NFDUMP - Netflow processing tools

in 1.6.6 .you may add %eng which identifies engine type/id. You'll need
to enable extension 14 see nfcapd(1). In combination, you may identify
what you are looking for?

	- Peter

On 9/13/12 17:04, James A. T. Rice wrote:
> Hi Folks,
> 
> When tracing back spoofed traffic on the network, the custom output field 
> %in is useful to show the input interface index, however if using data 
> from multiple netflow sources, it doesn't show which netflow source this 
> index is related to, so a field to show that would be useful.
> 
> Or am I missing something?
> 
> Cheers
> James
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
--
Be nice to your netflow data

On 09/14/2012 10:09 AM, Peter Haag wrote:
> in 1.6.6 .you may add %eng which identifies engine type/id. You'll need
> to enable extension 14 see nfcapd(1). In combination, you may identify
> what you are looking for?

%ra?

>
> 	- Peter
>
> On 9/13/12 17:04, James A. T. Rice wrote:
>> Hi Folks,
>>
>> When tracing back spoofed traffic on the network, the custom output field
>> %in is useful to show the input interface index, however if using data
>> from multiple netflow sources, it doesn't show which netflow source this
>> index is related to, so a field to show that would be useful.
>>
>> Or am I missing something?
>>

On 9/14/12 11:13, Phil Mayers wrote:
> On 09/14/2012 10:09 AM, Peter Haag wrote:
>> in 1.6.6 .you may add %eng which identifies engine type/id. You'll need
>> to enable extension 14 see nfcapd(1). In combination, you may identify
>> what you are looking for?
> 
> %ra?

Sure! router IP is also always an (additional) option.

	- Peter
> 
>>
>> 	- Peter
>>
>> On 9/13/12 17:04, James A. T. Rice wrote:
>>> Hi Folks,
>>>
>>> When tracing back spoofed traffic on the network, the custom output field
>>> %in is useful to show the input interface index, however if using data
>>> from multiple netflow sources, it doesn't show which netflow source this
>>> index is related to, so a field to show that would be useful.
>>>
>>> Or am I missing something?
>>>
> 
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
--
Be nice to your netflow data

Hi Folks,


>> On 09/14/2012 10:09 AM, Peter Haag wrote:

>>> in 1.6.6 .you may add %eng which identifies engine type/id. You'll need
>>> to enable extension 14 see nfcapd(1). In combination, you may identify
>>> what you are looking for?


> On 9/14/12 11:13, Phil Mayers wrote:

>> %ra?


On Fri, 14 Sep 2012, Peter Haag wrote:

> Sure! router IP is also always an (additional) option.



Interesting - niether %eng nor %ra are documented in the list of 
specifiers at the start of bin/nfdump.c , is there somewhere else I should 
be looking for where all the available specifiers are documented?

It sounded like one or the other of those would be ideal, but actually 
it appears not:

** nfdump -M /flows/nfsen/profiles-data/live/sup-tfm1:sup-tfm4  -T  -r 2012/09/14/nfcapd.201209140145 -o 'fmt:%eng %ra %in %ts %td %pr %sap -> %dap %pkt %byt %fl' -c 1
nfdump filter:
any
  engine        Router IP  Input Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
   0/0            0.0.0.0     19 2012-09-14 01:44:49.820     0.000 UDP       mumblemumble:61486 ->   mumblemumble:53          13      910     1

So I have input interface index '19', but on which router? I could go 
through each source individually (in my case there's only two), but isn't 
there a better way of making it print which source that flow came from?

Cheers
James

This works with nudump 1.6.6:

./nfdump  -r /data/nfsen/profile-data/live/any/2012/09/09/09/nfcapd.201209090900  -o 'fmt:%eng %ra %in %ts %td %pr %sap
-> %dap %pkt %byt %fl' -c 1
 engine        Router IP  Input Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port
  Packets    Bytes Flows
  0/0       zz.zz.34.3      8 2012-09-09 07:31:07.712    57.000 TCP       xx.xxx.52.32:179   ->     xx.xxx.52.44:29474
      3      218     1
Summary: total flows: 1, total bytes: 218, total packets: 3, avg bps: 30, avg pps: 0, avg bpp: 72

The tags are documented in nfdump(1) man page.

Hope this helps

	- Peter

On 9/14/12 15:04, James A. T. Rice wrote:
> Hi Folks,
> 
> 
>>> On 09/14/2012 10:09 AM, Peter Haag wrote:
> 
>>>> in 1.6.6 .you may add %eng which identifies engine type/id. You'll need
>>>> to enable extension 14 see nfcapd(1). In combination, you may identify
>>>> what you are looking for?
> 
> 
>> On 9/14/12 11:13, Phil Mayers wrote:
> 
>>> %ra?
> 
> 
> On Fri, 14 Sep 2012, Peter Haag wrote:
> 
>> Sure! router IP is also always an (additional) option.
> 
> 
> 
> Interesting - niether %eng nor %ra are documented in the list of 
> specifiers at the start of bin/nfdump.c , is there somewhere else I should 
> be looking for where all the available specifiers are documented?
> 
> It sounded like one or the other of those would be ideal, but actually 
> it appears not:
> 
> ** nfdump -M /flows/nfsen/profiles-data/live/sup-tfm1:sup-tfm4  -T  -r 2012/09/14/nfcapd.201209140145 -o 'fmt:%eng %ra %in %ts %td %pr %sap -> %dap %pkt %byt %fl' -c 1
> nfdump filter:
> any
>   engine        Router IP  Input Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
>    0/0            0.0.0.0     19 2012-09-14 01:44:49.820     0.000 UDP       mumblemumble:61486 ->   mumblemumble:53          13      910     1
> 
> So I have input interface index '19', but on which router? I could go 
> through each source individually (in my case there's only two), but isn't 
> there a better way of making it print which source that flow came from?
> 
> Cheers
> James
> 
> ------------------------------------------------------------------------------
> Got visibility?
> Most devs has no idea what their production app looks like.
> Find out how fast your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219671;13503038;y?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@...
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
--
Be nice to your netflow data

Got it,

I hadn't realised that: "Sure! router IP is also always an (additional) 
option." was a hint I needed to change the nfcapd options.

Doing "-T all" now (via "$EXTENSIONS = 'all';" in nfsen.con), and the 
router IP shows up. Thanks!

Next: Any clues as to how to have nfsen show something a bit immediately 
usuable than just the Router IP and ifindex though? For example the 
ability to resolve from a static file with Router IP and IfIndex mappings 
to interface names or descriptions would remove one step from the process 
of finding ingress interfaces of evil traffic, which can only be a good 
thing.

Cheers
James