├── boot.sh ├── Makefile.am ├── src ├── Makefile.am ├── sflow_drop.h ├── sflow_xdr.h ├── sflow_v2v4.h └── sflow.h ├── NEWS ├── AUTHORS ├── configure.ac ├── sflowtool.spec ├── scripts ├── sflowcapture └── sflowenable ├── config.h.in ├── ChangeLog ├── README ├── README.md └── COPYING /boot.sh: -------------------------------------------------------------------------------- 1 | autoreconf --install --force 2 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | SUBDIRS=src 2 | EXTRA_DIST=sflowtool.spec scripts/sflowenable scripts/sflowcapture 3 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | bin_PROGRAMS=sflowtool 2 | sflowtool_SOURCES = sflow.h sflow_v2v4.h sflow_drop.h sflowtool.c sflow_xdr.h 3 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | Feb-24-2015 http://www.sflow.com 2 | Jun-1-2007 http://www.inmon.com/products/sFlowTrend.php 3 | Apr-17-2007 http://www.inmon.com/support/sentinel2_release.php 4 | Feb-5-2002 http://www.sflow.org now online 5 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | Neil McKee (mailto:neil.mckee@inmon.com) InMon Corp. 
https://www.inmon.com 2 | Rowan Thorpe 3 | Philip Kovacs 4 | Andre Grunenberg 5 | Nick Hilliard 6 | Rick Jones 7 | Sven Eshenberg 8 | Marc Lavine 9 | Sergey Drazhnikov 10 | Rita Hiu 11 | Wolfgang Powisch 12 | Richard Clayton 13 | Chris Cook 14 | Bogdan Ionescu 15 | Naoki Ogawa 16 | Nick Gudov -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | # -*- Autoconf -*- 2 | # Process this file with autoconf to produce a configure script. 3 | 4 | AC_PREREQ([2.71]) 5 | # change version in spec file too 6 | AC_INIT([sflowtool],[6.09]) 7 | AC_CONFIG_SRCDIR([src/sflowtool.c]) 8 | AM_INIT_AUTOMAKE 9 | AC_PROG_CC 10 | AC_CONFIG_HEADERS(config.h) 11 | 12 | # Checks for libraries. 13 | 14 | AC_CANONICAL_HOST 15 | case "$host" in 16 | *-*-solaris*) 17 | LDFLAGS="$LDFLAGS -lsocket -lnsl" 18 | ;; 19 | esac 20 | 21 | # Checks for header files. 22 | AC_CHECK_HEADERS([fcntl.h netdb.h netinet/in.h stdlib.h string.h sys/socket.h sys/time.h unistd.h byteswap.h]) 23 | 24 | # Checks for typedefs, structures, and compiler characteristics. 25 | AC_C_CONST 26 | AC_CHECK_HEADERS_ONCE([sys/time.h]) 27 | 28 | # Checks for library functions. 
29 | AC_FUNC_SELECT_ARGTYPES 30 | AC_FUNC_STRFTIME 31 | AC_FUNC_VPRINTF 32 | AC_CHECK_FUNCS([getaddrinfo memset select socket strdup strerror strspn strtol]) 33 | 34 | AC_CONFIG_FILES([Makefile 35 | src/Makefile]) 36 | AC_OUTPUT 37 | -------------------------------------------------------------------------------- /sflowtool.spec: -------------------------------------------------------------------------------- 1 | Summary: tool to ascii-print or forward sFlow datagrams 2 | Name: sflowtool 3 | Version: 6.09 4 | Release: 1%{?dist} 5 | License: https://www.inmon.com/technology/sflowlicense.txt 6 | Group: Productivity/Networking/Diagnostic 7 | URL: https://inmon.com/technology/sflowTools.php 8 | Source: https://github.com/sflow/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.gz 9 | BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 10 | 11 | %description 12 | The sFlow toolkit provides command line utilities and scripts for analyzing 13 | sFlow data. sflowtool interfaces to utilities such as tcpdump, Wireshark and Snort 14 | for detailed packet tracing and analysis, NetFlow compatible collectors for IP 15 | flow accounting, and provides text based output that can be used in scripts to 16 | provide customized analysis and reporting and for integrating with other tools 17 | such as Graphite or rrdtool. 
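18 | 19 | %prep 20 | %setup -q -n %{name}-%{version} 21 | 22 | %build 23 | %configure 24 | make 25 | 26 | %install 27 | make DESTDIR=%{buildroot} install 28 | 29 | %clean 30 | rm -rf %{buildroot} 31 | 32 | %files 33 | %defattr(-,root,root) 34 | %doc AUTHORS NEWS ChangeLog README 35 | %license COPYING 36 | %{_bindir}/sflowtool 37 | 38 | %changelog 39 | * Mon Jun 4 2012 Neil McKee - 3.26-1 40 | - Initial spec to build sflowtool RPM 41 | -------------------------------------------------------------------------------- /scripts/sflowcapture: --------------------------------------------------------------------------------
#!/bin/bash
# Supervise a background "sflowtool -p <port> -M" whose stdout is redirected
# into a capture file.
#   SIGHUP          stop the running sflowtool and start a fresh one; the
#                   redirection truncates the capture file again
#   SIGTERM/SIGINT  stop sflowtool and exit with status 1
# Every LOGSECS seconds the size of the capture file is reported with du;
# LOGSECS=0 turns the report off.
#
# NOTE(review): the capture holds whatever the sFlow agents send, which can
# include sampled packet headers. The file is created with the caller's umask
# and defaults to /var/log, so restrict who can read it, and point -f at a
# directory only the invoking user can write to (the ">" redirection follows
# an existing symlink).

PROG="$0"
ARGS="$*"   # flattened copy of the arguments, used only in the status line
UDPPORT=6343
LOGSECS=60
CAPTURE=/var/log/sflowcapture.pcap

# Print the usage line and exit with 255, the status "exit -1" produced.
function usage() {
    echo "Usage: $PROG [-p <port>] [-f <file>] [-l <log-secs>]"
    exit 255
}

while [[ $# -gt 0 ]]; do
    key="$1"
    case $key in
        -p|--port)
            # An option given as the last word has no value to consume.
            [[ $# -ge 2 ]] || usage
            UDPPORT="$2"
            shift 2
            ;;
        -f|--file)
            [[ $# -ge 2 ]] || usage
            CAPTURE="$2"
            shift 2
            ;;
        -l|--log-secs)
            [[ $# -ge 2 ]] || usage
            LOGSECS="$2"
            shift 2
            ;;
        *)
            usage
            ;;
    esac
done

# Stop the current sflowtool (if any); start a new one when $1 is "true",
# otherwise leave the script with status 1.
function run_capture() {
    startIt="$1"
    if [[ $SFTPID ]]; then
        echo "$PROG caught signal - killing sflowtool pid=SFTPID $SFTPID"
        kill -TERM "$SFTPID"
        # Reap the old process before a replacement binds the same UDP port
        # and reopens the capture file.
        wait "$SFTPID" 2>/dev/null
    fi
    if [ "$startIt" = "true" ]; then
        sflowtool -p "$UDPPORT" -M > "$CAPTURE" &
        SFTPID=$!
    else
        exit 1
    fi
}

trap "run_capture true" SIGHUP
trap "run_capture false" SIGTERM SIGINT
run_capture true

function shallow_sleep() {
    # A wait(1) on a background sleep(1) will terminate immediately
    # on receipt of a SIGHUP so that the trap runs right away.
    # Otherwise the trap is only executed when the sleep is done.
    seconds="$1"
    sleep "$seconds" &
    pid=$!
    wait "$pid"
}

while true; do
    if [ "$LOGSECS" = "0" ]; then
        shallow_sleep 60
    else
        shallow_sleep "$LOGSECS"
        info=$(du -h "$CAPTURE")
        echo "$PROG $ARGS : $info"
    fi
done
-------------------------------------------------------------------------------- /config.h.in: -------------------------------------------------------------------------------- 1 | /* config.h.in. Generated from configure.ac by autoheader. */ 2 | 3 | /* Define to 1 if you have the header file. */ 4 | #undef HAVE_BYTESWAP_H 5 | 6 | /* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */ 7 | #undef HAVE_DOPRNT 8 | 9 | /* Define to 1 if you have the header file. */ 10 | #undef HAVE_FCNTL_H 11 | 12 | /* Define to 1 if you have the `getaddrinfo' function. */ 13 | #undef HAVE_GETADDRINFO 14 | 15 | /* Define to 1 if you have the header file. */ 16 | #undef HAVE_INTTYPES_H 17 | 18 | /* Define to 1 if you have the `memset' function. */ 19 | #undef HAVE_MEMSET 20 | 21 | /* Define to 1 if you have the header file. */ 22 | #undef HAVE_NETDB_H 23 | 24 | /* Define to 1 if you have the header file. */ 25 | #undef HAVE_NETINET_IN_H 26 | 27 | /* Define to 1 if you have the `select' function. */ 28 | #undef HAVE_SELECT 29 | 30 | /* Define to 1 if you have the `socket' function. */ 31 | #undef HAVE_SOCKET 32 | 33 | /* Define to 1 if you have the header file. */ 34 | #undef HAVE_STDINT_H 35 | 36 | /* Define to 1 if you have the header file. */ 37 | #undef HAVE_STDIO_H 38 | 39 | /* Define to 1 if you have the header file. */ 40 | #undef HAVE_STDLIB_H 41 | 42 | /* Define to 1 if you have the `strdup' function. */ 43 | #undef HAVE_STRDUP 44 | 45 | /* Define to 1 if you have the `strerror' function. */ 46 | #undef HAVE_STRERROR 47 | 48 | /* Define to 1 if you have the `strftime' function. */ 49 | #undef HAVE_STRFTIME 50 | 51 | /* Define to 1 if you have the header file. */ 52 | #undef HAVE_STRINGS_H 53 | 54 | /* Define to 1 if you have the header file. 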
*/ 55 | #undef HAVE_STRING_H 56 | 57 | /* Define to 1 if you have the `strspn' function. */ 58 | #undef HAVE_STRSPN 59 | 60 | /* Define to 1 if you have the `strtol' function. */ 61 | #undef HAVE_STRTOL 62 | 63 | /* Define to 1 if you have the header file. */ 64 | #undef HAVE_SYS_SELECT_H 65 | 66 | /* Define to 1 if you have the header file. */ 67 | #undef HAVE_SYS_SOCKET_H 68 | 69 | /* Define to 1 if you have the header file. */ 70 | #undef HAVE_SYS_STAT_H 71 | 72 | /* Define to 1 if you have the header file. */ 73 | #undef HAVE_SYS_TIME_H 74 | 75 | /* Define to 1 if you have the header file. */ 76 | #undef HAVE_SYS_TYPES_H 77 | 78 | /* Define to 1 if you have the header file. */ 79 | #undef HAVE_UNISTD_H 80 | 81 | /* Define to 1 if you have the `vprintf' function. */ 82 | #undef HAVE_VPRINTF 83 | 84 | /* Name of package */ 85 | #undef PACKAGE 86 | 87 | /* Define to the address where bug reports for this package should be sent. */ 88 | #undef PACKAGE_BUGREPORT 89 | 90 | /* Define to the full name of this package. */ 91 | #undef PACKAGE_NAME 92 | 93 | /* Define to the full name and version of this package. */ 94 | #undef PACKAGE_STRING 95 | 96 | /* Define to the one symbol short name of this package. */ 97 | #undef PACKAGE_TARNAME 98 | 99 | /* Define to the home page for this package. */ 100 | #undef PACKAGE_URL 101 | 102 | /* Define to the version of this package. */ 103 | #undef PACKAGE_VERSION 104 | 105 | /* Define to the type of arg 1 for `select'. */ 106 | #undef SELECT_TYPE_ARG1 107 | 108 | /* Define to the type of args 2, 3 and 4 for `select'. */ 109 | #undef SELECT_TYPE_ARG234 110 | 111 | /* Define to the type of arg 5 for `select'. */ 112 | #undef SELECT_TYPE_ARG5 113 | 114 | /* Define to 1 if all of the C90 standard headers exist (not just the ones 115 | required in a freestanding environment). This macro is provided for 116 | backward compatibility; new code need not use it. 
*/ 117 | #undef STDC_HEADERS 118 | 119 | /* Version number of package */ 120 | #undef VERSION 121 | 122 | /* Define to empty if `const' does not conform to ANSI C. */ 123 | #undef const 124 | -------------------------------------------------------------------------------- /src/sflow_drop.h: -------------------------------------------------------------------------------- 1 | SFL_DROP(net_unreachable,0) 2 | SFL_DROP(host_unreachable,1) 3 | SFL_DROP(protocol_unreachable,2) 4 | SFL_DROP(port_unreachable,3) 5 | SFL_DROP(frag_needed,4) 6 | SFL_DROP(src_route_failed,5) 7 | SFL_DROP(dst_net_unknown,6) /* ipv4_lpm_miss, ipv6_lpm_miss */ 8 | SFL_DROP(dst_host_unknown,7) 9 | SFL_DROP(src_host_isolated,8) 10 | SFL_DROP(dst_net_prohibited,9) /* reject_route */ 11 | SFL_DROP(dst_host_prohibited,10) 12 | SFL_DROP(dst_net_tos_unreachable,11) 13 | SFL_DROP(dst_host_tos_unreacheable,12) 14 | SFL_DROP(comm_admin_prohibited,13) 15 | SFL_DROP(host_precedence_violation,14) 16 | SFL_DROP(precedence_cutoff,15) 17 | SFL_DROP(unknown,256) 18 | SFL_DROP(ttl_exceeded,257) /* ttl_value_is_too_small */ 19 | SFL_DROP(acl,258) /* ingress_flow_action_drop, egress_flow_action_drop, group acl_drops */ 20 | SFL_DROP(no_buffer_space,259) /* tail_drop */ 21 | SFL_DROP(red,260) 22 | SFL_DROP(traffic_shaping,261) 23 | SFL_DROP(pkt_too_big,262) /* mtu_value_is_too_small */ 24 | SFL_DROP(src_mac_is_multicast,263) 25 | SFL_DROP(vlan_tag_mismatch,264) 26 | SFL_DROP(ingress_vlan_filter,265) 27 | SFL_DROP(ingress_spanning_tree_filter,266) 28 | SFL_DROP(port_list_is_empty,267) 29 | SFL_DROP(port_loopback_filter,268) 30 | SFL_DROP(blackhole_route,269) 31 | SFL_DROP(non_ip,270) 32 | SFL_DROP(uc_dip_over_mc_dmac,271) 33 | SFL_DROP(dip_is_loopback_address,272) 34 | SFL_DROP(sip_is_mc,273) 35 | SFL_DROP(sip_is_loopback_address,274) 36 | SFL_DROP(ip_header_corrupted,275) 37 | SFL_DROP(ipv4_sip_is_limited_bc,276) 38 | SFL_DROP(ipv6_mc_dip_reserved_scope,277) 39 | SFL_DROP(ipv6_mc_dip_interface_local_scope,278) 40 | 
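/* Drop-reason table, continued.  Each line invokes SFL_DROP(name, code); the
 * SFL_DROP macro is not defined in this file, so whatever includes the list
 * decides what an entry expands to.  The codes in this run are consecutive,
 * 279 through 371, so a gap or a repeat indicates a transcription error.
 */
SFL_DROP(unresolved_neigh,279)
SFL_DROP(mc_reverse_path_forwarding,280)
SFL_DROP(non_routable_packet,281)
SFL_DROP(decap_error,282)
SFL_DROP(overlay_smac_is_mc,283)
SFL_DROP(unknown_l2,284) /* group l2_drops */
SFL_DROP(unknown_l3,285) /* group l3_drops */
SFL_DROP(unknown_l3_exception,286) /* group l3_exceptions */
SFL_DROP(unknown_buffer,287) /* group buffer_drops */
SFL_DROP(unknown_tunnel,288) /* group tunnel_drops */
SFL_DROP(unknown_l4,289)
SFL_DROP(sip_is_unspecified,290)
SFL_DROP(mlag_port_isolation,291)
SFL_DROP(blackhole_arp_neigh,292)
SFL_DROP(src_mac_is_dmac,293)
SFL_DROP(dmac_is_reserved,294)
SFL_DROP(sip_is_class_e,295)
SFL_DROP(mc_dmac_mismatch,296)
SFL_DROP(sip_is_dip,297)
SFL_DROP(dip_is_local_network,298)
SFL_DROP(dip_is_link_local,299)
SFL_DROP(overlay_smac_is_dmac,300)
SFL_DROP(egress_vlan_filter,301)
SFL_DROP(uc_reverse_path_forwarding,302)
SFL_DROP(split_horizon,303)
SFL_DROP(locked_port,304)
SFL_DROP(dmac_filter,305)
SFL_DROP(blackhole_nexthop,306)
SFL_DROP(vxlan_parsing,307)
SFL_DROP(llc_snap_parsing,308)
SFL_DROP(vlan_parsing,309)
SFL_DROP(pppoe_ppp_parsing,310)
SFL_DROP(mpls_parsing,311)
SFL_DROP(arp_parsing,312)
SFL_DROP(ip_1_parsing,313)
SFL_DROP(ip_n_parsing,314)
SFL_DROP(gre_parsing,315)
SFL_DROP(udp_parsing,316)
SFL_DROP(tcp_parsing,317)
SFL_DROP(ipsec_parsing,318)
SFL_DROP(sctp_parsing,319)
SFL_DROP(dccp_parsing,320)
SFL_DROP(gtp_parsing,321)
SFL_DROP(esp_parsing,322)
SFL_DROP(unknown_parsing,323) /* group parser_error_drops */
SFL_DROP(pkt_too_small,324)
SFL_DROP(unhandled_proto,325)
SFL_DROP(ipv6disabled,326)
SFL_DROP(invalid_proto,327)
SFL_DROP(ip_noproto,328)
SFL_DROP(skb_csum,329)
SFL_DROP(skb_ucopy_fault,330)
SFL_DROP(dev_ready,331)
SFL_DROP(dev_hdr,332) /* listing showed 33; 332 restores the 331..333 run - confirm against the sFlow drop-reason registry */
SFL_DROP(dup_frag,333)
SFL_DROP(skb_gso_seg,334)
SFL_DROP(reverse_path_forwarding,335) /* ip_rpfilter */
SFL_DROP(icmp_parsing,336) /* icmp_csum */
SFL_DROP(tcp_md5notfound,337)
SFL_DROP(tcp_md5unexpected,338)
SFL_DROP(tcp_md5failure,339)
SFL_DROP(tcp_flags,340)
SFL_DROP(tcp_zerowindow,341)
SFL_DROP(tcp_old_data,342)
SFL_DROP(tcp_overwindow,343)
SFL_DROP(tcp_ofomerge,344)
SFL_DROP(tcp_rfc7323_paws,345)
SFL_DROP(tcp_invalid_sequence,346)
SFL_DROP(tcp_reset,347)
SFL_DROP(tcp_invalid_syn,348)
SFL_DROP(tcp_close,349)
SFL_DROP(tcp_fastopen,350)
SFL_DROP(tcp_old_ack,351)
SFL_DROP(tcp_too_old_ack,352)
SFL_DROP(tcp_ack_unsent_data,353)
SFL_DROP(tcp_ofo_queue_prune,354)
SFL_DROP(tcp_ofo_drop,355)
SFL_DROP(tcp_minttl,356)
SFL_DROP(ipv6_bad_exthdr,357)
SFL_DROP(ipv6_ndisc_frag,358)
SFL_DROP(ipv6_ndisc_hop_limit,359)
SFL_DROP(ipv6_ndisc_bad_code,360)
SFL_DROP(ipv6_ndisc_bad_options,361)
SFL_DROP(ipv6_ndisc_ns_otherhost,362)
SFL_DROP(tap_filter,363)
SFL_DROP(tap_txfilter,364)
SFL_DROP(tc_ingress,365)
SFL_DROP(tc_egress,366) /* listing showed 36; 366 restores the 365..367 run - confirm against the sFlow drop-reason registry */
SFL_DROP(xdp,367)
SFL_DROP(cpu_backlog,368)
SFL_DROP(bpf_cgroup_egress,369)
SFL_DROP(xfrm_policy,370)
SFL_DROP(socket_filter,371)
-------------------------------------------------------------------------------- /scripts/sflowenable: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Script to turn on sFlow(R) sampling using the sFlow version 5 MIB, see: 3 | # http://www.sflow.org/ 4 | # 5 | # Copyright (c) 2001 InMon Corp.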
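# Licensed under the terms of the InMon sFlow licence:
# http://www.inmon.com/technology/sflowlicense.txt
#
# Flow of the script: claim a row in sFlowRcvrTable for this host, then point
# the flow-sampler (sFlowFsTable) and counter-poller (sFlowCpTable) rows at
# that receiver. With force=0 only rows already owned by this receiver, or
# free rows, are meant to be touched.
#
# NOTE(review): every request below uses SNMP v2c, so the community string
# crosses the network unencrypted, and because it is passed as a command-line
# argument (to this script and on to snmpwalk/snmpset) it is visible in the
# local process list while the script runs. Use a write community limited to
# the sFlow MIB and run this from a trusted management host.

MINPARAMS=3
if [ $# -lt "$MINPARAMS" ]
then
  echo "Usage: $0 switch community receiver [port] [rate] [interval] [timeout] [force]"
  echo " where:"
  echo " switch, IP address of sFlow enabled switch/router"
  echo " community, SNMP community string"
  echo " receiver, destination IP address for sFlow datagrams"
  echo " port, destination UDP port for sFlow datagrams (default=6343)"
  echo " rate, packet sampling rate (default=512)"
  echo " interval, counter polling interval (default=60)"
  echo " timeout, number of seconds to maintain sampling (default=3600)"
  echo " force, 0 = respect existing reservations, 1 = force settings"
  echo "Note: Setting timeout to 0 stops sampling and frees resources"
  exit 1
fi

# initialize mandatory variables
SWITCH=$1
COMMUNITY=$2
RECEIVER=$3

# initialize optional variables
PORT=${4:-6343}
RATE=${5:-512}
INTERVAL=${6:-60}
TIMEOUT=${7:-3600}
USEFORCE=${8:-0}

# These five values are used in integer tests and handed to snmpset/awk as
# integers, so reject anything that is not a plain non-negative number.
for NUMERIC in "$PORT" "$RATE" "$INTERVAL" "$TIMEOUT" "$USEFORCE"
do
  case "$NUMERIC" in
    ''|*[!0-9]*)
      echo "port, rate, interval, timeout and force must be non-negative integers"
      exit 1
      ;;
  esac
done

# initialize static variables
OWNER="$HOSTNAME;$0"
ADDRESSTYPE=1 # IP v4
SFLOWMIB=".1.3.6.1.4.1.14706.1"
IFINDEX="11.1.3.6.1.2.1.2.2.1.1"

echo "Finding a free slot in in the sFlowRcvrTable"

# Walk the owner column: prefer a row this host already owns, then a free row
# (empty owner), and only with force=1 fall back to the last row seen.
RCVRINDEX=$(snmpwalk -v 2c -Oqn -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.4.1.2" | awk -v me="$OWNER" -v useforce="$USEFORCE" --source '
  BEGIN{lastFree=0; lastOwner=0; last=0;}
  {
    split($1,parts,".");
    idx = parts[14];
    owner = $2;
    gsub("\"","",owner); # remove quotes
    last = idx;
    if(owner == me) lastOwner = idx;
    if(owner == "") lastFree = idx;
  }
  END{
    if(lastOwner) print lastOwner;
    else if(lastFree) print lastFree;
    else if(useforce) print last;
  }')

if [ -z "$RCVRINDEX" ]
then
  echo "No free sFlowRcvrTable entries found, current sFlowRcvrOwners:"
  snmpwalk -v 2c -Oqn -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.4.1.2" | awk --source '{print $2}'
  exit 1
fi

if [ "$TIMEOUT" -eq 0 ]
then
  echo "Free sFlowRcvrTable entry $RCVRINDEX"
  snmpset -v 2c -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.4.1.2.$RCVRINDEX" s ""
  # NOTE(review): this documented "release" path ends with status 1 and does
  # not look at the snmpset result; kept as-is for callers that rely on it.
  exit 1
fi

# Receiver address as eight hex digits for the "x" (hex string) set below.
HEXRECEIVER=$(echo "$RECEIVER" | awk --source '{split($0,parts,"."); printf "%.2X%.2X%.2X%.2X",parts[1],parts[2],parts[3],parts[4]}')

echo "Grabbing entry in sFlowRcvrTable:"
echo "sFlowRcvrIndex = $RCVRINDEX"
echo "sFlowRcvrOwner = $OWNER"
echo "sFlowRcvrTimeout = $TIMEOUT"
echo "sFlowRcvrAddressType = $ADDRESSTYPE"
echo "sFlowRcvrAddress = $RECEIVER ($HEXRECEIVER)"
echo "sFlowRcvrPort = $PORT"


if ! snmpset -v 2c -c "$COMMUNITY" "$SWITCH" \
     "$SFLOWMIB.1.4.1.2.$RCVRINDEX" s "$OWNER" \
     "$SFLOWMIB.1.4.1.3.$RCVRINDEX" i "$TIMEOUT" \
     "$SFLOWMIB.1.4.1.5.$RCVRINDEX" i "$ADDRESSTYPE" \
     "$SFLOWMIB.1.4.1.6.$RCVRINDEX" x "$HEXRECEIVER" \
     "$SFLOWMIB.1.4.1.7.$RCVRINDEX" i "$PORT"
then
  echo "SNMP set failed"
  exit 1;
fi

echo "Grabbing entries in sFlowFsTable"

for ENTRY in $(snmpwalk -v 2c -Oqn -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.5.1.3.$IFINDEX" | awk -v myRcvrIndex="$RCVRINDEX" -v useforce="$USEFORCE" --source '
  {
    split($1,parts,".");
    ifIndex = parts[25];
    instance = parts[26];

    # Receiver index this row is bound to. The name was misspelt on
    # assignment before, so the tests below read an unset variable: every
    # row compared equal to 0 and was treated as free even with force=0.
    receiver = $2;

    last[ifIndex] = instance;
    if(receiver == myRcvrIndex) lastOwner[ifIndex] = instance;
    if(receiver == 0) lastFree[ifIndex] = instance;
  }
  END{
    for (i in last) {
      if(lastOwner[i]) print i "." lastOwner[i];
      else if(lastFree[i]) print i "." lastFree[i];
      else if(useforce) print i "." last[i];
    }
  }'); do
  echo "sFlowFsDataSource.sFlowFsInstance=$ENTRY sFlowFsPacketSamplingRate=$RATE"

  if [ "$USEFORCE" -ne "0" ]
  then
    echo "Using force, clear entry first"
    snmpset -v 2c -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.5.1.3.$IFINDEX.$ENTRY" i 0
    echo "Now set values"
  fi
  snmpset -v 2c -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.5.1.3.$IFINDEX.$ENTRY" i "$RCVRINDEX" "$SFLOWMIB.1.5.1.4.$IFINDEX.$ENTRY" i "$RATE"
done

echo "Grabbing entries in sFlowCpTable"

for ENTRY in $(snmpwalk -v 2c -Oqn -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.6.1.3.$IFINDEX" | awk -v myRcvrIndex="$RCVRINDEX" -v useforce="$USEFORCE" --source '
  {
    split($1,parts,".");
    ifIndex = parts[25];
    instance = parts[26];

    # Same spelling fix as in the sFlowFsTable pass: the value read here is
    # the one the ownership tests compare.
    receiver = $2;

    last[ifIndex] = instance;
    if(receiver == myRcvrIndex) lastOwner[ifIndex] = instance;
    if(receiver == 0) lastFree[ifIndex] = instance;
  }
  END{
    for (i in last) {
      if(lastOwner[i]) print i "." lastOwner[i];
      else if(lastFree[i]) print i "." lastFree[i];
      else if(useforce) print i "." last[i];
    }
  }'); do

  echo "sFlowCpDataSource.sFlowCpInstance=$ENTRY sFlowCpInterval=$INTERVAL"

  if [ "$USEFORCE" -ne "0" ]
  then
    echo "Using force, clear entry first"
    snmpset -v 2c -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.6.1.3.$IFINDEX.$ENTRY" i 0
    echo "Now set values"
  fi

  snmpset -v 2c -c "$COMMUNITY" "$SWITCH" "$SFLOWMIB.1.6.1.3.$IFINDEX.$ENTRY" i "$RCVRINDEX" "$SFLOWMIB.1.6.1.4.$IFINDEX.$ENTRY" i "$INTERVAL"
done
-------------------------------------------------------------------------------- /ChangeLog: -------------------------------------------------------------------------------- 1 | Dec-05-2018: 2 | 5.01 - option to emit JSON 3 | - adopt ISO8601 compatible timestamp format 4 | - fix IPv6 tos and label decide. 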
Thanks to jabersmith 5 | Jul-20-2017: 6 | 4.01: - option to emit NetFlow v9. Thanks to Philip Kovacs. 7 | Mar-31-2017: 8 | 3.41: - print Open vSwitch datapath performance counters 9 | Mar-08-2017: 10 | 3.40: - print OpenFlow port structure 11 | Oct-18-2016: 12 | 3.39: - print SFP optical counters 13 | Oct-17-2016: 14 | 3.38: - fix pcap_file_header.snaplen 15 | - drop "-z pad" option 16 | - add "tcpinfo" struct 17 | Oct-5-2015: 18 | 3.37: - print rtmetric and rtflow samples 19 | - include timestamp in grep-friendly (-g) output 20 | Aug-13-2015: 21 | 3.36: - incorporate buffer-overrun protection suggestions from Andre Gruenenberg 22 | - incorporate portability changes from Rowan Thorpe 23 | - incorporate IPv6 forwarding changes from Rowan Thorpe 24 | - print IPID field from IPv4 sampled headers 25 | Feb-24-2015: 26 | 3.35: - add Broadcom ASIC counters structure 27 | - add TCP/IP counters structure 28 | Dec-04-2014: 29 | 3.34: - decode new counters in host cpu struct (steal, guest, and guest_nice) 30 | Dec-01-2014: 31 | 3.33: - bugfix: app-sample status and duration_uS fields were reversed 32 | May-27-2014: 33 | 3.32 - fix UUID printing (bug introduced in 3.31) 34 | - move compiler pragmas outside function boundary (to avoid compile errors with older compilers) 35 | Apr-11-2014: 36 | 3.31 - Accepted patches from Rowan Thorpe to clean up code, including: 37 | adjust interpreter locations 38 | improve option parsing 39 | new '-k' option to keep going even in the event of a select() error 40 | - accept new Linux pcap encapsulation 41 | - new '-g' option to output in 'grep-friendly' format to make scripting easier 42 | Oct-18-2013: 43 | 3.30 - exit if printf() fails. Important for detecting streaming errors. Thanks to Nick Hilliard. 44 | - add tunnel structures (http://sflow.org/sflow_tunnels.txt) 45 | Oct-2-2013: 46 | 3.29 - added decode for nat_port structure 47 | - include inttypes.h for PRIu64 etc. 
48 | - minor bugfixes - thanks to Rowan Thorpe 49 | Sep-27-2012: 50 | 3.28 - added decodes for proxy structures 51 | - added decode for LAG/MLAG structure 52 | Jul-19-2012: 53 | 3.27 - compile with -DDEBUG to abort() on exception and force error output to stdout stream 54 | - added decode for NVML structure 55 | Jun-4-2012: 56 | 3.26 - allowing forwarding to apply to packets read from pcap as well as from udp socket 57 | - include spec file for building rpms 58 | Mar-23-2012: 59 | 3.25 - when reading pcap, try harder to parse the header properly to get to the sFlow datagram 60 | Feb-7-2012: 61 | 3.24 - include config_windows.h and Visual C++ express solution and project files with dist 62 | Dec-16-2011: 63 | 3.23 - add decode for counters struct 0:2204 (memcached) 64 | - add decode for counters struct 0:2106 (Java JMX) 65 | - add decodes for experimental generic application (APP_*) structures 66 | Apr-14-2011: 67 | 3.20 - compiles clean on MS Visual C++ (with project->options->advanced->compile-as = C++) 68 | - make listening for ipv4 only an option: "-4" 69 | Apr-7-2011: 70 | 3.19 - open and bind ipv4 socket if ipv6 socket fails 71 | - fix print format string error - thanks to Rick Jones 72 | Dec-22-2010 73 | 3.18 - add decodes for sflow-httpd, and common-logfile-format output (experimental) 74 | Sep-23-2010 75 | 3.17 - add decodes for sflow-memcached (experimental) 76 | - add decodes for virtual host-sflow structs 77 | May-17-2010 78 | 3.16 - host-sflow memory counters changed to 64-bit 79 | April-8-2010 80 | 3.15 - add host-sflow structure decodes 81 | - add more wifi-sflow structure decodes 82 | - fix bug/overrun vulnerability in getData32 - thanks to Sven Eshenberg 83 | April-22-2009 84 | 3.14 - clear dst_peer_as,dst_as every time - thanks to Marc Lavine 85 | October-10-2008 86 | 3.13 - revert to using select() for WIN32 - thanks to Marc Lavine 87 | - allow NetFlow forwarding when input was IPV4 structure - thanks to Sergey Drazhnikov 88 | - detect missing 
command-line arguments 89 | August-14-2007 90 | - allow new POS and 80211 header-protocol types 91 | June-4-2007 92 | 3.12 - clear the gotIPV6 flag for each sampled header - thanks to Rita Hiu 93 | June-1-2007 94 | 3.11 - use non-blocking I/O - thanks to Wolfgang Powisch 95 | - avoid struct timeval in pcap header because time_t is 64-bits on some platforms 96 | March-28-2006 97 | 3.10 - use poll() instead of select() 98 | - removed dcd_srcIP, dcd_dstIP and used the SFLAddress fields ipsrc and ipdst instead 99 | - finished the decode of the SFLSampled_ipv6 structure 100 | - option to filter by vlan - thanks to Christian Hammers 101 | - option (-x) to strip IP payload when writing tcpdump format - thanks to Richard Clayton 102 | - bugfix: all diagnostics to stderr when output is tcpdump - thanks to Richard Clayton 103 | - if netflow output, then normal text output is suppressed 104 | - bugfix: use u_char when printing MAC addresses from SFLSampled_ethernet struct 105 | Sep-19-2005 106 | 3.9 - bugfix: windows printf needs %I64 instead of %ll for 64-bit integer output 107 | Jun-28-2005 108 | 3.8 - added IPv6 header decode 109 | - on windows, now sets stdout to binary for pcap output (for piping into snort or windump) 110 | Apr-11-2005 111 | 3.7 - added experimental "process" struct extension 112 | Nov-26-2004 113 | 3.6 - bugfix: skipping over unknown structures 114 | - added "-f host/port" option to forward sflow to (multiple) collectors 115 | - added "-l" options to generate csv output with 1-line per flow or counter sample 116 | - added decode for "Processor" structure, as defined in sflow5 spec. 
117 | Jul-14-2004 118 | 3.5 fixed compile problem on Opteron 119 | - added "-r " option to read sflow from tcpdump capture file instead of from UDP socket 120 | Jun-17-2004 121 | 3.4 support for SFLFLOW_SAMPLE_EXPANDED and SFLCOUNTERS_SAMPLE_EXPANDED 122 | Dec-09-2003 123 | 3.3 new MPLS and VLAN structures added 124 | Jun-18-2003 125 | 3.2 "stripped" field added to sFlow v5 126 | Jun-19-2003 127 | 3.1 BGP next hop field added to sFlow v5 128 | Feb-10-2003 129 | 3.0 sFlow version 5 support 130 | Oct-17-2002 131 | 2.3 bugfixes to counter value reporting 132 | Oct-8-2002 133 | 2.2 bugfixes to SNAP and IP decodes (thanks to Marc Lavine of Foundry Networks) 134 | - CFLAGS option -DSPOOFSOURCE now works on Solaris as well as Linux 135 | - bugfix to NetFlow scaling (was defaulting OFF, when supposed to be defaulting ON) 136 | July-31-2002 137 | 2.0 support for sFlow version 4 datagram (RFC 3176) 138 | May-16-2002 139 | 1.5 allow compiling with -DSPOOFSOURCE, which then enables the "-S" flag, to spoof the source 140 | address of netflow packets to match the IP address of the original sflow agent. Note that this 141 | is only necessary for netflow output. In the case of sFlow output there is a separate field for 142 | the agent IP address, so the receiver can always read it from there. 143 | May-3-2002 144 | 1.4 handle ip fragments better - especially important for udp 145 | + netflow v5 export, bytes counted from start of ipv4 header. 
146 | Feb-7-2002 147 | 1.3 bugfixes to timestamps in NetFlow v5 export - thanks to Chris Cook of Asta Networks 148 | + changes to configure.in and sflowtool.h to try and improve portability across unix platforms 149 | Jan-15-2002 150 | 1.2 changes to allow compilation on Solaris - thanks to Bogdan Ionescu from University of Ottowa 151 | May-31-2001 152 | 1.0 initial release, works with sFlow version 2 153 | 154 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | # sflowtool 2 | Print binary sFlow feed to ASCII, or forward it to other collectors. 3 | 4 | This tool receives sFlow data, and generates either a simple-to-parse tagged-ASCII output, 5 | or binary output in tcpdump(1) format. It can also generate Cisco NetFlow version 5 datagrams 6 | and send them to a destination UDP host:port, or forward the original sFlow feed to a number 7 | of additional collectors. 8 | 9 | Please read the licence terms in ./COPYING. 10 | 11 | For more details on the sFlow data format, see http://www.sflow.org. 12 | 13 | # Build from sources 14 | 15 | ./boot.sh 16 | ./configure 17 | make 18 | sudo make install 19 | 20 | (Start from ./configure if you downloaded a released version.) 21 | 22 | # Usage examples 23 | 24 | If sFlow is arriving on port 6343, you can pretty-print the data like this: 25 | 26 | % ./sflowtool -p 6343 27 | 28 | or get a line-by-line output like this: 29 | 30 | % ./sflowtool -p 6343 -l 31 | 32 | or a custom line-by-line output by listing fields like this: 33 | 34 | % ./sflowtool -p 6343 -L localtime,srcIP,dstIP 35 | 36 | or a JSON representation like this: 37 | 38 | % ./sflowtool -p 6343 -J 39 | 40 | In a typical application, this output would be parsed by an awk or perl script, perhaps to 41 | extract MAC->IP address-mappings or to extract a particular counter for trending. 
The 42 | usage might then look more like this: 43 | 44 | % ./sflowtool -p 6343 | my_perl_script.pl > output 45 | 46 | Alternatively, you can show packet decodes like this: 47 | 48 | % ./sflowtool -p 6343 -t | tcpdump -r - 49 | 50 | To forward Cisco NetFlow v5 records to UDP port 9991 on host collector.mysite.com, the 51 | options would be: 52 | 53 | % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 54 | 55 | If you compiled with -DSPOOFSOURCE, then you have the option of "spoofing" the IP source 56 | address of the netflow packets to match the IP address(es) of the original sflow agent(s)... 57 | 58 | % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 -S 59 | 60 | To replicate the input sflow stream to several collectors, use the "-f host/port" option 61 | like this: 62 | 63 | % ./sflowtool -p 6343 -f localhost/7777 -f localhost/7778 -f collector.mysite.com/6343 64 | 65 | 66 | # Example Output 67 | 68 | An example of the pretty-printed output is shown below. Note that every field can be 69 | parsed as two space-separated tokens (tag and value). Newlines separate one field from 70 | the next. The first field in a datagram is always the "unixSecondsUTC" field, and the 71 | first field in a flow or counters sample is always the "sampleSequenceNo" field. In 72 | this example, the datagram held two flow-samples and two counters-samples. Comments 73 | have been added in <<>> brackets. These are not found in the output. 
74 | 75 | unixSecondsUTC 991362247 <> 76 | datagramVersion 2 77 | agent 10.0.0.254 <> 78 | sysUpTime 10391000 79 | packetSequenceNo 5219 <> 80 | samplesInPacket 4 81 | sampleSequenceNo 9466 <> 82 | sourceId 0:0 83 | sampleType FLOWSAMPLE 84 | meanSkipCount 10 85 | samplePool 94660 86 | dropEvents 0 87 | inputPort 14 88 | outputPort 16 89 | packetDataTag INMPACKETTYPE_HEADER 90 | headerProtocol 1 91 | sampledPacketSize 1014 92 | headerLen 128 93 | headerBytes 00-50-04-29-1B-D9-00-D0-B7-23-B7-D8-08-00-45-00-03-E8-37-44-40-00-40-06-EB-C6-0A-00-00-01-0A-00-00-05-0D-F1-17-70-A2-4C-D2-AF-B1-F0-BF-01-80-18-7C-70-82-E0-00-00-01-01-08-0A-23-BC-42-93-01-A9- 94 | dstMAC 005004291bd9 <> 95 | srcMAC 00d0b723b7d8 96 | srcIP 10.0.0.1 97 | dstIP 10.0.0.5 98 | IPProtocol 6 99 | TCPSrcPort 3569 100 | TCPDstPort 6000 101 | TCPFlags 24 102 | extendedType ROUTER <> 103 | nextHop 129.250.28.33 104 | srcSubnetMask 24 105 | dstSubnetMask 24 106 | sampleSequenceNo 346 <> 107 | sourceId 0:92 108 | sampleType COUNTERSSAMPLE 109 | statsSamplingInterval 20 110 | counterBlockVersion 1 111 | ifIndex 92 112 | networkType 53 113 | ifSpeed 0 114 | ifDirection 0 115 | ifStatus 0 116 | ifInOctets 18176791 117 | ifInUcastPkts 92270 118 | ifInMulticastPkts 0 119 | ifInBroadcastPkts 100 120 | ifInDiscards 0 121 | ifInErrors 0 122 | ifInUnknownProtos 0 123 | ifOutOctets 40077590 124 | ifOutUcastPkts 191170 125 | ifOutMulticastPkts 1684 126 | ifOutBroadcastPkts 674 127 | ifOutDiscards 0 128 | ifOutErrors 0 129 | ifPromiscuousMode 0 130 | sampleSequenceNo 9467 <> 131 | sourceId 0:0 132 | sampleType FLOWSAMPLE 133 | meanSkipCount 10 134 | samplePool 94670 135 | dropEvents 0 136 | inputPort 16 137 | outputPort 14 138 | packetDataTag INMPACKETTYPE_HEADER 139 | headerProtocol 1 140 | sampledPacketSize 66 141 | headerLen 66 142 | headerBytes 
00-D0-B7-23-B7-D8-00-50-04-29-1B-D9-08-00-45-00-00-34-1E-D7-40-00-40-06-07-E8-0A-00-00-05-0A-00-00-01-17-70-0D-F1-B1-F0-BF-01-A2-4C-E3-A3-80-10-7C-70-E2-62-00-00-01-01-08-0A-01-A9-7F-A0-23-BC- 143 | dstMAC 00d0b723b7d8 144 | srcMAC 005004291bd9 145 | srcIP 10.0.0.5 146 | dstIP 10.0.0.1 147 | IPProtocol 6 148 | TCPSrcPort 6000 149 | TCPDstPort 3569 150 | TCPFlags 16 151 | extendedType ROUTER 152 | nextHop 129.250.28.33 153 | srcSubnetMask 24 154 | dstSubnetMask 24 155 | sampleSequenceNo 346 <> 156 | sourceId 0:93 157 | sampleType COUNTERSSAMPLE 158 | statsSamplingInterval 30 159 | counterBlockVersion 1 160 | ifIndex 93 161 | networkType 53 162 | ifSpeed 0 163 | ifDirection 0 164 | ifStatus 0 165 | ifInOctets 103959 166 | ifInUcastPkts 448 167 | ifInMulticastPkts 81 168 | ifInBroadcastPkts 93 169 | ifInDiscards 0 170 | ifInErrors 0 171 | ifInUnknownProtos 0 172 | ifOutOctets 196980 173 | ifOutUcastPkts 460 174 | ifOutMulticastPkts 599 175 | ifOutBroadcastPkts 153 176 | ifOutDiscards 0 177 | ifOutErrors 0 178 | ifPromiscuousMode 0 179 | 180 | 181 | # Other ExtendedTypes 182 | 183 | If your sFlow agent is running BGP, you may also see GATEWAY extendedType sections like this: 184 | 185 | extendedType GATEWAY 186 | my_as 65001 187 | src_as 0 188 | src_peer_as 0 189 | dst_as_path_len 3 190 | dst_as_path 65000-2828-4908 191 | 192 | 193 | The SWITCH, USER and URL extendedTypes may also appear. The SWITCH extendedType provides 194 | information on input and output VLANs and priorities. The USER extendedType provides 195 | information on the user-id that was allocated this IP address via a remote access session 196 | (e.g. RADIUS or TACAS). The URL field indicates for an HTTP flow what the original requested 197 | URL was for the flow. For more information, see the published sFlow documentation at 198 | http://www.sflow.org. 
199 | 200 | 201 | # line-by-line csv output 202 | 203 | If you run sflowtool using the "-l" option then only one row of output will be generated 204 | for each flow or counter sample. It will look something like this: 205 | 206 | [root@server src]# ./sflowtool -l 207 | CNTR,10.0.0.254,17,6,100000000,0,2147483648,175283006,136405187,2578019,297011,0,3,0,0,0,0,0,0,0,1 208 | FLOW,10.0.0.254,0,0,00902773db08,001083265e00,0x0800,0,0,10.0.0.1,10.0.0.254,17,0x00,64,35690,161,0x00,143,125,80 209 | 210 | The counter samples are indicated with the "CNTR" entry in the first column. 211 | The second column is the agent address. The remaining columns are the 212 | fields from the generic counters structure (see SFLIf_counters in sflow.h). 213 | 214 | The flow samples are indicated with the "FLOW" entry in the first column. 215 | The second column is the agent address. The remaining columns are: 216 | 217 | inputPort 218 | outputPort 219 | src_MAC 220 | dst_MAC 221 | ethernet_type 222 | in_vlan 223 | out_vlan 224 | src_IP 225 | dst_IP 226 | IP_protocol 227 | ip_tos 228 | ip_ttl 229 | udp_src_port OR tcp_src_port OR icmp_type 230 | udp_dst_port OR tcp_dst_port OR icmp_code 231 | tcp_flags 232 | packet_size 233 | IP_size 234 | sampling_rate 235 | 236 | To request a custom line output, use the -L option, like this: 237 | 238 | % sflowtool -L localtime,srcIP,dstIP 239 | 240 | # grep-friendly output 241 | 242 | The "-g" option causes sflowtool to include contextual information on every 243 | line of output. The fields are: 244 | 245 | agentIP 246 | agentSubId 247 | datasource_sequenceNo 248 | datasource_class 249 | datasource_index 250 | sampletype_tag 251 | elementtype_tag 252 | 253 | For example, this makes it much easier to extract a particular counter for each agent, 254 | accumulate the deltas, and stream it to a time-series database. 255 | 256 | # JSON output 257 | 258 | The -J option prints human-readable JSON with a blank line between datagrams. 
To 259 | print more compact JSON with each datagram on one line, use -j instead. 260 | 261 | --- 262 | ---------------------------------------- 263 | Neil McKee (neil.mckee@inmon.com) 264 | InMon Corp. http://www.inmon.com 265 | 266 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # sflowtool 2 | Print binary sFlow feed to ASCII, or forward it to other collectors. 3 | 4 | This tool receives sFlow data, and generates ASCII, JSON, CSV, tcpdump(1) or NetFlow(TM) output. 5 | Options are also available to forward the sFlow feed to additional collectors, or read packets 6 | from a capture file and forward as sFlow samples. 7 | 8 | Please read the licence terms in ./COPYING. 9 | 10 | - For more details on the sFlow data format, see: http://www.sflow.org 11 | - For example switch and router configs see: https://github.com/sflow/config 12 | - For freeware agent on Linux server see: https://github.com/sflow/host-sflow 13 | - For scalable, real-time sFlow analytics see: https://sflow-rt.com 14 | 15 | # Run under docker 16 | docker run sflow/sflowtool 17 | 18 | # Build from sources 19 | 20 | ./boot.sh 21 | ./configure 22 | make 23 | sudo make install 24 | 25 | (Start from ./configure if you downloaded a released version.) 26 | 27 | # Usage examples 28 | 29 | If sFlow is arriving on port 6343, you can pretty-print the data like this: 30 | 31 | % ./sflowtool -p 6343 32 | 33 | or get a line-by-line output like this: 34 | 35 | % ./sflowtool -p 6343 -l 36 | 37 | or a custom line-by-line output by listing fields like this: 38 | 39 | % ./sflowtool -p 6343 -L localtime,srcIP,dstIP 40 | 41 | or a JSON representation like this: 42 | 43 | % ./sflowtool -p 6343 -J 44 | 45 | In a typical application, this output would be parsed by an awk or perl script, perhaps to 46 | extract MAC->IP address-mappings or to extract a particular counter for trending. 
The 47 | usage might then look more like this: 48 | 49 | % ./sflowtool -p 6343 | my_perl_script.pl > output 50 | 51 | Alternatively, you can show packet decodes like this: 52 | 53 | % ./sflowtool -p 6343 -t | tcpdump -r - 54 | 55 | To forward Cisco NetFlow v5 records to UDP port 9991 on host collector.mysite.com, the 56 | options would be: 57 | 58 | % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 59 | 60 | If you compiled with -DSPOOFSOURCE, then you have the option of "spoofing" the IP source 61 | address of the netflow packets to match the IP address(es) of the original sflow agent(s)... 62 | 63 | % ./sflowtool -p 6343 -c collector.mysite.com -d 9991 -S 64 | 65 | To replicate the input sflow stream to several collectors, use the "-f host/port" option 66 | like this: 67 | 68 | % ./sflowtool -p 6343 -f localhost/7777 -f localhost/7778 -f collector.mysite.com/6343 69 | 70 | To replay an sFlow feed captured in a tcpdump file with 10x time compression: 71 | 72 | % ./sflowtool -r sflow.pcap -f localhost/7778 -f -P 10 73 | 74 | # Example Output 75 | 76 | An example of the pretty-printed output is shown below. Note that every field can be 77 | parsed as two space-separated tokens (tag and value). Newlines separate one field from 78 | the next. The first field in a datagram is always the "unixSecondsUTC" field, and the 79 | first field in a flow or counters sample is always the "sampleSequenceNo" field. In 80 | this example, the datagram held two flow-samples and two counters-samples. Comments 81 | have been added in <<>> brackets. These are not found in the output. 
82 | 83 | unixSecondsUTC 991362247 <> 84 | datagramVersion 2 85 | agent 10.0.0.254 <> 86 | sysUpTime 10391000 87 | packetSequenceNo 5219 <> 88 | samplesInPacket 4 89 | sampleSequenceNo 9466 <> 90 | sourceId 0:0 91 | sampleType FLOWSAMPLE 92 | meanSkipCount 10 93 | samplePool 94660 94 | dropEvents 0 95 | inputPort 14 96 | outputPort 16 97 | packetDataTag INMPACKETTYPE_HEADER 98 | headerProtocol 1 99 | sampledPacketSize 1014 100 | headerLen 128 101 | headerBytes 00-50-04-29-1B-D9-00-D0-B7-23-B7-D8-08-00-45-00-03-E8-37-44-40-00-40-06-EB-C6-0A-00-00-01-0A-00-00-05-0D-F1-17-70-A2-4C-D2-AF-B1-F0-BF-01-80-18-7C-70-82-E0-00-00-01-01-08-0A-23-BC-42-93-01-A9- 102 | dstMAC 005004291bd9 <> 103 | srcMAC 00d0b723b7d8 104 | srcIP 10.0.0.1 105 | dstIP 10.0.0.5 106 | IPProtocol 6 107 | TCPSrcPort 3569 108 | TCPDstPort 6000 109 | TCPFlags 24 110 | extendedType ROUTER <> 111 | nextHop 129.250.28.33 112 | srcSubnetMask 24 113 | dstSubnetMask 24 114 | sampleSequenceNo 346 <> 115 | sourceId 0:92 116 | sampleType COUNTERSSAMPLE 117 | statsSamplingInterval 20 118 | counterBlockVersion 1 119 | ifIndex 92 120 | networkType 53 121 | ifSpeed 0 122 | ifDirection 0 123 | ifStatus 0 124 | ifInOctets 18176791 125 | ifInUcastPkts 92270 126 | ifInMulticastPkts 0 127 | ifInBroadcastPkts 100 128 | ifInDiscards 0 129 | ifInErrors 0 130 | ifInUnknownProtos 0 131 | ifOutOctets 40077590 132 | ifOutUcastPkts 191170 133 | ifOutMulticastPkts 1684 134 | ifOutBroadcastPkts 674 135 | ifOutDiscards 0 136 | ifOutErrors 0 137 | ifPromiscuousMode 0 138 | sampleSequenceNo 9467 <> 139 | sourceId 0:0 140 | sampleType FLOWSAMPLE 141 | meanSkipCount 10 142 | samplePool 94670 143 | dropEvents 0 144 | inputPort 16 145 | outputPort 14 146 | packetDataTag INMPACKETTYPE_HEADER 147 | headerProtocol 1 148 | sampledPacketSize 66 149 | headerLen 66 150 | headerBytes 
00-D0-B7-23-B7-D8-00-50-04-29-1B-D9-08-00-45-00-00-34-1E-D7-40-00-40-06-07-E8-0A-00-00-05-0A-00-00-01-17-70-0D-F1-B1-F0-BF-01-A2-4C-E3-A3-80-10-7C-70-E2-62-00-00-01-01-08-0A-01-A9-7F-A0-23-BC- 151 | dstMAC 00d0b723b7d8 152 | srcMAC 005004291bd9 153 | srcIP 10.0.0.5 154 | dstIP 10.0.0.1 155 | IPProtocol 6 156 | TCPSrcPort 6000 157 | TCPDstPort 3569 158 | TCPFlags 16 159 | extendedType ROUTER 160 | nextHop 129.250.28.33 161 | srcSubnetMask 24 162 | dstSubnetMask 24 163 | sampleSequenceNo 346 <> 164 | sourceId 0:93 165 | sampleType COUNTERSSAMPLE 166 | statsSamplingInterval 30 167 | counterBlockVersion 1 168 | ifIndex 93 169 | networkType 53 170 | ifSpeed 0 171 | ifDirection 0 172 | ifStatus 0 173 | ifInOctets 103959 174 | ifInUcastPkts 448 175 | ifInMulticastPkts 81 176 | ifInBroadcastPkts 93 177 | ifInDiscards 0 178 | ifInErrors 0 179 | ifInUnknownProtos 0 180 | ifOutOctets 196980 181 | ifOutUcastPkts 460 182 | ifOutMulticastPkts 599 183 | ifOutBroadcastPkts 153 184 | ifOutDiscards 0 185 | ifOutErrors 0 186 | ifPromiscuousMode 0 187 | 188 | 189 | # Other ExtendedTypes 190 | 191 | If your sFlow agent is running BGP, you may also see GATEWAY extendedType sections like this: 192 | 193 | extendedType GATEWAY 194 | my_as 65001 195 | src_as 0 196 | src_peer_as 0 197 | dst_as_path_len 3 198 | dst_as_path 65000-2828-4908 199 | 200 | 201 | The SWITCH, USER and URL extendedTypes may also appear. The SWITCH extendedType provides 202 | information on input and output VLANs and priorities. The USER extendedType provides 203 | information on the user-id that was allocated this IP address via a remote access session 204 | (e.g. RADIUS or TACAS). The URL field indicates for an HTTP flow what the original requested 205 | URL was for the flow. For more information, see the published sFlow documentation at 206 | http://www.sflow.org. 
207 | 208 | 209 | # line-by-line csv output 210 | 211 | If you run sflowtool using the "-l" option then only one row of output will be generated 212 | for each flow or counter sample. It will look something like this: 213 | 214 | [root@server src]# ./sflowtool -l 215 | CNTR,10.0.0.254,17,6,100000000,0,2147483648,175283006,136405187,2578019,297011,0,3,0,0,0,0,0,0,0,1 216 | FLOW,10.0.0.254,0,0,00902773db08,001083265e00,0x0800,0,0,10.0.0.1,10.0.0.254,17,0x00,64,35690,161,0x00,143,125,80 217 | 218 | The counter samples are indicated with the "CNTR" entry in the first column. 219 | The second column is the agent address. The remaining columns are the 220 | fields from the generic counters structure (see SFLIf_counters in sflow.h). 221 | 222 | The flow samples are indicated with the "FLOW" entry in the first column. 223 | The second column is the agent address. The remaining columns are: 224 | 225 | inputPort 226 | outputPort 227 | src_MAC 228 | dst_MAC 229 | ethernet_type 230 | in_vlan 231 | out_vlan 232 | src_IP 233 | dst_IP 234 | IP_protocol 235 | ip_tos 236 | ip_ttl 237 | udp_src_port OR tcp_src_port OR icmp_type 238 | udp_dst_port OR tcp_dst_port OR icmp_code 239 | tcp_flags 240 | packet_size 241 | IP_size 242 | sampling_rate 243 | 244 | To request a custom line output, use the -L option, like this: 245 | 246 | % sflowtool -L localtime,srcIP,dstIP 247 | 248 | # grep-friendly output 249 | 250 | The "-g" option causes sflowtool to include contextual information on every 251 | line of output. The fields are: 252 | 253 | agentIP 254 | agentSubId 255 | datasource_sequenceNo 256 | datasource_class 257 | datasource_index 258 | sampletype_tag 259 | elementtype_tag 260 | 261 | For example, this makes it much easier to extract a particular counter for each agent, 262 | accumulate the deltas, and stream it to a time-series database. 263 | 264 | # JSON output 265 | 266 | The -J option prints human-readable JSON with a blank line between datagrams. 
To 267 | print more compact JSON with each datagram on one line, use -j instead. 268 | 269 | --- 270 | ---------------------------------------- 271 | Neil McKee (neil.mckee@inmon.com) 272 | InMon Corp. http://www.inmon.com 273 | 274 | -------------------------------------------------------------------------------- /src/sflow_xdr.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2002-2022 InMon Corp. Licensed under the terms of the InMon sFlow licence: */ 2 | /* http://www.inmon.com/technology/sflowlicense.txt */ 3 | 4 | #ifndef SFLOW_XDR_H 5 | #define SFLOW_XDR_H 1 6 | 7 | #if defined(__cplusplus) 8 | extern "C" { 9 | #endif 10 | 11 | // sFlow datagram encoding (XDR) 12 | // Multi-threading considerations: 13 | // The SFD* functions may require synchronization if the counter-samples are 14 | // supplied by a different thread than the packet samples or discards, but 15 | // the sfd_xdr_* functions operate on a separate SFDBuf that can always 16 | // be private to one thread. So theoretically several threads could work 17 | // on encoding samples in parallel and only the operations involving SFDDgram 18 | // would need a semaphore. 19 | 20 | // Set an upper-limit on the size of any flow/counter/discard sample. 21 | #define SFD_MAX_SAMPLE_SIZE 512 22 | #define SFD_MAX_SAMPLE_QUADS (SFD_MAX_SAMPLE_SIZE >> 2) 23 | // Set an upper limit on the number of flow/counter/discard samples in one datagram. 24 | #define SFD_MAX_DATAGRAM_SAMPLES 16 25 | // Set an upper limit on the nesting of XDR structures. 26 | #define SFD_XDR_MAX_STACKDEPTH 16 27 | 28 | // #define SFD_ASSERT(x) assert(x) 29 | #define SFD_ASSERT(x) 30 | 31 | // Each flow/counter/discard sample will be one SFDBuf which can 32 | // encode multiple nested elements within it. For example, a flow-sample 33 | // may contain the elements packet-header, extended-switch and extended-router. 
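// Similarly, a counter-sample may contain generic-counters, ethernet-counters
// and optical-counter elements.

typedef struct _SFDBuf {
  struct _SFDBuf *nxt;                     // link field; cleared by sfd_xdr_init, reused by the SFD* datagram functions
  uint32_t cursor;                         // index of the next free quad in xdr[]
  uint32_t nstack;                         // number of TLVs currently open
  uint32_t stack[SFD_XDR_MAX_STACKDEPTH];  // xdr[] index of each open TLV's length quad
  uint32_t xdr[SFD_MAX_SAMPLE_QUADS];      // encoded sample, network byte order
} SFDBuf;

// XDR encoding is quad-aligned, network-byte order.

// SFD_ASSERT is defined empty in this header, so the assertions below check
// nothing in a normal build. The encoders therefore enforce their own bounds:
// a write that does not fit in xdr[] (or in stack[]) is dropped instead of
// running past the end of the array.
// NOTE(review): a dropped write leaves the sample incomplete and the caller
// gets no signal; consider recording an overflow flag in SFDBuf so that the
// sample can be rejected before it is queued.

// Return non-zero when 'quads' more 32-bit words fit after the cursor.
static int sfd_xdr_has_room(const SFDBuf *buf, uint32_t quads) {
  return buf->cursor <= SFD_MAX_SAMPLE_QUADS
    && quads <= (SFD_MAX_SAMPLE_QUADS - buf->cursor);
}

// Reset a buffer so that encoding starts again at xdr[0] with no open TLVs.
static void sfd_xdr_init(SFDBuf *buf) {
  buf->cursor = 0;
  buf->nstack = 0;
  buf->nxt = NULL;
}

// Address of the next free quad.
static uint32_t *sfd_xdr_ptr(SFDBuf *buf) {
  return (buf->xdr + buf->cursor);
}

// Append one 32-bit value in network byte order.
static void sfd_xdr_enc_int32(SFDBuf *buf, uint32_t val32) {
  SFD_ASSERT(buf->cursor < SFD_MAX_SAMPLE_QUADS-1);
  if(!sfd_xdr_has_room(buf, 1))
    return;
  buf->xdr[buf->cursor++] = htonl(val32);
}

// Append a 64-bit value as two quads, most-significant first.
static void sfd_xdr_enc_int64(SFDBuf *buf, uint64_t val64) {
  // Check for both quads up front so that half a value is never written.
  if(!sfd_xdr_has_room(buf, 2))
    return;
  uint32_t hi = (uint32_t)(val64 >> 32);
  uint32_t lo = (uint32_t)val64;
  sfd_xdr_enc_int32(buf, hi);
  sfd_xdr_enc_int32(buf, lo);
}

// Append the 4-byte object representation of a float as one quad.
static void sfd_xdr_enc_float(SFDBuf *buf, float valf) {
  uint32_t val;
  memcpy(&val, &valf, sizeof(val));
  sfd_xdr_enc_int32(buf, val);
}

// Append the 8-byte object representation of a double as two quads.
static void sfd_xdr_enc_dbl(SFDBuf *buf, double vald) {
  uint64_t val64;
  memcpy(&val64, &vald, sizeof(val64));
  sfd_xdr_enc_int64(buf, val64);
}

// Append 'len' raw bytes, padded with 00s to the next quad boundary.
// Nothing is written when len is 0, data is NULL, or the bytes do not fit.
static void sfd_xdr_enc_bytes(SFDBuf *buf, u_char *data, uint32_t len) {
  if(len == 0 || data == NULL)
    return;
  // Reject before rounding up: (len + 3) wraps for len close to UINT32_MAX,
  // which would make the quad count look small while memcpy copies 'len'.
  if(len > SFD_MAX_SAMPLE_SIZE)
    return;
  uint32_t quads = (len + 3) >> 2;
  if(!sfd_xdr_has_room(buf, quads))
    return;
  // Zero the LAST quad of the destination before copying, so that the 0-3
  // pad bytes after the data are 00s. The previous code cleared
  // xdr[cursor] after advancing the cursor, i.e. the quad following the
  // data, which left the pad bytes holding whatever the buffer contained
  // before (buffers are recycled between samples).
  buf->xdr[buf->cursor + quads - 1] = 0;
  memcpy(sfd_xdr_ptr(buf), data, len);
  buf->cursor += quads;
}

// Append a counted string: a length quad followed by the padded bytes.
// A NULL str is encoded as an empty string.
static void sfd_xdr_enc_str(SFDBuf *buf, const char *str, uint32_t len) {
  if(str == NULL)
    len = 0;
  // Length and bytes are written together or not at all, so the length
  // prefix can never describe bytes that were dropped.
  if(len > SFD_MAX_SAMPLE_SIZE
     || !sfd_xdr_has_room(buf, 1 + ((len + 3) >> 2)))
    return;
  sfd_xdr_enc_int32(buf, len);
  sfd_xdr_enc_bytes(buf, (u_char *)str, len);
}

// Append a 6-byte MAC address (occupies two quads after padding).
static void sfd_xdr_enc_mac(SFDBuf *buf, u_char *mac) {
  sfd_xdr_enc_bytes(buf, mac, 6);
}

// Append an address: the type quad, then 16 bytes for IPv6 or 4 bytes otherwise.
static void sfd_xdr_enc_ip(SFDBuf *buf, SFLAddress *ip) {
  SFD_ASSERT(buf->cursor < (SFD_MAX_SAMPLE_QUADS-2));
  int is_v6 = (ip->type == SFLADDRESSTYPE_IP_V6);
  // Type and address go in together or not at all.
  if(!sfd_xdr_has_room(buf, is_v6 ? 5 : 2))
    return;
  sfd_xdr_enc_int32(buf, ip->type);
  if(is_v6)
    sfd_xdr_enc_bytes(buf, (u_char *)&ip->address.ip_v6.addr, 16);
  else
    sfd_xdr_enc_bytes(buf, (u_char *)&ip->address.ip_v4.addr, 4);
}

// Open a tag-length-value element: write the tag, remember where the length
// quad lives, and write a zero length to be patched by sfd_xdr_end_tlv.
static void sfd_xdr_start_tlv(SFDBuf *buf, uint32_t tag) {
  SFD_ASSERT(buf->cursor < (SFD_MAX_SAMPLE_QUADS-2));
  SFD_ASSERT(buf->nstack < (SFD_XDR_MAX_STACKDEPTH-1));
  // Need a free stack slot and two quads (tag + length).
  if(buf->nstack >= SFD_XDR_MAX_STACKDEPTH
     || !sfd_xdr_has_room(buf, 2))
    return;
  buf->xdr[buf->cursor++] = htonl(tag);
  buf->stack[buf->nstack++] = buf->cursor; // remember cursor offset
  buf->xdr[buf->cursor++] = htonl(0); // place-holder for length
}

// Close the innermost open TLV by patching its length quad with the number
// of bytes encoded since the matching sfd_xdr_start_tlv.
static void sfd_xdr_end_tlv(SFDBuf *buf) {
  SFD_ASSERT(buf->nstack > 0);
  if(buf->nstack == 0 || buf->nstack > SFD_XDR_MAX_STACKDEPTH)
    return;
  uint32_t c_len = buf->stack[--buf->nstack];
  SFD_ASSERT(c_len < (SFD_MAX_SAMPLE_QUADS-1));
  // The length slot must lie inside xdr[] and before the cursor, otherwise
  // the store is out of bounds or the subtraction below wraps.
  if(c_len >= SFD_MAX_SAMPLE_QUADS || c_len >= buf->cursor)
    return;
  buf->xdr[c_len] = htonl((buf->cursor - c_len - 1) << 2);
}

// Datagram functions.

// The datagram object knows how to encode the header and
// compose datagrams with minimal copying.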
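
// Callbacks supplied by the application. 'magic' is the opaque pointer given
// to SFDNew and is passed back unchanged on every call.
typedef void (*f_send_t)(void *magic, struct iovec *iov, int iovcnt); // transmit one datagram
typedef uint64_t (*f_now_mS_t)(void *magic);                          // current time in mS
typedef void *(*f_alloc_t)(void *magic, size_t bytes);                // allocate
typedef void (*f_free_t)(void *magic, void *obj);                     // release
typedef void (*f_lock_t)(void *magic, int on);                        // called with 1 to lock, 0 to unlock
typedef void (*f_err_t)(void *magic, char *msg);                      // report an error string

typedef struct {
  SFLAddress agentAddress;   // encoded into the header by SFDNew
  uint32_t agentSubId;       // encoded into the header by SFDNew
  uint32_t dgramSeqNo;       // incremented for every datagram sent
  uint64_t bootTime_mS;      // f_now_mS() at creation
  uint64_t lastSend_mS;      // f_now_mS() at the most recent send
  uint32_t dgramLen;         // bytes queued so far, header included
  uint32_t maxDgramLen;      // reaching this length triggers a send
  uint32_t cursor0;          // header cursor after the fixed fields
  uint32_t headerLen;        // full header length in bytes
  SFDBuf hdr;                // header encoding buffer
  SFDBuf *bufs;              // free list of recycled sample buffers
  uint32_t nsamples;         // samples queued in samples[] / iov[1..]
  SFDBuf *samples[SFD_MAX_DATAGRAM_SAMPLES];
  struct iovec iov[SFD_MAX_DATAGRAM_SAMPLES + 1]; // iov[0] is the header
  void *magic;
  f_send_t f_send;
  f_now_mS_t f_now_mS;
  f_alloc_t f_alloc;
  f_free_t f_free;
  f_lock_t f_lock;
  f_err_t f_err;
} SFDDgram;

// Allocate and initialise a datagram object and pre-encode the constant part
// of the header (version, agent address, agent sub-id).
// Returns NULL when agentAddress, allocFn or nowFn is NULL or when the
// allocation fails; SFD_ASSERT is defined empty in this header, so those
// conditions are checked explicitly. The result is released with SFDFree.
static SFDDgram *SFDNew(uint32_t maxDgramLen,
                        SFLAddress *agentAddress,
                        uint32_t agentSubId,
                        void *magic,
                        f_alloc_t allocFn,
                        f_free_t freeFn,
                        f_now_mS_t nowFn,
                        f_send_t sendFn,
                        f_lock_t lockFn,
                        f_err_t errFn) {
  SFD_ASSERT(agentAddress->type == SFLADDRESSTYPE_IP_V4
             || agentAddress->type == SFLADDRESSTYPE_IP_V6);
  SFD_ASSERT(allocFn != NULL);
  if(agentAddress == NULL || allocFn == NULL || nowFn == NULL)
    return NULL;
  SFDDgram *sfdg = (SFDDgram *)allocFn(magic, sizeof(SFDDgram));
  if(sfdg == NULL)
    return NULL;
  // Zero-fill also leaves hdr with cursor 0 and an empty TLV stack.
  memset(sfdg, 0, sizeof(*sfdg));
  sfdg->maxDgramLen = maxDgramLen;
  sfdg->agentAddress = *agentAddress;
  sfdg->agentSubId = agentSubId;
  sfdg->magic = magic;
  sfdg->f_alloc = allocFn;
  sfdg->f_free = freeFn;
  sfdg->f_now_mS = nowFn;
  sfdg->f_send = sendFn;
  sfdg->f_lock = lockFn;
  sfdg->f_err = errFn;
  sfdg->bootTime_mS = sfdg->f_now_mS(sfdg->magic);
  // We can do the first part of the header encoding here
  // because it is always the same.
  SFDBuf *hdr = &(sfdg->hdr);
  sfd_xdr_enc_int32(hdr, SFLDATAGRAM_VERSION5);
  sfd_xdr_enc_ip(hdr, &sfdg->agentAddress);
  sfd_xdr_enc_int32(hdr, sfdg->agentSubId);
  // Remember where we should reset to.
  sfdg->cursor0 = hdr->cursor;
  // And we already know what iov[0] will be
  // after we add three more fields...
  sfdg->headerLen = ((hdr->cursor + 3) << 2);
  sfdg->dgramLen = sfdg->headerLen;
  sfdg->iov[0].iov_base = hdr->xdr;
  sfdg->iov[0].iov_len = sfdg->headerLen;
  return sfdg;
}

// If lock fn supplied, it will be called for thread mutual-exclusion.
// Wrapped in do/while(0) so the macro is one statement and cannot capture
// an 'else' that follows it.
#define SFD_LOCK(dg,on) do { if((dg)->f_lock) (dg)->f_lock((dg)->magic, (on)); } while(0)

// Datagram recycles xdr buffers, but only if allocated here.
// NOTE(review): the brand is a fixed pointer value stored in buf->nxt; it
// marks where a buffer came from but is not a validity check on the pointer.
#define SFD_RECYCLE ((SFDBuf *)0xD1CEC0DE)

// Hand out an initialised sample buffer, taken from the free list when one is
// available and from f_alloc otherwise. Returns NULL if f_alloc fails.
static SFDBuf *SFDSampleNew(SFDDgram *sfdg) {
  SFD_LOCK(sfdg, 1);
  SFDBuf *buf = sfdg->bufs;
  if(buf)
    sfdg->bufs = buf->nxt;
  else
    buf = (SFDBuf *)sfdg->f_alloc(sfdg->magic, sizeof(SFDBuf));
  if(buf) {
    sfd_xdr_init(buf);
    // Sheep-brand buf as coming from here.
    buf->nxt = SFD_RECYCLE;
  }
  // Release the lock on the failure path too.
  SFD_LOCK(sfdg, 0);
  return buf;
}

// Complete the header, send the queued samples and reset for the next
// datagram. The caller is expected to hold the lock (see SFDSend).
static void SFDSend_nolock(SFDDgram *sfdg) {
  // Something to send?
  if(sfdg->nsamples == 0)
    return;
  // Get timestamp.
  sfdg->lastSend_mS = sfdg->f_now_mS(sfdg->magic);
  // Complete the header.
  SFDBuf *hdr = &(sfdg->hdr);
  hdr->cursor = sfdg->cursor0;
  sfd_xdr_enc_int32(hdr, ++sfdg->dgramSeqNo);
  // Time since creation, truncated to 32 bits.
  sfd_xdr_enc_int32(hdr, (uint32_t)(sfdg->lastSend_mS - sfdg->bootTime_mS));
  sfd_xdr_enc_int32(hdr, sfdg->nsamples);
  // Send out datagram.
  sfdg->f_send(sfdg->magic, sfdg->iov, sfdg->nsamples + 1);
  // And reset.
  // Recycle bufs if they were mine.
  // TODO: should maybe insist that they be mine?
  for(uint32_t ii = 0; ii < sfdg->nsamples; ii++) {
    SFDBuf *buf = sfdg->samples[ii];
    if(buf->nxt == SFD_RECYCLE) {
      buf->nxt = sfdg->bufs;
      sfdg->bufs = buf;
    }
    else if(sfdg->f_err)
      sfdg->f_err(sfdg->magic, "sample not allocated by SFDSampleNew");
  }
  // And reset for next datagram.
  sfdg->nsamples = 0;
  sfdg->dgramLen = sfdg->headerLen;
}

// Send whatever is queued, taking the lock if one was supplied.
static void SFDSend(SFDDgram *sfdg) {
  SFD_LOCK(sfdg, 1);
  SFDSend_nolock(sfdg);
  SFD_LOCK(sfdg, 0);
}

// Timestamp (mS) recorded at the most recent send; 0 before the first send.
static uint64_t SFDLastSend_mS(SFDDgram *sfdg) {
  return sfdg->lastSend_mS;
}

// Queue an encoded sample, sending the pending datagram first when needed.
static void SFDAddSample(SFDDgram *sfdg, SFDBuf *buf) {
  SFD_LOCK(sfdg, 1);
  SFD_ASSERT(buf->nstack == 0);
  SFD_ASSERT(sfdg->nsamples <= SFD_MAX_DATAGRAM_SAMPLES);
  // May need to send what we have first: either the length limit would be
  // reached, or every samples[]/iov[] slot is already in use. Without the
  // count check, a run of small samples could index past both arrays,
  // because the assertion above is compiled out.
  uint32_t len = (buf->cursor << 2);
  if((sfdg->dgramLen + len) >= sfdg->maxDgramLen
     || sfdg->nsamples >= SFD_MAX_DATAGRAM_SAMPLES)
    SFDSend_nolock(sfdg);
  // Count the samples that are submitted.
  sfdg->samples[sfdg->nsamples++] = buf;
  // Add to iovec.
  sfdg->iov[sfdg->nsamples].iov_base = buf->xdr;
  sfdg->iov[sfdg->nsamples].iov_len = len;
  // Update datagram length.
  sfdg->dgramLen += len;
  SFD_LOCK(sfdg, 0);
}

// Release the datagram object together with the sample buffers it owns:
// queued samples that carry the SFD_RECYCLE brand and every buffer parked
// on the free list. The lock callback is not invoked here.
static void SFDFree(SFDDgram *sfdg) {
  SFD_ASSERT(sfdg->f_free != NULL);
  for(uint32_t ii = 0; ii < sfdg->nsamples; ii++) {
    SFDBuf *buf = sfdg->samples[ii];
    if(buf->nxt == SFD_RECYCLE)
      sfdg->f_free(sfdg->magic, buf);
  }
  // Buffers recycled after a send sit on sfdg->bufs; they were previously
  // left allocated when the datagram object was freed.
  SFDBuf *idle = sfdg->bufs;
  while(idle) {
    SFDBuf *next = idle->nxt;
    sfdg->f_free(sfdg->magic, idle);
    idle = next;
  }
  sfdg->f_free(sfdg->magic, sfdg);
}


#if defined(__cplusplus)
} /* extern "C" */
#endif

#endif /* SFLOW_XDR_H */

-------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | LICENSE AGREEMENT 2 | 3 | PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE REPRODUCING OR IN ANY WAY 4 | UTILIZING THE sFlow(R) SOFTWARE ("SOFTWARE") AND/OR ANY ACCOMPANYING DOCUMENTATION 5 | ("DOCUMENTATION") AND/OR THE RELATED SPECIFICATIONS ("SPECIFICATIONS"). YOUR REPRODUCTION 6 | OR USE OF THE SOFTWARE AND/OR THE DOCUMENTATION AND/OR THE SPECIFICATIONS CONSTITUTES YOUR 7 | ACCEPTANCE OF THE TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO BE BOUND 8 | BY THE TERMS AND CONDITIONS OF THIS AGREEMENT, YOU MAY NOT REPRODUCE OR IN ANY WAY UTILIZE 9 | THE SOFTWARE OR THE DOCUMENTATION OR THE SPECIFICATIONS. 10 | 11 | 1. Definitions. 12 | 13 | "Documentation" means the user manuals, training materials, and operating materials, if any, 14 | InMon provides to Licensee under this Agreement. 15 | 16 | "InMon" means InMon Corporation, its affiliates and subsidiaries. 17 | 18 | "Intellectual Property Rights" means any trade secrets, patents, including without 19 | limitation any patents covering the Software, copyrights, know-how, moral rights and 20 | similar rights of any type under the laws of any governmental authority, domestic or 21 | foreign, including all applications and registrations relating to any of the foregoing.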
22 | 23 | "Licensee Hardware" means all computers, routers, or other equipment owned or controlled by 24 | or on behalf of Licensee. 25 | 26 | "Products" means any and all software applications, computers, routers, or other equipment 27 | manufactured by or on behalf of Licensee for the purpose of resale or lease to any other 28 | third party, or otherwise made available by Licensee free of charge. 29 | 30 | "Software" means the sFlow(R) software programs, in source or binary code format, that 31 | Licensee licenses from InMon under this Agreement and any bug fixes or error corrections 32 | which InMon may provide to Licensee. 33 | 34 | "Specifications" means the published specifications provided or otherwise made available by 35 | InMon at: http://www.sflow.org. 36 | 37 | "Trademark" means InMon's "sFlow(R)" trademark. 38 | 39 | 2. License Grant. 40 | 41 | 2.1 Software, Documentation and Specifications License Grant. InMon hereby grants to 42 | Licensee, under all of InMon's Intellectual Property Rights therein, a perpetual (subject 43 | to InMon's termination rights under Section 7 below), nonexclusive, royalty-free, worldwide, 44 | transferable, sublicensable license, to: (i) use and reproduce the Software, the 45 | Documentation, and the Specifications; (ii) modify the Software; (iii) implement the 46 | Specifications in the Products; (iv) install the Software, or software in which the 47 | Specifications have been implemented, on Licensee Hardware and Products, and (v) distribute 48 | any Products that include the Software, the Documentation, or software in which the 49 | Specifications have been implemented. 50 | 51 | 2.2 Trademark License. 
InMon hereby grants to Licensee a perpetual (subject to InMon's 52 | termination rights under Section 7 below), nonexclusive, royalty-free, worldwide, 53 | transferable, sublicensable license to use the Trademark on or in connection with the 54 | Software, the Documentation, the Specifications and any software that implements the 55 | Specifications. 56 | 57 | 2.3 Restrictions. Licensee agrees that it will not use the Software in a way 58 | inconsistent with the license granted in Section 2.1. Further, Licensee agrees that, in 59 | exercising its rights under the license granted to it in this Agreement, Licensee will: 60 | (i) strictly adhere to and fully comply with the Specifications; (ii) use the Trademark, 61 | and no other mark, to identify the Software, the Documentation, the Specifications and any 62 | Products that implement the Specifications; (iii) place, in a font or graphic design 63 | designated by InMon, the phrase "sFlow(R)" on any technical documentation, 64 | sales/marketing materials, catalogs, or other such materials relating to products it 65 | manufactures or markets which it has configured to be compatible with the Software or 66 | otherwise implement the Specifications; (iv) in connection with any Products shipped to or 67 | sold in other countries that include the Software or any software that implements the 68 | Specifications, comply with the patent and trademark laws and practice of such other 69 | country; and (v) not alter or impair any acknowledgment of copyright or trademark rights of 70 | InMon that may appear in or on the Software, the Documentation or the Specifications. 
In 71 | the event InMon determines that Licensee is not complying with its obligations under 72 | clauses (i)-(v) above, InMon shall notify Licensee of such non-compliance, and if Licensee 73 | fails to correct such non-compliance within three (3) months, InMon may immediately 74 | terminate this Agreement as provided under paragraph 7 below and pursue any and all 75 | actions and remedies as it deems necessary, including, but not limited to breach of 76 | contract. 77 | 78 | 3. Ownership. Except for the license expressly granted in Section 2, Inmon hereby 79 | retains all right, title, and interest in and to the Trademark and all its Intellectual 80 | Property Rights in the Software, the Documentation and the Specifications. Licensee 81 | obtains no rights hereunder in the Trademark, Software, Documentation or Specifications by 82 | implication, estoppel or otherwise. Licensee acknowledges that the Trademark, Software, 83 | Documentation and Specifications are being licensed and not sold under this Agreement, and 84 | that this Agreement does not transfer title in the Trademark, Software, Documentation or 85 | Specifications, or any copy thereof, to Licensee. 86 | 87 | 4. Support. Inmon shall have no obligation under this Agreement to (a) supply 88 | maintenance or support, bug fixes or error corrections to the Licensed Software, 89 | (b) supply future versions of the Licensed Software or (c) provide Licensed Software 90 | development tools to Licensee. 91 | 92 | 5. Warranty. INMON HEREBY DISCLAIMS ALL WARRANTIES, EITHER EXPRESS, IMPLIED OR 93 | STATUTORY, WITH RESPECT TO THE TRADEMARK, THE SOFTWARE, THE DOCUMENTATION, THE 94 | SPECIFICATIONS. OR OTHERWISE, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF 95 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF ANY INTELLECTUAL 96 | PROPERTY RIGHTS. 97 | 98 | 6. Limitation of Liability. 
IN NO EVENT SHALL INMON OR ITS SUPPLIERS OR LICENSORS BE 99 | LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, INDIRECT OR EXEMPLARY DAMAGES WHATSOEVER, 100 | WHETHER RELATED TO OR ARISING OUT OF THIS AGREEMENT, THE TRADEMARK, THE SOFTWARE, THE 101 | DOCUMENTATION, THE SPECIFICATIONS, OR OTHERWISE, INCLUDING WITHOUT LIMITATION, DAMAGES FOR 102 | LOSS OF PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA, COSTS OF PROCUREMENT OF SUBSTITUTE 103 | GOODS OR SERVICES OR FOR ANY CLAIM OR DEMAND AGAINST LICENSEE BY ANY OTHER PARTY, OR OTHER 104 | PECUNIARY LOSS, EVEN IF INMON HAS BEEN ADVISED OF OR KNOWS OF THE POSSIBILITY OF SUCH 105 | DAMAGES. 106 | 107 | 7. Term and Termination. The term of this Agreement will begin on the Effective Date, 108 | which shall be deemed to be the date of delivery of the Software and/or Documentation and/or 109 | Specifications to Licensee, and shall continue indefinitely unless and until terminated by 110 | Licensee's giving written notice of termination to InMon, or by InMon pursuant to InMon's 111 | termination rights as set forth in Section 2.3 above. Upon any termination of this 112 | Agreement, Licensee shall cease exercising its license rights under this Agreement, 113 | including the right to distribute Products that incorporate the Software or Documentation 114 | or that implement the Specifications. The rights and obligations contained in Sections 1, 115 | 3, 5, 6, 7, and 8 shall survive any termination of this Agreement. 116 | 117 | 8. General Provisions. 118 | 119 | 8.1 Assignment. This Agreement shall be binding upon and inure to the benefit of the 120 | parties hereto and their permitted successors and permitted assigns. InMon will have the 121 | right to assign this Agreement without notice to Licensee. 
Licensee may assign or transfer 122 | (whether by merger, operation of law or in any other manner) any of its rights or delegate 123 | any of its obligations hereunder without the prior written consent of InMon, provided the 124 | assignee assumes in writing all of Licensee's obligations hereunder. 125 | 126 | 8.2 Notices. All notices permitted or required under this Agreement shall be in 127 | writing and shall be delivered in person or mailed by first class, registered or certified 128 | mail, postage prepaid, to the address of the party specified in this Agreement or such 129 | other address as either party may specify in writing. Such notice shall be deemed to have 130 | been given upon receipt. 131 | 132 | 8.3 Non-Waiver. No term or provision hereof shall be deemed waived, and no breach 133 | excused, unless such waiver or consent shall be in writing and signed by the party claimed 134 | to have waived or consented. Any consent or waiver, whether express or implied, shall not 135 | constitute a consent or waiver of, or excuse for any separate, different or subsequent 136 | breach. 137 | 138 | 8.4 Independent Contractor. The parties' relationship shall be solely that of 139 | independent contractors, and nothing contained in this Agreement shall be construed to make 140 | either party an agent, partner, representative or principal of the other for any purpose. 141 | 142 | 8.5 Choice of Law and Forum. This Agreement shall be governed by and construed under 143 | the laws of the State of California, without giving effect to such state's conflict of laws 144 | principles. The parties hereby submit to the personal jurisdiction of, and agree that any 145 | legal proceeding with respect to or arising under this Agreement shall be brought in, the 146 | United States District Court for the Northern District of California or the state courts 147 | of the State of California for the County of San Francisco. 148 | 149 | 8.6 U.S. Government Licenses. 
The Software and Documentation are considered a 150 | "commercial item" as that term is defined at 48 C.F.R 2.101, or "commercial computer 151 | software" and "commercial computer software documentation" as such terms are used in 152 | 48 C.F.R 12.212 of the Federal Acquisition Regulations and its successors, and 153 | 48 C.F.R. 227.7202 of the DoD FAR Supplement and its successors. 154 | 155 | 8.7 Severability. If any provision of this Agreement is held to be unenforceable under 156 | applicable law, then such provision shall be excluded from this Agreement and the balance 157 | of this Agreement shall be interpreted as if such provision were so excluded and shall be 158 | enforceable in accordance with its terms. The court in its discretion may substitute for 159 | the excluded provision an enforceable provision which in economic substance reasonably 160 | approximates the excluded provision. 161 | 162 | 8.8 Compliance With Law. Licensee shall comply with all applicable laws and 163 | regulations (including privacy laws and regulations) having application to or governing its 164 | use and/or operation of the Software and agrees to indemnify and hold InMon harmless from 165 | and against any claims, damages, losses or obligations suffered or incurred by InMon 166 | arising from its failure to so comply. 167 | 168 | 8.9 Entire Agreement; Amendment. This Agreement constitutes the final, complete and 169 | entire agreement between the parties with respect to the subject matter hereof, and 170 | supersedes any previous proposals, negotiations, agreements, or arrangements, whether 171 | verbal or written, made between the parties with respect to such subject matter. This 172 | Agreement shall control over any additional or conflicting terms in any of Licensee's 173 | purchase orders or other business forms. This Agreement may only be amended or modified 174 | by mutual agreement of authorized representatives of the parties in writing. 175 | 176 | InMon Corp. 
177 | 580 California Street, 5th Floor, San Francisco, CA 94104 178 | Phone: (415) 283-3260 179 | URL: www.inmon.com 180 | Email: info@inmon.com 181 | -------------------------------------------------------------------------------- /src/sflow_v2v4.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2002-2011 InMon Corp. Licensed under the terms of the InMon sFlow licence: */ 2 | /* http://www.inmon.com/technology/sflowlicense.txt */ 3 | 4 | #ifndef SFLOW_V2V4_H 5 | #define SFLOW_V2V4_H 1 6 | 7 | #if defined(__cplusplus) 8 | extern "C" { 9 | #endif 10 | 11 | enum INMAddress_type { 12 | INMADDRESSTYPE_IP_V4 = 1, 13 | INMADDRESSTYPE_IP_V6 = 2 14 | }; 15 | 16 | typedef union _INMAddress_value { 17 | SFLIPv4 ip_v4; 18 | SFLIPv6 ip_v6; 19 | } INMAddress_value; 20 | 21 | typedef struct _INMAddress { 22 | uint32_t type; /* enum INMAddress_type */ 23 | INMAddress_value address; 24 | } INMAddress; 25 | 26 | /* Packet header data */ 27 | 28 | #define INM_MAX_HEADER_SIZE 256 /* The maximum sampled header size. */ 29 | #define INM_DEFAULT_HEADER_SIZE 128 30 | #define INM_DEFAULT_COLLECTOR_PORT 6343 31 | #define INM_DEFAULT_SAMPLING_RATE 400 32 | 33 | /* The header protocol describes the format of the sampled header */ 34 | enum INMHeader_protocol { 35 | INMHEADER_ETHERNET_ISO8023 = 1, 36 | INMHEADER_ISO88024_TOKENBUS = 2, 37 | INMHEADER_ISO88025_TOKENRING = 3, 38 | INMHEADER_FDDI = 4, 39 | INMHEADER_FRAME_RELAY = 5, 40 | INMHEADER_X25 = 6, 41 | INMHEADER_PPP = 7, 42 | INMHEADER_SMDS = 8, 43 | INMHEADER_AAL5 = 9, 44 | INMHEADER_AAL5_IP = 10, /* e.g. 
Cisco AAL5 mux */ 45 | INMHEADER_IPv4 = 11, 46 | INMHEADER_IPv6 = 12 47 | }; 48 | 49 | typedef struct _INMSampled_header { 50 | uint32_t header_protocol; /* (enum INMHeader_protocol) */ 51 | uint32_t frame_length; /* Original length of packet before sampling; describes the packet on the wire, not the number of bytes stored in header[] */ 52 | uint32_t header_length; /* length of sampled header bytes to follow. NOTE(review): when this is filled from a received datagram, the decoder has to reject or clamp anything above INM_MAX_HEADER_SIZE before writing into header[] */ 53 | uint8_t header[INM_MAX_HEADER_SIZE]; /* Header bytes (fixed-size buffer of INM_MAX_HEADER_SIZE bytes) */ 54 | } INMSampled_header; 55 | 56 | /* Packet IP version 4 data */ 57 | 58 | typedef struct _INMSampled_ipv4 { 59 | uint32_t length; /* The length of the IP packet 60 | excluding lower layer encapsulations */ 61 | uint32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ 62 | SFLIPv4 src_ip; /* Source IP Address */ 63 | SFLIPv4 dst_ip; /* Destination IP Address */ 64 | uint32_t src_port; /* TCP/UDP source port number or equivalent */ 65 | uint32_t dst_port; /* TCP/UDP destination port number or equivalent */ 66 | uint32_t tcp_flags; /* TCP flags */ 67 | uint32_t tos; /* IP type of service */ 68 | } INMSampled_ipv4; 69 | 70 | /* Packet IP version 6 data */ 71 | 72 | typedef struct _INMSampled_ipv6 { 73 | uint32_t length; /* The length of the IP packet 74 | excluding lower layer encapsulations */ 75 | uint32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ 76 | SFLIPv6 src_ip; /* Source IP Address */ 77 | SFLIPv6 dst_ip; /* Destination IP Address */ 78 | uint32_t src_port; /* TCP/UDP source port number or equivalent */ 79 | uint32_t dst_port; /* TCP/UDP destination port number or equivalent */ 80 | uint32_t tcp_flags; /* TCP flags */ 81 | uint32_t tos; /* IP type of service */ 82 | } INMSampled_ipv6; 83 | 84 | 85 | /* Packet data */ 86 | 87 | enum INMPacket_information_type { 88 | INMPACKETTYPE_HEADER = 1, /* Packet headers are sampled */ 89 | INMPACKETTYPE_IPV4 = 2, /* IP version 4 data */ 90 | INMPACKETTYPE_IPV6 = 3 /* IP version 6 data */ 91 | }; 92 | 93 | typedef union _INMPacket_data_type { 94 | INMSampled_header header; 95 | 
INMSampled_ipv4 ipv4; 96 | INMSampled_ipv6 ipv6; 97 | } INMPacket_data_type; 98 | 99 | /* Extended data types */ 100 | 101 | /* Extended switch data */ 102 | 103 | typedef struct _INMExtended_switch { 104 | uint32_t src_vlan; /* The 802.1Q VLAN id of incoming frame */ 105 | uint32_t src_priority; /* The 802.1p priority */ 106 | uint32_t dst_vlan; /* The 802.1Q VLAN id of outgoing frame */ 107 | uint32_t dst_priority; /* The 802.1p priority */ 108 | } INMExtended_switch; 109 | 110 | /* Extended router data */ 111 | 112 | typedef struct _INMExtended_router { 113 | INMAddress nexthop; /* IP address of next hop router */ 114 | uint32_t src_mask; /* Source address prefix mask bits */ 115 | uint32_t dst_mask; /* Destination address prefix mask bits */ 116 | } INMExtended_router; 117 | 118 | /* Extended gateway data */ 119 | 120 | enum INMExtended_as_path_segment_type { 121 | INMEXTENDED_AS_SET = 1, /* Unordered set of ASs */ 122 | INMEXTENDED_AS_SEQUENCE = 2 /* Ordered sequence of ASs */ 123 | }; 124 | 125 | typedef struct _INMExtended_as_path_segment { 126 | uint32_t type; /* enum INMExtended_as_path_segment_type */ 127 | uint32_t length; /* number of AS numbers in set/sequence. NOTE(review): when this count is read from a received datagram, check it against the bytes remaining before as.set / as.seq is allocated or walked */ 128 | union { 129 | uint32_t *set; 130 | uint32_t *seq; 131 | } as; 132 | } INMExtended_as_path_segment; 133 | 134 | /* note: the INMExtended_gateway structure has changed between v2 and v4. 135 | Here is the old version first... */ 136 | 137 | typedef struct _INMExtended_gateway_v2 { 138 | uint32_t as; /* AS number for this gateway */ 139 | uint32_t src_as; /* AS number of source (origin) */ 140 | uint32_t src_peer_as; /* AS number of source peer */ 141 | uint32_t dst_as_path_length; /* number of AS numbers in path. NOTE(review): same caveat as any count taken from a datagram: bound it before it sizes an allocation or a loop */ 142 | uint32_t *dst_as_path; /* presumably dst_as_path_length entries; confirm against the decoder */ 143 | } INMExtended_gateway_v2; 144 | 145 | /* now here is the new version... 
*/ 146 | 147 | typedef struct _INMExtended_gateway_v4 { 148 | uint32_t as; /* AS number for this gateway */ 149 | uint32_t src_as; /* AS number of source (origin) */ 150 | uint32_t src_peer_as; /* AS number of source peer */ 151 | uint32_t dst_as_path_segments; /* number of segments in path. NOTE(review): a count read from a received datagram should be bounded before dst_as_path is allocated or walked */ 152 | INMExtended_as_path_segment *dst_as_path; /* list of seqs or sets */ 153 | uint32_t communities_length; /* number of communities. NOTE(review): bound this as well before communities is allocated or walked */ 154 | uint32_t *communities; /* set of communities */ 155 | uint32_t localpref; /* LocalPref associated with this route */ 156 | } INMExtended_gateway_v4; 157 | 158 | /* Extended user data */ 159 | typedef struct _INMExtended_user { 160 | uint32_t src_user_len; /* length of src_user (presumably in bytes; TODO confirm) */ 161 | char *src_user; /* NOTE(review): carried with an explicit length, so do not assume a terminating NUL unless the decoder adds one; confirm */ 162 | uint32_t dst_user_len; /* length of dst_user (presumably in bytes; TODO confirm) */ 163 | char *dst_user; /* NOTE(review): same as src_user, use dst_user_len rather than strlen() */ 164 | } INMExtended_user; 165 | enum INMExtended_url_direction { 166 | INMEXTENDED_URL_SRC = 1, /* URL is associated with source address */ 167 | INMEXTENDED_URL_DST = 2 /* URL is associated with destination address */ 168 | }; 169 | 170 | typedef struct _INMExtended_url { 171 | uint32_t direction; /* enum INMExtended_url_direction */ 172 | uint32_t url_len; /* length of url (presumably in bytes; TODO confirm) */ 173 | char *url; /* NOTE(review): sender-supplied text; bound by url_len and treat as untrusted when logging or displaying it */ 174 | } INMExtended_url; 175 | 176 | /* Extended data */ 177 | 178 | enum INMExtended_information_type { 179 | INMEXTENDED_SWITCH = 1, /* Extended switch information */ 180 | INMEXTENDED_ROUTER = 2, /* Extended router information */ 181 | INMEXTENDED_GATEWAY = 3, /* Extended gateway router information */ 182 | INMEXTENDED_USER = 4, /* Extended TACACS/RADIUS user information */ 183 | INMEXTENDED_URL = 5 /* Extended URL information */ 184 | }; 185 | 186 | /* Format of a single sample */ 187 | 188 | typedef struct _INMFlow_sample { 189 | uint32_t sequence_number; /* Incremented with each flow sample 190 | generated */ 191 | uint32_t source_id; /* fsSourceId */ 192 | uint32_t sampling_rate; /* fsPacketSamplingRate */ 193 | uint32_t sample_pool; /* Total number of packets that could have been 194 | sampled (i.e. 
packets skipped by sampling 195 | process + total number of samples) */ 196 | uint32_t drops; /* Number of times a packet was dropped due to 197 | lack of resources */ 198 | uint32_t input; /* SNMP ifIndex of input interface. 199 | 0 if interface is not known. */ 200 | uint32_t output; /* SNMP ifIndex of output interface, 201 | 0 if interface is not known. 202 | Set most significant bit to indicate 203 | multiple destination interfaces 204 | (i.e. in case of broadcast or multicast) 205 | and set lower order bits to indicate 206 | number of destination interfaces. 207 | Examples: 208 | 0x00000002 indicates ifIndex = 2 209 | 0x00000000 ifIndex unknown. 210 | 0x80000007 indicates a packet sent 211 | to 7 interfaces. 212 | 0x80000000 indicates a packet sent to 213 | an unknown number of 214 | interfaces greater than 1.*/ 215 | uint32_t packet_data_tag; /* enum INMPacket_information_type */ 216 | INMPacket_data_type packet_data; /* Information about sampled packet */ 217 | 218 | /* in the sFlow packet spec the next field is the number of extended objects 219 | followed by the data for each one (tagged with the type). Here we just 220 | provide space for each one, and flags to enable them. 
The correct format 221 | is then put together by the serialization code */ 222 | int gotSwitch; 223 | INMExtended_switch switchDevice; 224 | int gotRouter; 225 | INMExtended_router router; 226 | int gotGateway; 227 | union { 228 | INMExtended_gateway_v2 v2; /* make the version explicit so that there is */ 229 | INMExtended_gateway_v4 v4; /* less danger of mistakes when upgrading code */ 230 | } gateway; 231 | int gotUser; 232 | INMExtended_user user; 233 | int gotUrl; 234 | INMExtended_url url; 235 | } INMFlow_sample; 236 | 237 | /* Counter types */ 238 | 239 | /* Generic interface counters - see RFC 1573, 2233 */ 240 | 241 | typedef struct _INMIf_counters { 242 | uint32_t ifIndex; 243 | uint32_t ifType; 244 | uint64_t ifSpeed; 245 | uint32_t ifDirection; /* Derived from MAU MIB (RFC 2239) 246 | 0 = unknown, 1 = full-duplex, 247 | 2 = half-duplex, 3 = in, 4 = out */ 248 | uint32_t ifStatus; /* bit field with the following bits assigned: 249 | bit 0 = ifAdminStatus (0 = down, 1 = up) 250 | bit 1 = ifOperStatus (0 = down, 1 = up) */ 251 | uint64_t ifInOctets; 252 | uint32_t ifInUcastPkts; 253 | uint32_t ifInMulticastPkts; 254 | uint32_t ifInBroadcastPkts; 255 | uint32_t ifInDiscards; 256 | uint32_t ifInErrors; 257 | uint32_t ifInUnknownProtos; 258 | uint64_t ifOutOctets; 259 | uint32_t ifOutUcastPkts; 260 | uint32_t ifOutMulticastPkts; 261 | uint32_t ifOutBroadcastPkts; 262 | uint32_t ifOutDiscards; 263 | uint32_t ifOutErrors; 264 | uint32_t ifPromiscuousMode; 265 | } INMIf_counters; 266 | 267 | /* Ethernet interface counters - see RFC 2358 */ 268 | typedef struct _INMEthernet_specific_counters { 269 | uint32_t dot3StatsAlignmentErrors; 270 | uint32_t dot3StatsFCSErrors; 271 | uint32_t dot3StatsSingleCollisionFrames; 272 | uint32_t dot3StatsMultipleCollisionFrames; 273 | uint32_t dot3StatsSQETestErrors; 274 | uint32_t dot3StatsDeferredTransmissions; 275 | uint32_t dot3StatsLateCollisions; 276 | uint32_t dot3StatsExcessiveCollisions; 277 | uint32_t 
dot3StatsInternalMacTransmitErrors; 278 | uint32_t dot3StatsCarrierSenseErrors; 279 | uint32_t dot3StatsFrameTooLongs; 280 | uint32_t dot3StatsInternalMacReceiveErrors; 281 | uint32_t dot3StatsSymbolErrors; 282 | } INMEthernet_specific_counters; 283 | 284 | typedef struct _INMEthernet_counters { 285 | INMIf_counters generic; 286 | INMEthernet_specific_counters ethernet; 287 | } INMEthernet_counters; 288 | 289 | /* FDDI interface counters - see RFC 1512 */ 290 | typedef struct _INMFddi_counters { 291 | INMIf_counters generic; 292 | } INMFddi_counters; 293 | 294 | /* Token ring counters - see RFC 1748 */ 295 | 296 | typedef struct _INMTokenring_specific_counters { 297 | uint32_t dot5StatsLineErrors; 298 | uint32_t dot5StatsBurstErrors; 299 | uint32_t dot5StatsACErrors; 300 | uint32_t dot5StatsAbortTransErrors; 301 | uint32_t dot5StatsInternalErrors; 302 | uint32_t dot5StatsLostFrameErrors; 303 | uint32_t dot5StatsReceiveCongestions; 304 | uint32_t dot5StatsFrameCopiedErrors; 305 | uint32_t dot5StatsTokenErrors; 306 | uint32_t dot5StatsSoftErrors; 307 | uint32_t dot5StatsHardErrors; 308 | uint32_t dot5StatsSignalLoss; 309 | uint32_t dot5StatsTransmitBeacons; 310 | uint32_t dot5StatsRecoverys; 311 | uint32_t dot5StatsLobeWires; 312 | uint32_t dot5StatsRemoves; 313 | uint32_t dot5StatsSingles; 314 | uint32_t dot5StatsFreqErrors; 315 | } INMTokenring_specific_counters; 316 | 317 | typedef struct _INMTokenring_counters { 318 | INMIf_counters generic; 319 | INMTokenring_specific_counters tokenring; 320 | } INMTokenring_counters; 321 | 322 | /* 100 BaseVG interface counters - see RFC 2020 */ 323 | 324 | typedef struct _INMVg_specific_counters { 325 | uint32_t dot12InHighPriorityFrames; 326 | uint64_t dot12InHighPriorityOctets; 327 | uint32_t dot12InNormPriorityFrames; 328 | uint64_t dot12InNormPriorityOctets; 329 | uint32_t dot12InIPMErrors; 330 | uint32_t dot12InOversizeFrameErrors; 331 | uint32_t dot12InDataErrors; 332 | uint32_t dot12InNullAddressedFrames; 333 | uint32_t 
dot12OutHighPriorityFrames; 334 | uint64_t dot12OutHighPriorityOctets; 335 | uint32_t dot12TransitionIntoTrainings; 336 | uint64_t dot12HCInHighPriorityOctets; 337 | uint64_t dot12HCInNormPriorityOctets; 338 | uint64_t dot12HCOutHighPriorityOctets; 339 | } INMVg_specific_counters; 340 | 341 | typedef struct _INMVg_counters { 342 | INMIf_counters generic; 343 | INMVg_specific_counters vg; 344 | } INMVg_counters; 345 | 346 | /* WAN counters */ 347 | 348 | typedef struct _INMWan_counters { 349 | INMIf_counters generic; 350 | } INMWan_counters; 351 | 352 | typedef struct _INMVlan_counters { 353 | uint32_t vlan_id; 354 | uint64_t octets; 355 | uint32_t ucastPkts; 356 | uint32_t multicastPkts; 357 | uint32_t broadcastPkts; 358 | uint32_t discards; 359 | } INMVlan_counters; 360 | 361 | /* Counters data */ 362 | 363 | enum INMCounters_version { 364 | INMCOUNTERSVERSION_GENERIC = 1, 365 | INMCOUNTERSVERSION_ETHERNET = 2, 366 | INMCOUNTERSVERSION_TOKENRING = 3, 367 | INMCOUNTERSVERSION_FDDI = 4, 368 | INMCOUNTERSVERSION_VG = 5, 369 | INMCOUNTERSVERSION_WAN = 6, 370 | INMCOUNTERSVERSION_VLAN = 7 371 | }; 372 | 373 | typedef union _INMCounters_type { 374 | INMIf_counters generic; 375 | INMEthernet_counters ethernet; 376 | INMTokenring_counters tokenring; 377 | INMFddi_counters fddi; 378 | INMVg_counters vg; 379 | INMWan_counters wan; 380 | INMVlan_counters vlan; 381 | } INMCounters_type; 382 | 383 | typedef struct _INMCounters_sample_hdr { 384 | uint32_t sequence_number; /* Incremented with each counters sample 385 | generated by this source_id */ 386 | uint32_t source_id; /* fsSourceId */ 387 | uint32_t sampling_interval; /* fsCounterSamplingInterval */ 388 | } INMCounters_sample_hdr; 389 | 390 | typedef struct _INMCounters_sample { 391 | INMCounters_sample_hdr hdr; 392 | uint32_t counters_type_tag; /* Enum INMCounters_version */ 393 | INMCounters_type counters; /* Counter set for this interface type */ 394 | } INMCounters_sample; 395 | 396 | /* when I turn on optimisation 
with the Microsoft compiler it seems to change 397 | the values of these enumerated types and break the program - not sure why */ 398 | enum INMSample_types { 399 | FLOWSAMPLE = 1, 400 | COUNTERSSAMPLE = 2 401 | }; 402 | 403 | typedef union _INMSample_type { 404 | INMFlow_sample flowsample; 405 | INMCounters_sample counterssample; 406 | } INMSample_type; 407 | 408 | /* Format of a sample datagram */ 409 | 410 | enum INMDatagram_version { 411 | INMDATAGRAM_VERSION2 = 2, 412 | INMDATAGRAM_VERSION4 = 4 413 | }; 414 | 415 | typedef struct _INMSample_datagram_hdr { 416 | uint32_t datagram_version; /* (enum INMDatagram_version) = VERSION4 */ 417 | INMAddress agent_address; /* IP address of sampling agent */ 418 | uint32_t sequence_number; /* Incremented with each sample datagram 419 | generated */ 420 | uint32_t uptime; /* Current time (in milliseconds since device 421 | last booted). Should be set as close to 422 | datagram transmission time as possible.*/ 423 | uint32_t num_samples; /* Number of flow and counters samples to follow */ 424 | } INMSample_datagram_hdr; 425 | 426 | #define INM_MAX_DATAGRAM_SIZE 1500 427 | #define INM_MIN_DATAGRAM_SIZE 200 428 | #define INM_DEFAULT_DATAGRAM_SIZE 1400 429 | 430 | #define INM_DATA_PAD 400 431 | 432 | #if defined(__cplusplus) 433 | } /* extern "C" */ 434 | #endif 435 | 436 | #endif /* SFLOW_V2V4_H */ 437 | -------------------------------------------------------------------------------- /src/sflow.h: -------------------------------------------------------------------------------- 1 | /* Copyright (c) 2002-2011 InMon Corp. 
Licensed under the terms of the InMon sFlow licence: */ 2 | /* http://www.inmon.com/technology/sflowlicense.txt */ 3 | 4 | /* 5 | ///////////////////////////////////////////////////////////////////////////////// 6 | /////////////////////// sFlow Sampling Packet Data Types //////////////////////// 7 | ///////////////////////////////////////////////////////////////////////////////// 8 | */ 9 | 10 | #ifndef SFLOW_H 11 | #define SFLOW_H 1 12 | 13 | #if defined(__cplusplus) 14 | extern "C" { 15 | #endif 16 | 17 | typedef struct { 18 | uint32_t addr; 19 | } SFLIPv4; 20 | 21 | typedef struct { 22 | uint8_t addr[16]; 23 | } SFLIPv6; 24 | 25 | typedef union _SFLAddress_value { 26 | SFLIPv4 ip_v4; 27 | SFLIPv6 ip_v6; 28 | } SFLAddress_value; 29 | 30 | enum SFLAddress_type { 31 | SFLADDRESSTYPE_UNDEFINED = 0, 32 | SFLADDRESSTYPE_IP_V4 = 1, 33 | SFLADDRESSTYPE_IP_V6 = 2 34 | }; 35 | 36 | typedef struct _SFLAddress { 37 | uint32_t type; /* enum SFLAddress_type */ 38 | SFLAddress_value address; 39 | } SFLAddress; 40 | 41 | /* Packet header data */ 42 | 43 | #define SFL_DEFAULT_HEADER_SIZE 128 44 | #define SFL_DEFAULT_COLLECTOR_PORT 6343 45 | #define SFL_DEFAULT_SAMPLING_RATE 400 46 | 47 | /* The header protocol describes the format of the sampled header */ 48 | enum SFLHeader_protocol { 49 | SFLHEADER_ETHERNET_ISO8023 = 1, 50 | SFLHEADER_ISO88024_TOKENBUS = 2, 51 | SFLHEADER_ISO88025_TOKENRING = 3, 52 | SFLHEADER_FDDI = 4, 53 | SFLHEADER_FRAME_RELAY = 5, 54 | SFLHEADER_X25 = 6, 55 | SFLHEADER_PPP = 7, 56 | SFLHEADER_SMDS = 8, 57 | SFLHEADER_AAL5 = 9, 58 | SFLHEADER_AAL5_IP = 10, /* e.g. 
Cisco AAL5 mux */ 59 | SFLHEADER_IPv4 = 11, 60 | SFLHEADER_IPv6 = 12, 61 | SFLHEADER_MPLS = 13, 62 | SFLHEADER_POS = 14, 63 | SFLHEADER_IEEE80211MAC = 15, 64 | SFLHEADER_IEEE80211_AMPDU = 16, 65 | SFLHEADER_IEEE80211_AMSDU_SUBFRAME = 17, 66 | SFLHEADER_INFINIBAND = 18 67 | }; 68 | 69 | /* raw sampled header */ 70 | 71 | typedef struct _SFLSampled_header { 72 | uint32_t header_protocol; /* (enum SFLHeader_protocol) */ 73 | uint32_t frame_length; /* Original length of packet before sampling; describes the packet on the wire, not the number of bytes behind header_bytes */ 74 | uint32_t stripped; /* header/trailer bytes stripped by sender */ 75 | uint32_t header_length; /* length of sampled header bytes to follow. NOTE(review): this struct has no fixed buffer, so header_length is the only bound on header_bytes; when it is read from a received datagram, check it against the bytes remaining before header_bytes is used */ 76 | uint8_t *header_bytes; /* Header bytes */ 77 | } SFLSampled_header; 78 | 79 | /* decoded ethernet header */ 80 | 81 | typedef struct _SFLSampled_ethernet { 82 | uint32_t eth_len; /* The length of the MAC packet excluding 83 | lower layer encapsulations */ 84 | uint8_t src_mac[8]; /* 6 bytes + 2 pad */ 85 | uint8_t dst_mac[8]; 86 | uint32_t eth_type; 87 | } SFLSampled_ethernet; 88 | 89 | /* decoded IP version 4 header */ 90 | 91 | typedef struct _SFLSampled_ipv4 { 92 | uint32_t length; /* The length of the IP packet 93 | excluding lower layer encapsulations */ 94 | uint32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ 95 | SFLIPv4 src_ip; /* Source IP Address */ 96 | SFLIPv4 dst_ip; /* Destination IP Address */ 97 | uint32_t src_port; /* TCP/UDP source port number or equivalent */ 98 | uint32_t dst_port; /* TCP/UDP destination port number or equivalent */ 99 | uint32_t tcp_flags; /* TCP flags */ 100 | uint32_t tos; /* IP type of service */ 101 | } SFLSampled_ipv4; 102 | 103 | /* decoded IP version 6 data */ 104 | 105 | typedef struct _SFLSampled_ipv6 { 106 | uint32_t length; /* The length of the IP packet 107 | excluding lower layer encapsulations */ 108 | uint32_t protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ 109 | SFLIPv6 src_ip; /* Source IP Address */ 110 | SFLIPv6 dst_ip; /* 
Destination IP Address */ 111 | uint32_t src_port; /* TCP/UDP source port number or equivalent */ 112 | uint32_t dst_port; /* TCP/UDP destination port number or equivalent */ 113 | uint32_t tcp_flags; /* TCP flags */ 114 | uint32_t priority; /* IP priority */ 115 | } SFLSampled_ipv6; 116 | 117 | /* Extended data types */ 118 | 119 | /* Extended switch data */ 120 | 121 | typedef struct _SFLExtended_switch { 122 | uint32_t src_vlan; /* The 802.1Q VLAN id of incoming frame */ 123 | uint32_t src_priority; /* The 802.1p priority */ 124 | uint32_t dst_vlan; /* The 802.1Q VLAN id of outgoing frame */ 125 | uint32_t dst_priority; /* The 802.1p priority */ 126 | } SFLExtended_switch; 127 | 128 | /* Extended router data */ 129 | 130 | typedef struct _SFLExtended_router { 131 | SFLAddress nexthop; /* IP address of next hop router */ 132 | uint32_t src_mask; /* Source address prefix mask bits */ 133 | uint32_t dst_mask; /* Destination address prefix mask bits */ 134 | } SFLExtended_router; 135 | 136 | /* Extended gateway data */ 137 | enum SFLExtended_as_path_segment_type { 138 | SFLEXTENDED_AS_SET = 1, /* Unordered set of ASs */ 139 | SFLEXTENDED_AS_SEQUENCE = 2 /* Ordered sequence of ASs */ 140 | }; 141 | 142 | typedef struct _SFLExtended_as_path_segment { 143 | uint32_t type; /* enum SFLExtended_as_path_segment_type */ 144 | uint32_t length; /* number of AS numbers in set/sequence. NOTE(review): when this count is read from a received datagram, check it against the bytes remaining before as.set / as.seq is allocated or walked */ 145 | union { 146 | uint32_t *set; 147 | uint32_t *seq; 148 | } as; 149 | } SFLExtended_as_path_segment; 150 | 151 | typedef struct _SFLExtended_gateway { 152 | SFLAddress nexthop; /* Address of the border router that should 153 | be used for the destination network */ 154 | uint32_t as; /* AS number for this gateway */ 155 | uint32_t src_as; /* AS number of source (origin) */ 156 | uint32_t src_peer_as; /* AS number of source peer */ 157 | uint32_t dst_as_path_segments; /* number of segments in path. NOTE(review): bound this count before dst_as_path is allocated or walked */ 158 | SFLExtended_as_path_segment *dst_as_path; /* list of seqs or sets */ 159 | uint32_t 
communities_length; /* number of communities. NOTE(review): when read from a received datagram, bound this count before communities is allocated or walked */ 160 | uint32_t *communities; /* set of communities */ 161 | uint32_t localpref; /* LocalPref associated with this route */ 162 | } SFLExtended_gateway; 163 | 164 | typedef struct _SFLString { 165 | uint32_t len; /* length of str (presumably in bytes; TODO confirm) */ 166 | char *str; /* NOTE(review): the length travels in len, so do not assume a terminating NUL unless the decoder adds one; confirm */ 167 | } SFLString; 168 | 169 | /* Extended user data */ 170 | 171 | typedef struct _SFLExtended_user { 172 | uint32_t src_charset; /* MIBEnum value of character set used to encode a string - See RFC 2978 173 | Where possible UTF-8 encoding (MIBEnum=106) should be used. A value 174 | of zero indicates an unknown encoding. */ 175 | SFLString src_user; 176 | uint32_t dst_charset; /* character set of dst_user, presumably encoded like src_charset; confirm */ 177 | SFLString dst_user; 178 | } SFLExtended_user; 179 | 180 | /* Extended URL data */ 181 | 182 | enum SFLExtended_url_direction { 183 | SFLEXTENDED_URL_SRC = 1, /* URL is associated with source address */ 184 | SFLEXTENDED_URL_DST = 2 /* URL is associated with destination address */ 185 | }; 186 | 187 | typedef struct _SFLExtended_url { 188 | uint32_t direction; /* enum SFLExtended_url_direction */ 189 | SFLString url; /* URL associated with the packet flow. 190 | Must be URL encoded (a requirement on the sender. NOTE(review): a receiver should still treat url and host as untrusted text when logging or displaying them) */ 191 | SFLString host; /* The host field from the HTTP header */ 192 | } SFLExtended_url; 193 | 194 | /* Extended MPLS data */ 195 | 196 | typedef struct _SFLLabelStack { 197 | uint32_t depth; /* presumably the number of entries in stack; bound it before the stack is read; TODO confirm */ 198 | uint32_t *stack; /* first entry is top of stack - see RFC 3032 for encoding */ 199 | } SFLLabelStack; 200 | 201 | typedef struct _SFLExtended_mpls { 202 | SFLAddress nextHop; /* Address of the next hop */ 203 | SFLLabelStack in_stack; 204 | SFLLabelStack out_stack; 205 | } SFLExtended_mpls; 206 | 207 | /* Extended NAT data 208 | Packet header records report addresses as seen at the sFlowDataSource. 209 | The extended_nat structure reports on translated source and/or destination 210 | addesses for this packet. If an address was not translated it should 211 | be equal to that reported for the header. 
*/ 212 | 213 | typedef struct _SFLExtended_nat { 214 | SFLAddress src; /* Source address */ 215 | SFLAddress dst; /* Destination address */ 216 | } SFLExtended_nat; 217 | 218 | typedef struct _SFLExtended_nat_port { 219 | uint32_t src_port; 220 | uint32_t dst_port; 221 | } SFLExtended_nat_port; 222 | 223 | /* additional Extended MPLS stucts */ 224 | 225 | typedef struct _SFLExtended_mpls_tunnel { 226 | SFLString tunnel_lsp_name; /* Tunnel name */ 227 | uint32_t tunnel_id; /* Tunnel ID */ 228 | uint32_t tunnel_cos; /* Tunnel COS value */ 229 | } SFLExtended_mpls_tunnel; 230 | 231 | typedef struct _SFLExtended_mpls_vc { 232 | SFLString vc_instance_name; /* VC instance name */ 233 | uint32_t vll_vc_id; /* VLL/VC instance ID */ 234 | uint32_t vc_label_cos; /* VC Label COS value */ 235 | } SFLExtended_mpls_vc; 236 | 237 | /* Extended MPLS FEC 238 | - Definitions from MPLS-FTN-STD-MIB mplsFTNTable */ 239 | 240 | typedef struct _SFLExtended_mpls_FTN { 241 | SFLString mplsFTNDescr; 242 | uint32_t mplsFTNMask; 243 | } SFLExtended_mpls_FTN; 244 | 245 | /* Extended MPLS LVP FEC 246 | - Definition from MPLS-LDP-STD-MIB mplsFecTable 247 | Note: mplsFecAddrType, mplsFecAddr information available 248 | from packet header */ 249 | 250 | typedef struct _SFLExtended_mpls_LDP_FEC { 251 | uint32_t mplsFecAddrPrefixLength; 252 | } SFLExtended_mpls_LDP_FEC; 253 | 254 | /* Extended VLAN tunnel information 255 | Record outer VLAN encapsulations that have 256 | been stripped. extended_vlantunnel information 257 | should only be reported if all the following conditions are satisfied: 258 | 1. The packet has nested vlan tags, AND 259 | 2. The reporting device is VLAN aware, AND 260 | 3. One or more VLAN tags have been stripped, either 261 | because they represent proprietary encapsulations, or 262 | because switch hardware automatically strips the outer VLAN 263 | encapsulation. 
264 | Reporting extended_vlantunnel information is not a substitute for 265 | reporting extended_switch information. extended_switch data must 266 | always be reported to describe the ingress/egress VLAN information 267 | for the packet. The extended_vlantunnel information only applies to 268 | nested VLAN tags, and then only when one or more tags has been 269 | stripped. */ 270 | 271 | typedef SFLLabelStack SFLVlanStack; 272 | typedef struct _SFLExtended_vlan_tunnel { 273 | SFLVlanStack stack; /* List of stripped 802.1Q TPID/TCI layers. Each 274 | TPID,TCI pair is represented as a single 32 bit 275 | integer. Layers listed from outermost to 276 | innermost. */ 277 | } SFLExtended_vlan_tunnel; 278 | 279 | /* 280 | ////////////////// IEEE 802.11 Extension structs //////////////////// 281 | 282 | The 4-byte cipher_suite identifier follows the format of the cipher suite 283 | selector value from the 802.11i (TKIP/CCMP amendment to 802.11i) 284 | The most significant three bytes contain the OUI and the least significant 285 | byte contains the Suite Type. 286 | 287 | The currently assigned values are: 288 | 289 | OUI |Suite type |Meaning 290 | ---------------------------------------------------- 291 | 00-0F-AC | 0 | Use group cipher suite 292 | 00-0F-AC | 1 | WEP-40 293 | 00-0F-AC | 2 | TKIP 294 | 00-0F-AC | 3 | Reserved 295 | 00-0F-AC | 4 | CCMP 296 | 00-0F-AC | 5 | WEP-104 297 | 00-0F-AC | 6-255 | Reserved 298 | Vendor OUI | Other | Vendor specific 299 | Other | Any | Reserved 300 | ---------------------------------------------------- 301 | */ 302 | 303 | typedef uint32_t SFLCipherSuite; 304 | 305 | /* Extended wifi Payload 306 | Used to provide unencrypted version of 802.11 MAC data. If the 307 | MAC data is not encrypted then the agent must not include an 308 | extended_wifi_payload structure. 
309 | If 802.11 MAC data is encrypted then the sampled_header structure 310 | should only contain the MAC header (since encrypted data cannot 311 | be decoded by the sFlow receiver). If the sFlow agent has access to 312 | the unencrypted payload, it should add an extended_wifi_payload 313 | structure containing the unencrypted data bytes from the sampled 314 | packet header, starting at the beginning of the 802.2 LLC and not 315 | including any trailing encryption footers. */ 316 | /* opaque = flow_data; enterprise = 0; format = 1013 */ 317 | 318 | typedef struct _SFLExtended_wifi_payload { 319 | SFLCipherSuite cipherSuite; 320 | SFLSampled_header header; /* NOTE(review): per the description above this holds cleartext taken from an encrypted frame, so handle and store it as sensitive data */ 321 | } SFLExtended_wifi_payload; 322 | 323 | typedef enum { 324 | IEEE80211_A=1, 325 | IEEE80211_B=2, 326 | IEEE80211_G=3, 327 | IEEE80211_N=4, 328 | } SFL_IEEE80211_version; 329 | 330 | /* opaque = flow_data; enterprise = 0; format = 1014 */ 331 | 332 | #define SFL_MAX_SSID_LEN 256 /* NOTE(review): presumably the upper bound for the ssid_len fields below; confirm the decoder enforces it */ 333 | 334 | typedef struct _SFLExtended_wifi_rx { 335 | uint32_t ssid_len; /* length of ssid. NOTE(review): when read from a received datagram, check it against SFL_MAX_SSID_LEN before ssid is copied */ 336 | char *ssid; /* SSID string */ 337 | char bssid[6]; /* BSSID */ 338 | SFL_IEEE80211_version version; /* version */ 339 | uint32_t channel; /* channel number */ 340 | uint64_t speed; 341 | uint32_t rsni; /* received signal to noise ratio, see dot11FrameRprtRSNI */ 342 | uint32_t rcpi; /* received channel power, see dot11FrameRprtLastRCPI */ 343 | uint32_t packet_duration_us; /* amount of time that the successfully received pkt occupied RF medium.*/ 344 | } SFLExtended_wifi_rx; 345 | 346 | /* opaque = flow_data; enterprise = 0; format = 1015 */ 347 | 348 | typedef struct _SFLExtended_wifi_tx { 349 | uint32_t ssid_len; /* length of ssid. NOTE(review): when read from a received datagram, check it against SFL_MAX_SSID_LEN before ssid is copied */ 350 | char *ssid; /* SSID string */ 351 | char bssid[6]; /* BSSID */ 352 | SFL_IEEE80211_version version; /* version */ 353 | uint32_t transmissions; /* number of transmissions for sampled 354 | packet. 
355 | 0 = unkown 356 | 1 = packet was successfully transmitted 357 | on first attempt 358 | n > 1 = n - 1 retransmissions */ 359 | uint32_t packet_duration_us; /* amount of time that the successfully 360 | transmitted packet occupied the 361 | RF medium */ 362 | uint32_t retrans_duration_us; /* amount of time that failed transmission 363 | attempts occupied the RF medium */ 364 | uint32_t channel; /* channel number */ 365 | uint64_t speed; 366 | uint32_t power_mw; /* transmit power in mW. */ 367 | } SFLExtended_wifi_tx; 368 | 369 | /* Extended 802.11 Aggregation Data */ 370 | /* A flow_sample of an aggregated frame would consist of a packet 371 | header for the whole frame + any other extended structures that 372 | apply (e.g. 80211_tx/rx etc.) + an extended_wifi_aggregation 373 | structure which would contain an array of pdu structures (one 374 | for each PDU in the aggregate). A pdu is simply an array of 375 | flow records, in the simplest case a packet header for each PDU, 376 | but extended structures could be included as well. */ 377 | 378 | /* opaque = flow_data; enterprise = 0; format = 1016 */ 379 | 380 | struct _SFLFlow_Pdu; /* forward decl */ 381 | 382 | typedef struct _SFLExtended_aggregation { 383 | uint32_t num_pdus; 384 | struct _SFFlow_Pdu *pdus; 385 | } SFLExtended_aggregation; 386 | /* TCP connection state */ 387 | /* Based on struct tcp_info in /usr/include/linux/tcp.h */ 388 | /* opaque = flow_data; enterprise=0; format=2209 */ 389 | 390 | typedef enum { 391 | PKTDIR_unknown = 0, 392 | PKTDIR_received = 1, 393 | PKTDIR_sent = 2 394 | } EnumPktDirection; 395 | 396 | typedef struct _SFLExtended_TCP_info { 397 | uint32_t dirn; /* EnumPktDirection: Sampled packet direction */ 398 | uint32_t snd_mss; /* Cached effective mss, not including SACKS */ 399 | uint32_t rcv_mss; /* Max. recv. 
segment size */ 400 | uint32_t unacked; /* Packets which are "in flight" */ 401 | uint32_t lost; /* Lost packets */ 402 | uint32_t retrans; /* Retransmitted packets */ 403 | uint32_t pmtu; /* Last pmtu seen by socket */ 404 | uint32_t rtt; /* smoothed RTT (microseconds) */ 405 | uint32_t rttvar; /* RTT variance (microseconds) */ 406 | uint32_t snd_cwnd; /* Sending congestion window */ 407 | uint32_t reordering; /* Reordering */ 408 | uint32_t min_rtt; /* Minimum RTT (microseconds) */ 409 | } SFLExtended_TCP_info; 410 | 411 | #define XDRSIZ_SFLEXTENDED_TCP_INFO 48 412 | 413 | /* Physical or virtual host description 414 | opaque = flow_data; enterprise = 0; format = 2210 415 | Set Data source to all zeroes if unknown */ 416 | typedef struct _SFLExtended_entities { 417 | uint32_t src_dsClass; /* Data Source associated with packet source */ 418 | uint32_t src_dsIndex; 419 | uint32_t dst_dsClass; /* Data Source associated with packet destination */ 420 | uint32_t dst_dsIndex; 421 | } SFLExtended_entities; 422 | 423 | #define XDRSIZ_SFLEXTENDED_ENTITIES 16 424 | 425 | /* Extended socket information, 426 | Must be filled in for all application transactions associated with a network socket 427 | Omit if transaction associated with non-network IPC */ 428 | 429 | /* IPv4 Socket */ 430 | /* opaque = flow_data; enterprise = 0; format = 2100 */ 431 | typedef struct _SFLExtended_socket_ipv4 { 432 | uint32_t protocol; /* IP Protocol (e.g. TCP = 6, UDP = 17) */ 433 | SFLIPv4 local_ip; /* local IP address */ 434 | SFLIPv4 remote_ip; /* remote IP address */ 435 | uint32_t local_port; /* TCP/UDP local port number or equivalent */ 436 | uint32_t remote_port; /* TCP/UDP remote port number of equivalent */ 437 | } SFLExtended_socket_ipv4; 438 | 439 | #define XDRSIZ_SFLEXTENDED_SOCKET4 20 440 | 441 | /* IPv6 Socket */ 442 | /* opaque = flow_data; enterprise = 0; format = 2101 */ 443 | typedef struct _SFLExtended_socket_ipv6 { 444 | uint32_t protocol; /* IP Protocol (e.g. 
TCP = 6, UDP = 17) */ 445 | SFLIPv6 local_ip; /* local IP address */ 446 | SFLIPv6 remote_ip; /* remote IP address */ 447 | uint32_t local_port; /* TCP/UDP local port number or equivalent */ 448 | uint32_t remote_port; /* TCP/UDP remote port number of equivalent */ 449 | } SFLExtended_socket_ipv6; 450 | 451 | #define XDRSIZ_SFLEXTENDED_SOCKET6 44 452 | 453 | typedef enum { 454 | MEMCACHE_PROT_OTHER = 0, 455 | MEMCACHE_PROT_ASCII = 1, 456 | MEMCACHE_PROT_BINARY = 2 457 | } SFLMemcache_prot; 458 | 459 | typedef enum { 460 | MEMCACHE_CMD_OTHER = 0, 461 | MEMCACHE_CMD_SET = 1, 462 | MEMCACHE_CMD_ADD = 2, 463 | MEMCACHE_CMD_REPLACE = 3, 464 | MEMCACHE_CMD_APPEND = 4, 465 | MEMCACHE_CMD_PREPEND = 5, 466 | MEMCACHE_CMD_CAS = 6, 467 | MEMCACHE_CMD_GET = 7, 468 | MEMCACHE_CMD_GETS = 8, 469 | MEMCACHE_CMD_INCR = 9, 470 | MEMCACHE_CMD_DECR = 10, 471 | MEMCACHE_CMD_DELETE = 11, 472 | MEMCACHE_CMD_STATS = 12, 473 | MEMCACHE_CMD_FLUSH = 13, 474 | MEMCACHE_CMD_VERSION = 14, 475 | MEMCACHE_CMD_QUIT = 15, 476 | MEMCACHE_CMD_TOUCH = 16 477 | } SFLMemcache_cmd; 478 | 479 | enum SFLMemcache_operation_status { 480 | MEMCACHE_OP_UNKNOWN = 0, 481 | MEMCACHE_OP_OK = 1, 482 | MEMCACHE_OP_ERROR = 2, 483 | MEMCACHE_OP_CLIENT_ERROR = 3, 484 | MEMCACHE_OP_SERVER_ERROR = 4, 485 | MEMCACHE_OP_STORED = 5, 486 | MEMCACHE_OP_NOT_STORED = 6, 487 | MEMCACHE_OP_EXISTS = 7, 488 | MEMCACHE_OP_NOT_FOUND = 8, 489 | MEMCACHE_OP_DELETED = 9 490 | }; 491 | 492 | #define SFL_MAX_MEMCACHE_KEY 255 493 | 494 | typedef struct _SFLSampled_memcache { 495 | uint32_t protocol; /* SFLMemcache_prot */ 496 | uint32_t command; /* SFLMemcache_cmd */ 497 | SFLString key; /* up to 255 chars */ 498 | uint32_t nkeys; 499 | uint32_t value_bytes; 500 | uint32_t duration_uS; 501 | uint32_t status; /* SFLMemcache_operation_status */ 502 | } SFLSampled_memcache; 503 | 504 | typedef enum { 505 | SFHTTP_OTHER = 0, 506 | SFHTTP_OPTIONS = 1, 507 | SFHTTP_GET = 2, 508 | SFHTTP_HEAD = 3, 509 | SFHTTP_POST = 4, 510 | SFHTTP_PUT = 5, 511 
| SFHTTP_DELETE = 6, 512 | SFHTTP_TRACE = 7, 513 | SFHTTP_CONNECT = 8 514 | } SFLHTTP_method; 515 | 516 | #define SFL_MAX_HTTP_URI 255 517 | #define SFL_MAX_HTTP_HOST 64 518 | #define SFL_MAX_HTTP_REFERRER 255 519 | #define SFL_MAX_HTTP_USERAGENT 128 520 | #define SFL_MAX_HTTP_XFF 64 521 | #define SFL_MAX_HTTP_AUTHUSER 32 522 | #define SFL_MAX_HTTP_MIMETYPE 64 523 | 524 | typedef struct _SFLSampled_http { 525 | SFLHTTP_method method; 526 | uint32_t protocol; /* 1.1=1001 */ 527 | SFLString uri; /* URI exactly as it came from the client (up to 255 bytes) */ 528 | SFLString host; /* Host value from request header (<= 64 bytes) */ 529 | SFLString referrer; /* Referer value from request header (<=255 bytes) */ 530 | SFLString useragent; /* User-Agent value from request header (<= 128 bytes)*/ 531 | SFLString xff; /* X-Forwarded-For value from request header (<= 64 bytes)*/ 532 | SFLString authuser; /* RFC 1413 identity of user (<=32 bytes)*/ 533 | SFLString mimetype; /* Mime-Type (<=64 bytes) */ 534 | uint64_t req_bytes; /* Content-Length of request */ 535 | uint64_t resp_bytes; /* Content-Length of response */ 536 | uint32_t uS; /* duration of the operation (microseconds) */ 537 | uint32_t status; /* HTTP status code */ 538 | } SFLSampled_http; 539 | 540 | 541 | typedef enum { 542 | SFLAPP_SUCCESS = 0, 543 | SFLAPP_OTHER = 1, 544 | SFLAPP_TIMEOUT = 2, 545 | SFLAPP_INTERNAL_ERROR = 3, 546 | SFLAPP_BAD_REQUEST = 4, 547 | SFLAPP_FORBIDDEN = 5, 548 | SFLAPP_TOO_LARGE = 6, 549 | SFLAPP_NOT_IMPLEMENTED = 7, 550 | SFLAPP_NOT_FOUND = 8, 551 | SFLAPP_UNAVAILABLE = 9, 552 | SFLAPP_UNAUTHORIZED = 10, 553 | SFLAPP_NUM_STATUS_CODES 554 | } EnumSFLAPPStatus; 555 | 556 | static const char *SFL_APP_STATUS_names[] = { "SUCCESS", 557 | "OTHER", 558 | "TIMEOUT", 559 | "INTERNAL_ERROR", 560 | "BAD_REQUEST", 561 | "FORBIDDEN", 562 | "TOO_LARGE", 563 | "NOT_IMPLEMENTED", 564 | "NOT_FOUND", 565 | "UNAVAILABLE", 566 | "UNATHORIZED" }; 567 | 568 | /* Operation context */ 569 | typedef struct { 
570 | SFLString application; 571 | SFLString operation; /* type of operation (e.g. authorization, payment) */ 572 | SFLString attributes; /* specific attributes associated operation */ 573 | } SFLSampled_APP_CTXT; 574 | 575 | #define SFLAPP_MAX_APPLICATION_LEN 32 576 | #define SFLAPP_MAX_OPERATION_LEN 32 577 | #define SFLAPP_MAX_ATTRIBUTES_LEN 255 578 | 579 | /* Sampled Enterprise Operation */ 580 | /* opaque = flow_data; enterprise = 0; format = 2202 */ 581 | typedef struct { 582 | SFLSampled_APP_CTXT context; /* attributes describing the operation */ 583 | SFLString status_descr; /* additional text describing status (e.g. "unknown client") */ 584 | uint64_t req_bytes; /* size of request body (exclude headers) */ 585 | uint64_t resp_bytes; /* size of response body (exclude headers) */ 586 | uint32_t duration_uS; /* duration of the operation (microseconds) */ 587 | EnumSFLAPPStatus status; /* status code */ 588 | } SFLSampled_APP; 589 | 590 | #define SFLAPP_MAX_STATUS_LEN 32 591 | 592 | typedef struct { 593 | SFLString actor; 594 | } SFLSampled_APP_ACTOR; 595 | 596 | #define SFLAPP_MAX_ACTOR_LEN 64 597 | 598 | typedef struct _SFLExtended_vni { 599 | uint32_t vni; /* virtual network identifier */ 600 | } SFLExtended_vni; 601 | 602 | typedef struct _SFLExtended_decap { 603 | uint32_t innerHeaderOffset; 604 | } SFLExtended_decap; 605 | 606 | /* Selected egress queue */ 607 | /* Output port number must be provided in enclosing structure */ 608 | /* opaque = flow_data; enterprise = 0; format = 1036 */ 609 | typedef struct { 610 | unsigned int queue; /* eqress queue number selected for sampled packet */ 611 | } SFLExtended_egress_queue; 612 | #define XDRSIZ_SFLEXTENDED_EGRESS_Q 4 613 | 614 | /* Software function */ 615 | /* Name of software function generating this event */ 616 | /* opaque = flow_data; enterprise = 0; format = 1038 */ 617 | typedef struct _SFLExtended_function { 618 | SFLString symbol; 619 | } SFLExtended_function; 620 | #define 
SFL_MAX_FUNCTION_SYMBOL_LEN 64 621 | 622 | /* Delay for sampled packet traversing switch */ 623 | /* opaque = flow_data; enterprise = 0; format = 1039 */ 624 | typedef struct { 625 | unsigned int delay; /* transit delay in nanoseconds 626 | 0xffffffff indicates value >= 0xffffffff */ 627 | } SFLExtended_transit_delay; 628 | #define XDRSIZ_SFLEXTENDED_TRANSIT 4 629 | 630 | /* Queue depth for sampled packet traversing switch */ 631 | /* extended_egress_queue structure must be included */ 632 | /* opaque = flow_data; enterprise = 0; format = 1040 */ 633 | typedef struct { 634 | unsigned int depth; /* queue depth in bytes */ 635 | } SFLExtended_queue_depth; 636 | #define XDRSIZ_SFLEXTENDED_Q_DEPTH 4 637 | 638 | // Devlink Trap Name 639 | // opaque = flow_data; enterprise = 0; format = 1041 640 | // https://www.kernel.org/doc/html/latest/networking/devlink/devlink-trap.html 641 | // XDR spec: 642 | // struct extended_hw_trap { 643 | // string group<>; /* NET_DM_ATTR_HW_TRAP_GROUP_NAME */ 644 | // string trap<>; /* NET_DM_ATTR_HW_TRAP_NAME */ 645 | // } 646 | typedef struct _SFLExtended_hw_trap { 647 | SFLString group; 648 | SFLString trap; 649 | } SFLExtended_hw_trap; 650 | #define SFL_MAX_HW_TRAP_LEN 64 651 | 652 | // Linux drop_monitor reason 653 | // opaque = flow_data; enterprise = 0; format = 1042 654 | // https://github.com/torvalds/linux/blob/master/include/net/dropreason.h 655 | // XDR spec: 656 | // struct extended_linux_drop_reason { 657 | // string reason<>; /* NET_DM_ATTR_REASON */ 658 | // } 659 | typedef struct _SFLExtended_linux_reason { 660 | SFLString reason; 661 | } SFLExtended_linux_reason; 662 | #define SFL_MAX_LINUX_REASON_LEN 64 663 | 664 | /* Precision Timestamp */ 665 | /* opaque = flow_data; enterprise = 0; format = 1043 */ 666 | /* Time in relative to the UNIX epoch starting in 1970 using the 667 | Coordinated Universal Time (UTC). Agent should report most accurate 668 | synchronized time available, e.g. Atomic, PTP, NTP, etc. 
*/ 669 | 670 | typedef struct { 671 | uint64_t nanoseconds; 672 | } SFLExtended_timestamp; 673 | 674 | enum SFLFlow_type_tag { 675 | /* enterprise = 0, format = ... */ 676 | SFLFLOW_HEADER = 1, /* Packet headers are sampled */ 677 | SFLFLOW_ETHERNET = 2, /* MAC layer information */ 678 | SFLFLOW_IPV4 = 3, /* IP version 4 data */ 679 | SFLFLOW_IPV6 = 4, /* IP version 6 data */ 680 | SFLFLOW_EX_SWITCH = 1001, /* Extended switch information */ 681 | SFLFLOW_EX_ROUTER = 1002, /* Extended router information */ 682 | SFLFLOW_EX_GATEWAY = 1003, /* Extended gateway router information */ 683 | SFLFLOW_EX_USER = 1004, /* Extended TACAS/RADIUS user information */ 684 | SFLFLOW_EX_URL = 1005, /* Extended URL information */ 685 | SFLFLOW_EX_MPLS = 1006, /* Extended MPLS information */ 686 | SFLFLOW_EX_NAT = 1007, /* Extended NAT information */ 687 | SFLFLOW_EX_MPLS_TUNNEL = 1008, /* additional MPLS information */ 688 | SFLFLOW_EX_MPLS_VC = 1009, 689 | SFLFLOW_EX_MPLS_FTN = 1010, 690 | SFLFLOW_EX_MPLS_LDP_FEC = 1011, 691 | SFLFLOW_EX_VLAN_TUNNEL = 1012, /* VLAN stack */ 692 | SFLFLOW_EX_80211_PAYLOAD = 1013, 693 | SFLFLOW_EX_80211_RX = 1014, 694 | SFLFLOW_EX_80211_TX = 1015, 695 | SFLFLOW_EX_AGGREGATION = 1016, 696 | SFLFLOW_EX_NAT_PORT = 1020, /* Extended NAT port information */ 697 | SFLFLOW_EX_L2_TUNNEL_OUT = 1021, /* http://sflow.org/sflow_tunnels.txt */ 698 | SFLFLOW_EX_L2_TUNNEL_IN = 1022, 699 | SFLFLOW_EX_IPV4_TUNNEL_OUT = 1023, 700 | SFLFLOW_EX_IPV4_TUNNEL_IN = 1024, 701 | SFLFLOW_EX_IPV6_TUNNEL_OUT = 1025, 702 | SFLFLOW_EX_IPV6_TUNNEL_IN = 1026, 703 | SFLFLOW_EX_DECAP_OUT = 1027, 704 | SFLFLOW_EX_DECAP_IN = 1028, 705 | SFLFLOW_EX_VNI_OUT = 1029, 706 | SFLFLOW_EX_VNI_IN = 1030, 707 | SFLFLOW_EX_EGRESS_Q = 1036, 708 | SFLFLOW_EX_FUNCTION = 1038, 709 | SFLFLOW_EX_TRANSIT = 1039, 710 | SFLFLOW_EX_Q_DEPTH = 1040, 711 | SFLFLOW_EX_HW_TRAP = 1041, 712 | SFLFLOW_EX_LINUX_REASON = 1042, 713 | SFLFLOW_EX_TIMESTAMP = 1043, 714 | SFLFLOW_EX_SOCKET4 = 2100, 715 | SFLFLOW_EX_SOCKET6 
= 2101, 716 | SFLFLOW_EX_PROXYSOCKET4 = 2102, 717 | SFLFLOW_EX_PROXYSOCKET6 = 2103, 718 | SFLFLOW_MEMCACHE = 2200, 719 | SFLFLOW_HTTP = 2201, 720 | SFLFLOW_APP = 2202, /* transaction sample */ 721 | SFLFLOW_APP_CTXT = 2203, /* enclosing server context */ 722 | SFLFLOW_APP_ACTOR_INIT = 2204, /* initiator */ 723 | SFLFLOW_APP_ACTOR_TGT = 2205, /* target */ 724 | SFLFLOW_HTTP2 = 2206, 725 | SFLFLOW_EX_TCP_INFO = 2209, 726 | SFLFLOW_EX_ENTITIES = 2210, 727 | }; 728 | 729 | typedef union _SFLFlow_type { 730 | SFLSampled_header header; 731 | SFLSampled_ethernet ethernet; 732 | SFLSampled_ipv4 ipv4; 733 | SFLSampled_ipv6 ipv6; 734 | SFLSampled_memcache memcache; 735 | SFLSampled_http http; 736 | SFLSampled_APP app; 737 | SFLSampled_APP_CTXT appCtxt; 738 | SFLSampled_APP_ACTOR appActor; 739 | SFLExtended_switch sw; 740 | SFLExtended_router router; 741 | SFLExtended_gateway gateway; 742 | SFLExtended_user user; 743 | SFLExtended_url url; 744 | SFLExtended_mpls mpls; 745 | SFLExtended_nat nat; 746 | SFLExtended_nat_port nat_port; 747 | SFLExtended_mpls_tunnel mpls_tunnel; 748 | SFLExtended_mpls_vc mpls_vc; 749 | SFLExtended_mpls_FTN mpls_ftn; 750 | SFLExtended_mpls_LDP_FEC mpls_ldp_fec; 751 | SFLExtended_vlan_tunnel vlan_tunnel; 752 | SFLExtended_wifi_payload wifi_payload; 753 | SFLExtended_wifi_rx wifi_rx; 754 | SFLExtended_wifi_tx wifi_tx; 755 | SFLExtended_aggregation aggregation; 756 | SFLExtended_socket_ipv4 socket4; 757 | SFLExtended_socket_ipv6 socket6; 758 | SFLExtended_vni tunnel_vni; 759 | SFLExtended_decap tunnel_decap; 760 | SFLExtended_TCP_info tcp_info; 761 | SFLExtended_entities entities; 762 | SFLExtended_function function; 763 | SFLExtended_egress_queue egress_queue; 764 | SFLExtended_queue_depth queue_depth; 765 | SFLExtended_transit_delay transit_delay; 766 | SFLExtended_timestamp timestamp; 767 | } SFLFlow_type; 768 | 769 | typedef struct _SFLFlow_sample_element { 770 | struct _SFLFlow_sample_element *nxt; 771 | uint32_t tag; /* SFLFlow_type_tag */ 772 | 
uint32_t length; 773 | SFLFlow_type flowType; 774 | } SFLFlow_sample_element; 775 | 776 | enum SFL_sample_tag { 777 | SFLFLOW_SAMPLE = 1, /* enterprise = 0 : format = 1 */ 778 | SFLCOUNTERS_SAMPLE = 2, /* enterprise = 0 : format = 2 */ 779 | SFLFLOW_SAMPLE_EXPANDED = 3, /* enterprise = 0 : format = 3 */ 780 | SFLCOUNTERS_SAMPLE_EXPANDED = 4, /* enterprise = 0 : format = 4 */ 781 | SFLEVENT_DISCARDED_PACKET = 5, /* enterprise = 0 : format = 5 */ 782 | SFLRTMETRIC = ((4300 << 12) + 1002), 783 | SFLRTFLOW = ((4300 << 12) + 1003) 784 | }; 785 | 786 | typedef struct _SFLFlow_Pdu { 787 | struct _SFLFlow_Pdu *nxt; 788 | uint32_t num_elements; 789 | SFLFlow_sample_element *elements; 790 | } SFLFlow_Pdu; 791 | 792 | 793 | /* Format of a single flow sample */ 794 | 795 | typedef struct _SFLFlow_sample { 796 | /* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */ 797 | /* uint32_t length; */ 798 | uint32_t sequence_number; /* Incremented with each flow sample 799 | generated */ 800 | uint32_t source_id; /* fsSourceId */ 801 | uint32_t sampling_rate; /* fsPacketSamplingRate */ 802 | uint32_t sample_pool; /* Total number of packets that could have been 803 | sampled (i.e. packets skipped by sampling 804 | process + total number of samples) */ 805 | uint32_t drops; /* Number of times a packet was dropped due to 806 | lack of resources */ 807 | uint32_t input; /* SNMP ifIndex of input interface. 808 | 0 if interface is not known. */ 809 | uint32_t output; /* SNMP ifIndex of output interface, 810 | 0 if interface is not known. 811 | Set most significant bit to indicate 812 | multiple destination interfaces 813 | (i.e. in case of broadcast or multicast) 814 | and set lower order bits to indicate 815 | number of destination interfaces. 816 | Examples: 817 | 0x00000002 indicates ifIndex = 2 818 | 0x00000000 ifIndex unknown. 819 | 0x80000007 indicates a packet sent 820 | to 7 interfaces. 
821 | 0x80000000 indicates a packet sent to 822 | an unknown number of 823 | interfaces greater than 1.*/ 824 | uint32_t num_elements; 825 | SFLFlow_sample_element *elements; 826 | } SFLFlow_sample; 827 | 828 | /* same thing, but the expanded version (for full 32-bit ifIndex numbers) */ 829 | 830 | typedef struct _SFLFlow_sample_expanded { 831 | /* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */ 832 | /* uint32_t length; */ 833 | uint32_t sequence_number; /* Incremented with each flow sample 834 | generated */ 835 | uint32_t ds_class; /* EXPANDED */ 836 | uint32_t ds_index; /* EXPANDED */ 837 | uint32_t sampling_rate; /* fsPacketSamplingRate */ 838 | uint32_t sample_pool; /* Total number of packets that could have been 839 | sampled (i.e. packets skipped by sampling 840 | process + total number of samples) */ 841 | uint32_t drops; /* Number of times a packet was dropped due to 842 | lack of resources */ 843 | uint32_t inputFormat; /* EXPANDED */ 844 | uint32_t input; /* SNMP ifIndex of input interface. 845 | 0 if interface is not known. */ 846 | uint32_t outputFormat; /* EXPANDED */ 847 | uint32_t output; /* SNMP ifIndex of output interface, 848 | 0 if interface is not known. 
*/ 849 | uint32_t num_elements; 850 | SFLFlow_sample_element *elements; 851 | } SFLFlow_sample_expanded; 852 | 853 | /* Counter types */ 854 | 855 | /* Generic interface counters - see RFC 1573, 2233 */ 856 | 857 | typedef struct _SFLIf_counters { 858 | uint32_t ifIndex; 859 | uint32_t ifType; 860 | uint64_t ifSpeed; 861 | uint32_t ifDirection; /* Derived from MAU MIB (RFC 2668) 862 | 0 = unknown, 1 = full-duplex, 863 | 2 = half-duplex, 3 = in, 4 = out */ 864 | uint32_t ifStatus; /* bit field with the following bits assigned: 865 | bit 0 = ifAdminStatus (0 = down, 1 = up) 866 | bit 1 = ifOperStatus (0 = down, 1 = up) */ 867 | uint64_t ifInOctets; 868 | uint32_t ifInUcastPkts; 869 | uint32_t ifInMulticastPkts; 870 | uint32_t ifInBroadcastPkts; 871 | uint32_t ifInDiscards; 872 | uint32_t ifInErrors; 873 | uint32_t ifInUnknownProtos; 874 | uint64_t ifOutOctets; 875 | uint32_t ifOutUcastPkts; 876 | uint32_t ifOutMulticastPkts; 877 | uint32_t ifOutBroadcastPkts; 878 | uint32_t ifOutDiscards; 879 | uint32_t ifOutErrors; 880 | uint32_t ifPromiscuousMode; 881 | } SFLIf_counters; 882 | 883 | /* Ethernet interface counters - see RFC 2358 */ 884 | typedef struct _SFLEthernet_counters { 885 | uint32_t dot3StatsAlignmentErrors; 886 | uint32_t dot3StatsFCSErrors; 887 | uint32_t dot3StatsSingleCollisionFrames; 888 | uint32_t dot3StatsMultipleCollisionFrames; 889 | uint32_t dot3StatsSQETestErrors; 890 | uint32_t dot3StatsDeferredTransmissions; 891 | uint32_t dot3StatsLateCollisions; 892 | uint32_t dot3StatsExcessiveCollisions; 893 | uint32_t dot3StatsInternalMacTransmitErrors; 894 | uint32_t dot3StatsCarrierSenseErrors; 895 | uint32_t dot3StatsFrameTooLongs; 896 | uint32_t dot3StatsInternalMacReceiveErrors; 897 | uint32_t dot3StatsSymbolErrors; 898 | } SFLEthernet_counters; 899 | 900 | /* Token ring counters - see RFC 1748 */ 901 | 902 | typedef struct _SFLTokenring_counters { 903 | uint32_t dot5StatsLineErrors; 904 | uint32_t dot5StatsBurstErrors; 905 | uint32_t 
dot5StatsACErrors; 906 | uint32_t dot5StatsAbortTransErrors; 907 | uint32_t dot5StatsInternalErrors; 908 | uint32_t dot5StatsLostFrameErrors; 909 | uint32_t dot5StatsReceiveCongestions; 910 | uint32_t dot5StatsFrameCopiedErrors; 911 | uint32_t dot5StatsTokenErrors; 912 | uint32_t dot5StatsSoftErrors; 913 | uint32_t dot5StatsHardErrors; 914 | uint32_t dot5StatsSignalLoss; 915 | uint32_t dot5StatsTransmitBeacons; 916 | uint32_t dot5StatsRecoverys; 917 | uint32_t dot5StatsLobeWires; 918 | uint32_t dot5StatsRemoves; 919 | uint32_t dot5StatsSingles; 920 | uint32_t dot5StatsFreqErrors; 921 | } SFLTokenring_counters; 922 | 923 | /* 100 BaseVG interface counters - see RFC 2020 */ 924 | 925 | typedef struct _SFLVg_counters { 926 | uint32_t dot12InHighPriorityFrames; 927 | uint64_t dot12InHighPriorityOctets; 928 | uint32_t dot12InNormPriorityFrames; 929 | uint64_t dot12InNormPriorityOctets; 930 | uint32_t dot12InIPMErrors; 931 | uint32_t dot12InOversizeFrameErrors; 932 | uint32_t dot12InDataErrors; 933 | uint32_t dot12InNullAddressedFrames; 934 | uint32_t dot12OutHighPriorityFrames; 935 | uint64_t dot12OutHighPriorityOctets; 936 | uint32_t dot12TransitionIntoTrainings; 937 | uint64_t dot12HCInHighPriorityOctets; 938 | uint64_t dot12HCInNormPriorityOctets; 939 | uint64_t dot12HCOutHighPriorityOctets; 940 | } SFLVg_counters; 941 | 942 | typedef struct _SFLVlan_counters { 943 | uint32_t vlan_id; 944 | uint64_t octets; 945 | uint32_t ucastPkts; 946 | uint32_t multicastPkts; 947 | uint32_t broadcastPkts; 948 | uint32_t discards; 949 | } SFLVlan_counters; 950 | 951 | typedef struct _SFLWifi_counters { 952 | uint32_t dot11TransmittedFragmentCount; 953 | uint32_t dot11MulticastTransmittedFrameCount; 954 | uint32_t dot11FailedCount; 955 | uint32_t dot11RetryCount; 956 | uint32_t dot11MultipleRetryCount; 957 | uint32_t dot11FrameDuplicateCount; 958 | uint32_t dot11RTSSuccessCount; 959 | uint32_t dot11RTSFailureCount; 960 | uint32_t dot11ACKFailureCount; 961 | uint32_t 
dot11ReceivedFragmentCount; 962 | uint32_t dot11MulticastReceivedFrameCount; 963 | uint32_t dot11FCSErrorCount; 964 | uint32_t dot11TransmittedFrameCount; 965 | uint32_t dot11WEPUndecryptableCount; 966 | uint32_t dot11QoSDiscardedFragmentCount; 967 | uint32_t dot11AssociatedStationCount; 968 | uint32_t dot11QoSCFPollsReceivedCount; 969 | uint32_t dot11QoSCFPollsUnusedCount; 970 | uint32_t dot11QoSCFPollsUnusableCount; 971 | uint32_t dot11QoSCFPollsLostCount; 972 | } SFLWifi_counters; 973 | 974 | /* Processor Information */ 975 | /* opaque = counter_data; enterprise = 0; format = 1001 */ 976 | 977 | typedef struct _SFLProcessor_counters { 978 | uint32_t five_sec_cpu; /* 5 second average CPU utilization */ 979 | uint32_t one_min_cpu; /* 1 minute average CPU utilization */ 980 | uint32_t five_min_cpu; /* 5 minute average CPU utilization */ 981 | uint64_t total_memory; /* total memory (in bytes) */ 982 | uint64_t free_memory; /* free memory (in bytes) */ 983 | } SFLProcessor_counters; 984 | 985 | typedef struct _SFLRadio_counters { 986 | uint32_t elapsed_time; /* elapsed time in ms */ 987 | uint32_t on_channel_time; /* time in ms spent on channel */ 988 | uint32_t on_channel_busy_time; /* time in ms spent on channel and busy */ 989 | } SFLRadio_counters; 990 | 991 | /* host sflow */ 992 | 993 | enum SFLMachine_type { 994 | SFLMT_unknown = 0, 995 | SFLMT_other = 1, 996 | SFLMT_x86 = 2, 997 | SFLMT_x86_64 = 3, 998 | SFLMT_ia64 = 4, 999 | SFLMT_sparc = 5, 1000 | SFLMT_alpha = 6, 1001 | SFLMT_powerpc = 7, 1002 | SFLMT_m68k = 8, 1003 | SFLMT_mips = 9, 1004 | SFLMT_arm = 10, 1005 | SFLMT_hppa = 11, 1006 | SFLMT_s390 = 12 1007 | }; 1008 | 1009 | enum SFLOS_name { 1010 | SFLOS_unknown = 0, 1011 | SFLOS_other = 1, 1012 | SFLOS_linux = 2, 1013 | SFLOS_windows = 3, 1014 | SFLOS_darwin = 4, 1015 | SFLOS_hpux = 5, 1016 | SFLOS_aix = 6, 1017 | SFLOS_dragonfly = 7, 1018 | SFLOS_freebsd = 8, 1019 | SFLOS_netbsd = 9, 1020 | SFLOS_openbsd = 10, 1021 | SFLOS_osf = 11, 1022 | 
SFLOS_solaris = 12 1023 | }; 1024 | 1025 | typedef struct _SFLMacAddress { 1026 | uint8_t mac[8]; 1027 | } SFLMacAddress; 1028 | 1029 | typedef struct _SFLAdaptor { 1030 | uint32_t ifIndex; 1031 | uint32_t num_macs; 1032 | SFLMacAddress macs[1]; 1033 | } SFLAdaptor; 1034 | 1035 | typedef struct _SFLAdaptorList { 1036 | uint32_t capacity; 1037 | uint32_t num_adaptors; 1038 | SFLAdaptor **adaptors; 1039 | } SFLAdaptorList; 1040 | 1041 | typedef struct _SFLHost_parent { 1042 | uint32_t dsClass; /* sFlowDataSource class */ 1043 | uint32_t dsIndex; /* sFlowDataSource index */ 1044 | } SFLHost_parent; 1045 | 1046 | 1047 | #define SFL_MAX_HOSTNAME_LEN 64 1048 | #define SFL_MAX_OSRELEASE_LEN 32 1049 | 1050 | typedef struct _SFLHostId { 1051 | SFLString hostname; 1052 | uint8_t uuid[16]; 1053 | uint32_t machine_type; /* enum SFLMachine_type */ 1054 | uint32_t os_name; /* enum SFLOS_name */ 1055 | SFLString os_release; /* max len 32 bytes */ 1056 | } SFLHostId; 1057 | 1058 | typedef struct _SFLHost_nio_counters { 1059 | uint64_t bytes_in; 1060 | uint32_t pkts_in; 1061 | uint32_t errs_in; 1062 | uint32_t drops_in; 1063 | uint64_t bytes_out; 1064 | uint32_t pkts_out; 1065 | uint32_t errs_out; 1066 | uint32_t drops_out; 1067 | } SFLHost_nio_counters; 1068 | 1069 | typedef struct _SFLHost_cpu_counters { 1070 | float load_one; /* 1 minute load avg. */ 1071 | float load_five; /* 5 minute load avg. */ 1072 | float load_fifteen; /* 15 minute load avg. 
*/ 1073 | uint32_t proc_run; /* running threads */ 1074 | uint32_t proc_total; /* total threads */ 1075 | uint32_t cpu_num; /* # CPU cores */ 1076 | uint32_t cpu_speed; /* speed in MHz of CPU */ 1077 | uint32_t uptime; /* seconds since last reboot */ 1078 | uint32_t cpu_user; /* time executing in user mode processes (ms) */ 1079 | uint32_t cpu_nice; /* time executing niced processs (ms) */ 1080 | uint32_t cpu_system; /* time executing kernel mode processes (ms) */ 1081 | uint32_t cpu_idle; /* idle time (ms) */ 1082 | uint32_t cpu_wio; /* time waiting for I/O to complete (ms) */ 1083 | uint32_t cpu_intr; /* time servicing interrupts (ms) */ 1084 | uint32_t cpu_sintr; /* time servicing softirqs (ms) */ 1085 | uint32_t interrupts; /* interrupt count */ 1086 | uint32_t contexts; /* context switch count */ 1087 | uint32_t cpu_steal; /* time spent in other OS instances (virtual env) (ms) */ 1088 | uint32_t cpu_guest; /* time spent running vcpu for guest OS */ 1089 | uint32_t cpu_guest_nice; /* time spent running vcpu for "niced" guest OS */ 1090 | } SFLHost_cpu_counters; 1091 | 1092 | typedef struct _SFLHost_mem_counters { 1093 | uint64_t mem_total; /* total bytes */ 1094 | uint64_t mem_free; /* free bytes */ 1095 | uint64_t mem_shared; /* shared bytes */ 1096 | uint64_t mem_buffers; /* buffers bytes */ 1097 | uint64_t mem_cached; /* cached bytes */ 1098 | uint64_t swap_total; /* swap total bytes */ 1099 | uint64_t swap_free; /* swap free bytes */ 1100 | uint32_t page_in; /* page in count */ 1101 | uint32_t page_out; /* page out count */ 1102 | uint32_t swap_in; /* swap in count */ 1103 | uint32_t swap_out; /* swap out count */ 1104 | } SFLHost_mem_counters; 1105 | 1106 | typedef struct _SFLHost_dsk_counters { 1107 | uint64_t disk_total; 1108 | uint64_t disk_free; 1109 | uint32_t part_max_used; /* as percent * 100, so 100==1% */ 1110 | uint32_t reads; /* reads issued */ 1111 | uint64_t bytes_read; /* bytes read */ 1112 | uint32_t read_time; /* read time (ms) */ 1113 | 
uint32_t writes;            /* writes completed */
    uint64_t bytes_written;     /* bytes written */
    uint32_t write_time;        /* write time (ms) */
} SFLHost_dsk_counters;

/*
 * Virtual node statistics.
 * counter_data record: enterprise = 0, format = 2100.
 */
typedef struct _SFLHost_vrt_node_counters {
    uint32_t mhz;           /* expected CPU frequency */
    uint32_t cpus;          /* count of active CPUs */
    uint64_t memory;        /* memory size, bytes */
    uint64_t memory_free;   /* memory not yet assigned, bytes */
    uint32_t num_domains;   /* count of active domains */
} SFLHost_vrt_node_counters;

/*
 * Virtual domain statistics.
 * counter_data record: enterprise = 0, format = 2101.
 */

/* Domain states, mirroring virDomainState from libvirt.h. */
enum SFLVirDomainState {
    SFL_VIR_DOMAIN_NOSTATE  = 0,    /* no state */
    SFL_VIR_DOMAIN_RUNNING  = 1,    /* domain is running */
    SFL_VIR_DOMAIN_BLOCKED  = 2,    /* domain is blocked on a resource */
    SFL_VIR_DOMAIN_PAUSED   = 3,    /* domain was paused by the user */
    SFL_VIR_DOMAIN_SHUTDOWN = 4,    /* domain is being shut down */
    SFL_VIR_DOMAIN_SHUTOFF  = 5,    /* domain is shut off */
    SFL_VIR_DOMAIN_CRASHED  = 6     /* domain has crashed */
};

typedef struct _SFLHost_vrt_cpu_counters {
    /*
     * Domain state, see enum SFLVirDomainState.
     * NOTE(review): held as a raw uint32_t, so values outside 0..6 are
     * representable; code that switches on it should keep a default case.
     */
    uint32_t state;
    uint32_t cpuTime;       /* CPU time used, in ms */
    uint32_t cpuCount;      /* virtual CPUs given to the domain */
} SFLHost_vrt_cpu_counters;

/*
 * Virtual domain memory statistics.
 * counter_data record: enterprise = 0, format = 2102.
 */
typedef struct _SFLHost_vrt_mem_counters {
    uint64_t memory;        /* bytes in use by the domain */
    uint64_t maxMemory;     /* bytes the domain is allowed */
} SFLHost_vrt_mem_counters;

/*
 * Virtual domain disk statistics.
 * counter_data record: enterprise = 0, format = 2103.
 */
typedef struct _SFLHost_vrt_dsk_counters {
    uint64_t capacity;      /* logical size, bytes */
    uint64_t allocation;    /* current allocation, bytes */
    uint64_t available;     /* free bytes remaining */
    uint32_t rd_req;        /* read requests */
    uint64_t rd_bytes;      /* bytes read */
    uint32_t wr_req;        /* write requests */
    uint64_t wr_bytes;      /* bytes written */
    uint32_t errs;          /* read/write errors */
} SFLHost_vrt_dsk_counters;

/*
 * Virtual domain network statistics.
 * counter_data record: enterprise = 0, format = 2104.
 */
typedef struct _SFLHost_vrt_nio_counters {
    /* receive side */
    uint64_t bytes_in;
    uint32_t pkts_in;
    uint32_t errs_in;
    uint32_t drops_in;
    /* transmit side */
    uint64_t bytes_out;
    uint32_t pkts_out;
    uint32_t errs_out;
    uint32_t drops_out;
} SFLHost_vrt_nio_counters;

/*
 * NVML (GPU) statistics.
 * counter_data record: enterprise = 5703, format = 1.
 */
typedef struct _SFLHost_gpu_nvml {
    uint32_t device_count;  /* see nvmlGetDeviceCount */
    uint32_t processes;     /* see nvmlDeviceGetComputeRunningProcesses */
    uint32_t gpu_time;      /* total ms in which one or more kernels was
                               executing on the GPU */
    uint32_t mem_time;      /* total ms during which global device memory
                               was being read/written */
    uint64_t mem_total;     /* bytes; see nvmlDeviceGetMemoryInfo */
    uint64_t mem_free;      /* bytes; see nvmlDeviceGetMemoryInfo */
    uint32_t ecc_errors;    /* see nvmlDeviceGetTotalEccErrors */
    uint32_t energy;        /* mJ; see nvmlDeviceGetPowerUsage */
    uint32_t temperature;   /* C, maximum across devices;
                               see nvmlDeviceGetTemperature */
    uint32_t fan_speed;     /* %, maximum across devices;
                               see nvmlDeviceGetFanSpeed */
} SFLHost_gpu_nvml;

/*
 * Broadcom switch ASIC table utilizations.
 * counter_data record: enterprise = 4413 (Broadcom), format = 3.
 * Members are declared as value / `_max` pairs wherever a `_max` member
 * exists; the neighbor and route counts have no `_max` partner.
 */
typedef struct {
    uint32_t bcm_host_entries,          bcm_host_entries_max;
    uint32_t bcm_ipv4_entries,          bcm_ipv4_entries_max;
    uint32_t bcm_ipv6_entries,          bcm_ipv6_entries_max;
    uint32_t bcm_ipv4_ipv6_entries,     bcm_ipv4_ipv6_entries_max;
    uint32_t bcm_long_ipv6_entries,     bcm_long_ipv6_entries_max;
    uint32_t bcm_total_routes,          bcm_total_routes_max;
    uint32_t bcm_ecmp_nexthops,         bcm_ecmp_nexthops_max;
    uint32_t bcm_mac_entries,           bcm_mac_entries_max;
    uint32_t bcm_ipv4_neighbors;
    uint32_t bcm_ipv6_neighbors;
    uint32_t bcm_ipv4_routes;
    uint32_t bcm_ipv6_routes;
    uint32_t bcm_acl_ingress_entries,   bcm_acl_ingress_entries_max;
    uint32_t bcm_acl_ingress_counters,  bcm_acl_ingress_counters_max;
    uint32_t bcm_acl_ingress_meters,    bcm_acl_ingress_meters_max;
    uint32_t bcm_acl_ingress_slices,    bcm_acl_ingress_slices_max;
    uint32_t bcm_acl_egress_entries,    bcm_acl_egress_entries_max;
    uint32_t bcm_acl_egress_counters,   bcm_acl_egress_counters_max;
    uint32_t bcm_acl_egress_meters,     bcm_acl_egress_meters_max;
    uint32_t bcm_acl_egress_slices,     bcm_acl_egress_slices_max;
} SFLBCM_tables;

/* ---------------- TCP/UDP/ICMP from MIB-II ---------------- */

/*
 * IP group, see MIB-II.
 * counter_data record: enterprise = 0, format = 2007.
 */
typedef struct _SFLHost_IP_counters {
    uint32_t ipForwarding;
    uint32_t ipDefaultTTL;
    uint32_t ipInReceives;
    uint32_t ipInHdrErrors;
    uint32_t ipInAddrErrors;
    uint32_t ipForwDatagrams;
    uint32_t ipInUnknownProtos;
    uint32_t ipInDiscards;
    uint32_t ipInDelivers;
    uint32_t ipOutRequests;
    uint32_t ipOutDiscards;
    uint32_t ipOutNoRoutes;
    uint32_t ipReasmTimeout;
    uint32_t ipReasmReqds;
    uint32_t ipReasmOKs;
    uint32_t ipReasmFails;
    uint32_t ipFragOKs;
    uint32_t ipFragFails;
    uint32_t ipFragCreates;
} SFLHost_IP_counters;

/*
 * ICMP group, see MIB-II.
 * counter_data record: enterprise = 0, format = 2008.
 * The inbound half has twelve members and the outbound half thirteen:
 * there is an icmpOutTimestampReps but no inbound counterpart here.
 */
typedef struct _SFLHost_ICMP_counters {
    /* inbound */
    uint32_t icmpInMsgs;
    uint32_t icmpInErrors;
    uint32_t icmpInDestUnreachs;
    uint32_t icmpInTimeExcds;
    uint32_t icmpInParamProbs;
    uint32_t icmpInSrcQuenchs;
    uint32_t icmpInRedirects;
    uint32_t icmpInEchos;
    uint32_t icmpInEchoReps;
    uint32_t icmpInTimestamps;
    uint32_t icmpInAddrMasks;
    uint32_t icmpInAddrMaskReps;
    /* outbound */
    uint32_t icmpOutMsgs;
    uint32_t icmpOutErrors;
    uint32_t icmpOutDestUnreachs;
    uint32_t icmpOutTimeExcds;
    uint32_t icmpOutParamProbs;
    uint32_t icmpOutSrcQuenchs;
    uint32_t icmpOutRedirects;
    uint32_t icmpOutEchos;
    uint32_t icmpOutEchoReps;
    uint32_t icmpOutTimestamps;
    uint32_t icmpOutTimestampReps;
    uint32_t icmpOutAddrMasks;
    uint32_t icmpOutAddrMaskReps;
} SFLHost_ICMP_counters;

/*
 * TCP group, see MIB-II.
 * counter_data record: enterprise = 0, format = 2009.
 */
typedef struct _SFLHost_TCP_counters {
    uint32_t tcpRtoAlgorithm;
    uint32_t tcpRtoMin;
    uint32_t tcpRtoMax;
    uint32_t tcpMaxConn;
    uint32_t tcpActiveOpens;
    uint32_t tcpPassiveOpens;
    uint32_t tcpAttemptFails;
    uint32_t tcpEstabResets;
    uint32_t tcpCurrEstab;
    uint32_t tcpInSegs;
    uint32_t tcpOutSegs;
    uint32_t tcpRetransSegs;
    uint32_t tcpInErrs;
    uint32_t tcpOutRsts;
    uint32_t tcpInCsumErrors;
} SFLHost_TCP_counters;

/*
 * UDP group, see MIB-II.
 * counter_data record: enterprise = 0, format = 2010.
 */
typedef struct _SFLHost_UDP_counters {
    uint32_t udpInDatagrams;
    uint32_t udpNoPorts;
    uint32_t udpInErrors;
    uint32_t udpOutDatagrams;
    uint32_t udpRcvbufErrors;
    uint32_t udpSndbufErrors;
    uint32_t udpInCsumErrors;
} SFLHost_UDP_counters;

/*
 * memcache counters.
 * counter_data record: enterprise = 0, format = 2204.
 * The per-member notes mark which members are absent from format 2204
 * and which were added or widened for it.
 */
typedef struct _SFLMemcache_counters {
    uint32_t uptime;                /* not in 2204 */
    uint32_t rusage_user;           /* not in 2204 */
    uint32_t rusage_system;         /* not in 2204 */
    uint32_t cmd_get;               /* not in 2204 */
    uint32_t accepting_conns;       /* not in 2204 */
    uint32_t cmd_set;
    uint32_t cmd_touch;             /* added for 2204 */
    uint32_t cmd_flush;
    uint32_t get_hits;
    uint32_t get_misses;
    uint32_t delete_hits;
    uint32_t delete_misses;
    uint32_t incr_hits;
    uint32_t incr_misses;
    uint32_t decr_hits;
    uint32_t decr_misses;
    uint32_t cas_hits;
    uint32_t cas_misses;
    uint32_t cas_badval;
    uint32_t auth_cmds;
    uint32_t auth_errors;
    uint32_t threads;
    uint32_t conn_yields;
    uint32_t listen_disabled_num;
    uint32_t curr_connections;
    uint32_t rejected_connections;  /* added for 2204 */
    uint32_t total_connections;
    uint32_t connection_structures;
    uint32_t evictions;
    uint32_t reclaimed;             /* added for 2204 */
    uint32_t curr_items;
    uint32_t total_items;
    uint64_t bytes_read;
    uint64_t bytes_written;
    uint64_t bytes;
    uint64_t limit_maxbytes;        /* widened to 64 bits for structure 2204 */
} SFLMemcache_counters;

/*
 * http counters.
 * counter_data record: enterprise = 0, format = 2201.
 */
typedef struct _SFLHTTP_counters {
    /* requests by method */
    uint32_t method_option_count;
    uint32_t method_get_count;
    uint32_t method_head_count;
    uint32_t method_post_count;
    uint32_t method_put_count;
    uint32_t method_delete_count;
    uint32_t method_trace_count;
    uint32_t methd_connect_count;   /* member name is spelled this way in the API */
    uint32_t method_other_count;
    /* responses by status class */
    uint32_t status_1XX_count;
    uint32_t status_2XX_count;
    uint32_t status_3XX_count;
    uint32_t status_4XX_count;
    uint32_t status_5XX_count;
    uint32_t status_other_count;
} SFLHTTP_counters;


/*
 * Enterprise (application) counters.
 * counter_data record: enterprise = 0, format = 2202.
 * NOTE(review): `application` is an SFLString (declared elsewhere in this
 * header); when it is filled from a received record its length is
 * sender-supplied and should be bounded by the decoder - confirm there.
 */
typedef struct _SFLAPP_counters {
    SFLString application;
    uint32_t status_OK;
    uint32_t errors_OTHER;
    uint32_t errors_TIMEOUT;
    uint32_t errors_INTERNAL_ERROR;
    uint32_t errors_BAD_REQUEST;
    uint32_t errors_FORBIDDEN;
    uint32_t errors_TOO_LARGE;
    uint32_t errors_NOT_IMPLEMENTED;
    uint32_t errors_NOT_FOUND;
    uint32_t errors_UNAVAILABLE;
    uint32_t errors_UNAUTHORIZED;
} SFLAPP_counters;

/*
 * Enterprise resource counters.
 * counter_data record: enterprise = 0, format = 2203.
 */
typedef struct {
    uint32_t user_time;     /* milliseconds */
    uint32_t system_time;   /* milliseconds */
    uint64_t mem_used;
    uint64_t mem_max;
    uint32_t fd_open;
    uint32_t fd_max;
    uint32_t conn_open;
    uint32_t conn_max;
} SFLAPP_resources;

/*
 * Enterprise application workers.
 * counter_data record: enterprise = 0, format = 2206.
 */
typedef struct {
    uint32_t workers_active;
    uint32_t workers_idle;
    uint32_t workers_max;
    uint32_t req_delayed;
    uint32_t req_dropped;
} SFLAPP_workers;

/* Identity strings of a Java VM: name, vendor and version. */
typedef struct _SFLJVM_ID {
    SFLString vm_name;
    SFLString vm_vendor;
    SFLString vm_version;
} SFLJVM_ID;

/*
 * NOTE(review): presumably the length limits for the three SFLJVM_ID
 * strings; where they are enforced is not visible in this part of the
 * file - confirm that the decoder rejects or truncates longer strings.
 */
#define SFLJVM_MAX_VMNAME_LEN 64
#define SFLJVM_MAX_VENDOR_LEN 32
#define SFLJVM_MAX_VERSION_LEN 32

/* Java JMX statistics: eight 64-bit memory figures, then eleven 32-bit counters. */
typedef struct _SFLJMX_counters {
    uint64_t hmem_initial;
    uint64_t hmem_used;
    uint64_t hmem_committed;
    uint64_t hmem_max;
    uint64_t nhmem_initial;
    uint64_t nhmem_used;
    uint64_t nhmem_committed;
    uint64_t nhmem_max;
    uint32_t gc_count;
    uint32_t gc_ms;
    uint32_t cls_loaded;
    uint32_t cls_total;
    uint32_t cls_unloaded;
    uint32_t comp_ms;
    uint32_t thread_live;
    uint32_t thread_daemon;
    uint32_t thread_started;
    uint32_t fds_open;
    uint32_t fds_max;
} SFLJMX_counters;

/*
 * 8 x 8 + 11 x 4 = 108: the summed member widths of SFLJMX_counters.
 * NOTE(review): sizeof(SFLJMX_counters) may be larger because of alignment
 * padding, so a received record length should be compared with this
 * constant rather than with sizeof.
 */
#define XDRSIZ_JMX_COUNTERS 108

/* VDI session statistics. */
typedef struct _SFLVdi_counters {
    uint32_t sessions_current;  /* sessions currently open */
    uint32_t sessions_total;    /* sessions started in total */
    uint32_t sessions_duration; /* cumulative session time in seconds over
                                   all sessions, so that the average
                                   session duration is
                                   sessions_duration / sessions_total */
    uint32_t rx_bytes;          /* total bytes received */
    uint32_t tx_bytes;          /* total bytes sent */
    uint32_t rx_packets;        /* total packets received */
    uint32_t tx_packets;        /* total packets sent */
    uint32_t rx_packets_lost;   /* total received packets lost */
    uint32_t tx_packets_lost;   /* total sent packets lost */
    uint32_t rtt_min_ms;        /* minimum round trip latency with client
                                   across all current sessions,
                                   in milliseconds */
    uint32_t rtt_max_ms;        /* maximum round trip latency with client
                                   across all current sessions,
                                   in milliseconds */
    uint32_t rtt_avg_ms;        /* average round trip latency with client
                                   across all current sessions,
                                   in milliseconds */
    uint32_t audio_rx_bytes;    /* total bytes of audio data received */
    uint32_t audio_tx_bytes;    /* total bytes of audio data sent */
    uint32_t audio_tx_limit;    /* administrative limit on audio
                                   transmission bandwidth, bits per second */
    uint32_t img_rx_bytes;      /* total bytes of imaging data received */
    uint32_t img_tx_bytes;      /* total bytes of imaging data sent */
    uint32_t img_frames;        /* total image frames encoded */
    uint32_t img_qual_min;      /* minimum image encoding quality across
                                   current sessions, scale 0 to 100 */
    uint32_t img_qual_max;      /* best image encoding quality across
                                   current sessions, scale 0 to 100 */
    uint32_t img_qual_avg;      /* average image encoding quality across
                                   current sessions, scale 0 to 100 */
    uint32_t usb_rx_bytes;      /* total bytes of usb data received */
    uint32_t usb_tx_bytes;      /* total bytes of usb data sent */
} SFLVdi_counters;

/*
 * LAG port statistics, see IEEE8023-LAG-MIB.
 * counter_data record: enterprise = 0, format = 7.
 *
 * The port state is readable as one 32-bit word (`all`) or as four
 * separate octets (`v`).
 * NOTE(review): which octet of `all` each `v` member overlays depends on
 * host byte order - confirm how the decoder fills this union before
 * comparing `all` values across platforms.
 */
typedef union _SFLLACP_portState {
    uint32_t all;
    struct {
        uint8_t actorAdmin;
        uint8_t actorOper;
        uint8_t partnerAdmin;
        uint8_t partnerOper;
    } v;
} SFLLACP_portState;

typedef struct _SFLLACP_counters {
    uint8_t actorSystemID[8];   /* 6 bytes of ID followed by 2 pad bytes */
    uint8_t partnerSystemID[8]; /* 6 bytes of ID followed by 2 pad bytes */
    uint32_t attachedAggID;
    SFLLACP_portState portState;
    uint32_t LACPDUsRx;
    uint32_t markerPDUsRx;
    uint32_t markerResponsePDUsRx;
    uint32_t unknownRx;
    uint32_t illegalRx;
    uint32_t LACPDUsTx;
    uint32_t markerPDUsTx;
    uint32_t markerResponsePDUsTx;
} SFLLACP_counters;
/*
 * 8 + 8 + 4 + 4 + 8 x 4 = 56: the summed member widths of SFLLACP_counters.
 */
#define XDRSIZ_LACP_COUNTERS 56

/*
 * OpenFlow port.
 * counter_data record: enterprise = 0, format = 1004.
 */
typedef struct {
    uint64_t datapath_id;
    uint32_t port_no;
} SFLOFPort;

/*
 * 8 + 4 = 12, the summed member widths of SFLOFPort.
 * NOTE(review): sizeof(SFLOFPort) is typically 16 once the 64-bit member
 * is aligned, so length checks on a received record should use this
 * constant, not sizeof.
 */
#define XDRSIZ_OFPORT 12

/*
 * Port name.
 * counter_data record: enterprise = 0, format = 1005.
 */
typedef struct {
    SFLString portName;
} SFLPortName;

/*
 * NOTE(review): presumably the longest port name accepted; the check
 * itself is not in this part of the file - confirm in the decoder.
 */
#define SFL_MAX_PORTNAME_LEN 255

/* OVS datapath stats: six 32-bit counters. */
typedef struct _SFLOVSDP_counters {
    uint32_t n_hit;
    uint32_t n_missed;
    uint32_t n_lost;
    uint32_t n_mask_hit;
    uint32_t n_flows;
    uint32_t n_masks;
} SFLOVSDP_counters;

/* 6 x 4 = 24, the summed member widths of SFLOVSDP_counters. */
#define XDRSIZE_OVSDP 24

/*
 * Optical SFP/QSFP metrics.
 * counter_data record: enterprise = 0, format = 10.
 */

/* One optical lane of a module. */
typedef struct {
    uint32_t lane_index;        /* lane number within the module, from 1 */
    uint32_t tx_bias_current;   /* microamps */
    uint32_t tx_power;          /* microwatts */
    uint32_t tx_power_min;      /* microwatts */
    uint32_t tx_power_max;      /* microwatts */
    uint32_t tx_wavelength;     /* nanometers */
    uint32_t rx_power;          /* microwatts */
    uint32_t rx_power_min;      /* microwatts */
    uint32_t rx_power_max;      /* microwatts */
    uint32_t rx_wavelength;     /* nanometers */
} SFLLane;

/* 10 x 4 = 40, the summed member widths of SFLLane. */
#define XDRSIZ_LANE_COUNTERS 40

/*
 * Module-level figures plus a pointer to `num_lanes` lane structures.
 * NOTE(review): when this is filled from a received record, num_lanes is a
 * sender-supplied count. Before allocating or walking `lanes`, the decoder
 * should check num_lanes * XDRSIZ_LANE_COUNTERS against the bytes left in
 * the record - confirm that check exists where this struct is populated.
 */
typedef struct {
    uint32_t module_id;
    uint32_t module_total_lanes;    /* lanes the module has in total */
    uint32_t module_supply_voltage; /* millivolts */
    int32_t module_temperature;     /* signed, in degrees C / 1000 */
    uint32_t num_lanes;             /* active lane structs that follow */
    SFLLane *lanes;
} SFLSFP_counters;

/* Counters data */

/*
 * Tags identifying the counter block carried by a sample element.
 * For enterprise 0 the tag equals the format number. The two vendor
 * entries at the end are written as (enterprise << 12) + format.
 */
enum SFLCounters_type_tag {
    /* enterprise = 0, format = ... */
    SFLCOUNTERS_GENERIC       = 1,
    SFLCOUNTERS_ETHERNET      = 2,
    SFLCOUNTERS_TOKENRING     = 3,
    SFLCOUNTERS_VG            = 4,
    SFLCOUNTERS_VLAN          = 5,
    SFLCOUNTERS_80211         = 6,
    SFLCOUNTERS_LACP          = 7,
    SFLCOUNTERS_SFP           = 10,
    SFLCOUNTERS_PROCESSOR     = 1001,
    SFLCOUNTERS_RADIO         = 1002,
    SFLCOUNTERS_OFPORT        = 1004,
    SFLCOUNTERS_PORTNAME      = 1005,
    SFLCOUNTERS_HOST_HID      = 2000,   /* host id */
    SFLCOUNTERS_ADAPTORS      = 2001,   /* host adaptors */
    SFLCOUNTERS_HOST_PAR      = 2002,   /* host parent */
    SFLCOUNTERS_HOST_CPU      = 2003,   /* host cpu */
    SFLCOUNTERS_HOST_MEM      = 2004,   /* host memory */
    SFLCOUNTERS_HOST_DSK      = 2005,   /* host storage I/O */
    SFLCOUNTERS_HOST_NIO      = 2006,   /* host network I/O */
    SFLCOUNTERS_HOST_IP       = 2007,
    SFLCOUNTERS_HOST_ICMP     = 2008,
    SFLCOUNTERS_HOST_TCP      = 2009,
    SFLCOUNTERS_HOST_UDP      = 2010,
    SFLCOUNTERS_HOST_VRT_NODE = 2100,   /* host virt node */
    SFLCOUNTERS_HOST_VRT_CPU  = 2101,   /* host virt cpu */
    SFLCOUNTERS_HOST_VRT_MEM  = 2102,   /* host virt mem */
    SFLCOUNTERS_HOST_VRT_DSK  = 2103,   /* host virt storage */
    SFLCOUNTERS_HOST_VRT_NIO  = 2104,   /* host virt network I/O */
    SFLCOUNTERS_JVM           = 2105,   /* java runtime */
    SFLCOUNTERS_JMX           = 2106,   /* java JMX stats */
    SFLCOUNTERS_MEMCACHE      = 2200,   /* memcached (deprecated) */
    SFLCOUNTERS_HTTP          = 2201,   /* http */
    SFLCOUNTERS_APP           = 2202,
    SFLCOUNTERS_APP_RESOURCE  = 2203,
    SFLCOUNTERS_MEMCACHE2     = 2204,   /* memcached */
    SFLCOUNTERS_VDI           = 2205,
    SFLCOUNTERS_APP_WORKERS   = 2206,
    SFLCOUNTERS_OVSDP         = 2207,
    SFLCOUNTERS_HOST_GPU_NVML = (5703 << 12) + 1,   /* = 23359489 */
    SFLCOUNTERS_BCM_TABLES    = (4413 << 12) + 3,   /* = 18075651 */
};

/*
 * Storage for any one counter block.
 * NOTE(review): the union itself records nothing about which member is
 * live; the `tag` of the enclosing SFLCounters_sample_element is the only
 * discriminator. `adaptors` and `sfp.lanes` are pointers, so reading a
 * member that does not match the tag can hand back a bogus pointer -
 * consumers should always dispatch on the tag first.
 */
typedef union _SFLCounters_type {
    SFLIf_counters generic;
    SFLEthernet_counters ethernet;
    SFLTokenring_counters tokenring;
    SFLVg_counters vg;
    SFLVlan_counters vlan;
    SFLWifi_counters wifi;
    SFLProcessor_counters processor;
    SFLRadio_counters radio;
    SFLHostId hostId;
    SFLAdaptorList *adaptors;
    SFLHost_parent host_par;
    SFLHost_cpu_counters host_cpu;
    SFLHost_mem_counters host_mem;
    SFLHost_dsk_counters host_dsk;
    SFLHost_nio_counters host_nio;
    SFLHost_IP_counters host_ip;
    SFLHost_ICMP_counters host_icmp;
    SFLHost_TCP_counters host_tcp;
    SFLHost_UDP_counters host_udp;
    SFLHost_vrt_node_counters host_vrt_node;
    SFLHost_vrt_cpu_counters host_vrt_cpu;
    SFLHost_vrt_mem_counters host_vrt_mem;
    SFLHost_vrt_dsk_counters host_vrt_dsk;
    SFLHost_vrt_nio_counters host_vrt_nio;
    SFLHost_gpu_nvml host_gpu_nvml;
    SFLBCM_tables bcm_tables;
    SFLMemcache_counters memcache;
    SFLHTTP_counters http;
    SFLJVM_ID jvm;
    SFLJMX_counters jmx;
    SFLAPP_counters app;
    SFLAPP_resources appResources;
    SFLAPP_workers appWorkers;
    SFLVdi_counters vdi;
    SFLLACP_counters lacp;
    SFLPortName portName;
    SFLSFP_counters sfp;
    SFLOVSDP_counters ovsdp;
} SFLCounters_type;

/*
 * One counter block inside a counters sample; elements are chained
 * through `nxt`.
 * NOTE(review): when parsed from a datagram, `length` is sender-supplied;
 * confirm the decoder checks it against the bytes remaining before the
 * block is read.
 */
typedef struct _SFLCounters_sample_element {
    struct _SFLCounters_sample_element *nxt;    /* linked list */
    uint32_t tag;                               /* SFLCounters_type_tag */
    uint32_t length;
    SFLCounters_type counterBlock;
} SFLCounters_sample_element;

/*
 * Counters sample, compact form. The leading tag and length words are
 * shown only as comments; they are not members of this struct.
 */
typedef struct _SFLCounters_sample {
    /* uint32_t tag;    -- SFL_sample_tag, enterprise = 0 : format = 2 */
    /* uint32_t length; */
    uint32_t sequence_number;   /* incremented with each counters sample
                                   generated by this source_id */
    uint32_t source_id;         /* fsSourceId */
    uint32_t num_elements;
    SFLCounters_sample_element *elements;
} SFLCounters_sample;

/* same thing, but the expanded version, so ds_index can be a full 32 bits */
/*
 * Counters sample, expanded form: the data source is split into separate
 * 32-bit class and index words. The leading tag and length words are shown
 * only as comments; they are not members of this struct.
 * NOTE(review): the tag comment below repeats "format = 2" from the compact
 * form; the sFlow v5 expanded counters sample is usually listed as
 * format 4 - confirm.
 */
typedef struct _SFLCounters_sample_expanded {
    /* uint32_t tag;    -- SFL_sample_tag, enterprise = 0 : format = 2 */
    /* uint32_t length; */
    uint32_t sequence_number;   /* incremented with each counters sample
                                   generated by this source_id */
    uint32_t ds_class;          /* EXPANDED */
    uint32_t ds_index;          /* EXPANDED */
    uint32_t num_elements;
    SFLCounters_sample_element *elements;
} SFLCounters_sample_expanded;

/*
 * Drop reasons are generated from sflow_drop.h: while SFL_DROP is defined
 * as below, every SFL_DROP(name, code) line in that header expands to the
 * enumerator `SFLDrop_<name>=<code>,`. The macro is removed again right
 * after the enum so that it does not leak into the rest of the file.
 */
#define SFL_DROP(name, code) SFLDrop_ ## name=code,
typedef enum {
#include "sflow_drop.h"
} EnumSFLDropReason;
#undef SFL_DROP

/*
 * Discarded-packet event.
 * NOTE(review): if `reason` is assigned straight from a received value it
 * may hold a code that has no enumerator in sflow_drop.h; code that
 * switches on it or indexes a table with it should handle unknown values.
 */
typedef struct _SFLEvent_discarded_packet {
    uint32_t sequence_number;
    uint32_t ds_class;          /* EXPANDED */
    uint32_t ds_index;          /* EXPANDED */
    uint32_t drops;
    uint32_t input;             /* ifIndex */
    uint32_t output;            /* ifIndex */
    EnumSFLDropReason reason;
    uint32_t num_elements;
    SFLFlow_sample_element *elements;
} SFLEvent_discarded_packet;

/*
 * Push element _el onto the front of the `elements` list of sample _sm.
 * Both arguments are evaluated twice, so pass expressions without side
 * effects. The macro does not modify num_elements.
 */
#define SFLADD_ELEMENT(_sm, _el) \
    do { \
        (_el)->nxt = (_sm)->elements; \
        (_sm)->elements = (_el); \
    } while(0)

/* Format of a sample datagram */

enum SFLDatagram_version {
    SFLDATAGRAM_VERSION2 = 2,
    SFLDATAGRAM_VERSION4 = 4,
    SFLDATAGRAM_VERSION5 = 5
};

/*
 * Header that opens every sample datagram.
 * NOTE(review): every field here, including agent_address and num_records,
 * is whatever the sender wrote into the datagram. A receiver should treat
 * num_records as an upper bound to be checked against the bytes actually
 * received, and should not take agent_address as proof of origin.
 */
typedef struct _SFLSample_datagram_hdr {
    uint32_t datagram_version;  /* one of enum SFLDatagram_version;
                                   VERSION5 = 5 */
    SFLAddress agent_address;   /* IP address of the sampling agent */
    uint32_t sub_agent_id;      /* distinguishes datagram streams coming
                                   from separate agent sub-entities
                                   within a device */
    uint32_t sequence_number;   /* incremented with each sample datagram
                                   generated */
    uint32_t uptime;            /* current time, in milliseconds since the
                                   device last booted; should be set as
                                   close to datagram transmission time as
                                   possible */
    uint32_t num_records;       /* number of tag-len-val flow/counter
                                   records that follow */
} SFLSample_datagram_hdr;

/* Datagram size limits (NOTE(review): presumably in bytes - confirm). */
#define SFL_MAX_DATAGRAM_SIZE 1500
#define SFL_MIN_DATAGRAM_SIZE 200
#define SFL_DEFAULT_DATAGRAM_SIZE 1400

#define SFL_DATA_PAD 400

#if defined(__cplusplus)
}  /* extern "C" */
#endif

#endif /* SFLOW_H */

--------------------------------------------------------------------------------