netflow5.c 5.6 KB

  1. /*
  2. * Copyright 2002 Damien Miller <djm@mindrot.org> All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. * 1. Redistributions of source code must retain the above copyright
  8. * notice, this list of conditions and the following disclaimer.
  9. * 2. Redistributions in binary form must reproduce the above copyright
  10. * notice, this list of conditions and the following disclaimer in the
  11. * documentation and/or other materials provided with the distribution.
  12. *
  13. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23. */
  24. /* $Id$ */
  25. #include "common.h"
  26. #include "log.h"
  27. #include "treetype.h"
  28. #include "softflowd.h"
  29. RCSID("$Id$");
  /*
   * This is the Cisco Netflow(tm) version 5 packet format
   * Based on:
   * http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm
   *
   * NF5_HEADER is overlaid directly on the outgoing datagram buffer, so its
   * in-memory layout is the wire layout: field order and widths must not
   * change, and the compiler must not insert padding (the members below are
   * naturally aligned and add up to 24 bytes).
   *
   * The header has no authentication or integrity field; a receiver cannot
   * verify the sender from the packet contents alone.
   */
  struct NF5_HEADER {
      u_int16_t version;        /* sender stores htons(5) */
      u_int16_t flows;          /* number of NF5_FLOW records that follow */
      u_int32_t uptime_ms;      /* ms between system_boot_time and "now" */
      u_int32_t time_sec;       /* tv_sec of the export timestamp */
      u_int32_t time_nanosec;   /* tv_usec * 1000 of the export timestamp */
      u_int32_t flow_sequence;  /* running count of flows exported so far */
      u_int8_t engine_type;     /* left zero by the sender in this file */
      u_int8_t engine_id;       /* left zero by the sender in this file */
      u_int8_t reserved1;       /* left zero by the sender in this file */
      u_int8_t reserved2;       /* left zero by the sender in this file */
  };
  /*
   * One NetFlow v5 flow record as it appears on the wire (48 bytes when the
   * compiler adds no padding, which the natural alignment below permits).
   * Like NF5_HEADER it is overlaid on the datagram buffer, so field order
   * and widths are part of the protocol and must not be rearranged.
   */
  struct NF5_FLOW {
      u_int32_t src_ip;         /* copied from the flow's in_addr.s_addr */
      u_int32_t dest_ip;        /* copied from the flow's in_addr.s_addr */
      u_int32_t nexthop_ip;     /* never written by the sender; stays zero */
      u_int16_t if_index_in;    /* sender stores htons(ifidx) */
      u_int16_t if_index_out;   /* sender stores htons(ifidx) */
      u_int32_t flow_packets;   /* packet count for this direction */
      u_int32_t flow_octets;    /* byte count for this direction */
      u_int32_t flow_start;     /* ms since system_boot_time, first packet */
      u_int32_t flow_finish;    /* ms since system_boot_time, last packet */
      u_int16_t src_port;       /* copied verbatim from the flow entry */
      u_int16_t dest_port;      /* copied verbatim from the flow entry */
      u_int8_t pad1;            /* never written by the sender; stays zero */
      u_int8_t tcp_flags;       /* flags recorded for this direction */
      u_int8_t protocol;        /* protocol number from the flow entry */
      u_int8_t tos;             /* never written by the sender; stays zero */
      u_int16_t src_as;         /* never written by the sender; stays zero */
      u_int16_t dest_as;        /* never written by the sender; stays zero */
      u_int8_t src_mask;        /* never written by the sender; stays zero */
      u_int8_t dst_mask;        /* never written by the sender; stays zero */
      u_int16_t pad2;           /* never written by the sender; stays zero */
  };
  /*
   * Upper bound on flow records per export datagram, and the resulting
   * buffer size: one header plus NF5_MAXFLOWS records (24 + 30 * 48 = 1464
   * bytes if neither struct is padded). Code that fills the buffer must
   * never place more than NF5_MAXFLOWS records in it.
   */
  #define NF5_MAXFLOWS 30
  #define NF5_MAXPACKET_SIZE \
      (sizeof(struct NF5_HEADER) + (NF5_MAXFLOWS * sizeof(struct NF5_FLOW)))
  /*
   * Given an array of expired flows, send netflow v5 report packets.
   *
   * Each IPv4 flow contributes up to two records, one per direction that
   * carried at least one octet; flows of any other address family are
   * skipped. Records are batched into datagrams of at most NF5_MAXFLOWS
   * records and written to nfsock with send().
   *
   * flows            array of num_flows flow pointers (each is dereferenced)
   * nfsock           socket the datagrams are sent on
   * ifidx            value stored in both interface-index fields
   * flows_exported   running record counter; read for the header sequence
   *                  number and incremented for every datagram sent
   * system_boot_time reference point for uptime and flow timestamps
   * verbose_flag     non-zero logs the length of every datagram
   *
   * Returns number of packets sent or -1 on error. On -1 the records of the
   * failed datagram are not added to *flows_exported, but datagrams sent
   * earlier in the same call have already been counted.
   */
  int
  send_netflow_v5(struct FLOW **flows, int num_flows, int nfsock, u_int16_t ifidx,
      u_int64_t *flows_exported, struct timeval *system_boot_time,
      int verbose_flag)
  {
      struct timeval now;
      /* One header plus NF5_MAXFLOWS (30) flow records */
      u_int8_t packet[NF5_MAXPACKET_SIZE];
      /*
       * NOTE(review): the byte buffer is accessed through struct pointers
       * with 32-bit members; this relies on the compiler aligning `packet'
       * suitably - confirm on strict-alignment targets.
       */
      struct NF5_HEADER *hdr = (struct NF5_HEADER *)packet;
      struct NF5_FLOW *rec = NULL;
      u_int32_t uptime_ms;
      socklen_t errsz;
      int idx, dir, so_err;
      int queued = 0;     /* records in the datagram being built */
      int len = 0;        /* bytes used in `packet' */
      int sent = 0;       /* datagrams sent so far */

      gettimeofday(&now, NULL);
      uptime_ms = timeval_sub_ms(&now, system_boot_time);

      for (idx = 0; idx < num_flows; idx++) {
          struct FLOW *flow = flows[idx];

          /*
           * A flow can add two records, so flush as soon as fewer than
           * two free slots remain. This keeps every write below inside
           * `packet'.
           */
          if (queued >= NF5_MAXFLOWS - 1) {
              if (verbose_flag)
                  logit(LOG_DEBUG, "Sending flow packet len = %d", len);
              hdr->flows = htons(hdr->flows);
              /*
               * Reading SO_ERROR clears a pending ICMP error; the
               * result is deliberately not inspected.
               */
              errsz = sizeof(so_err);
              getsockopt(nfsock, SOL_SOCKET, SO_ERROR, &so_err, &errsz);
              if (send(nfsock, packet, (size_t)len, 0) == -1)
                  return (-1);
              *flows_exported += queued;
              queued = 0;
              sent++;
          }

          if (queued == 0) {
              /*
               * Start a new datagram. Zeroing the whole buffer means
               * fields that are never assigned go out as zero and no
               * stale stack contents reach the wire.
               */
              memset(packet, 0, sizeof(packet));
              hdr->version = htons(5);
              hdr->flows = 0;     /* kept in host order until sent */
              hdr->uptime_ms = htonl(uptime_ms);
              hdr->time_sec = htonl(now.tv_sec);
              hdr->time_nanosec = htonl(now.tv_usec * 1000);
              /* 64-bit counter is narrowed to the 32-bit wire field */
              hdr->flow_sequence = htonl(*flows_exported);
              len = sizeof(*hdr);
          }

          /* The next free slot is stamped before the family check */
          rec = (struct NF5_FLOW *)(packet + len);
          rec->if_index_in = rec->if_index_out = htons(ifidx);

          /* NetFlow v.5 doesn't do IPv6 */
          if (flow->af != AF_INET)
              continue;

          /* dir 0 reports addr[0] -> addr[1], dir 1 the reverse */
          for (dir = 0; dir < 2; dir++) {
              int peer = 1 - dir;

              rec = (struct NF5_FLOW *)(packet + len);
              rec->if_index_in = rec->if_index_out = htons(ifidx);
              if (flow->octets[dir] > 0) {
                  /*
                   * Addresses and ports are copied without a byte
                   * swap - presumably stored in network order
                   * already; verify against the flow tracker.
                   */
                  rec->src_ip = flow->addr[dir].v4.s_addr;
                  rec->dest_ip = flow->addr[peer].v4.s_addr;
                  rec->src_port = flow->port[dir];
                  rec->dest_port = flow->port[peer];
                  rec->flow_packets = htonl(flow->packets[dir]);
                  rec->flow_octets = htonl(flow->octets[dir]);
                  rec->flow_start = htonl(timeval_sub_ms(
                      &flow->flow_start, system_boot_time));
                  rec->flow_finish = htonl(timeval_sub_ms(
                      &flow->flow_last, system_boot_time));
                  rec->tcp_flags = flow->tcp_flags[dir];
                  rec->protocol = flow->protocol;
                  len += sizeof(*rec);
                  queued++;
                  hdr->flows++;
              }
          }
      }

      /* Send any leftovers */
      if (queued != 0) {
          if (verbose_flag)
              logit(LOG_DEBUG, "Sending v5 flow packet len = %d",
                  len);
          hdr->flows = htons(hdr->flows);
          /* Clear ICMP errors, as above */
          errsz = sizeof(so_err);
          getsockopt(nfsock, SOL_SOCKET, SO_ERROR, &so_err, &errsz);
          if (send(nfsock, packet, (size_t)len, 0) == -1)
              return (-1);
          sent++;
      }
      *flows_exported += queued;

      return (sent);
  }