tcpflow  1.6.1

tcpdemux Class Reference

#include <tcpdemux.h>


Classes

struct  flow_addr_hash
 
struct  flow_addr_key_eq
 
class  options
 

Public Types

enum  { WARN_TOO_MANY_FILES =10000 }
 

Public Member Functions

virtual ~tcpdemux ()
 
void alter_processing_core ()
 
void openDB ()
 
void write_flow_record (const std::string &starttime, const std::string &endtime, const std::string &src_ipn, const std::string &dst_ipn, const std::string &mac_daddr, const std::string &mac_saddr, uint64_t packets, uint16_t srcport, uint16_t dstport, const std::string &hashdigest_md5)
 
void save_unk_packets (const std::string &wfname, const std::string &ifname)
 
void post_process (tcpip *tcp)
 
void close_tcpip_fd (tcpip *)
 
void close_oldest_fd ()
 
void remove_flow (const flow_addr &flow)
 
void remove_all_flows ()
 
int retrying_open (const std::string &filename, int oflag, int mask)
 
tcpip * create_tcpip (const flow_addr &flow, be13::tcp_seq isn, const be13::packet_info &pi)
 
tcpip * find_tcpip (const flow_addr &flow)
 
void save_flow (tcpip *)
 
int process_tcp (const ipaddr &src, const ipaddr &dst, sa_family_t family, const u_char *tcp_data, uint32_t tcp_length, const be13::packet_info &pi)
 
int dissect_tcp (const ipaddr &src, const ipaddr &dst, sa_family_t family, const u_char *tcp_data, uint32_t tcp_length, const be13::packet_info &pi)
 
int process_ip4 (const be13::packet_info &pi)
 
int process_ip6 (const be13::packet_info &pi)
 
int process_pkt (const be13::packet_info &pi)
 

Static Public Member Functions

static unsigned int get_max_fds (void)
 
static tcpdemux * getInstance ()
 

Public Attributes

std::string outdir
 
uint64_t flow_counter
 
uint64_t packet_counter
 
dfxml_writer * xreport
 
pcap_writer * pwriter
 
unsigned int max_open_flows
 
unsigned int max_fds
 
uint64_t unique_id
 
flow_map_t flow_map
 
intrusive_list< tcpip > open_flows
 
saved_flow_map_t saved_flow_map
 
sparse_saved_flow_map_t flow_fd_cache_map
 
saved_flows_t saved_flows
 
bool start_new_connections
 
options opt
 
class feature_recorder_set * fs
 

Static Public Attributes

static uint32_t tcp_timeout = 0
 
static std::string tcp_cmd = ""
 
static int tcp_subproc_max = 10
 
static int tcp_subproc = 0
 
static int tcp_alert_fd = -1
 
static uint32_t max_saved_flows = 100
 

Private Types

typedef std::unordered_map< flow_addr, tcpip *, flow_addr_hash, flow_addr_key_eq > flow_map_t
 
typedef std::unordered_map< flow_addr, saved_flow *, flow_addr_hash, flow_addr_key_eq > saved_flow_map_t
 
typedef std::unordered_map< flow_addr, sparse_saved_flow *, flow_addr_hash, flow_addr_key_eq > sparse_saved_flow_map_t
 
typedef std::vector< class saved_flow * > saved_flows_t
 

Private Member Functions

 tcpdemux ()
 
 tcpdemux (const tcpdemux &t)
 
tcpdemux & operator= (const tcpdemux &that)
 

Private Attributes

pcap_writer * flow_sorter
 
int(tcpdemux::* tcp_processor )(const ipaddr &src, const ipaddr &dst, sa_family_t family, const u_char *tcp_data, uint32_t tcp_length, const be13::packet_info &pi)
 

Detailed Description

tcpdemux.h

a tcpip demultiplexer.

Defines the basic classes used by the tcpflow program. This includes:

  • IP, TCP and UDP structures
  • class ipaddr - IP address (IPv4 and IPv6)
  • class flow_addr - The flow address (source addr & port; dest addr & port; family)
  • class flow - All of the information for a flow that's being tracked
  • class tcp_header_t - convenience class for working with TCP headers
  • class tcpip - A one-sided TCP implementation
  • class tcpdemux - The TCP demultiplexer: processes individual packets, identifies flows, and creates tcpip objects as required. This is a singleton class, since only a single demultiplexer is needed.

Definition at line 48 of file tcpdemux.h.

Member Typedef Documentation

◆ flow_map_t

typedef std::unordered_map<flow_addr,tcpip *,flow_addr_hash,flow_addr_key_eq> tcpdemux::flow_map_t
private

Definition at line 63 of file tcpdemux.h.

◆ saved_flow_map_t

Definition at line 64 of file tcpdemux.h.

◆ saved_flows_t

typedef std::vector<class saved_flow *> tcpdemux::saved_flows_t
private

Definition at line 67 of file tcpdemux.h.

◆ sparse_saved_flow_map_t

Definition at line 65 of file tcpdemux.h.

Member Enumeration Documentation

◆ anonymous enum

anonymous enum
Enumerator
WARN_TOO_MANY_FILES 

Definition at line 127 of file tcpdemux.h.

Constructor & Destructor Documentation

◆ tcpdemux() [1/2]

tcpdemux::tcpdemux ( )
private

Definition at line 33 of file tcpdemux.cpp.

References process_tcp(), and tcp_processor.

Referenced by getInstance().

◆ ~tcpdemux()

virtual tcpdemux::~tcpdemux ( )
inlinevirtual

Definition at line 90 of file tcpdemux.h.

References pwriter, and xreport.

◆ tcpdemux() [2/2]

tcpdemux::tcpdemux ( const tcpdemux & t)
private

Member Function Documentation

◆ alter_processing_core()

void tcpdemux::alter_processing_core ( )

Definition at line 47 of file tcpdemux.cpp.

References DEBUG, dissect_tcp(), flow_sorter, and tcp_processor.

Referenced by main().

◆ close_oldest_fd()

void tcpdemux::close_oldest_fd ( )

Find the flow that was written to least recently and close it.

Definition at line 113 of file tcpdemux.cpp.

References intrusive_list< T >::begin(), tcpip::close_file(), and open_flows.

Referenced by retrying_open().

◆ close_tcpip_fd()

void tcpdemux::close_tcpip_fd ( tcpip * )

Referenced by tcpip::store_packet().

◆ create_tcpip()

tcpip * tcpdemux::create_tcpip ( const flow_addr & flow,
be13::tcp_seq  isn,
const be13::packet_info & pi 
)

◆ dissect_tcp()

int tcpdemux::dissect_tcp ( const ipaddr & src,
const ipaddr & dst,
sa_family_t  family,
const u_char *  ip_data,
uint32_t  ip_payload_len,
const be13::packet_info & pi 
)

dissect_tcp():

Called to process TCP packets so that dissected (isolated) per-flow pcap files are produced afterwards. This is similar in spirit to "sorting" pcap packets by flow context.

Returns 0 if the packet is processed, 1 if it is not processed, and -1 on error.

Definition at line 393 of file tcpdemux.cpp.

References sparse_saved_flow::addr, DEBUG, flow_fd_cache_map, flow_sorter, flow::new_pcap_filename(), be13::packet_info::pcap_data, be13::packet_info::pcap_dlt, be13::packet_info::pcap_hdr, pcap_writer::refresh_sink(), be13::tcphdr::th_dport, be13::tcphdr::th_sport, pcap_writer::update_sink(), pcap_writer::writepkt(), and pcap_writer::yield_sink().

Referenced by alter_processing_core().

◆ find_tcpip()

tcpip * tcpdemux::find_tcpip ( const flow_addr & flow)

Definition at line 144 of file tcpdemux.cpp.

References flow_map.

Referenced by process_tcp().

◆ get_max_fds()

unsigned int tcpdemux::get_max_fds ( void  )
static

tcpdemultiplexer

Definition at line 293 of file tcpdemux.cpp.

References DEBUG, and MAX_FD_GUESS.

Referenced by usage().

◆ getInstance()

tcpdemux * tcpdemux::getInstance ( )
static

◆ openDB()

void tcpdemux::openDB ( )

Definition at line 54 of file tcpdemux.cpp.

◆ operator=()

tcpdemux& tcpdemux::operator= ( const tcpdemux & that)
private

◆ post_process()

void tcpdemux::post_process ( tcpip * tcp)

Remove a flow from the database. Close the flow file. Write to the report.xml object. Save in the sqlite database. This is the ONLY place where a tcpip object is deleted, so there is no chance of finding it again.

Flows are post-processed when a FIN is received and all bytes have been received. If a FIN is received while bytes are still outstanding, the flow is post-processed when the last byte arrives. When the program shuts down, all open flows are post-processed.

Amended to trigger the packet/data location index sort as part of the post-processing. This sorts the (potentially out of order) index to make it simple for external applications. No processing is done if the (-I) index generation feature is turned off. –GDD

After the flow is finished, if more than a byte was written and post-processing is enabled, the flow data is put in an SBUF and processed. This is called from tcpip::~tcpip() in tcpip.cpp.

Before we delete the tcp structure, save information about the saved flow

Definition at line 200 of file tcpdemux.cpp.

References tcpip::close_file(), die(), tcpip::dump_xml(), tcpip::fd, tcpip::file_created, tcpip::flow_pathname, fs, tcpip::last_byte, sbuf_t::map_file(), tcpip::open_file(), opt, scanner_params::PHASE_SCAN, tcpdemux::options::post_processing, be13::plugin::process_sbuf(), save_flow(), tcpdemux::options::store_output, tcp_alert_fd, tcp_cmd, tcp_subproc, tcp_subproc_max, and xreport.

Referenced by remove_all_flows(), and remove_flow().

◆ process_ip4()

◆ process_ip6()

◆ process_pkt()

◆ process_tcp()

◆ remove_all_flows()

void tcpdemux::remove_all_flows ( )

Definition at line 273 of file tcpdemux.cpp.

References DEBUG, flow_fd_cache_map, flow_map, and post_process().

Referenced by main().

◆ remove_flow()

void tcpdemux::remove_flow ( const flow_addr & flow)

Definition at line 264 of file tcpdemux.cpp.

References flow_map, and post_process().

Referenced by process_pkt(), and process_tcp().

◆ retrying_open()

int tcpdemux::retrying_open ( const std::string &  filename,
int  oflag,
int  mask 
)

◆ save_flow()

void tcpdemux::save_flow ( tcpip * tcp)

Definition at line 367 of file tcpdemux.cpp.

References saved_flow::addr, max_saved_flows, saved_flow_map, and saved_flows.

Referenced by post_process().

◆ save_unk_packets()

void tcpdemux::save_unk_packets ( const std::string &  wfname,
const std::string &  ifname 
)

Definition at line 358 of file tcpdemux.cpp.

References pcap_writer::open_copy(), and pwriter.

Referenced by main().

◆ write_flow_record()

void tcpdemux::write_flow_record ( const std::string &  starttime,
const std::string &  endtime,
const std::string &  src_ipn,
const std::string &  dst_ipn,
const std::string &  mac_daddr,
const std::string &  mac_saddr,
uint64_t  packets,
uint16_t  srcport,
uint16_t  dstport,
const std::string &  hashdigest_md5 
)

Definition at line 93 of file tcpdemux.cpp.

Member Data Documentation

◆ flow_counter

uint64_t tcpdemux::flow_counter

Definition at line 130 of file tcpdemux.h.

Referenced by create_tcpip(), and main().

◆ flow_fd_cache_map

sparse_saved_flow_map_t tcpdemux::flow_fd_cache_map

Definition at line 142 of file tcpdemux.h.

Referenced by dissect_tcp(), and remove_all_flows().

◆ flow_map

flow_map_t tcpdemux::flow_map

Definition at line 138 of file tcpdemux.h.

Referenced by create_tcpip(), find_tcpip(), main(), process_pkt(), remove_all_flows(), and remove_flow().

◆ flow_sorter

pcap_writer* tcpdemux::flow_sorter
private

Definition at line 75 of file tcpdemux.h.

Referenced by alter_processing_core(), and dissect_tcp().

◆ fs

class feature_recorder_set* tcpdemux::fs

Definition at line 147 of file tcpdemux.h.

Referenced by main(), and post_process().

◆ max_fds

unsigned int tcpdemux::max_fds

Definition at line 135 of file tcpdemux.h.

Referenced by main(), and retrying_open().

◆ max_open_flows

unsigned int tcpdemux::max_open_flows

Definition at line 134 of file tcpdemux.h.

Referenced by main(), and tcpip::open_file().

◆ max_saved_flows

uint32_t tcpdemux::max_saved_flows = 100
static

tcpdemux.cpp A tcpip demultiplexer.

This file is part of tcpflow by Simson Garfinkel, originally by Jeremy Elson jelso.nosp@m.n@ci.nosp@m.rclem.nosp@m.ud.o.nosp@m.rg

This source code is under the GNU Public License (GPL). See LICENSE for details.

Definition at line 149 of file tcpdemux.h.

Referenced by save_flow().

◆ open_flows

◆ opt

◆ outdir

std::string tcpdemux::outdir

Definition at line 129 of file tcpdemux.h.

Referenced by main().

◆ packet_counter

uint64_t tcpdemux::packet_counter

Definition at line 131 of file tcpdemux.h.

Referenced by main(), and process_tcp().

◆ pwriter

pcap_writer* tcpdemux::pwriter

Definition at line 133 of file tcpdemux.h.

Referenced by process_pkt(), save_unk_packets(), and ~tcpdemux().

◆ saved_flow_map

saved_flow_map_t tcpdemux::saved_flow_map

Definition at line 141 of file tcpdemux.h.

Referenced by process_tcp(), and save_flow().

◆ saved_flows

saved_flows_t tcpdemux::saved_flows

Definition at line 143 of file tcpdemux.h.

Referenced by save_flow().

◆ start_new_connections

bool tcpdemux::start_new_connections

Definition at line 144 of file tcpdemux.h.

Referenced by main(), and process_tcp().

◆ tcp_alert_fd

int tcpdemux::tcp_alert_fd = -1
static

Definition at line 87 of file tcpdemux.h.

Referenced by post_process(), and process_tcp().

◆ tcp_cmd

std::string tcpdemux::tcp_cmd = ""
static

Definition at line 84 of file tcpdemux.h.

Referenced by post_process().

◆ tcp_processor

int(tcpdemux::* tcpdemux::tcp_processor) (const ipaddr &src, const ipaddr &dst, sa_family_t family, const u_char *tcp_data, uint32_t tcp_length, const be13::packet_info &pi)
private

Definition at line 78 of file tcpdemux.h.

Referenced by alter_processing_core(), process_ip4(), process_ip6(), and tcpdemux().

◆ tcp_subproc

int tcpdemux::tcp_subproc = 0
static

Definition at line 86 of file tcpdemux.h.

Referenced by post_process().

◆ tcp_subproc_max

int tcpdemux::tcp_subproc_max = 10
static

Definition at line 85 of file tcpdemux.h.

Referenced by post_process().

◆ tcp_timeout

uint32_t tcpdemux::tcp_timeout = 0
static

Definition at line 83 of file tcpdemux.h.

Referenced by process_pkt().

◆ unique_id

uint64_t tcpdemux::unique_id

Definition at line 136 of file tcpdemux.h.

Referenced by process_tcp().

◆ xreport

dfxml_writer* tcpdemux::xreport

Definition at line 132 of file tcpdemux.h.

Referenced by droproot(), main(), post_process(), and ~tcpdemux().

