I've got the router daemon generating and sending what look like valid
Cisco netflow v5 packets, but the available specifications for the packets
don't include the values of the content of some fields in the packets.
It's always easier to reverse-engineer protocols when you have a few
examples of valid packets. According to the Wikipedia article on netflow,
UDP packets to port 2055 are what I'm looking for. They consist of a
24-byte header followed by up to 30 data records of 48 bytes each, for
a maximum packet length of 1464 bytes.
If one of you who has an operational netflow setup would be kind enough
to capture ONE netflow packet using tcpdump and send me the hex dump
of the packet, I can extract the real-world values from the packet and
make mine conform. All I really need are the values of the 'engine_type'
and 'engine_id', bytes 21 and 22 (counting from zero as the first byte)
of the packet data. A dump of the netflow header (the first 24 bytes
of one packet) or a whole packet in hex would do very nicely, thank you.
Thanks!
- Brian
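A parser for the v5 layout described above, added here as an example (not code from the thread or from any of the tools named): it turns `tcpdump -x` hex lines into bytes, checks that the header's record count agrees with the packet length, and pulls out engine_type and engine_id, which the standard v5 header places at zero-based offsets 20 and 21. The sample packet is constructed, not a real capture.

```python
import socket
import struct

# NetFlow v5 wire layout (the standard format, not taken from the e-mail): a 24-byte
# header followed by up to 30 fixed 48-byte flow records, at most 1464 bytes total.
HEADER_FMT = "!HHIIIIBBH"     # version count sys_uptime unix_secs unix_nsecs
                              # flow_sequence engine_type engine_id sampling_interval
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # srcaddr dstaddr nexthop input output dPkts
                                          # dOctets first last srcport dstport pad1
                                          # tcp_flags prot tos src_as dst_as masks pad2
HEADER_LEN, RECORD_LEN, MAX_RECORDS = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT), 30

def hexdump_to_bytes(text: str) -> bytes:
    """Turn `tcpdump -x` hex lines ("0x0000:  0005 0001 ...") into raw bytes."""
    words = []
    for line in text.splitlines():
        if ":" in line:                      # drop tcpdump's "0x0000:" offset column
            line = line.split(":", 1)[1]
        words.extend(line.split())
    return bytes.fromhex("".join(words))

def parse_netflow_v5(packet: bytes) -> dict:
    """Parse one v5 export payload (UDP data only); raise ValueError if malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError(f"only {len(packet)} bytes, header needs {HEADER_LEN}")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack(HEADER_FMT, packet[:HEADER_LEN])))
    if hdr["version"] != 5:
        raise ValueError(f"version {hdr['version']} is not NetFlow v5")
    if not 1 <= hdr["count"] <= MAX_RECORDS:
        raise ValueError(f"record count {hdr['count']} outside 1..{MAX_RECORDS}")
    expected = HEADER_LEN + hdr["count"] * RECORD_LEN
    if len(packet) != expected:              # length must agree with the count field
        raise ValueError(f"length {len(packet)} != {expected} for count={hdr['count']}")
    records = []
    for off in range(HEADER_LEN, expected, RECORD_LEN):
        r = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        records.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                        "packets": r[5], "octets": r[6], "srcport": r[9],
                        "dstport": r[10], "proto": r[13]})
    return {"header": hdr, "records": records}

def build_sample_packet() -> bytes:
    """Constructed sample (not a real capture): one DNS flow, engine_type/id = 0."""
    header = struct.pack(HEADER_FMT, 5, 1, 123456, 1495382400, 0, 7, 0, 0, 0)
    record = struct.pack(RECORD_FMT, socket.inet_aton("10.0.0.1"),
                         socket.inet_aton("192.0.2.5"), socket.inet_aton("0.0.0.0"),
                         1, 2, 10, 840, 100000, 120000, 40000, 53, 0, 0, 17, 0, 0, 0, 24, 24, 0)
    return header + record
```

When feeding a real `tcpdump -x` capture, pass only the hex lines and slice off the Ethernet/IP/UDP headers first so the parser sees the UDP payload alone.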
On Sun, May 21, 2017 at 09:10:52AM -0700, Brian Kantor wrote:
I think nsen (and softflowd) can read a previously-captured pcap file,
derive flow data from the captured packets, and turn it into Cisco
netflow packets to send to a collector.
Looks like I'm going to have to ditch the file I'm currently writing
(instead of altering its format) and concentrate on generating and
sending Cisco netflow packets to a collector, as that's apparently the
common format involved in this whole scheme.
Ah well, what's another socket write to the router daemon.
Thanks folks!
- Brian