[netsa-tools-discuss] silk and flexible netflow with DPI integration, application key
Mark Thomas
mthomas at cert.org
Mon Apr 8 13:12:05 EDT 2019
Thank you for your question.
The short answer is no, SiLK does not understand the IPFIX/CISCO information element applicationId, ID 95, as defined by RFC6759.
The "application" field in SiLK holds the "appLabel" field that YAF's DPI/application-labeling code generates.
The YAF appLabel field is similar to the value produced by the "IANA-L4" classification in RFC 6759: it is the well-known port number of the service that the flow record represents.
As an enhancement of SiLK, it would be possible to have it store the Selector ID when the Classification Engine ID of the applicationId element is 3. There are no plans to do this at the current time.
-Mark
-----Original Message-----
From: Oleksandr Yermolenko <aae at sumix.com>
Date: Mon, 8 Apr 2019 08:27:34 +0300
To: <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] silk and flexible netflow with DPI integration, application key
Hi,
Could someone clarify whether it's possible to use SiLK for decoding and archiving the "Application name/id" key generated by Cisco Flexible NetFlow with DPI integration?
I reviewed the docs a few times and found only the field name "application", field number 29, but it seems to me it's something different.
SiLK Release 3.18.1, installed using forensics repo
Thanks a lot for the specification.
--
Oleksandr Yermolenko
systems engineer
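The encoding Mark's reply refers to (Classification Engine ID plus Selector ID inside the applicationId element, IE 95) can be shown with a short decoder. The following is an added example, not code from SiLK, YAF or the list thread; it assumes the layout given in RFC 6759 Section 4.1 (first octet is the Classification Engine ID, the remaining octets are the big-endian Selector ID, with Cisco commonly exporting 4 octets in total) and implements the mapping Mark sketches: keep the selector as a SiLK-style "application" value only when the engine is IANA-L4 (3), where the selector is a well-known port and therefore comparable to YAF's appLabel. The sample values are constructed, not taken from a real export.

```python
"""Decode IPFIX applicationId (IE 95, RFC 6759) and derive a SiLK-style
"application" value for the IANA-L4 engine only.

Added example. Assumption: applicationId = 1 octet Classification Engine ID
followed by 1..4 octets of big-endian Selector ID (RFC 6759, Section 4.1).
"""
from typing import Optional

# Classification Engine IDs registered in RFC 6759, Section 4.1.
ENGINE_IDS = {
    1: "IANA-L3",       # selector is an IP protocol number
    2: "PANA-L3",       # proprietary layer-3 classification
    3: "IANA-L4",       # selector is a well-known port number
    4: "PANA-L4",       # proprietary layer-4 classification
    6: "USER-Defined",
    12: "PANA-L7",      # proprietary layer-7 (DPI) classification
    13: "ETHERTYPE",    # selector is an Ethertype
    14: "LLC",          # selector is an LLC SAP
    20: "PANA-L7-PEN",  # selector carries a Private Enterprise Number
}
IANA_L4 = 3


def decode_application_id(raw: bytes) -> tuple:
    """Split an applicationId value into (engine_id, selector_id)."""
    if len(raw) < 2 or len(raw) > 5:
        raise ValueError(f"applicationId must be 2..5 octets, got {len(raw)}")
    return raw[0], int.from_bytes(raw[1:], "big")


def engine_name(engine_id: int) -> str:
    """Human-readable engine name, or a marker for unregistered IDs."""
    return ENGINE_IDS.get(engine_id, f"unknown({engine_id})")


def silk_application_from(raw: bytes) -> Optional[int]:
    """Return the Selector ID as a SiLK-style application (port) value when
    the engine is IANA-L4; otherwise None, since the selector is not a port
    and storing it in a port-valued field would be misleading."""
    engine_id, selector_id = decode_application_id(raw)
    if engine_id == IANA_L4 and 1 <= selector_id <= 65535:
        return selector_id
    return None


# Constructed 4-octet samples in the Cisco export layout (not real data).
SAMPLES = [
    bytes.fromhex("03000035"),  # IANA-L4, selector 53  -> DNS port
    bytes.fromhex("01000006"),  # IANA-L3, selector 6   -> TCP protocol number
    bytes.fromhex("0d000800"),  # ETHERTYPE, 0x0800     -> IPv4
    bytes.fromhex("0c00002a"),  # PANA-L7, selector 42  -> vendor DPI label
]


def summarize(samples=SAMPLES) -> list:
    """One (hex, engine, selector, silk_application) row per sample."""
    rows = []
    for raw in samples:
        eng, sel = decode_application_id(raw)
        rows.append((raw.hex(), engine_name(eng), sel, silk_application_from(raw)))
    return rows


if __name__ == "__main__":
    for hexval, eng, sel, app in summarize():
        print(f"{hexval:>10}  {eng:<12} selector={sel:<6} silk_application={app}")
```

Only the first sample yields a value; the other three decode cleanly but are rejected by `silk_application_from`, which is the distinction that matters when deciding whether a DPI-derived applicationId can be archived in a port-valued field.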