cesnet / ipfixprobe Goto Github PK

View Code? Open in Web Editor NEW

36.0 14.0 18.0 3.12 MB

License: BSD 3-Clause "New" or "Revised" License

Makefile 0.86% C++ 91.92% C 1.73% Shell 1.04% M4 4.45%

ipfix flow nemea liberouter flow-exporter

ipfixprobe's Introduction

ipfixprobe - IPFIX flow exporter

Description

This application creates biflows from packet input and exports them to output interface.

Requirements

libatomic
kernel version at least 3.19 when using raw sockets input plugin enabled by default (disable with --without-raw parameter for ./configure)
libpcap when compiling with pcap plugin (--with-pcap parameter)
netcope-common COMBO cards when compiling with ndp plugin (--with-ndp parameter)
libunwind-devel when compiling with stack unwind on crash feature (--with-unwind parameter)
nemea when compiling with unirec output plugin (--with-nemea parameter)
cloned submodule with googletest framework to enabled optional tests (--with-gtest parameter)

To compile DPDK interfaces, make sure you have DPDK libraries (and development files) installed and set the PKG_CONFIG_PATH environment variable if necessary. You can obtain the latest DPDK at http://core.dpdk.org/download/ Use --with-dpdk parameter of the configure script to enable it.

Build & Installation

Source codes

This project uses a standard process of:

git clone --recurse-submodules https://github.com/CESNET/ipfixprobe
cd ipfixprobe
autoreconf -i
./configure
make
sudo make install

Check ./configure --help for more details and settings.

RPM packages

RPM package can be created in the following versions using --with parameter of rpmbuild:

--with pcap enables RPM with pcap input plugin
--with ndp enables RPM with netcope-common, i.e., ndp input plugin
--with nemea enables RPM with unirec output plugin
--without raw disables RPM with default raw socket input plugin
--with unwind enables RPM with stack unwinding feature

These parameters affect required dependencies of the RPM and build process.

The default configuration of the RPM can be created using simply: make rpm

Alternative versions (described in the following section) can be created by:

NEMEA version of RPM: make rpm-nemea
NDP version of RPM: make rpm-ndp

We use COPR infrastructure to build and serve RPM packages for EPEL7 and EPEL8. It is not possible to pass arguments to rpmbuild, so there is an option in configure to enforce NEMEA dependency:

./configure --enable-coprrpm && make srpm

The output source RPM can be uploaded to copr.

To install ipfixprobe with NEMEA dependency from binary RPM packages, it is possible to follow instructions on: https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/

Windows 10 CygWin

Install CygWin and the following packages:

git
pkg-config
make
automake
autoconf
libtool
binutils
gcc-core
gcc-g++
libunwind-devel

Download npcap SDK https://nmap.org/npcap/dist/npcap-sdk-1.07.zip and copy content of the Include folder to /usr/include folder in your cygwin root installation folder (C:\cygwin64\usr\include for example). Then copy files of the Lib folder to /lib folder (or Lib/x64/ based on your architecture).

Download npcap library https://nmap.org/npcap/dist/npcap-1.31.exe and install.

Add the following line to the ~/.bashrc file

export PATH="/cygdrive/c/Windows/system32/Npcap:$PATH"

Build project using commands in previous sections. Tested on cygwin version 2.908

Input / Output of the flow exporter

Input and output interfaces are dependent on the configuration (by configure). The default setting uses raw sockets input plugin and the output is in IPFIX format only.

When the project is configured with ./configure --with-nemea, the flow exporter supports NEMEA output via TRAP IFC besides the default IPFIX output. For more information about NEMEA, visit https://nemea.liberouter.org.

The flow exporter supports compilation with libpcap (./configure --with-pcap), which allows for receiving packets from PCAP file or network interface card.

When the project is configured with ./configure --with-ndp, it is prepared for high-speed packet transfer from special HW acceleration FPGA cards. For more information about the cards, visit COMBO cards or contact us.

Output

There are several currently available output plugins, such as:

ipfix standard IPFIX RFC 5101
unirec data source for the NEMEA system, the output is in the UniRec format sent via a configurable interface using https://nemea.liberouter.org/trap-ifcspec/
text output in human readable text format on standard output file descriptor (stdout)

The output flow records are composed of information provided by the enabled plugins (using -p parameter, see Flow Data Extension - Processing Plugins).

See ipfixprobe -h output for more information and complete list of output plugins and their parameters.

Parameters

Module specific parameters

-i ARGS Activate input plugin (-h input for help)
-s ARGS Activate storage plugin (-h storage for help)
-o ARGS Activate output plugin (-h output for help)
-p ARGS Activate processing plugin (-h process for help)
-q SIZE Size of queue between input and storage plugins
-b SIZE Size of input queue packet block
-Q SIZE Size of queue between storage and output plugins
-B SIZE Size of packet buffer
-f NUM Export max flows per second
-c SIZE Quit after number of packets are processed on each interface
-P FILE Create pid file
-d Run as a standalone process
-h [PLUGIN] Print help text. Supported help for input, storage, output and process plugins
-V Show version and exit

Help

Printing general help is done using the -h parameter. To print help for specific plugins, -h with parameter is used. This parameter accepts input, storage, process, output or name of a plugin (or path to a .so file with plugin).

Example

Here are the examples of various plugins usage:

# Capture from wlp2s0 interface using raw sockets, print flows to console
./ipfixprobe -i 'raw;ifc=wlp2s0' -o 'text'

# Capture from wlp2s0 interface and scale packet processing using 2 instances of plugins, send flow to ifpfix collector using UDP
./ipfixprobe -i 'raw;ifc=wlp2s0;f' -i 'raw;ifc=wlp2s0;f' -o 'ipfix;u;host=collector.example.com;port=4739'

# Capture from a COMBO card using ndp plugin, sends ipfix data to 127.0.0.1:4739 using TCP by default
./ipfixprobe -i 'ndp;dev=/dev/nfb0:0' -i 'ndp;dev=/dev/nfb0:1' -i 'ndp;dev=/dev/nfb0:2'

# Capture from eth0 interface using pcap plugin, split biflows into flows and prints them to console without mac addresses
./ipfixprobe -i 'pcap;ifc=eth0' -s 'cache;split' -o 'text;m'

# Read packets from pcap file, enable 4 processing plugins, sends L7 HTTP extended biflows to unirec interface named `http` and data from 3 other plugins to the `stats` interface
./ipfixprobe -i 'pcap;file=pcaps/http.pcap' -p http -p pstats -p idpcontent -p phists -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'

# Read packets using DPDK input interface and 1 DPDK queue, enable plugins for basic statistics, http and tls, output to IPFIX on a local machine
# DPDK EAL parameters are passed in `e, eal` parameters
# DPDK plugin configuration has to be specified in the first input interface.
# The following `dpdk` interfaces are given without parameters; their configuration is inherited from the first one.
# Example for the queue of 3 DPDK input plugins (q=3):
`./ipfixprobe -i "dpdk;p=0;q=3;e=-c 0x1 -a  <[domain:]bus:devid.func>" -i dpdk -i dpdk -p http "-p" bstats -p tls -o "ipfix;h=127.0.0.1"`

# Same example for the multiport read from ports 0 and 1, note comma separated ports:
`./ipfixprobe -i "dpdk;p=0,1;q=3;e=-c 0x1 -a  <[domain:]bus:devid.func>" -i dpdk -i dpdk -p http "-p" bstats -p tls -o "ipfix;h=127.0.0.1"`


# Read packets using DPDK input interface as secondary process with shared memory (DPDK rings) - in this case, 4 DPDK rings are used
`./ipfixprobe -i 'dpdk-ring;r=rx_ipfixprobe_0;e= --proc-type=secondary' -i 'dpdk-ring;r=rx_ipfixprobe_1' -i 'dpdk-ring;r=rx_ipfixprobe_2' -i 'dpdk-ring;r=rx_ipfixprobe_3' -o 'text'`

Flow Data Extension - Processing Plugins

ipfixprobe can be extended by new plugins for exporting various new information from flow. There are already some existing plugins that export e.g. DNS, HTTP, SIP, NTP, PassiveDNS.

To enable a plugin, add -p option with argument (it can be used multiple times). Each plugin provides a set of information described in section Output data.

See ipfixprobe -h process for more information and complete list of processing plugins and their parameters.

Adding new plugin

To create new plugin use process/create_plugin.sh script. This interactive script will generate .cpp and .h file template and will also print TODO guide what needs to be done.

Possible issues

Flows are not send to output interface when reading small pcap file (NEMEA output)

Turn off message buffering using buffer=off option and set timeout=WAIT on output interfaces.

./ipfixprobe -i 'pcap;file=traffic.pcap' -o 'unirec;i=u:out:timeout=WAIT:buffer=off'

Output data

The following sections describe set of information fields provided by the processing plugins. The columns Output field and Type represent the name and type of UniRec elements (NEMEA output); however, the equivalent fields are exported in other output plugins as well --- e.g., in IPFIX format.

Note: to lookup IPFIX enterprise id and element id have a look into header file with the mapping to IPFIX elements.

Basic

Basic unirec fields exported on interface with basic (pseudo) plugin. These fields are also exported on interfaces where HTTP, DNS, SIP and NTP plugins are active.

Output field	Type	Description
DST_MAC	macaddr	destination MAC address
SRC_MAC	macaddr	source MAC address
DST_IP	ipaddr	destination IP address
SRC_IP	ipaddr	source IP address
BYTES	uint64	number of bytes in data flow (src to dst)
BYTES_REV	uint64	number of bytes in data flow (dst to src)
LINK_BIT_FIELD or ODID	uint64 or uint32	exporter identification
TIME_FIRST	time	first time stamp
TIME_LAST	time	last time stamp
PACKETS	uint32	number of packets in data flow (src to dst)
PACKETS_REV	uint32	number of packets in data flow (dst to src)
DST_PORT	uint16	transport layer destination port
SRC_PORT	uint16	transport layer source port
DIR_BIT_FIELD	uint8	bit field for determining outgoing/incoming traffic
PROTOCOL	uint8	transport protocol
TCP_FLAGS	uint8	TCP protocol flags (src to dst)
TCP_FLAGS_REV	uint8	TCP protocol flags (dst to src)

Basic plus

List of unirec fields exported together with basic flow fields on interface by basicplus plugin. Fields without _REV suffix are fields from source flow. Fields with _REV are from the opposite direction.

Output field	Type	Description
IP_TTL	uint8	IP TTL field
IP_TTL_REV	uint8	IP TTL field
IP_FLG	uint8	IP FLAGS
IP_FLG_REV	uint8	IP FLAGS
TCP_WIN	uint16	TCP window size
TCP_WIN_REV	uint16	TCP window size
TCP_OPT	uint64	TCP options bitfield
TCP_OPT_REV	uint64	TCP options bitfield
TCP_MSS	uint32	TCP maximum segment size
TCP_MSS_REV	uint32	TCP maximum segment size
TCP_SYN_SIZE	uint16	TCP SYN packet size

NetTiSA

List of unirec fields exported together with NetTiSA flow fields on interface by nettisa plugin.

Output field	Type	Description
NTS_MEAN	float	The mean of the payload lengths of packets
NTS_MIN	uint16	Minimal value from all packet payload lengths
NTS_MAX	uint16	Maximum value from all packet payload lengths
NTS_STDEV	float	Represents a switching ratio between different values of the sequence of observation.
NTS_KURTOSIS	float	The standard deviation is measure of the variation of data from the mean.
NTS_ROOT_MEAN_SQUARE	float	The measure of the magnitude of payload lengths of packets.
NTS_AVERAGE_DISPERSION	float	The average absolute difference between each payload length of packet and the mean value.
NTS_MEAN_SCALED_TIME	float	The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution.
NTS_MEAN_DIFFTIMES	float	The scaled times is defined as sequence ${st} = { t_1 - t_1, t_2 - t_1, \dots, t_n - t_1 }$. We compute the mean of the value with same method as for feature \textit{Mean}.
NTS_MIN_DIFFTIMES	float	The time differences is defined as sequence $ {dt} = { t_j - t_i \| j = i + 1, i \in {1, 2, \dots, n - 1}}$. We compute the mean of the value with same method as for feature \textit{Mean}.
NTS_MAX_DIFFTIMES	float	Minimal value from all time differences, i.e., min space between packets.
NTS_TIME_DISTRIBUTION	float	Maximum value from all time differences, i.e., max space between packets.
NTS_SWITCHING_RATIO	float	Describes the distribution of time differences between individual packets.

HTTP

List of unirec fields exported together with basic flow fields on interface by HTTP plugin.

Output field	Type	Description
HTTP_REQUEST_METHOD	string	HTTP request method
HTTP_REQUEST_HOST	string	HTTP request host
HTTP_REQUEST_URL	string	HTTP request url
HTTP_REQUEST_AGENT	string	HTTP request user agent
HTTP_REQUEST_REFERER	string	HTTP request referer
HTTP_RESPONSE_STATUS_CODE	uint16	HTTP response code
HTTP_RESPONSE_CONTENT_TYPE	string	HTTP response content type
HTTP_RESPONSE_SERVER	string	HTTP response server
HTTP_RESPONSE_SET_COOKIE_NAMES	string	HTTP response all set-cookie names separated by a delimiter

RTSP

List of unirec fields exported together with basic flow fields on interface by RTSP plugin.

Output field	Type	Description
RTSP_REQUEST_METHOD	string	RTSP request method name
RTSP_REQUEST_AGENT	string	RTSP request user agent
RTSP_REQUEST_URI	string	RTSP request URI
RTSP_RESPONSE_STATUS_CODE	uint16	RTSP response status code
RTSP_RESPONSE_SERVER	string	RTSP response server field
RTSP_RESPONSE_CONTENT_TYPE	string	RTSP response content type

TLS

List of unirec fields exported together with basic flow fields on interface by TLS plugin.

Output field	Type	Description
TLS_SNI	string	TLS server name indication field from client
TLS_ALPN	string	TLS application protocol layer negotiation field from server
TLS_VERSION	uint16	TLS client protocol version
TLS_JA3	string	TLS client JA3 fingerprint
TLS_EXT_TYPE	uint16*	TLS extensions in the TLS Client Hello
TLS_EXT_LEN	uint16*	Length of each TLS extension

DNS

List of unirec fields exported together with basic flow fields on interface by DNS plugin.

Output field	Type	Description
DNS_ID	uint16	transaction ID
DNS_ANSWERS	uint16	number of DNS answer records
DNS_RCODE	uint8	response code field
DNS_NAME	string	question domain name
DNS_QTYPE	uint16	question type field
DNS_CLASS	uint16	class field of DNS question
DNS_RR_TTL	uint32	resource record TTL field
DNS_RLENGTH	uint16	length of DNS_RDATA
DNS_RDATA	bytes	resource record specific data
DNS_PSIZE	uint16	requestor's payload size
DNS_DO	uint8	DNSSEC OK bit

DNS_RDATA format

DNS_RDATA formatting is implemented for some base DNS RR Types in human-readable output. Same as here:

Record	Format
A	<IPv4 in dotted decimal representation>
AAAA	<IPv6 represented as groups separated by semicolons>
NS	<parsed hostname>
CNAME	<parsed hostname>
PTR	<parsed hostname>
DNAME	<parsed hostname>
SOA	<mname> <rname> <serial> <refresh> <retry> <expire> <min ttl>
SRV	<service> <protocol> <name> <target> <priority> <weight> <port>
MX	<priority> <mx hostname>
TXT	<txt string>
MINFO	<rmailbx> <emailbx>
HINFO	<txt string>
ISDN	<txt string>
DS	<keytag> <algorithm> <digest> <publickey>*
RRSIG	<type_covered> <algorithm> <labels> <original_ttl> <signature_exp> <signature_inc> <keytag> <signer_signature>*
DNSKEY	<flags> <protocol> <algorithm> <publickey>*
other	<not impl>*

* binary data are skipped and not printed

PassiveDNS

List of unirec fields exported together with basic flow fields on interface by PassiveDNS plugin.

Output field	Type	Description
DNS_ID	uint16	transaction ID
DNS_ATYPE	uint8	response record type
DNS_NAME	string	question domain name
DNS_RR_TTL	uint32	resource record TTL field
DNS_IP	ipaddr	IP address from PTR, A or AAAA record

SIP

List of unirec fields exported together with basic flow fields on interface by SIP plugin.

Output field	Type	Description
SIP_MSG_TYPE	uint16	SIP message code
SIP_STATUS_CODE	uint16	status of the SIP request
SIP_CSEQ	string	CSeq field of SIP packet
SIP_CALLING_PARTY	string	calling party (from) URI
SIP_CALLED_PARTY	string	called party (to) URI
SIP_CALL_ID	string	call ID
SIP_USER_AGENT	string	user agent field of SIP packet
SIP_REQUEST_URI	string	SIP request URI
SIP_VIA	string	via field of SIP packet

NTP

List of unirec fields exported together with basic flow fields on interface by NTP plugin.

Output field	Type	Description
NTP_LEAP	uint8	NTP leap field
NTP_VERSION	uint8	NTP message version
NTP_MODE	uint8	NTP mode field
NTP_STRATUM	uint8	NTP stratum field
NTP_POLL	uint8	NTP poll interval
NTP_PRECISION	uint8	NTP precision field
NTP_DELAY	uint32	NTP root delay
NTP_DISPERSION	uint32	NTP root dispersion
NTP_REF_ID	string	NTP reference ID
NTP_REF	string	NTP reference timestamp
NTP_ORIG	string	NTP origin timestamp
NTP_RECV	string	NTP receive timestamp
NTP_SENT	string	NTP transmit timestamp

SMTP

List of unirec fields exported on interface by SMTP plugin

Output field	Type	Description
SMTP_2XX_STAT_CODE_COUNT	uint32	number of 2XX status codes
SMTP_3XX_STAT_CODE_COUNT	uint32	number of 3XX status codes
SMTP_4XX_STAT_CODE_COUNT	uint32	number of 4XX status codes
SMTP_5XX_STAT_CODE_COUNT	uint32	number of 5XX status codes
SMTP_COMMAND_FLAGS	uint32	bit array of commands present
SMTP_MAIL_CMD_COUNT	uint32	number of MAIL commands
SMTP_RCPT_CMD_COUNT	uint32	number of RCPT commands
SMTP_STAT_CODE_FLAGS	uint32	bit array of status codes present
SMTP_DOMAIN	string	domain name of the SMTP client
SMTP_FIRST_SENDER	string	first sender in MAIL command
SMTP_FIRST_RECIPIENT	string	first recipient in RCPT command

SMTP_COMMAND_FLAGS

The following table shows bit values of SMTP\_COMMAND\_FLAGS for each SMTP command present in communication.

Command	Value
EHLO	0x0001
HELO	0x0002
MAIL	0x0004
RCPT	0x0008
DATA	0x0010
RSET	0x0020
VRFY	0x0040
EXPN	0x0080
HELP	0x0100
NOOP	0x0200
QUIT	0x0400
UNKNOWN	0x8000

SMTP_STAT_CODE_FLAGS

The following table shows bit values of SMTP\_STAT_CODE\_FLAGS for each present in communication.

Status code	Value
211	0x00000001
214	0x00000002
220	0x00000004
221	0x00000008
250	0x00000010
251	0x00000020
252	0x00000040
354	0x00000080
421	0x00000100
450	0x00000200
451	0x00000400
452	0x00000800
455	0x00001000
500	0x00002000
501	0x00004000
502	0x00008000
503	0x00010000
504	0x00020000
550	0x00040000
551	0x00080000
552	0x00100000
553	0x00200000
554	0x00400000
555	0x00800000
*	0x40000000
UNKNOWN	0x80000000

Bit is set if answer contains SPAM keyword.

PSTATS

List of unirec fields exported on interface by PSTATS plugin. The plugin is compiled to gather statistics for the first PSTATS_MAXELEMCOUNT (30 by default) packets in the biflow record. Note: the following fields are UniRec arrays (or basicList in IPFIX).

Output field	Type	Description
PPI_PKT_LENGTHS	uint16*	sizes of the first packets
PPI_PKT_TIMES	time*	timestamps of the first packets
PPI_PKT_DIRECTIONS	int8*	directions of the first packets
PPI_PKT_FLAGS	uint8*	TCP flags for each packet

Plugin parameters:

includezeros - Include zero-length packets in the lists.
skipdup - Skip retransmitted (duplicated) TCP packets.

Example:

ipfixprobe 'pcap;file=pcaps/http.pcap' -p "pstats;includezeros" -o 'unirec;i=u:stats:timeout=WAIT;p=stats'"

OSQUERY

List of unirec fields exported together with basic flow fields on interface by OSQUERY plugin.

Output field	Type	Description
PROGRAM_NAME	string	The name of the program that handles the connection
USERNAME	string	The name of the user who starts the process
OS_NAME	string	Distribution or product name
OS_MAJOR	uint16	Major release version
OS_MINOR	uint16	Minor release version
OS_BUILD	string	Optional build-specific or variant string
OS_PLATFORM	string	OS Platform or ID
OS_PLATFORM_LIKE	string	Closely related platforms
OS_ARCH	string	OS Architecture
KERNEL_VERSION	string	Kernel version
SYSTEM_HOSTNAME	string	Network hostname including domain

SSDP

List of unirec fields exported together with basic flow fields on interface by SSDP plugin.

Output field	Type	Description
SSDP_LOCATION_PORT	uint16	service port
SSDP_NT	string	list of advertised service urns
SSDP_SERVER	string	server info
SSDP_ST	string	list of queried service urns
SSDP_USER_AGENT	string	list of user agents

All lists are semicolon separated.

DNS-SD

List of unirec fields exported together with basic flow fields on interface by DNS-SD plugin.

Output field	Type	Description
DNSSD_QUERIES	string	list of queries for services
DNSSD_RESPONSES	string	list of advertised services

Format of DNSSD_QUERIES: [service_instance_name;][...]

Format of DNSSD_RESPONSES: [service_instance_name;service_port;service_target;hinfo;txt;][...]

Plugin parameters:

txt - Activates processing of txt records.
- Allows to pass a filepath to .csv file with whitelist filter of txt records.
- File line format: service.domain,txt_key1,txt_key2,...
- If no filepath is provided, all txt records will be aggregated.

OVPN (OpenVPN)

List of fields exported together with basic flow fields on interface by OVPN plugin.

Output field	Type	Description
OVPN_CONF_LEVEL	uint8	level of confidence that the flow record is an OpenVPN tunnel

IDPContent (Initial Data Packets Content)

List of fields exported together with basic flow fields on the interface by IDPContent plugin. The plugin is compiled to export IDPCONTENT_SIZE (100 by default) bytes from the first data packet in SRC -> DST direction, and the first data packet in DST -> SRC direction.

Output field	Type	Description
IDP_CONTENT	bytes	Content of first data packet from SRC -> DST
IDP_CONTENT_REV	bytes	Content of first data packet from DST -> SRC

NetBIOS

List of fields exported together with basic flow fields on interface by NetBIOS plugin.

Output field	Type	Description
NB_NAME	string	NetBIOS Name Service name
NB_SUFFIX	uint8	NetBIOS Name Service suffix

PHISTS

List of fields exported together with basic flow fields on the interface by PHISTS plugin. The plugin exports the histograms of Payload sizes and Inter-Packet-Times for each direction. The histograms bins are scaled logarithmicaly and are shown in following table:

Bin Number	Size Len	Inter Packet Time
1	0-15 B	0-15 ms
2	16-31 B	16-31 ms
3	32-63 B	32-63 ms
4	64-127 B	64-127 ms
5	128-255 B	128-255 ms
6	256-511 B	256-511 ms
7	512-1023 B	512-1023 ms
8	> 1024 B	> 1024 ms

The exported unirec fields and IPFIX basiclists is shown in following table:

Output field	Type	Description
D_PHISTS_IPT	uint32*	DST->SRC: Histogram of interpacket times
D_PHISTS_SIZES	uint32*	DST->SRC: Histogram of packet sizes
S_PHISTS_IPT	uint32*	SRC->DST: Histogram of interpacket times
S_PHISTS_SIZES	uint32*	SRC->DST: Histogram of packet sizes

Plugin parameters:

includezeros - Include zero-length packets in the lists.

Example:

ipfixprobe 'pcap;file=pcaps/http.pcap' -p "phists;includezeros" -o 'unirec;i=u:hists:timeout=WAIT;p=phists'"

BSTATS

List of fields exported together with basic flow fields on the interface by BSTATS plugin. The plugin is compiled to export the first BSTATS_MAXELENCOUNT (15 by default) burst in each direction. The bursts are computed separately for each direction. Burst is defined by MINIMAL_PACKETS_IN_BURST (3 by default) and by MAXIMAL_INTERPKT_TIME (1000 ms by default) between packets to be included in a burst. When the flow contains less then MINIMAL_PACKETS_IN_BURST packets, the fields are not exported to reduce output bandwidth.

Output field	Type	Description
SBI_BRST_PACKETS	uint32*	SRC->DST: Number of packets transmitted in i^th burst
SBI_BRST_BYTES	uint32*	SRC->DST: Number of bytes transmitted in i^th burst
SBI_BRST_TIME_START	time*	SRC->DST: Start time of the i^th burst
SBI_BRST_TIME_STOP	time*	SRC->DST: End time of the i^th burst
DBI_BRST_PACKETS	uint32*	DST->SRC: Number of packets transmitted in i^th burst
DBI_BRST_BYTES	uint32*	DST->SRC: Number of bytes transmitted in i^th burst
DBI_BRST_TIME_START	time*	DST->SRC: Start time of the i^th burst
DBI_BRST_TIME_STOP	time*	DST->SRC: End time of the i^th burst

WG (WireGuard)

List of fields exported together with basic flow fields on interface by WG plugin.

Output field	Type	Description
WG_CONF_LEVEL	uint8	level of confidence that the flow record is a WireGuard tunnel
WG_SRC_PEER	uint32	ephemeral SRC peer identifier
WG_DST_PEER	uint32	ephemeral DST peer identifier

QUIC

List of fields exported together with basic flow fields on interface by quic plugin. -with-quic-ch-full-tls-ext enables extraction of all TLS extensions in the Client Hello.

Output field	Type	Description
QUIC_SNI	string	Decrypted server name
QUIC_USER_AGENT	string	Decrypted user agent
QUIC_VERSION	uint32	QUIC version from first server long header packets
QUIC_CLIENT_VERSION	uint32	QUIC version from first client long header packet
QUIC_TOKEN_LENGTH	uint64	Token length from Initial and Retry packets
QUIC_OCCID	bytes	Source Connection ID from first client packet
QUIC_OSCID	bytes	Destination Connection ID from first client packet
QUIC_SCID	bytes	Source Connection ID from first server packet
QUIC_RETRY_SCID	bytes	Source Connection ID from Retry packet
QUIC_MULTIPLEXED	uint8	> 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs)
QUIC_ZERO_RTT	uint8	Number of 0-RTT packets in flow.
QUIC_SERVER_PORT	uint16	TODO Server Port determined by packet type and TLS message
QUIC_PACKETS	uint8*	QUIC long header packet type (v1 encoded), version negotiation, QUIC bit
QUIC_CH_PARSED	uint8	>0 if TLS Client Hello parsed without errors
QUIC_TLS_EXT_TYPE	uint16*	TLS extensions in the TLS Client Hello
QUIC_TLS_EXT_LEN	uint16*	Length of each TLS extension
QUIC_TLS_EXT	string	Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension

ICMP

List of fields exported together with basic flow fields on interface by icmp plugin.

Output field	Type	Description
L4_ICMP_TYPE_CODE	uint16	ICMP type (MSB) and code (LSB)

SSADetector

List of fields exported together with basic flow fields on interface by ssadetector plugin. The detector search for the SYN SYN-ACK ACK pattern in packet lengths. Multiple occurrences of this pattern suggest a tunneled connection.

Output field	Type	Description
SSA_CONF_LEVEL	uint8	1 if SSA sequence detected, 0 otherwise

VLAN

List of fields exported together with basic flow fields on the interface by VLAN plugin.

Output field	Type	Description
VLAN_ID	uint16	Vlan ID (used in flow key)

Flow Hash

List of fields exported together with basic flow fields on interface by flow_hash plugin.

Output field	Type	Description
FLOW_ID	uint64	Hash of the flow - unique flow id

MPLS

List of fields exported together with basic flow fields on interface by mpls plugin.

Output field	Type	Description
MPLS_TOP_LABEL_STACK_SECTION	bytes	MPLS label section (without TTL), always 3 bytes

Simplified function diagram

Diagram below shows how ipfixprobe works.

Packet is read from pcap file or network interface
Packet is processed by PcapReader and is about to put to flow cache
Flow cache create or update flow and call pre_create, post_create, pre_update, post_update and pre_export functions for each active plugin at appropriate time
Flow is put into exporter when considered as expired, flow cache is full or is forced to by a plugin
Exporter fills unirec record, which is then send it to output libtrap interface

       +--------------------------------+
       | pcap file or network interface |
       +-----+--------------------------+
             |
          1. |
             |                                  +-----+
    +--------v---------+                              |
    |                  |             +-----------+    |
    |    PcapReader    |      +------>  Plugin1  |    |
    |                  |      |      +-----------+    |
    +--------+---------+      |                       |
             |                |      +-----------+    |
          2. |                +------>  Plugin2  |    |
             |                |      +-----------+    |
    +--------v---------+      |                       |
    |                  |  3.  |      +-----------+    +----+ active plugins
    |   NHTFlowCache   +------------->  Plugin3  |    |
    |                  |      |      +-----------+    |
    +--------+---------+      |                       |
             |                |            .          |
          4. |                |            .          |
             |                |            .          |
    +--------v---------+      |                       |
    |                  |      |      +-----------+    |
    |  UnirecExporter  |      +------>  PluginN  |    |
    |                  |             +-----------+    |
    +--------+---------+                              |
             |                                  +-----+
          5. |
             |
       +-----v--------------------------+
       |    libtrap output interface    |
       +--------------------------------+

ipfixprobe's People

Contributors

Stargazers

Watchers

Forkers

paulosv domeniqo david-maison-trustinsoft mzovico ackstorm23 xdanos jan-kala jaroslavpesek honzov bonnyad9 dakevid rrader koumajos hyperreap siskapavel netd-tud zadamsa hulakmat

ipfixprobe's Issues

Deb package does not have libatomic1 as dependency

Deb package can be installed without libatomic1 library, which is in fact always needed.

Moreover, the dependencies of the deb package should probably change depending in the build options.

IPFIXProbe does not work on RPi4

Hello,
I've been trying to compile IPFIXProbe project on the RPi4 and RPi CM4 but it seems to be not supported as it's returning the "Bus error". According to several sources, including https://forums.raspberrypi.com/viewtopic.php?f=33&t=102400, it seems to have the issue with hard-floating ABI but when I try to set the CFLAGS to "-mcpu=cortex-a72 -mfloat-abi=soft -mfpu=crypto-neon-fp-armv8" it breaks the compilation entirely. Is this project going to support ARM/RPi4?

Thanks a lot for your answer,
Michal

MTU cannot be set in DPDK input plugin

MTU is always set to RTE_ETHER_MAX_LEN = 1518. There should be a command line parameter to change this value.

https://github.com/CESNET/ipfixprobe/blob/master/input/dpdk/dpdkDevice.cpp#L140C45-L140C62

Multiple flows with same 5-tuples and times

I get multiple flows with the same 5-tuples (IPs, ports, protocol) and same times.

ipfixprobe is running as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=11263' -s 'cache;size=20;active=300;inactive=60;split' -p basicplus -p dns -p http -p tls -p quic -p passivedns -o ipfix;host=target-host;port=target-port;id=216;dir=216;

Observe the following:

The IP addresses for combinations of ports in the screenshot are the same. I'm quite certain that it is impossible to export that much traffic in a single millisecond.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

QUIC description is not up-to-date

Some fields are missing in the README list of plugins.

Additionally, I'd suggest to split README and describe plugins in a separate file from the global README (which is too long now).

IPFIX output: input interface number is incorrect

I use IPFIX output with dir=59. However, the exporter sends 30779 instead.

Looking at it bitwise, the difference is

30779: 0b01111000 00111011
59:    0b00000000 00111011

So it seems that the first byte is not zeroed out properly.

As a side note, why is the input interface field called dir?

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

DPDK input segfault

I'm running the ipfixprobe as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=11263' -s 'cache;size=20;active=300;inactive=60;split' -p basicplus -p dns -p http -p tls -p quic -p passivedns -o 'ipfix;host=target-host;port=4739;id=216;dir=216;'

There are quite a lot of segfaults:

Dec 16 13:45:50 hostname kernel: ipfixprobe[10853]: segfault at 0 ip 00007f07c71aa279 sp 00007ffea2cf58a0 error 4 in librte_eal.so.22.0[7f07c7185000+30000]
Dec 16 13:47:53 hostname kernel: ipfixprobe[10868]: segfault at 0 ip 00007f31d396e279 sp 00007ffff8642790 error 4 in librte_eal.so.22.0[7f31d3949000+30000]
Dec 19 13:45:45 hostname kernel: ipfixprobe[6696]: segfault at f300000002 ip 000056240332bfcc sp 00007f32be5f79b0 error 4 in ipfixprobe[56240330f000+56000]
Dec 19 14:47:33 hostname kernel: ipfixprobe[7357]: segfault at f900000002 ip 000055728698587c sp 00007f0eb98259b0 error 4 in ipfixprobe[557286960000+53000]
Dec 19 15:47:57 hostname kernel: ipfixprobe[8298]: segfault at 0 ip 000055a4e9a1287c sp 00007fb6cc24f9b0 error 4 in ipfixprobe[55a4e99ed000+53000]
Dec 19 15:51:16 hostname kernel: ipfixprobe[8367]: segfault at 0 ip 000055d40f68a87c sp 00007f152205d9b0 error 4 in ipfixprobe[55d40f665000+53000]
Dec 19 16:04:16 hostname kernel: ipfixprobe[8456]: segfault at 0 ip 00007f6a4e83a279 sp 00007ffc3aad4b20 error 4 in librte_eal.so.22.0[7f6a4e815000+30000]
Dec 19 21:05:33 hostname kernel: ipfixprobe[9904]: segfault at 0 ip 000055d719e2c4ec sp 00007f2897e3d9c0 error 4 in ipfixprobe[55d719e10000+52000]
Dec 19 21:24:52 hostname kernel: ipfixprobe[9983]: segfault at f800000002 ip 0000561085d574ec sp 00007f85266529c0 error 4 in ipfixprobe[561085d3b000+52000]
Dec 19 22:24:11 hostname kernel: ipfixprobe[10017]: segfault at f400000002 ip 0000557276e594ec sp 00007ff00fe699c0 error 4 in ipfixprobe[557276e3d000+52000]
Dec 20 00:19:32 hostname kernel: ipfixprobe[10079]: segfault at 0 ip 00005559c69c84ec sp 00007fb8562fd9c0 error 4 in ipfixprobe[5559c69ac000+52000]
Dec 20 01:14:10 hostname kernel: ipfixprobe[10306]: segfault at f400000002 ip 000055a1321244ec sp 00007f0ea50de9c0 error 4 in ipfixprobe[55a132108000+52000]

The monitored link utilization is 100k-200k pkt/s.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

Flows exported very late

I've exported almost an hour of traffic, quite low number of packets to keep it manageable (15453 packets in 2862 flows).

ipfixprobe was running as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=11263' -s 'cache;size=20;active=300;inactive=60;split' -p basicplus -p dns -p http -p tls -p quic -p passivedns -o ipfix;host=target-host;port=target-port;id=216;dir=216;

I've looked at how late the flows are exported. For active timeout, it is fine, the difference between flow end and export time is less than two seconds.

However, for inactive timeout, I get anything from 73 seconds (which is fine, minimum is 60) to 2375 seconds, which is totally unacceptable. My guess is that the flow cache maintenance algorithm just does not find these flows in time.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

DPDK input plugin takes first eal parameter as application name

I'm running ipfixprobe with DPDK input as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=-c 0x01 -a 0000:3b:00.1'

In journalctl, I see

Dec 20 09:48:55 hostname -c[11346]: EAL: VFIO support initialized                                                      
Dec 20 09:48:55 hostname -c[11346]: EAL: Probe PCI driver: mlx5_pci (15b3:1017) device: 0000:3b:00.1 (socket 0)        
Dec 20 09:48:56 hostname -c[11346]: TELEMETRY: No legacy callbacks, legacy socket not created

So the first parameter -c is used as an application name. I've also confirmed, that it is being ignored, i.e. has no effect.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

Plugins

Could you please tell me where I can download some plugins, e.g. http, dns etc. I would also highly appreciate instructions how to import plugins into ipfixprobe.

Thank you very much.

Cannot set CPU affinity in DPDK input

I have two NICs and I need to run two ipfixprobe processes to monitor the traffic. When I start as follows

ipfixprobe  --input 'dpdk;port=0;eal=ipfixprobe-eal -c 0x1 -a 0000:d8:00.0;q=1'

ipfixprobe  --input 'dpdk;port=0;eal=ipfixprobe-eal -c 0x2 -a 0000:3b:00.0 --file-prefix aaa;q=1'

both processes end up on first CPU, which is a great problem while actively polling for traffic - each process shows only 50% CPU usage, the packet reading often stalls in one or the other.

Possible solution

I've come up with the following workaround:

Comment out the call to set_thread_affinity function: https://github.com/CESNET/ipfixprobe/blob/master/input/dpdk.cpp#L330

Run with eal set as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(0,2,4,6,8,10,12,14,16,18,20,22) -a 0000:3b:00.0'
/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=aaa'

The list of cores is set to the appropriate CPU by checking /sys/class/net/$ifc/device/local_cpulist.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

ipfixprobe segfaults when there are more output plugin groups than output files

I have accidentally triggered a segfault while trying to convert a PCAP file to UniRec format.
This was the command:

$ ipfixprobe -i 'pcap;file=./test1/2023-08-24-out_wan.pcap' -p pstats -p phists -o "unirec;i=f:test1.trapcap:w;p=pstats,phists"
ERROR: trap_ctx_vset_data_fmt: Uninitialized libtrap context or bad parameters.
Segmentation fault (core dumped)

There are two output plugin groups - pstats, phists - but only one output file - test1.trapcap.

NDP input: Incorrect timestamps with new NDK firmwares

Hello,

the current NDP input module only supports timestamps in Hanic firmware format, which is no longer being developed.

Unfortunately, new firmwares for FPGA cards based on the NDK platform (especially NDK-APP-NIC for the metering infrastructure) use a different metadata format, which causes the current software to use invalid timestamps for individual packets and thus flows. The format is also newly flexible and the card can use a different format (from the defined set) even for each individual packet depending on the configuration and firmware application.

The input module should read the DeviceTree on startup. Find and process the "cesnet,ofm,ndp-header-rx" components in it, which contain the "header_id" and name/size/position of the individual metadata items. Then, when reading packets from the NIC, it should use the NDP function to find out for each individual packet what specific header it received and extract the timestamp accordingly.

For backward compatibility reasons, the old fixed format should be used when older firmware (i.e. Hanic) is detected.

Lukas

Flow end time before flow start time

I see quite a lot of flows with end time before the start time.

ipfixprobe is running as follows

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=11263' -s 'cache;size=20;active=300;inactive=60;split' -p basicplus -p dns -p http -p tls -p quic -p passivedns -o ipfix;host=target-host;port=target-port;id=216;dir=216;

What i get is:

It is all part of the same connection (the IP addresses are the same for all shown flows).

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

Make error if '--with-nemea' is used

Hi all,

It seems while adding the " --with-nemea" build option, this error is thrown across version v4, v4.4, v4.5 and v4.6:
Is something missing or is anyone else seeing this issue?
`
user@user-virtual-machine:~/ipfixprobe-4.6.0$ ./configure --with-pcap --with-nemea
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to print strings... printf
checking whether make supports the include directive... yes (GNU style)
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking for a sed that does not truncate output... /usr/bin/sed
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1572864
checking how to convert x86_64-pc-linux-gnu file names to x86_64-pc-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-pc-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @file support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /usr/bin/dd
checking how to truncate binary pipes... /usr/bin/dd bs=4096 count=1
checking for mt... mt
checking if mt is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for g++... g++
checking whether the compiler supports GNU C++... yes
checking whether g++ accepts -g... yes
checking for g++ option to enable C++11 features... none needed
checking dependency style of g++... gcc3
checking how to run the C++ preprocessor... g++ -E
checking for ld used by g++... /usr/bin/ld -m elf_x86_64
checking if the linker (/usr/bin/ld -m elf_x86_64) is GNU ld... yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking for g++ option to produce PIC... -fPIC -DPIC
checking if g++ PIC flag -fPIC -DPIC works... yes
checking if g++ static flag -static works... yes
checking if g++ supports -c -o file.o... yes
checking if g++ supports -c -o file.o... (cached) yes
checking whether the g++ linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking dynamic linker characteristics... (cached) GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking how to run the C preprocessor... gcc -E
checking for rpmbuild... no
checking for debuild... no
checking for arpa/inet.h... yes
checking for inttypes.h... (cached) yes
checking for netdb.h... yes
checking for netinet/in.h... yes
checking for stddef.h... yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for sys/socket.h... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for _Bool... yes
checking for stdbool.h that conforms to C99... yes
checking for inline... inline
checking for int32_t... yes
checking for int8_t... yes
checking for size_t... yes
checking for ssize_t... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint64_t... yes
checking for uint8_t... yes
checking whether byte ordering is bigendian... no
checking for __atomic_store in -latomic... yes
checking for EVP_PKEY_CTX_new_id in -lcrypto... yes
checking for linux/if_packet.h... yes
checking for net/ethernet.h... yes
checking for net/if.h... yes
checking for ifaddrs.h... yes
checking for struct tpacket3_hdr... yes
checking for pcap.h... yes
checking for pcap_open_live in -lpcap... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libtrap... yes
checking for trap2man.sh... /usr/bin/nemea/trap2man.sh
checking for ur_processor.sh... /usr/bin/nemea/ur_processor.sh
checking for unirec... no
checking for unirec in parent directory... checking for unirec/unirec.h... yes
checking for unirec/inline.h... yes
checking for unirec/ipaddr_cpp.h... no
no
checking for unirec/ipaddr.h... yes
checking for unirec/links.h... yes
checking for unirec/ur_time.h... yes
checking for unirec/ur_values.h... yes
checking for ur_create_template in -lunirec... yes
checking for error_at_line... yes
checking for working strtod... yes
checking for gettimeofday... yes
checking for inet_ntoa... yes
checking for memset... yes
checking for socket... yes
checking for strchr... yes
checking for strerror... yes
checking for strncasecmp... yes
checking for strstr... yes
checking for strtol... yes
checking for strtoul... yes
checking for strtoull... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating ipfixprobe.spec
config.status: creating ipfixprobe.bash
config.status: creating input/nfbCInterface/Makefile
config.status: creating init/Makefile
config.status: creating tests/Makefile
config.status: creating tests/functional/Makefile
config.status: creating tests/unit/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands

ipfixprobe 4.6.0

Configuration Options Summary:

ASM.(32 bit only)......:
Static binary..........:

Documentation............:

UniRec processor.........: /usr/bin/nemea/ur_processor.sh
trap2man.sh..............: /usr/bin/nemea/trap2man.sh
Compilation..............: make (or gmake)
CPPFLAGS...............: -I/usr/local/include -DNDEBUG=1
CFLAGS.................: -Wall -g -O3
CXXFLAGS...............: -Wall -g -O3
LDFLAGS................:
LIBS...................: -L/usr/local/lib -lssl -lcrypto -lrt -ltrap -lpcap -lcrypto
Enforced NEMEA (for copr): no
FlexProbe Data Interface.: no
DPDK Interface...........: no

Installation.............: make install (as root if needed, with 'su' or 'sudo')
prefix.................: /usr/local

user@user-virtual-machine:~/ipfixprobe-4.6.0$ make
/usr/bin/nemea/ur_processor.sh -i ./ -o ./
make all-recursive
make[1]: Entering directory '/home/user/ipfixprobe-4.6.0'
Making all in .
make[2]: Entering directory '/home/user/ipfixprobe-4.6.0'
CXX input/ipfixprobe-benchmark.o
CXX input/ipfixprobe-parser.o
CXX input/ipfixprobe-raw.o
CXX input/ipfixprobe-pcap.o
CXX storage/ipfixprobe-cache.o
CC storage/ipfixprobe-xxhash.o
CXX output/ipfixprobe-ipfix.o
CXX output/ipfixprobe-text.o
CXX output/ipfixprobe-ipfix-basiclist.o
CXX output/ipfixprobe-unirec.o
CC ipfixprobe-fields.o
CXX process/ipfixprobe-http.o
In file included from ./fields.h:5,
from process/http.hpp:55,
from process/http.cpp:54:
process/http.hpp: In member function ‘virtual void ipxp::RecordExtHTTP::fill_unirec(ur_template_t*, void*)’:
process/http.hpp:119:36: error: ‘F_HTTP_REQUEST_METHOD’ was not declared in this scope
119 | ur_set_string(tmplt, record, F_HTTP_REQUEST_METHOD, method);
| ^~~~~~~~~~~~~~~~~~~~~
process/http.hpp:120:36: error: ‘F_HTTP_REQUEST_HOST’ was not declared in this scope
120 | ur_set_string(tmplt, record, F_HTTP_REQUEST_HOST, host);
| ^~~~~~~~~~~~~~~~~~~
process/http.hpp:121:36: error: ‘F_HTTP_REQUEST_URL’ was not declared in this scope; did you mean ‘SIP_REQUEST_URI’?
121 | ur_set_string(tmplt, record, F_HTTP_REQUEST_URL, uri);
| ^~~~~~~~~~~~~~~~~~
process/http.hpp:122:36: error: ‘F_HTTP_REQUEST_AGENT’ was not declared in this scope
122 | ur_set_string(tmplt, record, F_HTTP_REQUEST_AGENT, user_agent);
| ^~~~~~~~~~~~~~~~~~~~
process/http.hpp:123:36: error: ‘F_HTTP_REQUEST_REFERER’ was not declared in this scope
123 | ur_set_string(tmplt, record, F_HTTP_REQUEST_REFERER, referer);
| ^~~~~~~~~~~~~~~~~~~~~~
process/http.hpp:124:36: error: ‘F_HTTP_RESPONSE_CONTENT_TYPE’ was not declared in this scope
124 | ur_set_string(tmplt, record, F_HTTP_RESPONSE_CONTENT_TYPE, content_type);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
process/http.hpp:125:29: error: ‘F_HTTP_RESPONSE_STATUS_CODE_T’ was not declared in this scope
125 | ur_set(tmplt, record, F_HTTP_RESPONSE_STATUS_CODE, code);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
process/http.hpp:125:7: error: expected primary-expression before ‘)’ token
125 | ur_set(tmplt, record, F_HTTP_RESPONSE_STATUS_CODE, code);
| ^~~~~~
process/http.hpp:125:29: error: ‘F_HTTP_RESPONSE_STATUS_CODE’ was not declared in this scope
125 | ur_set(tmplt, record, F_HTTP_RESPONSE_STATUS_CODE, code);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
make[2]: *** [Makefile:1980: process/ipfixprobe-http.o] Error 1
make[2]: Leaving directory '/home/user/ipfixprobe-4.6.0'
make[1]: *** [Makefile:2573: all-recursive] Error 1
make[1]: Leaving directory '/home/user/ipfixprobe-4.6.0'
make: *** [Makefile:927: all] Error 2
`

Discrepancy between parsed and output packets

There is a difference between number of parsed packets and number of output packets. I'd expect these numbers to differ at most by the number of dropped packets, but it is not the case. What is the reason of this difference?

ipfixprobed[11664]: Input stats:                                                            
ipfixprobed[11664]:   #   packets    parsed           bytes   dropped     qtime status      
ipfixprobed[11664]:   0     15879     15879         1484197         0  40003445     ok      
ipfixprobed[11664]: Output stats:                                                           
ipfixprobed[11664]:   #   biflows   packets           bytes   dropped status                
ipfixprobed[11664]:   0      2862     15453         1267570         0     ok

Cannot run two processes with DPDK without --file-prefix setting for eal

One cannot run two processes as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(0,2,4,6,8,10,12,14,16,18,20,22) -a 0000:3b:00.0'
/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0'

The second process gives this output:

EAL: Detected CPU lcores: 24
EAL: Detected NUMA nodes: 2
EAL: Detected shared linkage of DPDK
EAL: Cannot create lock on '/var/run/dpdk/rte/config'. Is another primary process running?
EAL: FATAL: Cannot init config
EAL: Cannot init config
EAL: Error - exiting with code: 1
  Cause: Cannot initialize RTE_EAL: Success

This problem should be noted in the documentation.

Possible solution

I've enhanced my local ipfixprobed script to include --file-prefix=$$ when setting up DPDK parameters. If there are no other uses for the --file-prefix, maybe the process itself could do it so that the user does not need to concern with this issue? Of course, it needs to be documented in any case.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

Active timeout is not honored

I expect active timeout to always be less then that set limit. It is not the case.

ipfixprobe is running as follows:

/usr/bin/ipfixprobe -i 'dpdk;p=0;q=1;e=ipfixprobe-eal --lcores (0-7)@(1,3,5,7,9,11,13,15,17,19,21,23) -a 0000:d8:00.0 --file-prefix=11263' -s 'cache;size=20;active=300;inactive=60;split' -p basicplus -p dns -p http -p tls -p quic -p passivedns -o ipfix;host=target-host;port=target-port;id=216;dir=216;

I expect all flows to be at most 300 seconds long. However, I get a lot of flows of duration between 300 and 360 seconds (but not more, expect for those mentioned in #122) . Therefore, I guess that when a packet is encountered after active timeout, it is incorrectly added to the flow before the flow is exported. I suggest that the flow is exported first and the new packets becomes the first packet of the new flow.

Setup

OS: Ubuntu 22.04 LTS
Compilation as deb package using make deb with modified dh_auto_configure in debian/rules

Full configure params:

 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-d
ependency-tracking --with-pcap --with-quic --with-msects --with-dpdk --enable-debug

README.md bug and question regarding sending unirec data as IPFIX over UDP

Hello,
I've been trying to send the unirec data to the UDP netflow output and I tried to investigate the code but unfortunately I cannot find the way. Please let me explain the scenario I would like to do:

I'm having a mirrored traffic on ens192
I would like to use use multiple plugins from the ipfixprobe project to get the unirec data, let's say http, idpcontent and smtp plugin at once to be able to extract data from the mirrored traffic
those unirec data should be then send using the ipfix format to IP address of 172.16.10.10

How could I do that? I have tried the following syntax but it does not work:
ipfixprobe -i 'raw;ifc=ens192' -p http -p idpcontent -p smtp -o 'unirec;i=b:,u:http:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
I don't know how to define the output how to send unirec data using ipfix. Could you please help me?

Also, I am seeing a probable bug in the README.md. There's line:

# Capture from a COMBO card using ndp plugin, sends ipfix data to 127.0.0.1:4739 using TCP by default
./ipfixprobe -i 'ndp;dev=/dev/nfb0:0' -i 'ndp;dev=/dev/nfb0:1' -i 'ndp;dev=/dev/nfb0:2'

However there is no definition to send IPFIX data to 127.0.0.1:4739 over the TCP connection so I guess the comment is misleading. Could you please clarify whether am I reading/understanding it wrong?

Thanks a lot,
Michal

cesnet / ipfixprobe Goto Github PK

ipfixprobe's Introduction

ipfixprobe - IPFIX flow exporter

Description

Requirements

Build & Installation

Source codes

RPM packages

Windows 10 CygWin

Input / Output of the flow exporter

Output

Parameters

Module specific parameters

Help

Example

Flow Data Extension - Processing Plugins

Adding new plugin

Possible issues

Flows are not send to output interface when reading small pcap file (NEMEA output)

Output data

Basic

Basic plus

NetTiSA

HTTP

RTSP

TLS

DNS

DNS_RDATA format

PassiveDNS

SIP

NTP

SMTP

SMTP_COMMAND_FLAGS

SMTP_STAT_CODE_FLAGS

PSTATS

Plugin parameters:

Example:

OSQUERY

SSDP

DNS-SD

Plugin parameters:

OVPN (OpenVPN)

IDPContent (Initial Data Packets Content)

NetBIOS

PHISTS

Plugin parameters:

Example:

BSTATS

WG (WireGuard)

QUIC

ICMP

SSADetector

VLAN

Flow Hash

MPLS

Simplified function diagram

ipfixprobe's People

Contributors

Stargazers

Watchers

Forkers

ipfixprobe's Issues

Setup

Setup

Setup

Setup

Setup

Possible solution

Setup

Setup

ipfixprobe 4.6.0

Possible solution

Setup

Setup

Recommend Projects

Recommend Topics

Recommend Org