Parse ICMP code and type (#7)

* sflow: from packet sample * netflow/ipfix: * field 32 on NetFlow * fields 139, 176, 177, 178,179 on IPFIX * updated protobuf
cloudflare · May 23, 2018 · 0e715d6 · 0e715d6
1 parent b8cc786
commit 0e715d6
Show file tree

Hide file tree

Showing 5 changed files with 149 additions and 88 deletions.
diff --git a/goflow.go b/goflow.go
@@ -28,7 +28,7 @@ import (
 	"bytes"
 )
 
-const AppVersion = "GoFlow v2.0.3"
+const AppVersion = "GoFlow v2.0.4"
 
 var (
 	FEnable = flag.Bool("netflow", true, "Enable NetFlow")

diff --git a/pb/flow.pb.go b/pb/flow.pb.go
diff --git a/pb/flow.proto b/pb/flow.proto
@@ -75,4 +75,7 @@ message FlowMessage {
 
   // Layer 3 protocol (IPv4/IPv6/ARP/...)
   uint32 Etype = 30;
+
+  uint32 IcmpType = 31;
+  uint32 IcmpCode = 32;
 }
diff --git a/producer/producer_nf.go b/producer/producer_nf.go
@@ -223,6 +223,26 @@ func ConvertNetFlowDataSet(version uint16, baseTime uint32, uptime uint32, recor
 			flowMessage.IPversion = flowmessage.FlowMessage_IPv6
 			flowMessage.NextHop = v
 
+		// ICMP
+		case netflow.NFV9_FIELD_ICMP_TYPE:
+			var icmpTypeCode uint16
+			DecodeUNumber(v, &icmpTypeCode)
+			flowMessage.IcmpType = uint32(icmpTypeCode>>8)
+			flowMessage.IcmpCode = uint32(icmpTypeCode&0xff)
+		case netflow.IPFIX_FIELD_icmpTypeCodeIPv6:
+			var icmpTypeCode uint16
+			DecodeUNumber(v, &icmpTypeCode)
+			flowMessage.IcmpType = uint32(icmpTypeCode>>8)
+			flowMessage.IcmpCode = uint32(icmpTypeCode&0xff)
+		case netflow.IPFIX_FIELD_icmpTypeIPv4:
+			DecodeUNumber(v, &(flowMessage.IcmpType))
+		case netflow.IPFIX_FIELD_icmpTypeIPv6:
+			DecodeUNumber(v, &(flowMessage.IcmpType))
+		case netflow.IPFIX_FIELD_icmpCodeIPv4:
+			DecodeUNumber(v, &(flowMessage.IcmpCode))
+		case netflow.IPFIX_FIELD_icmpCodeIPv6:
+			DecodeUNumber(v, &(flowMessage.IcmpCode))
+
 		// Mac
 		case netflow.NFV9_FIELD_IN_SRC_MAC:
 			DecodeUNumber(v, &(flowMessage.SrcMac))

diff --git a/producer/producer_sf.go b/producer/producer_sf.go
@@ -89,6 +89,12 @@ func ParseSampledHeader(flowMessage *flowmessage.FlowMessage, sampledHeader *sfl
 			tcpflags = dataTransport[13]
 		}
 
+		// ICMP and ICMPv6
+		if len(dataTransport) >= 2 && (nextHeader == 1 || nextHeader == 58) {
+			(*flowMessage).IcmpType = uint32(dataTransport[0])
+			(*flowMessage).IcmpCode = uint32(dataTransport[1])
+		}
+
 		(*flowMessage).SrcIP = srcIP
 		(*flowMessage).DstIP = dstIP
 		(*flowMessage).Proto = uint32(nextHeader)
-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,7 @@ import ( @@
     	"bytes"
     )
-    const AppVersion = "GoFlow v2.0.3"
+    const AppVersion = "GoFlow v2.0.4"
     var (
     	FEnable = flag.Bool("netflow", true, "Enable NetFlow")
@@ Expand Down @@