ファイル: ProcessPcap.py プロジェクト: j105rob/ipfix
# Log-rotation depth and output-buffering switch, both from the [logging]
# section. BUFFER_OUTPUT is read here but not used in the visible part of
# this file.
BACKUP_COUNT = Config.getint('logging', 'backupCount')
BUFFER_OUTPUT = Config.getboolean('logging', 'useFileForOutput')

# Two rotating log files under LOG_PATH: decoded records go to output.log,
# diagnostics to debug.log. MAX_BYTES / BACKUP_COUNT are handed straight to
# SplunkLogger. LOG_PATH, MAX_BYTES and SplunkLogger are defined earlier in
# the file (not visible here).
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES,
                            BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES,
                           BACKUP_COUNT)

# ProcessPcap is about testing, we're reading a previously captured .pcap file
# whose path comes from the [testing] section. PcapReader is iterated below
# one raw packet at a time; presumably each item is the raw frame bytes.
captureFile = Config.get('testing', 'file')
pkts = PcapReader(captureFile)

# For each packet in the pcap file, extract, decode and print AppFlow IPFIX records.

# NOTE(review): the original note said "we want high log output", but WARNING
# is a *low*-verbosity threshold: the debugLogger.info(...) "DISCARD" messages
# emitted in the packet loop below are suppressed by it. Use logging.INFO or
# logging.DEBUG to actually see them; WARNING is the fast/quiet setting.
debugLogger.setLevel(logging.WARNING)
# Wall-clock start of the pass over the capture; presumably compared against
# a later time() reading to report elapsed time (not visible here).
f1 = time()

for p in pkts:
    # assume layer 2 is Ethernet
    l3type = unpack(">H", p[12:14])[0]
    if l3type != 0x800:  # not IP
        debugLogger.info("DISCARD: Non-IP Packet")
        continue

    pos = 14  # Ethernet length
    tmp = ord(p[pos])
    ip_version = tmp >> 4
    ip_hdr_len = (tmp & 0x0F) << 2
    l4type = ord(p[pos + 9])
    if ip_version != 4 or l4type != 17:  # not ipv4 or UDP
ファイル: ProcessPcap.py プロジェクト: j105rob/ipfix
# Collector port from [network]; read here but not used in the visible part
# of this file (the pcap path is read from disk, not from a socket).
PORT = Config.getint('network', 'port')
# Log-rotation parameters and output-buffering switch from [logging].
# BUFFER_OUTPUT is not referenced in the visible part of this file.
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')
BUFFER_OUTPUT = Config.getboolean('logging','useFileForOutput')

# Two rotating log files under LOG_PATH: decoded records go to output.log,
# diagnostics to debug.log. LOG_PATH and SplunkLogger come from earlier in
# the file (not visible here).
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)

# ProcessPcap is about testing, we're reading a previously captured .pcap file
# whose path comes from the [testing] section. PcapReader is iterated below
# one raw packet at a time; presumably each item is the raw frame bytes.
captureFile = Config.get('testing', 'file')
pkts = PcapReader(captureFile)

# For each packet in the pcap file, extract, decode and print AppFlow IPFIX records.

# NOTE(review): the original note said "we want high log output", but WARNING
# is a *low*-verbosity threshold: the debugLogger.info(...) "DISCARD" messages
# emitted in the packet loop below are suppressed by it. Use logging.INFO or
# logging.DEBUG to actually see them; WARNING is the fast/quiet setting.
debugLogger.setLevel(logging.WARNING)
# Wall-clock start of the pass over the capture; presumably compared against
# a later time() reading to report elapsed time (not visible here).
f1 = time()

for p in pkts:
    # assume layer 2 is Ethernet
    l3type = unpack(">H", p[12:14])[0]
    if l3type != 0x800:  # not IP
        debugLogger.info("DISCARD: Non-IP Packet")
        continue

    pos = 14  # Ethernet length
    tmp = ord(p[pos])
    ip_version = tmp >> 4
    ip_hdr_len = (tmp & 0x0F) << 2
    l4type = ord(p[pos + 9])
    if ip_version != 4 or l4type != 17:  # not ipv4 or UDP
ファイル: Collect.py プロジェクト: j105rob/ipfix
# Listening port and transport name from [network]. PROTOCOL is compared
# case-insensitively against 'udp' below; anything else is not handled in
# the visible part of this file.
PORT = Config.getint('network', 'port')
PROTOCOL = Config.get('network', 'protocol')

# BUFFER_BYTES sizes the socket receive buffer (SO_RCVBUF) below, which is
# how network bursts are absorbed. LEVEL/LOG_LEVEL are the debug-log
# threshold, not a disk-IO setting.
BUFFER_BYTES = Config.getint('network','buffer')
LEVEL = Config.get('logging', 'level')
# logging.getLevelName() maps a level *name* ('DEBUG', 'INFO', ...) to its
# numeric value. For an unknown name it returns the string 'Level <name>',
# and debugLogger.setLevel() below then raises ValueError -- so a typo in
# the config fails at startup rather than silently picking a level.
LOG_LEVEL = logging.getLevelName(LEVEL)

# MAX_BYTES and BACKUP_COUNT control file log rotation. BUFFER_OUTPUT is a
# separate switch, checked in the receive loop below; its effect is outside
# the visible part of this file.
BUFFER_OUTPUT = Config.getboolean('logging','useFileForOutput')
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')

# Two rotating log files under LOG_PATH: decoded records go to output.log,
# diagnostics to debug.log. LOG_PATH and SplunkLogger come from earlier in
# the file (not visible here).
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)
# Only the debug log is level-filtered; splunkLogger keeps its default.
debugLogger.setLevel(LOG_LEVEL)

# Currently, only support UDP
if PROTOCOL.lower() == 'udp':
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, BUFFER_BYTES)
    s.bind((HOST, PORT))
    while 1:
        #    The IPFIX Message Header 16-bit Length field limits the length of an
        #    IPFIX Message to 65535 octets, including the header.  A Collecting
        #    Process MUST be able to handle IPFIX Message lengths of up to 65535
        #    octets.
        data, addr = s.recvfrom(65535)
        ipfix = Parser(data, addr, logger=debugLogger)
        if ipfix.data:
            if BUFFER_OUTPUT:
# BUFFER_BYTES sizes the socket receive buffer (SO_RCVBUF) below, which is
# how network bursts are absorbed. LEVEL/LOG_LEVEL are the debug-log
# threshold, not a disk-IO setting.
BUFFER_BYTES = Config.getint('network', 'buffer')
LEVEL = Config.get('logging', 'level')
# logging.getLevelName() maps a level *name* ('DEBUG', 'INFO', ...) to its
# numeric value. For an unknown name it returns the string 'Level <name>',
# and debugLogger.setLevel() below then raises ValueError -- so a typo in
# the config fails at startup rather than silently picking a level.
LOG_LEVEL = logging.getLevelName(LEVEL)

# MAX_BYTES and BACKUP_COUNT control file log rotation. BUFFER_OUTPUT is a
# separate switch, checked in the receive loop below; its effect is outside
# the visible part of this file.
BUFFER_OUTPUT = Config.getboolean('logging', 'useFileForOutput')
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')

# Two rotating log files under LOG_PATH: decoded records go to output.log,
# diagnostics to debug.log. LOG_PATH and SplunkLogger come from earlier in
# the file (not visible here).
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES,
                            BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES,
                           BACKUP_COUNT)
# Only the debug log is level-filtered; splunkLogger keeps its default.
debugLogger.setLevel(LOG_LEVEL)

# Currently, only support UDP
if PROTOCOL.lower() == 'udp':
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, BUFFER_BYTES)
    s.bind((HOST, PORT))
    while 1:
        #    The IPFIX Message Header 16-bit Length field limits the length of an
        #    IPFIX Message to 65535 octets, including the header.  A Collecting
        #    Process MUST be able to handle IPFIX Message lengths of up to 65535
        #    octets.
        data, addr = s.recvfrom(65535)
        ipfix = Parser(data, addr, logger=debugLogger)
        if ipfix.data:
            if BUFFER_OUTPUT: