Add srv6
Hello
This is the first version that decodes the SRv6 SRH header (if present) and the tunneled payload, aka the inner frame (DT4 and DT6 encap are supported as of now). Raw flows are exported using the Juniper Inline Monitoring solution, which is a standard solution: IPFIX 315. sFlow is also supported, as the same decoding functions are used for both sFlow and IPFIX 315.
I attached a sample output when goflow2 exports flow records as JSON:
David
Would you be able to test the version in #342 using the following mapping file:
```
goflow2 -mapping=mapping_srv6.yaml
```
where mapping_srv6.yaml is:
```yaml
formatter:
  fields:
    - type
    - time_received_ns
    - sequence_num
    - sampling_rate
    - sampler_address
    - time_flow_start_ns
    - time_flow_end_ns
    - bytes
    - packets
    - src_addr
    - src_net
    - dst_addr
    - dst_net
    - etype
    - proto
    - in_if
    - out_if
    - src_mac
    - dst_mac
    - layer_stack
    - layer_size
    # srv6 fields
    - ipv6_routing_header_seg_left
    - srhLastEntryIPv6
    - srhFlagsIPv6
    - srhTagIPv6
    - ipv6_routing_header_addresses
    # inner frame
    - innerFrame_src_addr
    - innerFrame_dst_addr
    - innerFrame_proto
    - innerFrame_src_port
    - innerFrame_dst_port
    - innerFrame_icmp_type
    - innerFrame_icmp_code
  key:
    - sampler_address
  protobuf:
    # srv6 fields
    - name: srhLastEntryIPv6
      index: 151
      type: varint
    - name: srhFlagsIPv6
      index: 152
      type: varint
    - name: srhTagIPv6
      index: 153
      type: varint
    # inner frame
    - name: innerFrame_src_addr
      index: 160
      type: string
    - name: innerFrame_dst_addr
      index: 161
      type: string
    - name: innerFrame_proto
      index: 162
      type: varint
    - name: innerFrame_src_port
      index: 163
      type: varint
    - name: innerFrame_dst_port
      index: 164
      type: varint
    # icmp
    - name: innerFrame_icmp_type
      index: 172
      type: varint
    - name: innerFrame_icmp_code
      index: 173
      type: varint
  rename:
    ipv6_routing_header_addresses: srhSegmentIPv6BasicList
    ipv6_routing_header_seg_left: srhSegmentsIPv6Left
  render:
    innerFrame_src_addr: ip
    innerFrame_dst_addr: ip
    innerFrame_proto: proto
sflow:
  mapping:
    # srv6
    - layer: "ipv6eh_routing"
      offset: 32
      length: 8
      destination: srhLastEntryIPv6
    - layer: "ipv6eh_routing"
      offset: 40
      length: 8
      destination: srhFlagsIPv6
    - layer: "ipv6eh_routing"
      offset: 48
      length: 16
      destination: srhTagIPv6
    # src/dst addresses
    - layer: "ipv6"
      encap: true
      offset: 64
      length: 128
      destination: innerFrame_src_addr
    - layer: "ipv6"
      encap: true
      offset: 192
      length: 128
      destination: innerFrame_dst_addr
    - layer: "ipv4"
      encap: true
      offset: 96
      length: 32
      destination: innerFrame_src_addr
    - layer: "ipv4"
      encap: true
      offset: 128
      length: 32
      destination: innerFrame_dst_addr
    # proto
    - layer: "ipv6"
      encap: true
      offset: 48
      length: 8
      destination: innerFrame_proto
    - layer: "ipv4"
      encap: true
      offset: 72
      length: 8
      destination: innerFrame_proto
    # ports
    - layer: "udp"
      encap: true
      offset: 0
      length: 16
      destination: innerFrame_src_port
    - layer: "udp"
      encap: true
      offset: 16
      length: 16
      destination: innerFrame_dst_port
    - layer: "tcp"
      encap: true
      offset: 0
      length: 16
      destination: innerFrame_src_port
    - layer: "tcp"
      encap: true
      offset: 16
      length: 16
      destination: innerFrame_dst_port
    # icmp
    - layer: "icmp"
      encap: true
      offset: 0
      length: 8
      destination: innerFrame_icmp_type
    - layer: "icmp"
      encap: true
      offset: 8
      length: 8
      destination: innerFrame_icmp_code
```
I didn't add:
- innerFrame_ipv6_flow_label
- innerFrame_ip_tos
- innerFrame_ip_ttl
- innerFrame_ip_flags
- innerFrame_tcp_flags
- innerFrame_fragment_id
- innerFrame_fragment_offset
and innerFrame_payload_len can be derived from layer_size
#342 was merged. Will likely close this one
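
The three `ipv6eh_routing` entries in the mapping address the routing header by bit offset (32, 40, 48); those offsets line up with the RFC 8754 SRH fields Last Entry, Flags and Tag only when the Routing Type byte is 4. The sketch below is an added example, not code from goflow2 or from this thread: `bitField`, `DecodeSRH` and the sample bytes are constructed here, and it assumes offsets count bits from the start of the routing header, big-endian.

```go
package main

import (
	"errors"
	"fmt"
)

// bitField reads length bits starting offset bits into a layer (big-endian),
// which is how this example interprets an offset/length pair (assumption).
func bitField(layer []byte, offset, length int) (uint64, error) {
	if offset < 0 || length <= 0 || length > 64 {
		return 0, errors.New("bad offset/length")
	}
	if offset+length > len(layer)*8 {
		return 0, errors.New("field past end of sampled header")
	}
	var v uint64
	for i := offset; i < offset+length; i++ {
		v = v<<1 | uint64(layer[i/8]>>(7-uint(i%8))&1)
	}
	return v, nil
}

type SRH struct{ LastEntry, Flags, Tag uint64 }

// DecodeSRH applies the mapping's three offsets, but only after checking
// that the routing header really is an SRH (Routing Type 4, RFC 8754).
func DecodeSRH(h []byte) (SRH, error) {
	var s SRH
	rt, err := bitField(h, 16, 8) // Routing Type is the third byte
	if err != nil {
		return s, err
	}
	if rt != 4 {
		return s, fmt.Errorf("routing type %d is not an SRH", rt)
	}
	dst := []*uint64{&s.LastEntry, &s.Flags, &s.Tag}
	for i, m := range [][2]int{{32, 8}, {40, 8}, {48, 16}} { // offsets from the mapping
		if *dst[i], err = bitField(h, m[0], m[1]); err != nil {
			return SRH{}, err
		}
	}
	return s, nil
}

// Constructed sample: NextHdr=4, HdrExtLen=2, RoutingType=4, SegLeft=0,
// LastEntry=0, Flags=0, Tag=0x0102, then one segment 2001:db8::1.
var sampleSRH = []byte{4, 2, 4, 0, 0, 0, 0x01, 0x02,
	0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}

func main() {
	fmt.Println(DecodeSRH(sampleSRH))
	fmt.Println(DecodeSRH(sampleSRH[:6])) // truncated sample: an error, not a bogus tag
}
```

A collector that consumes `srhTagIPv6` or `srhFlagsIPv6` for detection or accounting should treat records from non-SRH routing headers and from truncated samples as missing rather than as zero.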