[netsa-tools-discuss] Cisco AireOS netflow support

Alex Hautequest hquest at hquest.pro.br
Thu Sep 14 13:17:34 EDT 2017


Hello Mark.

I replaced all instances as per your suggestion, but it did not work - I still have the flows listed as ignored:

Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|356|35726|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|500|496939|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|1022|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|2692|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|14|4024|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|12|4443|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|18|1656|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|558|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|8082|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|5499|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|8|911|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|6|555|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|128|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|489|No IP addresses|
Sep 14 11:13:25 darkstar rwflowpack[23631]: router: forward 15, reverse 0, ignored 0, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'wireless': forward 0, reverse 0, ignored 131, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'firewall': forward 1859, reverse 1453, ignored 5167, nf9: missing-pkts 0

Here is what I used to change the code:
root at server:/tmp/silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g skipfix.c.orig > skipfix.c
root at server:/tmp/silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g check-struct.c.orig > check-struct.c

Thanks and regards,

Alex
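
The log above is the quickest place to see whether a probe is dropping everything. As an added example (not part of this thread or of SiLK), here is a small triage script that parses rwflowpack's IGNORED lines and the per-probe summary lines, tallies the ignore reasons and bytes lost, and flags probes whose records are being ignored wholesale. The sample log is constructed from the lines quoted above; the column layout assumed for the IGNORED lines (sIP|dIP|sPort|dPort|proto|packets|bytes|reason) is inferred from those lines, not taken from SiLK documentation.

```python
import re
from collections import Counter

# Constructed sample in the shape of the rwflowpack log lines quoted above.
SAMPLE_LOG = """\
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|356|35726|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|500|496939|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|1022|No IP addresses|
Sep 14 11:13:25 darkstar rwflowpack[23631]: router: forward 15, reverse 0, ignored 0, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'wireless': forward 0, reverse 0, ignored 131, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'firewall': forward 1859, reverse 1453, ignored 5167, nf9: missing-pkts 0
"""

# Assumed field order of an IGNORED line: sIP|dIP|sPort|dPort|proto|packets|bytes|reason
IGNORED_RE = re.compile(r"rwflowpack\[\d+\]: IGNORED\|(?P<fields>.*)\|$")
PROBE_RE = re.compile(
    r"rwflowpack\[\d+\]: '?(?P<probe>[\w-]+)'?: forward (?P<fwd>\d+), "
    r"reverse (?P<rev>\d+), ignored (?P<ign>\d+), nf9: missing-pkts (?P<miss>\d+)"
)


def summarize(log_text, ratio_threshold=0.5):
    """Count ignored records per reason, sum the bytes they carried, and flag
    probes that are ignoring everything or more than `ratio_threshold` of
    their records. Returns plain dicts so the caller can alert or assert."""
    reasons = Counter()
    bytes_by_reason = Counter()
    probes = {}
    for line in log_text.splitlines():
        m = IGNORED_RE.search(line)
        if m:
            fields = m.group("fields").split("|")
            reason = fields[-1]
            reasons[reason] += 1
            bytes_by_reason[reason] += int(fields[6])
            continue
        m = PROBE_RE.search(line)
        if m:
            probes[m.group("probe")] = {k: int(m.group(k)) for k in ("fwd", "rev", "ign", "miss")}

    alerts = []
    for name, s in probes.items():
        total = s["fwd"] + s["rev"] + s["ign"]
        if s["ign"] and s["fwd"] + s["rev"] == 0:
            alerts.append((name, "all records ignored"))
        elif total and s["ign"] / total > ratio_threshold:
            alerts.append((name, f"{s['ign'] / total:.0%} of records ignored"))
    return {
        "reasons": dict(reasons),
        "bytes_by_reason": dict(bytes_by_reason),
        "probes": probes,
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for reason, n in report["reasons"].items():
        print(f"{n} records ignored: {reason} ({report['bytes_by_reason'][reason]} bytes)")
    for probe, why in report["alerts"]:
        print(f"ALERT {probe}: {why}")
```

Run it against the live log (for example `journalctl -u rwflowpack` piped in, or the syslog file) to see which probe is the one losing records; in the sample, 'wireless' forwards nothing at all, which is the AireOS case, while 'firewall' is also ignoring more than half of its records and deserves its own look.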
-----Original Message-----
From: Mark Thomas
Sent: Wednesday, September 13, 2017 3:23 PM
To: Alex Hautequest
Cc: netsa-tools-discuss 
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Alex-

Looking at the set of information elements that the Cisco AireOS exports in its NetFlow v9 data, I think there are only three that SiLK would use:

 * staIPv4Address    => sIP
 * packetDeltaCount  => packets
 * octetDeltaCount   => bytes

The packetDeltaCount and octetDeltaCount elements are already supported by SiLK.  To support data from the AireOS, SiLK would need to support using staIPv4Address as an additional location to check for an IP address.

If you would like to experiment with this, you could globally change "sourceIPv4Address" to "staIPv4Address" in the files

 silk/src/libflowsource/skipfix.c
 silk/src/libflowsource/check-struct.c

and then recompile and reinstall SiLK.  I believe that will allow SiLK to capture those flow records.

Cheers.

-Mark
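
To make the element-mapping point concrete, here is an added example (my own code, not SiLK's and not from this thread) that builds a NetFlow v9 export packet shaped like the AireOS AVC record, decodes it template by template, and then maps each record onto the fields rwflowpack logs. With only sourceIPv4Address consulted, every record comes out as 0.0.0.0 and is ignored; accepting staIPv4Address as an additional source-address element is the same effect as Mark's sed edit. The element IDs (octetDeltaCount 1, packetDeltaCount 2, sourceIPv4Address 8, destinationIPv4Address 12, staIPv4Address 366) are assumed from the IANA IPFIX registry; the sample addresses and the packet/byte counts are constructed, the counts matching the log lines above.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 / IPFIX information element IDs, assumed from the IANA IPFIX
# registry. Check them against the template your controller actually exports.
IE_OCTET_DELTA_COUNT = 1
IE_PACKET_DELTA_COUNT = 2
IE_SOURCE_IPV4 = 8
IE_DEST_IPV4 = 12
IE_STA_IPV4 = 366

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId
FS_HEADER = struct.Struct("!HH")      # FlowSet id, FlowSet length (also used for id/len pairs)


def build_v9_packet(template_id, fields, records, seq=1, source_id=7):
    """Assemble one NetFlow v9 export packet: a template FlowSet (id 0) followed
    by a data FlowSet whose id is the template id. `records` are pre-packed."""
    tmpl_body = FS_HEADER.pack(template_id, len(fields)) + b"".join(
        FS_HEADER.pack(ie, size) for ie, size in fields)
    tmpl_fs = FS_HEADER.pack(0, FS_HEADER.size + len(tmpl_body)) + tmpl_body
    data_body = b"".join(records)
    pad = (-len(data_body)) % 4  # FlowSets are padded to a 32-bit boundary
    data_fs = FS_HEADER.pack(template_id, FS_HEADER.size + len(data_body) + pad) + data_body + b"\x00" * pad
    header = V9_HEADER.pack(9, 1 + len(records), 0, 0, seq, source_id)
    return header + tmpl_fs + data_fs


def decode_v9(packet):
    """Walk the FlowSets, learn templates from FlowSet 0 and split each data
    record into {element_id: raw_bytes}. Data for unknown templates is skipped."""
    templates = {}
    flows = []
    off = V9_HEADER.size
    while off + FS_HEADER.size <= len(packet):
        fs_id, fs_len = FS_HEADER.unpack_from(packet, off)
        if fs_len < FS_HEADER.size:
            raise ValueError("bad FlowSet length")
        body = packet[off + FS_HEADER.size: off + fs_len]
        if fs_id == 0:
            p = 0
            while p + 4 <= len(body):
                tid, nfields = FS_HEADER.unpack_from(body, p)
                p += 4
                fields = [FS_HEADER.unpack_from(body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                templates[tid] = fields
        elif fs_id >= 256 and fs_id in templates:
            fields = templates[fs_id]
            rec_len = sum(size for _, size in fields)
            p = 0
            while rec_len and p + rec_len <= len(body):
                rec = {}
                for ie, size in fields:
                    rec[ie] = body[p:p + size]
                    p += size
                flows.append(rec)
        off += fs_len
    return flows


def to_silk_like(rec, sip_elements=(IE_SOURCE_IPV4,)):
    """Map a decoded record onto the fields rwflowpack logs. By default only
    sourceIPv4Address is consulted for sIP, so an AireOS record yields 0.0.0.0
    and the 'No IP addresses' outcome; listing IE_STA_IPV4 too is the
    equivalent of Mark's source edit."""
    def ip(candidates):
        for ie in candidates:
            if len(rec.get(ie, b"")) == 4:
                return str(IPv4Address(rec[ie]))
        return "0.0.0.0"

    def count(ie):
        return int.from_bytes(rec.get(ie, b""), "big")

    sip, dip = ip(sip_elements), ip((IE_DEST_IPV4,))
    status = "IGNORED|No IP addresses" if sip == dip == "0.0.0.0" else "OK"
    return {"status": status, "sIP": sip, "dIP": dip,
            "packets": count(IE_PACKET_DELTA_COUNT), "bytes": count(IE_OCTET_DELTA_COUNT)}


# Constructed sample: a template shaped like the AireOS AVC record (station
# address, packets, bytes) and two records with the counts from the log above.
AIREOS_FIELDS = [(IE_STA_IPV4, 4), (IE_PACKET_DELTA_COUNT, 4), (IE_OCTET_DELTA_COUNT, 4)]
SAMPLE_PACKET = build_v9_packet(256, AIREOS_FIELDS, [
    IPv4Address("10.1.2.3").packed + struct.pack("!II", 356, 35726),
    IPv4Address("10.1.2.77").packed + struct.pack("!II", 500, 496939),
])


def ingest(packet, accept_sta_ip=False):
    sip_elements = (IE_SOURCE_IPV4, IE_STA_IPV4) if accept_sta_ip else (IE_SOURCE_IPV4,)
    return [to_silk_like(r, sip_elements) for r in decode_v9(packet)]


if __name__ == "__main__":
    for mode in (False, True):
        print("accept staIPv4Address:", mode)
        for row in ingest(SAMPLE_PACKET, accept_sta_ip=mode):
            print("  ", row)
```

Note that the mapped record still has no destination address, port or protocol, because the AVC template carries none; treating the station address as sIP gets the bytes and packets per client into the repository, but any analysis keyed on dIP or ports will see zeros for that probe.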


-----Original Message-----
From: Alex Hautequest
Date: Fri, 25 Aug 2017 22:34:14 -0400
To: "netsa-tools-discuss"
Subject: [netsa-tools-discuss] Cisco AireOS netflow support

Hello.

Cisco AireOS (on the Wireless LAN Controllers) has the ability to export NetFlow v9 data from its WLANs. Unfortunately, Cisco decided to add a few non-standard fields [1] to the protocol [2], therefore rendering all but a limited number of NetFlow collectors unusable. Also unfortunate is the fact that SiLK is affected by their decision too.

With that said, any chance this can be evaluated and incorporated into a newer SiLK version?

Thanks and regards,

[1] https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/qa_c67-722538.html

[2]
Q. Can AVC be used with third-party management tools?
A. The information exported by AVC is in the standard NetFlow Version 9 format and certainly lends itself to use with third-party tools. One example third-party tool that can create custom reports for Cisco AVC is Plixer Scrutinizer.
Q. What are the supported export formats?
A. AVC currently supports the NetFlow Version 9 export format. The following unique elements are included in the current version of the wireless AVC NetFlow record:
 ●   applicationTag
 ●   ipDiffServCodePoint
 ●   octetDeltaCount
 ●   packetDeltaCount
 ●   postIpDiffServCodePoint
 ●   staIPv4Address
 ●   staMacAddress
 ●   wlanSSID
 ●   wtpMacAddress
