Add additional field types (ASA, PANOS) and set fallback type to 0
refs #4 @ Github
parent
9395aafa71
commit
5c7ec0aef8
@ -17,6 +17,11 @@ import sys
|
||||||
|
|
||||||
|
|
||||||
field_types = {
|
field_types = {
|
||||||
|
0: 'UNKNOWN_FIELD_TYPE', # fallback for unknown field types
|
||||||
|
|
||||||
|
# Cisco specs for NetFlow v9
|
||||||
|
# https://tools.ietf.org/html/rfc3954
|
||||||
|
# https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html
|
||||||
1: 'IN_BYTES',
|
1: 'IN_BYTES',
|
||||||
2: 'IN_PKTS',
|
2: 'IN_PKTS',
|
||||||
3: 'FLOWS',
|
3: 'FLOWS',
|
||||||
|
@ -101,7 +106,50 @@ field_types = {
|
||||||
86: 'IN_PERMANENT_PKTS',
|
86: 'IN_PERMANENT_PKTS',
|
||||||
# 87 vendor property
|
# 87 vendor property
|
||||||
88: 'FRAGMENT_OFFSET',
|
88: 'FRAGMENT_OFFSET',
|
||||||
89: 'FORWARDING STATUS',
|
89: 'FORWARDING_STATUS',
|
||||||
|
90: 'MPLS_PAL_RD',
|
||||||
|
91: 'MPLS_PREFIX_LEN', # Number of consecutive bits in the MPLS prefix length.
|
||||||
|
92: 'SRC_TRAFFIC_INDEX', # BGP Policy Accounting Source Traffic Index
|
||||||
|
93: 'DST_TRAFFIC_INDEX', # BGP Policy Accounting Destination Traffic Index
|
||||||
|
94: 'APPLICATION_DESCRIPTION', # Application description
|
||||||
|
95: 'APPLICATION_TAG', # 8 bits of engine ID, followed by n bits of classification
|
||||||
|
96: 'APPLICATION_NAME', # Name associated with a classification
|
||||||
|
98: 'postipDiffServCodePoint', # The value of a Differentiated Services Code Point (DSCP) encoded in the Differentiated Services Field, after modification
|
||||||
|
99: 'replication_factor', # Multicast replication factor
|
||||||
|
100: 'DEPRECATED', # DEPRECATED
|
||||||
|
102: 'layer2packetSectionOffset', # Layer 2 packet section offset. Potentially a generic offset
|
||||||
|
103: 'layer2packetSectionSize', # Layer 2 packet section size. Potentially a generic size
|
||||||
|
104: 'layer2packetSectionData', # Layer 2 packet section data
|
||||||
|
# 105-127 reserved for future use by Cisco
|
||||||
|
|
||||||
|
# ASA extensions
|
||||||
|
# https://www.cisco.com/c/en/us/td/docs/security/asa/special/netflow/guide/asa_netflow.html
|
||||||
|
148: 'NF_F_CONN_ID', # An identifier of a unique flow for the device
|
||||||
|
176: 'NF_F_ICMP_TYPE', # ICMP type value
|
||||||
|
177: 'NF_F_ICMP_CODE', # ICMP code value
|
||||||
|
178: 'NF_F_ICMP_TYPE_IPV6', # ICMP IPv6 type value
|
||||||
|
179: 'NF_F_ICMP_CODE_IPV6', # ICMP IPv6 code value
|
||||||
|
225: 'NF_F_XLATE_SRC_ADDR_IPV4', # Post NAT Source IPv4 Address
|
||||||
|
226: 'NF_F_XLATE_DST_ADDR_IPV4', # Post NAT Destination IPv4 Address
|
||||||
|
227: 'NF_F_XLATE_SRC_PORT', # Post NATT Source Transport Port
|
||||||
|
228: 'NF_F_XLATE_DST_PORT', # Post NATT Destination Transport Port
|
||||||
|
281: 'NF_F_XLATE_SRC_ADDR_IPV6', # Post NAT Source IPv6 Address
|
||||||
|
282: 'NF_F_XLATE_DST_ADDR_IPV6', # Post NAT Destination IPv6 Address
|
||||||
|
233: 'NF_F_FW_EVENT', # High-level event code
|
||||||
|
33002: 'NF_F_FW_EXT_EVENT', # Extended event code
|
||||||
|
323: 'NF_F_EVENT_TIME_MSEC', # The time that the event occurred, which comes from IPFIX
|
||||||
|
152: 'NF_F_FLOW_CREATE_TIME_MSEC',
|
||||||
|
231: 'NF_F_FWD_FLOW_DELTA_BYTES', # The delta number of bytes from source to destination
|
||||||
|
232: 'NF_F_REV_FLOW_DELTA_BYTES', # The delta number of bytes from destination to source
|
||||||
|
33000: 'NF_F_INGRESS_ACL_ID', # The input ACL that permitted or denied the flow
|
||||||
|
33001: 'NF_F_EGRESS_ACL_ID', # The output ACL that permitted or denied a flow
|
||||||
|
40000: 'NF_F_USERNAME', # AAA username
|
||||||
|
|
||||||
|
# PaloAlto PAN-OS 8.0
|
||||||
|
# https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/netflow-monitoring/netflow-templates
|
||||||
|
346: 'PANOS_privateEnterpriseNumber',
|
||||||
|
56701: 'PANOS_APPID',
|
||||||
|
56702: 'PANOS_USERID'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -216,6 +264,8 @@ class TemplateFlowSet:
|
||||||
# Get all fields of this template
|
# Get all fields of this template
|
||||||
offset += 4
|
offset += 4
|
||||||
field_type, field_length = struct.unpack('!HH', data[offset:offset+4])
|
field_type, field_length = struct.unpack('!HH', data[offset:offset+4])
|
||||||
|
if field_type not in field_types:
|
||||||
|
field_type = 0 # Set field_type to UNKNOWN_FIELD_TYPE as fallback
|
||||||
field = TemplateField(field_type, field_length)
|
field = TemplateField(field_type, field_length)
|
||||||
fields.append(field)
|
fields.append(field)
|
||||||
|
|
||||||
|
|
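Review bot: Overwriting `field_type` with 0 at the new `if field_type not in field_types:` guard throws away the type number the exporter actually sent, so two unknown types in one template (say, two vendor fields this table does not list) become indistinguishable `TemplateField(0, ...)` entries, and any later per-type lookup or de-duplication keyed on the type collides. Keeping the raw value and resolving the name only where it is displayed avoids that: drop the two added lines and use `name = field_types.get(field_type, field_types[0])` at the point the name is needed (how `TemplateField` consumes the type is not visible in this hunk, so that call site may need the same change). Since these templates arrive over the wire from an unauthenticated exporter, a `field_length` of 0 or a field list that overruns `data` should presumably also be rejected here rather than trusted downstream; that is pre-existing, but the method that contains this loop starts and ends outside the hunk, so confirm it is handled there.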