yafcore.h

Go to the documentation of this file.

/*
 *  Copyright 2006-2025 Carnegie Mellon University
 *  See license information in LICENSE.txt.
 */
/*
 *
 *  yafcore.h
 *  YAF core I/O routines
 *
 *  ------------------------------------------------------------------------
 *  Authors: Brian Trammell
 *  ------------------------------------------------------------------------
 *  @DISTRIBUTION_STATEMENT_BEGIN@
 *  YAF 2.18
 *
 *  Copyright 2025 Carnegie Mellon University.
 *
 *  NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
 *  INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
 *  UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
 *  AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
 *  PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
 *  THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
 *  ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
 *  INFRINGEMENT.
 *
 *  Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
 *  contact permission@sei.cmu.edu for full terms.
 *
 *  [DISTRIBUTION STATEMENT A] This material has been approved for public
 *  release and unlimited distribution.  Please see Copyright notice for
 *  non-US Government use and distribution.
 *
 *  This Software includes and/or makes use of Third-Party Software each
 *  subject to its own license.
 *
 *  DM25-1281
 *  @DISTRIBUTION_STATEMENT_END@
 *  ------------------------------------------------------------------------
 */


 
#ifndef _YAF_CORE_H_
#define _YAF_CORE_H_
 
#include <yaf/autoinc.h>
#include <fixbuf/public.h>
#include <yaf/yaftime.h>
 

#define CERT_PEN    6871

#define YAF_ERROR_DOMAIN        (g_quark_from_string("certYAFError"))
#define YAF_ERROR_HEADER        1
#define YAF_ERROR_ARGUMENT      2
#define YAF_ERROR_IO            3
#define YAF_ERROR_IPFIX         4
#define YAF_ERROR_IMPL          5
#define YAF_ERROR_INTERNAL      6
#define YAF_ERROR_LIMIT         7
#define YAF_ERROR_EOF           8
#define YAF_ERROR_ALIGNMENT         9
#define YAF_ERROR_PACKET_PAYLOAD    10
 
 
 
/*  The YAF_END_* values are used as indexes into the
 *  yfFlowTabStats_t.stat_closed[] array in yaftab.h. */

#define YAF_FLOW_ACTIVE         0
#define YAF_END_IDLE            1
#define YAF_END_ACTIVE          2
#define YAF_END_CLOSED          3
#define YAF_END_FORCED          4
#define YAF_END_RESOURCE        5
#define YAF_END_UDPFORCE        0x1F
#define YAF_END_MASK            0x7F
#define YAF_ENDF_ISCONT         0x80

/* YAF_ATTR_SAME_SIZE in yaf-3 */
#define YAF_SAME_SIZE           0x01
/* YAF_ATTR_OUT_OF_SEQUENCE in yaf-3 */
#define YAF_OUT_OF_SEQUENCE     0x02
/* YAF_ATTR_MP_CAPABLE in yaf-3 */
#define YAF_MP_CAPABLE          0x04
/* YAF_ATTR_FRAGMENTS in yaf-3 */
#define YAF_FRAGMENTS           0x08
#define YAF_PARTIAL_FRAGS       0x10
#define YAF_FRAG_ACTIVE         0x03
#define YAF_FRAG_PASSIVE        0x04

#define YAF_IP_ICMP             1
#define YAF_IP_TCP              6
#define YAF_IP_UDP              17

#define YFP_IPTCPHEADER_SIZE    128
#define ETHERNET_MAC_ADDR_LENGTH 6
#define YAF_MAX_HOOKS            4

#define YAF_HOOKS_MAX_EXPORT    1500
#define YAF_MAX_PKT_BOUNDARY    25
#define YAF_PCAP_MAX            5000000
#define YAF_MAX_MPLS_LABELS     3

#define YAF_SMALL_PKT_BOUND     60
#define YAF_LARGE_PKT_BOUND     225
 

typedef struct yfConfig_st yfConfig_t;
 

typedef enum yfRecordTimeIE_en {
    YF_TIME_IE__UNSET,
    YF_TIME_IE_MILLI,
    YF_TIME_IE_MICRO,
    YF_TIME_IE_NANO
} yfRecordTimeIE_t;

#define YF_TIME_IE__FIRST   YF_TIME_IE_MILLI

#define YF_TIME_IE__LAST    YF_TIME_IE_NANO

#define YF_TIME_IE__DEFAULT (YF_TIME_IE_MILLI | YF_TIME_IE_MICRO)

#define yfRecordTimeIEBitSet(t_)          (1 << ((t_) - 1))

#define yfRecordTimeIEBitCheck(bits_, t_) ((bits_) & yfRecordTimeIEBitSet(t_))
 

typedef struct yfFlowKey_st {
    uint16_t   sp;
    uint16_t   dp;
    uint8_t    proto;
    uint8_t    version;
    uint16_t   vlanId;
    uint8_t    tos;
#if YAF_ENABLE_DAG_SEPARATE_INTERFACES || YAF_ENABLE_SEPARATE_INTERFACES
    uint8_t    netIf;
#endif
    uint32_t   layer2Id;
    union {
        struct {
            uint32_t   sip;
            uint32_t   dip;
        } v4;
        struct {
            uint8_t   sip[16];
            uint8_t   dip[16];
        } v6;
    } addr;
} yfFlowKey_t;

typedef struct yfFlowStats_st {
    uint64_t   iaarray[10];
    uint32_t   pktsize[10];
    uint64_t   payoct;
    yfTime_t   ltime;
    uint32_t   tcpurgct;
    uint32_t   smallpktct;
    uint32_t   nonemptypktct;
    uint32_t   largepktct;
    uint32_t   aitime;
    uint32_t   firstpktsize;
    uint32_t   maxpktsize;
} yfFlowStats_t;

typedef struct yfFlowVal_st {
    uint64_t        oct;
    uint64_t        pkt;
#if YAF_ENABLE_PAYLOAD
    uint32_t       *paybounds;
    uint8_t        *payload;
    uint32_t        paylen;
#endif /* if YAF_ENABLE_PAYLOAD */
    uint32_t        isn;
    uint32_t        lsn;
    uint16_t        first_pkt_size;
    uint16_t        attributes;
    uint16_t        vlan;
    uint8_t         iflags;
    uint8_t         uflags;
    uint8_t         appkt;
    bool            applabel_tried;
#if YAF_ENABLE_SEPARATE_INTERFACES
    uint8_t         netIf;
#endif
#if YAF_ENABLE_ENTROPY
    uint8_t         entropy;
#endif /* if YAF_ENABLE_ENTROPY */
#if YAF_ENABLE_P0F
    const char     *osname;
    const char     *osver;
    char           *osFingerPrint;
#endif /* if YAF_ENABLE_P0F */
#if YAF_ENABLE_FPEXPORT
    uint32_t        firstPacketLen;
    uint32_t        secondPacketLen;
    uint8_t        *firstPacket;
    uint8_t        *secondPacket;
#endif /* if YAF_ENABLE_FPEXPORT */
    yfFlowStats_t  *stats;
} yfFlowVal_t;
 
#if YAF_MPLS
typedef struct yfMPLSNode_st {
    GHashTable  *tab;
    uint32_t     mpls_label[YAF_MAX_MPLS_LABELS];
    int          tab_count;
} yfMPLSNode_t;
#endif /* if YAF_MPLS */
 
typedef struct yaf_mptcp_st {
    uint64_t   idsn;
    uint32_t   token;
    uint16_t   mss;
    uint8_t    addrid;
    uint8_t    flags;
} yaf_mptcp_t;
 

typedef struct yfFlow_st {
    yfTime_t        stime;
    yfTime_t        etime;
#ifdef YAF_ENABLE_HOOKS
    void           *hfctx[YAF_MAX_HOOKS];
#endif
    /*
     * Reverse flow delta start time. Equivalent to initial packet round-trip
     * time; useful for decomposing biflows into uniflows.
     */
    yfDiffTime_t    rdtime;
#if YAF_ENABLE_APPLABEL
    uint16_t        appLabel;
#endif
#if YAF_ENABLE_NDPI
    uint16_t        ndpi_master;
    uint16_t        ndpi_sub;
#endif
    uint8_t         reason;
    uint8_t         pcap_serial;
    uint8_t         sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    uint8_t         destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    uint8_t         pcap_file_no;
    uint8_t         pktdir;
    uint8_t         rtos;
    pcap_dumper_t  *pcap;
#if YAF_MPLS
    yfMPLSNode_t   *mpls;
#endif
    yaf_mptcp_t     mptcp;
    yfFlowVal_t     val;
    yfFlowVal_t     rval;
    yfFlowKey_t     key;
} yfFlow_t;

void
yfAlignmentCheck(
    void);
 

void
yfFlowPrepare(
    yfFlow_t  *flow);

void
yfFlowCleanup(
    yfFlow_t  *flow);

fBuf_t *
yfWriterForFile(
    const char        *path,
    const yfConfig_t  *yfConfig,
    GError           **err);

fBuf_t *
yfWriterForFP(
    FILE              *fp,
    const yfConfig_t  *yfConfig,
    GError           **err);

fBuf_t *
yfWriterForSpec(
    fbConnSpec_t      *spec,
    const yfConfig_t  *yfConfig,
    GError           **err);
 
 
#ifdef HAVE_SPREAD
fBuf_t *
yfWriterForSpread(
    fbSpreadParams_t  *params,
    uint16_t          *spreadGroupIndex,
    const yfConfig_t  *yfConfig,
    GError           **err);
#endif /* HAVE_SPREAD */

gboolean
yfWriteOptionsDataFlows(
    void      *yfContext,
    uint32_t   pcap_drop,
    GTimer    *timer,
    GError   **err);

gboolean
yfWriteStatsFlow(
    void      *yfContext,
    uint32_t   pcap_drop,
    GTimer    *timer,
    GError   **err);

gboolean
yfWriteTombstoneFlow(
    void    *yfContext,
    GError **err);

gboolean
yfWriteFlow(
    void      *yfContext,
    yfFlow_t  *flow,
    GError   **err);

gboolean
yfWriterClose(
    fBuf_t    *fbuf,
    gboolean   flush,
    GError   **err);

fBuf_t *
yfReaderForFP(
    fBuf_t  *fbuf,
    FILE    *fp,
    GError **err);

fbListener_t *
yfListenerForSpec(
    fbConnSpec_t          *spec,
    fbListenerAppInit_fn   appinit,
    fbListenerAppFree_fn   appfree,
    GError               **err);

gboolean
yfReadFlow(
    fBuf_t    *fbuf,
    yfFlow_t  *flow,
    GError   **err);

gboolean
yfReadFlowExtended(
    fBuf_t    *fbuf,
    yfFlow_t  *flow,
    GError   **err);

void
yfPrintString(
    GString         *rstr,
    const yfFlow_t  *flow);

void
yfPrintDelimitedString(
    GString         *rstr,
    const yfFlow_t  *flow,
    gboolean         yaft_mac);

gboolean
yfPrint(
    FILE            *out,
    const yfFlow_t  *flow,
    GError         **err);

gboolean
yfPrintDelimited(
    FILE            *out,
    const yfFlow_t  *flow,
    gboolean         yaft_mac,
    GError         **err);

void
yfPrintColumnHeaders(
    FILE      *out,
    gboolean   yaft_mac,
    GError   **err);
 
#if YAF_ENABLE_HOOKS
fbInfoModel_t *
yfDPIInfoModel(
    void);
#endif /* if YAF_ENABLE_HOOKS */
 
#endif /* ifndef _YAF_CORE_H_ */