/*
 ** yaftab.h
 ** YAF Active Flow Table
 **
 ** ------------------------------------------------------------------------
 ** Copyright (C) 2006-2013 Carnegie Mellon University. All Rights Reserved.
 ** ------------------------------------------------------------------------
 ** Authors: Brian Trammell
 ** ------------------------------------------------------------------------
 ** @OPENSOURCE_HEADER_START@
 ** Use of the YAF system and related source code is subject to the terms
 ** of the following licenses:
 **
 ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
 ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
 **
 ** NO WARRANTY
 **
 ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
 ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
 ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
 ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
 ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
 ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
 ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
 ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
 ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
 ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
 ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
 ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
 ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
 ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
 ** DELIVERABLES UNDER THIS LICENSE.
 **
 ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
 ** Mellon University, its trustees, officers, employees, and agents from
 ** all claims or demands made against them (and any related losses,
 ** expenses, or attorney's fees) arising out of, or relating to Licensee's
 ** and/or its sub licensees' negligent use or willful misuse of or
 ** negligent conduct or willful misconduct regarding the Software,
 ** facilities, or other rights or assistance granted by Carnegie Mellon
 ** University under this License, including, but not limited to, any
 ** claims of product liability, personal injury, death, damage to
 ** property, or violation of any laws or regulations.
 **
 ** Carnegie Mellon University Software Engineering Institute authored
 ** documents are sponsored by the U.S. Department of Defense under
 ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
 ** copyrights in all material produced under this contract. The U.S.
 ** Government retains a non-exclusive, royalty-free license to publish or
 ** reproduce these documents, or allow others to do so, for U.S.
 ** Government purposes only pursuant to the copyright license under the
 ** contract clause at 252.227.7013.
 **
 ** @OPENSOURCE_HEADER_END@
 ** ------------------------------------------------------------------------
 */

/*
 * This is the documentation for the _old_ yaftab.h; it is no longer current,
 * and should not be read by anyone.
 *
 * Flow generation interface for YAF. This facility works by maintaining a
 * current flow table. Packets may be added to the active flows within this
 * table using the yfFlowPkt() call. Completed flows may be written to an
 * IPFIX message buffer using yfFlowFlush().
 *
 * The flow table is configured by a number of global variables.
 *
 * <tt>yaf_idle</tt> sets
 * the idle timeout in seconds. A flow that receives no packets for the idle
 * timeout is assumed to be complete. The idle timeout is set to 300 seconds
 * (five minutes) by default.
 *
 * <tt>yaf_active</tt> sets the active timeout in seconds.
 * The maximum duration of a flow is the active timeout; additional packets
 * for the same flow will be counted as part of a new flow. The active timeout
 * is set to 1800 seconds (half an hour) by default.
 *
 * <tt>yaf_flowlim</tt> sets the maximum size of the flow table; flows exceeding
 * this limit will be expired in least-recent order, as if they were idle. The
 * flow limit defaults to zero, for no limit. Use this global to limit resource
 * usage by the flow table.
 *
 * <tt>yaf_paylen</tt> sets the number of bytes of payload to capture from the
 * start of each flow. The payload length defaults to zero, which disables
 * payload capture.
 *
 * <tt>yaf_uniflow</tt>, if TRUE, exports flows in uniflow mode, using the
 * record adjacency export method described in section 3 of
 * draft-ietf-ipfix-biflow. Defaults to FALSE.
 *
 * <tt>yaf_macmode</tt>, if TRUE, exports layer 2 information with each flow;
 * presently this is limited to VLAN tags but may be expanded to include the
 * MPLS stack and MAC addresses in the future. Defaults to FALSE.
 *
 * <tt>yaf_silkmode</tt>, if TRUE, enables SiLK compatibility mode. In this
 * mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits.
 * Any packet that would cause either of these counters to overflow 32 bits
 * will force an active timeout. The high-order bit of the flowEndReason IE
 * is set on any flow created on a counter overflow, as above, or on an active
 * timeout. Defaults to FALSE.
 *
 * <tt>yaf_reqtype</tt> limits the flow table to collecting IPv4 or IPv6 flows
 * only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows
 * only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.
 *
 * This facility is used by YAF to assemble packets into flows.
 */

/*
 * NOTE(review): _YAF_TAB_H_ (leading underscore followed by an uppercase
 * letter) is in the namespace reserved for the implementation. It is left
 * unchanged here because the guard is part of the public header.
 */
#ifndef _YAF_TAB_H_
#define _YAF_TAB_H_

#include <yaf/autoinc.h>
#include <yaf/yafcore.h>
#include <yaf/decode.h>


/*
 * Opaque active flow table. Only the forward declaration is visible here;
 * the struct body lives in the implementation, so callers hold a pointer
 * returned by yfFlowTabAlloc() and never touch members directly.
 */
struct yfFlowTab_st;
/** Handle type for the opaque flow table declared above. */
typedef struct yfFlowTab_st yfFlowTab_t;

/**
 * Allocate and configure an active flow table.
 *
 * The legacy comment block above describes several of these settings as
 * global variables (yaf_idle, yaf_active, yaf_flowlim, yaf_paylen,
 * yaf_uniflow, yaf_silkmode, yaf_macmode); this prototype takes them as
 * parameters instead. Any default or "zero disables" semantics quoted below
 * come from that legacy comment, which says of itself that it is no longer
 * current — verify against the implementation before relying on them.
 *
 * @param idle_ms          idle timeout. The suffix suggests milliseconds,
 *                         whereas the legacy comment documents yaf_idle in
 *                         seconds — confirm the unit.
 * @param active_ms        active timeout; same unit caveat as idle_ms.
 * @param max_flows        flow table size limit. The legacy comment says zero
 *                         means no limit and that excess flows are expired in
 *                         least-recent order — confirm.
 * @param max_payload      bytes of payload captured from the start of each
 *                         flow; the legacy comment says zero disables
 *                         capture — confirm.
 * @param uniflow          uniflow export mode (legacy yaf_uniflow).
 * @param silkmode         SiLK compatibility mode (legacy yaf_silkmode).
 * @param macmode          export layer-2 information (legacy yaf_macmode).
 * @param applabelmode     not described in the visible documentation;
 *                         presumably enables application labeling — confirm.
 * @param entropymode      not described in the visible documentation.
 * @param fingerprintmode  not described in the visible documentation.
 * @param fpExportMode     not described in the visible documentation.
 * @param udp_max_payload  not described in the visible documentation.
 * @param udp_uniflow_port not described in the visible documentation.
 * @param pcap_dir         non-const string. Whether the table copies it or
 *                         keeps the pointer is not visible here — confirm the
 *                         lifetime the caller must guarantee.
 * @param pcap_meta_file   same lifetime caveat as pcap_dir.
 * @param max_pcap         not described in the visible documentation.
 * @param pcap_per_flow    not described in the visible documentation.
 * @param force_read_all   not described in the visible documentation.
 * @param stats_mode       not described in the visible documentation.
 * @param index_pcap       not described in the visible documentation.
 * @return new flow table handle, presumably to be released with
 *         yfFlowTabFree(). Whether NULL can be returned on allocation
 *         failure is not visible from this declaration — check before use.
 */
yfFlowTab_t *yfFlowTabAlloc(
    uint64_t        idle_ms,
    uint64_t        active_ms,
    uint32_t        max_flows,
    uint32_t        max_payload,
    gboolean        uniflow,
    gboolean        silkmode,
    gboolean        macmode,
    gboolean        applabelmode,
    gboolean        entropymode,
    gboolean        fingerprintmode,
    gboolean        fpExportMode,
    gboolean        udp_max_payload,
    uint16_t        udp_uniflow_port,
    char            *pcap_dir,
    char            *pcap_meta_file,
    uint64_t        max_pcap,
    gboolean        pcap_per_flow,
    gboolean        force_read_all,
    gboolean        stats_mode,
    gboolean        index_pcap);

/**
 * Release a flow table obtained from yfFlowTabAlloc().
 *
 * @param flowtab  table to free. Whether NULL is accepted, and whether flows
 *                 still active in the table are flushed or simply dropped,
 *                 is not visible from this declaration — confirm in the
 *                 implementation.
 */
void yfFlowTabFree(
    yfFlowTab_t     *flowtab);


/**
 * Switch the flow table to a new rolling pcap output file (inferred from the
 * name; the rotation policy itself is not visible here).
 *
 * @param flowtab        flow table whose pcap output is being rotated.
 * @param new_file_name  GString holding the new file name. Whether the
 *                       table takes ownership of the GString or copies its
 *                       contents is not visible here — confirm before the
 *                       caller frees it.
 */
void yfUpdateRollingPcapFile(
    yfFlowTab_t                *flowtab,
    GString                    *new_file_name);

/**
 * Copy the flow table's running counters into caller-supplied variables.
 *
 * All five pointers are out-parameters. Whether any may be NULL to skip a
 * counter is not visible here — assume all must point to valid storage.
 *
 * @param flowtab        table to query.
 * @param[out] packets   64-bit packet count.
 * @param[out] flows     64-bit flow count.
 * @param[out] rej_pkts  64-bit rejected-packet count; what "rejected"
 *                       covers is not visible from this declaration.
 * @param[out] peak      32-bit peak value, presumably peak table
 *                       occupancy — confirm.
 * @param[out] flush     32-bit counter, presumably number of flushes —
 *                       confirm.
 */
void yfGetFlowTabStats(
    yfFlowTab_t *flowtab,
    uint64_t *packets,
    uint64_t *flows,
    uint64_t *rej_pkts,
    uint32_t *peak,
    uint32_t *flush);

/**
 * Add one packet buffer to the flow table.
 *
 * This is the entry point through which captured traffic reaches the table,
 * so pbuf contents are untrusted input. Where pbuflen is validated against
 * the yfPBuf_t layout is not visible from this declaration — confirm that
 * the implementation (or the decoder that produced pbuf) bounds-checks it.
 *
 * @param flowtab  table receiving the packet.
 * @param pbuflen  size of the packet buffer, in bytes.
 * @param pbuf     decoded packet buffer; yfPBuf_t is presumably declared by
 *                 one of the yaf headers included above.
 */
void yfFlowPBuf(
    yfFlowTab_t                 *flowtab,
    size_t                      pbuflen,
    yfPBuf_t                    *pbuf);

/**
 * Flush completed flows out of the table.
 *
 * Unlike the other entry points in this header, the first argument is a
 * void context rather than a yfFlowTab_t*; the implementation presumably
 * recovers the table from it — confirm which object the caller must pass.
 *
 * @param yfContext  opaque caller context (see note above).
 * @param close      if TRUE, presumably flushes all flows as on shutdown
 *                   rather than only expired ones — confirm.
 * @param err        GLib-style error out-parameter.
 * @return gboolean; by GLib convention TRUE on success and FALSE with *err
 *         set on failure — confirm against the implementation.
 */
gboolean yfFlowTabFlush(
    void            *yfContext,
    gboolean        close,
    GError          **err);

/**
 * Return the flow table's notion of the current time.
 *
 * @param flowtab  table to query.
 * @return 64-bit timestamp. Unit and epoch are not visible here; the *_ms
 *         parameters of yfFlowTabAlloc() suggest milliseconds — confirm.
 */
uint64_t yfFlowTabCurrentTime(
    yfFlowTab_t     *flowtab);

/**
 * Dump flow table statistics.
 *
 * @param flowtab  table whose statistics are reported.
 * @param timer    GTimer, presumably used to compute rates over the elapsed
 *                 interval — confirm.
 * @return 64-bit value; which statistic is returned is not visible from this
 *         declaration — confirm in the implementation.
 */
uint64_t yfFlowDumpStats(
    yfFlowTab_t     *flowtab,
    GTimer          *timer);

#endif