scapy.layers.netflow¶

Cisco NetFlow protocol v1, v5, v9 and v10 (IPFix)

HowTo dissect NetflowV9/10 (IPFix) packets:

# From a pcap / list of packets

Using sniff and sessions: >>> sniff(offline=open(“my_great_pcap.pcap”, “rb”), session=NetflowSession)

Using the netflowv9_defragment/ipfix_defragment commands: - get a list of packets containing NetflowV9/10 packets - call netflowv9_defragment(plist) to defragment the list

(ipfix_defragment is an alias for netflowv9_defragment)

# Live / on-the-flow / other: use NetflowSession >>> sniff(session=NetflowSession, prn=[…])

scapy.layers.netflow.GetNetflowRecordV9(flowset, templateID=None)¶

Get a NetflowRecordV9/10 for a specific NetflowFlowsetV9/10.

Have a look at the online doc for examples.

class scapy.layers.netflow.N9SecondsIntField(name, default, *args, **kargs)¶

Bases: scapy.fields.SecondsIntField, scapy.layers.netflow._AdjustableNetflowField

Defines dateTimeSeconds (without EPOCH: just seconds)

class scapy.layers.netflow.N9UTCTimeField(name, default, *args, **kargs)¶

Bases: scapy.fields.UTCTimeField, scapy.layers.netflow._AdjustableNetflowField

Defines dateTimeSeconds (EPOCH)

class scapy.layers.netflow.NetflowDataflowsetV9¶

Bases: scapy.packet.Packet

aliastypes¶

classmethod dispatch_hook(_pkt=None, *args, **kargs)¶

fields_desc¶

NetflowDataflowsetV9 fields¶
templateID	`ShortField`	`255`
length	`FieldLenField`	`None`
records	`PadField`	`[]`

payload_guess¶: Possible sublayers: NetflowDataflowsetV9

class scapy.layers.netflow.NetflowFlowsetV9¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowFlowsetV9 fields¶
flowSetID	`ShortField`	`0`
length	`FieldLenField`	`None`
templates	`PacketListField`	`[]`

payload_guess¶: Possible sublayers: NetflowDataflowsetV9

class scapy.layers.netflow.NetflowHeader¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowHeader fields¶
version	`ShortField`	`1`

payload_guess¶: Possible sublayers: NetflowHeaderV10, NetflowHeaderV1, NetflowHeaderV5, NetflowHeaderV9

class scapy.layers.netflow.NetflowHeaderV1¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowHeaderV1 fields¶
count	`ShortField`	`0`
sysUptime	`IntField`	`0`
unixSecs	`UTCTimeField`	`0`
unixNanoSeconds	`UTCTimeField`	`0`

payload_guess¶: Possible sublayers: NetflowRecordV1

class scapy.layers.netflow.NetflowHeaderV10¶

Bases: scapy.packet.Packet

IPFix (Netflow V10) Header

aliastypes¶

fields_desc¶

NetflowHeaderV10 fields¶
length	`ShortField`	`None`
ExportTime	`UTCTimeField`	`0`
flowSequence	`IntField`	`0`
ObservationDomainID	`IntField`	`0`

payload_guess¶: Possible sublayers: NetflowDataflowsetV9

class scapy.layers.netflow.NetflowHeaderV5¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowHeaderV5 fields¶
count	`ShortField`	`0`
sysUptime	`IntField`	`0`
unixSecs	`UTCTimeField`	`0`
unixNanoSeconds	`UTCTimeField`	`0`
flowSequence	`IntField`	`0`
engineType	`ByteField`	`0`
engineID	`ByteField`	`0`
samplingInterval	`ShortField`	`0`

payload_guess¶: Possible sublayers: NetflowRecordV5

class scapy.layers.netflow.NetflowHeaderV9¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowHeaderV9 fields¶
count	`ShortField`	`None`
sysUptime	`IntField`	`0`
unixSecs	`UTCTimeField`	`None`
packageSequence	`IntField`	`0`
SourceID	`IntField`	`0`

payload_guess¶: Possible sublayers: NetflowDataflowsetV9

post_build(pkt, pay)¶

class scapy.layers.netflow.NetflowOptionsFlowset10¶

Bases: scapy.layers.netflow.NetflowOptionsFlowsetV9

Netflow V10 (IPFix) Options Template FlowSet

aliastypes¶

extract_padding(s)¶

fields_desc¶

NetflowOptionsFlowset10 fields¶
flowSetID	`ShortField`	`3`
length	`ShortField`	`None`
templateID	`ShortField`	`255`
field_count	`FieldLenField`	`None`
scope_field_count	`FieldLenField`	`None`
scopes	`PacketListField`	`[]`
options	`PacketListField`	`[]`

class scapy.layers.netflow.NetflowOptionsFlowsetOptionV9¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

fields_desc¶

NetflowOptionsFlowsetOptionV9 fields¶
enterpriseBit	`BitField` (1 bit)	`0`
optionFieldType	`BitEnumField` (15 bits)	`None`
optionFieldlength	`ShortField`	`0`
enterpriseNumber	`ShortField` (Cond)	`0`

class scapy.layers.netflow.NetflowOptionsFlowsetScopeV9¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

fields_desc¶

NetflowOptionsFlowsetScopeV9 fields¶
scopeFieldType	`ShortEnumField`	`None`
scopeFieldlength	`ShortField`	`0`

class scapy.layers.netflow.NetflowOptionsFlowsetV9¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

extract_padding(s)¶

fields_desc¶

NetflowOptionsFlowsetV9 fields¶
flowSetID	`ShortField`	`1`
length	`ShortField`	`None`
templateID	`ShortField`	`255`
option_scope_length	`FieldLenField`	`None`
option_field_length	`FieldLenField`	`None`
scopes	`PacketListField`	`[]`
options	`PacketListField`	`[]`

payload_guess¶: Possible sublayers: NetflowDataflowsetV9

post_build(pkt, pay)¶

class scapy.layers.netflow.NetflowOptionsRecordOptionV9¶

Bases: scapy.layers.netflow.NetflowRecordV9

aliastypes¶

fields_desc¶

NetflowOptionsRecordOptionV9 fields¶
fieldValue	`StrField`	`b''`

class scapy.layers.netflow.NetflowOptionsRecordScopeV9¶

Bases: scapy.layers.netflow.NetflowRecordV9

aliastypes¶

fields_desc¶

NetflowOptionsRecordScopeV9 fields¶
fieldValue	`StrField`	`b''`

class scapy.layers.netflow.NetflowRecordV1¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowRecordV1 fields¶
ipsrc	`IPField`	`'0.0.0.0'`
ipdst	`IPField`	`'0.0.0.0'`
nexthop	`IPField`	`'0.0.0.0'`
inputIfIndex	`ShortField`	`0`
outpuIfIndex	`ShortField`	`0`
dpkts	`IntField`	`0`
dbytes	`IntField`	`0`
starttime	`IntField`	`0`
endtime	`IntField`	`0`
srcport	`ShortField`	`0`
dstport	`ShortField`	`0`
padding	`ShortField`	`0`
proto	`ByteField`	`0`
tos	`ByteField`	`0`
padding1	`IntField`	`0`
padding2	`IntField`	`0`

payload_guess¶: Possible sublayers: NetflowRecordV1

class scapy.layers.netflow.NetflowRecordV5¶

Bases: scapy.packet.Packet

aliastypes¶

fields_desc¶

NetflowRecordV5 fields¶
src	`IPField`	`'127.0.0.1'`
dst	`IPField`	`'127.0.0.1'`
nexthop	`IPField`	`'0.0.0.0'`
input	`ShortField`	`0`
output	`ShortField`	`0`
dpkts	`IntField`	`1`
dOctets	`IntField`	`60`
first	`IntField`	`0`
last	`IntField`	`0`
srcport	`ShortField`	`0`
dstport	`ShortField`	`0`
pad1	`ByteField`	`0`
tcpFlags	`FlagsField` (8 bits)	`<Flag 2 (S)>`
prot	`ByteEnumField`	`6`
tos	`ByteField`	`0`
src_as	`ShortField`	`0`
dst_as	`ShortField`	`0`
src_mask	`ByteField`	`0`
dst_mask	`ByteField`	`0`
pad2	`ShortField`	`0`

payload_guess¶: Possible sublayers: NetflowRecordV5

class scapy.layers.netflow.NetflowRecordV9¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

fields_desc¶

NetflowRecordV9 fields¶
fieldValue	`StrField`	`b''`

class scapy.layers.netflow.NetflowSession(*args)¶

Bases: scapy.sessions.IPSession

Session used to defragment NetflowV9/10 packets on the flow. See help(scapy.layers.netflow) for more infos.

on_packet_received(pkt)¶

class scapy.layers.netflow.NetflowTemplateFieldV9(*args, **kwargs)¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

fields_desc¶

NetflowTemplateFieldV9 fields¶
enterpriseBit	`BitField` (1 bit)	`0`
fieldType	`BitEnumField` (15 bits)	`None`
fieldLength	`ShortField`	`0`
enterpriseNumber	`IntField` (Cond)	`0`

class scapy.layers.netflow.NetflowTemplateV9¶

Bases: scapy.packet.Packet

aliastypes¶

default_payload_class(p)¶

fields_desc¶

NetflowTemplateV9 fields¶
templateID	`ShortField`	`255`
fieldCount	`FieldLenField`	`None`
template_fields	`PacketListField`	`[]`

class scapy.layers.netflow.ShortOrInt(name, default)¶

Bases: scapy.fields.IntField

getfield(pkt, x)¶

scapy.layers.netflow.ipfix_defragment(*args, **kwargs)¶: Alias for netflowv9_defragment

scapy.layers.netflow.netflowv9_defragment(plist, verb=1)¶

Process all NetflowV9/10 Packets to match IDs of the DataFlowsets with the Headers

params:

plist: the list of mixed NetflowV9/10 packets.
verb: verbose print (0/1)