[netsa-tools-discuss] Cisco AireOS netflow support

Mark Thomas mthomas at cert.org
Thu Sep 14 18:08:54 EDT 2017


Alex-

I apologize.  I forgot that the IPFIX element IDs are used in one
place, and there is one more change I should have told you to make.

On line 1315 of skipfix.c, change "case   8" (the numeric ID for
sourceIPv4Address) to "case 366".  The diff of that block of code
(based on clean SiLK sources) is:

======================
@@ -1312,10 +1312,10 @@
             if (ie->ent == 0) {
                 /* STANDARD ELEMENT */
                 switch (ie->num) {
-                  case   8:
+                  case 366:
                   case  12:
-                    /* sourceIPv4Address and/or destinationIPv4Address */
-                    bmap |= TMPL_BIT_sourceIPv4Address;
+                    /* staIPv4Address and/or destinationIPv4Address */
+                    bmap |= TMPL_BIT_staIPv4Address;
                     break;
                   case  27:
                   case  28:
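Review bot: the hunk replaces `case 8` with `case 366` rather than adding the new ID alongside the old one, so a template that carries sourceIPv4Address (8) but not destinationIPv4Address (12) no longer sets the bit at all; since the same rwflowpack instance also receives the standard 'router' and 'firewall' feeds shown in the log, keep all three labels on the shared branch (`case   8:`, `case  12:`, `case 366:`) and make the comment name all three elements instead of dropping sourceIPv4Address from it. The number itself is consistent with the IANA IPFIX registry entry for staIPv4Address.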
=======================

I have attached a patch file that should make all the necessary
changes to a clean version of SiLK 3.16.0.  To apply the patch, go
into the top directory of a clean SiLK distribution and run

  patch -p1 < /tmp/silk-3.16.0-AireOS.patch


Another option would be to experiment with SiLK 4.0, which provides
support for additional IPFIX elements (called "sidecar fields") in
addition to the traditional SiLK fields.  I can look at this next
week to provide you with an example configuration file for
rwflowpack.

Good luck!

-Mark


-----Original Message-----
From: Alex Hautequest <hquest at hquest.pro.br>
Date: Thu, 14 Sep 2017 13:17:34 -0400
To: <netsa-tools-discuss at cert.org>
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Hello Mark.

I replaced all instances as per your suggestion, but it did not work - the flows are still listed as ignored:

Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|356|35726|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|500|496939|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|1022|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|2692|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|14|4024|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|12|4443|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|18|1656|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|558|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|8082|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|5499|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|8|911|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|6|555|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|128|No IP addresses|
Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|489|No IP addresses|
Sep 14 11:13:25 darkstar rwflowpack[23631]: router: forward 15, reverse 0, ignored 0, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'wireless': forward 0, reverse 0, ignored 131, nf9: missing-pkts 0
Sep 14 11:13:25 darkstar rwflowpack[23631]: 'firewall': forward 1859, reverse 1453, ignored 5167, nf9: missing-pkts 0

Here is what I used to change the code:
root at server:/tmp/silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g skipfix.c.orig > skipfix.c
root at server:/tmp/silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g check-struct.c.orig > check-struct.c

Thanks and regards,

Alex
-----Original Message-----
From: Mark Thomas
Sent: Wednesday, September 13, 2017 3:23 PM
To: Alex Hautequest
Cc: netsa-tools-discuss 
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Alex-

Looking at the set of information elements that the Cisco AireOS
exports in its NetFlow v9 data, I think there are only three that SiLK
would use:

 * staIPv4Address    => sIP
 * packetDeltaCount  => packets
 * octetDeltaCount   => bytes

The packetDeltaCount and octetDeltaCount elements are already
supported by SiLK.  To support data from the AireOS, SiLK would need
to support using staIPv4Address as an additional location to check for
an IP address.

If you would like to experiment with this, you could globally change "sourceIPv4Address" to "staIPv4Address" in the files

 silk/src/libflowsource/skipfix.c
 silk/src/libflowsource/check-struct.c

and then recompile and reinstall SiLK.  I believe that will allow SiLK to capture those flow records.

Cheers.

-Mark
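The reason a textual rename of sourceIPv4Address was not enough is that a NetFlow v9 / IPFIX collector keys its templates on the numeric information element ID, not on the element's name. The following is an added example, not SiLK's code: a small NetFlow v9 template and data FlowSet decoder, plus a simplified model of the packer's "No IP addresses" decision, run over a constructed AireOS-style export (staIPv4Address = 366, packetDeltaCount = 2, octetDeltaCount = 1) and a constructed router-style export (8, 12, 2, 1). The record layout and the ignore rule are assumptions made for illustration; the element IDs are the IANA ones that NetFlow v9 reuses.

```python
"""NetFlow v9 template/data decoding keyed by numeric element ID (added example, not SiLK code)."""
import ipaddress
import struct

# IANA IPFIX element IDs reused by NetFlow v9 for these fields.
OCTET_DELTA_COUNT = 1
PACKET_DELTA_COUNT = 2
SOURCE_IPV4 = 8
DESTINATION_IPV4 = 12
STA_IPV4 = 366          # AireOS "staIPv4Address"


def build_v9_packet(template_id, fields, records, source_id=1):
    """Build one NetFlow v9 packet with one template FlowSet and one data FlowSet.
    fields: list of (element_id, length); records: list of {element_id: int}."""
    tmpl_body = struct.pack("!HH", template_id, len(fields))
    for eid, length in fields:
        tmpl_body += struct.pack("!HH", eid, length)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body      # FlowSet ID 0 = template
    data_body = b"".join(rec[eid].to_bytes(length, "big") for rec in records for eid, length in fields)
    pad = (-len(data_body)) % 4                                           # data FlowSets are 4-byte aligned
    data_set = struct.pack("!HH", template_id, 4 + len(data_body) + pad) + data_body + b"\0" * pad
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 0, source_id)
    return header + tmpl_set + data_set


def parse_v9_packet(packet, templates):
    """Walk the FlowSets; learn templates into `templates` (keyed by (source_id, template_id))
    and return the decoded data records as {element_id: int}."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9")
    off, records = 20, []
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + set_len]
        if set_id == 0:                                   # template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif set_id >= 256:                               # data FlowSet
            fields = templates.get((source_id, set_id))
            rec_len = sum(length for _, length in fields) if fields else 0
            if rec_len == 0:                              # unknown template: skip, as a collector would
                off += set_len
                continue
            p = 0
            while p + rec_len <= len(body):               # trailing padding (< 4 bytes) is never a full record
                rec, q = {}, p
                for eid, length in fields:
                    rec[eid] = int.from_bytes(body[q:q + length], "big")
                    q += length
                records.append(rec)
                p += rec_len
        off += set_len
    return records


def to_silk_record(rec, sip_elements=(SOURCE_IPV4,), dip_elements=(DESTINATION_IPV4,)):
    """Simplified model (an assumption, not SiLK's logic) of the packer's decision:
    a record is kept only if one of the configured element IDs yields an IP address."""
    sip = next((rec[e] for e in sip_elements if e in rec), None)
    dip = next((rec[e] for e in dip_elements if e in rec), None)
    if sip is None and dip is None:
        return "IGNORED", {"reason": "No IP addresses"}
    return "OK", {
        "sIP": str(ipaddress.IPv4Address(sip if sip is not None else 0)),
        "dIP": str(ipaddress.IPv4Address(dip if dip is not None else 0)),
        "packets": rec.get(PACKET_DELTA_COUNT, 0),
        "bytes": rec.get(OCTET_DELTA_COUNT, 0),
    }


def decode_and_pack(packet, sip_elements):
    templates = {}
    return [to_silk_record(r, sip_elements) for r in parse_v9_packet(packet, templates)]


# Constructed sample exports (not captured data).
AIREOS_TEMPLATE = [(STA_IPV4, 4), (PACKET_DELTA_COUNT, 4), (OCTET_DELTA_COUNT, 4)]
AIREOS_RECORDS = [
    {STA_IPV4: int(ipaddress.IPv4Address("10.20.30.40")), PACKET_DELTA_COUNT: 356, OCTET_DELTA_COUNT: 35726},
    {STA_IPV4: int(ipaddress.IPv4Address("10.20.30.41")), PACKET_DELTA_COUNT: 9, OCTET_DELTA_COUNT: 1022},
]
ROUTER_TEMPLATE = [(SOURCE_IPV4, 4), (DESTINATION_IPV4, 4), (PACKET_DELTA_COUNT, 4), (OCTET_DELTA_COUNT, 4)]
ROUTER_RECORDS = [{SOURCE_IPV4: int(ipaddress.IPv4Address("192.0.2.1")),
                   DESTINATION_IPV4: int(ipaddress.IPv4Address("198.51.100.7")),
                   PACKET_DELTA_COUNT: 15, OCTET_DELTA_COUNT: 1500}]


def demo():
    aireos = build_v9_packet(256, AIREOS_TEMPLATE, AIREOS_RECORDS, source_id=7)
    router = build_v9_packet(257, ROUTER_TEMPLATE, ROUTER_RECORDS, source_id=1)
    stock = decode_and_pack(aireos, (SOURCE_IPV4,))                  # only ID 8 known: AireOS ignored
    patched_aireos = decode_and_pack(aireos, (SOURCE_IPV4, STA_IPV4))  # 366 added as an extra location
    patched_router = decode_and_pack(router, (SOURCE_IPV4, STA_IPV4))  # standard exporter still works
    return stock, patched_aireos, patched_router


if __name__ == "__main__":
    for label, result in zip(("stock", "patched aireos", "patched router"), demo()):
        print(label, result)
```

With only element 8 configured as a source address, both AireOS records come back as IGNORED / "No IP addresses", matching the rwflowpack log; adding 366 as an additional ID, rather than swapping it for 8, accepts the AireOS records while the router export keeps decoding.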


-----Original Message-----
From: Alex Hautequest
Date: Fri, 25 Aug 2017 22:34:14 -0400
To: "netsa-tools-discuss"
Subject: [netsa-tools-discuss] Cisco AireOS netflow support

Hello.

Cisco AireOS (from the Wireless LAN Controllers) has the ability to
export NetFlow v9 data off its WLANs. Unfortunately, Cisco decided to
use a few non-standard fields [1] in the protocol [2], thereby
rendering all but a limited number of NetFlow collectors
unusable. Also unfortunate is the fact that SiLK is affected by their
decision too.

With that said, any chance this can be evaluated and incorporated into a newer Silk version?

Thanks and regards,

[1] https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/qa_c67-722538.html

[2]
Q.    Can AVC be used with third-party management tools?
A.  The information exported by AVC is in the standard NetFlow Version
9 format and certainly lends itself to use with third-party tools. One
example third-party tool that can create custom reports for Cisco AVC
is Plixer Scrutinizer.
Q.    What are the supported export formats?
A.  AVC currently supports the NetFlow Version 9 export format. The
following unique elements are included in the current version of the
wireless AVC NetFlow record:
 ●   applicationTag
 ●   ipDiffServCodePoint
 ●   octetDeltaCount
 ●   packetDeltaCount
 ●   postIpDiffServCodePoint
 ●   staIPv4Address
 ●   staMacAddress
 ●   wlanSSID
 ●   wtpMacAddress


-------------- next part --------------
A non-text attachment was scrubbed...
Name: silk-3.16.0-AireOS.patch
Type: text/x-patch
Size: 12504 bytes
Desc: not available
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20170914/0ced28d3/attachment.bin>

