/*
* status = check(rwrec, data, NULL);
*
* Check whether 'rwrec' passes the filter. Return
* SKPLUGIN_FILTER_PASS if it does; SKPLUGIN_FILTER_FAIL otherwise.
*
* Pass when application is non-zero and protocol is TCP or UDP and
* application is not equal to the sPort and the dPort
*/
static skplugin_err_t
check(
const rwRec *rwrec,
void UNUSED(*cbdata),
void UNUSED(**extra))
{
if ((rwRecGetApplication(rwrec) != 0)
&& ((rwRecGetProto(rwrec) == 17)
|| (rwRecGetProto(rwrec) == 6))
&& (rwRecGetApplication(rwrec) != rwRecGetSPort(rwrec))
&& (rwRecGetApplication(rwrec) != rwRecGetDPort(rwrec)))
{
return SKPLUGIN_FILTER_PASS;
}
return SKPLUGIN_FILTER_FAIL;
}
/*
* Pack the record 'rwrec' into an array of bytes 'ar'
*/
static int
genericioRecordPack_V1(
skstream_t *rwIOS,
const rwGenericRec_V5 *rwrec,
uint8_t *ar)
{
uint32_t tmp32;
/* Check sizes of fields we've expanded in later versions */
if (rwRecGetInput(rwrec) > 255 || rwRecGetOutput(rwrec) > 255) {
return SKSTREAM_ERR_SNMP_OVRFLO;
}
/* Check sizes of fields we've expanded in later versions */
if (rwRecGetSensor(rwrec) > 255) {
return SKSTREAM_ERR_SENSORID_OVRFLO;
}
/* sIP, dIP, sPort, dPort */
rwRecMemGetSIPv4(rwrec, &ar[0]);
rwRecMemGetDIPv4(rwrec, &ar[4]);
rwRecMemGetSPort(rwrec, &ar[8]);
rwRecMemGetDPort(rwrec, &ar[10]);
/* proto, flags, input, output */
ar[12] = rwRecGetProto(rwrec);
ar[13] = rwRecGetFlags(rwrec);
ar[14] = (uint8_t)rwRecGetInput(rwrec);
ar[15] = (uint8_t)rwRecGetOutput(rwrec);
/* nhIP */
rwRecMemGetNhIPv4(rwrec, &ar[16]);
/* sTime */
tmp32 = (uint32_t)(rwRecGetStartTime(rwrec) / 1000);
memcpy(&ar[20], &tmp32, 4);
/* pkts, bytes */
rwRecMemGetPkts(rwrec, &ar[24]);
rwRecMemGetBytes(rwrec, &ar[28]);
/* elapsed */
tmp32 = rwRecGetElapsed(rwrec) / 1000;
memcpy(&ar[32], &tmp32, 4);
/* sID */
ar[36] = (uint8_t)rwRecGetSensor(rwrec);
/* clear padding if present (for consistent output) */
if (rwIOS->recLen == 40) {
memset(&ar[37], 0, 3);
}
/* swap if required */
if (rwIOS->swapFlag) {
genericioRecordSwap_V1(ar);
}
return SKSTREAM_OK;
}
/*
* payload = getPayload(rwrec);
*
* Compute the bytes of payload contained in 'rwrec' by multiplying
* the number of packets by the packet overhead and subtracting
* that from the byte count. Return 0 if that value would be
* negative.
*
* This function assumes minimal packet headers---that is, there
* are no options in the packets. For TCP, assumes there are no
* TCP timestamps in the packet. The returned value will be the
* maximum possible bytes of payload.
*/
static uint64_t
getPayload(
const rwRec *rwrec)
{
uint64_t overhead;
#if SK_ENABLE_IPV6
if (rwRecIsIPv6(rwrec)) {
/* IPv6 IP-header header with no options is 40 bytes */
switch (rwRecGetProto(rwrec)) {
case IPPROTO_TCP:
/* TCP header is 20 (no TCP timestamps) */
overhead = rwRecGetPkts(rwrec) * 60;
break;
case IPPROTO_UDP:
/* UDP header is 8 bytes */
overhead = rwRecGetPkts(rwrec) * 48;
break;
default:
overhead = rwRecGetPkts(rwrec) * 40;
break;
}
} else
#endif /* SK_ENABLE_IPV6 */
{
/* IPv4 IP-header header with no options is 20 bytes */
switch (rwRecGetProto(rwrec)) {
case IPPROTO_TCP:
overhead = rwRecGetPkts(rwrec) * 40;
break;
case IPPROTO_UDP:
overhead = rwRecGetPkts(rwrec) * 28;
break;
default:
overhead = rwRecGetPkts(rwrec) * 20;
break;
}
}
if (overhead > rwRecGetBytes(rwrec)) {
return 0;
}
return (rwRecGetBytes(rwrec) - overhead);
}
/*
* This function is used to convert from an rwrec to a binary value
* for sorting or determining unique values.
*/
static skplugin_err_t
pmap_bin_fn(
const rwRec *rec,
uint8_t *dest,
void *data,
void UNUSED(**extra))
{
directed_pmap_data_t *dir_data = (directed_pmap_data_t *)data;
pmap_data_t *pmap_data = dir_data->data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
uint32_t code;
if (SKPREFIXMAP_CONT_PROTO_PORT == pmap_data->type) {
pp.proto = rwRecGetProto(rec);
switch (dir_data->dir) {
case DIR_SOURCE:
pp.port = rwRecGetSPort(rec);
break;
case DIR_DEST:
pp.port = rwRecGetDPort(rec);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
code = htonl(skPrefixMapFindValue(pmap_data->pmap, &pp));
} else {
switch (dir_data->dir) {
case DIR_SOURCE:
rwRecMemGetSIP(rec, &addr);
break;
case DIR_DEST:
rwRecMemGetDIP(rec, &addr);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
code = htonl(skPrefixMapFindValue(pmap_data->pmap, &addr));
}
memcpy(dest, &code, sizeof(code));
return SKPLUGIN_OK;
}
/*
* This function is used to convert from an rwrec to a text value for
* a field.
*/
static skplugin_err_t
pmap_text_fn(
const rwRec *rec,
char *dest,
size_t width,
void *data,
void UNUSED(**extra))
{
directed_pmap_data_t *dir_data = (directed_pmap_data_t *)data;
pmap_data_t *pmap_data = dir_data->data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
int rv;
if (SKPREFIXMAP_CONT_PROTO_PORT == pmap_data->type) {
pp.proto = rwRecGetProto(rec);
switch (dir_data->dir) {
case DIR_SOURCE:
pp.port = rwRecGetSPort(rec);
break;
case DIR_DEST:
pp.port = rwRecGetDPort(rec);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
rv = skPrefixMapFindString(pmap_data->pmap, &pp, dest, width);
} else {
switch (dir_data->dir) {
case DIR_SOURCE:
rwRecMemGetSIP(rec, &addr);
break;
case DIR_DEST:
rwRecMemGetDIP(rec, &addr);
break;
case DIR_ANY:
skAbortBadCase(dir_data->dir);
}
rv = skPrefixMapFindString(pmap_data->pmap, &addr, dest, width);
}
return (rv >= 0) ? SKPLUGIN_OK : SKPLUGIN_ERR;
}
/*
* Process a single input stream (file) of SiLK Flow records: Copy
* the header entries from the input stream to the output stream,
* read the file, fill a Key and Counter for each flow record, and
* add the Key and Counter to the AggBag.
*/
static int
processFile(
skstream_t *stream)
{
sk_aggbag_field_t k_it;
sk_aggbag_field_t c_it;
sk_aggbag_aggregate_t key;
sk_aggbag_aggregate_t counter;
skipaddr_t ip;
rwRec rwrec;
ssize_t rv;
ssize_t err;
/* copy invocation and notes (annotations) from the SiLK Flow
* files to the output stream; these headers will not be written
* to the output if --invocation-strip or --notes-strip was
* specified. */
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_INVOCATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
rv = skHeaderCopyEntries(skStreamGetSilkHeader(output),
skStreamGetSilkHeader(stream),
SK_HENTRY_ANNOTATION_ID);
if (rv) {
skStreamPrintLastErr(output, rv, &skAppPrintErr);
}
err = SKAGGBAG_OK;
while (SKSTREAM_OK == (rv = skStreamReadRecord(stream, &rwrec))) {
skAggBagInitializeKey(ab, &key, &k_it);
do {
switch (skAggBagFieldIterGetType(&k_it)) {
case SKAGGBAG_FIELD_SIPv6:
case SKAGGBAG_FIELD_SIPv4:
rwRecMemGetSIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_DIPv6:
case SKAGGBAG_FIELD_DIPv4:
rwRecMemGetDIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_NHIPv6:
case SKAGGBAG_FIELD_NHIPv4:
rwRecMemGetNhIP(&rwrec, &ip);
skAggBagAggregateSetIPAddress(&key, &k_it, &ip);
break;
case SKAGGBAG_FIELD_SPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSPort(&rwrec));
break;
case SKAGGBAG_FIELD_DPORT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetDPort(&rwrec));
break;
case SKAGGBAG_FIELD_ICMP_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpType(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_ICMP_CODE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecIsICMP(&rwrec) ? rwRecGetIcmpCode(&rwrec) : 0));
break;
case SKAGGBAG_FIELD_PROTO:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetProto(&rwrec));
break;
case SKAGGBAG_FIELD_PACKETS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_BYTES:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlags(&rwrec));
break;
case SKAGGBAG_FIELD_SID:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetSensor(&rwrec));
break;
case SKAGGBAG_FIELD_INPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInput(&rwrec));
break;
case SKAGGBAG_FIELD_OUTPUT:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetOutput(&rwrec));
break;
case SKAGGBAG_FIELD_INIT_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetInitFlags(&rwrec));
break;
case SKAGGBAG_FIELD_REST_FLAGS:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetRestFlags(&rwrec));
break;
case SKAGGBAG_FIELD_TCP_STATE:
skAggBagAggregateSetUnsigned(
&key, &k_it,
(rwRecGetTcpState(&rwrec) & SK_TCPSTATE_ATTRIBUTE_MASK));
break;
case SKAGGBAG_FIELD_APPLICATION:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetApplication(&rwrec));
break;
case SKAGGBAG_FIELD_FTYPE_CLASS:
skAggBagAggregateSetUnsigned(
&key, &k_it,
sksiteFlowtypeGetClassID(rwRecGetFlowType(&rwrec)));
break;
case SKAGGBAG_FIELD_FTYPE_TYPE:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetFlowType(&rwrec));
break;
case SKAGGBAG_FIELD_STARTTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetStartSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ELAPSED:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetElapsedSeconds(&rwrec));
break;
case SKAGGBAG_FIELD_ENDTIME:
skAggBagAggregateSetUnsigned(
&key, &k_it, rwRecGetEndSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&k_it) == SK_ITERATOR_OK);
skAggBagInitializeCounter(ab, &counter, &c_it);
do {
switch (skAggBagFieldIterGetType(&c_it)) {
case SKAGGBAG_FIELD_RECORDS:
skAggBagAggregateSetUnsigned(&counter, &c_it, 1);
break;
case SKAGGBAG_FIELD_SUM_BYTES:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetBytes(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_PACKETS:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetPkts(&rwrec));
break;
case SKAGGBAG_FIELD_SUM_ELAPSED:
skAggBagAggregateSetUnsigned(
&counter, &c_it, rwRecGetElapsedSeconds(&rwrec));
break;
default:
break;
}
} while (skAggBagFieldIterNext(&c_it) == SK_ITERATOR_OK);
err = skAggBagKeyCounterAdd(ab, &key, &counter, NULL);
if (err) {
skAppPrintErr("Unable to add to key: %s", skAggBagStrerror(err));
break;
}
}
if (rv != SKSTREAM_ERR_EOF) {
skStreamPrintLastErr(stream, rv, &skAppPrintErr);
return -1;
}
return 0;
}
/*
* skplugin_err_t pmap_filter(rwRec *rwrec, void *data, void **extra);
*
* The function actually used to implement filtering for the filter
* plugin. Returns SKPLUGIN_FILTER_PASS if the record passes the
* filter, SKPLUGIN_FILTER_FAIL if it fails the filter.
*/
static skplugin_err_t
pmap_filter_fn(
const rwRec *rwrec,
void *data,
void UNUSED(**extra))
{
pmap_data_t *pmap_data = (pmap_data_t *)data;
skipaddr_t addr;
skPrefixMapProtoPort_t pp;
uint32_t code;
assert(ignore_prefix_map == 0);
switch (pmap_data->type) {
case SKPREFIXMAP_CONT_ADDR_V4:
case SKPREFIXMAP_CONT_ADDR_V6:
if (pmap_data->sdir.val_bitmap) {
rwRecMemGetSIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->sdir.val_bitmap,
pmap_data->sdir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->ddir.val_bitmap) {
rwRecMemGetDIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->ddir.val_bitmap,
pmap_data->ddir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->adir.val_bitmap) {
rwRecMemGetSIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
rwRecMemGetDIP(rwrec, &addr);
code = skPrefixMapFindValue(pmap_data->pmap, &addr);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
}
return SKPLUGIN_FILTER_PASS; /* Accept */
case SKPREFIXMAP_CONT_PROTO_PORT:
pp.proto = rwRecGetProto(rwrec);
if (pmap_data->sdir.val_bitmap) {
pp.port = rwRecGetSPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->sdir.val_bitmap,
pmap_data->sdir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->ddir.val_bitmap) {
pp.port = rwRecGetDPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->ddir.val_bitmap,
pmap_data->ddir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
if (pmap_data->adir.val_bitmap) {
pp.port = rwRecGetSPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
pp.port = rwRecGetDPort(rwrec);
code = skPrefixMapFindValue(pmap_data->pmap, &pp);
if (!PMAP_BMAP_CHECK(pmap_data->adir.val_bitmap,
pmap_data->adir.size_bitmap, code))
{
return SKPLUGIN_FILTER_FAIL; /* Reject */
}
}
}
return SKPLUGIN_FILTER_PASS; /* Accept */
}
/* Unknown type: Accept all */
return SKPLUGIN_FILTER_PASS; /* NOTREACHED */
}
static void
printRecords(
const rwRec rec[])
{
char starttime[2][RWCOMPARE_BUFSIZ];
uint32_t elapsed[2];
uint32_t sport[2];
uint32_t dport[2];
uint32_t proto[2];
uint32_t flowtype[2];
uint32_t sensor[2];
uint32_t flags[2];
uint32_t initflags[2];
uint32_t restflags[2];
uint32_t tcpstate[2];
uint32_t application[2];
uint32_t memo[2];
uint32_t input[2];
uint32_t output[2];
uint32_t pkts[2];
uint32_t bytes[2];
char sip[2][RWCOMPARE_BUFSIZ];
char dip[2][RWCOMPARE_BUFSIZ];
char nhip[2][RWCOMPARE_BUFSIZ];
skipaddr_t ip;
unsigned i;
for (i = 0; i < 2; ++i) {
sktimestamp_r(
starttime[i], rwRecGetStartTime(&rec[i]), SKTIMESTAMP_EPOCH);
elapsed[i] = rwRecGetElapsed(&rec[i]);
sport[i] = rwRecGetSPort(&rec[i]);
dport[i] = rwRecGetDPort(&rec[i]);
proto[i] = rwRecGetProto(&rec[i]);
flowtype[i] = rwRecGetFlowType(&rec[i]);
sensor[i] = rwRecGetSensor(&rec[i]);
flags[i] = rwRecGetFlags(&rec[i]);
initflags[i] = rwRecGetInitFlags(&rec[i]);
restflags[i] = rwRecGetRestFlags(&rec[i]);
tcpstate[i] = rwRecGetTcpState(&rec[i]);
application[i] = rwRecGetApplication(&rec[i]);
memo[i] = rwRecGetMemo(&rec[i]);
input[i] = rwRecGetInput(&rec[i]);
output[i] = rwRecGetOutput(&rec[i]);
pkts[i] = rwRecGetPkts(&rec[i]);
bytes[i] = rwRecGetBytes(&rec[i]);
rwRecMemGetSIP(&rec[i], &ip);
skipaddrString(sip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetDIP(&rec[i], &ip);
skipaddrString(dip[i], &ip, SKIPADDR_HEXADECIMAL);
rwRecMemGetNhIP(&rec[i], &ip);
skipaddrString(nhip[i], &ip, SKIPADDR_HEXADECIMAL);
}
compareStrings("StartTime", starttime);
compareNumbers("Elapsed", elapsed);
compareNumbers("SPort", sport);
compareNumbers("DPort", dport);
compareNumbers("Proto", proto);
compareNumbers("FlowType", flowtype);
compareNumbers("Sensor", sensor);
compareNumbers("Flags", flags);
compareNumbers("InitFlags", initflags);
compareNumbers("RestFlags", restflags);
compareNumbers("TcpState", tcpstate);
compareNumbers("Application", application);
compareNumbers("Memo", memo);
compareNumbers("Input", input);
compareNumbers("Output", output);
compareNumbers("Pkts", pkts);
compareNumbers("Bytes", bytes);
compareStrings("SIP", sip);
compareStrings("DIP", dip);
compareStrings("NhIP", nhip);
}