/* ** Copyright (C) 2005-2006 by Carnegie Mellon University. ** ** @OPENSOURCE_HEADER_START@ ** ** Use of the SILK system and related source code is subject to the terms ** of the following licenses: ** ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991 ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.225-7013 ** ** NO WARRANTY ** ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT, ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES. ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE ** DELIVERABLES UNDER THIS LICENSE. ** ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie ** Mellon University, its trustees, officers, employees, and agents from ** all claims or demands made against them (and any related losses, ** expenses, or attorney's fees) arising out of, or relating to Licensee's ** and/or its sub licensees' negligent use or willful misuse of or ** negligent conduct or willful misconduct regarding the Software, ** facilities, or other rights or assistance granted by Carnegie Mellon ** University under this License, including, but not limited to, any ** claims of product liability, personal injury, death, damage to ** property, or violation of any laws or regulations. ** ** Carnegie Mellon University Software Engineering Institute authored ** documents are sponsored by the U.S. Department of Defense under ** Contract F19628-00-C-0003. Carnegie Mellon University retains ** copyrights in all material produced under this contract. The U.S. ** Government retains a non-exclusive, royalty-free license to publish or ** reproduce these documents, or allow others to do so, for U.S. ** Government purposes only pursuant to the copyright license under the ** contract clause at 252.227.7013. ** ** @OPENSOURCE_HEADER_END@ */ /* ** rwaugmentedio.c ** ** Suresh L Konda ** routines to do io stuff with augmented records. */ #include "silk.h" RCSIDENT("$SiLK: rwaugmentedio.c 5883 2006-12-08 21:54:58Z mthomas $"); #include "librw_priv.h" /* Version to use when SK_FILE_VERSION_ANY is specified */ #define DEFAULT_FILE_VERSION 3 /* * Version where data compression is enabled. We support full * compression as of this version. For files one version below this, * we only support reading compressed files---files created with * SiLK-0.10.0 through SiLK-0.10.4 */ #define COMPMETHOD_SUPPORTED 3 /* ********************************************************************* */ /* ** RWAUGMENTED VERSION 1 ** RWAUGMENTED VERSION 2 ** RWAUGMENTED VERSION 3 ** ** ipUnion sIP; // 0- 3 Source IP ** ipUnion dIP; // 4- 7 Destination IP ** ** uint16_t sPort; // 8- 9 Source port ** uint16_t dPort; // 10-11 Destination port ** ** uint32_t pkts_stime; // 12-15 ** // uint32_t pkts :20; // Count of packets ** // uint32_t sTime :12; // Start time--offset from hour ** ** uint32_t bbe; // 16-19 ** // uint32_t bPPkt :14; // Whole bytes-per-packet ** // uint32_t bPPFrac : 6; // Fractional bytes-per-packet ** // uint32_t elapsed :12; // Duration of flow ** ** uint32_t msec_flags // 20-23 ** // uint32_t sTime_msec:10; // Fractional sTime (millisec) ** // uint32_t elaps_msec:10; // Fractional elapsed (millisec) ** // uint32_t pflag : 1; // 'pkts' requires multiplier? ** // uint32_t is_tcp : 1; // 1 if flow is TCP; 0 otherwise ** // uint32_t padding : 2; // padding/reserved ** // uint32_t prot_flags: 8; // is_tcp==0: IP protocol ** // is_tcp==1 && ** // tcp_state==0:TCPflags/All pkts ** // tcp_state==1:TCPflags/1st pkt ** ** uint16_t application; // 24-25 Type of traffic ** ** uint8_t tcp_state; // 26 TCP state machine info ** uint8_t rest_flags; // 27 is_tcp==0: Flow's reported flags ** // is_tcp==1 && ** // tcp_state==0:Empty ** // tcp_state==1:TCPflags/!1st pkt ** ** ** 28 bytes on disk. */ #define RECLEN_RWAUGMENTED_V1 28 #define RECLEN_RWAUGMENTED_V2 28 #define RECLEN_RWAUGMENTED_V3 28 /* * Unpack the array of bytes 'ar' into a record 'rwRP' */ static int _augmentedioRecordUnpack_V1( rwIOStruct_t *rwIOS, rwGenericRec_V3 *rwRP, const uint8_t *ar) { uint32_t msec_flags; uint8_t is_tcp, prot_flags; /* sIP, dIP, sPort, dPort */ memcpy(&rwRP->sIP, &ar[ 0], 4); memcpy(&rwRP->dIP, &ar[ 4], 4); memcpy(&rwRP->sPort, &ar[ 8], 2); memcpy(&rwRP->dPort, &ar[10], 2); /* msec times, proto or flags */ memcpy(&msec_flags, &ar[20], 4); /* application */ memcpy(&rwRP->application, &ar[24], 2); /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ _packUnpackTimeBytesPktsFlags(rwRP, rwGetFileSTime(rwIOS), (uint32_t*)&ar[12], (uint32_t*)&ar[16], &msec_flags); /* Augmented TCP information */ is_tcp = (uint8_t)GET_MASKED_BITS(msec_flags, 10, 1); prot_flags = (uint8_t)GET_MASKED_BITS(msec_flags, 0, 8); _packUnpackProtoFlags(rwRP, is_tcp, prot_flags, ar[26], ar[27]); /* sensor, flow_type from file name/header */ rwRP->sID = rwIOS->sID; rwRP->flow_type = rwIOS->flow_type; return LIBRW_OK; } /* * Pack the record 'rwRP' into an array of bytes 'ar' */ static int _augmentedioRecordPack_V1( rwIOStruct_t *rwIOS, const rwGenericRec_V3 *rwRP, uint8_t *ar) { int rv = LIBRW_OK; /* return value */ uint32_t msec_flags; uint8_t is_tcp, prot_flags; /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ rv = _packPackTimeBytesPktsFlags((uint32_t*)&ar[12], (uint32_t*)&ar[16], &msec_flags,rwRP,rwGetFileSTime(rwIOS)); if (rv) { return rv; } _packPackProtoFlags(&is_tcp, &prot_flags, &ar[26], &ar[27], rwRP); /* msec_flags: sTime_msec:10; elaps_msec:10; pflag:1; * is_tcp:1; pad:2; prot_flags:8; */ /* overwrite the least significant 11 bits */ msec_flags = ((msec_flags & (MASKARRAY_21 << 11)) | (is_tcp ? (1 << 10) : 0) | prot_flags); /* sIP, dIP, sPort, dPort */ memcpy(&ar[ 0], &rwRP->sIP, 4); memcpy(&ar[ 4], &rwRP->dIP, 4); memcpy(&ar[ 8], &rwRP->sPort, 2); memcpy(&ar[10], &rwRP->dPort, 2); /* msec_flags */ memcpy(&ar[20], &msec_flags, 4); /* application */ memcpy(&ar[24], &rwRP->application, 2); return LIBRW_OK; } /* * _augmentedioRecordSwap_V1(dataPtr); * * Treat dataPtr as an RWAUGMENTED_V1 record and byte-swap it in place. */ static void _augmentedioRecordSwap_V1(uint8_t *dataPtr) { SWAP_DATA32(dataPtr + 0); /* sIP */ SWAP_DATA32(dataPtr + 4); /* dIP */ SWAP_DATA16(dataPtr + 8); /* sPort */ SWAP_DATA16(dataPtr + 10); /* dPort */ SWAP_DATA32(dataPtr + 12); /* pkts_stime */ SWAP_DATA32(dataPtr + 16); /* bbe */ SWAP_DATA32(dataPtr + 20); /* msec_flags */ SWAP_DATA16(dataPtr + 24); /* application */ /* Two single bytes: (26)tcp_state, (27)rest_flags */ } /* ********************************************************************* */ /* * Return length of record of specified version, or 0 if no such * version exists. See librw_priv.h for details. */ uint16_t _augmentedioGetRecLen(fileVersion_t vers) { switch (vers) { case 1: return RECLEN_RWAUGMENTED_V1; case 2: return RECLEN_RWAUGMENTED_V2; case 3: return RECLEN_RWAUGMENTED_V3; default: return 0; } } /* * status = _augmentedioSetFuncs(&rwIOSPtr); * * Checks that the file's version is allowed by this type, and sets * the record length and the read and write functions for this type. */ static int _augmentedioSetFuncs(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ assert(rwGetFileType(rwIOS) == FT_RWAUGMENTED); /* version check; set values based on version */ switch (rwGetFileVersion(rwIOS)) { case 0: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; case 1: case 2: case 3: /* V1 and V2 differ only in the padding of the header */ /* V2 and V3 differ only in that V3 supports compression on * read and write; V2 supports compression only on read */ rwIOS->rwUnpackFn = &_augmentedioRecordUnpack_V1; rwIOS->rwPackFn = &_augmentedioRecordPack_V1; rwIOS->rwSwapFn = &_augmentedioRecordSwap_V1; rwIOS->writeHdrFn = &_packedfileheaderWriteV0; break; default: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; } /* check compression */ if ((rwGetFileVersion(rwIOS) < COMPMETHOD_SUPPORTED) && (rwGetFileCompMethod(rwIOS) != SK_COMPMETHOD_NONE)) { if ((rwGetFileVersion(rwIOS) < (COMPMETHOD_SUPPORTED-1)) || (rwIOS->io_mode != SK_RWIO_READ)) { rv = LIBRW_ERR_UNSUPPORT_COMPRESS; goto END; } } rwIOS->recLen = _augmentedioGetRecLen(rwGetFileVersion(rwIOS)); if (rwIOS->recLen == 0) { skAppPrintErr("Record length not set for RWAUGMENTED version %u", (unsigned int)rwGetFileVersion(rwIOS)); assert(rwIOS->recLen > 0); abort(); } END: return rv; } /* * status = _augmentedioPrepareWrite(&rwIOS, start_time) * * Fills out the rwIOStruct and header for a brand new output stream: * it checks that the version is valid for this type of file, sets * record and header lengths, adds the start time to the header * structure, and it sets reading and memswapping function pointers * appropriately for the file's type and version. * * The writing function pointer is set so that the file's header will * be printed when the first record is output. * * Do not call this function when appending records to an existing * file. * * Returns LIBRW_OK on success; otherwise prints an error and returns * error code on failure: bad version, unable to read header. */ int _augmentedioPrepareWrite(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* Set version if none was selected by caller */ if (rwGetFileVersion(rwIOS) == SK_FILE_VERSION_ANY) { ((genericHeader*)rwIOS->hdr)->version = DEFAULT_FILE_VERSION; } /* check version; set reader/writer functions */ rv = _augmentedioSetFuncs(rwIOS); if (rv) { goto END; } /* create the header */ rv = _packedfileheaderCreateV0(rwIOS); if (rv) { goto END; } END: return rv; } /* * Set sizes and functions by version; read header after * genericHeader. See librw_priv.h for details. */ int _augmentedioPrepareRead(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* check version; set reader/writer functions */ rv = _augmentedioSetFuncs(rwIOS); if (rv) { goto END; } /* read remainder of header */ rv = _packedfileheaderReadV0(rwIOS); if (rv) { goto END; } END: return rv; }