On 1/26/2018 4:52 AM, Leandro wrote:
> Hi, Alan, thanks for the response.
> I think the most difficult part of this is how to insert the ASN
> on the flow data structure.
> First I need to read the data file, then iterate over all flows
> (perhaps using the pcap library?), then take the IPs involved in the
> flow and insert their ASN.
> The idea is that this modification allows us to keep using nfsen
> graphics and filters for further analysis.
> I think it is necessary to have a very deep knowledge of the necessary
> development tools.
> Do you know some tool / API to analyze and edit the flow data file at
> a higher level?
After an uncanny sequence of events, I do, in fact, have an answer to this. We have a flow analysis project going, and not long after your question I was tasked with doing the very same thing here. It turns out that two of our border routers are Juniper QFX, which appear only to export sFlow, and they don't write ASNs in the records, even though they have BGP tables.

I found a Perl module, https://metacpan.org/pod/Net::NfDump, which has the necessary capabilities. While I was in the process of getting something working to insert AS numbers into flow files, I found that the example program "nfasnupd" not only inserts AS numbers but also geo info, which I had thought about as a next step!

> Command updates nfdump file and adds AS and geoIP information
>
> Usage:
>
> nfasnupd [ -d <level> ] -b -g [ -a -5 -4 -6 ] [ -c <ASN_db_file> ] <nfdump_file>
>
> Options:
>
> -d <level> : debug level (dafault: 1)
>
> -B do NOT update AS numbers (srcas, dstas)
> -g update country code (*xsrcport, *xdstport)
>
> -a <file> : path to BGPDB file (default: /var/tmp/asns-0.gz)
> -5 <file> : path to BGPDB MD5 (default: /var/tmp/asns-0.gz.md5)
> -c <file> : path to additional textfile with ASN mapping (default: /usr/local/etc/asns.txt)
> -4 <file> : path to IPv4 GeoIP database (default: /var/db/flowtools/geo/GeoIP.dat)
> -6 <file> : path to IPv6 GeoIP database (default: /var/db/flowtools/geo/GeoIPv6.dat)
>
> Part of libnf.net project, version: 1.10

I am only at the stage of running it on sample files, not yet committing to bulk operations, but it is promising. It does make the flow file smaller; I haven't yet figured out why. If you hand it a flow file, it effectively rewrites it in place (probably writes a temp and then moves it to the original). The Geo stuff doesn't happen by default, so one only has to complete dependencies and run

    ./nfasnupd flowfile.nfdump

If you're not Perl-proficient, send me an off-list message.
I'm going to try to move toward bulk conversion, with appropriate backups first.

-Alan

> Thanks,
> Leo.
>
> On 26/01/18 00:08, Alan Whinery wrote:
>> Of course, generally when you export flows from a BGP router with a full
>> table, it should already have ASNs populated.
>>
>> If you have flow data with no ASN, probably the easiest way to fill it
>> in would be to script something with MaxMind's open source ASN data:
>>
>> https://www.maxmind.com/en/open-source-data-and-api-for-ip-geolocation
>>
>> I don't know off-hand of software that updates fields in nfdump files,
>> but there must be something out there, or some Perl or Python modules to
>> do so.
>>
>> In the past, I've rolled my own ASN-to-prefix cross-ref by grabbing the
>> global routing table from a BGP router and then annotating it with the
>> ASN lists from cidr-report.org:
>>
>> http://www.cidr-report.org/as2.0/autnums.html
>>
>> which is linked from:
>> http://www.cidr-report.org/as2.0/
>>
>> On 1/25/2018 5:37 AM, Leandro wrote:
>>> Hi guys, I'm trying to analyze incoming traffic from a specific ASN.
>>> I cannot filter this using source IP since this operator uses a lot
>>> of subnets (about 7k).
>>> My idea is to grab a flow file and insert the ASN for further
>>> analysis. Is there something about this?
>>> Any idea would help,
>>> Regards,
>>> Leo.
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Nfsen-discuss mailing list
>>> Nfsen-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
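The roll-your-own approach Alan describes above (a prefix-to-ASN table from MaxMind's open ASN data, used to fill in srcas/dstas so that flows can then be filtered by AS rather than by thousands of subnets), as an added worked example. This is not code from the thread, from nfdump, or from libnf/nfasnupd. It assumes the prefix table uses the column layout of MaxMind's GeoLite2 ASN CSV (network,autonomous_system_number,autonomous_system_organization) and that flow records carry nfdump's CSV field names sa/da for the addresses and sas/das for the AS numbers; the prefix table and flow records below are constructed sample data using documentation address ranges and private AS numbers.

```python
"""Fill in source/destination ASN on flow records by longest-prefix match,
then filter and summarise by ASN.

Added example, not code from the thread, nfdump or libnf/nfasnupd. Assumed:
  - prefix table in the column layout of MaxMind's GeoLite2 ASN CSV;
  - flow records as dicts using nfdump's CSV names sa/da and sas/das.
All data below is constructed sample input.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed prefix table. 198.51.100.128/25 is a more specific customer
# prefix inside 198.51.100.0/24: the case a naive first-match lookup gets wrong.
ASN_CSV = """network,autonomous_system_number,autonomous_system_organization
192.0.2.0/24,64496,Example Net A
198.51.100.0/24,64497,Example Net B
198.51.100.128/25,64498,Example Net B Customer
203.0.113.0/24,64496,Example Net A
2001:db8::/32,64499,Example Net v6
"""

# Constructed flow records (only the nfdump CSV fields this example needs).
FLOWS = [
    {"sa": "192.0.2.10",     "da": "10.0.0.5",         "ibyt": 1500},
    {"sa": "198.51.100.200", "da": "10.0.0.5",         "ibyt": 800},
    {"sa": "198.51.100.5",   "da": "10.0.0.7",         "ibyt": 400},
    {"sa": "10.0.0.5",       "da": "203.0.113.9",      "ibyt": 2200},
    {"sa": "2001:db8::1",    "da": "2001:db8:ffff::1", "ibyt": 64},
]


class PrefixTable:
    """Longest-prefix-match lookup from IP address to ASN.

    Prefixes are keyed by (IP version, prefix length, network as int), so a
    lookup tries each distinct prefix length from longest to shortest with one
    hash probe per length instead of scanning every prefix.
    """

    def __init__(self, csv_text: str) -> None:
        self._asn: Dict[Tuple[int, int, int], int] = {}
        plens = {4: set(), 6: set()}
        for row in csv.DictReader(io.StringIO(csv_text)):
            net = ipaddress.ip_network(row["network"], strict=False)
            key = (net.version, net.prefixlen, int(net.network_address))
            self._asn[key] = int(row["autonomous_system_number"])
            plens[net.version].add(net.prefixlen)
        # Longest first: the first hit is the most specific (customer) prefix.
        self._plens = {v: sorted(s, reverse=True) for v, s in plens.items()}

    def lookup(self, ip_str: str) -> int:
        """ASN for an address, or 0 (nfdump's 'unknown AS') if no prefix covers it."""
        ip = ipaddress.ip_address(ip_str)
        n, bits = int(ip), ip.max_prefixlen
        for plen in self._plens[ip.version]:
            mask = ((1 << plen) - 1) << (bits - plen)
            asn = self._asn.get((ip.version, plen, n & mask))
            if asn is not None:
                return asn
        return 0


def annotate(table: PrefixTable, flows: Iterable[dict]) -> List[dict]:
    """Return copies of the flows with sas/das filled in from the table."""
    out = []
    for f in flows:
        g = dict(f)
        g["sas"] = table.lookup(f["sa"])
        g["das"] = table.lookup(f["da"])
        out.append(g)
    return out


def flows_involving_asn(flows: Iterable[dict], asn: int) -> List[dict]:
    """The filter the thread asks for: flows whose source or destination AS matches."""
    return [f for f in flows if asn in (f["sas"], f["das"])]


def bytes_by_src_asn(flows: Iterable[dict]) -> Dict[int, int]:
    """Incoming volume per source AS, which a 7k-subnet IP filter cannot give you."""
    totals: Dict[int, int] = defaultdict(int)
    for f in flows:
        totals[f["sas"]] += f["ibyt"]
    return dict(totals)


if __name__ == "__main__":
    table = PrefixTable(ASN_CSV)
    annotated = annotate(table, FLOWS)
    for f in flows_involving_asn(annotated, 64496):
        print(f"{f['sa']} (AS{f['sas']}) -> {f['da']} (AS{f['das']}) {f['ibyt']} bytes")
    print(bytes_by_src_asn(annotated))
```

To run this over real data rather than the constructed records, export the flow file with `nfdump -r <file> -o csv` and read the sa/da columns from that output; a full table has hundreds of thousands of prefixes, so a production tool would use a radix tree rather than the per-prefix-length hash probes used here, but the longest-match semantics (the more specific customer prefix wins over the covering aggregate) are what any replacement must preserve.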