2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
** packet-netflow.c
|
|
|
|
**
|
|
|
|
*****************************************************************************
|
|
|
|
** (c) 2002 bill fumerola <fumerola@yahoo-inc.com>
|
2006-09-12 19:11:45 +00:00
|
|
|
** (C) 2005-06 Luca Deri <deri@ntop.org>
|
|
|
|
**
|
2002-09-22 16:13:22 +00:00
|
|
|
** All rights reserved.
|
|
|
|
**
|
|
|
|
** This program is free software; you can redistribute it and/or
|
|
|
|
** modify it under the terms of the GNU General Public License
|
|
|
|
** as published by the Free Software Foundation; either version 2
|
|
|
|
** of the License, or (at your option) any later version.
|
|
|
|
**
|
|
|
|
** This program is distributed in the hope that it will be useful,
|
|
|
|
** but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
** GNU General Public License for more details.
|
|
|
|
**
|
|
|
|
** You should have received a copy of the GNU General Public License
|
|
|
|
** along with this program; if not, write to the Free Software
|
|
|
|
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
|
|
|
*****************************************************************************
|
|
|
|
**
|
2003-02-12 08:36:48 +00:00
|
|
|
** Previous NetFlow dissector written by Matthew Smart <smart@monkey.org>
|
|
|
|
** NetFlow v9 support added by same.
|
2002-09-22 16:13:22 +00:00
|
|
|
**
|
2004-09-09 06:27:43 +00:00
|
|
|
** NetFlow v9 patches by Luca Deri <deri@ntop.org>
|
|
|
|
**
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
** See
|
|
|
|
**
|
|
|
|
** http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
|
|
|
|
**
|
|
|
|
** for NetFlow v9 information.
|
|
|
|
**
|
2006-09-12 19:11:45 +00:00
|
|
|
** http://www.ietf.org/internet-drafts/draft-ietf-ipfix-info-11.txt
|
|
|
|
** http://www.ietf.org/internet-drafts/draft-ietf-ipfix-protocol-19.txt
|
|
|
|
** for IPFIX
|
|
|
|
**
|
2002-09-22 16:13:22 +00:00
|
|
|
*****************************************************************************
|
|
|
|
**
|
|
|
|
** this code was written from the following documentation:
|
|
|
|
**
|
|
|
|
** http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_6/iug/format.pdf
|
|
|
|
** http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html
|
|
|
|
**
|
|
|
|
** some documentation is more accurate then others. in some cases, live data and
|
|
|
|
** information contained in responses from vendors were also used. some fields
|
|
|
|
** are dissected as vendor specific fields.
|
|
|
|
**
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
** See also
|
|
|
|
**
|
|
|
|
** http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm
|
|
|
|
**
|
2002-09-22 16:13:22 +00:00
|
|
|
** $Yahoo: //depot/fumerola/packet-netflow/packet-netflow.c#14 $
|
2004-07-18 00:24:25 +00:00
|
|
|
** $Id$
|
2002-09-04 20:23:55 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include <glib.h>
|
|
|
|
#include <epan/packet.h>
|
2002-10-08 08:50:04 +00:00
|
|
|
#include <string.h>
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2004-09-27 22:55:15 +00:00
|
|
|
#include <epan/prefs.h>
|
2003-03-04 03:37:12 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
#define UDP_PORT_NETFLOW 2055
|
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
#define UDP_PORT_IPFIX 4739
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
static guint global_netflow_udp_port = UDP_PORT_NETFLOW;
|
|
|
|
static guint netflow_udp_port = 0;
|
2006-09-12 19:11:45 +00:00
|
|
|
static guint global_ipfix_port = UDP_PORT_IPFIX;
|
|
|
|
static guint ipfix_port = 0;
|
2003-03-04 03:37:12 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* pdu identifiers & sizes
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define V1PDU_SIZE (4 * 12)
|
|
|
|
#define V5PDU_SIZE (4 * 12)
|
|
|
|
#define V7PDU_SIZE (4 * 13)
|
|
|
|
#define V8PDU_AS_SIZE (4 * 7)
|
|
|
|
#define V8PDU_PROTO_SIZE (4 * 7)
|
|
|
|
#define V8PDU_SPREFIX_SIZE (4 * 8)
|
|
|
|
#define V8PDU_DPREFIX_SIZE (4 * 8)
|
|
|
|
#define V8PDU_MATRIX_SIZE (4 * 10)
|
|
|
|
#define V8PDU_DESTONLY_SIZE (4 * 8)
|
|
|
|
#define V8PDU_SRCDEST_SIZE (4 * 10)
|
|
|
|
#define V8PDU_FULL_SIZE (4 * 11)
|
|
|
|
#define V8PDU_TOSAS_SIZE (V8PDU_AS_SIZE + 4)
|
|
|
|
#define V8PDU_TOSPROTOPORT_SIZE (V8PDU_PROTO_SIZE + 4)
|
|
|
|
#define V8PDU_TOSSRCPREFIX_SIZE V8PDU_SPREFIX_SIZE
|
|
|
|
#define V8PDU_TOSDSTPREFIX_SIZE V8PDU_DPREFIX_SIZE
|
|
|
|
#define V8PDU_TOSMATRIX_SIZE V8PDU_MATRIX_SIZE
|
|
|
|
#define V8PDU_PREPORTPROTOCOL_SIZE (4 * 10)
|
|
|
|
|
2004-06-01 18:43:30 +00:00
|
|
|
static const value_string v5_sampling_mode[] = {
|
|
|
|
{0, "No sampling mode configured"},
|
|
|
|
{1, "Packet Interval sampling mode configured"},
|
|
|
|
{0, NULL}
|
|
|
|
};
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
enum {
|
|
|
|
V8PDU_NO_METHOD = 0,
|
|
|
|
V8PDU_AS_METHOD,
|
|
|
|
V8PDU_PROTO_METHOD,
|
|
|
|
V8PDU_SPREFIX_METHOD,
|
|
|
|
V8PDU_DPREFIX_METHOD,
|
|
|
|
V8PDU_MATRIX_METHOD,
|
|
|
|
V8PDU_DESTONLY_METHOD,
|
|
|
|
V8PDU_SRCDEST_METHOD,
|
|
|
|
V8PDU_FULL_METHOD,
|
|
|
|
V8PDU_TOSAS_METHOD,
|
|
|
|
V8PDU_TOSPROTOPORT_METHOD,
|
|
|
|
V8PDU_TOSSRCPREFIX_METHOD,
|
|
|
|
V8PDU_TOSDSTPREFIX_METHOD,
|
|
|
|
V8PDU_TOSMATRIX_METHOD,
|
|
|
|
V8PDU_PREPORTPROTOCOL_METHOD
|
|
|
|
};
|
|
|
|
|
|
|
|
static const value_string v8_agg[] = {
|
|
|
|
{V8PDU_AS_METHOD, "V8 AS aggregation"},
|
|
|
|
{V8PDU_PROTO_METHOD, "V8 Proto/Port aggregation"},
|
|
|
|
{V8PDU_SPREFIX_METHOD, "V8 Source Prefix aggregation"},
|
|
|
|
{V8PDU_DPREFIX_METHOD, "V8 Destination Prefix aggregation"},
|
|
|
|
{V8PDU_MATRIX_METHOD, "V8 Network Matrix aggregation"},
|
|
|
|
{V8PDU_DESTONLY_METHOD, "V8 Destination aggregation (Cisco Catalyst)"},
|
|
|
|
{V8PDU_SRCDEST_METHOD, "V8 Src/Dest aggregation (Cisco Catalyst)"},
|
|
|
|
{V8PDU_FULL_METHOD, "V8 Full aggregation (Cisco Catalyst)"},
|
|
|
|
{V8PDU_TOSAS_METHOD, "V8 TOS+AS aggregation aggregation"},
|
|
|
|
{V8PDU_TOSPROTOPORT_METHOD, "V8 TOS+Protocol aggregation"},
|
|
|
|
{V8PDU_TOSSRCPREFIX_METHOD, "V8 TOS+Source Prefix aggregation"},
|
|
|
|
{V8PDU_TOSDSTPREFIX_METHOD, "V8 TOS+Destination Prefix aggregation"},
|
|
|
|
{V8PDU_TOSMATRIX_METHOD, "V8 TOS+Prefix Matrix aggregation"},
|
|
|
|
{V8PDU_PREPORTPROTOCOL_METHOD, "V8 Port+Protocol aggregation"},
|
|
|
|
{0, NULL}
|
|
|
|
};
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
/* Version 9 template cache structures */
|
|
|
|
#define V9TEMPLATE_CACHE_MAX_ENTRIES 100
|
|
|
|
|
|
|
|
struct v9_template_entry {
|
|
|
|
guint16 type;
|
|
|
|
guint16 length;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct v9_template {
|
|
|
|
guint16 id;
|
|
|
|
guint16 count;
|
|
|
|
guint32 length;
|
|
|
|
guint32 source_id;
|
2006-12-21 06:41:11 +00:00
|
|
|
address source_addr;
|
2004-09-09 06:27:43 +00:00
|
|
|
guint16 option_template; /* 0=data template, 1=option template */
|
2007-05-04 06:07:30 +00:00
|
|
|
guint16 count_scopes;
|
|
|
|
struct v9_template_entry *scopes;
|
2004-03-09 20:08:26 +00:00
|
|
|
struct v9_template_entry *entries;
|
2003-03-04 03:37:12 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static struct v9_template v9_template_cache[V9TEMPLATE_CACHE_MAX_ENTRIES];
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
2006-05-21 04:49:01 +00:00
|
|
|
* wireshark tree identifiers
|
2002-09-22 16:13:22 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
static int proto_netflow = -1;
|
|
|
|
static int ett_netflow = -1;
|
|
|
|
static int ett_unixtime = -1;
|
|
|
|
static int ett_flow = -1;
|
2007-05-11 06:21:18 +00:00
|
|
|
static int ett_flowtime = -1;
|
2003-02-12 08:36:48 +00:00
|
|
|
static int ett_template = -1;
|
2006-03-15 06:19:15 +00:00
|
|
|
static int ett_field = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int ett_dataflowset = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* cflow header
|
|
|
|
*/
|
|
|
|
|
|
|
|
static int hf_cflow_version = -1;
|
|
|
|
static int hf_cflow_count = -1;
|
2006-09-12 19:11:45 +00:00
|
|
|
static int hf_cflow_len = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_sysuptime = -1;
|
2006-09-12 19:11:45 +00:00
|
|
|
static int hf_cflow_exporttime = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_unix_secs = -1;
|
|
|
|
static int hf_cflow_unix_nsecs = -1;
|
|
|
|
static int hf_cflow_timestamp = -1;
|
2004-06-01 18:39:13 +00:00
|
|
|
static int hf_cflow_samplingmode = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_samplerate = -1;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* cflow version specific info
|
|
|
|
*/
|
|
|
|
static int hf_cflow_sequence = -1;
|
|
|
|
static int hf_cflow_engine_type = -1;
|
|
|
|
static int hf_cflow_engine_id = -1;
|
2003-02-12 08:36:48 +00:00
|
|
|
static int hf_cflow_source_id = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
static int hf_cflow_aggmethod = -1;
|
|
|
|
static int hf_cflow_aggversion = -1;
|
|
|
|
|
2003-02-12 08:36:48 +00:00
|
|
|
/* Version 9 */
|
|
|
|
|
|
|
|
static int hf_cflow_template_flowset_id = -1;
|
|
|
|
static int hf_cflow_data_flowset_id = -1;
|
2006-09-12 19:11:45 +00:00
|
|
|
static int hf_cflow_data_datarecord_id = -1;
|
2003-02-12 08:36:48 +00:00
|
|
|
static int hf_cflow_options_flowset_id = -1;
|
|
|
|
static int hf_cflow_flowset_id = -1;
|
|
|
|
static int hf_cflow_flowset_length = -1;
|
2006-09-12 19:11:45 +00:00
|
|
|
static int hf_cflow_datarecord_length = -1;
|
2003-02-12 08:36:48 +00:00
|
|
|
static int hf_cflow_template_id = -1;
|
|
|
|
static int hf_cflow_template_field_count = -1;
|
|
|
|
static int hf_cflow_template_field_type = -1;
|
|
|
|
static int hf_cflow_template_field_length = -1;
|
2004-09-09 06:27:43 +00:00
|
|
|
static int hf_cflow_option_scope_length = -1;
|
|
|
|
static int hf_cflow_option_length = -1;
|
|
|
|
static int hf_cflow_template_scope_field_type = -1;
|
|
|
|
static int hf_cflow_template_scope_field_length = -1;
|
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_scope_system = -1;
|
|
|
|
static int hf_cflow_scope_interface = -1;
|
|
|
|
static int hf_cflow_scope_linecard = -1;
|
|
|
|
static int hf_cflow_scope_cache = -1;
|
|
|
|
static int hf_cflow_scope_template = -1;
|
|
|
|
static int hf_cflow_scope_unknown = -1;
|
2003-02-12 08:36:48 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* pdu storage
|
|
|
|
*/
|
|
|
|
static int hf_cflow_srcaddr = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_srcaddr_v6 = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_srcnet = -1;
|
|
|
|
static int hf_cflow_dstaddr = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_dstaddr_v6 = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_dstnet = -1;
|
|
|
|
static int hf_cflow_nexthop = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_nexthop_v6 = -1;
|
|
|
|
static int hf_cflow_bgpnexthop = -1;
|
|
|
|
static int hf_cflow_bgpnexthop_v6 = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_inputint = -1;
|
|
|
|
static int hf_cflow_outputint = -1;
|
|
|
|
static int hf_cflow_flows = -1;
|
|
|
|
static int hf_cflow_packets = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_packets64 = -1;
|
|
|
|
static int hf_cflow_packetsout = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_octets = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_octets64 = -1;
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_length_min = -1;
|
|
|
|
static int hf_cflow_length_max = -1;
|
2007-05-11 06:21:18 +00:00
|
|
|
static int hf_cflow_timedelta = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
static int hf_cflow_timestart = -1;
|
|
|
|
static int hf_cflow_timeend = -1;
|
|
|
|
static int hf_cflow_srcport = -1;
|
|
|
|
static int hf_cflow_dstport = -1;
|
|
|
|
static int hf_cflow_prot = -1;
|
|
|
|
static int hf_cflow_tos = -1;
|
|
|
|
static int hf_cflow_flags = -1;
|
|
|
|
static int hf_cflow_tcpflags = -1;
|
|
|
|
static int hf_cflow_dstas = -1;
|
|
|
|
static int hf_cflow_srcas = -1;
|
|
|
|
static int hf_cflow_dstmask = -1;
|
|
|
|
static int hf_cflow_srcmask = -1;
|
|
|
|
static int hf_cflow_routersc = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_mulpackets = -1;
|
|
|
|
static int hf_cflow_muloctets = -1;
|
|
|
|
static int hf_cflow_octets_exp = -1;
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_octets_exp64 = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_packets_exp = -1;
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_packets_exp64 = -1;
|
2003-03-04 03:37:12 +00:00
|
|
|
static int hf_cflow_flows_exp = -1;
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_flows_exp64 = -1;
|
|
|
|
static int hf_cflow_srcprefix = -1;
|
|
|
|
static int hf_cflow_dstprefix = -1;
|
|
|
|
static int hf_cflow_flow_class = -1;
|
|
|
|
static int hf_cflow_ttl_minimum = -1;
|
|
|
|
static int hf_cflow_ttl_maximum = -1;
|
|
|
|
static int hf_cflow_ipv4_id = -1;
|
|
|
|
static int hf_cflow_ip_version = -1;
|
|
|
|
static int hf_cflow_icmp_type = -1;
|
|
|
|
static int hf_cflow_igmp_type = -1;
|
2004-09-09 06:27:43 +00:00
|
|
|
static int hf_cflow_sampling_interval = -1;
|
|
|
|
static int hf_cflow_sampling_algorithm = -1;
|
|
|
|
static int hf_cflow_flow_active_timeout = -1;
|
|
|
|
static int hf_cflow_flow_inactive_timeout = -1;
|
2006-02-09 09:11:06 +00:00
|
|
|
static int hf_cflow_mpls_top_label_type = -1;
|
|
|
|
static int hf_cflow_mpls_pe_addr = -1;
|
2007-05-04 06:07:30 +00:00
|
|
|
static int hf_cflow_sampler_mode = -1;
|
|
|
|
static int hf_cflow_sampler_random_interval = -1;
|
|
|
|
static int hf_cflow_direction = -1;
|
|
|
|
static int hf_cflow_if_name = -1;
|
|
|
|
static int hf_cflow_if_descr = -1;
|
|
|
|
static int hf_cflow_sampler_name = -1;
|
|
|
|
static int hf_cflow_forwarding_status = -1;
|
|
|
|
static int hf_cflow_forwarding_code = -1;
|
|
|
|
static int hf_cflow_peer_srcas = -1;
|
|
|
|
static int hf_cflow_peer_dstas = -1;
|
|
|
|
static int hf_cflow_flow_exporter = -1;
|
|
|
|
static int hf_cflow_icmp_ipv4_type = -1;
|
|
|
|
static int hf_cflow_icmp_ipv4_code = -1;
|
|
|
|
static int hf_cflow_icmp_ipv6_type = -1;
|
|
|
|
static int hf_cflow_icmp_ipv6_code = -1;
|
|
|
|
static int hf_cflow_tcp_window_size = -1;
|
|
|
|
static int hf_cflow_ip_total_length = -1;
|
|
|
|
static int hf_cflow_ip_ttl = -1;
|
|
|
|
static int hf_cflow_ip_tos = -1;
|
|
|
|
static int hf_cflow_ip_dscp = -1;
|
|
|
|
static int hf_cflow_octets_squared64 = -1;
|
|
|
|
static int hf_cflow_udp_length = -1;
|
|
|
|
static int hf_cflow_is_multicast = -1;
|
|
|
|
static int hf_cflow_ip_header_words = -1;
|
|
|
|
static int hf_cflow_option_map = -1;
|
|
|
|
static int hf_cflow_section_header = -1;
|
|
|
|
static int hf_cflow_section_payload = -1;
|
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
const value_string special_mpls_top_label_type[] = {
|
|
|
|
{0, "Unknown"},
|
|
|
|
{1, "TE-MIDPT"},
|
|
|
|
{2, "ATOM"},
|
|
|
|
{3, "VPN"},
|
|
|
|
{4, "BGP"},
|
|
|
|
{5, "LDP"},
|
|
|
|
|
|
|
|
{0, NULL }
|
|
|
|
};
|
|
|
|
|
|
|
|
void
|
|
|
|
proto_tree_add_mpls_label(proto_tree * pdutree, tvbuff_t * tvb, int offset, int length, int level)
|
|
|
|
{
|
|
|
|
if( length == 3) {
|
|
|
|
guint8 b0 = tvb_get_guint8(tvb, offset);
|
|
|
|
guint8 b1 = tvb_get_guint8(tvb, offset + 1);
|
|
|
|
guint8 b2 = tvb_get_guint8(tvb, offset + 2);
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"MPLS-Label%d: %u exp-bits: %u %s", level,
|
|
|
|
((b0<<12)+(b1<<4)+(b2>>4)),
|
|
|
|
((b2>>1)&0x7),
|
|
|
|
((b2&0x1)?"top-of-stack":""));
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"MPLS-Label%d: bad lengh %d", level, length);
|
|
|
|
}
|
|
|
|
}
|
2003-03-04 03:37:12 +00:00
|
|
|
|
|
|
|
void proto_reg_handoff_netflow(void);
|
2002-09-22 16:13:22 +00:00
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
typedef struct _hdrinfo_t {
|
|
|
|
guint8 vspec;
|
|
|
|
guint32 src_id; /* SourceID in NetFlow V9, Observation Domain ID in IPFIX */
|
|
|
|
address net_src;
|
|
|
|
} hdrinfo_t;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
typedef int dissect_pdu_t(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo_t * hdrinfo);
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int dissect_pdu(proto_tree * tree, tvbuff_t * tvb, int offset,
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo_t * hdrinfo);
|
2002-09-22 16:13:22 +00:00
|
|
|
static int dissect_v8_aggpdu(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, hdrinfo_t * hdrinfo);
|
2002-09-22 16:13:22 +00:00
|
|
|
static int dissect_v8_flowpdu(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, hdrinfo_t * hdrinfo);
|
2003-03-04 03:37:12 +00:00
|
|
|
static int dissect_v9_flowset(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, hdrinfo_t * hdrinfo);
|
2003-02-12 08:36:48 +00:00
|
|
|
static int dissect_v9_data(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, guint16 id, guint length, hdrinfo_t * hdrinfo);
|
2003-03-04 03:37:12 +00:00
|
|
|
static void dissect_v9_pdu(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset, struct v9_template * template);
|
2003-02-12 08:36:48 +00:00
|
|
|
static int dissect_v9_options(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, hdrinfo_t * hdrinfo);
|
2003-02-12 08:36:48 +00:00
|
|
|
static int dissect_v9_template(proto_tree * pdutree, tvbuff_t * tvb,
|
2006-12-21 06:41:11 +00:00
|
|
|
int offset, int len, hdrinfo_t * hdrinfo);
|
|
|
|
static int v9_template_hash(guint16 id, const address * net_src,
|
|
|
|
guint32 src_id);
|
2003-03-04 03:37:12 +00:00
|
|
|
static void v9_template_add(struct v9_template * template);
|
2006-12-21 06:41:11 +00:00
|
|
|
static struct v9_template *v9_template_get(guint16 id, address * net_src,
|
2003-03-04 03:37:12 +00:00
|
|
|
guint32 src_id);
|
2007-05-04 06:07:30 +00:00
|
|
|
static const char * decode_v9_template_types(int type);
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
static gchar *getprefix(const guint32 * address, int prefix);
|
|
|
|
static void dissect_netflow(tvbuff_t * tvb, packet_info * pinfo,
|
|
|
|
proto_tree * tree);
|
|
|
|
|
|
|
|
static int flow_process_ints(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset);
|
|
|
|
static int flow_process_ports(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset);
|
|
|
|
static int flow_process_timeperiod(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset);
|
|
|
|
static int flow_process_aspair(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset);
|
|
|
|
static int flow_process_sizecount(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset);
|
|
|
|
static int flow_process_textfield(proto_tree * pdutree, tvbuff_t * tvb,
|
|
|
|
int offset, int bytes,
|
|
|
|
const char *text);
|
|
|
|
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-09 20:22:51 +00:00
|
|
|
static void
|
2002-09-22 16:13:22 +00:00
|
|
|
dissect_netflow(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
|
2002-09-09 20:22:51 +00:00
|
|
|
{
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree *netflow_tree = NULL;
|
|
|
|
proto_tree *ti;
|
|
|
|
proto_item *timeitem, *pduitem;
|
|
|
|
proto_tree *timetree, *pdutree;
|
2006-12-21 06:41:11 +00:00
|
|
|
unsigned int pduret, ver = 0, pdus = 0, x = 1;
|
|
|
|
hdrinfo_t hdrinfo;
|
|
|
|
gint flow_len = -1;
|
2002-09-22 16:13:22 +00:00
|
|
|
size_t available, pdusize, offset = 0;
|
|
|
|
nstime_t ts;
|
|
|
|
dissect_pdu_t *pduptr;
|
|
|
|
|
|
|
|
if (check_col(pinfo->cinfo, COL_PROTOCOL))
|
|
|
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "CFLOW");
|
|
|
|
if (check_col(pinfo->cinfo, COL_INFO))
|
|
|
|
col_clear(pinfo->cinfo, COL_INFO);
|
|
|
|
|
|
|
|
if (tree) {
|
|
|
|
ti = proto_tree_add_item(tree, proto_netflow, tvb,
|
|
|
|
offset, -1, FALSE);
|
|
|
|
netflow_tree = proto_item_add_subtree(ti, ett_netflow);
|
|
|
|
}
|
|
|
|
|
|
|
|
ver = tvb_get_ntohs(tvb, offset);
|
2006-12-21 06:41:11 +00:00
|
|
|
|
|
|
|
hdrinfo.vspec = ver;
|
|
|
|
hdrinfo.src_id = 0;
|
|
|
|
COPY_ADDRESS(&hdrinfo.net_src, &pinfo->net_src);
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
switch (ver) {
|
|
|
|
case 1:
|
|
|
|
pdusize = V1PDU_SIZE;
|
|
|
|
pduptr = &dissect_pdu;
|
|
|
|
break;
|
|
|
|
case 5:
|
|
|
|
pdusize = V5PDU_SIZE;
|
|
|
|
pduptr = &dissect_pdu;
|
|
|
|
break;
|
|
|
|
case 7:
|
|
|
|
pdusize = V7PDU_SIZE;
|
|
|
|
pduptr = &dissect_pdu;
|
|
|
|
break;
|
|
|
|
case 8:
|
|
|
|
pdusize = -1; /* deferred */
|
|
|
|
pduptr = &dissect_v8_aggpdu;
|
|
|
|
break;
|
2003-02-12 08:36:48 +00:00
|
|
|
case 9:
|
2006-09-12 19:11:45 +00:00
|
|
|
case 10: /* IPFIX */
|
2003-02-12 08:36:48 +00:00
|
|
|
pdusize = -1; /* deferred */
|
2003-03-04 03:37:12 +00:00
|
|
|
pduptr = &dissect_v9_flowset;
|
2003-02-12 08:36:48 +00:00
|
|
|
break;
|
2002-09-22 16:13:22 +00:00
|
|
|
default:
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tree)
|
|
|
|
proto_tree_add_uint(netflow_tree, hf_cflow_version, tvb,
|
|
|
|
offset, 2, ver);
|
|
|
|
offset += 2;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
pdus = tvb_get_ntohs(tvb, offset);
|
2006-09-12 19:11:45 +00:00
|
|
|
if (tree) {
|
2006-09-13 01:28:07 +00:00
|
|
|
if(ver == 10) {
|
2006-09-12 19:11:45 +00:00
|
|
|
proto_tree_add_uint(netflow_tree, hf_cflow_len, tvb,
|
2006-09-13 01:28:07 +00:00
|
|
|
offset, 2, pdus);
|
|
|
|
flow_len = pdus;
|
|
|
|
} else {
|
2006-09-12 19:11:45 +00:00
|
|
|
proto_tree_add_uint(netflow_tree, hf_cflow_count, tvb,
|
|
|
|
offset, 2, pdus);
|
2006-09-13 01:28:07 +00:00
|
|
|
flow_len = -1;
|
|
|
|
}
|
2006-09-12 19:11:45 +00:00
|
|
|
}
|
2002-09-22 16:13:22 +00:00
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* set something interesting in the display now that we have info
|
|
|
|
*/
|
2003-02-12 08:36:48 +00:00
|
|
|
if (check_col(pinfo->cinfo, COL_INFO)) {
|
|
|
|
if (ver == 9) {
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO,
|
2006-09-12 19:11:45 +00:00
|
|
|
"total: %u (v%u) record%s", pdus, ver,
|
|
|
|
plurality(pdus, "", "s"));
|
|
|
|
} else if (ver == 10) {
|
2006-09-13 01:28:07 +00:00
|
|
|
gint remaining = tvb_length_remaining(tvb, offset)+4;
|
2006-09-12 19:11:45 +00:00
|
|
|
|
|
|
|
if(remaining == flow_len)
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO, "IPFIX flow (%d bytes)", flow_len);
|
|
|
|
else
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO,
|
|
|
|
"IPFIX partial flow (%u/%u bytes)",
|
|
|
|
remaining, flow_len);
|
2003-02-12 08:36:48 +00:00
|
|
|
} else {
|
|
|
|
col_add_fstr(pinfo->cinfo, COL_INFO,
|
2006-03-22 17:19:56 +00:00
|
|
|
"total: %u (v%u) flow%s", pdus, ver,
|
|
|
|
plurality(pdus, "", "s"));
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
}
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* the rest is only interesting if we're displaying/searching the
|
|
|
|
* packet
|
|
|
|
*/
|
|
|
|
if (!tree)
|
|
|
|
return;
|
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
if(ver == 10) {
|
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_exporttime, tvb,
|
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
} else {
|
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_sysuptime, tvb,
|
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
ts.secs = tvb_get_ntohl(tvb, offset);
|
|
|
|
if ((ver != 9) && (ver != 10)) {
|
|
|
|
ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
|
|
|
|
timeitem = proto_tree_add_time(netflow_tree,
|
|
|
|
hf_cflow_timestamp, tvb, offset,
|
|
|
|
8, &ts);
|
|
|
|
} else {
|
|
|
|
ts.nsecs = 0;
|
|
|
|
timeitem = proto_tree_add_time(netflow_tree,
|
|
|
|
hf_cflow_timestamp, tvb, offset,
|
|
|
|
4, &ts);
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
timetree = proto_item_add_subtree(timeitem, ett_unixtime);
|
|
|
|
|
|
|
|
proto_tree_add_item(timetree, hf_cflow_unix_secs, tvb,
|
2003-02-12 08:36:48 +00:00
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2006-09-12 19:11:45 +00:00
|
|
|
|
|
|
|
if (ver != 9) {
|
|
|
|
proto_tree_add_item(timetree, hf_cflow_unix_nsecs, tvb,
|
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
}
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* version specific header
|
|
|
|
*/
|
2006-09-12 19:11:45 +00:00
|
|
|
if (ver == 5 || ver == 7 || ver == 8 || ver == 9 || ver == 10) {
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_sequence,
|
|
|
|
tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
if (ver == 5 || ver == 8) {
|
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_engine_type,
|
|
|
|
tvb, offset++, 1, FALSE);
|
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_engine_id,
|
|
|
|
tvb, offset++, 1, FALSE);
|
2006-09-12 19:11:45 +00:00
|
|
|
} else if ((ver == 9) || (ver == 10)) {
|
2003-02-12 08:36:48 +00:00
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_source_id,
|
|
|
|
tvb, offset, 4, FALSE);
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo.src_id = tvb_get_ntohl(tvb, offset);
|
2003-02-12 08:36:48 +00:00
|
|
|
offset += 4;
|
2002-09-22 16:13:22 +00:00
|
|
|
}
|
|
|
|
if (ver == 8) {
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo.vspec = tvb_get_guint8(tvb, offset);
|
|
|
|
switch (hdrinfo.vspec) {
|
2002-09-22 16:13:22 +00:00
|
|
|
case V8PDU_AS_METHOD:
|
|
|
|
pdusize = V8PDU_AS_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_PROTO_METHOD:
|
|
|
|
pdusize = V8PDU_PROTO_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_SPREFIX_METHOD:
|
|
|
|
pdusize = V8PDU_SPREFIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_DPREFIX_METHOD:
|
|
|
|
pdusize = V8PDU_DPREFIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_MATRIX_METHOD:
|
|
|
|
pdusize = V8PDU_MATRIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_DESTONLY_METHOD:
|
|
|
|
pdusize = V8PDU_DESTONLY_SIZE;
|
|
|
|
pduptr = &dissect_v8_flowpdu;
|
|
|
|
break;
|
|
|
|
case V8PDU_SRCDEST_METHOD:
|
|
|
|
pdusize = V8PDU_SRCDEST_SIZE;
|
|
|
|
pduptr = &dissect_v8_flowpdu;
|
|
|
|
break;
|
|
|
|
case V8PDU_FULL_METHOD:
|
|
|
|
pdusize = V8PDU_FULL_SIZE;
|
|
|
|
pduptr = &dissect_v8_flowpdu;
|
|
|
|
break;
|
|
|
|
case V8PDU_TOSAS_METHOD:
|
|
|
|
pdusize = V8PDU_TOSAS_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_TOSPROTOPORT_METHOD:
|
|
|
|
pdusize = V8PDU_TOSPROTOPORT_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_TOSSRCPREFIX_METHOD:
|
|
|
|
pdusize = V8PDU_TOSSRCPREFIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_TOSDSTPREFIX_METHOD:
|
|
|
|
pdusize = V8PDU_TOSDSTPREFIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_TOSMATRIX_METHOD:
|
|
|
|
pdusize = V8PDU_TOSMATRIX_SIZE;
|
|
|
|
break;
|
|
|
|
case V8PDU_PREPORTPROTOCOL_METHOD:
|
|
|
|
pdusize = V8PDU_PREPORTPROTOCOL_SIZE;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
pdusize = -1;
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo.vspec = 0;
|
2002-09-22 16:13:22 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
proto_tree_add_uint(netflow_tree, hf_cflow_aggmethod,
|
2006-12-21 06:41:11 +00:00
|
|
|
tvb, offset++, 1, hdrinfo.vspec);
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_aggversion,
|
|
|
|
tvb, offset++, 1, FALSE);
|
|
|
|
}
|
|
|
|
if (ver == 7 || ver == 8)
|
|
|
|
offset = flow_process_textfield(netflow_tree, tvb, offset, 4,
|
|
|
|
"reserved");
|
|
|
|
else if (ver == 5) {
|
2004-06-01 18:39:13 +00:00
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_samplingmode,
|
|
|
|
tvb, offset, 2, FALSE);
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(netflow_tree, hf_cflow_samplerate,
|
|
|
|
tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
}
|
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
if (pdus <= 0) { /* no payload to decode - in theory */
|
|
|
|
/* This is absurd, but does happens in practice. */
|
|
|
|
proto_tree_add_text(netflow_tree, tvb, offset, tvb_length_remaining(tvb, offset),
|
|
|
|
"FlowSets impossibles - PDU Count is %d", pdus);
|
|
|
|
return;
|
|
|
|
}
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* everything below here should be payload
|
|
|
|
*/
|
|
|
|
for (x = 1; x < pdus + 1; x++) {
|
2004-09-09 06:27:43 +00:00
|
|
|
/*
|
2002-09-22 16:13:22 +00:00
|
|
|
* make sure we have a pdu's worth of data
|
|
|
|
*/
|
|
|
|
available = tvb_length_remaining(tvb, offset);
|
2006-09-12 19:11:45 +00:00
|
|
|
if(((ver == 9) || (ver == 10)) && available >= 4) {
|
2003-02-12 08:36:48 +00:00
|
|
|
/* pdusize can be different for each v9 flowset */
|
|
|
|
pdusize = tvb_get_ntohs(tvb, offset + 2);
|
|
|
|
}
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (available < pdusize)
|
|
|
|
break;
|
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
if ((ver == 9) || (ver == 10)) {
|
2003-02-12 08:36:48 +00:00
|
|
|
pduitem = proto_tree_add_text(netflow_tree, tvb,
|
2006-09-12 19:11:45 +00:00
|
|
|
offset, pdusize,
|
|
|
|
(ver == 9) ? "FlowSet %u" : "DataRecord %u", x);
|
2003-02-12 08:36:48 +00:00
|
|
|
} else {
|
|
|
|
pduitem = proto_tree_add_text(netflow_tree, tvb,
|
|
|
|
offset, pdusize, "pdu %u/%u", x, pdus);
|
|
|
|
}
|
2002-09-22 16:13:22 +00:00
|
|
|
pdutree = proto_item_add_subtree(pduitem, ett_flow);
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
pduret = pduptr(pdutree, tvb, offset, &hdrinfo);
|
2002-09-22 16:13:22 +00:00
|
|
|
|
2004-09-09 06:27:43 +00:00
|
|
|
if (pduret < pdusize) pduret = pdusize; /* padding */
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* if we came up short, stop processing
|
|
|
|
*/
|
|
|
|
if (pduret == pdusize)
|
|
|
|
offset += pduret;
|
|
|
|
else
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* flow_process_* == common groups of fields, probably could be inline
|
|
|
|
*/
|
|
|
|
|
|
|
|
static int
|
|
|
|
flow_process_ints(proto_tree * pdutree, tvbuff_t * tvb, int offset)
|
|
|
|
{
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2, FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
|
|
|
|
FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return offset;
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int
|
|
|
|
flow_process_ports(proto_tree * pdutree, tvbuff_t * tvb, int offset)
|
|
|
|
{
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
flow_process_timeperiod(proto_tree * pdutree, tvbuff_t * tvb, int offset)
|
|
|
|
{
|
2007-05-11 06:21:18 +00:00
|
|
|
nstime_t ts_start, ts_end;
|
|
|
|
int offset_s, offset_e;
|
|
|
|
nstime_t ts_delta;
|
|
|
|
guint32 msec_start, msec_end;
|
|
|
|
guint32 msec_delta;
|
|
|
|
proto_tree * timetree = 0;
|
|
|
|
proto_item * timeitem = 0;
|
|
|
|
|
|
|
|
|
|
|
|
msec_start = tvb_get_ntohl(tvb, offset);
|
|
|
|
ts_start.secs = msec_start / 1000;
|
|
|
|
ts_start.nsecs = (msec_start % 1000) * 1000000;
|
|
|
|
offset_s = offset;
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2007-05-11 06:21:18 +00:00
|
|
|
msec_end = tvb_get_ntohl(tvb, offset);
|
|
|
|
ts_end.secs = msec_end / 1000;
|
|
|
|
ts_end.nsecs = (msec_end % 1000) * 1000000;
|
|
|
|
offset_e = offset;
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2007-05-11 06:21:18 +00:00
|
|
|
msec_delta = msec_end - msec_start;
|
|
|
|
ts_delta.secs = msec_delta / 1000;
|
|
|
|
ts_delta.nsecs = (msec_delta % 1000) * 1000000;
|
|
|
|
|
|
|
|
|
|
|
|
timeitem = proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
|
|
|
|
offset_s, 8, &ts_delta);
|
|
|
|
timetree = proto_item_add_subtree(timeitem, ett_flowtime);
|
|
|
|
|
|
|
|
proto_tree_add_time(timetree, hf_cflow_timestart, tvb, offset_s, 4,
|
|
|
|
&ts_start);
|
|
|
|
proto_tree_add_time(timetree, hf_cflow_timeend, tvb, offset_e, 4,
|
|
|
|
&ts_end);
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return offset;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
flow_process_aspair(proto_tree * pdutree, tvbuff_t * tvb, int offset)
|
|
|
|
{
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcas, tvb, offset, 2, FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstas, tvb, offset, 2, FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return offset;
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int
|
|
|
|
flow_process_sizecount(proto_tree * pdutree, tvbuff_t * tvb, int offset)
|
|
|
|
{
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_packets, tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets, tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return offset;
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int
|
|
|
|
flow_process_textfield(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
|
|
|
int bytes, const char *text)
|
|
|
|
{
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, bytes, text);
|
|
|
|
offset += bytes;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return offset;
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int
|
|
|
|
dissect_v8_flowpdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo_t * hdrinfo)
|
2002-09-22 16:13:22 +00:00
|
|
|
{
|
|
|
|
int startoffset = offset;
|
2006-12-21 06:41:11 +00:00
|
|
|
guint8 verspec;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstaddr, tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
verspec = hdrinfo->vspec;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (verspec != V8PDU_DESTONLY_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
|
|
|
|
FALSE);
|
|
|
|
offset += 4;
|
|
|
|
}
|
|
|
|
if (verspec == V8PDU_FULL_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2,
|
|
|
|
FALSE);
|
|
|
|
offset += 2;
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2,
|
|
|
|
FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
2002-09-22 16:13:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
offset = flow_process_sizecount(pdutree, tvb, offset);
|
|
|
|
offset = flow_process_timeperiod(pdutree, tvb, offset);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
|
|
|
|
FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
if (verspec != V8PDU_DESTONLY_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2,
|
|
|
|
FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 2;
|
2002-09-22 16:13:22 +00:00
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, FALSE);
|
|
|
|
if (verspec == V8PDU_FULL_METHOD)
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
|
|
|
|
FALSE);
|
|
|
|
offset = flow_process_textfield(pdutree, tvb, offset, 1, "marked tos");
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (verspec == V8PDU_SRCDEST_METHOD)
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2,
|
|
|
|
"reserved");
|
|
|
|
else if (verspec == V8PDU_FULL_METHOD)
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 1, "padding");
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 4, "extra packets");
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_routersc, tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
return (offset - startoffset);
|
2002-09-09 20:22:51 +00:00
|
|
|
}
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* dissect a version 8 pdu, returning the length of the pdu processed
|
|
|
|
*/
|
|
|
|
|
|
|
|
static int
|
|
|
|
dissect_v8_aggpdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
2006-12-21 06:41:11 +00:00
|
|
|
hdrinfo_t * hdrinfo)
|
2002-09-04 20:23:55 +00:00
|
|
|
{
|
2002-09-22 16:13:22 +00:00
|
|
|
int startoffset = offset;
|
2006-12-21 06:41:11 +00:00
|
|
|
guint8 verspec;
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flows, tvb, offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
offset = flow_process_sizecount(pdutree, tvb, offset);
|
|
|
|
offset = flow_process_timeperiod(pdutree, tvb, offset);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
verspec = hdrinfo->vspec;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
switch (verspec) {
|
|
|
|
case V8PDU_AS_METHOD:
|
|
|
|
case V8PDU_TOSAS_METHOD:
|
|
|
|
offset = flow_process_aspair(pdutree, tvb, offset);
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (verspec == V8PDU_TOSAS_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 1,
|
|
|
|
"padding");
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2,
|
|
|
|
"reserved");
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case V8PDU_PROTO_METHOD:
|
|
|
|
case V8PDU_TOSPROTOPORT_METHOD:
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
|
|
|
|
FALSE);
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (verspec == V8PDU_PROTO_METHOD)
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 1,
|
|
|
|
"padding");
|
|
|
|
else if (verspec == V8PDU_TOSPROTOPORT_METHOD)
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2,
|
|
|
|
"reserved");
|
|
|
|
offset = flow_process_ports(pdutree, tvb, offset);
|
|
|
|
|
|
|
|
if (verspec == V8PDU_TOSPROTOPORT_METHOD)
|
|
|
|
offset = flow_process_ints(pdutree, tvb, offset);
|
2002-09-09 20:22:51 +00:00
|
|
|
break;
|
2002-09-22 16:13:22 +00:00
|
|
|
case V8PDU_SPREFIX_METHOD:
|
|
|
|
case V8PDU_DPREFIX_METHOD:
|
|
|
|
case V8PDU_TOSSRCPREFIX_METHOD:
|
|
|
|
case V8PDU_TOSDSTPREFIX_METHOD:
|
|
|
|
proto_tree_add_item(pdutree,
|
|
|
|
verspec ==
|
|
|
|
V8PDU_SPREFIX_METHOD ?
|
|
|
|
hf_cflow_srcnet : hf_cflow_dstnet, tvb,
|
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree,
|
|
|
|
verspec ==
|
|
|
|
V8PDU_SPREFIX_METHOD ?
|
|
|
|
hf_cflow_srcmask : hf_cflow_dstmask, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
|
|
|
|
if (verspec == V8PDU_SPREFIX_METHOD
|
|
|
|
|| verspec == V8PDU_DPREFIX_METHOD)
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 1,
|
|
|
|
"padding");
|
|
|
|
else if (verspec == V8PDU_TOSSRCPREFIX_METHOD
|
|
|
|
|| verspec == V8PDU_TOSDSTPREFIX_METHOD)
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree,
|
|
|
|
verspec ==
|
|
|
|
V8PDU_SPREFIX_METHOD ? hf_cflow_srcas
|
|
|
|
: hf_cflow_dstas, tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree,
|
|
|
|
verspec ==
|
|
|
|
V8PDU_SPREFIX_METHOD ?
|
|
|
|
hf_cflow_inputint : hf_cflow_outputint,
|
|
|
|
tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2,
|
|
|
|
"reserved");
|
2002-09-09 20:22:51 +00:00
|
|
|
break;
|
2002-09-22 16:13:22 +00:00
|
|
|
case V8PDU_MATRIX_METHOD:
|
|
|
|
case V8PDU_TOSMATRIX_METHOD:
|
|
|
|
case V8PDU_PREPORTPROTOCOL_METHOD:
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcnet, tvb, offset, 4,
|
|
|
|
FALSE);
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstnet, tvb, offset, 4,
|
|
|
|
FALSE);
|
|
|
|
offset += 4;
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcmask, tvb, offset++,
|
|
|
|
1, FALSE);
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstmask, tvb, offset++,
|
|
|
|
1, FALSE);
|
|
|
|
|
|
|
|
if (verspec == V8PDU_TOSMATRIX_METHOD ||
|
|
|
|
verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
if (verspec == V8PDU_TOSMATRIX_METHOD) {
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb,
|
|
|
|
offset, 1,
|
|
|
|
"padding");
|
|
|
|
} else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot,
|
|
|
|
tvb, offset++, 1, FALSE);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2,
|
|
|
|
"reserved");
|
|
|
|
}
|
|
|
|
|
|
|
|
if (verspec == V8PDU_MATRIX_METHOD
|
|
|
|
|| verspec == V8PDU_TOSMATRIX_METHOD) {
|
|
|
|
offset = flow_process_aspair(pdutree, tvb, offset);
|
|
|
|
} else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
|
|
|
|
offset = flow_process_ports(pdutree, tvb, offset);
|
|
|
|
}
|
|
|
|
|
|
|
|
offset = flow_process_ints(pdutree, tvb, offset);
|
2002-09-09 20:22:51 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return (offset - startoffset);
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
/* Dissect a version 9 FlowSet and return the length we processed. */
|
2003-02-12 08:36:48 +00:00
|
|
|
|
|
|
|
static int
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_v9_flowset(proto_tree * pdutree, tvbuff_t * tvb, int offset, hdrinfo_t * hdrinfo)
|
2003-02-12 08:36:48 +00:00
|
|
|
{
|
2003-03-04 03:37:12 +00:00
|
|
|
int length;
|
|
|
|
guint16 flowset_id;
|
2006-12-21 06:41:11 +00:00
|
|
|
guint8 ver;
|
|
|
|
|
|
|
|
ver = hdrinfo->vspec;
|
2003-02-12 08:36:48 +00:00
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
if ((ver != 9) && (ver != 10))
|
2003-02-12 08:36:48 +00:00
|
|
|
return (0);
|
|
|
|
|
|
|
|
flowset_id = tvb_get_ntohs(tvb, offset);
|
2006-09-12 19:11:45 +00:00
|
|
|
if ((flowset_id == 0) || (flowset_id == 2)) {
|
2003-02-12 08:36:48 +00:00
|
|
|
/* Template */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_flowset_id, tvb,
|
2006-09-12 19:11:45 +00:00
|
|
|
offset, 2, FALSE);
|
2003-02-12 08:36:48 +00:00
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
|
2006-09-12 19:11:45 +00:00
|
|
|
offset, 2, FALSE);
|
2003-02-12 08:36:48 +00:00
|
|
|
offset += 2;
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_v9_template(pdutree, tvb, offset, length - 4, hdrinfo);
|
2006-09-12 19:11:45 +00:00
|
|
|
} else if ((flowset_id == 1) || (flowset_id == 3)) {
|
2003-02-12 08:36:48 +00:00
|
|
|
/* Options */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_options_flowset_id, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_v9_options(pdutree, tvb, offset, hdrinfo);
|
2006-09-12 19:11:45 +00:00
|
|
|
} else if (flowset_id >= 4 && flowset_id <= 255) {
|
2003-02-12 08:36:48 +00:00
|
|
|
/* Reserved */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flowset_id, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
} else {
|
2006-09-12 19:11:45 +00:00
|
|
|
/* Data */
|
|
|
|
proto_tree_add_item(pdutree, (ver == 9) ? hf_cflow_data_flowset_id : hf_cflow_data_datarecord_id, tvb,
|
|
|
|
offset, 2, FALSE);
|
2003-02-12 08:36:48 +00:00
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
2006-09-12 19:11:45 +00:00
|
|
|
proto_tree_add_item(pdutree, (ver == 9) ? hf_cflow_flowset_length : hf_cflow_datarecord_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
2003-02-12 08:36:48 +00:00
|
|
|
offset += 2;
|
|
|
|
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
/*
|
|
|
|
* The length includes the length of the FlowSet ID and
|
|
|
|
* the length field itself.
|
|
|
|
*/
|
|
|
|
length -= 4;
|
|
|
|
if (length > 0) {
|
|
|
|
dissect_v9_data(pdutree, tvb, offset, flowset_id,
|
2006-12-21 06:41:11 +00:00
|
|
|
(guint)length, hdrinfo);
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
}
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return (length);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2003-03-04 03:37:12 +00:00
|
|
|
dissect_v9_data(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
2006-12-21 06:41:11 +00:00
|
|
|
guint16 id, guint length, hdrinfo_t * hdrinfo)
|
2003-02-12 08:36:48 +00:00
|
|
|
{
|
2003-03-04 03:37:12 +00:00
|
|
|
struct v9_template *template;
|
|
|
|
proto_tree *data_tree;
|
|
|
|
proto_item *data_item;
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
template = v9_template_get(id, &hdrinfo->net_src, hdrinfo->src_id);
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
if (template != NULL && template->length != 0) {
|
2007-05-04 06:07:30 +00:00
|
|
|
int count = 1;
|
2003-03-04 03:37:12 +00:00
|
|
|
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
while (length >= template->length) {
|
2003-03-04 03:37:12 +00:00
|
|
|
data_item = proto_tree_add_text(pdutree, tvb,
|
2006-09-12 19:11:45 +00:00
|
|
|
offset, template->length, "Flow %d", count++);
|
2003-03-04 03:37:12 +00:00
|
|
|
data_tree = proto_item_add_subtree(data_item,
|
|
|
|
ett_dataflowset);
|
|
|
|
|
|
|
|
dissect_v9_pdu(data_tree, tvb, offset, template);
|
|
|
|
|
|
|
|
offset += template->length;
|
|
|
|
length -= template->length;
|
|
|
|
}
|
Add in some additional Cisco URLs for NetFlow documentation.
According to the V9 documentation at the first of those URLs, the length
field in a data flowset includes the lengths of the flowset ID and
length fields, so subtract that before calling "dissect_v9_data()" - and
don't call "dissect_v9_data()" if the length isn't positive after that's
done.
Don't bother checking whether there's data in the tvbuff in the loop
that dissects V9 data flowsets - if there isn't, we *want* an exception
to be thrown, as that's a short or malformed frame. Do, however, make
sure we have at least as much data left in the flowset as the template
claims should be there - otherwise, we have padding, not a record.
Display that padding as such.
Make the length argument to "dissect_v9_data()" unsigned, so that we
don't get compiler warnings when comparing it with the unsigned "length"
field of a template.
If we don't find the template for a data flowset, just show the data as
such.
svn path=/trunk/; revision=7306
2003-03-07 00:43:30 +00:00
|
|
|
if (length != 0) {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"Padding (%u byte%s)",
|
|
|
|
length, plurality(length, "", "s"));
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"Data (%u byte%s), no template found",
|
|
|
|
length, plurality(length, "", "s"));
|
2003-03-04 03:37:12 +00:00
|
|
|
}
|
|
|
|
|
2003-02-12 08:36:48 +00:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
static void
|
|
|
|
dissect_v9_pdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
|
|
|
|
struct v9_template * template)
|
|
|
|
{
|
|
|
|
int i;
|
2007-05-11 06:21:18 +00:00
|
|
|
nstime_t ts_start, ts_end;
|
|
|
|
int offset_s = 0, offset_e = 0;
|
|
|
|
nstime_t ts_delta;
|
|
|
|
guint32 msec_start = 0, msec_end = 0;
|
|
|
|
guint32 msec_delta;
|
|
|
|
proto_tree * timetree = 0;
|
|
|
|
proto_item * timeitem = 0;
|
2003-03-04 03:37:12 +00:00
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
if( (template->count_scopes > 0) && (template->scopes != NULL)) {
|
|
|
|
for(i = 0; i < template->count_scopes; i++) {
|
|
|
|
guint16 type = template->scopes[i].type;
|
|
|
|
guint16 length = template->scopes[i].length;
|
|
|
|
switch( type ) {
|
|
|
|
case 1: /* system */
|
|
|
|
if( length <= 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_system,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"ScopeSystem: invalid size %d", length );
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 2: /* interface */
|
|
|
|
if( length <= 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_interface,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"ScopeInterface: invalid size %d", length );
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 3: /* linecard */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_linecard,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
case 4: /* netflow cache */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_cache,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
case 5: /* template */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_template,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
default: /* unknown */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_scope_unknown,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
offset += length;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
for (i = 0; i < template->count; i++) {
|
|
|
|
guint16 type, length;
|
|
|
|
|
|
|
|
type = template->entries[i].type;
|
|
|
|
length = template->entries[i].length;
|
|
|
|
|
|
|
|
switch (type) {
|
2007-05-04 06:07:30 +00:00
|
|
|
|
|
|
|
case 85: /* BYTES_PERMANENT */
|
2003-03-04 03:37:12 +00:00
|
|
|
case 1: /* bytes */
|
|
|
|
if (length == 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else if (length == 8) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"Octets: length %u", length);
|
|
|
|
}
|
2004-09-09 06:27:43 +00:00
|
|
|
break;
|
2003-03-04 03:37:12 +00:00
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
case 86: /* PACKETS_PERMANENT */
|
2003-03-04 03:37:12 +00:00
|
|
|
case 2: /* packets */
|
|
|
|
if (length == 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_packets,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else if (length == 8) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_packets64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"Packets: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 3: /* flows */
|
|
|
|
if (length == 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flows,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"Flows: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 4: /* proto */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 5: /* TOS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 6: /* TCP flags */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tcpflags,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 7: /* source port */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcport,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 8: /* source IP */
|
|
|
|
if (length == 4) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcaddr,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else if (length == 16) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcaddr_v6,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"SrcAddr: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 9: /* source mask */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcmask,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 10: /* input SNMP */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_inputint,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 11: /* dest port */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstport,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 12: /* dest IP */
|
|
|
|
if (length == 4) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstaddr,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else if (length == 16) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstaddr_v6,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"DstAddr: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 13: /* dest mask */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstmask,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 14: /* output SNMP */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_outputint,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 15: /* nexthop IP */
|
|
|
|
if (length == 4) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_nexthop,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else if (length == 16) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_nexthop_v6,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"NextHop: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 16: /* source AS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcas,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 17: /* dest AS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstas,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 18: /* BGP nexthop IP */
|
|
|
|
if (length == 4) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_bgpnexthop,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else if (length == 16) {
|
2005-09-11 21:25:37 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_bgpnexthop_v6,
|
|
|
|
tvb, offset, length, FALSE);
|
2003-03-04 03:37:12 +00:00
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree,
|
|
|
|
tvb, offset, length,
|
|
|
|
"BGPNextHop: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 19: /* multicast packets */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_mulpackets,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 20: /* multicast octets */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_muloctets,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 22: /* first switched */
|
2007-05-11 06:21:18 +00:00
|
|
|
case 21: /* last switched */
|
|
|
|
if(type == 22) {
|
|
|
|
offset_s = offset;
|
|
|
|
msec_start = tvb_get_ntohl(tvb, offset);
|
|
|
|
ts_start.secs = msec_start / 1000;
|
|
|
|
ts_start.nsecs = (msec_start % 1000) * 1000000;
|
|
|
|
} else {
|
|
|
|
offset_e = offset;
|
|
|
|
msec_end = tvb_get_ntohl(tvb, offset);
|
|
|
|
ts_end.secs = msec_end / 1000;
|
|
|
|
ts_end.nsecs = (msec_end % 1000) * 1000000;
|
|
|
|
}
|
|
|
|
if(offset_s && offset_e) {
|
|
|
|
msec_delta = msec_end - msec_start;
|
|
|
|
ts_delta.secs = msec_delta / 1000;
|
|
|
|
ts_delta.nsecs = (msec_delta % 1000) * 1000000;
|
|
|
|
|
|
|
|
timeitem =
|
|
|
|
proto_tree_add_time(pdutree, hf_cflow_timedelta, tvb,
|
|
|
|
offset_s, 0, &ts_delta);
|
|
|
|
timetree = proto_item_add_subtree(timeitem, ett_flowtime);
|
|
|
|
|
|
|
|
proto_tree_add_time(timetree, hf_cflow_timestart, tvb,
|
|
|
|
offset_s, 4, &ts_start);
|
|
|
|
proto_tree_add_time(timetree, hf_cflow_timeend, tvb,
|
|
|
|
offset_e, 4, &ts_end);
|
|
|
|
}
|
2003-03-04 03:37:12 +00:00
|
|
|
break;
|
2006-09-12 19:11:45 +00:00
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
case 25: /* length_min */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_length_min,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 26: /* length_max */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_length_max,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 32: /* ICMP_TYPE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_icmp_type,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 33: /* IGMP_TYPE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_igmp_type,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
2004-09-09 06:27:43 +00:00
|
|
|
case 34: /* sampling interval */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_sampling_interval,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 35: /* sampling algorithm */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_sampling_algorithm,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 36: /* flow active timeout */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flow_active_timeout,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 37: /* flow inactive timeout */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flow_inactive_timeout,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
2003-03-04 03:37:12 +00:00
|
|
|
|
|
|
|
case 40: /* bytes exported */
|
2007-05-04 06:07:30 +00:00
|
|
|
if( length == 8 ) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets_exp64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets_exp,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
}
|
2003-03-04 03:37:12 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 41: /* packets exported */
|
2007-05-04 06:07:30 +00:00
|
|
|
if( length == 8 ) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_packets_exp64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_packets_exp,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
}
|
2003-03-04 03:37:12 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
case 42: /* flows exported */
|
2007-05-04 06:07:30 +00:00
|
|
|
if( length == 8 ) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flows_exp64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flows_exp,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 44: /* IP source prefix */
|
|
|
|
if (length == 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_srcprefix,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"SrcPrefix: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 45: /* IP destination prefix */
|
|
|
|
if (length == 4) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_dstprefix,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"DstPrefix: length %u", length);
|
|
|
|
}
|
2003-03-04 03:37:12 +00:00
|
|
|
break;
|
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 46: /* top MPLS label type*/
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_mpls_top_label_type,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 47: /* top MPLS label PE address*/
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_mpls_pe_addr,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
|
|
|
case 48: /* Flow Sampler ID */
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"FlowSamplerID: %d", tvb_get_guint8(tvb, offset));
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 49: /* FLOW_SAMPLER_MODE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_sampler_mode,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 50: /* FLOW_SAMPLER_RANDOM_INTERVAL */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_sampler_random_interval,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 51: /* FLOW_CLASS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flow_class,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 52: /* TTL_MINIMUM */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ttl_minimum,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 53: /* TTL_MAXIMUM */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ttl_maximum,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 54: /* IPV4_ID */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ipv4_id,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 60: /* IP_VERSION */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_version,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 61: /* DIRECTION */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_direction,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 70: /* MPLS label1*/
|
|
|
|
proto_tree_add_mpls_label(pdutree, tvb, offset, length, 1);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 71: /* MPLS label2*/
|
|
|
|
proto_tree_add_mpls_label(pdutree, tvb, offset, length, 2);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 72: /* MPLS label3*/
|
|
|
|
proto_tree_add_mpls_label(pdutree, tvb, offset, length, 3);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
2006-02-09 09:11:06 +00:00
|
|
|
case 73: /* MPLS label4*/
|
|
|
|
proto_tree_add_mpls_label(pdutree, tvb, offset, length, 4);
|
|
|
|
break;
|
2007-05-04 06:07:30 +00:00
|
|
|
|
|
|
|
case 82: /* IF_NAME */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_if_name,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 83: /* IF_DESCR */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_if_descr,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 84: /* SAMPLER_NAME */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_sampler_name,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 89: /* FORWARDING_STATUS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_forwarding_status,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_forwarding_code,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 128: /* source AS Peer */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_peer_srcas,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 129: /* dest AS Peer*/
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_peer_dstas,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 144: /* FLOW EXPORTER */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flow_exporter,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 176: /* ICMP_IPv4_TYPE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_type,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 177: /* ICMP_IPv4_CODE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_icmp_ipv4_code,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 178: /* ICMP_IPv6_TYPE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_type,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 179: /* ICMP_IPv6_CODE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_icmp_ipv6_code,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 186: /* TCP_WINDOWS_SIZE */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tcp_window_size,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 190: /* IP_TOTAL_LENGTH */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_total_length,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 192: /* IP_TTL */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_ttl,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 194: /* IP_TOS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_tos,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 195: /* IP_DSCP */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_dscp,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 198: /* BYTES_SQUARED */
|
|
|
|
case 199: /* BYTES_SQUARED_PERMANENT */
|
|
|
|
if( length == 8 ) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_octets_squared64,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
} else {
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
|
|
|
"Bytes Squared: length %u", length);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 205: /* UDP_LENGTH */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_udp_length,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 206: /* IS_MULTICAST */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_is_multicast,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 207: /* IP_HEADER_WORDS */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_ip_header_words,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 208: /* OPTION_MAP */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_option_map,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 313: /* SECTION_HEADER */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_section_header,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case 314: /* SECTION_PAYLOAD */
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_section_payload,
|
|
|
|
tvb, offset, length, FALSE);
|
|
|
|
break;
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
default:
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, length,
|
2007-05-04 06:07:30 +00:00
|
|
|
"Type %u %s", type, decode_v9_template_types(type));
|
2003-03-04 03:37:12 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
offset += length;
|
|
|
|
}
|
2007-05-11 06:21:18 +00:00
|
|
|
if (!(offset_s && offset_e)) {
|
|
|
|
if (offset_s) {
|
|
|
|
proto_tree_add_time(pdutree, hf_cflow_timestart, tvb,
|
|
|
|
offset_s, 4, &ts_start);
|
|
|
|
}
|
|
|
|
if (offset_e) {
|
|
|
|
proto_tree_add_time(pdutree, hf_cflow_timeend, tvb,
|
|
|
|
offset_e, 4, &ts_end);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
}
|
|
|
|
|
2003-02-12 08:36:48 +00:00
|
|
|
static int
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_v9_options(proto_tree * pdutree, tvbuff_t * tvb, int offset, hdrinfo_t * hdrinfo)
|
2003-02-12 08:36:48 +00:00
|
|
|
{
|
2004-09-09 06:27:43 +00:00
|
|
|
guint16 length, option_scope_len, option_len, i, id, size;
|
|
|
|
struct v9_template template;
|
|
|
|
int template_offset;
|
2007-05-04 06:07:30 +00:00
|
|
|
int scopes_offset;
|
2004-09-09 06:27:43 +00:00
|
|
|
|
|
|
|
id = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_id, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
option_scope_len = length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_option_scope_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
option_len = length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_option_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
scopes_offset = offset;
|
|
|
|
|
2004-09-09 06:27:43 +00:00
|
|
|
for(i=0; i<option_scope_len; i++) {
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_scope_field_type, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2; i += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_scope_field_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2; i += 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
template_offset = offset;
|
|
|
|
|
|
|
|
for(i=0; i<option_len;) {
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_field_type, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2; i += 2;
|
|
|
|
|
|
|
|
length = tvb_get_ntohs(tvb, offset);
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_template_field_length, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2; i += 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Cache template */
|
|
|
|
memset(&template, 0, sizeof(template));
|
|
|
|
template.id = id;
|
|
|
|
template.count = option_len/4;
|
2006-12-21 06:41:11 +00:00
|
|
|
COPY_ADDRESS(&template.source_addr, &hdrinfo->net_src);
|
|
|
|
template.source_id = hdrinfo->src_id;
|
2007-05-04 06:07:30 +00:00
|
|
|
/* Option scopes */
|
|
|
|
template.count_scopes = option_scope_len/4;
|
|
|
|
size = template.count_scopes * sizeof(struct v9_template_entry);
|
|
|
|
template.scopes = g_malloc( size );
|
|
|
|
tvb_memcpy(tvb, (guint8 *)template.scopes, scopes_offset, size);
|
|
|
|
|
2004-09-09 06:27:43 +00:00
|
|
|
template.option_template = 1; /* Option template */
|
|
|
|
size = template.count * sizeof(struct v9_template_entry);
|
|
|
|
template.entries = g_malloc(size);
|
|
|
|
tvb_memcpy(tvb, (guint8 *)template.entries, template_offset, size);
|
|
|
|
|
|
|
|
v9_template_add(&template);
|
|
|
|
|
|
|
|
return (0);
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_v9_template(proto_tree * pdutree, tvbuff_t * tvb, int offset, int len, hdrinfo_t * hdrinfo)
|
2003-02-12 08:36:48 +00:00
|
|
|
{
|
2003-03-04 03:37:12 +00:00
|
|
|
struct v9_template template;
|
2003-02-12 08:36:48 +00:00
|
|
|
proto_tree *template_tree;
|
|
|
|
proto_item *template_item;
|
2006-03-15 06:19:15 +00:00
|
|
|
proto_tree *field_tree;
|
|
|
|
proto_item *field_item;
|
2003-03-04 03:37:12 +00:00
|
|
|
guint16 id, count;
|
2006-03-15 06:19:15 +00:00
|
|
|
int remaining = len;
|
2003-02-12 08:36:48 +00:00
|
|
|
gint32 i;
|
|
|
|
|
2006-03-15 06:19:15 +00:00
|
|
|
while (remaining > 0) {
|
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
id = tvb_get_ntohs(tvb, offset);
|
|
|
|
count = tvb_get_ntohs(tvb, offset + 2);
|
|
|
|
|
|
|
|
template_item = proto_tree_add_text(pdutree, tvb, offset,
|
|
|
|
4 + sizeof(struct v9_template_entry) * count,
|
|
|
|
"Template (Id = %u, Count = %u)", id, count);
|
|
|
|
template_tree = proto_item_add_subtree(template_item, ett_template);
|
|
|
|
|
|
|
|
proto_tree_add_item(template_tree, hf_cflow_template_id, tvb,
|
|
|
|
offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
proto_tree_add_item(template_tree, hf_cflow_template_field_count,
|
|
|
|
tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
/* Cache template */
|
|
|
|
memset(&template, 0, sizeof(template));
|
|
|
|
template.id = id;
|
|
|
|
template.count = count;
|
2006-12-21 06:41:11 +00:00
|
|
|
COPY_ADDRESS(&template.source_addr, &hdrinfo->net_src);
|
|
|
|
template.source_id = hdrinfo->src_id;
|
2007-05-04 06:07:30 +00:00
|
|
|
template.count_scopes = 0;
|
|
|
|
template.scopes = NULL;
|
2006-09-12 19:11:45 +00:00
|
|
|
template.option_template = 0; /* Data template */
|
|
|
|
template.entries = g_malloc(count * sizeof(struct v9_template_entry));
|
|
|
|
tvb_memcpy(tvb, (guint8 *)template.entries, offset,
|
|
|
|
count * sizeof(struct v9_template_entry));
|
|
|
|
v9_template_add(&template);
|
|
|
|
|
|
|
|
for (i = 1; i <= count; i++) {
|
|
|
|
guint16 type, length;
|
|
|
|
|
|
|
|
type = tvb_get_ntohs(tvb, offset);
|
|
|
|
length = tvb_get_ntohs(tvb, offset + 2);
|
|
|
|
|
|
|
|
field_item = proto_tree_add_text(template_tree, tvb,
|
|
|
|
offset, 4, "Field (%u/%u)", i, count);
|
|
|
|
field_tree = proto_item_add_subtree(field_item, ett_field);
|
|
|
|
|
|
|
|
proto_tree_add_item(field_tree,
|
|
|
|
hf_cflow_template_field_type, tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
|
|
|
|
proto_tree_add_item(field_tree,
|
|
|
|
hf_cflow_template_field_length, tvb, offset, 2, FALSE);
|
|
|
|
offset += 2;
|
|
|
|
}
|
|
|
|
remaining -= 4 + sizeof(struct v9_template_entry) * count;
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
static value_string v9_template_types[] = {
|
2003-02-12 08:36:48 +00:00
|
|
|
{ 1, "BYTES" },
|
|
|
|
{ 2, "PKTS" },
|
|
|
|
{ 3, "FLOWS" },
|
2007-05-04 06:07:30 +00:00
|
|
|
{ 4, "PROTOCOL" },
|
|
|
|
{ 5, "IP_TOS" },
|
2003-02-12 08:36:48 +00:00
|
|
|
{ 6, "TCP_FLAGS" },
|
|
|
|
{ 7, "L4_SRC_PORT" },
|
|
|
|
{ 8, "IP_SRC_ADDR" },
|
|
|
|
{ 9, "SRC_MASK" },
|
|
|
|
{ 10, "INPUT_SNMP" },
|
|
|
|
{ 11, "L4_DST_PORT" },
|
|
|
|
{ 12, "IP_DST_ADDR" },
|
|
|
|
{ 13, "DST_MASK" },
|
|
|
|
{ 14, "OUTPUT_SNMP" },
|
|
|
|
{ 15, "IP_NEXT_HOP" },
|
|
|
|
{ 16, "SRC_AS" },
|
|
|
|
{ 17, "DST_AS" },
|
|
|
|
{ 18, "BGP_NEXT_HOP" },
|
|
|
|
{ 19, "MUL_DPKTS" },
|
|
|
|
{ 20, "MUL_DOCTETS" },
|
|
|
|
{ 21, "LAST_SWITCHED" },
|
|
|
|
{ 22, "FIRST_SWITCHED" },
|
2006-02-09 09:11:06 +00:00
|
|
|
{ 23, "OUT_BYTES" },
|
|
|
|
{ 24, "OUT_PKTS" },
|
2007-05-04 06:07:30 +00:00
|
|
|
{ 25, "IP LENGTH MINIMUM" },
|
|
|
|
{ 26, "IP LENGTH MAXIMUM" },
|
2004-09-09 06:27:43 +00:00
|
|
|
{ 27, "IPV6_SRC_ADDR" },
|
|
|
|
{ 28, "IPV6_DST_ADDR" },
|
|
|
|
{ 29, "IPV6_SRC_MASK" },
|
|
|
|
{ 30, "IPV6_DST_MASK" },
|
|
|
|
{ 31, "FLOW_LABEL" },
|
|
|
|
{ 32, "ICMP_TYPE" },
|
|
|
|
{ 33, "IGMP_TYPE" },
|
|
|
|
{ 34, "SAMPLING_INTERVAL" },
|
|
|
|
{ 35, "SAMPLING_ALGORITHM" },
|
|
|
|
{ 36, "FLOW_ACTIVE_TIMEOUT" },
|
|
|
|
{ 37, "FLOW_INACTIVE_TIMEOUT" },
|
|
|
|
{ 38, "ENGINE_TYPE" },
|
|
|
|
{ 39, "ENGINE_ID" },
|
2003-02-12 08:36:48 +00:00
|
|
|
{ 40, "TOTAL_BYTES_EXP" },
|
|
|
|
{ 41, "TOTAL_PKTS_EXP" },
|
|
|
|
{ 42, "TOTAL_FLOWS_EXP" },
|
2007-05-04 06:07:30 +00:00
|
|
|
{ 44, "IP_SRC_PREFIX" },
|
|
|
|
{ 45, "IP_DST_PREFIX" },
|
2006-02-09 09:11:06 +00:00
|
|
|
{ 46, "MPLS_TOP_LABEL_TYPE" },
|
|
|
|
{ 47, "MPLS_TOP_LABEL_ADDR" },
|
|
|
|
{ 48, "FLOW_SAMPLER_ID" },
|
|
|
|
{ 49, "FLOW_SAMPLER_MODE" },
|
|
|
|
{ 50, "FLOW_SAMPLER_RANDOM_INTERVAL" },
|
2007-05-04 06:07:30 +00:00
|
|
|
{ 51, "FLOW_CLASS" },
|
|
|
|
{ 52, "IP TTL MINIMUM" },
|
|
|
|
{ 53, "IP TTL MAXIMUM" },
|
|
|
|
{ 54, "IPv4 ID" },
|
2006-02-09 09:11:06 +00:00
|
|
|
{ 55, "DST_TOS" },
|
2004-09-09 06:27:43 +00:00
|
|
|
{ 56, "SRC_MAC" },
|
|
|
|
{ 57, "DST_MAC" },
|
|
|
|
{ 58, "SRC_VLAN" },
|
|
|
|
{ 59, "DST_VLAN" },
|
|
|
|
{ 60, "IP_PROTOCOL_VERSION" },
|
|
|
|
{ 61, "DIRECTION" },
|
|
|
|
{ 62, "IPV6_NEXT_HOP" },
|
|
|
|
{ 63, "BPG_IPV6_NEXT_HOP" },
|
|
|
|
{ 64, "IPV6_OPTION_HEADERS" },
|
|
|
|
{ 70, "MPLS_LABEL_1" },
|
|
|
|
{ 71, "MPLS_LABEL_2" },
|
|
|
|
{ 72, "MPLS_LABEL_3" },
|
|
|
|
{ 73, "MPLS_LABEL_4" },
|
|
|
|
{ 74, "MPLS_LABEL_5" },
|
|
|
|
{ 75, "MPLS_LABEL_6" },
|
|
|
|
{ 76, "MPLS_LABEL_7" },
|
2006-02-09 09:11:06 +00:00
|
|
|
{ 77, "MPLS_LABEL_8" },
|
|
|
|
{ 78, "MPLS_LABEL_9" },
|
|
|
|
{ 79, "MPLS_LABEL_10" },
|
2007-05-04 06:07:30 +00:00
|
|
|
{ 80, "DESTINATION_MAC" },
|
|
|
|
{ 81, "SOURCE_MAC" },
|
|
|
|
{ 82, "IF_NAME" },
|
|
|
|
{ 83, "IF_DESC" },
|
|
|
|
{ 84, "SAMPLER_NAME" },
|
|
|
|
{ 85, "BYTES_TOTAL" },
|
|
|
|
{ 86, "PACKETS_TOTAL" },
|
|
|
|
{ 88, "FRAGMENT_OFFSET" },
|
|
|
|
{ 89, "FORWARDING_STATUS" },
|
|
|
|
{ 90, "VPN_ROUTE_DISTINGUISHER" },
|
|
|
|
{ 92, "SRC_TRAFFIC_INDEX" },
|
|
|
|
{ 93, "DST_TRAFFIC_INDEX" },
|
|
|
|
{ 128, "SRC_AS_PEER" },
|
|
|
|
{ 129, "DST_AS_PEER" },
|
|
|
|
{ 130, "DROPPED_BYTES" },
|
|
|
|
{ 131, "DROPPED_PACKETS" },
|
|
|
|
{ 132, "DROPPED_BYTES_TOTAL" },
|
|
|
|
{ 133, "DROPPED_PACKETS_TOTAL" },
|
|
|
|
{ 140, "MPLS_TOP_LABEL_IPv6_ADDRESS" },
|
|
|
|
{ 144, "FLOW_EXPORTER" },
|
|
|
|
{ 176, "ICMP_IPv4_TYPE" },
|
|
|
|
{ 177, "ICMP_IPv4_CODE" },
|
|
|
|
{ 178, "ICMP_IPv6_TYPE" },
|
|
|
|
{ 179, "ICMP_IPv6_CODE" },
|
|
|
|
{ 180, "UDP_SRC_PORT" },
|
|
|
|
{ 181, "UDP_DST_PORT" },
|
|
|
|
{ 182, "TCP_SRC_PORT" },
|
|
|
|
{ 183, "TCP_DST_PORT" },
|
|
|
|
{ 184, "TCP_SEQ_NUM" },
|
|
|
|
{ 184, "TCP_ACK_NUM" },
|
|
|
|
{ 186, "TCP_WINDOW_SIZE" },
|
|
|
|
{ 187, "TCP_URGENT_PTR" },
|
|
|
|
{ 188, "TCP_HEADER_LEN" },
|
|
|
|
{ 189, "IP_HEADER_LEN" },
|
|
|
|
{ 190, "IP_TOTAL_LEN" },
|
|
|
|
{ 192, "IP_TTL" },
|
|
|
|
{ 194, "IP_TOS" },
|
|
|
|
{ 195, "IP_DSCP" },
|
|
|
|
{ 196, "IP_PRECEDENCE" },
|
|
|
|
{ 196, "IP_FRAGMENT_FLAGS" },
|
|
|
|
{ 198, "BYTES_SQUARED" },
|
|
|
|
{ 199, "BYTES_SQUARED_PERMANENT" },
|
|
|
|
{ 200, "MPLS_TOP_LABEL_TTL" },
|
|
|
|
{ 201, "MPLS_LABEL_STACK_OCTETS" },
|
|
|
|
{ 202, "MPLS_LABEL_STACK_DEPTH" },
|
|
|
|
{ 203, "MPLS_TOP_LABEL_EXP" },
|
|
|
|
{ 204, "IP_PAYLOAD_LENGTH" },
|
|
|
|
{ 205, "UDP_LENGTH" },
|
|
|
|
{ 206, "IS_MULTICAST" },
|
|
|
|
{ 207, "IP_HEADER_WORDS" },
|
|
|
|
{ 208, "IP_OPTION_MAP" },
|
|
|
|
{ 208, "TPC_OPTION_MAP" },
|
|
|
|
{ 313, "IP_SECTION HEADER" },
|
|
|
|
{ 314, "IP_SECTION PAYLOAD" },
|
2004-09-09 06:27:43 +00:00
|
|
|
{ 0, NULL },
|
|
|
|
};
|
|
|
|
|
|
|
|
static value_string v9_scope_field_types[] = {
|
|
|
|
{ 1, "System" },
|
|
|
|
{ 2, "Interface" },
|
|
|
|
{ 3, "Line Card" },
|
|
|
|
{ 4, "NetFlow Cache" },
|
|
|
|
{ 5, "Template" },
|
2003-03-04 03:37:12 +00:00
|
|
|
{ 0, NULL },
|
2003-02-12 08:36:48 +00:00
|
|
|
};
|
|
|
|
|
2007-05-04 06:07:30 +00:00
|
|
|
static const char *
|
|
|
|
decode_v9_template_types(int type) {
|
|
|
|
const char *v = match_strval(type, v9_template_types);
|
|
|
|
return ((v==NULL)?"Unknown" : v);
|
|
|
|
}
|
|
|
|
|
|
|
|
static value_string v9_sampler_mode[] = {
|
|
|
|
{ 0, "Determinist" },
|
|
|
|
{ 1, "Unknown" },
|
|
|
|
{ 2, "Random" },
|
|
|
|
{ 0, NULL },
|
|
|
|
};
|
|
|
|
static value_string v9_direction[] = {
|
|
|
|
{ 0, "Ingress" },
|
|
|
|
{ 1, "Egress" },
|
|
|
|
{ 0, NULL },
|
|
|
|
};
|
|
|
|
static value_string v9_forwarding_status[] = {
|
|
|
|
{ 0, "Unknown"}, /* Observed on IOS-XR 3.2 */
|
|
|
|
{ 1, "Forward"}, /* Observed on 7200 12.4(9)T */
|
|
|
|
{ 2, "Drop"}, /* Observed on 7200 12.4(9)T */
|
|
|
|
{ 3, "Consume"}, /* Observed on 7200 12.4(9)T */
|
|
|
|
{ 0, NULL },
|
|
|
|
};
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
static int
|
|
|
|
v9_template_hash(guint16 id, const address * net_src, guint32 src_id)
|
|
|
|
{
|
|
|
|
guint32 val = 0;
|
|
|
|
const guint32 *p;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
p = (guint32 *)net_src->data;
|
|
|
|
|
|
|
|
val += id;
|
|
|
|
|
|
|
|
if (net_src->type == AT_IPv4) {
|
|
|
|
val += *p;
|
|
|
|
} else if (net_src->type == AT_IPv6) {
|
|
|
|
for (i=0; i < 4; i++) {
|
|
|
|
val += *p++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
val += src_id;
|
|
|
|
|
|
|
|
return val % V9TEMPLATE_CACHE_MAX_ENTRIES;
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
static void
|
|
|
|
v9_template_add(struct v9_template *template)
|
2003-02-12 08:36:48 +00:00
|
|
|
{
|
2003-03-04 03:37:12 +00:00
|
|
|
int i;
|
|
|
|
|
|
|
|
/* Add up the actual length of the data and store in proper byte order */
|
|
|
|
template->length = 0;
|
2007-05-04 06:07:30 +00:00
|
|
|
/* Options scope */
|
|
|
|
for(i = 0; i < template->count_scopes; i++) {
|
|
|
|
template->scopes[i].type = g_ntohs(template->scopes[i].type);
|
|
|
|
template->scopes[i].length = g_ntohs(template->scopes[i].length);
|
|
|
|
template->length += template->scopes[i].length;
|
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
for (i = 0; i < template->count; i++) {
|
|
|
|
template->entries[i].type = g_ntohs(template->entries[i].type);
|
|
|
|
template->entries[i].length = g_ntohs(template->entries[i].length);
|
|
|
|
template->length += template->entries[i].length;
|
|
|
|
}
|
2003-02-12 08:36:48 +00:00
|
|
|
|
2007-04-26 05:40:48 +00:00
|
|
|
memcpy(&v9_template_cache[v9_template_hash(template->id,
|
2006-12-21 06:41:11 +00:00
|
|
|
&template->source_addr, template->source_id)],
|
2003-03-04 03:37:12 +00:00
|
|
|
template, sizeof(*template));
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct v9_template *
|
2006-12-21 06:41:11 +00:00
|
|
|
v9_template_get(guint16 id, address * net_src, guint32 src_id)
|
2003-03-04 03:37:12 +00:00
|
|
|
{
|
|
|
|
struct v9_template *template;
|
|
|
|
|
2006-12-21 06:41:11 +00:00
|
|
|
template = &v9_template_cache[v9_template_hash(id, net_src, src_id)];
|
2003-03-04 03:37:12 +00:00
|
|
|
|
|
|
|
if (template->id != id ||
|
2006-12-21 06:41:11 +00:00
|
|
|
!ADDRESSES_EQUAL(&template->source_addr, net_src) ||
|
2003-03-04 03:37:12 +00:00
|
|
|
template->source_id != src_id) {
|
|
|
|
template = NULL;
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
return (template);
|
2003-02-12 08:36:48 +00:00
|
|
|
}
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* dissect a version 1, 5, or 7 pdu and return the length of the pdu we
|
|
|
|
* processed
|
|
|
|
*/
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static int
|
2006-12-21 06:41:11 +00:00
|
|
|
dissect_pdu(proto_tree * pdutree, tvbuff_t * tvb, int offset, hdrinfo_t * hdrinfo)
|
2002-09-22 16:13:22 +00:00
|
|
|
{
|
|
|
|
int startoffset = offset;
|
|
|
|
guint32 srcaddr, dstaddr;
|
|
|
|
guint8 mask;
|
|
|
|
nstime_t ts;
|
2006-12-21 06:41:11 +00:00
|
|
|
guint8 ver;
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
memset(&ts, '\0', sizeof(ts));
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* memcpy so we can use the values later to calculate a prefix
|
|
|
|
*/
|
2005-09-11 21:25:37 +00:00
|
|
|
srcaddr = tvb_get_ipv4(tvb, offset);
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_ipv4(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
|
|
|
|
srcaddr);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2005-09-11 21:25:37 +00:00
|
|
|
dstaddr = tvb_get_ipv4(tvb, offset);
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_ipv4(pdutree, hf_cflow_dstaddr, tvb, offset, 4,
|
|
|
|
dstaddr);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_nexthop, tvb, offset, 4, FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
offset += 4;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
offset = flow_process_ints(pdutree, tvb, offset);
|
|
|
|
offset = flow_process_sizecount(pdutree, tvb, offset);
|
|
|
|
offset = flow_process_timeperiod(pdutree, tvb, offset);
|
|
|
|
offset = flow_process_ports(pdutree, tvb, offset);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* and the similarities end here
|
|
|
|
*/
|
2006-12-21 06:41:11 +00:00
|
|
|
|
|
|
|
ver = hdrinfo->vspec;
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
if (ver == 1) {
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2, "padding");
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
|
|
|
|
FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
|
|
|
|
FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
|
|
|
|
1, FALSE);
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 3, "padding");
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 4,
|
|
|
|
"reserved");
|
|
|
|
} else {
|
|
|
|
if (ver == 5)
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 1,
|
|
|
|
"padding");
|
|
|
|
else {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_flags, tvb,
|
|
|
|
offset++, 1, FALSE);
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
|
2002-09-09 20:22:51 +00:00
|
|
|
1, FALSE);
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
|
|
|
|
FALSE);
|
|
|
|
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
|
|
|
|
FALSE);
|
|
|
|
|
|
|
|
offset = flow_process_aspair(pdutree, tvb, offset);
|
|
|
|
|
|
|
|
mask = tvb_get_guint8(tvb, offset);
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, 1,
|
|
|
|
"SrcMask: %u (prefix: %s/%u)",
|
|
|
|
mask, getprefix(&srcaddr, mask),
|
|
|
|
mask != 0 ? mask : 32);
|
|
|
|
proto_tree_add_uint_hidden(pdutree, hf_cflow_srcmask, tvb,
|
|
|
|
offset++, 1, mask);
|
|
|
|
|
|
|
|
mask = tvb_get_guint8(tvb, offset);
|
|
|
|
proto_tree_add_text(pdutree, tvb, offset, 1,
|
|
|
|
"DstMask: %u (prefix: %s/%u)",
|
|
|
|
mask, getprefix(&dstaddr, mask),
|
|
|
|
mask != 0 ? mask : 32);
|
|
|
|
proto_tree_add_uint_hidden(pdutree, hf_cflow_dstmask, tvb,
|
|
|
|
offset++, 1, mask);
|
|
|
|
|
|
|
|
offset =
|
|
|
|
flow_process_textfield(pdutree, tvb, offset, 2, "padding");
|
|
|
|
|
|
|
|
if (ver == 7) {
|
|
|
|
proto_tree_add_item(pdutree, hf_cflow_routersc, tvb,
|
|
|
|
offset, 4, FALSE);
|
|
|
|
offset += 4;
|
2002-09-04 20:23:55 +00:00
|
|
|
}
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
return (offset - startoffset);
|
|
|
|
}
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static gchar *
|
|
|
|
getprefix(const guint32 * address, int prefix)
|
|
|
|
{
|
|
|
|
guint32 gprefix;
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-10-08 19:26:37 +00:00
|
|
|
gprefix = *address & g_htonl((0xffffffff << (32 - prefix)));
|
2002-09-09 20:22:51 +00:00
|
|
|
|
2002-10-08 08:50:04 +00:00
|
|
|
return (ip_to_str((const guint8 *)&gprefix));
|
2002-09-04 20:23:55 +00:00
|
|
|
}
|
|
|
|
|
2004-03-09 20:08:26 +00:00
|
|
|
|
|
|
|
static void
|
|
|
|
netflow_reinit(void)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Clear out the template cache.
|
|
|
|
* Free the table of fields for each entry, and then zero out
|
|
|
|
* the cache.
|
|
|
|
*/
|
|
|
|
for (i = 0; i < V9TEMPLATE_CACHE_MAX_ENTRIES; i++)
|
|
|
|
g_free(v9_template_cache[i].entries);
|
|
|
|
memset(v9_template_cache, 0, sizeof v9_template_cache);
|
|
|
|
}
|
|
|
|
|
2002-09-04 20:23:55 +00:00
|
|
|
void
|
|
|
|
proto_register_netflow(void)
|
|
|
|
{
|
|
|
|
static hf_register_info hf[] = {
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* flow header
|
|
|
|
*/
|
|
|
|
{&hf_cflow_version,
|
|
|
|
{"Version", "cflow.version",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"NetFlow Version", HFILL}
|
2006-09-12 19:11:45 +00:00
|
|
|
},
|
|
|
|
{&hf_cflow_len,
|
|
|
|
{"Length", "cflow.len",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Length of PDUs", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_count,
|
|
|
|
{"Count", "cflow.count",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of PDUs", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_sysuptime,
|
|
|
|
{"SysUptime", "cflow.sysuptime",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Time since router booted (in milliseconds)", HFILL}
|
2006-09-12 19:11:45 +00:00
|
|
|
},
|
|
|
|
{&hf_cflow_exporttime,
|
|
|
|
{"ExportTime", "cflow.exporttime",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Time when the flow has been exported", HFILL}
|
|
|
|
},
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
{&hf_cflow_timestamp,
|
|
|
|
{"Timestamp", "cflow.timestamp",
|
|
|
|
FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
|
|
|
|
"Current seconds since epoch", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_unix_secs,
|
|
|
|
{"CurrentSecs", "cflow.unix_secs",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Current seconds since epoch", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_unix_nsecs,
|
|
|
|
{"CurrentNSecs", "cflow.unix_nsecs",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Residual nanoseconds since epoch", HFILL}
|
|
|
|
},
|
2004-06-01 18:39:13 +00:00
|
|
|
{&hf_cflow_samplingmode,
|
|
|
|
{"SamplingMode", "cflow.samplingmode",
|
2004-06-01 18:43:30 +00:00
|
|
|
FT_UINT16, BASE_DEC, VALS(v5_sampling_mode), 0xC000,
|
2004-06-01 18:39:13 +00:00
|
|
|
"Sampling Mode of exporter", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_samplerate,
|
|
|
|
{"SampleRate", "cflow.samplerate",
|
2004-06-01 18:39:13 +00:00
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x3FFF,
|
2002-09-22 16:13:22 +00:00
|
|
|
"Sample Frequency of exporter", HFILL}
|
|
|
|
},
|
|
|
|
|
|
|
|
/*
|
|
|
|
* end version-agnostic header
|
|
|
|
* version-specific flow header
|
|
|
|
*/
|
|
|
|
{&hf_cflow_sequence,
|
|
|
|
{"FlowSequence", "cflow.sequence",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Sequence number of flows seen", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_engine_type,
|
|
|
|
{"EngineType", "cflow.engine_type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow switching engine type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_engine_id,
|
|
|
|
{"EngineId", "cflow.engine_id",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Slot number of switching engine", HFILL}
|
|
|
|
},
|
2003-02-12 08:36:48 +00:00
|
|
|
{&hf_cflow_source_id,
|
|
|
|
{"SourceId", "cflow.source_id",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Identifier for export device", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_aggmethod,
|
|
|
|
{"AggMethod", "cflow.aggmethod",
|
|
|
|
FT_UINT8, BASE_DEC, VALS(v8_agg), 0x0,
|
|
|
|
"CFlow V8 Aggregation Method", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_aggversion,
|
|
|
|
{"AggVersion", "cflow.aggversion",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"CFlow V8 Aggregation Version", HFILL}
|
|
|
|
},
|
|
|
|
/*
|
|
|
|
* end version specific header storage
|
|
|
|
*/
|
2003-02-12 08:36:48 +00:00
|
|
|
/*
|
|
|
|
* Version 9
|
|
|
|
*/
|
|
|
|
{&hf_cflow_flowset_id,
|
|
|
|
{"FlowSet Id", "cflow.flowset_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"FlowSet Id", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_data_flowset_id,
|
|
|
|
{"Data FlowSet (Template Id)", "cflow.data_flowset_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Data FlowSet with corresponding to a template Id", HFILL}
|
2006-09-12 19:11:45 +00:00
|
|
|
},
|
|
|
|
{&hf_cflow_data_datarecord_id,
|
|
|
|
{"DataRecord (Template Id)", "cflow.data_datarecord_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"DataRecord with corresponding to a template Id", HFILL}
|
|
|
|
},
|
2003-02-12 08:36:48 +00:00
|
|
|
{&hf_cflow_options_flowset_id,
|
|
|
|
{"Options FlowSet", "cflow.options_flowset_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Options FlowSet", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_flowset_id,
|
|
|
|
{"Template FlowSet", "cflow.template_flowset_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Template FlowSet", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flowset_length,
|
|
|
|
{"FlowSet Length", "cflow.flowset_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"FlowSet length", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_id,
|
|
|
|
{"Template Id", "cflow.template_id",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Template Id", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_field_count,
|
|
|
|
{"Field Count", "cflow.template_field_count",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Template field count", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_field_type,
|
|
|
|
{"Type", "cflow.template_field_type",
|
2003-03-04 03:37:12 +00:00
|
|
|
FT_UINT16, BASE_DEC, VALS(v9_template_types), 0x0,
|
2003-02-12 08:36:48 +00:00
|
|
|
"Template field type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_field_length,
|
|
|
|
{"Length", "cflow.template_field_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Template field length", HFILL}
|
|
|
|
},
|
2004-09-09 06:27:43 +00:00
|
|
|
|
|
|
|
/* options */
|
|
|
|
{&hf_cflow_option_scope_length,
|
|
|
|
{"Option Scope Length", "cflow.option_scope_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Option scope length", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_option_length,
|
|
|
|
{"Option Length", "cflow.option_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Option length", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_template_scope_field_type,
|
|
|
|
{"Scope Type", "cflow.scope_field_type",
|
|
|
|
FT_UINT16, BASE_DEC, VALS(v9_scope_field_types), 0x0,
|
|
|
|
"Scope field type", HFILL}
|
2006-09-12 19:11:45 +00:00
|
|
|
},
|
2004-09-09 06:27:43 +00:00
|
|
|
{&hf_cflow_template_scope_field_length,
|
|
|
|
{"Scope Field Length", "cflow.scope_field_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Scope field length", HFILL}
|
|
|
|
},
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_icmp_type,
|
|
|
|
{"ICMP Type", "cflow.icmp_type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"ICMP type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_igmp_type,
|
|
|
|
{"IGMP Type", "cflow.igmp_type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IGMP type", HFILL}
|
|
|
|
},
|
2004-09-09 06:27:43 +00:00
|
|
|
{&hf_cflow_sampling_interval,
|
|
|
|
{"Sampling interval", "cflow.sampling_interval",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Sampling interval", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_sampling_algorithm,
|
|
|
|
{"Sampling algorithm", "cflow.sampling_algorithm",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Sampling algorithm", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flow_active_timeout,
|
|
|
|
{"Flow active timeout", "cflow.flow_active_timeout",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow active timeout", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flow_inactive_timeout,
|
|
|
|
{"Flow inactive timeout", "cflow.flow_inactive_timeout",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow inactive timeout", HFILL}
|
|
|
|
},
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* begin pdu content storage
|
|
|
|
*/
|
|
|
|
{&hf_cflow_srcaddr,
|
|
|
|
{"SrcAddr", "cflow.srcaddr",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Source Address", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_srcaddr_v6,
|
|
|
|
{"SrcAddr", "cflow.srcaddrv6",
|
|
|
|
FT_IPv6, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Source Address", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_srcnet,
|
|
|
|
{"SrcNet", "cflow.srcnet",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Source Network", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_dstaddr,
|
|
|
|
{"DstAddr", "cflow.dstaddr",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Destination Address", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_dstaddr_v6,
|
|
|
|
{"DstAddr", "cflow.dstaddrv6",
|
|
|
|
FT_IPv6, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Destination Address", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_dstnet,
|
|
|
|
{"DstNet", "cflow.dstaddr",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Destination Network", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_nexthop,
|
|
|
|
{"NextHop", "cflow.nexthop",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Router nexthop", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_nexthop_v6,
|
|
|
|
{"NextHop", "cflow.nexthopv6",
|
|
|
|
FT_IPv6, BASE_NONE, NULL, 0x0,
|
|
|
|
"Router nexthop", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_bgpnexthop,
|
|
|
|
{"BGPNextHop", "cflow.bgpnexthop",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"BGP Router Nexthop", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_bgpnexthop_v6,
|
|
|
|
{"BGPNextHop", "cflow.bgpnexthopv6",
|
|
|
|
FT_IPv6, BASE_NONE, NULL, 0x0,
|
|
|
|
"BGP Router Nexthop", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_inputint,
|
|
|
|
{"InputInt", "cflow.inputint",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow Input Interface", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_outputint,
|
|
|
|
{"OutputInt", "cflow.outputint",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow Output Interface", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flows,
|
|
|
|
{"Flows", "cflow.flows",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flows Aggregated in PDU", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_packets,
|
|
|
|
{"Packets", "cflow.packets",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of packets", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_packets64,
|
|
|
|
{"Packets", "cflow.packets64",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of packets", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_packetsout,
|
|
|
|
{"PacketsOut", "cflow.packetsout",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of packets going out", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_octets,
|
|
|
|
{"Octets", "cflow.octets",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of bytes", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_octets64,
|
|
|
|
{"Octets", "cflow.octets64",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of bytes", HFILL}
|
|
|
|
},
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_length_min,
|
|
|
|
{"MinLength", "cflow.length_min",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Packet Length Min", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_length_max,
|
|
|
|
{"MaxLength", "cflow.length_max",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Packet Length Max", HFILL}
|
|
|
|
},
|
2007-05-11 06:21:18 +00:00
|
|
|
{&hf_cflow_timedelta,
|
|
|
|
{"Duration", "cflow.timedelta",
|
|
|
|
FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
|
|
|
|
"Duration of flow sample (end - start)", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
{&hf_cflow_timestart,
|
|
|
|
{"StartTime", "cflow.timestart",
|
|
|
|
FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
|
|
|
|
"Uptime at start of flow", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_timeend,
|
|
|
|
{"EndTime", "cflow.timeend",
|
|
|
|
FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
|
|
|
|
"Uptime at end of flow", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_srcport,
|
|
|
|
{"SrcPort", "cflow.srcport",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow Source Port", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_dstport,
|
|
|
|
{"DstPort", "cflow.dstport",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow Destination Port", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_prot,
|
|
|
|
{"Protocol", "cflow.protocol",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IP Protocol", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_tos,
|
|
|
|
{"IP ToS", "cflow.tos",
|
|
|
|
FT_UINT8, BASE_HEX, NULL, 0x0,
|
|
|
|
"IP Type of Service", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flags,
|
|
|
|
{"Export Flags", "cflow.flags",
|
|
|
|
FT_UINT8, BASE_HEX, NULL, 0x0,
|
|
|
|
"CFlow Flags", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_tcpflags,
|
|
|
|
{"TCP Flags", "cflow.tcpflags",
|
|
|
|
FT_UINT8, BASE_HEX, NULL, 0x0,
|
|
|
|
"TCP Flags", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_srcas,
|
|
|
|
{"SrcAS", "cflow.srcas",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Source AS", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_dstas,
|
|
|
|
{"DstAS", "cflow.dstas",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Destination AS", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_srcmask,
|
|
|
|
{"SrcMask", "cflow.srcmask",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Source Prefix Mask", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_dstmask,
|
|
|
|
{"DstMask", "cflow.dstmask",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Destination Prefix Mask", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_routersc,
|
|
|
|
{"Router Shortcut", "cflow.routersc",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Router shortcut by switch", HFILL}
|
2003-03-04 03:37:12 +00:00
|
|
|
},
|
|
|
|
{&hf_cflow_mulpackets,
|
|
|
|
{"MulticastPackets", "cflow.mulpackets",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of multicast packets", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_muloctets,
|
|
|
|
{"MulticastOctets", "cflow.muloctets",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Count of multicast octets", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_octets_exp,
|
|
|
|
{"OctetsExp", "cflow.octetsexp",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Octets exported", HFILL}
|
|
|
|
},
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_octets_exp64,
|
|
|
|
{"OctetsExp ", "cflow.octetsexp",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Octets exported", HFILL}
|
|
|
|
},
|
2003-03-04 03:37:12 +00:00
|
|
|
{&hf_cflow_packets_exp,
|
|
|
|
{"PacketsExp", "cflow.packetsexp",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Packets exported", HFILL}
|
|
|
|
},
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_packets_exp64,
|
|
|
|
{"PacketsExp", "cflow.packetsexp",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Packets exported", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flows_exp,
|
|
|
|
{"FlowsExp ", "cflow.flowsexp",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flows exported", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flows_exp64,
|
|
|
|
{"FlowsExp ", "cflow.flowsexp",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flows exported", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_srcprefix,
|
|
|
|
{"SrcPrefix", "cflow.srcprefix",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Source Prefix", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_dstprefix,
|
|
|
|
{"DstPrefix", "cflow.dstprefix",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Flow Destination Prefix", HFILL}
|
|
|
|
},
|
2006-02-09 09:11:06 +00:00
|
|
|
{&hf_cflow_mpls_top_label_type,
|
|
|
|
{"TopLabelType", "cflow.toplabeltype",
|
|
|
|
FT_UINT8, BASE_DEC, VALS(special_mpls_top_label_type), 0x0,
|
|
|
|
"Top MPLS label Type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_mpls_pe_addr,
|
|
|
|
{"TopLabelAddr", "cflow.toplabeladdr",
|
|
|
|
FT_IPv4, BASE_NONE, NULL, 0x0,
|
|
|
|
"Top MPLS label PE address", HFILL}
|
|
|
|
},
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_sampler_mode ,
|
|
|
|
{"SamplerMode", "cflow.sampler_mode",
|
|
|
|
FT_UINT8, BASE_DEC, VALS(v9_sampler_mode), 0x0,
|
|
|
|
"Flow Sampler Mode", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_sampler_random_interval ,
|
|
|
|
{"SamplerRandomInterval", "cflow.sampler_random_interval",
|
2003-03-04 03:37:12 +00:00
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
2007-05-04 06:07:30 +00:00
|
|
|
"Flow Sampler Random Interval", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flow_class ,
|
|
|
|
{"FlowClass", "cflow.flow_class",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Flow Class", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ttl_minimum ,
|
|
|
|
{"MinTTL", "cflow.ttl_min",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"TTL minimum", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ttl_maximum ,
|
|
|
|
{"MaxTTL", "cflow.ttl_max",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"TTL maximum", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ipv4_id ,
|
|
|
|
{"IPv4Ident", "cflow.ipv4_ident",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPv4 Identifier", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_version ,
|
|
|
|
{"IPVersion", "cflow.ip_version",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"IP Version", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_direction ,
|
|
|
|
{"Direction", "cflow.direction",
|
|
|
|
FT_UINT8, BASE_DEC, VALS(v9_direction), 0x0,
|
|
|
|
"Direction", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_if_name ,
|
|
|
|
{"IfName", "cflow.if_name",
|
|
|
|
FT_STRINGZ/*FT_BYTES*/, BASE_HEX, NULL, 0x0,
|
|
|
|
"SNMP Interface Name", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_if_descr ,
|
|
|
|
{"IfDescr", "cflow.if_descr",
|
|
|
|
FT_STRINGZ/*FT_BYTES*/, BASE_HEX, NULL, 0x0,
|
|
|
|
"SNMP Interface Description", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_sampler_name ,
|
|
|
|
{"SamplerName", "cflow.sampler_name",
|
|
|
|
FT_STRINGZ/*FT_BYTES*/, BASE_HEX, NULL, 0x0,
|
|
|
|
"Sampler Name", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_forwarding_status ,
|
|
|
|
{"ForwdStat", "cflow.forwarding_status",
|
|
|
|
FT_UINT8, BASE_DEC, VALS(v9_forwarding_status), 0xC0,
|
|
|
|
"Forwarding Status", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_forwarding_code ,
|
|
|
|
{"ForwdCode", "cflow.forwarding_code",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x3F,
|
|
|
|
"Forwarding Code", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_peer_srcas,
|
|
|
|
{"PeerSrcAS", "cflow.peer_srcas",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Peer Source AS", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_peer_dstas,
|
|
|
|
{"PeerDstAS", "cflow.peer_dstas",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"Peer Destination AS", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_flow_exporter,
|
|
|
|
{"FlowExporter", "cflow.flow_exporter",
|
|
|
|
FT_BYTES/*FT_IPv4*/, BASE_HEX, NULL, 0x0,
|
|
|
|
"Flow Exporter", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_icmp_ipv4_type,
|
|
|
|
{"IPv4 ICMP Type", "cflow.icmp_ipv4_type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPv4 ICMP type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_icmp_ipv4_code,
|
|
|
|
{"IPv4 ICMP Code", "cflow.icmp_ipv4_code",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPv4 ICMP code", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_icmp_ipv6_type,
|
|
|
|
{"IPv6 ICMP Type", "cflow.icmp_ipv6_type",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPv6 ICMP type", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_icmp_ipv6_code,
|
|
|
|
{"IPv6 ICMP Code", "cflow.icmp_ipv6_code",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPv6 ICMP code", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_tcp_window_size,
|
|
|
|
{"TCP Windows Size", "cflow.tcp_windows_size",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"TCP Windows size", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_total_length,
|
|
|
|
{"IP Total Length", "cflow.ip_total_length",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IP total length", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_ttl,
|
|
|
|
{"IP TTL", "cflow.ip_ttl",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IP time to live", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_tos,
|
|
|
|
{"IP TOS", "cflow.ip_tos",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IP type of service", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_dscp,
|
|
|
|
{"DSCP", "cflow.ip_dscp",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IP DSCP", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_octets_squared64,
|
|
|
|
{"OctetsSquared ", "cflow.octets_squared",
|
|
|
|
FT_UINT64, BASE_DEC, NULL, 0x0,
|
|
|
|
"Octets Squared", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_udp_length,
|
|
|
|
{"UDP Length", "cflow.udp_length",
|
|
|
|
FT_UINT16, BASE_DEC, NULL, 0x0,
|
|
|
|
"UDP length", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_is_multicast,
|
|
|
|
{"IsMulticast", "cflow.is_multicast",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"Is Multicast", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_ip_header_words,
|
|
|
|
{"IPHeaderLen", "cflow.ip_header_words",
|
|
|
|
FT_UINT8, BASE_DEC, NULL, 0x0,
|
|
|
|
"IPHeaderLen", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_option_map,
|
|
|
|
{"OptionMap", "cflow.option_map",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Map", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_section_header ,
|
|
|
|
{"SectionHeader", "cflow.section_header",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Header of Packet", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_section_payload ,
|
|
|
|
{"SectionPayload", "cflow.section_payload",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Payload of Packet", HFILL}
|
|
|
|
},
|
2002-09-22 16:13:22 +00:00
|
|
|
/*
|
|
|
|
* end pdu content storage
|
|
|
|
*/
|
2007-05-04 06:07:30 +00:00
|
|
|
{&hf_cflow_scope_system ,
|
|
|
|
{"ScopeSystem", "cflow.scope_system",
|
|
|
|
FT_IPv4, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Scope System", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_scope_interface ,
|
|
|
|
{"ScopeInterface", "cflow.scope_interface",
|
|
|
|
FT_UINT32, BASE_DEC, NULL, 0x0,
|
|
|
|
"Option Scope Interface", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_scope_linecard ,
|
|
|
|
{"ScopeLinecard", "cflow.scope_linecard",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Scope Linecard", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_scope_cache ,
|
|
|
|
{"ScopeCache", "cflow.scope_cache",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Scope Cache", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_scope_template ,
|
|
|
|
{"ScopeTemplate", "cflow.scope_template",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Scope Template", HFILL}
|
|
|
|
},
|
|
|
|
{&hf_cflow_scope_unknown ,
|
|
|
|
{"Scope Unknown", "cflow.scope",
|
|
|
|
FT_BYTES, BASE_HEX, NULL, 0x0,
|
|
|
|
"Option Scope Unknown", HFILL}
|
|
|
|
},
|
2002-09-04 20:23:55 +00:00
|
|
|
};
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
static gint *ett[] = {
|
2002-09-04 20:23:55 +00:00
|
|
|
&ett_netflow,
|
2002-09-22 16:13:22 +00:00
|
|
|
&ett_unixtime,
|
2003-02-12 08:36:48 +00:00
|
|
|
&ett_flow,
|
2007-05-11 06:21:18 +00:00
|
|
|
&ett_flowtime,
|
2003-03-04 03:37:12 +00:00
|
|
|
&ett_template,
|
2006-03-15 06:19:15 +00:00
|
|
|
&ett_field,
|
2003-03-04 03:37:12 +00:00
|
|
|
&ett_dataflowset
|
2002-09-04 20:23:55 +00:00
|
|
|
};
|
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
module_t *netflow_module;
|
|
|
|
|
2006-09-12 19:11:45 +00:00
|
|
|
proto_netflow = proto_register_protocol("Cisco NetFlow/IPFIX", "CFLOW",
|
2002-09-22 16:13:22 +00:00
|
|
|
"cflow");
|
|
|
|
|
2002-09-04 20:23:55 +00:00
|
|
|
proto_register_field_array(proto_netflow, hf, array_length(hf));
|
|
|
|
proto_register_subtree_array(ett, array_length(ett));
|
2002-09-22 16:13:22 +00:00
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
/* Register our configuration options for NetFlow */
|
|
|
|
netflow_module = prefs_register_protocol(proto_netflow,
|
|
|
|
proto_reg_handoff_netflow);
|
|
|
|
|
|
|
|
prefs_register_uint_preference(netflow_module, "udp.port",
|
|
|
|
"NetFlow UDP Port", "Set the port for NetFlow messages",
|
|
|
|
10, &global_netflow_udp_port);
|
|
|
|
|
2004-03-09 20:08:26 +00:00
|
|
|
register_init_routine(&netflow_reinit);
|
2002-09-04 20:23:55 +00:00
|
|
|
}
|
|
|
|
|
2002-09-22 16:13:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* protocol/port association
|
|
|
|
*/
|
2002-09-04 20:23:55 +00:00
|
|
|
void
|
|
|
|
proto_reg_handoff_netflow(void)
|
|
|
|
{
|
2003-03-04 03:37:12 +00:00
|
|
|
static int netflow_prefs_initialized = FALSE;
|
|
|
|
static dissector_handle_t netflow_handle;
|
|
|
|
|
|
|
|
if (!netflow_prefs_initialized) {
|
|
|
|
netflow_handle = create_dissector_handle(dissect_netflow,
|
|
|
|
proto_netflow);
|
|
|
|
netflow_prefs_initialized = TRUE;
|
|
|
|
} else {
|
|
|
|
dissector_delete("udp.port", netflow_udp_port, netflow_handle);
|
2006-09-12 19:11:45 +00:00
|
|
|
dissector_delete("udp.port", ipfix_port, netflow_handle);
|
|
|
|
dissector_delete("tcp.port", ipfix_port, netflow_handle);
|
|
|
|
dissector_delete("sctp.port", ipfix_port, netflow_handle);
|
2003-03-04 03:37:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Set out port number for future use */
|
|
|
|
netflow_udp_port = global_netflow_udp_port;
|
2002-09-04 20:23:55 +00:00
|
|
|
|
2003-03-04 03:37:12 +00:00
|
|
|
dissector_add("udp.port", netflow_udp_port, netflow_handle);
|
2006-09-12 19:11:45 +00:00
|
|
|
|
|
|
|
ipfix_port = global_ipfix_port;
|
|
|
|
dissector_add("udp.port", ipfix_port, netflow_handle);
|
|
|
|
dissector_add("tcp.port", ipfix_port, netflow_handle);
|
|
|
|
dissector_add("sctp.port", ipfix_port, netflow_handle);
|
2002-09-04 20:23:55 +00:00
|
|
|
}
|
2007-05-04 06:07:30 +00:00
|
|
|
|