forked from elastic/logstash
netflow Input Filter Research
grigorescu edited this page Dec 13, 2011 · 1 revision
There is some code for parsing netflows with Ruby available at https://github.com/seeingidog/netflow
This code appears to parse netflow v5 flows (untested) but doesn't support v9 flows.
netflow v5 is the historical version of netflow data. v9 is its successor, and it supports custom fields. Devices use this support for things like IPv6. v9 netflow data consists of template flowsets and data flowsets, where the templates define the type and length of each field in a data record. This makes it very flexible, but non-trivial to parse, since you have to keep track of each template (per exporter and template id) and use it to work out the length of each data record.
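To show what "keeping track of templates" means in practice, here is a minimal NetFlow v9 decoder in plain Ruby (String#unpack, no BinData). This is an added example written for this page; it is not code from seeingidog/netflow or from Logstash. The field type numbers, the sample packet and the exporter values are constructed for the example; real exporters send many more field types than the handful named here. The decoder caches templates keyed by (source_id, template_id), and a data flowset whose template has not been seen yet is skipped rather than guessed at, which is the main failure mode a v9 input has to handle.

```ruby
# Minimal NetFlow v9 decoder (added example, not part of seeingidog/netflow or Logstash).
# Layout: 20-byte header, then flowsets. Flowset id 0 = template flowset,
# id 1 = options template, id >= 256 = data flowset using that template id.

# A few field type numbers from the v9 field type table; others are kept as :field_N.
NF9_FIELD_NAMES = {
  1 => :in_bytes, 2 => :in_pkts, 4 => :protocol, 7 => :l4_src_port,
  8 => :ipv4_src_addr, 11 => :l4_dst_port, 12 => :ipv4_dst_addr,
}

class NetflowV9Decoder
  def initialize
    # Templates must survive across packets: data flowsets reference
    # templates announced in earlier packets from the same exporter.
    @templates = {}
  end

  def decode(packet)
    version, count, uptime, unix_secs, seq, source_id = packet.unpack('nnNNNN')
    raise "not netflow v9 (version #{version})" unless version == 9
    records = []
    offset = 20
    while offset + 4 <= packet.bytesize
      flowset_id, length = packet.unpack("@#{offset}nn")
      raise 'malformed flowset length' if length < 4 || offset + length > packet.bytesize
      body = packet.byteslice(offset + 4, length - 4)
      case flowset_id
      when 0 then parse_templates(source_id, body)
      when 1 then nil # options templates are not handled in this example
      else records.concat(parse_data(source_id, flowset_id, body))
      end
      offset += length
    end
    { version: version, count: count, uptime: uptime, unix_secs: unix_secs,
      sequence: seq, source_id: source_id, records: records }
  end

  private

  # Template flowset body: repeated (template_id, field_count, (type, length)*).
  def parse_templates(source_id, body)
    pos = 0
    while pos + 4 <= body.bytesize
      template_id, field_count = body.unpack("@#{pos}nn")
      pos += 4
      fields = Array.new(field_count) do
        type, len = body.unpack("@#{pos}nn")
        pos += 4
        [type, len]
      end
      @templates[[source_id, template_id]] = fields
    end
  end

  # Data flowset body: fixed-size records as laid out by the template, then padding.
  def parse_data(source_id, template_id, body)
    template = @templates[[source_id, template_id]]
    return [] unless template # template not seen yet: nothing can be decoded safely
    record_len = template.sum { |_, len| len }
    return [] if record_len.zero?
    pos = 0
    records = []
    while pos + record_len <= body.bytesize # trailing bytes shorter than a record are padding
      record = {}
      template.each do |type, len|
        raw = body.byteslice(pos, len)
        pos += len
        record[NF9_FIELD_NAMES.fetch(type, :"field_#{type}")] = decode_field(type, raw)
      end
      records << record
    end
    records
  end

  def decode_field(type, raw)
    case type
    when 8, 12 then raw.unpack('C4').join('.')                 # IPv4 address
    else raw.bytes.inject(0) { |acc, b| (acc << 8) | b }        # big-endian integer
    end
  end
end

# Constructed sample packet: one template (id 256, 5 fields, 16-byte records)
# followed by a data flowset carrying two records for that template.
def build_sample_packet
  header   = [9, 3, 123_456, 1_323_734_400, 42, 1].pack('nnNNNN')
  template = [0, 28, 256, 5, 8, 4, 12, 4, 7, 2, 11, 2, 1, 4].pack('n*')
  rec1 = [10, 0, 0, 1, 192, 168, 1, 10, 51_234, 443, 1500].pack('C4C4nnN')
  rec2 = [10, 0, 0, 2, 192, 168, 1, 20, 40_000, 53, 80].pack('C4C4nnN')
  data = [256, 36].pack('nn') + rec1 + rec2
  header + template + data
end

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp NetflowV9Decoder.new.decode(build_sample_packet)
end
```

Because the template cache lives in the decoder instance, one decoder should be kept per input socket for as long as the process runs; creating a fresh decoder per packet would drop every data flowset whose template arrived in an earlier datagram.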
- Test seeingidog/netflow with v5 flows.
- Add support for v9 flows.
- Determine the best way to integrate existing code with Logstash. (seeingidog/netflow uses EventMachine for I/O and BinData for the actual heavy lifting. It sounds like simply writing a BinData parser for netflow would go a long way.)