Converting a PCAP trace to NetFlow format

Question

I would like to convert some PCAP traces to Netflow format for further analysis with netflow tools. Is there any way to do that?

Specifically, I want to use "flow-export" tool in order to extract some fields of interest from a netflow trace as follows:

$ flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS < mynetflow.trace

In this case, the mynetflow.trace file is taken by converting a PCAP file using the following commands:

$ nfcapd -p 12345 -l ./ 

$ softflowd -n localhost:12345 -r mytrace.pcap

This, generates a netflow trace but it cannot be used by flow-export correctly, since it is not in the right format. I tried also to pipe the output of the following command to flow-export as follows:

$ flow-import -V1 -z0 -f0 <mynetflow.trace | flow-export -f2 -mUNIX_SECS,SYSUPTIME,DPKTS,DOCTETS

but the output of the first command generated zero timestamps.

Any ideas?

Answer 1

I took at look at the flow-export documentation and there are some acknowledged bugs with the pcap implementation. Not sure if they are fixed yet.

Depending on the content of your capture, you have a couple of other options: If you captured straight-up traffic from a link and you want to turn that into NetFlow format you can download a free netflow exporter tool that reads PCAP here:

FlowTraq Free Exporter

or here:

NProbe

If you captured NetFlow traffic in transit (say UDP/2055), then you can replay it with a tool like 'tcpreplay', available in any linux distribution.

Answer 2

If you are using a Linux environment, you can use the argus Linux package. Just install argus using apt or your distribution's package manager, and then you can use this with Argus' ra client to get the binetflow format.

Here is the command:

argus -F /mnt/argus.conf -r " +f+" -w - | ra -F /mnt/ra.conf -Z b -n >"+f.split(".")[0]+".binetflow