
我需要为我的 logstash 收集器生成 netflow 测试数据。

我尝试了很多软件,但每一个都有很多问题。最后我尝试的是 Debian 下的 flow-tools,但遇到了以下问题:

  • 发送的时间戳设置在 1970 年;
  • 我不知道如何设置 sourceip:port/destip:port 来测试地理点等...

我使用这个命令:

# Generate 1000 synthetic NetFlow v5 flow records with flow-gen and pipe them
# into flow-send, whose argument is localip/remoteip/port: here the records are
# exported to the collector listening on 127.0.0.1:2055.
# "-d 1" sets the flow-tools debug level on both commands; it is not a delay
# or a duration.
flow-gen -V5 -n 1000 -d 1 \
  | flow-send 0/127.0.0.1/2055 -d 1

这是我在 tcpdump 中收到的:

started 0.000, last 65471.207
    3.230.2.230/255:0:0 > 0.0.17.230/255:999:1000 >> 3.230.2.230
    3 tos 232, 999 (4294902759 octets) [|cnfp]

这是 logstash 生成的 elasticsearch 条目:

{
    "_index": "logstash-2021.04.12",
    "_type": "_doc",
    "_id": "nJxCxXgB6JaveisQTAD1",
    "_version": 1,
    "_seq_no": 0,
    "_primary_term": 1,
    "found": true,
    "_source": {
        "network": {
            "iana_number": 17,
            "packets": 282,
            "bytes": 282,
            "type": "ipv4",
            "transport": "UDP",
            "protocol": "smtp",
            "direction": "ingress"
        },
        "netflow": {
            "tcp_flags_label": "none",
            "tcp_flag_tags": [],
            "tos": 25,
            "ip_version": "4",
            "version": 5,
            "dst_mask_len": 0,
            "flow_seq_num": 270,
            "engine_type": 0,
            "engine_id": 0,
            "dst_as": 25,
            "sampling_algorithm": 0,
            "flow_records": 30,
            "src_as": 281,
            "next_hop": "0.0.0.0",
            "src_mask_len": 0,
            "sampling_interval": 0,
            "tcp_flags": 0
        },
        "tags": [
            "_geoip_lookup_failure"
        ],
        "ecs": {
            "version": "1.6.0"
        },
        "destination": {
            "packets": 282,
            "bytes": 282,
            "address": "255.255.1.25",
            "port": 25,
            "as": {},
            "ip": "255.255.1.25"
        },
        "event": {
            "module": "flow",
            "kind": "metric",
            "category": "network",
            "dataset": "netflow",
            "type": "connection",
            "start": "1970-01-01T00:00:01.281Z",
            "action": "netflow_flow",
            "end": "1970-02-19T17:01:43.041Z",
            "duration": 4294902
        },
        "agent": {
            "hostname": "debian",
            "type": "Logstash"
        },          
        "source": {
            "packets": 282,
            "bytes": 282,
            "address": "0.0.1.25",
            "port": 281,
            "as": {},
            "ip": "0.0.1.25"
        },
        "@timestamp": "1970-01-01T00:00:00.000Z",
        "observer": {
            "ip": "127.0.0.1",
            "ingress": {
                "interface": {
                    "id": 281
                }
            },
            "egress": {
                "interface": {
                    "id": 25
                }
            },
            "type": "netflow_exporter"
        },
        "related": {
            "ip": [
                "0.0.1.25",
                "255.255.1.25"
            ]
        },
        "@version": "1"
    }
}

更新:

这是 logstash 收到的内容:

"netflow" => {
                  "src_port" => 0,
                     "bytes" => 1,
            "first_switched" => "1970-01-01T00:00:00.000Z",
                 "direction" => "ingress",
                  "src_addr" => "0.0.0.0",
                  "dst_addr" => "255.255.0.0",
             "packet_format" => "data_flowset_format",
             "dst_port_name" => "__UNKNOWN",
             "last_switched" => "1970-02-19T17:01:42.760Z",
               "output_snmp" => 65280,
              "dst_locality" => "public",
                "input_snmp" => 0,
              "src_locality" => "private",
                   "packets" => 1,
                  "dst_port" => 65280,
             "protocol_name" => "UDP",
             "flow_locality" => "public",
                  "protocol" => 17,
             "src_port_name" => "__UNKNOWN"
        },
