netflow5.c 8.3 KB

  1. /*
  2. * Copyright 2002 Damien Miller <djm@mindrot.org> All rights reserved.
  3. *
  4. * Redistribution and use in source and binary forms, with or without
  5. * modification, are permitted provided that the following conditions
  6. * are met:
  7. * 1. Redistributions of source code must retain the above copyright
  8. * notice, this list of conditions and the following disclaimer.
  9. * 2. Redistributions in binary form must reproduce the above copyright
  10. * notice, this list of conditions and the following disclaimer in the
  11. * documentation and/or other materials provided with the distribution.
  12. *
  13. * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  14. * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
  15. * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  16. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  17. * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  18. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  19. * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  20. * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  21. * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  22. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  23. */
  24. #include "common.h"
  25. #include "log.h"
  26. #include "treetype.h"
  27. #include "softflowd.h"
  28. /*
  29. * This is the Cisco Netflow(tm) version 5 packet format
  30. * Based on:
  31. * http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_implementation_design_guide09186a00800d6a11.html
  32. * https://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html#wp1007472
  33. */
/*
 * NetFlow v5 export datagram header.
 * The sender in this file overlays this struct directly on the outgoing
 * packet buffer, so member order and widths define the bytes on the wire.
 */
struct NF5_HEADER {
  /* same as netflow v1 */
  u_int16_t version;
  u_int16_t flows;
  u_int32_t uptime_ms;
  u_int32_t time_sec;
  u_int32_t time_nanosec;
  /* remaining fields are not marked as shared with netflow v1 */
  u_int32_t flow_sequence;
  u_int8_t engine_type;
  u_int8_t engine_id;
  u_int16_t sampling_interval;
};
/*
 * One NetFlow v5 flow record.
 * The sender in this file overlays this struct directly on the outgoing
 * packet buffer, so member order and widths define the bytes on the wire.
 */
struct NF5_FLOW {
  /* same as netflow v1 */
  u_int32_t src_ip;
  u_int32_t dest_ip;
  u_int32_t nexthop_ip;
  u_int16_t if_index_in;
  u_int16_t if_index_out;
  u_int32_t flow_packets;
  u_int32_t flow_octets;
  u_int32_t flow_start;
  u_int32_t flow_finish;
  u_int16_t src_port;
  u_int16_t dest_port;
  /* remaining fields are not marked as shared with netflow v1 */
  u_int8_t pad1;
  u_int8_t tcp_flags;
  u_int8_t protocol;
  u_int8_t tos;
  u_int16_t src_as;
  u_int16_t dest_as;
  u_int8_t src_mask;
  u_int8_t dst_mask;
  u_int16_t pad2;
};
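/*
 * Tail of a NetFlow v1 flow record: the bytes that follow the fields a v1
 * record shares with struct NF5_FLOW (see NF5_NF1_FLOW_COMMON_SIZE).
 */
struct NF1_FLOW_PROTO_TOS_TCPF {
  u_int16_t pad1;
  u_int8_t protocol, tos, tcp_flags;
  u_int8_t pad2, pad3, pad4;
  u_int32_t reserved1;
};

/* Upper bound on flow records packed into one export datagram */
#define NF5_MAXFLOWS 30
/* Buffer size for a v5 header followed by NF5_MAXFLOWS records */
#define NF5_MAXPACKET_SIZE (sizeof(struct NF5_HEADER) + \
                            (NF5_MAXFLOWS * sizeof(struct NF5_FLOW)))
/* Offset of the first flow record in a NetFlow v1 datagram */
#define NF1_HEADER_SIZE 16
/* Leading bytes of a flow record that v1 and v5 lay out identically */
#define NF5_NF1_FLOW_COMMON_SIZE (sizeof(struct NF5_FLOW) - \
                                  sizeof(struct NF1_FLOW_PROTO_TOS_TCPF))

/*
 * Write the NetFlow v1 record tail (protocol, ToS, TCP flags, zero padding)
 * at pkt.
 *
 * pkt must have room for sizeof(struct NF1_FLOW_PROTO_TOS_TCPF) bytes; the
 * whole region is overwritten.  The tail is assembled in a local struct and
 * copied out with memcpy, so pkt may be any byte address inside the packet
 * buffer: no struct-typed store is made through a u_int8_t pointer, which
 * avoids depending on the buffer's alignment or on aliasing rules.
 */
static void
fill_netflow_v1_proto_tos_tcp (u_int8_t * pkt, u_int8_t proto, u_int8_t tos,
                               u_int8_t tcpf) {
  struct NF1_FLOW_PROTO_TOS_TCPF tail;

  /* memset (not "= {0}") so every byte that reaches the wire is zeroed */
  memset (&tail, 0, sizeof (tail));
  tail.protocol = proto;
  tail.tos = tos;
  tail.tcp_flags = tcpf;
  memcpy (pkt, &tail, sizeof (tail));
}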
/*
 * Export an array of expired flows as NetFlow v5 (version == 5) or
 * NetFlow v1 (version == 1) datagrams.
 * Returns the number of datagrams sent, or -1 if version is neither 1 nor 5
 * or if a send fails.
 *
 * NOTE(review): the -1 returns skip the free (sp.flows) done at the end
 * under ENABLE_PTHREAD; confirm the caller releases sp.flows on error.
 * NOTE(review): packet is a byte array written through struct pointers, so
 * this relies on the compiler aligning the array suitably for u_int32_t.
 * NOTE(review): the v1 path shares the NF5_MAXFLOWS flush threshold; the
 * previous comment on the buffer said "24 flows" - confirm the per-datagram
 * record limit expected by v1 collectors.
 */
static int
send_netflow_v5_v1 (struct SENDPARAMETER sp, u_int16_t version) {
  struct FLOWTRACKPARAMETERS *param = sp.param;
  struct FLOW **flows = sp.flows;
  struct FLOW *flow = NULL;
  struct timeval *boot_time = &param->system_boot_time;
  u_int64_t *exported = &param->flows_exported;
  struct OPTION *option = &param->option;
  const int total_flows = sp.num_flows;
  const int verbose = sp.verbose_flag;
  const u_int16_t ifidx = sp.ifidx;
  /* Sized for a v5 header plus NF5_MAXFLOWS flow records */
  u_int8_t packet[NF5_MAXPACKET_SIZE];
  struct NF5_HEADER *hdr = (struct NF5_HEADER *) packet;
  struct NF5_FLOW *rec = NULL;
  struct timeval now;
  u_int32_t uptime_ms;
  int idx, dir, peer;
  int records = 0;              /* records in the datagram being built */
  int length = 0;               /* bytes used in packet so far */
  int datagrams = 0;            /* datagrams handed to the sender */

  if (version != 1 && version != 5)
    return (-1);

  if (!param->adjust_time)
    gettimeofday (&now, NULL);
  else
    now = param->last_packet_time;
  uptime_ms = timeval_sub_ms (&now, boot_time);

  for (idx = 0; idx < total_flows; idx++) {
    /*
     * One flow can add two records (one per direction), so flush as soon
     * as fewer than two free slots remain.
     */
    if (records >= NF5_MAXFLOWS - 1) {
      if (verbose)
        logit (LOG_DEBUG, "Sending flow packet len = %d", length);
      param->records_sent += hdr->flows;
      hdr->flows = htons (hdr->flows);
      if (send_multi_destinations (sp.target->num_destinations,
                                   sp.target->destinations,
                                   sp.target->is_loadbalance,
                                   packet, length) < 0)
        return (-1);
      *exported += records;
      records = 0;
      datagrams++;
    }

    /* Start a fresh datagram: clear the buffer and write the header */
    if (records == 0) {
      memset (packet, 0, sizeof (packet));
      hdr->version = htons (version);
      hdr->flows = 0;           /* kept in host order until the flush */
      hdr->uptime_ms = htonl (uptime_ms);
      hdr->time_sec = htonl (now.tv_sec);
      hdr->time_nanosec = htonl (now.tv_usec * 1000);
      hdr->flow_sequence = htonl (*exported);
      if (option->sample > 0) {
        hdr->sampling_interval =
          htons ((0x01 << 14) | (option->sample & 0x3FFF));
      }
      /* Everything else in the header stays zero */
      length = (version == 1) ? NF1_HEADER_SIZE : sizeof (*hdr);
    }

    flow = flows[idx];
    rec = (struct NF5_FLOW *) (packet + length);
    rec->if_index_in = rec->if_index_out = htons (ifidx);

    /* NetFlow v.5 doesn't do IPv6 */
    if (flow->af != AF_INET)
      continue;

    /* Emit one record per direction that carried any octets */
    for (dir = 0; dir < 2; dir++) {
      peer = 1 - dir;
      rec = (struct NF5_FLOW *) (packet + length);
      rec->if_index_in = rec->if_index_out = htons (ifidx);
      if (flow->octets[dir] > 0) {
        rec->src_ip = flow->addr[dir].v4.s_addr;
        rec->dest_ip = flow->addr[peer].v4.s_addr;
        rec->src_port = flow->port[dir];
        rec->dest_port = flow->port[peer];
        rec->flow_packets = htonl (flow->packets[dir]);
        rec->flow_octets = htonl (flow->octets[dir]);
        rec->flow_start =
          htonl (timeval_sub_ms (&flow->flow_start, boot_time));
        rec->flow_finish =
          htonl (timeval_sub_ms (&flow->flow_last, boot_time));
        rec->tcp_flags = flow->tcp_flags[dir];
        rec->protocol = flow->protocol;
        rec->tos = flow->tos[dir];
        if (version == 1) {
          /* v1 keeps protocol/tos/flags in a differently laid out tail */
          fill_netflow_v1_proto_tos_tcp (packet + length +
                                         NF5_NF1_FLOW_COMMON_SIZE,
                                         flow->protocol, flow->tos[dir],
                                         flow->tcp_flags[dir]);
        }
        length += sizeof (*rec);
        records++;
        hdr->flows++;
      }
    }
  }

  /* Send any leftovers */
  if (records != 0) {
    if (verbose)
      logit (LOG_DEBUG, "Sending v5 flow packet len = %d", length);
    param->records_sent += hdr->flows;
    hdr->flows = htons (hdr->flows);
    if (send_multi_destinations (sp.target->num_destinations,
                                 sp.target->destinations,
                                 sp.target->is_loadbalance,
                                 packet, length) < 0)
      return (-1);
    datagrams++;
  }
  *exported += records;
  param->packets_sent += datagrams;
#ifdef ENABLE_PTHREAD
  if (use_thread)
    free (sp.flows);
#endif /* ENABLE_PTHREAD */
  return (datagrams);
}
/*
 * Export the flows described by sp as NetFlow version 5.
 * Returns whatever send_netflow_v5_v1 returns: the number of datagrams
 * sent, or -1 on error.
 */
int
send_netflow_v5 (struct SENDPARAMETER sp) {
  const u_int16_t netflow_version = 5;

  return send_netflow_v5_v1 (sp, netflow_version);
}
/*
 * NOTE(review): this guard is #ifndef, so the v1 exporter is built only when
 * ENABLE_LEGACY is NOT defined; confirm that is intended and that it matches
 * the guard on the declaration.
 */
#ifndef ENABLE_LEGACY
/*
 * Export the flows described by sp as NetFlow version 1.
 * Returns whatever send_netflow_v5_v1 returns: the number of datagrams
 * sent, or -1 on error.
 */
int
send_netflow_v1 (struct SENDPARAMETER sp) {
  const u_int16_t netflow_version = 1;

  return send_netflow_v5_v1 (sp, netflow_version);
}
#endif /* ENABLE_LEGACY */