All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.graylog.plugins.netflow.v5.NetFlowV5Parser Maven / Gradle / Ivy

There is a newer version: 6.1.4
Show newest version
/*
 * Copyright (C) 2020 Graylog, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the Server Side Public License, version 1,
 * as published by MongoDB, Inc.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * Server Side Public License for more details.
 *
 * You should have received a copy of the Server Side Public License
 * along with this program. If not, see
 * .
 */
package org.graylog.plugins.netflow.v5;

import com.google.common.collect.ImmutableList;
import io.netty.buffer.ByteBuf;
import org.graylog.plugins.netflow.flows.CorruptFlowPacketException;
import org.graylog.plugins.netflow.flows.InvalidFlowVersionException;
import org.graylog.plugins.netflow.utils.ByteBufUtils;

import java.net.InetAddress;

public class NetFlowV5Parser {
    private static final int HEADER_LENGTH = 24;
    private static final int RECORD_LENGTH = 48;

    public static NetFlowV5Packet parsePacket(ByteBuf bb) {
        final int readableBytes = bb.readableBytes();

        final NetFlowV5Header header = parseHeader(bb.slice(bb.readerIndex(), HEADER_LENGTH));
        final int packetLength = HEADER_LENGTH + header.count() * RECORD_LENGTH;
        if (header.count() <= 0 || readableBytes < packetLength) {
            throw new CorruptFlowPacketException("Insufficient data (expected: " + packetLength + " bytes, actual: " + readableBytes + " bytes)");
        }

        final ImmutableList.Builder records = ImmutableList.builder();
        int offset = HEADER_LENGTH;
        for (int i = 0; i < header.count(); i++) {
            records.add(parseRecord(bb.slice(offset + bb.readerIndex(), RECORD_LENGTH)));
            offset += RECORD_LENGTH;
        }

        return NetFlowV5Packet.create(header, records.build(), offset);
    }

    /**
     * 
     * | BYTES |     CONTENTS      |                                       DESCRIPTION                                        |
     * |-------|-------------------|------------------------------------------------------------------------------------------|
     * | 0-1   | version           | NetFlow export format version number                                                     |
     * | 2-3   | count             | Number of flows exported in this packet (1-30)                                           |
     * | 4-7   | sys_uptime        | Current time in milliseconds since the export device booted                              |
     * | 8-11  | unix_secs         | Current count of seconds since 0000 UTC 1970                                             |
     * | 12-15 | unix_nsecs        | Residual nanoseconds since 0000 UTC 1970                                                 |
     * | 16-19 | flow_sequence     | Sequence counter of total flows seen                                                     |
     * | 20    | engine_type       | Type of flow-switching engine                                                            |
     * | 21    | engine_id         | Slot number of the flow-switching engine                                                 |
     * | 22-23 | sampling_interval | First two bits hold the sampling mode; remaining 14 bits hold value of sampling interval |
     * 
*/ private static NetFlowV5Header parseHeader(ByteBuf bb) { final int version = bb.readUnsignedShort(); if (version != 5) { throw new InvalidFlowVersionException(version); } final int count = bb.readUnsignedShort(); final long sysUptime = bb.readUnsignedInt(); final long unixSecs = bb.readUnsignedInt(); final long unixNsecs = bb.readUnsignedInt(); final long flowSequence = bb.readUnsignedInt(); final short engineType = bb.readUnsignedByte(); final short engineId = bb.readUnsignedByte(); final short sampling = bb.readShort(); final int samplingMode = (sampling >> 14) & 3; final int samplingInterval = sampling & 0x3fff; return NetFlowV5Header.create( version, count, sysUptime, unixSecs, unixNsecs, flowSequence, engineType, engineId, samplingMode, samplingInterval); } /** *
     * | BYTES | CONTENTS  |                            DESCRIPTION                             |
     * |-------|-----------|--------------------------------------------------------------------|
     * | 0-3   | srcaddr   | Source IP address                                                  |
     * | 4-7   | dstaddr   | Destination IP address                                             |
     * | 8-11  | nexthop   | IP address of next hop router                                      |
     * | 12-13 | input     | SNMP index of input interface                                      |
     * | 14-15 | output    | SNMP index of output interface                                     |
     * | 16-19 | dPkts     | Packets in the flow                                                |
     * | 20-23 | dOctets   | Total number of Layer 3 bytes in the packets of the flow           |
     * | 24-27 | first     | SysUptime at start of flow                                         |
     * | 28-31 | last      | SysUptime at the time the last packet of the flow was received     |
     * | 32-33 | srcport   | TCP/UDP source port number or equivalent                           |
     * | 34-35 | dstport   | TCP/UDP destination port number or equivalent                      |
     * | 36    | pad1      | Unused (zero) bytes                                                |
     * | 37    | tcp_flags | Cumulative OR of TCP flags                                         |
     * | 38    | prot      | IP protocol type (for example, TCP = 6; UDP = 17)                  |
     * | 39    | tos       | IP type of service (ToS)                                           |
     * | 40-41 | src_as    | Autonomous system number of the source, either origin or peer      |
     * | 42-43 | dst_as    | Autonomous system number of the destination, either origin or peer |
     * | 44    | src_mask  | Source address prefix mask bits                                    |
     * | 45    | dst_mask  | Destination address prefix mask bits                               |
     * | 46-47 | pad2      | Unused (zero) bytes                                                |
     * 
*/ private static NetFlowV5Record parseRecord(ByteBuf bb) { final InetAddress srcAddr = ByteBufUtils.readInetAddress(bb); final InetAddress dstAddr = ByteBufUtils.readInetAddress(bb); final InetAddress nextHop = ByteBufUtils.readInetAddress(bb); final int inputIface = bb.readUnsignedShort(); final int outputIface = bb.readUnsignedShort(); final long packetCount = bb.readUnsignedInt(); final long octetCount = bb.readUnsignedInt(); final long first = bb.readUnsignedInt(); final long last = bb.readUnsignedInt(); final int srcPort = bb.readUnsignedShort(); final int dstPort = bb.readUnsignedShort(); bb.readByte(); // unused pad1 final short tcpFlags = bb.readUnsignedByte(); final short protocol = bb.readUnsignedByte(); final short tos = bb.readUnsignedByte(); final int srcAs = bb.readUnsignedShort(); final int dstAs = bb.readUnsignedShort(); final short srcMask = bb.readUnsignedByte(); final short dstMask = bb.readUnsignedByte(); return NetFlowV5Record.create(srcAddr, dstAddr, nextHop, inputIface, outputIface, packetCount, octetCount, first, last, srcPort, dstPort, tcpFlags, protocol, tos, srcAs, dstAs, srcMask, dstMask); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy