Diffstat (limited to 'examples')
-rw-r--r-- | examples/c-captured/c-captured.c | 8 | ||||
-rwxr-xr-x | examples/py-flow-info/flow-info.py | 25 | ||||
-rwxr-xr-x | examples/py-semantic-validation/py-semantic-validation.py | 34 |
3 files changed, 37 insertions, 30 deletions
diff --git a/examples/c-captured/c-captured.c b/examples/c-captured/c-captured.c
index 443762ced..d7e7600c3 100644
--- a/examples/c-captured/c-captured.c
+++ b/examples/c-captured/c-captured.c
@@ -372,8 +372,8 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
 return CALLBACK_ERROR;
 }
- nDPIsrvd_ull thread_ts_msec = 0ull;
- perror_ull(TOKEN_VALUE_TO_ULL(TOKEN_GET_SZ(sock, "thread_ts_msec"), &thread_ts_msec), "thread_ts_msec");
+ nDPIsrvd_ull thread_ts_usec = 0ull;
+ perror_ull(TOKEN_VALUE_TO_ULL(TOKEN_GET_SZ(sock, "thread_ts_usec"), &thread_ts_usec), "thread_ts_usec");
 nDPIsrvd_ull pkt_len = 0ull;
 perror_ull(TOKEN_VALUE_TO_ULL(TOKEN_GET_SZ(sock, "pkt_len"), &pkt_len), "pkt_len");
@@ -384,8 +384,8 @@ static enum nDPIsrvd_callback_return captured_json_callback(struct nDPIsrvd_sock
 nDPIsrvd_ull pkt_l4_offset = 0ull;
 perror_ull(TOKEN_VALUE_TO_ULL(TOKEN_GET_SZ(sock, "pkt_l4_offset"), &pkt_l4_offset), "pkt_l4_offset");
- struct packet_data pd = {.packet_ts_sec = thread_ts_msec / 1000,
- .packet_ts_usec = (thread_ts_msec % 1000) * 1000,
+ struct packet_data pd = {.packet_ts_sec = thread_ts_usec / (1000 * 1000),
+ .packet_ts_usec = (thread_ts_usec % (1000 * 1000)),
 .packet_len = pkt_len,
 .base64_packet_size = pkt->value_length,
 .base64_packet_const = pkt->value};
diff --git a/examples/py-flow-info/flow-info.py b/examples/py-flow-info/flow-info.py
index d341f6c26..770058978 100755
--- a/examples/py-flow-info/flow-info.py
+++ b/examples/py-flow-info/flow-info.py
@@ -182,7 +182,7 @@ def checkEventFilter(json_dict):
 'guessed': args.guessed, 'detected': args.detected, 'detection-update': args.detection_update, 'not-detected': args.not_detected,
- 'update': args.update}
+ 'update': args.update, 'analysis': args.analysis}
 if flow_events[json_dict['flow_event_name']] is True:
 return True
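Review bot: The microsecond split in the `packet_data` initializer hard-codes `1000 * 1000` twice, so the unit assumption behind `thread_ts_usec` lives only in those two expressions; a named constant documents the unit and keeps both in step, e.g. `#define USEC_PER_SEC (1000ull * 1000ull)` at file top and `.packet_ts_sec = thread_ts_usec / USEC_PER_SEC,` / `.packet_ts_usec = thread_ts_usec % USEC_PER_SEC,`. The arithmetic itself is correct for an unsigned microsecond count. captured_json_callback begins before and continues after both hunks.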
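Review bot: The filter key added to `flow_events` is spelled `'analysis'`, while py-semantic-validation.py in this same commit names the event `'analyse'` (its `resetEventCounter` key list and its `flow_finished` exemption); only one spelling can match what the daemon emits, so either `--analysis` never selects anything or the validator's counter stays at zero and its finished-flow check misfires on analysis events. The `'analysis'` spelling is also used in the colouring branch and the `--analysis` argparse option later in this file, so whichever name is correct should be applied in all five places, e.g. `'update': args.update, 'analysis': args.analysis}` kept here and the validator's `'analyse'` occurrences renamed to match, or the reverse. checkEventFilter's body starts before this hunk.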
@@ -237,26 +237,27 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data): basic_daemon_event_prefix = '' timestamp = '' if args.print_timestamp is True: - if 'thread_ts_msec' in json_dict: + if 'thread_ts_usec' in json_dict: timestamp += '[{}]'.format(time.strftime('%H:%M:%S', - time.localtime(json_dict['thread_ts_msec'] / 1000))) - elif 'global_ts_msec' in json_dict: + time.localtime(nDPIsrvd.toSeconds(json_dict['thread_ts_usec'])))) + elif 'global_ts_usec' in json_dict: timestamp += '[{}]'.format(time.strftime('%H:%M:%S', - time.localtime(json_dict['global_ts_msec'] / 1000))) + time.localtime(nDPIsrvd.toSeconds(json_dict['global_ts_usec'])))) first_seen = '' if args.print_first_seen is True: basic_daemon_event_prefix += ' ' * 11 if 'flow_first_seen' in json_dict: - first_seen = '[' + prettifyTimediff(json_dict['flow_first_seen'] / 1000, - json_dict['thread_ts_msec'] / 1000) + ']' + first_seen = '[' + prettifyTimediff(nDPIsrvd.toSeconds(json_dict['flow_first_seen']), + nDPIsrvd.toSeconds(json_dict['thread_ts_usec']) + ']' last_seen = '' if args.print_last_seen is True: basic_daemon_event_prefix += ' ' * 11 - if 'flow_last_seen' in json_dict: - last_seen = '[' + prettifyTimediff(json_dict['flow_last_seen'] / 1000, - json_dict['thread_ts_msec'] / 1000) + ']' + if current_flow is not None: + flow_last_seen = nDPIsrvd.FlowManager.getLastPacketTime(instance, current_flow.flow_id, json_dict) + last_seen = '[' + prettifyTimediff(nDPIsrvd.toSeconds(flow_last_seen), + nDPIsrvd.toSeconds(json_dict['thread_ts_usec']) + ']' if 'daemon_event_id' in json_dict: if json_dict['daemon_event_name'] == 'status': 
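Review bot: The new `last_seen` branch drops the `'flow_last_seen' in json_dict` guard and indexes `json_dict['thread_ts_usec']` unconditionally whenever `current_flow` is set, whereas the timestamp block a few lines above still checks for that key before using it; a line that carries a flow but no `thread_ts_usec` (if the daemon emits such lines — I cannot tell from the hunk) would now end in an uncaught KeyError instead of an empty suffix. Guard it the same way as the timestamp code: `if current_flow is not None and 'thread_ts_usec' in json_dict:`. The `first_seen` branch has the same unguarded lookup, though that one predates this commit. onJsonLineRecvd's body starts before and continues after this hunk.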
@@ -345,6 +346,9 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
 elif json_dict['flow_event_name'] == 'not-detected':
 flow_event_name += '{}{:>16}{}'.format(TermColor.WARNING + TermColor.BOLD + TermColor.BLINK,
 json_dict['flow_event_name'], TermColor.END)
+ elif json_dict['flow_event_name'] == 'analysis':
+ flow_event_name += '{}{:>16}{}'.format(TermColor.WARNING + TermColor.BLINK,
+ json_dict['flow_event_name'], TermColor.END)
 else:
 if json_dict['flow_event_name'] == 'new':
 line_suffix = ''
@@ -414,6 +418,7 @@ if __name__ == '__main__':
 argparser.add_argument('--end', action='store_true', default=False, help='Print only end flow events.')
 argparser.add_argument('--idle', action='store_true', default=False, help='Print only idle flow events.')
 argparser.add_argument('--update', action='store_true', default=False, help='Print only update flow events.')
+ argparser.add_argument('--analysis', action='store_true', default=False, help='Print only analysis flow events.')
 argparser.add_argument('--detection', action='store_true', default=False, help='Print only detected/detection-update flow events.')
 argparser.add_argument('--ipwhois', action='store_true', default=False, help='Use Python-IPWhois to print additional location information.')
 args = argparser.parse_args()
diff --git a/examples/py-semantic-validation/py-semantic-validation.py b/examples/py-semantic-validation/py-semantic-validation.py
index 4b495487c..01e4faf11 100755
--- a/examples/py-semantic-validation/py-semantic-validation.py
+++ b/examples/py-semantic-validation/py-semantic-validation.py
@@ -21,7 +21,7 @@ class Stats:
 def resetEventCounter(self):
 keys = ['init','reconnect','shutdown','status', \
- 'new','end','idle','update',
+ 'new','end','idle','update','analyse', \
 'guessed','detected','detection-update','not-detected', \
 'packet', 'packet-flow']
 for k in keys:
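Review bot: In `resetEventCounter` the list literal's elements carry trailing `\` continuations, and the new `'new','end','idle','update','analyse', \` line adds another; a line break inside `[...]` is already an implicit continuation, so the backslashes are redundant and only make the diff noisier. Dropping it, `'new','end','idle','update','analyse',`, keeps the list readable and matches the `'packet', 'packet-flow']` line that already relies on implicit continuation.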
@@ -174,9 +174,11 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
 elif json_dict['packet_event_name'] != 'packet-flow':
 raise SemanticValidationException(current_flow, 'Layer4 protocol not found in JSON')
- if 'flow_last_seen' in json_dict:
- if json_dict['flow_last_seen'] != current_flow.flow_last_seen:
- raise SemanticValidationException(current_flow, 'Flow last seen: {} != {}'.format(json_dict['flow_last_seen'],
+ flow_last_seen = None
+ if 'flow_src_last_pkt_time' in json_dict or 'flow_dst_last_pkt_time' in json_dict:
+ flow_last_seen = max(json_dict['flow_src_last_pkt_time'], json_dict['flow_dst_last_pkt_time'])
+ if flow_last_seen != current_flow.flow_last_seen:
+ raise SemanticValidationException(current_flow, 'Flow last seen: {} != {}'.format(flow_last_seen,
 current_flow.flow_last_seen))
 if 'flow_idle_time' in json_dict:
@@ -184,15 +186,14 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
 raise SemanticValidationException(current_flow, 'Flow idle time mismatch: {} != {}'.format(json_dict['flow_idle_time'],
 current_flow.flow_idle_time))
- if ('flow_last_seen' in json_dict and 'flow_idle_time' not in json_dict) or \
- ('flow_last_seen' not in json_dict and 'flow_idle_time' in json_dict):
+ if (flow_last_seen is not None and 'flow_idle_time' not in json_dict) or \
+ (flow_last_seen is None and 'flow_idle_time' in json_dict):
 raise SemanticValidationException(current_flow,
- 'Got a JSON string with only one of both keys, ' \
- 'both required for timeout handling:' \
- 'flow_last_seen, flow_idle_time')
+ 'Got a JSON string with only 2 of 3 keys, ' \
+ 'required for timeout handling: flow_idle_time')
- if 'thread_ts_msec' in json_dict:
- current_flow.thread_ts_msec = int(json_dict['thread_ts_msec'])
+ if 'thread_ts_usec' in json_dict:
+ current_flow.thread_ts_usec = int(json_dict['thread_ts_usec'])
 if 'flow_packet_id' in json_dict:
 try:
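Review bot: The presence test `if 'flow_src_last_pkt_time' in json_dict or 'flow_dst_last_pkt_time' in json_dict:` uses `or`, but the next line indexes both keys inside `max(...)`, so a line carrying only one of them raises a KeyError out of the validator instead of the SemanticValidationException this script exists to produce; the input is JSON read from the daemon, and a half-populated event is exactly the kind of inconsistency that should be reported as a validation failure rather than crash the consumer. Test the two keys separately, treat a mismatch as a semantic error, and leave `flow_last_seen` as None only when both are absent. onJsonLineRecvd's body starts before and continues after this hunk.
```python
has_src_last = 'flow_src_last_pkt_time' in json_dict
has_dst_last = 'flow_dst_last_pkt_time' in json_dict
if has_src_last != has_dst_last:
    raise SemanticValidationException(current_flow,
                                      'Got only one of flow_src_last_pkt_time / flow_dst_last_pkt_time')
flow_last_seen = None
if has_src_last and has_dst_last:
    flow_last_seen = max(json_dict['flow_src_last_pkt_time'], json_dict['flow_dst_last_pkt_time'])
    # … unchanged: 'Flow last seen' comparison against current_flow.flow_last_seen …
```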
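Review bot: The rewritten exception text `'Got a JSON string with only 2 of 3 keys, ' 'required for timeout handling: flow_idle_time'` no longer tells the reader which three keys are meant, and "only 2 of 3" is also inaccurate for the branch where `flow_last_seen is None` and `flow_idle_time` is present (one of three). Since the condition is now derived from `flow_last_seen`, state the actual invariant, e.g. `'flow_idle_time must be present exactly when flow_src_last_pkt_time/flow_dst_last_pkt_time are ' 'got flow_last_seen={}, flow_idle_time present={}'.format(flow_last_seen, 'flow_idle_time' in json_dict)`.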
@@ -254,6 +255,7 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
 current_flow.flow_finished = True
 if current_flow.flow_finished == True and \
+ json_dict['flow_event_name'] != 'analyse' and \
 json_dict['flow_event_name'] != 'update' and \
 json_dict['flow_event_name'] != 'idle' and \
 json_dict['flow_event_name'] != 'end':
@@ -264,14 +266,14 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data):
 pass
 try:
- if json_dict['flow_first_seen'] > current_flow.thread_ts_msec or \
- json_dict['flow_last_seen'] > current_flow.thread_ts_msec or \
- json_dict['flow_first_seen'] > json_dict['flow_last_seen']:
+ if json_dict['flow_first_seen'] > current_flow.thread_ts_usec or \
+ flow_last_seen > current_flow.thread_ts_usec or \
+ json_dict['flow_first_seen'] > flow_last_seen:
 raise SemanticValidationException(current_flow, 'Last packet timestamp is invalid: ' \
 'first_seen({}) <= {} >= last_seen({})'.format(json_dict['flow_first_seen'],
- current_flow.thread_ts_msec,
- json_dict['flow_last_seen']))
+ current_flow.thread_ts_usec,
+ flow_last_seen))
 except AttributeError:
 if json_dict['flow_event_name'] == 'new':
 pass
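Review bot: `flow_last_seen > current_flow.thread_ts_usec` and `json_dict['flow_first_seen'] > flow_last_seen` are evaluated with `flow_last_seen` possibly still None (the earlier hunk initialises it to None when the `flow_*_last_pkt_time` keys are absent), and on Python 3 comparing None with an int raises TypeError, which the surrounding `except AttributeError:` does not catch; the old code's `json_dict['flow_last_seen']` failed differently, so this is a new failure mode if such events reach this point — I cannot tell from the hunk whether they do. Either guard the comparison, `if flow_last_seen is not None and (json_dict['flow_first_seen'] > current_flow.thread_ts_usec or ...)`, or raise a SemanticValidationException before the `try` when `flow_last_seen` is None for an event that is expected to carry it. The `try` block and onJsonLineRecvd continue outside this hunk.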