[netsa-tools-discuss] Cisco AireOS netflow support

Alex Hautequest hquest at hquest.pro.br
Thu Sep 14 21:24:51 EDT 2017 

Mark,

Thanks for the hint. Still did not work - I have the same output as before and no flows recorded.

I might try SiLK 4.0 as soon as I have a chance to review the documentation, in particular what changes on the configuration side.

Regards,

Alex

-----Original Message-----
From: Mark Thomas
Sent: Thursday, September 14, 2017 6:09 PM
To: Alex Hautequest
Cc: netsa-tools-discuss 
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Alex-

I apologize.  I forgot that the IPFIX element IDs are used in one place, and there is one more change I should have told you to make.

On line 1315 of skipfix.c, change "case   8" (the numeric ID for
sourceIPv4Address) to "case 366".  The diff of that block of code (based on clean SiLK sources) is:

======================
@@ -1312,10 +1312,10 @@
             if (ie->ent == 0) {
                 /* STANDARD ELEMENT */
                 switch (ie->num) {
-                  case   8:
+                  case 366:
                   case  12:
-                    /* sourceIPv4Address and/or destinationIPv4Address */
-                    bmap |= TMPL_BIT_sourceIPv4Address;
+                    /* staIPv4Address and/or destinationIPv4Address */
+                    bmap |= TMPL_BIT_staIPv4Address;
                     break;
                   case  27:
                   case  28:
=======================

I have attached a patch file that should make all the necessary changes to a clean version of SiLK 3.16.0.  To apply the patch, go into the top directory of a clean SiLK distribution and run

  patch -p1 < /tmp/silk-3.16.0-AireOS.patch


Another option would be to experiment with SiLK 4.0, which provides support for additional IPFIX elements (called "sidecar fields") in addition to the traditional SiLK fields.  I can look at this next week to provide you with an example configuration file for rwflowpack.

Good luck!

-Mark


-----Original Message-----
From: Alex Hautequest
Date: Thu, 14 Sep 2017 13:17:34 -0400
To: netsa-tools-discuss
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Hello Mark.

I did replaced all instances as per your suggestion, but it did not worked - still have the flows listed as ignored:

Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|356|35726|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|500|496939|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|1022|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|2692|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|14|4024|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|12|4443|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|18|1656|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|9|558|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|8082|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|72|5499|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|8|911|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|6|555|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|128|No IP addresses| Sep 14 11:13:24 darkstar rwflowpack[23631]: IGNORED|0.0.0.0|0.0.0.0|0|0|0|1|489|No IP addresses| Sep 14 11:13:25 darkstar rwflowpack[23631]: router: forward 15, reverse 0, ignored 0, nf9: missing-pkts 0 Sep 14 11:13:25 darkstar rwflowpack[23631]: 'wireless': forward 0, reverse 0, ignored 131, nf9: missing-pkts 0 Sep 14 11:13:25 darkstar rwflowpack[23631]: 'firewall': forward 1859, reverse 1453, ignored 5167, nf9: missing-pkts 0

Here is what I used to change the code:
root at server:/tmp/silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g skipfix.c.orig > skipfix.c root at server:/tmp/ silk-3.16.0/src/libflowsource# sed s/sourceIPv4Address/staIPv4Address/g check-struct.c.orig > check-struct.c

Thanks and regards,

Alex
-----Original Message-----
From: Mark Thomas
Sent: Wednesday, September 13, 2017 3:23 PM
To: Alex Hautequest
Cc: netsa-tools-discuss
Subject: Re: [netsa-tools-discuss] Cisco AireOS netflow support

Alex-

Looking at the set of information elements that the Cisco AireOS exports in its NetFlow v9 data, I think there are only three that SiLK would use:

 * staIPv4Address    => sIP
 * packetDeltaCount  => packets
 * octetDeltaCount   => bytes

The packetDeltaCount and octetDeltaCount elements are already supported by SiLK.  To support data from the AireOS, SiLK would need to support using staIPv4Address as an additional location to check for an IP address.

If you would like to experiment with this, you could globally change "sourceIPv4Address" to "staIPv4Address" in the files

 silk/src/libflowsource/skipfix.c
 silk/src/libflowsource/check-struct.c

and then recompile and reinstall SiLK.  I believe that will allow SiLK to capture those flow records.

Cheers.

-Mark


-----Original Message-----
From: Alex Hautequest
Date: Fri, 25 Aug 2017 22:34:14 -0400
To: "netsa-tools-discuss"
Subject: [netsa-tools-discuss] Cisco AireOS netflow support

Hello.

Cisco AireOS (from the Wireless Lan Controllers) have the ability to export NetFlow v9 data off its WLANs. Unfortunately, Cisco decided to use a few non-standard fields [1] to the protocol [2], therefore rendering almost all but a few limited number of netflow collectors unusable. Also unfortunate is the fact Silk is too affected by their decision.

With that said, any chance this can be evaluated and incorporated into a newer Silk version?

Thanks and regards,

[1] https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/qa_c67-722538.html

[2]
Q.    Can AVC be used with third-party management tools?
A.  The information exported by AVC is in the standard NetFlow Version
9 format and certainly lends itself to use with third-party tools. One example third-party tool that can create custom reports for Cisco AVC is Plixer Scrutinizer.
Q.    What are the supported export formats?
A.  AVC currently supports the NetFlow Version 9 export format. The following unique elements are included in the current version of the wireless AVC NetFlow record:
 ●   applicationTag
 ●   ipDiffServCodePoint
 ●   octetDeltaCount
 ●   packetDeltaCount
 ●   postIpDiffServCodePoint
 ●   staIPv4Address
 ●   staMacAddress
 ●   wlanSSID
 ●   wtpMacAddress


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6107 bytes
Desc: not available
URL: <http://lists.sei.cmu.edu/pipermail/netsa-tools-discuss/attachments/20170914/8a2728d7/attachment.p7s>

More information about the netsa-tools-discuss mailing list