Verified Commit 403939ec authored by Martin Petráček's avatar Martin Petráček

don't squash flows without hostname into one (preserve dest_ip)

parent 1663fe34
......@@ -75,10 +75,12 @@ def squash(from_details, to_details, up_to, window, size_threshold):
first = True
for entry in tmp.execute('SELECT rowid, start, (start+duration) AS end, duration, src_mac, src_ip, src_port, dest_ip, dest_port, proto, app_proto, bytes_send, bytes_received, app_hostname FROM traffic WHERE details = ? AND start > ? AND start <= ? AND src_mac = ? AND dest_port = ? AND proto = ? ORDER BY start', (from_details, current_start, current_start+window, row['src_mac'], row['dest_port'], row['proto'])):
#hostname comparison done here (not in SQL query) because of None values
#we want to merge records with unknown hostname together (in python None==None)
if entry['app_hostname']!=row['app_hostname']:
continue
logging.debug("joining with:")
#if hostname is Null, we only want to merge flows with equal dest_ip
if not entry['app_hostname'] and entry['dest_ip']!=row['dest_ip']:
continue
logging.debug("merging with:")
logging.debug(tuple(entry))
current_end = max(current_end, float(entry['end']))
current_bytes_send += int(entry['bytes_send'])
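Review bot: The new guard `if not entry['app_hostname'] and entry['dest_ip']!=row['dest_ip']:` is a truthiness test, so an empty-string hostname is treated the same as NULL although the comment above it says "if hostname is Null"; if both are intended, make the comment say so (`#if hostname is NULL or empty, we only want to merge flows with equal dest_ip`), otherwise use `if entry['app_hostname'] is None and entry['dest_ip']!=row['dest_ip']:`. Because the hostname equality check a few lines earlier already skips entries whose app_hostname differs from row's, the dest_ip comparison can only fire when both sides lack a hostname; a one-line comment stating that would save the next reader working it out. Since the SELECT above already binds src_mac, dest_port and proto as parameters, the dest_ip condition could also be pushed into the query (`AND dest_ip = ?` when row['app_hostname'] is None) instead of filtering per row in Python; that is a refactor rather than a defect. squash() begins before this hunk and continues after it.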
......
......@@ -92,9 +92,9 @@ def query(query):
domains = []
if aggregate:
last2 = [0,0]
result=c.execute("""select start,duration,src_mac,app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from traffic where flow_id IS NULL AND """+where_clause+"""
result=c.execute("""select start,duration,src_mac,coalesce(app_hostname,dest_ip) as app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from traffic where flow_id IS NULL AND """+where_clause+"""
UNION ALL
select start,duration,src_mac,app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from archive.traffic where """+where_clause+"""
select start,duration,src_mac,coalesce(app_hostname,dest_ip) as app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from archive.traffic where """+where_clause+"""
ORDER BY src_mac,app_hostname,dest_port,start""", where_parameters + where_parameters)
last=c.fetchone()
if last:
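Review bot: The select column list is now spelled out verbatim four times (aggregate and non-aggregate branch, each for traffic and archive.traffic), and this commit itself shows the drift that invites: in the hunk at `@@ -135,7 +135,7` the traffic select appears as unchanged context already carrying `coalesce(app_hostname,dest_ip)`, while its archive.traffic twin only gets it now. Hoisting the list into one module-level constant, e.g. `FLOW_COLUMNS = "start,duration,src_mac,coalesce(app_hostname,dest_ip) as app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received"`, and writing `"select " + FLOW_COLUMNS + " from traffic where flow_id IS NULL AND " + where_clause`, keeps all four selects in step. Both statements are still assembled by concatenating `where_clause` into the SQL text while only `where_parameters` are bound; where_clause is built outside this hunk, so it is worth confirming it holds only column names and `?` placeholders and never a caller-supplied value. The same point applies to the hunk at `@@ -135,7 +135,7`; query() starts before this hunk and continues after it.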
......@@ -135,7 +135,7 @@ def query(query):
else:
result = c.execute("""select start,duration,src_mac,coalesce(app_hostname,dest_ip) as app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from traffic where flow_id IS NULL AND """+where_clause+"""
UNION ALL
select start,duration,src_mac,app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from archive.traffic where """+where_clause+"""
select start,duration,src_mac,coalesce(app_hostname,dest_ip) as app_hostname,(dest_port || '/' || lower(proto)) as dest_port,app_proto,bytes_send,bytes_received from archive.traffic where """+where_clause+"""
ORDER BY app_hostname,app_proto,start""", where_parameters + where_parameters)
last=c.fetchone()
if last:
......