1 /* 2 * Copyright (c) 2017, Peter Haag 3 * Copyright (c) 2014, Peter Haag 4 * Copyright (c) 2009, Peter Haag 5 * Copyright (c) 2004-2008, SWITCH - Teleinformatikdienste fuer Lehre und Forschung 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions are met: 10 * 11 * * Redistributions of source code must retain the above copyright notice, 12 * this list of conditions and the following disclaimer. 13 * * Redistributions in binary form must reproduce the above copyright notice, 14 * this list of conditions and the following disclaimer in the documentation 15 * and/or other materials provided with the distribution. 16 * * Neither the name of the author nor the names of its contributors may be 17 * used to endorse or promote products derived from this software without 18 * specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 24 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 * POSSIBILITY OF SUCH DAMAGE. 
 *
 */

// NOTE(review): identifiers that start with an underscore followed by an
// upper-case letter are reserved for the implementation. Renaming the guard
// would be a code change, so it is only flagged here.
#ifndef _NFX_H
#define _NFX_H 1

#include "config.h"

#include <sys/types.h>
#ifdef HAVE_STDINT_H
#include <stdint.h>
#endif

#include "nffile.h"

// MAX_EXTENSION_MAPS must be a power of 2: EXTENSION_MAP_MASK is derived as
// (MAX_EXTENSION_MAPS-1), which is a contiguous bit mask only in that case.
// 65536 is also the number of values the 16-bit map reference in
// common_record_t (ext_map) can take.
// NOTE(review): masking keeps an index inside the table, but it does not show
// that the selected slot holds a valid map - presumably the code using the
// table checks that; confirm.
#define MAX_EXTENSION_MAPS 65536
#define EXTENSION_MAP_MASK (MAX_EXTENSION_MAPS-1)

// DefaultExtensions is a comma separated list of numbers, presumably the
// EX_* extension ids defined further down - confirm against the code that
// parses the string.
#ifdef NSEL
// Defaults for NSEL
#define DefaultExtensions "1,8,26,27,28,29,30,31"
#else
// Collector netflow defaults
#define DefaultExtensions "1,2"
#endif


// Pair of 1/0 constants; the code that uses them is not part of this header.
#define NEEDS_EXTENSION_LIST 1
#define NO_EXTENSION_LIST 0

// new extended Common Record as intermediate solution to overcome 255 exporters
// requires moderate changes till 1.7
#define CommonRecordType 10

/*
 * All records are 32bit aligned and laid out in a 64bit array. The numbers placed in () refer to the netflow v9 type id.
 *
 * Record type 1
 * =============
 * The record type 1 describes a netflow data record incl. all optional extensions for this record.
 * A netflow data record requires at least the first 3 extensions 1..3. All other extensions are optional
 * and described in the extension map. The common record contains a reference to the extension map which
 * applies for this record.
 *
 * flags:
 * bit 0: 0: IPv4 1: IPv6
 * bit 1: 0: 32bit dPkts 1: 64bit dPkts
 * bit 2: 0: 32bit dOctets 1: 64bit dOctets
 * bit 3: 0: IPv4 next hop 1: IPv6 next hop
 * bit 4: 0: IPv4 BGP next hop 1: BGP IPv6 next hop
 * bit 5: 0: IPv4 exporter IP 1: IPv6 exporter IP
 * bit 6: 0: flow 1: event
 * bit 7: 0: unsampled 1: sampled flow - sampling applied
 *
 * Required extensions: 1,2,3
 * ------------------------------
 * A netflow record consists of at least a common record ( extension 0 ) and 3 required extensions:
 *
 * Extension 1: IPv4 or IPv6 src and dst addresses Flags bit 0: 0: IPv4, 1: IPv6
 * Extension 2: 32 or 64 bit packet counter Flags bit 1: 0: 32bit, 1: 64bit
 * Extension 3: 32 or 64 bit byte counter Flags bit 2: 0: 32bit, 1: 64bit
 *
 * Common record - extension 0
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | - | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | record type == 1 | size | flags | tag | ext. map |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | msec_first | msec_last | first (22) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | last (21) |fwd_status(89)| tcpflags (6) | proto (4) | src tos (5) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 3 | srcport (7) | dstport(11)/ICMP (32) |
 * +----+--------------+--------------+--------------+--------------+
 *
 * Common record - extension 0 - Type 10
 * required for larger exporter ID reference
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | - | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | record type == 10 | size | flags | ext. 
map |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | msec_first | msec_last | first (22) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | last (21) |fwd_status(89)| tcpflags (6) | proto (4) | src tos (5) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 3 | srcport (7) | dstport(11)/ICMP (32) | exporter ID | reserved icmp type/code |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+

 *
 */

// Id of the common record block (extension 0 in the description above).
#define COMMON_BLOCK_ID 0


/*
 * Fixed head of a flow record ("common record", extension 0). The member
 * order follows the "Type 10" table above: type, size, flags, ext_map, the
 * time stamps, the protocol fields, the ports and the exporter id.
 *
 * NOTE(review): size and ext_map are values carried inside the record
 * itself. A reader presumably fills this struct from file or network data,
 * so both should be validated before they are used to walk data[] or to
 * select an extension map - the checks are not part of this header; confirm
 * in the code that parses records.
 */
typedef struct common_record_s {
    // record head
    uint16_t type;      // record type; 10 (CommonRecordType) for the layout shown above
    uint16_t size;      // "size" cell of the table; presumably the length of the whole record in bytes - TODO confirm

    // record meta data
    uint16_t flags;     // bit field, see the FLAG_* values below and the "flags:" list above
#define FLAG_IPV6_ADDR 1    // bit 0: 0: IPv4 1: IPv6
#define FLAG_PKG_64 2   // bit 1: 0: 32bit dPkts 1: 64bit dPkts
#define FLAG_BYTES_64 4 // bit 2: 0: 32bit dOctets 1: 64bit dOctets
#define FLAG_IPV6_NH 8  // bit 3: 0: IPv4 next hop 1: IPv6 next hop
#define FLAG_IPV6_NHB 16    // bit 4: 0: IPv4 BGP next hop 1: BGP IPv6 next hop
#define FLAG_IPV6_EXP 32    // bit 5: 0: IPv4 exporter IP 1: IPv6 exporter IP
#define FLAG_EVENT 64   // bit 6: 0: flow 1: event
#define FLAG_SAMPLED 128    // bit 7: 0: unsampled 1: sampled flow - sampling applied

    uint16_t ext_map;   // reference to the extension map which applies for this record

    // netflow common record
    uint16_t msec_first;
    uint16_t msec_last;
    uint32_t first;     // netflow v9 type id 22
    uint32_t last;      // netflow v9 type id 21

    uint8_t fwd_status; // netflow v9 type id 89
    uint8_t tcp_flags;  // netflow v9 type id 6
    uint8_t prot;       // netflow v9 type id 4
    uint8_t tos;        // src tos, netflow v9 type id 5
    uint16_t srcport;   // netflow v9 type id 7
    uint16_t dstport;   // dstport (11) or ICMP (32), as labelled in the table

    uint16_t exporter_sysid;    // "exporter ID" cell; the reason for record type 10
    uint16_t reserved;  // labelled "reserved icmp type/code" in the table

    // link to extensions
    // One-element placeholder that marks where the extension data starts;
    // COMMON_RECORD_DATA_SIZE below subtracts it again.
    uint32_t data[1];
} common_record_t;

// Size of the fixed part of common_record_t, i.e. without the data[1]
// placeholder.
// NOTE(review): a record whose size field is smaller than this value cannot
// hold a complete head; presumably the reader rejects such records - confirm.
#define COMMON_RECORD_DATA_SIZE (sizeof(common_record_t) - sizeof(uint32_t) )

// Same value as COMMON_BLOCK_ID; the users of either name are outside this header.
#define COMMON_BLOCK 0

/*
 * Required extensions:
 * --------------------
 * Extension 1:
 * IPv4/v6 address type
 * IP version: IPv4
 * |
 * Flags: xxxx xxx0
 * IPv4:
 * 
+----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | srcip (8) | dstip (12) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 *
 * IPv6:
 * IP version: IPv6
 * |
 * Flags: xxxx xxx1
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | srcip (27) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | srcip (27) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | dstip (28) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 3 | dstip (28) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 *
 */

#define EX_IPv4v6 1

/*
 * Extension 1, IPv4 form (flags bit 0 clear): source and destination address.
 *
 * NOTE(review): data[] in this and the following extension structs only
 * marks where the next part of the record begins ("more data below"), so
 * sizeof() includes 4 bytes that do not belong to the extension. Code that
 * steps through a record presumably advances by the offset of data rather
 * than by sizeof, and presumably stops at the record's size field - confirm
 * both in the reader.
 */
typedef struct ipv4_block_s {
    uint32_t srcaddr;   // srcip (8)
    uint32_t dstaddr;   // dstip (12)
    uint8_t data[4];    // .. more data below
} ipv4_block_t;

/*
 * Extension 1, IPv6 form (flags bit 0 set): each address is held as two
 * 64-bit words, matching the two table rows per address above.
 */
typedef struct ipv6_block_s {
    uint64_t srcaddr[2];    // srcip (27)
    uint64_t dstaddr[2];    // dstip (28)
    uint8_t data[4];    // .. more data below
} ipv6_block_t;



/*
 * Extension 2:
 * In packet counter size
 *
 * In packet counter size 4byte
 * |
 * Flags: xxxx xx0x
 * +---++--------------+--------------+--------------+--------------+
 * | 0 | in pkts (2) |
 * +---++--------------+--------------+--------------+--------------+
 *
 * In packet counter size 8byte
 * |
 * Flags: xxxx xx1x
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | in pkts (2) |
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 *
 */

#define EX_PACKET_4_8 2

// 32-bit counter followed by the rest of the record. Presumably used for the
// 4 byte forms of extension 2 and 3 - confirm at the call sites.
typedef struct value32_s {
    uint32_t val;
    uint8_t data[4];    // .. more data below
} value32_t;

// 64-bit counter followed by the rest of the record. The union exposes the
// same 8 bytes either as one 64-bit value or as two 32-bit halves; which
// half is the low word depends on the host byte order.
typedef struct value64_s {
    union val_s {
        uint64_t val64;
        uint32_t val32[2];
    } val;
    uint8_t data[4];    // .. more data below
} value64_t;


/* Extension 3:
 * in byte counter size
 * In byte counter size 4byte
 * |
 * Flags: xxxx x0xx
 *
 * +---++--------------+--------------+--------------+--------------+
 * | 0 | in bytes (1) |
 * +---++--------------+--------------+--------------+--------------+
 *
 * In byte counter size 8byte
 * |
 * Flags: xxxx x1xx
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | in bytes (1) |
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */

#define EX_BYTE_4_8 3

/*
 *
 * Optional extension:
 * ===================
 *
 * Interface record
 * ----------------
 * Interface records are optional and accepted as either 2 or 4 bytes numbers
 * Extension 4:
 * +---++--------------+--------------+--------------+--------------+
 * | 0 | input (10) | output (14) |
 * +---++--------------+--------------+--------------+--------------+
 */
#define EX_IO_SNMP_2 4
// Extension 4: input/output interface numbers as 2 byte values.
typedef struct tpl_ext_4_s {
    uint16_t input;     // input (10)
    uint16_t output;    // output (14)
    uint8_t data[4];    // points to further data
} tpl_ext_4_t;

/*
 * Extension 5:
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | input (10) | output (14) |
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 4 and 5 are mutually exclusive in the extension map
 */
#define EX_IO_SNMP_4 5
// Extension 5: input/output interface numbers as 4 byte values.
typedef struct tpl_ext_5_s {
    uint32_t input;     // input (10)
    uint32_t output;    // output (14)
    uint8_t data[4];    // points to further data
} tpl_ext_5_t;


/*
 * AS record
 * ---------
 * AS records are optional and accepted as either 2 or 4 
bytes numbers
 * Extension 6:
 * +---++--------------+--------------+--------------+--------------+
 * | 0 | src as (16) | dst as (17) |
 * +---++--------------+--------------+--------------+--------------+
 */
#define EX_AS_2 6
// Extension 6: source and destination AS as 2 byte numbers.
typedef struct tpl_ext_6_s {
    uint16_t src_as;    // src as (16)
    uint16_t dst_as;    // dst as (17)
    uint8_t data[4];    // points to further data; placeholder, not part of this extension
} tpl_ext_6_t;

/*
 * Extension 7:
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | src as (16) | dst as (17) |
 * +---++--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 6 and 7 are mutually exclusive in the extension map
 */
#define EX_AS_4 7
// Extension 7: source and destination AS as 4 byte numbers.
typedef struct tpl_ext_7_s {
    uint32_t src_as;    // src as (16)
    uint32_t dst_as;    // dst as (17)
    uint8_t data[4];    // points to further data; placeholder, not part of this extension
} tpl_ext_7_t;


/*
 * Multiple fields record
 * ----------------------
 * These 4 different fields are grouped together in a 32bit value. 
 * Extension 8:
 * +---++--------------+--------------+--------------+--------------+
 * | 3 | dst tos(55) | dir(61) | srcmask(9,29)|dstmask(13,30)|
 * +---++--------------+--------------+--------------+--------------+
 */
// The macro name is spelled EX_MULIPLE (sic); it is part of the interface and
// is left as it is.
#define EX_MULIPLE 8
// Extension 8: four single-byte fields that can also be read or written as
// one 32-bit value through the member "any".
typedef struct tpl_ext_8_s {
    union {
        struct {
            uint8_t dst_tos;    // dst tos (55)
            uint8_t dir;        // dir (61)
            uint8_t src_mask;   // srcmask (9,29)
            uint8_t dst_mask;   // dstmask (13,30)
        };
        uint32_t any;   // all four bytes at once
    };
    uint8_t data[4];    // points to further data
} tpl_ext_8_t;

/*
 * IP next hop
 * -------------
 * IPv4:
 * Extension 9:
 * IP version: IPv4
 * |
 * Flags: xxxx 0xxx
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | next hop ip (15) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_NEXT_HOP_v4 9
// Extension 9: IPv4 next hop address (flags bit 3 clear).
typedef struct tpl_ext_9_s {
    uint32_t nexthop;   // next hop ip (15)
    uint8_t data[4];    // points to further data
} tpl_ext_9_t;

/*
 * IPv6:
 * Extension 10:
 * IP version: IPv6
 * |
 * Flags: xxxx 1xxx
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | next hop ip (62) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | next hop ip (62) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 9 and 10 are mutually exclusive in the extension map
 */
#define EX_NEXT_HOP_v6 10
// Extension 10: IPv6 next hop address (flags bit 3 set), two 64-bit words.
typedef struct tpl_ext_10_s {
    uint64_t nexthop[2];    // next hop ip (62)
    uint8_t data[4];    // points to further data
} tpl_ext_10_t;


/*
 * BGP next hop IP
 * ------------------
 * IPv4:
 * Extension 11:
 * IP version: IPv4
 * |
 * Flags: xxx0 xxxx
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | bgp 
next ip (18) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_NEXT_HOP_BGP_v4 11
// Extension 11: IPv4 BGP next hop address (flags bit 4 clear).
typedef struct tpl_ext_11_s {
    uint32_t bgp_nexthop;   // bgp next ip (18)
    uint8_t data[4];    // points to further data
} tpl_ext_11_t;

/*
 * IPv6:
 * Extension 12:
 * IP version: IPv6
 * |
 * Flags: xxx1 xxxx
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | bgp next ip (63) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | bgp next ip (63) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_NEXT_HOP_BGP_v6 12
// Extension 12: IPv6 BGP next hop address (flags bit 4 set), two 64-bit words.
typedef struct tpl_ext_12_s {
    uint64_t bgp_nexthop[2];    // bgp next ip (63)
    uint8_t data[4];    // points to further data
} tpl_ext_12_t;


/*
 * VLAN record
 * -----------
 * Extension 13:
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | src vlan(58) | dst vlan (59) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_VLAN 13
// Extension 13: source and destination VLAN as 2 byte values.
typedef struct tpl_ext_13_s {
    uint16_t src_vlan;  // src vlan (58)
    uint16_t dst_vlan;  // dst vlan (59)
    uint8_t data[4];    // points to further data
} tpl_ext_13_t;


/*
 * Out packet counter size
 * ------------------------
 * 4 byte
 * Extension 14:
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | out pkts (24) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_OUT_PKG_4 14
// Extension 14: out packet counter as a 4 byte value.
typedef struct tpl_ext_14_s {
    uint32_t out_pkts;  // out pkts (24)
    uint8_t data[4];    // points to further data
} tpl_ext_14_t;

/*
 * 8 byte (the counter in tpl_ext_15_s is a uint64_t)
 * Extension 15:
 * 
+----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | out pkts (24) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 14 and 15 are mutually exclusive in the extension map
 */
#define EX_OUT_PKG_8 15
// Extension 15: out packet counter as an 8 byte value. The union gives a
// second view of the same 8 bytes as two 32-bit words.
typedef struct tpl_ext_15_s {
    union {
        uint64_t out_pkts;  // out pkts (24)
        uint32_t v[2];  // for strict alignment use 2x32bits
    };
    uint8_t data[4];    // points to further data
} tpl_ext_15_t;


/*
 * Out byte counter size
 * ---------------------
 * 4 byte
 * Extension 16:
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | out bytes (23) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_OUT_BYTES_4 16
// Extension 16: out byte counter as a 4 byte value.
typedef struct tpl_ext_16_s {
    uint32_t out_bytes; // out bytes (23)
    uint8_t data[4];    // points to further data
} tpl_ext_16_t;


/* 8 byte
 * Extension 17:
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | out bytes (23) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 16 and 17 are mutually exclusive in the extension map
 */
#define EX_OUT_BYTES_8 17
// Extension 17: out byte counter as an 8 byte value, with a 2x32-bit view.
typedef struct tpl_ext_17_s {
    union {
        uint64_t out_bytes; // out bytes (23)
        uint32_t v[2];  // potential 32bit alignment
    };
    uint8_t data[4];    // points to further data
} tpl_ext_17_t;

/*
 * Aggr flows
 * ----------
 * 4 byte
 * Extension 18:
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | aggr flows (3) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_AGGR_FLOWS_4 18
// Extension 18: aggregated flow counter as a 4 byte value.
typedef struct tpl_ext_18_s {
    uint32_t aggr_flows;    // aggr flows (3)
    uint8_t data[4];    // points to further data
} tpl_ext_18_t;


/* 8 byte
 * Extension 19:
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | aggr flows (3) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 18 and 19 are mutually exclusive in the extension map
 */
#define EX_AGGR_FLOWS_8 19
// Extension 19: aggregated flow counter as an 8 byte value, with a 2x32-bit view.
typedef struct tpl_ext_19_s {
    union {
        uint64_t aggr_flows;    // aggr flows (3)
        uint32_t v[2];  // 32bit alignment
    };
    uint8_t data[4];    // points to further data
} tpl_ext_19_t;

/* 16 byte
 * Extension 20:
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | 0 | in src mac (56) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | 0 | out dst mac (57) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_MAC_1 20
// Extension 20: two MAC addresses, each stored in a 64-bit word. The table
// shows a leading 0 cell in each row, i.e. the address does not fill the
// whole word.
typedef struct tpl_ext_20_s {
    union {
        uint64_t in_src_mac;    // in src mac (56)
        uint32_t v1[2];     // same 8 bytes as two 32-bit words
    };
    union {
        uint64_t out_dst_mac;   // out dst mac (57)
        uint32_t v2[2];     // same 8 bytes as two 32-bit words
    };
    uint8_t data[4];    // points to further data
} tpl_ext_20_t;

/* 16 byte
 * Extension 21:
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | 0 | in dst mac (80) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | 0 | out src mac (81) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_MAC_2 21
// Extension 21: the second pair of MAC addresses, each stored in a 64-bit
// word with an alternative view as two 32-bit words.
typedef struct tpl_ext_21_s {
    union {
        uint64_t in_dst_mac;    // in dst mac (80)
        uint32_t v1[2];
    };
    union {
        uint64_t out_src_mac;   // out src mac (81)
        uint32_t v2[2];
    };
    uint8_t data[4];    // points to further data
} tpl_ext_21_t;

/* 40 byte
 * Extension 22:
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | 0 | MPLS_LABEL_2 (71) | 0 | MPLS_LABEL_1 (70) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | 0 | MPLS_LABEL_4 (73) | 0 | MPLS_LABEL_3 (72) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | 0 | MPLS_LABEL_6 (75) | 0 | MPLS_LABEL_5 (74) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 3 | 0 | MPLS_LABEL_8 (77) | 0 | MPLS_LABEL_7 (76) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 4 | 0 | MPLS_LABEL_10 (79) | 0 | MPLS_LABEL_9 (78) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_MPLS 22
// Extension 22: ten MPLS labels, one 32-bit word each (40 bytes).
// NOTE(review): the table lists the labels pairwise swapped inside each
// 64-bit row; how that maps to the array index is not visible in this
// header - confirm before relying on mpls_label[0] being label 1.
typedef struct tpl_ext_22_s {
    uint32_t mpls_label[10];
    uint8_t data[4];    // points to further data
} tpl_ext_22_t;

/*
 * Sending router IP
 * -----------------
 * IPv4:
 * Extension 23:
 * IP version: IPv4
 * |
 * Flags: xx0x xxxx
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | router ipv4 () |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_ROUTER_IP_v4 23
// Extension 23: IPv4 address of the sending router (flags bit 5 clear).
typedef struct tpl_ext_23_s {
    uint32_t router_ip;
    uint8_t data[4];    // points to further data
} tpl_ext_23_t;

/*
 * IPv6:
 * Extension 24:
 * IP version: IPv6
 * |
 * Flags: xx1x xxxx
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | router ip v6 () |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | router ip v6 () |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * Extension 23 and 24 are mutually exclusive in the extension map
 */
#define EX_ROUTER_IP_v6 24
// Extension 24: IPv6 address of the sending router (flags bit 5 set), two
// 64-bit words.
typedef struct tpl_ext_24_s {
    uint64_t router_ip[2];
    uint8_t data[4];    // points to further data
} tpl_ext_24_t;

/*
 * router source ID
 * ----------------
 * For v5 netflow, it's engine type/engine ID
 * for v9 it's the source_id
 * Extension 25:
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | fill |engine type(38)|engine ID(39) |
 * +----+--------------+--------------+--------------+--------------+
 */
#define EX_ROUTER_ID 25
// Extension 25: engine type and engine id, preceded by two fill bytes that
// bring the block to 32 bits.
typedef struct tpl_ext_25_s {
    uint16_t fill;
    uint8_t engine_type;    // engine type (38)
    uint8_t engine_id;      // engine ID (39)
    uint8_t data[4];    // points to further data
} tpl_ext_25_t;

/*
 * BGP prev/next adjacent AS
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | bgpNextAdjacentAsNumber(128) | bgpPrevAdjacentAsNumber(129) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_BGPADJ 26
// Extension 26: next and previous adjacent BGP AS number, 4 bytes each.
typedef struct tpl_ext_26_s {
    uint32_t bgpNextAdjacentAS; // bgpNextAdjacentAsNumber (128)
    uint32_t bgpPrevAdjacentAS; // bgpPrevAdjacentAsNumber (129)
    uint8_t data[4];    // points to further data
} tpl_ext_26_t;

/*
 * time flow received 
in ms
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | T received() |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_RECEIVED 27
// Extension 27: time the flow was received, in ms, as a 64-bit value with an
// alternative view as two 32-bit words.
typedef struct tpl_ext_27_s {
    union {
        uint64_t received;
        uint32_t v[2];
    };
    uint8_t data[4];    // points to further data
} tpl_ext_27_t;



// Extension ids 28..36 are set aside as reserved; no struct is defined for
// them in this part of the header.
#define EX_RESERVED_1 28
#define EX_RESERVED_2 29
#define EX_RESERVED_3 30
#define EX_RESERVED_4 31
#define EX_RESERVED_5 32
#define EX_RESERVED_6 33
#define EX_RESERVED_7 34
#define EX_RESERVED_8 35
#define EX_RESERVED_9 36

/*
 * NSEL Common block
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_EVENT_TIME_MSEC(323) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | NF_F_CONN_ID(148) |i type(176/8) |i code(177/9) |EVT(40005/233)| fill |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | NF_F_FW_EXT_EVENT(33002) | FW_CTS_SRC_SGT(34000) |
 * +----+--------------+--------------+--------------+--------------+
 * * EVT: NF_F_FW_EVENT
 * * XEVT: NF_F_FW_EXT_EVENT
 */
#define EX_NSEL_COMMON 37
// Extension 37: NSEL common block. Member order follows the table above:
// event time, connection id, ICMP type/code, firewall event, fill byte,
// extended firewall event and security group tag.
typedef struct tpl_ext_37_s {
    union {
        uint64_t event_time;    // NF_F_EVENT_TIME_MSEC (323)
        uint32_t v[2];      // same 8 bytes as two 32-bit words
    };
    uint32_t conn_id;       // NF_F_CONN_ID (148)
    union {
        // The two bytes are declared in opposite order depending on
        // WORDS_BIGENDIAN. When that macro matches the host byte order,
        // icmp_type is the most significant byte of nsel_icmp and
        // icmp_code the least significant one in both cases.
        struct {
#ifdef WORDS_BIGENDIAN
            uint8_t icmp_type;
            uint8_t icmp_code;
#else
            uint8_t icmp_code;
            uint8_t icmp_type;
#endif
        };
        uint16_t nsel_icmp;     // type and code as one 16-bit value
    };
    uint8_t fw_event;       // EVT: NF_F_FW_EVENT
    uint8_t fill;
    uint16_t fw_xevent;     // XEVT: NF_F_FW_EXT_EVENT (33002)
    uint16_t sec_group_tag; // FW_CTS_SRC_SGT (34000)
    uint8_t data[4];    // points to further data
} tpl_ext_37_t;

/*
 * NSEL/NEL xlate ports
 * +----+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_XLATE_SRC_PORT(227) | NF_F_XLATE_DST_PORT(228) |
 * +----+--------------+--------------+--------------+--------------+
 * ASA 8.4 compatibility mapping 40003 -> 227
 * ASA 8.4 compatibility mapping 40004 -> 228
 */
#define EX_NSEL_XLATE_PORTS 38
// Extension 38: translated source and destination port.
typedef struct tpl_ext_38_s {
    uint16_t xlate_src_port;    // NF_F_XLATE_SRC_PORT (227)
    uint16_t xlate_dst_port;    // NF_F_XLATE_DST_PORT (228)
    uint8_t data[4];    // points to further data
} tpl_ext_38_t;

/*
 * NSEL xlate v4 IP address
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_XLATE_SRC_ADDR_IPV4(225) | NF_F_XLATE_DST_ADDR_IPV4(226) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * ASA 8.4 compatibility mapping 40001 -> 225
 * ASA 8.4 compatibility mapping 40002 -> 226
 */
#define EX_NSEL_XLATE_IP_v4 39
// Extension 39: translated IPv4 source and destination address.
typedef struct tpl_ext_39_s {
    uint32_t xlate_src_ip;  // NF_F_XLATE_SRC_ADDR_IPV4 (225)
    uint32_t xlate_dst_ip;  // NF_F_XLATE_DST_ADDR_IPV4 (226)
    uint8_t data[4];    // points to further data
} tpl_ext_39_t;

/*
 * NSEL xlate v6 IP address - not yet implemented by CISCO
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | xlate src ip (281) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | xlate src ip (281) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | xlate dst ip (282) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 3 | xlate dst ip 
(282) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_NSEL_XLATE_IP_v6 40
// Extension 40: translated IPv6 source and destination address, two 64-bit
// words each.
typedef struct tpl_ext_40_s {
    uint64_t xlate_src_ip[2];   // xlate src ip (281)
    uint64_t xlate_dst_ip[2];   // xlate dst ip (282)
    uint8_t data[4];    // points to further data
} tpl_ext_40_t;


/*
 * NSEL ACL ingress/egress acl ID
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_INGRESS_ACL_ID(33000) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | NF_F_INGRESS_ACL_ID(33000) | NF_F_EGRESS_ACL_ID(33001) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | NF_F_EGRESS_ACL_ID(33001) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_NSEL_ACL 41
// Extension 41: ingress and egress ACL id, three 32-bit words each (24 bytes
// in total, matching the three table rows).
typedef struct tpl_ext_41_s {
    uint32_t ingress_acl_id[3]; // NF_F_INGRESS_ACL_ID (33000)
    uint32_t egress_acl_id[3];  // NF_F_EGRESS_ACL_ID (33001)
    uint8_t data[4];    // points to further data
} tpl_ext_41_t;

/*
 * NSEL ACL username
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_USERNAME(40000) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_NSEL_USER 42
// Extension 42: user name in a fixed 24 byte field (three table rows).
// NOTE(review): nothing in this header guarantees a terminating NUL inside
// the field. The content presumably originates from the exporter, so code
// that prints or copies it should bound the access to sizeof(username)
// unless the writer is known to terminate the string - confirm.
typedef struct tpl_ext_42_s {
    char username[24];  // NF_F_USERNAME (40000)
    uint8_t data[4];    // points to further data
} tpl_ext_42_t;

/*
 * NSEL ACL username max
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | NF_F_USERNAME(40000) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | .. | |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 8 | |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_NSEL_USER_MAX 43
// Extension 43: user name in a fixed 72 byte field (table rows 0..8).
// NOTE(review): as with the 24 byte variant, termination is not guaranteed
// by the type; bound reads to sizeof(username) - confirm how the writer
// fills the field.
typedef struct tpl_ext_43_s {
    char username[72];  // NF_F_USERNAME (40000)
    uint8_t data[4];    // points to further data
} tpl_ext_43_t;


#define EX_NSEL_RESERVED 44

/*
 * latency extensions, used by nprobe and nfpcapd
 */

/*
 * latency extension
 * NOTE(review): the first row gives the same id twice (57554/57554) while the
 * other two rows give consecutive ids; probably a typo - confirm.
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 0 | client_nw_delay_usec (57554/57554) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 1 | server_nw_delay_usec (57556/57557) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 * | 2 | appl_latency_usec (57558/57559) |
 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+
 */
#define EX_LATENCY 45
// Extension 45: three 64-bit latency values; the member names carry the unit
// (usec).
typedef struct tpl_ext_latency_s {
    uint64_t client_nw_delay_usec;
    uint64_t server_nw_delay_usec;
    uint64_t appl_latency_usec;
    uint8_t data[4];    // points to further data
} tpl_ext_latency_t;

/*
 * NEL xlate ports
 * NOTE(review): the heading says "xlate ports", but the id defined for this
 * block is EX_NEL_COMMON and the table shows the NAT event and VRF ids;
 * probably a copied heading - confirm.
 * 
+----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 869 * | 0 |NAT_EVENT(230)| flags | fill | NF_N_EGRESS_VRFID(235) | 870 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 871 * | 1 | NF_N_INGRESS_VRFID(234) | 872 * +----+--------------+--------------+--------------+--------------+ 873 */ 874 #define EX_NEL_COMMON 46 875 typedef struct tpl_ext_46_s { 876 uint8_t nat_event; 877 uint8_t flags; 878 uint16_t fill; 879 uint32_t egress_vrfid; 880 uint32_t ingress_vrfid; 881 uint8_t data[4]; // points to further data 882 } tpl_ext_46_t; 883 884 #define EX_NEL_GLOBAL_IP_v4 47 885 /* 886 * no longer used. Mapped to NSEL extension EX_NSEL_XLATE_IP_v4 887 */ 888 typedef struct tpl_ext_47_s { 889 uint32_t nat_inside; 890 uint32_t nat_outside; 891 uint8_t data[4]; // points to further data 892 } tpl_ext_47_t; 893 894 /* 895 * NEL Port Block Allocation 896 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 897 * | 0 | NF_F_XLATE_PORT_BLOCK_START | NF_F_XLATE_PORT_BLOCK_END | NF_F_XLATE_PORT_BLOCK_STEP | NF_F_XLATE_PORT_BLOCK_SIZE | 898 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 899 */ 900 #define EX_PORT_BLOCK_ALLOC 48 901 typedef struct tpl_ext_48_s { 902 uint16_t block_start; 903 uint16_t block_end; 904 uint16_t block_step; 905 uint16_t block_size; 906 uint8_t data[4]; // points to further data 907 } tpl_ext_48_t; 908 909 #define EX_NEL_RESERVED_1 49 910 911 /* 912 * V1 Extension map: 913 * ================= 914 * The extension map replaces the individual flags in v1 layout. With many possible extensions and combination of extensions 915 * an extension map is more efficient and flexible while reading and decoding the record. 
916 * In current version of nfdump, up to 65535 individual extension maps are supported, which is considered to be enough. 917 * 918 * For each available extension record, the ids are recorded in the extension map in the order they appear. 919 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 920 * | - | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 921 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 922 * | 0 | record type == 2 | size | map id | extension size | 923 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 924 * | 0 | extension id 1 | extension id 2 | extension id 3 | extension id 4 | 925 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 926 * ... 927 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 928 * | 0 | extension id n | extension id n+1 | extension id n+2 | extension id n+3 | 929 * +----+--------------+--------------+--------------+--------------+--------------+--------------+--------------+--------------+ 930 * ... 931 * +----+--------------+--------------+--------------+--------------+ 932 * | 0 | 0 | opt. 32bit alignment: 0 | 933 * +----+--------------+--------------+--------------+--------------+ 934 */ 935 936 typedef struct extension_map_s { 937 // record head 938 uint16_t type; // is ExtensionMapType 939 uint16_t size; // size of full map incl. 
header 940 941 // map data 942 #define INIT_ID 0xFFFF 943 uint16_t map_id; // identifies this map 944 uint16_t extension_size; // size of all extensions 945 uint16_t ex_id[1]; // extension id array 946 } extension_map_t; 947 948 typedef struct extension_descriptor_s { 949 uint16_t id; // id number 950 uint16_t size; // number of bytes 951 uint32_t user_index; // index specified by the user to enable this extension 952 uint32_t enabled; // extension is enabled or not 953 char *description; 954 } extension_descriptor_t; 955 956 typedef struct extension_info_s { 957 struct extension_info_s *next; 958 extension_map_t *map; 959 extension_map_t *exportMap; 960 uint32_t ref_count; 961 uint32_t *offset_cache; 962 master_record_t master_record; 963 } extension_info_t; 964 965 typedef struct extension_map_list_s { 966 extension_info_t *slot[MAX_EXTENSION_MAPS]; 967 extension_info_t *map_list; 968 extension_info_t **last_map; 969 uint32_t max_used; 970 } extension_map_list_t; 971 972 extension_map_list_t *InitExtensionMaps(int AllocateList); 973 974 void FreeExtensionMaps(extension_map_list_t *extension_map_list); 975 976 void PackExtensionMapList(extension_map_list_t *extension_map_list); 977 978 int Insert_Extension_Map(extension_map_list_t *extension_map_list, extension_map_t *map); 979 980 void SetupExtensionDescriptors(char *options); 981 982 void PrintExtensionMap(extension_map_t *map); 983 984 void DumpExMaps(char *filename); 985 986 #endif //_NFX_H 987