yaftab.h

Go to the documentation of this file.

/*
 *  Copyright 2006-2025 Carnegie Mellon University
 *  See license information in LICENSE.txt.
 */
/*
 *  yaftab.h
 *  YAF Active Flow Table
 *
 *  ------------------------------------------------------------------------
 *  Authors: Brian Trammell
 *  ------------------------------------------------------------------------
 *  @DISTRIBUTION_STATEMENT_BEGIN@
 *  YAF 2.18
 *
 *  Copyright 2025 Carnegie Mellon University.
 *
 *  NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING
 *  INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON
 *  UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
 *  AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR
 *  PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF
 *  THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF
 *  ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT
 *  INFRINGEMENT.
 *
 *  Licensed under a GNU GPL 2.0-style license, please see LICENSE.txt or
 *  contact permission@sei.cmu.edu for full terms.
 *
 *  [DISTRIBUTION STATEMENT A] This material has been approved for public
 *  release and unlimited distribution.  Please see Copyright notice for
 *  non-US Government use and distribution.
 *
 *  This Software includes and/or makes use of Third-Party Software each
 *  subject to its own license.
 *
 *  DM25-1281
 *  @DISTRIBUTION_STATEMENT_END@
 *  ------------------------------------------------------------------------
 */
 
/*
 * This is the documentation for the _old_ yaftab.h; it is no longer current,
 * and should not be read by anyone.
 *
 * Flow generation interface for YAF. This facility works by maintaining a
 * current flow table. Packets may be added to the active flows within this
 * table using the yfFlowPkt() call. Completed flows may be written to an
 * IPFIX message buffer using yfFlowFlush().
 *
 * The flow table is configured by a number of global variables.
 *
 * <tt>yaf_idle</tt> sets
 * the idle timeout in seconds. A flow that receives no packets for the idle
 * timeout is assumed to be complete. The idle timeout is set to 300 seconds
 * (five minutes) by default.
 *
 * <tt>yaf_active</tt> sets the active timeout in seconds.
 * The maximum duration of a flow is the active timeout; additional packets
 * for the same flow will be counted as part of a new flow. The active timeout
 * is set to 1800 seconds (half an hour) by default.
 *
 * <tt>yaf_flowlim</tt> sets the maximum size of the flow table; flows
 * exceeding
 * this limit will be expired in least-recent order, as if they were idle. The
 * flow limit defaults to zero, for no limit. Use this global to limit resource
 * usage by the flow table.
 *
 * <tt>yaf_paylen</tt> sets the number of bytes of payload to capture from the
 * start of each flow. The payload length defaults to zero, which disables
 * payload capture.
 *
 * <tt>yaf_uniflow</tt>, if TRUE, exports flows in uniflow mode, using the
 * record adjacency export method described in section 3 of
 * draft-ietf-ipfix-biflow. Defaults to FALSE.
 *
 * <tt>yaf_macmode</tt>, if TRUE, exports layer 2 information with each flow;
 * presently this is limited to VLAN tags but may be expanded to include the
 * MPLS stack and MAC addresses in the future. Defaults to FALSE.
 *
 * <tt>yaf_silkmode</tt>, if TRUE, enables SiLK compatibility mode. In this
 * mode, totalOctetCount and reverseTotalOctetCount are clamped to 32 bits.
 * Any packet that would cause either of these counters to overflow 32 bits
 * will force an active timeout. The high-order bit of the flowEndReason IE
 * is set on any flow created on a counter overflow, as above, or on an active
 * timeout. Defaults to FALSE.
 *
 * <tt>yaf_reqtype</tt> limits the flow table to collecting IPv4 or IPv6 flows
 * only. Set to YF_TYPE_IPv4 for IPv4 flows only, YF_TYPE_IPv6 for IPv6 flows
 * only, or YF_TYPE_IPANY (the default) to collect both IPv4 and IPv6 flows.
 *
 * This facility is used by YAF to assemble packets into flows.
 */

 
#ifndef _YAF_TAB_H_
#define _YAF_TAB_H_
 
#include <yaf/autoinc.h>
#include <yaf/yafcore.h>
#include <yaf/decode.h>
 

#define YAF_STAT_CLOSED_SIZE  6
 

typedef struct yfFlowTab_st yfFlowTab_t;

typedef struct yfFlowTabConfig_st {
    int32_t     active_sec;
    int32_t     idle_sec;
    uint32_t    max_flows;
    uint32_t    max_payload;
    uint32_t    applabel_check_early;

    const char *ndpi_proto_file;

    const char *pcap_dir;
    const char *pcap_meta_file;
    uint64_t    pcap_max;
    uint32_t    pcap_search_flowkey;
    const char *pcap_search_stime;

    GArray     *applabel_max_paylen;

    uint16_t    udp_uniflow_port;

    gboolean    applabel_mode;
    gboolean    entropy_mode;
    gboolean    flowstats_mode;
    gboolean    force_read_all;
    gboolean    fpexport_mode;
    gboolean    mac_mode;
    gboolean    ndpi;
    gboolean    no_vlan_in_key;
    gboolean    p0f_mode;
    gboolean    pcap_index;
    gboolean    pcap_per_flow;
    gboolean    silk_mode;
    gboolean    udp_multipkt_payload;
    gboolean    uniflow_mode;
 
} yfFlowTabConfig_t;
 

typedef struct yfFlowTabStats_st {
    uint64_t   stat_octets;
    uint64_t   stat_packets;
    uint64_t   stat_seqrej;
    uint64_t   stat_flows;
    uint64_t   stat_uniflows;
    uint64_t   stat_opened;
    uint64_t   stat_closed[YAF_STAT_CLOSED_SIZE];
    uint32_t   stat_peak;
    uint32_t   stat_flush;
    uint32_t   stat_count;
#if YAF_MPLS
    uint32_t   max_mpls_labels;
    uint32_t   stat_mpls_labels;
#endif
} yfFlowTabStats_t;

yfFlowTab_t *
yfFlowTabAlloc(
    const yfFlowTabConfig_t  *ftconfig,
    void                    **hfctx);

void
yfFlowTabFree(
    yfFlowTab_t  *flowtab);
 

void
yfUpdateRollingPcapFile(
    yfFlowTab_t  *flowtab,
    char         *new_file_name);

void
yfFlowTabGetStats(
    const yfFlowTab_t  *flowtab,
    yfFlowTabStats_t   *tabstats);

void
yfFlowPBuf(
    yfFlowTab_t  *flowtab,
    size_t        pbuflen,
    yfPBuf_t     *pbuf);

gboolean
yfFlowTabFlush(
    void      *yfContext,
    gboolean   close,
    GError   **err);

void
yfFlowTabCurrentTime(
    const yfFlowTab_t  *flowtab,
    yfTime_t           *yftime);

uint64_t
yfFlowTabDumpStats(
    yfFlowTab_t  *flowtab,
    GTimer       *timer);
 
#endif /* ifndef _YAF_TAB_H_ */