suricata
output-json-flow.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  * Implements Flow JSON logging portion of the engine.
24  */
25 
26 #include "suricata-common.h"
27 #include "debug.h"
28 #include "detect.h"
29 #include "pkt-var.h"
30 #include "conf.h"
31 
32 #include "threads.h"
33 #include "threadvars.h"
34 #include "tm-threads.h"
35 
36 #include "util-print.h"
37 #include "util-unittest.h"
38 
39 #include "util-debug.h"
40 
41 #include "output.h"
42 #include "util-privs.h"
43 #include "util-buffer.h"
44 #include "util-proto-name.h"
45 #include "util-logopenfile.h"
46 #include "util-time.h"
47 #include "output-json.h"
48 #include "output-json-flow.h"
49 
50 #include "stream-tcp-private.h"
51 
52 #ifdef HAVE_LIBJANSSON
53 
54 typedef struct LogJsonFileCtx_ {
55  LogFileCtx *file_ctx;
56  uint32_t flags; /** Store mode */
57  OutputJsonCommonSettings cfg;
58 } LogJsonFileCtx;
59 
60 typedef struct JsonFlowLogThread_ {
61  LogJsonFileCtx *flowlog_ctx;
62  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
63  MemBuffer *buffer;
64 } JsonFlowLogThread;
65 
66 static json_t *CreateJSONHeaderFromFlow(const Flow *f, const char *event_type)
67 {
68  char timebuf[64];
69  char srcip[46] = {0}, dstip[46] = {0};
70  Port sp, dp;
71 
72  json_t *js = json_object();
73  if (unlikely(js == NULL))
74  return NULL;
75 
76  struct timeval tv;
77  memset(&tv, 0x00, sizeof(tv));
78  TimeGet(&tv);
79 
80  CreateIsoTimeString(&tv, timebuf, sizeof(timebuf));
81 
82  if ((f->flags & FLOW_DIR_REVERSED) == 0) {
83  if (FLOW_IS_IPV4(f)) {
84  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), srcip, sizeof(srcip));
85  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), dstip, sizeof(dstip));
86  } else if (FLOW_IS_IPV6(f)) {
87  PrintInet(AF_INET6, (const void *)&(f->src.address), srcip, sizeof(srcip));
88  PrintInet(AF_INET6, (const void *)&(f->dst.address), dstip, sizeof(dstip));
89  }
90  sp = f->sp;
91  dp = f->dp;
92  } else {
93  if (FLOW_IS_IPV4(f)) {
94  PrintInet(AF_INET, (const void *)&(f->dst.addr_data32[0]), srcip, sizeof(srcip));
95  PrintInet(AF_INET, (const void *)&(f->src.addr_data32[0]), dstip, sizeof(dstip));
96  } else if (FLOW_IS_IPV6(f)) {
97  PrintInet(AF_INET6, (const void *)&(f->dst.address), srcip, sizeof(srcip));
98  PrintInet(AF_INET6, (const void *)&(f->src.address), dstip, sizeof(dstip));
99  }
100  sp = f->dp;
101  dp = f->sp;
102  }
103 
104  char proto[16];
105  if (SCProtoNameValid(f->proto) == TRUE) {
106  strlcpy(proto, known_proto[f->proto], sizeof(proto));
107  } else {
108  snprintf(proto, sizeof(proto), "%03" PRIu32, f->proto);
109  }
110 
111  /* time */
112  json_object_set_new(js, "timestamp", json_string(timebuf));
113 
114  CreateJSONFlowId(js, (const Flow *)f);
115 
116 #if 0 // TODO
117  /* sensor id */
118  if (sensor_id >= 0)
119  json_object_set_new(js, "sensor_id", json_integer(sensor_id));
120 #endif
121  if (event_type) {
122  json_object_set_new(js, "event_type", json_string(event_type));
123  }
124 #if 0
125  /* vlan */
126  if (f->vlan_id[0] > 0) {
127  json_t *js_vlan;
128  switch (f->vlan_idx) {
129  case 1:
130  json_object_set_new(js, "vlan",
131  json_integer(f->vlan_id[0]));
132  break;
133  case 2:
134  js_vlan = json_array();
135  if (unlikely(js != NULL)) {
136  json_array_append_new(js_vlan,
137  json_integer(VLAN_GET_ID1(p)));
138  json_array_append_new(js_vlan,
139  json_integer(VLAN_GET_ID2(p)));
140  json_object_set_new(js, "vlan", js_vlan);
141  }
142  break;
143  default:
144  /* shouldn't get here */
145  break;
146  }
147  }
148 #endif
149  /* tuple */
150  json_object_set_new(js, "src_ip", json_string(srcip));
151  switch(f->proto) {
152  case IPPROTO_ICMP:
153  break;
154  case IPPROTO_UDP:
155  case IPPROTO_TCP:
156  case IPPROTO_SCTP:
157  json_object_set_new(js, "src_port", json_integer(sp));
158  break;
159  }
160  json_object_set_new(js, "dest_ip", json_string(dstip));
161  switch(f->proto) {
162  case IPPROTO_ICMP:
163  break;
164  case IPPROTO_UDP:
165  case IPPROTO_TCP:
166  case IPPROTO_SCTP:
167  json_object_set_new(js, "dest_port", json_integer(dp));
168  break;
169  }
170  json_object_set_new(js, "proto", json_string(proto));
171  switch (f->proto) {
172  case IPPROTO_ICMP:
173  case IPPROTO_ICMPV6:
174  json_object_set_new(js, "icmp_type",
175  json_integer(f->icmp_s.type));
176  json_object_set_new(js, "icmp_code",
177  json_integer(f->icmp_s.code));
178  if (f->tosrcpktcnt) {
179  json_object_set_new(js, "response_icmp_type",
180  json_integer(f->icmp_d.type));
181  json_object_set_new(js, "response_icmp_code",
182  json_integer(f->icmp_d.code));
183  }
184  break;
185  }
186  return js;
187 }
188 
189 void JsonAddFlow(Flow *f, json_t *js, json_t *hjs)
190 {
191  json_object_set_new(js, "app_proto",
192  json_string(AppProtoToString(f->alproto)));
193  if (f->alproto_ts != f->alproto) {
194  json_object_set_new(js, "app_proto_ts",
195  json_string(AppProtoToString(f->alproto_ts)));
196  }
197  if (f->alproto_tc != f->alproto) {
198  json_object_set_new(js, "app_proto_tc",
199  json_string(AppProtoToString(f->alproto_tc)));
200  }
201  if (f->alproto_orig != f->alproto && f->alproto_orig != ALPROTO_UNKNOWN) {
202  json_object_set_new(js, "app_proto_orig",
203  json_string(AppProtoToString(f->alproto_orig)));
204  }
205  if (f->alproto_expect != f->alproto && f->alproto_expect != ALPROTO_UNKNOWN) {
206  json_object_set_new(js, "app_proto_expected",
207  json_string(AppProtoToString(f->alproto_expect)));
208  }
209 
210  json_object_set_new(hjs, "pkts_toserver",
211  json_integer(f->todstpktcnt));
212  json_object_set_new(hjs, "pkts_toclient",
213  json_integer(f->tosrcpktcnt));
214  json_object_set_new(hjs, "bytes_toserver",
215  json_integer(f->todstbytecnt));
216  json_object_set_new(hjs, "bytes_toclient",
217  json_integer(f->tosrcbytecnt));
218 
219  char timebuf1[64];
220  CreateIsoTimeString(&f->startts, timebuf1, sizeof(timebuf1));
221  json_object_set_new(hjs, "start", json_string(timebuf1));
222 }
223 
224 /* JSON format logging */
225 static void JsonFlowLogJSON(JsonFlowLogThread *aft, json_t *js, Flow *f)
226 {
227  LogJsonFileCtx *flow_ctx = aft->flowlog_ctx;
228  json_t *hjs = json_object();
229  if (hjs == NULL) {
230  return;
231  }
232 
233  JsonAddFlow(f, js, hjs);
234 
235  char timebuf2[64];
236  CreateIsoTimeString(&f->lastts, timebuf2, sizeof(timebuf2));
237  json_object_set_new(hjs, "end", json_string(timebuf2));
238 
239  int32_t age = f->lastts.tv_sec - f->startts.tv_sec;
240  json_object_set_new(hjs, "age",
241  json_integer(age));
242 
244  json_object_set_new(hjs, "emergency", json_true());
245  const char *state = NULL;
247  state = "new";
249  state = "established";
251  state = "closed";
253  state = "bypassed";
254  int flow_state = SC_ATOMIC_GET(f->flow_state);
255  switch (flow_state) {
257  json_object_set_new(hjs, "bypass",
258  json_string("local"));
259  break;
261  json_object_set_new(hjs, "bypass",
262  json_string("capture"));
263  break;
264  default:
266  "Invalid flow state: %d, contact developers",
267  flow_state);
268  }
269  }
270 
271  json_object_set_new(hjs, "state",
272  json_string(state));
273 
274  const char *reason = NULL;
276  reason = "timeout";
277  else if (f->flow_end_flags & FLOW_END_FLAG_FORCED)
278  reason = "forced";
280  reason = "shutdown";
281 
282  json_object_set_new(hjs, "reason",
283  json_string(reason));
284 
285  json_object_set_new(hjs, "alerted", json_boolean(FlowHasAlerts(f)));
286  if (f->flags & FLOW_WRONG_THREAD)
287  json_object_set_new(hjs, "wrong_thread", json_true());
288 
289  json_object_set_new(js, "flow", hjs);
290 
291  JsonAddCommonOptions(&flow_ctx->cfg, NULL, f, js);
292 
293  /* TCP */
294  if (f->proto == IPPROTO_TCP) {
295  json_t *tjs = json_object();
296  if (tjs == NULL) {
297  return;
298  }
299 
300  TcpSession *ssn = f->protoctx;
301 
302  char hexflags[3];
303  snprintf(hexflags, sizeof(hexflags), "%02x",
304  ssn ? ssn->tcp_packet_flags : 0);
305  json_object_set_new(tjs, "tcp_flags", json_string(hexflags));
306 
307  snprintf(hexflags, sizeof(hexflags), "%02x",
308  ssn ? ssn->client.tcp_flags : 0);
309  json_object_set_new(tjs, "tcp_flags_ts", json_string(hexflags));
310 
311  snprintf(hexflags, sizeof(hexflags), "%02x",
312  ssn ? ssn->server.tcp_flags : 0);
313  json_object_set_new(tjs, "tcp_flags_tc", json_string(hexflags));
314 
315  JsonTcpFlags(ssn ? ssn->tcp_packet_flags : 0, tjs);
316 
317  if (ssn) {
318  const char *tcp_state = NULL;
319  switch (ssn->state) {
320  case TCP_NONE:
321  tcp_state = "none";
322  break;
323  case TCP_LISTEN:
324  tcp_state = "listen";
325  break;
326  case TCP_SYN_SENT:
327  tcp_state = "syn_sent";
328  break;
329  case TCP_SYN_RECV:
330  tcp_state = "syn_recv";
331  break;
332  case TCP_ESTABLISHED:
333  tcp_state = "established";
334  break;
335  case TCP_FIN_WAIT1:
336  tcp_state = "fin_wait1";
337  break;
338  case TCP_FIN_WAIT2:
339  tcp_state = "fin_wait2";
340  break;
341  case TCP_TIME_WAIT:
342  tcp_state = "time_wait";
343  break;
344  case TCP_LAST_ACK:
345  tcp_state = "last_ack";
346  break;
347  case TCP_CLOSE_WAIT:
348  tcp_state = "close_wait";
349  break;
350  case TCP_CLOSING:
351  tcp_state = "closing";
352  break;
353  case TCP_CLOSED:
354  tcp_state = "closed";
355  break;
356  }
357  json_object_set_new(tjs, "state", json_string(tcp_state));
359  json_object_set_new(tjs, "gap_ts", json_true());
361  json_object_set_new(tjs, "gap_tc", json_true());
362  }
363 
364  json_object_set_new(js, "tcp", tjs);
365  }
366 }
367 
368 static int JsonFlowLogger(ThreadVars *tv, void *thread_data, Flow *f)
369 {
370  SCEnter();
371  JsonFlowLogThread *jhl = (JsonFlowLogThread *)thread_data;
372 
373  /* reset */
374  MemBufferReset(jhl->buffer);
375 
376  json_t *js = CreateJSONHeaderFromFlow(f, "flow");
377  if (unlikely(js == NULL))
378  return TM_ECODE_OK;
379 
380  JsonFlowLogJSON(jhl, js, f);
381 
382  OutputJSONBuffer(js, jhl->flowlog_ctx->file_ctx, &jhl->buffer);
383  json_object_del(js, "http");
384 
385  json_object_clear(js);
386  json_decref(js);
387 
389 }
390 
391 static void OutputFlowLogDeinit(OutputCtx *output_ctx)
392 {
393  LogJsonFileCtx *flow_ctx = output_ctx->data;
394  LogFileCtx *logfile_ctx = flow_ctx->file_ctx;
395  LogFileFreeCtx(logfile_ctx);
396  SCFree(flow_ctx);
397  SCFree(output_ctx);
398 }
399 
400 #define DEFAULT_LOG_FILENAME "flow.json"
401 static OutputInitResult OutputFlowLogInit(ConfNode *conf)
402 {
403  OutputInitResult result = { NULL, false };
404  LogFileCtx *file_ctx = LogFileNewCtx();
405  if(file_ctx == NULL) {
406  SCLogError(SC_ERR_FLOW_LOG_GENERIC, "couldn't create new file_ctx");
407  return result;
408  }
409 
410  if (SCConfLogOpenGeneric(conf, file_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
411  LogFileFreeCtx(file_ctx);
412  return result;
413  }
414 
415  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
416  if (unlikely(flow_ctx == NULL)) {
417  LogFileFreeCtx(file_ctx);
418  return result;
419  }
420 
421  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
422  if (unlikely(output_ctx == NULL)) {
423  LogFileFreeCtx(file_ctx);
424  SCFree(flow_ctx);
425  return result;
426  }
427 
428  flow_ctx->file_ctx = file_ctx;
429  output_ctx->data = flow_ctx;
430  output_ctx->DeInit = OutputFlowLogDeinit;
431 
432  result.ctx = output_ctx;
433  result.ok = true;
434  return result;
435 }
436 
437 static void OutputFlowLogDeinitSub(OutputCtx *output_ctx)
438 {
439  LogJsonFileCtx *flow_ctx = output_ctx->data;
440  SCFree(flow_ctx);
441  SCFree(output_ctx);
442 }
443 
444 static OutputInitResult OutputFlowLogInitSub(ConfNode *conf, OutputCtx *parent_ctx)
445 {
446  OutputInitResult result = { NULL, false };
447  OutputJsonCtx *ojc = parent_ctx->data;
448 
449  LogJsonFileCtx *flow_ctx = SCMalloc(sizeof(LogJsonFileCtx));
450  if (unlikely(flow_ctx == NULL))
451  return result;
452 
453  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
454  if (unlikely(output_ctx == NULL)) {
455  SCFree(flow_ctx);
456  return result;
457  }
458 
459  flow_ctx->file_ctx = ojc->file_ctx;
460  flow_ctx->cfg = ojc->cfg;
461 
462  output_ctx->data = flow_ctx;
463  output_ctx->DeInit = OutputFlowLogDeinitSub;
464 
465  result.ctx = output_ctx;
466  result.ok = true;
467  return result;
468 }
469 
470 #define OUTPUT_BUFFER_SIZE 65535
471 static TmEcode JsonFlowLogThreadInit(ThreadVars *t, const void *initdata, void **data)
472 {
473  JsonFlowLogThread *aft = SCMalloc(sizeof(JsonFlowLogThread));
474  if (unlikely(aft == NULL))
475  return TM_ECODE_FAILED;
476  memset(aft, 0, sizeof(JsonFlowLogThread));
477 
478  if(initdata == NULL)
479  {
480  SCLogDebug("Error getting context for EveLogFlow. \"initdata\" argument NULL");
481  SCFree(aft);
482  return TM_ECODE_FAILED;
483  }
484 
485  /* Use the Ouptut Context (file pointer and mutex) */
486  aft->flowlog_ctx = ((OutputCtx *)initdata)->data; //TODO
487 
488  aft->buffer = MemBufferCreateNew(OUTPUT_BUFFER_SIZE);
489  if (aft->buffer == NULL) {
490  SCFree(aft);
491  return TM_ECODE_FAILED;
492  }
493 
494  *data = (void *)aft;
495  return TM_ECODE_OK;
496 }
497 
498 static TmEcode JsonFlowLogThreadDeinit(ThreadVars *t, void *data)
499 {
500  JsonFlowLogThread *aft = (JsonFlowLogThread *)data;
501  if (aft == NULL) {
502  return TM_ECODE_OK;
503  }
504 
505  MemBufferFree(aft->buffer);
506  /* clear memory */
507  memset(aft, 0, sizeof(JsonFlowLogThread));
508 
509  SCFree(aft);
510  return TM_ECODE_OK;
511 }
512 
513 void JsonFlowLogRegister (void)
514 {
515  /* register as separate module */
516  OutputRegisterFlowModule(LOGGER_JSON_FLOW, "JsonFlowLog", "flow-json-log",
517  OutputFlowLogInit, JsonFlowLogger, JsonFlowLogThreadInit,
518  JsonFlowLogThreadDeinit, NULL);
519 
520  /* also register as child of eve-log */
521  OutputRegisterFlowSubModule(LOGGER_JSON_FLOW, "eve-log", "JsonFlowLog",
522  "eve-log.flow", OutputFlowLogInitSub, JsonFlowLogger,
523  JsonFlowLogThreadInit, JsonFlowLogThreadDeinit, NULL);
524 }
525 
526 #else
527 
529 {
530 }
531 
532 #endif
AppProto alproto_expect
Definition: flow.h:413
struct Flow_::@116::@120 icmp_s
MemBuffer * MemBufferCreateNew(uint32_t size)
Definition: util-buffer.c:32
#define FLOW_IS_IPV4(f)
Definition: flow.h:133
char * known_proto[256]
uint16_t flags
void JsonFlowLogRegister(void)
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
#define SCLogDebug(...)
Definition: util-debug.h:335
AppProto alproto_tc
Definition: flow.h:406
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: util-strlcpyu.c:43
uint64_t todstbytecnt
Definition: flow.h:457
uint32_t event_type
uint8_t proto
Definition: flow.h:343
Port sp
Definition: flow.h:330
#define FLOW_END_FLAG_STATE_ESTABLISHED
Definition: flow.h:209
#define unlikely(expr)
Definition: util-optimize.h:35
#define STREAMTCP_STREAM_FLAG_GAP
int FlowHasAlerts(const Flow *f)
Check if flow has alerts.
Definition: flow.c:208
#define FLOW_END_FLAG_TIMEOUT
Definition: flow.h:212
#define MemBufferReset(mem_buffer)
Reset the mem buffer.
Definition: util-buffer.h:42
#define FLOW_END_FLAG_FORCED
Definition: flow.h:213
#define FLOW_DIR_REVERSED
Definition: flow.h:105
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
struct timeval startts
Definition: flow.h:453
uint32_t todstpktcnt
Definition: flow.h:455
#define FLOW_END_FLAG_STATE_BYPASSED
Definition: flow.h:215
#define TRUE
void * protoctx
Definition: flow.h:395
FlowAddress dst
Definition: flow.h:328
void OutputRegisterFlowModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output module.
Definition: output.c:577
AppProto alproto_orig
Definition: flow.h:410
uint16_t vlan_id[2]
Definition: flow.h:345
AppProto alproto_ts
Definition: flow.h:405
uint64_t tosrcbytecnt
Definition: flow.h:458
#define SCCalloc(nm, a)
Definition: util-mem.h:197
#define FLOW_END_FLAG_STATE_NEW
Definition: flow.h:208
void CreateIsoTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:179
union FlowAddress_::@115 address
void TimeGet(struct timeval *tv)
Definition: util-time.c:138
const char * AppProtoToString(AppProto alproto)
Maps the ALPROTO_*, to its string equivalent.
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
#define VLAN_GET_ID2(p)
Definition: decode-vlan.h:41
#define SCEnter(...)
Definition: util-debug.h:337
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
#define FLOW_END_FLAG_STATE_CLOSED
Definition: flow.h:210
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
uint8_t proto
#define SCReturnInt(x)
Definition: util-debug.h:341
uint16_t Port
Definition: decode.h:233
struct timeval lastts
Definition: flow.h:353
uint8_t flow_end_flags
Definition: flow.h:401
void OutputRegisterFlowSubModule(LoggerId id, const char *parent_name, const char *name, const char *conf_name, OutputInitSubFunc InitFunc, FlowLogger FlowLogFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a flow output sub-module.
Definition: output.c:616
Definition: conf.h:32
OutputCtx * ctx
Definition: output.h:42
#define DEFAULT_LOG_FILENAME
#define SCMalloc(a)
Definition: util-mem.h:166
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define SCFree(a)
Definition: util-mem.h:228
#define VLAN_GET_ID1(p)
Definition: decode-vlan.h:40
Port dp
Definition: flow.h:337
#define FLOW_IS_IPV6(f)
Definition: flow.h:135
#define FLOW_END_FLAG_EMERGENCY
Definition: flow.h:211
#define FLOW_WRONG_THREAD
Definition: flow.h:103
void * data
Definition: tm-modules.h:81
struct Flow_::@118::@121 icmp_d
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:192
FlowAddress src
Definition: flow.h:328
Per thread variable structure.
Definition: threadvars.h:57
AppProto alproto
application level protocol
Definition: flow.h:404
#define FLOW_END_FLAG_SHUTDOWN
Definition: flow.h:214
uint8_t tcp_packet_flags
#define OUTPUT_BUFFER_SIZE
Definition: log-httplog.c:58
Flow data structure.
Definition: flow.h:324
uint32_t flags
Definition: flow.h:374
void MemBufferFree(MemBuffer *buffer)
Definition: util-buffer.c:82
uint32_t tosrcpktcnt
Definition: flow.h:456