Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/scapy/layers/netflow.py: 44%
Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# SPDX-License-Identifier: GPL-2.0-only
2# This file is part of Scapy
3# See https://scapy.net/ for more information
4# Copyright (C) Philippe Biondi <phil@secdev.org>
6# Netflow V5 appended by spaceB0x and Guillaume Valadon
7# Netflow V9/10 appended by Gabriel Potter
9"""
10Cisco NetFlow protocol v1, v5, v9 and v10 (IPFix)
12HowTo dissect NetflowV9/10 (IPFix) packets
14# From a pcap / list of packets
16Using sniff and sessions::
18 >>> sniff(offline=open("my_great_pcap.pcap", "rb"), session=NetflowSession)
20Using the netflowv9_defragment/ipfix_defragment commands:
22- get a list of packets containing NetflowV9/10 packets
23- call `netflowv9_defragment(plist)` to defragment the list
25(ipfix_defragment is an alias for netflowv9_defragment)
27# Live / on-the-flow / other: use NetflowSession::
29 >>> sniff(session=NetflowSession, prn=[...])
31"""
33import dataclasses
34import socket
35import struct
37from collections import Counter
39from scapy.config import conf
40from scapy.data import IP_PROTOS
41from scapy.error import warning, Scapy_Exception
42from scapy.fields import (
43 BitEnumField,
44 BitField,
45 ByteEnumField,
46 ByteField,
47 ConditionalField,
48 Field,
49 FieldLenField,
50 FlagsField,
51 IPField,
52 IntField,
53 LongField,
54 MACField,
55 PacketListField,
56 SecondsIntField,
57 ShortEnumField,
58 ShortField,
59 StrField,
60 StrFixedLenField,
61 StrLenField,
62 ThreeBytesField,
63 UTCTimeField,
64 XByteField,
65 XShortField,
66)
67from scapy.packet import Packet, bind_layers, bind_bottom_up
68from scapy.plist import PacketList
69from scapy.sessions import IPSession
71from scapy.layers.inet import UDP
72from scapy.layers.inet6 import IP6Field
74# Typing imports
75from typing import (
76 Any,
77 Dict,
78 Optional,
79)
82class NetflowHeader(Packet):
83 name = "Netflow Header"
84 fields_desc = [ShortField("version", 1)]
87for port in [2055, 2056, 9995, 9996, 6343]: # Classic NetFlow ports
88 bind_bottom_up(UDP, NetflowHeader, dport=port)
89 bind_bottom_up(UDP, NetflowHeader, sport=port)
90# However, we'll default to 2055, classic among classics :)
91bind_layers(UDP, NetflowHeader, dport=2055, sport=2055)
93###########################################
94# Netflow Version 1
95###########################################
98class NetflowHeaderV1(Packet):
99 name = "Netflow Header v1"
100 fields_desc = [ShortField("count", None),
101 IntField("sysUptime", 0),
102 UTCTimeField("unixSecs", 0),
103 UTCTimeField("unixNanoSeconds", 0, use_nano=True)]
105 def post_build(self, pkt, pay):
106 if self.count is None:
107 count = len(self.layers()) - 1
108 pkt = struct.pack("!H", count) + pkt[2:]
109 return pkt + pay
112class NetflowRecordV1(Packet):
113 name = "Netflow Record v1"
114 fields_desc = [IPField("ipsrc", "0.0.0.0"),
115 IPField("ipdst", "0.0.0.0"),
116 IPField("nexthop", "0.0.0.0"),
117 ShortField("inputIfIndex", 0),
118 ShortField("outpuIfIndex", 0),
119 IntField("dpkts", 0),
120 IntField("dbytes", 0),
121 IntField("starttime", 0),
122 IntField("endtime", 0),
123 ShortField("srcport", 0),
124 ShortField("dstport", 0),
125 ShortField("padding", 0),
126 ByteField("proto", 0),
127 ByteField("tos", 0),
128 IntField("padding1", 0),
129 IntField("padding2", 0)]
132bind_layers(NetflowHeader, NetflowHeaderV1, version=1)
133bind_layers(NetflowHeaderV1, NetflowRecordV1)
134bind_layers(NetflowRecordV1, NetflowRecordV1)
137#########################################
138# Netflow Version 5
139#########################################
142class NetflowHeaderV5(Packet):
143 name = "Netflow Header v5"
144 fields_desc = [ShortField("count", None),
145 IntField("sysUptime", 0),
146 UTCTimeField("unixSecs", 0),
147 UTCTimeField("unixNanoSeconds", 0, use_nano=True),
148 IntField("flowSequence", 0),
149 ByteField("engineType", 0),
150 ByteField("engineID", 0),
151 ShortField("samplingInterval", 0)]
153 def post_build(self, pkt, pay):
154 if self.count is None:
155 count = len(self.layers()) - 1
156 pkt = struct.pack("!H", count) + pkt[2:]
157 return pkt + pay
160class NetflowRecordV5(Packet):
161 name = "Netflow Record v5"
162 fields_desc = [IPField("src", "127.0.0.1"),
163 IPField("dst", "127.0.0.1"),
164 IPField("nexthop", "0.0.0.0"),
165 ShortField("input", 0),
166 ShortField("output", 0),
167 IntField("dpkts", 1),
168 IntField("dOctets", 60),
169 IntField("first", 0),
170 IntField("last", 0),
171 ShortField("srcport", 0),
172 ShortField("dstport", 0),
173 ByteField("pad1", 0),
174 FlagsField("tcpFlags", 0x2, 8, "FSRPAUEC"),
175 ByteEnumField("prot", socket.IPPROTO_TCP, IP_PROTOS),
176 ByteField("tos", 0),
177 ShortField("src_as", 0),
178 ShortField("dst_as", 0),
179 ByteField("src_mask", 0),
180 ByteField("dst_mask", 0),
181 ShortField("pad2", 0)]
184bind_layers(NetflowHeader, NetflowHeaderV5, version=5)
185bind_layers(NetflowHeaderV5, NetflowRecordV5)
186bind_layers(NetflowRecordV5, NetflowRecordV5)
188#########################################
189# Netflow Version 9/10
190#########################################
192# NetflowV9 RFC
193# https://www.ietf.org/rfc/rfc3954.txt
195# IPFix RFC
196# https://tools.ietf.org/html/rfc5101
197# https://tools.ietf.org/html/rfc5655
200@dataclasses.dataclass
201class _N910F:
202 name: str
203 length: int = 0
204 field: Field = None
205 kwargs: Dict[str, Any] = dataclasses.field(default_factory=dict)
208# NetflowV9 Ready-made fields
210class ShortOrInt(IntField):
211 def getfield(self, pkt, x):
212 if len(x) == 2:
213 Field.__init__(self, self.name, self.default, fmt="!H")
214 return Field.getfield(self, pkt, x)
217class _AdjustableNetflowField(IntField, LongField):
218 """Fields that can receive a length kwarg, even though they normally can't.
219 Netflow usage only."""
220 def __init__(self, name, default, length):
221 if length == 4:
222 IntField.__init__(self, name, default)
223 return
224 elif length == 8:
225 LongField.__init__(self, name, default)
226 return
227 LongField.__init__(self, name, default)
230class N9SecondsIntField(SecondsIntField, _AdjustableNetflowField):
231 """Defines dateTimeSeconds (without EPOCH: just seconds)"""
232 def __init__(self, name, default, *args, **kargs):
233 length = kargs.pop("length", 8)
234 SecondsIntField.__init__(self, name, default, *args, **kargs)
235 _AdjustableNetflowField.__init__(
236 self, name, default, length
237 )
240class N9UTCTimeField(UTCTimeField, _AdjustableNetflowField):
241 """Defines dateTimeSeconds (EPOCH)"""
242 def __init__(self, name, default, *args, **kargs):
243 length = kargs.pop("length", 8)
244 UTCTimeField.__init__(self, name, default, *args, **kargs)
245 _AdjustableNetflowField.__init__(
246 self, name, default, length
247 )
249# TODO: There are hundreds of entries to add to the following list :(
250# it's thus incomplete.
251# https://www.iana.org/assignments/ipfix/ipfix.xml
252# ==> feel free to contribute :D
254# XXX: we should probably switch the names below to IANA normalized ones.
256# This is v9_v10_template_types (with names from the rfc for the first 79)
257# https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-netflow.c # noqa: E501
258# (it has all values external to the RFC)
261NTOP_BASE = 57472
262NetflowV910TemplateFields = {
263 1: _N910F("IN_BYTES", length=4),
264 2: _N910F("IN_PKTS", length=4),
265 3: _N910F("FLOWS", length=4),
266 4: _N910F("PROTOCOL", length=1,
267 field=ByteEnumField, kwargs={"enum": IP_PROTOS}),
268 5: _N910F("TOS", length=1,
269 field=XByteField),
270 6: _N910F("TCP_FLAGS", length=1,
271 field=ByteField),
272 7: _N910F("L4_SRC_PORT", length=2,
273 field=ShortField),
274 8: _N910F("IPV4_SRC_ADDR", length=4,
275 field=IPField),
276 9: _N910F("SRC_MASK", length=1,
277 field=ByteField),
278 10: _N910F("INPUT_SNMP"),
279 11: _N910F("L4_DST_PORT", length=2,
280 field=ShortField),
281 12: _N910F("IPV4_DST_ADDR", length=4,
282 field=IPField),
283 13: _N910F("DST_MASK", length=1,
284 field=ByteField),
285 14: _N910F("OUTPUT_SNMP"),
286 15: _N910F("IPV4_NEXT_HOP", length=4,
287 field=IPField),
288 16: _N910F("SRC_AS", length=2,
289 field=ShortOrInt),
290 17: _N910F("DST_AS", length=2,
291 field=ShortOrInt),
292 18: _N910F("BGP_IPV4_NEXT_HOP", length=4,
293 field=IPField),
294 19: _N910F("MUL_DST_PKTS", length=4),
295 20: _N910F("MUL_DST_BYTES", length=4),
296 21: _N910F("LAST_SWITCHED", length=4,
297 field=SecondsIntField,
298 kwargs={"use_msec": True}),
299 22: _N910F("FIRST_SWITCHED", length=4,
300 field=SecondsIntField,
301 kwargs={"use_msec": True}),
302 23: _N910F("OUT_BYTES", length=4),
303 24: _N910F("OUT_PKTS", length=4),
304 25: _N910F("IP_LENGTH_MINIMUM"),
305 26: _N910F("IP_LENGTH_MAXIMUM"),
306 27: _N910F("IPV6_SRC_ADDR", length=16,
307 field=IP6Field),
308 28: _N910F("IPV6_DST_ADDR", length=16,
309 field=IP6Field),
310 29: _N910F("IPV6_SRC_MASK", length=1,
311 field=ByteField),
312 30: _N910F("IPV6_DST_MASK", length=1,
313 field=ByteField),
314 31: _N910F("IPV6_FLOW_LABEL", length=3,
315 field=ThreeBytesField),
316 32: _N910F("ICMP_TYPE", length=2,
317 field=XShortField),
318 33: _N910F("MUL_IGMP_TYPE", length=1,
319 field=ByteField),
320 34: _N910F("SAMPLING_INTERVAL", length=4,
321 field=IntField),
322 35: _N910F("SAMPLING_ALGORITHM", length=1,
323 field=XByteField),
324 36: _N910F("FLOW_ACTIVE_TIMEOUT", length=2,
325 field=ShortField),
326 37: _N910F("FLOW_INACTIVE_TIMEOUT", length=2,
327 field=ShortField),
328 38: _N910F("ENGINE_TYPE", length=1,
329 field=ByteField),
330 39: _N910F("ENGINE_ID", length=1,
331 field=ByteField),
332 40: _N910F("TOTAL_BYTES_EXP", length=4),
333 41: _N910F("TOTAL_PKTS_EXP", length=4),
334 42: _N910F("TOTAL_FLOWS_EXP", length=4),
335 43: _N910F("IPV4_ROUTER_SC"),
336 44: _N910F("IP_SRC_PREFIX"),
337 45: _N910F("IP_DST_PREFIX"),
338 46: _N910F("MPLS_TOP_LABEL_TYPE", length=1,
339 field=ByteEnumField,
340 kwargs={"enum": {
341 0x00: "UNKNOWN",
342 0x01: "TE-MIDPT",
343 0x02: "ATOM",
344 0x03: "VPN",
345 0x04: "BGP",
346 0x05: "LDP",
347 }}),
348 47: _N910F("MPLS_TOP_LABEL_IP_ADDR", length=4,
349 field=IPField),
350 48: _N910F("FLOW_SAMPLER_ID", length=4), # from ERRATA
351 49: _N910F("FLOW_SAMPLER_MODE", length=1,
352 field=ByteField),
353 50: _N910F("FLOW_SAMPLER_RANDOM_INTERVAL", length=4,
354 field=IntField),
355 51: _N910F("FLOW_CLASS"),
356 52: _N910F("MIN_TTL"),
357 53: _N910F("MAX_TTL"),
358 54: _N910F("IPV4_IDENT"),
359 55: _N910F("DST_TOS", length=1,
360 field=XByteField),
361 56: _N910F("SRC_MAC", length=6,
362 field=MACField),
363 57: _N910F("DST_MAC", length=6,
364 field=MACField),
365 58: _N910F("SRC_VLAN", length=2,
366 field=ShortField),
367 59: _N910F("DST_VLAN", length=2,
368 field=ShortField),
369 60: _N910F("IP_PROTOCOL_VERSION", length=1,
370 field=ByteField),
371 61: _N910F("DIRECTION", length=1,
372 field=ByteEnumField,
373 kwargs={"enum": {0x00: "Ingress flow", 0x01: "Egress flow"}}),
374 62: _N910F("IPV6_NEXT_HOP", length=16,
375 field=IP6Field),
376 63: _N910F("BGP_IPV6_NEXT_HOP", length=16,
377 field=IP6Field),
378 64: _N910F("IPV6_OPTION_HEADERS", length=4),
379 70: _N910F("MPLS_LABEL_1", length=3),
380 71: _N910F("MPLS_LABEL_2", length=3),
381 72: _N910F("MPLS_LABEL_3", length=3),
382 73: _N910F("MPLS_LABEL_4", length=3),
383 74: _N910F("MPLS_LABEL_5", length=3),
384 75: _N910F("MPLS_LABEL_6", length=3),
385 76: _N910F("MPLS_LABEL_7", length=3),
386 77: _N910F("MPLS_LABEL_8", length=3),
387 78: _N910F("MPLS_LABEL_9", length=3),
388 79: _N910F("MPLS_LABEL_10", length=3),
389 80: _N910F("DESTINATION_MAC"),
390 81: _N910F("SOURCE_MAC"),
391 82: _N910F("IF_NAME"),
392 83: _N910F("IF_DESC"),
393 84: _N910F("SAMPLER_NAME"),
394 85: _N910F("BYTES_TOTAL"),
395 86: _N910F("PACKETS_TOTAL"),
396 88: _N910F("FRAGMENT_OFFSET"),
397 89: _N910F("FORWARDING_STATUS"),
398 90: _N910F("VPN_ROUTE_DISTINGUISHER"),
399 91: _N910F("mplsTopLabelPrefixLength"),
400 92: _N910F("SRC_TRAFFIC_INDEX"),
401 93: _N910F("DST_TRAFFIC_INDEX"),
402 94: _N910F("APPLICATION_DESC"),
403 95: _N910F("APPLICATION_ID"),
404 96: _N910F("APPLICATION_NAME"),
405 98: _N910F("postIpDiffServCodePoint"),
406 99: _N910F("multicastReplicationFactor"),
407 101: _N910F("classificationEngineId"),
408 128: _N910F("DST_AS_PEER"),
409 129: _N910F("SRC_AS_PEER"),
410 130: _N910F("exporterIPv4Address", length=4,
411 field=IPField),
412 131: _N910F("exporterIPv6Address", length=16,
413 field=IP6Field),
414 132: _N910F("DROPPED_BYTES"),
415 133: _N910F("DROPPED_PACKETS"),
416 134: _N910F("DROPPED_BYTES_TOTAL"),
417 135: _N910F("DROPPED_PACKETS_TOTAL"),
418 136: _N910F("flowEndReason"),
419 137: _N910F("commonPropertiesId"),
420 138: _N910F("observationPointId"),
421 139: _N910F("icmpTypeCodeIPv6"),
422 140: _N910F("MPLS_TOP_LABEL_IPv6_ADDRESS"),
423 141: _N910F("lineCardId"),
424 142: _N910F("portId"),
425 143: _N910F("meteringProcessId"),
426 144: _N910F("FLOW_EXPORTER"),
427 145: _N910F("templateId"),
428 146: _N910F("wlanChannelId"),
429 147: _N910F("wlanSSID"),
430 148: _N910F("flowId"),
431 149: _N910F("observationDomainId"),
432 150: _N910F("flowStartSeconds", length=8,
433 field=N9UTCTimeField),
434 151: _N910F("flowEndSeconds", length=8,
435 field=N9UTCTimeField),
436 152: _N910F("flowStartMilliseconds", length=8,
437 field=N9UTCTimeField,
438 kwargs={"use_msec": True}),
439 153: _N910F("flowEndMilliseconds", length=8,
440 field=N9UTCTimeField,
441 kwargs={"use_msec": True}),
442 154: _N910F("flowStartMicroseconds", length=8,
443 field=N9UTCTimeField,
444 kwargs={"use_micro": True}),
445 155: _N910F("flowEndMicroseconds", length=8,
446 field=N9UTCTimeField,
447 kwargs={"use_micro": True}),
448 156: _N910F("flowStartNanoseconds", length=8,
449 field=N9UTCTimeField,
450 kwargs={"use_nano": True}),
451 157: _N910F("flowEndNanoseconds", length=8,
452 field=N9UTCTimeField,
453 kwargs={"use_nano": True}),
454 158: _N910F("flowStartDeltaMicroseconds", length=8,
455 field=N9SecondsIntField,
456 kwargs={"use_micro": True}),
457 159: _N910F("flowEndDeltaMicroseconds", length=8,
458 field=N9SecondsIntField,
459 kwargs={"use_micro": True}),
460 160: _N910F("systemInitTimeMilliseconds", length=8,
461 field=N9UTCTimeField,
462 kwargs={"use_msec": True}),
463 161: _N910F("flowDurationMilliseconds", length=8,
464 field=N9SecondsIntField,
465 kwargs={"use_msec": True}),
466 162: _N910F("flowDurationMicroseconds", length=8,
467 field=N9SecondsIntField,
468 kwargs={"use_micro": True}),
469 163: _N910F("observedFlowTotalCount"),
470 164: _N910F("ignoredPacketTotalCount"),
471 165: _N910F("ignoredOctetTotalCount"),
472 166: _N910F("notSentFlowTotalCount"),
473 167: _N910F("notSentPacketTotalCount"),
474 168: _N910F("notSentOctetTotalCount"),
475 169: _N910F("destinationIPv6Prefix"),
476 170: _N910F("sourceIPv6Prefix"),
477 171: _N910F("postOctetTotalCount"),
478 172: _N910F("postPacketTotalCount"),
479 173: _N910F("flowKeyIndicator"),
480 174: _N910F("postMCastPacketTotalCount"),
481 175: _N910F("postMCastOctetTotalCount"),
482 176: _N910F("ICMP_IPv4_TYPE"),
483 177: _N910F("ICMP_IPv4_CODE"),
484 178: _N910F("ICMP_IPv6_TYPE"),
485 179: _N910F("ICMP_IPv6_CODE"),
486 180: _N910F("UDP_SRC_PORT"),
487 181: _N910F("UDP_DST_PORT"),
488 182: _N910F("TCP_SRC_PORT"),
489 183: _N910F("TCP_DST_PORT"),
490 184: _N910F("TCP_SEQ_NUM"),
491 185: _N910F("TCP_ACK_NUM"),
492 186: _N910F("TCP_WINDOW_SIZE"),
493 187: _N910F("TCP_URGENT_PTR"),
494 188: _N910F("TCP_HEADER_LEN"),
495 189: _N910F("IP_HEADER_LEN"),
496 190: _N910F("IP_TOTAL_LEN"),
497 191: _N910F("payloadLengthIPv6"),
498 192: _N910F("IP_TTL"),
499 193: _N910F("nextHeaderIPv6"),
500 194: _N910F("mplsPayloadLength"),
501 195: _N910F("IP_DSCP", length=1,
502 field=XByteField),
503 196: _N910F("IP_PRECEDENCE"),
504 197: _N910F("IP_FRAGMENT_FLAGS"),
505 198: _N910F("DELTA_BYTES_SQUARED"),
506 199: _N910F("TOTAL_BYTES_SQUARED"),
507 200: _N910F("MPLS_TOP_LABEL_TTL"),
508 201: _N910F("MPLS_LABEL_STACK_OCTETS"),
509 202: _N910F("MPLS_LABEL_STACK_DEPTH"),
510 203: _N910F("MPLS_TOP_LABEL_EXP"),
511 204: _N910F("IP_PAYLOAD_LENGTH"),
512 205: _N910F("UDP_LENGTH"),
513 206: _N910F("IS_MULTICAST"),
514 207: _N910F("IP_HEADER_WORDS"),
515 208: _N910F("IP_OPTION_MAP"),
516 209: _N910F("TCP_OPTION_MAP"),
517 210: _N910F("paddingOctets"),
518 211: _N910F("collectorIPv4Address", length=4,
519 field=IPField),
520 212: _N910F("collectorIPv6Address", length=16,
521 field=IP6Field),
522 213: _N910F("collectorInterface"),
523 214: _N910F("collectorProtocolVersion"),
524 215: _N910F("collectorTransportProtocol"),
525 216: _N910F("collectorTransportPort"),
526 217: _N910F("exporterTransportPort"),
527 218: _N910F("tcpSynTotalCount"),
528 219: _N910F("tcpFinTotalCount"),
529 220: _N910F("tcpRstTotalCount"),
530 221: _N910F("tcpPshTotalCount"),
531 222: _N910F("tcpAckTotalCount"),
532 223: _N910F("tcpUrgTotalCount"),
533 224: _N910F("ipTotalLength"),
534 225: _N910F("postNATSourceIPv4Address", length=4,
535 field=IPField),
536 226: _N910F("postNATDestinationIPv4Address", length=4,
537 field=IPField),
538 227: _N910F("postNAPTSourceTransportPort"),
539 228: _N910F("postNAPTDestinationTransportPort"),
540 229: _N910F("natOriginatingAddressRealm"),
541 230: _N910F("natEvent"),
542 231: _N910F("initiatorOctets"),
543 232: _N910F("responderOctets"),
544 233: _N910F("firewallEvent"),
545 234: _N910F("ingressVRFID"),
546 235: _N910F("egressVRFID"),
547 236: _N910F("VRFname"),
548 237: _N910F("postMplsTopLabelExp"),
549 238: _N910F("tcpWindowScale"),
550 239: _N910F("biflowDirection"),
551 240: _N910F("ethernetHeaderLength"),
552 241: _N910F("ethernetPayloadLength"),
553 242: _N910F("ethernetTotalLength"),
554 243: _N910F("dot1qVlanId"),
555 244: _N910F("dot1qPriority"),
556 245: _N910F("dot1qCustomerVlanId"),
557 246: _N910F("dot1qCustomerPriority"),
558 247: _N910F("metroEvcId"),
559 248: _N910F("metroEvcType"),
560 249: _N910F("pseudoWireId"),
561 250: _N910F("pseudoWireType"),
562 251: _N910F("pseudoWireControlWord"),
563 252: _N910F("ingressPhysicalInterface"),
564 253: _N910F("egressPhysicalInterface"),
565 254: _N910F("postDot1qVlanId"),
566 255: _N910F("postDot1qCustomerVlanId"),
567 256: _N910F("ethernetType"),
568 257: _N910F("postIpPrecedence"),
569 258: _N910F("collectionTimeMilliseconds", length=8,
570 field=N9SecondsIntField,
571 kwargs={"use_msec": True}),
572 259: _N910F("exportSctpStreamId"),
573 260: _N910F("maxExportSeconds", length=8,
574 field=N9SecondsIntField),
575 261: _N910F("maxFlowEndSeconds", length=8,
576 field=N9SecondsIntField),
577 262: _N910F("messageMD5Checksum"),
578 263: _N910F("messageScope"),
579 264: _N910F("minExportSeconds", length=8,
580 field=N9SecondsIntField),
581 265: _N910F("minFlowStartSeconds", length=8,
582 field=N9SecondsIntField),
583 266: _N910F("opaqueOctets"),
584 267: _N910F("sessionScope"),
585 268: _N910F("maxFlowEndMicroseconds", length=8,
586 field=N9UTCTimeField,
587 kwargs={"use_micro": True}),
588 269: _N910F("maxFlowEndMilliseconds", length=8,
589 field=N9UTCTimeField,
590 kwargs={"use_msec": True}),
591 270: _N910F("maxFlowEndNanoseconds", length=8,
592 field=N9UTCTimeField,
593 kwargs={"use_nano": True}),
594 271: _N910F("minFlowStartMicroseconds", length=8,
595 field=N9UTCTimeField,
596 kwargs={"use_micro": True}),
597 272: _N910F("minFlowStartMilliseconds", length=8,
598 field=N9UTCTimeField,
599 kwargs={"use_msec": True}),
600 273: _N910F("minFlowStartNanoseconds", length=8,
601 field=N9UTCTimeField,
602 kwargs={"use_nano": True}),
603 274: _N910F("collectorCertificate"),
604 275: _N910F("exporterCertificate"),
605 276: _N910F("dataRecordsReliability"),
606 277: _N910F("observationPointType"),
607 278: _N910F("newConnectionDeltaCount"),
608 279: _N910F("connectionSumDurationSeconds", length=8,
609 field=N9SecondsIntField),
610 280: _N910F("connectionTransactionId"),
611 281: _N910F("postNATSourceIPv6Address", length=16,
612 field=IP6Field),
613 282: _N910F("postNATDestinationIPv6Address", length=16,
614 field=IP6Field),
615 283: _N910F("natPoolId"),
616 284: _N910F("natPoolName"),
617 285: _N910F("anonymizationFlags"),
618 286: _N910F("anonymizationTechnique"),
619 287: _N910F("informationElementIndex"),
620 288: _N910F("p2pTechnology"),
621 289: _N910F("tunnelTechnology"),
622 290: _N910F("encryptedTechnology"),
623 291: _N910F("basicList"),
624 292: _N910F("subTemplateList"),
625 293: _N910F("subTemplateMultiList"),
626 294: _N910F("bgpValidityState"),
627 295: _N910F("IPSecSPI"),
628 296: _N910F("greKey"),
629 297: _N910F("natType"),
630 298: _N910F("initiatorPackets"),
631 299: _N910F("responderPackets"),
632 300: _N910F("observationDomainName"),
633 301: _N910F("selectionSequenceId"),
634 302: _N910F("selectorId"),
635 303: _N910F("informationElementId"),
636 304: _N910F("selectorAlgorithm"),
637 305: _N910F("samplingPacketInterval"),
638 306: _N910F("samplingPacketSpace"),
639 307: _N910F("samplingTimeInterval"),
640 308: _N910F("samplingTimeSpace"),
641 309: _N910F("samplingSize"),
642 310: _N910F("samplingPopulation"),
643 311: _N910F("samplingProbability"),
644 312: _N910F("dataLinkFrameSize"),
645 313: _N910F("IP_SECTION_HEADER"),
646 314: _N910F("IP_SECTION_PAYLOAD"),
647 315: _N910F("dataLinkFrameSection"),
648 316: _N910F("mplsLabelStackSection"),
649 317: _N910F("mplsPayloadPacketSection"),
650 318: _N910F("selectorIdTotalPktsObserved"),
651 319: _N910F("selectorIdTotalPktsSelected"),
652 320: _N910F("absoluteError"),
653 321: _N910F("relativeError"),
654 322: _N910F("observationTimeSeconds", length=8,
655 field=N9UTCTimeField),
656 323: _N910F("observationTimeMilliseconds", length=8,
657 field=N9UTCTimeField,
658 kwargs={"use_msec": True}),
659 324: _N910F("observationTimeMicroseconds", length=8,
660 field=N9UTCTimeField,
661 kwargs={"use_micro": True}),
662 325: _N910F("observationTimeNanoseconds", length=8,
663 field=N9UTCTimeField,
664 kwargs={"use_nano": True}),
665 326: _N910F("digestHashValue"),
666 327: _N910F("hashIPPayloadOffset"),
667 328: _N910F("hashIPPayloadSize"),
668 329: _N910F("hashOutputRangeMin"),
669 330: _N910F("hashOutputRangeMax"),
670 331: _N910F("hashSelectedRangeMin"),
671 332: _N910F("hashSelectedRangeMax"),
672 333: _N910F("hashDigestOutput"),
673 334: _N910F("hashInitialiserValue"),
674 335: _N910F("selectorName"),
675 336: _N910F("upperCILimit"),
676 337: _N910F("lowerCILimit"),
677 338: _N910F("confidenceLevel"),
678 339: _N910F("informationElementDataType"),
679 340: _N910F("informationElementDescription"),
680 341: _N910F("informationElementName"),
681 342: _N910F("informationElementRangeBegin"),
682 343: _N910F("informationElementRangeEnd"),
683 344: _N910F("informationElementSemantics"),
684 345: _N910F("informationElementUnits"),
685 346: _N910F("privateEnterpriseNumber"),
686 347: _N910F("virtualStationInterfaceId"),
687 348: _N910F("virtualStationInterfaceName"),
688 349: _N910F("virtualStationUUID"),
689 350: _N910F("virtualStationName"),
690 351: _N910F("layer2SegmentId"),
691 352: _N910F("layer2OctetDeltaCount"),
692 353: _N910F("layer2OctetTotalCount"),
693 354: _N910F("ingressUnicastPacketTotalCount"),
694 355: _N910F("ingressMulticastPacketTotalCount"),
695 356: _N910F("ingressBroadcastPacketTotalCount"),
696 357: _N910F("egressUnicastPacketTotalCount"),
697 358: _N910F("egressBroadcastPacketTotalCount"),
698 359: _N910F("monitoringIntervalStartMilliSeconds"),
699 360: _N910F("monitoringIntervalEndMilliSeconds"),
700 361: _N910F("portRangeStart"),
701 362: _N910F("portRangeEnd"),
702 363: _N910F("portRangeStepSize"),
703 364: _N910F("portRangeNumPorts"),
704 365: _N910F("staMacAddress", length=6,
705 field=MACField),
706 366: _N910F("staIPv4Address", length=4,
707 field=IPField),
708 367: _N910F("wtpMacAddress", length=6,
709 field=MACField),
710 368: _N910F("ingressInterfaceType"),
711 369: _N910F("egressInterfaceType"),
712 370: _N910F("rtpSequenceNumber"),
713 371: _N910F("userName"),
714 372: _N910F("applicationCategoryName"),
715 373: _N910F("applicationSubCategoryName"),
716 374: _N910F("applicationGroupName"),
717 375: _N910F("originalFlowsPresent"),
718 376: _N910F("originalFlowsInitiated"),
719 377: _N910F("originalFlowsCompleted"),
720 378: _N910F("distinctCountOfSourceIPAddress"),
721 379: _N910F("distinctCountOfDestinationIPAddress"),
722 380: _N910F("distinctCountOfSourceIPv4Address", length=4,
723 field=IPField),
724 381: _N910F("distinctCountOfDestinationIPv4Address", length=4,
725 field=IPField),
726 382: _N910F("distinctCountOfSourceIPv6Address", length=16,
727 field=IP6Field),
728 383: _N910F("distinctCountOfDestinationIPv6Address", length=16,
729 field=IP6Field),
730 384: _N910F("valueDistributionMethod"),
731 385: _N910F("rfc3550JitterMilliseconds"),
732 386: _N910F("rfc3550JitterMicroseconds"),
733 387: _N910F("rfc3550JitterNanoseconds"),
734 388: _N910F("dot1qDEI"),
735 389: _N910F("dot1qCustomerDEI"),
736 390: _N910F("flowSelectorAlgorithm"),
737 391: _N910F("flowSelectedOctetDeltaCount"),
738 392: _N910F("flowSelectedPacketDeltaCount"),
739 393: _N910F("flowSelectedFlowDeltaCount"),
740 394: _N910F("selectorIDTotalFlowsObserved"),
741 395: _N910F("selectorIDTotalFlowsSelected"),
742 396: _N910F("samplingFlowInterval"),
743 397: _N910F("samplingFlowSpacing"),
744 398: _N910F("flowSamplingTimeInterval"),
745 399: _N910F("flowSamplingTimeSpacing"),
746 400: _N910F("hashFlowDomain"),
747 401: _N910F("transportOctetDeltaCount"),
748 402: _N910F("transportPacketDeltaCount"),
749 403: _N910F("originalExporterIPv4Address", length=4,
750 field=IPField),
751 404: _N910F("originalExporterIPv6Address", length=16,
752 field=IP6Field),
753 405: _N910F("originalObservationDomainId"),
754 406: _N910F("intermediateProcessId"),
755 407: _N910F("ignoredDataRecordTotalCount"),
756 408: _N910F("dataLinkFrameType"),
757 409: _N910F("sectionOffset"),
758 410: _N910F("sectionExportedOctets"),
759 411: _N910F("dot1qServiceInstanceTag"),
760 412: _N910F("dot1qServiceInstanceId"),
761 413: _N910F("dot1qServiceInstancePriority"),
762 414: _N910F("dot1qCustomerSourceMacAddress", length=6,
763 field=MACField),
764 415: _N910F("dot1qCustomerDestinationMacAddress", length=6,
765 field=MACField),
766 416: _N910F("deprecated [dup of layer2OctetDeltaCount]"),
767 417: _N910F("postLayer2OctetDeltaCount"),
768 418: _N910F("postMCastLayer2OctetDeltaCount"),
769 419: _N910F("deprecated [dup of layer2OctetTotalCount"),
770 420: _N910F("postLayer2OctetTotalCount"),
771 421: _N910F("postMCastLayer2OctetTotalCount"),
772 422: _N910F("minimumLayer2TotalLength"),
773 423: _N910F("maximumLayer2TotalLength"),
774 424: _N910F("droppedLayer2OctetDeltaCount"),
775 425: _N910F("droppedLayer2OctetTotalCount"),
776 426: _N910F("ignoredLayer2OctetTotalCount"),
777 427: _N910F("notSentLayer2OctetTotalCount"),
778 428: _N910F("layer2OctetDeltaSumOfSquares"),
779 429: _N910F("layer2OctetTotalSumOfSquares"),
780 430: _N910F("layer2FrameDeltaCount"),
781 431: _N910F("layer2FrameTotalCount"),
782 432: _N910F("pseudoWireDestinationIPv4Address", length=4,
783 field=IPField),
784 433: _N910F("ignoredLayer2FrameTotalCount"),
785 434: _N910F("mibObjectValueInteger"),
786 435: _N910F("mibObjectValueOctetString"),
787 436: _N910F("mibObjectValueOID"),
788 437: _N910F("mibObjectValueBits"),
789 438: _N910F("mibObjectValueIPAddress"),
790 439: _N910F("mibObjectValueCounter"),
791 440: _N910F("mibObjectValueGauge"),
792 441: _N910F("mibObjectValueTimeTicks"),
793 442: _N910F("mibObjectValueUnsigned"),
794 443: _N910F("mibObjectValueTable"),
795 444: _N910F("mibObjectValueRow"),
796 445: _N910F("mibObjectIdentifier"),
797 446: _N910F("mibSubIdentifier"),
798 447: _N910F("mibIndexIndicator"),
799 448: _N910F("mibCaptureTimeSemantics"),
800 449: _N910F("mibContextEngineID"),
801 450: _N910F("mibContextName"),
802 451: _N910F("mibObjectName"),
803 452: _N910F("mibObjectDescription"),
804 453: _N910F("mibObjectSyntax"),
805 454: _N910F("mibModuleName"),
806 455: _N910F("mobileIMSI"),
807 456: _N910F("mobileMSISDN"),
808 457: _N910F("httpStatusCode"),
809 458: _N910F("sourceTransportPortsLimit"),
810 459: _N910F("httpRequestMethod"),
811 460: _N910F("httpRequestHost"),
812 461: _N910F("httpRequestTarget"),
813 462: _N910F("httpMessageVersion"),
814 463: _N910F("natInstanceID"),
815 464: _N910F("internalAddressRealm"),
816 465: _N910F("externalAddressRealm"),
817 466: _N910F("natQuotaExceededEvent"),
818 467: _N910F("natThresholdEvent"),
819 468: _N910F("httpUserAgent"),
820 469: _N910F("httpContentType"),
821 470: _N910F("httpReasonPhrase"),
822 471: _N910F("maxSessionEntries"),
823 472: _N910F("maxBIBEntries"),
824 473: _N910F("maxEntriesPerUser"),
825 474: _N910F("maxSubscribers"),
826 475: _N910F("maxFragmentsPendingReassembly"),
827 476: _N910F("addressPoolHighThreshold"),
828 477: _N910F("addressPoolLowThreshold"),
829 478: _N910F("addressPortMappingHighThreshold"),
830 479: _N910F("addressPortMappingLowThreshold"),
831 480: _N910F("addressPortMappingPerUserHighThreshold"),
832 481: _N910F("globalAddressMappingHighThreshold"),
834 # Ericsson NAT Logging
835 24628: _N910F("NAT_LOG_FIELD_IDX_CONTEXT_ID"),
836 24629: _N910F("NAT_LOG_FIELD_IDX_CONTEXT_NAME"),
837 24630: _N910F("NAT_LOG_FIELD_IDX_ASSIGN_TS_SEC"),
838 24631: _N910F("NAT_LOG_FIELD_IDX_UNASSIGN_TS_SEC"),
839 24632: _N910F("NAT_LOG_FIELD_IDX_IPV4_INT_ADDR", length=4,
840 field=IPField),
841 24633: _N910F("NAT_LOG_FIELD_IDX_IPV4_EXT_ADDR", length=4,
842 field=IPField),
843 24634: _N910F("NAT_LOG_FIELD_IDX_EXT_PORT_FIRST"),
844 24635: _N910F("NAT_LOG_FIELD_IDX_EXT_PORT_LAST"),
845 # Cisco ASA5500 Series NetFlow
846 33000: _N910F("INGRESS_ACL_ID"),
847 33001: _N910F("EGRESS_ACL_ID"),
848 33002: _N910F("FW_EXT_EVENT"),
849 # Cisco TrustSec
850 34000: _N910F("SGT_SOURCE_TAG"),
851 34001: _N910F("SGT_DESTINATION_TAG"),
852 34002: _N910F("SGT_SOURCE_NAME"),
853 34003: _N910F("SGT_DESTINATION_NAME"),
854 # medianet performance monitor
855 37000: _N910F("PACKETS_DROPPED"),
856 37003: _N910F("BYTE_RATE"),
857 37004: _N910F("APPLICATION_MEDIA_BYTES"),
858 37006: _N910F("APPLICATION_MEDIA_BYTE_RATE"),
859 37007: _N910F("APPLICATION_MEDIA_PACKETS"),
860 37009: _N910F("APPLICATION_MEDIA_PACKET_RATE"),
861 37011: _N910F("APPLICATION_MEDIA_EVENT"),
862 37012: _N910F("MONITOR_EVENT"),
863 37013: _N910F("TIMESTAMP_INTERVAL"),
864 37014: _N910F("TRANSPORT_PACKETS_EXPECTED"),
865 37016: _N910F("TRANSPORT_ROUND_TRIP_TIME"),
866 37017: _N910F("TRANSPORT_EVENT_PACKET_LOSS"),
867 37019: _N910F("TRANSPORT_PACKETS_LOST"),
868 37021: _N910F("TRANSPORT_PACKETS_LOST_RATE"),
869 37022: _N910F("TRANSPORT_RTP_SSRC"),
870 37023: _N910F("TRANSPORT_RTP_JITTER_MEAN"),
871 37024: _N910F("TRANSPORT_RTP_JITTER_MIN"),
872 37025: _N910F("TRANSPORT_RTP_JITTER_MAX"),
873 37041: _N910F("TRANSPORT_RTP_PAYLOAD_TYPE"),
874 37071: _N910F("TRANSPORT_BYTES_OUT_OF_ORDER"),
875 37074: _N910F("TRANSPORT_PACKETS_OUT_OF_ORDER"),
876 37083: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MIN"),
877 37084: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MAX"),
878 37085: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MEAN"),
879 37086: _N910F("TRANSPORT_TCP_MAXIMUM_SEGMENT_SIZE"),
880 # Cisco ASA 5500
881 40000: _N910F("AAA_USERNAME"),
882 40001: _N910F("XLATE_SRC_ADDR_IPV4", length=4,
883 field=IPField),
884 40002: _N910F("XLATE_DST_ADDR_IPV4", length=4,
885 field=IPField),
886 40003: _N910F("XLATE_SRC_PORT"),
887 40004: _N910F("XLATE_DST_PORT"),
888 40005: _N910F("FW_EVENT"),
889 # v9 nTop extensions
890 80 + NTOP_BASE: _N910F("SRC_FRAGMENTS"),
891 81 + NTOP_BASE: _N910F("DST_FRAGMENTS"),
892 82 + NTOP_BASE: _N910F("SRC_TO_DST_MAX_THROUGHPUT"),
893 83 + NTOP_BASE: _N910F("SRC_TO_DST_MIN_THROUGHPUT"),
894 84 + NTOP_BASE: _N910F("SRC_TO_DST_AVG_THROUGHPUT"),
895 85 + NTOP_BASE: _N910F("SRC_TO_SRC_MAX_THROUGHPUT"),
896 86 + NTOP_BASE: _N910F("SRC_TO_SRC_MIN_THROUGHPUT"),
897 87 + NTOP_BASE: _N910F("SRC_TO_SRC_AVG_THROUGHPUT"),
898 88 + NTOP_BASE: _N910F("NUM_PKTS_UP_TO_128_BYTES"),
899 89 + NTOP_BASE: _N910F("NUM_PKTS_128_TO_256_BYTES"),
900 90 + NTOP_BASE: _N910F("NUM_PKTS_256_TO_512_BYTES"),
901 91 + NTOP_BASE: _N910F("NUM_PKTS_512_TO_1024_BYTES"),
902 92 + NTOP_BASE: _N910F("NUM_PKTS_1024_TO_1514_BYTES"),
903 93 + NTOP_BASE: _N910F("NUM_PKTS_OVER_1514_BYTES"),
904 98 + NTOP_BASE: _N910F("CUMULATIVE_ICMP_TYPE"),
905 101 + NTOP_BASE: _N910F("SRC_IP_COUNTRY"),
906 102 + NTOP_BASE: _N910F("SRC_IP_CITY"),
907 103 + NTOP_BASE: _N910F("DST_IP_COUNTRY"),
908 104 + NTOP_BASE: _N910F("DST_IP_CITY"),
909 105 + NTOP_BASE: _N910F("FLOW_PROTO_PORT"),
910 106 + NTOP_BASE: _N910F("UPSTREAM_TUNNEL_ID"),
911 107 + NTOP_BASE: _N910F("LONGEST_FLOW_PKT"),
912 108 + NTOP_BASE: _N910F("SHORTEST_FLOW_PKT"),
913 109 + NTOP_BASE: _N910F("RETRANSMITTED_IN_PKTS"),
914 110 + NTOP_BASE: _N910F("RETRANSMITTED_OUT_PKTS"),
915 111 + NTOP_BASE: _N910F("OOORDER_IN_PKTS"),
916 112 + NTOP_BASE: _N910F("OOORDER_OUT_PKTS"),
917 113 + NTOP_BASE: _N910F("UNTUNNELED_PROTOCOL"),
918 114 + NTOP_BASE: _N910F("UNTUNNELED_IPV4_SRC_ADDR", length=4,
919 field=IPField),
920 115 + NTOP_BASE: _N910F("UNTUNNELED_L4_SRC_PORT"),
921 116 + NTOP_BASE: _N910F("UNTUNNELED_IPV4_DST_ADDR", length=4,
922 field=IPField),
923 117 + NTOP_BASE: _N910F("UNTUNNELED_L4_DST_PORT"),
924 118 + NTOP_BASE: _N910F("L7_PROTO"),
925 119 + NTOP_BASE: _N910F("L7_PROTO_NAME"),
926 120 + NTOP_BASE: _N910F("DOWNSTREAM_TUNNEL_ID"),
927 121 + NTOP_BASE: _N910F("FLOW_USER_NAME"),
928 122 + NTOP_BASE: _N910F("FLOW_SERVER_NAME"),
929 123 + NTOP_BASE: _N910F("CLIENT_NW_LATENCY_MS"),
930 124 + NTOP_BASE: _N910F("SERVER_NW_LATENCY_MS"),
931 125 + NTOP_BASE: _N910F("APPL_LATENCY_MS"),
932 126 + NTOP_BASE: _N910F("PLUGIN_NAME"),
933 127 + NTOP_BASE: _N910F("RETRANSMITTED_IN_BYTES"),
934 128 + NTOP_BASE: _N910F("RETRANSMITTED_OUT_BYTES"),
935 130 + NTOP_BASE: _N910F("SIP_CALL_ID"),
936 131 + NTOP_BASE: _N910F("SIP_CALLING_PARTY"),
937 132 + NTOP_BASE: _N910F("SIP_CALLED_PARTY"),
938 133 + NTOP_BASE: _N910F("SIP_RTP_CODECS"),
939 134 + NTOP_BASE: _N910F("SIP_INVITE_TIME"),
940 135 + NTOP_BASE: _N910F("SIP_TRYING_TIME"),
941 136 + NTOP_BASE: _N910F("SIP_RINGING_TIME"),
942 137 + NTOP_BASE: _N910F("SIP_INVITE_OK_TIME"),
943 138 + NTOP_BASE: _N910F("SIP_INVITE_FAILURE_TIME"),
944 139 + NTOP_BASE: _N910F("SIP_BYE_TIME"),
945 140 + NTOP_BASE: _N910F("SIP_BYE_OK_TIME"),
946 141 + NTOP_BASE: _N910F("SIP_CANCEL_TIME"),
947 142 + NTOP_BASE: _N910F("SIP_CANCEL_OK_TIME"),
948 143 + NTOP_BASE: _N910F("SIP_RTP_IPV4_SRC_ADDR", length=4,
949 field=IPField),
950 144 + NTOP_BASE: _N910F("SIP_RTP_L4_SRC_PORT"),
951 145 + NTOP_BASE: _N910F("SIP_RTP_IPV4_DST_ADDR", length=4,
952 field=IPField),
953 146 + NTOP_BASE: _N910F("SIP_RTP_L4_DST_PORT"),
954 147 + NTOP_BASE: _N910F("SIP_RESPONSE_CODE"),
955 148 + NTOP_BASE: _N910F("SIP_REASON_CAUSE"),
956 150 + NTOP_BASE: _N910F("RTP_FIRST_SEQ"),
957 151 + NTOP_BASE: _N910F("RTP_FIRST_TS"),
958 152 + NTOP_BASE: _N910F("RTP_LAST_SEQ"),
959 153 + NTOP_BASE: _N910F("RTP_LAST_TS"),
960 154 + NTOP_BASE: _N910F("RTP_IN_JITTER"),
961 155 + NTOP_BASE: _N910F("RTP_OUT_JITTER"),
962 156 + NTOP_BASE: _N910F("RTP_IN_PKT_LOST"),
963 157 + NTOP_BASE: _N910F("RTP_OUT_PKT_LOST"),
964 158 + NTOP_BASE: _N910F("RTP_OUT_PAYLOAD_TYPE"),
965 159 + NTOP_BASE: _N910F("RTP_IN_MAX_DELTA"),
966 160 + NTOP_BASE: _N910F("RTP_OUT_MAX_DELTA"),
967 161 + NTOP_BASE: _N910F("RTP_IN_PAYLOAD_TYPE"),
968 168 + NTOP_BASE: _N910F("SRC_PROC_PID"),
969 169 + NTOP_BASE: _N910F("SRC_PROC_NAME"),
970 180 + NTOP_BASE: _N910F("HTTP_URL"),
971 181 + NTOP_BASE: _N910F("HTTP_RET_CODE"),
972 182 + NTOP_BASE: _N910F("HTTP_REFERER"),
973 183 + NTOP_BASE: _N910F("HTTP_UA"),
974 184 + NTOP_BASE: _N910F("HTTP_MIME"),
975 185 + NTOP_BASE: _N910F("SMTP_MAIL_FROM"),
976 186 + NTOP_BASE: _N910F("SMTP_RCPT_TO"),
977 187 + NTOP_BASE: _N910F("HTTP_HOST"),
978 188 + NTOP_BASE: _N910F("SSL_SERVER_NAME"),
979 189 + NTOP_BASE: _N910F("BITTORRENT_HASH"),
980 195 + NTOP_BASE: _N910F("MYSQL_SRV_VERSION"),
981 196 + NTOP_BASE: _N910F("MYSQL_USERNAME"),
982 197 + NTOP_BASE: _N910F("MYSQL_DB"),
983 198 + NTOP_BASE: _N910F("MYSQL_QUERY"),
984 199 + NTOP_BASE: _N910F("MYSQL_RESPONSE"),
985 200 + NTOP_BASE: _N910F("ORACLE_USERNAME"),
986 201 + NTOP_BASE: _N910F("ORACLE_QUERY"),
987 202 + NTOP_BASE: _N910F("ORACLE_RSP_CODE"),
988 203 + NTOP_BASE: _N910F("ORACLE_RSP_STRING"),
989 204 + NTOP_BASE: _N910F("ORACLE_QUERY_DURATION"),
990 205 + NTOP_BASE: _N910F("DNS_QUERY"),
991 206 + NTOP_BASE: _N910F("DNS_QUERY_ID"),
992 207 + NTOP_BASE: _N910F("DNS_QUERY_TYPE"),
993 208 + NTOP_BASE: _N910F("DNS_RET_CODE"),
994 209 + NTOP_BASE: _N910F("DNS_NUM_ANSWERS"),
995 210 + NTOP_BASE: _N910F("POP_USER"),
996 220 + NTOP_BASE: _N910F("GTPV1_REQ_MSG_TYPE"),
997 221 + NTOP_BASE: _N910F("GTPV1_RSP_MSG_TYPE"),
998 222 + NTOP_BASE: _N910F("GTPV1_C2S_TEID_DATA"),
999 223 + NTOP_BASE: _N910F("GTPV1_C2S_TEID_CTRL"),
1000 224 + NTOP_BASE: _N910F("GTPV1_S2C_TEID_DATA"),
1001 225 + NTOP_BASE: _N910F("GTPV1_S2C_TEID_CTRL"),
1002 226 + NTOP_BASE: _N910F("GTPV1_END_USER_IP"),
1003 227 + NTOP_BASE: _N910F("GTPV1_END_USER_IMSI"),
1004 228 + NTOP_BASE: _N910F("GTPV1_END_USER_MSISDN"),
1005 229 + NTOP_BASE: _N910F("GTPV1_END_USER_IMEI"),
1006 230 + NTOP_BASE: _N910F("GTPV1_APN_NAME"),
1007 231 + NTOP_BASE: _N910F("GTPV1_RAI_MCC"),
1008 232 + NTOP_BASE: _N910F("GTPV1_RAI_MNC"),
1009 233 + NTOP_BASE: _N910F("GTPV1_ULI_CELL_LAC"),
1010 234 + NTOP_BASE: _N910F("GTPV1_ULI_CELL_CI"),
1011 235 + NTOP_BASE: _N910F("GTPV1_ULI_SAC"),
1012 236 + NTOP_BASE: _N910F("GTPV1_RAT_TYPE"),
1013 240 + NTOP_BASE: _N910F("RADIUS_REQ_MSG_TYPE"),
1014 241 + NTOP_BASE: _N910F("RADIUS_RSP_MSG_TYPE"),
1015 242 + NTOP_BASE: _N910F("RADIUS_USER_NAME"),
1016 243 + NTOP_BASE: _N910F("RADIUS_CALLING_STATION_ID"),
1017 244 + NTOP_BASE: _N910F("RADIUS_CALLED_STATION_ID"),
1018 245 + NTOP_BASE: _N910F("RADIUS_NAS_IP_ADDR"),
1019 246 + NTOP_BASE: _N910F("RADIUS_NAS_IDENTIFIER"),
1020 247 + NTOP_BASE: _N910F("RADIUS_USER_IMSI"),
1021 248 + NTOP_BASE: _N910F("RADIUS_USER_IMEI"),
1022 249 + NTOP_BASE: _N910F("RADIUS_FRAMED_IP_ADDR"),
1023 250 + NTOP_BASE: _N910F("RADIUS_ACCT_SESSION_ID"),
1024 251 + NTOP_BASE: _N910F("RADIUS_ACCT_STATUS_TYPE"),
1025 252 + NTOP_BASE: _N910F("RADIUS_ACCT_IN_OCTETS"),
1026 253 + NTOP_BASE: _N910F("RADIUS_ACCT_OUT_OCTETS"),
1027 254 + NTOP_BASE: _N910F("RADIUS_ACCT_IN_PKTS"),
1028 255 + NTOP_BASE: _N910F("RADIUS_ACCT_OUT_PKTS"),
1029 260 + NTOP_BASE: _N910F("IMAP_LOGIN"),
1030 270 + NTOP_BASE: _N910F("GTPV2_REQ_MSG_TYPE"),
1031 271 + NTOP_BASE: _N910F("GTPV2_RSP_MSG_TYPE"),
1032 272 + NTOP_BASE: _N910F("GTPV2_C2S_S1U_GTPU_TEID"),
1033 273 + NTOP_BASE: _N910F("GTPV2_C2S_S1U_GTPU_IP"),
1034 274 + NTOP_BASE: _N910F("GTPV2_S2C_S1U_GTPU_TEID"),
1035 275 + NTOP_BASE: _N910F("GTPV2_S2C_S1U_GTPU_IP"),
1036 276 + NTOP_BASE: _N910F("GTPV2_END_USER_IMSI"),
1037 277 + NTOP_BASE: _N910F("GTPV2_END_USER_MSISDN"),
1038 278 + NTOP_BASE: _N910F("GTPV2_APN_NAME"),
1039 279 + NTOP_BASE: _N910F("GTPV2_ULI_MCC"),
1040 280 + NTOP_BASE: _N910F("GTPV2_ULI_MNC"),
1041 281 + NTOP_BASE: _N910F("GTPV2_ULI_CELL_TAC"),
1042 282 + NTOP_BASE: _N910F("GTPV2_ULI_CELL_ID"),
1043 283 + NTOP_BASE: _N910F("GTPV2_RAT_TYPE"),
1044 284 + NTOP_BASE: _N910F("GTPV2_PDN_IP"),
1045 285 + NTOP_BASE: _N910F("GTPV2_END_USER_IMEI"),
1046 290 + NTOP_BASE: _N910F("SRC_AS_PATH_1"),
1047 291 + NTOP_BASE: _N910F("SRC_AS_PATH_2"),
1048 292 + NTOP_BASE: _N910F("SRC_AS_PATH_3"),
1049 293 + NTOP_BASE: _N910F("SRC_AS_PATH_4"),
1050 294 + NTOP_BASE: _N910F("SRC_AS_PATH_5"),
1051 295 + NTOP_BASE: _N910F("SRC_AS_PATH_6"),
1052 296 + NTOP_BASE: _N910F("SRC_AS_PATH_7"),
1053 297 + NTOP_BASE: _N910F("SRC_AS_PATH_8"),
1054 298 + NTOP_BASE: _N910F("SRC_AS_PATH_9"),
1055 299 + NTOP_BASE: _N910F("SRC_AS_PATH_10"),
1056 300 + NTOP_BASE: _N910F("DST_AS_PATH_1"),
1057 301 + NTOP_BASE: _N910F("DST_AS_PATH_2"),
1058 302 + NTOP_BASE: _N910F("DST_AS_PATH_3"),
1059 303 + NTOP_BASE: _N910F("DST_AS_PATH_4"),
1060 304 + NTOP_BASE: _N910F("DST_AS_PATH_5"),
1061 305 + NTOP_BASE: _N910F("DST_AS_PATH_6"),
1062 306 + NTOP_BASE: _N910F("DST_AS_PATH_7"),
1063 307 + NTOP_BASE: _N910F("DST_AS_PATH_8"),
1064 308 + NTOP_BASE: _N910F("DST_AS_PATH_9"),
1065 309 + NTOP_BASE: _N910F("DST_AS_PATH_10"),
1066 320 + NTOP_BASE: _N910F("MYSQL_APPL_LATENCY_USEC"),
1067 321 + NTOP_BASE: _N910F("GTPV0_REQ_MSG_TYPE"),
1068 322 + NTOP_BASE: _N910F("GTPV0_RSP_MSG_TYPE"),
1069 323 + NTOP_BASE: _N910F("GTPV0_TID"),
1070 324 + NTOP_BASE: _N910F("GTPV0_END_USER_IP"),
1071 325 + NTOP_BASE: _N910F("GTPV0_END_USER_MSISDN"),
1072 326 + NTOP_BASE: _N910F("GTPV0_APN_NAME"),
1073 327 + NTOP_BASE: _N910F("GTPV0_RAI_MCC"),
1074 328 + NTOP_BASE: _N910F("GTPV0_RAI_MNC"),
1075 329 + NTOP_BASE: _N910F("GTPV0_RAI_CELL_LAC"),
1076 330 + NTOP_BASE: _N910F("GTPV0_RAI_CELL_RAC"),
1077 331 + NTOP_BASE: _N910F("GTPV0_RESPONSE_CAUSE"),
1078 332 + NTOP_BASE: _N910F("GTPV1_RESPONSE_CAUSE"),
1079 333 + NTOP_BASE: _N910F("GTPV2_RESPONSE_CAUSE"),
1080 334 + NTOP_BASE: _N910F("NUM_PKTS_TTL_5_32"),
1081 335 + NTOP_BASE: _N910F("NUM_PKTS_TTL_32_64"),
1082 336 + NTOP_BASE: _N910F("NUM_PKTS_TTL_64_96"),
1083 337 + NTOP_BASE: _N910F("NUM_PKTS_TTL_96_128"),
1084 338 + NTOP_BASE: _N910F("NUM_PKTS_TTL_128_160"),
1085 339 + NTOP_BASE: _N910F("NUM_PKTS_TTL_160_192"),
1086 340 + NTOP_BASE: _N910F("NUM_PKTS_TTL_192_224"),
1087 341 + NTOP_BASE: _N910F("NUM_PKTS_TTL_224_255"),
1088 342 + NTOP_BASE: _N910F("GTPV1_RAI_LAC"),
1089 343 + NTOP_BASE: _N910F("GTPV1_RAI_RAC"),
1090 344 + NTOP_BASE: _N910F("GTPV1_ULI_MCC"),
1091 345 + NTOP_BASE: _N910F("GTPV1_ULI_MNC"),
1092 346 + NTOP_BASE: _N910F("NUM_PKTS_TTL_2_5"),
1093 347 + NTOP_BASE: _N910F("NUM_PKTS_TTL_EQ_1"),
1094 348 + NTOP_BASE: _N910F("RTP_SIP_CALL_ID"),
1095 349 + NTOP_BASE: _N910F("IN_SRC_OSI_SAP"),
1096 350 + NTOP_BASE: _N910F("OUT_DST_OSI_SAP"),
1097 351 + NTOP_BASE: _N910F("WHOIS_DAS_DOMAIN"),
1098 352 + NTOP_BASE: _N910F("DNS_TTL_ANSWER"),
1099 353 + NTOP_BASE: _N910F("DHCP_CLIENT_MAC", length=6,
1100 field=MACField),
1101 354 + NTOP_BASE: _N910F("DHCP_CLIENT_IP", length=4,
1102 field=IPField),
1103 355 + NTOP_BASE: _N910F("DHCP_CLIENT_NAME"),
1104 356 + NTOP_BASE: _N910F("FTP_LOGIN"),
1105 357 + NTOP_BASE: _N910F("FTP_PASSWORD"),
1106 358 + NTOP_BASE: _N910F("FTP_COMMAND"),
1107 359 + NTOP_BASE: _N910F("FTP_COMMAND_RET_CODE"),
1108 360 + NTOP_BASE: _N910F("HTTP_METHOD"),
1109 361 + NTOP_BASE: _N910F("HTTP_SITE"),
1110 362 + NTOP_BASE: _N910F("SIP_C_IP"),
1111 363 + NTOP_BASE: _N910F("SIP_CALL_STATE"),
1112 364 + NTOP_BASE: _N910F("EPP_REGISTRAR_NAME"),
1113 365 + NTOP_BASE: _N910F("EPP_CMD"),
1114 366 + NTOP_BASE: _N910F("EPP_CMD_ARGS"),
1115 367 + NTOP_BASE: _N910F("EPP_RSP_CODE"),
1116 368 + NTOP_BASE: _N910F("EPP_REASON_STR"),
1117 369 + NTOP_BASE: _N910F("EPP_SERVER_NAME"),
1118 370 + NTOP_BASE: _N910F("RTP_IN_MOS"),
1119 371 + NTOP_BASE: _N910F("RTP_IN_R_FACTOR"),
1120 372 + NTOP_BASE: _N910F("SRC_PROC_USER_NAME"),
1121 373 + NTOP_BASE: _N910F("SRC_FATHER_PROC_PID"),
1122 374 + NTOP_BASE: _N910F("SRC_FATHER_PROC_NAME"),
1123 375 + NTOP_BASE: _N910F("DST_PROC_PID"),
1124 376 + NTOP_BASE: _N910F("DST_PROC_NAME"),
1125 377 + NTOP_BASE: _N910F("DST_PROC_USER_NAME"),
1126 378 + NTOP_BASE: _N910F("DST_FATHER_PROC_PID"),
1127 379 + NTOP_BASE: _N910F("DST_FATHER_PROC_NAME"),
1128 380 + NTOP_BASE: _N910F("RTP_RTT"),
1129 381 + NTOP_BASE: _N910F("RTP_IN_TRANSIT"),
1130 382 + NTOP_BASE: _N910F("RTP_OUT_TRANSIT"),
1131 383 + NTOP_BASE: _N910F("SRC_PROC_ACTUAL_MEMORY"),
1132 384 + NTOP_BASE: _N910F("SRC_PROC_PEAK_MEMORY"),
1133 385 + NTOP_BASE: _N910F("SRC_PROC_AVERAGE_CPU_LOAD"),
1134 386 + NTOP_BASE: _N910F("SRC_PROC_NUM_PAGE_FAULTS"),
1135 387 + NTOP_BASE: _N910F("DST_PROC_ACTUAL_MEMORY"),
1136 388 + NTOP_BASE: _N910F("DST_PROC_PEAK_MEMORY"),
1137 389 + NTOP_BASE: _N910F("DST_PROC_AVERAGE_CPU_LOAD"),
1138 390 + NTOP_BASE: _N910F("DST_PROC_NUM_PAGE_FAULTS"),
1139 391 + NTOP_BASE: _N910F("DURATION_IN"),
1140 392 + NTOP_BASE: _N910F("DURATION_OUT"),
1141 393 + NTOP_BASE: _N910F("SRC_PROC_PCTG_IOWAIT"),
1142 394 + NTOP_BASE: _N910F("DST_PROC_PCTG_IOWAIT"),
1143 395 + NTOP_BASE: _N910F("RTP_DTMF_TONES"),
1144 396 + NTOP_BASE: _N910F("UNTUNNELED_IPV6_SRC_ADDR", length=16,
1145 field=IP6Field),
1146 397 + NTOP_BASE: _N910F("UNTUNNELED_IPV6_DST_ADDR", length=16,
1147 field=IP6Field),
1148 398 + NTOP_BASE: _N910F("DNS_RESPONSE"),
1149 399 + NTOP_BASE: _N910F("DIAMETER_REQ_MSG_TYPE"),
1150 400 + NTOP_BASE: _N910F("DIAMETER_RSP_MSG_TYPE"),
1151 401 + NTOP_BASE: _N910F("DIAMETER_REQ_ORIGIN_HOST"),
1152 402 + NTOP_BASE: _N910F("DIAMETER_RSP_ORIGIN_HOST"),
1153 403 + NTOP_BASE: _N910F("DIAMETER_REQ_USER_NAME"),
1154 404 + NTOP_BASE: _N910F("DIAMETER_RSP_RESULT_CODE"),
1155 405 + NTOP_BASE: _N910F("DIAMETER_EXP_RES_VENDOR_ID"),
1156 406 + NTOP_BASE: _N910F("DIAMETER_EXP_RES_RESULT_CODE"),
1157 407 + NTOP_BASE: _N910F("S1AP_ENB_UE_S1AP_ID"),
1158 408 + NTOP_BASE: _N910F("S1AP_MME_UE_S1AP_ID"),
1159 409 + NTOP_BASE: _N910F("S1AP_MSG_EMM_TYPE_MME_TO_ENB"),
1160 410 + NTOP_BASE: _N910F("S1AP_MSG_ESM_TYPE_MME_TO_ENB"),
1161 411 + NTOP_BASE: _N910F("S1AP_MSG_EMM_TYPE_ENB_TO_MME"),
1162 412 + NTOP_BASE: _N910F("S1AP_MSG_ESM_TYPE_ENB_TO_MME"),
1163 413 + NTOP_BASE: _N910F("S1AP_CAUSE_ENB_TO_MME"),
1164 414 + NTOP_BASE: _N910F("S1AP_DETAILED_CAUSE_ENB_TO_MME"),
1165 415 + NTOP_BASE: _N910F("TCP_WIN_MIN_IN"),
1166 416 + NTOP_BASE: _N910F("TCP_WIN_MAX_IN"),
1167 417 + NTOP_BASE: _N910F("TCP_WIN_MSS_IN"),
1168 418 + NTOP_BASE: _N910F("TCP_WIN_SCALE_IN"),
1169 419 + NTOP_BASE: _N910F("TCP_WIN_MIN_OUT"),
1170 420 + NTOP_BASE: _N910F("TCP_WIN_MAX_OUT"),
1171 421 + NTOP_BASE: _N910F("TCP_WIN_MSS_OUT"),
1172 422 + NTOP_BASE: _N910F("TCP_WIN_SCALE_OUT"),
1173 423 + NTOP_BASE: _N910F("DHCP_REMOTE_ID"),
1174 424 + NTOP_BASE: _N910F("DHCP_SUBSCRIBER_ID"),
1175 425 + NTOP_BASE: _N910F("SRC_PROC_UID"),
1176 426 + NTOP_BASE: _N910F("DST_PROC_UID"),
1177 427 + NTOP_BASE: _N910F("APPLICATION_NAME"),
1178 428 + NTOP_BASE: _N910F("USER_NAME"),
1179 429 + NTOP_BASE: _N910F("DHCP_MESSAGE_TYPE"),
1180 430 + NTOP_BASE: _N910F("RTP_IN_PKT_DROP"),
1181 431 + NTOP_BASE: _N910F("RTP_OUT_PKT_DROP"),
1182 432 + NTOP_BASE: _N910F("RTP_OUT_MOS"),
1183 433 + NTOP_BASE: _N910F("RTP_OUT_R_FACTOR"),
1184 434 + NTOP_BASE: _N910F("RTP_MOS"),
1185 435 + NTOP_BASE: _N910F("GTPV2_S5_S8_GTPC_TEID"),
1186 436 + NTOP_BASE: _N910F("RTP_R_FACTOR"),
1187 437 + NTOP_BASE: _N910F("RTP_SSRC"),
1188 438 + NTOP_BASE: _N910F("PAYLOAD_HASH"),
1189 439 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPU_TEID"),
1190 440 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPU_TEID"),
1191 441 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPU_IP"),
1192 442 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPU_IP"),
1193 443 + NTOP_BASE: _N910F("SRC_AS_MAP"),
1194 444 + NTOP_BASE: _N910F("DST_AS_MAP"),
1195 445 + NTOP_BASE: _N910F("DIAMETER_HOP_BY_HOP_ID"),
1196 446 + NTOP_BASE: _N910F("UPSTREAM_SESSION_ID"),
1197 447 + NTOP_BASE: _N910F("DOWNSTREAM_SESSION_ID"),
1198 448 + NTOP_BASE: _N910F("SRC_IP_LONG"),
1199 449 + NTOP_BASE: _N910F("SRC_IP_LAT"),
1200 450 + NTOP_BASE: _N910F("DST_IP_LONG"),
1201 451 + NTOP_BASE: _N910F("DST_IP_LAT"),
1202 452 + NTOP_BASE: _N910F("DIAMETER_CLR_CANCEL_TYPE"),
1203 453 + NTOP_BASE: _N910F("DIAMETER_CLR_FLAGS"),
1204 454 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPC_IP"),
1205 455 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPC_IP"),
1206 456 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_SGW_GTPU_TEID"),
1207 457 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_SGW_GTPU_TEID"),
1208 458 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_SGW_GTPU_IP"),
1209 459 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_SGW_GTPU_IP"),
1210 460 + NTOP_BASE: _N910F("HTTP_X_FORWARDED_FOR"),
1211 461 + NTOP_BASE: _N910F("HTTP_VIA"),
1212 462 + NTOP_BASE: _N910F("SSDP_HOST"),
1213 463 + NTOP_BASE: _N910F("SSDP_USN"),
1214 464 + NTOP_BASE: _N910F("NETBIOS_QUERY_NAME"),
1215 465 + NTOP_BASE: _N910F("NETBIOS_QUERY_TYPE"),
1216 466 + NTOP_BASE: _N910F("NETBIOS_RESPONSE"),
1217 467 + NTOP_BASE: _N910F("NETBIOS_QUERY_OS"),
1218 468 + NTOP_BASE: _N910F("SSDP_SERVER"),
1219 469 + NTOP_BASE: _N910F("SSDP_TYPE"),
1220 470 + NTOP_BASE: _N910F("SSDP_METHOD"),
1221 471 + NTOP_BASE: _N910F("NPROBE_IPV4_ADDRESS", length=4,
1222 field=IPField),
1223}
1224NetflowV910TemplateFieldTypes = {
1225 k: v.name for k, v in NetflowV910TemplateFields.items()
1226}
1228ScopeFieldTypes = {
1229 1: "System",
1230 2: "Interface",
1231 3: "Line card",
1232 4: "Cache",
1233 5: "Template",
1234}
1237class NetflowHeaderV9(Packet):
1238 name = "Netflow Header V9"
1239 fields_desc = [ShortField("count", None),
1240 IntField("sysUptime", 0),
1241 UTCTimeField("unixSecs", None),
1242 IntField("packageSequence", 0),
1243 IntField("SourceID", 0)]
1245 def post_build(self, pkt, pay):
1247 def count_by_layer(layer):
1248 if type(layer) == NetflowFlowsetV9:
1249 return len(layer.templates)
1250 elif type(layer) == NetflowDataflowsetV9:
1251 return len(layer.records)
1252 elif type(layer) == NetflowOptionsFlowsetV9:
1253 return 1
1254 else:
1255 return 0
1257 if self.count is None:
1258 # https://www.rfc-editor.org/rfc/rfc3954#section-5.1
1259 count = sum(
1260 sum(count_by_layer(self.getlayer(layer_cls, nth))
1261 for nth in range(1, n + 1))
1262 for layer_cls, n in Counter(self.layers()).items()
1263 )
1264 pkt = struct.pack("!H", count) + pkt[2:]
1265 return pkt + pay
1268# https://tools.ietf.org/html/rfc5655#appendix-B.1.1
1269class NetflowHeaderV10(Packet):
1270 """IPFix (Netflow V10) Header"""
1271 name = "IPFix (Netflow V10) Header"
1272 fields_desc = [ShortField("length", None),
1273 UTCTimeField("ExportTime", 0),
1274 IntField("flowSequence", 0),
1275 IntField("ObservationDomainID", 0)]
1277 def post_build(self, pkt, pay):
1278 if self.length is None:
1279 length = len(pkt) + len(pay)
1280 pkt = struct.pack("!H", length) + pkt[2:]
1281 return pkt + pay
1284class NetflowTemplateFieldV9(Packet):
1285 name = "Netflow Flowset Template Field V9/10"
1286 fields_desc = [BitField("enterpriseBit", 0, 1),
1287 BitEnumField("fieldType", None, 15,
1288 NetflowV910TemplateFieldTypes),
1289 ShortField("fieldLength", None),
1290 ConditionalField(IntField("enterpriseNumber", 0),
1291 lambda p: p.enterpriseBit)]
1293 def __init__(self, *args, **kwargs):
1294 Packet.__init__(self, *args, **kwargs)
1295 if (self.fieldType is not None and
1296 self.fieldLength is None and
1297 self.fieldType in NetflowV910TemplateFields):
1298 self.fieldLength = NetflowV910TemplateFields[
1299 self.fieldType
1300 ].length or None
1302 def default_payload_class(self, p):
1303 return conf.padding_layer
1306class NetflowTemplateV9(Packet):
1307 name = "Netflow Flowset Template V9/10"
1308 fields_desc = [ShortField("templateID", 255),
1309 FieldLenField("fieldCount", None, count_of="template_fields"), # noqa: E501
1310 PacketListField("template_fields", [], NetflowTemplateFieldV9, # noqa: E501
1311 count_from=lambda pkt: pkt.fieldCount)]
1313 def default_payload_class(self, p):
1314 return conf.padding_layer
1317class NetflowFlowsetV9(Packet):
1318 name = "Netflow FlowSet V9/10"
1319 fields_desc = [ShortField("flowSetID", 0),
1320 FieldLenField("length", None, length_of="templates",
1321 adjust=lambda pkt, x:x + 4),
1322 PacketListField("templates", [], NetflowTemplateV9,
1323 length_from=lambda pkt: pkt.length - 4)]
1326class _CustomStrFixedLenField(StrFixedLenField):
1327 def i2repr(self, pkt, v):
1328 return repr(v)
1331def _GenNetflowRecordV9(cls, lengths_list):
1332 """Internal function used to generate the Records from
1333 their template.
1334 """
1335 _fields_desc = []
1336 for j, k in lengths_list:
1337 _f_type = None
1338 _f_kwargs = {}
1339 if k in NetflowV910TemplateFields:
1340 _f = NetflowV910TemplateFields[k]
1341 _f_type = _f.field
1342 _f_kwargs = _f.kwargs
1344 if _f_type:
1345 if issubclass(_f_type, _AdjustableNetflowField):
1346 _f_kwargs["length"] = j
1347 print(k, _f_kwargs)
1348 _fields_desc.append(
1349 _f_type(
1350 NetflowV910TemplateFieldTypes.get(k, "unknown_data"),
1351 0, **_f_kwargs
1352 )
1353 )
1354 else:
1355 _fields_desc.append(
1356 _CustomStrFixedLenField(
1357 NetflowV910TemplateFieldTypes.get(k, "unknown_data"),
1358 b"", length=j
1359 )
1360 )
1362 # This will act exactly like a NetflowRecordV9, but has custom fields
1363 class NetflowRecordV9I(cls):
1364 fields_desc = _fields_desc
1365 match_subclass = True
1366 NetflowRecordV9I.name = cls.name
1367 NetflowRecordV9I.__name__ = cls.__name__
1368 return NetflowRecordV9I
1371def GetNetflowRecordV9(flowset, templateID=None):
1372 """
1373 Get a NetflowRecordV9/10 for a specific NetflowFlowsetV9/10.
1375 Have a look at the online doc for examples.
1376 """
1377 definitions = {}
1378 for ntv9 in flowset.templates:
1379 llist = []
1380 for tmpl in ntv9.template_fields:
1381 llist.append((tmpl.fieldLength, tmpl.fieldType))
1382 if llist:
1383 cls = _GenNetflowRecordV9(NetflowRecordV9, llist)
1384 definitions[ntv9.templateID] = cls
1385 if not definitions:
1386 raise Scapy_Exception(
1387 "No template IDs detected"
1388 )
1389 if len(definitions) > 1:
1390 if templateID is None:
1391 raise Scapy_Exception(
1392 "Multiple possible templates ! Specify templateID=.."
1393 )
1394 return definitions[templateID]
1395 else:
1396 return list(definitions.values())[0]
1399class NetflowRecordV9(Packet):
1400 name = "Netflow DataFlowset Record V9/10"
1401 fields_desc = [StrField("fieldValue", "")]
1403 def default_payload_class(self, p):
1404 return conf.padding_layer
1407class NetflowDataflowsetV9(Packet):
1408 name = "Netflow DataFlowSet V9/10"
1409 fields_desc = [ShortField("templateID", 255),
1410 ShortField("length", None),
1411 PacketListField(
1412 "records", [],
1413 NetflowRecordV9,
1414 length_from=lambda pkt: pkt.length - 4)]
1416 @classmethod
1417 def dispatch_hook(cls, _pkt=None, *args, **kargs):
1418 if _pkt:
1419 # https://tools.ietf.org/html/rfc5655#appendix-B.1.2
1420 # NetflowV9
1421 if _pkt[:2] == b"\x00\x00":
1422 return NetflowFlowsetV9
1423 if _pkt[:2] == b"\x00\x01":
1424 return NetflowOptionsFlowsetV9
1425 # IPFix
1426 if _pkt[:2] == b"\x00\x02":
1427 return NetflowFlowsetV9
1428 if _pkt[:2] == b"\x00\x03":
1429 return NetflowOptionsFlowset10
1430 return cls
1432 def post_build(self, pkt, pay):
1433 if self.length is None:
1434 # Padding is optional, let's apply it on build
1435 length = len(pkt)
1436 pad = (-length) % 4
1437 pkt = pkt[:2] + struct.pack("!H", length + pad) + pkt[4:]
1438 pkt += b"\x00" * pad
1439 return pkt + pay
1442def _netflowv9_defragment_packet(pkt, definitions, definitions_opts, ignored):
1443 """Used internally to process a single packet during defragmenting"""
1444 # Dataflowset definitions
1445 if NetflowFlowsetV9 in pkt:
1446 current = pkt
1447 while NetflowFlowsetV9 in current:
1448 current = current[NetflowFlowsetV9]
1449 for ntv9 in current.templates:
1450 llist = []
1451 for tmpl in ntv9.template_fields:
1452 llist.append((tmpl.fieldLength, tmpl.fieldType))
1453 if llist:
1454 tot_len = sum(x[0] for x in llist)
1455 cls = _GenNetflowRecordV9(NetflowRecordV9, llist)
1456 definitions[ntv9.templateID] = (tot_len, cls)
1457 current = current.payload
1458 # Options definitions
1459 if NetflowOptionsFlowsetV9 in pkt:
1460 current = pkt
1461 while NetflowOptionsFlowsetV9 in current:
1462 current = current[NetflowOptionsFlowsetV9]
1463 # Load scopes
1464 llist = []
1465 for scope in current.scopes:
1466 llist.append((
1467 scope.scopeFieldlength,
1468 scope.scopeFieldType
1469 ))
1470 scope_tot_len = sum(x[0] for x in llist)
1471 scope_cls = _GenNetflowRecordV9(
1472 NetflowOptionsRecordScopeV9,
1473 llist
1474 )
1475 # Load options
1476 llist = []
1477 for opt in current.options:
1478 llist.append((
1479 opt.optionFieldlength,
1480 opt.optionFieldType
1481 ))
1482 option_tot_len = sum(x[0] for x in llist)
1483 option_cls = _GenNetflowRecordV9(
1484 NetflowOptionsRecordOptionV9,
1485 llist
1486 )
1487 # Storage
1488 definitions_opts[current.templateID] = (
1489 scope_tot_len, scope_cls,
1490 option_tot_len, option_cls
1491 )
1492 current = current.payload
1493 # Dissect flowsets
1494 if NetflowDataflowsetV9 in pkt:
1495 current = pkt
1496 while NetflowDataflowsetV9 in current:
1497 datafl = current[NetflowDataflowsetV9]
1498 tid = datafl.templateID
1499 if tid not in definitions and tid not in definitions_opts:
1500 ignored.add(tid)
1501 return
1502 # All data is stored in one record, awaiting to be split
1503 # If fieldValue is available, the record has not been
1504 # defragmented: pop it
1505 try:
1506 data = datafl.records[0].fieldValue
1507 datafl.records.pop(0)
1508 except (IndexError, AttributeError):
1509 return
1510 res = []
1511 # Flowset record
1512 # Now, according to the flow/option data,
1513 # let's re-dissect NetflowDataflowsetV9
1514 if tid in definitions:
1515 tot_len, cls = definitions[tid]
1516 while len(data) >= tot_len:
1517 res.append(cls(data[:tot_len]))
1518 data = data[tot_len:]
1519 # Inject dissected data
1520 datafl.records = res
1521 if data:
1522 if len(data) <= 4:
1523 datafl.add_payload(conf.padding_layer(data))
1524 else:
1525 datafl.do_dissect_payload(data)
1526 # Options
1527 elif tid in definitions_opts:
1528 (scope_len, scope_cls,
1529 option_len, option_cls) = definitions_opts[tid]
1530 # Dissect scopes
1531 if scope_len:
1532 res.append(scope_cls(data[:scope_len]))
1533 if option_len:
1534 res.append(
1535 option_cls(data[scope_len:scope_len + option_len])
1536 )
1537 if len(data) > scope_len + option_len:
1538 res.append(
1539 conf.padding_layer(data[scope_len + option_len:])
1540 )
1541 # Inject dissected data
1542 datafl.records = res
1543 datafl.name = "Netflow DataFlowSet V9/10 - OPTIONS"
1544 current = datafl.payload
1547def netflowv9_defragment(plist, verb=1):
1548 """Process all NetflowV9/10 Packets to match IDs of the DataFlowsets
1549 with the Headers
1551 params:
1552 - plist: the list of mixed NetflowV9/10 packets.
1553 - verb: verbose print (0/1)
1554 """
1555 if not isinstance(plist, (PacketList, list)):
1556 plist = [plist]
1557 # We need the whole packet to be dissected to access field def in
1558 # NetflowFlowsetV9 or NetflowOptionsFlowsetV9/10
1559 definitions = {}
1560 definitions_opts = {}
1561 ignored = set()
1562 # Iterate through initial list
1563 for pkt in plist:
1564 _netflowv9_defragment_packet(pkt,
1565 definitions,
1566 definitions_opts,
1567 ignored)
1568 if conf.verb >= 1 and ignored:
1569 warning("Ignored templateIDs (missing): %s" % list(ignored))
1570 return plist
1573def ipfix_defragment(*args, **kwargs):
1574 """Alias for netflowv9_defragment"""
1575 return netflowv9_defragment(*args, **kwargs)
1578class NetflowSession(IPSession):
1579 """Session used to defragment NetflowV9/10 packets on the flow.
1580 See help(scapy.layers.netflow) for more infos.
1581 """
1582 def __init__(self, *args, **kwargs):
1583 self.definitions = {}
1584 self.definitions_opts = {}
1585 self.ignored = set()
1586 super(NetflowSession, self).__init__(*args, **kwargs)
1588 def process(self, pkt: Packet) -> Optional[Packet]:
1589 pkt = super(NetflowSession, self).process(pkt)
1590 if not pkt:
1591 return
1592 _netflowv9_defragment_packet(pkt,
1593 self.definitions,
1594 self.definitions_opts,
1595 self.ignored)
1596 return pkt
1599class NetflowOptionsRecordScopeV9(NetflowRecordV9):
1600 name = "Netflow Options Template Record V9/10 - Scope"
1603class NetflowOptionsRecordOptionV9(NetflowRecordV9):
1604 name = "Netflow Options Template Record V9/10 - Option"
1607# Aka Set
1608class NetflowOptionsFlowsetOptionV9(Packet):
1609 name = "Netflow Options Template FlowSet V9/10 - Option"
1610 fields_desc = [BitField("enterpriseBit", 0, 1),
1611 BitEnumField("optionFieldType", None, 15,
1612 NetflowV910TemplateFieldTypes),
1613 ShortField("optionFieldlength", 0),
1614 ConditionalField(ShortField("enterpriseNumber", 0),
1615 lambda p: p.enterpriseBit)]
1617 def default_payload_class(self, p):
1618 return conf.padding_layer
1621# Aka Set
1622class NetflowOptionsFlowsetScopeV9(Packet):
1623 name = "Netflow Options Template FlowSet V9/10 - Scope"
1624 fields_desc = [ShortEnumField("scopeFieldType", None, ScopeFieldTypes),
1625 ShortField("scopeFieldlength", 0)]
1627 def default_payload_class(self, p):
1628 return conf.padding_layer
1631class NetflowOptionsFlowsetV9(Packet):
1632 name = "Netflow Options Template FlowSet V9"
1633 fields_desc = [ShortField("flowSetID", 1),
1634 ShortField("length", None),
1635 ShortField("templateID", 255),
1636 FieldLenField("option_scope_length", None,
1637 length_of="scopes"),
1638 FieldLenField("option_field_length", None,
1639 length_of="options"),
1640 # We can't use PadField as we have 2 PacketListField
1641 PacketListField(
1642 "scopes", [],
1643 NetflowOptionsFlowsetScopeV9,
1644 length_from=lambda pkt: pkt.option_scope_length),
1645 PacketListField(
1646 "options", [],
1647 NetflowOptionsFlowsetOptionV9,
1648 length_from=lambda pkt: pkt.option_field_length),
1649 StrLenField("pad", None, length_from=lambda pkt: (
1650 pkt.length - pkt.option_scope_length -
1651 pkt.option_field_length - 10))]
1653 def default_payload_class(self, p):
1654 return conf.padding_layer
1656 def post_build(self, pkt, pay):
1657 if self.pad is None:
1658 # Padding 4-bytes with b"\x00"
1659 start = 10 + self.option_scope_length + self.option_field_length
1660 pkt = pkt[:start] + (-len(pkt) % 4) * b"\x00"
1661 if self.length is None:
1662 pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]
1663 return pkt + pay
1666# https://tools.ietf.org/html/rfc5101#section-3.4.2.2
1667class NetflowOptionsFlowset10(NetflowOptionsFlowsetV9):
1668 """Netflow V10 (IPFix) Options Template FlowSet"""
1669 name = "Netflow V10 (IPFix) Options Template FlowSet"
1670 fields_desc = [ShortField("flowSetID", 3),
1671 ShortField("length", None),
1672 ShortField("templateID", 255),
1673 # Slightly different counting than in its NetflowV9
1674 # counterpart: we count the total, and among them which
1675 # ones are scopes. Also, it's count, not length
1676 FieldLenField("field_count", None,
1677 count_of="options",
1678 adjust=lambda pkt, x: (
1679 x + pkt.get_field(
1680 "scope_field_count").i2m(pkt, None))),
1681 FieldLenField("scope_field_count", None,
1682 count_of="scopes"),
1683 # We can't use PadField as we have 2 PacketListField
1684 PacketListField(
1685 "scopes", [],
1686 NetflowOptionsFlowsetScopeV9,
1687 count_from=lambda pkt: pkt.scope_field_count),
1688 PacketListField(
1689 "options", [],
1690 NetflowOptionsFlowsetOptionV9,
1691 count_from=lambda pkt: (
1692 pkt.field_count - pkt.scope_field_count
1693 )),
1694 StrLenField("pad", None, length_from=lambda pkt: (
1695 pkt.length - (pkt.scope_field_count * 4) - 10))]
1697 def post_build(self, pkt, pay):
1698 if self.length is None:
1699 pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]
1700 if self.pad is None:
1701 # Padding 4-bytes with b"\x00"
1702 start = 10 + self.scope_field_count * 4
1703 pkt = pkt[:start] + (-len(pkt) % 4) * b"\x00"
1704 return pkt + pay
1707bind_layers(NetflowHeader, NetflowHeaderV9, version=9)
1708bind_layers(NetflowHeaderV9, NetflowDataflowsetV9)
1709bind_layers(NetflowDataflowsetV9, NetflowDataflowsetV9)
1710bind_layers(NetflowOptionsFlowsetV9, NetflowDataflowsetV9)
1711bind_layers(NetflowFlowsetV9, NetflowDataflowsetV9)
1713# Apart from the first header, IPFix and NetflowV9 have the same format
1714# (except the Options Template)
1715# https://tools.ietf.org/html/rfc5655#appendix-B.1.2
1716bind_layers(NetflowHeader, NetflowHeaderV10, version=10)
1717bind_layers(NetflowHeaderV10, NetflowDataflowsetV9)