[netflow-tools] Softflowd patches for ICMP type/code and DESTDIR support

Damien Miller djm at mindrot.org
Wed Mar 15 10:09:57 EST 2006


On Fri, 3 Mar 2006, Steve Snodgrass wrote:

> Greetings,
> 
> First I must say thanks to Damien for this very useful program.  I have
> recently started using softflowd and I found a few minor problems with it.

Thanks!

> 1. The Makefile doesn't support 'make install DESTDIR=' which is very
> useful for building RPMs (more on that in another message).  I've attached
> a small patch that adds this support.

Applied.

> 2. When Cisco routers generate Netflow v5 for ICMP, they encode the ICMP
> type and code into the Netflow destination port field as type*256 + code.
> Unfortunately softflowd does not do this, so you have no way of knowing
> what ICMP it is logging - until now!  The other attached patch enables
> the same ICMP type/code reporting you get with Cisco Netflow.

Thanks for this. I tweaked the patch slightly because "struct icmphdr" 
appears to be a Linuxism, and is not present on OpenBSD or Solaris. 
What was committed uses "struct icmp" which is everywhere.

Please give this a try - it might need some incantation of _BSD_SOURCE
defined on glibc, or maybe not.

-d

Index: common.h
===================================================================
RCS file: /var/cvs/softflowd/common.h,v
retrieving revision 1.22
diff -u -p -r1.22 common.h
--- common.h	15 Jan 2005 04:08:56 -0000	1.22
+++ common.h	14 Mar 2006 22:56:16 -0000
@@ -41,6 +41,7 @@
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/ip6.h>
+#include <netinet/ip_icmp.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <arpa/inet.h>
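
Review bot: the `#include <netinet/ip_icmp.h>` added after `<netinet/ip6.h>` is unconditional, while the message above is unsure whether glibc needs `_BSD_SOURCE` for `struct icmp` to be visible. If that define turns out to be required, it has to be set before the first system header is pulled in, so it belongs at the top of common.h or in the build flags rather than next to this include. A short comment recording which platforms were checked would help.
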
Index: softflowd.c
===================================================================
RCS file: /var/cvs/softflowd/softflowd.c,v
retrieving revision 1.90
diff -u -p -r1.90 softflowd.c
--- softflowd.c	14 Mar 2006 22:51:48 -0000	1.90
+++ softflowd.c	14 Mar 2006 23:04:09 -0000
@@ -285,6 +285,7 @@ transport_to_flowrec(struct FLOW *flow, 
 {
 	const struct tcphdr *tcp = (const struct tcphdr *)pkt;
 	const struct udphdr *udp = (const struct udphdr *)pkt;
+	const struct icmp *icmp = (const struct icmp *)pkt;
 
 	/*
 	 * XXX to keep flow in proper canonical format, it may be necessary
@@ -308,6 +309,15 @@ transport_to_flowrec(struct FLOW *flow, 
 			return (isfrag ? 0 : 1);
 		flow->port[ndx] = udp->uh_sport;
 		flow->port[ndx ^ 1] = udp->uh_dport;
+		break;
+	case IPPROTO_ICMP:
+		/*
+		 * Encode ICMP type * 256 + code into dest port like
+		 * Cisco routers
+		 */
+		flow->port[ndx] = 0;
+		flow->port[ndx ^ 1] = htons(icmp->icmp_type * 256 +
+		    icmp->icmp_code);
 		break;
 	}
 	return (0);
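
Review bot: the new `case IPPROTO_ICMP:` reads `icmp->icmp_type` and `icmp->icmp_code` with no early return ahead of it, whereas the UDP case visible just above has `return (isfrag ? 0 : 1);` before it touches `udp->uh_sport`. Suggest the same kind of guard here, so that a truncated capture or a non-first fragment (where the bytes at `pkt` are not an ICMP header) does not end up as a bogus type/code in `flow->port[ndx ^ 1]`. Only the first two bytes of the header are used, so the check can be for that length rather than `sizeof(*icmp)`. Separately, if ICMPv6 is meant to get the same encoding it needs its own case; none is added here.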
