fix for #202, missing parts of multinet aggregates #208

Merged
merged 2 commits into from
Jul 20, 2020
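--- a/Format.md
+++ b/Format.md
@@ -46,7 +46,7 @@ In more detail, the JSON format consists of a bracketed sequence of records in b
 
 * The "Event" field specifies what kind of event is being reported. This field can take on the following values: "new" for newly seen connections, "change" when the connection's identifying parameters such as port numbers of QUIC connection identifiers change, "delete" for connections deleted, "spinflip" for a flip of the QUIC spin bit in a connection, "spin" for any value of a spin bit in a QUIC connection, "measurement" for new RTT measurements, and "ecnce" for ECN-related events. In addition, the "packet" signals any other update of the counters, and "periodic" signals a periodic report made every N seconds but without a preceding event such as the reception of a packet.
 * The "Type" field specifies the type of a connection. This field can take on the following basic values: "UDP", "TCP", "QUIC", "DNS", "COAP", "ICMP" and "SCTP". In addition, it is possible to specify aggregate connections; these take on the following types: "HOSTS" for a host-to-host aggregate, "H2NET" for a host-to-network aggregate, "NET2NET" for a network-to-network aggregate, "H2MUL" for a host to multiple networks aggregate, NET2MUL for a network to multiple networks aggregate and "MCAST" for a multicast group aggregate.
-* The "Addrs" field specifies addresses associated with the connection or aggregate. In the case of an H2MUL or NET2MUL connection, the right hand address is always zero.
+* The "Addrs" field specifies addresses associated with the connection or aggregate. In the case of an H2MUL or NET2MUL connection, the right hand address is a digest of the right side networks associated with that connection, represented as an IPv4 address.
 * The "Session" field specifies the session identifiers associated with the connection, if any. For TCP and UDP connections these are the port numbers, for QUIC the connection IDs, for ICMP the identifier field and for SCTP the verification tags and the port numbers.
 * The "Ts" is the timestamp, number of microseconds since the start of January 1, 1970. Note that the number is represented as an integer, given that the 53 bits of integer precision in JSON integers is sufficient. About 20 bits are needed for the microseconds part, which leaves 43 bits for the integer seconds parts; enough until year 280892.
 * The "State" field is the state of the connection, either "Starting", "Up", "Closing", or "Closed".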
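--- a/src/spindump_analyze_event.c
+++ b/src/spindump_analyze_event.c
@@ -257,6 +257,21 @@ spindump_analyze_event_parseside1host(const struct spindump_event* event) {
 return(1);
 }
 
+//
+// Check that the given event side2 address/network is indeed a host
+// not a network
+//
+
+static int
+spindump_analyze_event_parseside2host(const struct spindump_event* event) {
+int host = spindump_network_ishost(&event->responderAddress);
+if (!host) {
+spindump_errorf("responder in this aggregate connection must be a host address");
+return(0);
+}
+return(1);
+}
+
 //
 // Parse the session id of an event representing an TCP/UDP/etc
 // connection that has two ports.
@@ -596,15 +611,6 @@ spindump_analyze_processevent_new_connection(struct spindump_analyze* state,
 state->table);
 break;
 
-case spindump_connection_aggregate_hostmultinet:
-if (!spindump_analyze_event_parseside1host(event)) return;
-*p_connection =
-spindump_connections_newconnection_aggregate_hostmultinet(&event->initiatorAddress.address,
-&when,
-0,
-state->table);
-break;
-
 case spindump_connection_aggregate_networknetwork:
 *p_connection =
 spindump_connections_newconnection_aggregate_networknetwork(0,
@@ -615,9 +621,21 @@ spindump_analyze_processevent_new_connection(struct spindump_analyze* state,
 state->table);
 break;
 
+case spindump_connection_aggregate_hostmultinet:
+if (!spindump_analyze_event_parsehostpair(event)) return;
+*p_connection =
+spindump_connections_newconnection_aggregate_hostmultinet(&event->initiatorAddress.address,
+&event->responderAddress.address,
+&when,
+0,
+state->table);
+break;
+
 case spindump_connection_aggregate_networkmultinet:
+if (!spindump_analyze_event_parseside2host(event)) return;
 *p_connection =
 spindump_connections_newconnection_aggregate_networkmultinet(&event->initiatorAddress,
+&event->responderAddress.address,
 &when,
 0,
 state->table);
@@ -1165,16 +1183,29 @@ spindump_analyze_processevent_find_connection(struct spindump_analyze* state,
 state->table);
 break;
 
+case spindump_connection_aggregate_hostmultinet:
+if (!spindump_analyze_event_parsehostpair(event)) return(0);
+connection =
+spindump_connections_searchconnection_aggregate_hostmultinet(&event->initiatorAddress.address,
+&event->responderAddress.address,
+state->table);
+break;
+
+case spindump_connection_aggregate_networkmultinet:
+if (!spindump_analyze_event_parseside2host(event)) return(0);
+connection =
+spindump_connections_searchconnection_aggregate_networkmultinet(&event->initiatorAddress,
+&event->responderAddress.address,
+state->table);
+break;
+
 case spindump_connection_aggregate_multicastgroup:
 if (!spindump_analyze_event_parseside1host(event)) return(0);
 connection =
 spindump_connections_searchconnection_aggregate_multicastgroup(&event->initiatorAddress.address,
 state->table);
 break;
 
-case spindump_connection_aggregate_hostmultinet:
-case spindump_connection_aggregate_networkmultinet:
-return(0); // TBD ... not supported yet
-
 default:
 spindump_errorf("invalid connection type %u", event->connectionType);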
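Review bot: `spindump_analyze_event_parseside2host` only checks that the responder is a single host address, yet in the multinet cases of `spindump_analyze_processevent_new_connection` and `spindump_analyze_processevent_find_connection` that field is the aggregate identifier, which Format.md describes as a digest represented as an IPv4 address. Nothing in the visible lines rejects an identifier of another address family before it becomes part of the lookup key, and the event content presumably originates outside the process, so a family check next to the host check would be worth adding. At minimum the helper's header comment should say what side2 means here, e.g. `// For H2MUL/NET2MUL events side2 carries the aggregate identifier digest, not a peer address`. Both processevent functions start and end outside these hunks, so how a null result from the new search calls is handled cannot be confirmed from here.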
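--- a/src/spindump_connections.c
+++ b/src/spindump_connections.c
@@ -152,15 +152,21 @@ spindump_connections_getaddresses(struct spindump_connection* connection,
 *p_side2address = &connection->u.aggregatehostpair.side2peerAddress;
 break;
 case spindump_connection_aggregate_hostnetwork:
-case spindump_connection_aggregate_hostmultinet:
 *p_side1address = &connection->u.aggregatehostnetwork.side1peerAddress;
 *p_side2address = 0;
 break;
 case spindump_connection_aggregate_networknetwork:
-case spindump_connection_aggregate_networkmultinet:
 *p_side1address = 0;
 *p_side2address = 0;
 break;
+case spindump_connection_aggregate_hostmultinet:
+*p_side1address = &connection->u.aggregatehostmultinet.side1peerAddress;
+*p_side2address = &connection->u.aggregatehostmultinet.identifier;
+break;
+case spindump_connection_aggregate_networkmultinet:
+*p_side1address = 0;
+*p_side2address = &connection->u.aggregatenetworkmultinet.identifier;
+break;
 case spindump_connection_aggregate_multicastgroup:
 *p_side1address = 0;
 *p_side2address = &connection->u.aggregatemulticastgroup.group;
@@ -230,12 +236,12 @@ spindump_connections_getnetworks(struct spindump_connection* connection,
 *p_side2network = connection->u.aggregatenetworknetwork.side2Network;
 break;
 case spindump_connection_aggregate_hostmultinet:
-spindump_network_fromaddress(&connection->u.aggregatehostnetwork.side1peerAddress,p_side1network);
-spindump_network_fromempty(AF_INET,p_side2network);
+spindump_network_fromaddress(&connection->u.aggregatehostmultinet.side1peerAddress,p_side1network);
+spindump_network_fromaddress(&connection->u.aggregatehostmultinet.identifier,p_side2network);
 break;
 case spindump_connection_aggregate_networkmultinet:
-*p_side1network = connection->u.aggregatenetworknetwork.side1Network;
-spindump_network_fromempty(AF_INET,p_side2network);
+*p_side1network = connection->u.aggregatenetworkmultinet.side1Network;
+spindump_network_fromaddress(&connection->u.aggregatenetworkmultinet.identifier,p_side2network);
 break;
 case spindump_connection_aggregate_multicastgroup:
 spindump_network_fromempty(AF_INET,p_side1network);
@@ -767,7 +773,8 @@ spindump_connections_matches_aggregate_connection(int seenMatch,
 
 case spindump_connection_aggregate_hostmultinet:
 case spindump_connection_aggregate_networkmultinet:
-return(0); // TBD ... not implemented yet
+spindump_errorf("cannot do direct matching with a multinet aggregate");
+return(0);
 
 default:
 spindump_errorf("invalid connection type %u in spindump_connections_matches_aggregate_connection",
@@ -824,7 +831,8 @@ spindump_connections_matches_aggregate_srcdst(const spindump_address* source,
 
 case spindump_connection_aggregate_hostmultinet:
 case spindump_connection_aggregate_networkmultinet:
-return(0); // TBD ... not implemented yet
+spindump_errorf("cannot do direct matching with a multinet aggregate");
+return(0);
 
 default:
 spindump_errorf("invalid connection type %u in spindump_connections_matches_aggregate_srcdst", aggregate->type);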
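Review bot: The multinet branches in `spindump_connections_matches_aggregate_connection` and `spindump_connections_matches_aggregate_srcdst` now log through `spindump_errorf` with identical text, so a report of it cannot be traced to either function, unlike the `default:` branches directly below, which name theirs. If these matchers are reached for every aggregate in the table while traffic is classified (the callers are outside the hunks), the former silent `return(0)` becomes one error line per attempt as soon as a multinet aggregate exists, so it is worth confirming that callers skip multinet aggregates before calling. Suggested wording: `spindump_errorf("cannot do direct matching with a multinet aggregate in spindump_connections_matches_aggregate_srcdst");` and the equivalent in the other function.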
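--- a/src/spindump_connections.h
+++ b/src/spindump_connections.h
@@ -147,11 +147,13 @@ spindump_connections_newconnection_aggregate_networknetwork(int defaultMatch,
 struct spindump_connectionstable* table);
 struct spindump_connection*
 spindump_connections_newconnection_aggregate_hostmultinet(const spindump_address* side1address,
+const spindump_address* identifier,
 const struct timeval* when,
 int manuallyCreated,
 struct spindump_connectionstable* table);
 struct spindump_connection*
 spindump_connections_newconnection_aggregate_networkmultinet(const spindump_network* side1network,
+const spindump_address* identifier,
 const struct timeval* when,
 int manuallyCreated,
 struct spindump_connectionstable* table);
@@ -283,6 +285,14 @@ spindump_connections_searchconnection_aggregate_networknetwork(const spindump_ne
 const spindump_network* side2network,
 struct spindump_connectionstable* table);
 struct spindump_connection*
+spindump_connections_searchconnection_aggregate_hostmultinet(const spindump_address* side1address,
+const spindump_address* side2address,
+struct spindump_connectionstable* table);
+struct spindump_connection*
+spindump_connections_searchconnection_aggregate_networkmultinet(const spindump_network* side1network,
+const spindump_address* side2address,
+struct spindump_connectionstable* table);
+struct spindump_connection*
 spindump_connections_searchconnection_aggregate_multicastgroup(const spindump_address* address,
 struct spindump_connectionstable* table);
 unsigned long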
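Review bot: The two new search prototypes name their second parameter `side2address`, while the constructors changed in this same header call the same value `identifier`, so a reader of the header cannot tell that the search key is the digest and not a peer address. Renaming it keeps the pairs consistent: `const spindump_address* identifier,` in both `spindump_connections_searchconnection_aggregate_hostmultinet` and `spindump_connections_searchconnection_aggregate_networkmultinet`. A short comment above the four prototypes would also help callers, e.g. `// identifier: digest of the side 2 networks, in IPv4 address form (see Format.md)`.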
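--- a/src/spindump_connections_new.c
+++ b/src/spindump_connections_new.c
@@ -776,6 +776,7 @@ spindump_connections_newconnection_aggregate_networknetwork(int defaultMatch,
 
 struct spindump_connection*
 spindump_connections_newconnection_aggregate_hostmultinet(const spindump_address* side1address,
+const spindump_address* identifier,
 const struct timeval* when,
 int manuallyCreated,
 struct spindump_connectionstable* table) {
@@ -789,6 +790,7 @@ spindump_connections_newconnection_aggregate_hostmultinet(const spindump_address
 
 connection->state = spindump_connection_state_static;
 connection->u.aggregatehostmultinet.side1peerAddress = *side1address;
+connection->u.aggregatehostmultinet.identifier = *identifier;
 spindump_debugf("created a new host-multinet aggregate onnection %u", connection->id);
 return(connection);
 }
@@ -800,6 +802,7 @@ spindump_connections_newconnection_aggregate_hostmultinet(const spindump_address
 
 struct spindump_connection*
 spindump_connections_newconnection_aggregate_networkmultinet(const spindump_network* side1network,
+const spindump_address* identifier,
 const struct timeval* when,
 int manuallyCreated,
 struct spindump_connectionstable* table) {
@@ -813,6 +816,7 @@ spindump_connections_newconnection_aggregate_networkmultinet(const spindump_netw
 
 connection->state = spindump_connection_state_static;
 connection->u.aggregatenetworkmultinet.side1Network = *side1network;
+connection->u.aggregatenetworkmultinet.identifier = *identifier;
 spindump_debugf("created a new network-multinet aggregate onnection %u", connection->id);
 return(connection);
 }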
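Review bot: Both constructors copy `*identifier` into the connection with no check visible in these hunks that the pointer is non-null. The lines between each signature and the assignment are outside the hunks, so an argument check may already exist there; if it does not, stating the contract in the function header would be enough, e.g. `// identifier must be non-null; it is copied by value into the aggregate`. The callers shown in this commit pass the address of an event field, so the concern is only for call sites not visible on this page.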
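--- a/src/spindump_connections_print.c
+++ b/src/spindump_connections_print.c
@@ -462,9 +462,9 @@ spindump_connection_report_networknetwork(struct spindump_connection* connection
 FILE* file,
 int anonymize,
 struct spindump_reverse_dns* querier) {
-fprintf(file," network 1: %40s\n",
+fprintf(file," network 1: %40s\n",
 spindump_network_tostring(&connection->u.aggregatenetworknetwork.side1Network));
-fprintf(file," network 2: %40s\n",
+fprintf(file," network 2: %40s\n",
 spindump_network_tostring(&connection->u.aggregatenetworknetwork.side2Network));
 fprintf(file," aggregates: %40s\n",
 spindump_connections_set_listids(&connection->u.aggregatenetworknetwork.connections));
@@ -483,7 +483,10 @@ spindump_connection_report_hostmultinet(struct spindump_connection* connection,
 spindump_connection_address_tostring(anonymize,
 &connection->u.aggregatehostmultinet.side1peerAddress,
 querier));
-fprintf(file," network: multiple\n");
+fprintf(file," identifier: %40s\n",
+spindump_connection_address_tostring(0,
+&connection->u.aggregatehostmultinet.identifier,
+querier));
 fprintf(file," aggregates: %40s\n",
 spindump_connections_set_listids(&connection->u.aggregatehostmultinet.connections));
 }
@@ -497,9 +500,12 @@ spindump_connection_report_networkmultinet(struct spindump_connection* connectio
 FILE* file,
 int anonymize,
 struct spindump_reverse_dns* querier) {
-fprintf(file," network 1: %40s\n",
+fprintf(file," network 1: %40s\n",
 spindump_network_tostring(&connection->u.aggregatenetworkmultinet.side1Network));
-fprintf(file," network 2: multiple\n");
+fprintf(file," identifier: %40s\n",
+spindump_connection_address_tostring(0,
+&connection->u.aggregatenetworkmultinet.identifier,
+querier));
 fprintf(file," aggregates: %40s\n",
 spindump_connections_set_listids(&connection->u.aggregatenetworkmultinet.connections));
 }
@@ -787,12 +793,16 @@ spindump_connection_addresses(struct spindump_connection* connection,
 spindump_connection_address_tostring(anonymizeLeft,&connection->u.aggregatehostmultinet.side1peerAddress,querier),
 sizeof(buf));
 spindump_strlcat(buf,middle,sizeof(buf));
-spindump_strlcat(buf,"multiple",sizeof(buf));
+spindump_strlcat(buf,
+spindump_connection_address_tostring(anonymizeLeft,&connection->u.aggregatehostmultinet.identifier,querier),
+sizeof(buf));
 break;
 case spindump_connection_aggregate_networkmultinet:
 spindump_strlcpy(buf,spindump_network_tostring(&connection->u.aggregatenetworkmultinet.side1Network),sizeof(buf));
 spindump_strlcat(buf,middle,sizeof(buf));
-spindump_strlcat(buf,"multiple",sizeof(buf));
+spindump_strlcat(buf,
+spindump_connection_address_tostring(anonymizeLeft,&connection->u.aggregatenetworkmultinet.identifier,querier),
+sizeof(buf));
 break;
 case spindump_connection_aggregate_multicastgroup:
 spindump_strlcpy(buf,spindump_address_tostring(&connection->u.aggregatemulticastgroup.group),sizeof(buf));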
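Review bot: In `spindump_connection_addresses` the identifier on the right-hand side is formatted with `anonymizeLeft`, whereas `spindump_connection_report_hostmultinet` and `spindump_connection_report_networkmultinet` pass a literal `0` for the same field, so the same value is masked in one output and shown in the other depending on the left-side setting. All four calls also hand the digest to `spindump_connection_address_tostring` together with `querier`; if that helper resolves names through the reverse-DNS object, as the parameter type suggests, a digest that merely looks like an IPv4 address could be looked up and displayed as an unrelated host name. Because the identifier is not a peer address, the plain formatter already used for the multicast group in the next case looks like the better fit, e.g. `spindump_strlcat(buf,spindump_address_tostring(&connection->u.aggregatehostmultinet.identifier),sizeof(buf));`. `spindump_connection_addresses` begins and ends outside the hunk, so its full parameter list is not visible here.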