Last active
October 26, 2023 19:31
-
-
Save jjsantanna/f2ee2f1fe23208299f4a2ca392f8b23f to your computer and use it in GitHub Desktop.
Tutorial pcap to netflow
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| OS: Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu | |
| Instructions: | |
| 1)Uncomment lines from /etc/apt/sources.list(needs root): | |
| deb-src http://us.archive.ubuntu.com/ubuntu/ xenial universe | |
| deb-src http://us.archive.ubuntu.com/ubuntu/ xenial-updates universe | |
| 2)Run: | |
| sudo apt-get update && sudo apt-get upgrade | |
| 3)Download the source files of nfdump and dependencies: | |
| sudo apt-get source nfdump | |
| sudo apt-get install libtool | |
| sudo apt-get install dh-autoreconf | |
| sudo apt-get install libpcap-dev | |
| sudo apt-get install libghc-bzlib-dev | |
| sudo apt-get install flex | |
| 4)Navigate into the directory and run autogen.sh | |
| cd nfdump | |
| chmod u+x autogen.sh && ./autogen.sh | |
| 5)Run: | |
| ./configure --enable-sflow --enable-readpcap --enable-nfpcapd | |
| 6)Run: | |
| make | |
| sudo make install | |
| sudo ldconfig | |
| 7)You can now convert pcaps to nflow by running: | |
| nfpcapd -r <path_to_pcap_file> -l <output_directory> | |
| 8)Then you can use nfdump to export the netflows: | |
| cd <output_directory> | |
| nfdump -r <nflow_file> -o extended -o csv > <output_file> |
sudo apt-get install libtool dh-autoreconf libpcap-dev libghc-bzlib-dev flex -y
In WSL:
autogen.sh: configure nfdump-1.6.18
autogen.sh: could not find PKG_CHECK_MODULES macro.
Either pkg-config is not installed on your system or
`pkg.m4' is missing or not found by aclocal.
If pkg.m4' is installed at an unusual location, re-run autogen.sh' by setting `ACLOCAL_FLAGS':
ACLOCAL_FLAGS="-I <prefix>/share/aclocal" ./autogen.sh
solution:
sudo apt-get install autoconf pkgconf -y
ensure you have bison as well otherwise you will get make errors when failing to find yacc
sudo apt-get install bison -y
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is a very helpful tutorial, however one last command was missing in my case to resolve the
nfdump: error while loading shared libraries: libnfdump-1.6.23.so: cannot open shared object file: No such file or directoryerror:After sudo make install run:
sudo ldconfigAlso, after step 7), you might end up with a folder of .nfcapd files. If you want to merge them to a single .csv output you can:
nfdump -R <directory_with_nfcapds> > merged_nfcapd.csv