[netsa-tools-discuss] Beginner's Question

Kees Leune leune at adelphi.edu
Tue Sep 16 10:51:06 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Greetings and Salutations,


We are currently in the process of evaluating if SiLK is a viable
alternative for nfdump/nfsen. While we are not unhappy with the
latter, I believe that considering alternatives is good practice.

We configured one of our smaller routers to send v9 flowdata to a
rwflowpack instance, which, at first glance, seems to work well. Data
is being written to directories and a simple 'cat' of those files
filtered through rwcut does indeed produce results that look reasonable.

If I understand the Analyst's Handbook correctly, the preferred SiLK
workflow is to use rwfilter to narrow down results to a working set
and then use another tool, like rwcut, to visualize the results.

Unfortunately, rwfilter doesn't seem to select any data; I suspect a
simple configuration error somewhere, but I have not been able to find
anything.

For example:

kees at delaware:~/opt/data/out/2014/09/16$ cat out-S0_20140916.14 | rwcut | head -2
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|
    10.73.2.243|   72.73.207.40| 3074| 3074| 17|         6|       468|        |2014/09/16T14:24:42.250|    0.750|2014/09/16T14:24:43.000| S0|

in total, this rwcut produces 253 lines of output. However, I would
have expected that rwfilter with a sIP of 10.0/8 would produce similar
results. Unfortunately, it does not:

kees at delaware:~/opt/data/out/2014/09/16$ rwfilter --start-date=2014/09/16 --saddress 10.0.0.0/8 --print-statistics
Files     0.  Read          0.  Pass          0. Fail           0.

kees at delaware:~/opt/data/out/2014/09/16$ rwfilter --start-date=2014/09/16 --saddress 10.0.0.0/8 --pass stdout | rwcut
            sIP|            dIP|sPort|dPort|pro|   packets|     bytes|   flags|                  sTime| duration|                  eTime|sen|


Any clues as to where to look for this discrepancy, or, even better,
how to solve it, would be greatly appreciated! The current
configuration is set up to do all processing on a single host.

Thank you for any assistance that could be offered.

-- 
Dr. Kees Leune
Adelphi University
Information Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org

iQEcBAEBCgAGBQJUGE5aAAoJEFryue4yn40Z9R0IAIXJt2izH47IAQ1yLy0/VciJ
vnt8AZqxMVotRS+mMfw1ej0VF59PRrG1AjPHLujIPlvAwi9HiaRWVokhF0MZCCMi
R6vpyxAu4wCNroKiWjkrFEIA3fLMvIAZcUFQHndt6zF2Z8DxN8S+agTGGenRotkV
Jx9yXZFZ8OSSEYk+H2XHBPssMg78REi02AzciyPFRAewvgMuaW4UsrqjxohL5DmQ
7Rpx14sjB0dVj3kl2MF7Fc4wxX+NHi9D0vdWGEDNFcGYbdOroa9a5oBoV/6xWFMD
SkEFRqq4JyVjNcRgSjSwgvsb6hHlTGTfvFmwRojAwdx4dMSplHA3SxRDO3Xx5+k=
=I/oW
-----END PGP SIGNATURE-----
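Added note (not part of the message above, and not SiLK's own code): a small POSIX shell helper for narrowing down where a zero-record rwfilter result like the one shown comes from. It lists the flow types and sensors that rwflowpack has actually written under the repository root, read from the file names (SiLK names repository files TYPE-SENSOR_YYYYMMDD.HH, as in out-S0_20140916.14), then prints two rwfilter invocations to compare: one that names the files explicitly and therefore never consults the site configuration, and one that selects from the repository with --data-rootdir, --type and --sensor spelled out instead of relying on the defaults from silk.conf. If the first reports records and the second reports zero, the --saddress expression is fine and the problem is in how rwfilter locates the repository (data root directory, site configuration file, or the default class/types/sensors). The repository layout, the flag names and the sample paths are assumptions taken from the SiLK documentation and from the paths shown in the message; the fixture in the usage note is constructed.

```shell
#!/bin/sh
# Added diagnostic helper for the rwfilter-vs-rwcut discrepancy described in
# the message above. Not part of the original post and not SiLK code.
# Assumptions: repository files are named TYPE-SENSOR_YYYYMMDD.HH under
# ROOT/YYYY/MM/DD (e.g. out-S0_20140916.14), and rwfilter takes either input
# files as arguments or the selection switches --data-rootdir/--type/--sensor/
# --start-date, never both in one invocation.
set -u
export LC_ALL=C   # stable sort order for the lists below

# Distinct "TYPE-SENSOR" prefixes present under a repository root, one per line.
silk_prefixes_on_disk() {
    find "$1" -type f -name '*-*_[0-9]*.[0-9][0-9]' 2>/dev/null \
        | sed 's#.*/##; s#_[0-9]*\.[0-9][0-9]$##' \
        | sort -u
}

# Flow types on disk (text before the first '-'), e.g. "out".
silk_types_on_disk() {
    silk_prefixes_on_disk "$1" | cut -d- -f1 | sort -u
}

# Sensors on disk (text after the first '-'), e.g. "S0".
silk_sensors_on_disk() {
    silk_prefixes_on_disk "$1" | cut -d- -f2- | sort -u
}

# Join lines into a comma-separated list suitable for --type= / --sensor=.
join_csv() {
    paste -sd, -
}

# Print the two rwfilter invocations to compare for ROOT, DAY (YYYY/MM/DD)
# and CIDR:
#  (a) the repository files for that day named explicitly, which bypasses the
#      site configuration and the type/sensor defaults entirely;
#  (b) repository selection with --data-rootdir, --type and --sensor set to
#      what is actually on disk rather than left to silk.conf defaults.
# Both use --print-statistics only, so they print counts, not records.
# The commands are executed only when rwfilter is installed.
compare_selection() {
    root=$1; day=$2; cidr=$3
    types=$(silk_types_on_disk "$root" | join_csv)
    sensors=$(silk_sensors_on_disk "$root" | join_csv)
    if [ -z "$types" ]; then
        echo "no repository files found under $root"
        return 1
    fi
    ymd=$(echo "$day" | tr -d /)
    a="rwfilter --saddress=$cidr --print-statistics $root/$day/*_$ymd.*"
    b="rwfilter --data-rootdir=$root --start-date=$day --type=$types --sensor=$sensors --saddress=$cidr --print-statistics"
    echo "(a) $a"
    echo "(b) $b"
    if command -v rwfilter >/dev/null 2>&1; then
        eval "$a"
        eval "$b"
    else
        echo "rwfilter not found in PATH; commands printed only"
    fi
}
```

Usage, against the layout from the message: `compare_selection "$HOME/opt/data/out" 2014/09/16 10.0.0.0/8`. When (a) shows a non-zero Pass count and (b) still shows `Files 0`, look at the --data-rootdir/SILK_DATA_ROOTDIR setting, the --site-config-file (or silk.conf next to the data root), and whether the class and types listed there include the ones the helper found on disk; `rwfileinfo out-S0_20140916.14` shows the class, type and sensor recorded in the file header for the same comparison.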

