From 6c4231f4118da6250255399da14ffd707d297ed3 Mon Sep 17 00:00:00 2001
From: Vivek Rajagopalan
Date: Fri, 14 Oct 2022 17:18:20 +0530
Subject: [PATCH] cleaned up IGMP
---
analyzers/IGMP_multicast/README.md | 43 +++++++++++++++++++
analyzers/IGMP_multicast/newcg-crosskey.lua | 14 +++---
.../IGMP_multicast/newcg-ip-multicast.lua | 31 +++----------
.../IGMP_multicast/newcg-multicast-member.lua | 25 +++--------
analyzers/IGMP_multicast/pkg.yaml | 2 +-
analyzers/IGMP_multicast/tcp-counter.lua | 8 +---
analyzers/IGMP_multicast/udp-counter.lua | 1 +
7 files changed, 67 insertions(+), 57 deletions(-)
create mode 100644 analyzers/IGMP_multicast/README.md
diff --git a/analyzers/IGMP_multicast/README.md b/analyzers/IGMP_multicast/README.md
new file mode 100644
index 0000000..da3d00b
--- /dev/null
+++ b/analyzers/IGMP_multicast/README.md
@@ -0,0 +1,43 @@
+# IGMP Multicast monitor
+
+This Trisul APP provides the following features.
+
+
+Adds three new counter groups
+1. Multicast Hosts - tracks all 224.0.0.0 through 239.255.255.255 multicast space IPs
+2. Multicast Members - tracks individual unicast members of the multicast group
+3. Exchange XFlow - tracks flows UnicastDestIP/DestPort/UnicastSourceIP/MulticastDestIP
+
+
+## Use case
+
+When you want to disaggregate multicast group traffic and account for individual IPs.
+
+
+## How to use
+
+Go to Retro > Retro Counters
+Then Select "Multicast Hosts" and "Multicast Members" to see traffic.
+
+Select "Exchange XFlow" to view individual multicast flows
+
+
+Example
+
+```
+10.22.100.10\172.19.1.2\18001\239.50.50.50 250MB
+```
+
+This should be interpreted as
+
+IP 172.19.1.2 is sending 250MB to the multicast address 239.50.50.50 port 18001 and received by member 10.22.100.10
+
+
+UPDATES
+=======
+
+````
+0.0.4 Oct 13 2022 Added README.md
+````
+
+
diff --git a/analyzers/IGMP_multicast/newcg-crosskey.lua b/analyzers/IGMP_multicast/newcg-crosskey.lua
index 6c3ebb6..ba9ca66 100644
--- a/analyzers/IGMP_multicast/newcg-crosskey.lua
+++ b/analyzers/IGMP_multicast/newcg-crosskey.lua @@ -1,6 +1,8 @@ -- --- crosskey multicast --- +-- Exchange X Flow +-- counts TCP Recv/Xmit/UDP multicast +-- +-- actual-destination-ip/actual-source-ip/port/destination-multicast-ip -- -- TrisulPlugin = { @@ -22,7 +24,7 @@ TrisulPlugin = { control = { guid = "{942AB99F-7A65-4B2E-6F6C-A3050F0F7B35}", name = "Exchange XFlow", - description = "Crosskey flow IP/IP/Port", + description = "Crosskey flow IP/IP/Port/MCastIP", bucketsize = 60, }, @@ -30,9 +32,9 @@ TrisulPlugin = { -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short -- meters = { - { 0, T.K.vartype.RATE_COUNTER, 100, 0, "TCP Recv", "bytes", "Bps" }, - { 1, T.K.vartype.RATE_COUNTER, 100, 0, "TCP Xmit", "bytes", "Bps" }, - { 2, T.K.vartype.RATE_COUNTER, 100, 0, "Multicast", "bytes", "Bps" }, + { 0, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec", "TCP Recv", "Bps" }, + { 1, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec", "TCP Xmit", "Bps" }, + { 2, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec", "Multicast", "Bps" }, }, }, diff --git a/analyzers/IGMP_multicast/newcg-ip-multicast.lua b/analyzers/IGMP_multicast/newcg-ip-multicast.lua index a85a7af..1f08422 100644 --- a/analyzers/IGMP_multicast/newcg-ip-multicast.lua +++ b/analyzers/IGMP_multicast/newcg-ip-multicast.lua 
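Review bot: In the meters table of newcg-crosskey.lua the fifth and sixth fields are swapped, so each row now reads like `{ 0, T.K.vartype.RATE_COUNTER, 100, 0, "bytes/sec", "TCP Recv", "Bps" }` while the comment directly above still documents the order as `Name, units, units-short`. One of the two is wrong, and a mislabelled meter is easy to misread when someone is using these counters to investigate traffic. If the new order is what the platform expects, the comment should say so, for example `-- id, type of meter, toppers to track, bottom-ers to track, units, Name, units-short`. The same swap is made in newcg-ip-multicast.lua (where the explanatory comment is deleted) and in newcg-multicast-member.lua (where the old comment is kept). Those two files also use `"bytes"` where this one uses `"bytes/sec"`; a single spelling across the three groups would keep the displayed units consistent.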
@@ -1,32 +1,18 @@ --- --- new_counter_group.lua skeleton --- --- TYPE: FRONTEND SCRIPT --- PURPOSE: Create a new counter group --- DESCRIPTION: Use this to create your own Metrics counter group with associated --- meters and key mappings --- --- +-- Multicast Hosts +-- Tracks all the 224.0.0.0 hosts -- TrisulPlugin = { -- the ID block, you can skip the fields marked 'optional ' -- id = { - name = "IP x Multicast", - description = "Mapping ip to multicast", -- optional + name = "MCast Host ", + description = "Mcast host", -- optional author = "Unleash", -- optional - version_major = 1, -- optional - version_minor = 0, -- optional }, - -- countergroup block - -- countergroup = { - -- control table - -- specify details of your new counter group you can use - -- 'trisulctl_probe testbench guid' to get a new GUID control = { guid = "{2792D434-496E-40C9-5E2D-73B60623A631}", name = "Multicast Hosts", @@ -34,13 +20,10 @@ TrisulPlugin = { bucketsize = 60, }, - -- meters table - -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short - -- meters = { - { 0, T.K.vartype.RATE_COUNTER, 1000, 0, "Total", "bytes", "Bps" }, - { 1, T.K.vartype.RATE_COUNTER, 1000, 0, "Recv", "bytes", "Bps" }, - { 2, T.K.vartype.RATE_COUNTER, 1000, 0, "Transmit", "bytes", "Bps" }, + { 0, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Total", "Bps" }, + { 1, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Recv", "Bps" }, + { 2, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Transmit", "Bps" }, }, }, diff --git a/analyzers/IGMP_multicast/newcg-multicast-member.lua b/analyzers/IGMP_multicast/newcg-multicast-member.lua index 20ef96e..fae65cb 100644 --- a/analyzers/IGMP_multicast/newcg-multicast-member.lua +++ b/analyzers/IGMP_multicast/newcg-multicast-member.lua 
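Review bot: The id block in the first hunk of newcg-ip-multicast.lua sets `name = "MCast Host ",` with a trailing space, and the value no longer matches the counter group's own `name = "Multicast Hosts"` in the control table or the name used in the new README. Unless the plugin id is deliberately distinct, `name = "Multicast Hosts",` keeps log lines and plugin listings easy to correlate with the counter group. The new header comment `-- Tracks all the 224.0.0.0 hosts` is also narrower than what the README states; `-- Tracks all hosts in the multicast range 224.0.0.0 through 239.255.255.255` would agree with it.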
@@ -1,12 +1,4 @@ --- --- new_counter_group.lua skeleton --- --- TYPE: FRONTEND SCRIPT --- PURPOSE: Create a new counter group --- DESCRIPTION: Use this to create your own Metrics counter group with associated --- meters and key mappings --- --- +-- Multicast Members -- TrisulPlugin = { @@ -14,19 +6,12 @@ TrisulPlugin = { -- id = { name = "Multicast Members", - description = "Meter packet lengths ", -- optional + description = "Unicast IP that are members of multicast group hosts", -- optional author = "Unleash", -- optional - version_major = 1, -- optional - version_minor = 0, -- optional }, - -- countergroup block - -- countergroup = { - -- control table - -- specify details of your new counter group you can use - -- 'trisulctl_probe testbench guid' to get a new GUID control = { guid = "{51177E0A-7535-46B7-1477-9F0E0E0F9808}", name = "Multicast Members", @@ -38,9 +23,9 @@ TrisulPlugin = { -- id, type of meter, toppers to track, bottom-ers to track, Name, units, units-short -- meters = { - { 0, T.K.vartype.RATE_COUNTER, 10, 0, "Total", "bytes", "Bps" }, - { 1, T.K.vartype.RATE_COUNTER, 10, 0, "Recv", "bytes", "Bps" }, - { 2, T.K.vartype.RATE_COUNTER, 10, 0, "Transmit", "bytes", "Bps" }, + { 0, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Total", "Bps" }, + { 1, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Recv", "Bps" }, + { 2, T.K.vartype.RATE_COUNTER, 1000, 0, "bytes", "Transmit", "Bps" }, }, }, diff --git a/analyzers/IGMP_multicast/pkg.yaml b/analyzers/IGMP_multicast/pkg.yaml index f13b5eb..3d7f6a9 100644 --- a/analyzers/IGMP_multicast/pkg.yaml +++ b/analyzers/IGMP_multicast/pkg.yaml @@ -1,6 +1,6 @@ name: IGMP Multicast -version: 0.0.3 +version: 0.0.4 author: trisul diff --git a/analyzers/IGMP_multicast/tcp-counter.lua b/analyzers/IGMP_multicast/tcp-counter.lua index e892020..e9df7e8 100644 --- a/analyzers/IGMP_multicast/tcp-counter.lua +++ b/analyzers/IGMP_multicast/tcp-counter.lua 
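Review bot: The meters rows in the last hunk of newcg-multicast-member.lua raise the third field from `10` to `1000`, which the comment above them describes as the number of toppers to track, yet neither the commit subject ("cleaned up IGMP") nor the README changelog entry mentions it. This is a behaviour change rather than a cleanup: the keys in this group appear to be member addresses learned from observed traffic, so a hundredfold larger topper set presumably increases the state kept per bucket, which is worth confirming against the probe's sizing. I would record it where operators will look, e.g. a comment `-- 1000 toppers, matching the Multicast Hosts group` above the table and a line in the README UPDATES block.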
@@ -1,8 +1,5 @@ -- -- TCP - TCP packet counter --- --- TYPE: FRONTEND SCRIPT --- PURPOSE: Protocol Handler, -- local SWP= require'sweepbuf' @@ -24,9 +21,6 @@ TrisulPlugin = { --attach to TCP protocol protocol_guid = "{77E462AB-2E42-42EC-9A58-C1A6821D6B31}" , - -- WHEN CALLED: when the Trisul platform detects a packet at the protocol_guid layer - -- above. In this case, every DNS packet - -- onpacket = function(engine,layer) local swb=SWP.new(layer:rawbytes():tostring()) @@ -43,6 +37,8 @@ TrisulPlugin = { local dip = ipswb:next_ipv4() local key="" + -- create the crosskey sip\dip\dport + -- for TCP no multicast group if sport > dport then key = sip.."\\"..dip.."\\"..dport engine:update_counter_bytes( "{942AB99F-7A65-4B2E-6F6C-A3050F0F7B35}", key, 0) diff --git a/analyzers/IGMP_multicast/udp-counter.lua b/analyzers/IGMP_multicast/udp-counter.lua index 7f909a1..87a4a0b 100644 --- a/analyzers/IGMP_multicast/udp-counter.lua +++ b/analyzers/IGMP_multicast/udp-counter.lua @@ -76,6 +76,7 @@ TrisulPlugin = { -- check if DIP has a mapping -- if no mapping dont do anything.. this is only for multicast mapping + -- a 4 tuple multicast mapping local mmap = T.multicast_mapping[dip] if mmap then
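Review bot: The comment added in onpacket of tcp-counter.lua documents a three-part key, `sip\dip\dport`, but that key is written to counter group `{942AB99F-7A65-4B2E-6F6C-A3050F0F7B35}`, whose description this same commit changes to `IP/IP/Port/MCastIP` and whose README example is four-part. One group therefore holds keys of two shapes, and any report or alert rule that splits a key on `\` has to handle both. The comment should say so outright, for example `-- TCP keys are 3-part (sip\dip\dport); only UDP multicast keys carry the 4th part, the multicast group IP`, and the group description should mention the TCP form as well. onpacket begins before this hunk and the `if sport > dport` branch continues past it, so the other direction's key is not visible here.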