Gidday Li,
> I've tried importing the csv'd data (using cisco's binary conversion
> tool):
>
> # flow-import -f2 -m0x00000000007831F0 -V5 < csv_netflow_file
>
> and all the fields become corrupt (note that when i use
> -m0x0000000000783000, everything is fine, except that the octets and
> the packets on a flow-print are empty)
>
> the ascii format is:
>
> srcaddr,dstaddr,srcport,dstport,prot,tos,pkts,octets,flows,starttime,end time,activetime
You need to format your input into flow-import in exactly the same
format as flow-export would export it, with the columns in the right
order.
Note that there are two types of timestamps used in the netflow fields:
  sysuptime (100ths of seconds since router reboot) used by
    sysuptime, first & last
  unixtime (seconds since 1 Jan 1970) used by unix_secs & unix_nsecs
Make sure your timestamps are appropriate for the fields they are to be
imported into.
In your example you are trying to import via -m0x00000000007831F0:
% flow-cat -m ft-v07.2006-03-31.120728+0000 2>/dev/null | flow-export -f2 -m0x00000000007831F0 | head -n1
#:unix_secs,unix_nsecs,sysuptime,exaddr,last,engine_type,nexthop,input,output
These are clearly not the fields you want to import.
You seem to need these fields (maybe plus some other time fields)
UNIX_SECS 0x0000000000000001LL
DPKTS 0x0000000000000020LL
DOCTETS 0x0000000000000040LL
SRCADDR 0x0000000000001000LL
DSTADDR 0x0000000000002000LL
SRCPORT 0x0000000000080000LL
DSTPORT 0x0000000000100000LL
PROT 0x0000000000200000LL
TOS 0x0000000000400000LL
= 0x783061
Testing this number with some flow-gen traffic:
% flow-gen -n1 | flow-export -f2 -m0x783061
#:unix_secs,dpkts,doctets,srcaddr,dstaddr,srcport,dstport,prot,tos
0,1,1,0.0.0.0,255.255.0.0,0,65280,17,0
flow-export: Exported 1 records
Looks about right.
This is the column order you will need to import in so I suggest writing
a perl script to re-format the data.
while (<>) {
    chomp;
    # Orig order:
    # srcaddr,dstaddr,srcport,dstport,prot,tos,pkts,octets,flows,starttime,endtime,activetime
    #    0       1       2       3      4    5   6     7      8       9        10        11
    my @original_order = split /,/;
    # Insert timestamp munge if necessary (starttime must end up as unix seconds).
    # Need:
    #:unix_secs,dpkts,doctets,srcaddr,dstaddr,srcport,dstport,prot,tos
    #     9       6      7       0       1       2       3      4    5
    # join takes a list: separator first, then the reordered columns.
    print join(",", @original_order[9,6,7,0,1,2,3,4,5]), "\n";
}
Here's a worked example of flow-import in action.
% cat test.csv
#:unix_secs,dpkts,doctets,srcaddr,dstaddr,srcport,dstport,prot,tos
1143806848,1,116,10.1.2.3,10.4.5.6,2365,80,6,0
% flow-import -f2 -V5 -m0x783061 < test.csv > ft-out
flow-import: Imported 1 records.
% flow-cat -m ft-out | flow-export -f2 -m0x783061
#:unix_secs,dpkts,doctets,srcaddr,dstaddr,srcport,dstport,prot,tos
1143806848,1,116,10.1.2.3,10.4.5.6,2365,80,6,0
flow-export: Exported 1 records
Wrapping it all together you're going to need to:
cat cisco_data.csv | perl munge_columns.pl | flow-import -f2 -V5 -m0x783061 > ft-flow_data
HTH
Cheers,
Alistair
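Added example, not from Alistair's mail or from flow-tools itself: a Python version of the mask arithmetic and column munge above, using only the flag values quoted in the mail. It assumes flow-export orders its columns by ascending flag value (which matches the header shown for 0x783061) and that the Cisco starttime column already holds unix seconds rather than sysuptime.

```python
# Flag values as quoted in the mail for the nine wanted fields.
FIELD_FLAGS = {
    "unix_secs": 0x0000000000000001,
    "dpkts":     0x0000000000000020,
    "doctets":   0x0000000000000040,
    "srcaddr":   0x0000000000001000,
    "dstaddr":   0x0000000000002000,
    "srcport":   0x0000000000080000,
    "dstport":   0x0000000000100000,
    "prot":      0x0000000000200000,
    "tos":       0x0000000000400000,
}

# Column order of the Cisco CSV as given in the original question.
CISCO_COLUMNS = ["srcaddr", "dstaddr", "srcport", "dstport", "prot", "tos",
                 "pkts", "octets", "flows", "starttime", "endtime", "activetime"]

# Cisco column name -> flow-tools field name where the two differ
# (assumption: starttime is already unix seconds, see the timestamp note).
RENAME = {"pkts": "dpkts", "octets": "doctets", "starttime": "unix_secs"}

WANTED = ["unix_secs", "dpkts", "doctets", "srcaddr", "dstaddr",
          "srcport", "dstport", "prot", "tos"]

def field_mask(fields):
    """OR the per-field flags into the value passed as -m to flow-export/flow-import."""
    mask = 0
    for f in fields:
        mask |= FIELD_FLAGS[f]
    return mask

def export_columns(mask):
    """Columns flow-export prints for a mask, assumed to be in ascending flag order."""
    return [name for name, flag in sorted(FIELD_FLAGS.items(), key=lambda kv: kv[1])
            if mask & flag]

def munge_row(csv_line, columns):
    """Reorder one Cisco CSV line into flow-export order for the given columns."""
    values = dict(zip(CISCO_COLUMNS, csv_line.strip().split(",")))
    renamed = {RENAME.get(k, k): v for k, v in values.items()}
    return ",".join(renamed[c] for c in columns)

def convert(csv_lines, fields):
    """Return (mask, lines) where lines is the '#:' header plus reordered rows."""
    mask = field_mask(fields)
    cols = export_columns(mask)
    out = ["#:" + ",".join(cols)]
    out += [munge_row(l, cols) for l in csv_lines if l.strip() and not l.startswith("#")]
    return mask, out

# Constructed sample row in the Cisco column order (values made up for the example).
SAMPLE = ["10.1.2.3,10.4.5.6,2365,80,6,0,1,116,1,1143806848,1143806850,2"]

if __name__ == "__main__":
    mask, lines = convert(SAMPLE, WANTED)
    print(f"flow-import -f2 -V5 -m0x{mask:X}")
    print("\n".join(lines))
```

The printed rows are exactly what the test.csv in the mail looks like, so they can be piped straight into flow-import with the printed -m value.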
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools