scapy.layers.netflow module¶
Cisco NetFlow protocol v1, v5, v9 and v10 (IPFix)
HowTo dissect NetflowV9/10 (IPFix) packets:
# From a pcap / list of packets
Using sniff and sessions: >>> sniff(offline=open(“my_great_pcap.pcap”, “rb”), session=NetflowSession)
Using the netflowv9_defragment/ipfix_defragment commands: - get a list of packets containing NetflowV9/10 packets - call netflowv9_defragment(plist) to defragment the list
(ipfix_defragment is an alias for netflowv9_defragment)
# Live / on-the-flow / other: use NetflowSession >>> sniff(session=NetflowSession, prn=[…])
-
class
scapy.layers.netflow.N9SecondsIntField(name, default, *args, **kargs)¶ Bases:
scapy.fields.SecondsIntField,scapy.layers.netflow._AdjustableNetflowFieldDefines dateTimeSeconds (without EPOCH: just seconds)
-
class
scapy.layers.netflow.N9UTCTimeField(name, default, *args, **kargs)¶ Bases:
scapy.fields.UTCTimeField,scapy.layers.netflow._AdjustableNetflowFieldDefines dateTimeSeconds (EPOCH)
-
class
scapy.layers.netflow.NetflowDataflowsetV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowDataflowsetV9'>, <class 'scapy.packet.Packet'>]¶
-
classmethod
dispatch_hook(_pkt=None, *args, **kargs)¶
-
fields_desc= [<Field (NetflowDataflowsetV9).templateID>, <Field (NetflowDataflowsetV9).length>, <scapy.fields.PadField object>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowDataflowsetV9'>)]¶
-
-
class
scapy.layers.netflow.NetflowFlowsetV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowFlowsetV9'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowFlowsetV9).flowSetID>, <Field (NetflowFlowsetV9).length>, <Field (NetflowFlowsetV9).templates>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowDataflowsetV9'>)]¶
-
-
class
scapy.layers.netflow.NetflowHeader¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowHeader'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowHeader).version>]¶
-
payload_guess= [({'version': 1}, <class 'scapy.layers.netflow.NetflowHeaderV1'>), ({'version': 5}, <class 'scapy.layers.netflow.NetflowHeaderV5'>), ({'version': 9}, <class 'scapy.layers.netflow.NetflowHeaderV9'>), ({'version': 10}, <class 'scapy.layers.netflow.NetflowHeaderV10'>)]¶
-
-
class
scapy.layers.netflow.NetflowHeaderV1¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowHeaderV1'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowHeaderV1).count>, <Field (NetflowHeaderV1).sysUptime>, <Field (NetflowHeaderV1).unixSecs>, <Field (NetflowHeaderV1).unixNanoSeconds>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowRecordV1'>)]¶
-
-
class
scapy.layers.netflow.NetflowHeaderV10¶ Bases:
scapy.packet.PacketIPFix (Netflow V10) Header
-
aliastypes= [<class 'scapy.layers.netflow.NetflowHeaderV10'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowHeaderV10).length>, <Field (NetflowHeaderV10).ExportTime>, <Field (NetflowHeaderV10).flowSequence>, <Field (NetflowHeaderV10).ObservationDomainID>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowDataflowsetV9'>)]¶
-
-
class
scapy.layers.netflow.NetflowHeaderV5¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowHeaderV5'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowHeaderV5).count>, <Field (NetflowHeaderV5).sysUptime>, <Field (NetflowHeaderV5).unixSecs>, <Field (NetflowHeaderV5).unixNanoSeconds>, <Field (NetflowHeaderV5).flowSequence>, <Field (NetflowHeaderV5).engineType>, <Field (NetflowHeaderV5).engineID>, <Field (NetflowHeaderV5).samplingInterval>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowRecordV5'>)]¶
-
-
class
scapy.layers.netflow.NetflowHeaderV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowHeaderV9'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowHeaderV9).count>, <Field (NetflowHeaderV9).sysUptime>, <Field (NetflowHeaderV9).unixSecs>, <Field (NetflowHeaderV9).packageSequence>, <Field (NetflowHeaderV9).SourceID>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowDataflowsetV9'>)]¶
-
post_build(pkt, pay)¶ DEV: called right after the current layer is build.
Parameters: - pkt (str) – the current packet (build by self_buil function)
- pay (str) – the packet payload (build by do_build_payload function)
Returns: a string of the packet with the payload
-
-
class
scapy.layers.netflow.NetflowOptionsFlowset10¶ Bases:
scapy.layers.netflow.NetflowOptionsFlowsetV9Netflow V10 (IPFix) Options Template FlowSet
-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsFlowset10'>, <class 'scapy.layers.netflow.NetflowOptionsFlowsetV9'>, <class 'scapy.packet.Packet'>]¶
-
extract_padding(s)¶ DEV: to be overloaded to extract current layer’s padding.
Parameters: s (str) – the current layer Returns: a couple of strings (actual layer, padding)
-
fields_desc= [<Field (NetflowOptionsFlowset10).flowSetID>, <Field (NetflowOptionsFlowset10).length>, <Field (NetflowOptionsFlowset10).templateID>, <Field (NetflowOptionsFlowset10).field_count>, <Field (NetflowOptionsFlowset10).scope_field_count>, <Field (NetflowOptionsFlowset10).scopes>, <Field (NetflowOptionsFlowset10).options>]¶
-
-
class
scapy.layers.netflow.NetflowOptionsFlowsetOptionV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsFlowsetOptionV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
fields_desc= [<Field (NetflowOptionsFlowsetOptionV9).optionFieldType>, <Field (NetflowOptionsFlowsetOptionV9).optionFieldlength>]¶
-
-
class
scapy.layers.netflow.NetflowOptionsFlowsetScopeV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsFlowsetScopeV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
fields_desc= [<Field (NetflowOptionsFlowsetScopeV9).scopeFieldType>, <Field (NetflowOptionsFlowsetScopeV9).scopeFieldlength>]¶
-
-
class
scapy.layers.netflow.NetflowOptionsFlowsetV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsFlowsetV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
extract_padding(s)¶ DEV: to be overloaded to extract current layer’s padding.
Parameters: s (str) – the current layer Returns: a couple of strings (actual layer, padding)
-
fields_desc= [<Field (NetflowOptionsFlowsetV9).flowSetID>, <Field (NetflowOptionsFlowsetV9).length>, <Field (NetflowOptionsFlowsetV9).templateID>, <Field (NetflowOptionsFlowsetV9).option_scope_length>, <Field (NetflowOptionsFlowsetV9).option_field_length>, <Field (NetflowOptionsFlowsetV9).scopes>, <Field (NetflowOptionsFlowsetV9).options>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowDataflowsetV9'>)]¶
-
post_build(pkt, pay)¶ DEV: called right after the current layer is build.
Parameters: - pkt (str) – the current packet (build by self_buil function)
- pay (str) – the packet payload (build by do_build_payload function)
Returns: a string of the packet with the payload
-
-
class
scapy.layers.netflow.NetflowOptionsRecordOptionV9¶ Bases:
scapy.layers.netflow.NetflowRecordV9-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsRecordOptionV9'>, <class 'scapy.layers.netflow.NetflowRecordV9'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowRecordV9,NetflowOptionsRecordScopeV9,NetflowOptionsRecordOptionV9).fieldValue>]¶
-
-
class
scapy.layers.netflow.NetflowOptionsRecordScopeV9¶ Bases:
scapy.layers.netflow.NetflowRecordV9-
aliastypes= [<class 'scapy.layers.netflow.NetflowOptionsRecordScopeV9'>, <class 'scapy.layers.netflow.NetflowRecordV9'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowRecordV9,NetflowOptionsRecordScopeV9,NetflowOptionsRecordOptionV9).fieldValue>]¶
-
-
class
scapy.layers.netflow.NetflowRecordV1¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowRecordV1'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowRecordV1).ipsrc>, <Field (NetflowRecordV1).ipdst>, <Field (NetflowRecordV1).nexthop>, <Field (NetflowRecordV1).inputIfIndex>, <Field (NetflowRecordV1).outpuIfIndex>, <Field (NetflowRecordV1).dpkts>, <Field (NetflowRecordV1).dbytes>, <Field (NetflowRecordV1).starttime>, <Field (NetflowRecordV1).endtime>, <Field (NetflowRecordV1).srcport>, <Field (NetflowRecordV1).dstport>, <Field (NetflowRecordV1).padding>, <Field (NetflowRecordV1).proto>, <Field (NetflowRecordV1).tos>, <Field (NetflowRecordV1).padding1>, <Field (NetflowRecordV1).padding2>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowRecordV1'>)]¶
-
-
class
scapy.layers.netflow.NetflowRecordV5¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowRecordV5'>, <class 'scapy.packet.Packet'>]¶
-
fields_desc= [<Field (NetflowRecordV5).src>, <Field (NetflowRecordV5).dst>, <Field (NetflowRecordV5).nexthop>, <Field (NetflowRecordV5).input>, <Field (NetflowRecordV5).output>, <Field (NetflowRecordV5).dpkts>, <Field (NetflowRecordV5).dOctets>, <Field (NetflowRecordV5).first>, <Field (NetflowRecordV5).last>, <Field (NetflowRecordV5).srcport>, <Field (NetflowRecordV5).dstport>, <Field (NetflowRecordV5).pad1>, <Field (NetflowRecordV5).tcpFlags>, <Field (NetflowRecordV5).prot>, <Field (NetflowRecordV5).tos>, <Field (NetflowRecordV5).src_as>, <Field (NetflowRecordV5).dst_as>, <Field (NetflowRecordV5).src_mask>, <Field (NetflowRecordV5).dst_mask>, <Field (NetflowRecordV5).pad2>]¶
-
payload_guess= [({}, <class 'scapy.layers.netflow.NetflowRecordV5'>)]¶
-
-
class
scapy.layers.netflow.NetflowRecordV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowRecordV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
fields_desc= [<Field (NetflowRecordV9,NetflowOptionsRecordScopeV9,NetflowOptionsRecordOptionV9).fieldValue>]¶
-
-
class
scapy.layers.netflow.NetflowSession(*args)¶ Bases:
scapy.sessions.IPSessionSession used to defragment NetflowV9/10 packets on the flow. See help(scapy.layers.netflow) for more infos.
-
on_packet_received(pkt)¶ DEV: entry point. Will be called by sniff() for each received packet (that passes the filters).
-
-
class
scapy.layers.netflow.NetflowTemplateFieldV9(*args, **kwargs)¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowTemplateFieldV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
fields_desc= [<Field (NetflowTemplateFieldV9).fieldType>, <Field (NetflowTemplateFieldV9).fieldLength>]¶
-
-
class
scapy.layers.netflow.NetflowTemplateV9¶ Bases:
scapy.packet.Packet-
aliastypes= [<class 'scapy.layers.netflow.NetflowTemplateV9'>, <class 'scapy.packet.Packet'>]¶
-
default_payload_class(p)¶ DEV: Returns the default payload class if nothing has been found by the guess_payload_class() method.
Parameters: payload (str) – the layer’s payload Returns: the default payload class define inside the configuration file
-
fields_desc= [<Field (NetflowTemplateV9).templateID>, <Field (NetflowTemplateV9).fieldCount>, <Field (NetflowTemplateV9).template_fields>]¶
-
-
class
scapy.layers.netflow.ShortOrInt(name, default)¶ Bases:
scapy.fields.IntField-
getfield(pkt, x)¶ Extract an internal value from a string
Extract from the raw packet s the field value belonging to layer pkt.
Returns a two-element list, first the raw packet string after having removed the extracted field, second the extracted field itself in internal representation.
-
-
scapy.layers.netflow.ipfix_defragment(*args, **kwargs)¶ Alias for netflowv9_defragment
-
scapy.layers.netflow.netflowv9_defragment(plist, verb=1)¶ Process all NetflowV9/10 Packets to match IDs of the DataFlowsets with the Headers
- params:
- plist: the list of mixed NetflowV9/10 packets.
- verb: verbose print (0/1)