GitHub - unbeatencoder/hflow

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 17 Commits
init.d		init.d
misc		misc
AUTHORS		AUTHORS
COPYING		COPYING
ChangeLog		ChangeLog
INSTALL		INSTALL
Makefile.am		Makefile.am
NEWS		NEWS
README		README
acconfig.h		acconfig.h
active_ipv4_flow_db.hpp		active_ipv4_flow_db.hpp
bidir_flow_maker_block.hpp		bidir_flow_maker_block.hpp
bpf_filter_block.hpp		bpf_filter_block.hpp
config.guess		config.guess
config.h.in		config.h.in
config.sub		config.sub
configure.in		configure.in
copy_packet.hpp		copy_packet.hpp
depcomp		depcomp
element.h		element.h
entropy_flow_tagger_block.hpp		entropy_flow_tagger_block.hpp
flow_db_inserter_block.hpp		flow_db_inserter_block.hpp
frag_drop.hpp		frag_drop.hpp
hflow.cpp		hflow.cpp
hflow.spec		hflow.spec
hflow_sebek_block.hpp		hflow_sebek_block.hpp
hflowd.schema		hflowd.schema
install-sh		install-sh
l2_helpers.hpp		l2_helpers.hpp
marker_filter_block.hpp		marker_filter_block.hpp
missing		missing
mkinstalldirs		mkinstalldirs
p0f_block.hpp		p0f_block.hpp
packet_capture.cpp		packet_capture.cpp
pcap_ipv4_infile_block.hpp		pcap_ipv4_infile_block.hpp
pcap_outfile_block.hpp		pcap_outfile_block.hpp
pcap_raw_infile_block.hpp		pcap_raw_infile_block.hpp
pcre.rules		pcre.rules
pcre_flow_tagger_block.hpp		pcre_flow_tagger_block.hpp
snort.conf		snort.conf
snort_block.hpp		snort_block.hpp
ulog_live_ipv4_block.hpp		ulog_live_ipv4_block.hpp

Repository files navigation

-----
Hflow2 

What is this?
This is the next genertion for hflow, there where several objectives behind it:
-- Higher troughput
-- Better directionality detectio
-- Lower runtime dependenciers
-- Lower latency with DB


To achieve this a modular architecture was designed. 
The architecture can be tought as a packet processing language and can be used
without hflow, in fact it hflow2 became a subproject of the packet language.


How we do this?


What do I need?



-----------
FAQ



--I see a patch file.. what is this?
In order to use snort, snort must be compuliled with a special patch
to apply go to the snort directory and:

>>patch -p0 < spo_unified.c.patch

------

Small FAQ

-What is this?
yet another flow tool, but with three objectives in mind:
simplicity, modularity and a new definition of flow

-New definition of netflow, please stop waisting my time?
Not really the definition of netwflow used in this tool
includes not only the true 'in band' packets of a bidirectional
flow, but also those icmp messages that are generated by the end host.
icmp messages that are related to a flow but are generated by intermediate routers
affect the icmp packet count of the flow, but also create a new flow.
The approach is to try to capture the causality of the flows, but also to
convey as much information as possible.

-Ok why not use argus then?
There are two probles with argus:
a. The code complexity is enormous, as it tries to capture a great deal of information.
 what I try to do is similar but I am only dealing with ipv4 flows and i dont care
 much about performance metrics. (still they can be calculated).
 Just to make a quick comparison this program has (including client side) 2189 lines of code
 argus has:25014 lines of code (just argus and common code '.c' files,argus 3.0.0rc17). 
b. due to the code complexity I have found errors on both argus 2.x and 3.x
 2.x (problems with bad direction (try a  tcp syn/ack scan))
 3.x (problems with traceroute with icmp (tested on 3.0.0.rc14)


is this done yet?
no, much more is needed for this to be done, but we are getting closer!




This an early version of the pcap language stuff

a simple block of the form:


-------       --------------     ----------
|Input| ----> | Flow_Maker | --> |pcap out|
-------       --------------     ----------
                    |
                    V
            ------------------------
            |Flow Database inserter|
            ------------------------
                    |
                    V
               ----------
               | Mysqld |
               ----------