-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathngx_http_sflow.h
314 lines (268 loc) · 10.3 KB
/
ngx_http_sflow.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
/* Copyright (c) 2002-2014 InMon Corp. Licensed under the terms of the InMon sFlow licence: */
/* http://www.inmon.com/technology/sflowlicense.txt */
#ifndef SFLOW_H
#define SFLOW_H 1
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
typedef unsigned char byte_t;
/* #include <stdbool.h> */
#define true 1
#define false 0
/* use 32-bits for bool_t to help avoid unaligned fields */
typedef uint32_t bool_t;
typedef struct {
uint32_t addr;
} SFLIPv4;
typedef struct {
byte_t addr[16];
} SFLIPv6;
typedef union _SFLAddress_value {
SFLIPv4 ip_v4;
SFLIPv6 ip_v6;
} SFLAddress_value;
enum SFLAddress_type {
SFLADDRESSTYPE_UNDEFINED = 0,
SFLADDRESSTYPE_IP_V4 = 1,
SFLADDRESSTYPE_IP_V6 = 2
};
typedef struct _SFLAddress {
uint32_t type; /* enum SFLAddress_type */
SFLAddress_value address;
} SFLAddress;
enum SFL_DSCLASS {
SFL_DSCLASS_IFINDEX=0,
SFL_DSCLASS_VLAN=1,
SFL_DSCLASS_PHYSICAL_ENTITY=2,
SFL_DSCLASS_LOGICAL_ENTITY=3
};
/* Packet header data */
#define SFL_DEFAULT_HEADER_SIZE 128
#define SFL_DEFAULT_COLLECTOR_PORT 6343
#define SFL_DEFAULT_SAMPLING_RATE 400
#define SFL_DEFAULT_POLLING_INTERVAL 30
/* Extended data types */
typedef struct _SFLString {
uint32_t len;
const byte_t *str;
} SFLString;
/* Extended socket information,
Must be filled in for all application transactions associated with a network socket
Omit if transaction associated with non-network IPC */
/* IPv4 Socket */
/* opaque = flow_data; enterprise = 0; format = 2100 */
typedef struct _SFLExtended_socket_ipv4 {
uint32_t protocol; /* IP Protocol (e.g. TCP = 6, UDP = 17) */
SFLIPv4 local_ip; /* local IP address */
SFLIPv4 remote_ip; /* remote IP address */
uint32_t local_port; /* TCP/UDP local port number or equivalent */
uint32_t remote_port; /* TCP/UDP remote port number of equivalent */
} SFLExtended_socket_ipv4;
#define XDRSIZ_SFLEXTENDED_SOCKET4 20
/* IPv6 Socket */
/* opaque = flow_data; enterprise = 0; format = 2101 */
typedef struct _SFLExtended_socket_ipv6 {
uint32_t protocol; /* IP Protocol (e.g. TCP = 6, UDP = 17) */
SFLIPv6 local_ip; /* local IP address */
SFLIPv6 remote_ip; /* remote IP address */
uint32_t local_port; /* TCP/UDP local port number or equivalent */
uint32_t remote_port; /* TCP/UDP remote port number of equivalent */
} SFLExtended_socket_ipv6;
#define XDRSIZ_SFLEXTENDED_SOCKET6 44
typedef enum {
SFHTTP_OTHER = 0,
SFHTTP_OPTIONS = 1,
SFHTTP_GET = 2,
SFHTTP_HEAD = 3,
SFHTTP_POST = 4,
SFHTTP_PUT = 5,
SFHTTP_DELETE = 6,
SFHTTP_TRACE = 7,
SFHTTP_CONNECT = 8,
} SFLHTTP_method;
typedef struct _SFLSampled_http {
SFLHTTP_method method;
uint32_t protocol; /* 1.1 = 1001 */
SFLString uri; /* URI exactly as it came from the client */
SFLString host; /* Host value from request header */
SFLString referrer; /* Referer value from request header */
SFLString useragent; /* User-Agent value from request header */
SFLString xff; /* X-Forwarded-For from request header */
SFLString authuser; /* RFC 1413 identity of user*/
SFLString mimetype; /* Mime-Type */
uint64_t req_bytes; /* Content-Length of request */
uint64_t resp_bytes; /* Content-Length of response */
uint32_t uS; /* duration of the operation (microseconds) */
uint32_t status; /* HTTP status code */
} SFLSampled_http;
#define SFLHTTP_MAX_URI_LEN 255
#define SFLHTTP_MAX_HOST_LEN 64
#define SFLHTTP_MAX_REFERRER_LEN 255
#define SFLHTTP_MAX_USERAGENT_LEN 128
#define SFLHTTP_MAX_XFF_LEN 64
#define SFLHTTP_MAX_AUTHUSER_LEN 32
#define SFLHTTP_MAX_MIMETYPE_LEN 64
enum SFLFlow_type_tag {
/* enterprise = 0, format = ... */
SFLFLOW_EX_SOCKET4 = 2100,
SFLFLOW_EX_SOCKET6 = 2101,
/* SFLFLOW_MEMCACHE = 2200, */
SFLFLOW_HTTP = 2206,
};
typedef union _SFLFlow_type {
SFLSampled_http http;
SFLExtended_socket_ipv4 socket4;
SFLExtended_socket_ipv6 socket6;
} SFLFlow_type;
typedef struct _SFLFlow_sample_element {
struct _SFLFlow_sample_element *nxt;
uint32_t tag; /* SFLFlow_type_tag */
uint32_t length;
SFLFlow_type flowType;
} SFLFlow_sample_element;
enum SFL_sample_tag {
SFLFLOW_SAMPLE = 1, /* enterprise = 0 : format = 1 */
SFLCOUNTERS_SAMPLE = 2, /* enterprise = 0 : format = 2 */
SFLFLOW_SAMPLE_EXPANDED = 3, /* enterprise = 0 : format = 3 */
SFLCOUNTERS_SAMPLE_EXPANDED = 4 /* enterprise = 0 : format = 4 */
};
/* Format of a single flow sample */
typedef struct _SFLFlow_sample {
/* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */
/* uint32_t length; */
uint32_t sequence_number; /* Incremented with each flow sample
generated */
uint32_t source_id; /* fsSourceId */
uint32_t sampling_rate; /* fsPacketSamplingRate */
uint32_t sample_pool; /* Total number of packets that could have been
sampled (i.e. packets skipped by sampling
process + total number of samples) */
uint32_t drops; /* Number of times a packet was dropped due to
lack of resources */
uint32_t input; /* SNMP ifIndex of input interface.
0 if interface is not known. */
uint32_t output; /* SNMP ifIndex of output interface,
0 if interface is not known.
Set most significant bit to indicate
multiple destination interfaces
(i.e. in case of broadcast or multicast)
and set lower order bits to indicate
number of destination interfaces.
Examples:
0x00000002 indicates ifIndex = 2
0x00000000 ifIndex unknown.
0x80000007 indicates a packet sent
to 7 interfaces.
0x80000000 indicates a packet sent to
an unknown number of
interfaces greater than 1.*/
uint32_t num_elements;
SFLFlow_sample_element *elements;
} SFLFlow_sample;
/* same thing, but the expanded version (for full 32-bit ifIndex numbers) */
typedef struct _SFLFlow_sample_expanded {
/* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 1 */
/* uint32_t length; */
uint32_t sequence_number; /* Incremented with each flow sample
generated */
uint32_t ds_class; /* EXPANDED */
uint32_t ds_index; /* EXPANDED */
uint32_t sampling_rate; /* fsPacketSamplingRate */
uint32_t sample_pool; /* Total number of packets that could have been
sampled (i.e. packets skipped by sampling
process + total number of samples) */
uint32_t drops; /* Number of times a packet was dropped due to
lack of resources */
uint32_t inputFormat; /* EXPANDED */
uint32_t input; /* SNMP ifIndex of input interface.
0 if interface is not known. */
uint32_t outputFormat; /* EXPANDED */
uint32_t output; /* SNMP ifIndex of output interface,
0 if interface is not known. */
uint32_t num_elements;
SFLFlow_sample_element *elements;
} SFLFlow_sample_expanded;
/* Counter types */
typedef struct _SFLHTTP_counters {
uint32_t method_option_count;
uint32_t method_get_count;
uint32_t method_head_count;
uint32_t method_post_count;
uint32_t method_put_count;
uint32_t method_delete_count;
uint32_t method_trace_count;
uint32_t method_connect_count;
uint32_t method_other_count;
uint32_t status_1XX_count;
uint32_t status_2XX_count;
uint32_t status_3XX_count;
uint32_t status_4XX_count;
uint32_t status_5XX_count;
uint32_t status_other_count;
} SFLHTTP_counters;
#define XDRSIZ_SFLHTTP_COUNTERS (15*4)
typedef struct _SFLHost_par_counters {
uint32_t dsClass; /* sFlowDataSource class */
uint32_t dsIndex; /* sFlowDataSource index */
} SFLHost_par_counters;
/* Counters data */
enum SFLCounters_type_tag {
/* enterprise = 0, format = ... */
SFLCOUNTERS_HOST_PAR = 2002, /* host parent */
SFLCOUNTERS_HTTP = 2201, /* http counters */
};
typedef union _SFLCounters_type {
SFLHost_par_counters host_par;
SFLHTTP_counters http;
} SFLCounters_type;
typedef struct _SFLCounters_sample_element {
struct _SFLCounters_sample_element *nxt; /* linked list */
uint32_t tag; /* SFLCounters_type_tag */
uint32_t length;
SFLCounters_type counterBlock;
} SFLCounters_sample_element;
typedef struct _SFLCounters_sample {
/* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 2 */
/* uint32_t length; */
uint32_t sequence_number; /* Incremented with each counters sample
generated by this source_id */
uint32_t source_id; /* fsSourceId */
uint32_t num_elements;
SFLCounters_sample_element *elements;
} SFLCounters_sample;
/* same thing, but the expanded version, so ds_index can be a full 32 bits */
typedef struct _SFLCounters_sample_expanded {
/* uint32_t tag; */ /* SFL_sample_tag -- enterprise = 0 : format = 2 */
/* uint32_t length; */
uint32_t sequence_number; /* Incremented with each counters sample
generated by this source_id */
uint32_t ds_class; /* EXPANDED */
uint32_t ds_index; /* EXPANDED */
uint32_t num_elements;
SFLCounters_sample_element *elements;
} SFLCounters_sample_expanded;
#define SFLADD_ELEMENT(_sm, _el) do { (_el)->nxt = (_sm)->elements; (_sm)->elements = (_el); } while(0)
/* Format of a sample datagram */
enum SFLDatagram_version {
SFLDATAGRAM_VERSION2 = 2,
SFLDATAGRAM_VERSION4 = 4,
SFLDATAGRAM_VERSION5 = 5
};
typedef struct _SFLSample_datagram_hdr {
uint32_t datagram_version; /* (enum SFLDatagram_version) = VERSION5 = 5 */
SFLAddress agent_address; /* IP address of sampling agent */
uint32_t sub_agent_id; /* Used to distinguishing between datagram
streams from separate agent sub entities
within an device. */
uint32_t sequence_number; /* Incremented with each sample datagram
generated */
uint32_t uptime; /* Current time (in milliseconds since device
last booted). Should be set as close to
datagram transmission time as possible.*/
uint32_t num_records; /* Number of tag-len-val flow/counter records to follow */
} SFLSample_datagram_hdr;
#define SFL_MAX_DATAGRAM_SIZE 1500
#define SFL_MIN_DATAGRAM_SIZE 200
#define SFL_DEFAULT_DATAGRAM_SIZE 1400
#define SFL_DATA_PAD 400
#endif /* SFLOW_H */