nfdump

package module
v0.0.0-...-a6987ca Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 26, 2023 License: MIT Imports: 8 Imported by: 0

README

nfdump

NFDump File Reader

This library allows Go programs to read file produced by nfdump.

https://github.com/phaag/nfdump

nfdump is a toolset in order to collect and process netflow and sflow data, sent from netflow/sflow compatible devices. The toolset supports netflow v1, v5/v7,v9,IPFIX and SFLOW. nfdump supports IPv4 as well as IPv6.

ParseReader Example

Read whole file and return struct with all meta data and records.


package main

import (
	"bufio"
	"log"
	"os"
	"time"

	"github.com/chrispassas/nfdump"

)

func main() {
    var filePath = "testdata/nfcapd-small-lzo"
    var nff *nfdump.NFFile
	  var err error
    var f *os.File
	  
    f, err = os.Open(filePath)
	  
    if err != nil {
		    log.Fatalf("[ERROR] os.Open error:%#+v", err)
	  }
	  defer f.Close()
    
    var reader = bufio.NewReader(f)
	  nff, err = nfdump.ParseReader(reader)
	  
    if err != nil {
		    log.Fatalf("[ERROR] nfdump.ParseReader error:%#+v", err)
	  }
    
    for _, record := range nff.Records {
        log.Printf("Received:%s routerIP:%s srcIP:%s dstIP:%s srcPort:%d dstPort:%d srcMask:%d dstMask:%d ipNextHop:%s srcAS:%d dstAS:%d",
        record.ReceivedTime().Format(time.RFC3339),
			  record.RouterIP.String(),
			  record.DstIP.String(),
			  record.SrcIP.String(),
			  record.SrcPort,
			  record.DstPort,
			  record.SrcMask,
			  record.DstMask,
			  record.NextHopIP.String(),
			  record.SrcAS,
			  record.DstAS,
		)
    
    }
}

StreamReader Example

Reads file one row at a time and returns records. This is generally faster and uses a lot less memory.

package main

import (
	"bufio"
	"io"
	"log"
	"os"

	"github.com/chrispassas/nfdump"
)

func main() {

    var filePath = "testdata/nfcapd-large-lzo"
    var err error
    var nfs *nfdump.NFStream
    var f *os.File
    f, err = os.Open(filePath)
    if err != nil {
        log.Fatalf("[ERROR] os.Open error:%#+v", err)
    }
    defer f.Close()

    var reader = bufio.NewReader(f)
    nfs, err = nfdump.StreamReader(reader)
    if err != nil {
        log.Fatalf("[ERROR] nfdump.StreamReader error:%#+v", err)
    }
    
    var record *NFRecord
    for {
	if record, err = nfs.Row(); err == io.EOF {
	    goto Stop
	} else if err != nil {
	    log.Printf("[ERROR] nfs.Row() error:%v", err)
	    goto Stop
	}

	log.Printf("Received:%s routerIP:%s srcIP:%s dstIP:%s srcPort:%d dstPort:%d srcMask:%d dstMask:%d ipNextHop:%s srcAS:%d dstAS:%d",
        record.ReceivedTime().Format(time.RFC3339),
			  record.RouterIP.String(),
			  record.DstIP.String(),
			  record.SrcIP.String(),
			  record.SrcPort,
			  record.DstPort,
			  record.SrcMask,
			  record.DstMask,
			  record.NextHopIP.String(),
			  record.SrcAS,
			  record.DstAS,
		)

	}
Stop:

}

Documentation

Overview

Package nfdump this libraries purpose is to allow a Go program to natively proess NFDump files without the need for CLI tools.

Index

Constants

View Source 
const (
	ExtensionMapRecordHeadType = 2
	ExporterInfoRecordHeadType = 7
	ExporterStatRecordHeadType = 8
	SamplerInfoRecordHeadType  = 9
	EmptyRecordHeadType        = 0
)

Variables

View Source 
var (
	// ErrBadMagic file magic does not match expected value
	ErrBadMagic               = fmt.Errorf("bad file magic")
	ErrUnsupportedFileVersion = fmt.Errorf("Unsupported File Version")
	ErrFailedReadStatRecord   = fmt.Errorf("Failed read StatRecord")
	ErrFailedReadBlockHeader  = fmt.Errorf("Failed read BlockHeader")
	ErrFailedReadFileHeader   = fmt.Errorf("Failed read NFFile Header")
)

Functions

This section is empty.

Types

type NFBlockHeader 

type NFBlockHeader struct {
	NumRecords uint32
	Size       uint32
	ID         uint16
	Flags      uint16
}

NFBlockHeader NFDump Block Header

type NFExporterInfoRecord 

type NFExporterInfoRecord struct {
	// exporter version
	Version uint32
	// IP address
	IPAddr   net.IP
	SAFamily uint16
	// internal assigned ID
	SysID uint16
	// exporter ID/Domain ID/Observation Domain ID assigned by the device
	ID uint32
}

NFExporterInfoRecord exporter info record

type NFExporterStatRecord 

type NFExporterStatRecord struct {
	// internal assigned ID
	SysID uint32
	// total sequence failures/drops
	SequenceFailures uint32
	// packets per exporter
	Packets uint64
	// flows per exporter
	Flows uint64
}

NFExporterStatRecord exporter stats record

type NFFile 

type NFFile struct {
	Header        NFHeader
	StatRecord    NFStatRecord
	Records       []NFRecord
	Meta          NFMeta
	Exporters     map[uint16]NFExporterInfoRecord
	ExporterStats map[uint32]NFExporterStatRecord
	SamplerInfo   map[uint16]NFSamplerInfoRecord
}

NFFile NFDump Go structure representation

func ParseReader 

func ParseReader(r io.Reader) (nff *NFFile, err error)

ParseReader parse NFDump file content in io.Reader and return netflow records and stats

type NFHeader 

type NFHeader struct {
	Magic     uint16
	Version   uint16
	Flags     uint32
	NumBlocks uint32
	Ident     [128]byte
}

NFHeader NFDump file header

type NFMeta 

type NFMeta struct {
	RecordIDCount map[uint16]int
	BlockIDCount  map[uint16]int
	IPv6Count     int
	IPv4Count     int
	ExtUsage      map[uint16]int
}

NFMeta store extra meta data/stats about NFDump file contents

type NFRecord 

type NFRecord struct {

	// Common Record Type
	Flags uint16

	// MsecFirst Flow Start Time Milliseconds
	MsecFirst uint16

	// MsecLast Flow End Time Milliseconds
	MsecLast uint16

	// First Flow Start Time Seconds since epoch
	First uint32

	// Last Flow End Time Seconds since epoch
	Last uint32

	FwdStatus     uint8
	TCPFlags      uint8
	Proto         uint8
	Tos           uint8
	SrcPort       uint16
	DstPort       uint16
	ExporterSysID uint16
	Reserved      uint16
	ICMPType      uint8
	ICMPCode      uint8

	// Required Extension 1
	SrcIP net.IP
	DstIP net.IP

	// Required Extension 2
	PacketCount uint64

	// Required Extension 3
	ByteCount uint64

	// Extension 4 & 5
	Input  uint32
	Output uint32

	// Extension 6 & 7
	SrcAS uint32
	DstAS uint32

	// Extension 8
	DstTos  uint8
	Dir     uint8
	SrcMask uint8
	DstMask uint8

	// Extension 9 & 10
	NextHopIP net.IP

	// Extension 11 & 12
	BGPNextIP net.IP

	// Extension 13
	SrcVlan uint16
	DstVLan uint16

	// Extension 14 & 15
	OutPkts uint64

	// Extension 16 & 17
	OutBytes uint64

	// Extension 18 & 19
	AggeFlows uint64

	// Extension 23
	RouterIP net.IP // Sending router IP

	// Extension 27
	// Received Received Time Milliseconds
	Received uint64
}

NFRecord Size 32 bytes Most appear to be size 96 bytes (remainder 64)

func (NFRecord) Duration 

func (r NFRecord) Duration() time.Duration

Duration return Go time.Duration of flow

func (NFRecord) DurationMilliseconds 

func (r NFRecord) DurationMilliseconds() int64

DurationMilliseconds returns duration in milliseconds (better for high performance)

func (NFRecord) EndTime 

func (r NFRecord) EndTime() time.Time

EndTime return Go time.Time representation of flow End Time

func (NFRecord) EndTimeMS 

func (r NFRecord) EndTimeMS() int64

EndTimeMS return end time in milliseconds (better for high performance)

func (NFRecord) ReceivedTime 

func (r NFRecord) ReceivedTime() time.Time

ReceivedTime return Go time.Time representation of flow Received Time

func (NFRecord) StartTime 

func (r NFRecord) StartTime() time.Time

StartTime return Go time.Time representation of flow Start Time

func (NFRecord) StartTimeMS 

func (r NFRecord) StartTimeMS() int64

StartTimeMS return end time in milliseconds (better for high performance)

type NFRecordHeader 

type NFRecordHeader struct {
	Type uint16
	Size uint16
}

NFRecordHeader NFDump record header Size 4 bytes

type NFSamplerInfoRecord 

type NFSamplerInfoRecord struct {
	// sampler data
	// id assigned by the exporting device
	ID uint32
	// sampling interval
	Interval uint32
	// sampling mode
	Mode uint16
	// internal reference to exporter
	ExporterSysID uint16
}

NFSamplerInfoRecord store router sampling information

type NFStatRecord 

type NFStatRecord struct {
	NumFlows        uint64
	NumBytes        uint64
	NumPackets      uint64
	NumFlowsTCP     uint64
	NumFlowsUDP     uint64
	NumFlowsICMP    uint64
	NumFlowsOther   uint64
	NumBytesTCP     uint64
	NumBytesUDP     uint64
	NumBytesICMP    uint64
	NumBytesOther   uint64
	NumPacketsTCP   uint64
	NumPacketsUDP   uint64
	NumPacketsICMP  uint64
	NumPacketsOther uint64
	FirstSeen       uint32
	LastSeen        uint32
	MSecFirst       uint16
	MSecLast        uint16
	SequenceFailure uint32
}

NFStatRecord NFDump file aggregate stats

type NFStream 

type NFStream struct {
	Header     NFHeader
	StatRecord NFStatRecord

	Exporters     map[uint16]NFExporterInfoRecord
	ExporterStats map[uint32]NFExporterStatRecord
	SamplerInfo   map[uint16]NFSamplerInfoRecord
	// contains filtered or unexported fields
}

NFStream keeps track of non record fields while stream processing file

func StreamReader 

func StreamReader(r io.Reader) (nfs *NFStream, err error)

StreamReader read nfdump file record by record with minimal memory usage

func (*NFStream) Row 

func (nfs *NFStream) Row() (record NFRecord, err error)

Row each call will return an NFRecord struct or an error. io.EOF error means end of file.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.