softflowd.h 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
  1. /*
  2. * Copyright (c) 2002 Damien Miller. All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. * 1. Redistributions of source code must retain the above copyright
  8. * notice, this list of conditions and the following disclaimer.
  9. * 2. Redistributions in binary form must reproduce the above copyright
  10. * notice, this list of conditions and the following disclaimer in the
  11. * documentation and/or other materials provided with the distribution.
  12. *
  13. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23. */
  24. #ifndef _SOFTFLOWD_H
  25. #define _SOFTFLOWD_H
  26. #include "common.h"
  27. #include "sys-tree.h"
  28. #include "freelist.h"
  29. #include "treetype.h"
  30. #include <pcap.h>
  31. #ifdef ENABLE_PTHREAD
  32. #include <pthread.h>
  33. extern int use_thread;
  34. #endif /* ENABLE_PTHREAD */
  35. #ifdef ENABLE_NTOPNG
  36. #include <zmq.h>
  37. // The version field in NetFow and IPFIX headers is 16 bits unsiged int.
  38. // If the version number is over 0x7fff0000, it is unique number in softflowd.
  39. #define SOFTFLOWD_NF_VERSION_NTOPNG (0x7fff0001)
  40. #define SOFTFLOWD_NF_VERSION_NTOPNG_STRING "ntopng"
  41. struct ZMQ {
  42. void *context;
  43. void *socket;
  44. };
  45. #endif /* ENABLE_NTOPNG */
  46. /* User to setuid to and directory to chroot to when we drop privs */
  47. #ifndef PRIVDROP_USER
  48. #define PRIVDROP_USER "nobody"
  49. #endif
  50. #ifndef PRIVDROP_CHROOT_DIR
  51. #define PRIVDROP_CHROOT_DIR "/var/empty"
  52. #endif
  53. /*
  54. * Capture length for libpcap: Must fit the link layer header, plus
  55. * a maximally sized ip/ipv6 header and most of a TCP header
  56. */
  57. #define LIBPCAP_SNAPLEN_V4 96
  58. #define LIBPCAP_SNAPLEN_V6 160
  59. /*
  60. * Timeouts
  61. */
  62. #define DEFAULT_TCP_TIMEOUT 3600
  63. #define DEFAULT_TCP_RST_TIMEOUT 120
  64. #define DEFAULT_TCP_FIN_TIMEOUT 300
  65. #define DEFAULT_UDP_TIMEOUT 300
  66. #define DEFAULT_ICMP_TIMEOUT 300
  67. #define DEFAULT_GENERAL_TIMEOUT 3600
  68. #define DEFAULT_MAXIMUM_LIFETIME (3600*24*7)
  69. #define DEFAULT_EXPIRY_INTERVAL 60
  70. /*
  71. * Default maximum number of flow to track simultaneously
  72. * 8192 corresponds to just under 1Mb of flow data
  73. */
  74. #define DEFAULT_MAX_FLOWS 8192
  75. #define NF_VERSION_IPFIX 10
  76. /* Store a couple of statistics, maybe more in the future */
  77. struct STATISTIC {
  78. double min, mean, max;
  79. };
  80. /* Flow tracking levels */
  81. #define TRACK_FULL 1 /* src/dst/addr/port/proto/tos 6-tuple */
  82. #define TRACK_IP_PROTO_PORT 2 /* src/dst/addr/port/proto 5-tuple */
  83. #define TRACK_IP_PROTO 3 /* src/dst/proto 3-tuple */
  84. #define TRACK_IP_ONLY 4 /* src/dst tuple */
  85. #define TRACK_FULL_VLAN 5 /* src/dst/addr/port/proto/tos/vlanid 7-tuple */
  86. #define TRACK_FULL_VLAN_ETHER 6 /* src/dst/addr/port/proto/tos/vlanid/src-mac/dst-mac 9-tuple */
  87. #define SOFTFLOWD_MAX_DESTINATIONS 16
  88. /*
  89. * This structure contains optional information carried by Option Data
  90. * Record.
  91. */
  92. struct OPTION {
  93. uint32_t sample;
  94. pid_t meteringProcessId;
  95. char interfaceName[IFNAMSIZ];
  96. };
  97. struct FLOWTRACKPARAMETERS {
  98. unsigned int num_flows; /* # of active flows */
  99. unsigned int max_flows; /* Max # of active flows */
  100. u_int64_t next_flow_seq; /* Next flow ID */
  101. /* Stuff related to flow export */
  102. struct timeval system_boot_time; /* SysUptime */
  103. int track_level; /* See TRACK_* above */
  104. /* Flow timeouts */
  105. int tcp_timeout; /* Open TCP connections */
  106. int tcp_rst_timeout; /* TCP flows after RST */
  107. int tcp_fin_timeout; /* TCP flows after bidi FIN */
  108. int udp_timeout; /* UDP flows */
  109. int icmp_timeout; /* ICMP flows */
  110. int general_timeout; /* Everything else */
  111. int maximum_lifetime; /* Maximum life for flows */
  112. int expiry_interval; /* Interval between expiries */
  113. /* Statistics */
  114. u_int64_t total_packets; /* # of good packets */
  115. u_int64_t non_sampled_packets; /* # of not sampled packets */
  116. u_int64_t frag_packets; /* # of fragmented packets */
  117. u_int64_t non_ip_packets; /* # of not-IP packets */
  118. u_int64_t bad_packets; /* # of bad packets */
  119. u_int64_t flows_expired; /* # expired */
  120. u_int64_t flows_exported; /* # of flows sent */
  121. u_int64_t flows_dropped; /* # of flows dropped */
  122. u_int64_t flows_force_expired; /* # of flows forced out */
  123. u_int64_t packets_sent; /* # netflow packets sent */
  124. u_int64_t records_sent; /* # netflow records sent */
  125. struct STATISTIC duration; /* Flow duration */
  126. struct STATISTIC octets; /* Bytes (bidir) */
  127. struct STATISTIC packets; /* Packets (bidir) */
  128. /* Per protocol statistics */
  129. u_int64_t flows_pp[256];
  130. u_int64_t octets_pp[256];
  131. u_int64_t packets_pp[256];
  132. struct STATISTIC duration_pp[256];
  133. /* Timeout statistics */
  134. u_int64_t expired_general;
  135. u_int64_t expired_tcp;
  136. u_int64_t expired_tcp_rst;
  137. u_int64_t expired_tcp_fin;
  138. u_int64_t expired_udp;
  139. u_int64_t expired_icmp;
  140. u_int64_t expired_maxlife;
  141. u_int64_t expired_overbytes;
  142. u_int64_t expired_maxflows;
  143. u_int64_t expired_flush;
  144. /* Optional information */
  145. struct OPTION option;
  146. char time_format;
  147. u_int8_t bidirection;
  148. u_int8_t adjust_time;
  149. u_int8_t is_psamp;
  150. u_int8_t max_num_label;
  151. struct timeval last_packet_time;
  152. };
  153. /*
  154. * This structure is the root of the flow tracking system.
  155. * It holds the root of the tree of active flows and the head of the
  156. * tree of expiry events. It also collects miscellaneous statistics
  157. */
  158. struct FLOWTRACK {
  159. /* The flows and their expiry events */
  160. FLOW_HEAD (FLOWS, FLOW) flows; /* Top of flow tree */
  161. EXPIRY_HEAD (EXPIRIES, EXPIRY) expiries; /* Top of expiries tree */
  162. struct freelist flow_freelist; /* Freelist for flows */
  163. struct freelist expiry_freelist; /* Freelist for expiry events */
  164. struct FLOWTRACKPARAMETERS param;
  165. };
  166. /*
  167. * This structure is an entry in the tree of flows that we are
  168. * currently tracking.
  169. *
  170. * Because flows are matched _bi-directionally_, they must be stored in
  171. * a canonical format: the numerically lowest address and port number must
  172. * be stored in the first address and port array slot respectively.
  173. */
  174. struct FLOW {
  175. /* Housekeeping */
  176. struct EXPIRY *expiry; /* Pointer to expiry record */
  177. FLOW_ENTRY (FLOW) trp; /* Tree pointer */
  178. /* Per-flow statistics (all in _host_ byte order) */
  179. u_int64_t flow_seq; /* Flow ID */
  180. struct timeval flow_start; /* Time of creation */
  181. struct timeval flow_last; /* Time of last traffic */
  182. /* Per-endpoint statistics (all in _host_ byte order) */
  183. u_int32_t octets[2]; /* Octets so far */
  184. u_int32_t packets[2]; /* Packets so far */
  185. /* Flow identity (all are in network byte order) */
  186. int af; /* Address family of flow */
  187. u_int32_t ip6_flowlabel[2]; /* IPv6 Flowlabel */
  188. union {
  189. struct in_addr v4;
  190. struct in6_addr v6;
  191. } addr[2]; /* Endpoint addresses */
  192. u_int16_t port[2]; /* Endpoint ports */
  193. u_int8_t tcp_flags[2]; /* Cumulative OR of flags */
  194. u_int8_t tos[2]; /* Tos */
  195. u_int16_t vlanid[2]; /* vlanid */
  196. uint8_t ethermac[2][6];
  197. u_int8_t protocol; /* Protocol */
  198. u_int8_t flowEndReason;
  199. u_int32_t mplsLabelStackDepth;
  200. u_int32_t mplsLabels[10];
  201. };
  202. /*
  203. * This is an entry in the tree of expiry events. The tree is used to
  204. * avoid traversion the whole tree of active flows looking for ones to
  205. * expire. "expires_at" is the time at which the flow should be discarded,
  206. * or zero if it is scheduled for immediate disposal.
  207. *
  208. * When a flow which hasn't been scheduled for immediate expiry registers
  209. * traffic, it is deleted from its current position in the tree and
  210. * re-inserted (subject to its updated timeout).
  211. *
  212. * Expiry scans operate by starting at the head of the tree and expiring
  213. * each entry with expires_at < now
  214. *
  215. */
  216. struct EXPIRY {
  217. EXPIRY_ENTRY (EXPIRY) trp; /* Tree pointer */
  218. struct FLOW *flow; /* pointer to flow */
  219. u_int32_t expires_at; /* time_t */
  220. enum {
  221. R_GENERAL, R_TCP, R_TCP_RST, R_TCP_FIN, R_UDP, R_ICMP,
  222. R_MAXLIFE, R_OVERBYTES, R_OVERFLOWS, R_FLUSH
  223. } reason;
  224. };
  225. struct DESTINATION {
  226. char *arg;
  227. int sock;
  228. struct sockaddr_storage ss;
  229. socklen_t sslen;
  230. char hostname[NI_MAXHOST];
  231. char servname[NI_MAXSERV];
  232. #ifdef ENABLE_NTOPNG
  233. struct ZMQ zmq;
  234. #endif
  235. };
  236. /* Describes a location where we send NetFlow packets to */
  237. struct NETFLOW_TARGET {
  238. int num_destinations;
  239. struct DESTINATION destinations[SOFTFLOWD_MAX_DESTINATIONS];
  240. const struct NETFLOW_SENDER *dialect;
  241. u_int8_t is_loadbalance;
  242. };
  243. struct SENDPARAMETER {
  244. struct FLOW **flows;
  245. int num_flows;
  246. struct NETFLOW_TARGET *target;
  247. u_int16_t ifidx;
  248. struct FLOWTRACKPARAMETERS *param;
  249. int verbose_flag;
  250. };
  251. /* Context for libpcap callback functions */
  252. struct CB_CTXT {
  253. struct FLOWTRACK *ft;
  254. struct NETFLOW_TARGET *target;
  255. int linktype;
  256. int fatal;
  257. int want_v6;
  258. };
  259. /* Prototype for functions shared from softflowd.c */
  260. u_int32_t timeval_sub_ms (const struct timeval *t1, const struct timeval *t2);
  261. int send_multi_destinations (int num_destinations,
  262. struct DESTINATION *destinations,
  263. u_int8_t is_loadbalnce, u_int8_t * packet,
  264. int size);
  265. void flow_cb (u_char * user_data, const struct pcap_pkthdr *phdr,
  266. const u_char * pkt);
  267. /* Prototypes for functions to send NetFlow packets, from netflow*.c */
  268. int send_netflow_v1 (struct SENDPARAMETER sp);
  269. int send_netflow_v5 (struct SENDPARAMETER sp);
  270. #ifdef ENABLE_NTOPNG
  271. /* Protypes for ntopng.c */
  272. int connect_ntopng (const char *host, const char *port, struct ZMQ *zmq);
  273. int send_ntopng (struct SENDPARAMETER sp);
  274. #endif /* ENABLE_NTOPNG */
  275. #endif /* _SOFTFLOWD_H */