forked from calmh/ipfix
-
Notifications
You must be signed in to change notification settings - Fork 5
/
walker.go
379 lines (351 loc) · 8.49 KB
/
walker.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
package ipfix
import (
"errors"
"io"
)
var (
ErrNilCallback = errors.New("nil callback")
)
type RecordCallback func(*Record, uint32, uint16, []byte) error
type Record struct {
MessageHeader
SetID int
DataRecordID int
EndOfRecord bool
Err error
}
type Walker struct {
cb RecordCallback
f *Filter
filtering bool
headerOnly bool
trbuf []TemplateRecord
fidbuf []TemplateFieldSpecifier
}
// NewWalker creates a new Walker object. It will use the given Filter
// to perform pre-filtering of entries. trbufsize and fidbufsize give
// sizes to use when pre-allocating the template record buffer
// and the template field specifier buffer, respectively; 64 and 4096
// would be safe defaults to use.
func NewWalker(f *Filter, trbufsize, fidbufsize int) (w *Walker, err error) {
if trbufsize <= 0 {
trbufsize = 32
}
if fidbufsize <= 0 {
fidbufsize = 1024
}
w = &Walker{
f: f,
filtering: f != nil,
trbuf: make([]TemplateRecord, 0, trbufsize), //eeeh, sure
fidbuf: make([]TemplateFieldSpecifier, 0, fidbufsize), //eeeh, sure
}
return
}
// SetHeaderOnly can be used to enable header-only parsing via the
// walker. If set to true, the WalkBuffer function will call the
// callback only once, with an EID and FID of 0.
func (w *Walker) SetHeaderOnly(v bool) {
w.headerOnly = v
}
// WalkBuffer walks an IPFIX or Netflow V9 packet in buf, calling
// the callback function in accordance with the following rules:
//
// 1. If SetHeaderOnly(true) was called, the callback will be called
// precisely once, with EndOfRecord set in the record parameter,
// EID and FID set to zero, and a nil buffer. This allows code
// to view the packet header only.
//
// 2. If a nil Filter was passed when building the Walker, the callback
// will be called for every field in each record. When a record has
// been fully processed, the callback will be called again with
// EndOfRecord set to true, EID and FID set to zero, and a nil buffer.
// The next record will then be processed, and so on until the message
// has been fully read.
//
// 3. If a non-nil Filter was passed, the function will behave exactly
// as in case #2 except that only those EID and FID combinations registered
// with the Filter will trigger a callback. The EndOfRecord callback
// will still occur as normal.
func (w *Walker) WalkBuffer(buf []byte, cb RecordCallback) (err error) {
var r Record
if cb == nil {
err = ErrNilCallback
return
}
w.cb = cb
sl := slice{bs: buf}
r.MessageHeader.unmarshal(&sl)
if w.filtering && w.f.FilterHeader(r.DomainID, r.Version) {
return
}
if w.headerOnly {
// only processing the header
r.EndOfRecord = true
err = w.cb(&r, 0, 0, nil)
} else {
switch r.Version {
case ipfixVersion:
err = w.walkIpfixBuffer(&sl, &r)
case nfv9Version:
err = w.walkNfv9Buffer(&sl, &r)
default:
err = ErrVersion
}
}
return
}
func (w *Walker) walkIpfixBuffer(sl *slice, r *Record) (err error) {
var sh setHeader
var nsl slice
//reset the template record buffer
w.trbuf = w.trbuf[0:0]
//reset our template filds buffer
w.fidbuf = w.fidbuf[0:0]
for {
l := sl.Len()
if l == 0 {
break
} else if l < setHeaderLength {
err = io.ErrUnexpectedEOF
break
}
sh.unmarshal(sl)
if sh.Length < setHeaderLength {
err = io.ErrUnexpectedEOF
break
}
// Grab the bytes representing the set
setLen := int(sh.Length) - setHeaderLength
nsl.bs = sl.Cut(setLen)
if err = sl.Error(); err != nil {
break
}
if err = w.walkIPFixSet(r, &sh, &nsl); err != nil {
break
}
r.SetID++
}
return
}
func (w *Walker) walkIPFixSet(r *Record, sh *setHeader, sl *slice) (err error) {
var tmpl TemplateRecord
var ok bool
r.DataRecordID = 0
var minLen uint16
for sl.Len() > 0 && sl.Error() == nil {
if sl.Len() < int(minLen) {
if debug {
dl.Println("ignoring padding")
}
// Padding
return
}
switch {
case sh.SetID < 2:
// Unused, shouldn't happen
//make the callback with a parse error
err = ErrProtocol
return
case sh.SetID == 2:
if err = w.readTemplateRecord(sl); err != nil {
return
}
case sh.SetID == 3:
// Options Template Set, not handled
sl.Cut(sl.Len())
case sh.SetID > 3 && sh.SetID < 256:
// Reserved, shouldn't happen
err = ErrProtocol
return
default:
// actual data record
if tmpl, ok = w.lookupTemplateRecord(sh.SetID); !ok {
//run the callback with the unknown template
err = ErrUnknownTemplate
return
}
if minLen == 0 {
minLen = calcMinRecLen(tmpl.FieldSpecifiers)
}
if err = w.handleDataRecord(r, sh, tmpl.FieldSpecifiers, sl); err != nil {
return
}
}
r.DataRecordID++
}
return
}
func (w *Walker) handleDataRecord(r *Record, sh *setHeader, tpl []TemplateFieldSpecifier, sl *slice) (err error) {
var val []byte
var l int
var lo uint8
var hit bool
//reset the record items
r.Err = nil
r.EndOfRecord = false
for i := range tpl {
if l = int(tpl[i].Length); l == 0xffff {
if len(sl.bs) == 0 {
return ErrRead
}
if lo = sl.bs[0]; lo < 0xff {
l = int(lo)
sl.bs = sl.bs[1:]
} else {
if len(sl.bs) < 2 {
return ErrRead
}
l = int((uint16(sl.bs[0]) << 8) | uint16(sl.bs[1]))
sl.bs = sl.bs[2:]
}
}
if l > len(sl.bs) {
return ErrRead
}
val = sl.bs[:l]
sl.bs = sl.bs[l:]
/* old code using this cut nonsense
val = sl.Cut(l)
if err = sl.Error(); err != nil {
return err
}
*/
if w.filtering && !w.f.IsSet(tpl[i].EnterpriseID, tpl[i].FieldID) {
continue //not looking at this item
}
hit = true
if err = w.cb(r, tpl[i].EnterpriseID, tpl[i].FieldID, val); err != nil {
return
}
}
err = sl.Error()
if hit {
r.Err = err
r.EndOfRecord = true
w.cb(r, 0, 0, nil)
}
return
}
func (w *Walker) readTemplateRecord(sl *slice) (err error) {
var tr TemplateRecord
var th templateHeader
th.unmarshal(sl)
if err = sl.Error(); err != nil {
return
}
tr.TemplateID = th.TemplateID
specs := w.allocateTemplateFieldSpecifiers(th.FieldCount)
for i := uint16(0); i < th.FieldCount; i++ {
specs[i].EnterpriseID = uint32(0)
specs[i].FieldID = sl.Uint16()
specs[i].Length = sl.Uint16()
if specs[i].FieldID >= 0x8000 {
specs[i].FieldID -= 0x8000
specs[i].EnterpriseID = sl.Uint32()
}
if err = sl.Error(); err != nil {
return
}
}
tr.FieldSpecifiers = specs
w.trbuf = append(w.trbuf, tr)
return
}
func (w *Walker) lookupTemplateRecord(sid uint16) (tmp TemplateRecord, ok bool) {
for i := range w.trbuf {
if w.trbuf[i].TemplateID == sid {
tmp = w.trbuf[i]
ok = true
break
}
}
return
}
func (w *Walker) allocateTemplateFieldSpecifiers(cnt uint16) (r []TemplateFieldSpecifier) {
c := cap(w.fidbuf)
l := len(w.fidbuf)
if int(cnt) < (c - l) {
e := l + int(cnt) //mark the new end
r = w.fidbuf[l:e]
w.fidbuf = w.fidbuf[0:e] //set the new length
} else {
//we ran out of space, allocate :(
r = make([]TemplateFieldSpecifier, cnt)
}
return
}
func (w *Walker) walkNfv9Buffer(sl *slice, r *Record) (err error) {
var sh setHeader
var nsl slice
//reset the template record buffer
w.trbuf = w.trbuf[0:0]
//reset our template filds buffer
w.fidbuf = w.fidbuf[0:0]
for {
l := sl.Len()
if l == 0 {
break
} else if l < setHeaderLength {
err = io.ErrUnexpectedEOF
break
}
sh.unmarshal(sl)
if sh.Length < setHeaderLength {
err = io.ErrUnexpectedEOF
break
}
// Grab the bytes representing the set
setLen := int(sh.Length) - setHeaderLength
nsl.bs = sl.Cut(setLen)
if err = sl.Error(); err != nil {
break
}
if err = w.walkNFv9Set(r, &sh, &nsl); err != nil {
break
}
}
return
}
func (w *Walker) walkNFv9Set(r *Record, sh *setHeader, sl *slice) (err error) {
var tmpl TemplateRecord
var ok bool
r.DataRecordID = 0
var minLen uint16
for sl.Len() > 0 && sl.Error() == nil {
if sl.Len() < int(minLen) {
if debug {
dl.Println("ignoring padding")
}
// Padding
return
}
switch {
case sh.SetID == 0:
if err = w.readTemplateRecord(sl); err != nil {
return
}
case sh.SetID == 1:
// Options Template Set, not handled
sl.Cut(sl.Len())
case sh.SetID > 2 && sh.SetID < 256:
// Reserved, shouldn't happen
err = ErrProtocol
return
default:
// actual data record
if tmpl, ok = w.lookupTemplateRecord(sh.SetID); !ok {
//run the callback with the unknown template
err = ErrUnknownTemplate
return
}
if minLen == 0 {
minLen = calcMinRecLen(tmpl.FieldSpecifiers)
}
if err = w.handleDataRecord(r, sh, tmpl.FieldSpecifiers, sl); err != nil {
return
}
}
}
return
}