/*
* status = check(rwrec, data, NULL);
*
* Check whether 'rwrec' passes the filter. Return
* SKPLUGIN_FILTER_PASS if it does; SKPLUGIN_FILTER_FAIL otherwise.
*
* Pass when application is non-zero and protocol is TCP or UDP and
* application is not equal to the sPort and the dPort
*/
static skplugin_err_t
check(
const rwRec *rwrec,
void UNUSED(*cbdata),
void UNUSED(**extra))
{
if ((rwRecGetApplication(rwrec) != 0)
&& ((rwRecGetProto(rwrec) == 17)
|| (rwRecGetProto(rwrec) == 6))
&& (rwRecGetApplication(rwrec) != rwRecGetSPort(rwrec))
&& (rwRecGetApplication(rwrec) != rwRecGetDPort(rwrec)))
{
return SKPLUGIN_FILTER_PASS;
}
return SKPLUGIN_FILTER_FAIL;
}
/*
* Process a single input stream (file) of SiLK Flow records: Copy
* the header entries from the input stream to the output stream,
* read the file, fill a Key and Counter for each flow record, and
* add the Key and Counter to the AggBag.
*/
static int
processFile(
skstream_t *stream)
{
sk_aggbag_field_t k_it;
sk_aggbag_field_t c_it;
sk_aggbag_aggregate_t key;
sk_aggbag_aggregate_t counter;
skipaddr_t ip;
rwRec rwrec;
ssize_t rv;
ssize_t err;
/* copy invocation and notes (annotations) from the SiLK Flow
* files to the output stream; these headers will not be written
* to the output if --invocation-strip or --notes-strip was
* specified. */
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_INVOCATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_ANNOTATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
err = SKAGGBAG_OK;
while (SKSTREAM_OK == (rv = skStreamReadRecord(stream, &rwrec))) {
skAggBagInitializeKey(ab, &key, &k_it);
do {
switch (skAggBagFieldIterGetType(&k_it)) {
case SKAGGBAG_FIELD_SIPv6:
case SKAGGBAG_FIELD_SIPv4:
rwRecMemGetSIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_DIPv6:
case SKAGGBAG_FIELD_DIPv4:
rwRecMemGetDIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_NHIPv6:
case SKAGGBAG_FIELD_NHIPv4:
rwRecMemGetNhIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_SPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSPort(&rwrec));
break;
case SKAGGBAG_FIELD_DPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetDPort(&rwrec));
break;
case SKAGGBAG_FIELD_ICMP_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpType(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_ICMP_CODE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpCode(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_PROTO:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetProto(&rwrec));
break;
case SKAGGBAG_FIELD_PACKETS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_BYTES:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlags(&rwrec));
break;
case SKAGGBAG_FIELD_SID:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSensor(&rwrec));
break;
case SKAGGBAG_FIELD_INPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInput(&rwrec));
break;
case SKAGGBAG_FIELD_OUTPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetOutput(&rwrec));
break;
case SKAGGBAG_FIELD_INIT_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInitFlags(&rwrec));
break;
case SKAGGBAG_FIELD_REST_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetRestFlags(&rwrec));
break;
case SKAGGBAG_FIELD_TCP_STATE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecGetTcpState(&rwrec) & SK_TCPSTATE_ATTRIBUTE_MASK));
break;
case SKAGGBAG_FIELD_APPLICATION:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetApplication(&rwrec));
break;
case SKAGGBAG_FIELD_FTYPE_CLASS:
skAggBagAggregateSetUnsigned(
&key, &k_it,
sksiteFlowtypeGetClassID(rwRecGetFlowType(&rwrec)));
break;
case SKAGGBAG_FIELD_FTYPE_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlowType(&rwrec));
break;
case SKAGGBAG_FIELD_STARTTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetStartSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ELAPSED:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetElapsedSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ENDTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetEndSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&k_it) == SK_ITERATOR_OK);
skAggBagInitializeCounter(ab, &counter, &c_it);
do {
switch (skAggBagFieldIterGetType(&c_it)) {
case SKAGGBAG_FIELD_RECORDS:
skAggBagAggregateSetUnsigned(&counter, &c_it, 1);
break;
case SKAGGBAG_FIELD_SUM_BYTES:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_PACKETS:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_ELAPSED:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetElapsedSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&c_it) == SK_ITERATOR_OK);
err = skAggBagKeyCounterAdd(ab, &key, &counter, NULL);
if (err) {
skAppPrintErr("Unable to add to key: %s", skAggBagStrerror(err));
break;
}
}
if (rv != SKSTREAM_ERR_EOF) {
skStreamPrintLastErr(stream, rv, &skAppPrintErr);
return -1;
}
return 0;
}
static void
printRecords(
const rwRec rec[])
{
char starttime[2][RWCOMPARE_BUFSIZ];
uint32_t elapsed[2];
uint32_t sport[2];
uint32_t dport[2];
uint32_t proto[2];
uint32_t flowtype[2];
uint32_t sensor[2];
uint32_t flags[2];
uint32_t initflags[2];
uint32_t restflags[2];
uint32_t tcpstate[2];
uint32_t application[2];
uint32_t memo[2];
uint32_t input[2];
uint32_t output[2];
uint32_t pkts[2];
uint32_t bytes[2];
char sip[2][RWCOMPARE_BUFSIZ];
char dip[2][RWCOMPARE_BUFSIZ];
char nhip[2][RWCOMPARE_BUFSIZ];
skipaddr_t ip;
unsigned i;
for (i = 0; i < 2; ++i) {
sktimestamp_r(
starttime[i], rwRecGetStartTime(&rec[i]), SKTIMESTAMP_EPOCH);
elapsed[i] = rwRecGetElapsed(&rec[i]);
sport[i] = rwRecGetSPort(&rec[i]);
dport[i] = rwRecGetDPort(&rec[i]);
proto[i] = rwRecGetProto(&rec[i]);
flowtype[i] = rwRecGetFlowType(&rec[i]);
sensor[i] = rwRecGetSensor(&rec[i]);
flags[i] = rwRecGetFlags(&rec[i]);
initflags[i] = rwRecGetInitFlags(&rec[i]);
restflags[i] = rwRecGetRestFlags(&rec[i]);
tcpstate[i] = rwRecGetTcpState(&rec[i]);
application[i] = rwRecGetApplication(&rec[i]);
memo[i] = rwRecGetMemo(&rec[i]);
input[i] = rwRecGetInput(&rec[i]);
output[i] = rwRecGetOutput(&rec[i]);
pkts[i] = rwRecGetPkts(&rec[i]);
bytes[i] = rwRecGetBytes(&rec[i]);
rwRecMemGetSIP(&rec[i], &ip);
skipaddrString(sip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetDIP(&rec[i], &ip);
skipaddrString(dip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetNhIP(&rec[i], &ip);
skipaddrString(nhip[i], &ip, SKIPADDR_HEXADECIMAL);
}
compareStrings("StartTime", starttime);
compareNumbers("Elapsed", elapsed);
compareNumbers("SPort", sport);
compareNumbers("DPort", dport);
compareNumbers("Proto", proto);
compareNumbers("FlowType", flowtype);
compareNumbers("Sensor", sensor);
compareNumbers("Flags", flags);
compareNumbers("InitFlags", initflags);
compareNumbers("RestFlags", restflags);
compareNumbers("TcpState", tcpstate);
compareNumbers("Application", application);
compareNumbers("Memo", memo);
compareNumbers("Input", input);
compareNumbers("Output", output);
compareNumbers("Pkts", pkts);
compareNumbers("Bytes", bytes);
compareStrings("SIP", sip);
compareStrings("DIP", dip);
compareStrings("NhIP", nhip);
}
