Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
The Center for Applied Internet Data Analysis
corsaro_main.c
Go to the documentation of this file.
1 /*
2  * corsaro
3  *
4  * Alistair King, CAIDA, UC San Diego
5  * corsaro-info@caida.org
6  *
7  * Copyright (C) 2012 The Regents of the University of California.
8  *
9  * This file is part of corsaro.
10  *
11  * corsaro is free software: you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation, either version 3 of the License, or
14  * (at your option) any later version.
15  *
16  * corsaro is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License
22  * along with corsaro. If not, see <http://www.gnu.org/licenses/>.
23  *
24  */
25 
26 #include "config.h"
27 
28 #include <assert.h>
29 #include <signal.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <string.h>
33 #include <unistd.h>
34 
35 #include "libtrace.h"
36 
37 #include "utils.h"
38 
39 #include "corsaro.h"
40 #include "corsaro_log.h"
41 
42 #ifdef WITH_PLUGIN_SIXT
43 #include "corsaro_flowtuple.h"
44 #endif
45 
55 #define LEGACY_INTERVAL_CNT 60
56 
58 volatile sig_atomic_t corsaro_shutdown = 0;
59 
61 #define HARD_SHUTDOWN 3
62 
63 /* for when we are reading trace files */
65 static libtrace_t *trace = NULL;
67 static libtrace_packet_t *packet = NULL;
69 static libtrace_filter_t *filter = NULL;
70 
71 #ifdef WITH_PLUGIN_SIXT
72 /* for when we are reading flowtuple files */
74 static corsaro_in_t *corsaro_in = NULL;
76 static corsaro_in_record_t *record = NULL;
77 #endif
78 
80 static corsaro_t *corsaro = NULL;
82 static int promisc = 0;
84 static int legacy_intervals = 0;
85 
87 static void catch_sigint(int sig)
88 {
89  corsaro_shutdown++;
90  if(corsaro_shutdown == HARD_SHUTDOWN)
91  {
92  fprintf(stderr, "caught %d SIGINT's. shutting down NOW\n",
93  HARD_SHUTDOWN);
94  exit(-1);
95  }
96 
97  fprintf(stderr, "caught SIGINT, shutting down at the next opportunity\n");
98 
99  /* this is a global flag for libtrace, so probably doesn't hurt to call it but
100  lets be a little careful */
101  if(trace != NULL)
102  {
103  trace_interrupt();
104  }
105 
106  signal(sig, catch_sigint);
107 }
108 
110 static void clean()
111 {
112  if(packet != NULL)
113  {
114  trace_destroy_packet(packet);
115  packet = NULL;
116  }
117 
118 #ifdef WITH_PLUGIN_SIXT
119  if(record != NULL)
120  {
121  corsaro_in_free_record(record);
122  record = NULL;
123  }
124 #endif
125 
126  if(corsaro != NULL)
127  {
128  corsaro_finalize_output(corsaro);
129  }
130 }
131 
133 static int init_trace(char *tracefile)
134 {
135  /* create a packet buffer */
136  if (packet == NULL &&
137  (packet = trace_create_packet()) == NULL) {
138  perror("Creating libtrace packet");
139  return -1;
140  }
141 
142  trace = trace_create(tracefile);
143 
144  if (trace_is_err(trace)) {
145  trace_perror(trace,"Opening trace file");
146  return -1;
147  }
148 
149  /* just in case someone is being dumb */
150  if(legacy_intervals == 1)
151  {
152  fprintf(stderr, "WARNING: -l makes no sense when used with a pcap file\n");
153  }
154 
155  /* enable promisc mode on the input if desired by the user */
156  if(promisc == 1)
157  {
158  corsaro_log(__func__, corsaro,
159  "switching input to promiscuous mode");
160  if(trace_config(trace,TRACE_OPTION_PROMISC,&promisc)) {
161  trace_perror(trace,"ignoring: ");
162  }
163  }
164 
165  if (trace_start(trace) == -1) {
166  trace_perror(trace,"Starting trace");
167  return -1;
168  }
169 
170  return 0;
171 }
172 
174 static void close_trace()
175 {
176  if(trace != NULL)
177  {
178  trace_destroy(trace);
179  trace = NULL;
180  }
181 }
182 
184 static int process_trace(char *traceuri)
185 {
186  if(init_trace(traceuri) != 0)
187  {
188  corsaro_log(__func__, corsaro,
189  "could not init trace for reading %s",
190  traceuri);
191  return -1;
192  }
193 
194  /* let corsaro have the trace pointer */
195  corsaro_set_trace(corsaro, trace);
196 
197  while (corsaro_shutdown == 0 && trace_read_packet(trace, packet)>0) {
198  if((filter == NULL || trace_apply_filter(filter, packet) > 0) &&
199  corsaro_per_packet(corsaro, packet) != 0)
200  {
201  corsaro_log(__func__, corsaro, "corsaro_per_packet failed");
202  return -1;
203  }
204  }
205 
206  if (trace_is_err(trace)) {
207  trace_perror(trace,"Reading packets");
208  corsaro_log(__func__, corsaro, "libtrace had an error reading packets");
209  return 1;
210  }
211 
212  if(trace_get_dropped_packets(trace) != UINT64_MAX)
213  {
214  corsaro_log(__func__, corsaro, "dropped pkt cnt: %"PRIu64"\n",
215  trace_get_dropped_packets(trace));
216  }
217 
218  return 0;
219 }
220 
221 #ifdef WITH_PLUGIN_SIXT
222 
223 static int init_flowtuple(const char *tuplefile)
224 {
225  /* get the corsaro_in object we need to use to read the tuple file */
226  if((corsaro_in = corsaro_alloc_input(tuplefile)) == NULL)
227  {
228  corsaro_log(__func__, corsaro,
229  "could not alloc corsaro_in to read %s",
230  tuplefile);
231  return -1;
232  }
233 
234  /* get a record buffer */
235  if((record = corsaro_in_alloc_record(corsaro_in)) == NULL)
236  {
237  corsaro_log(__func__, corsaro, "could not alloc record");
238  return -1;
239  }
240 
241  /* start corsaro */
242  if(corsaro_start_input(corsaro_in) != 0)
243  {
244  corsaro_log(__func__, corsaro, "could not start corsaro");
245  return -1;
246  }
247 
248  return 0;
249 }
250 
252 static void close_flowtuple()
253 {
254  if(record != NULL)
255  {
256  corsaro_in_free_record(record);
257  record = NULL;
258  }
259 
260  if(corsaro_in != NULL)
261  {
262  corsaro_finalize_input(corsaro_in);
263  corsaro_in = NULL;
264  }
265 }
266 
268 static int process_corsaro(const char *corsuri)
269 {
270  off_t len = 0;
271  corsaro_in_record_type_t type = CORSARO_IN_RECORD_TYPE_NULL;
272  corsaro_interval_t *int_end = NULL;
273 
274  if(init_flowtuple(corsuri) != 0)
275  {
276  corsaro_log(__func__, corsaro,
277  "could not init flowtuple reading for %s", corsuri);
278  return -1;
279  }
280 
281  while (corsaro_shutdown == 0 &&
282  (len = corsaro_in_read_record(corsaro_in, &type, record)) > 0) {
283 
284  /* if we are in legacy interval mode, and this is an interval end
285  record, then subtract one from the time, unless it is the last
286  interval in the input file */
287  /* because only CAIDA has legacy flowtuple files, we make an assumption
288  that every 60 intervals we will see a 'last interval' style interval */
289  if(legacy_intervals == 1 &&
290  type == CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END)
291  {
292  int_end = (corsaro_interval_t*)corsaro_in_get_record_data(record);
293 
294  assert(int_end->number <= LEGACY_INTERVAL_CNT);
295 
296  if(int_end->number < (LEGACY_INTERVAL_CNT - 1))
297  {
298  int_end->time--;
299  }
300  }
301 
302  corsaro_per_record(corsaro, type, record);
303 
304  /* reset the type to NULL to indicate we don't care */
305  type = CORSARO_IN_RECORD_TYPE_NULL;
306  }
307 
308  if(len < 0)
309  {
310  corsaro_log(__func__, corsaro,
311  "corsaro_in_read_record failed to read record\n");
312  return -1;
313  }
314 
315  close_flowtuple();
316  return 0;
317 }
318 #endif
319 
321 static void usage(const char *name)
322 {
323  int i;
324  char **plugin_names;
325  int plugin_cnt;
326  if((plugin_cnt = corsaro_get_plugin_names(&plugin_names)) < 0)
327  {
328  /* not much we can do */
329  fprintf(stderr, "corsaro_get_plugin_names failed\n");
330  return;
331  }
332 
333  fprintf(stderr,
334  "usage: %s [-alP] -o outfile [-i interval] [-m mode] [-n name]\n"
335  " [-p plugin] [-f filter] [-r intervals]"
336  " trace_uri [trace_uri...]\n"
337  " -a align the end time of the first interval\n"
338  " -o <outfile> use <outfile> as a template for file names.\n"
339  " - %%P => plugin name\n"
340  " - %%N => monitor name\n"
341  " - see man strftime(3) for more options\n"
342  " -f <filter> BPF filter to apply to packets\n"
343  " -G disable the global metadata output file\n"
344  " -i <interval> distribution interval in seconds (default: %d)\n"
345  " -l the input file has legacy intervals (FlowTuple only)\n"
346  " -L disable logging to a file\n"
347  " -m <mode> output in 'ascii' or 'binary'. (default: binary)\n"
348  " -n <name> monitor name (default: "
349  STR(CORSARO_MONITOR_NAME)")\n"
350  " -p <plugin> enable the given plugin, -p can be used "
351  "multiple times (default: all)\n"
352  " available plugins:\n",
353  name, CORSARO_INTERVAL_DEFAULT);
354 
355  for(i = 0; i < plugin_cnt; i++)
356  {
357  fprintf(stderr, " - %s\n", plugin_names[i]);
358  }
359  fprintf(stderr,
360  " use -p \"<plugin_name> -?\" to see plugin options\n"
361  " -P enable promiscuous mode on the input"
362  " (if supported)\n"
363  " -r rotate output files after n intervals\n"
364  " -R rotate corsaro meta files after n intervals\n"
365  );
366 
367  corsaro_free_plugin_names(plugin_names, plugin_cnt);
368 }
369 
371 int main(int argc, char *argv[])
372 {
373  int opt;
374  int prevoptind;
375  /* we MUST not use any of the getopt global vars outside of arg parsing */
376  /* this is because the plugins can use get opt to parse their config */
377  int lastopt;
378  char *tmpl = NULL;
379  char *name = NULL;
380  char *bpf_filter = NULL;
381  int i = -1000;
382  int mode = CORSARO_FILE_MODE_BINARY;
383  char *plugins[CORSARO_PLUGIN_ID_MAX];
384  int plugin_cnt = 0;
385  char *plugin_arg_ptr = NULL;
386  int tracefile_cnt = 0;
387  char *traceuri = "Multiple Traces";
388  int align = 0;
389  int rotate = 0;
390  int meta_rotate = -1;
391  int logfile_disable = 0;
392  int global_file_disable = 0;
393 
394  signal(SIGINT, catch_sigint);
395 
396  while(prevoptind = optind,
397  (opt = getopt(argc, argv, ":f:i:m:n:o:p:r:R:aGlLPv?")) >= 0)
398  {
399  if (optind == prevoptind + 2 && *optarg == '-' ) {
400  opt = ':';
401  -- optind;
402  }
403  switch(opt)
404  {
405  case 'G':
406  global_file_disable = 1;
407  break;
408 
409  case 'i':
410  i = atoi(optarg);
411  break;
412 
413  case 'l':
414  legacy_intervals = 1;
415  break;
416 
417  case 'L':
418  logfile_disable = 1;
419  break;
420 
421  case 'm':
422  if(strcmp(optarg, "ascii") == 0)
423  {
424  /* ascii output format */
425  mode = CORSARO_FILE_MODE_ASCII;
426  }
427  else if(strcmp(optarg, "binary") == 0)
428  {
429  mode = CORSARO_FILE_MODE_BINARY;
430  }
431  else
432  {
433  fprintf(stderr,
434  "ERROR: mode parameter must be 'ascii' or 'binary'\n");
435  usage(argv[0]);
436  exit(-1);
437  }
438  break;
439 
440  case 'n':
441  name = strdup(optarg);
442  break;
443 
444  case 'o':
445  tmpl = strdup(optarg);
446  break;
447 
448  case 'p':
449  plugins[plugin_cnt++] = strdup(optarg);
450  break;
451 
452  case 'f':
453  bpf_filter = strdup(optarg);
454  break;
455 
456  case 'a':
457  align = 1;
458  break;
459 
460  case 'P':
461  promisc = 1;
462  break;
463 
464  case 'r':
465  rotate = atoi(optarg);
466  break;
467 
468  case 'R':
469  meta_rotate = atoi(optarg);
470  break;
471 
472  case ':':
473  fprintf(stderr, "ERROR: Missing option argument for -%c\n", optopt);
474  usage(argv[0]);
475  exit(-1);
476  break;
477 
478  case '?':
479  case 'v':
480  fprintf(stderr, "corsaro version %d.%d.%d\n", CORSARO_MAJOR_VERSION,
481  CORSARO_MID_VERSION, CORSARO_MINOR_VERSION);
482  usage(argv[0]);
483  exit(0);
484  break;
485 
486  default:
487  usage(argv[0]);
488  exit(-1);
489  }
490  }
491 
492  /* store the value of the last index*/
493  lastopt = optind;
494 
495  /* reset getopt for others */
496  optind = 1;
497 
498  /* -- call NO library functions which may use getopt before here -- */
499  /* this ESPECIALLY means corsaro_enable_plugin */
500 
501  /* ensure that there is at least one trace file given */
502  if(lastopt > argc - 1)
503  {
504  fprintf(stderr, "ERROR: At least one trace file must be specified\n");
505  usage(argv[0]);
506  goto err;
507  }
508 
509  tracefile_cnt = argc-lastopt;
510 
511  /* argv[lastopt] is the pcap file */
512  /* if there is only one trace file, we want to tell corsaro what the uri was
513  rather than the silly "Multiple Traces" default */
514  if(tracefile_cnt == 1)
515  {
516  traceuri = argv[lastopt];
517  }
518 
519  if(tmpl == NULL)
520  {
521  fprintf(stderr,
522  "ERROR: An output file template must be specified using -o\n");
523  usage(argv[0]);
524  goto err;
525  }
526 
527  /* alloc corsaro */
528  if((corsaro = corsaro_alloc_output(tmpl, mode)) == NULL)
529  {
530  usage(argv[0]);
531  goto err;
532  }
533 
534  /* create the bpf filter if specified */
535  if(bpf_filter != NULL)
536  {
537  corsaro_log(__func__, corsaro, "compiling filter: \"%s\"",
538  bpf_filter);
539  filter = trace_create_filter(bpf_filter);
540  }
541 
542  /* keep a record of what this file was called */
543  if(corsaro_set_traceuri(corsaro, traceuri) != 0)
544  {
545  corsaro_log(__func__, corsaro, "failed to set trace uri");
546  goto err;
547  }
548 
549  if(name != NULL && corsaro_set_monitorname(corsaro, name) != 0)
550  {
551  corsaro_log(__func__, corsaro, "failed to set monitor name");
552  goto err;
553  }
554 
555  if(i > -1000)
556  {
557  corsaro_set_interval(corsaro, i);
558  }
559 
560  if(align == 1)
561  {
562  corsaro_set_interval_alignment(corsaro, CORSARO_INTERVAL_ALIGN_YES);
563  }
564 
565  if(rotate > 0)
566  {
567  corsaro_set_output_rotation(corsaro, rotate);
568  }
569 
570  if(meta_rotate >= 0)
571  {
572  corsaro_set_meta_output_rotation(corsaro, meta_rotate);
573  }
574 
575  for(i=0;i<plugin_cnt;i++)
576  {
577  /* the string at plugins[i] will contain the name of the plugin,
578  optionally followed by a space and then the arguments to pass
579  to the plugin */
580  if((plugin_arg_ptr = strchr(plugins[i], ' ')) != NULL)
581  {
582  /* set the space to a nul, which allows plugins[i] to be used
583  for the plugin name, and then increment plugin_arg_ptr to
584  point to the next character, which will be the start of the
585  arg string (or at worst case, the terminating \0 */
586  *plugin_arg_ptr = '\0';
587  plugin_arg_ptr++;
588  }
589 
590  if(corsaro_enable_plugin(corsaro, plugins[i], plugin_arg_ptr) != 0)
591  {
592  fprintf(stderr, "ERROR: Could not enable plugin %s\n",
593  plugins[i]);
594  usage(argv[0]);
595  goto err;
596  }
597  }
598 
599  if(logfile_disable != 0)
600  {
601  corsaro_disable_logfile(corsaro);
602  }
603 
604  if(global_file_disable != 0)
605  {
606  corsaro_disable_globalfile(corsaro);
607  }
608 
609  if(corsaro_start_output(corsaro) != 0)
610  {
611  /* 02/25/13 - ak comments debug message */
612  /*
613  corsaro_log(__func__, corsaro, "failed to start corsaro");
614  */
615  usage(argv[0]);
616  goto err;
617  }
618 
619  for(i = lastopt; i < argc && corsaro_shutdown == 0; i++)
620  {
621  /* this should be a new file we're dealing with */
622  assert(trace == NULL);
623 #ifdef WITH_PLUGIN_SIXT
624  assert(corsaro_in == NULL);
625 #endif
626 
627  corsaro_log(__func__, corsaro, "processing %s", argv[i]);
628 
629 #ifdef WITH_PLUGIN_SIXT
630  /* are we dealing with a flowtuple file ? */
631  /* @todo replace this with a corsaro_flowtuple call to check the magic */
632  if(corsaro_flowtuple_probe_file(NULL, argv[i]) == 1)
633  {
634  if(process_corsaro(argv[i]) != 0)
635  {
636  /* let process_corsaro log the error */
637  goto err;
638  }
639  }
640  else
641  {
642 #endif
643  if(process_trace(argv[i]) != 0)
644  {
645  /* let process_trace log the error */
646  goto err;
647  }
648  /* close the trace unless this is the last trace */
649  if(i < argc-1)
650  {
651  close_trace();
652  }
653 #ifdef WITH_PLUGIN_SIXT
654  }
655 #endif
656  }
657 
658  /* free the plugin strings */
659  for(i=0;i<plugin_cnt;i++)
660  {
661  if(plugins[i] != NULL)
662  free(plugins[i]);
663  }
664 
665  /* free the template string */
666  if(tmpl != NULL)
667  free(tmpl);
668 
669  corsaro_finalize_output(corsaro);
670  close_trace();
671  corsaro = NULL;
672 
673  clean();
674  return 0;
675 
676  err:
677  /* if we bail early, let us be responsible and up the memory we alloc'd */
678  for(i=0;i<plugin_cnt;i++)
679  {
680  if(plugins[i] != NULL)
681  free(plugins[i]);
682  }
683 
684  if(tmpl != NULL)
685  free(tmpl);
686 
687  clean();
688 
689  return -1;
690 }
corsaro_interval
Structure representing the start or end of an interval.
Definition: corsaro_int.h:156
init_flowtuple
static int init_flowtuple(const char *tuplefile)
Prepare for processing a FlowTuple file.
Definition: corsaro_main.c:223
main
int main(int argc, char *argv[])
Entry point for the Corsaro tool.
Definition: corsaro_main.c:371
corsaro_in_free_record
void corsaro_in_free_record(corsaro_in_record_t *record)
Free an corsaro record object.
Definition: corsaro.c:1542
corsaro_finalize_output
int corsaro_finalize_output(corsaro_t *corsaro)
Write the final interval and free resources allocated by corsaro.
Definition: corsaro.c:1382
corsaro_disable_globalfile
void corsaro_disable_globalfile(corsaro_t *corsaro)
Accessor function to disable the global metadata file.
Definition: corsaro.c:1119
corsaro_per_record
int corsaro_per_record(corsaro_t *corsaro, corsaro_in_record_type_t type, corsaro_in_record_t *record)
Perform corsaro processing on a given corsaro record.
Definition: corsaro.c:1327
close_flowtuple
static void close_flowtuple()
Close a flowtuple input file.
Definition: corsaro_main.c:252
corsaro_alloc_input
corsaro_in_t * corsaro_alloc_input(const char *corsarouri)
Allocate an corsaro object for reading an corsaro file.
Definition: corsaro.c:1414
corsaro.h
Header file which exports the public libcorsaro API.
corsaro_get_plugin_names
int corsaro_get_plugin_names(char ***plugin_names)
Return an array of the names of plugins which are compiled into corsaro.
Definition: corsaro.c:1135
process_corsaro
static int process_corsaro(const char *corsuri)
Process a FlowTuple input file.
Definition: corsaro_main.c:268
corsaro_log.h
Header file dealing with the corsaro logging sub-system.
corsaro_in_record
A reusable opaque structure for corsaro to read an input record into.
Definition: corsaro_int.h:350
corsaro_free_plugin_names
void corsaro_free_plugin_names(char **plugin_names, int plugin_cnt)
Free the array of plugin names returned by corsaro_get_plugin_names.
Definition: corsaro.c:1170
CORSARO_FILE_MODE_ASCII
ASCII IO mode.
Definition: corsaro.h:153
CORSARO_FILE_MODE_BINARY
Binary IO mode.
Definition: corsaro.h:155
corsaro_start_output
int corsaro_start_output(corsaro_t *corsaro)
Initialize an corsaro object that has already been allocated.
Definition: corsaro.c:917
corsaro_set_trace
int corsaro_set_trace(corsaro_t *corsaro, libtrace_t *trace)
Accessor function to set the trace pointer.
Definition: corsaro.c:1059
LEGACY_INTERVAL_CNT
#define LEGACY_INTERVAL_CNT
The number of intervals in CAIDA's legacy flowtuple files.
Definition: corsaro_main.c:55
corsaro_flowtuple.h
Header file which exports corsaro_flowtuple plugin API.
clean
static void clean()
Clean up all state before exit.
Definition: corsaro_main.c:110
packet
static libtrace_packet_t * packet
A pointer to a libtrace packet.
Definition: corsaro_main.c:67
corsaro_interval::number
uint16_t number
The interval number (starts at 0)
Definition: corsaro_int.h:163
corsaro_finalize_input
int corsaro_finalize_input(corsaro_in_t *corsaro)
Close the input file and free resources allocated by corsaro.
Definition: corsaro.c:1588
utils.h
Header file for common utility functions.
usage
static void usage(const char *name)
Print usage information to stderr.
Definition: corsaro_main.c:321
corsaro_set_output_rotation
void corsaro_set_output_rotation(corsaro_t *corsaro, int intervals)
Accessor function to set the rotation frequency of output files.
Definition: corsaro.c:1000
corsaro_flowtuple_probe_file
int corsaro_flowtuple_probe_file(corsaro_in_t *corsaro, const char *fturi)
Check if an input file is a FlowTuple file.
Definition: corsaro_flowtuple.c:1033
STR
#define STR(a)
Stringify a macro value.
Definition: utils.h:57
corsaro_start_input
int corsaro_start_input(corsaro_in_t *corsaro)
Initialize an corsaro input object that has already been allocated.
Definition: corsaro.c:1428
CORSARO_IN_RECORD_TYPE_IO_INTERVAL_END
The end of an interval.
Definition: corsaro.h:115
catch_sigint
static void catch_sigint(int sig)
Handles SIGINT gracefully and shuts down.
Definition: corsaro_main.c:87
record
static corsaro_in_record_t * record
A pointer to a corsaro record.
Definition: corsaro_main.c:76
trace
static libtrace_t * trace
A pointer to a libtrace object.
Definition: corsaro_main.c:65
corsaro_in_alloc_record
corsaro_in_record_t * corsaro_in_alloc_record(corsaro_in_t *corsaro)
Allocate a reusable corsaro record object.
Definition: corsaro.c:1514
CORSARO_INTERVAL_DEFAULT
#define CORSARO_INTERVAL_DEFAULT
The interval after which we will end an interval.
Definition: corsaro_int.h:185
corsaro_per_packet
int corsaro_per_packet(corsaro_t *corsaro, libtrace_packet_t *ltpacket)
Perform corsaro processing on a given libtrace packet.
Definition: corsaro.c:1246
close_trace
static void close_trace()
Close a trace file.
Definition: corsaro_main.c:174
corsaro_interval::time
uint32_t time
The time this interval started/ended.
Definition: corsaro_int.h:165
corsaro_set_interval_alignment
void corsaro_set_interval_alignment(corsaro_t *corsaro, corsaro_interval_align_t align)
Accessor function to enable/disable the alignment of the initial interval.
Definition: corsaro.c:975
corsaro_in
Corsaro input state.
Definition: corsaro_int.h:323
process_trace
static int process_trace(char *traceuri)
Process a trace file.
Definition: corsaro_main.c:184
corsaro_set_monitorname
int corsaro_set_monitorname(corsaro_t *corsaro, char *name)
Accessor function to set the monitor name.
Definition: corsaro.c:1207
init_trace
static int init_trace(char *tracefile)
Prepare a new trace file for reading.
Definition: corsaro_main.c:133
HARD_SHUTDOWN
#define HARD_SHUTDOWN
The number of SIGINTs to catch before aborting.
Definition: corsaro_main.c:61
promisc
static int promisc
Should a live interface be set to promiscuous mode?
Definition: corsaro_main.c:82
CORSARO_PLUGIN_ID_MAX
Maximum plugin ID assigned.
Definition: corsaro_plugin.h:201
corsaro_alloc_output
corsaro_t * corsaro_alloc_output(char *template, corsaro_file_mode_t mode)
Allocate an corsaro object.
Definition: corsaro.c:893
corsaro_shutdown
volatile sig_atomic_t corsaro_shutdown
Indicates that Corsaro is waiting to shutdown.
Definition: corsaro_main.c:58
CORSARO_IN_RECORD_TYPE_NULL
The null type used for wildcard matching.
Definition: corsaro.h:100
corsaro_in_get_record_data
void * corsaro_in_get_record_data(corsaro_in_record_t *record)
Get a pointer data in a record.
Definition: corsaro.c:1583
corsaro_set_interval
void corsaro_set_interval(corsaro_t *corsaro, unsigned int i)
Accessor function to set the interval length.
Definition: corsaro.c:988
corsaro
Corsaro output state.
Definition: corsaro_int.h:230
legacy_intervals
static int legacy_intervals
The number of legacy intervals we have processed.
Definition: corsaro_main.c:84
corsaro_enable_plugin
int corsaro_enable_plugin(corsaro_t *corsaro, const char *plugin_name, const char *plugin_args)
Attempt to enable a plugin using the given plugin name.
Definition: corsaro.c:1125
corsaro_set_traceuri
int corsaro_set_traceuri(corsaro_t *corsaro, char *uri)
Accessor function to set the trace uri string.
Definition: corsaro.c:1081
corsaro_log
void corsaro_log(const char *func, corsaro_t *corsaro, const char *format,...)
Write a formatted string to the logfile associated with an corsaro object.
Definition: corsaro_log.c:113
corsaro_in_read_record
off_t corsaro_in_read_record(corsaro_in_t *corsaro, corsaro_in_record_type_t *record_type, corsaro_in_record_t *record)
Read the next corsaro record from the given corsaro input file.
Definition: corsaro.c:1562
corsaro_set_meta_output_rotation
void corsaro_set_meta_output_rotation(corsaro_t *corsaro, int intervals)
Accessor function to set the rotation frequency of meta output files.
Definition: corsaro.c:1027
corsaro_in_record_type_t
enum corsaro_in_record_type corsaro_in_record_type_t
Corsaro input record types.
corsaro_disable_logfile
void corsaro_disable_logfile(corsaro_t *corsaro)
Accessor function to disable logging to a file.
Definition: corsaro.c:1113
filter
static libtrace_filter_t * filter
A pointer to a libtrace BPF filter.
Definition: corsaro_main.c:69