new templates

netflow collecting and processing tools

Brought to you by: phaag

#3 new templates

Status: open

Owner: nobody

Labels: Data processing (1)

Priority: 5

Updated: 2011-02-23

Created: 2011-02-23

Creator: Luca Di Stefano

Private: No

Hello,
I'm looking for add new netflow templates in nfdump. NProbe sends new templates about latencies and http infos and I will try to collect them with nscaptured and visualize with nfsen.

I added in nfx.c
{ EX_LATENCY, 24, 15, 0, "latency"},
(are 6 fields of 32 bit)

then in nffile.h added the new structure:
#define EX_LATENCY 26
typedef struct tpl_ext_26_s {
uint32_t client_nw_delay_usec;
uint32_t client_nw_delay_sec;
uint32_t server_nw_delay_usec;
uint32_t server_nw_delay_sec;
uint32_t appl_latency_usec;
uint32_t appl_latency_sec;
uint8_t data[4]; // points to further data
} tpl_ext_26_t;
and
added the fields in the master_record

The problem is that only the first field is filled.
They are other steps or hints that you can give me?

If the integration succeds, can I provide you a patch to integrate in the mainstream?

thanks!

Luca

P.S. I will try to document how implement a new template.

Discussion

Comment has been marked as spam.
Undo

View and moderate all "support-requests Discussion" comments posted by this user

Mark all as spam, and block user from posting to "Support Requests"

Anonymous - 2011-12-13

(Obligatory reference to http://xkcd.com/979/\)

Luca, any progress? I'm looking to add the template for a Palo Alto Networks firewall.

Last edit: Anonymous 2014-11-22

\(Obligatory reference to http://xkcd.com/979/\) Luca, any progress? I'm looking to add the template for a Palo Alto Networks firewall.

Add attachments
Cancel
You seem to have CSS turned off. Please don't fill out this field.

You seem to have CSS turned off. Please don't fill out this field.

New Attachment:

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Peter Haag - 2011-12-28

Hi Luca,
As for the LATENCY extension, is this still an issue, and if so, how should the data being displayed.
Peter

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Luca Di Stefano - 2012-01-25

Hello
yes is still an issue, actually we use an in house developed tool, but we are still looking for adapt nfdump because is a very powerful and widely used tool.
It would be interesting to find a easy way (if it is technically possible) to add templates because nProbe has implemented many custom templates .
I'm not expert on nfsen be/fe, anyway what should be displayed are the server/client/application latencies in ms for the selected networks.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Luca Di Stefano - 2012-01-25

nfsen latencies mock

nfsen-latency-mock.png

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Luca Di Stefano - 2012-01-25

I uploaded a mock of how should be displayed or better of what I had in mind...
Actually the protocol is http, but in the very near future all the most common application level protocols will be added: ftp sip citrix https oracle skype....
the network analysis at this level will gain even more importance.

let me know if such kind of integration can be possible or if it requires too much effort.
thanks
Luca

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: