ftlib.h

netflow,抓包

  u_int32 flows_misordered;       /* # misordered flows */
  u_int32 pkts_corrupt;           /* # corrupt packets */
  u_int32 seq_reset;              /* # times sequence # was so far off
                                   *   lost/misordered state could not be 
                                   *   guessed */
  u_int8 vendor;                   /* vendor ID FT_VENDOR */
  u_int8 filler1;
  u_int16 filler2;
  char *cap_hostname;             /* hostname of capture device */
  char *comments;                 /* comments */
  struct ftmap *ftmap;            /* mappings */
  u_int32 enc_len;                /* length of encoded header */
};


struct fts1header {
  /*
   * following four 4 fields are not byte order dependent
   */
  u_int8  magic1;                 /* 0xCF */
  u_int8  magic2;                 /* 0xL0 (cisco flow) */
  u_int8  byte_order;             /* 1 for little endian (VAX) */
                                  /* 2 for big endian (Motorolla) */
  u_int8  s_version;              /* flow stream format version 1 or 2 */
  /*
   * byte order specified by byte_order
   */
  u_int16 d_version;                  /* 1 or 5  - stream version 1 */
                                      /* 1,5,7,8 - stream version 2 */
  u_int32 start;                      /* start time of flow capture */
  u_int32 end;                        /* end time of flow capture */
  u_int32 flags;                      /* FT_HEADER_FLAG_* */
  u_int32 rotation;                   /* rotation schedule */
  u_int32 nflows;                     /* # of flows */
  u_int32 pdu_drops;                  /* # of dropped pdu's detected */
  u_int32 pdu_misordered;             /* # of detected misordered packets */
  char hostname[FT_HEADER1_HN_LEN];   /* 0 terminated name of capture device */
  char comments[FT_HEADER1_CMNT_LEN]; /* 0 terminated ascii comments */
};

/* offsets to all possible entries in export structure */

struct fts3rec_offsets {
  struct ftver ftv;
  u_int64 xfields;
  u_int16 unix_secs;
  u_int16 unix_nsecs;
  u_int16 sysUpTime;
  u_int16 exaddr;
  u_int16 srcaddr;
  u_int16 dstaddr;
  u_int16 nexthop;
  u_int16 input;
  u_int16 output;
  u_int16 dFlows;
  u_int16 dPkts;
  u_int16 dOctets;
  u_int16 First;
  u_int16 Last;
  u_int16 srcport;
  u_int16 dstport;
  u_int16 prot;
  u_int16 tos;
  u_int16 tcp_flags;
  u_int16 pad;
  u_int16 engine_type;
  u_int16 engine_id;
  u_int16 src_mask;
  u_int16 dst_mask;
  u_int16 src_as;
  u_int16 dst_as;
  u_int16 in_encaps;
  u_int16 out_encaps;
  u_int16 peer_nexthop;
  u_int16 router_sc;
  u_int16 src_tag;
  u_int16 dst_tag;
  u_int16 extra_pkts;
  u_int16 marked_tos;
};

/* "all" fields */
struct fts3rec_all {
  u_int32 *unix_secs;
  u_int32 *unix_nsecs;
  u_int32 *sysUpTime;
  u_int32 *exaddr;
  u_int32 *srcaddr;
  u_int32 *dstaddr;
  u_int32 *nexthop;
  u_int16 *input;
  u_int16 *output;
  u_int32 *dFlows;
  u_int32 *dPkts;
  u_int32 *dOctets;
  u_int32 *First;
  u_int32 *Last;
  u_int16 *srcport;
  u_int16 *dstport;
  u_int8  *prot;
  u_int8  *tos;
  u_int8  *tcp_flags;
  u_int8  *engine_type;
  u_int8  *engine_id;
  u_int8  *src_mask;
  u_int8  *dst_mask;
  u_int16 *src_as;
  u_int16 *dst_as;
  u_int8  *in_encaps;
  u_int8  *out_encaps;
  u_int32 *peer_nexthop;
  u_int32 *router_sc;
  u_int32 *src_tag;
  u_int32 *dst_tag;
  u_int32 *extra_pkts;
  u_int8  *marked_tos;
};

/* "all" fields */
struct fts3rec_all2 {
  u_int64 dFlows64;
  u_int64 dPkts64;
  u_int64 dOctets64;
  u_int32 unix_secs;
  u_int32 unix_nsecs;
  u_int32 sysUpTime;
  u_int32 exaddr;
  u_int32 srcaddr;
  u_int32 dstaddr;
  u_int32 nexthop;
  u_int16 input;
  u_int16 output;
  u_int32 dFlows;
  u_int32 dPkts;
  u_int32 dOctets;
  u_int32 First;
  u_int32 Last;
  u_int16 srcport;
  u_int16 dstport;
  u_int8  prot;
  u_int8  tos;
  u_int8  tcp_flags;
  u_int8  engine_type;
  u_int8  engine_id;
  u_int8  src_mask;
  u_int8  dst_mask;
  u_int16 src_as;
  u_int16 dst_as;
  u_int8  in_encaps;
  u_int8  out_encaps;
  u_int32 peer_nexthop;
  u_int32 router_sc;
  u_int32 src_tag;
  u_int32 dst_tag;
  u_int32 extra_pkts;
  u_int8  marked_tos;
};

#define FT_RECGET_UNIX_SECS(A,B,C) A.unix_secs =\
  *((u_int32*)(B+(C).unix_secs));
#define FT_RECGET_UNIX_NSECS(A,B,C) A.unix_nsecs =\
  *((u_int32*)(B+(C).unix_nsecs));
#define FT_RECGET_SYSUPTIME(A,B,C) A.sysUpTime =\
  *((u_int32*)(B+(C).sysUpTime));
#define FT_RECGET_EXADDR(A,B,C) A.exaddr =\
  *((u_int32*)(B+(C).exaddr));
#define FT_RECGET_DFLOWS(A,B,C) A.dFlows =\
  *((u_int32*)(B+(C).dFlows));
#define FT_RECGET64_DFLOWS(A,B,C) A.dFlows64 =\
  *((u_int32*)(B+(C).dFlows));
#define FT_RECGET_DPKTS(A,B,C) A.dPkts =\
  *((u_int32*)(B+(C).dPkts));
#define FT_RECGET64_DPKTS(A,B,C) A.dPkts64 =\
  *((u_int32*)(B+(C).dPkts));
#define FT_RECGET_DOCTETS(A,B,C) A.dOctets =\
  *((u_int32*)(B+(C).dOctets));
#define FT_RECGET64_DOCTETS(A,B,C) A.dOctets64 =\
  *((u_int32*)(B+(C).dOctets));
#define FT_RECGET_FIRST(A,B,C) A.First =\
  *((u_int32*)(B+(C).First));
#define FT_RECGET_LAST(A,B,C) A.Last =\
  *((u_int32*)(B+(C).Last));
#define FT_RECGET_ENGINE_TYPE(A,B,C) A.engine_type =\
  *((u_int8*)(B+(C).engine_type));
#define FT_RECGET_ENGINE_ID(A,B,C) A.engine_id =\
  *((u_int8*)(B+(C).engine_id));
#define FT_RECGET_SRCADDR(A,B,C) A.srcaddr =\
  *((u_int32*)(B+(C).srcaddr));
#define FT_RECGET_DSTADDR(A,B,C) A.dstaddr =\
  *((u_int32*)(B+(C).dstaddr));
#define FT_RECGET_NEXTHOP(A,B,C) A.nexthop =\
  *((u_int32*)(B+(C).nexthop));
#define FT_RECGET_INPUT(A,B,C) A.input =\
  *((u_int16*)(B+(C).input));
#define FT_RECGET_OUTPUT(A,B,C) A.output =\
  *((u_int16*)(B+(C).output));
#define FT_RECGET_SRCPORT(A,B,C) A.srcport =\
  *((u_int16*)(B+(C).srcport));
#define FT_RECGET_DSTPORT(A,B,C) A.dstport =\
  *((u_int16*)(B+(C).dstport));
#define FT_RECGET_PROT(A,B,C) A.prot =\
  *((u_int8*)(B+(C).prot));
#define FT_RECGET_TOS(A,B,C) A.tos =\
  *((u_int8*)(B+(C).tos));
#define FT_RECGET_TCP_FLAGS(A,B,C) A.tcp_flags =\
  *((u_int8*)(B+(C).tcp_flags));
#define FT_RECGET_SRC_MASK(A,B,C) A.src_mask =\
  *((u_int8*)(B+(C).src_mask));
#define FT_RECGET_DST_MASK(A,B,C) A.dst_mask =\
  *((u_int8*)(B+(C).dst_mask));
#define FT_RECGET_SRC_AS(A,B,C) A.src_as =\
  *((u_int16*)(B+(C).src_as));
#define FT_RECGET_DST_AS(A,B,C) A.dst_as =\
  *((u_int16*)(B+(C).dst_as));
#define FT_RECGET_IN_ENCAPS(A,B,C) A.in_encaps =\
  *((u_int8*)(B+(C).in_encaps));
#define FT_RECGET_OUT_ENCAPS(A,B,C) A.out_encaps =\
  *((u_int8*)(B+(C).out_encaps));
#define FT_RECGET_PEER_NEXTHOP(A,B,C) A.peer_nexthop =\
  *((u_int32*)(B+(C).peer_nexthop));
#define FT_RECGET_EXTRA_PKTS(A,B,C) A.extra_pkts =\
  *((u_int32*)(B+(C).extra_pkts));
#define FT_RECGET_MARKED_TOS(A,B,C) A.marked_tos =\
  *((u_int8*)(B+(C).marked_tos));
#define FT_RECGET_SRC_TAG(A,B,C) A.src_tag =\
  *((u_int32*)(B+(C).src_tag));
#define FT_RECGET_DST_TAG(A,B,C) A.dst_tag =\
  *((u_int32*)(B+(C).dst_tag));

struct fts3rec_gen {
  u_int32 unix_secs;      /* Current seconds since 0000 UTC 1970 */
  u_int32 unix_nsecs;     /* Residual nanoseconds since 0000 UTC 1970 */
  u_int32 sysUpTime;      /* Current time in millisecs since router booted */
  u_int32 exaddr;         /* Exporter IP address */
  u_int32 srcaddr;        /* Source IP Address */
  u_int32 dstaddr;        /* Destination IP Address */
  u_int32 nexthop;        /* Next hop router's IP Address */
  u_int16 input;          /* Input interface index */
  u_int16 output;         /* Output interface index */
  u_int32 dPkts;          /* Packets sent in Duration */
  u_int32 dOctets;        /* Octets sent in Duration. */
  u_int32 First;          /* SysUptime at start of flow */
  u_int32 Last;           /* and of last packet of flow */
  u_int16 srcport;        /* TCP/UDP source port number or equivalent */
  u_int16 dstport;        /* TCP/UDP destination port number or equiv */
  u_int8  prot;           /* IP protocol, e.g., 6=TCP, 17=UDP, ... */
  u_int8  tos;            /* IP Type-of-Service */
  u_int8  tcp_flags;      /* OR of TCP header bits */
  u_int8  pad;
};

struct fts3rec_v5_gen {
  u_int32 unix_secs;      /* Current seconds since 0000 UTC 1970 */
  u_int32 unix_nsecs;     /* Residual nanoseconds since 0000 UTC 1970 */
  u_int32 sysUpTime;      /* Current time in millisecs since router booted */
  u_int32 exaddr;         /* Exporter IP address */
  u_int32 srcaddr;        /* Source IP Address */
  u_int32 dstaddr;        /* Destination IP Address */
  u_int32 nexthop;        /* Next hop router's IP Address */
  u_int16 input;          /* Input interface index */
  u_int16 output;         /* Output interface index */
  u_int32 dPkts;          /* Packets sent in Duration */
  u_int32 dOctets;        /* Octets sent in Duration. */
  u_int32 First;          /* SysUptime at start of flow */
  u_int32 Last;           /* and of last packet of flow */
  u_int16 srcport;        /* TCP/UDP source port number or equivalent */
  u_int16 dstport;        /* TCP/UDP destination port number or equiv */
  u_int8  prot;           /* IP protocol, e.g., 6=TCP, 17=UDP, ... */
  u_int8  tos;            /* IP Type-of-Service */
  u_int8  tcp_flags;      /* OR of TCP header bits */
  u_int8  pad;
  u_int8  engine_type;    /* Type of flow switching engine (RP,VIP,etc.) */
  u_int8  engine_id;      /* Slot number of the flow switching engine */
  u_int8  src_mask;       /* mask length of source address */
  u_int8  dst_mask;       /* mask length of destination address */
  u_int16 src_as;         /* AS of source address */
  u_int16 dst_as;         /* AS of destination address */
};

struct fts3rec_v1 {
  u_int32 unix_secs;      /* Current seconds since 0000 UTC 1970 */
  u_int32 unix_nsecs;     /* Residual nanoseconds since 0000 UTC 1970 */
  u_int32 sysUpTime;      /* Current time in millisecs since router booted */
  u_int32 exaddr;         /* Exporter IP address */
  u_int32 srcaddr;        /* Source IP Address */
  u_int32 dstaddr;        /* Destination IP Address */
  u_int32 nexthop;        /* Next hop router's IP Address */
  u_int16 input;          /* Input interface index */
  u_int16 output;         /* Output interface index */
  u_int32 dPkts;          /* Packets sent in Duration */
  u_int32 dOctets;        /* Octets sent in Duration. */
  u_int32 First;          /* SysUptime at start of flow */
  u_int32 Last;           /* and of last packet of flow */
  u_int16 srcport;        /* TCP/UDP source port number or equivalent */
  u_int16 dstport;        /* TCP/UDP destination port number or equiv */
  u_int8  prot;           /* IP protocol, e.g., 6=TCP, 17=UDP, ... */
  u_int8  tos;            /* IP Type-of-Service */
  u_int8  tcp_flags;      /* OR of TCP header bits */
  u_int8  pad;
  u_int32 reserved;
};

/* note the v5 struct is a subset of v6 and v7.  v6 and v7 are assumed
 *  to be in the same order so the engine_* src_mask, dst_mask, src_as and
 *  dst_as are in the same place.  v5 is like a generic v5, v6, v7
 */
struct fts3rec_v5 {
  u_int32 unix_secs;      /* Current seconds since 0000 UTC 1970 */
  u_int32 unix_nsecs;     /* Residual nanoseconds since 0000 UTC 1970 */
  u_int32 sysUpTime;      /* Current time in millisecs since router booted */
  u_int32 exaddr;         /* Exporter IP address */