175115Sfenner/* $OpenBSD: print-cnfp.c,v 1.2 1998/06/25 20:26:59 mickey Exp $ */ 275115Sfenner 375115Sfenner/* 475115Sfenner * Copyright (c) 1998 Michael Shalayeff 575115Sfenner * All rights reserved. 675115Sfenner * 775115Sfenner * Redistribution and use in source and binary forms, with or without 875115Sfenner * modification, are permitted provided that the following conditions 975115Sfenner * are met: 1075115Sfenner * 1. Redistributions of source code must retain the above copyright 1175115Sfenner * notice, this list of conditions and the following disclaimer. 1275115Sfenner * 2. Redistributions in binary form must reproduce the above copyright 1375115Sfenner * notice, this list of conditions and the following disclaimer in the 1475115Sfenner * documentation and/or other materials provided with the distribution. 1575115Sfenner * 3. All advertising materials mentioning features or use of this software 1675115Sfenner * must display the following acknowledgement: 1775115Sfenner * This product includes software developed by Michael Shalayeff. 1875115Sfenner * 4. The name of the author may not be used to endorse or promote products 1975115Sfenner * derived from this software without specific prior written permission. 2075115Sfenner * 2175115Sfenner * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 2275115Sfenner * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 2375115Sfenner * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 2475115Sfenner * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 2575115Sfenner * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 2675115Sfenner * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 2775115Sfenner * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 2875115Sfenner * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 2975115Sfenner * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 3075115Sfenner * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 3175115Sfenner */ 3275115Sfenner 3375115Sfenner/* Cisco NetFlow protocol */ 3475115Sfenner 3575115Sfenner#ifndef lint 36127668Sbmsstatic const char rcsid[] _U_ = 37190207Srpaulo "@(#) $Header: /tcpdump/master/tcpdump/print-cnfp.c,v 1.17 2005-04-20 20:53:18 guy Exp $"; 3875115Sfenner#endif 3975115Sfenner 4075115Sfenner#ifdef HAVE_CONFIG_H 4175115Sfenner#include "config.h" 4275115Sfenner#endif 4375115Sfenner 44127668Sbms#include <tcpdump-stdinc.h> 4575115Sfenner 4675115Sfenner#include <stdio.h> 4775115Sfenner#include <string.h> 4875115Sfenner 4975115Sfenner#include "interface.h" 50127668Sbms#include "addrtoname.h" 51127668Sbms#include "extract.h" 5275115Sfenner 5375115Sfenner#include "tcp.h" 54127668Sbms#include "ipproto.h" 5575115Sfenner 5675115Sfennerstruct nfhdr { 5775115Sfenner u_int32_t ver_cnt; /* version [15], and # of records */ 5875115Sfenner u_int32_t msys_uptime; 5975115Sfenner u_int32_t utc_sec; 6075115Sfenner u_int32_t utc_nsec; 6175115Sfenner u_int32_t sequence; /* v5 flow sequence number */ 6275115Sfenner u_int32_t reserved; /* v5 only */ 6375115Sfenner}; 6475115Sfenner 6575115Sfennerstruct nfrec { 6675115Sfenner struct in_addr src_ina; 6775115Sfenner struct in_addr dst_ina; 6875115Sfenner struct in_addr nhop_ina; 6975115Sfenner u_int32_t ifaces; /* src,dst ifaces */ 7075115Sfenner u_int32_t packets; 7175115Sfenner u_int32_t octets; 7275115Sfenner u_int32_t start_time; /* sys_uptime value */ 7375115Sfenner u_int32_t last_time; /* sys_uptime value */ 7475115Sfenner u_int32_t ports; /* src,dst ports */ 7575115Sfenner u_int32_t proto_tos; /* proto, tos, pad, flags(v5) */ 7675115Sfenner u_int32_t asses; /* v1: flags; v5: src,dst AS */ 7798524Sfenner u_int32_t masks; /* src,dst addr prefix; v6: encaps */ 7898524Sfenner struct in_addr peer_nexthop; /* v6: IP address of the nexthop within the peer (FIB)*/ 7975115Sfenner}; 8075115Sfenner 8175115Sfennervoid 82147899Ssamcnfp_print(const u_char *cp, const u_char *bp _U_) 8375115Sfenner{ 8475115Sfenner register const struct nfhdr *nh; 8575115Sfenner register const struct nfrec *nr; 8675115Sfenner struct protoent *pent; 8775115Sfenner int nrecs, ver; 88147899Ssam#if 0 8975115Sfenner time_t t; 90147899Ssam#endif 9175115Sfenner 9298524Sfenner nh = (const struct nfhdr *)cp; 9375115Sfenner 9498524Sfenner if ((const u_char *)(nh + 1) > snapend) 9575115Sfenner return; 9675115Sfenner 97127668Sbms nrecs = EXTRACT_32BITS(&nh->ver_cnt) & 0xffff; 98127668Sbms ver = (EXTRACT_32BITS(&nh->ver_cnt) & 0xffff0000) >> 16; 99147899Ssam#if 0 100147899Ssam /* 101147899Ssam * This is seconds since the UN*X epoch, and is followed by 102147899Ssam * nanoseconds. XXX - format it, rather than just dumping the 103147899Ssam * raw seconds-since-the-Epoch. 104147899Ssam */ 105127668Sbms t = EXTRACT_32BITS(&nh->utc_sec); 106147899Ssam#endif 10775115Sfenner 10875115Sfenner printf("NetFlow v%x, %u.%03u uptime, %u.%09u, ", ver, 109127668Sbms EXTRACT_32BITS(&nh->msys_uptime)/1000, 110127668Sbms EXTRACT_32BITS(&nh->msys_uptime)%1000, 111127668Sbms EXTRACT_32BITS(&nh->utc_sec), EXTRACT_32BITS(&nh->utc_nsec)); 11275115Sfenner 11398524Sfenner if (ver == 5 || ver == 6) { 114127668Sbms printf("#%u, ", EXTRACT_32BITS(&nh->sequence)); 11598524Sfenner nr = (const struct nfrec *)&nh[1]; 11675115Sfenner snaplen -= 24; 11775115Sfenner } else { 11898524Sfenner nr = (const struct nfrec *)&nh->sequence; 11975115Sfenner snaplen -= 16; 12075115Sfenner } 12175115Sfenner 12275115Sfenner printf("%2u recs", nrecs); 12375115Sfenner 12498524Sfenner for (; nrecs-- && (const u_char *)(nr + 1) <= snapend; nr++) { 12575115Sfenner char buf[20]; 12675115Sfenner char asbuf[20]; 12775115Sfenner 12875115Sfenner printf("\n started %u.%03u, last %u.%03u", 129127668Sbms EXTRACT_32BITS(&nr->start_time)/1000, 130127668Sbms EXTRACT_32BITS(&nr->start_time)%1000, 131127668Sbms EXTRACT_32BITS(&nr->last_time)/1000, 132127668Sbms EXTRACT_32BITS(&nr->last_time)%1000); 13375115Sfenner 13475115Sfenner asbuf[0] = buf[0] = '\0'; 13598524Sfenner if (ver == 5 || ver == 6) { 13675115Sfenner snprintf(buf, sizeof(buf), "/%u", 137127668Sbms (EXTRACT_32BITS(&nr->masks) >> 24) & 0xff); 13898524Sfenner snprintf(asbuf, sizeof(asbuf), ":%u", 139127668Sbms (EXTRACT_32BITS(&nr->asses) >> 16) & 0xffff); 14075115Sfenner } 141127668Sbms printf("\n %s%s%s:%u ", intoa(nr->src_ina.s_addr), buf, asbuf, 142127668Sbms EXTRACT_32BITS(&nr->ports) >> 16); 14375115Sfenner 14498524Sfenner if (ver == 5 || ver ==6) { 14575115Sfenner snprintf(buf, sizeof(buf), "/%d", 146127668Sbms (EXTRACT_32BITS(&nr->masks) >> 16) & 0xff); 14798524Sfenner snprintf(asbuf, sizeof(asbuf), ":%u", 148127668Sbms EXTRACT_32BITS(&nr->asses) & 0xffff); 14975115Sfenner } 150127668Sbms printf("> %s%s%s:%u ", intoa(nr->dst_ina.s_addr), buf, asbuf, 151127668Sbms EXTRACT_32BITS(&nr->ports) & 0xffff); 15275115Sfenner 153127668Sbms printf(">> %s\n ", intoa(nr->nhop_ina.s_addr)); 15475115Sfenner 155127668Sbms pent = getprotobynumber((EXTRACT_32BITS(&nr->proto_tos) >> 8) & 0xff); 15675115Sfenner if (!pent || nflag) 15775115Sfenner printf("%u ", 158127668Sbms (EXTRACT_32BITS(&nr->proto_tos) >> 8) & 0xff); 15975115Sfenner else 16075115Sfenner printf("%s ", pent->p_name); 16175115Sfenner 16275115Sfenner /* tcp flags for tcp only */ 16375115Sfenner if (pent && pent->p_proto == IPPROTO_TCP) { 16475115Sfenner int flags; 16575115Sfenner if (ver == 1) 166127668Sbms flags = (EXTRACT_32BITS(&nr->asses) >> 24) & 0xff; 16775115Sfenner else 168127668Sbms flags = (EXTRACT_32BITS(&nr->proto_tos) >> 16) & 0xff; 16975115Sfenner if (flags & TH_FIN) putchar('F'); 17075115Sfenner if (flags & TH_SYN) putchar('S'); 17175115Sfenner if (flags & TH_RST) putchar('R'); 17275115Sfenner if (flags & TH_PUSH) putchar('P'); 17375115Sfenner if (flags & TH_ACK) putchar('A'); 17475115Sfenner if (flags & TH_URG) putchar('U'); 17575115Sfenner if (flags) 17675115Sfenner putchar(' '); 17775115Sfenner } 17898524Sfenner 17998524Sfenner buf[0]='\0'; 18098524Sfenner if (ver == 6) { 18198524Sfenner snprintf(buf, sizeof(buf), "(%u<>%u encaps)", 182127668Sbms (EXTRACT_32BITS(&nr->masks) >> 8) & 0xff, 183127668Sbms (EXTRACT_32BITS(&nr->masks)) & 0xff); 18498524Sfenner } 18598524Sfenner printf("tos %u, %u (%u octets) %s", 186127668Sbms EXTRACT_32BITS(&nr->proto_tos) & 0xff, 187127668Sbms EXTRACT_32BITS(&nr->packets), 188127668Sbms EXTRACT_32BITS(&nr->octets), buf); 18975115Sfenner } 19075115Sfenner} 191