{{ :background.png }} {{:horizontal_white.svg?450}}

**High-performance flow exporter with DPDK support.**

----

# What is Ipfixprobe?

**Ipfixprobe** is a **high-performance network probe** (flow exporter). It processes packet data from various **input sources** (such as a [[https://en.wikipedia.org/wiki/Network_interface_controller|network interface controller (NIC)]] or capture file) and generates **bidirectional flow** records. These records are then exported to an external system, such as a **file**, **flow collector**, or **visualization tool**.

Additionally, ipfixprobe supports a **plugin architecture**, with a rich selection of **input, output, and processing plugins**, allowing you to customize the probe for your specific needs.

ℹ️ **[[en:get_started|Get started]] with ipfixprobe monitoring on your network.**

## Main Features

### High Performance

  * Ipfixprobe can support traffic up to **400 Gbps**.

### Versatility

  * Ipfixprobe can be installed on anything from **cutting-edge backbone infrastructure** to a small **SOHO OpenWrt router**.

### Plugin Support

  * Ipfixprobe supports a large number of plugins to tailor to your specific needs, including **TLS, QUIC, HTTP, DNS**, and many more.

### DPDK Support

  * Optimized for **high-speed packet processing** using **DPDK**.

----

# Frequently asked questions

A **flow** is a sequence of packets (**communication from A <-> B**) that share common characteristics (**source, destination, protocol, etc.**) and are treated as a single communication session. A flow contains basic information about the communication, like the **MAC address, IP address, transferred bits, errors**, and more (depending on which **process** plugins you use).

**Types of Flows**

  * **Bidirectional** – (default) Communication from **A → B** and **B → A** is treated as a **single flow**.
  * **Unidirectional** – Communication from **A → B** and **B → A** is treated as **two distinct flows**, allowing you to analyze input and output communication separately.

ℹ️ **Use ''%%-s 'cache;split'%%'' to change flow to unidirectional**.

  * Detect **suspicious or anomalous behaviour**.
  * Read side-channel patterns.
  * Identify **malware activity**.
  * Recognize **internet protocols** in traffic.
  * Detect cryptocurrency mining.
  * Analyze network **performance and characteristics**.
  * ...and many more

There are many plugins to choose from. For input, we recommend using the **PCAP** plugin for network monitoring with speeds up to **1 Gbps**. For networks faster than that, use the **DPDK** plugin (up to 400 Gbps). (The RAW input plugin works out of the box and is good for testing and very small networks.) As for output, use the **IPFIX** plugin to export data in a standardized format to any collector, or use the **Unirec** plugin to export data directly into NEMEA modules. (The TEXT plugin is good for testing the probe.)

**Yes, you can**, but not directly with ipfixprobe. You can use the TEXT output plugin and export data to a text file, but this is not very effective. We recommend using our in-house collector, [[https://github.com/CESNET/ipfixcol2|Ipfixcol2]], which can export data into **JSON**, **IPFIX**, or **FSD** (efficient long-term storage) file formats.

**Yes, you can.** Ipfixprobe is an **open-source project built to be highly modular**. See the [[..:developer|developer]] section for detailed instructions on how to create your own plugin, or contact us for help with getting your plugin up and running.

**Yes**, Ipfixprobe can export data in **standardized IPFIX format**. As long as your collector supports receiving data in this format, you should be able to use it.