<div class="highlight"><pre><span class="c1">#!/usr/bin/perl</span>
<span class="c1">###################################</span>
<span class="c1"># #</span>
<span class="c1"># Simple NetFlow v5 packet parser #</span>
<span class="c1"># for ipt_NETFLOW #</span>
<span class="c1"># by Alexander Ptitsyn #</span>
<span class="c1"># modified by Fd #</span>
<span class="c1"># v0.001 (c) 2009 #</span>
<span class="c1"># #</span>
<span class="c1">###################################</span>
<span class="k">use</span> <span class="n">strict</span><span class="p">;</span>
<span class="k">use</span> <span class="n">warnings</span><span class="p">;</span>
<span class="k">use</span> <span class="nn">IO::</span><span class="n">Socket</span><span class="p">;</span>
# Per-record scratch variables filled in by the collector loop below;
# nothing in this file prints them, the script only decodes the packet.
my ($packet,
    $sourceAddress, $sourcePort, $sourceMaskPrefix,
    $destinationAddress, $destinationPort, $destinationMaskPrefix,
    $packets, $octets, $proto, $tcpFlags, $typeOfService,
    $sourceAS, $destinationAS, $nextHop, $snmpIn, $snmpOut,
    $systemUptimeFlowStart, $systemUptimeFlowStop);

# Listener settings plus the unpack() templates for the 24-byte v5 header
# and for one 48-byte flow record (field layout is tabulated after __END__).
my %config = (
    hostname       => 'localhost',
    port           => 2055,
    proto          => 'udp',
    headerTemplate => 'nnNNNNCCn',
    footerTemplate => 'NNNnnNNNNnnCCCCnnCCn',
);

# Bind the UDP collector socket; there is nothing useful to do without it.
my $sockObj = IO::Socket::INET->new(
    LocalHost => $config{hostname},
    LocalPort => $config{port},
    Proto     => $config{proto},
) or die "Can't open socket: $!";
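# NetFlow v5 wire layout (tables after __END__): a 24-byte header followed
# by up to 30 fixed-size 48-byte flow records, i.e. 1464 bytes at most.
use constant {
    HEADER_LEN => 24,
    RECORD_LEN => 48,
    MAX_FLOWS  => 30,
};

# Collector loop, one datagram per iteration.  IO::Socket's recv() returns
# the sender address on success and undef on error, so test definedness.
# Every datagram comes from an unauthenticated UDP peer, so a malformed one
# is reported and skipped rather than allowed to die() the whole collector.
while (defined $sockObj->recv($packet, 1464)) {
    my $len = length $packet;
    if ($len < HEADER_LEN) {
        warn "short datagram ($len bytes), skipped\n";
        next;
    }

    my ($flowVersion, $flowCount, $flowSysUptime, $flowUnixSeconds,
        $flowUnixNanoseconds, $flowSequence, $flowEngineType, $flowEngineID,
        $flowSamplingInterval) = unpack $config{headerTemplate}, $packet;

    # The old test was "version != 5 && count out of range", which accepted
    # a bad version whenever the count looked sane (and vice versa).  The
    # count is an unsigned 16-bit field, so only the upper bound is needed;
    # a count of 0 is tolerated and simply yields no records.
    if ($flowVersion != 5 || $flowCount > MAX_FLOWS) {
        warn "not a NetFlow v5 packet (version $flowVersion, count $flowCount), skipped\n";
        next;
    }

    # The count is sender-controlled: make sure the datagram really carries
    # that many records before slicing it, otherwise unpack() would hand
    # back undefs for the missing tail.
    my $need = HEADER_LEN + RECORD_LEN * $flowCount;
    if ($len < $need) {
        warn "truncated packet: $flowCount flows need $need bytes, got $len, skipped\n";
        next;
    }

    # Decode each record from its own 48-byte slice instead of building one
    # long template (the original appended flowCount + 1 copies of it and
    # then indexed the flat list with hand-computed offsets).
    for my $i (0 .. $flowCount - 1) {
        my $record = substr $packet, HEADER_LEN + RECORD_LEN * $i, RECORD_LEN;

        # Field order follows the flow record table after __END__; pad1 is
        # discarded via undef and pad2 falls off the end of the list.
        my ($srcaddr, $dstaddr, $nexthop, $input, $output, $dpkts, $doctets,
            $first, $last, $srcport, $dstport, undef, $tcp_flags, $prot, $tos,
            $src_as, $dst_as, $src_mask, $dst_mask)
            = unpack $config{footerTemplate}, $record;

        # Only the two endpoint addresses are rendered in dotted form; the
        # next hop stays a raw 32-bit integer, as before.
        $sourceAddress         = ip_to_str($srcaddr);
        $destinationAddress    = ip_to_str($dstaddr);
        $nextHop               = $nexthop;
        $snmpIn                = $input;
        $snmpOut               = $output;
        $packets               = $dpkts;
        $octets                = $doctets;
        $systemUptimeFlowStart = $first;
        $systemUptimeFlowStop  = $last;
        $sourcePort            = $srcport;
        $destinationPort       = $dstport;
        $tcpFlags              = $tcp_flags;
        $proto                 = $prot;
        $typeOfService         = $tos;
        $sourceAS              = $src_as;
        $destinationAS         = $dst_as;
        $sourceMaskPrefix      = $src_mask;
        $destinationMaskPrefix = $dst_mask;
    }
}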
# Convert an IPv4 address held as a 32-bit integer (what unpack 'N' yields
# for a 4-byte address field) into dotted-quad text.  inet_ntoa is the
# Socket function that IO::Socket re-exports into this package.
sub ip_to_str {
    my ($addr) = @_;
    return inet_ntoa(pack 'N', $addr);
}
<span class="cp">__END__</span>
<span class="cp">Bytes Contents Description</span>
<span class="cp">0-1 version NetFlow export format version number</span>
<span class="cp">2-3 count Number of flows exported in this packet (1-30)</span>
<span class="cp">4-7 sys_uptime Current time in milliseconds since the export device booted</span>
<span class="cp">8-11 unix_secs Current count of seconds since 0000 UTC 1970</span>
<span class="cp">12-15 unix_nsecs Residual nanoseconds since 0000 UTC 1970</span>
<span class="cp">16-19 flow_sequence Sequence counter of total flows seen</span>
<span class="cp">20 engine_type Type of flow-switching engine</span>
<span class="cp">21 engine_id Slot number of the flow-switching engine</span>
<span class="cp">22-23 sampling_interval First two bits hold the sampling mode; the remaining 14 bits hold the value of the sampling interval</span>
<span class="cp">Flow record format</span>
<span class="cp">Bytes Contents Description</span>
<span class="cp">0-3 srcaddr Source IP address</span>
<span class="cp">4-7 dstaddr Destination IP address</span>
<span class="cp">8-11 nexthop IP address of next hop router</span>
<span class="cp">12-13 input SNMP index of input interface</span>
<span class="cp">14-15 output SNMP index of output interface</span>
<span class="cp">16-19 dPkts Packets in the flow</span>
<span class="cp">20-23 dOctets Total number of Layer 3 bytes in the packets of the flow</span>
<span class="cp">24-27 first SysUptime at start of flow</span>
<span class="cp">28-31 last SysUptime at the time the last packet of the flow was received</span>
<span class="cp">32-33 srcport TCP/UDP source port number or equivalent</span>
<span class="cp">34-35 dstport TCP/UDP destination port number or equivalent</span>
<span class="cp">36 pad1 Unused (zero) bytes</span>
<span class="cp">37 tcp_flags Cumulative OR of TCP flags</span>
<span class="cp">38 prot IP protocol type (for example, TCP = 6; UDP = 17)</span>
<span class="cp">39 tos IP type of service (ToS)</span>
<span class="cp">40-41 src_as Autonomous system number of the source, either origin or peer</span>
<span class="cp">42-43 dst_as Autonomous system number of the destination, either origin or peer</span>
<span class="cp">44 src_mask Source address prefix mask bits</span>
<span class="cp">45 dst_mask Destination address prefix mask bits</span>
<span class="cp">46-47 pad2 Unused (zero) bytes</span>
</pre></div>