[netsa-tools-discuss] Cisco AireOS netflow support

Mark Thomas mthomas at cert.org
Wed Sep 13 15:23:28 EDT 2017


Alex-

Looking at the set of information elements that the Cisco AireOS
exports in its NetFlow v9 data, I think there are only three that
SiLK would use:

 * staIPv4Address    => sIP
 * packetDeltaCount  => packets
 * octetDeltaCount   => bytes

The packetDeltaCount and octetDeltaCount elements are already
supported by SiLK.  To support data from the AireOS, SiLK would need
to support using staIPv4Address as an additional location to check
for an IP address.

If you would like to experiment with this, you could globally
change "sourceIPv4Address" to "staIPv4Address" in the files

 silk/src/libflowsource/skipfix.c
 silk/src/libflowsource/check-struct.c

and then recompile and reinstall SiLK.  I believe that will allow
SiLK to capture those flow records.

Cheers.

-Mark
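As an added illustration of the mapping above (an example written for this page, not SiLK code and not part of the thread), here is a small Python NetFlow v9 parser that treats staIPv4Address as a second place to find sIP alongside sourceIPv4Address, run against a constructed AireOS-style export packet. Element numbers 1, 2 and 8 are the standard ones; 366 for staIPv4Address is assumed from the IANA IPFIX registry and should be verified there.

```python
import struct
# NetFlow v9 / IPFIX element numbers. 1, 2 and 8 are standard; 366 for
# staIPv4Address is assumed from memory of the IANA registry; verify it.
OCTET_DELTA, PACKET_DELTA, SRC_IPV4, STA_IPV4 = 1, 2, 8, 366
# Standard and AireOS station addresses both feed "sIP" (the skipfix.c idea).
SILK_FIELDS = {SRC_IPV4: "sIP", STA_IPV4: "sIP",
               PACKET_DELTA: "packets", OCTET_DELTA: "bytes"}

def decode_field(ie, raw):
    if ie in (SRC_IPV4, STA_IPV4):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")

def parse_v9(packet):
    """Parse one NetFlow v9 export packet into SiLK-style dicts."""
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20  # fixed 20-byte v9 header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset: id, field count, (type, len)...
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if nfields == 0:  # trailing padding
                    break
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256 and fs_id in templates:  # data flowset
            fields, p = templates[fs_id], 0
            rec_len = sum(length for _, length in fields)
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ie, length in fields:
                    if ie in SILK_FIELDS:
                        rec[SILK_FIELDS[ie]] = decode_field(ie, body[p:p + length])
                    p += length
                records.append(rec)
    return records

def build_sample():
    """Constructed AireOS-style export: one template plus one data record."""
    tmpl = struct.pack("!HHHHHHHH", 256, 3, STA_IPV4, 4, PACKET_DELTA, 4, OCTET_DELTA, 4)
    data = bytes([10, 1, 2, 3]) + struct.pack("!II", 7, 4200)
    header = struct.pack("!HHIIII", 9, 2, 1000, 1505330608, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Pointing the parser at a capture of the WLC's actual export is a quick way to confirm which elements it sends before recompiling SiLK.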


-----Original Message-----
From: Alex Hautequest <hquest at hquest.pro.br>
Date: Fri, 25 Aug 2017 22:34:14 -0400
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Cisco AireOS netflow support

Hello.

Cisco AireOS (from the Wireless LAN Controllers) has the ability to
export NetFlow v9 data off its WLANs. Unfortunately, Cisco decided to
use a few non-standard fields [1] in the protocol [2], rendering all
but a limited number of netflow collectors unusable. Also unfortunate
is the fact that SiLK is affected by their decision too.

With that said, any chance this can be evaluated and incorporated into a newer SiLK version?

Thanks and regards,

[1] https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/qa_c67-722538.html

[2]
Q. Can AVC be used with third-party management tools?
A. The information exported by AVC is in the standard NetFlow
Version 9 format and certainly lends itself to use with third-party
tools. One example third-party tool that can create custom reports for
Cisco AVC is Plixer Scrutinizer.
Q. What are the supported export formats?
A. AVC currently supports the NetFlow Version 9 export format. The
following unique elements are included in the current version of the
wireless AVC NetFlow record:
 ● applicationTag
 ● ipDiffServCodePoint
 ● octetDeltaCount
 ● packetDeltaCount
 ● postIpDiffServCodePoint
 ● staIPv4Address
 ● staMacAddress
 ● wlanSSID
 ● wtpMacAddress
