1 /* 2 * Copyright (c) 1998-2007 The TCPDUMP project 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that: (1) source code 6 * distributions retain the above copyright notice and this paragraph 7 * in its entirety, and (2) distributions including binary code include 8 * the above copyright notice and this paragraph in its entirety in 9 * the documentation or other materials provided with the distribution. 10 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND 11 * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT 12 * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 13 * FOR A PARTICULAR PURPOSE. 14 * 15 * The SFLOW protocol as per http://www.sflow.org/developers/specifications.php 16 * 17 * Original code by Carles Kishimoto <carles.kishimoto@gmail.com> 18 * 19 * Expansion and refactoring by Rick Jones <rick.jones2@hp.com> 20 */ 21 22 #include <sys/cdefs.h> 23 #ifndef lint 24 __RCSID("$NetBSD: print-sflow.c,v 1.6 2015/03/31 21:59:35 christos Exp $"); 25 #endif 26 27 #define NETDISSECT_REWORKED 28 #ifdef HAVE_CONFIG_H 29 #include "config.h" 30 #endif 31 32 #include <tcpdump-stdinc.h> 33 34 #include "interface.h" 35 #include "extract.h" 36 #include "addrtoname.h" 37 38 /* 39 * sFlow datagram 40 * 41 * 0 1 2 3 42 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 43 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 44 * | Sflow version (2,4,5) | 45 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 46 * | IP version (1 for IPv4 | 2 for IPv6) | 47 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 48 * | IP Address AGENT (4 or 16 bytes) | 49 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 50 * | Sub agent ID | 51 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 52 * | Datagram sequence number | 53 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 54 * | Switch uptime in ms | 55 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 56 * | num samples in datagram | 57 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 58 * 59 */ 60 61 struct sflow_datagram_t { 62 uint8_t version[4]; 63 uint8_t ip_version[4]; 64 uint8_t agent[4]; 65 uint8_t agent_id[4]; 66 uint8_t seqnum[4]; 67 uint8_t uptime[4]; 68 uint8_t samples[4]; 69 }; 70 71 struct sflow_sample_header { 72 uint8_t format[4]; 73 uint8_t len[4]; 74 }; 75 76 #define SFLOW_FLOW_SAMPLE 1 77 #define SFLOW_COUNTER_SAMPLE 2 78 #define SFLOW_EXPANDED_FLOW_SAMPLE 3 79 #define SFLOW_EXPANDED_COUNTER_SAMPLE 4 80 81 static const struct tok sflow_format_values[] = { 82 { SFLOW_FLOW_SAMPLE, "flow sample" }, 83 { SFLOW_COUNTER_SAMPLE, "counter sample" }, 84 { SFLOW_EXPANDED_FLOW_SAMPLE, "expanded flow sample" }, 85 { SFLOW_EXPANDED_COUNTER_SAMPLE, "expanded counter sample" }, 86 { 0, NULL} 87 }; 88 89 struct sflow_flow_sample_t { 90 uint8_t seqnum[4]; 91 uint8_t typesource[4]; 92 uint8_t rate[4]; 93 uint8_t pool[4]; 94 uint8_t drops[4]; 95 uint8_t in_interface[4]; 96 uint8_t out_interface[4]; 97 uint8_t records[4]; 98 99 }; 100 101 struct sflow_expanded_flow_sample_t { 102 uint8_t seqnum[4]; 103 uint8_t type[4]; 104 uint8_t index[4]; 105 uint8_t rate[4]; 106 uint8_t pool[4]; 107 uint8_t drops[4]; 108 uint8_t in_interface_format[4]; 109 uint8_t in_interface_value[4]; 110 uint8_t out_interface_format[4]; 111 uint8_t out_interface_value[4]; 112 uint8_t records[4]; 113 }; 114 115 #define SFLOW_FLOW_RAW_PACKET 1 116 #define SFLOW_FLOW_ETHERNET_FRAME 2 117 #define SFLOW_FLOW_IPV4_DATA 3 118 #define SFLOW_FLOW_IPV6_DATA 4 119 #define SFLOW_FLOW_EXTENDED_SWITCH_DATA 1001 120 #define SFLOW_FLOW_EXTENDED_ROUTER_DATA 1002 121 #define SFLOW_FLOW_EXTENDED_GATEWAY_DATA 1003 122 #define SFLOW_FLOW_EXTENDED_USER_DATA 1004 123 #define SFLOW_FLOW_EXTENDED_URL_DATA 1005 124 #define SFLOW_FLOW_EXTENDED_MPLS_DATA 1006 125 #define SFLOW_FLOW_EXTENDED_NAT_DATA 1007 126 #define SFLOW_FLOW_EXTENDED_MPLS_TUNNEL 1008 127 #define SFLOW_FLOW_EXTENDED_MPLS_VC 1009 128 #define SFLOW_FLOW_EXTENDED_MPLS_FEC 1010 129 #define SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC 1011 130 #define SFLOW_FLOW_EXTENDED_VLAN_TUNNEL 1012 131 132 static const struct tok sflow_flow_type_values[] = { 133 { SFLOW_FLOW_RAW_PACKET, "Raw packet"}, 134 { SFLOW_FLOW_ETHERNET_FRAME, "Ethernet frame"}, 135 { SFLOW_FLOW_IPV4_DATA, "IPv4 Data"}, 136 { SFLOW_FLOW_IPV6_DATA, "IPv6 Data"}, 137 { SFLOW_FLOW_EXTENDED_SWITCH_DATA, "Extended Switch data"}, 138 { SFLOW_FLOW_EXTENDED_ROUTER_DATA, "Extended Router data"}, 139 { SFLOW_FLOW_EXTENDED_GATEWAY_DATA, "Extended Gateway data"}, 140 { SFLOW_FLOW_EXTENDED_USER_DATA, "Extended User data"}, 141 { SFLOW_FLOW_EXTENDED_URL_DATA, "Extended URL data"}, 142 { SFLOW_FLOW_EXTENDED_MPLS_DATA, "Extended MPLS data"}, 143 { SFLOW_FLOW_EXTENDED_NAT_DATA, "Extended NAT data"}, 144 { SFLOW_FLOW_EXTENDED_MPLS_TUNNEL, "Extended MPLS tunnel"}, 145 { SFLOW_FLOW_EXTENDED_MPLS_VC, "Extended MPLS VC"}, 146 { SFLOW_FLOW_EXTENDED_MPLS_FEC, "Extended MPLS FEC"}, 147 { SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC, "Extended MPLS LVP FEC"}, 148 { SFLOW_FLOW_EXTENDED_VLAN_TUNNEL, "Extended VLAN Tunnel"}, 149 { 0, NULL} 150 }; 151 152 #define SFLOW_HEADER_PROTOCOL_ETHERNET 1 153 #define SFLOW_HEADER_PROTOCOL_IPV4 11 154 #define SFLOW_HEADER_PROTOCOL_IPV6 12 155 156 static const struct tok sflow_flow_raw_protocol_values[] = { 157 { SFLOW_HEADER_PROTOCOL_ETHERNET, "Ethernet"}, 158 { SFLOW_HEADER_PROTOCOL_IPV4, "IPv4"}, 159 { SFLOW_HEADER_PROTOCOL_IPV6, "IPv6"}, 160 { 0, NULL} 161 }; 162 163 struct sflow_expanded_flow_raw_t { 164 uint8_t protocol[4]; 165 uint8_t length[4]; 166 uint8_t stripped_bytes[4]; 167 uint8_t header_size[4]; 168 }; 169 170 struct sflow_ethernet_frame_t { 171 uint8_t length[4]; 172 uint8_t src_mac[8]; 173 uint8_t dst_mac[8]; 174 uint8_t type[4]; 175 }; 176 177 struct sflow_extended_switch_data_t { 178 uint8_t src_vlan[4]; 179 uint8_t src_pri[4]; 180 uint8_t dst_vlan[4]; 181 uint8_t dst_pri[4]; 182 }; 183 184 struct sflow_counter_record_t { 185 uint8_t format[4]; 186 uint8_t length[4]; 187 }; 188 189 struct sflow_flow_record_t { 190 uint8_t format[4]; 191 uint8_t length[4]; 192 }; 193 194 struct sflow_counter_sample_t { 195 uint8_t seqnum[4]; 196 uint8_t typesource[4]; 197 uint8_t records[4]; 198 }; 199 200 struct sflow_expanded_counter_sample_t { 201 uint8_t seqnum[4]; 202 uint8_t type[4]; 203 uint8_t index[4]; 204 uint8_t records[4]; 205 }; 206 207 #define SFLOW_COUNTER_GENERIC 1 208 #define SFLOW_COUNTER_ETHERNET 2 209 #define SFLOW_COUNTER_TOKEN_RING 3 210 #define SFLOW_COUNTER_BASEVG 4 211 #define SFLOW_COUNTER_VLAN 5 212 #define SFLOW_COUNTER_PROCESSOR 1001 213 214 static const struct tok sflow_counter_type_values[] = { 215 { SFLOW_COUNTER_GENERIC, "Generic counter"}, 216 { SFLOW_COUNTER_ETHERNET, "Ethernet counter"}, 217 { SFLOW_COUNTER_TOKEN_RING, "Token ring counter"}, 218 { SFLOW_COUNTER_BASEVG, "100 BaseVG counter"}, 219 { SFLOW_COUNTER_VLAN, "Vlan counter"}, 220 { SFLOW_COUNTER_PROCESSOR, "Processor counter"}, 221 { 0, NULL} 222 }; 223 224 #define SFLOW_IFACE_DIRECTION_UNKNOWN 0 225 #define SFLOW_IFACE_DIRECTION_FULLDUPLEX 1 226 #define SFLOW_IFACE_DIRECTION_HALFDUPLEX 2 227 #define SFLOW_IFACE_DIRECTION_IN 3 228 #define SFLOW_IFACE_DIRECTION_OUT 4 229 230 static const struct tok sflow_iface_direction_values[] = { 231 { SFLOW_IFACE_DIRECTION_UNKNOWN, "unknown"}, 232 { SFLOW_IFACE_DIRECTION_FULLDUPLEX, "full-duplex"}, 233 { SFLOW_IFACE_DIRECTION_HALFDUPLEX, "half-duplex"}, 234 { SFLOW_IFACE_DIRECTION_IN, "in"}, 235 { SFLOW_IFACE_DIRECTION_OUT, "out"}, 236 { 0, NULL} 237 }; 238 239 struct sflow_generic_counter_t { 240 uint8_t ifindex[4]; 241 uint8_t iftype[4]; 242 uint8_t ifspeed[8]; 243 uint8_t ifdirection[4]; 244 uint8_t ifstatus[4]; 245 uint8_t ifinoctets[8]; 246 uint8_t ifinunicastpkts[4]; 247 uint8_t ifinmulticastpkts[4]; 248 uint8_t ifinbroadcastpkts[4]; 249 uint8_t ifindiscards[4]; 250 uint8_t ifinerrors[4]; 251 uint8_t ifinunkownprotos[4]; 252 uint8_t ifoutoctets[8]; 253 uint8_t ifoutunicastpkts[4]; 254 uint8_t ifoutmulticastpkts[4]; 255 uint8_t ifoutbroadcastpkts[4]; 256 uint8_t ifoutdiscards[4]; 257 uint8_t ifouterrors[4]; 258 uint8_t ifpromiscmode[4]; 259 }; 260 261 struct sflow_ethernet_counter_t { 262 uint8_t alignerrors[4]; 263 uint8_t fcserrors[4]; 264 uint8_t single_collision_frames[4]; 265 uint8_t multiple_collision_frames[4]; 266 uint8_t test_errors[4]; 267 uint8_t deferred_transmissions[4]; 268 uint8_t late_collisions[4]; 269 uint8_t excessive_collisions[4]; 270 uint8_t mac_transmit_errors[4]; 271 uint8_t carrier_sense_errors[4]; 272 uint8_t frame_too_longs[4]; 273 uint8_t mac_receive_errors[4]; 274 uint8_t symbol_errors[4]; 275 }; 276 277 struct sflow_100basevg_counter_t { 278 uint8_t in_highpriority_frames[4]; 279 uint8_t in_highpriority_octets[8]; 280 uint8_t in_normpriority_frames[4]; 281 uint8_t in_normpriority_octets[8]; 282 uint8_t in_ipmerrors[4]; 283 uint8_t in_oversized[4]; 284 uint8_t in_data_errors[4]; 285 uint8_t in_null_addressed_frames[4]; 286 uint8_t out_highpriority_frames[4]; 287 uint8_t out_highpriority_octets[8]; 288 uint8_t transitioninto_frames[4]; 289 uint8_t hc_in_highpriority_octets[8]; 290 uint8_t hc_in_normpriority_octets[8]; 291 uint8_t hc_out_highpriority_octets[8]; 292 }; 293 294 struct sflow_vlan_counter_t { 295 uint8_t vlan_id[4]; 296 uint8_t octets[8]; 297 uint8_t unicast_pkt[4]; 298 uint8_t multicast_pkt[4]; 299 uint8_t broadcast_pkt[4]; 300 uint8_t discards[4]; 301 }; 302 303 static int 304 print_sflow_counter_generic(netdissect_options *ndo, 305 const u_char *pointer, u_int len) 306 { 307 const struct sflow_generic_counter_t *sflow_gen_counter; 308 309 if (len < sizeof(struct sflow_generic_counter_t)) 310 return 1; 311 312 313 sflow_gen_counter = (const struct sflow_generic_counter_t *)pointer; 314 ND_PRINT((ndo, "\n\t ifindex %u, iftype %u, ifspeed %" PRIu64 ", ifdirection %u (%s)", 315 EXTRACT_32BITS(sflow_gen_counter->ifindex), 316 EXTRACT_32BITS(sflow_gen_counter->iftype), 317 EXTRACT_64BITS(sflow_gen_counter->ifspeed), 318 EXTRACT_32BITS(sflow_gen_counter->ifdirection), 319 tok2str(sflow_iface_direction_values, "Unknown", 320 EXTRACT_32BITS(sflow_gen_counter->ifdirection)))); 321 ND_PRINT((ndo, "\n\t ifstatus %u, adminstatus: %s, operstatus: %s", 322 EXTRACT_32BITS(sflow_gen_counter->ifstatus), 323 EXTRACT_32BITS(sflow_gen_counter->ifstatus)&1 ? "up" : "down", 324 (EXTRACT_32BITS(sflow_gen_counter->ifstatus)>>1)&1 ? "up" : "down")); 325 ND_PRINT((ndo, "\n\t In octets %" PRIu64 326 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u", 327 EXTRACT_64BITS(sflow_gen_counter->ifinoctets), 328 EXTRACT_32BITS(sflow_gen_counter->ifinunicastpkts), 329 EXTRACT_32BITS(sflow_gen_counter->ifinmulticastpkts), 330 EXTRACT_32BITS(sflow_gen_counter->ifinbroadcastpkts), 331 EXTRACT_32BITS(sflow_gen_counter->ifindiscards))); 332 ND_PRINT((ndo, "\n\t In errors %u, unknown protos %u", 333 EXTRACT_32BITS(sflow_gen_counter->ifinerrors), 334 EXTRACT_32BITS(sflow_gen_counter->ifinunkownprotos))); 335 ND_PRINT((ndo, "\n\t Out octets %" PRIu64 336 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u", 337 EXTRACT_64BITS(sflow_gen_counter->ifoutoctets), 338 EXTRACT_32BITS(sflow_gen_counter->ifoutunicastpkts), 339 EXTRACT_32BITS(sflow_gen_counter->ifoutmulticastpkts), 340 EXTRACT_32BITS(sflow_gen_counter->ifoutbroadcastpkts), 341 EXTRACT_32BITS(sflow_gen_counter->ifoutdiscards))); 342 ND_PRINT((ndo, "\n\t Out errors %u, promisc mode %u", 343 EXTRACT_32BITS(sflow_gen_counter->ifouterrors), 344 EXTRACT_32BITS(sflow_gen_counter->ifpromiscmode))); 345 346 return 0; 347 } 348 349 static int 350 print_sflow_counter_ethernet(netdissect_options *ndo, 351 const u_char *pointer, u_int len) 352 { 353 const struct sflow_ethernet_counter_t *sflow_eth_counter; 354 355 if (len < sizeof(struct sflow_ethernet_counter_t)) 356 return 1; 357 358 sflow_eth_counter = (const struct sflow_ethernet_counter_t *)pointer; 359 ND_PRINT((ndo, "\n\t align errors %u, fcs errors %u, single collision %u, multiple collision %u, test error %u", 360 EXTRACT_32BITS(sflow_eth_counter->alignerrors), 361 EXTRACT_32BITS(sflow_eth_counter->fcserrors), 362 EXTRACT_32BITS(sflow_eth_counter->single_collision_frames), 363 EXTRACT_32BITS(sflow_eth_counter->multiple_collision_frames), 364 EXTRACT_32BITS(sflow_eth_counter->test_errors))); 365 ND_PRINT((ndo, "\n\t deferred %u, late collision %u, excessive collision %u, mac trans error %u", 366 EXTRACT_32BITS(sflow_eth_counter->deferred_transmissions), 367 EXTRACT_32BITS(sflow_eth_counter->late_collisions), 368 EXTRACT_32BITS(sflow_eth_counter->excessive_collisions), 369 EXTRACT_32BITS(sflow_eth_counter->mac_transmit_errors))); 370 ND_PRINT((ndo, "\n\t carrier error %u, frames too long %u, mac receive errors %u, symbol errors %u", 371 EXTRACT_32BITS(sflow_eth_counter->carrier_sense_errors), 372 EXTRACT_32BITS(sflow_eth_counter->frame_too_longs), 373 EXTRACT_32BITS(sflow_eth_counter->mac_receive_errors), 374 EXTRACT_32BITS(sflow_eth_counter->symbol_errors))); 375 376 return 0; 377 } 378 379 static int 380 print_sflow_counter_token_ring(netdissect_options *ndo _U_, 381 const u_char *pointer _U_, u_int len _U_) 382 { 383 return 0; 384 } 385 386 static int 387 print_sflow_counter_basevg(netdissect_options *ndo, 388 const u_char *pointer, u_int len) 389 { 390 const struct sflow_100basevg_counter_t *sflow_100basevg_counter; 391 392 if (len < sizeof(struct sflow_100basevg_counter_t)) 393 return 1; 394 395 sflow_100basevg_counter = (const struct sflow_100basevg_counter_t *)pointer; 396 ND_PRINT((ndo, "\n\t in high prio frames %u, in high prio octets %" PRIu64, 397 EXTRACT_32BITS(sflow_100basevg_counter->in_highpriority_frames), 398 EXTRACT_64BITS(sflow_100basevg_counter->in_highpriority_octets))); 399 ND_PRINT((ndo, "\n\t in norm prio frames %u, in norm prio octets %" PRIu64, 400 EXTRACT_32BITS(sflow_100basevg_counter->in_normpriority_frames), 401 EXTRACT_64BITS(sflow_100basevg_counter->in_normpriority_octets))); 402 ND_PRINT((ndo, "\n\t in ipm errors %u, oversized %u, in data errors %u, null addressed frames %u", 403 EXTRACT_32BITS(sflow_100basevg_counter->in_ipmerrors), 404 EXTRACT_32BITS(sflow_100basevg_counter->in_oversized), 405 EXTRACT_32BITS(sflow_100basevg_counter->in_data_errors), 406 EXTRACT_32BITS(sflow_100basevg_counter->in_null_addressed_frames))); 407 ND_PRINT((ndo, "\n\t out high prio frames %u, out high prio octets %" PRIu64 408 ", trans into frames %u", 409 EXTRACT_32BITS(sflow_100basevg_counter->out_highpriority_frames), 410 EXTRACT_64BITS(sflow_100basevg_counter->out_highpriority_octets), 411 EXTRACT_32BITS(sflow_100basevg_counter->transitioninto_frames))); 412 ND_PRINT((ndo, "\n\t in hc high prio octets %" PRIu64 413 ", in hc norm prio octets %" PRIu64 414 ", out hc high prio octets %" PRIu64, 415 EXTRACT_64BITS(sflow_100basevg_counter->hc_in_highpriority_octets), 416 EXTRACT_64BITS(sflow_100basevg_counter->hc_in_normpriority_octets), 417 EXTRACT_64BITS(sflow_100basevg_counter->hc_out_highpriority_octets))); 418 419 return 0; 420 } 421 422 static int 423 print_sflow_counter_vlan(netdissect_options *ndo, 424 const u_char *pointer, u_int len) 425 { 426 const struct sflow_vlan_counter_t *sflow_vlan_counter; 427 428 if (len < sizeof(struct sflow_vlan_counter_t)) 429 return 1; 430 431 sflow_vlan_counter = (const struct sflow_vlan_counter_t *)pointer; 432 ND_PRINT((ndo, "\n\t vlan_id %u, octets %" PRIu64 433 ", unicast_pkt %u, multicast_pkt %u, broadcast_pkt %u, discards %u", 434 EXTRACT_32BITS(sflow_vlan_counter->vlan_id), 435 EXTRACT_64BITS(sflow_vlan_counter->octets), 436 EXTRACT_32BITS(sflow_vlan_counter->unicast_pkt), 437 EXTRACT_32BITS(sflow_vlan_counter->multicast_pkt), 438 EXTRACT_32BITS(sflow_vlan_counter->broadcast_pkt), 439 EXTRACT_32BITS(sflow_vlan_counter->discards))); 440 441 return 0; 442 } 443 444 struct sflow_processor_counter_t { 445 uint8_t five_sec_util[4]; 446 uint8_t one_min_util[4]; 447 uint8_t five_min_util[4]; 448 uint8_t total_memory[8]; 449 uint8_t free_memory[8]; 450 }; 451 452 static int 453 print_sflow_counter_processor(netdissect_options *ndo, 454 const u_char *pointer, u_int len) 455 { 456 const struct sflow_processor_counter_t *sflow_processor_counter; 457 458 if (len < sizeof(struct sflow_processor_counter_t)) 459 return 1; 460 461 sflow_processor_counter = (const struct sflow_processor_counter_t *)pointer; 462 ND_PRINT((ndo, "\n\t 5sec %u, 1min %u, 5min %u, total_mem %" PRIu64 463 ", total_mem %" PRIu64, 464 EXTRACT_32BITS(sflow_processor_counter->five_sec_util), 465 EXTRACT_32BITS(sflow_processor_counter->one_min_util), 466 EXTRACT_32BITS(sflow_processor_counter->five_min_util), 467 EXTRACT_64BITS(sflow_processor_counter->total_memory), 468 EXTRACT_64BITS(sflow_processor_counter->free_memory))); 469 470 return 0; 471 } 472 473 static int 474 sflow_print_counter_records(netdissect_options *ndo, 475 const u_char *pointer, u_int len, u_int records) 476 { 477 u_int nrecords; 478 const u_char *tptr; 479 u_int tlen; 480 u_int counter_type; 481 u_int counter_len; 482 u_int enterprise; 483 const struct sflow_counter_record_t *sflow_counter_record; 484 485 nrecords = records; 486 tptr = pointer; 487 tlen = len; 488 489 while (nrecords > 0) { 490 /* do we have the "header?" */ 491 if (tlen < sizeof(struct sflow_counter_record_t)) 492 return 1; 493 sflow_counter_record = (const struct sflow_counter_record_t *)tptr; 494 495 enterprise = EXTRACT_32BITS(sflow_counter_record->format); 496 counter_type = enterprise & 0x0FFF; 497 enterprise = enterprise >> 20; 498 counter_len = EXTRACT_32BITS(sflow_counter_record->length); 499 ND_PRINT((ndo, "\n\t enterprise %u, %s (%u) length %u", 500 enterprise, 501 (enterprise == 0) ? tok2str(sflow_counter_type_values,"Unknown",counter_type) : "Unknown", 502 counter_type, 503 counter_len)); 504 505 tptr += sizeof(struct sflow_counter_record_t); 506 tlen -= sizeof(struct sflow_counter_record_t); 507 508 if (tlen < counter_len) 509 return 1; 510 if (enterprise == 0) { 511 switch (counter_type) { 512 case SFLOW_COUNTER_GENERIC: 513 if (print_sflow_counter_generic(ndo, tptr, tlen)) 514 return 1; 515 break; 516 case SFLOW_COUNTER_ETHERNET: 517 if (print_sflow_counter_ethernet(ndo, tptr, tlen)) 518 return 1; 519 break; 520 case SFLOW_COUNTER_TOKEN_RING: 521 if (print_sflow_counter_token_ring(ndo, tptr,tlen)) 522 return 1; 523 break; 524 case SFLOW_COUNTER_BASEVG: 525 if (print_sflow_counter_basevg(ndo, tptr, tlen)) 526 return 1; 527 break; 528 case SFLOW_COUNTER_VLAN: 529 if (print_sflow_counter_vlan(ndo, tptr, tlen)) 530 return 1; 531 break; 532 case SFLOW_COUNTER_PROCESSOR: 533 if (print_sflow_counter_processor(ndo, tptr, tlen)) 534 return 1; 535 break; 536 default: 537 if (ndo->ndo_vflag <= 1) 538 print_unknown_data(ndo, tptr, "\n\t\t", counter_len); 539 break; 540 } 541 } 542 tptr += counter_len; 543 tlen -= counter_len; 544 nrecords--; 545 546 } 547 548 return 0; 549 } 550 551 static int 552 sflow_print_counter_sample(netdissect_options *ndo, 553 const u_char *pointer, u_int len) 554 { 555 const struct sflow_counter_sample_t *sflow_counter_sample; 556 u_int nrecords; 557 u_int typesource; 558 u_int type; 559 u_int index; 560 561 562 if (len < sizeof(struct sflow_counter_sample_t)) 563 return 1; 564 565 sflow_counter_sample = (const struct sflow_counter_sample_t *)pointer; 566 567 typesource = EXTRACT_32BITS(sflow_counter_sample->typesource); 568 nrecords = EXTRACT_32BITS(sflow_counter_sample->records); 569 type = typesource >> 24; 570 index = typesource & 0x0FFF; 571 572 ND_PRINT((ndo, " seqnum %u, type %u, idx %u, records %u", 573 EXTRACT_32BITS(sflow_counter_sample->seqnum), 574 type, 575 index, 576 nrecords)); 577 578 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_counter_sample_t), 579 len - sizeof(struct sflow_counter_sample_t), 580 nrecords); 581 582 } 583 584 static int 585 sflow_print_expanded_counter_sample(netdissect_options *ndo, 586 const u_char *pointer, u_int len) 587 { 588 const struct sflow_expanded_counter_sample_t *sflow_expanded_counter_sample; 589 u_int nrecords; 590 591 592 if (len < sizeof(struct sflow_expanded_counter_sample_t)) 593 return 1; 594 595 sflow_expanded_counter_sample = (const struct sflow_expanded_counter_sample_t *)pointer; 596 597 nrecords = EXTRACT_32BITS(sflow_expanded_counter_sample->records); 598 599 ND_PRINT((ndo, " seqnum %u, type %u, idx %u, records %u", 600 EXTRACT_32BITS(sflow_expanded_counter_sample->seqnum), 601 EXTRACT_32BITS(sflow_expanded_counter_sample->type), 602 EXTRACT_32BITS(sflow_expanded_counter_sample->index), 603 nrecords)); 604 605 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_expanded_counter_sample_t), 606 len - sizeof(struct sflow_expanded_counter_sample_t), 607 nrecords); 608 609 } 610 611 static int 612 print_sflow_raw_packet(netdissect_options *ndo, 613 const u_char *pointer, u_int len) 614 { 615 const struct sflow_expanded_flow_raw_t *sflow_flow_raw; 616 617 if (len < sizeof(struct sflow_expanded_flow_raw_t)) 618 return 1; 619 620 sflow_flow_raw = (const struct sflow_expanded_flow_raw_t *)pointer; 621 ND_PRINT((ndo, "\n\t protocol %s (%u), length %u, stripped bytes %u, header_size %u", 622 tok2str(sflow_flow_raw_protocol_values,"Unknown",EXTRACT_32BITS(sflow_flow_raw->protocol)), 623 EXTRACT_32BITS(sflow_flow_raw->protocol), 624 EXTRACT_32BITS(sflow_flow_raw->length), 625 EXTRACT_32BITS(sflow_flow_raw->stripped_bytes), 626 EXTRACT_32BITS(sflow_flow_raw->header_size))); 627 628 /* QUESTION - should we attempt to print the raw header itself? 629 assuming of course there is wnough data present to do so... */ 630 631 return 0; 632 } 633 634 static int 635 print_sflow_ethernet_frame(netdissect_options *ndo, 636 const u_char *pointer, u_int len) 637 { 638 const struct sflow_ethernet_frame_t *sflow_ethernet_frame; 639 640 if (len < sizeof(struct sflow_ethernet_frame_t)) 641 return 1; 642 643 sflow_ethernet_frame = (const struct sflow_ethernet_frame_t *)pointer; 644 645 ND_PRINT((ndo, "\n\t frame len %u, type %u", 646 EXTRACT_32BITS(sflow_ethernet_frame->length), 647 EXTRACT_32BITS(sflow_ethernet_frame->type))); 648 649 return 0; 650 } 651 652 static int 653 print_sflow_extended_switch_data(netdissect_options *ndo, 654 const u_char *pointer, u_int len) 655 { 656 const struct sflow_extended_switch_data_t *sflow_extended_sw_data; 657 658 if (len < sizeof(struct sflow_extended_switch_data_t)) 659 return 1; 660 661 sflow_extended_sw_data = (const struct sflow_extended_switch_data_t *)pointer; 662 ND_PRINT((ndo, "\n\t src vlan %u, src pri %u, dst vlan %u, dst pri %u", 663 EXTRACT_32BITS(sflow_extended_sw_data->src_vlan), 664 EXTRACT_32BITS(sflow_extended_sw_data->src_pri), 665 EXTRACT_32BITS(sflow_extended_sw_data->dst_vlan), 666 EXTRACT_32BITS(sflow_extended_sw_data->dst_pri))); 667 668 return 0; 669 } 670 671 static int 672 sflow_print_flow_records(netdissect_options *ndo, 673 const u_char *pointer, u_int len, u_int records) 674 { 675 u_int nrecords; 676 const u_char *tptr; 677 u_int tlen; 678 u_int flow_type; 679 u_int enterprise; 680 u_int flow_len; 681 const struct sflow_flow_record_t *sflow_flow_record; 682 683 nrecords = records; 684 tptr = pointer; 685 tlen = len; 686 687 while (nrecords > 0) { 688 /* do we have the "header?" */ 689 if (tlen < sizeof(struct sflow_flow_record_t)) 690 return 1; 691 692 sflow_flow_record = (const struct sflow_flow_record_t *)tptr; 693 694 /* so, the funky encoding means we cannot blythly mask-off 695 bits, we must also check the enterprise. */ 696 697 enterprise = EXTRACT_32BITS(sflow_flow_record->format); 698 flow_type = enterprise & 0x0FFF; 699 enterprise = enterprise >> 12; 700 flow_len = EXTRACT_32BITS(sflow_flow_record->length); 701 ND_PRINT((ndo, "\n\t enterprise %u %s (%u) length %u", 702 enterprise, 703 (enterprise == 0) ? tok2str(sflow_flow_type_values,"Unknown",flow_type) : "Unknown", 704 flow_type, 705 flow_len)); 706 707 tptr += sizeof(struct sflow_flow_record_t); 708 tlen -= sizeof(struct sflow_flow_record_t); 709 710 if (tlen < flow_len) 711 return 1; 712 713 if (enterprise == 0) { 714 switch (flow_type) { 715 case SFLOW_FLOW_RAW_PACKET: 716 if (print_sflow_raw_packet(ndo, tptr, tlen)) 717 return 1; 718 break; 719 case SFLOW_FLOW_EXTENDED_SWITCH_DATA: 720 if (print_sflow_extended_switch_data(ndo, tptr, tlen)) 721 return 1; 722 break; 723 case SFLOW_FLOW_ETHERNET_FRAME: 724 if (print_sflow_ethernet_frame(ndo, tptr, tlen)) 725 return 1; 726 break; 727 /* FIXME these need a decoder */ 728 case SFLOW_FLOW_IPV4_DATA: 729 case SFLOW_FLOW_IPV6_DATA: 730 case SFLOW_FLOW_EXTENDED_ROUTER_DATA: 731 case SFLOW_FLOW_EXTENDED_GATEWAY_DATA: 732 case SFLOW_FLOW_EXTENDED_USER_DATA: 733 case SFLOW_FLOW_EXTENDED_URL_DATA: 734 case SFLOW_FLOW_EXTENDED_MPLS_DATA: 735 case SFLOW_FLOW_EXTENDED_NAT_DATA: 736 case SFLOW_FLOW_EXTENDED_MPLS_TUNNEL: 737 case SFLOW_FLOW_EXTENDED_MPLS_VC: 738 case SFLOW_FLOW_EXTENDED_MPLS_FEC: 739 case SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC: 740 case SFLOW_FLOW_EXTENDED_VLAN_TUNNEL: 741 break; 742 default: 743 if (ndo->ndo_vflag <= 1) 744 print_unknown_data(ndo, tptr, "\n\t\t", flow_len); 745 break; 746 } 747 } 748 tptr += flow_len; 749 tlen -= flow_len; 750 nrecords--; 751 752 } 753 754 return 0; 755 } 756 757 static int 758 sflow_print_flow_sample(netdissect_options *ndo, 759 const u_char *pointer, u_int len) 760 { 761 const struct sflow_flow_sample_t *sflow_flow_sample; 762 u_int nrecords; 763 u_int typesource; 764 u_int type; 765 u_int index; 766 767 if (len < sizeof(struct sflow_flow_sample_t)) 768 return 1; 769 770 sflow_flow_sample = (struct sflow_flow_sample_t *)pointer; 771 772 typesource = EXTRACT_32BITS(sflow_flow_sample->typesource); 773 nrecords = EXTRACT_32BITS(sflow_flow_sample->records); 774 type = typesource >> 24; 775 index = typesource & 0x0FFF; 776 777 ND_PRINT((ndo, " seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, input %u output %u records %u", 778 EXTRACT_32BITS(sflow_flow_sample->seqnum), 779 type, 780 index, 781 EXTRACT_32BITS(sflow_flow_sample->rate), 782 EXTRACT_32BITS(sflow_flow_sample->pool), 783 EXTRACT_32BITS(sflow_flow_sample->drops), 784 EXTRACT_32BITS(sflow_flow_sample->in_interface), 785 EXTRACT_32BITS(sflow_flow_sample->out_interface), 786 nrecords)); 787 788 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_flow_sample_t), 789 len - sizeof(struct sflow_flow_sample_t), 790 nrecords); 791 792 } 793 794 static int 795 sflow_print_expanded_flow_sample(netdissect_options *ndo, 796 const u_char *pointer, u_int len) 797 { 798 const struct sflow_expanded_flow_sample_t *sflow_expanded_flow_sample; 799 u_int nrecords; 800 801 if (len < sizeof(struct sflow_expanded_flow_sample_t)) 802 return 1; 803 804 sflow_expanded_flow_sample = (const struct sflow_expanded_flow_sample_t *)pointer; 805 806 nrecords = EXTRACT_32BITS(sflow_expanded_flow_sample->records); 807 808 ND_PRINT((ndo, " seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, records %u", 809 EXTRACT_32BITS(sflow_expanded_flow_sample->seqnum), 810 EXTRACT_32BITS(sflow_expanded_flow_sample->type), 811 EXTRACT_32BITS(sflow_expanded_flow_sample->index), 812 EXTRACT_32BITS(sflow_expanded_flow_sample->rate), 813 EXTRACT_32BITS(sflow_expanded_flow_sample->pool), 814 EXTRACT_32BITS(sflow_expanded_flow_sample->drops), 815 EXTRACT_32BITS(sflow_expanded_flow_sample->records))); 816 817 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_expanded_flow_sample_t), 818 len - sizeof(struct sflow_expanded_flow_sample_t), 819 nrecords); 820 821 } 822 823 void 824 sflow_print(netdissect_options *ndo, 825 const u_char *pptr, u_int len) 826 { 827 const struct sflow_datagram_t *sflow_datagram; 828 const struct sflow_sample_header *sflow_sample; 829 830 const u_char *tptr; 831 u_int tlen; 832 uint32_t sflow_sample_type, sflow_sample_len; 833 uint32_t nsamples; 834 835 836 tptr = pptr; 837 tlen = len; 838 sflow_datagram = (const struct sflow_datagram_t *)pptr; 839 ND_TCHECK(*sflow_datagram); 840 841 /* 842 * Sanity checking of the header. 843 */ 844 if (EXTRACT_32BITS(sflow_datagram->version) != 5) { 845 ND_PRINT((ndo, "sFlow version %u packet not supported", 846 EXTRACT_32BITS(sflow_datagram->version))); 847 return; 848 } 849 850 if (ndo->ndo_vflag < 1) { 851 ND_PRINT((ndo, "sFlowv%u, %s agent %s, agent-id %u, length %u", 852 EXTRACT_32BITS(sflow_datagram->version), 853 EXTRACT_32BITS(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6", 854 ipaddr_string(ndo, sflow_datagram->agent), 855 EXTRACT_32BITS(sflow_datagram->agent_id), 856 len)); 857 return; 858 } 859 860 /* ok they seem to want to know everything - lets fully decode it */ 861 nsamples=EXTRACT_32BITS(sflow_datagram->samples); 862 ND_PRINT((ndo, "sFlowv%u, %s agent %s, agent-id %u, seqnum %u, uptime %u, samples %u, length %u", 863 EXTRACT_32BITS(sflow_datagram->version), 864 EXTRACT_32BITS(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6", 865 ipaddr_string(ndo, sflow_datagram->agent), 866 EXTRACT_32BITS(sflow_datagram->agent_id), 867 EXTRACT_32BITS(sflow_datagram->seqnum), 868 EXTRACT_32BITS(sflow_datagram->uptime), 869 nsamples, 870 len)); 871 872 /* skip Common header */ 873 tptr += sizeof(const struct sflow_datagram_t); 874 tlen -= sizeof(const struct sflow_datagram_t); 875 876 while (nsamples > 0 && tlen > 0) { 877 sflow_sample = (const struct sflow_sample_header *)tptr; 878 ND_TCHECK(*sflow_sample); 879 880 sflow_sample_type = (EXTRACT_32BITS(sflow_sample->format)&0x0FFF); 881 sflow_sample_len = EXTRACT_32BITS(sflow_sample->len); 882 883 if (tlen < sizeof(struct sflow_sample_header)) 884 goto trunc; 885 886 tptr += sizeof(struct sflow_sample_header); 887 tlen -= sizeof(struct sflow_sample_header); 888 889 ND_PRINT((ndo, "\n\t%s (%u), length %u,", 890 tok2str(sflow_format_values, "Unknown", sflow_sample_type), 891 sflow_sample_type, 892 sflow_sample_len)); 893 894 /* basic sanity check */ 895 if (sflow_sample_type == 0 || sflow_sample_len ==0) { 896 return; 897 } 898 899 if (tlen < sflow_sample_len) 900 goto trunc; 901 902 /* did we capture enough for fully decoding the sample ? */ 903 ND_TCHECK2(*tptr, sflow_sample_len); 904 905 switch(sflow_sample_type) { 906 case SFLOW_FLOW_SAMPLE: 907 if (sflow_print_flow_sample(ndo, tptr, tlen)) 908 goto trunc; 909 break; 910 911 case SFLOW_COUNTER_SAMPLE: 912 if (sflow_print_counter_sample(ndo, tptr,tlen)) 913 goto trunc; 914 break; 915 916 case SFLOW_EXPANDED_FLOW_SAMPLE: 917 if (sflow_print_expanded_flow_sample(ndo, tptr, tlen)) 918 goto trunc; 919 break; 920 921 case SFLOW_EXPANDED_COUNTER_SAMPLE: 922 if (sflow_print_expanded_counter_sample(ndo, tptr,tlen)) 923 goto trunc; 924 break; 925 926 default: 927 if (ndo->ndo_vflag <= 1) 928 print_unknown_data(ndo, tptr, "\n\t ", sflow_sample_len); 929 break; 930 } 931 tptr += sflow_sample_len; 932 tlen -= sflow_sample_len; 933 nsamples--; 934 } 935 return; 936 937 trunc: 938 ND_PRINT((ndo, "[|SFLOW]")); 939 } 940 941 /* 942 * Local Variables: 943 * c-style: whitesmith 944 * c-basic-offset: 4 945 * End: 946 */ 947