yaftab.h
Go to the documentation of this file.
1/*
2 * Copyright 2006-2023 Carnegie Mellon University
3 * See license information in LICENSE.txt.
4 */
5/*
6 * yaftab.h
7 * YAF Active Flow Table
8 *
9 * ------------------------------------------------------------------------
10 * Authors: Brian Trammell
11 * ------------------------------------------------------------------------
12 * @DISTRIBUTION_STATEMENT_BEGIN@
13 * YAF 2.15.0
14 *
15 * Copyright 2023 Carnegie Mellon University.
16 *
17 * NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
18 * INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
19 * UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
20 * AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
21 * PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
22 * THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
23 * ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
24 * INFRINGEMENT.
25 *
26 * Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
27 * contact permission@sei.cmu.edu for full terms.
28 *
29 * [DISTRIBUTION STATEMENT A] This material has been approved for public
30 * release and unlimited distribution. Please see Copyright notice for
31 * non-US Government use and distribution.
32 *
33 * GOVERNMENT PURPOSE RIGHTS - Software and Software Documentation
34 * Contract No.: FA8702-15-D-0002
35 * Contractor Name: Carnegie Mellon University
36 * Contractor Address: 4500 Fifth Avenue, Pittsburgh, PA 15213
37 *
38 * The Government's rights to use, modify, reproduce, release, perform,
39 * display, or disclose this software are restricted by paragraph (b)(2) of
40 * the Rights in Noncommercial Computer Software and Noncommercial Computer
41 * Software Documentation clause contained in the above identified
42 * contract. No restrictions apply after the expiration date shown
43 * above. Any reproduction of the software or portions thereof marked with
44 * this legend must also reproduce the markings.
45 *
46 * This Software includes and/or makes use of Third-Party Software each
47 * subject to its own license.
48 *
49 * DM23-2313
50 * @DISTRIBUTION_STATEMENT_END@
51 * ------------------------------------------------------------------------
52 */
53
54/*
55 * This is the documentation for the _old_ yaftab.h; it is no longer current,
56 * and should not be read by anyone.
57 *
58 * Flow generation interface for YAF. This facility works by maintaining a
59 * current flow table. Packets may be added to the active flows within this
60 * table using the yfFlowPkt() call. Completed flows may be written to an
61 * IPFIX message buffer using yfFlowFlush().
62 *
63 * The flow table is configured by a number of global variables.
64 *
65 * <tt>yaf_idle</tt> sets
66 * the idle timeout in seconds. A flow that receives no packets for the idle
67 * timeout is assumed to be complete. The idle timeout is set to 300 seconds
68 * (five minutes) by default.
69 *
70 * <tt>yaf_active</tt> sets the active timeout in seconds.
71 * The maximum duration of a flow is the active timeout; additional packets
72 * for the same flow will be counted as part of a new flow. The active timeout
73 * is set to 1800 seconds (half an hour) by default.
74 *
75 * <tt>yaf_flowlim</tt> sets the maximum size of the flow table; flows
76 * exceeding
77 * this limit will be expired in least-recent order, as if they were idle. The
78 * flow limit defaults to zero, for no limit. Use this global to limit resource
79 * usage by the flow table.
80 *
81 * <tt>yaf_paylen</tt> sets the number of bytes of payload to capture from the
82 * start of each flow. The payload length defaults to zero, which disables
83 * payload capture.
84 *
85 * <tt>yaf_uniflow</tt>, if TRUE, exports flows in uniflow mode, using the
86 * record adjacency export method described in section 3 of
87 * draft-ietf-ipfix-biflow. Defaults to FALSE.
88 *
89 * <tt>yaf_macmode</tt>, if TRUE, exports layer 2 information with each flow;
90 * presently this is limited to VLAN tags but may be expanded to include the
91 * MPLS stack and MAC addresses in the future. Defaults to FALSE.
92 *
93 * <tt>yaf_silkmode</tt>, if TRUE, enables SiLK compatibility mode. In this
94 * mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits.
95 * Any packet that would cause either of these counters to overflow 32 bits
96 * will force an active timeout. The high-order bit of the flowEndReason IE
97 * is set on any flow created on a counter overflow, as above, or on an active
98 * timeout. Defaults to FALSE.
99 *
100 * <tt>yaf_reqtype</tt> limits the flow table to collecting IPv4 or IPv6 flows
101 * only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows
102 * only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.
103 *
104 * This facility is used by YAF to assemble packets into flows.
105 */
106
115#ifndef _YAF_TAB_H_
116#define _YAF_TAB_H_
117
118#include <yaf/autoinc.h>
119#include <yaf/yafcore.h>
120#include <yaf/decode.h>
121
122
123struct yfFlowTab_st;
128typedef struct yfFlowTab_st yfFlowTab_t;
129
218yfFlowTab_t *
219yfFlowTabAlloc(
220 uint64_t idle_ms,
221 uint64_t active_ms,
222 uint32_t max_flows,
223 uint32_t max_payload,
224 gboolean uniflow,
225 gboolean silkmode,
226 gboolean macmode,
227 gboolean applabelmode,
228 gboolean entropymode,
229 gboolean fingerprintmode,
230 gboolean fpExportMode,
231 gboolean udp_max_payload,
232 uint16_t udp_uniflow_port,
233 char *pcap_dir,
234 char *pcap_meta_file,
235 uint64_t max_pcap,
236 gboolean pcap_per_flow,
237 gboolean force_read_all,
238 gboolean stats_mode,
239 gboolean index_pcap,
240 gboolean no_vlan_in_key,
241 gboolean ndpi,
242 char *ndpi_proto_file,
243 char *hash,
244 char *stime,
245 void **hfctx);
246
254void
255yfFlowTabFree(
256 yfFlowTab_t *flowtab);
257
258
265void
266yfUpdateRollingPcapFile(
267 yfFlowTab_t *flowtab,
268 char *new_file_name);
269
281void
282yfGetFlowTabStats(
283 yfFlowTab_t *flowtab,
284 uint64_t *packets,
285 uint64_t *flows,
286 uint64_t *rej_pkts,
287 uint32_t *peak,
288 uint32_t *flush);
289
301void
302yfFlowPBuf(
303 yfFlowTab_t *flowtab,
304 size_t pbuflen,
305 yfPBuf_t *pbuf);
306
320gboolean
321yfFlowTabFlush(
322 void *yfContext,
323 gboolean close,
324 GError **err);
325
332uint64_t
333yfFlowTabCurrentTime(
334 yfFlowTab_t *flowtab);
335
344uint64_t
345yfFlowDumpStats(
346 yfFlowTab_t *flowtab,
347 GTimer *timer);
348
349#endif /* ifndef _YAF_TAB_H_ */
yfPBuf_st
Full packet information structure.
Definition decode.h:146
yafcore.h
YAF Core Library.
yfFlowTabCurrentTime
uint64_t yfFlowTabCurrentTime(yfFlowTab_t *flowtab)
Get the current packet clock from a flow table.
yfUpdateRollingPcapFile
void yfUpdateRollingPcapFile(yfFlowTab_t *flowtab, char *new_file_name)
Update the Pcap Filename in the Flowtab for pcap meta data output.
yfFlowTabFree
void yfFlowTabFree(yfFlowTab_t *flowtab)
Free a previously allocated flow table.
yfFlowTabFlush
gboolean yfFlowTabFlush(void *yfContext, gboolean close, GError **err)
Flush closed flows in the given flow table to the given IPFIX Message Buffer.
yfFlowTabAlloc
yfFlowTab_t * yfFlowTabAlloc(uint64_t idle_ms, uint64_t active_ms, uint32_t max_flows, uint32_t max_payload, gboolean uniflow, gboolean silkmode, gboolean macmode, gboolean applabelmode, gboolean entropymode, gboolean fingerprintmode, gboolean fpExportMode, gboolean udp_max_payload, uint16_t udp_uniflow_port, char *pcap_dir, char *pcap_meta_file, uint64_t max_pcap, gboolean pcap_per_flow, gboolean force_read_all, gboolean stats_mode, gboolean index_pcap, gboolean no_vlan_in_key, gboolean ndpi, char *ndpi_proto_file, char *hash, char *stime, void **hfctx)
yfFlowTabAlloc
yfGetFlowTabStats
void yfGetFlowTabStats(yfFlowTab_t *flowtab, uint64_t *packets, uint64_t *flows, uint64_t *rej_pkts, uint32_t *peak, uint32_t *flush)
yfGetFlowTabStats Get Flow Table Stats for Export
yfFlowPBuf
void yfFlowPBuf(yfFlowTab_t *flowtab, size_t pbuflen, yfPBuf_t *pbuf)
Add a decoded packet buffer to a given flow table.
yfFlowDumpStats
uint64_t yfFlowDumpStats(yfFlowTab_t *flowtab, GTimer *timer)
Print flow table statistics to the log.
yfFlowTab_t
struct yfFlowTab_st yfFlowTab_t
A flow table.
Definition yaftab.h:128