/*
*
* (C) 2013-14 - ntop.org
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
#ifndef _FLOW_H_
#define _FLOW_H_
#include "ntop_includes.h"
/*
 * Per-direction TCP bookkeeping kept for a flow (one instance per
 * direction, see Flow::tcp_stats_s2d / tcp_stats_d2s).
 */
typedef struct {
  u_int32_t pktRetr;  /* packets counted as retransmissions */
  u_int32_t pktOOO;   /* packets counted as out-of-order */
  u_int32_t pktLost;  /* packets counted as lost */
  u_int64_t last;     /* presumably the last TCP sequence number seen - verify in Flow.cpp */
  u_int64_t next;     /* presumably the next expected sequence number - verify in Flow.cpp */
} TCPPacketStats;
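/*
 * A single bidirectional flow (client <-> server) tracked by an interface.
 *
 * The class carries the flow key (hosts, ports, VLAN, L4 protocol), the
 * nDPI detection state, per-direction byte/packet/TCP counters, timing
 * used for latency estimation, and the last HTTP/DNS artefacts seen.
 *
 * NOTE(review): the object holds heap state (ndpi_flow, json_info,
 * host_server_name, the http/dns/categorization strings) that is
 * presumably released by ~Flow()/deleteFlowMemory(), yet copy
 * construction and assignment are left implicitly defined, so copying a
 * Flow would double-free. Flows appear to be handled by pointer only;
 * if that holds, `Flow(const Flow&) = delete;` and
 * `Flow& operator=(const Flow&) = delete;` would make it explicit.
 */
class Flow : public GenericHashEntry {
 private:
  /* Flow key. Ports are stored in network byte order (see get_cli_port()). */
  Host *cli_host, *srv_host;
  u_int16_t cli_port, srv_port;
  u_int16_t vlanId;
  u_int8_t protocol, src2dst_tcp_flags, dst2src_tcp_flags;

  /* nDPI detection state */
  struct ndpi_flow_struct *ndpi_flow;
  bool detection_completed, protocol_processed, blacklist_alarm_emitted,
    cli2srv_direction, twh_over, dissect_next_http_packet, pass_verdict,
    ssl_flow_without_certificate_name;
  u_int16_t ndpi_detected_protocol;
  void *cli_id, *srv_id;
  char *json_info, *host_server_name;

  /* Last application-layer artefacts seen on the flow */
  struct {
    char *last_url, *last_method;
    u_int16_t last_return_code;
  } http;
  struct {
    char *last_query;
  } dns;
  struct {
    char *category;
    bool flow_categorized;
  } categorization;

  /* Process Information */
  ProcessInfo *client_proc, *server_proc;

  /* Stats */
  u_int32_t cli2srv_packets, srv2cli_packets;
  u_int64_t cli2srv_bytes, srv2cli_bytes;
  struct {
    char *name;
  } aggregationInfo;

  /* TCP stats */
  TCPPacketStats tcp_stats_s2d, tcp_stats_d2s;
  struct timeval synTime, synAckTime, ackTime; /* network Latency (3-way handshake) */
  struct timeval clientNwLatency; /* The RTT/2 between the client and nprobe */
  struct timeval serverNwLatency; /* The RTT/2 between nprobe and the server */
  struct {
    struct timeval firstSeenSent, lastSeenSent;
    struct timeval firstSeenRcvd, lastSeenRcvd;
  } flowTimers;

  /* Counter values at last host update */
  struct {
    u_int32_t cli2srv_packets, srv2cli_packets;
    u_int64_t cli2srv_bytes, srv2cli_bytes;
    u_int32_t last_dump;
  } last_db_dump;

  /* Throughput bookkeeping */
  struct timeval last_update_time;
  float bytes_thpt, top_bytes_thpt, pkts_thpt, top_pkts_thpt;
  ValueTrend bytes_thpt_trend, pkts_thpt_trend;
  u_int64_t cli2srv_last_packets, srv2cli_last_packets,
    prev_cli2srv_last_packets, prev_srv2cli_last_packets;
  u_int64_t cli2srv_last_bytes, srv2cli_last_bytes,
    prev_cli2srv_last_bytes, prev_srv2cli_last_bytes;

  // tcpFlags = tp->th_flags, tcpSeqNum = ntohl(tp->th_seq), tcpAckNum = ntohl(tp->th_ack), tcpWin = ntohs(tp->th_win);

  /* Formats an IPv4 address into buf; bufLen bounds the write. */
  char* intoaV4(unsigned int addr, char* buf, u_short bufLen);
  /* Export helpers for the process info of one side (client when `client` is true). */
  void processLua(lua_State* vm, ProcessInfo *proc, bool client);
  void processJson(bool is_src, json_object *my_object, ProcessInfo *proc);
  void checkBlacklistedFlow();
  void allocFlowMemory();
  /* Decides pass_verdict, read back through getVerdict(). */
  void makeVerdict();

 public:
  /*
   * Both constructors take the flow key; the second additionally seeds the
   * first/last-seen timestamps (used when flows are imported rather than
   * captured live - TODO confirm).
   */
  Flow(NetworkInterface *_iface,
       u_int16_t _vlanId, u_int8_t _protocol,
       u_int8_t cli_mac[6], IpAddress *_cli_ip, u_int16_t _cli_port,
       u_int8_t srv_mac[6], IpAddress *_srv_ip, u_int16_t _srv_port);
  Flow(NetworkInterface *_iface,
       u_int16_t _vlanId, u_int8_t _protocol,
       u_int8_t cli_mac[6], IpAddress *_cli_ip, u_int16_t _cli_port,
       u_int8_t srv_mac[6], IpAddress *_srv_ip, u_int16_t _srv_port,
       time_t _first_seen, time_t _last_seen);
  ~Flow();

  char *getDomainCategory();
  void deleteFlowMemory();

  /*
   * Serialisation. Ownership of the returned buffers/objects is not
   * visible here - verify in Flow.cpp before storing or freeing them.
   */
  char* serialize(bool partial_dump = false, bool es_json = false);
  json_object* flow2json(bool partial_dump);
  json_object* flow2es(json_object *flow_object);

  /* Union of the TCP flags seen in both directions. */
  inline u_int8_t getTcpFlags() const { return(src2dst_tcp_flags | dst2src_tcp_flags); }
  inline bool getVerdict() const { return(pass_verdict); }

  /* Process-side accessors; `client` selects client_proc vs server_proc. */
  u_int32_t getPid(bool client);
  u_int32_t getFatherPid(bool client);
  char* get_username(bool client);
  char* get_proc_name(bool client);

  /* TCP sequence/flag tracking fed from the packet path. */
  u_int32_t getNextTcpSeq(u_int8_t tcpFlags, u_int32_t tcpSeqNum, u_int32_t payloadLen);
  double toMs(const struct timeval *t);
  void timeval_diff(struct timeval *begin, const struct timeval *end, struct timeval *result, u_short divide_by_two);
  void updateTcpFlags(const struct timeval *when, u_int8_t flags, bool src2dst_direction);
  void updateTcpSeqNum(const struct timeval *when, u_int32_t seq_num,
                       u_int32_t ack_seq_num, u_int8_t flags,
                       u_int16_t payload_len, bool src2dst_direction);
  void updateSeqNum(time_t when, u_int32_t sN, u_int32_t aN);

  void processDetectedProtocol();
  void setDetectedProtocol(u_int16_t proto_id);
  /* Stores JSON metadata for the flow; presumably copied into json_info - verify ownership in Flow.cpp. */
  void setJSONInfo(const char *json);
  /* Parameter renamed from `vlanId` so it no longer shadows the member of the same name. */
  bool isFlowPeer(char *numIP, u_int16_t _vlanId);
  void incStats(bool cli2srv_direction, u_int pkt_len);
  void updateActivities();
  void addFlowStats(bool cli2srv_direction, u_int in_pkts, u_int in_bytes, u_int out_pkts, u_int out_bytes, time_t last_seen);

  /* Plain state accessors (read-only, hence const). */
  inline bool isDetectionCompleted() const { return(detection_completed); }
  inline struct ndpi_flow_struct* get_ndpi_flow() const { return(ndpi_flow); }
  inline void* get_cli_id() const { return(cli_id); }
  inline void* get_srv_id() const { return(srv_id); }
  /* NOTE(review): these dereference cli_host/srv_host unchecked - assumes both are set by the constructor and never cleared; confirm. */
  inline u_int32_t get_cli_ipv4() const { return(cli_host->get_ip()->get_ipv4()); }
  inline u_int32_t get_srv_ipv4() const { return(srv_host->get_ip()->get_ipv4()); }
  /* Ports are kept in network byte order; these return host order. */
  inline u_int16_t get_cli_port() const { return(ntohs(cli_port)); }
  inline u_int16_t get_srv_port() const { return(ntohs(srv_port)); }
  inline u_int16_t get_vlan_id() const { return(vlanId); }
  inline u_int8_t get_protocol() const { return(protocol); }
  /* Totals over both directions. */
  inline u_int64_t get_bytes() const { return(cli2srv_bytes + srv2cli_bytes); }
  inline u_int64_t get_packets() const { return(cli2srv_packets + srv2cli_packets); }

  /* L4 protocol name (e.g. from the IP protocol number). */
  inline char* get_protocol_name() const { return(Utils::l4proto2name(protocol)); }
  /* nDPI-detected application protocol and its name/breed. */
  inline u_int16_t get_detected_protocol() const { return(ndpi_detected_protocol); }
  inline char* get_detected_protocol_name() const { return(ndpi_get_proto_name(iface->get_ndpi_struct(), ndpi_detected_protocol)); }
  inline Host* get_cli_host() const { return(cli_host); }
  inline Host* get_srv_host() const { return(srv_host); }
  inline char* get_json_info() const { return(json_info); }
  inline ndpi_protocol_breed_t get_protocol_breed() const { return(ndpi_get_proto_breed(iface->get_ndpi_struct(), ndpi_detected_protocol)); }
  inline char* get_protocol_breed_name() const {
    return(ndpi_get_proto_breed_name(iface->get_ndpi_struct(),
                                     ndpi_get_proto_breed(iface->get_ndpi_struct(),
                                                          ndpi_detected_protocol)));
  }

  /* TCP quality counters (presumably summed over tcp_stats_s2d/d2s - verify). */
  u_int32_t get_packetsLost();
  u_int32_t get_packetsRetr();
  u_int32_t get_packetsOOO();
  /* Counters since the last host update (see last_db_dump). */
  u_int64_t get_current_bytes_cli2srv();
  u_int64_t get_current_bytes_srv2cli();
  u_int64_t get_current_packets_cli2srv();
  u_int64_t get_current_packets_srv2cli();

  void aggregateInfo(char *name, u_int16_t ndpi_proto_id,
                     AggregationType mode, bool aggregation_to_track);
  void handle_process(ProcessInfo *pinfo, bool client_process);
  bool idle();
  int compare(Flow *fb);
  /* Renders a one-line description into buf; buf_len bounds the write. */
  char* print(char *buf, u_int buf_len);
  void update_hosts_stats(struct timeval *tv);
  void print_peers(lua_State* vm, patricia_tree_t * ptree, bool verbose);
  u_int32_t key();
  void lua(lua_State* vm, patricia_tree_t * ptree, bool detailed_dump);
  /*
   * Key comparison used for hash lookup. On match, *src2srv_direction tells
   * whether the supplied (cli, srv) pair is in the flow's stored orientation
   * or reversed.
   */
  bool equal(IpAddress *_cli_ip, IpAddress *_srv_ip,
             u_int16_t _cli_port, u_int16_t _srv_port,
             u_int16_t _vlanId, u_int8_t _protocol,
             bool *src2srv_direction);
  void sumStats(NdpiStats *stats);
  void guessProtocol();
  void dumpFlow(bool partial_dump);
  bool match(patricia_tree_t *ptree);
  /* The endpoint that actually initiated the flow, per cli2srv_direction. */
  inline Host* get_real_client() const { return(cli2srv_direction ? cli_host : srv_host); }
  inline Host* get_real_server() const { return(cli2srv_direction ? srv_host : cli_host); }
  /*
   * Parses an HTTP request/response from raw packet bytes. `payload` is
   * untrusted and not NUL-terminated; every read must be bounded by
   * payload_len (the header cannot verify that Flow.cpp does so).
   */
  void dissectHTTP(bool src2dst_direction, char *payload, u_int payload_len);
};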
#endif /* _FLOW_H_ */