1 /*
2  ** yaftab.h
3  ** YAF Active Flow Table
4  **
5  ** ------------------------------------------------------------------------
6  ** Copyright (C) 2006-2015 Carnegie Mellon University. All Rights Reserved.
7  ** ------------------------------------------------------------------------
8  ** Authors: Brian Trammell
9  ** ------------------------------------------------------------------------
10  ** @OPENSOURCE_HEADER_START@
11  ** Use of the YAF system and related source code is subject to the terms
12  ** of the following licenses:
13  **
14  ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991
15  ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013
16  **
17  ** NO WARRANTY
18  **
19  ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER
20  ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY
21  ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN
22  ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY
23  ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT
24  ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE,
25  ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE
26  ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT,
27  ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY
28  ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF
29  ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES.
30  ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF
31  ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON
32  ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE
33  ** DELIVERABLES UNDER THIS LICENSE.
34  **
35  ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie
36  ** Mellon University, its trustees, officers, employees, and agents from
37  ** all claims or demands made against them (and any related losses,
38  ** expenses, or attorney's fees) arising out of, or relating to Licensee's
39  ** and/or its sub licensees' negligent use or willful misuse of or
40  ** negligent conduct or willful misconduct regarding the Software,
41  ** facilities, or other rights or assistance granted by Carnegie Mellon
42  ** University under this License, including, but not limited to, any
43  ** claims of product liability, personal injury, death, damage to
44  ** property, or violation of any laws or regulations.
45  **
46  ** Carnegie Mellon University Software Engineering Institute authored
47  ** documents are sponsored by the U.S. Department of Defense under
48  ** Contract FA8721-05-C-0003. Carnegie Mellon University retains
49  ** copyrights in all material produced under this contract. The U.S.
50  ** Government retains a non-exclusive, royalty-free license to publish or
51  ** reproduce these documents, or allow others to do so, for U.S.
52  ** Government purposes only pursuant to the copyright license under the
53  ** contract clause at 252.227.7013.
54  **
55  ** @OPENSOURCE_HEADER_END@
56  ** ------------------------------------------------------------------------
57  */
58 
59 /*
60  * This is the documentation for the _old_ yaftab.h; it is no longer current,
61  * and should not be read by anyone.
62  *
63  * Flow generation interface for YAF. This facility works by maintaining a
64  * current flow table. Packets may be added to the active flows within this
65  * table using the yfFlowPkt() call. Completed flows may be written to an
66  * IPFIX message buffer using yfFlowFlush().
67  *
68  * The flow table is configured by a number of global variables.
69  *
70  * <tt>yaf_idle</tt> sets
71  * the idle timeout in seconds. A flow that receives no packets for the idle
72  * timeout is assumed to be complete. The idle timeout is set to 300 seconds
73  * (five minutes) by default.
74  *
75  * <tt>yaf_active</tt> sets the active timeout in seconds.
76  * The maximum duration of a flow is the active timeout; additional packets
77  * for the same flow will be counted as part of a new flow. The active timeout
78  * is set to 1800 seconds (half an hour) by default.
79  *
80  * <tt>yaf_flowlim</tt> sets the maximum size of the flow table; flows exceeding
81  * this limit will be expired in least-recent order, as if they were idle. The
82  * flow limit defaults to zero, for no limit. Use this global to limit resource
83  * usage by the flow table.
84  *
85  * <tt>yaf_paylen</tt> sets the number of bytes of payload to capture from the
86  * start of each flow. The payload length defaults to zero, which disables
87  * payload capture.
88  *
89  * <tt>yaf_uniflow</tt>, if TRUE, exports flows in uniflow mode, using the
90  * record adjacency export method described in section 3 of
91  * draft-ietf-ipfix-biflow. Defaults to FALSE.
92  *
93  * <tt>yaf_macmode</tt>, if TRUE, exports layer 2 information with each flow;
94  * presently this is limited to VLAN tags but may be expanded to include the
95  * MPLS stack and MAC addresses in the future. Defaults to FALSE.
96  *
97  * <tt>yaf_silkmode</tt>, if TRUE, enables SiLK compatibility mode. In this
98  * mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits.
99  * Any packet that would cause either of these counters to overflow 32 bits
100  * will force an active timeout. The high-order bit of the flowEndReason IE
101  * is set on any flow created on a counter overflow, as above, or on an active
102  * timeout. Defaults to FALSE.
103  *
104  * <tt>yaf_reqtype</tt> limits the flow table to collecting IPv4 or IPv6 flows
105  * only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows
106  * only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.
107  *
108  * This facility is used by YAF to assemble packets into flows.
109  */
110 
/*
 * NOTE(review): the guard name _YAF_TAB_H_ starts with an underscore
 * followed by an uppercase letter, a form the C standard reserves for the
 * implementation (C11 7.1.3). A name such as YAF_TAB_H would avoid that.
 * Left unchanged here because other translation units may test this
 * macro; rename it together with any such users.
 */
#ifndef _YAF_TAB_H_
#define _YAF_TAB_H_
121 
122 #include <yaf/autoinc.h>
123 #include <yaf/yafcore.h>
124 #include <yaf/decode.h>
125 
126 
/**
 * A flow table.
 *
 * Only the forward declaration is visible in this header; the struct body
 * lives in the implementation, so callers treat yfFlowTab_t as an opaque
 * handle: obtained from yfFlowTabAlloc(), released with yfFlowTabFree().
 */
struct yfFlowTab_st;
typedef struct yfFlowTab_st yfFlowTab_t;
133 
218  uint64_t idle_ms,
219  uint64_t active_ms,
220  uint32_t max_flows,
221  uint32_t max_payload,
222  gboolean uniflow,
223  gboolean silkmode,
224  gboolean macmode,
225  gboolean applabelmode,
226  gboolean entropymode,
227  gboolean fingerprintmode,
228  gboolean fpExportMode,
229  gboolean udp_max_payload,
230  uint16_t udp_uniflow_port,
231  char *pcap_dir,
232  char *pcap_meta_file,
233  uint64_t max_pcap,
234  gboolean pcap_per_flow,
235  gboolean force_read_all,
236  gboolean stats_mode,
237  gboolean index_pcap,
238  gboolean no_vlan_in_key,
239  gboolean ndpi,
240  char *ndpi_proto_file,
241  char *hash,
242  char *stime,
243  void **hfctx);
244 
/**
 * Free a previously allocated flow table.
 *
 * @param flowtab  flow table returned by yfFlowTabAlloc(); the pointer
 *                 must not be used after this call. Whether flows still
 *                 open in the table are exported before release is not
 *                 stated in this header — see yfFlowTabFlush() and the
 *                 implementation before relying on either behaviour.
 */
void yfFlowTabFree(
    yfFlowTab_t *flowtab);
255 
256 
265  yfFlowTab_t *flowtab,
266  char *new_file_name);
267 
/**
 * Get flow table statistics for export.
 *
 * The five pointer arguments look like output parameters filled by the
 * call (inferred from their pointer-to-integer types); the meaning of each
 * counter below is taken from its name only — verify against yaftab.c
 * before interpreting the values.
 *
 * @param flowtab   flow table to query
 * @param packets   [out] packet counter (presumably packets processed)
 * @param flows     [out] flow counter (presumably flows created)
 * @param rej_pkts  [out] rejected-packet counter
 * @param peak      [out] peak value (presumably peak concurrent flows)
 * @param flush     [out] flush counter (presumably number of flushes)
 */
void yfGetFlowTabStats(
    yfFlowTab_t *flowtab,
    uint64_t *packets,
    uint64_t *flows,
    uint64_t *rej_pkts,
    uint32_t *peak,
    uint32_t *flush);
286 
/**
 * Add a decoded packet buffer to a given flow table.
 *
 * @param flowtab  flow table that receives the packet
 * @param pbuflen  size in bytes of the buffer at pbuf — presumably the
 *                 bound the implementation uses when reading packet
 *                 payload out of it; confirm in yaftab.c
 * @param pbuf     decoded packet (yfPBuf_t, the full packet information
 *                 structure declared in decode.h)
 */
void yfFlowPBuf(
    yfFlowTab_t *flowtab,
    size_t pbuflen,
    yfPBuf_t *pbuf);
303 
/**
 * Flush closed flows in the given flow table to the given IPFIX message
 * buffer.
 *
 * @param yfContext  untyped context pointer; this declaration does not
 *                   say which struct it must point to (presumably the
 *                   YAF context that owns the flow table and the output
 *                   buffer — confirm against yafcore.h and the callers).
 *                   Being void *, it gets no compile-time type check.
 * @param close      flag whose exact effect is not documented here; the
 *                   name suggests a final flush at shutdown that also
 *                   closes still-open flows — confirm in yaftab.c
 * @param err        GLib error out-parameter (GError ** convention)
 * @return gboolean — presumably TRUE on success and FALSE with *err set,
 *         per the usual GError convention; confirm in the implementation
 */
gboolean yfFlowTabFlush(
    void *yfContext,
    gboolean close,
    GError **err);
322 
/**
 * Get the current packet clock from a flow table.
 *
 * @param flowtab  flow table to query
 * @return the table's current packet clock. The unit is not stated in
 *         this header; the idle_ms/active_ms parameters of
 *         yfFlowTabAlloc() suggest milliseconds — confirm in yaftab.c
 */
uint64_t yfFlowTabCurrentTime(
    yfFlowTab_t *flowtab);
332 
/**
 * Print flow table statistics to the log.
 *
 * @param flowtab  flow table whose statistics are logged
 * @param timer    GTimer supplied by the caller (presumably the elapsed
 *                 run time used for rate figures — confirm)
 * @return a uint64_t whose meaning is not documented in this header;
 *         check yaftab.c before using the value
 */
uint64_t yfFlowDumpStats(
    yfFlowTab_t *flowtab,
    GTimer *timer);
345 
346 #endif