-
Notifications
You must be signed in to change notification settings - Fork 83
/
README
265 lines (213 loc) · 8.24 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
# sflowtool
Print binary sFlow feed to ASCII, or forward it to other collectors.
This tool receives sFlow data, and generates either a simple-to-parse tagged-ASCII output,
or binary output in tcpdump(1) format. It can also generate Cisco NetFlow version 5 datagrams
and send them to a destination UDP host:port, or forward the original sFlow feed to a number
of additional collectors.
Please read the licence terms in ./COPYING.
For more details on the sFlow data format, see http://www.sflow.org.
# Build from sources
./boot.sh
./configure
make
sudo make install
(Start from ./configure if you downloaded a released version.)
# Usage examples
If sFlow is arriving on port 6343, you can pretty-print the data like this:
% ./sflowtool -p 6343
or get a line-by-line output like this:
% ./sflowtool -p 6343 -l
or a custom line-by-line output by listing fields like this:
% ./sflowtool -p 6343 -L localtime,srcIP,dstIP
or a JSON representation like this:
% ./sflowtool -p 6343 -J
In a typical application, this output would be parsed by an awk or perl script, perhaps to
extract MAC->IP address-mappings or to extract a particular counter for trending. The
usage might then look more like this:
% ./sflowtool -p 6343 | my_perl_script.pl > output
Alternatively, you can show packet decodes like this:
% ./sflowtool -p 6343 -t | tcpdump -r -
To forward Cisco NetFlow v5 records to UDP port 9991 on host collector.mysite.com, the
options would be:
% ./sflowtool -p 6343 -c collector.mysite.com -d 9991
If you compiled with -DSPOOFSOURCE, then you have the option of "spoofing" the IP source
address of the netflow packets to match the IP address(es) of the original sflow agent(s)...
% ./sflowtool -p 6343 -c collector.mysite.com -d 9991 -S
To replicate the input sflow stream to several collectors, use the "-f host/port" option
like this:
% ./sflowtool -p 6343 -f localhost/7777 -f localhost/7778 -f collector.mysite.com/6343
# Example Output
An example of the pretty-printed output is shown below. Note that every field can be
parsed as two space-separated tokens (tag and value). Newlines separate one field from
the next. The first field in a datagram is always the "unixSecondsUTC" field, and the
first field in a flow or counters sample is always the "sampleSequenceNo" field. In
this example, the datagram held two flow-samples and two counters-samples. Comments
have been added in <<>> brackets. These are not found in the output.
unixSecondsUTC 991362247 <<this is always the first field of a new datagram>>
datagramVersion 2
agent 10.0.0.254 <<the sFlow agent>>
sysUpTime 10391000
packetSequenceNo 5219 <<the sequence number for datagrams from this agent>>
samplesInPacket 4
sampleSequenceNo 9466 <<the sequence number for the first sample - a flow sample from 0:0>>
sourceId 0:0
sampleType FLOWSAMPLE
meanSkipCount 10
samplePool 94660
dropEvents 0
inputPort 14
outputPort 16
packetDataTag INMPACKETTYPE_HEADER
headerProtocol 1
sampledPacketSize 1014
headerLen 128
headerBytes 00-50-04-29-1B-D9-00-D0-B7-23-B7-D8-08-00-45-00-03-E8-37-44-40-00-40-06-EB-C6-0A-00-00-01-0A-00-00-05-0D-F1-17-70-A2-4C-D2-AF-B1-F0-BF-01-80-18-7C-70-82-E0-00-00-01-01-08-0A-23-BC-42-93-01-A9-
dstMAC 005004291bd9 <<a rudimentary decode, which assumes an ethernet packet format>>
srcMAC 00d0b723b7d8
srcIP 10.0.0.1
dstIP 10.0.0.5
IPProtocol 6
TCPSrcPort 3569
TCPDstPort 6000
TCPFlags 24
extendedType ROUTER <<we have some layer3 forwarding information here too>>
nextHop 129.250.28.33
srcSubnetMask 24
dstSubnetMask 24
sampleSequenceNo 346 <<the next sample is a counters sample from 0:92>>
sourceId 0:92
sampleType COUNTERSSAMPLE
statsSamplingInterval 20
counterBlockVersion 1
ifIndex 92
networkType 53
ifSpeed 0
ifDirection 0
ifStatus 0
ifInOctets 18176791
ifInUcastPkts 92270
ifInMulticastPkts 0
ifInBroadcastPkts 100
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 40077590
ifOutUcastPkts 191170
ifOutMulticastPkts 1684
ifOutBroadcastPkts 674
ifOutDiscards 0
ifOutErrors 0
ifPromiscuousMode 0
sampleSequenceNo 9467 <<another flow sample from 0:0>>
sourceId 0:0
sampleType FLOWSAMPLE
meanSkipCount 10
samplePool 94670
dropEvents 0
inputPort 16
outputPort 14
packetDataTag INMPACKETTYPE_HEADER
headerProtocol 1
sampledPacketSize 66
headerLen 66
headerBytes 00-D0-B7-23-B7-D8-00-50-04-29-1B-D9-08-00-45-00-00-34-1E-D7-40-00-40-06-07-E8-0A-00-00-05-0A-00-00-01-17-70-0D-F1-B1-F0-BF-01-A2-4C-E3-A3-80-10-7C-70-E2-62-00-00-01-01-08-0A-01-A9-7F-A0-23-BC-
dstMAC 00d0b723b7d8
srcMAC 005004291bd9
srcIP 10.0.0.5
dstIP 10.0.0.1
IPProtocol 6
TCPSrcPort 6000
TCPDstPort 3569
TCPFlags 16
extendedType ROUTER
nextHop 129.250.28.33
srcSubnetMask 24
dstSubnetMask 24
sampleSequenceNo 346 <<and another counters sample, this time from 0:93>>
sourceId 0:93
sampleType COUNTERSSAMPLE
statsSamplingInterval 30
counterBlockVersion 1
ifIndex 93
networkType 53
ifSpeed 0
ifDirection 0
ifStatus 0
ifInOctets 103959
ifInUcastPkts 448
ifInMulticastPkts 81
ifInBroadcastPkts 93
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 196980
ifOutUcastPkts 460
ifOutMulticastPkts 599
ifOutBroadcastPkts 153
ifOutDiscards 0
ifOutErrors 0
ifPromiscuousMode 0
# Other ExtendedTypes
If your sFlow agent is running BGP, you may also see GATEWAY extendedType sections like this:
extendedType GATEWAY
my_as 65001
src_as 0
src_peer_as 0
dst_as_path_len 3
dst_as_path 65000-2828-4908
The SWITCH, USER and URL extendedTypes may also appear. The SWITCH extendedType provides
information on input and output VLANs and priorities. The USER extendedType provides
information on the user-id that was allocated this IP address via a remote access session
(e.g. RADIUS or TACAS). The URL field indicates for an HTTP flow what the original requested
URL was for the flow. For more information, see the published sFlow documentation at
http://www.sflow.org.
# line-by-line csv output
If you run sflowtool using the "-l" option then only one row of output will be generated
for each flow or counter sample. It will look something like this:
[root@server src]# ./sflowtool -l
CNTR,10.0.0.254,17,6,100000000,0,2147483648,175283006,136405187,2578019,297011,0,3,0,0,0,0,0,0,0,1
FLOW,10.0.0.254,0,0,00902773db08,001083265e00,0x0800,0,0,10.0.0.1,10.0.0.254,17,0x00,64,35690,161,0x00,143,125,80
The counter samples are indicated with the "CNTR" entry in the first column.
The second column is the agent address. The remaining columns are the
fields from the generic counters structure (see SFLIf_counters in sflow.h).
The flow samples are indicated with the "FLOW" entry in the first column.
The second column is the agent address. The remaining columns are:
inputPort
outputPort
src_MAC
dst_MAC
ethernet_type
in_vlan
out_vlan
src_IP
dst_IP
IP_protocol
ip_tos
ip_ttl
udp_src_port OR tcp_src_port OR icmp_type
udp_dst_port OR tcp_dst_port OR icmp_code
tcp_flags
packet_size
IP_size
sampling_rate
To request a custom line output, use the -L <fields> option, like this:
% sflowtool -L localtime,srcIP,dstIP
# grep-friendly output
The "-g" option causes sflowtool to include contextual information on every
line of output. The fields are:
agentIP
agentSubId
datasource_sequenceNo
datasource_class
datasource_index
sampletype_tag
elementtype_tag
For example, this makes it much easier to extract a particular counter for each agent,
accumulate the deltas, and stream it to a time-series database.
# JSON output
The -J option prints human-readable JSON with a blank line between datagrams. To
print more compact JSON with each datagram on one line, use -j instead.
---
----------------------------------------
Neil McKee ([email protected])
InMon Corp. http://www.inmon.com