[netsa-tools-discuss] SiLK - Netstream Support

Mark Thomas mthomas at cert.org
Fri Apr 23 16:17:31 EDT 2021


Richard-

Our team does not have experience using Netstream.

Looking at the Netstream documentation, it appears that Netstream is a Huawei / Hewlett Packard Enterprise trademark for their support for exporting Cisco NetFlow.

The header formats for Netstream V5 and V9 are identical to NetFlow, and this page says explicitly that IPFIX is supported:

https://support.huawei.com/enterprise/en/doc/EDOC1100055050/d494430a/format-versions-of-netstream-packets

It is possible that their IPFIX output includes enterprise elements that are not known to SiLK.

I am sorry I cannot provide more information for you.

-Mark
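
The two points above (the v5/v9 header layout being shared with NetFlow, and IPFIX templates possibly carrying enterprise-specific elements a collector does not know) can be checked directly on captured export packets. The following is an added example, not code from SiLK or from the list, and it does not use Huawei's real enterprise number: the packet bytes and the private enterprise number 12345 are constructed here purely so the parser has something to run on offline.

```python
import struct

# Export protocol version numbers carried in the first two bytes of every packet.
NETFLOW_V5, NETFLOW_V9, IPFIX = 5, 9, 10
IPFIX_TEMPLATE_SET_ID = 2
ENTERPRISE_BIT = 0x8000  # high bit of an IPFIX element id marks an enterprise element


def parse_header(data: bytes) -> dict:
    """Decode the fixed export header; a NetStream v5/v9 packet that follows
    the NetFlow layout decodes with the same field offsets."""
    version = struct.unpack("!H", data[:2])[0]
    if version == NETFLOW_V5:
        names = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
        fields = struct.unpack("!HHIIIIBBH", data[:24])
    elif version == NETFLOW_V9:
        names = ("version", "count", "sys_uptime", "unix_secs",
                 "package_sequence", "source_id")
        fields = struct.unpack("!HHIIII", data[:20])
    elif version == IPFIX:
        names = ("version", "length", "export_time", "sequence",
                 "observation_domain_id")
        fields = struct.unpack("!HHIII", data[:16])
    else:
        raise ValueError(f"unsupported export version {version}")
    return dict(zip(names, fields))


def ipfix_template_elements(data: bytes) -> list:
    """Walk the sets of one IPFIX message and list every element declared in
    its template sets as (template_id, element_id, length, enterprise_number);
    enterprise_number is None for standard IANA elements."""
    header = parse_header(data)
    if header["version"] != IPFIX:
        raise ValueError("not an IPFIX message")
    elements = []
    offset, end = 16, header["length"]
    while offset + 4 <= end:
        set_id, set_len = struct.unpack("!HH", data[offset:offset + 4])
        if set_id == IPFIX_TEMPLATE_SET_ID:
            pos, set_end = offset + 4, offset + set_len
            while pos + 4 <= set_end:
                template_id, field_count = struct.unpack("!HH", data[pos:pos + 4])
                pos += 4
                if template_id == 0:  # zero padding at the end of the set
                    break
                for _ in range(field_count):
                    ie_id, ie_len = struct.unpack("!HH", data[pos:pos + 4])
                    pos += 4
                    enterprise = None
                    if ie_id & ENTERPRISE_BIT:
                        enterprise = struct.unpack("!I", data[pos:pos + 4])[0]
                        pos += 4
                        ie_id &= ~ENTERPRISE_BIT
                    elements.append((template_id, ie_id, ie_len, enterprise))
        offset += set_len
    return elements


def enterprise_elements(data: bytes) -> list:
    """Elements a standards-only collector would not recognise by id alone."""
    return [e for e in ipfix_template_elements(data) if e[3] is not None]


def build_sample_netflow_v5() -> bytes:
    # Constructed header: one record, uptime 100 ms, sampling field 1.
    return struct.pack("!HHIIIIBBH", NETFLOW_V5, 1, 100, 1618500000, 0, 7, 0, 0, 1)


def build_sample_ipfix() -> bytes:
    # Constructed template 256 with two IANA elements and one enterprise
    # element under the made-up private enterprise number 12345.
    template = struct.pack("!HH", 256, 3)
    template += struct.pack("!HH", 8, 4)        # sourceIPv4Address
    template += struct.pack("!HH", 152, 8)      # flowStartMilliseconds
    template += struct.pack("!HHI", ENTERPRISE_BIT | 1, 4, 12345)
    tset = struct.pack("!HH", IPFIX_TEMPLATE_SET_ID, 4 + len(template)) + template
    header = struct.pack("!HHIII", IPFIX, 16 + len(tset), 1618500000, 1, 42)
    return header + tset


if __name__ == "__main__":
    print(parse_header(build_sample_netflow_v5()))
    for tid, ie, ln, pen in enterprise_elements(build_sample_ipfix()):
        print(f"template {tid}: enterprise element {ie} (PEN {pen}, {ln} bytes)")
```

Pointing `ipfix_template_elements` at a real UDP payload from the exporter tells you which template fields are standard and which are vendor-private; the standard ones are what a collector expecting NetFlow/IPFIX semantics will map, while the enterprise ones would have to be ignored or handled by a vendor-aware collector.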


-----Original Message-----
From: GOODALL Richard <Richard.goodall at ed.ac.uk>
Date: Thu, 15 Apr 2021 10:47:13 -0400
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] SiLK - Netstream Support

Hi,

We currently use SiLK as a key part of our tool set in the investigation of security incidents.

Flow data is currently being exported from Cisco hardware using
NetFlow, however we are about to migrate our entire network estate
onto HP equipment which does not support NetFlow, but rather NetStream
and SFlow.

I can see from the FAQ that SiLK does support SFlow. However, this
seems less preferable for security investigations as it is sampled
and does not appear to log time. The omission of time stamps in
addition to the use of sampled flow data (in the case of SFlow)
seems to reduce the benefit of the flow data in a security
investigation considerably.  Appreciate that this is not a limitation
of SiLK, but curious if other SiLK users have faced this problem and
if there are ways around it.

From what I can gather, NetStream supports unsampled 1:1 flow data and
does log time, so seems like the best alternative to NetFlow in my
case.

I'd be extremely grateful if someone could confirm if SiLK supports NetStream?

Any other advice as to how I can continue to utilise SiLK practically
in this situation would also be very welcome. It is a great network
analysis tool and one that I am keen to continue using going forward
if at all practically possible.

Much appreciated
Richard


Communications Infrastructure Services
IT Infrastructure Division, Information Services
The University of Edinburgh
Argyle House,
3 Lady Lawson Street,
Edinburgh,
EH3 9DR

Richard.Goodall at ed.ac.uk



The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

