++

Author: Zainullin Damir

src/plugins/process/bstats/README.md

@@ -11,14 +11,14 @@ The **BurstStats Plugin** extends flow records with burst packet statistics to p
 
 | Field Name      | Data Type | Description                                                 |
 |-----------------|-----------|-------------------------------------------------------------|
-| `SBI_BRST_PACKETS`| `uint32_t`  | Array of packet counts in each burst (source -> destination)                  |
-| `SBI_BRST_BYTES`  | `uint32_t`  | Array of bytes in each burst in source-to-destination direction                    |
-| `SBI_BRST_TIME_START` | `Timestamp` | Array of burst start times in source-to-destination direction                   |
-| `SBI_BRST_TIME_STOP`  | `Timestamp` | Array of burst end times in source-to-destination direction                     |
-| `DBI_BRST_PACKETS`| `uint32_t`  | Array of packets in each burst in destination-to-source direction                  |
-| `DBI_BRST_BYTES`  | `uint32_t`  | Array of bytes in each burst in destination-to-source direction                    |
-| `DBI_BRST_TIME_START` | `Timestamp` | Array of burst start times in destination-to-source direction                   |
-| `DBI_BRST_TIME_STOP`  | `Timestamp` | Array of burst end times in destination-to-source direction                     |
+| `SBI_BRST_PACKETS`| `uint32_t`  | Array of packet counts in each burst (source → destination)                  |
+| `SBI_BRST_BYTES`  | `uint32_t`  | Array of bytes in each burst (source → destination)                    |
+| `SBI_BRST_TIME_START` | `Timestamp` | Array of burst start times (source → destination)                   |
+| `SBI_BRST_TIME_STOP`  | `Timestamp` | Array of burst end times (source → destination)                     |
+| `DBI_BRST_PACKETS`| `uint32_t`  | Array of packets in each burst (destination → source)                  |
+| `DBI_BRST_BYTES`  | `uint32_t`  | Array of bytes in each burst (destination → source)                    |
+| `DBI_BRST_TIME_START` | `Timestamp` | Array of burst start times (destination → source)                   |
+| `DBI_BRST_TIME_STOP`  | `Timestamp` | Array of burst end times (destination → source)                     |
 
 ## Usage
 

src/plugins/process/dns/README.md

@@ -1,37 +1,41 @@
 # DNS Plugin
 
-The **DNS Plugin** is a module for the IPFIXprobe exporter, designed to analyze DNS traffic.
+The **DNS Plugin** extends flow records with DNS query and response information.
 
 ## Features
 
-- Extends basic flow export data. 
-- Extracts and exports additional fields from network flows.
-
+- Immediately removes flow if DNS query or response has been parsed.
+- Extracts and exports DNS fields if flow contains DNS information.
 
 ## Output Fields
 
 | Field Name      | Data Type | Description                                                 |
-|-----------------|-----------|-------------------------------------------------------------|
-| IP_TTL          | uint8_t   | IP time-to-live in source-to-destination direction          |
-| IP_TTL_REV      | uint8_t   | IP time-to-live in destination-to-source direction          |
-| IP_FLG          | uint8_t   | IP flags in source-to-destination direction                 |
-| IP_FLG_REV      | uint8_t   | IP flags in destination-to-source direction                 |
-| TCP_WIN         | uint16_t  | TCP window size in source-to-destination direction          |
-| TCP_WIN_REV     | uint16_t  | TCP window size in destination-to-source direction          |
-| TCP_OPT         | uint64_t   | TCP options in source-to-destination direction              |
-| TCP_OPT_REV     | uint64_t   | TCP options in destination-to-source direction              |
-| TCP_MSS         | uint32_t  | TCP maximum segment size in source-to-destination direction |
-| TCP_MSS_REV     | uint32_t  | TCP maximum segment size in destination-to-source direction |
-| TCP_SYN_SIZE    | uint16_t  | TCP syn packet size (only one in bidirectional flow)        |
+|-----------------|-----------|----------------------------------------|
+| `DNS_ID`| `uint16_t`  | Unique identifier of the processed DNS query |
+| `DNS_ANSWERS`| `uint16_t`  | Number of answers in the processed DNS response |
+| `DNS_RCODE`| `uint8_t`  | Response code of the processed DNS response |
+| `DNS_QTYPE`| `uint16_t`  | Type of the DNS query |
+| `DNS_CLASS`| `uint16_t`  | Class of the DNS query |
+| `DNS_NAME`| `string`  | Domain name in the DNS query |
+| `DNS_RR_TTL`| `uint32_t`  | Time-to-live of the first DNS response |
+| `DNS_RLENGTH`| `uint16_t`  | Length of the first DNS response |
+| `DNS_RDATA`| `bytes`  | Data of the first DNS response |
+| `DNS_PSIZE`| `uint16_t`  | Length of the first DNS additional record from response |
+| `DNS_DO`| `uint8_t`  | DNSSEC OK flag of the first DNS additional record from response |
 
 ## Usage
 
-Once enabled, the plugin will automatically process flows and add the export fields to each record.
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - dns
+```
 
-1. ``` make install ```.
-2. ``` ipfixprobe -p "basicplus" ... " ```
-3. Extracted values are exported to the output interface.
+### CLI Usage
 
-## Support
+You can also enable the plugin directly from the command line:
 
-For issues or feature requests, please open an issue in the [IPFIXprobe repository](https://github.com/CESNET/ipfixprobe).
+```ipfixprobe -p dns ...```

src/plugins/process/dnssd/README.md

@@ -0,0 +1,46 @@
+# DNSSD Plugin
+
+The **DNSSD Plugin** extends flow records with DNS-SD (DNS Service Discovery) query and response information.
+
+## Features
+
+- Extracts and exports DNS-SD fields if flow contains DNS-SD information.
+
+## Parameters
+
+| Long name | Short name | Type   | Default | Description                                                 |
+|-----------|------------|--------|---------|-------------------------------------------------------------|
+| `txt`     | `t`       | `Path to file`   | **Disabled** | If no file provided, processes all DNSSD TXT records. If a file is provided, only processes TXT records listed in the file. Whitelist format is `service.domain,txt_key1,txt_key2,...` |
+
+## Output Fields
+
+| Field Name      | Data Type | Description                                                 |
+|-----------------|-----------|----------------------------------------|
+| `DNS_ID`| `uint16_t`  | Unique identifier of the processed DNS query |
+| `DNS_ANSWERS`| `uint16_t`  | Number of answers in the processed DNS response |
+| `DNS_RCODE`| `uint8_t`  | Response code of the processed DNS response |
+| `DNS_QTYPE`| `uint16_t`  | Type of the DNS query |
+| `DNS_CLASS`| `uint16_t`  | Class of the DNS query |
+| `DNS_NAME`| `string`  | Domain name in the DNS query |
+| `DNS_RR_TTL`| `uint32_t`  | Time-to-live of the first DNS response |
+| `DNS_RLENGTH`| `uint16_t`  | Length of the first DNS response |
+| `DNS_RDATA`| `bytes`  | Data of the first DNS response |
+| `DNS_PSIZE`| `uint16_t`  | Length of the first DNS additional record from response |
+| `DNS_DO`| `uint8_t`  | DNSSEC OK flag of the first DNS additional record from response |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - dns
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+```ipfixprobe -p dns ...```

src/plugins/process/dnssd/src/dnssd.cpp

@@ -14,24 +14,20 @@
 
 #include "dnssd.hpp"
 
-#include <iostream>
+#include "dnssdOptionsParser.hpp"
 
-#include <ipfixprobe/pluginFactory/pluginManifest.hpp>
-#include <ipfixprobe/pluginFactory/pluginRegistrar.hpp>
+#include <iostream>
 
-//#include <pluginManifest.hpp>
-//#include <pluginRegistrar.hpp>
-//#include <pluginFactory.hpp>
+#include <dnsParser/dnsParser.hpp>
+#include <dnsParser/dnsQueryType.hpp>
 #include <fieldGroup.hpp>
 #include <fieldManager.hpp>
+#include <ipfixprobe/pluginFactory/pluginManifest.hpp>
+#include <ipfixprobe/pluginFactory/pluginRegistrar.hpp>
 #include <utils.hpp>
-#include <dnsParser/dnsParser.hpp>
-#include <dnsParser/dnsQueryType.hpp>
-#include <utils/stringViewUtils.hpp>
-#include <utils/stringUtils.hpp>
 #include <utils/spanUtils.hpp>
-
-#include "dnssdOptionsParser.hpp"
+#include <utils/stringUtils.hpp>
+#include <utils/stringViewUtils.hpp>
 
 namespace ipxp {
 
@@ -47,31 +43,35 @@ static const PluginManifest dnssdPluginManifest = {
 		},
 };
 
-static FieldGroup createDNSSDSchema(FieldManager& fieldManager, FieldHandlers<DNSSDFields>& handlers)
+static FieldGroup
+createDNSSDSchema(FieldManager& fieldManager, FieldHandlers<DNSSDFields>& handlers)
 {
 	FieldGroup schema = fieldManager.createFieldGroup("dnssd");
 
-	handlers.insert(DNSSDFields::DNSSD_QUERIES, schema.addScalarField("DNSSD_QUERIES", [](const void* context) {
-		return toStringView(static_cast<const DNSSDData*>(context)->queries);
-	}));
+	handlers.insert(
+		DNSSDFields::DNSSD_QUERIES,
+		schema.addScalarField("DNSSD_QUERIES", [](const void* context) {
+			return toStringView(static_cast<const DNSSDData*>(context)->queries);
+		}));
 
-	handlers.insert(DNSSDFields::DNSSD_RESPONSES, schema.addScalarField("DNSSD_RESPONSES", [](const void* context) {
-		return toStringView(static_cast<const DNSSDData*>(context)->responses);
-	}));
+	handlers.insert(
+		DNSSDFields::DNSSD_RESPONSES,
+		schema.addScalarField("DNSSD_RESPONSES", [](const void* context) {
+			return toStringView(static_cast<const DNSSDData*>(context)->responses);
+		}));
 
 	return schema;
 }
 
-DNSSDPlugin::DNSSDPlugin([[maybe_unused]]const std::string& params, FieldManager& manager)
+DNSSDPlugin::DNSSDPlugin([[maybe_unused]] const std::string& params, FieldManager& manager)
 {
 	createDNSSDSchema(manager, m_fieldHandlers);
 }
 
 PluginInitResult DNSSDPlugin::onInit(const FlowContext& flowContext, void* pluginContext)
 {
 	constexpr uint16_t DNSSD_PORT = 5353;
-	if (flowContext.packet.src_port != DNSSD_PORT && 
-		flowContext.packet.dst_port != DNSSD_PORT) {
+	if (flowContext.packet.src_port != DNSSD_PORT && flowContext.packet.dst_port != DNSSD_PORT) {
 		return {
 			.constructionState = ConstructionState::NotConstructed,
 			.updateRequirement = UpdateRequirement::NoUpdateNeeded,
@@ -83,7 +83,10 @@ PluginInitResult DNSSDPlugin::onInit(const FlowContext& flowContext, void* plugi
 	// TODO USE VALUES FROM DISSECTOR
 	constexpr std::size_t TCP = 6;
 	const bool isDNSoverTCP = (flowContext.packet.ip_proto == TCP);
-	if (!parseDNSSD(toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len), isDNSoverTCP, *pluginData)) {
+	if (!parseDNSSD(
+			toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len),
+			isDNSoverTCP,
+			*pluginData)) {
 		return {
 			.constructionState = ConstructionState::Constructed,
 			.updateRequirement = UpdateRequirement::NoUpdateNeeded,
@@ -104,7 +107,10 @@ PluginUpdateResult DNSSDPlugin::onUpdate(const FlowContext& flowContext, void* p
 	// TODO USE VALUES FROM DISSECTOR
 	constexpr std::size_t TCP = 6;
 	const bool isDNSoverTCP = (flowContext.packet.ip_proto == TCP);
-	if (!parseDNSSD(toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len), isDNSoverTCP, *pluginData)) {
+	if (!parseDNSSD(
+			toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len),
+			isDNSoverTCP,
+			*pluginData)) {
 		return {
 			.updateRequirement = UpdateRequirement::NoUpdateNeeded,
 			.flowAction = FlowAction::RemovePlugin,
@@ -133,7 +139,7 @@ bool DNSSDPlugin::parseAnswer(const DNSRecord& answer, DNSSDData& pluginData) no
 			return true;
 		}
 
-		DNSSDRecord& record = pluginData.findOrInsert(answer.name);		
+		DNSSDRecord& record = pluginData.findOrInsert(answer.name);
 		record.txtContent.append(txt.content);
 		record.txtContent.push_back(':');
 	}
@@ -149,25 +155,22 @@ bool DNSSDPlugin::parseAnswer(const DNSRecord& answer, DNSSDData& pluginData) no
 }
 
 bool DNSSDPlugin::parseDNSSD(
-	std::span<const std::byte> payload, 
+	std::span<const std::byte> payload,
 	const bool isDNSOverTCP,
 	DNSSDData& pluginData) noexcept
 {
 	DNSParser parser;
 
-	std::function<bool(const DNSQuestion& query)>
-	queryParser = [&](const DNSQuestion& query) {
+	std::function<bool(const DNSQuestion& query)> queryParser = [&](const DNSQuestion& query) {
 		pluginData.findOrInsert(query.name);
 		return false;
 	};
 
-	auto answerParser = [&](const DNSRecord& answer) {
-		return parseAnswer(answer, pluginData);
-	};
+	auto answerParser = [&](const DNSRecord& answer) { return parseAnswer(answer, pluginData); };
 
-	const bool parsed = parser.parse(
-		payload, isDNSOverTCP, queryParser, answerParser,
-		answerParser, answerParser);
+	const bool parsed
+		= parser
+			  .parse(payload, isDNSOverTCP, queryParser, answerParser, answerParser, answerParser);
 	if (!parsed) {
 		return false;
 	}
@@ -185,13 +188,18 @@ PluginExportResult DNSSDPlugin::onExport(const FlowRecord& flowRecord, void* plu
 		};
 	}
 
-	concatenateRangeTo(pluginData.requests | std::views::transform([](const DNSSDRecord& record) {
-		return record.requestName.toString();
-	}), pluginData.queries, ';');
-	concatenateRangeTo(pluginData.requests | std::views::transform([](const DNSSDRecord& record) {
-		return record.toString();
-	}), pluginData.responses, ';');
-	
+	concatenateRangeTo(
+		pluginData.requests | std::views::transform([](const DNSSDRecord& record) {
+			return record.requestName.toString();
+		}),
+		pluginData.queries,
+		';');
+	concatenateRangeTo(
+		pluginData.requests
+			| std::views::transform([](const DNSSDRecord& record) { return record.toString(); }),
+		pluginData.responses,
+		';');
+
 	m_fieldHandlers[DNSSDFields::DNSSD_QUERIES].setAsAvailable(flowRecord);
 	m_fieldHandlers[DNSSDFields::DNSSD_RESPONSES].setAsAvailable(flowRecord);
 
@@ -200,7 +208,7 @@ PluginExportResult DNSSDPlugin::onExport(const FlowRecord& flowRecord, void* plu
 	};
 }
 
-void DNSSDPlugin::onDestroy(void* pluginContext) 
+void DNSSDPlugin::onDestroy(void* pluginContext)
 {
 	std::destroy_at(reinterpret_cast<DNSSDData*>(pluginContext));
 }
@@ -213,6 +221,9 @@ PluginDataMemoryLayout DNSSDPlugin::getDataMemoryLayout() const noexcept
 	};
 }
 
-static const PluginRegistrar<DNSSDPlugin, PluginFactory<ProcessPlugin, const std::string&, FieldManager&>> dnssdRegistrar(dnssdPluginManifest);
+static const PluginRegistrar<
+	DNSSDPlugin,
+	PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
+	dnssdRegistrar(dnssdPluginManifest);
 
 } // namespace ipxp

src/plugins/process/dnssd/src/dnssd.hpp

@@ -14,16 +14,17 @@
 
 #pragma once
 
-#include <sstream>
-#include <string>
-#include <processPlugin.hpp>
-#include <fieldManager.hpp>
-#include <fieldHandlersEnum.hpp>
-
 #include "dnssdData.hpp"
 #include "dnssdFields.hpp"
 #include "serviceFilter.hpp"
 
+#include <sstream>
+#include <string>
+
+#include <fieldHandlersEnum.hpp>
+#include <fieldManager.hpp>
+#include <processPlugin.hpp>
+
 namespace ipxp {
 
 /**
@@ -32,7 +33,6 @@ namespace ipxp {
  */
 class DNSSDPlugin : public ProcessPlugin {
 public:
-
 	/**
 	 * @brief Constructs the DNSSD plugin.
 	 *
@@ -91,12 +91,12 @@ class DNSSDPlugin : public ProcessPlugin {
 
 private:
 	bool parseDNSSD(
-		std::span<const std::byte> payload, 
+		std::span<const std::byte> payload,
 		const bool isDNSoverTCP,
 		DNSSDData& pluginData) noexcept;
 	bool parseAnswer(const DNSRecord& answer, DNSSDData& pluginData) noexcept;
 
-	//std::optional<std::string> m_configFilename;
+	// std::optional<std::string> m_configFilename;
 	FieldHandlers<DNSSDFields> m_fieldHandlers;
 	std::optional<ServiceFilter> m_serviceFilter;
 };

src/plugins/process/dnssd/src/dnssdData.hpp

@@ -9,12 +9,11 @@
 
 #pragma once
 
-#include <boost/static_string.hpp>
-
 #include "dnssdRecord.hpp"
 
-namespace ipxp
-{
+#include <boost/static_string.hpp>
+
+namespace ipxp {
 
 /**
  * @struct DNSSDData
@@ -46,7 +45,6 @@ struct DNSSDData {
 		requests.emplace_back(name);
 		return requests.back();
 	}
-};  
+};
 
 } // namespace ipxp
-