/* Proposed standard sFlow data formats (draft 8) */ /* Revision History - version 5 Added stripped count to sampled_header Added POS header_protocol Added BGP next hop router Clarify definition of packet length Remove limit on packet header size. Adds host field to URL extension and clarifies url_direction. Define url as http request-line. Adds character set information to user data. Adds NAT support. Adds MPLS information. - version 4 adds support for BGP communities - version 3 adds support for extended_url information */ /* Enterprise = 0 refers to standard sFlow structures. An sFlow implementor should use the standard structures where possible, even if they can only be partially populated. Vendor specific structures are allowed, but should only be used to supplement the existing structures, or to carry information that hasn't yet been standardized. The following values should be used for fields that are unknown (unless otherwise indicated in the structure definitions). - Unknown integer value. Use a value of 0 to indicate that a value is unknown. - Unknown counter. Use the maximum counter value to indicate that the counter is not available. Within any given sFlow session a particular counter must be always available, or always unavailable. An available counter may temporarily have the max value just before it rolls to zero. This is permitted. */ - Unknown string. Use the zero length empty string. */ /* Flow Data Types A flow_sample must contain packet header information. The prefered format for reporting packet header information is the sampled_header. However, if the packet header is not available to the sampling process then one or more of sampled_ethernet, sampled_ipv4, sampled_ipv6 may be used. */ /* Packet Header Data */ /* The header_protocol enumeration may be expanded over time. Applications receiving sFlow must be prepared to receive sampled_header structures with unknown sampled_header values. The authoritative list of protocol numbers will be maintained at www.sflow.org */ enum header_protocol { ETHERNET-ISO88023 = 1, ISO88024-TOKENBUS = 2, ISO88025-TOKENRING = 3, FDDI = 4, FRAME-RELAY = 5, X25 = 6, PPP = 7, SMDS = 8, AAL5 = 9, AAL5-IP = 10, /* e.g. Cisco AAL5 mux */ IPv4 = 11, IPv6 = 12, MPLS = 13, POS = 14 /* RFC 1662, 2615 */ } /* Raw Packet Header */ /* opaque = flow_data; enterprise = 0; format = 1 */ struct sampled_header { header_protocol protocol; /* Format of sampled header */ unsigned int frame_length; /* Original length of packet before sampling. Note: For a layer 2 header_protocol, length is total number of octets of data received on the network (excluding framing bits but including FCS octets). Hardware limitations may prevent an exact reporting of the underlying frame length, but an agent should attempt to be as accurate as possible. Any octets added to the frame_length to compensate for encapsulations removed by the underlying hardware must also be added to the stripped count. */ unsigned int stripped; /* The number of octets removed from the packet before extracting the header<> octets. Trailing encapsulation data corresponding to any leading encapsulations that were stripped must also be stripped. Trailing encapsulation data for the outermost protocol layer included in the sampled header must be stripped. In the case of a non-encapsulated 802.3 packet stripped >= 4 since VLAN tag information might have been stripped off in addition to the FCS. Outer encapsulations that are ambiguous, or not one of the standard header_protocol must be stripped. */ opaque header<>; /* Header bytes */ } typedef opaque mac[6]; /* Ethernet Frame Data */ /* opaque = flow_data; enterprise = 0; format = 2 */ struct sampled_ethernet { unsigned int length; /* The length of the MAC packet received on the network, excluding lower layer encapsulations and framing bits but including FCS octets */ mac src_mac; /* Source MAC address */ mac dst_mac; /* Destination MAC address */ unsigned int type; /* Ethernet packet type */ } /* Packet IP version 4 data */ /* opaque = flow_data; enterprise = 0; format = 3 */ struct sampled_ipv4 { unsigned int length; /* The length of the IP packet excluding lower layer encapsulations */ unsigned int protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ ip_v4 src_ip; /* Source IP Address */ ip_v4 dst_ip; /* Destination IP Address */ unsigned int src_port; /* TCP/UDP source port number or equivalent */ unsigned int dst_port; /* TCP/UDP destination port number or equivalent */ unsigned int tcp_flags; /* TCP flags */ unsigned int tos; /* IP type of service */ } /* Packet IP Version 6 Data */ /* opaque = flow_data; enterprise = 0; format = 4 */ struct sampled_ipv6 { unsigned int length; /* The length of the IP packet excluding lower layer encapsulations */ unsigned int protocol; /* IP next header (for example, TCP = 6, UDP = 17) */ ip_v6 src_ip; /* Source IP Address */ ip_v6 dst_ip; /* Destination IP Address */ unsigned int src_port; /* TCP/UDP source port number or equivalent */ unsigned int dst_port; /* TCP/UDP destination port number or equivalent */ unsigned int tcp_flags; /* TCP flags */ unsigned int priority; /* IP priority */ } /* Extended Flow Data Extended data types provide supplimentary information about the sampled packet. All applicable extended flow records should be included with each flow sample. */ /* Extended Switch Data */ /* opaque = flow_data; enterprise = 0; format = 1001 */ struct extended_switch { unsigned int src_vlan; /* The 802.1Q VLAN id of incoming frame */ unsigned int src_priority; /* The 802.1p priority of incoming frame */ unsigned int dst_vlan; /* The 802.1Q VLAN id of outgoing frame */ unsigned int dst_priority; /* The 802.1p priority of outgoing frame */ } /* Extended Router Data */ /* opaque = flow_data; enterprise = 0; format = 1002 */ struct extended_router { address nexthop; /* IP address of next hop router */ unsigned int src_mask; /* Source address prefix mask (expressed as number of bits) */ unsigned int dst_mask; /* Destination address prefix mask (expressed as number of bits) */ } enum as_path_segment_type { AS_SET = 1, /* Unordered set of ASs */ AS_SEQUENCE = 2 /* Ordered set of ASs */ } union as_path_type (as_path_segment_type) { case AS_SET: unsigned int as_set<>; case AS_SEQUENCE: unsigned int as_sequence<>; } /* Extended Gateway Data */ /* opaque = flow_data; enterprise = 0; format = 1003 */ struct extended_gateway { address nexthop; /* Address of the border router that should be used for the destination network */ unsigned int as; /* Autonomous system number of router */ unsigned int src_as; /* Autonomous system number of source */ unsigned int src_peer_as; /* Autonomous system number of source peer */ as_path_type dst_as_path<>; /* Autonomous system path to the destination */ unsigned int communities<>; /* Communities associated with this route */ unsigned int localpref; /* LocalPref associated with this route */ } /* Character Set MIBEnum value of character set used to encode a string - See RFC 2978 Where possible UTF-8 encoding (MIBEnum=106) should be used. A value of zero indicates an unknown encoding. */ typedef unsigned int charset; /* Extended User Data */ /* opaque = flow_data; enterprise = 0; format = 1004 */ struct extended_user { charset src_charset; /* Character set for src_user */ opaque src_user<>; /* User ID associated with packet source */ charset dst_charset; /* Character set for dst_user */ opaque dst_user<>; /* User ID associated with packet destination */ } enum url_direction { src = 1, /* Source address is server */ dst = 2 /* Destination address is server */ } /* Extended URL Data */ /* opaque = flow_data; enterprise = 0; format = 1005 */ struct extended_url { url_direction direction; /* Direction of connection */ string url<>; /* The HTTP request-line (see RFC 2616) */ string host<>; /* The host field from the HTTP header */ } /* Extended MPLS Data */ /* opaque = flow_data; enterprise = 0; format = 1006 */ struct extended_mpls { address nexthop; /* Address of the next hop */ unsigned int in_label; /* Top label of received mpls packet (See RFC 3032 for label encoding) */ unsigned int out_label_stack<>; /* Label stack for transmitted mpls packet Note: First entry is top of stack. */ } /* Extended NAT Data Packet header records report addresses as seen at the sFlowDataSource. The extended_nat structure reports on translated source and/or destination addesses for this packet. If an address was not translated it should be equal to that reported for the header. */ /* opaque = flow_data; enterprise = 0; format = 1007 */ struct extended_nat { address src_address; /* Source address */ address dst_address; /* Destination address */ } /* Counter Data Types Wherever possible, the if_counters block should be included. Media specific counters can be included as well. */ /* Generic Interface Counters - see RFC 2233 */ /* opaque = counter_data; enterprise = 0; format = 1 */ struct if_counters { unsigned int ifIndex; unsigned int ifType; unsigned hyper ifSpeed; unsigned int ifDirection; /* derived from MAU MIB (RFC 2668) 0 = unkown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out */ unsigned int ifStatus; /* bit field with the following bits assigned bit 0 = ifAdminStatus (0 = down, 1 = up) bit 1 = ifOperStatus (0 = down, 1 = up) */ unsigned hyper ifInOctets; unsigned int ifInUcastPkts; unsigned int ifInMulticastPkts; unsigned int ifInBroadcastPkts; unsigned int ifInDiscards; unsigned int ifInErrors; unsigned int ifInUnknownProtos; unsigned hyper ifOutOctets; unsigned int ifOutUcastPkts; unsigned int ifOutMulticastPkts; unsigned int ifOutBroadcastPkts; unsigned int ifOutDiscards; unsigned int ifOutErrors; unsigned int ifPromiscuousMode; } /* Ethernet Interface Counters - see RFC 2358 */ /* opaque = counter_data; enterprise = 0; format = 2 */ struct ethernet_counters { unsigned int dot3StatsAlignmentErrors; unsigned int dot3StatsFCSErrors; unsigned int dot3StatsSingleCollisionFrames; unsigned int dot3StatsMultipleCollisionFrames; unsigned int dot3StatsSQETestErrors; unsigned int dot3StatsDeferredTransmissions; unsigned int dot3StatsLateCollisions; unsigned int dot3StatsExcessiveCollisions; unsigned int dot3StatsInternalMacTransmitErrors; unsigned int dot3StatsCarrierSenseErrors; unsigned int dot3StatsFrameTooLongs; unsigned int dot3StatsInternalMacReceiveErrors; unsigned int dot3StatsSymbolErrors; } /* Token Ring Counters - see RFC 1748 */ /* opaque = counter_data; enterprise = 0; format = 3 */ struct tokenring_counters { unsigned int dot5StatsLineErrors; unsigned int dot5StatsBurstErrors; unsigned int dot5StatsACErrors; unsigned int dot5StatsAbortTransErrors; unsigned int dot5StatsInternalErrors; unsigned int dot5StatsLostFrameErrors; unsigned int dot5StatsReceiveCongestions; unsigned int dot5StatsFrameCopiedErrors; unsigned int dot5StatsTokenErrors; unsigned int dot5StatsSoftErrors; unsigned int dot5StatsHardErrors; unsigned int dot5StatsSignalLoss; unsigned int dot5StatsTransmitBeacons; unsigned int dot5StatsRecoverys; unsigned int dot5StatsLobeWires; unsigned int dot5StatsRemoves; unsigned int dot5StatsSingles; unsigned int dot5StatsFreqErrors; } /* 100 BaseVG interface counters - see RFC 2020 */ /* opaque = counter_data; enterprise = 0; format = 4 */ struct vg_counters { unsigned int dot12InHighPriorityFrames; unsigned hyper dot12InHighPriorityOctets; unsigned int dot12InNormPriorityFrames; unsigned hyper dot12InNormPriorityOctets; unsigned int dot12InIPMErrors; unsigned int dot12InOversizeFrameErrors; unsigned int dot12InDataErrors; unsigned int dot12InNullAddressedFrames; unsigned int dot12OutHighPriorityFrames; unsigned hyper dot12OutHighPriorityOctets; unsigned int dot12TransitionIntoTrainings; unsigned hyper dot12HCInHighPriorityOctets; unsigned hyper dot12HCInNormPriorityOctets; unsigned hyper dot12HCOutHighPriorityOctets; } /* VLAN Counters */ /* opaque = counter_data; enterprise = 0; format = 5 */ struct vlan_counters { unsigned int vlan_id; unsigned hyper octets; unsigned int ucastPkts; unsigned int multicastPkts; unsigned int broadcastPkts; unsigned int discards; }