问题描述
我想将一些 PCAP 跟踪转换为 Netflow 格式,以便使用 netflow 工具进行进一步分析.有没有办法做到这一点?
I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?
具体来说,我想使用流导出"工具从 netflow 跟踪中提取一些感兴趣的字段,如下所示:
Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:
$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace
在这种情况下,mynetflow.trace 文件是通过使用以下命令转换 PCAP 文件来获取的:
In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:
$ nfcapd -p 12345 -l ./
$ softflowd -n localhost:12345 -r mytrace.pcap
这会生成一个 netflow 跟踪,但它不能被 flow-export 正确使用,因为它的格式不正确.我还尝试将以下命令的输出通过管道传输到流导出,如下所示:
This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:
$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS
但第一个命令的输出生成的时间戳为零.
but the output of the first command generated zero timestamps.
有什么想法吗?
推荐答案
我查看了 flow-export 文档,发现 pcap 实现存在一些公认的错误.不确定它们是否已修复.
I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.
根据捕获的内容,您还有其他几种选择:如果您从链接中捕获直接流量并且希望将其转换为 NetFlow 格式,您可以在此处下载免费的 Netflow 导出器工具,该工具读取 PCAP:
Depending on the content of your capture, you have a couple of other options:If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:
或这里:
如果您捕获了传输中的 NetFlow 流量(例如 UDP/2055),那么您可以使用tcpreplay"之类的工具重放它,该工具可在任何 Linux 发行版中使用.
If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.
这篇关于将 PCAP 跟踪转换为 NetFlow 格式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!