[netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2

Mark Thomas mthomas at cert.org
Wed Aug 26 14:45:42 EDT 2015


Abhishek-

Thank you for your question.

While libfixbuf does support any IPFIX field, the SiLK record format
in SiLK 3 is fairly rigid.  The next major version of SiLK will
provide for a more flexible record format, but currently we do not
have an estimated release date.

If you are only looking to use one or two enterprise-specific
fields, you could "re-purpose" a little-used field such as the SNMP
ingress and egress interfaces or the NextHop IP field.  For this
approach, see
https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-November/000037.html

If that does not meet your needs, you will have to extend the rwRec
structure, update skipfix.c to copy your enterprise-specific fields
into the rwRec, manually add the fields to each application, and
update the source files that read and write rwRecs from and to files
on disk.  I mentioned the list of SiLK source code files that need
to be updated in this post.
https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2015-May/000091.html

Best of luck,

-Mark
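As an added example for this thread (not code from SiLK, libfixbuf, or either poster), the following Python shows the two things the reply above takes for granted: how an enterprise-specific Information Element is encoded in an IPFIX template on the wire (RFC 7011: the high bit of the 16-bit element id flags an enterprise element and a 4-byte Private Enterprise Number follows the field length), and what "re-purposing" a little-used SiLK field such as the SNMP ingress interface actually involves, namely a range check before the vendor value is dropped into a narrower slot. The PEN 99999 and element id 42 are hypothetical, the sample message is constructed inline, and the 16-bit width assumed for the repurposed field is an assumption to verify against rwrec.h in your SiLK release.

```python
# Added example for this thread (not SiLK or libfixbuf code): decode an IPFIX
# message carrying an enterprise-specific Information Element (IE) and map it
# onto a repurposed narrow SiLK field.  Wire layout per RFC 7011: in a template
# field specifier the high bit of the 16-bit IE id marks an enterprise element,
# and a 4-byte Private Enterprise Number (PEN) follows the field length.
import struct
from collections import namedtuple

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000
VARLEN = 65535
EXAMPLE_PEN = 99999  # hypothetical PEN, not a real assignment
EXAMPLE_IE = 42      # hypothetical vendor element id under that PEN

# pen is 0 for IANA-registered elements; ie_id has the enterprise bit cleared.
FieldSpec = namedtuple("FieldSpec", "pen ie_id length")


def build_message(template_id, fields, rows):
    """Constructed exporter output: one template set followed by one data set."""
    spec = b"".join(
        struct.pack("!HHI", f.ie_id | ENTERPRISE_BIT, f.length, f.pen) if f.pen
        else struct.pack("!HH", f.ie_id, f.length) for f in fields)
    tmpl_rec = struct.pack("!HH", template_id, len(fields)) + spec
    tmpl_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl_rec)) + tmpl_rec
    data = b"".join(v.to_bytes(f.length, "big")
                    for row in rows for f, v in zip(fields, row))
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    body = tmpl_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 0, 1) + body


def parse_message(msg, templates=None):
    """Return (templates, records); each record is a dict keyed by (pen, ie_id).
    Reuse the templates dict across calls so data-only messages still decode."""
    templates = {} if templates is None else templates
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != IPFIX_VERSION or length > len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length overruns the message")
        body, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while body + 4 <= end:  # assumes no padding inside the template set
                tid, count = struct.unpack_from("!HH", msg, body)
                body, fields = body + 4, []
                for _ in range(count):
                    raw_id, flen = struct.unpack_from("!HH", msg, body)
                    body, pen = body + 4, 0
                    if raw_id & ENTERPRISE_BIT:  # enterprise element: PEN follows
                        (pen,) = struct.unpack_from("!I", msg, body)
                        body += 4
                    if flen == VARLEN:
                        raise NotImplementedError("variable-length IEs not handled")
                    fields.append(FieldSpec(pen, raw_id & ~ENTERPRISE_BIT, flen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            rec_len = sum(f.length for f in fields) if fields else 0
            if rec_len:  # data for an unknown template is skipped whole
                while body + rec_len <= end:  # trailing bytes < rec_len are padding
                    rec = {}
                    for f in fields:
                        rec[(f.pen, f.ie_id)] = int.from_bytes(msg[body:body + f.length], "big")
                        body += f.length
                    records.append(rec)
        off = end
    return templates, records


def repurpose(record, source_key, target_bits=16):
    """Place a vendor IE into the SiLK 'in' (SNMP ingress interface) slot.
    Assumption, to verify against rwrec.h for your release: the SNMP interface
    fields of the SiLK 3 rwRec are 16 bits wide, so a vendor value that does
    not fit is rejected here rather than silently truncated."""
    value = record[source_key]
    if value >= 1 << target_bits:
        raise OverflowError(f"{value} does not fit in {target_bits} bits")
    return {"sIP": record[(0, 8)], "dIP": record[(0, 12)],
            "in": value,  # repurposed: vendor value, not an SNMP ifIndex
            "out": record.get((0, 14), 0)}


def demo_message():
    """Two constructed flows: sourceIPv4Address (8), destinationIPv4Address (12),
    egressInterface (14) and the hypothetical 2-octet vendor element."""
    fields = [FieldSpec(0, 8, 4), FieldSpec(0, 12, 4), FieldSpec(0, 14, 4),
              FieldSpec(EXAMPLE_PEN, EXAMPLE_IE, 2)]
    rows = [(0x0A000001, 0x0A000002, 3, 0x1234), (0x0A000003, 0x0A000004, 3, 0xFFFF)]
    return build_message(256, fields, rows)


def demo():
    _, recs = parse_message(demo_message())
    return [repurpose(r, (EXAMPLE_PEN, EXAMPLE_IE)) for r in recs]
```

The range check in `repurpose` is the part worth keeping when you do this for real: a repurposed field is only as wide as the SiLK slot it borrows, and anything that does not fit must be rejected at collection time, because once it is silently truncated into an rwRec there is no way to tell a genuine value from a clipped one in rwfilter or rwcut.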


-----Original Message-----
From: Abhishek Dey <abhishek_dey at outlook.com>
Date: Mon, 24 Aug 2015 15:23:46 +0530
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>,
	"netsa-help at cert.org" <netsa-help at cert.org>
Subject: [netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2

Hello CERT-Netsa,


I am planning to use SiLK as an IPFIX collector and analyzer in my project. I need to collect some private enterprise-specific information elements and store those fields together with RFC-defined fields as SiLK records for analysis. I have noticed that SiLK uses the libfixbuf library, which supports collection of any vendor-specific information element in IPFIX records.


Therefore I would like to know how I can add support for collection and analysis of enterprise-specific fields in SiLK, i.e. which source files I should modify to achieve the following:

i. Collect and store the private enterprise-specific information elements with RFC-defined elements in the SiLK record format.

ii. Analyse the stored SiLK records containing both RFC-defined and private enterprise-specific fields and filter/display them using tools like rwfilter, rwcut, or any other plugin which I need to modify to add the support.


It would be very helpful if you can provide me with the necessary information.

Thanks and Regards,

Abhishek

