cleaned up IGMP

trisulnsm · Oct 14, 2022 · 6c4231f · 6c4231f
1 parent a0c997e
commit 6c4231f
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 57 deletions.
diff --git a/analyzers/IGMP_multicast/README.md b/analyzers/IGMP_multicast/README.md
@@ -0,0 +1,43 @@
+# IGMP Multicast monitor 
+
+This Trisul APP provides the following features.
+
+
+Adds three new counter groups
+1.  Multicast Hosts - tracks all 224.0.0.0 through 239.255.255.255 multicast space IPs
+2.  Multicast Members - tracks individual unicast members of the multicast group 
+3.  Exchange XFlow - tracks flows UnicastDestIP/DestPort/UnicastSourceIP/MulticastDestIP
+
+
+## Use case
+
+When you want to disaggregate multicast group traffic and account for individual IPs. 
+
+
+## How to use 
+
+Go to Retro > Retro Counters
+Then Select "Multicast Hosts" and "Multicast Members" to see traffic.
+
+Select "Exchange XFlow" to view individual multicast flows 
+
+
+Example 
+
+``` 
+10.22.100.10\172.19.1.2\18001\239.50.50.50   250MB 
+```
+
+This should be interpreted as 
+
+IP 172.19.1.2 is sending 250MB to the multicast address 239.50.50.50 port 18001 and received by member 10.22.100.10 
+
+
+UPDATES
+=======
+
+````
+0.0.4   Oct 13 2022     Added README.md 
+````
+
+
diff --git a/analyzers/IGMP_multicast/newcg-crosskey.lua b/analyzers/IGMP_multicast/newcg-crosskey.lua
@@ -1,6 +1,8 @@
 --
--- crosskey multicast 
---
+-- Exchange X Flow 
+--    counts TCP Recv/Xmit/UDP multicast 
+-- 
+--    actual-destination-ip/actual-source-ip/port/destination-multicast-ip 
 -- 
 -- 
 TrisulPlugin = { 
@@ -22,17 +24,17 @@ TrisulPlugin = {
     control = {
       guid = "{942AB99F-7A65-4B2E-6F6C-A3050F0F7B35}", 
       name = "Exchange XFlow",
-      description = "Crosskey flow IP/IP/Port",
+      description = "Crosskey flow IP/IP/Port/MCastIP",
       bucketsize = 60,
     },
 
     -- meters table
     -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short 
     -- 
     meters = {
-        {  0, T.K.vartype.RATE_COUNTER, 100, 0, "TCP Recv",  "bytes",    "Bps" },
-        {  1, T.K.vartype.RATE_COUNTER, 100, 0, "TCP Xmit",  "bytes",    "Bps" },
-        {  2, T.K.vartype.RATE_COUNTER, 100, 0, "Multicast",  "bytes",    "Bps" },
+        {  0, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec",  "TCP Recv",    "Bps" },
+        {  1, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec",  "TCP Xmit",    "Bps" },
+        {  2, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec",  "Multicast",    "Bps" },
     },  
 
   },

diff --git a/analyzers/IGMP_multicast/newcg-ip-multicast.lua b/analyzers/IGMP_multicast/newcg-ip-multicast.lua
@@ -1,46 +1,29 @@
---
--- new_counter_group.lua skeleton
---
--- TYPE:        FRONTEND SCRIPT
--- PURPOSE:     Create a new counter group
--- DESCRIPTION: Use this to create your own Metrics counter group with associated
---              meters and key mappings 
---
--- 
+-- Multicast Hosts
+--  	Tracks all the 224.0.0.0 hosts 
 -- 
 TrisulPlugin = { 
 
   -- the ID block, you can skip the fields marked 'optional '
   -- 
   id =  {
-    name = "IP x Multicast",
-    description = "Mapping ip to multicast", -- optional
+    name = "MCast Host ",
+    description = "Mcast host", -- optional
     author = "Unleash", -- optional
-    version_major = 1, -- optional
-    version_minor = 0, -- optional
   },
 
-  -- countergroup block
-  -- 
   countergroup = {
 
-    -- control table 
-	-- specify details of your new counter group you can use 
-	-- 'trisulctl_probe testbench guid' to get a new GUID
     control = {
       guid = "{2792D434-496E-40C9-5E2D-73B60623A631}", 
       name = "Multicast Hosts",
       description = "Count multicast traffic for members ",
       bucketsize = 60,
     },
 
-    -- meters table
-    -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short 
-    -- 
     meters = {
-        {  0, T.K.vartype.RATE_COUNTER, 1000, 0, "Total", "bytes",    "Bps" },
-        {  1, T.K.vartype.RATE_COUNTER, 1000, 0, "Recv", "bytes",    "Bps" },
-        {  2, T.K.vartype.RATE_COUNTER, 1000, 0, "Transmit", "bytes",    "Bps" },
+        {  0, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 		"Total",    "Bps" },
+        {  1, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 		"Recv",    "Bps" },
+        {  2, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 	"Transmit",    "Bps" },
     },  
 
   },

diff --git a/analyzers/IGMP_multicast/newcg-multicast-member.lua b/analyzers/IGMP_multicast/newcg-multicast-member.lua
@@ -1,32 +1,17 @@
---
--- new_counter_group.lua skeleton
---
--- TYPE:        FRONTEND SCRIPT
--- PURPOSE:     Create a new counter group
--- DESCRIPTION: Use this to create your own Metrics counter group with associated
---              meters and key mappings 
---
--- 
+-- Multicast Members 
 -- 
 TrisulPlugin = { 
 
   -- the ID block, you can skip the fields marked 'optional '
   -- 
   id =  {
     name = "Multicast Members",
-    description = "Meter packet lengths ", -- optional
+    description = "Unicast IP that are members of multicast group hosts", -- optional
     author = "Unleash", -- optional
-    version_major = 1, -- optional
-    version_minor = 0, -- optional
   },
 
-  -- countergroup block
-  -- 
   countergroup = {
 
-    -- control table 
-	-- specify details of your new counter group you can use 
-	-- 'trisulctl_probe testbench guid' to get a new GUID
     control = {
       guid = "{51177E0A-7535-46B7-1477-9F0E0E0F9808}", 
       name = "Multicast Members",
@@ -38,9 +23,9 @@ TrisulPlugin = {
     -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short 
     -- 
     meters = {
-        {  0, T.K.vartype.RATE_COUNTER, 10, 0, "Total", "bytes",    "Bps" },
-        {  1, T.K.vartype.RATE_COUNTER, 10, 0, "Recv", "bytes",    "Bps" },
-        {  2, T.K.vartype.RATE_COUNTER, 10, 0, "Transmit", "bytes",    "Bps" },
+        {  0, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 		"Total",    "Bps" },
+        {  1, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 		"Recv",    "Bps" },
+        {  2, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", 	"Transmit",    "Bps" },
     },  
 
   },

diff --git a/analyzers/IGMP_multicast/pkg.yaml b/analyzers/IGMP_multicast/pkg.yaml
@@ -1,6 +1,6 @@
 name: IGMP Multicast
 
-version: 0.0.3
+version: 0.0.4
 
 author: trisul
 

diff --git a/analyzers/IGMP_multicast/tcp-counter.lua b/analyzers/IGMP_multicast/tcp-counter.lua
@@ -1,8 +1,5 @@
 --
 -- TCP - TCP packet counter 
---
--- TYPE:        FRONTEND SCRIPT
--- PURPOSE:     Protocol Handler, 
 -- 
 
 local SWP= require'sweepbuf'
@@ -24,9 +21,6 @@ TrisulPlugin = {
     --attach to TCP  protocol
     protocol_guid = "{77E462AB-2E42-42EC-9A58-C1A6821D6B31}" ,
 
-    -- WHEN CALLED: when the Trisul platform detects a packet at the protocol_guid layer
-    --              above. In this case, every DNS packet
-    -- 
     onpacket = function(engine,layer)
 
 		local swb=SWP.new(layer:rawbytes():tostring())
@@ -43,6 +37,8 @@ TrisulPlugin = {
 		local dip = ipswb:next_ipv4()
 
 		local key=""
+		-- create the crosskey sip\dip\dport 
+		-- for TCP no multicast group 
 		if sport > dport then
 			key = sip.."\\"..dip.."\\"..dport 
 			engine:update_counter_bytes( "{942AB99F-7A65-4B2E-6F6C-A3050F0F7B35}", key, 0)

diff --git a/analyzers/IGMP_multicast/udp-counter.lua b/analyzers/IGMP_multicast/udp-counter.lua
@@ -76,6 +76,7 @@ TrisulPlugin = {
 
 		-- check if DIP has a mapping 
 		-- if no mapping dont do anything.. this is only for multicast mapping
+		-- a 4 tuple multicast mapping 
 		local mmap = T.multicast_mapping[dip]
 		if mmap then