1 /* Copyright (c) 2002-2014 InMon Corp. Licensed under the terms of the InMon sFlow licence: */
2 /* http://www.inmon.com/technology/sflowlicense.txt */
3 
4 #ifndef SFLOW_H
5 #define SFLOW_H 1
6 
7 #include <ngx_config.h>
8 #include <ngx_core.h>
9 #include <ngx_http.h>
10 
11 typedef unsigned char byte_t;
12 /* #include <stdbool.h> */
13 #define true 1
14 #define false 0
15 /* use 32-bits for bool_t to help avoid unaligned fields */
16 typedef uint32_t bool_t;
17 
18 typedef struct {
19   uint32_t addr;
20 } SFLIPv4;
21 
22 typedef struct {
23   byte_t addr[16];
24 } SFLIPv6;
25 
26 typedef union _SFLAddress_value {
27   SFLIPv4 ip_v4;
28   SFLIPv6 ip_v6;
29 } SFLAddress_value;
30 
31 enum SFLAddress_type {
32   SFLADDRESSTYPE_UNDEFINED = 0,
33   SFLADDRESSTYPE_IP_V4 = 1,
34   SFLADDRESSTYPE_IP_V6 = 2
35 };
36 
37 typedef struct _SFLAddress {
38   uint32_t type;           /* enum SFLAddress_type */
39   SFLAddress_value address;
40 } SFLAddress;
41 
42 enum SFL_DSCLASS {
43   SFL_DSCLASS_IFINDEX=0,
44   SFL_DSCLASS_VLAN=1,
45   SFL_DSCLASS_PHYSICAL_ENTITY=2,
46   SFL_DSCLASS_LOGICAL_ENTITY=3
47 };
48 
49 /* Packet header data */
50 
51 #define SFL_DEFAULT_HEADER_SIZE 128
52 #define SFL_DEFAULT_COLLECTOR_PORT 6343
53 #define SFL_DEFAULT_SAMPLING_RATE 400
54 #define SFL_DEFAULT_POLLING_INTERVAL 30
55 
56 /* Extended data types */
57 
58 typedef struct _SFLString {
59   uint32_t len;
60   const byte_t *str;
61 } SFLString;
62 
63 /* Extended socket information,
64    Must be filled in for all application transactions associated with a network socket
65    Omit if transaction associated with non-network IPC  */
66 
67 /* IPv4 Socket */
68 /* opaque = flow_data; enterprise = 0; format = 2100 */
69 typedef struct _SFLExtended_socket_ipv4 {
70   uint32_t protocol;     /* IP Protocol (e.g. TCP = 6, UDP = 17) */
71   SFLIPv4 local_ip;          /* local IP address */
72   SFLIPv4 remote_ip;         /* remote IP address */
73   uint32_t local_port;   /* TCP/UDP local port number or equivalent */
74   uint32_t remote_port;  /* TCP/UDP remote port number of equivalent */
75 } SFLExtended_socket_ipv4;
76 
77 #define XDRSIZ_SFLEXTENDED_SOCKET4 20
78 
79 /* IPv6 Socket */
80 /* opaque = flow_data; enterprise = 0; format = 2101 */
81 typedef struct _SFLExtended_socket_ipv6 {
82   uint32_t protocol;     /* IP Protocol (e.g. TCP = 6, UDP = 17) */
83   SFLIPv6 local_ip;          /* local IP address */
84   SFLIPv6 remote_ip;         /* remote IP address */
85   uint32_t local_port;   /* TCP/UDP local port number or equivalent */
86   uint32_t remote_port;  /* TCP/UDP remote port number of equivalent */
87 } SFLExtended_socket_ipv6;
88 
89 #define XDRSIZ_SFLEXTENDED_SOCKET6 44
90 
91 typedef enum {
92   SFHTTP_OTHER    = 0,
93   SFHTTP_OPTIONS  = 1,
94   SFHTTP_GET      = 2,
95   SFHTTP_HEAD     = 3,
96   SFHTTP_POST     = 4,
97   SFHTTP_PUT      = 5,
98   SFHTTP_DELETE   = 6,
99   SFHTTP_TRACE    = 7,
100   SFHTTP_CONNECT  = 8,
101 } SFLHTTP_method;
102 
103 typedef struct _SFLSampled_http {
104   SFLHTTP_method method;
105   uint32_t protocol;       /* 1.1 = 1001 */
106   SFLString uri;               /* URI exactly as it came from the client */
107   SFLString host;              /* Host value from request header */
108   SFLString referrer;          /* Referer value from request header */
109   SFLString useragent;         /* User-Agent value from request header */
110   SFLString xff;               /* X-Forwarded-For from request header */
111   SFLString authuser;          /* RFC 1413 identity of user*/
112   SFLString mimetype;          /* Mime-Type */
113   uint64_t req_bytes;          /* Content-Length of request */
114   uint64_t resp_bytes;         /* Content-Length of response */
115   uint32_t uS;             /* duration of the operation (microseconds) */
116   uint32_t status;         /* HTTP status code */
117 } SFLSampled_http;
118 
119 #define SFLHTTP_MAX_URI_LEN 255
120 #define SFLHTTP_MAX_HOST_LEN 64
121 #define SFLHTTP_MAX_REFERRER_LEN 255
122 #define SFLHTTP_MAX_USERAGENT_LEN 128
123 #define SFLHTTP_MAX_XFF_LEN 64
124 #define SFLHTTP_MAX_AUTHUSER_LEN 32
125 #define SFLHTTP_MAX_MIMETYPE_LEN 64
126 
127 enum SFLFlow_type_tag {
128   /* enterprise = 0, format = ... */
129   SFLFLOW_EX_SOCKET4      = 2100,
130   SFLFLOW_EX_SOCKET6      = 2101,
131   /* SFLFLOW_MEMCACHE        = 2200, */
132   SFLFLOW_HTTP            = 2206,
133 };
134 
135 typedef union _SFLFlow_type {
136   SFLSampled_http http;
137   SFLExtended_socket_ipv4 socket4;
138   SFLExtended_socket_ipv6 socket6;
139 } SFLFlow_type;
140 
141 typedef struct _SFLFlow_sample_element {
142   struct _SFLFlow_sample_element *nxt;
143   uint32_t tag;  /* SFLFlow_type_tag */
144   uint32_t length;
145   SFLFlow_type flowType;
146 } SFLFlow_sample_element;
147 
148 enum SFL_sample_tag {
149   SFLFLOW_SAMPLE = 1,              /* enterprise = 0 : format = 1 */
150   SFLCOUNTERS_SAMPLE = 2,          /* enterprise = 0 : format = 2 */
151   SFLFLOW_SAMPLE_EXPANDED = 3,     /* enterprise = 0 : format = 3 */
152   SFLCOUNTERS_SAMPLE_EXPANDED = 4  /* enterprise = 0 : format = 4 */
153 };
154 
155 /* Format of a single flow sample */
156 
157 typedef struct _SFLFlow_sample {
158   /* uint32_t tag;    */         /* SFL_sample_tag -- enterprise = 0 : format = 1 */
159   /* uint32_t length; */
160   uint32_t sequence_number;      /* Incremented with each flow sample
161 					generated */
162   uint32_t source_id;            /* fsSourceId */
163   uint32_t sampling_rate;        /* fsPacketSamplingRate */
164   uint32_t sample_pool;          /* Total number of packets that could have been
165 					sampled (i.e. packets skipped by sampling
166 					process + total number of samples) */
167   uint32_t drops;                /* Number of times a packet was dropped due to
168 					lack of resources */
169   uint32_t input;                /* SNMP ifIndex of input interface.
170 					0 if interface is not known. */
171   uint32_t output;               /* SNMP ifIndex of output interface,
172 					0 if interface is not known.
173 					Set most significant bit to indicate
174 					multiple destination interfaces
175 					(i.e. in case of broadcast or multicast)
176 					and set lower order bits to indicate
177 					number of destination interfaces.
178 					Examples:
179 					0x00000002  indicates ifIndex = 2
180 					0x00000000  ifIndex unknown.
181 					0x80000007  indicates a packet sent
182 					to 7 interfaces.
183 					0x80000000  indicates a packet sent to
184 					an unknown number of
185 					interfaces greater than 1.*/
186   uint32_t num_elements;
187   SFLFlow_sample_element *elements;
188 } SFLFlow_sample;
189 
190 /* same thing, but the expanded version (for full 32-bit ifIndex numbers) */
191 
192 typedef struct _SFLFlow_sample_expanded {
193   /* uint32_t tag;    */         /* SFL_sample_tag -- enterprise = 0 : format = 1 */
194   /* uint32_t length; */
195   uint32_t sequence_number;      /* Incremented with each flow sample
196 					generated */
197   uint32_t ds_class;             /* EXPANDED */
198   uint32_t ds_index;             /* EXPANDED */
199   uint32_t sampling_rate;        /* fsPacketSamplingRate */
200   uint32_t sample_pool;          /* Total number of packets that could have been
201 					sampled (i.e. packets skipped by sampling
202 					process + total number of samples) */
203   uint32_t drops;                /* Number of times a packet was dropped due to
204 					lack of resources */
205   uint32_t inputFormat;          /* EXPANDED */
206   uint32_t input;                /* SNMP ifIndex of input interface.
207 					0 if interface is not known. */
208   uint32_t outputFormat;         /* EXPANDED */
209   uint32_t output;               /* SNMP ifIndex of output interface,
210 					0 if interface is not known. */
211   uint32_t num_elements;
212   SFLFlow_sample_element *elements;
213 } SFLFlow_sample_expanded;
214 
215 /* Counter types */
216 
217 typedef struct _SFLHTTP_counters {
218   uint32_t method_option_count;
219   uint32_t method_get_count;
220   uint32_t method_head_count;
221   uint32_t method_post_count;
222   uint32_t method_put_count;
223   uint32_t method_delete_count;
224   uint32_t method_trace_count;
225   uint32_t method_connect_count;
226   uint32_t method_other_count;
227   uint32_t status_1XX_count;
228   uint32_t status_2XX_count;
229   uint32_t status_3XX_count;
230   uint32_t status_4XX_count;
231   uint32_t status_5XX_count;
232   uint32_t status_other_count;
233 } SFLHTTP_counters;
234 
235 #define XDRSIZ_SFLHTTP_COUNTERS (15*4)
236 
237 typedef struct _SFLHost_par_counters {
238   uint32_t dsClass;       /* sFlowDataSource class */
239   uint32_t dsIndex;       /* sFlowDataSource index */
240 } SFLHost_par_counters;
241 
242 /* Counters data */
243 
244 enum SFLCounters_type_tag {
245   /* enterprise = 0, format = ... */
246   SFLCOUNTERS_HOST_PAR      = 2002, /* host parent */
247   SFLCOUNTERS_HTTP          = 2201, /* http counters */
248 };
249 
250 typedef union _SFLCounters_type {
251   SFLHost_par_counters host_par;
252   SFLHTTP_counters http;
253 } SFLCounters_type;
254 
255 typedef struct _SFLCounters_sample_element {
256   struct _SFLCounters_sample_element *nxt; /* linked list */
257   uint32_t tag; /* SFLCounters_type_tag */
258   uint32_t length;
259   SFLCounters_type counterBlock;
260 } SFLCounters_sample_element;
261 
262 typedef struct _SFLCounters_sample {
263   /* uint32_t tag;    */       /* SFL_sample_tag -- enterprise = 0 : format = 2 */
264   /* uint32_t length; */
265   uint32_t sequence_number;    /* Incremented with each counters sample
266 				      generated by this source_id */
267   uint32_t source_id;          /* fsSourceId */
268   uint32_t num_elements;
269   SFLCounters_sample_element *elements;
270 } SFLCounters_sample;
271 
272 /* same thing, but the expanded version, so ds_index can be a full 32 bits */
273 typedef struct _SFLCounters_sample_expanded {
274   /* uint32_t tag;    */       /* SFL_sample_tag -- enterprise = 0 : format = 2 */
275   /* uint32_t length; */
276   uint32_t sequence_number;    /* Incremented with each counters sample
277 				      generated by this source_id */
278   uint32_t ds_class;           /* EXPANDED */
279   uint32_t ds_index;           /* EXPANDED */
280   uint32_t num_elements;
281   SFLCounters_sample_element *elements;
282 } SFLCounters_sample_expanded;
283 
284 #define SFLADD_ELEMENT(_sm, _el) do { (_el)->nxt = (_sm)->elements; (_sm)->elements = (_el); } while(0)
285 
286 /* Format of a sample datagram */
287 
288 enum SFLDatagram_version {
289   SFLDATAGRAM_VERSION2 = 2,
290   SFLDATAGRAM_VERSION4 = 4,
291   SFLDATAGRAM_VERSION5 = 5
292 };
293 
294 typedef struct _SFLSample_datagram_hdr {
295   uint32_t datagram_version;      /* (enum SFLDatagram_version) = VERSION5 = 5 */
296   SFLAddress agent_address;        /* IP address of sampling agent */
297   uint32_t sub_agent_id;          /* Used to distinguishing between datagram
298 					 streams from separate agent sub entities
299 					 within an device. */
300   uint32_t sequence_number;       /* Incremented with each sample datagram
301 					 generated */
302   uint32_t uptime;                /* Current time (in milliseconds since device
303 					 last booted). Should be set as close to
304 					 datagram transmission time as possible.*/
305   uint32_t num_records;           /* Number of tag-len-val flow/counter records to follow */
306 } SFLSample_datagram_hdr;
307 
308 #define SFL_MAX_DATAGRAM_SIZE 1500
309 #define SFL_MIN_DATAGRAM_SIZE 200
310 #define SFL_DEFAULT_DATAGRAM_SIZE 1400
311 
312 #define SFL_DATA_PAD 400
313 
314 #endif /* SFLOW_H */
315