=================================================
:mod:`pyfixbuf` API Documentation
=================================================

.. automodule:: pyfixbuf

InfoElement
=======================

Information Elements make up the IPFIX Information Model and IPFIX templates.
All Information Elements consist of a unique and meaningful name, an
enterprise number, a numeric identifier, a length, and a data type.
libfixbuf_ adds, by default, the `IANA managed Information Elements`_ to the
Information Model. IANA's Information Elements have an enterprise number of 0;
a non-zero enterprise number is called a private enterprise number (PEN).

To process data from YAF_ or `super_mediator`_, enterprise-specific
information elements must be loaded into the information model. These
information elements use the CERT PEN, 6871. One may load all CERT-defined
information elements into an :class:`InfoModel`, *model*, by importing the
:mod:`pyfixbuf.cert` package and running
:meth:`pyfixbuf.cert.add_elements_to_model` with *model* as its argument.

There are two alternate ways to add those elements to an :class:`InfoModel`:

#. Download the `XML file`_ that defines those elements and invoke the model's
   :meth:`InfoModel.read_from_xml_file` method.

#. Invoke :meth:`InfoModel.add_element_list` on the model and pass it one of
   the :mod:`pyfixbuf.yaflists` variables.

.. _libfixbuf: https://tools.netsa.cert.org/fixbuf/index.html
.. _YAF: https://tools.netsa.cert.org/yaf/index.html
.. _super_mediator: https://tools.netsa.cert.org/super_mediator/index.html
.. _XML file: https://tools.netsa.cert.org/cert-ipfix-registry/index.html
.. _IANA managed Information Elements: https://www.iana.org/assignments/ipfix/ipfix.xhtml

If an Information Element (IE) is initialized with the ENDIAN flag set, the
IE is an integer and will be endian-converted on transcode.
If the REVERSIBLE flag is set, a second, reverse information element
will be added to the Information Model.

If an Information Element is initialized with a DataType then
the appropriate Python data type will be returned. Otherwise, the
value of the Information Element retrieved will be in a Byte Array.
If the Information Element is of type STRING or LIST, the IE length
should be VARLEN. OCTET_ARRAYs may or may not be variable length.
The following is a list of acceptable data types, which are stored
as an enumeration in libfixbuf. When defining an Information Element
both the type and the integer value are accepted.

.. list-table::
   :header-rows: 1
   :widths: 20, 8, 8, 20

   * - Type
     - Integer Value
     - Length
     - Python Return Type
   * - DataType.OCTET_ARRAY
     - 0
     - VARLEN
     - Byte Array
   * - DataType.UINT8
     - 1
     - 1
     - Integer
   * - DataType.UINT16
     - 2
     - 2
     - Long
   * - DataType.UINT32
     - 3
     - 4
     - Long
   * - DataType.UINT64
     - 4
     - 8
     - Long
   * - DataType.INT8
     - 5
     - 1
     - Long
   * - DataType.INT16
     - 6
     - 2
     - Long
   * - DataType.INT32
     - 7
     - 4
     - Long
   * - DataType.INT64
     - 8
     - 8
     - Long
   * - DataType.FLOAT32
     - 9
     - 4
     - Float
   * - DataType.FLOAT64
     - 10
     - 8
     - Float
   * - DataType.BOOL
     - 11
     - 1
     - Bool
   * - DataType.MAC_ADDR
     - 12
     - 6
     - String
   * - DataType.STRING
     - 13
     - VARLEN
     - String
   * - DataType.SECONDS
     - 14
     - 4
     - Long
   * - DataType.MILLISECONDS
     - 15
     - 8
     - Long
   * - DataType.MICROSECONDS
     - 16
     - 8
     - Long
   * - DataType.NANOSECONDS
     - 17
     - 8
     - Long
   * - DataType.IP4ADDR
     - 18
     - 4
     - String
   * - DataType.IP6ADDR
     - 19
     - 16
     - String
   * - DataType.BASIC_LIST
     - 20
     - VARLEN
     - BL
   * - DataType.SUB_TMPL_LIST
     - 21
     - VARLEN
     - STL
   * - DataType.SUB_TMPL_MULTI_LIST
     - 22
     - VARLEN
     - STML

Units, min, max, semantic, and description are all optional parameters
to further describe an information element. If the process is exporting
Information Element Type Option Records (:rfc:`5610`), this information
will help the collecting process identify the type of information contained
in the value of an Information Element. Valid Units are listed in the table
below.

============================ =============
Units                        Integer Value
============================ =============
Units.NONE                   0
Units.BITS                   1
Units.OCTETS                 2
Units.PACKETS                3
Units.FLOWS                  4
Units.SECONDS                5
Units.MILLISECONDS           6
Units.MICROSECONDS           7
Units.NANOSECONDS            8
Units.WORDS                  9
Units.MESSAGES               10
Units.HOPS                   11
Units.ENTRIES                12
Units.FRAMES                 13
Units.PORTS                  14
Units.INFERRED               15
============================ =============


The following table lists the available Semantic values:

============================ =============
Semantic                     Integer Value
============================ =============
Semantic.DEFAULT             0
Semantic.QUANTITY            1
Semantic.TOTALCOUNTER        2
Semantic.DELTACOUNTER        3
Semantic.IDENTIFIER          4
Semantic.FLAGS               5
Semantic.LIST                6
Semantic.SNMPCOUNTER         7
Semantic.SNMPGAUGE           8
============================ =============

.. class:: InfoElement(name: str, enterprise_number: int, id: int[, length: int = VARLEN[, reversible: bool = False[, endian: bool = False[, type: DataType = DataType.OCTET_ARRAY[, units: Units = Units.NONE[, min: int = 0[, max: int = 0[, semantic: Semantic = Semantic.DEFAULT[, description: str = None]]]]]]]]])

   Creates a new Information Element (IE) using the given *name*,
   *enterprise_number*, and *id*, and optional *length*, *reversible* flag,
   *endian* flag, *type*, *units*, *min*, *max*, *semantic*, and
   *description*. An Information Element identifies a type of data to be
   stored and transmitted via IPFIX.

   If no *length* is provided, the IE is defined as having a variable
   length. All Strings should be variable length.

   If *endian* is ``True``, the IE is assumed to be an integer and will be
   converted to and from network byte order upon transcoding.

   If *reversible* is ``True``, a second IE is created for the same information
   in the reverse direction. (The reversed IE's name is created by
   capitalizing the first character of *name* and prepending the string
   ``reverse``.)

   If *type* is set, pyfixbuf will know how to print values of this type.
   Otherwise the type of the element will be DataType.OCTET_ARRAY. See the
   above table for a list of types.

   *units* optionally defines the units of an Information Element. See the
   above table for a list of units.

   *min* optionally defines the minimum value of an Information Element.

   *max* optionally defines the maximum value of an Information Element.

   *semantic* optionally defines the semantics of an Information Element.
   See the above table for a list of semantics.

   *description* optionally contains a human-readable description of an
   Information Element.

   .. attribute:: name : str

      The name, a string, associated with the InfoElement.

   .. attribute:: enterprise_number : int

      The Enterprise Number associated with the InfoElement. Default (IANA)
      Information Elements have an enterprise number of 0.
      `enterprise_number` is a 32-bit unsigned integer; a private enterprise
      number is in the range 1--4,294,967,295.

   .. attribute:: id : int

      The Information Element ID that, with the enterprise number, uniquely
      identifies the Information Element. `id` is an unsigned 15-bit integer
      (1--32767).

   .. attribute:: length : int

      The length associated with the Information Element. This is the
      amount of memory allocated for the Information Element. If the
      Information Element is of variable length, length will contain the
      size of the fbVarfield struct.

   .. attribute:: type : DataType

      The data type associated with the Information Element. This is stored
      as an enumeration in pyfixbuf and can have values 0-22. If type is
      not defined, the default type is 0, DataType.OCTET_ARRAY. If the
      Information Element is defined as VARLEN, the default type is 13,
      DataType.STRING.

   .. attribute:: units : Units

      The units associated with the Information Element. This is stored as
      an enumeration in pyfixbuf and can have values 0-15. If units are
      not defined, the default is Units.NONE.

   .. attribute:: min : int

      If a range is defined with the Information Element, min is the minimum
      value accepted. Valid values are 0 - 2^64-1.

   .. attribute:: max : int

      If a range is defined for an Information Element, max is the maximum
      value accepted. Valid values are 0 - 2^64-1.

   .. attribute:: semantic : Semantic

      Semantic value for an Information Element. This is stored as an
      enumeration in pyfixbuf and can have values 0 - 8. The default
      semantic is 0, Semantic.DEFAULT.

   .. attribute:: description : str

      Description of an Information Element. This is a string. Default is
      None.

   .. attribute:: reversible : bool

      True if an Information Element is defined as reversible.

   .. attribute:: endian : bool

      True if an Information Element is defined as endian.

   .. method:: as_dict() -> dict

      Return a dictionary of key value pairs suitable for use as
      keyword arguments to InfoElement's constructor.

   .. attribute:: ent : int

      An alias for `enterprise_number`.

Examples::

   >>> CERT_PEN = 6871
   >>> foo = pyfixbuf.InfoElement('fooname', CERT_PEN, 722, units=pyfixbuf.Units.WORDS)
   >>> bar = pyfixbuf.InfoElement('barname', 123, 565, 1, reversible=True, endian=True)
   >>> foo2 = pyfixbuf.InfoElement('fooname2', 0, 888, 3, type=pyfixbuf.DataType.OCTET_ARRAY)
   >>> flo = pyfixbuf.InfoElement('flo_element', 0, 452, 8, endian=True, type=8)


DataType
===========================

The DataType class holds the values for the `IPFIX Information Element
Data Types`_ that are supported by pyfixbuf and some utility functions.
This class may not be instantiated, and all methods are static.

.. _IPFIX Information Element Data Types: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-element-data-types

.. autoclass:: DataType

   .. automethod:: get_name(value: int) -> str

   .. automethod:: to_string(value: int) -> str

   .. automethod:: by_name(name: String) -> DataType

   .. automethod:: check_type(data_type: int, value: Any) -> bool

   .. automethod:: get_length(data_type: int) -> int

   .. automethod:: refine_type_for_length(data_type: int, len) -> DataType

   .. automethod:: supports_RLE(data_type: int) -> bool

Units
===========================

The Units class holds the values for the `IPFIX Information Element
Units`_ that are supported by pyfixbuf and some utility functions.
This class may not be instantiated, and all methods are static.

.. _IPFIX Information Element Units: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-element-units

.. autoclass:: Units

   .. automethod:: get_name(value: int) -> String

   .. automethod:: to_string(value: int) -> String

   .. automethod:: by_name(name: String) -> Units

Semantic
===========================

The Semantic class holds the values for the `IPFIX Information
Element Semantics`_ that are supported by pyfixbuf and some utility
functions. This class may not be instantiated, and all methods are
static.

.. _IPFIX Information Element Semantics: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-semantics

.. autoclass:: Semantic

   .. automethod:: get_name(value: int) -> String

   .. automethod:: to_string(value: int) -> String

   .. automethod:: by_name(name: String) -> Semantic

InfoElementSpec
===========================

An Information Element Specification (:class:`InfoElementSpec`) is used to
name an Information Element (:class:`InfoElement`) for inclusion in a
:class:`Template`. The Information Element must have already been defined and
added to the Information Model (:class:`InfoModel`). An
:class:`InfoElementSpec` contains the exact name of the defined Information
Element and an optional length override.

.. class:: InfoElementSpec(name: str[, length: int = 0])

   Creates a new Information Element Specification using the given *name*,
   and optional override *length*. An IPFIX Template is made up of one or
   more :class:`InfoElementSpec`\s.

   The given *name* must be a defined Information Element in the Information
   Model before adding the :class:`InfoElementSpec` to a :class:`Template`.

   If *length* is nonzero, it is used instead of the default length of this
   Information Element for reduced-length encoding. Not all Information
   Element data types support reduced-length encoding, and *length* must be
   smaller than the default length. When 0, the default length provided by
   the :class:`InfoElement` in the :class:`InfoModel` is used.

   Note that the values of *name* and *length* are only checked when the
   :class:`InfoElementSpec` is added to a :class:`Template`. When an
   :class:`InfoElementSpec` whose *length* is zero is added to a
   :class:`Template`, the *length* of that :class:`InfoElementSpec` is
   modified to reflect the default length of the :class:`InfoElement`.

   Examples::

      >>> spec1 = pyfixbuf.InfoElementSpec("fooname")
      >>> spec2 = pyfixbuf.InfoElementSpec("sourceTransportPort")
      >>> spec3 = pyfixbuf.InfoElementSpec("flo_element", 4)

   .. attribute:: name : str

      The Information Element Specification name.

   .. attribute:: length : int

      The length override for the Information Element Specification. A
      value of 0 indicates the length of the element is the default length
      specified for that :class:`InfoElement` in the :class:`InfoModel`.


InfoModel
======================

The InfoModel type implements an IPFIX Information Model (:rfc:`7012`),
adding the `IANA managed Information Elements`_ by default, and providing
methods to add enterprise-specific information elements.

.. autoclass:: InfoModel()

   .. automethod:: add_element(element: InfoElement)

   .. automethod:: add_element_list(elements: Iterable[InfoElement])

   .. automethod:: get_element_length(name: str[, type: int]) -> length

   .. automethod:: get_element([name: str, id: int, ent: int]) -> InfoElement

   .. automethod:: get_element_type(name: str) -> DataType

   .. automethod:: add_options_element(rec: Record)

   .. automethod:: read_from_xml_data(xml_data: Any)

   .. automethod:: read_from_xml_file(filename: str)

Examples::

   >>> model = pyfixbuf.InfoModel()
   >>> model.add_element(foo)
   >>> model.add_element_list([foo, bar, flo])
   >>> model.add_element_list(pyfixbuf.YAF_DNS_LIST) # adds all YAF DNS DPI elements
   >>> length = model.get_element_length("sourceTransportPort")
   >>> print(length)
   2

Template
======================

The :class:`Template` type implements an IPFIX Template or an IPFIX Options
Template. IPFIX templates contain one or more Information Elements.
If a certain sequence of elements is desired, each Information Element
(:class:`InfoElementSpec`) must be added to the template in the desired
order. Templates are stored by Template ID and type (internal, external)
per domain in a :class:`Session`. Template IDs of data sets are numbered from
256 to 65535. Templates are given a template ID when they are added to
a :class:`Session`. The only difference between Data Templates and Options
Templates is that Options Templates have a scope associated with them,
which gives the context of reported Information Elements in the Data
Records.

An Internal Template is how fixbuf decides what the data should look
like when it is transcoded. For this reason, an internal template should
match the corresponding :class:`Record`, in terms of the order of Information
Elements. An External Template is sent before
the exported data so that the Collecting Process is able to process
IPFIX messages without necessarily knowing the interpretation of all data
records.

.. autoclass:: Template(model: InfoModel[, type: bool = False])

   An Information Model (:class:`InfoModel`) is needed to allocate and
   initialize a new Template.

   .. automethod:: copy() -> Template

   .. automethod:: add_spec(spec: InfoElementSpec)

   .. automethod:: add_spec_list(specs: Iterable[InfoElementSpec])

   .. automethod:: add_element(name: str)

   .. automethod:: get_indexed_ie(index: int) -> InfoElement

   .. automethod:: get_context() -> Any

   .. automethod:: __contains__(element: Union[InfoElement, InfoElementSpec, str, int]) -> bool

   .. automethod:: __getitem__(key: Union[InfoElement, InfoElementSpec, str, int]) -> InfoElementSpec

   .. automethod:: __len__() -> int

   .. automethod:: __iter__() -> Iterator[InfoElementSpec]

   .. automethod:: ie_iter() -> Iterator[InfoElement]

   .. attribute:: scope : int

      Returns the scope associated with the :class:`Template`.
      Setting scope to zero sets the scope to encompass the entire
      template. Setting the scope to ``None`` removes the scope.

   .. attribute:: template_id : int

      Returns the template ID associated with the :class:`Template`. Template
      ID can only be changed by adding the template to a :class:`Session`.

   .. attribute:: type : bool

      Returns ``True`` if template is an Information Element Type Information
      Template. Returns ``False`` otherwise. This attribute may not be
      changed.

   .. attribute:: infomodel : InfoModel

      Returns the :class:`InfoModel` associated with the Template. This
      attribute may not be changed.

   .. attribute:: read_only : bool

      Returns True if this template has been added to a :class:`Session`.
      This attribute may not be set.
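The :class:`InfoElementSpec` and :class:`Template` text above describes templates in
terms of pyfixbuf objects; what an external template and its data records look like
on the wire is defined by :rfc:`7011`. The following pure-Python example is added
here for illustration and is not pyfixbuf code, nor does it use the pyfixbuf API. It
encodes a Template Set and a Data Set for a template equivalent to four
:class:`InfoElementSpec`\s (two IANA ports, ``octetDeltaCount`` with a
reduced-length override of 4, and the CERT-PEN element ``fooname`` from the
examples above, whose id 722 and VARLEN length are this example's assumptions), then
decodes the sets with the bounds checks a collector should apply to input from an
untrusted exporter: every set and field length is checked against its enclosing
container, a zero-length template field is refused so a hostile template cannot make
the record loop spin forever, and a Data Set arriving before its template is
rejected rather than guessed at. The template id 256 and the sample record values
are constructed for the example.

```python
"""Pure-Python encode/decode of IPFIX Template and Data Sets (RFC 7011)."""
import struct

VARLEN = 65535  # a field length of 65535 on the wire means variable length

# Constructed information model: name -> (enterprise number, element id, default length).
# The first three are IANA elements; "fooname" stands in for the CERT-PEN element of
# the InfoElement examples above (its id and VARLEN length are this example's assumptions).
MODEL = {
    "sourceTransportPort": (0, 7, 2),
    "destinationTransportPort": (0, 11, 2),
    "octetDeltaCount": (0, 1, 8),
    "fooname": (6871, 722, VARLEN),
}
NAMES = {(pen, ie_id): name for name, (pen, ie_id, _) in MODEL.items()}

def field_specifier(name, length=0):
    """Field Specifier: id with the enterprise bit, length, then the PEN when non-zero."""
    pen, ie_id, default = MODEL[name]
    if not 1 <= ie_id <= 32767:
        raise ValueError("element id must fit in 15 bits")
    if length == 0:
        length = default
    elif default == VARLEN or length >= default:  # RLE may only shrink a fixed field
        raise ValueError("invalid reduced length for %s" % name)
    spec = struct.pack("!HH", (0x8000 if pen else 0) | ie_id, length)
    return spec + (struct.pack("!I", pen) if pen else b""), length

def template_set(template_id, specs):
    """Template Set (set id 2) for specs = [(name, length_override), ...]."""
    if not 256 <= template_id <= 65535:
        raise ValueError("data template ids are 256..65535")
    body = b"".join(field_specifier(n, l)[0] for n, l in specs)
    record = struct.pack("!HH", template_id, len(specs)) + body
    return struct.pack("!HH", 2, 4 + len(record)) + record

def encode_value(name, length, value):
    """Big-endian integer in `length` octets, or a length-prefixed VARLEN field."""
    if length == VARLEN:
        data = value.encode() if isinstance(value, str) else bytes(value)
        if len(data) < 255:
            return bytes([len(data)]) + data
        return b"\xff" + struct.pack("!H", len(data)) + data  # 3-octet escape form
    if not 0 <= value < 1 << (8 * length):
        raise ValueError("%s=%r does not fit in %d octets" % (name, value, length))
    return value.to_bytes(length, "big")

def data_set(template_id, specs, records):
    """Data Set (set id = template id) for a list of dicts keyed by element name."""
    lengths = [field_specifier(n, l)[1] for n, l in specs]
    body = b"".join(encode_value(n, ln, r[n])
                    for r in records for (n, _), ln in zip(specs, lengths))
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def take(buf, pos, n, end):
    """Slice n octets at pos without crossing `end`, the enclosing set boundary."""
    if pos + n > end:
        raise ValueError("field escapes its enclosing set")
    return buf[pos:pos + n]

def decode_sets(buf):
    """Decode the sets that follow the 16-octet IPFIX message header; raise on bad input."""
    templates, records, pos = {}, [], 0
    while pos < len(buf):
        set_id, set_len = struct.unpack("!HH", take(buf, pos, 4, len(buf)))
        end = pos + set_len
        if set_len < 4 or end > len(buf):
            raise ValueError("set length escapes message")  # never trust set_len
        pos += 4
        if set_id == 2:  # Template Set (Options Template Sets, id 3, are skipped here)
            tid, count = struct.unpack("!HH", take(buf, pos, 4, end))
            pos, fields = pos + 4, []
            for _ in range(count):
                raw_id, length = struct.unpack("!HH", take(buf, pos, 4, end))
                pos, pen = pos + 4, 0
                if raw_id & 0x8000:
                    pen, pos = struct.unpack("!I", take(buf, pos, 4, end))[0], pos + 4
                if length == 0:
                    raise ValueError("zero-length field would stall the record loop")
                fields.append((pen, raw_id & 0x7FFF, length))
            if fields:
                templates[tid] = fields
            else:
                templates.pop(tid, None)  # a field count of 0 is a Template Withdrawal
        elif set_id >= 256:
            if set_id not in templates:
                raise ValueError("data set for unknown template %d" % set_id)
            fields = templates[set_id]
            min_rec = sum(1 if ln == VARLEN else ln for _, _, ln in fields)
            while end - pos >= min_rec:  # anything shorter than one record is padding
                rec = {}
                for pen, ie_id, length in fields:
                    is_var = length == VARLEN
                    if is_var:
                        length, pos = take(buf, pos, 1, end)[0], pos + 1
                        if length == 255:
                            length, pos = struct.unpack("!H", take(buf, pos, 2, end))[0], pos + 2
                    raw = take(buf, pos, length, end)
                    pos += length
                    rec[NAMES.get((pen, ie_id), (pen, ie_id))] = raw if is_var else int.from_bytes(raw, "big")
                records.append(rec)
        pos = end
    return records
```

``decode_sets(template_set(256, specs) + data_set(256, specs, [rec]))`` returns the
record with the reduced-length ``octetDeltaCount`` widened back to a Python integer and
``fooname`` as bytes; ``encode_value("octetDeltaCount", 4, 1 << 32)`` raises because the
value does not fit the reduced length, which is the check to make before choosing an
override length for an :class:`InfoElementSpec`.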

Examples::

   >>> tmpl = pyfixbuf.Template(model)
   >>> spec = pyfixbuf.InfoElementSpec("sourceTransportPort")
   >>> spec2 = pyfixbuf.InfoElementSpec("destinationTransportPort")
   >>> tmpl.add_spec(spec)
   >>> tmpl.add_spec(spec2)
   >>> tmpl2 = pyfixbuf.Template(model)
   >>> tmpl2.add_spec_list([pyfixbuf.InfoElementSpec("fooname"),
   ...                      pyfixbuf.InfoElementSpec("barname")])
   >>> tmpl2.scope = 2
   >>> if "sourceTransportPort" in tmpl:
   ...     print("yes")
   ...
   yes


Session
=====================

The state of an IPFIX Transport Session is maintained in the :class:`Session`
object. This includes all IPFIX Message Sequence Number tracking, and
internal and external template management. A :class:`Session` is associated
with an :class:`InfoModel`. :class:`Template` instances must be added before
collecting (via a :class:`Collector` or :class:`Listener`) or exporting (see
:class:`Exporter`) any data.

.. autoclass:: Session(model: InfoModel)

   .. automethod:: add_template(template: Template[, template_id: int = 0]) -> int

   .. automethod:: add_internal_template(template: Template[, template_id: int = 0]) -> int

   .. automethod:: add_external_template(template: Template[, template_id: int = 0]) -> int

   .. automethod:: decode_only(id_list: Iterable[int])

   .. automethod:: ignore_templates(id_list: Iterable[int])

   .. automethod:: add_template_pair(external_template_id: int, internal_template_id: int)

   .. method:: export_templates()

      Exports the templates associated with this :class:`Session`. This is
      necessary for an exporting session (see :class:`Exporter`) and must be
      called before any records are appended to the :class:`Buffer`. The
      :class:`Buffer` must already have a :class:`Session` associated with it
      using :meth:`Buffer.init_export`.

   .. automethod:: get_template(template_id: int[, internal: bool = False]) -> Template

   .. automethod:: add_template_callback(callback: Callable[[Session, Template, Any], Any])

   .. attribute:: domain : int

      The observation domain on the :class:`Session`.

Examples (the template is the first argument and the template ID the second, as
in the signatures above; a template ID of 0 asks the session to assign one)::

   >>> session = pyfixbuf.Session(model)
   >>> session.add_internal_template(tmpl, 289)
   >>> auto_id = session.add_external_template(tmpl, 0)
   >>> session.decode_only([256, 257])

Exporter
=====================

An Exporter maintains the information needed for its connection
to a corresponding Collecting Process. An Exporter can be created to
connect via the network using one of the supported IPFIX transport
protocols, or to write to IPFIX files. Depending on the type of
Exporter desired, one will use one of the following methods:

.. autoclass:: Exporter()

   .. automethod:: init_file(filename: str)

   .. automethod:: init_net(hostname: str[, transport: str = "tcp"[, port: int = 4739]])

Examples::

   >>> exporter = pyfixbuf.Exporter()
   >>> exporter.init_file("/path/to/out.ipfix")
   >>> exporter2 = pyfixbuf.Exporter()
   >>> exporter2.init_net("localhost", "udp", 18000)


Collector
======================

A :class:`Collector` maintains the necessary information for
the connection to a corresponding Exporting Process. A
:class:`Collector` is used for reading from an IPFIX file. See
:class:`Listener` for collecting IPFIX over a network.

.. autoclass:: Collector()

   .. automethod:: init_file(filename: str)

Examples::

   >>> collector = pyfixbuf.Collector()
   >>> collector.init_file("path/to/in.ipfix")

Record
================

A :class:`Record` is one of the "core" interfaces to the IPFIX data through
libfixbuf. This is the main object for manipulating the data prior
to export and following import.

.. autoclass:: Record(model: InfoModel[, template: Template = None, record: Record = None])

   .. automethod:: add_element(key_name: str[, type: DataType = DataType.OCTET_ARRAY[, element_name: str = None[, length: int = 0]]])

   .. automethod:: add_element_list(name_list: Iterable[str])

   .. automethod:: clear_all_lists()

   .. automethod:: clear()

   .. automethod:: init_basic_list(basic_list_key: str[, count: int = 0[, element_name: str = None]])

   .. automethod:: clear_basic_list(basic_list_key: str)

   .. automethod:: __getitem__(key: Union[str, int]) -> Any

   .. automethod:: __setitem__(key: Union[str, int], value: Any)

   .. automethod:: copy(other: Record)

   .. automethod:: is_list(key: str) -> bool

   .. automethod:: get(key: str, default: Any = None) -> Any

   .. automethod:: get_field(key: str) -> Record.Field

   .. automethod:: get_stl_list_entry(key: str) -> STL

   .. automethod:: get_stml_list_entry(key: str) -> STML

   .. automethod:: as_dict() -> Dict[Union[str, Tuple(str, int)], Any]

   .. automethod:: __len__() -> int

   .. automethod:: __contains__(item: str) -> bool

   .. automethod:: set_template(template: Template)

   .. automethod:: __iter__() -> Iterator[Any]

   .. automethod:: iterfields() -> Iterator[Record.Field]

   .. automethod:: matches_template(template: Template, exact: bool = False) -> bool

   .. automethod:: count(element_name: str) -> int

   .. attribute:: template : Template

      Returns the :class:`Template` used by this :class:`Record`.

Record.Field
==============

.. class:: Record.Field(name: str, instance: int, ie: InfoElement, length: int, value: Any)

   Represents a complete value field in a :class:`Record`, and is implemented
   as a subclass of :class:`collections.namedtuple`. This is the type of
   object returned by the :meth:`Record.iterfields` method. A
   :class:`Record.Field` object includes the following attributes:

   .. attribute:: name : str

      The field name provided as the `key` parameter to
      :meth:`Record.add_element`. For a :class:`Record` built from a
      :class:`Template`, this is the name of the :class:`InfoElement`.

   .. attribute:: instance : int

      An integer that is non-zero when `name` is not unique. The value
      represents the number of times `name` occurs in the :class:`Record`
      before this one.

   .. attribute:: ie : InfoElement

      The canonical :class:`InfoElement` that describes this value.

   .. attribute:: length : int

      The length of this field specified to :meth:`Record.add_element` or in
      the :class:`InfoElementSpec` associated with the :class:`Record`'s
      :class:`Template`. May be different than the length specified in the
      :class:`InfoElement` due to reduced-length encoding.

   .. attribute:: value : Any

      The value of this field.


Buffer
==============

The :class:`Buffer` implements a transcoding IPFIX Message buffer for both
export and collection. The :class:`Buffer` is one of the "core" interfaces to
the fixbuf library. Each :class:`Buffer` must be initialized to do either
collecting or exporting.

.. autoclass:: Buffer([record: Record = None][, auto: bool = False])

   .. automethod:: init_collection(session: Session, collector: Collector)

   .. automethod:: init_export(session: Session, exporter: Exporter)

   .. automethod:: set_internal_template(template_id: int)

   .. automethod:: set_export_template(template_id: int)

   .. automethod:: next_record(record: Record) -> Record

   .. automethod:: next([record: Record]) -> Record

   .. automethod:: __iter__() -> Iterator[Record]

   .. automethod:: set_record(record: Record)

   .. automethod:: next_template() -> Template

   .. automethod:: get_template() -> Template

   .. automethod:: append(Record[, int])

   .. automethod:: write_ie_options_record(name: str, template: Template)

   .. automethod:: auto_insert()

   .. automethod:: ignore_options(ignore: bool)

   .. method:: emit()

      Writes any pending :class:`Record` objects in the :class:`Buffer` to the
      :class:`Exporter`.

   .. method:: free()

      Frees the :class:`Buffer`. This method may be invoked when using a
      :class:`Buffer` for export to flush and close the stream.

Collection example::

   >>> buf = pyfixbuf.Buffer(my_rec)
   >>> buf.init_collection(session, collector)
   >>> buf.set_internal_template(999)
   >>> for data in buf:
   ...     data = data.as_dict()
   ...     for key, value in data.items():
   ...         print(key + ":" + str(value) + '\n')

Export example (the export template is set with :meth:`set_export_template`, and
:meth:`Session.export_templates` must run before the first :meth:`append`)::

   >>> buf = pyfixbuf.Buffer(my_rec)
   >>> buf.init_export(session, exporter)
   >>> buf.set_internal_template(999)
   >>> buf.set_export_template(999)
   >>> session.export_templates()
   >>> count = 0
   >>> while count < 10:
   ...     my_rec['sourceIPv4Address'] = "192.168.3.2"
   ...     my_rec['destinationIPv4Address'] = "192.168.4.5"
   ...     buf.append(my_rec)
   ...     count += 1
   ...
   >>> buf.emit()

Automatic-template collection example::

   >>> buf = pyfixbuf.Buffer(auto=True)
   >>> buf.init_collection(session, collector)
   >>> for data in buf:
   ...     data = data.as_dict()
   ...     for key, value in data.items():
   ...         print(key + ":" + str(value) + '\n')

STML
=================

A subTemplateMultiList is a list of zero or more instances of
a structured data record, where the data records do not necessarily
have to reference the same template. A subTemplateMultiList is made
up of one or more :class:`STMLEntry` objects. Each :class:`STMLEntry` in the
:class:`STML` typically has a different template associated with it, but that
is not a requirement. The data in the :class:`STML` is accessed by iterating
through each :class:`STMLEntry` in the list and setting a :class:`Record` on
the :class:`STMLEntry`.

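The subTemplateMultiList described above, and the subTemplateList of the STL section
further down, are the :rfc:`6313` structured data types that pyfixbuf presents as
:class:`STML`, :class:`STMLEntry` and :class:`STL`. The following pure-Python example is
added here for illustration and is not pyfixbuf code. It lays out the octets that sit
inside the VARLEN field carrying such a list: one semantic octet, then for a
subTemplateMultiList a sequence of entries, each a template ID and a length
(covering its own 4-octet header) followed by that template's records, and for a
subTemplateList a single template ID followed by records. The decoder bounds each entry
by its declared length, refuses a length that escapes the list, and raises on an
unknown template ID rather than interpreting the bytes with a guessed layout; that is
the check a collector needs before calling anything like
:meth:`STMLEntry.set_record` on data from an untrusted exporter. The two fixed-length
templates, their IDs (300 and 301), the field names and the sample values are
constructed for the example.

```python
"""Pure-Python encode/decode of RFC 6313 subTemplateMultiList and subTemplateList."""
import struct

# RFC 6313 list semantics: the value behind the `semantic` attribute of STML/STL/BL.
SEMANTICS = {0: "noneOf", 1: "exactlyOneOf", 2: "oneOrMoreOf", 3: "allOf", 4: "ordered"}

# Constructed registry of fixed-length templates: id -> (struct format, field names).
# The template ids and element choices are this example's assumptions.
TEMPLATES = {
    300: ("!HH", ("sourceTransportPort", "destinationTransportPort")),
    301: ("!IH", ("tcpSequenceNumber", "tcpWindowSize")),
}

def _pack_records(tid, records):
    """Back-to-back records of template `tid`, each a dict keyed by field name."""
    fmt, names = TEMPLATES[tid]
    return b"".join(struct.pack(fmt, *[r[n] for n in names]) for r in records)

def _unpack_records(tid, buf, pos, end):
    """Decode the records of template `tid` between pos and end; never guess a layout."""
    if tid not in TEMPLATES:
        raise ValueError("unknown template %d; cannot interpret list data" % tid)
    fmt, names = TEMPLATES[tid]
    size = struct.calcsize(fmt)
    if (end - pos) % size:
        raise ValueError("list data is not a whole number of records")
    return [dict(zip(names, struct.unpack(fmt, buf[p:p + size]))) for p in range(pos, end, size)]

def encode_stml(semantic, entries):
    """entries = [(template_id, [record, ...]), ...] -> subTemplateMultiList octets."""
    out = [bytes([semantic])]
    for tid, records in entries:
        body = _pack_records(tid, records)
        out.append(struct.pack("!HH", tid, 4 + len(body)) + body)  # length covers the header
    return b"".join(out)

def decode_stml(buf):
    """-> (semantic name, [(template_id, [record, ...]), ...]); raises on malformed input."""
    if not buf:
        raise ValueError("empty subTemplateMultiList")
    entries, pos = [], 1
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated STML entry header")
        tid, length = struct.unpack("!HH", buf[pos:pos + 4])
        end = pos + length
        if length < 4 or end > len(buf):
            raise ValueError("STML entry length escapes the list")  # bound by the container
        entries.append((tid, _unpack_records(tid, buf, pos + 4, end)))
        pos = end
    return SEMANTICS.get(buf[0], "undefined"), entries

def encode_stl(semantic, tid, records):
    """subTemplateList: one semantic octet, one template id, then the records."""
    return bytes([semantic]) + struct.pack("!H", tid) + _pack_records(tid, records)

def decode_stl(buf):
    """-> (semantic name, template_id, [record, ...]); raises on malformed input."""
    if len(buf) < 3:
        raise ValueError("truncated subTemplateList")
    tid = struct.unpack("!H", buf[1:3])[0]
    return SEMANTICS.get(buf[0], "undefined"), tid, _unpack_records(tid, buf, 3, len(buf))
```

``decode_stml(encode_stml(3, entries))`` round-trips a two-entry list (two port records
under template 300, one TCP record under 301) as ``("allOf", entries)``; a one-octet list
decodes to zero entries, which is the legal empty case, while an entry with an unknown
template ID or a length larger than the list raises.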
autoclass:: STML([record: Record = None[, key_name:str = None[, type_count: int = -1]]]) 828 829 .. automethod:: clear() 830 831 .. automethod:: __iter__() -> Iterator[STMLEntry] 832 833 .. automethod:: next() -> STMLEntry 834 835 .. automethod:: iter_records(tmpl_id: int = 0) -> Iterator[Records] 836 837 .. automethod:: __len__() -> int 838 839 .. automethod:: __contains__(name: str) -> bool 840 841 .. automethod:: __getitem__(index: int) -> STMLEntry 842 843 .. automethod:: __setitem__(key: int, value: Iterable[Record]) 844 845 .. attribute:: semantic : int 846 847 The `structured data semantic value`_ for this :class:`STML`. 848 849 .. _structured data semantic value: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-structured-data-types-semantics 850 851Decode Examples:: 852 853 >>> stml = my_rec["subTemplateMultiList"] 854 >>> for entry in stml: 855 ... if "tcpSequenceNumber" in entry: 856 ... entry.set_record(tcprec) 857 ... for tcp_record in entry: 858 ... tcp_record = tcp_record.as_dict() 859 ... for key,value in tcp_record.items() 860 ... print key + ": " + str(value) + '\n' 861 862Encode Examples:: 863 864 >>> stml = STML(type_count=3) 865 >>> stml.entry_init(rec, template, 2) #init first entry to 2 with template 866 >>> rec["sourceTransportPort"] = 3 867 >>> rec["destinationTransportPort"] = 5 868 >>> stml[0][0] = rec 869 >>> rec["sourceTransportPort"] = 6 870 >>> rec["destinationTransportPort"] = 7 871 >>> stml[0][1] = rec 872 >>> stml[1][0] = rec2 #init second entry to 1 item using rec2 873 >>> stml[2].entry_init(rec3, template3, 0) #init third entry to 0 874 875 876STMLEntry 877===================== 878 879Each :class:`STML` consists of one or more :class:`STMLEntry` objects. Each 880:class:`STMLEntry` is associated with a :class:`Template`, and therefore 881should have a corresponding :class:`Record`. An :class:`STMLEntry` can 882contain zero or more instances of the associated :class:`Record`. 883 884.. 
autoclass:: STMLEntry(stml: STML) 885 886 .. automethod:: entry_init(record: Record, template: Template[, count: int = 0]) 887 888 .. automethod:: set_record(record: Record) 889 890 .. automethod:: __contains__(name: str) -> bool 891 892 .. automethod:: set_template(template: Template) 893 894 .. automethod:: __iter__() -> Iterator[Record] 895 896 .. automethod:: next() -> Record 897 898 .. automethod:: __getitem__(item: Union[int, str]) -> Any 899 900 .. automethod:: __setitem__(key: int, value: Record) 901 902 .. automethod:: __len__() -> int 903 904 .. attribute:: template_id : int 905 906 The Template ID of the :class:`Template` that corresponds to this 907 :class:`STMLEntry` in the :class:`STML`. 908 909Examples:: 910 911 >>> stml = my_rec["subTemplateMultiList"] 912 >>> for entry in stml: 913 ... if "tcpSequenceNumber" in entry: 914 ... entry.set_record(tcp_rec) 915 ... for tcp_record in entry: 916 ... tcp_record = tcp_record.as_dict() 917 ... for key,value in tcp_record.items(): 918 ... print key + ": " + str(value) + '\n' 919 ... elif entry.template_id == 0xCE00: 920 ... entry.set_record(dns_rec) 921 ... 922 >>> stml.clear() 923 924 925STL 926=============== 927 928A subTemplateList is a list of zero or more instances of a 929structured data type where each entry corresponds to a 930single template. Since a single template is associated 931with an :class:`STL`, a :class:`Record` must also be associated with the 932:class:`STL`. Access each entry (a :class:`Record`) in the list by 933iterating through the :class:`STL`. 934 935.. autoclass:: STL([record: Record = None, key_name: str = None]) 936 937 .. automethod:: set_record(record: Record) 938 939 .. automethod:: __contains__(name: str) -> bool 940 941 .. automethod:: entry_init(record: Record, template: Template[, count: int = 0]) 942 943 .. automethod:: __iter__() -> Iterator[Record] 944 945 .. automethod:: next() -> Record 946 947 .. 
   .. automethod:: iter_records(tmpl_id: int = 0) -> Iterator[Records]

   .. automethod:: clear()

   .. automethod:: __getitem__(item: Union[int, str]) -> Any

   .. automethod:: __setitem__(key: int, value: Record)

   .. automethod:: __len__() -> int

   .. attribute:: template_id : int

      The template ID of the :class:`Template` used for this :class:`STL`.

   .. attribute:: semantic : int

      The `structured data semantic value`_ for this :class:`STL`.

   .. _structured data semantic value: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-structured-data-types-semantics

Decoding Examples::

   >>> stl = rec["dnsList"]
   >>> stl.set_record(dnsRecord)
   >>> for entry in stl:
   ...     fields = entry.as_dict()
   ...     for key, value in fields.items():
   ...         print(key + ": " + str(value) + '\n')
   ...
   >>> stl.clear()

Encoding Examples::

   >>> stl = STL()
   >>> stl.entry_init(dnsRecord, dnsTemplate, 2)
   >>> dnsRecord["dnsQName"] = "google.com"
   >>> dnsRecord["rrType"] = 1
   >>> stl[0] = dnsRecord
   >>> dnsRecord["dnsQName"] = "ns.google.com"
   >>> dnsRecord["rrType"] = 2
   >>> stl[1] = dnsRecord
   >>> rec["subTemplateList"] = stl

BL
===============

A basicList is a list of zero or more instances of an Information Element.
Examples include a list of port numbers, or a list of host names.
The BL object acts similar to a Python list with additional attributes.

.. autoclass:: BL(model: InfoModel, element: Union[InfoElement, InfoElementSpec, str][, count: int = 0[, semantic: int = 0]])

   .. automethod:: __len__() -> int

   .. automethod:: __iter__() -> Iterator[Any]

   .. automethod:: __getitem__(index: int) -> Any

   .. automethod:: __setitem__(key: int, value: Any)

   .. automethod:: copy(other: Iterable[Any])

   .. automethod:: __contains__(item: Any) -> bool
   .. automethod:: __str__() -> str

   .. automethod:: __eq__(other: list) -> bool

   .. method:: clear()

      Clears and frees the basicList data.

   .. attribute:: semantic : int

      The `structured data semantic value`_ for this :class:`BL`.

   .. _structured data semantic value: https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-structured-data-types-semantics

   .. attribute:: element : InfoElement

      The :class:`InfoElement` associated with this :class:`BL` that was set
      when the :class:`BL` was created. This attribute may not be changed.


Decoding Examples::

   >>> bl = rec["basicList"]
   >>> for item in bl:
   ...     print(str(item) + '\n')
   ...
   >>> bl.clear()

Encoding Examples::

   >>> bl = BL(model, "httpUserAgent", 2)
   >>> bl[0] = "Mozilla/Firefox"
   >>> bl[1] = "Safari5.0"
   >>> rec["basicList"] = bl
   >>> if "Safari5.0" in bl:
   ...     print("Apple")
   ...
   Apple
   >>> print(bl)
   ["Mozilla/Firefox", "Safari5.0"]


Listener
====================

The Listener manages the passive collection used to listen
for connections from Exporting Processes.

.. autoclass:: Listener(session: Session, hostname: str[, transport: str = "tcp"[, port: int = 4739]])

   .. automethod:: wait([record: Record]) -> Buffer


===================================================
pyfixbuf.cert: Information Elements for NetSA Tools
===================================================

.. automodule:: pyfixbuf.cert

The :mod:`pyfixbuf.cert` package provides functions to update an
:class:`pyfixbuf.InfoModel` with the `Information Elements defined by CERT`_
and used by the NetSA tools such as YAF. These functions load the information
elements from the ``cert_ipfix.xml`` file, which is included as a resource in
the pyfixbuf distribution.
To load these elements into your Information
Model, use::

   import pyfixbuf
   import pyfixbuf.cert

   model = pyfixbuf.InfoModel()
   pyfixbuf.cert.add_elements_to_model(model)

.. _Information Elements defined by CERT: https://tools.netsa.cert.org/cert-ipfix-registry/cert_ipfix_formatted.html

.. autofunction:: add_elements_to_model(model: InfoModel)

.. autofunction:: info_element_xml() -> str


========================================================
pyfixbuf.yaflists: Pre-defined Information Element Lists
========================================================

.. automodule:: pyfixbuf.yaflists

This module defines variables which specify lists of CERT enterprise-specific
Information Elements. The Elements may be added to an Information Model by
invoking :meth:`InfoModel.add_element_list` with one of the list variables as
an argument.

   **NOTE:** The following variables are incomplete and should not be used in
   new code. Please change your code so it adds the CERT Information Elements
   to your model by loading them from the :mod:`pyfixbuf.cert` package, as
   shown in this example::

      # create your model as normal
      model = pyfixbuf.InfoModel()

      # add this:
      import pyfixbuf.cert
      pyfixbuf.cert.add_elements_to_model(model)

These variables are defined in the pyfixbuf.yaflists module. Currently an
alias is created to them in the pyfixbuf module, though that will be removed
in a future release.

The :class:`InfoElement`\s in these lists use the CERT private enterprise
number (PEN) 6871. Each list contains Elements that are related to a
particular internet protocol (e.g., HTTP, DNS, SMTP). The variables
`YAF_LIST`_ and `YAF_STATS_LIST`_ are necessary for reading the IPFIX streams
created by YAF_ when its deep-packet inspection feature is disabled.
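The :mod:`pyfixbuf.cert` section above says the CERT elements come from ``cert_ipfix.xml``. As an added example (not part of pyfixbuf or this documentation), the block below reads a registry document in the IANA IPFIX XML layout, which it assumes ``cert_ipfix.xml`` follows, into ``(name, PEN, ID, type)`` specs and reports any ``(PEN, ID)`` pair claimed by two elements, a check worth running on a registry file you did not ship yourself before handing it to an Information Model. The sample document is constructed for the example and is not a copy of the CERT registry.

```python
"""Read an IPFIX registry XML document into element specs and flag
(PEN, ID) collisions before the elements reach an InfoModel."""
import xml.etree.ElementTree as ET  # stdlib; prefer defusedxml for untrusted files
from collections import defaultdict, namedtuple

# One registry record: name, enterprise number, numeric id, data type.
ElementSpec = namedtuple("ElementSpec", "name pen element_id data_type")

# Constructed sample in the IANA registry XML layout (assumed here to be the
# layout of cert_ipfix.xml); the last record deliberately reuses ID 36.
SAMPLE_REGISTRY_XML = """<registry xmlns="http://www.iana.org/assignments" id="ipfix">
  <registry id="ipfix-information-elements">
    <record>
      <name>dnsQName</name>
      <enterpriseId>6871</enterpriseId>
      <elementId>179</elementId>
      <dataType>string</dataType>
    </record>
    <record>
      <name>osName</name>
      <enterpriseId>6871</enterpriseId>
      <elementId>36</elementId>
      <dataType>string</dataType>
    </record>
    <record>
      <name>bogusDuplicate</name>
      <enterpriseId>6871</enterpriseId>
      <elementId>36</elementId>
      <dataType>octetArray</dataType>
    </record>
  </registry>
</registry>
"""


def _local(tag):
    """Strip the XML namespace so tag checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_registry(xml_text):
    """Return the ElementSpecs found in a registry document.

    Records without an elementId are skipped; a missing enterpriseId means
    an IANA element, which pyfixbuf represents as enterprise number 0.
    """
    specs = []
    for rec in ET.fromstring(xml_text).iter():
        if _local(rec.tag) != "record":
            continue
        fields = {_local(child.tag): (child.text or "").strip()
                  for child in rec}
        if not fields.get("elementId"):
            continue
        specs.append(ElementSpec(
            name=fields.get("name", ""),
            pen=int(fields.get("enterpriseId") or 0),
            element_id=int(fields["elementId"]),
            data_type=fields.get("dataType", ""),
        ))
    return specs


def find_id_collisions(specs):
    """Map each (pen, element_id) used by more than one element to its names.

    Two elements sharing a number inside one PEN cannot both be resolved
    from a template, so a non-empty result should stop the model load.
    """
    by_key = defaultdict(list)
    for spec in specs:
        by_key[(spec.pen, spec.element_id)].append(spec.name)
    return {key: names for key, names in by_key.items() if len(names) > 1}


def cert_element_names(specs, pen=6871):
    """Sorted names of the elements in the CERT PEN (6871) used by YAF."""
    return sorted(spec.name for spec in specs if spec.pen == pen)
```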
.. _YAF: https://tools.netsa.cert.org/yaf/index.html

YAF_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 60, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - initialTCPFlags
     - 14
     - UINT8
     - Initial sequence number of the forward direction of the flow
   * - unionTCPFlags
     - 15
     - UINT8
     - Union of TCP flags of all packets other than the initial packet in the forward direction of the flow
   * - reverseFlowDeltaMilliseconds
     - 21
     - UINT32
     - Difference in time in milliseconds between first packet in forward direction and first packet in reverse direction
   * - silkAppLabel
     - 33
     - UINT16
     - Application label, defined as the primary well-known port associated with a given application.
   * - osName
     - 36
     - STRING
     - p0f OS Name for the forward flow based on the SYN packet and p0f SYN Fingerprints.
   * - payload
     - 36
     - OCTET ARRAY
     - Initial n bytes of forward direction of flow payload.
   * - osVersion
     - 37
     - STRING
     - p0f OS Version for the forward flow based on the SYN packet and p0f SYN Fingerprints.
   * - firstPacketBanner
     - 38
     - OCTET ARRAY
     - IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.
   * - secondPacketBanner
     - 39
     - OCTET ARRAY
     - IP and transport headers for first packet in forward direction to be used for external OS Fingerprinters.
   * - flowAttributes
     - 40
     - UINT16
     - Miscellaneous flow attributes for the forward direction of the flow
   * - osFingerPrint
     - 107
     - STRING
     - p0f OS Fingerprint for the forward flow based on the SYN packet and p0f SYN fingerprints.
   * - yafFlowKeyHash
     - 106
     - UINT32
     - The 32 bit hash of the 5-tuple and VLAN that is used as the key to YAF's internal flow table.

YAF_STATS_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 50, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - expiredFragmentCount
     - 100
     - UINT32
     - Total number of fragments that have expired since yaf start time.
   * - assembledFragmentCount
     - 101
     - UINT32
     - Total number of packets that have been assembled from a series of fragments since yaf start time.
   * - meanFlowRate
     - 102
     - UINT32
     - The mean flow rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
   * - meanPacketRate
     - 103
     - UINT32
     - The mean packet rate of the yaf flow sensor since yaf start time, rounded to the nearest integer.
   * - flowTableFlushEventCount
     - 104
     - UINT32
     - Total number of times the yaf flow table has been flushed since yaf start time.
   * - flowTablePeakCount
     - 105
     - UINT32
     - The maximum number of flows in the yaf flow table at any one time since yaf start time.

YAF_FLOW_STATS_LIST
====================

.. list-table::
   :header-rows: 1
   :widths: 50, 1, 20, 100

   * - Information Element
     - ID
     - TYPE
     - Description
   * - smallPacketCount
     - 500
     - UINT32
     - The number of packets that contain less than 60 bytes of payload.
   * - nonEmptyPacketCount
     - 501
     - UINT32
     - The number of packets that contain at least 1 byte of payload.
   * - dataByteCount
     - 502
     - UINT64
     - Total bytes transferred as payload.
   * - averageInterarrivalTime
     - 503
     - UINT64
     - Average number of milliseconds between packets.
   * - standardDeviationInterarrivalTime
     - 504
     - UINT64
     - Standard deviation of the interarrival time for up to the first ten packets.
   * - firstNonEmptyPacketSize
     - 505
     - UINT16
     - Payload length of the first non-empty packet.
   * - maxPacketSize
     - 506
     - UINT16
     - The largest payload length transferred in the flow.
   * - firstEightNonEmptyPacketDirections
     - 507
     - UINT8
     - Represents directionality for the first 8 non-empty packets. 0 for forward direction, 1 for reverse direction.
   * - standardDeviationPayloadLength
     - 508
     - UINT16
     - The standard deviation of the payload length for up to the first 10 non-empty packets.
   * - tcpUrgCount
     - 509
     - UINT32
     - The number of TCP packets that have the URGENT flag set.
   * - largePacketCount
     - 510
     - UINT32
     - The number of packets that contain at least 220 bytes of payload.


YAF_HTTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - httpServerString
     - 110
     - STRING
   * - httpUserAgent
     - 111
     - STRING
   * - httpGet
     - 112
     - STRING
   * - httpConnection
     - 113
     - STRING
   * - httpVersion
     - 114
     - STRING
   * - httpReferer
     - 115
     - STRING
   * - httpLocation
     - 116
     - STRING
   * - httpHost
     - 117
     - STRING
   * - httpContentLength
     - 118
     - STRING
   * - httpAge
     - 119
     - STRING
   * - httpAccept
     - 120
     - STRING
   * - httpAcceptLanguage
     - 121
     - STRING
   * - httpContentType
     - 122
     - STRING
   * - httpResponse
     - 123
     - STRING
   * - httpCookie
     - 220
     - STRING
   * - httpSetCookie
     - 221
     - STRING
   * - httpAuthorization
     - 252
     - STRING
   * - httpVia
     - 253
     - STRING
   * - httpX-Forwarded-For
     - 254
     - STRING
   * - httpRefresh
     - 256
     - STRING
   * - httpIMEI
     - 257
     - STRING
   * - httpIMSI
     - 258
     - STRING
   * - httpMSISDN
     - 259
     - STRING
   * - httpSubscriber
     - 260
     - STRING
   * - httpExpires
     - 255
     - STRING
   * - httpAcceptCharset
     - 261
     - STRING
   * - httpAcceptEncoding
     - 262
     - STRING
   * - httpAllow
     - 263
     - STRING
   * - httpDate
     - 264
     - STRING
   * - httpExpect
     - 265
     - STRING
   * - httpFrom
     - 266
     - STRING
   * - httpProxyAuthentication
     - 267
     - STRING
   * - httpUpgrade
     - 268
     - STRING
   * - httpWarning
     - 269
     - STRING
   * - httpDNT
     - 270
     - STRING
   * - httpX-Forwarded-Proto
     - 271
     - STRING
   * - httpX-Forwarded-Host
     - 272
     - STRING
   * - httpX-Forwarded-Server
     - 273
     - STRING
   * - httpX-DeviceID
     - 274
     - STRING
   * - httpX-Profile
     - 275
     - STRING
   * - httpLastModified
     - 276
     - STRING
   * - httpContentEncoding
     - 277
     - STRING
   * - httpContentLanguage
     - 278
     - STRING
   * - httpContentLocation
     - 279
     - STRING
   * - httpX-UA-Compatible
     - 280
     - STRING

YAF_SLP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - slpVersion
     - 128
     - UINT8
   * - slpMessageType
     - 129
     - UINT8
   * - slpString
     - 130
     - STRING

YAF_FTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.
.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - ftpReturn
     - 131
     - STRING
   * - ftpUser
     - 132
     - STRING
   * - ftpPass
     - 133
     - STRING
   * - ftpType
     - 134
     - STRING
   * - ftpRespCode
     - 135
     - STRING

YAF_IMAP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - imapCapability
     - 136
     - STRING
   * - imapLogin
     - 137
     - STRING
   * - imapStartTLS
     - 138
     - STRING
   * - imapAuthenticate
     - 139
     - STRING
   * - imapCommand
     - 140
     - STRING
   * - imapExists
     - 141
     - STRING
   * - imapRecent
     - 142
     - STRING

YAF_RTSP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - rtspURL
     - 143
     - STRING
   * - rtspVersion
     - 144
     - STRING
   * - rtspReturnCode
     - 145
     - STRING
   * - rtspContentLength
     - 146
     - STRING
   * - rtspCommand
     - 147
     - STRING
   * - rtspContentType
     - 148
     - STRING
   * - rtspTransport
     - 149
     - STRING
   * - rtspCSeq
     - 150
     - STRING
   * - rtspLocation
     - 151
     - STRING
   * - rtspPacketsReceived
     - 152
     - STRING
   * - rtspUserAgent
     - 153
     - STRING
   * - rtspJitter
     - 154
     - STRING

YAF_SIP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.
.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - sipInvite
     - 155
     - STRING
   * - sipCommand
     - 156
     - STRING
   * - sipVia
     - 157
     - STRING
   * - sipMaxForwards
     - 158
     - STRING
   * - sipAddress
     - 159
     - STRING
   * - sipContentLength
     - 160
     - STRING
   * - sipUserAgent
     - 161
     - STRING


YAF_SMTP_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - smtpHello
     - 162
     - STRING
   * - smtpFrom
     - 163
     - STRING
   * - smtpTo
     - 164
     - STRING
   * - smtpContentType
     - 165
     - STRING
   * - smtpSubject
     - 166
     - STRING
   * - smtpFilename
     - 167
     - STRING
   * - smtpContentDisposition
     - 168
     - STRING
   * - smtpResponse
     - 169
     - STRING
   * - smtpEnhanced
     - 170
     - STRING
   * - smtpSize
     - 222
     - STRING
   * - smtpDate
     - 251
     - STRING


YAF_DNS_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.
list-table:: 1644 :header-rows: 1 1645 :widths: 50, 20, 40 1646 1647 * - Information Element 1648 - ID 1649 - TYPE 1650 * - dnsQueryResponse 1651 - 174 1652 - UINT8 1653 * - dnsQRType 1654 - 175 1655 - UINT16 1656 * - dnsAuthoritative 1657 - 176 1658 - UINT8 1659 * - dnsNXDomain 1660 - 177 1661 - UINT8 1662 * - dnsRRSection 1663 - 178 1664 - UINT8 1665 * - dnsQName 1666 - 179 1667 - STRING 1668 * - dnsCName 1669 - 180 1670 - STRING 1671 * - dnsMXPreference 1672 - 181 1673 - UINT16 1674 * - dnsMXExchange 1675 - 182 1676 - STRING 1677 * - dnsNSDName 1678 - 183 1679 - STRING 1680 * - dnsPTRDName 1681 - 184 1682 - STRING 1683 * - dnsTTL 1684 - 199 1685 - UINT32 1686 * - dnsTXTData 1687 - 208 1688 - STRING 1689 * - dnsSOASerial 1690 - 209 1691 - UINT32 1692 * - dnsSOARefresh 1693 - 210 1694 - UINT32 1695 * - dnsSOARetry 1696 - 211 1697 - UINT32 1698 * - dnsSOAExpire 1699 - 212 1700 - UINT32 1701 * - dnsSOAMinimum 1702 - 213 1703 - UINT32 1704 * - dnsSOAMName 1705 - 214 1706 - STRING 1707 * - dnsSOARName 1708 - 215 1709 - STRING 1710 * - dnsSRVPriority 1711 - 216 1712 - UINT16 1713 * - dnsSRVWeight 1714 - 217 1715 - UINT16 1716 * - dnsSRVPort 1717 - 218 1718 - UINT16 1719 * - dnsSRVTarget 1720 - 219 1721 - STRING 1722 * - dnsID 1723 - 226 1724 - UINT16 1725 * - dnsAlgorithm 1726 - 227 1727 - UINT8 1728 * - dnsKeyTag 1729 - 228 1730 - UINT16 1731 * - dnsSigner 1732 - 229 1733 - STRING 1734 * - dnsSignature 1735 - 230 1736 - OCTET ARRAY 1737 * - dnsDigest 1738 - 231 1739 - OCTET ARRAY 1740 * - dnsPublicKey 1741 - 232 1742 - OCTET ARRAY 1743 * - dnsSalt 1744 - 233 1745 - OCTET ARRAY 1746 * - dnsHashData 1747 - 234 1748 - OCTET ARRAY 1749 * - dnsIterations 1750 - 235 1751 - UINT16 1752 * - dnsSignatureExpiration 1753 - 236 1754 - UINT32 1755 * - dnsSignatureInception 1756 - 237 1757 - UINT32 1758 * - dnsDigestType 1759 - 238 1760 - UINT8 1761 * - dnsLabels 1762 - 239 1763 - UINT8 1764 * - dnsTypeCovered 1765 - 240 1766 - UINT16 1767 * - dnsFlags 1768 - 241 1769 - UINT16 1770 

YAF_SSL_LIST
====================

Descriptions of each Information Element can be found at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - sslCipher
     - 185
     - UINT32
   * - sslClientVersion
     - 186
     - UINT8
   * - sslServerCipher
     - 187
     - UINT32
   * - sslCompressionMethod
     - 188
     - UINT8
   * - sslCertVersion
     - 189
     - UINT8
   * - sslCertSignature
     - 190
     - STRING
   * - sslCertIssuerCountryName
     - 191
     - STRING
   * - sslCertIssuerOrgName
     - 192
     - STRING
   * - sslCertIssuerOrgUnitName
     - 193
     - STRING
   * - sslCertIssuerZipCode
     - 194
     - STRING
   * - sslCertIssuerState
     - 195
     - STRING
   * - sslCertIssuerCommonName
     - 196
     - STRING
   * - sslCertIssuerLocalityName
     - 197
     - STRING
   * - sslCertIssuerStreetAddress
     - 198
     - STRING
   * - sslCertSubCountryName
     - 200
     - STRING
   * - sslCertSubOrgName
     - 201
     - STRING
   * - sslCertSubOrgUnitName
     - 202
     - STRING
   * - sslCertSubZipCode
     - 203
     - STRING
   * - sslCertSubState
     - 204
     - STRING
   * - sslCertSubCommonName
     - 205
     - STRING
   * - sslCertSubLocalityName
     - 206
     - STRING
   * - sslCertSubStreetAddress
     - 207
     - STRING
   * - sslCertSerialNumber
     - 208
     - STRING
   * - sslObjectType
     - 245
     - UINT8
   * - sslObjectValue
     - 246
     - STRING
   * - sslCertValidityNotBefore
     - 247
     - STRING
   * - sslCertValidityNotAfter
     - 248
     - STRING
   * - sslCertPublicKeyAlgorithm
     - 249
     - STRING
   * - sslCertPublicKeyLength
     - 250
     - UINT16
   * - sslRecordVersion
     - 288
     - UINT16

YAF_DPI_LIST
====================

This list contains miscellaneous Information Elements from the remaining
protocols YAF decodes. Descriptions of each Information Element can be found
at http://tools.netsa.cert.org/yaf/yafdpi.html.

.. list-table::
   :header-rows: 1
   :widths: 50, 20, 40

   * - Information Element
     - ID
     - TYPE
   * - mysqlUsername
     - 223
     - STRING
   * - mysqlCommandCode
     - 224
     - UINT8
   * - mysqlCommandText
     - 225
     - STRING
   * - pop3TextMessage
     - 124
     - STRING
   * - ircTextMessage
     - 125
     - STRING
   * - tftpFilename
     - 126
     - STRING
   * - tftpMode
     - 127
     - STRING
   * - dhcpFingerPrint
     - 242
     - STRING
   * - dhcpVendorCode
     - 243
     - STRING
   * - dnp3SourceAddress
     - 281
     - UINT16
   * - dnp3DestinationAddress
     - 282
     - UINT16
   * - dnp3Function
     - 283
     - UINT8
   * - dnp3ObjectData
     - 284
     - OCTET_ARRAY
   * - modbusData
     - 285
     - OCTET_ARRAY
   * - ethernetIPData
     - 286
     - OCTET_ARRAY
   * - rtpPayloadType
     - 287
     - UINT8


..
   Local Variables:
   fill-column:78
   End: