Installation
Install latest version using Golang (recommended)
go get -insecure github.com/lflxp/sflowtool
sflowtool
sFlow v5 and NetFlow v5 parser written in Go
SflowV5 Struct
NetFlowV5 Struct
Installation
go get github.com/lflxp/sflowtool
Usage
sudo ./sflowtool -ee enp1s0 -p 9999 -t all -ises
Usage of ./sflowtool:
-chost string
udp CounterSample 传输主机:端口 (default "127.0.0.1:7777")
-d string
Enable certain debug selectors
-debug
是否开启debug model
-e Log to stderr and disable syslog/file output
-ee string
网卡名 (default "en0")
-es string
elasticsearch 5.6 接口地址 (default "http://127.0.0.1:9200")
-graceful
listen on open fd (after forking)
-host string
udp SFlowSample And Netflow 传输主机:端口 (default "127.0.0.1:6666")
-index string
es index name, example: sflow-2019-09-06 (default "sflow")
-ises
是否开启output到elasticsearch
-p string
端口 (default "6343")
-s string
协议 (default "udp")
-socketorder string
previous initialization order - used when more than one listener was started
-strict.perms
Strict permission checking on config files (default true)
-t string
类型:all(sflowSample|Counter),counter(SflowCounter),sample(SflowSample),netflow (default "all")
-udp
是否开启udp数据传输,默认不开启
-v Log at INFO level
Output
These functions output JSON for collection by Logstash.
Example
SFlowSample
SFlowSample detects only 5 layers: SFlowRawPacketFlowRecord, SFlowExtendedSwitchFlowRecord, SFlowExtendedRouterFlowRecord, SFlowExtendedGatewayFlowRecord and SFlowExtendedUserFlow.
{
"Data": {
"Datagram": {
"SrcMac": "70:99:99:04:99:99",
"DstMac": "70:4d:99:99:99:99",
"SrcIP": "99.99.99.205",
"DstIP": "99.99.99.8",
"SrcPort": "9999(distinct)",
"DstPort": "9999(distinct)"
},
"DatagramVersion": 5,
"AgentAddress": "99.99.99.53",
"SubAgentID": 2,
"SequenceNumber": 1275756,
"AgentUptime": 3164307152,
"SampleCount": 2
},
"EnterpriseID": "Standard SFlow",
"Format": "Expanded Flow Sample",
"SampleLength": 244,
"SequenceNumber": 1251869,
"SourceIDClass": "Single Interface",
"SourceIDIndex": "71",
"SamplingRate": 20000,
"SamplePool": 3990725044,
"Dropped": 0,
"InputInterfaceFormat": 0,
"InputInterface": 71,
"OutputInterfaceFormat": 0,
"OutputInterface": 114,
"RecordCount": 3,
"SFlowRawPacketFlowRecord": {
"SFlowBaseFlowRecord": {
"EnterpriseID": "Standard SFlow",
"Format": "Raw Packet Flow Record",
"FlowDataLength": 144
},
"HeaderProtocol": "ETHERNET-ISO88023",
"FrameLength": 1518,
"PayloadRemoved": 4,
"HeaderLength": 128,
"Header": {
"FlowRecords": 144,
"Packets": 1,
"Bytes": 1518,
"SrcMac": "99:8c:40:99:99:99",
"DstMac": "99:8c:40:99:99:ab",
"SrcIP": "99.99.99.26",
"DstIP": "99.99.99.57",
"Ipv4_version": 4,
"Ipv4_ihl": 5,
"Ipv4_tos": 0,
"Ipv4_ttl": 62,
"Ipv4_protocol": "TCP",
"SrcPort": "49165",
"DstPort": "33851"
}
},
"SFlowExtendedSwitchFlowRecord": {
"SFlowBaseFlowRecord": {
"EnterpriseID": "Standard SFlow",
"Format": "Extended Switch Flow Record",
"FlowDataLength": 16
},
"IncomingVLAN": 0,
"IncomingVLANPriority": 0,
"OutgoingVLAN": 0,
"OutgoingVLANPriority": 0
},
"SFlowExtendedRouterFlowRecord": {
"SFlowBaseFlowRecord": {
"EnterpriseID": "Standard SFlow",
"Format": "Extended Router Flow Record",
"FlowDataLength": 16
},
"NextHop": "99.99.99.206",
"NextHopSourceMask": 22,
"NextHopDestinationMask": 21
},
"SFlowExtendedGatewayFlowRecord": {
"SFlowBaseFlowRecord": {
"EnterpriseID": "",
"Format": "",
"FlowDataLength": 0
},
"NextHop": "",
"AS": 0,
"SourceAS": 0,
"PeerAS": 0,
"ASPathCount": 0,
"ASPath": null,
"Communities": null,
"LocalPref": 0
},
"SFlowExtendedUserFlow": {
"SFlowBaseFlowRecord": {
"EnterpriseID": "",
"Format": "",
"FlowDataLength": 0
},
"SourceCharSet": "",
"SourceUserID": "",
"DestinationCharSet": "",
"DestinationUserID": ""
}
}
SFlowCounter
SFlowCounterSample contains 3 layers: SFlowGenericInterfaceCounters, SFlowEthernetCounters and SFlowProcessorCounters.
{
"Data": {
"Datagram": {
"SrcMac": "99:99:ef:04:99:99",
"DstMac": "99:99:7b:b8:99:99",
"SrcIP": "99.99.99.205",
"DstIP": "99.99.99.8",
"SrcPort": "9999(distinct)",
"DstPort": "9999(distinct)"
},
"DatagramVersion": 5,
"AgentAddress": "99.99.99.53",
"SubAgentID": 2,
"SequenceNumber": 1280989,
"AgentUptime": 3164899152,
"SampleCount": 3
},
"EnterpriseID": "Standard SFlow",
"Format": "Expanded Counter Sample",
"SampleLength": 172,
"SequenceNumber": 2865,
"SourceIDClass": "Single Interface",
"SourceIDIndex": "72",
"RecordCount": 2,
"SFlowGenericInterfaceCounters": {
"SFlowBaseCounterRecord": {
"EnterpriseID": "Standard SFlow",
"Format": "Generic Interface Counters",
"FlowDataLength": 88
},
"IfIndex": 72,
"IfType": 6,
"IfSpeed": 10000000000,
"IfDirection": 1,
"IfStatus": 3,
"IfInOctets": 104160000662999,
"IfInUcastPkts": 92171299,
"IfInMulticastPkts": 82243,
"IfInBroadcastPkts": 1,
"IfInDiscards": 0,
"IfInErrors": 0,
"IfInUnknownProtos": 0,
"IfOutOctets": 992414418961899,
"IfOutUcastPkts": 9939958927,
"IfOutMulticastPkts": 82489,
"IfOutBroadcastPkts": 0,
"IfOutDiscards": 28017,
"IfOutErrors": 0,
"IfPromiscuousMode": 2
},
"SFlowEthernetCounters": {
"SFlowBaseCounterRecord": {
"EnterpriseID": "Standard SFlow",
"Format": "Ethernet Interface Counters",
"FlowDataLength": 99
},
"AlignmentErrors": 0,
"FCSErrors": 0,
"SingleCollisionFrames": 0,
"MultipleCollisionFrames": 0,
"SQETestErrors": 0,
"DeferredTransmissions": 0,
"LateCollisions": 0,
"ExcessiveCollisions": 0,
"InternalMacTransmitErrors": 0,
"CarrierSenseErrors": 0,
"FrameTooLongs": 0,
"InternalMacReceiveErrors": 0,
"SymbolErrors": 0
},
"SFlowProcessorCounters": {
"SFlowBaseCounterRecord": {
"EnterpriseID": "",
"Format": "",
"FlowDataLength": 0
},
"FiveSecCpu": 0,
"OneMinCpu": 0,
"FiveMinCpu": 0,
"TotalMemory": 0,
"FreeMemory": 0
}
}
NetFlowV5
{
"version": 5,
"flow_records": 30,
"uptime": 537043304,
"unix_sec": 1509090197,
"unix_nsec": 0,
"flow_seq_num": 245226516,
"engine_type": 0,
"engine_id": 1,
"sampling_interval": 0,
"input_snmp": 50,
"output_snmp": 0,
"in_pkts": 1,
"in_bytes": 476,
"first_switched": 537025674,
"last_switched": 537025674,
"l4_src_port": 53,
"l4_dst_port": 60657,
"tcp_flags": 0,
"protocol": 17,
"src_tos": 0,
"src_as": 0,
"dst_as": 0,
"src_mask": 0,
"dst_mask": 32,
"host": "99.99.99.6",
"sampling_algorithm": 0,
"ipv4_src_addr": "99.99.99.19",
"ipv4_dst_addr": "99.99.99.25",
"ipv4_next_hop": "0.0.0.0"
}
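Added example (not code from sflowtool): a minimal Go decoder for the NetFlow v5 wire format behind the JSON above, which rejects any UDP datagram whose declared record count disagrees with its length before reading a single record. The names Flow, ParseV5 and Sample are hypothetical, and the one-record datagram is constructed from the values in the output above.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const hdrLen, recLen, maxRecs = 24, 48, 30 // NetFlow v5 fixed sizes

// Flow is a subset of the fields in the NetFlowV5 JSON shown above.
type Flow struct {
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	Protocol         uint8
	FirstUnix        int64 // first_switched as Unix seconds
}

// ParseV5 rejects any datagram whose declared record count does not
// match the bytes actually received, then decodes each 48-byte record.
func ParseV5(b []byte) ([]Flow, error) {
	be := binary.BigEndian
	if len(b) < hdrLen || be.Uint16(b) != 5 {
		return nil, fmt.Errorf("not a NetFlow v5 header (%d bytes)", len(b))
	}
	n := int(be.Uint16(b[2:]))
	if n < 1 || n > maxRecs || len(b) != hdrLen+n*recLen {
		return nil, fmt.Errorf("count %d does not fit %d bytes", n, len(b))
	}
	uptime, sec := be.Uint32(b[4:]), int64(be.Uint32(b[8:]))
	var flows []Flow
	for r := b[hdrLen:]; len(r) > 0; r = r[recLen:] {
		ageMs := uptime - be.Uint32(r[24:]) // uint32 math survives uptime wrap
		flows = append(flows, Flow{net.IPv4(r[0], r[1], r[2], r[3]),
			net.IPv4(r[4], r[5], r[6], r[7]), be.Uint16(r[32:]), be.Uint16(r[34:]),
			r[38], sec - int64(ageMs/1000)})
	}
	return flows, nil
}

// Sample builds a constructed one-record datagram from the values above.
func Sample() []byte {
	b := make([]byte, hdrLen+recLen)
	copy(b[hdrLen:], []byte{99, 99, 99, 19, 99, 99, 99, 25}) // src, dst address
	for off, v := range map[int]uint32{0: 5<<16 | 1, 4: 537043304,
		8: 1509090197, 48: 537025674, 56: 53<<16 | 60657} { // 48, 56: record fields
		binary.BigEndian.PutUint32(b[off:], v)
	}
	b[hdrLen+38] = 17 // protocol: UDP
	return b
}

func main() { fmt.Println(ParseV5(Sample())) }
```

The strict length equality means a truncated or padded datagram is dropped whole rather than partially decoded.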