fluent-plugin-netflow-enchanced 1.0.0.rc1
- checksums.yaml +7 -0
- data/.gitignore +24 -0
- data/.travis.yml +18 -0
- data/Gemfile +3 -0
- data/README.md +180 -0
- data/Rakefile +14 -0
- data/VERSION +1 -0
- data/example/fluentd.conf +9 -0
- data/fluent-plugin-netflow.gemspec +24 -0
- data/lib/fluent/plugin/in_netflow.rb +80 -0
- data/lib/fluent/plugin/netflow_fields.yaml +302 -0
- data/lib/fluent/plugin/netflow_records.rb +160 -0
- data/lib/fluent/plugin/parser_netflow.rb +403 -0
- data/lib/fluent/plugin/vash.rb +75 -0
- data/test/dump/netflow.v5.dump +0 -0
- data/test/dump/netflow.v9.dump +0 -0
- data/test/dump/netflow.v9.flowStartMilliseconds.dump +0 -0
- data/test/dump/netflow.v9.mpls-data.dump +0 -0
- data/test/dump/netflow.v9.mpls-template.dump +0 -0
- data/test/dump/netflow.v9.sampler.dump +0 -0
- data/test/dump/netflow.v9.sampler_template.dump +0 -0
- data/test/dump/netflow.v9.template.as2.dump +0 -0
- data/test/dump/netflow.v9.template.dump +0 -0
- data/test/dump/netflow.v9.template.flowStartMilliseconds.dump +0 -0
- data/test/helper.rb +26 -0
- data/test/test_in_netflow.rb +34 -0
- data/test/test_parser_netflow.rb +380 -0
- data/test/test_parser_netflow9.rb +223 -0
- metadata +132 -0
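--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: 4c76eebf8b18910e2ac39ab145f110dd01237496
+data.tar.gz: e4b6d605e9fe93e9d26024e3bca00abd940e5341
+SHA512:
+metadata.gz: e3160293b97bece1d8dba37b608e044c90782907b17ee2c055ac4309ee72b44e2d98fb10f9e23f0b2318cf850bd6718b8ad6f62f1a2f1fd7063d9c38d6f26c5b
+data.tar.gz: 5b1dabb47633997098275b699ae9c642a8956fbb0869688844f0db8790f5007a8ca625045c19f0cc65c262c2c2b6c562a95ce086744b06ae2dfbdd8c98b45556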
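--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,24 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+# For TextMate, emacs, vim
+*.tmproj
+tmtags
+*~
+\#*
+.\#*
+*.swp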
data/.travis.yml
ADDED
data/Gemfile
ADDED
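--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,180 @@
+# Netflow plugin for Fluentd
+
+[](https://travis-ci.org/repeatedly/fluent-plugin-netflow)
+
+
+## Overview
+
+[Fluentd](http://fluentd.org/) input plugin that acts as Netflow v5/v9 collector.
+
+
+## Installation
+
+Use RubyGems:
+
+fluent-gem install fluent-plugin-netflow
+
+
+## Configuration
+
+<source>
+type netflow
+tag netflow.event
+
+# optional parameters
+bind 192.168.0.1
+port 2055
+cache_ttl 6000
+versions [5, 9]
+definitions /path/to/custom_fields.yaml
+</source>
+
+**bind**
+
+IP address on which the plugin will accept Netflow.
+(Default: '0.0.0.0')
+
+**port**
+
+UDP port number on which tpe plugin will accept Netflow.
+(Default: 5140)
+
+**cache_ttl**
+
+Template cache TTL for Netflow v9 in seconds. Templates not refreshed from the Netflow v9 exporter within the TTL are expired at the plugin.
+(Default: 4000)
+
+**versions**
+
+Netflow versions which are acceptable.
+(Default:[5, 9])
+
+**switched_times_from_uptime**
+
+When set to true, the plugin stores system uptime for ```first_switched``` and ```last_switched``` instead of ISO8601-formatted absolute time.
+(Defaults: false)
+
+**definitions**
+
+YAML file containing Netflow field definitions to overfide pre-defined templates. Example is like below
+
+---
+4: # field value
+- :uint8 # field length
+- :protocol # field type
+
+
+## Performance Evaluation
+
+Benchmark for v5 protocol on Macbook Air (Early 2014, 1.7 GHz Intel Core i7):
+* 0 packets dropped in 32,000 records/second (for 3,000,000 packets)
+* 45,000 records/second in maximum (for flooding netflow packets)
+
+Tested with the packet generator below:
+
+* https://github.com/mshindo/NetFlow-Generator
+* `./flowgen -n3000000 -i50 -w1 -p5140 localhost`
+
+And configuration:
+
+<source>
+@type netflow
+tag netflow.event
+bind 0.0.0.0
+port 5140
+switched_times_from_uptime yes
+</source>
+<match netflow.event>
+@type flowcounter
+unit minute
+count_keys count # missing column for counting events only
+tag flowcount
+</match>
+<match flowcount>
+@type stdout
+</match>
+
+
+## Tips
+
+### Use netflow parser in other plugins
+
+```ruby
+require 'fluent/plugin/parser_netflow'
+
+parser = Fluent::Plugin::NetflowParser.new
+parser.configure(conf)
+
+# Netflow v5
+parser.call(payload) do |time, record|
+# do something
+end
+
+# Netflow v9
+parser.call(payload, source_ip_address) do |time, record|
+# do something
+end
+```
+
+**NOTE:**
+If the plugin receives Netflow v9 from multiple sources, provide ```source_ip_address``` argument to parse correctly.
+
+### Field definition for Netflow v9
+
+Both option and scope fields for Netflow v9 are defined in [YAML](https://www.ietf.org/rfc/rfc3954.txt) where two parameters are described for each field value like:
+
+```yaml
+option:
+...
+4: # field value
+- :uint8 # field length
+- :protocol # field type
+```
+
+See [RFC3954 document](https://www.ietf.org/rfc/rfc3954.txt) for more details.
+
+When int value specified for field length, the template parser in this plugin will prefer a field length in received template flowset over YAML. The int value in YAML will be used as a default value only when the length in received flowset is invalid.
+
+```yaml
+option:
+1:
+- 4 # means :unit32, which is just a default
+- :in_bytes
+```
+
+When ```:skip``` is described for a field, the template parser will learn the length from received template flowset and skip the field when data flowsets are processed.
+
+```yaml
+option:
+...
+43:
+- :skip
+```
+
+**NOTE:**
+The definitions don't exactly reflect RFC3954 in order to cover some illegal implementations which export Netflow v9 in bad field length.
+
+```yaml
+31:
+- 3 # Some system exports in 4 bytes despite of RFC
+- :ipv6_flow_label
+...
+48:
+- 1 # Some system exports in 2 bytes despite of RFC
+- :flow_sampler_id
+```
+
+### PaloAlto Netflow
+
+PaloAlto Netflow has different field definitionas:
+See this definitions for PaloAlto Netflow: https://github.com/repeatedly/fluent-plugin-netflow/issues/27#issuecomment-269197495
+
+### More speed ?
+
+:bullettrain_side: Try ```switched_times_from_uptime true``` option !
+
+
+## TODO
+
+* Netflow v9 protocol parser optimization
+* Use Fluentd feature instead of own handlers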
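--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,14 @@
+
+require 'bundler'
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |test|
+test.libs << 'lib' << 'test'
+test.test_files = FileList['test/**/test_*.rb']
+test.verbose = true
+end
+
+task :default => [:build]
+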
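--- a/data/VERSION
+++ b/data/VERSION
@@ -0,0 +1 @@
+1.0.0.rc1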
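--- a/data/fluent-plugin-netflow.gemspec
+++ b/data/fluent-plugin-netflow.gemspec
@@ -0,0 +1,24 @@
+# encoding: utf-8
+$:.push File.expand_path('../lib', __FILE__)
+
+Gem::Specification.new do |gem|
+gem.name = "fluent-plugin-netflow-enchanced"
+gem.description = "Netflow plugin for Fluentd"
+gem.homepage = "https://github.com/repeatedly/fluent-plugin-netflow"
+gem.summary = gem.description
+gem.version = File.read("VERSION").strip
+gem.authors = ["Masahiro Nakagawa"]
+gem.email = "repeatedly@gmail.com"
+gem.has_rdoc = false
+#gem.platform = Gem::Platform::RUBY
+gem.license = 'Apache License (2.0)'
+gem.files = `git ls-files`.split("\n")
+gem.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
+gem.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+gem.require_paths = ['lib']
+
+gem.add_dependency "fluentd", [">= 0.14.10", "< 2"]
+gem.add_dependency "bindata", "~> 2.1"
+gem.add_development_dependency "rake", ">= 0.9.2"
+gem.add_development_dependency "test-unit", "~> 3.0"
+end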
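Review bot: The gemspec publishes under `gem.name = "fluent-plugin-netflow-enchanced"` while `gem.homepage`, `gem.authors` and `gem.email` still point at the `repeatedly/fluent-plugin-netflow` project and its author, so nothing in the package metadata identifies who maintains this differently named gem or where its source lives. If this is a fork, those three fields should name the fork's own maintainer and repository so that consumers can check provenance before installing. `gem.license = 'Apache License (2.0)'` is also not an SPDX identifier; `gem.license = 'Apache-2.0'` is the form RubyGems tooling and license scanners recognise.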
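--- a/data/lib/fluent/plugin/in_netflow.rb
+++ b/data/lib/fluent/plugin/in_netflow.rb
@@ -0,0 +1,80 @@
+#
+# Fluent
+#
+# Copyright (C) 2014 Masahiro Nakagawa
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'fluent/plugin/input'
+require 'fluent/plugin/parser_netflow'
+
+module Fluent::Plugin
+class NetflowInput < Input
+Fluent::Plugin.register_input('netflow', self)
+
+helpers :server
+
+config_param :port, :integer, default: 5140
+config_param :bind, :string, default: '0.0.0.0'
+config_param :tag, :string
+config_param :protocol_type, default: :udp do |val|
+case val.downcase
+when 'udp'
+:udp
+else
+raise Fluent::ConfigError, "netflow input protocol type should be 'udp'"
+end
+end
+config_param :max_bytes, :integer, default: 2048
+
+def configure(conf)
+super
+
+@parser = Fluent::Plugin::NetflowParser.new
+@parser.configure(conf)
+end
+
+def start
+super
+server_create(:in_netflow_server, @port, bind: @bind, proto: @protocol_type, max_bytes: @max_bytes) do |data, sock|
+receive_data(sock.remote_host, data)
+end
+end
+
+def shutdown
+super
+end
+
+protected
+
+def receive_data(host, data)
+log.on_debug { log.debug "received logs", :host => host, :data => data }
+
+@parser.call(data, host) { |time, record|
+unless time && record
+log.warn "pattern not match: #{data.inspect}"
+return
+end
+
+record['host'] = host
+record['process_time'] = Time.new.strftime("%Y-%m-%dT%H:%M:%S.%LZ")
+
+router.emit(@tag, time, record)
+}
+rescue => e
+log.warn "unexpected error on parsing", data: data.dump, error_class: e.class, error: e.message
+log.warn_backtrace
+end
+end
+end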
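Review bot: In `receive_data`, `record['process_time'] = Time.new.strftime("%Y-%m-%dT%H:%M:%S.%LZ")` formats the host's local time but appends a literal `Z`, so on a collector that does not run in UTC every record carries a timestamp that claims UTC and is off by the zone offset; use `Time.now.utc.strftime("%Y-%m-%dT%H:%M:%S.%LZ")`. That skew matters when flow records are correlated with other logs during an investigation. Separately, both `log.warn` calls write the whole datagram (`data.inspect`, `data.dump`) for every packet that fails to parse, and the listener defaults to UDP on `0.0.0.0`, so any host that can reach the port can grow the Fluentd log by up to `max_bytes` (more once escaped) per packet; logging the source and length at warn and the payload only at debug would bound that. Also, `return` inside the parser block exits `receive_data` itself, so any records still to be yielded from that datagram are dropped, where `next` would skip only the bad one.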
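--- a/data/lib/fluent/plugin/netflow_fields.yaml
+++ b/data/lib/fluent/plugin/netflow_fields.yaml
@@ -0,0 +1,302 @@
+---
+option:
+1:
+- 4
+- :in_bytes
+2:
+- 4
+- :in_pkts
+3:
+- 4
+- :flows
+4:
+- :uint8
+- :protocol
+5:
+- :uint8
+- :src_tos
+6:
+- :uint8
+- :tcp_flags
+7:
+- :uint16
+- :l4_src_port
+8:
+- :ip4_addr
+- :ipv4_src_addr
+9:
+- :uint8
+- :src_mask
+10:
+- 2
+- :input_snmp
+11:
+- :uint16
+- :l4_dst_port
+12:
+- :ip4_addr
+- :ipv4_dst_addr
+13:
+- :uint8
+- :dst_mask
+14:
+- 2
+- :output_snmp
+15:
+- :ip4_addr
+- :ipv4_next_hop
+16:
+- 2
+- :src_as
+17:
+- 2
+- :dst_as
+18:
+- :ip4_addr
+- :bgp_ipv4_next_hop
+19:
+- 4
+- :mul_dst_pkts
+20:
+- 4
+- :mul_dst_bytes
+21:
+- :uint32
+- :last_switched
+22:
+- :uint32
+- :first_switched
+23:
+- 4
+- :out_bytes
+24:
+- 4
+- :out_pkts
+25:
+- :uint16
+- :min_pkt_length
+26:
+- :uint16
+- :max_pkt_length
+27:
+- :ip6_addr
+- :ipv6_src_addr
+28:
+- :ip6_addr
+- :ipv6_dst_addr
+29:
+- :uint8
+- :ipv6_src_mask
+30:
+- :uint8
+- :ipv6_dst_mask
+31:
+- 3
+- :ipv6_flow_label
+32:
+- :uint16
+- :icmp_type
+33:
+- :uint8
+- :mul_igmp_type
+34:
+- :uint32
+- :sampling_interval
+35:
+- :uint8
+- :sampling_algorithm
+36:
+- :uint16
+- :flow_active_timeout
+37:
+- :uint16
+- :flow_inactive_timeout
+38:
+- :uint8
+- :engine_type
+39:
+- :uint8
+- :engine_id
+40:
+- 4
+- :total_bytes_exp
+41:
+- 4
+- :total_pkts_exp
+42:
+- 4
+- :total_flows_exp
+43:
+- :skip
+44:
+- :ip4_addr
+- :ipv4_src_prefix
+45:
+- :ip4_addr
+- :ipv4_dst_prefix
+46:
+- :uint8
+- :mpls_top_label_type
+47:
+- :uint32
+- :mpls_top_label_ip_addr
+48:
+- 1
+- :flow_sampler_id
+49:
+- :uint8
+- :flow_sampler_mode
+50:
+- :uint32
+- :flow_sampler_random_interval
+51:
+- :skip
+52:
+- :uint8
+- :min_ttl
+53:
+- :uint8
+- :max_ttl
+54:
+- :uint16
+- :ipv4_ident
+55:
+- :uint8
+- :dst_tos
+56:
+- :mac_addr
+- :in_src_mac
+57:
+- :mac_addr
+- :out_dst_mac
+58:
+- :uint16
+- :src_vlan
+59:
+- :uint16
+- :dst_vlan
+60:
+- :uint8
+- :ip_protocol_version
+61:
+- :uint8
+- :direction
+62:
+- :ip6_addr
+- :ipv6_next_hop
+63:
+- :ip6_addr
+- :bgp_ipv6_next_hop
+64:
+- :uint32
+- :ipv6_option_headers
+65:
+- :skip
+66:
+- :skip
+67:
+- :skip
+68:
+- :skip
+69:
+- :skip
+70:
+- :mpls_label
+- :mpls_label_1
+71:
+- :mpls_label
+- :mpls_label_2
+72:
+- :mpls_label
+- :mpls_label_3
+73:
+- :mpls_label
+- :mpls_label_4
+74:
+- :mpls_label
+- :mpls_label_5
+75:
+- :mpls_label
+- :mpls_label_6
+76:
+- :mpls_label
+- :mpls_label_7
+77:
+- :mpls_label
+- :mpls_label_8
+78:
+- :mpls_label
+- :mpls_label_9
+79:
+- :mpls_label
+- :mpls_label_10
+80:
+- :mac_addr
+- :in_dst_mac
+81:
+- :mac_addr
+- :out_src_mac
+82:
+- :string
+- :if_name
+83:
+- :string
+- :if_desc
+84:
+- :string
+- :sampler_name
+89:
+- :uint8
+- :forwarding_status
+91:
+- :uint8
+- :mpls_prefix_len
+95:
+- 4
+- :app_id
+150:
+- :uint32
+- :flowStartSeconds
+151:
+- :uint32
+- :flowEndSeconds
+152:
+- :uint64
+- :flowStartMilliseconds
+153:
+- :uint64
+- :flowEndMilliseconds
+154:
+- :uint64
+- :flowStartMicroseconds
+155:
+- :uint64
+- :flowEndMicroseconds
+156:
+- :uint64
+- :flowStartNanoseconds
+157:
+- :uint64
+- :flowEndNanoseconds
+234:
+- :uint32
+- :ingress_vrf_id
+235:
+- :uint32
+- :egress_vrf_id
+236:
+- :string
+- :vrf_name
+
+scope:
+1:
+- :ip4_addr
+- :system
+2:
+- :skip
+3:
+- :skip
+4:
+- :skip
+5:
+- :skip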