
I've come across the Wireshark "decode as" feature, where I can decode a UDP packet as CFLOW to get my Netflow data.

Is it possible to code a script that decodes the UDP packet and gets the Netflow data?

Currently I am trying it out using python3-scapy, where I sniff the interface and retrieve only UDP packets. I am stuck now as I don't know what I should do next.

Note: My focus is on Netflow Version 9

Below is my code:

from scapy.all import *

## Create a Packet Counter
counter = 0
INTERFACE = "<interface_name>"

## Define our Custom Action function
def custom_action(pkts):
    for packet in pkts:
        if packet.haslayer(UDP):
            pass  # do something, what should I do?

if __name__ == "__main__":
    ## Setup sniff, filtering for IP traffic
    sniff(iface=INTERFACE, prn=custom_action, store=0)
z.yea

1 Answer

FYI, you can use layer in pkt rather than the "old" pkt.haslayer(layer). This will work with the development version of Scapy (which works with Python 3).

The prn callback accepts a packet, not a packet list or generator.

If you want to use NetflowHeader() to (try to) dissect any UDP packet, you can do:

from scapy.all import *

INTERFACE = "<interface_name>"

def custom_action(pkt):
    if UDP in pkt:
        # replace the undissected payload with a NetflowHeader built from its raw bytes
        pkt[UDP].payload = NetflowHeader(raw(pkt[UDP].payload))

pkts = sniff(iface=INTERFACE, prn=custom_action)

But the closest way to Wireshark's "decode as" functionality in Scapy would be to simply overwrite UDP's .payload_guess attribute:

# make the UDP layer dissect every payload as NetflowHeader, whatever the port
UDP.payload_guess = [({}, NetflowHeader)]
pkts = sniff(iface=INTERFACE)
Pierre
  • Where can I get the `NetflowHeader()` and what is its usage? P.S. I am fairly new to scapy. Thank you – z.yea Dec 06 '17 at 09:29
  • `NetflowHeader()` is the Scapy layer that you need to use to decode data as Netflow. Get the latest version from https://github.com/secdev/scapy. – Pierre Dec 06 '17 at 15:31
  • Thanks! I managed to make the NetflowHeader() work. As I read the documentation for Netflow v9 for scapy, does it mean that when I want to decode a UDP packet to Netflow v9 I just have to change this to this instead: `pkt[UDP].payload = NetflowHeaderV9(Raw(pkt[UDP].payload))`? It will return me the raw Netflow v9 object. Is that it? – z.yea Dec 07 '17 at 02:42
  • No. You will see `NetflowHeaderV9` layers when the `NetflowHeader` decodes version as 9. A NetflowHeader should start with the version number. – Pierre Dec 07 '17 at 12:49
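The question asks whether a script can decode a UDP payload into Netflow data, and the answer and comments explain that Scapy's `NetflowHeader` dispatches on the version field at the start of the payload and then needs the v9 templates to decode the data records. The following is an added example, not code from the question, the answer or the Scapy project: a small pure-Python NetFlow v9 parser written with `struct` so it runs without Scapy. It checks the version field first, learns templates from template flowsets (id 0), decodes data flowsets only for templates it has seen, and rejects truncated or inconsistent lengths rather than guessing. The packet it parses is constructed inline (addresses, ports and counters are made-up sample values); the field type numbers and layout follow RFC 3954.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 export header (RFC 3954): version, count, sysUptime, unixSecs, sequence, sourceId
HEADER = struct.Struct("!HHIIII")

# Field type numbers from RFC 3954 used by the constructed sample below
FIELD_NAMES = {1: "IN_BYTES", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR",
               11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

Template = List[Tuple[int, int]]  # list of (field type, field length)


def decode_field(ftype: int, raw: bytes):
    """Render IPv4 address fields dotted; everything else as a big-endian integer."""
    if ftype in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(payload: bytes, templates: Dict[int, Template]) -> dict:
    """Parse one NetFlow v9 export packet (the raw UDP payload).

    `templates` is shared across calls because an exporter sends templates
    separately from, and less often than, the data records that use them.
    """
    if len(payload) < HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(payload, 0)
    if version != 9:  # the version field decides the format, as in Scapy's NetflowHeader
        raise ValueError(f"not NetFlow v9 (version {version})")

    records = []
    offset = HEADER.size
    while offset + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, offset)
        if fs_len < 4 or offset + fs_len > len(payload):
            raise ValueError("flowset length does not fit the packet")
        body = payload[offset + 4:offset + fs_len]

        if fs_id == 0:  # template flowset: learn (template id -> field list)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                fields: Template = []
                for _ in range(nfields):
                    if pos + 4 > len(body):
                        raise ValueError("truncated template record")
                    fields.append(struct.unpack_from("!HH", body, pos))
                    pos += 4
                templates[tid] = fields
        elif fs_id >= 256:  # data flowset: id is the template id
            fields = templates.get(fs_id)
            rec_len = sum(flen for _, flen in fields) if fields else 0
            if rec_len == 0:
                # unknown template (or degenerate one): skip, never guess a layout
                offset += fs_len
                continue
            pos = 0
            while pos + rec_len <= len(body):  # leftover bytes (< 4) are padding
                rec = {}
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                records.append(rec)
        # ids 1..255 are options templates / reserved; ignored here
        offset += fs_len

    return {"version": version, "count": count, "sys_uptime": uptime,
            "unix_secs": unix_secs, "sequence": seq, "source_id": source_id,
            "records": records}


def build_sample_packet() -> bytes:
    """Constructed sample: one template flowset (template 256) and one data record."""
    template_fields = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template_fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in template_fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    # src 10.0.0.5 -> dst 192.0.2.10, sport 51514, dport 443, 1500 bytes (made-up values)
    rec = bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 10]) + struct.pack("!HHI", 51514, 443, 1500)
    data_fs = struct.pack("!HH", 256, 4 + len(rec)) + rec  # 20 bytes, no padding needed
    header = HEADER.pack(9, 2, 123456, 1512000000, 17, 1)
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    seen_templates: Dict[int, Template] = {}
    print(parse_netflow_v9(build_sample_packet(), seen_templates))
```

In the sniffing script from the question, the input to `parse_netflow_v9` is the UDP payload bytes, i.e. `raw(pkt[UDP].payload)` inside the `prn` callback (one packet per call, as the answer notes), with one `templates` dict kept per exporter address and source id. Data flowsets that arrive before their template are dropped rather than decoded, which is the same reason Scapy shows only `NetflowHeaderV9` plus undissected bytes until a template has been seen.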