yafcore.h
Go to the documentation of this file.
1/*
2 * Copyright 2006-2025 Carnegie Mellon University
3 * See license information in LICENSE.txt.
4 */
5/*
6 *
7 * yafcore.h
8 * YAF core I/O routines
9 *
10 * ------------------------------------------------------------------------
11 * Authors: Brian Trammell
12 * ------------------------------------------------------------------------
13 * @DISTRIBUTION_STATEMENT_BEGIN@
14 * YAF 2.17
15 *
16 * Copyright 2025 Carnegie Mellon University.
17 *
18 * NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
19 * INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
20 * UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
21 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
22 * PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
23 * THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
24 * ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
25 * INFRINGEMENT.
26 *
27 * Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
28 * contact permission@sei.cmu.edu for full terms.
29 *
30 * [DISTRIBUTION STATEMENT A] This material has been approved for public
31 * release and unlimited distribution. Please see Copyright notice for
32 * non-US Government use and distribution.
33 *
34 * This Software includes and/or makes use of Third-Party Software each
35 * subject to its own license.
36 *
37 * DM25-0934
38 * @DISTRIBUTION_STATEMENT_END@
39 * ------------------------------------------------------------------------
40 */
41
82#ifndef _YAF_CORE_H_
83#define _YAF_CORE_H_
84
85#include <yaf/autoinc.h>
86#include <fixbuf/public.h>
87#include <yaf/yaftime.h>
88
89
95#define CERT_PEN 6871
96
102#define YAF_ERROR_DOMAIN (g_quark_from_string("certYAFError"))
104#define YAF_ERROR_HEADER 1
106#define YAF_ERROR_ARGUMENT 2
108#define YAF_ERROR_IO 3
110#define YAF_ERROR_IPFIX 4
112#define YAF_ERROR_IMPL 5
114#define YAF_ERROR_INTERNAL 6
116#define YAF_ERROR_LIMIT 7
118#define YAF_ERROR_EOF 8
120#define YAF_ERROR_ALIGNMENT 9
122#define YAF_ERROR_PACKET_PAYLOAD 10
123
124
125
130#define YAF_FLOW_ACTIVE 0
132#define YAF_END_IDLE 1
134#define YAF_END_ACTIVE 2
136#define YAF_END_CLOSED 3
138#define YAF_END_FORCED 4
140#define YAF_END_RESOURCE 5
142#define YAF_END_UDPFORCE 0x1F
144#define YAF_END_MASK 0x7F
146#define YAF_ENDF_ISCONT 0x80
147
149#define YAF_SAME_SIZE 0x01
151#define YAF_OUT_OF_SEQUENCE 0x02
153#define YAF_MP_CAPABLE 0x04
155#define YAF_FRAGMENTS 0x08
157#define YAF_PARTIAL_FRAGS 0x10
159#define YAF_FRAG_ACTIVE 0x03
161#define YAF_FRAG_PASSIVE 0x04
162
164#define YAF_IP_ICMP 1
166#define YAF_IP_TCP 6
168#define YAF_IP_UDP 17
169
173#define YFP_IPTCPHEADER_SIZE 128
175#define ETHERNET_MAC_ADDR_LENGTH 6
177#define YAF_MAX_HOOKS 4
178
181#define YAF_HOOKS_MAX_EXPORT 1500
183#define YAF_MAX_PKT_BOUNDARY 25
185#define YAF_PCAP_MAX 5000000
187#define YAF_MAX_MPLS_LABELS 3
188
191#define YAF_SMALL_PKT_BOUND 60
194#define YAF_LARGE_PKT_BOUND 225
195
196
200typedef struct yfConfig_st yfConfig_t;
201
202
216
218#define YF_TIME_IE__FIRST YF_TIME_IE_MILLI
219
221#define YF_TIME_IE__LAST YF_TIME_IE_NANO
222
224#define YF_TIME_IE__DEFAULT (YF_TIME_IE_MILLI | YF_TIME_IE_MICRO)
225
229#define yfRecordTimeIEBitSet(t_) (1 << ((t_) - 1))
230
234#define yfRecordTimeIEBitCheck(bits_, t_) ((bits_) & yfRecordTimeIEBitSet(t_))
235
236
244typedef struct yfFlowKey_st {
246 uint16_t sp;
248 uint16_t dp;
250 uint8_t proto;
252 uint8_t version;
254 uint16_t vlanId;
256 uint8_t tos;
260#if YAF_ENABLE_DAG_SEPARATE_INTERFACES || YAF_ENABLE_SEPARATE_INTERFACES
261 uint8_t netIf;
262#endif
264 uint32_t layer2Id;
266 union {
267 struct {
269 uint32_t sip;
271 uint32_t dip;
272 } v4;
273 struct {
275 uint8_t sip[16];
277 uint8_t dip[16];
278 } v6;
279 } addr;
280} yfFlowKey_t;
281
285typedef struct yfFlowStats_st {
287 uint64_t iaarray[10];
289 uint32_t pktsize[10];
291 uint64_t payoct;
293 yfTime_t ltime;
295 uint32_t tcpurgct;
297 uint32_t smallpktct;
299 uint32_t nonemptypktct;
301 uint32_t largepktct;
303 uint32_t aitime;
305 uint32_t firstpktsize;
307 uint32_t maxpktsize;
308} yfFlowStats_t;
309
314typedef struct yfFlowVal_st {
316 uint64_t oct;
318 uint64_t pkt;
319#if YAF_ENABLE_PAYLOAD
321 uint32_t paylen;
323 uint8_t *payload;
325 size_t *paybounds;
326#endif /* if YAF_ENABLE_PAYLOAD */
328 uint32_t isn;
330 uint32_t lsn;
332 uint16_t first_pkt_size;
334 uint16_t attributes;
336 uint8_t iflags;
338 uint8_t uflags;
340 uint8_t appkt;
342 uint16_t vlan;
343#if YAF_ENABLE_SEPARATE_INTERFACES
344 uint8_t netIf;
345#endif
346#if YAF_ENABLE_ENTROPY
348 uint8_t entropy;
350 uint8_t entpad[7];
351#endif /* if YAF_ENABLE_ENTROPY */
352#if YAF_ENABLE_P0F
354 const char *osname;
356 const char *osver;
358 uint8_t fuzzyMatch;
360 uint8_t fuzzyPad[7];
362 char *osFingerPrint;
363#endif /* if YAF_ENABLE_P0F */
364#if YAF_ENABLE_FPEXPORT
366 uint32_t firstPacketLen;
368 uint32_t secondPacketLen;
370 uint8_t *firstPacket;
372 uint8_t *secondPacket;
373#endif /* if YAF_ENABLE_FPEXPORT */
375 yfFlowStats_t *stats;
376} yfFlowVal_t;
377
378#if YAF_MPLS
379typedef struct yfMPLSNode_st {
381 GHashTable *tab;
383 uint32_t mpls_label[YAF_MAX_MPLS_LABELS];
385 int tab_count;
386} yfMPLSNode_t;
387#endif /* if YAF_MPLS */
388
389typedef struct yaf_mptcp_st {
391 uint64_t idsn;
393 uint32_t token;
395 uint16_t mss;
397 uint8_t addrid;
399 uint8_t flags;
400} yaf_mptcp_t;
401
402
409typedef struct yfFlow_st {
411 yfTime_t stime;
413 yfTime_t etime;
414#ifdef YAF_ENABLE_HOOKS
419 void *hfctx[YAF_MAX_HOOKS];
420#endif
421 /*
422 * Reverse flow delta start time. Equivalent to initial packet round-trip
423 * time; useful for decomposing biflows into uniflows.
424 */
425 yfDiffTime_t rdtime;
426#if YAF_ENABLE_APPLABEL
428 uint16_t appLabel;
429#endif
430#if YAF_ENABLE_NDPI
431 uint16_t ndpi_master;
432 uint16_t ndpi_sub;
433#endif
435 uint8_t reason;
437 uint8_t pcap_serial;
439 uint8_t sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH];
441 uint8_t destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH];
443 uint8_t pcap_file_no;
445 uint8_t pktdir;
447 uint8_t rtos;
449 pcap_dumper_t *pcap;
450#if YAF_MPLS
452 yfMPLSNode_t *mpls;
453#endif
455 yaf_mptcp_t mptcp;
457 yfFlowVal_t val;
459 yfFlowVal_t rval;
461 yfFlowKey_t key;
462} yfFlow_t;
463
472void
473yfAlignmentCheck(
474 void);
475
476
485void
486yfFlowPrepare(
487 yfFlow_t *flow);
488
496void
497yfFlowCleanup(
498 yfFlow_t *flow);
499
510fBuf_t *
511yfWriterForFile(
512 const char *path,
513 const yfConfig_t *yfConfig,
514 GError **err);
515
528fBuf_t *
529yfWriterForFP(
530 FILE *fp,
531 const yfConfig_t *yfConfig,
532 GError **err);
533
542fBuf_t *
543yfWriterForSpec(
544 fbConnSpec_t *spec,
545 const yfConfig_t *yfConfig,
546 GError **err);
547
548
549#ifdef HAVE_SPREAD
561fBuf_t *
562yfWriterForSpread(
563 fbSpreadParams_t *params,
564 uint16_t *spreadGroupIndex,
565 const yfConfig_t *yfConfig,
566 GError **err);
567#endif /* HAVE_SPREAD */
568
581gboolean
582yfWriteOptionsDataFlows(
583 void *yfContext,
584 uint32_t pcap_drop,
585 GTimer *timer,
586 GError **err);
587
602gboolean
603yfWriteStatsFlow(
604 void *yfContext,
605 uint32_t pcap_drop,
606 GTimer *timer,
607 GError **err);
608
620gboolean
621yfWriteTombstoneFlow(
622 void *yfContext,
623 GError **err);
624
636gboolean
637yfWriteFlow(
638 void *yfContext,
639 yfFlow_t *flow,
640 GError **err);
641
653gboolean
654yfWriterClose(
655 fBuf_t *fbuf,
656 gboolean flush,
657 GError **err);
658
671fBuf_t *
672yfReaderForFP(
673 fBuf_t *fbuf,
674 FILE *fp,
675 GError **err);
676
692fbListener_t *
693yfListenerForSpec(
694 fbConnSpec_t *spec,
695 fbListenerAppInit_fn appinit,
696 fbListenerAppFree_fn appfree,
697 GError **err);
698
715gboolean
716yfReadFlow(
717 fBuf_t *fbuf,
718 yfFlow_t *flow,
719 GError **err);
720
738gboolean
739yfReadFlowExtended(
740 fBuf_t *fbuf,
741 yfFlow_t *flow,
742 GError **err);
743
754void
755yfPrintString(
756 GString *rstr,
757 const yfFlow_t *flow);
758
770void
771yfPrintDelimitedString(
772 GString *rstr,
773 const yfFlow_t *flow,
774 gboolean yaft_mac);
775
788gboolean
789yfPrint(
790 FILE *out,
791 const yfFlow_t *flow,
792 GError **err);
793
807gboolean
808yfPrintDelimited(
809 FILE *out,
810 const yfFlow_t *flow,
811 gboolean yaft_mac,
812 GError **err);
813
822void
823yfPrintColumnHeaders(
824 FILE *out,
825 gboolean yaft_mac,
826 GError **err);
827
828#if YAF_ENABLE_HOOKS
834fbInfoModel_t *
835yfDPIInfoModel(
836 void);
837#endif /* if YAF_ENABLE_HOOKS */
838
839#endif /* ifndef _YAF_CORE_H_ */
yaf_mptcp_st
Definition yafcore.h:389
yaf_mptcp_st::idsn
uint64_t idsn
initial data seq no.
Definition yafcore.h:391
yaf_mptcp_st::mss
uint16_t mss
max segment size
Definition yafcore.h:395
yaf_mptcp_st::flags
uint8_t flags
hash_flags
Definition yafcore.h:399
yaf_mptcp_st::token
uint32_t token
receiver token
Definition yafcore.h:393
yaf_mptcp_st::addrid
uint8_t addrid
addr id
Definition yafcore.h:397
yfDiffTime_st
YAF time difference: represents the difference of two yfTime_t.
Definition yaftime.h:55
yfFlow_st
A YAF flow.
Definition yafcore.h:409
yfFlow_st::rval
yfFlowVal_t rval
Reverse value.
Definition yafcore.h:459
yfFlow_st::mptcp
yaf_mptcp_t mptcp
MPTCP Flow.
Definition yafcore.h:455
yfFlow_st::pcap_serial
uint8_t pcap_serial
Keep track of number of pcap files for this flow.
Definition yafcore.h:437
yfFlow_st::etime
yfTime_t etime
Flow end time.
Definition yafcore.h:413
yfFlow_st::stime
yfTime_t stime
Flow start time.
Definition yafcore.h:411
yfFlow_st::rtos
uint8_t rtos
reverse ToS (fwd in flowKey)
Definition yafcore.h:447
yfFlow_st::pktdir
uint8_t pktdir
non empty packet directions, 1, or 0
Definition yafcore.h:445
yfFlow_st::key
yfFlowKey_t key
Flow key.
Definition yafcore.h:461
yfFlow_st::destinationMacAddr
uint8_t destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH]
destination Mac Address
Definition yafcore.h:441
yfFlow_st::sourceMacAddr
uint8_t sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH]
src Mac Address
Definition yafcore.h:439
yfFlow_st::pcap
pcap_dumper_t * pcap
Pcap File Ptr.
Definition yafcore.h:449
yfFlow_st::val
yfFlowVal_t val
Forward value.
Definition yafcore.h:457
yfFlow_st::pcap_file_no
uint8_t pcap_file_no
Pcap File "ID" so we know when to make entries in metadata file.
Definition yafcore.h:443
yfFlow_st::reason
uint8_t reason
Flow termination reason (YAF_END_ macros, per IPFIX standard)
Definition yafcore.h:435
yfFlowKey_st
A YAF flow key.
Definition yafcore.h:244
yfFlowKey_st::tos
uint8_t tos
Type of Service/Traffic Class.
Definition yafcore.h:256
yfFlowKey_st::version
uint8_t version
IP Version.
Definition yafcore.h:252
yfFlowKey_st::sip
uint32_t sip
Source IPv4 address.
Definition yafcore.h:269
yfFlowKey_st::dip
uint32_t dip
Destination IPv4 address.
Definition yafcore.h:271
yfFlowKey_st::sp
uint16_t sp
Source transport port.
Definition yafcore.h:246
yfFlowKey_st::dp
uint16_t dp
Destination transport port.
Definition yafcore.h:248
yfFlowKey_st::vlanId
uint16_t vlanId
VLAN Tag - only fwd.
Definition yafcore.h:254
yfFlowKey_st::addr
union yfFlowKey_st::@0 addr
IP address two-tuple union.
yfFlowKey_st::proto
uint8_t proto
IP protocol.
Definition yafcore.h:250
yfFlowKey_st::layer2Id
uint32_t layer2Id
for DAG cards need to record the interface, may only be seeing unidirectional flows on each interface...
Definition yafcore.h:264
yfFlowStats_st
yaf enhanced flow statistics
Definition yafcore.h:285
yfFlowStats_st::smallpktct
uint32_t smallpktct
Number of packets with fewer than YAF_SMALL_PKT_BOUND bytes of data.
Definition yafcore.h:297
yfFlowStats_st::nonemptypktct
uint32_t nonemptypktct
total number of non empty pkts
Definition yafcore.h:299
yfFlowStats_st::iaarray
uint64_t iaarray[10]
to calculate inter-packet delay
Definition yafcore.h:287
yfFlowStats_st::maxpktsize
uint32_t maxpktsize
largest pkt size
Definition yafcore.h:307
yfFlowStats_st::largepktct
uint32_t largepktct
Number of packets with more than YAF_LARGE_PKT_BOUND bytes of data.
Definition yafcore.h:301
yfFlowStats_st::aitime
uint32_t aitime
average interarrival time in milliseconds
Definition yafcore.h:303
yfFlowStats_st::firstpktsize
uint32_t firstpktsize
payload length of first non-empty pkt
Definition yafcore.h:305
yfFlowStats_st::tcpurgct
uint32_t tcpurgct
Number of urgent packets.
Definition yafcore.h:295
yfFlowStats_st::pktsize
uint32_t pktsize[10]
to calculate distribution of packet payload size
Definition yafcore.h:289
yfFlowStats_st::payoct
uint64_t payoct
total amount of payload data
Definition yafcore.h:291
yfFlowStats_st::ltime
yfTime_t ltime
used to calculate interarrival time
Definition yafcore.h:293
yfFlowVal_st
A YAF uniflow value.
Definition yafcore.h:314
yfFlowVal_st::pkt
uint64_t pkt
Packet count.
Definition yafcore.h:318
yfFlowVal_st::lsn
uint32_t lsn
Last TCP sequence number.
Definition yafcore.h:330
yfFlowVal_st::appkt
uint8_t appkt
packets with payload - don't care if this wraps.
Definition yafcore.h:340
yfFlowVal_st::iflags
uint8_t iflags
Initial TCP flags.
Definition yafcore.h:336
yfFlowVal_st::stats
yfFlowStats_t * stats
yaf flow statistics
Definition yafcore.h:375
yfFlowVal_st::oct
uint64_t oct
Octet count.
Definition yafcore.h:316
yfFlowVal_st::first_pkt_size
uint16_t first_pkt_size
First Packet Size - to determine whether to turn on fixed size flag.
Definition yafcore.h:332
yfFlowVal_st::attributes
uint16_t attributes
flowAttributes
Definition yafcore.h:334
yfFlowVal_st::uflags
uint8_t uflags
Union of remaining TCP flags.
Definition yafcore.h:338
yfFlowVal_st::vlan
uint16_t vlan
VLAN TAG (also in key, but want to record both sides)
Definition yafcore.h:342
yfFlowVal_st::isn
uint32_t isn
Initial TCP sequence number.
Definition yafcore.h:328
yfTime_st
YAF timestamp: represents a moment in time.
Definition yaftime.h:47
yfWriterForSpec
fBuf_t * yfWriterForSpec(fbConnSpec_t *spec, const yfConfig_t *yfConfig, GError **err)
Get an IPFIX message buffer for writing YAF flows to a socket.
YAF_MAX_MPLS_LABELS
#define YAF_MAX_MPLS_LABELS
Maximum number of labels we're going to keep around.
Definition yafcore.h:187
yfWriteOptionsDataFlows
gboolean yfWriteOptionsDataFlows(void *yfContext, uint32_t pcap_drop, GTimer *timer, GError **err)
A wrapper that calls both yfWriteStatsFlow and yfWriteDataFlow with appropriate condition checking.
yfFlowKey_t
struct yfFlowKey_st yfFlowKey_t
A YAF flow key.
yfRecordTimeIE_t
enum yfRecordTimeIE_en yfRecordTimeIE_t
Type to specify which timestamps are included.
YAF_MAX_HOOKS
#define YAF_MAX_HOOKS
maximum number of hooks (plugins) allowed at one time
Definition yafcore.h:177
yfReadFlowExtended
gboolean yfReadFlowExtended(fBuf_t *fbuf, yfFlow_t *flow, GError **err)
Read a single flow from an IPFIX message buffer.
yfPrint
gboolean yfPrint(FILE *out, const yfFlow_t *flow, GError **err)
Print a textual representation of a YAF flow to a file.
yfConfig_t
struct yfConfig_st yfConfig_t
YAF Configuration Settings.
Definition yafcore.h:200
yfReadFlow
gboolean yfReadFlow(fBuf_t *fbuf, yfFlow_t *flow, GError **err)
Read a single flow from an IPFIX message buffer.
yfWriteFlow
gboolean yfWriteFlow(void *yfContext, yfFlow_t *flow, GError **err)
Write a single flow to an IPFIX message buffer.
yfPrintString
void yfPrintString(GString *rstr, const yfFlow_t *flow)
Print a YAF flow to a GString.
yfAlignmentCheck
void yfAlignmentCheck(void)
yfAlignmentCheck
yfRecordTimeIE_en
yfRecordTimeIE_en
Type to specify which timestamps are included.
Definition yafcore.h:206
YF_TIME_IE_NANO
@ YF_TIME_IE_NANO
Include flowStartNanoseconds, etc in the export template.
Definition yafcore.h:214
YF_TIME_IE_MICRO
@ YF_TIME_IE_MICRO
Include flowStartMicrioseconds, etc in the export template.
Definition yafcore.h:212
YF_TIME_IE_MILLI
@ YF_TIME_IE_MILLI
Include flowStartMilliseconds, etc in the export template.
Definition yafcore.h:210
YF_TIME_IE__UNSET
@ YF_TIME_IE__UNSET
Unset value.
Definition yafcore.h:208
yfWriterForFile
fBuf_t * yfWriterForFile(const char *path, const yfConfig_t *yfConfig, GError **err)
Get an IPFIX message buffer for writing YAF flows to a named file.
yfFlowCleanup
void yfFlowCleanup(yfFlow_t *flow)
Clean up after a static flow buffer prepared by yfFlowPrepare().
yfWriteTombstoneFlow
gboolean yfWriteTombstoneFlow(void *yfContext, GError **err)
Write a tombstone options data record to an IPFIX Message buffer.
yfWriterForFP
fBuf_t * yfWriterForFP(FILE *fp, const yfConfig_t *yfConfig, GError **err)
Get an IPFIX message buffer for writing YAF flows to an open file pointer.
yfPrintDelimitedString
void yfPrintDelimitedString(GString *rstr, const yfFlow_t *flow, gboolean yaft_mac)
Print a YAF flow to a GString in pipe-delimited (columnar) format.
yfFlowPrepare
void yfFlowPrepare(yfFlow_t *flow)
Prepare a static flow buffer for use with yfReadFlow().
yfPrintDelimited
gboolean yfPrintDelimited(FILE *out, const yfFlow_t *flow, gboolean yaft_mac, GError **err)
Print a YAF flow to a file in pipe-delimited (columnar) format.
yfFlowVal_t
struct yfFlowVal_st yfFlowVal_t
A YAF uniflow value.
ETHERNET_MAC_ADDR_LENGTH
#define ETHERNET_MAC_ADDR_LENGTH
length of Ethernet MAC Address
Definition yafcore.h:175
yfWriteStatsFlow
gboolean yfWriteStatsFlow(void *yfContext, uint32_t pcap_drop, GTimer *timer, GError **err)
Write a statistics options data record to an IPFIX Message buffer.
yfReaderForFP
fBuf_t * yfReaderForFP(fBuf_t *fbuf, FILE *fp, GError **err)
Get an IPFIX message buffer for reading YAF flows from an open file pointer.
yfFlow_t
struct yfFlow_st yfFlow_t
A YAF flow.
yfWriterClose
gboolean yfWriterClose(fBuf_t *fbuf, gboolean flush, GError **err)
Close the connection underlying an IPFIX message buffer created by yfWriterForFP() or yfWriterForSpec...
yfPrintColumnHeaders
void yfPrintColumnHeaders(FILE *out, gboolean yaft_mac, GError **err)
Print column headers for the pipe-delimited (columnar) format.
yfListenerForSpec
fbListener_t * yfListenerForSpec(fbConnSpec_t *spec, fbListenerAppInit_fn appinit, fbListenerAppFree_fn appfree, GError **err)
Get an IPFIX connection listener for collecting YAF flows via IPFIX from the network.
yfFlowStats_t
struct yfFlowStats_st yfFlowStats_t
yaf enhanced flow statistics