4 *****************************************************************************
5 ** (c) 2002 bill fumerola <fumerola@yahoo-inc.com>
6 ** All rights reserved.
8 ** This program is free software; you can redistribute it and/or
9 ** modify it under the terms of the GNU General Public License
10 ** as published by the Free Software Foundation; either version 2
11 ** of the License, or (at your option) any later version.
13 ** This program is distributed in the hope that it will be useful,
14 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
15 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ** GNU General Public License for more details.
18 ** You should have received a copy of the GNU General Public License
19 ** along with this program; if not, write to the Free Software
20 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
21 *****************************************************************************
23 ** Previous NetFlow dissector written by Matthew Smart <smart@monkey.org>
24 ** NetFlow v9 support added by same.
28 ** http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/tflow_wp.htm
30 ** for NetFlow v9 information.
32 *****************************************************************************
34 ** this code was written from the following documentation:
36 ** http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_6/iug/format.pdf
37 ** http://www.caida.org/tools/measurement/cflowd/configuration/configuration-9.html
39 ** some documentation is more accurate then others. in some cases, live data and
40 ** information contained in responses from vendors were also used. some fields
41 ** are dissected as vendor specific fields.
45 ** http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm
47 ** $Yahoo: //depot/fumerola/packet-netflow/packet-netflow.c#14 $
48 ** $Id: packet-netflow.c,v 1.10 2003/03/07 00:43:30 guy Exp $
56 #include <epan/packet.h>
61 #define UDP_PORT_NETFLOW 2055
63 static guint global_netflow_udp_port = UDP_PORT_NETFLOW;
64 static guint netflow_udp_port = 0;
67 * pdu identifiers & sizes
70 #define V1PDU_SIZE (4 * 12)
71 #define V5PDU_SIZE (4 * 12)
72 #define V7PDU_SIZE (4 * 13)
73 #define V8PDU_AS_SIZE (4 * 7)
74 #define V8PDU_PROTO_SIZE (4 * 7)
75 #define V8PDU_SPREFIX_SIZE (4 * 8)
76 #define V8PDU_DPREFIX_SIZE (4 * 8)
77 #define V8PDU_MATRIX_SIZE (4 * 10)
78 #define V8PDU_DESTONLY_SIZE (4 * 8)
79 #define V8PDU_SRCDEST_SIZE (4 * 10)
80 #define V8PDU_FULL_SIZE (4 * 11)
81 #define V8PDU_TOSAS_SIZE (V8PDU_AS_SIZE + 4)
82 #define V8PDU_TOSPROTOPORT_SIZE (V8PDU_PROTO_SIZE + 4)
83 #define V8PDU_TOSSRCPREFIX_SIZE V8PDU_SPREFIX_SIZE
84 #define V8PDU_TOSDSTPREFIX_SIZE V8PDU_DPREFIX_SIZE
85 #define V8PDU_TOSMATRIX_SIZE V8PDU_MATRIX_SIZE
86 #define V8PDU_PREPORTPROTOCOL_SIZE (4 * 10)
95 V8PDU_DESTONLY_METHOD,
99 V8PDU_TOSPROTOPORT_METHOD,
100 V8PDU_TOSSRCPREFIX_METHOD,
101 V8PDU_TOSDSTPREFIX_METHOD,
102 V8PDU_TOSMATRIX_METHOD,
103 V8PDU_PREPORTPROTOCOL_METHOD
106 static const value_string v8_agg[] = {
107 {V8PDU_AS_METHOD, "V8 AS aggregation"},
108 {V8PDU_PROTO_METHOD, "V8 Proto/Port aggregation"},
109 {V8PDU_SPREFIX_METHOD, "V8 Source Prefix aggregation"},
110 {V8PDU_DPREFIX_METHOD, "V8 Destination Prefix aggregation"},
111 {V8PDU_MATRIX_METHOD, "V8 Network Matrix aggregation"},
112 {V8PDU_DESTONLY_METHOD, "V8 Destination aggregation (Cisco Catalyst)"},
113 {V8PDU_SRCDEST_METHOD, "V8 Src/Dest aggregation (Cisco Catalyst)"},
114 {V8PDU_FULL_METHOD, "V8 Full aggregation (Cisco Catalyst)"},
115 {V8PDU_TOSAS_METHOD, "V8 TOS+AS aggregation aggregation"},
116 {V8PDU_TOSPROTOPORT_METHOD, "V8 TOS+Protocol aggregation"},
117 {V8PDU_TOSSRCPREFIX_METHOD, "V8 TOS+Source Prefix aggregation"},
118 {V8PDU_TOSDSTPREFIX_METHOD, "V8 TOS+Destination Prefix aggregation"},
119 {V8PDU_TOSMATRIX_METHOD, "V8 TOS+Prefix Matrix aggregation"},
120 {V8PDU_PREPORTPROTOCOL_METHOD, "V8 Port+Protocol aggregation"},
124 /* Version 9 template cache structures */
125 #define V9TEMPLATE_MAX_ENTRIES 64
126 #define V9TEMPLATE_CACHE_MAX_ENTRIES 100
128 struct v9_template_entry {
139 struct v9_template_entry entries[V9TEMPLATE_MAX_ENTRIES];
142 static struct v9_template v9_template_cache[V9TEMPLATE_CACHE_MAX_ENTRIES];
145 * ethereal tree identifiers
148 static int proto_netflow = -1;
149 static int ett_netflow = -1;
150 static int ett_unixtime = -1;
151 static int ett_flow = -1;
152 static int ett_template = -1;
153 static int ett_dataflowset = -1;
159 static int hf_cflow_version = -1;
160 static int hf_cflow_count = -1;
161 static int hf_cflow_sysuptime = -1;
162 static int hf_cflow_unix_secs = -1;
163 static int hf_cflow_unix_nsecs = -1;
164 static int hf_cflow_timestamp = -1;
165 static int hf_cflow_samplerate = -1;
168 * cflow version specific info
170 static int hf_cflow_sequence = -1;
171 static int hf_cflow_engine_type = -1;
172 static int hf_cflow_engine_id = -1;
173 static int hf_cflow_source_id = -1;
175 static int hf_cflow_aggmethod = -1;
176 static int hf_cflow_aggversion = -1;
180 static int hf_cflow_template_flowset_id = -1;
181 static int hf_cflow_data_flowset_id = -1;
182 static int hf_cflow_options_flowset_id = -1;
183 static int hf_cflow_flowset_id = -1;
184 static int hf_cflow_flowset_length = -1;
185 static int hf_cflow_template_id = -1;
186 static int hf_cflow_template_field_count = -1;
187 static int hf_cflow_template_field_type = -1;
188 static int hf_cflow_template_field_length = -1;
193 static int hf_cflow_srcaddr = -1;
194 static int hf_cflow_srcaddr_v6 = -1;
195 static int hf_cflow_srcnet = -1;
196 static int hf_cflow_dstaddr = -1;
197 static int hf_cflow_dstaddr_v6 = -1;
198 static int hf_cflow_dstnet = -1;
199 static int hf_cflow_nexthop = -1;
200 static int hf_cflow_nexthop_v6 = -1;
201 static int hf_cflow_bgpnexthop = -1;
202 static int hf_cflow_bgpnexthop_v6 = -1;
203 static int hf_cflow_inputint = -1;
204 static int hf_cflow_outputint = -1;
205 static int hf_cflow_flows = -1;
206 static int hf_cflow_packets = -1;
207 static int hf_cflow_packets64 = -1;
208 static int hf_cflow_packetsout = -1;
209 static int hf_cflow_octets = -1;
210 static int hf_cflow_octets64 = -1;
211 static int hf_cflow_timestart = -1;
212 static int hf_cflow_timeend = -1;
213 static int hf_cflow_srcport = -1;
214 static int hf_cflow_dstport = -1;
215 static int hf_cflow_prot = -1;
216 static int hf_cflow_tos = -1;
217 static int hf_cflow_flags = -1;
218 static int hf_cflow_tcpflags = -1;
219 static int hf_cflow_dstas = -1;
220 static int hf_cflow_srcas = -1;
221 static int hf_cflow_dstmask = -1;
222 static int hf_cflow_srcmask = -1;
223 static int hf_cflow_routersc = -1;
224 static int hf_cflow_mulpackets = -1;
225 static int hf_cflow_muloctets = -1;
226 static int hf_cflow_octets_exp = -1;
227 static int hf_cflow_packets_exp = -1;
228 static int hf_cflow_flows_exp = -1;
230 void proto_reg_handoff_netflow(void);
232 typedef int dissect_pdu_t(proto_tree * pdutree, tvbuff_t * tvb, int offset,
234 static int dissect_pdu(proto_tree * tree, tvbuff_t * tvb, int offset,
236 static int dissect_v8_aggpdu(proto_tree * pdutree, tvbuff_t * tvb,
237 int offset, int verspec);
238 static int dissect_v8_flowpdu(proto_tree * pdutree, tvbuff_t * tvb,
239 int offset, int verspec);
240 static int dissect_v9_flowset(proto_tree * pdutree, tvbuff_t * tvb,
241 int offset, int verspec);
242 static int dissect_v9_data(proto_tree * pdutree, tvbuff_t * tvb,
243 int offset, guint16 id, guint length);
244 static void dissect_v9_pdu(proto_tree * pdutree, tvbuff_t * tvb,
245 int offset, struct v9_template * template);
247 static int dissect_v9_options(proto_tree * pdutree, tvbuff_t * tvb,
250 static int dissect_v9_template(proto_tree * pdutree, tvbuff_t * tvb,
252 static void v9_template_add(struct v9_template * template);
253 static struct v9_template *v9_template_get(guint16 id, guint32 src_addr,
256 static gchar *getprefix(const guint32 * address, int prefix);
257 static void dissect_netflow(tvbuff_t * tvb, packet_info * pinfo,
260 static int flow_process_ints(proto_tree * pdutree, tvbuff_t * tvb,
262 static int flow_process_ports(proto_tree * pdutree, tvbuff_t * tvb,
264 static int flow_process_timeperiod(proto_tree * pdutree, tvbuff_t * tvb,
266 static int flow_process_aspair(proto_tree * pdutree, tvbuff_t * tvb,
268 static int flow_process_sizecount(proto_tree * pdutree, tvbuff_t * tvb,
270 static int flow_process_textfield(proto_tree * pdutree, tvbuff_t * tvb,
271 int offset, int bytes,
276 dissect_netflow(tvbuff_t * tvb, packet_info * pinfo, proto_tree * tree)
278 proto_tree *netflow_tree = NULL;
280 proto_item *timeitem, *pduitem;
281 proto_tree *timetree, *pdutree;
282 unsigned int pduret, ver = 0, pdus = 0, x = 1, vspec;
283 size_t available, pdusize, offset = 0;
285 dissect_pdu_t *pduptr;
287 if (check_col(pinfo->cinfo, COL_PROTOCOL))
288 col_set_str(pinfo->cinfo, COL_PROTOCOL, "CFLOW");
289 if (check_col(pinfo->cinfo, COL_INFO))
290 col_clear(pinfo->cinfo, COL_INFO);
293 ti = proto_tree_add_item(tree, proto_netflow, tvb,
295 netflow_tree = proto_item_add_subtree(ti, ett_netflow);
298 ver = tvb_get_ntohs(tvb, offset);
302 pdusize = V1PDU_SIZE;
303 pduptr = &dissect_pdu;
306 pdusize = V5PDU_SIZE;
307 pduptr = &dissect_pdu;
310 pdusize = V7PDU_SIZE;
311 pduptr = &dissect_pdu;
314 pdusize = -1; /* deferred */
315 pduptr = &dissect_v8_aggpdu;
318 pdusize = -1; /* deferred */
319 pduptr = &dissect_v9_flowset;
326 proto_tree_add_uint(netflow_tree, hf_cflow_version, tvb,
330 pdus = tvb_get_ntohs(tvb, offset);
334 proto_tree_add_uint(netflow_tree, hf_cflow_count, tvb,
339 * set something interesting in the display now that we have info
341 if (check_col(pinfo->cinfo, COL_INFO)) {
343 col_add_fstr(pinfo->cinfo, COL_INFO,
344 "total: %u (v%u) FlowSets", pdus, ver);
346 col_add_fstr(pinfo->cinfo, COL_INFO,
347 "total: %u (v%u) flows", pdus, ver);
352 * the rest is only interesting if we're displaying/searching the
358 proto_tree_add_item(netflow_tree, hf_cflow_sysuptime, tvb,
362 ts.secs = tvb_get_ntohl(tvb, offset);
363 ts.nsecs = tvb_get_ntohl(tvb, offset + 4);
364 timeitem = proto_tree_add_time(netflow_tree,
365 hf_cflow_timestamp, tvb, offset,
367 timetree = proto_item_add_subtree(timeitem, ett_unixtime);
369 proto_tree_add_item(timetree, hf_cflow_unix_secs, tvb,
374 proto_tree_add_item(timetree, hf_cflow_unix_nsecs, tvb,
380 * version specific header
382 if (ver == 5 || ver == 7 || ver == 8 || ver == 9) {
383 proto_tree_add_item(netflow_tree, hf_cflow_sequence,
384 tvb, offset, 4, FALSE);
387 if (ver == 5 || ver == 8) {
388 proto_tree_add_item(netflow_tree, hf_cflow_engine_type,
389 tvb, offset++, 1, FALSE);
390 proto_tree_add_item(netflow_tree, hf_cflow_engine_id,
391 tvb, offset++, 1, FALSE);
392 } else if (ver == 9) {
393 proto_tree_add_item(netflow_tree, hf_cflow_source_id,
394 tvb, offset, 4, FALSE);
398 vspec = tvb_get_guint8(tvb, offset);
400 case V8PDU_AS_METHOD:
401 pdusize = V8PDU_AS_SIZE;
403 case V8PDU_PROTO_METHOD:
404 pdusize = V8PDU_PROTO_SIZE;
406 case V8PDU_SPREFIX_METHOD:
407 pdusize = V8PDU_SPREFIX_SIZE;
409 case V8PDU_DPREFIX_METHOD:
410 pdusize = V8PDU_DPREFIX_SIZE;
412 case V8PDU_MATRIX_METHOD:
413 pdusize = V8PDU_MATRIX_SIZE;
415 case V8PDU_DESTONLY_METHOD:
416 pdusize = V8PDU_DESTONLY_SIZE;
417 pduptr = &dissect_v8_flowpdu;
419 case V8PDU_SRCDEST_METHOD:
420 pdusize = V8PDU_SRCDEST_SIZE;
421 pduptr = &dissect_v8_flowpdu;
423 case V8PDU_FULL_METHOD:
424 pdusize = V8PDU_FULL_SIZE;
425 pduptr = &dissect_v8_flowpdu;
427 case V8PDU_TOSAS_METHOD:
428 pdusize = V8PDU_TOSAS_SIZE;
430 case V8PDU_TOSPROTOPORT_METHOD:
431 pdusize = V8PDU_TOSPROTOPORT_SIZE;
433 case V8PDU_TOSSRCPREFIX_METHOD:
434 pdusize = V8PDU_TOSSRCPREFIX_SIZE;
436 case V8PDU_TOSDSTPREFIX_METHOD:
437 pdusize = V8PDU_TOSDSTPREFIX_SIZE;
439 case V8PDU_TOSMATRIX_METHOD:
440 pdusize = V8PDU_TOSMATRIX_SIZE;
442 case V8PDU_PREPORTPROTOCOL_METHOD:
443 pdusize = V8PDU_PREPORTPROTOCOL_SIZE;
450 proto_tree_add_uint(netflow_tree, hf_cflow_aggmethod,
451 tvb, offset++, 1, vspec);
452 proto_tree_add_item(netflow_tree, hf_cflow_aggversion,
453 tvb, offset++, 1, FALSE);
455 if (ver == 7 || ver == 8)
456 offset = flow_process_textfield(netflow_tree, tvb, offset, 4,
459 proto_tree_add_item(netflow_tree, hf_cflow_samplerate,
460 tvb, offset, 2, FALSE);
465 * everything below here should be payload
467 for (x = 1; x < pdus + 1; x++) {
469 * make sure we have a pdu's worth of data
471 available = tvb_length_remaining(tvb, offset);
472 if (ver == 9 && available >= 4) {
473 /* pdusize can be different for each v9 flowset */
474 pdusize = tvb_get_ntohs(tvb, offset + 2);
477 if (available < pdusize)
481 pduitem = proto_tree_add_text(netflow_tree, tvb,
482 offset, pdusize, "FlowSet %u/%u", x, pdus);
484 pduitem = proto_tree_add_text(netflow_tree, tvb,
485 offset, pdusize, "pdu %u/%u", x, pdus);
487 pdutree = proto_item_add_subtree(pduitem, ett_flow);
489 pduret = pduptr(pdutree, tvb, offset, vspec);
492 * if we came up short, stop processing
494 if (pduret == pdusize)
502 * flow_process_* == common groups of fields, probably could be inline
506 flow_process_ints(proto_tree * pdutree, tvbuff_t * tvb, int offset)
508 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2, FALSE);
511 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
519 flow_process_ports(proto_tree * pdutree, tvbuff_t * tvb, int offset)
521 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2, FALSE);
524 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2, FALSE);
531 flow_process_timeperiod(proto_tree * pdutree, tvbuff_t * tvb, int offset)
535 ts.secs = tvb_get_ntohl(tvb, offset) / 1000;
536 ts.nsecs = ((tvb_get_ntohl(tvb, offset) % 1000) * 1000000);
537 proto_tree_add_time(pdutree, hf_cflow_timestart, tvb, offset, 4, &ts);
540 ts.secs = tvb_get_ntohl(tvb, offset) / 1000;
541 ts.nsecs = ((tvb_get_ntohl(tvb, offset) % 1000) * 1000000);
542 proto_tree_add_time(pdutree, hf_cflow_timeend, tvb, offset, 4, &ts);
550 flow_process_aspair(proto_tree * pdutree, tvbuff_t * tvb, int offset)
552 proto_tree_add_item(pdutree, hf_cflow_srcas, tvb, offset, 2, FALSE);
555 proto_tree_add_item(pdutree, hf_cflow_dstas, tvb, offset, 2, FALSE);
562 flow_process_sizecount(proto_tree * pdutree, tvbuff_t * tvb, int offset)
564 proto_tree_add_item(pdutree, hf_cflow_packets, tvb, offset, 4, FALSE);
567 proto_tree_add_item(pdutree, hf_cflow_octets, tvb, offset, 4, FALSE);
574 flow_process_textfield(proto_tree * pdutree, tvbuff_t * tvb, int offset,
575 int bytes, const char *text)
577 proto_tree_add_text(pdutree, tvb, offset, bytes, text);
584 dissect_v8_flowpdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
587 int startoffset = offset;
589 proto_tree_add_item(pdutree, hf_cflow_dstaddr, tvb, offset, 4, FALSE);
592 if (verspec != V8PDU_DESTONLY_METHOD) {
593 proto_tree_add_item(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
597 if (verspec == V8PDU_FULL_METHOD) {
598 proto_tree_add_item(pdutree, hf_cflow_dstport, tvb, offset, 2,
601 proto_tree_add_item(pdutree, hf_cflow_srcport, tvb, offset, 2,
606 offset = flow_process_sizecount(pdutree, tvb, offset);
607 offset = flow_process_timeperiod(pdutree, tvb, offset);
609 proto_tree_add_item(pdutree, hf_cflow_outputint, tvb, offset, 2,
613 if (verspec != V8PDU_DESTONLY_METHOD) {
614 proto_tree_add_item(pdutree, hf_cflow_inputint, tvb, offset, 2,
619 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1, FALSE);
620 if (verspec == V8PDU_FULL_METHOD)
621 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
623 offset = flow_process_textfield(pdutree, tvb, offset, 1, "marked tos");
625 if (verspec == V8PDU_SRCDEST_METHOD)
627 flow_process_textfield(pdutree, tvb, offset, 2,
629 else if (verspec == V8PDU_FULL_METHOD)
631 flow_process_textfield(pdutree, tvb, offset, 1, "padding");
634 flow_process_textfield(pdutree, tvb, offset, 4, "extra packets");
636 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb, offset, 4, FALSE);
639 return (offset - startoffset);
643 * dissect a version 8 pdu, returning the length of the pdu processed
647 dissect_v8_aggpdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
650 int startoffset = offset;
652 proto_tree_add_item(pdutree, hf_cflow_flows, tvb, offset, 4, FALSE);
655 offset = flow_process_sizecount(pdutree, tvb, offset);
656 offset = flow_process_timeperiod(pdutree, tvb, offset);
659 case V8PDU_AS_METHOD:
660 case V8PDU_TOSAS_METHOD:
661 offset = flow_process_aspair(pdutree, tvb, offset);
663 if (verspec == V8PDU_TOSAS_METHOD) {
664 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
667 flow_process_textfield(pdutree, tvb, offset, 1,
670 flow_process_textfield(pdutree, tvb, offset, 2,
674 case V8PDU_PROTO_METHOD:
675 case V8PDU_TOSPROTOPORT_METHOD:
676 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
679 if (verspec == V8PDU_PROTO_METHOD)
681 flow_process_textfield(pdutree, tvb, offset, 1,
683 else if (verspec == V8PDU_TOSPROTOPORT_METHOD)
684 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
688 flow_process_textfield(pdutree, tvb, offset, 2,
690 offset = flow_process_ports(pdutree, tvb, offset);
692 if (verspec == V8PDU_TOSPROTOPORT_METHOD)
693 offset = flow_process_ints(pdutree, tvb, offset);
695 case V8PDU_SPREFIX_METHOD:
696 case V8PDU_DPREFIX_METHOD:
697 case V8PDU_TOSSRCPREFIX_METHOD:
698 case V8PDU_TOSDSTPREFIX_METHOD:
699 proto_tree_add_item(pdutree,
701 V8PDU_SPREFIX_METHOD ?
702 hf_cflow_srcnet : hf_cflow_dstnet, tvb,
706 proto_tree_add_item(pdutree,
708 V8PDU_SPREFIX_METHOD ?
709 hf_cflow_srcmask : hf_cflow_dstmask, tvb,
712 if (verspec == V8PDU_SPREFIX_METHOD
713 || verspec == V8PDU_DPREFIX_METHOD)
715 flow_process_textfield(pdutree, tvb, offset, 1,
717 else if (verspec == V8PDU_TOSSRCPREFIX_METHOD
718 || verspec == V8PDU_TOSDSTPREFIX_METHOD)
719 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
722 proto_tree_add_item(pdutree,
724 V8PDU_SPREFIX_METHOD ? hf_cflow_srcas
725 : hf_cflow_dstas, tvb, offset, 2, FALSE);
728 proto_tree_add_item(pdutree,
730 V8PDU_SPREFIX_METHOD ?
731 hf_cflow_inputint : hf_cflow_outputint,
732 tvb, offset, 2, FALSE);
736 flow_process_textfield(pdutree, tvb, offset, 2,
739 case V8PDU_MATRIX_METHOD:
740 case V8PDU_TOSMATRIX_METHOD:
741 case V8PDU_PREPORTPROTOCOL_METHOD:
742 proto_tree_add_item(pdutree, hf_cflow_srcnet, tvb, offset, 4,
746 proto_tree_add_item(pdutree, hf_cflow_dstnet, tvb, offset, 4,
750 proto_tree_add_item(pdutree, hf_cflow_srcmask, tvb, offset++,
753 proto_tree_add_item(pdutree, hf_cflow_dstmask, tvb, offset++,
756 if (verspec == V8PDU_TOSMATRIX_METHOD ||
757 verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
758 proto_tree_add_item(pdutree, hf_cflow_tos, tvb,
760 if (verspec == V8PDU_TOSMATRIX_METHOD) {
762 flow_process_textfield(pdutree, tvb,
765 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
766 proto_tree_add_item(pdutree, hf_cflow_prot,
767 tvb, offset++, 1, FALSE);
771 flow_process_textfield(pdutree, tvb, offset, 2,
775 if (verspec == V8PDU_MATRIX_METHOD
776 || verspec == V8PDU_TOSMATRIX_METHOD) {
777 offset = flow_process_aspair(pdutree, tvb, offset);
778 } else if (verspec == V8PDU_PREPORTPROTOCOL_METHOD) {
779 offset = flow_process_ports(pdutree, tvb, offset);
782 offset = flow_process_ints(pdutree, tvb, offset);
787 return (offset - startoffset);
790 /* Dissect a version 9 FlowSet and return the length we processed. */
793 dissect_v9_flowset(proto_tree * pdutree, tvbuff_t * tvb, int offset, int ver)
801 flowset_id = tvb_get_ntohs(tvb, offset);
802 if (flowset_id == 0) {
804 proto_tree_add_item(pdutree, hf_cflow_template_flowset_id, tvb,
808 length = tvb_get_ntohs(tvb, offset);
809 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
813 dissect_v9_template(pdutree, tvb, offset);
814 } else if (flowset_id == 1) {
816 proto_tree_add_item(pdutree, hf_cflow_options_flowset_id, tvb,
820 length = tvb_get_ntohs(tvb, offset);
821 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
825 /* dissect_v9_options(pdutree, tvb, offset); */
826 } else if (flowset_id >= 2 && flowset_id <= 255) {
828 proto_tree_add_item(pdutree, hf_cflow_flowset_id, tvb,
832 length = tvb_get_ntohs(tvb, offset);
833 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
838 proto_tree_add_item(pdutree, hf_cflow_data_flowset_id, tvb,
842 length = tvb_get_ntohs(tvb, offset);
843 proto_tree_add_item(pdutree, hf_cflow_flowset_length, tvb,
848 * The length includes the length of the FlowSet ID and
849 * the length field itself.
853 dissect_v9_data(pdutree, tvb, offset, flowset_id,
862 dissect_v9_data(proto_tree * pdutree, tvbuff_t * tvb, int offset,
863 guint16 id, guint length)
865 struct v9_template *template;
866 proto_tree *data_tree;
867 proto_item *data_item;
869 template = v9_template_get(id, 0, 0);
870 if (template != NULL && template->length != 0) {
874 while (length >= template->length) {
875 data_item = proto_tree_add_text(pdutree, tvb,
876 offset, template->length, "pdu %d", count++);
877 data_tree = proto_item_add_subtree(data_item,
880 dissect_v9_pdu(data_tree, tvb, offset, template);
882 offset += template->length;
883 length -= template->length;
886 proto_tree_add_text(pdutree, tvb, offset, length,
887 "Padding (%u byte%s)",
888 length, plurality(length, "", "s"));
891 proto_tree_add_text(pdutree, tvb, offset, length,
892 "Data (%u byte%s), no template found",
893 length, plurality(length, "", "s"));
900 dissect_v9_pdu(proto_tree * pdutree, tvbuff_t * tvb, int offset,
901 struct v9_template * template)
905 for (i = 0; i < template->count; i++) {
908 guint16 type, length;
911 type = template->entries[i].type;
912 length = template->entries[i].length;
917 proto_tree_add_item(pdutree, hf_cflow_octets,
918 tvb, offset, length, FALSE);
919 } else if (length == 8) {
920 proto_tree_add_item(pdutree, hf_cflow_octets64,
921 tvb, offset, length, FALSE);
923 proto_tree_add_text(pdutree,
925 "Octets: length %u", length);
929 case 2: /* packets */
931 proto_tree_add_item(pdutree, hf_cflow_packets,
932 tvb, offset, length, FALSE);
933 } else if (length == 8) {
934 proto_tree_add_item(pdutree, hf_cflow_packets64,
935 tvb, offset, length, FALSE);
937 proto_tree_add_text(pdutree,
939 "Packets: length %u", length);
945 proto_tree_add_item(pdutree, hf_cflow_flows,
946 tvb, offset, length, FALSE);
948 proto_tree_add_text(pdutree,
950 "Flows: length %u", length);
955 proto_tree_add_item(pdutree, hf_cflow_prot,
956 tvb, offset, length, FALSE);
960 proto_tree_add_item(pdutree, hf_cflow_tos,
961 tvb, offset, length, FALSE);
964 case 6: /* TCP flags */
965 proto_tree_add_item(pdutree, hf_cflow_tcpflags,
966 tvb, offset, length, FALSE);
969 case 7: /* source port */
970 proto_tree_add_item(pdutree, hf_cflow_srcport,
971 tvb, offset, length, FALSE);
974 case 8: /* source IP */
976 tvb_memcpy(tvb, (guint8 *)&ipv4addr, offset,
978 proto_tree_add_ipv4(pdutree, hf_cflow_srcaddr,
979 tvb, offset, length, ipv4addr);
980 } else if (length == 16) {
981 tvb_memcpy(tvb, ipv6addr, offset,
983 proto_tree_add_ipv6(pdutree, hf_cflow_srcaddr_v6,
984 tvb, offset, length, ipv6addr);
986 proto_tree_add_text(pdutree,
988 "SrcAddr: length %u", length);
992 case 9: /* source mask */
993 proto_tree_add_item(pdutree, hf_cflow_srcmask,
994 tvb, offset, length, FALSE);
997 case 10: /* input SNMP */
998 proto_tree_add_item(pdutree, hf_cflow_inputint,
999 tvb, offset, length, FALSE);
1002 case 11: /* dest port */
1003 proto_tree_add_item(pdutree, hf_cflow_dstport,
1004 tvb, offset, length, FALSE);
1007 case 12: /* dest IP */
1009 tvb_memcpy(tvb, (guint8 *)&ipv4addr, offset,
1011 proto_tree_add_ipv4(pdutree, hf_cflow_dstaddr,
1012 tvb, offset, length, ipv4addr);
1013 } else if (length == 16) {
1014 tvb_memcpy(tvb, ipv6addr, offset,
1016 proto_tree_add_ipv6(pdutree, hf_cflow_dstaddr_v6,
1017 tvb, offset, length, ipv6addr);
1019 proto_tree_add_text(pdutree,
1020 tvb, offset, length,
1021 "DstAddr: length %u", length);
1025 case 13: /* dest mask */
1026 proto_tree_add_item(pdutree, hf_cflow_dstmask,
1027 tvb, offset, length, FALSE);
1030 case 14: /* output SNMP */
1031 proto_tree_add_item(pdutree, hf_cflow_outputint,
1032 tvb, offset, length, FALSE);
1035 case 15: /* nexthop IP */
1037 tvb_memcpy(tvb, (guint8 *)&ipv4addr, offset,
1039 proto_tree_add_ipv4(pdutree, hf_cflow_nexthop,
1040 tvb, offset, length, ipv4addr);
1041 } else if (length == 16) {
1042 tvb_memcpy(tvb, ipv6addr, offset,
1044 proto_tree_add_ipv6(pdutree, hf_cflow_nexthop_v6,
1045 tvb, offset, length, ipv6addr);
1047 proto_tree_add_text(pdutree,
1048 tvb, offset, length,
1049 "NextHop: length %u", length);
1053 case 16: /* source AS */
1054 proto_tree_add_item(pdutree, hf_cflow_srcas,
1055 tvb, offset, length, FALSE);
1058 case 17: /* dest AS */
1059 proto_tree_add_item(pdutree, hf_cflow_dstas,
1060 tvb, offset, length, FALSE);
1063 case 18: /* BGP nexthop IP */
1065 tvb_memcpy(tvb, (guint8 *)&ipv4addr, offset,
1067 proto_tree_add_ipv4(pdutree, hf_cflow_bgpnexthop,
1068 tvb, offset, length, ipv4addr);
1069 } else if (length == 16) {
1070 tvb_memcpy(tvb, ipv6addr, offset,
1072 proto_tree_add_ipv6(pdutree, hf_cflow_bgpnexthop_v6,
1073 tvb, offset, length, ipv6addr);
1075 proto_tree_add_text(pdutree,
1076 tvb, offset, length,
1077 "BGPNextHop: length %u", length);
1081 case 19: /* multicast packets */
1082 proto_tree_add_item(pdutree, hf_cflow_mulpackets,
1083 tvb, offset, length, FALSE);
1086 case 20: /* multicast octets */
1087 proto_tree_add_item(pdutree, hf_cflow_muloctets,
1088 tvb, offset, length, FALSE);
1091 case 21: /* last switched */
1092 ts.secs = tvb_get_ntohl(tvb, offset) / 1000;
1094 proto_tree_add_time(pdutree, hf_cflow_timeend,
1095 tvb, offset, length, &ts);
1098 case 22: /* first switched */
1099 ts.secs = tvb_get_ntohl(tvb, offset) / 1000;
1101 proto_tree_add_time(pdutree, hf_cflow_timestart,
1102 tvb, offset, length, &ts);
1105 case 40: /* bytes exported */
1106 proto_tree_add_item(pdutree, hf_cflow_octets_exp,
1107 tvb, offset, length, FALSE);
1110 case 41: /* packets exported */
1111 proto_tree_add_item(pdutree, hf_cflow_packets_exp,
1112 tvb, offset, length, FALSE);
1115 case 42: /* flows exported */
1116 proto_tree_add_item(pdutree, hf_cflow_flows_exp,
1117 tvb, offset, length, FALSE);
1121 proto_tree_add_text(pdutree, tvb, offset, length,
1132 dissect_v9_options(proto_tree * pdutree, tvbuff_t * tvb, int offset)
1139 dissect_v9_template(proto_tree * pdutree, tvbuff_t * tvb, int offset)
1141 struct v9_template template;
1142 proto_tree *template_tree;
1143 proto_item *template_item;
1147 id = tvb_get_ntohs(tvb, offset);
1148 proto_tree_add_item(pdutree, hf_cflow_template_id, tvb,
1152 count = tvb_get_ntohs(tvb, offset);
1153 proto_tree_add_item(pdutree, hf_cflow_template_field_count, tvb,
1157 /* Cache template */
1158 memset(&template, 0, sizeof(template));
1160 template.count = count;
1161 template.source_addr = 0; /* XXX */
1162 template.source_id = 0; /* XXX */
1163 tvb_memcpy(tvb, (guint8 *)template.entries, offset,
1164 count * sizeof(struct v9_template_entry));
1165 v9_template_add(&template);
1167 for (i = 1; i <= count; i++) {
1168 guint16 type, length;
1170 type = tvb_get_ntohs(tvb, offset);
1171 length = tvb_get_ntohs(tvb, offset + 2);
1173 template_item = proto_tree_add_text(pdutree, tvb,
1174 offset, 4, "Field (%u/%u)", i, count);
1175 template_tree = proto_item_add_subtree(template_item, ett_template);
1177 proto_tree_add_item(template_tree,
1178 hf_cflow_template_field_type, tvb, offset, 2, FALSE);
1181 proto_tree_add_item(template_tree,
1182 hf_cflow_template_field_length, tvb, offset, 2, FALSE);
1189 static value_string v9_template_types[] = {
1196 { 7, "L4_SRC_PORT" },
1197 { 8, "IP_SRC_ADDR" },
1199 { 10, "INPUT_SNMP" },
1200 { 11, "L4_DST_PORT" },
1201 { 12, "IP_DST_ADDR" },
1203 { 14, "OUTPUT_SNMP" },
1204 { 15, "IP_NEXT_HOP" },
1207 { 18, "BGP_NEXT_HOP" },
1208 { 19, "MUL_DPKTS" },
1209 { 20, "MUL_DOCTETS" },
1210 { 21, "LAST_SWITCHED" },
1211 { 22, "FIRST_SWITCHED" },
1213 { 40, "TOTAL_BYTES_EXP" },
1214 { 41, "TOTAL_PKTS_EXP" },
1215 { 42, "TOTAL_FLOWS_EXP" },
1220 v9_template_add(struct v9_template *template)
1224 /* Add up the actual length of the data and store in proper byte order */
1225 template->length = 0;
1226 for (i = 0; i < template->count; i++) {
1227 template->entries[i].type = g_ntohs(template->entries[i].type);
1228 template->entries[i].length = g_ntohs(template->entries[i].length);
1229 template->length += template->entries[i].length;
1232 memmove(&v9_template_cache[template->id % V9TEMPLATE_CACHE_MAX_ENTRIES],
1233 template, sizeof(*template));
1236 static struct v9_template *
1237 v9_template_get(guint16 id, guint32 src_addr, guint32 src_id)
1239 struct v9_template *template;
1242 template = &v9_template_cache[id % V9TEMPLATE_CACHE_MAX_ENTRIES];
1244 if (template->id != id ||
1245 template->source_addr != src_addr ||
1246 template->source_id != src_id) {
1254 * dissect a version 1, 5, or 7 pdu and return the length of the pdu we
1259 dissect_pdu(proto_tree * pdutree, tvbuff_t * tvb, int offset, int ver)
1261 int startoffset = offset;
1262 guint32 srcaddr, dstaddr;
1266 memset(&ts, '\0', sizeof(ts));
1269 * memcpy so we can use the values later to calculate a prefix
1271 tvb_memcpy(tvb, (guint8 *) & srcaddr, offset, 4);
1272 proto_tree_add_ipv4(pdutree, hf_cflow_srcaddr, tvb, offset, 4,
1276 tvb_memcpy(tvb, (guint8 *) & dstaddr, offset, 4);
1277 proto_tree_add_ipv4(pdutree, hf_cflow_dstaddr, tvb, offset, 4,
1281 proto_tree_add_item(pdutree, hf_cflow_nexthop, tvb, offset, 4, FALSE);
1284 offset = flow_process_ints(pdutree, tvb, offset);
1285 offset = flow_process_sizecount(pdutree, tvb, offset);
1286 offset = flow_process_timeperiod(pdutree, tvb, offset);
1287 offset = flow_process_ports(pdutree, tvb, offset);
1290 * and the similarities end here
1294 flow_process_textfield(pdutree, tvb, offset, 2, "padding");
1296 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
1299 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
1302 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
1306 flow_process_textfield(pdutree, tvb, offset, 3, "padding");
1309 flow_process_textfield(pdutree, tvb, offset, 4,
1314 flow_process_textfield(pdutree, tvb, offset, 1,
1317 proto_tree_add_item(pdutree, hf_cflow_flags, tvb,
1318 offset++, 1, FALSE);
1321 proto_tree_add_item(pdutree, hf_cflow_tcpflags, tvb, offset++,
1324 proto_tree_add_item(pdutree, hf_cflow_prot, tvb, offset++, 1,
1327 proto_tree_add_item(pdutree, hf_cflow_tos, tvb, offset++, 1,
1330 offset = flow_process_aspair(pdutree, tvb, offset);
1332 mask = tvb_get_guint8(tvb, offset);
1333 proto_tree_add_text(pdutree, tvb, offset, 1,
1334 "SrcMask: %u (prefix: %s/%u)",
1335 mask, getprefix(&srcaddr, mask),
1336 mask != 0 ? mask : 32);
1337 proto_tree_add_uint_hidden(pdutree, hf_cflow_srcmask, tvb,
1340 mask = tvb_get_guint8(tvb, offset);
1341 proto_tree_add_text(pdutree, tvb, offset, 1,
1342 "DstMask: %u (prefix: %s/%u)",
1343 mask, getprefix(&dstaddr, mask),
1344 mask != 0 ? mask : 32);
1345 proto_tree_add_uint_hidden(pdutree, hf_cflow_dstmask, tvb,
1349 flow_process_textfield(pdutree, tvb, offset, 2, "padding");
1352 proto_tree_add_item(pdutree, hf_cflow_routersc, tvb,
1358 return (offset - startoffset);
1362 getprefix(const guint32 * address, int prefix)
1366 gprefix = *address & g_htonl((0xffffffff << (32 - prefix)));
1368 return (ip_to_str((const guint8 *)&gprefix));
1372 proto_register_netflow(void)
1374 static hf_register_info hf[] = {
1379 {"Version", "cflow.version",
1380 FT_UINT16, BASE_DEC, NULL, 0x0,
1381 "NetFlow Version", HFILL}
1384 {"Count", "cflow.count",
1385 FT_UINT16, BASE_DEC, NULL, 0x0,
1386 "Count of PDUs", HFILL}
1388 {&hf_cflow_sysuptime,
1389 {"SysUptime", "cflow.sysuptime",
1390 FT_UINT32, BASE_DEC, NULL, 0x0,
1391 "Time since router booted (in milliseconds)", HFILL}
1394 {&hf_cflow_timestamp,
1395 {"Timestamp", "cflow.timestamp",
1396 FT_ABSOLUTE_TIME, BASE_NONE, NULL, 0x0,
1397 "Current seconds since epoch", HFILL}
1399 {&hf_cflow_unix_secs,
1400 {"CurrentSecs", "cflow.unix_secs",
1401 FT_UINT32, BASE_DEC, NULL, 0x0,
1402 "Current seconds since epoch", HFILL}
1404 {&hf_cflow_unix_nsecs,
1405 {"CurrentNSecs", "cflow.unix_nsecs",
1406 FT_UINT32, BASE_DEC, NULL, 0x0,
1407 "Residual nanoseconds since epoch", HFILL}
1409 {&hf_cflow_samplerate,
1410 {"SampleRate", "cflow.samplerate",
1411 FT_UINT16, BASE_DEC, NULL, 0x0,
1412 "Sample Frequency of exporter", HFILL}
1416 * end version-agnostic header
1417 * version-specific flow header
1419 {&hf_cflow_sequence,
1420 {"FlowSequence", "cflow.sequence",
1421 FT_UINT32, BASE_DEC, NULL, 0x0,
1422 "Sequence number of flows seen", HFILL}
1424 {&hf_cflow_engine_type,
1425 {"EngineType", "cflow.engine_type",
1426 FT_UINT8, BASE_DEC, NULL, 0x0,
1427 "Flow switching engine type", HFILL}
1429 {&hf_cflow_engine_id,
1430 {"EngineId", "cflow.engine_id",
1431 FT_UINT8, BASE_DEC, NULL, 0x0,
1432 "Slot number of switching engine", HFILL}
1434 {&hf_cflow_source_id,
1435 {"SourceId", "cflow.source_id",
1436 FT_UINT32, BASE_DEC, NULL, 0x0,
1437 "Identifier for export device", HFILL}
1439 {&hf_cflow_aggmethod,
1440 {"AggMethod", "cflow.aggmethod",
1441 FT_UINT8, BASE_DEC, VALS(v8_agg), 0x0,
1442 "CFlow V8 Aggregation Method", HFILL}
1444 {&hf_cflow_aggversion,
1445 {"AggVersion", "cflow.aggversion",
1446 FT_UINT8, BASE_DEC, NULL, 0x0,
1447 "CFlow V8 Aggregation Version", HFILL}
1450 * end version specific header storage
1455 {&hf_cflow_flowset_id,
1456 {"FlowSet Id", "cflow.flowset_id",
1457 FT_UINT16, BASE_DEC, NULL, 0x0,
1458 "FlowSet Id", HFILL}
1460 {&hf_cflow_data_flowset_id,
1461 {"Data FlowSet (Template Id)", "cflow.data_flowset_id",
1462 FT_UINT16, BASE_DEC, NULL, 0x0,
1463 "Data FlowSet with corresponding to a template Id", HFILL}
1465 {&hf_cflow_options_flowset_id,
1466 {"Options FlowSet", "cflow.options_flowset_id",
1467 FT_UINT16, BASE_DEC, NULL, 0x0,
1468 "Options FlowSet", HFILL}
1470 {&hf_cflow_template_flowset_id,
1471 {"Template FlowSet", "cflow.template_flowset_id",
1472 FT_UINT16, BASE_DEC, NULL, 0x0,
1473 "Template FlowSet", HFILL}
1475 {&hf_cflow_flowset_length,
1476 {"FlowSet Length", "cflow.flowset_length",
1477 FT_UINT16, BASE_DEC, NULL, 0x0,
1478 "FlowSet length", HFILL}
1480 {&hf_cflow_template_id,
1481 {"Template Id", "cflow.template_id",
1482 FT_UINT16, BASE_DEC, NULL, 0x0,
1483 "Template Id", HFILL}
1485 {&hf_cflow_template_field_count,
1486 {"Field Count", "cflow.template_field_count",
1487 FT_UINT16, BASE_DEC, NULL, 0x0,
1488 "Template field count", HFILL}
1490 {&hf_cflow_template_field_type,
1491 {"Type", "cflow.template_field_type",
1492 FT_UINT16, BASE_DEC, VALS(v9_template_types), 0x0,
1493 "Template field type", HFILL}
1495 {&hf_cflow_template_field_length,
1496 {"Length", "cflow.template_field_length",
1497 FT_UINT16, BASE_DEC, NULL, 0x0,
1498 "Template field length", HFILL}
1501 * begin pdu content storage
1504 {"SrcAddr", "cflow.srcaddr",
1505 FT_IPv4, BASE_NONE, NULL, 0x0,
1506 "Flow Source Address", HFILL}
1508 {&hf_cflow_srcaddr_v6,
1509 {"SrcAddr", "cflow.srcaddrv6",
1510 FT_IPv6, BASE_NONE, NULL, 0x0,
1511 "Flow Source Address", HFILL}
1514 {"SrcNet", "cflow.srcnet",
1515 FT_IPv4, BASE_NONE, NULL, 0x0,
1516 "Flow Source Network", HFILL}
1519 {"DstAddr", "cflow.dstaddr",
1520 FT_IPv4, BASE_NONE, NULL, 0x0,
1521 "Flow Destination Address", HFILL}
1523 {&hf_cflow_dstaddr_v6,
1524 {"DstAddr", "cflow.dstaddrv6",
1525 FT_IPv6, BASE_NONE, NULL, 0x0,
1526 "Flow Destination Address", HFILL}
1529 {"DstNet", "cflow.dstaddr",
1530 FT_IPv4, BASE_NONE, NULL, 0x0,
1531 "Flow Destination Network", HFILL}
1534 {"NextHop", "cflow.nexthop",
1535 FT_IPv4, BASE_NONE, NULL, 0x0,
1536 "Router nexthop", HFILL}
1538 {&hf_cflow_nexthop_v6,
1539 {"NextHop", "cflow.nexthopv6",
1540 FT_IPv6, BASE_NONE, NULL, 0x0,
1541 "Router nexthop", HFILL}
1543 {&hf_cflow_bgpnexthop,
1544 {"BGPNextHop", "cflow.bgpnexthop",
1545 FT_IPv4, BASE_NONE, NULL, 0x0,
1546 "BGP Router Nexthop", HFILL}
1548 {&hf_cflow_bgpnexthop_v6,
1549 {"BGPNextHop", "cflow.bgpnexthopv6",
1550 FT_IPv6, BASE_NONE, NULL, 0x0,
1551 "BGP Router Nexthop", HFILL}
1553 {&hf_cflow_inputint,
1554 {"InputInt", "cflow.inputint",
1555 FT_UINT16, BASE_DEC, NULL, 0x0,
1556 "Flow Input Interface", HFILL}
1558 {&hf_cflow_outputint,
1559 {"OutputInt", "cflow.outputint",
1560 FT_UINT16, BASE_DEC, NULL, 0x0,
1561 "Flow Output Interface", HFILL}
1564 {"Flows", "cflow.flows",
1565 FT_UINT32, BASE_DEC, NULL, 0x0,
1566 "Flows Aggregated in PDU", HFILL}
1569 {"Packets", "cflow.packets",
1570 FT_UINT32, BASE_DEC, NULL, 0x0,
1571 "Count of packets", HFILL}
1573 {&hf_cflow_packets64,
1574 {"Packets", "cflow.packets64",
1575 FT_UINT64, BASE_DEC, NULL, 0x0,
1576 "Count of packets", HFILL}
1578 {&hf_cflow_packetsout,
1579 {"PacketsOut", "cflow.packetsout",
1580 FT_UINT64, BASE_DEC, NULL, 0x0,
1581 "Count of packets going out", HFILL}
1584 {"Octets", "cflow.octets",
1585 FT_UINT32, BASE_DEC, NULL, 0x0,
1586 "Count of bytes", HFILL}
1588 {&hf_cflow_octets64,
1589 {"Octets", "cflow.octets64",
1590 FT_UINT64, BASE_DEC, NULL, 0x0,
1591 "Count of bytes", HFILL}
1593 {&hf_cflow_timestart,
1594 {"StartTime", "cflow.timestart",
1595 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
1596 "Uptime at start of flow", HFILL}
1599 {"EndTime", "cflow.timeend",
1600 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0,
1601 "Uptime at end of flow", HFILL}
1604 {"SrcPort", "cflow.srcport",
1605 FT_UINT16, BASE_DEC, NULL, 0x0,
1606 "Flow Source Port", HFILL}
1609 {"DstPort", "cflow.dstport",
1610 FT_UINT16, BASE_DEC, NULL, 0x0,
1611 "Flow Destination Port", HFILL}
1614 {"Protocol", "cflow.protocol",
1615 FT_UINT8, BASE_DEC, NULL, 0x0,
1616 "IP Protocol", HFILL}
1619 {"IP ToS", "cflow.tos",
1620 FT_UINT8, BASE_HEX, NULL, 0x0,
1621 "IP Type of Service", HFILL}
1624 {"Export Flags", "cflow.flags",
1625 FT_UINT8, BASE_HEX, NULL, 0x0,
1626 "CFlow Flags", HFILL}
1628 {&hf_cflow_tcpflags,
1629 {"TCP Flags", "cflow.tcpflags",
1630 FT_UINT8, BASE_HEX, NULL, 0x0,
1634 {"SrcAS", "cflow.srcas",
1635 FT_UINT16, BASE_DEC, NULL, 0x0,
1639 {"DstAS", "cflow.dstas",
1640 FT_UINT16, BASE_DEC, NULL, 0x0,
1641 "Destination AS", HFILL}
1644 {"SrcMask", "cflow.srcmask",
1645 FT_UINT8, BASE_DEC, NULL, 0x0,
1646 "Source Prefix Mask", HFILL}
1649 {"DstMask", "cflow.dstmask",
1650 FT_UINT8, BASE_DEC, NULL, 0x0,
1651 "Destination Prefix Mask", HFILL}
1653 {&hf_cflow_routersc,
1654 {"Router Shortcut", "cflow.routersc",
1655 FT_IPv4, BASE_NONE, NULL, 0x0,
1656 "Router shortcut by switch", HFILL}
1658 {&hf_cflow_mulpackets,
1659 {"MulticastPackets", "cflow.mulpackets",
1660 FT_UINT32, BASE_DEC, NULL, 0x0,
1661 "Count of multicast packets", HFILL}
1663 {&hf_cflow_muloctets,
1664 {"MulticastOctets", "cflow.muloctets",
1665 FT_UINT32, BASE_DEC, NULL, 0x0,
1666 "Count of multicast octets", HFILL}
1668 {&hf_cflow_octets_exp,
1669 {"OctetsExp", "cflow.octetsexp",
1670 FT_UINT32, BASE_DEC, NULL, 0x0,
1671 "Octets exported", HFILL}
1673 {&hf_cflow_packets_exp,
1674 {"PacketsExp", "cflow.packetsexp",
1675 FT_UINT32, BASE_DEC, NULL, 0x0,
1676 "Packets exported", HFILL}
1678 {&hf_cflow_flows_exp,
1679 {"FlowsExp", "cflow.flowsexp",
1680 FT_UINT32, BASE_DEC, NULL, 0x0,
1681 "Flows exported", HFILL}
1684 * end pdu content storage
1688 static gint *ett[] = {
1696 module_t *netflow_module;
1698 proto_netflow = proto_register_protocol("Cisco NetFlow", "CFLOW",
1701 proto_register_field_array(proto_netflow, hf, array_length(hf));
1702 proto_register_subtree_array(ett, array_length(ett));
1704 /* Register our configuration options for NetFlow */
1705 netflow_module = prefs_register_protocol(proto_netflow,
1706 proto_reg_handoff_netflow);
1708 prefs_register_uint_preference(netflow_module, "udp.port",
1709 "NetFlow UDP Port", "Set the port for NetFlow messages",
1710 10, &global_netflow_udp_port);
1712 register_dissector("cflow", dissect_netflow, proto_netflow);
1717 * protocol/port association
1720 proto_reg_handoff_netflow(void)
1722 static int netflow_prefs_initialized = FALSE;
1723 static dissector_handle_t netflow_handle;
1725 if (!netflow_prefs_initialized) {
1726 netflow_handle = create_dissector_handle(dissect_netflow,
1728 netflow_prefs_initialized = TRUE;
1730 dissector_delete("udp.port", netflow_udp_port, netflow_handle);
1733 /* Set out port number for future use */
1734 netflow_udp_port = global_netflow_udp_port;
1736 dissector_add("udp.port", netflow_udp_port, netflow_handle);
git.samba.org / obnox / wireshark / wip.git / blob