I have a code sample from the MSDN website to create a UDP listener/client as I am trying to receive IPFIX/Netflow data from a firewall and then work with the data I receive. The code does work and starts to receive data, but it's jargon (see below), so I guess I am not decoding it correctly.

Does anyone have any ideas what I need to do to be able to get the data in the correct format?

The code I am using is:

using System;
using System.Net;
using System.Net.Sockets;
using System.Text;

public class ConsoleApplication2
{
    private const int listenPort = 2055;

    private static void StartListener()
    {
        bool done = false;

        UdpClient listener = new UdpClient(listenPort);
        IPEndPoint groupEP = new IPEndPoint(IPAddress.Any, listenPort);

        try
        {
            while (!done)
            {
                Console.WriteLine("Waiting for broadcast");
                byte[] bytes = listener.Receive(ref groupEP);

                Console.WriteLine("Received broadcast from {0} :\n {1}\n",
                    groupEP.ToString(),
                    Encoding.ASCII.GetString(bytes, 0, bytes.Length));
            }

        }
        catch (Exception e)
        {
            Console.WriteLine(e.ToString());
        }
        finally
        {
            listener.Close();
        }
    }

    public static int Main()
    {
        StartListener();

        return 0;
    }
}

And the data I get back is:

?M?▼? '$▬+? ☺☺ ?M?▼???k` &??_?07????Q??E?U?j ♥ ☻
♠ P ♣ x ♣ ► ♥ → ♦ ☼?M?▼?M?▼? 1♠ ►?
? ☺

Thanks in advance,

James

Jimbo James

1 Answer

You're assuming that the data being received is in ASCII format when in fact it's structured thusly: See here. The messages have a header and data sets etc. You need to evaluate the data based on the standard, not just a straight text conversion.

Here, for example, is the message header format. A text conversion simply won't do anything with this:

3.1. Message Header Format

   The format of the IPFIX Message Header is shown in Figure F.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       Version Number          |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                           Export Time                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Sequence Number                         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Observation Domain ID                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Paul Sasik
  • I don't know if I am understanding this correctly but does this mean that it's a specific encoding that I will have to write something specifically to decode? If so - I'm getting a little out of my (coding) depth. Do you have any suggestions as to where I could start? – Jimbo James Apr 15 '11 at 11:32
  • @Jimbo: What I'm trying to show you with the header format above is that the message is not plain, old text. It's raw bytes organized in a very particular way. I would check to see if there is source code available out there that you could reuse or at least port to your language of choice. Why are you wanting to do this by the way? – Paul Sasik Apr 15 '11 at 12:06
  • @Jimbo: If you do decide to go ahead and decode the messages (go for it, stretch yourself) the BitArray class in .NET will be a big help. See here: http://msdn.microsoft.com/en-us/library/system.collections.bitarray.aspx I think you'd be surprised how soon you would be turning those raw bits and bytes into actual data! Btw, I'm not sure that UDP is a good choice here. It sounds like the message may come in N packages and UDP does not guarantee delivery. TCP does though. – Paul Sasik Apr 15 '11 at 12:50
  • I am trying to take the data from a Sonicwall firewall and store it for later viewing (the built-in solution only holds 10 minutes!). All the pre-made solutions I found on the internet weren't that good so I decided to make one myself. – Jimbo James Apr 19 '11 at 09:05
  • I have looked at the BitArray class and I am now passing the bytes to the bit array and breaking them down but I'm not receiving the data I would expect. byte[] bytes = listener.Receive(ref groupEP); BitArray bitarray = new BitArray(bytes); I am getting random values in the bit array e.g. [0] = -1945957888. I know I am close to wrapping my head around this but it's taking time. Have you any further advice as to what is happening? – Jimbo James Apr 19 '11 at 09:11
  • @Jimbo: Getting such strange values from your bitarray makes me think you have something wrong in the way you're using it. In any case I would suggest posting a new question on that topic. These comment blocks aren't really conducive to looking at code, and aren't meant to be used that way. – Paul Sasik Apr 19 '11 at 14:09
  • Sorry - I am new to Stack Overflow. Wouldn't creating another question be a duplication? – Jimbo James Apr 19 '11 at 14:36
  • Not really. Your initial question was about string en/decoding a message, your new one would be about using the BitArray class to interpret a message header, for example. – Paul Sasik Apr 19 '11 at 15:19
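
An added example, not part of the original question, answer or MSDN sample: it reads the 16-byte Message Header shown in the answer as big-endian integers instead of ASCII text, then walks the Set headers that follow, rejecting any length field that does not fit the received datagram. The class name, helper names and sample bytes are constructed for illustration; it assumes the exporter sends IPFIX (version 10), and the 4-byte Set header layout (Set ID, Set Length) is taken from the IPFIX specification rather than from this page.

```csharp
using System;

public static class IpfixHeaderDemo
{
    // Network byte order (big-endian) readers; callers check bounds first.
    static ushort U16(byte[] b, int o) => (ushort)((b[o] << 8) | b[o + 1]);
    static uint U32(byte[] b, int o) =>
        ((uint)b[o] << 24) | ((uint)b[o + 1] << 16) | ((uint)b[o + 2] << 8) | b[o + 3];

    // Returns a one-line summary, or throws FormatException on malformed input.
    public static string Describe(byte[] msg)
    {
        if (msg.Length < 16) throw new FormatException("shorter than the 16-byte header");
        ushort version = U16(msg, 0), length = U16(msg, 2);
        if (version != 10) throw new FormatException("not IPFIX, version=" + version);
        if (length < 16 || length > msg.Length)
            throw new FormatException("Length field disagrees with datagram size");

        DateTime export = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)
            .AddSeconds(U32(msg, 4));
        string text = string.Format("v{0} len={1} export={2:u} seq={3} domain={4}",
            version, length, export, U32(msg, 8), U32(msg, 12));

        // Walk the Set headers; a Set Length from the wire is never trusted blindly.
        for (int off = 16; off + 4 <= length; )
        {
            ushort setId = U16(msg, off), setLen = U16(msg, off + 2);
            if (setLen < 4 || off + setLen > length)
                throw new FormatException("bad Set Length at offset " + off);
            text += string.Format(" | set id={0} len={1}", setId, setLen);
            off += setLen;
        }
        return text;
    }

    public static void Main()
    {
        // Constructed sample datagram: 16-byte header plus one 8-byte Set.
        byte[] sample = {
            0x00, 0x0A, 0x00, 0x18,   // Version Number 10, Length 24
            0x4D, 0xA8, 0x2B, 0x30,   // Export Time (seconds since the Unix epoch)
            0x00, 0x00, 0x00, 0x01,   // Sequence Number 1
            0x00, 0x00, 0x00, 0x00,   // Observation Domain ID 0
            0x00, 0x02, 0x00, 0x08,   // Set ID 2, Set Length 8
            0x01, 0x00, 0x00, 0x00 }; // Set body (constructed)
        Console.WriteLine(Describe(sample));
    }
}
```

In the listener from the question, `Describe(bytes)` would replace the `Encoding.ASCII.GetString(...)` call, wrapped in a `catch (FormatException)` so that one malformed datagram does not stop the receive loop.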