flow-stat.c

netflow,抓包

/*
 * Copyright (c) 2001 Mark Fullmer and The Ohio State University
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      $Id: flow-stat.c,v 1.44 2003/04/02 18:03:03 maf Exp $
 */

#include "ftconfig.h"
#include <ftlib.h>

#include <sys/types.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <time.h>
#include <ctype.h>
#include <fcntl.h>

#if HAVE_STRINGS_H
 #include <strings.h>
#endif

#if HAVE_STRING_H
  #include <string.h>
#endif

#include "ftbuild.h"

/*
 * XXX TODO
 *
 * wide format to include bandwidth
 * 
 * format groups
 *
 * tally for all reports
 *
 * html formatting
 *
 * possible memory leaks with new allocation
 *
 * x src,dst,src/dst formats also need just 'x' like IP
 *
 * bw summary in f0
 *
 * bw report
 *
 */

#define FORMATS 33  /* # of types of output */

#define CUR_GET\
    cur.duration = *((u_int32*)(rec+fo.Last)) - *((u_int32*)(rec+fo.First));\
    cur.octets = *((u_int32*)(rec+fo.dOctets));\
    cur.packets = *((u_int32*)(rec+fo.dPkts));\

#define CUR_GET_PLUS_FLOWS\
    if (args->ftio.xfield & FT_XFIELD_DFLOWS)\
      cur.flows = *((u_int32*)(rec+fo.dFlows));\
    cur.duration = *((u_int32*)(rec+fo.Last)) - *((u_int32*)(rec+fo.First));\
    cur.octets = *((u_int32*)(rec+fo.dOctets));\
    cur.packets = *((u_int32*)(rec+fo.dPkts));\

#define TOTAL_INC\
    total.flows += cur.flows;\
    total.octets += cur.octets;\
    total.packets += cur.packets;\
    total.duration += cur.duration;\

#define STAT_INCP(A)\
    A->nflows += cur.flows;\
    A->noctets += cur.octets;\
    A->npackets += cur.packets;\
    A->etime += cur.duration;\

#define STAT_INCA(A)\
    stat.flows[A] += cur.flows;\
    stat.octets[A] += cur.octets;\
    stat.packets[A] += cur.packets;\
    stat.duration[A] += cur.duration;\

int debug;

static u_int64 *sort_i64;

static int sort_cmp64(const void *a, const void *b);


struct fopdi {
  u_int64 *flows, *octets, *packets, *duration;
  u_int32 *index;
};

struct fopd32 {
  u_int32 flows, octets, packets, duration;
};

struct fopd32p {
  u_int32 flows, octets, packets, duration;
};

struct fopd {
  u_int64 flows, octets, packets, duration;
};

struct fmtargs {
  struct ftio ftio;
  int sort_order;
  int options;
  int tally;
  char cc;
};

struct jump {
    int (*where)(struct fmtargs *args);
};

int fopdi_alloc(struct fopdi *fopdi, int n);
void fopdi_free(struct fopdi *fopdi);

int tbl_out1(struct fmtargs *args, u_int nindex, struct fopdi *stat,
  struct fopd *total, char *title, char *symfile);

int chash_c32_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total, char *title, char *symfile);

int chash_c322_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total, char *title, char *title2, char *symfile);

int chash_ip_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total);

int chash_ip2_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total);

int chash_as2_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total, char *symfile);

int chash_if2_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total);

int chash_pre_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total);

int chash_pre2_dump (struct ftchash *ftch, char cc, int sort_order, int options,
  struct fopd *total);


int format0(struct fmtargs *args); int format1(struct fmtargs *args);
int format2(struct fmtargs *args); int format3(struct fmtargs *args);
int format4(struct fmtargs *args); int format5(struct fmtargs *args);
int format6(struct fmtargs *args); int format7(struct fmtargs *args);
int format8(struct fmtargs *args); int format9(struct fmtargs *args);
int format10(struct fmtargs *args); int format11(struct fmtargs *args);
int format12(struct fmtargs *args); int format13(struct fmtargs *args);
int format14(struct fmtargs *args); int format15(struct fmtargs *args);
int format16(struct fmtargs *args); int format17(struct fmtargs *args);
int format18(struct fmtargs *args); int format19(struct fmtargs *args);
int format20(struct fmtargs *args); int format21(struct fmtargs *args);
int format22(struct fmtargs *args); int format23(struct fmtargs *args);
int format24(struct fmtargs *args); int format25(struct fmtargs *args);
int format26(struct fmtargs *args); int format27(struct fmtargs *args);
int format28(struct fmtargs *args); int format29(struct fmtargs *args);
int format30(struct fmtargs *args); int format31(struct fmtargs *args);
int format32(struct fmtargs *args);

struct jump format[] = {
          {format0}, {format1}, {format2}, {format3}, {format4}, {format5},
          {format6}, {format7}, {format8}, {format9}, {format10}, {format11},
          {format12}, {format13}, {format14}, {format15}, {format16},
          {format17}, {format18}, {format19}, {format20}, {format21},
          {format22}, {format23}, {format24}, {format25}, {format26},
          {format27}, {format28}, {format29}, {format30}, {format31},
          {format32}, 
          };

char *format_name[] = {
  "Overall Summary",
  "Average packet size distribution",
  "Packets per flow distribution",
  "Octets per flow distribution",
  "Bandwidth per flow distribution",
  "UDP/TCP destination port",
  "UDP/TCP source port",
  "UDP/TCP port",
  "Destination IP",
  "Source IP",
  "Source/Destination IP",
  "Source or Destination IP",
  "IP protocol",
  "octets for flow duration plot data",
  "packets for flow duration plot data",
  "short summary",
  "IP Next Hop",
  "Input interface",
  "Output interface",
  "Source AS",
  "Destination AS",
  "Source/Destination AS",
  "IP ToS",
  "Input/Output Interface",
  "Source Prefix",
  "Destination Prefix",
  "Source/Destination Prefix",
  "Exporter IP",
  "Engine Id",
  "Engine Type",
  "Source Tag",
  "Destination Tag",
  "Source/Destination Tag",
  };

struct stat0 {

  u_int64 nflows;     /* total # flows */
  u_int64 noctets;    /* total # octets */
  u_int64 npackets;   /* total # packets */

  u_int64 time;       /* total time in 1/1000 of flows */

  double  aflowtime;  /* average time of flow */
  double  aps;        /* average packet size */
  double  afs;        /* average flow size */
  double  apf;        /* average packets per flow */
  double  fps;        /* average flows per second */
  double  fps_real;   /* average flows per second (realtime) */
  double  aos;        /* average octets per second */
  double  aos_real;   /* average octets per second (realtime) */

  u_int64 start;      /* earliest flow time */
  u_int64 end;        /* latest flow time */

  u_int32 time_start; /* earliest flow (realtime) */
  u_int32 time_end;   /* last flow (realtime) */

  u_int32 time_real;  /* realtime duration */

  /* average packet sizes */
  u_int64 psize32;    /* bytes/packet 1    <= p <= 32 */
  u_int64 psize64;    /* bytes/packet 32   < p <= 64  */
  u_int64 psize96; u_int64 psize128; u_int64 psize160; u_int64 psize192;
  u_int64 psize224; u_int64 psize256; u_int64 psize288; u_int64 psize320;
  u_int64 psize352; u_int64 psize384; u_int64 psize416; u_int64 psize448;
  u_int64 psize480; u_int64 psize512; u_int64 psize544; u_int64 psize576;
  u_int64 psize1024; u_int64 psize1536; u_int64 psize2048; u_int64 psize2560;
  u_int64 psize3072; u_int64 psize3584; u_int64 psize4096; u_int64 psize4608;

  /* packets per flow */
  u_int64 fpsize1;    /* packets/flow = 1 */
  u_int64 fpsize2;    /* packets/flow = 2 */
  u_int64 fpsize4;    /* packets/flow 2 < p <= 4 */
  u_int64 fpsize8;    /* packets/flow 4 < p <= 8 */
  u_int64 fpsize12; u_int64 fpsize16; u_int64 fpsize20; u_int64 fpsize24;
  u_int64 fpsize28; u_int64 fpsize32; u_int64 fpsize36; u_int64 fpsize40;
  u_int64 fpsize44; u_int64 fpsize48; u_int64 fpsize52; u_int64 fpsize60;
  u_int64 fpsize100; u_int64 fpsize200; u_int64 fpsize300; u_int64 fpsize400;
  u_int64 fpsize500; u_int64 fpsize600; u_int64 fpsize700; u_int64 fpsize800;
  u_int64 fpsize900;
  u_int64 fpsize_other; /* packets/flow 200 < p */

  /* octets per flow */
  u_int64 fosize32;     /* octets/flow 1    <= p <= 32 */
  u_int64 fosize64;     /* octets/flow 32   < p <= 64 */
  u_int64 fosize128;    /* octets/flow 64   < p <= 128 */
  u_int64 fosize256;    /* octets/flow 128   < p <= 256 */
  u_int64 fosize512; u_int64 fosize1280; u_int64 fosize2048;
  u_int64 fosize2816; u_int64 fosize3584; u_int64 fosize4352;
  u_int64 fosize5120; u_int64 fosize5888; u_int64 fosize6656;
  u_int64 fosize7424; u_int64 fosize8192; u_int64 fosize8960;
  u_int64 fosize9728; u_int64 fosize10496; u_int64 fosize11264;
  u_int64 fosize12032; u_int64 fosize12800; u_int64 fosize13568;
  u_int64 fosize14336; u_int64 fosize15104; u_int64 fosize15872;
  u_int64 fosize_other; /* octets/flow 15872   < p */

  /* time per flow */
  u_int64 ftime10;    /* time/flow 1 <= p <= 10 */
  u_int64 ftime50;    /* time/flow 10 < p <= 50 */
  u_int64 ftime100; u_int64 ftime200; u_int64 ftime500; u_int64 ftime1000;
  u_int64 ftime2000; u_int64 ftime3000; u_int64 ftime4000; u_int64 ftime5000;
  u_int64 ftime6000; u_int64 ftime7000; u_int64 ftime8000; u_int64 ftime9000;
  u_int64 ftime10000; u_int64 ftime12000; u_int64 ftime14000;
  u_int64 ftime16000; u_int64 ftime18000; u_int64 ftime20000;
  u_int64 ftime22000; u_int64 ftime24000; u_int64 ftime26000;
  u_int64 ftime28000; u_int64 ftime30000;
  u_int64 ftime_other;  /* time/flow 2000 < p */

};

void usage(void);

int main(int argc, char **argv)
{
  struct fmtargs args;
  struct ftprof ftp;
  int x, y, ret, i, format_index, print_header, usage_call;
  char *title, *c;

  title = (char*)0L;
  usage_call = 0;

  /* init fterr */
  fterr_setid(argv[0]);

  /* profile */
  ftprof_start (&ftp);

  args.options = 0;
  format_index = 0;
  print_header = 0;
  args.cc = '#';
  args.sort_order = 0;

  while ((i = getopt(argc, argv, "c:d:f:h?npPs:S:t:T:w")) != -1)

    switch (i) {

    case 'c': /* comment character */
      args.cc = optarg[0];
      break;

    case 'd': /* debug */
      debug = atoi(optarg);
      break;

    case 'f': /* format */
      format_index = atoi(optarg);
      break;

    case 'h': /* help */
    case '?': /* help */
      usage();
      ++usage_call;
      break;

    case 'n': /* use names */
      args.options |= FT_OPT_NAMES;
      break;

    case 'p': /* print header */
      print_header = 1;
      break;

    case 'P': /* percent's */
      args.options |= FT_OPT_PERCENT;
      break;

    case 's': /* sort low to high on field n */
      args.sort_order = (atoi(optarg)+1) * -1;
      break;

    case 'S': /* sort high to low on field n */
      args.sort_order = (atoi(optarg)+1);
      break;

    case 't': /* tallies */
      args.options |= FT_OPT_TALLY;
      args.tally = atoi(optarg);
      break;

    case 'T': /* title */
      title = optarg;
      break;

    case 'w': /* wide output */
      args.options |= FT_OPT_WIDE;
      break;

    default:
      usage();
      exit (1);
      break;

    } /* switch */

  if (argc - optind)
    fterr_errx(1, "Extra arguments starting with %s.", argv[optind]);

  if (usage_call)
    exit (0);

  if (format_index >= FORMATS)
    fterr_errx(1, "No such format, %d\n", format_index);

  /* read from stdin */
  if (ftio_init(&args.ftio, 0, FT_IO_FLAG_READ) < 0)
    fterr_errx(1, "ftio_init(): failed");

  printf("%c  --- ---- ---- Report Information --- --- ---\n", args.cc);
  printf("%c\n", args.cc);

  if (title)
    printf("%c Title:     %s\n", args.cc, title);

  printf("%c Fields:    %sTotal\n", args.cc,
    (args.options & FT_OPT_PERCENT) ?  "Percent " : "");

  printf("%c Symbols:   %s\n", args.cc,
    (args.options & FT_OPT_NAMES) ? "Enabled" :
    "Disabled");

  if (!args.sort_order)
    c = "None";
  else if (args.sort_order > 0)
    c = "Descending";
  else
    c = "Ascending";
  printf("%c Sorting:   %s", args.cc, c);

  if (args.sort_order)
    printf(" Field %d\n", abs(args.sort_order)-1);
  else
    printf("\n");

  printf("%c Name:      %s\n", args.cc, format_name[format_index]);

  /* print cmdl args */
  printf("%c\n%c Args:      ", args.cc, args.cc);
  for (x = 0; x < argc; ++x) {
    for (y = 0; y < strlen(argv[x]); ++y) {
      if (isprint((int)argv[x][y])) putc(argv[x][y], stdout);
    }
    putc (' ', stdout);
  }
  putc ('\n', stdout);

  printf("%c\n", args.cc);

  if (print_header) {
    ftio_header_print(&args.ftio, stdout, args.cc);
  }

  ret = format[format_index].where(&args);

  if ((!ret) && (debug > 0)) {
    ftprof_end(&ftp, ftio_get_rec_total(&args.ftio));
    ftprof_print(&ftp, argv[0], stderr);
  }

  ret = 0;

  return ret;

} /* main */

/*
 * function: format0
 *
 *  prints long summary
 *
 * returns 0 for success.
 */
int format0(struct fmtargs *args)
{
  struct fts3rec_offsets fo;
  struct fopd32 cur;
  struct ftver ftv;
  struct stat0 fs0;
  u_long p;
  char fmt_buf[256];
  u_int32 time_tmp;
  char *rec;
  u_int32 First, Last, unix_secs;

  ftio_get_ver(&args->ftio, &ftv);

  if (ftio_check_xfield(&args->ftio, FT_XFIELD_DPKTS |
    FT_XFIELD_DOCTETS | FT_XFIELD_FIRST | FT_XFIELD_LAST |
    FT_XFIELD_UNIX_SECS)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  fts3rec_compute_offsets(&fo, &ftv);

  bzero(&fs0, sizeof fs0);

  fs0.start = 0xFFFFFFFF;
  fs0.end = 0;
  fs0.time_start = 0xFFFFFFFF;
  fs0.time_end = 0;

  cur.flows = 1;

  while ((rec = ftio_read(&args->ftio))) {

    CUR_GET_PLUS_FLOWS;

    First = *((u_int32*)(rec+fo.First));
    Last = *((u_int32*)(rec+fo.Last));
    unix_secs = *((u_int32*)(rec+fo.unix_secs));

    if (!cur.packets) {
      fprintf(stderr, "Ignoring bogus flow dPkts=0\n");
      continue;
    }

    fs0.nflows += cur.flows;
    fs0.noctets += cur.octets;
    fs0.npackets += cur.packets;

    time_tmp = unix_secs;

    if (time_tmp < fs0.time_start)
      fs0.time_start = time_tmp;

    if (time_tmp > fs0.time_end)
      fs0.time_end = time_tmp;