
I'm trying to write a collector which listens to incoming Netflow v9 packets on a UDP port and unpacks the records and calculates the total number of bytes.

I have a sample collection of data (which I recorded with nfcapd). When I analyse this data with nfdump, it comes to 8.2GB.

nfdump -r netflowv9.201911081650

When I transmit this data (locally) using nfreplay, my Python code finds only about half the data compared to nfdump, and that's even when I set nfreplay to replay the netflow really really slowly.

nfreplay -r netflowv9.201911081650 -v 9 -d 10000

And then also some of the time I get just bad data and my Python script seems to report several petabytes.

Any hints?

My code: https://pastebin.com/hubPJ6tA (Just run it before the nfreplay as above. I'm using pypy 3.6)

My sample data: http://edward.filegooi.co.za/get2/f207e55ec37428e82d8ce91952fda85b/netflowv9.201911081650

Edward van Kuik

1 Answer


python-ipfix can process Netflow V9 packets as well as IPFIX (V10) packets, despite its name.

The API documentation covers reading a stream from either a file or socket using the ipfix.reader class. It does not mention the ipfix.v9pdu class, but this works in exactly the same way. There are good examples of both V9 and IPFIX in the included ipfixstat script.

import ipfix.message
import ipfix.reader
import ipfix.v9pdu

# args.file is the path obtained from the script's own command-line parsing (as in ipfixstat)
ipfix.reader.from_stream(open(args.file, mode="rb"))
NickBroon
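The two symptoms in the question (only about half the traffic counted, and occasional totals in the petabytes) are what a v9 collector sees when UDP export packets are dropped and when data records are decoded without their template or with the wrong field length. The following is an added example, written for this page and not code from either poster or from python-ipfix: a minimal NetFlow v9 (RFC 3954) decoder that learns templates per exporter, only sums IN_BYTES from records whose template is known, and uses the header sequence number (which counts export packets) to report lost datagrams. The sample packets are constructed here; the exporter address and flow sizes are made up.

```python
import struct

IN_BYTES = 1  # NetFlow v9 field type 1: octet count of the flow (IN_BYTES)

def parse_v9_packet(data, templates, last_seq):
    """Parse one NetFlow v9 export packet; return (in_bytes_total, records, packets_lost).
    templates: (source_id, template_id) -> [(field_type, field_len), ...] learned from template
    flowsets; last_seq: source_id -> last sequence number seen, used to count dropped packets."""
    version, _count, _uptime, _secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    lost = seq - last_seq[source_id] - 1 if source_id in last_seq else 0  # v9 seq counts packets
    last_seq[source_id] = seq
    total, records, offset = 0, 0, 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(data):
            break  # truncated or malformed flowset: stop rather than decode garbage
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:  # template flowset: learn the record layout per (exporter, template id)
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[(source_id, tid)] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                               for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id > 255 and (source_id, fs_id) in templates:  # data flowset with a known template
            tmpl = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in tmpl)
            pos = 0
            while rec_len and pos + rec_len <= len(body):  # leftover bytes < rec_len are padding
                fpos = pos
                for ftype, flen in tmpl:
                    if ftype == IN_BYTES:  # big-endian, width given by the template (not always 4)
                        total += int.from_bytes(body[fpos:fpos + flen], "big")
                    fpos += flen
                pos, records = pos + rec_len, records + 1
        offset += fs_len
    return total, records, max(lost, 0)

def sample_packets():
    """Constructed test data: packet seq=1 carries a template plus two records, seq=3 two more
    records (seq 2 is deliberately missing to mimic a dropped UDP datagram)."""
    hdr = lambda count, seq: struct.pack("!HHIIII", 9, count, 1000, 1573228200, seq, 1)
    tmpl = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, IN_BYTES, 4)  # fields: src addr, IN_BYTES
    recs = lambda sizes: struct.pack("!HH", 256, 4 + 8 * len(sizes)) + b"".join(
        struct.pack("!4sI", b"\x0a\x00\x00\x01", s) for s in sizes)
    return [hdr(3, 1) + tmpl + recs([1500, 2500]), hdr(2, 3) + recs([4000, 60000])]
```

Feeding each datagram from a UDP socket through parse_v9_packet with shared templates and last_seq dicts gives a running byte total that can be compared against nfdump, while a non-zero packets_lost count points at socket buffer drops rather than a decoding bug.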