I've come across the Wireshark "decode as" feature, where I can decode UDP packets as CFLOW to get my Netflow data.
Is it possible to code a script that decodes the UDP packet and gets the Netflow data?
Currently I am trying it out using python3-scapy, where I sniff the interface and retrieve only UDP packets. I am stuck now as I don't know what I should do next.
Note: My focus is on Netflow Version 9
Below is my code:
from scapy.all import *

## Create a Packet Counter
counter = 0
INTERFACE = "<interface_name>"

## Define our Custom Action function
## (sniff() calls prn once per packet, so the argument is a single packet)
def custom_action(packet):
    global counter
    if packet.haslayer(UDP):
        counter += 1
        # do something , what should i do?

if __name__ == "__main__":
    ## Setup sniff, filtering for IP traffic
    sniff(iface=INTERFACE, prn=custom_action, store=0)
FYI, you can use "layer in pkt" rather than the "old" pkt.haslayer(layer). This will work with the development version of Scapy (which works with Python 3).

The prn callback accepts a packet, not a packet list or generator.

If you want to use NetflowHeader() to (try to) dissect any UDP packet, you can do:

But the closest way to Wireshark's "decode as" functionality in Scapy would be to simply overwrite UDP's .payload_guess attribute:
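As an added example (it is not part of the question or of the answer above, and it is not Scapy's NetflowHeader dissector), here is a self-contained NetFlow v9 decoder written with the standard-library struct module, so it runs without Scapy. It does the three things a v9 decoder must do and that a generic "decode as" cannot hide from you: it keeps templates per (source_id, template_id) as RFC 3954 requires, it returns nothing for a data FlowSet whose template has not been received yet instead of guessing a layout, and it bounds every wire-supplied length before slicing, because an exporter is an unauthenticated UDP sender and a single bad length would otherwise read past the datagram or loop forever. The field numbers are the standard RFC 3954 ones; the sample datagram, the build_sample_packet function and the NetflowV9Decoder class are my own constructions.

```python
import struct
import ipaddress

# A few NetFlow v9 field types from RFC 3954 (the sample uses only these);
# anything else is reported as TYPE_<n> with its raw integer value.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
HEADER = struct.Struct("!HHIIII")   # version, count, sysUptime, unix_secs, seq, source_id
FLOWSET = struct.Struct("!HH")      # flowset_id, length (length includes this 4-byte header)


def decode_field(ftype, raw):
    """Render a field value: dotted quad for 4-byte IPv4 fields, big-endian int otherwise."""
    if ftype in (8, 12) and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


class NetflowV9Decoder:
    """Stateful v9 decoder: data FlowSets are only decodable once their template arrived."""

    def __init__(self):
        # Templates are scoped to the exporter's source_id (RFC 3954 section 5.1).
        self.templates = {}

    def parse(self, payload):
        """Decode one UDP payload; returns a list of flow records as dicts."""
        if len(payload) < HEADER.size:
            raise ValueError("short NetFlow header")
        version, _count, _uptime, _secs, _seq, source_id = HEADER.unpack_from(payload)
        if version != 9:
            raise ValueError("not NetFlow v9: version %d" % version)
        records, offset = [], HEADER.size
        while offset + FLOWSET.size <= len(payload):
            fs_id, fs_len = FLOWSET.unpack_from(payload, offset)
            # Length comes from the wire; bound it before slicing so a bad exporter
            # cannot make us loop forever (fs_len == 0) or read past the datagram.
            if fs_len < FLOWSET.size or offset + fs_len > len(payload):
                raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, offset))
            body = payload[offset + FLOWSET.size:offset + fs_len]
            if fs_id == 0:                      # template FlowSet
                self._parse_templates(source_id, body)
            elif fs_id >= 256:                  # data FlowSet, id == template id
                records.extend(self._parse_data(source_id, fs_id, body))
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _parse_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, fcount = FLOWSET.unpack_from(body, pos)   # template_id, field_count
            pos += 4
            fields = []
            for _ in range(fcount):
                if pos + 4 > len(body):
                    raise ValueError("truncated template %d" % tid)
                fields.append(FLOWSET.unpack_from(body, pos))   # (field_type, field_length)
                pos += 4
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            return []   # template not seen yet: leave the bytes undecoded rather than guess
        rec_len = sum(flen for _, flen in fields)
        if rec_len == 0:
            return []   # a zero-length template would otherwise loop forever
        records, pos = [], 0
        while pos + rec_len <= len(body):   # trailing bytes shorter than rec_len are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, "TYPE_%d" % ftype)] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            records.append(rec)
        return records


def build_sample_packet():
    """Constructed sample datagram: one template (id 256) followed by one data record."""
    layout = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    template = FLOWSET.pack(256, len(layout)) + b"".join(FLOWSET.pack(t, l) for t, l in layout)
    template_fs = FLOWSET.pack(0, FLOWSET.size + len(template)) + template
    record = (ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("192.0.2.10").packed
              + struct.pack("!HHBII", 51234, 443, 6, 1500, 10))
    pad = (-len(record)) % 4            # FlowSets are padded to a 32-bit boundary
    data_fs = FLOWSET.pack(256, FLOWSET.size + len(record) + pad) + record + b"\x00" * pad
    header = HEADER.pack(9, 2, 123456, 1700000000, 1, 7)
    return header + template_fs + data_fs


if __name__ == "__main__":
    decoder = NetflowV9Decoder()
    for rec in decoder.parse(build_sample_packet()):
        print(rec)
```

To plug this into the sniffer from the question, keep one NetflowV9Decoder instance alive for the whole capture and call its parse method with bytes(packet[UDP].payload) from the prn callback; exporters typically resend the template FlowSet only every few minutes, so data records that arrive before it (or after the decoder was restarted) are reported as empty lists by design, and a ValueError means the datagram was not well-formed v9 and should be logged rather than trusted.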