Hi-Performance Protocol Identification Engine

Getting Information from HiPPIE via /proc

So now that you have this great code running in your kernel, what now?  Once you have enabled HiPPIE on some interface and it has started analyzing traffic, you need a way to get information back out of HiPPIE.  That is done through the HiPPIE /proc filesystem interfaces, all of which live under /proc/net/hippie.  Below is a list of the various interfaces and what they do:

stat Interface

The stat interface gives a few basic statistics about HiPPIE, such as packets processed and sessions processed, plus some instantaneous snapshots of HiPPIE's status (the session-table bucket counters).  Below is a sample of the /proc/net/hippie/stat output.

HiPPIE Statistics
Total Sessions Processed: 12297271
Current Active Sessions: 19873
Total Packets Processed: 633033395
Total Bytes Processed: 2050495144
Total Packets Inspected: 24867009
Total Sessions Predicted: 1333
Total Predictions Converted: 1258
Active Buckets: 14447
Max session bucket size: 40 (68/210)
Avg session bucket size: 0
Avg non-zero bucket size: 1
Buckets over 10 sessions: 135
Buckets over 25 sessions: 17
Buckets over 50 sessions: 0
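The stat output is "Name: value" lines, so it is easy to scrape from a monitoring job. The following is an added example, not part of HiPPIE: it parses the sample above (embedded as a constructed string) and derives the ratios an operator actually watches, namely the share of packets that went through inspection, how many session predictions were later confirmed, and how loaded the session hash buckets are. Two of the checks are heuristics chosen here, not documented behaviour: a maximum bucket far above the non-zero average is flagged as hash skew, and an average below 20 bytes per packet is flagged as a wrapped byte counter (the sample's 2050495144 bytes over 633033395 packets comes out at about 3 bytes per packet, which real traffic cannot produce).

```python
import re

# Constructed sample: the /proc/net/hippie/stat output quoted above,
# embedded so the example runs without the module loaded.
SAMPLE_STAT = """HiPPIE Statistics
Total Sessions Processed: 12297271
Current Active Sessions: 19873
Total Packets Processed: 633033395
Total Bytes Processed: 2050495144
Total Packets Inspected: 24867009
Total Sessions Predicted: 1333
Total Predictions Converted: 1258
Active Buckets: 14447
Max session bucket size: 40 (68/210)
Avg session bucket size: 0
Avg non-zero bucket size: 1
Buckets over 10 sessions: 135
Buckets over 25 sessions: 17
Buckets over 50 sessions: 0
"""

# Assumption used by the wrap heuristic: no IPv4 packet is smaller than its header.
MIN_IPV4_PACKET = 20
# Assumption: a max bucket more than ten times the non-zero average is skewed.
SKEW_FACTOR = 10


def parse_stat(text):
    """Turn 'Name: value' lines into {name: int}.

    The 'Max session bucket size' line carries a parenthesised suffix
    ('40 (68/210)'); the leading integer is stored under the key and the
    suffix under '<key> detail', since the page does not say what the two
    numbers in parentheses mean.
    """
    stats = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # the 'HiPPIE Statistics' title line
        m = re.match(r"\s*(\d+)\s*(.*)$", value)
        if not m:
            continue
        key = name.strip()
        stats[key] = int(m.group(1))
        if m.group(2):
            stats[key + " detail"] = m.group(2).strip()
    return stats


def derived_metrics(stats):
    """Ratios worth graphing or alerting on, computed from one stat snapshot."""
    pkts = stats["Total Packets Processed"]
    preds = stats["Total Sessions Predicted"]
    buckets = stats["Active Buckets"]
    bytes_per_pkt = stats["Total Bytes Processed"] / pkts if pkts else 0.0
    avg_nonzero = max(stats["Avg non-zero bucket size"], 1)
    return {
        # share of packets that went through deep inspection
        "inspected_fraction": stats["Total Packets Inspected"] / pkts if pkts else 0.0,
        # share of predicted sessions that actually turned up
        "prediction_conversion": stats["Total Predictions Converted"] / preds if preds else 0.0,
        "sessions_per_active_bucket": stats["Current Active Sessions"] / buckets if buckets else 0.0,
        "bytes_per_packet": bytes_per_pkt,
        # below one IPv4 header per packet the byte counter must have wrapped
        "byte_counter_wrapped": 0 < bytes_per_pkt < MIN_IPV4_PACKET,
        # one bucket far above the non-zero average suggests hash skew
        "bucket_skew": stats["Max session bucket size"] > SKEW_FACTOR * avg_nonzero,
    }


if __name__ == "__main__":
    snapshot = parse_stat(SAMPLE_STAT)
    for name, value in derived_metrics(snapshot).items():
        print(f"{name}: {value}")
```

On a live system replace SAMPLE_STAT with the contents of /proc/net/hippie/stat; the parser ignores the title line and any line whose value is not numeric, so an extra counter in a newer build does not break it.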

protocols Interface

The protocols interface lists every protocol loaded for analysis in HiPPIE, together with statistics for each.  The first group of counters covers all packets that contain a header of the given protocol anywhere; the second covers only packets in sessions whose final (innermost) header is the given protocol.  For application protocols the two groups will almost without exception be the same, whereas encapsulating protocols such as IP, TCP, UDP and so forth usually carry other protocol headers inside them that get classified further, so their first group will be much larger than the second.  Below is an example output from the protocols interface.

ID    Proto        Type    Encap    Persist    Insps    [Pkts    Conns    Bytes]    [Pkts    Conns    Bytes]    [Preds    Used]
1    ipv4        NET    TAG    No    0    640121513    12423352816321456    80640    38589    20076329    1356    1281
2    tcp        TRANS    TAG    No    1897744    476647803    46662801478434870    139966800    1477819    175932678    1078    1078
3    udp        TRANS    TAG    No    13113133    159674941    6699963    1090546892    148373522    3426134    3399213734    278    203
4    icmp        TRANS    TAG    No    0    3709014    1018513    226056509    3709014    1018513    226056509    0    0
5    gre        TRANS    TAG    No    0    0    0    0    0
6    esp        TRANS    TAG    No    0    9115    6    12068569115    6    1206856    0    0
7    http        APP    NONE    No    10125092    301539715    2517308    3179728409    301081027    2490829    3032520439    0    0
8    httptunnel    APP    NOTAG    No    10    47    2    13355    47    2    13355    0    0
9    ssl        APP    NONE    No    0    22935383    545861    1928640535    22935383    545861    1928640535    0    0
10    storm        APP    NONE    No    0    294    152    15675    294    152    15675    0    0
11    dns        APP    NONE    No    0    4406999    1385198    700336446    4406999    1385198    700336446    0    0
12    smtp        APP    NONE    No    0    907367    57810    102716990    907367    57810    102716990    0    0
13    ftp        APP    NONE    Yes    0    35838    1352    224490735838    1352    2244907    0    0
14    ftp-data    APP    NONE    No    0    4191835    0    4197709705    4191835    0    4197709705    1077    1077
15    irc        APP    NONE    Yes    0    8881    14    11828318881    14    1182831    0    0
16    irc-dcc        APP    NONE    No    0    53265    0    534673953265    0    53467393    1    1
17    rdp        APP    NONE    No    0    726513    37    443637113    726513    37    443637113    0    0
18    ssh        APP    NONE    No    0    45121    11    158112545121    11    15811253    0    0
19    socks        APP    NOTAG    No    82    534    41    24892    534    41    24892    0    0
20    pop3        APP    NONE    No    0    51567    1265    204582151567    1265    20458213    0    0
21    nntp        APP    NONE    No    0    0    0    0    0
22    novellcp    APP    NONE    No    0    191708    231    1679044191708    231    16790445    0    0
23    aim        APP    NONE    No    0    317585    1807    3887767317585    1807    38877674    0    0
24    msnim        APP    NONE    No    0    396264    1729    4179372396264    1729    41793727    0    0
25    yahooim        APP    NONE    No    0    111768    472    9632353111768    472    9632353    0    0
26    ares        APP    NONE    No    0    203405    17511    1164781203405    17511    11647816    0    0
27    bittorrent    APP    NONE    No    0    4341308    1170626    1288271628    4341308    1170626    1288271628    0    0
28    edonkey        APP    NONE    No    0    195642    8904    7879964195642    8904    78799649    0    0
29    gnutella    APP    NONE    No    0    510664    305896    142201483    510664    305896    142201483    0    0
30    mp2p        APP    NONE    No    0    3854849    471948    769724370    3854849    471948    769724370    0    0
31    rtsp        APP    NONE    Yes    0    3403767    299    3274944173    3403767    299    3274944173    278    203
32    sip        APP    NONE    Yes    0    10791    295    224146910791    295    2241469    0    0

On the console this output is tab-separated and lines up in columns; the web page does not preserve the spacing, so the columns above do not render properly.
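Read with tabs intact, each row has fourteen fields: the five descriptive columns, Insps, the "all packets" triple, the "final header" triple and the prediction pair. The example below is added here and is not HiPPIE code: it parses rows into records and computes the two quantities the paragraph above explains, the fraction of a protocol's packets that were carrying something else inside them (large for transports, near zero for applications) and how many of a protocol's predictions were used. The sample is constructed from the four rows of the table above that survived intact (udp, icmp, http, bittorrent), re-joined with tabs; the column names are chosen here.

```python
# Field names assigned here to the fourteen tab-separated columns of
# /proc/net/hippie/protocols (the bracketed header groups in the original).
COLUMNS = ("id", "proto", "type", "encap", "persist", "insps",
           "all_pkts", "all_conns", "all_bytes",
           "final_pkts", "final_conns", "final_bytes",
           "preds", "used")

# Constructed sample: header plus four intact rows from the page, tab-joined.
SAMPLE_PROTOCOLS = "\n".join([
    "ID\tProto\tType\tEncap\tPersist\tInsps\t[Pkts\tConns\tBytes]\t[Pkts\tConns\tBytes]\t[Preds\tUsed]",
    "3\tudp\tTRANS\tTAG\tNo\t13113133\t159674941\t6699963\t1090546892\t148373522\t3426134\t3399213734\t278\t203",
    "4\ticmp\tTRANS\tTAG\tNo\t0\t3709014\t1018513\t226056509\t3709014\t1018513\t226056509\t0\t0",
    "7\thttp\tAPP\tNONE\tNo\t10125092\t301539715\t2517308\t3179728409\t301081027\t2490829\t3032520439\t0\t0",
    "27\tbittorrent\tAPP\tNONE\tNo\t0\t4341308\t1170626\t1288271628\t4341308\t1170626\t1288271628\t0\t0",
])


def parse_protocols(text):
    """Parse the protocols table into a list of dicts, one per protocol.

    Splitting on whitespace works for the real tab-separated output and for
    space-separated copies, because no field contains spaces.  The header is
    skipped because its first token is not numeric; a row with the wrong
    number of fields (e.g. mangled in transit) is skipped rather than
    misaligned.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        rec = dict(zip(COLUMNS, fields))
        rec["id"] = int(rec["id"])
        rec["persist"] = rec["persist"] == "Yes"
        for key in COLUMNS[5:]:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def encapsulated_fraction(rec):
    """Share of this protocol's packets whose session was classified further,
    i.e. (all packets - packets whose final header is this protocol) / all."""
    if rec["all_pkts"] == 0:
        return 0.0
    return (rec["all_pkts"] - rec["final_pkts"]) / rec["all_pkts"]


def prediction_hit_rate(rec):
    """Used / Preds, or None when the protocol made no predictions."""
    if rec["preds"] == 0:
        return None
    return rec["used"] / rec["preds"]


def by_name(records, proto):
    """Look a protocol up by its name column."""
    for rec in records:
        if rec["proto"] == proto:
            return rec
    return None


if __name__ == "__main__":
    for rec in parse_protocols(SAMPLE_PROTOCOLS):
        print(f'{rec["proto"]:>10}  encapsulated={encapsulated_fraction(rec):.4f}  '
              f'hit_rate={prediction_hit_rate(rec)}')
```

Note that the udp row's second byte counter (3399213734) is larger than its first (1090546892), which the definition of the two groups does not allow; the table copied here gives no further information about it, so the helper reports the fields as they are rather than silently correcting them.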

sessions/all Interface

The sessions/all proc interface dumps the entire current active session table as text.  Below is an example output from a very small session table.  The addresses have been obfuscated for the hosts' protection.

SessID    Proto    Packets    Timeout    State    Protocol Information
3532    ssh    174    299        [ ipv4 src x.x.0.4 dst y.y.255.245 proto 6 ][ tcp sport 63520 dport: 22 state TCP_NORMAL ][ ssh  ]
3533    dns    4    15        [ ipv4 src x.x.255.245 dst y.y.254.2 proto 17 ][ udp sport 32768 dport: 53 State: UDP_UNANS ][ dns  ]
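Each session line carries the header chain in bracketed groups, and the key/value layout is not uniform ("dport: 22" and "state TCP_NORMAL" beside "State: UDP_UNANS"), so a parser has to normalise the keys. The example below is added here and is not HiPPIE code: it parses the two sessions shown above into records and then runs a simple defender check over them, listing sessions whose identified application protocol is not on a port it is expected on. Because HiPPIE classifies by content rather than by port, that check is how the session table reveals, say, SSH carried on a web port. A third row (SessID 3534, ssh on dport 8080) and the expected-port map are constructed for the example and are not from the page.

```python
import re

# Constructed sample: the two sessions from the dump above plus an invented
# third row (SessID 3534) where ssh was identified on dport 8080.
SAMPLE_SESSIONS = "\n".join([
    "SessID\tProto\tPackets\tTimeout\tState\tProtocol Information",
    "3532\tssh\t174\t299\t\t[ ipv4 src x.x.0.4 dst y.y.255.245 proto 6 ]"
    "[ tcp sport 63520 dport: 22 state TCP_NORMAL ][ ssh  ]",
    "3533\tdns\t4\t15\t\t[ ipv4 src x.x.255.245 dst y.y.254.2 proto 17 ]"
    "[ udp sport 32768 dport: 53 State: UDP_UNANS ][ dns  ]",
    "3534\tssh\t31\t299\t\t[ ipv4 src x.x.0.9 dst y.y.255.245 proto 6 ]"
    "[ tcp sport 40211 dport: 8080 state TCP_NORMAL ][ ssh  ]",
])

# Assumed policy for the check: which destination ports each protocol belongs on.
EXPECTED_PORTS = {"ssh": {22}, "dns": {53}}

LAYER_RE = re.compile(r"\[\s*(.*?)\s*\]")


def parse_layer(body):
    """'tcp sport 63520 dport: 22 state TCP_NORMAL' -> dict.

    Keys are lower-cased and a trailing ':' is dropped so that 'dport: 22',
    'state TCP_NORMAL' and 'State: UDP_UNANS' all end up under plain keys.
    A bare layer such as 'ssh' yields only its name.
    """
    tokens = body.split()
    layer = {"name": tokens[0]}
    pairs = tokens[1:]
    for key, value in zip(pairs[0::2], pairs[1::2]):
        layer[key.rstrip(":").lower()] = value
    return layer


def parse_sessions(text):
    """Parse sessions/all output into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        head, bracket, tail = line.partition("[")
        if not bracket:
            continue                      # header line has no layer groups
        fields = head.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        sessions.append({
            "id": int(fields[0]),
            "proto": fields[1],
            "packets": int(fields[2]),
            "timeout": int(fields[3]),
            # the State column is empty in the sample; keep it if present
            "state": fields[4] if len(fields) > 4 else None,
            "layers": [parse_layer(b) for b in LAYER_RE.findall(bracket + tail)],
        })
    return sessions


def dport(session):
    """Destination port from the transport layer, or None if there is none."""
    for layer in session["layers"]:
        if "dport" in layer:
            return int(layer["dport"])
    return None


def off_port_sessions(sessions, expected=EXPECTED_PORTS):
    """IDs of sessions whose identified protocol sits on an unexpected port."""
    hits = []
    for s in sessions:
        ports = expected.get(s["proto"])
        if ports is not None and dport(s) not in ports:
            hits.append(s["id"])
    return hits


if __name__ == "__main__":
    table = parse_sessions(SAMPLE_SESSIONS)
    for s in table:
        print(s["id"], s["proto"], [layer["name"] for layer in s["layers"]])
    print("off-port sessions:", off_port_sessions(table))
```

Protocols absent from the expected-port map are ignored by the check, so an operator can start with a short list of protocols they care about and widen it later.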

interfaces/* Interfaces

The interfaces directory contains one proc file for each network interface on your system.  These are currently the only read/write proc interfaces within HiPPIE; they enable and disable packet reading from an interface for HiPPIE analysis.  To enable packet reading from an interface for inbound traffic only, echo 1 into that interface file as root.  (NOTE: for a passive span interface you will also need to put the interface into promiscuous mode with ifconfig [interface] promisc.)  To enable packet reading for both inbound and outbound traffic, echo 2 into that interface file as root.  To disable the interface, echo 0 into it as root.  If you are just curious whether the interface is currently enabled, cat the interface file: it prints 0 or 1 for disabled or enabled, respectively.
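The echo/cat procedure above is easy to get wrong from a script (a typo in the value, an interface name that does not exist, or a path that wanders out of the interfaces directory), so here is an added example, not HiPPIE code, that wraps it: it validates the interface name and the mode, writes the documented 0/1/2 value, reads the state back, and can inventory the state of every interface HiPPIE knows about. The mode names "off", "inbound" and "both" are labels chosen here for the page's values 0, 1 and 2. The demo() function exercises the helpers against a scratch directory standing in for /proc/net/hippie, using ordinary files; on a real system the proc files need root to write and report 0 or 1 as described above.

```python
import os
import tempfile

# Labels chosen here for the values the page documents for an interface file.
MODES = {"off": "0", "inbound": "1", "both": "2"}


def interface_path(iface, proc_root="/proc/net/hippie"):
    """Path of the per-interface control file.

    Names containing a path separator, '.', '..' or a NUL are refused so a
    caller cannot be steered into writing to some other proc file.
    """
    if not iface or iface in (".", "..") or "/" in iface or "\0" in iface:
        raise ValueError(f"bad interface name: {iface!r}")
    return os.path.join(proc_root, "interfaces", iface)


def capture_state(iface, proc_root="/proc/net/hippie"):
    """Read the interface file; HiPPIE reports 0 (disabled) or 1 (enabled)."""
    with open(interface_path(iface, proc_root)) as f:
        return f.read().strip()


def set_capture(iface, mode, proc_root="/proc/net/hippie"):
    """Write the value for `mode` (needs root on a real system) and return
    the state the file reports afterwards."""
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}, got {mode!r}")
    path = interface_path(iface, proc_root)
    if not os.path.exists(path):
        raise FileNotFoundError(f"{iface} has no HiPPIE interface file")
    with open(path, "w") as f:
        f.write(MODES[mode])
    return capture_state(iface, proc_root)


def capture_inventory(proc_root="/proc/net/hippie"):
    """State of every interface HiPPIE exposes, e.g. {'eth0': '1', 'eth1': '0'}."""
    directory = os.path.join(proc_root, "interfaces")
    return {name: capture_state(name, proc_root)
            for name in sorted(os.listdir(directory))}


def demo():
    """Run the helpers against a constructed scratch tree (regular files,
    not the module's proc files) and return what each call produced."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "interfaces"))
    for name in ("eth0", "eth1"):
        with open(interface_path(name, root), "w") as f:
            f.write("0\n")
    result = {"before": capture_inventory(root)}
    result["eth1_inbound"] = set_capture("eth1", "inbound", root)
    result["eth0_off"] = set_capture("eth0", "off", root)
    try:
        interface_path("../stat", root)
        result["rejected_bad_name"] = False
    except ValueError:
        result["rejected_bad_name"] = True
    try:
        set_capture("eth0", "3", root)
        result["rejected_bad_mode"] = False
    except ValueError:
        result["rejected_bad_mode"] = True
    try:
        set_capture("eth9", "off", root)
        result["rejected_missing"] = False
    except FileNotFoundError:
        result["rejected_missing"] = True
    result["after"] = capture_inventory(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```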
