[GTER] netflow - headers

André Proto andreproto at acmesecurity.org
Wed Feb 4 08:33:10 -02 2009


Hi Alexandre,

Try running the command this way:

flow-cat ft-v05.2001-05-01.xxxxxxxxxxxxxxxxxx | flow-export -f 2

The first line produced by flow-export describes the order of the netflow
fields. Since you used "grep" to remove the lines that start with "#", it
did not show up.

#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1233367199,856797732,1855521940,127.0.0.1,1,256,1855506504,1855506504,0,0,192.168.209.5,10.0.253.253,192.168.0.194,16,28,53,11057,17,0,16,24,0,0,0
1233367199,856797732,1855521940,127.0.0.1,1,103,1855506512,1855506512,0,0,192.168.203.42,10.0.170.170,192.168.0.194,18,28,6881,6881,17,0,16,24,0,0,0
...


Regards,

André Proto


Alexandre J. Correa - Onda Internet wrote:
> Dear all,
>
> running the command
>
> flow-cat ft-v05.2001-05-01.xxxxxxxxxxxxxxxxxx | flow-export -f 2 |
> grep -v \# | ./flow-asn.pl
>
> it returns the flow contents already updated with the AS numbers ...
> correctly...
>
> 1233726600,483724374,1967359884,189.84.0.1,7,384,1967324036,1967344676,0,0,41.215.176.209,189.84.0.3,189.84.0.3,3,1,52843,46542,6,0,2,0,24,36959,28362
>
> 1233726600,483724374,1967359884,189.84.0.1,2,294,1967330272,1967344488,0,0,189.84.1.102,119.113.139.122,189.112.98.54,1,3,54058,19074,17,0,16,24,0,28362,4837
>
> 1233726600,483724374,1967359884,189.84.0.1,6,812,1967330748,1967344640,0,0,189.84.1.102,189.74.142.164,189.112.98.54,1,3,13873,3144,6,0,26,24,0,28362,8167
>
> 1233726600,483724374,1967359884,189.84.0.1,9,901,1967327668,1967343188,0,0,193.39.71.2,189.84.1.102,189.84.0.2,3,1,2918,13873,6,0,26,0,24,41796,28362
>
> 1233726600,483724374,1967359884,189.84.0.1,4,168,1967333108,1967343168,0,0,189.84.1.119,85.58.70.45,189.112.98.54,1,3,13257,59008,17,0,16,24,0,28362,12479
>
>
> does anyone know the name of each field?? I found the RFC but the number
> of fields does not match ....
>
>
> thanks !!!
> -- 
> gter list    https://eng.registro.br/mailman/listinfo/gter
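
Since the "#:" header line is what answers the question of which column is which, here is an added example, written for this archive page and not taken from the thread or from flow-tools itself, that parses `flow-export -f 2` output in Python. It uses the "#:" header when present, falls back to the 24-field order quoted above when the header was removed with `grep -v '#'`, and then does a few things a network defender would do with the parsed records: decode `tcp_flags`, sum bytes per AS pair, and list TCP flows that only ever carried SYN. The sample lines are the ones quoted in the thread; the function names and the field-type split are my own assumptions.

```python
from collections import defaultdict

# Field order that `flow-export -f 2` prints in its "#:" header line, as shown
# in the thread. It is the fallback when that header was filtered out with
# `grep -v '#'`.
FLOW_EXPORT_F2_FIELDS = [
    "unix_secs", "unix_nsecs", "sysuptime", "exaddr", "dpkts", "doctets",
    "first", "last", "engine_type", "engine_id", "srcaddr", "dstaddr",
    "nexthop", "input", "output", "srcport", "dstport", "prot", "tos",
    "tcp_flags", "src_mask", "dst_mask", "src_as", "dst_as",
]

# Address-valued columns stay strings; everything else is parsed as an integer
# (assumption for this example).
ADDRESS_FIELDS = {"exaddr", "srcaddr", "dstaddr", "nexthop"}

# Standard TCP flag bit values; tcp_flags is the OR of all packets in the flow.
TCP_FLAG_BITS = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]

# Sample input: the two lines from the reply above, header included.
WITH_HEADER = """#:unix_secs,unix_nsecs,sysuptime,exaddr,dpkts,doctets,first,last,engine_type,engine_id,srcaddr,dstaddr,nexthop,input,output,srcport,dstport,prot,tos,tcp_flags,src_mask,dst_mask,src_as,dst_as
1233367199,856797732,1855521940,127.0.0.1,1,256,1855506504,1855506504,0,0,192.168.209.5,10.0.253.253,192.168.0.194,16,28,53,11057,17,0,16,24,0,0,0
1233367199,856797732,1855521940,127.0.0.1,1,103,1855506512,1855506512,0,0,192.168.203.42,10.0.170.170,192.168.0.194,18,28,6881,6881,17,0,16,24,0,0,0
...
"""

# Sample input: two of the header-less lines from the original question.
NO_HEADER = """1233726600,483724374,1967359884,189.84.0.1,7,384,1967324036,1967344676,0,0,41.215.176.209,189.84.0.3,189.84.0.3,3,1,52843,46542,6,0,2,0,24,36959,28362
1233726600,483724374,1967359884,189.84.0.1,2,294,1967330272,1967344488,0,0,189.84.1.102,119.113.139.122,189.112.98.54,1,3,54058,19074,17,0,16,24,0,28362,4837
"""


def parse_flow_export(text):
    """Parse `flow-export -f 2` output into a list of dicts.

    A "#:" line defines the column names; any other "#" line is a comment.
    Without a header, FLOW_EXPORT_F2_FIELDS is assumed. A row whose field
    count does not match the header is rejected rather than silently
    misaligned, which is exactly the confusion the thread is about.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        if line.startswith("#"):
            if line.startswith("#:"):
                fields = line[2:].split(",")
            continue
        names = fields if fields is not None else FLOW_EXPORT_F2_FIELDS
        values = line.split(",")
        if len(values) != len(names):
            raise ValueError("expected %d fields, got %d: %s" % (len(names), len(values), line))
        record = {}
        for name, value in zip(names, values):
            record[name] = value if name in ADDRESS_FIELDS else int(value)
        records.append(record)
    return records


def flow_duration_ms(record):
    """Flow duration: `first` and `last` are router sysuptime in milliseconds."""
    return record["last"] - record["first"]


def decode_tcp_flags(value):
    """Names of the TCP flags set in a tcp_flags value, in bit order."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]


def bytes_by_as_pair(records):
    """Sum doctets per (src_as, dst_as): a quick view of who talks to whom."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src_as"], r["dst_as"])] += r["doctets"]
    return dict(totals)


def syn_only_tcp_flows(records):
    """TCP flows (prot 6) whose cumulative flags are exactly SYN: the handshake
    never completed. Many of these from one source is worth a closer look."""
    return [r for r in records if r["prot"] == 6 and r["tcp_flags"] == 2]


if __name__ == "__main__":
    for rec in parse_flow_export(WITH_HEADER) + parse_flow_export(NO_HEADER):
        print(rec["srcaddr"], "->", rec["dstaddr"], "prot", rec["prot"],
              "bytes", rec["doctets"], "ms", flow_duration_ms(rec),
              "flags", decode_tcp_flags(rec["tcp_flags"]) if rec["prot"] == 6 else "-")
    print("bytes per AS pair:", bytes_by_as_pair(parse_flow_export(NO_HEADER)))
    print("SYN-only TCP flows:", len(syn_only_tcp_flows(parse_flow_export(NO_HEADER))))
```

Note that the fallback only works because the script was told the order; if your flow-tools build prints a different `-f 2` layout, keep the "#:" line in the pipeline (drop the `grep -v`) and let the parser read the names from it.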
