[netsa-tools-discuss] Some queries regarding analysis of variable length fields
Rima Saha
saharima at gmail.com
Mon Oct 5 12:01:06 EDT 2015
Greetings CERT-team,
We are using SiLK as an IPFIX collector and analyzer in our project.
We need to collect and analyse some variable length fields like Application
name exported by some exporters.
I understand the collection part, and right now I am able to collect
application name by changing skipfix.c (which has direct connection to
libfixbuf)
However, I am confused regarding how to analyse the variable length field
using SiLK tools like rwfilter etc. For example, I think I need to make some
changes in libsilk/skbag.c file in the bag_field_info[] array by specifying
the number of octets each field will occupy. However, I don't know how many
octets my application field will contain since it is a variable-length field.
So how should I handle this variable-length field for analysis? That is,
currently bag_field_info[] is like this:
static const bag_field_info_t bag_field_info[] = {
{ 4, "sIPv4"}, /* SKBAG_FIELD_SIPv4 */
......
What value should I place here for the first member, in case of
application name in the array?
{<whatValueToPlace>, "appName"} /* SKBAG_FIELD_APPNAME */
Also, how should I add the field (what datatype to use) in
rwfilter/rwfiltercheck.c file in structure filter_checks_t, and which
parsing function to use in filterOptionsHandler?
I would be really grateful if you can help me on this.
Many, many thanks in advance.
Best Regards,
Rima
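One general way to fit a variable-length string into a fixed-octet key table like the bag_field_info[] entries above, shown here as an added example that is neither SiLK code nor a reply from the list: intern each application name into a fixed 4-octet integer id when the record is collected, and key the bag (and any filter) by that id rather than by the string. The names appname_table_t, appname_intern, appname_lookup, TABLE_MAX, APPNAME_MAX and the sample records are all assumptions of this example; the 4-octet width only mirrors the { 4, "sIPv4" } entry quoted in the question.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed bounds: IPFIX variable-length fields are at most 65535 octets,
 * but application names are short, so this example caps them at 255. */
#define APPNAME_MAX 255
#define TABLE_MAX   1024

/* Intern table: variable-length names live here; the bag only sees ids.
 * Id 0 is reserved for "unknown" so it can never collide with a real name. */
typedef struct appname_table_st {
    char     names[TABLE_MAX][APPNAME_MAX + 1];
    uint32_t count;
} appname_table_t;

/* Find an already-interned name; returns its 4-octet id or 0 if absent. */
uint32_t appname_find(const appname_table_t *t, const char *name, size_t len)
{
    for (uint32_t i = 0; i < t->count; i++) {
        if (strlen(t->names[i]) == len && memcmp(t->names[i], name, len) == 0)
            return i + 1;
    }
    return 0;
}

/* Return the id for name, assigning a new one on first sight.
 * Over-long or empty names map to 0 rather than being truncated, so a
 * hostile exporter cannot make two different names share an id. */
uint32_t appname_intern(appname_table_t *t, const char *name, size_t len)
{
    if (len == 0 || len > APPNAME_MAX) return 0;
    uint32_t id = appname_find(t, name, len);
    if (id != 0) return id;
    if (t->count >= TABLE_MAX) return 0;      /* table full: treat as unknown */
    memcpy(t->names[t->count], name, len);
    t->names[t->count][len] = '\0';
    t->count++;
    return t->count;
}

/* Reverse lookup for printing results; NULL for id 0 or out of range. */
const char *appname_lookup(const appname_table_t *t, uint32_t id)
{
    if (id == 0 || id > t->count) return NULL;
    return t->names[id - 1];
}

/* Minimal "bag": a fixed-width 4-octet key (the id) -> byte counter. */
static appname_table_t g_table;
static uint64_t        g_bag[TABLE_MAX + 1];
static int             g_loaded;

/* Constructed sample flow records (application name, bytes); not real data. */
static const struct { const char *app; uint64_t bytes; } g_records[] = {
    { "http", 500 }, { "ssh", 1200 }, { "http", 250 }, { "ssh", 100 }, { "dns", 60 },
};

/* Load the sample records once: intern the name, then count by id. */
void demo_load(void)
{
    if (g_loaded) return;
    for (size_t i = 0; i < sizeof(g_records) / sizeof(g_records[0]); i++) {
        uint32_t id = appname_intern(&g_table, g_records[i].app, strlen(g_records[i].app));
        g_bag[id] += g_records[i].bytes;
    }
    g_loaded = 1;
}

/* Total bytes seen for an application name, or 0 if it was never interned. */
uint64_t demo_bytes_for(const char *app)
{
    demo_load();
    return g_bag[appname_find(&g_table, app, strlen(app))];
}

int main(void)
{
    demo_load();
    for (uint32_t id = 1; id <= g_table.count; id++)
        printf("%10u %-12s %llu\n", id, appname_lookup(&g_table, id),
               (unsigned long long)g_bag[id]);
    return 0;
}
```

The point of the indirection is that every structure downstream of collection (bag keys, filter comparisons) keeps a fixed width, while the only place that ever touches the variable-length bytes is the intern step, which also enforces the length bound.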