def parse_line(cls, line):
    """Turn one comma-separated nfdump-style ``line`` into a flow record dict.

    Columns are matched positionally against ``cls.fields`` (the first
    element of each entry is the column name); ``izip`` stops at the shorter
    side, so surplus columns are dropped and a short line surfaces later as a
    ``KeyError`` rather than being accepted silently.

    Processing: the protocol is lower-cased; for ICMP the ``port2`` column is
    split into integer ``type``/``code`` and ``port1`` is discarded, otherwise
    both ports become ints; ``start_time``/``end_time`` are parsed with
    ``cls.timefmt``.  Client/server orientation (ICMP echo reply, or
    ``utils.guess_srv_port`` for other protocols) decides which ``addr*``,
    ``port*``, ``bytes*`` and ``pkts*`` columns become ``src``/``dst``,
    ``sport``/``dport`` and the ``scbytes``/``scpkts``/``csbytes``/``cspkts``
    counters (converted with ``cls.str2int``).  ``flow_name`` is
    ``"<proto> <dport>"``, ``"<proto> <type>"`` for ICMP, or just the
    protocol.

    Raises ``KeyError`` for a missing column and ``ValueError`` for an
    unparsable port, ICMP type/code or timestamp.
    """
    columns = line.split(",")
    record = dict(
        (spec[0], raw.strip()) for spec, raw in izip(cls.fields, columns)
    )
    record["proto"] = record["proto"].lower()

    server = None
    if record["proto"] == "icmp":
        # Looks like an nfdump anomaly: keeping "0.8" leads to nonsense
        # flows, whereas switching to "8.0" makes it sane again.
        icmp_field = record.pop("port2")
        if icmp_field == "0.8":
            icmp_field = "8.0"
        icmp_type, icmp_code = (int(part) for part in icmp_field.split("."))
        if icmp_type == 0:
            # ICMP 0 (echo reply) answers ICMP 8 (echo request): the reply's
            # sender, addr1, is the server side.
            icmp_type = 8
            server = 1
        else:
            server = 2
        record["type"] = icmp_type
        record["code"] = icmp_code
        del record["port1"]
    else:
        record["port1"] = int(record["port1"])
        record["port2"] = int(record["port2"])

    record["start_time"] = datetime.datetime.strptime(
        record["start_time"], cls.timefmt
    )
    record["end_time"] = datetime.datetime.strptime(
        record["end_time"], cls.timefmt
    )

    if server is None:
        guess = utils.guess_srv_port(
            record["port1"], record["port2"], proto=record["proto"]
        )
        server = 1 if guess >= 0 else 2
    # Indices are always 1 or 2, so the client is the other one.
    client = 3 - server

    record["src"] = record.pop("addr%d" % client)
    record["dst"] = record.pop("addr%d" % server)

    client_port = "port%d" % client
    server_port = "port%d" % server
    if client_port in record:
        record["sport"] = record.pop(client_port)
    if server_port in record:
        record["dport"] = record.pop(server_port)
        record["flow_name"] = "%s %s" % (record["proto"], record["dport"])
    elif "type" in record:
        record["flow_name"] = "%s %s" % (record["proto"], record["type"])
    else:
        record["flow_name"] = record["proto"]

    # Client->server counters come from the client's columns, and vice versa.
    for dest, column, idx in (
        ("scbytes", "bytes", client),
        ("scpkts", "pkts", client),
        ("csbytes", "bytes", server),
        ("cspkts", "pkts", server),
    ):
        record[dest] = cls.str2int(record.pop("%s%d" % (column, idx)))
    return record
def parse_line(cls, line):
    """Turn one comma-separated nfdump-style ``line`` into a flow record dict.

    Columns are matched positionally against ``cls.fields`` (the first
    element of each entry is the column name); ``zip`` stops at the shorter
    side, so surplus columns are dropped and a short line surfaces later as a
    ``KeyError`` rather than being accepted silently.

    Processing: the protocol is lower-cased; for ICMP the ``port2`` column is
    split into integer ``type``/``code`` and ``port1`` is discarded, otherwise
    both ports become ints; ``start_time``/``end_time`` are parsed with
    ``cls.timefmt``.  Client/server orientation (ICMP echo reply, or
    ``utils.guess_srv_port`` for other protocols) decides which ``addr*``,
    ``port*``, ``bytes*`` and ``pkts*`` columns become ``src``/``dst``,
    ``sport``/``dport`` and the ``scbytes``/``scpkts``/``csbytes``/``cspkts``
    counters (converted with ``cls.str2int``).  ``flow_name`` is
    ``"<proto> <dport>"``, ``"<proto> <type>"`` for ICMP, or just the
    protocol.

    Raises ``KeyError`` for a missing column and ``ValueError`` for an
    unparsable port, ICMP type/code or timestamp.
    """
    record = {
        spec[0]: raw.strip() for spec, raw in zip(cls.fields, line.split(","))
    }
    record["proto"] = record["proto"].lower()

    def column(prefix, idx):
        # Build a column key such as "addr1" or "bytes2".
        return "{}{}".format(prefix, idx)

    server = None
    if record["proto"] == "icmp":
        # Looks like an nfdump anomaly: keeping "0.8" leads to nonsense
        # flows, whereas switching to "8.0" makes it sane again.
        icmp_field = record.pop("port2")
        if icmp_field == "0.8":
            icmp_field = "8.0"
        icmp_type, icmp_code = (int(part) for part in icmp_field.split("."))
        if icmp_type == 0:
            # ICMP 0 (echo reply) answers ICMP 8 (echo request): the reply's
            # sender, addr1, is the server side.
            icmp_type = 8
            server = 1
        else:
            server = 2
        record["type"] = icmp_type
        record["code"] = icmp_code
        del record["port1"]
    else:
        record["port1"] = int(record["port1"])
        record["port2"] = int(record["port2"])

    record["start_time"] = datetime.datetime.strptime(
        record["start_time"], cls.timefmt
    )
    record["end_time"] = datetime.datetime.strptime(
        record["end_time"], cls.timefmt
    )

    if server is None:
        guess = utils.guess_srv_port(
            record["port1"], record["port2"], proto=record["proto"]
        )
        server = 1 if guess >= 0 else 2
    # Indices are always 1 or 2, so the client is the other one.
    client = 3 - server

    record["src"] = record.pop(column("addr", client))
    record["dst"] = record.pop(column("addr", server))

    client_port = column("port", client)
    server_port = column("port", server)
    if client_port in record:
        record["sport"] = record.pop(client_port)
    if server_port in record:
        record["dport"] = record.pop(server_port)
        record["flow_name"] = "{} {}".format(record["proto"], record["dport"])
    elif "type" in record:
        record["flow_name"] = "{} {}".format(record["proto"], record["type"])
    else:
        record["flow_name"] = record["proto"]

    # Client->server counters come from the client's columns, and vice versa.
    record["scbytes"] = cls.str2int(record.pop(column("bytes", client)))
    record["scpkts"] = cls.str2int(record.pop(column("pkts", client)))
    record["csbytes"] = cls.str2int(record.pop(column("bytes", server)))
    record["cspkts"] = cls.str2int(record.pop(column("pkts", server)))
    return record