# Module-level setup for the pcap replay ("ProcessPcap") path: log-rotation
# settings, the two SplunkLogger instances, and the capture file to read.
# Config, SplunkLogger, LOG_PATH, MAX_BYTES, PcapReader, unpack, time, path and
# logging are bound earlier in the file (outside this excerpt).
BACKUP_COUNT = Config.getint('logging', 'backupCount')
BUFFER_OUTPUT = Config.getboolean('logging', 'useFileForOutput')
# Two rotating log files: decoded records go to output.log, diagnostics to debug.log.
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)
# ProcessPcap is about testing, we're reading a previously captured .pcap file
captureFile = Config.get('testing', 'file')
# NOTE(review): PcapReader is assumed here to yield raw frame bytes as str,
# since the loop below slices and ord()s each packet directly — confirm.
pkts = PcapReader(captureFile)
# For each packet in the pcap file, extract, decode and print AppFlow IPFIX records.
# NOTE: for testing, we want high log output (unless we care about speed)
# NOTE(review): WARNING is *less* verbose than the note above asks for; if
# SplunkLogger follows logging.Logger semantics, the debugLogger.info(...)
# calls inside the loop are dropped at this level — confirm which is intended.
debugLogger.setLevel(logging.WARNING)
f1 = time()  # start timestamp; presumably reported after the loop (outside this excerpt)
for p in pkts:
    # assume layer 2 is Ethernet
    # NOTE(review): no frame-length check. A slice p[12:14] shorter than two
    # bytes makes unpack() raise struct.error, and p[pos] / p[pos + 9] raise
    # IndexError on a frame shorter than 24 bytes, so a single truncated
    # capture record aborts the whole replay unless a handler outside this
    # excerpt catches it.
    l3type = unpack(">H", p[12:14])[0]
    if l3type != 0x800:  # not IP
        # Anything that is not plain IPv4 EtherType 0x0800 is dropped here,
        # including 802.1Q-tagged (0x8100) frames, which are not unwrapped.
        debugLogger.info("DISCARD: Non-IP Packet")
        continue
    pos = 14  # Ethernet length
    # ord() on an indexed packet byte requires p[i] to be a one-character str
    # (Python 2 str semantics); on Python 3 bytes, p[i] is already an int and
    # ord() raises TypeError.
    tmp = ord(p[pos])
    ip_version = tmp >> 4  # high nibble of the first IPv4 header byte
    ip_hdr_len = (tmp & 0x0F) << 2  # IHL is in 32-bit words; convert to bytes
    l4type = ord(p[pos + 9])  # IPv4 Protocol field; 17 == UDP
    if ip_version != 4 or l4type != 17:  # not ipv4 or UDP
        # (loop body continues past the end of this excerpt)
# Module-level setup for the pcap replay ("ProcessPcap") path: network and
# log-rotation settings, the two SplunkLogger instances, and the capture file
# to read. Config, SplunkLogger, LOG_PATH, PcapReader, unpack, time, path and
# logging are bound earlier in the file (outside this excerpt).
PORT = Config.getint('network', 'port')  # read but not used in this excerpt (replay path does not bind a socket)
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')
BUFFER_OUTPUT = Config.getboolean('logging','useFileForOutput')
# Two rotating log files: decoded records go to output.log, diagnostics to debug.log.
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)
# ProcessPcap is about testing, we're reading a previously captured .pcap file
captureFile = Config.get('testing', 'file')
# NOTE(review): PcapReader is assumed here to yield raw frame bytes as str,
# since the loop below slices and ord()s each packet directly — confirm.
pkts = PcapReader(captureFile)
# For each packet in the pcap file, extract, decode and print AppFlow IPFIX records.
# NOTE: for testing, we want high log output (unless we care about speed)
# NOTE(review): WARNING is *less* verbose than the note above asks for; if
# SplunkLogger follows logging.Logger semantics, the debugLogger.info(...)
# calls inside the loop are dropped at this level — confirm which is intended.
debugLogger.setLevel(logging.WARNING)
f1 = time()  # start timestamp; presumably reported after the loop (outside this excerpt)
for p in pkts:
    # assume layer 2 is Ethernet
    # NOTE(review): no frame-length check. A slice p[12:14] shorter than two
    # bytes makes unpack() raise struct.error, and p[pos] / p[pos + 9] raise
    # IndexError on a frame shorter than 24 bytes, so a single truncated
    # capture record aborts the whole replay unless a handler outside this
    # excerpt catches it.
    l3type = unpack(">H", p[12:14])[0]
    if l3type != 0x800:  # not IP
        # Anything that is not plain IPv4 EtherType 0x0800 is dropped here,
        # including 802.1Q-tagged (0x8100) frames, which are not unwrapped.
        debugLogger.info("DISCARD: Non-IP Packet")
        continue
    pos = 14  # Ethernet length
    # ord() on an indexed packet byte requires p[i] to be a one-character str
    # (Python 2 str semantics); on Python 3 bytes, p[i] is already an int and
    # ord() raises TypeError.
    tmp = ord(p[pos])
    ip_version = tmp >> 4  # high nibble of the first IPv4 header byte
    ip_hdr_len = (tmp & 0x0F) << 2  # IHL is in 32-bit words; convert to bytes
    l4type = ord(p[pos + 9])  # IPv4 Protocol field; 17 == UDP
    if ip_version != 4 or l4type != 17:  # not ipv4 or UDP
        # (loop body continues past the end of this excerpt)
# Module-level configuration and main receive loop for the live UDP collector.
# Config, SplunkLogger, LOG_PATH, HOST, Parser, socket, logging and path are
# bound earlier in the file (outside this excerpt).
PORT = Config.getint('network', 'port')
PROTOCOL = Config.get('network', 'protocol')
# These two options are how we mitigate disk IO and network bursts
BUFFER_BYTES = Config.getint('network','buffer')
LEVEL = Config.get('logging', 'level')
# getLevelName() is used in its reverse direction here: level *name* -> number.
# The name is case-sensitive ('INFO', not 'info'); for an unknown name it
# returns the string 'Level <name>', which setLevel() below rejects with
# ValueError if SplunkLogger delegates to logging.Logger.setLevel — so a
# misspelled level fails at startup rather than silently changing verbosity.
LOG_LEVEL = logging.getLevelName(LEVEL)
# These two options control file log rotation
BUFFER_OUTPUT = Config.getboolean('logging','useFileForOutput')
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')
# Two rotating log files: decoded records go to output.log, diagnostics to debug.log.
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger.setLevel(LOG_LEVEL)
# Currently, only support UDP
# (no branch for any other PROTOCOL value is visible in this excerpt; a
# non-'udp' setting presumably falls through and starts no listener — confirm)
if PROTOCOL.lower() == 'udp':
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Ask the kernel for a larger receive buffer so bursts of exports are not
    # dropped while records are being written out. The kernel may silently cap
    # the value (e.g. at net.core.rmem_max on Linux); the effective size is
    # not read back or checked here.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, BUFFER_BYTES)
    # Any host that can reach HOST:PORT can feed datagrams into Parser below;
    # IPFIX over plain UDP carries no sender authentication, so exporter
    # allow-listing has to happen outside this process (host/network filtering).
    s.bind((HOST, PORT))
    while 1:
        # The IPFIX Message Header 16-bit Length field limits the length of an
        # IPFIX Message to 65535 octets, including the header. A Collecting
        # Process MUST be able to handle IPFIX Message lengths of up to 65535
        # octets.
        data, addr = s.recvfrom(65535)
        # NOTE(review): no try/except around Parser is visible in this excerpt;
        # an exception raised while parsing one malformed datagram leaves the
        # loop and stops the collector unless a handler further out catches it.
        ipfix = Parser(data, addr, logger=debugLogger)
        if ipfix.data:
            if BUFFER_OUTPUT:
                # (loop body continues past the end of this excerpt)
# Module-level configuration and main receive loop for the live UDP collector.
# Config, SplunkLogger, LOG_PATH, HOST, PORT, PROTOCOL, Parser, socket, logging
# and path are bound earlier in the file (outside this excerpt).
# These two options are how we mitigate disk IO and network bursts
BUFFER_BYTES = Config.getint('network', 'buffer')
LEVEL = Config.get('logging', 'level')
# getLevelName() is used in its reverse direction here: level *name* -> number.
# The name is case-sensitive ('INFO', not 'info'); for an unknown name it
# returns the string 'Level <name>', which setLevel() below rejects with
# ValueError if SplunkLogger delegates to logging.Logger.setLevel — so a
# misspelled level fails at startup rather than silently changing verbosity.
LOG_LEVEL = logging.getLevelName(LEVEL)
# These two options control file log rotation
BUFFER_OUTPUT = Config.getboolean('logging', 'useFileForOutput')
MAX_BYTES = Config.getint('logging', 'maxBytes')
BACKUP_COUNT = Config.getint('logging', 'backupCount')
# Two rotating log files: decoded records go to output.log, diagnostics to debug.log.
splunkLogger = SplunkLogger(path.join(LOG_PATH, 'output.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger = SplunkLogger(path.join(LOG_PATH, 'debug.log'), MAX_BYTES, BACKUP_COUNT)
debugLogger.setLevel(LOG_LEVEL)
# Currently, only support UDP
# (no branch for any other PROTOCOL value is visible in this excerpt; a
# non-'udp' setting presumably falls through and starts no listener — confirm)
if PROTOCOL.lower() == 'udp':
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Ask the kernel for a larger receive buffer so bursts of exports are not
    # dropped while records are being written out. The kernel may silently cap
    # the value (e.g. at net.core.rmem_max on Linux); the effective size is
    # not read back or checked here.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, BUFFER_BYTES)
    # Any host that can reach HOST:PORT can feed datagrams into Parser below;
    # IPFIX over plain UDP carries no sender authentication, so exporter
    # allow-listing has to happen outside this process (host/network filtering).
    s.bind((HOST, PORT))
    while 1:
        # The IPFIX Message Header 16-bit Length field limits the length of an
        # IPFIX Message to 65535 octets, including the header. A Collecting
        # Process MUST be able to handle IPFIX Message lengths of up to 65535
        # octets.
        data, addr = s.recvfrom(65535)
        # NOTE(review): no try/except around Parser is visible in this excerpt;
        # an exception raised while parsing one malformed datagram leaves the
        # loop and stops the collector unless a handler further out catches it.
        ipfix = Parser(data, addr, logger=debugLogger)
        if ipfix.data:
            if BUFFER_OUTPUT:
                # (loop body continues past the end of this excerpt)