Perl Extensions

Net::Silk

NAME

Net::Silk::RWRec - SiLK Flow records

SYNOPSIS

  use Net::Silk::RWRec;

DESCRIPTION

Net::Silk::RWRec objects SiLK flow records such as those produced by rwfilter(1). Net::Silk::RWRec objects are written and read from a Net::Silk::File.

METHODS

The following methods are available:

CONSTRUCTORS

new(%params)

Returns a new Net::Silk::RWRec object. Accepts the following keyword parameters. See their corresponding accessor method names for acceptable values and defaults:

  application
  bytes
  classtype
  classtype_id
  dip
  dport
  duration
  duration_secs
  etime
  etime_epoch_secs
  initial_tcpflags
  icmpcode
  icmptype
  input
  nhip
  output
  packets
  protocol
  sensor
  sensor_id
  session_tcpflags
  sip
  sport
  stime
  stime_epoch_secs
  tcpflags
  timeout_killed
  timeout_started
  uniform_packets

copy()

Returns a new RWRec that is a copy of this one.

to_ipv6()

Returns a new RWRec with the IP addresses (sip, dip, and nhip) converted to IPv6. Specifically, maps the IPv4 addresses into the ::ffff:0:0/96 prefix.

to_ipv4()

Returns a new RWRec with the IP addresses (sip, dip, and nhip) converted to IPv4. If any of these addresses cannot be converted to IPv4 (that is, if any address is not in the ::ffff:0:0/96 prefix), returns undef.

ACCESSOR METHODS

With no arguments, all accessor methods return their current values.

application($val)

Return or set the service port of the flow, as set by the flow meter if the meter supports it, a 16-bit integer. The yaf(1) flow meter refers to this value as the appLabel. Defaults to 0.

bytes($val)

Return or set the number of bytes in the flow, a 32-bit integer. Defaults to 0.

classname()

Return (not set) the class name string assigned to this flow record. Initializes Net::Silk::Site if it hasn't been already. Defaults to '?'. In order to modify the classname, use classtype() or classtype_id().

classtype($class, $type)

classtype($classtype)

Return or set the classname and typename of this flow record. Can be given as separate arguments or as an array ref containing the two arguments. Returns a two-element list of classname and typename. Initializes Net::Silk::Site if it hasn't been already.

classtype_id($id)

Return or set the integer ID for the class and type of this flow record. Defaults to 0.

dip($ip)

Return or set the destination IP of this flow record as a Net::Silk::IPAddr. The given IP can be a string or Net::Silk::IPAddr.

dport($port)

Return or set the destination port of this flow record as a 16-bit integer. Defaults to 0. Since the destination port field is also used to store the values for the ICMP type and code, setting this value may modify icmptype and icmpcode.

duration($dt)

Return or set the duration of this flow record, either as a DateTime::Duration or an integer number of seconds. Defaults to 0. Changing the duration will modify etime such that the difference between etime and stime is the new duration. Returns a DateTime::Duration.

duration_ms($ms)

Return or set the duration of this flow record in milliseconds. Defaults to 0. Changing the duration will modify etime as described for duration().

etime(%dt_params)

etime($dt_or_secs)

Return or set the end time of this flow record, either as a DateTime, seconds since epoch, or as the keyword arguments that would be passed to DateTime->new(). Defaults to the UNIX epoch time. Changing the etime will modify duration of this record.

etime_epoch_ms($ms)

Return or set the end time of this flow record as a number of milliseconds since the epoch time. Defaults to 0. Changing this will modify the duration of this record.

initial_tcpflags($flags)

Return or set the TCP flags on the first packet of this flow, as a Net::Silk::TCPFlags object or string or number acceptable to Net::Silk::TCPFlags->new(). Setting initial_tcpflags when session_tcpflags is undef will set the latter to an empty-string Net::Silk::TCPFlags. Setting initial_tcpflags or session_tcpflags sets tcpflags to the binary OR of their values. Trying to set initial_tcpflags when protocol is not 6 (TCP) will croak.

icmpcode($val)

Return or set the ICMP code of this flow record, an 8-bit integer. Defaults to 0. The value is only meaningful when protocol is ICMP (1) or when is_ipv6() is true and protocol is ICMPv6 (58). Since ICMP type and code are stored in the dport field, setting this value may modify dport.

icmptype($val)

Return or set the ICMP type of this flow record, an 8-bit integer. Defaults to 0. The value is only meaningful when protocol is ICMP (1) or when is_ipv6() is true and protocol is ICMPv6 (58). Since ICMP type and code are stored in the dport field, setting this value may modify dport.

input($val)

The SNMP interface where this flow record entered the router or the vlanId if the packing tools are configured to capture it (see sensor.conf(5)), as a 16-bit integer. Defaults to 0.

nhip($ip)

Return or set the next-hop IP of this flow record as a Net::Silk::IPAddr. The given IP can be a string or Net::Silk::IPAddr.

output($val)

The SNMP interface where this flow record exited the router or the postVlanId if the packing tools are configured to capture it (see sensor.conf(5)), as a 16-bit integer. Defaults to 0.

packets($val)

Return or set the packet count for this flow record, a 32-bit integer. Defaults to 0.

protocol($val)

Return or set the IP protocol of this flow record, an 8-bit integer. Defaults to 0. Setting protocol to anything other than 6 (TCP) causes initial_tcpflags and session_tcpflags to be set to undef.

sensor($name)

Return or set the name of the sensor where this flow record was collected. Initializes Net::Silk::Site if it hasn't been already. Defaults to '?'.

sensor_id($id)

Return or set the sensor ID where this flow record was collected, a 16-bit integer. Defaults to 0.

session_tcpflags($flags)

Return or set the union of the flags of all but the first packet in this flow record, as a Net::Silk::TCPFlags or as a string or number acceptable to Net::Silk::TCPFlags->new(). Setting session_tcpflags when initial_tcpflags is undef sets the latter to an empty-string Net::Silk::TCPFlags. Setting initial_tcpflags or session_tcpflags sets tcpflags to the binary OR of their values. Trying to set session_tcpflags when protocol is not 6 (TCP) will croak.

sip($ip)

Return or set the source IP of this flow record as a Net::Silk::IPAddr. The given IP can be a string or Net::Silk::IPAddr.

sport($port)

Return or set the source port of this flow record. Defaults to 0.

stime(%dt_params)

stime($dt_or_secs)

Return or set the start time of this flow record, either as a DateTime, seconds since epoch, or as the keyword arguments that would be passed to DateTime->new(). Defaults to the UNIX epoch time. Changing the stime will modify etime such that duration stays constant. The maximum possible stime is 2038-01-19 03:14:07 UTC.

stime_epoch_ms($ms)

Return or set the start time of this flow record as the number of milliseconds since the epoch time. Defaults to 0. Changing this will modify etime such that duration stays constant.

tcpflags($flags)

Return or set the union of the flags of all packets in this flow record, as a Net::Silk::TCPFlags or as a string or number acceptable to Net::Silk::TCPFlags->new(). Setting tcpflags sets initial_tcpflags and session_tcpflags to undef. Setting initial_tcpflags or session_tcpflags changes tcpflags to the binary OR of their values.

timeout_killed($bool)

Return or set whether this flow record was closed early due to timeout by the collector. Defaults to 0.

timeout_started($bool)

Return or set whether this flow record is a continuation from a timed-out flow. Defaults to 0.

typename()

Return (not set) the type name of this flow record. Initializes Net::Silk::Site if it hasn't been already. Defaults to 255. In order to modify typename, use the classtype() or classtype_id() methods.

uniform_packets($bool)

Return or set whether this flow record contained only packets of the same size. Defaults to 0.

REGULAR METHODS

as_hash()

Return a hash representing the contents of this RWRec. This will implicitely initialize Net::Silk::Site if it hasn't been already.

is_icmp()

Return whether or not the protocol of this flow record is 1 (ICMP) or if the protocol is 58 (ICMPv6) while is_ipv6() is true.

is_ipv6()

Return whether or not this flow record contains IPv6 addresses.

is_web()

Return whether or not this flow record can be represented as a web record. A record can be represented as a web record if the protocol is TCP (6) and either the source or destination port is one of 80, 443, or 8080.

OPERATORS

The following operators are overloaded and work with Net::Silk::RWRec objects:

  eq
  ne
  ==
  !=
  ""

SEE ALSO

Net::Silk, Net::Silk::IPSet, Net::Silk::Bag, Net::Silk::Pmap, Net::Silk::IPWildcard, Net::Silk::Range, Net::Silk::CIDR, Net::Silk::IPAddr, Net::Silk::TCPFlags, Net::Silk::ProtoPort, Net::Silk::File, Net::Silk::Site, silk(7)

COPYRIGHT & LICENSE

Copyright (C) 2011-2016 by Carnegie Mellon University

Use of the Net-Silk library and related source code is subject to the terms of the following licenses:

GNU General Public License (GPL) Rights pursuant to Version 2, June 1991 Government Purpose License Rights (GPLR) pursuant to DFARS 252.227.7013

NO WARRANTY

See GPL.txt and LICENSE.txt for more details.

© 2006-2019 Carnegie Mellon University Legal | Privacy Notice |