-
Notifications
You must be signed in to change notification settings - Fork 1
home
libnfdump The program nfreader of nfdump-1.6.2 was mutated the library libnfdump. The goal is to access directly from external programs the master_record_t structure without having to pass through standard output and standard input or other temporary files. In addition, only a minimal amount of unused operations should be done on netflow records in order to gain in performance. For instance, the conversion of an IP address to dotted decimal notation is not necessarily useful if the IP address can be processed in its binary form. This library is based on nfreader.c from nfdump-1.6.2. Hence, all potential restriction related to nfdump-1.6.2 are still applicable for libnfdump. Multiple libnfdump instances could be used in parallel. However, the functions themselves are not thread save.
Initialize a libnfdump instance. This function takes three strings as pararameters. The Mdirs parameter corresponds to the -M option of nfdump, the rfile parameter corresponds to the -r option of nfdump and the Rfile argument corresponds to the option of nfdump. Only one parameter should be used and the other parameters should set to NULL. For instance, if only the file nfcapd.201212261503 should be opened, the following parameters are set for initlib ( NULL, nfcapd.201212261503, NULL ). On success a pointer to libnfstates_t structure is returned and when there was an error, NULL is returned.
This function can be used in a loop to access the netflow records without any interpretation. A pointer to the master_record structure is returned which is defined in nffile.h. If no record is available NULL is returned.
A master_record_t pointer can be passed to this function. This function prints the records in human readable format and is meant for debugging only because not all the fields are printed. The function was taken from nfreader.c included in nfdump-1.6.2.
Frees data structures and file descriptors used by the libnfdump instances identified by the libnfstates_t data structure
The full master_record_t structure is defined in the file nffile.h of nfdump. A few fields with their types are listed below. The destination port of a flow can be printed like printf("%d",rec->dstport) assuming that the rec is a pointer to a master_record_t structure. The definitions of stdint.h are used.
- uint32_t ipv4.srcaddr
- uint32_t ipv4.dstaddr
- uint64_t ipv6.srcaddr
- uint64_t ipv6.dstaddr
- uint16_t srcport
- uint16_t dstport
- uint16_t msec_first
- uint16_t msec_last
- uint32_t first
- uint32_t last
- uint16_t type
- uint16_t size
- uint8_t flags
- uint8_t exporter_ref
- uint16_t ext_map
- uint8_t fwd_status
- uint8_t tcp_flags
- uint8_t prot
- uint8_t tos
- uint32_t input
- uint32_t output
- uint32_t srcas
- uint32_t dstas
- uint64_t dPkts
- uint64_t dOctets
- ip_addr_t ip_nexthop
- ip_addr_t bgp_nexthop
- uint16_t src_vlan
- uint16_t dst_vlan
- uint64_t out_pkts
- uint64_t out_bytes
- uint64_t aggr_flows
- uint64_t in_src_mac
- uint64_t out_dst_mac
- uint64_t in_dst_mac
- uint64_t out_src_mac
- uint32_t mpls_label[10]
- ip_addr_t ip_router
- uint8_t engine_type
- uint8_t engine_id
union uint32_t any
- uint8_t dst_tos
- uint8_t dir
- uint8_t src_mask
- uint8_t dst_mask
User extensions
- uint64_t u64_1
- uint32_t u32_1
- uint32_t u32_2