robcowart / elastiflow

Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack

Missing some nProbe IDs #412

Closed novaksam closed 4 years ago

novaksam commented 5 years ago

Just passing this along :) Not sure what naming convention you use, so I thought I'd leave that up to you.

# Element ids already defined in netflow.yml: the top-level "NNN:" keys, skipping the "- :type" list items
grep ':' netflow.yml | grep -v -- '-' | cut -d':' -f1 | sort > Netflow_IDs.txt

# NetFlow v9 element ids that nProbe can export
nprobe -H | grep NFv9 | cut -d ']' -f1 | cut -d' ' -f2 | sort > Nprobe_IDs.txt

# Ids present in the nProbe list but not in netflow.yml (added lines of the diff, without the "+++" file header)
diff -u Netflow_IDs.txt Nprobe_IDs.txt | grep '^+[0-9]' | cut -d'+' -f2 > Missing_IDs.txt

# Print the full nProbe definition of each missing id (match on the id field only, not as a substring)
nprobe -H | grep NFv9 > Nprobe_Items.txt
for E in $(cat Missing_IDs.txt); do grep "NFv9 $E]" Nprobe_Items.txt; done

rm Netflow_IDs.txt Nprobe_Items.txt Nprobe_IDs.txt Missing_IDs.txt

[NFv9 57550][IPFIX 35632.78][Len 1] %CLIENT_TCP_FLAGS           Cumulative of all client TCP flags
[NFv9 57551][IPFIX 35632.79][Len 1] %SERVER_TCP_FLAGS           Cumulative of all server TCP flags
[NFv9 57788][IPFIX 35632.316][Len 96 varlen] %SIP_UAC                       SIP user-agent client
[NFv9 57789][IPFIX 35632.317][Len 96 varlen] %SIP_UAS                       SIP user-agent server
[NFv9 57944][IPFIX 35632.472][Len 8] %SRC_TO_DST_SECOND_BYTES       Bytes/sec (src->dst) [pro only]
[NFv9 57945][IPFIX 35632.473][Len 8] %DST_TO_SRC_SECOND_BYTES       Bytes/sec2 (dst->src) [pro only]
[NFv9 57952][IPFIX 35632.480][Len 64 varlen] %DICOM_IMPL_UID                DICOM Impl. UID
[NFv9 57953][IPFIX 35632.481][Len 64 varlen] %DICOM_IMPL_VERSION            DICOM Impl. Version
[NFv9 57954][IPFIX 35632.482][Len 64 varlen] %DICOM_MODALITY                DICOM Modality
[NFv9 57955][IPFIX 35632.483][Len 64 varlen] %DICOM_MANUFACTURER            DICOM Manufacturer
[NFv9 57956][IPFIX 35632.484][Len 64 varlen] %DICOM_INST_NAME               DICOM Institution Name
[NFv9 57957][IPFIX 35632.485][Len 64 varlen] %DICOM_INST_ADDR               DICOM Institution Address
[NFv9 57958][IPFIX 35632.486][Len 64 varlen] %DICOM_STATION_NAME            DICOM Station Name
[NFv9 57959][IPFIX 35632.487][Len 64 varlen] %DICOM_DEVICE_SERIAL           DICOM Device Serial
[NFv9 57960][IPFIX 35632.488][Len 64 varlen] %DICOM_SW_VERSION              DICOM Software Version
[NFv9 57961][IPFIX 35632.489][Len 32 varlen] %JA3C_HASH                     JA3 client hash
[NFv9 57962][IPFIX 35632.490][Len 32 varlen] %JA3S_HASH                     JA3 server hash
[NFv9 57963][IPFIX 35632.491][Len 48 varlen] %SRC_HOST_NAME                 Symbolic src host name
[NFv9 57964][IPFIX 35632.492][Len 48 varlen] %DST_HOST_NAME                 Symbolic dst host name
[NFv9 57965][IPFIX 35632.493][Len 2] %SSL_CIPHER                    SSL Connection Cipher
[NFv9 57966][IPFIX 35632.494][Len 1] %SSL_UNSAFE_CIPHER             SSL Safe(0)/unsafe(1) cipher
[NFv9 57967][IPFIX 35632.495][Len 2] %SSL_VERSION                   SSL Version
[NFv9 58500][IPFIX 35632.1028][Len 16] %PROTOCOL_MAP                IP protocol name
[NFv9 58503][IPFIX 35632.1031][Len 16] %L4_SRC_PORT_MAP             Layer 4 source port symbolic name
[NFv9 58507][IPFIX 35632.1035][Len 16] %L4_DST_PORT_MAP             Layer 4 destination port symbolic name
[NFv9 58508][IPFIX 35632.1036][Len 2] %L4_SRV_PORT                  Layer 4 server port
[NFv9 58509][IPFIX 35632.1037][Len 16] %L4_SRV_PORT_MAP             Layer 4 server port symbolic name
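The same comparison as the shell pipeline above, done in Python, as an added example that is not part of this issue or of the ElastiFlow project: it parses the `nprobe -H` line format and the top-level element ids of netflow.yml, lists the fields nProbe can export that the codec does not define, and drafts a netflow.yml stanza for each. The sample inputs are constructed, and the Len-to-type mapping in `yml_stanza` (1/2/4/8 bytes to `:uint8`..`:uint64`, varlen to `:string`) is an assumption about the Logstash netflow codec's field types, not something this issue states.

```python
import re
from dataclasses import dataclass
# Constructed excerpt of `nprobe -H` output, in the format shown in the report above.
NPROBE_HELP = """\
[NFv9 57550][IPFIX 35632.78][Len 1] %CLIENT_TCP_FLAGS           Cumulative of all client TCP flags
[NFv9 57961][IPFIX 35632.489][Len 32 varlen] %JA3C_HASH                     JA3 client hash
[NFv9 58508][IPFIX 35632.1036][Len 2] %L4_SRV_PORT                  Layer 4 server port
"""
# Constructed excerpt of a Logstash-style netflow.yml: element id -> [type, name].
NETFLOW_YML = """\
---
57550:
- :uint8
- :client_tcp_flags
"""
# One `nprobe -H` field line: [NFv9 id][IPFIX pen.id][Len n [varlen]] %NAME description
NPROBE_LINE = re.compile(
    r"^\[NFv9 (?P<nfv9>\d+)\]\[IPFIX (?P<ipfix>[\d.]+)\]"
    r"\[Len (?P<len>\d+)(?P<varlen> varlen)?\] %(?P<name>\w+)\s*(?P<desc>.*)$"
)
@dataclass
class NprobeField:
    nfv9_id: int
    ipfix_id: str
    length: int
    varlen: bool
    name: str
    description: str

def parse_nprobe_help(text):
    """Index every field advertised by `nprobe -H` by its NetFlow v9 element id."""
    fields = {}
    for m in filter(None, map(NPROBE_LINE.match, text.splitlines())):
        fields[int(m["nfv9"])] = NprobeField(int(m["nfv9"]), m["ipfix"], int(m["len"]),
                                            bool(m["varlen"]), m["name"], m["desc"].strip())
    return fields

def netflow_yml_ids(text):
    """Top-level numeric keys of netflow.yml, i.e. the element ids the codec already decodes."""
    return {int(k) for k in re.findall(r"^(\d+):[ \t]*$", text, re.M)}

def missing_fields(nprobe_text, yml_text):
    """Fields nProbe can export that netflow.yml does not define, in id order."""
    known = netflow_yml_ids(yml_text)
    return [f for i, f in sorted(parse_nprobe_help(nprobe_text).items()) if i not in known]

def yml_stanza(field):
    """Draft netflow.yml entry for a missing field; the Len -> codec type map is an assumption."""
    kind = ":string" if field.varlen else {1: ":uint8", 2: ":uint16", 4: ":uint32", 8: ":uint64"}.get(field.length, ":skip")
    return f"{field.nfv9_id}:\n- {kind}\n- :{field.name.lower()}\n"
```

Run it against the real `nprobe -H` output and the codec's netflow.yml to get the stanzas to review before committing them; `:skip` marks lengths the assumed mapping does not cover.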
robcowart commented 4 years ago

Thanks for providing this information. These additional fields have been committed to master and will be in the next release.