Header file which exports corsaro_flowtuple plugin API. More...

This graph shows which files directly or indirectly include this file:

Data Structures
struct	corsaro_flowtuple
	Represents the eight important fields in the ip header that we will use to 'uniquely' identify a packet. More...

struct	corsaro_flowtuple_class_start
	Represents the start record of a flowtuple class. More...

struct	corsaro_flowtuple_class_end
	Represents the end record of a flowtuple class. More...

Functions
FlowTuple Convenience Functions
These functions can be used to do some higher-level manipulation with flowtuple records that have been read from a file. They are 'class' functions that can be used without needing an instance of the actual plugin. Note that writing to a file always requires an corsaro output object however.
int	corsaro_flowtuple_probe_file (corsaro_in_t corsaro, const char fturi)
	Determine if the file given contains flowtuple data. More...

uint32_t	corsaro_flowtuple_get_source_ip (struct corsaro_flowtuple *flowtuple)
	Get the source IP of the tuple in network byte order. More...

uint32_t	corsaro_flowtuple_get_destination_ip (struct corsaro_flowtuple *flowtuple)
	Get the destination IP of the tuple in network byte order. More...

off_t	corsaro_flowtuple_fprint (corsaro_t corsaro, corsaro_file_t file, struct corsaro_flowtuple *flowtuple)
	Write a flowtuple to the given corsaro file in ascii. More...

void	corsaro_flowtuple_print (struct corsaro_flowtuple *flowtuple)
	Write a flowtuple to stdout in ascii format. More...

off_t	corsaro_flowtuple_class_start_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_flowtuple_class_start_t *class)
	Write a flowtuple class start record to the given corsaro file in ascii. More...

void	corsaro_flowtuple_class_start_print (corsaro_flowtuple_class_start_t *class)
	Write a flowtuple class start record to stdout in ascii format. More...

off_t	corsaro_flowtuple_class_end_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_flowtuple_class_end_t *class)
	Write a flowtuple class end record to the given corsaro file in ascii. More...

void	corsaro_flowtuple_class_end_print (corsaro_flowtuple_class_end_t *class)
	Write a flowtuple class end record to stdout in ascii format. More...

off_t	corsaro_flowtuple_record_fprint (corsaro_t corsaro, corsaro_file_t file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Write a generic flowtuple record to the given corsaro file in ascii. More...

int	corsaro_flowtuple_record_print (corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
	Write a generic flowtuple record to stdout in ascii format. More...

FlowTuple Structures
These data structures are used when reading flowtuple files.
enum	corsaro_flowtuple_class_type { CORSARO_FLOWTUPLE_CLASS_BACKSCATTER = 0, CORSARO_FLOWTUPLE_CLASS_ICMPREQ = 1, CORSARO_FLOWTUPLE_CLASS_OTHER = 2, CORSARO_FLOWTUPLE_CLASS_MAX = CORSARO_FLOWTUPLE_CLASS_OTHER }
	Possible classification types for a flowtuple. More...

typedef enum corsaro_flowtuple_class_type	corsaro_flowtuple_class_type_t
	Possible classification types for a flowtuple. More...

struct corsaro_flowtuple	PACKED

FlowTuple Hashing Functions
These functions and data structures can be used by third-party programs to efficiently store eight tuple records in a hash table.
#define	CORSARO_FLOWTUPLE_BYTECNT (sizeof(struct corsaro_flowtuple)) /* (4+3+2+2+1+1+1+2)+4*/
	Used to give the length of the binary representation of a flowtuple. More...

#define	CORSARO_FLOWTUPLE_IP_TO_SIXT(n32, flowtuple)
	Convert a 32bit network order IP address into the 3 byte flowtuple format. More...

#define	CORSARO_FLOWTUPLE_SIXT_TO_IP(flowtuple) ((flowtuple)->dst_ip)
	Convert the 3byte flowtuple dest ip to 32bits of network ordered uint32. More...

#define	CORSARO_FLOWTUPLE_SHIFT_AND_XOR(value) h ^= (h<<5) + (h>>27) + (value)
	Convenience macro to help with the hashing function. More...

#define	corsaro_flowtuple_hash_equal(alpha, bravo)
	Tests two flowtuples for equality. More...

#define	corsaro_flowtuple_lt(alpha, bravo)
	Tests if one flowtuple is less than another. More...

khint32_t	corsaro_flowtuple_hash_func (struct corsaro_flowtuple *ft)
	Hash the given flowtuple into a 32bit value. More...

void	corsaro_flowtuple_free (struct corsaro_flowtuple *t)
	Free memory allocated for a flowtuple structure. More...

int	corsaro_flowtuple_add_inc (void hash, struct corsaro_flowtuple t, uint32_t increment)
	Either add the given flowtuple to the hash, or increment the current count. More...

Detailed Description

Header file which exports corsaro_flowtuple plugin API.

Author: Alistair King

Definition in file corsaro_flowtuple.h.

Macro Definition Documentation

#define CORSARO_FLOWTUPLE_BYTECNT (sizeof(struct corsaro_flowtuple)) /* (4+3+2+2+1+1+1+2)+4*/

Used to give the length of the binary representation of a flowtuple.

These values correspond to:

     0                              32                              64
     ----------------------------------------------------------------
     |            src_ip             |      dst_ip >> 8      |  src_    
     ----------------------------------------------------------------
      port   |   dst_port    | proto |  ttl  |tcp_flg|    ip_len    |
     ----------------------------------------------------------------
     | value...     | 
     ----------------

DEPRECATED: Note that the 'value' field is not considered part of the flowtuple and as such, the total record length will be FLOWTUPLE_BITCNT + value_len which, given the current implementation is FLOWTUPLE_BITCNT + 4 or (4+3+2+2+1+1+1+2) + 4 or 160 bits (20 bytes)

Definition at line 291 of file corsaro_flowtuple.h.

Referenced by binary_dump().

#define corsaro_flowtuple_hash_equal	(	alpha,
		bravo
	)

Value:

(                                                                       \
   (alpha)->src_ip    == (bravo)->src_ip    &&                          \
   (alpha)->dst_ip    == (bravo)->dst_ip    &&                          \
   (alpha)->src_port  == (bravo)->src_port  &&                          \
   (alpha)->dst_port  == (bravo)->dst_port  &&                          \
   (alpha)->protocol  == (bravo)->protocol  &&                          \
   (alpha)->ttl       == (bravo)->ttl       &&                          \
   (alpha)->tcp_flags == (bravo)->tcp_flags &&                          \
   (alpha)->ip_len    == (bravo)->ip_len                                \
                                                                        )

Tests two flowtuples for equality.

Definition at line 373 of file corsaro_flowtuple.h.

#define CORSARO_FLOWTUPLE_IP_TO_SIXT	(	n32,
		flowtuple
	)

Value:

{                                                                       \
    (flowtuple)->dst_ip = n32;                                          \
  }

Convert a 32bit network order IP address into the 3 byte flowtuple format.

Definition at line 303 of file corsaro_flowtuple.h.

Referenced by corsaro_flowtuple_process_packet(), and process_flowtuple().

#define corsaro_flowtuple_lt	(	alpha,
		bravo
	)

Tests if one flowtuple is less than another.

This sort macro has been optimized to provide the best compression when dumping the flowtuple to binary and using GZIP compression

Definition at line 451 of file corsaro_flowtuple.h.

#define CORSARO_FLOWTUPLE_SHIFT_AND_XOR ( value ) h ^= (h<<5) + (h>>27) + (value)

Convenience macro to help with the hashing function.

Definition at line 324 of file corsaro_flowtuple.h.

Referenced by corsaro_flowtuple_hash_func().

#define CORSARO_FLOWTUPLE_SIXT_TO_IP ( flowtuple ) ((flowtuple)->dst_ip)

Convert the 3byte flowtuple dest ip to 32bits of network ordered uint32.

Definition at line 319 of file corsaro_flowtuple.h.

Referenced by corsaro_flowtuple_fprint(), corsaro_flowtuple_get_destination_ip(), corsaro_flowtuple_print(), flowtuple_print_64(), and process_flowtuple().

Typedef Documentation

typedef enum corsaro_flowtuple_class_type corsaro_flowtuple_class_type_t

Possible classification types for a flowtuple.

Enumeration Type Documentation

enum corsaro_flowtuple_class_type

Possible classification types for a flowtuple.

Enumerator
CORSARO_FLOWTUPLE_CLASS_BACKSCATTER	This packet is a backscatter packet.
CORSARO_FLOWTUPLE_CLASS_ICMPREQ	This packet is an ICMP Request packet.
CORSARO_FLOWTUPLE_CLASS_OTHER	The packet is not backscatter, not ICMP Request.
CORSARO_FLOWTUPLE_CLASS_MAX	The highest class value currently in use.

Definition at line 114 of file corsaro_flowtuple.h.

Function Documentation

int corsaro_flowtuple_add_inc	(	void *	hash,
		struct corsaro_flowtuple *	t,
		uint32_t	increment
	)

Either add the given flowtuple to the hash, or increment the current count.

Parameters

hash	The hash to check/add to
t	The flowtuple to look for
increment	The amount to increment by

Returns: 0 if the operation completed successfully, -1 if an error occurs

off_t corsaro_flowtuple_class_end_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_flowtuple_class_end_t *	class
	)

Write a flowtuple class end record to the given corsaro file in ascii.

Parameters

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
class	The class end record to write out

Returns: the number of bytes written, -1 if an error occurs

Write a flowtuple class end record to the given corsaro file in ascii.

Definition at line 1155 of file corsaro_flowtuple.c.

References class_names, and corsaro_file_printf().

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_end_print ( corsaro_flowtuple_class_end_t * class )

Write a flowtuple class end record to stdout in ascii format.

Parameters

class The class end record to write out

Write a flowtuple class end record to stdout in ascii format.

Definition at line 1164 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_class_start_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_flowtuple_class_start_t *	class
	)

Write a flowtuple class start record to the given corsaro file in ascii.

Parameters

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
class	The class start record to write out

Returns: the number of bytes written, -1 if an error occurs

Write a flowtuple class start record to the given corsaro file in ascii.

Definition at line 1137 of file corsaro_flowtuple.c.

References class_names, and corsaro_file_printf().

Referenced by ascii_dump(), and corsaro_flowtuple_record_fprint().

void corsaro_flowtuple_class_start_print ( corsaro_flowtuple_class_start_t * class )

Write a flowtuple class start record to stdout in ascii format.

Parameters

class The class start record to write out

Write a flowtuple class start record to stdout in ascii format.

Definition at line 1148 of file corsaro_flowtuple.c.

References class_names.

Referenced by corsaro_flowtuple_record_print().

off_t corsaro_flowtuple_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		struct corsaro_flowtuple *	flowtuple
	)

Write a flowtuple to the given corsaro file in ascii.

Parameters

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
flowtuple	The flowtuple to write out

Returns: the number of bytes written, -1 if an error occurs

void corsaro_flowtuple_free ( struct corsaro_flowtuple * t )

Free memory allocated for a flowtuple structure.

Parameters

t	The flowtuple to free

uint32_t corsaro_flowtuple_get_destination_ip ( struct corsaro_flowtuple * flowtuple )

Get the destination IP of the tuple in network byte order.

Parameters

flowtuple The flowtuple record to extract the IP from

Returns: the destination IP of the flowtuple

uint32_t corsaro_flowtuple_get_source_ip ( struct corsaro_flowtuple * flowtuple )

Get the source IP of the tuple in network byte order.

Parameters

flowtuple The flowtuple record to extract the IP from

Returns: the source IP of the flowtuple

khint32_t corsaro_flowtuple_hash_func ( struct corsaro_flowtuple * ft )

Hash the given flowtuple into a 32bit value.

Parameters

ft	Pointer to the flowtuple record to hash

Returns: the hashed value

The flowtuple is hashed based on the following table:

With slash eight optimization:

| SRC_IP * 59 |

| | DST_IP << 8 | PROTO |

| SRC_PORT <<16 | DST_PORT |

| TTL |TCP_FLG| LEN |

Without slash eight optimization:

| SRC_IP * 59 |

| DST_IP |

| SRC_PORT <<16 | DST_PORT |

| TTL |TCP_FLG|PROTO| LEN |

Definition at line 1306 of file corsaro_flowtuple.c.

References CORSARO_FLOWTUPLE_SHIFT_AND_XOR, corsaro_flowtuple::dst_ip, corsaro_flowtuple::dst_port, corsaro_flowtuple::ip_len, corsaro_flowtuple::protocol, corsaro_flowtuple::src_ip, corsaro_flowtuple::src_port, corsaro_flowtuple::tcp_flags, and corsaro_flowtuple::ttl.

void corsaro_flowtuple_print ( struct corsaro_flowtuple * flowtuple )

Write a flowtuple to stdout in ascii format.

Parameters

flowtuple The flowtuple to write out

int corsaro_flowtuple_probe_file	(	corsaro_in_t *	corsaro,
		const char *	fturi
	)

Determine if the file given contains flowtuple data.

Parameters

corsaro	The corsaro object to associate with the file
fturi	The file name to check

This function first checks the filename, and then failing that, the magic number in the header of the file to determine if it is a flowtuple file.

Determine if the file given contains flowtuple data.

Definition at line 1033 of file corsaro_flowtuple.c.

References CORSARO_FILE_MODE, CORSARO_FILE_MODE_BINARY, corsaro_file_rclose(), corsaro_file_ropen(), corsaro_flowtuple_probe_filename(), and corsaro_flowtuple_probe_magic().

Referenced by main().

off_t corsaro_flowtuple_record_fprint	(	corsaro_t *	corsaro,
		corsaro_file_t *	file,
		corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Write a generic flowtuple record to the given corsaro file in ascii.

Parameters

corsaro	The corsaro object associated with the file
file	The corsaro file to write to
record_type	The type of the record
record	The record to write out

Returns: the number of bytes written, -1 if an error occurs

Write a generic flowtuple record to the given corsaro file in ascii.

Definition at line 1170 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_fprint(), corsaro_flowtuple_class_start_fprint(), corsaro_flowtuple_fprint(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE, and corsaro_log().

Referenced by corsaro_io_write_record().

int corsaro_flowtuple_record_print	(	corsaro_in_record_type_t	record_type,
		corsaro_in_record_t *	record
	)

Write a generic flowtuple record to stdout in ascii format.

Parameters

record_type	The type of the record
record	The record to write out

Returns: 0 if successful, -1 if an error occurs

Write a generic flowtuple record to stdout in ascii format.

Definition at line 1202 of file corsaro_flowtuple.c.

References corsaro_in_record::buffer, corsaro_flowtuple_class_end_print(), corsaro_flowtuple_class_start_print(), corsaro_flowtuple_print(), CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_END, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_CLASS_START, CORSARO_IN_RECORD_TYPE_FLOWTUPLE_FLOWTUPLE, and corsaro_log_file().

Referenced by corsaro_io_print_record().

Data Structures

Functions

FlowTuple Structures

FlowTuple Hashing Functions

Detailed Description

Macro Definition Documentation

Typedef Documentation

Enumeration Type Documentation

Function Documentation

With slash eight optimization:

| SRC_IP * 59 |

| | DST_IP << 8 | PROTO |

| SRC_PORT <<16 | DST_PORT |

| TTL |TCP_FLG| LEN |

Without slash eight optimization:

| SRC_IP * 59 |

| DST_IP |

| SRC_PORT <<16 | DST_PORT |

| TTL |TCP_FLG|PROTO| LEN |