Merge pull request #161 from CESNET/nettisa

Introduce Nettisa plugin

Author: SiskaPavel

Makefile.am

@@ -128,7 +128,9 @@ ipfixprobe_process_src=\
 		process/ssadetector.hpp \
 		process/ssadetector.cpp \
 		process/icmp.hpp \
-		process/icmp.cpp
+		process/icmp.cpp \
+		process/nettisa.hpp \
+		process/nettisa.cpp
 
 if WITH_QUIC
 ipfixprobe_process_src+=\

README.md

@@ -239,6 +239,25 @@ Fields without `_REV` suffix are fields from source flow. Fields with `_REV` are
 | TCP_MSS_REV  | uint32 | TCP maximum segment size    |
 | TCP_SYN_SIZE | uint16 | TCP SYN packet size         |
 
+### NetTiSA
+List of unirec fields exported together with NetTiSA flow fields on interface by nettisa plugin.
+
+| Output field | Type   | Description                 |
+|:------------:|:------:|:---------------------------:|
+| NTS_MEAN               | float   |  The mean of the payload lengths of packets                                   |
+| NTS_MIN                | uint16   |  Minimal value from all packet payload lengths                |
+| NTS_MAX                | uint16   |  Maximum value from all packet payload lengths                    |
+| NTS_STDEV              | float   |  Represents a switching ratio between different values of the sequence of observation.                    |
+| NTS_KURTOSIS           | float  |  The standard deviation is measure of the variation of data from the mean.             |
+| NTS_ROOT_MEAN_SQUARE   | float  |  The measure of the magnitude of payload lengths of packets.             |
+| NTS_AVERAGE_DISPERSION | float  |  The average absolute difference between each payload length of packet and the mean value.        |
+| NTS_MEAN_SCALED_TIME   | float  |  The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution.   |
+| NTS_MEAN_DIFFTIMES     | float  | The scaled times is defined as sequence $\{st\} = \{ t_1 - t_1, t_2 - t_1, \dots, t_n - t_1 \}$. We compute the mean of the value with same method as for feature \textit{Mean}.     |
+| NTS_MIN_DIFFTIMES      | float  | The time differences is defined as sequence $ \{dt\} = \{ t_j - t_i \| j = i + 1, i \in \{1, 2, \dots, n - 1\}\}$. We compute the mean of the value with same method as for feature \textit{Mean}.     |
+| NTS_MAX_DIFFTIMES      | float  | Minimal value from all time differences, i.e., min space between packets.          |
+| NTS_TIME_DISTRIBUTION  | float  | Maximum value from all time differences, i.e., max space between packets.          |
+| NTS_SWITCHING_RATIO    | float  | Describes the distribution of time differences between individual packets.          |
+
 ### HTTP
 List of unirec fields exported together with basic flow fields on interface by HTTP plugin.
 

include/ipfixprobe/byte-utils.hpp

@@ -31,8 +31,9 @@
 #ifndef IPXP_BYTE_UTILS_HPP
 #define IPXP_BYTE_UTILS_HPP
 
-#include <stdint.h>
+#include <arpa/inet.h>
 #include <endian.h>
+#include <stdint.h>
 
 namespace ipxp {
 
@@ -44,21 +45,29 @@ namespace ipxp {
 #if defined(__BYTE_ORDER) && __BYTE_ORDER == __BIG_ENDIAN
 static inline uint64_t swap_uint64(uint64_t value)
 {
-   return value;
+    return value;
 }
 #elif defined(__BYTE_ORDER) && __BYTE_ORDER == __LITTLE_ENDIAN
 static inline uint64_t swap_uint64(uint64_t value)
 {
-   value = ((value << 8) & 0xFF00FF00FF00FF00ULL ) | ((value >> 8) & 0x00FF00FF00FF00FFULL );
-   value = ((value << 16) & 0xFFFF0000FFFF0000ULL ) | ((value >> 16) & 0x0000FFFF0000FFFFULL );
-   return (value << 32) | (value >> 32);
+    value = ((value << 8) & 0xFF00FF00FF00FF00ULL) | ((value >> 8) & 0x00FF00FF00FF00FFULL);
+    value = ((value << 16) & 0xFFFF0000FFFF0000ULL) | ((value >> 16) & 0x0000FFFF0000FFFFULL);
+    return (value << 32) | (value >> 32);
 }
-# else
-#  error  "Please fix <endian.h>"
-# endif
+#else
+#error "Please fix <endian.h>"
+#endif
 
-void phton64(uint8_t *p, uint64_t v);
-uint64_t pntoh64(const void *p);
+void phton64(uint8_t* p, uint64_t v);
+uint64_t pntoh64(const void* p);
+
+/**
+ * \brief Swaps byte order of float value.
+ * @param value Value to swap
+ * @return Swapped value
+ */
+uint32_t htonf(float value);
+
+} // namespace ipxp
 
-}
 #endif /* IPXP_BYTE_UTILS_HPP */

include/ipfixprobe/ipfix-elements.hpp

@@ -260,6 +260,21 @@ namespace ipxp {
 #define WG_SRC_PEER(F)                F(8057,    1101,   4,   nullptr)
 #define WG_DST_PEER(F)                F(8057,    1102,   4,   nullptr)
 
+#define NTS_MEAN(F)                   F(8057,    1020,  4,    nullptr)
+#define NTS_MIN(F)                    F(8057,    1021,  2,    nullptr)
+#define NTS_MAX(F)                    F(8057,    1022,  2,    nullptr)
+#define NTS_STDEV(F)                  F(8057,    1023,  4,    nullptr)
+#define NTS_KURTOSIS(F)               F(8057,    1024,  4,    nullptr)
+#define NTS_ROOT_MEAN_SQUARE(F)       F(8057,    1025,  4,    nullptr)
+#define NTS_AVERAGE_DISPERSION(F)     F(8057,    1026,  4,    nullptr)
+#define NTS_MEAN_SCALED_TIME(F)       F(8057,    1027,  4,    nullptr)
+#define NTS_MEAN_DIFFTIMES(F)         F(8057,    1028,  4,    nullptr)
+#define NTS_MIN_DIFFTIMES(F)          F(8057,    1029,  4,    nullptr)
+#define NTS_MAX_DIFFTIMES(F)          F(8057,    1030,  4,    nullptr)
+#define NTS_TIME_DISTRIBUTION(F)      F(8057,    1031,  4,    nullptr)
+#define NTS_SWITCHING_RATIO(F)        F(8057,    1032,  4,    nullptr)
+
+
 /**
  * IPFIX Templates - list of elements
  *
@@ -494,6 +509,21 @@ namespace ipxp {
 #define IPFIX_ICMP_TEMPLATE(F) \
    F(L4_ICMP_TYPE_CODE)
 
+#define IPFIX_NETTISA_TEMPLATE(F) \
+  F(NTS_MEAN) \
+  F(NTS_MIN) \
+  F(NTS_MAX) \
+  F(NTS_STDEV) \
+  F(NTS_KURTOSIS) \
+  F(NTS_ROOT_MEAN_SQUARE) \
+  F(NTS_AVERAGE_DISPERSION) \
+  F(NTS_MEAN_SCALED_TIME) \
+  F(NTS_MEAN_DIFFTIMES) \
+  F(NTS_MIN_DIFFTIMES) \
+  F(NTS_MAX_DIFFTIMES) \
+  F(NTS_TIME_DISTRIBUTION) \
+  F(NTS_SWITCHING_RATIO)
+  
 #ifdef WITH_FLEXPROBE
 #define IPFIX_FLEXPROBE_DATA_TEMPLATE(F) F(FX_FRAME_SIGNATURE) F(FX_INPUT_INTERFACE)
 #define IPFIX_FLEXPROBE_TCP_TEMPLATE(F) F(FX_TCP_TRACKING)
@@ -537,7 +567,8 @@ namespace ipxp {
    IPFIX_FLEXPROBE_TCP_TEMPLATE(F) \
    IPFIX_FLEXPROBE_ENCR_TEMPLATE(F) \
    IPFIX_SSADETECTOR_TEMPLATE(F) \
-   IPFIX_ICMP_TEMPLATE(F)
+   IPFIX_ICMP_TEMPLATE(F) \
+   IPFIX_NETTISA_TEMPLATE(F)
 
 /**
  * Helper macro, convert FIELD into its name as a C literal.

process/nettisa.cpp

@@ -0,0 +1,111 @@
+/**
+ * \file nettisa.cpp
+ * \brief Plugin for creating NetTiSA flow.
+ * \author Josef Koumar [email protected]
+ * \date 2023
+ */
+
+#include "nettisa.hpp"
+
+#include <cmath>
+#include <iostream>
+
+namespace ipxp {
+
+int RecordExtNETTISA::REGISTERED_ID = -1;
+
+__attribute__((constructor)) static void register_this_plugin()
+{
+    static PluginRecord rec = PluginRecord("nettisa", []() { return new NETTISAPlugin(); });
+    register_plugin(&rec);
+    RecordExtNETTISA::REGISTERED_ID = register_extension();
+}
+
+NETTISAPlugin::NETTISAPlugin() {}
+
+NETTISAPlugin::~NETTISAPlugin() {}
+
+void NETTISAPlugin::init(const char* params) {}
+
+void NETTISAPlugin::close() {}
+
+ProcessPlugin* NETTISAPlugin::copy()
+{
+    return new NETTISAPlugin(*this);
+}
+
+void NETTISAPlugin::update_record(
+    RecordExtNETTISA* nettisa_data,
+    const Packet& pkt,
+    const Flow& rec)
+{
+    float variation_from_mean = pkt.payload_len_wire - nettisa_data->mean;
+    uint32_t n = rec.dst_packets + rec.src_packets;
+    long diff_time = pkt.ts.tv_usec - nettisa_data->prev_time;
+    nettisa_data->prev_time = pkt.ts.tv_usec;
+    // MEAN
+    nettisa_data->mean += (variation_from_mean) / n;
+    // MIN
+    nettisa_data->min = std::min(nettisa_data->min, pkt.payload_len_wire);
+    // MAX
+    nettisa_data->max = std::max(nettisa_data->max, pkt.payload_len_wire);
+    // ROOT MEAN SQUARE
+    nettisa_data->root_mean_square += pow(pkt.payload_len_wire, 2);
+    // AVERAGE DISPERSION
+    nettisa_data->average_dispersion += abs(variation_from_mean);
+    // KURTOSIS
+    nettisa_data->kurtosis += pow(variation_from_mean, 4);
+    // MEAN SCALED TIME
+    nettisa_data->mean_scaled_time
+        += (pkt.ts.tv_usec - rec.time_first.tv_usec - nettisa_data->mean_scaled_time) / n;
+    // MEAN TIME DIFFERENCES
+    nettisa_data->mean_difftimes += (diff_time - nettisa_data->mean_difftimes) / n;
+    // MIN
+    nettisa_data->min_difftimes = fmin(nettisa_data->min_difftimes, diff_time);
+    // MAX
+    nettisa_data->max_difftimes = fmax(nettisa_data->max_difftimes, diff_time);
+    // TIME DISTRIBUTION
+    nettisa_data->time_distribution += abs(nettisa_data->mean_difftimes - diff_time);
+    // SWITCHING RATIO
+    if (nettisa_data->prev_payload != pkt.packet_len_wire) {
+        nettisa_data->switching_ratio += 1;
+        nettisa_data->prev_payload = pkt.packet_len_wire;
+    }
+}
+
+int NETTISAPlugin::post_create(Flow& rec, const Packet& pkt)
+{
+    RecordExtNETTISA* nettisa_data = new RecordExtNETTISA();
+    rec.add_extension(nettisa_data);
+
+    nettisa_data->prev_time = pkt.ts.tv_usec;
+
+    update_record(nettisa_data, pkt, rec);
+    return 0;
+}
+
+int NETTISAPlugin::post_update(Flow& rec, const Packet& pkt)
+{
+    RecordExtNETTISA* nettisa_data
+        = (RecordExtNETTISA*) rec.get_extension(RecordExtNETTISA::REGISTERED_ID);
+    update_record(nettisa_data, pkt, rec);
+    return 0;
+}
+
+void NETTISAPlugin::pre_export(Flow& rec)
+{
+    RecordExtNETTISA* nettisa_data
+        = (RecordExtNETTISA*) rec.get_extension(RecordExtNETTISA::REGISTERED_ID);
+    uint32_t n = rec.src_packets + rec.dst_packets;
+    nettisa_data->switching_ratio = nettisa_data->switching_ratio / ((n - 1) / 2);
+    nettisa_data->stdev = pow(
+        (nettisa_data->root_mean_square / n) - pow((rec.src_bytes + rec.dst_bytes) / n, 2),
+        0.5);
+    nettisa_data->root_mean_square = pow(nettisa_data->root_mean_square / n, 0.5);
+    nettisa_data->average_dispersion = nettisa_data->average_dispersion / n;
+    nettisa_data->kurtosis = nettisa_data->kurtosis / (n * pow(nettisa_data->stdev, 4));
+    nettisa_data->time_distribution = (nettisa_data->time_distribution / (n - 1))
+        / (nettisa_data->max_difftimes - nettisa_data->min);
+}
+
+} // namespace ipxp