[netsa-tools-discuss] Extracting fields from Netflow V9 using SiLK

Sukrit Dasgupta sukdasgu at cisco.com
Tue Nov 18 10:17:21 EST 2014 

(including the netsa mailing list to keep record if others have the same query).

Thanks for your response Mark.

This is sad (However I still have long term plans to continue to use it because it is very useful). Few questions:

1. Any chance I could get some pointers on where the code is if we needed to implement these changes ourselves (for the time being)?

2. Any way I could get a chance to work on an early alpha/pre-alpha release?


Thanks!
-- Sukrit

On Nov 18, 2014, at 9:53 AM, Mark Thomas <mthomas at cert.org> wrote:

> Sukrit-
> 
> Thank you for your email.  It is very nice to read that you find the
> NetSA tools so useful.
> 
> Unfortunately, the answer to your question is that the current
> version of SiLK supports a fixed set of fields, and adding new
> fields to the core of SiLK is fairly involved.
> 
> The next major release of SiLK will support flexible file formats,
> and adding additional fields to at that point should be
> straightforward.  Currently there is no estimate as to when the next
> release of SiLK will be available.
> 
> Thanks again for your question.
> 
> -Mark
> 
> 
> On Mon, 17 Nov 2014 12:23:45 -0500, Sukrit Dasgupta wrote:
> 
>> Hi SiLK team,
>> 
>> I started using SiLK about 3 weeks ago for large scale NFv9 record
>> analysis and it has proven to be invaluable!
>> 
>> Is it possible to extract other non 5-tuple fields that have been
>> configured to be exported using NFv9 on a Cisco router?
>> 
>> For example, in a record configuration like this (Cisco IOS):
>> 
>> match ipv4 protocol  
>> match ipv4 source address  
>> match ipv4 destination address  
>> match transport source-port  
>> match transport destination-port  
>> collect datalink mac source address input
>> collect datalink mac destination address output
>> 
>> How could we extract the fields that have been specified as "collect":
>> the MAC addresses in this case. As NFv9 sends out templates, I was
>> hoping this was doable.
>> 
>> Any help will be great!
>> 
>> Thanks in advance,
>> -- Sukrit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20141118/6be8aa49/attachment.sig>

More information about the netsa-tools-discuss mailing list