ftdecode.c

netflow,抓包

          ftpdu->decodef = fts3rec_pdu_v8_14_decode;

          break;


        default:
          goto ftpdu_verify_out;

      } /* switch ph->agg_method */

      break; /* 8 */

      default:
          goto ftpdu_verify_out;

  } /* switch ph->version */

  ret = 0;

ftpdu_verify_out:

#if BYTE_ORDER == LITTLE_ENDIAN
  SWAPINT16(ph->version);
  SWAPINT16(ph->count);
#endif /* LITTLE_ENDIAN */

ftpdu_verify_out_quick:

  return ret;

}

/*
 * function: fts3rec_pdu_decode
 *
 * pdu must be in network byte order.  Caller must initialize
 * ftpdu->ftd.byte_order and ftpdu->ftd.as_sub
 *
 * stream records are returned in the byte order defined by
 * ftpdu->ftd.byte_order
 *
 * AS 0 is substituted with ftpdu->ftd.as_sub
 * 
 * ftpdu_verify() must be called first to ensure the packet will
 * not overrun buffers and to initialize the decode jump table
 *
 * returns: # of stream records decoded.  PDU is no longer valid
 * after calling (bytes may be swapped)
*/
int fts3rec_pdu_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;

  n = -1;

  bzero(&ftpdu->ftd.buf, FT_IO_MAXDECODE);

  /* take advantage that all pdu's have a common header. */

  ph = (struct ftpdu_header*)&ftpdu->buf;

/*
 * If this is a LITTLE_ENDIAN architecture ph->version and ph->count
 * need to be swapped before being used.
 *
 * ftpdu->ftd->exporter_ip and ftpdu->ftd->as_sub are in LITTLE_ENDIAN, the
 * rest of the PDU is BIG_ENDIAN.  Flip these to BIG_ENDIAN to make the
 * conversions below easier (everything in the PDU is BIG)
 */

#if BYTE_ORDER == LITTLE_ENDIAN
  SWAPINT16(ph->version);
  SWAPINT16(ph->count);

  SWAPINT16(ftpdu->ftd.as_sub);
  SWAPINT32(ftpdu->ftd.exporter_ip);
#endif /* LITTLE_ENDIAN */

  ftpdu->ftd.count = ph->count;

  /* decode it */
  n = ftpdu->decodef(ftpdu);

  /* restore ftd */
#if BYTE_ORDER == LITTLE_ENDIAN
  SWAPINT16(ftpdu->ftd.as_sub);
  SWAPINT32(ftpdu->ftd.exporter_ip);
#endif /* LITTLE_ENDIAN */

  return n;

} /* fts3rec_pdu_decode */

/*
 * function: fts3rec_pdu_v1_decode
 *
 * subfunction to fts3rec_pdu_decode
 *
 * returns: # of stream records decoded
*/
int fts3rec_pdu_v1_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;
  struct ftpdu_v1 *pdu_v1;
  struct fts3rec_v1 *rec_v1;

  ftpdu->ftd.rec_size = sizeof (struct fts3rec_v1);
  pdu_v1 = (struct ftpdu_v1*)&ftpdu->buf;
  ph = (struct ftpdu_header*)&ftpdu->buf;

  /* preswap */
  if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {
    SWAPINT32(ph->sysUpTime);
    SWAPINT32(ph->unix_secs);
    SWAPINT32(ph->unix_nsecs);
  }

  for (n = 0; n < ftpdu->ftd.count; ++n) {

    rec_v1 = (struct fts3rec_v1*) (ftpdu->ftd.buf + (n*ftpdu->ftd.rec_size));

    rec_v1->unix_nsecs = ph->unix_nsecs;
    rec_v1->unix_secs = ph->unix_secs;
    rec_v1->sysUpTime = ph->sysUpTime;

    rec_v1->srcaddr = pdu_v1->records[n].srcaddr;
    rec_v1->dstaddr = pdu_v1->records[n].dstaddr;
    rec_v1->nexthop = pdu_v1->records[n].nexthop;
    rec_v1->input = pdu_v1->records[n].input;
    rec_v1->output = pdu_v1->records[n].output;
    rec_v1->dPkts = pdu_v1->records[n].dPkts;
    rec_v1->dOctets = pdu_v1->records[n].dOctets;
    rec_v1->First = pdu_v1->records[n].First;
    rec_v1->Last = pdu_v1->records[n].Last;
    rec_v1->dstport = pdu_v1->records[n].dstport;
    rec_v1->srcport = pdu_v1->records[n].srcport;
    rec_v1->prot = pdu_v1->records[n].prot;
    rec_v1->tos = pdu_v1->records[n].tos;
    rec_v1->tcp_flags = pdu_v1->records[n].flags;

    /* copy in exporter IP */
    rec_v1->exaddr = ftpdu->ftd.exporter_ip;

    if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {

      SWAPINT32(rec_v1->srcaddr);
      SWAPINT32(rec_v1->dstaddr);
      SWAPINT32(rec_v1->nexthop);
      SWAPINT16(rec_v1->input);
      SWAPINT16(rec_v1->output);
      SWAPINT32(rec_v1->dPkts);
      SWAPINT32(rec_v1->dOctets);
      SWAPINT32(rec_v1->First);
      SWAPINT32(rec_v1->Last);
      SWAPINT16(rec_v1->dstport);
      SWAPINT16(rec_v1->srcport);

      SWAPINT32(rec_v1->exaddr);

    }

  } /* for n */

  return ftpdu->ftd.count;

} /* fts3rec_pdu_v1_decode */

/*
 * function: fts3rec_pdu_v5_decode
 *
 * subfunction to fts3rec_pdu_decode
 *
 * returns: # of stream records decoded
*/
int fts3rec_pdu_v5_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;
  struct ftpdu_v5 *pdu_v5;
  struct fts3rec_v5 *rec_v5;

  ftpdu->ftd.rec_size = sizeof (struct fts3rec_v5);
  pdu_v5 = (struct ftpdu_v5*)&ftpdu->buf;
  ph = (struct ftpdu_header*)&ftpdu->buf;

  /* preswap */
  if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {
    SWAPINT32(ph->sysUpTime);
    SWAPINT32(ph->unix_secs);
    SWAPINT32(ph->unix_nsecs);
  }

  for (n = 0; n < pdu_v5->count; ++n) {

    rec_v5 = (struct fts3rec_v5*) (ftpdu->ftd.buf + (n*ftpdu->ftd.rec_size));

    rec_v5->unix_nsecs = ph->unix_nsecs;
    rec_v5->unix_secs = ph->unix_secs;
    rec_v5->sysUpTime = ph->sysUpTime;

    rec_v5->engine_type = pdu_v5->engine_type;
    rec_v5->engine_type = pdu_v5->engine_id;


    rec_v5->srcaddr = pdu_v5->records[n].srcaddr;
    rec_v5->dstaddr = pdu_v5->records[n].dstaddr;
    rec_v5->nexthop = pdu_v5->records[n].nexthop;
    rec_v5->input = pdu_v5->records[n].input;
    rec_v5->output = pdu_v5->records[n].output;
    rec_v5->dPkts = pdu_v5->records[n].dPkts;
    rec_v5->dOctets = pdu_v5->records[n].dOctets;
    rec_v5->First = pdu_v5->records[n].First;
    rec_v5->Last = pdu_v5->records[n].Last;
    rec_v5->dstport = pdu_v5->records[n].dstport;
    rec_v5->srcport = pdu_v5->records[n].srcport;
    rec_v5->prot = pdu_v5->records[n].prot;
    rec_v5->tos = pdu_v5->records[n].tos;
    rec_v5->tcp_flags = pdu_v5->records[n].tcp_flags;
    rec_v5->src_as = pdu_v5->records[n].src_as;
    rec_v5->dst_as = pdu_v5->records[n].dst_as;
    rec_v5->src_mask = pdu_v5->records[n].src_mask;
    rec_v5->dst_mask = pdu_v5->records[n].dst_mask;

    /* perform AS substitution */
    rec_v5->src_as = (rec_v5->src_as) ? rec_v5->src_as : ftpdu->ftd.as_sub;
    rec_v5->dst_as = (rec_v5->dst_as) ? rec_v5->dst_as : ftpdu->ftd.as_sub;

    /* copy in exporter IP */
    rec_v5->exaddr = ftpdu->ftd.exporter_ip;

    if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {

      SWAPINT32(rec_v5->srcaddr);
      SWAPINT32(rec_v5->dstaddr);
      SWAPINT32(rec_v5->nexthop);
      SWAPINT16(rec_v5->input);
      SWAPINT16(rec_v5->output);
      SWAPINT32(rec_v5->dPkts);
      SWAPINT32(rec_v5->dOctets);
      SWAPINT32(rec_v5->First);
      SWAPINT32(rec_v5->Last);
      SWAPINT16(rec_v5->dstport);
      SWAPINT16(rec_v5->srcport);
      SWAPINT16(rec_v5->src_as);
      SWAPINT16(rec_v5->dst_as);

      SWAPINT32(rec_v5->exaddr);

    }

  } /* for n */

  return ftpdu->ftd.count;

} /* fts3rec_pdu_v5_decode */

/*
 * function: fts3rec_pdu_v6_decode
 *
 * subfunction to fts3rec_pdu_decode
 *
 * returns: # of stream records decoded
*/
int fts3rec_pdu_v6_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;
  struct ftpdu_v6 *pdu_v6;
  struct fts3rec_v6 *rec_v6;

  ftpdu->ftd.rec_size = sizeof (struct fts3rec_v6);
  pdu_v6 = (struct ftpdu_v6*)&ftpdu->buf;
  ph = (struct ftpdu_header*)&ftpdu->buf;

  /* preswap */
  if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {
    SWAPINT32(ph->sysUpTime);
    SWAPINT32(ph->unix_secs);
    SWAPINT32(ph->unix_nsecs);
  }

  for (n = 0; n < pdu_v6->count; ++n) {

    rec_v6 = (struct fts3rec_v6*) (ftpdu->ftd.buf + (n*ftpdu->ftd.rec_size));

    rec_v6->unix_nsecs = ph->unix_nsecs;
    rec_v6->unix_secs = ph->unix_secs;
    rec_v6->sysUpTime = ph->sysUpTime;

    rec_v6->engine_type = pdu_v6->engine_type;
    rec_v6->engine_type = pdu_v6->engine_id;


    rec_v6->srcaddr = pdu_v6->records[n].srcaddr;
    rec_v6->dstaddr = pdu_v6->records[n].dstaddr;
    rec_v6->nexthop = pdu_v6->records[n].nexthop;
    rec_v6->input = pdu_v6->records[n].input;
    rec_v6->output = pdu_v6->records[n].output;
    rec_v6->dPkts = pdu_v6->records[n].dPkts;
    rec_v6->dOctets = pdu_v6->records[n].dOctets;
    rec_v6->First = pdu_v6->records[n].First;
    rec_v6->Last = pdu_v6->records[n].Last;
    rec_v6->dstport = pdu_v6->records[n].dstport;
    rec_v6->srcport = pdu_v6->records[n].srcport;
    rec_v6->prot = pdu_v6->records[n].prot;
    rec_v6->tos = pdu_v6->records[n].tos;
    rec_v6->tcp_flags = pdu_v6->records[n].tcp_flags;
    rec_v6->src_as = pdu_v6->records[n].src_as;
    rec_v6->dst_as = pdu_v6->records[n].dst_as;
    rec_v6->src_mask = pdu_v6->records[n].src_mask;
    rec_v6->dst_mask = pdu_v6->records[n].dst_mask;

    /* perform AS substitution */
    rec_v6->src_as = (rec_v6->src_as) ? rec_v6->src_as : ftpdu->ftd.as_sub;
    rec_v6->dst_as = (rec_v6->dst_as) ? rec_v6->dst_as : ftpdu->ftd.as_sub;

    /* copy in exporter IP */
    rec_v6->exaddr = ftpdu->ftd.exporter_ip;

    if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {

      SWAPINT32(rec_v6->srcaddr);
      SWAPINT32(rec_v6->dstaddr);
      SWAPINT32(rec_v6->nexthop);
      SWAPINT16(rec_v6->input);
      SWAPINT16(rec_v6->output);
      SWAPINT32(rec_v6->dPkts);
      SWAPINT32(rec_v6->dOctets);
      SWAPINT32(rec_v6->First);
      SWAPINT32(rec_v6->Last);
      SWAPINT16(rec_v6->dstport);
      SWAPINT16(rec_v6->srcport);
      SWAPINT16(rec_v6->src_as);
      SWAPINT16(rec_v6->dst_as);

      SWAPINT32(rec_v6->exaddr);

    }

  } /* for n */

  return ftpdu->ftd.count;

} /* fts3rec_pdu_v6_decode */

/*
 * function: fts3rec_pdu_v7_decode
 *
 * subfunction to fts3rec_pdu_decode
 *
 * returns: # of stream records decoded
*/
int fts3rec_pdu_v7_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;
  struct ftpdu_v7 *pdu_v7;
  struct fts3rec_v7 *rec_v7;

  ftpdu->ftd.rec_size = sizeof (struct fts3rec_v7);
  pdu_v7 = (struct ftpdu_v7*)&ftpdu->buf;
  ph = (struct ftpdu_header*)&ftpdu->buf;

  /* preswap */
  if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {
    SWAPINT32(ph->sysUpTime);
    SWAPINT32(ph->unix_secs);
    SWAPINT32(ph->unix_nsecs);
  }

  for (n = 0; n < pdu_v7->count; ++n) {

    rec_v7 = (struct fts3rec_v7*) (ftpdu->ftd.buf + (n*ftpdu->ftd.rec_size));

    rec_v7->unix_nsecs = ph->unix_nsecs;
    rec_v7->unix_secs = ph->unix_secs;
    rec_v7->sysUpTime = ph->sysUpTime;

    rec_v7->engine_type = pdu_v7->engine_type;
    rec_v7->engine_type = pdu_v7->engine_id;

    rec_v7->srcaddr = pdu_v7->records[n].srcaddr;
    rec_v7->dstaddr = pdu_v7->records[n].dstaddr;
    rec_v7->nexthop = pdu_v7->records[n].nexthop;
    rec_v7->input = pdu_v7->records[n].input;
    rec_v7->output = pdu_v7->records[n].output;
    rec_v7->dPkts = pdu_v7->records[n].dPkts;
    rec_v7->dOctets = pdu_v7->records[n].dOctets;
    rec_v7->First = pdu_v7->records[n].First;
    rec_v7->Last = pdu_v7->records[n].Last;
    rec_v7->dstport = pdu_v7->records[n].dstport;
    rec_v7->srcport = pdu_v7->records[n].srcport;
    rec_v7->prot = pdu_v7->records[n].prot;
    rec_v7->tos = pdu_v7->records[n].tos;
    rec_v7->tcp_flags = pdu_v7->records[n].tcp_flags;
    rec_v7->src_as = pdu_v7->records[n].src_as;
    rec_v7->dst_as = pdu_v7->records[n].dst_as;
    rec_v7->src_mask = pdu_v7->records[n].src_mask;
    rec_v7->dst_mask = pdu_v7->records[n].dst_mask;
    rec_v7->router_sc = pdu_v7->records[n].router_sc;

    /* perform AS substitution */
    rec_v7->src_as = (rec_v7->src_as) ? rec_v7->src_as : ftpdu->ftd.as_sub;
    rec_v7->dst_as = (rec_v7->dst_as) ? rec_v7->dst_as : ftpdu->ftd.as_sub;

    /* copy in exporter IP */
    rec_v7->exaddr = ftpdu->ftd.exporter_ip;

    if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {

      SWAPINT32(rec_v7->srcaddr);
      SWAPINT32(rec_v7->dstaddr);
      SWAPINT32(rec_v7->nexthop);
      SWAPINT16(rec_v7->input);
      SWAPINT16(rec_v7->output);
      SWAPINT32(rec_v7->dPkts);
      SWAPINT32(rec_v7->dOctets);
      SWAPINT32(rec_v7->First);
      SWAPINT32(rec_v7->Last);
      SWAPINT16(rec_v7->dstport);
      SWAPINT16(rec_v7->srcport);
      SWAPINT16(rec_v7->src_as);
      SWAPINT16(rec_v7->dst_as);
      SWAPINT32(rec_v7->router_sc);

      SWAPINT32(rec_v7->exaddr);

    }
  } /* for */

  return ftpdu->ftd.count;

} /* fts3rec_pdu_v7_decode */

/*
 * function: fts3rec_pdu_v8_1_decode
 *
 * subfunction to fts3rec_pdu_decode
 *
 * returns: # of stream records decoded
*/
int fts3rec_pdu_v8_1_decode(struct ftpdu *ftpdu)
{
  int n;
  struct ftpdu_header *ph;
  struct ftpdu_v8_1 *pdu_v8_1;
  struct fts3rec_v8_1 *rec_v8_1;

  ftpdu->ftd.rec_size = sizeof (struct fts3rec_v8_1);
  pdu_v8_1 = (struct ftpdu_v8_1*)&ftpdu->buf;
  ph = (struct ftpdu_header*)&ftpdu->buf;

  /* preswap */
  if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {
    SWAPINT32(ph->sysUpTime);
    SWAPINT32(ph->unix_secs);
    SWAPINT32(ph->unix_nsecs);
  }

  for (n = 0; n < pdu_v8_1->count; ++n) {

    rec_v8_1 = (struct fts3rec_v8_1*) (ftpdu->ftd.buf +
      (n*ftpdu->ftd.rec_size));

    rec_v8_1->unix_nsecs = ph->unix_nsecs;
    rec_v8_1->unix_secs = ph->unix_secs;
    rec_v8_1->sysUpTime = ph->sysUpTime;

    rec_v8_1->engine_type = pdu_v8_1->engine_type;
    rec_v8_1->engine_type = pdu_v8_1->engine_id;

    rec_v8_1->dFlows = pdu_v8_1->records[n].dFlows;
    rec_v8_1->dPkts = pdu_v8_1->records[n].dPkts;
    rec_v8_1->dOctets = pdu_v8_1->records[n].dOctets;
    rec_v8_1->First = pdu_v8_1->records[n].First;
    rec_v8_1->Last = pdu_v8_1->records[n].Last;
    rec_v8_1->src_as = pdu_v8_1->records[n].src_as;
    rec_v8_1->dst_as = pdu_v8_1->records[n].dst_as;
    rec_v8_1->input = pdu_v8_1->records[n].input;
    rec_v8_1->output = pdu_v8_1->records[n].output;

    /* perform AS substitution */
    rec_v8_1->src_as = (rec_v8_1->src_as) ? rec_v8_1->src_as :
      ftpdu->ftd.as_sub;
    rec_v8_1->dst_as = (rec_v8_1->dst_as) ? rec_v8_1->dst_as :
      ftpdu->ftd.as_sub;

    /* copy in exporter IP */
    rec_v8_1->exaddr = ftpdu->ftd.exporter_ip;

    if (ftpdu->ftd.byte_order == FT_HEADER_LITTLE_ENDIAN) {

      SWAPINT32(rec_v8_1->dFlows);
      SWAPINT32(rec_v8_1->dPkts);
      SWAPINT32(rec_v8_1->dOctets);
      SWAPINT32(rec_v8_1->First);
      SWAPINT32(rec_v8_1->Last);
      SWAPINT16(rec_v8_1->src_as);
      SWAPINT16(rec_v8_1->dst_as);
      SWAPINT16(rec_v8_1->input);
      SWAPINT16(rec_v8_1->output);

      SWAPINT32(rec_v8_1->exaddr);