From 0db0d7ffd658db4c0182abdc11e359cb5a6363f8 Mon Sep 17 00:00:00 2001
From: Peter Haag
Date: Sat, 7 May 2016 11:18:33 +0200
Subject: [PATCH] Add %ff record flags to custom output format

---
 bin/nf_common.c | 8 ++++++++
 man/nfdump.1 | 30 ++++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/bin/nf_common.c b/bin/nf_common.c
index 1cc9c89..241a818 100644
--- a/bin/nf_common.c
+++ b/bin/nf_common.c
@@ -96,6 +96,8 @@ static void AddToken(int index);
 static void AddString(char *string);
+static void String_FlowFlags(master_record_t *r, char *string);
+
 static void String_FirstSeen(master_record_t *r, char *string);
 static void String_LastSeen(master_record_t *r, char *string);
@@ -269,6 +271,7 @@ static struct format_token_list_s {
 char *header; // header line description
 string_function_t string_function; // function generation output string
 } format_token_list[] = {
+ { "%ff", 0, "Flow Flags", String_FlowFlags }, // flow flags in hex
 { "%tfs", 0, "Date first seen ", String_FirstSeen }, // Start Time - first seen
 { "%ts", 0, "Date first seen ", String_FirstSeen }, // Start Time - first seen
 { "%te", 0, "Date last seen ", String_LastSeen }, // End Time - last seen
@@ -1809,6 +1812,11 @@ static inline void ICMP_Port_decode(master_record_t *r, char *string) {
 } // End of ICMP_Port_decode
 /* functions, which create the individual strings for the output line */
+static void String_FlowFlags(master_record_t *r, char *string) {
+ snprintf(string, MAX_STRING_LENGTH-1, "0x%.2x", r->flags);
+ string[MAX_STRING_LENGTH-1] = '\0';
+}
+
 static void String_FirstSeen(master_record_t *r, char *string) {
 time_t tt;
 struct tm * ts;
diff --git a/man/nfdump.1 b/man/nfdump.1
index 326e569..1eec0be 100755
--- a/man/nfdump.1
+++ b/man/nfdump.1
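Review bot: The format argument in the new String_FlowFlags is the point to settle before merging: `%x` expects an unsigned int, and the declaration of `r->flags` is not in this hunk, so if that field is a narrower or signed type the call is a format/argument mismatch that -Wformat reports; `snprintf(string, MAX_STRING_LENGTH-1, "0x%.2x", (unsigned)r->flags);` makes it well-defined regardless of the field's width. The following `string[MAX_STRING_LENGTH-1] = '\0';` is redundant, since snprintf with size MAX_STRING_LENGTH-1 always terminates within those bytes; it is harmless and may be the file's house style, but String_FirstSeen, which begins at the end of this hunk and continues outside it, is the only neighbour visible here, so I cannot confirm that. Note also that the `.2` precision is a minimum, not a limit: any flag bit above 128 would widen the field beyond two digits, which a consumer that assumes a fixed four-character column would not expect. Because the man page hunk now publishes the eight bit values as a user-visible contract, a one-line comment on the function, `// bit meanings are documented under %ff in man/nfdump.1 - keep both in sync`, would help whoever adds the next flag.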
@@ -573,7 +573,7 @@ are aggregated this results in the average bps during this periode of time.
 \fBBpp:\fR The calculated bytes per packet: number of bytes / number of packets. If flows are aggregated this results in the average bpp during this periode of time.
 .P
-\fBFlows:\fR Number of flows. If flows are listed only, this number is alwasy 1. If flows
+\fBFlows:\fR Number of flows. If flows are listed only, this number is always 1. If flows
 are aggregated, this shows the number of aggregated flows to one record.
 .RE
 .PD
@@ -597,6 +597,8 @@ and format specifier as described below
 .RS 3
 \fB%\fR Inserts the predefined \fBformat\fR at this position. e.g. \fB%line\fR
 .br
+\fB%ff\fR flow record flags in hex.
+.br
 \fB%ts\fR Start Time \- first seen
 .br
 \fB%te\fR End Time \- last seen
@@ -785,6 +787,30 @@ Nprobe formats
 .RE
 .PD
 .P
+
+The "flow flags" format (%ff) prints the internal record flags as a single hexadecimal number,
+consisting of any of these flag values or-ed together:
+.P
+.RS 3
+.br
+1 Record contains IPv6 addresses
+.br
+2 Packet counters are 64-bit
+.br
+4 Byte counters are 64-bit
+.br
+8 IP next hop is an IPv6 address
+.br
+16 BGP next hop is an IPv6 address
+.br
+32 Exporting router is an IPv6 address
+.br
+64 Record is an EVENT record
+.br
+128 Record is sampled
+.RE
+.P
+
 Example: the standard output format \fBlong\fR can be created as
 .RS 3
 \fB\-o "fmt:%ts %td %pr %sap \-> %dap %flg %tos %pkt %byt %fl"\fR
@@ -810,7 +836,7 @@ Record line: 2004-07-11 10:30:00,2004-07-11 10:30:10,10.010,...
 .PD
 .P
 All records are in ASCII readable form. Numbers are not scaled, so each line
-can easly be parsed.
+can easily be parsed.
 .P
 Indices used in nfdump 1.6:
 .P