1 /*
2  *  Copyright (c) 2009-2020, Peter Haag
3  *  Copyright (c) 2004-2008, SWITCH - Teleinformatikdienste fuer Lehre und Forschung
4  *  All rights reserved.
5  *
6  *  Redistribution and use in source and binary forms, with or without
7  *  modification, are permitted provided that the following conditions are met:
8  *
9  *   * Redistributions of source code must retain the above copyright notice,
10  *     this list of conditions and the following disclaimer.
11  *   * Redistributions in binary form must reproduce the above copyright notice,
12  *     this list of conditions and the following disclaimer in the documentation
13  *     and/or other materials provided with the distribution.
14  *   * Neither the name of the author nor the names of its contributors may be
15  *     used to endorse or promote products derived from this software without
16  *     specific prior written permission.
17  *
18  *  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19  *  AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20  *  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21  *  ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
22  *  LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
23  *  CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24  *  SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
25  *  INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
26  *  CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
27  *  ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  *  POSSIBILITY OF SUCH DAMAGE.
29  *
30  */
31 
32 /* v9 structures */
33 
34 /*   Packet Header Field Descriptions
35  *
36  *   Version
37  *         Version of Flow Record format exported in this packet.  The
38  *         value of this field is 9 for the current version.
39  *
40  *   Count
41  *         The total number of records in the Export Packet, which is the
42  *         sum of Options FlowSet records, Template FlowSet records, and
43  *         Data FlowSet records.
44  *
45  *   sysUpTime
46  *         Time in milliseconds since this device was first booted.
47  *
48  *   UNIX Secs
49  *         Time in seconds since 0000 UTC 1970, at which the Export Packet
50  *         leaves the Exporter.
51  *
52  *   Sequence Number
53  *         Incremental sequence counter of all Export Packets sent from
54  *         the current Observation Domain by the Exporter.  This value
55  *         MUST be cumulative, and SHOULD be used by the Collector to
56  *         identify whether any Export Packets have been missed.
57  *
58  *   Source ID
59  *         A 32-bit value that identifies the Exporter Observation Domain.
60  *         NetFlow Collectors SHOULD use the combination of the source IP
61  *         address and the Source ID field to separate different export
62  *         streams originating from the same Exporter.
63  */
64 
65 #ifndef _NETFLOW_V9_H
66 #define _NETFLOW_V9_H 1
67 
68 #include "config.h"
69 
70 #include <sys/types.h>
71 #ifdef HAVE_STDINT_H
72 #include <stdint.h>
73 #endif
74 
75 #include "collector.h"
76 #include "nfnet.h"
77 #include "nffile.h"
78 
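/* NetFlow v9 export packet header as it appears on the wire: six fields,
 * 2 + 2 + 4 + 4 + 4 + 4 = 20 bytes, in the order described in the
 * "Packet Header Field Descriptions" comment above.
 *
 * This struct is presumably overlaid directly on the received datagram by
 * Process_v9() (not visible in this header), so its in-memory layout must
 * match the wire format byte for byte -- no padding, no reordering.  The
 * fields arrive in network byte order; the consumer is expected to swap
 * them (confirm in Process_v9).  Every field is untrusted network input:
 * in particular `count` is advisory and must never be used to size a
 * buffer or bound a loop without also checking the bytes remaining in
 * the datagram.
 */
typedef struct netflow_v9_header {
	uint16_t  version;     /* export format version; 9 for this header */
	uint16_t  count;       /* number of records in the packet (advisory, untrusted) */
	uint32_t  SysUptime;   /* exporter uptime in milliseconds */
	uint32_t  unix_secs;   /* export time, seconds since 1970-01-01 00:00 UTC */
	uint32_t  sequence;    /* cumulative packet counter per observation domain */
	uint32_t  source_id;   /* exporter observation domain id */
} netflow_v9_header_t;

/* Size of the on-wire header.  A datagram shorter than this cannot be a
 * valid v9 export packet and must be rejected before the header is read. */
#define NETFLOW_V9_HEADER_LENGTH sizeof(netflow_v9_header_t)

/* Compile-time guard: fail the build if the compiler ever lays this struct
 * out as anything but the 20 wire bytes (padding, unusual alignment), since
 * any other size would silently mis-parse every packet.  The negative array
 * size is the C89/C99-portable form of a static assertion. */
typedef char netflow_v9_header_size_check[(sizeof(netflow_v9_header_t) == 20) ? 1 : -1];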
89 
90 /* FlowSet ID
91  *         FlowSet ID value of 0 is reserved for the Template FlowSet.
92  *   Length
93  *         Total length of this FlowSet.  Because an individual Template
94  *         FlowSet MAY contain multiple Template Records, the Length value
95  *         MUST be used to determine the position of the next FlowSet
96  *         record, which could be any type of FlowSet.  Length is the sum
97  *         of the lengths of the FlowSet ID, the Length itself, and all
98  *         Template Records within this FlowSet.
99  *
100  *   Template ID
101  *         Each of the newly generated Template Records is given a unique
102  *         Template ID.  This uniqueness is local to the Observation
103  *         Domain that generated the Template ID.  Template IDs 0-255 are
104  *         reserved for Template FlowSets, Options FlowSets, and other
105  *         reserved FlowSets yet to be created.  Template IDs of Data
106  *         FlowSets are numbered from 256 to 65535.
107  *
108  *   Field Count
109  *         Number of fields in this Template Record.   Because a Template
110  *         FlowSet usually contains multiple Template Records, this field
111  *         allows the Collector to determine the end of the current
112  *         Template Record and the start of the next.
113  *
114  *   Field Type
115  *         A numeric value that represents the type of the field.  Refer
116  *         to the "Field Type Definitions" section.
117  *
118  *   Field Length
119  *         The length of the corresponding Field Type, in bytes.  Refer to
120  *         the "Field Type Definitions" section.
121  */
122 
/* One Template Record inside a Template FlowSet (flowset id 0): a template
 * id, a field count, and `count` (type, length) pairs.
 *
 * `record[1]` is a one-element placeholder for a variable-length array; the
 * real number of entries is `count`, so sizeof() of this struct does NOT
 * give the record's wire size -- a record occupies 4 + 4 * count bytes and
 * the parser must step over exactly that.  Both `count` and every `length`
 * come from the network and are untrusted: before using them the parser
 * must check that 4 * count fits inside the enclosing flowset, and that the
 * summed field lengths fit inside each later data record before they are
 * used as copy sizes.
 * NOTE(review): a C99 flexible array member would express this better, but
 * it changes sizeof() and any caller that relies on the current value, so
 * the layout is left untouched here. */
typedef struct template_record_s {
	uint16_t  	template_id;   /* 256..65535 for data templates (see comment above) */
	uint16_t  	count;         /* number of (type, length) pairs that follow */
	struct {
		uint16_t  type;        /* field type: one of the NF9_* / NF_* values below */
		uint16_t  length;      /* field length in bytes, as declared by the exporter */
	} record[1];               /* placeholder: actually `count` entries */
} template_record_t;
131 
/* Template FlowSet: flowset id (NF9_TEMPLATE_FLOWSET_ID) and total length,
 * followed by one or more template records.  `fields[1]` is a placeholder
 * only; template records are variable length, so they cannot be indexed
 * as an array -- walk them using each record's `count`.
 *
 * `length` (network supplied) covers the 4-byte flowset header plus all
 * records and is what advances the parser to the next flowset.  The parser
 * must reject length < 4 (no forward progress, or underflow when the
 * remaining size is computed) and length > bytes remaining in the
 * datagram. */
typedef struct template_flowset_s {
	uint16_t  	flowset_id;    /* 0 for a template flowset */
	uint16_t  	length;        /* total flowset length in bytes, header included */
	template_record_t	fields[1];  /* placeholder: first of several variable-length records */
} template_flowset_t;
137 
/* Data FlowSet: flowset id (>= NF9_MIN_RECORD_FLOWSET_ID; it names the
 * template that describes the payload) and total length, followed by
 * `length - 4` bytes of data records laid out per that template.
 * `data[4]` is a placeholder for the variable-length payload, not a real
 * 4-byte bound -- never use sizeof() of this struct as the payload size.
 * NOTE(review): the payload is presumably padded to a 4-byte boundary, so
 * the trailing bytes need not form a whole record; confirm in the parser
 * and make sure a partial trailing record is skipped, not decoded. */
typedef struct data_flowset_s {
	uint16_t  	flowset_id;    /* template id the records follow (256..65535) */
	uint16_t  	length;        /* total flowset length in bytes, header included */
	uint8_t		data[4];       /* placeholder: actually `length - 4` bytes */
} data_flowset_t;
143 
/* Options Template FlowSet (flowset id NF9_OPTIONS_FLOWSET_ID).  After the
 * common 4-byte flowset header it carries the option template id, the
 * length of the scope field specs and the length of the option field specs
 * (assumed to be byte counts, each spec being a 4-byte (type, length)
 * pair -- confirm against the parser), followed by the specs themselves.
 *
 * `record[1]` is a placeholder; the number of entries is
 * (option_scope_length + option_length) / 4.  All three lengths are
 * untrusted: the parser must verify that the 10-byte fixed part plus
 * option_scope_length + option_length does not exceed `length`, and that
 * `length` does not exceed the remaining datagram, before iterating. */
typedef struct option_template_flowset_s {
	uint16_t  	flowset_id;            /* 1 for an options template flowset */
	uint16_t  	length;                /* total flowset length in bytes, header included */
	uint16_t	template_id;           /* id the matching option data flowsets will use */
	uint16_t	option_scope_length;   /* size of the scope field specs */
	uint16_t	option_length;         /* size of the option field specs */
	struct {
		uint16_t  type;                /* field type */
		uint16_t  length;              /* field length in bytes */
	} record[1];                       /* placeholder: scope specs then option specs */
} option_template_flowset_t;
155 
/* The 4-byte prefix shared by every FlowSet type (template, options and
 * data): flowset id and total length.  Used to peek at the kind of the
 * next flowset before choosing one of the more specific structs above.
 * At least these 4 bytes must remain in the datagram before it is read,
 * and the `length` it yields must be >= 4 and <= the remaining bytes. */
typedef struct common_header_s {
	uint16_t  	flowset_id;    /* 0 template, 1 options, >= 256 data */
	uint16_t  	length;        /* total flowset length in bytes, this header included */
} common_header_t;
160 
/* Named field sizes in bytes, presumably used by the parser to compare a
 * template's declared field `length` with the size the collector expects
 * for a given field type (confirm in the implementation).
 * NOTE(review): identifiers beginning with an underscore are in the
 * namespace reserved for the implementation at file scope (C99 7.1.3);
 * the include guard _NETFLOW_V9_H has the same issue.  Renaming would
 * break other translation units, so they are kept as is. */
#define _1byte    1
#define _2bytes   2
#define _3bytes   3
#define _4bytes   4
#define _6bytes   6
#define _8bytes   8
#define _12bytes  12
#define _16bytes  16
#define _20bytes  20
#define _24bytes  24
#define _65bytes  65
#define _72bytes  72
173 
/* Reserved FlowSet ids.  0 carries templates, 1 carries options templates;
 * 2..255 are reserved (see the Template ID description above) and should
 * be skipped using the flowset `length`, never decoded as data; 256 and
 * above are data flowsets whose id is a previously received template id. */
#define NF9_TEMPLATE_FLOWSET_ID     0
#define NF9_OPTIONS_FLOWSET_ID      1
#define NF9_MIN_RECORD_FLOWSET_ID   256
177 
// Flowset record types: values carried in the `type` half of a template
// (type, length) pair.  The numbers are the exporter-side field type ids;
// the larger ones appear to come from the IANA IPFIX registry linked
// further down (confirm against that registry before adding new ones).
// A type the collector does not know must be handled by skipping the
// declared `length` bytes, not by rejecting the whole template.
#define NF9_IN_BYTES            1
#define NF9_IN_PACKETS          2
#define NF9_FLOWS_AGGR			3
#define NF9_IN_PROTOCOL         4
#define NF9_SRC_TOS         	5
#define NF9_TCP_FLAGS           6
#define NF9_L4_SRC_PORT         7
#define NF9_IPV4_SRC_ADDR       8
#define NF9_SRC_MASK			9
#define NF9_INPUT_SNMP          10
#define NF9_L4_DST_PORT         11
#define NF9_IPV4_DST_ADDR       12
#define NF9_DST_MASK			13
#define NF9_OUTPUT_SNMP         14
#define NF9_V4_NEXT_HOP			15
#define NF9_SRC_AS          	16
#define NF9_DST_AS          	17
#define NF9_BGP_V4_NEXT_HOP		18

// flow timing and egress counters
#define NF9_LAST_SWITCHED       21
#define NF9_FIRST_SWITCHED      22
#define NF9_OUT_BYTES       	23
#define NF9_OUT_PKTS    		24

// IPv6 addressing
#define NF9_IPV6_SRC_ADDR       27
#define NF9_IPV6_DST_ADDR       28
#define NF9_IPV6_SRC_MASK		29
#define NF9_IPV6_DST_MASK		30

#define NF9_IPV6_FLOW_LABEL		31
#define NF9_ICMP_TYPE			32

// sampling announced by the exporter -- values are untrusted and a zero
// interval must not be used as a divisor or multiplier without a check
#define NF9_SAMPLING_INTERVAL	34
#define NF9_SAMPLING_ALGORITHM	35

#define NF9_ENGINE_TYPE			38
#define NF9_ENGINE_ID			39

#define NF9_FLOW_SAMPLER_ID 	48
#define FLOW_SAMPLER_MODE 		49   // NOTE(review): lacks the NF9_ prefix; kept for existing callers
#define NF9_FLOW_SAMPLER_RANDOM_INTERVAL 50

// selector-based sampling elements (ids in the IPFIX range, see link below)
#define NF_SELECTOR_ID			302
#define NF_SELECTOR_ALGORITHM	304
#define NF_SAMPLING_INTERVAL	305

// not decoded by this collector; left for reference
// #define NF9_MIN_TTL			52
// #define NF9_MAX_TTL			53
// #define NF9_IPV4_IDENT		54

// layer-2 and QoS attributes
#define NF9_DST_TOS         	55
#define NF9_IN_SRC_MAC			56
#define NF9_OUT_DST_MAC			57
#define NF9_SRC_VLAN			58
#define NF9_DST_VLAN			59

#define NF9_DIRECTION	        61
#define NF9_V6_NEXT_HOP 		62
#define NF9_BPG_V6_NEXT_HOP   	63   // sic: "BPG" is a typo for BGP; name kept for existing callers
// #define NF9_V6_OPTION_HEADERS 64

// MPLS label stack, outermost first
#define NF9_MPLS_LABEL_1		70
#define NF9_MPLS_LABEL_2		71
#define NF9_MPLS_LABEL_3		72
#define NF9_MPLS_LABEL_4		73
#define NF9_MPLS_LABEL_5		74
#define NF9_MPLS_LABEL_6		75
#define NF9_MPLS_LABEL_7		76
#define NF9_MPLS_LABEL_8		77
#define NF9_MPLS_LABEL_9		78
#define NF9_MPLS_LABEL_10		79
#define NF9_IN_DST_MAC			80
#define NF9_OUT_SRC_MAC			81


#define NF9_FORWARDING_STATUS	89

// BGP adjacency and 802.1Q VLAN ids (the last two use IANA-style names)
#define NF9_BGP_ADJ_NEXT_AS 	128
#define NF9_BGP_ADJ_PREV_AS 	129
#define NF9_dot1qVlanId			243
#define NF9_postDot1qVlanId		254
260 
// CISCO ASA NSEL extension - Network Security Event Logging
// Field type ids the ASA emits in its NSEL templates.  Ids of 33000 and
// above are presumably vendor-specific (outside the IANA-assigned range)
// and only meaningful when the exporter is an ASA -- confirm before
// reusing them for another exporter type.
#define NF_F_FLOW_BYTES				   85
#define NF_F_CONN_ID                  148
#define NF_F_FLOW_CREATE_TIME_MSEC	  152
#define NF_F_FLOW_END_TIME_MSEC		  153
#define NF_F_ICMP_TYPE                176
#define NF_F_ICMP_CODE                177
#define NF_F_ICMP_TYPE_IPV6           178
#define NF_F_ICMP_CODE_IPV6           179
#define NF_F_FWD_FLOW_DELTA_BYTES	  231
#define NF_F_REV_FLOW_DELTA_BYTES	  232
#define NF_F_EVENT_TIME_MSEC          323
#define NF_F_INGRESS_ACL_ID         33000
#define NF_F_EGRESS_ACL_ID          33001
#define NF_F_FW_EXT_EVENT           33002
// NOTE(review): presumably a string field; its wire length is whatever the
// template declares and it need not be NUL terminated -- the parser must
// bound the copy by the template length and terminate it itself.
#define NF_F_USERNAME               40000

// NAT translation addresses and ports as reported by the ASA
#define NF_F_XLATE_SRC_ADDR_IPV4	  225
#define NF_F_XLATE_DST_ADDR_IPV4	  226
#define NF_F_XLATE_SRC_PORT			  227
#define NF_F_XLATE_DST_PORT			  228
#define NF_F_XLATE_SRC_ADDR_IPV6	  281
#define NF_F_XLATE_DST_ADDR_IPV6	  282
#define NF_F_FW_EVENT				  233

// ASA 8.4 compat elements
// Older ASA releases used these vendor ids for the same translation and
// event fields defined above; both sets must be accepted.
#define NF_F_XLATE_SRC_ADDR_84		40001
#define NF_F_XLATE_DST_ADDR_84		40002
#define NF_F_XLATE_SRC_PORT_84      40003
#define NF_F_XLATE_DST_PORT_84      40004
#define NF_F_FW_EVENT_84            40005

// ASA 9.x packet counters: initiatorPackets and responderPackets
// see https://www.iana.org/assignments/ipfix/ipfix.xhtml
#define NF_F_INITIATORPACKETS		298
#define NF_F_RESPONDERPACKETS		299

// Zone-Based Firewall Logging
// Cisco TrustSec source security group tag (vendor-specific id)
#define NF_FW_CTS_SRC_SGT			34000

// Cisco ASR 1000 series NEL extension - Nat Event Logging
#define NF_N_NAT_EVENT				230
#define NF_N_INGRESS_VRFID			234
#define NF_N_EGRESS_VRFID			235

// port block allocation for carrier-grade NAT logging; the block bounds and
// step come from the exporter and should be sanity-checked (start <= end,
// step and size non-zero) before being used to derive individual ports
#define NF_F_XLATE_PORT_BLOCK_START 361
#define NF_F_XLATE_PORT_BLOCK_END   362
#define NF_F_XLATE_PORT_BLOCK_STEP  363
#define NF_F_XLATE_PORT_BLOCK_SIZE  364

// nprobe latency extensions
// Private ids used by the nprobe exporter for client/server network delay
// and application latency, each split into a seconds and microseconds field.
#define NF9_NPROBE_CLIENT_NW_DELAY_SEC	57554
#define NF9_NPROBE_CLIENT_NW_DELAY_USEC	57555
#define NF9_NPROBE_SERVER_NW_DELAY_SEC	57556
#define NF9_NPROBE_SERVER_NW_DELAY_USEC 57557
#define NF9_NPROBE_APPL_LATENCY_SEC		57558
#define NF9_NPROBE_APPL_LATENCY_USEC	57559
318 
/* prototypes */

/* Initialise the v9 decoder.  The parameters are opaque from this header:
 * `v` is presumably a verbosity level, and `sampling` / `overwrite` a
 * default sampling rate plus a flag to apply it regardless of what the
 * exporter announces -- confirm in the implementation, as is the meaning
 * of the return value. */
int Init_v9(int v, uint32_t sampling, uint32_t overwrite);

/* Decode one received v9 datagram of `in_buff_cnt` bytes at `in_buff`,
 * attributing the flows to source `fs`.  The buffer is untrusted network
 * data: the header `count`, every flowset `length`, every template `count`
 * and every field `length` must be checked against the bytes still
 * remaining in the datagram before being used to index, advance or copy,
 * and a flowset `length` below 4 must end the loop.
 * NOTE(review): `in_buff_cnt` is an ssize_t; a negative value (e.g. a failed
 * recv() passed straight through) must be rejected before it is compared
 * with the unsigned lengths above, or the comparison silently succeeds. */
void Process_v9(void *in_buff, ssize_t in_buff_cnt, FlowSource_t *fs);

/* Prepare the output side for exporting v9 records to `peer`. */
void Init_v9_output(send_peer_t *peer);

/* Append one master record to the pending v9 output for `peer`.  The
 * return value's meaning is not visible here (presumably it signals that
 * the output buffer is full and should be flushed -- confirm in the
 * implementation). */
int Add_v9_output_record(master_record_t *master_record, send_peer_t *peer);
327 
328 #endif //_NETFLOW_V9_H 1
329