[netsa-tools-discuss] stand-alone silk installation (how to use yaf to create sample traffic for flowViewer)

asad a.alii85 at gmail.com
Tue Sep 15 11:03:54 EDT 2015


Thanks Mark,

I wasn't aware of the poll-directory; this will help a lot :).

On Tue, Sep 15, 2015 at 2:13 AM, Mark Thomas <mthomas at cert.org> wrote:

> asad
>
> The rwflowpack tool is normally the tool that writes data into the
> SiLK repository.
>
> If you have pcap files, you can use the YAF tool to convert the pcap
> files to IPFIX:
>
>   yaf --in FOO.pcap --out FOO.ipfix
>
> Put the IPFIX files into a directory, for example,
> /tmp/rwflowpack/incoming, and have rwflowpack read the IPFIX files
> from that directory and convert them to the SiLK format.  The probe
> block in the sensor.conf file should be similar to:
>
>   probe S0 ipfix
>     poll-directory /tmp/rwflowpack/incoming
>   end probe
>
> By default, rwflowpack deletes the IPFIX files once it is finished
> with them.
>
> I hope that helps.
>
> -Mark
>
>
> On Fri, 11 Sep 2015 23:40:54 +0500, asad wrote:
>
> > Hello,
> >
> > I'm using a silk + flowViewer setup. I want @ipfix_devices to be populated,
> > which is used by FlowViewer_Configuration.pm of FlowViewer.
> >
> > I want to know if, using yaf, it is possible to play a pcap file with the
> > effect that it will produce the required folder structure in /data/flows.
> > The structure is needed by FlowViewer.
> >
> > I'm in a test environment; I cannot afford to send real netflows from a
> > switch or router.
> >
> >
> > I have so far used tcpreplay to generate sample netflow. This has
> > resulted in the following dirs under /data
> >
> > /data
> > ├── ext2ext
> > │   └── 2015
> > │       └── 09
> > │           └── 11
> > │               └── ext2ext-S0_20150911.14
> > ├── in
> > │   └── 2015
> > │       └── 09
> > │           └── 10
> > │               ├── in-S0_20150910.20
> > │               └── nohup.out
> > ├── int2int
> > │   └── 2015
> > │       └── 09
> > │           └── 10
> > │               └── int2int-S0_20150910.20
> > ├── nohup.out
> > ├── out
> > │   └── 2015
> > │       └── 09
> > │           └── 10
> > │               └── out-S0_20150910.20
> > ├── outweb
> > │   └── 2015
> > │       └── 09
> > │           └── 11
> > │               └── ow-S0_20150911.14
> > ├── sensors.conf
> > └── silk.conf
> >
> > Still, I see no device folder. My silk.conf is
> > #The layout of the tree below SILK_DATA_ROOTDIR.
> > #Use the default, which assumes a single class.
> > #path-format "%T/%Y/%m/%d/%x"
> >
> > Perhaps I need to change sensors.conf; I'm not sure. Thanks.
> >
> > regards
> > asad
>
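The pcap-to-IPFIX-to-poll-directory procedure Mark describes, as an added example script that is not part of the thread or of the SiLK/YAF projects. It assumes yaf and rwflowpack are on PATH, that the probe block in sensor.conf is the one quoted above, and that rwflowpack's poll-directory skips dot-files (so the temporary name is never picked up half-written).

```shell
#!/bin/sh
# Added example: feed pcaps into a stand-alone SiLK install via yaf + rwflowpack.
# The pcaps stay where they are; only the IPFIX copies go into the incoming
# directory, because rwflowpack deletes the files there once it has read them.

# Print the sensor.conf probe block. $1 = probe name (e.g. S0), $2 = incoming dir.
probe_block() {
    printf 'probe %s ipfix\n    poll-directory %s\nend probe\n' "$1" "$2"
}

# Check that sensor.conf ($1) declares a poll-directory for the incoming dir ($2).
sensor_conf_polls() {
    grep -q "poll-directory[[:space:]]*$2" "$1"
}

# Convert one pcap to IPFIX. Writes to a dot-prefixed temporary name and renames
# it into place, so the poller never sees a partially written file (assumption:
# poll-directory ignores dot-files). $1 = pcap path, $2 = incoming dir.
# Prints the final IPFIX path on success.
pcap_to_ipfix() {
    pcap=$1
    incoming=$2
    base=$(basename "$pcap" .pcap)
    tmp="$incoming/.$base.ipfix.part"
    out="$incoming/$base.ipfix"
    [ -d "$incoming" ] || mkdir -p "$incoming"
    yaf --in "$pcap" --out "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out" && printf '%s\n' "$out"
}

# Convert every *.pcap in $1 into incoming dir $2; prints how many succeeded.
convert_dir() {
    count=0
    for f in "$1"/*.pcap; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        pcap_to_ipfix "$f" "$2" >/dev/null && count=$((count + 1))
    done
    printf '%s\n' "$count"
}
```

Once the IPFIX files are in place, rwflowpack (running with that sensor.conf and the usual silk.conf) packs them into the class/type directories under the data root.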