++

Author: Zainullin Damir

src/plugins/process/dnssd/README.md

@@ -16,17 +16,8 @@ The **DNSSD Plugin** extends flow records with DNS-SD (DNS Service Discovery) qu
 
 | Field Name      | Data Type | Description                                                 |
 |-----------------|-----------|----------------------------------------|
-| `DNS_ID`| `uint16_t`  | Unique identifier of the processed DNS query |
-| `DNS_ANSWERS`| `uint16_t`  | Number of answers in the processed DNS response |
-| `DNS_RCODE`| `uint8_t`  | Response code of the processed DNS response |
-| `DNS_QTYPE`| `uint16_t`  | Type of the DNS query |
-| `DNS_CLASS`| `uint16_t`  | Class of the DNS query |
-| `DNS_NAME`| `string`  | Domain name in the DNS query |
-| `DNS_RR_TTL`| `uint32_t`  | Time-to-live of the first DNS response |
-| `DNS_RLENGTH`| `uint16_t`  | Length of the first DNS response |
-| `DNS_RDATA`| `bytes`  | Data of the first DNS response |
-| `DNS_PSIZE`| `uint16_t`  | Length of the first DNS additional record from response |
-| `DNS_DO`| `uint8_t`  | DNSSEC OK flag of the first DNS additional record from response |
+| `DNSSD_QUERIES`| `string`  | Concatenated list of requested services | 
+| `DNSSD_RESPONSES`| `string`  | Concatenated list of processed DNS responses: name, src port, cpu, operating system, TXT record content |
 
 ## Usage
 
@@ -36,11 +27,13 @@ Add the plugin to your ipfixprobe YAML configuration:
 
 ```yaml
 process_plugins:
-  - dns
+  - dnssd
 ```
 
 ### CLI Usage
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p dns ...```
+```ipfixprobe -p dnssd ...```
+```ipfixprobe -p "dnssd;txt" ...```
+```ipfixprobe -p "dnssd;txt=<path_to_file>" ...```

src/plugins/process/flowHash/README.md

@@ -0,0 +1,30 @@
+# FlowHash Plugin
+
+The **FlowHash Plugin** extends flow records with flow hashing information.
+
+## Features
+
+- Extracts and exports flow hash that ipfixprobe storage plugin assigned to given flow.
+
+## Output Fields
+
+| Field Name      | Data Type | Description                                                 |
+|-----------------|-----------|----------------------------------------|
+| `FLOW_ID`| `uint64_t`  | Assigned flow hash | 
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - flowhash 
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+```ipfixprobe -p flowhash ...```

src/plugins/process/http/README.md

@@ -0,0 +1,40 @@
+# HTTP Plugin
+
+Plugin enables detailed analysis of HTTP traffic by extracting key fields from HTTP headers.
+
+## Features
+
+- Extracts and exports HTTP request and response fields if flow contains HTTP information.
+- Terminates the flow if both HTTP request or response have been parsed.
+- Reinserts the flow if the second request or response is detected.
+
+## Output Fields
+
+| Field Name      | Data Type | Description                                                 |
+|-----------------|-----------|----------------------------------------|
+| `HTTP_REQUEST_METHOD`| `string`  | HTTP request method (e.g., GET, POST) | 
+| `HTTP_REQUEST_HOST`| `string`  | Requested HTTP host | 
+| `HTTP_REQUEST_URL`| `string`  | Requested URL | 
+| `HTTP_REQUEST_AGENT`| `string`  | User agent of the requester | 
+| `HTTP_REQUEST_REFERER`| `string`  | HTTP request referer | 
+| `HTTP_RESPONSE_STATUS_CODE`| `uint16_t`  | Response status code | 
+| `HTTP_RESPONSE_CONTENT_TYPE`| `string`  | Response content type | 
+| `HTTP_RESPONSE_SERVER`| `string`  | Response server | 
+| `HTTP_RESPONSE_SET_COOKIE_NAMES`| `string`  | Concatenated names of cookies that were set | 
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - http
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+```ipfixprobe -p http ...```

src/plugins/process/http/src/http.cpp

@@ -14,17 +14,17 @@
 
 #include "http.hpp"
 
-#include <pluginManifest.hpp>
-#include <pluginRegistrar.hpp>
-#include <pluginFactory.hpp>
+#include <ranges>
+
 #include <fieldGroup.hpp>
 #include <fieldManager.hpp>
+#include <ipfixprobe/options.hpp>
+#include <pluginFactory.hpp>
+#include <pluginManifest.hpp>
+#include <pluginRegistrar.hpp>
 #include <utils.hpp>
-#include <ranges>
-#include <utils/stringViewUtils.hpp>
 #include <utils/spanUtils.hpp>
-#include <ipfixprobe/options.hpp>
-
+#include <utils/stringViewUtils.hpp>
 
 namespace ipxp {
 
@@ -44,108 +44,119 @@ static FieldGroup createHTTPSchema(FieldManager& fieldManager, FieldHandlers<HTT
 {
 	FieldGroup schema = fieldManager.createFieldGroup("http");
 
-	handlers.insert(HTTPFields::HTTP_REQUEST_METHOD, schema.addScalarField(
-		"HTTP_REQUEST_METHOD",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->method); }
-	));
-	handlers.insert(HTTPFields::HTTP_REQUEST_HOST, schema.addScalarField(
-		"HTTP_REQUEST_HOST",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->host); }
-	));
-	handlers.insert(HTTPFields::HTTP_REQUEST_URL, schema.addScalarField(
-		"HTTP_REQUEST_URL",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->uri); }
-	));
-	handlers.insert(HTTPFields::HTTP_REQUEST_AGENT, schema.addScalarField(
-		"HTTP_REQUEST_AGENT",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->userAgent); }
-	));
-	handlers.insert(HTTPFields::HTTP_REQUEST_REFERER, schema.addScalarField(
-		"HTTP_REQUEST_REFERER",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->referer); }
-	));
-	handlers.insert(HTTPFields::HTTP_RESPONSE_STATUS_CODE, schema.addScalarField(
-		"HTTP_RESPONSE_STATUS_CODE",
-		[](const void* context) { return reinterpret_cast<const HTTPData*>(context)->statusCode; }
-	));
-	handlers.insert(HTTPFields::HTTP_RESPONSE_CONTENT_TYPE, schema.addScalarField(
-		"HTTP_RESPONSE_CONTENT_TYPE",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->contentType); }
-	));
-	handlers.insert(HTTPFields::HTTP_RESPONSE_SERVER, schema.addScalarField(
-		"HTTP_RESPONSE_SERVER",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->server); }
-	));
-	handlers.insert(HTTPFields::HTTP_RESPONSE_SET_COOKIE_NAMES, schema.addScalarField(
-		"HTTP_RESPONSE_SET_COOKIE_NAMES",
-		[](const void* context) { return toStringView(reinterpret_cast<const HTTPData*>(context)->cookies); }
-	));
+	handlers.insert(
+		HTTPFields::HTTP_REQUEST_METHOD,
+		schema.addScalarField("HTTP_REQUEST_METHOD", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->method);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_REQUEST_HOST,
+		schema.addScalarField("HTTP_REQUEST_HOST", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->host);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_REQUEST_URL,
+		schema.addScalarField("HTTP_REQUEST_URL", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->uri);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_REQUEST_AGENT,
+		schema.addScalarField("HTTP_REQUEST_AGENT", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->userAgent);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_REQUEST_REFERER,
+		schema.addScalarField("HTTP_REQUEST_REFERER", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->referer);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_RESPONSE_STATUS_CODE,
+		schema.addScalarField("HTTP_RESPONSE_STATUS_CODE", [](const void* context) {
+			return reinterpret_cast<const HTTPData*>(context)->statusCode;
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_RESPONSE_CONTENT_TYPE,
+		schema.addScalarField("HTTP_RESPONSE_CONTENT_TYPE", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->contentType);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_RESPONSE_SERVER,
+		schema.addScalarField("HTTP_RESPONSE_SERVER", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->server);
+		}));
+	handlers.insert(
+		HTTPFields::HTTP_RESPONSE_SET_COOKIE_NAMES,
+		schema.addScalarField("HTTP_RESPONSE_SET_COOKIE_NAMES", [](const void* context) {
+			return toStringView(reinterpret_cast<const HTTPData*>(context)->cookies);
+		}));
 
 	return schema;
 }
 
-HTTPPlugin::HTTPPlugin([[maybe_unused]]const std::string& params, FieldManager& manager)
+HTTPPlugin::HTTPPlugin([[maybe_unused]] const std::string& params, FieldManager& manager)
 {
 	createHTTPSchema(manager, m_fieldHandlers);
 }
 
-void HTTPPlugin::saveParsedValues(const HTTPParser& parser, FlowRecord& flowRecord, HTTPData& httpData) noexcept
+void HTTPPlugin::saveParsedValues(
+	const HTTPParser& parser,
+	FlowRecord& flowRecord,
+	HTTPData& httpData) noexcept
 {
 	httpData.requestParsed |= parser.requestParsed;
 	httpData.responseParsed |= parser.responseParsed;
 
 	if (parser.method.has_value()) {
-		std::ranges::copy(*parser.method |
-			std::views::take(httpData.method.capacity()),
-		std::back_inserter(httpData.method));
+		std::ranges::copy(
+			*parser.method | std::views::take(httpData.method.capacity()),
+			std::back_inserter(httpData.method));
 		m_fieldHandlers[HTTPFields::HTTP_REQUEST_METHOD].setAsAvailable(flowRecord);
 	}
 	if (parser.uri.has_value()) {
-		std::ranges::copy(*parser.uri |
-			std::views::take(httpData.uri.capacity()),
-		std::back_inserter(httpData.uri));
+		std::ranges::copy(
+			*parser.uri | std::views::take(httpData.uri.capacity()),
+			std::back_inserter(httpData.uri));
 		m_fieldHandlers[HTTPFields::HTTP_REQUEST_URL].setAsAvailable(flowRecord);
 	}
 	if (parser.host.has_value()) {
-		std::ranges::copy(*parser.host |
-			std::views::take(httpData.host.capacity()),
-		std::back_inserter(httpData.host));
+		std::ranges::copy(
+			*parser.host | std::views::take(httpData.host.capacity()),
+			std::back_inserter(httpData.host));
 		m_fieldHandlers[HTTPFields::HTTP_REQUEST_HOST].setAsAvailable(flowRecord);
 	}
 	if (parser.userAgent.has_value()) {
-		std::ranges::copy(*parser.userAgent |
-			std::views::take(httpData.userAgent.capacity()),
-		std::back_inserter(httpData.userAgent));
+		std::ranges::copy(
+			*parser.userAgent | std::views::take(httpData.userAgent.capacity()),
+			std::back_inserter(httpData.userAgent));
 		m_fieldHandlers[HTTPFields::HTTP_REQUEST_AGENT].setAsAvailable(flowRecord);
 	}
 	if (parser.referer.has_value()) {
-		std::ranges::copy(*parser.referer |
-			std::views::take(httpData.referer.capacity()),
-		std::back_inserter(httpData.referer));
+		std::ranges::copy(
+			*parser.referer | std::views::take(httpData.referer.capacity()),
+			std::back_inserter(httpData.referer));
 		m_fieldHandlers[HTTPFields::HTTP_REQUEST_REFERER].setAsAvailable(flowRecord);
 	}
 	if (parser.statusCode.has_value()) {
 		httpData.statusCode = *parser.statusCode;
 		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_STATUS_CODE].setAsAvailable(flowRecord);
 	}
 	if (parser.contentType.has_value()) {
-		std::ranges::copy(*parser.contentType |
-			std::views::take(httpData.contentType.capacity()),
-		std::back_inserter(httpData.contentType));
+		std::ranges::copy(
+			*parser.contentType | std::views::take(httpData.contentType.capacity()),
+			std::back_inserter(httpData.contentType));
 		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_CONTENT_TYPE].setAsAvailable(flowRecord);
 	}
 	if (parser.server.has_value()) {
-		std::ranges::copy(*parser.server |
-			std::views::take(httpData.server.capacity()),
-		std::back_inserter(httpData.server));
+		std::ranges::copy(
+			*parser.server | std::views::take(httpData.server.capacity()),
+			std::back_inserter(httpData.server));
 		m_fieldHandlers[HTTPFields::HTTP_RESPONSE_SERVER].setAsAvailable(flowRecord);
 	}
 	if (parser.cookies.has_value()) {
 		std::ranges::for_each(*parser.cookies, [&](std::string_view cookie) {
-			std::ranges::copy(cookie |
-				std::views::take(
-					httpData.cookies.capacity() - httpData.cookies.size()),
-			std::back_inserter(httpData.cookies));
+			std::ranges::copy(
+				cookie | std::views::take(httpData.cookies.capacity() - httpData.cookies.size()),
+				std::back_inserter(httpData.cookies));
 			if (httpData.cookies.size() != httpData.cookies.capacity()) {
 				httpData.cookies.push_back(';');
 			}
@@ -166,7 +177,7 @@ void HTTPPlugin::saveParsedValues(const HTTPParser& parser, FlowRecord& flowReco
 			.flowAction = FlowAction::RemovePlugin,
 		};
 	}
-	
+
 	if (parser.requestParsed && httpData.requestParsed) {
 		// Must be flush and reinsert ????
 		return {
@@ -199,7 +210,8 @@ void HTTPPlugin::saveParsedValues(const HTTPParser& parser, FlowRecord& flowReco
 PluginInitResult HTTPPlugin::onInit(const FlowContext& flowContext, void* pluginContext)
 {
 	HTTPParser parser;
-	parser.parse(toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len));
+	parser.parse(
+		toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len));
 	if (!parser.method.has_value()) {
 		return {
 			.constructionState = ConstructionState::NotConstructed,
@@ -211,15 +223,15 @@ PluginInitResult HTTPPlugin::onInit(const FlowContext& flowContext, void* plugin
 	auto* pluginData = std::construct_at(reinterpret_cast<HTTPData*>(pluginContext));
 	saveParsedValues(parser, flowContext.flowRecord, *pluginData);
 	/*auto [updateRequirement, flowAction] = parseHTTP(
-		toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len), flowContext.flowRecord, *pluginData);*/
+		toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len),
+	   flowContext.flowRecord, *pluginData);*/
 	return {
 		.constructionState = ConstructionState::Constructed,
 		.updateRequirement = UpdateRequirement::RequiresUpdate,
 		.flowAction = FlowAction::NoAction,
 	};
 }
 
-
 PluginUpdateResult HTTPPlugin::beforeUpdate(const FlowContext& flowContext, void* pluginContext)
 {
 	auto* pluginData = reinterpret_cast<HTTPData*>(pluginContext);
@@ -240,21 +252,22 @@ PluginUpdateResult HTTPPlugin::onUpdate(const FlowContext& flowContext, void* pl
 {
 	auto* pluginData = reinterpret_cast<HTTPData*>(pluginContext);
 	HTTPParser parser;
-	parser.parse(toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len));
+	parser.parse(
+		toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len));
 	if (pluginData->requestParsed && pluginData->responseParsed) {
 		return {
 			.updateRequirement = UpdateRequirement::NoUpdateNeeded,
 			.flowAction = FlowAction::NoAction,
 		};
 	}
-	
+
 	return {
 		.updateRequirement = UpdateRequirement::RequiresUpdate,
 		.flowAction = FlowAction::NoAction,
 	};
 }
 
-void HTTPPlugin::onDestroy(void* pluginContext) 
+void HTTPPlugin::onDestroy(void* pluginContext)
 {
 	std::destroy_at(reinterpret_cast<HTTPData*>(pluginContext));
 }
@@ -267,7 +280,9 @@ PluginDataMemoryLayout HTTPPlugin::getDataMemoryLayout() const noexcept
 	};
 }
 
-static const PluginRegistrar<HTTPPlugin, PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
+static const PluginRegistrar<
+	HTTPPlugin,
+	PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
 	httpPluginRegistrar(httpPluginManifest);
 
 } // namespace ipxp