
NetFlow Parser

This adapter supports NetFlow v5 and v9 and requires UDP Reader. Its single property is version, which has a default value of all. With this setting, the adapter automatically detects the packet type of each incoming packet and parses it accordingly. Because NetFlow export is carried over UDP, the reader cannot authenticate the exporter: any host that can reach the listening port can inject flow records. Restrict reachability of that port to the known exporters (for example with a host or network firewall rule) so that spoofed or stray packets are not parsed and counted.

The output type of a source using NetflowParser is WAEvent.

NetFlow Parser example

-- NetFlow v5 example: listen for UDP export packets and let NetflowParser
-- detect the NetFlow version of each packet (the parser's version property
-- is left at its default, all).
-- IPAddress/portno are the address and port the Striim server listens on;
-- 192.0.2.0 is an RFC 5737 documentation placeholder, replace it with the
-- server's own address. NetFlow over UDP carries no authentication, so
-- limit which hosts can reach this port to the exporters themselves.
CREATE SOURCE NetflowV5Source
USING UDPReader (IPAddress:'192.0.2.0', portno:'9915')
PARSE USING NetflowParser()
OUTPUT TO NetflowV5Stream;

The following application counts Type Of Service (TOS) values in NetFlow v9 export packets. It assumes a Cisco router has a NetFlow process configured to monitor type of service, with three key fields (input interface, output interface, and TOS) and two non-key fields (in_bytes and in_pkts). The collector address configured in that NetFlow process is the IP address and port of the Striim server running the application (the IPAddress and portno values given to UDPReader below).

-- NetFlow v9 source for the TOS counter below. NetflowParser is left at its
-- default version (all) and detects v9 from the packet itself.
-- IPAddress/portno must match the collector address configured on the
-- exporting router; 192.0.2.0 is a documentation placeholder. The port is
-- unauthenticated UDP, so restrict it to the expected exporter addresses.
CREATE SOURCE NetflowV9Source
USING UDPReader (IPAddress:'192.0.2.0', portno:'9915')
PARSE USING NetflowParser ()
OUTPUT TO NetflowV9Stream;

-- One parsed NetFlow v9 data record, reduced to the fields the TOS counter
-- needs. The comment on each field names the NetFlow v9 field it is
-- populated from in NetflowTOSMonitorCQ.
CREATE TYPE NetflowTOS_Type (
  protocol         string,   -- PROTOCOL
  source_ip        string,   -- IPV4_SRC_ADDR
  dest_ip          string,   -- IPV4_DST_ADDR
  input_interface  integer,  -- INPUT_SNMP
  output_interface integer,  -- OUTPUT_SNMP
  src_tos          string,   -- SRC_TOS
  in_pkts          integer,  -- IN_PKTS
  in_bytes         integer   -- IN_BYTES
);

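-- Output row of the TOS counter: one src_tos value, its human-readable
-- precedence label, and the number of rows seen for it in the current
-- window jump. Field types use the same lowercase spelling as
-- NetflowTOS_Type (the original mixed "String" and "string").
CREATE TYPE TOS_Type (
  source_ip        string,
  dest_ip          string,
  input_interface  integer,
  src_tos          string,   -- raw SRC_TOS value as a string
  type_of_service  string,   -- label derived from src_tos by the CASE in NetflowTOSCountCQ
  count            integer   -- rows per src_tos in the current window jump
);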

-- Typed stream carrying the projected data records out of NetflowTOSMonitorCQ.
CREATE STREAM NetflowTOSMonitorStream of NetflowTOS_Type;

-- Jumping (tumbling) window over that stream, keyed by src_tos: each
-- src_tos partition is emitted once it has accumulated 10 rows and then
-- starts over, so any count computed from it is at most 10 per jump.
CREATE JUMPING WINDOW NetflowTOSWindow OVER NetflowTOSMonitorStream
  KEEP 10 ROWS
  PARTITION BY src_tos;

-- Output stream of the counter CQ, written to the log by OperationLog.
CREATE STREAM TOSCountStream of TOS_Type;

-- Project the NetFlow v9 fields used by the TOS counter into a typed stream.
-- Only records whose RecordType metadata is "Data" are forwarded; the other
-- record types are presumably template/option records that carry no flow
-- fields -- confirm against the parser's META output.
-- NOTE(review): field presence is template-driven in v9. If an exporter's
-- template omits one of these fields, VALUE() presumably yields null for
-- that column (a null src_tos ends up labelled "Unsupported Type" downstream).
CREATE CQ NetflowTOSMonitorCQ
INSERT INTO NetflowTOSMonitorStream
SELECT VALUE(x,'PROTOCOL').toString(),
  VALUE(x,'IPV4_SRC_ADDR'), 
  VALUE(x,'IPV4_DST_ADDR'),
  VALUE(x,'INPUT_SNMP'),
  VALUE(x,'OUTPUT_SNMP'),
  VALUE(x,'SRC_TOS').toString(),
  VALUE(x,'IN_PKTS'),
  VALUE(x,'IN_BYTES')
FROM NetflowV9Stream x
WHERE META(x,"RecordType").toString() = "Data";

-- Label each src_tos value with an IP precedence name and count the rows
-- per src_tos within each 10-row jump of NetflowTOSWindow.
-- NOTE(review): the NetFlow v9 SRC_TOS field is the whole 8-bit TOS byte,
-- and the precedence names below belong to its top three bits (byte / 32).
-- The literal matches on '0'..'7' are therefore only correct if
-- NetflowParser already reduces SRC_TOS to the precedence value -- confirm.
-- If it delivers the raw byte, a value such as '184' (DSCP EF) falls through
-- to "Unsupported Type" and '1' is labelled "Priority" although its
-- precedence is Routine; compare on the top three bits instead.
-- source_ip, dest_ip and input_interface are not in GROUP BY, so each output
-- row presumably carries those values from one row of the group rather than
-- describing the whole group -- confirm TQL's behaviour for non-grouped
-- columns. COUNT never exceeds the window size (10 rows per jump).
CREATE CQ NetflowTOSCountCQ
INSERT INTO TOSCountStream
SELECT x.source_ip, x.dest_ip, x.input_interface, x.src_tos.toString(), 
CASE WHEN x.src_tos = '0' THEN "Routine"
  WHEN x.src_tos = '1' THEN "Priority"
  WHEN x.src_tos = '2' THEN "Immediate"
  WHEN x.src_tos = '3' THEN "Flash"
  WHEN x.src_tos = '4' THEN "Flash Override"
  WHEN x.src_tos = '5' THEN "CRITIC/ECP"
  WHEN x.src_tos = '6' THEN "Internetwork Control"
  WHEN x.src_tos = '7' THEN "Network Control"
  ELSE "Unsupported Type" END,  -- also reached when src_tos is null
COUNT(x.src_tos.toString())
FROM NetflowTOSWindow x
GROUP BY src_tos.toString();

-- Debug dump of every projected data record to standard output.
-- The records include source and destination addresses, i.e. network
-- metadata about monitored hosts; disable this target or restrict access
-- to the server's stdout outside of development.
CREATE TARGET NetflowV9StreamDump USING SysOut(name:NetflowV9)
INPUT FROM NetflowTOSMonitorStream;

-- Write the per-jump TOS counts to a log file. Each row still carries a
-- source/destination address pair, so treat the file as sensitive: set
-- restrictive permissions on it and apply a retention policy.
CREATE TARGET OperationLog
USING LogWriter(name:NetflowTOSMonitor, filename:'NetflowTOSMonitor.log')
INPUT FROM TOSCountStream;