calmh / ipfixcat

Convert an IPFIX stream to readable JSON
MIT License

ipfixcat


ipfixcat is a utility to parse and print an IPFIX stream, as defined by RFC 5101. It's also the minimal demo of how to use the github.com/calmh/ipfix package.

Installation

Grab a binary release from https://github.com/calmh/ipfixcat/releases.

You can also build from source. Make sure you have Go 1.1 installed. See http://golang.org/doc/install.

$ go install github.com/calmh/ipfixcat

Output

The output format is JSON with one object per line. Each object has fields exportTime (UNIX epoch seconds), templateId and elements. The latter is an array containing the information elements in the same order as they were received from the exporter.

Each information element has the fields name, enterprise, field, value and rawvalue. For vendor fields that are not described by a user dictionary, name and value will be empty and rawvalue contains a byte array. For fully understood fields, value contains the parsed value and rawvalue is empty.

Some statistics can be enabled as well; see ipfixcat -help for more information.

Examples

Parse a UDP IPFIX stream, using a custom dictionary to interpret vendor fields. Note that it might take a while before datasets start to appear, because the periodically sent template sets must be received first; without them the datasets cannot be parsed.

$ socat udp-recv:4739 stdout | ipfixcat -dict procera-fields.ini
{"exportTime":1374745620,"templateId":49836,"fields":[{"name":"destinationIPv4Address","field":12,"value":"194.153....
{"exportTime":1374745620,"templateId":10299,"fields":[{"name":"destinationIPv6Address","field":28,"value":"2001:470...
{"exportTime":1374745620,"templateId":10299,"fields":[{"name":"destinationIPv6Address","field":28,"value":"2001:470...
...

Don't attempt to use netcat (nc) for reading UDP streams. Almost all distributed versions are broken and truncate UDP packets at 1024 bytes.
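Why a cut datagram matters to whatever reads the pipe, as an added example (not code from ipfixcat or the ipfix package): each IPFIX message declares its own length in the 16-byte message header, so a reader that frames the piped byte stream by that field loses sync after a datagram cut at 1024 bytes. ScanStream, sampleMessage and the error names are hypothetical, and the messages are constructed with empty bodies.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const headerLen = 16 // fixed IPFIX message header, in bytes

var (
	ErrShort     = errors.New("fewer bytes left than a message header")
	ErrHeader    = errors.New("not a valid IPFIX message header")
	ErrTruncated = errors.New("fewer bytes left than the header declares")
)

// ScanStream frames back-to-back messages by the Length field (bytes 2-3) and
// returns how many framed cleanly, the offset where scanning stopped, and why.
func ScanStream(s []byte) (msgs, off int, err error) {
	for off < len(s) {
		rest := s[off:]
		if len(rest) < headerLen {
			return msgs, off, ErrShort
		}
		version := binary.BigEndian.Uint16(rest[0:2])
		declared := int(binary.BigEndian.Uint16(rest[2:4]))
		switch {
		case version != 10 || declared < headerLen:
			return msgs, off, ErrHeader
		case declared > len(rest):
			return msgs, off, ErrTruncated
		}
		msgs, off = msgs+1, off+declared
	}
	return msgs, off, nil
}

// sampleMessage returns a constructed n-byte message: valid header, zero body.
func sampleMessage(n int) []byte {
	b := make([]byte, n)
	binary.BigEndian.PutUint16(b[0:2], 10)
	binary.BigEndian.PutUint16(b[2:4], uint16(n))
	return b
}

func main() {
	cut := append(sampleMessage(1400)[:1024], sampleMessage(200)...)
	fmt.Println(ScanStream(append(cut, sampleMessage(200)...)))
}
```

On the constructed stream the cut message is still counted as well framed, because bytes of the following messages fill out its declared length; the error only surfaces at offset 1400, inside a later message.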

License

The MIT License.