Net.cc File Reference

#include "config.h"
#include <sys/types.h>
#include <time.h>
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include "NetVar.h"
#include "Sessions.h"
#include "Event.h"
#include "Timer.h"
#include "Var.h"
#include "Logger.h"
#include "Net.h"
#include "TCP_Rewriter.h"
#include "Anon.h"
#include "PacketSort.h"
#include "Serializer.h"
#include "setsignal.h"

Include dependency graph for Net.cc:

Go to the source code of this file.

Functions
int	select (int, fd_set *, fd_set *, fd_set *, struct timeval *)
	PList (PktSrc) pkt_srcs
RETSIGTYPE	watchdog (int)
void	net_init (name_list &interfaces, name_list &readfiles, const char *writefile, const char *transformed_writefile, const char *filter, const char *secondary_filter, int do_watchdog)
void	net_packet_dispatch (double t, const struct pcap_pkthdr *hdr, const u_char *pkt, int hdr_size, PktSrc *src_ps, PacketSortElement *pkt_elem)
int	process_packet_sorter (double lastest_packet_time)
void	net_packet_arrival (double t, const struct pcap_pkthdr *hdr, const u_char *pkt, int hdr_size, PktSrc *src_ps)
void	net_run ()
void	net_get_final_stats ()
void	net_finish (int drain_events)
void	net_delete ()
int	net_packet_match (BPF_Program *fp, const u_char *pkt, u_int len, u_int caplen)
void	net_suspend_processing ()
void	net_continue_processing ()
Variables
PktDumper *	pkt_dumper = 0
PktDumper *	pkt_transformed_dumper = 0
PacketDumper *	transformed_pkt_dump = 0
PacketDumper *	source_pkt_dump = 0
int	transformed_pkt_dump_MTU = 1514
int	reading_live = 0
int	reading_traces = 0
int	have_pending_timers = 0
int	pseudo_realtime = 0
char *	user_pcap_filter = 0
bool	using_communication = false
double	network_time = 0.0
double	processing_start_time = 0.0
double	bro_start_time = 0.0
double	last_watchdog_proc_time = 0.0
bool	terminating = false
PacketSortGlobalPQ *	packet_sorter = 0
const struct pcap_pkthdr *	current_hdr = 0
const u_char *	current_pkt = 0
int	current_dispatched = 0
PktSrc *	current_pktsrc = 0
int	_processing_suspended = 0

---

Function Documentation

void net_continue_processing (   )

Definition at line 571 of file Net.cc. References _processing_suspended, bro_logger, and Logger::Log(). Referenced by RemoteSerializer::ProcessPhaseDone(). { if ( _processing_suspended == 1 ) bro_logger->Log("processing continued"); --_processing_suspended; }

void net_delete (   )

Definition at line 525 of file Net.cc. References ip_anonymizer, NUM_ADDR_ANONYMIZATION_METHODS, packet_sorter, sessions, and transformed_pkt_dump. Referenced by main(), and termination_signal(). { delete sessions; delete packet_sorter; // Can't put this in net_finish() because packets might be // dumped when connections are deleted. if ( transformed_pkt_dump ) delete transformed_pkt_dump; for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i ) delete ip_anonymizer[i]; }

void net_finish (  int  drain_events  )

Definition at line 497 of file Net.cc. References NetSessions::Done(), NetSessions::Drain(), EventMgr::Drain(), mgr, num_packets_cleaned, num_packets_held, pkt_dumper, pkt_transformed_dumper, and sessions. Referenced by done_with_network(), and watchdog(). { if ( drain_events ) { if ( sessions ) sessions->Drain(); mgr.Drain(); if ( sessions ) sessions->Done(); } delete pkt_dumper; delete pkt_transformed_dumper; // fprintf(stderr, "uhash: %d/%d\n", hash_cnt_uhash, hash_cnt_all); #ifdef DEBUG extern int reassem_seen_bytes, reassem_copied_bytes; // DEBUG_MSG("Reassembly (TCP and IP/Frag): %d bytes seen, %d bytes copied\n", reassem_seen_bytes, reassem_copied_bytes); extern int num_packets_held, num_packets_cleaned; // DEBUG_MSG("packets clean up: %d/%d\n", num_packets_cleaned, num_packets_held); #endif }

void net_get_final_stats (   )

Definition at line 481 of file Net.cc. References PktSrc::Stats::dropped, PktSrc::Interface(), PktSrc::IsLive(), loop_over_list, PktSrc::Stats::received, and PktSrc::Statistics(). Referenced by net_run(), termination_signal(), and watchdog(). { loop_over_list(pkt_srcs, i) { PktSrc* ps = pkt_srcs[i]; if ( ps->IsLive() ) { struct PktSrc::Stats s; ps->Statistics(&s); fprintf(stderr, "%d packets received on interface %s, %d dropped\n", s.received, ps->Interface(), s.dropped); } } }

void net_init (  name_list &  interfaces, name_list &  readfiles, const char *  writefile, const char *  transformed_writefile, const char *  filter, const char *  secondary_filter, int  do_watchdog )

Definition at line 155 of file Net.cc. References PktSrc::AddSecondaryTablePrograms(), PktSrc::ErrorMsg(), PktDumper::ErrorMsg(), init_ip_addr_anonymizers(), init_net_var(), io_sources, ip_anonymizer, PktDumper::IsError(), IOSource::IsOpen(), NUM_ADDR_ANONYMIZATION_METHODS, packet_sort_window, packet_sorter, PktDumper::PcapDumper(), pkt_dumper, pkt_transformed_dumper, prog, pseudo_realtime, reading_live, reading_traces, IOSourceRegistry::Register(), sessions, setsignal(), source_pkt_dump, transformed_pkt_dump, TYPE_FILTER_SECONDARY, watchdog(), watchdog_interval, and writefile. Referenced by main(). { init_net_var(); if ( readfiles.length() > 0 ) { reading_live = pseudo_realtime; reading_traces = 1; for ( int i = 0; i < readfiles.length(); ++i ) { PktFileSrc* ps = new PktFileSrc(readfiles[i], filter); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with trace file %s - %s\n", prog, readfiles[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } if ( secondary_filter ) { // We use a second PktFileSrc for the // secondary path. PktFileSrc* ps = new PktFileSrc(readfiles[i], secondary_filter, TYPE_FILTER_SECONDARY); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with trace file %s - %s\n", prog, readfiles[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } ps->AddSecondaryTablePrograms(); } } } else if ( interfaces.length() > 0 ) { reading_live = 1; reading_traces = 0; for ( int i = 0; i < interfaces.length(); ++i ) { PktInterfaceSrc* ps = new PktInterfaceSrc(interfaces[i], filter); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with interface %s - %s\n", prog, interfaces[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } if ( secondary_filter ) { PktInterfaceSrc* ps = new PktInterfaceSrc(interfaces[i], filter, TYPE_FILTER_SECONDARY); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with interface %s - %s\n", prog, interfaces[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } ps->AddSecondaryTablePrograms(); } } } else // have_pending_timers = 1, possibly. We don't set // that here, though, because at this point we don't know // whether the user's bro_init() event will indeed set // a timer. reading_traces = reading_live = 0; if ( writefile ) { // ### This will fail horribly if there are multiple // interfaces with different-lengthed media. pkt_dumper = new PktDumper(writefile); if ( pkt_dumper->IsError() ) { fprintf(stderr, "%s: can't open write file \"%s\" - %s\n", prog, writefile, pkt_dumper->ErrorMsg()); exit(1); } } if ( transformed_writefile ) { pkt_transformed_dumper = new PktDumper(transformed_writefile); if ( pkt_transformed_dumper->IsError() ) { fprintf(stderr, "%s: can't open trace transformation write file \"%s\" - %s\n", prog, writefile, pkt_transformed_dumper->ErrorMsg()); exit(1); } transformed_pkt_dump = new PacketDumper(pkt_transformed_dumper->PcapDumper()); // If both -A and -w are specified, -A will be the transformed // trace file and -w will be the source packet trace file. // Otherwise the packets will go to the same file. if ( pkt_dumper ) source_pkt_dump = new PacketDumper(pkt_dumper->PcapDumper()); } else if ( pkt_dumper ) transformed_pkt_dump = new PacketDumper(pkt_dumper->PcapDumper()); if ( anonymize_ip_addr ) init_ip_addr_anonymizers(); else for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i ) ip_anonymizer[i] = 0; if ( packet_sort_window > 0 ) packet_sorter = new PacketSortGlobalPQ(); sessions = new NetSessions(); if ( do_watchdog ) { // Set up the watchdog to make sure we don't wedge. (void) setsignal(SIGALRM, watchdog); (void) alarm(watchdog_interval); } }

void net_packet_arrival (  double  t, const struct pcap_pkthdr *  hdr, const u_char *  pkt, int  hdr_size, PktSrc *  src_ps )

Definition at line 373 of file Net.cc. References PacketSortGlobalPQ::Add(), net_packet_dispatch(), packet_sorter, and process_packet_sorter(). Referenced by PktSrc::Process(). { if ( packet_sorter ) { // Note that when we enable packet sorter, there will // be a small window between the time packet arrives // to Bro and when it is processed ("dispatched"). We // define network_time to be the latest timestamp for // packets *dispatched* so far (usually that's the // timestamp of the current packet). // Add the packet to the packet_sorter. packet_sorter->Add( new PacketSortElement(src_ps, t, hdr, pkt, hdr_size)); // Do we have any packets to dispatch from packet_sorter? process_packet_sorter(t); } else // Otherwise we dispatch the packet immediately net_packet_dispatch(t, hdr, pkt, hdr_size, src_ps, 0); }

void net_packet_dispatch (  double  t, const struct pcap_pkthdr *  hdr, const u_char *  pkt, int  hdr_size, PktSrc *  src_ps, PacketSortElement *  pkt_elem )

Definition at line 320 of file Net.cc. References TimerMgr::Advance(), current_dispatched, current_hdr, current_pkt, current_pktsrc, NetSessions::DispatchPacket(), EventMgr::Drain(), max_timer_expires, mgr, network_time, processing_start_time, segment_logger, sessions, and timer_mgr. Referenced by net_packet_arrival(), and process_packet_sorter(). { // network_time never goes back. if ( t > network_time ) network_time = t; processing_start_time = t; SegmentProfiler(segment_logger, "expiring-timers"); current_dispatched = timer_mgr->Advance(network_time, max_timer_expires); current_hdr = hdr; current_pkt = pkt; current_pktsrc = src_ps; sessions->DispatchPacket(t, hdr, pkt, hdr_size, src_ps, pkt_elem); mgr.Drain(); current_hdr = 0; // done with these current_pkt = 0; current_pktsrc = 0; processing_start_time = 0.0; // = "we're not processing now" current_dispatched = 0; }

int net_packet_match (  BPF_Program *  fp, const u_char *  pkt, u_int  len, u_int  caplen )

Definition at line 554 of file Net.cc. References bpf_program::bf_insns, bpf_filter(), BPF_Program::GetProgram(), and len. Referenced by NetSessions::NextPacketSecondary(). { // NOTE: I don't like too much un-const'ing the pkt variable. return bpf_filter(fp->GetProgram()->bf_insns, (u_char*) pkt, len, caplen); }

void net_run (   )

Definition at line 398 of file Net.cc. References TimerMgr::Advance(), current_dispatched, current_time(), EventMgr::Drain(), PacketSortGlobalPQ::Empty(), IOSourceRegistry::FindSoonest(), have_pending_timers, io_sources, max_timer_expires, mgr, net_get_final_stats(), network_time, packet_sort_window, packet_sorter, IOSource::Process(), process_packet_sorter(), processing_start_time, reading_live, reading_traces, signal_val, IOSourceRegistry::Size(), TimerMgr::Size(), termination_signal(), timer_mgr, and using_communication. Referenced by main(). { while ( io_sources.Size() || have_pending_timers ) { double ts; IOSource* src = io_sources.Size() ? io_sources.FindSoonest(&ts) : 0; if ( src ) src->Process(); // which will call net_packet_arrival() else if ( reading_live ) { double ct = current_time(); if ( packet_sorter && ! packet_sorter->Empty() ) process_packet_sorter(ct); else { // Take advantage of the lull to get up to // date on timers and events. network_time = ct; timer_mgr->Advance(network_time, max_timer_expires); } } else if ( have_pending_timers ) { // Take advantage of the lull to get up to // date on timers and events. Because we only // have timers as sources, going to sleep here // doesn't risk blocking on other inputs. network_time = current_time(); timer_mgr->Advance(network_time, max_timer_expires); // Avoid busy-waiting - pause for 100 ms. // We pick a sleep value of 100 msec that buys // us a lot of idle time, but doesn't delay near-term // timers too much. (Delaying them somewhat is okay, // since Bro timers are not high-precision anyway.) if ( ! using_communication ) usleep(100000); // Flawfinder says about usleep: // // This C routine is considered obsolete (as opposed // to the shell command by the same name). The // interaction of this function with SIGALRM and // other timer functions such as sleep(), alarm(), // setitimer(), and nanosleep() is unspecified. // Use nanosleep(2) or setitimer(2) instead. } mgr.Drain(); processing_start_time = 0.0; // = "we're not processing now" current_dispatched = 0; // Should we put the signal handling into an IOSource? extern void termination_signal(); if ( signal_val == SIGTERM || signal_val == SIGINT ) // We received a signal while processing the // current packet and its related events. termination_signal(); if ( ! reading_traces ) // Check whether we have timers scheduled for // the future on which we need to wait. have_pending_timers = timer_mgr->Size() > 0; } if ( packet_sorter ) { // Drain packets remaining in the packet sorter. process_packet_sorter(network_time + packet_sort_window + 100); } // Get the final statistics now, and not when net_finish() is // called, since that might happen quite a bit in the future // due to expiring pending timers, and we don't want to ding // for any packets dropped beyond this point. net_get_final_stats(); }

void net_suspend_processing (   )

Definition at line 564 of file Net.cc. References _processing_suspended, bro_logger, and Logger::Log(). Referenced by RemoteSerializer::HandshakeDone(). { if ( _processing_suspended == 0 ) bro_logger->Log("processing suspended"); ++_processing_suspended; }

PList (  PktSrc   )

int process_packet_sorter (  double  lastest_packet_time  )

Definition at line 349 of file Net.cc. References PacketSortElement::Hdr(), PacketSortElement::HdrSize(), net_packet_dispatch(), packet_sort_window, packet_sorter, PacketSortElement::Pkt(), PacketSortGlobalPQ::RemoveMin(), PacketSortElement::Src(), and PacketSortElement::TimeStamp(). Referenced by net_packet_arrival(), and net_run(). { if ( ! packet_sorter ) return 0; double min_t = lastest_packet_time - packet_sort_window; int num_pkts_dispatched = 0; PacketSortElement* pkt_elem; // Dispatch packets in the packet_sorter until timestamp min_t. // It's possible that zero or multiple packets are dispatched. while ( (pkt_elem = packet_sorter->RemoveMin(min_t)) != 0 ) { net_packet_dispatch(pkt_elem->TimeStamp(), pkt_elem->Hdr(), pkt_elem->Pkt(), pkt_elem->HdrSize(), pkt_elem->Src(), pkt_elem); ++num_pkts_dispatched; } return num_pkts_dispatched; }

int select (  int  , fd_set *  , fd_set *  , fd_set *  , struct timeval *  )

Referenced by ChunkedIOFd::CanRead(), IOSourceRegistry::FindSoonest(), ChunkedIOFd::ReadChunk(), DNS_Mgr::Resolve(), and SocketComm::Run().

RETSIGTYPE watchdog (  int   )

Definition at line 94 of file Net.cc. References bro_logger, current_dispatched, current_hdr, current_pkt, current_time(), PktDumper::Dump(), int, last_watchdog_proc_time, Logger::Log(), net_finish(), net_get_final_stats(), pkt_dumper, processing_start_time, RETSIGTYPE, RETSIGVAL, run_time(), safe_snprintf(), and watchdog_interval. Referenced by net_init(). { if ( processing_start_time != 0.0 ) { // The signal arrived while we're processing a packet and/or // its corresponding event queue. Check whether we've been // spending too much time, which we take to mean we've wedged. // Note that it's subtle how exactly to test this. In // processing_start_time we have the timestamp of the packet // we're currently working on. But that *doesn't* mean that // we began work on the packet at that time; we could have // begun at a much later time, depending on how long the // packet filter waited (to fill its buffer) before handing // up this packet. So what we require is that the current // processing_start_time matches the processing_start_time we // observed last time the watchdog went off. If so, then // we've been working on the current packet for at least // watchdog_interval seconds. if ( processing_start_time == last_watchdog_proc_time ) { // snprintf() calls alloc/free routines if you use %f! // We need to avoid doing that given we're in a single // handler and the allocation routines are not // reentrant. double ct = current_time(); int int_ct = int(ct); int frac_ct = int((ct - int_ct) * 1e6); int int_pst = int(processing_start_time); int frac_pst = int((processing_start_time - int_pst) * 1e6); char msg[512]; safe_snprintf(msg, sizeof(msg), "**watchdog timer expired, t = %d.%06d, start = %d.%06d, dispatched = %d", int_ct, frac_ct, int_pst, frac_pst, current_dispatched); bro_logger->Log(msg); run_time("watchdog timer expired"); if ( current_hdr && pkt_dumper) pkt_dumper->Dump(current_hdr, current_pkt); net_get_final_stats(); net_finish(0); abort(); exit(1); } } last_watchdog_proc_time = processing_start_time; (void) alarm(watchdog_interval); return RETSIGVAL; }

---

Variable Documentation

int _processing_suspended = 0

Definition at line 562 of file Net.cc. Referenced by net_continue_processing(), net_is_processing_suspended(), and net_suspend_processing().

double bro_start_time = 0.0

Definition at line 83 of file Net.cc. Referenced by main(), and RemoteSerializer::PeerConnected().

int current_dispatched = 0

Definition at line 91 of file Net.cc. Referenced by net_packet_dispatch(), net_run(), and watchdog().

const struct pcap_pkthdr* current_hdr = 0

Definition at line 89 of file Net.cc. Referenced by net_packet_dispatch(), and watchdog().

const u_char* current_pkt = 0

Definition at line 90 of file Net.cc. Referenced by net_packet_dispatch(), and watchdog().

PktSrc* current_pktsrc = 0

Definition at line 92 of file Net.cc. Referenced by net_packet_dispatch().

int have_pending_timers = 0

Definition at line 76 of file Net.cc. Referenced by main(), and net_run().

double last_watchdog_proc_time = 0.0

Definition at line 84 of file Net.cc. Referenced by watchdog().

double network_time = 0.0

Definition at line 81 of file Net.cc. Referenced by CQ_TimerMgr::Add(), FragReassembler::AddFragment(), TCP_TracePacket::AppendData(), BackDoorAnalyzer::BackDoorAnalyzer(), TCP_EndpointStats::DataSent(), ProfileTimer::Dispatch(), TableVal::DoExpire(), RuleConditionPayloadSize::DoMatch(), TCP_Rewriter::DumpPacket(), RuleMatcher::DumpStateStats(), RuleMatcher::DumpStats(), Connection::EnableStatusUpdateTimer(), ScheduleExpr::Eval(), RuleMatcher::EvalRuleConditions(), ExprListStmt::Exec(), RuleMatcher::ExecRulePurely(), ChunkedIOFd::FlushWriteBuffer(), HTTP_Message::HTTP_Message(), RuleMatcher::InitEndpoint(), TableVal::InitTimer(), BroFile::InstallRotateTimer(), InterConnAnalyzer::InterConnAnalyzer(), ProfileLogger::Log(), Logger::Log(), TraceState::LogTrace(), TableVal::Lookup(), main(), RuleMatcher::Match(), MutableVal::Modified(), MutableVal::MutableVal(), net_packet_dispatch(), net_run(), TCP_Connection::NextPacket(), ConnCompressor::NextPacket(), EventPlayer::NextTimestamp(), PktDumper::Open(), BroFile::Open(), pinpoint(), BroObj::PinPoint(), TCP_RewriterEndpoint::PushPacket(), ChunkedIOFd::PutIntoWriteBuffer(), SerializationCache::Register(), Stmt::RegisterAccess(), TCP_RewriterEndpoint::Reset(), rotate_file(), RPC_CallInfo::RPC_CallInfo(), PersistenceSerializer::RunSerialization(), TCP_RewriterEndpoint::ScheduleFlush(), ProfileLogger::SegmentProfile(), Serializer::Serialize(), Connection::SetInactivityTimeout(), Connection::SetLifetime(), Connection::StatusUpdateTimer(), TableEntryVal::TableEntryVal(), Packet::Unserialize(), X509_Cert::verify(), X509_Cert::verifyChain(), NetSessions::Weird(), and Connection::Weird().

PacketSortGlobalPQ* packet_sorter = 0

Definition at line 87 of file Net.cc. Referenced by net_delete(), net_init(), net_packet_arrival(), net_run(), and process_packet_sorter().

PktDumper* pkt_dumper = 0

Definition at line 65 of file Net.cc. Referenced by NetSessions::DumpPacket(), get_src_pkt_writer(), net_finish(), net_init(), and watchdog().

PktDumper* pkt_transformed_dumper = 0

Definition at line 66 of file Net.cc. Referenced by net_finish(), and net_init().

double processing_start_time = 0.0

Definition at line 82 of file Net.cc. Referenced by net_packet_dispatch(), net_run(), sig_handler(), and watchdog().

int pseudo_realtime = 0

Definition at line 77 of file Net.cc. Referenced by PktSrc::ExtractNextPacket(), PktSrc::GetFds(), RemoteSerializer::Init(), main(), net_init(), NetSessions::NetSessions(), and PktSrc::NextTimestamp().

int reading_live = 0

Definition at line 74 of file Net.cc. Referenced by TCP_Contents::AckReceived(), main(), net_init(), net_run(), and NetSessions::NetSessions().

int reading_traces = 0

Definition at line 75 of file Net.cc. Referenced by RemoteSerializer::Init(), main(), net_init(), net_run(), and PktSrc::Statistics().

PacketDumper* source_pkt_dump = 0

Definition at line 71 of file Net.cc. Referenced by TCP_Connection::Init(), and net_init().

bool terminating = false

Definition at line 85 of file Net.cc. Referenced by IncrementalWriteTimer::Dispatch(), done_with_network(), UDP_NetbiosSSN::ExpireTimer(), UDP_DNS::ExpireTimer(), and terminate_bro().

PacketDumper* transformed_pkt_dump = 0

Definition at line 69 of file Net.cc. Referenced by get_trace_rewriter(), TCP_Connection::Init(), net_delete(), and net_init().

int transformed_pkt_dump_MTU = 1514

Definition at line 72 of file Net.cc. Referenced by TCP_Connection::Init().

char* user_pcap_filter = 0

Definition at line 78 of file Net.cc. Referenced by main().

bool using_communication = false

Definition at line 79 of file Net.cc. Referenced by RemoteSerializer::Connect(), PktSrc::ExtractNextPacket(), RemoteSerializer::FatalError(), RemoteSerializer::Init(), RemoteSerializer::Listen(), main(), net_run(), NameExpr::ReferenceID(), RemoteSerializer::RequestEvents(), RemoteSerializer::RequestSync(), RemoteSerializer::SendCall(), RemoteSerializer::SendCaptureFilter(), RemoteSerializer::SendConnection(), RemoteSerializer::SendID(), RemoteSerializer::SendPacket(), and RemoteSerializer::SendPing().

---