00001 /*
00002  ** yafcore.h
00003  ** YAF core I/O routines
00004  **
00005  ** ------------------------------------------------------------------------
00006  ** Copyright (C) 2006-2008 Carnegie Mellon University. All Rights Reserved.
00007  ** ------------------------------------------------------------------------
00008  ** Authors: Brian Trammell <bht@cert.org>
00009  ** ------------------------------------------------------------------------
00010  ** GNU General Public License (GPL) Rights pursuant to Version 2, June 1991
00011  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.225-7013
00012  ** ------------------------------------------------------------------------
00013  */
00014 
00059 #ifndef _YAF_CORE_H_
00060 #define _YAF_CORE_H_
00061 
00062 #include <yaf/autoinc.h>
00063 #include <fixbuf/public.h>
00064 
/**
 * GError domain for every function in this header that takes a GError **err.
 * Callers should test err->domain against YAF_ERROR_DOMAIN before interpreting
 * err->code as one of the YAF_ERROR_* values below.
 *
 * Note: this expands to a function call (g_quark_from_string), not a
 * compile-time constant, so it cannot appear in a switch/case label; the
 * quark is interned on first use.
 */
#define YAF_ERROR_DOMAIN        (g_quark_from_string("certYAFError"))

/*
 * Error codes carried in GError.code under YAF_ERROR_DOMAIN.
 * The meanings given here follow the constant names only; the exact
 * conditions that raise each code live in yafcore.c and should be confirmed
 * there.
 */

/** Header problem (presumably a malformed or unsupported input header). */
#define YAF_ERROR_HEADER        1

/** Invalid argument supplied by the caller. */
#define YAF_ERROR_ARGUMENT      2

/** Underlying I/O operation failed. */
#define YAF_ERROR_IO            3

/** IPFIX-level (fixbuf) encoding or decoding problem. */
#define YAF_ERROR_IPFIX         4

/** Requested feature is not implemented in this build. */
#define YAF_ERROR_IMPL          5

/** Internal consistency failure. */
#define YAF_ERROR_INTERNAL      6

/** A configured or built-in limit was exceeded. */
#define YAF_ERROR_LIMIT         7

/**
 * End of input. Reader loops should treat this code as normal termination
 * and distinguish it from the other codes, which indicate failure.
 */
#define YAF_ERROR_EOF           8
00087 
/*
 * Flow end reasons. These are presumably the values carried in
 * yfFlow_t.reason (see below) — TODO confirm against yafcore.c.
 *
 * Encoding: the low seven bits (YAF_END_MASK) hold one of the YAF_FLOW_ACTIVE
 * / YAF_END_* values; the high bit (YAF_ENDF_ISCONT) is an independent flag.
 * Always extract the reason with `reason & YAF_END_MASK` before comparing
 * against YAF_END_*; a direct equality test fails whenever the flag bit is set.
 */

/** Flow has not ended. */
#define YAF_FLOW_ACTIVE         0

/** Flow ended because it went idle. */
#define YAF_END_IDLE            1

/** Flow ended because it reached the active timeout. */
#define YAF_END_ACTIVE          2

/** Flow ended because it was closed (presumably at the transport level). */
#define YAF_END_CLOSED          3

/** Flow was forced to end (reason name only; condition not visible here). */
#define YAF_END_FORCED          4

/** Flow ended because of resource pressure. */
#define YAF_END_RESOURCE        5

/** Mask selecting the reason code from a reason byte (bits 0-6). */
#define YAF_END_MASK            0x7f

/** Flag bit (bit 7) marking a continuation; orthogonal to the reason code. */
#define YAF_ENDF_ISCONT         0x80
00109 
/*
 * IANA-assigned IP protocol numbers. Presumably compared against
 * yfFlowKey_t.proto (TODO confirm).
 */

/** Internet Control Message Protocol. */
#define YAF_IP_ICMP             1

/** Transmission Control Protocol. */
#define YAF_IP_TCP              6

/** User Datagram Protocol. */
#define YAF_IP_UDP              17
00116 
00117 
/**
 * Maximum number of hooks (presumably plugin callbacks) that may be
 * registered. Hook-related declarations are not part of this header.
 */
#define YAF_MAX_HOOKS           4

/**
 * Upper bound on what a hook may export. The unit (bytes? elements?) is not
 * visible here — TODO confirm where this bound is enforced.
 */
#define YAF_HOOKS_MAX_EXPORT    256
00123 
/**
 * Flow key: the address/port/protocol tuple that identifies a flow.
 *
 * The `addr` member is a union, so only the variant selected by `version`
 * holds meaningful data; reading `addr.v4` of an IPv6 key (or vice versa)
 * returns bytes of the other variant. Any code that hashes, compares or
 * prints a key must consult `version` first, and any equality test should
 * include `version` so that a v4 key never compares equal to a v6 key whose
 * first eight address bytes happen to coincide.
 *
 * Field names suggest s = source and d = destination; confirm in yafcore.c.
 */
typedef struct yfFlowKey_st {
    /** Transport port, presumably source. */
    uint16_t            sp;
    /** Transport port, presumably destination. */
    uint16_t            dp;
    /** IP protocol number (see YAF_IP_ICMP / YAF_IP_TCP / YAF_IP_UDP). */
    uint8_t             proto;
    /** Selects the live addr variant (presumably 4 or 6 — TODO confirm). */
    uint8_t             version;
    union {
        /** IPv4 addresses, 32 bits each; byte order not visible here. */
        struct {
            uint32_t    sip;
            uint32_t    dip;
        }               v4;
        /** IPv6 addresses, 16 raw bytes each. */
        struct {
            uint8_t     sip[16];
            uint8_t     dip[16];
        }               v6;
    }                   addr;
} yfFlowKey_t;
00153 
00154 
/**
 * Per-direction flow counters and state.
 *
 * Layout warning: the presence of the payload and entropy members depends on
 * build-time macros (YAF_ENABLE_PAYLOAD, YAF_ENABLE_ENTROPY), so the size of
 * this struct and the offsets of isn/iflags/uflags/tag change with
 * configuration. Every translation unit — including anything that consumes
 * yfFlow_t through a hook (YAF_MAX_HOOKS) — must be built with the same
 * settings, or fields will be read at the wrong offsets.
 *
 * Note the two conditionals use different forms: payload is gated with
 * `#if YAF_ENABLE_PAYLOAD == 1`, which silently evaluates to false when the
 * macro is undefined (e.g. if the configuration header has not been included
 * first), while entropy is gated with `#ifdef`.
 */
typedef struct yfFlowVal_st {
    /** Octet count for this direction. */
    uint64_t    oct;
    /** Packet count for this direction. */
    uint64_t    pkt;
#   if YAF_ENABLE_PAYLOAD == 1

    /**
     * Number of valid bytes at `payload`. This is the only bound available
     * to readers; never index `payload` beyond it. When the flow was read
     * from a file or socket, both values originate from external input.
     */
    uint32_t    paylen;
    /**
     * Captured payload bytes, or presumably NULL when none. Ownership and
     * the allocator are not visible here — presumably released by
     * yfFlowCleanup(); TODO confirm in yafcore.c.
     */
    uint8_t     *payload;
#   endif

    /** Initial sequence number (presumably TCP; meaningful only for TCP flows). */
    uint32_t    isn;
    /** Flags seen on the initial packet (presumably TCP flag bits). */
    uint8_t     iflags;
    /** Union of flags seen over the flow (presumably TCP flag bits). */
    uint8_t     uflags;
#   ifdef YAF_ENABLE_ENTROPY
    /** 256-entry histogram, one counter per byte value (entries saturate at 255). */
    uint8_t     entropyDist[256];
    /** Scalar entropy estimate derived from entropyDist; scale not visible here. */
    uint8_t     entropyVal;
#   endif

    /** Application-defined tag; semantics not visible in this header. */
    uint16_t    tag;
} yfFlowVal_t;
00183 
#ifdef YAF_ENABLE_APPLABEL
/**
 * Application-labeler progress flags, packed into a single byte: three
 * one-bit flags plus five unnamed padding bits. Only present when
 * YAF_ENABLE_APPLABEL is defined, which also changes the layout of yfFlow_t.
 */
typedef struct yfFlowAppLabelerState_st {
    /** Set once a protocol classification has been made. */
    uint8_t protoClassified:1;
    /** Set once classification of the forward direction is finished. */
    uint8_t forwardClassComplete:1;
    /** Set once classification of the reverse direction is finished. */
    uint8_t reverseClassComplete:1;
    /** Padding to a full byte; never addressed. */
    uint8_t :5;
} yfFlowAppLabelerState_t;
/**
 * Initial state value: all flags clear. Presumably assigned to the state
 * member as a whole (e.g. via memset/zero-init) rather than to a single
 * bit-field — TODO confirm.
 */
#define YAF_FLOW_APPLABELER_STATE_UNCLASSIFIED 0
#endif
00193 
/**
 * A complete bidirectional flow record: timing, end reason, per-direction
 * values and the identifying key.
 *
 * Layout depends on YAF_ENABLE_APPLABEL (and, through yfFlowVal_t, on
 * YAF_ENABLE_PAYLOAD / YAF_ENABLE_ENTROPY); see the note on yfFlowVal_t.
 * Records filled in by yfReadFlow()/yfReadFlowExtended() come from a file or
 * socket and should be treated as untrusted input by whatever consumes them.
 */
typedef struct yfFlow_st {
    /** Flow start time; units/epoch not visible here (presumably ms — confirm). */
    uint64_t        stime;
    /** Flow end time, same units as stime. */
    uint64_t        etime;
    #ifdef YAF_ENABLE_APPLABEL

    /** Labeler progress flags; see yfFlowAppLabelerState_t. */
    yfFlowAppLabelerState_t appLabelerState;
    /** Assigned application label; value space not visible here. */
    uint16_t        appLabel;
    #endif

    /** Signed reverse-direction time offset; units not visible here. */
    int32_t         rdtime;
    /**
     * Flow end reason byte. Presumably holds a YAF_FLOW_ACTIVE / YAF_END_*
     * code in the low bits with YAF_ENDF_ISCONT possibly set in bit 7, so
     * mask with YAF_END_MASK before comparing (TODO confirm).
     */
    uint8_t         reason;
    /** Values for one direction (name suggests forward). */
    yfFlowVal_t     val;
    /** Values for the other direction (name suggests reverse). */
    yfFlowVal_t     rval;
    /** Identifying tuple for the flow. */
    yfFlowKey_t     key;
} yfFlow_t;
00224 
/**
 * Initialize a yfFlow_t before first use. Declaration only; the body is in
 * yafcore.c. The names suggest Prepare/Cleanup are a matched pair: call
 * yfFlowPrepare() once before passing `flow` to the read functions and
 * yfFlowCleanup() once when done. With YAF_ENABLE_PAYLOAD the record holds
 * heap pointers (val.payload, rval.payload), so skipping Cleanup presumably
 * leaks and calling it twice presumably double-frees — TODO confirm.
 *
 * @param flow  record to initialize; must not be NULL (not checked here).
 */
void yfFlowPrepare(
    yfFlow_t          *flow);

/**
 * Release any resources owned by a yfFlow_t. Declaration only; see
 * yfFlowPrepare() for the pairing contract.
 *
 * @param flow  record previously passed to yfFlowPrepare().
 */
void yfFlowCleanup(
    yfFlow_t          *flow);
00245 
/*
 * Writer constructors. All return a fixbuf buffer (fBuf_t) and take a
 * GError **err; by the GLib convention they presumably return NULL on
 * failure with *err set in YAF_ERROR_DOMAIN (TODO confirm). Callers must
 * check the return value, not just *err. The returned buffer is released
 * with yfWriterClose().
 */

/**
 * Open an IPFIX writer on the file at `path`.
 *
 * @param path    filename to create/open; mode not visible here.
 * @param domain  32-bit domain value (presumably the IPFIX observation domain).
 * @param err     GError out-parameter.
 * @return        new writer buffer, or presumably NULL on error.
 */
fBuf_t *yfWriterForFile(
    const char              *path,
    uint32_t                domain,
    GError                  **err);

/**
 * Open an IPFIX writer on an already-open stdio stream.
 * Whether yfWriterClose() closes `fp` is not visible here — TODO confirm
 * before closing it yourself, to avoid a double fclose().
 *
 * @param fp      open stream; must not be NULL.
 * @param domain  as for yfWriterForFile().
 * @param err     GError out-parameter.
 */
fBuf_t *yfWriterForFP(
    FILE                    *fp,
    uint32_t                domain,
    GError                  **err);

/**
 * Open an IPFIX writer on a fixbuf connection specification (e.g. a network
 * transport described by `spec`).
 *
 * @param spec    fixbuf connection spec; lifetime requirements not visible here.
 * @param domain  as for yfWriterForFile().
 * @param err     GError out-parameter.
 */
fBuf_t *yfWriterForSpec(
    fbConnSpec_t            *spec,
    uint32_t                domain,
    GError                  **err);

/**
 * Write one flow record to a writer buffer.
 *
 * @param fbuf  writer from one of the yfWriterFor*() functions.
 * @param flow  record to write.
 * @param err   GError out-parameter.
 * @return      TRUE on success, FALSE with *err set on failure.
 */
gboolean yfWriteFlow(
    fBuf_t              *fbuf,
    yfFlow_t            *flow,
    GError              **err);

/**
 * Close a writer buffer, optionally flushing pending output first.
 * Check the return value: a failed flush on close is the last chance to
 * learn that records were lost.
 *
 * @param fbuf   writer to close; presumably invalid after this call.
 * @param flush  whether to emit buffered data before closing.
 * @param err    GError out-parameter.
 * @return       TRUE on success, FALSE with *err set on failure.
 */
gboolean yfWriterClose(
    fBuf_t          *fbuf,
    gboolean        flush,
    GError          **err);
00326 
/*
 * Reader side. Records produced here come from a file or a network peer,
 * so every field of the resulting yfFlow_t — including, with
 * YAF_ENABLE_PAYLOAD, val.paylen/rval.paylen — is external input; consumers
 * must bound-check against the record's own lengths rather than assume
 * well-formedness.
 */

/**
 * Create (or re-use) a reader buffer over an open stdio stream.
 * Unlike the writer constructors this takes an existing `fbuf`; the
 * signature suggests a non-NULL `fbuf` is re-initialized rather than
 * allocated (TODO confirm). Returns the reader, presumably NULL on error.
 *
 * @param fbuf  existing buffer to re-use, or presumably NULL to allocate.
 * @param fp    open stream to read from.
 * @param err   GError out-parameter.
 */
fBuf_t *yfReaderForFP(
    fBuf_t          *fbuf,
    FILE            *fp,
    GError          **err);

/**
 * Create a fixbuf listener from a connection spec, with application
 * callbacks invoked when a connection is set up and torn down.
 *
 * @param spec     fixbuf connection spec describing where to listen.
 * @param appinit  per-connection init callback (fixbuf type).
 * @param appfree  per-connection teardown callback (fixbuf type).
 * @param err      GError out-parameter.
 * @return         new listener, presumably NULL on error.
 */
fbListener_t *yfListenerForSpec(
    fbConnSpec_t        *spec,
    fbListenerAppInit_fn    appinit,
    fbListenerAppFree_fn    appfree,
    GError              **err);

/**
 * Read the next flow record into `flow`.
 *
 * @param fbuf  reader buffer.
 * @param flow  destination record, previously passed to yfFlowPrepare().
 * @param err   GError out-parameter; YAF_ERROR_EOF presumably signals
 *              normal end of input rather than failure.
 * @return      TRUE when a record was read, FALSE otherwise.
 */
gboolean yfReadFlow(
    fBuf_t          *fbuf,
    yfFlow_t        *flow,
    GError          **err);

/**
 * Variant of yfReadFlow(). The difference (what "extended" covers) is not
 * visible in this header — consult yafcore.c before choosing between them.
 * Parameters and return value as for yfReadFlow().
 */
gboolean yfReadFlowExtended(
    fBuf_t                  *fbuf,
    yfFlow_t                *flow,
    GError                  **err);
00408 
/*
 * Text rendering. The flow being rendered may have been read from a file or
 * network peer, so its contents are untrusted; which fields are printed, and
 * whether raw bytes are escaped, is not visible here.
 */

/**
 * Append a text rendering of `flow` to a GString.
 *
 * @param rstr  destination string; appended to, presumably not cleared first.
 * @param flow  record to render.
 */
void yfPrintString(
    GString             *rstr,
    yfFlow_t            *flow);

/**
 * Append a delimited (column-separated) rendering of `flow` to a GString.
 * The delimiter is not visible in this header.
 *
 * @param rstr  destination string.
 * @param flow  record to render.
 */
void yfPrintDelimitedString(
    GString                 *rstr,
    yfFlow_t                *flow);

/**
 * Write a text rendering of `flow` to a stdio stream.
 *
 * @param out   open output stream.
 * @param flow  record to render.
 * @param err   GError out-parameter.
 * @return      TRUE on success, FALSE with *err set on failure.
 */
gboolean yfPrint(
    FILE                *out,
    yfFlow_t            *flow,
    GError              **err);

/**
 * Write a delimited rendering of `flow` to a stdio stream.
 *
 * @param out   open output stream.
 * @param flow  record to render.
 * @param err   GError out-parameter.
 * @return      TRUE on success, FALSE with *err set on failure.
 */
gboolean yfPrintDelimited(
    FILE                *out,
    yfFlow_t            *flow,
    GError              **err);
00458 
00459 #endif