How to add some field to decode netflow

Hi all.

We have collected a dump of NetFlow traffic, and I want to see the names of PEN 9 (Cisco private) fields. I have the field names from Cisco, like this:

  _____________________________________________________________________________
  |                 Field                   |    ID | Ent.ID | Offset |  Size |
  -----------------------------------------------------------------------------
  | connection client ipv4 address          | 12236 |      9 |      0 |     4 |
  | connection server ipv4 address          | 12237 |      9 |      4 |     4 |
  | connection client transport port        | 12240 |      9 |      8 |     2 |
  | connection server transport port        | 12241 |      9 |     10 |     2 |
  | routing vrf input                       |   234 |        |     12 |     4 |
  | interface input snmp                    |    10 |        |     16 |     4 |
  | connection initiator                    |   239 |        |     20 |     1 |
  | connection id                           | 12242 |      9 |     21 |     4 |
  | application id                          |    95 |        |     25 |     4 |
  | interface output snmp                   |    14 |        |     29 |     4 |
  | flow sampler                            |    48 |        |     33 |     1 |
  | services waas segment                   |  9252 |      9 |     34 |     1 |
  | services waas passthrough-reason        |  9253 |      9 |     35 |     1 |
  | application http uri statistics         |  9357 |      9 |     36 |   var |
  | application http host                   | 12235 |      9 |     38 |   var |
  | timestamp sys-uptime first              |    22 |        |     40 |     4 |
  | timestamp sys-uptime last               |    21 |        |     44 |     4 |
  | connection new-connections              |   278 |        |     48 |     4 |
  | connection server counter bytes long    |   232 |        |     52 |     8 |
  | connection server counter packets long  |   299 |        |     60 |     8 |
  | connection client counter bytes long    |   231 |        |     68 |     8 |
  | connection client counter packets long  |   298 |        |     76 |     8 |
  | connection delay response to-server sum |  9303 |      9 |     84 |     4 |
  | connection server counter responses     |  9292 |      9 |     88 |     4 |
  | connection delay response to-server his |  9300 |      9 |     92 |     4 |
  | connection delay network to-server sum  |  9319 |      9 |     96 |     4 |
  | connection delay network to-client sum  |  9316 |      9 |    100 |     4 |
  | connection client counter packets retra |  9268 |      9 |    104 |     4 |
  | connection delay network client-to-serv |  9313 |      9 |    108 |     4 |
  | connection delay application sum        |  9306 |      9 |    112 |     4 |
  | connection delay application max        |  9307 |      9 |    116 |     4 |
  | connection delay response client-to-ser |  9309 |      9 |    120 |     4 |
  | connection transaction duration sum     |  9273 |      9 |    124 |     4 |
  | connection transaction counter complete |  9272 |      9 |    128 |     4 |
  -----------------------------------------------------------------------------

and so on.

How can I do it?

Bercut
asked 2019-06-13 17:19:49 +0000

Comments

Hi,

Are you able to see other fields (like SrcAddr, DstAddr, etc.) but not Cisco privates or no fields at all?

Are you running the latest version of Wireshark?

Cheers,

JFD

Spooky (2019-06-13 22:03:21 +0000)

Hi, Spooky

I'm able to see other fields (like SrcAddr, DstAddr, etc.), but the Cisco private fields I see only by number, like this:

Flow 1
Enterprise Private entry: (ciscoSystems) Type 12236: Value (hex bytes): 0a 0a 12 12

I have table of correspondence between numbers and names, see the question. And I want to see Cisco privates fields by names.

Bercut (2019-06-14 13:54:08 +0000)

Hi Bercut, based on the code for the netflow dissector, these proprietary fields probably need to be added. The code looks modular, but I'm not a programmer, so I wouldn't know how to do that. Maybe ask this as a new, specific question in the forum. Good luck. JFD

Spooky (2019-06-14 21:40:58 +0000)

1 Answer


As Spooky notes, this would require code changes.

You should submit an enhancement request on the Wireshark Bugzilla for this; that, rather than asking here, is the best way to request new features in Wireshark. Put a link to this question into the enhancement request.

Note that the best way to do this might be to have Wireshark read a text file giving descriptions of the fields in question, so that code doesn't have to be changed in the future; that approach is already used for RADIUS and DIAMETER parameters. Unlike RADIUS, where the FreeRADIUS file format can be and is used, I don't know of a standard format for describing Netflow/IPFIX fields in a text file; Elastiflow appears to have a YAML-based format for that, but 1) that file doesn't have a lot of fields, and 2) I don't know if any other programs use that format, so it's not as obvious a choice as the FreeRADIUS format is for RADIUS dictionaries.

Guy Harris
answered 2019-06-15 14:02:38 +0000
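As an added illustration of the dictionary-file approach the answer suggests, the Python below is example code written for this page; it is not Wireshark's netflow dissector and not Cisco's code. It parses a dictionary in the exact layout of the table in the question, maps (enterprise number, element ID) pairs to names so that a line like the `Type 12236: Value (hex bytes): 0a 0a 12 12` output in the comments can be annotated, and decodes a data record field by field. Assumptions, all labelled in the code: Ent.ID 9 is Cisco's PEN and a blank Ent.ID is an IANA element; `var` fields use the IPFIX variable-length encoding of RFC 7011 section 7 (a one-byte length, or 255 followed by a two-byte length) and carry UTF-8 text; the record bytes are constructed here and are not from a real capture.

```python
"""Added example (not Wireshark's or Cisco's code): decode IPFIX data records
using a text dictionary of field names in the layout of the question's table.

Assumptions: Ent.ID 9 is Cisco's PEN, a blank Ent.ID is an IANA element, and
"var" fields use the RFC 7011 section 7 variable-length encoding (1-byte
length, or 255 followed by a 2-byte length) and carry UTF-8 text.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed dictionary: a subset of the rows from the question's table.
FIELD_TABLE = """
|                 Field                   |    ID | Ent.ID | Offset |  Size |
| connection client ipv4 address          | 12236 |      9 |      0 |     4 |
| connection server ipv4 address          | 12237 |      9 |      4 |     4 |
| connection client transport port        | 12240 |      9 |      8 |     2 |
| connection server transport port        | 12241 |      9 |     10 |     2 |
| routing vrf input                       |   234 |        |     12 |     4 |
| connection initiator                    |   239 |        |     20 |     1 |
| connection id                           | 12242 |      9 |     21 |     4 |
| application http host                   | 12235 |      9 |     38 |   var |
| timestamp sys-uptime first              |    22 |        |     40 |     4 |
"""


@dataclass(frozen=True)
class Field:
    name: str
    elem_id: int
    pen: Optional[int]   # None = IANA element, otherwise the enterprise number
    size: Optional[int]  # None = variable length


def parse_field_table(text: str) -> List[Field]:
    """Parse '| name | id | ent.id | offset | size |' rows; skip rulers/header."""
    fields = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or not cells[1].isdigit():
            continue  # ruler line, blank line or the header row
        name, elem_id, pen, _offset, size = cells
        fields.append(Field(name, int(elem_id), int(pen) if pen else None,
                            None if size == "var" else int(size)))
    return fields


def build_lookup(fields: List[Field]) -> Dict[Tuple[Optional[int], int], Field]:
    return {(f.pen, f.elem_id): f for f in fields}


def field_name(lookup, pen: Optional[int], elem_id: int) -> Optional[str]:
    f = lookup.get((pen, elem_id))
    return f.name if f else None


def _read_var_len(data: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next_pos) for a variable-length element (RFC 7011 s7)."""
    if pos >= len(data):
        raise ValueError("truncated record: missing variable-length prefix")
    length, pos = data[pos], pos + 1
    if length == 255:  # long form: the next two bytes hold the real length
        if pos + 2 > len(data):
            raise ValueError("truncated record: missing 2-byte length")
        length, pos = struct.unpack_from("!H", data, pos)[0], pos + 2
    return length, pos


def _render(f: Field, raw: bytes):
    if f.size is None:
        return raw.decode("utf-8", errors="replace")  # assumption: text payload
    if f.name.endswith("ipv4 address") and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def decode_record(fields: List[Field], data: bytes) -> Dict[str, object]:
    """Walk the record in template order. The Offset column is deliberately not
    used: after a variable-length field the real offsets depend on the data, and
    every length taken from the wire is bounds-checked before slicing."""
    out, pos = {}, 0
    for f in fields:
        length, pos = _read_var_len(data, pos) if f.size is None else (f.size, pos)
        if pos + length > len(data):
            raise ValueError(f"truncated record at field {f.name!r}")
        out[f.name] = _render(f, data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing byte(s) after the last field")
    return out


WS_LINE = re.compile(r"Type (\d+): Value \(hex bytes\): ([0-9a-f ]+)")


def annotate_wireshark_line(lookup, line: str, pen: int = 9) -> str:
    """Append the dictionary name to a Wireshark 'Enterprise Private entry' line."""
    m = WS_LINE.search(line)
    name = field_name(lookup, pen, int(m.group(1))) if m else None
    return line if name is None else f"{line}  [{name}]"


def sample_record() -> bytes:
    """Constructed data record matching FIELD_TABLE; not from a real capture."""
    host = b"example.test"
    return (bytes([0x0a, 0x0a, 0x12, 0x12])   # client 10.10.18.18 (the question's bytes)
            + bytes([192, 0, 2, 10])          # server 192.0.2.10
            + struct.pack("!HH", 51234, 443)  # client / server transport ports
            + struct.pack("!I", 0)            # routing vrf input
            + bytes([1])                      # connection initiator
            + struct.pack("!I", 0x0001ABCD)   # connection id
            + bytes([len(host)]) + host       # variable-length http host
            + struct.pack("!I", 120000))      # timestamp sys-uptime first


if __name__ == "__main__":
    fields = parse_field_table(FIELD_TABLE)
    for name, value in decode_record(fields, sample_record()).items():
        print(f"{name:40s} {value}")
    print(annotate_wireshark_line(build_lookup(fields), "Enterprise Private entry: "
          "(ciscoSystems) Type 12236: Value (hex bytes): 0a 0a 12 12"))
```

Two design points worth keeping if this is ever turned into a real dissector change: the dictionary's Offset column is only a hint from the exporter's template, so the decoder walks the record sequentially and derives positions itself, and every length read from the packet is checked against the buffer before it is used, since a flow collector is parsing input it does not control.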

Comments

Bug 15850 has been successfully created

Bug 15850 - How to add some field to decode netflow

Bercut (2019-06-17 08:16:15 +0000)
