N Code Execution Model

The NFR programming language is an interpreted language intended to be used to process data from network devices. It is a general-purpose language, with typed variables, iteration constructs, and procedures. The language is parsed by a continuously running engine, which makes packet streams available to NFR code.

The engine runs as a daemon and is interpretive and single threaded. The engine is non-preemptive, with an embedded yacc parser. Typically it reads data from a set of input descriptors, and listens on one input descriptor. The input descriptor is either a FIFO or a TCP socket. When another process connects to the engine, the engine creates a command interface to read requests from the external program. A small number of commands control the engine:

read
directs the engine to read a file, parse it, and include it in the execution environment. The read command takes only one parameter, the name of the file to read.
intf
adds another network listening device. The names of the devices that can be added as network interfaces are system dependent. Typically, the names can be discovered by using either the netstat command or the ifconfig command.
stats
displays statistics about engine operation. There are a variety of statistics which the engine can display. These include statistics about packet gathering, network stack reassembly, network stack connection management, and function invocation.
pace
reads an external FIFO that is providing packets. This command can be used to test new executable code in a non-sniffing environment. tcpdump sessions can be replayed in an external process (pace-pcap) and read by an engine with specific embedded NFR code.

The intended operation of the engine is to transfer data from the network traffic to processes behind the engine which further reduce the data. These processes are called recorders. Recorders can save data for archival reasons, build graphic images rendering the data, or construct relationships from the data to make new inferences. The NFR engine sifts through network traffic, sending interesting data over to the recorders. Even though the primary role of the engine is to move data to the recorders, NFR code can perform substantial processing on the packet data before it is handed over to the recorders.

The engine processes data by listening for network traffic. The engine uses libpcap to direct the sniffing on network interfaces. This makes the engine portable to platforms that support libpcap. As a packet moves through network stacks in the engine, triggers are tested. If any trigger matches, then the associated NFR filter or function is interpreted.

The NFR engine interprets instructions, not source code. Instructions are generated by parsing the NFR code when a command interface directs the engine to read a file.

NOTE: Variables are bound late, but function invocation is not. Types are associated with variables. A variable's type can change over the execution of NFR code.
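
An added illustration of the note above, written in Python; it is not N-Code syntax and not NFR's implementation. The Engine class, the instruction names (push, load, call) and the reading of "not bound late" as "the callee is resolved when the file is read" are assumptions of this toy model.

```python
class Engine:
    """Toy model: source is parsed once into instructions, which are then interpreted."""

    def __init__(self):
        self.functions = {}  # name -> instruction list, filled in at read time
        self.variables = {}  # name -> value, consulted only at run time

    def read(self, name, source_lines):
        """Model of the 'read' command: parse the lines and keep only instructions."""
        code = []
        for line in source_lines:
            op, arg = line.split(None, 1)
            if op == "call":
                # Assumed early binding: the callee is resolved now, at parse time.
                if arg not in self.functions:
                    raise NameError(f"function {arg!r} unknown while reading {name!r}")
                code.append(("call", self.functions[arg]))
            elif op in ("load", "push"):
                # 'load' keeps only the variable name (late binding); 'push' a literal.
                code.append((op, arg))
            else:
                raise SyntaxError(f"unknown instruction {op!r}")
        self.functions[name] = code

    def run(self, name):
        out = []
        self._execute(self.functions[name], out)
        return out

    def _execute(self, code, out):
        for op, arg in code:
            if op == "call":
                self._execute(arg, out)          # target fixed when the caller was read
            elif op == "load":
                out.append(self.variables[arg])  # looked up now; value and type may differ
            else:
                out.append(arg)


def demo():
    engine = Engine()
    engine.read("helper", ["push old-helper"])
    engine.read("filter", ["call helper", "load threshold"])
    engine.variables["threshold"] = 10            # bound after 'filter' was parsed
    first = engine.run("filter")
    engine.variables["threshold"] = "10/sec"      # same variable, now a string
    engine.read("helper", ["push new-helper"])    # redefined after 'filter' was parsed
    second = engine.run("filter")
    return first, second
```

In this model the second run still reaches the original helper because the call was resolved when "filter" was read, while the variable is picked up with its new value and type.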

