[netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2

Abhishek Dey abhishek_dey at outlook.com
Sun Sep 27 01:13:41 EDT 2015


Hi,
I was modifying the SiLK sources to collect and store a vendor-specific IPFIX field and was able to do it when the element is a fixed-width element. But now I need to add support to collect some variable-length (string) fields. I tried to use the fbVarfield_t structure in the ski_extrwrec_st structure. Also the ski_extrwrec_spec[] is modified accordingly, and FB_IE_INIT and fbInfoModelAddElement are called for the element. But somehow, I am getting NULL in the fbVarfield_t buf. Please note that I have not added any code to allocate any memory for the buf pointer.
I would like to know if there is something I am missing. Any help in this regard is appreciated.
Thank you.
Regards,
- Abhishek

> From: mthomas at cert.org
> To: abhishek_dey at outlook.com
> CC: netsa-tools-discuss at cert.org; netsa-help at cert.org
> Subject: Re: [netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2
> Date: Wed, 26 Aug 2015 14:45:42 -0400
> 
> Abhishek-
> 
> Thank you for your question.
> 
> While libfixbuf does support any IPFIX field, the SiLK record format
> in SiLK 3 is fairly rigid.  The next major version of SiLK will
> provide for a more flexible record format, but currently we do not
> have an estimated release date.
> 
> If you are only looking to use one or two enterprise-specific
> fields, you could "re-purpose" a little-used field such as the SNMP
> ingress and egress interfaces or the NextHop IP field.  For this
> approach, see
> https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-November/000037.html
> 
> If that does not meet your needs, you will have to extend the rwRec
> structure, update skipfix.c to copy your enterprise-specific fields
> into the rwRec, manually add the fields to each application, and
> update the source files that read and write rwRecs from and to files
> on disk.  I mentioned the list of SiLK source code files that need
> to be updated in this post.
> https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2015-May/000091.html
> 
> Best of luck,
> 
> -Mark
> 
> 
> -----Original Message-----
> From: Abhishek Dey <abhishek_dey at outlook.com>
> Date: Mon, 24 Aug 2015 15:23:46 +0530
> To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>,
> 	"netsa-help at cert.org" <netsa-help at cert.org>
> Subject: [netsa-tools-discuss] Collection and analysis of Vendor specific
>  IPFIX information elements using SiLK 3.10.2
> 
> Hello CERT-Netsa,
> 
> I am planning to use SiLK as an IPFIX collector and analyzer in my
> project. I need to collect some private enterprise-specific information
> elements and store those fields together with RFC-defined fields as SiLK
> records for analysis. I have noticed that SiLK uses the libfixbuf
> library, which supports collection of any vendor-specific information
> element in IPFIX records.
> 
> Therefore I would like to know how I can add support for collection and
> analysis of enterprise-specific fields in SiLK, i.e. which source files
> should I modify to achieve the following:
> 
> i.  Collect and store the private enterprise-specific information
>     elements with RFC-defined elements in SiLK record format
> 
> ii. Analyse the stored SiLK records containing both RFC-defined and
>     private enterprise-specific fields and filter/display them using
>     tools like rwfilter, rwcut, or any other plugin which I need to
>     modify to add the support.
> 
> It would be very helpful if you can provide me with the necessary
> information.
> 
> Thanks and Regards,
> 
> Abhishek
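The thread turns on how a variable-length string IE reaches the collector and what the fbVarfield_t pointer refers to once libfixbuf has transcoded the record. The following is an added example, not code from this thread, from SiLK or from libfixbuf: it implements the RFC 7011 variable-length IE encoding itself (a 1-byte length for 0..254, or 0xFF followed by a 16-bit network-order length), decodes a field into a varfield-style struct whose `buf` points into the record buffer without any allocation, and then copies the value into a fixed-width, NUL-terminated array of the kind one would add to an extended rwRec, truncating rather than trusting the sender-supplied length. The `varfield_t` struct, the sample record bytes and all function names are constructed for this illustration; libfixbuf does this transcoding for you, so the example shows the semantics, not the library's internals.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in with the shape of libfixbuf's fbVarfield_t (length + pointer).
 * This is an assumption for the example, not the libfixbuf definition. */
typedef struct varfield_st {
    size_t         len;
    const uint8_t *buf;   /* points into the record buffer; nothing is copied */
} varfield_t;

/* Encode src as an RFC 7011 variable-length IE into dst.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t encode_varlen_ie(uint8_t *dst, size_t cap, const uint8_t *src, size_t srclen)
{
    size_t hdr = (srclen < 255) ? 1 : 3;
    if (srclen > 65535 || cap < hdr || cap - hdr < srclen) return 0;
    if (hdr == 1) {
        dst[0] = (uint8_t)srclen;
    } else {
        dst[0] = 0xFF;                       /* long-form escape */
        dst[1] = (uint8_t)(srclen >> 8);
        dst[2] = (uint8_t)(srclen & 0xFF);
    }
    memcpy(dst + hdr, src, srclen);
    return hdr + srclen;
}

/* Decode the variable-length IE at data[*off].  On success *off advances past
 * the field and out->buf points into data (same lifetime as the record buffer,
 * no allocation).  Returns -1 if the declared length runs past datalen, which
 * is how a truncated or hostile record is caught instead of over-read. */
int decode_varlen_ie(const uint8_t *data, size_t datalen, size_t *off, varfield_t *out)
{
    size_t pos = *off, len;
    if (pos >= datalen) return -1;
    if (data[pos] == 0xFF) {
        if (datalen - pos < 3) return -1;
        len = ((size_t)data[pos + 1] << 8) | data[pos + 2];
        pos += 3;
    } else {
        len = data[pos];
        pos += 1;
    }
    if (len > datalen - pos) return -1;
    out->len = len;
    out->buf = data + pos;
    *off = pos + len;
    return 0;
}

/* Copy a varfield into a fixed-width C string, as when storing it in an
 * extended record.  The exporter controls len, so truncate to fit.
 * Returns the number of bytes copied (excluding the NUL). */
size_t varfield_to_cstring(const varfield_t *vf, char *dst, size_t dstlen)
{
    size_t n;
    if (dstlen == 0) return 0;
    n = vf->len < dstlen - 1 ? vf->len : dstlen - 1;
    memcpy(dst, vf->buf, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample record (not a capture): a 4-byte fixed-width field, a
 * short-form string, then a 300-byte long-form string.  Returns 1 if every
 * decode and copy behaves as expected. */
int demo_roundtrip(void)
{
    static const uint8_t ipv4[4] = {10, 0, 0, 1};
    static const char tag[] = "vendor-tag";
    uint8_t longstr[300], rec[512];
    char name[16];
    varfield_t vf;
    size_t n, off, w;

    memset(longstr, 'A', sizeof longstr);
    memcpy(rec, ipv4, sizeof ipv4);
    n = sizeof ipv4;
    w = encode_varlen_ie(rec + n, sizeof rec - n, (const uint8_t *)tag, strlen(tag));
    if (w != 1 + strlen(tag)) return 0;
    n += w;
    w = encode_varlen_ie(rec + n, sizeof rec - n, longstr, sizeof longstr);
    if (w != 3 + sizeof longstr) return 0;
    n += w;

    off = sizeof ipv4;                         /* skip the fixed-width field */
    if (decode_varlen_ie(rec, n, &off, &vf) != 0) return 0;
    if (vf.len != strlen(tag) || memcmp(vf.buf, tag, vf.len) != 0) return 0;
    if (varfield_to_cstring(&vf, name, sizeof name) != strlen(tag)) return 0;
    if (strcmp(name, tag) != 0) return 0;

    if (decode_varlen_ie(rec, n, &off, &vf) != 0) return 0;
    if (vf.len != sizeof longstr || vf.buf[0] != 'A') return 0;
    if (varfield_to_cstring(&vf, name, sizeof name) != sizeof name - 1) return 0; /* truncated */
    if (name[sizeof name - 1] != '\0') return 0;
    return off == n;                           /* whole record consumed */
}

/* A header that promises 256 bytes but carries only 4: must be rejected. */
int demo_truncated(void)
{
    static const uint8_t bad[] = {0xFF, 0x01, 0x00, 'x', 'y', 'z', 'w'};
    size_t off = 0;
    varfield_t vf;
    return decode_varlen_ie(bad, sizeof bad, &off, &vf);
}

int main(void)
{
    printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    printf("truncated record rejected: %s\n", demo_truncated() == -1 ? "ok" : "FAILED");
    return 0;
}
```

The practical points for the rwRec extension Mark describes: the varfield's pointer is only valid while the record buffer it refers to is alive, so the value has to be copied (here into a bounded char array) before the buffer is reused, and the length comes from the exporter, so the copy must be bounded by the destination, not by `len`.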

