📄 flow-filter.c
if (acl_ext_name) xflag |= (FT_XFIELD_SRCADDR | FT_XFIELD_DSTADDR); if (ftio_check_xfield(&ftio_in, xflag)) { fterr_warnx("Flow record missing required field for format."); exit (1); } fts3rec_compute_offsets(&fo, &ftv); /* output to stdout */ if (ftio_init(&ftio_out, 1, FT_IO_FLAG_WRITE | ((ftset.z_level) ? FT_IO_FLAG_ZINIT : 0) ) < 0) fterr_errx(1, "ftio_init(): failed"); /* preserve start/end time from input stream? */ if (keep_input_time) { time_start = ftio_get_cap_start(&ftio_in); time_end = ftio_get_cap_end(&ftio_in); if (time_start && time_end) { ftio_set_preloaded(&ftio_out, 1); ftio_set_cap_time(&ftio_out, time_start, time_end); } } /* keep_input_time */ ftio_set_comment(&ftio_out, ftset.comments); ftio_set_byte_order(&ftio_out, ftset.byte_order); ftio_set_z_level(&ftio_out, ftset.z_level); ftio_set_streaming(&ftio_out, 1); ftio_set_debug(&ftio_out, debug); if (ftio_set_ver(&ftio_out, &ftv) < 0) fterr_errx(1, "ftio_set_ver(): failed"); /* * load acl's * XXX add fname check and close */ if ((yyin = fopen(acl_fname ? 
acl_fname : "flow.acl", "r"))) while (!feof(yyin)) yyparse(); /* * normalize masks */ /* XXX TODO */ if (debug > 5) acl_dump(acl_list); if (acl_std_src_name) { if ((acl_std_src_index = acl_find(acl_list, acl_std_src_name)) == -1) fterr_errx(1, "Couldn't find list %s\n", acl_std_src_name); acl_std_src_index2 = acl_list.names[acl_std_src_index].num; } if (acl_std_dst_name) { if ((acl_std_dst_index = acl_find(acl_list, acl_std_dst_name)) == -1) fterr_errx(1, "Couldn't find list %s\n", acl_std_dst_name); acl_std_dst_index2 = acl_list.names[acl_std_dst_index].num; } if (acl_ext_name) { if ((acl_ext_index = acl_find(acl_list, acl_ext_name)) == -1) fterr_errx(1, "Couldn't find list %s\n", acl_ext_name); acl_ext_index2 = acl_list.names[acl_ext_index].num; } if (acl_std_nexthop_name) { if ((acl_std_nexthop_index = acl_find(acl_list, acl_std_nexthop_name)) == -1) fterr_errx(1, "Couldn't find list %s\n", acl_std_nexthop_name); acl_std_nexthop_index2 = acl_list.names[acl_std_nexthop_index].num; } /* header first */ if (ftio_write_header(&ftio_out) < 0) fterr_errx(1, "ftio_write_header(): failed"); /* profile */ ftprof_start (&ftp); /* grab 1 flow */ while ((rec = ftio_read(&ftio_in))) { cur.srcaddr = ((u_int32*)(rec+fo.srcaddr)); cur.dstaddr = ((u_int32*)(rec+fo.dstaddr)); cur.nexthop = ((u_int32*)(rec+fo.nexthop)); cur.input = ((u_int16*)(rec+fo.input)); cur.output = ((u_int16*)(rec+fo.output)); cur.srcport = ((u_int16*)(rec+fo.srcport)); cur.dstport = ((u_int16*)(rec+fo.dstport)); cur.src_as = ((u_int16*)(rec+fo.src_as)); cur.dst_as = ((u_int16*)(rec+fo.dst_as)); cur.prot = ((u_int8*)(rec+fo.prot)); cur.tcp_flags = ((u_int8*)(rec+fo.tcp_flags)); cur.tos = ((u_int8*)(rec+fo.tos)); ++ total_flows; /* filter on input interface */ if (filter_input) { if (!in_tbl[*cur.input]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on output interface */ if (filter_output) { if (!out_tbl[*cur.output]) { if (!first_match) continue; } else if (first_match) 
{ goto found; } } /* filter on src port */ if (filter_srcport) { if (!src_tbl[*cur.srcport]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on dst port */ if (filter_dstport) { if (!dst_tbl[*cur.dstport]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on protocol */ if (filter_prot) { if (!prot_tbl[*cur.prot]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on ToS */ if (filter_tos) { tos = *cur.tos & tos_mask; if (!tos_tbl[tos]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on tcp_flags */ if (filter_tcp_flags && (*cur.prot == IPPROTO_TCP)) { tcp_flags = *cur.tcp_flags & tcp_flags_mask; if (!tcp_flags_tbl[tcp_flags]) { if (!first_match) continue; } else if (first_match) { goto found; } } if (filter_srcas) { if (!srcas_tbl[*cur.src_as]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* filter on src AS */ if (filter_dstas) { if (!dstas_tbl[*cur.dst_as]) { if (!first_match) continue; } else if (first_match) { goto found; } } /* eval flow nexthop addr and nexthop standard acl */ if (acl_std_nexthop_index != -1) { ret = acl_eval_std(acl_list, acl_std_nexthop_index2, *cur.nexthop); if (ret == 1) { if (!first_match) continue; } else if (first_match) { goto found; } } /* eval flow src addr and source standard acl */ if (acl_std_src_index != -1) { ret = acl_eval_std(acl_list, acl_std_src_index2, *cur.srcaddr); if (ret == 1) { if (!first_match) continue; } else if (first_match) { goto found; } } /* eval flow dst addr and destination standard acl */ if (acl_std_dst_index != -1) { ret = acl_eval_std(acl_list, acl_std_dst_index2, *cur.dstaddr); if (ret == 1) { if (!first_match) continue; } else if (first_match) { goto found; } } /* eval flow and extended acl */ if (acl_ext_index != -1) { tmp_ext.protocol = *cur.prot; tmp_ext.tos = *cur.tos; /* XXX */ tmp_ext.type = 0; tmp_ext.type_code = 0; tmp_ext.message = 0; 
/* Tail of main(): completes the extended-ACL test opened just above, writes
 * the records that pass, then closes both flow streams. */
      tmp_ext.src_addr = *cur.srcaddr;
      tmp_ext.src_port = *cur.srcport;
      tmp_ext.dst_addr = *cur.dstaddr;
      tmp_ext.dst_port = *cur.dstport;

      ret = acl_eval_ext(acl_list, acl_ext_index2, tmp_ext);

      /*
       * A result of 1 is handled as "record did not pass this ACL": without
       * first_match the record is dropped, with first_match the remaining
       * checks still get a chance.  Any other result counts as a pass.
       * NOTE(review): acl_eval_ext()'s return convention is not visible
       * here -- confirm that error returns cannot be mistaken for a pass.
       */
      if (ret == 1) {
        if (!first_match)
          continue;
      } else if (first_match) {
        goto found;
      }

    }

    /*
     * In first_match mode a passing filter jumps straight to found:, so
     * reaching this point means no filter accepted the record.
     */
    if (first_match) /* No matches yet? next try.. */
      continue;

    /*
     * made it by the filters, write it
     */
found:
    /* a failed write is reported through fterr_errx() with status 1 */
    if (ftio_write(&ftio_out, rec) < 0)
      fterr_errx(1, "ftio_write(): failed");

  } /* while more flows to read */

  /* close the input stream first, then the output stream */
  if (ftio_close(&ftio_in) < 0)
    fterr_errx(1, "ftio_close(): failed");

  if (ftio_close(&ftio_out) < 0)
    fterr_errx(1, "ftio_close(): failed");

  /* debug > 0: print profiling for total_flows records to stderr */
  if (debug > 0) {
    ftprof_end (&ftp, total_flows);
    ftprof_print(&ftp, argv[0], stderr);
  }

  /*
   * debug > 1: dump the three standard ACLs.
   * NOTE(review): these calls pass the acl_std_*_index values, while the
   * acl_eval_std() calls earlier in main() use the *_index2 values, and the
   * calls are not guarded by the "!= -1" test applied before evaluation.
   * Confirm that acl_dump_std() expects this index and rejects -1 or any
   * other out-of-range value.
   */
  if (debug > 1) {
    acl_dump_std(acl_list, acl_std_src_index);
    acl_dump_std(acl_list, acl_std_dst_index);
    acl_dump_std(acl_list, acl_std_nexthop_index);
  }

  return 0;

} /* main */

/*
 * yyerror: error hook for the ACL parser (yyparse() is run on the ACL file
 * earlier in main()).  Reports msg together with the current token text,
 * yytext, through fterr_warnx().
 *
 * The format string is a literal and both msg and yytext are passed as
 * arguments, so text taken from the ACL file is not used as a format string
 * (presumably fterr_warnx() is printf-like -- confirm).
 */
void yyerror(const char *msg)
{
  fterr_warnx("%s at '%s'\n", msg, yytext);
}

/*
 * usage: print the command-line synopsis to stderr, followed by a line with
 * the package name, version and build identification.  PACKAGE, VERSION and
 * FT_PROG_BUILD are each printed with %s, so they are expected to be strings
 * defined elsewhere.
 */
void usage(void)
{

  fprintf(stderr, "Usage: flow-filter [-hko] [-a src_as_filter] [-A dst_as_filter] [-b big|little]\n");
  fprintf(stderr, " [-C comment] [-D dstaddr_filter_name] [-d debug_level] [-f acl_fname]\n");
  fprintf(stderr, " [-i input_filter] [-I output_filter] [-p srcport_filter]\n");
  fprintf(stderr, " [-P dstport_filter] [-r ipprot_filter] [-S srcaddr_filter_name]\n");
  fprintf(stderr, " [-t tos_filter] [-T tcp_flags_filter] [-x nexthop_filter_name]\n");
  fprintf(stderr, " [-z z_level]\n");
  fprintf(stderr, "\n%s version %s: built by %s\n", PACKAGE, VERSION, FT_PROG_BUILD);

} /* usage */