sflow_parser/parsers/
datagram.rs

1//! Datagram and sample parsing
2//!
3//! This module contains top-level parsing functions for sFlow datagrams and samples.
4
5use super::error::{ParseError, Result};
6use super::Parser;
7use crate::models::*;
8use std::io::{self, Cursor, Read};
9
10impl<R: Read> Parser<R> {
11    /// Parse a compact flow sample
12    pub(super) fn parse_flow_sample(&mut self) -> Result<FlowSample> {
13        let sequence_number = self.read_u32()?;
14        let source_id = self.parse_data_source()?;
15        let sampling_rate = self.read_u32()?;
16        let sample_pool = self.read_u32()?;
17        let drops = self.read_u32()?;
18        let input = self.parse_interface()?;
19        let output = self.parse_interface()?;
20
21        // Parse flow records array
22        let num_records = self.read_u32()?;
23        // Limit capacity to prevent OOM attacks - allocate conservatively
24        let capacity = num_records.min(1024) as usize;
25        let mut flow_records = Vec::with_capacity(capacity);
26        for _ in 0..num_records {
27            flow_records.push(self.parse_flow_record()?);
28        }
29
30        Ok(FlowSample {
31            sequence_number,
32            source_id,
33            sampling_rate,
34            sample_pool,
35            drops,
36            input,
37            output,
38            flow_records,
39        })
40    }
41
42    /// Parse a compact counter sample
43    pub(super) fn parse_counters_sample(&mut self) -> Result<CountersSample> {
44        let sequence_number = self.read_u32()?;
45        let source_id = self.parse_data_source()?;
46
47        // Parse counter records array
48        let num_records = self.read_u32()?;
49        // Limit capacity to prevent OOM attacks - allocate conservatively
50        let capacity = num_records.min(1024) as usize;
51        let mut counters = Vec::with_capacity(capacity);
52        for _ in 0..num_records {
53            counters.push(self.parse_counter_record()?);
54        }
55
56        Ok(CountersSample {
57            sequence_number,
58            source_id,
59            counters,
60        })
61    }
62
63    /// Parse an expanded flow sample
64    pub(super) fn parse_flow_sample_expanded(&mut self) -> Result<FlowSampleExpanded> {
65        let sequence_number = self.read_u32()?;
66        let source_id = self.parse_data_source_expanded()?;
67        let sampling_rate = self.read_u32()?;
68        let sample_pool = self.read_u32()?;
69        let drops = self.read_u32()?;
70        let input = self.parse_interface_expanded()?;
71        let output = self.parse_interface_expanded()?;
72
73        // Parse flow records array
74        let num_records = self.read_u32()?;
75        // Limit capacity to prevent OOM attacks - allocate conservatively
76        let capacity = num_records.min(1024) as usize;
77        let mut flow_records = Vec::with_capacity(capacity);
78        for _ in 0..num_records {
79            flow_records.push(self.parse_flow_record()?);
80        }
81
82        Ok(FlowSampleExpanded {
83            sequence_number,
84            source_id,
85            sampling_rate,
86            sample_pool,
87            drops,
88            input,
89            output,
90            flow_records,
91        })
92    }
93
94    /// Parse an expanded counter sample
95    pub(super) fn parse_counters_sample_expanded(&mut self) -> Result<CountersSampleExpanded> {
96        let sequence_number = self.read_u32()?;
97        let source_id = self.parse_data_source_expanded()?;
98
99        // Parse counter records array
100        let num_records = self.read_u32()?;
101        // Limit capacity to prevent OOM attacks - allocate conservatively
102        let capacity = num_records.min(1024) as usize;
103        let mut counters = Vec::with_capacity(capacity);
104        for _ in 0..num_records {
105            counters.push(self.parse_counter_record()?);
106        }
107
108        Ok(CountersSampleExpanded {
109            sequence_number,
110            source_id,
111            counters,
112        })
113    }
114
115    /// Parse a discarded packet sample
116    pub(super) fn parse_discarded_packet(&mut self) -> Result<DiscardedPacket> {
117        let sequence_number = self.read_u32()?;
118        let source_id = self.parse_data_source_expanded()?;
119        let drops = self.read_u32()?;
120        let input_ifindex = self.read_u32()?;
121        let output_ifindex = self.read_u32()?;
122
123        // Parse drop reason
124        let reason_value = self.read_u32()?;
125        let reason = crate::models::record_flows::DropReason::from_u32(reason_value)
126            .unwrap_or(crate::models::record_flows::DropReason::Unknown);
127
128        // Parse flow records array
129        let num_records = self.read_u32()?;
130        // Limit capacity to prevent OOM attacks - allocate conservatively
131        let capacity = num_records.min(1024) as usize;
132        let mut flow_records = Vec::with_capacity(capacity);
133        for _ in 0..num_records {
134            flow_records.push(self.parse_flow_record()?);
135        }
136
137        Ok(DiscardedPacket {
138            sequence_number,
139            source_id,
140            drops,
141            input_ifindex,
142            output_ifindex,
143            reason,
144            flow_records,
145        })
146    }
147
148    /// Parse sample data based on format
149    fn parse_sample_data(&mut self, format: DataFormat, data: Vec<u8>) -> Result<SampleData> {
150        let mut cursor = Cursor::new(data.clone());
151        let mut parser = Parser::new(&mut cursor);
152
153        // Standard sFlow formats (enterprise = 0)
154        if format.enterprise() == 0 {
155            match format.format() {
156                1 => {
157                    let sample = parser.parse_flow_sample()?;
158                    Ok(SampleData::FlowSample(sample))
159                }
160                2 => {
161                    let sample = parser.parse_counters_sample()?;
162                    Ok(SampleData::CountersSample(sample))
163                }
164                3 => {
165                    let sample = parser.parse_flow_sample_expanded()?;
166                    Ok(SampleData::FlowSampleExpanded(sample))
167                }
168                4 => {
169                    let sample = parser.parse_counters_sample_expanded()?;
170                    Ok(SampleData::CountersSampleExpanded(sample))
171                }
172                5 => {
173                    let sample = parser.parse_discarded_packet()?;
174                    Ok(SampleData::DiscardedPacket(sample))
175                }
176                _ => Ok(SampleData::Unknown { format, data }),
177            }
178        } else {
179            // Vendor-specific format
180            Ok(SampleData::Unknown { format, data })
181        }
182    }
183
184    /// Parse a sample record
185    fn parse_sample_record(&mut self) -> Result<SampleRecord> {
186        let sample_type = self.parse_data_format()?;
187        let sample_data_raw = self.read_opaque()?;
188        let sample_data = self.parse_sample_data(sample_type, sample_data_raw)?;
189
190        Ok(SampleRecord {
191            sample_type,
192            sample_data,
193        })
194    }
195
196    /// Parse an sFlow v5 datagram
197    pub fn parse_datagram(&mut self) -> Result<SFlowDatagram> {
198        // Parse version
199        let version = self.read_u32()?;
200        if version != 5 {
201            return Err(ParseError::InvalidData(format!(
202                "Invalid version: expected 5, got {}",
203                version
204            )));
205        }
206
207        // Parse agent address
208        let agent_address = self.parse_address()?;
209
210        // Parse sub-agent ID
211        let sub_agent_id = self.read_u32()?;
212
213        // Parse sequence number
214        let sequence_number = self.read_u32()?;
215
216        // Parse uptime
217        let uptime = self.read_u32()?;
218
219        // Parse samples array
220        let num_samples = self.read_u32()?;
221        // Limit capacity to prevent OOM attacks - allocate conservatively
222        let capacity = num_samples.min(1024) as usize;
223        let mut samples = Vec::with_capacity(capacity);
224        for _ in 0..num_samples {
225            samples.push(self.parse_sample_record()?);
226        }
227
228        Ok(SFlowDatagram {
229            version: DatagramVersion::Version5,
230            agent_address,
231            sub_agent_id,
232            sequence_number,
233            uptime,
234            samples,
235        })
236    }
237}
238
239/// Parse an sFlow v5 datagram from a byte slice
240pub fn parse_datagram(data: &[u8]) -> Result<SFlowDatagram> {
241    let mut parser = Parser::new(Cursor::new(data));
242    parser.parse_datagram()
243}
244
245/// Parse multiple sFlow v5 datagrams from a byte slice
246/// This is useful when multiple datagrams are concatenated (like in our test file)
247pub fn parse_datagrams(data: &[u8]) -> Result<Vec<SFlowDatagram>> {
248    let mut datagrams = Vec::new();
249    let mut cursor = Cursor::new(data);
250
251    loop {
252        let pos = cursor.position();
253        if pos >= data.len() as u64 {
254            break;
255        }
256
257        match Parser::new(&mut cursor).parse_datagram() {
258            Ok(datagram) => datagrams.push(datagram),
259            Err(ParseError::Io(e)) if e.kind() == io::ErrorKind::UnexpectedEof => {
260                // End of data
261                break;
262            }
263            Err(e) => return Err(e),
264        }
265    }
266
267    Ok(datagrams)
268}
sflow_parser/parsers/datagram.rs

sflow_parser/parsers/
datagram.rs
