File: primitives.lst.example

package info (click to toggle)
pmacct 1.7.8-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 11,904 kB
  • sloc: ansic: 110,430; sh: 4,794; cpp: 4,375; python: 3,632; makefile: 525
file content (108 lines) | stat: -rw-r--r-- 5,382 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
 
!
! aggregate_primitives: list of custom-defined primitives
!
! File syntax is key-based. Position of keys inside the same row (rule) is not
! relevant; Spaces are not allowed (ie. 'id = 1' is not valid). The first full
! match wins (like in firewall rules).
!
! list of currently supported keys follows:
!
! 'name'		SET: Primitive name: it will be used as identifier of
!			the primitive itself and hence must be unique. This
!			name can be used in 'aggregate' statements to include
!			the primitive as part of plugin aggregation methods.
! 'packet_ptr'		MATCH: Applies to pmacctd (libpcap), uacctd (NFLOG),
!			nfacctd (NetFlow v9/IPFIX dataLinkFrameSection IE #315)
!			and sFlow v5 sampled headers section: defines the base
!			pointer in the packet where to read the primitive value;
!			This is to be used in conjunction with 'len' to define
!			the portion of the packet to save (up to the maximum
!			captured length; in pmacctd and uacctd, this can be
!			adjusted via 'snaplen' config directive). The supported
!			syntax is: "<layer>:[<protocol value>]+[<offset>]".
!			Valid 'layer' keys are: 'packet', 'mac', 'vlan', 'mpls',
!			'l3', 'l4' and 'payload'; 'layer' keyword is mandatory.
!			'protocol value' is an optional key and can be supplied
!			in either decimal or hex format. 'offset' is an optional
!			key and is expected to be a positive decimal number. A
!			maximum of 8 'packet_ptr' definitions are allowed per
!			entry. 
! 'field_type'		MATCH: Applies to NetFlow v9/IPFIX collection and export:
!			defines which field type (Information Element ID) to
!			select. Optionally, a PEN value can be supplied as well
!			via the <PEN>:<value> format. As a reference the IPFIX
!			standard IEs definition table can be used:
!			http://www.iana.org/assignments/ipfix/ipfix.xhtml ; for
!			non-standard IEs, vendor tend to supply equivalent docs:
!			should this result unavailable, make a trace of the data,
!			ie. "tcpdump -i any -n -w <file> <daemon listening port>",
!			then analyse it, ie. with Wireshark, isolating templates
!			in order to find relevant information.
! 'len'			MATCH: Length of the primitive, in bytes. 'vlen' word
!			defines a primitive to be variable length. In pmacctd
!			and  uacctd only strings can be defined vlen; in nfacctd
!			string and raw semantics can be defined vlen.
! 'semantics'		SET: Specifies semantics of the primitive. Allowed values
!			are: 'u_int' (unsigned integer [1,2,4,8 bytes long],
!			presented as decimal number), 'hex' (unsigned integer
!			[1,2,4,8 bytes long], presented as hexadecimal number),
!			'ip' (IP address), 'mac' (L2 MAC address), 'str'
!			(string) and 'raw' (raw data, fixed or variable length
!			in hex format). Note: when selecting 'str' as semantics,
!			although some effort is put in ensuring null-termination
!			in pmacct, it is recommended that the original string is
!			null-terminated; alternatively pick 'raw' in order to
!			avoid undefined behaviours; 'raw' will require some
!			simple post processing in order to be converted back to
!			a string.
! 
! Examples:
!
! Defines a primitive called 'mtla': it picks NetFlow v9/IPFIX field type #47
! (mplsTopLabelIPv4Address), reads for 4 bytes (since it's expected to be an
! IPv4 address) and will present it as an IP address. 
! In an 'aggregate' statement this primitive would be intuitively recalled by
! its name, 'mtla'.
!
name=mtla	field_type=47	len=4	semantics=ip
!
! Defines a primitive called 'mtlpl': it picks NetFlow v9/IPFIX field type #91
! (mplsTopLabelPrefixLength), reads for 1 byte (since it's expected to be a
! prefix length/network mask) and will present it as a decimal unsigned int.
!
name=mtlpl	field_type=91	len=1	semantics=u_int
!
! Defines a primitive called 'alu_91': it picks NetFlow v9/IPFIX field type
! #91 and PEN #637 (Alcatel-Lucent), reads for 2 bytes and will present it as
! a hexadecimal.
!
name=alu_91	field_type=637:91	len=2	semantics=hex
!
! Defines a primitive called 'ttl_pm': if reading an IPv4 header (l3:0x800)
! the base pointer is offset by 8 bytes, if reading an IPv6 header (l3:0x86dd)
! it is offset by 7 bytes; it reads for 1 byte and will present it as unsigned
! int.
!
name=ttl_pm	packet_ptr=l3:0x800+8   packet_ptr=l3:0x86dd+7	len=1   semantics=u_int
!
! Defines a primitive called 'udp_len': base pointer is set to the UDP header
! (l4:17) plus 4 bytes offset, reads for 2 byte and will present it as unsigned
! int. Correct working of "l4" offset does require setting the configuration key
! [pm|u]acctd_force_frag_handling to true.
!
name=udp_len	packet_ptr=l4:17+4      len=2   semantics=u_int
!
! Defines a primitive called 'tcp_win': base pointer is set to the TCP header
! (l4:6) plus 14 bytes offset, reads for 2 byte and will present it as unsigned
! int. Correct working of "l4" offset does require setting the configuration key
! [pm|u]acctd_force_frag_handling to true.
!
name=tcp_win	packet_ptr=l4:6+14      len=2   semantics=u_int
!
! nfprobe example: defines a primitive called 'ttl_nf': if reading an IPv4
! header (l3:0x800) the base pointer is offset by 8 bytes, if reading an IPv6
! header (l3:0x86dd) it is offset by 7 bytes; it reads for 1 byte and will
! present it as unsigned int. The info is carried via NetFlow/IPFIX in field
! type #192.
!
name=ttl_nf	packet_ptr=l3:0x800+8   packet_ptr=l3:0x86dd+7  len=1   semantics=u_int	field_type=192