读取netflow/rflow (dd-wrt)数据包内容
我目前正在开发一个 IDS/IPS,它使用 NetFlow 数据来假设是否存在正在进行的攻击。我买不起昂贵的CISCO路由器,所以我买了一个LINKSYS路由器并在上面安装了DD-WRT。 DD-WRT 将 netflow v5 数据包发送到您的首选计算机,因此它就像拥有 CISCO 路由器但较旧。基本上你花 80 美元就可以得到一个 200-500 美元的路由器,再加上一些调整。 我已经设置了路由器,正在获取数据包,我什至使用 DD-WRT 提供的工具来捕获 rFlow(他们这样命名,但它是 netflow v5),一切正常。
我的应用程序必须在内部完成所有工作,这意味着我需要捕获 rflow 数据包,读取它们并根据我的读数得出假设。 我开始用JAVA进行开发,并设置了一个UDP守护进程来监听2055(接收rflow数据包的端口)。一切都很好,我收到了数据包,但是当我尝试查看内容时,我得到了一些奇怪的字符,就像我从内存中转储东西一样。
这是我设置守护程序和读取数据的代码。
try {
serverSocket = new DatagramSocket(2055);
while (true) {
DatagramPacket receivedPacket = new DatagramPacket(received, received.length);
serverSocket.receive(receivedPacket);
ByteArrayInputStream byteIn = new ByteArrayInputStream(receivedPacket.getData(),0,receivedPacket.getLength());
DataInputStream in = new DataInputStream(byteIn);
String input = "";
while( (input = in.readLine()) != null) {
System.out.println(input + "\n");
}
Inet4Address from = (Inet4Address) receivedPacket.getAddress();
System.out.println("FROM: " + from + "\nDATA: " + data[4]);
}
} catch (SocketException ex) {
System.out.println(ex.getMessage());
}
我找到了一个名为 jflow 的库..但没有源代码,所以我对使用它持怀疑态度。我想知道是否有人可以告诉我如何真正读取发送给我的数据包的内容。由于我处于开发的早期阶段,我不一定会使用 JAVA,我可以选择 C++。无论编程语言如何,我最大的问题是如何读取这些数据包的内容,以便我可以得出其他模块所需的正确结论。
I'm currently developing an IDS/IPS that uses NetFlow data to draw assumptions whether there is an ongoing attack. I didn't afford an expensive CISCO router so I bought a LINKSYS router on which I installed DD-WRT. DD-WRT sends netflow v5 packets to your preferred machine so it's like having a CISCO router but older. Basically you get a $200-$500 router for $80 and a little tweaking.
I've set up the router, I'm getting the packets, I even used the DD-WRT provided tool for capturing rFlow (they named it like that but it's netflow v5) and everything works.
My application will have to do everything internally so that means i need to capture rflow packets, read them and draw the assumptions based on my readings.
I started developing in JAVA and set up a UDP daemon to listen on 2055 (port for receiving rflow packets). All good, i'm getting the packets but when i try to view the content i get some weird characters, like I'm dumping stuff from memory.
Here's my code for setting up the deamon and reading data.
try {
serverSocket = new DatagramSocket(2055);
while (true) {
DatagramPacket receivedPacket = new DatagramPacket(received, received.length);
serverSocket.receive(receivedPacket);
ByteArrayInputStream byteIn = new ByteArrayInputStream(receivedPacket.getData(),0,receivedPacket.getLength());
DataInputStream in = new DataInputStream(byteIn);
String input = "";
while( (input = in.readLine()) != null) {
System.out.println(input + "\n");
}
Inet4Address from = (Inet4Address) receivedPacket.getAddress();
System.out.println("FROM: " + from + "\nDATA: " + data[4]);
}
} catch (SocketException ex) {
System.out.println(ex.getMessage());
}
I have found a library called jflow..but there is no source code so i'm pretty skeptical on using it. I was wondering if somebody can tell me how can i actually read the content of the packets being sent to me. Since i'm at an early stage of development I am not bound to use JAVA, i could go for C++. My biggest problem, no matter the programming language is how to read the content of those packets so that I can draw the correct conclusions that i need for my other modules.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
rFlow / NetFlow v5 数据包是二进制数据包布局,因此以文本形式查看它们将显得不可读。
v5 数据包的数据包格式是已知的,可以通过 google 搜索找到。 这似乎是一个很好的参考。
请注意,dd-wrt 上的 rFlow 守护程序有一个长期存在的错误,即它无法正确填写输入或输出接口字段。
The rFlow / NetFlow v5 packets are a binary packet layout, so viewed as text they will appear, well, unreadable.
The packet format for the v5 packets is known, and can be found with a google search. This seems a good reference.
Note that the rFlow daemon on the dd-wrt has a long standing bug where it does not fill in the input or output interface fields correctly.