go-nfdump: A Go module to read and process nfdump files
phaag/go-nfdump
This Go module reads and processes files created by nfdump, the netflow/ipfix/sflow collector and processing tools.
This module is experimental and does not yet decode all available nfdump record extensions. It reads and processes only nfdump v2 files, which are created by nfdump-1.7.x. Files created with nfdump-1.6.x are recognized but skipped for decoding.
Example to read and process a flow file:
```go
package main

import (
	"flag"
	"fmt"
	"os"

	nfdump "github.com/phaag/go-nfdump"
)

var (
	fileName = flag.String("r", "", "nfdump file to read")
)

func main() {
	flag.CommandLine.Usage = func() {
		fmt.Fprintf(os.Stderr, "Usage of %s [flags]\n", os.Args[0])
		flag.PrintDefaults()
	}

	flag.Parse()

	if len(*fileName) == 0 {
		fmt.Printf("Filename required\n")
		flag.PrintDefaults()
		os.Exit(255)
	}

	nffile := nfdump.New()

	if err := nffile.Open(*fileName); err != nil {
		fmt.Printf("Failed to open nf file: %v\n", err)
		os.Exit(255)
	}

	// print nffile stats
	fmt.Printf("nffile:\n%v", nffile)

	// Dump flow records
	recordChannel, _ := nffile.AllRecords()
	cnt := 0
	for record := range recordChannel {
		cnt++

		// check IP addresses in record for IPv4, or IPv6
		if record.IsIPv4() {
			fmt.Printf("Record %d is IPv4\n", cnt)
		} else if record.IsIPv6() {
			fmt.Printf("Record %d is IPv6\n", cnt)
		} else {
			fmt.Printf("Record %d has no IPs\n", cnt)
		}

		// sampling
		packetInterval, spaceInterval := record.SamplerInfo(nffile)
		fmt.Printf("Record sampler info: packet interval: %d, space interval: %d\n", packetInterval, spaceInterval)

		// print the entire record using %v
		fmt.Printf("%v\n", record)

		// get generic extension and print ports
		// see nfxV3.go for all fields in genericFlow
		if genericFlow := record.GenericFlow(); genericFlow != nil {
			fmt.Printf("SrcPort: %d\n", genericFlow.SrcPort)
			fmt.Printf("DstPort: %d\n", genericFlow.DstPort)
		}

		// get src, dst ip address extension of record
		// can contain IPv4 or IPv6
		ipAddr := record.IP()
		if ipAddr != nil {
			// when printing as %v, Golang takes care of proper formatting
			// as IPv4 or IPv6
			// see Golang standard library net.IP for more details to process IPs
			fmt.Printf("SrcIP: %v\n", ipAddr.SrcIP)
			fmt.Printf("DstIP: %v\n", ipAddr.DstIP)
		}

		// get NAT xlate IP addresses
		if natXlateIP := record.NatXlateIP(); natXlateIP != nil {
			fmt.Printf(" SrcXlateIP : %v\n", natXlateIP.SrcXIP)
			fmt.Printf(" DstXlateIP : %v\n", natXlateIP.DstXIP)
		}

		// get NAT xlate ports
		if natXlatePort := record.NatXlatePort(); natXlatePort != nil {
			fmt.Printf(" Src X-Port : %d\n", natXlatePort.XlateSrcPort)
			fmt.Printf(" Dst X-Port : %d\n", natXlatePort.XlateDstPort)
		}

		// get nat port block and print
		if natPortBlock := record.NatPortBlock(); natPortBlock != nil {
			fmt.Printf(" NAT pstart : %d\n", natPortBlock.BlockStart)
			fmt.Printf(" NAT pend : %d\n", natPortBlock.BlockEnd)
			fmt.Printf(" NAT pstep : %d\n", natPortBlock.BlockStep)
			fmt.Printf(" NAT psize : %d\n", natPortBlock.BlockSize)
		}

		// get IP info extension
		if ipInfo := record.IpInfo(); ipInfo != nil {
			fmt.Printf(" IP ttl : %d\n", ipInfo.Ttl)
			// %v prints the raw fragment flags value
			fmt.Printf(" IP fragment : %v\n", ipInfo.FragmentFlags)
		}

		/*
			// other extension
			// see nfxV3.go for all fields in the respective records
			// always check for nil return value as not every extension
			// is available
			flowMisc := record.FlowMisc()
			cntFlow := record.CntFlow()
			vLan := record.VLan()
			asRouting := record.AsRouting()
			bgpNextHop := record.BgpNextHop()
			ipNextHop := record.IpNextHop()

			// please note, sampling contains only references to exporter list
			// use record.SamplerInfo(nffile) to retrieve true sampling values
			sampling := record.Sampling()
		*/
	}

	// retrieve exporter list *after* all records are processed
	exporterList := nffile.GetExporterList()
	fmt.Printf("Exporter list:\n")
	for id, exporter := range exporterList {
		if exporter.IP != nil && id == int(exporter.SysId) { // valid exporter
			fmt.Printf(" SysID: %d, ID: %d, IP: %v, version: %d", exporter.SysId, exporter.Id, exporter.IP, exporter.Version)
			fmt.Printf(" Sequence failures: %d, packets: %d, flows: %d\n", exporter.SequenceFailures, exporter.Packets, exporter.Flows)
		}
	}
}
```
The `defs.go` file includes nfdump's `nfxV3.h` header file to convert individual record extensions into appropriate Golang records. So far the generic, misc, flowCount, vlan and asRouting extensions as well as IPv4/IPv6 addresses are available through the interface. See the `nfxV3.go` file for its definitions.
If you modify the `defs.go` file, generate `nfxV3.go` using the go command:

```
go generate ./...
```

All available extensions are visible in `nfxV3.go`.
Please note that the interface may be subject to change, as this module is a work in progress.
More element data blocks will follow, including the famous nfdump filter engine. Please submit your pull requests and/or bug reports via GitHub.