Net::Flow::Ie - decode NetFlow/IPFIX information elements.
The following script prints the received Flow Records after decoding NetFlow/IPFIX datagrams with Net::Flow. Net::Flow::Ie decodes binary data, given the element id and the type of the data.
    use strict ;
    use Net::Flow qw(decode) ;
    use Net::Flow::Ie qw(decode addie) ;
    use Ie qw(iedecode addie) ;
    use IO::Socket::INET ;

    my $receive_port     = 4739 ;
    my $packet           = undef ;
    my $TemplateArrayRef = undef ;
    my $sock  = IO::Socket::INET->new( LocalPort => $receive_port, Proto => 'udp' ) ;
    my $ieRef = Net::Flow::Ie::addie() ;

    while ( $sock->recv( $packet, 1548 ) ) {

        my ( $HeaderHashRef, $FlowArrayRef, $ErrorsArrayRef ) = () ;

        # Decode one datagram; the templates seen so far are passed back in.
        ( $HeaderHashRef, $TemplateArrayRef, $FlowArrayRef, $ErrorsArrayRef ) =
            Net::Flow::decode( \$packet, $TemplateArrayRef ) ;

        grep { print "$_\n" } @{$ErrorsArrayRef} if ( @{$ErrorsArrayRef} ) ;

        print "\n- Header Information -\n" ;
        foreach my $Key ( sort keys %{$HeaderHashRef} ) {
            printf " %s = %3d\n", $Key, $HeaderHashRef->{$Key} ;
        }

        foreach my $TemplateRef ( @{$TemplateArrayRef} ) {
            print "\n-- Template Information --\n" ;
            foreach my $TempKey ( sort { $a <=> $b } keys %{$TemplateRef} ) {
                if ( $TempKey eq "Template" ) {
                    printf " %s = \n", $TempKey ;
                    foreach my $Ref ( @{ $$TemplateRef{Template} } ) {
                        foreach my $Key ( keys %{$Ref} ) {
                            printf " %s=%-3d Name=%-30s Type=%-10s",
                                $Key, $$Ref{$Key},
                                $$ieRef{ $$Ref{$Key} }->{Name},
                                $$ieRef{ $$Ref{$Key} }->{Type}
                                if $Key eq "Id" ;
                            printf " %s=%-3d", $Key, $$Ref{$Key} if $Key eq "Length" ;
                        }
                        print "\n" ;
                    }
                } else {
                    printf " %s = %s\n", $TempKey, $$TemplateRef{$TempKey} ;
                }
            }
        }

        # Print each field of each Flow Record as id, name and decoded value.
        foreach my $FlowRef ( @{$FlowArrayRef} ) {
            print "\n-- Flow Information --\n" ;
            foreach my $Id ( sort { $a <=> $b } keys %{$FlowRef} ) {
                if ( $Id eq "SetId" ) {
                    print " $Id=$$FlowRef{$Id}\n" if defined $$FlowRef{$Id} ;
                } else {
                    printf " Id=%-3d Name=%-30s Value=%s\n",
                        $Id, Net::Flow::Ie::decode( $Id, $$FlowRef{$Id} ) ;
                }
            }
        }
    }
( $Name, $Value ) = Net::Flow::Ie::iedecode( $Id, $BinValue, $IeRef ) ;
It returns the name and value of an information element, given the information element id and the binary data of that information element. This module holds information element data consisting of id, name, and data type, such as "1", "octetDeltaCount" and "unsigned64". By default, if it cannot find the id number in the information element data, it converts the binary data to hex. To add new information elements, such as ones with an enterprise id, pass $IeRef. You can also use the return value of the addie function; that return value is merged into the information element data kept in this module. $IeRef is a reference to information element data, as follows.
    my $ieRef = {
        0      => { 'Name' => 'dummy',                      'Type' => 'octetArray' },
        1      => { 'Name' => 'octetDeltaCount',            'Type' => 'unsigned64' },
        1000.1 => { 'Name' => 'enterprise.octetDeltaCount', 'Type' => 'unsigned64' },
    } ;
In addition, to decode multiple binary values for the same id, pass $BinValue as a reference to an array containing each binary value. In that case, the returned $Value is the concatenation of the decoded values, joined by a delimiter. Regarding data type and information elements, please see for detail.
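The lookup described above (id to name and type, hex output for ids missing from the table, an array of values joined by a delimiter), as an added stand-alone sketch; it is not code from Net::Flow::Ie and does not call it. The sub names, the two extra table entries, the "," delimiter and the length check are assumptions made for this example.

```perl
# Added sketch, independent of Net::Flow::Ie. Needs perl 5.10+ with 64-bit ints.
use strict;
use warnings;

# Id => name/type table in the shape of $IeRef (ids 4 and 8 added here).
my %ie = (
    1        => { Name => 'octetDeltaCount',            Type => 'unsigned64' },
    4        => { Name => 'protocolIdentifier',         Type => 'unsigned8' },
    8        => { Name => 'sourceIPv4Address',          Type => 'ipv4Address' },
    '1000.1' => { Name => 'enterprise.octetDeltaCount', Type => 'unsigned64' },
);

# Nominal width in bytes. IPFIX reduced-size encoding (RFC 7011) lets an
# unsigned value arrive shorter than this, never longer.
my %width = ( unsigned8 => 1, unsigned16 => 2, unsigned32 => 4, unsigned64 => 8 );

sub decode_one {
    my ( $type, $bin ) = @_;
    $type //= '';
    my $len = length $bin;
    if ( my $w = $width{$type} ) {
        # Left-pad to 8 bytes, then read as a big-endian 64-bit integer.
        return unpack( 'Q>', "\0" x ( 8 - $len ) . $bin ) if $len >= 1 && $len <= $w;
    }
    elsif ( $type eq 'ipv4Address' && $len == 4 ) {
        return join '.', unpack 'C4', $bin;
    }
    return '0x' . unpack 'H*', $bin;    # unknown id or type, or bad length
}

# Returns (name, value); an array reference yields the values joined by ",".
sub ie_decode_sketch {
    my ( $id, $bin ) = @_;
    my $e    = $ie{$id} || {};
    my @vals = ref($bin) eq 'ARRAY' ? @$bin : ($bin);
    return ( $e->{Name} // 'unknown', join ',', map { decode_one( $e->{Type}, $_ ) } @vals );
}

# Constructed sample values, not captured traffic.
my @samples = (
    [ 1,        pack( 'Q>', 1500 ) ],
    [ '1000.1', pack( 'n',  1500 ) ],    # reduced-size: 2 bytes for unsigned64
    [ 8,        [ pack( 'C4', 192, 0, 2, 1 ), pack( 'C4', 192, 0, 2, 2 ) ] ],
    [ 4,        "\x06\x00" ],            # 2 bytes for unsigned8: hex output
    [ 999,      "\xde\xad\xbe\xef" ],    # id absent from the table
);
printf "Id=%-7s Name=%-28s Value=%s\n", $_->[0], ie_decode_sketch(@$_) for @samples;
```

Field values come from whoever can send UDP to the collector port, so the sketch never unpacks a value whose length exceeds what its declared type allows.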
$IeRef = Net::Flow::Ie::addie( $AddRef ) ;
You can add your own information elements to the data set kept in this module. The return value $IeRef is a reference to the merged information element data.
Atsushi Kobayashi
Copyright (c) 2007-2008 NTT Information Sharing Platform Laboratories
This package is free software and is provided "as is" without express or implied warranty. It may be used, redistributed and/or modified under the terms of the Perl Artistic License (see http://www.perl.com/perl/misc/Artistic.html)
To install Net::Flow::Ie, copy and paste the appropriate command into your terminal.
cpanm
    cpanm Net::Flow::Ie
CPAN shell
    perl -MCPAN -e shell
    install Net::Flow::Ie