yaftab.h File Reference
#include <yaf/autoinc.h>
#include <yaf/yafcore.h>
#include <yaf/decode.h>

Go to the source code of this file.

Typedefs

typedef struct yfFlowTab_st yfFlowTab_t
 A flow table. More...
 

Functions

yfFlowTab_tyfFlowTabAlloc (uint64_t idle_ms, uint64_t active_ms, uint32_t max_flows, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean macmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port, char *pcap_dir, char *pcap_meta_file, uint64_t max_pcap, gboolean pcap_per_flow, gboolean force_read_all, gboolean stats_mode, gboolean index_pcap, gboolean no_vlan_in_key, gboolean ndpi, char *ndpi_proto_file, char *hash, char *stime, void **hfctx)
 yfFlowTabAlloc More...
 
void yfFlowTabFree (yfFlowTab_t *flowtab)
 Free a previously allocated flow table. More...
 
void yfUpdateRollingPcapFile (yfFlowTab_t *flowtab, char *new_file_name)
 Update the Pcap Filename in the Flowtab for pcap meta data output. More...
 
void yfGetFlowTabStats (yfFlowTab_t *flowtab, uint64_t *packets, uint64_t *flows, uint64_t *rej_pkts, uint32_t *peak, uint32_t *flush)
 yfGetFlowTabStats Get Flow Table Stats for Export More...
 
void yfFlowPBuf (yfFlowTab_t *flowtab, size_t pbuflen, yfPBuf_t *pbuf)
 Add a decoded packet buffer to a given flow table. More...
 
gboolean yfFlowTabFlush (void *yfContext, gboolean close, GError **err)
 Flush closed flows in the given flow table to the given IPFIX Message Buffer. More...
 
uint64_t yfFlowTabCurrentTime (yfFlowTab_t *flowtab)
 Get the current packet clock from a flow table. More...
 
uint64_t yfFlowDumpStats (yfFlowTab_t *flowtab, GTimer *timer)
 Print flow table statistics to the log. More...
 

Detailed Description

Flow generation interface for YAF.

[TODO - frontmatter]

This facility is used by YAF to assemble packets into flows.

Typedef Documentation

typedef struct yfFlowTab_st yfFlowTab_t

A flow table.

Opaque. Create with yfFlowTabAlloc() and free with yfFlowTabFree().

Function Documentation

uint64_t yfFlowDumpStats ( yfFlowTab_t flowtab,
GTimer *  timer 
)

Print flow table statistics to the log.

Parameters
flowtabflow table to dump stats for
timera GTimer containing the runtime (for packet and flow rate logging). May be NULL to suppress rate logging.
void yfFlowPBuf ( yfFlowTab_t flowtab,
size_t  pbuflen,
yfPBuf_t pbuf 
)

Add a decoded packet buffer to a given flow table.

Adds the packet to the flow to which it belongs, creating a new flow if necessary. Causes the flow to which it belongs to time out if it is longer than the active timeout. Closes the flow if the flow closure conditions (TCP RST, TCP FIN four-way teardown) are met.

Parameters
flowtabflow table to add the packet to
pbuflensize of the packet buffer pbuf
pbufpacket buffer containing decoded packet to add.
yfFlowTab_t* yfFlowTabAlloc ( uint64_t  idle_ms,
uint64_t  active_ms,
uint32_t  max_flows,
uint32_t  max_payload,
gboolean  uniflow,
gboolean  silkmode,
gboolean  macmode,
gboolean  applabelmode,
gboolean  entropymode,
gboolean  fingerprintmode,
gboolean  fpExportMode,
gboolean  udp_max_payload,
uint16_t  udp_uniflow_port,
char *  pcap_dir,
char *  pcap_meta_file,
uint64_t  max_pcap,
gboolean  pcap_per_flow,
gboolean  force_read_all,
gboolean  stats_mode,
gboolean  index_pcap,
gboolean  no_vlan_in_key,
gboolean  ndpi,
char *  ndpi_proto_file,
char *  hash,
char *  stime,
void **  hfctx 
)

yfFlowTabAlloc

Allocate a flow table.

Parameters
idle_msidle timeout in milliseconds. A flow that receives no packets for the idle timeout is assumed to be complete.
active_msactive timeout in milliseconds. The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow.
max_flowsmaximum number of active flows. Flows exceeding this limit will be expired in least-recent order, as if they were idle. Used to limit resource usage of a flow table. A value of 0 disables flow count limits.
max_payloadmaximum octets of payload to capture per flow direction. Requires at least max_payload octets of payload to be available in each packet buffer passed to yfFlowPBuf(). A value of 0 disables payload capture and export.
uniflowIf TRUE, export biflows using record adjacency (two uniflows exported back-to-back. Use this for interoperability with IPFIX collectors that do not implement RFC 5103.
silkmodeIf TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow. Set high order bit in flowEndReason for each flow created on an overflow or active timeout. Breaks IPFIX interoperability; use for direct export to SiLK rwflowpack or flowcap.
macmodeIf TRUE, collect and export source and destination Mac Addresses.
applabelmodeIf TRUE, then the payload, (as limited by max_payload,) is sent through various plugins and code in order to determine which protocol is running on the flow by doing only payload inspection and exporting payload relevent information.
entropymodeIf TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload). The entropy value is exported as two values one for forward payload and one for reverse payload.
fingerprintmodeIf TRUE, then this will enable passive OS finger printing using the p0f engine based mostly on TCP negotiation
fpExportModeIf TRUE, then this will enable exporting of full packet banners of the TCP negotiations for the first three packets (including IP and transport headers) for external fingerprinting
udp_max_payloadIf TRUE, then this will enable capturing up to max_payload value for udp flows (instead of just the first packet)
udp_uniflow_portIf not 0, then this will enable exporting a single UDP packet with this src/dst port as a flow.
pcap_dirDirectory to put pcap-per-flow files
pcap_meta_fileFile for pcap meta output. Default is stdout
max_pcapMaximum size [in bytes] of a pcap file before rotating.
pcap_per_flowIf TRUE, then pcap_dir will be set to the directory to place pcap-per-flow files.
force_read_allIf TRUE, then yaf will process files that are out of sequence.
stats_modeIf TRUE, then YAF will do some extra calculations on flows.
index_pcapIf TRUE, print one line per packet we export. This will give offset and length into the pcap yaf writes.
no_vlan_in_keyIf TRUE, this will remove the vlan in the calculation of the flow key hash.
ndpiIf TRUE, enable nDPI application labeling with standard protocols.
ndpi_proto_fileIf not NULL, and ndpi is TRUE, use the provided protocol file to expand the sub-protocols list and port-based detection methods.
hashThe flow key hash to create a PCAP for.
stimeThe start time to create a PCAP for.
hfctxThe plugin hooks context variable (NULL if plugins not enabled)
Returns
a new flow table.
uint64_t yfFlowTabCurrentTime ( yfFlowTab_t flowtab)

Get the current packet clock from a flow table.

Parameters
flowtaba flow table
Returns
current packet clock
gboolean yfFlowTabFlush ( void *  yfContext,
gboolean  close,
GError **  err 
)

Flush closed flows in the given flow table to the given IPFIX Message Buffer.

Causes any idle flows to time out, removing them from the active flow table; also enforces the flow table's resource limit. If close is TRUE, additionally closes all active flows and flushes as well.

Parameters
yfContextYAF thread context structure, holds pointers for the flowtable from which to flush flows and the fbuf, the destination to which the flows should be flushed
closeclose all active flows before flushing
errAn error description pointer; must not be NULL.
Returns
TRUE on success, FALSE otherwise.
void yfFlowTabFree ( yfFlowTab_t flowtab)

Free a previously allocated flow table.

Discards any outstanding active flows without closing or flushing them; use yfFlowTabFlushAll() before yfFlowFree() to do this.

Parameters
flowtaba flow table allocated by yfFlowTabAlloc()
void yfGetFlowTabStats ( yfFlowTab_t flowtab,
uint64_t *  packets,
uint64_t *  flows,
uint64_t *  rej_pkts,
uint32_t *  peak,
uint32_t *  flush 
)

yfGetFlowTabStats Get Flow Table Stats for Export

Parameters
flowtab
packetsnumber of packets processed
flowsnumber of flows created
rej_pktsnumber of packets rejected due to out of sequence
peakmaximum number of flows in the flow table at any 1 time
flushnumber of flush events called on flow table
void yfUpdateRollingPcapFile ( yfFlowTab_t flowtab,
char *  new_file_name 
)

Update the Pcap Filename in the Flowtab for pcap meta data output.

Parameters
flowtabpointer to flow table
new_file_namethe filename of the next pcap file to write to