Created
September 16, 2018 17:50
Decoded sFlow data with libwireshark
{ | |
"_index": "packets-2018-09-16", | |
"_type": "pcap_file", | |
"_score": null, | |
"_source": { | |
"layers": { | |
"frame_raw": ["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", 0, 262, 0, 1], | |
"frame": { | |
"frame.encap_type": "1", | |
"frame.number": "1", | |
"frame.len": "262", | |
"frame.cap_len": "262", | |
"frame.marked": "0", | |
"frame.ignored": "0", | |
"frame.protocols": "eth:ethertype:ip:udp:sflow:eth:ethertype:mpls:ip:icmp:data" | |
}, | |
"eth_raw": ["080027f854e2080027a13a3b0800", 0, 14, 0, 1], | |
"eth": { | |
"eth.dst_raw": ["080027f854e2", 0, 6, 0, 29], | |
"eth.dst": "08:00:27:f8:54:e2", | |
"eth.dst_tree": { | |
"eth.dst_resolved_raw": ["080027f854e2", 0, 6, 0, 26], | |
"eth.dst_resolved": "PcsCompu_f8:54:e2", | |
"eth.addr_raw": ["080027f854e2", 0, 6, 0, 29], | |
"eth.addr": "08:00:27:f8:54:e2", | |
"eth.addr_resolved_raw": ["080027f854e2", 0, 6, 0, 26], | |
"eth.addr_resolved": "PcsCompu_f8:54:e2", | |
"eth.lg_raw": ["0", 0, 3, 131072, 2], | |
"eth.lg": "0", | |
"eth.ig_raw": ["0", 0, 3, 65536, 2], | |
"eth.ig": "0" | |
}, | |
"eth.src_raw": ["080027a13a3b", 6, 6, 0, 29], | |
"eth.src": "08:00:27:a1:3a:3b", | |
"eth.src_tree": { | |
"eth.src_resolved_raw": ["080027a13a3b", 6, 6, 0, 26], | |
"eth.src_resolved": "PcsCompu_a1:3a:3b", | |
"eth.addr_raw": ["080027a13a3b", 6, 6, 0, 29], | |
"eth.addr": "08:00:27:a1:3a:3b", | |
"eth.addr_resolved_raw": ["080027a13a3b", 6, 6, 0, 26], | |
"eth.addr_resolved": "PcsCompu_a1:3a:3b", | |
"eth.lg_raw": ["0", 6, 3, 131072, 2], | |
"eth.lg": "0", | |
"eth.ig_raw": ["0", 6, 3, 65536, 2], | |
"eth.ig": "0" | |
}, | |
"eth.type_raw": ["0800", 12, 2, 0, 5], | |
"eth.type": "0x00000800" | |
}, | |
"ip_raw": ["450000f800000000fe116792a9fe0002a9fe0064", 14, 20, 0, 1], | |
"ip": { | |
"ip.version_raw": ["4", 14, 1, 240, 4], | |
"ip.version": "4", | |
"ip.hdr_len_raw": ["45", 14, 1, 0, 4], | |
"ip.hdr_len": "20", | |
"ip.dsfield_raw": ["00", 15, 1, 0, 4], | |
"ip.dsfield": "0x00000000", | |
"ip.dsfield_tree": { | |
"ip.dsfield.dscp_raw": ["0", 15, 1, 252, 4], | |
"ip.dsfield.dscp": "0", | |
"ip.dsfield.ecn_raw": ["0", 15, 1, 3, 4], | |
"ip.dsfield.ecn": "0" | |
}, | |
"ip.len_raw": ["00f8", 16, 2, 0, 5], | |
"ip.len": "248", | |
"ip.id_raw": ["0000", 18, 2, 0, 5], | |
"ip.id": "0x00000000", | |
"ip.flags_raw": ["00", 20, 1, 0, 4], | |
"ip.flags": "0x00000000", | |
"ip.flags_tree": { | |
"ip.flags.rb_raw": ["00", 20, 1, 0, 2], | |
"ip.flags.rb": "0", | |
"ip.flags.df_raw": ["00", 20, 1, 0, 2], | |
"ip.flags.df": "0", | |
"ip.flags.mf_raw": ["00", 20, 1, 0, 2], | |
"ip.flags.mf": "0" | |
}, | |
"ip.frag_offset_raw": ["0000", 20, 2, 0, 5], | |
"ip.frag_offset": "0", | |
"ip.ttl_raw": ["fe", 22, 1, 0, 4], | |
"ip.ttl": "254", | |
"ip.proto_raw": ["11", 23, 1, 0, 4], | |
"ip.proto": "17", | |
"ip.checksum_raw": ["6792", 24, 2, 0, 5], | |
"ip.checksum": "0x00006792", | |
"ip.checksum.status": "2", | |
"ip.src_raw": ["a9fe0002", 26, 4, 0, 32], | |
"ip.src": "169.254.0.2", | |
"ip.addr_raw": ["a9fe0002", 26, 4, 0, 32], | |
"ip.addr": "169.254.0.2", | |
"ip.src_host_raw": ["a9fe0002", 26, 4, 0, 26], | |
"ip.src_host": "169.254.0.2", | |
"ip.host_raw": ["a9fe0002", 26, 4, 0, 26], | |
"ip.host": "169.254.0.2", | |
"ip.dst_raw": ["a9fe0064", 30, 4, 0, 32], | |
"ip.dst": "169.254.0.100", | |
"ip.addr_raw": ["a9fe0064", 30, 4, 0, 32], | |
"ip.addr": "169.254.0.100", | |
"ip.dst_host_raw": ["a9fe0064", 30, 4, 0, 26], | |
"ip.dst_host": "169.254.0.100", | |
"ip.host_raw": ["a9fe0064", 30, 4, 0, 26], | |
"ip.host": "169.254.0.100", | |
"Source GeoIP: Unknown": "", | |
"Destination GeoIP: Unknown": "" | |
}, | |
"udp_raw": ["c88f18c700e4b6e5", 34, 8, 0, 1], | |
"udp": { | |
"udp.srcport_raw": ["c88f", 34, 2, 0, 5], | |
"udp.srcport": "51343", | |
"udp.dstport_raw": ["18c7", 36, 2, 0, 5], | |
"udp.dstport": "6343", | |
"udp.port_raw": ["c88f", 34, 2, 0, 5], | |
"udp.port": "51343", | |
"udp.port_raw": ["18c7", 36, 2, 0, 5], | |
"udp.port": "6343", | |
"udp.length_raw": ["00e4", 38, 2, 0, 5], | |
"udp.length": "228", | |
"udp.checksum_raw": ["b6e5", 40, 2, 0, 5], | |
"udp.checksum": "0x0000b6e5", | |
"udp.checksum.status": "2", | |
"udp.stream": "0" | |
}, | |
"sflow_raw": ["0000000500000001a9fe000200000000000002fe0044de260000000100000001000000b8000004cb0000020000000001000004cc000000000000020000000000000000020000000100000078000000010000006a0000000400000066020586717403020586716403884700010140450000544a9500004001aec0c0a80002c0a800010800b31d400e004d5b1d85c70008389708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536370000000003e90000001000000000000000000000000000000000", 42, 220, 0, 1], | |
"sflow": { | |
"sflow_245.version_raw": ["00000005", 42, 4, 0, 7], | |
"sflow_245.version": "5", | |
"sflow_245.agenttype_raw": ["00000001", 46, 4, 0, 7], | |
"sflow_245.agenttype": "1", | |
"sflow_245.agent_raw": ["a9fe0002", 50, 4, 0, 32], | |
"sflow_245.agent": "169.254.0.2", | |
"sflow_245.sub_agent_id_raw": ["00000000", 54, 4, 0, 7], | |
"sflow_245.sub_agent_id": "0", | |
"sflow_245.sequence_number_raw": ["000002fe", 58, 4, 0, 7], | |
"sflow_245.sequence_number": "766", | |
"sflow_245.sysuptime_raw": ["0044de26", 62, 4, 0, 7], | |
"sflow_245.sysuptime": "4513318", | |
"sflow_245.numsamples_raw": ["00000001", 66, 4, 0, 7], | |
"sflow_245.numsamples": "1", | |
"Flow sample, seq 1227": { | |
"sflow.enterprise_raw": ["0", 70, 4, 4294963200, 7], | |
"sflow.enterprise": "0", | |
"sflow_245.sampletype_raw": ["1", 70, 4, 4095, 7], | |
"sflow_245.sampletype": "1", | |
"sflow_5.sample_length_raw": ["000000b8", 74, 4, 0, 7], | |
"sflow_5.sample_length": "184", | |
"sflow.flow_sample.sequence_number_raw": ["000004cb", 78, 4, 0, 7], | |
"sflow.flow_sample.sequence_number": "1227", | |
"sflow.flow_sample.source_id_class_raw": ["0", 82, 4, 4278190080, 7], | |
"sflow.flow_sample.source_id_class": "0", | |
"sflow.flow_sample.index_raw": ["200", 82, 4, 16777215, 7], | |
"sflow.flow_sample.index": "512", | |
"sflow.flow_sample.sampling_rate_raw": ["00000001", 86, 4, 0, 7], | |
"sflow.flow_sample.sampling_rate": "1", | |
"sflow.flow_sample.sample_pool_raw": ["000004cc", 90, 4, 0, 7], | |
"sflow.flow_sample.sample_pool": "1228", | |
"sflow.flow_sample.dropped_packets_raw": ["00000000", 94, 4, 0, 7], | |
"sflow.flow_sample.dropped_packets": "0", | |
"sflow.flow_sample.input_interface_raw": ["00000200", 98, 4, 0, 7], | |
"sflow.flow_sample.input_interface": "512", | |
"sflow.flow_sample.output_interface_raw": ["0", 102, 4, 2147483647, 7], | |
"sflow.flow_sample.output_interface": "0", | |
"sflow.flow_sample.flow_record_raw": ["00000002", 106, 4, 0, 7], | |
"sflow.flow_sample.flow_record": "2", | |
"Raw packet header": { | |
"sflow.enterprise_raw": ["0", 110, 4, 4294963200, 7], | |
"sflow.enterprise": "0", | |
"sflow_245.flow_record_format_raw": ["00000001", 110, 4, 0, 7], | |
"sflow_245.flow_record_format": "1", | |
"sflow_5.flow_data_length_raw": ["00000078", 114, 4, 0, 7], | |
"sflow_5.flow_data_length": "120", | |
"sflow_245.header_protocol_raw": ["00000001", 118, 4, 0, 7], | |
"sflow_245.header_protocol": "1", | |
"sflow_245.header.frame_length_raw": ["0000006a", 122, 4, 0, 7], | |
"sflow_245.header.frame_length": "106", | |
"sflow_245.header.payload_removed_raw": ["00000004", 126, 4, 0, 7], | |
"sflow_245.header.payload_removed": "4", | |
"sflow_245.header.original_packet_header_length_raw": ["00000066", 130, 4, 0, 7], | |
"sflow_245.header.original_packet_header_length": "102", | |
"sflow_245.header_raw": ["020586717403020586716403884700010140450000544a9500004001aec0c0a80002c0a800010800b31d400e004d5b1d85c70008389708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f30313233343536370000", 134, 104, 0, 30], | |
"sflow_245.header": "02:05:86:71:74:03:02:05:86:71:64:03:88:47:00:01:01:40:45:00:00:54:4a:95:00:00:40:01:ae:c0:c0:a8:00:02:c0:a8:00:01:08:00:b3:1d:40:0e:00:4d:5b:1d:85:c7:00:08:38:97:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:30:31:32:33:34:35:36:37:00:00", | |
"sflow_245.header_tree": { | |
"eth_raw": ["0205867174030205867164038847", 134, 14, 0, 1], | |
"eth": { | |
"eth.dst_raw": ["020586717403", 134, 6, 0, 29], | |
"eth.dst": "02:05:86:71:74:03", | |
"eth.dst_tree": { | |
"eth.dst_resolved_raw": ["020586717403", 134, 6, 0, 26], | |
"eth.dst_resolved": "MS-NLB-PhysServer-05_86:71:74:03", | |
"eth.addr_raw": ["020586717403", 134, 6, 0, 29], | |
"eth.addr": "02:05:86:71:74:03", | |
"eth.addr_resolved_raw": ["020586717403", 134, 6, 0, 26], | |
"eth.addr_resolved": "MS-NLB-PhysServer-05_86:71:74:03", | |
"eth.lg_raw": ["1", 134, 3, 131072, 2], | |
"eth.lg": "1", | |
"eth.ig_raw": ["0", 134, 3, 65536, 2], | |
"eth.ig": "0" | |
}, | |
"eth.src_raw": ["020586716403", 140, 6, 0, 29], | |
"eth.src": "02:05:86:71:64:03", | |
"eth.src_tree": { | |
"eth.src_resolved_raw": ["020586716403", 140, 6, 0, 26], | |
"eth.src_resolved": "MS-NLB-PhysServer-05_86:71:64:03", | |
"eth.addr_raw": ["020586716403", 140, 6, 0, 29], | |
"eth.addr": "02:05:86:71:64:03", | |
"eth.addr_resolved_raw": ["020586716403", 140, 6, 0, 26], | |
"eth.addr_resolved": "MS-NLB-PhysServer-05_86:71:64:03", | |
"eth.lg_raw": ["1", 140, 3, 131072, 2], | |
"eth.lg": "1", | |
"eth.ig_raw": ["0", 140, 3, 65536, 2], | |
"eth.ig": "0" | |
}, | |
"eth.type_raw": ["8847", 146, 2, 0, 5], | |
"eth.type": "0x00008847", | |
"eth.trailer_raw": ["0000", 236, 2, 0, 30], | |
"eth.trailer": "00:00" | |
}, | |
"mpls_raw": ["00010140", 148, 4, 0, 1], | |
"mpls": { | |
"mpls.label_raw": ["10", 148, 4, 4294963200, 7], | |
"mpls.label": "16", | |
"mpls.exp_raw": ["0", 148, 4, 3584, 7], | |
"mpls.exp": "0", | |
"mpls.bottom_raw": ["1", 148, 4, 256, 7], | |
"mpls.bottom": "1", | |
"mpls.ttl_raw": ["40", 148, 4, 255, 7], | |
"mpls.ttl": "64" | |
}, | |
"ip_raw": ["450000544a9500004001aec0c0a80002c0a80001", 152, 20, 0, 1], | |
"ip": { | |
"ip.version_raw": ["4", 152, 1, 240, 4], | |
"ip.version": "4", | |
"ip.hdr_len_raw": ["45", 152, 1, 0, 4], | |
"ip.hdr_len": "20", | |
"ip.dsfield_raw": ["00", 153, 1, 0, 4], | |
"ip.dsfield": "0x00000000", | |
"ip.dsfield_tree": { | |
"ip.dsfield.dscp_raw": ["0", 153, 1, 252, 4], | |
"ip.dsfield.dscp": "0", | |
"ip.dsfield.ecn_raw": ["0", 153, 1, 3, 4], | |
"ip.dsfield.ecn": "0" | |
}, | |
"ip.len_raw": ["0054", 154, 2, 0, 5], | |
"ip.len": "84", | |
"ip.id_raw": ["4a95", 156, 2, 0, 5], | |
"ip.id": "0x00004a95", | |
"ip.flags_raw": ["00", 158, 1, 0, 4], | |
"ip.flags": "0x00000000", | |
"ip.flags_tree": { | |
"ip.flags.rb_raw": ["00", 158, 1, 0, 2], | |
"ip.flags.rb": "0", | |
"ip.flags.df_raw": ["00", 158, 1, 0, 2], | |
"ip.flags.df": "0", | |
"ip.flags.mf_raw": ["00", 158, 1, 0, 2], | |
"ip.flags.mf": "0" | |
}, | |
"ip.frag_offset_raw": ["0000", 158, 2, 0, 5], | |
"ip.frag_offset": "0", | |
"ip.ttl_raw": ["40", 160, 1, 0, 4], | |
"ip.ttl": "64", | |
"ip.proto_raw": ["01", 161, 1, 0, 4], | |
"ip.proto": "1", | |
"ip.checksum_raw": ["aec0", 162, 2, 0, 5], | |
"ip.checksum": "0x0000aec0", | |
"ip.checksum.status": "2", | |
"ip.src_raw": ["c0a80002", 164, 4, 0, 32], | |
"ip.src": "192.168.0.2", | |
"ip.addr_raw": ["c0a80002", 164, 4, 0, 32], | |
"ip.addr": "192.168.0.2", | |
"ip.src_host_raw": ["c0a80002", 164, 4, 0, 26], | |
"ip.src_host": "192.168.0.2", | |
"ip.host_raw": ["c0a80002", 164, 4, 0, 26], | |
"ip.host": "192.168.0.2", | |
"ip.dst_raw": ["c0a80001", 168, 4, 0, 32], | |
"ip.dst": "192.168.0.1", | |
"ip.addr_raw": ["c0a80001", 168, 4, 0, 32], | |
"ip.addr": "192.168.0.1", | |
"ip.dst_host_raw": ["c0a80001", 168, 4, 0, 26], | |
"ip.dst_host": "192.168.0.1", | |
"ip.host_raw": ["c0a80001", 168, 4, 0, 26], | |
"ip.host": "192.168.0.1", | |
"Source GeoIP: Unknown": "", | |
"Destination GeoIP: Unknown": "" | |
}, | |
"icmp_raw": ["0800b31d400e004d5b1d85c70008389708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637", 172, 64, 0, 1], | |
"icmp": { | |
"icmp.type_raw": ["08", 172, 1, 0, 4], | |
"icmp.type": "8", | |
"icmp.code_raw": ["00", 173, 1, 0, 4], | |
"icmp.code": "0", | |
"icmp.checksum_raw": ["b31d", 174, 2, 0, 5], | |
"icmp.checksum": "0x0000b31d", | |
"icmp.checksum.status": "2", | |
"icmp.ident_raw": ["400e", 176, 2, 0, 5], | |
"icmp.ident": "16398", | |
"icmp.ident_raw": ["400e", 176, 2, 0, 5], | |
"icmp.ident": "3648", | |
"icmp.seq_raw": ["004d", 178, 2, 0, 5], | |
"icmp.seq": "77", | |
"icmp.seq_le_raw": ["004d", 178, 2, 0, 5], | |
"icmp.seq_le": "19712", | |
"data_raw": ["5b1d85c70008389708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637", 180, 56, 0, 1], | |
"data": { | |
"data.data_raw": ["5b1d85c70008389708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637", 180, 56, 0, 30], | |
"data.data": "5b:1d:85:c7:00:08:38:97:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19:1a:1b:1c:1d:1e:1f:20:21:22:23:24:25:26:27:28:29:2a:2b:2c:2d:2e:2f:30:31:32:33:34:35:36:37", | |
"data.len": "56" | |
} | |
} | |
} | |
}, | |
"Extended switch data": { | |
"sflow.enterprise_raw": ["0", 238, 4, 4294963200, 7], | |
"sflow.enterprise": "0", | |
"sflow_245.flow_record_format_raw": ["000003e9", 238, 4, 0, 7], | |
"sflow_245.flow_record_format": "1001", | |
"sflow_5.flow_data_length_raw": ["00000010", 242, 4, 0, 7], | |
"sflow_5.flow_data_length": "16", | |
"sflow_245.vlan.in_raw": ["00000000", 246, 4, 0, 7], | |
"sflow_245.vlan.in": "0", | |
"sflow_245.pri.in_raw": ["00000000", 250, 4, 0, 7], | |
"sflow_245.pri.in": "0", | |
"sflow_245.vlan.out_raw": ["00000000", 254, 4, 0, 7], | |
"sflow_245.vlan.out": "0", | |
"sflow_245.pri.out_raw": ["00000000", 258, 4, 0, 7], | |
"sflow_245.pri.out": "0" | |
} | |
} | |
} | |
} | |
} | |
} | |