Corsaro FlowTuple plugin implementation. More...

Macros
#define	CORSARO_FLOWTUPLE_MAGIC 0x53495855
	The magic number for this plugin when not using /8 opts - "SIXU".
#define	PLUGIN_NAME "flowtuple"
	The name of this plugin.
#define	STATE(corsaro) (CORSARO_PLUGIN_STATE(corsaro, flowtuple, CORSARO_PLUGIN_ID_FLOWTUPLE))
	Extends the generic plugin state convenience macro in corsaro_plugin.h.
#define	STATE_IN(corsaro) (CORSARO_PLUGIN_STATE(corsaro, flowtuple_in, CORSARO_PLUGIN_ID_FLOWTUPLE))
	Extends the generic plugin state convenience macro in corsaro_plugin.h.
#define	PLUGIN(corsaro) (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_FLOWTUPLE))
	Extends the generic plugin plugin convenience macro in corsaro_plugin.h.

Functions
	KSORT_INIT (sixt, corsaro_flowtuple_t *, corsaro_flowtuple_lt)
	Initialize the sorting functions and datatypes.
	KHASH_INIT (sixt, corsaro_flowtuple_t *, char, 0, corsaro_flowtuple_hash_func, corsaro_flowtuple_hash_equal)
	Initialize the hash functions and datatypes.
static int	flowtuple_classify_packet (corsaro_t corsaro, libtrace_packet_t packet)
	Determines the traffic class for a packet; possible options are CORSARO_FLOWTUPLE_CLASS_BACKSCATTER, CORSARO_FLOWTUPLE_CLASS_ICMPREQ, CLASS_OTHER.
static int	sort_hash (corsaro_t corsaro, kh_sixt_t hash, corsaro_flowtuple_t ***sorted)
	Given a st hash, malloc and return a sorted array of pointers.
static int	binary_dump (corsaro_t *corsaro, corsaro_flowtuple_class_type_t dist)
	Dump the given flowtuple to the plugin's outfile in binary format.
static int	ascii_dump (corsaro_t *corsaro, corsaro_flowtuple_class_type_t dist)
	Dump the given flowtuple to the plugin's outfile in ASCII format.
static int	validate_class_start (corsaro_flowtuple_class_start_t *class)
static int	read_class_start (corsaro_in_t corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
static int	validate_class_end (corsaro_flowtuple_class_end_t *class)
static int	read_class_end (corsaro_in_t corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
static int	validate_flowtuple (corsaro_flowtuple_t *flowtuple)
static int	read_flowtuple (corsaro_in_t corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
corsaro_plugin_t *	corsaro_flowtuple_alloc (corsaro_t *corsaro)
int	corsaro_flowtuple_probe_filename (const char *fname)
int	corsaro_flowtuple_probe_magic (corsaro_in_t corsaro, corsaro_file_in_t file)
int	corsaro_flowtuple_init_output (corsaro_t *corsaro)
int	corsaro_flowtuple_init_input (corsaro_in_t *corsaro)
int	corsaro_flowtuple_close_input (corsaro_in_t *corsaro)
int	corsaro_flowtuple_close_output (corsaro_t *corsaro)
off_t	corsaro_flowtuple_read_record (struct corsaro_in corsaro, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
off_t	corsaro_flowtuple_read_global_data_record (struct corsaro_in corsaro, enum corsaro_in_record_type record_type, struct corsaro_in_record *record)
int	corsaro_flowtuple_start_interval (corsaro_t corsaro, corsaro_interval_t int_start)
int	corsaro_flowtuple_end_interval (corsaro_t corsaro, corsaro_interval_t int_end)
int	corsaro_flowtuple_process_packet (corsaro_t corsaro, corsaro_packet_t packet)
uint32_t	corsaro_flowtuple_get_source_ip (corsaro_flowtuple_t *flowtuple)
	Get the source IP of the tuple in network byte order.
uint32_t	corsaro_flowtuple_get_destination_ip (corsaro_flowtuple_t *flowtuple)
	Get the destination IP of the tuple in network byte order.
off_t	corsaro_flowtuple_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_flowtuple_t *flowtuple)
	Write a flowtuple to the given corsaro file in ascii.
void	corsaro_flowtuple_print (corsaro_flowtuple_t *flowtuple)
	Write a flowtuple to stdout in ascii format.
off_t	corsaro_flowtuple_class_start_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_flowtuple_class_start_t *class)
	Write a flowtuple class start record to the given corsaro file in ascii.
void	corsaro_flowtuple_class_start_print (corsaro_flowtuple_class_start_t *class)
	Write a flowtuple class start record to stdout in ascii format.
off_t	corsaro_flowtuple_class_end_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_flowtuple_class_end_t *class)
	Write a flowtuple class end record to the given corsaro file in ascii.
void	corsaro_flowtuple_class_end_print (corsaro_flowtuple_class_end_t *class)
	Write a flowtuple class end record to stdout in ascii format.
off_t	corsaro_flowtuple_record_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Write a generic flowtuple record to the given corsaro file in ascii.
int	corsaro_flowtuple_record_print (corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Write a generic flowtuple record to stdout in ascii format.
void	corsaro_flowtuple_free (corsaro_flowtuple_t *t)
	Free memory allocated for a flowtuple structure.
int	corsaro_flowtuple_add_inc (void h, corsaro_flowtuple_t t, int increment)
	Either add the given flowtuple to the hash, or increment the current count.

Variables
static corsaro_plugin_t	corsaro_flowtuple_plugin
	Common plugin information across all instances.
static const char *	class_names []
	Array of string names for classes.

Detailed Description

Corsaro FlowTuple plugin implementation.

Author:: Alistair King

Definition in file corsaro_flowtuple.c.

Macro Definition Documentation

#define CORSARO_FLOWTUPLE_MAGIC 0x53495855

The magic number for this plugin when not using /8 opts - "SIXU".

Definition at line 61 of file corsaro_flowtuple.c.

Referenced by ascii_dump(), and binary_dump().

#define PLUGIN ( corsaro ) (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_FLOWTUPLE))

Extends the generic plugin plugin convenience macro in corsaro_plugin.h.

Definition at line 116 of file corsaro_flowtuple.c.

Referenced by corsaro_flowtuple_init_output().

#define PLUGIN_NAME "flowtuple"

The name of this plugin.

Definition at line 65 of file corsaro_flowtuple.c.

#define STATE ( corsaro ) (CORSARO_PLUGIN_STATE(corsaro, flowtuple, CORSARO_PLUGIN_ID_FLOWTUPLE))

Extends the generic plugin state convenience macro in corsaro_plugin.h.

Definition at line 110 of file corsaro_flowtuple.c.

Referenced by ascii_dump(), and binary_dump().

#define STATE_IN ( corsaro ) (CORSARO_PLUGIN_STATE(corsaro, flowtuple_in, CORSARO_PLUGIN_ID_FLOWTUPLE))

Extends the generic plugin state convenience macro in corsaro_plugin.h.

Definition at line 113 of file corsaro_flowtuple.c.

Function Documentation

static int ascii_dump	(	corsaro_t *	corsaro,
		corsaro_flowtuple_class_type_t	dist
	)

static

Dump the given flowtuple to the plugin's outfile in ASCII format.

Definition at line 298 of file corsaro_flowtuple.c.

References corsaro_flowtuple_class_start::class_type, corsaro_flowtuple_class_end::class_type, corsaro_flowtuple_class_end_fprint(), corsaro_flowtuple_class_start_fprint(), corsaro_flowtuple_fprint(), CORSARO_FLOWTUPLE_MAGIC, corsaro_flowtuple_class_start::count, corsaro_flowtuple_class_start::magic, corsaro_flowtuple_class_end::magic, sort_hash(), and STATE.

static int binary_dump	(	corsaro_t *	corsaro,
		corsaro_flowtuple_class_type_t	dist
	)

static

Dump the given flowtuple to the plugin's outfile in binary format.

Definition at line 230 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_BYTECNT, CORSARO_FLOWTUPLE_MAGIC, sort_hash(), and STATE.

int corsaro_flowtuple_add_inc	(	void *	hash,
		corsaro_flowtuple_t *	t,
		int	increment
	)

Either add the given flowtuple to the hash, or increment the current count.

Parameters:

hash	The hash to check/add to
t	The flowtuple to look for

Returns:: 0 if the operation completed successfully, -1 if an error occurs

Definition at line 991 of file corsaro_flowtuple.c.

References corsaro_flowtuple::packet_cnt.

off_t corsaro_flowtuple_class_end_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_flowtuple_class_end_t *	class
	)

Write a flowtuple class end record to the given corsaro file in ascii.

Parameters:

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
class	The class end record to write out

Returns:: the number of bytes written, -1 if an error occurs

Definition at line 913 of file corsaro_flowtuple.c.

References class_names.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_end_print ( corsaro_flowtuple_class_end_t * flowtuple )

Write a flowtuple class end record to stdout in ascii format.

Parameters:

class The class end record to write out

Definition at line 920 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_class_start_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_flowtuple_class_start_t *	class
	)

Write a flowtuple class start record to the given corsaro file in ascii.

Parameters:

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
class	The class start record to write out

Returns:: the number of bytes written, -1 if an error occurs

Definition at line 898 of file corsaro_flowtuple.c.

References class_names.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_start_print ( corsaro_flowtuple_class_start_t * flowtuple )

Write a flowtuple class start record to stdout in ascii format.

Parameters:

class The class start record to write out

Definition at line 907 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_flowtuple_t *	flowtuple
	)

Write a flowtuple to the given corsaro file in ascii.

Parameters:

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
flowtuple	The flowtuple to write out

Returns:: the number of bytes written, -1 if an error occurs

Definition at line 839 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SIXT_TO_IP, corsaro_flowtuple::dst_port, corsaro_flowtuple::ip_len, corsaro_flowtuple::packet_cnt, corsaro_flowtuple::protocol, corsaro_flowtuple::src_ip, corsaro_flowtuple::src_port, corsaro_flowtuple::tcp_flags, and corsaro_flowtuple::ttl.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_free ( corsaro_flowtuple_t * t )

Free memory allocated for a flowtuple structure.

Parameters:

t	The flowtuple to free

Definition at line 985 of file corsaro_flowtuple.c.

Referenced by main().

uint32_t corsaro_flowtuple_get_destination_ip ( corsaro_flowtuple_t * flowtuple )

Get the destination IP of the tuple in network byte order.

Parameters:

flowtuple The flowtuple record to extract the IP from

Returns:: the destination IP of the flowtuple

Definition at line 832 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SIXT_TO_IP.

uint32_t corsaro_flowtuple_get_source_ip ( corsaro_flowtuple_t * flowtuple )

Get the source IP of the tuple in network byte order.

Parameters:

flowtuple The flowtuple record to extract the IP from

Returns:: the source IP of the flowtuple

Definition at line 825 of file corsaro_flowtuple.c.

References corsaro_flowtuple::src_ip.

int corsaro_flowtuple_init_output ( corsaro_t * corsaro )

Todo:: dump full corsaro headers

Definition at line 536 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_CLASS_MAX, corsaro_plugin::name, PLUGIN, and corsaro::plugin_manager.

void corsaro_flowtuple_print ( corsaro_flowtuple_t * flowtuple )

Write a flowtuple to stdout in ascii format.

Parameters:

flowtuple The flowtuple to write out

Definition at line 870 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SIXT_TO_IP, corsaro_flowtuple::dst_port, corsaro_flowtuple::ip_len, corsaro_flowtuple::packet_cnt, corsaro_flowtuple::protocol, corsaro_flowtuple::src_ip, corsaro_flowtuple::src_port, corsaro_flowtuple::tcp_flags, and corsaro_flowtuple::ttl.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_record_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Write a generic flowtuple record to the given corsaro file in ascii.

Parameters:

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
record_type	The type of the record
record	The record to write out

Returns:: the number of bytes written, -1 if an error occurs

Definition at line 925 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_fprint(), corsaro_flowtuple_class_start_fprint(), corsaro_flowtuple_fprint(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, and CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE.

Referenced by corsaro_io_write_record().

int corsaro_flowtuple_record_print	(	corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Write a generic flowtuple record to stdout in ascii format.

Parameters:

record_type	The type of the record
record	The record to write out

Returns:: 0 if successful, -1 if an error occurs

Definition at line 956 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_print(), corsaro_flowtuple_class_start_print(), corsaro_flowtuple_print(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, and CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE.

Referenced by corsaro_io_print_record().

static int flowtuple_classify_packet	(	corsaro_t *	corsaro,
		libtrace_packet_t *	packet
	)

static

Determines the traffic class for a packet; possible options are CORSARO_FLOWTUPLE_CLASS_BACKSCATTER, CORSARO_FLOWTUPLE_CLASS_ICMPREQ, CLASS_OTHER.

This code is ported from crl_attack_flow.c::get_traffic_type

Definition at line 126 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_CLASS_BACKSCATTER, CORSARO_FLOWTUPLE_CLASS_ICMPREQ, and CORSARO_FLOWTUPLE_CLASS_OTHER.

KHASH_INIT	(	sixt	,
		corsaro_flowtuple_t *	,
		char	,
		0	,
		corsaro_flowtuple_hash_func	,
		corsaro_flowtuple_hash_equal
	)

Initialize the hash functions and datatypes.

KSORT_INIT	(	sixt	,
		corsaro_flowtuple_t *	,
		corsaro_flowtuple_lt
	)

Initialize the sorting functions and datatypes.

static int sort_hash	(	corsaro_t *	corsaro,
		kh_sixt_t *	hash,
		corsaro_flowtuple_t ***	sorted
	)

static

Given a st hash, malloc and return a sorted array of pointers.

Definition at line 198 of file corsaro_flowtuple.c.

Referenced by ascii_dump(), and binary_dump().

Variable Documentation

const char* class_names[]

static

Initial value:

 {
  "flowtuple_backscatter",
  "flowtuple_icmpreq",
  "flowtuple_other",
}

Array of string names for classes.

Definition at line 77 of file corsaro_flowtuple.c.

Referenced by corsaro_flowtuple_class_end_fprint(), corsaro_flowtuple_class_end_print(), corsaro_flowtuple_class_start_fprint(), and corsaro_flowtuple_class_start_print().

corsaro_plugin_t corsaro_flowtuple_plugin

static

Initial value:

 {
  PLUGIN_NAME,                                 
  CORSARO_PLUGIN_ID_FLOWTUPLE,                    
  CORSARO_FLOWTUPLE_MAGIC,                        
  CORSARO_PLUGIN_GENERATE_PTRS(corsaro_flowtuple),   
  NULL,                                        
}

Common plugin information across all instances.

Definition at line 68 of file corsaro_flowtuple.c.

Macros

Functions

Variables

Detailed Description

Macro Definition Documentation

Function Documentation

Variable Documentation