flow_meter: incompatible http template about nemea-modules HOT 2 CLOSED

Isn't it easier and more "UNIX" to just use IPFIXcol[v2] for the conversion? Otherwise the inconsistencies will appear inevitably.

from nemea-modules.

Well... if flow_meter was primarily an IPFIX exporter, it would be better...

I feel that current status (and usage of flow_meter) is to run it as a standalone source of UniRec data for experiments and development of NEMEA modules.
It is probably the most frequent use-case for it.
In such case, we need to operate directly with UniRec templates in the flow_meter which are currently hard-coded.

@jaroslavh wishes to do his bachelor thesis about flow_meter and its deployment on OpenWrt. We should brainstorm for a while. (In fact, we have already started.)
What we need from flow_meter and what we can change before the thesis submission deadline?

My opinion, flow_meter could be reworked so the internal representation and the main format would be in IPFIX and then we can use translation into UniRec very similarly to IPFIXcol2 UniRec plugin...
Or naturally, we could use IPFIXcol2 to do the translation.

Disadvantage of IPFIXcol2 is quite clear for the "manual" experiments: instead of just starting flow_meter with UniRec output that can be "subscribed" by any NEMEA module, we would start the collector, which must be configured - this solution is not so easy-to-use.

This issue comes from the work of @sustefil, who is working on new blacklistfilters, because he tested the code with the output of flow_meter and he discovered incompatible templates during the deployment to our CESNET collector.

The point is that if anyone (from us) adds a new plugin into flow_meter we should try to make it compatible with existing modules (i.e., with the currently used templates on the collector) no matter if the collector is configurable (its configuration probably won't be changed in the future because of the already running modules).

from nemea-modules.