Solved: Stealthwatch export from sensor?

Scott.ODonnell@gmail.com · ‎07-18-2017

All ,

I'm looking to see if it's possible to leverage flow information collected by a stealthwatch sensor in another application.

Based on my research , the stealthwatch sensor will provide flow information including application layer information like URL, etc.

I'm trying to avoid having to place yet another span collector into the environment.

Is it possible to glean this information from Stealthwatch?

If so, what format would it be in?

-Scott

jamegill · ‎07-18-2017

The Stealthwatch Flow Sensor exports data in IPFIX format (see RFCs 7011, 7012). Any system that can consume IPFIX (or NetFlow or any of the compatible formats) should be able to consume it. Some of the datapoints encoded in the Flow Sensor's data are recorded in "enterprise fields". Those fields which are publicly labeled will use IANA standard IP Flow Information Export (IPFIX) Entities.

View solution in original post

brford · ‎07-18-2017

Scott,

The current version (6.9) of Stealthwatch Flow Sensor exports data in IPFIX format.

I hope this helps.

Brian

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

Scott.ODonnell@gmail.com · ‎07-18-2017

Thanks for the reply Brian.

Is there a sample export or documentation that details the included information?

-Scott

jamegill · ‎07-18-2017

The Stealthwatch Flow Sensor exports data in IPFIX format (see RFCs 7011, 7012). Any system that can consume IPFIX (or NetFlow or any of the compatible formats) should be able to consume it. Some of the datapoints encoded in the Flow Sensor's data are recorded in "enterprise fields". Those fields which are publicly labeled will use IANA standard IP Flow Information Export (IPFIX) Entities.