BACnet input plugin

Plugin gets packets from a PCAP interface, parses them and prepares flow record structures. Plugin is able to parse standard IP packets as well as specific low level protocols including BACnet (over IP and over Ethernet), ARP, ISMP, LLDP, etc. Also VLAN encapsulation is supported. MPLS encapsulation is currently not supported. More...


Data Structures
struct	bacnet_input_private_t
	Plugin's private structure with information passed from init to the calls of main plugin functions. More...
struct	bacnet_record_t
	BACnet specific part of the flow record. More...
Defines
#define	PCAP_SIZE 1500
#define	PCAP_TIMEOUT 500
#define	PRINT(format, args...)
#define	PRINTERR(format, args...) fprintf(stderr,format,##args)
#define	PRINTWARN(format, args...) fprintf(stderr,format,##args)
Functions
int	parse_eth (unsigned char buf, uint32_t caplen, flow_record_t record, bacnet_record_t *pr)
	Parse Ethernet header and fill required information into the flow record.
int	parse_llc (unsigned char buf, uint32_t caplen, flow_record_t record, bacnet_record_t *pr)
	Parse Logical Link Control header and fill required information into the flow record.
int	parse_bacnet_vlc (unsigned char buf, uint32_t caplen, flow_record_t record, bacnet_record_t *pr)
	Parse BACnet Virtual Link Control header and fill required information into the flow record.
int	parse_bacnet_ip (uint16_t ethtype, unsigned char buf, uint32_t caplen, flow_record_t record, bacnet_record_t *pr)
	Parse IP header and fill required information into the flow record.
int	parse_bacnet (unsigned char buf, uint32_t caplen, flow_record_t record, bacnet_record_t *pr)
	Parse BACnet headers and fill required information into the flow record.
plugin_desc_t *	plugin_input_desc ()
	API for flowmonexp to get plugin description structure.
int	validity_control (void self, flow_record_t r)
	Validity checker for BACnet record's control field.
int	validity_fail (void self, flow_record_t r)
	General validity checker that always fails.
int	validity_ethertype (void self, flow_record_t r)
	Validity checker for BACnet record's ethertype field.
int	validity_dst (void self, flow_record_t r)
	Validity checker for BACnet record's hop count and dnet fields.
int	validity_dstadr (void self, flow_record_t r)
	Validity checker for BACnet record's hop dadr field.
int	validity_src (void self, flow_record_t r)
	Validity checker for BACnet record's snet field.
int	validity_srcadr (void self, flow_record_t r)
	Validity checker for BACnet record's sadr field.
int	validity_msg_type (void self, flow_record_t r)
	Validity checker for BACnet record's msg_type field.
int	value_length_8 (void self, flow_record_t r)
	Get actual length for BACnet record's 8bit static fields.
int	value_length_16 (void self, flow_record_t r)
	Get actual length for BACnet record's 16bit static fields.
int	value_length_dadr (void self, flow_record_t r)
	Get actual length of the BACnet record's dadr field.
int	value_length_sadr (void self, flow_record_t r)
	Get actual length of the BACnet record's sadr field.
void	value_fill_ethertype (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's ethertype field.
void	value_fill_control (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's control field.
void	value_fill_hops (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's hop_count field.
void	value_fill_msg_type (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's msg_type field.
void	value_fill_vendor_id (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's vendor_id field.
void	value_fill_dnet (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's dnet field.
void	value_fill_dadr (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's dadr field.
void	value_fill_snet (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's snet field.
void	value_fill_sadr (void self, flow_record_t record, void *dst, int len, int to_network_byte_order)
	Get value of the BACnet record's sadr field.
void	plugin_input_getter_init (void plugin_private, flow_record_getter_t *getter_list)
	Init flowmonexp's getters for BACnet record's specific fields.
void *	plugin_input_init (char *params, int full_packet, int data_offset)
	Initialize all needed structures/devices/files etc. The function is called once as the first part of the plugin.
uint64_t	plugin_input_get_final_flow (void plugin_private, flow_record_t record)
	Get flow record implementation - returned flow is immediatelly marked as expired.
uint64_t	plugin_input_get_flow (void plugin_private, flow_record_t record)
	Get flow record implementation - add flow record into the flowmonexp's flow cache.
Variables
unsigned int	plugin_type = (PLUGIN_TYPE_INPUT)

Detailed Description

Plugin gets packets from a PCAP interface, parses them and prepares flow record structures. Plugin is able to parse standard IP packets as well as specific low level protocols including BACnet (over IP and over Ethernet), ARP, ISMP, LLDP, etc. Also VLAN encapsulation is supported. MPLS encapsulation is currently not supported.

By default, plugin reads input data (in PCAP format) from stdin. This can be changed by parameter given to the plugin via flowmonexp command. Parameter can be in a form of path to the input PCAP file or PCAP interface starting with a '@' character. Examples of starting flowmonexp follow.

Read data from stdin:

$ flowmonexp -X input-bacnet.so -I input-bacnet

or

$ flowmonexp -X input-bacnet.so -I input-bacnet:-

Read data from local file data.pcap:

$ flowmonexp -X input-bacnet.so -I input-bacnet:data.pcap

Read data from PCAP's interface eth0:

$ flowmonexp -X input-bacnet.so:@eth0 -I input-bacnet

After the input type parameter there can be also specified file with BPF filter for the input data:

$ flowmonexp -X input-bacnet.so:-,filter.bpf -I input-bacnet

Plugin is able to work in a Single Packet Flow mode when each received packet is immediatelly marked as expired flow. This way flowmonexp exports only 1-packet flows. This feature can be enabled by defining macro SPF (e.g. in time of compilation by GCC's -DSPF option). Plugin then uses plugin_input_get_final_flow() function instead of plugin_input_get_flow().

Define Documentation

#define PCAP_SIZE 1500

Snapshot length of the PCAP packet

Definition at line 125 of file input-bacnet.c.

#define PCAP_TIMEOUT 500

PCAP read timeout in milliseconds

Definition at line 126 of file input-bacnet.c.

#define PRINT	(	format,
		args...		)

Message printer

Definition at line 136 of file input-bacnet.c.

#define PRINTERR	(	format,
		args...		)	fprintf(stderr,format,##args)

Error message printer

Definition at line 142 of file input-bacnet.c.

#define PRINTWARN	(	format,
		args...		)	fprintf(stderr,format,##args)

Warning message printer

Definition at line 147 of file input-bacnet.c.

Function Documentation

int parse_bacnet	(	unsigned char *	buf,
		uint32_t	caplen,
		flow_record_t *	record,
		bacnet_record_t *	pr
	)

Parse BACnet headers and fill required information into the flow record.

Parameters:

`[in]`	buf	Data buffer.
`[in]`	caplen	Length of portion present.
`[in,out]`	record	Flow record structure.
`[in]`	pr	Plugin's private structure with BACnet specific record offset

Return values:

0

on success, nonzero otherwise.

Definition at line 1073 of file input-bacnet.c.

int parse_bacnet_ip	(	uint16_t	ethtype,
		unsigned char *	buf,
		uint32_t	caplen,
		flow_record_t *	record,
		bacnet_record_t *	pr
	)

Parse IP header and fill required information into the flow record.

Parameters:

`[in]`	ethtype	Packet's EtherType value.
`[in]`	buf	Data buffer.
`[in]`	caplen	Length of portion present.
`[in,out]`	record	Flow record structure.
`[in]`	pr	Plugin's private structure with BACnet specific record offset

Return values:

0

on success, nonzero otherwise.

Definition at line 959 of file input-bacnet.c.

int parse_bacnet_vlc	(	unsigned char *	buf,
		uint32_t	caplen,
		flow_record_t *	record,
		bacnet_record_t *	pr
	)

Parse BACnet Virtual Link Control header and fill required information into the flow record.

Parameters:

`[in]`	buf	Data buffer.
`[in]`	caplen	Length of portion present.
`[in,out]`	record	Flow record structure.
`[in]`	pr	Plugin's private structure with BACnet specific record offset

Return values:

0

on success, nonzero otherwise.

Definition at line 998 of file input-bacnet.c.

int parse_eth	(	unsigned char *	buf,
		uint32_t	caplen,
		flow_record_t *	record,
		bacnet_record_t *	pr
	)

Parse Ethernet header and fill required information into the flow record.

Parameters:

`[in]`	buf	Data buffer.
`[in]`	caplen	Length of portion present.
`[in,out]`	record	Flow record structure.
`[in]`	pr	Plugin's private structure with BACnet specific record offset

Return values:

0

on success, nonzero otherwise.

Definition at line 831 of file input-bacnet.c.

int parse_llc	(	unsigned char *	buf,
		uint32_t	caplen,
		flow_record_t *	record,
		bacnet_record_t *	pr
	)

Parse Logical Link Control header and fill required information into the flow record.

Parameters:

`[in]`	buf	Data buffer.
`[in]`	caplen	Length of portion present.
`[in,out]`	record	Flow record structure.
`[in]`	pr	Plugin's private structure with BACnet specific record offset

Return values:

0

on success, nonzero otherwise.

Definition at line 1038 of file input-bacnet.c.

plugin_desc_t* plugin_input_desc ( )

API for flowmonexp to get plugin description structure.

Returns:: Plugin description structure

Definition at line 258 of file input-bacnet.c.

uint64_t plugin_input_get_final_flow	(	void *	plugin_private,
		flow_record_t *	record
	)

Get flow record implementation - returned flow is immediatelly marked as expired.

Parameters:

`[in]`	plugin_private	Plugin's private structure from init with all necessary information
`[in]`	record	Flow record from input plugin(s)

Returns:

zero on success,
nonzero on error

uint64_t plugin_input_get_flow	(	void *	plugin_private,
		flow_record_t *	record
	)

Get flow record implementation - add flow record into the flowmonexp's flow cache.

Parameters:

`[in]`	plugin_private	Plugin's private structure from init with all necessary information
`[in,out]`	record	Flow record from input plugin(s)

Returns:

zero on error,
hash of the flow record (actually of the flow key items)

Definition at line 763 of file input-bacnet.c.

void plugin_input_getter_init	(	void *	plugin_private,
		flow_record_getter_t **	getter_list
	)

Init flowmonexp's getters for BACnet record's specific fields.

Parameters:

`[in]`	plugin_private	Plugin's private structure from init with all necessary information
`[in,out]`	getter_list	List of available getters for a complete flow record

Definition at line 606 of file input-bacnet.c.

void* plugin_input_init	(	char *	params,
		int	full_packet,
		int	data_offset
	)

Initialize all needed structures/devices/files etc. The function is called once as the first part of the plugin.

Parameters:

`[in]`	params	Plugin parameters as string from command line
`[in]`	full_packet	Specify if plugin_input_get_packet() function (if implemented) is forced to return full packet or some cropping can be done
`[in]`	data_offset	Offset of the plugin specific data (bacnet_record_t) in flowmonexp's standard flow record

Returns:: Created and initialized plugin internal structure (bacnet_eth_private_t)

Definition at line 631 of file input-bacnet.c.

int validity_control	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's control field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 271 of file input-bacnet.c.

int validity_dst	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's hop count and dnet fields.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 322 of file input-bacnet.c.

int validity_dstadr	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's hop dadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 341 of file input-bacnet.c.

int validity_ethertype	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's ethertype field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 303 of file input-bacnet.c.

int validity_fail	(	void *	self,
		flow_record_t *	r
	)

General validity checker that always fails.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 290 of file input-bacnet.c.

int validity_msg_type	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's msg_type field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 398 of file input-bacnet.c.

int validity_src	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's snet field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 360 of file input-bacnet.c.

int validity_srcadr	(	void *	self,
		flow_record_t *	r
	)

Validity checker for BACnet record's sadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 379 of file input-bacnet.c.

void value_fill_control	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's control field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 488 of file input-bacnet.c.

void value_fill_dadr	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's dadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 563 of file input-bacnet.c.

void value_fill_dnet	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's dnet field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 548 of file input-bacnet.c.

void value_fill_ethertype	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's ethertype field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 473 of file input-bacnet.c.

void value_fill_hops	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's hop_count field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 503 of file input-bacnet.c.

void value_fill_msg_type	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's msg_type field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 518 of file input-bacnet.c.

void value_fill_sadr	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's sadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 593 of file input-bacnet.c.

void value_fill_snet	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's snet field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 578 of file input-bacnet.c.

void value_fill_vendor_id	(	void *	self,
		flow_record_t *	record,
		void *	dst,
		int	len,
		int	to_network_byte_order
	)

Get value of the BACnet record's vendor_id field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	record	Standard flowmonexp's flow record
`[in]`	dst	Where to copy resulted data
`[in]`	len	Data length
`[in]`	to_network_byte_order	if other than zero, convert value to network byte order (work only for lengths: 1,2,4,8)

Definition at line 533 of file input-bacnet.c.

int value_length_16	(	void *	self,
		flow_record_t *	r
	)

Get actual length for BACnet record's 16bit static fields.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 430 of file input-bacnet.c.

int value_length_8	(	void *	self,
		flow_record_t *	r
	)

Get actual length for BACnet record's 8bit static fields.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 417 of file input-bacnet.c.

int value_length_dadr	(	void *	self,
		flow_record_t *	r
	)

Get actual length of the BACnet record's dadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 443 of file input-bacnet.c.

int value_length_sadr	(	void *	self,
		flow_record_t *	r
	)

Get actual length of the BACnet record's sadr field.

Parameters:

`[in]`	self	Plugin's specific record part (bacnet_record_t) allocated after standard flow record
`[in]`	r	Standard flowmonexp's flow record

Returns:

zero as invalid
nonzero as valid

Definition at line 458 of file input-bacnet.c.

Variable Documentation

unsigned int plugin_type = (PLUGIN_TYPE_INPUT)

Set type of the flowmonexp's plugin

Definition at line 131 of file input-bacnet.c.

BACnet input plugin

Data Structures

Defines

Functions

Variables

Detailed Description

Define Documentation

Function Documentation

Variable Documentation