/*
 * NetFlow v5 export header, overlaid directly on the received datagram.
 * Field order is the wire layout: never reorder, insert or resize fields.
 * The fields are naturally aligned, so the struct is 24 bytes with no
 * implicit padding. Multi-byte fields are in network (big-endian) byte
 * order on the wire; read them through ntohs()/ntohl(), never directly.
 * Every field comes from the network and is untrusted input.
 */
struct NFHeaderV5{
uint16_t version; // flow-export version number (5 for this layout; reject anything else before parsing further)
uint16_t count; // number of flow entries following the header -- attacker-controlled, must be bounded by the datagram length before use
uint32_t sysUptime; // exporter uptime; NFV5.first/last are expressed on this same clock
uint32_t unix_secs; // exporter wall-clock time at export: seconds since the Unix epoch (per field name -- confirm against exporter docs)
uint32_t unix_nsecs; // residual nanoseconds of unix_secs (per field name -- confirm against exporter docs)
uint32_t flow_sequence; // sequence number; comparing consecutive values lets a collector notice lost export datagrams
uint8_t engine_type; // no VIP = 0, VIP2 = 1
uint8_t engine_id; // VIP2 slot number
uint16_t reserved; // reserved1,2 -- two reserved bytes, ignore on receipt
} ;
Total: 24 bytes (the fields are naturally aligned, so the struct carries no implicit padding and sizeof(NFHeaderV5) matches the wire size).
So the way to parse a NetFlow v5 packet is:
/* Overlay the header on the raw datagram. pData must point at the first byte
 * of a received NetFlow v5 datagram (and must be a byte pointer for the +24
 * below to be correct -- confirm its declaration); pHeader and pData are
 * declared outside this snippet.
 * NOTE(review): before either cast, verify the datagram is at least 24 bytes
 * long, and after reading pHeader->count (through ntohs) verify it holds
 * 24 + count * sizeof(NFV5) bytes -- count is attacker-controlled and an
 * unchecked value walks pEntry past the end of the receive buffer. */
pHeader = (NFHeaderV5 *)pData;
/* Entries start immediately after the 24-byte header, packed back to back. */
NFV5 *pEntry = (NFV5 *)(pData + 24);
pHeader->count then tells us how many flow entries follow the header. Two caveats: the fields arrive in network (big-endian) byte order, so read them through ntohs()/ntohl(); and count is taken straight from an untrusted packet, so before touching any entry check that the received datagram is at least 24 + count * sizeof(NFV5) bytes long -- otherwise a short or crafted packet makes the code read past the end of the buffer.
/*
 * One NetFlow v5 flow record; `count` of these follow the 24-byte header
 * back to back. Field order is the wire layout: never reorder or resize.
 * With a 4-byte ipv4addr_t the record is 48 bytes with no implicit padding
 * (ipv4addr_t is defined outside this file -- confirm its size).
 * Multi-byte fields are big-endian on the wire; convert with ntohs()/ntohl().
 * Every field is untrusted input from the exporter: range-check anything
 * used as an index or lookup key before relying on it.
 */
struct NFV5{
ipv4addr_t srcaddr; // source IP address
ipv4addr_t dstaddr; // destination IP address
ipv4addr_t nexthop; // next hop router's IP address
uint16_t input; // input interface index
uint16_t output; // output interface index
uint32_t pkts; // packets sent in duration
uint32_t bytes; // octets sent in duration
uint32_t first; // SysUptime at start of flow (same clock as NFHeaderV5.sysUptime)
uint32_t last; // SysUptime at the time of the last packet of the flow
uint16_t srcport; // TCP/UDP source port number or equivalent
uint16_t dstport; // TCP/UDP destination port number or equivalent
uint8_t pad; // unused padding byte; ignore on receipt
uint8_t tcp_flags; // bitwise OR of all TCP flags in flow; 0x10
// for non-TCP flows
uint8_t prot; // IP protocol, e.g., 6=TCP, 17=UDP, ...
uint8_t tos; // IP Type-of-Service
uint16_t src_as; // originating AS of source address
uint16_t dst_as; // originating AS of destination address
uint8_t src_mask; // source address prefix mask bits (an IPv4 prefix length; a value above 32 is malformed)
uint8_t dst_mask; // destination address prefix mask bits (an IPv4 prefix length; a value above 32 is malformed)
uint16_t reserved; // reserved; ignore on receipt
} ;
Thus pEntry->srcaddr, pEntry->dstaddr, pEntry->pkts, pEntry->bytes and the other fields are what the subsequent processing works from; step pEntry forward once per entry for count entries, but only after confirming the datagram actually contains that many, and convert each multi-byte field from network byte order before using it.
That's all about netflow packets.
Enjoy yourselves!