narutaro/How to decode NetFlow version with tcpdump.md

Last active June 13, 2019 14:31

Star (4) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/narutaro/0c3ecc000644214fc600.js"></script>
Save narutaro/0c3ecc000644214fc600 to your computer and use it in GitHub Desktop.

Download ZIP

How to decode NetFlow version with tcpdump

Raw

How to decode NetFlow version with tcpdump.md

Here you go.

sudo tcpdump -i <if> -n udp port <port_num> -T cnfp

You see:

05:10:47.244695 IP (tos 0x0, ttl 56, id 28920, offset 0, flags [none], proto UDP (17), length 1484)
    129.250.0.131.26559 > 165.254.42.212.5678: NetFlow v9, 1049742.039 uptime, 1458018714.016532042, 22 recs
  started 0.275, last 0.281
    0.0.8.1:16017 > 1.4.5.156:32924 >> 0.0.0.1
    128 tos 156, 3007102979 (94059791 octets)

Version 9.