/flowgen

Netflow generator from JSON to PCAP

Primary LanguagePythonMIT LicenseMIT

flowgen

GitHub license Language: Python

Flowgen generates a pcap file containing netflows described in a JSON file. It can be used to test any tools or detection methods based on netflow.

Pcap can be replay by TCPReplay.

Usage

Usage: main.py command -f flows

Command:
      generate        : Generate Pcap containing netflows

Options:
      -h, --help      : Show help
      -f, --flows     : Input file (JSON flows) - required
      -o, --output    : Output file (default: output.pcap)
      -s, --sensor    : Flow sensor (IP:PORT)
      -c, --collector : Flow collector (IP:PORT)
      -v, --version   : Flow version (default: 9)
      --strict        : Disable flow autocompletion

Limitations

  • Netflow V9 only.

  • 30 supported fields

    IN_BYTES IN_PKTS FLOWS PROTOCOL IP_TOS
    L4_SRC_PORT IPV4_SRC_ADDR INPUT_SNMP L4_DST_PORT IPV4_DST_ADDR
    OUTPUT_SNMP IPV4_NEXT_HOP SRC_AS DST_AS BGP_IPV4_NEXT_HOP
    MUL_DST_BYTES LAST_SWITCHED FIRST_SWITCHED OUT_BYTES OUT_PKTS
    MAX_PKT_LNGTH IPV6_SRC_ADDR IPV6_DST_ADDR IPV6_SRC_MASK IPV6_DST_MASK
    TCP_FLAGS IPV4_DST_MASK MUL_DST_PKTS MIN_PKT_LNGTH IP_PROTOCOL_VERSION

Output examples

cat example_flows.json
    
[
  {
    "IPV6_SRC_ADDR": "fe80::5153:e252:7215:3e53",
    "IPV6_DST_ADDR": "ff02::1:3",
    "IN_BYTES": 200000000,
    "IN_PKTS": 200000,
    "L4_SRC_PORT": 45543,
    "L4_DST_PORT": 8888,
    "PROTOCOL": 6
  }
]
./flowgen/main.py generate -f example_flows.json --sensor 10.83.178.113 --collector 10.83.178.126

[+] Loading flows from example_flows.json
[+] Building flow template
[+] Building flow data
    fe80::5153:e252:7215:3e53:45543 --[190.73 MB]--> ff02::1:3:8888 
[+] Writing to output.pcap    

example