yafcore.h

Go to the documentation of this file.

/*
 *  Copyright 2006-2023 Carnegie Mellon University
 *  See license information in LICENSE.txt.
 */
/*
 *
 *  yafcore.h
 *  YAF core I/O routines
 *
 *  ------------------------------------------------------------------------
 *  Authors: Brian Trammell
 *  ------------------------------------------------------------------------
 *  @DISTRIBUTION_STATEMENT_BEGIN@
 *  YAF 2.15.0
 *
 *  Copyright 2023 Carnegie Mellon University.
 *
 *  NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
 *  INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
 *  UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
 *  AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
 *  PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
 *  THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
 *  ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
 *  INFRINGEMENT.
 *
 *  Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
 *  contact permission@sei.cmu.edu for full terms.
 *
 *  [DISTRIBUTION STATEMENT A] This material has been approved for public
 *  release and unlimited distribution.  Please see Copyright notice for
 *  non-US Government use and distribution.
 *
 *  GOVERNMENT PURPOSE RIGHTS - Software and Software Documentation
 *  Contract No.: FA8702-15-D-0002
 *  Contractor Name: Carnegie Mellon University
 *  Contractor Address: 4500 Fifth Avenue, Pittsburgh, PA 15213
 *
 *  The Government's rights to use, modify, reproduce, release, perform,
 *  display, or disclose this software are restricted by paragraph (b)(2) of
 *  the Rights in Noncommercial Computer Software and Noncommercial Computer
 *  Software Documentation clause contained in the above identified
 *  contract. No restrictions apply after the expiration date shown
 *  above. Any reproduction of the software or portions thereof marked with
 *  this legend must also reproduce the markings.
 *
 *  This Software includes and/or makes use of Third-Party Software each
 *  subject to its own license.
 *
 *  DM23-2313
 *  @DISTRIBUTION_STATEMENT_END@
 *  ------------------------------------------------------------------------
 */
 
#ifndef _YAF_CORE_H_
#define _YAF_CORE_H_
 
#include <yaf/autoinc.h>
#include <fixbuf/public.h>
#include <stdlib.h>
#include <math.h>
#define CERT_PEN    6871
 
#define YAF_ERROR_DOMAIN        (g_quark_from_string("certYAFError"))
#define YAF_ERROR_HEADER        1
#define YAF_ERROR_ARGUMENT      2
#define YAF_ERROR_IO            3
#define YAF_ERROR_IPFIX         4
#define YAF_ERROR_IMPL          5
#define YAF_ERROR_INTERNAL      6
#define YAF_ERROR_LIMIT         7
#define YAF_ERROR_EOF           8
#define YAF_ERROR_ALIGNMENT         9
#define YAF_ERROR_PACKET_PAYLOAD    10
 
 
 
#define YAF_FLOW_ACTIVE         0
#define YAF_END_IDLE            1
#define YAF_END_ACTIVE          2
#define YAF_END_CLOSED          3
#define YAF_END_FORCED          4
#define YAF_END_RESOURCE        5
#define YAF_END_UDPFORCE        0x1F
#define YAF_END_MASK            0x7F
#define YAF_ENDF_ISCONT         0x80
 
#define YAF_SAME_SIZE           0x01
#define YAF_OUT_OF_SEQUENCE     0x02
#define YAF_MP_CAPABLE          0x04
#define YAF_FRAGMENTS           0x08
#define YAF_PARTIAL_FRAGS       0x10
#define YAF_FRAG_ACTIVE         0x03
#define YAF_FRAG_PASSIVE        0x04
 
#define YAF_IP_ICMP             1
#define YAF_IP_TCP              6
#define YAF_IP_UDP              17
 
#define YFP_IPTCPHEADER_SIZE    128
#define ETHERNET_MAC_ADDR_LENGTH 6
#define YAF_MAX_HOOKS            4
 
#define YAF_HOOKS_MAX_EXPORT    1500
#define YAF_MAX_PKT_BOUNDARY    25
#define YAF_PCAP_MAX            5000000
#define YAF_MAX_MPLS_LABELS     3
 
#define YAF_SMALL_PKT_BOUND     60
#define YAF_LARGE_PKT_BOUND     225
 
typedef struct yfFlowKey_st {
    uint16_t   sp;
    uint16_t   dp;
    uint8_t    proto;
    uint8_t    version;
    uint16_t   vlanId;
    uint8_t    tos;
#if YAF_ENABLE_DAG_SEPARATE_INTERFACES || YAF_ENABLE_SEPARATE_INTERFACES
    uint8_t    netIf;
#endif
    uint32_t   layer2Id;
    union {
        struct {
            uint32_t   sip;
            uint32_t   dip;
        } v4;
        struct {
            uint8_t   sip[16];
            uint8_t   dip[16];
        } v6;
    } addr;
} yfFlowKey_t;
 
typedef struct yfFlowStats_st {
    uint64_t   iaarray[10];
    uint32_t   pktsize[10];
    uint64_t   payoct;
    uint64_t   ltime;
    uint32_t   tcpurgct;
    uint32_t   smallpktct;
    uint32_t   nonemptypktct;
    uint32_t   largepktct;
    uint32_t   aitime;
    uint32_t   firstpktsize;
    uint32_t   maxpktsize;
} yfFlowStats_t;
 
typedef struct yfFlowVal_st {
    uint64_t        oct;
    uint64_t        pkt;
#if YAF_ENABLE_PAYLOAD
    uint32_t        paylen;
    uint8_t        *payload;
    size_t         *paybounds;
#endif /* if YAF_ENABLE_PAYLOAD */
    uint32_t        isn;
    uint32_t        lsn;
    uint16_t        first_pkt_size;
    uint16_t        attributes;
    uint8_t         iflags;
    uint8_t         uflags;
    uint8_t         appkt;
    uint16_t        vlan;
#if YAF_ENABLE_SEPARATE_INTERFACES
    uint8_t         netIf;
#endif
#if YAF_ENABLE_ENTROPY
    uint8_t         entropy;
    uint8_t         entpad[7];
#endif /* if YAF_ENABLE_ENTROPY */
#if YAF_ENABLE_P0F
    const char     *osname;
    const char     *osver;
    uint8_t         fuzzyMatch;
    uint8_t         fuzzyPad[7];
    char           *osFingerPrint;
#endif /* if YAF_ENABLE_P0F */
#if YAF_ENABLE_FPEXPORT
    uint32_t        firstPacketLen;
    uint32_t        secondPacketLen;
    uint8_t        *firstPacket;
    uint8_t        *secondPacket;
#endif /* if YAF_ENABLE_FPEXPORT */
    yfFlowStats_t  *stats;
} yfFlowVal_t;
 
#if YAF_MPLS
typedef struct yfMPLSNode_st {
    GHashTable  *tab;
    uint32_t     mpls_label[YAF_MAX_MPLS_LABELS];
    int          tab_count;
} yfMPLSNode_t;
#endif /* if YAF_MPLS */
 
typedef struct yfMPTCPFlow_st {
    uint64_t   idsn;
    uint32_t   token;
    uint16_t   mss;
    uint8_t    addrid;
    uint8_t    flags;
} yfMPTCPFlow_t;
 
 
typedef struct yfFlow_st {
    uint64_t        stime;
    uint64_t        etime;
#ifdef YAF_ENABLE_HOOKS
    void           *hfctx[YAF_MAX_HOOKS];
#endif
    /*
     * Reverse flow delta start time in milliseconds. Equivalent to initial
     * packet round-trip time; useful for decomposing biflows into uniflows.
     */
    int32_t         rdtime;
#if YAF_ENABLE_APPLABEL
    uint16_t        appLabel;
#endif
#if YAF_ENABLE_NDPI
    uint16_t        ndpi_master;
    uint16_t        ndpi_sub;
#endif
    uint8_t         reason;
    uint8_t         pcap_serial;
    uint8_t         sourceMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    uint8_t         destinationMacAddr[ETHERNET_MAC_ADDR_LENGTH];
    uint8_t         pcap_file_no;
    uint8_t         pktdir;
    uint8_t         rtos;
    pcap_dumper_t  *pcap;
#if YAF_MPLS
    yfMPLSNode_t   *mpls;
#endif
    yfMPTCPFlow_t   mptcp;
    yfFlowVal_t     val;
    yfFlowVal_t     rval;
    yfFlowKey_t     key;
} yfFlow_t;
 
void
yfAlignmentCheck(
    void);
 
 
void
yfFlowPrepare(
    yfFlow_t  *flow);
 
void
yfFlowCleanup(
    yfFlow_t  *flow);
 
fBuf_t *
yfWriterForFile(
    const char  *path,
    uint32_t     domain,
    gboolean     export_meta,
    GError     **err);
 
fBuf_t *
yfWriterForFP(
    FILE      *fp,
    uint32_t   domain,
    gboolean   export_meta,
    GError   **err);
 
fBuf_t *
yfWriterForSpec(
    fbConnSpec_t  *spec,
    uint32_t       domain,
    gboolean       export_meta,
    GError       **err);
 
 
#ifdef HAVE_SPREAD
fBuf_t *
yfWriterForSpread(
    fbSpreadParams_t  *params,
    uint32_t           domain,
    uint16_t          *spreadGroupIndex,
    gboolean           export_meta,
    GError           **err);
#endif /* HAVE_SPREAD */
 
gboolean
yfWriteOptionsDataFlows(
    void      *yfContext,
    uint32_t   pcap_drop,
    GTimer    *timer,
    GError   **err);
 
gboolean
yfWriteStatsFlow(
    void      *yfContext,
    uint32_t   pcap_drop,
    GTimer    *timer,
    GError   **err);
 
gboolean
yfWriteTombstoneFlow(
    void    *yfContext,
    GError **err);
 
gboolean
yfWriteFlow(
    void      *yfContext,
    yfFlow_t  *flow,
    GError   **err);
 
gboolean
yfWriterClose(
    fBuf_t    *fbuf,
    gboolean   flush,
    GError   **err);
 
void
yfWriterExportPayload(
    int   max_payload);
 
#if YAF_ENABLE_APPLABEL
void
yfWriterExportPayloadApplabels(
    const GArray   *applabels);
#endif  /* YAF_ENABLE_APPLABEL */
 
void
yfWriterExportMappedV6(
    gboolean   map_mode);
 
fBuf_t *
yfReaderForFP(
    fBuf_t  *fbuf,
    FILE    *fp,
    GError **err);
 
fbListener_t *
yfListenerForSpec(
    fbConnSpec_t          *spec,
    fbListenerAppInit_fn   appinit,
    fbListenerAppFree_fn   appfree,
    GError               **err);
 
gboolean
yfReadFlow(
    fBuf_t    *fbuf,
    yfFlow_t  *flow,
    GError   **err);
 
gboolean
yfReadFlowExtended(
    fBuf_t    *fbuf,
    yfFlow_t  *flow,
    GError   **err);
 
void
yfPrintString(
    GString   *rstr,
    yfFlow_t  *flow);
 
void
yfPrintDelimitedString(
    GString   *rstr,
    yfFlow_t  *flow,
    gboolean   yaft_mac);
 
gboolean
yfPrint(
    FILE      *out,
    yfFlow_t  *flow,
    GError   **err);
 
gboolean
yfPrintDelimited(
    FILE      *out,
    yfFlow_t  *flow,
    gboolean   yaft_mac,
    GError   **err);
 
void
yfPrintColumnHeaders(
    FILE      *out,
    gboolean   yaft_mac,
    GError   **err);
 
#if YAF_ENABLE_HOOKS
fbInfoModel_t *
yfDPIInfoModel(
    void);
#endif /* if YAF_ENABLE_HOOKS */
 
#endif /* ifndef _YAF_CORE_H_ */