-
Notifications
You must be signed in to change notification settings - Fork 46
/
sflow_collect.c
2817 lines (2444 loc) · 103 KB
/
sflow_collect.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* nProbe - a Netflow v5/v9/IPFIX probe for IPv4/v6
*
* Copyright (C) 2009-11 Luca Deri <deri@ntop.org>
*
* http://www.ntop.org/
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/*
* ntop includes sFlow(TM), freely available from http://www.inmon.com/".
*
* Some code has been copied from the InMon sflowtool
*/
#include "nprobe.h"
/* #define DEBUG_FLOWS */
#define INET6 1
u_int32_t numsFlowsV2Rcvd = 0, numsFlowsV4Rcvd = 0, numsFlowsV5Rcvd = 0, numBadsFlowsVersionsRcvd = 0;
/* ********************************* */
enum SFLAddress_type {
SFLADDRESSTYPE_IP_V4 = 1,
SFLADDRESSTYPE_IP_V6 = 2
};
typedef union _SFLAddress_value {
struct in_addr ip_v4;
struct in6_addr ip_v6;
} SFLAddress_value;
typedef struct _SFLAddress {
u_int32_t type; /* enum SFLAddress_type */
SFLAddress_value address;
} SFLAddress;
/* Packet header data */
#define SFL_DEFAULT_HEADER_SIZE 128
#define SFL_DEFAULT_COLLECTOR_PORT 6343
#define SFL_DEFAULT_SAMPLING_RATE 400
/* The header protocol describes the format of the sampled header */
enum SFLHeader_protocol {
SFLHEADER_ETHERNET_ISO8023 = 1,
SFLHEADER_ISO88024_TOKENBUS = 2,
SFLHEADER_ISO88025_TOKENRING = 3,
SFLHEADER_FDDI = 4,
SFLHEADER_FRAME_RELAY = 5,
SFLHEADER_X25 = 6,
SFLHEADER_PPP = 7,
SFLHEADER_SMDS = 8,
SFLHEADER_AAL5 = 9,
SFLHEADER_AAL5_IP = 10, /* e.g. Cisco AAL5 mux */
SFLHEADER_IPv4 = 11,
SFLHEADER_IPv6 = 12,
SFLHEADER_MPLS = 13
};
/* raw sampled header */
typedef struct _SFLSampled_header {
u_int32_t header_protocol; /* (enum SFLHeader_protocol) */
u_int32_t frame_length; /* Original length of packet before sampling */
u_int32_t stripped; /* header/trailer bytes stripped by sender */
u_int32_t header_length; /* length of sampled header bytes to follow */
u_int8_t *header_bytes; /* Header bytes */
} SFLSampled_header;
/* decoded ethernet header */
typedef struct _SFLSampled_ethernet {
u_int32_t eth_len; /* The length of the MAC packet excluding
lower layer encapsulations */
u_int8_t src_mac[8]; /* 6 bytes + 2 pad */
u_int8_t dst_mac[8];
u_int32_t eth_type;
} SFLSampled_ethernet;
/* decoded IP version 4 header */
typedef struct _SFLSampled_ipv4 {
u_int32_t length; /* The length of the IP packet
excluding lower layer encapsulations */
u_int32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */
struct in_addr src_ip; /* Source IP Address */
struct in_addr dst_ip; /* Destination IP Address */
u_int32_t src_port; /* TCP/UDP source port number or equivalent */
u_int32_t dst_port; /* TCP/UDP destination port number or equivalent */
u_int32_t tcp_flags; /* TCP flags */
u_int32_t tos; /* IP type of service */
} SFLSampled_ipv4;
/* decoded IP version 6 data */
#ifdef INET6
typedef struct _SFLSampled_ipv6 {
u_int32_t length; /* The length of the IP packet
excluding lower layer encapsulations */
u_int32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */
struct in6_addr src_ip; /* Source IP Address */
struct in6_addr dst_ip; /* Destination IP Address */
u_int32_t src_port; /* TCP/UDP source port number or equivalent */
u_int32_t dst_port; /* TCP/UDP destination port number or equivalent */
u_int32_t tcp_flags; /* TCP flags */
u_int32_t priority; /* IP priority */
} SFLSampled_ipv6;
#endif
/* Extended data types */
/* Extended switch data */
typedef struct _SFLExtended_switch {
u_int32_t src_vlan; /* The 802.1Q VLAN id of incomming frame */
u_int32_t src_priority; /* The 802.1p priority */
u_int32_t dst_vlan; /* The 802.1Q VLAN id of outgoing frame */
u_int32_t dst_priority; /* The 802.1p priority */
} SFLExtended_switch;
/* Extended router data */
typedef struct _SFLExtended_router {
SFLAddress nexthop; /* IP address of next hop router */
u_int32_t src_mask; /* Source address prefix mask bits */
u_int32_t dst_mask; /* Destination address prefix mask bits */
} SFLExtended_router;
/* Extended gateway data */
enum SFLExtended_as_path_segment_type {
SFLEXTENDED_AS_SET = 1, /* Unordered set of ASs */
SFLEXTENDED_AS_SEQUENCE = 2 /* Ordered sequence of ASs */
};
typedef struct _SFLExtended_as_path_segment {
u_int32_t type; /* enum SFLExtended_as_path_segment_type */
u_int32_t length; /* number of AS numbers in set/sequence */
union {
u_int32_t *set;
u_int32_t *seq;
} as;
} SFLExtended_as_path_segment;
typedef struct _SFLExtended_gateway {
SFLAddress nexthop; /* Address of the border router that should
be used for the destination network */
u_int32_t as; /* AS number for this gateway */
u_int32_t src_as; /* AS number of source (origin) */
u_int32_t src_peer_as; /* AS number of source peer */
u_int32_t dst_as_path_segments; /* number of segments in path */
SFLExtended_as_path_segment *dst_as_path; /* list of seqs or sets */
u_int32_t communities_length; /* number of communities */
u_int32_t *communities; /* set of communities */
u_int32_t localpref; /* LocalPref associated with this route */
} SFLExtended_gateway;
typedef struct _SFLString {
u_int32_t len;
char *str;
} SFLString;
/* Extended user data */
typedef struct _SFLExtended_user {
u_int32_t src_charset; /* MIBEnum value of character set used to encode a string - See RFC 2978
Where possible UTF-8 encoding (MIBEnum=106) should be used. A value
of zero indicates an unknown encoding. */
SFLString src_user;
u_int32_t dst_charset;
SFLString dst_user;
} SFLExtended_user;
/* Extended URL data */
enum SFLExtended_url_direction {
SFLEXTENDED_URL_SRC = 1, /* URL is associated with source address */
SFLEXTENDED_URL_DST = 2 /* URL is associated with destination address */
};
typedef struct _SFLExtended_url {
u_int32_t direction; /* enum SFLExtended_url_direction */
SFLString url; /* URL associated with the packet flow.
Must be URL encoded */
SFLString host; /* The host field from the HTTP header */
} SFLExtended_url;
/* Extended MPLS data */
typedef struct _SFLLabelStack {
u_int32_t depth;
u_int32_t *stack; /* first entry is top of stack - see RFC 3032 for encoding */
} SFLLabelStack;
typedef struct _SFLExtended_mpls {
SFLAddress nextHop; /* Address of the next hop */
SFLLabelStack in_stack;
SFLLabelStack out_stack;
} SFLExtended_mpls;
/* Extended NAT data
Packet header records report addresses as seen at the sFlowDataSource.
The extended_nat structure reports on translated source and/or destination
addesses for this packet. If an address was not translated it should
be equal to that reported for the header. */
typedef struct _SFLExtended_nat {
SFLAddress src; /* Source address */
SFLAddress dst; /* Destination address */
} SFLExtended_nat;
/* additional Extended MPLS stucts */
typedef struct _SFLExtended_mpls_tunnel {
SFLString tunnel_lsp_name; /* Tunnel name */
u_int32_t tunnel_id; /* Tunnel ID */
u_int32_t tunnel_cos; /* Tunnel COS value */
} SFLExtended_mpls_tunnel;
typedef struct _SFLExtended_mpls_vc {
SFLString vc_instance_name; /* VC instance name */
u_int32_t vll_vc_id; /* VLL/VC instance ID */
u_int32_t vc_label_cos; /* VC Label COS value */
} SFLExtended_mpls_vc;
/* Extended MPLS FEC
- Definitions from MPLS-FTN-STD-MIB mplsFTNTable */
typedef struct _SFLExtended_mpls_FTN {
SFLString mplsFTNDescr;
u_int32_t mplsFTNMask;
} SFLExtended_mpls_FTN;
/* Extended MPLS LVP FEC
- Definition from MPLS-LDP-STD-MIB mplsFecTable
Note: mplsFecAddrType, mplsFecAddr information available
from packet header */
typedef struct _SFLExtended_mpls_LDP_FEC {
u_int32_t mplsFecAddrPrefixLength;
} SFLExtended_mpls_LDP_FEC;
/* Extended VLAN tunnel information
Record outer VLAN encapsulations that have
been stripped. extended_vlantunnel information
should only be reported if all the following conditions are satisfied:
1. The packet has nested vlan tags, AND
2. The reporting device is VLAN aware, AND
3. One or more VLAN tags have been stripped, either
because they represent proprietary encapsulations, or
because switch hardware automatically strips the outer VLAN
encapsulation.
Reporting extended_vlantunnel information is not a substitute for
reporting extended_switch information. extended_switch data must
always be reported to describe the ingress/egress VLAN information
for the packet. The extended_vlantunnel information only applies to
nested VLAN tags, and then only when one or more tags has been
stripped. */
typedef SFLLabelStack SFLVlanStack;
typedef struct _SFLExtended_vlan_tunnel {
SFLVlanStack stack; /* List of stripped 802.1Q TPID/TCI layers. Each
TPID,TCI pair is represented as a single 32 bit
integer. Layers listed from outermost to
innermost. */
} SFLExtended_vlan_tunnel;
enum SFLFlow_type_tag {
/* enterprise = 0, format = ... */
SFLFLOW_HEADER = 1, /* Packet headers are sampled */
SFLFLOW_ETHERNET = 2, /* MAC layer information */
SFLFLOW_IPV4 = 3, /* IP version 4 data */
SFLFLOW_IPV6 = 4, /* IP version 6 data */
SFLFLOW_EX_SWITCH = 1001, /* Extended switch information */
SFLFLOW_EX_ROUTER = 1002, /* Extended router information */
SFLFLOW_EX_GATEWAY = 1003, /* Extended gateway router information */
SFLFLOW_EX_USER = 1004, /* Extended TACAS/RADIUS user information */
SFLFLOW_EX_URL = 1005, /* Extended URL information */
SFLFLOW_EX_MPLS = 1006, /* Extended MPLS information */
SFLFLOW_EX_NAT = 1007, /* Extended NAT information */
SFLFLOW_EX_MPLS_TUNNEL = 1008, /* additional MPLS information */
SFLFLOW_EX_MPLS_VC = 1009,
SFLFLOW_EX_MPLS_FTN = 1010,
SFLFLOW_EX_MPLS_LDP_FEC = 1011,
SFLFLOW_EX_VLAN_TUNNEL = 1012, /* VLAN stack */
};
typedef union _SFLFlow_type {
SFLSampled_header header;
SFLSampled_ethernet ethernet;
SFLSampled_ipv4 ipv4;
#ifdef INET6
SFLSampled_ipv6 ipv6;
#endif
SFLExtended_switch sw;
SFLExtended_router router;
SFLExtended_gateway gateway;
SFLExtended_user user;
SFLExtended_url url;
SFLExtended_mpls mpls;
SFLExtended_nat nat;
SFLExtended_mpls_tunnel mpls_tunnel;
SFLExtended_mpls_vc mpls_vc;
SFLExtended_mpls_FTN mpls_ftn;
SFLExtended_mpls_LDP_FEC mpls_ldp_fec;
SFLExtended_vlan_tunnel vlan_tunnel;
} SFLFlow_type;
typedef struct _SFLFlow_sample_element {
struct _SFLFlow_sample_element *nxt;
u_int32_t tag; /* SFLFlow_type_tag */
u_int32_t length;
SFLFlow_type flowType;
} SFLFlow_sample_element;
enum SFL_sample_tag {
SFLFLOW_SAMPLE = 1, /* enterprise = 0 : format = 1 */
SFLCOUNTERS_SAMPLE = 2, /* enterprise = 0 : format = 2 */
SFLFLOW_SAMPLE_EXPANDED = 3, /* enterprise = 0 : format = 3 */
SFLCOUNTERS_SAMPLE_EXPANDED = 4 /* enterprise = 0 : format = 4 */
};
/* Format of a single flow sample */
typedef struct _SFLFlow_sample {
/* u_int32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */
/* u_int32_t length; */
u_int32_t sequence_number; /* Incremented with each flow sample
generated */
u_int32_t source_id; /* fsSourceId */
u_int32_t sampling_rate; /* fsPacketSamplingRate */
u_int32_t sample_pool; /* Total number of packets that could have been
sampled (i.e. packets skipped by sampling
process + total number of samples) */
u_int32_t drops; /* Number of times a packet was dropped due to
lack of resources */
u_int32_t input; /* SNMP ifIndex of input interface.
0 if interface is not known. */
u_int32_t output; /* SNMP ifIndex of output interface,
0 if interface is not known.
Set most significant bit to indicate
multiple destination interfaces
(i.e. in case of broadcast or multicast)
and set lower order bits to indicate
number of destination interfaces.
Examples:
0x00000002 indicates ifIndex = 2
0x00000000 ifIndex unknown.
0x80000007 indicates a packet sent
to 7 interfaces.
0x80000000 indicates a packet sent to
an unknown number of
interfaces greater than 1.*/
u_int32_t num_elements;
SFLFlow_sample_element *elements;
} SFLFlow_sample;
/* same thing, but the expanded version (for full 32-bit ifIndex numbers) */
typedef struct _SFLFlow_sample_expanded {
/* u_int32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */
/* u_int32_t length; */
u_int32_t sequence_number; /* Incremented with each flow sample
generated */
u_int32_t ds_class; /* EXPANDED */
u_int32_t ds_index; /* EXPANDED */
u_int32_t sampling_rate; /* fsPacketSamplingRate */
u_int32_t sample_pool; /* Total number of packets that could have been
sampled (i.e. packets skipped by sampling
process + total number of samples) */
u_int32_t drops; /* Number of times a packet was dropped due to
lack of resources */
u_int32_t inputFormat; /* EXPANDED */
u_int32_t input; /* SNMP ifIndex of input interface.
0 if interface is not known. */
u_int32_t outputFormat; /* EXPANDED */
u_int32_t output; /* SNMP ifIndex of output interface,
0 if interface is not known. */
u_int32_t num_elements;
SFLFlow_sample_element *elements;
} SFLFlow_sample_expanded;
/* Counter types */
/* Generic interface counters - see RFC 1573, 2233 */
typedef struct _SFLIf_counters {
u_int32_t ifIndex;
u_int32_t ifType;
u_int64_t ifSpeed;
u_int32_t ifDirection; /* Derived from MAU MIB (RFC 2668)
0 = unknown, 1 = full-duplex,
2 = half-duplex, 3 = in, 4 = out */
u_int32_t ifStatus; /* bit field with the following bits assigned:
bit 0 = ifAdminStatus (0 = down, 1 = up)
bit 1 = ifOperStatus (0 = down, 1 = up) */
u_int64_t ifInOctets;
u_int32_t ifInUcastPkts;
u_int32_t ifInMulticastPkts;
u_int32_t ifInBroadcastPkts;
u_int32_t ifInDiscards;
u_int32_t ifInErrors;
u_int32_t ifInUnknownProtos;
u_int64_t ifOutOctets;
u_int32_t ifOutUcastPkts;
u_int32_t ifOutMulticastPkts;
u_int32_t ifOutBroadcastPkts;
u_int32_t ifOutDiscards;
u_int32_t ifOutErrors;
u_int32_t ifPromiscuousMode;
} SFLIf_counters;
/* Ethernet interface counters - see RFC 2358 */
typedef struct _SFLEthernet_counters {
u_int32_t dot3StatsAlignmentErrors;
u_int32_t dot3StatsFCSErrors;
u_int32_t dot3StatsSingleCollisionFrames;
u_int32_t dot3StatsMultipleCollisionFrames;
u_int32_t dot3StatsSQETestErrors;
u_int32_t dot3StatsDeferredTransmissions;
u_int32_t dot3StatsLateCollisions;
u_int32_t dot3StatsExcessiveCollisions;
u_int32_t dot3StatsInternalMacTransmitErrors;
u_int32_t dot3StatsCarrierSenseErrors;
u_int32_t dot3StatsFrameTooLongs;
u_int32_t dot3StatsInternalMacReceiveErrors;
u_int32_t dot3StatsSymbolErrors;
} SFLEthernet_counters;
/* Token ring counters - see RFC 1748 */
typedef struct _SFLTokenring_counters {
u_int32_t dot5StatsLineErrors;
u_int32_t dot5StatsBurstErrors;
u_int32_t dot5StatsACErrors;
u_int32_t dot5StatsAbortTransErrors;
u_int32_t dot5StatsInternalErrors;
u_int32_t dot5StatsLostFrameErrors;
u_int32_t dot5StatsReceiveCongestions;
u_int32_t dot5StatsFrameCopiedErrors;
u_int32_t dot5StatsTokenErrors;
u_int32_t dot5StatsSoftErrors;
u_int32_t dot5StatsHardErrors;
u_int32_t dot5StatsSignalLoss;
u_int32_t dot5StatsTransmitBeacons;
u_int32_t dot5StatsRecoverys;
u_int32_t dot5StatsLobeWires;
u_int32_t dot5StatsRemoves;
u_int32_t dot5StatsSingles;
u_int32_t dot5StatsFreqErrors;
} SFLTokenring_counters;
/* 100 BaseVG interface counters - see RFC 2020 */
typedef struct _SFLVg_counters {
u_int32_t dot12InHighPriorityFrames;
u_int64_t dot12InHighPriorityOctets;
u_int32_t dot12InNormPriorityFrames;
u_int64_t dot12InNormPriorityOctets;
u_int32_t dot12InIPMErrors;
u_int32_t dot12InOversizeFrameErrors;
u_int32_t dot12InDataErrors;
u_int32_t dot12InNullAddressedFrames;
u_int32_t dot12OutHighPriorityFrames;
u_int64_t dot12OutHighPriorityOctets;
u_int32_t dot12TransitionIntoTrainings;
u_int64_t dot12HCInHighPriorityOctets;
u_int64_t dot12HCInNormPriorityOctets;
u_int64_t dot12HCOutHighPriorityOctets;
} SFLVg_counters;
typedef struct _SFLVlan_counters {
u_int32_t vlan_id;
u_int64_t octets;
u_int32_t ucastPkts;
u_int32_t multicastPkts;
u_int32_t broadcastPkts;
u_int32_t discards;
} SFLVlan_counters;
/* Counters data */
enum SFLCounters_type_tag {
/* enterprise = 0, format = ... */
SFLCOUNTERS_GENERIC = 1,
SFLCOUNTERS_ETHERNET = 2,
SFLCOUNTERS_TOKENRING = 3,
SFLCOUNTERS_VG = 4,
SFLCOUNTERS_VLAN = 5
};
typedef union _SFLCounters_type {
SFLIf_counters generic;
SFLEthernet_counters ethernet;
SFLTokenring_counters tokenring;
SFLVg_counters vg;
SFLVlan_counters vlan;
} SFLCounters_type;
typedef struct _SFLCounters_sample_element {
struct _SFLCounters_sample_element *nxt; /* linked list */
u_int32_t tag; /* SFLCounters_type_tag */
u_int32_t length;
SFLCounters_type counterBlock;
} SFLCounters_sample_element;
typedef struct _SFLCounters_sample {
/* u_int32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 2 */
/* u_int32_t length; */
u_int32_t sequence_number; /* Incremented with each counters sample
generated by this source_id */
u_int32_t source_id; /* fsSourceId */
u_int32_t num_elements;
SFLCounters_sample_element *elements;
} SFLCounters_sample;
/* same thing, but the expanded version, so ds_index can be a full 32 bits */
typedef struct _SFLCounters_sample_expanded {
/* u_int32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 2 */
/* u_int32_t length; */
u_int32_t sequence_number; /* Incremented with each counters sample
generated by this source_id */
u_int32_t ds_class; /* EXPANDED */
u_int32_t ds_index; /* EXPANDED */
u_int32_t num_elements;
SFLCounters_sample_element *elements;
} SFLCounters_sample_expanded;
#define SFLADD_ELEMENT(_sm, _el) do { (_el)->nxt = (_sm)->elements; (_sm)->elements = (_el); } while(0)
/* Format of a sample datagram */
enum SFLDatagram_version {
SFLDATAGRAM_VERSION2 = 2,
SFLDATAGRAM_VERSION4 = 4,
SFLDATAGRAM_VERSION5 = 5
};
typedef struct _SFLSample_datagram_hdr {
u_int32_t datagram_version; /* (enum SFLDatagram_version) = VERSION5 = 5 */
SFLAddress agent_address; /* IP address of sampling agent */
u_int32_t sub_agent_id; /* Used to distinguishing between datagram
streams from separate agent sub entities
within an device. */
u_int32_t sequence_number; /* Incremented with each sample datagram
generated */
u_int32_t uptime; /* Current time (in milliseconds since device
last booted). Should be set as close to
datagram transmission time as possible.*/
u_int32_t num_records; /* Number of tag-len-val flow/counter records to follow */
} SFLSample_datagram_hdr;
#define SFL_MAX_DATAGRAM_SIZE 1500
#define SFL_MIN_DATAGRAM_SIZE 200
#define SFL_DEFAULT_DATAGRAM_SIZE 1400
#define SFL_DATA_PAD 400
#define YES 1
#define NO 0
enum INMAddress_type {
INMADDRESSTYPE_IP_V4 = 1,
INMADDRESSTYPE_IP_V6 = 2
};
typedef union _INMAddress_value {
struct in_addr ip_v4;
#ifdef INET6
struct in6_addr ip_v6;
#endif
} INMAddress_value;
typedef struct _INMAddress {
u_int32_t type; /* enum INMAddress_type */
INMAddress_value address;
} INMAddress;
/* Packet header data */
#define INM_MAX_HEADER_SIZE 256 /* The maximum sampled header size. */
#define INM_DEFAULT_HEADER_SIZE 128
#define INM_DEFAULT_COLLECTOR_PORT 6343
#define INM_DEFAULT_SAMPLING_RATE 400
/* The header protocol describes the format of the sampled header */
enum INMHeader_protocol {
INMHEADER_ETHERNET_ISO8023 = 1,
INMHEADER_ISO88024_TOKENBUS = 2,
INMHEADER_ISO88025_TOKENRING = 3,
INMHEADER_FDDI = 4,
INMHEADER_FRAME_RELAY = 5,
INMHEADER_X25 = 6,
INMHEADER_PPP = 7,
INMHEADER_SMDS = 8,
INMHEADER_AAL5 = 9,
INMHEADER_AAL5_IP = 10, /* e.g. Cisco AAL5 mux */
INMHEADER_IPv4 = 11,
INMHEADER_IPv6 = 12
};
typedef struct _INMSampled_header {
u_int32_t header_protocol; /* (enum INMHeader_protocol) */
u_int32_t frame_length; /* Original length of packet before sampling */
u_int32_t header_length; /* length of sampled header bytes to follow */
u_int8_t header[INM_MAX_HEADER_SIZE]; /* Header bytes */
} INMSampled_header;
/* Packet IP version 4 data */
typedef struct _INMSampled_ipv4 {
u_int32_t length; /* The length of the IP packet
excluding lower layer encapsulations */
u_int32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */
struct in_addr src_ip; /* Source IP Address */
struct in_addr dst_ip; /* Destination IP Address */
u_int32_t src_port; /* TCP/UDP source port number or equivalent */
u_int32_t dst_port; /* TCP/UDP destination port number or equivalent */
u_int32_t tcp_flags; /* TCP flags */
u_int32_t tos; /* IP type of service */
} INMSampled_ipv4;
/* Packet IP version 6 data */
#ifdef INET6
typedef struct _INMSampled_ipv6 {
u_int32_t length; /* The length of the IP packet
excluding lower layer encapsulations */
u_int32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */
struct in6_addr src_ip; /* Source IP Address */
struct in6_addr dst_ip; /* Destination IP Address */
u_int32_t src_port; /* TCP/UDP source port number or equivalent */
u_int32_t dst_port; /* TCP/UDP destination port number or equivalent */
u_int32_t tcp_flags; /* TCP flags */
u_int32_t tos; /* IP type of service */
} INMSampled_ipv6;
#endif
/* Packet data */
enum INMPacket_information_type {
INMPACKETTYPE_HEADER = 1, /* Packet headers are sampled */
INMPACKETTYPE_IPV4 = 2, /* IP version 4 data */
INMPACKETTYPE_IPV6 = 3 /* IP version 4 data */
};
typedef union _INMPacket_data_type {
INMSampled_header header;
INMSampled_ipv4 ipv4;
#ifdef INET6
INMSampled_ipv6 ipv6;
#endif
} INMPacket_data_type;
/* Extended data types */
/* Extended switch data */
typedef struct _INMExtended_switch {
u_int32_t src_vlan; /* The 802.1Q VLAN id of incomming frame */
u_int32_t src_priority; /* The 802.1p priority */
u_int32_t dst_vlan; /* The 802.1Q VLAN id of outgoing frame */
u_int32_t dst_priority; /* The 802.1p priority */
} INMExtended_switch;
/* Extended router data */
typedef struct _INMExtended_router {
INMAddress nexthop; /* IP address of next hop router */
u_int32_t src_mask; /* Source address prefix mask bits */
u_int32_t dst_mask; /* Destination address prefix mask bits */
} INMExtended_router;
/* Extended gateway data */
enum INMExtended_as_path_segment_type {
INMEXTENDED_AS_SET = 1, /* Unordered set of ASs */
INMEXTENDED_AS_SEQUENCE = 2 /* Ordered sequence of ASs */
};
typedef struct _INMExtended_as_path_segment {
u_int32_t type; /* enum INMExtended_as_path_segment_type */
u_int32_t length; /* number of AS numbers in set/sequence */
union {
u_int32_t *set;
u_int32_t *seq;
} as;
} INMExtended_as_path_segment;
/* note: the INMExtended_gateway structure has changed between v2 and v4.
Here is the old version first... */
typedef struct _INMExtended_gateway_v2 {
u_int32_t as; /* AS number for this gateway */
u_int32_t src_as; /* AS number of source (origin) */
u_int32_t src_peer_as; /* AS number of source peer */
u_int32_t dst_as_path_length; /* number of AS numbers in path */
u_int32_t *dst_as_path;
} INMExtended_gateway_v2;
/* now here is the new version... */
typedef struct _INMExtended_gateway_v4 {
u_int32_t as; /* AS number for this gateway */
u_int32_t src_as; /* AS number of source (origin) */
u_int32_t src_peer_as; /* AS number of source peer */
u_int32_t dst_as_path_segments; /* number of segments in path */
INMExtended_as_path_segment *dst_as_path; /* list of seqs or sets */
u_int32_t communities_length; /* number of communities */
u_int32_t *communities; /* set of communities */
u_int32_t localpref; /* LocalPref associated with this route */
} INMExtended_gateway_v4;
/* Extended user data */
typedef struct _INMExtended_user {
u_int32_t src_user_len;
char *src_user;
u_int32_t dst_user_len;
char *dst_user;
} INMExtended_user;
enum INMExtended_url_direction {
INMEXTENDED_URL_SRC = 1, /* URL is associated with source address */
INMEXTENDED_URL_DST = 2 /* URL is associated with destination address */
};
typedef struct _INMExtended_url {
u_int32_t direction; /* enum INMExtended_url_direction */
u_int32_t url_len;
char *url;
} INMExtended_url;
/* Extended data */
enum INMExtended_information_type {
INMEXTENDED_SWITCH = 1, /* Extended switch information */
INMEXTENDED_ROUTER = 2, /* Extended router information */
INMEXTENDED_GATEWAY = 3, /* Extended gateway router information */
INMEXTENDED_USER = 4, /* Extended TACAS/RADIUS user information */
INMEXTENDED_URL = 5 /* Extended URL information */
};
/* Format of a single sample */
typedef struct _INMFlow_sample {
u_int32_t sequence_number; /* Incremented with each flow sample
generated */
u_int32_t source_id; /* fsSourceId */
u_int32_t sampling_rate; /* fsPacketSamplingRate */
u_int32_t sample_pool; /* Total number of packets that could have been
sampled (i.e. packets skipped by sampling
process + total number of samples) */
u_int32_t drops; /* Number of times a packet was dropped due to
lack of resources */
u_int32_t input; /* SNMP ifIndex of input interface.
0 if interface is not known. */
u_int32_t output; /* SNMP ifIndex of output interface,
0 if interface is not known.
Set most significant bit to indicate
multiple destination interfaces
(i.e. in case of broadcast or multicast)
and set lower order bits to indicate
number of destination interfaces.
Examples:
0x00000002 indicates ifIndex = 2
0x00000000 ifIndex unknown.
0x80000007 indicates a packet sent
to 7 interfaces.
0x80000000 indicates a packet sent to
an unknown number of
interfaces greater than 1.*/
u_int32_t packet_data_tag; /* enum INMPacket_information_type */
INMPacket_data_type packet_data; /* Information about sampled packet */
/* in the sFlow packet spec the next field is the number of extended objects
followed by the data for each one (tagged with the type). Here we just
provide space for each one, and flags to enable them. The correct format
is then put together by the serialization code */
int gotSwitch;
INMExtended_switch switchDevice;
int gotRouter;
INMExtended_router router;
int gotGateway;
union {
INMExtended_gateway_v2 v2; /* make the version explicit so that there is */
INMExtended_gateway_v4 v4; /* less danger of mistakes when upgrading code */
} gateway;
int gotUser;
INMExtended_user user;
int gotUrl;
INMExtended_url url;
} INMFlow_sample;
/* Counter types */
/* Generic interface counters - see RFC 1573, 2233 */
typedef struct _INMIf_counters {
u_int32_t ifIndex;
u_int32_t ifType;
u_int64_t ifSpeed;
u_int32_t ifDirection; /* Derived from MAU MIB (RFC 2239)
0 = unknown, 1 = full-duplex,
2 = half-duplex, 3 = in, 4 = out */
u_int32_t ifStatus; /* bit field with the following bits assigned:
bit 0 = ifAdminStatus (0 = down, 1 = up)
bit 1 = ifOperStatus (0 = down, 1 = up) */
u_int64_t ifInOctets;
u_int32_t ifInUcastPkts;
u_int32_t ifInMulticastPkts;
u_int32_t ifInBroadcastPkts;
u_int32_t ifInDiscards;
u_int32_t ifInErrors;
u_int32_t ifInUnknownProtos;
u_int64_t ifOutOctets;
u_int32_t ifOutUcastPkts;
u_int32_t ifOutMulticastPkts;
u_int32_t ifOutBroadcastPkts;
u_int32_t ifOutDiscards;
u_int32_t ifOutErrors;
u_int32_t ifPromiscuousMode;
} INMIf_counters;
/* Ethernet interface counters - see RFC 2358 */
typedef struct _INMEthernet_specific_counters {
u_int32_t dot3StatsAlignmentErrors;
u_int32_t dot3StatsFCSErrors;
u_int32_t dot3StatsSingleCollisionFrames;
u_int32_t dot3StatsMultipleCollisionFrames;
u_int32_t dot3StatsSQETestErrors;
u_int32_t dot3StatsDeferredTransmissions;
u_int32_t dot3StatsLateCollisions;
u_int32_t dot3StatsExcessiveCollisions;
u_int32_t dot3StatsInternalMacTransmitErrors;
u_int32_t dot3StatsCarrierSenseErrors;
u_int32_t dot3StatsFrameTooLongs;
u_int32_t dot3StatsInternalMacReceiveErrors;
u_int32_t dot3StatsSymbolErrors;
} INMEthernet_specific_counters;
typedef struct _INMEthernet_counters {
INMIf_counters generic;
INMEthernet_specific_counters ethernet;
} INMEthernet_counters;
/* FDDI interface counters - see RFC 1512 */
typedef struct _INMFddi_counters {
INMIf_counters generic;
} INMFddi_counters;
/* Token ring counters - see RFC 1748 */
typedef struct _INMTokenring_specific_counters {
u_int32_t dot5StatsLineErrors;
u_int32_t dot5StatsBurstErrors;
u_int32_t dot5StatsACErrors;
u_int32_t dot5StatsAbortTransErrors;
u_int32_t dot5StatsInternalErrors;
u_int32_t dot5StatsLostFrameErrors;
u_int32_t dot5StatsReceiveCongestions;
u_int32_t dot5StatsFrameCopiedErrors;
u_int32_t dot5StatsTokenErrors;
u_int32_t dot5StatsSoftErrors;
u_int32_t dot5StatsHardErrors;
u_int32_t dot5StatsSignalLoss;
u_int32_t dot5StatsTransmitBeacons;
u_int32_t dot5StatsRecoverys;
u_int32_t dot5StatsLobeWires;
u_int32_t dot5StatsRemoves;
u_int32_t dot5StatsSingles;
u_int32_t dot5StatsFreqErrors;
} INMTokenring_specific_counters;
typedef struct _INMTokenring_counters {
INMIf_counters generic;
INMTokenring_specific_counters tokenring;
} INMTokenring_counters;
/* 100 BaseVG interface counters - see RFC 2020 */
typedef struct _INMVg_specific_counters {
u_int32_t dot12InHighPriorityFrames;
u_int64_t dot12InHighPriorityOctets;
u_int32_t dot12InNormPriorityFrames;
u_int64_t dot12InNormPriorityOctets;
u_int32_t dot12InIPMErrors;
u_int32_t dot12InOversizeFrameErrors;
u_int32_t dot12InDataErrors;
u_int32_t dot12InNullAddressedFrames;
u_int32_t dot12OutHighPriorityFrames;
u_int64_t dot12OutHighPriorityOctets;
u_int32_t dot12TransitionIntoTrainings;
u_int64_t dot12HCInHighPriorityOctets;
u_int64_t dot12HCInNormPriorityOctets;
u_int64_t dot12HCOutHighPriorityOctets;
} INMVg_specific_counters;
typedef struct _INMVg_counters {
INMIf_counters generic;
INMVg_specific_counters vg;
} INMVg_counters;
/* WAN counters */
typedef struct _INMWan_counters {
INMIf_counters generic;
} INMWan_counters;
typedef struct _INMVlan_counters {
u_int32_t vlan_id;
u_int64_t octets;
u_int32_t ucastPkts;
u_int32_t multicastPkts;
u_int32_t broadcastPkts;
u_int32_t discards;
} INMVlan_counters;
/* Counters data */
enum INMCounters_version {
INMCOUNTERSVERSION_GENERIC = 1,
INMCOUNTERSVERSION_ETHERNET = 2,
INMCOUNTERSVERSION_TOKENRING = 3,
INMCOUNTERSVERSION_FDDI = 4,
INMCOUNTERSVERSION_VG = 5,
INMCOUNTERSVERSION_WAN = 6,
INMCOUNTERSVERSION_VLAN = 7
};
typedef union _INMCounters_type {
INMIf_counters generic;
INMEthernet_counters ethernet;
INMTokenring_counters tokenring;
INMFddi_counters fddi;
INMVg_counters vg;
INMWan_counters wan;
INMVlan_counters vlan;
} INMCounters_type;
typedef struct _INMCounters_sample_hdr {
u_int32_t sequence_number; /* Incremented with each counters sample
generated by this source_id */
u_int32_t source_id; /* fsSourceId */
u_int32_t sampling_interval; /* fsCounterSamplingInterval */
} INMCounters_sample_hdr;
typedef struct _INMCounters_sample {
INMCounters_sample_hdr hdr;
u_int32_t counters_type_tag; /* Enum INMCounters_version */
INMCounters_type counters; /* Counter set for this interface type */
} INMCounters_sample;
enum INMSample_types {
FLOWSAMPLE = 1,
COUNTERSSAMPLE = 2
};
typedef union _INMSample_type {
INMFlow_sample flowsample;
INMCounters_sample counterssample;
} INMSample_type;
/* Format of a sample datagram */
enum INMDatagram_version {
INMDATAGRAM_VERSION2 = 2,
INMDATAGRAM_VERSION4 = 4
};
typedef struct _INMSample_datagram_hdr {
u_int32_t datagram_version; /* (enum INMDatagram_version) = VERSION4 */
INMAddress agent_address; /* IP address of sampling agent */
u_int32_t sequence_number; /* Incremented with each sample datagram
generated */
u_int32_t uptime; /* Current time (in milliseconds since device
last booted). Should be set as close to
datagram transmission time as possible.*/
u_int32_t num_samples; /* Number of flow and counters samples to follow */
} INMSample_datagram_hdr;
#define INM_MAX_DATAGRAM_SIZE 1500
#define INM_MIN_DATAGRAM_SIZE 200
#define INM_DEFAULT_DATAGRAM_SIZE 1400
#define INM_DATA_PAD 400