Net.h File Reference

#include "net_util.h"
#include "BPF_Program.h"
#include "List.h"
#include "PktSrc.h"
#include "Func.h"
#include "RemoteSerializer.h"

Include dependency graph for Net.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
void	net_init (name_list &interfaces, name_list &readfiles, const char *writefile, const char *transformed_writefile, const char *filter, const char *secondary_filter, int do_watchdog)
void	net_run ()
void	net_get_final_stats ()
void	net_finish (int drain_events)
void	net_delete ()
void	net_packet_arrival (double t, const struct pcap_pkthdr *hdr, const u_char *pkt, int hdr_size, PktSrc *src_ps)
int	net_packet_match (BPF_Program *fp, const u_char *pkt, u_int len, u_int caplen)
void	termination_signal ()
void	net_suspend_processing ()
void	net_continue_processing ()
bool	net_is_processing_suspended ()
	declare (PList, PktSrc)
	PList (PktSrc) pkt_srcs
Variables
int	_processing_suspended
int	reading_live
int	reading_traces
int	have_pending_timers
int	pseudo_realtime
char *	user_pcap_filter
double	processing_start_time
double	bro_start_time
bool	terminating
bool	using_communication
const struct pcap_pkthdr *	current_hdr
const u_char *	current_pkt
int	current_dispatched
PktSrc *	current_pktsrc
PktDumper *	pkt_dumper
PktDumper *	pkt_transformed_dumper
char *	writefile

---

Function Documentation

declare (  PList  , PktSrc  )

void net_continue_processing (   )

Definition at line 571 of file Net.cc. References _processing_suspended, bro_logger, and Logger::Log(). Referenced by RemoteSerializer::ProcessPhaseDone(). { if ( _processing_suspended == 1 ) bro_logger->Log("processing continued"); --_processing_suspended; }

void net_delete (   )

Definition at line 525 of file Net.cc. References ip_anonymizer, NUM_ADDR_ANONYMIZATION_METHODS, packet_sorter, sessions, and transformed_pkt_dump. Referenced by main(), and termination_signal(). { delete sessions; delete packet_sorter; // Can't put this in net_finish() because packets might be // dumped when connections are deleted. if ( transformed_pkt_dump ) delete transformed_pkt_dump; for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i ) delete ip_anonymizer[i]; }

void net_finish (  int  drain_events  )

Definition at line 497 of file Net.cc. References NetSessions::Done(), EventMgr::Drain(), NetSessions::Drain(), mgr, num_packets_cleaned, num_packets_held, pkt_dumper, pkt_transformed_dumper, and sessions. Referenced by done_with_network(), and watchdog(). { if ( drain_events ) { if ( sessions ) sessions->Drain(); mgr.Drain(); if ( sessions ) sessions->Done(); } delete pkt_dumper; delete pkt_transformed_dumper; // fprintf(stderr, "uhash: %d/%d\n", hash_cnt_uhash, hash_cnt_all); #ifdef DEBUG extern int reassem_seen_bytes, reassem_copied_bytes; // DEBUG_MSG("Reassembly (TCP and IP/Frag): %d bytes seen, %d bytes copied\n", reassem_seen_bytes, reassem_copied_bytes); extern int num_packets_held, num_packets_cleaned; // DEBUG_MSG("packets clean up: %d/%d\n", num_packets_cleaned, num_packets_held); #endif }

void net_get_final_stats (   )

Definition at line 481 of file Net.cc. References PktSrc::Stats::dropped, PktSrc::Interface(), PktSrc::IsLive(), loop_over_list, PktSrc::Stats::received, and PktSrc::Statistics(). Referenced by net_run(), termination_signal(), and watchdog(). { loop_over_list(pkt_srcs, i) { PktSrc* ps = pkt_srcs[i]; if ( ps->IsLive() ) { struct PktSrc::Stats s; ps->Statistics(&s); fprintf(stderr, "%d packets received on interface %s, %d dropped\n", s.received, ps->Interface(), s.dropped); } } }

void net_init (  name_list &  interfaces, name_list &  readfiles, const char *  writefile, const char *  transformed_writefile, const char *  filter, const char *  secondary_filter, int  do_watchdog )

Definition at line 155 of file Net.cc. References PktSrc::AddSecondaryTablePrograms(), PktDumper::ErrorMsg(), PktSrc::ErrorMsg(), init_ip_addr_anonymizers(), init_net_var(), io_sources, ip_anonymizer, PktDumper::IsError(), IOSource::IsOpen(), NUM_ADDR_ANONYMIZATION_METHODS, packet_sort_window, packet_sorter, PktDumper::PcapDumper(), pkt_dumper, pkt_transformed_dumper, prog, pseudo_realtime, reading_live, reading_traces, IOSourceRegistry::Register(), sessions, setsignal(), source_pkt_dump, transformed_pkt_dump, TYPE_FILTER_SECONDARY, watchdog(), watchdog_interval, and writefile. Referenced by main(). { init_net_var(); if ( readfiles.length() > 0 ) { reading_live = pseudo_realtime; reading_traces = 1; for ( int i = 0; i < readfiles.length(); ++i ) { PktFileSrc* ps = new PktFileSrc(readfiles[i], filter); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with trace file %s - %s\n", prog, readfiles[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } if ( secondary_filter ) { // We use a second PktFileSrc for the // secondary path. PktFileSrc* ps = new PktFileSrc(readfiles[i], secondary_filter, TYPE_FILTER_SECONDARY); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with trace file %s - %s\n", prog, readfiles[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } ps->AddSecondaryTablePrograms(); } } } else if ( interfaces.length() > 0 ) { reading_live = 1; reading_traces = 0; for ( int i = 0; i < interfaces.length(); ++i ) { PktInterfaceSrc* ps = new PktInterfaceSrc(interfaces[i], filter); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with interface %s - %s\n", prog, interfaces[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } if ( secondary_filter ) { PktInterfaceSrc* ps = new PktInterfaceSrc(interfaces[i], filter, TYPE_FILTER_SECONDARY); if ( ! ps->IsOpen() ) { fprintf(stderr, "%s: problem with interface %s - %s\n", prog, interfaces[i], ps->ErrorMsg()); exit(1); } else { pkt_srcs.append(ps); io_sources.Register(ps); } ps->AddSecondaryTablePrograms(); } } } else // have_pending_timers = 1, possibly. We don't set // that here, though, because at this point we don't know // whether the user's bro_init() event will indeed set // a timer. reading_traces = reading_live = 0; if ( writefile ) { // ### This will fail horribly if there are multiple // interfaces with different-lengthed media. pkt_dumper = new PktDumper(writefile); if ( pkt_dumper->IsError() ) { fprintf(stderr, "%s: can't open write file \"%s\" - %s\n", prog, writefile, pkt_dumper->ErrorMsg()); exit(1); } } if ( transformed_writefile ) { pkt_transformed_dumper = new PktDumper(transformed_writefile); if ( pkt_transformed_dumper->IsError() ) { fprintf(stderr, "%s: can't open trace transformation write file \"%s\" - %s\n", prog, writefile, pkt_transformed_dumper->ErrorMsg()); exit(1); } transformed_pkt_dump = new PacketDumper(pkt_transformed_dumper->PcapDumper()); // If both -A and -w are specified, -A will be the transformed // trace file and -w will be the source packet trace file. // Otherwise the packets will go to the same file. if ( pkt_dumper ) source_pkt_dump = new PacketDumper(pkt_dumper->PcapDumper()); } else if ( pkt_dumper ) transformed_pkt_dump = new PacketDumper(pkt_dumper->PcapDumper()); if ( anonymize_ip_addr ) init_ip_addr_anonymizers(); else for ( int i = 0; i < NUM_ADDR_ANONYMIZATION_METHODS; ++i ) ip_anonymizer[i] = 0; if ( packet_sort_window > 0 ) packet_sorter = new PacketSortGlobalPQ(); sessions = new NetSessions(); if ( do_watchdog ) { // Set up the watchdog to make sure we don't wedge. (void) setsignal(SIGALRM, watchdog); (void) alarm(watchdog_interval); } }

bool net_is_processing_suspended (   )  [inline]

Definition at line 53 of file Net.h. References _processing_suspended. Referenced by PktSrc::ExtractNextPacket(), and RemoteSerializer::ProcessSerialization(). { return _processing_suspended > 0; }

void net_packet_arrival (  double  t, const struct pcap_pkthdr *  hdr, const u_char *  pkt, int  hdr_size, PktSrc *  src_ps )

Definition at line 373 of file Net.cc. References PacketSortGlobalPQ::Add(), net_packet_dispatch(), packet_sorter, and process_packet_sorter(). Referenced by PktSrc::Process(). { if ( packet_sorter ) { // Note that when we enable packet sorter, there will // be a small window between the time packet arrives // to Bro and when it is processed ("dispatched"). We // define network_time to be the latest timestamp for // packets *dispatched* so far (usually that's the // timestamp of the current packet). // Add the packet to the packet_sorter. packet_sorter->Add( new PacketSortElement(src_ps, t, hdr, pkt, hdr_size)); // Do we have any packets to dispatch from packet_sorter? process_packet_sorter(t); } else // Otherwise we dispatch the packet immediately net_packet_dispatch(t, hdr, pkt, hdr_size, src_ps, 0); }

int net_packet_match (  BPF_Program *  fp, const u_char *  pkt, u_int  len, u_int  caplen )

Definition at line 554 of file Net.cc. References bpf_program::bf_insns, bpf_filter(), BPF_Program::GetProgram(), and len. Referenced by NetSessions::NextPacketSecondary(). { // NOTE: I don't like too much un-const'ing the pkt variable. return bpf_filter(fp->GetProgram()->bf_insns, (u_char*) pkt, len, caplen); }

void net_run (   )

Definition at line 398 of file Net.cc. References TimerMgr::Advance(), current_dispatched, current_time(), EventMgr::Drain(), PacketSortGlobalPQ::Empty(), IOSourceRegistry::FindSoonest(), have_pending_timers, io_sources, max_timer_expires, mgr, net_get_final_stats(), network_time, packet_sort_window, packet_sorter, IOSource::Process(), process_packet_sorter(), processing_start_time, reading_live, reading_traces, signal_val, TimerMgr::Size(), IOSourceRegistry::Size(), termination_signal(), timer_mgr, and using_communication. Referenced by main(). { while ( io_sources.Size() || have_pending_timers ) { double ts; IOSource* src = io_sources.Size() ? io_sources.FindSoonest(&ts) : 0; if ( src ) src->Process(); // which will call net_packet_arrival() else if ( reading_live ) { double ct = current_time(); if ( packet_sorter && ! packet_sorter->Empty() ) process_packet_sorter(ct); else { // Take advantage of the lull to get up to // date on timers and events. network_time = ct; timer_mgr->Advance(network_time, max_timer_expires); } } else if ( have_pending_timers ) { // Take advantage of the lull to get up to // date on timers and events. Because we only // have timers as sources, going to sleep here // doesn't risk blocking on other inputs. network_time = current_time(); timer_mgr->Advance(network_time, max_timer_expires); // Avoid busy-waiting - pause for 100 ms. // We pick a sleep value of 100 msec that buys // us a lot of idle time, but doesn't delay near-term // timers too much. (Delaying them somewhat is okay, // since Bro timers are not high-precision anyway.) if ( ! using_communication ) usleep(100000); // Flawfinder says about usleep: // // This C routine is considered obsolete (as opposed // to the shell command by the same name). The // interaction of this function with SIGALRM and // other timer functions such as sleep(), alarm(), // setitimer(), and nanosleep() is unspecified. // Use nanosleep(2) or setitimer(2) instead. } mgr.Drain(); processing_start_time = 0.0; // = "we're not processing now" current_dispatched = 0; // Should we put the signal handling into an IOSource? extern void termination_signal(); if ( signal_val == SIGTERM || signal_val == SIGINT ) // We received a signal while processing the // current packet and its related events. termination_signal(); if ( ! reading_traces ) // Check whether we have timers scheduled for // the future on which we need to wait. have_pending_timers = timer_mgr->Size() > 0; } if ( packet_sorter ) { // Drain packets remaining in the packet sorter. process_packet_sorter(network_time + packet_sort_window + 100); } // Get the final statistics now, and not when net_finish() is // called, since that might happen quite a bit in the future // due to expiring pending timers, and we don't want to ding // for any packets dropped beyond this point. net_get_final_stats(); }

void net_suspend_processing (   )

Definition at line 564 of file Net.cc. References _processing_suspended, bro_logger, and Logger::Log(). Referenced by RemoteSerializer::HandshakeDone(). { if ( _processing_suspended == 0 ) bro_logger->Log("processing suspended"); ++_processing_suspended; }

PList (  PktSrc   )

void termination_signal (   )

Definition at line 240 of file main.cc. References BroFile::CloseCachedFiles(), done_with_network(), message(), net_delete(), net_get_final_stats(), rule_matcher, signal_val, terminate_bro(), and TYPE_COUNT. Referenced by PktSrc::ExtractNextPacket(), net_run(), and sig_handler(). { Val sval(signal_val, TYPE_COUNT); message("received termination signal"); net_get_final_stats(); done_with_network(); terminate_bro(); net_delete(); // Close files after net_delete(), because net_delete() // might write to connection content files. BroFile::CloseCachedFiles(); delete rule_matcher; exit(0); }

---

Variable Documentation

int _processing_suspended

Definition at line 52 of file Net.h. Referenced by net_continue_processing(), net_is_processing_suspended(), and net_suspend_processing().

double bro_start_time

Definition at line 83 of file Net.h. Referenced by main(), and RemoteSerializer::PeerConnected().

int current_dispatched

Definition at line 93 of file Net.h. Referenced by net_packet_dispatch(), net_run(), and watchdog().

const struct pcap_pkthdr* current_hdr

Definition at line 91 of file Net.h. Referenced by net_packet_dispatch(), and watchdog().

const u_char* current_pkt

Definition at line 92 of file Net.h. Referenced by net_packet_dispatch(), and watchdog().

PktSrc* current_pktsrc

Definition at line 94 of file Net.h. Referenced by net_packet_dispatch().

int have_pending_timers

Definition at line 69 of file Net.h. Referenced by main(), and net_run().

PktDumper* pkt_dumper

Definition at line 99 of file Net.h. Referenced by NetSessions::DumpPacket(), get_src_pkt_writer(), net_finish(), net_init(), and watchdog().

PktDumper* pkt_transformed_dumper

Definition at line 100 of file Net.h. Referenced by net_finish(), and net_init().

double processing_start_time

Definition at line 80 of file Net.h. Referenced by net_packet_dispatch(), net_run(), sig_handler(), and watchdog().

int pseudo_realtime

Definition at line 73 of file Net.h. Referenced by PktSrc::ExtractNextPacket(), PktSrc::GetFds(), RemoteSerializer::Init(), main(), net_init(), NetSessions::NetSessions(), and PktSrc::NextTimestamp().

int reading_live

Definition at line 57 of file Net.h. Referenced by TCP_Contents::AckReceived(), main(), net_init(), net_run(), and NetSessions::NetSessions().

int reading_traces

Definition at line 62 of file Net.h. Referenced by RemoteSerializer::Init(), main(), net_init(), net_run(), and PktSrc::Statistics().

bool terminating

Definition at line 86 of file Net.h. Referenced by IncrementalWriteTimer::Dispatch(), done_with_network(), UDP_DNS::ExpireTimer(), UDP_NetbiosSSN::ExpireTimer(), and terminate_bro().

char* user_pcap_filter

Definition at line 76 of file Net.h. Referenced by main().

bool using_communication

Definition at line 89 of file Net.h. Referenced by RemoteSerializer::Connect(), PktSrc::ExtractNextPacket(), RemoteSerializer::FatalError(), RemoteSerializer::Init(), RemoteSerializer::Listen(), main(), net_run(), NameExpr::ReferenceID(), RemoteSerializer::RequestEvents(), RemoteSerializer::RequestSync(), RemoteSerializer::SendCall(), RemoteSerializer::SendCaptureFilter(), RemoteSerializer::SendConnection(), RemoteSerializer::SendID(), RemoteSerializer::SendPacket(), and RemoteSerializer::SendPing().

char* writefile

Definition at line 102 of file Net.h. Referenced by main(), and net_init().

---