/* ** Copyright (C) 2001-2006 by Carnegie Mellon University. ** ** @OPENSOURCE_HEADER_START@ ** ** Use of the SILK system and related source code is subject to the terms ** of the following licenses: ** ** GNU Public License (GPL) Rights pursuant to Version 2, June 1991 ** Government Purpose License Rights (GPLR) pursuant to DFARS 252.225-7013 ** ** NO WARRANTY ** ** ANY INFORMATION, MATERIALS, SERVICES, INTELLECTUAL PROPERTY OR OTHER ** PROPERTY OR RIGHTS GRANTED OR PROVIDED BY CARNEGIE MELLON UNIVERSITY ** PURSUANT TO THIS LICENSE (HEREINAFTER THE "DELIVERABLES") ARE ON AN ** "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY ** KIND, EITHER EXPRESS OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT ** LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, ** MERCHANTABILITY, INFORMATIONAL CONTENT, NONINFRINGEMENT, OR ERROR-FREE ** OPERATION. CARNEGIE MELLON UNIVERSITY SHALL NOT BE LIABLE FOR INDIRECT, ** SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS LOSS OF PROFITS OR INABILITY ** TO USE SAID INTELLECTUAL PROPERTY, UNDER THIS LICENSE, REGARDLESS OF ** WHETHER SUCH PARTY WAS AWARE OF THE POSSIBILITY OF SUCH DAMAGES. ** LICENSEE AGREES THAT IT WILL NOT MAKE ANY WARRANTY ON BEHALF OF ** CARNEGIE MELLON UNIVERSITY, EXPRESS OR IMPLIED, TO ANY PERSON ** CONCERNING THE APPLICATION OF OR THE RESULTS TO BE OBTAINED WITH THE ** DELIVERABLES UNDER THIS LICENSE. ** ** Licensee hereby agrees to defend, indemnify, and hold harmless Carnegie ** Mellon University, its trustees, officers, employees, and agents from ** all claims or demands made against them (and any related losses, ** expenses, or attorney's fees) arising out of, or relating to Licensee's ** and/or its sub licensees' negligent use or willful misuse of or ** negligent conduct or willful misconduct regarding the Software, ** facilities, or other rights or assistance granted by Carnegie Mellon ** University under this License, including, but not limited to, any ** claims of product liability, personal injury, death, damage to ** property, or violation of any laws or regulations. ** ** Carnegie Mellon University Software Engineering Institute authored ** documents are sponsored by the U.S. Department of Defense under ** Contract F19628-00-C-0003. Carnegie Mellon University retains ** copyrights in all material produced under this contract. The U.S. ** Government retains a non-exclusive, royalty-free license to publish or ** reproduce these documents, or allow others to do so, for U.S. ** Government purposes only pursuant to the copyright license under the ** contract clause at 252.227.7013. ** ** @OPENSOURCE_HEADER_END@ */ /* ** rwsplitio.c ** ** Suresh L Konda ** routines to do io stuff with split records. */ #include "silk.h" RCSIDENT("$SiLK: rwsplitio.c 5883 2006-12-08 21:54:58Z mthomas $"); #include "librw_priv.h" /* Version to use when SK_FILE_VERSION_ANY is specified */ #define DEFAULT_FILE_VERSION 4 /* * Version where data compression is enabled. We support full * compression as of this version. For files one version below this, * we only support reading compressed files---files created with * SiLK-0.10.0 through SiLK-0.10.4 */ #define COMPMETHOD_SUPPORTED 4 /* ********************************************************************* */ /* ** RWSPLIT VERSION 1 ** RWSPLIT VERSION 2 ** ** ipUnion sIP; // 0- 3 Source IP ** ipUnion dIP; // 4- 7 Destination IP ** ** uint16_t sPort; // 8- 9 Source port ** uint16_t dPort; // 10-11 Destination port ** ** uint32_t pef; // 12-15 ** // uint32_t pkts :20; // Count of packets ** // uint32_t elapsed :11; // Duration of flow ** // uint32_t pflag : 1; // 'pkts' requires multiplier? ** ** uint32_t sbb; // 16-19 ** // uint32_t sTime :12; // Start time--offset from hour ** // uint32_t bPPkt :14; // Whole bytes-per-packet ** // uint32_t bPPFrac : 6; // Fractional bytes-per-packet ** ** uint8_t proto; // 20 IP protocol ** uint8_t flags; // 21 OR of all TCP flags on all pkts ** ** ** 22 bytes on disk. */ #define RECLEN_RWSPLIT_V1 22 #define RECLEN_RWSPLIT_V2 22 /* * Unpack the array of bytes 'ar' into a record 'rwRP' */ static int _splitioRecordUnpack_V1( rwIOStruct_t *rwIOS, rwGenericRec_V3 *rwRP, const uint8_t *ar) { /* sIP, dIP, sPort, dPort */ memcpy(&rwRP->sIP, &ar[0], 4); memcpy(&rwRP->dIP, &ar[4], 4); memcpy(&rwRP->sPort, &ar[8], 2); memcpy(&rwRP->dPort, &ar[10], 2); /* pkts, elapsed, sTime, bytes, bpp */ _packUnpackSbbPef(rwRP, rwGetFileSTime(rwIOS), (uint32_t*)&ar[16], (uint32_t*)&ar[12]); /* proto, flags */ rwRP->proto = ar[20]; rwRP->flags = ar[21]; /* sensor, flow_type from file name/header */ rwRP->sID = rwIOS->sID; rwRP->flow_type = rwIOS->flow_type; return LIBRW_OK; } /* * Pack the record 'rwRP' into an array of bytes 'ar' */ static int _splitioRecordPack_V1( rwIOStruct_t *rwIOS, const rwGenericRec_V3 *rwRP, uint8_t *ar) { int rv = LIBRW_OK; /* return value */ /* Check sizes of fields we've expanded in later versions */ /* Nothing to check for rwsplit */ /* pkts, elapsed, sTime, bytes, bpp */ rv = _packPackSbbPef((uint32_t*)&ar[16], (uint32_t*)&ar[12], rwRP, rwGetFileSTime(rwIOS)); if (rv) { return rv; } /* sIP, dIP, sPort, dPort */ memcpy(&ar[0], &rwRP->sIP, 4); memcpy(&ar[4], &rwRP->dIP, 4); memcpy(&ar[8], &rwRP->sPort, 2); memcpy(&ar[10], &rwRP->dPort, 2); /* proto, flags */ ar[20] = rwRP->proto; ar[21] = rwRP->flags; return LIBRW_OK; } /* * _splitioRecordSwap_V1(dataPtr); * * Treat dataPtr as an RWSPLIT_V{1,2} record and byte-swap it in place. */ static void _splitioRecordSwap_V1(uint8_t *dataPtr) { SWAP_DATA32(dataPtr + 0); /* sIP */ SWAP_DATA32(dataPtr + 4); /* dIP */ SWAP_DATA16(dataPtr + 8); /* sPort */ SWAP_DATA16(dataPtr + 10); /* dPort */ SWAP_DATA32(dataPtr + 12); /* pef */ SWAP_DATA32(dataPtr + 16); /* sbb */ /* Two single bytes: (20)proto, (21)flags */ } /* ********************************************************************* */ /* ** RWSPLIT VERSION 3 ** RWSPLIT VERSION 4 ** ** ipUnion sIP; // 0- 3 Source IP ** ipUnion dIP; // 4- 7 Destination IP ** ** uint16_t sPort; // 8- 9 Source port ** uint16_t dPort; // 10-11 Destination port ** ** uint32_t pkts_stime; // 12-15 ** // uint32_t pkts :20; // Count of packets ** // uint32_t sTime :12; // Start time--offset from hour ** ** uint32_t bbe; // 16-19 ** // uint32_t bPPkt :14; // Whole bytes-per-packet ** // uint32_t bPPFrac : 6; // Fractional bytes-per-packet ** // uint32_t elapsed :12; // Duration of flow ** ** uint32_t msec_flags // 20-23 ** // uint32_t sTime_msec:10; // Fractional sTime (millisec) ** // uint32_t elaps_msec:10; // Fractional elapsed (millisec) ** // uint32_t pflag : 1; // 'pkts' requires multiplier? ** // uint32_t is_tcp : 1; // 1 if flow is TCP; 0 otherwise ** // uint32_t padding : 2; // padding/reserved ** // uint32_t prot_flags: 8; // is_tcp==0: IP protocol ** // is_tcp==1: TCP flags ** ** ** 24 bytes on disk. */ #define RECLEN_RWSPLIT_V3 24 #define RECLEN_RWSPLIT_V4 24 /* * Unpack the array of bytes 'ar' into a record 'rwRP' */ static int _splitioRecordUnpack_V3( rwIOStruct_t *rwIOS, rwGenericRec_V3 *rwRP, const uint8_t *ar) { /* sIP, dIP, sPort, dPort */ memcpy(&rwRP->sIP, &ar[ 0], 4); memcpy(&rwRP->dIP, &ar[ 4], 4); memcpy(&rwRP->sPort, &ar[ 8], 2); memcpy(&rwRP->dPort, &ar[10], 2); /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ _packUnpackTimeBytesPktsFlags(rwRP, rwGetFileSTime(rwIOS), (uint32_t*)&ar[12], (uint32_t*)&ar[16], (uint32_t*)&ar[20]); /* sensor, flow_type from file name/header */ rwRP->sID = rwIOS->sID; rwRP->flow_type = rwIOS->flow_type; return LIBRW_OK; } /* * Pack the record 'rwRP' into an array of bytes 'ar' */ static int _splitioRecordPack_V3( rwIOStruct_t *rwIOS, const rwGenericRec_V3 *rwRP, uint8_t *ar) { int rv = LIBRW_OK; /* return value */ /* sTime, pkts, bytes, elapsed, proto, tcp-flags, bpp */ rv = _packPackTimeBytesPktsFlags((uint32_t*)&ar[12], (uint32_t*)&ar[16], (uint32_t*)&ar[20], rwRP, rwGetFileSTime(rwIOS)); if (rv) { return rv; } /* sIP, dIP, sPort, dPort */ memcpy(&ar[ 0], &rwRP->sIP, 4); memcpy(&ar[ 4], &rwRP->dIP, 4); memcpy(&ar[ 8], &rwRP->sPort, 2); memcpy(&ar[10], &rwRP->dPort, 2); return LIBRW_OK; } /* * _splitioRecordSwap_V3(dataPtr); * * Treat dataPtr as an RWSPLIT_V3 record and byte-swap it in place. */ static void _splitioRecordSwap_V3(uint8_t *dataPtr) { SWAP_DATA32(dataPtr + 0); /* sIP */ SWAP_DATA32(dataPtr + 4); /* dIP */ SWAP_DATA16(dataPtr + 8); /* sPort */ SWAP_DATA16(dataPtr + 10); /* dPort */ SWAP_DATA32(dataPtr + 12); /* pkts_stime */ SWAP_DATA32(dataPtr + 16); /* bbe */ SWAP_DATA32(dataPtr + 20); /* msec_flags */ } /* ********************************************************************* */ /* * Return length of record of specified version, or 0 if no such * version exists. See librw_priv.h for details. */ uint16_t _splitioGetRecLen(fileVersion_t vers) { switch (vers) { case 1: return RECLEN_RWSPLIT_V1; case 2: return RECLEN_RWSPLIT_V2; case 3: return RECLEN_RWSPLIT_V3; case 4: return RECLEN_RWSPLIT_V4; default: return 0; } } /* * status = _splitioSetFuncs(&rwIOSPtr); * * Checks that the file's version is allowed by this type, and sets * the record length and the read and write functions for this type. */ static int _splitioSetFuncs(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ assert(rwGetFileType(rwIOS) == FT_RWSPLIT); /* version check; set values based on version */ switch (rwGetFileVersion(rwIOS)) { case 0: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; case 1: case 2: /* V1 and V2 differ only in the padding of the header */ rwIOS->rwUnpackFn = &_splitioRecordUnpack_V1; rwIOS->rwPackFn = &_splitioRecordPack_V1; rwIOS->rwSwapFn = &_splitioRecordSwap_V1; rwIOS->writeHdrFn = &_packedfileheaderWriteV0; break; case 3: case 4: /* V3 and V4 differ only in that V4 supports compression on * read and write; V3 supports compression only on read */ rwIOS->rwUnpackFn = &_splitioRecordUnpack_V3; rwIOS->rwPackFn = &_splitioRecordPack_V3; rwIOS->rwSwapFn = &_splitioRecordSwap_V3; rwIOS->writeHdrFn = &_packedfileheaderWriteV0; break; default: rv = LIBRW_ERR_UNSUPPORT_VERSION; goto END; } /* check compression */ if ((rwGetFileVersion(rwIOS) < COMPMETHOD_SUPPORTED) && (rwGetFileCompMethod(rwIOS) != SK_COMPMETHOD_NONE)) { if ((rwGetFileVersion(rwIOS) < (COMPMETHOD_SUPPORTED-1)) || (rwIOS->io_mode != SK_RWIO_READ)) { rv = LIBRW_ERR_UNSUPPORT_COMPRESS; goto END; } } rwIOS->recLen = _splitioGetRecLen(rwGetFileVersion(rwIOS)); if (rwIOS->recLen == 0) { skAppPrintErr("Record length not set for RWSPLIT version %u", (unsigned int)rwGetFileVersion(rwIOS)); assert(rwIOS->recLen > 0); abort(); } END: return rv; } /* * status = _splitioPrepareWrite(&rwIOS, start_time) * * Fills out the rwIOStruct and header for a brand new output stream: * it checks that the version is valid for this type of file, sets * record and header lengths, adds the start time to the header * structure, and it sets reading and memswapping function pointers * appropriately for the file's type and version. * * The writing function pointer is set so that the file's header will * be printed when the first record is output. * * Do not call this function when appending records to an existing * file. * * Returns LIBRW_OK on success; otherwise prints an error and returns * error code on failure: bad version, unable to read header. */ int _splitioPrepareWrite(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* Set version if none was selected by caller */ if (rwGetFileVersion(rwIOS) == SK_FILE_VERSION_ANY) { ((genericHeader*)rwIOS->hdr)->version = DEFAULT_FILE_VERSION; } /* check version; set reader/writer functions */ rv = _splitioSetFuncs(rwIOS); if (rv) { goto END; } /* create the header */ rv = _packedfileheaderCreateV0(rwIOS); if (rv) { goto END; } END: return rv; } /* * Set sizes and functions by version; read header after * genericHeader. See librw_priv.h for details. */ int _splitioPrepareRead(rwIOStruct *rwIOS) { int rv = LIBRW_OK; /* return value */ /* check version; set reader/writer functions */ rv = _splitioSetFuncs(rwIOS); if (rv) { goto END; } /* read remainder of header */ rv = _packedfileheaderReadV0(rwIOS); if (rv) { goto END; } END: return rv; }