[netsa-tools-discuss] Eavesdropping and collecting Netflow v9

George Warnagiris George.Warnagiris at II-VI.com
Tue Dec 1 12:40:12 EST 2015


Thanks for the great work you do.  The CERT tools are a public service and I commend you for them.

I have a YaF sensor (and SiLK v3.10.2 collector on a Red Hat OS) connected to a SPAN port on a network boundary.  Using tcpdump, I can see several devices sending NetFlow v9 records across this boundary to a collector, 192.168.1.1, on UDP port 5999.  With the permission of the owner, I am trying to listen to these messages and pack the (3rd-party) records into the repository.

I tried:

# sensor.conf: a NetFlow v9 probe that expects the exporters' datagrams to
# arrive at a UDP socket bound on this host as 192.168.1.1:5999
probe S1 netflow-v9
    listen-as-host 192.168.1.1
    listen-on-port 5999
    protocol udp
end probe
# a sensor that packs everything the probe hands it, classifying by @intip
sensor S1
    netflow-v9-probes S1
    internal-ipblock @intip
end sensor

but that didn't work.  I also tried to set the IP address of the YaF sensor's listening interface to 192.168.1.1 and its MAC address to the one observed with tcpdump.  This did not accomplish the result either.  Besides the probe creation message, rwflowpack debug only provides:

'S1': forward 0, reverse 0, ignored 0, nf9: missing-pkts 0

I thought I might have to wait to see a NetFlow v9 template before collection would start, but it has been running for several hours without results.  Perhaps I have a misunderstanding about how the Red Hat TCP/IP stack works.  I suspected a VLAN problem, but have since discounted that theory.

Can you give me advice on how to set up NetFlow collection in this situation?  How does rwflowpack behave under these circumstances?  I would appreciate any tips on where to look for more ideas or details.  Or if you could put me out of my misery by telling me it won't work, that would be good too.  I can't stop thinking about how to approach this one!

Warm Regards,
George
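
An added example, not part of the original post and not SiLK or YAF code. The datagrams copied out of a SPAN port are still addressed to 192.168.1.1, so the sensor's own kernel will not deliver them to a UDP socket bound on the sensor; one way around that is to capture them off the mirror port with a separate tool and re-send each payload to a probe bound on the loopback address (the capture tool, the loopback collector address 127.0.0.1:5999 and the exporter sourceId 7 are assumptions here). The decoder below also shows the second point raised in the post: a NetFlow v9 data FlowSet cannot be decoded until the template it references has been seen, so a listener that joins mid-stream reports nothing until the exporter's next template refresh. The two packets and their flow records are constructed for the example; the field type numbers are the IANA NetFlow v9 ones.

```python
"""Decode eavesdropped NetFlow v9 datagrams and relay them to a local collector.
Added example; the packets built by sample_packets() are constructed test data."""
import socket
import struct

NF9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, sequence, sourceId

# IANA NetFlow v9 field types used by the constructed template
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 2, 4, 7, 8, 11, 12
FIELD_NAMES = {1: "bytes", 2: "pkts", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}
TEMPLATE_ID = 256  # data FlowSet IDs are >= 256; FlowSet ID 0 carries templates
TEMPLATE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
                   (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4)]


class Nf9Decoder:
    """Stateful decoder: a data FlowSet is only decodable once the matching template
    (keyed by exporter sourceId and template ID) has been received."""

    def __init__(self):
        self.templates = {}         # (source_id, template_id) -> [(field_type, length), ...]
        self.awaiting_template = 0  # data FlowSets skipped because no template was known yet

    def feed(self, payload):
        version, _count, _uptime, _secs, _seq, source_id = NF9_HEADER.unpack_from(payload, 0)
        if version != 9:
            raise ValueError("not NetFlow v9 (version %d)" % version)
        records, off = [], NF9_HEADER.size
        while off + 4 <= len(payload):
            fs_id, fs_len = struct.unpack_from("!HH", payload, off)
            if fs_len < 4:
                raise ValueError("malformed FlowSet length %d" % fs_len)
            body = payload[off + 4:off + fs_len]
            if fs_id == 0:
                self._load_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            # FlowSet ID 1 (options template) and other reserved IDs are ignored here
            off += fs_len
        return records

    def _load_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, off)
            off += 4
            if tid == 0:  # zero padding at the end of the template FlowSet
                break
            fields = [struct.unpack_from("!HH", body, off + 4 * i) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        reclen = sum(flen for _, flen in fields) if fields else 0
        if reclen == 0:
            self.awaiting_template += 1  # template not seen yet: records cannot be interpreted
            return []
        out, off = [], 0
        while off + reclen <= len(body):  # trailing bytes shorter than one record are padding
            rec = {}
            for ftype, flen in fields:
                raw, off = body[off:off + flen], off + flen
                name = FIELD_NAMES.get(ftype, "field%d" % ftype)
                if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                    rec[name] = socket.inet_ntoa(raw)
                else:
                    rec[name] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, records):
    body = b"".join(records)
    pad = (-len(body)) % 4  # FlowSets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\0" * pad


def build_packet(source_id, seq, count, flowsets):
    return NF9_HEADER.pack(9, count, 1000, 1448986812, seq, source_id) + b"".join(flowsets)


def encode_record(src, dst, sport, dport, proto, pkts, nbytes):
    # field order and widths match TEMPLATE_FIELDS (21 bytes per record)
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HHBII", sport, dport, proto, pkts, nbytes)


def sample_packets():
    """Constructed traffic from an assumed exporter sourceId 7: first a data-only packet
    (what an eavesdropper joining mid-stream sees), then a template refresh plus the same data."""
    recs = [encode_record("10.0.0.5", "192.168.1.20", 51234, 443, 6, 12, 4321),
            encode_record("192.168.1.20", "10.0.0.5", 443, 51234, 6, 10, 9876)]
    data = data_flowset(TEMPLATE_ID, recs)
    tmpl = template_flowset(TEMPLATE_ID, TEMPLATE_FIELDS)
    return [build_packet(7, 100, 2, [data]), build_packet(7, 101, 3, [tmpl, data])]


def decode_all(packets):
    dec = Nf9Decoder()
    return [dec.feed(p) for p in packets], dec.awaiting_template


def relay(payload, host="127.0.0.1", port=5999):
    """Hand a captured datagram to a collector bound locally, e.g. an rwflowpack probe
    with listen-as-host 127.0.0.1 and listen-on-port 5999 (assumed deployment)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))


if __name__ == "__main__":
    per_packet, waiting = decode_all(sample_packets())
    for i, recs in enumerate(per_packet, 1):
        print("packet %d: %d records decoded" % (i, len(recs)), *recs, sep="\n  ")
    print("data FlowSets skipped awaiting a template:", waiting)
```

Run stand-alone, the first constructed packet decodes to nothing and is counted as awaiting a template, the second decodes both records; that is the same behaviour a collector shows while it waits for the exporter's template refresh interval, which is why a zero record count for a while is not by itself proof that no datagrams are arriving. The relay() helper is what a capture loop would call for each payload pulled off the mirror port.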
