/* ** Copyright (C) 2005-2006 by Carnegie Mellon University. ** ** @OPENSOURCE_HEADER_START@ ** ** Use of the SILK system and related source code is subject to the terms ** of the following licenses: ** ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991 ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.225-7013 ** ** NO WARRANTY ** ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT, ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES. ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE ** DELIVERABLES UNDER THIS LICENSE. ** ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie ** Mellon University, its trustees, officers, employees, and agents from ** all claims or demands made against them (and any related losses, ** expenses, or attorney's fees) arising out of, or relating to Licensee's ** and/or its sub licensees' negligent use or willful misuse of or ** negligent conduct or willful misconduct regarding the Software, ** facilities, or other rights or assistance granted by Carnegie Mellon ** University under this License, including, but not limited to, any ** claims of product liability, personal injury, death, damage to ** property, or violation of any laws or regulations. ** ** Carnegie Mellon University Software Engineering Institute authored ** documents are sponsored by the U.S. Department of Defense under ** Contract F19628-00-C-0003. Carnegie Mellon University retains ** copyrights in all material produced under this contract. The U.S. ** Government retains a non-exclusive, royalty-free license to publish or ** reproduce these documents, or allow others to do so, for U.S. ** Government purposes only pursuant to the copyright license under the ** contract clause at 252.227.7013. ** ** @OPENSOURCE_HEADER_END@ */ /* ** rwaugwebio.c ** ** Suresh L Konda ** routines to do io stuff with augweb records. */ #include "silk.h" RCSIDENT("$SiLK: rwaugwebio.c 5924 2006-12-11 22:31:08Z mthomas $"); #include "librw_priv.h" /* Version to use when SK_FILE_VERSION_ANY is specified */ #define DEFAULT_FILE_VERSION 3 /* * Version where data compression is enabled. We support full * compression as of this version. For files one version below this, * we only support reading compressed files---files created with * SiLK-0.10.0 through SiLK-0.10.4 */ #define COMPMETHOD_SUPPORTED 3 /* ********************************************************************* */ /* ** RWAUGWEB VERSION 1 ** RWAUGWEB VERSION 2 ** RWAUGWEB VERSION 3 ** ** ipUnion sIP; // 0- 3 Source IP ** ipUnion dIP; // 4- 7 Destination IP ** ** uint32_t pkts_stime; // 8-11 ** // uint32_t pkts :20; // Count of packets ** // uint32_t sTime :12; // Start time--offset from hour ** ** uint32_t bbe; // 12-15 ** // uint32_t bPPkt :14; // Whole bytes-per-packet ** // uint32_t bPPFrac : 6; // Fractional bytes-per-packet ** // uint32_t elapsed :12; // Duration of flow ** ** uint32_t msec_prt_flags // 16-19 ** // uint32_t sTime_msec:10; // Fractional sTime (millisec) ** // uint32_t elaps_msec:10; // Fractional elapsed (millisec) ** // uint32_t pflag : 1; // 'pkts' requires multiplier? ** // uint32_t srcIsSrv : 1; // 1 if srv_port is src; 0 if dest ** // uint32_t srv_port : 2; // server port: 0=80; 1=443; 2=8080 ** // uint32_t a_1_flags : 8; // tcp_state==0: TCP flags/All pkts ** // tcp_state==1: TCP flags/1st pkt ** ** uint16_t clnt_port; // 20-21 Non-Web Port ** ** uint16_t application; // 22-23 Type of traffic ** ** uint8_t tcp_state; // 24 TCP state machine info ** uint8_t rest_flags; // 25 tcp_state==0: Empty ** // tcp_state==1: TCPflags/rest pkts ** ** ** 26 bytes on disk. */ #define RECLEN_RWAUGWEB_V1 26 #define RECLEN_RWAUGWEB_V2 26 #define RECLEN_RWAUGWEB_V3 26 /* * Unpack the array of bytes 'ar' into a record 'rwRP' */ static int _augwebioRecordUnpack_V1( rwIOStruct_t *rwIOS, rwGenericRec_V3 *rwRP, const uint8_t *ar) { uint32_t msec_prt_flags; uint16_t clnt_port, srv_port; uint8_t src_is_server, a_1_flags; /* sIP, dIP */ memcpy(&rwRP->sIP, &ar[ 0], 4); memcpy(&rwRP->dIP, &ar[ 4], 4); /* fractional-times, server-port, flags */ memcpy(&msec_prt_flags, &ar[16], 4); /* client (non-web) port */ memcpy(&clnt_port, &ar[20], 2); /* application */ memcpy(&rwRP->application, &ar[22], 2); /* msec_prt_flags: sTime_msec:10; elaps_msec:10; pflag:1; * srcIsSrv:1; srv_port:2; a_1_flags:8; */ src_is_server = GET_MASKED_BITS(msec_prt_flags, 10, 1); srv_port = (uint16_t)GET_MASKED_BITS(msec_prt_flags, 8, 2); a_1_flags = (uint8_t)GET_MASKED_BITS(msec_prt_flags, 0, 8); /* unpack server port */ srv_port = EXPAND_WEBPORT(srv_port); /* set source and destination ports */ if (src_is_server) { memcpy(&rwRP->sPort, &srv_port, 2); memcpy(&rwRP->dPort, &clnt_port, 2); } else { memcpy(&rwRP->dPort, &srv_port, 2); memcpy(&rwRP->sPort, &clnt_port, 2); } /* proto is fixed. Must make certain this is set before * calling _packUnpackTimeBytesPktsFlags(). */ rwRP->proto = 6; /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ _packUnpackTimeBytesPktsFlags(rwRP, rwGetFileSTime(rwIOS), (uint32_t*)&ar[8], (uint32_t*)&ar[12], &msec_prt_flags); /* Augmented TCP information */ _packUnpackProtoFlags(rwRP, 1, a_1_flags, ar[24], ar[25]); /* sensor, flow_type from file name/header */ rwRP->sID = rwIOS->sID; rwRP->flow_type = rwIOS->flow_type; return LIBRW_OK; } /* * Pack the record 'rwRP' into an array of bytes 'ar' */ static int _augwebioRecordPack_V1( rwIOStruct_t *rwIOS, const rwGenericRec_V3 *rwRP, uint8_t *ar) { int rv = LIBRW_OK; /* return value */ uint32_t msec_prt_flags; uint8_t is_tcp, a_1_flags; unsigned int src_is_server; /* verify protocol is TCP. Should we also check that the port is * one of those we encode---i.e., should we do the entire IS_WEB() * check here, or do we assume the caller knows what they are * doing in choosing this file type? */ if (rwRP->proto != 6) { return LIBRW_ERR_PROTO_MISMATCH; } /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ rv = _packPackTimeBytesPktsFlags((uint32_t*)&ar[8], (uint32_t*)&ar[12], &msec_prt_flags, rwRP, rwGetFileSTime(rwIOS)); if (rv) { return rv; } _packPackProtoFlags(&is_tcp, &a_1_flags, &ar[24], &ar[25], rwRP); /* Is the source port the server's port? */ src_is_server = WEBP(rwRP->sPort); /* msec_prt_flags: sTime_msec:10; elaps_msec:10; pflag:1; * srcIsSrv:1; srv_port:2; a_1_flags:8; */ /* overwrite the least significant 11 bits so that we get the * initial tcp flags if tcp_state!=0. */ msec_prt_flags = ((msec_prt_flags & (MASKARRAY_21 << 11)) | ((src_is_server == 0) ? 0 : (1 << 10)) | (WEBPORT(src_is_server ? rwRP->sPort : rwRP->dPort)<<8) | a_1_flags); /* sIP, dIP */ memcpy(&ar[ 0], &rwRP->sIP, 4); memcpy(&ar[ 4], &rwRP->dIP, 4); /* fractional-times, server-port, tcp-flags */ memcpy(&ar[16], &msec_prt_flags, 4); /* client (non-web) port */ memcpy(&ar[20], (src_is_server ? &rwRP->dPort : &rwRP->sPort), 2); /* application */ memcpy(&ar[22], &rwRP->application, 2); return LIBRW_OK; } /* * _augwebioRecordSwap_V1(dataPtr); * * Treat dataPtr as an RWAUGWEB_V1 record and byte-swap it in place. */ static void _augwebioRecordSwap_V1(uint8_t *dataPtr) { SWAP_DATA32(dataPtr + 0); /* sIP */ SWAP_DATA32(dataPtr + 4); /* dIP */ SWAP_DATA32(dataPtr + 8); /* pkts_stime */ SWAP_DATA32(dataPtr + 12); /* bbe */ SWAP_DATA32(dataPtr + 16); /* msec_prt_flags */ SWAP_DATA16(dataPtr + 20); /* client port */ SWAP_DATA16(dataPtr + 22); /* application */ /* Two single bytes: (24)tcp_state, (25)rest_flags */ } /* ********************************************************************* */ /* * Return length of record of specified version, or 0 if no such * version exists. See librw_priv.h for details. */ uint16_t _augwebioGetRecLen(fileVersion_t vers) { switch (vers) { case 1: return RECLEN_RWAUGWEB_V1; case 2: return RECLEN_RWAUGWEB_V2; case 3: return RECLEN_RWAUGWEB_V3; default: return 0; } } /* * status = _augwebioSetFuncs(&rwIOSPtr); * * Checks that the file's version is allowed by this type, and sets * the record length and the read and write functions for this type. */ static int _augwebioSetFuncs(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ assert(rwGetFileType(rwIOS) == FT_RWAUGWEB); /* version check; set values based on version */ switch (rwGetFileVersion(rwIOS)) { case 0: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; case 1: case 2: case 3: /* V1 and V2 differ only in the padding of the header */ /* V2 and V3 differ only in that V3 supports compression on * read and write; V2 supports compression only on read */ rwIOS->rwUnpackFn = &_augwebioRecordUnpack_V1; rwIOS->rwPackFn = &_augwebioRecordPack_V1; rwIOS->rwSwapFn = &_augwebioRecordSwap_V1; rwIOS->writeHdrFn = &_packedfileheaderWriteV0; break; default: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; } /* check compression */ if ((rwGetFileVersion(rwIOS) < COMPMETHOD_SUPPORTED) && (rwGetFileCompMethod(rwIOS) != SK_COMPMETHOD_NONE)) { if ((rwGetFileVersion(rwIOS) < (COMPMETHOD_SUPPORTED-1)) || (rwIOS->io_mode != SK_RWIO_READ)) { rv = LIBRW_ERR_UNSUPPORT_COMPRESS; goto END; } } rwIOS->recLen = _augwebioGetRecLen(rwGetFileVersion(rwIOS)); if (rwIOS->recLen == 0) { skAppPrintErr("Record length not set for RWAUGWEB version %u", (unsigned int)rwGetFileVersion(rwIOS)); assert(rwIOS->recLen > 0); abort(); } END: return rv; } /* * status = _augwebioPrepareWrite(&rwIOS, start_time) * * Fills out the rwIOStruct and header for a brand new output stream: * it checks that the version is valid for this type of file, sets * record and header lengths, adds the start time to the header * structure, and it sets reading and memswapping function pointers * appropriately for the file's type and version. * * The writing function pointer is set so that the file's header will * be printed when the first record is output. * * Do not call this function when appending records to an existing * file. * * Returns LIBRW_OK on success; otherwise prints an error and returns * error code on failure: bad version, unable to read header. */ int _augwebioPrepareWrite(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* Set version if none was selected by caller */ if (rwGetFileVersion(rwIOS) == SK_FILE_VERSION_ANY) { ((genericHeader*)rwIOS->hdr)->version = DEFAULT_FILE_VERSION; } /* check version; set reader/writer functions */ rv = _augwebioSetFuncs(rwIOS); if (rv) { goto END; } /* create the header */ rv = _packedfileheaderCreateV0(rwIOS); if (rv) { goto END; } END: return rv; } /* * Set sizes and functions by version; read header after * genericHeader. See librw_priv.h for details. */ int _augwebioPrepareRead(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* check version; set reader/writer functions */ rv = _augwebioSetFuncs(rwIOS); if (rv) { goto END; } /* read remainder of header */ rv = _packedfileheaderReadV0(rwIOS); if (rv) { goto END; } END: return rv; }