
#include <yaftab.h>
Data Fields

| Type | Field | Description |
|---|---|---|
| int32_t | active_sec | Active timeout in seconds. |
| int32_t | idle_sec | Idle timeout in seconds. |
| uint32_t | max_flows | Maximum number of active flows. |
| uint32_t | max_payload | Maximum octets of payload to capture per flow direction. |
| uint32_t | applabel_check_early | A non-zero value enables early appLabel detection. |
| const char * | ndpi_proto_file | If not NULL, and ndpi is TRUE, use the provided protocol file to expand the sub-protocols list and port-based detection methods. |
| const char * | pcap_dir | Directory to put pcap-per-flow files. |
| const char * | pcap_meta_file | File for pcap meta output. |
| uint64_t | pcap_max | Maximum size [in bytes] of a pcap file before rotating. |
| uint32_t | pcap_search_flowkey | The flow key hash to create a PCAP for. |
| const char * | pcap_search_stime | The start time to create a PCAP for. |
| GArray * | applabel_max_paylen | Max payload length to store per appLabel. |
| uint16_t | udp_uniflow_port | If not 0, then this will enable exporting a single UDP packet with this src/dst port as a flow. |
| gboolean | applabel_mode | If TRUE, then the payload (as limited by max_payload) is sent through various plugins and code in order to determine which protocol is running on the flow by doing only payload inspection and exporting payload-relevant information. |
| gboolean | entropy_mode | If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload). |
| gboolean | flowstats_mode | If TRUE, then YAF will do some extra calculations on flows. |
| gboolean | force_read_all | If TRUE, then yaf will process files that are out of sequence. |
| gboolean | fpexport_mode | If TRUE, then this will enable exporting of full packet banners of the TCP negotiations for the first three packets (including IP and transport headers) for external fingerprinting. |
| gboolean | mac_mode | If TRUE, collect and export source and destination MAC addresses. |
| gboolean | ndpi | If TRUE, enable nDPI application labeling with standard protocols. |
| gboolean | no_vlan_in_key | If TRUE, this will remove the VLAN from the calculation of the flow key hash. |
| gboolean | p0f_mode | If TRUE, then this will enable passive OS fingerprinting using the p0f engine, based mostly on TCP negotiation. |
| gboolean | pcap_index | If TRUE, print one line per packet we export. |
| gboolean | pcap_per_flow | If TRUE, then pcap_dir will be set to the directory to place pcap-per-flow files. |
| gboolean | silk_mode | If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow. |
| gboolean | udp_multipkt_payload | If TRUE, then this will enable capturing payload for all UDP packets in a flow (instead of just the first packet) up to the max_payload value. |
| gboolean | uniflow_mode | If TRUE, export biflows using record adjacency (two uniflows exported back-to-back). |
Configuration settings used to initialize the flow table in yfFlowTabAlloc().
`int32_t yfFlowTabConfig_st::active_sec`
Active timeout in seconds.
The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow.

`uint32_t yfFlowTabConfig_st::applabel_check_early`
A non-zero value enables early appLabel detection.
The value is the number of payload octets one side of a flow (FlowVal) has to have to trigger running the appLabel detector.

`GArray* yfFlowTabConfig_st::applabel_max_paylen`
Max payload length to store per appLabel.
Must be NULL if not in use. The array contains uint32_t values added in pairs, where the first is the appLabel and the second is the payload length. An appLabel of UINT32_MAX indicates the payload length to use for any appLabel that is not mentioned in the array. yfFlowTabAlloc() expects the array's appLabel entries to be unique and sorted (ascending) by appLabel.
yfFlowTabAlloc() frees the GArray.
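The pair layout described above is easy to get subtly wrong (odd length, duplicate or unsorted appLabels, catch-all not last), and yfFlowTabAlloc() relies on it. The following is an added example, not yaf's own code: it validates a constructed applabel_max_paylen table against the invariants stated here and resolves the payload cap for a given appLabel. A plain uint32_t array stands in for the GArray so it runs without GLib; the `paylen_for_label()` helper, its `dflt` fallback when no UINT32_MAX entry exists, and the sample label/length values are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed sample table in the page's layout: uint32_t values in
 * (appLabel, payload-length) pairs, sorted ascending by appLabel, with
 * UINT32_MAX as the catch-all for labels not listed. In yaf these values
 * would be appended to a GArray of uint32_t; a C array is used here. */
static const uint32_t sample_paylen[] = {
    22,         64,   /* constructed: keep 64 octets for label 22  */
    80,         2048, /* constructed: keep 2048 octets for label 80 */
    443,        512,  /* constructed: keep 512 octets for label 443 */
    UINT32_MAX, 256   /* constructed: any other appLabel            */
};
static const size_t sample_paylen_len =
    sizeof(sample_paylen) / sizeof(sample_paylen[0]);

/* Check the invariants yfFlowTabAlloc() expects: values come in pairs,
 * and appLabels are unique and strictly ascending (which also forces a
 * UINT32_MAX catch-all, if present, to be the last pair). */
bool paylen_table_valid(const uint32_t *tab, size_t n)
{
    if (n % 2 != 0) return false;               /* dangling label w/o length */
    for (size_t i = 2; i < n; i += 2) {
        if (tab[i] <= tab[i - 2]) return false; /* duplicate or out of order */
    }
    return true;
}

/* Resolve the payload cap for one appLabel (hypothetical helper): binary
 * search over the sorted pairs, then fall back to the UINT32_MAX entry,
 * and finally to `dflt` (e.g. max_payload) if the table has no catch-all.
 * The `dflt` fallback is an assumption of this example, not yaf behaviour. */
uint32_t paylen_for_label(const uint32_t *tab, size_t n,
                          uint32_t label, uint32_t dflt)
{
    size_t lo = 0, hi = n / 2;                  /* search over pair indices */
    while (lo < hi) {
        size_t   mid = lo + (hi - lo) / 2;
        uint32_t key = tab[2 * mid];
        if (key == label) return tab[2 * mid + 1];
        if (key < label) lo = mid + 1; else hi = mid;
    }
    if (n >= 2 && tab[n - 2] == UINT32_MAX) return tab[n - 1];
    return dflt;
}
```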
`gboolean yfFlowTabConfig_st::entropy_mode`
If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload).
The entropy value is exported as two values, one for the forward payload and one for the reverse payload.

`int32_t yfFlowTabConfig_st::idle_sec`
Idle timeout in seconds.
A flow that receives no packets for the idle timeout is assumed to be complete.

`uint32_t yfFlowTabConfig_st::max_flows`
Maximum number of active flows.
Flows exceeding this limit will be expired in least-recent order, as if they were idle. Used to limit resource usage of a flow table. A value of 0 disables flow count limits.

`uint32_t yfFlowTabConfig_st::max_payload`
Maximum octets of payload to capture per flow direction.
Requires at least max_payload octets of payload to be available in each packet buffer passed to yfFlowPBuf(). A value of 0 disables payload capture and export.

`gboolean yfFlowTabConfig_st::pcap_index`
If TRUE, print one line per packet we export.
This will give the offset and length into the pcap that yaf writes.

`const char* yfFlowTabConfig_st::pcap_meta_file`
File for pcap meta output.
Default is stdout.

`gboolean yfFlowTabConfig_st::silk_mode`
If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow.
Set the high-order bit in flowEndReason for each flow created on an overflow or active timeout. Breaks IPFIX interoperability; use for direct export to SiLK rwflowpack or flowcap.

`gboolean yfFlowTabConfig_st::uniflow_mode`
If TRUE, export biflows using record adjacency (two uniflows exported back-to-back).
Use this for interoperability with IPFIX collectors that do not implement RFC 5103.