问题描述
我想将一些PCAP跟踪转换为Netflow格式,以使用netflow工具进行进一步分析.有什么办法吗?
I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?
具体来说,我想使用"flow-export"工具来从netflow跟踪中提取一些感兴趣的字段,如下所示:
Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:
$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace
在这种情况下,通过使用以下命令转换PCAP文件来获取mynetflow.trace文件:
In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:
$ nfcapd -p 12345 -l ./
$ softflowd -n localhost:12345 -r mytrace.pcap
这会生成一个netflow跟踪,但由于其格式不正确,因此无法正确用于流导出.我还尝试将以下命令的输出通过管道传递到flow-export,如下所示:
This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:
$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS
,但是第一个命令的输出生成零时间戳.
but the output of the first command generated zero timestamps.
有什么想法吗?
推荐答案
我看了一下flow-export文档,pcap实现中存在一些公认的错误.不确定它们是否已修复.
I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.
根据捕获内容的不同,您还有两个其他选择:如果您从链接捕获了直接流量,并且想要将其转换为NetFlow格式,则可以在此处下载一个免费的netflow导出器工具,该工具读取PCAP:
Depending on the content of your capture, you have a couple of other options:If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:
或此处:
如果您捕获了传输中的NetFlow流量(例如UDP/2055),则可以使用任何Linux发行版中提供的"tcpreplay"之类的工具来重放它.
If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.
这篇关于将PCAP跟踪转换为NetFlow格式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!