simulating sflow output from existing PCAP

[Hanan Shteingart]

Hi,

I have a PCAP dump file collected from a sniffer (full packets 1:1 rate recording).

I would like to simulate "how it would have been seen if there was an sflow sampler?".

In other words, I would like to get sFlow data as if it was active at time of recording.

I found this https://justhackerthings.com/post/converting-pcap-files-to-network-flow-data/ but it is for netFlow no sFlow.

Is there a script I can run which will convert PCAP file to sFLOW format?

Thanks,

HS

[neil....@inmon.com]

If you compile the latest sflowtool,  it has an option for this.

git clone https://github.com/sflow/sflowtool

cd sflowtool

./boot.sh

./configure

make

sudo make install

and then:

sflowtool -r mypackets.pcap -R 100 -f 127.0.0.1/7777

will sample the packets at 1:100 and send to local UDP port 7777.  You can confirm they are arriving by running:

sflowtool -p 7777

in another window.

I plan to add options to set the agent address (it currently comes out as 0.0.0.0),  and to compress time so you can "playback" at different speeds (or as fast as possible).

The encoding routines in sflow_xdr.h are experimental and have not been tested thoroughly,  so please let me know if you find bugs.

(I was curious to see how efficiently the XDR encoding could be done.  The old sFlow encoding library does a lot of redundant copying and cross-checking.)