(Optional) Configure a Decoder to Capture NetFlow Data

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.4 and later.

The Decoder can natively capture flow data from NetFlow generators. NetFlow support is implemented as a capture device named flow_events. Currently, only NetFlow V5 is supported.

By default, the Decoder listens for flow data on UDP port 9995. This is configurable by modifying the /decoder/config/capture.device.params settings in the Decoder's Explorer view and specifying the port with the port parameter (for example, port=2225). Changing the port does not take effect until capture is restarted.

The Decoder maps NetFlow field values to meta keys as shown in the following table:

NetFlow V5 Header and Flow Record Fields

NetFlow Field   Meta Key                     Description
version         version                      NetFlow version number (from the export header).
srcaddr         ip.src                       Source IP address.
dstaddr         ip.dst                       Destination IP address.
dPkts           packets                      Packets in the flow.
dOctets         payload                      Total number of Layer 3 bytes in the packets of the flow.
First           lifetime                     SysUptime at the start of the flow. lifetime is set equal to (Last - First) x 1000.
Last            lifetime                     SysUptime at the time the last packet of the flow was received. lifetime is set equal to (Last - First) x 1000.
srcport         tcp.srcport or udp.srcport   TCP/UDP source port number or equivalent. The meta key used depends on whether the flow is TCP or UDP.
dstport         tcp.dstport or udp.dstport   TCP/UDP destination port number or equivalent. The meta key used depends on whether the flow is TCP or UDP.
tcp_flags       tcp.flags                    Cumulative OR of the TCP flags seen in the flow.
prot            ip.proto                     IP protocol number (for example, TCP = 6, UDP = 17).
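The following is an added example, not NetWitness code, that shows the two things a practitioner usually wants when wiring a NetFlow source to the Decoder: a way to emit a known NetFlow V5 datagram at the configured flow_events port (default UDP 9995, or whatever port= was set in capture.device.params), and the field-to-meta-key mapping from the table above applied to each 48-byte flow record. The packet layout is the standard NetFlow V5 export format; the lifetime computation follows the table literally as (Last - First) x 1000. The sample flows, the Decoder host name and the choice to emit no port meta key for non-TCP/UDP protocols are assumptions of this example, not behaviour documented on this page.

```python
"""Build, parse and meta-map NetFlow v5 datagrams (added example, not NetWitness code)."""
import socket
import struct

NETFLOW_V5 = 5
# v5 export header (24 bytes): version, count, SysUptime(ms), unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# v5 flow record (48 bytes), field order per the standard v5 export format
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
PROTO_TCP, PROTO_UDP = 6, 17
DEFAULT_DECODER_PORT = 9995  # Decoder default; override if capture.device.params sets port=


def build_record(src, dst, proto, sport, dport, pkts, octets, first_ms, last_ms, tcp_flags=0):
    """Pack one v5 flow record; fields the table does not map (nexthop, ifindex, AS, masks, ToS) are zero."""
    return struct.pack(
        RECORD_FMT,
        socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,  # srcaddr, dstaddr, nexthop
        0, 0,                                                       # input, output ifindex
        pkts, octets, first_ms, last_ms,                            # dPkts, dOctets, First, Last
        sport, dport,                                               # srcport, dstport
        0, tcp_flags, proto, 0,                                     # pad1, tcp_flags, prot, tos
        0, 0, 0, 0, 0,                                              # src_as, dst_as, src_mask, dst_mask, pad2
    )


def build_datagram(records, sys_uptime_ms=0, unix_secs=0, flow_sequence=0, version=NETFLOW_V5):
    """Prepend a v5 header. `version` is a parameter only so a non-v5 packet can be forged for testing."""
    header = struct.pack(HEADER_FMT, version, len(records), sys_uptime_ms, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    return header + b"".join(records)


def map_record(raw):
    """Apply the NetFlow-field -> meta-key mapping from the table to one 48-byte record."""
    (srcaddr, dstaddr, _nexthop, _inp, _out, d_pkts, d_octets, first, last, srcport, dstport,
     _pad1, tcp_flags, prot, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = struct.unpack(RECORD_FMT, raw)
    meta = {
        "ip.src": socket.inet_ntoa(srcaddr),
        "ip.dst": socket.inet_ntoa(dstaddr),
        "packets": d_pkts,
        "payload": d_octets,
        "lifetime": (last - first) * 1000,  # exactly as the table states: (Last - First) x 1000
        "ip.proto": prot,
    }
    if prot == PROTO_TCP:
        meta.update({"tcp.srcport": srcport, "tcp.dstport": dstport, "tcp.flags": tcp_flags})
    elif prot == PROTO_UDP:
        meta.update({"udp.srcport": srcport, "udp.dstport": dstport})
    # Assumption: the table names no port meta key for other protocols (e.g. ICMP), so none is emitted.
    return meta


def parse_datagram(data):
    """Validate the header and return (header_meta, [record_meta, ...]); rejects anything but v5."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated NetFlow header")
    version, count, sys_uptime, _secs, _nsecs, flow_seq, _et, _eid, _si = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != NETFLOW_V5:
        raise ValueError(f"unsupported NetFlow version {version}; only v5 is supported")
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header advertises {count} records but datagram is only {len(data)} bytes")
    header_meta = {"version": version, "count": count, "sys_uptime_ms": sys_uptime, "flow_sequence": flow_seq}
    records = [map_record(data[HEADER_LEN + i * RECORD_LEN:HEADER_LEN + (i + 1) * RECORD_LEN])
               for i in range(count)]
    return header_meta, records


def send_to_decoder(datagram, host, port=DEFAULT_DECODER_PORT):
    """Send the datagram over UDP to the Decoder's flow_events port (host is hypothetical; not run by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


def sample_datagram():
    """Constructed sample export: one TCP flow (SYN|ACK flags) and one UDP flow, First/Last in ms of SysUptime."""
    tcp = build_record("10.0.0.5", "192.0.2.80", PROTO_TCP, 51000, 443, pkts=12, octets=3400,
                       first_ms=1000, last_ms=1250, tcp_flags=0x12)
    udp = build_record("10.0.0.9", "192.0.2.53", PROTO_UDP, 40000, 53, pkts=2, octets=180,
                       first_ms=2000, last_ms=2003)
    return build_datagram([tcp, udp], sys_uptime_ms=5000, unix_secs=1_700_000_000, flow_sequence=7)


if __name__ == "__main__":
    header, flows = parse_datagram(sample_datagram())
    print(header)
    for flow in flows:
        print(flow)
    # To exercise a Decoder: send_to_decoder(sample_datagram(), "decoder.example.internal", port=9995)
```

Run the script as-is to see the meta each record produces; to check a port change, call send_to_decoder with the value you set in capture.device.params after restarting capture and confirm the ip.src/ip.dst values appear on the Decoder. The version check mirrors the page's "only NetFlow V5 is supported" statement: a v9 or IPFIX export is rejected up front rather than misparsed as v5 records.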