logstash-codec-netflow 4.1.0 → 4.1.1

@@ -0,0 +1,1078 @@
1
+ #!/usr/bin/env python2
2
+ import socket
3
+ import sys
4
+ import time
5
+
6
+
7
+ # IPFIX template
8
+ tpl = "000a03605b6cb59300008a310000000000020228c013000600b80004800e000100001ad7800f000100001ad7c00e000100001ad7c00f000100001ad780b8000400007279c015001781f6000800001ad781f7000800001ad781f8000800001ad700df000481f4000400001ad781f5000400001ad781fe000400001ad781f9000200001ad781fa000200001ad781fc000200001ad781fb000100001ad700d20001c1f6000800001ad7c1f7000800001ad7c1f8000800001ad780df000400007279c1f4000400001ad7c1f5000400001ad7c1fe000400001ad7c1f9000200001ad7c1fa000200001ad7c1fc000200001ad700d20002b301000e0098000800990008005500040056000400080004000c000400070002000b00028028000200001ad70004000100880001003a0002000500010125ffffc01800028012ffff00001ad7c012ffff00001ad7b80000270098000800990008005500088055000800007279005600088056000800007279000100088001000800007279000200088002000800007279001b0010001c001000080004000c000400070002000b00028028000200001ad7c028000200001ad7000400010088000100d200028015000400001ad700b8000480b8000400007279800e000100001ad7800f000100001ad7c00e000100001ad7c00f000100001ad7003a0002803a000200007279000a0004000e000400050001800500010000727900460003004700030048000300d200050125ffffc003000300b80004800e000100001ad7800f000100001ad70003007cd000000e000200a00008002a0008005600080087000800a4000800a700088064000400001ad78065000400001ad78068000400001ad78069000400001ad700820004009000048066000400001ad78067000400001ad7d001000400028227000200001ad78228000200001ad78226000400001ad70124ffff000200acd00200020090000401420004c00400020038000600500006c005000b81f6000800001ad781f7000800001ad781f8000800001ad700df000481f4000400001ad781f5000400001ad781fe000400001ad781f9000200001ad781fa000200001ad781fc000200001ad781fb000100001ad7c00900058121000800001ad78122000400001ad78123000200001ad78124000100001ad78125000100001ad7c00800018012ffff00001ad7".decode("hex")
9
+
10
+ '''
11
+ Cisco NetFlow/IPFIX
12
+ Version: 10
13
+ Length: 864
14
+ Timestamp: Aug 9, 2018 15:43:47.000000000 MDT
15
+ ExportTime: 1533851027
16
+ FlowSequence: 35377
17
+ Observation Domain Id: 0
18
+ Set 1 [id=2] (Data Template): 49171,49173,45825,49176,47104,49155
19
+ FlowSet Id: Data Template (V10 [IPFIX]) (2)
20
+ FlowSet Length: 552
21
+ Template (Id = 49171, Count = 6)
22
+ Template Id: 49171
23
+ Field Count: 6
24
+ Field (1/6): TCP_SEQ_NUM
25
+ 0... .... .... .... = Pen provided: No
26
+ .000 0000 1011 1000 = Type: TCP_SEQ_NUM (184)
27
+ Length: 4
28
+ Field (2/6): 14 [pen: CERT Coordination Center]
29
+ 1... .... .... .... = Pen provided: Yes
30
+ .000 0000 0000 1110 = Type: 14 [pen: CERT Coordination Center]
31
+ Length: 1
32
+ PEN: CERT Coordination Center (6871)
33
+ Field (3/6): 15 [pen: CERT Coordination Center]
34
+ 1... .... .... .... = Pen provided: Yes
35
+ .000 0000 0000 1111 = Type: 15 [pen: CERT Coordination Center]
36
+ Length: 1
37
+ PEN: CERT Coordination Center (6871)
38
+ Field (4/6): 16398 [pen: CERT Coordination Center]
39
+ 1... .... .... .... = Pen provided: Yes
40
+ .100 0000 0000 1110 = Type: 16398 [pen: CERT Coordination Center]
41
+ Length: 1
42
+ PEN: CERT Coordination Center (6871)
43
+ Field (5/6): 16399 [pen: CERT Coordination Center]
44
+ 1... .... .... .... = Pen provided: Yes
45
+ .100 0000 0000 1111 = Type: 16399 [pen: CERT Coordination Center]
46
+ Length: 1
47
+ PEN: CERT Coordination Center (6871)
48
+ Field (6/6): TCP_SEQ_NUM [Reverse]
49
+ 1... .... .... .... = Pen provided: Yes
50
+ .000 0000 1011 1000 = Type: TCP_SEQ_NUM (184) [Reverse]
51
+ Length: 4
52
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
53
+ Template (Id = 49173, Count = 23)
54
+ Template Id: 49173
55
+ Field Count: 23
56
+ Field (1/23): 502 [pen: CERT Coordination Center]
57
+ 1... .... .... .... = Pen provided: Yes
58
+ .000 0001 1111 0110 = Type: 502 [pen: CERT Coordination Center]
59
+ Length: 8
60
+ PEN: CERT Coordination Center (6871)
61
+ Field (2/23): 503 [pen: CERT Coordination Center]
62
+ 1... .... .... .... = Pen provided: Yes
63
+ .000 0001 1111 0111 = Type: 503 [pen: CERT Coordination Center]
64
+ Length: 8
65
+ PEN: CERT Coordination Center (6871)
66
+ Field (3/23): 504 [pen: CERT Coordination Center]
67
+ 1... .... .... .... = Pen provided: Yes
68
+ .000 0001 1111 1000 = Type: 504 [pen: CERT Coordination Center]
69
+ Length: 8
70
+ PEN: CERT Coordination Center (6871)
71
+ Field (4/23): tcpUrgTotalCount
72
+ 0... .... .... .... = Pen provided: No
73
+ .000 0000 1101 1111 = Type: tcpUrgTotalCount (223)
74
+ Length: 4
75
+ Field (5/23): 500 [pen: CERT Coordination Center]
76
+ 1... .... .... .... = Pen provided: Yes
77
+ .000 0001 1111 0100 = Type: 500 [pen: CERT Coordination Center]
78
+ Length: 4
79
+ PEN: CERT Coordination Center (6871)
80
+ Field (6/23): 501 [pen: CERT Coordination Center]
81
+ 1... .... .... .... = Pen provided: Yes
82
+ .000 0001 1111 0101 = Type: 501 [pen: CERT Coordination Center]
83
+ Length: 4
84
+ PEN: CERT Coordination Center (6871)
85
+ Field (7/23): 510 [pen: CERT Coordination Center]
86
+ 1... .... .... .... = Pen provided: Yes
87
+ .000 0001 1111 1110 = Type: 510 [pen: CERT Coordination Center]
88
+ Length: 4
89
+ PEN: CERT Coordination Center (6871)
90
+ Field (8/23): 505 [pen: CERT Coordination Center]
91
+ 1... .... .... .... = Pen provided: Yes
92
+ .000 0001 1111 1001 = Type: 505 [pen: CERT Coordination Center]
93
+ Length: 2
94
+ PEN: CERT Coordination Center (6871)
95
+ Field (9/23): 506 [pen: CERT Coordination Center]
96
+ 1... .... .... .... = Pen provided: Yes
97
+ .000 0001 1111 1010 = Type: 506 [pen: CERT Coordination Center]
98
+ Length: 2
99
+ PEN: CERT Coordination Center (6871)
100
+ Field (10/23): 508 [pen: CERT Coordination Center]
101
+ 1... .... .... .... = Pen provided: Yes
102
+ .000 0001 1111 1100 = Type: 508 [pen: CERT Coordination Center]
103
+ Length: 2
104
+ PEN: CERT Coordination Center (6871)
105
+ Field (11/23): 507 [pen: CERT Coordination Center]
106
+ 1... .... .... .... = Pen provided: Yes
107
+ .000 0001 1111 1011 = Type: 507 [pen: CERT Coordination Center]
108
+ Length: 1
109
+ PEN: CERT Coordination Center (6871)
110
+ Field (12/23): paddingOctets
111
+ 0... .... .... .... = Pen provided: No
112
+ .000 0000 1101 0010 = Type: paddingOctets (210)
113
+ Length: 1
114
+ Field (13/23): 16886 [pen: CERT Coordination Center]
115
+ 1... .... .... .... = Pen provided: Yes
116
+ .100 0001 1111 0110 = Type: 16886 [pen: CERT Coordination Center]
117
+ Length: 8
118
+ PEN: CERT Coordination Center (6871)
119
+ Field (14/23): 16887 [pen: CERT Coordination Center]
120
+ 1... .... .... .... = Pen provided: Yes
121
+ .100 0001 1111 0111 = Type: 16887 [pen: CERT Coordination Center]
122
+ Length: 8
123
+ PEN: CERT Coordination Center (6871)
124
+ Field (15/23): 16888 [pen: CERT Coordination Center]
125
+ 1... .... .... .... = Pen provided: Yes
126
+ .100 0001 1111 1000 = Type: 16888 [pen: CERT Coordination Center]
127
+ Length: 8
128
+ PEN: CERT Coordination Center (6871)
129
+ Field (16/23): tcpUrgTotalCount [Reverse]
130
+ 1... .... .... .... = Pen provided: Yes
131
+ .000 0000 1101 1111 = Type: tcpUrgTotalCount (223) [Reverse]
132
+ Length: 4
133
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
134
+ Field (17/23): 16884 [pen: CERT Coordination Center]
135
+ 1... .... .... .... = Pen provided: Yes
136
+ .100 0001 1111 0100 = Type: 16884 [pen: CERT Coordination Center]
137
+ Length: 4
138
+ PEN: CERT Coordination Center (6871)
139
+ Field (18/23): 16885 [pen: CERT Coordination Center]
140
+ 1... .... .... .... = Pen provided: Yes
141
+ .100 0001 1111 0101 = Type: 16885 [pen: CERT Coordination Center]
142
+ Length: 4
143
+ PEN: CERT Coordination Center (6871)
144
+ Field (19/23): 16894 [pen: CERT Coordination Center]
145
+ 1... .... .... .... = Pen provided: Yes
146
+ .100 0001 1111 1110 = Type: 16894 [pen: CERT Coordination Center]
147
+ Length: 4
148
+ PEN: CERT Coordination Center (6871)
149
+ Field (20/23): 16889 [pen: CERT Coordination Center]
150
+ 1... .... .... .... = Pen provided: Yes
151
+ .100 0001 1111 1001 = Type: 16889 [pen: CERT Coordination Center]
152
+ Length: 2
153
+ PEN: CERT Coordination Center (6871)
154
+ Field (21/23): 16890 [pen: CERT Coordination Center]
155
+ 1... .... .... .... = Pen provided: Yes
156
+ .100 0001 1111 1010 = Type: 16890 [pen: CERT Coordination Center]
157
+ Length: 2
158
+ PEN: CERT Coordination Center (6871)
159
+ Field (22/23): 16892 [pen: CERT Coordination Center]
160
+ 1... .... .... .... = Pen provided: Yes
161
+ .100 0001 1111 1100 = Type: 16892 [pen: CERT Coordination Center]
162
+ Length: 2
163
+ PEN: CERT Coordination Center (6871)
164
+ Field (23/23): paddingOctets
165
+ 0... .... .... .... = Pen provided: No
166
+ .000 0000 1101 0010 = Type: paddingOctets (210)
167
+ Length: 2
168
+ Template (Id = 45825, Count = 14)
169
+ Template Id: 45825
170
+ Field Count: 14
171
+ Field (1/14): flowStartMilliseconds
172
+ 0... .... .... .... = Pen provided: No
173
+ .000 0000 1001 1000 = Type: flowStartMilliseconds (152)
174
+ Length: 8
175
+ Field (2/14): flowEndMilliseconds
176
+ 0... .... .... .... = Pen provided: No
177
+ .000 0000 1001 1001 = Type: flowEndMilliseconds (153)
178
+ Length: 8
179
+ Field (3/14): BYTES_TOTAL
180
+ 0... .... .... .... = Pen provided: No
181
+ .000 0000 0101 0101 = Type: BYTES_TOTAL (85)
182
+ Length: 4
183
+ Field (4/14): PACKETS_TOTAL
184
+ 0... .... .... .... = Pen provided: No
185
+ .000 0000 0101 0110 = Type: PACKETS_TOTAL (86)
186
+ Length: 4
187
+ Field (5/14): IP_SRC_ADDR
188
+ 0... .... .... .... = Pen provided: No
189
+ .000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
190
+ Length: 4
191
+ Field (6/14): IP_DST_ADDR
192
+ 0... .... .... .... = Pen provided: No
193
+ .000 0000 0000 1100 = Type: IP_DST_ADDR (12)
194
+ Length: 4
195
+ Field (7/14): L4_SRC_PORT
196
+ 0... .... .... .... = Pen provided: No
197
+ .000 0000 0000 0111 = Type: L4_SRC_PORT (7)
198
+ Length: 2
199
+ Field (8/14): L4_DST_PORT
200
+ 0... .... .... .... = Pen provided: No
201
+ .000 0000 0000 1011 = Type: L4_DST_PORT (11)
202
+ Length: 2
203
+ Field (9/14): 40 [pen: CERT Coordination Center]
204
+ 1... .... .... .... = Pen provided: Yes
205
+ .000 0000 0010 1000 = Type: 40 [pen: CERT Coordination Center]
206
+ Length: 2
207
+ PEN: CERT Coordination Center (6871)
208
+ Field (10/14): PROTOCOL
209
+ 0... .... .... .... = Pen provided: No
210
+ .000 0000 0000 0100 = Type: PROTOCOL (4)
211
+ Length: 1
212
+ Field (11/14): flowEndReason
213
+ 0... .... .... .... = Pen provided: No
214
+ .000 0000 1000 1000 = Type: flowEndReason (136)
215
+ Length: 1
216
+ Field (12/14): SRC_VLAN
217
+ 0... .... .... .... = Pen provided: No
218
+ .000 0000 0011 1010 = Type: SRC_VLAN (58)
219
+ Length: 2
220
+ Field (13/14): IP_TOS
221
+ 0... .... .... .... = Pen provided: No
222
+ .000 0000 0000 0101 = Type: IP_TOS (5)
223
+ Length: 1
224
+ Field (14/14): subTemplateMultiList
225
+ 0... .... .... .... = Pen provided: No
226
+ .000 0001 0010 0101 = Type: subTemplateMultiList (293)
227
+ Length: 65535 [i.e.: "Variable Length"]
228
+ Template (Id = 49176, Count = 2)
229
+ Template Id: 49176
230
+ Field Count: 2
231
+ Field (1/2): 18 [pen: CERT Coordination Center]
232
+ 1... .... .... .... = Pen provided: Yes
233
+ .000 0000 0001 0010 = Type: 18 [pen: CERT Coordination Center]
234
+ Length: 65535 [i.e.: "Variable Length"]
235
+ PEN: CERT Coordination Center (6871)
236
+ Field (2/2): 16402 [pen: CERT Coordination Center]
237
+ 1... .... .... .... = Pen provided: Yes
238
+ .100 0000 0001 0010 = Type: 16402 [pen: CERT Coordination Center]
239
+ Length: 65535 [i.e.: "Variable Length"]
240
+ PEN: CERT Coordination Center (6871)
241
+ Template (Id = 47104, Count = 39)
242
+ Template Id: 47104
243
+ Field Count: 39
244
+ Field (1/39): flowStartMilliseconds
245
+ 0... .... .... .... = Pen provided: No
246
+ .000 0000 1001 1000 = Type: flowStartMilliseconds (152)
247
+ Length: 8
248
+ Field (2/39): flowEndMilliseconds
249
+ 0... .... .... .... = Pen provided: No
250
+ .000 0000 1001 1001 = Type: flowEndMilliseconds (153)
251
+ Length: 8
252
+ Field (3/39): BYTES_TOTAL
253
+ 0... .... .... .... = Pen provided: No
254
+ .000 0000 0101 0101 = Type: BYTES_TOTAL (85)
255
+ Length: 8
256
+ Field (4/39): BYTES_TOTAL [Reverse]
257
+ 1... .... .... .... = Pen provided: Yes
258
+ .000 0000 0101 0101 = Type: BYTES_TOTAL (85) [Reverse]
259
+ Length: 8
260
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
261
+ Field (5/39): PACKETS_TOTAL
262
+ 0... .... .... .... = Pen provided: No
263
+ .000 0000 0101 0110 = Type: PACKETS_TOTAL (86)
264
+ Length: 8
265
+ Field (6/39): PACKETS_TOTAL [Reverse]
266
+ 1... .... .... .... = Pen provided: Yes
267
+ .000 0000 0101 0110 = Type: PACKETS_TOTAL (86) [Reverse]
268
+ Length: 8
269
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
270
+ Field (7/39): BYTES
271
+ 0... .... .... .... = Pen provided: No
272
+ .000 0000 0000 0001 = Type: BYTES (1)
273
+ Length: 8
274
+ Field (8/39): BYTES [Reverse]
275
+ 1... .... .... .... = Pen provided: Yes
276
+ .000 0000 0000 0001 = Type: BYTES (1) [Reverse]
277
+ Length: 8
278
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
279
+ Field (9/39): PKTS
280
+ 0... .... .... .... = Pen provided: No
281
+ .000 0000 0000 0010 = Type: PKTS (2)
282
+ Length: 8
283
+ Field (10/39): PKTS [Reverse]
284
+ 1... .... .... .... = Pen provided: Yes
285
+ .000 0000 0000 0010 = Type: PKTS (2) [Reverse]
286
+ Length: 8
287
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
288
+ Field (11/39): IPV6_SRC_ADDR
289
+ 0... .... .... .... = Pen provided: No
290
+ .000 0000 0001 1011 = Type: IPV6_SRC_ADDR (27)
291
+ Length: 16
292
+ Field (12/39): IPV6_DST_ADDR
293
+ 0... .... .... .... = Pen provided: No
294
+ .000 0000 0001 1100 = Type: IPV6_DST_ADDR (28)
295
+ Length: 16
296
+ Field (13/39): IP_SRC_ADDR
297
+ 0... .... .... .... = Pen provided: No
298
+ .000 0000 0000 1000 = Type: IP_SRC_ADDR (8)
299
+ Length: 4
300
+ Field (14/39): IP_DST_ADDR
301
+ 0... .... .... .... = Pen provided: No
302
+ .000 0000 0000 1100 = Type: IP_DST_ADDR (12)
303
+ Length: 4
304
+ Field (15/39): L4_SRC_PORT
305
+ 0... .... .... .... = Pen provided: No
306
+ .000 0000 0000 0111 = Type: L4_SRC_PORT (7)
307
+ Length: 2
308
+ Field (16/39): L4_DST_PORT
309
+ 0... .... .... .... = Pen provided: No
310
+ .000 0000 0000 1011 = Type: L4_DST_PORT (11)
311
+ Length: 2
312
+ Field (17/39): 40 [pen: CERT Coordination Center]
313
+ 1... .... .... .... = Pen provided: Yes
314
+ .000 0000 0010 1000 = Type: 40 [pen: CERT Coordination Center]
315
+ Length: 2
316
+ PEN: CERT Coordination Center (6871)
317
+ Field (18/39): 16424 [pen: CERT Coordination Center]
318
+ 1... .... .... .... = Pen provided: Yes
319
+ .100 0000 0010 1000 = Type: 16424 [pen: CERT Coordination Center]
320
+ Length: 2
321
+ PEN: CERT Coordination Center (6871)
322
+ Field (19/39): PROTOCOL
323
+ 0... .... .... .... = Pen provided: No
324
+ .000 0000 0000 0100 = Type: PROTOCOL (4)
325
+ Length: 1
326
+ Field (20/39): flowEndReason
327
+ 0... .... .... .... = Pen provided: No
328
+ .000 0000 1000 1000 = Type: flowEndReason (136)
329
+ Length: 1
330
+ Field (21/39): paddingOctets
331
+ 0... .... .... .... = Pen provided: No
332
+ .000 0000 1101 0010 = Type: paddingOctets (210)
333
+ Length: 2
334
+ Field (22/39): 21 [pen: CERT Coordination Center]
335
+ 1... .... .... .... = Pen provided: Yes
336
+ .000 0000 0001 0101 = Type: 21 [pen: CERT Coordination Center]
337
+ Length: 4
338
+ PEN: CERT Coordination Center (6871)
339
+ Field (23/39): TCP_SEQ_NUM
340
+ 0... .... .... .... = Pen provided: No
341
+ .000 0000 1011 1000 = Type: TCP_SEQ_NUM (184)
342
+ Length: 4
343
+ Field (24/39): TCP_SEQ_NUM [Reverse]
344
+ 1... .... .... .... = Pen provided: Yes
345
+ .000 0000 1011 1000 = Type: TCP_SEQ_NUM (184) [Reverse]
346
+ Length: 4
347
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
348
+ Field (25/39): 14 [pen: CERT Coordination Center]
349
+ 1... .... .... .... = Pen provided: Yes
350
+ .000 0000 0000 1110 = Type: 14 [pen: CERT Coordination Center]
351
+ Length: 1
352
+ PEN: CERT Coordination Center (6871)
353
+ Field (26/39): 15 [pen: CERT Coordination Center]
354
+ 1... .... .... .... = Pen provided: Yes
355
+ .000 0000 0000 1111 = Type: 15 [pen: CERT Coordination Center]
356
+ Length: 1
357
+ PEN: CERT Coordination Center (6871)
358
+ Field (27/39): 16398 [pen: CERT Coordination Center]
359
+ 1... .... .... .... = Pen provided: Yes
360
+ .100 0000 0000 1110 = Type: 16398 [pen: CERT Coordination Center]
361
+ Length: 1
362
+ PEN: CERT Coordination Center (6871)
363
+ Field (28/39): 16399 [pen: CERT Coordination Center]
364
+ 1... .... .... .... = Pen provided: Yes
365
+ .100 0000 0000 1111 = Type: 16399 [pen: CERT Coordination Center]
366
+ Length: 1
367
+ PEN: CERT Coordination Center (6871)
368
+ Field (29/39): SRC_VLAN
369
+ 0... .... .... .... = Pen provided: No
370
+ .000 0000 0011 1010 = Type: SRC_VLAN (58)
371
+ Length: 2
372
+ Field (30/39): SRC_VLAN [Reverse]
373
+ 1... .... .... .... = Pen provided: Yes
374
+ .000 0000 0011 1010 = Type: SRC_VLAN (58) [Reverse]
375
+ Length: 2
376
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
377
+ Field (31/39): INPUT_SNMP
378
+ 0... .... .... .... = Pen provided: No
379
+ .000 0000 0000 1010 = Type: INPUT_SNMP (10)
380
+ Length: 4
381
+ Field (32/39): OUTPUT_SNMP
382
+ 0... .... .... .... = Pen provided: No
383
+ .000 0000 0000 1110 = Type: OUTPUT_SNMP (14)
384
+ Length: 4
385
+ Field (33/39): IP_TOS
386
+ 0... .... .... .... = Pen provided: No
387
+ .000 0000 0000 0101 = Type: IP_TOS (5)
388
+ Length: 1
389
+ Field (34/39): IP_TOS [Reverse]
390
+ 1... .... .... .... = Pen provided: Yes
391
+ .000 0000 0000 0101 = Type: IP_TOS (5) [Reverse]
392
+ Length: 1
393
+ PEN: IPFIX Reverse Information Element Private Enterprise (29305)
394
+ Field (35/39): MPLS_LABEL_1
395
+ 0... .... .... .... = Pen provided: No
396
+ .000 0000 0100 0110 = Type: MPLS_LABEL_1 (70)
397
+ Length: 3
398
+ Field (36/39): MPLS_LABEL_2
399
+ 0... .... .... .... = Pen provided: No
400
+ .000 0000 0100 0111 = Type: MPLS_LABEL_2 (71)
401
+ Length: 3
402
+ Field (37/39): MPLS_LABEL_3
403
+ 0... .... .... .... = Pen provided: No
404
+ .000 0000 0100 1000 = Type: MPLS_LABEL_3 (72)
405
+ Length: 3
406
+ Field (38/39): paddingOctets
407
+ 0... .... .... .... = Pen provided: No
408
+ .000 0000 1101 0010 = Type: paddingOctets (210)
409
+ Length: 5
410
+ Field (39/39): subTemplateMultiList
411
+ 0... .... .... .... = Pen provided: No
412
+ .000 0001 0010 0101 = Type: subTemplateMultiList (293)
413
+ Length: 65535 [i.e.: "Variable Length"]
414
+ Template (Id = 49155, Count = 3)
415
+ Template Id: 49155
416
+ Field Count: 3
417
+ Field (1/3): TCP_SEQ_NUM
418
+ 0... .... .... .... = Pen provided: No
419
+ .000 0000 1011 1000 = Type: TCP_SEQ_NUM (184)
420
+ Length: 4
421
+ Field (2/3): 14 [pen: CERT Coordination Center]
422
+ 1... .... .... .... = Pen provided: Yes
423
+ .000 0000 0000 1110 = Type: 14 [pen: CERT Coordination Center]
424
+ Length: 1
425
+ PEN: CERT Coordination Center (6871)
426
+ Field (3/3): 15 [pen: CERT Coordination Center]
427
+ 1... .... .... .... = Pen provided: Yes
428
+ .000 0000 0000 1111 = Type: 15 [pen: CERT Coordination Center]
429
+ Length: 1
430
+ PEN: CERT Coordination Center (6871)
431
+ Set 2 [id=3] (Options Template): 53248,53249
432
+ FlowSet Id: Options Template (V10 [IPFIX]) (3)
433
+ FlowSet Length: 124
434
+ Options Template (Id = 53248) (Scope Count = 2; Data Count = 12)
435
+ Template Id: 53248
436
+ Total Field Count: 14
437
+ Scope Field Count: 2
438
+ Field (1/2) [Scope]: systemInitTimeMilliseconds
439
+ 0... .... .... .... = Pen provided: No
440
+ .000 0000 1010 0000 = Type: systemInitTimeMilliseconds (160)
441
+ Length: 8
442
+ Field (2/2) [Scope]: TOTAL_FLOWS_EXP
443
+ 0... .... .... .... = Pen provided: No
444
+ .000 0000 0010 1010 = Type: TOTAL_FLOWS_EXP (42)
445
+ Length: 8
446
+ Field (1/12): PACKETS_TOTAL
447
+ 0... .... .... .... = Pen provided: No
448
+ .000 0000 0101 0110 = Type: PACKETS_TOTAL (86)
449
+ Length: 8
450
+ Field (2/12): DROPPED_PACKETS_TOTAL
451
+ 0... .... .... .... = Pen provided: No
452
+ .000 0000 1000 0111 = Type: DROPPED_PACKETS_TOTAL (135)
453
+ Length: 8
454
+ Field (3/12): ignoredPacketTotalCount
455
+ 0... .... .... .... = Pen provided: No
456
+ .000 0000 1010 0100 = Type: ignoredPacketTotalCount (164)
457
+ Length: 8
458
+ Field (4/12): notSentPacketTotalCount
459
+ 0... .... .... .... = Pen provided: No
460
+ .000 0000 1010 0111 = Type: notSentPacketTotalCount (167)
461
+ Length: 8
462
+ Field (5/12): 100 [pen: CERT Coordination Center]
463
+ 1... .... .... .... = Pen provided: Yes
464
+ .000 0000 0110 0100 = Type: 100 [pen: CERT Coordination Center]
465
+ Length: 4
466
+ PEN: CERT Coordination Center (6871)
467
+ Field (6/12): 101 [pen: CERT Coordination Center]
468
+ 1... .... .... .... = Pen provided: Yes
469
+ .000 0000 0110 0101 = Type: 101 [pen: CERT Coordination Center]
470
+ Length: 4
471
+ PEN: CERT Coordination Center (6871)
472
+ Field (7/12): 104 [pen: CERT Coordination Center]
473
+ 1... .... .... .... = Pen provided: Yes
474
+ .000 0000 0110 1000 = Type: 104 [pen: CERT Coordination Center]
475
+ Length: 4
476
+ PEN: CERT Coordination Center (6871)
477
+ Field (8/12): 105 [pen: CERT Coordination Center]
478
+ 1... .... .... .... = Pen provided: Yes
479
+ .000 0000 0110 1001 = Type: 105 [pen: CERT Coordination Center]
480
+ Length: 4
481
+ PEN: CERT Coordination Center (6871)
482
+ Field (9/12): exporterIPv4Address
483
+ 0... .... .... .... = Pen provided: No
484
+ .000 0000 1000 0010 = Type: exporterIPv4Address (130)
485
+ Length: 4
486
+ Field (10/12): FLOW_EXPORTER
487
+ 0... .... .... .... = Pen provided: No
488
+ .000 0000 1001 0000 = Type: FLOW_EXPORTER (144)
489
+ Length: 4
490
+ Field (11/12): 102 [pen: CERT Coordination Center]
491
+ 1... .... .... .... = Pen provided: Yes
492
+ .000 0000 0110 0110 = Type: 102 [pen: CERT Coordination Center]
493
+ Length: 4
494
+ PEN: CERT Coordination Center (6871)
495
+ Field (12/12): 103 [pen: CERT Coordination Center]
496
+ 1... .... .... .... = Pen provided: Yes
497
+ .000 0000 0110 0111 = Type: 103 [pen: CERT Coordination Center]
498
+ Length: 4
499
+ PEN: CERT Coordination Center (6871)
500
+ Options Template (Id = 53249) (Scope Count = 2; Data Count = 2)
501
+ Template Id: 53249
502
+ Total Field Count: 4
503
+ Scope Field Count: 2
504
+ Field (1/2) [Scope]: 551 [pen: CERT Coordination Center]
505
+ 1... .... .... .... = Pen provided: Yes
506
+ .000 0010 0010 0111 = Type: 551 [pen: CERT Coordination Center]
507
+ Length: 2
508
+ PEN: CERT Coordination Center (6871)
509
+ Field (2/2) [Scope]: 552 [pen: CERT Coordination Center]
510
+ 1... .... .... .... = Pen provided: Yes
511
+ .000 0010 0010 1000 = Type: 552 [pen: CERT Coordination Center]
512
+ Length: 2
513
+ PEN: CERT Coordination Center (6871)
514
+ Field (1/2): 550 [pen: CERT Coordination Center]
515
+ 1... .... .... .... = Pen provided: Yes
516
+ .000 0010 0010 0110 = Type: 550 [pen: CERT Coordination Center]
517
+ Length: 4
518
+ PEN: CERT Coordination Center (6871)
519
+ Field (2/2): subTemplateList
520
+ 0... .... .... .... = Pen provided: No
521
+ .000 0001 0010 0100 = Type: subTemplateList (292)
522
+ Length: 65535 [i.e.: "Variable Length"]
523
+ Set 3 [id=2] (Data Template): 53250,49156,49157,49161,49160
524
+ FlowSet Id: Data Template (V10 [IPFIX]) (2)
525
+ FlowSet Length: 172
526
+ Template (Id = 53250, Count = 2)
527
+ Template Id: 53250
528
+ Field Count: 2
529
+ Field (1/2): FLOW_EXPORTER
530
+ 0... .... .... .... = Pen provided: No
531
+ .000 0000 1001 0000 = Type: FLOW_EXPORTER (144)
532
+ Length: 4
533
+ Field (2/2): observationTimeSeconds
534
+ 0... .... .... .... = Pen provided: No
535
+ .000 0001 0100 0010 = Type: observationTimeSeconds (322)
536
+ Length: 4
537
+ Template (Id = 49156, Count = 2)
538
+ Template Id: 49156
539
+ Field Count: 2
540
+ Field (1/2): SRC_MAC
541
+ 0... .... .... .... = Pen provided: No
542
+ .000 0000 0011 1000 = Type: SRC_MAC (56)
543
+ Length: 6
544
+ Field (2/2): DESTINATION_MAC
545
+ 0... .... .... .... = Pen provided: No
546
+ .000 0000 0101 0000 = Type: DESTINATION_MAC (80)
547
+ Length: 6
548
+ Template (Id = 49157, Count = 11)
549
+ Template Id: 49157
550
+ Field Count: 11
551
+ Field (1/11): 502 [pen: CERT Coordination Center]
552
+ 1... .... .... .... = Pen provided: Yes
553
+ .000 0001 1111 0110 = Type: 502 [pen: CERT Coordination Center]
554
+ Length: 8
555
+ PEN: CERT Coordination Center (6871)
556
+ Field (2/11): 503 [pen: CERT Coordination Center]
557
+ 1... .... .... .... = Pen provided: Yes
558
+ .000 0001 1111 0111 = Type: 503 [pen: CERT Coordination Center]
559
+ Length: 8
560
+ PEN: CERT Coordination Center (6871)
561
+ Field (3/11): 504 [pen: CERT Coordination Center]
562
+ 1... .... .... .... = Pen provided: Yes
563
+ .000 0001 1111 1000 = Type: 504 [pen: CERT Coordination Center]
564
+ Length: 8
565
+ PEN: CERT Coordination Center (6871)
566
+ Field (4/11): tcpUrgTotalCount
567
+ 0... .... .... .... = Pen provided: No
568
+ .000 0000 1101 1111 = Type: tcpUrgTotalCount (223)
569
+ Length: 4
570
+ Field (5/11): 500 [pen: CERT Coordination Center]
571
+ 1... .... .... .... = Pen provided: Yes
572
+ .000 0001 1111 0100 = Type: 500 [pen: CERT Coordination Center]
573
+ Length: 4
574
+ PEN: CERT Coordination Center (6871)
575
+ Field (6/11): 501 [pen: CERT Coordination Center]
576
+ 1... .... .... .... = Pen provided: Yes
577
+ .000 0001 1111 0101 = Type: 501 [pen: CERT Coordination Center]
578
+ Length: 4
579
+ PEN: CERT Coordination Center (6871)
580
+ Field (7/11): 510 [pen: CERT Coordination Center]
581
+ 1... .... .... .... = Pen provided: Yes
582
+ .000 0001 1111 1110 = Type: 510 [pen: CERT Coordination Center]
583
+ Length: 4
584
+ PEN: CERT Coordination Center (6871)
585
+ Field (8/11): 505 [pen: CERT Coordination Center]
586
+ 1... .... .... .... = Pen provided: Yes
587
+ .000 0001 1111 1001 = Type: 505 [pen: CERT Coordination Center]
588
+ Length: 2
589
+ PEN: CERT Coordination Center (6871)
590
+ Field (9/11): 506 [pen: CERT Coordination Center]
591
+ 1... .... .... .... = Pen provided: Yes
592
+ .000 0001 1111 1010 = Type: 506 [pen: CERT Coordination Center]
593
+ Length: 2
594
+ PEN: CERT Coordination Center (6871)
595
+ Field (10/11): 508 [pen: CERT Coordination Center]
596
+ 1... .... .... .... = Pen provided: Yes
597
+ .000 0001 1111 1100 = Type: 508 [pen: CERT Coordination Center]
598
+ Length: 2
599
+ PEN: CERT Coordination Center (6871)
600
+ Field (11/11): 507 [pen: CERT Coordination Center]
601
+ 1... .... .... .... = Pen provided: Yes
602
+ .000 0001 1111 1011 = Type: 507 [pen: CERT Coordination Center]
603
+ Length: 1
604
+ PEN: CERT Coordination Center (6871)
605
+ Template (Id = 49161, Count = 5)
606
+ Template Id: 49161
607
+ Field Count: 5
608
+ Field (1/5): 289 [pen: CERT Coordination Center]
609
+ 1... .... .... .... = Pen provided: Yes
610
+ .000 0001 0010 0001 = Type: 289 [pen: CERT Coordination Center]
611
+ Length: 8
612
+ PEN: CERT Coordination Center (6871)
613
+ Field (2/5): 290 [pen: CERT Coordination Center]
614
+ 1... .... .... .... = Pen provided: Yes
615
+ .000 0001 0010 0010 = Type: 290 [pen: CERT Coordination Center]
616
+ Length: 4
617
+ PEN: CERT Coordination Center (6871)
618
+ Field (3/5): 291 [pen: CERT Coordination Center]
619
+ 1... .... .... .... = Pen provided: Yes
620
+ .000 0001 0010 0011 = Type: 291 [pen: CERT Coordination Center]
621
+ Length: 2
622
+ PEN: CERT Coordination Center (6871)
623
+ Field (4/5): 292 [pen: CERT Coordination Center]
624
+ 1... .... .... .... = Pen provided: Yes
625
+ .000 0001 0010 0100 = Type: 292 [pen: CERT Coordination Center]
626
+ Length: 1
627
+ PEN: CERT Coordination Center (6871)
628
+ Field (5/5): 293 [pen: CERT Coordination Center]
629
+ 1... .... .... .... = Pen provided: Yes
630
+ .000 0001 0010 0101 = Type: 293 [pen: CERT Coordination Center]
631
+ Length: 1
632
+ PEN: CERT Coordination Center (6871)
633
+ Template (Id = 49160, Count = 1)
634
+ Template Id: 49160
635
+ Field Count: 1
636
+ Field (1/1): 18 [pen: CERT Coordination Center]
637
+ 1... .... .... .... = Pen provided: Yes
638
+ .000 0000 0001 0010 = Type: 18 [pen: CERT Coordination Center]
639
+ Length: 65535 [i.e.: "Variable Length"]
640
+ PEN: CERT Coordination Center (6871)
641
+ '''
642
+
643
+ data = "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".decode("hex")
644
+
645
+ '''
646
+ Cisco NetFlow/IPFIX
647
+ Version: 10
648
+ Length: 1415
649
+ Timestamp: Aug 8, 2018 16:04:37.000000000 MDT
650
+ ExportTime: 1533765877
651
+ FlowSequence: 34994
652
+ Observation Domain Id: 0
653
+ Set 1 [id=45825] (25 flows)
654
+ FlowSet Id: (Data) (45825)
655
+ FlowSet Length: 1399
656
+ [Template Frame: 214138]
657
+ Flow 1
658
+ [Duration: 0.017000000 seconds (milliseconds)]
659
+ StartTime: Aug 16, 2017 17:42:59.866000000 MDT
660
+ EndTime: Aug 16, 2017 17:42:59.883000000 MDT
661
+ Permanent Octets: 1320
662
+ Permanent Packets: 8
663
+ SrcAddr: 10.200.201.29
664
+ DstAddr: 18.220.208.40
665
+ SrcPort: 44438
666
+ DstPort: 80
667
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
668
+ Protocol: TCP (6)
669
+ Flow End Reason: End of Flow detected (3)
670
+ Vlan Id: 0
671
+ IP ToS: 0x00
672
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 38 33 4a ce 02 19
673
+ String_len_short: 255
674
+ String_len_short: 11
675
+ Flow 2
676
+ [Duration: 0.017000000 seconds (milliseconds)]
677
+ StartTime: Aug 16, 2017 17:42:59.866000000 MDT
678
+ EndTime: Aug 16, 2017 17:42:59.883000000 MDT
679
+ Permanent Octets: 2487
680
+ Permanent Packets: 7
681
+ SrcAddr: 18.220.208.40
682
+ DstAddr: 10.200.201.29
683
+ SrcPort: 80
684
+ DstPort: 44438
685
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
686
+ Protocol: TCP (6)
687
+ Flow End Reason: End of Flow detected (3)
688
+ Vlan Id: 0
689
+ IP ToS: 0x00
690
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 17 45 a1 48 12 19
691
+ String_len_short: 255
692
+ String_len_short: 11
693
+ Flow 3
694
+ [Duration: 0.011000000 seconds (milliseconds)]
695
+ StartTime: Aug 16, 2017 17:43:04.888000000 MDT
696
+ EndTime: Aug 16, 2017 17:43:04.899000000 MDT
697
+ Permanent Octets: 1320
698
+ Permanent Packets: 8
699
+ SrcAddr: 10.200.201.29
700
+ DstAddr: 18.220.208.40
701
+ SrcPort: 44440
702
+ DstPort: 80
703
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
704
+ Protocol: TCP (6)
705
+ Flow End Reason: End of Flow detected (3)
706
+ Vlan Id: 0
707
+ IP ToS: 0x00
708
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 85 b1 53 02 02 19
709
+ Flow 4
710
+ [Duration: 0.010000000 seconds (milliseconds)]
711
+ StartTime: Aug 16, 2017 17:43:04.889000000 MDT
712
+ EndTime: Aug 16, 2017 17:43:04.899000000 MDT
713
+ Permanent Octets: 2487
714
+ Permanent Packets: 7
715
+ SrcAddr: 18.220.208.40
716
+ DstAddr: 10.200.201.29
717
+ SrcPort: 80
718
+ DstPort: 44440
719
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
720
+ Protocol: TCP (6)
721
+ Flow End Reason: End of Flow detected (3)
722
+ Vlan Id: 0
723
+ IP ToS: 0x00
724
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 3f 3b 67 48 12 19
725
+ Flow 5
726
+ [Duration: 0.011000000 seconds (milliseconds)]
727
+ StartTime: Aug 16, 2017 17:43:09.904000000 MDT
728
+ EndTime: Aug 16, 2017 17:43:09.915000000 MDT
729
+ Permanent Octets: 1329
730
+ Permanent Packets: 8
731
+ SrcAddr: 10.200.201.29
732
+ DstAddr: 18.220.208.40
733
+ SrcPort: 44442
734
+ DstPort: 80
735
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
736
+ Protocol: TCP (6)
737
+ Flow End Reason: End of Flow detected (3)
738
+ Vlan Id: 0
739
+ IP ToS: 0x00
740
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 02 6c 56 b4 02 19
741
+ Flow 6
742
+ [Duration: 0.010000000 seconds (milliseconds)]
743
+ StartTime: Aug 16, 2017 17:43:09.905000000 MDT
744
+ EndTime: Aug 16, 2017 17:43:09.915000000 MDT
745
+ Permanent Octets: 2487
746
+ Permanent Packets: 7
747
+ SrcAddr: 18.220.208.40
748
+ DstAddr: 10.200.201.29
749
+ SrcPort: 80
750
+ DstPort: 44442
751
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
752
+ Protocol: TCP (6)
753
+ Flow End Reason: End of Flow detected (3)
754
+ Vlan Id: 0
755
+ IP ToS: 0x00
756
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a cb 86 7d 0e 12 19
757
+ Flow 7
758
+ [Duration: 0.010000000 seconds (milliseconds)]
759
+ StartTime: Aug 16, 2017 17:43:14.920000000 MDT
760
+ EndTime: Aug 16, 2017 17:43:14.930000000 MDT
761
+ Permanent Octets: 1329
762
+ Permanent Packets: 8
763
+ SrcAddr: 10.200.201.29
764
+ DstAddr: 18.220.208.40
765
+ SrcPort: 44444
766
+ DstPort: 80
767
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
768
+ Protocol: TCP (6)
769
+ Flow End Reason: End of Flow detected (3)
770
+ Vlan Id: 0
771
+ IP ToS: 0x00
772
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a cb 4d c8 f5 02 19
773
+ Flow 8
774
+ [Duration: 0.009000000 seconds (milliseconds)]
775
+ StartTime: Aug 16, 2017 17:43:14.921000000 MDT
776
+ EndTime: Aug 16, 2017 17:43:14.930000000 MDT
777
+ Permanent Octets: 2487
778
+ Permanent Packets: 7
779
+ SrcAddr: 18.220.208.40
780
+ DstAddr: 10.200.201.29
781
+ SrcPort: 80
782
+ DstPort: 44444
783
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
784
+ Protocol: TCP (6)
785
+ Flow End Reason: End of Flow detected (3)
786
+ Vlan Id: 0
787
+ IP ToS: 0x00
788
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 74 f8 18 c8 12 19
789
+ Flow 9
790
+ [Duration: 0.020000000 seconds (milliseconds)]
791
+ StartTime: Aug 16, 2017 17:43:19.936000000 MDT
792
+ EndTime: Aug 16, 2017 17:43:19.956000000 MDT
793
+ Permanent Octets: 1320
794
+ Permanent Packets: 8
795
+ SrcAddr: 10.200.201.29
796
+ DstAddr: 18.220.208.40
797
+ SrcPort: 44446
798
+ DstPort: 80
799
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
800
+ Protocol: TCP (6)
801
+ Flow End Reason: End of Flow detected (3)
802
+ Vlan Id: 0
803
+ IP ToS: 0x00
804
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 92 9f 7b 74 02 19
805
+ Flow 10
806
+ [Duration: 0.020000000 seconds (milliseconds)]
807
+ StartTime: Aug 16, 2017 17:43:19.936000000 MDT
808
+ EndTime: Aug 16, 2017 17:43:19.956000000 MDT
809
+ Permanent Octets: 2487
810
+ Permanent Packets: 7
811
+ SrcAddr: 18.220.208.40
812
+ DstAddr: 10.200.201.29
813
+ SrcPort: 80
814
+ DstPort: 44446
815
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
816
+ Protocol: TCP (6)
817
+ Flow End Reason: End of Flow detected (3)
818
+ Vlan Id: 0
819
+ IP ToS: 0x00
820
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a c8 64 98 bf 12 19
821
+ Flow 11
822
+ [Duration: 0.014000000 seconds (milliseconds)]
823
+ StartTime: Aug 16, 2017 17:43:24.961000000 MDT
824
+ EndTime: Aug 16, 2017 17:43:24.975000000 MDT
825
+ Permanent Octets: 1325
826
+ Permanent Packets: 8
827
+ SrcAddr: 10.200.201.29
828
+ DstAddr: 18.220.208.40
829
+ SrcPort: 44448
830
+ DstPort: 80
831
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
832
+ Protocol: TCP (6)
833
+ Flow End Reason: End of Flow detected (3)
834
+ Vlan Id: 0
835
+ IP ToS: 0x00
836
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a db ea 55 d8 02 19
837
+ Flow 12
838
+ [Duration: 0.013000000 seconds (milliseconds)]
839
+ StartTime: Aug 16, 2017 17:43:24.962000000 MDT
840
+ EndTime: Aug 16, 2017 17:43:24.975000000 MDT
841
+ Permanent Octets: 2487
842
+ Permanent Packets: 7
843
+ SrcAddr: 18.220.208.40
844
+ DstAddr: 10.200.201.29
845
+ SrcPort: 80
846
+ DstPort: 44448
847
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
848
+ Protocol: TCP (6)
849
+ Flow End Reason: End of Flow detected (3)
850
+ Vlan Id: 0
851
+ IP ToS: 0x00
852
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 88 6d 0e c0 12 19
853
+ Flow 13
854
+ [Duration: 0.011000000 seconds (milliseconds)]
855
+ StartTime: Aug 16, 2017 17:43:29.977000000 MDT
856
+ EndTime: Aug 16, 2017 17:43:29.988000000 MDT
857
+ Permanent Octets: 1320
858
+ Permanent Packets: 8
859
+ SrcAddr: 10.200.201.29
860
+ DstAddr: 18.220.208.40
861
+ SrcPort: 44450
862
+ DstPort: 80
863
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
864
+ Protocol: TCP (6)
865
+ Flow End Reason: End of Flow detected (3)
866
+ Vlan Id: 0
867
+ IP ToS: 0x00
868
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 3d ae 2b c1 02 19
869
+ Flow 14
870
+ [Duration: 0.010000000 seconds (milliseconds)]
871
+ StartTime: Aug 16, 2017 17:43:29.978000000 MDT
872
+ EndTime: Aug 16, 2017 17:43:29.988000000 MDT
873
+ Permanent Octets: 2487
874
+ Permanent Packets: 7
875
+ SrcAddr: 18.220.208.40
876
+ DstAddr: 10.200.201.29
877
+ SrcPort: 80
878
+ DstPort: 44450
879
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
880
+ Protocol: TCP (6)
881
+ Flow End Reason: End of Flow detected (3)
882
+ Vlan Id: 0
883
+ IP ToS: 0x00
884
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 45 2f 53 32 12 19
885
+ Flow 15
886
+ [Duration: 0.019000000 seconds (milliseconds)]
887
+ StartTime: Aug 16, 2017 17:43:34.993000000 MDT
888
+ EndTime: Aug 16, 2017 17:43:35.012000000 MDT
889
+ Permanent Octets: 1320
890
+ Permanent Packets: 8
891
+ SrcAddr: 10.200.201.29
892
+ DstAddr: 18.220.208.40
893
+ SrcPort: 44452
894
+ DstPort: 80
895
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
896
+ Protocol: TCP (6)
897
+ Flow End Reason: End of Flow detected (3)
898
+ Vlan Id: 0
899
+ IP ToS: 0x00
900
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 0d bf 62 5a 02 19
901
+ Flow 16
902
+ [Duration: 0.019000000 seconds (milliseconds)]
903
+ StartTime: Aug 16, 2017 17:43:34.993000000 MDT
904
+ EndTime: Aug 16, 2017 17:43:35.012000000 MDT
905
+ Permanent Octets: 2487
906
+ Permanent Packets: 7
907
+ SrcAddr: 18.220.208.40
908
+ DstAddr: 10.200.201.29
909
+ SrcPort: 80
910
+ DstPort: 44452
911
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
912
+ Protocol: TCP (6)
913
+ Flow End Reason: End of Flow detected (3)
914
+ Vlan Id: 0
915
+ IP ToS: 0x00
916
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 3e 60 ed 80 12 19
917
+ Flow 17
918
+ [Duration: 0.000000000 seconds (milliseconds)]
919
+ StartTime: Aug 16, 2017 17:38:32.809000000 MDT
920
+ EndTime: Aug 16, 2017 17:38:32.809000000 MDT
921
+ Permanent Octets: 356
922
+ Permanent Packets: 1
923
+ SrcAddr: 10.200.201.1
924
+ DstAddr: 10.200.201.29
925
+ SrcPort: 0
926
+ DstPort: 771
927
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
928
+ Protocol: ICMP (1)
929
+ Flow End Reason: Idle timeout (1)
930
+ Vlan Id: 0
931
+ IP ToS: 0xc0
932
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03
933
+ Flow 18
934
+ [Duration: 2.959000000 seconds (milliseconds)]
935
+ StartTime: Aug 16, 2017 17:38:32.808000000 MDT
936
+ EndTime: Aug 16, 2017 17:38:35.767000000 MDT
937
+ Permanent Octets: 656
938
+ Permanent Packets: 2
939
+ SrcAddr: 10.200.201.29
940
+ DstAddr: 10.200.201.1
941
+ SrcPort: 68
942
+ DstPort: 67
943
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 01
944
+ Protocol: UDP (17)
945
+ Flow End Reason: Idle timeout (1)
946
+ Vlan Id: 0
947
+ IP ToS: 0x00
948
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03
949
+ Flow 19
950
+ [Duration: 0.000000000 seconds (milliseconds)]
951
+ StartTime: Aug 16, 2017 17:38:35.767000000 MDT
952
+ EndTime: Aug 16, 2017 17:38:35.767000000 MDT
953
+ Permanent Octets: 358
954
+ Permanent Packets: 1
955
+ SrcAddr: 10.200.201.1
956
+ DstAddr: 10.200.201.29
957
+ SrcPort: 67
958
+ DstPort: 68
959
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
960
+ Protocol: UDP (17)
961
+ Flow End Reason: Idle timeout (1)
962
+ Vlan Id: 0
963
+ IP ToS: 0x10
964
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03
965
+ Flow 20
966
+ [Duration: 0.011000000 seconds (milliseconds)]
967
+ StartTime: Aug 16, 2017 17:43:40.013000000 MDT
968
+ EndTime: Aug 16, 2017 17:43:40.024000000 MDT
969
+ Permanent Octets: 1320
970
+ Permanent Packets: 8
971
+ SrcAddr: 10.200.201.29
972
+ DstAddr: 18.220.208.40
973
+ SrcPort: 44454
974
+ DstPort: 80
975
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
976
+ Protocol: TCP (6)
977
+ Flow End Reason: End of Flow detected (3)
978
+ Vlan Id: 0
979
+ IP ToS: 0x00
980
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 39 6b 41 ae 02 19
981
+ Flow 21
982
+ [Duration: 0.010000000 seconds (milliseconds)]
983
+ StartTime: Aug 16, 2017 17:43:40.014000000 MDT
984
+ EndTime: Aug 16, 2017 17:43:40.024000000 MDT
985
+ Permanent Octets: 2487
986
+ Permanent Packets: 7
987
+ SrcAddr: 18.220.208.40
988
+ DstAddr: 10.200.201.29
989
+ SrcPort: 80
990
+ DstPort: 44454
991
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
992
+ Protocol: TCP (6)
993
+ Flow End Reason: End of Flow detected (3)
994
+ Vlan Id: 0
995
+ IP ToS: 0x00
996
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a e0 64 71 67 12 19
997
+ Flow 22
998
+ [Duration: 0.018000000 seconds (milliseconds)]
999
+ StartTime: Aug 16, 2017 17:43:45.030000000 MDT
1000
+ EndTime: Aug 16, 2017 17:43:45.048000000 MDT
1001
+ Permanent Octets: 1325
1002
+ Permanent Packets: 8
1003
+ SrcAddr: 10.200.201.29
1004
+ DstAddr: 18.220.208.40
1005
+ SrcPort: 44456
1006
+ DstPort: 80
1007
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
1008
+ Protocol: TCP (6)
1009
+ Flow End Reason: End of Flow detected (3)
1010
+ Vlan Id: 0
1011
+ IP ToS: 0x00
1012
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 2d 7a 9e a0 02 19
1013
+ Flow 23
1014
+ [Duration: 0.018000000 seconds (milliseconds)]
1015
+ StartTime: Aug 16, 2017 17:43:45.030000000 MDT
1016
+ EndTime: Aug 16, 2017 17:43:45.048000000 MDT
1017
+ Permanent Octets: 2487
1018
+ Permanent Packets: 7
1019
+ SrcAddr: 18.220.208.40
1020
+ DstAddr: 10.200.201.29
1021
+ SrcPort: 80
1022
+ DstPort: 44456
1023
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
1024
+ Protocol: TCP (6)
1025
+ Flow End Reason: End of Flow detected (3)
1026
+ Vlan Id: 0
1027
+ IP ToS: 0x00
1028
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a d6 45 07 af 12 19
1029
+ Flow 24
1030
+ [Duration: 0.011000000 seconds (milliseconds)]
1031
+ StartTime: Aug 16, 2017 17:43:50.053000000 MDT
1032
+ EndTime: Aug 16, 2017 17:43:50.064000000 MDT
1033
+ Permanent Octets: 1325
1034
+ Permanent Packets: 8
1035
+ SrcAddr: 10.200.201.29
1036
+ DstAddr: 18.220.208.40
1037
+ SrcPort: 44458
1038
+ DstPort: 80
1039
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
1040
+ Protocol: TCP (6)
1041
+ Flow End Reason: End of Flow detected (3)
1042
+ Vlan Id: 0
1043
+ IP ToS: 0x00
1044
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a e9 54 05 27 02 19
1045
+ Flow 25
1046
+ [Duration: 0.010000000 seconds (milliseconds)]
1047
+ StartTime: Aug 16, 2017 17:43:50.054000000 MDT
1048
+ EndTime: Aug 16, 2017 17:43:50.064000000 MDT
1049
+ Permanent Octets: 2487
1050
+ Permanent Packets: 7
1051
+ SrcAddr: 18.220.208.4
1052
+ DstAddr: 10.200.201.29
1053
+ SrcPort: 80
1054
+ DstPort: 44458
1055
+ Enterprise Private entry: (CERT Coordination Center) Type 40: Value (hex bytes): 00 00
1056
+ Protocol: TCP (6)
1057
+ Flow End Reason: End of Flow detected (3)
1058
+ Vlan Id: 0
1059
+ IP ToS: 0x00
1060
+ Enterprise Private entry: ((null)) Type 293: Value (hex bytes): 03 c0 03 00 0a 4d 79 2e 00 12 19
1061
+ '''
1062
+
1063
+ host = sys.argv[1]
1064
+ port = 2055
1065
+ N = 150000
1066
+ flowsPerPacket = 25
1067
+
1068
+ sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
1069
+ sock.sendto(tpl, (host, port))
1070
+
1071
+ time.sleep(0.2)
1072
+
1073
+ ts = time.time()
1074
+ print("%d: started sending %d YAF flows in %d packets totaling %d bytes" % (ts,N*flowsPerPacket, N, N*len(data)))
1075
+ print("%d: flow size %d, packet size %d" % (ts, len(data) / flowsPerPacket, len(data)))
1076
+
1077
+ for i in range(0, N):
1078
+ sock.sendto(data, (host, port))