From 4f639231c83b09ea004c03e95c702b7750bf9930 Mon Sep 17 00:00:00 2001
From: Ander Juaristi
Date: Fri, 26 Apr 2019 09:58:06 +0200
Subject: IPFIX: Add IPFIX output plugin

This patch adds an IPFIX output plugin to ulogd2. It generates NetFlow/IPFIX traces and sends them to a remote server (collector) via TCP or UDP. Based on original work by Holger Eitzenberger .

How to test this
----------------

I am currently testing this with the NFCT input and Wireshark. Place the following in ulogd.conf:

# this will print all flows on screen
loglevel=1
# load NFCT and IPFIX plugins
plugin="/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/lib/ulogd/ulogd_output_IPFIX.so"
stack=ct1:NFCT,ipfix1:IPFIX
[ct1]
netlink_socket_buffer_size=217088
netlink_socket_buffer_maxsize=1085440
accept_proto_filter=tcp,sctp
[ipfix1]
oid=1
host="127.0.0.1"
#port=4739
#send_template="once"

I am currently testing it by launching a plain NetCat listener on port 4739 (the default for IPFIX) and then running Wireshark and see that it dissects the IPFIX/NetFlow traffic correctly (obviously this relies on the Wireshark NetFlow dissector being correct).

First:
nc -vvvv -l 127.0.0.1 4739

Then:
sudo ulogd -vc ulogd.conf

Signed-off-by: Ander Juaristi
Signed-off-by: Pablo Neira Ayuso
---
 output/ipfix/ipfix.h | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 output/ipfix/ipfix.h

(limited to 'output/ipfix/ipfix.h')

diff --git a/output/ipfix/ipfix.h b/output/ipfix/ipfix.h
new file mode 100644
index 0000000..cdb5a6f
--- /dev/null
+++ b/output/ipfix/ipfix.h
@@ -0,0 +1,89 @@
+/*
+ * ipfix.h
+ *
+ * Holger Eitzenberger , 2009.
+ */
+#ifndef IPFIX_H
+#define IPFIX_H
+
+#include 
+#include 
+
+
+struct ipfix_hdr {
+#define IPFIX_VERSION 0xa
+ uint16_t version;
+ uint16_t len;
+ uint32_t time;
+ uint32_t seqno;
+ uint32_t oid; /* Observation Domain ID */
+ uint8_t data[];
+} __packed;
+
+#define IPFIX_HDRLEN sizeof(struct ipfix_hdr)
+
+/*
+ * IDs 0-255 are reserved for Template Sets. IDs of Data Sets are > 255.
+ */
+struct ipfix_templ_hdr {
+ uint16_t id;
+ uint16_t cnt;
+ uint8_t data[];
+} __packed;
+
+struct ipfix_set_hdr {
+#define IPFIX_SET_TEMPL 2
+#define IPFIX_SET_OPT_TEMPL 3
+ uint16_t id;
+ uint16_t len;
+ uint8_t data[];
+} __packed;
+
+#define IPFIX_SET_HDRLEN sizeof(struct ipfix_set_hdr)
+
+struct ipfix_msg {
+ struct llist_head link;
+ uint8_t *tail;
+ uint8_t *end;
+ unsigned nrecs;
+ struct ipfix_set_hdr *last_set;
+ uint8_t data[];
+};
+
+struct vy_ipfix_data {
+ struct in_addr saddr;
+ struct in_addr daddr;
+ uint16_t ifi_in;
+ uint16_t ifi_out;
+ uint32_t packets;
+ uint32_t bytes;
+ uint32_t start; /* Unix time */
+ uint32_t end; /* Unix time */
+ uint16_t sport;
+ uint16_t dport;
+ uint32_t aid; /* Application ID */
+ uint8_t l4_proto;
+ uint8_t dscp;
+ uint16_t __padding;
+} __packed;
+
+#define VY_IPFIX_SID 256
+
+#define VY_IPFIX_FLOWS 36
+#define VY_IPFIX_PKT_LEN (IPFIX_HDRLEN + IPFIX_SET_HDRLEN \
+ + VY_IPFIX_FLOWS * sizeof(struct vy_ipfix_data))
+
+/* template management */
+size_t ipfix_rec_len(uint16_t);
+
+/* message handling */
+struct ipfix_msg *ipfix_msg_alloc(size_t, uint32_t);
+void ipfix_msg_free(struct ipfix_msg *);
+struct ipfix_hdr *ipfix_msg_hdr(const struct ipfix_msg *);
+size_t ipfix_msg_len(const struct ipfix_msg *);
+void *ipfix_msg_data(struct ipfix_msg *);
+struct ipfix_set_hdr *ipfix_msg_add_set(struct ipfix_msg *, uint16_t);
+void *ipfix_msg_add_data(struct ipfix_msg *, size_t);
+int ipfix_dump_msg(const struct ipfix_msg *);
+
+#endif /* IPFIX_H */
-- cgit v1.2.3
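Review bot: The wire-format structs (`ipfix_hdr`, `ipfix_templ_hdr`, `ipfix_set_hdr`, `vy_ipfix_data`) carry no statement of byte order, yet IPFIX (RFC 7011) puts every multi-byte field on the wire in network order, so a reader of this header cannot tell whether `version`, `len`, `cnt`, `seqno` and `oid` are stored pre-converted or in host order; a one-line comment such as `/* all multi-byte fields are in network byte order (RFC 7011) */` above `struct ipfix_hdr` would pin the contract that `ipfix_msg_add_set`, `ipfix_msg_hdr` and `ipfix_dump_msg` have to honour. The prototypes for `ipfix_msg_add_set` and `ipfix_msg_add_data` should likewise say what happens when the requested set or record does not fit between `tail` and `end` (presumably a NULL return, which cannot be confirmed from the header alone), since those two pointers are the only bounds visible here for a `VY_IPFIX_PKT_LEN`-sized message, and whether the message returned by `ipfix_msg_alloc` is owned by the caller until `ipfix_msg_free` also deserves a line. Two smaller points: `uint16_t __padding;` uses an identifier reserved for the implementation (double leading underscore) and would be better as `uint16_t padding;`, and `__packed` is not a standard C attribute, so unless one of the two includes (their names were lost in rendering) supplies it, the `} __packed;` lines will not compile — worth confirming which header defines it.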