<?php
/**************************
nfdump output parser script
Usage: nfcapd -l ... -D -x '/path_to_php/php /path_to_script/all_traf_stats.php %d/%f'
The script accumulates data into the array $stats:
(
    [dst_cnt] => Array
        (
            [ip] => hits
        )
    [src_cnt] => Array
        (
            [ip] => hits
        )
    [dst_traf] => Array
        (
            [ip] => octets (bytes)
        )
    [src_traf] => Array
        (
            [ip] => octets (bytes)
        )
    [proto] => Array
        (
            [proto:port] => bytes
        )
)

(c) Ross Vladislav, 2011
vladislav.ross@gmail.com
***************************/

  33. /*  Settings    */
  34. define('STATFILE', 'stats.dat'); //Stats file name
  35. define('LOGFILE', 'all_traf_stats.log'); //Logfile name
  36.  
  37. //Local networks, "address/mask" format
  38. $localnets = array(
  39.     '192.168.0.0/255.255.255.0',
  40.     '192.168.4.0/255.255.254.0',
  41. );
  42.  
  43. //Do not gather statistics for these ports:
  44. $skipPorts = array(80, 21);
  45.  
  46.  
  47. error_reporting(E_ALL ^ E_NOTICE);
  48. chdir(dirname(__FILE__));
  49.  
  50. if(!isset($argv[1]) || !file_exists($argv[1])) exit(1);
  51. else $file = $argv[1];
  52.  
  53. if(@$_SERVER['REMOTE_ADDR']) exit;
  54.  
  55. $try = 0;
  56. while($try < 5 && !file_exists($file))
  57. {
  58.     $try++;
  59.     sleep(2);
  60. }
  61.  
  62. if($try == 5)
  63. {
  64.     file_put_contents(LOGFILE, date('d.m.Y H:i:s'). " " . $file . " not exists!\r\n", FILE_APPEND);
  65.     exit(1);
  66. }
  67.  
  68. file_put_contents(LOGFILE, date('d.m.Y H:i:s'). " " . $file . " started...\r\n", FILE_APPEND);
  69.    
  70. $prefixes = array(
  71.     '1048576' => 'M',
  72.     '1073741824' => 'G',
  73.     '1099511627776' => 'T'
  74. );
  75.    
  76. function is_local($ip)
  77. {
  78.     global $localnets;
  79.     list(, $ip) = unpack('l',pack('l', ip2long($ip)));
  80.     foreach($localnets as $localnet)
  81.     {
  82.         if($ip >= $localnet['start'] && $ip <= $localnet['end']) return true;
  83.     }
  84.     return false;
  85. }
  86.  
  87. foreach($localnets as $k => $net)
  88. {
  89.    
  90.     list($addr, $mask) = explode('/', $net);
  91.     list(, $addr) = unpack('l',pack('l', ip2long($addr)));
  92.     list(, $mask) = unpack('l',pack('l', ip2long($mask)));
  93.     $start = ($addr & $mask) + 1;
  94.     $end = $start + (~ $mask) - 1;
  95.     $localnets[$k] = array('start' => $start, 'end' => $end);
  96. }
  97.  
  98.  
  99. $traf_size = array();
  100. $traf_connections = array();
  101.  
  102. touch(STATFILE);
  103. $stats = unserialize(file_get_contents(STATFILE));
  104.  
  105. file_put_contents(LOGFILE, date('d.m.Y H:i:s'). " Executing nfdump\r\n", FILE_APPEND);
  106.  
  107. $fp = popen("nfdump -r $file -q", 'r');
  108. while(($row = fgets($fp)) !== false)
  109. {
  110.     $row = preg_split("/[\s]+/", $row);
  111.     $rc = count($row);
  112.     if($rc != 11 && $rc != 12)
  113.     {
  114.         file_put_contents(LOGFILE, date('d.m.Y H:i:s'). " Wrong nfdump output format!\r\n", FILE_APPEND);
  115.         print_r($row);
  116.         pclose($fp);
  117.         die("Wrong nfdump output format!\r\n");
  118.     }
  119.    
  120.     list($src_ip, $src_port) = explode(':', $row[3]);
  121.     list($dst_ip, $dst_port) = explode(':', $row[6]);
  122.    
  123.     if(is_local($src_ip) != is_local($dst_ip))
  124.     {
  125.         if(is_local($src_ip))
  126.         {
  127.             $local_ip = $src_ip;
  128.             $ext_ip = $dst_ip;
  129.             $port = $dst_port;
  130.         }
  131.         else
  132.         {
  133.             $local_ip = $dst_ip;
  134.             $ext_ip = $src_ip; 
  135.             $port = $src_port;         
  136.         }
  137.        
  138.            
  139.         $prefix_value = in_array($row[10], $prefixes);
  140.         if($prefix_value !== FALSE) $bytes = $prefix_value * $row[9];
  141.         else $bytes = $row[9];
  142.        
  143.         if(in_array($port, $skipPorts) === FALSE)
  144.         {
  145.             $traf_size[$local_ip] += $bytes;
  146.             $traf_connections[$local_ip]++;
  147.         }
  148.         $proto = strtolower($row[2]);
  149.        
  150.         $stats['dst_cnt'][$dst_ip]++;
  151.         $stats['src_cnt'][$src_ip]++;
  152.        
  153.         if($bytes > 0)
  154.         {
  155.             $stats['dst_traf'][$dst_ip] += $bytes;     
  156.             $stats['src_traf'][$src_ip] += $bytes;
  157.             if($proto == 'udp' || $proto == 'tcp') $stats['proto'][$proto . ":" . $dst_port] += $bytes;
  158.             else $stats['proto'][$proto] += $bytes;
  159.         }  
  160.        
  161.     }  
  162. }
  163.  
  164. pclose($fp);

/***** uncomment this block if you want to use nfdump with squid+sams *********
if(!mysql_connect("localhost", "sams", "password")) exit(1);
if(!mysql_select_db("squidctrl")) exit(1);
foreach($traf_size as $ip => $traf)
{
    if($traf > 0)
    {
        mysql_query("UPDATE `squidctrl`.`squidusers` SET size=size+$traf, hit=hit+{$traf_connections[$ip]} WHERE `ip`='$ip' LIMIT 1");
        $mar += mysql_affected_rows();
        $sum += $traf;
    }
}
*******************************************************************************/

  180. file_put_contents(STATFILE, serialize($stats));
  181. file_put_contents(LOGFILE, date('d.m.Y H:i:s'). " " . $file . "finished! \r\n", FILE_APPEND);
  182. ?>