Decode UDP Packet to Netflow


I've come across the Wireshark "decode as" feature, where I can decode a UDP packet as CFLOW to get my Netflow data.

Is it possible to code a script that decodes the UDP packet and gets the Netflow data?

Currently I am trying it out using python3-scapy, where I sniff the interface and keep only UDP packets. I am stuck now as I don't know what I should do next.

Note: My focus is on Netflow Version 9

Below is my code:

from scapy.all import *

## Create a Packet Counter
counter = 0
INTERFACE = "<interface_name>"

## Define our Custom Action function
def custom_action(pkts):
    for packet in pkts:
        if (packet.haslayer(UDP)):
            # do something , what should i do?
            pass

if __name__ == "__main__":
    ## Setup sniff, filtering for IP traffic
    sniff(iface=INTERFACE, prn = custom_action, store=0)


FYI, you can use layer in pkt rather than the "old" pkt.haslayer(layer). This will work with the development version of Scapy (which works with Python 3).

The prn callback accepts a packet, not a packet list or generator.

If you want to use NetflowHeader() to (try to) dissect any UDP packet, you can do:

from scapy.all import sniff, raw, UDP, NetflowHeader

def custom_action(pkt):
    if UDP in pkt:
        # replace the undissected Raw payload with a Netflow dissection of the same bytes
        pkt[UDP].payload = NetflowHeader(raw(pkt[UDP].payload))

pkts = sniff(iface=INTERFACE, prn=custom_action)

But the closest way to Wireshark's "decode as" functionality in Scapy would be to simply overwrite UDP's .payload_guess attribute:

UDP.payload_guess = [({}, NetflowHeader)]
pkts = sniff(iface=INTERFACE)
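Since the question is specifically about NetFlow Version 9, it helps to see what "decoding" the UDP payload actually involves: v9 is template-driven, so a data flowset can only be interpreted once the exporter has sent the matching template flowset (normally keyed by source ID and template ID). The following is an added example, not the answerer's code and not part of Scapy; it is a stdlib-only parser for the v9 header, template flowsets and data flowsets, with a constructed sample export packet so it runs offline. The function and variable names (`parse_netflow_v9`, `build_sample`, `templates`) are assumptions for this example; in the sniffing callback above you would feed it `raw(pkt[UDP].payload)` and keep the `templates` dict alive across packets.

```python
import struct
from ipaddress import ip_address

# NetFlow v9 field types (RFC 3954) used by the constructed sample below.
FIELD_NAMES = {1: "IN_BYTES", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}
IPV4_FIELDS = {8, 12}

# v9 export header: version, count, sysUptime, unixSecs, sequence, sourceId
HEADER = struct.Struct("!HHIIII")


def decode_field(ftype, data):
    """Render an IPv4 field as dotted quad; everything else as a big-endian int."""
    if ftype in IPV4_FIELDS and len(data) == 4:
        return str(ip_address(data))
    return int.from_bytes(data, "big")


def parse_netflow_v9(payload, templates):
    """Parse one v9 export packet (the UDP payload).

    `templates` maps (source_id, template_id) -> [(field_type, length), ...]
    and is updated in place, since templates arrive in separate packets from
    the data that needs them. Returns the list of decoded data records.
    """
    version, count, uptime, unix_secs, seq, source_id = HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records = []
    off = HEADER.size
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4:                      # would loop forever on a bad length
            raise ValueError("malformed flowset length")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:                      # template flowset: learn record layouts
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if pos + 4 * nfields > len(body):   # truncated template
                    break
                fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                  # data flowset: needs a known template
            fields = templates.get((source_id, fs_id))
            rec_len = sum(length for _, length in fields) if fields else 0
            if rec_len:                     # otherwise skip: template not seen yet
                pos = 0
                while pos + rec_len <= len(body):   # trailing bytes are padding
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                        rec[name] = decode_field(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        off += fs_len
    return records


def build_sample(include_template=True):
    """Constructed v9 export: one template (ID 256) plus two data records."""
    template = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template)) + b"".join(
        struct.pack("!HH", t, l) for t, l in template)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def rec(src, dst, sport, dport, proto, nbytes):
        return (ip_address(src).packed + ip_address(dst).packed
                + struct.pack("!HHBI", sport, dport, proto, nbytes))

    data_body = (rec("10.0.0.5", "192.0.2.10", 51000, 443, 6, 1500)
                 + rec("10.0.0.7", "192.0.2.53", 53021, 53, 17, 120))
    pad = (-len(data_body)) % 4             # flowsets are padded to 4 bytes
    data_fs = struct.pack("!HH", 256, 4 + len(data_body) + pad) + data_body + b"\x00" * pad
    header = HEADER.pack(9, 3, 123456, 1700000000, 1, 42)   # source ID 42, constructed
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    templates = {}
    for r in parse_netflow_v9(build_sample(), templates):
        print(r)
```

Running it prints the two decoded records. Calling `parse_netflow_v9(build_sample(include_template=False), {})` returns an empty list instead of garbage, which is the v9 behaviour to plan for in a live sniffer: records exported before the first template refresh (Scapy's `netflowv9_defragment` exists for the same reason) cannot be interpreted, so a collector must either wait for the template or ask the exporter to re-send it.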