[netsa-tools-discuss] Netflow v7

Michael Welsh Duggan mwd at cert.org
Thu Aug 28 11:58:04 EDT 2014


My response is in-line:

John Green <John.Green at ja.net> writes:

> We have a number of routers exporting both v5 and v7 netflow.   As Silk
> only supports v5 and v9, rwflowpack logs errors for the v7 PDUs.
>
> Does anyone have an experience of processing netflow containing v7 PDUs
> with Silk?  

I cannot recall anyone using Netflow v7 with SiLK in the past.

> v5 and v7 are very similar content wise (eg nfdump seems to treat v7 as
> v5 when processing).   I'll take a look at tweaking the source unless I
> missing an easier alternative?

Other than something intermediate changing the format from v7 to v5,
this is probably your best bet.  I've briefly looked at the format and
code, and can make the following suggestions based on the SiLK 3.8.3
sources.

The netflow packet format is described in src/libflowsource/v5pdu.h.
You would need to change the structures and macros (LEN, MAX_RECS,
MAX_RECS_STR) to match reality for NFv7.

The decoding happens in src/libflowsource/pdusource.c.  The major
differences between v5 and v7 that need to be accounted for seem to be:

1) version is 7 instead of 5 and packet sizes are different.  These are
   checked in pduSourceRejectPacket().  Specifically, the version is
   checked on line 301.

2) Support for different engines seems to have been removed from NFv7.
   The simplest change to fix this seems to be to replace the current
   engine calculation in pduSourceNextPkt(), specifically at line 546,
   where it calculates target.id.  Setting target.id to zero here
   instead should do the trick.  (Technically we could rip out the whole
   engine machinery from the code for this, but that might be considered
   beyond the scope of a simple change.)

3) byte 36 and bytes 46-47 seem to be flags added to the format in v7.
   You may need to determine whether any of these flags have pertinent
   data that needs to be paid attention to in the format.
   Specifically, the flags are marked as:
     Flags indicating, among other things, what flows are invalid. 
   If certain flows need to be ignored on the basis of these flags, this
   should probably be done in pduSourceGetNextRec().  (There are several
   examples already within that function.)  Unfortunately, I was unable
   to find out how to interpret these flags fields using a simple web
   search.

I hope this helps get you started.  Please let me know if you have any
other questions.

-- 
Michael Welsh Duggan
(mwd at cert.org)
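The three points above (version and packet-size checks, dropping the engine id for v7, and the v7 flag bytes) as an added example; this is not code from the SiLK sources or from the thread, and the function names (nf_reject_packet, nf_parse, nf_build_sample) are my own, not SiLK's. The v7 layout it assumes is the one Cisco publishes for v7 and is not spelled out in the thread, so treat it as an assumption to check against your exporters: a 24-byte header with no engine fields (the v5 engine_type/engine_id bytes are reserved), 52-byte records that match v5 except for a flags byte at record offset 36, two flag bytes at 46-47 and a router_sc field at 48-51, and at most 28 records per datagram. The sample datagrams are constructed in the code, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes for v5 (from the v5 format) and v7 (assumed Cisco v7 layout, see lead-in). */
#define NF_HDR_LEN   24
#define NF5_REC_LEN  48
#define NF5_MAX_RECS 30
#define NF7_REC_LEN  52
#define NF7_MAX_RECS 28

struct nf_rec {
    uint16_t version;
    uint32_t srcaddr, dstaddr;
    uint16_t srcport, dstport;
    uint8_t  proto;
    uint32_t pkts, octets;
    uint8_t  engine_type, engine_id; /* v5 header bytes 20-21; left 0 for v7 (no engine) */
    uint8_t  flags8;                 /* v7 record byte 36 ("which flows are invalid"); 0 for v5 */
    uint16_t flags16;                /* v7 record bytes 46-47; 0 for v5 */
    uint32_t router_sc;              /* v7 record bytes 48-51; 0 for v5 */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static size_t nf_rec_len(uint16_t v) { return v == 5 ? NF5_REC_LEN : v == 7 ? NF7_REC_LEN : 0; }
static unsigned nf_max_recs(uint16_t v) { return v == 5 ? NF5_MAX_RECS : NF7_MAX_RECS; }

/* Reject check in the spirit of a pduSourceRejectPacket()-style test (hypothetical name).
 * 0 = accept; 1 = shorter than a header; 2 = unsupported version; 3 = bad record count;
 * 4 = datagram length disagrees with version and count. */
int nf_reject_packet(const uint8_t *buf, size_t len) {
    if (len < NF_HDR_LEN) return 1;
    uint16_t version = be16(buf), count = be16(buf + 2);
    size_t rl = nf_rec_len(version);
    if (rl == 0) return 2;
    if (count == 0 || count > nf_max_recs(version)) return 3;
    if (len != NF_HDR_LEN + (size_t)count * rl) return 4;
    return 0;
}

/* Decode every record into out[]; returns the count decoded, or -1 if the datagram is rejected. */
int nf_parse(const uint8_t *buf, size_t len, struct nf_rec *out, size_t max_out) {
    if (nf_reject_packet(buf, len) != 0) return -1;
    uint16_t version = be16(buf), count = be16(buf + 2);
    size_t rl = nf_rec_len(version);
    unsigned n = count < max_out ? count : (unsigned)max_out;
    for (unsigned i = 0; i < n; i++) {
        const uint8_t *r = buf + NF_HDR_LEN + i * rl;
        struct nf_rec *o = &out[i];
        memset(o, 0, sizeof *o);
        o->version = version;
        o->srcaddr = be32(r);       o->dstaddr = be32(r + 4);
        o->pkts    = be32(r + 16);  o->octets  = be32(r + 20);
        o->srcport = be16(r + 32);  o->dstport = be16(r + 34);
        o->proto   = r[38];
        if (version == 5) {
            o->engine_type = buf[20]; o->engine_id = buf[21];
        } else {
            /* v7: engine id stays 0 (the "target.id = 0" idea); flags replace v5's pad bytes */
            o->flags8 = r[36]; o->flags16 = be16(r + 46); o->router_sc = be32(r + 48);
        }
    }
    return (int)n;
}

/* Build a constructed (not captured) datagram with `count` identical flow records. */
size_t nf_build_sample(uint8_t *buf, size_t cap, uint16_t version, uint16_t count,
                       uint8_t flags8, uint16_t flags16) {
    size_t rl = nf_rec_len(version), total = NF_HDR_LEN + (size_t)count * rl;
    if (rl == 0 || total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(version >> 8); buf[1] = (uint8_t)version;
    buf[2] = (uint8_t)(count >> 8);   buf[3] = (uint8_t)count;
    buf[20] = 1; buf[21] = 7;        /* v5 engine_type/engine_id; reserved bytes under v7 */
    for (uint16_t i = 0; i < count; i++) {
        uint8_t *r = buf + NF_HDR_LEN + i * rl;
        const uint8_t src[4] = {10, 0, 0, 1}, dst[4] = {192, 0, 2, 9};
        memcpy(r, src, 4); memcpy(r + 4, dst, 4);
        r[19] = 3;                   /* dPkts = 3 */
        r[22] = 0x01; r[23] = 0x2c;  /* dOctets = 300 */
        r[32] = 0xc3; r[33] = 0x50;  /* srcport 50000 */
        r[34] = 0x01; r[35] = 0xbb;  /* dstport 443 */
        r[38] = 6;                   /* TCP */
        if (version == 7) {
            r[36] = flags8;
            r[46] = (uint8_t)(flags16 >> 8); r[47] = (uint8_t)flags16;
            r[51] = 1;               /* router_sc = 1 */
        }
    }
    return total;
}

int main(void) {
    uint8_t buf[2048]; struct nf_rec recs[NF5_MAX_RECS];
    size_t len = nf_build_sample(buf, sizeof buf, 7, 2, 0x80, 0x0001);
    int n = nf_parse(buf, len, recs, NF5_MAX_RECS);
    printf("v7: %d records, flags8=0x%02x flags16=0x%04x engine_id=%u\n",
           n, recs[0].flags8, recs[0].flags16, recs[0].engine_id);
    return 0;
}
```

The parser keeps the v7 flag bytes and router_sc on the decoded record rather than interpreting them, since, as the reply notes, their meaning is not pinned down here; a filter in the spirit of pduSourceGetNextRec() could drop records by flags8 once you know which bits your exporters set.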

