[Flow-tools] Printing raw netflow v5
Glenn Hochberg
gah at research.att.com
Wed Apr 30 12:14:32 EDT 2008
On Apr 29, 2008, at 10:58 AM, Paul P Komkoff Jr wrote:
> Replying to Glenn Hochberg:
>> Fair question (as to how they got stored in the files), but I don't know
>> the answer. There are collectors somewhere in another organization that
>> store what appears to be the raw PDUs in v5 format (i.e. binary).
>> It appears to start with the Netflow V5 header, etc.
>>
>> In that case is there a way to transform it to the flow-tools format?
>> Where is the flow-tools format described, for that matter, if you know (or
>> if anyone else on the list does)?
>
> Short answer: yes, it is possible.
>
> Slightly longer: yes, it is possible with the following python
> program:
>
> import flowtools
>
> output = flowtools.FlowSet('blablabla', True)
>
> for host, buf in (some host/pdu source):
>     # buf must hold exactly one NetFlow v5 PDU
>     pdu = flowtools.FlowPDU(host, buf)
>     output.write(pdu)
>
> assuming that your host is always the same, you can do
> host = struct.unpack("!I", socket.inet_aton('127.0.0.1'))[0]
>
> How to deal with the PDU source itself depends on whether you have the length
> of each PDU in your stream or not. On every iteration buf should
> contain exactly one PDU.
>
> You can get pyflowtools source from http://pyflowtools.googlecode.com/
> and updated flow-tools from http://flow-tools.googlecode.com
>
> --
> Paul P 'Stingray' Komkoff Jr // http://stingr.net/key <- my pgp key
> This message represents the official view of the voices in my head
Thanks to all who offered suggestions! Paul's solution worked out
great for me--especially since I needed to access the data from
Python anyway.
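The one piece the thread leaves open is the "host/pdu source": how to cut a file of concatenated raw v5 PDUs into exactly-one-PDU buffers when nothing in the stream records each PDU's length. Below is an added example (mine, not from this thread and not pyflowtools code) that does this with the standard library only, using Cisco's documented v5 layout: a 24-byte header whose record count fixes the PDU length (24 + 48 * count bytes, at most 30 records). It validates the header before trusting the count, so a truncated file or a stray non-v5 datagram raises instead of silently misaligning every later PDU. The sample stream is constructed inline; the `host_id` helper is the integer-address trick from Paul's reply. Each `buf` yielded by `split_pdus` is what you would hand to `flowtools.FlowPDU(host, buf)`.

```python
import socket
import struct
from typing import Iterator, List, Tuple

# NetFlow v5 wire layout, all fields big-endian:
# header (24 bytes): version, count, SysUptime, unix_secs, unix_nsecs,
#                    flow_sequence, engine_type, engine_id, sampling_interval
# record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#                    First, Last, srcport, dstport, pad1, tcp_flags, prot, tos,
#                    src_as, dst_as, src_mask, dst_mask, pad2
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def host_id(ip: str) -> int:
    """Exporter address as the 32-bit integer used in the reply above."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def split_pdus(stream: bytes) -> Iterator[bytes]:
    """Yield one v5 PDU per iteration from a stream with no length framing.

    The length is recovered from the header's record count; the header is
    checked first so a bad count cannot desynchronise the rest of the file.
    """
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < V5_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        version, count = struct.unpack_from("!HH", stream, offset)
        if version != 5:
            raise ValueError(f"not a v5 PDU (version {version}) at offset {offset}")
        if not 1 <= count <= V5_MAX_RECORDS:
            raise ValueError(f"implausible record count {count} at offset {offset}")
        length = V5_HEADER.size + V5_RECORD.size * count
        if offset + length > len(stream):
            raise ValueError(f"truncated PDU at offset {offset}")
        yield stream[offset:offset + length]
        offset += length


def parse_pdu(pdu: bytes) -> Tuple[dict, List[dict]]:
    """Decode one PDU into a header dict and a list of record dicts."""
    (version, count, sysuptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(pdu, 0)
    header = {"version": version, "count": count, "sysuptime": sysuptime,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
              "flow_sequence": flow_seq, "engine_type": engine_type,
              "engine_id": engine_id, "sampling_interval": sampling}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(pdu, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": socket.inet_ntoa(f[0]), "dstaddr": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "dPkts": f[5], "dOctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12],
            "prot": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return header, records


def convert_stream(stream: bytes) -> List[Tuple[dict, List[dict]]]:
    """Split and decode every PDU in the stream (the loop from the reply)."""
    return [parse_pdu(pdu) for pdu in split_pdus(stream)]


# --- constructed sample data, not captured traffic ---------------------------
def build_record(src, dst, sport, dport, prot, pkts, octets) -> bytes:
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                          1000, 2000, sport, dport, 0, 0x18, prot, 0,
                          65000, 65001, 24, 24, 0)


def build_sample_stream() -> bytes:
    """Two back-to-back PDUs (2 records, then 1 record), no length prefix."""
    pdu1 = (V5_HEADER.pack(5, 2, 123456, 1209484800, 0, 0, 0, 0, 0)
            + build_record("10.0.0.1", "192.0.2.10", 40000, 80, 6, 10, 1500)
            + build_record("10.0.0.2", "192.0.2.53", 51000, 53, 17, 1, 64))
    pdu2 = (V5_HEADER.pack(5, 1, 123999, 1209484801, 0, 2, 0, 0, 0)
            + build_record("10.0.0.3", "192.0.2.10", 40001, 443, 6, 20, 4000))
    return pdu1 + pdu2


if __name__ == "__main__":
    host = host_id("127.0.0.1")
    for buf in split_pdus(build_sample_stream()):
        header, records = parse_pdu(buf)
        print(host, header["flow_sequence"], len(buf), "bytes", len(records), "records")
```

If the collector did store a length prefix in front of each PDU, replace `split_pdus` with a reader for that framing and keep the header checks; either way the version and count sanity checks are what stop one corrupt datagram from turning the rest of the file into garbage.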