I've got the router daemon generating and sending what look like valid Cisco netflow v5 packets, but the available specifications for the packets don't include the values of the content of some fields in the packets.
It's always easier to reverse-engineer protocols when you have a few examples of valid packets. According to the Wikipedia article on netflow, UDP packets to port 2055 are what I'm looking for. They consist of a 24-byte header followed by up to 30 data records of 48 bytes each, for a maximum packet length of 1464 bytes.
If one of you who has an operational netflow setup would be kind enough to capture ONE netflow packet using tcpdump and send me the hex dump of the packet, I can extract the real-world values from the packet and make mine conform. All I really need are the values of the 'engine_type' and 'engine_id', bytes 21 and 22 (counting from zero as the first byte) of the packet data. A dump of the netflow header (the first 24 bytes of one packet) or a whole packet in hex would do very nicely, thank you.
Thanks! - Brian
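As an added example (not code from this thread), a small Python decoder for the v5 header layout described above. It assumes the standard public field order (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval), in which engine_type and engine_id land at zero-indexed offsets 20 and 21, and the sample datagram is constructed rather than captured.

```python
import struct

# NetFlow v5 layout as described in the post: 24-byte header, then up to
# 30 records of 48 bytes each, so a valid datagram never exceeds 1464 bytes.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling_interval
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = 48
MAX_RECORDS = 30
MAX_PACKET = HEADER_LEN + RECORD_LEN * MAX_RECORDS   # 1464

FIELD_NAMES = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
               "flow_sequence", "engine_type", "engine_id", "sampling_interval")


def parse_v5_header(packet: bytes) -> dict:
    """Decode the 24-byte header and sanity-check the whole datagram.

    Raises ValueError for anything a collector should not trust: a short
    packet, a non-v5 version, a record count that cannot fit in one
    datagram, or a total length that does not match the record count.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(packet))
    hdr = dict(zip(FIELD_NAMES, struct.unpack(HEADER_FMT, packet[:HEADER_LEN])))
    if hdr["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % hdr["version"])
    if not 0 < hdr["count"] <= MAX_RECORDS:
        raise ValueError("bad record count %d" % hdr["count"])
    expected = HEADER_LEN + RECORD_LEN * hdr["count"]
    if len(packet) != expected or len(packet) > MAX_PACKET:
        raise ValueError("length %d != expected %d" % (len(packet), expected))
    return hdr


def is_valid_v5(packet: bytes) -> bool:
    """True if parse_v5_header() accepts the datagram, False otherwise."""
    try:
        parse_v5_header(packet)
        return True
    except ValueError:
        return False


def engine_bytes_from_hex(hexdump: str) -> tuple:
    """(engine_type, engine_id) from a hex dump (whitespace is ignored)."""
    hdr = parse_v5_header(bytes.fromhex("".join(hexdump.split())))
    return hdr["engine_type"], hdr["engine_id"]


# Constructed sample datagram: one header plus a single zeroed 48-byte record.
# engine_type=0 and engine_id=0 are placeholders, the very values the post
# is asking real captures to confirm.
SAMPLE_HEADER = struct.pack(HEADER_FMT, 5, 1, 123456, 1495382400, 0, 42, 0, 0, 0)
SAMPLE_PACKET = SAMPLE_HEADER + bytes(RECORD_LEN)
```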
On Sun, May 21, 2017 at 09:10:52AM -0700, Brian Kantor wrote:
I think nsen (and softflowd) can read a previously-captured pcap file, derive flow data from the captured packets, and turn it into Cisco netflow packets to send to a collector.
Looks like I'm going to have to ditch the file I'm currently writing (instead of altering its format) and concentrate on generating and sending Cisco netflow packets to a collector, as that's apparently the common format involved in this whole scheme.
Ah well, what's another socket write to the router daemon.
Thanks folks!
- Brian