2004-09-16 20:24:23 +00:00
/*-
2017-11-27 15:23:17 +00:00
* SPDX - License - Identifier : BSD - 2 - Clause - FreeBSD
*
2011-03-02 16:15:11 +00:00
* Copyright ( c ) 2010 - 2011 Alexander V . Chernikov < melifaro @ ipfw . ru >
2004-09-17 19:58:03 +00:00
* Copyright ( c ) 2004 Gleb Smirnoff < glebius @ FreeBSD . org >
2004-09-16 20:24:23 +00:00
* All rights reserved .
*
* Redistribution and use in source and binary forms , with or without
* modification , are permitted provided that the following conditions
* are met :
* 1. Redistributions of source code must retain the above copyright
* notice , this list of conditions and the following disclaimer .
* 2. Redistributions in binary form must reproduce the above copyright
* notice , this list of conditions and the following disclaimer in the
* documentation and / or other materials provided with the distribution .
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ` ` AS IS ' ' AND
* ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING , BUT NOT LIMITED TO , THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED . IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT , INDIRECT , INCIDENTAL , SPECIAL , EXEMPLARY , OR CONSEQUENTIAL
* DAMAGES ( INCLUDING , BUT NOT LIMITED TO , PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES ; LOSS OF USE , DATA , OR PROFITS ; OR BUSINESS INTERRUPTION )
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY , WHETHER IN CONTRACT , STRICT
* LIABILITY , OR TORT ( INCLUDING NEGLIGENCE OR OTHERWISE ) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE , EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE .
*
* $ SourceForge : netflow . h , v 1.8 2004 / 09 / 16 17 : 05 : 11 glebius Exp $
* $ FreeBSD $
*/
/* netflow timeouts in seconds */
# define ACTIVE_TIMEOUT (30*60) /* maximum flow lifetime is 30 min */
# define INACTIVE_TIMEOUT 15
2006-04-25 20:01:50 +00:00
/*
* More info can be found in these Cisco documents :
*
* Cisco IOS NetFlow , White Papers .
* http : //www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
*
* Cisco CNS NetFlow Collection Engine User Guide , 5.0 .2 , NetFlow Export
* Datagram Formats .
* http : //www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_user_guide_chapter09186a00803f3147.html#wp26453
*
2011-03-02 16:15:11 +00:00
* Cisco Systems NetFlow Services Export Version 9
* http : //www.ietf.org/rfc/rfc3954.txt
*
2004-09-16 20:24:23 +00:00
*/
# define NETFLOW_V1 1
# define NETFLOW_V5 5
2011-03-02 16:15:11 +00:00
# define NETFLOW_V9 9
2004-09-16 20:24:23 +00:00
struct netflow_v1_header
{
uint16_t version ; /* NetFlow version */
uint16_t count ; /* Number of records in flow */
uint32_t sys_uptime ; /* System uptime */
uint32_t unix_secs ; /* Current seconds since 0000 UTC 1970 */
uint32_t unix_nsecs ; /* Remaining nanoseconds since 0000 UTC 1970 */
} __attribute__ ( ( __packed__ ) ) ;
struct netflow_v5_header
{
uint16_t version ; /* NetFlow version */
uint16_t count ; /* Number of records in flow */
uint32_t sys_uptime ; /* System uptime */
uint32_t unix_secs ; /* Current seconds since 0000 UTC 1970 */
uint32_t unix_nsecs ; /* Remaining nanoseconds since 0000 UTC 1970 */
uint32_t flow_seq ; /* Sequence number of the first record */
uint8_t engine_type ; /* Type of flow switching engine (RP,VIP,etc.) */
uint8_t engine_id ; /* Slot number of the flow switching engine */
uint16_t pad ; /* Pad to word boundary */
} __attribute__ ( ( __packed__ ) ) ;
2011-03-02 16:15:11 +00:00
struct netflow_v9_header
{
uint16_t version ; /* NetFlow version */
uint16_t count ; /* Total number of records in packet */
uint32_t sys_uptime ; /* System uptime */
uint32_t unix_secs ; /* Current seconds since 0000 UTC 1970 */
uint32_t seq_num ; /* Sequence number */
uint32_t source_id ; /* Observation Domain id */
} __attribute__ ( ( __packed__ ) ) ;
2004-09-16 20:24:23 +00:00
struct netflow_v1_record
{
uint32_t src_addr ; /* Source IP address */
uint32_t dst_addr ; /* Destination IP address */
uint32_t next_hop ; /* Next hop IP address */
uint16_t in_ifx ; /* Source interface index */
uint16_t out_ifx ; /* Destination interface index */
uint32_t packets ; /* Number of packets in a flow */
uint32_t octets ; /* Number of octets in a flow */
uint32_t first ; /* System uptime at start of a flow */
uint32_t last ; /* System uptime at end of a flow */
uint16_t s_port ; /* Source port */
uint16_t d_port ; /* Destination port */
uint16_t pad1 ; /* Pad to word boundary */
2006-04-25 20:01:50 +00:00
uint8_t prot ; /* IP protocol */
2004-09-16 20:24:23 +00:00
uint8_t tos ; /* IP type of service */
uint8_t flags ; /* Cumulative OR of tcp flags */
2006-04-25 20:01:50 +00:00
uint8_t pad2 ; /* Pad to word boundary */
2004-09-16 20:24:23 +00:00
uint16_t pad3 ; /* Pad to word boundary */
uint8_t reserved [ 5 ] ; /* Reserved for future use */
} __attribute__ ( ( __packed__ ) ) ;
struct netflow_v5_record
{
uint32_t src_addr ; /* Source IP address */
uint32_t dst_addr ; /* Destination IP address */
uint32_t next_hop ; /* Next hop IP address */
uint16_t i_ifx ; /* Source interface index */
uint16_t o_ifx ; /* Destination interface index */
uint32_t packets ; /* Number of packets in a flow */
uint32_t octets ; /* Number of octets in a flow */
uint32_t first ; /* System uptime at start of a flow */
uint32_t last ; /* System uptime at end of a flow */
uint16_t s_port ; /* Source port */
uint16_t d_port ; /* Destination port */
2006-04-25 20:01:50 +00:00
uint8_t pad1 ; /* Pad to word boundary */
2004-09-16 20:24:23 +00:00
uint8_t flags ; /* Cumulative OR of tcp flags */
2006-04-25 20:01:50 +00:00
uint8_t prot ; /* IP protocol */
2004-09-16 20:24:23 +00:00
uint8_t tos ; /* IP type of service */
uint16_t src_as ; /* Src peer/origin Autonomous System */
uint16_t dst_as ; /* Dst peer/origin Autonomous System */
uint8_t src_mask ; /* Source route's mask bits */
uint8_t dst_mask ; /* Destination route's mask bits */
uint16_t pad2 ; /* Pad to word boundary */
} __attribute__ ( ( __packed__ ) ) ;
# define NETFLOW_V1_MAX_RECORDS 24
# define NETFLOW_V5_MAX_RECORDS 30
# define NETFLOW_V1_MAX_SIZE (sizeof(netflow_v1_header)+ \
sizeof ( netflow_v1_record ) * NETFLOW_V1_MAX_RECORDS )
# define NETFLOW_V5_MAX_SIZE (sizeof(netflow_v5_header)+ \
sizeof ( netflow_v5_record ) * NETFLOW_V5_MAX_RECORDS )
2005-05-11 11:26:24 +00:00
struct netflow_v5_export_dgram {
struct netflow_v5_header header ;
struct netflow_v5_record r [ NETFLOW_V5_MAX_RECORDS ] ;
} __attribute__ ( ( __packed__ ) ) ;
2011-03-02 16:15:11 +00:00
/* RFC3954 field definitions */
# define NETFLOW_V9_FIELD_IN_BYTES 1 /* Input bytes count for a flow. Default 4, can be 8 */
# define NETFLOW_V9_FIELD_IN_PKTS 2 /* Incoming counter with number of packets associated with an IP Flow. Default 4 */
# define NETFLOW_V9_FIELD_FLOWS 3 /* Number of Flows that were aggregated. Default 4 */
# define NETFLOW_V9_FIELD_PROTOCOL 4 /* IP protocol byte. 1 */
# define NETFLOW_V9_FIELD_TOS 5 /* Type of service byte setting when entering the incoming interface. 1 */
# define NETFLOW_V9_FIELD_TCP_FLAGS 6 /* TCP flags; cumulative of all the TCP flags seen in this Flow. 1 */
# define NETFLOW_V9_FIELD_L4_SRC_PORT 7 /* TCP/UDP source port number. 2 */
# define NETFLOW_V9_FIELD_IPV4_SRC_ADDR 8 /* IPv4 source address. 4 */
# define NETFLOW_V9_FIELD_SRC_MASK 9 /* The number of contiguous bits in the source subnet mask (i.e., the mask in slash notation). 1 */
# define NETFLOW_V9_FIELD_INPUT_SNMP 10 /* Input interface index. Default 2 */
# define NETFLOW_V9_FIELD_L4_DST_PORT 11 /* TCP/UDP destination port number. 2 */
# define NETFLOW_V9_FIELD_IPV4_DST_ADDR 12 /* IPv4 destination address. 4 */
# define NETFLOW_V9_FIELD_DST_MASK 13 /* The number of contiguous bits in the destination subnet mask (i.e., the mask in slash notation). 1 */
# define NETFLOW_V9_FIELD_OUTPUT_SNMP 14 /* Output interface index. Default 2 */
# define NETFLOW_V9_FIELD_IPV4_NEXT_HOP 15 /* IPv4 address of the next-hop router. 4 */
# define NETFLOW_V9_FIELD_SRC_AS 16 /* Source BGP autonomous system number. Default 2, can be 4 */
# define NETFLOW_V9_FIELD_DST_AS 17 /* Destination BGP autonomous system number. Default 2, can be 4 */
# define NETFLOW_V9_FIELD_BGP_IPV4_NEXT_HOP 18 /* Next-hop router's IP address in the BGP domain. 4 */
# define NETFLOW_V9_FIELD_MUL_DST_PKTS 19 /* IP multicast outgoing packet counter for packets associated with IP flow. Default 4 */
# define NETFLOW_V9_FIELD_MUL_DST_BYTES 20 /* IP multicast outgoing Octet (byte) counter for the number of bytes associated with IP flow. Default 4 */
# define NETFLOW_V9_FIELD_LAST_SWITCHED 21 /* sysUptime in msec at which the last packet of this Flow was switched. 4 */
# define NETFLOW_V9_FIELD_FIRST_SWITCHED 22 /* sysUptime in msec at which the first packet of this Flow was switched. 4 */
# define NETFLOW_V9_FIELD_OUT_BYTES 23 /* Outgoing counter for the number of bytes associated with an IP Flow. Default 4 */
# define NETFLOW_V9_FIELD_OUT_PKTS 24 /* Outgoing counter for the number of packets associated with an IP Flow. Default 4 */
# define NETFLOW_V9_FIELD_IPV6_SRC_ADDR 27 /* IPv6 source address. 16 */
# define NETFLOW_V9_FIELD_IPV6_DST_ADDR 28 /* IPv6 destination address. 16 */
# define NETFLOW_V9_FIELD_IPV6_SRC_MASK 29 /* Length of the IPv6 source mask in contiguous bits. 1 */
# define NETFLOW_V9_FIELD_IPV6_DST_MASK 30 /* Length of the IPv6 destination mask in contiguous bits. 1 */
# define NETFLOW_V9_FIELD_IPV6_FLOW_LABEL 31 /* IPv6 flow label as per RFC 2460 definition. 3 */
# define NETFLOW_V9_FIELD_ICMP_TYPE 32 /* Internet Control Message Protocol (ICMP) packet type; reported as ICMP Type * 256 + ICMP code. 2 */
# define NETFLOW_V9_FIELD_MUL_IGMP_TYPE 33 /* Internet Group Management Protocol (IGMP) packet type. 1 */
# define NETFLOW_V9_FIELD_SAMPLING_INTERVAL 34 /* When using sampled NetFlow, the rate at which packets are sampled; for example, a value of 100 indicates that one of every hundred packets is sampled. 4 */
# define NETFLOW_V9_FIELD_SAMPLING_ALGORITHM 35 /* For sampled NetFlow platform-wide: 0x01 deterministic sampling 0x02 random sampling. 1 */
# define NETFLOW_V9_FIELD_FLOW_ACTIVE_TIMEOUT 36 /* Timeout value (in seconds) for active flow entries in the NetFlow cache. 2 */
# define NETFLOW_V9_FIELD_FLOW_INACTIVE_TIMEOUT 37 /* Timeout value (in seconds) for inactive Flow entries in the NetFlow cache. 2 */
# define NETFLOW_V9_FIELD_ENGINE_TYPE 38 /* Type of Flow switching engine (route processor, linecard, etc...). 1 */
# define NETFLOW_V9_FIELD_ENGINE_ID 39 /* ID number of the Flow switching engine. 1 */
# define NETFLOW_V9_FIELD_TOTAL_BYTES_EXP 40 /* Counter with for the number of bytes exported by the Observation Domain. Default 4 */
# define NETFLOW_V9_FIELD_TOTAL_PKTS_EXP 41 /* Counter with for the number of packets exported by the Observation Domain. Default 4 */
# define NETFLOW_V9_FIELD_TOTAL_FLOWS_EXP 42 /* Counter with for the number of flows exported by the Observation Domain. Default 4 */
# define NETFLOW_V9_FIELD_MPLS_TOP_LABEL_TYPE 46 /* MPLS Top Label Type. 1 */
# define NETFLOW_V9_FIELD_MPLS_TOP_LABEL_IP_ADDR 47 /* Forwarding Equivalent Class corresponding to the MPLS Top Label. 4 */
# define NETFLOW_V9_FIELD_FLOW_SAMPLER_ID 48 /* Identifier shown in "show flow-sampler". 1 */
# define NETFLOW_V9_FIELD_FLOW_SAMPLER_MODE 49 /* The type of algorithm used for sampling data. 2 */
# define NETFLOW_V9_FIELD_FLOW_SAMPLER_RANDOM_INTERVAL 50 /* Packet interval at which to sample. 4. */
# define NETFLOW_V9_FIELD_DST_TOS 55 /* Type of Service byte setting when exiting outgoing interface. 1. */
# define NETFLOW_V9_FIELD_SRC_MAC 56 /* Source MAC Address. 6 */
# define NETFLOW_V9_FIELD_DST_MAC 57 /* Destination MAC Address. 6 */
# define NETFLOW_V9_FIELD_SRC_VLAN 58 /* Virtual LAN identifier associated with ingress interface. 2 */
# define NETFLOW_V9_FIELD_DST_VLAN 59 /* Virtual LAN identifier associated with egress interface. 2 */
# define NETFLOW_V9_FIELD_IP_PROTOCOL_VERSION 60 /* Internet Protocol Version. Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed. 1. */
# define NETFLOW_V9_FIELD_DIRECTION 61 /* Flow direction: 0 - ingress flow 1 - egress flow. 1 */
# define NETFLOW_V9_FIELD_IPV6_NEXT_HOP 62 /* IPv6 address of the next-hop router. 16 */
# define NETFLOW_V9_FIELD_BGP_IPV6_NEXT_HOP 63 /* Next-hop router in the BGP domain. 16 */
# define NETFLOW_V9_FIELD_IPV6_OPTION_HEADERS 64 /* Bit-encoded field identifying IPv6 option headers found in the flow */
# define NETFLOW_V9_FIELD_MPLS_LABEL_1 70 /* MPLS label at position 1 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_2 71 /* MPLS label at position 2 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_3 72 /* MPLS label at position 3 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_4 73 /* MPLS label at position 4 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_5 74 /* MPLS label at position 5 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_6 75 /* MPLS label at position 6 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_7 76 /* MPLS label at position 7 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_8 77 /* MPLS label at position 8 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_9 78 /* MPLS label at position 9 in the stack. 3 */
# define NETFLOW_V9_FIELD_MPLS_LABEL_10 79 /* MPLS label at position 10 in the stack. 3 */
# define NETFLOW_V9_MAX_RESERVED_FLOWSET 0xFF /* Clause 5.2 */