Decoder: (Optional) Configure a Decoder to Capture NetFlow Data

Document created by RSA Information Design and Development Employee on Sep 8, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.

Note: The information in this topic applies to RSA NetWitness Platform Version 11.4 and later.

The Decoder can natively capture flow data from NetFlow generators. NetFlow support is implemented as a capture device named flow_events. Currently, only NetFlow V5 is supported.

By default, the Decoder listens for flow data on UDP port 9995. This is configurable by modifying the /decoder/config/capture.device.params setting in the Decoder's Explorer view and specifying the port using the port parameter (for example, port=2225). Changing the port does not take effect until capture is restarted.

The Decoder maps NetFlow field values to meta keys as shown in the following table:

NetFlow V5 Header

NetFlow Field | Meta Key                  | Description
--------------|---------------------------|------------------------------------------------------------------------------------------------------------
version       | version                   | NetFlow version number.
srcaddr       | ip.src                    | Source IP address.
dstaddr       | ip.dst                    | Destination IP address.
dPkts         | packets                   | Packets in the flow.
dOctets       | payload                   | Total number of Layer 3 bytes in the packets of the flow.
First         | lifetime                  | SysUptime at the start of the flow. lifetime is set equal to (Last - First) x 1000.
Last          | lifetime                  | SysUptime at the time the last packet of the flow was received. lifetime is set equal to (Last - First) x 1000.
srcport       | udp.srcport / tcp.srcport | TCP/UDP source port number or equivalent. The exact meta key depends on whether the flow is a UDP or TCP flow.
dstport       | udp.dstport / tcp.dstport | TCP/UDP destination port number or equivalent. The exact meta key depends on whether the flow is a UDP or TCP flow.
tcp_flags     | tcp.flags                 | Cumulative OR of TCP flags.
prot          | ip.proto                  | IP protocol type (for example, TCP = 6; UDP = 17).
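To make the mapping in the table concrete, the following added Python example (not part of the RSA documentation and not the Decoder's own flow_events implementation) unpacks a NetFlow V5 export packet and produces the meta keys listed above for each flow record. It builds a constructed two-flow packet inline so it runs offline, computes lifetime as (Last - First) x 1000, chooses tcp.* or udp.* port keys from the prot field, and rejects packets whose version is not 5 or whose record count does not match the bytes received. The handling of non-TCP/UDP flows (no port keys), the emission of tcp.flags only for TCP flows, and the 32-bit wrap guard on SysUptime are assumptions of this example, not behaviour the page states.

```python
import ipaddress
import struct

# NetFlow V5 wire layout (big-endian). Field order follows the V5 header and
# flow-record definitions; the meta-key names follow the table above.
HEADER_FMT = "!HHIIIIBBH"   # version, count, SysUptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, First, Last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48 bytes

PROTO_TCP = 6
PROTO_UDP = 17


def build_v5_packet(records, sys_uptime=120000, unix_secs=1599523200):
    """Build a constructed NetFlow V5 export packet from simple record dicts (test input only)."""
    header = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b""
    for r in records:
        body += struct.pack(
            RECORD_FMT,
            ipaddress.IPv4Address(r["src"]).packed, ipaddress.IPv4Address(r["dst"]).packed,
            b"\x00\x00\x00\x00", 0, 0,                       # nexthop, input, output
            r["pkts"], r["octets"], r["first"], r["last"],
            r["srcport"], r["dstport"], 0, r.get("flags", 0), r["proto"], 0,
            0, 0, 0, 0, 0,                                   # src_as, dst_as, src_mask, dst_mask, pad2
        )
    return header + body


def record_to_meta(version, rec):
    """Map one unpacked V5 flow record to meta keys as in the table above."""
    (srcaddr, dstaddr, _nexthop, _input, _output, dpkts, doctets, first, last,
     srcport, dstport, _pad1, tcp_flags, prot, _tos, _src_as, _dst_as,
     _src_mask, _dst_mask, _pad2) = rec
    meta = {
        "version": version,
        "ip.src": str(ipaddress.IPv4Address(srcaddr)),
        "ip.dst": str(ipaddress.IPv4Address(dstaddr)),
        "packets": dpkts,
        "payload": doctets,
        # First/Last are SysUptime values; lifetime = (Last - First) x 1000 per the table.
        # The & 0xFFFFFFFF guards against a 32-bit SysUptime wrap between First and Last (assumption).
        "lifetime": ((last - first) & 0xFFFFFFFF) * 1000,
        "ip.proto": prot,
    }
    # Port meta keys depend on the transport protocol. Flows that are neither TCP
    # nor UDP (e.g. ICMP) get no port keys here, and tcp.flags is emitted only for
    # TCP flows; both are assumptions of this example, not stated by the table.
    if prot == PROTO_TCP:
        meta["tcp.srcport"] = srcport
        meta["tcp.dstport"] = dstport
        meta["tcp.flags"] = tcp_flags
    elif prot == PROTO_UDP:
        meta["udp.srcport"] = srcport
        meta["udp.dstport"] = dstport
    return meta


def parse_netflow_v5(packet):
    """Parse a V5 export packet into a list of meta dicts; reject anything that is not well-formed V5."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the NetFlow V5 header")
    version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid, _sampling = struct.unpack_from(HEADER_FMT, packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}; only V5 is handled")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header advertises {count} records but the packet is truncated")
    return [
        record_to_meta(version, struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN))
        for i in range(count)
    ]


# Constructed sample export: one TCP flow and one UDP flow (not real traffic).
SAMPLE_PACKET = build_v5_packet([
    {"src": "10.0.0.5", "dst": "192.0.2.10", "pkts": 12, "octets": 3400,
     "first": 100000, "last": 100250, "srcport": 44321, "dstport": 443, "flags": 0x1b, "proto": PROTO_TCP},
    {"src": "10.0.0.7", "dst": "192.0.2.53", "pkts": 1, "octets": 78,
     "first": 110000, "last": 110000, "srcport": 53412, "dstport": 53, "proto": PROTO_UDP},
])

if __name__ == "__main__":
    for meta in parse_netflow_v5(SAMPLE_PACKET):
        print(meta)
```

The count check matters in practice: a generator that pads or truncates exports, or a stray datagram on the listening port, should produce a parse error rather than meta built from bytes that are not a complete record.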
