MODULE NETFLOWDEF IDENT "NETFLOWDEF-1-X";

/*++
/* Facility:
/*	Cisco NetFlow services
/*
/* Abstract:
/*	Interface module containing the data structure definitions and
/*	constants used to decode NetFlow export datagrams (versions 1, 5, 7
/*	and the version 8 aggregation schemes) and the version 5 file record.
/*
/* Author:
/*	Ruslan R. Laishev
/*
/* Creation Date: 5-DEC-2002
/*
/* Modification History:
/*
/*	3-SEP-2003	RRL	Added sysip field to nf_pktv5 structure.
/*
/* NOTE(review): in this revision sysip is declared in nf_recv5, not in
/* nf_pktv5 -- the history entry above may name the wrong aggregate.
/*
/* NOTE(review): the header and datagram aggregates below overlay bytes
/* received from the network, i.e. data the collector does not control.
/* Nothing in this module bounds "count" or ties "version" to a record
/* layout, so the reader presumably has to check that
/* header size + count * record size fits in the bytes actually received
/* before it walks the records -- confirm where that check is made.
/*
/* NOTE(review): no byte order is recorded for the binary fields. NetFlow
/* export is, as far as I know, big-endian on the wire, so WORD/LONGWORD
/* fields would need swapping on a little-endian host -- confirm.
/*
/* NOTE(review): several aggregates share one PREFIX (nf_hdr$, nf_pkt$)
/* while placing same-named fields at different positions (tcp_flags in
/* nf_pktv1 vs nf_pktv5, prot/tos in nf_pktv7). For SDL back ends that
/* emit offsets as global symbols this may produce conflicting
/* definitions -- verify against the generated output.
/*--

/* Five-character SQLSTATE, viewable whole (sts) or as class + code.
AGGREGATE sqlstate UNION PREFIX sqlstate$;
	sts	CHARACTER DIMENSION 5;
	s	STRUCTURE;
		class	CHARACTER DIMENSION 2;
		code	CHARACTER DIMENSION 3;
	END s;
END sqlstate;

/* Longword status split into bitfields; MASK also generates mask constants.
AGGREGATE sqlcode STRUCTURE PREFIX sqlcode$;
	sts	STRUCTURE LONGWORD;
		severity	BITFIELD MASK DIMENSION 1;
		code		BITFIELD MASK DIMENSION 3;
	END sts;
END sqlcode;

/* Message vector: three leading longwords followed by 17 argument slots.
AGGREGATE message_vector STRUCTURE PREFIX RDB$ TAG "rdb$";
	acnt	LONGWORD UNSIGNED;		/* Number of arguments in the vector
	sts	LONGWORD UNSIGNED;		/* Primary status code of the last SQL statement
	fcnt	LONGWORD UNSIGNED;		/* Number of FAO arguments to primary message
						/* Return status for follow-on messages, if any
	args	LONGWORD UNSIGNED DIMENSION 17;
END message_vector;

/*++
/**
/**	NetFlow Export Header Formats
/**
/*--
/* In every header below, "count" is supplied by the sender; see the
/* module-level note about checking it against the received length.
/* "uptime" (and First/Last in the records) is a 32-bit millisecond
/* counter, so it wraps after roughly 49.7 days of router uptime.

AGGREGATE nf_hdrv1 STRUCTURE PREFIX nf_hdr$;
	version	WORD UNSIGNED;			/* Current version=1
	count	WORD UNSIGNED;			/* The number of records in PDU.
	uptime	LONGWORD UNSIGNED;		/* Current time in msecs since router booted.
	secs	LONGWORD UNSIGNED;		/* Current seconds since 0000 UTC 1970
	nsecs	LONGWORD UNSIGNED;		/* Residual nanoseconds since 0000 UTC 1970
END nf_hdrv1;

/* NOTE(review): the author's own "??" marks etype/eid as uncertain. As I
/* understand the published v5 header, engine type and engine id are one
/* byte each and are followed by a 16-bit sampling interval. The total
/* size here (24 bytes) matches that, but the field boundaries would not --
/* verify against the exporter documentation before trusting either field.
AGGREGATE nf_hdrv5 STRUCTURE PREFIX nf_hdr$;
	version	WORD UNSIGNED;			/* Current version=5
	count	WORD UNSIGNED;			/* The number of records in PDU.
	uptime	LONGWORD UNSIGNED;		/* Current time in msecs since router booted.
	secs	LONGWORD UNSIGNED;		/* Current seconds since 0000 UTC 1970
	nsecs	LONGWORD UNSIGNED;		/* Residual nanoseconds since 0000 UTC 1970
	seq	LONGWORD UNSIGNED;		/* Sequence number of total flows seen
	etype	WORD UNSIGNED;			/* ??Type of flow switching engine (RP,VIP,etc.)
	eid	WORD UNSIGNED;			/* ??Slot number of the flow switching engine
END nf_hdrv5;

AGGREGATE nf_hdrv7 STRUCTURE PREFIX nf_hdr$;
	version	WORD UNSIGNED;			/* Current version=7
	count	WORD UNSIGNED;			/* The number of records in PDU.
	uptime	LONGWORD UNSIGNED;		/* Current time in msecs since router booted.
	secs	LONGWORD UNSIGNED;		/* Current seconds since 0000 UTC 1970
	nsecs	LONGWORD UNSIGNED;		/* Residual nanoseconds since 0000 UTC 1970
	seq	LONGWORD UNSIGNED;		/* Sequence number of total flows seen
	reserved LONGWORD UNSIGNED;
END nf_hdrv7;

/* "agg" selects which of the v8 aggregation record layouts defined
/* further down follows this header; the code values are not defined here.
AGGREGATE nf_hdrv8 STRUCTURE PREFIX nf_hdr$;
	version	WORD UNSIGNED;			/* Current version=8
	count	WORD UNSIGNED;			/* The number of records in PDU.
	uptime	LONGWORD UNSIGNED;		/* Current time in msecs since router booted.
	secs	LONGWORD UNSIGNED;		/* Current seconds since 0000 UTC 1970
	nsecs	LONGWORD UNSIGNED;		/* Residual nanoseconds since 0000 UTC 1970
	seq	LONGWORD UNSIGNED;		/* Sequence number of total flows seen
	etype	BYTE UNSIGNED;			/* Type of flow switching engine (RP,VIP,etc.)
	eid	BYTE UNSIGNED;			/* Slot number of the flow switching engine
	agg	BYTE UNSIGNED;			/* Aggregation method being used
	aggver	BYTE UNSIGNED;			/* Version of the aggregation export=2
END nf_hdrv8;

/*++
/**
/**	NetFlow Export datagram formats
/**
/*--
/* NOTE(review): a record layout whose total size differs from what the
/* exporter sends misaligns every later record in the same datagram, which
/* silently corrupts addresses, ports and counters used for analysis.
/* Check each aggregate's size against the documented record length.

/* Version 1 flow record. The fields as declared add up to 52 bytes.
/* NOTE(review): I believe the published v1 record is 48 bytes -- confirm
/* the padding/reserved fields after tcp_flags.
AGGREGATE nf_pktv1 STRUCTURE PREFIX nf_pkt$;
	srcaddr	LONGWORD UNSIGNED;		/* Source IP Address
	dstaddr	LONGWORD UNSIGNED;		/* Destination IP Address
	nexthop	LONGWORD UNSIGNED;		/* Next hop router's IP Address
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	srcport	WORD UNSIGNED;			/* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent)
	dstport	WORD UNSIGNED;			/* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent)
	pad0	WORD UNSIGNED;			/* pad to word boundary
	prot	BYTE UNSIGNED;			/* IP protocol, e.g., 6=TCP, 17=UDP, etc...
	tos	BYTE UNSIGNED;			/* IP Type-of-Service
	tcp_flags BYTE UNSIGNED;		/* Cumulative OR of tcp flags
	pad1	BYTE UNSIGNED;			/* pad to word boundary
	pad2	WORD UNSIGNED;			/* pad to word boundary
	reserved BYTE UNSIGNED DIMENSION 8;	/* reserved for future use
END nf_pktv1;

/* Version 5 flow record. The fields as declared add up to 48 bytes.
/* NOTE(review): dst_as/dst_mask are declared BEFORE src_as/src_mask here,
/* the opposite of nf_pktv7 in this same module and, as far as I know, of
/* the published v5 layout (source first). If the order is wrong, source
/* and destination AS numbers and prefix lengths are swapped in everything
/* derived from v5 data -- verify against a captured datagram.
AGGREGATE nf_pktv5 STRUCTURE PREFIX nf_pkt$;
	srcaddr	LONGWORD UNSIGNED;		/* Source IP Address
	dstaddr	LONGWORD UNSIGNED;		/* Destination IP Address
	nexthop	LONGWORD UNSIGNED;		/* Next hop router's IP Address
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	srcport	WORD UNSIGNED;			/* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent)
	dstport	WORD UNSIGNED;			/* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent)
	pad0	BYTE UNSIGNED;			/* pad to word boundary
	tcp_flags BYTE UNSIGNED;		/* Cumulative OR of tcp flags
	prot	BYTE UNSIGNED;			/* IP protocol, e.g., 6=TCP, 17=UDP, etc...
	tos	BYTE UNSIGNED;			/* IP Type-of-Service
	dst_as	WORD UNSIGNED;			/* dst peer/origin Autonomous System
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	dst_mask BYTE UNSIGNED;			/* destination route's mask bits
	src_mask BYTE UNSIGNED;			/* source route's mask bits
	pad1	WORD UNSIGNED;			/* pad to word boundary
END nf_pktv5;

/* Version 7 flow record. The fields as declared add up to 54 bytes.
/* NOTE(review): I believe the published v7 record is 52 bytes, with the
/* flags byte directly after dstport; the pad0 word may be spurious --
/* confirm.
AGGREGATE nf_pktv7 STRUCTURE PREFIX nf_pkt$;
	srcaddr	LONGWORD UNSIGNED;		/* Source IP Address
	dstaddr	LONGWORD UNSIGNED;		/* Destination IP Address
	nexthop	LONGWORD UNSIGNED;		/* Next hop router's IP Address
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	srcport	WORD UNSIGNED;			/* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent)
	dstport	WORD UNSIGNED;			/* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent)
	pad0	WORD UNSIGNED;			/* pad to word boundary
	flags	BYTE UNSIGNED;			/* Shortcut mode (dest only, src only, full flows)
	tcp_flags BYTE UNSIGNED;		/* Cumulative OR of tcp flags
	prot	BYTE UNSIGNED;			/* IP protocol, e.g., 6=TCP, 17=UDP, etc...
	tos	BYTE UNSIGNED;			/* IP Type-of-Service
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	dst_as	WORD UNSIGNED;			/* dst peer/origin Autonomous System
	src_mask BYTE UNSIGNED;			/* source route's mask bits
	dst_mask BYTE UNSIGNED;			/* destination route's mask bits
	pad1	WORD UNSIGNED;			/* pad to word boundary
	router_sc LONGWORD UNSIGNED;		/* Router which is shortcut by switch
END nf_pktv7;

/* The five v8 aggregation records share the same first five longwords
/* (flows, dPkts, dOctets, First, Last) and differ in the key fields after.
/* NOTE(review): sizes of the v8 header and records were not checked
/* against the exporter documentation here -- verify, including any
/* trailing reserved fields.

AGGREGATE nf_asmv8 STRUCTURE PREFIX nf_asm$;	/* ASMatrix v8 aggregation scheme
	flows	LONGWORD UNSIGNED;		/* Number of flows
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	dst_as	WORD UNSIGNED;			/* dst peer/origin Autonomous System
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
END nf_asmv8;

AGGREGATE nf_ppmv8 STRUCTURE PREFIX nf_ppm$;	/* ProtocolPortMatrix v8 aggregation scheme
	flows	LONGWORD UNSIGNED;		/* Number of flows
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	prot	BYTE UNSIGNED;			/* IP protocol, e.g., 6=TCP, 17=UDP, etc...
	pad	BYTE UNSIGNED;			/* pad to word boundary
	reserved WORD UNSIGNED;
	srcport	WORD UNSIGNED;			/* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent)
	dstport	WORD UNSIGNED;			/* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent)
END nf_ppmv8;

AGGREGATE nf_spmv8 STRUCTURE PREFIX nf_spm$;	/* SourcePrefixMatrix v8 aggregation scheme:
	flows	LONGWORD UNSIGNED;		/* Number of flows
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	src_prefix LONGWORD UNSIGNED;		/* Source prefix
	src_mask BYTE UNSIGNED;			/* source route's mask bits
	pad	BYTE UNSIGNED;			/* pad to word boundary
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	input	WORD UNSIGNED;			/* Input interface index
END nf_spmv8;

AGGREGATE nf_dpmv8 STRUCTURE PREFIX nf_dpm$;	/* DestinationPrefixMatrix v8 aggregation scheme
	flows	LONGWORD UNSIGNED;		/* Number of flows
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	dst_prefix LONGWORD UNSIGNED;		/* Destination prefix
	dst_mask BYTE UNSIGNED;			/* destination address prefix mask bits
	pad	BYTE UNSIGNED;			/* pad to word boundary
	dst_as	WORD UNSIGNED;			/* originating AS of destination address
	output	WORD UNSIGNED;			/* Output interface index
END nf_dpmv8;

AGGREGATE nf_pmv8 STRUCTURE PREFIX nf_pm$;	/* PrefixMatrix v8 aggregation scheme
	flows	LONGWORD UNSIGNED;		/* Number of flows
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	src_prefix LONGWORD UNSIGNED;		/* Source prefix
	dst_prefix LONGWORD UNSIGNED;		/* Destination prefix
	src_mask BYTE UNSIGNED;			/* source route's mask bits
	dst_mask BYTE UNSIGNED;			/* destination address prefix mask bits
	pad	WORD UNSIGNED;			/* pad to word boundary
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	dst_as	WORD UNSIGNED;			/* originating AS of destination address
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
END nf_pmv8;

/*++
/**
/**	NetFlow Export file record formats
/**
/*--
/* Stored form of a v5 flow: a timestamp, four addresses held as
/* 15-character text fields, then the v5 counters and keys without the
/* pad bytes of nf_pktv5.
/* NOTE(review): 15 characters is exactly the longest dotted-decimal IPv4
/* string, so presumably these hold text with no terminator -- readers
/* must use the fixed length, not treat them as C strings. "NBO" on sysip
/* does not obviously apply to a CHARACTER field -- confirm.
/* NOTE(review): dst_as/dst_mask precede src_as/src_mask here as in
/* nf_pktv5; any correction there needs the same review here, and files
/* already written keep the old order.
AGGREGATE nf_recv5 STRUCTURE PREFIX nf_rec$;
	timestamp QUADWORD UNSIGNED;		/* A record time stamp
	sysip	CHARACTER LENGTH 15;		/* From where packet was originated, NBO
	srcaddr	CHARACTER LENGTH 15;		/* Source IP Address
	dstaddr	CHARACTER LENGTH 15;		/* Destination IP Address
	nexthop	CHARACTER LENGTH 15;		/* Next hop router's IP Address
	input	WORD UNSIGNED;			/* Input interface index
	output	WORD UNSIGNED;			/* Output interface index
	dPkts	LONGWORD UNSIGNED;		/* Packets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	dOctets	LONGWORD UNSIGNED;		/* Octets sent in Duration (milliseconds between 1st & last packet in
						/* this flow)
	First	LONGWORD UNSIGNED;		/* SysUptime at start of flow
	Last	LONGWORD UNSIGNED;		/* SysUptime at the last packet of the flow
	srcport	WORD UNSIGNED;			/* TCP/UDP source port number (e.g., FTP, Telnet, etc., or equivalent)
	dstport	WORD UNSIGNED;			/* TCP/UDP destination port number (e.g., FTP, Telnet, etc., or equivalent)
	tcp_flags BYTE UNSIGNED;		/* Cumulative OR of tcp flags
	prot	BYTE UNSIGNED;			/* IP protocol, e.g., 6=TCP, 17=UDP, etc...
	tos	BYTE UNSIGNED;			/* IP Type-of-Service
	dst_as	WORD UNSIGNED;			/* dst peer/origin Autonomous System
	src_as	WORD UNSIGNED;			/* source peer/origin Autonomous System
	dst_mask BYTE UNSIGNED;			/* destination route's mask bits
	src_mask BYTE UNSIGNED;			/* source route's mask bits
END nf_recv5;

END_MODULE NETFLOWDEF;