|typedef struct yfFlowTab_st||yfFlowTab_t|
|A flow table. More...|
|yfFlowTab_t *||yfFlowTabAlloc (uint64_t idle_ms, uint64_t active_ms, uint32_t max_flows, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean macmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port, char *pcap_dir, char *pcap_meta_file, uint64_t max_pcap, gboolean pcap_per_flow, gboolean force_read_all, gboolean stats_mode, gboolean index_pcap, gboolean no_vlan_in_key, gboolean ndpi, char *ndpi_proto_file, char *hash, char *stime, void **hfctx)|
|void||yfFlowTabFree (yfFlowTab_t *flowtab)|
|Free a previously allocated flow table. More...|
|void||yfUpdateRollingPcapFile (yfFlowTab_t *flowtab, char *new_file_name)|
|Update the Pcap Filename in the Flowtab for pcap meta data output. More...|
|void||yfGetFlowTabStats (yfFlowTab_t *flowtab, uint64_t *packets, uint64_t *flows, uint64_t *rej_pkts, uint32_t *peak, uint32_t *flush)|
|yfGetFlowTabStats Get Flow Table Stats for Export More...|
|void||yfFlowPBuf (yfFlowTab_t *flowtab, size_t pbuflen, yfPBuf_t *pbuf)|
|Add a decoded packet buffer to a given flow table. More...|
|gboolean||yfFlowTabFlush (void *yfContext, gboolean close, GError **err)|
|Flush closed flows in the given flow table to the given IPFIX Message Buffer. More...|
|uint64_t||yfFlowTabCurrentTime (yfFlowTab_t *flowtab)|
|Get the current packet clock from a flow table. More...|
|uint64_t||yfFlowDumpStats (yfFlowTab_t *flowtab, GTimer *timer)|
|Print flow table statistics to the log. More...|
Flow generation interface for YAF.
[TODO - frontmatter]
This facility is used by YAF to assemble packets into flows.
|typedef struct yfFlowTab_st yfFlowTab_t|
|uint64_t yfFlowDumpStats||(||yfFlowTab_t *||flowtab,|
Print flow table statistics to the log.
|flowtab||flow table to dump stats for|
|timer||a GTimer containing the runtime (for packet and flow rate logging). May be NULL to suppress rate logging.|
Add a decoded packet buffer to a given flow table.
Adds the packet to the flow to which it belongs, creating a new flow if necessary. Causes the flow to which it belongs to time out if it is longer than the active timeout. Closes the flow if the flow closure conditions (TCP RST, TCP FIN four-way teardown) are met.
|flowtab||flow table to add the packet to|
|pbuflen||size of the packet buffer pbuf|
|pbuf||packet buffer containing decoded packet to add.|
Allocate a flow table.
|idle_ms||idle timeout in milliseconds. A flow that receives no packets for the idle timeout is assumed to be complete.|
|active_ms||active timeout in milliseconds. The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow.|
|max_flows||maximum number of active flows. Flows exceeding this limit will be expired in least-recent order, as if they were idle. Used to limit resource usage of a flow table. A value of 0 disables flow count limits.|
|max_payload||maximum octets of payload to capture per flow direction. Requires at least max_payload octets of payload to be available in each packet buffer passed to yfFlowPBuf(). A value of 0 disables payload capture and export.|
|uniflow||If TRUE, export biflows using record adjacency (two uniflows exported back-to-back. Use this for interoperability with IPFIX collectors that do not implement RFC 5103.|
|silkmode||If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow. Set high order bit in flowEndReason for each flow created on an overflow or active timeout. Breaks IPFIX interoperability; use for direct export to SiLK rwflowpack or flowcap.|
|macmode||If TRUE, collect and export source and destination Mac Addresses.|
|applabelmode||If TRUE, then the payload, (as limited by max_payload,) is sent through various plugins and code in order to determine which protocol is running on the flow by doing only payload inspection and exporting payload relevent information.|
|entropymode||If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload). The entropy value is exported as two values one for forward payload and one for reverse payload.|
|fingerprintmode||If TRUE, then this will enable passive OS finger printing using the p0f engine based mostly on TCP negotiation|
|fpExportMode||If TRUE, then this will enable exporting of full packet banners of the TCP negotiations for the first three packets (including IP and transport headers) for external fingerprinting|
|udp_max_payload||If TRUE, then this will enable capturing up to max_payload value for udp flows (instead of just the first packet)|
|udp_uniflow_port||If not 0, then this will enable exporting a single UDP packet with this src/dst port as a flow.|
|pcap_dir||Directory to put pcap-per-flow files|
|pcap_meta_file||File for pcap meta output. Default is stdout|
|max_pcap||Maximum size [in bytes] of a pcap file before rotating.|
|pcap_per_flow||If TRUE, then pcap_dir will be set to the directory to place pcap-per-flow files.|
|force_read_all||If TRUE, then yaf will process files that are out of sequence.|
|stats_mode||If TRUE, then YAF will do some extra calculations on flows.|
|index_pcap||If TRUE, print one line per packet we export. This will give offset and length into the pcap yaf writes.|
|no_vlan_in_key||If TRUE, this will remove the vlan in the calculation of the flow key hash.|
|ndpi||If TRUE, enable nDPI application labeling with standard protocols.|
|ndpi_proto_file||If not NULL, and ndpi is TRUE, use the provided protocol file to expand the sub-protocols list and port-based detection methods.|
|hash||The flow key hash to create a PCAP for.|
|stime||The start time to create a PCAP for.|
|hfctx||The plugin hooks context variable (NULL if plugins not enabled)|
|uint64_t yfFlowTabCurrentTime||(||yfFlowTab_t *||flowtab||)|
Get the current packet clock from a flow table.
|flowtab||a flow table|
|gboolean yfFlowTabFlush||(||void *||yfContext,|
Flush closed flows in the given flow table to the given IPFIX Message Buffer.
Causes any idle flows to time out, removing them from the active flow table; also enforces the flow table's resource limit. If close is TRUE, additionally closes all active flows and flushes as well.
|yfContext||YAF thread context structure, holds pointers for the flowtable from which to flush flows and the fbuf, the destination to which the flows should be flushed|
|close||close all active flows before flushing|
|err||An error description pointer; must not be NULL.|
|void yfFlowTabFree||(||yfFlowTab_t *||flowtab||)|
Free a previously allocated flow table.
Discards any outstanding active flows without closing or flushing them; use yfFlowTabFlushAll() before yfFlowFree() to do this.
|flowtab||a flow table allocated by yfFlowTabAlloc()|
|void yfGetFlowTabStats||(||yfFlowTab_t *||flowtab,|
yfGetFlowTabStats Get Flow Table Stats for Export
|packets||number of packets processed|
|flows||number of flows created|
|rej_pkts||number of packets rejected due to out of sequence|
|peak||maximum number of flows in the flow table at any 1 time|
|flush||number of flush events called on flow table|
|void yfUpdateRollingPcapFile||(||yfFlowTab_t *||flowtab,|
Update the Pcap Filename in the Flowtab for pcap meta data output.
|flowtab||pointer to flow table|
|new_file_name||the filename of the next pcap file to write to|