yaftab.h File Reference

Flow generation interface for YAF. More...

#include <yaf/autoinc.h>
#include <yaf/yafcore.h>


Functions
void	yfFlowInit (int datalink)
	Initialize or reinitialize the current flow table.
void	yfFlowPkt (uint8_t vctx, const struct pcap_pkthdr hdr, const uint8_t *pkt)
	Add a packet to the current flow table.
gboolean	yfFlowFlush (fBuf_t fbuf, gboolean flush_all, GError *err)
	Flush the current flow table to an IPFIX Message Buffer.
gboolean	yfFlowNext (yfFlow_t *flow, gboolean flush_all)
	Retrieve and copy the next available closed flow from the flow table.
void	yfFlowDumpStats (GTimer *timer)
	Print flow table statistics to the log.

Detailed Description

Flow generation interface for YAF.

This facility works by maintaining a current flow table. Packets may be added to the active flows within this table using the yfFlowPkt() call. Completed flows may be written to an IPFIX message buffer using yfFlowFlush().

The flow table is configured by a number of global variables.

yaf_idle sets the idle timeout in seconds. A flow that receives no packets for the idle timeout is assumed to be complete. The idle timeout is set to 300 seconds (five minutes) by default.

yaf_active sets the active timeout in seconds. The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow. The active timeout is set to 1800 seconds (half an hour) by default.

yaf_flowlim sets the maximum size of the flow table; flows exceeding this limit will be expired in least-recent order, as if they were idle. The flow limit defaults to zero, for no limit. Use this global to limit resource usage by the flow table.

yaf_paylen sets the number of bytes of payload to capture from the start of each flow. The payload length defaults to zero, which disables payload capture.

yaf_uniflow, if TRUE, exports flows in uniflow mode, using the record adjacency export method described in section 3 of draft-ietf-ipfix-biflow. Defaults to FALSE.

yaf_macmode, if TRUE, exports layer 2 information with each flow; presently this is limited to VLAN tags but may be expanded to include the MPLS stack and MAC addresses in the future. Defaults to FALSE.

yaf_silkmode, if TRUE, enables SiLK compatibility mode. In this mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits. Any packet that would cause either of these counters to overflow 32 bits will force an active timeout. The high-order bit of the flowEndReason IE is set on any flow created on a counter overflow, as above, or on an active timeout. Defaults to FALSE.

yaf_reqtype limits the flow table to collecting IPv4 or IPv6 flows only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.

This facility is used by YAF to assemble packets into flows.

Function Documentation

void yfFlowDumpStats ( GTimer * timer )

Print flow table statistics to the log.

Parameters:

timer

a GTimer containing the runtime (for packet and flow rate logging). May be NULL to suppress rate logging.

gboolean yfFlowFlush	(	fBuf_t *	fbuf,
		gboolean	flush_all,
		GError **	err
	)

Flush the current flow table to an IPFIX Message Buffer.

Causes any idle flows to time out, removing them from the flow table, and enforces the yaf_flowlim resource limit. If flush_all is TRUE, flushes all active flows, as well. Writes the flows to the given IPFIX message buffer.

Parameters:

	fbuf	message buffer to write flushed flows to.
	flush_all	TRUE to flush all flows, FALSE to flush closed, idled, and resource limited flows only.
	err	An error description pointer; must not be NULL.

Returns:: TRUE on success, FALSE otherwise.

void yfFlowInit ( int datalink )

Initialize or reinitialize the current flow table.

The flow table may only accept layer 2 packets of a single given datalink encoding at a time.

Parameters:

datalink

libpcap DLT_ constant describing the layer 2 headers on each packet that will be passed to yfFlowPkt(). Supported datalink types are DLT_EN10MB (Ethernet), DLT_CHDLC (Cisco HDLC), DLT_LINUX_SLL (Linux "cooked" capture interface), DLT_RAW (raw IP packet, no layer 2), DLT_NULL (loopback), and DLT_LOOP (OpenBSD loopback).

gboolean yfFlowNext	(	yfFlow_t *	flow,
		gboolean	flush_all
	)

Retrieve and copy the next available closed flow from the flow table.

Times out idle flows and enforces the yaf_flowlim resource limit. If flush_all is TRUE, removes all active flows from the flow table as well.

Parameters:

	flow	pointer to yfFlow_t buffer to copy flow to.
	flush_all	TRUE to flush all flows, FALSE to flush closed, idled, and resource limited flows only.

Returns:: TRUE if a flow was available and copied, FALSE otherwise.

void yfFlowPkt	(	uint8_t *	vctx,
		const struct pcap_pkthdr *	hdr,
		const uint8_t *	pkt
	)

Add a packet to the current flow table.

Decodes the packet and adds it to the flow to which it belongs, creating a new flow if necessary. Causes the flow to which it belongs to time out if it is longer than the active timeout. Closes the flow if the flow closure conditions (TCP RST, TCP FIN four-way teardown) are met. This function is suitable for use as a PCAP packet handler.

Parameters:

	vctx	Void context, as passed to the libpcap dispatcher. Presently ignored; may be allowed to use multiple flow tables in a single process in future revisions.
	hdr	libpcap packet header, containing timing and capture length information.
	pkt	packet to decode and add.

yaftab.h File Reference

Functions

Detailed Description

Function Documentation