Until now, the V1DataFlow and V5DataFlow classes unpacked the byte stream into the individual fields in a verbose, field-by-field way. With this commit, both use a list of field names, a single struct.unpack call and a for-loop that maps each unpacked value to its field. Additionally, the upper boundary of the data slice passed to each flow record is now explicit. Through the self.__dict__.update() call, all fields are also accessible as direct attributes of the corresponding instance, e.g. flow.PROTO instead of flow.data["PROTO"]. This works for flows of all three versions. The tests were adapted to reflect the new implementation.
#!/usr/bin/env python3
"""
Netflow V1 collector and parser implementation in Python 3.
This file belongs to https://github.com/bitkeks/python-netflow-v9-softflowd.
Created purely for fun. Not battled tested nor will it be.
Reference https://www.cisco.com/c/en/us/td/docs/net_mgmt/netflow_collection_engine/3-6/user/guide/format.html
This script is specifically implemented in combination with softflowd. See https://github.com/djmdjm/softflowd
"""
import struct
__all__ = ["V1DataFlow", "V1ExportPacket", "V1Header"]
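class V1DataFlow:
    """Holds one v1 DataRecord.

    A record is a fixed 48-byte big-endian structure. Bytes 36-37 and 41-47
    are padding/reserved on the wire and are skipped while unpacking, so
    they never appear in ``data``. Every parsed field is stored in
    ``self.data`` and, via ``__dict__.update``, also exposed as a direct
    attribute: ``flow.PROTO`` is the same value as ``flow.data["PROTO"]``.
    The attribute names come from the fixed ``FIELDS`` tuple, never from the
    packet, so untrusted input cannot inject or overwrite attributes.
    """

    # Field names in wire order; must stay in lock-step with the value
    # groups of _STRUCT below (14 names for 14 unpacked values).
    FIELDS = (
        'IPV4_SRC_ADDR',
        'IPV4_DST_ADDR',
        'NEXT_HOP',
        'INPUT',
        'OUTPUT',
        'IN_PACKETS',
        'IN_OCTETS',
        'FIRST_SWITCHED',
        'LAST_SWITCHED',
        'SRC_PORT',
        'DST_PORT',
        # Word at 36-37 is used for padding ('xx')
        'PROTO',
        'TOS',
        'TCP_FLAGS',
        # Data at 41-47 is padding/reserved ('xxxxxxx')
    )

    # Pre-compiled layout; '!' selects network (big-endian) byte order.
    _STRUCT = struct.Struct('!IIIHHIIIIHHxxBBBxxxxxxx')

    # Size of one record on the wire (48), derived from the layout so the
    # two can never disagree.
    length = _STRUCT.size

    def __init__(self, data):
        """Parse one record from the start of ``data``.

        Args:
            data: bytes-like object holding at least ``length`` bytes. Only
                the first ``length`` bytes are consumed, so a longer buffer
                (e.g. the remainder of a datagram) is accepted — the same
                convention V1Header follows.

        Raises:
            struct.error: if fewer than ``length`` bytes are available, i.e.
                the record was truncated. Collectors fed from the network
                should catch this rather than let one bad datagram abort
                the receive loop.
        """
        values = self._STRUCT.unpack(data[:self.length])
        self.data = dict(zip(self.FIELDS, values))
        self.__dict__.update(self.data)  # Make data dict entries accessible as object attributes

    def __repr__(self):
        return "<DataRecord with data {}>".format(self.data)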
class V1Header:
    """The header of the V1ExportPacket.

    Sixteen big-endian bytes: ``version`` (u16), ``count`` (u16, number of
    records that follow), ``uptime`` (u32), ``timestamp`` (u32) and
    ``timestamp_nano`` (u32). ``version`` and ``count`` are stored exactly
    as received and are not validated here; in particular ``count`` comes
    from the wire and is not cross-checked against the datagram length.
    """

    length = 16

    def __init__(self, data):
        """Parse the header from the first ``length`` bytes of ``data``.

        Args:
            data: bytes-like object; only ``data[:length]`` is read, so a
                whole datagram may be passed.

        Raises:
            struct.error: if fewer than ``length`` bytes are available.
        """
        header = data[:self.length]
        (self.version,
         self.count,
         self.uptime,
         self.timestamp,
         self.timestamp_nano) = struct.unpack('!HHIII', header)

    def to_dict(self):
        """Return the header fields as a dict.

        This is the instance's live ``__dict__``, not a copy: mutating the
        result mutates the header.
        """
        return self.__dict__
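class V1ExportPacket:
    """The flow record holds the header and data flowsets.

    ``header`` is the V1Header parsed from the first 16 bytes of the
    datagram and ``flows`` the list of ``header.count`` V1DataFlow records
    laid out back to back directly after it. Any bytes beyond the last
    announced record are ignored.
    """

    def __init__(self, data):
        """Parse a complete v1 export datagram.

        Args:
            data: the raw datagram bytes.

        Raises:
            struct.error: if ``data`` is shorter than the header, or shorter
                than ``header.count`` records require. ``count`` is read
                from the untrusted wire, so it is checked against
                ``len(data)`` before any record is parsed instead of letting
                a truncated slice fail part-way through the loop. The same
                exception type the unpack itself would raise is used, so
                existing handlers keep working.

        Note: ``header.version`` is not verified here; callers should
        dispatch on the version before choosing this parser.
        """
        self.flows = []
        self.header = V1Header(data)

        needed = self.header.length + self.header.count * V1DataFlow.length
        if len(data) < needed:
            raise struct.error(
                "truncated v1 export packet: header announces {} records "
                "({} bytes) but only {} bytes were received".format(
                    self.header.count, needed, len(data)))

        offset = self.header.length
        for _ in range(self.header.count):
            end = offset + V1DataFlow.length
            self.flows.append(V1DataFlow(data[offset:end]))
            offset = end

    def __repr__(self):
        return "<ExportPacket v{} with {} records>".format(
            self.header.version, self.header.count)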