sys/netgraph/netflow/netflow.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

/*-
 * Copyright (c) 2010-2011 Alexander V. Chernikov <melifaro@ipfw.ru>
 * Copyright (c) 2004 Gleb Smirnoff <glebius@FreeBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	 $SourceForge: netflow.h,v 1.8 2004/09/16 17:05:11 glebius Exp $
 *	 $FreeBSD$
 */

/* netflow timeouts in seconds */

#define	ACTIVE_TIMEOUT		(30*60)	/* maximum flow lifetime is 30 min */
#define	INACTIVE_TIMEOUT	15

/*
 * More info can be found in these Cisco documents:
 *
 * Cisco IOS NetFlow, White Papers.
 * http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
 *
 * Cisco CNS NetFlow Collection Engine User Guide, 5.0.2, NetFlow Export
 * Datagram Formats.
 * http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_user_guide_chapter09186a00803f3147.html#wp26453
 *
 * Cisco Systems NetFlow Services Export Version 9
 * http://www.ietf.org/rfc/rfc3954.txt
 *
 */

#define NETFLOW_V1 1
#define NETFLOW_V5 5
#define NETFLOW_V9 9

struct netflow_v1_header
{
  uint16_t version;	/* NetFlow version */
  uint16_t count;	/* Number of records in flow */
  uint32_t sys_uptime;	/* System uptime */
  uint32_t unix_secs;	/* Current seconds since 0000 UTC 1970 */
  uint32_t unix_nsecs;	/* Remaining nanoseconds since 0000 UTC 1970 */
} __attribute__((__packed__));

struct netflow_v5_header
{
  uint16_t version;	/* NetFlow version */
  uint16_t count;	/* Number of records in flow */
  uint32_t sys_uptime;	/* System uptime */
  uint32_t unix_secs;	/* Current seconds since 0000 UTC 1970 */
  uint32_t unix_nsecs;	/* Remaining nanoseconds since 0000 UTC 1970 */
  uint32_t flow_seq;	/* Sequence number of the first record */
  uint8_t engine_type;	/* Type of flow switching engine (RP,VIP,etc.) */
  uint8_t engine_id;	/* Slot number of the flow switching engine */
  uint16_t pad;		/* Pad to word boundary */
} __attribute__((__packed__));

struct netflow_v9_header
{
  uint16_t version;	/* NetFlow version */
  uint16_t count;	/* Total number of records in packet */
  uint32_t sys_uptime;	/* System uptime */
  uint32_t unix_secs;	/* Current seconds since 0000 UTC 1970 */
  uint32_t seq_num;	/* Sequence number */
  uint32_t source_id;	/* Observation Domain id */
} __attribute__((__packed__));

struct netflow_v1_record
{
  uint32_t src_addr;	/* Source IP address */
  uint32_t dst_addr;	/* Destination IP address */
  uint32_t next_hop;	/* Next hop IP address */
  uint16_t in_ifx;	/* Source interface index */
  uint16_t out_ifx;	/* Destination interface index */
  uint32_t packets;	/* Number of packets in a flow */
  uint32_t octets;	/* Number of octets in a flow */
  uint32_t first;	/* System uptime at start of a flow */
  uint32_t last;	/* System uptime at end of a flow */
  uint16_t s_port;	/* Source port */
  uint16_t d_port;	/* Destination port */
  uint16_t pad1;	/* Pad to word boundary */
  uint8_t prot;		/* IP protocol */
  uint8_t tos;		/* IP type of service */
  uint8_t flags;	/* Cumulative OR of tcp flags */
  uint8_t pad2;		/* Pad to word boundary */
  uint16_t pad3;	/* Pad to word boundary */
  uint8_t reserved[5];	/* Reserved for future use */
} __attribute__((__packed__));

struct netflow_v5_record
{
  uint32_t src_addr;	/* Source IP address */
  uint32_t dst_addr;	/* Destination IP address */
  uint32_t next_hop;	/* Next hop IP address */
  uint16_t i_ifx;	/* Source interface index */
  uint16_t o_ifx;	/* Destination interface index */
  uint32_t packets;	/* Number of packets in a flow */
  uint32_t octets;	/* Number of octets in a flow */
  uint32_t first;	/* System uptime at start of a flow */
  uint32_t last;	/* System uptime at end of a flow */
  uint16_t s_port;	/* Source port */
  uint16_t d_port;	/* Destination port */
  uint8_t pad1;		/* Pad to word boundary */
  uint8_t flags;	/* Cumulative OR of tcp flags */
  uint8_t prot;		/* IP protocol */
  uint8_t tos;		/* IP type of service */
  uint16_t src_as;	/* Src peer/origin Autonomous System */
  uint16_t dst_as;	/* Dst peer/origin Autonomous System */
  uint8_t src_mask;	/* Source route's mask bits */
  uint8_t dst_mask;	/* Destination route's mask bits */
  uint16_t pad2;	/* Pad to word boundary */
} __attribute__((__packed__));

#define NETFLOW_V1_MAX_RECORDS 24
#define NETFLOW_V5_MAX_RECORDS 30

#define NETFLOW_V1_MAX_SIZE (sizeof(netflow_v1_header)+ \
			     sizeof(netflow_v1_record)*NETFLOW_V1_MAX_RECORDS)
#define NETFLOW_V5_MAX_SIZE (sizeof(netflow_v5_header)+ \
			     sizeof(netflow_v5_record)*NETFLOW_V5_MAX_RECORDS)

struct netflow_v5_export_dgram {
	struct netflow_v5_header	header;
	struct netflow_v5_record	r[NETFLOW_V5_MAX_RECORDS];
} __attribute__((__packed__));


/* RFC3954 field definitions */
#define NETFLOW_V9_FIELD_IN_BYTES		1	/* Input bytes count for a flow. Default 4, can be 8 */
#define NETFLOW_V9_FIELD_IN_PKTS		2	/* Incoming counter with number of packets associated with an IP Flow. Default 4 */
#define NETFLOW_V9_FIELD_FLOWS			3	/* Number of Flows that were aggregated. Default 4 */
#define NETFLOW_V9_FIELD_PROTOCOL		4	/* IP protocol byte. 1 */
#define NETFLOW_V9_FIELD_TOS			5	/* Type of service byte setting when entering the incoming interface. 1 */
#define NETFLOW_V9_FIELD_TCP_FLAGS		6	/* TCP flags; cumulative of all the TCP flags seen in this Flow. 1 */
#define NETFLOW_V9_FIELD_L4_SRC_PORT		7	/* TCP/UDP source port number. 2 */
#define NETFLOW_V9_FIELD_IPV4_SRC_ADDR		8	/* IPv4 source address. 4 */
#define NETFLOW_V9_FIELD_SRC_MASK		9	/* The number of contiguous bits in the source subnet mask (i.e., the mask in slash notation). 1 */
#define NETFLOW_V9_FIELD_INPUT_SNMP		10	/* Input interface index. Default 2 */
#define NETFLOW_V9_FIELD_L4_DST_PORT		11	/* TCP/UDP destination port number. 2 */
#define NETFLOW_V9_FIELD_IPV4_DST_ADDR		12	/* IPv4 destination address. 4 */
#define NETFLOW_V9_FIELD_DST_MASK		13	/* The number of contiguous bits in the destination subnet mask (i.e., the mask in slash notation). 1 */
#define NETFLOW_V9_FIELD_OUTPUT_SNMP		14	/* Output interface index. Default 2 */
#define NETFLOW_V9_FIELD_IPV4_NEXT_HOP		15	/* IPv4 address of the next-hop router. 4 */
#define NETFLOW_V9_FIELD_SRC_AS			16	/* Source BGP autonomous system number. Default 2, can be 4 */
#define NETFLOW_V9_FIELD_DST_AS			17	/* Destination BGP autonomous system number. Default 2, can be 4 */
#define NETFLOW_V9_FIELD_BGP_IPV4_NEXT_HOP	18	/* Next-hop router's IP address in the BGP domain. 4 */
#define NETFLOW_V9_FIELD_MUL_DST_PKTS		19	/* IP multicast outgoing packet counter for packets associated with IP flow. Default 4 */
#define NETFLOW_V9_FIELD_MUL_DST_BYTES		20	/* IP multicast outgoing Octet (byte) counter for the number of bytes associated with IP flow. Default 4 */
#define NETFLOW_V9_FIELD_LAST_SWITCHED		21	/* sysUptime in msec at which the last packet of this Flow was switched. 4 */
#define NETFLOW_V9_FIELD_FIRST_SWITCHED		22	/* sysUptime in msec at which the first packet of this Flow was switched. 4 */
#define NETFLOW_V9_FIELD_OUT_BYTES		23	/* Outgoing counter for the number of bytes associated with an IP Flow. Default 4 */
#define NETFLOW_V9_FIELD_OUT_PKTS		24	/* Outgoing counter for the number of packets associated with an IP Flow. Default 4 */
#define NETFLOW_V9_FIELD_IPV6_SRC_ADDR		27	/* IPv6 source address. 16 */
#define NETFLOW_V9_FIELD_IPV6_DST_ADDR		28	/* IPv6 destination address. 16 */
#define NETFLOW_V9_FIELD_IPV6_SRC_MASK		29	/* Length of the IPv6 source mask in contiguous bits. 1 */
#define NETFLOW_V9_FIELD_IPV6_DST_MASK		30	/* Length of the IPv6 destination mask in contiguous bits. 1 */
#define NETFLOW_V9_FIELD_IPV6_FLOW_LABEL	31	/* IPv6 flow label as per RFC 2460 definition. 3 */
#define NETFLOW_V9_FIELD_ICMP_TYPE		32	/* Internet Control Message Protocol (ICMP) packet type; reported as ICMP Type * 256 + ICMP code. 2 */
#define NETFLOW_V9_FIELD_MUL_IGMP_TYPE		33	/* Internet Group Management Protocol (IGMP) packet type. 1 */
#define NETFLOW_V9_FIELD_SAMPLING_INTERVAL	34	/* When using sampled NetFlow, the rate at which packets are sampled; for example, a value of 100 indicates that one of every hundred packets is sampled. 4 */
#define NETFLOW_V9_FIELD_SAMPLING_ALGORITHM	35	/* For sampled NetFlow platform-wide: 0x01 deterministic sampling 0x02 random sampling. 1 */
#define NETFLOW_V9_FIELD_FLOW_ACTIVE_TIMEOUT	36	/* Timeout value (in seconds) for active flow entries in the NetFlow cache. 2 */
#define NETFLOW_V9_FIELD_FLOW_INACTIVE_TIMEOUT	37	/* Timeout value (in seconds) for inactive Flow entries in the NetFlow cache. 2 */
#define NETFLOW_V9_FIELD_ENGINE_TYPE		38	/* Type of Flow switching engine (route processor, linecard, etc...). 1 */
#define NETFLOW_V9_FIELD_ENGINE_ID		39	/* ID number of the Flow switching engine. 1 */
#define NETFLOW_V9_FIELD_TOTAL_BYTES_EXP	40	/* Counter with for the number of bytes exported by the Observation Domain. Default 4 */
#define NETFLOW_V9_FIELD_TOTAL_PKTS_EXP		41	/* Counter with for the number of packets exported by the Observation Domain. Default 4 */
#define NETFLOW_V9_FIELD_TOTAL_FLOWS_EXP	42	/* Counter with for the number of flows exported by the Observation Domain. Default 4 */
#define NETFLOW_V9_FIELD_MPLS_TOP_LABEL_TYPE	46	/* MPLS Top Label Type. 1 */
#define NETFLOW_V9_FIELD_MPLS_TOP_LABEL_IP_ADDR	47	/* Forwarding Equivalent Class corresponding to the MPLS Top Label. 4 */
#define NETFLOW_V9_FIELD_FLOW_SAMPLER_ID	48	/* Identifier shown in "show flow-sampler". 1 */
#define NETFLOW_V9_FIELD_FLOW_SAMPLER_MODE	49	/* The type of algorithm used for sampling data. 2 */
#define NETFLOW_V9_FIELD_FLOW_SAMPLER_RANDOM_INTERVAL		50	/* Packet interval at which to sample. 4. */
#define NETFLOW_V9_FIELD_DST_TOS		55	/* Type of Service byte setting when exiting outgoing interface. 1. */
#define NETFLOW_V9_FIELD_SRC_MAC		56	/* Source MAC Address. 6 */
#define NETFLOW_V9_FIELD_DST_MAC		57	/* Destination MAC Address. 6 */
#define NETFLOW_V9_FIELD_SRC_VLAN		58	/* Virtual LAN identifier associated with ingress interface. 2 */
#define NETFLOW_V9_FIELD_DST_VLAN		59	/* Virtual LAN identifier associated with egress interface. 2 */
#define NETFLOW_V9_FIELD_IP_PROTOCOL_VERSION	60	/* Internet Protocol Version. Set to 4 for IPv4, set to 6 for IPv6. If not present in the template, then version 4 is assumed. 1. */
#define NETFLOW_V9_FIELD_DIRECTION		61	/* Flow direction: 0 - ingress flow 1 - egress flow. 1 */
#define NETFLOW_V9_FIELD_IPV6_NEXT_HOP		62	/* IPv6 address of the next-hop router. 16 */
#define NETFLOW_V9_FIELD_BGP_IPV6_NEXT_HOP	63	/* Next-hop router in the BGP domain. 16 */
#define NETFLOW_V9_FIELD_IPV6_OPTION_HEADERS	64	/* Bit-encoded field identifying IPv6 option headers found in the flow */
#define NETFLOW_V9_FIELD_MPLS_LABEL_1		70	/* MPLS label at position 1 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_2		71	/* MPLS label at position 2 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_3		72	/* MPLS label at position 3 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_4		73	/* MPLS label at position 4 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_5		74	/* MPLS label at position 5 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_6		75	/* MPLS label at position 6 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_7		76	/* MPLS label at position 7 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_8		77	/* MPLS label at position 8 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_9		78	/* MPLS label at position 9 in the stack. 3 */
#define NETFLOW_V9_FIELD_MPLS_LABEL_10		79	/* MPLS label at position 10 in the stack. 3 */

#define NETFLOW_V9_MAX_RESERVED_FLOWSET		0xFF	/* Clause 5.2 */