/* Proposed standard sFlow data formats (draft 3) */ Enterprise = 0 refers to standard sFlow structures. An sFlow implementor should use the standard structures where possible, even if they can only be partially populated. Vendor specific structures are allowed, but should only be used to supplement the existing structures, or to carry information that hasn't yet been standardized. The following values should be used for fields that are unknown (unless otherwise indicated in the structure definitions). - Unknown integer value. Use a value of 0 to indicate that a value is unknown. - Unknown counter. Use the maximum counter value to indicate that the counter is not available. Within any given sFlow session a particular counter must be always available, or always unavailable. An available counter may temporarily have the max value just before it rolls to zero. This is permitted. */ - Unknown string. Use the zero length empty string. */ /* Flow Data Types A flow_sample must contain packet header information. The prefered format for reporting packet header information is the sampled_header. However, if the packet header is not available to the sampling process then one or more of sampled_ethernet, sampled_ipv4, sampled_ipv6 may be used. */ /* Packet Header Data */ enum header_protocol { ETHERNET-ISO88023 = 1, ISO88024-TOKENBUS = 2, ISO88025-TOKENRING = 3, FDDI = 4, FRAME-RELAY = 5, X25 = 6, PPP = 7, SMDS = 8, AAL5 = 9, AAL5-IP = 10, /* e.g. Cisco AAL5 mux */ IPv4 = 11, IPv6 = 12, MPLS = 13 } /* Raw Packet Header */ /* opaque = flow_data; enterprise = 0; format = 1 */ struct sampled_header { header_protocol protocol; /* Format of sampled header */ unsigned int frame_length; /* Original length of packet before sampling */ opaque header<>; /* Header bytes */ } typedef opaque mac[6]; /* Ethernet Frame Data */ /* opaque = flow_data; enterprise = 0; format = 2 */ struct sampled_ethernet { unsigned int length; /* The length of the MAC packet excluding lower layer encapsulations */ mac src_mac; /* Source MAC address */ mac dst_mac; /* Destination MAC address */ unsigned int type; /* Ethernet packet type */ } /* Packet IP version 4 data */ /* opaque = flow_data; enterprise = 0; format = 3 */ struct sampled_ipv4 { unsigned int length; /* The length of the IP packet excluding lower layer encapsulations */ unsigned int protocol; /* IP Protocol type (for example, TCP = 6, UDP = 17) */ ip_v4 src_ip; /* Source IP Address */ ip_v4 dst_ip; /* Destination IP Address */ unsigned int src_port; /* TCP/UDP source port number or equivalent */ unsigned int dst_port; /* TCP/UDP destination port number or equivalent */ unsigned int tcp_flags; /* TCP flags */ unsigned int tos; /* IP type of service */ } /* Packet IP Version 6 Data */ /* opaque = flow_data; enterprise = 0; format = 4 */ struct sampled_ipv6 { unsigned int length; /* The length of the IP packet excluding lower layer encapsulations */ unsigned int protocol; /* IP next header (for example, TCP = 6, UDP = 17) */ ip_v6 src_ip; /* Source IP Address */ ip_v6 dst_ip; /* Destination IP Address */ unsigned int src_port; /* TCP/UDP source port number or equivalent */ unsigned int dst_port; /* TCP/UDP destination port number or equivalent */ unsigned int tcp_flags; /* TCP flags */ unsigned int priority; /* IP priority */ } /* Extended Flow Data Extended data types provide supplimentary information about the sampled packet. All applicable extended flow records should be included with each flow sample. */ /* Extended Switch Data */ /* opaque = flow_data; enterprise = 0; format = 1001 */ struct extended_switch { unsigned int src_vlan; /* The 802.1Q VLAN id of incoming frame */ unsigned int src_priority; /* The 802.1p priority of incoming frame */ unsigned int dst_vlan; /* The 802.1Q VLAN id of outgoing frame */ unsigned int dst_priority; /* The 802.1p priority of outgoing frame */ } /* Extended Router Data */ /* opaque = flow_data; enterprise = 0; format = 1002 */ struct extended_router { address nexthop; /* IP address of next hop router */ unsigned int src_mask; /* Source address prefix mask (expressed as number of bits) */ unsigned int dst_mask; /* Destination address prefix mask (expressed as number of bits) */ } enum as_path_segment_type { AS_SET = 1, /* Unordered set of ASs */ AS_SEQUENCE = 2 /* Ordered set of ASs */ } union as_path_type (as_path_segment_type) { case AS_SET: unsigned int as_set<>; case AS_SEQUENCE: unsigned int as_sequence<>; } /* Extended Gateway Data */ /* opaque = flow_data; enterprise = 0; format = 1003 */ struct extended_gateway { unsigned int as; /* Autonomous system number of router */ unsigned int src_as; /* Autonomous system number of source */ unsigned int src_peer_as; /* Autonomous system number of source peer */ as_path_type dst_as_path<>; /* Autonomous system path to the destination */ unsigned int communities<>; /* Communities associated with this route */ unsigned int localpref; /* LocalPref associated with this route */ } /* Extended User Data */ /* opaque = flow_data; enterprise = 0; format = 1004 */ struct extended_user { unsigned int charset; /* MIBEnum value of character set used to encode user information - See RFC 2978 Where possible UTF-8 encoding (MIBEnum=106) should be used. */ string src_user<>; /* User ID associated with packet source */ string dst_user<>; /* User ID associated with packet destination */ } enum url_direction { src = 1, /* Source address is server */ dst = 2 /* Destination address is server */ } /* Extended URL Data */ /* opaque = flow_data; enterprise = 0; format = 1005 */ struct extended_url { url_direction direction; /* Direction of connection */ string url<>; /* URL associated with the packet flow. Must be URL encoded. */ string host<>; /* The host field from the HTTP header */ } /* Extended MPLS Data */ /* opaque = flow_data; enterprise = 0; format = 1006 */ struct extended_mpls { address mplsNextHop; /* Address of the next hop */ unsigned int mplsInLabel; /* Top label of received mpls packet (See RFC 3032 for label encoding) */ unsigned int mplsOutLabelStack<>; /* Label stack for transmitted mpls packet Note: First entry is top of stack. */ } /* Extended NAT Data Packet header records report addresses as seen at the sFlowDataSource. The extended_nat structure reports on translated source and/or destination addesses for this packet. If an address was not translated it should be equal to that reported for the header. */ /* opaque = flow_data; enterprise = 0; format = 1007 */ struct extended_nat { address src_address; /* Source address */ address dst_address; /* Destination address */ } /* Counter Data Types Wherever possible, the if_counters block should be included. Media specific counters can be included as well. */ /* Generic Interface Counters - see RFC 2233 */ /* opaque = counter_data; enterprise = 0; format = 1 */ struct if_counters { unsigned int ifIndex; unsigned int ifType; unsigned hyper ifSpeed; unsigned int ifDirection; /* derived from MAU MIB (RFC 2668) 0 = unkown, 1=full-duplex, 2=half-duplex, 3 = in, 4=out */ unsigned int ifStatus; /* bit field with the following bits assigned bit 0 = ifAdminStatus (0 = down, 1 = up) bit 1 = ifOperStatus (0 = down, 1 = up) */ unsigned hyper ifInOctets; unsigned int ifInUcastPkts; unsigned int ifInMulticastPkts; unsigned int ifInBroadcastPkts; unsigned int ifInDiscards; unsigned int ifInErrors; unsigned int ifInUnknownProtos; unsigned hyper ifOutOctets; unsigned int ifOutUcastPkts; unsigned int ifOutMulticastPkts; unsigned int ifOutBroadcastPkts; unsigned int ifOutDiscards; unsigned int ifOutErrors; unsigned int ifPromiscuousMode; } /* Ethernet Interface Counters - see RFC 2358 */ /* opaque = counter_data; enterprise = 0; format = 2 */ struct ethernet_counters { unsigned int dot3StatsAlignmentErrors; unsigned int dot3StatsFCSErrors; unsigned int dot3StatsSingleCollisionFrames; unsigned int dot3StatsMultipleCollisionFrames; unsigned int dot3StatsSQETestErrors; unsigned int dot3StatsDeferredTransmissions; unsigned int dot3StatsLateCollisions; unsigned int dot3StatsExcessiveCollisions; unsigned int dot3StatsInternalMacTransmitErrors; unsigned int dot3StatsCarrierSenseErrors; unsigned int dot3StatsFrameTooLongs; unsigned int dot3StatsInternalMacReceiveErrors; unsigned int dot3StatsSymbolErrors; } /* Token Ring Counters - see RFC 1748 */ /* opaque = counter_data; enterprise = 0; format = 3 */ struct tokenring_counters { unsigned int dot5StatsLineErrors; unsigned int dot5StatsBurstErrors; unsigned int dot5StatsACErrors; unsigned int dot5StatsAbortTransErrors; unsigned int dot5StatsInternalErrors; unsigned int dot5StatsLostFrameErrors; unsigned int dot5StatsReceiveCongestions; unsigned int dot5StatsFrameCopiedErrors; unsigned int dot5StatsTokenErrors; unsigned int dot5StatsSoftErrors; unsigned int dot5StatsHardErrors; unsigned int dot5StatsSignalLoss; unsigned int dot5StatsTransmitBeacons; unsigned int dot5StatsRecoverys; unsigned int dot5StatsLobeWires; unsigned int dot5StatsRemoves; unsigned int dot5StatsSingles; unsigned int dot5StatsFreqErrors; } /* 100 BaseVG interface counters - see RFC 2020 */ /* opaque = counter_data; enterprise = 0; format = 4 */ struct vg_counters { unsigned int dot12InHighPriorityFrames; unsigned hyper dot12InHighPriorityOctets; unsigned int dot12InNormPriorityFrames; unsigned hyper dot12InNormPriorityOctets; unsigned int dot12InIPMErrors; unsigned int dot12InOversizeFrameErrors; unsigned int dot12InDataErrors; unsigned int dot12InNullAddressedFrames; unsigned int dot12OutHighPriorityFrames; unsigned hyper dot12OutHighPriorityOctets; unsigned int dot12TransitionIntoTrainings; unsigned hyper dot12HCInHighPriorityOctets; unsigned hyper dot12HCInNormPriorityOctets; unsigned hyper dot12HCOutHighPriorityOctets; } /* VLAN Counters */ /* opaque = counter_data; enterprise = 0; format = 5 */ struct vlan_counters { unsigned int vlan_id; unsigned hyper octets; unsigned int ucastPkts; unsigned int multicastPkts; unsigned int broadcastPkts; unsigned int discards; }