forked from pavel-odintsov/fastnetmon
-
Notifications
You must be signed in to change notification settings - Fork 33
/
Copy pathsflow_hooks.lua
222 lines (187 loc) · 5.63 KB
/
sflow_hooks.lua
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
local json = require("json")
-- We have this library bundled only in luajit:
-- g++ lua_integration.cpp -lluajit-5.1
-- Before production use, please call your code with luajit CLI
local ffi = require("ffi")
-- Load declaration from the inside separate header file
-- This code should be in sync with https://github.com/FastVPSEestiOu/fastnetmon/blob/master/src/sflow_plugin/sflow_data.h
-- We have changed all defines to actual values
ffi.cdef([[
typedef unsigned char u_char;
typedef long time_t;
typedef struct _SFLIf_counters {
uint32_t ifIndex;
uint32_t ifType;
uint64_t ifSpeed;
uint32_t ifDirection; /* Derived from MAU MIB (RFC 2668)
0 = unknown, 1 = full-duplex,
2 = half-duplex, 3 = in, 4 = out */
uint32_t ifStatus; /* bit field with the following bits assigned:
bit 0 = ifAdminStatus (0 = down, 1 = up)
bit 1 = ifOperStatus (0 = down, 1 = up) */
uint64_t ifInOctets;
uint32_t ifInUcastPkts;
uint32_t ifInMulticastPkts;
uint32_t ifInBroadcastPkts;
uint32_t ifInDiscards;
uint32_t ifInErrors;
uint32_t ifInUnknownProtos;
uint64_t ifOutOctets;
uint32_t ifOutUcastPkts;
uint32_t ifOutMulticastPkts;
uint32_t ifOutBroadcastPkts;
uint32_t ifOutDiscards;
uint32_t ifOutErrors;
uint32_t ifPromiscuousMode;
} SFLIf_counters;
typedef struct { uint32_t addr; } SFLIPv4;
typedef struct { u_char addr[16]; } SFLIPv6;
typedef union _SFLAddress_value {
SFLIPv4 ip_v4;
SFLIPv6 ip_v6;
} SFLAddress_value;
typedef struct _SFLAddress {
uint32_t type; /* enum SFLAddress_type */
SFLAddress_value address;
} SFLAddress;
typedef struct _SFSample {
SFLAddress sourceIP;
SFLAddress agent_addr;
uint32_t agentSubId;
/* the raw pdu */
uint8_t* rawSample;
uint32_t rawSampleLen;
uint8_t* endp;
time_t pcapTimestamp;
/* decode cursor */
uint32_t* datap;
uint32_t datagramVersion;
uint32_t sampleType;
uint32_t elementType;
uint32_t ds_class;
uint32_t ds_index;
/* generic interface counter sample */
SFLIf_counters ifCounters;
/* sample stream info */
uint32_t sysUpTime;
uint32_t sequenceNo;
uint32_t sampledPacketSize;
uint32_t samplesGenerated;
uint32_t meanSkipCount;
uint32_t samplePool;
uint32_t dropEvents;
/* the sampled header */
uint32_t packet_data_tag;
uint32_t headerProtocol;
uint8_t* header;
int headerLen;
uint32_t stripped;
/* header decode */
int gotIPV4;
int gotIPV4Struct;
int offsetToIPV4;
int gotIPV6;
int gotIPV6Struct;
int offsetToIPV6;
int offsetToPayload;
SFLAddress ipsrc;
SFLAddress ipdst;
uint32_t dcd_ipProtocol;
uint32_t dcd_ipTos;
uint32_t dcd_ipTTL;
uint32_t dcd_sport;
uint32_t dcd_dport;
uint32_t dcd_tcpFlags;
uint32_t ip_fragmentOffset;
uint32_t udp_pduLen;
/* ports */
uint32_t inputPortFormat;
uint32_t outputPortFormat;
uint32_t inputPort;
uint32_t outputPort;
/* ethernet */
uint32_t eth_type;
uint32_t eth_len;
uint8_t eth_src[8];
uint8_t eth_dst[8];
/* vlan */
uint32_t in_vlan;
uint32_t in_priority;
uint32_t internalPriority;
uint32_t out_vlan;
uint32_t out_priority;
int vlanFilterReject;
/* extended data fields */
uint32_t num_extended;
uint32_t extended_data_tag;
/* IP forwarding info */
SFLAddress nextHop;
uint32_t srcMask;
uint32_t dstMask;
/* BGP info */
SFLAddress bgp_nextHop;
uint32_t my_as;
uint32_t src_as;
uint32_t src_peer_as;
uint32_t dst_as_path_len;
uint32_t* dst_as_path;
/* note: version 4 dst as path segments just get printed, not stored here, however
* the dst_peer and dst_as are filled in, since those are used for netflow encoding
*/
uint32_t dst_peer_as;
uint32_t dst_as;
uint32_t communities_len;
uint32_t* communities;
uint32_t localpref;
/* user id */
uint32_t src_user_charset;
uint32_t src_user_len;
char src_user[200 + 1];
uint32_t dst_user_charset;
uint32_t dst_user_len;
char dst_user[200 + 1];
/* url */
uint32_t url_direction;
uint32_t url_len;
char url[200 + 1];
uint32_t host_len;
char host[200 + 1];
/* mpls */
SFLAddress mpls_nextHop;
/* nat */
SFLAddress nat_src;
SFLAddress nat_dst;
/* counter blocks */
uint32_t statsSamplingInterval;
uint32_t counterBlockVersion;
/* exception handler context */
//jmp_buf env;
} SFSample;
]])
-- Load json file once
local json_file = io.open("/usr/src/fastnetmon/src/tests/netflow_exclude.json", "r")
local decoded = json.decode(json_file:read("*all"))
function process_sflow(flow_agent_ip, flow)
local sflow_t = ffi.typeof('SFSample*')
local lua_sflow = ffi.cast(sflow_t, flow)
--print ("We got this packets from: ", flow_agent_ip)
-- TODO: PLEASE BE AWARE! Thid code will read json file for every packet
--print ("Flow packets and bytes: ", lua_flow.flow_packets, lua_flow.flow_octets)
print ("Agent IP", flow_agent_ip," in interface :", lua_sflow.inputPort, " out interface: ", lua_sflow.outputPort)
for agent_ip, ports_table in pairs(decoded) do
if agent_ip == flow_agent_ip then
for port_number, port_description in pairs(ports_table) do
if lua_sflow.outputPort == port_number then
-- We found this port in ignore list
return false
end
end
end
end
--for k,v in pairs(decoded) do
-- for kk, vv in pairs(v) do
-- --print(k, kk, vv)
-- end
--end
return true
end