1

I am working on a program that imports and exports net flow data. Because of our general architecture, it would make sense to describe this information in XML. Does there exist an XML for describing net flow data?

A good description of NetFlow data can be found in this Usenix paper http://www.usenix.org/events/lisa00/full_papers/navarro/navarro_html/

According to the paper, an SQL schema for describing net flow data is:

create table netflows (
   router_id  char(1)            not null,
   src_ipn    bigint    unsigned not null,
   dst_ipn    bigint    unsigned not null,
   nxt_ipn    bigint    unsigned not null,
   ifin       smallint  unsigned not null,
   ifout      smallint  unsigned not null,
   packets    integer   unsigned not null,
   octets     integer   unsigned not null,
   starttime  timestamp          not null,
   endtime    timestamp          not null,
   srcport    smallint  unsigned not null,
   dstport    smallint  unsigned not null,
   tcp        tinyint   unsigned not null,
   prot       tinyint   unsigned not null,
   tos        tinyint   unsigned not null,
   srcas      smallint  unsigned not null,
   dstas      smallint  unsigned not null,
   srcmask    tinyint   unsigned not null,
   dstmask    tinyint   unsigned not null
)

It's pretty easy to turn this into an XML schema. My interest is in knowing if someone has already done this, as I would rather not create a new, incompatible schema.

Thanks.

vy32
  • 28,461
  • 37
  • 122
  • 246

2 Answers2

1

I was looking for the same thing and I ended up using the Parse CVS Perl plugin which is included in the NFDump package if I remember well. This particular script converts the NetFlow cvs output into a readable format but if you make some modify it can create an XML as well (you can do it with very few line of codes). I suggest you that because it already offers some kind of official name for each field. However it does not describe the type of those fields nor the actual XML structure.

raz3r
  • 3,071
  • 8
  • 44
  • 66
  • Yes, it's pretty easy creating a new XML. I just want to know if someone has done it already. – vy32 Apr 06 '12 at 02:28
0

No, there is no standard schema. However, we have created one and put it in the open source tcpflow program. When tcpflow runs it can create an XML file that has all of the netflow data. However, it also decodes embedded objects, such as data sent by HTTP, reports each of those, decompresses what was compressed, and even calculates the MD5 of everything. All in one easy-to-use command-line program.

vy32
  • 28,461
  • 37
  • 122
  • 246