counters.c

该软件根据网络数据生成NetFlow记录。NetFlow可用于网络规划、负载均衡、安全监控等

  REP_L(file, "Transaction completion:\n");
  REP_L(file, "\t%llu started %llu complete  %llu incomplete %llu finished  (%llu/2 resynched) %llu server only %llu client only %llu timing invalid\n", 
      counters->http_trans, counters->http_trans_comp, 
	counters->http_trans_incomp, counters->http_trans_fin, 
	counters->http_trans_resynch, counters->http_trans_serv_only, 
	counters->http_trans_cli_only, counters->http_trans_timeinvalid);
  REP_L(file, "\t%llu/2 dummy %llu/2 error %llu/2 lost synch\n\n", 
	counters->http_trans_dummy, counters->http_trans_err, 
	counters->http_trans_lost_synch);

  /* Fragmented HTTP headers etc*/
  if (counters->frag_hdr_trans)
    {
      SHOW_CTR(file, frag_hdr_pkts, "Fragmented HTTP hdrs", TRAFF_TCP_HTTP, "HTTP");
      REP_L(file, "\t(%u transactions - %u parsed ok)\n", counters->frag_hdr_trans,
	    counters->frag_hdr_trans_ok);
    }
  if (counters->http_trans_chunked)
    REP_L(file, "\t%llu chunked transfers\n", counters->http_trans_chunked);
  if (counters->http_trans_trailer_perm)
    REP_L(file, "\t%llu use trailer invitations\n", 
	  counters->http_trans_trailer_perm);
  if (counters->http_trans_trailer)
    REP_L(file, "\t%llu trailer fields used\n", 
	  counters->http_trans_trailer);
  if (counters->http_dump_objects_dropped)
    REP_L(file, "\t%llu objects not dumped\n", 
	  counters->http_dump_objects_dropped);

  REP_L(file, "\n");

  /* Analysis - dropped packets */
  REP_L(file, "Total drops:      %10.0f pkts %10.0f octets\n", 
      tot_drop_pkts, tot_drop_octs);

  SHOW_CTR(file, filter, "filtered out", wire, "wire");
  SHOW_CTR(file, notIP, "not IP", wire, "wire");
  SHOW_CTR(file, not_TCPUDP, "not TCP/UDP", TRAFF_IP, "IP");

  SHOW_CTR(file, MACHdr, "MAC header truncated", wire, "wire");
  SHOW_CTR(file, wrong_encaps, "unrecognised encapsulation", wire, "wire");
  SHOW_CTR(file, wrong_llc_type, "wrong llc type", wire, "wire");

  SHOW_CTR(file, IPHdr, "IP header truncated", TRAFF_IP, "IP");
  SHOW_CTR(file, IPversion, "IP version wrong", TRAFF_IP, "IP");
  SHOW_CTR(file, IPFrag, "IP fragmented", TRAFF_IP, "IP");
  SHOW_CTR(file, IPLen, "incorrect IP length", TRAFF_IP, "IP");
  SHOW_CTR(file, IPHdr_opts, "truncated IP header options", TRAFF_IP, "IP");
  SHOW_CTR(file, IPSum, "IP Hdr Checksum", TRAFF_IP, "IP");

  SHOW_CTR(file, ICMP_len, "ICMP message length", TRAFF_IP, "IP");

  SHOW_CTR(file, TCPHdr, "TCP header truncated", TRAFF_IP, "IP");
  SHOW_CTR(file, TCPSum, "TCP Checksum", TRAFF_IP, "IP");


  SHOW_CTR(file, UDPHdr, "UDP header truncated", TRAFF_IP, "IP");
  SHOW_CTR(file, UDPSum, "UDP Checksum", TRAFF_IP, "IP");

#ifdef FILTER_PORTS
  SHOW_CTR(file, port_filtered_out, "port filtered out", TRAFF_IP, "IP");
#endif
  SHOW_CTR(file, TCPHdr_opts, "truncated TCP header options", TRAFF_IP, "IP");
  if (!counters->fh.accept_nosyn)
    SHOW_CTR(file, startup_nosyn, "No syn seen during start up period", TRAFF_TCP, "TCP");
  SHOW_CTR(file, SYN_too_late, "SYN too late", TRAFF_TCP, "TCP");
  SHOW_CTR(file, serv_orig, "connection originated by server", TRAFF_IP, "IP");
  SHOW_CTR(file, Nprobe_errpkts, "Nprobe error packets", TRAFF_IP, "IP");
  SHOW_CTR(file, HTTP_port, "Pkts on HTTP port dumped", TRAFF_TCP, "TCP");
  SHOW_CTR(file, ffilter, "Rejected by flow filter", TRAFF_IP, "IP");
  REP_L(file, "<IP len pkt %llu pkts\n", counters->IP_ulen.pkts);
  

  REP_L(file, "\n");

  /* TCP timeouts, closes, mavericks, etc. */
  REP_L(file, "Info:\n");
  if (counters->tcp_maverick_SYN)
    REP_L(file, "\tMaverick SYN %llu\n", counters->tcp_maverick_SYN);
  if (counters->tcp_duplicate_SYN)
    REP_L(file, "\tDuplicate SYN %llu\n", counters->tcp_duplicate_SYN);
  REP_L(file, "\tTCP conn timeouts %llu\n", counters->tcp_timeo);
  REP_L(file, "\tTCP forced connections %llu\n", counters->tcp_forced_alt);
  REP_L(file, "\tTCP option confusion %llu\n", counters->tcp_opt_fail);
  REP_L(file, "\tTCP seq timeouts: to %llu tf %llu ta %llu tq %llu\n",
	counters->tcp_seq_timeo, counters->tcp_seq_timeo_forced,
	counters->tcp_seq_timeo_ack, counters->tcp_seq_timeo_ql);
  REP_L(file, "\tMinimum forced seq timeout %ums\n", counters->max_ctrs.min_tcp_seq_to);
  REP_L(file, "\tTCP close:\n");
  REP_L(file, "\t\t%-10s %10llu\n%s\t\t%-10s %10llu\n%s\t\t%-10s %10llu\n%s\t\t%-10s %10llu\n%s\t\t%-10s %10llu\n",
	"full", counters->tcp_full_close,
	leader, "effective", counters->tcp_eff_close,
	leader, "forced", counters->tcp_forced_close,
	leader, "quick", counters->tcp_quick_close,
	leader, "timed out", counters->tcp_timeo);
  if (counters->tcp_end_close)
    REP_L(file, "\t\t%-10s %10llu\n", "open", counters->tcp_end_close);

  if (counters->tcp_payload_dropped)
    REP_L(file, "\t%llu TCP payloads not dumped\n", 
	  counters->tcp_payload_dropped);

  REP_L(file, "\tTCP unidirectional %llu\n", counters->tcp_one_way_only);
  SHOW_CTR(file, IPLen_media_minpkt, "media min. segment", wire, "wire");
  SHOW_CTR(file, IP_pkt_too_long, "overlength packet", wire, "wire");
  SHOW_CTR(file, held_pkts, "held packets", TRAFF_IP, "IP");
  SHOW_CTR(file, held_epkts, "held epackets", TRAFF_IP, "IP");
  SHOW_CTR(file, http_unsynched, "unsynchronised HTTP", TRAFF_TCP_HTTP, "HTTP");


  
  REP_L(file, "\n");


  
  return;
}


void 
add_ctrs(counters_t *acc, counters_t *add)
{
  int i;

  acc->fh = add->fh;

  if (acc->fh.vers_pre != add->fh.vers_pre 
      || acc->fh.vers_n != add->fh.vers_n)
    wr_error("Attempting to accumulate counters from different versions");

  acc->fh.vers_pre = add->fh.vers_pre;
  acc->fh.vers_n = add->fh.vers_n;

  ADD_CTRS(wire);

  ADD_CTRS(TRAFF_IP);

  ADD_CTRS(TRAFF_TCP);
  ADD_CTRS(TRAFF_UDP);
  ADD_CTRS(TRAFF_ICMP);
  ADD_CTRS(TRAFF_ICMP_UNREACH);
  ADD_CTRS(TRAFF_IP_OTHER);

  ADD_CTRS(TRAFF_TCP_HTTP);
  ADD_CTRS(TRAFF_TCP_FTP);
  ADD_CTRS(TRAFF_TCP_FTP_DATA);
  ADD_CTRS(TRAFF_TCP_TELNET);
  ADD_CTRS(TRAFF_TCP_SMTP);
  ADD_CTRS(TRAFF_TCP_POP3);
  ADD_CTRS(TRAFF_TCP_NNTP);
  ADD_CTRS(TRAFF_TCP_NETBIOS_SSN);
  ADD_CTRS(TRAFF_TCP_RTSP);
  ADD_CTRS(TRAFF_TCP_PNM);
  ADD_CTRS(TRAFF_TCP_OTHER);
  ADD_CTRS(TRAFF_TCP_BGP);
  ADD_CTRS(TRAFF_TCP_TEST);

  ADD_CTRS(TRAFF_UDP_DNS);
  ADD_CTRS(TRAFF_UDP_NFS);
  ADD_CTRS(TRAFF_UDP_ICQ);
  ADD_CTRS(TRAFF_UDP_OTHER);

  ADD_CTRS(MACHdr);
  ADD_CTRS(wrong_encaps);
  ADD_CTRS(wrong_llc_type);
  ADD_CTRS(notIP);
  ADD_CTRS(IPHdr);
  ADD_CTRS(IPversion);
  ADD_CTRS(IPFrag);
  ADD_CTRS(IPLen);
  ADD_CTRS(IPHdr_opts);
  ADD_CTRS(IPSum);
  ADD_CTRS(UDPHdr);
  ADD_CTRS(UDPSum);
  ADD_CTRS(not_TCPUDP);
  ADD_CTRS(TCPHdr);
  ADD_CTRS(TCPSum);
  ADD_CTRS(port_filtered_out);
  ADD_CTRS(Nprobe_errpkts);
  ADD_CTRS(TCPHdr_opts);
  ADD_CTRS(startup_nosyn);
  ADD_CTRS(SYN_too_late);
  ADD_CTRS(serv_orig);
  ADD_CTRS(filter);
  ADD_CTRS(HTTP_port);
  ADD_CTRS(ICMP_len);
  ADD_CTRS(ffilter);
  ADD_CTRS(IP_ulen);

  ADD_CTRS(TCPDump_trunc);
  ADD_CTRS(IPLen_media_minpkt);
  ADD_CTRS(IP_pkt_too_long);
  ADD_CTRS(held_pkts);
  ADD_CTRS(held_epkts);
  ADD_CTRS(frag_hdr_pkts);
  ADD_CTRS(html_parsed);
  ADD_VAL(frag_hdr_trans);
  ADD_VAL(frag_hdr_trans_ok);
  ADD_VAL(dump_bytes_written);
  ADD_VAL(dump_blks_dumped);
  ADD_VAL(rep_bytes_written);
  ADD_VAL(rep_blks_dumped);

  ADD_VAL(host_flows);
  ADD_VAL(tcpconns);
  ADD_VAL(udpconns);
  ADD_VAL(buffers_got);
  ADD_VAL(buffers_released);

  ADD_VAL(tcp_timeo);
  ADD_VAL(tcp_seq_timeo);
  ADD_VAL(tcp_full_close);
  ADD_VAL(tcp_eff_close);
  ADD_VAL(tcp_quick_close);
  ADD_VAL(tcp_forced_close);
  ADD_VAL(tcp_end_close);
  ADD_VAL(tcp_one_way_only);
  ADD_VAL(tcp_seq_timeo_forced);
  ADD_VAL(tcp_seq_timeo_ack);
  ADD_VAL(tcp_seq_timeo_ql);
  ADD_VAL(tcp_maverick_SYN);
  ADD_VAL(tcp_duplicate_SYN);
  ADD_VAL(tcp_forced_alt);
  ADD_VAL(tcp_opt_fail);

  ADD_VAL(udp_one_way_only);
  ADD_VAL(udp_timeo);
  ADD_VAL(udp_open);

  ADD_VAL(buf_alloc_fails);
  ADD_VAL(nic_fails);

  ADD_VAL(tcp_cli_only);
  ADD_VAL(tcp_serv_only);

  if (acc->start.tv_sec == 0L && acc->start.tv_usec == 0L)
    acc->start = add->start;
  else
    acc->start = EARLIEST(acc->start, add->start);

  acc->stop = LATEST(acc->stop, add->stop);

  ADD_VAL(nrecords);

  for (i = 0; i < N_HTTP_ERRS; i++)
    acc->http_errs[i] += add->http_errs[i];

  ADD_VAL(http_trans);
  ADD_VAL(http_trans_comp);
  ADD_VAL(http_trans_incomp);
  ADD_VAL(http_trans_fin);
  ADD_VAL(http_trans_cli_only);
  ADD_VAL(http_trans_dummy);
  ADD_VAL(http_trans_err);
  ADD_VAL(http_trans_lost_synch);
  ADD_VAL(http_trans_resynch);
  ADD_VAL(http_trans_timeinvalid);
  ADD_VAL(http_trans_chunked);
  ADD_VAL(http_trans_trailer_perm);
  ADD_VAL(http_trans_trailer);
  ADD_VAL(http_trans_serv_only);

  ADD_CTRS(http_unsynched);

  ACCUM_MAX_CTR(hostconns);
  ACCUM_MAX_CTR(tconns);
  ACCUM_MAX_CTR(uconns);
  ACCUM_MAX_CTR(trans);
  ACCUM_MAX_CTR(heldpkts);
  ACCUM_MAX_CTR(buffers_held);
  ACCUM_MAX_CTR(saved_hdr_buffs);
  ACCUM_MAX_CTR(links_buffs);
  ACCUM_MAX_CTR(links_chars);
  ACCUM_MAX_CTR(ns_recs);
  ACCUM_MAX_CTR(tag_bufs);
  acc->max_ctrs.int_get = MAX(acc->max_ctrs.int_get, add->max_ctrs.int_get);
  acc->max_ctrs.int_fetch = MAX(acc->max_ctrs.int_fetch, add->max_ctrs.int_fetch);
  acc->max_ctrs.wire_bw = MAX(acc->max_ctrs.wire_bw, add->max_ctrs.wire_bw);
  acc->max_ctrs.http_bw = MAX(acc->max_ctrs.http_bw, add->max_ctrs.http_bw);
  acc->max_ctrs.min_tcp_seq_to = MIN(acc->max_ctrs.min_tcp_seq_to, add->max_ctrs.min_tcp_seq_to);

#if 0
  /* XXX TODO - this is wrong - these are cumulative anyway */
  ACCUM_RUN_CTR(wire_all);
  ACCUM_RUN_CTR(IP_all);
#endif

  return;
}
  

#endif /* if defined FINAL_REPORT || defined REPORT || defined WREAD */


void 
counters_init(counters_t *cp, tmval *start, unsigned int magic)
{

  memset(cp, 0, sizeof(counters_t));

  cp->fh.magic = WAN_MAGIC;
  cp->fh.vers_pre = VERS_PRE;
  cp->fh.vers_n = VERS_N;

  cp->start = *start;		/* struct assignment */
  ncpus_and_freq(cp);

#ifdef TCPDUMP_FED
  cp->fh.how_collected = TCPDUMP_COLL;
  strcpy(cp->fh.data, o_infnm);
#else
  cp->fh.how_collected = NPROBE_COLL;
#endif
  
  cp->fh.compressed = 0;

#ifndef WREAD
  cp->fh.quick_close = tcp_quickclose;
  cp->fh.accept_nosyn = tcp_accept_nosyn;

  cp->fh.rep_fsz = report_file_sz;
  cp->fh.dump_fsz = dump_file_sz;
#endif

  cp->fh.tcp_timeout = TCP_FLOW_TIMEO_US/1000;
  cp->fh.tcp_seq_timeout = TCP_SEQ_TIMEO_US/1000;
  cp->fh.udp_timeout =  UDP_FLOW_TIMEO_US/1000;

  cp->max_ctrs.int_get = 0U;
  cp->max_ctrs.int_fetch = 0U;
  cp->max_ctrs.wire_bw = 0.0;
  cp->max_ctrs.http_bw = 0.0;
  cp->max_ctrs.min_tcp_seq_to = SEQ_TIMEO_US;

  return;
}

/*
 * reset counters at file cycle - carry over as necessary 
 */

void 
reset_counters(counters_t *cp, tmval *cycle_time)
{
  
  max_ctrs_t max_tmp;
  run_ctrs_t run_tmp;

  max_tmp = cp->max_ctrs;	/* save max state */
  run_tmp = cp->run_ctrs;	/* and whole run counters */
  
  counters_init(cp, cycle_time, WAN_MAGIC);/* clear for next file cycle */

  cp->max_ctrs = max_tmp;	/* and restore */
  MAX_CTR_RESET(hostconns);
  MAX_CTR_RESET(tconns);
  MAX_CTR_RESET(trans);
  MAX_CTR_RESET(heldpkts);
  MAX_CTR_RESET(buffers_held);
  MAX_CTR_RESET(saved_hdr_buffs);
  MAX_CTR_RESET(links_buffs);
  MAX_CTR_RESET(links_chars);
  MAX_CTR_RESET(ns_recs);
  MAX_CTR_RESET(tag_bufs);
  cp->max_ctrs.int_get = 0U;
  cp->max_ctrs.int_fetch = 0U;
  cp->max_ctrs.wire_bw = 0.0;
  cp->max_ctrs.http_bw = 0.0;
  cp->max_ctrs.min_tcp_seq_to = SEQ_TIMEO_US;
  cp->run_ctrs = run_tmp;

  return;
}


void 
accumulate_run_counters(counters_t *cp)
{
  cp->run_ctrs.wire_all.pkts += cp->wire.pkts;
  cp->run_ctrs.wire_all.octs += cp->wire.octs;
  cp->run_ctrs.IP_all.pkts += cp->TRAFF_IP.pkts;
  cp->run_ctrs.IP_all.octs += cp->TRAFF_IP.octs;
  cp->run_ctrs.TCP_all.pkts += cp->TRAFF_TCP.pkts;
  cp->run_ctrs.TCP_all.octs += cp->TRAFF_TCP.octs;
  cp->run_ctrs.HTTP_all.pkts += cp->TRAFF_TCP_HTTP.pkts;
  cp->run_ctrs.HTTP_all.octs += cp->TRAFF_TCP_HTTP.octs;
  cp->run_ctrs.HTML_all.pkts += cp->html_parsed.pkts;
  cp->run_ctrs.HTML_all.octs += cp->html_parsed.octs;
  cp->run_ctrs.UDP_all.pkts += cp->TRAFF_UDP.pkts;
  cp->run_ctrs.UDP_all.octs += cp->TRAFF_UDP.octs;
  cp->run_ctrs.tot_records += cp->nrecords;
  cp->run_ctrs.rep_blks_all += cp->rep_blks_dumped;
  cp->run_ctrs.dump_blks_all += cp->dump_blks_dumped;
  cp->run_ctrs.rep_bytes_all += cp->rep_bytes_written;
  cp->run_ctrs.dump_bytes_all += cp->dump_bytes_written;
  cp->run_ctrs.IP_ulen_all.pkts += cp->IP_ulen.pkts;
  cp->run_ctrs.IP_ulen_all.octs += cp->IP_ulen.octs;

  return;
}