Package SSF.OS.NetFlow.Filter
The Filter Package: SSF.OS.NetFlow.Filter
Interface Summary
| BasicFilter | The interface of a basic filter. |
| Range | The range interface. When configuring a range: equals -- exact match (ExactRange); min, max -- numerical range. |

Class Summary
| Decoder | Decoder base class for all kinds of data records connected using monitors. |
| ExactRange | This is for exact match. |
| Factor | |
| Filter | Composed of one or more "Terms". |
| FilterData | Just a wrap-up data structure. |
| FilterPlayer | Reads records from the NetFlow data file and passes all the records through a filter. |
| IpNetFlowDecoder | |
| NumericRange | Given a number, checks whether the number is within a range or not. |
| RERange | The range is specified by a regular expression. |
| SetRange | This Range class uses a set as reference. |
| Term | Like Filter, but composed of one or more "AND phrases" (Factor). |
Package SSF.OS.NetFlow.Filter Description
Contents
Overview
SSF.OS.NetFlow.Filter Implementation
Config Filters in DML
Examples and tests
Download
Overview
The SSF.OS.NetFlow.Filter package is a new package under development,
and many changes and updates are still expected. The idea is
straightforward: after the NetFlow data is collected and saved, the
natural next step is to make use of it. To do that efficiently, users need
a way to extract just those NetFlow records that are relevant to a more
specific problem, and that is the purpose of the Filter package: it helps
users specify filters of their own interest and apply them to the NetFlow
data. As in the other parts of SSFNet, users configure their filters
using DML, as shown later below.
There are reasons why a traditional relational database is not used here.
For NetFlow data and the applications using it, sequential operations
account for the absolute majority of accesses; random accesses are rarely
used. Most relational databases are optimized for better performance on
random accesses and provide many other features that might not be very
helpful here. Although there are also publications about stream
databases, no very mature product has come to our attention yet.
SSF.OS.NetFlow.Filter Implementation
The following few lines should look familiar to anyone who knows BNF,
grammars or compilers.
<filter> = <term> OR <filter> | EMPTY
<term> = <factor> AND <term> | <factor>
<factor> = ( <filter> ) | BASECASE | NOT BASECASE
These lines are not exactly how the Filter is implemented, but they are
the concepts behind the implementation. In general, a filter is composed
of several terms connected by the logical OR operation; each term is
composed of a few factors connected by the logical AND operation; and a
factor can contain a NOT operation, or use another filter. With this
general structure, the limits of what a filter can express depend entirely
on the BASECASE, which is explained in more detail below. Together with
the inheritance and replacement features provided by DML, users can write
very complicated filters of their own.
As for the base case, first consider what the simplest filter does: it is
given a record, checks whether it is within some range, and returns a
yes/no answer. The capability of the base case lies entirely in how the
range can be described and how the check is done. The current package
specifies a general interface for ranges.
public interface Range
{
    // describe the range
    public void config(Configuration cfg, byte dataType)
        throws configException;

    // check whether the given data is in range
    public boolean inRange(Object data, byte dataType);
}
Two basic ranges are provided in the package now. (A third one is coming
out very soon; it should be in the release of the SSF.OS.NetFlow.Filter
package as well.) One of them is NumericRange, which is specified by a
minimum and a maximum numerical value. The other is RERange (Regular
Expression Range; it uses the gnu.regexp package by Wesley Warden Bigg),
which is specified by a regular expression. The third one mentioned above
is SetRange, which is specified by a given set. User-defined ranges are
also supported now, so users can write their own range class and plug
it in.
The basic process of the filter is to extract the data of the relevant
field and check whether it satisfies the requirement. The data extraction
is accomplished with the help of Decoders. Each record type has
its own decoder. Given a field name, the decoder will return the index
of the field data in the byte array received by the filter. It has the
following abstract base class:
public abstract class Decoder
{
    public final static int FIELD_NOT_FOUND = -1;

    /**
     * If the field doesn't exist, return FIELD_NOT_FOUND.
     * The fieldType is also passed in so that the decoder can check
     * whether the fieldType matches the one that is retrieved by fieldName.
     * @return the index of the field; if it does not exist, FIELD_NOT_FOUND
     */
    public abstract int getFieldIndex(String fieldName,
                                      byte fieldType);
}
To demonstrate how the Filter class can be used, there is also a
FilterPlayer class within the package. (Actually, the Filter needs to
work with a BasicPlayer object or one of its descendants.) It is an
extended class of SSF.Util.Streams.BasicPlayer. Users can also write their
own FilterPlayer by extending this class. As its name suggests, this
player "shows" those data records that pass the given filter, and the
filter is configured using a DML file. The following section details how
to configure the filter with DML.
Config Filters in DML
The configuration of a Filter has two main parts. The first part consists
of the decoders that will be used by this filter, and the other is the
logic part. Below is a detailed explanation.
filter [
  decoder [
    name ......        # the record type name
    use ......         # the decoder class that should be used
  ]
  ... ...              #------------------------------Other decoders
  ... ...              #------------------------------Logic part
  term [
    factor [
      action ......      # deny or permit, the DEFAULT is permit. It's logically the "NOT" operation.
      field_name ......  # the field from where the data should be extracted
      field_type ......  # the data type of this field
      range [
        # range parameters
        # if it is Numeric Range
        min ......
        max ......
        # if it is Regular Expression Range, use attribute "reg_exp"
        # if it is user defined range, use attribute "use" to specify the class that should be used.
        # example: use SSF.OS.NetFlow.Filter.SetRange
      ]
    ]
    # other factors of this term
    ......
  ]
  # other terms of this filter
  ......
]
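The OR-of-terms, AND-of-factors evaluation that the grammar and the DML layout above describe, as an added stand-alone Java example (not code from the SSF.OS.NetFlow.Filter package). SimpleRange, Factor, FlowFilterDemo, the map-based record and the field names are assumptions made for illustration; nested filters inside a factor are left out, and treating a missing field as a non-match is this sketch's choice.

```java
import java.util.*;
import java.util.regex.Pattern;
// Added illustration: every class, method and field name here is hypothetical.
public class FlowFilterDemo {
    interface SimpleRange { boolean inRange(Object data); }
    // min/max numerical range, inclusive on both ends (an assumption of this sketch).
    static SimpleRange numeric(long min, long max) {
        return d -> d instanceof Number && ((Number) d).longValue() >= min
                && ((Number) d).longValue() <= max;
    }
    // Range given by a regular expression; the whole field value must match.
    static SimpleRange regex(String re) {
        Pattern p = Pattern.compile(re);
        return d -> d != null && p.matcher(d.toString()).matches();
    }
    // A factor: one field, one range, and permit/deny (deny is the logical NOT).
    static final class Factor {
        final String field; final SimpleRange range; final boolean permit;
        Factor(String field, SimpleRange range, boolean permit) {
            this.field = field; this.range = range; this.permit = permit;
        }
        boolean matches(Map<String, Object> rec) {
            // Fail closed: a missing field never matches, even under "deny".
            if (!rec.containsKey(field)) return false;
            return range.inRange(rec.get(field)) == permit;
        }
    }
    // filter = OR over terms; term = AND over factors.
    static boolean passes(List<List<Factor>> filter, Map<String, Object> rec) {
        for (List<Factor> term : filter) {
            boolean all = true;
            for (Factor f : term) if (!f.matches(rec)) { all = false; break; }
            if (all) return true;
        }
        return false; // no term matched (an empty filter passes nothing here)
    }
    public static void main(String[] args) {
        // Constructed filter: (dst_port in 0..1023 AND NOT src_ip ~ 10.*) OR protocol == 1
        List<List<Factor>> filter = Arrays.asList(
            Arrays.asList(new Factor("dst_port", numeric(0, 1023), true),
                          new Factor("src_ip", regex("10\\..*"), false)),
            Arrays.asList(new Factor("protocol", numeric(1, 1), true)));
        // Constructed sample record, keyed by field name instead of a byte array.
        Map<String, Object> rec = new HashMap<>();
        rec.put("dst_port", 22); rec.put("src_ip", "192.0.2.7"); rec.put("protocol", 6);
        System.out.println(passes(filter, rec));
        rec.put("src_ip", "10.1.2.3"); // now excluded by the deny factor
        System.out.println(passes(filter, rec));
    }
}
```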
Examples and tests
Example and test documents are here, with the examples of the SSF.OS.NetFlow
packages.
Download
The SSF.OS.NetFlow package includes the Filter package, and it should be extracted under $SSF_HOME/src/SSF/OS/. The FilterPlayer is not directly extended from SSF.Util.Streams.BasicPlayer, but it is mostly copied from it, and it will be integrated in the future.
Developed and maintained by Yougu Yuan (yuanyg@cs.dartmouth.edu).