
Capturing flow templates with tcpdump

Information

Summary:

Sometimes only the flow templates need to be captured. For example, an exporter may send many flow records per second, of which only a few are needed for analysis, while it re-sends its templates only once every 5 minutes. A 5-minute capture would therefore produce a huge pcap in which only the templates and a handful of flow records are useful. In such cases the templates can be captured on their own, and a short pcap with flow records taken afterwards; both are needed, because data records cannot be decoded without the template that describes their layout.

Environment:

Product: Flowmon Collector

Version: Any

Platform: Any

Question/Problem Description:

How to capture only flow templates with tcpdump?

Resolution:

tcpdump has no built-in primitive for flow templates, so the filter has to match the raw bytes of the export header and of the first set header instead. The offsets below count from the start of the UDP header (udp[8] is the first payload byte) and assume the exporter sends over UDP; they match only packets whose first set is a template set, and they do not match options templates (IPFIX Set ID 3, NetFlow v9 FlowSet ID 1).

IPFIX:

tcpdump -i eth0 -w /data/tmp/templates.pcap 'port <listening_port> and udp[8:2] = 0x000a and udp[24:2] = 0x0002'

udp[8:2] = 0x000a matches the 2-byte version field at the start of the UDP payload; version 10 is IPFIX.

udp[24:2] = 0x0002 matches the Set ID of the first set: the IPFIX message header is 16 bytes, so the first Set ID sits at payload offset 16 (udp offset 24), and Set ID 2 is a Template Set. Sets that follow the first one cannot be matched the same way, because every set has its own variable length and a fixed byte offset cannot follow it.

Netflow v9:

tcpdump -i eth0 -w /data/tmp/templates.pcap 'port <listening_port> and udp[8:2] = 0x0009 and udp[28:2] = 0x0000'

udp[8:2] = 0x0009 matches the version field; version 9 is NetFlow v9.

udp[28:2] = 0x0000 matches the FlowSet ID of the first FlowSet: the NetFlow v9 packet header is 20 bytes, so the first FlowSet ID sits at payload offset 20 (udp offset 28), and FlowSet ID 0 is a Template FlowSet. As with IPFIX, FlowSets after the first one cannot be matched with a fixed offset because of their variable length.
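The tcpdump filters above can only test the first set in each packet. When a template arrives as the second or later set, the packet is missed, so a captured pcap is usually post-filtered in software. The following script is an added example, not part of the Flowmon article: it reproduces the same first-set test the filters perform, and then walks every variable-length set or FlowSet header to find template sets anywhere in an IPFIX or NetFlow v9 message. Header and set layouts follow RFC 7011 and RFC 3954; the two sample messages are constructed by hand for the example and are not real exporter output. It operates on the UDP payload, which in practice comes from whatever pcap reader is used.

```python
"""Locate IPFIX / NetFlow v9 template sets anywhere in an exported UDP payload.

Added example; not the Flowmon article's own code. Offsets follow RFC 7011
(IPFIX) and RFC 3954 (NetFlow v9). Sample messages are constructed by hand.
"""
import struct

# Header lengths in bytes. In a capture the 8-byte UDP header precedes them,
# which is why the article's filters read udp[8:2], udp[24:2] and udp[28:2].
IPFIX_HEADER_LEN = 16   # version, length, export time, sequence, observation domain ID
NFV9_HEADER_LEN = 20    # version, count, sysUptime, unix secs, sequence, source ID

# Set / FlowSet IDs that carry templates rather than flow records.
IPFIX_TEMPLATE_SET_IDS = {2, 3}     # 2 = Template Set, 3 = Options Template Set
NFV9_TEMPLATE_FLOWSET_IDS = {0, 1}  # 0 = Template FlowSet, 1 = Options Template FlowSet


def tcpdump_template_filter(port: int, version: int) -> str:
    """Build the article's tcpdump expression (first set only) for an export port."""
    if version == 10:
        return f"port {port} and udp[8:2] = 0x000a and udp[24:2] = 0x0002"
    if version == 9:
        return f"port {port} and udp[8:2] = 0x0009 and udp[28:2] = 0x0000"
    raise ValueError("only IPFIX (10) and NetFlow v9 (9) are supported")


def first_set_is_template(payload: bytes) -> bool:
    """Exactly what the tcpdump filters test: version, then the ID of the first set."""
    version = struct.unpack_from("!H", payload, 0)[0]
    if version == 10 and len(payload) >= IPFIX_HEADER_LEN + 2:
        return struct.unpack_from("!H", payload, IPFIX_HEADER_LEN)[0] == 2
    if version == 9 and len(payload) >= NFV9_HEADER_LEN + 2:
        return struct.unpack_from("!H", payload, NFV9_HEADER_LEN)[0] == 0
    return False


def iter_sets(payload: bytes):
    """Yield (set_id, length, offset) for every set in the message, following the
    variable-length set headers that a fixed tcpdump byte offset cannot follow."""
    version = struct.unpack_from("!H", payload, 0)[0]
    if version == 10:
        offset = IPFIX_HEADER_LEN
        # IPFIX carries the total message length in its header; trust the smaller value.
        end = min(struct.unpack_from("!H", payload, 2)[0], len(payload))
    elif version == 9:
        offset = NFV9_HEADER_LEN
        end = len(payload)  # NetFlow v9 has a record count, not a byte length
    else:
        return
    while offset + 4 <= end:
        set_id, length = struct.unpack_from("!HH", payload, offset)
        if length < 4 or offset + length > end:
            break  # malformed set header: stop rather than loop forever or overrun
        yield set_id, length, offset
        offset += length


def template_set_offsets(payload: bytes) -> list:
    """Payload offsets of every template / options template set in the message."""
    version = struct.unpack_from("!H", payload, 0)[0]
    wanted = IPFIX_TEMPLATE_SET_IDS if version == 10 else NFV9_TEMPLATE_FLOWSET_IDS
    return [off for set_id, _, off in iter_sets(payload) if set_id in wanted]


# --- constructed sample messages (hand-built for this example, not exporter output) ---
# Template record: template ID 256 with two 4-byte fields, sourceIPv4Address (8)
# and destinationIPv4Address (12). The same record bytes serve both protocols.
TEMPLATE_RECORD = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
DATA_RECORD = bytes([10, 0, 0, 1, 10, 0, 0, 2])  # 10.0.0.1 -> 10.0.0.2

# IPFIX: data set first, template set second. The article's filter skips this
# packet because udp[24:2] is 0x0100 (set ID 256), not 0x0002.
ipfix_data_set = struct.pack("!HH", 256, 4 + len(DATA_RECORD)) + DATA_RECORD
ipfix_template_set = struct.pack("!HH", 2, 4 + len(TEMPLATE_RECORD)) + TEMPLATE_RECORD
ipfix_body = ipfix_data_set + ipfix_template_set
IPFIX_SAMPLE = struct.pack("!HHIII", 10, IPFIX_HEADER_LEN + len(ipfix_body),
                           1700000000, 1, 42) + ipfix_body

# NetFlow v9: template FlowSet first, then data; the article's filter matches it.
v9_template_fs = struct.pack("!HH", 0, 4 + len(TEMPLATE_RECORD)) + TEMPLATE_RECORD
v9_data_fs = struct.pack("!HH", 256, 4 + len(DATA_RECORD)) + DATA_RECORD
NFV9_SAMPLE = (struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 42)
               + v9_template_fs + v9_data_fs)


if __name__ == "__main__":
    for name, pkt in (("IPFIX", IPFIX_SAMPLE), ("NetFlow v9", NFV9_SAMPLE)):
        print(name, "first set is template:", first_set_is_template(pkt),
              "| template sets at payload offsets:", template_set_offsets(pkt))
```

Run against the IPFIX sample, first_set_is_template() returns False (the tcpdump filter would drop the packet) while template_set_offsets() still finds the Template Set at payload offset 28; the NetFlow v9 sample is matched by both. The length checks in iter_sets() matter when post-filtering real captures: a truncated or malformed set header with length 0 would otherwise loop forever.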

