📄 flow-stat.c
if (First < fs0.start) fs0.start = First; if (Last > fs0.end) fs0.end = Last; p = cur.octets / cur.packets; if (p <= 32) ++ fs0.psize32; else if (p <= 64) ++ fs0.psize64; else if (p <= 96) ++ fs0.psize96; else if (p <= 128) ++ fs0.psize128; else if (p <= 160) ++ fs0.psize160; else if (p <= 192) ++ fs0.psize192; else if (p <= 224) ++ fs0.psize224; else if (p <= 256) ++ fs0.psize256; else if (p <= 288) ++ fs0.psize288; else if (p <= 320) ++ fs0.psize320; else if (p <= 352) ++ fs0.psize352; else if (p <= 384) ++ fs0.psize384; else if (p <= 416) ++ fs0.psize416; else if (p <= 448) ++ fs0.psize448; else if (p <= 480) ++ fs0.psize480; else if (p <= 512) ++ fs0.psize512; else if (p <= 544) ++ fs0.psize544; else if (p <= 576) ++ fs0.psize576; else if (p <= 1024) ++ fs0.psize1024; else if (p <= 1536) ++ fs0.psize1536; else if (p <= 2048) ++ fs0.psize2048; else if (p <= 2560) ++ fs0.psize2560; else if (p <= 3072) ++ fs0.psize3072; else if (p <= 3584) ++ fs0.psize3584; else if (p <= 4096) ++ fs0.psize4096; else if (p <= 4608) ++ fs0.psize4608; p = cur.packets; if (p <= 1) ++ fs0.fpsize1; else if (p <= 2) ++ fs0.fpsize2; else if (p <= 4) ++ fs0.fpsize4; else if (p <= 8) ++ fs0.fpsize8; else if (p <= 12) ++ fs0.fpsize12; else if (p <= 16) ++ fs0.fpsize16; else if (p <= 20) ++ fs0.fpsize20; else if (p <= 24) ++ fs0.fpsize24; else if (p <= 28) ++ fs0.fpsize28; else if (p <= 32) ++ fs0.fpsize32; else if (p <= 36) ++ fs0.fpsize36; else if (p <= 40) ++ fs0.fpsize40; else if (p <= 44) ++ fs0.fpsize44; else if (p <= 48) ++ fs0.fpsize48; else if (p <= 52) ++ fs0.fpsize52; else if (p <= 60) ++ fs0.fpsize60; else if (p <= 100) ++ fs0.fpsize100; else if (p <= 200) ++ fs0.fpsize200; else if (p <= 300) ++ fs0.fpsize300; else if (p <= 400) ++ fs0.fpsize400; else if (p <= 500) ++ fs0.fpsize500; else if (p <= 600) ++ fs0.fpsize600; else if (p <= 700) ++ fs0.fpsize700; else if (p <= 800) ++ fs0.fpsize800; else if (p <= 900) ++ fs0.fpsize900; else ++ fs0.fpsize_other; p = cur.octets; if (p <= 
32) ++ fs0.fosize32; else if (p <= 64) ++ fs0.fosize64; else if (p <= 128) ++ fs0.fosize128; else if (p <= 256) ++ fs0.fosize256; else if (p <= 512) ++ fs0.fosize512; else if (p <= 1280) ++ fs0.fosize1280; else if (p <= 2048) ++ fs0.fosize2048; else if (p <= 2816) ++ fs0.fosize2816; else if (p <= 3584) ++ fs0.fosize3584; else if (p <= 4352) ++ fs0.fosize4352; else if (p <= 5120) ++ fs0.fosize5120; else if (p <= 5888) ++ fs0.fosize5888; else if (p <= 6656) ++ fs0.fosize6656; else if (p <= 7424) ++ fs0.fosize7424; else if (p <= 8192) ++ fs0.fosize8192; else if (p <= 8960) ++ fs0.fosize8960; else if (p <= 9728) ++ fs0.fosize9728; else if (p <= 10496) ++ fs0.fosize10496; else if (p <= 11264) ++ fs0.fosize11264; else if (p <= 12032) ++ fs0.fosize12032; else if (p <= 12800) ++ fs0.fosize12800; else if (p <= 13568) ++ fs0.fosize13568; else if (p <= 14336) ++ fs0.fosize14336; else if (p <= 15104) ++ fs0.fosize15104; else if (p <= 15872) ++ fs0.fosize15872; else ++ fs0.fosize_other; p = Last - First; fs0.time += p; if (p <= 10) ++ fs0.ftime10; else if (p <= 50) ++ fs0.ftime50; else if (p <= 100) ++ fs0.ftime100; else if (p <= 200) ++ fs0.ftime200; else if (p <= 500) ++ fs0.ftime500; else if (p <= 1000) ++ fs0.ftime1000; else if (p <= 2000) ++ fs0.ftime2000; else if (p <= 3000) ++ fs0.ftime3000; else if (p <= 4000) ++ fs0.ftime4000; else if (p <= 5000) ++ fs0.ftime5000; else if (p <= 6000) ++ fs0.ftime6000; else if (p <= 7000) ++ fs0.ftime7000; else if (p <= 8000) ++ fs0.ftime8000; else if (p <= 9000) ++ fs0.ftime9000; else if (p <= 10000) ++ fs0.ftime10000; else if (p <= 12000) ++ fs0.ftime12000; else if (p <= 14000) ++ fs0.ftime14000; else if (p <= 16000) ++ fs0.ftime16000; else if (p <= 18000) ++ fs0.ftime18000; else if (p <= 20000) ++ fs0.ftime20000; else if (p <= 22000) ++ fs0.ftime22000; else if (p <= 24000) ++ fs0.ftime24000; else if (p <= 26000) ++ fs0.ftime26000; else if (p <= 28000) ++ fs0.ftime28000; else if (p <= 30000) ++ fs0.ftime30000; else ++ fs0.ftime_other; 
} fs0.aflowtime = fs0.time / fs0.nflows; fs0.aps = fs0.noctets / fs0.npackets; fs0.afs = fs0.noctets / fs0.nflows; fs0.apf = fs0.npackets / fs0.nflows; fs0.fps = (float)fs0.nflows / ((fs0.end - fs0.start) / 1000); fs0.aos = ((float)(fs0.noctets*8) / 1000) / ((fs0.end - fs0.start) / 1000); fs0.time_real = fs0.time_end - fs0.time_start; fs0.fps_real = (float)fs0.nflows / (float)fs0.time_real; fs0.aos_real = ((float)(fs0.noctets*8) / 1000) / (fs0.time_real); strcpy(fmt_buf, "Total Flows : "); fmt_uint64(fmt_buf+34, fs0.nflows, FMT_JUST_LEFT); puts(fmt_buf); strcpy(fmt_buf, "Total Octets : "); fmt_uint64(fmt_buf+34, fs0.noctets, FMT_JUST_LEFT); puts(fmt_buf); strcpy(fmt_buf, "Total Packets : "); fmt_uint64(fmt_buf+34, fs0.npackets, FMT_JUST_LEFT); puts(fmt_buf); strcpy(fmt_buf, "Total Time (1/1000 secs) (flows): "); fmt_uint64(fmt_buf+34, fs0.time, FMT_JUST_LEFT); puts(fmt_buf); strcpy(fmt_buf, "Duration of data (realtime) : "); fmt_uint32(fmt_buf+34, fs0.time_real, FMT_JUST_LEFT); puts(fmt_buf); strcpy(fmt_buf, "Duration of data (1/1000 secs) : "); fmt_uint64(fmt_buf+34, (fs0.end - fs0.start), FMT_JUST_LEFT); puts(fmt_buf); printf("Average flow time (1/1000 secs) : %4.4f\n", fs0.aflowtime); printf("Average packet size (octets) : %4.4f\n", fs0.aps); printf("Average flow size (octets) : %4.4f\n", fs0.afs); printf("Average packets per flow : %4.4f\n", fs0.apf); printf("Average flows / second (flow) : %4.4f\n", fs0.fps); printf("Average flows / second (real) : %4.4f\n", fs0.fps_real); printf("Average Kbits / second (flow) : %4.4f\n", fs0.aos); printf("Average Kbits / second (real) : %4.4f\n", fs0.aos_real); printf("\n\n"); printf("IP packet size distribution:\n"); printf(" 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480\n "); print_3float((float)fs0.psize32 / fs0.nflows); print_3float((float)fs0.psize64 / fs0.nflows); print_3float((float)fs0.psize96 / fs0.nflows); print_3float((float)fs0.psize128 / fs0.nflows); print_3float((float)fs0.psize160 / fs0.nflows); 
print_3float((float)fs0.psize192 / fs0.nflows); print_3float((float)fs0.psize224 / fs0.nflows); print_3float((float)fs0.psize256 / fs0.nflows); print_3float((float)fs0.psize288 / fs0.nflows); print_3float((float)fs0.psize320 / fs0.nflows); print_3float((float)fs0.psize352 / fs0.nflows); print_3float((float)fs0.psize384 / fs0.nflows); print_3float((float)fs0.psize416 / fs0.nflows); print_3float((float)fs0.psize448 / fs0.nflows); print_3float((float)fs0.psize480 / fs0.nflows); printf("\n\n"); printf(" 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608\n "); print_3float((float)fs0.psize512 / fs0.nflows); print_3float((float)fs0.psize544 / fs0.nflows); print_3float((float)fs0.psize576 / fs0.nflows); print_3float((float)fs0.psize1024 / fs0.nflows); print_3float((float)fs0.psize1536 / fs0.nflows); print_3float((float)fs0.psize2048 / fs0.nflows); print_3float((float)fs0.psize2560 / fs0.nflows); print_3float((float)fs0.psize3072 / fs0.nflows); print_3float((float)fs0.psize3584 / fs0.nflows); print_3float((float)fs0.psize4096 / fs0.nflows); print_3float((float)fs0.psize4608 / fs0.nflows); printf("\n\n"); printf("Packets per flow distribution:\n"); printf(" 1 2 4 8 12 16 20 24 28 32 36 40 44 48 52\n "); print_3float((float)fs0.fpsize1 / fs0.nflows); print_3float((float)fs0.fpsize2 / fs0.nflows); print_3float((float)fs0.fpsize4 / fs0.nflows); print_3float((float)fs0.fpsize8 / fs0.nflows); print_3float((float)fs0.fpsize12 / fs0.nflows); print_3float((float)fs0.fpsize16 / fs0.nflows); print_3float((float)fs0.fpsize20 / fs0.nflows); print_3float((float)fs0.fpsize24 / fs0.nflows); print_3float((float)fs0.fpsize28 / fs0.nflows); print_3float((float)fs0.fpsize32 / fs0.nflows); print_3float((float)fs0.fpsize36 / fs0.nflows); print_3float((float)fs0.fpsize40 / fs0.nflows); print_3float((float)fs0.fpsize44 / fs0.nflows); print_3float((float)fs0.fpsize48 / fs0.nflows); print_3float((float)fs0.fpsize52 / fs0.nflows); printf("\n\n 60 100 200 300 400 500 600 700 800 900 >900\n "); 
print_3float((float)fs0.fpsize60 / fs0.nflows); print_3float((float)fs0.fpsize100 / fs0.nflows); print_3float((float)fs0.fpsize200 / fs0.nflows); print_3float((float)fs0.fpsize300 / fs0.nflows); print_3float((float)fs0.fpsize400 / fs0.nflows); print_3float((float)fs0.fpsize500 / fs0.nflows); print_3float((float)fs0.fpsize600 / fs0.nflows); print_3float((float)fs0.fpsize700 / fs0.nflows); print_3float((float)fs0.fpsize800 / fs0.nflows); print_3float((float)fs0.fpsize900 / fs0.nflows); print_3float((float)fs0.fpsize_other / fs0.nflows); printf("\n\n"); printf("Octets per flow distribution:\n"); printf(" 32 64 128 256 512 1280 2048 2816 3584 4352 5120 5888 6656 7424 8192\n "); print_3float((float)fs0.fosize32 / fs0.nflows); print_3float((float)fs0.fosize64 / fs0.nflows); print_3float((float)fs0.fosize128 / fs0.nflows); print_3float((float)fs0.fosize256 / fs0.nflows); print_3float((float)fs0.fosize512 / fs0.nflows); print_3float((float)fs0.fosize1280 / fs0.nflows); print_3float((float)fs0.fosize2048 / fs0.nflows); print_3float((float)fs0.fosize2816 / fs0.nflows); print_3float((float)fs0.fosize3584 / fs0.nflows); print_3float((float)fs0.fosize4352 / fs0.nflows); print_3float((float)fs0.fosize5120 / fs0.nflows); print_3float((float)fs0.fosize5888 / fs0.nflows); print_3float((float)fs0.fosize6656 / fs0.nflows); print_3float((float)fs0.fosize7424 / fs0.nflows); print_3float((float)fs0.fosize8192 / fs0.nflows); printf("\n\n 8960 9728 10496 11264 12032 12800 13568 14336 15104 15872 >15872\n "); print_3float((float)fs0.fosize8960 / fs0.nflows); print_3float2((float)fs0.fosize9728 / fs0.nflows); print_3float2((float)fs0.fosize10496 / fs0.nflows); print_3float2((float)fs0.fosize11264 / fs0.nflows); print_3float2((float)fs0.fosize12032 / fs0.nflows); print_3float2((float)fs0.fosize12800 / fs0.nflows); print_3float2((float)fs0.fosize13568 / fs0.nflows); print_3float2((float)fs0.fosize14336 / fs0.nflows); print_3float2((float)fs0.fosize15104 / fs0.nflows); 
print_3float2((float)fs0.fosize15872 / fs0.nflows); print_3float2((float)fs0.fosize_other / fs0.nflows); printf("\n\n"); printf("Flow time distribution:\n"); printf(" 10 50 100 200 500 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000\n "); print_3float((float)fs0.ftime10 / fs0.nflows); print_3float((float)fs0.ftime50 / fs0.nflows); print_3float((float)fs0.ftime100 / fs0.nflows); print_3float((float)fs0.ftime200 / fs0.nflows); print_3float((float)fs0.ftime500 / fs0.nflows); print_3float((float)fs0.ftime1000 / fs0.nflows); print_3float((float)fs0.ftime2000 / fs0.nflows); print_3float((float)fs0.ftime3000 / fs0.nflows); print_3float((float)fs0.ftime4000 / fs0.nflows); print_3float((float)fs0.ftime5000 / fs0.nflows); print_3float((float)fs0.ftime6000 / fs0.nflows); print_3float((float)fs0.ftime7000 / fs0.nflows); print_3float((float)fs0.ftime8000 / fs0.nflows); print_3float2((float)fs0.ftime9000 / fs0.nflows); print_3float2((float)fs0.ftime10000 / fs0.nflows); printf("\n\n 12000 14000 16000 18000 20000 22000 24000 26000 28000 30000 >30000\n "); print_3float2((float)fs0.ftime12000 / fs0.nflows); print_3float2((float)fs0.ftime14000 / fs0.nflows); print_3float2((float)fs0.ftime16000 / fs0.nflows); print_3float2((float)fs0.ftime18000 / fs0.nflows); print_3float2((float)fs0.ftime20000 / fs0.nflows); print_3float2((float)fs0.ftime22000 / fs0.nflows); print_3float2((float)fs0.ftime24000 / fs0.nflows); print_3float2((float)fs0.ftime26000 / fs0.nflows); print_3float2((float)fs0.ftime28000 / fs0.nflows); print_3float2((float)fs0.ftime30000 / fs0.nflows); print_3float2((float)fs0.ftime_other / fs0.nflows); printf("\n\n"); return 0;} /* format0 *//* * function: format1 * * Average packet size distribution histogram * * returns 0 for success. 
*/
int format1(struct fmtargs *args)
{
  /*
   * Local names are kept as they are: CUR_GET_PLUS_FLOWS, TOTAL_INC and
   * STAT_INCP are macros defined outside this function and may refer to
   * these variables by name.
   */
  struct fts3rec_offsets fo;
  struct ftchash *ftch;
  struct ftchash_rec_c32 ftch_recc32, *ftch_recc32p;
  struct fopd32 cur;
  struct ftver ftv;
  struct fopd total;
  u_int32 hash;
  char *rec;

  ftio_get_ver(&args->ftio, &ftv);

  /* refuse streams lacking the packet, octet, first or last fields */
  if (ftio_check_xfield(&args->ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
    FT_XFIELD_FIRST | FT_XFIELD_LAST)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  fts3rec_compute_offsets(&fo, &ftv);

  /* start from a zeroed lookup key and zeroed running totals */
  bzero(&ftch_recc32, sizeof ftch_recc32);
  bzero(&total, sizeof total);

  ftch = ftchash_new(65536, sizeof (struct ftchash_rec_c32), 4, 65536);
  if (!ftch) {
    fterr_warnx("ftchash_new(): failed");
    return -1;
  }

  cur.flows = 1;

  for (;;) {

    rec = ftio_read(&args->ftio);
    if (!rec)
      break;

    CUR_GET_PLUS_FLOWS;

    /*
     * NOTE(review): TOTAL_INC runs before the dPkts check, so a record
     * skipped below has already passed through it -- confirm against the
     * macro whether the totals are meant to include such records.
     */
    TOTAL_INC;

    /*
     * The record contents come from the flow stream; a zero packet count
     * would make the division below divide by zero, so skip the record.
     */
    if (!cur.packets) {
      fprintf(stderr, "Ignoring bogus flow dPkts=0\n");
      continue;
    }

    /* key: octets per packet for this flow (integer division) */
    ftch_recc32.c32 = cur.octets / cur.packets;

    /* fold the 32 bit key to 16 bits: low half XOR high half */
    hash = (ftch_recc32.c32 & 0xFFFF) ^ (ftch_recc32.c32>>16);

    ftch_recc32p = ftchash_update(ftch, &ftch_recc32, hash);
    if (!ftch_recc32p) {
      fterr_warnx("ftch_update(): failed");
      ftchash_free(ftch);
      return -1;
    }

    STAT_INCP(ftch_recc32p);

  }

  chash_c32_dump(ftch, args->cc, args->sort_order, args->options, &total,
    "Pkt Size", (char*)0L);

  ftchash_free(ftch);

  return 0;

} /* format1 */

/*
 * function: format2
 *
 * Packets per flow distribution histogram
 *
 * returns 0 for success.
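*/
int format2(struct fmtargs *args)
{
  /*
   * Local names are kept as they are: CUR_GET_PLUS_FLOWS, TOTAL_INC and
   * STAT_INCP are macros defined outside this function and may refer to
   * these variables by name.
   */
  struct fts3rec_offsets fo;
  struct ftchash *ftch;
  struct ftchash_rec_c32 ftch_recc32, *ftch_recc32p;
  struct fopd32 cur;
  struct ftver ftv;
  struct fopd total;
  u_int32 hash;
  char *rec;

  ftio_get_ver(&args->ftio, &ftv);

  /* refuse streams lacking the packet, octet, first or last fields */
  if (ftio_check_xfield(&args->ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
    FT_XFIELD_FIRST | FT_XFIELD_LAST)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  fts3rec_compute_offsets(&fo, &ftv);

  bzero(&ftch_recc32, sizeof ftch_recc32);
  bzero(&total, sizeof total);

  /*
   * Size the table for the record type that is actually stored below
   * (struct ftchash_rec_c32), as format1 and format3 do.  This call used
   * sizeof (struct ftchash_rec_ip); if that struct were ever smaller than
   * the c32 record the table entries would be undersized for the data
   * written into them.
   */
  if (!(ftch = ftchash_new(65536, sizeof (struct ftchash_rec_c32), 4,
    65536))) {
    fterr_warnx("ftchash_new(): failed");
    return -1;
  }

  cur.flows = 1;

  while ((rec = ftio_read(&args->ftio))) {

    CUR_GET_PLUS_FLOWS;

    TOTAL_INC;

    /* key: packet count of this flow */
    ftch_recc32.c32 = cur.packets;

    /* fold the 32 bit key to 16 bits: high half XOR low half */
    hash = (ftch_recc32.c32>>16) ^ (ftch_recc32.c32 & 0xFFFF);

    if (!(ftch_recc32p = ftchash_update(ftch, &ftch_recc32, hash))) {
      fterr_warnx("ftch_update(): failed");
      ftchash_free(ftch);
      return -1;
    }

    STAT_INCP(ftch_recc32p);

  }

  chash_c32_dump(ftch, args->cc, args->sort_order, args->options, &total,
    "Packets ", (char*)0L);

  ftchash_free(ftch);

  return 0;

} /* format2 */

/*
 * function: format3
 *
 * Octets per flow distribution histogram
 *
 * returns 0 for success.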
*/
int format3(struct fmtargs *args)
{
  /*
   * Local names are kept as they are: CUR_GET_PLUS_FLOWS, TOTAL_INC and
   * STAT_INCP are macros defined outside this function and may refer to
   * these variables by name.
   */
  struct fts3rec_offsets fo;
  struct fopd32 cur;
  struct ftchash *ftch;
  struct ftchash_rec_c32 ftch_recc32, *ftch_recc32p;
  struct ftver ftv;
  struct fopd total;
  char *rec;
  u_int32 hash;

  ftio_get_ver(&args->ftio, &ftv);

  /* refuse streams lacking the packet, octet, first or last fields */
  if (ftio_check_xfield(&args->ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS |
    FT_XFIELD_FIRST | FT_XFIELD_LAST)) {
    fterr_warnx("Flow record missing required field for format.");
    return -1;
  }

  fts3rec_compute_offsets(&fo, &ftv);

  /* start from a zeroed lookup key and zeroed running totals */
  bzero(&ftch_recc32, sizeof ftch_recc32);
  bzero(&total, sizeof total);

  ftch = ftchash_new(65536, sizeof (struct ftchash_rec_c32), 4, 65536);
  if (!ftch) {
    fterr_warnx("ftchash_new(): failed");
    return -1;
  }

  cur.flows = 1;

  for (;;) {

    rec = ftio_read(&args->ftio);
    if (!rec)
      break;

    CUR_GET_PLUS_FLOWS;

    TOTAL_INC;

    /* key: octet count of this flow */
    ftch_recc32.c32 = cur.octets;

    /* fold the 32 bit key to 16 bits: low half XOR high half */
    hash = (ftch_recc32.c32 & 0xFFFF) ^ (ftch_recc32.c32>>16);

    ftch_recc32p = ftchash_update(ftch, &ftch_recc32, hash);
    if (!ftch_recc32p) {
      fterr_warnx("ftch_update(): failed");
      ftchash_free(ftch);
      return -1;
    }

    STAT_INCP(ftch_recc32p);

  }

  chash_c32_dump(ftch, args->cc, args->sort_order, args->options, &total,
    "Octets ", (char*)0L);

  ftchash_free(ftch);

  return 0;

} /* format3 */

/*
 * function: format4
 *
 * Placeholder: reports that the format is not implemented.
 *
 * returns 0; args is not used.
 */
int format4(struct fmtargs *args)
{
  fputs("Not implemented.\n", stdout);

  return 0;
}

/*
 * function: format5
 *
 * UDP/TCP destination port flows,octets,packets,duration histogram
 *
 * returns 0 for success.
*/int format5(struct fmtargs *args){ struct fts3rec_offsets fo; struct fopd32 cur; struct ftver ftv; struct fopdi stat; struct fopd total; char *rec; u_int8 prot; u_int16 dstport; ftio_get_ver(&args->ftio, &ftv); if (ftio_check_xfield(&args->ftio, FT_XFIELD_DPKTS | FT_XFIELD_DOCTETS | FT_XFIELD_FIRST | FT_XFIELD_LAST | FT_XFIELD_PROT | FT_XFIELD_DSTPORT)) { fterr_warnx("Flow record missing required field for format."); return -1; } fts3rec_compute_offsets(&fo, &ftv); if (fopdi_alloc(&stat, 65536) < 0) return -1; bzero(&total, sizeof total); cur.flows = 1; while ((rec = ftio_read(&args->ftio))) { prot = *((u_int8*)(rec+fo.prot));