From aae at sumix.com Mon Apr 8 01:27:34 2019
From: aae at sumix.com (Oleksandr Yermolenko)
Date: Mon, 08 Apr 2019 08:27:34 +0300
Subject: [netsa-tools-discuss] silk and flexible netflow with DPI integration, application key
Message-ID: <87sgutgj7d.fsf@sumix.com>

Hi,

Could someone clarify if it's possible to use Silk for decoding and archiving the "Application name/id" key generated by Cisco flexible netflow with DPI integration? I reviewed the docs a few times and found only the field name "application", field number 29, but it seems to me it's something different.

SiLK Release 3.18.1, installed using forensics repo

Thanks a lot for the specification.

--
Oleksandr Yermolenko
systems engineer

From mthomas at cert.org Mon Apr 8 13:12:05 2019
From: mthomas at cert.org (Mark Thomas)
Date: Mon, 08 Apr 2019 13:12:05 -0400
Subject: [netsa-tools-discuss] silk and flexible netflow with DPI integration, application key
In-Reply-To: <87sgutgj7d.fsf@sumix.com> (Oleksandr Yermolenko's message of "Mon, 8 Apr 2019 08:27:34 +0300")
References: <87sgutgj7d.fsf@sumix.com>
Message-ID: 

Thank you for your question.

The short answer is no, SiLK does not understand the IPFIX/Cisco information element applicationId, ID 95, as defined by RFC 6759.

The "application" field in SiLK holds the "appLabel" field that YAF's DPI/application-labeling code generates. The YAF appLabel field is similar to the value produced by the "IANA-L4" classification in RFC 6759: it is the well-known port number of the service that the flow record represents.

As an enhancement of SiLK, it would be possible to have it store the Selector ID when the Classification Engine ID of the applicationId element is 3. There are no plans to do this at the current time.
-Mark
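An added example, not SiLK, YAF or Cisco code, of the relationship the reply describes: the RFC 6759 applicationId element (IPFIX IE 95) is one octet of Classification Engine ID followed by a Selector ID filling the rest of the element. Only the IANA-L4 engine (ID 3) carries a well-known port number, which is the kind of value SiLK's "application" field (the YAF appLabel) holds; for the proprietary L7 engines there is no equivalent, which is the archiving gap the question is about. The Classification Engine ID names come from RFC 6759; the applicationId byte strings are constructed sample input, and the PEN value in the PANA-L7-PEN sample is a placeholder, not a real assignment.

```python
"""Decode RFC 6759 applicationId values and decide which of them have a
SiLK 'application' (YAF appLabel, a port number) equivalent.

Added example; not SiLK, YAF or Cisco code.  Wire layout per RFC 6759 4.1:
  octet 0      Classification Engine ID
  octets 1..n  Selector ID (length = element length - 1, typically 3 octets
               for Cisco NBAR exports)
"""

# Classification Engine IDs assigned by RFC 6759 (IANA registry).
CLASSIFICATION_ENGINES = {
    1: "IANA-L3",       # selector is an IP protocol number
    2: "PANA-L3",       # proprietary L3 classification
    3: "IANA-L4",       # selector is an IANA well-known port number
    4: "PANA-L4",       # proprietary L4 classification
    6: "USER-Defined",
    12: "PANA-L2",
    13: "PANA-L7",      # proprietary L7 (vendor DPI table); no public mapping
    18: "ETHERTYPE",
    19: "LLC",
    20: "PANA-L7-PEN",  # selector = 4-octet Private Enterprise Number + vendor app id
}


def decode_application_id(raw: bytes) -> dict:
    """Split an applicationId element into engine ID and selector ID."""
    if len(raw) < 2:
        raise ValueError("applicationId needs an engine octet and at least one selector octet")
    engine = raw[0]
    selector_bytes = raw[1:]
    info = {
        "engine_id": engine,
        "engine_name": CLASSIFICATION_ENGINES.get(engine, "unassigned"),
        "selector_len": len(selector_bytes),
        "selector_id": int.from_bytes(selector_bytes, "big"),
    }
    # PANA-L7-PEN: the selector starts with a 4-octet PEN, then the vendor's id.
    if engine == 20 and len(selector_bytes) > 4:
        info["pen"] = int.from_bytes(selector_bytes[:4], "big")
        info["selector_id"] = int.from_bytes(selector_bytes[4:], "big")
    return info


def silk_application_equivalent(raw: bytes):
    """Return the port number comparable with SiLK's 'application' field, or None.

    Only IANA-L4 (engine 3) selectors are port numbers; anything else, and any
    IANA-L4 selector outside 0..65535, has no lossless SiLK representation.
    """
    info = decode_application_id(raw)
    if info["engine_id"] == 3 and 0 <= info["selector_id"] <= 65535:
        return info["selector_id"]
    return None


def archivable_summary(elements):
    """Count how many exported applicationId values SiLK could hold as a port."""
    kept = sum(1 for e in elements if silk_application_equivalent(e) is not None)
    return {"total": len(elements), "as_port": kept, "lost": len(elements) - kept}


if __name__ == "__main__":
    # Constructed sample export: three NBAR-style 4-octet applicationId values.
    sample = [
        bytes([3, 0x00, 0x01, 0xBB]),                 # IANA-L4, port 443
        bytes([3, 0x00, 0x00, 0x35]),                 # IANA-L4, port 53
        bytes([13, 0x00, 0x00, 0x45]),                # PANA-L7, vendor id 69 (constructed)
        bytes([20, 0, 0, 0, 1, 0x00, 0x07]),          # PANA-L7-PEN, PEN placeholder 1, id 7
    ]
    for e in sample:
        print(decode_application_id(e), "->", silk_application_equivalent(e))
    print(archivable_summary(sample))
```

The summary function is the practical check: run it over a sample of what the exporter actually sends before deciding whether SiLK's port-based field is an acceptable substitute for the DPI application id.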