diff options
author | Guy Harris <guy@alum.mit.edu> | 2002-09-04 20:23:55 +0000 |
---|---|---|
committer | Guy Harris <guy@alum.mit.edu> | 2002-09-04 20:23:55 +0000 |
commit | 6f25d0da7ce609defd653c4ee7498d3cdbb51761 (patch) | |
tree | 4e1e6dac81ef526b488a14b385b642a88d8414ac | |
parent | 4d56a350bd84f4e7c259879d24b1268bb34127eb (diff) |
From Matthew Smart: Cisco NetFlow protocol support.
svn path=/trunk/; revision=6178
-rw-r--r-- | AUTHORS | 4 | ||||
-rw-r--r-- | Makefile.am | 3 | ||||
-rw-r--r-- | Makefile.nmake | 3 | ||||
-rw-r--r-- | doc/ethereal.pod.template | 1 | ||||
-rw-r--r-- | packet-netflow.c | 233 | ||||
-rw-r--r-- | packet-netflow.h | 68 |
6 files changed, 310 insertions, 2 deletions
@@ -1400,6 +1400,10 @@ Ulf Lamping <ulf.lamping[AT]web.de> { Decoding of IEEE float and doubles for DCE-RPC } +Matthew Smart <smart[AT]monkey.org> { + Cisco NetFlow protocol support +} + Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his permission to use his version of snprintf.c. diff --git a/Makefile.am b/Makefile.am index 14e20c7fd8..0b4cdaa22d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ # Makefile.am # Automake file for Ethereal # -# $Id: Makefile.am,v 1.466 2002/09/04 09:40:24 sahlberg Exp $ +# $Id: Makefile.am,v 1.467 2002/09/04 20:23:53 guy Exp $ # # Ethereal - Network traffic analyzer # By Gerald Combs <gerald@ethereal.com> @@ -226,6 +226,7 @@ DISSECTOR_SRC = \ packet-ncp2222.c \ packet-ndmp.c \ packet-netbios.c \ + packet-netflow.c \ packet-nfs.c \ packet-nfsacl.c \ packet-nfsauth.c \ diff --git a/Makefile.nmake b/Makefile.nmake index 70adb76acf..1cbff6a612 100644 --- a/Makefile.nmake +++ b/Makefile.nmake @@ -1,7 +1,7 @@ ## Makefile for building ethereal.exe with Microsoft C and nmake ## Use: $(MAKE) /$(MAKEFLAGS) -f makefile.nmake # -# $Id: Makefile.nmake,v 1.205 2002/09/04 09:40:24 sahlberg Exp $ +# $Id: Makefile.nmake,v 1.206 2002/09/04 20:23:53 guy Exp $ include config.nmake include <win32.mak> @@ -167,6 +167,7 @@ DISSECTOR_SRC = \ packet-ncp2222.c \ packet-ndmp.c \ packet-netbios.c \ + packet-netflow.c \ packet-nfs.c \ packet-nfsacl.c \ packet-nfsauth.c \ diff --git a/doc/ethereal.pod.template b/doc/ethereal.pod.template index 5c6b86da45..68ee936d86 100644 --- a/doc/ethereal.pod.template +++ b/doc/ethereal.pod.template @@ -1473,6 +1473,7 @@ B<http://www.ethereal.com>. Flavio Poletti <flavio[AT]polettix.it> Marcus Haebler <haeblerm[AT]yahoo.com> Ulf Lamping <ulf.lamping[AT]web.de> + Matthew Smart <smart[AT]monkey.org> Alain Magloire <alainm[AT]rcsm.ece.mcgill.ca> was kind enough to give his permission to use his version of snprintf.c. diff --git a/packet-netflow.c b/packet-netflow.c new file mode 100644 index 0000000000..a6152ed686 --- /dev/null +++ b/packet-netflow.c @@ -0,0 +1,233 @@ +/* packet-netflow.c + * Routines for Cisco NetFlow packet disassembly + * Matthew Smart <smart@monkey.org> + * + * $Id: packet-netflow.c,v 1.1 2002/09/04 20:23:53 guy Exp $ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@ethereal.com> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#include <glib.h> +#include <epan/packet.h> + +#include <stdio.h> +#include <string.h> + +#include "packet-netflow.h" + +static int proto_netflow = -1; +static int hf_netflow_version = -1; +static int hf_netflow_count = -1; +static int hf_netflow_sys_uptime = -1; +static int hf_netflow_unix_sec = -1; +static int hf_netflow_unix_nsec = -1; +static int hf_netflow_flow_sequence = -1; +static int hf_netflow_record = -1; + +static gint ett_netflow = -1; +static gint ett_netflow_rec = -1; + +static void +dissect_netflow(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) +{ + proto_tree *netflow_tree = NULL; + proto_tree *netflow_rec_tree = NULL; + proto_item *ti = NULL, *tf = NULL; + gint offset = 0; + struct netflow5_hdr nfh; + struct netflow5_rec nfr; + guint16 nfh_version, nfh_count; + guint32 nfh_sys_uptime, nfh_unix_sec, nfh_unix_nsec; + guint32 nfh_sequence; + int i; + + if (check_col(pinfo->cinfo, COL_PROTOCOL)) + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetFlow"); + if (check_col(pinfo->cinfo, COL_INFO)) + col_clear(pinfo->cinfo, COL_INFO); + + /* Determine NetFlow version and number of records */ + tvb_memcpy(tvb, (guint8 *)&nfh, offset, sizeof(nfh)); + nfh_version = ntohs(nfh.version); + nfh_count = ntohs(nfh.count); + nfh_sys_uptime = ntohl(nfh.sys_uptime); + nfh_unix_sec = ntohl(nfh.unix_sec); + nfh_unix_nsec = ntohl(nfh.unix_nsec); + nfh_sequence = ntohl(nfh.flow_sequence); + + if (check_col(pinfo->cinfo, COL_INFO)) + col_add_fstr(pinfo->cinfo, COL_INFO, + "v%u, %u records, sequence number %u", + nfh_version, nfh_count, nfh_sequence); + + if (tree != NULL) { + /* Add NetFlow to to the tree */ + ti = proto_tree_add_protocol_format(tree, proto_netflow, tvb, + offset, sizeof(nfh.version) + sizeof(nfh.count)*sizeof(nfr), + "Cisco Netflow, v%u, %u records, sequence number %u", + nfh_version, nfh_count, nfh_sequence); + netflow_tree = proto_item_add_subtree(ti, ett_netflow); + + /* Version */ + proto_tree_add_uint(netflow_tree, hf_netflow_version, + tvb, offset, sizeof(nfh.version), nfh_version); + + /* Number of records */ + proto_tree_add_uint(netflow_tree, hf_netflow_count, + tvb, offset + 2, sizeof(nfh.count), nfh_count); + + /* XXX only support version 5 right now */ + if (nfh_version != 5) + return; + + /* System (router) uptime */ + proto_tree_add_uint_format(netflow_tree, hf_netflow_sys_uptime, + tvb, offset + 4, sizeof(nfh.sys_uptime), nfh_sys_uptime, + "System uptime: %u msec", nfh_sys_uptime); + + /* Unix time in seconds */ + proto_tree_add_uint_format(netflow_tree, hf_netflow_unix_sec, + tvb, offset + 8, sizeof(nfh.unix_sec), nfh_unix_sec, + "Unix time: %u seconds", nfh_unix_sec); + + /* Unix time in seconds */ + proto_tree_add_uint_format(netflow_tree, hf_netflow_unix_nsec, + tvb, offset + 12, sizeof(nfh.unix_nsec), nfh_unix_nsec, + "Residual: %u nanoseconds", nfh_unix_nsec); + + for (i = 0; i < nfh_count; i++) { + guint rec_offset = sizeof(nfh) + i * sizeof(nfr); + + tf = proto_tree_add_uint_format(netflow_tree, + hf_netflow_record, tvb, rec_offset, sizeof(nfr), + i, "Record %d: %u packets, %u bytes", i+1, + tvb_get_ntohl(tvb, rec_offset + 16), + tvb_get_ntohl(tvb, rec_offset + 20)); + netflow_rec_tree = proto_item_add_subtree(tf, + ett_netflow_rec); + + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 0, 4, "Src Addr: %s", + ip_to_str(tvb_get_ptr(tvb, rec_offset + 0, 4))); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 4, 4, "Dst Addr: %s", + ip_to_str(tvb_get_ptr(tvb, rec_offset + 4, 4))); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 8, 4, "Next Hop: %s", + ip_to_str(tvb_get_ptr(tvb, rec_offset + 8, 4))); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 12, 2, "Input Interface: %u", + tvb_get_ntohs(tvb, rec_offset + 12)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 14, 2, "Output Interface: %u", + tvb_get_ntohs(tvb, rec_offset + 14)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 16, 4, "Packets: %u", + tvb_get_ntohl(tvb, rec_offset + 16)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 20, 4, "Bytes: %u", + tvb_get_ntohl(tvb, rec_offset + 20)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 24, 4, "Start Time: %u", + tvb_get_ntohl(tvb, rec_offset + 24)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 28, 4, "End Time: %u", + tvb_get_ntohl(tvb, rec_offset + 28)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 32, 2, "Source Port: %u", + tvb_get_ntohs(tvb, rec_offset + 32)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 34, 2, "Dest Port: %u", + tvb_get_ntohs(tvb, rec_offset + 34)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 37, 1, "TCP Flags: 0x%0x", + tvb_get_guint8(tvb, rec_offset + 37)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 38, 1, "IP Protocol: %u", + tvb_get_guint8(tvb, rec_offset + 38)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 39, 1, "Type of service: 0x%02x", + tvb_get_guint8(tvb, rec_offset + 39)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 40, 2, "Source AS: %u", + tvb_get_ntohs(tvb, rec_offset + 40)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 42, 2, "Dest AS: %u", + tvb_get_ntohs(tvb, rec_offset + 42)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 44, 1, "Source Mask: %u", + tvb_get_guint8(tvb, rec_offset + 44)); + proto_tree_add_text(netflow_rec_tree, tvb, + rec_offset + 45, 1, "Dest Mask: %u", + tvb_get_guint8(tvb, rec_offset + 45)); + } + } +} + +void +proto_register_netflow(void) +{ + static hf_register_info hf[] = { + { &hf_netflow_version, + { "Version", "netflow.version", FT_UINT16, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_count, + { "Number of records", "netflow.count", FT_UINT16, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_sys_uptime, + { "System uptime", "netflow.sys_uptime", FT_UINT32, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_unix_sec, + { "Unix seconds", "netflow.unix_sec", FT_UINT32, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_unix_nsec, + { "Unix nanonseconds", "netflow.unix_nsec", FT_UINT32, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_flow_sequence, + { "Sequence number", "netflow.flow_sequence", FT_UINT32, + BASE_DEC, NULL, 0x0, "", HFILL }}, + { &hf_netflow_record, + { "Record", "netflow.record", FT_UINT32, + BASE_DEC, NULL, 0x0, "", HFILL }}, + }; + + static gint *ett[] = { + &ett_netflow, + &ett_netflow_rec + }; + + proto_netflow = proto_register_protocol("Cisco NetFlow", + "NetFlow", "netflow"); + proto_register_field_array(proto_netflow, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); +} + +void +proto_reg_handoff_netflow(void) +{ + dissector_handle_t netflow_handle; + + netflow_handle = create_dissector_handle(dissect_netflow, + proto_netflow); + dissector_add("udp.port", UDP_PORT_NETFLOW, netflow_handle); +} diff --git a/packet-netflow.h b/packet-netflow.h new file mode 100644 index 0000000000..8e163b3f0e --- /dev/null +++ b/packet-netflow.h @@ -0,0 +1,68 @@ +/* packet-netflow.h + * Routines for Cisco NetFlow packet disassembly + * Matthew Smart <smart@monkey.org> + * + * $Id: packet-netflow.h,v 1.1 2002/09/04 20:23:54 guy Exp $ + * + * Ethereal - Network traffic analyzer + * By Gerald Combs <gerald@ethereal.com> + * Copyright 1998 Gerald Combs + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +#ifndef __PACKET_NETFLOW_H +#define __PACKET_NETFLOW_H + +#include <glib.h> + +#define UDP_PORT_NETFLOW 5000 /* XXX */ + +struct netflow5_hdr { + guint16 version; + guint16 count; /* Number of records */ + guint32 sys_uptime; /* Time in msec since router booted */ + guint32 unix_sec; /* Seconds since 0000 UTC 1970 */ + guint32 unix_nsec; /* Residual nsec since 0000 UTC 1970 */ + guint32 flow_sequence; /* Sequence num of flows seen */ + guint8 engine_type; /* Type of flow switching engine */ + guint8 engine_id; /* Slot number of switching engine */ + guint16 reserved; +}; + +struct netflow5_rec { + guint32 src_addr; + guint32 dst_addr; + guint32 next_hop; + guint16 input_iface; + guint16 output_iface; + guint32 pkts_sent; /* Between start_time and end_time */ + guint32 bytes_sent; /* Between start_time and end_time */ + guint32 start_time; /* Milliseconds since sys_uptime */ + guint32 end_time; /* Milliseconds since sys_uptime */ + guint16 src_port; + guint16 dst_port; + guint8 pad1; + guint8 tcp_flags; + guint8 ip_prot; + guint8 tos; + guint16 src_as; + guint16 dst_as; + guint8 src_mask; + guint8 dst_mask; + guint16 pad2; +}; + +#endif |