将 PCAP 跟踪转换为 NetFlow 格式
我想将一些 PCAP 跟踪转换为 Netflow 格式,以便使用 netflow 工具进行进一步分析。有什么办法可以做到这一点吗?
具体来说,我想使用“flow-export”工具从 netflow 跟踪中提取一些感兴趣的字段,如下所示:
$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace
在本例中,mynetflow.trace 文件是通过使用以下命令转换 PCAP 文件来获取的
$ nfcapd -p 12345 -l ./
$ softflowd -n localhost:12345 -r mytrace.pcap
:生成网络流跟踪,但流导出无法正确使用它,因为它的格式不正确。我还尝试将以下命令的输出通过管道传输到 flow-export,如下所示:
$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS
但第一个命令的输出生成零时间戳。
有什么想法吗?
I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?
Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:
$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace
In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:
$ nfcapd -p 12345 -l ./
$ softflowd -n localhost:12345 -r mytrace.pcap
This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:
$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS
but the output of the first command generated zero timestamps.
Any ideas?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我查看了流导出文档,发现 pcap 实现存在一些公认的错误。不确定它们是否已修复。
根据捕获的内容,您还有其他几个选项:
如果您从链接捕获直接流量并希望将其转换为 NetFlow 格式,您可以下载一个免费的 Netflow 导出工具,该工具在此处读取 PCAP:
FlowTraq 免费导出器
或此处:
NProbe
如果您捕获了传输中的 NetFlow 流量(例如 UDP/2055),那么您可以使用任何 Linux 发行版中提供的“tcpreplay”等工具重播它。
I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.
Depending on the content of your capture, you have a couple of other options:
If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:
FlowTraq Free Exporter
or here:
NProbe
If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.
如果您使用的是 Linux 环境,则可以使用
argusLinux 软件包。只需使用apt或您的发行版的包管理器安装argus,然后您就可以将其与 Argus 的ra客户端一起使用来获取 binetflow 格式。这是命令:
If you are using a Linux environment, you can use the
argusLinux package. Just installargususingaptor your distribution's package manager, and then you can use this with Argus'raclient to get the binetflow format.Here is the command: