capture 1.2.0
这是一个基于 PcapPlusPlus、PF_RING 和 ClickHouse 构建的高性能网络流量分析系统,专注于实时流量捕获、解析与存储。
Loading...
Searching...
No Matches
flowUniAttr.h
Go to the documentation of this file.
1
10
11#pragma once
12
13#include <vector>
14#include <unordered_map>
15#include <functional>
16#include <sstream>
17#include "TcpLayer.h"
18#include <UdpLayer.h>
19#include "IPv4Layer.h"
20#include "PayloadLayer.h"
21#include "PacketUtils.h"
22#include "SystemUtils.h"
23#include <ctime>
24#include<fstream>
25#include <headers/unifiedPacketAttr.h>
26
32#define MAX_SIZE_PAC_LEN 100
33
41struct flowUniAttr
42{
43 // 流标识信息
44 uint32_t hash_val;
45 std::string src_ip;
46 std::string dst_ip;
47 uint16_t protocol;
48 uint16_t src_port;
49 uint16_t dst_port;
50 size_t packet_count = 0;
51
52 // 通用包属性(按包到达顺序排列的序列)
53 std::vector<uint32_t> packet_len;
54 std::vector<uint32_t> tv_sec;
55 std::vector<uint32_t> tv_nsec;
56
57 // IPv4层属性
58 std::vector<uint16_t> ttl;
59 std::vector<uint16_t> tos;
60 std::vector<uint16_t> id;
61 std::vector<uint16_t> offset;
62 std::vector<uint16_t> protocol_ip;
63
64 // 传输层通用属性
65 std::vector<uint16_t> len_load;
66 std::vector<uint32_t> ack_num;
67 std::vector<uint32_t> seq_num;
68
69 // TCP特定属性
70 std::vector<uint16_t> flag;
71 std::vector<uint16_t> window;
72
73 // UDP特定属性
74 std::vector<uint16_t> len_udp;
75
76 // ICMP特定属性
77 std::vector<uint16_t> icmp_type;
78 std::vector<uint16_t> icmp_code;
79
85 void clear()
86 {
87 // TODO: 实现清空所有向量并重置计数器
88 }
89
95 void resize()
96 {
97 // TODO: 截断长度超过MAX_SIZE_PAC_LEN的数组并用零填充
98 }
99};
100
108template<typename T>
109void sequence_to_csv(const std::vector<T>& seq, std::ofstream& outputF) {
110 for (const auto& val : seq) {
111 outputF << val << ',';
112 }
113}
114
121class operator_UniAttr
122{
123 private:
128 std::unordered_map<uint32_t, flowUniAttr> m_FlowTable;
129
130 public:
135 long long packet_count = 0;
136
144 void handle_packet(pcpp::Packet* packet)
145 {
146 // 根据包的五元组计算会话ID
147 packet_count++;
148 unifiedPacketAttr packet_attr(packet); // 解析包以获取统一属性
149
150 uint32_t hashVal = packet_attr.hash_val;
151 if (m_FlowTable.find(hashVal) == m_FlowTable.end()) // 新会话 - 流的第一个包
152 {
153 m_FlowTable[hashVal].clear();
154
155 // 用五元组信息初始化流
156 m_FlowTable[hashVal].hash_val = hashVal;
157 m_FlowTable[hashVal].src_ip = packet_attr.src_ip ;
158 m_FlowTable[hashVal].dst_ip = packet_attr.dst_ip;
159 m_FlowTable[hashVal].src_port = packet_attr.src_port;
160 m_FlowTable[hashVal].dst_port = packet_attr.dst_port;
161 m_FlowTable[hashVal].protocol = packet_attr.protocol;
162 }
163
164 // 如果流已达到最大包数,则跳过处理
165 if (m_FlowTable[hashVal].packet_count >= MAX_SIZE_PAC_LEN)
166 {
167 return;
168 }
169
170 // 用包属性更新流统计信息
171 m_FlowTable[hashVal].packet_count++;
172
173 m_FlowTable[hashVal].packet_len.push_back(packet_attr.packet_len);
174 m_FlowTable[hashVal].tv_sec.push_back(packet_attr.tv_sec);
175 m_FlowTable[hashVal].tv_nsec.push_back(packet_attr.tv_nsec);
176 m_FlowTable[hashVal].ttl.push_back(packet_attr.ttl);
177 m_FlowTable[hashVal].tos.push_back(packet_attr.tos);
178 m_FlowTable[hashVal].id.push_back(packet_attr.id);
179 m_FlowTable[hashVal].offset.push_back(packet_attr.offset);
180 m_FlowTable[hashVal].protocol_ip.push_back(packet_attr.protocol_ip);
181 m_FlowTable[hashVal].len_load.push_back(packet_attr.len_load);
182 m_FlowTable[hashVal].ack_num.push_back(packet_attr.ack_num);
183 m_FlowTable[hashVal].seq_num.push_back(packet_attr.seq_num);
184 m_FlowTable[hashVal].flag.push_back(packet_attr.flag);
185 m_FlowTable[hashVal].window.push_back(packet_attr.window);
186 m_FlowTable[hashVal].len_udp.push_back(packet_attr.len_udp);
187 m_FlowTable[hashVal].icmp_type.push_back(packet_attr.icmp_type);
188 m_FlowTable[hashVal].icmp_code.push_back(packet_attr.icmp_code);
189 }
190
199 void to_csv(std::ofstream& outputFile, const std::string& tag)
200 {
201 // 收集满足最小包数要求的流
202 std::vector<flowUniAttr> attr_l;
203
204 for (auto& pair : m_FlowTable) {
205 if (pair.second.packet_count >= MAX_SIZE_PAC_LEN) // 过滤掉非常短的流
206 {
207 pair.second.resize();
208 attr_l.push_back(pair.second);
209 }
210 }
211
212 // 将每个符合条件的流写入CSV
213 for (const auto& item : attr_l) {
214 // 写入哈希值和五元组
215 outputFile << item.hash_val << ',';
216 outputFile << item.src_ip << ',';
217 outputFile << item.dst_ip << ',';
218 outputFile << item.src_port << ',';
219 outputFile << item.dst_port << ',';
220 outputFile << item.protocol << ',';
221
222 // 写入所有属性序列
223 sequence_to_csv(item.packet_len, outputFile);
224 sequence_to_csv(item.tv_sec, outputFile);
225 sequence_to_csv(item.tv_nsec, outputFile);
226 sequence_to_csv(item.ttl, outputFile);
227 sequence_to_csv(item.tos, outputFile);
228 sequence_to_csv(item.id, outputFile);
229 sequence_to_csv(item.offset, outputFile);
230 sequence_to_csv(item.protocol_ip, outputFile);
231 sequence_to_csv(item.len_load, outputFile);
232 sequence_to_csv(item.ack_num, outputFile);
233 sequence_to_csv(item.seq_num, outputFile);
234 sequence_to_csv(item.flag, outputFile);
235 sequence_to_csv(item.window, outputFile);
236 sequence_to_csv(item.len_udp, outputFile);
237 sequence_to_csv(item.icmp_type, outputFile);
238 sequence_to_csv(item.icmp_code, outputFile);
239 outputFile << tag << '\n'; // 每行以标签和换行符结束
240 }
241 }
242};
operator_UniAttr
处理网络包并提取流级属性的类
Definition flowUniAttr.h:122
operator_UniAttr::m_FlowTable
std::unordered_map< uint32_t, flowUniAttr > m_FlowTable
将流哈希值映射到流属性的哈希表
Definition flowUniAttr.h:128
operator_UniAttr::handle_packet
void handle_packet(pcpp::Packet *packet)
处理单个网络包
Definition flowUniAttr.h:144
operator_UniAttr::packet_count
long long packet_count
此操作器处理的总包数
Definition flowUniAttr.h:135
operator_UniAttr::to_csv
void to_csv(std::ofstream &outputFile, const std::string &tag)
将流数据导出为CSV格式
Definition flowUniAttr.h:199
unifiedPacketAttr
包统一属性基类,表征了IPv4的IP到传输层大多数有用的属性
Definition unifiedPacketAttr.h:46
unifiedPacketAttr::len_load
uint16_t len_load
负载长度
Definition unifiedPacketAttr.h:67
unifiedPacketAttr::protocol
uint8_t protocol
传输层协议类型:TCP=0, UDP=1, ICMP=2
Definition unifiedPacketAttr.h:66
unifiedPacketAttr::icmp_type
uint8_t icmp_type
ICMP类型
Definition unifiedPacketAttr.h:81
unifiedPacketAttr::ack_num
uint32_t ack_num
确认号(UDP无此字段)
Definition unifiedPacketAttr.h:70
unifiedPacketAttr::src_port
uint16_t src_port
源端口(ICMP无此字段)
Definition unifiedPacketAttr.h:68
unifiedPacketAttr::protocol_ip
uint8_t protocol_ip
IP协议类型字段
Definition unifiedPacketAttr.h:63
unifiedPacketAttr::icmp_code
uint8_t icmp_code
ICMP代码
Definition unifiedPacketAttr.h:82
unifiedPacketAttr::tv_sec
uint32_t tv_sec
时间戳(秒)
Definition unifiedPacketAttr.h:51
unifiedPacketAttr::dst_port
uint16_t dst_port
目的端口(ICMP无此字段)
Definition unifiedPacketAttr.h:69
unifiedPacketAttr::packet_len
uint32_t packet_len
包长度
Definition unifiedPacketAttr.h:50
unifiedPacketAttr::tos
uint8_t tos
服务类型(Type of Service)
Definition unifiedPacketAttr.h:58
unifiedPacketAttr::ttl
uint8_t ttl
生存时间(Time To Live)
Definition unifiedPacketAttr.h:57
unifiedPacketAttr::len_udp
uint16_t len_udp
UDP长度字段
Definition unifiedPacketAttr.h:78
unifiedPacketAttr::flag
uint16_t flag
TCP标志位
Definition unifiedPacketAttr.h:74
unifiedPacketAttr::dst_ip
std::string dst_ip
目的IP地址
Definition unifiedPacketAttr.h:54
unifiedPacketAttr::window
uint16_t window
TCP窗口大小
Definition unifiedPacketAttr.h:75
unifiedPacketAttr::src_ip
std::string src_ip
源IP地址
Definition unifiedPacketAttr.h:53
unifiedPacketAttr::tv_nsec
uint32_t tv_nsec
时间戳(纳秒)
Definition unifiedPacketAttr.h:52
unifiedPacketAttr::seq_num
uint32_t seq_num
序列号(UDP无此字段)
Definition unifiedPacketAttr.h:71
unifiedPacketAttr::id
uint16_t id
IP标识字段
Definition unifiedPacketAttr.h:59
unifiedPacketAttr::hash_val
uint32_t hash_val
五元组计算的流ID
Definition unifiedPacketAttr.h:49
unifiedPacketAttr::offset
uint16_t offset
片偏移字段
Definition unifiedPacketAttr.h:60
sequence_to_csv
void sequence_to_csv(const std::vector< T > &seq, std::ofstream &outputF)
将向量序列转换为CSV格式的模板函数
Definition flowUniAttr.h:109
MAX_SIZE_PAC_LEN
#define MAX_SIZE_PAC_LEN
每个流会话的最大包数
Definition flowUniAttr.h:32
flowUniAttr
存储网络流统一属性的结构体
Definition flowUniAttr.h:42
flowUniAttr::len_load
std::vector< uint16_t > len_load
负载长度序列
Definition flowUniAttr.h:65
flowUniAttr::icmp_type
std::vector< uint16_t > icmp_type
ICMP类型值序列
Definition flowUniAttr.h:77
flowUniAttr::src_port
uint16_t src_port
源端口号(ICMP不适用)
Definition flowUniAttr.h:48
flowUniAttr::src_ip
std::string src_ip
源IP地址
Definition flowUniAttr.h:45
flowUniAttr::tv_sec
std::vector< uint32_t > tv_sec
时间戳秒数序列
Definition flowUniAttr.h:54
flowUniAttr::seq_num
std::vector< uint32_t > seq_num
序列号序列(仅TCP)
Definition flowUniAttr.h:67
flowUniAttr::dst_ip
std::string dst_ip
目标IP地址
Definition flowUniAttr.h:46
flowUniAttr::ttl
std::vector< uint16_t > ttl
生存时间值序列
Definition flowUniAttr.h:58
flowUniAttr::id
std::vector< uint16_t > id
IP标识值序列
Definition flowUniAttr.h:60
flowUniAttr::protocol
uint16_t protocol
传输层协议类型(TCP=0, UDP=1, ICMP=2)
Definition flowUniAttr.h:47
flowUniAttr::flag
std::vector< uint16_t > flag
TCP标志值序列
Definition flowUniAttr.h:70
flowUniAttr::icmp_code
std::vector< uint16_t > icmp_code
ICMP代码值序列
Definition flowUniAttr.h:78
flowUniAttr::tos
std::vector< uint16_t > tos
服务类型值序列
Definition flowUniAttr.h:59
flowUniAttr::hash_val
uint32_t hash_val
流标识的哈希值
Definition flowUniAttr.h:44
flowUniAttr::packet_len
std::vector< uint32_t > packet_len
包长度序列
Definition flowUniAttr.h:53
flowUniAttr::len_udp
std::vector< uint16_t > len_udp
UDP长度值序列
Definition flowUniAttr.h:74
flowUniAttr::ack_num
std::vector< uint32_t > ack_num
确认号序列(仅TCP)
Definition flowUniAttr.h:66
flowUniAttr::tv_nsec
std::vector< uint32_t > tv_nsec
时间戳纳秒数序列
Definition flowUniAttr.h:55
flowUniAttr::packet_count
size_t packet_count
此流中的包数量
Definition flowUniAttr.h:50
flowUniAttr::dst_port
uint16_t dst_port
目标端口号(ICMP不适用)
Definition flowUniAttr.h:49
flowUniAttr::window
std::vector< uint16_t > window
TCP窗口大小序列
Definition flowUniAttr.h:71
flowUniAttr::clear
void clear()
清空所有流数据
Definition flowUniAttr.h:85
flowUniAttr::resize
void resize()
调整流数据数组大小
Definition flowUniAttr.h:95
flowUniAttr::offset
std::vector< uint16_t > offset
片偏移值序列
Definition flowUniAttr.h:61
flowUniAttr::protocol_ip
std::vector< uint16_t > protocol_ip
IP协议值序列
Definition flowUniAttr.h:62
unifiedPacketAttr.h
统一包属性类