void RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns) { { double nowTime = ArgusFetchStartTime(ns); if (parser->ArgusLastRecordTime == 0) { parser->ArgusLastRecordTime = nowTime; } else { if (parser->ArgusLastRecordTime > nowTime) parser->RaSortedInput = 0; parser->ArgusLastRecordTime = nowTime; } } ArgusClientTimeout(); switch (ns->hdr.type & 0xF0) { case ARGUS_MAR: case ARGUS_EVENT: case ARGUS_NETFLOW: break; case ARGUS_FAR: { struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX]; if (flow != NULL) { switch(flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_LAYER_3_MATRIX: case ARGUS_FLOW_CLASSIC5TUPLE: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_FLOW_ARP: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_ARP: case ARGUS_TYPE_RARP: { ArgusProcessServiceAvailability(parser, ns); if (ns->status & RA_SVCPASSED) { #ifdef ARGUSDEBUG ArgusDebug (3, "RaProcessRecord (%p, %p) service test failed", parser, ns); #endif RaProcessThisRecord(parser, ns); } break; } } break; } } break; } case ARGUS_FLOW_ARP: { if (RaValidateArpFlowRecord(parser, ns)) { ArgusProcessServiceAvailability(parser, ns); if (ns->status & RA_SVCPASSED) RaProcessThisRecord(parser, ns); } break; } } } break; } } }
void RaProcessRecord (struct ArgusParserStruct *parser, struct ArgusRecordStruct *ns) { switch (ns->hdr.type & 0xF0) { case ARGUS_MAR: case ARGUS_EVENT: { break; } case ARGUS_NETFLOW: case ARGUS_FAR: { struct ArgusFlow *flow = (struct ArgusFlow *) ns->dsrs[ARGUS_FLOW_INDEX]; if (parser->Vflag || parser->Aflag) { ArgusProcessServiceAvailability(parser, ns); if (parser->xflag) { if ((parser->vflag && (ns->status & RA_SVCPASSED)) || (!parser->vflag && (ns->status & RA_SVCFAILED))) { #ifdef ARGUSDEBUG ArgusDebug (3, "RaProcessRecord (0x%x, 0x%x) service test failed", parser, ns); #endif return; } } } if (parser->RaMonMode && (flow != NULL)) { struct ArgusRecordStruct *tns = ArgusCopyRecordStruct(ns); struct ArgusFlow *flow; if ((flow = (void *)ns->dsrs[ARGUS_FLOW_INDEX]) != NULL) { flow->hdr.subtype &= ~ARGUS_REVERSE; flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION; } RaProcessThisRecord(parser, ns); ArgusReverseRecord(tns); if ((flow = (void *)tns->dsrs[ARGUS_FLOW_INDEX]) != NULL) { flow->hdr.subtype &= ~ARGUS_REVERSE; flow->hdr.argus_dsrvl8.qual &= ~ARGUS_DIRECTION; } RaProcessThisRecord(parser, tns); ArgusDeleteRecordStruct(parser, tns); } else { struct ArgusAggregatorStruct *agg = parser->ArgusAggregator; if (flow && agg && agg->ArgusMatrixMode) { if (agg->mask & ((0x01LL << ARGUS_MASK_SADDR) | (0x01LL << ARGUS_MASK_DADDR))) { switch (flow->hdr.subtype & 0x3F) { case ARGUS_FLOW_LAYER_3_MATRIX: case ARGUS_FLOW_CLASSIC5TUPLE: { switch (flow->hdr.argus_dsrvl8.qual & 0x1F) { case ARGUS_TYPE_IPV4: { if (flow->ip_flow.ip_src > flow->ip_flow.ip_dst) ArgusReverseRecord(ns); } break; case ARGUS_TYPE_IPV6: { int i; for (i = 0; i < 4; i++) { if (flow->ipv6_flow.ip_src[i] < flow->ipv6_flow.ip_dst[i]) break; if (flow->ipv6_flow.ip_src[i] > flow->ipv6_flow.ip_dst[i]) { ArgusReverseRecord(ns); break; } } } break; } break; } default: break; } } else if (agg->mask & ((0x01LL << ARGUS_MASK_SMAC) | (0x01LL << ARGUS_MASK_DMAC))) { struct ArgusMacStruct *m1 = NULL; if ((m1 = (struct ArgusMacStruct *) ns->dsrs[ARGUS_MAC_INDEX]) != NULL) { switch (m1->hdr.subtype) { case ARGUS_TYPE_ETHER: { struct ether_header *e1 = &m1->mac.mac_union.ether.ehdr; int i; for (i = 0; i < 6; i++) { #if defined(HAVE_SOLARIS) if (e1->ether_shost.ether_addr_octet[i] < e1->ether_dhost.ether_addr_octet[i]) break; if (e1->ether_shost.ether_addr_octet[i] > e1->ether_dhost.ether_addr_octet[i]) { ArgusReverseRecord(ns); break; } #else if (e1->ether_shost[i] < e1->ether_dhost[i]) break; if (e1->ether_shost[i] > e1->ether_dhost[i]) { ArgusReverseRecord(ns); break; } #endif } break; } } } } } RaProcessThisRecord(parser, ns); } break; } } }