flowparser-sflow 0.3.0

Parser for sFlow v5 datagrams
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159

pub mod counter_sample;
pub mod discarded_packet;
pub mod flow_sample;

use nom::number::complete::be_u32;
use serde::{Deserialize, Serialize};

use crate::error::{ParseContext, ParseErrorKind, SflowError};
pub use counter_sample::{CounterSample, ExpandedCounterSample};
pub use discarded_packet::DiscardedPacket;
pub use flow_sample::{ExpandedFlowSample, FlowSample};

/// An sFlow sample carried within a datagram.
///
/// Each datagram can contain a mix of flow samples (packet-level data)
/// and counter samples (interface statistics). Expanded variants use
/// separate fields for source ID type and index instead of a packed u32.
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub enum SflowSample {
    /// Standard flow sample (enterprise=0, format=1).
    Flow(FlowSample),
    /// Standard counter sample (enterprise=0, format=2).
    Counter(CounterSample),
    /// Expanded flow sample with unpacked source ID (enterprise=0, format=3).
    ExpandedFlow(ExpandedFlowSample),
    /// Expanded counter sample with unpacked source ID (enterprise=0, format=4).
    ExpandedCounter(ExpandedCounterSample),
    /// Discarded packet notification (enterprise=0, format=5).
    DiscardedPacket(DiscardedPacket),
    /// Unrecognized sample type, preserved as raw bytes.
    Unknown {
        /// Enterprise code from the sample header.
        enterprise: u32,
        /// Format code from the sample header.
        format: u32,
        /// Raw sample data.
        data: Vec<u8>,
    },
}

pub(crate) fn parse_samples(
    mut input: &[u8],
    num_samples: u32,
) -> Result<(&[u8], Vec<SflowSample>), SflowError> {
    // Cap capacity to prevent DoS: each sample needs at least 8 bytes (format + length)
    let cap = (num_samples as usize).min(input.len() / 8);
    let mut samples = Vec::with_capacity(cap);

    for _ in 0..num_samples {
        let (rest, data_format) =
            be_u32(input).map_err(|_: nom::Err<nom::error::Error<&[u8]>>| {
                SflowError::Incomplete {
                    available: input.len(),
                    expected: None,
                    context: ParseContext::SampleDataFormat,
                }
            })?;

        let enterprise = data_format >> 12;
        let format = data_format & 0xFFF;

        let (rest, sample_length) =
            be_u32(rest).map_err(|_: nom::Err<nom::error::Error<&[u8]>>| {
                SflowError::Incomplete {
                    available: rest.len(),
                    expected: None,
                    context: ParseContext::SampleLength,
                }
            })?;

        let sample_length = sample_length as usize;
        if rest.len() < sample_length {
            return Err(SflowError::Incomplete {
                available: rest.len(),
                expected: Some(sample_length),
                context: ParseContext::SampleData,
            });
        }

        let sample_data = &rest[..sample_length];
        let after_sample = &rest[sample_length..];

        let sample = if enterprise == 0 {
            match format {
                1 => {
                    let (_, fs) = flow_sample::parse_flow_sample(sample_data).map_err(|e| {
                        SflowError::ParseError {
                            offset: 0,
                            context: ParseContext::FlowSample,
                            kind: nom_err_to_kind(&e),
                        }
                    })?;
                    SflowSample::Flow(fs)
                }
                2 => {
                    let (_, cs) =
                        counter_sample::parse_counter_sample(sample_data).map_err(|e| {
                            SflowError::ParseError {
                                offset: 0,
                                context: ParseContext::CounterSample,
                                kind: nom_err_to_kind(&e),
                            }
                        })?;
                    SflowSample::Counter(cs)
                }
                3 => {
                    let (_, efs) = flow_sample::parse_expanded_flow_sample(sample_data)
                        .map_err(|e| SflowError::ParseError {
                            offset: 0,
                            context: ParseContext::ExpandedFlowSample,
                            kind: nom_err_to_kind(&e),
                        })?;
                    SflowSample::ExpandedFlow(efs)
                }
                4 => {
                    let (_, ecs) = counter_sample::parse_expanded_counter_sample(sample_data)
                        .map_err(|e| SflowError::ParseError {
                        offset: 0,
                        context: ParseContext::ExpandedCounterSample,
                        kind: nom_err_to_kind(&e),
                    })?;
                    SflowSample::ExpandedCounter(ecs)
                }
                5 => {
                    let (_, dp) = discarded_packet::parse_discarded_packet(sample_data)
                        .map_err(|e| SflowError::ParseError {
                            offset: 0,
                            context: ParseContext::DiscardedPacket,
                            kind: nom_err_to_kind(&e),
                        })?;
                    SflowSample::DiscardedPacket(dp)
                }
                _ => SflowSample::Unknown {
                    enterprise,
                    format,
                    data: sample_data.to_vec(),
                },
            }
        } else {
            SflowSample::Unknown {
                enterprise,
                format,
                data: sample_data.to_vec(),
            }
        };

        samples.push(sample);
        input = after_sample;
    }

    Ok((input, samples))
}

fn nom_err_to_kind(e: &nom::Err<nom::error::Error<&[u8]>>) -> ParseErrorKind {
    match e {
        nom::Err::Error(e) | nom::Err::Failure(e) => ParseErrorKind::NomError(e.code),
        nom::Err::Incomplete(_) => ParseErrorKind::NomError(nom::error::ErrorKind::Complete),
    }
}