ftio.c

netflow,抓包

        ftio->compat_v5.input = compat->input;
        ftio->compat_v5.output = compat->output;
        ftio->compat_v5.dPkts = compat->dPkts;
        ftio->compat_v5.dOctets = compat->dOctets;
        ftio->compat_v5.Last = compat->Last;
        ftio->compat_v5.First = compat->First;
        ftio->compat_v5.srcport = compat->srcport;
        ftio->compat_v5.dstport = compat->dstport;
        ftio->compat_v5.prot = compat->prot;
        ftio->compat_v5.tos = compat->tos;
        ftio->compat_v5.tcp_flags = compat->flags;
        ftio->compat_v5.src_as = compat->src_as;
        ftio->compat_v5.dst_as = compat->dst_as;
        ftio->compat_v5.src_mask = compat->src_mask;
        ftio->compat_v5.dst_mask = compat->dst_mask;

        ret = (void*)&ftio->compat_v5;

      } /* v5 compat */
    } /* need compat hack */

  } /* ret is set */

  return ret;

}

/*
 * function: ftio_write_header
 *
 * A ftio stream consists of a header and n records.  ftio_write_header()
 * must be called before ftio_write() to output the header portion of
 * the stream
 *
 * Stream must be first initialized with ftio_init() 
 *
 * returns: <0   error
 *          >= 0 okay
 *
 */
int ftio_write_header(struct ftio *ftio)
{
  struct ftheader_gen head_gen;
  struct ftmap_ifname *ftmin;
  struct ftmap_ifalias *ftmia;
  u_int32 head_off_d;
  int n, ret, restore, flip, len;
  char *enc_buf;

  ret = -1;
  restore = 0;
  enc_buf = (char*)0L;

  /* if this is not the first time, rewind */
  if (ftio->flags & FT_IO_FLAG_HEADER_DONE) {

    if (lseek(ftio->fd, (off_t)0L, SEEK_SET) == -1) {
      fterr_warn("lseek()");
      goto ftio_write_header_out;
    }

    /* flag to seek back to end of file */
    restore = 1;

    /* mark the file as complete.  Assume that the second call to write_header
     * is actually the last
     */
    ftio->fth.flags |= FT_HEADER_FLAG_DONE;

  }

  ftio->fth.magic1 = FT_HEADER_MAGIC1;
  ftio->fth.magic2 = FT_HEADER_MAGIC2;

  ftio->fth.s_version = 3;

  if ((!ftio->fth.d_version) || (!ftio->fth.byte_order)) {
    fterr_warnx("Set d_version and byte_order first");
    goto ftio_write_header_out;
  }

  if (!(ftio->flags & FT_IO_FLAG_WRITE)) {
    fterr_warnx("Stream not initialized for writing");
    goto ftio_write_header_out;
  }

#if BYTE_ORDER == BIG_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_LITTLE_ENDIAN)
      flip = 1;
    else
      flip = 0;
#endif /* BYTE_ORDER == BIG_ENDIAN */

#if BYTE_ORDER == LITTLE_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_BIG_ENDIAN)
      flip = 1;
    else
      flip = 0;
#endif /* BYTE_ORDER == LITTLE_ENDIAN */

  /* max header size */
  len = FT_IO_MAXHEADER;

  /* allocate encode buffer + extra 4 bytes to guarantee alignment */
  if (!(enc_buf = (char*)malloc(len+4))) {
    fterr_warn("malloc()");
    goto ftio_write_header_out;
  }

  /* clear encode buffer */
  bzero(enc_buf, len+4);

  head_gen.magic1 = ftio->fth.magic1;
  head_gen.magic2 = ftio->fth.magic2;
  head_gen.byte_order = ftio->fth.byte_order;
  head_gen.s_version = ftio->fth.s_version;

  /* encode generic header */
  bcopy(&head_gen, enc_buf, sizeof head_gen);

  /* leave room to encode head_off_d later */
  head_off_d = sizeof head_gen + sizeof head_off_d;

  /*
   * encode each TLV
   */

  if (ftio->fth.fields & FT_FIELD_VENDOR) {
    if ((n = fttlv_enc_uint8(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_VENDOR, ftio->fth.vendor)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_EX_VER) {
    if ((n = fttlv_enc_uint16(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_EX_VER, ftio->fth.d_version)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_AGG_VER) {
    if ((n = fttlv_enc_uint8(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_AGG_VER, ftio->fth.agg_version)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_AGG_METHOD) {
    if ((n = fttlv_enc_uint8(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_AGG_METHOD, ftio->fth.agg_method)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_EXPORTER_IP) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_EXPORTER_IP, ftio->fth.exporter_ip)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_CAP_START) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_CAP_START, ftio->fth.cap_start)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_CAP_END) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_CAP_END, ftio->fth.cap_end)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_HEADER_FLAGS) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_HEADER_FLAGS, ftio->fth.flags)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_ROT_SCHEDULE) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_ROT_SCHEDULE, ftio->fth.rotation)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_FLOW_COUNT) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_FLOW_COUNT, ftio->fth.flows_count)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_FLOW_LOST) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_FLOW_LOST, ftio->fth.flows_lost)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_FLOW_MISORDERED) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_FLOW_MISORDERED, ftio->fth.flows_misordered)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_PKT_CORRUPT) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_PKT_CORRUPT, ftio->fth.pkts_corrupt)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_SEQ_RESET) {
    if ((n = fttlv_enc_uint32(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_SEQ_RESET, ftio->fth.seq_reset)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_CAP_HOSTNAME) {
    if ((n = fttlv_enc_str(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_CAP_HOSTNAME, ftio->fth.cap_hostname)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_COMMENTS) {
    if ((n = fttlv_enc_str(enc_buf+head_off_d, len-head_off_d,
      flip, FT_TLV_COMMENTS, ftio->fth.comments)) < 0)
      goto ftio_write_header_out;
    else
      head_off_d += n;
  }

  if (ftio->fth.fields & FT_FIELD_IF_NAME) {
    FT_LIST_FOREACH(ftmin, &ftio->fth.ftmap->ifname, chain) {
      if ((n = fttlv_enc_ifname(enc_buf+head_off_d, len-head_off_d,
        flip, FT_TLV_IF_NAME, ftmin->ip, ftmin->ifIndex, ftmin->name)) < 0)
        goto ftio_write_header_out;
      else
        head_off_d += n;
    }
  }

  if (ftio->fth.fields & FT_FIELD_IF_ALIAS) {
    FT_LIST_FOREACH(ftmia, &ftio->fth.ftmap->ifalias, chain) {
      if ((n = fttlv_enc_ifalias(enc_buf+head_off_d, len-head_off_d,
        flip, FT_TLV_IF_ALIAS, ftmia->ip, ftmia->ifIndex_list, ftmia->entries,
          ftmia->name)) < 0)
        goto ftio_write_header_out;
      else
        head_off_d += n;
    }
  }

  /* head_off_d must be longword aligned */
  if (head_off_d & 0x00000003)
    head_off_d = (head_off_d & 0xFFFFFFFC) + 4;

  /* if rewriting, ensure header area has not grown or shrunk */
  if (restore) {
    if (head_off_d != ftio->fth.size) {
      fterr_warnx("Header size change during rewrite not supported");
      goto ftio_write_header_out;
    }
  }

  /* byte order of target */
  if (flip)
    SWAPINT32(head_off_d);

  /* encode offset to data */
  bcopy(&head_off_d, enc_buf+sizeof head_gen, sizeof head_off_d);

  /* restore */
  if (flip)
    SWAPINT32(head_off_d);

  n = writen(ftio->fd, enc_buf, head_off_d);

  if (n < 0) {
    fterr_warn("writen()");
    goto ftio_write_header_out;
  }

  if (n == 0) {
    fterr_warnx("writen(): EOF");
    goto ftio_write_header_out;
  }

  /* flag header has been written */
  ftio->flags |= FT_IO_FLAG_HEADER_DONE;

  /* save write size */
  ftio->fth.size = head_off_d;

  ret = n;

ftio_write_header_out:

  if (restore) {

    if (lseek(ftio->fd, (off_t)0L, SEEK_END) == -1) {
      fterr_warn("lseek()");
    }

  }

  if (enc_buf)
    free(enc_buf);

  return ret;

}

/*
 * function: ftio_write
 *
 * Schedule fts3rec_* for output.  ftio_write_header() must be called
 * on a stream before ftio_write().  If ftio_close() is not called
 * records may not be written.
 *
 * Stream must be first initialized with ftio_init() 
 *
 * returns: <0   error
 *          >= 0 okay
 *
 */
int ftio_write(struct ftio *ftio, void *data)
{
  int ret, n, nbytes;

  ret = -1;
  nbytes = 0;
 
  if (!(ftio->flags & FT_IO_FLAG_NO_SWAP)) {
#if BYTE_ORDER == BIG_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_LITTLE_ENDIAN)
      ftio->swapf((void*)data);
#endif /* BYTE_ORDER == BIG_ENDIAN */

#if BYTE_ORDER == LITTLE_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_BIG_ENDIAN)
      ftio->swapf((void*)data);
#endif /* BYTE_ORDER == LITTLE_ENDIAN */
  }

  /* compressed stream? */
  if (ftio->fth.flags & FT_HEADER_FLAG_COMPRESS) {

    ftio->zs.next_in = (Bytef*)data;
    ftio->zs.avail_in = ftio->rec_size;

    while (1) {

      if (deflate(&ftio->zs, Z_NO_FLUSH) != Z_OK) {
        fterr_warnx("deflate(): failed");
        goto ftio_write_out;
      }

      /* need to flush */
      if (!ftio->zs.avail_out) {

        n = writen(ftio->fd, ftio->z_buf, FT_Z_BUFSIZE);

        if (n < 0) {
          fterr_warn("writen()");
          goto ftio_write_out;
        }

        if (n == 0) {
          fterr_warnx("writen(): EOF");
          goto ftio_write_out;
        }

        ftio->zs.next_out = (Bytef*)ftio->z_buf;
        ftio->zs.avail_out = FT_Z_BUFSIZE;

        nbytes += n;

        ret = 0; /* success */

      } else {

        ret = 0; /* success */
        break;

      }

    } /* deflating */

  /* no, uncompressed stream */

  } else {

    /* flush full buffer */
    if ((ftio->d_start + ftio->rec_size) > ftio->d_end) {

      n = writen(ftio->fd, ftio->d_buf, ftio->d_start);

      if (n < 0) {
        fterr_warn("writen()");
        goto ftio_write_out;
      }

      if (n == 0) {
        fterr_warnx("writen(): EOF");
        goto ftio_write_out;
      }

      ftio->d_start = 0;

      nbytes += n;

    }

    bcopy(data, ftio->d_buf+ftio->d_start, ftio->rec_size);

    ftio->d_start += ftio->rec_size;

    ret = 0; /* success */

  }

ftio_write_out:

  if (!(ftio->flags & FT_IO_FLAG_NO_SWAP)) {
#if BYTE_ORDER == BIG_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_LITTLE_ENDIAN)
      ftio->swapf((void*)data);
#endif /* BYTE_ORDER == BIG_ENDIAN */

#if BYTE_ORDER == LITTLE_ENDIAN
    if (ftio->fth.byte_order == FT_HEADER_BIG_ENDIAN)
      ftio->swapf((void*)data);
#endif /* BYTE_ORDER == LITTLE_ENDIAN */
  }

  if (ret < 0)
    return ret;
  else
    return nbytes;

} /* ftio_write */

/*
 * function: ftio_header_print
 *
 * Dump ftio header in readable format
 *
 * Stream must be first initialized with ftio_init() 
 *
 */
void ftio_header_print(struct ftio *ftio, FILE *std, char cc)
{
  struct ftiheader *fth;
  struct ftmap_ifname *ftmin;
  struct ftmap_ifalias *ftmia;
  char agg_ver, agg_method;
  char *agg_name;
  char fmt_buf[32];
  u_int32 flags, fields;
  u_long period;
  int n, streaming2;

  fth = &ftio->fth;

  fields = ftio->fth.fields;

  if (fields & FT_FIELD_HEADER_FLAGS)
    flags = ftio->fth.flags;
  else 
    flags = 0;

  streaming2 = (flags & FT_HEADER_FLAG_STREAMING);
  if (flags & FT_HEADER_FLAG_PRELOADED)
    streaming2 = 0;

  if (flags & FT_HEADER_FLAG_STREAMING)
    fprintf(std, "%c\n%c mode:                 streaming\n", cc, cc);
  else
    fprintf(std, "%c\n%c mode:                 normal\n", cc, cc);

  if (flags & FT_HEADER_FLAG_XLATE)
    fprintf(std, "%c translated:           yes\n", cc);

  if (!(flags & FT_HEADER_FLAG_STREAMING))
    if (fields & FT_FIELD_CAP_HOSTNAME)
      fprintf(std, "%c capture hostname:     %s\n", cc, fth->cap_hostname);

  if (!(flags & FT_HEADER_FLAG_STREAMING)) {
    if (fields & FT_FIELD_EXPORTER_IP) {
      fmt_ipv4(fmt_buf, fth->exporter_ip, FMT_JUST_LEFT);
      fprintf(std, "%c exporter IP address:  %s\n", cc, fmt_buf);
    }
  }

  if (!streaming2)
    if (fields & FT_FIELD_CAP_START)
      fprintf(std, "%c capture start:        %s", cc,
        ctime((time_t*)&fth->cap_start));

  if (!streaming2) {

    if ((flags & FT_HEADER_FLAG_DONE) || (flags & FT_HEADER_FLAG_PRELOADED)) {

      if (fields & FT_FIELD_CAP_END)
        fprintf(std, "%c capture end:          %s", cc,
          ctime((time_t*)&fth->cap_end));

      period = fth->cap_end - fth->cap_start;
      if ((fields & FT_FIELD_CAP_END) && (fields & FT_FIELD_CAP_START))
        fprintf(std, "%c capture period:       %lu seconds\n", cc, period);

    }

  }

  fprintf(std, "%c compress:             %s\n", cc, 
    (flags & FT_HEADER_FLAG_COMPRESS) ? "on" : "off");

  fprintf(std, "%c byte order:           ", cc);
  if (fth->byte_order == FT_HEADER_LITTLE_ENDIAN)
    fprintf(std, "little\n");
  else if (fth->byte_order == FT_HEADER_BIG_ENDIAN)
    fprintf(std, "big\n");
  else
    fprintf(std, "BROKEN\n");

/*
  if (!(flags & FT_HEADER_FLAG_STREAMING))
    fprintf(std, "%c multiple pdu types:   %s\n", cc,
      (fth->flags & FT_HEADER_FLAG_MULT_PDU) ? "yes" : "no");
 */

  fprintf(std, "%c stream version:       %u\n", cc, (int)fth->s_version);

  if (fields & FT_FIELD_EX_VER)
    fprintf(std, "%c export version:       %u\n", cc, (int)fth->d_version);