#include <yaf/autoinc.h>
#include <yaf/yafcore.h>
#include <yaf/decode.h>

Typedefs
typedef struct yfFlowTab_st	yfFlowTab_t
	A flow table.

Functions
yfFlowTab_t *	yfFlowTabAlloc (uint64_t idle_ms, uint64_t active_ms, uint32_t max_flows, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean macmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port, char pcap_dir, char pcap_meta_file, uint64_t max_pcap, gboolean pcap_per_flow, gboolean force_read_all, gboolean stats_mode, gboolean index_pcap, gboolean no_vlan_in_key, gboolean ndpi, char ndpi_proto_file, char hash, char stime, void *hfctx)
	yfFlowTabAlloc

void	yfFlowTabFree (yfFlowTab_t *flowtab)
	Free a previously allocated flow table.

void	yfUpdateRollingPcapFile (yfFlowTab_t flowtab, char new_file_name)
	Update the Pcap Filename in the Flowtab for pcap meta data output.

void	yfGetFlowTabStats (yfFlowTab_t flowtab, uint64_t packets, uint64_t flows, uint64_t rej_pkts, uint32_t peak, uint32_t flush)
	yfGetFlowTabStats Get Flow Table Stats for Export

void	yfFlowPBuf (yfFlowTab_t flowtab, size_t pbuflen, yfPBuf_t pbuf)
	Add a decoded packet buffer to a given flow table.

gboolean	yfFlowTabFlush (void yfContext, gboolean close, GError *err)
	Flush closed flows in the given flow table to the given IPFIX Message Buffer.

uint64_t	yfFlowTabCurrentTime (yfFlowTab_t *flowtab)
	Get the current packet clock from a flow table.

uint64_t	yfFlowDumpStats (yfFlowTab_t flowtab, GTimer timer)
	Print flow table statistics to the log.

Detailed Description

Flow generation interface for YAF.

[TODO - frontmatter]

This facility is used by YAF to assemble packets into flows.

Typedef Documentation

◆ yfFlowTab_t

typedef struct yfFlowTab_st yfFlowTab_t

A flow table.

Opaque. Create with yfFlowTabAlloc() and free with yfFlowTabFree().

Function Documentation

◆ yfFlowDumpStats()

uint64_t yfFlowDumpStats	(	yfFlowTab_t *	flowtab,
		GTimer *	timer
	)

Print flow table statistics to the log.

Parameters

flowtab	flow table to dump stats for
timer	a GTimer containing the runtime (for packet and flow rate logging). May be NULL to suppress rate logging.

◆ yfFlowPBuf()

void yfFlowPBuf	(	yfFlowTab_t *	flowtab,
		size_t	pbuflen,
		yfPBuf_t *	pbuf
	)

Add a decoded packet buffer to a given flow table.

Adds the packet to the flow to which it belongs, creating a new flow if necessary. Causes the flow to which it belongs to time out if it is longer than the active timeout. Closes the flow if the flow closure conditions (TCP RST, TCP FIN four-way teardown) are met.

Parameters

flowtab	flow table to add the packet to
pbuflen	size of the packet buffer pbuf
pbuf	packet buffer containing decoded packet to add.

◆ yfFlowTabAlloc()

yfFlowTab_t * yfFlowTabAlloc	(	uint64_t	idle_ms,
		uint64_t	active_ms,
		uint32_t	max_flows,
		uint32_t	max_payload,
		gboolean	uniflow,
		gboolean	silkmode,
		gboolean	macmode,
		gboolean	applabelmode,
		gboolean	entropymode,
		gboolean	fingerprintmode,
		gboolean	fpExportMode,
		gboolean	udp_max_payload,
		uint16_t	udp_uniflow_port,
		char *	pcap_dir,
		char *	pcap_meta_file,
		uint64_t	max_pcap,
		gboolean	pcap_per_flow,
		gboolean	force_read_all,
		gboolean	stats_mode,
		gboolean	index_pcap,
		gboolean	no_vlan_in_key,
		gboolean	ndpi,
		char *	ndpi_proto_file,
		char *	hash,
		char *	stime,
		void **	hfctx
	)

yfFlowTabAlloc

Allocate a flow table.

Parameters

idle_ms	idle timeout in milliseconds. A flow that receives no packets for the idle timeout is assumed to be complete.
active_ms	active timeout in milliseconds. The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow.
max_flows	maximum number of active flows. Flows exceeding this limit will be expired in least-recent order, as if they were idle. Used to limit resource usage of a flow table. A value of 0 disables flow count limits.
max_payload	maximum octets of payload to capture per flow direction. Requires at least max_payload octets of payload to be available in each packet buffer passed to yfFlowPBuf(). A value of 0 disables payload capture and export.
uniflow	If TRUE, export biflows using record adjacency (two uniflows exported back-to-back. Use this for interoperability with IPFIX collectors that do not implement RFC 5103.
silkmode	If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow. Set high order bit in flowEndReason for each flow created on an overflow or active timeout. Breaks IPFIX interoperability; use for direct export to SiLK rwflowpack or flowcap.
macmode	If TRUE, collect and export source and destination Mac Addresses.
applabelmode	If TRUE, then the payload, (as limited by max_payload,) is sent through various plugins and code in order to determine which protocol is running on the flow by doing only payload inspection and exporting payload relevent information.
entropymode	If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload). The entropy value is exported as two values one for forward payload and one for reverse payload.
fingerprintmode	If TRUE, then this will enable passive OS finger printing using the p0f engine based mostly on TCP negotiation
fpExportMode	If TRUE, then this will enable exporting of full packet banners of the TCP negotiations for the first three packets (including IP and transport headers) for external fingerprinting
udp_max_payload	If TRUE, then this will enable capturing up to max_payload value for udp flows (instead of just the first packet)
udp_uniflow_port	If not 0, then this will enable exporting a single UDP packet with this src/dst port as a flow.
pcap_dir	Directory to put pcap-per-flow files
pcap_meta_file	File for pcap meta output. Default is stdout
max_pcap	Maximum size [in bytes] of a pcap file before rotating.
pcap_per_flow	If TRUE, then pcap_dir will be set to the directory to place pcap-per-flow files.
force_read_all	If TRUE, then yaf will process files that are out of sequence.
stats_mode	If TRUE, then YAF will do some extra calculations on flows.
index_pcap	If TRUE, print one line per packet we export. This will give offset and length into the pcap yaf writes.
no_vlan_in_key	If TRUE, this will remove the vlan in the calculation of the flow key hash.
ndpi	If TRUE, enable nDPI application labeling with standard protocols.
ndpi_proto_file	If not NULL, and ndpi is TRUE, use the provided protocol file to expand the sub-protocols list and port-based detection methods.
hash	The flow key hash to create a PCAP for.
stime	The start time to create a PCAP for.
hfctx	The plugin hooks context variable (NULL if plugins not enabled)

Returns: a new flow table.

◆ yfFlowTabCurrentTime()

uint64_t yfFlowTabCurrentTime ( yfFlowTab_t * flowtab )

Get the current packet clock from a flow table.

Parameters

flowtab a flow table

Returns: current packet clock

◆ yfFlowTabFlush()

gboolean yfFlowTabFlush	(	void *	yfContext,
		gboolean	close,
		GError **	err
	)

Flush closed flows in the given flow table to the given IPFIX Message Buffer.

Causes any idle flows to time out, removing them from the active flow table; also enforces the flow table's resource limit. If close is TRUE, additionally closes all active flows and flushes as well.

Parameters

yfContext	YAF thread context structure, holds pointers for the flowtable from which to flush flows and the fbuf, the destination to which the flows should be flushed
close	close all active flows before flushing
err	An error description pointer; must not be NULL.

Returns: TRUE on success, FALSE otherwise.

◆ yfFlowTabFree()

void yfFlowTabFree ( yfFlowTab_t * flowtab )

Free a previously allocated flow table.

Discards any outstanding active flows without closing or flushing them; use yfFlowTabFlushAll() before yfFlowFree() to do this.

Parameters

flowtab a flow table allocated by yfFlowTabAlloc()

◆ yfGetFlowTabStats()

void yfGetFlowTabStats	(	yfFlowTab_t *	flowtab,
		uint64_t *	packets,
		uint64_t *	flows,
		uint64_t *	rej_pkts,
		uint32_t *	peak,
		uint32_t *	flush
	)

yfGetFlowTabStats Get Flow Table Stats for Export

Parameters

flowtab
packets	number of packets processed
flows	number of flows created
rej_pkts	number of packets rejected due to out of sequence
peak	maximum number of flows in the flow table at any 1 time
flush	number of flush events called on flow table

◆ yfUpdateRollingPcapFile()

void yfUpdateRollingPcapFile	(	yfFlowTab_t *	flowtab,
		char *	new_file_name
	)

Update the Pcap Filename in the Flowtab for pcap meta data output.

Parameters

flowtab	pointer to flow table
new_file_name	the filename of the next pcap file to write to

YAF

YAF

Typedefs

Functions

Detailed Description

Typedef Documentation

◆ yfFlowTab_t

Function Documentation

◆ yfFlowDumpStats()

◆ yfFlowPBuf()

◆ yfFlowTabAlloc()

◆ yfFlowTabCurrentTime()

◆ yfFlowTabFlush()

◆ yfFlowTabFree()

◆ yfGetFlowTabStats()

◆ yfUpdateRollingPcapFile()