Revision history
How to decode ipfix315 payload using Tshark

I am trying to decode an ipfix315 payload. I tried using the -d option like this:

tshark -i eth1 -d udp.port==2200,cflow -V src 110.0.0.1, but still I am able to see the Data portion for my ipfix 315 validation. Is there a way to get the decoded payload, as we get in the Wireshark GUI?

Frame 19: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Interface id: 0
    WTAP_ENCAP: 1
    Arrival Time: Mar 26, 2018 01:09:40.071456375 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1522051780.071456375 seconds
    [Time delta from previous captured frame: 2.000134457 seconds]
    [Time delta from previous displayed frame: 2.000134457 seconds]
    [Time since reference or first frame: 14.001339583 seconds]
    Frame Number: 19
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0), Dst: Vmware_27:12:30 (00:0c:29:27:12:30)
    Destination: Vmware_27:12:30 (00:0c:29:27:12:30)
        Address: Vmware_27:12:30 (00:0c:29:27:12:30)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        Address: Cisco_96:ec:c0 (c4:71:fe:96:ec:c0)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 110.0.0.1 (110.0.0.1), Dst: 1.70.29.16 (1.70.29.16)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x1c (DSCP 0x07: Unknown DSCP; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0001 11.. = Differentiated Services Codepoint: Unknown (0x07)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 64
    Identification: 0x17a0 (6048)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x189a [correct]
        [Good: True]
        [Bad: False]
    Source: 110.0.0.1 (110.0.0.1)
    Destination: 1.70.29.16 (1.70.29.16)
User Datagram Protocol, Src Port: 48117 (48117), Dst Port: ici (2200)
    Source port: 48117 (48117)
    Destination port: ici (2200)
    Length: 44
    Checksum: 0x0000 (none)
        [Good Checksum: False]
        [Bad Checksum: False]
Data (36 bytes)

0000  00 0a 00 24 5a b8 48 88 00 00 17 a0 00 00 00 00   ...$Z.H.........
0010  00 02 00 14 01 4f 00 03 00 0a 00 04 00 0e 00 04   .....O..........
0020  01 3b ff ff                                       .;..
    Data: 000a00245ab84888000017a00000000000020014014f0003...
    [Length: 36]
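The 36-byte Data blob in the dump above is a complete IPFIX message (version 10) carrying one Template Set. The following parser is an added example, not code from the question or from Wireshark/tshark: it walks the RFC 7011 message header and template record and shows why this packet is an "ipfix315" test, since the last template field is information element 315 (dataLinkFrameSection, RFC 7133) with the variable-length marker 0xffff. The element names come from the IANA IPFIX registry; the byte string is reconstructed from the hex dump.

```python
import struct

# The 36 bytes shown in the tshark hex dump above (Data portion of frame 19).
IPFIX_MSG = bytes.fromhex(
    "000a00245ab84888000017a000000000"   # header: ver 10, len 36, export time, seq, domain
    "00020014014f0003000a0004000e0004"   # Template Set (id 2), len 20, template 335, 3 fields
    "013bffff"                           # IE 315, length 0xffff = variable length
)

# Names for the elements this message uses (IANA IPFIX information element registry).
IE_NAMES = {10: "ingressInterface", 14: "egressInterface", 315: "dataLinkFrameSection"}


def parse_templates(body: bytes) -> list:
    """Parse the template records inside a Template Set body (set id 2)."""
    templates, off = [], 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
            pen = None
            if ie & 0x8000:                      # enterprise bit: a 4-byte PEN follows
                pen = struct.unpack("!I", body[off:off + 4])[0]; off += 4
                ie &= 0x7FFF
            fields.append({"ie": ie, "name": IE_NAMES.get(ie, "?"), "len": flen,
                           "variable": flen == 0xFFFF, "pen": pen})
        templates.append({"template_id": tid, "fields": fields})
    return templates


def parse_ipfix(msg: bytes) -> dict:
    """Parse an IPFIX message header and its sets; rejects malformed lengths."""
    version, length, export_time, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != 10:
        raise ValueError(f"not an IPFIX message (version {version})")
    if length != len(msg):
        raise ValueError(f"header length {length} does not match {len(msg)} bytes")
    sets, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:   # a set may never overrun the message
            raise ValueError(f"set at offset {off} overruns the message")
        body = msg[off + 4:off + set_len]
        sets.append(("template", parse_templates(body)) if set_id == 2 else ("set", body))
        off += set_len
    return {"export_time": export_time, "sequence": seq, "domain": domain, "sets": sets}


if __name__ == "__main__":
    print(parse_ipfix(IPFIX_MSG))
```

A dissector that stops at the Data layer, as in the output above, has not registered this template, so any later data records for template 335 cannot be decoded either.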