Packages

  • package root

    This is documentation for Mothra, a collection of Scala and Spark library functions for working with Internet-related data.

    This is documentation for Mothra, a collection of Scala and Spark library functions for working with Internet-related data. Some modules contain APIs of general use to Scala programmers. Some modules make those tools more useful on Spark data-processing systems.

    Please see the documentation for the individual packages for more details on their use.

    Scala Packages

    These packages are useful in Scala code without involving Spark:

    org.cert.netsa.data

    This package, which is collected as the netsa-data library, provides types for working with various kinds of information:

    org.cert.netsa.io.ipfix

    The netsa-io-ipfix library provides tools for reading and writing IETF IPFIX data from various connections and files.

    org.cert.netsa.io.silk

    To read and write CERT NetSA SiLK file formats and configuration files, use the netsa-io-silk library.

    org.cert.netsa.util

    The "junk drawer" of netsa-util so far provides only two features: First, a method for equipping Scala scala.collection.Iterators with exception handling. And second, a way to query the versions of NetSA libraries present in a JVM at runtime.

    Spark Packages

    These packages require the use of Apache Spark:

    org.cert.netsa.mothra.datasources

    Spark datasources for CERT file types. This package contains utility features which add methods to Apache Spark DataFrameReader objects, allowing IPFIX and SiLK flows to be opened using simple spark.read... calls.

    The mothra-datasources library contains both IPFIX and SiLK functionality, while mothra-datasources-ipfix and mothra-datasources-silk contain only what's needed for the named datasource.

    org.cert.netsa.mothra.analysis

    A grab-bag of analysis helper functions and example analyses.

    org.cert.netsa.mothra.functions

    This single Scala object provides Spark SQL functions for working with network data. It is the entirety of the mothra-functions library.

    Definition Classes
    root
  • package org
    Definition Classes
    root
  • package cert
    Definition Classes
    org
  • package netsa
    Definition Classes
    cert
  • package mothra
    Definition Classes
    netsa
  • package datasources

    This package contains the Mothra datasources, along with mechanisms for working with those datasources.

    This package contains the Mothra datasources, along with mechanisms for working with those datasources. The primary novel feature of these datasources is the fields mechanism.

    To use the IPFIX or SiLK data sources, you can use the following methods added by the implicit CERTDataFrameReader on DataFrameReader after importing from this package:

    import org.cert.netsa.mothra.datasources._
val silkDF = spark.read.silkFlow()                                    // to read from the default SiLK repository
val silkRepoDF = spark.read.silkFlow(repository="...")                // to read from an alternate SiLK repository
val silkFilesDF = spark.read.silkFlow("/path/to/silk/files")          // to read from loose SiLK files
val ipfixDF = spark.read.ipfix(repository="/path/to/mothra/data/dir") // for packed Mothra IPFIX data
val ipfixS3DF = spark.read.ipfix(s3Repository="bucket-name")          // for packed Mothra IPFIX data from an S3 bucket
val ipfixFilesDF = spark.read.ipfix("/path/to/ipfix/files")           // for loose IPFIX files

    (The additional methods are defined on the implicit class CERTDataFrameReader.)

    Using the fields method allows you to configure which SiLK or IPFIX fields you wish to retrieve. (This is particularly important for IPFIX data, as IPFIX files may contains many many possible fields organized in various ways.)

    import org.cert.netsa.mothra.datasources._
val silkDF = spark.read.fields("sIP", "dIP").silkFlow(...)
val ipfixDF = spark.read.fields("sourceIPAddress", "destinationIPAddress").ipfix(...)

    Both of these dataframes will contain only the source and destination IP addresses from the specified data sources. You may also provide column names different from the source field names:

    val silkDF = spark.read.fields("server" -> "sIP", "client" -> "dIP").silkFlow(...)
val ipfixDF = spark.read.fields("server" -> "sourceIPAddress", "client" -> "destinationIPAddress").ipfix(...)

    You may also mix the mapped and the default names in one call:

    val df = spark.read.fields("sIP", "dIP", "s" -> "sensor").silkFlow(...)
    Definition Classes
    mothra
    See also

    IPFIX datasource

    SiLK flow datasource

  • package ipfix

    A data source as defined by the Spark Data Source API for reading IPFIX records from Mothra data spools and from loose files.

    A data source as defined by the Spark Data Source API for reading IPFIX records from Mothra data spools and from loose files.

    You can use this by importing org.cert.netsa.mothra.datasources._ like this:

    import org.cert.netsa.mothra.datasources._
val df1 = spark.read.ipfix("path/to/mothra/data/dir") // for packed Mothra IPFIX data
val df2 = spark.read.ipfix("path/to/ipfix/files")     // for loose IPFIX files

    The IPFIX datasource uses the fields mechanism from org.cert.netsa.mothra.datasources. You can make use of this mechanism like these examples:

    import org.cert.netsa.mothra.datasources._
val df1 = spark.read.fields(
  "startTime", "endTime", "sourceIPAddress", "destinationIPAddress"
).ipfix(...)

val df2 = spark.read.fields(
  "startTime", "endTime", "TOS" -> "ipClassOfService"
).ipfix(...)

    with arbitrary sets of fields and field name mappings.

    Default Fields

    The default set of fields (defined in IPFIXFields.default) is:

    • "startTime" -> "func:startTime"
    • "endTime" -> "func:endTime"
    • "sourceIPAddress" -> "func:sourceIPAddress"
    • "sourcePort" -> "func:sourcePort"
    • "destinationIPAddress" -> "func:destinationIPAddress"
    • "destinationPort" -> "func:destinationPort"
    • "protocolIdentifier"
    • "observationDomainId"
    • "vlanId"
    • "reverseVlanId"
    • "silkAppLabel"
    • "packetCount" -> "packetTotalCount|packetDeltaCount"
    • "reversePacketCount" -> "reversePacketTotalCount|reversePacketDeltaCount"
    • "octetCount" -> "octetTotalCount|octetDeltaDcount"
    • "reverseOctetCount" -> "reverseOctetTotalCount|reverseOctetDeltaCount"
    • "initialTCPFlags"
    • "reverseInitialTCPFlags"
    • "unionTCPFlags"
    • "reverseUnionTCPFlags"

    Some of these defaults are defined simply as IPFIX Information Elements. For example, "protocolIdentifier" and "vlanId" are exactly the Information Elements that are named. No "right-hand-side" is given for these definitions, because the name of the field is the same as the name of the Information Element.

    Others have simple expressions. For example, packetCount is defined as "packetTotalCount|packetDeltaCount". This expressions means that the value should be found from the packetTotalCount IE, or if that is not set from the packetDeltaCount IE. This allows this field to be used regardless of which Information Element contains the data.

    Some others are derived in more complex ways from basic IPFIX fields. For example, the startTime field is produced using "func:startTime", which runs the "gauntlet of time" to determine the start time for a flow by whatever means possible. Other time fields are similarly defined.

    Some of the "func:..." fields are actually quite simple. For example, "func:sourceIPAddress", practically speaking, is the same as "sourceIPv4Address|sourceIPv6Address". However, these fields are defined using the func: extension mechanism so that partitioning on them is possible. (This restriction may be lifted in a future Mothra version.)

    Field Types

    The mappings between IPFIX types and Spark types are:

    • octetArray → Array[Byte]
    • unsigned8 → Short
    • unsigned16 → Int
    • unsigned32 → Long
    • unsigned64 → Long
    • signed8 → Byte
    • signed16 → Short
    • signed32 → Int
    • signed64 → Long
    • float32 → Float
    • float64 → Double
    • boolean → Boolean
    • macAddress → String
    • string → String
    • dateTimeSeconds → Timestamp
    • dateTimeMilliseconds → Timestamp
    • dateTimeMicroseconds → Timestamp
    • dateTimeNanoseconds → Timestamp
    • ipv4Address → String
    • ipv6Address → String

    IPFIX's basicList, subTemplateList, and subTemplateMultiList data types are handled differently.

    Field Expressions

    As noted above, field expressions may contain simple IPFIX Information Element names, or collections of names separated by pipe characters to indicate taking the first matching choice. This language has a number of other capabilities which are documented for now in the IPFIX field parser object.

    Functional Fields

    A number of pre-defined "functional fields" are available. Some of these combine other information elements in ways that the expression language cannot (applying the so-called "gauntlet of time", for example). Others provide support for the Mothra repository partitioning system. And finally, a few are for debugging purposes and provide high-level overviews of IPFIX records or point to file locations on disk.

    Function fields are all defined and described in the org.cert.netsa.mothra.datasources.ipfix.fields.func package.

    Definition Classes
    datasources
  • package fields

    Most of these classes and traits relate to the definition of IPFIX fields as IPFIX record processing objects.

    Most of these classes and traits relate to the definition of IPFIX fields as IPFIX record processing objects.

    The IPFIXFieldParsing object defines the parser used for IPFIX field expressions, and includes the documentation for that language.

    Other mechanisms, including implementations of the IPFIXField trait, provide the ability to define new "function" fields and register them into the Func registry. This is an experimental capabilty and is likely to be deprecated and then removed from public access in the future.

    Definition Classes
    ipfix
    Note

    This is an experimental interface and is likely to be removed or made private in a future version.

  • package func

    The objects in this package represent "function fields" usable in the IPFIX data source.

    The objects in this package represent "function fields" usable in the IPFIX data source. These fields may each be accessed by the field expression "func:<fieldName>", for example "func:recordInfo" in a field expression will produce a human-readable string record as described below.

    Definition Classes
    fields
    See also

    org.cert.netsa.mothra.datasources.ipfix for examples of field expressions

    IPFIXFieldParsing for details about the field path grammar

  • TCPFlags
  • appLabel
  • destinationIPAddress
  • destinationPort
  • durationMicroseconds
  • durationMilliseconds
  • endTime
  • filename
  • icmpCode
  • icmpType
  • initialTCPFlags
  • isIPv6
  • nextHopIPAddress
  • octetCount
  • packetCount
  • recordInfo
  • reverseOctetCount
  • reversePacketCount
  • sourceIPAddress
  • sourcePort
  • startTime
  • unionTCPFlags

package func

The objects in this package represent "function fields" usable in the IPFIX data source. These fields may each be accessed by the field expression "func:<fieldName>", for example "func:recordInfo" in a field expression will produce a human-readable string record as described below.

See also

org.cert.netsa.mothra.datasources.ipfix for examples of field expressions

IPFIXFieldParsing for details about the field path grammar

Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By Inheritance
Inherited
  1. func
  2. AnyRef
  3. Any
  1. Hide All
  2. Show All
Visibility
  1. Public
  2. Protected

Value Members

  1. case object TCPFlags extends IPFIXField[Int] with Product with Serializable

    The numeric bit-wise union of all TCP flags from the CERT IPFIX initialTCPFlags (only first packet) and unionTCPFlags (all packets after first packet) Information Elements.

    The numeric bit-wise union of all TCP flags from the CERT IPFIX initialTCPFlags (only first packet) and unionTCPFlags (all packets after first packet) Information Elements.

    See also

    unionTCPFlags Information Element

    initialTCPFlags Information Element

  2. case object appLabel extends IPFIXField[String] with Product with Serializable

    The name of the service associated with the CERT IPFIX silkAppLabel Information Element, if a name is defined.

    The name of the service associated with the CERT IPFIX silkAppLabel Information Element, if a name is defined. For most values, this is the same as the IANA service name for the appLabel as a port number. For some, such as "dns", they differ from the official ("domain" in this case).

    See also

    silkAppLabel Information Element

    org.cert.netsa.data.net.ApplicationLabel

  3. case object destinationIPAddress extends SimpleField[String] with Product with Serializable

    Either the IPv4 or the IPv6 destination address of this record.

    Either the IPv4 or the IPv6 destination address of this record. This is equivalent to the path expression "destinationIPv4Address | destinationIPv6Address", except that when filtering on this function, partitions on either field are used to improve efficiency in Mothra IPFIX repositories.

    See also

    IANA registry for these Information Elements

  4. case object destinationPort extends SimpleField[Int] with Product with Serializable

    The destination transport port, stored in any of the common Information Elements.

    The destination transport port, stored in any of the common Information Elements. This is equivalent to the path expression "destinationTransportPort | tcpDestinationPort | udpDestinationPort", except that when filtering on this function, partitions on either field are used to improve efficiency in Mothra IPFIX repositories.

    See also

    IANA registry for these Information Elements

  5. case object durationMicroseconds extends IPFIXField[Long] with Product with Serializable

    The duration in microseconds of this record, computed using TimeGauntlet.computeDurationNanos.

  6. case object durationMilliseconds extends IPFIXField[Long] with Product with Serializable

    The duration in milliseconds of this record, computed using TimeGauntlet.computeDurationNanos.

  7. case object endTime extends IPFIXField[Timestamp] with Product with Serializable

    The flow end time of this record, extracted or computed using TimeGauntlet.computeEndTime.

    The flow end time of this record, extracted or computed using TimeGauntlet.computeEndTime. When filtering on this field, time-based partitioning is used to improve efficiency in Mothra IPFIX repositories.

  8. case object filename extends IPFIXField[String] with LazyLogging with Product with Serializable

    The filename of the file or the key of the S3 object which stores this record.

    The filename of the file or the key of the S3 object which stores this record. Mostly useful for debugging.

  9. case object icmpCode extends IPFIXField[Int] with Product with Serializable

    The ICMP code, stored in any of the common Information Elements.

    The ICMP code, stored in any of the common Information Elements. When protocolIdentifier is not 1 (ICMP) or 46 (IPv6-ICMP), this is always null. Otherwise, it checks icmpTypeCodeIPv4, icmpTypeCodeIPv6, icmpCodeIPv4, icmpCodeIPv6, and destinationTransportPort for data, and extracts the code from those fields if necessary.

    When filtering on this field, all of the candidate fields are checked for partitions and used to select partitions.

    See also

    IANA registry for these Information Elements

  10. case object icmpType extends IPFIXField[Int] with Product with Serializable

    The ICMP type, stored in any of the common Information Elements.

    The ICMP type, stored in any of the common Information Elements. When protocolIdentifier is not 1 (ICMP) or 46 (IPv6-ICMP), this is always null. Otherwise, it checks icmpTypeCodeIPv4, icmpTypeCodeIPv6, icmpCTypeIPv4, icmpTypeIPv6, and destinationTransportPort for data, and extracts the code from those fields if necessary.

    When filtering on this field, all of the candidate fields are checked for partitions and used to select partitions.

    See also

    IANA registry for these Information Elements

  11. case object initialTCPFlags extends SimpleField[Int] with Product with Serializable

    Finds initial TCP flags from deeper within the record to support legacy YAF versions.

  12. case object isIPv6 extends IPFIXField[Boolean] with Product with Serializable

    True if the record contains a sourceIPv6Address or destinationIPv6Address Information Element.

  13. case object nextHopIPAddress extends SimpleField[String] with Product with Serializable

    For Either IPv4 or IPv6, the BGP or IP next-hop address of this record.

    For Either IPv4 or IPv6, the BGP or IP next-hop address of this record. This is equivalent to the path expression "ipNextHopIPv4Address | ipNextHopIPv6Address | bgpNextHopIPv4Address | bgpNextHopIPv6Address", except that when filtering on this function, partitions on either field are used to improve efficiency in Mothra IPFIX repositories.

    See also

    IANA registry for these Information Elements

  14. case object octetCount extends SimpleField[Long] with Product with Serializable

    The number of octets in this record, from whatever source possible.

    The number of octets in this record, from whatever source possible. This is equivalent to the path expression "octetDeltaCount | octetTotalCount | initiatorOctets | postOctetDeltaCount | postOctetTotalCount".

    See also

    IANA registry for these Information Elements

  15. case object packetCount extends SimpleField[Long] with Product with Serializable

    The number of packets in this record, from whatever source possible.

    The number of packets in this record, from whatever source possible. This is equivalent to the path expression "packetDeltaCount | packetTotalCount | initiatorPackets | postPacketDeltaCount | postPacketTotalCount".

    See also

    IANA registry for these Information Elements

  16. case object recordInfo extends IPFIXField[String] with Product with Serializable

    A human-readable text representation of this record (also works in sub-records).

    A human-readable text representation of this record (also works in sub-records). The format is similar to JSON, but is not parsable as JSON. Most useful for debugging or exploring data.

  17. case object reverseOctetCount extends SimpleField[Long] with Product with Serializable

    The number of reverse-direction octets in this record, from whatever source possible.

    The number of reverse-direction octets in this record, from whatever source possible. This is equivalent to the path expression "reverseOctetDeltaCount | reverseOctetTotalCount | responderOctets | reversePostOctetDeltaCount | reversePostOctetTotalCount".

    See also

    IANA registry for these Information Elements

  18. case object reversePacketCount extends SimpleField[Long] with Product with Serializable

    The number of reverse-direction packets in this record, from whatever source possible.

    The number of reverse-direction packets in this record, from whatever source possible. This is equivalent to the path expression "reversePacketDeltaCount | reversePacketTotalCount | responderPackets | reversePostPacketDeltaCount | reversePostPacketTotalCount".

    See also

    IANA registry for these Information Elements

  19. case object sourceIPAddress extends SimpleField[String] with Product with Serializable

    Either the IPv4 or the IPv6 source address of this record.

    Either the IPv4 or the IPv6 source address of this record. This is equivalent to the path expression "sourceIPv4Address | sourceIPv6Address", except that when filtering on this function, partitions on either field are used to improve efficiency in Mothra IPFIX repositories.

    See also

    IANA registry for these Information Elements

  20. case object sourcePort extends SimpleField[Int] with Product with Serializable

    The source transport port, stored in any of the common Information Elements.

    The source transport port, stored in any of the common Information Elements. This is equivalent to the path expression "sourceTransportPort | tcpSourcePort | udpSourcePort", except that when filtering on this function, partitions on either field are used to improve efficiency in Mothra IPFIX repositories.

    See also

    IANA registry for these Information Elements

  21. case object startTime extends IPFIXField[Timestamp] with Product with Serializable

    The flow start time of this record, extracted or computed using TimeGauntlet.computeStartTime.

    The flow start time of this record, extracted or computed using TimeGauntlet.computeStartTime. When filtering on this field, time-based partitioning is used to improve efficiency in Mothra IPFIX repositories.

  22. case object unionTCPFlags extends SimpleField[Int] with Product with Serializable

    Finds union TCP flags from deeper within the record to support legacy YAF versions.

Inherited from AnyRef

Inherited from Any

Ungrouped