJ) $(TARGET)
+
+.PHONY:clean
+
diff --git a/src/T2_HTTP_DIG_BIZ.cpp b/src/T2_HTTP_DIG_BIZ.cpp
new file mode 100644
index 0000000..1f38505
--- /dev/null
+++ b/src/T2_HTTP_DIG_BIZ.cpp
@@ -0,0 +1,201 @@
+#include <iconv.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/time.h>
+#include <arpa/inet.h>
+
+#include "T2_HTTP_DIG_BIZ.h"
+
+static const char *module_name = "T2_HTTP_DIG_BIZ";
+static const char *t2_biz_conf_file = "./t2conf/T2_HTTP_DIG_BIZ.conf";
+
+static char T2_HTTP_DIG_BIZ_VERSION_20190121 = 0;
+static g_http_dig_biz_info_t g_http_dig_biz_info;
+
+static int init_t2_dig_context(t2_digapis_context_t **param, soq_protocol_t proto, int thread_seq)
+{
+	t2_digapis_context_t *pme;
+
+	pme = (t2_digapis_context_t *)calloc(1, sizeof(t2_digapis_context_t));
+	*param = pme;
+	return 0;
+}
+
+static void destroy_t2_dig_context(t2_digapis_context_t *pme)
+{
+	int ret;
+	digapis_error_msg dig_emsg;
+	digapis_detector_result result;
+
+	ret = digapis_detector_thread_init();
+	if(ret < 0)
+	{
+		MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_thread_init error", __FILE__, __LINE__);
+	}
+	
+	memset(&result, 0, sizeof(digapis_detector_result));
+	result.is_ipv4 = pme->is_ipv4;
+	snprintf(result.sip, 128, "%s", pme->sip);
+	snprintf(result.dip, 128, "%s", pme->dip);
+	result.sport = pme->sport;
+	result.dport = pme->dport;
+    MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_INFO, module_name, "<%s>%d: HTTP stream.", __FILE__, __LINE__);
+
+	ret = digapis_detector_process_request((const unsigned char*)pme->request, pme->request_len, &result, &dig_emsg);
+	if(ret != 0)
+	{
+		MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_process_request error! request_msg:%s", __FILE__, __LINE__, pme->request);
+	}
+	else
+	{
+		if(result.request_category_1 != 0)
+		{
+			ret = digapis_detector_process_response((const unsigned char*)pme->request, pme->request_len, (const unsigned char*)pme->response, pme->response_len, &result, &dig_emsg);
+			if(ret != 0)
+			{
+				MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_process_response error! response_msg:%s", __FILE__, __LINE__, pme->response);
+			}
+			else
+			{
+				MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_INFO, module_name, "<%s>%d: digapis_detector_process_response success.", __FILE__, __LINE__);
+			}
+		}
+	}
+	free(pme);
+	pme = NULL;
+}
+
+int T2_HTTP_DIGAPI_ENTRY(stSessionInfo* session_info, void **param, int thread_seq, struct streaminfo *a_stream, void *a_packet)
+{
+	t2_digapis_context_t *pme = (t2_digapis_context_t *)*param;
+	http_infor* http_info = (http_infor*)session_info->app_info;
+
+	if(NULL == session_info)
+	{
+		destroy_t2_dig_context(pme);
+		*param = NULL;
+		MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "session_info is NULL");
+		return PROT_STATE_DROPME;
+	}
+
+	if(session_info->session_state&SESSION_STATE_PENDING)
+	{
+		if((init_t2_dig_context(&pme, PROTO_HTTP, thread_seq)) < 0)
+		{
+			MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "init_process_context failed ...");
+			return PROT_STATE_DROPME;
+		}
+		*param = pme;
+		if(ADDR_TYPE_IPV4 == a_stream->addr.addrtype)
+		{
+			pme->is_ipv4 = 1;
+			inet_ntop(AF_INET, &(((struct stream_tuple4_v4*)a_stream->addr.tuple4_v4)->saddr), pme->sip, 128);
+			inet_ntop(AF_INET, &(((struct stream_tuple4_v4*)a_stream->addr.tuple4_v4)->daddr), pme->dip, 128);
+			pme->sport = ntohs(((struct stream_tuple4_v4*)a_stream->addr.tuple4_v4)->source);
+			pme->dport = ntohs(((struct stream_tuple4_v4*)a_stream->addr.tuple4_v4)->dest);
+		}
+		if(ADDR_TYPE_IPV6 == a_stream->addr.addrtype)
+		{
+			pme->is_ipv4 = 0;
+			inet_ntop(AF_INET6, ((struct stream_tuple4_v6*)a_stream->addr.tuple4_v6)->saddr, pme->sip, 128);
+			inet_ntop(AF_INET6, ((struct stream_tuple4_v6*)a_stream->addr.tuple4_v6)->daddr, pme->dip, 128);
+			pme->sport = ntohs(((struct stream_tuple4_v6*)a_stream->addr.tuple4_v6)->source);
+			pme->dport = ntohs(((struct stream_tuple4_v6*)a_stream->addr.tuple4_v6)->dest);
+		}
+	}
+
+	if(HTTP_REQ_LINE == session_info->prot_flag && (pme->request_len+session_info->buflen+2)< REQUEST_MAX_LENGTH)
+	{
+		memcpy(pme->request+pme->request_len, session_info->buf, session_info->buflen);
+		pme->request_len += session_info->buflen;
+		memcpy(pme->request+pme->request_len, "\r\n", 2);
+		pme->request_len += 2;
+	}
+	if(HTTP_RES_LINE == session_info->prot_flag &&(pme->response_len+session_info->buflen+2)<RESPONSE_MAX_LENGTH)
+	{
+		memcpy(pme->response+pme->response_len, session_info->buf, session_info->buflen);
+		pme->response_len += session_info->buflen;
+		memcpy(pme->response+pme->response_len, "\r\n", 2);
+		pme->response_len += 2;
+	}
+	if(HTTP_UNGZIP_CONTENT == session_info->prot_flag && 0x01 == a_stream->curdir && (pme->request_len+session_info->buflen+4)< REQUEST_MAX_LENGTH)
+	{
+		memcpy(pme->request+pme->request_len, "\r\n", 2);
+		pme->request_len += 2;
+		memcpy(pme->request+pme->request_len, session_info->buf, session_info->buflen);
+		pme->request_len += session_info->buflen;
+		memcpy(pme->request+pme->request_len, "\r\n", 2);
+		pme->request_len += 2;
+	}
+	if(HTTP_UNGZIP_CONTENT == session_info->prot_flag && 0x02 == a_stream->curdir && (pme->response_len+session_info->buflen+4)<RESPONSE_MAX_LENGTH)
+	{
+		memcpy(pme->response+pme->response_len, "\r\n", 2);
+		pme->response_len += 2;
+		memcpy(pme->response+pme->response_len, session_info->buf, session_info->buflen);
+		pme->response_len += session_info->buflen;
+		memcpy(pme->response+pme->response_len, "\r\n", 2);
+		pme->response_len += 2;
+	}
+
+	if(http_info->append_infor.contlen > 0)
+	{
+		if(http_info->curdir == 1 && (pme->request_len+http_info->append_infor.contlen+2)< REQUEST_MAX_LENGTH)
+		{
+			memcpy(pme->request+pme->request_len, http_info->append_infor.content, http_info->append_infor.contlen);
+			pme->request_len += http_info->append_infor.contlen;
+			memcpy(pme->request+pme->request_len, "\r\n", 2);
+			pme->request_len += 2;
+		}
+		else if((pme->response_len+http_info->append_infor.contlen+2)<RESPONSE_MAX_LENGTH)
+		{
+			memcpy(pme->response+pme->response_len, http_info->append_infor.content, http_info->append_infor.contlen);
+			pme->response_len += http_info->append_infor.contlen;
+			memcpy(pme->response+pme->response_len, "\r\n", 2);
+			pme->response_len += 2;
+		}
+	}
+
+	if((session_info->session_state&SESSION_STATE_CLOSE))
+	{	
+		destroy_t2_dig_context(pme);
+		*param = NULL;
+	}
+	return PROT_STATE_GIVEME;
+}
+
+int T2_HTTP_DIG_BIZ_INIT(void)
+{
+	digapis_detector_cfg dig_cfg;
+	digapis_error_msg dig_emsg;
+
+	memset(&g_http_dig_biz_info, 0, sizeof(g_http_dig_biz_info_t));
+	
+	MESA_load_profile_int_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_RLOG_LV", &g_http_dig_biz_info.run_rlog_lv, 10);
+	MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "RUN_LOG_PATH", g_http_dig_biz_info.run_log_path, MAX_PATH_LEN, "./t2log/T2_HTTP_DIG_BIZ.log");
+
+	g_http_dig_biz_info.run_log_handle =  MESA_create_runtime_log_handle(g_http_dig_biz_info.run_log_path, g_http_dig_biz_info.run_rlog_lv);
+	if(g_http_dig_biz_info.run_log_handle == NULL)
+	{
+		printf("<%s>%d: MESA_create_runtime_log_handle failed ...\n", __FILE__, __LINE__);
+		return -1;
+	}
+
+	memset(&dig_cfg, 0, sizeof(digapis_detector_cfg));
+	MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_URL", dig_cfg.es_url, MAX_PATH_LEN, "http://elastic:[email protected]:39200/");
+	MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_INDEX", dig_cfg.es_index, 128, "aiids_tcp_");
+	MESA_load_profile_string_def(t2_biz_conf_file, "HTTP_BIZ", "ES_DOC_TYPE", dig_cfg.es_doc_type, 128, "vulnerability");
+
+	int ret = digapis_detector_init(&dig_cfg, &dig_emsg);
+	if(ret != 0)
+	{
+		MESA_handle_runtime_log(g_http_dig_biz_info.run_log_handle, RLOG_LV_FATAL, module_name, "<%s>%d: digapis_detector_init error", __FILE__, __LINE__);
+		return -1;
+	}
+	return 0;
+}
+
+void T2_HTTP_DIG_BIZ_DESTROY()
+{
+
+}
+
diff --git a/src/T2_HTTP_DIG_BIZ.h b/src/T2_HTTP_DIG_BIZ.h
new file mode 100644
index 0000000..aa3f144
--- /dev/null
+++ b/src/T2_HTTP_DIG_BIZ.h
@@ -0,0 +1,53 @@
+#ifndef __GIVEN_TROJAN_DIG_H__
+#define __GIVEN_TROJAN_DIG_H__
+
+#include <MESA/http.h>
+#include <MESA/MESA_prof_load.h>
+#include <MESA/MESA_handle_logger.h>
+#include <soq/t2_public.h>
+#include <stdlib.h>
+#include <time.h>
+#include <netinet/in.h>  
+#include <sys/socket.h>  
+#include <sys/types.h>  
+#include <arpa/inet.h>
+
+extern "C"{
+#include "inc/digapis_detector.h"
+}
+
+#define	MAX_PATH_LEN 256
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+typedef struct _g_http_dig_biz_info
+{
+	int 	run_rlog_lv;
+	char 	run_log_path[MAX_PATH_LEN];
+	void *	run_log_handle;
+}g_http_dig_biz_info_t;
+
+typedef struct _t2_digapis_context
+{
+	int is_ipv4;
+	char sip[128];
+	UINT16 sport;
+	char dip[128];
+	UINT16 dport;
+	int request_len;
+	char request[REQUEST_MAX_LENGTH];
+	int response_len;
+	char response[RESPONSE_MAX_LENGTH];
+}t2_digapis_context_t;
+
+int T2_HTTP_DIGAPI_ENTRY(stSessionInfo* session_info, void **param, int thread_seq, struct streaminfo *a_tcp, void *a_packet);
+int T2_HTTP_DIG_BIZ_INIT(void);
+void T2_HTTP_DIG_BIZ_DESTROY(void);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
diff --git a/src/T2_HTTP_DIG_BIZ.o b/src/T2_HTTP_DIG_BIZ.o
new file mode 100644
index 0000000..5c5eee2
--- /dev/null
+++ b/src/T2_HTTP_DIG_BIZ.o
diff --git a/src/T2_HTTP_DIG_BIZ.so b/src/T2_HTTP_DIG_BIZ.so
new file mode 100644
index 0000000..90eaeec
--- /dev/null
+++ b/src/T2_HTTP_DIG_BIZ.so
diff --git a/src/inc/digapis_detector.h b/src/inc/digapis_detector.h
new file mode 100644
index 0000000..aef98ea
--- /dev/null
+++ b/src/inc/digapis_detector.h
@@ -0,0 +1,166 @@
+/*
+ * flow.h
+ *
+ *  Created on: 2019-04-19
+ *      Author: peiyuefeng
+ */
+
+#include <stdint.h>
+#include <inttypes.h>
+#include <unistd.h>
+
+
+// 请求体建议最大长度,单位:byte,过长影响性能 
+#define  REQUEST_MAX_LENGTH   5120 
+
+// 响应体建议最大长度,单位:byte,过长影响性能  
+#define RESPONSE_MAX_LENGTH  5120
+
+
+/*
+ * 引擎初使化结构体
+ */
+typedef struct _digapis_detector_cfg {
+    int    debug_flag;    // 调试标记
+    char   log_path[1024];     // 日志目录，存放日志文件
+    char   work_path[1024];    // 工作目录，存放依赖的配置文件
+    char   es_url[1024];    // es url: http://username:password@[ip|host]:port/ , !!强制以/结尾
+    char   es_index[128];    // es index name
+    char   es_doc_type[128];    // es doc type
+} digapis_detector_cfg;
+
+/*
+ * 攻击检测结果
+ */
+typedef struct _digapis_detector_result {
+    char sip[128];                    // HTTP请求源IP
+    char dip[128];                    // HTTP请求目标IP
+    uint16_t is_ipv4;                 // 0:is ipv4,     1:is ipv6
+    uint16_t sport;                  // HTTP请求源端口
+    uint16_t dport;                  // HTTP请求目标端口
+    uint16_t request_category_1;        // 攻击类型1, 0: normal 正常流量
+    uint16_t request_category_2;        // 攻击类型2, 0: normal 正常流量
+    uint16_t response_category;         // 攻击类别3, 0: attack_failed 攻击失败
+    uint16_t reserved1;                     // 预留
+    uint16_t reserved2;                     // 预留
+} digapis_detector_result;
+
+
+#define DIGAPIS_ERR_MSG_LEN 1024
+/*
+ * 错误信息结构体
+ */
+typedef struct _digapis_error_msg {
+    char msg[DIGAPIS_ERR_MSG_LEN];
+} digapis_error_msg ;
+
+/*
+ * 告警结构体
+ */
+typedef struct _digapis_attack_alert  {
+    uint64_t attack_timestamp;       // 攻击时间戳
+    uint64_t rec_timestamp;          // 记录时间戳
+    uint32_t sip;                    // HTTP请求源IP
+    uint32_t dip;                    // HTTP请求目标IP
+    uint16_t sport;                  // HTTP请求源端口
+    uint16_t dport;                  // HTTP请求目标端口
+    uint16_t protocol;               // 协议，固定填7， 预留, 
+    uint16_t request_category1;      // 攻击类别1
+    uint16_t request_category2;      // 攻击类别2
+    uint16_t response_category;      // 攻击类别3
+    uint16_t reserved1;              // 预留
+    uint16_t reserved2;              // 预留
+    uint16_t request_len;            // request长度
+    uint16_t response_len;           // response长度
+} digapis_attack_alert;
+
+
+/*
+ *   description:
+ *       引擎初使化
+ *   parameters:
+ *       cfg: digapis_detector_cfg*
+ *           初使化设置
+ *       error_msg: digapis_error_msg
+ *           出错后，返回错误信息
+ *   return value: int
+ *       初使化是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_init(digapis_detector_cfg* cfg, digapis_error_msg* error_msg);
+
+/*
+ *   description: 
+ *     初使化线程资源
+ *   return value: int
+ *       初使化是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_thread_init();
+
+/*
+ *   description: 
+ *     线程资源释放
+ *   return value: int
+ *       初使化是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_thread_free();
+
+/*
+ *   description:
+ *       关闭引擎,释放资源
+ *   parameters:
+ *       error_msg: digapis_error_msg
+ *           出错后，返回错误信息
+ *   return value: int
+ *       初使化是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_close(digapis_error_msg* error_msg);
+
+/*
+ *   description:
+ *       对request进行攻击检测， 返回攻击类型request_category1, request_category2.  【线程安全】
+ *   parameters:
+ *       request:  const unsigned char*
+ *           http请求体
+ *       request_len: unsigned int
+ *           http请求体长度
+ *       result: digapis_detector_result *
+ *           返回攻击检测结果, 当前步骤只检测request,修改request_category1, request_category2.
+ *       error_msg: digapis_error_msg*
+ *           出错后，返回错误信息
+ *   return value:
+ *       检测是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_process_request(const unsigned char* request, unsigned int request_len, 
+        digapis_detector_result* result, digapis_error_msg* error_msg);
+
+
+/*
+ *   description:
+ *       依据request的检测结果，对response进行检测，返回category_level3.   【线程安全】
+ *   parameters:
+ *       response: const unsigned char*
+ *           http响应体
+ *       response_len: unsigned int
+ *           http响应体长度
+ *       result: digapis_detector_result*
+ *           返回攻击检测结果，当前步骤将根据request_category1, request_category2, 对response进行检测,修改response_category.
+ *       error_msg: digapis_error_msg*
+ *           出错后，返回错误信息
+ *   return value:
+ *       检测是否成功
+ *       0：成功
+ *       1：失败
+ */
+int digapis_detector_process_response(const unsigned char* request, unsigned int request_len, 
+        const unsigned char* response, unsigned int response_len, 
+        digapis_detector_result* result, digapis_error_msg* error_msg);
diff --git a/src/inc/http.h b/src/inc/http.h
new file mode 100644
index 0000000..f4cb7f3
--- /dev/null
+++ b/src/inc/http.h
@@ -0,0 +1,234 @@
+#ifndef HTTP_H_
+#define HTTP_H_
+
+#define    HTTP_H_VERSION_4_20160429     	0
+//20150320 add ifdef
+
+#ifndef uchar
+typedef unsigned char           uchar;
+#endif
+#ifndef int64
+typedef long long               int64;
+#endif
+#ifndef uint8
+typedef unsigned char           uint8;
+#endif
+#ifndef uint64
+typedef unsigned long long      uint64;
+#endif
+#ifndef uint32
+typedef unsigned int            uint32;
+#endif
+#ifndef uint16
+typedef unsigned short          uint16;
+#endif
+
+/*interest region*/
+typedef enum
+{
+	/*#http_special1*/
+	HTTP_INTEREST_KEY_MASK=0,		
+	HTTP_ALL_MASK,
+	HTTP_OTHER_REGIONS_MASK,
+	HTTP_STATE_MASK,
+	HTTP_REQ_LINE_MASK,
+	HTTP_RES_LINE_MASK,	
+	HTTP_CONTENT_MASK,             
+	HTTP_UNGZIP_CONTENT_MASK,
+	HTTP_MESSAGE_URL_MASK,
+	HTTP_URI_MASK,
+
+	/*#http_request*/
+	HTTP_HOST_MASK,	
+	HTTP_REFERER_MASK,
+	HTTP_USER_AGENT_MASK,
+	HTTP_COOKIE_MASK,
+	HTTP_PROXY_AUTHORIZATION_MASK,
+	HTTP_AUTHORIZATION_MASK,
+	
+	/*#http_response*/	
+	HTTP_LOCATION_MASK,
+	HTTP_SERVER_MASK,
+	HTTP_ETAG_MASK,
+
+	/*#http_general*/	
+	HTTP_DATE_MASK,
+	HTTP_TRAILER_MASK,
+	HTTP_TRANSFER_ENCODING_MASK,
+	HTTP_VIA_MASK,
+	HTTP_PRAGMA_MASK,
+	HTTP_CONNECTION_MASK,
+
+	/*#http_content*/	
+	HTTP_CONT_ENCODING_MASK,
+	HTTP_CONT_LANGUAGE_MASK,
+	HTTP_CONT_LOCATION_MASK,	
+	HTTP_CONT_DISPOSITION_MASK,
+	HTTP_CONT_RANGE_MASK,
+	HTTP_CONT_LENGTH_MASK,
+	HTTP_CONT_TYPE_MASK,
+	HTTP_CHARSET_MASK,
+	HTTP_EXPIRES_MASK,
+	HTTP_X_FLASH_VERSION_MASK,	
+	HTTP_TRANSFER_LENGTH_MASK,
+
+	HTTP_REGION_NUM=36,	
+}interested_region_mask;
+/*HTTP_REGION_NUM=36*/
+#define HTTP_INTEREST_KEY				((long long)1<<HTTP_INTEREST_KEY_MASK)
+#define HTTP_ALL						((long long)1<<HTTP_ALL_MASK)
+#define HTTP_OTHER_REGIONS				((long long)1<<HTTP_OTHER_REGIONS_MASK)
+#define HTTP_STATE						((long long)1<<HTTP_STATE_MASK)
+#define HTTP_REQ_LINE					((long long)1<<HTTP_REQ_LINE_MASK)
+#define HTTP_RES_LINE					((long long)1<<HTTP_RES_LINE_MASK)
+#define HTTP_CONTENT					((long long)1<<HTTP_CONTENT_MASK)
+#define HTTP_UNGZIP_CONTENT				((long long)1<<HTTP_UNGZIP_CONTENT_MASK)
+#define HTTP_MESSAGE_URL				((long long)1<<HTTP_MESSAGE_URL_MASK)
+#define HTTP_URI						((long long)1<<HTTP_URI_MASK)
+
+#define HTTP_HOST						((long long)1<<HTTP_HOST_MASK)
+#define HTTP_REFERER					((long long)1<<HTTP_REFERER_MASK)
+#define HTTP_USER_AGENT					((long long)1<<HTTP_USER_AGENT_MASK)
+#define HTTP_COOKIE						((long long)1<<HTTP_COOKIE_MASK)
+#define HTTP_PROXY_AUTHORIZATION		((long long)1<<HTTP_PROXY_AUTHORIZATION_MASK)
+#define HTTP_AUTHORIZATION				((long long)1<<HTTP_AUTHORIZATION_MASK)
+
+#define HTTP_LOCATION					((long long)1<<HTTP_LOCATION_MASK)
+#define HTTP_SERVER						((long long)1<<HTTP_SERVER_MASK)
+#define HTTP_ETAG 						((long long)1<<HTTP_ETAG_MASK)
+
+#define HTTP_DATE 						((long long)1<<HTTP_DATE_MASK)
+#define HTTP_TRAILER 					((long long)1<<HTTP_TRAILER_MASK)
+#define HTTP_TRANSFER_ENCODING			((long long)1<<HTTP_TRANSFER_ENCODING_MASK)
+#define HTTP_VIA						((long long)1<<HTTP_VIA_MASK)
+#define HTTP_PRAGMA						((long long)1<<HTTP_PRAGMA_MASK)
+#define HTTP_CONNECTION 				((long long)1<<HTTP_CONNECTION_MASK)
+
+#define HTTP_CONT_ENCODING 				((long long)1<<HTTP_CONT_ENCODING_MASK)
+#define HTTP_CONT_LANGUAGE 				((long long)1<<HTTP_CONT_LANGUAGE_MASK)
+#define HTTP_CONT_LOCATION 				((long long)1<<HTTP_CONT_LOCATION_MASK)
+#define HTTP_CONT_RANGE 				((long long)1<<HTTP_CONT_RANGE_MASK)
+#define HTTP_CONT_LENGTH 				((long long)1<<HTTP_CONT_LENGTH_MASK)
+#define HTTP_CONT_TYPE 					((long long)1<<HTTP_CONT_TYPE_MASK)
+#define HTTP_CONT_DISPOSITION			((long long)1<<HTTP_CONT_DISPOSITION_MASK)
+#define HTTP_CHARSET 					((long long)1<<HTTP_CHARSET_MASK)
+#define HTTP_EXPIRES 					((long long)1<<HTTP_EXPIRES_MASK)
+#define HTTP_X_FLASH_VERSION 			((long long)1<<HTTP_X_FLASH_VERSION_MASK)
+#define HTTP_TRANSFER_LENGTH 			((long long)1<<HTTP_TRANSFER_LENGTH_MASK)
+
+/*http_state*/
+#define HTTP_STATE_UNKNOWN 				0x00
+#define HTTP_START_LINE					0x01 /*start line over*/
+#define HTTP_REGION 						0x02 
+#define HTTP_DATA_BEGIN 					0x03 /*header over*/
+#define HTTP_DATA 						0x04 /*have entity*/
+#define HTTP_DATA_END 					0x05
+
+/*���ݱ��뷽ʽcont_encoding*/
+#define HTTP_CONT_ENCOD_UNKNOWN 		0X00//��ʼ״̬
+#define HTTP_CONT_ENCOD_DEFAULT 		0X01
+#define HTTP_CONT_ENCOD_GZIP 			0X02
+#define HTTP_CONT_ENCOD_COMPRESS 		0X03
+#define HTTP_CONT_ENCOD_DEFLATE 		0X04
+#define HTTP_CONT_ENCOD_OTHERS 			0X05
+
+/*������뷽ʽtran_encoding*/
+#define HTTP_TRANS_ENCOD_UNKNOWN 		0X00//��ʼ״̬
+#define HTTP_TRANS_ENCOD_CHUNKED 		0X01//chunked����13
+#define HTTP_TRANS_ENCOD_DEFAULT 		0X02//default
+#define HTTP_TRANS_ENCOD_OTHERS 		0X03//����״̬
+
+/*���󷽷�method*/
+#define HTTP_METHOD_UNKNOWN				0X00//��ʼ״̬
+#define HTTP_METHOD_GET 					0X01
+#define HTTP_METHOD_POST 				0X02
+#define HTTP_METHOD_CONNECT				0X03
+#define HTTP_METHOD_HEAD				0X04
+#define HTTP_METHOD_PUT					0X05
+#define HTTP_METHOD_OPTIONS				0X06
+#define HTTP_METHOD_DELETE				0X07
+#define HTTP_METHOD_TRACE				0X08
+
+
+typedef struct _cont_range_t
+{
+	uint64 	start;
+	uint64 	end;
+	uint64 	len;
+}cont_range_t;
+
+typedef struct _append_infor_t
+{	
+	char* 					content;   //data: origin data when ungzip;     region:all complete line when enpand region
+	uint32 					contlen;
+}append_infor_t;
+
+typedef struct _region_t
+{	
+	char* 					pdata;   
+	uint32 					datalen;
+}region_t;
+
+typedef struct _field_infor_t
+{
+	long long 					prot_flag;       //��ǰ�ֶ�flag
+	void*						buf;			   //��ǰ����֮����ֶ�
+	void*						src_buf;		   //��չ�ֶ�ָ�������У�����ָ��ԭʼ����(��ѹ��֮ǰ����ͬ�Ľ������Խ���)
+	int							buflen;		   //��ǰ�ֶγ���
+	int							src_buflen;	    //��ǰ�ֶγ���
+}field_infor_t;
+
+typedef struct _batch_infor_t
+{
+	int							field_cnt;     	 //���������ֶ���Ŀ
+	field_infor_t*				field;	     		 //�ֶ���Ϣ��stFieldInfo
+}batch_infor_t;
+
+typedef struct http_infor_t
+{	
+	char*					p_url;		
+	uint32 					url_len;	
+	int 					http_session_seq;			
+	uint64 					cont_length;			
+	cont_range_t* 			cont_range;	
+	
+	uchar					curdir;	
+	uchar 					http_state;		    
+	uchar 					cont_encoding;
+	uchar 					trans_encoding;  
+	
+	uchar					method;	
+	uchar 					_pad_;	
+	uint16 					res_code;
+	append_infor_t			append_infor;	
+	batch_infor_t*			batch_infor;
+}http_infor;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+*����������(key:value)���key ��key_len
+*����ֵ0�ɹ���-1:ʧ��
+*_key_:_value,ֻ����key
+*/
+int http_line2region(const char *line, uint32 line_len, char** region, uint32* region_len);
+/*
+* �����ֶ�����region ����ֶε�proto_flag
+* region : ������host (in pcap)��Ҳ������HTTP_HOST(in http.conf)
+*/
+long long http_region2proto_flag(const char *region, uint32 region_len);
+/*
+*����proto_flag����ֶ�����
+*����ֵ��http.conf�е��ַ���
+*/
+const char* http_proto_flag2region(long long proto_flag);
+const char* http_get_method(uchar method);
+char* http_url_decode(char *data,  int* data_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif 
diff --git a/src/inc/stream.h b/src/inc/stream.h
new file mode 100644
index 0000000..0b94854
--- /dev/null
+++ b/src/inc/stream.h
@@ -0,0 +1,85 @@
+#ifndef _APP_STREAM_H_
+#define _APP_STREAM_H_           
+
+#include "stream_inc/stream_base.h"
+#include "stream_inc/stream_proxy.h"
+#include "stream_inc/stream_project.h"
+#include "stream_inc/stream_inject.h"
+#include "stream_inc/stream_control.h"
+#include "stream_inc/stream_entry.h"
+#include "stream_inc/stream_rawpkt.h"
+#include "stream_inc/stream_tunnel.h"
+
+#define STREAM_H_VERSION		(20160901)
+
+#define STREAM_BASE_MD5		"fa41d78b6f2b00870fa383cde8dc2041"
+#define STREAM_CONTROL_MD5 	"2a2484f4fb65e5a3240245b66ba787a2"
+#define STREAM_ENTRY_MD5		"7dab86d65114ebe5438e85e0d008645d"
+#define STREAM_INJECT_MD5		"9cf15f1e5c982e4ff0d09a58819fc5b0"
+#define STREAM_PROJECT_MD5	"fc2b981f7e2c99e73d8857e206cb4977"
+#define STREAM_PROXY_MD5		"25cec664c9b44a8cac29f6e3e117eaa6"
+#define STREAM_RAWPKT_MD5	"a63889f97f25917df9ce8540dd860b95"
+#define STREAM_TUNNEL_MD5		"9d326a5e32c413cafdb97e89e6d7abc3"
+
+#endif
+
+/***********************************************************************************
+	Update log:
+	2015-02-03 lijia,
+		�޸�stream_base.h,
+		�������Ͷ���PKT_TYPE_IP_FRAG;
+		����stream_addr_list_ntop, stream_addr_list_ptonϵ�к���.
+		
+	2015-01-23 lqy
+		�޸�stream_base.h, ��pkttyp��������չ�������˶��tcppkt�Ķ���
+		��pktipfragtype ��pkttype�ж���Ϊһ������
+
+	2015-01-04 lijia, 
+		�޸�stream_base.h, ��pkttype�ƶ���struct layer_addr�ṹ��, 
+		��routedir��չΪuchar����;
+		����MESA_dir_reverse()����, ���ڷ���ʱ����routedir.
+		stream.h���Ӱ汾�ź�MD5��ֵ֤.
+
+	2014-12-30 lqy,
+		��ԭstream.h�����������Ϊ7��stream_xxx.h, 
+		��ƽ̨�ڲ���������, public���ͶԲ���ɼ�, privateΪ�ڲ�ʹ�ö��ⲻ�ɼ�.
+
+	2015-11-12 lijia,
+		�����º���MESA_set_stream_opt(),
+		�������õ�ǰ���Ķ�������.
+
+	2015-12-30 lijia,
+		�޸�stream_base.h,
+		��struct tcpdetail, struct udpdetail�еİ������ֽ���ͳ���ƶ���project.
+		Ϊ��������, ��ʱ������Щ������֤�ڴ����к;ɰ�һ��, ֻ�Dz��ٸ���, ��ֵҲ������.
+	
+	2016-01-18 lijia,
+		����Ӣ��ע��, ����ijЩ������SHELL�޷���ʾ���ĵ�����.
+
+	2016-01-18 lijia,
+		stream_base.h����printaddr_r������汾, �����ڷDz��������̴߳�ӡ��ַ.
+
+	2016-03-23 lijia,
+		stream_base.h����layer_addr_dup, layer_addr_free.
+
+	2016-04-18 lijia,
+		stream_control.h����MSO_TCP_ISN_C2S, MSO_TCP_ISN_S2C.
+
+	2016-04-27 lijia,
+		�޸�stream_inject.h����.
+
+	2016-07-08 lijia,
+		�޸�stream_control.h, ����ѡ��MSO_TCP_SYN_OPT, MSO_TCP_SYNACK_OPT.
+		�����ӿ�MESA_get_tcp_pkt_opts().
+
+	2016-07-14 ���,
+		����get_rawpkt_opt_from_streaminfo(), ����û��ԭʼ��ָ��IJ����ȡԭʼ���е���Ϣ��
+
+	2016-07-25 lijia		
+		����enum stream_carry_tunnel_t, ���ڱ�ʾ��ǰ���ײ���������.
+
+	2016-09-01 lijia		
+		1)���������ӿ�streaminfo_dup, streaminfo_free;
+		2)����stream_tunnel.h, ����soq��Ŀ��������Э�������Ϣ�Ļ�ȡ;
+*************************************************************************************/
+
diff --git a/src/inc/stream_inc/stream_base.h b/src/inc/stream_inc/stream_base.h
new file mode 100644
index 0000000..5bce6eb
--- /dev/null
+++ b/src/inc/stream_inc/stream_base.h
@@ -0,0 +1,458 @@
+#ifndef _APP_STREAM_BASE_H_
+#define _APP_STREAM_BASE_H_ 
+
+#define STREAM_BASE_H_VERSION		(20160901)
+
+#include <sys/types.h>
+#include <netinet/in.h>            
+#include <netinet/ip.h>            
+#include <netinet/ip6.h>   
+#include <netinet/tcp.h>   
+#include <netinet/udp.h>   
+#include <stdlib.h>
+#include <string.h>
+
+#ifndef UINT8
+typedef unsigned char		UINT8;
+#endif
+#ifndef UCHAR
+typedef unsigned char		UCHAR;
+#endif
+#ifndef UINT16
+typedef unsigned short		UINT16;
+#endif
+
+#ifndef UINT32
+typedef unsigned int			UINT32;
+#endif
+#ifndef UINT64
+typedef unsigned long long	UINT64;
+#endif
+
+/* CHN : ���ķ����� */
+/* ENG : stream direction definition*/
+#define DIR_C2S 			0x01
+#define DIR_S2C 			0x02
+#define DIR_DOUBLE 			0x03
+
+/* CHN : ����ײ㴫�䷽����,����ģʽ������ */
+/* ENG : network topology route direction, is valid in serial mode */
+#define DIR_ROUTE_UP		0x00
+#define DIR_ROUTE_DOWN 		0x01
+
+/* CHN : ���������Ͷ��� */
+/* ENG : single packet type definition */
+#define PKT_TYPE_NORMAL  			(0x0)	/* normal, common */
+#define PKT_TYPE_IPREBUILD 			(1<<0)  /* ip frag reassembled packet;  ip��Ƭ���鱨�� */
+#define PKT_TYPE_TCPUNORDER 		(1<<1)  /* TCP out of order packet;  TCP������ */
+#define PKT_TYPE_TCPREORDER 		(1<<2)  /* TCP sequential packet;  TCP��������õ����ݰ� */ 
+#define PKT_TYPE_TCPRETRANS 		(1<<3)  /* TCP retransmit packet;  TCP�ش����� */
+#define PKT_TYPE_IP_FRAG			(1<<4)  /* IP frag packet;  IP��Ƭ�� */
+
+/* CHN : ��ַ���Ͷ���, ��ͨ������ addr_type_to_string() ת���ַ�����ʽ. */
+/* ENG : address type, transform to string mode by call addr_type_to_string(). */
+enum addr_type_t{
+	__ADDR_TYPE_INIT = 0,
+	ADDR_TYPE_IPV4,				/* 1, struct stream_tuple4_v4 */
+	ADDR_TYPE_IPV6,				/* 2, struct stream_tuple4_v6 */
+	ADDR_TYPE_VLAN,				/* 3 */
+	ADDR_TYPE_MAC,				/* 4 */
+	ADDR_TYPE_ARP = 5,			/* 5 */
+	ADDR_TYPE_GRE,				/* 6 */
+	ADDR_TYPE_MPLS,				/* 7 */
+	ADDR_TYPE_PPPOE_SES,		/* 8 */
+	ADDR_TYPE_TCP,				/* 9 */
+	ADDR_TYPE_UDP = 10,			/* 10 */
+	ADDR_TYPE_L2TP,				/* 11 */
+	__ADDR_TYPE_IP_PAIR_V4,		/* 12, ipv4 layer in tunnel mode */
+	__ADDR_TYPE_IP_PAIR_V6,		/* 13, ipv6 layer in tunnel mode */
+	ADDR_TYPE_PPP,				/* 14 */
+	__ADDR_TYPE_MAX,			/* 15 */
+};
+
+#define TCP_TAKEOVER_STATE_FLAG_OFF	0
+#define TCP_TAKEOVER_STATE_FLAG_ON	1
+
+
+/* CHN : Ӧ�ò㿴��������״̬���� */
+/* ENG : stream state for protocol or business plug*/
+#define OP_STATE_PENDING   0
+#define OP_STATE_REMOVE_ME 1
+#define OP_STATE_CLOSE     2
+#define OP_STATE_DATA      3
+
+/* CHN : Ӧ�ò㷵�ؽ������ */
+/* ENG : return value of plug */
+#define APP_STATE_GIVEME   0x00
+#define APP_STATE_DROPME   0x01
+#define APP_STATE_FAWPKT   0x00
+#define APP_STATE_DROPPKT  0x10
+
+/* CHN : �������Ͷ��� */
+/* ENG : stream type */
+enum stream_type_t{
+	STREAM_TYPE_NON = 0, /* No stream concept indeed, such as vlan, IP, etc.;  �����ĸ���, ��VLAN, IP��� */
+	STREAM_TYPE_TCP,
+	STREAM_TYPE_UDP,	 /* there is no stream of UDP in RFC, but in MESA platform, we build a UDP stream with same tuple4 packet */
+	STREAM_TYPE_VLAN,
+	STREAM_TYPE_SOCKS4,
+	STREAM_TYPE_SOCKS5,
+	STREAM_TYPE_HTTP_PROXY,
+	STREAM_TYPE_PPPOE,
+	STREAM_TYPE_L2TP,
+};
+
+/*
+   CHN: ���ĵײ������������, ��ͬ��stream_type_t, ���統ǰ��ΪSTREAM_TYPE_TCP, ���ײ�����������STREAM_TUNNLE_PPTP.
+        ��Ϊ���������Ƕ��ֲ�ͬ����Ƕ�����, ֻ��¼��ײ����������.
+*/
+enum stream_carry_tunnel_t{
+	STREAM_TUNNLE_NON = 0, 	/* default is 0, not tunnel; Ĭ��Ϊ0, ������; */
+	STREAM_TUNNLE_6OVER4 	= 1,
+	STREAM_TUNNLE_GRE			= 2,
+	STREAM_TUNNLE_IP_IN_IP	= 4,
+	STREAM_TUNNLE_PPTP		= 8,
+	STREAM_TUNNLE_L2TP		= 16,
+	STREAM_TUNNLE_TEREDO		= 32,
+};
+
+typedef struct raw_ipfrag_list{
+    void *frag_packet;
+    int pkt_len;
+    int type; /* IPv4 or IPv6 */
+    struct raw_ipfrag_list *next;
+}raw_ipfrag_list_t;
+
+
+#ifndef STRUCT_TUPLE4_DEFINED
+#define STRUCT_TUPLE4_DEFINED (1)
+/* compat for start, papp;  ����start, papp */
+struct tuple4 {
+  u_int saddr;
+  u_int daddr;
+  u_short source;
+  u_short dest;
+};
+#endif
+
+struct tuple6
+{
+	UCHAR saddr[16] ;
+	UCHAR daddr[16] ;
+	UINT16 source;
+	UINT16 dest;
+};
+
+/* network-order */
+struct stream_tuple4_v4{
+	UINT32 saddr;	/* network order */
+	UINT32 daddr;	/* network order */
+	UINT16 source;	/* network order */
+	UINT16 dest;	/* network order */
+};
+
+
+#ifndef IPV6_ADDR_LEN
+#define IPV6_ADDR_LEN	(sizeof(struct in6_addr))
+#endif
+
+struct stream_tuple4_v6
+{
+	UCHAR saddr[IPV6_ADDR_LEN] ;
+	UCHAR daddr[IPV6_ADDR_LEN] ;
+	UINT16 source;	/* network order */
+	UINT16 dest;	/* network order */
+};
+
+
+#define GRE_TAG_LEN 		(4)
+struct layer_addr_gre
+{
+	UINT16 gre_id;
+};
+
+
+#define VLAN_ID_MASK		(0x0FFF)
+#define VLAN_TAG_LEN 		(4)
+struct layer_addr_vlan
+{
+	UINT16 vlan_id;	/* network order */
+};
+
+#define VLAN_ID_LEN 4
+struct tuplevlan
+{
+	UCHAR vlan_id[VLAN_ID_LEN];
+};
+
+struct layer_addr_pppoe_session
+{
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+	unsigned int ver:4;   
+	unsigned int type:4;  
+#endif
+#if __BYTE_ORDER == __BIG_ENDIAN
+	unsigned int type:4; 
+	unsigned int ver:4; 
+#endif
+  	unsigned char code;
+	unsigned short session_id;
+};
+
+#ifndef MAC_ADDR_LEN
+#define MAC_ADDR_LEN		(6)
+#endif
+
+struct layer_addr_mac
+{
+	UCHAR dst_mac[MAC_ADDR_LEN]; /* network order */
+	UCHAR src_mac[MAC_ADDR_LEN]; /* network order */
+};
+
+struct layer_addr_ipv4
+{
+	UINT32 saddr; 	/* network order */
+	UINT32 daddr; 	/* network order */
+	/* 2014-04-21 lijia add, 
+	   Ϊ�˽�Լ�ڴ�ռ䡢�ʹ���Ч��, ��ǿ�ư�Э���δ���,
+	   IP���TCP����Ϊһ����,
+	   �����������IP, �˿���ϢΪ0;
+	*/
+	UINT16 source;	/* network order */
+	UINT16 dest;		/* network order */
+};
+
+struct layer_addr_ipv6
+{
+	UCHAR saddr[IPV6_ADDR_LEN] ; /* network order */
+	UCHAR daddr[IPV6_ADDR_LEN] ; /* network order */
+	/* 2014-04-21 lijia add, 
+	   Ϊ�˽�Լ�ڴ�ռ䡢�ʹ���Ч��, ��ǿ�ư�Э���δ���,
+	   IP���TCP����Ϊһ����,
+	   �����������IP, �˿���ϢΪ0;
+	*/
+	UINT16 source;/* network order */
+	UINT16 dest;/* network order */
+};
+
+struct layer_addr_tcp
+{
+	UINT16 source; /* network order */
+	UINT16 dest;    /* network order */
+};
+
+struct layer_addr_udp
+{
+	UINT16 source; /* network order */
+	UINT16 dest;    /* network order */
+};
+
+
+struct layer_addr_l2tp_v2_t{
+	UINT16 tunnelid_C2S; /* network order, �Դ���㴴�����ķ���Ϊ׼ */
+	UINT16 tunnelid_S2C; /* network order, �Դ���㴴�����ķ���Ϊ׼ */
+	UINT16 sessionlid_C2S; /* network order, �Դ���㴴�����ķ���Ϊ׼ */
+	UINT16 sessionlid_S2C; /* network order, �Դ���㴴�����ķ���Ϊ׼ */
+};
+
+struct layer_addr_l2tp_v3_t{
+	UINT32 sessionlid; /* network order */
+};
+		
+struct layer_addr_l2tp
+{
+	UCHAR version; /* v2 or v3 */
+	union
+	{	
+ 		struct layer_addr_l2tp_v2_t l2tp_addr_v2;
+		struct layer_addr_l2tp_v3_t l2tp_addr_v3;
+	}l2tpun;
+};
+
+struct layer_addr_mpls
+{
+	unsigned int mpls_pkt;
+};
+
+
+struct layer_addr
+{
+	UCHAR addrtype; /*  definition in enum addr_type_t */
+	UCHAR addrlen;	
+	UCHAR pkttype;	   	/* packet special features, definition in MACRO PKT_TYPE_xxx */
+	UCHAR pktipfragtype;	/* ip frag packetfeatures, definition in MACRO PKT_TYPE_xxx */
+	
+	UCHAR __pad[4]; /* pad for alignment */
+	union
+	{
+		struct stream_tuple4_v4 *tuple4_v4;
+		struct stream_tuple4_v6 *tuple4_v6;
+		struct layer_addr_ipv4	*ipv4;
+		struct layer_addr_ipv6	*ipv6;
+		struct layer_addr_vlan	*vlan;
+		struct layer_addr_mac	*mac;
+		struct layer_addr_gre	*gre;
+		struct layer_addr_tcp	*tcp;
+		struct layer_addr_udp	*udp;
+		struct layer_addr_pppoe_session *pppoe_ses;		
+		struct layer_addr_l2tp	*l2tp;
+		void 					*paddr;
+	};
+
+};
+
+/* CHN : �����˽ṹ���ں�papp����, ����ָ��ʱ, ����struct layer_addrǿת */
+/* ENG : compat for papp, can be transform to struct layer_addr pointer */
+struct ipaddr
+{
+	UCHAR addrtype; /*  definition in enum addr_type_t */
+	UCHAR addrlen;
+	UCHAR  pkttype;	  /* packet special features, definition in MACRO PKT_TYPE_xxx */
+	UCHAR  pktipfragtype;	   		/* ip frag packetfeatures, definition in MACRO PKT_TYPE_xxx */
+	UCHAR __pad[4]; /* pad for alignment */
+	union
+	{
+		struct stream_tuple4_v4 *v4;
+		struct stream_tuple4_v6 *v6;
+		void *paddr;
+	};
+
+};
+
+struct tcpdetail
+{
+	void  *pdata;		 
+	UINT32 datalen;		
+	UINT32 lostlen;		/* lost data len, not accumulated, current procedure */
+	UINT32 serverpktnum; 	/* this value indicate TCP-ALL packet, include syn, ack, rst, if want get tcp data status, use stream_project.h : struct tcp_flow_stat */
+	UINT32 clientpktnum;  	/* this value indicate TCP-ALL packet, include syn, ack, rst, if want get tcp data status, use stream_project.h : struct tcp_flow_stat */
+	UINT32 serverbytes;   	/* this value indicate TCP-ALL packet, include syn, ack, rst, if want get tcp data status, use stream_project.h : struct tcp_flow_stat */
+	UINT32 clientbytes;     /* this value indicate TCP-ALL packet, include syn, ack, rst, if want get tcp data status, use stream_project.h : struct tcp_flow_stat */
+	UINT64 createtime; 
+	UINT64 lastmtime;
+};
+
+struct udpdetail
+{
+ 	void *pdata;		     
+ 	UINT32 datalen;			 
+	UINT32 pad;			
+	UINT32 serverpktnum; 	 /* you should better use stream_project.h : struct udp_flow_stat */
+	UINT32 clientpktnum;	/* you should better use stream_project.h : struct udp_flow_stat */
+	UINT32 serverbytes;	/* you should better use stream_project.h : struct udp_flow_stat */
+	UINT32 clientbytes;	/* you should better use stream_project.h : struct udp_flow_stat */
+	UINT64 createtime; 
+	UINT64 lastmtime;
+};
+
+struct streaminfo
+{
+	struct layer_addr addr;      
+	struct streaminfo *pfather; /* this stream's carry layer stream; �ϲ����ṹ�� */
+	UCHAR type;			/* stream type, definition in enum stream_type_t */
+	UCHAR threadnum;	     
+	UCHAR  dir;           	/*  valid in all stream life, current stream direction state, 0x01:c-->s; 0x02:s-->c; 0x03 c<-->s; */
+	UCHAR  curdir;         /* valid in current procedure, current packet direction, 0x01:c-->s;  0x02:s-->c */
+	UCHAR  opstate;		/* stream state, definition in MACRO OP_STATE_xxx */
+	UCHAR  pktstate;	/* for TCPALL plug, stream state, definition in MACRO OP_STATE_xxx */
+	UCHAR  routedir;	     /* network topology route direction, is valid in serial mode */
+	UCHAR  stream_state;	/* stream management state, for example, in TCP stream, maybe SYN, DATA, NOUSE */
+	UINT32 hash_index;		/* stream hash index, maybe reduplicate with other stream when hash algorithm collide */      
+	UINT32 stream_index;    /* stream global index per thread  */	
+	union
+	{
+		struct tcpdetail *ptcpdetail;
+		struct udpdetail *pudpdetail;
+		void   *pdetail;
+	};
+ };
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* CHN : �ڴ������غ���, ����ƽ̨�IJ������ʹ�ô��ຯ��������ͷ��ڴ� */
+/* ENG : memory management function, plugs must call these functions instead of malloc, free in <stdlib.h> */
+void *dictator_malloc(int thread_seq,size_t size);
+void dictator_free(int thread_seq,void *pbuf);
+void *dictator_realloc(int thread_seq, void* pbuf, size_t size);
+
+/* CHN : ��ȡ��ǰϵͳ���еIJ��������߳����� */
+/* ENG : get current total thread of platfomr */
+int get_thread_count(void);
+
+/* CHN : ����enum addr_type_tַ����ת���ɿɴ�ӡ���ַ�����ʽ */
+/* ENG : transform binary addr_type_t to string mode */
+const char *addr_type_to_string(enum addr_type_t type);
+
+/*
+	ENG : transform tuple4 to string mode, muse used in packet process thread context;
+	CHN : ��layer_addr��ַת�����ַ�����ʽ, �������ڰ������߳�.
+*/
+const char *printaddr (const struct layer_addr *paddrinfo, int threadindex);
+
+/*
+	ENG : a reentrant version of printaddr, thread safe;
+	CHN : printaddr�Ŀ�����汾, ���̰߳�ȫ��.
+*/
+const char *printaddr_r(const struct layer_addr *paddrinfo, char *out_buf, int out_buf_len);
+
+/* 
+	ENG : duplicate a same layer_addr struct, memory obtained with malloc(3);
+	CHN : ����һ����ȫ��ͬ��layer_addr�ṹ��, �ڴ�ͨ��malloc(3)��ȡ.
+*/
+struct layer_addr * layer_addr_dup(const struct layer_addr *paddrinfo);
+
+/* 
+	ENG: used to free all memory of paddrinfo;
+	CHN: �����ͷ�paddrinfo�ڴ�.
+*/
+void layer_addr_free(struct layer_addr *paddrinfo);
+
+
+/* 
+	ENG : duplicate a same streaminfo list, memory obtained with malloc(3);
+	CHN : ����һ����ȫ��ͬ��streaminfo�ṹ�弰�����ṹ, �ڴ�ͨ��malloc(3)��ȡ.
+*/
+struct streaminfo *streaminfo_dup(const struct streaminfo *stream);
+
+/* 
+	ENG: used to free all memory of streaminfo;
+	CHN: �����ͷŽṹ�弰�����ṹ���ڴ�.
+*/
+void streaminfo_free(struct streaminfo *stream);
+
+
+/* 
+	addr list transform function, like inet_ntop(), inet_pton(),
+	use '<' as delimitation between layer,
+	if direction is double, for ip, port, use '-' as delimitation between source and destination,
+	
+	for example:
+		"T4T:6005-1673<IP4:61.147.112.53-11.215.62.23<MAC:0000ea60040d-0200000003b6"
+
+	args:
+		pstream	: stream info;
+		dst		: buf to store result;
+		size		: dst buf's size;
+		addr_list_str: addr list string;
+		thread_index : thread index;
+
+	����ֵ:
+		>0:ת����Ľ��ʵ��ռ���ڴ泤��, stream_addr_list_ntop()�������ַ���ĩβ��'\0';
+		-1:dst����ռ䳤�Ȳ���;
+		-2:��ʽ����;
+		-3:��������;
+*/
+int stream_addr_list_ntop(const struct streaminfo *pstream, char *dst, int size);
+int stream_addr_list_pton(const char *addr_list_str, void *dst, int size, int thread_index);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_control.h b/src/inc/stream_inc/stream_control.h
new file mode 100644
index 0000000..9d10833
--- /dev/null
+++ b/src/inc/stream_inc/stream_control.h
@@ -0,0 +1,123 @@
+#ifndef _APP_STREAM_CONTROL_H_
+#define _APP_STREAM_CONTROL_H_ 
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define STREAM_CONTROL_H_VERSION		(20160726)
+
+#define TCP_CTEAT_LINK_BYSYN   			0x01
+#define TCP_CTEAT_LINK_BYDATA 			0x02
+
+/*
+	option of stream, 
+
+	MSO_IGNORE_RST_FIN: will not be terminated by RST, FIN packet, only if timeout or in LRU tail, it will be eliminated. 
+*/
+enum MESA_stream_opt{
+	__MSO_PAD			=	0,
+	MSO_MAX_UNORDER	=	1,  	/* opt_val type must be struct max_unorder_opt */
+	MSO_NEED_ACK,				/* opt_val type must be unsigned char */
+	MSO_TAKEOVER,				/* opt_val type must be int */
+	MSO_TIMEOUT,				/* opt_val type must be unsigned short */
+	MSO_IGNORE_RST_FIN, 		/* opt_val type must be unsigned char */
+	MSO_TCP_CREATE_LINK_MODE,  /* opt_val must be unsigned char, refer to TCP_CTEAT_LINK_xxx */
+	MSO_TCP_ISN_C2S, /* Host-order, opt_val type must be unsigned int */
+	MSO_TCP_ISN_S2C, /* Host-order, opt_val type must be unsigned int */
+	MSO_TCP_SYN_OPT, /* opt_val must be struct tcp_option **, opt_val_len [OUT} is struct tcp_option number, valid only if SYN packet is captured */
+	MSO_TCP_SYNACK_OPT, /* opt_val must be struct tcp_option **, opt_val_len [OUT} is struct tcp_option number, valid only if SYN/ACK packet is captured */
+	MSO_STREAM_TUNNEL_TYPE,  /* opt_val must be unsigned short, refer to enum stream_carry_tunnel_t */
+	__MSO_MAX,
+};
+
+/* for MSO_MAX_UNORDER  */
+struct max_unorder_opt{
+	unsigned short stream_dir; /* refer to stream_base.h, DIR_C2S, DIR_S2C, DIR_DOUBLE */
+	unsigned short max_unorder_val;
+};
+
+#define MAX_TCP_OPT_LEN	(38) /* TCPͷ�������Ϊ60�ֽ�, ȥ����׼ͷ��ʣ��ѡ����40�ֽ�, ѡ�����ݲ����38�ֽ� */
+#define MAX_TCP_OPT_NUM	(20) /* ����TCP�����ѡ������ */
+
+enum tcp_option_value{
+	TCP_OPT_EOL = 0,
+	TCP_OPT_NOP = 1,
+	TCP_OPT_MSS = 2,
+	TCP_OPT_WIN_SCALE = 3,
+	TCP_OPT_SACK = 4,
+	TCP_OPT_TIME_STAMP = 8,	/* refer to struct tcp_option_ts */
+	TCP_OPT_MD5 = 19,
+};
+
+struct tcp_option_ts{
+	unsigned int ts_self;
+	unsigned int ts_echo_reply;	
+};
+
+struct tcp_option{
+	unsigned char type;
+	unsigned char len;
+	union{
+		unsigned char char_value;
+		unsigned short short_value;
+		unsigned int int_value;
+		unsigned long long long_value;
+		char *variable_value;
+		struct tcp_option_ts opt_ts_val;
+	};	
+} __attribute__((packed, aligned(1)));
+
+/*
+	plug call MESA_set_stream_opt() to set feature of specified stream.
+		opt: option type, refer to enum MESA_stream_opt;
+		opt_val: option value, depend on opt type;
+		opt_val_len: opt_val size;
+	
+	return value:
+		0 :OK;
+		<0:error;
+*/
+int MESA_set_stream_opt(const struct streaminfo *pstream, enum MESA_stream_opt opt, void *opt_val, int opt_val_len);
+
+
+/*
+	plug call MESA_get_stream_opt() to get feature of specified stream.
+		opt: option type, refer to enum MESA_stream_opt;
+		opt_val: option value, depend on opt type;
+		opt_val_len: value-result argment, IN:opt_val buf size, OUT:opt_val actual size;
+	
+	return value:
+		0 :OK;
+		<0:error;
+*/
+int MESA_get_stream_opt(const struct streaminfo *pstream, enum MESA_stream_opt opt, void *opt_val, int *opt_val_len);
+
+
+/*
+	Get options from tcphdr, and store them in raw_result.
+	return value:
+		= 0: no option;
+		> 0: opt number;
+		< 0: error.	
+*/
+int MESA_get_tcp_pkt_opts(const struct tcphdr *tcphdr, struct tcp_option *raw_result, int res_num);
+
+/****************************************************************************************
+	CHN : ��Ϊ��ʷ��������,���ຯ��������Ϊ������,��ʹ���½ӿ�:MESA_set_stream_opt().
+	ENG : for compat old version, keep these functions, but we suggest you use new API MESA_set_stream_opt().
+*****************************************************************************************/
+int tcp_set_single_stream_max_unorder(const struct streaminfo *stream, UCHAR dir, unsigned short unorder_num);
+int tcp_set_single_stream_needack(const struct streaminfo *pstream);
+int tcp_set_single_stream_takeoverflag(const struct streaminfo *pstream,int flag);
+int stream_set_single_stream_timeout(const struct streaminfo *pstream,unsigned short timeout);
+/****************************************************************************************
+****************************************************************************************
+****************************************************************************************/
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_entry.h b/src/inc/stream_inc/stream_entry.h
new file mode 100644
index 0000000..c145a45
--- /dev/null
+++ b/src/inc/stream_inc/stream_entry.h
@@ -0,0 +1,83 @@
+#ifndef _APP_STREAM_ENTRY_H_
+#define _APP_STREAM_ENTRY_H_ 
+
+#define STREAM_ENTRY_H_VERSION		(20160118)
+
+/*
+	CHN : ҵ�����ý�����ʱsession_state״̬;
+*/
+#define SESSION_STATE_PENDING	0x01
+#define SESSION_STATE_DATA		0x02
+#define SESSION_STATE_CLOSE	0x04
+
+//���������ҵ���ʱ�ķ���ֵ��
+#define PROT_STATE_GIVEME   0x01
+#define PROT_STATE_DROPME	0x02
+#define PROT_STATE_DROPPKT	0x04
+
+//������������ҵ�����ʱ�������
+typedef struct _plugin_session_info
+{
+	unsigned short  plugid;			//plugid��ƽ̨����
+	char session_state;	//�Ự״̬��PENDING,DATA,CLOSE
+	char _pad_;			//����
+	int buflen;			//��ǰ�ֶγ���
+	long long prot_flag;	//��ǰ�ֶε�flagֵ
+	void *buf;			//��ǰ�ֶ�
+	void* app_info;		//��������������Ϣ
+}stSessionInfo;
+
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+typedef char (*STREAM_CB_FUN_T)(const struct streaminfo *pstream,void **pme, int thread_seq,const void *ip_hdr);
+typedef char (*IPv4_CB_FUN_T)(const struct streaminfo *pstream,unsigned char routedir,int thread_seq,  const void *ipv4_hdr);
+typedef char (*IPv6_CB_FUN_T)(const struct streaminfo *pstream,unsigned char routedir,int thread_seq,  const void *ipv6_hdr);
+
+
+typedef char (*SAPP_PKT_CB_FUN_T)(const struct streaminfo *pstream, const void *this_hdr, const void *raw_pkt);
+typedef char (*SAPP_STREAM_FUN_T)(const struct streaminfo *pstream, const void *this_hdr, const void *raw_pkt, void **pme);
+
+
+/*����������
+	a_*, pstream:	������������Ϣ;
+	raw_pkt:	ԭʼ��ָ��,��ȡ�����Ϣʹ��get_opt_from_rawpkt()�ӿ�;
+	pme:		˽������ָ��;
+	thread_seq���߳����;
+
+��������ֵ������Ϊ�����ĸ�ֵ������
+
+	APP_STATE_GIVEME�������򱾺����Ͱ���
+	APP_STATE_DROPME�������򱾺����Ͱ���
+	APP_STATE_FAWPKT����ע�����ݰ�
+	APP_STATE_DROPPKT������ע�����ݰ�
+*/
+char IPv4_ENTRY_EXAMPLE(const struct streaminfo *pstream,unsigned char routedir,int thread_seq, const void *ipv4_hdr);
+char IPv6_ENTRY_EXAMPLE(const struct streaminfo *pstream,unsigned char routedir,int thread_seq,const void *ipv6_hdr);
+char TCP_ENTRY_EXAMPLE(const struct streaminfo *a_tcp,  void **pme, int thread_seq,const void *ip_hdr);
+char UDP_ENTRY_EXAMPLE(const struct streaminfo *a_udp,  void **pme, int thread_seq,const void *ip_hdr);
+
+char SAPP_PKT_EXAMPLE(const struct streaminfo *pstream, const void *this_hdr, const void *raw_pkt);
+char SAPP_STREAM_EXAMPLE(const struct streaminfo *pstream, const void *this_hdr, const void *raw_pkt, void **pme);
+
+
+/* 
+	CHN : ҵ���ص��ӿ� ;
+	ENG : business plug API ;
+*/
+
+char PROT_PROCESS(stSessionInfo* session_info,  void **pme, int thread_seq,struct streaminfo *a_stream,const void *a_packet);
+
+
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_inject.h b/src/inc/stream_inc/stream_inject.h
new file mode 100644
index 0000000..0d4cf61
--- /dev/null
+++ b/src/inc/stream_inc/stream_inject.h
@@ -0,0 +1,113 @@
+#ifndef _APP_STREAM_INJECT_H_
+#define _APP_STREAM_INJECT_H_ 
+
+#include <sys/types.h>
+#include "stream_base.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define STREAM_INJECT_H_VERSION		(20161010)
+
+
+/* 
+	CHN : ����GK��غ��� 
+	ENG : to force terminate a stream;
+
+	MESA_kill_tcp: use RST to terminate a TCP stream;
+	MESA_kill_tcp_synack: send phony SYN/ACK packet to cheat client and server.
+	MESA_kill_connection: for non-TCP stream, such as UDP stream, only available in serial mode.
+
+    return value:
+		>= 0: success.
+		-1  : error.
+*/
+int MESA_kill_tcp(struct streaminfo *stream, const void *raw_pkt);
+int MESA_kill_tcp_synack(struct streaminfo *stream, const void *raw_pkt);
+int MESA_kill_connection(struct streaminfo *stream, const void *ext_raw_pkt);
+
+/*
+	���������ܵ�MESA_kill_xxxϵ�к���.
+	���ӹ���Ϊ: 
+	    ��ʵ�ʷ��͵����ݰ�copy��feedback_buf�ռ���, ������feedback_buf_lenΪʵ�����ݰ�����.
+
+	ע��: feedback_buf_lenΪ���봫����, �����ʾfeedback_buf����, ������ʾʵ�ʷ��͵����ݰ�����.
+
+    return value:
+		>= 0: success.
+		-1  : error.	
+		-2  : feedback_buf or feedback_buf_len error.
+*/
+int MESA_kill_tcp_feedback(struct streaminfo *stream, const void *raw_pkt, char *feedback_buf, int *feedback_buf_len);
+int MESA_kill_tcp_synack_feedback(struct streaminfo *stream, const void *raw_pkt, char *feedback_buf, int *feedback_buf_len);
+int MESA_kill_connection_feedback(struct streaminfo *stream, const void *raw_pkt, char *feedback_buf, int *feedback_buf_len);
+
+/* 
+	CHN : ����route_dir����, Ϊ�˼���papp;
+	ENG : compat for papp, dir reverse.
+ */
+unsigned char MESA_dir_reverse(unsigned char raw_route_dir);
+
+/*
+	ARG:
+		stream: ���ṹ��ָ��;
+		payload: Ҫ���͵�����ָ��;
+		payload_len: Ҫ���͵����ݸ��س���;
+		raw_pkt: ԭʼ��ָ��;
+		snd_routedir: Ҫ�������ݵ�route����, 
+			 ��������͵İ��뵱ǰ��ͬ��, snd_routedir = stream->routedir, 
+			 ��������͵İ��뵱ǰ������, snd_routedir = MESA_dir_reverse(stream->routedir).
+	return value:
+		-1: error.
+		>0: ���͵����ݰ�ʵ���ܳ���(payload_len + �ײ��ͷ����);
+*/
+int MESA_inject_pkt(struct streaminfo *stream, const char *payload, int payload_len, const void *raw_pkt, UCHAR snd_routedir);
+
+
+/*
+	���������ܵ�MESA_inject_pkt_feedback����, ����ͬMESA_inject_pkt().
+	��ʵ�ʷ��͵����ݰ�copy��feedback_buf�ռ���, ������feedback_buf_lenΪʵ�����ݰ�����.
+
+	ע��: feedback_buf_lenΪ���봫����, �����ʾfeedback_buf����, ������ʾʵ�ʷ��͵����ݰ�����.
+
+    return value:
+		>= 0: success.
+		-1  : error.	
+		-2  : feedback_buf or feedback_buf_len error.
+*/
+int MESA_inject_pkt_feedback(struct streaminfo *stream, const char *payload, int payload_len, 
+						const void *ext_raw_pkt, UCHAR snd_routedir,
+						char *feedback_buf, int *feedback_buf_len);
+						
+int MESA_sendpacket_ethlayer(int thread_index,const char *buf, int buf_len, unsigned int target_id);//papp online, shuihu
+
+/* �����ѹ���õ�����IP��, У��͵Ⱦ�������߼��� */
+int MESA_sendpacket_iplayer(int thread_index,const char *buf,  int buf_len, __uint8_t dir);
+
+/* ����ָ������IP��, ��ָ����������, У�����ƽ̨�Զ�����,
+   sip, dip������. */
+int MESA_fakepacket_send_ipv4(int thread_index,__uint8_t ttl,__uint8_t protocol,
+							u_int32_t sip_host_order, u_int32_t dip_host_order, 
+							const char *payload, int payload_len,__uint8_t dir);
+
+/* ����ָ������TCP��, ��ָ����������, У�����ƽ̨�Զ�����,
+   sip, dip,sport,dport,sseq,sack��������. */
+int MESA_fakepacket_send_tcp(int thread_index,u_int sip_host_order,u_int dip_host_order,
+							u_short sport_host_order,u_short dport_host_order,
+							u_int sseq_host_order,u_int sack_host_order,
+							u_char control,const char* payload,int payload_len, u_int8_t dir);
+
+/* ����ָ������UDP��, ��ָ����������, У�����ƽ̨�Զ�����,
+   sip, dip,sport,dport��������. */
+int MESA_fakepacket_send_udp(int thread_index, u_int sip_host_order, u_int dip_host_order, 
+							u_short sport_host_order,u_short dport_host_order, 
+							const char *payload, int payload_len,u_int8_t dir);
+							
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_project.h b/src/inc/stream_inc/stream_project.h
new file mode 100644
index 0000000..41f453e
--- /dev/null
+++ b/src/inc/stream_inc/stream_project.h
@@ -0,0 +1,147 @@
+#ifndef _STREAM_PROJECT_H_
+#define _STREAM_PROJECT_H_
+
+#include "stream_base.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define STREAM_PROJECT_H_VERSION			(20160118)
+
+#define PROJECT_REQ_NAME_MAX_LEN			(64)
+
+typedef void (project_req_free_t)(int thread_seq, void *project_req_value);
+
+#define PROJECT_VAL_TYPE_CHAR				"char"
+#define PROJECT_VAL_TYPE_SHORT			"short"
+#define PROJECT_VAL_TYPE_INT				"int"
+#define PROJECT_VAL_TYPE_LONG				"long"
+#define PROJECT_VAL_TYPE_STRUCT			"struct"
+
+/* 
+	CHN : ���ڴ洢ȫ��IP��Ƭԭʼ�� 
+	ENG : for store all ip frag packet in non-ip-frag entry.
+*/
+#define PROJECT_REQ_IPV4_FRAG_LIST			"ipv4_frag_list"
+#define PROJECT_REQ_IPV6_FRAG_LIST			"ipv6_frag_list"
+
+
+/* 
+	CHN : �˺궨���ʾTCP����ͳ�ƹ�����project_list.conf������, ��Ӧ��project_id��Ҫʹ�����º�����ȡ:
+	ENG : this MARCO is use for tcp flow statistics, should enable this in project_list.conf. 		
+	project_customer_register(PROJECT_REQ_TCP_FLOW, "struct");
+*/
+#define PROJECT_REQ_TCP_FLOW				"tcp_flow_stat"
+
+/* 
+	CHN : UDP����ͳ�ƹ���ƽ̨�̶�����, ������project_list.conf����, ��Ӧ��project_id��Ҫʹ�����º�����ȡ:
+	ENG : this MARCO is use for tcp flow statistics, it's always enable.
+		project_customer_register(PROJECT_REQ_UDP_FLOW, "struct");
+*/	
+#define PROJECT_REQ_UDP_FLOW				"udp_flow_stat"
+
+/* 
+	CHN : ������,�ֽ���ͳ��ֵ��pdetail���ƶ���project 
+	ENG : before 2015-12-31, this statistics in struct streaminfo, after 2015-12-31, you must get these use project_req_get_struct().
+*/
+struct tcp_flow_stat
+{
+	UINT32 C2S_all_pkt;		/* All tcp packets, include SYN, ACK, FIN, RST, etc. */
+	UINT32 C2S_data_pkt;	/* TCP reassemble packet, there is not payload size is zero, not retransmit packet */
+	UINT32 S2C_all_pkt;
+	UINT32 S2C_data_pkt;
+	UINT64 C2S_all_byte;	/* All tcp packet's data size, include retransmit packet */
+	UINT64 C2S_data_byte;	
+	UINT64 S2C_all_byte;
+	UINT64 S2C_data_byte;
+};
+
+struct udp_flow_stat
+{
+	UINT32 C2S_pkt;
+	UINT32 S2C_pkt;
+	UINT64 C2S_byte;
+	UINT64 S2C_byte;
+};
+
+/*	
+	must call this function in initialization, only one times,
+	the 'free_cb' should be NULL if 'project_req_val_type' is simple type,
+	otherwise must implement it by youself.
+
+	args:
+		project_req_name: for example, "terminal_tag", "stream_id", "tcp_flow_stat".
+		project_req_val_type: support "char","short","int","long","struct".
+		free_cb: used to free resource when 'project_req_val_type' is "struct".
+	
+	return value: 'project_req_id' of this project_req_name, must use this id in following functions.
+		>= 0 : success;
+		  -1 : error.
+*/
+int project_producer_register(const char *project_req_name, const char *project_req_val_type, project_req_free_t *free_cb);
+
+/* args and return value same with project_producer_register() */
+int project_customer_register(const char *project_req_name, const char *project_req_val_type);
+
+/*	
+	Function project_req_add_struct(): 'project_req_value' must be a pointer to heap memory(obtain by malloc).
+	
+	return value:
+		0 : success;
+		-1: error.
+*/
+int project_req_add_char(struct streaminfo *stream, int project_req_id, char project_req_value);
+int project_req_add_short(struct streaminfo *stream, int project_req_id, short project_req_value);
+int project_req_add_int(struct streaminfo *stream, int project_req_id, int project_req_value);
+int project_req_add_long(struct streaminfo *stream, int project_req_id, long project_req_value);
+
+int project_req_add_uchar(struct streaminfo *stream, int project_req_id, unsigned char project_req_value);
+int project_req_add_ushort(struct streaminfo *stream, int project_req_id, unsigned short project_req_value);
+int project_req_add_uint(struct streaminfo *stream, int project_req_id, unsigned int project_req_value);
+int project_req_add_ulong(struct streaminfo *stream, int project_req_id, unsigned long project_req_value);
+
+
+int project_req_add_struct(struct streaminfo *stream, int project_req_id, const void *project_req_value);
+
+
+/*
+	return value:
+		-1(or all bit is '1' in Hex mode, 0xFF, 0xFFFF, etc.): 
+			maybe error, maybe the actual project_req_value is -1 indeed, 
+			must check tht 'errno' in this case, 
+			the 'errno' will be set to 'ERANGE' indicate an error.
+		other: success, get the stored value.    
+
+	For example:
+		int value = project_req_get_int(stream, req_id);
+		if((-1 == value) && (ERANGE == errno)){
+			error_handle();
+		}else{
+			// this is not an error!!
+			do_something();
+		}
+*/
+char project_req_get_char(const struct streaminfo *stream, int project_req_id);
+short project_req_get_short(const struct streaminfo *stream, int project_req_id);
+int project_req_get_int(const struct streaminfo *stream, int project_req_id);
+long project_req_get_long(const struct streaminfo *stream, int project_req_id);
+
+unsigned char project_req_get_uchar(const struct streaminfo *stream, int project_req_id);
+unsigned short project_req_get_ushort(const struct streaminfo *stream, int project_req_id);
+unsigned int project_req_get_uint(const struct streaminfo *stream, int project_req_id);
+unsigned long project_req_get_ulong(const struct streaminfo *stream, int project_req_id);
+
+/*
+	return value:
+		NULL  : error;
+		others: success.    
+*/
+const void *project_req_get_struct(const struct streaminfo *stream, int project_req_id);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_proxy.h b/src/inc/stream_inc/stream_proxy.h
new file mode 100644
index 0000000..4f8408e
--- /dev/null
+++ b/src/inc/stream_inc/stream_proxy.h
@@ -0,0 +1,53 @@
+#ifndef _STREAM_PROXY_H_
+#define _STREAM_PROXY_H_
+
+#include "stream_base.h"
+
+#define STREAM_PROXY_H_VERSION		(20151230)
+
+
+#define PROXY_STATE_SEL 0
+#define PROXY_STATE_LINK_IN 1
+
+//	������Ϣ
+struct proxydetail
+{	
+	UINT16 iType;		//	��������, 0 ��ʾ��Ч
+	UINT16  uiPort;		//	��������ʵ�������˿�
+	UINT16	uiUserLen;
+	UINT16  uiPwdLen;
+	UINT16  uiApendLen;
+	
+	UCHAR  pad;		
+	UCHAR  dealstate;	//��������״̬	
+	UINT32  uiIP;		//	��������ʵ������IP��ַv4, �������ֽ���
+	UCHAR	*pIpv6;		//	��������ʵ������IP��ַ, v6��ַ
+	UCHAR	*pUser;		//    �����û���
+	UCHAR   *pPwd;		//    ��������
+	UCHAR 	*append;	//   ����������Ϣ������url
+	void   *apme;		  //Ӧ�ò�������
+	void   *pAllpktpme;   //��״̬��tcp����������
+	UINT32 serverpktnum;
+	UINT32 clientpktnum;
+	UINT32 serverbytes;
+	UINT32 clientbytes;
+} ;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*��һ����������Ϣ�����һ��fatherstream,���ҹ��ص�stream��*/
+void set_proxy_fstream(struct streaminfo *pstream,struct streaminfo *pProxy);
+
+/*��������������Ϣ������ɺ󣬽��� �ڲ� ����*/
+int deal_tcp_in_proxy_stream(struct streaminfo *a_tcp,void * a_packet,struct streaminfo *pProxy);
+
+/*�ص��ϲ���Ϣ���ͷŴ�������������Ϣ*/
+void free_tcp_proxy_stream(struct streaminfo *pstream,struct streaminfo *pProxy);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/src/inc/stream_inc/stream_rawpkt.h b/src/inc/stream_inc/stream_rawpkt.h
new file mode 100644
index 0000000..2f0dc57
--- /dev/null
+++ b/src/inc/stream_inc/stream_rawpkt.h
@@ -0,0 +1,91 @@
+#ifndef _APP_STREAM_RAWPKT_H_
+#define _APP_STREAM_RAWPKT_H_ 
+
+#define STREAM_RAWPKT_H_VERSION		(20160714)
+
+#include "stream_base.h"
+
+enum{
+	RAW_PKT_GET_DATA	= 1,	//value type: void *, out_value should be void **
+	RAW_PKT_GET_RAW_PKT_TYPE,	//value type: enum addr_type_t in stream_base.h, out_value should be enum addr_type_t*
+	RAW_PKT_GET_TOT_LEN,		//value type: int , out_value should be int *
+	RAW_PKT_GET_TIMESTAMP,		//value type: struct timeval , out_value should be struct timeval *
+	RAW_PKT_GET_THIS_LAYER_HDR,	//value type: void *, out_value should be void **
+	RAW_PKT_GET_THIS_LAYER_REMAIN_LEN, //value type: int , out_value should be int *
+};
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+	get option from raw packet.
+
+for example:
+	CHN : ��ȡԭʼ������, (���ݲ������͵IJ�ͬ, ���ܴ�MAC��ʼ, Ҳ���ܴ�IPͷ����ʼ, ��Ҫʹ��RAW_PKT_GET_RAW_PKT_TYPE��ȡ);
+	ENG : get raw packet header, header's type depend on raw pacekt type, you should use RAW_PKT_GET_RAW_PKT_TYPE first;
+	
+	void *raw_pkt_data;
+	get_opt_from_rawpkt(voidpkt, RAW_PKT_GET_DATA, &raw_pkt_data);	
+	
+	CHN : ��ȡԭʼ���ܳ���;
+	ENG : get raw packet size;
+	int tot_len;
+	get_opt_from_rawpkt(voidpkt, RAW_PKT_GET_TOT_LEN, &tot_len);
+	 
+	CHN : ��ȡ�����ͷ��ʼ��ַ:
+	ENG : get this layer header;
+	void *this_layer_hdr;
+	get_opt_from_rawpkt(voidpkt, RAW_PKT_GET_THIS_LAYER_HDR, &this_layer_hdr); 
+
+	CHN : ��ȡԭʼ��ʱ���, ���������ײ㲶���ⲻ֧��ʱ�������, ֵΪȫ0:
+	ENG : get raw packet timestamp, maybe zero if network card or library not support.
+	struct timeval pkt_stamp;
+	get_opt_from_rawpkt(voidpkt, RAW_PKT_GET_TIMESTAMP, &pkt_stamp); 
+
+	return value:
+		0:success;
+		-1:error, or not support.
+*/
+int get_opt_from_rawpkt(const void *rawpkt, int type, void *out_value);
+
+/*
+	CHN: ����ͬ��, ���������ͬ.
+	ENG: Function ibid, except args pstream.
+*/
+int get_rawpkt_opt_from_streaminfo(const struct streaminfo *pstream, int type, void *out_value);
+
+/* 	
+	��ȡ��������ԭʼ���ж�Ӧ��ͷ����ַ,
+	���豾��������ΪTCP, ���ô˺�����, �õ�ԭʼ���ж�Ӧ��TCPͷ����ַ.
+*/
+const void *get_this_layer_header(const struct streaminfo *pstream);
+
+/*
+	CHN : ���ݰ�ͷ��ƫ�ƺ���.
+	ENG : 
+
+	����:
+		raw_data: ��ǰ���ͷ��ָ��;
+		raw_layer_type: ��ǰ��ĵ�ַ����;
+		expect_layer_type: ������ת���ĵ�ַ����;
+
+	����ֵ:
+		NULL: �޴˵�ַ;
+		NON-NULL: ��Ӧ���ͷ����ַ.
+	
+
+	����:
+		���赱ǰ��ΪEthernet, ��ʼ��ͷ��ַΪthis_layer_hdr, ����ת��IPv6��ͷ��:
+		struct ip6_hdr *ip6_header;
+		ip6_header = MESA_net_jump_to_layer(this_layer_hdr, ADDR_TYPE_MAC, ADDR_TYPE_IPV6);
+*/
+const void *MESA_net_jump_to_layer(const void *raw_data,  int raw_layer_type, int expect_layer_type);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/src/inc/stream_inc/stream_tunnel.h b/src/inc/stream_inc/stream_tunnel.h
new file mode 100644
index 0000000..412d0c4
--- /dev/null
+++ b/src/inc/stream_inc/stream_tunnel.h
@@ -0,0 +1,62 @@
+#ifndef _APP_STREAM_TUNNEL_H_
+#define _APP_STREAM_TUNNEL_H_ 1 
+
+#define STREAM_TUNNEL_H_VERSION		(20160830)
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+enum tunnel_link_type_t{
+	TUNNEL_LINK_TYPE_CONTROL = 1, /* ������������� */
+	TUNNEL_LINK_TYPE_DATA 	= 2, /* �������������� */
+};
+
+struct pptp_info{
+	int link_type;
+	int encryt_pro;
+	int authentication_pro;
+};
+
+
+struct l2tp_info{
+	int link_type;
+	int encryt_pro;
+};
+
+struct isakmp_info{
+	unsigned long long init_cookie;
+	unsigned long long resp_cookie;
+	unsigned short encry_algo;
+	unsigned short hash_algo;
+	unsigned short auth_method;
+	unsigned char major_version;
+	unsigned char minor_version;
+};
+
+typedef enum{
+	IPSEC_OPT_IKE_VERSION,  	/* opt_val type must be char ** */
+}ipsec_opt_t;
+
+typedef enum{
+	PPTP_OPT_LINK_TYPE,		/* opt_val type must be char ** */
+	PPTP_OPT_ENCRY_PRO,		/* opt_val type must be char ** */
+	PPTO_OPT_AUTHEN_PRO,		/* opt_val type must be char ** */
+}pptp_opt_t;
+
+typedef enum{
+	L2TP_OPT_LINK_TYPE,		/* opt_val type must be char ** */
+	L2TP_OPT_ENCRY_PRO,		/* opt_val type must be char ** */
+}l2tp_opt_t;
+
+int soq_get_ipsec_info(const struct isakmp_info *ikp_info, ipsec_opt_t opt, void *opt_val, int *opt_val_len);
+
+int soq_get_pptp_info(const struct pptp_info *pptp_info, pptp_opt_t opt, void *opt_val, int *opt_val_len);
+
+int soq_get_l2tp_info(const struct l2tp_info *l2tp_info, l2tp_opt_t opt, void *opt_val, int *opt_val_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif