Beispiel #1
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
augsnmpoutioRecordUnpack_V4(
    skstream_t         *stream,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    /* swap if required */
    if (stream->swapFlag) {
        augsnmpoutioRecordSwap_V4(ar);
    }

    /* sTime, elapsed, pkts, bytes, proto, tcp-flags, state, application */
    rwpackUnpackFlagsTimesVolumes(rwrec, ar, stream->hdr_starttime, 16, 0);

    /* sPort, dPort */
    rwRecMemSetSPort(rwrec, &ar[16]);
    rwRecMemSetDPort(rwrec, &ar[18]);

    /* sIP, dIP */
    rwRecMemSetSIPv4(rwrec, &ar[20]);
    rwRecMemSetDIPv4(rwrec, &ar[24]);

    /* output */
    rwRecMemSetOutput(rwrec, &ar[28]);

    /* sensor, flow_type from file name/header */
    rwRecSetSensor(rwrec, stream->hdr_sensor);
    rwRecSetFlowType(rwrec, stream->hdr_flowtype);

    return SKSTREAM_OK;
}
Beispiel #2
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
genericioRecordUnpack_V3(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t quot;
    uint16_t rem;

    /* swap if required */
    if (rwIOS->swapFlag) {
        genericioRecordSwap_V3(ar);
    }

    /* sIP, dIP, sPort, dPort, nhIP, input, output */
    rwRecMemSetSIPv4(rwrec, &ar[0]);
    rwRecMemSetDIPv4(rwrec, &ar[4]);
    rwRecMemSetSPort(rwrec, &ar[8]);
    rwRecMemSetDPort(rwrec, &ar[10]);
    rwRecMemSetNhIPv4(rwrec, &ar[12]);
    rwRecMemSetInput(rwrec, &ar[16]);
    rwRecMemSetOutput(rwrec, &ar[18]);

    /* sTime, sTime_msec */
    memcpy(&quot, &ar[20], 4);
    memcpy(&rem, &ar[48], 2);
    rwRecSetStartTime(rwrec, sktimeCreate(quot, rem));

    /* elapsed, elapsed_msec */
    memcpy(&quot, &ar[24], 4);
    memcpy(&rem, &ar[50], 2);
    rwRecSetElapsed(rwrec, (1000 * quot + rem));

    /* pkts, bytes */
    rwRecMemSetPkts(rwrec, &ar[28]);
    rwRecMemSetBytes(rwrec, &ar[32]);

    /* proto, flowtype, sensor, flags, init_flags, rest_flags, tcp_state */
    rwRecMemSetProto(rwrec, &ar[36]);
    rwRecMemSetFlowType(rwrec, &ar[37]);
    rwRecMemSetSensor(rwrec, &ar[38]);
    rwRecMemSetFlags(rwrec, &ar[40]);
    rwRecMemSetInitFlags(rwrec, &ar[41]);
    rwRecMemSetRestFlags(rwrec, &ar[42]);
    rwRecMemSetTcpState(rwrec, &ar[43]);

    /* bpp field no longer exists */
    /* sTime_msec (above), elapsed_msec (above) */

    /* application */
    rwRecMemSetApplication(rwrec, &ar[52]);

    RWREC_MAYBE_CLEAR_TCPSTATE_EXPANDED(rwrec);

    return SKSTREAM_OK;
}
Beispiel #3
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
ipv6ioRecordUnpack_V2(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t ip;

    /* swap if required */
    if (rwIOS->swapFlag) {
        ipv6ioRecordSwap_V2(ar);
    }

    /* Start time, TCP flags, Protocol, TCP State */
    rwpackUnpackTimesFlagsProto(rwrec, ar, rwIOS->hdr_starttime);

    /* application */
    rwRecMemSetApplication(rwrec, &ar[ 6]);

    /* sPort, dPort */
    rwRecMemSetSPort(rwrec, &ar[ 8]);
    rwRecMemSetDPort(rwrec, &ar[10]);

    /* Elapsed */
    rwRecMemSetElapsed(rwrec, &ar[12]);

    /* packets, bytes */
    rwRecMemSetPkts(rwrec,  &ar[16]);
    rwRecMemSetBytes(rwrec, &ar[20]);

    /* sIP, dIP */
    if (ar[5] & 0x80) {
        /* Record is IPv6 */
#if !SK_ENABLE_IPV6
        return SKSTREAM_ERR_UNSUPPORT_IPV6;
#else
        rwRecSetIPv6(rwrec);
        rwRecMemSetSIPv6(rwrec, &ar[24]);
        rwRecMemSetDIPv6(rwrec, &ar[40]);
#endif /* SK_ENABLE_IPV6 */
    } else {
        /* Record is IPv4 */
        memcpy(&ip, &ar[24+12], sizeof(ip));
        rwRecSetSIPv4(rwrec, ntohl(ip));

        memcpy(&ip, &ar[40+12], sizeof(ip));
        rwRecSetDIPv4(rwrec, ntohl(ip));
    }

    /* sensor, flow_type from file name/header */
    rwRecSetSensor(rwrec, rwIOS->hdr_sensor);
    rwRecSetFlowType(rwrec, rwIOS->hdr_flowtype);

    return SKSTREAM_OK;
}
Beispiel #4
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
ipv6ioRecordUnpack_V1(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t ip;

    /* swap if required */
    if (rwIOS->swapFlag) {
        ipv6ioRecordSwap_V1(ar);
    }

    rwRecMemSetStartTime(rwrec, &ar[0]);
    rwRecMemSetElapsed(rwrec, &ar[8]);
    rwRecMemSetSPort(rwrec, &ar[12]);
    rwRecMemSetDPort(rwrec, &ar[14]);
    rwRecMemSetProto(rwrec, &ar[16]);
    rwRecMemSetFlowType(rwrec, &ar[17]);
    rwRecMemSetSensor(rwrec, &ar[18]);
    rwRecMemSetFlags(rwrec, &ar[20]);
    rwRecMemSetInitFlags(rwrec, &ar[21]);
    rwRecMemSetRestFlags(rwrec, &ar[22]);
    rwRecMemSetTcpState(rwrec, &ar[23]);
    rwRecMemSetApplication(rwrec, &ar[24]);
    rwRecMemSetMemo(rwrec, &ar[26]);
    rwRecMemSetPkts(rwrec, &ar[28]);
    rwRecMemSetBytes(rwrec, &ar[32]);

    if (ar[23] & 0x80) {
        /* Record is IPv6 */
#if !SK_ENABLE_IPV6
        return SKSTREAM_ERR_UNSUPPORT_IPV6;
#else
        rwRecSetIPv6(rwrec);
        rwRecMemSetSIPv6(rwrec, &ar[36]);
        rwRecMemSetDIPv6(rwrec, &ar[52]);
#endif /* SK_ENABLE_IPV6 */
    } else {
        /* Record is IPv4 */

        /* sIP */
        memcpy(&ip, &ar[48], sizeof(ip));
        rwRecSetSIPv4(rwrec, ntohl(ip));

        /* dIP */
        memcpy(&ip, &ar[64], sizeof(ip));
        rwRecSetDIPv4(rwrec, ntohl(ip));
    }

    RWREC_MAYBE_CLEAR_TCPSTATE_EXPANDED(rwrec);

    return SKSTREAM_OK;
}
Beispiel #5
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
genericioRecordUnpack_V2(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t tmp32;

    /* swap if required */
    if (rwIOS->swapFlag) {
        genericioRecordSwap_V2(ar);
    }

    /* sIP, dIP, sPort, dPort, nhIP, input, output */
    rwRecMemSetSIPv4(rwrec, &ar[0]);
    rwRecMemSetDIPv4(rwrec, &ar[4]);
    rwRecMemSetSPort(rwrec, &ar[8]);
    rwRecMemSetDPort(rwrec, &ar[10]);
    rwRecMemSetNhIPv4(rwrec, &ar[12]);
    rwRecMemSetInput(rwrec, &ar[16]);
    rwRecMemSetOutput(rwrec, &ar[18]);

    /* sTime, elapsed */
    memcpy(&tmp32, &ar[20], 4);
    rwRecSetStartTime(rwrec, sktimeCreate(tmp32, 0));
    memcpy(&tmp32, &ar[24], 4);
    rwRecSetElapsed(rwrec, (1000 * tmp32));

    /* pkts, bytes */
    rwRecMemSetPkts(rwrec, &ar[28]);
    rwRecMemSetBytes(rwrec, &ar[32]);

    /* proto, flow_type, sID, flags, init_flags, rest_flags, tcp_state */
    rwRecMemSetProto(rwrec, &ar[36]);
    rwRecMemSetFlowType(rwrec, &ar[37]);
    rwRecMemSetSensor(rwrec, &ar[38]);
    rwRecMemSetFlags(rwrec, &ar[40]);
    rwRecMemSetInitFlags(rwrec, &ar[41]);
    rwRecMemSetRestFlags(rwrec, &ar[42]);
    rwRecMemSetTcpState(rwrec, &ar[43]);

    /* bpp field no longer exists */

    RWREC_MAYBE_CLEAR_TCPSTATE_EXPANDED(rwrec);

    return SKSTREAM_OK;
}
Beispiel #6
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
augsnmpoutioRecordUnpack_V1(
    skstream_t         *stream,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t msec_flags;
    uint8_t is_tcp, prot_flags;

    /* swap if required */
    if (stream->swapFlag) {
        augsnmpoutioRecordSwap_V1(ar);
    }

    /* sIP, dIP, sPort, dPort */
    rwRecMemSetSIPv4(rwrec, &ar[0]);
    rwRecMemSetDIPv4(rwrec, &ar[4]);
    rwRecMemSetSPort(rwrec, &ar[8]);
    rwRecMemSetDPort(rwrec, &ar[10]);

    /* msec times, proto or flags */
    memcpy(&msec_flags, &ar[20], 4);

    /* application */
    rwRecMemSetApplication(rwrec, &ar[24]);

    /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */
    rwpackUnpackTimeBytesPktsFlags(rwrec, stream->hdr_starttime,
                                   (uint32_t*)&ar[12], (uint32_t*)&ar[16],
                                   &msec_flags);

    /* extra TCP information */
    is_tcp = (uint8_t)GET_MASKED_BITS(msec_flags, 10, 1);
    prot_flags = (uint8_t)GET_MASKED_BITS(msec_flags, 0, 8);
    rwpackUnpackProtoFlags(rwrec, is_tcp, prot_flags, ar[26], ar[27]);

    /* output interfaces */
    rwRecMemSetOutput(rwrec, &ar[28]);

    /* sensor, flow_type from file name/header */
    rwRecSetSensor(rwrec, stream->hdr_sensor);
    rwRecSetFlowType(rwrec, stream->hdr_flowtype);

    return SKSTREAM_OK;
}
Beispiel #7
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
genericioRecordUnpack_V1(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    uint32_t tmp32;

    /* swap if required */
    if (rwIOS->swapFlag) {
        genericioRecordSwap_V1(ar);
    }

    /* sIP, dIP, sPort, dPort */
    rwRecMemSetSIPv4(rwrec, &ar[0]);
    rwRecMemSetDIPv4(rwrec, &ar[4]);
    rwRecMemSetSPort(rwrec, &ar[8]);
    rwRecMemSetDPort(rwrec, &ar[10]);

    /* proto, flags, input, output */
    rwRecSetProto(rwrec, ar[12]);
    rwRecSetFlags(rwrec, ar[13]);
    rwRecSetInput(rwrec, ar[14]);
    rwRecSetOutput(rwrec, ar[15]);

    /* nhIP */
    rwRecMemSetNhIPv4(rwrec, &ar[16]);

    /* sTime */
    memcpy(&tmp32, &ar[20], 4);
    rwRecSetStartTime(rwrec, sktimeCreate(tmp32, 0));

    /* pkts, bytes */
    rwRecMemSetPkts(rwrec, &ar[24]);
    rwRecMemSetBytes(rwrec, &ar[28]);

    /* elapsed */
    memcpy(&tmp32, &ar[32], 4);
    rwRecSetElapsed(rwrec, (1000 * tmp32));

    /* sID */
    rwRecSetSensor(rwrec, ar[36]);

    return SKSTREAM_OK;
}
Beispiel #8
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
augsnmpoutioRecordUnpack_V5(
    skstream_t         *stream,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    /* swap if required */
    if (stream->swapFlag) {
        augsnmpoutioRecordSwap_V5(ar);
    }

    /* Start time, TCP flags, Protocol, TCP State */
    rwpackUnpackTimesFlagsProto(rwrec, ar, stream->hdr_starttime);

    /* application */
    rwRecMemSetApplication(rwrec, &ar[ 6]);

    /* sPort, dPort */
    rwRecMemSetSPort(rwrec, &ar[ 8]);
    rwRecMemSetDPort(rwrec, &ar[10]);

    /* Elapsed */
    rwRecMemSetElapsed(rwrec, &ar[12]);

    /* packets, bytes */
    rwRecMemSetPkts(rwrec,  &ar[16]);
    rwRecMemSetBytes(rwrec, &ar[20]);

    /* sIP, dIP */
    rwRecMemSetSIPv4(rwrec, &ar[24]);
    rwRecMemSetDIPv4(rwrec, &ar[28]);

    /* output */
    rwRecMemSetOutput(rwrec, &ar[32]);

    /* sensor, flow_type from file name/header */
    rwRecSetSensor(rwrec, stream->hdr_sensor);
    rwRecSetFlowType(rwrec, stream->hdr_flowtype);

    return SKSTREAM_OK;
}
Beispiel #9
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
genericioRecordUnpack_V5(
    skstream_t         *rwIOS,
    rwGenericRec_V5    *rwrec,
    uint8_t            *ar)
{
    /* swap if required */
    if (rwIOS->swapFlag) {
        genericioRecordSwap_V5(ar);
    }

#if  !SK_ENABLE_IPV6
    memcpy(rwrec, ar, RECLEN_RWGENERIC_V5);
#else
    rwRecMemSetStartTime(rwrec, &ar[0]);
    rwRecMemSetElapsed(rwrec, &ar[8]);
    rwRecMemSetSPort(rwrec, &ar[12]);
    rwRecMemSetDPort(rwrec, &ar[14]);
    rwRecMemSetProto(rwrec, &ar[16]);
    rwRecMemSetFlowType(rwrec, &ar[17]);
    rwRecMemSetSensor(rwrec, &ar[18]);
    rwRecMemSetFlags(rwrec, &ar[20]);
    rwRecMemSetInitFlags(rwrec, &ar[21]);
    rwRecMemSetRestFlags(rwrec, &ar[22]);
    rwRecMemSetTcpState(rwrec, &ar[23]);
    rwRecMemSetApplication(rwrec, &ar[24]);
    rwRecMemSetMemo(rwrec, &ar[26]);
    rwRecMemSetInput(rwrec, &ar[28]);
    rwRecMemSetOutput(rwrec, &ar[30]);
    rwRecMemSetPkts(rwrec, &ar[32]);
    rwRecMemSetBytes(rwrec, &ar[36]);
    rwRecMemSetSIPv4(rwrec, &ar[40]);
    rwRecMemSetDIPv4(rwrec, &ar[44]);
    rwRecMemSetNhIPv4(rwrec, &ar[48]);
#endif

    RWREC_MAYBE_CLEAR_TCPSTATE_EXPANDED(rwrec);

    return SKSTREAM_OK;
}
Beispiel #10
0
/*
 *  Unpack the array of bytes 'ar' into a record 'rwrec'
 */
static int
ipv6routingioRecordUnpack_V3(
    skstream_t         *stream,
    rwRec              *rwrec,
    uint8_t            *ar)
{
    uint32_t u32;
    uint64_t u64;

#if !SK_ENABLE_IPV6
    if (ar[23] & 0x80) {
        /* Record is IPv6 */
        return SKSTREAM_ERR_UNSUPPORT_IPV6;
    }
#endif

    /* swap if required */
    if (stream->swapFlag) {
        ipv6routingioRecordSwap_V3(ar);
    }

    rwRecMemSetStartTime(rwrec, &ar[0]);
    rwRecMemSetElapsed(rwrec, &ar[8]);
    rwRecMemSetSPort(rwrec, &ar[12]);
    rwRecMemSetDPort(rwrec, &ar[14]);
    rwRecMemSetProto(rwrec, &ar[16]);
    rwRecMemSetFlowType(rwrec, &ar[17]);
    rwRecMemSetSensor(rwrec, &ar[18]);
    rwRecMemSetFlags(rwrec, &ar[20]);
    rwRecMemSetInitFlags(rwrec, &ar[21]);
    rwRecMemSetRestFlags(rwrec, &ar[22]);
    rwRecMemSetTcpState(rwrec, &ar[23]);
    rwRecMemSetApplication(rwrec, &ar[24]);
    rwRecMemSetMemo(rwrec, &ar[26]);

    /* Input; set to UINT16_MAX if too large */
    memcpy(&u32, &ar[28], sizeof(u32));
    if (u32 > UINT16_MAX) {
        rwRecSetInput(rwrec, UINT16_MAX);
    } else {
        rwRecSetInput(rwrec, (uint16_t)u32);
    }

    /* Packets; set to UINT32_MAX if too large */
    memcpy(&u64, &ar[32], sizeof(u64));
    if (u64 > UINT32_MAX) {
        rwRecSetPkts(rwrec, UINT32_MAX);
    } else {
        rwRecSetPkts(rwrec, (uint32_t)u64);
    }

    /* Bytes; set to UINT32_MAX if too large */
    memcpy(&u64, &ar[40], sizeof(u64));
    if (u64 > UINT32_MAX) {
        rwRecSetBytes(rwrec, UINT32_MAX);
    } else {
        rwRecSetBytes(rwrec, (uint32_t)u64);
    }

    /* Output; set to UINT16_MAX if too large */
    memcpy(&u32, &ar[96], sizeof(u32));
    if (u32 > UINT16_MAX) {
        rwRecSetOutput(rwrec, UINT16_MAX);
    } else {
        rwRecSetOutput(rwrec, (uint16_t)u32);
    }

#if SK_ENABLE_IPV6
    if (ar[23] & 0x80) {
        /* Record is IPv6 */
        rwRecSetIPv6(rwrec);
        rwRecMemSetSIPv6(rwrec, &ar[48]);
        rwRecMemSetDIPv6(rwrec, &ar[64]);
        rwRecMemSetNhIPv6(rwrec, &ar[80]);
    } else
#endif  /* SK_ENABLE_IPV6 */
    {
        /* Record is IPv4, but data encoded as IPv6 */
        uint32_t ip;

        /* sIP */
        memcpy(&ip, &ar[60], sizeof(ip));
        rwRecSetSIPv4(rwrec, ntohl(ip));

        /* dIP */
        memcpy(&ip, &ar[76], sizeof(ip));
        rwRecSetDIPv4(rwrec, ntohl(ip));

        /* nhIP */
        memcpy(&ip, &ar[92], sizeof(ip));
        rwRecSetNhIPv4(rwrec, ntohl(ip));
    }

    /*
     * No need for this; file format is post SiLK-3.6.0
     * RWREC_MAYBE_CLEAR_TCPSTATE_EXPANDED(rwrec);
     */

    return SKSTREAM_OK;
}