netflow9

package
v1.0.0
Warning

This package is not in the latest version of its module.

Published: Jul 6, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package netflow9 implements NetFlow version 9 as specified in RFC 3954.

About

NetFlow version 9 is the IETF standard mechanism for information export.

Structure

The basic output of NetFlow is a flow record. Several different formats for flow records have evolved as NetFlow has matured. The most recent evolution of the NetFlow flow-record format is known as NetFlow version 9. The distinguishing feature of the NetFlow Version 9 format, which is the basis for an IETF standard, is that it is template-based.

Templates provide an extensible design to the record format, a feature that should allow future enhancements to NetFlow services without requiring concurrent changes to the basic flow-record format.


Constants

const (
	// Version word in the Packet Header
	Version uint16 = 0x0009
)

Variables

This section is empty.

Functions

func Dump

func Dump(p *Packet)

Types

type DataFlowSet

type DataFlowSet struct {
	Header  FlowSetHeader
	Records []DataRecord
	Bytes   []byte
}

func (*DataFlowSet) Unmarshal

func (dfs *DataFlowSet) Unmarshal(r io.Reader, tr TemplateRecord, t *Translate) error

type DataRecord

type DataRecord struct {
	TemplateID uint16
	Fields     Fields
}

func (*DataRecord) Unmarshal

func (dr *DataRecord) Unmarshal(r io.Reader, fss FieldSpecifiers, t *Translate) error

type Decoder

type Decoder struct {
	io.Reader
	session.Session
	*Translate
}

Decoder can decode multiple NetFlow version 9 packets from a stream.

func NewDecoder

func NewDecoder(r io.Reader, s session.Session) *Decoder

func (*Decoder) Decode

func (d *Decoder) Decode(data []byte) (*Packet, error)

Decode decodes a single message from a buffer of bytes.

func (*Decoder) Next

func (d *Decoder) Next() (*Packet, error)

Next decodes the next message from the stream. Note that if Next returns an error, then depending on where the error originated, the decoder's results can no longer be trusted and the stream should be reset.

type Field

type Field struct {
	Type       uint16
	Length     uint16
	Translated *TranslatedField
	Bytes      []byte
}

func (*Field) Unmarshal

func (f *Field) Unmarshal(r io.Reader) error

type FieldSpecifier

type FieldSpecifier struct {
	Type   uint16
	Length uint16
}

func (*FieldSpecifier) String

func (fs *FieldSpecifier) String() string

func (*FieldSpecifier) Unmarshal

func (f *FieldSpecifier) Unmarshal(r io.Reader) error

type FieldSpecifiers

type FieldSpecifiers []FieldSpecifier

func (FieldSpecifiers) String

func (fs FieldSpecifiers) String() string

func (*FieldSpecifiers) Unmarshal

func (fs *FieldSpecifiers) Unmarshal(r io.Reader) error

type Fields

type Fields []Field

type FlowSetHeader

type FlowSetHeader struct {
	ID     uint16
	Length uint16
}

func (*FlowSetHeader) Len

func (h *FlowSetHeader) Len() int

func (*FlowSetHeader) Unmarshal

func (h *FlowSetHeader) Unmarshal(r io.Reader) error

type OptionsDataFlowSet

type OptionsDataFlowSet struct {
	Header  FlowSetHeader
	Bytes   []byte
	Records []OptionsDataRecord
}

func (*OptionsDataFlowSet) Unmarshal

func (ods *OptionsDataFlowSet) Unmarshal(r io.Reader, otr OptionsTemplateRecord, t *Translate) error

type OptionsDataRecord

type OptionsDataRecord struct {
	TemplateID  uint16
	ScopeFields Fields
	Fields      Fields
}

func (*OptionsDataRecord) Unmarshal

func (odr *OptionsDataRecord) Unmarshal(r io.Reader, scopeFss FieldSpecifiers, fss FieldSpecifiers, t *Translate) error

type OptionsTemplateFlowSet

type OptionsTemplateFlowSet struct {
	Header  FlowSetHeader
	Records []OptionsTemplateRecord
}

OptionsTemplateRecord (and its corresponding OptionsDataRecord) is used to supply information about the NetFlow process configuration or NetFlow process specific data, rather than supplying information about IP Flows.

For example, the Options Template FlowSet can report the sample rate of a specific interface, if sampling is supported, along with the sampling method used.

The format of the Options Template FlowSet follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       FlowSet ID = 1          |          Length               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Template ID           |      Option Scope Length      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Option Length          |       Scope 1 Field Type      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Scope 1 Field Length      |               ...             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Scope N Field Length      |      Option 1 Field Type      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Option 1 Field Length     |             ...               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Option M Field Length     |           Padding             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

func (OptionsTemplateFlowSet) String

func (ots OptionsTemplateFlowSet) String() string

func (*OptionsTemplateFlowSet) UnmarshalRecords

func (ots *OptionsTemplateFlowSet) UnmarshalRecords(r io.Reader) error

type OptionsTemplateRecord

type OptionsTemplateRecord struct {
	// Each Options Template Record is given a unique Template ID in the
	// range 256 to 65535.
	TemplateID uint16

	// Number of scope fields in this Options Template Record. The Scope
	// Fields are normal Fields, except that they are interpreted as
	// scope at the Collector. A scope field count of N specifies that
	// the first N Field Specifiers in the Template Record are Scope
	// Fields. The Scope Field Count MUST NOT be zero.
	ScopeFieldCount uint16
	ScopeFields     FieldSpecifiers

	// Number of non-scope fields in this Options Template Record
	FieldCount uint16
	Fields     FieldSpecifiers
}

func (OptionsTemplateRecord) ID

func (otr OptionsTemplateRecord) ID() uint16

func (OptionsTemplateRecord) String

func (otr OptionsTemplateRecord) String() string

func (*OptionsTemplateRecord) Unmarshal

func (otr *OptionsTemplateRecord) Unmarshal(r io.Reader) error

type Packet

type Packet struct {
	Header                  PacketHeader
	TemplateFlowSets        []TemplateFlowSet
	OptionsTemplateFlowSets []OptionsTemplateFlowSet
	DataFlowSets            []DataFlowSet
	OptionsDataFlowSets     []OptionsDataFlowSet
}

Packet consists of a Packet Header followed by one or more FlowSets. The FlowSets can be any of the possible three types: Template, Data, or Options Template.

The format of the Packet on the wire is:

+--------+-------------------------------------------+
|        | +----------+ +---------+ +----------+     |
| Packet | | Template | | Data    | | Options  |     |
| Header | | FlowSet  | | FlowSet | | Template | ... |
|        | |          | |         | | FlowSet  |     |
|        | +----------+ +---------+ +----------+     |
+--------+-------------------------------------------+

func Read

func Read(r io.Reader, s session.Session, t *Translate) (*Packet, error)

Read reads a single NetFlow packet from the provided reader and decodes all the sets.

func (*Packet) UnmarshalFlowSets

func (p *Packet) UnmarshalFlowSets(r io.Reader, s session.Session, t *Translate) error

type PacketHeader

type PacketHeader struct {
	Version        uint16
	Count          uint16
	SysUpTime      uint32
	UnixSecs       uint32
	SequenceNumber uint32
	SourceID       uint32
}

PacketHeader is a Packet Header (RFC 3954 section 5.1)

func (PacketHeader) Len

func (h PacketHeader) Len() int

func (*PacketHeader) Unmarshal

func (h *PacketHeader) Unmarshal(r io.Reader) error

type TemplateFlowSet

type TemplateFlowSet struct {
	Header  FlowSetHeader
	Records []TemplateRecord
}

TemplateFlowSet enhances the flexibility of the Flow Record format because it allows the NetFlow Collector to process Flow Records without necessarily knowing the interpretation of all the data in the Flow Record.

The format of the Template FlowSet is as follows:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       FlowSet ID = 0          |          Length               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Template ID 256          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 1           |         Field Length 1        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 2           |         Field Length 2        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type N           |         Field Length N        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      Template ID 257          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 1           |         Field Length 1        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type 2           |         Field Length 2        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Field Type M           |         Field Length M        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        Template ID K          |         Field Count           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             ...               |              ...              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
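The Length and Field Count words in this layout come straight from the exporter's datagram, so a collector has to check each of them against the bytes it actually received before indexing. The following is an added example, not this package's code: a standard-library-only parser for the Template FlowSet layout above. The names `fieldSpec`, `templateRec`, `parseTemplateFlowSet`, `errMalformed` and `sample` are hypothetical, and rejecting Template IDs below 256 and treating fewer than four trailing bytes as padding are this example's own choices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Example-only types mirroring the shape of the page's FieldSpecifier and TemplateRecord.
type fieldSpec struct{ Type, Length uint16 }
type templateRec struct {
	ID     uint16
	Fields []fieldSpec
}

var errMalformed = errors.New("malformed template flowset")

// parseTemplateFlowSet decodes one Template FlowSet (FlowSet ID 0) from b,
// checking every length against the bytes actually present.
func parseTemplateFlowSet(b []byte) ([]templateRec, error) {
	be := binary.BigEndian
	if len(b) < 4 || be.Uint16(b) != 0 {
		return nil, errMalformed
	}
	n := int(be.Uint16(b[2:])) // Length covers the 4-byte FlowSet header too
	if n < 4 || n > len(b) {
		return nil, errMalformed
	}
	body := b[4:n]
	var recs []templateRec
	for len(body) >= 4 { // fewer than 4 trailing bytes is treated as padding
		id := be.Uint16(body)
		count := int(be.Uint16(body[2:]))
		body = body[4:]
		if id < 256 || count*4 > len(body) { // Field Count must fit in what is left
			return nil, errMalformed
		}
		rec := templateRec{ID: id, Fields: make([]fieldSpec, count)}
		for i := range rec.Fields {
			rec.Fields[i] = fieldSpec{be.Uint16(body[i*4:]), be.Uint16(body[i*4+2:])}
		}
		body = body[count*4:]
		recs = append(recs, rec)
	}
	return recs, nil
}

// Constructed sample: template 256 with IPV4_SRC_ADDR (type 8, 4 bytes) and IN_BYTES (type 1, 4 bytes).
var sample = []byte{0, 0, 0, 16, 1, 0, 0, 2, 0, 8, 0, 4, 0, 1, 0, 4}

func main() { fmt.Println(parseTemplateFlowSet(sample)) }
```
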

func (*TemplateFlowSet) UnmarshalRecords

func (tfs *TemplateFlowSet) UnmarshalRecords(r io.Reader) error

type TemplateRecord

type TemplateRecord struct {
	TemplateID uint16
	FieldCount uint16
	Fields     FieldSpecifiers
}

TemplateRecord is a Template Record as per RFC 3954 section 5.2.

func (TemplateRecord) ID

func (tr TemplateRecord) ID() uint16

func (TemplateRecord) Size

func (tr TemplateRecord) Size() int

func (TemplateRecord) String

func (tr TemplateRecord) String() string

func (*TemplateRecord) Unmarshal

func (tr *TemplateRecord) Unmarshal(r io.Reader) error

type Translate

type Translate struct {
	*translate.Translate
}

func NewTranslate

func NewTranslate(s session.Session) *Translate

func (*Translate) Record

func (t *Translate) Record(templateID uint16, fields Fields, fss FieldSpecifiers) error

type TranslatedField

type TranslatedField struct {
	Name  string
	Type  uint16
	Value interface{}
	Bytes []byte
}

func (TranslatedField) String

func (tf TranslatedField) String() string
