ipfixcat
is a utility to parse and print an IPFIX stream, as defined by RFC
5101. It's also the minimal demo of how to use the github.com/calmh/ipfix
package.
Grab a binary release from https://github.com/calmh/ipfixcat/releases.
You can also build from source. Make sure you have Go 1.1 installed. See http://golang.org/doc/install.
$ go install github.com/calmh/ipfixcat
The output format is JSON with one object per line. Each object has fields
exportTime
(UNIX epoch seconds), templateId
and elements
. The latter is an
array containing the information elements in the same order as received by the
exporter.
Each information element has the fields name
, enterprise
, field
, value
and rawvalue
. For vendor fields that are not described by a user dictionary,
name
and value
will be empty and rawvalue
contains a byte array. For fully
understood fields, value
contains the parsed value and rawvalue
is empty.
There are some statistics that can be enabled as well, see ipfixcat -help
for
more information.
Parse a UDP IPFIX stream, using a custom dictionary to interpret vendor fields. Note that it might take a while to start displaying datasets, because we need to receive the periodically sent template sets first in order to be able to parse them.
$ socat udp-recv:4739 stdout | ipfixcat -dict procera-fields.ini
{"exportTime":1374745620,"templateId":49836,"fields":[{"name":"destinationIPv4Address","field":12,"value":"194.153....
{"exportTime":1374745620,"templateId":10299,"fields":[{"name":"destinationIPv6Address","field":28,"value":"2001:470...
{"exportTime":1374745620,"templateId":10299,"fields":[{"name":"destinationIPv6Address","field":28,"value":"2001:470...
...
Don't attempt to use netcat (nc
) for reading UDP streams. Almost all
distributed versions are broken and truncate UDP packets at 1024 bytes.
The MIT License.