
I managed to collect some raw NetFlow data and, with the usage of scapy, to decode my packets to NetFlow version 9. However, I am stuck and unable to move on to convert the field values to human readable text. The code below is how I view the data with scapy:

import logging
from scapy.all import *

def handle(self, ip, data):
    # data is the raw UDP payload of one NetFlow export packet
    logging.info('Receiving Data from %s with %s bytes of data.' % (ip, len(data)))
    a = NetflowHeader(raw(data))
    a.show()

This is the output I get:


z.yea
  • 73
  • 1
  • 7

1 Answer

1

Update: newer Scapy versions have support for on-the-flow netflow v9 parsing (use the GitHub master version).

# Live / on-the-flow / other: use NetflowSession
>>> sniff(session=NetflowSession, prn=[...])

Original post:

Netflow v9 is a poor format, because each packet needs some previous packets to be dissected. Scapy does not support this functionality on-the-go, but it instead provides a function callable on a packet list.

You need to collect a list of the netflowV9 packets then call netflowv9_defragment(thelist)

See https://github.com/secdev/scapy/blob/master/scapy/layers/netflow.py#L11

This only means you can’t use prn with NetflowV9

Cukic0d
  • 5,111
  • 2
  • 19
  • 48
  • I see, I understand what the function can do and I got the result exactly how I wanted them to be, but there is one issue left. That is, I really need to run this job in streaming. Meaning to say, I think I have to use the `prn`. Is there a way for me to convert every single record into human readable text without putting them into a list? – z.yea Jul 20 '18 at 01:56
  • In current scapy, there is no built-in ways of doing so. We have some plans of creating “sessions”, but no release date (we haven’t really got time to work on it)... – Cukic0d Jul 20 '18 at 08:13
  • The thing is some packets contain the “plan” on how to create some other packets. We need to have all of them at once in order to be able to dissect them. The `netflowv9_defragment` is a temporary function (as said in the doc of the netflow.py file: “this API is up to change”) – Cukic0d Jul 20 '18 at 08:14
  • @z.yea FTR I have updated the answer. Newer Scapy versions have integrated this functionality :-) – Cukic0d Apr 24 '19 at 23:01
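To make the template dependency in the answer concrete, here is a small hand-rolled NetFlow v9 decoder added as an example (it is not code from the question, the answer, or Scapy). It keeps a template cache keyed by (source_id, template_id), as a session must, and reports data flowsets that arrive before their template so the caller can hold them back; the two packets are constructed inline and the field-type names are a small assumed subset of the RFC 3954 list.

```python
import struct

# NetFlow v9 export header (RFC 3954): version, count, sys_uptime, unix_secs, sequence, source_id
HDR = struct.Struct("!HHIIII")
# Assumed subset of field-type names; real exporters use many more
FIELD_NAMES = {1: "IN_BYTES", 7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(pkt, templates):
    """Decode one export packet. `templates` persists across packets: a data flowset can only be
    decoded with a template (flowset id 0) seen earlier from the same exporter, which is why a
    per-packet callback cannot do this on its own. Returns (decoded_records, undecodable_ids)."""
    version, _count, _up, _secs, _seq, source_id = HDR.unpack_from(pkt, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, pending, off = [], [], HDR.size
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4:
            raise ValueError("bad flowset length")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more (template_id, field_count, fields...)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 + 4 * i) for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:  # data flowset: fixed-size records laid out by template fs_id
            tmpl = templates.get((source_id, fs_id))
            if tmpl is None:
                pending.append(fs_id)  # template not seen yet: buffer the packet and retry later
            else:
                rec_len, p = sum(l for _, l in tmpl), 0
                while p + rec_len <= len(body):  # trailing bytes are padding
                    rec, q = {}, p
                    for ftype, flen in tmpl:
                        raw, q = body[q:q + flen], q + flen
                        name = FIELD_NAMES.get(ftype, "type_%d" % ftype)
                        rec[name] = ".".join(map(str, raw)) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
                    records.append(rec)
                    p += rec_len
        off += fs_len
    return records, pending

def _hdr(count, source_id=1):  # constructed header for the sample packets below
    return HDR.pack(9, count, 1000, 1532051760, 1, source_id)

# Constructed template 256: src addr(8,4) dst addr(12,4) src port(7,2) dst port(11,2) in_bytes(1,4)
TEMPLATE_PKT = _hdr(1) + struct.pack("!HHHH", 0, 28, 256, 5) + struct.pack("!10H", 8, 4, 12, 4, 7, 2, 11, 2, 1, 4)
# Constructed data flowset for template 256 with one 16-byte record
DATA_PKT = _hdr(1) + struct.pack("!HH", 256, 20) + bytes([10, 0, 0, 5]) + bytes([192, 0, 2, 1]) + struct.pack("!HHI", 40000, 443, 1500)
```

Feeding DATA_PKT first yields no records and reports template 256 as missing; after TEMPLATE_PKT has been parsed into the same cache, the same data packet decodes to named fields.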