I had an odd hankering to view AWS VPC Flow Logs for my local server while looking into an issue with TCPDump.
The closest I could get to the AWS VPC Flow Logs format was:
sudo tcpdump -n -tt 'tcp or udp or icmp or icmp6' -l 2>/dev/null | awk '
BEGIN {
protocols["TCP"] = 6;
protocols["UDP"] = 17;
protocols["ICMP"] = 1;
protocols["ICMPV6"] = 58;
}
{
version=2;
account_id="local";
interface_id="enp4s0";
proto=toupper($2);
gsub(/\[|\]|:|,/, "", proto);
if (proto == "IP6") {
if ($3 ~ /ICMPv6/) proto = "ICMPV6";
else if ($3 ~ /UDP/) proto = "UDP";
else proto = "TCP";
}
else if (proto == "IP") {
if ($3 ~ /ICMP/) proto = "ICMP";
else if ($3 ~ /UDP/) proto = "UDP";
else proto = "TCP";
}
protocol=protocols[proto];
if ($0 ~ /ICMP/) {
split($3, parts, ">")
srcip=parts[1]
gsub(/:/, "", srcip)
dstip=$5
gsub(/:/, "", dstip)
srcport="-"
dstport="-"
protocol=1
}
else {
# Remove colons from ports
gsub(/:/, "", $6);
if ($3 ~ /::/ || $3 ~ /^[0-9a-fA-F]*:/) {
split($3, src, "\\.");
srcip=src[1];
srcport=src[2];
if (!srcport) srcport=$4;
split($5, dst, "\\.");
dstip=dst[1];
dstport=dst[2];
if (!dstport) dstport=$6;
}
else {
split($3, src, ".");
srcip=src[1] "." src[2] "." src[3] "." src[4];
srcport=src[5];
if (!srcport) srcport=$4;
split($5, dst, ".");
dstip=dst[1] "." dst[2] "." dst[3] "." dst[4];
dstport=dst[5];
if (!dstport) dstport=$6;
if (dstport == "") dstport="-";
}
}
gsub(/[.:]/, "", srcport);
gsub(/[.:]/, "", dstport);
action="ACCEPT";
packets=1;
bytes=$NF;
timestamp=strftime("%s");
printf "%s %s %s %s %s %s %s %s %s - - %d %d %s -\n",
version, account_id, interface_id, srcip, dstip,
srcport, dstport, protocol, action, packets, bytes,
timestamp;
}'
Boom, “VPC Flow Logs” for your local server.
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 382 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 1428 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 2856 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 1222 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 333 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 146 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 1428 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 108 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 24 1736511323 -
3 local enp4s0 10.2.0.1 172.217.25.174 40720 443 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 172.217.25.174 10.2.0.1 443 40720 6 ACCEPT - - 1 0 1736511323 -
3 local enp4s0 192.168.20.27 255.255.255.255 49154 6667 6 ACCEPT - - 1 188 1736511323 -
3 local enp4s0 192.168.20.44 255.255.255.255 49154 6667 6 ACCEPT - - 1 188 1736511323 -