1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
/*
*
* (C) 2013-22 - ntop.org
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
#ifndef _HOST_STATS_H_
#define _HOST_STATS_H_
class Host;
class HostStats: public GenericTrafficElement {
protected:
NetworkInterface *iface;
Host *host;
u_int8_t client_flows_anomaly:1, server_flows_anomaly:1, client_score_anomaly:1, server_score_anomaly:1, _notused:4;
u_int32_t total_alerts;
u_int32_t unreachable_flows_as_client, unreachable_flows_as_server;
/* Used concurrently in view interfaces, possibly removed after https://github.com/ntop/ntopng/issues/4596 */
u_int32_t alerted_flows_as_client, alerted_flows_as_server;
u_int32_t host_unreachable_flows_as_client, host_unreachable_flows_as_server;
u_int32_t total_num_flows_as_client, total_num_flows_as_server;
u_int32_t num_flow_alerts;
u_int64_t udp_sent_unicast, udp_sent_non_unicast;
L4Stats l4stats;
u_int8_t consecutive_high_score;
time_t periodicUpdate, periodic_stats_update;
/* *************************************** */
/* Behavioural analysis regarding the host */
DESCounter active_flows_srv, active_flows_cli, score_cli, score_srv;
/* **************************************** */
/* Written by NetworkInterface::periodicStatsUpdate thread */
// NOTE: GenericTrafficElement inherited data is updated periodically too
u_int32_t total_activity_time /* sec */;
u_int32_t last_epoch_update; /* useful to avoid multiple updates */
#ifdef NTOPNG_PRO
HostPoolStats *quota_enforcement_stats, *quota_enforcement_stats_shadow;
#endif
/* Written by NetworkInterface::processPacket thread */
PacketStats sent_stats, recv_stats;
/* Used to store checkpoint data to build top talkers stats */
struct {
u_int64_t sent_bytes;
u_int64_t rcvd_bytes;
} checkpoints;
public:
HostStats(Host *_host);
virtual ~HostStats();
virtual void incStats(time_t when, u_int8_t l4_proto,
u_int ndpi_proto, ndpi_protocol_category_t ndpi_category,
custom_app_t custom_app,
u_int64_t sent_packets, u_int64_t sent_bytes, u_int64_t sent_goodput_bytes,
u_int64_t rcvd_packets, u_int64_t rcvd_bytes, u_int64_t rcvd_goodput_bytes,
bool peer_is_unicast);
void checkpoint(lua_State* vm);
virtual void getJSONObject(json_object *my_object, DetailsLevel details_level);
inline void incFlagStats(bool as_client, u_int8_t flags, bool cumulative_flags) {
if (as_client)
sent_stats.incFlagStats(flags, cumulative_flags);
else
recv_stats.incFlagStats(flags, cumulative_flags);
};
virtual void computeAnomalyIndex(time_t when) {};
inline Host* getHost() const { return(host); }
inline void incNumAlertedFlows(bool as_client) { if(as_client) alerted_flows_as_client++; else alerted_flows_as_server++; };
inline void incNumUnreachableFlows(bool as_server) { if(as_server) unreachable_flows_as_server++; else unreachable_flows_as_client++; }
inline void incNumHostUnreachableFlows(bool as_server) { if(as_server) host_unreachable_flows_as_server++; else host_unreachable_flows_as_client++; };
inline void incNumFlowAlerts() { num_flow_alerts++; };
inline void incTotalAlerts() { total_alerts++; };
inline u_int32_t getTotalAlertedNumFlowsAsClient() const { return(alerted_flows_as_client); };
inline u_int32_t getTotalAlertedNumFlowsAsServer() const { return(alerted_flows_as_server); };
inline u_int32_t getTotalUnreachableNumFlowsAsClient() const { return(unreachable_flows_as_client); };
inline u_int32_t getTotalUnreachableNumFlowsAsServer() const { return(unreachable_flows_as_server); };
inline u_int32_t getTotalHostUnreachableNumFlowsAsClient() const { return(host_unreachable_flows_as_client); };
inline u_int32_t getTotalHostUnreachableNumFlowsAsServer() const { return(host_unreachable_flows_as_server); };
u_int32_t getTotalAlerts() const;
inline u_int32_t getNumFlowAlerts() const { return(num_flow_alerts); };
void luaNdpiStats(lua_State *vm);
void luaActiveFlowsBehaviour(lua_State *vm);
void luaScoreBehaviour(lua_State *vm);
void luaStats(lua_State* vm, NetworkInterface *iface, bool host_details, bool verbose, bool tsLua = false);
virtual u_int16_t getNumActiveContactsAsClient() { return 0; }
virtual u_int16_t getNumActiveContactsAsServer() { return 0; }
virtual void resetTopSitesData() {};
virtual void addContactedDomainName(char* domain_name) {}
virtual u_int32_t getDomainNamesCardinality() {return (u_int32_t)-1; }
virtual void resetDomainNamesCardinality() {}
inline void incSentStats(u_int num_pkts, u_int pkt_len) { sent_stats.incStats(num_pkts, pkt_len); };
inline void incRecvStats(u_int num_pkts, u_int pkt_len) { recv_stats.incStats(num_pkts, pkt_len); };
inline void incnDPIFlows(u_int16_t l7_protocol) { if(ndpiStats) ndpiStats->incFlowsStats(l7_protocol); };
inline void incrConsecutiveHighScore() { consecutive_high_score++; };
inline void resetConsecutiveHighScore() { consecutive_high_score = 0; };
inline u_int8_t getConsecutiveHighScore() { return(consecutive_high_score); };
inline u_int32_t getTotalNumFlowsAsClient() const { return(total_num_flows_as_client); };
inline u_int32_t getTotalNumFlowsAsServer() const { return(total_num_flows_as_server); };
inline u_int32_t getTotalActivityTime() const { return(total_activity_time); };
virtual void deserialize(json_object *obj) {}
virtual void incNumFlows(bool as_client) { if(as_client) total_num_flows_as_client++; else total_num_flows_as_server++; } ;
virtual bool hasAnomalies(time_t when) { return false; };
virtual void luaAnomalies(lua_State* vm, time_t when) {};
virtual void luaPeers(lua_State *vm) {};
virtual void lua(lua_State* vm, bool mask_host, DetailsLevel details_level);
void updateStats(const struct timeval *tv);
virtual void luaHostBehaviour(lua_State* vm);
void luaCountriesBehaviour(lua_State* vm);
#ifdef NTOPNG_PRO
inline void incQuotaEnforcementStats(time_t when, u_int16_t ndpi_proto,
u_int64_t sent_packets, u_int64_t sent_bytes,
u_int64_t rcvd_packets, u_int64_t rcvd_bytes) {
if(quota_enforcement_stats)
quota_enforcement_stats->incStats(when, ndpi_proto, sent_packets, sent_bytes, rcvd_packets, rcvd_bytes);
};
inline void incQuotaEnforcementCategoryStats(time_t when,
ndpi_protocol_category_t category_id,
u_int64_t sent_bytes, u_int64_t rcvd_bytes) {
if(quota_enforcement_stats)
quota_enforcement_stats->incCategoryStats(when, category_id, sent_bytes, rcvd_bytes);
}
inline void resetQuotaStats() { if(quota_enforcement_stats) quota_enforcement_stats->resetStats(); };
void allocateQuotaEnforcementStats();
void deleteQuotaEnforcementStats();
inline HostPoolStats* getQuotaEnforcementStats() { return(quota_enforcement_stats); }
#endif
virtual void luaHTTP(lua_State *vm) {}
virtual void luaDNS(lua_State *vm, bool verbose) {}
virtual void luaICMP(lua_State *vm, bool isV4, bool verbose) {}
virtual void incrVisitedWebSite(char *hostname) {}
virtual HTTPstats* getHTTPstats() { return(NULL); }
virtual DnsStats* getDNSstats() { return(NULL); }
virtual ICMPstats* getICMPstats() { return(NULL); }
virtual void incCliContactedPorts(u_int16_t port) { ; }
virtual void incSrvPortsContacts(u_int16_t port) { ; }
virtual void incContactedService(char *name) { ; }
virtual void incCliContactedHosts(IpAddress *peer) { ; }
virtual void incSrvHostContacts(IpAddress *peer) { ; }
virtual void incCountriesContacts(char *country) { ; }
virtual void resetCountriesContacts() { ; }
virtual u_int8_t getCountriesContactsCardinality() { return((u_int8_t)-1); }
virtual u_int32_t getNTPContactCardinality() { return((u_int32_t)-1); }
virtual u_int32_t getDNSContactCardinality() { return((u_int32_t)-1); }
virtual u_int32_t getSMTPContactCardinality() { return((u_int32_t)-1); }
virtual void incNTPContactCardinality(Host *h) { ; }
virtual void incDNSContactCardinality(Host *h) { ; }
virtual void incSMTPContactCardinality(Host *h) { ; }
inline bool has_flows_anomaly(bool as_client) { return(as_client ? client_flows_anomaly : server_flows_anomaly); }
inline u_int64_t value_flows_anomaly(bool as_client) { return(as_client ? active_flows_cli.getLastValue() : active_flows_srv.getLastValue()); }
inline u_int64_t lower_bound_flows_anomaly(bool as_client) { return(as_client ? active_flows_cli.getLastLowerBound() : active_flows_srv.getLastLowerBound()); }
inline u_int64_t upper_bound_flows_anomaly(bool as_client) { return(as_client ? active_flows_cli.getLastUpperBound() : active_flows_srv.getLastUpperBound()); }
inline bool has_score_anomaly(bool as_client) { return(as_client ? client_score_anomaly : server_score_anomaly); }
inline u_int64_t lower_bound_score_anomaly(bool as_client) { return(as_client ? score_cli.getLastLowerBound() : score_srv.getLastLowerBound()); }
inline u_int64_t upper_bound_score_anomaly(bool as_client) { return(as_client ? score_cli.getLastUpperBound() : score_srv.getLastUpperBound()); }
};
#endif
|
