/* $Id$ */
/*
* Copyright (c) 2004,2005 Damien Miller <[email protected]>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* On-disk storage format */
#ifndef _STORE_H
#define _STORE_H
#include "flowd-common.h"
#include "addr.h"
/* On-disk address formats for v4 and v6 addresses */
/* v6 form: a fixed 16-byte array, so the section size never depends on content. */
struct store_addr6 {
u_int8_t d[16]; /* raw address bytes */
} __packed;
/* On-disk v4 address: a fixed 4-byte array. */
struct store_addr4 {
u_int8_t d[4]; /* raw address bytes */
} __packed;
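/*
 * Store format version, packed into a single byte: the major number takes
 * 3 bits (shifted up by 5) and the minor number the low 5 bits.
 *
 * Every macro argument is parenthesised so that an expression argument
 * (e.g. "a | b") is masked and shifted as a whole instead of being split
 * by operator precedence.
 *
 * NOTE(review): presumably this is the value carried in
 * struct store_flow.version; a reader would compare STORE_VER_GET_MAJ()
 * of a stored record with STORE_VER_MAJOR before trusting the rest of the
 * record (cf. STORE_ERR_UNSUP_VERSION) - confirm in store.c.
 */
#define STORE_VER_MIN_MASK	((1 << 5) - 1)
#define STORE_VER_MAJ_MASK	((1 << 3) - 1)
#define STORE_MKVER(maj,min)	((((maj) & STORE_VER_MAJ_MASK) << 5) | \
				 ((min) & STORE_VER_MIN_MASK))
#define STORE_VER_GET_MAJ(ver)	(((ver) >> 5) & STORE_VER_MAJ_MASK)
#define STORE_VER_GET_MIN(ver)	((ver) & STORE_VER_MIN_MASK)

/* Version written by this code */
#define STORE_VER_MAJOR		3
#define STORE_VER_MINOR		0
#define STORE_VERSION		STORE_MKVER(STORE_VER_MAJOR, STORE_VER_MINOR)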
/*
 * Start of flow record - present for every flow.
 * Fixed 8-byte header (1 + 1 + 2 + 4 bytes of fields).
 *
 * len_words and fields are read back from the file, so a reader has to
 * treat both as untrusted input.
 * NOTE(review): confirm that store.c checks the length implied by fields
 * (cf. store_calc_flow_len) against len_words and against the caller's
 * buffer before copying any optional section.
 */
struct store_flow {
u_int8_t version; /* cf. STORE_MKVER / STORE_VERSION */
u_int8_t len_words; /* len in 4 byte words not inc hdr; u_int8_t caps it at 255 words (1020 bytes) */
u_int16_t reserved;
u_int32_t fields; /* mask of STORE_FIELD_* bits */
} __packed;
/*
 * Optional flow field bits: each bit says one optional section is stored
 * for the flow (u_int32_t masks, cf. store_flow.fields).
 * NB - the sections appear on disk in the order listed here.
 *
 * NOTE(review): bits 19-29 are unassigned; confirm that the reader in
 * store.c rejects records carrying bits outside STORE_FIELD_ALL instead of
 * guessing at their length.
 */
#define STORE_FIELD_TAG			(1U << 0)
#define STORE_FIELD_RECV_TIME		(1U << 1)
#define STORE_FIELD_PROTO_FLAGS_TOS	(1U << 2)
#define STORE_FIELD_AGENT_ADDR4		(1U << 3)
#define STORE_FIELD_AGENT_ADDR6		(1U << 4)
#define STORE_FIELD_SRC_ADDR4		(1U << 5)
#define STORE_FIELD_SRC_ADDR6		(1U << 6)
#define STORE_FIELD_DST_ADDR4		(1U << 7)
#define STORE_FIELD_DST_ADDR6		(1U << 8)
#define STORE_FIELD_GATEWAY_ADDR4	(1U << 9)
#define STORE_FIELD_GATEWAY_ADDR6	(1U << 10)
#define STORE_FIELD_SRCDST_PORT		(1U << 11)
#define STORE_FIELD_PACKETS		(1U << 12)
#define STORE_FIELD_OCTETS		(1U << 13)
#define STORE_FIELD_IF_INDICES		(1U << 14)
#define STORE_FIELD_AGENT_INFO		(1U << 15)
#define STORE_FIELD_FLOW_TIMES		(1U << 16)
#define STORE_FIELD_AS_INFO		(1U << 17)
#define STORE_FIELD_FLOW_ENGINE_INFO	(1U << 18)
/* ... more one day */
#define STORE_FIELD_CRC32		(1U << 30)
#define STORE_FIELD_RESERVED		(1U << 31)	/* For extension header */

/* Bits 0-18 plus the CRC bit; the reserved bit is deliberately left out */
#define STORE_FIELD_ALL \
	(STORE_FIELD_CRC32 | ((1U << 19) - 1))

/* Useful combinations: either address family of the same address */
#define STORE_FIELD_AGENT_ADDR \
	(STORE_FIELD_AGENT_ADDR4 | STORE_FIELD_AGENT_ADDR6)
#define STORE_FIELD_SRC_ADDR \
	(STORE_FIELD_SRC_ADDR4 | STORE_FIELD_SRC_ADDR6)
#define STORE_FIELD_DST_ADDR \
	(STORE_FIELD_DST_ADDR4 | STORE_FIELD_DST_ADDR6)
#define STORE_FIELD_SRCDST_ADDR \
	(STORE_FIELD_SRC_ADDR | STORE_FIELD_DST_ADDR)
#define STORE_FIELD_GATEWAY_ADDR \
	(STORE_FIELD_GATEWAY_ADDR4 | STORE_FIELD_GATEWAY_ADDR6)

/* Display masks (cf. the display_mask argument of store_format_flow) */
#define STORE_DISPLAY_ALL		STORE_FIELD_ALL
#define STORE_DISPLAY_BRIEF \
	(STORE_FIELD_TAG | STORE_FIELD_RECV_TIME | \
	 STORE_FIELD_PROTO_FLAGS_TOS | STORE_FIELD_AGENT_ADDR | \
	 STORE_FIELD_SRCDST_ADDR | STORE_FIELD_SRCDST_PORT | \
	 STORE_FIELD_PACKETS | STORE_FIELD_OCTETS)
/*
 * Optional flow records
 * NB. suffixes must match the corresponding STORE_FIELD_ define (see store.c)
 */
/* Optional flow field - present if STORE_FIELD_TAG (4 bytes of fields) */
struct store_flow_TAG {
u_int32_t tag; /* set by filter */
} __packed;
/* Optional flow field - present if STORE_FIELD_RECV_TIME (8 bytes of fields) */
struct store_flow_RECV_TIME {
u_int32_t recv_sec; /* presumably the seconds part of the receive time - epoch not shown here */
u_int32_t recv_usec; /* presumably the microseconds part - confirm in store.c */
} __packed;
/* Optional flow field - present if STORE_FIELD_PROTO_FLAGS_TOS (4 bytes of fields) */
struct store_flow_PROTO_FLAGS_TOS {
u_int8_t tcp_flags;
u_int8_t protocol;
u_int8_t tos;
u_int8_t pad; /* rounds the section up to 4 bytes; value is not defined by this header */
} __packed;
/*
 * Optional flow field - present if STORE_FIELD_AGENT_ADDR
 * (going by the suffix rule, this v4 form pairs with STORE_FIELD_AGENT_ADDR4)
 */
struct store_flow_AGENT_ADDR4 {
struct store_addr4 flow_agent_addr; /* 4-byte on-disk address */
} __packed;
/* v6 form of the agent address (by the suffix rule, pairs with STORE_FIELD_AGENT_ADDR6) */
struct store_flow_AGENT_ADDR6 {
struct store_addr6 flow_agent_addr; /* 16-byte on-disk address */
} __packed;
/* Optional flow field - present if STORE_FIELD_SRC_ADDR4 */
struct store_flow_SRC_ADDR4 {
struct store_addr4 src_addr; /* 4-byte on-disk address */
} __packed;
/* Optional flow field - present if STORE_FIELD_DST_ADDR4 */
struct store_flow_DST_ADDR4 {
struct store_addr4 dst_addr; /* 4-byte on-disk address */
} __packed;
/* Optional flow field - present if STORE_FIELD_SRC_ADDR6 */
struct store_flow_SRC_ADDR6 {
struct store_addr6 src_addr; /* 16-byte on-disk address */
} __packed;
/* Optional flow field - present if STORE_FIELD_DST_ADDR6 */
struct store_flow_DST_ADDR6 {
struct store_addr6 dst_addr; /* 16-byte on-disk address */
} __packed;
/*
 * Optional flow field - present if STORE_FIELD_GATEWAY_ADDR
 * (going by the suffix rule, this v4 form pairs with STORE_FIELD_GATEWAY_ADDR4)
 */
struct store_flow_GATEWAY_ADDR4 {
struct store_addr4 gateway_addr; /* 4-byte on-disk address */
} __packed;
/* v6 form of the gateway address (by the suffix rule, pairs with STORE_FIELD_GATEWAY_ADDR6) */
struct store_flow_GATEWAY_ADDR6 {
struct store_addr6 gateway_addr; /* 16-byte on-disk address */
} __packed;
/* Optional flow field - present if STORE_FIELD_SRCDST_PORT (4 bytes of fields) */
struct store_flow_SRCDST_PORT {
u_int16_t src_port; /* byte order on disk is not stated here; cf. store_swab_flow() */
u_int16_t dst_port;
} __packed;
/* Optional flow field - present if STORE_FIELD_PACKETS (8 bytes of fields) */
struct store_flow_PACKETS {
u_int64_t flow_packets; /* 64-bit counter; cf. store_ntohll()/store_htonll() for conversion */
} __packed;
/* Optional flow field - present if STORE_FIELD_OCTETS (8 bytes of fields) */
struct store_flow_OCTETS {
u_int64_t flow_octets; /* 64-bit counter; cf. store_ntohll()/store_htonll() for conversion */
} __packed;
/* Optional flow field - present if STORE_FIELD_IF_INDICES (8 bytes of fields) */
struct store_flow_IF_INDICES {
u_int32_t if_index_in; /* presumably the input interface index - confirm in store.c */
u_int32_t if_index_out; /* presumably the output interface index - confirm in store.c */
} __packed;
/* Optional flow field - present if STORE_FIELD_AGENT_INFO (16 bytes of fields) */
struct store_flow_AGENT_INFO {
u_int32_t sys_uptime_ms; /* units taken from the field name (ms) - TODO confirm */
u_int32_t time_sec;
u_int32_t time_nanosec;
u_int16_t netflow_version;
u_int16_t pad; /* rounds the section up to a multiple of 4 bytes */
} __packed;
/* Optional flow field - present if STORE_FIELD_FLOW_TIMES (8 bytes of fields) */
struct store_flow_FLOW_TIMES {
u_int32_t flow_start; /* time base and units are not stated in this header - confirm in store.c */
u_int32_t flow_finish;
} __packed;
/* Optional flow field - present if STORE_FIELD_AS_INFO (12 bytes of fields) */
struct store_flow_AS_INFO {
u_int32_t src_as;
u_int32_t dst_as;
u_int8_t src_mask; /* presumably a prefix length; no range is enforced by the type - verify on use */
u_int8_t dst_mask;
u_int16_t pad; /* rounds the section up to a multiple of 4 bytes */
} __packed;
/* Optional flow field - present if STORE_FIELD_FLOW_ENGINE_INFO (12 bytes of fields) */
struct store_flow_FLOW_ENGINE_INFO {
u_int16_t engine_type;
u_int16_t engine_id;
u_int32_t flow_sequence;
u_int32_t source_id;
} __packed;
/*
 * Optional flow field - present if STORE_FIELD_CRC32 (4 bytes of fields).
 * A CRC32 catches accidental corruption only: it is unkeyed, so it gives no
 * protection against deliberate modification of a stored record.
 * Which bytes the checksum covers is defined in store.c, not in this header.
 */
struct store_flow_CRC32 {
u_int32_t crc32;
} __packed;
/*
 * An abstract flow record (all fields included).
 * The four addresses are held as struct xaddr (addr.h) rather than as the
 * store_addr4/store_addr6 on-disk forms, so this struct is not a byte image
 * of a stored record; conversion goes through the serialise/deserialise
 * functions declared below.
 */
struct store_flow_complete {
struct store_flow hdr; /* hdr.fields says which members below are meaningful */
struct store_flow_TAG tag;
struct store_flow_RECV_TIME recv_time;
struct store_flow_PROTO_FLAGS_TOS pft;
struct xaddr agent_addr; /* stands in for the AGENT_ADDR4/AGENT_ADDR6 sections */
struct xaddr src_addr; /* stands in for the SRC_ADDR4/SRC_ADDR6 sections */
struct xaddr dst_addr; /* stands in for the DST_ADDR4/DST_ADDR6 sections */
struct xaddr gateway_addr; /* stands in for the GATEWAY_ADDR4/GATEWAY_ADDR6 sections */
struct store_flow_SRCDST_PORT ports;
struct store_flow_PACKETS packets;
struct store_flow_OCTETS octets;
struct store_flow_IF_INDICES ifndx;
struct store_flow_AGENT_INFO ainfo;
struct store_flow_FLOW_TIMES ftimes;
struct store_flow_AS_INFO asinf;
struct store_flow_FLOW_ENGINE_INFO finf;
struct store_flow_CRC32 crc32;
} __packed;
/*
 * Error codes for store log functions.
 *
 * NOTE(review): the values run 0x00-0x09 and then jump to 0x10 (16) for
 * STORE_ERR_CORRUPT rather than 0x0a. The value is kept as it is because
 * existing callers compare against it; do not index a table by these
 * codes on the assumption that they are contiguous.
 */
#define STORE_ERR_OK			0x00
#define STORE_ERR_EOF			0x01
#define STORE_ERR_BAD_MAGIC		0x02
#define STORE_ERR_UNSUP_VERSION		0x03
#define STORE_ERR_BUFFER_SIZE		0x04
#define STORE_ERR_FLOW_INVALID		0x05
#define STORE_ERR_CRC_MISMATCH		0x06
#define STORE_ERR_INTERNAL		0x07
#define STORE_ERR_IO			0x08
#define STORE_ERR_IO_SEEK		0x09
#define STORE_ERR_CORRUPT		0x10
/*
 * File descriptor oriented interface (tries to back out on failure).
 *
 * ebuf/elen: presumably a caller-supplied buffer and its size for an error
 * message - confirm in store.c. The int return is presumably one of the
 * STORE_ERR_* codes.
 * NOTE(review): len and elen are signed ints; confirm how store.c treats
 * zero or negative values before passing lengths derived from input.
 */
int store_put_buf(int fd, char *buf, int len,
    char *ebuf, int elen);
int store_get_flow(int fd, struct store_flow_complete *f,
    char *ebuf, int elen);
int store_put_flow(int fd, struct store_flow_complete *flow,
    u_int32_t fieldmask,
    char *ebuf, int elen);
/*
 * Simple FILE* oriented interface; unlike the file descriptor variants it
 * doesn't back out on failure, so after an error the stream position and
 * any partially written record are left as they are.
 */
int store_read_flow(FILE *f, struct store_flow_complete *flow,
    char *ebuf, int elen);
int store_write_flow(FILE *f, struct store_flow_complete *flow,
    u_int32_t fieldmask,
    char *ebuf, int elen);
/*
 * Serialisation and deserialisation between struct store_flow_complete and
 * a byte buffer.
 *
 * NOTE(review): the buffer given to store_flow_deserialise() normally comes
 * from a file, so its header (len_words, fields) is untrusted; len, buflen
 * and elen are signed ints. Confirm in store.c that every section copy is
 * bounded by len/buflen and that negative lengths are rejected.
 */
int store_flow_deserialise(u_int8_t *buf, int len,
    struct store_flow_complete *f,
    char *ebuf, int elen);
int store_flow_serialise(struct store_flow_complete *f,
    u_int8_t *buf, int buflen, int *flowlen,
    char *ebuf, int elen);
int store_flow_serialise_masked(struct store_flow_complete *f,
    u_int32_t mask,
    u_int8_t *buf, int buflen, int *flowlen,
    char *ebuf, int elen);
int store_calc_flow_len(struct store_flow *hdr);
/*
 * Formatting and conversion.
 * The formatters write into buf, whose size is passed as len (size_t);
 * display_mask takes STORE_FIELD_* / STORE_DISPLAY_* bits.
 * NOTE(review): whether output is truncated or always NUL-terminated when
 * it does not fit in len is not visible here - confirm in store.c.
 */
void store_format_flow(struct store_flow_complete *flow,
    char *buf, size_t len,
    int utc_flag, u_int32_t display_mask, int hostorder);
void store_format_flow_flowtools_csv(struct store_flow_complete *flow,
    char *buf, size_t len,
    int utc_flag, u_int32_t display_mask, int hostorder);
void store_swab_flow(struct store_flow_complete *flow, int to_net);
/*
 * Utility functions.
 * NOTE(review): iso_time() and interval_time() return const char * and take
 * no caller buffer, so the result presumably points at static storage -
 * confirm before calling either twice in one expression or from more than
 * one thread.
 */
const char	*iso_time(time_t t, int utc_flag);
const char	*interval_time(time_t t);

/* 64-bit counterparts of ntohl()/htonl(), going by the names */
u_int64_t	 store_ntohll(u_int64_t v);
u_int64_t	 store_htonll(u_int64_t v);
#endif /* _STORE_H */