counters.c

该软件根据网络数据生成NetFlow记录。NetFlow可用于网络规划、负载均衡、安全监控等

/******************************************************************************
*                                                                             *
*   Copyright 2005 University of Cambridge Computer Laboratory.               *
*                                                                             *
*   This file is part of Nprobe.                                              *
*                                                                             *
*   Nprobe is free software; you can redistribute it and/or modify            *
*   it under the terms of the GNU General Public License as published by      *
*   the Free Software Foundation; either version 2 of the License, or         *
*   (at your option) any later version.                                       *
*                                                                             *
*   Nprobe is distributed in the hope that it will be useful,                 *
*   but WITHOUT ANY WARRANTY; without even the implied warranty of            *
*   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             *
*   GNU General Public License for more details.                              *
*                                                                             *
*   You should have received a copy of the GNU General Public License         *
*   along with Nprobe; if not, write to the Free Software                     *
*   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA *
*                                                                             *
******************************************************************************/


#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <sys/param.h>
#include <string.h>
#include <linux/limits.h>
#include <sys/types.h>
#include <sys/time.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#ifdef __alpha__
#include <sys/mbuf.h>
#endif
#include <net/route.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#undef __STDC__
#include <netinet/ip.h>

#ifdef __alpha__
#include <netinet/ip_var.h>
#endif

#include <netinet/tcp.h>
#include <netinet/if_ether.h>

#include <assert.h>

#include "config.h"
#include "basic_defs.h"
#include "list.h"
#include "pkt.h"
#include "interface.h"
#include "flows.h"
#include "service.h"
#include "http.h"
#include "tcp.h"
#include "udp.h"
#include "udp_ns.h"
//#include "timeouts.h"
#include "if_nprobe.h"
#include "seq.h"
//#include "pool.h"
#include "output.h"
#include "arr_his.h"
//#include "probe_config.h"
#define _COUNTERS_C_
#include "timeouts.h"

#ifdef TCPDUMP_FED
extern char* o_infnm;
#endif

#include "probe_config.h"

/* print_util.c */
char *time_string(tmval *tvp);
char *ts_string(tmval *tvp);
char *get_hname(char *ap);

#ifndef MAX
#define MAX(x, y)  ((x) > (y) ? (x) : (y))
#endif

void
tvsub(tmval *tdiff, tmval *t1, tmval *t0)
{
    tdiff->tv_sec = t1->tv_sec - t0->tv_sec;
    tdiff->tv_usec = t1->tv_usec - t0->tv_usec;
    if (tdiff->tv_usec < 0)
	tdiff->tv_sec--, tdiff->tv_usec += 1000000;
}

#ifndef SWIG_ONLY
//long long
ll_t
utvsub(tmval *t1, tmval *t0)
{
  tmval tdiff;
  tdiff.tv_sec = t1->tv_sec - t0->tv_sec;
  tdiff.tv_usec = t1->tv_usec - t0->tv_usec;
  if (tdiff.tv_usec < 0)
    tdiff.tv_sec--, tdiff.tv_usec += 1000000;

  return ((long long)tdiff.tv_sec*1000000) + tdiff.tv_usec;
}
#endif

unsigned int 
mtvsub(tmval *t1, tmval *t0)
{
  tmval tdiff;
  tdiff.tv_sec = t1->tv_sec - t0->tv_sec;
  tdiff.tv_usec = t1->tv_usec - t0->tv_usec;
  if (tdiff.tv_usec < 0)
    tdiff.tv_sec--, tdiff.tv_usec += 1000000;

  return ((unsigned long)tdiff.tv_sec*1000) + tdiff.tv_usec/1000;
}

/*
 * Kludgy way of establishing #CPUs
 */

#define BUFLEN 2048
void 
ncpus_and_freq(counters_t *counters)
{
  int fd, cpus = 0;
  char *cp;
  char buf[BUFLEN];

  if ((fd = open("/proc/cpuinfo", O_RDONLY)) == -1)
    error("ncpus()", "open()");

  if (read(fd, buf, (BUFLEN -1)) <= 0)
    error("ncpus_and_freq()", "read()");

  cp = buf;
  while ((cp = strstr(cp, "processor")) != NULL)
    {
      cp += 1;
      cpus++;
    }

  counters->fh.ncpus = cpus;

  if ((counters->fh.hz = sysconf(_SC_CLK_TCK)) == -1)
    error("ncpus_and_freq()", "sysconf()");

  if ((counters->fh.pgsz = sysconf(_SC_PAGESIZE)) == -1)
    error("ncpus_and_freq()", "sysconf()");

  close(fd);
  
  return;
}


#if defined FINAL_REPORT || defined REPORT || defined WREAD

char 
*get_prefix(int i)
{
  char *prefix;

  if (i < 51)
    prefix = "client";
  else if (i < 101)
    prefix = "server";
  else if (i < 151)
    prefix = "";
  else if (i < 176)
    prefix = "client";
  else if (i < 201)
    prefix = "server";
  else prefix = "";

  return prefix;
}
  

void 
report_counters(counters_t *counters, FILE *file, char *leader)
{
  int i;
  double wire_pkts = counters->wire.pkts;
  double wire_octs = counters->wire.octs;
  double ip_pkts = counters->TRAFF_IP.pkts;
  double ip_octs = counters->TRAFF_IP.octs;
  double tcp_pkts = counters->TRAFF_TCP.pkts;
  double tcp_octs = counters->TRAFF_TCP.octs;
  double udp_pkts = counters->TRAFF_UDP.pkts;
  double udp_octs = counters->TRAFF_UDP.octs;

  int tot_http_errs = 0;
  
  double pkts, octs;

  struct timeval period_tv;
  unsigned int period = mtvsub(&counters->stop, &counters->start);

  double tot_drop_pkts = counters->MACHdr.pkts
    + counters->wrong_encaps.pkts
      + counters->wrong_llc_type.pkts
	+counters->notIP.pkts 
	  + counters->IPHdr.pkts
	    +counters->IPversion.pkts 
	      + counters->IPFrag.pkts
		+ counters->IPLen.pkts
		  + counters->IPHdr_opts.pkts
		    + counters->IPSum.pkts
		      +counters->UDPHdr.pkts
			+counters->UDPSum.pkts 
			  + counters->not_TCPUDP.pkts
			    + counters->TCPHdr.pkts
			      + counters->TCPSum.pkts
				+ counters->port_filtered_out.pkts
				  +counters->Nprobe_errpkts.pkts  
				    + counters->TCPHdr_opts.pkts
				      +counters->startup_nosyn.pkts
					+ counters->SYN_too_late.pkts 
					  + counters->serv_orig.pkts
					    +counters->ffilter.pkts;
  
  double tot_drop_octs = counters->MACHdr.octs
    + counters->wrong_encaps.octs
      + counters->wrong_llc_type.octs
	+counters->notIP.octs 
	  + counters->IPHdr.octs
	    +counters->IPversion.octs 
	      + counters->IPFrag.octs
		+ counters->IPLen.octs
		  + counters->IPHdr_opts.octs
		    + counters->IPHdr_opts.pkts
		      + counters->IPSum.octs
			+counters->UDPHdr.octs
			  +counters->UDPSum.octs 
			    + counters->not_TCPUDP.octs
			      + counters->TCPHdr.octs
				+ counters->TCPSum.octs
				  + counters->port_filtered_out.octs
				    +counters->Nprobe_errpkts.octs	      
				      + counters->TCPHdr_opts.octs
					+counters->startup_nosyn.octs 
					  + counters->SYN_too_late.octs 
					    + counters->serv_orig.octs
					      +counters->ffilter.octs;
  
  tvsub(&period_tv, &counters->stop, &counters->start);
  
  
  /* Header info */
  printf("Wan v %c.%u\n", counters->fh.vers_pre, counters->fh.vers_n);
  if (counters->fh.how_collected == TCPDUMP_COLL)
    REP_L(file, "Results from dump file %s:\n", counters->fh.data);
  else
    REP_L(file, "Results from online run:\n");

  if (counters->fh.quick_close)
    REP_L(file, "Using TCP quick close\n");
  if (counters->fh.accept_nosyn)
    REP_L(file, "Accepting non-SYNed TCP flows\n");

  REP_L(file, "%lu records\n", counters->nrecords);

  /* Time info */
  REP_L(file, "Start: %s ", time_string(&counters->start));
  REP_L(file, "End: %s\n", time_string(&counters->stop));
  REP_L(file, "Period %s (%lu ms)\n", ts_string(&period_tv), period);

  REP_L(file, "Timeout periods us: TCP %u  TCP seq %u  UDP %u\n", 
	counters->fh.tcp_timeout, counters->fh.tcp_seq_timeout, 
	counters->fh.udp_timeout);

  if (counters->buf_alloc_fails)
    REP_L(file, "XXX %u sk_buff alloc fails XXX\n", counters->buf_alloc_fails);
  else
    REP_L(file, "%u sk_buff alloc fails\n", counters->buf_alloc_fails);

  if (counters->nic_fails)
    REP_L(file, "XXX %u NIC fails XXX\n", counters->nic_fails);
  else
    REP_L(file, "%u NIC fails\n", counters->nic_fails);
  
  /* Traffic type info */
  REP_L(file, "Total wire: %.0f pkts %.0f octets\n", wire_pkts, wire_octs);
  SHOW_CTR(file, TCPDump_trunc, "truncated by tcpdump", wire, "wire");
  REP_L(file, "Total IP: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of wire\n", 
      ip_pkts, ip_octs, PCENT(ip_pkts, wire_pkts), PCENT(ip_octs, wire_octs));
  
  REP_L(file, "\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of IP\n", "TCP",
      tcp_pkts, tcp_octs, PCENT(tcp_pkts, ip_pkts), PCENT(tcp_octs, ip_octs));

  SHOW_TTYPE(file, TRAFF_TCP_HTTP, HTTP, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_FTP, FTP, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_FTP_DATA, FTP data, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_TELNET, TELNET, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_SMTP, SMTP, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_POP3, POP3, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_NNTP, NNTP, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_NETBIOS_SSN, NETBIOS_SSN, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_RTSP, RTSP, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_PNM, PNM, tcp_pkts, tcp_octs, TCP);
  SHOW_TTYPE(file, TRAFF_TCP_BGP, BGP, tcp_pkts, tcp_octs, TCP);

  if ((pkts = counters->startup_nosyn.pkts))
    {
      octs = counters->startup_nosyn.octs;
      REP_L(file, "\t\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of TCP\n", "Startup no syn",
	    pkts, octs, PCENT(pkts, tcp_pkts), PCENT(octs, tcp_octs));
    }
  
  SHOW_TTYPE(file, TRAFF_TCP_OTHER, Other, tcp_pkts, tcp_octs, TCP);

  REP_L(file, "\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of IP\n", "UDP",
      udp_pkts, udp_octs, PCENT(udp_pkts, ip_pkts), PCENT(udp_octs, ip_octs));
  pkts = counters->TRAFF_UDP_NFS.pkts;
  octs = counters->TRAFF_UDP_NFS.octs;
  REP_L(file, "\t\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of UDP\n", "NFS",
      pkts, octs, PCENT(pkts, udp_pkts), PCENT(octs, udp_octs));


  SHOW_TTYPE(file, TRAFF_UDP_DNS, DNS, udp_pkts, udp_octs, UDP);
  SHOW_TTYPE(file, TRAFF_UDP_ICQ, ICQ, udp_pkts, udp_octs, UDP);
  SHOW_TTYPE(file, TRAFF_UDP_OTHER, Other, udp_pkts, udp_octs, UDP);


  pkts = counters->TRAFF_ICMP.pkts;
  octs = counters->TRAFF_ICMP.octs;
  REP_L(file, "\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of IP\n", "ICMP",
      pkts, octs, PCENT(pkts, ip_pkts), PCENT(octs, ip_octs));


  pkts = counters->TRAFF_ICMP_UNREACH.pkts;
  octs = counters->TRAFF_ICMP_UNREACH.octs;
  REP_L(file, "\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of ICMP\n", "ICMP Unreachable",
      pkts, octs, PCENT(pkts, counters->TRAFF_ICMP.pkts), 
	PCENT(octs, counters->TRAFF_ICMP.octs));

  pkts = counters->TRAFF_IP_OTHER.pkts;
  octs = counters->TRAFF_IP_OTHER.octs;
  REP_L(file, "\t%-10s: %10.0f pkts %10.0f octets  %4.2f%%/%4.2f%% of IP\n", "Other IP",
      pkts, octs, PCENT(pkts, ip_pkts), PCENT(octs, ip_octs));

  REP_L(file, "\n");

  /* Analysis - connections, flows, etc. */
  REP_L(file, "\t%10llu host/host flows (max concurrent %u)\n", 
      counters->host_flows, counters->max_ctrs.hostconns.max);
  REP_L(file, "\t%10llu tcp connections (max concurrent %u) (one-way %llu)\n", 
      counters->tcpconns, counters->max_ctrs.tconns.max, 
	counters->tcp_one_way_only);
  REP_L(file, "\t%llu server only %llu client only)\n", 
      counters->tcp_serv_only, counters->tcp_cli_only);
  REP_L(file, "\t%10llu udp connections (max concurrent %u) (one-way %llu)\n", 
      counters->udpconns, counters->max_ctrs.uconns.max, 
	counters->udp_one_way_only);
  REP_L(file, "\t%10llu HTTP transactions (max concurrent %u)\n", 
      counters->http_trans, counters->max_ctrs.trans.max);
  if (counters->html_parsed.pkts)
    REP_L(file, "\t%lu HTML bytes parsed (%lu packets)\n", 
	  counters->html_parsed.octs, counters->html_parsed.pkts);
  REP_L(file, "\t%10llu buffers got %10llu buffers released (max concurrent %u)\n",
      counters->buffers_got, counters->buffers_released, counters->max_ctrs.buffers_held.max);
  REP_L(file, "\t\tmaximum pkt buffers held %u\n", counters->max_ctrs.heldpkts.max);
  REP_L(file, "\t\tmaximum saved header buffers held %u\n", counters->max_ctrs.saved_hdr_buffs.max);
  REP_L(file, "\t\tmaximum links buffers held %u\n", counters->max_ctrs.links_buffs.max);
  REP_L(file, "\t\tmaximum links chars held %u\n", counters->max_ctrs.links_chars.max);
  REP_L(file, "\t\tns records held %u\n", counters->max_ctrs.ns_recs.max);
  REP_L(file, "\t\tlarge tag buffers held %u\n", counters->max_ctrs.tag_bufs.max);
  REP_L(file, "\n");

  /* Ave. and max. bandwidths etc. */
  REP_L(file, "Ave. b/w wire %.2f Mbs HTTP %.2f Mb/s\n", 
      (((double)wire_octs*8)/period)/1000, (((double)counters->TRAFF_TCP_HTTP.octs*8)/period)/1000);
  REP_L(file, "\t(%.0f pkts/s %.0f pkts/s\n", 
      ((double)wire_pkts*1000)/period, 
      ((double)counters->TRAFF_TCP_HTTP.pkts*1000)/period);
  REP_L(file, "Max b/w wire %.2f Mbs HTTP %.2f Mbs (over 2s intervals)\n", 
      counters->max_ctrs.wire_bw, counters->max_ctrs.http_bw);
  REP_L(file, "Max inter get loop (sched) %u us\n", counters->max_ctrs.int_get);
  REP_L(file, "Max inter fetch loop (sched) %u us\n", counters->max_ctrs.int_fetch);
  REP_L(file, "\n");

  /* HTTP errors */
  for (i = 0; i < N_HTTP_ERRS; i++)
    tot_http_errs += counters->http_errs[i];
  REP_L(file, "HTTP errors: %d (%.2f%%)\n", 
	tot_http_errs, ((float)tot_http_errs*100)/counters->http_trans);
  for (i = 1; i < N_HTTP_ERRS; i++)
    if (counters->http_errs[i])
      REP_L(file, "\t%3d %52s %4d\n", -i, http_err_string(-i), counters->http_errs[i]);

  REP_L(file, "\n");

  /* HTTP disposal */