np_tcpconn.py

该软件根据网络数据生成NetFlow记录。NetFlow可用于网络规划、负载均衡、安全监控等

###############################################################################
#                                                                             #
#   Copyright 2005 University of Cambridge Computer Laboratory.               #
#                                                                             #
#   This file is part of Nprobe.                                              #
#                                                                             #
#   Nprobe is free software; you can redistribute it and/or modify            #
#   it under the terms of the GNU General Public License as published by      #
#   the Free Software Foundation; either version 2 of the License, or         #
#   (at your option) any later version.                                       #
#                                                                             #
#   Nprobe is distributed in the hope that it will be useful,                 #
#   but WITHOUT ANY WARRANTY; without even the implied warranty of            #
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             #
#   GNU General Public License for more details.                              #
#                                                                             #
#   You should have received a copy of the GNU General Public License         #
#   along with Nprobe; if not, write to the Free Software                     #
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA #
#                                                                             #
###############################################################################


from string import rjust
from nprobe import intoa_string
from nprobe import TCP_CLIENT_SEEN, TCP_SERVER_SEEN
from nprobe import TCP_SERV_SYN, TCP_CLI_SYN, TCP_SERV_HTTP, SERVER, CLIENT, \
     TRANS_VAL, TRANS_DUMMY_UNSYNCH, TRANS_DUMMY_ERR, TRANS_ERR, \
     TRANS_INCOMPLETE, TRANS_FINISHED
from nprobe import TSP_SYN, TSP_DUP_SYN, TSP_FIN, TSP_ACKSYN, TSP_RST, \
     CT_NON_OBJECT
from  np_longutil import ul2l, ull2l, Longstring
from print_col import cprint, whoops, inform, F_GREEN, F_WHITE
from np_TCP import Trans_Tms_t, Trans_Tms_T, TCP_Machine, TCPNoModel, TCPModelPkts, TCPModelNoTrans

##############################################################################
##############################################################################

#
# Help for TCP
#

TH_SYN = 0x2
TH_RST = 0x4
TH_FIN = 0x1
TH_ACK = 0x10
TH_URG = 0x20
TH_PUSH = 0x08
        

#############################################################################
#############################################################################

L_RTMT_THRESH = 1500000
#
# Values for connection delay flags
#

D_DUPCSYN = 0x1
D_DUPFREQ = 0x2
D_CRETRANS = 0x4
D_NOT_CONNECTED = 0x8
D_REQNOTSEEN = 0x10
D_REPNOTSEEN = 0x20
D_SLOSS = 0x40
D_REPBDLY = 0x80
D_REPSDLY = 0x100
D_REPSLRTMT = 0x200
D_SFINDLY = 0x400
D_INTREE = 0x1000

D_BIGDEL = D_DUPCSYN | D_DUPFREQ | D_NOT_CONNECTED | D_REQNOTSEEN | D_REPNOTSEEN | D_REPBDLY

############################################################################
#############################################################################

#
# Represents a TCP connection
#

class TCPConn:

    def __init__(self, tconn, hdrlist, logfun=None, trace=0):
        
        self.trace = trace
        trace = 1 and trace

        if logfun:
            self.logfun = logfun
        else:
            logfun = self.logfun = self.f_null

        self.modelled = 0
	#self.do_state = do_state
	self.Class = 'TCPConn'
	self.id = tconn.get_conn_id()
	self.server = tconn.dhost()
	self.serverport = tconn.dport()
	self.client = tconn.shost()
        self.persist = 0
        self.intree = 0
        
        #self.obrec = FileRec(self.Class)

	open = self.abstart = ull2l(tconn.open())
        #print 'tcp #%d open at %d' % (self.id, open)
	close = self.abclose = ull2l(tconn.close())

        #if open == close:
            #close = self.abclose = hdrlist[-1].abtm
            
        self.dur = close - open
	# following are all relative to open time
	self.relclisyn = ul2l(tconn.clisyn())
	#print 'clisyn %s' % (ulstring(self.clisyn))
	self.relservsyn = ul2l(tconn.servsyn())
	self.relcliacksyn = ul2l(tconn.cliacksyn())
	self.relservacksyn = ul2l(tconn.servacksyn())
	self.relclifin = ul2l(tconn.clifin())
	self.relservfin = ul2l(tconn.servfin())
	self.relclirst = ul2l(tconn.clirst())
	self.relservrst = ul2l(tconn.servrst())

	self.relsfdata = ul2l(tconn.servfirstdata())
	self.relsldata = ul2l(tconn.servlastdata())
	self.relcfdata = ul2l(tconn.clifirstdata())
	self.relcldata = ul2l(tconn.clilastdata())

	self.slowseq = ul2l(tconn.slowseq())
	self.clowseq = ul2l(tconn.clowseq())
	self.slowack = ul2l(tconn.slowack())
	self.clowack = ul2l(tconn.clowack())

	smss = tconn.get_smss()
        if not smss:
            smss = 536
        self.smss = smss
	cmss = tconn.get_cmss()
        if not cmss:
            cmss = 536
        self.cmss = cmss

 	if open == 0 or close == 0:
            str = 'TCPConn #%d Zero open/close time:' % (self.id)
            whoops(str)
	    tconn.printself(0)
            logfun(str)
 	    #raw_input('anything to continue...\n')
	    

	if self.relclisyn < 0 or self.relservsyn < 0 or self.relcliacksyn < 0 \
	   or self.relservacksyn < 0 or self.relclifin < 0 or self.relservfin < 0 \
	   or self.relclirst < 0 or self.relservrst < 0:
            str = 'TCPConn #%d Negative relative time time:' % (self.id)
            whoops(str)
	    tconn.printself(0)
            logfun(str)
 	    #raw_input('anything to continue...\n')
	    
	if open > close:
            str = 'TCPConn #%d Connection opens after closing:' % (self.id)
            whoops(str)
	    tconn.printself(0)
            logfun(str)
 	    #raw_input('anything to continue...\n')

        # Some connection stuff
        



	# HTTP connection specific
	if tconn.flow_inner.serv_type == TCP_SERV_HTTP:
            self.translist = []
	    self.http_status = tconn.http_status()
	    self.http_verstr = tconn.http_vers_str()[:]
	    self.pers = tconn.http_persistent()
	    self.ntrans = tconn.http_ntrans() # all
            self.ncgood = 0 # good requests
            self.nsgood = 0 # do responses
	else:
	    self.http_status = 0
	    self.http_verstr = ''
	    self.pers = 0
	    
	self.flags = tconn.get_flags()
        if self.flags & TCP_CLIENT_SEEN: 
            self.cflags = tconn.get_cflags()
            self.cbytes = tconn.tot_client_octs()
            self.cpkts = tconn.tot_client_pkts()
            self.cdpkts = tconn.tot_client_dpkts()
            self.closs = tconn.c_rtmts()
            if self.closs:
                str = 'TCPConn #%d Client rtmts:' % (self.id)
                logfun(str)
        else:
            self.cflags = 0x00000000
            self.cbytes = 0
            self.cpkts = 0
            self.cdpkts = 0
            self.closs = 0
            
        if self.flags & TCP_SERVER_SEEN:
            self.sflags = tconn.get_sflags()
            self.sbytes = tconn.tot_server_octs()
            self.spkts = tconn.tot_server_pkts()
            self.sdpkts = tconn.tot_server_dpkts()
            self.sloss = tconn.s_rtmts()
            if self.sloss:
                str = 'TCPConn #%d Server rtmts:' % (self.id)
                logfun(str)
                
        else:
            self.sflags = 0x00000000
            self.sbytes = 0
            self.spkts = 0
            self.sdpkts = 0
            self.sloss = 0
            
        if self.cdpkts == 0:
            str1 = 'TCPConn #%d No client data packets:' % (self.id)
            str2 = 'WebClient #%s No client data packets:' % (intoa_string(self.client))
            if trace:
                inform(str1)
            logfun(str1)
            logfun(str2)
            
        if self.sdpkts == 0:
            str1 = 'TCPConn #%d No server data packets:' % (self.id)
            str2 = 'WebClient #%s No server data packets:' % (intoa_string(self.server))
            if trace:
                inform(str1)
            logfun(str1)
            logfun(str2)
            
	self.pktlist = hdrlist
	#self.pktlist = []
	self.objects = []

	self.noloss = tconn.no_rtmts_or_gaps()
        if self.sloss:
            self.soop = tconn.n_s_ooo_pkts()
            self.srtmtp = tconn.n_s_dup_pkts()
        
        #del(tconn)
	# TMP for debugging
	#self.tconn = tconn

##         # XXX TMP XXX
##         str = 'TCPConn #%d TCP Connection:' % (self.id)
##         logfun(str)

  ##   def __del__(self):
##         print 'Freeing TCPConn'

#############################################################################

    def f_null(self, arg):

        pass


#############################################################################

    #
    # Adjust all time offsets to common base 
    #

    def adjust_tm_offsets(self, base):
        
        #
        # **idempotent**
        #
	# self.abstart = absolute open time
	# absolute -> relative to start
	open = self.open = self.abstart - base
	#print 'conn open %s' % (tsLongstring(open))
	self.close = self.abclose - base
	# relative to open -> relative to start
	self.clisyn = open + self.relclisyn
	self.servsyn = open + self.relservsyn
	self.cliacksyn = open + self.relcliacksyn
	self.servacksyn = open + self.relservacksyn
	self.clifin = open + self.relclifin
	self.servfin = open + self.relservfin
	self.clirst = open + self.relclirst
	self.servrst = open + self.relservrst
        self.cldata = open + self.relcldata
        self.sldata = open + self.relsldata
        self.cfdata = open + self.relcfdata
        self.sfdata = open + self.relsfdata
	self.spktlist = [] # tmp
	self.cpktlist = [] # tmp

	slast = clast = None

	for pkt in self.pktlist:
            pkt.tm = pkt.abtm -base

            if pkt.dir == SERVER:
                self.spktlist.append(pkt)
                if slast != None:
                    slast.nxt = pkt
                slast = pkt  
            elif pkt.dir == CLIENT:
                self.cpktlist.append(pkt)
                if clast != None:
                    clast.nxt = pkt
                clast = pkt
            else:
                print 'Goof - unknown way pkt % d' % (pkt.indx)
                #self.printself_with_pkts()
		    #sys.exit(1)

	#print
        if slast:
            slast.nxt = slast
        if clast:
            clast.nxt = clast


#############################################################################

    def make_clusters(self):

        trace = 0 and self.trace
        
## 	i=0
## 	for p in self.pktlist:
## 	    p.indx = i
## 	    i = i+1

	#sdur = int(self.sldata-self.sfdata)
	sdur = self.sldata-self.sfdata
	if sdur == 0:
	    sdur = 1
	cdur = int(self.cldata-self.cfdata)
	if cdur == 0:
	    cdur = 1
	#print 'sdur = %.3f cdur = %.3f' % (sdur/1000.0, cdur/1000.0)
	try:
	    sthresh = (sdur/self.sdpkts)/2
	except ZeroDivisionError:
          ##   str = 'TCPConn #%d S Zero data packets:' % (self.id)
##             if trace:
##                 inform(str)
##             self.logfun(str)