29 #include <arpa/inet.h>
57 #ifdef CORSARO_SLASH_EIGHT
59 #define CORSARO_FLOWTUPLE_MAGIC 0x53495854
62 #define CORSARO_FLOWTUPLE_MAGIC 0x53495855
82 #define OUTFILE_POINTERS 2
85 #define PLUGIN_NAME "flowtuple"
98 "flowtuple_backscatter",
108 KHASH_INIT(sixt, corsaro_flowtuple_t*,
char, 0,
112 struct corsaro_flowtuple_state_t {
116 uint16_t current_class;
128 struct corsaro_flowtuple_in_state_t {
138 #define STATE(corsaro) \
139 (CORSARO_PLUGIN_STATE(corsaro, flowtuple, CORSARO_PLUGIN_ID_FLOWTUPLE))
141 #define STATE_IN(corsaro) \
142 (CORSARO_PLUGIN_STATE(corsaro, flowtuple_in, CORSARO_PLUGIN_ID_FLOWTUPLE))
144 #define PLUGIN(corsaro) \
145 (CORSARO_PLUGIN_PLUGIN(corsaro, CORSARO_PLUGIN_ID_FLOWTUPLE))
151 "plugin usage: %s [-s]\n"
152 " -s disable flowtuple output sorting\n",
160 struct corsaro_flowtuple_state_t *state =
STATE(corsaro);
163 if(plugin->
argc <= 0)
171 while((opt = getopt(plugin->
argc, plugin->
argv,
"s?")) >= 0)
188 if(optind != plugin->
argc)
205 libtrace_packet_t *
packet)
211 libtrace_tcp_t *tcp_hdr = NULL;
212 libtrace_icmp_t *icmp_hdr = NULL;
217 if((temp = trace_get_transport(packet, &proto, &remaining)) == NULL)
224 if(proto == TRACE_IPPROTO_TCP && remaining >= 4)
226 tcp_hdr = (libtrace_tcp_t *)temp;
229 if((tcp_hdr->syn && tcp_hdr->ack) || tcp_hdr->rst)
239 else if(proto == TRACE_IPPROTO_ICMP && remaining >= 2)
241 icmp_hdr = (libtrace_icmp_t *)temp;
242 if(icmp_hdr->type == 0 ||
243 icmp_hdr->type == 3 ||
244 icmp_hdr->type == 4 ||
245 icmp_hdr->type == 5 ||
246 icmp_hdr->type == 11 ||
247 icmp_hdr->type == 12 ||
248 icmp_hdr->type == 14 ||
249 icmp_hdr->type == 16 ||
250 icmp_hdr->type == 18)
269 corsaro_flowtuple_t ***sorted)
272 corsaro_flowtuple_t **ptr;
274 if((ptr = malloc(
sizeof(corsaro_flowtuple_t*)*kh_size(hash))) == NULL)
276 corsaro_log(__func__, corsaro,
"could not malloc array for sorted keys");
281 if(kh_size(hash) == 0)
287 for(i = kh_begin(hash); i != kh_end(hash); ++i)
289 if(kh_exist(hash, i))
291 *ptr = kh_key(hash, i);
296 ks_introsort(sixt, kh_size(hash), *sorted);
303 struct corsaro_flowtuple_state_t *state =
STATE(corsaro);
304 kh_sixt_t *h = state->st_hash[dist];
307 corsaro_flowtuple_t **sorted_keys;
311 uint8_t *hptr = &hbuf[0];
324 "could not dump byte flowtuple header to file");
333 if(
sort_hash(corsaro, h, &sorted_keys) != 0)
335 corsaro_log(__func__, corsaro,
"could not sort keys");
338 for(j = 0; j < kh_size(h); j++)
346 "could not write flowtuple to file");
350 free(sorted_keys[j]);
357 for(i = kh_begin(h); i != kh_end(h); ++i)
367 "could not write flowtuple to file");
378 corsaro_log(__func__, corsaro,
"could not dump flowtuple trailer to file");
387 struct corsaro_flowtuple_state_t *state =
STATE(corsaro);
388 kh_sixt_t *h = state->st_hash[dist];
390 corsaro_flowtuple_t **sorted_keys;
395 corsaro_flowtuple_class_start_t class_start;
396 corsaro_flowtuple_class_end_t class_end;
399 class_start.class_type = dist;
400 class_start.count = kh_size(h);
403 class_end.class_type = dist;
413 if(
sort_hash(corsaro, h, &sorted_keys) != 0)
415 corsaro_log(__func__, corsaro,
"could not sort keys");
418 for(j = 0; j < kh_size(h); j++)
423 free(sorted_keys[j]);
430 for(i = kh_begin(h); i != kh_end(h); ++i)
435 STATE(corsaro)->outfile,
452 class->magic = ntohl(class->magic);
453 class->class_type = ntohs(class->class_type);
454 class->count = ntohl(class->count);
474 sizeof(corsaro_flowtuple_class_start_t))) !=
475 sizeof(corsaro_flowtuple_class_start_t))
483 corsaro_log_in(__func__, corsaro,
"could not validate flowtuple class");
485 "it is possible this flowtuple file was written "
486 #ifdef CORSARO_SLASH_EIGHT
491 "optimizations enabled");
493 #ifdef CORSARO_SLASH_EIGHT
494 "--without-slash-eight "
496 "--with-slash-eight=0 "
503 assert(bytes_read ==
sizeof(corsaro_flowtuple_class_start_t));
506 STATE_IN(corsaro)->tuple_total = ((corsaro_flowtuple_class_start_t *)
520 class->magic = ntohl(class->magic);
521 class->class_type = ntohs(class->class_type);
541 sizeof(corsaro_flowtuple_class_end_t))) !=
542 sizeof(corsaro_flowtuple_class_end_t))
550 corsaro_log_in(__func__, corsaro,
"could not validate flowtuple class end");
555 assert(bytes_read ==
sizeof(corsaro_flowtuple_class_end_t));
558 STATE_IN(corsaro)->expected_type = (((corsaro_flowtuple_class_end_t *)
559 record->
buffer)->class_type ==
584 sizeof(corsaro_flowtuple_t))) !=
585 sizeof(corsaro_flowtuple_t))
593 corsaro_log_in(__func__, corsaro,
"could not validate flowtuple");
605 assert(bytes_read ==
sizeof(corsaro_flowtuple_t));
637 buffer[i++] ==
'S' && buffer[i++] ==
'I' &&
638 buffer[i++] ==
'X' && (buffer[i] ==
'T' || buffer[i] ==
'U'))
650 struct corsaro_flowtuple_state_t *state;
652 assert(plugin != NULL);
654 if((state =
malloc_zero(
sizeof(
struct corsaro_flowtuple_state_t))) == NULL)
657 "could not malloc corsaro_flowtuple_state_t");
675 assert(state->st_hash[i] == NULL);
676 state->st_hash[i] = kh_init(sixt);
677 assert(state->st_hash[i] != NULL);
690 struct corsaro_flowtuple_in_state_t *state;
692 assert(plugin != NULL);
694 if((state =
malloc_zero(
sizeof(
struct corsaro_flowtuple_in_state_t))) == NULL)
697 "could not malloc corsaro_flowtuple_state_t");
717 struct corsaro_flowtuple_in_state_t *state =
STATE_IN(corsaro);
730 struct corsaro_flowtuple_state_t *state =
STATE(corsaro);
736 if(state->st_hash[i] != NULL)
739 kh_destroy(sixt, state->st_hash[i]);
740 state->st_hash[i] = NULL;
747 if(state->outfile_p[i] != NULL)
750 state->outfile_p[i] = NULL;
753 state->outfile = NULL;
765 struct corsaro_flowtuple_in_state_t *state =
STATE_IN(corsaro);
767 off_t bytes_read = -1;
770 switch(state->expected_type)
775 record_type, record);
800 record_type, record);
808 corsaro_log_in(__func__, corsaro,
"invalid expected record type");
827 if(
STATE(corsaro)->outfile == NULL)
830 STATE(corsaro)->outfile_p[
STATE(corsaro)->outfile_n] =
835 corsaro_log(__func__, corsaro,
"could not open %s output file",
840 outfile_p[
STATE(corsaro)->outfile_n];
851 struct corsaro_flowtuple_state_t *state =
STATE(corsaro);
858 assert(state->st_hash[i] != NULL);
870 corsaro_log(__func__, corsaro,
"could not dump hash");
879 kh_clear(sixt, state->st_hash[i]);
887 assert(state->outfile != NULL);
890 state->outfile_n = (state->outfile_n+1) %
893 if(state->outfile_p[state->outfile_n] != NULL)
897 state->outfile_p[state->outfile_n]);
898 state->outfile_p[state->outfile_n] = NULL;
901 state->outfile = NULL;
910 libtrace_packet_t *ltpacket =
LT_PKT(packet);
911 libtrace_ip_t *ip_hdr = NULL;
912 libtrace_icmp_t *icmp_hdr = NULL;
913 libtrace_tcp_t *tcp_hdr = NULL;
914 corsaro_flowtuple_t t;
924 if((ip_hdr = trace_get_ip(ltpacket)) == NULL)
930 t.ip_len = ip_hdr->ip_len;
932 t.src_ip = ip_hdr->ip_src.s_addr;
935 t.protocol = ip_hdr->ip_p;
938 t.ttl = ip_hdr->ip_ttl;
940 if(ip_hdr->ip_p == TRACE_IPPROTO_ICMP &&
941 (icmp_hdr = trace_get_icmp(ltpacket)) != NULL)
943 t.src_port = htons(icmp_hdr->type);
944 t.dst_port = htons(icmp_hdr->code);
948 if(ip_hdr->ip_p == TRACE_IPPROTO_TCP &&
949 (tcp_hdr = trace_get_tcp(ltpacket)) != NULL)
954 (tcp_hdr->cwr << 7) |
955 (tcp_hdr->ece << 6) |
956 (tcp_hdr->urg << 5) |
957 (tcp_hdr->ack << 4) |
958 (tcp_hdr->psh << 3) |
959 (tcp_hdr->rst << 2) |
960 (tcp_hdr->syn << 1) |
965 t.src_port = htons(trace_get_source_port(ltpacket));
966 t.dst_port = htons(trace_get_destination_port(ltpacket));
972 corsaro_log(__func__, corsaro,
"could not classify packet");
984 "could not increment value for flowtuple");
992 corsaro_flowtuple_t *flowtuple,
1003 st_hash[
STATE(corsaro)->current_class],
1005 ntohl(flowtuple->packet_cnt)) != 0)
1008 "could not increment value for flowtuple");
1016 corsaro_flowtuple_class_start_t *
class)
1018 STATE(corsaro)->current_class =
class->class_type;
1024 corsaro_flowtuple_class_end_t *
class)
1062 assert(flowtuple != NULL);
1064 return flowtuple->src_ip;
1070 assert(flowtuple != NULL);
1077 corsaro_flowtuple_t *flowtuple)
1079 char ip_a[INET_ADDRSTRLEN];
1080 char ip_b[INET_ADDRSTRLEN];
1083 assert(corsaro != NULL);
1084 assert(file != NULL);
1085 assert(flowtuple != NULL);
1087 tmp = flowtuple->src_ip;
1088 inet_ntop(AF_INET,&tmp, &ip_a[0], 16);
1090 inet_ntop(AF_INET, &tmp, &ip_b[0], 16);
1093 "|%"PRIu16
"|%"PRIu16
1094 "|%"PRIu8
"|%"PRIu8
"|0x%02"PRIx8
1098 ntohs(flowtuple->src_port),
1099 ntohs(flowtuple->dst_port),
1100 flowtuple->protocol,
1102 flowtuple->tcp_flags,
1103 ntohs(flowtuple->ip_len),
1104 ntohl(flowtuple->packet_cnt));
1114 assert(flowtuple != NULL);
1116 tmp = flowtuple->src_ip;
1117 inet_ntop(AF_INET,&tmp, &ip_a[0], 16);
1119 inet_ntop(AF_INET, &tmp, &ip_b[0], 16);
1121 fprintf(stdout,
"%s|%s"
1122 "|%"PRIu16
"|%"PRIu16
1123 "|%"PRIu8
"|%"PRIu8
"|0x%02"PRIx8
1127 ntohs(flowtuple->src_port),
1128 ntohs(flowtuple->dst_port),
1129 flowtuple->protocol,
1131 flowtuple->tcp_flags,
1132 ntohs(flowtuple->ip_len),
1133 ntohl(flowtuple->packet_cnt));
1139 corsaro_flowtuple_class_start_t *
class)
1142 "START %s %"PRIu32
"\n",
1150 fprintf(stdout,
"START %s %"PRIu32
"\n",
class_names[class->class_type],
1157 corsaro_flowtuple_class_end_t *
class)
1166 fprintf(stdout,
"END %s\n",
class_names[class->class_type]);
1178 (corsaro_flowtuple_class_start_t *)record->
buffer);
1183 (corsaro_flowtuple_class_end_t *)record->
buffer);
1188 (corsaro_flowtuple_t *)record->
buffer);
1192 corsaro_log(__func__, corsaro,
"record_type %d not a flowtuple record",
1209 (corsaro_flowtuple_class_start_t *)record->
buffer);
1214 (corsaro_flowtuple_class_end_t *)record->
buffer);
1241 kh_sixt_t *hash = (kh_sixt_t *)h;
1244 corsaro_flowtuple_t *new_6t = NULL;
1246 assert(hash != NULL);
1249 if((khiter = kh_get(sixt, hash, t)) == kh_end(hash))
1252 if((new_6t = malloc(
sizeof(corsaro_flowtuple_t))) == NULL)
1259 memcpy(new_6t, t,
sizeof(corsaro_flowtuple_t));
1262 khiter = kh_put(sixt, hash, new_6t, &khret);
1265 new_6t->packet_cnt = htonl(increment);
1271 new_6t = kh_key(hash, khiter);
1274 assert((UINT32_MAX - ntohl(new_6t->packet_cnt)) > increment);
1276 new_6t->packet_cnt = htonl(ntohl(new_6t->packet_cnt)+increment);
1308 khint32_t h = (khint32_t)ft->
src_ip*59;
1309 #ifdef CORSARO_SLASH_EIGHT
1318 #ifdef CORSARO_SLASH_EIGHT
Structure representing the start or end of an interval.
An opaque structure defining an corsaro input file.
Plugins which write output should ignore this packet.
int corsaro_flowtuple_end_interval(corsaro_t *corsaro, corsaro_interval_t *int_end)
Implements the end_interval function of the plugin API.
Header file dealing with the corsaro plugin manager.
static void usage(corsaro_plugin_t *plugin)
Print usage information to stderr.
int corsaro_flowtuple_process_packet(corsaro_t *corsaro, corsaro_packet_t *packet)
Implements the process_packet function of the plugin API.
int corsaro_flowtuple_process_flowtuple_class_end(corsaro_t *corsaro, corsaro_flowtuple_class_end_t *class)
Implements the process_flowtuple_class_end function of the plugin API.
The highest class value currently in use.
KHASH_INIT(sixt, corsaro_flowtuple_t *, char, 0, corsaro_flowtuple_hash_func, corsaro_flowtuple_hash_equal)
Initialize the hash functions and datatypes.
void bytes_htonl(uint8_t *bytes, uint32_t u32)
Convert a host ordered long to a network ordered byte array.
Header file dealing with the corsaro logging sub-system.
#define CORSARO_FLOWTUPLE_IP_TO_SIXT(n32, flowtuple)
Convert a 32bit network order IP address into the 3 byte flowtuple format.
An opaque structure defining an corsaro output file.
off_t corsaro_flowtuple_class_end_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_end_t *class)
Print a class end record to a file in ASCII format.
corsaro_plugin_t * corsaro_flowtuple_alloc(corsaro_t *corsaro)
Implements the alloc function of the plugin API.
This packet is a backscatter packet.
off_t corsaro_file_printf(struct corsaro *corsaro, corsaro_file_t *file, const char *format,...)
Print a string to an corsaro file.
void corsaro_flowtuple_print(corsaro_flowtuple_t *flowtuple)
Print a FlowTuple to stdout in ASCII format.
A reusable opaque structure for corsaro to read an input record into.
corsaro_plugin_manager_t * plugin_manager
A pointer to the corsaro plugin manager state.
char ** argv
Array of plugin arguments This is populated by the plugin manager in corsaro_plugin_enable_plugin.
uint32_t corsaro_flowtuple_get_destination_ip(corsaro_flowtuple_t *flowtuple)
Convenience function to get the destination IP address from a FlowTuple.
#define LT_PKT(corsaro_packet)
Convenience macro to get to the libtrace packet inside an corsaro packet.
#define STATE(corsaro)
Extends the generic plugin state convenience macro in corsaro_plugin.h.
static int read_class_start(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read a class start record.
off_t corsaro_flowtuple_read_global_data_record(struct corsaro_in *corsaro, enum corsaro_in_record_type *record_type, struct corsaro_in_record *record)
Implements the read_global_data_record function of the plugin API.
int corsaro_flowtuple_close_output(corsaro_t *corsaro)
Implements the close_output function of the plugin API.
corsaro_flowtuple_sort
Possible states for FlowTuple output sorting.
off_t corsaro_flowtuple_record_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print a record to a file in ASCII format.
static int validate_class_end(corsaro_flowtuple_class_end_t *class)
Check that a class end record is valid.
Default FlowTuple output sorting behavior (enabled)
void corsaro_flowtuple_class_end_print(corsaro_flowtuple_class_end_t *class)
Print a class end record to stdout in ASCII format.
FlowTuple output sorting is enabled.
int corsaro_flowtuple_probe_filename(const char *fname)
Implements the probe_filename function of the plugin API.
#define CORSARO_FILE_MODE(file)
Accessor macro for getting the mode of a file.
#define corsaro_flowtuple_hash_equal(alpha, bravo)
Tests two flowtuples for equality.
off_t corsaro_file_rpeek(corsaro_file_in_t *file, void *buffer, off_t len)
Reads from an corsaro input file into the provided buffer, but does not update the read pointer...
void corsaro_file_close(struct corsaro *corsaro, corsaro_file_t *file)
Closes an corsaro output file and frees the writer structure.
#define corsaro_flowtuple_lt(alpha, bravo)
Tests if one flowtuple is less than another.
Header file which exports corsaro_flowtuple plugin API.
static libtrace_packet_t * packet
A pointer to a libtrace packet.
void corsaro_plugin_free_state(corsaro_plugin_manager_t *manager, corsaro_plugin_t *plugin)
Free the state for a plugin.
uint16_t ip_len
Length of the IP packet (from the IP header)
This packet is an ICMP Request packet.
off_t corsaro_flowtuple_read_record(struct corsaro_in *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Implements the read_record function of the plugin API.
int corsaro_flowtuple_process_flowtuple_class_start(corsaro_t *corsaro, corsaro_flowtuple_class_start_t *class)
Implements the process_flowtuple_class_start function of the plugin API.
uint32_t dst_ip
A Structure which represents the 3 useful bytes of the destination ip.
Header file for common utility functions.
A lightweight wrapper around a libtrace packet.
corsaro_plugin_manager_t * plugin_manager
A pointer to the corsaro plugin manager state.
int corsaro_flowtuple_process_flowtuple(corsaro_t *corsaro, corsaro_flowtuple_t *flowtuple, corsaro_packet_state_t *state)
Implements the process_flowtuple function of the plugin API.
KSORT_INIT(sixt, corsaro_flowtuple_t *, corsaro_flowtuple_lt)
Initialize the sorting functions and datatypes.
corsaro_in_record_type
Corsaro input record types.
void corsaro_flowtuple_free(corsaro_flowtuple_t *t)
Free a FlowTuple record.
static int ascii_dump(corsaro_t *corsaro, corsaro_flowtuple_class_type_t dist)
Dump the given flowtuple to the plugin's outfile in ASCII format.
corsaro_file_t * corsaro_io_prepare_file(corsaro_t *corsaro, const char *plugin_name, corsaro_interval_t *interval)
Uses the current settings to open an corsaro file for the given plugin.
off_t corsaro_io_read_interval_end(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval trailers from the file.
void corsaro_plugin_register_state(corsaro_plugin_manager_t *manager, corsaro_plugin_t *plugin, void *state)
Register the state for a plugin.
uint32_t corsaro_flowtuple_get_source_ip(corsaro_flowtuple_t *flowtuple)
Convenience function to get the source IP address from a FlowTuple.
The corsaro_flowtuple flowtuple record.
void corsaro_file_rclose(corsaro_file_in_t *file)
Closes an corsaro input file and frees the reader structure.
int corsaro_plugin_probe_filename(const char *fname, corsaro_plugin_t *plugin)
Check a filename to see if it contains a plugin's name.
static int sort_hash(corsaro_t *corsaro, kh_sixt_t *hash, corsaro_flowtuple_t ***sorted)
Given a st hash, malloc and return a sorted array of pointers.
off_t corsaro_io_write_interval_end(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_end)
Write the appropriate interval trailers to the file.
static int parse_args(corsaro_t *corsaro)
Parse the arguments given to the plugin.
int corsaro_flowtuple_probe_file(corsaro_in_t *corsaro, const char *fturi)
Check if an input file is a FlowTuple file.
#define CORSARO_PLUGIN_GENERATE_TAIL
Convenience macro that defines all the 'remaining' blank fields in a corsaro plugin object...
void * malloc_zero(const size_t size)
Allocate memory and set it to zero.
Header file dealing with the low-level file IO.
#define CORSARO_FLOWTUPLE_SIXT_TO_IP(flowtuple)
Convert the 3byte flowtuple dest ip to 32bits of network ordered uint32.
uint16_t dst_port
The destination port (or ICMP code)
int corsaro_flowtuple_add_inc(void *h, corsaro_flowtuple_t *t, uint32_t increment)
Either add the given flowtuple to the hash, or increment the current count.
enum corsaro_flowtuple_class_type corsaro_flowtuple_class_type_t
Possible classification types for a flowtuple.
FlowTuple output sorting is disabled.
static corsaro_in_record_t * record
A pointer to a corsaro record.
int argc
Count of arguments in argv.
khint32_t corsaro_flowtuple_hash_func(struct corsaro_flowtuple *ft)
Hash the given flowtuple into a 32bit value.
void corsaro_log_in(const char *func, corsaro_in_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro input object.
void bytes_htons(uint8_t *bytes, uint16_t u16)
Convert a host ordered short to a network ordered byte array.
off_t corsaro_io_read_interval_start(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval headers from the file.
int corsaro_is_rotate_interval(corsaro_t *corsaro)
Convenience function to determine if the output files should be rotated.
off_t corsaro_io_read_bytes(corsaro_in_t *corsaro, corsaro_in_record_t *record, off_t len)
Read the given number of bytes into the record.
#define CORSARO_FLOWTUPLE_BYTECNT
Used to give the length of the binary representation of a flowtuple.
The corsaro_flowtuple flowtuple classification type end record.
corsaro_packet_state_t state
The corsaro state associated with this packet.
uint8_t flags
Features of the packet that have been identified by earlier plugins.
uint8_t * buffer
The buffer to read the record into.
corsaro_interval_t interval_start
State for the current interval.
int corsaro_flowtuple_init_input(corsaro_in_t *corsaro)
Implements the init_input function of the plugin API.
uint16_t src_port
The source port (or ICMP type)
Represents the eight important fields in the ip header that we will use to 'uniquely' identify a pack...
The packet is classified as backscatter.
void corsaro_log_file(const char *func, corsaro_file_t *logfile, const char *format,...)
Write a formatted string to a generic log file.
int corsaro_flowtuple_start_interval(corsaro_t *corsaro, corsaro_interval_t *int_start)
Implements the start_interval function of the plugin API.
int corsaro_flowtuple_record_print(corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print a record to stdout in ASCII format.
off_t corsaro_file_write(struct corsaro *corsaro, corsaro_file_t *file, const void *buffer, off_t len)
Writes the contents of a buffer using an corsaro output file.
The corsaro_flowtuple flowtuple classification type start record.
The start of an interval.
#define CORSARO_FLOWTUPLE_SHIFT_AND_XOR(value)
Convenience macro to help with the hashing function.
#define CORSARO_FLOWTUPLE_MAGIC
The magic number for this plugin when not using /8 opts - "SIXU".
uint8_t tcp_flags
TCP Flags (excluding NS)
Corsaro state for a packet.
#define STATE_IN(corsaro)
Extends the generic plugin state convenience macro in corsaro_plugin.h.
void corsaro_flowtuple_class_start_print(corsaro_flowtuple_class_start_t *class)
Print a class start record to stdout in ASCII format.
static int flowtuple_classify_packet(corsaro_t *corsaro, libtrace_packet_t *packet)
Determines the traffic class for a packet; possible options are CORSARO_FLOWTUPLE_CLASS_BACKSCATTER, CORSARO_FLOWTUPLE_CLASS_ICMPREQ, CLASS_OTHER.
static int binary_dump(corsaro_t *corsaro, corsaro_flowtuple_class_type_t dist)
Dump the given flowtuple to the plugin's outfile in binary format.
int corsaro_flowtuple_probe_magic(corsaro_in_t *corsaro, corsaro_file_in_t *file)
Implements the probe_magic function of the plugin API.
Header file dealing with the corsaro file IO.
#define OUTFILE_POINTERS
The number of output file pointers to support non-blocking close at the end of an interval...
The packet is not backscatter, not ICMP Request.
The null type used for wildcard matching.
static int read_flowtuple(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read a flowtuple record.
static int read_class_end(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read a class end record.
off_t corsaro_flowtuple_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_t *flowtuple)
Print a flowtuple to a file in ASCII format.
#define CORSARO_IO_INTERVAL_HEADER_BYTE_LEN
Length of the interval header.
static int validate_flowtuple(corsaro_flowtuple_t *flowtuple)
Attempt to validate a flowtuple record (no-op)
int corsaro_flowtuple_close_input(corsaro_in_t *corsaro)
Implements the close_input function of the plugin API.
corsaro_file_in_t * corsaro_file_ropen(const char *filename)
Creates a new corsaro file reader and opens the provided file for reading.
#define PLUGIN_NAME
The name of this plugin.
off_t corsaro_io_write_interval_start(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_start)
Write the appropriate interval headers to the file.
void corsaro_log(const char *func, corsaro_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro object.
uint32_t src_ip
The source IP.
off_t corsaro_flowtuple_class_start_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_flowtuple_class_start_t *class)
Print a class start record to a file in ASCII format.
uint8_t protocol
The protocol.
int corsaro_flowtuple_init_output(corsaro_t *corsaro)
Implements the init_output function of the plugin API.
enum corsaro_in_record_type corsaro_in_record_type_t
Corsaro input record types.
An corsaro packet processing plugin.
enum corsaro_flowtuple_sort corsaro_flowtuple_sort_t
Possible states for FlowTuple output sorting.
static int validate_class_start(corsaro_flowtuple_class_start_t *class)
Check that a class start record is valid.
#define PLUGIN(corsaro)
Extends the generic plugin plugin convenience macro in corsaro_plugin.h.
static corsaro_plugin_t corsaro_flowtuple_plugin
Common plugin information across all instances.
corsaro_file_in_t * file
The corsaro input file to read data from.
Header file dealing with the internal corsaro functions.
static const char * class_names[]
Array of string names for classes.
![[CAIDA - Center for Applied Internet Data Analysis logo]](https://www.caida.org/images/caida_globe_faded.png)
![[CAIDA]](https://www.caida.org/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}