Process plugins - Introduce NetBIOS process plugin

Author: Zainullin Damir

src/plugins/process/netbios/CMakeLists.txt

@@ -3,16 +3,21 @@ project(ipfixprobe-process-netbios VERSION 1.0.0 DESCRIPTION "ipfixprobe-process
 add_library(ipfixprobe-process-netbios MODULE
 	src/netbios.cpp
 	src/netbios.hpp
+	src/netbiosContext.hpp
+	src/netbiosFields.hpp
 )
 
 set_target_properties(ipfixprobe-process-netbios PROPERTIES
 	CXX_VISIBILITY_PRESET hidden
 	VISIBILITY_INLINES_HIDDEN YES
 )
 
-target_include_directories(ipfixprobe-process-netbios PRIVATE
+target_include_directories(ipfixprobe-process-netbios PRIVATE 
 	${CMAKE_SOURCE_DIR}/include/
+	${CMAKE_SOURCE_DIR}/include/ipfixprobe/processPlugin
+	${CMAKE_SOURCE_DIR}/include/ipfixprobe/pluginFactory
 	${CMAKE_SOURCE_DIR}/src/plugins/process/common
+	${adaptmon_SOURCE_DIR}/lib/include/public/
 )
 
 if(ENABLE_NEMEA)

src/plugins/process/netbios/README.md

@@ -0,0 +1,32 @@
+# NetBIOS Plugin
+
+This plugin provides in-depth analysis of NetBIOS traffic by capturing and exporting fields from NetBIOS packets.
+
+## Features
+
+- Extracts and exports NetBIOS name and suffix fields from NetBIOS packets.
+- Expects traffic to be on port 137.
+
+## Output Fields
+
+| Field Name  | Data Type | Description                              |
+| ----------- | --------- | ---------------------------------------- |
+| `NB_NAME`   | `string`  | NetBIOS name extracted from the packet   |
+| `NB_SUFFIX` | `char`    | NetBIOS suffix extracted from the packet |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - netbios
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+`ipfixprobe -p netbios ...`

src/plugins/process/netbios/src/netbios.cpp

@@ -5,23 +5,31 @@
  * @author Pavel Siska <[email protected]>
  * @date 2025
  *
- * Copyright (c) 2025 CESNET
+ * Provides a plugin that extracts NetBIOS suffix and name from packets,
+ * stores them in per-flow plugin data, and exposes fields via FieldManager.
  *
- * SPDX-License-Identifier: BSD-3-Clause
+ * @copyright Copyright (c) 2025 CESNET, z.s.p.o.
  */
 
 #include "netbios.hpp"
 
-#ifdef WITH_NEMEA
-#include <unirec/unirec.h>
-#endif
+#include "netbiosGetters.hpp"
 
+#include <cmath>
 #include <iostream>
 
-#include <ipfixprobe/pluginFactory/pluginManifest.hpp>
-#include <ipfixprobe/pluginFactory/pluginRegistrar.hpp>
+#include <dns-utils.hpp>
+#include <fieldGroup.hpp>
+#include <fieldManager.hpp>
+#include <flowRecord.hpp>
+#include <ipfixprobe/options.hpp>
+#include <pluginFactory.hpp>
+#include <pluginManifest.hpp>
+#include <pluginRegistrar.hpp>
+#include <utils/spanUtils.hpp>
+#include <utils/stringViewUtils.hpp>
 
-namespace ipxp {
+namespace ipxp::process::netbios {
 
 static const PluginManifest netbiosPluginManifest = {
 	.name = "netbios",
@@ -34,121 +42,95 @@ static const PluginManifest netbiosPluginManifest = {
 			parser.usage(std::cout);
 		},
 };
-NETBIOSPlugin::NETBIOSPlugin(const std::string& params, int pluginID)
-	: ProcessPlugin(pluginID)
-	, total_netbios_packets(0)
-{
-	init(params.c_str());
-}
 
-NETBIOSPlugin::~NETBIOSPlugin()
+static FieldGroup
+createNetBIOSSchema(FieldManager& fieldManager, FieldHandlers<NetBIOSFields>& fieldHandlers)
 {
-	close();
-}
+	FieldGroup schema = fieldManager.createFieldGroup("netbios");
 
-void NETBIOSPlugin::init(const char* params)
-{
-	(void) params;
-}
+	fieldHandlers.insert(
+		NetBIOSFields::NB_SUFFIX,
+		schema.addScalarField("NB_SUFFIX", getNBSuffixField));
 
-void NETBIOSPlugin::close() {}
+	fieldHandlers.insert(NetBIOSFields::NB_NAME, schema.addScalarField("NB_NAME", getNBNameField));
 
-ProcessPlugin* NETBIOSPlugin::copy()
-{
-	return new NETBIOSPlugin(*this);
+	return schema;
 }
 
-int NETBIOSPlugin::post_create(Flow& rec, const Packet& pkt)
+NetBIOSPlugin::NetBIOSPlugin([[maybe_unused]] const std::string& params, FieldManager& manager)
 {
-	if (pkt.dst_port == 137 || pkt.src_port == 137) {
-		return add_netbios_ext(rec, pkt);
-	}
-
-	return 0;
+	createNetBIOSSchema(manager, m_fieldHandlers);
 }
 
-int NETBIOSPlugin::post_update(Flow& rec, const Packet& pkt)
+OnInitResult NetBIOSPlugin::onInit(const FlowContext& flowContext, void* pluginContext)
 {
-	if (pkt.dst_port == 137 || pkt.src_port == 137) {
-		return add_netbios_ext(rec, pkt);
+	constexpr uint8_t NETBIOS_PORT = 137;
+	if (flowContext.flowRecord.flowKey.srcPort == NETBIOS_PORT
+		|| flowContext.flowRecord.flowKey.dstPort == NETBIOS_PORT) {
+		auto& netbiosContext = *std::construct_at(reinterpret_cast<NetBIOSContext*>(pluginContext));
+		parseNetBIOS(
+			flowContext.flowRecord,
+			getPayload(*flowContext.packetContext.packet),
+			netbiosContext);
+		return OnInitResult::ConstructedFinal;
 	}
 
-	return 0;
+	return OnInitResult::Irrelevant;
 }
 
-int NETBIOSPlugin::add_netbios_ext(Flow& rec, const Packet& pkt)
+constexpr static char compressCharPair(const char first, const char second)
 {
-	RecordExtNETBIOS* ext = new RecordExtNETBIOS(m_pluginID);
-	if (parse_nbns(ext, pkt)) {
-		total_netbios_packets++;
-		rec.add_extension(ext);
-	} else {
-		delete ext;
-	}
-
-	return 0;
+	return static_cast<char>(((first - 'A') << 4) | (second - 'A'));
 }
 
-bool NETBIOSPlugin::parse_nbns(RecordExtNETBIOS* rec, const Packet& pkt)
+void NetBIOSPlugin::parseNetBIOS(
+	FlowRecord& flowRecord,
+	std::span<const std::byte> payload,
+	NetBIOSContext& netbiosContext) noexcept
 {
-	const char* payload = reinterpret_cast<const char*>(pkt.payload);
-
-	int qry_cnt = get_query_count(payload, pkt.payload_len);
-	payload += sizeof(struct dns_hdr);
-	if (qry_cnt < 1) {
-		return false;
+	if (payload.size() < sizeof(dns_hdr) || !netbiosContext.name.empty()) {
+		return;
 	}
 
-	return store_first_query(payload, rec);
-}
-
-int NETBIOSPlugin::get_query_count(const char* payload, uint16_t payload_length)
-{
-	if (payload_length < sizeof(struct dns_hdr)) {
-		return -1;
+	const std::size_t queryCount
+		= reinterpret_cast<const dns_hdr*>(payload.data())->question_rec_cnt;
+	if (queryCount == 0) {
+		return;
 	}
 
-	struct dns_hdr* hdr = (struct dns_hdr*) payload;
-	return ntohs(hdr->question_rec_cnt);
-}
-
-bool NETBIOSPlugin::store_first_query(const char* payload, RecordExtNETBIOS* rec)
-{
-	uint8_t nb_name_length = *payload++;
-	if (nb_name_length != 32) {
-		return false;
+	const uint8_t nameLength = *reinterpret_cast<const uint8_t*>(payload.data() + sizeof(dns_hdr));
+	constexpr std::size_t VALID_NB_NAME_LENGTH = 32;
+	if (nameLength != VALID_NB_NAME_LENGTH) {
+		return;
 	}
 
-	rec->netbios_name = "";
-	for (int i = 0; i < nb_name_length; i += 2, payload += 2) {
-		if (i != 30) {
-			rec->netbios_name += compress_nbns_name_char(payload);
-		} else {
-			rec->netbios_suffix = get_nbns_suffix(payload);
-		}
+	auto nameIt = reinterpret_cast<const std::pair<char, char>*>(payload.data());
+	for (; reinterpret_cast<const std::byte*>(nameIt) != payload.data() + payload.size() - 2;
+		 nameIt++) {
+		netbiosContext.name.push_back(compressCharPair(nameIt->first, nameIt->second));
 	}
-	return true;
-}
+	m_fieldHandlers[NetBIOSFields::NB_NAME].setAsAvailable(flowRecord);
 
-char NETBIOSPlugin::compress_nbns_name_char(const char* uncompressed)
-{
-	return (((uncompressed[0] - 'A') << 4) | (uncompressed[1] - 'A'));
+	netbiosContext.suffix = compressCharPair(nameIt->first, nameIt->second);
+	m_fieldHandlers[NetBIOSFields::NB_SUFFIX].setAsAvailable(flowRecord);
 }
 
-uint8_t NETBIOSPlugin::get_nbns_suffix(const char* uncompressed)
+void NetBIOSPlugin::onDestroy(void* pluginContext) noexcept
 {
-	return compress_nbns_name_char(uncompressed);
+	std::destroy_at(reinterpret_cast<NetBIOSContext*>(pluginContext));
 }
 
-void NETBIOSPlugin::finish(bool print_stats)
+PluginDataMemoryLayout NetBIOSPlugin::getDataMemoryLayout() const noexcept
 {
-	if (print_stats) {
-		std::cout << "NETBIOS plugin stats:" << std::endl;
-		std::cout << "   Parsed NBNS packets in total: " << total_netbios_packets << std::endl;
-	}
+	return {
+		.size = sizeof(NetBIOSContext),
+		.alignment = alignof(NetBIOSContext),
+	};
 }
 
-static const PluginRegistrar<NETBIOSPlugin, ProcessPluginFactory>
+static const PluginRegistrar<
+	NetBIOSPlugin,
+	PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
 	netbiosRegistrar(netbiosPluginManifest);
 
-} // namespace ipxp
+} // namespace ipxp::process::netbios