Read contents of a netflow package

I’m developing a tool that captures every UDP packet that goes through my firewall (an OpenBSD 5.4, simulated in a virtual machine), but I’m having trouble extracting the information I need from these packets.

My code is basically:

import java.io.IOException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.InetAddress;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;

try (DatagramSocket serverSocket = new DatagramSocket(9876);
     Connection conn = DriverManager.getConnection(url, user, password)) {
    byte[] receiveData = new byte[1024];
    DatagramPacket receivePacket = new DatagramPacket(receiveData, receiveData.length);
    serverSocket.receive(receivePacket);
    // Only the first getLength() bytes belong to this datagram; the rest of the buffer is unused
    byte[] payload = Arrays.copyOf(receivePacket.getData(), receivePacket.getLength());
    InetAddress IPAddress = receivePacket.getAddress();
    String sql = "INSERT INTO tabela_netflow (fluxo) values (?)";
    try (PreparedStatement statement = conn.prepareStatement(sql)) {
        statement.setBytes(1, payload);
        int row = statement.executeUpdate();
        if (row > 0) {
            // Printing the array itself only shows its reference, so print the length instead
            System.out.println("Pacote salvo: " + payload.length + " bytes");
        }
    }
} catch (SQLException | IOException ex) {
    ex.printStackTrace();
}

The code works (the packets are being properly saved in the database); the problem is that I cannot see the contents of the packets (I believe because they are binary). Here’s what I see when I click "open value in editor" in MySQL: [image: database contents]

The NetFlow header has a known format, that is, it is possible to know the fields and how many bytes each one occupies; the header format is this: [image: NetFlow header]

My database table is very simple; it only has code and flow, where flow is a varbinary(10000), that is, at first I am saving the entire flow, but I want to extract and save each header field in its own variable in the database, to be able to manipulate it later. Does anyone have any idea how I could get the information that’s in this packet? I believe all the information is in receivePacket.getData(), but I can’t find a way to separate the right bytes to get each piece of information contained in the header.

Note that this is a packet in NetFlow format; if you have a client that sends an ordinary packet (code very similar to this, which usually sends a string to the collector), receivePacket.getData() will contain the value of the sent string, so that is not the case that applies to my problem.

Can someone help me?

1 answer

From what I understand of your question, you want to separate each piece of information according to the format of the NetFlow packet. Then just manipulate a byte array:

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

private void manipularStream(byte[] dadosCabecalho) throws IOException {
    // The header fields are big-endian integers, not text, so read them as
    // numbers with DataInputStream instead of decoding the bytes as UTF-8
    DataInputStream in = new DataInputStream(new ByteArrayInputStream(dadosCabecalho));
    int versao = in.readUnsignedShort(); // reads bytes 0 and 1
    int count = in.readUnsignedShort();  // reads bytes 2 and 3
    // do the same for the other fields, in header order
}
  • brevleq, it didn’t go so well.. The separation does work, but out.toString("UTF-8") returns blank values in the variables.. Debugging, I could see that the content of version would have the value 5 and for count I got numbers between 1-30, so that did work, but sysuptime no longer worked, and neither did srcaddr.. any suggestions?

  • @Goose you would have to deal with those blanks. As for the fields that didn’t work, are you getting the right range of bytes?
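An added example, not code from the question or the answer, showing how to read the header fields and each flow record's addresses and ports from the datagram with ByteBuffer, which keeps the fields as integers instead of text. It assumes the exporter sends NetFlow v5 (24-byte header, 48-byte records, count at most 30) and that you pass receivePacket.getLength() rather than the whole 1024-byte buffer; the sample datagram in main is constructed.

```java
import java.net.InetAddress;
import java.nio.ByteBuffer;

// Constructed example, not code from the question or the answer. Assumes NetFlow v5:
// a 24-byte big-endian header followed by `count` 48-byte flow records.
public class NetflowV5Parser {
    static final int HEADER_LEN = 24, RECORD_LEN = 48, MAX_RECORDS = 30;

    // `length` is receivePacket.getLength(): the rest of the 1024-byte buffer is stale.
    static void parse(byte[] data, int length) throws java.net.UnknownHostException {
        if (length < HEADER_LEN) throw new IllegalArgumentException("too short: " + length);
        ByteBuffer buf = ByteBuffer.wrap(data, 0, length);   // ByteBuffer defaults to big-endian
        int version   = buf.getShort() & 0xFFFF;             // bytes 0-1: unsigned, not UTF-8 text
        int count     = buf.getShort() & 0xFFFF;             // bytes 2-3
        long sysUptime = buf.getInt() & 0xFFFFFFFFL;         // bytes 4-7, ms since boot
        long unixSecs  = buf.getInt() & 0xFFFFFFFFL;         // bytes 8-11
        long unixNsecs = buf.getInt() & 0xFFFFFFFFL;         // bytes 12-15
        long flowSeq   = buf.getInt() & 0xFFFFFFFFL;         // bytes 16-19
        int engineType = buf.get() & 0xFF, engineId = buf.get() & 0xFF; // bytes 20, 21
        int sampling  = buf.getShort() & 0xFFFF;             // bytes 22-23
        if (version != 5) throw new IllegalArgumentException("not NetFlow v5: " + version);
        // Never trust `count` from the wire: check it against the bytes actually received.
        if (count > MAX_RECORDS || length < HEADER_LEN + count * RECORD_LEN)
            throw new IllegalArgumentException("count " + count + " does not fit " + length + " bytes");
        System.out.printf("v%d count=%d uptime=%dms secs=%d.%09d seq=%d engine=%d/%d sampling=%d%n",
                version, count, sysUptime, unixSecs, unixNsecs, flowSeq, engineType, engineId, sampling);
        for (int i = 0; i < count; i++) {                    // srcaddr lives in the record, not the header
            int base = HEADER_LEN + i * RECORD_LEN;
            byte[] src = new byte[4], dst = new byte[4];
            buf.position(base); buf.get(src); buf.get(dst);  // record bytes 0-3 and 4-7
            int srcPort = buf.getShort(base + 32) & 0xFFFF, dstPort = buf.getShort(base + 34) & 0xFFFF;
            int proto = buf.get(base + 38) & 0xFF;
            System.out.printf("  %s:%d -> %s:%d proto=%d%n", InetAddress.getByAddress(src).getHostAddress(),
                    srcPort, InetAddress.getByAddress(dst).getHostAddress(), dstPort, proto);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample datagram: v5 header plus one record 10.0.0.1:1234 -> 10.0.0.2:80, TCP.
        ByteBuffer b = ByteBuffer.allocate(HEADER_LEN + RECORD_LEN);
        b.putShort((short) 5).putShort((short) 1).putInt(1000).putInt(1400000000).putInt(0).putInt(42)
         .put((byte) 0).put((byte) 0).putShort((short) 0);
        b.put(new byte[] {10, 0, 0, 1}).put(new byte[] {10, 0, 0, 2}).put(new byte[4]).putShort((short) 1)
         .putShort((short) 2).putInt(3).putInt(200).putInt(900).putInt(990).putShort((short) 1234)
         .putShort((short) 80).put((byte) 0).put((byte) 0x18).put((byte) 6).put((byte) 0).putShort((short) 0)
         .putShort((short) 0).put((byte) 24).put((byte) 24).putShort((short) 0);
        parse(b.array(), b.position());
    }
}
```

In the collector, call parse(receivePacket.getData(), receivePacket.getLength()) before the INSERT so that a malformed or truncated datagram is rejected instead of being stored and parsed later.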
