[netsa-tools-discuss] app labeling for flowcap
Mark Thomas
mthomas at cert.org
Fri Dec 18 11:59:41 EST 2015
There is no built-in support for setting an application label when
reading NetFlow v5 data.
(SiLK does not do any application labeling itself; it depends on a
flow generator (such as YAF) to provide the label.)
If you wanted to do your own application labeling, you could modify
SiLK's C source code. There are several places to do this:
* Modify the NetFlow v5 records at the point at which they are
converted to the SiLK format. This is handled by the
skPDUSourceGetGeneric() function in
silk/src/libflowsource/pdusource.c
* Modify the SiLK records in flowcap before writing to the output
file. To do this, edit the readerMainPDU() function in
silk/src/flowcap/flowcap.c
* Modify the SiLK records in rwflowpack before they are written to
disk. Consider modifying the packRecord() function in
silk/src/rwflowpack/rwflowpack.c.
The packing logic function is not expected to change the record, and
the signature of the packing logic uses "const rwRec *rwrec". That
could be changed, of course.
Good luck,
-Mark
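As an added illustration of the port-based labeling Mark describes (this is example code written for this archive, not SiLK's own code and not part of his reply): a stand-alone C sketch of the logic one could drop into any of the three conversion points he lists. The flow_rec_t struct, its field names and the port table are stand-ins and constructed sample data, not SiLK's rwRec or its accessor API, so the real integration would read and set the record fields through SiLK's functions instead. Two points a practitioner would want: a port match is only a guess at the application, and a label already supplied upstream by the flow generator is left untouched rather than overwritten.

```c
/* Added example, not SiLK code. The struct, field names and table are
 * assumptions standing in for SiLK's rwRec and its application field. */
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-in for a SiLK flow record (hypothetical layout). */
typedef struct {
    uint8_t  proto;
    uint16_t sport;
    uint16_t dport;
    uint16_t application;   /* 0 means "not labeled" */
} flow_rec_t;

/* Constructed mapping of well-known server ports to labels; the label
 * reuses the service's port number as its id, a common convention. */
typedef struct {
    uint8_t  proto;   /* 0 = TCP or UDP */
    uint16_t port;
    uint16_t label;
} port_label_t;

static const port_label_t PORT_TABLE[] = {
    { 6,  22,  22  },   /* ssh   */
    { 6,  25,  25  },   /* smtp  */
    { 0,  53,  53  },   /* dns, tcp or udp */
    { 6,  80,  80  },   /* http  */
    { 6,  443, 443 },   /* https */
    { 17, 123, 123 },   /* ntp   */
};

static uint16_t lookup_port(uint8_t proto, uint16_t port)
{
    size_t i;
    for (i = 0; i < sizeof(PORT_TABLE) / sizeof(PORT_TABLE[0]); ++i) {
        if (PORT_TABLE[i].port == port &&
            (PORT_TABLE[i].proto == 0 || PORT_TABLE[i].proto == proto)) {
            return PORT_TABLE[i].label;
        }
    }
    return 0;
}

/* Derive a label from the port pair. Only TCP (6) and UDP (17) carry
 * ports. When both ports are known services, prefer the lower-numbered
 * one, which is the more likely server side of the flow. */
uint16_t label_from_ports(uint8_t proto, uint16_t sport, uint16_t dport)
{
    uint16_t lo, hi, label;
    if (proto != 6 && proto != 17) {
        return 0;
    }
    lo = sport < dport ? sport : dport;
    hi = sport < dport ? dport : sport;
    label = lookup_port(proto, lo);
    if (label == 0) {
        label = lookup_port(proto, hi);
    }
    return label;
}

/* Label a record, but never overwrite a label the flow generator
 * (e.g. YAF) already supplied. Returns 1 if the record was changed. */
int label_record(flow_rec_t *r)
{
    uint16_t label;
    if (r->application != 0) {
        return 0;
    }
    label = label_from_ports(r->proto, r->sport, r->dport);
    if (label == 0) {
        return 0;
    }
    r->application = label;
    return 1;
}

/* Convenience wrapper: build a record from the given fields, label it,
 * and return the resulting application value. */
uint16_t labeled_value(uint8_t proto, uint16_t sport, uint16_t dport,
                       uint16_t existing)
{
    flow_rec_t r = { proto, sport, dport, existing };
    label_record(&r);
    return r.application;
}

int main(void)
{
    /* Constructed sample records. */
    flow_rec_t recs[] = {
        { 6,  51000, 80,    0   },  /* client to web server  */
        { 17, 53,    40000, 0   },  /* dns reply             */
        { 6,  12345, 54321, 0   },  /* nothing recognisable  */
        { 6,  51001, 443,   999 },  /* already labeled upstream */
    };
    size_t i;
    for (i = 0; i < sizeof(recs) / sizeof(recs[0]); ++i) {
        int changed = label_record(&recs[i]);
        printf("proto=%u sport=%u dport=%u -> app=%u (%s)\n",
               recs[i].proto, recs[i].sport, recs[i].dport,
               recs[i].application, changed ? "labeled" : "unchanged");
    }
    return 0;
}
```

In flowcap or rwflowpack the call would go where the record is about to be written, after the NetFlow v5 fields have been converted, and the table would normally be loaded from a site-specific file rather than compiled in.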
-----Original Message-----
From: Manickam <manickam.subbiah at gmail.com>
Date: Thu, 17 Dec 2015 12:24:56 +0530
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] app labeling for flowcap
Hi
I have configured flowcap to listen on a device which generates netflow v5
data. Is there any way to label the app based on sport and/or dport with
packing logic?
Thanks N Regards,
Manickam