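/*
 * Main receive loop of the collector interface.
 *
 * Polls every subscriber socket, reads a fixed-size zmq_msg_hdr followed by
 * a payload frame, and hands the NUL-terminated payload to parse_flows().
 * The loop ends when isRunning() turns false, on a zmq_poll() error, or when
 * a global shutdown is seen while the interface is idle.
 *
 * Both frames come from a remote publisher and must be treated as untrusted:
 * every length reported by zmq_recv() is checked before it is used as an
 * index into the local buffer.
 */
void CollectorInterface::collect_flows() {
  struct zmq_msg_hdr h;
  char payload[8192];
  u_int payload_len = sizeof(payload)-1; /* one byte is kept for the trailing NUL */
  zmq_pollitem_t items[CONST_MAX_NUM_ZMQ_SUBSCRIBERS];
  int rc, size;

  ntop->getTrace()->traceEvent(TRACE_NORMAL, "Collecting flows on %s", ifname);

  while(isRunning()) {
    /* While idle, keep expiring old entries and watch for a shutdown request */
    while(idle()) {
      purgeIdle(time(NULL));
      sleep(1);
      if(ntop->getGlobals()->isShutdown()) return;
    }

    /*
     * NOTE(review): assumes num_subscribers <= CONST_MAX_NUM_ZMQ_SUBSCRIBERS;
     * the bound is not enforced in this function - confirm where it is set.
     */
    for(int i=0; i<num_subscribers; i++) {
      items[i].socket  = subscriber[i].socket;
      items[i].fd      = 0;
      items[i].events  = ZMQ_POLLIN;
      items[i].revents = 0;
    }

    /* Wait for data with a 1 second timeout, so idle purging still runs */
    do {
      rc = zmq_poll(items, num_subscribers, 1000 /* 1 sec */);
      if((rc < 0) || (!isRunning())) return;
      if(rc == 0) purgeIdle(time(NULL));
    } while(rc == 0);

    for(int source_id=0; source_id<num_subscribers; source_id++) {
      if(items[source_id].revents & ZMQ_POLLIN) {
        size = zmq_recv(items[source_id].socket, &h, sizeof(h), 0);

        /*
         * NOTE(review): when the read is short or fails, h.version is logged
         * although it may not have been written by this zmq_recv() call. The
         * payload frame of a rejected message is also not drained here, so
         * presumably the next read takes it as a header - confirm.
         */
        if((size != sizeof(h)) || (h.version != MSG_VERSION)) {
          ntop->getTrace()->traceEvent(TRACE_WARNING,
                                       "Unsupported publisher version [%d]: your nProbe sender is outdated?",
                                       h.version);
          continue;
        }

        size = zmq_recv(items[source_id].socket, payload, payload_len, 0);

        if(size > 0) {
          /*
           * zmq_recv() returns the length of the whole message, which can be
           * larger than the buffer length passed in when the message was
           * truncated. Using that value as an index would write the NUL past
           * the end of payload[], so oversized messages are dropped.
           */
          if((u_int)size > payload_len) {
            ntop->getTrace()->traceEvent(TRACE_WARNING,
                                         "ZMQ message too large [%d > %u bytes]: flow payload discarded",
                                         size, payload_len);
            continue;
          }

          payload[size] = '\0';

          parse_flows(payload, sizeof(payload) , source_id, this);

          ntop->getTrace()->traceEvent(TRACE_INFO, "[%u] %s", h.size, payload);
        }
      }
    } /* for */
  }

  ntop->getTrace()->traceEvent(TRACE_NORMAL, "Flow collection is over.");
}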
/*
 * Account one flow record (ZMQ_Flow) on this interface.
 *
 * Looks up (or obtains) the matching Flow through getFlow(), updates its TCP
 * flags, counters, detected protocol and JSON info, then updates the
 * interface statistics and purges idle entries using the record timestamp.
 * Nothing is accounted when getFlow() returns NULL.
 *
 * NOTE(review): the zflow fields presumably originate from a remote probe.
 * The counters are multiplied by pkt_sampling_rate with no range check, so
 * depending on the field widths the products could wrap - confirm.
 */
void NetworkInterface::flow_processing(ZMQ_Flow *zflow) {
  bool is_src2dst;
  Flow *f;
  int eth_type;
  /* Per-packet layer-2 overhead passed to incStats() */
  const int l2_overhead = 24 /* 8 Preamble + 4 CRC + 12 IFG */ + 14 /* Ethernet header */;

  /* Move the interface clock forward when this record is more recent */
  const time_t record_time = (time_t)zflow->last_switched;

  if(record_time > (time_t)last_pkt_rcvd)
    last_pkt_rcvd = zflow->last_switched;

  /* Updating Flow */
  f = getFlow(zflow->src_mac, zflow->dst_mac,
              zflow->vlan_id,
              &zflow->src_ip, &zflow->dst_ip,
              zflow->src_port, zflow->dst_port,
              zflow->l4_proto,
              &is_src2dst,
              zflow->first_switched, zflow->last_switched);

  if(f == NULL)
    return;

  if(zflow->l4_proto == IPPROTO_TCP)
    f->updateTcpFlags(zflow->tcp_flags);

  /* Counters are scaled by the sampling rate reported in the record */
  f->addFlowStats(is_src2dst,
                  zflow->pkt_sampling_rate*zflow->in_pkts,
                  zflow->pkt_sampling_rate*zflow->in_bytes,
                  zflow->pkt_sampling_rate*zflow->out_pkts,
                  zflow->pkt_sampling_rate*zflow->out_bytes,
                  zflow->last_switched);

  f->setDetectedProtocol(zflow->l7_proto);
  f->setJSONInfo(json_object_to_json_string(zflow->additional_fields));
  f->updateActivities();

  /* Interface-wide statistics, keyed by the IP version of the source address */
  if(zflow->src_ip.isIPv4())
    eth_type = ETHERTYPE_IP;
  else
    eth_type = ETHERTYPE_IPV6;

  incStats(eth_type,
           f->get_detected_protocol(),
           zflow->pkt_sampling_rate*(zflow->in_bytes + zflow->out_bytes),
           zflow->pkt_sampling_rate*(zflow->in_pkts + zflow->out_pkts),
           l2_overhead);

  purgeIdle(zflow->last_switched);
}