++

Author: Zainullin Damir

src/plugins/process/mqtt/README.md

@@ -16,25 +16,18 @@ The **MQTT Plugin** extends flow records with MQTT (Message Queuing Telemetry Tr
 
 ## Output Fields
 
-	MQTT_TYPE_CUMULATIVE = 0,
-	MQTT_VERSION,
-	MQTT_CONNECTION_FLAGS,
-	MQTT_KEEP_ALIVE,
-	MQTT_CONNECTION_RETURN_CODE,
-	MQTT_PUBLISH_FLAGS,
-	MQTT_TOPICS,
-
-
 | Field Name      | Data Type | Description                                                 |
 |-----------------|-----------|----------------------------------------|
-| `MQQT_TYPE_CUMULATIVE`| `uint16_t`  | Bitfield of messages that were detected during the communication.
-DISCONNECT \| PINGRESP(1b) \| PINGREQ(1b) \| UNSUBACK(1b) \| UNSUBSCRIBE(1b) /|
-	SUBACK(1b) | SUBSCRIBE(1b) | PUBCOMP(1b) | PUBREL(1b) | PUBREC(1b) | PUBACK(1b) | PUBLISH(1b) |
-	CONNACK(1b) | CONNECT(1b) | session present(1b) | 
-| `MQTT_VERSION`| `uint8_t`  |  |
-| `MQTT_CONNECTION_FLAGS`| `uint8_t`  |  |
-| `MQTT_KEEP_ALIVE`| `uint8_t`  |  |
-| `MQTT_VERSION`| `uint8_t`  |  |
+| `MQQT_TYPE_CUMULATIVE`| `uint16_t`  | Bitfield of messages that were detected during the communication. Each value takes 1 bit. 
+DISCONNECT \| PINGRESP \| PINGREQ \| UNSUBACK \| UNSUBSCRIBE \|
+	SUBACK \| SUBSCRIBE \| PUBCOMP \| PUBREL \| PUBREC \| PUBACK \| PUBLISH \|
+	CONNACK \| CONNECT \| session present flag from *connection* message\|
+| `MQTT_VERSION`| `uint8_t`  | Identifies the MQTT version being used. |
+| `MQTT_CONNECTION_FLAGS`| `uint8_t`  | Flags of *connection* message. |
+| `MQTT_KEEP_ALIVE`| `uint16_t`  | MQTT connection keep alive |
+| `MQTT_CONNECTION_RETURN_CODE`| `uint8_t`  | Return code value from *connack* message. |
+| `MQTT_PUBLISH_FLAGS`| `uint8_t`  | Cumulative of *publish* message flags. |
+| `MQTT_TOPICS`| `string`  | Concatenation of **topiccount** topics from *publish* messages. |
 
 ## Usage
 
@@ -44,13 +37,12 @@ Add the plugin to your ipfixprobe YAML configuration:
 
 ```yaml
 process_plugins:
-  - dnssd
+  - mqtt 
 ```
 
 ### CLI Usage
 
 You can also enable the plugin directly from the command line:
 
-```ipfixprobe -p dnssd ...```
-```ipfixprobe -p "dnssd;txt" ...```
-```ipfixprobe -p "dnssd;txt=<path_to_file>" ...```
+```ipfixprobe -p mqtt ...```
+```ipfixprobe -p "mqtt;tc=<topic_count>" ...```

src/plugins/process/netbios/README.md

@@ -0,0 +1,33 @@
+# NetBIOS Plugin
+
+This plugin provides in-depth analysis of NetBIOS traffic by capturing and exporting fields from NetBIOS packets.
+
+## Features
+
+- Extracts and exports NetBIOS name and suffix fields from NetBIOS packets.
+- Expects traffic to be on port 137.
+
+## Output Fields
+
+| Field Name      | Data Type | Description                                                 |
+|-----------------|-----------|-------------------------------------------------------------|
+| `NB_NAME`       | `string`  | NetBIOS name extracted from the packet                     |
+| `NB_SUFFIX`    | `char`    | NetBIOS suffix extracted from the packet                   |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - netbios
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+```ipfixprobe -p netbios ...```
+

src/plugins/process/netbios/src/netbios.cpp

@@ -7,24 +7,24 @@
  *
  * Provides a plugin that extracts NetBIOS suffix and name from packets,
  * stores them in per-flow plugin data, and exposes fields via FieldManager.
- * 
+ *
  * @copyright Copyright (c) 2025 CESNET, z.s.p.o.
  */
 
 #include "netbios.hpp"
 
-#include <iostream>
 #include <cmath>
+#include <iostream>
 
-#include <pluginManifest.hpp>
-#include <pluginRegistrar.hpp>
-#include <pluginFactory.hpp>
+#include <dns-utils.hpp>
 #include <fieldGroup.hpp>
 #include <fieldManager.hpp>
-#include <dns-utils.hpp>
+#include <ipfixprobe/options.hpp>
+#include <pluginFactory.hpp>
+#include <pluginManifest.hpp>
+#include <pluginRegistrar.hpp>
 #include <utils/spanUtils.hpp>
 #include <utils/stringViewUtils.hpp>
-#include <ipfixprobe/options.hpp>
 
 namespace ipxp {
 
@@ -40,34 +40,41 @@ static const PluginManifest netbiosPluginManifest = {
 		},
 };
 
-static FieldGroup createNetBIOSSchema(FieldManager& fieldManager, FieldHandlers<NetBIOSFields>& fieldHandlers)
+static FieldGroup
+createNetBIOSSchema(FieldManager& fieldManager, FieldHandlers<NetBIOSFields>& fieldHandlers)
 {
 	FieldGroup schema = fieldManager.createFieldGroup("netbios");
 
-	fieldHandlers.insert(NetBIOSFields::NB_SUFFIX, schema.addScalarField(
-		"NB_SUFFIX",
-		[] (const void* context) { return static_cast<uint8_t>(static_cast<const NetBIOSData*>(context)->suffix); }
-	));
+	fieldHandlers.insert(
+		NetBIOSFields::NB_SUFFIX,
+		schema.addScalarField("NB_SUFFIX", [](const void* context) {
+			return static_cast<uint8_t>(static_cast<const NetBIOSData*>(context)->suffix);
+		}));
 
-	fieldHandlers.insert(NetBIOSFields::NB_NAME, schema.addScalarField(
-		"NB_NAME",
-		[] (const void* context) { return toStringView(static_cast<const NetBIOSData*>(context)->name); }
-	));
+	fieldHandlers.insert(
+		NetBIOSFields::NB_NAME,
+		schema.addScalarField("NB_NAME", [](const void* context) {
+			return toStringView(static_cast<const NetBIOSData*>(context)->name);
+		}));
 
 	return schema;
 }
 
-NetBIOSPlugin::NetBIOSPlugin([[maybe_unused]]const std::string& params, FieldManager& manager)
+NetBIOSPlugin::NetBIOSPlugin([[maybe_unused]] const std::string& params, FieldManager& manager)
 {
 	createNetBIOSSchema(manager, m_fieldHandlers);
 }
 
 PluginInitResult NetBIOSPlugin::onInit(const FlowContext& flowContext, void* pluginContext)
 {
 	constexpr uint8_t NETBIOS_PORT = 137;
-	if (flowContext.packet.src_port == NETBIOS_PORT || flowContext.packet.dst_port == NETBIOS_PORT) {
+	if (flowContext.packet.src_port == NETBIOS_PORT
+		|| flowContext.packet.dst_port == NETBIOS_PORT) {
 		auto* pluginData = std::construct_at(reinterpret_cast<NetBIOSData*>(pluginContext));
-		parseNetBIOS(flowContext.flowRecord, toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len), *pluginData);
+		parseNetBIOS(
+			flowContext.flowRecord,
+			toSpan<const std::byte>(flowContext.packet.payload, flowContext.packet.payload_len),
+			*pluginData);
 		return {
 			.constructionState = ConstructionState::Constructed,
 			.updateRequirement = UpdateRequirement::NoUpdateNeeded,
@@ -82,19 +89,21 @@ PluginInitResult NetBIOSPlugin::onInit(const FlowContext& flowContext, void* plu
 	};
 }
 
-constexpr static
-char compressCharPair(const char first, const char second)
+constexpr static char compressCharPair(const char first, const char second)
 {
 	return static_cast<char>(((first - 'A') << 4) | (second - 'A'));
 }
 
-void NetBIOSPlugin::parseNetBIOS(FlowRecord& flowRecord, std::span<const std::byte> payload, NetBIOSData& pluginData) noexcept
+void NetBIOSPlugin::parseNetBIOS(
+	FlowRecord& flowRecord,
+	std::span<const std::byte> payload,
+	NetBIOSData& pluginData) noexcept
 {
 	if (payload.size() < sizeof(dns_hdr) || !pluginData.name.empty()) {
 		return;
 	}
 
-	const std::size_t queryCount 
+	const std::size_t queryCount
 		= reinterpret_cast<const dns_hdr*>(payload.data())->question_rec_cnt;
 	if (queryCount == 0) {
 		return;
@@ -107,8 +116,8 @@ void NetBIOSPlugin::parseNetBIOS(FlowRecord& flowRecord, std::span<const std::by
 	}
 
 	auto nameIt = reinterpret_cast<const std::pair<char, char>*>(payload.data());
-	for (; reinterpret_cast<const std::byte*>(nameIt) 
-			!= payload.data() + payload.size() - 2; nameIt++) {
+	for (; reinterpret_cast<const std::byte*>(nameIt) != payload.data() + payload.size() - 2;
+		 nameIt++) {
 		pluginData.name.push_back(compressCharPair(nameIt->first, nameIt->second));
 	}
 	m_fieldHandlers[NetBIOSFields::NB_NAME].setAsAvailable(flowRecord);
@@ -130,7 +139,9 @@ PluginDataMemoryLayout NetBIOSPlugin::getDataMemoryLayout() const noexcept
 	};
 }
 
-static const PluginRegistrar<NetBIOSPlugin, PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
+static const PluginRegistrar<
+	NetBIOSPlugin,
+	PluginFactory<ProcessPlugin, const std::string&, FieldManager&>>
 	netbiosRegistrar(netbiosPluginManifest);
 
 } // namespace ipxp

src/plugins/process/netbios/src/netbios.hpp

@@ -7,20 +7,21 @@
  *
  * Provides a plugin that extracts NetBIOS suffix and name from packets,
  * stores them in per-flow plugin data, and exposes fields via FieldManager.
- * 
+ *
  * @copyright Copyright (c) 2025 CESNET, z.s.p.o.
  */
 
 #pragma once
 
+#include "netbiosData.hpp"
+#include "netbiosFields.hpp"
+
 #include <sstream>
 #include <string>
-#include <processPlugin.hpp>
-#include <fieldManager.hpp>
-#include <fieldHandlersEnum.hpp>
 
-#include "netbiosData.hpp"
-#include "netbiosFields.hpp"
+#include <fieldHandlersEnum.hpp>
+#include <fieldManager.hpp>
+#include <processPlugin.hpp>
 
 namespace ipxp {
 
@@ -30,7 +31,6 @@ namespace ipxp {
  */
 class NetBIOSPlugin : public ProcessPlugin {
 public:
-
 	/**
 	 * @brief Constructs the NetBIOS plugin.
 	 *
@@ -39,7 +39,6 @@ class NetBIOSPlugin : public ProcessPlugin {
 	 */
 	NetBIOSPlugin(const std::string& params, FieldManager& manager);
 
-
 	/**
 	 * @brief Initializes plugin data for a new flow.
 	 *
@@ -66,8 +65,11 @@ class NetBIOSPlugin : public ProcessPlugin {
 	PluginDataMemoryLayout getDataMemoryLayout() const noexcept override;
 
 private:
-	void parseNetBIOS(FlowRecord& flowRecord, std::span<const std::byte> payload, NetBIOSData& pluginData) noexcept;
-	
+	void parseNetBIOS(
+		FlowRecord& flowRecord,
+		std::span<const std::byte> payload,
+		NetBIOSData& pluginData) noexcept;
+
 	FieldHandlers<NetBIOSFields> m_fieldHandlers;
 };
 

src/plugins/process/netbios/src/netbiosData.hpp

@@ -11,8 +11,7 @@
 
 #include <string>
 
-namespace ipxp
-{
+namespace ipxp {
 
 /**
  * @struct NetBIOSData
@@ -21,7 +20,6 @@ namespace ipxp
 struct NetBIOSData {
 	std::string name;
 	char suffix;
-};  
+};
 
 } // namespace ipxp
-

src/plugins/process/netbios/src/netbiosFields.hpp

@@ -11,8 +11,7 @@
 
 #include <cstddef>
 
-namespace ipxp
-{
+namespace ipxp {
 
 /**
  * @enum NetBIOSFields
@@ -24,6 +23,6 @@ enum class NetBIOSFields : std::size_t {
 	NB_NAME = 0,
 	NB_SUFFIX,
 	FIELDS_SIZE,
-};    
-    
+};
+
 } // namespace ipxp

src/plugins/process/nettisa/README.md

@@ -0,0 +1,43 @@
+# NetTimeSeries Plugin
+
+This plugin analyzes network data as time series, enabling more comprehensive and insightful analysis.
+
+## Features
+
+- Calculates and exports statistical properties of the flow based on packet lengths.
+
+## Output Fields
+
+| Field Name      | Data Type | Description                                                 |
+|-----------------|-----------|----------------------------------------|
+| `NTS_MEAN`     | `float` | Mean packet length over the flow duration.                  |
+| `NTS_MIN`      | `uint16_t` | Minimum packet length over the flow duration.               |
+| `NTS_MAX`      | `uint16_t` | Maximum packet length over the flow duration.               |
+| `NTS_STDEV`    | `float` | Standard deviation of packet lengths over the flow duration.    |
+| `NTS_KURTOSIS` | `float` | Kurtosis of packet lengths over the flow duration.           |
+| `NTS_ROOT_MEAN_SQUARE` | `float` | Root mean square of packet lengths over the flow duration.        |
+| `NTS_AVERAGE_DISPERSION` | `float` | Average dispersion of packet lengths over the flow duration.      |
+| `NTS_MEAN_SCALED_TIME` | `float` | Mean of packet lengths scaled by time over the flow duration.    |
+| `NTS_MEAN_DIFFTIMES` | `float` | Mean of time differences between packets over the flow duration. |
+| `NTS_MIN_DIFFTIMES` | `float` | Minimum of time differences between packets over the flow duration.  |
+| `NTS_MAX_DIFFTIMES` | `float` | Maximum of time differences between packets over the flow duration.  |
+| `NTS_TIME_DISTRIBUTION` | `float` | Sum of deviations from mean interpacket arrival times.         |
+| `NTS_SWITCHING_RATIO` | `float` | Ratio of packets when payload length changed in comparison to previous packet.            |
+
+## Usage
+
+### YAML Configuration
+
+Add the plugin to your ipfixprobe YAML configuration:
+
+```yaml
+process_plugins:
+  - nettisa 
+```
+
+### CLI Usage
+
+You can also enable the plugin directly from the command line:
+
+```ipfixprobe -p nettisa ...```
+