Switch to 16 byte sampler fiel for netflow v5

This commit is contained in:
Pavel Odintsov 2015-05-30 00:53:10 +03:00
parent a43dfac47e
commit 657d811968
2 changed files with 10 additions and 8 deletions


@ -89,7 +89,11 @@ struct NF1_FLOW {
struct NF5_HEADER {
struct NF_HEADER_COMMON c;
u_int32_t uptime_ms, time_sec, time_nanosec, flow_sequence;
u_int8_t engine_type, engine_id, reserved1, reserved2;
u_int8_t engine_type, engine_id;
// "First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval"
// accoring to https://www.plixer.com/support/netflow_v5.html
// http://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html
u_int16_t sampling_rate;
} __packed;
struct NF5_FLOW {
u_int32_t src_ip, dest_ip, nexthop_ip;
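Review bot: The new `sampling_rate` field packs a 2-bit mode and a 14-bit interval, as the added comment says, but the header gives the reader no mask to separate them and does not say that the value is in network byte order like the surrounding fields. I would add, next to `struct NF5_HEADER`, `#define NF5_SAMPLING_MODE_MASK 0xC000` and `#define NF5_SAMPLING_INTERVAL_MASK 0x3FFF` with a one-line comment that both apply after the byte swap, so process_netflow_packet_v5 in the second file does not have to re-derive them from the comment. Because the value is read from a received packet, the consumer should presumably reject an interval of 0 before it is used as a ratio — confirm how sample_ratio is consumed. The comment's "accoring" should read "according".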


@ -863,6 +863,10 @@ void process_netflow_packet_v5(u_int8_t* packet, u_int len) {
return;
}
// Yes, but we whould zeroify two bits where sampling type stored
//uint16_t netflow5_sampling_ratio = fast_ntoh(nf5_hdr->sampling_rate);
uint16_t netflow5_sampling_ratio = sampling_rate;
for (u_int i = 0; i < nflows; i++) {
size_t offset = NF5_PACKET_SIZE(i);
struct NF5_FLOW* nf5_flow = (struct NF5_FLOW*)(packet + offset);
@ -891,14 +895,8 @@ void process_netflow_packet_v5(u_int8_t* packet, u_int len) {
current_packet.number_of_packets = fast_ntoh(nf5_flow->flow_packets);
// TODO: use sampling data from packet, disable customization here
// accoring to https://www.plixer.com/support/netflow_v5.html
// fields: reserved1, reserved2
// should be implemented as single 16 byte value which consist os 2 byte (mode)
// and 14 byte integer representation of sampling rate
// "First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval"
// Wireshark dump approves this idea
current_packet.sample_ratio = sampling_rate;
current_packet.sample_ratio = netflow5_sampling_ratio;
current_packet.source_port = fast_ntoh(nf5_flow->src_port);
current_packet.destination_port = fast_ntoh(nf5_flow->dest_port);