I am working on a program that imports and exports net flow data. Because of our general architecture, it would make sense to describe this information in XML. Does there exist an XML for describing net flow data?
A good description of NetFlow data can be found in this Usenix paper: http://www.usenix.org/events/lisa00/full_papers/navarro/navarro_html/
According to the paper, an SQL schema for describing net flow data is:
create table netflows (
    router_id char(1) not null,
    src_ipn bigint unsigned not null,
    dst_ipn bigint unsigned not null,
    nxt_ipn bigint unsigned not null,
    ifin smallint unsigned not null,
    ifout smallint unsigned not null,
    packets integer unsigned not null,
    octets integer unsigned not null,
    starttime timestamp not null,
    endtime timestamp not null,
    srcport smallint unsigned not null,
    dstport smallint unsigned not null,
    tcp tinyint unsigned not null,
    prot tinyint unsigned not null,
    tos tinyint unsigned not null,
    srcas smallint unsigned not null,
    dstas smallint unsigned not null,
    srcmask tinyint unsigned not null,
    dstmask tinyint unsigned not null
);
It's pretty easy to turn this into an XML schema. My interest is in knowing if someone has already done this, as I would rather not create a new, incompatible schema.
Thanks.
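As an added illustration of the "turn this into an XML schema" step (example code, not part of the question, the Usenix paper, or any published NetFlow XML standard), the script below derives an XSD from the column list above and serializes flow records to and from XML. It maps each MySQL unsigned width to the matching XSD built-in (`bigint unsigned` to `xs:unsignedLong`, `smallint unsigned` to `xs:unsignedShort`, and so on), keeps `not null` as the default `minOccurs="1"`, and range-checks every value on the way in as well as on the way out, so an import does not silently accept a negative port or an oversized byte counter. The `urn:example:netflow` namespace and the `netflows`/`flow`/`flowType` element names are this example's own assumptions, and the sample flow is constructed, not real traffic.

```python
"""Derive an XML Schema (XSD) and XML records from the NetFlow SQL table above.
Added example, not from the question or the Usenix paper: the namespace and
element names are this example's own assumptions, not a published standard."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
XS = "http://www.w3.org/2001/XMLSchema"
NS = "urn:example:netflow"  # hypothetical namespace chosen for this example

# (column, SQL type) pairs copied from the CREATE TABLE statement in the question
COLUMNS = [
    ("router_id", "char(1)"), ("src_ipn", "bigint unsigned"),
    ("dst_ipn", "bigint unsigned"), ("nxt_ipn", "bigint unsigned"),
    ("ifin", "smallint unsigned"), ("ifout", "smallint unsigned"),
    ("packets", "integer unsigned"), ("octets", "integer unsigned"),
    ("starttime", "timestamp"), ("endtime", "timestamp"),
    ("srcport", "smallint unsigned"), ("dstport", "smallint unsigned"),
    ("tcp", "tinyint unsigned"), ("prot", "tinyint unsigned"),
    ("tos", "tinyint unsigned"), ("srcas", "smallint unsigned"),
    ("dstas", "smallint unsigned"), ("srcmask", "tinyint unsigned"),
    ("dstmask", "tinyint unsigned"),
]
# MySQL unsigned integer widths map one-to-one onto XSD's unsigned built-in types
SQL_TO_XSD = {"char(1)": "xs:string", "bigint unsigned": "xs:unsignedLong",
              "smallint unsigned": "xs:unsignedShort", "integer unsigned": "xs:unsignedInt",
              "tinyint unsigned": "xs:unsignedByte", "timestamp": "xs:dateTime"}
UNSIGNED_MAX = {"xs:unsignedByte": 2**8 - 1, "xs:unsignedShort": 2**16 - 1,
                "xs:unsignedInt": 2**32 - 1, "xs:unsignedLong": 2**64 - 1}

def xsd_type(sql_type):
    return SQL_TO_XSD[sql_type]

def build_xsd():
    """<netflows> holds any number of <flow> elements with one child per column.
    NOT NULL becomes the default minOccurs="1", so a missing field is a schema error."""
    ET.register_namespace("xs", XS)
    schema = ET.Element(f"{{{XS}}}schema", targetNamespace=NS, elementFormDefault="qualified")
    root = ET.SubElement(schema, f"{{{XS}}}element", name="netflows")
    seq = ET.SubElement(ET.SubElement(root, f"{{{XS}}}complexType"), f"{{{XS}}}sequence")
    ET.SubElement(seq, f"{{{XS}}}element", name="flow", type="flowType",
                  minOccurs="0", maxOccurs="unbounded")
    fseq = ET.SubElement(ET.SubElement(schema, f"{{{XS}}}complexType", name="flowType"),
                         f"{{{XS}}}sequence")
    for col, sql_t in COLUMNS:
        ET.SubElement(fseq, f"{{{XS}}}element", name=col, type=xsd_type(sql_t))
    return schema

def schema_text():
    return ET.tostring(build_xsd(), encoding="unicode")

def validate_record(record):
    """Enforce NOT NULL and the unsigned ranges before accepting a record from any source."""
    for col, sql_t in COLUMNS:
        v, t = record.get(col), xsd_type(sql_t)
        if v is None:
            raise ValueError(f"{col}: NOT NULL column is missing")
        if t in UNSIGNED_MAX and not (isinstance(v, int) and 0 <= v <= UNSIGNED_MAX[t]):
            raise ValueError(f"{col}: {v!r} is outside the {t} range")
        if t == "xs:dateTime" and not isinstance(v, datetime):
            raise ValueError(f"{col}: expected a datetime")
    return True

def flow_to_xml(record):
    validate_record(record)
    flow = ET.Element(f"{{{NS}}}flow")
    for col, _ in COLUMNS:
        v = record[col]
        ET.SubElement(flow, f"{{{NS}}}{col}").text = (
            v.isoformat() if isinstance(v, datetime) else str(v))
    return flow

def xml_to_flow(flow):
    """Parse a <flow> element back into a dict. Values are range-checked after
    parsing, so a crafted document cannot pass a negative or oversized number."""
    record = {}
    for col, sql_t in COLUMNS:
        elem = flow.find(f"{{{NS}}}{col}")
        if elem is None or elem.text is None:
            raise ValueError(f"{col}: element missing")
        t = xsd_type(sql_t)
        if t == "xs:dateTime":
            record[col] = datetime.fromisoformat(elem.text)
        elif t in UNSIGNED_MAX:
            record[col] = int(elem.text)
        else:
            record[col] = elem.text
    validate_record(record)
    return record

def flow_roundtrip(record):
    """Serialize to bytes and parse back, as an exporter/importer pair would."""
    return xml_to_flow(ET.fromstring(ET.tostring(flow_to_xml(record))))

# Constructed sample flow (not real traffic): a short HTTP connection
SAMPLE_FLOW = {
    "router_id": "A",
    "src_ipn": int(ipaddress.IPv4Address("10.0.0.5")),
    "dst_ipn": int(ipaddress.IPv4Address("192.0.2.10")),
    "nxt_ipn": int(ipaddress.IPv4Address("10.0.0.1")),
    "ifin": 1, "ifout": 2, "packets": 12, "octets": 1480,
    "starttime": datetime(2001, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
    "endtime": datetime(2001, 1, 1, 12, 0, 5, tzinfo=timezone.utc),
    "srcport": 34567, "dstport": 80, "tcp": 0x18, "prot": 6, "tos": 0,
    "srcas": 65001, "dstas": 65002, "srcmask": 24, "dstmask": 24,
}
```

`schema_text()` prints the generated XSD, and `flow_roundtrip(SAMPLE_FLOW)` returns the same dict it was given. Addresses stay as the integer form the table uses (`*_ipn`); convert with `ipaddress.IPv4Address(n)` only for display, so the XML and the database agree byte for byte.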
No, there is no standard schema. However, we have created one and put it in the open source tcpflow program. When tcpflow runs it can create an XML file that has all of the netflow data. However, it also decodes embedded objects, such as data sent by HTTP, reports each of those, decompresses what was compressed, and even calculates the MD5 of everything. All in one easy-to-use command-line program.