Ask Your Question
0

How to add some field to decode netflow

asked 2019-06-13 17:19:49 +0000

Bercut gravatar image

Hi all.

We have collected dump of netflow traffic. And I want to see names of PEN 9 (cisco private) fields. I have the fields name from cisco, like this:

  _____________________________________________________________________________
  |                 Field                   |    ID | Ent.ID | Offset |  Size |
  -----------------------------------------------------------------------------
  | connection client ipv4 address          | 12236 |      9 |      0 |     4 |
  | connection server ipv4 address          | 12237 |      9 |      4 |     4 |
  | connection client transport port        | 12240 |      9 |      8 |     2 |
  | connection server transport port        | 12241 |      9 |     10 |     2 |
  | routing vrf input                       |   234 |        |     12 |     4 |
  | interface input snmp                    |    10 |        |     16 |     4 |
  | connection initiator                    |   239 |        |     20 |     1 |
  | connection id                           | 12242 |      9 |     21 |     4 |
  | application id                          |    95 |        |     25 |     4 |
  | interface output snmp                   |    14 |        |     29 |     4 |
  | flow sampler                            |    48 |        |     33 |     1 |
  | services waas segment                   |  9252 |      9 |     34 |     1 |
  | services waas passthrough-reason        |  9253 |      9 |     35 |     1 |
  | application http uri statistics         |  9357 |      9 |     36 |   var |
  | application http host                   | 12235 |      9 |     38 |   var |
  | timestamp sys-uptime first              |    22 |        |     40 |     4 |
  | timestamp sys-uptime last               |    21 |        |     44 |     4 |
  | connection new-connections              |   278 |        |     48 |     4 |
  | connection server counter bytes long    |   232 |        |     52 |     8 |
  | connection server counter packets long  |   299 |        |     60 |     8 |
  | connection client counter bytes long    |   231 |        |     68 |     8 |
  | connection client counter packets long  |   298 |        |     76 |     8 |
  | connection delay response to-server sum |  9303 |      9 |     84 |     4 |
  | connection server counter responses     |  9292 |      9 |     88 |     4 |
  | connection delay response to-server his |  9300 |      9 |     92 |     4 |
  | connection delay network to-server sum  |  9319 |      9 |     96 |     4 |
  | connection delay network to-client sum  |  9316 |      9 |    100 |     4 |
  | connection client counter packets retra |  9268 |      9 |    104 |     4 |
  | connection delay network client-to-serv |  9313 |      9 |    108 |     4 |
  | connection delay application sum        |  9306 |      9 |    112 |     4 |
  | connection delay application max        |  9307 |      9 |    116 |     4 |
  | connection delay response client-to-ser |  9309 |      9 |    120 |     4 |
  | connection transaction duration sum     |  9273 |      9 |    124 |     4 |
  | connection transaction counter complete |  9272 |      9 |    128 |     4 |
  -----------------------------------------------------------------------------

and so on.

How I can do it??

edit retag flag offensive close merge delete

Comments

Hi,

Are you able to see other fields (like SrcAddr, DstAddr, etc.) but not Cisco privates or no fields at all?

Are you running the latest version of Wireshark?

Cheers,

JFD

Spooky gravatar imageSpooky ( 2019-06-13 22:03:21 +0000 )edit

Hi, Spooky

I`m able to see other fields (like SrcAddr, DstAddr, etc.) but Cisco privates fields I see only by number like next:

Flow 1
Enterprise Private entry: (ciscoSystems) Type 12236: Value (hex bytes): 0a 0a 12 12

I have table of correspondence between numbers and names, see the question. And I want to see Cisco privates fields by names.

Bercut gravatar imageBercut ( 2019-06-14 13:54:08 +0000 )edit

Hi Bercut, Based on the code for netflow dissector these proprietary fields probably need to be added. The code looks modular but I'm not a programmer so I wouldn't know how to do that. Maybe ask this as a new specific question in the forum. Good luck. JFD

Spooky gravatar imageSpooky ( 2019-06-14 21:40:58 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-06-15 14:02:38 +0000

Guy Harris gravatar image

As Spooky notes, this would require code changes.

You should submit an enhancement request on the Wireshark Bugzilla for this; that, rather than asking here, the best way to request new features in Wireshark. Put a link to this question into the enhancement request.

Note that the best way to do this might be to have Wireshark read a text file giving descriptions of the fields in question, so that code doesn't have to be changed in the future; that approach is already used for RADIUS and DIAMETER parameters. Unlike RADIUS, where the FreeRADIUS file format can be and is used, I don't know of a standard format for describing Netflow/IPFIX fields in a text file; Elastiflow appears to have a YAML-based format for that, but 1) that file doesn't have a lot of fields, 2) I don't know if any other programs use that format, so it's not as obvious a choice as FreeRADIUS form is for RADIUS dictionaries.

edit flag offensive delete link more

Comments

Bug 15850 has been successfully created

Bercut gravatar imageBercut ( 2019-06-17 08:16:15 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-06-13 17:19:49 +0000

Seen: 37 times

Last updated: 2 days ago