Converting a PCAP trace to NetFlow format

前提是你 提交于 2019-11-30 03:06:47

问题


I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?

Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:

$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace

In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:

$ nfcapd -p 12345 -l ./ 

$ softflowd -n localhost:12345 -r mytrace.pcap

This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:

$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS

but the output of the first command generated zero timestamps.

Any ideas?


回答1:


I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.

Depending on the content of your capture, you have a couple of other options: If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:

FlowTraq Free Exporter

or here:

NProbe

If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.



来源:https://stackoverflow.com/questions/7523366/converting-a-pcap-trace-to-netflow-format

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!