-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have a requirement to process sFlow data without access to any
content... [this is to meet legal and ethical standards].
Inspection of the output from the switches shows that they're recording
128 bytes of information come what may... so besides all the TCP/IP
header information some of the packet content is turning up :-(
Fixing this in the general case, for IPv6 and for when sflowtool is
generating netflow output, I leave as an exercise for the interested
reader.
However, in the hope that this will stimulate someone to do this (and
just to be generally helpful), here are the diffs for stripping "content"
from IPv4 packets when outputting data in tcpdump format.
The changes add a new "-x" option; if this option is given, the
packet is truncated as appropriate just before it is written out.
The code seems to work for me... but I'd suggest careful code review
before using it to meet _your_ legal and ethical standards!
*** sflowtool.was Mon Sep 19 19:08:45 2005
- --- sflowtool.c Mon Feb 6 18:20:29 2006
***************
*** 165,170 ****
- --- 165,171 ----
#endif
SFForwardingTarget *forwardingTargets;
+ u_int16_t removeContent;
} SFConfig;
/* make the options structure global to the program */
***************
*** 941,947 ****
- --- 942,977 ----
struct pcap_pkthdr hdr;
hdr.ts.tv_sec = time(NULL);
hdr.ts.tv_usec = 0;
+
+ // remove content if asked to do so
+
+ if (sfConfig.removeContent) {
+ if (sample->gotIPV4) {
+ struct myiphdr * ip = (struct myiphdr *)(sample->header + sample->offsetToIPV4);
+ int ipSize = (ip->version_and_headerLen & 0xF) << 2;
+
+ switch(sample->dcd_ipProtocol) {
+ case 1: /* ICMP */
+ hdr.caplen = sample->offsetToIPV4 + ipSize + 4;
+ break;
+ case 6: /* TCP */
+ {
+ struct mytcphdr * tcp = (struct mytcphdr *)(sample->header + sample->offsetToIPV4 + ipSize);
+ int tcpSize = (tcp->th_off_and_unused & 0xF0) >> 2;
+ hdr.caplen = sample->offsetToIPV4 + ipSize + tcpSize;
+ break;
+ }
+ case 17: /* UDP */
+ hdr.caplen = sample->offsetToIPV4 + ipSize + 8;
+ break;
+ default: /* some other protocol - only keep IP header */
+ hdr.caplen = sample->offsetToIPV4 + ipSize;
+ break;
+ }
+ }
+ } else {
hdr.caplen = sample->headerLen;
+ }
hdr.len = sample->sampledPacketSize;
// prepare the whole thing in a buffer first, in case we are piping the output
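Review bot: hdr.caplen is left unset when removeContent is on but the sample is not IPv4, because the `hdr.caplen = sample->headerLen;` assignment now lives only in the else branch while `struct pcap_pkthdr hdr;` at the top of the hunk has no initializer, so the memcpy and fwrite in the next hunk (lines 982-989) would use an indeterminate length. The length computed from the IHL and TCP data-offset fields is also never bounded by sample->headerLen, so a header with a large IHL or data offset makes that same memcpy read past the captured bytes. Keeping the original assignment before the if as the default — `hdr.caplen = sample->headerLen;` — and adding `if (hdr.caplen > sample->headerLen) hdr.caplen = sample->headerLen;` after the switch covers both cases. Whether the decoder has already verified that offsetToIPV4 + ipSize (and the TCP header) lie within headerLen before the struct casts here is not visible in the hunk. writePcapPacket begins before this hunk.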
***************
*** 952,959 ****
memcpy(buf+bytes, sfConfig.zeroPad, sfConfig.tcpdumpHdrPad);
bytes += sfConfig.tcpdumpHdrPad;
}
! memcpy(buf+bytes, sample->header, sample->headerLen);
! bytes += sample->headerLen;
if(fwrite(buf, bytes, 1, stdout) != 1) {
fprintf(stderr, "writePcapPacket: packet write failed: %s\n", strerror(errno));
- --- 982,989 ----
memcpy(buf+bytes, sfConfig.zeroPad, sfConfig.tcpdumpHdrPad);
bytes += sfConfig.tcpdumpHdrPad;
}
! memcpy(buf+bytes, sample->header, hdr.caplen);
! bytes += hdr.caplen;
if(fwrite(buf, bytes, 1, stdout) != 1) {
fprintf(stderr, "writePcapPacket: packet write failed: %s\n", strerror(errno));
***************
*** 2592,2597 ****
- --- 2622,2628 ----
fprintf(stderr,"tcpdump output:\n");
fprintf(stderr, " -t - (output in binary tcpdump(1) format)\n");
fprintf(stderr, " -r file - (read binary tcpdump(1) format)\n");
+ fprintf(stderr, " -x - (remove all IPV4 content)\n");
fprintf(stderr, " -z pad - (extend tcpdump pkthdr with this many zeros\n");
fprintf(stderr, " e.g. try -z 8 for tcpdump on Red Hat Linux 6.2)\n");
fprintf(stderr,"\n");
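Review bot: The usage line overstates what -x does: the truncation is applied only in the tcpdump (-t) output path and only to samples the decoder flagged as IPv4, so netflow and line output, and IPv6 samples, still carry the payload, as the cover note itself says. Suggest `fprintf(stderr, " -x - (strip IPv4 payload from tcpdump output; other formats and IPv6 unchanged)\n");` so a user relying on the option for content removal is not misled.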
***************
*** 2627,2632 ****
- --- 2658,2664 ----
case 't': sfConfig.outputFormat = SFLFMT_PCAP; break;
case 'l': sfConfig.outputFormat = SFLFMT_LINE; break;
case 'r': sfConfig.readPcapFileName = strdup(argv[arg++]); break;
+ case 'x': sfConfig.removeContent = YES; break;
case 'z': sfConfig.tcpdumpHdrPad = atoi(argv[arg++]); break;
case 'c':
{
- --
richard @ highwayman . com "Nothing seems the same
Still you never see the change from day to day
And no-one notices the customs slip away"
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBQ+eVJpoAxkTY1oPiEQIknQCgm/YUf5GQNhXUZASkQthvfzc3pKMAoNuF
q/aB0Oub22ecVz7+Bk+Q4/ru
=h9Pt
-----END PGP SIGNATURE-----