10

I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?

Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows: 

$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace

In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:

$ nfcapd -p 12345 -l ./ 

$ softflowd -n localhost:12345 -r mytrace.pcap

This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:

$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS

but the output of the first command generated zero timestamps.

Any ideas?

4

2 回答 2

4

我查看了 flow-export 文档,发现 pcap 实现存在一些公认的错误。不确定它们是否已修复。

根据捕获的内容,您还有其他几个选择:如果您从链接捕获直接流量并且想要将其转换为 NetFlow 格式,您可以在此处下载读取 PCAP 的免费 netflow 导出器工具:

FlowTraq 免费出口商

或在这里:

探针

如果您捕获了传输中的 NetFlow 流量(例如 UDP/2055),那么您可以使用任何 linux 发行版中都可用的“tcpreplay”之类的工具来重放它。

于 2012-08-10T15:51:58.267 回答
1

如果您使用的是 Linux 环境,则可以使用argusLinux 软件包。只需argus使用apt或您的发行版的包管理器安装,然后您可以将其与 Argus 的ra客户端一起使用以获取 binetflow 格式。

这是命令:

argus -F /mnt/argus.conf -r " +f+" -w - | ra -F /mnt/ra.conf -Z b -n >"+f.split(".")[0]+".binetflow
于 2020-03-12T12:08:49.877 回答