Thread: netflow packet

  1. #1
    Registered User
    Join Date
    Sep 2008
    Posts
    8

    netflow packet

    Hello

    I want to capture NetFlow packets that were sent by fprobe.
    fprobe is on my local machine and it sends packets to 127.0.0.1:2055 via UDP.
    So, I have written a program which opens port 2055 (UDP) on any host (0.0.0.0) and does recvfrom. When I print the buffer (printf("%c", buf)) it prints an empty string.

    Also I have tried to print each element of buffer:
    Code:
    for(int i = 0; i < BUFSIZE; i++) {
        printf("%c", buf[i]);
    }
    it shows:
    >��H��uvP�...

    So, how can I decode or I don't know, in short how can I read the packet information?

    Thanks

  2. #2
    The superhaterodyne twomers
    Join Date
    Dec 2005
    Location
    Ireland
    Posts
    2,273
    Well, do you know the format of the packets? Certain sections of the packets are designed for certain operations. In all likelihood only some of what you have is the 'payload'. Do you know what parts you need? Prolly best to read it in binary or hex format.

  3. #3
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    I have also tried hex:
    Code:
    for(int i = 0; i < sizeof buf; i++) {
           printf("%x\n", buf[i]);   /* buf is plain char: bytes >= 0x80 are sign-extended, hence values like ffffff80 */
    }
    here is the output:
    0
    5
    0
    8
    3e
    ffffff80
    13
    ffffff84
    48
    ffffffd1
    37
    1c
    0
    6d
    ffffffc9
    78
    ...

  4. #4
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    and yeah, I know what parts I need:
    the packet has a header http://www.packetshaper.com/document...ow5-header.htm; for a start I need the header

  5. #5
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by vgevorgy
    I have also tried hex:
    Code:
    for(int i = 0; i < sizeof buf; i++) {
           printf("%x\n", buf[i]);
    }
    here is output:
    0
    5
    0
    8
    3e
    ffffff80
    13
    ffffff84
    48
    ffffffd1
    37
    1c
    0
    6d
    ffffffc9
    78
    ...
    Well, that is absolutely not text-data, so you obviously can't expect to get text-output using printf("%c") from it. I have no idea what the content is, but it is certainly not normal text.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  6. #6
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    that is a netflow (version 5) packet

  7. #7
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by vgevorgy
    that is a netflow (version 5) packet
    Yes, and I have no idea what the content represents, but printing it as characters is not meaningful, so you will get garbage stuff like what you posted in the first post. Your original code is just doing what you've told it to do.

    Assuming what you have is one of these:
    http://www.packetshaper.com/document...w5-records.htm

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  8. #8
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    I think my problem is that I don't know how to use the Offset and "Field Length in Bytes" information for getting the needed data from the buffer

  9. #9
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    I have created the struct for netflow header:
    Code:
    #include <sys/types.h>   /* u_int16_t, u_int32_t, u_int8_t */

    struct NF5_HEADER {      /* 24-byte NetFlow v5 header, fields in wire order */
    	u_int16_t version;
    	u_int16_t flows;
    	u_int32_t uptime_ms;
    	u_int32_t time_sec;
    	u_int32_t time_nanosec;
    	u_int32_t flow_sequence;
    	u_int8_t engine_type;
    	u_int8_t engine_id;
    	u_int8_t reserved1;
    	u_int8_t reserved2;
    };
    and tried (struct NF5_HEADER *) buf
    but it doesn't show the right version number.

  10. #10
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by vgevorgy
    I think my problem is that I don't know how to use the Offset and "Field Length in Bytes" information for getting the needed data from the buffer
    Well, since you have posted a three-line snippet of code to show how you print the content, and NOTHING ELSE, I can't possibly comment on what you are doing right and what you are doing wrong. If you post the code, we may have a chance of commenting, but no guarantees.

    You may want to post the struct that you are using for the payload data.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  11. #11
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by vgevorgy
    I have created the struct for netflow header:
    Code:
    #include <sys/types.h>   /* u_int16_t, u_int32_t, u_int8_t */

    struct NF5_HEADER {      /* 24-byte NetFlow v5 header, fields in wire order */
    	u_int16_t version;
    	u_int16_t flows;
    	u_int32_t uptime_ms;
    	u_int32_t time_sec;
    	u_int32_t time_nanosec;
    	u_int32_t flow_sequence;
    	u_int8_t engine_type;
    	u_int8_t engine_id;
    	u_int8_t reserved1;
    	u_int8_t reserved2;
    };
    and tried (struct NF5_HEADER *) buf
    but it doesn't show the right version number.
    It does look about right. What number are you getting - you have 0x00, 0x05, so that is a big-endian 5, which is what the link says it should be. Are you getting 0x500 (1280)? If so, you need to use ntohs (and ntohl for the u_int32 types).

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  12. #12
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    yeah

  13. #13
    Registered User
    Join Date
    Sep 2008
    Posts
    8
    the question changed

    now I have a variable of type u_int32_t that holds an IP address; how do I show it in the normal way?

  14. #14
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by vgevorgy
    the question changed

    now I have a variable of type u_int32_t that holds an IP address; how do I show it in the normal way?
    Treat it as an array of unsigned char [4] and print each char as a %d?

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.
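    As an added example (not code from this thread or from fprobe), here is a C version of what Mats describes in #11 and #14: it copies the 24-byte NetFlow v5 header out of the datagram, converts each field with ntohs/ntohl, rejects datagrams that are too short, not version 5, or that claim more flow records than they carry, and prints the 4-byte addresses of a flow record as dotted quads. The sample datagram and the names nf5_header, nf5_parse_header and nf5_ipv4_str are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohs, ntohl */
/* NetFlow v5 header as laid out on the wire: 24 bytes, every field big-endian. */
struct nf5_header {
    uint16_t version, count;
    uint32_t sys_uptime, unix_secs, unix_nsecs, flow_sequence;
    uint8_t  engine_type, engine_id, reserved[2];
};
#define NF5_HDR_LEN 24
#define NF5_REC_LEN 48   /* each flow record; v5 allows at most 30 per datagram */

/* Parse the header of a 'len'-byte UDP payload into *h, converted to host order.
 * Returns 0 on success, -1 if the datagram is too short, not version 5, or
 * claims more records than it actually carries. */
int nf5_parse_header(const unsigned char *buf, size_t len, struct nf5_header *h)
{
    if (len < NF5_HDR_LEN) return -1;
    memcpy(h, buf, NF5_HDR_LEN);           /* copy instead of casting the buffer */
    h->version       = ntohs(h->version);
    h->count         = ntohs(h->count);
    h->sys_uptime    = ntohl(h->sys_uptime);
    h->unix_secs     = ntohl(h->unix_secs);
    h->unix_nsecs    = ntohl(h->unix_nsecs);
    h->flow_sequence = ntohl(h->flow_sequence);
    if (h->version != 5 || h->count > 30) return -1;
    if (len < NF5_HDR_LEN + (size_t)h->count * NF5_REC_LEN) return -1;
    return 0;
}

/* Dotted-quad form of the 4-byte address at buf[off]: the bytes are already in
 * wire order, so print each one as a number, no byte swapping needed. */
const char *nf5_ipv4_str(const unsigned char *buf, size_t off, char out[16])
{
    snprintf(out, 16, "%d.%d.%d.%d", buf[off], buf[off + 1], buf[off + 2], buf[off + 3]);
    return out;
}
/* Constructed sample datagram: v5 header (count=1, uptime 16000 ms, unix_secs
 * 0x48d1371c) followed by one record with srcaddr 10.0.0.1, dstaddr 192.168.1.20. */
static const unsigned char sample[NF5_HDR_LEN + NF5_REC_LEN] = {
    0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x3e, 0x80, 0x48, 0xd1, 0x37, 0x1c,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x00, 0x00, 0x00,
    10, 0, 0, 1, 192, 168, 1, 20,          /* rest of the record stays zero */
};
static struct nf5_header parsed;
static char ipbuf[16];
int parse_sample(size_t len) { return nf5_parse_header(sample, len, &parsed); }
const char *sample_src_ip(void) { return nf5_ipv4_str(sample, NF5_HDR_LEN, ipbuf); }
const char *sample_dst_ip(void) { return nf5_ipv4_str(sample, NF5_HDR_LEN + 4, ipbuf); }
```

    In a real collector, call nf5_parse_header on the bytes recvfrom returned and only then walk the records at NF5_HDR_LEN + i * NF5_REC_LEN for i below count.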
