2 * Copyright (c) 1998-2007 The TCPDUMP project
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that: (1) source code
6 * distributions retain the above copyright notice and this paragraph
7 * in its entirety, and (2) distributions including binary code include
8 * the above copyright notice and this paragraph in its entirety in
9 * the documentation or other materials provided with the distribution.
10 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND
11 * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
12 * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
13 * FOR A PARTICULAR PURPOSE.
15 * Original code by Carles Kishimoto <carles.kishimoto@gmail.com>
17 * Expansion and refactoring by Rick Jones <rick.jones2@hp.com>
20 /* \summary: sFlow protocol printer */
22 /* specification: https://sflow.org/developers/specifications.php */
28 #include "netdissect-stdinc.h"
30 #define ND_LONGJMP_FROM_TCHECK
31 #include "netdissect.h"
33 #include "addrtoname.h"
39 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
40 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 * | Sflow version (2,4,5) |
42 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43 * | IP version (1 for IPv4 | 2 for IPv6) |
44 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
45 * | IP Address AGENT (4 or 16 bytes) |
46 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
48 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
49 * | Datagram sequence number |
50 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
51 * | Switch uptime in ms |
52 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
53 * | num samples in datagram |
54 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
58 struct sflow_datagram_t {
60 nd_uint32_t ip_version;
68 struct sflow_sample_header {
73 #define SFLOW_FLOW_SAMPLE 1
74 #define SFLOW_COUNTER_SAMPLE 2
75 #define SFLOW_EXPANDED_FLOW_SAMPLE 3
76 #define SFLOW_EXPANDED_COUNTER_SAMPLE 4
78 static const struct tok sflow_format_values[] = {
79 { SFLOW_FLOW_SAMPLE, "flow sample" },
80 { SFLOW_COUNTER_SAMPLE, "counter sample" },
81 { SFLOW_EXPANDED_FLOW_SAMPLE, "expanded flow sample" },
82 { SFLOW_EXPANDED_COUNTER_SAMPLE, "expanded counter sample" },
86 struct sflow_flow_sample_t {
93 nd_uint32_t in_interface;
94 nd_uint32_t out_interface;
99 struct sflow_expanded_flow_sample_t {
106 nd_uint32_t in_interface_format;
107 nd_uint32_t in_interface_value;
108 nd_uint32_t out_interface_format;
109 nd_uint32_t out_interface_value;
113 #define SFLOW_FLOW_RAW_PACKET 1
114 #define SFLOW_FLOW_ETHERNET_FRAME 2
115 #define SFLOW_FLOW_IPV4_DATA 3
116 #define SFLOW_FLOW_IPV6_DATA 4
117 #define SFLOW_FLOW_EXTENDED_SWITCH_DATA 1001
118 #define SFLOW_FLOW_EXTENDED_ROUTER_DATA 1002
119 #define SFLOW_FLOW_EXTENDED_GATEWAY_DATA 1003
120 #define SFLOW_FLOW_EXTENDED_USER_DATA 1004
121 #define SFLOW_FLOW_EXTENDED_URL_DATA 1005
122 #define SFLOW_FLOW_EXTENDED_MPLS_DATA 1006
123 #define SFLOW_FLOW_EXTENDED_NAT_DATA 1007
124 #define SFLOW_FLOW_EXTENDED_MPLS_TUNNEL 1008
125 #define SFLOW_FLOW_EXTENDED_MPLS_VC 1009
126 #define SFLOW_FLOW_EXTENDED_MPLS_FEC 1010
127 #define SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC 1011
128 #define SFLOW_FLOW_EXTENDED_VLAN_TUNNEL 1012
130 static const struct tok sflow_flow_type_values[] = {
131 { SFLOW_FLOW_RAW_PACKET, "Raw packet"},
132 { SFLOW_FLOW_ETHERNET_FRAME, "Ethernet frame"},
133 { SFLOW_FLOW_IPV4_DATA, "IPv4 Data"},
134 { SFLOW_FLOW_IPV6_DATA, "IPv6 Data"},
135 { SFLOW_FLOW_EXTENDED_SWITCH_DATA, "Extended Switch data"},
136 { SFLOW_FLOW_EXTENDED_ROUTER_DATA, "Extended Router data"},
137 { SFLOW_FLOW_EXTENDED_GATEWAY_DATA, "Extended Gateway data"},
138 { SFLOW_FLOW_EXTENDED_USER_DATA, "Extended User data"},
139 { SFLOW_FLOW_EXTENDED_URL_DATA, "Extended URL data"},
140 { SFLOW_FLOW_EXTENDED_MPLS_DATA, "Extended MPLS data"},
141 { SFLOW_FLOW_EXTENDED_NAT_DATA, "Extended NAT data"},
142 { SFLOW_FLOW_EXTENDED_MPLS_TUNNEL, "Extended MPLS tunnel"},
143 { SFLOW_FLOW_EXTENDED_MPLS_VC, "Extended MPLS VC"},
144 { SFLOW_FLOW_EXTENDED_MPLS_FEC, "Extended MPLS FEC"},
145 { SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC, "Extended MPLS LVP FEC"},
146 { SFLOW_FLOW_EXTENDED_VLAN_TUNNEL, "Extended VLAN Tunnel"},
150 #define SFLOW_HEADER_PROTOCOL_ETHERNET 1
151 #define SFLOW_HEADER_PROTOCOL_IPV4 11
152 #define SFLOW_HEADER_PROTOCOL_IPV6 12
154 static const struct tok sflow_flow_raw_protocol_values[] = {
155 { SFLOW_HEADER_PROTOCOL_ETHERNET, "Ethernet"},
156 { SFLOW_HEADER_PROTOCOL_IPV4, "IPv4"},
157 { SFLOW_HEADER_PROTOCOL_IPV6, "IPv6"},
161 struct sflow_expanded_flow_raw_t {
162 nd_uint32_t protocol;
164 nd_uint32_t stripped_bytes;
165 nd_uint32_t header_size;
168 struct sflow_ethernet_frame_t {
175 struct sflow_extended_switch_data_t {
176 nd_uint32_t src_vlan;
178 nd_uint32_t dst_vlan;
182 struct sflow_counter_record_t {
187 struct sflow_flow_record_t {
192 struct sflow_counter_sample_t {
199 struct sflow_expanded_counter_sample_t {
206 #define SFLOW_COUNTER_GENERIC 1
207 #define SFLOW_COUNTER_ETHERNET 2
208 #define SFLOW_COUNTER_TOKEN_RING 3
209 #define SFLOW_COUNTER_BASEVG 4
210 #define SFLOW_COUNTER_VLAN 5
211 #define SFLOW_COUNTER_PROCESSOR 1001
213 static const struct tok sflow_counter_type_values[] = {
214 { SFLOW_COUNTER_GENERIC, "Generic counter"},
215 { SFLOW_COUNTER_ETHERNET, "Ethernet counter"},
216 { SFLOW_COUNTER_TOKEN_RING, "Token ring counter"},
217 { SFLOW_COUNTER_BASEVG, "100 BaseVG counter"},
218 { SFLOW_COUNTER_VLAN, "Vlan counter"},
219 { SFLOW_COUNTER_PROCESSOR, "Processor counter"},
223 #define SFLOW_IFACE_DIRECTION_UNKNOWN 0
224 #define SFLOW_IFACE_DIRECTION_FULLDUPLEX 1
225 #define SFLOW_IFACE_DIRECTION_HALFDUPLEX 2
226 #define SFLOW_IFACE_DIRECTION_IN 3
227 #define SFLOW_IFACE_DIRECTION_OUT 4
229 static const struct tok sflow_iface_direction_values[] = {
230 { SFLOW_IFACE_DIRECTION_UNKNOWN, "unknown"},
231 { SFLOW_IFACE_DIRECTION_FULLDUPLEX, "full-duplex"},
232 { SFLOW_IFACE_DIRECTION_HALFDUPLEX, "half-duplex"},
233 { SFLOW_IFACE_DIRECTION_IN, "in"},
234 { SFLOW_IFACE_DIRECTION_OUT, "out"},
238 struct sflow_generic_counter_t {
242 nd_uint32_t ifdirection;
243 nd_uint32_t ifstatus;
244 nd_uint64_t ifinoctets;
245 nd_uint32_t ifinunicastpkts;
246 nd_uint32_t ifinmulticastpkts;
247 nd_uint32_t ifinbroadcastpkts;
248 nd_uint32_t ifindiscards;
249 nd_uint32_t ifinerrors;
250 nd_uint32_t ifinunkownprotos;
251 nd_uint64_t ifoutoctets;
252 nd_uint32_t ifoutunicastpkts;
253 nd_uint32_t ifoutmulticastpkts;
254 nd_uint32_t ifoutbroadcastpkts;
255 nd_uint32_t ifoutdiscards;
256 nd_uint32_t ifouterrors;
257 nd_uint32_t ifpromiscmode;
260 struct sflow_ethernet_counter_t {
261 nd_uint32_t alignerrors;
262 nd_uint32_t fcserrors;
263 nd_uint32_t single_collision_frames;
264 nd_uint32_t multiple_collision_frames;
265 nd_uint32_t test_errors;
266 nd_uint32_t deferred_transmissions;
267 nd_uint32_t late_collisions;
268 nd_uint32_t excessive_collisions;
269 nd_uint32_t mac_transmit_errors;
270 nd_uint32_t carrier_sense_errors;
271 nd_uint32_t frame_too_longs;
272 nd_uint32_t mac_receive_errors;
273 nd_uint32_t symbol_errors;
276 struct sflow_100basevg_counter_t {
277 nd_uint32_t in_highpriority_frames;
278 nd_uint64_t in_highpriority_octets;
279 nd_uint32_t in_normpriority_frames;
280 nd_uint64_t in_normpriority_octets;
281 nd_uint32_t in_ipmerrors;
282 nd_uint32_t in_oversized;
283 nd_uint32_t in_data_errors;
284 nd_uint32_t in_null_addressed_frames;
285 nd_uint32_t out_highpriority_frames;
286 nd_uint64_t out_highpriority_octets;
287 nd_uint32_t transitioninto_frames;
288 nd_uint64_t hc_in_highpriority_octets;
289 nd_uint64_t hc_in_normpriority_octets;
290 nd_uint64_t hc_out_highpriority_octets;
293 struct sflow_vlan_counter_t {
296 nd_uint32_t unicast_pkt;
297 nd_uint32_t multicast_pkt;
298 nd_uint32_t broadcast_pkt;
299 nd_uint32_t discards;
303 print_sflow_counter_generic(netdissect_options *ndo,
304 const u_char *pointer, u_int len)
306 const struct sflow_generic_counter_t *sflow_gen_counter;
308 if (len < sizeof(struct sflow_generic_counter_t))
311 sflow_gen_counter = (const struct sflow_generic_counter_t *)pointer;
312 ND_PRINT("\n\t ifindex %u, iftype %u, ifspeed %" PRIu64 ", ifdirection %u (%s)",
313 GET_BE_U_4(sflow_gen_counter->ifindex),
314 GET_BE_U_4(sflow_gen_counter->iftype),
315 GET_BE_U_8(sflow_gen_counter->ifspeed),
316 GET_BE_U_4(sflow_gen_counter->ifdirection),
317 tok2str(sflow_iface_direction_values, "Unknown",
318 GET_BE_U_4(sflow_gen_counter->ifdirection)));
319 ND_PRINT("\n\t ifstatus %u, adminstatus: %s, operstatus: %s",
320 GET_BE_U_4(sflow_gen_counter->ifstatus),
321 GET_BE_U_4(sflow_gen_counter->ifstatus)&1 ? "up" : "down",
322 (GET_BE_U_4(sflow_gen_counter->ifstatus)>>1)&1 ? "up" : "down");
323 ND_PRINT("\n\t In octets %" PRIu64
324 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u",
325 GET_BE_U_8(sflow_gen_counter->ifinoctets),
326 GET_BE_U_4(sflow_gen_counter->ifinunicastpkts),
327 GET_BE_U_4(sflow_gen_counter->ifinmulticastpkts),
328 GET_BE_U_4(sflow_gen_counter->ifinbroadcastpkts),
329 GET_BE_U_4(sflow_gen_counter->ifindiscards));
330 ND_PRINT("\n\t In errors %u, unknown protos %u",
331 GET_BE_U_4(sflow_gen_counter->ifinerrors),
332 GET_BE_U_4(sflow_gen_counter->ifinunkownprotos));
333 ND_PRINT("\n\t Out octets %" PRIu64
334 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u",
335 GET_BE_U_8(sflow_gen_counter->ifoutoctets),
336 GET_BE_U_4(sflow_gen_counter->ifoutunicastpkts),
337 GET_BE_U_4(sflow_gen_counter->ifoutmulticastpkts),
338 GET_BE_U_4(sflow_gen_counter->ifoutbroadcastpkts),
339 GET_BE_U_4(sflow_gen_counter->ifoutdiscards));
340 ND_PRINT("\n\t Out errors %u, promisc mode %u",
341 GET_BE_U_4(sflow_gen_counter->ifouterrors),
342 GET_BE_U_4(sflow_gen_counter->ifpromiscmode));
348 print_sflow_counter_ethernet(netdissect_options *ndo,
349 const u_char *pointer, u_int len)
351 const struct sflow_ethernet_counter_t *sflow_eth_counter;
353 if (len < sizeof(struct sflow_ethernet_counter_t))
356 sflow_eth_counter = (const struct sflow_ethernet_counter_t *)pointer;
357 ND_PRINT("\n\t align errors %u, fcs errors %u, single collision %u, multiple collision %u, test error %u",
358 GET_BE_U_4(sflow_eth_counter->alignerrors),
359 GET_BE_U_4(sflow_eth_counter->fcserrors),
360 GET_BE_U_4(sflow_eth_counter->single_collision_frames),
361 GET_BE_U_4(sflow_eth_counter->multiple_collision_frames),
362 GET_BE_U_4(sflow_eth_counter->test_errors));
363 ND_PRINT("\n\t deferred %u, late collision %u, excessive collision %u, mac trans error %u",
364 GET_BE_U_4(sflow_eth_counter->deferred_transmissions),
365 GET_BE_U_4(sflow_eth_counter->late_collisions),
366 GET_BE_U_4(sflow_eth_counter->excessive_collisions),
367 GET_BE_U_4(sflow_eth_counter->mac_transmit_errors));
368 ND_PRINT("\n\t carrier error %u, frames too long %u, mac receive errors %u, symbol errors %u",
369 GET_BE_U_4(sflow_eth_counter->carrier_sense_errors),
370 GET_BE_U_4(sflow_eth_counter->frame_too_longs),
371 GET_BE_U_4(sflow_eth_counter->mac_receive_errors),
372 GET_BE_U_4(sflow_eth_counter->symbol_errors));
378 print_sflow_counter_token_ring(netdissect_options *ndo _U_,
379 const u_char *pointer _U_, u_int len _U_)
385 print_sflow_counter_basevg(netdissect_options *ndo,
386 const u_char *pointer, u_int len)
388 const struct sflow_100basevg_counter_t *sflow_100basevg_counter;
390 if (len < sizeof(struct sflow_100basevg_counter_t))
393 sflow_100basevg_counter = (const struct sflow_100basevg_counter_t *)pointer;
394 ND_PRINT("\n\t in high prio frames %u, in high prio octets %" PRIu64,
395 GET_BE_U_4(sflow_100basevg_counter->in_highpriority_frames),
396 GET_BE_U_8(sflow_100basevg_counter->in_highpriority_octets));
397 ND_PRINT("\n\t in norm prio frames %u, in norm prio octets %" PRIu64,
398 GET_BE_U_4(sflow_100basevg_counter->in_normpriority_frames),
399 GET_BE_U_8(sflow_100basevg_counter->in_normpriority_octets));
400 ND_PRINT("\n\t in ipm errors %u, oversized %u, in data errors %u, null addressed frames %u",
401 GET_BE_U_4(sflow_100basevg_counter->in_ipmerrors),
402 GET_BE_U_4(sflow_100basevg_counter->in_oversized),
403 GET_BE_U_4(sflow_100basevg_counter->in_data_errors),
404 GET_BE_U_4(sflow_100basevg_counter->in_null_addressed_frames));
405 ND_PRINT("\n\t out high prio frames %u, out high prio octets %" PRIu64
406 ", trans into frames %u",
407 GET_BE_U_4(sflow_100basevg_counter->out_highpriority_frames),
408 GET_BE_U_8(sflow_100basevg_counter->out_highpriority_octets),
409 GET_BE_U_4(sflow_100basevg_counter->transitioninto_frames));
410 ND_PRINT("\n\t in hc high prio octets %" PRIu64
411 ", in hc norm prio octets %" PRIu64
412 ", out hc high prio octets %" PRIu64,
413 GET_BE_U_8(sflow_100basevg_counter->hc_in_highpriority_octets),
414 GET_BE_U_8(sflow_100basevg_counter->hc_in_normpriority_octets),
415 GET_BE_U_8(sflow_100basevg_counter->hc_out_highpriority_octets));
421 print_sflow_counter_vlan(netdissect_options *ndo,
422 const u_char *pointer, u_int len)
424 const struct sflow_vlan_counter_t *sflow_vlan_counter;
426 if (len < sizeof(struct sflow_vlan_counter_t))
429 sflow_vlan_counter = (const struct sflow_vlan_counter_t *)pointer;
430 ND_PRINT("\n\t vlan_id %u, octets %" PRIu64
431 ", unicast_pkt %u, multicast_pkt %u, broadcast_pkt %u, discards %u",
432 GET_BE_U_4(sflow_vlan_counter->vlan_id),
433 GET_BE_U_8(sflow_vlan_counter->octets),
434 GET_BE_U_4(sflow_vlan_counter->unicast_pkt),
435 GET_BE_U_4(sflow_vlan_counter->multicast_pkt),
436 GET_BE_U_4(sflow_vlan_counter->broadcast_pkt),
437 GET_BE_U_4(sflow_vlan_counter->discards));
442 struct sflow_processor_counter_t {
443 nd_uint32_t five_sec_util;
444 nd_uint32_t one_min_util;
445 nd_uint32_t five_min_util;
446 nd_uint64_t total_memory;
447 nd_uint64_t free_memory;
451 print_sflow_counter_processor(netdissect_options *ndo,
452 const u_char *pointer, u_int len)
454 const struct sflow_processor_counter_t *sflow_processor_counter;
456 if (len < sizeof(struct sflow_processor_counter_t))
459 sflow_processor_counter = (const struct sflow_processor_counter_t *)pointer;
460 ND_PRINT("\n\t 5sec %u, 1min %u, 5min %u, total_mem %" PRIu64
461 ", total_mem %" PRIu64,
462 GET_BE_U_4(sflow_processor_counter->five_sec_util),
463 GET_BE_U_4(sflow_processor_counter->one_min_util),
464 GET_BE_U_4(sflow_processor_counter->five_min_util),
465 GET_BE_U_8(sflow_processor_counter->total_memory),
466 GET_BE_U_8(sflow_processor_counter->free_memory));
472 sflow_print_counter_records(netdissect_options *ndo,
473 const u_char *pointer, u_int len, u_int records)
481 const struct sflow_counter_record_t *sflow_counter_record;
487 while (nrecords > 0) {
488 /* do we have the "header?" */
489 if (tlen < sizeof(struct sflow_counter_record_t))
491 sflow_counter_record = (const struct sflow_counter_record_t *)tptr;
493 enterprise = GET_BE_U_4(sflow_counter_record->format);
494 counter_type = enterprise & 0x0FFF;
495 enterprise = enterprise >> 20;
496 counter_len = GET_BE_U_4(sflow_counter_record->length);
497 ND_PRINT("\n\t enterprise %u, %s (%u) length %u",
499 (enterprise == 0) ? tok2str(sflow_counter_type_values,"Unknown",counter_type) : "Unknown",
503 tptr += sizeof(struct sflow_counter_record_t);
504 tlen -= sizeof(struct sflow_counter_record_t);
506 if (tlen < counter_len)
508 if (enterprise == 0) {
509 switch (counter_type) {
510 case SFLOW_COUNTER_GENERIC:
511 if (print_sflow_counter_generic(ndo, tptr, tlen))
514 case SFLOW_COUNTER_ETHERNET:
515 if (print_sflow_counter_ethernet(ndo, tptr, tlen))
518 case SFLOW_COUNTER_TOKEN_RING:
519 if (print_sflow_counter_token_ring(ndo, tptr,tlen))
522 case SFLOW_COUNTER_BASEVG:
523 if (print_sflow_counter_basevg(ndo, tptr, tlen))
526 case SFLOW_COUNTER_VLAN:
527 if (print_sflow_counter_vlan(ndo, tptr, tlen))
530 case SFLOW_COUNTER_PROCESSOR:
531 if (print_sflow_counter_processor(ndo, tptr, tlen))
535 if (ndo->ndo_vflag <= 1)
536 print_unknown_data(ndo, tptr, "\n\t\t", counter_len);
550 sflow_print_counter_sample(netdissect_options *ndo,
551 const u_char *pointer, u_int len)
553 const struct sflow_counter_sample_t *sflow_counter_sample;
556 if (len < sizeof(struct sflow_counter_sample_t))
559 sflow_counter_sample = (const struct sflow_counter_sample_t *)pointer;
561 nrecords = GET_BE_U_4(sflow_counter_sample->records);
563 ND_PRINT(" seqnum %u, type %u, idx %u, records %u",
564 GET_BE_U_4(sflow_counter_sample->seqnum),
565 GET_U_1(sflow_counter_sample->type),
566 GET_BE_U_3(sflow_counter_sample->index),
569 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_counter_sample_t),
570 len - sizeof(struct sflow_counter_sample_t),
575 sflow_print_expanded_counter_sample(netdissect_options *ndo,
576 const u_char *pointer, u_int len)
578 const struct sflow_expanded_counter_sample_t *sflow_expanded_counter_sample;
582 if (len < sizeof(struct sflow_expanded_counter_sample_t))
585 sflow_expanded_counter_sample = (const struct sflow_expanded_counter_sample_t *)pointer;
587 nrecords = GET_BE_U_4(sflow_expanded_counter_sample->records);
589 ND_PRINT(" seqnum %u, type %u, idx %u, records %u",
590 GET_BE_U_4(sflow_expanded_counter_sample->seqnum),
591 GET_BE_U_4(sflow_expanded_counter_sample->type),
592 GET_BE_U_4(sflow_expanded_counter_sample->index),
595 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_expanded_counter_sample_t),
596 len - sizeof(struct sflow_expanded_counter_sample_t),
601 print_sflow_raw_packet(netdissect_options *ndo,
602 const u_char *pointer, u_int len)
604 const struct sflow_expanded_flow_raw_t *sflow_flow_raw;
606 if (len < sizeof(struct sflow_expanded_flow_raw_t))
609 sflow_flow_raw = (const struct sflow_expanded_flow_raw_t *)pointer;
610 ND_PRINT("\n\t protocol %s (%u), length %u, stripped bytes %u, header_size %u",
611 tok2str(sflow_flow_raw_protocol_values,"Unknown",GET_BE_U_4(sflow_flow_raw->protocol)),
612 GET_BE_U_4(sflow_flow_raw->protocol),
613 GET_BE_U_4(sflow_flow_raw->length),
614 GET_BE_U_4(sflow_flow_raw->stripped_bytes),
615 GET_BE_U_4(sflow_flow_raw->header_size));
617 /* QUESTION - should we attempt to print the raw header itself?
618 assuming of course there is enough data present to do so... */
624 print_sflow_ethernet_frame(netdissect_options *ndo,
625 const u_char *pointer, u_int len)
627 const struct sflow_ethernet_frame_t *sflow_ethernet_frame;
629 if (len < sizeof(struct sflow_ethernet_frame_t))
632 sflow_ethernet_frame = (const struct sflow_ethernet_frame_t *)pointer;
634 ND_PRINT("\n\t frame len %u, type %u",
635 GET_BE_U_4(sflow_ethernet_frame->length),
636 GET_BE_U_4(sflow_ethernet_frame->type));
642 print_sflow_extended_switch_data(netdissect_options *ndo,
643 const u_char *pointer, u_int len)
645 const struct sflow_extended_switch_data_t *sflow_extended_sw_data;
647 if (len < sizeof(struct sflow_extended_switch_data_t))
650 sflow_extended_sw_data = (const struct sflow_extended_switch_data_t *)pointer;
651 ND_PRINT("\n\t src vlan %u, src pri %u, dst vlan %u, dst pri %u",
652 GET_BE_U_4(sflow_extended_sw_data->src_vlan),
653 GET_BE_U_4(sflow_extended_sw_data->src_pri),
654 GET_BE_U_4(sflow_extended_sw_data->dst_vlan),
655 GET_BE_U_4(sflow_extended_sw_data->dst_pri));
661 sflow_print_flow_records(netdissect_options *ndo,
662 const u_char *pointer, u_int len, u_int records)
670 const struct sflow_flow_record_t *sflow_flow_record;
676 while (nrecords > 0) {
677 /* do we have the "header?" */
678 if (tlen < sizeof(struct sflow_flow_record_t))
681 sflow_flow_record = (const struct sflow_flow_record_t *)tptr;
683 /* so, the funky encoding means we cannot blythly mask-off
684 bits, we must also check the enterprise. */
686 enterprise = GET_BE_U_4(sflow_flow_record->format);
687 flow_type = enterprise & 0x0FFF;
688 enterprise = enterprise >> 12;
689 flow_len = GET_BE_U_4(sflow_flow_record->length);
690 ND_PRINT("\n\t enterprise %u %s (%u) length %u",
692 (enterprise == 0) ? tok2str(sflow_flow_type_values,"Unknown",flow_type) : "Unknown",
696 tptr += sizeof(struct sflow_flow_record_t);
697 tlen -= sizeof(struct sflow_flow_record_t);
702 if (enterprise == 0) {
704 case SFLOW_FLOW_RAW_PACKET:
705 if (print_sflow_raw_packet(ndo, tptr, tlen))
708 case SFLOW_FLOW_EXTENDED_SWITCH_DATA:
709 if (print_sflow_extended_switch_data(ndo, tptr, tlen))
712 case SFLOW_FLOW_ETHERNET_FRAME:
713 if (print_sflow_ethernet_frame(ndo, tptr, tlen))
716 /* FIXME these need a decoder */
717 case SFLOW_FLOW_IPV4_DATA:
718 case SFLOW_FLOW_IPV6_DATA:
719 case SFLOW_FLOW_EXTENDED_ROUTER_DATA:
720 case SFLOW_FLOW_EXTENDED_GATEWAY_DATA:
721 case SFLOW_FLOW_EXTENDED_USER_DATA:
722 case SFLOW_FLOW_EXTENDED_URL_DATA:
723 case SFLOW_FLOW_EXTENDED_MPLS_DATA:
724 case SFLOW_FLOW_EXTENDED_NAT_DATA:
725 case SFLOW_FLOW_EXTENDED_MPLS_TUNNEL:
726 case SFLOW_FLOW_EXTENDED_MPLS_VC:
727 case SFLOW_FLOW_EXTENDED_MPLS_FEC:
728 case SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC:
729 case SFLOW_FLOW_EXTENDED_VLAN_TUNNEL:
732 if (ndo->ndo_vflag <= 1)
733 print_unknown_data(ndo, tptr, "\n\t\t", flow_len);
747 sflow_print_flow_sample(netdissect_options *ndo,
748 const u_char *pointer, u_int len)
750 const struct sflow_flow_sample_t *sflow_flow_sample;
753 if (len < sizeof(struct sflow_flow_sample_t))
756 sflow_flow_sample = (const struct sflow_flow_sample_t *)pointer;
758 nrecords = GET_BE_U_4(sflow_flow_sample->records);
760 ND_PRINT(" seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, input %u output %u records %u",
761 GET_BE_U_4(sflow_flow_sample->seqnum),
762 GET_U_1(sflow_flow_sample->type),
763 GET_BE_U_3(sflow_flow_sample->index),
764 GET_BE_U_4(sflow_flow_sample->rate),
765 GET_BE_U_4(sflow_flow_sample->pool),
766 GET_BE_U_4(sflow_flow_sample->drops),
767 GET_BE_U_4(sflow_flow_sample->in_interface),
768 GET_BE_U_4(sflow_flow_sample->out_interface),
771 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_flow_sample_t),
772 len - sizeof(struct sflow_flow_sample_t),
777 sflow_print_expanded_flow_sample(netdissect_options *ndo,
778 const u_char *pointer, u_int len)
780 const struct sflow_expanded_flow_sample_t *sflow_expanded_flow_sample;
783 if (len < sizeof(struct sflow_expanded_flow_sample_t))
786 sflow_expanded_flow_sample = (const struct sflow_expanded_flow_sample_t *)pointer;
788 nrecords = GET_BE_U_4(sflow_expanded_flow_sample->records);
790 ND_PRINT(" seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, records %u",
791 GET_BE_U_4(sflow_expanded_flow_sample->seqnum),
792 GET_BE_U_4(sflow_expanded_flow_sample->type),
793 GET_BE_U_4(sflow_expanded_flow_sample->index),
794 GET_BE_U_4(sflow_expanded_flow_sample->rate),
795 GET_BE_U_4(sflow_expanded_flow_sample->pool),
796 GET_BE_U_4(sflow_expanded_flow_sample->drops),
799 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_expanded_flow_sample_t),
800 len - sizeof(struct sflow_expanded_flow_sample_t),
805 sflow_print(netdissect_options *ndo,
806 const u_char *pptr, u_int len)
808 const struct sflow_datagram_t *sflow_datagram;
809 const struct sflow_sample_header *sflow_sample;
813 uint32_t sflow_sample_type, sflow_sample_len;
816 ndo->ndo_protocol = "sflow";
819 sflow_datagram = (const struct sflow_datagram_t *)pptr;
820 if (len < sizeof(struct sflow_datagram_t)) {
821 ND_PRINT("sFlowv%u", GET_BE_U_4(sflow_datagram->version));
822 ND_PRINT(" [length %u < %zu]", len, sizeof(struct sflow_datagram_t));
823 nd_print_invalid(ndo);
826 ND_TCHECK_SIZE(sflow_datagram);
829 * Sanity checking of the header.
831 if (GET_BE_U_4(sflow_datagram->version) != 5) {
832 ND_PRINT("sFlow version %u packet not supported",
833 GET_BE_U_4(sflow_datagram->version));
837 if (ndo->ndo_vflag < 1) {
838 ND_PRINT("sFlowv%u, %s agent %s, agent-id %u, length %u",
839 GET_BE_U_4(sflow_datagram->version),
840 GET_BE_U_4(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6",
841 GET_IPADDR_STRING(sflow_datagram->agent),
842 GET_BE_U_4(sflow_datagram->agent_id),
847 /* ok they seem to want to know everything - lets fully decode it */
848 nsamples=GET_BE_U_4(sflow_datagram->samples);
849 ND_PRINT("sFlowv%u, %s agent %s, agent-id %u, seqnum %u, uptime %u, samples %u, length %u",
850 GET_BE_U_4(sflow_datagram->version),
851 GET_BE_U_4(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6",
852 GET_IPADDR_STRING(sflow_datagram->agent),
853 GET_BE_U_4(sflow_datagram->agent_id),
854 GET_BE_U_4(sflow_datagram->seqnum),
855 GET_BE_U_4(sflow_datagram->uptime),
859 /* skip Common header */
860 tptr += sizeof(struct sflow_datagram_t);
861 tlen -= sizeof(struct sflow_datagram_t);
863 while (nsamples > 0 && tlen > 0) {
864 sflow_sample = (const struct sflow_sample_header *)tptr;
866 sflow_sample_type = (GET_BE_U_4(sflow_sample->format)&0x0FFF);
867 sflow_sample_len = GET_BE_U_4(sflow_sample->len);
869 if (tlen < sizeof(struct sflow_sample_header))
872 tptr += sizeof(struct sflow_sample_header);
873 tlen -= sizeof(struct sflow_sample_header);
875 ND_PRINT("\n\t%s (%u), length %u,",
876 tok2str(sflow_format_values, "Unknown", sflow_sample_type),
880 /* basic sanity check */
881 if (sflow_sample_type == 0 || sflow_sample_len ==0) {
885 if (tlen < sflow_sample_len)
888 /* did we capture enough for fully decoding the sample ? */
889 ND_TCHECK_LEN(tptr, sflow_sample_len);
891 switch(sflow_sample_type) {
892 case SFLOW_FLOW_SAMPLE:
893 if (sflow_print_flow_sample(ndo, tptr, tlen))
897 case SFLOW_COUNTER_SAMPLE:
898 if (sflow_print_counter_sample(ndo, tptr,tlen))
902 case SFLOW_EXPANDED_FLOW_SAMPLE:
903 if (sflow_print_expanded_flow_sample(ndo, tptr, tlen))
907 case SFLOW_EXPANDED_COUNTER_SAMPLE:
908 if (sflow_print_expanded_counter_sample(ndo, tptr,tlen))
913 if (ndo->ndo_vflag <= 1)
914 print_unknown_data(ndo, tptr, "\n\t ", sflow_sample_len);
917 tptr += sflow_sample_len;
918 tlen -= sflow_sample_len;
924 nd_print_invalid(ndo);
925 ND_TCHECK_LEN(tptr, tlen);
projects / dragonfly.git / blob