[netsa-tools-discuss] app labeling for flowcap

Mark Thomas mthomas at cert.org
Mon Jan 4 11:15:59 EST 2016


Manickam-

By "flowtype" I assume you are referring to the "type of service
(TOS)" field of the NetFlow v5 record.

SiLK does not store the TOS field.  The only way to have SiLK store
this field is to edit SiLK's source code.

-Mark


On Sun, 20 Dec 2015 22:21:32 +0530, Manickam wrote:

> Thanks Mark.
>
> I have another set of netflow data in form of a capture file. I wanted to
> replay the file using nfreplay / nfdump utilities. But nf* tools throw a bad
> magic error.
>
> I am sure the file is valid. Not sure what is wrong.
>
> In between, I thought I would use "rwpdu2silk" utility to convert to SiLK
> format and store it to SiLK store. I am able to do this, but the flowtype
> which is critical for my analysis is missing as rwpdu2silk is a conversion
> of netflow -> binary format. Is there any way I can input a config file to
> determine the flow type in parallel with silk conversion? This will ease up
> my task.
>
> Thanks in advance,
> Manickam
>
> On Fri, Dec 18, 2015 at 10:29 PM, Mark Thomas <mthomas at cert.org> wrote:
>
>> There is no built-in support for setting an application label when
>> reading NetFlow v5 data.
>>
>> (SiLK does not do any application labeling itself; it depends on a
>> flow generator (such as YAF) to provide the label.)
>>
>> If you wanted to do your own application labeling, you could modify
>> SiLK's C source code.  There are several places to do this:
>>
>> * Modify the NetFlow v5 records at the point at which they are
>>   converted to the SiLK format.  This is handled by the
>>   skPDUSourceGetGeneric() function in
>>   silk/src/libflowsource/pdusource.c
>>
>> * Modify the SiLK records in flowcap before writing to the output
>>   file.  To do this, edit the readerMainPDU() function in
>>   silk/src/flowcap/flowcap.c
>>
>> * Modify the SiLK records in rwflowpack before they are written to
>>   disk. Consider modifying the packRecord() function in
>>   silk/src/rwflowpack/rwflowpack.c.
>>
>> The packing logic function is not expected to change the record, and
>> the signature of the packing logic uses "const rwRec *rwrec".  That
>> could be changed, of course.
>>
>> Good luck,
>>
>> -Mark
>>
>>
>> -----Original Message-----
>> From: Manickam <manickam.subbiah at gmail.com>
>> Date: Thu, 17 Dec 2015 12:24:56 +0530
>> To: <netsa-tools-discuss at cert.org>
>> Subject: [netsa-tools-discuss] app labeling for flowcap
>>
>> Hi
>>
>> I have configured flowcap to listen on a device which generates netflow v5
>> data. Is there any way to label the app based on sport and/or dport with
>> packing logic?
>>
>> Thanks N Regards,
>> Manickam
>>
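As an added example, not code from this thread, from SiLK or from YAF: a minimal C sketch of the port-based labeling Manickam asks about, of the kind that could sit at the NetFlow v5 conversion point Mark names (skPDUSourceGetGeneric() or readerMainPDU(), where the record is still writable, rather than the const packing-logic hook). The flow_rec_t struct, the port table and the function names are constructed for this illustration; in the SiLK tree the record would be the rwRec and its application field, not this stand-in. The label values follow YAF's convention of using the well-known port number of the protocol as the label.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Stand-in for the fields of a NetFlow v5 / SiLK flow record that the
 * labeling needs.  Constructed for this example; SiLK's real record type
 * is the rwRec and this struct is not it. */
typedef struct flow_rec_st {
    uint8_t  proto;        /* IP protocol: 6 = TCP, 17 = UDP */
    uint16_t sport;
    uint16_t dport;
    uint16_t application;  /* label to fill in; 0 = unlabeled */
} flow_rec_t;

/* One row of the port -> application-label table.  proto 0 means the
 * entry applies to any transport protocol. */
typedef struct port_label_st {
    uint8_t  proto;
    uint16_t port;
    uint16_t label;
} port_label_t;

/* Constructed sample table.  The label is the service's well-known port,
 * mirroring what YAF emits in the application field. */
static const port_label_t port_labels[] = {
    {  6,  22,  22 },  /* SSH   (TCP only) */
    {  6,  25,  25 },  /* SMTP  (TCP only) */
    {  0,  53,  53 },  /* DNS   (TCP or UDP) */
    {  6,  80,  80 },  /* HTTP  (TCP only) */
    {  6, 443, 443 },  /* HTTPS (TCP only) */
    { 17, 123, 123 },  /* NTP   (UDP only) */
};

/* Return the label for (proto, port), or 0 when the table has no entry. */
static uint16_t lookup_port(uint8_t proto, uint16_t port)
{
    size_t i;
    for (i = 0; i < sizeof(port_labels) / sizeof(port_labels[0]); ++i) {
        if (port_labels[i].port == port
            && (port_labels[i].proto == 0 || port_labels[i].proto == proto))
        {
            return port_labels[i].label;
        }
    }
    return 0;
}

/* Assign an application label to a flow from its ports and store it in
 * the record.  The lower of the two ports is tried first: the server side
 * of a connection normally sits on the well-known port while the client
 * uses a high ephemeral port, so this avoids mislabeling a flow whose
 * ephemeral port happens to collide with a table entry.  Returns the
 * label that was assigned (0 if the flow stays unlabeled). */
uint16_t label_flow(flow_rec_t *rec)
{
    uint16_t lo = (rec->sport < rec->dport) ? rec->sport : rec->dport;
    uint16_t hi = (rec->sport < rec->dport) ? rec->dport : rec->sport;
    uint16_t label = lookup_port(rec->proto, lo);
    if (label == 0) {
        label = lookup_port(rec->proto, hi);
    }
    rec->application = label;
    return label;
}

/* Convenience wrapper: build a record from raw fields and label it. */
uint16_t label_ports(uint8_t proto, uint16_t sport, uint16_t dport)
{
    flow_rec_t rec = { proto, sport, dport, 0 };
    return label_flow(&rec);
}

int main(void)
{
    /* Constructed sample flows, as they might arrive from a NetFlow v5
     * exporter: client ephemeral port on one side, service on the other. */
    const flow_rec_t samples[] = {
        {  6, 51234,    80, 0 },  /* HTTP request       -> 80  */
        { 17,    53, 40000, 0 },  /* DNS reply over UDP -> 53  */
        { 17, 40000,    80, 0 },  /* port 80 over UDP   -> 0   */
        {  6, 40000, 50000, 0 },  /* two ephemeral ports -> 0  */
    };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        flow_rec_t rec = samples[i];
        label_flow(&rec);
        printf("proto %2u sport %5u dport %5u -> application %u\n",
               rec.proto, rec.sport, rec.dport, rec.application);
    }
    return 0;
}
```

The protocol column in the table is what keeps UDP traffic to port 80 from being labeled HTTP; an analyst relying on the label downstream would otherwise see scanner or tunnel traffic counted as web.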