[netsa-tools-discuss] stand-alone silk installation (how to use yaf to create sample traffic for flowViewer)

Mark Thomas mthomas at cert.org
Mon Sep 14 17:13:52 EDT 2015


asad

The rwflowpack tool is normally the tool that writes data into the
SiLK repository.

If you have pcap files, you can use the YAF tool to convert the pcap
files to IPFIX:

  yaf --in FOO.pcap --out FOO.ipfix

Put the IPFIX files into a directory, for example,
/tmp/rwflowpack/incoming, and have rwflowpack read the IPFIX files
from that directory and convert them to the SiLK format.  The probe
block in the sensor.conf file should be similar to:

  probe S0 ipfix
    poll-directory /tmp/rwflowpack/incoming
  end probe

By default, rwflowpack deletes the IPFIX files once it is finished
with them.

I hope that helps.

-Mark
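The yaf-to-rwflowpack path described above, as an added example script rather than code from the thread or from the SiLK project. It assumes yaf and rwflowpack are on PATH; the staging directory, the atomic mv into the poll directory, and the sensor block (with its internal-ipblocks value) are assumptions of this example, not something the reply states.

```shell
#!/bin/sh
# Added example: convert pcaps with yaf into rwflowpack's poll directory and
# emit the matching sensor.conf fragments. All paths here are assumptions.
set -eu

INCOMING="${INCOMING:-/tmp/rwflowpack/incoming}"
STAGING="${STAGING:-/tmp/rwflowpack/staging}"

# Emit the sensor.conf probe block for an IPFIX poll-directory probe.
# $1 = probe name, $2 = directory rwflowpack polls.
probe_block() {
    printf 'probe %s ipfix\n    poll-directory %s\nend probe\n' "$1" "$2"
}

# Emit a sensor block (assumed addition beyond the thread): rwflowpack only
# sorts records into in/out/ext2ext/int2int once it knows which addresses
# are internal. $1 = sensor name (same as the probe), $2 = internal CIDR.
sensor_block() {
    printf 'sensor %s\n    ipfix-probes %s\n    internal-ipblocks %s\n    external-ipblocks remainder\nend sensor\n' "$1" "$1" "$2"
}

# Convert every *.pcap under $1 to IPFIX. yaf writes into a staging directory
# and the finished file is mv'd into the poll directory, so rwflowpack never
# picks up a half-written file. rwflowpack deletes the IPFIX file when done;
# the original pcap is untouched, so the run can be repeated.
convert_pcaps() {
    src="$1"
    mkdir -p "$STAGING" "$INCOMING"
    for p in "$src"/*.pcap; do
        [ -f "$p" ] || continue
        name="$(basename "$p" .pcap).ipfix"
        yaf --in "$p" --out "$STAGING/$name"
        mv "$STAGING/$name" "$INCOMING/$name"   # atomic rename on one filesystem
        echo "$INCOMING/$name"
    done
}

# Usage: ./convert.sh run /path/to/pcaps [internal-cidr]
# then start rwflowpack with --sensor-configuration=sensor.conf.
if [ "${1:-}" = "run" ]; then
    { probe_block S0 "$INCOMING"; sensor_block S0 "${3:-192.168.0.0/16}"; } > sensor.conf
    convert_pcaps "$2"
fi
```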


On Fri, 11 Sep 2015 23:40:54 +0500, asad wrote:

> Hello,
>
> I'm using a silk + flowViewer setup. I want @ipfix_devices to be populated,
> which is used by FlowViewer_Configuration.pm of Flowviewer.
>
> I want to know, using yaf, is it possible to play a pcap file with the effect
> that it will produce the required folder structure in /data/flows.
> The structure is needed by FlowViewer.
>
> I'm in a test environment; I cannot afford to send real netflows from a switch
> or router.
>
>
> I have used so far tcpreplay to generate sample netflow. This has resulted
> in the following dirs in /data:
>
> /data
> ├── ext2ext
> │   └── 2015
> │       └── 09
> │           └── 11
> │               └── ext2ext-S0_20150911.14
> ├── in
> │   └── 2015
> │       └── 09
> │           └── 10
> │               ├── in-S0_20150910.20
> │               └── nohup.out
> ├── int2int
> │   └── 2015
> │       └── 09
> │           └── 10
> │               └── int2int-S0_20150910.20
> ├── nohup.out
> ├── out
> │   └── 2015
> │       └── 09
> │           └── 10
> │               └── out-S0_20150910.20
> ├── outweb
> │   └── 2015
> │       └── 09
> │           └── 11
> │               └── ow-S0_20150911.14
> ├── sensors.conf
> └── silk.conf
>
> Still, I see no device folder. My silk.conf is:
> #The layout of the tree below SILK_DATA_ROOTDIR.
> #Use the default, which assumes a single class.
> #path-format "%T/%Y/%m/%d/%x"
>
> Perhaps I need to change sensors.conf I'm not sure. Thanks.
>
> regards
> asad


More information about the netsa-tools-discuss mailing list