softflowd.h 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302
  1. /*
  2. * Copyright (c) 2002 Damien Miller. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. * 1. Redistributions of source code must retain the above copyright
  8. * notice, this list of conditions and the following disclaimer.
  9. * 2. Redistributions in binary form must reproduce the above copyright
  10. * notice, this list of conditions and the following disclaimer in the
  11. * documentation and/or other materials provided with the distribution.
  12. *
  13. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23. */
  24. #ifndef _SOFTFLOWD_H
  25. #define _SOFTFLOWD_H
  26. #include "common.h"
  27. #include "sys-tree.h"
  28. #include "freelist.h"
  29. #include "treetype.h"
  30. #include <pcap.h>
  31. #ifdef ENABLE_PTHREAD
  32. #include <pthread.h>
  33. extern int use_thread;
  34. #endif /* ENABLE_PTHREAD */
  35. #ifdef ENABLE_NTOPNG
  36. #include <zmq.h>
  37. // The version field in NetFow and IPFIX headers is 16 bits unsiged int.
  38. // If the version number is over 0x7fff0000, it is unique number in softflowd.
  39. #define SOFTFLOWD_NF_VERSION_NTOPNG (0x7fff0001)
  40. #define SOFTFLOWD_NF_VERSION_NTOPNG_STRING "ntopng"
  41. struct ZMQ {
  42. void *context;
  43. void *socket;
  44. };
  45. #endif /* ENABLE_NTOPNG */
  46. /* User to setuid to and directory to chroot to when we drop privs */
  47. #ifndef PRIVDROP_USER
  48. #define PRIVDROP_USER "nobody"
  49. #endif
  50. #ifndef PRIVDROP_CHROOT_DIR
  51. #define PRIVDROP_CHROOT_DIR "/var/empty"
  52. #endif
  53. /*
  54. * Capture length for libpcap: Must fit the link layer header, plus
  55. * a maximally sized ip/ipv6 header and most of a TCP header
  56. */
  57. #define LIBPCAP_SNAPLEN_V4 96
  58. #define LIBPCAP_SNAPLEN_V6 160
  59. /*
  60. * Timeouts
  61. */
  62. #define DEFAULT_TCP_TIMEOUT 3600
  63. #define DEFAULT_TCP_RST_TIMEOUT 120
  64. #define DEFAULT_TCP_FIN_TIMEOUT 300
  65. #define DEFAULT_UDP_TIMEOUT 300
  66. #define DEFAULT_ICMP_TIMEOUT 300
  67. #define DEFAULT_GENERAL_TIMEOUT 3600
  68. #define DEFAULT_MAXIMUM_LIFETIME (3600*24*7)
  69. #define DEFAULT_EXPIRY_INTERVAL 60
  70. /*
  71. * Default maximum number of flow to track simultaneously
  72. * 8192 corresponds to just under 1Mb of flow data
  73. */
  74. #define DEFAULT_MAX_FLOWS 8192
  75. #define NF_VERSION_IPFIX 10
  76. /* Store a couple of statistics, maybe more in the future */
  77. struct STATISTIC {
  78. double min, mean, max;
  79. };
  80. /* Flow tracking levels */
  81. #define TRACK_FULL 1 /* src/dst/addr/port/proto/tos 6-tuple */
  82. #define TRACK_IP_PROTO_PORT 2 /* src/dst/addr/port/proto 5-tuple */
  83. #define TRACK_IP_PROTO 3 /* src/dst/proto 3-tuple */
  84. #define TRACK_IP_ONLY 4 /* src/dst tuple */
  85. #define TRACK_FULL_VLAN 5 /* src/dst/addr/port/proto/tos/vlanid 7-tuple */
  86. #define TRACK_FULL_VLAN_ETHER 6 /* src/dst/addr/port/proto/tos/vlanid/src-mac/dst-mac 9-tuple */
  87. #define SOFTFLOWD_MAX_DESTINATIONS 16
  88. /*
  89. * This structure contains optional information carried by Option Data
  90. * Record.
  91. */
  92. struct OPTION {
  93. uint32_t sample;
  94. pid_t meteringProcessId;
  95. };
  96. struct FLOWTRACKPARAMETERS {
  97. unsigned int num_flows; /* # of active flows */
  98. unsigned int max_flows; /* Max # of active flows */
  99. u_int64_t next_flow_seq; /* Next flow ID */
  100. /* Stuff related to flow export */
  101. struct timeval system_boot_time; /* SysUptime */
  102. int track_level; /* See TRACK_* above */
  103. /* Flow timeouts */
  104. int tcp_timeout; /* Open TCP connections */
  105. int tcp_rst_timeout; /* TCP flows after RST */
  106. int tcp_fin_timeout; /* TCP flows after bidi FIN */
  107. int udp_timeout; /* UDP flows */
  108. int icmp_timeout; /* ICMP flows */
  109. int general_timeout; /* Everything else */
  110. int maximum_lifetime; /* Maximum life for flows */
  111. int expiry_interval; /* Interval between expiries */
  112. /* Statistics */
  113. u_int64_t total_packets; /* # of good packets */
  114. u_int64_t non_sampled_packets; /* # of not sampled packets */
  115. u_int64_t frag_packets; /* # of fragmented packets */
  116. u_int64_t non_ip_packets; /* # of not-IP packets */
  117. u_int64_t bad_packets; /* # of bad packets */
  118. u_int64_t flows_expired; /* # expired */
  119. u_int64_t flows_exported; /* # of flows sent */
  120. u_int64_t flows_dropped; /* # of flows dropped */
  121. u_int64_t flows_force_expired; /* # of flows forced out */
  122. u_int64_t packets_sent; /* # netflow packets sent */
  123. u_int64_t records_sent; /* # netflow records sent */
  124. struct STATISTIC duration; /* Flow duration */
  125. struct STATISTIC octets; /* Bytes (bidir) */
  126. struct STATISTIC packets; /* Packets (bidir) */
  127. /* Per protocol statistics */
  128. u_int64_t flows_pp[256];
  129. u_int64_t octets_pp[256];
  130. u_int64_t packets_pp[256];
  131. struct STATISTIC duration_pp[256];
  132. /* Timeout statistics */
  133. u_int64_t expired_general;
  134. u_int64_t expired_tcp;
  135. u_int64_t expired_tcp_rst;
  136. u_int64_t expired_tcp_fin;
  137. u_int64_t expired_udp;
  138. u_int64_t expired_icmp;
  139. u_int64_t expired_maxlife;
  140. u_int64_t expired_overbytes;
  141. u_int64_t expired_maxflows;
  142. u_int64_t expired_flush;
  143. /* Optional information */
  144. struct OPTION option;
  145. char time_format;
  146. u_int8_t bidirection;
  147. u_int8_t adjust_time;
  148. u_int8_t is_psamp;
  149. struct timeval last_packet_time;
  150. };
  151. /*
  152. * This structure is the root of the flow tracking system.
  153. * It holds the root of the tree of active flows and the head of the
  154. * tree of expiry events. It also collects miscellaneous statistics
  155. */
  156. struct FLOWTRACK {
  157. /* The flows and their expiry events */
  158. FLOW_HEAD (FLOWS, FLOW) flows; /* Top of flow tree */
  159. EXPIRY_HEAD (EXPIRIES, EXPIRY) expiries; /* Top of expiries tree */
  160. struct freelist flow_freelist; /* Freelist for flows */
  161. struct freelist expiry_freelist; /* Freelist for expiry events */
  162. struct FLOWTRACKPARAMETERS param;
  163. };
  164. /*
  165. * This structure is an entry in the tree of flows that we are
  166. * currently tracking.
  167. *
  168. * Because flows are matched _bi-directionally_, they must be stored in
  169. * a canonical format: the numerically lowest address and port number must
  170. * be stored in the first address and port array slot respectively.
  171. */
  172. struct FLOW {
  173. /* Housekeeping */
  174. struct EXPIRY *expiry; /* Pointer to expiry record */
  175. FLOW_ENTRY (FLOW) trp; /* Tree pointer */
  176. /* Per-flow statistics (all in _host_ byte order) */
  177. u_int64_t flow_seq; /* Flow ID */
  178. struct timeval flow_start; /* Time of creation */
  179. struct timeval flow_last; /* Time of last traffic */
  180. /* Per-endpoint statistics (all in _host_ byte order) */
  181. u_int32_t octets[2]; /* Octets so far */
  182. u_int32_t packets[2]; /* Packets so far */
  183. /* Flow identity (all are in network byte order) */
  184. int af; /* Address family of flow */
  185. u_int32_t ip6_flowlabel[2]; /* IPv6 Flowlabel */
  186. union {
  187. struct in_addr v4;
  188. struct in6_addr v6;
  189. } addr[2]; /* Endpoint addresses */
  190. u_int16_t port[2]; /* Endpoint ports */
  191. u_int8_t tcp_flags[2]; /* Cumulative OR of flags */
  192. u_int8_t tos[2]; /* Tos */
  193. u_int16_t vlanid[2]; /* vlanid */
  194. uint8_t ethermac[2][6];
  195. u_int8_t protocol; /* Protocol */
  196. };
  197. /*
  198. * This is an entry in the tree of expiry events. The tree is used to
  199. * avoid traversion the whole tree of active flows looking for ones to
  200. * expire. "expires_at" is the time at which the flow should be discarded,
  201. * or zero if it is scheduled for immediate disposal.
  202. *
  203. * When a flow which hasn't been scheduled for immediate expiry registers
  204. * traffic, it is deleted from its current position in the tree and
  205. * re-inserted (subject to its updated timeout).
  206. *
  207. * Expiry scans operate by starting at the head of the tree and expiring
  208. * each entry with expires_at < now
  209. *
  210. */
  211. struct EXPIRY {
  212. EXPIRY_ENTRY (EXPIRY) trp; /* Tree pointer */
  213. struct FLOW *flow; /* pointer to flow */
  214. u_int32_t expires_at; /* time_t */
  215. enum {
  216. R_GENERAL, R_TCP, R_TCP_RST, R_TCP_FIN, R_UDP, R_ICMP,
  217. R_MAXLIFE, R_OVERBYTES, R_OVERFLOWS, R_FLUSH
  218. } reason;
  219. };
  220. struct DESTINATION {
  221. char *arg;
  222. int sock;
  223. struct sockaddr_storage ss;
  224. socklen_t sslen;
  225. char hostname[NI_MAXHOST];
  226. char servname[NI_MAXSERV];
  227. #ifdef ENABLE_NTOPNG
  228. struct ZMQ zmq;
  229. #endif
  230. };
  231. /* Describes a location where we send NetFlow packets to */
  232. struct NETFLOW_TARGET {
  233. int num_destinations;
  234. struct DESTINATION destinations[SOFTFLOWD_MAX_DESTINATIONS];
  235. const struct NETFLOW_SENDER *dialect;
  236. u_int8_t is_loadbalance;
  237. };
  238. struct SENDPARAMETER {
  239. struct FLOW **flows;
  240. int num_flows;
  241. struct NETFLOW_TARGET *target;
  242. u_int16_t ifidx;
  243. struct FLOWTRACKPARAMETERS *param;
  244. int verbose_flag;
  245. };
  246. /* Context for libpcap callback functions */
  247. struct CB_CTXT {
  248. struct FLOWTRACK *ft;
  249. struct NETFLOW_TARGET *target;
  250. int linktype;
  251. int fatal;
  252. int want_v6;
  253. };
  254. /* Prototype for functions shared from softflowd.c */
  255. u_int32_t timeval_sub_ms (const struct timeval *t1, const struct timeval *t2);
  256. int send_multi_destinations (int num_destinations,
  257. struct DESTINATION *destinations,
  258. u_int8_t is_loadbalnce, u_int8_t * packet,
  259. int size);
  260. void flow_cb (u_char * user_data, const struct pcap_pkthdr *phdr,
  261. const u_char * pkt);
  262. /* Prototypes for functions to send NetFlow packets, from netflow*.c */
  263. int send_netflow_v1 (struct SENDPARAMETER sp);
  264. int send_netflow_v5 (struct SENDPARAMETER sp);
  265. #ifdef ENABLE_NTOPNG
  266. /* Protypes for ntopng.c */
  267. int connect_ntopng (const char *host, const char *port, struct ZMQ *zmq);
  268. int send_ntopng (struct SENDPARAMETER sp);
  269. #endif /* ENABLE_NTOPNG */
  270. #endif /* _SOFTFLOWD_H */