/*
* status = recToBin(rwrec, bin_val, &index, NULL);
*
* Given the SiLK Flow record 'rwrec', lookup the Address Type
* specified by '*index', and write a binary representation of
* that value into 'bin_val'.
*/
static skplugin_err_t
recToBin(
const rwRec *rwrec,
uint8_t *bin_value,
void *idx,
void UNUSED(**extra))
{
skipaddr_t addr;
uint32_t code;
switch (*((unsigned int*)(idx))) {
case ADDRTYPE_STYPE:
rwRecMemGetSIP(rwrec, &addr);
break;
case ADDRTYPE_DTYPE:
rwRecMemGetDIP(rwrec, &addr);
break;
default:
return SKPLUGIN_ERR_FATAL;
}
code = skPrefixMapFindValue(addrtype_map, &addr);
*bin_value = (uint8_t)code;
return SKPLUGIN_OK;
}
/*
* status = recToText(rwrec, text_val, text_len, &index, NULL);
*
* Given the SiLK Flow record 'rwrec', lookup the Country Code
* specified by '*index', and write a textual representation of
* that value into 'text_val', a buffer of 'text_len' characters.
*/
static skplugin_err_t
recToText(
const rwRec *rwrec,
char *text_value,
size_t text_size,
void *idx,
void UNUSED(**extra))
{
skipaddr_t addr;
uint32_t code;
switch (*((unsigned int*)(idx))) {
case ADDRTYPE_STYPE:
rwRecMemGetSIP(rwrec, &addr);
break;
case ADDRTYPE_DTYPE:
rwRecMemGetDIP(rwrec, &addr);
break;
default:
return SKPLUGIN_ERR_FATAL;
}
code = skPrefixMapFindValue(addrtype_map, &addr);
snprintf(text_value, text_size, ("%" PRIu32), code);
return SKPLUGIN_OK;
}
static void
externalIp(
skipaddr_t *return_value,
const rwRec *rec)
{
if (skBitmapGetBit(incoming_flowtypes, rwRecGetFlowType(rec))) {
/* flow is incoming, so source is external */
rwRecMemGetSIP(rec, return_value);
return;
}
if (skBitmapGetBit(outgoing_flowtypes, rwRecGetFlowType(rec))) {
/* flow is outgoing, so destination is external */
rwRecMemGetDIP(rec, return_value);
return;
}
/* set value to 0. */
skipaddrClear(return_value);
}
/*
* This function is used to convert from an rwrec to a binary value
* for sorting or determining unique values.
*/
static skplugin_err_t
pmap_bin_fn(
const rwRec *rec,
uint8_t *dest,
void *data,
void UNUSED(**extra))
{
directed_pmap_data_t *dir_data = (directed_pmap_data_t *)data;
pmap_data_t *pmap_data = dir_data->data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
uint32_t code;
if (SKPREFIXMAP_CONT_PROTO_PORT == pmap_data->type) {
pp.proto = rwRecGetProto(rec);
switch (dir_data->dir) {
case DIR_SOURCE:
pp.port = rwRecGetSPort(rec);
break;
case DIR_DEST:
pp.port = rwRecGetDPort(rec);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
code = htonl(skPrefixMapFindValue(pmap_data->pmap, &pp));
} else {
switch (dir_data->dir) {
case DIR_SOURCE:
rwRecMemGetSIP(rec, &addr);
break;
case DIR_DEST:
rwRecMemGetDIP(rec, &addr);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
code = htonl(skPrefixMapFindValue(pmap_data->pmap, &addr));
}
memcpy(dest, &code, sizeof(code));
return SKPLUGIN_OK;
}
/*
* This function is used to convert from an rwrec to a text value for
* a field.
*/
static skplugin_err_t
pmap_text_fn(
const rwRec *rec,
char *dest,
size_t width,
void *data,
void UNUSED(**extra))
{
directed_pmap_data_t *dir_data = (directed_pmap_data_t *)data;
pmap_data_t *pmap_data = dir_data->data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
int rv;
if (SKPREFIXMAP_CONT_PROTO_PORT == pmap_data->type) {
pp.proto = rwRecGetProto(rec);
switch (dir_data->dir) {
case DIR_SOURCE:
pp.port = rwRecGetSPort(rec);
break;
case DIR_DEST:
pp.port = rwRecGetDPort(rec);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
rv = skPrefixMapFindString(pmap_data->pmap, &pp, dest, width);
} else {
switch (dir_data->dir) {
case DIR_SOURCE:
rwRecMemGetSIP(rec, &addr);
break;
case DIR_DEST:
rwRecMemGetDIP(rec, &addr);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
rv = skPrefixMapFindString(pmap_data->pmap, &addr, dest, width);
}
return (rv >= 0) ? SKPLUGIN_OK : SKPLUGIN_ERR;
}
/*
* status = addrtypeFilter(rwrec, data, NULL);
*
* The function implements filtering for the plugin. Returns
* SKPLUGIN_FILTER_PASS if the record passes the filter,
* SKPLUGIN_FILTER_FAIL if it fails the filter.
*/
static skplugin_err_t
addrtypeFilter(
const rwRec *rwrec,
void *idx,
void UNUSED(**extra))
{
skipaddr_t addr;
uint32_t code;
uint32_t wanted;
switch (*((unsigned int*)(idx))) {
case ADDRTYPE_STYPE:
rwRecMemGetSIP(rwrec, &addr);
wanted = stype;
break;
case ADDRTYPE_DTYPE:
rwRecMemGetDIP(rwrec, &addr);
wanted = dtype;
break;
default:
return SKPLUGIN_ERR_FATAL;
}
code = skPrefixMapFindValue(addrtype_map, &addr);
/* Given that this IP returns 'code', see how this compare against
* what the user wanted. */
if (ADDRTYPE_NONINTERNAL == wanted) {
/* anything except internal is fine */
if (ADDRTYPE_INTERNAL == code) {
return SKPLUGIN_FILTER_FAIL;
}
} else if (wanted != code) {
return SKPLUGIN_FILTER_FAIL;
}
return SKPLUGIN_FILTER_PASS;
}
/*
* Process a single input stream (file) of SiLK Flow records: Copy
* the header entries from the input stream to the output stream,
* read the file, fill a Key and Counter for each flow record, and
* add the Key and Counter to the AggBag.
*/
static int
processFile(
skstream_t *stream)
{
sk_aggbag_field_t k_it;
sk_aggbag_field_t c_it;
sk_aggbag_aggregate_t key;
sk_aggbag_aggregate_t counter;
skipaddr_t ip;
rwRec rwrec;
ssize_t rv;
ssize_t err;
/* copy invocation and notes (annotations) from the SiLK Flow
* files to the output stream; these headers will not be written
* to the output if --invocation-strip or --notes-strip was
* specified. */
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_INVOCATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_ANNOTATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
err = SKAGGBAG_OK;
while (SKSTREAM_OK == (rv = skStreamReadRecord(stream, &rwrec))) {
skAggBagInitializeKey(ab, &key, &k_it);
do {
switch (skAggBagFieldIterGetType(&k_it)) {
case SKAGGBAG_FIELD_SIPv6:
case SKAGGBAG_FIELD_SIPv4:
rwRecMemGetSIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_DIPv6:
case SKAGGBAG_FIELD_DIPv4:
rwRecMemGetDIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_NHIPv6:
case SKAGGBAG_FIELD_NHIPv4:
rwRecMemGetNhIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_SPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSPort(&rwrec));
break;
case SKAGGBAG_FIELD_DPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetDPort(&rwrec));
break;
case SKAGGBAG_FIELD_ICMP_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpType(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_ICMP_CODE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpCode(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_PROTO:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetProto(&rwrec));
break;
case SKAGGBAG_FIELD_PACKETS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_BYTES:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlags(&rwrec));
break;
case SKAGGBAG_FIELD_SID:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSensor(&rwrec));
break;
case SKAGGBAG_FIELD_INPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInput(&rwrec));
break;
case SKAGGBAG_FIELD_OUTPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetOutput(&rwrec));
break;
case SKAGGBAG_FIELD_INIT_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInitFlags(&rwrec));
break;
case SKAGGBAG_FIELD_REST_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetRestFlags(&rwrec));
break;
case SKAGGBAG_FIELD_TCP_STATE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecGetTcpState(&rwrec) & SK_TCPSTATE_ATTRIBUTE_MASK));
break;
case SKAGGBAG_FIELD_APPLICATION:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetApplication(&rwrec));
break;
case SKAGGBAG_FIELD_FTYPE_CLASS:
skAggBagAggregateSetUnsigned(
&key, &k_it,
sksiteFlowtypeGetClassID(rwRecGetFlowType(&rwrec)));
break;
case SKAGGBAG_FIELD_FTYPE_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlowType(&rwrec));
break;
case SKAGGBAG_FIELD_STARTTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetStartSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ELAPSED:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetElapsedSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ENDTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetEndSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&k_it) == SK_ITERATOR_OK);
skAggBagInitializeCounter(ab, &counter, &c_it);
do {
switch (skAggBagFieldIterGetType(&c_it)) {
case SKAGGBAG_FIELD_RECORDS:
skAggBagAggregateSetUnsigned(&counter, &c_it, 1);
break;
case SKAGGBAG_FIELD_SUM_BYTES:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_PACKETS:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_ELAPSED:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetElapsedSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&c_it) == SK_ITERATOR_OK);
err = skAggBagKeyCounterAdd(ab, &key, &counter, NULL);
if (err) {
skAppPrintErr("Unable to add to key: %s", skAggBagStrerror(err));
break;
}
}
if (rv != SKSTREAM_ERR_EOF) {
skStreamPrintLastErr(stream, rv, &skAppPrintErr);
return -1;
}
return 0;
}
/*
* skplugin_err_t pmap_filter(rwRec *rwrec, void *data, void **extra);
*
* The function actually used to implement filtering for the filter
* plugin. Returns SKPLUGIN_FILTER_PASS if the record passes the
* filter, SKPLUGIN_FILTER_FAIL if it fails the filter.
*/
static skplugin_err_t
pmap_filter_fn(
const rwRec *rwrec,
void *data,
void UNUSED(**extra))
{
pmap_data_t *pmap_data = (pmap_data_t *)data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
uint32_t code;
assert(ignore_prefix_map == 0);
switch (pmap_data->type) {
case SKPREFIXMAP_CONT_ADDR_V4:
case SKPREFIXMAP_CONT_ADDR_V6:
if (pmap_data->sdir.val_bitmap) {
rwRecMemGetSIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->sdir.val_bitmap,
pmap_data->sdir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->ddir.val_bitmap) {
rwRecMemGetDIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->ddir.val_bitmap,
pmap_data->ddir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->adir.val_bitmap) {
rwRecMemGetSIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
rwRecMemGetDIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
}
return SKPLUGIN_FILTER_PASS; /* Accept */
case SKPREFIXMAP_CONT_PROTO_PORT:
pp.proto = rwRecGetProto(rwrec);
if (pmap_data->sdir.val_bitmap) {
pp.port = rwRecGetSPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->sdir.val_bitmap,
pmap_data->sdir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->ddir.val_bitmap) {
pp.port = rwRecGetDPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->ddir.val_bitmap,
pmap_data->ddir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->adir.val_bitmap) {
pp.port = rwRecGetSPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
pp.port = rwRecGetDPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
}
return SKPLUGIN_FILTER_PASS; /* Accept */
}
/* Unknown type: Accept all */
return SKPLUGIN_FILTER_PASS; /* NOTREACHED */
}
static void
printRecords(
const rwRec rec[])
{
char starttime[2][RWCOMPARE_BUFSIZ];
uint32_t elapsed[2];
uint32_t sport[2];
uint32_t dport[2];
uint32_t proto[2];
uint32_t flowtype[2];
uint32_t sensor[2];
uint32_t flags[2];
uint32_t initflags[2];
uint32_t restflags[2];
uint32_t tcpstate[2];
uint32_t application[2];
uint32_t memo[2];
uint32_t input[2];
uint32_t output[2];
uint32_t pkts[2];
uint32_t bytes[2];
char sip[2][RWCOMPARE_BUFSIZ];
char dip[2][RWCOMPARE_BUFSIZ];
char nhip[2][RWCOMPARE_BUFSIZ];
skipaddr_t ip;
unsigned i;
for (i = 0; i < 2; ++i) {
sktimestamp_r(
starttime[i], rwRecGetStartTime(&rec[i]), SKTIMESTAMP_EPOCH);
elapsed[i] = rwRecGetElapsed(&rec[i]);
sport[i] = rwRecGetSPort(&rec[i]);
dport[i] = rwRecGetDPort(&rec[i]);
proto[i] = rwRecGetProto(&rec[i]);
flowtype[i] = rwRecGetFlowType(&rec[i]);
sensor[i] = rwRecGetSensor(&rec[i]);
flags[i] = rwRecGetFlags(&rec[i]);
initflags[i] = rwRecGetInitFlags(&rec[i]);
restflags[i] = rwRecGetRestFlags(&rec[i]);
tcpstate[i] = rwRecGetTcpState(&rec[i]);
application[i] = rwRecGetApplication(&rec[i]);
memo[i] = rwRecGetMemo(&rec[i]);
input[i] = rwRecGetInput(&rec[i]);
output[i] = rwRecGetOutput(&rec[i]);
pkts[i] = rwRecGetPkts(&rec[i]);
bytes[i] = rwRecGetBytes(&rec[i]);
rwRecMemGetSIP(&rec[i], &ip);
skipaddrString(sip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetDIP(&rec[i], &ip);
skipaddrString(dip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetNhIP(&rec[i], &ip);
skipaddrString(nhip[i], &ip, SKIPADDR_HEXADECIMAL);
}
compareStrings("StartTime", starttime);
compareNumbers("Elapsed", elapsed);
compareNumbers("SPort", sport);
compareNumbers("DPort", dport);
compareNumbers("Proto", proto);
compareNumbers("FlowType", flowtype);
compareNumbers("Sensor", sensor);
compareNumbers("Flags", flags);
compareNumbers("InitFlags", initflags);
compareNumbers("RestFlags", restflags);
compareNumbers("TcpState", tcpstate);
compareNumbers("Application", application);
compareNumbers("Memo", memo);
compareNumbers("Input", input);
compareNumbers("Output", output);
compareNumbers("Pkts", pkts);
compareNumbers("Bytes", bytes);
compareStrings("SIP", sip);
compareStrings("DIP", dip);
compareStrings("NhIP", nhip);
}
