Code which uses libcorsaro to convert an corsaro output file to ascii. More...
Go to the source code of this file.
Macros | |
| #define | FIELD_ENABLED 1 |
| Value if field is enabled. More... | |
Typedefs | |
| typedef enum field_index | field_index_t |
| Set of FlowTuple fields that can be used for aggregation. More... | |
Enumerations | |
| enum | field_index { SRC_IP = 0, DST_IP = 1, SRC_PORT = 2, DST_PORT = 3, PROTO = 4, TTL = 5, TCP_FLAGS = 6, IP_LEN = 7, VALUE = 8, FIELD_CNT = 9 } |
| Set of FlowTuple fields that can be used for aggregation. More... | |
Functions | |
| KHASH_INIT (sixt_map, corsaro_flowtuple_t *, kh_64xx_t *, 1, corsaro_flowtuple_hash_func, corsaro_flowtuple_hash_equal) | |
| Initialize the hash functions and datatypes. More... | |
| KHASH_INIT (sixt_int, corsaro_flowtuple_t *, uint64_t, 1, corsaro_flowtuple_hash_func, corsaro_flowtuple_hash_equal) | |
| Hash to use when we are aggregating on packets. More... | |
| static void | clean () |
| Cleanup and free state. More... | |
| static int | init_corsaro (char *corsarouri) |
| Initialize a corsaro_in instance for the given input file name. More... | |
| static int | add_inc_map (void *h, corsaro_flowtuple_t *t, uint32_t value) |
| Either add the given flowtuple to the hash, or add the value to the map. More... | |
| int | add_inc_hash (kh_sixt_int_t *hash, corsaro_flowtuple_t *t, uint32_t increment) |
| Either add the given flowtuple to the hash, or increment the current count. More... | |
| static void | flowtuple_print_64 (corsaro_flowtuple_t *flowtuple, uint64_t value) |
| Print a flowtuple with a 64 bit value field. More... | |
| static void | dump_hash_map (kh_sixt_map_t *hash) |
| Dump a map of flowtuple records. More... | |
| static void | dump_hash_int (kh_sixt_int_t *hash) |
| Dump a hash of flowtuple records. More... | |
| static void | dump_hash () |
| Dump the aggregated FlowTuple records. More... | |
| static int | process_flowtuple (corsaro_flowtuple_t *tuple) |
| Process a FlowTuple record. More... | |
| int | process_flowtuple_file (char *file) |
| Process a flowtuple file. More... | |
| static void | usage (const char *name) |
| Print usage information to stderr. More... | |
| int | main (int argc, char *argv[]) |
| Entry point for the cors-ft-aggregate tool. More... | |
Variables | |
| static kh_sixt_map_t * | sixt_f = NULL |
| A map of aggregated flowtuple records. More... | |
| static kh_sixt_int_t * | sixt_v = NULL |
| A hash of aggregated flowtuple records. More... | |
| static corsaro_in_t * | corsaro = NULL |
| The corsaro_in instance to read from. More... | |
| static corsaro_in_record_t * | record = NULL |
| The record object to read into. More... | |
| static int | interval = 0 |
| The amount of time to wait until we dump the hash. More... | |
| static char * | field_names [] |
| Array of strings corresponding to FlowTuple fields. More... | |
| static int | legacy = 0 |
| Set if reading from a legacy FlowTuple file. More... | |
| static field_index_t | fields [FIELD_CNT] |
| An array of enabled fields for aggregation. More... | |
| static int | value_field = -1 |
| The field to use as the value in aggregation. More... | |
| static uint64_t | flowtuple_cnt = 0 |
| The number of flowtuple records we have processed. More... | |
| static corsaro_interval_t | last_dump_end |
| the END time of the interval that we last dumped data More... | |
| static int | next_interval = 0 |
| The time that we need to dump the next interval at. More... | |
| static corsaro_interval_t | last_interval_end |
| The time that the last interval ended. More... | |
Code which uses libcorsaro to convert an corsaro output file to ascii.
extend to allow to write out to binary again
respect the tuple classes for reaggregation (currently classes are discarded).
add a BPF-like filter
Definition in file cors-ft-aggregate.c.
| #define FIELD_ENABLED 1 |
Value if field is enabled.
Definition at line 104 of file cors-ft-aggregate.c.
Referenced by main(), and process_flowtuple().
| typedef enum field_index field_index_t |
Set of FlowTuple fields that can be used for aggregation.
| enum field_index |
Set of FlowTuple fields that can be used for aggregation.
Definition at line 79 of file cors-ft-aggregate.c.
| int add_inc_hash | ( | kh_sixt_int_t * | hash, |
| corsaro_flowtuple_t * | t, | ||
| uint32_t | increment | ||
| ) |
Either add the given flowtuple to the hash, or increment the current count.
Definition at line 242 of file cors-ft-aggregate.c.
References corsaro_log_file().
Referenced by process_flowtuple().
|
static |
Either add the given flowtuple to the hash, or add the value to the map.
Definition at line 195 of file cors-ft-aggregate.c.
References corsaro_log_file(), VALUE, and value_field.
Referenced by process_flowtuple().
|
static |
Cleanup and free state.
Definition at line 150 of file cors-ft-aggregate.c.
References corsaro_finalize_input(), corsaro_in_free_record(), and record.
Referenced by init_corsaro(), process_flowtuple(), and process_flowtuple_file().
|
static |
Dump the aggregated FlowTuple records.
Definition at line 363 of file cors-ft-aggregate.c.
References corsaro_io_print_interval_end(), corsaro_io_print_interval_start(), dump_hash_int(), dump_hash_map(), corsaro_interval::number, sixt_f, sixt_v, and corsaro_interval::time.
Referenced by main(), and process_flowtuple_file().
|
static |
Dump a hash of flowtuple records.
Definition at line 338 of file cors-ft-aggregate.c.
References corsaro_flowtuple_free(), and flowtuple_print_64().
Referenced by dump_hash().
|
static |
Dump a map of flowtuple records.
Definition at line 311 of file cors-ft-aggregate.c.
References corsaro_flowtuple_free(), and flowtuple_print_64().
Referenced by dump_hash().
|
static |
Print a flowtuple with a 64 bit value field.
Definition at line 282 of file cors-ft-aggregate.c.
References CORSARO_FLOWTUPLE_SIXT_TO_IP.
Referenced by dump_hash_int(), and dump_hash_map().
|
static |
Initialize a corsaro_in instance for the given input file name.
Definition at line 166 of file cors-ft-aggregate.c.
References clean(), corsaro_alloc_input(), corsaro_in_alloc_record(), corsaro_start_input(), and record.
Referenced by process_flowtuple_file().
| KHASH_INIT | ( | sixt_map | , |
| corsaro_flowtuple_t * | , | ||
| kh_64xx_t * | , | ||
| 1 | , | ||
| corsaro_flowtuple_hash_func | , | ||
| corsaro_flowtuple_hash_equal | |||
| ) |
Initialize the hash functions and datatypes.
| KHASH_INIT | ( | sixt_int | , |
| corsaro_flowtuple_t * | , | ||
| uint64_t | , | ||
| 1 | , | ||
| corsaro_flowtuple_hash_func | , | ||
| corsaro_flowtuple_hash_equal | |||
| ) |
Hash to use when we are aggregating on packets.
| int main | ( | int | argc, |
| char * | argv[] | ||
| ) |
Entry point for the cors-ft-aggregate tool.
A pointer to the file which contains the list of input files
The file currently being processed by corsaro
Definition at line 618 of file cors-ft-aggregate.c.
References corsaro_flowtuple_free(), dump_hash(), FIELD_CNT, FIELD_ENABLED, field_names, fields, interval, legacy, process_flowtuple_file(), sixt_f, sixt_v, usage(), VALUE, and value_field.
|
static |
Process a FlowTuple record.
Definition at line 389 of file cors-ft-aggregate.c.
References add_inc_hash(), add_inc_map(), clean(), CORSARO_FLOWTUPLE_IP_TO_SIXT, CORSARO_FLOWTUPLE_SIXT_TO_IP, DST_IP, DST_PORT, FIELD_CNT, FIELD_ENABLED, fields, IP_LEN, PROTO, sixt_f, sixt_v, SRC_IP, SRC_PORT, TCP_FLAGS, TTL, VALUE, and value_field.
Referenced by process_flowtuple_file().
| int process_flowtuple_file | ( | char * | file | ) |
Process a flowtuple file.
Definition at line 496 of file cors-ft-aggregate.c.
References clean(), corsaro_in_get_record_data(), corsaro_in_read_record(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END, CORSARO_IN_RECORD_TYPE_IO_INTERVAL_START, CORSARO_IN_RECORD_TYPE_NULL, dump_hash(), flowtuple_cnt, init_corsaro(), interval, legacy, next_interval, process_flowtuple(), record, and corsaro_interval::time.
Referenced by main().
|
static |
Print usage information to stderr.
Definition at line 597 of file cors-ft-aggregate.c.
Referenced by main().
|
static |
The corsaro_in instance to read from.
Definition at line 71 of file cors-ft-aggregate.c.
|
static |
Array of strings corresponding to FlowTuple fields.
Definition at line 107 of file cors-ft-aggregate.c.
Referenced by main().
|
static |
An array of enabled fields for aggregation.
Definition at line 123 of file cors-ft-aggregate.c.
Referenced by main(), and process_flowtuple().
|
static |
The number of flowtuple records we have processed.
Definition at line 129 of file cors-ft-aggregate.c.
Referenced by process_flowtuple_file().
|
static |
The amount of time to wait until we dump the hash.
Definition at line 76 of file cors-ft-aggregate.c.
Referenced by corsaro_per_record(), main(), and process_flowtuple_file().
|
static |
the END time of the interval that we last dumped data
Definition at line 132 of file cors-ft-aggregate.c.
|
static |
The time that the last interval ended.
Definition at line 142 of file cors-ft-aggregate.c.
|
static |
Set if reading from a legacy FlowTuple file.
Definition at line 120 of file cors-ft-aggregate.c.
Referenced by main(), and process_flowtuple_file().
|
static |
The time that we need to dump the next interval at.
Definition at line 140 of file cors-ft-aggregate.c.
Referenced by process_flowtuple_file().
|
static |
The record object to read into.
Definition at line 73 of file cors-ft-aggregate.c.
Referenced by clean(), init_corsaro(), and process_flowtuple_file().
|
static |
A map of aggregated flowtuple records.
Definition at line 66 of file cors-ft-aggregate.c.
Referenced by dump_hash(), main(), and process_flowtuple().
|
static |
A hash of aggregated flowtuple records.
Definition at line 68 of file cors-ft-aggregate.c.
Referenced by dump_hash(), main(), and process_flowtuple().
|
static |
The field to use as the value in aggregation.
Definition at line 126 of file cors-ft-aggregate.c.
Referenced by add_inc_map(), main(), and process_flowtuple().
![[CAIDA - Center for Applied Internet Data Analysis logo]](https://www.caida.org/images/caida_globe_faded.png)
![[CAIDA]](https://www.caida.org/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}