]> The Tcpdump Group git mirrors - tcpdump/blob - print-sflow.c
projects / tcpdump / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
More bounds checking when fetching addresses and converting to strings.
[tcpdump] / print-sflow.c
1 /*
2 * Copyright (c) 1998-2007 The TCPDUMP project
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that: (1) source code
6 * distributions retain the above copyright notice and this paragraph
7 * in its entirety, and (2) distributions including binary code include
8 * the above copyright notice and this paragraph in its entirety in
9 * the documentation or other materials provided with the distribution.
10 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND
11 * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT
12 * LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
13 * FOR A PARTICULAR PURPOSE.
14 *
15 * Original code by Carles Kishimoto <carles.kishimoto@gmail.com>
16 *
17 * Expansion and refactoring by Rick Jones <rick.jones2@hp.com>
18 */
19
20 /* \summary: sFlow protocol printer */
21
22 /* specification: https://sflow.org/developers/specifications.php */
23
24 #ifdef HAVE_CONFIG_H
25 #include <config.h>
26 #endif
27
28 #include "netdissect-stdinc.h"
29
30 #include "netdissect.h"
31 #include "extract.h"
32 #include "addrtoname.h"
33
34 /*
35 * sFlow datagram
36 *
37 * 0 1 2 3
38 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
39 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
40 * | Sflow version (2,4,5) |
41 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
42 * | IP version (1 for IPv4 | 2 for IPv6) |
43 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
44 * | IP Address AGENT (4 or 16 bytes) |
45 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
46 * | Sub agent ID |
47 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
48 * | Datagram sequence number |
49 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
50 * | Switch uptime in ms |
51 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
52 * | num samples in datagram |
53 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
54 *
55 */
56
57 struct sflow_datagram_t {
58 nd_uint32_t version;
59 nd_uint32_t ip_version;
60 nd_ipv4 agent;
61 nd_uint32_t agent_id;
62 nd_uint32_t seqnum;
63 nd_uint32_t uptime;
64 nd_uint32_t samples;
65 };
66
67 struct sflow_sample_header {
68 nd_uint32_t format;
69 nd_uint32_t len;
70 };
71
72 #define SFLOW_FLOW_SAMPLE 1
73 #define SFLOW_COUNTER_SAMPLE 2
74 #define SFLOW_EXPANDED_FLOW_SAMPLE 3
75 #define SFLOW_EXPANDED_COUNTER_SAMPLE 4
76
77 static const struct tok sflow_format_values[] = {
78 { SFLOW_FLOW_SAMPLE, "flow sample" },
79 { SFLOW_COUNTER_SAMPLE, "counter sample" },
80 { SFLOW_EXPANDED_FLOW_SAMPLE, "expanded flow sample" },
81 { SFLOW_EXPANDED_COUNTER_SAMPLE, "expanded counter sample" },
82 { 0, NULL}
83 };
84
85 struct sflow_flow_sample_t {
86 nd_uint32_t seqnum;
87 nd_uint8_t type;
88 nd_uint24_t index;
89 nd_uint32_t rate;
90 nd_uint32_t pool;
91 nd_uint32_t drops;
92 nd_uint32_t in_interface;
93 nd_uint32_t out_interface;
94 nd_uint32_t records;
95
96 };
97
98 struct sflow_expanded_flow_sample_t {
99 nd_uint32_t seqnum;
100 nd_uint32_t type;
101 nd_uint32_t index;
102 nd_uint32_t rate;
103 nd_uint32_t pool;
104 nd_uint32_t drops;
105 nd_uint32_t in_interface_format;
106 nd_uint32_t in_interface_value;
107 nd_uint32_t out_interface_format;
108 nd_uint32_t out_interface_value;
109 nd_uint32_t records;
110 };
111
112 #define SFLOW_FLOW_RAW_PACKET 1
113 #define SFLOW_FLOW_ETHERNET_FRAME 2
114 #define SFLOW_FLOW_IPV4_DATA 3
115 #define SFLOW_FLOW_IPV6_DATA 4
116 #define SFLOW_FLOW_EXTENDED_SWITCH_DATA 1001
117 #define SFLOW_FLOW_EXTENDED_ROUTER_DATA 1002
118 #define SFLOW_FLOW_EXTENDED_GATEWAY_DATA 1003
119 #define SFLOW_FLOW_EXTENDED_USER_DATA 1004
120 #define SFLOW_FLOW_EXTENDED_URL_DATA 1005
121 #define SFLOW_FLOW_EXTENDED_MPLS_DATA 1006
122 #define SFLOW_FLOW_EXTENDED_NAT_DATA 1007
123 #define SFLOW_FLOW_EXTENDED_MPLS_TUNNEL 1008
124 #define SFLOW_FLOW_EXTENDED_MPLS_VC 1009
125 #define SFLOW_FLOW_EXTENDED_MPLS_FEC 1010
126 #define SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC 1011
127 #define SFLOW_FLOW_EXTENDED_VLAN_TUNNEL 1012
128
129 static const struct tok sflow_flow_type_values[] = {
130 { SFLOW_FLOW_RAW_PACKET, "Raw packet"},
131 { SFLOW_FLOW_ETHERNET_FRAME, "Ethernet frame"},
132 { SFLOW_FLOW_IPV4_DATA, "IPv4 Data"},
133 { SFLOW_FLOW_IPV6_DATA, "IPv6 Data"},
134 { SFLOW_FLOW_EXTENDED_SWITCH_DATA, "Extended Switch data"},
135 { SFLOW_FLOW_EXTENDED_ROUTER_DATA, "Extended Router data"},
136 { SFLOW_FLOW_EXTENDED_GATEWAY_DATA, "Extended Gateway data"},
137 { SFLOW_FLOW_EXTENDED_USER_DATA, "Extended User data"},
138 { SFLOW_FLOW_EXTENDED_URL_DATA, "Extended URL data"},
139 { SFLOW_FLOW_EXTENDED_MPLS_DATA, "Extended MPLS data"},
140 { SFLOW_FLOW_EXTENDED_NAT_DATA, "Extended NAT data"},
141 { SFLOW_FLOW_EXTENDED_MPLS_TUNNEL, "Extended MPLS tunnel"},
142 { SFLOW_FLOW_EXTENDED_MPLS_VC, "Extended MPLS VC"},
143 { SFLOW_FLOW_EXTENDED_MPLS_FEC, "Extended MPLS FEC"},
144 { SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC, "Extended MPLS LVP FEC"},
145 { SFLOW_FLOW_EXTENDED_VLAN_TUNNEL, "Extended VLAN Tunnel"},
146 { 0, NULL}
147 };
148
149 #define SFLOW_HEADER_PROTOCOL_ETHERNET 1
150 #define SFLOW_HEADER_PROTOCOL_IPV4 11
151 #define SFLOW_HEADER_PROTOCOL_IPV6 12
152
153 static const struct tok sflow_flow_raw_protocol_values[] = {
154 { SFLOW_HEADER_PROTOCOL_ETHERNET, "Ethernet"},
155 { SFLOW_HEADER_PROTOCOL_IPV4, "IPv4"},
156 { SFLOW_HEADER_PROTOCOL_IPV6, "IPv6"},
157 { 0, NULL}
158 };
159
160 struct sflow_expanded_flow_raw_t {
161 nd_uint32_t protocol;
162 nd_uint32_t length;
163 nd_uint32_t stripped_bytes;
164 nd_uint32_t header_size;
165 };
166
167 struct sflow_ethernet_frame_t {
168 nd_uint32_t length;
169 nd_byte src_mac[8];
170 nd_byte dst_mac[8];
171 nd_uint32_t type;
172 };
173
174 struct sflow_extended_switch_data_t {
175 nd_uint32_t src_vlan;
176 nd_uint32_t src_pri;
177 nd_uint32_t dst_vlan;
178 nd_uint32_t dst_pri;
179 };
180
181 struct sflow_counter_record_t {
182 nd_uint32_t format;
183 nd_uint32_t length;
184 };
185
186 struct sflow_flow_record_t {
187 nd_uint32_t format;
188 nd_uint32_t length;
189 };
190
191 struct sflow_counter_sample_t {
192 nd_uint32_t seqnum;
193 nd_uint8_t type;
194 nd_uint24_t index;
195 nd_uint32_t records;
196 };
197
198 struct sflow_expanded_counter_sample_t {
199 nd_uint32_t seqnum;
200 nd_uint32_t type;
201 nd_uint32_t index;
202 nd_uint32_t records;
203 };
204
205 #define SFLOW_COUNTER_GENERIC 1
206 #define SFLOW_COUNTER_ETHERNET 2
207 #define SFLOW_COUNTER_TOKEN_RING 3
208 #define SFLOW_COUNTER_BASEVG 4
209 #define SFLOW_COUNTER_VLAN 5
210 #define SFLOW_COUNTER_PROCESSOR 1001
211
212 static const struct tok sflow_counter_type_values[] = {
213 { SFLOW_COUNTER_GENERIC, "Generic counter"},
214 { SFLOW_COUNTER_ETHERNET, "Ethernet counter"},
215 { SFLOW_COUNTER_TOKEN_RING, "Token ring counter"},
216 { SFLOW_COUNTER_BASEVG, "100 BaseVG counter"},
217 { SFLOW_COUNTER_VLAN, "Vlan counter"},
218 { SFLOW_COUNTER_PROCESSOR, "Processor counter"},
219 { 0, NULL}
220 };
221
222 #define SFLOW_IFACE_DIRECTION_UNKNOWN 0
223 #define SFLOW_IFACE_DIRECTION_FULLDUPLEX 1
224 #define SFLOW_IFACE_DIRECTION_HALFDUPLEX 2
225 #define SFLOW_IFACE_DIRECTION_IN 3
226 #define SFLOW_IFACE_DIRECTION_OUT 4
227
228 static const struct tok sflow_iface_direction_values[] = {
229 { SFLOW_IFACE_DIRECTION_UNKNOWN, "unknown"},
230 { SFLOW_IFACE_DIRECTION_FULLDUPLEX, "full-duplex"},
231 { SFLOW_IFACE_DIRECTION_HALFDUPLEX, "half-duplex"},
232 { SFLOW_IFACE_DIRECTION_IN, "in"},
233 { SFLOW_IFACE_DIRECTION_OUT, "out"},
234 { 0, NULL}
235 };
236
237 struct sflow_generic_counter_t {
238 nd_uint32_t ifindex;
239 nd_uint32_t iftype;
240 nd_uint64_t ifspeed;
241 nd_uint32_t ifdirection;
242 nd_uint32_t ifstatus;
243 nd_uint64_t ifinoctets;
244 nd_uint32_t ifinunicastpkts;
245 nd_uint32_t ifinmulticastpkts;
246 nd_uint32_t ifinbroadcastpkts;
247 nd_uint32_t ifindiscards;
248 nd_uint32_t ifinerrors;
249 nd_uint32_t ifinunkownprotos;
250 nd_uint64_t ifoutoctets;
251 nd_uint32_t ifoutunicastpkts;
252 nd_uint32_t ifoutmulticastpkts;
253 nd_uint32_t ifoutbroadcastpkts;
254 nd_uint32_t ifoutdiscards;
255 nd_uint32_t ifouterrors;
256 nd_uint32_t ifpromiscmode;
257 };
258
259 struct sflow_ethernet_counter_t {
260 nd_uint32_t alignerrors;
261 nd_uint32_t fcserrors;
262 nd_uint32_t single_collision_frames;
263 nd_uint32_t multiple_collision_frames;
264 nd_uint32_t test_errors;
265 nd_uint32_t deferred_transmissions;
266 nd_uint32_t late_collisions;
267 nd_uint32_t excessive_collisions;
268 nd_uint32_t mac_transmit_errors;
269 nd_uint32_t carrier_sense_errors;
270 nd_uint32_t frame_too_longs;
271 nd_uint32_t mac_receive_errors;
272 nd_uint32_t symbol_errors;
273 };
274
275 struct sflow_100basevg_counter_t {
276 nd_uint32_t in_highpriority_frames;
277 nd_uint64_t in_highpriority_octets;
278 nd_uint32_t in_normpriority_frames;
279 nd_uint64_t in_normpriority_octets;
280 nd_uint32_t in_ipmerrors;
281 nd_uint32_t in_oversized;
282 nd_uint32_t in_data_errors;
283 nd_uint32_t in_null_addressed_frames;
284 nd_uint32_t out_highpriority_frames;
285 nd_uint64_t out_highpriority_octets;
286 nd_uint32_t transitioninto_frames;
287 nd_uint64_t hc_in_highpriority_octets;
288 nd_uint64_t hc_in_normpriority_octets;
289 nd_uint64_t hc_out_highpriority_octets;
290 };
291
292 struct sflow_vlan_counter_t {
293 nd_uint32_t vlan_id;
294 nd_uint64_t octets;
295 nd_uint32_t unicast_pkt;
296 nd_uint32_t multicast_pkt;
297 nd_uint32_t broadcast_pkt;
298 nd_uint32_t discards;
299 };
300
301 static int
302 print_sflow_counter_generic(netdissect_options *ndo,
303 const u_char *pointer, u_int len)
304 {
305 const struct sflow_generic_counter_t *sflow_gen_counter;
306
307 if (len < sizeof(struct sflow_generic_counter_t))
308 return 1;
309
310 sflow_gen_counter = (const struct sflow_generic_counter_t *)pointer;
311 ND_TCHECK_SIZE(sflow_gen_counter);
312 ND_PRINT("\n\t ifindex %u, iftype %u, ifspeed %" PRIu64 ", ifdirection %u (%s)",
313 GET_BE_U_4(sflow_gen_counter->ifindex),
314 GET_BE_U_4(sflow_gen_counter->iftype),
315 GET_BE_U_8(sflow_gen_counter->ifspeed),
316 GET_BE_U_4(sflow_gen_counter->ifdirection),
317 tok2str(sflow_iface_direction_values, "Unknown",
318 GET_BE_U_4(sflow_gen_counter->ifdirection)));
319 ND_PRINT("\n\t ifstatus %u, adminstatus: %s, operstatus: %s",
320 GET_BE_U_4(sflow_gen_counter->ifstatus),
321 GET_BE_U_4(sflow_gen_counter->ifstatus)&1 ? "up" : "down",
322 (GET_BE_U_4(sflow_gen_counter->ifstatus)>>1)&1 ? "up" : "down");
323 ND_PRINT("\n\t In octets %" PRIu64
324 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u",
325 GET_BE_U_8(sflow_gen_counter->ifinoctets),
326 GET_BE_U_4(sflow_gen_counter->ifinunicastpkts),
327 GET_BE_U_4(sflow_gen_counter->ifinmulticastpkts),
328 GET_BE_U_4(sflow_gen_counter->ifinbroadcastpkts),
329 GET_BE_U_4(sflow_gen_counter->ifindiscards));
330 ND_PRINT("\n\t In errors %u, unknown protos %u",
331 GET_BE_U_4(sflow_gen_counter->ifinerrors),
332 GET_BE_U_4(sflow_gen_counter->ifinunkownprotos));
333 ND_PRINT("\n\t Out octets %" PRIu64
334 ", unicast pkts %u, multicast pkts %u, broadcast pkts %u, discards %u",
335 GET_BE_U_8(sflow_gen_counter->ifoutoctets),
336 GET_BE_U_4(sflow_gen_counter->ifoutunicastpkts),
337 GET_BE_U_4(sflow_gen_counter->ifoutmulticastpkts),
338 GET_BE_U_4(sflow_gen_counter->ifoutbroadcastpkts),
339 GET_BE_U_4(sflow_gen_counter->ifoutdiscards));
340 ND_PRINT("\n\t Out errors %u, promisc mode %u",
341 GET_BE_U_4(sflow_gen_counter->ifouterrors),
342 GET_BE_U_4(sflow_gen_counter->ifpromiscmode));
343
344 return 0;
345
346 trunc:
347 return 1;
348 }
349
350 static int
351 print_sflow_counter_ethernet(netdissect_options *ndo,
352 const u_char *pointer, u_int len)
353 {
354 const struct sflow_ethernet_counter_t *sflow_eth_counter;
355
356 if (len < sizeof(struct sflow_ethernet_counter_t))
357 return 1;
358
359 sflow_eth_counter = (const struct sflow_ethernet_counter_t *)pointer;
360 ND_TCHECK_SIZE(sflow_eth_counter);
361 ND_PRINT("\n\t align errors %u, fcs errors %u, single collision %u, multiple collision %u, test error %u",
362 GET_BE_U_4(sflow_eth_counter->alignerrors),
363 GET_BE_U_4(sflow_eth_counter->fcserrors),
364 GET_BE_U_4(sflow_eth_counter->single_collision_frames),
365 GET_BE_U_4(sflow_eth_counter->multiple_collision_frames),
366 GET_BE_U_4(sflow_eth_counter->test_errors));
367 ND_PRINT("\n\t deferred %u, late collision %u, excessive collision %u, mac trans error %u",
368 GET_BE_U_4(sflow_eth_counter->deferred_transmissions),
369 GET_BE_U_4(sflow_eth_counter->late_collisions),
370 GET_BE_U_4(sflow_eth_counter->excessive_collisions),
371 GET_BE_U_4(sflow_eth_counter->mac_transmit_errors));
372 ND_PRINT("\n\t carrier error %u, frames too long %u, mac receive errors %u, symbol errors %u",
373 GET_BE_U_4(sflow_eth_counter->carrier_sense_errors),
374 GET_BE_U_4(sflow_eth_counter->frame_too_longs),
375 GET_BE_U_4(sflow_eth_counter->mac_receive_errors),
376 GET_BE_U_4(sflow_eth_counter->symbol_errors));
377
378 return 0;
379
380 trunc:
381 return 1;
382 }
383
384 static int
385 print_sflow_counter_token_ring(netdissect_options *ndo _U_,
386 const u_char *pointer _U_, u_int len _U_)
387 {
388 return 0;
389 }
390
391 static int
392 print_sflow_counter_basevg(netdissect_options *ndo,
393 const u_char *pointer, u_int len)
394 {
395 const struct sflow_100basevg_counter_t *sflow_100basevg_counter;
396
397 if (len < sizeof(struct sflow_100basevg_counter_t))
398 return 1;
399
400 sflow_100basevg_counter = (const struct sflow_100basevg_counter_t *)pointer;
401 ND_TCHECK_SIZE(sflow_100basevg_counter);
402 ND_PRINT("\n\t in high prio frames %u, in high prio octets %" PRIu64,
403 GET_BE_U_4(sflow_100basevg_counter->in_highpriority_frames),
404 GET_BE_U_8(sflow_100basevg_counter->in_highpriority_octets));
405 ND_PRINT("\n\t in norm prio frames %u, in norm prio octets %" PRIu64,
406 GET_BE_U_4(sflow_100basevg_counter->in_normpriority_frames),
407 GET_BE_U_8(sflow_100basevg_counter->in_normpriority_octets));
408 ND_PRINT("\n\t in ipm errors %u, oversized %u, in data errors %u, null addressed frames %u",
409 GET_BE_U_4(sflow_100basevg_counter->in_ipmerrors),
410 GET_BE_U_4(sflow_100basevg_counter->in_oversized),
411 GET_BE_U_4(sflow_100basevg_counter->in_data_errors),
412 GET_BE_U_4(sflow_100basevg_counter->in_null_addressed_frames));
413 ND_PRINT("\n\t out high prio frames %u, out high prio octets %" PRIu64
414 ", trans into frames %u",
415 GET_BE_U_4(sflow_100basevg_counter->out_highpriority_frames),
416 GET_BE_U_8(sflow_100basevg_counter->out_highpriority_octets),
417 GET_BE_U_4(sflow_100basevg_counter->transitioninto_frames));
418 ND_PRINT("\n\t in hc high prio octets %" PRIu64
419 ", in hc norm prio octets %" PRIu64
420 ", out hc high prio octets %" PRIu64,
421 GET_BE_U_8(sflow_100basevg_counter->hc_in_highpriority_octets),
422 GET_BE_U_8(sflow_100basevg_counter->hc_in_normpriority_octets),
423 GET_BE_U_8(sflow_100basevg_counter->hc_out_highpriority_octets));
424
425 return 0;
426
427 trunc:
428 return 1;
429 }
430
431 static int
432 print_sflow_counter_vlan(netdissect_options *ndo,
433 const u_char *pointer, u_int len)
434 {
435 const struct sflow_vlan_counter_t *sflow_vlan_counter;
436
437 if (len < sizeof(struct sflow_vlan_counter_t))
438 return 1;
439
440 sflow_vlan_counter = (const struct sflow_vlan_counter_t *)pointer;
441 ND_TCHECK_SIZE(sflow_vlan_counter);
442 ND_PRINT("\n\t vlan_id %u, octets %" PRIu64
443 ", unicast_pkt %u, multicast_pkt %u, broadcast_pkt %u, discards %u",
444 GET_BE_U_4(sflow_vlan_counter->vlan_id),
445 GET_BE_U_8(sflow_vlan_counter->octets),
446 GET_BE_U_4(sflow_vlan_counter->unicast_pkt),
447 GET_BE_U_4(sflow_vlan_counter->multicast_pkt),
448 GET_BE_U_4(sflow_vlan_counter->broadcast_pkt),
449 GET_BE_U_4(sflow_vlan_counter->discards));
450
451 return 0;
452
453 trunc:
454 return 1;
455 }
456
457 struct sflow_processor_counter_t {
458 nd_uint32_t five_sec_util;
459 nd_uint32_t one_min_util;
460 nd_uint32_t five_min_util;
461 nd_uint64_t total_memory;
462 nd_uint64_t free_memory;
463 };
464
465 static int
466 print_sflow_counter_processor(netdissect_options *ndo,
467 const u_char *pointer, u_int len)
468 {
469 const struct sflow_processor_counter_t *sflow_processor_counter;
470
471 if (len < sizeof(struct sflow_processor_counter_t))
472 return 1;
473
474 sflow_processor_counter = (const struct sflow_processor_counter_t *)pointer;
475 ND_TCHECK_SIZE(sflow_processor_counter);
476 ND_PRINT("\n\t 5sec %u, 1min %u, 5min %u, total_mem %" PRIu64
477 ", total_mem %" PRIu64,
478 GET_BE_U_4(sflow_processor_counter->five_sec_util),
479 GET_BE_U_4(sflow_processor_counter->one_min_util),
480 GET_BE_U_4(sflow_processor_counter->five_min_util),
481 GET_BE_U_8(sflow_processor_counter->total_memory),
482 GET_BE_U_8(sflow_processor_counter->free_memory));
483
484 return 0;
485
486 trunc:
487 return 1;
488 }
489
490 static int
491 sflow_print_counter_records(netdissect_options *ndo,
492 const u_char *pointer, u_int len, u_int records)
493 {
494 u_int nrecords;
495 const u_char *tptr;
496 u_int tlen;
497 u_int counter_type;
498 u_int counter_len;
499 u_int enterprise;
500 const struct sflow_counter_record_t *sflow_counter_record;
501
502 nrecords = records;
503 tptr = pointer;
504 tlen = len;
505
506 while (nrecords > 0) {
507 /* do we have the "header?" */
508 if (tlen < sizeof(struct sflow_counter_record_t))
509 return 1;
510 sflow_counter_record = (const struct sflow_counter_record_t *)tptr;
511 ND_TCHECK_SIZE(sflow_counter_record);
512
513 enterprise = GET_BE_U_4(sflow_counter_record->format);
514 counter_type = enterprise & 0x0FFF;
515 enterprise = enterprise >> 20;
516 counter_len = GET_BE_U_4(sflow_counter_record->length);
517 ND_PRINT("\n\t enterprise %u, %s (%u) length %u",
518 enterprise,
519 (enterprise == 0) ? tok2str(sflow_counter_type_values,"Unknown",counter_type) : "Unknown",
520 counter_type,
521 counter_len);
522
523 tptr += sizeof(struct sflow_counter_record_t);
524 tlen -= sizeof(struct sflow_counter_record_t);
525
526 if (tlen < counter_len)
527 return 1;
528 if (enterprise == 0) {
529 switch (counter_type) {
530 case SFLOW_COUNTER_GENERIC:
531 if (print_sflow_counter_generic(ndo, tptr, tlen))
532 return 1;
533 break;
534 case SFLOW_COUNTER_ETHERNET:
535 if (print_sflow_counter_ethernet(ndo, tptr, tlen))
536 return 1;
537 break;
538 case SFLOW_COUNTER_TOKEN_RING:
539 if (print_sflow_counter_token_ring(ndo, tptr,tlen))
540 return 1;
541 break;
542 case SFLOW_COUNTER_BASEVG:
543 if (print_sflow_counter_basevg(ndo, tptr, tlen))
544 return 1;
545 break;
546 case SFLOW_COUNTER_VLAN:
547 if (print_sflow_counter_vlan(ndo, tptr, tlen))
548 return 1;
549 break;
550 case SFLOW_COUNTER_PROCESSOR:
551 if (print_sflow_counter_processor(ndo, tptr, tlen))
552 return 1;
553 break;
554 default:
555 if (ndo->ndo_vflag <= 1)
556 print_unknown_data(ndo, tptr, "\n\t\t", counter_len);
557 break;
558 }
559 }
560 tptr += counter_len;
561 tlen -= counter_len;
562 nrecords--;
563
564 }
565
566 return 0;
567
568 trunc:
569 return 1;
570 }
571
572 static int
573 sflow_print_counter_sample(netdissect_options *ndo,
574 const u_char *pointer, u_int len)
575 {
576 const struct sflow_counter_sample_t *sflow_counter_sample;
577 u_int nrecords;
578
579 if (len < sizeof(struct sflow_counter_sample_t))
580 return 1;
581
582 sflow_counter_sample = (const struct sflow_counter_sample_t *)pointer;
583 ND_TCHECK_SIZE(sflow_counter_sample);
584
585 nrecords = GET_BE_U_4(sflow_counter_sample->records);
586
587 ND_PRINT(" seqnum %u, type %u, idx %u, records %u",
588 GET_BE_U_4(sflow_counter_sample->seqnum),
589 GET_U_1(sflow_counter_sample->type),
590 GET_BE_U_3(sflow_counter_sample->index),
591 nrecords);
592
593 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_counter_sample_t),
594 len - sizeof(struct sflow_counter_sample_t),
595 nrecords);
596
597 trunc:
598 return 1;
599 }
600
601 static int
602 sflow_print_expanded_counter_sample(netdissect_options *ndo,
603 const u_char *pointer, u_int len)
604 {
605 const struct sflow_expanded_counter_sample_t *sflow_expanded_counter_sample;
606 u_int nrecords;
607
608
609 if (len < sizeof(struct sflow_expanded_counter_sample_t))
610 return 1;
611
612 sflow_expanded_counter_sample = (const struct sflow_expanded_counter_sample_t *)pointer;
613 ND_TCHECK_SIZE(sflow_expanded_counter_sample);
614
615 nrecords = GET_BE_U_4(sflow_expanded_counter_sample->records);
616
617 ND_PRINT(" seqnum %u, type %u, idx %u, records %u",
618 GET_BE_U_4(sflow_expanded_counter_sample->seqnum),
619 GET_BE_U_4(sflow_expanded_counter_sample->type),
620 GET_BE_U_4(sflow_expanded_counter_sample->index),
621 nrecords);
622
623 return sflow_print_counter_records(ndo, pointer + sizeof(struct sflow_expanded_counter_sample_t),
624 len - sizeof(struct sflow_expanded_counter_sample_t),
625 nrecords);
626
627 trunc:
628 return 1;
629 }
630
631 static int
632 print_sflow_raw_packet(netdissect_options *ndo,
633 const u_char *pointer, u_int len)
634 {
635 const struct sflow_expanded_flow_raw_t *sflow_flow_raw;
636
637 if (len < sizeof(struct sflow_expanded_flow_raw_t))
638 return 1;
639
640 sflow_flow_raw = (const struct sflow_expanded_flow_raw_t *)pointer;
641 ND_TCHECK_SIZE(sflow_flow_raw);
642 ND_PRINT("\n\t protocol %s (%u), length %u, stripped bytes %u, header_size %u",
643 tok2str(sflow_flow_raw_protocol_values,"Unknown",GET_BE_U_4(sflow_flow_raw->protocol)),
644 GET_BE_U_4(sflow_flow_raw->protocol),
645 GET_BE_U_4(sflow_flow_raw->length),
646 GET_BE_U_4(sflow_flow_raw->stripped_bytes),
647 GET_BE_U_4(sflow_flow_raw->header_size));
648
649 /* QUESTION - should we attempt to print the raw header itself?
650 assuming of course there is wnough data present to do so... */
651
652 return 0;
653
654 trunc:
655 return 1;
656 }
657
658 static int
659 print_sflow_ethernet_frame(netdissect_options *ndo,
660 const u_char *pointer, u_int len)
661 {
662 const struct sflow_ethernet_frame_t *sflow_ethernet_frame;
663
664 if (len < sizeof(struct sflow_ethernet_frame_t))
665 return 1;
666
667 sflow_ethernet_frame = (const struct sflow_ethernet_frame_t *)pointer;
668 ND_TCHECK_SIZE(sflow_ethernet_frame);
669
670 ND_PRINT("\n\t frame len %u, type %u",
671 GET_BE_U_4(sflow_ethernet_frame->length),
672 GET_BE_U_4(sflow_ethernet_frame->type));
673
674 return 0;
675
676 trunc:
677 return 1;
678 }
679
680 static int
681 print_sflow_extended_switch_data(netdissect_options *ndo,
682 const u_char *pointer, u_int len)
683 {
684 const struct sflow_extended_switch_data_t *sflow_extended_sw_data;
685
686 if (len < sizeof(struct sflow_extended_switch_data_t))
687 return 1;
688
689 sflow_extended_sw_data = (const struct sflow_extended_switch_data_t *)pointer;
690 ND_TCHECK_SIZE(sflow_extended_sw_data);
691 ND_PRINT("\n\t src vlan %u, src pri %u, dst vlan %u, dst pri %u",
692 GET_BE_U_4(sflow_extended_sw_data->src_vlan),
693 GET_BE_U_4(sflow_extended_sw_data->src_pri),
694 GET_BE_U_4(sflow_extended_sw_data->dst_vlan),
695 GET_BE_U_4(sflow_extended_sw_data->dst_pri));
696
697 return 0;
698
699 trunc:
700 return 1;
701 }
702
703 static int
704 sflow_print_flow_records(netdissect_options *ndo,
705 const u_char *pointer, u_int len, u_int records)
706 {
707 u_int nrecords;
708 const u_char *tptr;
709 u_int tlen;
710 u_int flow_type;
711 u_int enterprise;
712 u_int flow_len;
713 const struct sflow_flow_record_t *sflow_flow_record;
714
715 nrecords = records;
716 tptr = pointer;
717 tlen = len;
718
719 while (nrecords > 0) {
720 /* do we have the "header?" */
721 if (tlen < sizeof(struct sflow_flow_record_t))
722 return 1;
723
724 sflow_flow_record = (const struct sflow_flow_record_t *)tptr;
725 ND_TCHECK_SIZE(sflow_flow_record);
726
727 /* so, the funky encoding means we cannot blythly mask-off
728 bits, we must also check the enterprise. */
729
730 enterprise = GET_BE_U_4(sflow_flow_record->format);
731 flow_type = enterprise & 0x0FFF;
732 enterprise = enterprise >> 12;
733 flow_len = GET_BE_U_4(sflow_flow_record->length);
734 ND_PRINT("\n\t enterprise %u %s (%u) length %u",
735 enterprise,
736 (enterprise == 0) ? tok2str(sflow_flow_type_values,"Unknown",flow_type) : "Unknown",
737 flow_type,
738 flow_len);
739
740 tptr += sizeof(struct sflow_flow_record_t);
741 tlen -= sizeof(struct sflow_flow_record_t);
742
743 if (tlen < flow_len)
744 return 1;
745
746 if (enterprise == 0) {
747 switch (flow_type) {
748 case SFLOW_FLOW_RAW_PACKET:
749 if (print_sflow_raw_packet(ndo, tptr, tlen))
750 return 1;
751 break;
752 case SFLOW_FLOW_EXTENDED_SWITCH_DATA:
753 if (print_sflow_extended_switch_data(ndo, tptr, tlen))
754 return 1;
755 break;
756 case SFLOW_FLOW_ETHERNET_FRAME:
757 if (print_sflow_ethernet_frame(ndo, tptr, tlen))
758 return 1;
759 break;
760 /* FIXME these need a decoder */
761 case SFLOW_FLOW_IPV4_DATA:
762 case SFLOW_FLOW_IPV6_DATA:
763 case SFLOW_FLOW_EXTENDED_ROUTER_DATA:
764 case SFLOW_FLOW_EXTENDED_GATEWAY_DATA:
765 case SFLOW_FLOW_EXTENDED_USER_DATA:
766 case SFLOW_FLOW_EXTENDED_URL_DATA:
767 case SFLOW_FLOW_EXTENDED_MPLS_DATA:
768 case SFLOW_FLOW_EXTENDED_NAT_DATA:
769 case SFLOW_FLOW_EXTENDED_MPLS_TUNNEL:
770 case SFLOW_FLOW_EXTENDED_MPLS_VC:
771 case SFLOW_FLOW_EXTENDED_MPLS_FEC:
772 case SFLOW_FLOW_EXTENDED_MPLS_LVP_FEC:
773 case SFLOW_FLOW_EXTENDED_VLAN_TUNNEL:
774 break;
775 default:
776 if (ndo->ndo_vflag <= 1)
777 print_unknown_data(ndo, tptr, "\n\t\t", flow_len);
778 break;
779 }
780 }
781 tptr += flow_len;
782 tlen -= flow_len;
783 nrecords--;
784
785 }
786
787 return 0;
788
789 trunc:
790 return 1;
791 }
792
793 static int
794 sflow_print_flow_sample(netdissect_options *ndo,
795 const u_char *pointer, u_int len)
796 {
797 const struct sflow_flow_sample_t *sflow_flow_sample;
798 u_int nrecords;
799
800 if (len < sizeof(struct sflow_flow_sample_t))
801 return 1;
802
803 sflow_flow_sample = (const struct sflow_flow_sample_t *)pointer;
804 ND_TCHECK_SIZE(sflow_flow_sample);
805
806 nrecords = GET_BE_U_4(sflow_flow_sample->records);
807
808 ND_PRINT(" seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, input %u output %u records %u",
809 GET_BE_U_4(sflow_flow_sample->seqnum),
810 GET_U_1(sflow_flow_sample->type),
811 GET_BE_U_3(sflow_flow_sample->index),
812 GET_BE_U_4(sflow_flow_sample->rate),
813 GET_BE_U_4(sflow_flow_sample->pool),
814 GET_BE_U_4(sflow_flow_sample->drops),
815 GET_BE_U_4(sflow_flow_sample->in_interface),
816 GET_BE_U_4(sflow_flow_sample->out_interface),
817 nrecords);
818
819 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_flow_sample_t),
820 len - sizeof(struct sflow_flow_sample_t),
821 nrecords);
822
823 trunc:
824 return 1;
825 }
826
827 static int
828 sflow_print_expanded_flow_sample(netdissect_options *ndo,
829 const u_char *pointer, u_int len)
830 {
831 const struct sflow_expanded_flow_sample_t *sflow_expanded_flow_sample;
832 u_int nrecords;
833
834 if (len < sizeof(struct sflow_expanded_flow_sample_t))
835 return 1;
836
837 sflow_expanded_flow_sample = (const struct sflow_expanded_flow_sample_t *)pointer;
838 ND_TCHECK_SIZE(sflow_expanded_flow_sample);
839
840 nrecords = GET_BE_U_4(sflow_expanded_flow_sample->records);
841
842 ND_PRINT(" seqnum %u, type %u, idx %u, rate %u, pool %u, drops %u, records %u",
843 GET_BE_U_4(sflow_expanded_flow_sample->seqnum),
844 GET_BE_U_4(sflow_expanded_flow_sample->type),
845 GET_BE_U_4(sflow_expanded_flow_sample->index),
846 GET_BE_U_4(sflow_expanded_flow_sample->rate),
847 GET_BE_U_4(sflow_expanded_flow_sample->pool),
848 GET_BE_U_4(sflow_expanded_flow_sample->drops),
849 GET_BE_U_4(sflow_expanded_flow_sample->records));
850
851 return sflow_print_flow_records(ndo, pointer + sizeof(struct sflow_expanded_flow_sample_t),
852 len - sizeof(struct sflow_expanded_flow_sample_t),
853 nrecords);
854
855 trunc:
856 return 1;
857 }
858
859 void
860 sflow_print(netdissect_options *ndo,
861 const u_char *pptr, u_int len)
862 {
863 const struct sflow_datagram_t *sflow_datagram;
864 const struct sflow_sample_header *sflow_sample;
865
866 const u_char *tptr;
867 u_int tlen;
868 uint32_t sflow_sample_type, sflow_sample_len;
869 uint32_t nsamples;
870
871 ndo->ndo_protocol = "sflow";
872 tptr = pptr;
873 tlen = len;
874 sflow_datagram = (const struct sflow_datagram_t *)pptr;
875 if (len < sizeof(struct sflow_datagram_t)) {
876 ND_PRINT("sFlowv%u", GET_BE_U_4(sflow_datagram->version));
877 ND_PRINT(" [length %u < %zu]", len, sizeof(struct sflow_datagram_t));
878 nd_print_invalid(ndo);
879 return;
880 }
881 ND_TCHECK_SIZE(sflow_datagram);
882
883 /*
884 * Sanity checking of the header.
885 */
886 if (GET_BE_U_4(sflow_datagram->version) != 5) {
887 ND_PRINT("sFlow version %u packet not supported",
888 GET_BE_U_4(sflow_datagram->version));
889 return;
890 }
891
892 if (ndo->ndo_vflag < 1) {
893 ND_PRINT("sFlowv%u, %s agent %s, agent-id %u, length %u",
894 GET_BE_U_4(sflow_datagram->version),
895 GET_BE_U_4(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6",
896 GET_IPADDR_STRING(sflow_datagram->agent),
897 GET_BE_U_4(sflow_datagram->agent_id),
898 len);
899 return;
900 }
901
902 /* ok they seem to want to know everything - lets fully decode it */
903 nsamples=GET_BE_U_4(sflow_datagram->samples);
904 ND_PRINT("sFlowv%u, %s agent %s, agent-id %u, seqnum %u, uptime %u, samples %u, length %u",
905 GET_BE_U_4(sflow_datagram->version),
906 GET_BE_U_4(sflow_datagram->ip_version) == 1 ? "IPv4" : "IPv6",
907 GET_IPADDR_STRING(sflow_datagram->agent),
908 GET_BE_U_4(sflow_datagram->agent_id),
909 GET_BE_U_4(sflow_datagram->seqnum),
910 GET_BE_U_4(sflow_datagram->uptime),
911 nsamples,
912 len);
913
914 /* skip Common header */
915 tptr += sizeof(struct sflow_datagram_t);
916 tlen -= sizeof(struct sflow_datagram_t);
917
918 while (nsamples > 0 && tlen > 0) {
919 sflow_sample = (const struct sflow_sample_header *)tptr;
920 ND_TCHECK_SIZE(sflow_sample);
921
922 sflow_sample_type = (GET_BE_U_4(sflow_sample->format)&0x0FFF);
923 sflow_sample_len = GET_BE_U_4(sflow_sample->len);
924
925 if (tlen < sizeof(struct sflow_sample_header))
926 goto trunc;
927
928 tptr += sizeof(struct sflow_sample_header);
929 tlen -= sizeof(struct sflow_sample_header);
930
931 ND_PRINT("\n\t%s (%u), length %u,",
932 tok2str(sflow_format_values, "Unknown", sflow_sample_type),
933 sflow_sample_type,
934 sflow_sample_len);
935
936 /* basic sanity check */
937 if (sflow_sample_type == 0 || sflow_sample_len ==0) {
938 return;
939 }
940
941 if (tlen < sflow_sample_len)
942 goto trunc;
943
944 /* did we capture enough for fully decoding the sample ? */
945 ND_TCHECK_LEN(tptr, sflow_sample_len);
946
947 switch(sflow_sample_type) {
948 case SFLOW_FLOW_SAMPLE:
949 if (sflow_print_flow_sample(ndo, tptr, tlen))
950 goto trunc;
951 break;
952
953 case SFLOW_COUNTER_SAMPLE:
954 if (sflow_print_counter_sample(ndo, tptr,tlen))
955 goto trunc;
956 break;
957
958 case SFLOW_EXPANDED_FLOW_SAMPLE:
959 if (sflow_print_expanded_flow_sample(ndo, tptr, tlen))
960 goto trunc;
961 break;
962
963 case SFLOW_EXPANDED_COUNTER_SAMPLE:
964 if (sflow_print_expanded_counter_sample(ndo, tptr,tlen))
965 goto trunc;
966 break;
967
968 default:
969 if (ndo->ndo_vflag <= 1)
970 print_unknown_data(ndo, tptr, "\n\t ", sflow_sample_len);
971 break;
972 }
973 tptr += sflow_sample_len;
974 tlen -= sflow_sample_len;
975 nsamples--;
976 }
977 return;
978
979 trunc:
980 nd_print_trunc(ndo);
981 }
[mirror] the TCPdump network dissector