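/*-
 * Copyright (c) 2004 Gleb Smirnoff <glebius@FreeBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	 $SourceForge: netflow.h,v 1.8 2004/09/16 17:05:11 glebius Exp $
 * $FreeBSD: src/sys/netgraph/netflow/netflow.h,v 1.4 2006/04/25 20:01:50 maxim Exp $
 */

/*
 * On-wire layouts of NetFlow v1 and v5 export datagrams.
 *
 * Every structure here is declared packed, so sizeof() gives the exact
 * byte count of the corresponding wire element and no compiler padding is
 * inserted between members.
 *
 * NOTE(review): the Cisco formats referenced below carry multi-byte fields
 * in network byte order; this header performs no conversion, so confirm
 * that producers and consumers apply htons()/htonl() or ntohs()/ntohl().
 *
 * NOTE(review): any code that parses these structures from a received
 * datagram should treat `count` as untrusted: check it against
 * NETFLOW_V1_MAX_RECORDS / NETFLOW_V5_MAX_RECORDS and against the number
 * of bytes actually received before indexing into the record array.
 */

/* netflow timeouts in seconds */

#define	ACTIVE_TIMEOUT		(30*60)	/* maximum flow lifetime is 30 min */
#define	INACTIVE_TIMEOUT	15	/* presumably the idle-flow expiry; confirm in the user of this macro */

/*
 * More info can be found in these Cisco documents:
 *
 * Cisco IOS NetFlow, White Papers.
 * http://www.cisco.com/en/US/products/ps6601/prod_white_papers_list.html
 *
 * Cisco CNS NetFlow Collection Engine User Guide, 5.0.2, NetFlow Export
 * Datagram Formats.
 * http://www.cisco.com/en/US/products/sw/netmgtsw/ps1964/products_user_guide_chapter09186a00803f3147.html#wp26453
 *
 */

/* Values carried in the `version` field of the datagram header. */
#define	NETFLOW_V1	1
#define	NETFLOW_V5	5

/* NetFlow v1 datagram header; 16 bytes as packed. */
struct netflow_v1_header
{
	uint16_t version;	/* NetFlow version */
	uint16_t count;		/* Number of records in this datagram */
	uint32_t sys_uptime;	/* System uptime */
	uint32_t unix_secs;	/* Current seconds since 0000 UTC 1970 */
	uint32_t unix_nsecs;	/* Remaining nanoseconds since 0000 UTC 1970 */
} __attribute__((__packed__));

/* NetFlow v5 datagram header; 24 bytes as packed. */
struct netflow_v5_header
{
	uint16_t version;	/* NetFlow version */
	uint16_t count;		/* Number of records in this datagram */
	uint32_t sys_uptime;	/* System uptime */
	uint32_t unix_secs;	/* Current seconds since 0000 UTC 1970 */
	uint32_t unix_nsecs;	/* Remaining nanoseconds since 0000 UTC 1970 */
	uint32_t flow_seq;	/* Sequence number of the first record */
	uint8_t  engine_type;	/* Type of flow switching engine (RP,VIP,etc.) */
	uint8_t  engine_id;	/* Slot number of the flow switching engine */
	uint16_t pad;		/* Pad to word boundary */
} __attribute__((__packed__));

/*
 * NetFlow v1 flow record.
 *
 * NOTE(review): the members below add up to 49 bytes as packed, whereas
 * the Cisco v1 flow record is, to my reading of the format, 48 bytes.
 * Confirm the pad/reserved sizes before relying on this layout to emit
 * or parse v1 datagrams.  The layout is left unchanged here.
 */
struct netflow_v1_record
{
	uint32_t src_addr;	/* Source IP address */
	uint32_t dst_addr;	/* Destination IP address */
	uint32_t next_hop;	/* Next hop IP address */
	uint16_t in_ifx;	/* Source interface index */
	uint16_t out_ifx;	/* Destination interface index */
	uint32_t packets;	/* Number of packets in a flow */
	uint32_t octets;	/* Number of octets in a flow */
	uint32_t first;		/* System uptime at start of a flow */
	uint32_t last;		/* System uptime at end of a flow */
	uint16_t s_port;	/* Source port */
	uint16_t d_port;	/* Destination port */
	uint16_t pad1;		/* Pad to word boundary */
	uint8_t  prot;		/* IP protocol */
	uint8_t  tos;		/* IP type of service */
	uint8_t  flags;		/* Cumulative OR of tcp flags */
	uint8_t  pad2;		/* Pad to word boundary */
	uint16_t pad3;		/* Pad to word boundary */
	uint8_t  reserved[5];	/* Reserved for future use */
} __attribute__((__packed__));

/* NetFlow v5 flow record; 48 bytes as packed. */
struct netflow_v5_record
{
	uint32_t src_addr;	/* Source IP address */
	uint32_t dst_addr;	/* Destination IP address */
	uint32_t next_hop;	/* Next hop IP address */
	uint16_t i_ifx;		/* Source interface index */
	uint16_t o_ifx;		/* Destination interface index */
	uint32_t packets;	/* Number of packets in a flow */
	uint32_t octets;	/* Number of octets in a flow */
	uint32_t first;		/* System uptime at start of a flow */
	uint32_t last;		/* System uptime at end of a flow */
	uint16_t s_port;	/* Source port */
	uint16_t d_port;	/* Destination port */
	uint8_t  pad1;		/* Pad to word boundary */
	uint8_t  flags;		/* Cumulative OR of tcp flags */
	uint8_t  prot;		/* IP protocol */
	uint8_t  tos;		/* IP type of service */
	uint16_t src_as;	/* Src peer/origin Autonomous System */
	uint16_t dst_as;	/* Dst peer/origin Autonomous System */
	uint8_t  src_mask;	/* Source route's mask bits */
	uint8_t  dst_mask;	/* Destination route's mask bits */
	uint16_t pad2;		/* Pad to word boundary */
} __attribute__((__packed__));

/* Upper bound on the number of flow records carried by one datagram. */
#define	NETFLOW_V1_MAX_RECORDS	24
#define	NETFLOW_V5_MAX_RECORDS	30

/*
 * Size in bytes of a full datagram: header plus the maximum record count.
 * The operands name the struct tags explicitly; a bare tag without the
 * `struct` keyword is not a type name in C, so the macros could not be
 * expanded in a C translation unit without it.
 */
#define	NETFLOW_V1_MAX_SIZE	(sizeof(struct netflow_v1_header) + \
				 sizeof(struct netflow_v1_record) * NETFLOW_V1_MAX_RECORDS)
#define	NETFLOW_V5_MAX_SIZE	(sizeof(struct netflow_v5_header) + \
				 sizeof(struct netflow_v5_record) * NETFLOW_V5_MAX_RECORDS)

/*
 * A complete v5 export datagram with room for the maximum number of
 * records.  Only the first header.count entries of r[] are meaningful;
 * the array bound is NETFLOW_V5_MAX_RECORDS, so any index derived from a
 * header must be checked against it.
 */
struct netflow_v5_export_dgram {
	struct netflow_v5_header	header;
	struct netflow_v5_record	r[NETFLOW_V5_MAX_RECORDS];
} __attribute__((__packed__));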