fdsdump: printer: define flow printer components

Author: Lukas Hutak

src/tools/fdsdump/src/jsonPrinter.cpp

@@ -0,0 +1,52 @@
+
+#pragma once
+
+#include <string>
+
+#include "field.hpp"
+#include "printer.hpp"
+
+class JsonPrinter : public Printer {
+public:
+    JsonPrinter(const shared_iemgr &iemgr, const std::string &args);
+
+    virtual
+    ~JsonPrinter();
+
+    virtual void
+    print_prologue() override;
+
+    virtual unsigned int
+    print_record(Flow *flow) override;
+
+    virtual void
+    print_epilogue() override;
+
+private:
+    void parse_fields(const std::string &str, const shared_iemgr &iemgr);
+    void parse_opts(const std::string &str);
+
+    void print_record(struct fds_drec *rec, bool reverse);
+
+    void append_value(struct fds_drec *rec, Field &field, bool reverse);
+    void append_value(const struct fds_drec_field &field);
+
+    void append_octet_array(const fds_drec_field &field);
+    void append_uint(const fds_drec_field &field);
+    void append_int(const fds_drec_field &field);
+    void append_float(const fds_drec_field &field);
+    void append_boolean(const fds_drec_field &field);
+    void append_timestamp(const fds_drec_field &field);
+    void append_string(const fds_drec_field &field);
+    void append_mac(const fds_drec_field &field);
+    void append_ip(const fds_drec_field &field);
+
+    void append_null();
+    void append_invalid();
+    void append_unsupported();
+
+    std::vector<Field> m_fields;
+    std::string m_buffer;
+    unsigned int m_rec_printed = 0;
+    bool m_biflow_split = true;
+};

src/tools/fdsdump/src/jsonPrinter.hpp

@@ -0,0 +1,95 @@
+
+#include <cstdlib>
+#include <iostream>
+#include <string>
+#include <stdexcept>
+#include <vector>
+
+#include "common.hpp"
+#include "jsonRawPrinter.hpp"
+
+JsonRawPrinter::JsonRawPrinter(const shared_iemgr &iemgr, const std::string &args)
+{
+    const std::vector<std::string> args_vec = string_split(args, ",");
+
+    m_iemgr = iemgr;
+
+    if (args.empty()) {
+        return;
+    }
+
+    for (const std::string &arg_raw : args_vec) {
+        const std::string arg = string_trim_copy(arg_raw);
+
+        if (strcasecmp(arg.c_str(), "biflow-split") == 0) {
+            m_biflow_split = true;
+        } else if (strcasecmp(arg.c_str(), "hide-reverse") == 0) {
+            m_biflow_hide_reverse = true;
+        } else {
+            throw std::invalid_argument("JSON output: unknown option '" + arg + "'");
+        }
+    }
+
+    if (m_biflow_hide_reverse && !m_biflow_split) {
+        throw std::invalid_argument(
+            "JSON output: reverse field hidding requires enabled biflow splitting");
+    }
+}
+
+JsonRawPrinter::~JsonRawPrinter()
+{
+    if (m_buffer) {
+        free(m_buffer);
+    }
+}
+
+void
+JsonRawPrinter::print_record(struct fds_drec *rec, uint32_t flags)
+{
+    const uint32_t base_flags =
+        FDS_CD2J_ALLOW_REALLOC | FDS_CD2J_OCTETS_NOINT | FDS_CD2J_TS_FORMAT_MSEC;
+    int ret;
+
+    flags |= base_flags;
+
+    ret = fds_drec2json(rec, flags, m_iemgr.get(), &m_buffer, &m_buffer_size);
+    if (ret < 0) {
+        throw std::runtime_error("JSON conversion failed: " + std::to_string(ret));
+    }
+
+    std::cout << m_buffer << "\n";
+}
+
+unsigned int
+JsonRawPrinter::print_record(Flow *flow)
+{
+    uint32_t flags = 0;
+    int printed = 0;
+    int ret;
+
+    if (m_biflow_hide_reverse) {
+        flags |= FDS_CD2J_REVERSE_SKIP;
+    }
+
+    switch (flow->dir) {
+    case DIRECTION_NONE:
+        return 0;
+    case DIRECTION_FWD:
+        print_record(&flow->rec, flags);
+        return 1;
+    case DIRECTION_REV:
+        print_record(&flow->rec, flags | FDS_CD2J_BIFLOW_REVERSE);
+        return 1;
+    case DIRECTION_BOTH:
+        if (m_biflow_split) {
+            print_record(&flow->rec, flags);
+            print_record(&flow->rec, flags | FDS_CD2J_BIFLOW_REVERSE);
+            return 2;
+        } else {
+            print_record(&flow->rec, flags);
+            return 1;
+        }
+    }
+
+    return 0;
+}

src/tools/fdsdump/src/jsonRawPrinter.cpp

@@ -0,0 +1,33 @@
+
+#pragma once
+
+#include <string>
+
+#include "printer.hpp"
+
+class JsonRawPrinter : public Printer {
+public:
+    JsonRawPrinter(const shared_iemgr &iemgr, const std::string &args);
+
+    virtual
+    ~JsonRawPrinter();
+
+    virtual void
+    print_prologue() override {};
+
+    virtual unsigned int
+    print_record(Flow *flow) override;
+
+    virtual void
+    print_epilogue() override {};
+
+private:
+    void print_record(struct fds_drec *rec, uint32_t flags);
+
+    shared_iemgr m_iemgr {};
+    char *m_buffer = nullptr;
+    size_t m_buffer_size = 0;
+
+    bool m_biflow_split = false;
+    bool m_biflow_hide_reverse = false;
+};

src/tools/fdsdump/src/jsonRawPrinter.hpp

@@ -0,0 +1,56 @@
+
+#include <algorithm>
+#include <cassert>
+#include <functional>
+#include <stdexcept>
+#include <vector>
+
+#include "common.hpp"
+#include "printer.hpp"
+#include "jsonPrinter.hpp"
+#include "jsonRawPrinter.hpp"
+#include "tablePrinter.hpp"
+
+struct PrinterFactory {
+    const char *name;
+    std::function<Printer *(const shared_iemgr &iemgr, const std::string &)> create_fn;
+};
+
+static const std::vector<struct PrinterFactory> g_printers {
+    {"json", [](const shared_iemgr &iemgr, const std::string &args) {
+        return new JsonPrinter(iemgr, args); }
+    },
+    {"json-raw",  [](const shared_iemgr &iemgr, const std::string &args) {
+        return new JsonRawPrinter(iemgr, args); }
+    },
+    {"table", [](const shared_iemgr &iemgr, const std::string &args){
+        return new TablePrinter(iemgr, args); }
+    },
+};
+
+std::unique_ptr<Printer>
+printer_factory(const shared_iemgr &iemgr, const std::string &manual)
+{
+    std::string type;
+    std::string args;
+    size_t delim_pos;
+
+    delim_pos = manual.find(':');
+    type = manual.substr(0, delim_pos);
+    args = (delim_pos != std::string::npos)
+        ? manual.substr(delim_pos + 1, std::string::npos)
+        : "";
+
+    // Convert type to lower case
+    std::for_each(type.begin(), type.end(), [](char &c) { c = std::tolower(c); });
+
+    for (const auto &it : g_printers) {
+        if (type != it.name) {
+            continue;
+        }
+
+        return std::unique_ptr<Printer>(it.create_fn(iemgr, args));
+    }
+
+    throw std::invalid_argument("Unsupported output type '" + type + "'");
+}

src/tools/fdsdump/src/printer.cpp

@@ -0,0 +1,33 @@
+
+#pragma once
+
+#include <functional>
+#include <memory>
+#include <string>
+
+#include <libfds.h>
+
+#include "common.hpp"
+#include "flow.hpp"
+
+/**
+ * @brief Interface of an output printer for flow records.
+ *
+ */
+class Printer {
+public:
+    virtual
+    ~Printer() {};
+
+    virtual void
+    print_prologue() = 0;
+
+    virtual unsigned int
+    print_record(Flow *flow) = 0;
+
+    virtual void
+    print_epilogue() = 0;
+};
+
+std::unique_ptr<Printer>
+printer_factory(const shared_iemgr &iemgr, const std::string &manual);