Beispiel #1
0
 def parse_line(cls, line):
     fields = {
         name[0]: val.strip()
         for name, val in izip(cls.fields, line.split(","))
     }
     fields["proto"] = fields["proto"].lower()
     srv_idx = None
     if fields["proto"] == "icmp":
         # Looks like an nfdump anomaly, keeping "0.8" leads to nonsense
         # flows, whereas switching to "8.0" makes it sane again.
         if fields["port2"] == "0.8":
             fields["port2"] = "8.0"
         fields["type"], fields["code"] = [
             int(x) for x in fields.pop("port2").split(".")
         ]
         # ICMP 0 is an answer to ICMP 8
         if fields["type"] == 0:
             fields["type"] = 8
             srv_idx = 1
         else:
             srv_idx = 2
         del fields["port1"]
     else:
         for field in ["port1", "port2"]:
             fields[field] = int(fields[field])
     for field in ["start_time", "end_time"]:
         fields[field] = datetime.datetime.strptime(fields[field],
                                                    cls.timefmt)
     if srv_idx is None:
         srv_idx = (1 if utils.guess_srv_port(
             fields["port1"], fields["port2"], proto=fields["proto"]) >= 0
                    else 2)
     cli_idx = 1 if srv_idx == 2 else 2
     fields["src"] = fields.pop("addr%d" % cli_idx)
     fields["dst"] = fields.pop("addr%d" % srv_idx)
     if "port%s" % cli_idx in fields:
         fields["sport"] = fields.pop("port%d" % cli_idx)
     if "port%s" % srv_idx in fields:
         fields["dport"] = fields.pop("port%d" % srv_idx)
         fields["flow_name"] = "%(proto)s %(dport)s" % fields
     elif "type" in fields:
         fields["flow_name"] = "%(proto)s %(type)s" % fields
     else:
         fields["flow_name"] = fields['proto']
     fields["scbytes"] = cls.str2int(fields.pop("bytes%d" % cli_idx))
     fields["scpkts"] = cls.str2int(fields.pop("pkts%d" % cli_idx))
     fields["csbytes"] = cls.str2int(fields.pop("bytes%d" % srv_idx))
     fields["cspkts"] = cls.str2int(fields.pop("pkts%d" % srv_idx))
     return fields
Beispiel #2
0
 def parse_line(cls, line):
     fields = dict((name[0], val.strip())
                   for name, val in zip(cls.fields, line.split(",")))
     fields["proto"] = fields["proto"].lower()
     srv_idx = None
     if fields["proto"] == "icmp":
         # Looks like an nfdump anomaly, keeping "0.8" leads to nonsense
         # flows, whereas switching to "8.0" makes it sane again.
         if fields["port2"] == "0.8":
             fields["port2"] = "8.0"
         fields["type"], fields["code"] = [int(x) for x in
                                           fields.pop("port2").split(".")]
         # ICMP 0 is an answer to ICMP 8
         if fields["type"] == 0:
             fields["type"] = 8
             srv_idx = 1
         else:
             srv_idx = 2
         del fields["port1"]
     else:
         for field in ["port1", "port2"]:
             fields[field] = int(fields[field])
     for field in ["start_time", "end_time"]:
         fields[field] = datetime.datetime.strptime(fields[field],
                                                    cls.timefmt)
     if srv_idx is None:
         srv_idx = (
             1 if
             utils.guess_srv_port(fields["port1"], fields["port2"],
                                  proto=fields["proto"]) >= 0
             else 2
         )
     cli_idx = 1 if srv_idx == 2 else 2
     fields["src"] = fields.pop("addr%d" % cli_idx)
     fields["dst"] = fields.pop("addr%d" % srv_idx)
     if "port%s" % cli_idx in fields:
         fields["sport"] = fields.pop("port%d" % cli_idx)
     if "port%s" % srv_idx in fields:
         fields["dport"] = fields.pop("port%d" % srv_idx)
         fields["flow_name"] = "%(proto)s %(dport)s" % fields
     elif "type" in fields:
         fields["flow_name"] = "%(proto)s %(type)s" % fields
     else:
         fields["flow_name"] = fields['proto']
     fields["scbytes"] = cls.str2int(fields.pop("bytes%d" % cli_idx))
     fields["scpkts"] = cls.str2int(fields.pop("pkts%d" % cli_idx))
     fields["csbytes"] = cls.str2int(fields.pop("bytes%d" % srv_idx))
     fields["cspkts"] = cls.str2int(fields.pop("pkts%d" % srv_idx))
     return fields