Linux 将 PCAP 跟踪转换为 NetFlow 格式
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7523366/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Converting a PCAP trace to NetFlow format
提问by Regressor
I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?
我想将一些 PCAP 跟踪转换为 Netflow 格式,以便使用 netflow 工具进行进一步分析。有没有办法做到这一点?
Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:
具体来说,我想使用“flow-export”工具从 netflow 跟踪中提取一些感兴趣的字段,如下所示:
$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace
In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:
在这种情况下,通过使用以下命令转换 PCAP 文件来获取 mynetflow.trace 文件:
$ nfcapd -p 12345 -l ./
$ softflowd -n localhost:12345 -r mytrace.pcap
This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:
这会生成一个 netflow 跟踪,但它不能被 flow-export 正确使用,因为它的格式不正确。我还尝试将以下命令的输出通过管道传输到流导出,如下所示:
$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS
but the output of the first command generated zero timestamps.
但是第一个命令的输出生成零时间戳。
Any ideas?
有任何想法吗?
回答by Vince Berk
I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.
我查看了 flow-export 文档,发现 pcap 实现存在一些公认的错误。不确定它们是否已修复。
Depending on the content of your capture, you have a couple of other options: If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:
根据您捕获的内容,您还有其他几个选项:如果您从链接捕获了直接流量,并且想要将其转换为 NetFlow 格式,您可以在此处下载读取 PCAP 的免费 netflow 导出器工具:
or here:
或在这里:
If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.
如果您捕获了传输中的 NetFlow 流量(例如 UDP/2055),那么您可以使用“tcpreplay”之类的工具重放它,该工具可在任何 Linux 发行版中使用。
回答by Vishnuteja Kandalam
If you are using a Linux environment, you can use the argusLinux package. Just install argususing aptor your distribution's package manager, and then you can use this with Argus' raclient to get the binetflow format.
如果您使用的是 Linux 环境,则可以使用argusLinux 包。只需安装argususingapt或您的发行版的包管理器,然后您就可以将其与 Argus 的ra客户端一起使用以获取 binetflow 格式。
Here is the command:
这是命令:
argus -F /mnt/argus.conf -r " +f+" -w - | ra -F /mnt/ra.conf -Z b -n >"+f.split(".")[0]+".binetflow
