Using PERL to Interpret NetFlow Show Command Output

Author
Peter Welcher
Architect, Operations Technical Advisor

For example, “show ip cache flow” produces output like the following:

rtr1841#show ip cac flo 
IP packet size distribution (98655 total packets): 
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480 
.000 .921 .014 .010 .040 .000 .001 .002 .000 .000 .000 .000 .000 .000 .000 512  544  576 1024 1536 2048 2560 3072 3584 4096 4608 
.000 .000 .000 .000 .007 .000 .000 .000 .000 .000 .000 

IP Flow Switching Cache, 278544 bytes 
17 active, 4079 inactive, 19629 added 
715321 ager polls, 0 flow alloc failures 
Active flows timeout in 30 minutes 
Inactive flows timeout in 15 seconds 
IP Sub Flow Cache, 25736 bytes 
15 active, 1009 inactive, 16457 added, 16457 added to flow 
0 alloc failures, 0 force free 
1 chunk, 1 chunk added 
last clearing of statistics never 
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec) 
——–         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow 
TCP-WWW             38      0.0         5    45      0.0       0.2       1.4 
TCP-other           38      0.0         3    48      0.0       0.9      15.4 
UDP-NTP            909      0.0         1    76      0.0       0.0      15.5 
UDP-other        17822      0.2         1   115      0.3       1.8      15.5 
ICMP                 2      0.0         1   204      0.0       0.0      15.4 
GRE                  1      0.0        12    80      0.0      18.9      15.3 
IP-other           210      0.0       353    60      1.0    1627.3       3.4 
Total:           19020      0.2         5    73      1.4      19.6      15.3 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts 
Fa0/0.77      10.20.77.1      Null          224.0.0.10      58 0000 0000    69 
Fa0/0.3       192.168.1.4     Null          224.0.1.40      11 0002 01F0     1 
Fa0/0.17      192.168.1.4     Null          224.0.1.40      11 0002 01F0     1 
Fa0/0.3       192.168.1.4     Null          224.0.1.39      11 0001 01F0     1 
Fa0/0.17      192.168.1.4     Null          224.0.1.39      11 0001 01F0     1 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts 
Fa0/0         192.168.1.4     Null          224.0.1.40      11 0002 01F0     1 
Fa0/1         192.168.1.3     Null          224.0.1.40      11 0002 01F0     1 
Fa0/1         192.168.1.3     Null          224.0.1.39      11 0001 01F0     1 
Fa0/0         192.168.1.4     Null          224.0.1.39      11 0001 01F0     1 
Fa0/1         192.168.1.130   Null          192.168.1.255   11 19F6 19F6     8 
Fa0/0.17      10.20.17.1      Null          224.0.0.10      58 0000 0000    66 
Fa0/0         10.20.1.1       Null          224.0.0.10      58 0000 0000    70 
Fa0/0.3       10.20.3.1       Null          224.0.0.10      58 0000 0000    68 
Fa0/1         192.168.1.3     Null          224.0.0.10      58 0000 0000    66 
Fa0/0.17      10.20.254.1     Null          224.0.1.40      11 01F0 01F0     1 
Fa0/0.3       10.20.254.1     Null          224.0.1.40      11 01F0 01F0     1 
Fa0/0.3       10.20.254.1     Null          224.0.1.39      11 01F0 01F0     1 
Fa0/0.17      10.20.254.1     Null          224.0.1.39      11 01F0 01F0     1 
Fa0/0         10.20.254.1     Null          224.0.1.39      11 01F0 01F0     1 
Fa0/0         10.20.254.1     Null          224.0.1.40      11 01F0 01F0     1 
Fa0/0         192.168.1.131   Local         10.20.1.15      06 05A1 0017    44 

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts 
Fa0/0.77      10.20.77.1      Null          224.0.0.10      58 0000 0000    86 
Fa0/1         192.168.1.130   Null          192.168.1.255   11 19F6 19F6     1 
Fa0/0.17      10.20.17.1      Null          224.0.0.10      58 0000 0000    82 
Fa0/0         10.20.1.1       Null          224.0.0.10      58 0000 0000    84 
Fa0/0.3       10.20.3.1       Null          224.0.0.10      58 0000 0000    82 
Fa0/0         192.168.1.131   Local         10.20.1.15      06 06F2 0017    74 
Fa0/1         192.168.1.3     Null          224.0.0.10      58 0000 0000    81 
rtr1841#

The one problem with that is most of us aren’t quick at mental gymnastics to convert hex to decimal. And we all know what IP protocols 6 and 17 are, don’t we?

To help with interpreting such output, I wrote a PERL script. Here is sample output from it

rtr1841#show ip cac flo
IP packet size distribution (98655 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .921 .014 .010 .040 .000 .001 .002 .000 .000 .000 .000 .000 .000 .000512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .007 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
17 active, 4079 inactive, 19629 added
715321 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 25736 bytes
15 active, 1009 inactive, 16457 added, 16457 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
——–         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-WWW             38      0.0         5    45      0.0       0.2       1.4
TCP-other           38      0.0         3    48      0.0       0.9      15.4
UDP-NTP            909      0.0         1    76      0.0       0.0      15.5
UDP-other        17822      0.2         1   115      0.3       1.8      15.5
ICMP                 2      0.0         1   204      0.0       0.0      15.4
GRE                  1      0.0        12    80      0.0      18.9      15.3
IP-other           210      0.0       353    60      1.0    1627.3       3.4
Total:           19020      0.2         5    73      1.4      19.6      15.3

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr      SrcP            DstP             Pkts
Fa0/0.77      10.20.77.1      Null          224.0.0.10      EIGRP   Reserved        Reserved           69
Fa0/0.3       192.168.1.4     Null          224.0.1.40      UDP     compressnet     pim-rp-disc         1
Fa0/0.17      192.168.1.4     Null          224.0.1.40      UDP     compressnet     pim-rp-disc         1
Fa0/0.3       192.168.1.4     Null          224.0.1.39      UDP     tcpmux          pim-rp-disc         1
Fa0/0.17      192.168.1.4     Null          224.0.1.39      UDP     tcpmux          pim-rp-disc         1
Fa0/0         192.168.1.4     Null          224.0.1.40      UDP     compressnet     pim-rp-disc         1
Fa0/1         192.168.1.3     Null          224.0.1.40      UDP     compressnet     pim-rp-disc         1
Fa0/1         192.168.1.3     Null          224.0.1.39      UDP     tcpmux          pim-rp-disc         1
Fa0/0         192.168.1.4     Null          224.0.1.39      UDP     tcpmux          pim-rp-disc         1
Fa0/1         192.168.1.130   Null          192.168.1.255   UDP     6646            6646                8
Fa0/0.17      10.20.17.1      Null          224.0.0.10      EIGRP   Reserved        Reserved           66
Fa0/0         10.20.1.1       Null          224.0.0.10      EIGRP   Reserved        Reserved           70
Fa0/0.3       10.20.3.1       Null          224.0.0.10      EIGRP   Reserved        Reserved           68
Fa0/1         192.168.1.3     Null          224.0.0.10      EIGRP   Reserved        Reserved           66
Fa0/0.17      10.20.254.1     Null          224.0.1.40      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0.3       10.20.254.1     Null          224.0.1.40      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0.3       10.20.254.1     Null          224.0.1.39      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0.17      10.20.254.1     Null          224.0.1.39      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0         10.20.254.1     Null          224.0.1.39      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0         10.20.254.1     Null          224.0.1.40      UDP     pim-rp-disc     pim-rp-disc         1
Fa0/0         192.168.1.131   Local         10.20.1.15      TCP     cadis-1         telnet             44
Fa0/0.77      10.20.77.1      Null          224.0.0.10      EIGRP   Reserved        Reserved           86
Fa0/1         192.168.1.130   Null          192.168.1.255   UDP     6646            6646                1
Fa0/0.17      10.20.17.1      Null          224.0.0.10      EIGRP   Reserved        Reserved           82
Fa0/0         10.20.1.1       Null          224.0.0.10      EIGRP   Reserved        Reserved           84
Fa0/0.3       10.20.3.1       Null          224.0.0.10      EIGRP   Reserved        Reserved           82
Fa0/0         192.168.1.131   Local         10.20.1.15      TCP     prodigy-intrnet telnet             74
Fa0/1         192.168.1.3     Null          224.0.0.10      EIGRP   Reserved        Reserved           81
rtr1841#

It’s the same information, but the tail end is replaced by converting hex to decimal and then looking up names of IP protocols or assigned UDP and TCP ports based on the official assigned numbers information.

The PERL script a bit large due to the protocol / port lookup tables. Copy the text to a text file named nf.pl, and run it on captured output like the sample with hex above.

6 responses to “Using PERL to Interpret NetFlow Show Command Output

  1. You can run with any good PERL distribution on Windows or Linux. Active PERL is very good, free. See [url]http://www.activestate.com/activeperl/[/url]

    Yes, to use it, capture the show ip cache flow output and then run it through the PERL script.

    The router interface is included as part of the standard NetFlow information, but the show output isn’t that fancy. So you can’t get interface loading, nor time-based graphs, from this script. This is just basic what flows were seen in some period of time.

    For better reporting, you might look into the NASA sponsored FlowViewer (free web GUI front end to the CAIDA tools), it’s pretty good. Or Scrutinizer from Plixer.com, enterprise license is about $3500 I believe, it isn’t as fancy as the $100,000 tools but I hear very good things about it. It breaks out NetFlow by interface and I believe can show a stacked area graph of which applications are consuming the bandwidth. Plus it saves historical usage (summarized).

  2. I get the below message:

    C:>perl nf.pl
    Use of uninitialized value $filename in open at test1.pl line 2155.
    Use of uninitialized value $filename in concatenation (.) or string at nf.pl
    line 2155.
    Can’t open file

    C:>

  3. Try "perl nf.pl filename" where "filename" is the name of the file (captured show output from the router).

    Hey, it’s a minimal script!

  4. Hello, thanks for the script. It does not work for me either.
    I get this:

    Use of uninitialized value $line in pattern match (m//) at ./netflow.pl line 2160.
    Use of uninitialized value $line in print at ./netflow.pl line 2174.

  5. Apparently the line read failed or some error occurred. Sorry, my intent was to provide the rudiments of a script, I can’t take on troubleshooting it. Check your input and make sure only the show output is there. It may be the format of the box you captured from is problematic or changed from what it was when I wrote the script.

Leave a Reply

 

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.

 

Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.

 

John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.