Use the nfdump suite. First transform the pcap into nfcapd format. For that:
nfpcapd -r /path/to/.pcap -l /path/to/outputfolder
In case you have many pcap files, you can use a bash loop:
for file in *.pcap; do nfpcapd -r "$file" -l output/directory/; done
Mind the extra p in nfPcapd and don’t confuse it with nfcapd!
(“nfpcapd: is the pcap capture daemon of the nfdump tools. It reads network packets from an interface or from a file and directly creates nfdump netflow records.” from https://github.com/phaag/nfdump/blob/master/man/nfpcapd.1)
If nfpcapd complains that the option is unknown, you need to download its source and compile it with the necessary flags:
git clone https://github.com/phaag/nfdump.git
cd nfdump
autoreconf -fi
./configure --enable-readpcap --enable-nfpcapd
make
sudo make install
Finally you can print the flow data:
nfdump/bin/nfdump -r nfcapd.200610050325
If you generated many nfcapd files and they are contained in one directory, use -R:
nfdump/bin/nfdump -R /path/to/dir/with/capdfiles
You can now use the pcap files to generate NetFlow or IPFIX flows and write the flows to a CSV file for use with other programs, e.g. Python.
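As an added example (not part of the original post) of consuming that CSV export from Python: after something like nfdump -R /path/to/dir -o csv > flows.csv, the script below parses the file, drops the non-flow trailer lines, and summarises bytes per source plus the number of distinct hosts each source reached with single-packet SYN-only TCP flows. The column names (sa, da, sp, dp, pr, flg, ipkt, ibyt) are assumed from nfdump's csv header and the input is a constructed sample; check both against your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the style of `nfdump -o csv`. Column names are assumed
# from nfdump's csv output (sa/da = addresses, sp/dp = ports, pr = protocol,
# flg = TCP flags in UAPRSF order, ipkt/ibyt = packets/bytes); verify them.
SAMPLE_CSV = """ts,te,td,sa,da,sp,dp,pr,flg,fwd,stos,ipkt,ibyt
2006-10-05 03:25:01,2006-10-05 03:25:03,2.000,10.0.0.5,192.0.2.10,51234,443,TCP,.AP.SF,0,0,12,4800
2006-10-05 03:25:02,2006-10-05 03:25:02,0.000,10.0.0.5,192.0.2.11,51235,22,TCP,....S.,0,0,1,60
2006-10-05 03:25:02,2006-10-05 03:25:02,0.000,10.0.0.5,192.0.2.12,51236,22,TCP,....S.,0,0,1,60
2006-10-05 03:25:04,2006-10-05 03:25:09,5.000,10.0.0.7,198.51.100.4,40000,53,UDP,......,0,0,4,320
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
4,5240,18,0,0,0
"""

REQUIRED = ("sa", "da", "dp", "pr", "flg", "ipkt", "ibyt")

def parse_flows(text):
    """Return flow rows as dicts, dropping the summary trailer and malformed rows."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        if any(not row.get(k) for k in REQUIRED):
            continue  # trailer lines do not carry the flow columns
        try:
            row["ipkt"], row["ibyt"] = int(row["ipkt"]), int(row["ibyt"])
        except ValueError:
            continue  # counters that are not integers: skip the row
        flows.append(row)
    return flows

def bytes_per_source(flows):
    """Total bytes sent per source address (top-talker view)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["sa"]] += f["ibyt"]
    return dict(totals)

def syn_only_fanout(flows):
    """Distinct destinations per source reached by 1-packet SYN-only TCP flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["pr"] == "TCP" and f["ipkt"] == 1 and f["flg"] == "....S.":
            targets[f["sa"]].add(f["da"])
    return {sa: len(dsts) for sa, dsts in targets.items()}

if __name__ == "__main__":
    rows = parse_flows(SAMPLE_CSV)
    print(bytes_per_source(rows), syn_only_fanout(rows))
```

To run it on a real export, replace SAMPLE_CSV with the contents of flows.csv (open(...).read()).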