[netsa-tools-discuss] app labeling for flowcap

Manickam manickam.subbiah at gmail.com
Sun Dec 20 11:51:32 EST 2015


Thanks Mark.

I have another set of netflow data in form of a capture file. I wanted to
replay the file using nfreplay / nfdump utilities. But nf* tools throw a bad
magic error.

I am sure the file is valid. Not sure what is wrong.

In between, I thought I will use "rwpdu2silk" utility to convert to SiLK
format and store it to SiLK store. I am able to do this, but the flowtype
which is critical for my analysis is missing as rwpdu2silk is a conversion
of netflow -> binary format. Is there any way I can input a config file to
determine the flow type in parallel with silk conversion? This will ease up
my task.

Thanks in advance,
Manickam

On Fri, Dec 18, 2015 at 10:29 PM, Mark Thomas <mthomas at cert.org> wrote:

> There is no built-in support for setting an application label when
> reading NetFlow v5 data.
>
> (SiLK does not do any application labeling itself; it depends on a
> flow generator (such as YAF) to provide the label.)
>
> If you wanted to do your own application labeling, you could modify
> SiLK's C source code.  There are several places to do this:
>
> * Modify the NetFlow v5 records at the point at which they are
>   converted to the SiLK format.  This is handled by the
>   skPDUSourceGetGeneric() function in
>   silk/src/libflowsource/pdusource.c
>
> * Modify the SiLK records in flowcap before writing to the output
>   file.  To do this, edit the readerMainPDU() function in
>   silk/src/flowcap/flowcap.c
>
> * Modify the SiLK records in rwflowpack before they are written to
>   disk. Consider modifying the packRecord() function in
>   silk/src/rwflowpack/rwflowpack.c.
>
> The packing logic function is not expected to change the record, and
> the signature of the packing logic uses "const rwRec *rwrec".  That
> could be changed, of course.
>
> Good luck,
>
> -Mark
>
>
> -----Original Message-----
> From: Manickam <manickam.subbiah at gmail.com>
> Date: Thu, 17 Dec 2015 12:24:56 +0530
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] app labeling for flowcap
>
> Hi
>
> I have configured flowcap to listen on a device which generates netflow v5
> data. Is there any way to label the app based on sport and/or dport with
> packing logic?
>
> Thanks N Regards,
> Manickam
>
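As an added illustration of the port-based labeling Mark's reply describes (this is not SiLK code and not part of the thread): a small labeler that computes a label from a const record, in the same shape as the packing logic's "const rwRec *rwrec", plus a mutating variant for the flowcap/rwflowpack hooks. The record struct and the port table are stand-ins (assumptions); SiLK's real rwRec accessors and YAF's label values differ.

```c
/* Added example, not SiLK or YAF code.  app_rec_t is a stand-in for SiLK's
 * rwRec (assumption); the label table is a constructed subset that follows
 * YAF's habit of using the well-known port number as the label value. */
#include <stdint.h>
#include <stddef.h>

typedef struct app_rec_st {
    uint8_t  proto;        /* IP protocol: 6 = TCP, 17 = UDP */
    uint16_t sport;
    uint16_t dport;
    uint16_t application;  /* 0 = unlabeled */
} app_rec_t;

static const struct { uint8_t proto; uint16_t port; uint16_t label; } port_table[] = {
    { 6,  22,  22 }, { 6,  25,  25 }, { 6,  80,  80 }, { 6, 443, 443 },
    { 6,  53,  53 }, { 17, 53,  53 }, { 17, 123, 123 },
};

/* Protocol must match too: UDP/80 is not HTTP just because the port is 80. */
static uint16_t lookup_port(uint8_t proto, uint16_t port) {
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++)
        if (port_table[i].proto == proto && port_table[i].port == port)
            return port_table[i].label;
    return 0;
}

/* Pure function over a const record, matching the packing logic's signature
 * shape: computes the label without touching the record.  NetFlow v5 is
 * unidirectional, so either side may be the server; when both ports are in
 * the table, the lower port wins as the more likely service port (heuristic). */
uint16_t app_label_for(const app_rec_t *rec) {
    uint16_t s = lookup_port(rec->proto, rec->sport);
    uint16_t d = lookup_port(rec->proto, rec->dport);
    if (s && d) return rec->sport < rec->dport ? s : d;
    return s ? s : d;
}

/* Mutating variant for hooks that own a writable record (flowcap's
 * readerMainPDU or rwflowpack's packRecord in the reply); returns 1 if set. */
int apply_app_label(app_rec_t *rec) {
    uint16_t label = app_label_for(rec);
    if (!label) return 0;
    rec->application = label;
    return 1;
}

/* Convenience wrapper: build a record and return the label it would get. */
uint16_t label_of(uint8_t proto, uint16_t sport, uint16_t dport) {
    app_rec_t rec = { proto, sport, dport, 0 };
    return apply_app_label(&rec) ? rec.application : 0;
}
```

Port-based labels are only a hint: a DPI-based generator such as YAF is what SiLK expects to supply a real application label.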