[netsa-tools-discuss] IPFIX analysis using SiLK

Mark Thomas mthomas at cert.org
Mon Sep 14 17:26:25 EDT 2015


Abhishek-

There is no single SiLK tool that has the functionality you are
requesting.

For a flow record to be separated across multiple bins, you need to
use rwcount.  rwcount also supports bins that contain fractional
byte and packet counts.

Depending on the number of keys you have, what you could do is to
use rwfilter to filter the input by your key, and then feed the
result to rwcount.  That would create an output file for each of
your keys.  You could then use text processing tools (Perl, Python,
awk, etc.) to merge the results.

The plug-in approach does not work since the plug-in API only allows
a record to add its volume to a single bin.

If you are looking to edit source code, you would want to edit the
rwcount sources.

I hope that helps.

-Mark


On Mon, 14 Sep 2015 18:00:56 +0530, Abhishek Dey wrote:

> Hello CERT-Netsa, I am using SiLK as an IPFIX collector and analyzer in
> my project. I need to count the total number of bytes and flows in each
> time slot of 10 minutes (this may change later) for each key field
> (eg. sIP, sPort, dIP, dPort etc) which will be an input. The rwcount
> tool does something similar (--load-scheme=4) but it doesn't have the
> support for specifying the key fields. Also rwuniq has a similar
> functionality but it doesn't break a single record into multiple
> time slots (where a flow continued for more than one time
> slot). Therefore I need to know the following i) Is there any other
> tool that can help me achieve this functionality? ii) Do I need to
> write any plugin to do the same? iii) Do I need to modify any source
> code and if yes then which files should I modify?
>
> It would be very helpful if you can provide me with the necessary
> information. Thanks and Regards, Abhishek
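The per-key, per-bin count that Abhishek asks for and Mark's rwfilter-then-rwcount-then-merge approach, carried out offline in Python as an added example (this is not SiLK code and not from the thread): each flow's bytes, packets and flow count are spread over 10-minute bins in proportion to the time the flow spends in each bin, which is what I take `--load-scheme=4` to do, and the result is keyed by a chosen field so the merge step happens in the same pass. The flow records are constructed sample data; the `split_flow`, `count_by_key` and `to_rows` names are mine.

```python
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample flows (not real traffic). Times are seconds since an
# arbitrary epoch, "dur" is the flow duration in seconds.
SAMPLE_FLOWS: List[dict] = [
    {"sIP": "10.0.0.1", "sPort": 40000, "dIP": "192.0.2.10", "dPort": 443,
     "sTime": 0.0, "dur": 300.0, "bytes": 3000, "packets": 30},
    # 25 minutes long, so it touches three 10-minute bins (0, 600, 1200)
    {"sIP": "10.0.0.2", "sPort": 40001, "dIP": "192.0.2.10", "dPort": 443,
     "sTime": 300.0, "dur": 1500.0, "bytes": 15000, "packets": 150},
    # zero-duration flow: the edge case where there is nothing to split,
    # so the whole volume lands in the start-time bin
    {"sIP": "10.0.0.1", "sPort": 40002, "dIP": "192.0.2.11", "dPort": 53,
     "sTime": 1250.0, "dur": 0.0, "bytes": 100, "packets": 1},
]

def split_flow(start: float, dur: float, bin_size: float) -> Iterator[Tuple[float, float]]:
    """Yield (bin_start, fraction) for every bin that [start, start + dur) overlaps.

    The fraction is overlap / dur, so the fractions of one flow sum to 1.0;
    this is the time-proportional split (assumed to match rwcount's
    --load-scheme=4, which is why the bins hold fractional counts).
    """
    first_bin = (start // bin_size) * bin_size
    if dur <= 0:
        yield first_bin, 1.0
        return
    end = start + dur
    b = first_bin
    while b < end:
        overlap = min(end, b + bin_size) - max(start, b)
        yield b, overlap / dur
        b += bin_size

def count_by_key(flows: List[dict], key: str, bin_size: float = 600.0) -> Dict[Tuple[str, float], dict]:
    """Aggregate bytes, packets and flow count per (key value, bin start).

    Replaces one 'rwfilter ... | rwcount --bin-size=600 --load-scheme=4'
    run per key value plus the merge; the flow count is split the same
    way as the volumes, a choice made here rather than something SiLK does.
    """
    totals: Dict[Tuple[str, float], dict] = defaultdict(
        lambda: {"bytes": 0.0, "packets": 0.0, "flows": 0.0})
    for f in flows:
        for bin_start, frac in split_flow(f["sTime"], f["dur"], bin_size):
            cell = totals[(str(f[key]), bin_start)]
            cell["bytes"] += f["bytes"] * frac
            cell["packets"] += f["packets"] * frac
            cell["flows"] += frac
    return dict(totals)

def to_rows(totals: Dict[Tuple[str, float], dict]) -> List[Tuple[str, float, float, float, float]]:
    """Flatten to sorted (key, bin, bytes, packets, flows) rows, ready to print as a table."""
    return sorted((k, b, c["bytes"], c["packets"], c["flows"]) for (k, b), c in totals.items())
```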

