The Cooperative Association for Internet Data Analysis
corsaro_flowtuple.h File Reference

Header file which exports corsaro_flowtuple plugin API. More...

Data Structures

struct  corsaro_flowtuple
 Represents the eight important fields in the IP header that we will use to 'uniquely' identify a packet. More...
struct  corsaro_flowtuple_class_start
 Represents the start record of a flowtuple class. More...
struct  corsaro_flowtuple_class_end
 Represents the end record of a flowtuple class. More...

Functions

FlowTuple Convenience Functions

These functions can be used to do some higher-level manipulation with flowtuple records that have been read from a file.

They are 'class' functions that can be used without needing an instance of the actual plugin. Note, however, that writing to a file always requires a corsaro output object.

uint32_t corsaro_flowtuple_get_source_ip (corsaro_flowtuple_t *flowtuple)
 Get the source IP of the tuple in network byte order.
uint32_t corsaro_flowtuple_get_destination_ip (corsaro_flowtuple_t *flowtuple)
 Get the destination IP of the tuple in network byte order.
off_t corsaro_flowtuple_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_t *flowtuple)
 Write a flowtuple to the given corsaro file in ascii.
void corsaro_flowtuple_print (corsaro_flowtuple_t *flowtuple)
 Write a flowtuple to stdout in ascii format.
off_t corsaro_flowtuple_class_start_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_start_t *class)
 Write a flowtuple class start record to the given corsaro file in ascii.
void corsaro_flowtuple_class_start_print (corsaro_flowtuple_class_start_t *flowtuple)
 Write a flowtuple class start record to stdout in ascii format.
off_t corsaro_flowtuple_class_end_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_end_t *class)
 Write a flowtuple class end record to the given corsaro file in ascii.
void corsaro_flowtuple_class_end_print (corsaro_flowtuple_class_end_t *flowtuple)
 Write a flowtuple class end record to stdout in ascii format.
off_t corsaro_flowtuple_record_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
 Write a generic flowtuple record to the given corsaro file in ascii.
int corsaro_flowtuple_record_print (corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
 Write a generic flowtuple record to stdout in ascii format.

FlowTuple Structures

These data structures are used when reading flowtuple files.

enum  corsaro_flowtuple_class_type {
  CORSARO_FLOWTUPLE_CLASS_BACKSCATTER = 0,
  CORSARO_FLOWTUPLE_CLASS_ICMPREQ = 1,
  CORSARO_FLOWTUPLE_CLASS_OTHER = 2,
  CORSARO_FLOWTUPLE_CLASS_MAX = CORSARO_FLOWTUPLE_CLASS_OTHER
}
 Possible classification types for a flowtuple. More...
typedef struct corsaro_flowtuple corsaro_flowtuple_t
 Represents the eight important fields in the IP header that we will use to 'uniquely' identify a packet.
typedef enum corsaro_flowtuple_class_type corsaro_flowtuple_class_type_t
 Possible classification types for a flowtuple.
typedef struct corsaro_flowtuple_class_start corsaro_flowtuple_class_start_t
 Represents the start record of a flowtuple class.
typedef struct corsaro_flowtuple_class_end corsaro_flowtuple_class_end_t
 Represents the end record of a flowtuple class.

FlowTuple Hashing Functions

These functions and data structures can be used by third-party programs to efficiently store eight tuple records in a hash table.

#define CORSARO_FLOWTUPLE_BYTECNT   (sizeof(corsaro_flowtuple_t)) /* (4+3+2+2+1+1+1+2)+4*/
 Used to give the length of the binary representation of a flowtuple.
#define CORSARO_FLOWTUPLE_IP_TO_SIXT(n32, flowtuple)
 Convert a 32-bit network-order IP address into the 3-byte flowtuple format.
#define CORSARO_FLOWTUPLE_SIXT_TO_IP(flowtuple)   ((flowtuple)->dst_ip)
 Convert the 3-byte flowtuple destination IP to a 32-bit network-ordered uint32.
#define CORSARO_FLOWTUPLE_SHIFT_AND_XOR(value)   h ^= (h<<5) + (h>>27) + (value)
 Convenience macro to help with the hashing function.
#define corsaro_flowtuple_hash_equal(alpha, bravo)
 Tests two flowtuples for equality.
#define corsaro_flowtuple_lt(alpha, bravo)
 Tests if one flowtuple is less than another.
static khint32_t corsaro_flowtuple_hash_func (corsaro_flowtuple_t *t)
 Hashes the flowtuple based on the following table.
void corsaro_flowtuple_free (corsaro_flowtuple_t *t)
 Free memory allocated for a flowtuple structure.
int corsaro_flowtuple_add_inc (void *hash, corsaro_flowtuple_t *t, int increment)
 Either add the given flowtuple to the hash, or increment the current count.

Detailed Description

Header file which exports corsaro_flowtuple plugin API.

Author:
Alistair King

Definition in file corsaro_flowtuple.h.


Macro Definition Documentation

#define CORSARO_FLOWTUPLE_BYTECNT   (sizeof(corsaro_flowtuple_t)) /* (4+3+2+2+1+1+1+2)+4*/

Used to give the length of the binary representation of a flowtuple.

These values correspond to:

       0                              32                              64
       ----------------------------------------------------------------
       |            src_ip             |      dst_ip >> 8      |  src_
       ----------------------------------------------------------------
        port   |   dst_port    | proto |  ttl  |tcp_flg|    ip_len    |
       ----------------------------------------------------------------
       | value...     |
       ----------------

DEPRECATED: Note that the 'value' field is not considered part of the flowtuple and, as such, the total record length will be FLOWTUPLE_BITCNT + value_len which, given the current implementation, is FLOWTUPLE_BITCNT + 4, or (4+3+2+2+1+1+1+2) + 4 bytes, or 160 bits (20 bytes).

Definition at line 278 of file corsaro_flowtuple.h.

Referenced by binary_dump().

#define corsaro_flowtuple_hash_equal(alpha, bravo)
Value:
( \
(alpha)->src_ip == (bravo)->src_ip && \
(alpha)->dst_ip == (bravo)->dst_ip && \
(alpha)->src_port == (bravo)->src_port && \
(alpha)->dst_port == (bravo)->dst_port && \
(alpha)->protocol == (bravo)->protocol && \
(alpha)->ttl == (bravo)->ttl && \
(alpha)->tcp_flags == (bravo)->tcp_flags && \
(alpha)->ip_len == (bravo)->ip_len \
)

Tests two flowtuples for equality.

Definition at line 374 of file corsaro_flowtuple.h.

#define CORSARO_FLOWTUPLE_IP_TO_SIXT(n32, flowtuple)
Value:
{ \
(flowtuple)->dst_ip = n32; \
}

Convert a 32-bit network-order IP address into the 3-byte flowtuple format.

Definition at line 290 of file corsaro_flowtuple.h.

#define corsaro_flowtuple_lt(alpha, bravo)

Tests if one flowtuple is less than another.

This sort macro has been optimized to provide the best compression when dumping the flowtuple to binary and using gzip compression.

Definition at line 452 of file corsaro_flowtuple.h.

#define CORSARO_FLOWTUPLE_SHIFT_AND_XOR(value)   h ^= (h<<5) + (h>>27) + (value)

Convenience macro to help with the hashing function. It updates a variable named h in the enclosing scope.

Definition at line 311 of file corsaro_flowtuple.h.

Referenced by corsaro_flowtuple_hash_func().

#define CORSARO_FLOWTUPLE_SIXT_TO_IP(flowtuple)   ((flowtuple)->dst_ip)

Convert the 3-byte flowtuple destination IP to a 32-bit network-ordered uint32.

Definition at line 306 of file corsaro_flowtuple.h.

Referenced by corsaro_flowtuple_fprint(), corsaro_flowtuple_get_destination_ip(), and corsaro_flowtuple_print().


Typedef Documentation

typedef struct corsaro_flowtuple_class_end corsaro_flowtuple_class_end_t

Represents the end record of a flowtuple class.

All values will be in HOST byte order.

typedef struct corsaro_flowtuple_class_start corsaro_flowtuple_class_start_t

Represents the start record of a flowtuple class.

All values will be in HOST byte order.

typedef enum corsaro_flowtuple_class_type corsaro_flowtuple_class_type_t

Possible classification types for a flowtuple.

typedef struct corsaro_flowtuple corsaro_flowtuple_t

Represents the eight important fields in the IP header that we will use to 'uniquely' identify a packet.

Alberto and I think that most other analyses can be derived from this distribution.

This struct will be used as the key for the hash.

Values are stored in network byte order to allow easy (de)serialization. Note that since we have a /8, only 3 bytes of the destination IP address are kept (if configured/built with --with-slash-eight).

The 'PACKED' attribute instructs GCC to not do any byte alignment. This allows us to write the structure directly to disk.

Todo:
make the /8 optimizations generic for any darknet size

Enumeration Type Documentation

Possible classification types for a flowtuple.

Enumerator:
CORSARO_FLOWTUPLE_CLASS_BACKSCATTER 

This packet is a backscatter packet.

CORSARO_FLOWTUPLE_CLASS_ICMPREQ 

This packet is an ICMP Request packet.

CORSARO_FLOWTUPLE_CLASS_OTHER 

The packet is not backscatter, not ICMP Request.

CORSARO_FLOWTUPLE_CLASS_MAX 

The highest class value currently in use.

Definition at line 112 of file corsaro_flowtuple.h.


Function Documentation

int corsaro_flowtuple_add_inc (void *hash, corsaro_flowtuple_t *t, int increment)

Either add the given flowtuple to the hash, or increment the current count.

Parameters:
hash: The hash to check/add to
t: The flowtuple to look for
Returns:
0 if the operation completed successfully, -1 if an error occurs

Definition at line 991 of file corsaro_flowtuple.c.

References corsaro_flowtuple::packet_cnt.

off_t corsaro_flowtuple_class_end_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_end_t *class)

Write a flowtuple class end record to the given corsaro file in ascii.

Parameters:
corsaro: The corsaro object associated with the file
file: The corsaro file to write to
class: The class end record to write out
Returns:
the number of bytes written, -1 if an error occurs

Definition at line 913 of file corsaro_flowtuple.c.

References class_names.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_end_print (corsaro_flowtuple_class_end_t *flowtuple)

Write a flowtuple class end record to stdout in ascii format.

Parameters:
flowtuple: The class end record to write out

Definition at line 920 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_class_start_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_start_t *class)

Write a flowtuple class start record to the given corsaro file in ascii.

Parameters:
corsaro: The corsaro object associated with the file
file: The corsaro file to write to
class: The class start record to write out
Returns:
the number of bytes written, -1 if an error occurs

Definition at line 898 of file corsaro_flowtuple.c.

References class_names.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_start_print (corsaro_flowtuple_class_start_t *flowtuple)

Write a flowtuple class start record to stdout in ascii format.

Parameters:
flowtuple: The class start record to write out

Definition at line 907 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_t *flowtuple)

Write a flowtuple to the given corsaro file in ascii.

Parameters:
corsaro: The corsaro object associated with the file
file: The corsaro file to write to
flowtuple: The flowtuple to write out
Returns:
the number of bytes written, -1 if an error occurs

Definition at line 839 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SIXT_TO_IP, corsaro_flowtuple::dst_port, corsaro_flowtuple::ip_len, corsaro_flowtuple::packet_cnt, corsaro_flowtuple::protocol, corsaro_flowtuple::src_ip, corsaro_flowtuple::src_port, corsaro_flowtuple::tcp_flags, and corsaro_flowtuple::ttl.

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_free (corsaro_flowtuple_t *t)

Free memory allocated for a flowtuple structure.

Parameters:
t: The flowtuple to free

Definition at line 985 of file corsaro_flowtuple.c.

Referenced by main().

uint32_t corsaro_flowtuple_get_destination_ip (corsaro_flowtuple_t *flowtuple)

Get the destination IP of the tuple in network byte order.

Parameters:
flowtuple: The flowtuple record to extract the IP from
Returns:
the destination IP of the flowtuple

Definition at line 832 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SIXT_TO_IP.

uint32_t corsaro_flowtuple_get_source_ip (corsaro_flowtuple_t *flowtuple)

Get the source IP of the tuple in network byte order.

Parameters:
flowtuple: The flowtuple record to extract the IP from
Returns:
the source IP of the flowtuple

Definition at line 825 of file corsaro_flowtuple.c.

References corsaro_flowtuple::src_ip.

static inline khint32_t corsaro_flowtuple_hash_func (corsaro_flowtuple_t *t)

Hashes the flowtuple based on the following table.

With slash eight optimization:

    |          SRC_IP * 59          |
    |      DST_IP << 8      | PROTO |
    |  SRC_PORT << 16  |  DST_PORT  |
    |  TTL  |TCP_FLG|      LEN      |

Without slash eight optimization:

    |          SRC_IP * 59          |
    |            DST_IP             |
    |  SRC_PORT << 16  |  DST_PORT  |
    |  TTL  |TCP_FLG| PROTO |  LEN  |

Definition at line 338 of file corsaro_flowtuple.h.

References CORSARO_FLOWTUPLE_SHIFT_AND_XOR, corsaro_flowtuple::dst_ip, corsaro_flowtuple::dst_port, corsaro_flowtuple::ip_len, corsaro_flowtuple::protocol, corsaro_flowtuple::src_ip, corsaro_flowtuple::src_port, corsaro_flowtuple::tcp_flags, and corsaro_flowtuple::ttl.
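The following is an added example, not corsaro's own code: it decodes the 20-byte packed record laid out under CORSARO_FLOWTUPLE_BYTECNT, applies a key-equality test with the same eight fields as corsaro_flowtuple_hash_equal, and hashes with one CORSARO_FLOWTUPLE_SHIFT_AND_XOR step per row of the 'with slash eight optimization' table. The one-step-per-row reading of the table, the host-order field representation, the names FT_RECORD_LEN, SHIFT_AND_XOR, flowtuple_t, flowtuple_decode, flowtuple_hash, flowtuple_equal and the constructed SAMPLE_RECORD are all assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#define FT_RECORD_LEN 20   /* (4+3+2+2+1+1+1+2) key bytes + 4 'value' bytes */
/* Same shape as CORSARO_FLOWTUPLE_SHIFT_AND_XOR, with the accumulator h made explicit. */
#define SHIFT_AND_XOR(h, v) ((h) ^= ((h) << 5) + ((h) >> 27) + (v))

typedef struct {
    uint32_t src_ip;              /* full address, host order after decoding */
    uint32_t dst_ip;              /* low 24 bits only: the darknet /8 octet is implied */
    uint16_t src_port, dst_port;
    uint8_t  protocol, ttl, tcp_flags;
    uint16_t ip_len;
    uint32_t packet_cnt;          /* the trailing 'value'; not part of the key */
} flowtuple_t;
static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one packed record; returns 0 on success, -1 if buf is too short. */
int flowtuple_decode(const uint8_t *buf, size_t len, flowtuple_t *t)
{
    if (buf == NULL || t == NULL || len < FT_RECORD_LEN) return -1;
    t->src_ip     = ((uint32_t)buf[0] << 24) | be24(buf + 1);
    t->dst_ip     = be24(buf + 4);            /* the 3 stored bytes (dst_ip >> 8 in the layout) */
    t->src_port   = be16(buf + 7);
    t->dst_port   = be16(buf + 9);
    t->protocol = buf[11]; t->ttl = buf[12]; t->tcp_flags = buf[13];
    t->ip_len     = be16(buf + 14);
    t->packet_cnt = ((uint32_t)buf[16] << 24) | be24(buf + 17);
    return 0;
}

/* One shift-and-xor step per row of the 'with slash eight' table (assumed reading). */
uint32_t flowtuple_hash(const flowtuple_t *t)
{
    uint32_t h = t->src_ip * 59u;
    SHIFT_AND_XOR(h, (t->dst_ip << 8) | t->protocol);
    SHIFT_AND_XOR(h, ((uint32_t)t->src_port << 16) | t->dst_port);
    SHIFT_AND_XOR(h, ((uint32_t)t->ttl << 24) | ((uint32_t)t->tcp_flags << 16) | t->ip_len);
    return h;
}

/* Key equality over the eight header fields; packet_cnt is deliberately ignored. */
int flowtuple_equal(const flowtuple_t *a, const flowtuple_t *b)
{
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip && a->src_port == b->src_port &&
           a->dst_port == b->dst_port && a->protocol == b->protocol && a->ttl == b->ttl &&
           a->tcp_flags == b->tcp_flags && a->ip_len == b->ip_len;
}
/* Constructed sample: 10.0.0.1:53 -> x.0.0.2:50000, UDP, TTL 64, 60 bytes, 7 packets. */
static const uint8_t SAMPLE_RECORD[FT_RECORD_LEN] = {
    0x0a,0x00,0x00,0x01, 0x00,0x00,0x02, 0x00,0x35, 0xc3,0x50, 0x11, 0x40, 0x00, 0x00,0x3c, 0x00,0x00,0x00,0x07 };
```

Two records that differ only in packet_cnt compare equal and hash identically, which is exactly why corsaro_flowtuple_add_inc can find an existing entry and bump its count instead of inserting a duplicate.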

void corsaro_flowtuple_print (corsaro_flowtuple_t *flowtuple)

Write a flowtuple to stdout in ascii format.

off_t corsaro_flowtuple_record_fprint (corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)

Write a generic flowtuple record to the given corsaro file in ascii.

Parameters:
corsaro: The corsaro object associated with the file
file: The corsaro file to write to
record_type: The type of the record
record: The record to write out
Returns:
the number of bytes written, -1 if an error occurs

Definition at line 925 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_fprint(), corsaro_flowtuple_class_start_fprint(), corsaro_flowtuple_fprint(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, and CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE.

Referenced by corsaro_io_write_record().

int corsaro_flowtuple_record_print (corsaro_in_record_type_t record_type, corsaro_in_record_t *record)

Write a generic flowtuple record to stdout in ascii format.

Parameters:
record_type: The type of the record
record: The record to write out
Returns:
0 if successful, -1 if an error occurs

Definition at line 956 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_print(), corsaro_flowtuple_class_start_print(), corsaro_flowtuple_print(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, and CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE.

Referenced by corsaro_io_print_record().