[netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2
Mark Thomas
mthomas at cert.org
Mon Sep 28 13:45:21 EDT 2015
libfixbuf allocates and frees the 'buf' member of the fbVarfield_t
for each record. The 'buf' member is only valid until the next call
to fBufNext() or other calls that cause libfixbuf to read a record
(e.g., fBufNextCollectionTemplate()).
You will need to copy the 'buf' into some memory that SiLK
maintains.
Also note that 'buf' is probably not terminated by '\0'; you need to
account for that if you plan to treat it as a C "string".
-Mark
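An added example, not from Mark's reply or the SiLK/libfixbuf sources, of the copy the reply above calls for: the varfield_t struct mirrors the assumed layout of fbVarfield_t so the code compiles without libfixbuf, and ski_vendor_rec_t, SKI_VENDOR_STR_LEN and ski_copy_varfield are hypothetical names for the SiLK-owned slot and the copy routine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mirror of libfixbuf's fbVarfield_t (assumed layout so this compiles without
 * libfixbuf). buf is owned by libfixbuf and is valid only until the next
 * fBufNext(); it carries no terminating NUL, so len is the only length. */
typedef struct varfield_st { size_t len; uint8_t *buf; } varfield_t;

/* Hypothetical SiLK-owned fixed-width slot for the enterprise string;
 * SKI_VENDOR_STR_LEN is an assumed size, not a SiLK constant. */
#define SKI_VENDOR_STR_LEN 16
typedef struct ski_vendor_rec_st {
    char   vendor_str[SKI_VENDOR_STR_LEN]; /* NUL-terminated after copy */
    size_t vendor_str_len;                 /* bytes kept after truncation */
} ski_vendor_rec_t;

/* Copy the varfield into SiLK-owned memory using the explicit length
 * (never strlen/strcpy on buf). Returns the number of bytes truncated. */
size_t ski_copy_varfield(ski_vendor_rec_t *rec, const varfield_t *vf)
{
    size_t n = (vf->buf == NULL) ? 0 : vf->len;  /* element absent -> empty */
    size_t dropped = 0;
    if (n > SKI_VENDOR_STR_LEN - 1) {            /* keep room for the NUL */
        dropped = n - (SKI_VENDOR_STR_LEN - 1);
        n = SKI_VENDOR_STR_LEN - 1;
    }
    if (n > 0) {
        memcpy(rec->vendor_str, vf->buf, n);
    }
    rec->vendor_str[n] = '\0';
    rec->vendor_str_len = n;
    return dropped;
}

/* Constructed stand-in for a collector loop: libfixbuf reuses its scratch
 * buffer for every record, so a retained 'buf' pointer would alias the next
 * record's bytes. Returns 1 if the copied value survives that reuse. */
int demo_copy_survives_reuse(void)
{
    uint8_t scratch[32];
    varfield_t vf = { 8, scratch };
    ski_vendor_rec_t rec;
    memcpy(scratch, "tenant-A", 8);              /* record 1 */
    ski_copy_varfield(&rec, &vf);
    memcpy(scratch, "tenant-B", 8);              /* record 2 overwrites buf */
    return (memcmp(vf.buf, "tenant-B", 8) == 0)  /* pointer now shows B ... */
        && (strcmp(rec.vendor_str, "tenant-A") == 0); /* ... but the copy kept A */
}
```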
On Sun, 27 Sep 2015 10:43:41 +0530, Abhishek Dey wrote:
> Hi,
> I was modifying the SiLK sources to collect and store vendor specific
> IPFIX field and was able to do it when the element is a fixed width
> element. But now I need to add support to collect some variable length
> fields (string). I tried to use the fbVarfield_t structure in the
> ski_extrwrec_st structure. Also the ski_extrwrec_spec[] is modified
> accordingly and FB_IE_INIT and fbInfoModelAddElement is called for the
> element. But somehow, I am getting NULL in the fbVarfield_t
> buf. Please note that I have not added any code to allocate any memory
> for the buf pointer.
> I would like to know if there is something I am missing. Any help in this regard is appreciated.
> Thank you.
> Regards,
> - Abhishek
>
>> From: mthomas at cert.org
>> To: abhishek_dey at outlook.com
>> CC: netsa-tools-discuss at cert.org; netsa-help at cert.org
>> Subject: Re: [netsa-tools-discuss] Collection and analysis of Vendor specific IPFIX information elements using SiLK 3.10.2
>> Date: Wed, 26 Aug 2015 14:45:42 -0400
>>
>> Abhishek-
>>
>> Thank you for your question.
>>
>> While libfixbuf does support any IPFIX field, the SiLK record format
>> in SiLK 3 is fairly rigid. The next major version of SiLK will
>> provide for a more flexible record format, but currently we do not
>> have an estimated release date.
>>
>> If you are only looking to use one or two enterprise-specific
>> fields, you could "re-purpose" a little-used field such as the SNMP
>> ingress and egress interfaces or the NextHop IP field. For this
>> approach, see
>> https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2014-November/000037.html
>>
>> If that does not meet your needs, you will have to extend the rwRec
>> structure, update skipfix.c to copy your enterprise-specific fields
>> into the rwRec, manually add the fields to each application, and
>> update the source files that read and write rwRecs from and to files
>> on disk. I mentioned the list of SiLK source code files that need
>> to be updated in this post.
>> https://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/2015-May/000091.html
>>
>> Best of luck,
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: Abhishek Dey <abhishek_dey at outlook.com>
>> Date: Mon, 24 Aug 2015 15:23:46 +0530
>> To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>,
>> "netsa-help at cert.org" <netsa-help at cert.org>
>> Subject: [netsa-tools-discuss] Collection and analysis of Vendor specific
>> IPFIX information elements using SiLK 3.10.2
>>
>> Hello CERT-Netsa,
>>
>> I am planning to use SiLK as an IPFIX collector and analyzer in my
>> project. I need to collect some private enterprise specific information
>> elements and store those fields together with RFC defined fields as SiLK
>> records for analysis. I have noticed that SiLK uses the libfixbuf library,
>> which supports collection of any vendor specific information element in
>> IPFIX records.
>>
>> Therefore I would like to know how I can add support for collection and
>> analysis of enterprise specific fields in SiLK, i.e. which source files
>> should I modify to achieve the following:
>>
>> i. Collect and store the private enterprise specific information
>> elements with RFC defined elements in SiLK record format
>>
>> ii. Analyse the stored silk record formats containing both RFC defined
>> and private enterprise specific fields and filter/display them using
>> tools like rwfilter, rwcut, and any other plugin which I need to modify
>> to add the support.
>>
>> It would be very helpful if you can provide me with the necessary
>> information.
>>
>> Thanks and Regards,
>>
>> Abhishek
>