From 7ecbffbccc8a91a084bca69cbd68246cff25c2d5 Mon Sep 17 00:00:00 2001
From: Junzy <523909343@qq.com>
Date: Thu, 10 Oct 2024 14:06:57 +0800
Subject: [PATCH] add hw_binary
---
 src/nat_format.cpp | 287 ++++++++++++++++++++++++++++++++++++++++-----
 src/nat_format.h | 90 ++++++++++++--
 2 files changed, 337 insertions(+), 40 deletions(-)
diff --git a/src/nat_format.cpp b/src/nat_format.cpp
index ecec192..72f99a5 100644
--- a/src/nat_format.cpp
+++ b/src/nat_format.cpp
@@ -21,10 +21,25 @@
 #define HW_EVENT_ADD "SESSION_BUILT"
 #define HW_EVENT_DEL "SESSION_TEARDOWN"
+#define HW_EVENT_NEW 0x01
+#define HW_EVENT_AGED 0x02
+#define HW_EVENT_PERIOD 0x03
+
+#define HS_EVENT_ADD "Session created"
+#define HS_EVENT_DEL_1 "Normal over"
+#define HS_EVENT_DEL_2 "Aged for timeout"
+#define HS_EVENT_DEL_3 "Active data flow timeout"
+#define HS_EVENT_DEL_4 "Aged for reset or config-change"
+#define HS_EVENT_DEL_5 "Other"
+
 #define FORMAT_LOG_PROTOCOL_ICMP 0x01
 #define FORMAT_LOG_PROTOCOL_TCP 0x06
 #define FORMAT_LOG_PROTOCOL_UDP 0x17
+#define HW_BINARY_PROT_ICMP 1
+#define HW_BINARY_PROT_TCP 6
+#define HW_BINARY_PROT_UDP 17
+
 struct nat_format_global_info g_nat_format_info;
 char *multicast_payload;
@@ -74,7 +89,7 @@ int extract_time(char *data, int data_len, const char *key, unsigned int *dst) {
 return 0;
 }
 // 函数:从字符串中提取字符串并转为标识
-int extract_protocol(char *data, int data_len, const char *key, char *dst) {
+int extract_protocol_hw(char *data, int data_len, const char *key, char *dst) {
 int offset;
 char protocol_str[20];
 if ((offset = get_value_offset(data, data_len, key)) == -1) { return -1; }
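Review bot: `HW_BINARY_PROT_UDP 17` is introduced directly under the existing `FORMAT_LOG_PROTOCOL_UDP 0x17`, and the new binary path later in this patch maps the former onto the latter; 0x17 is decimal 23, not the IANA UDP number 17 (0x11), so if the multicast payload is meant to carry IANA protocol numbers every UDP session is being emitted as protocol 23. The three new HW_BINARY_PROT_* values are correct IANA numbers, which makes the mismatch easy to trip over. Worth confirming with the consumer of the payload before changing the existing constant; if 0x17 is intentional, a comment such as `// FORMAT_LOG_PROTOCOL_* are private output codes, not IANA protocol numbers` next to these defines would stop the next reader from "fixing" it.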
@@ -90,6 +105,57 @@ int extract_protocol(char *data, int data_len, const char *key, char *dst) {
 }
 return 0;
 }
+int extract_protocol_hs(char *data, int data_len, const char *key, char *dst) {
+ int offset;
+ char protocol_str[20];
+ if ((offset = get_value_offset(data, data_len, key)) == -1) { return -1; }
+ if (sscanf(data+offset, "%[^,]", protocol_str) != 1) { return -1; }
+ if (strcmp(protocol_str, "TCP") == 0) {
+ *dst = FORMAT_LOG_PROTOCOL_TCP;
+ } else if (strcmp(protocol_str, "UDP") == 0) {
+ *dst = FORMAT_LOG_PROTOCOL_UDP;
+ } else if (strcmp(protocol_str, "ICMP") == 0) {
+ *dst = FORMAT_LOG_PROTOCOL_ICMP;
+ } else {
+ return -1;
+ }
+ return 0;
+}
+// 函数:从字符串中提取字符串并转为标识
+int extract_action_hs(char *data, int data_len, const char *key, char *dst) {
+ int offset;
+ char action_str[50];
+ if ((offset = get_value_offset(data, data_len, key)) == -1) { return -1; }
+ if (sscanf(data+offset, "(%*d)%[^,]", action_str) != 1) { return -1; }
+ if (strcmp(action_str, HS_EVENT_ADD) == 0) {
+ *dst = FORMAT_LOG_ACTION_ADD;
+ } else if (strcmp(action_str, HS_EVENT_DEL_1) == 0 || strcmp(action_str, HS_EVENT_DEL_2) == 0 || strcmp(action_str, HS_EVENT_DEL_3) == 0 || strcmp(action_str, HS_EVENT_DEL_4) == 0 || strcmp(action_str, HS_EVENT_DEL_5) == 0) {
+ *dst = FORMAT_LOG_ACTION_DEL;
+ } else {
+ return -1;
+ }
+ return 0;
+}
+
+// 组播报文发送
+int send_multicast() {
+ // 发之前统一填充发送时间
+ time_t now;
+ time(&now);
+ unsigned int now_timestamp = (int)now;
+ for (int i = 0; i < g_nat_format_info.batch_size; i++) {
+ memcpy(multicast_payload + i*PAYLOAD_LEN+SEND_TIME_OFFSET, &now_timestamp, 4);
+ }
+ // 进行发送
+ if (sendto(udp_socket, multicast_payload, PAYLOAD_LEN*g_nat_format_info.batch_size, 0, (struct sockaddr *)&dst_addr, sizeof(dst_addr)) < 0) {
+ MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format", "Send multicast failed: %s", strerror(errno));
+ cur_pkt--;
+ return -1;
+ }
+
+ cur_pkt = 0;
+ return 0;
+}
 // 初始化函数
 int nat_format_init(void) {
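Review bot: Both new sscanf calls in extract_protocol_hs and extract_action_hs use an unbounded `%[^,]` conversion into fixed stack buffers (`protocol_str[20]`, `action_str[50]`), so a syslog datagram containing a long run of non-comma bytes overflows the stack with attacker-supplied data from the network. The H3C sample line quoted later in this patch (`Protocol(1001)=UDP;Application(1002)=dns;...Event(1048)=(2)Aged for timeout;`) contains no commas at all, so in the normal case the conversion runs to the end of the packet, overflowing the buffer and then failing every strcmp anyway. The field separator in that format is `;`, so the two lines should read `if (sscanf(data+offset, "%19[^;]", protocol_str) != 1) { return -1; }` and `if (sscanf(data+offset, "(%*d)%49[^;]", action_str) != 1) { return -1; }`. Whether udp_data is NUL-terminated before it reaches sscanf is not visible in this patch; if it is not, these calls can also read past the datagram even with a width, and a length-bounded copy into a local buffer would be the safer entry point.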
@@ -97,7 +163,7 @@ int nat_format_init(void) {
 MESA_load_profile_uint_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT", "magic_num", &g_nat_format_info.magic_num, 0x004e4154);
 MESA_load_profile_uint_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT", "version", &g_nat_format_info.version, 0x0200);
- MESA_load_profile_uint_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT_SEND", "batch_size", &g_nat_format_info.batch_size, 20);
+ MESA_load_profile_int_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT_SEND", "batch_size", &g_nat_format_info.batch_size, 20);
 MESA_load_profile_string_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT_SEND", "host_ip", g_nat_format_info.host_ip, 16, "127.0.0.1");
 MESA_load_profile_int_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT_SEND", "host_port", &g_nat_format_info.host_port, 5678);
 MESA_load_profile_string_def(NAT_FORMAT_CONFIG_FILE, "NAT_FORMAT_SEND", "multicast_ip", g_nat_format_info.multicast_ip, 16, "224.88.88.88");
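Review bot: batch_size is now a signed int read straight from the config file with no range check, and the consumers visible in this patch are the `cur_pkt == g_nat_format_info.batch_size` flush tests and the `PAYLOAD_LEN*batch_size` sendto length; a value of 0 or below means the batch never flushes and cur_pkt keeps advancing past whatever multicast_payload was sized for (its allocation is outside this hunk, so I assume it is derived from batch_size). Clamp immediately after the load, `if (g_nat_format_info.batch_size <= 0) { g_nat_format_info.batch_size = 20; }` (or fail init with a log line), and prefer `>=` over `==` at the flush sites so a single missed comparison cannot run the index off the end of the buffer.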
@@ -177,13 +243,14 @@ char nat_format_entry(struct streaminfo *a_udp, void **pme, int thread_seq, void
 int32_t udp_data_len = a_udp->pudpdetail->datalen;
 unsigned short udp_port = ntohs(a_udp->addr.tuple4_v4->dest);
- // 提取nat信息
+ // 相同的nat基础信息
 struct nat_payload nat_payload;
 nat_payload.magic_num = htonl(g_nat_format_info.magic_num);
 nat_payload.version = htons((unsigned short)g_nat_format_info.version);
 nat_payload.fw_ip = a_udp->addr.tuple4_v4->saddr; // 防火墙ip为源ip,本身为二进制格式
- // 根据数据来源的端口采取不同的处理策略
- // 华为syslog格式:防火墙日志生成时间需要转换为时间戳、动作字符串需要转换为序号、点分十进制格式ip需要转换为二进制
+
+ // 需要分别提取的nat信息 -- syslog格式每个报文只携带一条日志,二进制格式每个报文携带多条日志
+ // 华为syslog
 if (udp_port == g_nat_format_info.hw_syslog_port) {
 // <190>2024-01-25 01:41:37 JXNC_LTGC_Eudemon_A %%01SECLOG/6/SESSION_TEARDOWN(l):IPVer=4,Protocol=udp,SourceIP=10.119.25.34,DestinationIP=220.248.192.13,SourcePort=35040,DestinationPort=53,SourceNatIP=118.212.209.248,SourceNatPort=6438,BeginTime=1706147236,EndTime=1706147236,SourceVpnID=0,DestinationVpnID=0,SourceZone=pscenet,DestinationZone=untrust,PolicyName=---,CloseReason=aged-out.
 // sscanf(udp_data, "%*[^>]>%20[0-9: -]%*[^/]/%*[0-9]/%19[A-Z_]%*[^:]:IPVer=%*[^,],Protocol=%*[^,],SourceIP=%19[^,],DestinationIP=%19[^,],SourcePort=%hu,DestinationPort=%hu,SourceNatIP=%19[^,],SourceNatPort=%hu,BeginTime=%u,EndTime=%u", fw_log_time, action_str, src_intra_ip, dst_ip, &nat_payload.src_intra_port, &nat_payload.dst_port, src_extra_ip, &nat_payload.src_extra_port, &nat_payload.stream_start_timestamp, &nat_payload.stream_end_timestamp);
@@ -212,8 +279,8 @@ char nat_format_entry(struct streaminfo *a_udp, void **pme, int thread_seq, void
 return APP_STATE_GIVEME;
 }
- // 字段部分(按顺序排列):SourceIP、DestinationIP、SourcePort、DestinationPort、SourceNatIP、SourceNatPort、BeginTime、EndTime
- // 依次对应nat_payload的:src_intra_ip, dst_ip, src_intra_port, &dst_port, src_extra_ip, src_extra_port, stream_start_timestamp, stream_end_timestamp
+ // 字段部分(按顺序排列):SourceIP、DestinationIP、SourcePort、DestinationPort、SourceNatIP、SourceNatPort、BeginTime、EndTime、Protocol
+ // 依次对应nat_payload的:src_intra_ip, dst_ip, src_intra_port, &dst_port, src_extra_ip, src_extra_port, stream_start_timestamp, stream_end_timestamp, protocol
 if (extract_ip(udp_data, udp_data_len, "SourceIP", &nat_payload.src_intra_ip) < 0) {
 MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei syslog", "SourceIP Not Found");
@@ -255,33 +322,199 @@ char nat_format_entry(struct streaminfo *a_udp, void **pme, int thread_seq, void return APP_STATE_GIVEME; } - if (extract_protocol(udp_data, udp_data_len, "Protocol", &nat_payload.protocol) < 0) { + if (extract_protocol_hw(udp_data, udp_data_len, "Protocol", &nat_payload.protocol) < 0) { MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei syslog", "Protocol Not Found"); return APP_STATE_GIVEME; } - } else if (udp_port == g_nat_format_info.hw_binary_port) { - return APP_STATE_GIVEME; - } else if (udp_port == g_nat_format_info.h3_syslog_port) { - return APP_STATE_GIVEME; - } else if (udp_port == g_nat_format_info.h3_binary_port) { - return APP_STATE_GIVEME; - } else if (udp_port == g_nat_format_info.dp_syslog_port) { - return APP_STATE_GIVEME; - } else if (udp_port == g_nat_format_info.dp_binary_port) { + // 将提取出来的信息写进组播载荷 + memcpy(multicast_payload + cur_pkt*PAYLOAD_LEN, &nat_payload, PAYLOAD_LEN); + cur_pkt++; + + // 攒够20个进行发送 + if (cur_pkt == g_nat_format_info.batch_size) { + send_multicast(); + } + } + // 华三syslog + else if (udp_port == g_nat_format_info.h3_syslog_port) { + // <6> Jan 25 09:08:33 2024 JXNC_HJZ_N6FW_H3C9014_1 %%10session/6/SESSION_IPV4_FLOW: -Slot=12.1; Protocol(1001)=UDP;Application(1002)=dns;SrcIPAddr(1003)=10.128.168.99;SrcPort(1004)=39000;NatSrcIPAddr(1005)=113.194.224.20;NatSrcPort(1006)=17306;DstIPAddr(1007)=220.248.192.13;DstPort(1008)=53;NatDstIPAddr(1009)=220.248.192.13;NatDstPort(1010)=53;InitPktCount(1044)=0;InitByteCount(1046)=0;RplyPktCount(1045)=0;RplyByteCount(1047)=0;RcvVPNInstance(1042)=;SndVPNInstance(1043)=;RcvDSLiteTunnelPeer(1040)=;SndDSLiteTunnelPeer(1041)=;BeginTime_e(1013)=01252024090804;EndTime_e(1014)=01252024090834;Event(1048)=(2)Aged for timeout; + + // 字段前的部分:防火墙日志生成时间 + char fw_log_time_month[10]; + char fw_log_time_other[15]; + char fw_log_time[25]; + if (sscanf(udp_data, "%*[^>]> %s %15[0-9: ]", fw_log_time_month, fw_log_time_other) != 2) { + 
MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "NAT extraction fw_log_time or action_str failed"); + return APP_STATE_GIVEME; + } + sprintf(fw_log_time, "%s %s", fw_log_time_month, fw_log_time_other); + struct tm fw_time; + if (strptime(fw_log_time, "%b %d %H:%M:%S %Y ", &fw_time) == NULL) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "firewall log generation time extraction failed: %s", fw_log_time); + return APP_STATE_GIVEME; + } + nat_payload.fw_log_timestamp = (unsigned int)mktime(&fw_time); + + // 字段部分(按顺序排列):Protocol(1001)、SrcIPAddr(1003)、SrcPort(1004)、NatSrcIPAddr(1005)、NatSrcPort(1006)、DstIPAddr(1007)、DstPort(1008)、BeginTime_e(1013)、EndTime_e(1014)、Event(1048) + + if (extract_protocol_hs(udp_data, udp_data_len, "Protocol(1001)", &nat_payload.protocol) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "Protocol(1001) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_ip(udp_data, udp_data_len, "SrcIPAddr(1003)", &nat_payload.src_intra_ip) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "SrcIPAddr(1003) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_port(udp_data, udp_data_len, "SrcPort(1004)", &nat_payload.src_intra_port) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "SrcPort(1004) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_ip(udp_data, udp_data_len, "NatSrcIPAddr(1005)", &nat_payload.src_extra_ip) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "NatSrcIPAddr(1005) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_port(udp_data, udp_data_len, "NATSrcPort(1006)", &nat_payload.src_extra_port) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "NATSrcPort(1006) Not Found"); + return 
APP_STATE_GIVEME; + } + + if (extract_ip(udp_data, udp_data_len, "DstIPAddr(1007)", &nat_payload.dst_ip) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "DstIPAddr(1007) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_port(udp_data, udp_data_len, "DstPort(1008)", &nat_payload.dst_port) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "DstPort(1008) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_time(udp_data, udp_data_len, "BeginTime_e(1013)", &nat_payload.stream_start_timestamp) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei syslog", "BeginTime_e(1013) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_time(udp_data, udp_data_len, "EndTime_e(1014)", &nat_payload.stream_end_timestamp) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "EndTime_e(1014) Not Found"); + return APP_STATE_GIVEME; + } + + if (extract_action_hs(udp_data, udp_data_len, "Event(1048)", &nat_payload.action) < 0) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huasan syslog", "EndTime_e(1014) Not Found"); + return APP_STATE_GIVEME; + } + + // 将提取出来的信息写进组播载荷 + memcpy(multicast_payload + cur_pkt*PAYLOAD_LEN, &nat_payload, PAYLOAD_LEN); + cur_pkt++; + + // 攒够20个进行发送 + if (cur_pkt == g_nat_format_info.batch_size) { + send_multicast(); + } + } + // 迪普syslog TODO + else if (udp_port == g_nat_format_info.dp_syslog_port) { return APP_STATE_GIVEME; } - - // 将提取出来的信息写进组播载荷 - memcpy(multicast_payload + cur_pkt*PAYLOAD_LEN, &nat_payload, PAYLOAD_LEN); - cur_pkt++; - - // 攒够20个进行发送 - if (cur_pkt == 20) { - if (sendto(udp_socket, multicast_payload, PAYLOAD_LEN*g_nat_format_info.batch_size, 0, (struct sockaddr *)&dst_addr, sizeof(dst_addr)) < 0) { - MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei syslog", "Send multicast failed: 
%s", strerror(errno)); + // 华为二进制 + else if (udp_port == g_nat_format_info.hw_binary_port) { + // 从head提取必要信息 + struct hw_binary_log_head *hb_head = (struct hw_binary_log_head *)udp_data; + int body_len = 0; + int event_offset = 0; + if (hb_head->Version == HW_BINARY_VERSION_3) { + event_offset = HW_BINARY_BODY_V3_EVENT_OFFSET; + if (hb_head->LogType == HW_BINARY_TYPE_IPV4) { body_len = HW_BINARY_BODY_LENGTH_V3_IPV4; } + else { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Unknown LogType %d for Version 0x03", hb_head->LogType); + return APP_STATE_GIVEME; + } + } else if (hb_head->Version == HW_BINARY_VERSION_8) { + event_offset = HW_BINARY_BODY_V8_EVENT_OFFSET; + if (hb_head->LogType == HW_BINARY_TYPE_IPV4) { body_len = HW_BINARY_BODY_LENGTH_V8_IPV4; } + else if (hb_head->LogType == HW_BINARY_TYPE_NOPAT) { body_len = HW_BINARY_BODY_LENGTH_V8_NOPAT; } + else if (hb_head->LogType == HW_BINARY_TYPE_USER) { body_len = HW_BINARY_BODY_LENGTH_V8_USER; } + else if (hb_head->LogType != HW_BINARY_TYPE_URL || hb_head->LogType != HW_BINARY_TYPE_TLV) { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Unknown LogType %d for Version 0x08", hb_head->LogType); + return APP_STATE_GIVEME; + } + } else { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Unknown Version %d", hb_head->Version); + return APP_STATE_GIVEME; } - cur_pkt = 0; + u_int16_t log_num = hb_head->Count; + // 提取防火墙日志生成时间 + nat_payload.fw_log_timestamp = hb_head->Second; + // 分别处理每一个body + struct hw_binary_log_body *hb_body; + int offset = sizeof(struct hw_binary_log_head); + for (int i = 0; i < log_num; i++) { + // 提取字段 + hb_body = (struct hw_binary_log_body *)(udp_data + offset); + if (hb_body->Prot == HW_BINARY_PROT_ICMP) { + nat_payload.protocol = FORMAT_LOG_PROTOCOL_ICMP; + } else if (hb_body->Prot == HW_BINARY_PROT_TCP) { + nat_payload.protocol = FORMAT_LOG_PROTOCOL_TCP; + } else 
if (hb_body->Prot == HW_BINARY_PROT_UDP) { + nat_payload.protocol = FORMAT_LOG_PROTOCOL_UDP; + } else { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Prot %d Not Define", hb_body->Prot); + return APP_STATE_GIVEME; + } + nat_payload.src_intra_ip = hb_body->SourceIP; + nat_payload.src_extra_ip = hb_body->SrcNatIP; + nat_payload.dst_ip = hb_body->DestIP; + nat_payload.src_intra_port = hb_body->SrcPort; + nat_payload.src_extra_port = hb_body->SrcNatPort; + nat_payload.dst_port = hb_body->DestPort; + nat_payload.stream_start_timestamp = hb_body->StartTime; + nat_payload.stream_end_timestamp = hb_body->EndTime; + // 动作字段跳到后面的EventTrend判断 + char EventTrend = *(udp_data + offset + event_offset); + if (EventTrend == HW_EVENT_NEW) { + nat_payload.action = FORMAT_LOG_ACTION_ADD; + } else if (EventTrend == HW_EVENT_AGED) { + nat_payload.action = FORMAT_LOG_ACTION_DEL; + } else { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "EventTrend %d Not Define", EventTrend); + return APP_STATE_GIVEME; + } + + // 将提取出来的信息写进组播载荷 + memcpy(multicast_payload + cur_pkt*PAYLOAD_LEN, &nat_payload, PAYLOAD_LEN); + cur_pkt++; + + // 攒够20个进行发送 + if (cur_pkt == g_nat_format_info.batch_size) { + send_multicast(); + } + + // 定位下一个body的offset -- 03版本28,08版本的IPV4、NOPAT为44,USER为209,URL、TLV每个不同,由附加长度确定 + if (i < log_num - 1) { + if (body_len > 0) { + offset += body_len; + } else { + char *tmp = (char *)hb_body; + u_int16_t AppendLength = *(u_int16_t *)(tmp + sizeof(struct hw_binary_log_body) + HW_BINARY_BODY_V8_TLV_OFFSET); + offset += (HW_BINARY_BODY_LENGTH_V8_IPV4 + AppendLength); + } + } + } + } + else if (udp_port == g_nat_format_info.h3_binary_port) { + return APP_STATE_GIVEME; + } + else if (udp_port == g_nat_format_info.dp_binary_port) { + return APP_STATE_GIVEME; + } + else { + MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format", "Unknown Port."); + return APP_STATE_GIVEME; } return 
APP_STATE_GIVEME;
diff --git a/src/nat_format.h b/src/nat_format.h
index ec6048f..8cfdc5b 100644
--- a/src/nat_format.h
+++ b/src/nat_format.h
@@ -5,12 +5,34 @@
 #include
 #include
+#pragma pack(1)
+
+#define SEND_TIME_OFFSET 10
+
+#define HW_BINARY_VERSION_3 0x03
+#define HW_BINARY_VERSION_8 0x08
+
+#define HW_BINARY_TYPE_IPV4 0x04
+#define HW_BINARY_TYPE_NOPAT 0x10
+#define HW_BINARY_TYPE_USER 0x20
+#define HW_BINARY_TYPE_URL 0xF1
+#define HW_BINARY_TYPE_TLV 0x21
+
+#define HW_BINARY_BODY_LENGTH_V3_IPV4 64
+#define HW_BINARY_BODY_LENGTH_V8_IPV4 80
+#define HW_BINARY_BODY_LENGTH_V8_NOPAT 80
+#define HW_BINARY_BODY_LENGTH_V8_USER 209
+#define HW_BINARY_BODY_V8_TLV_OFFSET 38
+
+#define HW_BINARY_BODY_V3_EVENT_OFFSET 57
+#define HW_BINARY_BODY_V8_EVENT_OFFSET 72
+
 // 全局配置信息
 struct nat_format_global_info {
 u_int32_t magic_num;
 u_int32_t version;
- u_int32_t batch_size;
+ int32_t batch_size;
 char host_ip[64];
 int32_t host_port;
 char multicast_ip[64];
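Review bot: The Huawei binary branch casts udp_data to `struct hw_binary_log_head` and then walks `Count` bodies (an attacker-chosen u16) without ever checking `offset`, `offset + body_len`, `offset + event_offset` or the AppendLength read at `tmp + sizeof(struct hw_binary_log_body) + HW_BINARY_BODY_V8_TLV_OFFSET` against `udp_data_len`, so a short or crafted datagram drives every field read past the packet buffer; the datagram length must be validated before the cast and each body bounded before it is touched (sketch below). In the same dispatch, `hb_head->LogType != HW_BINARY_TYPE_URL || hb_head->LogType != HW_BINARY_TYPE_TLV` is always true, so URL/TLV packets are rejected and the `body_len == 0` stride path is unreachable, and an unknown Prot or EventTrend value (including the defined-but-unhandled HW_EVENT_PERIOD) returns from inside the loop and discards the rest of the datagram instead of skipping that one body. In the H3C syslog branch, `%s` into `fw_log_time_month[10]` is unbounded (use `%9s`), `fw_log_time[25]` is one byte short for the worst-case `sprintf`, `fw_time` reaches strptime/mktime with tm_isdst and the unparsed fields uninitialized (memset it first), and the key `"NATSrcPort(1006)"` does not match the `NatSrcPort(1006)` spelling of the sample line, which will reject every H3C record if get_value_offset is case-sensitive. Count, Second, the addresses, ports and times are consumed in wire byte order while the syslog path goes through extract_ip/extract_port; I cannot tell from this hunk which byte order the device emits or what the multicast consumer expects, so that mapping should be confirmed against the format specification rather than assumed. The runtime-log labels for BeginTime_e and Event(1048) still say "Huawei syslog" and "EndTime_e(1014) Not Found", which will mislead whoever reads the log.

```cpp
    // 华为二进制
    else if (udp_port == g_nat_format_info.hw_binary_port) {
        // reject datagrams that cannot even hold the head before touching it
        if (udp_data_len < (int32_t)sizeof(struct hw_binary_log_head)) {
            MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Datagram shorter than head: %d", udp_data_len);
            return APP_STATE_GIVEME;
        }
        struct hw_binary_log_head *hb_head = (struct hw_binary_log_head *)udp_data;
        // … unchanged: Version / LogType dispatch setting body_len and event_offset, except the V8 tail:
            else if (hb_head->LogType == HW_BINARY_TYPE_URL || hb_head->LogType == HW_BINARY_TYPE_TLV) { body_len = 0; }  // stride comes from AppendLength
            else { /* unknown LogType: log and return, as before */ }
        // … unchanged: log_num, fw_log_timestamp, hb_body, offset …
        for (int i = 0; i < log_num; i++) {
            // the fixed body, the EventTrend byte and (when known) the whole body must lie inside the datagram
            int need = (int)sizeof(struct hw_binary_log_body);
            if (event_offset + 1 > need) { need = event_offset + 1; }
            if (body_len > need) { need = body_len; }
            if (offset > udp_data_len - need) {
                MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "Body %d truncated (offset %d, datagram %d)", i, offset, udp_data_len);
                return APP_STATE_GIVEME;
            }
            hb_body = (struct hw_binary_log_body *)(udp_data + offset);
            // … unchanged: field extraction, EventTrend mapping, batch append …
            if (i < log_num - 1) {
                if (body_len > 0) {
                    offset += body_len;
                } else {
                    int append_at = offset + (int)sizeof(struct hw_binary_log_body) + HW_BINARY_BODY_V8_TLV_OFFSET;
                    if (append_at > udp_data_len - 2) {
                        MESA_handle_runtime_log(g_nat_format_info.log, RLOG_LV_INFO, "nat_format Huawei Binary", "AppendLength of body %d outside datagram", i);
                        return APP_STATE_GIVEME;
                    }
                    u_int16_t AppendLength;
                    memcpy(&AppendLength, udp_data + append_at, sizeof(AppendLength));  // no unaligned u16 deref
                    offset += (HW_BINARY_BODY_LENGTH_V8_IPV4 + AppendLength);
                }
            }
        }
    }
```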
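Review bot: `#pragma pack(1)` at the top of nat_format.h is never undone, so byte packing applies to every struct declared after this point in every translation unit that includes the header, including nat_format_global_info and anything declared later in nat_format.cpp or in headers included after it, not just the two wire layouts it was added for; that silently changes the layout and alignment of structures that may be shared with the rest of the project. Scope it to the wire structs only: `#pragma pack(push, 1)` immediately before `struct nat_payload` and `#pragma pack(pop)` after `struct hw_binary_log_body`. Since `SEND_TIME_OFFSET 10` and the HW_BINARY_BODY_*_OFFSET values are hand-computed from the packed layout, a compile-time check next to the struct, `static_assert(offsetof(struct nat_payload, send_timestamp) == SEND_TIME_OFFSET, "SEND_TIME_OFFSET out of sync");` (the file is built as C++, so this needs `<cstddef>` and C++11), would catch the next field reordering before it corrupts the multicast payload.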
@@ -30,22 +52,64 @@ struct nat_format_global_info {
 // 格式化NAT报文载荷
 struct nat_payload {
- unsigned int magic_num;
- unsigned short version;
- unsigned int fw_log_timestamp;
- unsigned int fw_ip;
+ u_int32_t magic_num;
+ u_int16_t version;
+ u_int32_t fw_log_timestamp;
+ u_int32_t send_timestamp = 0;
+ u_int32_t fw_ip;
 char action;
- unsigned int stream_start_timestamp;
- unsigned int stream_end_timestamp;
- unsigned int src_intra_ip;
- unsigned short src_intra_port;
- unsigned int src_extra_ip;
- unsigned short src_extra_port;
- unsigned int dst_ip;
- unsigned short dst_port;
+ u_int32_t stream_start_timestamp;
+ u_int32_t stream_end_timestamp;
+ u_int32_t src_intra_ip;
+ u_int16_t src_intra_port;
+ u_int32_t src_extra_ip;
+ u_int16_t src_extra_port;
+ u_int32_t dst_ip;
+ u_int16_t dst_port;
 char protocol;
 };
+// 华为二进制数据结构
+struct hw_binary_log_head {
+ char Version;
+ char LogType;
+ u_int16_t Count;
+ u_int32_t Second;
+ u_int32_t FlowSequence;
+ u_int16_t DeviceId;
+ char Slot;
+ char Reserved;
+};
+struct hw_binary_log_body {
+ char Prot;
+ char Operator;
+ char IpVersion;
+ char TosIPv4;
+ u_int32_t SourceIP;
+ u_int32_t SrcNatIP;
+ u_int32_t DestIP;
+ u_int32_t DestNatIP;
+ u_int16_t SrcPort;
+ u_int16_t SrcNatPort;
+ u_int16_t DestPort;
+ u_int16_t DestNatPort;
+ u_int32_t StartTime;
+ u_int32_t EndTime;
+ // u_int16_t OurVpnIndex;
+ // u_int16_t DestVpnIndex;
+ // u_int32_t InTotalPkg;
+ // u_int32_t OutTotalPkg;
+ // u_int64_t InTotalByte;
+ // u_int64_t OutTotalByte;
+ // u_int16_t AppSubtypeId;
+ // u_int16_t AppTypeId;
+ // u_int32_t AppId;
+ // char EventTrend;
+ // char Reserved1;
+ // u_int16_t Reserved2;
+ // u_int32_t Reserved3;
+};
+
 extern "C" int nat_format_init(void);
 extern "C" void nat_format_destroy(void);
 extern "C" char nat_format_entry(struct streaminfo *a_udp, void **pme, int thread_seq, void *a_packet);
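Review bot: `Version` and `LogType` in hw_binary_log_head are plain `char`, yet nat_format.cpp compares LogType against `HW_BINARY_TYPE_URL 0xF1`; on targets where char is signed (x86/x86-64 by default) a wire byte of 0xF1 reads as -15 and never equals 241, so that type can never be recognised, and the same hazard applies to `Prot`, `Operator`, `IpVersion`, `TosIPv4` and the EventTrend byte that the .cpp reads through a `char`. Declare the one-byte wire fields as `u_int8_t` (`u_int8_t Version; u_int8_t LogType;` and `u_int8_t Prot; u_int8_t Operator; u_int8_t IpVersion; u_int8_t TosIPv4;`) and read EventTrend into a `u_int8_t` as well. Separately, `u_int32_t send_timestamp = 0;` is a C++ default member initializer, which compiles for this .cpp build but stops the header from being usable from C and, under C++11 rules, makes nat_payload a non-aggregate; since send_multicast overwrites the field for every entry before sending, dropping the `= 0` keeps the struct a plain wire layout without losing anything. A one-line comment on hw_binary_log_body stating that the struct deliberately covers only the prefix common to all body variants, and that HW_BINARY_BODY_V*_EVENT_OFFSET is the byte offset of the commented-out EventTrend field from the start of the body, would tie the two halves of this layout together for the next reader.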