From db100d7eb5115fb8d9c4f0f4594e4e7c59141c11 Mon Sep 17 00:00:00 2001
From: Peter Haag
Date: Sun, 24 Jun 2018 14:18:47 +0200
Subject: [PATCH] Add CISCO ASA elements initiatorPackets (298) responderPackets (299)
---
 bin/netflow_v9.c | 16 ++++++++++++++--
 bin/netflow_v9.h | 4 ++++
 bin/nf_common.c | 4 ++--
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/bin/netflow_v9.c b/bin/netflow_v9.c
index 21e7f2e..b35e2e5 100644
--- a/bin/netflow_v9.c
+++ b/bin/netflow_v9.c
@@ -210,6 +210,7 @@ static struct v9_element_map_s {
 { NF9_IN_BYTES, "bytes", _8bytes, _8bytes, move64_sampling, zero64, COMMON_BLOCK },
 { NF9_IN_PACKETS, "packets", _4bytes, _8bytes, move32_sampling, zero64, COMMON_BLOCK },
 { NF9_IN_PACKETS, "packets", _8bytes, _8bytes, move64_sampling, zero64, COMMON_BLOCK },
+ { NF_F_INITIATORPACKETS, "packets", _8bytes, _8bytes, move64_sampling, zero64, COMMON_BLOCK },
 { NF9_FLOWS_AGGR, "flows", _4bytes, _4bytes, move32, zero32, EX_AGGR_FLOWS_4 },
 { NF9_FLOWS_AGGR, "flows", _8bytes, _8bytes, move64, zero64, EX_AGGR_FLOWS_8 },
@@ -242,6 +243,7 @@ static struct v9_element_map_s {
 { NF9_OUT_BYTES, "out bytes", _8bytes, _8bytes, move64_sampling, zero64, EX_OUT_BYTES_8 },
 { NF9_OUT_PKTS, "out packets", _4bytes, _8bytes, move32_sampling, zero64, EX_OUT_PKG_8 },
 { NF9_OUT_PKTS, "out packets", _8bytes, _8bytes, move64_sampling, zero64, EX_OUT_PKG_8 },
+ { NF_F_RESPONDERPACKETS, "out packets", _8bytes, _8bytes, move64_sampling, zero64, EX_OUT_PKG_8 },
 { NF9_IPV6_SRC_ADDR, "V6 src addr", _16bytes, _16bytes, move128, zero128, COMMON_BLOCK },
 { NF9_IPV6_DST_ADDR, "V6 dst addr", _16bytes, _16bytes, move128, zero128, COMMON_BLOCK },
 { NF9_IPV6_SRC_MASK, "V6 src mask", _1byte, _1byte, move8, zero8, EX_MULIPLE },
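Review bot: The new `NF_F_INITIATORPACKETS` row is registered for an 8-byte input length only, while `NF9_IN_PACKETS` directly above it has both a `_4bytes` and an `_8bytes` row; the same holds for `NF_F_RESPONDERPACKETS` next to `NF9_OUT_PKTS` in the second hunk. Template field lengths are chosen by the exporter, so if the element lookup matches on length (that code is outside these hunks), a template declaring element 298 or 299 with 4 bytes would presumably be skipped and the packet counter left at zero without any diagnostic. Consider adding the 4-byte variants, e.g. `{ NF_F_INITIATORPACKETS, "packets", _4bytes, _8bytes, move32_sampling, zero64, COMMON_BLOCK },`, or a comment on the rows stating that only the 8-byte encoding is supported. The `v9_element_map` initializer starts before and continues past both hunks.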
@@ -783,7 +785,12 @@ size_t size_required;
 * This record is expected in the output stream. If not available
 * in the template, assume empty 4 bytes value
 */
- PushSequence( table, NF9_IN_PACKETS, &offset, &table->packets, 0);
+ if ( cache.lookup_info[NF_F_INITIATORPACKETS].found ) {
+ PushSequence( table, NF_F_INITIATORPACKETS, &offset, &table->packets, 0);
+ dbg_printf("Push NF_F_INITIATORPACKETS\n");
+ } else {
+ PushSequence( table, NF9_IN_PACKETS, &offset, &table->packets, 0);
+ }
 // fix: always have 64bit counters due to possible sampling
 SetFlag(table->flags, FLAG_PKG_64);
@@ -866,7 +873,12 @@ size_t size_required;
 PushSequence( table, NF9_OUT_PKTS, &offset, &table->out_packets, 0);
 break;
 case EX_OUT_PKG_8:
- PushSequence( table, NF9_OUT_PKTS, &offset, &table->out_packets, 0);
+ if ( cache.lookup_info[NF_F_RESPONDERPACKETS].found ) {
+ PushSequence( table, NF_F_RESPONDERPACKETS, &offset, &table->out_packets, 0);
+ dbg_printf("Push NF_F_RESPONDERPACKETS\n");
+ } else {
+ PushSequence( table, NF9_OUT_PKTS, &offset, &table->out_packets, 0);
+ }
 break;
 case EX_OUT_BYTES_4:
 if ( cache.lookup_info[NF_F_REV_FLOW_DELTA_BYTES].found ) {
diff --git a/bin/netflow_v9.h b/bin/netflow_v9.h
index b07775f..77400e8 100644
--- a/bin/netflow_v9.h
+++ b/bin/netflow_v9.h
@@ -290,6 +290,10 @@ typedef struct common_header_s {
 #define NF_F_XLATE_DST_PORT_84 40004
 #define NF_F_FW_EVENT_84 40005
+// ASA 5508
+#define NF_F_INITIATORPACKETS 298
+#define NF_F_RESPONDERPACKETS 299
+
 // Cisco ASR 1000 series NEL extension - Nat Event Logging
 #define NF_N_NAT_EVENT 230
 #define NF_N_INGRESS_VRFID 234
diff --git a/bin/nf_common.c b/bin/nf_common.c
index f844fbd..dfe3845 100644
--- a/bin/nf_common.c
+++ b/bin/nf_common.c
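Review bot: When a template carries both element 298 and `NF9_IN_PACKETS`, the new `if` silently prefers `NF_F_INITIATORPACKETS`, so the exporter's `NF9_IN_PACKETS` value never reaches `table->packets`; the `EX_OUT_PKG_8` case in the next hunk does the same for 299 versus `NF9_OUT_PKTS`. Since the template comes from the exporter, that precedence decides which counter ends up in stored flow records and should be stated where it is made, e.g. `// ASA: initiatorPackets (298) takes precedence over NF9_IN_PACKETS if the template has both`. Only the new branch calls `dbg_printf`, so a debug trace cannot show when the fallback element was pushed; a matching `dbg_printf("Push NF9_IN_PACKETS\n");` in the `else` would make the two paths distinguishable. The enclosing function starts and ends outside both hunks.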
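Review bot: The comment `// ASA 5508` in the `netflow_v9.h` hunk names only a device model and does not say what the two constants are. The commit subject identifies them as initiatorPackets (298) and responderPackets (299), and the numbers match the IANA IPFIX element registry, so the header should carry that, e.g. `// Cisco ASA (reported for ASA 5508): IPFIX initiatorPackets (298) / responderPackets (299)`. Whether other ASA models export these elements cannot be told from the patch, so the model reference is best worded as an observation rather than a restriction.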
@@ -658,7 +658,7 @@ char *Get_fwd_status_name(uint32_t id) {
 } // End of Get_fwd_status_name
-void format_file_block_header(void *header, char ** s, int tag) {
+void format_file_block_header(void *header, char **s, int tag) {
 data_block_header_t *h = (data_block_header_t *)header;
 snprintf(data_string,STRINGSIZE-1 ,""
@@ -673,7 +673,7 @@ data_block_header_t *h = (data_block_header_t *)header;
 } // End of format_file_block_header
-void format_file_block_record(void *record, char ** s, int tag) {
+void format_file_block_record(void *record, char **s, int tag) {
 char *_s, as[IP_STRING_LEN], ds[IP_STRING_LEN], datestr1[64], datestr2[64], datestr3[64], flags_str[16];
 char s_snet[IP_STRING_LEN], s_dnet[IP_STRING_LEN], s_proto[32];
 int i, id;