How to add some field to decode netflow
Hi all.
We have collected a dump of NetFlow traffic, and I want to see the names of the PEN 9 (Cisco private) fields. I have the field names from Cisco, like this:
| Field | ID | Ent.ID | Offset | Size |
|---|---|---|---|---|
| connection client ipv4 address | 12236 | 9 | 0 | 4 |
| connection server ipv4 address | 12237 | 9 | 4 | 4 |
| connection client transport port | 12240 | 9 | 8 | 2 |
| connection server transport port | 12241 | 9 | 10 | 2 |
| routing vrf input | 234 | | 12 | 4 |
| interface input snmp | 10 | | 16 | 4 |
| connection initiator | 239 | | 20 | 1 |
| connection id | 12242 | 9 | 21 | 4 |
| application id | 95 | | 25 | 4 |
| interface output snmp | 14 | | 29 | 4 |
| flow sampler | 48 | | 33 | 1 |
| services waas segment | 9252 | 9 | 34 | 1 |
| services waas passthrough-reason | 9253 | 9 | 35 | 1 |
| application http uri statistics | 9357 | 9 | 36 | var |
| application http host | 12235 | 9 | 38 | var |
| timestamp sys-uptime first | 22 | | 40 | 4 |
| timestamp sys-uptime last | 21 | | 44 | 4 |
| connection new-connections | 278 | | 48 | 4 |
| connection server counter bytes long | 232 | | 52 | 8 |
| connection server counter packets long | 299 | | 60 | 8 |
| connection client counter bytes long | 231 | | 68 | 8 |
| connection client counter packets long | 298 | | 76 | 8 |
| connection delay response to-server sum | 9303 | 9 | 84 | 4 |
| connection server counter responses | 9292 | 9 | 88 | 4 |
| connection delay response to-server his | 9300 | 9 | 92 | 4 |
| connection delay network to-server sum | 9319 | 9 | 96 | 4 |
| connection delay network to-client sum | 9316 | 9 | 100 | 4 |
| connection client counter packets retra | 9268 | 9 | 104 | 4 |
| connection delay network client-to-serv | 9313 | 9 | 108 | 4 |
| connection delay application sum | 9306 | 9 | 112 | 4 |
| connection delay application max | 9307 | 9 | 116 | 4 |
| connection delay response client-to-ser | 9309 | 9 | 120 | 4 |
| connection transaction duration sum | 9273 | 9 | 124 | 4 |
| connection transaction counter complete | 9272 | 9 | 128 | 4 |
and so on.
How can I do it?
Are you able to see other fields (like SrcAddr, DstAddr, etc.) but not the Cisco private ones, or no fields at all?
Are you running the latest version of Wireshark?
Hi, Spooky
I'm able to see other fields (like SrcAddr, DstAddr, etc.), but the Cisco private fields I see only by number, like this:
I have a table of correspondence between numbers and names (see the question), and I want to see the Cisco private fields by name.
Hi Bercut, based on the code for the NetFlow dissector, these proprietary fields probably need to be added. The code looks modular, but I'm not a programmer, so I wouldn't know how to do that. Maybe ask this as a new, specific question in the forum. Good luck. JFD
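What naming these fields involves, as an added example (not code from this thread or from the Wireshark dissector): a decoder that reads template field specifiers, looks each (enterprise id, field id) pair up in the first eight rows of the question's table, and labels the bytes of a data record. It assumes the IPFIX (RFC 7011) field-specifier layout, where the high bit of the ID marks an enterprise field; the function names and the sample template and record are constructed for illustration.

```python
import ipaddress
import struct

# First eight rows of the question's table: (name, enterprise id or 0, field id, size).
FIELDS = [
    ("connection client ipv4 address", 9, 12236, 4),
    ("connection server ipv4 address", 9, 12237, 4),
    ("connection client transport port", 9, 12240, 2),
    ("connection server transport port", 9, 12241, 2),
    ("routing vrf input", 0, 234, 4),
    ("interface input snmp", 0, 10, 4),
    ("connection initiator", 0, 239, 1),
    ("connection id", 9, 12242, 4),
]
NAMES = {(pen, fid): name for name, pen, fid, _ in FIELDS}

def parse_field_specifiers(buf, count):
    """Parse `count` IPFIX field specifiers into (enterprise id, field id, length)."""
    specs, pos = [], 0
    for _ in range(count):
        raw_id, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        pen = 0
        if raw_id & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows
            (pen,) = struct.unpack_from("!I", buf, pos)
            pos += 4
        specs.append((pen, raw_id & 0x7FFF, length))
    return specs

def decode_record(specs, record):
    """Walk one fixed-length data record; return (name, offset, value) per field."""
    out, pos = [], 0
    for pen, fid, length in specs:
        if length == 0xFFFF:  # the table's "var" rows need a length prefix parser
            raise ValueError("variable-length fields are not handled here")
        if pos + length > len(record):
            raise ValueError("record shorter than template")
        raw = record[pos:pos + length]
        name = NAMES.get((pen, fid), f"unknown pen={pen} id={fid}")
        value = str(ipaddress.IPv4Address(raw)) if "ipv4" in name else int.from_bytes(raw, "big")
        out.append((name, pos, value))
        pos += length
    return out

# Constructed sample input: a template for the rows above and one matching record.
SAMPLE_TEMPLATE = b"".join(struct.pack("!HHI", f | 0x8000, n, p) if p else
                           struct.pack("!HH", f, n) for _, p, f, n in FIELDS)
SAMPLE_RECORD = (bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 20])
                 + struct.pack("!HHIIBI", 49152, 443, 0, 3, 1, 7))
```

The offsets it computes for these eight fields (0, 4, 8, 10, 12, 16, 20, 21) match the Offset column in the question's table.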