netflow.h
/*
* Copyright (c) 2004-2025 by Motonori Shindo <[email protected]>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*/
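/*
 * Include guard: this header defines typedefs and struct types, so including
 * it twice in one translation unit would otherwise be a redefinition error.
 */
#ifndef NETFLOW_H
#define NETFLOW_H 1

#include <netinet/in.h>
#include <sys/types.h>
#include <sys/time.h>

/* Modes stored in val_expr.mode. */
#define EXPR_TYPE_SEQ 1 /* Sequential */
#define EXPR_TYPE_RND 2 /* Random */
#define EXPR_TYPE_PRB 3 /* Probabilistic */

/*
 * Value expression: a mode plus an inclusive [start, end] range, a step,
 * a fixed-size table of values and a cursor.
 *
 * NOTE(review): the struct stores no count of valid entries in vals[].
 * Whatever fills or indexes vals[] (not visible in this header) has to keep
 * the index below sizeof(vals) / sizeof(vals[0]) on its own.
 */
typedef struct val_expr {
    int mode;       /* EXPR_TYPE_SEQ, EXPR_TYPE_RND or EXPR_TYPE_PRB */
    long start;     /* inclusive */
    long end;       /* inclusive */
    long step;      /* presumably the increment in sequential mode - TODO confirm */
    long vals[100]; /* fixed-size value table; how it is populated is not shown here */
    long cur;       /* presumably the current value or position - TODO confirm */
} val_expr_t;

/*
 * Four value expressions.
 * Presumably one per octet of a dotted-quad IPv4 address - TODO confirm.
 */
typedef struct ipaddr_expr {
    val_expr_t exp[4];
} ipaddr_expr_t;

/*
 * Boolean constants. Guarded so that a TRUE/FALSE already provided by
 * another header is kept instead of being redefined.
 */
#ifndef TRUE
#define TRUE 1
#endif
#ifndef FALSE
#define FALSE 0
#endif

/* MTU in octets used by the NF5_MAX_FLOWREC sizing arithmetic below. */
#define ETH_MTU 1500

/* NetFlow version numbers. Only the version 5 layout is defined in this header. */
#define NF_VERSION_V1 1
#define NF_VERSION_V5 5
#define NF_VERSION_V7 7
#define NF_VERSION_V8 8
#define NF_VERSION_V9 9

/*
 * (1500 - 20 - 8 - 24) / 48 = 30 flow records
 *
 * 1500 is ETH_MTU, 24 is the size of struct nf_v5_hdr and 48 the size of
 * struct nf_v5_rec; 20 and 8 are presumably the IPv4 and UDP header sizes.
 */
#define NF5_MAX_FLOWREC 30
#define MAX_FLOW_INFO NF5_MAX_FLOWREC

/*
 * NetFlow v5 PDU header.
 *
 * NOTE(review): multi-octet fields of an exported PDU are expected in
 * network byte order. This header does not show where the htons()/htonl()
 * conversion happens - confirm in the code that fills this struct.
 */
struct nf_v5_hdr { /* 24 octets */
    u_int16_t version;       /* 5 */
    u_int16_t count;         /* presumably the number of rec[] entries in the PDU,
                              * which must not exceed NF5_MAX_FLOWREC - TODO confirm */
    u_int32_t sysup_time;
    u_int32_t unix_secs;
    u_int32_t unix_nsecs;
    u_int32_t flow_sequence; /* # of total flows seen (this differs in V9) */
    u_int8_t engine_type;    /* 0: RP, 1: VIP/LC */
    u_int8_t engine_id;
    u_int16_t sampling;
};

/* One NetFlow v5 flow record. pad1 and pad2 are padding members. */
struct nf_v5_rec { /* 48 octets */
    struct in_addr src_addr;
    struct in_addr dst_addr;
    struct in_addr nexthop;
    u_int16_t in_if;
    u_int16_t out_if;
    u_int32_t packets;
    u_int32_t octets;
    u_int32_t first;
    u_int32_t last;
    u_int16_t src_port;
    u_int16_t dst_port;
    u_int8_t pad1;
    u_int8_t tcp_flags;
    u_int8_t ip_proto;
    u_int8_t tos;
    u_int16_t src_as;
    u_int16_t dst_as;
    u_int8_t src_mask;
    u_int8_t dst_mask;
    u_int16_t pad2;
};

/*
 * Compile-time layout checks, written so that they also work before C11:
 * a negative array size is a compile error. They enforce the 24- and
 * 48-octet sizes documented on the structs above, so that unexpected
 * compiler padding is caught at build time rather than showing up as a
 * malformed PDU.
 */
typedef char nf_v5_hdr_size_check[(sizeof(struct nf_v5_hdr) == 24) ? 1 : -1];
typedef char nf_v5_rec_size_check[(sizeof(struct nf_v5_rec) == 48) ? 1 : -1];

/* A complete v5 PDU: one header followed by room for NF5_MAX_FLOWREC records. */
struct nf_v5_pdu {
    struct nf_v5_hdr hdr;
    struct nf_v5_rec rec[NF5_MAX_FLOWREC];
};

/*
 * Per-flow fields. Mirrors struct nf_v5_rec member for member, except that
 * the trailing pad2 is absent.
 */
struct flow_info {
    struct in_addr src_addr;
    struct in_addr dst_addr;
    struct in_addr nexthop;
    u_int16_t in_if;
    u_int16_t out_if;
    u_int32_t packets;
    u_int32_t octets;
    u_int32_t first;
    u_int32_t last;
    u_int16_t src_port;
    u_int16_t dst_port;
    u_int8_t pad1;
    u_int8_t tcp_flags;
    u_int8_t ip_proto;
    u_int8_t tos;
    u_int16_t src_as;
    u_int16_t dst_as;
    u_int8_t src_mask;
    u_int8_t dst_mask;
};

/*
 * State of one flow exporter: where PDUs are sent, running counters, and
 * the buffer of flow_info entries waiting to be flushed.
 *
 * NOTE(review): fi[] has MAX_FLOW_INFO slots. The code that sets bucket_size
 * and advances flow_cnt is not visible in this header; it should reject a
 * bucket_size below 1 or above MAX_FLOW_INFO and keep
 * 0 <= flow_cnt < MAX_FLOW_INFO before writing fi[flow_cnt], otherwise the
 * write lands past the end of the array.
 */
struct flow_exporter {
    struct in_addr collector; /* address of collector */
    u_int16_t port;
    int sock;
    struct sockaddr_in to;
    struct timeval start;     /* start time of this exporter */
    val_expr_t engine_type;
    val_expr_t engine_id;
    long flow_seen;           /* accumulative number of flow record seen;
                               * NOTE(review): wider than the 32-bit
                               * nf_v5_hdr.flow_sequence where long is 64 bits */
    long pdu_sent;            /* accumulative number of flow PDU sent */
    int flow_cnt;             /* # of flow_info occupied */
    int bucket_size;          /* when flow_cnt reaches bucket_size, flow_info will be flushed */
    struct flow_info fi[MAX_FLOW_INFO];
};

#endif /* NETFLOW_H */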