34 #ifdef HAVE_SYS_TIME_H
48 #ifdef WITH_PLUGIN_SIXT
51 #ifdef WITH_PLUGIN_DOS
52 #include "corsaro_dos.h"
59 typedef struct output_funcs
75 #define GENERATE_OUTPUT_FUNCS(o) \
76 {output_headers_##o, output_interval_start_##o, output_interval_end_##o, \
77 output_plugin_start_##o, output_plugin_end_##o, output_trailers_##o}
79 #define GENERATE_OUTPUT_FUNC_PROTOS(o) \
80 static int output_headers_##o(corsaro_t *corsaro, corsaro_file_t *file, \
81 corsaro_header_t *header); \
82 static int output_interval_start_##o(corsaro_t *corsaro, \
83 corsaro_file_t *file, \
84 corsaro_interval_t *int_start); \
85 static int output_interval_end_##o(corsaro_t *corsaro, \
86 corsaro_file_t *file, \
87 corsaro_interval_t *int_end); \
88 static int output_plugin_start_##o(corsaro_t *corsaro, corsaro_file_t *file, \
89 corsaro_plugin_t *plugin); \
90 static int output_plugin_end_##o(corsaro_t *corsaro, corsaro_file_t *file, \
91 corsaro_plugin_t *plugin); \
92 static int output_trailers_##o(corsaro_t *corsaro, corsaro_file_t *file, \
93 corsaro_trailer_t *trailer);
95 GENERATE_OUTPUT_FUNC_PROTOS(ascii);
96 GENERATE_OUTPUT_FUNC_PROTOS(binary);
98 static output_funcs_t output_funcs[] = {
99 GENERATE_OUTPUT_FUNCS(ascii),
100 GENERATE_OUTPUT_FUNCS(binary),
115 uint32_t bytes_out = 0;
139 "# CORSARO_VERSION %"PRIu8
".%"PRIu8
"\n",
156 "# CORSARO_PLUGIN %s\n",
165 "# CORSARO_PLUGIN %s\n",
181 uint8_t *ptr = &fbuffer[0];
185 uint32_t bytes_out = 0;
194 *ptr = CORSARO_MAJOR_VERSION;
196 *ptr = CORSARO_MID_VERSION;
210 corsaro_log(__func__, corsaro,
"could not dump byte array to file");
219 tmp_len = strlen(corsaro->
uridata);
223 corsaro_log(__func__, corsaro,
"could not dump traceuri length to file");
228 corsaro_log(__func__, corsaro,
"could not dump traceuri string to file");
231 bytes_out += 2 + tmp_len;
235 memset(&tmp[0], 0, 2);
238 corsaro_log(__func__, corsaro,
"could not dump zero traceuri length to file");
256 corsaro_log(__func__, corsaro,
"could not dump plugins cnt to file");
266 corsaro_log(__func__, corsaro,
"could not dump plugin magic to file");
284 "# CORSARO_INTERVAL_START %d %ld\n",
292 "# CORSARO_INTERVAL_END %d %ld\n",
304 uint8_t *iptr = &ibuff[0];
319 corsaro_log(__func__, corsaro,
"could not dump interval header to file");
334 corsaro_log(__func__, corsaro,
"could not dump interval header to file");
344 return write_interval_header_binary(corsaro, file, int_start);
350 return write_interval_header_binary(corsaro, file, int_end);
357 "# CORSARO_PLUGIN_DATA_START %s\n",
365 "# CORSARO_PLUGIN_DATA_END %s\n",
374 htonl(CORSARO_MAGIC_DATA),
375 htonl(plugin->
magic),
383 "could not dump interval data header to file");
392 return write_plugin_header_binary(corsaro, file, plugin);
398 return write_plugin_header_binary(corsaro, file, plugin);
411 uint32_t bytes_out = 0;
419 "# CORSARO_PACKETCNT %"PRIu64
"\n",
421 if(acnt != UINT64_MAX)
424 "# CORSARO_ACCEPTEDCNT %"PRIu64
"\n",
427 if(dcnt != UINT64_MAX)
430 "# CORSARO_DROPPEDCNT %"PRIu64
"\n",
451 uint8_t *ptr = &buff[0];
485 corsaro_log(__func__, corsaro,
"could not dump trailers to file");
493 static char *stradd(
const char *str,
char *bufp,
char *buflim)
495 while(bufp < buflim && (*bufp = *str++) !=
'\0')
502 static char *generate_file_name(
corsaro_t *corsaro,
const char *plugin,
515 char *buflim = buf+
sizeof(buf);
533 else if(*tmpl ==
'%')
549 bufp = stradd(plugin, bufp, buflim);
555 snprintf(secs,
sizeof(secs),
"%"PRIu32, interval->
time);
556 bufp = stradd(secs, bufp, buflim);
576 tv.tv_sec = interval->
time;
577 strftime(tbuf,
sizeof(tbuf), buf, gmtime(&tv.tv_sec));
610 interval->
time = ntohl(interval->
time);
630 pd->
magic != CORSARO_MAGIC_DATA)
654 t->
magic != CORSARO_MAGIC_TRAILER)
677 corsaro_log_in(__func__, corsaro,
"could not validate plugin data");
689 const char *plugin_name,
700 const char *plugin_name,
711 if((outfileuri = generate_file_name(corsaro, plugin_name,
712 interval, compress)) == NULL)
714 corsaro_log(__func__, corsaro,
"could not generate file name for %s",
726 corsaro_log(__func__, corsaro,
"could not open %s for writing",
742 corsaro_log(__func__, corsaro,
"output template must be set");
749 corsaro_log(__func__, corsaro,
"template string must contain %s",
800 fprintf(stdout,
"# CORSARO_VERSION %"PRIu8
".%"PRIu8
"\n",
802 fprintf(stdout,
"# CORSARO_INITTIME %"PRIu32
"\n",
804 fprintf(stdout,
"# CORSARO_INTERVAL %"PRIu16
"\n", header->
interval_length);
808 fprintf(stdout,
"# CORSARO_TRACEURI %s\n", header->
traceuri);
812 fprintf(stdout,
"# CORSARO_PLUGIN %s\n",
833 fprintf(stdout,
"# CORSARO_PACKETCNT %"PRIu64
"\n",
837 fprintf(stdout,
"# CORSARO_ACCEPTEDCNT %"PRIu64
"\n",
842 fprintf(stdout,
"# CORSARO_DROPPEDCNT %"PRIu64
"\n",
845 fprintf(stdout,
"# CORSARO_FIRSTPKT %"PRIu32
"\n",
847 fprintf(stdout,
"# CORSARO_LASTPKT %"PRIu32
"\n",
849 fprintf(stdout,
"# CORSARO_FINALTIME %"PRIu32
"\n",
851 fprintf(stdout,
"# CORSARO_RUNTIME %"PRIu32
"\n",
868 "# CORSARO_INTERVAL_START %d %"PRIu32
"\n",
884 "# CORSARO_INTERVAL_END %d %"PRIu32
"\n",
894 assert(plugin != NULL);
902 fprintf(stdout,
"# CORSARO_PLUGIN_DATA_START %s\n", plugin->
name);
910 assert(plugin != NULL);
918 fprintf(stdout,
"# CORSARO_PLUGIN_DATA_END %s\n", plugin->
name);
965 corsaro_log(__func__, corsaro,
"invalid plugin magic detected");
966 corsaro_log(__func__, corsaro,
"is corsaro built with all"
967 "necessary plugins?");
978 corsaro_log(__func__, corsaro,
"invalid plugin magic detected");
979 corsaro_log(__func__, corsaro,
"is corsaro built with all"
980 "necessary plugins?");
989 #ifdef WITH_PLUGIN_SIXT
992 corsaro_log(__func__, corsaro,
"corsaro is not built with flowtuple support");
1000 #ifdef WITH_PLUGIN_DOS
1003 corsaro_log(__func__, corsaro,
"corsaro is not built with dos support");
1009 corsaro_log(__func__, corsaro,
"invalid record type %d\n", (
int)record_type);
1053 fprintf(stderr,
"invalid plugin magic detected\n");
1054 fprintf(stderr,
"is corsaro built with all"
1055 "necessary plugins?\n");
1058 corsaro_io_print_plugin_start(plugin);
1066 fprintf(stderr,
"invalid plugin magic detected\n");
1067 fprintf(stderr,
"is corsaro built with all"
1068 "necessary plugins?\n");
1071 corsaro_io_print_plugin_end(plugin);
1077 #ifdef WITH_PLUGIN_SIXT
1080 fprintf(stdout,
"corsaro is not built with flowtuple support\n");
1088 #ifdef WITH_PLUGIN_DOS
1091 fprintf(stdout,
"corsaro is not built with dos support\n");
1097 fprintf(stderr,
"invalid record type %d\n", (
int)record_type);
1125 if(validate_header_static(header) != 1)
1132 if(header->traceuri_len == 0)
1134 header->traceuri = NULL;
1141 header->traceuri_len)) !=
1142 (bsbread+=header->traceuri_len))
1145 "failed to read traceuri from file");
1150 offset += header->traceuri_len;
1151 *(record->
buffer+offset) =
'\0';
1160 sizeof(uint16_t))) !=
1161 (bsbread+=
sizeof(uint16_t)))
1164 "failed to read plugin count from file");
1169 header->plugin_cnt = ntohs(header->plugin_cnt);
1171 if(header->plugin_cnt == 0)
1173 header->plugin_magics = NULL;
1181 *header->plugin_cnt)) !=
1182 (bsbread+=
sizeof(uint32_t)*header->plugin_cnt))
1185 "failed to read plugin magics from file");
1189 header->plugin_magics = (uint32_t*)(record->
buffer+offset);
1192 for(i =0; i<header->plugin_cnt;i++)
1194 header->plugin_magics[i] = ntohl(header->plugin_magics[i]);
1198 +header->traceuri_len+
sizeof(uint16_t)
1199 +(header->plugin_cnt*
sizeof(uint32_t)));
1248 corsaro_log_in(__func__, corsaro,
"could not validate interval");
1276 corsaro_log_in(__func__, corsaro,
"could not validate interval");
1293 off_t bread = read_plugin_data(corsaro, file, record_type, record);
1307 off_t bread = read_plugin_data(corsaro, file, record_type, record);
1328 off_t offset, off_t len)
1334 (record->
buffer)+offset, len);
Structure representing the start or end of an interval.
The start of a plugin data section.
An opaque structure defining an corsaro input file.
uint32_t last_packet_time
The trace time of the last packet (seconds)
off_t corsaro_io_write_record(corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Write a generic corsaro record to the file.
#define CORSARO_FILE_BZ2_SUFFIX
The suffix used to detect bzip output is desired.
int interval
The number of seconds after which plugins will be asked to dump data.
off_t corsaro_io_read_plugin_start(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate plugin header from the file.
const char * name
The name of this plugin used in the ascii output and eventually to allow plugins to be enabled and di...
Header file dealing with the corsaro plugin manager.
int compress_level
The compression level (ignored if not compressing)
Header file which exports the public libcorsaro API.
void corsaro_io_print_interval_start(corsaro_interval_t *int_start)
Write the interval headers to stdout.
void bytes_htonl(uint8_t *bytes, uint32_t u32)
Convert a host ordered long to a network ordered byte array.
Header file dealing with the corsaro logging sub-system.
Structure representing the start or end of a plugin data block.
uint64_t packet_cnt
The total number of packets that have been processed.
An opaque structure defining an corsaro output file.
off_t corsaro_file_printf(struct corsaro *corsaro, corsaro_file_t *file, const char *format,...)
Print a string to an corsaro file.
struct timeval init_time
The local wall time that corsaro was started at.
A reusable opaque structure for corsaro to read an input record into.
corsaro_file_mode_t output_mode
The default output mode for new files.
void corsaro_io_print_interval_end(corsaro_interval_t *int_end)
Write the interval trailers to stdout.
#define CORSARO_IO_PLUGIN_PATTERN
The character to replace with the name of the plugin.
uint32_t corsaro_magic
The global corsaro magic number.
size_t buffer_len
The length of the buffer.
corsaro_file_t * corsaro_io_prepare_file_full(corsaro_t *corsaro, const char *plugin_name, corsaro_interval_t *interval, corsaro_file_mode_t mode, corsaro_file_compress_t compress, int compress_level, int flags)
Uses the given settings to open an corsaro file for the given plugin.
uint32_t magic
The interval magic number.
off_t corsaro_flowtuple_record_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print a record to a file in ASCII format.
off_t corsaro_io_read_plugin_end(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate plugin trailer from the file.
off_t corsaro_io_read_trailer(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the corsaro trailers from the file.
uint32_t plugin_magic
The plugin magic.
#define CORSARO_FILE_MODE(file)
Accessor macro for getting the mode of a file.
int corsaro_dos_record_print(corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print any DoS record to a file in ASCII format.
corsaro_plugin_t * corsaro_plugin_next(corsaro_plugin_manager_t *manager, corsaro_plugin_t *plugin)
Retrieve the next plugin in the list.
uint16_t plugins_cnt
The number of active plugins.
uint32_t corsaro_magic
The global corsaro magic number.
struct timeval last_ts
The time of the most recent packet seen by corsaro.
Header file which exports corsaro_flowtuple plugin API.
void corsaro_io_print_trailer(corsaro_trailer_t *trailer)
Write the corsaro trailers to stdout.
corsaro_plugin_t * corsaro_plugin_get_by_magic(corsaro_plugin_manager_t *manager, uint32_t id)
Attempt to retrieve a plugin by magic number (not by using magic)
uint16_t number
The interval number (starts at 0)
corsaro header magic number - "HEAD"
off_t corsaro_io_read_bytes_offset(corsaro_in_t *corsaro, corsaro_in_record_t *record, off_t offset, off_t len)
Read the given number of bytes into the record buffer at the given offset.
uint16_t * plugins_enabled
An array of plugin ids that have been enabled by the user.
struct corsaro_header corsaro_header_t
Opaque struct representing a corsaro file header.
Header file for common utility functions.
struct corsaro_plugin_data corsaro_plugin_data_t
Opaque struct representing the start of end of a plugin data block.
corsaro_plugin_manager_t * plugin_manager
A pointer to the corsaro plugin manager state.
Holds the metadata for the plugin manager.
Overall corsaro magic number - "EDGR".
Structure representing a corsaro file trailer.
corsaro_file_t * corsaro_io_prepare_file(corsaro_t *corsaro, const char *plugin_name, corsaro_interval_t *interval)
Uses the current settings to open an corsaro file for the given plugin.
off_t corsaro_io_read_interval_end(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval trailers from the file.
#define CORSARO_IO_HEADER_FIXED_BYTE_LEN
Length of the fixed part of the global corsaro header.
uint32_t first_packet_time
The trace time of the first packet (seconds)
The corsaro_flowtuple flowtuple record.
uint64_t packet_cnt
The total number of packets that corsaro processed.
off_t corsaro_io_write_interval_end(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_end)
Write the appropriate interval trailers to the file.
#define CORSARO_IO_MONITOR_PATTERN
The character to replace with the monitor name.
const char * corsaro_plugin_get_name_by_magic(corsaro_plugin_manager_t *manager, uint32_t magic)
Get the name of a plugin given it's magic number.
uint64_t corsaro_get_accepted_packets(corsaro_t *corsaro)
Accessor function to get the number of accepted packets in this interval.
uint32_t magic
The trailer magic number.
Header file dealing with the low-level file IO.
off_t corsaro_io_write_header(corsaro_t *corsaro, corsaro_file_t *file, corsaro_header_t *header)
Write the corsaro headers to the file.
static int interval
The amount of time to wait until we dump the hash.
uint64_t accepted_cnt
The number of packets libtrace reports as accepted.
static corsaro_in_record_t * record
A pointer to a corsaro record.
void corsaro_log_in(const char *func, corsaro_in_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro input object.
void bytes_htons(uint8_t *bytes, uint16_t u16)
Convert a host ordered short to a network ordered byte array.
off_t corsaro_io_read_interval_start(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the appropriate interval headers from the file.
int corsaro_io_template_has_timestamp(corsaro_t *corsaro)
Determines whether there are any time-related patterns in the file template.
The overall corsaro trailer (currently only in global)
struct corsaro_interval corsaro_interval_t
Opaque struct representing the start or end of an interval.
off_t corsaro_io_read_bytes(corsaro_in_t *corsaro, corsaro_in_record_t *record, off_t len)
Read the given number of bytes into the record.
int corsaro_io_print_record(corsaro_plugin_manager_t *plugin_manager, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print a generic corsaro record to stdout.
#define CORSARO_FILE_ZLIB_SUFFIX
The suffix used to detect gzip output is desired.
enum corsaro_file_compress corsaro_file_compress_t
Supported compression types (must be kept in sync with wandio)
int corsaro_io_validate_template(corsaro_t *corsaro, char *template)
Validates a output file template for needed features.
The corsaro_flowtuple flowtuple classification type end record.
static corsaro_t * corsaro
A pointer to the instance of corsaro that we will drive.
off_t corsaro_dos_record_fprint(corsaro_t *corsaro, corsaro_file_t *file, corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print any DoS record to stdout in ASCII format.
off_t corsaro_file_rread(corsaro_file_in_t *file, void *buffer, off_t len)
Reads from an corsaro input file into the provided buffer.
uint8_t * buffer
The buffer to read the record into.
off_t corsaro_io_write_plugin_end(corsaro_t *corsaro, corsaro_file_t *file, corsaro_plugin_t *plugin)
Write the appropriate plugin trailer to the file.
corsaro interval magic number - "INTR"
uint32_t time
The time this interval started/ended.
int corsaro_flowtuple_record_print(corsaro_in_record_type_t record_type, corsaro_in_record_t *record)
Print a record to stdout in ASCII format.
off_t corsaro_file_write(struct corsaro *corsaro, corsaro_file_t *file, const void *buffer, off_t len)
Writes the contents of a buffer using an corsaro output file.
char * monitorname
The name of the monitor that corsaro is running on.
The end of a plugin data section.
void corsaro_io_print_header(corsaro_plugin_manager_t *plugin_manager, corsaro_header_t *header)
Write the corsaro headers to stdout.
The corsaro_flowtuple flowtuple classification type start record.
uint32_t corsaro_magic
The global corsaro magic number.
The start of an interval.
The overall corsaro header (currently only in global)
char * uridata
The uri that was used to open the trace file.
The corsaro_dos attack vector record.
The corsaro_dos global header record.
The corsaro_dos header record.
uint32_t magic
The plugin data magic number.
corsaro_file_t * corsaro_file_open(struct corsaro *corsaro, const char *filename, corsaro_file_mode_t mode, corsaro_file_compress_t compress_type, int compress_level, int flags)
Creates a new corsaro file write and opens the provided file for writing.
corsaro_file_compress_t compress
The compression type (based on the file name)
uint16_t plugins_enabled_cnt
The number of plugin ids in the plugins_enabled array.
#define CORSARO_IO_TRAILER_BYTE_LEN
Length of the corsaro trailer.
Header file dealing with the corsaro file IO.
uint32_t local_final_time
The time that corsaro completed processing the trace.
struct timeval first_ts
The time of the the first packet seen by corsaro.
The null type used for wildcard matching.
void bytes_htonll(uint8_t *bytes, uint64_t u64)
Convert a host ordered long-long (64 bit) to a network ordered byte array.
void gettimeofday_wrap(struct timeval *tv)
Convenience function to get the current time of day.
uint64_t corsaro_get_dropped_packets(corsaro_t *corsaro)
Accessor function to get the number of dropped packets in this interval.
#define CORSARO_IO_INTERVAL_HEADER_BYTE_LEN
Length of the interval header.
uint32_t runtime
The number of (wall) seconds that corsaro took to process the trace.
off_t corsaro_io_write_trailer(corsaro_t *corsaro, corsaro_file_t *file, corsaro_trailer_t *trailer)
Write the corsaro trailers to the file.
off_t corsaro_io_write_interval_start(corsaro_t *corsaro, corsaro_file_t *file, corsaro_interval_t *int_start)
Write the appropriate interval headers to the file.
uint64_t dropped_cnt
The number of packets libtrace reports as dropped.
void corsaro_log(const char *func, corsaro_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro object.
enum corsaro_file_mode corsaro_file_mode_t
Enum of supported file modes.
const uint32_t magic
The magic number for this plugin's data.
char * template
The template used to create corsaro output files.
off_t corsaro_io_write_plugin_start(corsaro_t *corsaro, corsaro_file_t *file, corsaro_plugin_t *plugin)
Write the appropriate plugin header to the file.
off_t corsaro_io_read_header(corsaro_in_t *corsaro, corsaro_file_in_t *file, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read an corsaro header from the file.
enum corsaro_in_record_type corsaro_in_record_type_t
Corsaro input record types.
An corsaro packet processing plugin.
#define ntohll(x)
Byte-swap a 64-bit integer.
#define CORSARO_IO_PLUGIN_PATTERN_STR
The pattern to replace in the output file name with the name of the plugin.
corsaro_file_in_t * file
The corsaro input file to read data from.
Header file dealing with the internal corsaro functions.
![[CAIDA - Center for Applied Internet Data Analysis logo]](https://www.caida.org/images/caida_globe_faded.png)
![[CAIDA]](https://www.caida.org/images/caida_whitewords.png "Go to CAIDA home page"){kind=small}