-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathNetflowWorker.cs
175 lines (165 loc) · 12.2 KB
/
NetflowWorker.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
using IPFixCollector.DataModel;
using IPFixCollector.Modules.Netflow;
using IPFixCollector.Modules.Netflow.v10;
using IPFixCollector.Modules.Netflow.V5;
using IPFixCollector.Modules.Netflow.v9;
using Newtonsoft.Json;
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;
namespace IPFixCollector.NetflowCollection
{
class NetflowWorker
{
public void Start()
{
const bool debug_netflow = true;
TemplatesV10 _templates_v10 = new TemplatesV10();
TemplatesV9 _templates_v9 = new TemplatesV9();
try
{
Console.WriteLine("Listening for IPFix Packets\n");
Socket sock = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
IPEndPoint iep = new IPEndPoint(IPAddress.Any, 9996);
sock.Bind(iep);
EndPoint ep = iep;
byte[] data = new byte[2048];
while (true)
{
int recv = sock.ReceiveFrom(data, ref ep);
byte[] _bytes = new byte[recv];
for (int i = 0; i < recv; i++)
{
_bytes[i] = data[i];
}
NetflowCommon common = new NetflowCommon(_bytes);
if (common._version == 5)
{
PacketV5 packet = new PacketV5(_bytes);
if (debug_netflow)
{
Console.WriteLine(String.Format("Received {0}v netflow packet: {1}", common._version, JsonConvert.SerializeObject(packet)));
}
}
else if ((common._version == 9))
{
if (_bytes.Count() > 16)
{
V9Packet packet = new V9Packet(_bytes, _templates_v9);
Modules.Netflow.v9.FlowSet _flowset = packet.FlowSet.FirstOrDefault(x => x.Template.Count() != 0);
if (_flowset != null)
{
foreach (Modules.Netflow.v9.Template _template in _flowset.Template.Where(x => x.Field.Any(y => y.Value.Count != 0)))
{
NetworkFlow networkFlow = new NetworkFlow();
NetworkFlow _netflow = networkFlow;
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV4_SRC_ADDR))
{
_netflow.Source_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV4_SRC_ADDR).Value.ToArray()).ToString();
_netflow.Target_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV4_DST_ADDR).Value.ToArray()).ToString();
}
else if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV6_SRC_ADDR))
{
_netflow.Source_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV6_SRC_ADDR).Value.ToArray()).ToString();
_netflow.Target_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IPV6_DST_ADDR).Value.ToArray()).ToString();
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.L4_SRC_PORT))
{
_netflow.Source_port = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.L4_SRC_PORT).Value.ToArray().Reverse().ToArray(), 0);
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.L4_DST_PORT))
{
_netflow.Target_port = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.L4_DST_PORT).Value.ToArray().Reverse().ToArray(), 0);
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.PROTOCOL))
{
_netflow.Protocol = _template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.PROTOCOL).Value[0];
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.FIRST_SWITCHED))
{
_netflow.Start_timestamp = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.FIRST_SWITCHED).Value.ToArray().Reverse().ToArray(), 0);
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.LAST_SWITCHED))
{
_netflow.Stop_timestamp = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.LAST_SWITCHED).Value.ToArray().Reverse().ToArray(), 0);
}
_netflow.Timestamp = DateTime.UtcNow;
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IN_PKTS))
{
_netflow.Packets = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IN_PKTS).Value.ToArray().Reverse().ToArray(), 0);
}
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IN_BYTES))
{
_netflow.Kbyte = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v9.FieldType.IN_BYTES).Value.ToArray().Reverse().ToArray(), 0);
}
_netflow.Id = Guid.NewGuid().ToString().Replace("-", "");
if (debug_netflow)
{
Console.WriteLine(String.Format("Received {0}v netflow packet: {1}", common._version, JsonConvert.SerializeObject(_netflow)));
}
}
}
}
}
else if (common._version == 10)
{
if (_bytes.Count() > 16)
{
V10Packet packet = new V10Packet(_bytes, _templates_v10);
Modules.Netflow.v10.FlowSet _flowset = packet.FlowSet.FirstOrDefault(x => x.Template.Count() != 0);
if (_flowset != null)
{
foreach (Modules.Netflow.v10.Template _template in _flowset.Template.Where(x => x.Field.Any(y => y.Type == "sourceTransportPort" && y.Value.Count > 0)))
{
NetworkFlow _netflow = new NetworkFlow
{
Id = Guid.NewGuid().ToString().Replace("-", ""),
Source_port = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.sourceTransportPort).Value.ToArray().Reverse().ToArray(), 0),
Target_port = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.destinationTransportPort).Value.ToArray().Reverse().ToArray(), 0),
Protocol = _template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.protocolIdentifier).Value[0],
Start_timestamp = (long)BitConverter.ToUInt64(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.flowStartMilliseconds).Value.ToArray().Reverse().ToArray(), 0),
Stop_timestamp = (long)BitConverter.ToUInt64(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.flowEndMilliseconds).Value.ToArray().Reverse().ToArray(), 0),
Timestamp = DateTime.UtcNow,
Packets = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.packetDeltaCount).Value.ToArray().Reverse().ToArray(), 0),
Kbyte = BitConverter.ToUInt16(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.octetDeltaCount).Value.ToArray().Reverse().ToArray(), 0)
};
if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.sourceIPv4Address))
{
_netflow.Source_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.sourceIPv4Address).Value.ToArray()).ToString();
_netflow.Target_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.destinationIPv4Address).Value.ToArray()).ToString();
}
else if (_template.Field.Exists(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.sourceIPv6Address))
{
_netflow.Source_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.sourceIPv6Address).Value.ToArray()).ToString();
_netflow.Target_address = new IPAddress(_template.Field.FirstOrDefault(x => x.GetTypes() == (ushort)Modules.Netflow.v10.FieldType.destinationIPv6Address).Value.ToArray()).ToString();
}
if (debug_netflow)
{
Console.WriteLine(String.Format("Received {0}v netflow packet: {1}", common._version, JsonConvert.SerializeObject(_netflow), Formatting.Indented));
}
}
}
else
{
Console.WriteLine(String.Format("Template not known for this flow yet: {0}", packet.FlowSet.First().ID));
}
}
}
}
}
catch (Exception ex)
{
Console.WriteLine(String.Format("Fatal Error {0}", ex.Message));
}
}
public static DateTime UnixTimeStampToDateTime(double unixTimeStamp)
{
// Unix timestamp is seconds past epoch
System.DateTime dtDateTime = new DateTime(1970, 1, 1, 0, 0, 0, 0, System.DateTimeKind.Utc);
dtDateTime = dtDateTime.AddSeconds(unixTimeStamp).ToLocalTime();
return dtDateTime;
}
}
}