From 07d17e30ed0c2adfb8d27195115235af806387fd Mon Sep 17 00:00:00 2001
From: Peter Haag
Date: Mon, 23 Dec 2024 15:34:21 +0100
Subject: [PATCH] Wire ipfix tags 150/151 - seconds accuracy first/last seen timestamps. #585
---
 src/netflow/ipfix.c | 8 ++++++++
 src/netflow/netflow_v9.c | 7 +++++++
 src/netflow/netflow_v9.h | 2 ++
 src/nfcapd/nfcapd.c | 2 +-
 4 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/netflow/ipfix.c b/src/netflow/ipfix.c
index 48878d40..1b317a0a 100755
--- a/src/netflow/ipfix.c
+++ b/src/netflow/ipfix.c
@@ -64,6 +64,8 @@ enum {
 STACK_ICMPCODE,
 STACK_DSTPORT,
 STACK_SAMPLER,
+ STACK_SECFIRST,
+ STACK_SECLAST,
 STACK_MSECFIRST,
 STACK_MSECLAST,
 STACK_DURATION,
@@ -155,6 +157,8 @@ static const struct ipfixTranslationMap_s {
 {IPFIX_bgpSourceAsNumber, SIZEsrcAS, NumberCopy, EXasRoutingID, OFFsrcAS, STACK_NONE, "src AS"},
 {IPFIX_bgpDestinationAsNumber, SIZEdstAS, NumberCopy, EXasRoutingID, OFFdstAS, STACK_NONE, "dst AS"},
 {IPFIX_bgpNextHopIPv4Address, SIZEbgp4NextIP, NumberCopy, EXbgpNextHopV4ID, OFFbgp4NextIP, STACK_NONE, "IPv4 bgp next hop"},
+ {IPFIX_flowStartSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECLAST, "sec first seen"},
+ {IPFIX_flowEndSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECFIRST, "sec last seen"},
 {IPFIX_flowEndSysUpTime, Stack_ONLY, NumberCopy, EXnull, 0, STACK_MSECLAST, "msec last SysupTime"},
 {IPFIX_flowStartSysUpTime, Stack_ONLY, NumberCopy, EXnull, 0, STACK_MSECFIRST, "msec first SysupTime"},
 {IPFIX_SystemInitTimeMiliseconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SYSUPTIME, "SysupTime msec"},
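Review bot: The two rows added to ipfixTranslationMap_s are cross-wired: `IPFIX_flowStartSeconds` ("sec first seen") is stored in `STACK_SECLAST` and `IPFIX_flowEndSeconds` ("sec last seen") in `STACK_SECFIRST`, so the new branch in Process_ipfix_data writes the flow end time into msecFirst and the start time into msecLast. The rows should read `{IPFIX_flowStartSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECFIRST, "sec first seen"},` and `{IPFIX_flowEndSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECLAST, "sec last seen"},`. The same swap is present in the `NF_F_flowStartSeconds` / `NF_F_flowEndSeconds` rows added to v9TranslationMap_s in netflow_v9.c. Inverted first/last values also feed the `fs->msecFirst` comparison that follows, so the stored flow timeline becomes unreliable for later investigation.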
@@ -1446,6 +1450,10 @@ static void Process_ipfix_data(exporterDomain_t *exporter, uint32_t ExportTime,
 dbg_printf("Calculate first/last from option SysUpTime\n");
 genericFlow->msecFirst = exporter->SysUpTime + stack[STACK_MSECFIRST];
 genericFlow->msecLast = exporter->SysUpTime + stack[STACK_MSECLAST];
+ } else if (stack[STACK_SECFIRST]) {
+ dbg_printf("first/last sec abs.\n");
+ genericFlow->msecFirst = stack[STACK_SECFIRST] * (uint64_t)1000;
+ genericFlow->msecLast = stack[STACK_SECLAST] * (uint64_t)1000;
 }
 if (genericFlow->msecFirst < fs->msecFirst) fs->msecFirst = genericFlow->msecFirst;
diff --git a/src/netflow/netflow_v9.c b/src/netflow/netflow_v9.c
index 555253e6..253d5108 100755
--- a/src/netflow/netflow_v9.c
+++ b/src/netflow/netflow_v9.c
@@ -70,6 +70,8 @@ enum {
 STACK_MSECFIRST,
 STACK_MSECLAST,
 STACK_SAMPLER,
+ STACK_SECFIRST,
+ STACK_SECLAST,
 STACK_MSEC,
 STACK_SYSUPTIME,
 STACK_CLIENT_USEC,
@@ -160,6 +162,8 @@ static const struct v9TranslationMap_s {
 {NF9_BGP_V4_NEXT_HOP, SIZEbgp4NextIP, NumberCopy, EXbgpNextHopV4ID, OFFbgp4NextIP, STACK_NONE, "IPv4 bgp next hop"},
 {NF9_LAST_SWITCHED, Stack_ONLY, NumberCopy, EXgenericFlowID, OFFmsecLast, STACK_MSECLAST, "msec last SysupTime"},
 {NF9_FIRST_SWITCHED, Stack_ONLY, NumberCopy, EXgenericFlowID, OFFmsecFirst, STACK_MSECFIRST, "msec first SysupTime"},
+ {NF_F_flowStartSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECLAST, "sec first seen"},
+ {NF_F_flowEndSeconds, Stack_ONLY, NumberCopy, EXnull, 0, STACK_SECFIRST, "sec last seen"},
 {NF9_OUT_BYTES, SIZEoutBytes, NumberCopy, EXcntFlowID, OFFoutBytes, STACK_NONE, "output bytes delta counter"},
 {NF9_OUT_PKTS, SIZEoutPackets, NumberCopy, EXcntFlowID, OFFoutPackets, STACK_NONE, "output packet delta counter"},
 {NF9_IPV6_SRC_ADDR, SIZEsrc6Addr, NumberCopy, EXipv6FlowID, OFFsrc6Addr, STACK_NONE, "IPv6 src addr"},
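Review bot: The new `else if (stack[STACK_SECFIRST])` branch in Process_ipfix_data tests only one of the two slots and then copies both, so a record carrying just one of elements 150/151 gets the other timestamp from whatever the slot holds. That is zero, or possibly a value left over from an earlier record if stack[] is not cleared per record, which this hunk does not show. Both values are exporter-supplied, so the guard should require the pair, `} else if (stack[STACK_SECFIRST] && stack[STACK_SECLAST]) {`, and ideally skip or log records where last is earlier than first. The same branch is added to Process_v9_data in netflow_v9.c and needs the same guard. Both function bodies start and end outside their hunks.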
@@ -1193,6 +1197,9 @@ static inline void Process_v9_data(exporterDomain_t *exporter, void *data_flowse
 // end time in msecs
 genericFlow->msecLast = (uint64_t)Last + exporter->boot_time;
+ } else if (stack[STACK_SECFIRST]) {
+ genericFlow->msecFirst = stack[STACK_SECFIRST] * (uint64_t)1000;
+ genericFlow->msecLast = stack[STACK_SECLAST] * (uint64_t)1000;
 }
 if (genericFlow->msecFirst < fs->msecFirst) fs->msecFirst = genericFlow->msecFirst;
diff --git a/src/netflow/netflow_v9.h b/src/netflow/netflow_v9.h
index f006af8f..a0132fa4 100644
--- a/src/netflow/netflow_v9.h
+++ b/src/netflow/netflow_v9.h
@@ -226,6 +226,8 @@ typedef struct common_header_s {
 // IPFIX elements in v9 ( # > 127 )
 #define NF_F_BGP_ADJ_NEXT_AS 128
 #define NF_F_BGP_ADJ_PREV_AS 129
+#define NF_F_flowStartSeconds 150
+#define NF_F_flowEndSeconds 151
 #define NF_F_flowEndReason 136
 #define NF_F_dot1qVlanId 243
 #define NF_F_postDot1qVlanId 254
diff --git a/src/nfcapd/nfcapd.c b/src/nfcapd/nfcapd.c
index 8bcf69c7..fc43c815 100644
--- a/src/nfcapd/nfcapd.c
+++ b/src/nfcapd/nfcapd.c
@@ -450,7 +450,7 @@ static void run(packet_function_t receive_packet, int socket, int pfd, int rfd,
 break;
 default:
 // data error, while reading data from socket
- LogError("Ident: %s, Error reading netflow header: Unexpected netflow version %i", fs->Ident, version);
+ LogError("Ident: %s, Error packet %llu: reading netflow header: Unexpected netflow version %i", fs->Ident, packets, version);
 fs->bad_packets++;
 continue;
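Review bot: The `%llu` added to the LogError call in run() requires an `unsigned long long` argument, but the declaration of `packets` is outside this hunk. If it is a `uint64_t` or a narrower counter, the conversion does not match the argument, and the following `%i` for `version` may then read the wrong value too. Make the type explicit at the call site, `(unsigned long long)packets`, or use `PRIu64` from `<inttypes.h>` if the counter is a `uint64_t`.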