ftencode.c

netflow,抓包

/*
 * Copyright (c) 2001 Mark Fullmer and The Ohio State University
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      $Id: ftencode.c,v 1.13 2003/02/13 02:38:41 maf Exp $
 */

#include "ftconfig.h"
#include "ftlib.h"

#if HAVE_STRINGS_H
 #include <strings.h>
#endif
#if HAVE_STRING_H
  #include <string.h>
#endif

/*
 * function: ftencode_init
 * 
 * Initialize a ftencode structure, must be called before
 * first attempt to encode pdu with fts3rec_*_encode()
*/
void ftencode_init(struct ftencode *enc, int flags)
{

  bzero(enc, sizeof (struct ftencode));

  enc->flags = flags;

  if (enc->flags & FT_ENC_FLAGS_IPHDR)
    enc->buf_enc = (char*)&enc->buf + FT_ENC_IPHDR_LEN;
  else
    enc->buf_enc = (char*)&enc->buf;
  
} /* ftencode_init */

/*
 * function: ftencode_reset
 * 
 * Use between successive calls to f2s2rec_*_encode()
*/
void ftencode_reset(struct ftencode *enc)
{
  int len;

  if (enc->flags & FT_ENC_FLAGS_IPHDR)
    len = FT_IO_MAXENCODE -  FT_ENC_IPHDR_LEN;
  else
    len = FT_IO_MAXENCODE;

  bzero (enc->buf_enc, len);

  enc->buf_size = 0;

} /* ftencode_reset */

/*
 * function: ftencode_sum_data
 *          
 * calculate checksum of PDU (just the data)
 *
 */
void ftencode_sum_data(struct ftencode *enc)
{         
  int size;
  u_short *word;
  int sum;
  
  sum = 0;
  size = enc->buf_size;
  word = (u_short*)enc->buf_enc;
            
  for (size = enc->buf_size; size > 1; size -=2)
    sum += *word++;
            
  /* odd byte */
  if (size == 1)
    sum += htons(*(u_char*)word<<8);

  enc->d_sum = sum;

} /* ftencode_cksum_data */


/*
 * function: fts3rec_pdu_encode
 *
 * Encode any type f2s2rec_* into a PDU
 * wrapper function for other f2s2rec_pdu_*_encode
 *
 * Note ftencode_init() must be called on the ftencode
 * first, and ftencode_reset() must be called after each
 * PDU is processed by the caller before calling this
 * function again.
 *
 * returns: -1 error encoding, PDU not encoded.
 *           0 PDU encoded.  Hint next call will fail.
 *           1 PDU encoded.  Room for more.
 * 
*/
int fts3rec_pdu_encode(struct ftencode *enc, void *rec)
{

  switch (enc->ver.d_version) {

    case 1:
      return (fts3rec_pdu_v1_encode(enc, (struct fts3rec_v1*)rec));
      break;

    case 5:
      return (fts3rec_pdu_v5_encode(enc, (struct fts3rec_v5*)rec));
      break;

    case 6:
      return (fts3rec_pdu_v6_encode(enc, (struct fts3rec_v6*)rec));
      break;

    case 7:
      return (fts3rec_pdu_v7_encode(enc, (struct fts3rec_v7*)rec));
      break;

    case 8:

      switch (enc->ver.agg_method) {

        case 1:
          return (fts3rec_pdu_v8_1_encode(enc, (struct fts3rec_v8_1*)rec));
          break;

        case 2:
          return (fts3rec_pdu_v8_2_encode(enc, (struct fts3rec_v8_2*)rec));
          break;

        case 3:
          return (fts3rec_pdu_v8_3_encode(enc, (struct fts3rec_v8_3*)rec));
          break;

        case 4:
          return (fts3rec_pdu_v8_4_encode(enc, (struct fts3rec_v8_4*)rec));
          break;

        case 5:
          return (fts3rec_pdu_v8_5_encode(enc, (struct fts3rec_v8_5*)rec));
          break;

        case 6:
          return (fts3rec_pdu_v8_6_encode(enc, (struct fts3rec_v8_6*)rec));
          break;

        case 7:
          return (fts3rec_pdu_v8_7_encode(enc, (struct fts3rec_v8_7*)rec));
          break;

        case 8:
          return (fts3rec_pdu_v8_8_encode(enc, (struct fts3rec_v8_8*)rec));
          break;

        case 9:
          return (fts3rec_pdu_v8_9_encode(enc, (struct fts3rec_v8_9*)rec));
          break;

        case 10:
          return (fts3rec_pdu_v8_10_encode(enc, (struct fts3rec_v8_10*)rec));
          break;

        case 11:
          return (fts3rec_pdu_v8_11_encode(enc, (struct fts3rec_v8_11*)rec));
          break;

        case 12:
          return (fts3rec_pdu_v8_12_encode(enc, (struct fts3rec_v8_12*)rec));
          break;

        case 13:
          return (fts3rec_pdu_v8_13_encode(enc, (struct fts3rec_v8_13*)rec));
          break;

        case 14:
          return (fts3rec_pdu_v8_14_encode(enc, (struct fts3rec_v8_14*)rec));
          break;

      } /* switch */
      break;

  } /* switch */

  return -1;

} /* fts3rec_pdu_encode */

/*
 * function: fts3rec_pdu_v1_encode
 *
 * Encode a fts3rec into a version 1 PDU
 *
 * returns: -1 error encoding, PDU not encoded.
 *           0 PDU encoded.  Hint next call will fail.
 *           1 PDU encoded.  Room for more.
 * 
*/
int fts3rec_pdu_v1_encode(struct ftencode *enc, struct fts3rec_v1 *rec_v1)
{
  struct ftpdu_v1 *pdu_v1;
  int i;

  pdu_v1 = (struct ftpdu_v1*) enc->buf_enc;

  i = pdu_v1->count;

  /* space to encode more ? */
  if (i >= FT_PDU_V1_MAXFLOWS)
    return -1;

  /* if this is the first record, fill in the header */
  if (!i) {

    pdu_v1->version = 1;
    pdu_v1->sysUpTime = rec_v1->sysUpTime;
    pdu_v1->unix_secs = rec_v1->unix_secs;
    pdu_v1->unix_nsecs = rec_v1->unix_nsecs;
    enc->buf_size = 16; /* pdu header size */

  } else {

    /*  sysUpTime, unix_secs, and unix_nsecs must match for
     *  each pdu.  If a stream is being re-encoded this will normally
     *  work out fine, if the stream was sorted or changed in some way
     *  the PDU may only be able to hold one record.
    */

    if ((pdu_v1->sysUpTime != rec_v1->sysUpTime) ||
        (pdu_v1->unix_secs != rec_v1->unix_secs) ||
        (pdu_v1->unix_nsecs != rec_v1->unix_nsecs))
        return -1;

  }

  pdu_v1->records[i].srcaddr = rec_v1->srcaddr;
  pdu_v1->records[i].dstaddr = rec_v1->dstaddr;
  pdu_v1->records[i].nexthop = rec_v1->nexthop;
  pdu_v1->records[i].input = rec_v1->input;
  pdu_v1->records[i].output = rec_v1->output;
  pdu_v1->records[i].dPkts = rec_v1->dPkts;
  pdu_v1->records[i].dOctets = rec_v1->dOctets;
  pdu_v1->records[i].First = rec_v1->First;
  pdu_v1->records[i].Last = rec_v1->Last;
  pdu_v1->records[i].srcport = rec_v1->srcport;
  pdu_v1->records[i].dstport = rec_v1->dstport;
  pdu_v1->records[i].prot = rec_v1->prot;
  pdu_v1->records[i].tos = rec_v1->tos;
  pdu_v1->records[i].flags = rec_v1->tcp_flags;

  pdu_v1->count ++;
  enc->buf_size += sizeof (struct ftrec_v1);

  if (pdu_v1->count >= FT_PDU_V1_MAXFLOWS)
    return 0;
  else
    return 1;
}

/*
 * function: fts3rec_pdu_v5_encode
 *
 * Encode a fts3rec into a version 5 PDU
 *
 * returns: -1 error encoding, PDU not encoded.
 *           0 PDU encoded.  Hint next call will fail.
 *           1 PDU encoded.  Room for more.
 * 
*/
int fts3rec_pdu_v5_encode(struct ftencode *enc, struct fts3rec_v5 *rec_v5)
{
  struct ftpdu_v5 *pdu_v5;
  u_int seq_index;
  int i;

  pdu_v5 = (struct ftpdu_v5*) enc->buf_enc;

  i = pdu_v5->count;

  /* index to sequence # */
  seq_index = rec_v5->engine_id<<8 | rec_v5->engine_type;

  /* space to encode more ? */
  if (i >= FT_PDU_V5_MAXFLOWS)
    return -1;

  /* if this is the first record, fill in the header */
  if (!i) {

    pdu_v5->version = 5;
    pdu_v5->sysUpTime = rec_v5->sysUpTime;
    pdu_v5->unix_secs = rec_v5->unix_secs;
    pdu_v5->unix_nsecs = rec_v5->unix_nsecs;
    pdu_v5->engine_type = rec_v5->engine_type;
    pdu_v5->engine_id = rec_v5->engine_id;
    pdu_v5->flow_sequence = enc->seq_next[seq_index];
    enc->buf_size = 24; /* pdu header size */

  } else {

    /*  sysUpTime, unix_secs, unix_nsecs, and engine_* must match for
     *  each pdu.  If a stream is being re-encoded this will normally
     *  work out fine, if the stream was sorted or changed in some way
     *  the PDU may only be able to hold one record.
    */

    if ((pdu_v5->sysUpTime != rec_v5->sysUpTime) ||
        (pdu_v5->unix_secs != rec_v5->unix_secs) ||
        (pdu_v5->unix_nsecs != rec_v5->unix_nsecs) ||
        (pdu_v5->engine_id != rec_v5->engine_id) ||
        (pdu_v5->engine_type != rec_v5->engine_type))
        return -1;

  }

  pdu_v5->records[i].srcaddr = rec_v5->srcaddr;
  pdu_v5->records[i].dstaddr = rec_v5->dstaddr;
  pdu_v5->records[i].nexthop = rec_v5->nexthop;
  pdu_v5->records[i].input = rec_v5->input;
  pdu_v5->records[i].output = rec_v5->output;
  pdu_v5->records[i].dPkts = rec_v5->dPkts;
  pdu_v5->records[i].dOctets = rec_v5->dOctets;
  pdu_v5->records[i].First = rec_v5->First;
  pdu_v5->records[i].Last = rec_v5->Last;
  pdu_v5->records[i].srcport = rec_v5->srcport;
  pdu_v5->records[i].dstport = rec_v5->dstport;
  pdu_v5->records[i].prot = rec_v5->prot;
  pdu_v5->records[i].tos = rec_v5->tos;
  pdu_v5->records[i].tcp_flags = rec_v5->tcp_flags;
  pdu_v5->records[i].src_as = rec_v5->src_as;
  pdu_v5->records[i].dst_as = rec_v5->dst_as;
  pdu_v5->records[i].src_mask = rec_v5->src_mask;
  pdu_v5->records[i].dst_mask = rec_v5->dst_mask;

  /* increment sequence # */
  enc->seq_next[seq_index]++;

  pdu_v5->count ++;
  enc->buf_size += sizeof (struct ftrec_v5);

  if (pdu_v5->count >= FT_PDU_V5_MAXFLOWS)
    return 0;
  else
    return 1;

} /* fts3rec_pdu_v5_encode */

/*
 * function: fts3rec_pdu_v6_encode
 *
 * Encode a fts3rec into a version 6 PDU
 *
 * returns: -1 error encoding, PDU not encoded.
 *           0 PDU encoded.  Hint next call will fail.
 *           1 PDU encoded.  Room for more.
 * 
*/
int fts3rec_pdu_v6_encode(struct ftencode *enc, struct fts3rec_v6 *rec_v6)
{
  struct ftpdu_v6 *pdu_v6;
  u_int seq_index;
  int i;

  pdu_v6 = (struct ftpdu_v6*) enc->buf_enc;

  /* index to sequence # */
  seq_index = rec_v6->engine_id<<8 | rec_v6->engine_type;

  i = pdu_v6->count;

  /* space to encode more ? */
  if (i >= FT_PDU_V6_MAXFLOWS)
    return -1;

  /* if this is the first record, fill in the header */
  if (!i) {

    pdu_v6->version = 6;
    pdu_v6->sysUpTime = rec_v6->sysUpTime;
    pdu_v6->unix_secs = rec_v6->unix_secs;
    pdu_v6->unix_nsecs = rec_v6->unix_nsecs;
    pdu_v6->engine_type = rec_v6->engine_type;
    pdu_v6->engine_id = rec_v6->engine_id;
    pdu_v6->flow_sequence = enc->seq_next[seq_index];
    enc->buf_size = 24; /* pdu header size */

  } else {

    /*  sysUpTime, unix_secs, unix_nsecs, and engine_* must match for
     *  each pdu.  If a stream is being re-encoded this will normally
     *  work out fine, if the stream was sorted or changed in some way
     *  the PDU may only be able to hold one record.
    */

    if ((pdu_v6->sysUpTime != rec_v6->sysUpTime) ||
        (pdu_v6->unix_secs != rec_v6->unix_secs) ||
        (pdu_v6->unix_nsecs != rec_v6->unix_nsecs) ||
        (pdu_v6->engine_id != rec_v6->engine_id) ||
        (pdu_v6->engine_type != rec_v6->engine_type))
        return -1;

  }

  pdu_v6->records[i].srcaddr = rec_v6->srcaddr;