#ifndef netflow_h_included
#define netflow_h_included
#include <netinet/in.h>
#include <sys/types.h>
#include <stdint.h>
#include "xenoeye.h"
/*
 * Size limits for flow parsing. Their use is not visible in this header.
 * NOTE(review): presumably these cap the number of flow records per packet,
 * the number of fields per flow and the stored length of one field value.
 * Record counts, field counts and field lengths all come from the exporter's
 * packet, so the parser should compare them against these limits before
 * indexing or copying - confirm in the implementation.
 */
#define MAX_FLOWS_PER_PACKET 100
#define MAX_FIELDS_PER_FLOW 100
#define MAX_FLOW_VAL_LEN 32
/*
 * Kinds of value a flow field can carry: an IP address, an integer,
 * a string or a raw byte sequence. The numeric values are spelled out
 * here; they are the same ones the compiler assigns by default.
 */
enum NF_FIELD_TYPE
{
	NF_FIELD_IP_ADDR = 0,
	NF_FIELD_INT     = 1,
	NF_FIELD_STRING  = 2,
	NF_FIELD_BYTES   = 3
};
/* netflow v5 */
/*
 * NetFlow v5 export packet header. Packed, so it occupies exactly 24 bytes
 * and can be overlaid on the start of a received datagram.
 *
 * Multi-byte fields are in network byte order on the wire and need
 * ntohs()/ntohl() before use.
 * NOTE(review): `count` is supplied by the sender. The parser should check
 * that the received length covers sizeof(struct nf5_header) before reading
 * it, and that count * sizeof(struct nf5_flow) fits in the remaining bytes
 * before walking the records - confirm in the implementation.
 */
struct nf5_header
{
	uint16_t version;       /* export format version */
	uint16_t count;         /* number of flow records that follow the header */
	uint32_t sys_uptime;
	uint32_t unix_secs;
	uint32_t unix_nsecs;
	uint32_t flow_sequence;
	uint8_t engine_type;
	uint8_t engine_id;
	uint16_t sampling;
} __attribute__ ((__packed__));
/*
 * X-macro table describing one NetFlow v5 flow record. Each row is
 * FIELD(USE, TYPE, V5, V9, ID):
 *   USE  - 0 on the two padding rows, 1 on every other row
 *   TYPE - C type of the field as it appears on the wire
 *   V5   - member name generated in struct nf5_flow
 *   V9   - a second name for the same field
 *   ID   - numeric identifier for the field
 * Only TYPE and V5 are consumed in this header (struct nf5_flow); the other
 * columns are presumably used by expansions in the .c files - confirm.
 * NOTE(review): the ID values look like NetFlow v9 field type numbers, with
 * 65530/65531 as placeholders for the pad rows - confirm.
 *
 * Row order is the on-wire field order of the record, so rows must not be
 * reordered, added or removed without breaking the packed layout.
 */
#define NF5_FIELDS \
	FIELD(1, uint32_t, src_addr, ip4_src_addr, 8) \
	FIELD(1, uint32_t, dst_addr, ip4_dst_addr, 12) \
	FIELD(1, uint32_t, next_hop, ip4_next_hop, 15) \
	FIELD(1, uint16_t, input_snmp, input_snmp, 10) \
	FIELD(1, uint16_t, output_snmp, output_snmp, 14) \
	FIELD(1, uint32_t, packets, in_pkts, 2) \
	FIELD(1, uint32_t, octets, in_bytes, 1) \
	FIELD(1, uint32_t, first, first_switched, 22) \
	FIELD(1, uint32_t, last, last_switched, 21) \
	FIELD(1, uint16_t, src_port, l4_src_port, 7) \
	FIELD(1, uint16_t, dst_port, l4_dst_port, 11) \
	FIELD(0, uint8_t, pad1, pad1, 65530) \
	FIELD(1, uint8_t, tcp_flags, tcp_flags, 6) \
	FIELD(1, uint8_t, protocol, protocol, 4) \
	FIELD(1, uint8_t, tos, src_tos, 5) \
	FIELD(1, uint16_t, src_as, src_as, 16) \
	FIELD(1, uint16_t, dst_as, dst_as, 17) \
	FIELD(1, uint8_t, src_mask, src_mask, 9) \
	FIELD(1, uint8_t, dst_mask, dst_mask, 13) \
	FIELD(0, uint16_t, pad2, pad2, 65531)
/*
 * One NetFlow v5 flow record, generated from the NF5_FIELDS table: every
 * row becomes a member `TYPE V5;` in table order. Packed, the members add
 * up to 48 bytes. Values are in network byte order as received.
 */
struct nf5_flow
{
/* Expand each table row to a member declaration; USE, V9 and ID are ignored here. */
#define FIELD(USE, TYPE, V5, V9, ID) \
	TYPE V5;
NF5_FIELDS
/* Drop the temporary definition so the table can be expanded differently elsewhere. */
#undef FIELD
} __attribute__ ((__packed__));
/*
 * Whole NetFlow v5 packet: the header followed by the flow records.
 *
 * `flows[1]` is a one-element trailing array used as a variable-length tail,
 * so sizeof(struct nf5_packet) already includes one record. It is kept as
 * [1] rather than a flexible array member because changing it would change
 * sizeof for existing callers.
 * NOTE(review): indexing flows[i] for i > 0 reads past the declared array
 * and is only valid while it stays inside the received buffer. The index
 * should be bounded by the received length, not by header.count alone -
 * confirm in the parser.
 */
struct nf5_packet
{
	struct nf5_header header;
	struct nf5_flow flows[1];
} __attribute__ ((__packed__));
/* netflow v9 */
/*
 * NetFlow v9 export packet header. Packed, 20 bytes. Fields are in network
 * byte order on the wire.
 * NOTE(review): `count` is sender-controlled. It should not be trusted as a
 * loop bound without also checking flowset lengths against the bytes
 * actually received - confirm in the parser.
 */
struct nf9_header
{
	uint16_t version;          /* export format version */
	uint16_t count;            /* record count as stated by the exporter */
	uint32_t sys_uptime;
	uint32_t unix_secs;
	uint32_t package_sequence;
	uint32_t source_id;
} __attribute__ ((__packed__));
/*
 * One (field type, field length) pair of a NetFlow v9 template. Packed,
 * 4 bytes, network byte order on the wire.
 * NOTE(review): `length` comes from the exporter. Values taken from a
 * template should be bounded (see MAX_FLOW_VAL_LEN) before they are used
 * to size a copy - confirm in the parser.
 */
struct nf9_fieldtype_and_len
{
	uint16_t type;
	uint16_t length;
} __attribute__ ((__packed__));
/*
 * Header that starts every NetFlow v9 flowset. Packed, 4 bytes, network
 * byte order on the wire.
 * NOTE(review): `length` is sender-controlled. A parser that advances by it
 * should reject values smaller than this header, since a zero length would
 * never advance, and values larger than the bytes remaining in the packet -
 * confirm in the implementation.
 */
struct nf9_flowset_header
{
	uint16_t flowset_id;
	uint16_t length;
} __attribute__ ((__packed__));
/*
 * NetFlow v9 template record: a template id, the number of fields, then the
 * (type, length) pairs. `typelen[1]` is a one-element trailing array used as
 * a variable-length tail, so sizeof is 8 bytes and includes the first pair.
 * NOTE(review): `field_count` is sender-controlled. It should be checked
 * against MAX_FIELDS_PER_FLOW and against the bytes left in the flowset
 * before typelen[] is walked - confirm in the parser.
 */
struct nf9_template_item
{
	uint16_t template_id;
	uint16_t field_count;
	struct nf9_fieldtype_and_len typelen[1];
} __attribute__ ((__packed__));
/* IPFIX */
/*
 * IPFIX message header. Packed, 16 bytes, network byte order on the wire.
 * NOTE(review): `length` is the message length as claimed by the exporter.
 * It should be compared with the number of bytes actually received and must
 * never be used on its own as the parse bound - confirm in the parser.
 */
struct ipfix_header
{
	uint16_t version;
	uint16_t length;
	uint32_t export_time;
	uint32_t sequence_number;
	uint32_t observation_domain;
} __attribute__ ((__packed__));
/* IPFIX templates */
/*
 * Header of one IPFIX template record: a template id and the number of
 * information elements that follow. Packed, 4 bytes.
 * NOTE(review): `field_count` is sender-controlled. It should be bounded
 * (see MAX_FIELDS_PER_FLOW) before elements are read or storage is sized
 * from it - confirm in the parser.
 */
struct ipfix_template_header
{
	uint16_t template_id;
	uint16_t field_count;
} __attribute__ ((__packed__));
/*
 * IPFIX field specifier without an enterprise number: element id and field
 * length. Packed, 4 bytes.
 * NOTE(review): per RFC 7011 the top bit of `id` marks an enterprise-specific
 * element and a length of 65535 marks a variable-length field. How the
 * parser handles either is not visible in this header - confirm.
 */
struct ipfix_inf_element_iana
{
	uint16_t id;
	uint16_t length;
} __attribute__ ((__packed__));
/*
 * IPFIX field specifier with an enterprise number: the same id/length pair
 * as struct ipfix_inf_element_iana followed by a 32-bit `number`. Packed,
 * 8 bytes.
 * NOTE(review): a parser that chooses between the 4-byte and 8-byte form
 * must check that the longer one fits in the remaining bytes before reading
 * `number` - confirm in the implementation.
 */
struct ipfix_inf_element_enterprise
{
	uint16_t id;
	uint16_t length;
	uint32_t number;
} __attribute__ ((__packed__));
/*
 * A template header followed by its elements, each held in the 8-byte
 * enterprise form. `elements[1]` is a one-element trailing array used as a
 * variable-length tail, so sizeof is 12 bytes and includes one element.
 * NOTE(review): the name suggests this is the form in which received
 * templates are kept for decoding later data records - confirm. If so, the
 * allocation must be sized from a validated header.field_count, and later
 * indexing into elements[] must stay below that same count.
 */
struct ipfix_stored_template
{
	struct ipfix_template_header header;
	struct ipfix_inf_element_enterprise elements[1];
} __attribute__ ((__packed__));
/* flowset */
/*
 * Header that starts every IPFIX set (called a flowset here). Packed,
 * 4 bytes, same layout as struct nf9_flowset_header.
 * NOTE(review): `length` is sender-controlled. It should be rejected when
 * it is smaller than this header or larger than the bytes remaining in the
 * message before it is used to step to the next set - confirm in the parser.
 */
struct ipfix_flowset_header
{
	uint16_t flowset_id;
	uint16_t length;
} __attribute__ ((__packed__));
/* Defined elsewhere; only pointers to it are used in this header. */
struct flow_packet_info;

/* Initialise the flow-processing module. What it sets up is not visible here. */
void netflow_process_init(void);

/*
 * Process one received flow-export packet.
 *
 * data      - program-wide state (struct xe_data, declared in xenoeye.h)
 * thread_id - index of the calling worker thread
 * npi       - information about the packet being processed
 * len       - NOTE(review): presumably the number of bytes received for the
 *             packet - confirm. It is a signed int, so the implementation
 *             should reject non-positive values before comparing it with
 *             any sizeof() expression; the signed/unsigned conversion would
 *             otherwise turn a negative length into a very large one.
 *
 * The meaning of the int return value is not visible in this header.
 */
int netflow_process(struct xe_data *data, size_t thread_id,
	struct flow_packet_info *npi, int len);
#endif