YAF
YAF: yfFlowTabConfig_st Struct Reference#include <yaftab.h>
Data Fields | |
| int32_t | active_sec |
| Active timeout in seconds. | |
| int32_t | idle_sec |
| Idle timeout in seconds. | |
| uint32_t | max_flows |
| Maximum number of active flows. | |
| uint32_t | max_payload |
| Maximum octets of payload to capture per flow direction. | |
| const char * | ndpi_proto_file |
| If not NULL, and ndpi is TRUE, use the provided protocol file to expand the sub-protocols list and port-based detection methods. | |
| const char * | pcap_dir |
| Directory to put pcap-per-flow files. | |
| const char * | pcap_meta_file |
| File for pcap meta output. | |
| uint64_t | pcap_max |
| Maximum size [in bytes] of a pcap file before rotating. | |
| uint32_t | pcap_search_flowkey |
| The flow key hash to create a PCAP for. | |
| const char * | pcap_search_stime |
| The start time to create a PCAP for. | |
| uint16_t | udp_uniflow_port |
| If not 0, then this will enable exporting a single UDP packet with this src/dst port as a flow. | |
| gboolean | applabel_mode |
| If TRUE, then the payload, (as limited by max_payload,) is sent through various plugins and code in order to determine which protocol is running on the flow by doing only payload inspection and exporting payload relevent information. | |
| gboolean | entropy_mode |
| If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload). | |
| gboolean | flowstats_mode |
| If TRUE, then YAF will do some extra calculations on flows. | |
| gboolean | force_read_all |
| If TRUE, then yaf will process files that are out of sequence. | |
| gboolean | fpexport_mode |
| If TRUE, then this will enable exporting of full packet banners of the TCP negotiations for the first three packets (including IP and transport headers) for external fingerprinting. | |
| gboolean | mac_mode |
| If TRUE, collect and export source and destination Mac Addresses. | |
| gboolean | ndpi |
| If TRUE, enable nDPI application labeling with standard protocols. | |
| gboolean | no_vlan_in_key |
| If TRUE, this will remove the vlan in the calculation of the flow key hash. | |
| gboolean | p0f_mode |
| If TRUE, then this will enable passive OS finger printing using the p0f engine based mostly on TCP negotiation. | |
| gboolean | pcap_index |
| If TRUE, print one line per packet we export. | |
| gboolean | pcap_per_flow |
| If TRUE, then pcap_dir will be set to the directory to place pcap-per-flow files. | |
| gboolean | silk_mode |
| If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow. | |
| gboolean | udp_multipkt_payload |
If TRUE, then this will enable capturing payload for all UDP packets in a flow (instead of just the first packet) up to max_payload value. | |
| gboolean | uniflow_mode |
| If TRUE, export biflows using record adjacency (two uniflows exported back-to-back. | |
Detailed Description
Configuration settings used to initalize the flow table in yfFlowTabAlloc().
Field Documentation
◆ active_sec
| int32_t yfFlowTabConfig_st::active_sec |
Active timeout in seconds.
The maximum duration of a flow is the active timeout; additional packets for the same flow will be counted as part of a new flow.
◆ entropy_mode
| gboolean yfFlowTabConfig_st::entropy_mode |
If TRUE, then a Shannon Entropy measurement is made over the captured payload (as limited by max_payload).
The entropy value is exported as two values one for forward payload and one for reverse payload.
◆ idle_sec
| int32_t yfFlowTabConfig_st::idle_sec |
Idle timeout in seconds.
A flow that receives no packets for the idle timeout is assumed to be complete.
◆ max_flows
| uint32_t yfFlowTabConfig_st::max_flows |
Maximum number of active flows.
Flows exceeding this limit will be expired in least-recent order, as if they were idle. Used to limit resource usage of a flow table. A value of 0 disables flow count limits.
◆ max_payload
| uint32_t yfFlowTabConfig_st::max_payload |
Maximum octets of payload to capture per flow direction.
Requires at least max_payload octets of payload to be available in each packet buffer passed to yfFlowPBuf(). A value of 0 disables payload capture and export.
◆ pcap_index
| gboolean yfFlowTabConfig_st::pcap_index |
If TRUE, print one line per packet we export.
This will give offset and length into the pcap yaf writes.
◆ pcap_meta_file
| const char* yfFlowTabConfig_st::pcap_meta_file |
File for pcap meta output.
Default is stdout
◆ silk_mode
| gboolean yfFlowTabConfig_st::silk_mode |
If TRUE, clamp totalOctetCount and maxTotalOctetCount to 32 bits and force active timeout on overflow.
Set high order bit in flowEndReason for each flow created on an overflow or active timeout. Breaks IPFIX interoperability; use for direct export to SiLK rwflowpack or flowcap.
◆ uniflow_mode
| gboolean yfFlowTabConfig_st::uniflow_mode |
If TRUE, export biflows using record adjacency (two uniflows exported back-to-back.
Use this for interoperability with IPFIX collectors that do not implement RFC 5103.
The documentation for this struct was generated from the following file:
