166

I'm using jnca library to collect NetFlow records sent by a router. The version of the NetFlow record sent by the router is version 9.

When the NetFlow packet is observed from the Wireshark the flow sets with the template id 263 contains the data about initiator octets and responder octets which can be used to determine the number of bytes associated with a flow. wireshark record

But the problem is these values cannot be obtained by the jcna. It shows always zero for the octets.

currOffset = t.getTypeOffset(FieldDefinition.InBYTES_32);
currLen = t.getTypeLen(FieldDefinition.InBYTES_32);
if (currOffset >= 0 && currLen > 0) {
    dOctets = Util.to_number(buf, off + currOffset, currLen) * t.getSamplingRate();
}

This is the code segment which is used to get the dOctets. This returns zero even for the template ID 263.

But when it's calculated with respect to the NetFlow template id 263 it gives the correct data. (gives the initiator octets and to get responder octet 46 should be replaced with 50 as the length of the particular record is 4 bytes)

dOctets = Util.to_number(buf, off + 46, 4)

46 is where the Initiator Octets record lies in that particular NetFlow packet.(got using the Wireshark record.)

Is it a problem with jnca? Hopefully, somebody who's familiar with jcna can give me some help on this.

Community
  • 1
  • 1
Asiri Liyana Arachchi
  • 2,663
  • 5
  • 24
  • 43
  • 6
    This link might help: http://cdwijayarathna.blogspot.in/2014/03/retrieving-network-usage-information.html – Mandar Pandit Jun 26 '14 at 09:55
  • 1
    Did you check what values are returned from method `getTypeOffset` and `getTypeLen` ? – Lukino Apr 27 '15 at 16:30
  • The offsets returned by from JNCA's `Template.getTypeOffset()` appear to be relative to the flowset. Does this work with what you are doing? (You didn't show enough code to tell; what is `buf`?) – rakslice Jul 24 '17 at 10:13
  • 1
    The actual NetFlow V9 spec might help too: http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html :D – rakslice Jul 24 '17 at 10:14
  • Also, stringly-typed `java.util.Properties` in code parsing a low level format? Nuke from orbit. Did Java not have generics at the time this library was written? – rakslice Jul 24 '17 at 10:19
  • Is this still reproducible after 3 1/2 years? Some one should add a link to a stream dump that triggers the bug. JNCA isn't maintained since 2013/4/15. – yacc Aug 19 '17 at 16:40

1 Answers1

1

Retrieving Network Usage Information from NetFlow Version 9 Records

Netflow is a feature that was introduced on Cisco routers that give the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data that is provided by Netflow a network administrator can determine things such as the source and destination of the traffic, class of service, and the cause of congestion. Netflow consists of three components: flow caching, Flow Collector, and Data Analyzer. In Netflow, router forwards details of network usage as UDP packets to a specified port of a destination.

Java NetFlow Collect-Analyzer

More Info

Kondal
  • 2,870
  • 5
  • 26
  • 40