-- rwflowpack keeps its working state (log files, pid file, spool
-- directories) under this directory.
local state_dir = "/var/rwflowpack"

-- Root of the SiLK data repository.  Packed flow files are written
-- beneath it (see the 'output' table).
local data_root = "/data"

-- rwflowpack requires a global table named 'log'.
log = {
  directory = state_dir .. "/log",
  --level = "debug",
}

-- rwflowpack supports a global table named 'daemon'.
daemon = {
  pid_file = state_dir .. "/run/rwflowpack.pid",
}

-- Spool locations used while records are being packed; the error
-- directory presumably receives input that could not be packed.
local spool = {
  directory = state_dir .. "/processing",
  error_directory = state_dir .. "/error",
}

-- rwflowpack requires a global table named 'output' giving the final
-- location of the packed flow records.
output = {
  mode = "local-storage",
  --flush_interval = 300,
  processing = spool,
  root_directory = data_root,
}

-- The site configuration must be loaded before the flowtype and
-- sensor lookups below can succeed.  When nothing has loaded it yet,
-- look for "<data_root>/silk.conf"; because 'and' short-circuits,
-- init_site is only attempted when no site config is present.
if not silk.site.have_site_config()
   and not silk.site.init_site(nil, data_root, true) then
  error("The silk.conf file was not found")
end

-- Flowtype stamped on every record.  The AireOS export does not carry
-- enough fields to classify traffic, so everything becomes "other".
local ft_other = silk.site.flowtype_id("other")

-- Describes the files rwflowpack creates: the smallest IPv4 record
-- format.  The sidecar description is attached to this same table
-- further down in the file.
local file_info = {}
file_info.record_format = silk.file_format_id("FT_RWSPLIT")

-- Next: build a sidecar description for the elements that the core
-- SiLK record cannot hold, and hang it off file_info.
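--
do
  -- Sidecar description for the IPFIX elements the AireOS exporter
  -- sends that have no slot in the core SiLK record.  element_id
  -- values are IANA IPFIX information element numbers.
  local sidecar_desc = silk.sidecar_create()

  -- applicationId ==> mapped onto SiLK's application field in the
  --                   packer below when possible; not a sidecar field
  sidecar_desc["ipDiffServCodePoint"] = {
    type = "uint8",
    element_id = 195,
  }
  -- octetDeltaCount  ==> standard SiLK field
  -- packetDeltaCount ==> standard SiLK field
  sidecar_desc["postIpDiffServCodePoint"] = {
    type = "uint8",
    element_id = 98,
  }
  -- staIPv4Address ==> stored as the record's source IPv4 address
  sidecar_desc["staMacAddress"] = {
    type = "binary",
    element_id = 365,
  }
  sidecar_desc["wlanSSID"] = {
    type = "string",
    element_id = 147,
  }
  sidecar_desc["wtpMacAddress"] = {
    type = "binary",
    element_id = 367,
  }
  silk.sidecar_freeze(sidecar_desc)
  file_info.sidecar = sidecar_desc
end

-- Local alias for the IPFIX field accessor used throughout the packer.
local getval = silk.fixrec_get_value

-- Packing function for NetFlow v9 data from a Cisco AireOS controller.
-- rwflowpack calls it with:
--   probe    -- the probe's 'vars' table (probe.sensor is used here)
--   fwd_rec  -- the forward SiLK record to fill in
--   rev_rec  -- the reverse SiLK record (always nil for this probe)
--   ipfix    -- an IPFIX view of the NetFlow v9 record
-- It fills in fwd_rec, writes it with write_rwrec, and returns nothing.
--
-- Everything read from 'ipfix' arrived over unauthenticated UDP and is
-- untrusted; it is copied into the record and sidecar as-is, so the
-- only interpretation done here (applicationId) is bounds-checked.
function aireos_packer (probe, fwd_rec, rev_rec, ipfix)
  fwd_rec.classtype_id = ft_other
  fwd_rec.sensor_id = probe.sensor

  -- The record's start time is the time of packing (milliseconds),
  -- not any timestamp carried by the export.
  fwd_rec.stime = silk.datetime(1000 * os.time())

  -- Source IP comes from staIPv4Address; when the element is absent
  -- the value already in the record is kept.
  fwd_rec.sip = getval(ipfix, "staIPv4Address", fwd_rec.sip)

  -- applicationId is 4 bytes: a 1-byte classification-engine id and a
  -- 3-byte selector.  When the engine id is 3 the selector is a
  -- well-known port number, which SiLK can keep in its application
  -- field.  Decode as byte, byte, big-endian short: the middle byte
  -- is the selector's high byte and is assumed to be zero for engine
  -- 3 (not checked -- confirm against the exporter).  The length is
  -- checked first because string.unpack raises on a string shorter
  -- than 4 bytes, and a malformed record must not abort packing.
  local tag = getval(ipfix, "applicationId", "\0\0\0\0")
  if type(tag) == "string" and #tag >= 4 then
    local app_type, _, app_port = string.unpack(">BBH", tag)
    if app_type == 3 then
      -- was 'few_rec' (an undefined global) in the original, so this
      -- branch raised instead of setting the field
      fwd_rec.application = app_port
    end
  end

  -- The remaining elements go straight into the sidecar table, with
  -- zero/empty defaults when the exporter omitted them.
  fwd_rec.sidecar = {
    ipDiffServCodePoint = getval(ipfix, "ipDiffServCodePoint", 0),
    postIpDiffServCodePoint = getval(ipfix, "postIpDiffServCodePoint", 0),
    staMacAddress = getval(ipfix, "staMacAddress", "\0\0\0\0\0\0"),
    wlanSSID = getval(ipfix, "wlanSSID", ""),
    wtpMacAddress = getval(ipfix, "wtpMacAddress", "\0\0\0\0\0\0"),
  }

  -- Write the forward record using the format/sidecar in file_info
  write_rwrec(fwd_rec, file_info)
end

-- rwflowpack requires a global table named 'input' that specifies the
-- source of flow records.
--
-- NOTE(review): NetFlow v9 over UDP has no authentication or integrity
-- protection, so any host that can reach 203.0.113.200:4755 can inject
-- or spoof flow records into the repository.  Limit who can talk to
-- this listener: a source-address allow-list on the probe if this
-- probe type supports one, and/or a host firewall rule permitting only
-- the AireOS controller's address.
input = {
  mode = "stream",
  probes = {
    AireOS = {
      name = "AireOS",
      type = "netflow-v9",
      packing_function = aireos_packer,
      vars = {
        sensor = silk.site.sensor_id("S1"),
      },
      source = {
        protocol = "udp",
        listen = "203.0.113.200:4755",
      },
    },
  },
}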