Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/scapy/layers/netflow.py: 44%
Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# SPDX-License-Identifier: GPL-2.0-only
2# This file is part of Scapy
3# See https://scapy.net/ for more information
4# Copyright (C) Philippe Biondi <phil@secdev.org>
6# Netflow V5 appended by spaceB0x and Guillaume Valadon
7# Netflow V9/10 appended by Gabriel Potter
9"""
10Cisco NetFlow protocol v1, v5, v9 and v10 (IPFix)
12HowTo dissect NetflowV9/10 (IPFix) packets
14# From a pcap / list of packets
16Using sniff and sessions::
18 >>> sniff(offline=open("my_great_pcap.pcap", "rb"), session=NetflowSession)
20Using the netflowv9_defragment/ipfix_defragment commands:
22- get a list of packets containing NetflowV9/10 packets
23- call `netflowv9_defragment(plist)` to defragment the list
25(ipfix_defragment is an alias for netflowv9_defragment)
27# Live / on-the-flow / other: use NetflowSession::
29 >>> sniff(session=NetflowSession, prn=[...])
31.. note:: You will find more examples over
32 https://scapy.readthedocs.io/en/latest/layers/netflow.html
33"""
35import dataclasses
36import socket
37import struct
39from collections import Counter
41from scapy.config import conf
42from scapy.data import IP_PROTOS
43from scapy.error import warning, Scapy_Exception
44from scapy.fields import (
45 BitEnumField,
46 BitField,
47 ByteEnumField,
48 ByteField,
49 ConditionalField,
50 Field,
51 FieldLenField,
52 FlagsField,
53 IntField,
54 IPField,
55 LongField,
56 MACField,
57 NBytesField,
58 PacketListField,
59 SecondsIntField,
60 ShortEnumField,
61 ShortField,
62 StrField,
63 StrFixedLenField,
64 StrLenField,
65 ThreeBytesField,
66 UTCTimeField,
67 XByteField,
68 XShortField,
69)
70from scapy.packet import Packet, bind_layers, bind_bottom_up
71from scapy.plist import PacketList
72from scapy.sessions import IPSession
74from scapy.layers.inet import UDP
75from scapy.layers.inet6 import IP6Field
77# Typing imports
78from typing import (
79 Any,
80 Dict,
81 Optional,
82)
85class NetflowHeader(Packet):
86 name = "Netflow Header"
87 fields_desc = [ShortField("version", 1)]
90for port in [2055, 2056, 9995, 9996, 6343]: # Classic NetFlow ports
91 bind_bottom_up(UDP, NetflowHeader, dport=port)
92 bind_bottom_up(UDP, NetflowHeader, sport=port)
93# However, we'll default to 2055, classic among classics :)
94bind_layers(UDP, NetflowHeader, dport=2055, sport=2055)
96###########################################
97# Netflow Version 1
98###########################################
101class NetflowHeaderV1(Packet):
102 name = "Netflow Header v1"
103 fields_desc = [ShortField("count", None),
104 IntField("sysUptime", 0),
105 UTCTimeField("unixSecs", 0),
106 UTCTimeField("unixNanoSeconds", 0, use_nano=True)]
108 def post_build(self, pkt, pay):
109 if self.count is None:
110 count = len(self.layers()) - 1
111 pkt = struct.pack("!H", count) + pkt[2:]
112 return pkt + pay
115class NetflowRecordV1(Packet):
116 name = "Netflow Record v1"
117 fields_desc = [IPField("ipsrc", "0.0.0.0"),
118 IPField("ipdst", "0.0.0.0"),
119 IPField("nexthop", "0.0.0.0"),
120 ShortField("inputIfIndex", 0),
121 ShortField("outpuIfIndex", 0),
122 IntField("dpkts", 0),
123 IntField("dbytes", 0),
124 IntField("starttime", 0),
125 IntField("endtime", 0),
126 ShortField("srcport", 0),
127 ShortField("dstport", 0),
128 ShortField("padding", 0),
129 ByteField("proto", 0),
130 ByteField("tos", 0),
131 IntField("padding1", 0),
132 IntField("padding2", 0)]
135bind_layers(NetflowHeader, NetflowHeaderV1, version=1)
136bind_layers(NetflowHeaderV1, NetflowRecordV1)
137bind_layers(NetflowRecordV1, NetflowRecordV1)
140#########################################
141# Netflow Version 5
142#########################################
145class NetflowHeaderV5(Packet):
146 name = "Netflow Header v5"
147 fields_desc = [ShortField("count", None),
148 IntField("sysUptime", 0),
149 UTCTimeField("unixSecs", 0),
150 UTCTimeField("unixNanoSeconds", 0, use_nano=True),
151 IntField("flowSequence", 0),
152 ByteField("engineType", 0),
153 ByteField("engineID", 0),
154 ShortField("samplingInterval", 0)]
156 def post_build(self, pkt, pay):
157 if self.count is None:
158 count = len(self.layers()) - 1
159 pkt = struct.pack("!H", count) + pkt[2:]
160 return pkt + pay
163class NetflowRecordV5(Packet):
164 name = "Netflow Record v5"
165 fields_desc = [IPField("src", "127.0.0.1"),
166 IPField("dst", "127.0.0.1"),
167 IPField("nexthop", "0.0.0.0"),
168 ShortField("input", 0),
169 ShortField("output", 0),
170 IntField("dpkts", 1),
171 IntField("dOctets", 60),
172 IntField("first", 0),
173 IntField("last", 0),
174 ShortField("srcport", 0),
175 ShortField("dstport", 0),
176 ByteField("pad1", 0),
177 FlagsField("tcpFlags", 0x2, 8, "FSRPAUEC"),
178 ByteEnumField("prot", socket.IPPROTO_TCP, IP_PROTOS),
179 ByteField("tos", 0),
180 ShortField("src_as", 0),
181 ShortField("dst_as", 0),
182 ByteField("src_mask", 0),
183 ByteField("dst_mask", 0),
184 ShortField("pad2", 0)]
187bind_layers(NetflowHeader, NetflowHeaderV5, version=5)
188bind_layers(NetflowHeaderV5, NetflowRecordV5)
189bind_layers(NetflowRecordV5, NetflowRecordV5)
191#########################################
192# Netflow Version 9/10
193#########################################
195# NetflowV9 RFC
196# https://www.ietf.org/rfc/rfc3954.txt
198# IPFix RFC
199# https://tools.ietf.org/html/rfc5101
200# https://tools.ietf.org/html/rfc5655
203@dataclasses.dataclass
204class _N910F:
205 name: str
206 length: int = 0
207 field: Field = None
208 kwargs: Dict[str, Any] = dataclasses.field(default_factory=dict)
209 isint: bool = False
212# NetflowV9 Ready-made fields
214class ShortOrInt(IntField):
215 def getfield(self, pkt, x):
216 if len(x) == 2:
217 Field.__init__(self, self.name, self.default, fmt="!H")
218 return Field.getfield(self, pkt, x)
221class _AdjustableNetflowField(IntField, LongField):
222 """Fields that can receive a length kwarg, even though they normally can't.
223 Netflow usage only."""
224 def __init__(self, name, default, length):
225 if length == 4:
226 IntField.__init__(self, name, default)
227 return
228 elif length == 8:
229 LongField.__init__(self, name, default)
230 return
231 LongField.__init__(self, name, default)
234class N9SecondsIntField(SecondsIntField, _AdjustableNetflowField):
235 """Defines dateTimeSeconds (without EPOCH: just seconds)"""
236 def __init__(self, name, default, *args, **kargs):
237 length = kargs.pop("length", 8)
238 SecondsIntField.__init__(self, name, default, *args, **kargs)
239 _AdjustableNetflowField.__init__(
240 self, name, default, length
241 )
244class N9UTCTimeField(UTCTimeField, _AdjustableNetflowField):
245 """Defines dateTimeSeconds (EPOCH)"""
246 def __init__(self, name, default, *args, **kargs):
247 length = kargs.pop("length", 8)
248 UTCTimeField.__init__(self, name, default, *args, **kargs)
249 _AdjustableNetflowField.__init__(
250 self, name, default, length
251 )
253# TODO: There are hundreds of entries to add to the following list :(
254# it's thus incomplete.
255# https://www.iana.org/assignments/ipfix/ipfix.xml
256# ==> feel free to contribute :D
258# XXX: we should probably switch the names below to IANA normalized ones.
260# This is v9_v10_template_types (with names from the rfc for the first 79)
261# https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-netflow.c # noqa: E501
262# (it has all values external to the RFC)
265NTOP_BASE = 57472
266NetflowV910TemplateFields = {
267 1: _N910F("IN_BYTES", length=4,
268 isint=True),
269 2: _N910F("IN_PKTS", length=4,
270 isint=True),
271 3: _N910F("FLOWS", length=4),
272 4: _N910F("PROTOCOL", length=1,
273 field=ByteEnumField, kwargs={"enum": IP_PROTOS}),
274 5: _N910F("TOS", length=1,
275 field=XByteField),
276 6: _N910F("TCP_FLAGS", length=1,
277 field=ByteField),
278 7: _N910F("L4_SRC_PORT", length=2,
279 field=ShortField),
280 8: _N910F("IPV4_SRC_ADDR", length=4,
281 field=IPField),
282 9: _N910F("SRC_MASK", length=1,
283 field=ByteField),
284 10: _N910F("INPUT_SNMP",
285 isint=True),
286 11: _N910F("L4_DST_PORT", length=2,
287 field=ShortField),
288 12: _N910F("IPV4_DST_ADDR", length=4,
289 field=IPField),
290 13: _N910F("DST_MASK", length=1,
291 field=ByteField),
292 14: _N910F("OUTPUT_SNMP",
293 isint=True),
294 15: _N910F("IPV4_NEXT_HOP", length=4,
295 field=IPField),
296 16: _N910F("SRC_AS", length=2,
297 field=ShortOrInt),
298 17: _N910F("DST_AS", length=2,
299 field=ShortOrInt),
300 18: _N910F("BGP_IPV4_NEXT_HOP", length=4,
301 field=IPField),
302 19: _N910F("MUL_DST_PKTS", length=4,
303 isint=True),
304 20: _N910F("MUL_DST_BYTES", length=4,
305 isint=True),
306 21: _N910F("LAST_SWITCHED", length=4,
307 field=SecondsIntField,
308 kwargs={"use_msec": True}),
309 22: _N910F("FIRST_SWITCHED", length=4,
310 field=SecondsIntField,
311 kwargs={"use_msec": True}),
312 23: _N910F("OUT_BYTES", length=4,
313 isint=True),
314 24: _N910F("OUT_PKTS", length=4,
315 isint=True),
316 25: _N910F("IP_LENGTH_MINIMUM"),
317 26: _N910F("IP_LENGTH_MAXIMUM"),
318 27: _N910F("IPV6_SRC_ADDR", length=16,
319 field=IP6Field),
320 28: _N910F("IPV6_DST_ADDR", length=16,
321 field=IP6Field),
322 29: _N910F("IPV6_SRC_MASK", length=1,
323 field=ByteField),
324 30: _N910F("IPV6_DST_MASK", length=1,
325 field=ByteField),
326 31: _N910F("IPV6_FLOW_LABEL", length=3,
327 field=ThreeBytesField),
328 32: _N910F("ICMP_TYPE", length=2,
329 field=XShortField),
330 33: _N910F("MUL_IGMP_TYPE", length=1,
331 field=ByteField),
332 34: _N910F("SAMPLING_INTERVAL", length=4,
333 field=IntField),
334 35: _N910F("SAMPLING_ALGORITHM", length=1,
335 field=XByteField),
336 36: _N910F("FLOW_ACTIVE_TIMEOUT", length=2,
337 field=ShortField),
338 37: _N910F("FLOW_INACTIVE_TIMEOUT", length=2,
339 field=ShortField),
340 38: _N910F("ENGINE_TYPE", length=1,
341 field=ByteField),
342 39: _N910F("ENGINE_ID", length=1,
343 field=ByteField),
344 40: _N910F("TOTAL_BYTES_EXP", length=4,
345 isint=True),
346 41: _N910F("TOTAL_PKTS_EXP", length=4,
347 isint=True),
348 42: _N910F("TOTAL_FLOWS_EXP", length=4,
349 isint=True),
350 43: _N910F("IPV4_ROUTER_SC"),
351 44: _N910F("IP_SRC_PREFIX"),
352 45: _N910F("IP_DST_PREFIX"),
353 46: _N910F("MPLS_TOP_LABEL_TYPE", length=1,
354 field=ByteEnumField,
355 kwargs={"enum": {
356 0x00: "UNKNOWN",
357 0x01: "TE-MIDPT",
358 0x02: "ATOM",
359 0x03: "VPN",
360 0x04: "BGP",
361 0x05: "LDP",
362 }}),
363 47: _N910F("MPLS_TOP_LABEL_IP_ADDR", length=4,
364 field=IPField),
365 48: _N910F("FLOW_SAMPLER_ID", length=4), # from ERRATA
366 49: _N910F("FLOW_SAMPLER_MODE", length=1,
367 field=ByteField),
368 50: _N910F("FLOW_SAMPLER_RANDOM_INTERVAL", length=4,
369 field=IntField),
370 51: _N910F("FLOW_CLASS"),
371 52: _N910F("MIN_TTL"),
372 53: _N910F("MAX_TTL"),
373 54: _N910F("IPV4_IDENT"),
374 55: _N910F("DST_TOS", length=1,
375 field=XByteField),
376 56: _N910F("SRC_MAC", length=6,
377 field=MACField),
378 57: _N910F("DST_MAC", length=6,
379 field=MACField),
380 58: _N910F("SRC_VLAN", length=2,
381 field=ShortField),
382 59: _N910F("DST_VLAN", length=2,
383 field=ShortField),
384 60: _N910F("IP_PROTOCOL_VERSION", length=1,
385 field=ByteField),
386 61: _N910F("DIRECTION", length=1,
387 field=ByteEnumField,
388 kwargs={"enum": {0x00: "Ingress flow", 0x01: "Egress flow"}}),
389 62: _N910F("IPV6_NEXT_HOP", length=16,
390 field=IP6Field),
391 63: _N910F("BGP_IPV6_NEXT_HOP", length=16,
392 field=IP6Field),
393 64: _N910F("IPV6_OPTION_HEADERS", length=4),
394 70: _N910F("MPLS_LABEL_1", length=3,
395 field=ThreeBytesField),
396 71: _N910F("MPLS_LABEL_2", length=3,
397 field=ThreeBytesField),
398 72: _N910F("MPLS_LABEL_3", length=3,
399 field=ThreeBytesField),
400 73: _N910F("MPLS_LABEL_4", length=3,
401 field=ThreeBytesField),
402 74: _N910F("MPLS_LABEL_5", length=3,
403 field=ThreeBytesField),
404 75: _N910F("MPLS_LABEL_6", length=3,
405 field=ThreeBytesField),
406 76: _N910F("MPLS_LABEL_7", length=3,
407 field=ThreeBytesField),
408 77: _N910F("MPLS_LABEL_8", length=3,
409 field=ThreeBytesField),
410 78: _N910F("MPLS_LABEL_9", length=3,
411 field=ThreeBytesField),
412 79: _N910F("MPLS_LABEL_10", length=3,
413 field=ThreeBytesField),
414 80: _N910F("DESTINATION_MAC"),
415 81: _N910F("SOURCE_MAC"),
416 82: _N910F("IF_NAME"),
417 83: _N910F("IF_DESC"),
418 84: _N910F("SAMPLER_NAME"),
419 85: _N910F("BYTES_TOTAL"),
420 86: _N910F("PACKETS_TOTAL"),
421 88: _N910F("FRAGMENT_OFFSET"),
422 89: _N910F("FORWARDING_STATUS"),
423 90: _N910F("VPN_ROUTE_DISTINGUISHER"),
424 91: _N910F("mplsTopLabelPrefixLength"),
425 92: _N910F("SRC_TRAFFIC_INDEX"),
426 93: _N910F("DST_TRAFFIC_INDEX"),
427 94: _N910F("APPLICATION_DESC"),
428 95: _N910F("APPLICATION_ID"),
429 96: _N910F("APPLICATION_NAME"),
430 98: _N910F("postIpDiffServCodePoint"),
431 99: _N910F("multicastReplicationFactor"),
432 101: _N910F("classificationEngineId"),
433 128: _N910F("DST_AS_PEER"),
434 129: _N910F("SRC_AS_PEER"),
435 130: _N910F("exporterIPv4Address", length=4,
436 field=IPField),
437 131: _N910F("exporterIPv6Address", length=16,
438 field=IP6Field),
439 132: _N910F("DROPPED_BYTES"),
440 133: _N910F("DROPPED_PACKETS"),
441 134: _N910F("DROPPED_BYTES_TOTAL"),
442 135: _N910F("DROPPED_PACKETS_TOTAL"),
443 136: _N910F("flowEndReason"),
444 137: _N910F("commonPropertiesId"),
445 138: _N910F("observationPointId"),
446 139: _N910F("icmpTypeCodeIPv6"),
447 140: _N910F("MPLS_TOP_LABEL_IPv6_ADDRESS"),
448 141: _N910F("lineCardId"),
449 142: _N910F("portId"),
450 143: _N910F("meteringProcessId"),
451 144: _N910F("FLOW_EXPORTER"),
452 145: _N910F("templateId"),
453 146: _N910F("wlanChannelId"),
454 147: _N910F("wlanSSID"),
455 148: _N910F("flowId"),
456 149: _N910F("observationDomainId"),
457 150: _N910F("flowStartSeconds", length=8,
458 field=N9UTCTimeField),
459 151: _N910F("flowEndSeconds", length=8,
460 field=N9UTCTimeField),
461 152: _N910F("flowStartMilliseconds", length=8,
462 field=N9UTCTimeField,
463 kwargs={"use_msec": True}),
464 153: _N910F("flowEndMilliseconds", length=8,
465 field=N9UTCTimeField,
466 kwargs={"use_msec": True}),
467 154: _N910F("flowStartMicroseconds", length=8,
468 field=N9UTCTimeField,
469 kwargs={"use_micro": True}),
470 155: _N910F("flowEndMicroseconds", length=8,
471 field=N9UTCTimeField,
472 kwargs={"use_micro": True}),
473 156: _N910F("flowStartNanoseconds", length=8,
474 field=N9UTCTimeField,
475 kwargs={"use_nano": True}),
476 157: _N910F("flowEndNanoseconds", length=8,
477 field=N9UTCTimeField,
478 kwargs={"use_nano": True}),
479 158: _N910F("flowStartDeltaMicroseconds", length=8,
480 field=N9SecondsIntField,
481 kwargs={"use_micro": True}),
482 159: _N910F("flowEndDeltaMicroseconds", length=8,
483 field=N9SecondsIntField,
484 kwargs={"use_micro": True}),
485 160: _N910F("systemInitTimeMilliseconds", length=8,
486 field=N9UTCTimeField,
487 kwargs={"use_msec": True}),
488 161: _N910F("flowDurationMilliseconds", length=8,
489 field=N9SecondsIntField,
490 kwargs={"use_msec": True}),
491 162: _N910F("flowDurationMicroseconds", length=8,
492 field=N9SecondsIntField,
493 kwargs={"use_micro": True}),
494 163: _N910F("observedFlowTotalCount"),
495 164: _N910F("ignoredPacketTotalCount"),
496 165: _N910F("ignoredOctetTotalCount"),
497 166: _N910F("notSentFlowTotalCount"),
498 167: _N910F("notSentPacketTotalCount"),
499 168: _N910F("notSentOctetTotalCount"),
500 169: _N910F("destinationIPv6Prefix"),
501 170: _N910F("sourceIPv6Prefix"),
502 171: _N910F("postOctetTotalCount"),
503 172: _N910F("postPacketTotalCount"),
504 173: _N910F("flowKeyIndicator"),
505 174: _N910F("postMCastPacketTotalCount"),
506 175: _N910F("postMCastOctetTotalCount"),
507 176: _N910F("ICMP_IPv4_TYPE"),
508 177: _N910F("ICMP_IPv4_CODE"),
509 178: _N910F("ICMP_IPv6_TYPE"),
510 179: _N910F("ICMP_IPv6_CODE"),
511 180: _N910F("UDP_SRC_PORT"),
512 181: _N910F("UDP_DST_PORT"),
513 182: _N910F("TCP_SRC_PORT"),
514 183: _N910F("TCP_DST_PORT"),
515 184: _N910F("TCP_SEQ_NUM"),
516 185: _N910F("TCP_ACK_NUM"),
517 186: _N910F("TCP_WINDOW_SIZE"),
518 187: _N910F("TCP_URGENT_PTR"),
519 188: _N910F("TCP_HEADER_LEN"),
520 189: _N910F("IP_HEADER_LEN"),
521 190: _N910F("IP_TOTAL_LEN"),
522 191: _N910F("payloadLengthIPv6"),
523 192: _N910F("IP_TTL"),
524 193: _N910F("nextHeaderIPv6"),
525 194: _N910F("mplsPayloadLength"),
526 195: _N910F("IP_DSCP", length=1,
527 field=XByteField),
528 196: _N910F("IP_PRECEDENCE"),
529 197: _N910F("IP_FRAGMENT_FLAGS"),
530 198: _N910F("DELTA_BYTES_SQUARED"),
531 199: _N910F("TOTAL_BYTES_SQUARED"),
532 200: _N910F("MPLS_TOP_LABEL_TTL"),
533 201: _N910F("MPLS_LABEL_STACK_OCTETS"),
534 202: _N910F("MPLS_LABEL_STACK_DEPTH"),
535 203: _N910F("MPLS_TOP_LABEL_EXP"),
536 204: _N910F("IP_PAYLOAD_LENGTH"),
537 205: _N910F("UDP_LENGTH"),
538 206: _N910F("IS_MULTICAST"),
539 207: _N910F("IP_HEADER_WORDS"),
540 208: _N910F("IP_OPTION_MAP"),
541 209: _N910F("TCP_OPTION_MAP"),
542 210: _N910F("paddingOctets"),
543 211: _N910F("collectorIPv4Address", length=4,
544 field=IPField),
545 212: _N910F("collectorIPv6Address", length=16,
546 field=IP6Field),
547 213: _N910F("collectorInterface"),
548 214: _N910F("collectorProtocolVersion"),
549 215: _N910F("collectorTransportProtocol"),
550 216: _N910F("collectorTransportPort"),
551 217: _N910F("exporterTransportPort"),
552 218: _N910F("tcpSynTotalCount"),
553 219: _N910F("tcpFinTotalCount"),
554 220: _N910F("tcpRstTotalCount"),
555 221: _N910F("tcpPshTotalCount"),
556 222: _N910F("tcpAckTotalCount"),
557 223: _N910F("tcpUrgTotalCount"),
558 224: _N910F("ipTotalLength"),
559 225: _N910F("postNATSourceIPv4Address", length=4,
560 field=IPField),
561 226: _N910F("postNATDestinationIPv4Address", length=4,
562 field=IPField),
563 227: _N910F("postNAPTSourceTransportPort"),
564 228: _N910F("postNAPTDestinationTransportPort"),
565 229: _N910F("natOriginatingAddressRealm"),
566 230: _N910F("natEvent"),
567 231: _N910F("initiatorOctets"),
568 232: _N910F("responderOctets"),
569 233: _N910F("firewallEvent"),
570 234: _N910F("ingressVRFID"),
571 235: _N910F("egressVRFID"),
572 236: _N910F("VRFname"),
573 237: _N910F("postMplsTopLabelExp"),
574 238: _N910F("tcpWindowScale"),
575 239: _N910F("biflowDirection"),
576 240: _N910F("ethernetHeaderLength"),
577 241: _N910F("ethernetPayloadLength"),
578 242: _N910F("ethernetTotalLength"),
579 243: _N910F("dot1qVlanId"),
580 244: _N910F("dot1qPriority"),
581 245: _N910F("dot1qCustomerVlanId"),
582 246: _N910F("dot1qCustomerPriority"),
583 247: _N910F("metroEvcId"),
584 248: _N910F("metroEvcType"),
585 249: _N910F("pseudoWireId"),
586 250: _N910F("pseudoWireType"),
587 251: _N910F("pseudoWireControlWord"),
588 252: _N910F("ingressPhysicalInterface"),
589 253: _N910F("egressPhysicalInterface"),
590 254: _N910F("postDot1qVlanId"),
591 255: _N910F("postDot1qCustomerVlanId"),
592 256: _N910F("ethernetType"),
593 257: _N910F("postIpPrecedence"),
594 258: _N910F("collectionTimeMilliseconds", length=8,
595 field=N9SecondsIntField,
596 kwargs={"use_msec": True}),
597 259: _N910F("exportSctpStreamId"),
598 260: _N910F("maxExportSeconds", length=8,
599 field=N9SecondsIntField),
600 261: _N910F("maxFlowEndSeconds", length=8,
601 field=N9SecondsIntField),
602 262: _N910F("messageMD5Checksum"),
603 263: _N910F("messageScope"),
604 264: _N910F("minExportSeconds", length=8,
605 field=N9SecondsIntField),
606 265: _N910F("minFlowStartSeconds", length=8,
607 field=N9SecondsIntField),
608 266: _N910F("opaqueOctets"),
609 267: _N910F("sessionScope"),
610 268: _N910F("maxFlowEndMicroseconds", length=8,
611 field=N9UTCTimeField,
612 kwargs={"use_micro": True}),
613 269: _N910F("maxFlowEndMilliseconds", length=8,
614 field=N9UTCTimeField,
615 kwargs={"use_msec": True}),
616 270: _N910F("maxFlowEndNanoseconds", length=8,
617 field=N9UTCTimeField,
618 kwargs={"use_nano": True}),
619 271: _N910F("minFlowStartMicroseconds", length=8,
620 field=N9UTCTimeField,
621 kwargs={"use_micro": True}),
622 272: _N910F("minFlowStartMilliseconds", length=8,
623 field=N9UTCTimeField,
624 kwargs={"use_msec": True}),
625 273: _N910F("minFlowStartNanoseconds", length=8,
626 field=N9UTCTimeField,
627 kwargs={"use_nano": True}),
628 274: _N910F("collectorCertificate"),
629 275: _N910F("exporterCertificate"),
630 276: _N910F("dataRecordsReliability"),
631 277: _N910F("observationPointType"),
632 278: _N910F("newConnectionDeltaCount"),
633 279: _N910F("connectionSumDurationSeconds", length=8,
634 field=N9SecondsIntField),
635 280: _N910F("connectionTransactionId"),
636 281: _N910F("postNATSourceIPv6Address", length=16,
637 field=IP6Field),
638 282: _N910F("postNATDestinationIPv6Address", length=16,
639 field=IP6Field),
640 283: _N910F("natPoolId"),
641 284: _N910F("natPoolName"),
642 285: _N910F("anonymizationFlags"),
643 286: _N910F("anonymizationTechnique"),
644 287: _N910F("informationElementIndex"),
645 288: _N910F("p2pTechnology"),
646 289: _N910F("tunnelTechnology"),
647 290: _N910F("encryptedTechnology"),
648 291: _N910F("basicList"),
649 292: _N910F("subTemplateList"),
650 293: _N910F("subTemplateMultiList"),
651 294: _N910F("bgpValidityState"),
652 295: _N910F("IPSecSPI"),
653 296: _N910F("greKey"),
654 297: _N910F("natType"),
655 298: _N910F("initiatorPackets"),
656 299: _N910F("responderPackets"),
657 300: _N910F("observationDomainName"),
658 301: _N910F("selectionSequenceId"),
659 302: _N910F("selectorId"),
660 303: _N910F("informationElementId"),
661 304: _N910F("selectorAlgorithm"),
662 305: _N910F("samplingPacketInterval"),
663 306: _N910F("samplingPacketSpace"),
664 307: _N910F("samplingTimeInterval"),
665 308: _N910F("samplingTimeSpace"),
666 309: _N910F("samplingSize"),
667 310: _N910F("samplingPopulation"),
668 311: _N910F("samplingProbability"),
669 312: _N910F("dataLinkFrameSize"),
670 313: _N910F("IP_SECTION_HEADER"),
671 314: _N910F("IP_SECTION_PAYLOAD"),
672 315: _N910F("dataLinkFrameSection"),
673 316: _N910F("mplsLabelStackSection"),
674 317: _N910F("mplsPayloadPacketSection"),
675 318: _N910F("selectorIdTotalPktsObserved"),
676 319: _N910F("selectorIdTotalPktsSelected"),
677 320: _N910F("absoluteError"),
678 321: _N910F("relativeError"),
679 322: _N910F("observationTimeSeconds", length=8,
680 field=N9UTCTimeField),
681 323: _N910F("observationTimeMilliseconds", length=8,
682 field=N9UTCTimeField,
683 kwargs={"use_msec": True}),
684 324: _N910F("observationTimeMicroseconds", length=8,
685 field=N9UTCTimeField,
686 kwargs={"use_micro": True}),
687 325: _N910F("observationTimeNanoseconds", length=8,
688 field=N9UTCTimeField,
689 kwargs={"use_nano": True}),
690 326: _N910F("digestHashValue"),
691 327: _N910F("hashIPPayloadOffset"),
692 328: _N910F("hashIPPayloadSize"),
693 329: _N910F("hashOutputRangeMin"),
694 330: _N910F("hashOutputRangeMax"),
695 331: _N910F("hashSelectedRangeMin"),
696 332: _N910F("hashSelectedRangeMax"),
697 333: _N910F("hashDigestOutput"),
698 334: _N910F("hashInitialiserValue"),
699 335: _N910F("selectorName"),
700 336: _N910F("upperCILimit"),
701 337: _N910F("lowerCILimit"),
702 338: _N910F("confidenceLevel"),
703 339: _N910F("informationElementDataType"),
704 340: _N910F("informationElementDescription"),
705 341: _N910F("informationElementName"),
706 342: _N910F("informationElementRangeBegin"),
707 343: _N910F("informationElementRangeEnd"),
708 344: _N910F("informationElementSemantics"),
709 345: _N910F("informationElementUnits"),
710 346: _N910F("privateEnterpriseNumber"),
711 347: _N910F("virtualStationInterfaceId"),
712 348: _N910F("virtualStationInterfaceName"),
713 349: _N910F("virtualStationUUID"),
714 350: _N910F("virtualStationName"),
715 351: _N910F("layer2SegmentId"),
716 352: _N910F("layer2OctetDeltaCount"),
717 353: _N910F("layer2OctetTotalCount"),
718 354: _N910F("ingressUnicastPacketTotalCount"),
719 355: _N910F("ingressMulticastPacketTotalCount"),
720 356: _N910F("ingressBroadcastPacketTotalCount"),
721 357: _N910F("egressUnicastPacketTotalCount"),
722 358: _N910F("egressBroadcastPacketTotalCount"),
723 359: _N910F("monitoringIntervalStartMilliSeconds"),
724 360: _N910F("monitoringIntervalEndMilliSeconds"),
725 361: _N910F("portRangeStart"),
726 362: _N910F("portRangeEnd"),
727 363: _N910F("portRangeStepSize"),
728 364: _N910F("portRangeNumPorts"),
729 365: _N910F("staMacAddress", length=6,
730 field=MACField),
731 366: _N910F("staIPv4Address", length=4,
732 field=IPField),
733 367: _N910F("wtpMacAddress", length=6,
734 field=MACField),
735 368: _N910F("ingressInterfaceType"),
736 369: _N910F("egressInterfaceType"),
737 370: _N910F("rtpSequenceNumber"),
738 371: _N910F("userName"),
739 372: _N910F("applicationCategoryName"),
740 373: _N910F("applicationSubCategoryName"),
741 374: _N910F("applicationGroupName"),
742 375: _N910F("originalFlowsPresent"),
743 376: _N910F("originalFlowsInitiated"),
744 377: _N910F("originalFlowsCompleted"),
745 378: _N910F("distinctCountOfSourceIPAddress"),
746 379: _N910F("distinctCountOfDestinationIPAddress"),
747 380: _N910F("distinctCountOfSourceIPv4Address", length=4,
748 field=IPField),
749 381: _N910F("distinctCountOfDestinationIPv4Address", length=4,
750 field=IPField),
751 382: _N910F("distinctCountOfSourceIPv6Address", length=16,
752 field=IP6Field),
753 383: _N910F("distinctCountOfDestinationIPv6Address", length=16,
754 field=IP6Field),
755 384: _N910F("valueDistributionMethod"),
756 385: _N910F("rfc3550JitterMilliseconds"),
757 386: _N910F("rfc3550JitterMicroseconds"),
758 387: _N910F("rfc3550JitterNanoseconds"),
759 388: _N910F("dot1qDEI"),
760 389: _N910F("dot1qCustomerDEI"),
761 390: _N910F("flowSelectorAlgorithm"),
762 391: _N910F("flowSelectedOctetDeltaCount"),
763 392: _N910F("flowSelectedPacketDeltaCount"),
764 393: _N910F("flowSelectedFlowDeltaCount"),
765 394: _N910F("selectorIDTotalFlowsObserved"),
766 395: _N910F("selectorIDTotalFlowsSelected"),
767 396: _N910F("samplingFlowInterval"),
768 397: _N910F("samplingFlowSpacing"),
769 398: _N910F("flowSamplingTimeInterval"),
770 399: _N910F("flowSamplingTimeSpacing"),
771 400: _N910F("hashFlowDomain"),
772 401: _N910F("transportOctetDeltaCount"),
773 402: _N910F("transportPacketDeltaCount"),
774 403: _N910F("originalExporterIPv4Address", length=4,
775 field=IPField),
776 404: _N910F("originalExporterIPv6Address", length=16,
777 field=IP6Field),
778 405: _N910F("originalObservationDomainId"),
779 406: _N910F("intermediateProcessId"),
780 407: _N910F("ignoredDataRecordTotalCount"),
781 408: _N910F("dataLinkFrameType"),
782 409: _N910F("sectionOffset"),
783 410: _N910F("sectionExportedOctets"),
784 411: _N910F("dot1qServiceInstanceTag"),
785 412: _N910F("dot1qServiceInstanceId"),
786 413: _N910F("dot1qServiceInstancePriority"),
787 414: _N910F("dot1qCustomerSourceMacAddress", length=6,
788 field=MACField),
789 415: _N910F("dot1qCustomerDestinationMacAddress", length=6,
790 field=MACField),
791 416: _N910F("deprecated [dup of layer2OctetDeltaCount]"),
792 417: _N910F("postLayer2OctetDeltaCount"),
793 418: _N910F("postMCastLayer2OctetDeltaCount"),
794 419: _N910F("deprecated [dup of layer2OctetTotalCount"),
795 420: _N910F("postLayer2OctetTotalCount"),
796 421: _N910F("postMCastLayer2OctetTotalCount"),
797 422: _N910F("minimumLayer2TotalLength"),
798 423: _N910F("maximumLayer2TotalLength"),
799 424: _N910F("droppedLayer2OctetDeltaCount"),
800 425: _N910F("droppedLayer2OctetTotalCount"),
801 426: _N910F("ignoredLayer2OctetTotalCount"),
802 427: _N910F("notSentLayer2OctetTotalCount"),
803 428: _N910F("layer2OctetDeltaSumOfSquares"),
804 429: _N910F("layer2OctetTotalSumOfSquares"),
805 430: _N910F("layer2FrameDeltaCount"),
806 431: _N910F("layer2FrameTotalCount"),
807 432: _N910F("pseudoWireDestinationIPv4Address", length=4,
808 field=IPField),
809 433: _N910F("ignoredLayer2FrameTotalCount"),
810 434: _N910F("mibObjectValueInteger"),
811 435: _N910F("mibObjectValueOctetString"),
812 436: _N910F("mibObjectValueOID"),
813 437: _N910F("mibObjectValueBits"),
814 438: _N910F("mibObjectValueIPAddress"),
815 439: _N910F("mibObjectValueCounter"),
816 440: _N910F("mibObjectValueGauge"),
817 441: _N910F("mibObjectValueTimeTicks"),
818 442: _N910F("mibObjectValueUnsigned"),
819 443: _N910F("mibObjectValueTable"),
820 444: _N910F("mibObjectValueRow"),
821 445: _N910F("mibObjectIdentifier"),
822 446: _N910F("mibSubIdentifier"),
823 447: _N910F("mibIndexIndicator"),
824 448: _N910F("mibCaptureTimeSemantics"),
825 449: _N910F("mibContextEngineID"),
826 450: _N910F("mibContextName"),
827 451: _N910F("mibObjectName"),
828 452: _N910F("mibObjectDescription"),
829 453: _N910F("mibObjectSyntax"),
830 454: _N910F("mibModuleName"),
831 455: _N910F("mobileIMSI"),
832 456: _N910F("mobileMSISDN"),
833 457: _N910F("httpStatusCode"),
834 458: _N910F("sourceTransportPortsLimit"),
835 459: _N910F("httpRequestMethod"),
836 460: _N910F("httpRequestHost"),
837 461: _N910F("httpRequestTarget"),
838 462: _N910F("httpMessageVersion"),
839 463: _N910F("natInstanceID"),
840 464: _N910F("internalAddressRealm"),
841 465: _N910F("externalAddressRealm"),
842 466: _N910F("natQuotaExceededEvent"),
843 467: _N910F("natThresholdEvent"),
844 468: _N910F("httpUserAgent"),
845 469: _N910F("httpContentType"),
846 470: _N910F("httpReasonPhrase"),
847 471: _N910F("maxSessionEntries"),
848 472: _N910F("maxBIBEntries"),
849 473: _N910F("maxEntriesPerUser"),
850 474: _N910F("maxSubscribers"),
851 475: _N910F("maxFragmentsPendingReassembly"),
852 476: _N910F("addressPoolHighThreshold"),
853 477: _N910F("addressPoolLowThreshold"),
854 478: _N910F("addressPortMappingHighThreshold"),
855 479: _N910F("addressPortMappingLowThreshold"),
856 480: _N910F("addressPortMappingPerUserHighThreshold"),
857 481: _N910F("globalAddressMappingHighThreshold"),
859 # Ericsson NAT Logging
860 24628: _N910F("NAT_LOG_FIELD_IDX_CONTEXT_ID"),
861 24629: _N910F("NAT_LOG_FIELD_IDX_CONTEXT_NAME"),
862 24630: _N910F("NAT_LOG_FIELD_IDX_ASSIGN_TS_SEC"),
863 24631: _N910F("NAT_LOG_FIELD_IDX_UNASSIGN_TS_SEC"),
864 24632: _N910F("NAT_LOG_FIELD_IDX_IPV4_INT_ADDR", length=4,
865 field=IPField),
866 24633: _N910F("NAT_LOG_FIELD_IDX_IPV4_EXT_ADDR", length=4,
867 field=IPField),
868 24634: _N910F("NAT_LOG_FIELD_IDX_EXT_PORT_FIRST"),
869 24635: _N910F("NAT_LOG_FIELD_IDX_EXT_PORT_LAST"),
870 # Cisco ASA5500 Series NetFlow
871 33000: _N910F("INGRESS_ACL_ID"),
872 33001: _N910F("EGRESS_ACL_ID"),
873 33002: _N910F("FW_EXT_EVENT"),
874 # Cisco TrustSec
875 34000: _N910F("SGT_SOURCE_TAG"),
876 34001: _N910F("SGT_DESTINATION_TAG"),
877 34002: _N910F("SGT_SOURCE_NAME"),
878 34003: _N910F("SGT_DESTINATION_NAME"),
879 # medianet performance monitor
880 37000: _N910F("PACKETS_DROPPED"),
881 37003: _N910F("BYTE_RATE"),
882 37004: _N910F("APPLICATION_MEDIA_BYTES"),
883 37006: _N910F("APPLICATION_MEDIA_BYTE_RATE"),
884 37007: _N910F("APPLICATION_MEDIA_PACKETS"),
885 37009: _N910F("APPLICATION_MEDIA_PACKET_RATE"),
886 37011: _N910F("APPLICATION_MEDIA_EVENT"),
887 37012: _N910F("MONITOR_EVENT"),
888 37013: _N910F("TIMESTAMP_INTERVAL"),
889 37014: _N910F("TRANSPORT_PACKETS_EXPECTED"),
890 37016: _N910F("TRANSPORT_ROUND_TRIP_TIME"),
891 37017: _N910F("TRANSPORT_EVENT_PACKET_LOSS"),
892 37019: _N910F("TRANSPORT_PACKETS_LOST"),
893 37021: _N910F("TRANSPORT_PACKETS_LOST_RATE"),
894 37022: _N910F("TRANSPORT_RTP_SSRC"),
895 37023: _N910F("TRANSPORT_RTP_JITTER_MEAN"),
896 37024: _N910F("TRANSPORT_RTP_JITTER_MIN"),
897 37025: _N910F("TRANSPORT_RTP_JITTER_MAX"),
898 37041: _N910F("TRANSPORT_RTP_PAYLOAD_TYPE"),
899 37071: _N910F("TRANSPORT_BYTES_OUT_OF_ORDER"),
900 37074: _N910F("TRANSPORT_PACKETS_OUT_OF_ORDER"),
901 37083: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MIN"),
902 37084: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MAX"),
903 37085: _N910F("TRANSPORT_TCP_WINDOWS_SIZE_MEAN"),
904 37086: _N910F("TRANSPORT_TCP_MAXIMUM_SEGMENT_SIZE"),
905 # Cisco ASA 5500
906 40000: _N910F("AAA_USERNAME"),
907 40001: _N910F("XLATE_SRC_ADDR_IPV4", length=4,
908 field=IPField),
909 40002: _N910F("XLATE_DST_ADDR_IPV4", length=4,
910 field=IPField),
911 40003: _N910F("XLATE_SRC_PORT"),
912 40004: _N910F("XLATE_DST_PORT"),
913 40005: _N910F("FW_EVENT"),
914 # v9 nTop extensions
915 80 + NTOP_BASE: _N910F("SRC_FRAGMENTS"),
916 81 + NTOP_BASE: _N910F("DST_FRAGMENTS"),
917 82 + NTOP_BASE: _N910F("SRC_TO_DST_MAX_THROUGHPUT"),
918 83 + NTOP_BASE: _N910F("SRC_TO_DST_MIN_THROUGHPUT"),
919 84 + NTOP_BASE: _N910F("SRC_TO_DST_AVG_THROUGHPUT"),
920 85 + NTOP_BASE: _N910F("SRC_TO_SRC_MAX_THROUGHPUT"),
921 86 + NTOP_BASE: _N910F("SRC_TO_SRC_MIN_THROUGHPUT"),
922 87 + NTOP_BASE: _N910F("SRC_TO_SRC_AVG_THROUGHPUT"),
923 88 + NTOP_BASE: _N910F("NUM_PKTS_UP_TO_128_BYTES"),
924 89 + NTOP_BASE: _N910F("NUM_PKTS_128_TO_256_BYTES"),
925 90 + NTOP_BASE: _N910F("NUM_PKTS_256_TO_512_BYTES"),
926 91 + NTOP_BASE: _N910F("NUM_PKTS_512_TO_1024_BYTES"),
927 92 + NTOP_BASE: _N910F("NUM_PKTS_1024_TO_1514_BYTES"),
928 93 + NTOP_BASE: _N910F("NUM_PKTS_OVER_1514_BYTES"),
929 98 + NTOP_BASE: _N910F("CUMULATIVE_ICMP_TYPE"),
930 101 + NTOP_BASE: _N910F("SRC_IP_COUNTRY"),
931 102 + NTOP_BASE: _N910F("SRC_IP_CITY"),
932 103 + NTOP_BASE: _N910F("DST_IP_COUNTRY"),
933 104 + NTOP_BASE: _N910F("DST_IP_CITY"),
934 105 + NTOP_BASE: _N910F("FLOW_PROTO_PORT"),
935 106 + NTOP_BASE: _N910F("UPSTREAM_TUNNEL_ID"),
936 107 + NTOP_BASE: _N910F("LONGEST_FLOW_PKT"),
937 108 + NTOP_BASE: _N910F("SHORTEST_FLOW_PKT"),
938 109 + NTOP_BASE: _N910F("RETRANSMITTED_IN_PKTS"),
939 110 + NTOP_BASE: _N910F("RETRANSMITTED_OUT_PKTS"),
940 111 + NTOP_BASE: _N910F("OOORDER_IN_PKTS"),
941 112 + NTOP_BASE: _N910F("OOORDER_OUT_PKTS"),
942 113 + NTOP_BASE: _N910F("UNTUNNELED_PROTOCOL"),
943 114 + NTOP_BASE: _N910F("UNTUNNELED_IPV4_SRC_ADDR", length=4,
944 field=IPField),
945 115 + NTOP_BASE: _N910F("UNTUNNELED_L4_SRC_PORT"),
946 116 + NTOP_BASE: _N910F("UNTUNNELED_IPV4_DST_ADDR", length=4,
947 field=IPField),
948 117 + NTOP_BASE: _N910F("UNTUNNELED_L4_DST_PORT"),
949 118 + NTOP_BASE: _N910F("L7_PROTO"),
950 119 + NTOP_BASE: _N910F("L7_PROTO_NAME"),
951 120 + NTOP_BASE: _N910F("DOWNSTREAM_TUNNEL_ID"),
952 121 + NTOP_BASE: _N910F("FLOW_USER_NAME"),
953 122 + NTOP_BASE: _N910F("FLOW_SERVER_NAME"),
954 123 + NTOP_BASE: _N910F("CLIENT_NW_LATENCY_MS"),
955 124 + NTOP_BASE: _N910F("SERVER_NW_LATENCY_MS"),
956 125 + NTOP_BASE: _N910F("APPL_LATENCY_MS"),
957 126 + NTOP_BASE: _N910F("PLUGIN_NAME"),
958 127 + NTOP_BASE: _N910F("RETRANSMITTED_IN_BYTES"),
959 128 + NTOP_BASE: _N910F("RETRANSMITTED_OUT_BYTES"),
960 130 + NTOP_BASE: _N910F("SIP_CALL_ID"),
961 131 + NTOP_BASE: _N910F("SIP_CALLING_PARTY"),
962 132 + NTOP_BASE: _N910F("SIP_CALLED_PARTY"),
963 133 + NTOP_BASE: _N910F("SIP_RTP_CODECS"),
964 134 + NTOP_BASE: _N910F("SIP_INVITE_TIME"),
965 135 + NTOP_BASE: _N910F("SIP_TRYING_TIME"),
966 136 + NTOP_BASE: _N910F("SIP_RINGING_TIME"),
967 137 + NTOP_BASE: _N910F("SIP_INVITE_OK_TIME"),
968 138 + NTOP_BASE: _N910F("SIP_INVITE_FAILURE_TIME"),
969 139 + NTOP_BASE: _N910F("SIP_BYE_TIME"),
970 140 + NTOP_BASE: _N910F("SIP_BYE_OK_TIME"),
971 141 + NTOP_BASE: _N910F("SIP_CANCEL_TIME"),
972 142 + NTOP_BASE: _N910F("SIP_CANCEL_OK_TIME"),
973 143 + NTOP_BASE: _N910F("SIP_RTP_IPV4_SRC_ADDR", length=4,
974 field=IPField),
975 144 + NTOP_BASE: _N910F("SIP_RTP_L4_SRC_PORT"),
976 145 + NTOP_BASE: _N910F("SIP_RTP_IPV4_DST_ADDR", length=4,
977 field=IPField),
978 146 + NTOP_BASE: _N910F("SIP_RTP_L4_DST_PORT"),
979 147 + NTOP_BASE: _N910F("SIP_RESPONSE_CODE"),
980 148 + NTOP_BASE: _N910F("SIP_REASON_CAUSE"),
981 150 + NTOP_BASE: _N910F("RTP_FIRST_SEQ"),
982 151 + NTOP_BASE: _N910F("RTP_FIRST_TS"),
983 152 + NTOP_BASE: _N910F("RTP_LAST_SEQ"),
984 153 + NTOP_BASE: _N910F("RTP_LAST_TS"),
985 154 + NTOP_BASE: _N910F("RTP_IN_JITTER"),
986 155 + NTOP_BASE: _N910F("RTP_OUT_JITTER"),
987 156 + NTOP_BASE: _N910F("RTP_IN_PKT_LOST"),
988 157 + NTOP_BASE: _N910F("RTP_OUT_PKT_LOST"),
989 158 + NTOP_BASE: _N910F("RTP_OUT_PAYLOAD_TYPE"),
990 159 + NTOP_BASE: _N910F("RTP_IN_MAX_DELTA"),
991 160 + NTOP_BASE: _N910F("RTP_OUT_MAX_DELTA"),
992 161 + NTOP_BASE: _N910F("RTP_IN_PAYLOAD_TYPE"),
993 168 + NTOP_BASE: _N910F("SRC_PROC_PID"),
994 169 + NTOP_BASE: _N910F("SRC_PROC_NAME"),
995 180 + NTOP_BASE: _N910F("HTTP_URL"),
996 181 + NTOP_BASE: _N910F("HTTP_RET_CODE"),
997 182 + NTOP_BASE: _N910F("HTTP_REFERER"),
998 183 + NTOP_BASE: _N910F("HTTP_UA"),
999 184 + NTOP_BASE: _N910F("HTTP_MIME"),
1000 185 + NTOP_BASE: _N910F("SMTP_MAIL_FROM"),
1001 186 + NTOP_BASE: _N910F("SMTP_RCPT_TO"),
1002 187 + NTOP_BASE: _N910F("HTTP_HOST"),
1003 188 + NTOP_BASE: _N910F("SSL_SERVER_NAME"),
1004 189 + NTOP_BASE: _N910F("BITTORRENT_HASH"),
1005 195 + NTOP_BASE: _N910F("MYSQL_SRV_VERSION"),
1006 196 + NTOP_BASE: _N910F("MYSQL_USERNAME"),
1007 197 + NTOP_BASE: _N910F("MYSQL_DB"),
1008 198 + NTOP_BASE: _N910F("MYSQL_QUERY"),
1009 199 + NTOP_BASE: _N910F("MYSQL_RESPONSE"),
1010 200 + NTOP_BASE: _N910F("ORACLE_USERNAME"),
1011 201 + NTOP_BASE: _N910F("ORACLE_QUERY"),
1012 202 + NTOP_BASE: _N910F("ORACLE_RSP_CODE"),
1013 203 + NTOP_BASE: _N910F("ORACLE_RSP_STRING"),
1014 204 + NTOP_BASE: _N910F("ORACLE_QUERY_DURATION"),
1015 205 + NTOP_BASE: _N910F("DNS_QUERY"),
1016 206 + NTOP_BASE: _N910F("DNS_QUERY_ID"),
1017 207 + NTOP_BASE: _N910F("DNS_QUERY_TYPE"),
1018 208 + NTOP_BASE: _N910F("DNS_RET_CODE"),
1019 209 + NTOP_BASE: _N910F("DNS_NUM_ANSWERS"),
1020 210 + NTOP_BASE: _N910F("POP_USER"),
1021 220 + NTOP_BASE: _N910F("GTPV1_REQ_MSG_TYPE"),
1022 221 + NTOP_BASE: _N910F("GTPV1_RSP_MSG_TYPE"),
1023 222 + NTOP_BASE: _N910F("GTPV1_C2S_TEID_DATA"),
1024 223 + NTOP_BASE: _N910F("GTPV1_C2S_TEID_CTRL"),
1025 224 + NTOP_BASE: _N910F("GTPV1_S2C_TEID_DATA"),
1026 225 + NTOP_BASE: _N910F("GTPV1_S2C_TEID_CTRL"),
1027 226 + NTOP_BASE: _N910F("GTPV1_END_USER_IP"),
1028 227 + NTOP_BASE: _N910F("GTPV1_END_USER_IMSI"),
1029 228 + NTOP_BASE: _N910F("GTPV1_END_USER_MSISDN"),
1030 229 + NTOP_BASE: _N910F("GTPV1_END_USER_IMEI"),
1031 230 + NTOP_BASE: _N910F("GTPV1_APN_NAME"),
1032 231 + NTOP_BASE: _N910F("GTPV1_RAI_MCC"),
1033 232 + NTOP_BASE: _N910F("GTPV1_RAI_MNC"),
1034 233 + NTOP_BASE: _N910F("GTPV1_ULI_CELL_LAC"),
1035 234 + NTOP_BASE: _N910F("GTPV1_ULI_CELL_CI"),
1036 235 + NTOP_BASE: _N910F("GTPV1_ULI_SAC"),
1037 236 + NTOP_BASE: _N910F("GTPV1_RAT_TYPE"),
1038 240 + NTOP_BASE: _N910F("RADIUS_REQ_MSG_TYPE"),
1039 241 + NTOP_BASE: _N910F("RADIUS_RSP_MSG_TYPE"),
1040 242 + NTOP_BASE: _N910F("RADIUS_USER_NAME"),
1041 243 + NTOP_BASE: _N910F("RADIUS_CALLING_STATION_ID"),
1042 244 + NTOP_BASE: _N910F("RADIUS_CALLED_STATION_ID"),
1043 245 + NTOP_BASE: _N910F("RADIUS_NAS_IP_ADDR"),
1044 246 + NTOP_BASE: _N910F("RADIUS_NAS_IDENTIFIER"),
1045 247 + NTOP_BASE: _N910F("RADIUS_USER_IMSI"),
1046 248 + NTOP_BASE: _N910F("RADIUS_USER_IMEI"),
1047 249 + NTOP_BASE: _N910F("RADIUS_FRAMED_IP_ADDR"),
1048 250 + NTOP_BASE: _N910F("RADIUS_ACCT_SESSION_ID"),
1049 251 + NTOP_BASE: _N910F("RADIUS_ACCT_STATUS_TYPE"),
1050 252 + NTOP_BASE: _N910F("RADIUS_ACCT_IN_OCTETS"),
1051 253 + NTOP_BASE: _N910F("RADIUS_ACCT_OUT_OCTETS"),
1052 254 + NTOP_BASE: _N910F("RADIUS_ACCT_IN_PKTS"),
1053 255 + NTOP_BASE: _N910F("RADIUS_ACCT_OUT_PKTS"),
1054 260 + NTOP_BASE: _N910F("IMAP_LOGIN"),
1055 270 + NTOP_BASE: _N910F("GTPV2_REQ_MSG_TYPE"),
1056 271 + NTOP_BASE: _N910F("GTPV2_RSP_MSG_TYPE"),
1057 272 + NTOP_BASE: _N910F("GTPV2_C2S_S1U_GTPU_TEID"),
1058 273 + NTOP_BASE: _N910F("GTPV2_C2S_S1U_GTPU_IP"),
1059 274 + NTOP_BASE: _N910F("GTPV2_S2C_S1U_GTPU_TEID"),
1060 275 + NTOP_BASE: _N910F("GTPV2_S2C_S1U_GTPU_IP"),
1061 276 + NTOP_BASE: _N910F("GTPV2_END_USER_IMSI"),
1062 277 + NTOP_BASE: _N910F("GTPV2_END_USER_MSISDN"),
1063 278 + NTOP_BASE: _N910F("GTPV2_APN_NAME"),
1064 279 + NTOP_BASE: _N910F("GTPV2_ULI_MCC"),
1065 280 + NTOP_BASE: _N910F("GTPV2_ULI_MNC"),
1066 281 + NTOP_BASE: _N910F("GTPV2_ULI_CELL_TAC"),
1067 282 + NTOP_BASE: _N910F("GTPV2_ULI_CELL_ID"),
1068 283 + NTOP_BASE: _N910F("GTPV2_RAT_TYPE"),
1069 284 + NTOP_BASE: _N910F("GTPV2_PDN_IP"),
1070 285 + NTOP_BASE: _N910F("GTPV2_END_USER_IMEI"),
1071 290 + NTOP_BASE: _N910F("SRC_AS_PATH_1"),
1072 291 + NTOP_BASE: _N910F("SRC_AS_PATH_2"),
1073 292 + NTOP_BASE: _N910F("SRC_AS_PATH_3"),
1074 293 + NTOP_BASE: _N910F("SRC_AS_PATH_4"),
1075 294 + NTOP_BASE: _N910F("SRC_AS_PATH_5"),
1076 295 + NTOP_BASE: _N910F("SRC_AS_PATH_6"),
1077 296 + NTOP_BASE: _N910F("SRC_AS_PATH_7"),
1078 297 + NTOP_BASE: _N910F("SRC_AS_PATH_8"),
1079 298 + NTOP_BASE: _N910F("SRC_AS_PATH_9"),
1080 299 + NTOP_BASE: _N910F("SRC_AS_PATH_10"),
1081 300 + NTOP_BASE: _N910F("DST_AS_PATH_1"),
1082 301 + NTOP_BASE: _N910F("DST_AS_PATH_2"),
1083 302 + NTOP_BASE: _N910F("DST_AS_PATH_3"),
1084 303 + NTOP_BASE: _N910F("DST_AS_PATH_4"),
1085 304 + NTOP_BASE: _N910F("DST_AS_PATH_5"),
1086 305 + NTOP_BASE: _N910F("DST_AS_PATH_6"),
1087 306 + NTOP_BASE: _N910F("DST_AS_PATH_7"),
1088 307 + NTOP_BASE: _N910F("DST_AS_PATH_8"),
1089 308 + NTOP_BASE: _N910F("DST_AS_PATH_9"),
1090 309 + NTOP_BASE: _N910F("DST_AS_PATH_10"),
1091 320 + NTOP_BASE: _N910F("MYSQL_APPL_LATENCY_USEC"),
1092 321 + NTOP_BASE: _N910F("GTPV0_REQ_MSG_TYPE"),
1093 322 + NTOP_BASE: _N910F("GTPV0_RSP_MSG_TYPE"),
1094 323 + NTOP_BASE: _N910F("GTPV0_TID"),
1095 324 + NTOP_BASE: _N910F("GTPV0_END_USER_IP"),
1096 325 + NTOP_BASE: _N910F("GTPV0_END_USER_MSISDN"),
1097 326 + NTOP_BASE: _N910F("GTPV0_APN_NAME"),
1098 327 + NTOP_BASE: _N910F("GTPV0_RAI_MCC"),
1099 328 + NTOP_BASE: _N910F("GTPV0_RAI_MNC"),
1100 329 + NTOP_BASE: _N910F("GTPV0_RAI_CELL_LAC"),
1101 330 + NTOP_BASE: _N910F("GTPV0_RAI_CELL_RAC"),
1102 331 + NTOP_BASE: _N910F("GTPV0_RESPONSE_CAUSE"),
1103 332 + NTOP_BASE: _N910F("GTPV1_RESPONSE_CAUSE"),
1104 333 + NTOP_BASE: _N910F("GTPV2_RESPONSE_CAUSE"),
1105 334 + NTOP_BASE: _N910F("NUM_PKTS_TTL_5_32"),
1106 335 + NTOP_BASE: _N910F("NUM_PKTS_TTL_32_64"),
1107 336 + NTOP_BASE: _N910F("NUM_PKTS_TTL_64_96"),
1108 337 + NTOP_BASE: _N910F("NUM_PKTS_TTL_96_128"),
1109 338 + NTOP_BASE: _N910F("NUM_PKTS_TTL_128_160"),
1110 339 + NTOP_BASE: _N910F("NUM_PKTS_TTL_160_192"),
1111 340 + NTOP_BASE: _N910F("NUM_PKTS_TTL_192_224"),
1112 341 + NTOP_BASE: _N910F("NUM_PKTS_TTL_224_255"),
1113 342 + NTOP_BASE: _N910F("GTPV1_RAI_LAC"),
1114 343 + NTOP_BASE: _N910F("GTPV1_RAI_RAC"),
1115 344 + NTOP_BASE: _N910F("GTPV1_ULI_MCC"),
1116 345 + NTOP_BASE: _N910F("GTPV1_ULI_MNC"),
1117 346 + NTOP_BASE: _N910F("NUM_PKTS_TTL_2_5"),
1118 347 + NTOP_BASE: _N910F("NUM_PKTS_TTL_EQ_1"),
1119 348 + NTOP_BASE: _N910F("RTP_SIP_CALL_ID"),
1120 349 + NTOP_BASE: _N910F("IN_SRC_OSI_SAP"),
1121 350 + NTOP_BASE: _N910F("OUT_DST_OSI_SAP"),
1122 351 + NTOP_BASE: _N910F("WHOIS_DAS_DOMAIN"),
1123 352 + NTOP_BASE: _N910F("DNS_TTL_ANSWER"),
1124 353 + NTOP_BASE: _N910F("DHCP_CLIENT_MAC", length=6,
1125 field=MACField),
1126 354 + NTOP_BASE: _N910F("DHCP_CLIENT_IP", length=4,
1127 field=IPField),
1128 355 + NTOP_BASE: _N910F("DHCP_CLIENT_NAME"),
1129 356 + NTOP_BASE: _N910F("FTP_LOGIN"),
1130 357 + NTOP_BASE: _N910F("FTP_PASSWORD"),
1131 358 + NTOP_BASE: _N910F("FTP_COMMAND"),
1132 359 + NTOP_BASE: _N910F("FTP_COMMAND_RET_CODE"),
1133 360 + NTOP_BASE: _N910F("HTTP_METHOD"),
1134 361 + NTOP_BASE: _N910F("HTTP_SITE"),
1135 362 + NTOP_BASE: _N910F("SIP_C_IP"),
1136 363 + NTOP_BASE: _N910F("SIP_CALL_STATE"),
1137 364 + NTOP_BASE: _N910F("EPP_REGISTRAR_NAME"),
1138 365 + NTOP_BASE: _N910F("EPP_CMD"),
1139 366 + NTOP_BASE: _N910F("EPP_CMD_ARGS"),
1140 367 + NTOP_BASE: _N910F("EPP_RSP_CODE"),
1141 368 + NTOP_BASE: _N910F("EPP_REASON_STR"),
1142 369 + NTOP_BASE: _N910F("EPP_SERVER_NAME"),
1143 370 + NTOP_BASE: _N910F("RTP_IN_MOS"),
1144 371 + NTOP_BASE: _N910F("RTP_IN_R_FACTOR"),
1145 372 + NTOP_BASE: _N910F("SRC_PROC_USER_NAME"),
1146 373 + NTOP_BASE: _N910F("SRC_FATHER_PROC_PID"),
1147 374 + NTOP_BASE: _N910F("SRC_FATHER_PROC_NAME"),
1148 375 + NTOP_BASE: _N910F("DST_PROC_PID"),
1149 376 + NTOP_BASE: _N910F("DST_PROC_NAME"),
1150 377 + NTOP_BASE: _N910F("DST_PROC_USER_NAME"),
1151 378 + NTOP_BASE: _N910F("DST_FATHER_PROC_PID"),
1152 379 + NTOP_BASE: _N910F("DST_FATHER_PROC_NAME"),
1153 380 + NTOP_BASE: _N910F("RTP_RTT"),
1154 381 + NTOP_BASE: _N910F("RTP_IN_TRANSIT"),
1155 382 + NTOP_BASE: _N910F("RTP_OUT_TRANSIT"),
1156 383 + NTOP_BASE: _N910F("SRC_PROC_ACTUAL_MEMORY"),
1157 384 + NTOP_BASE: _N910F("SRC_PROC_PEAK_MEMORY"),
1158 385 + NTOP_BASE: _N910F("SRC_PROC_AVERAGE_CPU_LOAD"),
1159 386 + NTOP_BASE: _N910F("SRC_PROC_NUM_PAGE_FAULTS"),
1160 387 + NTOP_BASE: _N910F("DST_PROC_ACTUAL_MEMORY"),
1161 388 + NTOP_BASE: _N910F("DST_PROC_PEAK_MEMORY"),
1162 389 + NTOP_BASE: _N910F("DST_PROC_AVERAGE_CPU_LOAD"),
1163 390 + NTOP_BASE: _N910F("DST_PROC_NUM_PAGE_FAULTS"),
1164 391 + NTOP_BASE: _N910F("DURATION_IN"),
1165 392 + NTOP_BASE: _N910F("DURATION_OUT"),
1166 393 + NTOP_BASE: _N910F("SRC_PROC_PCTG_IOWAIT"),
1167 394 + NTOP_BASE: _N910F("DST_PROC_PCTG_IOWAIT"),
1168 395 + NTOP_BASE: _N910F("RTP_DTMF_TONES"),
1169 396 + NTOP_BASE: _N910F("UNTUNNELED_IPV6_SRC_ADDR", length=16,
1170 field=IP6Field),
1171 397 + NTOP_BASE: _N910F("UNTUNNELED_IPV6_DST_ADDR", length=16,
1172 field=IP6Field),
1173 398 + NTOP_BASE: _N910F("DNS_RESPONSE"),
1174 399 + NTOP_BASE: _N910F("DIAMETER_REQ_MSG_TYPE"),
1175 400 + NTOP_BASE: _N910F("DIAMETER_RSP_MSG_TYPE"),
1176 401 + NTOP_BASE: _N910F("DIAMETER_REQ_ORIGIN_HOST"),
1177 402 + NTOP_BASE: _N910F("DIAMETER_RSP_ORIGIN_HOST"),
1178 403 + NTOP_BASE: _N910F("DIAMETER_REQ_USER_NAME"),
1179 404 + NTOP_BASE: _N910F("DIAMETER_RSP_RESULT_CODE"),
1180 405 + NTOP_BASE: _N910F("DIAMETER_EXP_RES_VENDOR_ID"),
1181 406 + NTOP_BASE: _N910F("DIAMETER_EXP_RES_RESULT_CODE"),
1182 407 + NTOP_BASE: _N910F("S1AP_ENB_UE_S1AP_ID"),
1183 408 + NTOP_BASE: _N910F("S1AP_MME_UE_S1AP_ID"),
1184 409 + NTOP_BASE: _N910F("S1AP_MSG_EMM_TYPE_MME_TO_ENB"),
1185 410 + NTOP_BASE: _N910F("S1AP_MSG_ESM_TYPE_MME_TO_ENB"),
1186 411 + NTOP_BASE: _N910F("S1AP_MSG_EMM_TYPE_ENB_TO_MME"),
1187 412 + NTOP_BASE: _N910F("S1AP_MSG_ESM_TYPE_ENB_TO_MME"),
1188 413 + NTOP_BASE: _N910F("S1AP_CAUSE_ENB_TO_MME"),
1189 414 + NTOP_BASE: _N910F("S1AP_DETAILED_CAUSE_ENB_TO_MME"),
1190 415 + NTOP_BASE: _N910F("TCP_WIN_MIN_IN"),
1191 416 + NTOP_BASE: _N910F("TCP_WIN_MAX_IN"),
1192 417 + NTOP_BASE: _N910F("TCP_WIN_MSS_IN"),
1193 418 + NTOP_BASE: _N910F("TCP_WIN_SCALE_IN"),
1194 419 + NTOP_BASE: _N910F("TCP_WIN_MIN_OUT"),
1195 420 + NTOP_BASE: _N910F("TCP_WIN_MAX_OUT"),
1196 421 + NTOP_BASE: _N910F("TCP_WIN_MSS_OUT"),
1197 422 + NTOP_BASE: _N910F("TCP_WIN_SCALE_OUT"),
1198 423 + NTOP_BASE: _N910F("DHCP_REMOTE_ID"),
1199 424 + NTOP_BASE: _N910F("DHCP_SUBSCRIBER_ID"),
1200 425 + NTOP_BASE: _N910F("SRC_PROC_UID"),
1201 426 + NTOP_BASE: _N910F("DST_PROC_UID"),
1202 427 + NTOP_BASE: _N910F("APPLICATION_NAME"),
1203 428 + NTOP_BASE: _N910F("USER_NAME"),
1204 429 + NTOP_BASE: _N910F("DHCP_MESSAGE_TYPE"),
1205 430 + NTOP_BASE: _N910F("RTP_IN_PKT_DROP"),
1206 431 + NTOP_BASE: _N910F("RTP_OUT_PKT_DROP"),
1207 432 + NTOP_BASE: _N910F("RTP_OUT_MOS"),
1208 433 + NTOP_BASE: _N910F("RTP_OUT_R_FACTOR"),
1209 434 + NTOP_BASE: _N910F("RTP_MOS"),
1210 435 + NTOP_BASE: _N910F("GTPV2_S5_S8_GTPC_TEID"),
1211 436 + NTOP_BASE: _N910F("RTP_R_FACTOR"),
1212 437 + NTOP_BASE: _N910F("RTP_SSRC"),
1213 438 + NTOP_BASE: _N910F("PAYLOAD_HASH"),
1214 439 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPU_TEID"),
1215 440 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPU_TEID"),
1216 441 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPU_IP"),
1217 442 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPU_IP"),
1218 443 + NTOP_BASE: _N910F("SRC_AS_MAP"),
1219 444 + NTOP_BASE: _N910F("DST_AS_MAP"),
1220 445 + NTOP_BASE: _N910F("DIAMETER_HOP_BY_HOP_ID"),
1221 446 + NTOP_BASE: _N910F("UPSTREAM_SESSION_ID"),
1222 447 + NTOP_BASE: _N910F("DOWNSTREAM_SESSION_ID"),
1223 448 + NTOP_BASE: _N910F("SRC_IP_LONG"),
1224 449 + NTOP_BASE: _N910F("SRC_IP_LAT"),
1225 450 + NTOP_BASE: _N910F("DST_IP_LONG"),
1226 451 + NTOP_BASE: _N910F("DST_IP_LAT"),
1227 452 + NTOP_BASE: _N910F("DIAMETER_CLR_CANCEL_TYPE"),
1228 453 + NTOP_BASE: _N910F("DIAMETER_CLR_FLAGS"),
1229 454 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_GTPC_IP"),
1230 455 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_GTPC_IP"),
1231 456 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_SGW_GTPU_TEID"),
1232 457 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_SGW_GTPU_TEID"),
1233 458 + NTOP_BASE: _N910F("GTPV2_C2S_S5_S8_SGW_GTPU_IP"),
1234 459 + NTOP_BASE: _N910F("GTPV2_S2C_S5_S8_SGW_GTPU_IP"),
1235 460 + NTOP_BASE: _N910F("HTTP_X_FORWARDED_FOR"),
1236 461 + NTOP_BASE: _N910F("HTTP_VIA"),
1237 462 + NTOP_BASE: _N910F("SSDP_HOST"),
1238 463 + NTOP_BASE: _N910F("SSDP_USN"),
1239 464 + NTOP_BASE: _N910F("NETBIOS_QUERY_NAME"),
1240 465 + NTOP_BASE: _N910F("NETBIOS_QUERY_TYPE"),
1241 466 + NTOP_BASE: _N910F("NETBIOS_RESPONSE"),
1242 467 + NTOP_BASE: _N910F("NETBIOS_QUERY_OS"),
1243 468 + NTOP_BASE: _N910F("SSDP_SERVER"),
1244 469 + NTOP_BASE: _N910F("SSDP_TYPE"),
1245 470 + NTOP_BASE: _N910F("SSDP_METHOD"),
1246 471 + NTOP_BASE: _N910F("NPROBE_IPV4_ADDRESS", length=4,
1247 field=IPField),
1248}
1249NetflowV910TemplateFieldTypes = {
1250 k: v.name for k, v in NetflowV910TemplateFields.items()
1251}
1253ScopeFieldTypes = {
1254 1: "System",
1255 2: "Interface",
1256 3: "Line card",
1257 4: "Cache",
1258 5: "Template",
1259}
1262class NetflowHeaderV9(Packet):
1263 name = "Netflow Header V9"
1264 fields_desc = [ShortField("count", None),
1265 IntField("sysUptime", 0),
1266 UTCTimeField("unixSecs", None),
1267 IntField("packageSequence", 0),
1268 IntField("SourceID", 0)]
1270 def post_build(self, pkt, pay):
1272 def count_by_layer(layer):
1273 if type(layer) == NetflowFlowsetV9:
1274 return len(layer.templates)
1275 elif type(layer) == NetflowDataflowsetV9:
1276 return len(layer.records)
1277 elif type(layer) == NetflowOptionsFlowsetV9:
1278 return 1
1279 else:
1280 return 0
1282 if self.count is None:
1283 # https://www.rfc-editor.org/rfc/rfc3954#section-5.1
1284 count = sum(
1285 sum(count_by_layer(self.getlayer(layer_cls, nth))
1286 for nth in range(1, n + 1))
1287 for layer_cls, n in Counter(self.layers()).items()
1288 )
1289 pkt = struct.pack("!H", count) + pkt[2:]
1290 return pkt + pay
1293# https://tools.ietf.org/html/rfc5655#appendix-B.1.1
1294class NetflowHeaderV10(Packet):
1295 """IPFix (Netflow V10) Header"""
1296 name = "IPFix (Netflow V10) Header"
1297 fields_desc = [ShortField("length", None),
1298 UTCTimeField("ExportTime", 0),
1299 IntField("flowSequence", 0),
1300 IntField("ObservationDomainID", 0)]
1302 def post_build(self, pkt, pay):
1303 if self.length is None:
1304 length = len(pkt) + len(pay)
1305 pkt = struct.pack("!H", length) + pkt[2:]
1306 return pkt + pay
1309class NetflowTemplateFieldV9(Packet):
1310 name = "Netflow Flowset Template Field V9/10"
1311 fields_desc = [BitField("enterpriseBit", 0, 1),
1312 BitEnumField("fieldType", None, 15,
1313 NetflowV910TemplateFieldTypes),
1314 ShortField("fieldLength", None),
1315 ConditionalField(IntField("enterpriseNumber", 0),
1316 lambda p: p.enterpriseBit)]
1318 def __init__(self, *args, **kwargs):
1319 Packet.__init__(self, *args, **kwargs)
1320 if (self.fieldType is not None and
1321 self.fieldLength is None and
1322 self.fieldType in NetflowV910TemplateFields):
1323 self.fieldLength = NetflowV910TemplateFields[
1324 self.fieldType
1325 ].length or None
1327 def default_payload_class(self, p):
1328 return conf.padding_layer
1331class NetflowTemplateV9(Packet):
1332 name = "Netflow Flowset Template V9/10"
1333 fields_desc = [ShortField("templateID", 255),
1334 FieldLenField("fieldCount", None, count_of="template_fields"), # noqa: E501
1335 PacketListField("template_fields", [], NetflowTemplateFieldV9, # noqa: E501
1336 count_from=lambda pkt: pkt.fieldCount)]
1338 def default_payload_class(self, p):
1339 return conf.padding_layer
1342class NetflowFlowsetV9(Packet):
1343 name = "Netflow FlowSet V9/10"
1344 fields_desc = [ShortField("flowSetID", 0),
1345 FieldLenField("length", None, length_of="templates",
1346 adjust=lambda pkt, x:x + 4),
1347 PacketListField("templates", [], NetflowTemplateV9,
1348 length_from=lambda pkt: pkt.length - 4)]
1351class _CustomStrFixedLenField(StrFixedLenField):
1352 def i2repr(self, pkt, v):
1353 return repr(v)
1356def _GenNetflowRecordV9(cls, lengths_list):
1357 """
1358 Internal function used to generate the Records from
1359 their template.
1360 """
1361 _fields_desc = []
1362 for j, k in lengths_list:
1363 # For each field, if it's known in our template list,
1364 # try to make a nice field for it. Otherwise use an integer
1365 # or a string default.
1366 _f_type = None
1367 _f_kwargs = {}
1368 _f_isint = False
1369 if k in NetflowV910TemplateFields:
1370 _f = NetflowV910TemplateFields[k]
1371 _f_type = _f.field
1372 _f_kwargs = _f.kwargs
1373 _f_isint = _f.isint
1375 if _f_type:
1376 if issubclass(_f_type, _AdjustableNetflowField):
1377 _f_kwargs["length"] = j
1378 _fields_desc.append(
1379 _f_type(
1380 NetflowV910TemplateFieldTypes.get(k, "unknown_data"),
1381 0, **_f_kwargs
1382 )
1383 )
1384 elif _f_isint:
1385 _fields_desc.append(
1386 NBytesField(
1387 NetflowV910TemplateFieldTypes.get(k, "unknown_data"),
1388 0, sz=j
1389 )
1390 )
1391 else:
1392 _fields_desc.append(
1393 _CustomStrFixedLenField(
1394 NetflowV910TemplateFieldTypes.get(k, "unknown_data"),
1395 b"", length=j
1396 )
1397 )
1399 # This will act exactly like a NetflowRecordV9, but has custom fields
1400 class NetflowRecordV9I(cls):
1401 fields_desc = _fields_desc
1402 match_subclass = True
1403 NetflowRecordV9I.name = cls.name
1404 NetflowRecordV9I.__name__ = cls.__name__
1405 return NetflowRecordV9I
1408def GetNetflowRecordV9(flowset, templateID=None):
1409 """
1410 Get a NetflowRecordV9/10 for a specific NetflowFlowsetV9/10.
1412 Have a look at the online doc for examples.
1413 """
1414 definitions = {}
1415 for ntv9 in flowset.templates:
1416 llist = []
1417 for tmpl in ntv9.template_fields:
1418 llist.append((tmpl.fieldLength, tmpl.fieldType))
1419 if llist:
1420 cls = _GenNetflowRecordV9(NetflowRecordV9, llist)
1421 definitions[ntv9.templateID] = cls
1422 if not definitions:
1423 raise Scapy_Exception(
1424 "No template IDs detected"
1425 )
1426 if len(definitions) > 1:
1427 if templateID is None:
1428 raise Scapy_Exception(
1429 "Multiple possible templates ! Specify templateID=.."
1430 )
1431 return definitions[templateID]
1432 else:
1433 return list(definitions.values())[0]
1436class NetflowRecordV9(Packet):
1437 name = "Netflow DataFlowset Record V9/10"
1438 fields_desc = [StrField("fieldValue", "")]
1440 def default_payload_class(self, p):
1441 return conf.padding_layer
1444class NetflowDataflowsetV9(Packet):
1445 name = "Netflow DataFlowSet V9/10"
1446 fields_desc = [ShortField("templateID", 255),
1447 ShortField("length", None),
1448 PacketListField(
1449 "records", [],
1450 NetflowRecordV9,
1451 length_from=lambda pkt: pkt.length - 4)]
1453 @classmethod
1454 def dispatch_hook(cls, _pkt=None, *args, **kargs):
1455 if _pkt:
1456 # https://tools.ietf.org/html/rfc5655#appendix-B.1.2
1457 # NetflowV9
1458 if _pkt[:2] == b"\x00\x00":
1459 return NetflowFlowsetV9
1460 if _pkt[:2] == b"\x00\x01":
1461 return NetflowOptionsFlowsetV9
1462 # IPFix
1463 if _pkt[:2] == b"\x00\x02":
1464 return NetflowFlowsetV9
1465 if _pkt[:2] == b"\x00\x03":
1466 return NetflowOptionsFlowset10
1467 return cls
1469 def post_build(self, pkt, pay):
1470 if self.length is None:
1471 # Padding is optional, let's apply it on build
1472 length = len(pkt)
1473 pad = (-length) % 4
1474 pkt = pkt[:2] + struct.pack("!H", length + pad) + pkt[4:]
1475 pkt += b"\x00" * pad
1476 return pkt + pay
1479def _netflowv9_defragment_packet(pkt, definitions, definitions_opts, ignored):
1480 """Used internally to process a single packet during defragmenting"""
1481 # Dataflowset definitions
1482 if NetflowFlowsetV9 in pkt:
1483 current = pkt
1484 while NetflowFlowsetV9 in current:
1485 current = current[NetflowFlowsetV9]
1486 for ntv9 in current.templates:
1487 llist = []
1488 for tmpl in ntv9.template_fields:
1489 llist.append((tmpl.fieldLength, tmpl.fieldType))
1490 if llist:
1491 tot_len = sum(x[0] for x in llist)
1492 cls = _GenNetflowRecordV9(NetflowRecordV9, llist)
1493 definitions[ntv9.templateID] = (tot_len, cls)
1494 current = current.payload
1495 # Options definitions
1496 if NetflowOptionsFlowsetV9 in pkt:
1497 current = pkt
1498 while NetflowOptionsFlowsetV9 in current:
1499 current = current[NetflowOptionsFlowsetV9]
1500 # Load scopes
1501 llist = []
1502 for scope in current.scopes:
1503 llist.append((
1504 scope.scopeFieldlength,
1505 scope.scopeFieldType
1506 ))
1507 scope_tot_len = sum(x[0] for x in llist)
1508 scope_cls = _GenNetflowRecordV9(
1509 NetflowOptionsRecordScopeV9,
1510 llist
1511 )
1512 # Load options
1513 llist = []
1514 for opt in current.options:
1515 llist.append((
1516 opt.optionFieldlength,
1517 opt.optionFieldType
1518 ))
1519 option_tot_len = sum(x[0] for x in llist)
1520 option_cls = _GenNetflowRecordV9(
1521 NetflowOptionsRecordOptionV9,
1522 llist
1523 )
1524 # Storage
1525 definitions_opts[current.templateID] = (
1526 scope_tot_len, scope_cls,
1527 option_tot_len, option_cls
1528 )
1529 current = current.payload
1530 # Dissect flowsets
1531 if NetflowDataflowsetV9 in pkt:
1532 current = pkt
1533 while NetflowDataflowsetV9 in current:
1534 datafl = current[NetflowDataflowsetV9]
1535 tid = datafl.templateID
1536 if tid not in definitions and tid not in definitions_opts:
1537 ignored.add(tid)
1538 return
1539 # All data is stored in one record, awaiting to be split
1540 # If fieldValue is available, the record has not been
1541 # defragmented: pop it
1542 try:
1543 data = datafl.records[0].fieldValue
1544 datafl.records.pop(0)
1545 except (IndexError, AttributeError):
1546 return
1547 res = []
1548 # Flowset record
1549 # Now, according to the flow/option data,
1550 # let's re-dissect NetflowDataflowsetV9
1551 if tid in definitions:
1552 tot_len, cls = definitions[tid]
1553 while len(data) >= tot_len:
1554 res.append(cls(data[:tot_len]))
1555 data = data[tot_len:]
1556 # Inject dissected data
1557 datafl.records = res
1558 if data:
1559 if len(data) <= 4:
1560 datafl.add_payload(conf.padding_layer(data))
1561 else:
1562 datafl.do_dissect_payload(data)
1563 # Options
1564 elif tid in definitions_opts:
1565 (scope_len, scope_cls,
1566 option_len, option_cls) = definitions_opts[tid]
1567 # Dissect scopes
1568 if scope_len:
1569 res.append(scope_cls(data[:scope_len]))
1570 if option_len:
1571 res.append(
1572 option_cls(data[scope_len:scope_len + option_len])
1573 )
1574 if len(data) > scope_len + option_len:
1575 res.append(
1576 conf.padding_layer(data[scope_len + option_len:])
1577 )
1578 # Inject dissected data
1579 datafl.records = res
1580 datafl.name = "Netflow DataFlowSet V9/10 - OPTIONS"
1581 current = datafl.payload
1584def netflowv9_defragment(plist, verb=1):
1585 """Process all NetflowV9/10 Packets to match IDs of the DataFlowsets
1586 with the Headers
1588 params:
1589 - plist: the list of mixed NetflowV9/10 packets.
1590 - verb: verbose print (0/1)
1591 """
1592 if not isinstance(plist, (PacketList, list)):
1593 plist = [plist]
1594 # We need the whole packet to be dissected to access field def in
1595 # NetflowFlowsetV9 or NetflowOptionsFlowsetV9/10
1596 definitions = {}
1597 definitions_opts = {}
1598 ignored = set()
1599 # Iterate through initial list
1600 for pkt in plist:
1601 _netflowv9_defragment_packet(pkt,
1602 definitions,
1603 definitions_opts,
1604 ignored)
1605 if conf.verb >= 1 and ignored:
1606 warning("Ignored templateIDs (missing): %s" % list(ignored))
1607 return plist
1610def ipfix_defragment(*args, **kwargs):
1611 """Alias for netflowv9_defragment"""
1612 return netflowv9_defragment(*args, **kwargs)
1615class NetflowSession(IPSession):
1616 """Session used to defragment NetflowV9/10 packets on the flow.
1617 See help(scapy.layers.netflow) for more infos.
1618 """
1619 def __init__(self, *args, **kwargs):
1620 self.definitions = {}
1621 self.definitions_opts = {}
1622 self.ignored = set()
1623 super(NetflowSession, self).__init__(*args, **kwargs)
1625 def process(self, pkt: Packet) -> Optional[Packet]:
1626 pkt = super(NetflowSession, self).process(pkt)
1627 if not pkt:
1628 return
1629 _netflowv9_defragment_packet(pkt,
1630 self.definitions,
1631 self.definitions_opts,
1632 self.ignored)
1633 return pkt
1636class NetflowOptionsRecordScopeV9(NetflowRecordV9):
1637 name = "Netflow Options Template Record V9/10 - Scope"
1640class NetflowOptionsRecordOptionV9(NetflowRecordV9):
1641 name = "Netflow Options Template Record V9/10 - Option"
1644# Aka Set
1645class NetflowOptionsFlowsetOptionV9(Packet):
1646 name = "Netflow Options Template FlowSet V9/10 - Option"
1647 fields_desc = [BitField("enterpriseBit", 0, 1),
1648 BitEnumField("optionFieldType", None, 15,
1649 NetflowV910TemplateFieldTypes),
1650 ShortField("optionFieldlength", 0),
1651 ConditionalField(ShortField("enterpriseNumber", 0),
1652 lambda p: p.enterpriseBit)]
1654 def default_payload_class(self, p):
1655 return conf.padding_layer
1658# Aka Set
1659class NetflowOptionsFlowsetScopeV9(Packet):
1660 name = "Netflow Options Template FlowSet V9/10 - Scope"
1661 fields_desc = [ShortEnumField("scopeFieldType", None, ScopeFieldTypes),
1662 ShortField("scopeFieldlength", 0)]
1664 def default_payload_class(self, p):
1665 return conf.padding_layer
1668class NetflowOptionsFlowsetV9(Packet):
1669 name = "Netflow Options Template FlowSet V9"
1670 fields_desc = [ShortField("flowSetID", 1),
1671 ShortField("length", None),
1672 ShortField("templateID", 255),
1673 FieldLenField("option_scope_length", None,
1674 length_of="scopes"),
1675 FieldLenField("option_field_length", None,
1676 length_of="options"),
1677 # We can't use PadField as we have 2 PacketListField
1678 PacketListField(
1679 "scopes", [],
1680 NetflowOptionsFlowsetScopeV9,
1681 length_from=lambda pkt: pkt.option_scope_length),
1682 PacketListField(
1683 "options", [],
1684 NetflowOptionsFlowsetOptionV9,
1685 length_from=lambda pkt: pkt.option_field_length),
1686 StrLenField("pad", None, length_from=lambda pkt: (
1687 pkt.length - pkt.option_scope_length -
1688 pkt.option_field_length - 10))]
1690 def default_payload_class(self, p):
1691 return conf.padding_layer
1693 def post_build(self, pkt, pay):
1694 if self.pad is None:
1695 # Padding 4-bytes with b"\x00"
1696 start = 10 + self.option_scope_length + self.option_field_length
1697 pkt = pkt[:start] + (-len(pkt) % 4) * b"\x00"
1698 if self.length is None:
1699 pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]
1700 return pkt + pay
1703# https://tools.ietf.org/html/rfc5101#section-3.4.2.2
1704class NetflowOptionsFlowset10(NetflowOptionsFlowsetV9):
1705 """Netflow V10 (IPFix) Options Template FlowSet"""
1706 name = "Netflow V10 (IPFix) Options Template FlowSet"
1707 fields_desc = [ShortField("flowSetID", 3),
1708 ShortField("length", None),
1709 ShortField("templateID", 255),
1710 # Slightly different counting than in its NetflowV9
1711 # counterpart: we count the total, and among them which
1712 # ones are scopes. Also, it's count, not length
1713 FieldLenField("field_count", None,
1714 count_of="options",
1715 adjust=lambda pkt, x: (
1716 x + pkt.get_field(
1717 "scope_field_count").i2m(pkt, None))),
1718 FieldLenField("scope_field_count", None,
1719 count_of="scopes"),
1720 # We can't use PadField as we have 2 PacketListField
1721 PacketListField(
1722 "scopes", [],
1723 NetflowOptionsFlowsetScopeV9,
1724 count_from=lambda pkt: pkt.scope_field_count),
1725 PacketListField(
1726 "options", [],
1727 NetflowOptionsFlowsetOptionV9,
1728 count_from=lambda pkt: (
1729 pkt.field_count - pkt.scope_field_count
1730 )),
1731 StrLenField("pad", None, length_from=lambda pkt: (
1732 pkt.length - (pkt.scope_field_count * 4) - 10))]
1734 def post_build(self, pkt, pay):
1735 if self.length is None:
1736 pkt = pkt[:2] + struct.pack("!H", len(pkt)) + pkt[4:]
1737 if self.pad is None:
1738 # Padding 4-bytes with b"\x00"
1739 start = 10 + self.scope_field_count * 4
1740 pkt = pkt[:start] + (-len(pkt) % 4) * b"\x00"
1741 return pkt + pay
1744bind_layers(NetflowHeader, NetflowHeaderV9, version=9)
1745bind_layers(NetflowHeaderV9, NetflowDataflowsetV9)
1746bind_layers(NetflowDataflowsetV9, NetflowDataflowsetV9)
1747bind_layers(NetflowOptionsFlowsetV9, NetflowDataflowsetV9)
1748bind_layers(NetflowFlowsetV9, NetflowDataflowsetV9)
1750# Apart from the first header, IPFix and NetflowV9 have the same format
1751# (except the Options Template)
1752# https://tools.ietf.org/html/rfc5655#appendix-B.1.2
1753bind_layers(NetflowHeader, NetflowHeaderV10, version=10)
1754bind_layers(NetflowHeaderV10, NetflowDataflowsetV9)