nfdump浅窥

2016-06-23  本文已影响135人  丁不想被任何狗咬

想知道nfdump抓取分割session的方法,尤其是tcp session。
因为看到文档说不是按照syn fin这些来进行分割的,而是整合了相似的包们,形成一个flow。
简单看了看源代码。没有仔细看,可能有错,未来的我,别相信下面的文字!
以下代码来自 nfcapd.c:

args的定义:

/*
 * Argument block handed to p_packet_thread() via its void *thread_data
 * parameter (by naming; the thread body is not reproduced in this listing).
 * The first four fields mirror p_flow_thread_args_t, the rest are specific
 * to the packet side of the packet -> flow hand-off.
 */
typedef struct p_packet_thread_args_s {
    // common thread info struct
    pthread_t tid;          // id of the worker thread itself
    int done;               // completion flag; the flow thread passes the address of its own `done` into Pop_Node — presumably the same protocol here, verify
    int exit;               // exit request flag — NOTE(review): how `exit` differs from `done` is not visible in this listing

    // the parent
    pthread_t parent;       // thread that created the worker

    // arguments
    NodeList_t *NodeList;  // push new nodes into this list (producer side; p_flow_thread pops from it)
    pcap_dev_t *pcap_dev;   // capture device the packets come from (type defined elsewhere)
    time_t t_win;           // window length in seconds — inferred from p_flow_thread's use of its own t_win for file rotation; confirm for this thread
    int subdir_index;       // NOTE(review): purpose not shown here — presumably selects an output sub-directory scheme; verify
    char *pcap_datadir;     // directory for pcap output — TODO confirm, not used in this listing
    int live;               // flag — presumably live capture vs. replay from file; verify
} p_packet_thread_args_t;

/*
 * Argument block handed to p_flow_thread() via its void *thread_data
 * parameter (the body below reads it as `args`). Shares the common thread
 * header with p_packet_thread_args_t; the remaining fields are the
 * consumer side of the packet -> flow hand-off.
 */
typedef struct p_flow_thread_args_s {
    // common thread info struct
    pthread_t tid;          // id of the worker thread itself
    int done;               // completion flag: its address is passed into Pop_Node, and the thread copies it into a local `done` when Pop_Node returns NULL
    int exit;               // exit request flag — NOTE(review): how `exit` differs from `done` is not visible in this listing

    // the parent
    pthread_t parent;       // thread that created the worker

    // arguments
    NodeList_t *NodeList;        // pop new nodes from this list (consumer side; filled by the packet thread)
    FlowSource_t *fs;            // flow source list; each entry owns an output file (fs->nffile) that is disposed at shutdown
    time_t t_win;                // file rotation window in seconds: the output file rotates once t_win has elapsed on the node clock
    int subdir_index;            // NOTE(review): purpose not shown here — presumably selects an output sub-directory scheme; verify
    int compress;                // output compression setting — TODO confirm, not used in the reproduced body
} p_flow_thread_args_t;

处理packet,Push_Node的位置:

/* Packet-capture worker. Per the surrounding note this is where packets are
 * processed and Push_Node() is called; its body is not reproduced in this
 * listing. thread_data presumably points to a p_packet_thread_args_t (by
 * naming) — confirm in nfcapd.c. Declared noreturn: the thread must end via
 * pthread_exit() or similar rather than returning. */
__attribute__((noreturn)) static void *p_packet_thread(void *thread_data);

将packet整合为flow,Pop_Node的位置:

/*
 * Flow-assembly worker, abridged by the author: `......` marks elided code,
 * and the declarations of args, fs, t_win, t_start, t_clock, t_udp_flush and
 * done are not reproduced, so this does not compile as shown.
 *
 * Loop shape: pop a node, advance the thread's clock to that node's last-seen
 * timestamp, rotate the output file once a full t_win has elapsed on that
 * clock (or when the producer is done), and expire idle UDP flows. At
 * shutdown every output file in the flow-source list is disposed.
 */
__attribute__((noreturn)) static void *p_flow_thread(void *thread_data) {

    t_start = 0;        // start of the current rotation window; 0 means "not yet aligned"
    t_clock = 0;        // "now" for this thread: in this listing it is only ever set from node timestamps, not from the wall clock
    t_udp_flush = 0;    // node-clock time of the last idle-UDP flush
    while ( 1 ) {
        struct FlowNode * Node;
        // &args->done is handed to Pop_Node, so the pop can observe the producer's completion state
        Node = Pop_Node(args->NodeList, &args->done);
        if ( Node ) {
            // clock follows node timestamps; if nodes are not pushed in time order it can step backwards — TODO confirm ordering in Push_Node
            t_clock = Node->t_last.tv_sec;
            dbg_printf("p_flow_thread() Next Node\n");
        } else {
            // the local `done` is only refreshed when the list yields nothing
            done = args->done;
            dbg_printf("p_flow_thread() NULL Node\n");
        }

        if ( t_start == 0 ) {
            // align the window start to a t_win boundary; while t_clock is still 0 this stays 0 and re-runs next iteration
            t_udp_flush = t_start = t_clock - (t_clock % t_win);
        }
        if (((t_clock - t_start) >= t_win) || done) { /* rotate file */
            ......   // elided by the author: the actual file rotation
            if(done)    
                break;
            t_start = t_clock - (t_clock % t_win);   // re-align to the boundary of the window that contains t_clock
        }
        // NOTE(review): as transcribed, `|| !done` makes this branch run on every iteration until shutdown
        // (when `done` is set the loop already broke above), so the 10-second check never matters;
        // looks like a transcription slip for `|| done` — verify against nfcapd.c before relying on it
        if (((t_clock - t_udp_flush) >= 10) || !done) { /* flush inactive UDP list */   
            UDPexpire(fs, t_clock - 10 );   // expire UDP flows idle for 10 s, measured on the node clock
            t_udp_flush = t_clock;
        }
    }
    // shutdown: dispose every output file in the flow-source list
    while ( fs ) {   
        DisposeFile(fs->nffile);   
        fs = fs->next;
   }
    // NOTE(review): as reproduced, control falls off the end of a noreturn function, which is UB;
    // the original presumably ends with pthread_exit() or similar after this loop — confirm
}

