# Basic Information
Ipfixprobe supports various plugins, allowing you to **customize the probe** for your specific use case.
To use any plugin other than the default ones, you **must install Ipfixprobe from source**. Refer to our [[en:get_started|installation guide]] for more details.
## To enable a plugin:
- Install the necessary dependencies.
- Run ''cmake'' in the build folder with the plugin's -D option set to ON (e.g., for PCAP: ''cmake -DENABLE_INPUT_PCAP=ON ..'').
- Compile and install Ipfixprobe.
➡️ For plugin-specific details, refer to the sections below.
## List of Plugins
^ INPUT ^ STORAGE ^ PROCESS (default) ^ OUTPUT ^
| RAW_SOCKET (default) | CACHE (default) | HTTP | TXT (default) |
| BENCHMARK (default) | | NETTISA | IPFIX (default) |
| DPDK | | DNS | UniRec (NEMEA) |
| DPDK RING | | PSTATS | |
| PCAP | | --others-- | |
| NDP (FPGA) | | | |
*(default) - plugins installed by default
⚠️ Be careful about the difference between **; (semicolon)** and **, (comma)** when writing ipfixprobe's parameters:
***semicolon ;** separates individual (plugin) parameters
***comma ,** separates multiple values given to the same (plugin) parameter
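As an added illustration (example code written for this page, not part of ipfixprobe, whose real parser is C++ and may differ in corner cases), the following Python parser applies exactly that rule to the plugin specifications used throughout this page: ''%%;%%'' splits the plugin name from its parameters, ''%%,%%'' splits multiple values of one parameter, and a parenthesised group such as the ''p=http,(pstats,phists,idpcontent)'' value of the unirec output plugin is kept together. It also rejects the common mistake of writing a comma where the semicolon after the plugin name belongs. The names ''parse_plugin_spec'', ''split_top_level'' and ''format_plugin_spec'' are this example's own.

```python
def split_top_level(text, sep=","):
    """Split `text` on `sep`, but not inside (...) groups.

    'http,(pstats,phists,idpcontent)' -> ['http', '(pstats,phists,idpcontent)']
    """
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_plugin_spec(spec):
    """Parse 'name;key=val,val;flag' into (name, options).

    options maps each key to a list of values, or to True for a bare flag
    such as the 'f' (fanout) switch of the raw plugin or 'split' of cache.
    """
    name, *params = [p.strip() for p in spec.split(";")]
    if not name or "," in name or "=" in name:
        # Typical symptom of 'raw,ifc=IFC' (comma instead of semicolon):
        # the whole string is taken as the plugin name.
        raise ValueError(f"bad plugin name {name!r}: the name comes first, followed by ';'")
    options = {}
    for param in params:
        if not param:           # tolerate a trailing ';' as in 'raw;ifc=IFC;'
            continue
        key, has_value, value = param.partition("=")
        key = key.strip()
        options[key] = split_top_level(value.strip()) if has_value else True
    return name, options


def format_plugin_spec(name, options):
    """Inverse of parse_plugin_spec: rebuild the ';'/',' string."""
    parts = [name]
    for key, value in options.items():
        parts.append(key if value is True else f"{key}={','.join(value)}")
    return ";".join(parts)


if __name__ == "__main__":
    for spec in ("raw;ifc=eth0;f", "cache;split", "dpdk;p=0,1;q=3;e=-c 0x1 -a 0000:00:00.0"):
        print(spec, "->", parse_plugin_spec(spec))
```

Feeding the two multi-instance examples on this page through ''parse_plugin_spec'' shows why the distinction matters: ''p=0,1'' yields one ''p'' parameter with two ports, whereas ''p=0;1'' would yield a port list of one element plus an unknown bare flag named ''1''.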
## Plugin Details
**This documentation is written primarily for RHEL distributions.**\\
If you're having trouble installing dependencies, the package names **might differ** between distributions (e.g., libpcap-devel -> libpcap-dev). You can also check the [[https://copr.fedorainfracloud.org/groups/g/CESNET/coprs/|CESNET COPR]] repository (add the necessary copr repositories, or build the dependencies from source).
You may also need to **enable certain repositories**, for example:
* for RHEL - ''%%sudo yum-config-manager --add-repo https://yum.oracle.com/repo/OracleLinux/OL9/codeready/builder/x86_64/%%''
### INPUT
Input plugins define the source of **incoming packets**.
⚠️ You can choose **only one type of input plugin** (although several instances of that plugin, reading from more than one source, are possible).
##### Command line
Use **-i** to specify the input plugin.
##### Systemd service
To specify **input** in the configuration file, use ''%%input_plugin:%%'' followed by the **plugin name** (e.g., raw:, pcap_file:, pcap_live:, ndp:, dpdk_ring:, dpdk:) on a new line. After that, you can specify **parameters** for the plugin.
##### Example of configuration file
input_plugin:
raw:
interface: eth0
ℹ️ **Run ''ip link show'' to see possible IFC values. (for example ''eth0'')**
#### Plugins description
#### RAW_SOCKET
Input plugin for reading packets from a **raw interface**.
*Works by capturing packets directly from the **NIC** via a raw socket, bypassing the TCP stack.
*A simple but not very efficient way to **quickly check** small networks.
*Does **NOT** require any **additional libraries**.
*Good for **sniffing specific packets**, not for general network monitoring.
### Installation
This plugin is **installed by default**. Recommended for small networks with a simple monitoring setup.
### Command line
#### Parameters
***i** or **ifc** : Defines network interface name.
***b** or **blocks** : Defines number of packet blocks.
***f** or **fanout** : Enables packet fanout.
***p** or **pkts** : Defines number of packets in block.
***l** or **list** : Print list of available interfaces.
#### Example usage
Read packets from the interface specified by the **IFC value**.
ipfixprobe -i 'raw;ifc=IFC;' -s 'cache'
Capture from the IFC interface and scale packet processing **using 2 instances** of the raw plugin; send flows to an IPFIX collector using UDP.
ipfixprobe -i 'raw;ifc=IFC;f' -i 'raw;ifc=IFC;f' -o 'ipfix;u;host=collector.example.com;port=4739'
### Systemd parameters
input_plugin:
raw:
interface: (name) # Network interface name to capture traffic from [required]
blocks_count: (number) # Number of blocks in the circular buffer (must be a power of 2)
packets_in_block: (number) # Number of packets per block (must be a power of 2)
#### PCAP
[[https://www.solarwinds.com/resources/it-glossary/pcap|Pcap (Packet Capture)]] provides an API for capturing network traffic. Ipfixprobe can use `libpcap` to quickly capture packets from a NIC or read them from a binary `.pcap` file.
***Recommended option** for monitoring **small** to **medium** networks (up to 1 Gbps).
*Exporting into a `.pcap` file is **NOT** supported.
*If you encounter performance problems (e.g., many dropped packets), try **limiting the number of process plugins** or move to a faster input plugin (DPDK).
### Installation
#### Binary Package
sudo dnf install ipfixprobe-input-pcap
#### Build from source
dnf install libpcap libpcap-devel
cd build
cmake -DENABLE_INPUT_PCAP=ON ..
cd ..
make -j2
sudo make install
### Command line
#### Parameters
***f** or **file** : Defines path to pcap file.
***i** or **ifc** : Defines interface name.
***F** or **filter** : Defines filter string.
***s** or **snaplen** : Defines snapshot length in bytes (live capture only).
***l** or **list** : Print list of available interfaces.
#### Example usage
Process the pcap file and output to the terminal.
ipfixprobe -s cache -i "pcap;file=PATH_TO_PCAP_FILE" -o "text;m"
Read packets from the interface specified by the **IFC value**.
ipfixprobe -i 'pcap;i=IFC;' -s 'cache'
Capture from the IFC interface using the pcap plugin, **split biflows into flows** and print them to the console without MAC addresses; **telemetry data is exposed** via the appFs library in the ''/var/run/ipfixprobe'' directory.
ipfixprobe -i 'pcap;ifc=IFC' -s 'cache;split' -o 'text;m' -t /var/run/ipfixprobe
Read packets from a pcap file, **enable 4 processing** plugins, send L7 HTTP extended biflows to the unirec interface named ''http'', and data from 3 other plugins to the ''stats'' interface.
ipfixprobe -i 'pcap;file=pcaps/http.pcap' -p http -p pstats -p idpcontent -p phists -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
### Systemd parameters
input_plugin:
pcap_file:
file: (path) # Path to the PCAP file to read from [required]
bpf_filter: null # Optional BPF filter (e.g., "port 80"), null = no filter
# OR
pcap_live:
interface: (name) # Network interface for live packet capture [required]
bpf_filter: null # Optional BPF filter (null = no filter)
snap_length: (number) # Maximum packet capture length
#### DPDK
[[https://www.dpdk.org/|DPDK (Data Plane Development Kit)]] is an **ultrafast way** to capture packets.
***Very efficient setup** suitable for high-speed networks (up to 400 Gbps).
*Works by **bypassing the kernel layer**, offloading packet processing to user space.
⚠️ Setting up DPDK is **difficult** and should not be used unless necessary. **Try PCAP first** and switch to DPDK later if PCAP is not enough.
ℹ️ This manual is **simplified** to get you up and running with DPDK. For detailed instructions see the official [[https://doc.dpdk.org/guides/linux_gsg/index.html|DPDK manual]].
### Installation
### Binary package
1️⃣ **Install the required DPDK [[https://doc.dpdk.org/guides/linux_gsg/sys_reqs.html#bios-setting-prerequisite-on-x86|tools and libraries]] described here (section 2.2). **
2️⃣ **Install DPDK**.
sudo dnf install dpdk dpdk-devel dpdk-tools
----
### Compiling from source
1️⃣ **Download the latest stable version of DPDK from [[https://core.dpdk.org/download/|here]].**
2️⃣ **Install the required DPDK [[https://doc.dpdk.org/guides/linux_gsg/sys_reqs.html#bios-setting-prerequisite-on-x86|tools and libraries]] described here (section 2.2).**
3️⃣ **Extract sources**.
tar xJf dpdk-.tar.xz
cd dpdk-
4️⃣ **Build libraries, drivers, and test applications.**
meson setup build
cd build
ninja
meson install
ldconfig
ℹ️ See the meson setup options [[https://doc.dpdk.org/guides/linux_gsg/build_dpdk.html|here]].
⚠️ On some Linux distributions, such as Fedora or RedHat, paths in `/usr/local` are not in the default paths for the loader. Therefore, on these distributions, `/usr/local/lib` and `/usr/local/lib64` **should be added** to a file in `/etc/ld.so.conf.d/` before running `ldconfig`.
### Binary Package
sudo dnf install ipfixprobe-dpdk
----
### Build from source
cd build
cmake -DENABLE_INPUT_DPDK=ON ..
cd ..
make -j
sudo make install
----
### Setup
There are a few steps needed to set up DPDK correctly.
ℹ️ DPDK provides a few useful tools (dpdk-hugepages.py, dpdk-devbind.py, ...) for configuration. Depending on your chosen installation, you can find them either on PATH or in the build directory. [[https://doc.dpdk.org/guides/tools/index.html|DPDK tools]]
Check that your **kernel** and **glibc** versions are recent enough.
Kernel version >= `4.19`, see:
uname -r
glibc >= `2.7`, see:
ldd --version
Hugepages allocation is **needed to reduce the TLB miss rate** (which would occur when using standard 4k pages). This can **greatly increase performance**.
See `/sys/kernel/mm/hugepages/` for the **sizes of hugepages** that are available.
See `/sys/devices/system/node/` for the **number of nodes** on your NUMA (Non-uniform memory access) system. (Only one node (node0) means NUMA is not used.)
For a 64-bit system, it is recommended to use **1G hugepages** if available. Some kernel versions may **NOT** allow reserving 1 GB hugepages at **run time**, so reserving them at **boot time** may be the only option.
There are **two** ways you can allocate hugepages.
### At run time
Use this to allocate 1024 hugepages of size 2M at run time.
On NUMA, this command allocates hugepages **equally across nodes**.
echo 1024 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
You can also **reserve hugepages for nodes** (node0, node1, node2, ...)
echo 1024 > /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages
### At boot time
Allocation at boot time helps **prevent fragmentation** of memory when allocating lots of **contiguous memory**.
To reserve hugepages at **boot time**, a parameter is passed to the **Linux kernel** on the kernel command line.
***default_hugepagesz** set default hugepage size for the system (important later)
***hugepagesz** size of hugepages to use
***hugepages** number of hugepages to allocate
default_hugepagesz=1G hugepagesz=1G hugepages=4
If a secondary process is **NOT required**, you can use the DPDK EAL parameter `--in-memory`.
If a secondary process is **required**, you need a **mount point** for hugepages at `/dev/hugepages/`. This mount point uses the system's **DEFAULT** hugepage size.
If you want to use hugepages **other than the DEFAULT** size, create a mount point at `/mnt/huge/`.
mkdir /mnt/huge
mount -t hugetlbfs -o pagesize=1GB nodev /mnt/huge
Or a **permanent mount** point by adding this line to `/etc/fstab`:
nodev /mnt/huge hugetlbfs pagesize=1GB 0 0
1️⃣ **Figure out what NICs are available** (use dpdk-tools).
dpdk-devbind.py --status
➡️ **This should return a table of the available NICs with their drivers.**
2️⃣ **Find the NIC(s) you want to use for DPDK and check whether their driver is a bifurcated driver** (see the DPDK documentation for your NIC's driver).
*If yes, no unbinding is needed; skip the binding step below.
*If not, you need to unbind this NIC from the kernel.
ℹ️ If your NIC supports a **bifurcated driver**, it can be used by the kernel and by the DPDK application at the same time. It is important to **NOT unbind** such a NIC from the kernel, because DPDK expects it to stay bound.
⚠️ If you unbind your NIC from the kernel, it will no longer be visible to your system, and no other application can use it.
3️⃣ **Bind your NIC to a PMD (Poll Mode Driver)**
There are two options to choose from if your NIC does not support a bifurcated driver.
#### VFIO (Virtual Function IO) (Recommended)
This option **SHOULD** be chosen in all cases where it is available. VFIO is a robust and secure driver that relies on IOMMU protection.
3️⃣.1️⃣ **Load `vfio-pci` module.**
sudo modprobe vfio-pci
⚠️ Make sure that both kernel and BIOS support IO virtualization.
3️⃣.2️⃣ **Figure out whether your system supports IOMMU (Input-Output Memory Management Unit)**
In most cases, specifying `iommu=on` as a kernel parameter should be enough to configure the Linux kernel to use IOMMU.
You can use **VFIO with or without IOMMU mode**. If your system does **NOT support** IOMMU, use:
echo 1 > /sys/module/vfio/parameters/enable_unsafe_noiommu_mode
⚠️ No IOMMU mode is inherently unsafe. Be careful with the usage.
3️⃣.3️⃣ **Bind the NIC to `vfio-pci`** (use `dpdk-devbind.py --status` to see NIC IDs)
dpdk-devbind.py --bind=vfio-pci 04:00.1
OR
dpdk-devbind.py --bind=vfio-pci eth1
#### UIO (not recommended)
Memory mappings are limited by the kernel. There are two main limitations.
#### RLIMIT_MEMLOCK
This limit defines how much memory a process can lock (''RLIMIT_MEMLOCK''). You may want to raise it from the default if the DPDK process needs more memory. Check the current value with:
ulimit -l
Raise it with ''ulimit -l'' or in `/etc/security/limits.conf`.
#### dma_entry_limit
This limit defines how many DMA map entries DPDK can create. You might want to change this limit if you are not using hugepages (`--no-huge`).
echo 512000 > /sys/module/vfio_iommu_type1/parameters/dma_entry_limit
----
### Command line
#### Parameters
***b** or **bsize** : Size of the MBUF packet buffer. (Default: 64).
***p** or **port** : DPDK port to be used as an input interface.
***m** or **mem** : Size of the memory pool for received packets. (Default: 16384).
***q** or **queue** : Number of RX queues. (Default: 1).
***e** or **eal** : DPDK [[https://doc.dpdk.org/guides/linux_gsg/linux_eal_parameters.html|parameters]].
***M** or **mtu** : Input interface MTU. (Default: 1518).
#### Example usage
Read packets using the DPDK input interface and 1 DPDK queue, enable plugins for basic statistics, HTTP and TLS, and output IPFIX to the local machine. DPDK EAL parameters are passed in the ''e'' (''eal'') parameter. The DPDK plugin configuration has to be specified in the first input interface; the following **dpdk** interfaces are given without parameters and inherit their configuration from the first one. Example for 3 DPDK input plugins (q=3):
ipfixprobe -i 'dpdk;p=0;q=3;e=-c 0x1 -a <[domain:]bus:devid.func>' -i dpdk -i dpdk -p http -p bstats -p tls -o 'ipfix;h=127.0.0.1'
Same example for the multiport read from ports 0 and 1, note comma-separated ports:
ipfixprobe -i 'dpdk;p=0,1;q=3;e=-c 0x1 -a <[domain:]bus:devid.func>' -i dpdk -i dpdk -p http -p bstats -p tls -o 'ipfix;h=127.0.0.1'
### Systemd parameters
dpdk:
allowed_nics: "0000:00:00.0,0000:00:00.1" # List of allowed NICs (PCI addresses) [required]
burst_size: 64 # Number of packets processed in each burst (cycle)
mempool_size: 8192 # Size of the memory pool (must be a power of 2)
rx_queues: 1 # Number of RX (receive) queues
workers_cpu_list: [0] # List of CPU cores assigned to RX queues (must match rx_queues)
eal_opts: null # EAL options (null = default options)
mtu: null # Maximum Transmission Unit (defaults to RTE_ETHER_MAX_LEN)
#### DPDK RING
### Installation
This plugin is installed together with the DPDK input plugin.
### Command line
#### Parameters
***b** or **bsize** : Size of the MBUF packet buffer. (Default: 64).
***r** or **ring** : Name of the ring to read packets from. Needs to be specified explicitly, so no default is provided.
***e** or **eal** : DPDK eal.
#### Example usage
Read packets using DPDK input interface as a secondary process with shared memory (DPDK rings) - in this case, 4 DPDK rings are used.
ipfixprobe -i 'dpdk-ring;r=rx_ipfixprobe_0;e= --proc-type=secondary' -i 'dpdk-ring;r=rx_ipfixprobe_1' -i 'dpdk-ring;r=rx_ipfixprobe_2' -i 'dpdk-ring;r=rx_ipfixprobe_3' -o 'text'
### Systemd parameters
dpdk_ring:
ring_name: ring0 # Name of the shared DPDK ring buffer [required]
eal_opts: null # EAL options (null = default options)
burst_size: 64 # Number of packets processed in each burst (cycle)
#### NDP (FPGA)
Input plugin for reading packets **directly from an FPGA-based NIC**. Unless you are using **Netcope** (CESNET FPGA cards) hardware, this plugin is NOT the right option.
### Installation
#### Binary package
sudo dnf install epel-release
sudo dnf copr enable @CESNET/nfb-framework
sudo dnf install nfb-framework numactl-devel
sudo dnf install ipfixprobe-input-ndp
#### Build from source
You can also build nfb-framework from source from this [[https://github.com/CESNET/ndk-sw|repo]].
sudo dnf install epel-release
sudo dnf copr enable @CESNET/nfb-framework
sudo dnf install nfb-framework numactl-devel
cd build
cmake -DENABLE_INPUT_NFB=ON ..
cd ..
make -j
sudo make install
### Command line
#### Parameters
***d** or **dev** : Path to a device file.
***I** or **id** : Link identifier number.
#### Example usage
Capture from a COMBO card using the NDP plugin and send IPFIX data to 127.0.0.1:4739 (TCP is used by default).
ipfixprobe -i 'ndp;dev=/dev/nfb0:0' -i 'ndp;dev=/dev/nfb0:1' -i 'ndp;dev=/dev/nfb0:2' -o 'ipfix;h=127.0.0.1;p=4739'
### Systemd parameters
input_plugin:
ndp:
device: PATH # Device for packet capture (e.g., /dev/nfb0) [required]
queues: "0-15" # List of queue IDs (e.g., "0,1,2-3,7") [required]
ℹ️ You can run ''ipfixprobe -h input'' for installed input plugins
----
### STORAGE
Storage plugins define how flows are **internally stored**. The **CACHE plugin** is activated by default.
##### Command line
Use **-s** to specify the storage plugin.
##### Systemd service
To specify storage in the configuration file, use ''storage:''
#### Plugin description
#### CACHE
Currently the **only available** storage plugin.
*A hash table is used to keep flows.
*The hash table is divided into **rows**.
*Each row is managed as LRU (Least Recently Used).
### Installation
This plugin is **installed by default**.
### Command line
#### Parameters
***s** or **size** : Defines the number of flows kept in the cache at once. Cache size is 2^s.
***l** or **line** : Defines the length of a cache line. Line length is 2^l.
***a** or **active** : Defines the active timeout. A flow that has been active for more than **-a** seconds is exported.
***i** or **inactive** : Defines the inactive timeout. A flow that has been inactive for more than **-i** seconds is exported.
***S** or **split** : Boolean flag. Defines whether the bidirectional flow between two nodes is **split into 2 separate** unidirectional flows.
***fe** or **frag-enable** : Enables reassembling fragmented packets into one packet.
***fs** or **frag-size** : Size of the fragmentation cache.
***ft** or **frag-timeout** : Timeout within which fragments are considered to belong to the same packet.
#### Example usage
Store flows using **cache split into two unidirectional** flows.
ipfixprobe -s 'cache;split' -i 'pcap;file=PATH'
### Systemd parameters
storage:
cache:
size_exponent: (number) # Cache size as a power of 2 (e.g., 2^20)
line_size_exponent: (number) # Cache line size as a power of 2 (e.g., 2^4)
timeouts:
active: (number) # Active timeout duration (in seconds)
inactive: (number) # Inactive timeout duration (in seconds)
split_biflow: (bool) # Whether to split biflow into uniflow (true/false)
fragmentation_cache:
enabled: (bool) # Enable fragmentation cache (true/false)
size: (number) # Fragmentation cache size (minimum 1)
timeout: (number) # Timeout for fragments in the cache (in seconds)
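As an added illustration (example code written for this page, not the plugin's C++ implementation), the following Python model shows how the parameters above interact: a table of 2^size flow slots arranged in rows of 2^line slots, LRU replacement inside a row when it overflows, matching of the reverse 5-tuple into the same biflow unless ''split'' is set, and export on the active and inactive timeouts. ''FlowCache'', ''run_demo'' and the packet trace they replay are this example's own constructions; the real plugin's hash function and exact timeout bookkeeping differ.

```python
import zlib
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Flow:
    key: tuple            # (src, dst, sport, dport, proto) of the first packet seen
    first: float
    last: float
    pkts_fwd: int = 0
    bytes_fwd: int = 0
    pkts_rev: int = 0
    bytes_rev: int = 0


class FlowCache:
    """Toy model of the CACHE storage plugin (constructed for this page)."""

    def __init__(self, size=4, line=2, active=300.0, inactive=30.0, split=False):
        self.rows = [OrderedDict() for _ in range(2 ** (size - line))]  # 2^size slots in rows of 2^line
        self.line_len = 2 ** line
        self.active, self.inactive, self.split = active, inactive, split
        self.exported = []    # (Flow, reason) in export order

    @staticmethod
    def key_of(pkt):
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

    @staticmethod
    def reverse(key):
        src, dst, sport, dport, proto = key
        return (dst, src, dport, sport, proto)

    def _row(self, key):
        # Deterministic row selection; the real plugin uses its own flow hash.
        return self.rows[zlib.crc32(repr(key).encode()) % len(self.rows)]

    def _export(self, row, flow, reason):
        del row[flow.key]
        self.exported.append((flow, reason))

    def _expire_inactive(self, now):
        for row in self.rows:
            for flow in [f for f in row.values() if now - f.last > self.inactive]:
                self._export(row, flow, "inactive")

    def add_packet(self, pkt):
        now, key = pkt["ts"], self.key_of(pkt)
        self._expire_inactive(now)
        row, flow, reverse = self._row(key), None, False
        if key in row:
            flow = row[key]
        elif not self.split:                       # biflow: try the opposite direction
            rkey = self.reverse(key)
            rrow = self._row(rkey)
            if rkey in rrow:
                row, flow, reverse = rrow, rrow[rkey], True
        if flow is not None and now - flow.first > self.active:
            self._export(row, flow, "active")      # active timeout: export, start a new flow
            flow, reverse, row = None, False, self._row(key)
        if flow is None:
            if len(row) >= self.line_len:
                _, victim = row.popitem(last=False)  # LRU eviction within the row
                self.exported.append((victim, "evicted"))
            flow = row[key] = Flow(key, first=now, last=now)
        if reverse:
            flow.pkts_rev += 1
            flow.bytes_rev += pkt["len"]
        else:
            flow.pkts_fwd += 1
            flow.bytes_fwd += pkt["len"]
        flow.last = now
        row.move_to_end(flow.key)                  # mark as most recently used
        return flow


def run_demo(split=False):
    """Replay a constructed trace; returns ([(pkts_fwd, pkts_rev, reason)], flows left)."""
    def pkt(ts, src, dst, sport, dport, length):
        return {"ts": ts, "src": src, "dst": dst, "sport": sport,
                "dport": dport, "proto": 6, "len": length}
    trace = [pkt(0, "10.0.0.1", "10.0.0.2", 40000, 443, 100),     # client -> server
             pkt(1, "10.0.0.2", "10.0.0.1", 443, 40000, 60)]      # server -> client
    # silence until t=50 (> inactive timeout), then one packet every 10 s up to t=360
    trace += [pkt(t, "10.0.0.1", "10.0.0.2", 40000, 443, 100) for t in range(50, 361, 10)]
    cache = FlowCache(size=4, line=2, active=300, inactive=30, split=split)
    for p in trace:
        cache.add_packet(p)
    reasons = [(f.pkts_fwd, f.pkts_rev, why) for f, why in cache.exported]
    return reasons, sum(len(r) for r in cache.rows)


if __name__ == "__main__":
    print("biflow:", run_demo())
    print("split :", run_demo(split=True))
```

In the biflow run the reply at t=1 lands in the same record as the request (one export with a reverse packet count of 1); with ''split'' the two directions are separate records that each time out on their own, and in both runs the long-lived flow is cut by the active timeout at t=360 and restarted.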
ℹ️ You can run ''ipfixprobe -h storage'' to see installed storage plugins.
----
### PROCESS
Process plugins specify what data is exported.
By default, the **Basic** plugin is activated, giving you core information about the network traffic (MAC addresses, IP addresses, transmitted bytes and packets, ...; for the complete field list see below).\\
⚠️ Every process plugin adds **additional** information **on top of the Basic plugin**. This comes with a **big performance hit**, so **ALWAYS** enable the **minimum number of plugins required**.
#### Installation
**Most** process plugins are **installed by default**. Some experimental plugins (sip, rtsp, mpls, ntp, nettisa) **must** be installed separately.
##### Binary Packages
sudo dnf install ipfixprobe-nemea ipfixprobe-nemea-process-experimental
##### Build from source
cd build
cmake -DENABLE_PROCESS_EXPERIMENTAL=ON -DENABLE_NEMEA=ON ..
cd ..
make -j
sudo make install
#### Command line
Use **-p** to specify the process plugin.
##### Example usage
ipfixprobe -i 'raw;ifc=IFC' -s cache -p basicplus -p vlan -o text
#### Systemd service
Use ''process_plugins:'' to specify process plugins in a configuration file.
##### Example usage
process_plugins:
- http # HTTP protocol plugin
- dns # DNS protocol plugin
- quic # QUIC protocol plugin
- tls # TLS protocol plugin
# ...
Each plugin exports data either in Unirec (our in-house standard) or IPFIX (standard flow output). Each table consists of the following fields:
***Unirec Field** : name of the field in Unirec format
***IPFIX Field** : name of the field in IPFIX (as used in Ipfixprobe)
***IANA Name** : name of the STANDARDIZED IPFIX field
***Unirec Type (size)** : data type of the Unirec field and its size in bytes
***IPFIX Type (size)** : data type of the IPFIX field and its size in bytes
***PEN** : Private Enterprise Number:
*0 represents an IANA standard field (with IANA Name)
*>0 represents a custom field defined by a third party: see the [[https://www.iana.org/assignments/enterprise-numbers/|IANA PEN registry]] for specifics
***ID** : a unique ID within the set of values of a specific PEN: see the [[https://www.iana.org/assignments/ipfix/ipfix.xhtml|IANA site]] for IANA standard fields (with PEN = 0)
***Description** : short description of the field (Unirec and IPFIX)
***Direction** : possible values:
*src : field represents information about the source
*dst : field represents information about the destination
*src -> dst : field represents information about communication from the source to the destination
*dst -> src : field represents information about communication from the destination to the source
For the Unirec output plugin, the fields **Unirec Field, Unirec Type (size), Description, Direction** are important.
For the IPFIX output plugin, the fields **IPFIX Field, IANA Name, IPFIX Type (size), PEN, ID, Description, Direction** are important.
ℹ️ **For IPFIX**: the PEN and ID fields together create a unique identifier of the field. Sometimes the format **ePENidID** is used as the name of the field (especially when no IANA name is available).
*for field L2_DST_MAC with PEN = 0 and ID = 80 : **e0id80**
*for field BYTES_REV with PEN = 29305 and ID = 1 : **e29305id1**
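To make the PEN/ID rule concrete, here is an added Python helper (written for this page, not part of ipfixprobe) that parses field tables in the wiki form used below, derives the ePENidID name of each IPFIX element, checks that no (PEN, ID) pair is reused for two different fields, and sums the fixed-length bytes of a Unirec and of an IPFIX record while listing the variable-length elements. ''SAMPLE_TABLE'' is a constructed subset of rows copied from the BASIC and DNS tables; the function names are this example's own.

```python
import re

# Constructed subset of the field tables on this page (BASIC and DNS rows).
SAMPLE_TABLE = """
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DST_MAC | L2_DST_MAC | destinationMacAddress | macaddr (6) | macAddress (6) | 0 | 80 | destination MAC address | dst |
| BYTES_REV | BYTES_REV | - | uint64 (8) | unsigned64 (8) | 29305 | 1 | number of bytes in data flow | dst -> src |
| LINK_BIT_FIELD | - | - | uint64 (8) | - | - | - | exporter identification | - |
| PACKETS | PACKETS | packetDeltaCount | uint32 (4) | unsigned64 (8) | 0 | 2 | number of packets in data flow | src -> dst |
| DNS_NAME | DNS_NAME | - | string (-) | string (-) | 8057 | 2 | requested domain name | - |
"""

TYPE_SIZE = re.compile(r"^(?P<type>[\w*]+) \((?P<size>\d+|-)\)$")


def _size(cell):
    """'uint64 (8)' -> 8; 'string (-)' (variable length) and '-' (absent) -> None."""
    m = TYPE_SIZE.match(cell)
    if not m or m.group("size") == "-":
        return None
    return int(m.group("size"))


def parse_field_table(text):
    """Parse '| a | b | ... |' rows of a wiki field table into dicts; '^' header rows are skipped."""
    fields = []
    for line in text.strip().splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        unirec, ipfix, iana, utype, itype, pen, fid, desc, direction = cells
        fields.append({
            "unirec": None if unirec == "-" else unirec,
            "ipfix": None if ipfix == "-" else ipfix,
            "iana": None if iana == "-" else iana,
            "unirec_size": _size(utype), "ipfix_size": _size(itype),
            "pen": None if pen == "-" else int(pen),
            "id": None if fid == "-" else int(fid),
            "description": desc, "direction": direction,
        })
    return fields


def epenid(field):
    """The ePENidID name described above (e0id80 for L2_DST_MAC); None for Unirec-only fields."""
    if field["pen"] is None or field["id"] is None:
        return None
    return f"e{field['pen']}id{field['id']}"


def ipfix_identifiers(fields):
    """Map (PEN, ID) -> IPFIX field name, failing if one pair names two different fields."""
    ids = {}
    for f in fields:
        if f["pen"] is None:
            continue
        pair = (f["pen"], f["id"])
        if pair in ids and ids[pair] != f["ipfix"]:
            raise ValueError(f"{epenid(f)} is used by both {ids[pair]} and {f['ipfix']}")
        ids[pair] = f["ipfix"]
    return ids


def fixed_sizes(fields):
    """(fixed Unirec bytes, fixed IPFIX bytes, variable-length IPFIX elements)."""
    unirec = sum(f["unirec_size"] for f in fields if f["unirec"] and f["unirec_size"])
    ipfix = sum(f["ipfix_size"] for f in fields if f["ipfix"] and f["ipfix_size"])
    variable = [f["ipfix"] for f in fields if f["ipfix"] and f["ipfix_size"] is None]
    return unirec, ipfix, variable


def summarize(text=SAMPLE_TABLE):
    fields = parse_field_table(text)
    unirec_fixed, ipfix_fixed, variable = fixed_sizes(fields)
    return {
        "names": {f["ipfix"]: epenid(f) for f in fields if f["ipfix"]},
        "ids": ipfix_identifiers(fields),
        "unirec_fixed": unirec_fixed, "ipfix_fixed": ipfix_fixed, "variable": variable,
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(k, v)
```

Note that PACKETS and DNS_NAME share ID 2 but differ in PEN (0 versus 8057), so ''e0id2'' and ''e8057id2'' are distinct elements; the collision check only fires when the same (PEN, ID) pair is attached to two different field names.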
----
#### Plugins description
#### BASIC
This plugin is activated by default; any other process plugin adds on top of this one. These fields are also exported on interfaces where the HTTP, DNS, SIP, and NTP plugins are active.
***LINK_BIT_FIELD** or **ODID** (only used by Unirec) : only one at a time, based on the parameters used.
***DST/SRC_IP**: IPv4 or IPv6, only one at a time.
***TIME_FIRST/LAST**: either MSEC or USEC, based on the CMake parameters Ipfixprobe was compiled with.
*Ipfixprobe uses 1 byte for **TCP_FLAGS** (tcpControlBits) instead of 2 (as the IPFIX standard does).
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DST_MAC | L2_DST_MAC | destinationMacAddress | macaddr (6) | macAddress (6) | 0 | 80 | destination MAC address | dst |
| SRC_MAC | L2_SRC_MAC | sourceMacAddress | macaddr (6) | macAddress (6) | 0 | 56 | source MAC address | src |
| DST_IP | L3_IPV4_ADDR_DST | destinationIPv4Address | ipaddr (16) | ipv4Address (4) | 0 | 12 | destination IPv4 address | dst |
| DST_IP | L3_IPV6_ADDR_DST | destinationIPv6Address | ipaddr (16) | ipv6Address (16) | 0 | 28 | destination IPv6 address | dst |
| SRC_IP | L3_IPV4_ADDR_SRC | sourceIPv4Address | ipaddr (16) | ipv4Address (4) | 0 | 8 | source IPv4 address | src |
| SRC_IP | L3_IPV6_ADDR_SRC | sourceIPv6Address | ipaddr (16) | ipv6Address (16) | 0 | 27 | source IPv6 address | src |
| BYTES | BYTES | octetDeltaCount | uint64 (8) | unsigned64 (8) | 0 | 1 | number of bytes in data flow | src -> dst |
| BYTES_REV | BYTES_REV | - | uint64 (8) | unsigned64 (8) | 29305 | 1 | number of bytes in data flow | dst -> src |
| LINK_BIT_FIELD | - | - | uint64 (8) | - | - | - | exporter identification | - |
| ODID | - | - | uint32 (4) | - | - | - | exporter identification | - |
| TIME_FIRST | FLOW_START_MSEC | flowStartMilliseconds | time (8) | dateTimeMilliseconds (8) | 0 | 152 | first time stamp (in ms) | - |
| TIME_FIRST | FLOW_START_USEC | flowStartMicroseconds | time (8) | dateTimeMicroseconds (8) | 0 | 154 | first time stamp (in us) | - |
| TIME_LAST | FLOW_END_MSEC | flowEndMilliseconds | time (8) | dateTimeMilliseconds (8) | 0 | 153 | last time stamp (in ms) | - |
| TIME_LAST | FLOW_END_USEC | flowEndMicroseconds | time (8) | dateTimeMicroseconds (8) | 0 | 155 | last time stamp (in us) | - |
| PACKETS | PACKETS | packetDeltaCount | uint32 (4) | unsigned64 (8) | 0 | 2 | number of packets in data flow | src -> dst |
| PACKETS_REV | PACKETS_REV | - | uint32 (4) | unsigned64 (8) | 29305 | 2 | number of packets in data flow | dst -> src |
| DST_PORT | L4_PORT_DST | destinationTransportPort | uint16 (2) | unsigned16 (2) | 0 | 11 | transport layer destination port | dst |
| SRC_PORT | L4_PORT_SRC | sourceTransportPort | uint16 (2) | unsigned16 (2) | 0 | 7 | transport layer source port | src |
| DIR_BIT_FIELD | INPUT_INTERFACE | ingressInterface | uint8 (1) | unsigned32 (4) | 0 | 10 | bit field for determining outgoing/incoming traffic | - |
| - | L3_PROTO | ipVersion | uint8 (1) | unsigned8 (1) | 0 | 60 | ip version | - |
| PROTOCOL | L4_PROTO | protocolIdentifier | uint8 (1) | unsigned8 (1) | 0 | 4 | transport protocol | - |
| TCP_FLAGS | L4_TCP_FLAGS | tcpControlBits | uint8 (1) | unsigned8 (1) | 0 | 6 | TCP protocol flags | src -> dst |
| TCP_FLAGS_REV | L4_TCP_FLAGS_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 6 | TCP protocol flags | dst -> src |
| - | FLOW_END_REASON | flowEndReason | - | unsigned8 (1) | 0 | 136 | Reason for Flow termination | - |
#### BASICPLUS
List of fields exported together with BASIC on the interface.
***REV** = source flow fields
***without REV** = opposite direction flow
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| IP_TTL | L3_TTL | ipTTL | uint8 (1) | unsigned8 (1) | 0 | 192 | IP Time To Live field | src -> dst |
| IP_TTL_REV | L3_TTL_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 192 | IP Time To Live field | dst -> src |
| IP_FLG | L3_FLAGS | fragmentFlags | uint8 (1) | unsigned8 (1) | 0 | 197 | IP FLAGS | src -> dst |
| IP_FLG_REV | L3_FLAGS_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 197 | IP FLAGS | dst -> src |
| TCP_WIN | L4_TCP_WIN | tcpWindowSize | uint16 (2) | unsigned16 (2) | 0 | 186 | TCP window size | src -> dst |
| TCP_WIN_REV | L4_TCP_WIN_REV | - | uint16 (2) | unsigned16 (2) | 29305 | 186 | TCP window size | dst -> src |
| TCP_OPT | L4_TCP_OPTIONS | tcpOptions | uint64 (8) | unsigned64 (8) | 0 | 209 | TCP options bitfield | src -> dst |
| TCP_OPT_REV | L4_TCP_OPTIONS_REV | - | uint64 (8) | unsigned64 (8) | 29305 | 209 | TCP options bitfield | dst -> src |
| TCP_MSS | L4_TCP_MSS | - | uint32 (4) | unsigned32 (4) | 8057 | 900 | TCP maximum segment size | src -> dst |
| TCP_MSS_REV | L4_TCP_MSS_REV | - | uint32 (4) | unsigned32 (4) | 8057 | 901 | TCP maximum segment size | dst -> src |
| TCP_SYN_SIZE | L4_TCP_SYN_SIZE | - | uint16 (2) | unsigned16 (2) | 8057 | 902 | TCP SYN packet size | - |
#### BSTATS
List of fields exported together with BASIC on the interface.
***BSTATS_MAXELENCOUNT** (15 by default)
*Number of bursts in each direction exported by the plugin.
*The bursts are computed **separately** for each direction.
***MINIMAL_PACKETS_IN_BURST** (3 by default)
*When a burst has fewer packets than this, its fields are not exported, to reduce output bandwidth.
***MAXIMAL_INTERPKT_TIME** (1000 ms by default)
*Maximum time between two packets for them to be counted in the same burst.
To change these values, pass them to cmake while recompiling, for example: **-DBSTATS_MAXELENCOUNT=30**
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SBI_BRST_PACKETS | SBI_BRST_PACKETS | basicList | uint32* (-) | list (-) | 0 | 291 | Number of packets transmitted in ith burst (e8057id1050) | src -> dst |
| SBI_BRST_BYTES | SBI_BRST_BYTES | basicList | uint32* (-) | list (-) | 0 | 291 | Number of bytes transmitted in ith burst (e8057id1051) | src -> dst |
| SBI_BRST_TIME_START | SBI_BRST_TIME_START | basicList | time* (-) | list (-) | 0 | 291 | Start time of the ith burst (e8057id1052) | src -> dst |
| SBI_BRST_TIME_STOP | SBI_BRST_TIME_STOP | basicList | time* (-) | list (-) | 0 | 291 | End time of the ith burst (e8057id1053) | src -> dst |
| DBI_BRST_PACKETS | DBI_BRST_PACKETS | basicList | uint32* (-) | list (-) | 0 | 291 | Number of packets transmitted in ith burst (e8057id1054) | dst -> src |
| DBI_BRST_BYTES | DBI_BRST_BYTES | basicList | uint32* (-) | list (-) | 0 | 291 | Number of bytes transmitted in ith burst (e8057id1055) | dst -> src |
| DBI_BRST_TIME_START | DBI_BRST_TIME_START | basicList | time* (-) | list (-) | 0 | 291 | Start time of the ith burst (e8057id1056) | dst -> src |
| DBI_BRST_TIME_STOP | DBI_BRST_TIME_STOP | basicList | time* (-) | list (-) | 0 | 291 | End time of the ith burst (e8057id1057) | dst -> src |
#### DNS
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNS_ID | DNS_ID | - | uint16 (2) | unsigned16 (2) | 8057 | 10 | transaction ID | - |
| DNS_ANSWERS | DNS_ANSWERS | - | uint16 (2) | unsigned16 (2) | 8057 | 14 | number of DNS answer records | - |
| DNS_RCODE | DNS_RCODE | - | uint8 (1) | unsigned8 (1) | 8057 | 1 | response code field | - |
| DNS_NAME | DNS_NAME | - | string (-) | string (-) | 8057 | 2 | requested domain name | - |
| DNS_QTYPE | DNS_QTYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 3 | requested type field | - |
| DNS_CLASS | DNS_CLASS | - | uint16 (2) | unsigned16 (2) | 8057 | 4 | class field of DNS question | - |
| DNS_RR_TTL | DNS_RR_TTL | - | uint32 (4) | unsigned32 (4) | 8057 | 5 | resource record TTL field | - |
| DNS_RLENGTH | DNS_RLENGTH | - | uint16 (2) | unsigned16 (2) | 8057 | 6 | length of DNS_RDATA | - |
| DNS_RDATA | DNS_RDATA | - | bytes (-) | octetArray (-) | 8057 | 7 | resource record specific data | - |
| DNS_PSIZE | DNS_PSIZE | - | uint16 (2) | unsigned16 (2) | 8057 | 8 | requestor's payload size | - |
| DNS_DO | DNS_DO | - | uint8 (1) | unsigned8 (1) | 8057 | 9 | DNSSEC OK bit | - |
#### DNSSD
List of fields exported together with BASIC on the interface.
### Command line parameters
***t** or **txt** : [FILE] Activates processing of all TXT records. Allows specifying a whitelist file of TXT records (file line format: service.domain,txt_key1,txt_key2,...)
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNSSD_QUERIES | DNSSD_QUERIES | - | string (-) | string (-) | 8057 | 826 | list of queries for services | - |
| DNSSD_RESPONSES | DNSSD_RESPONSES | - | string (-) | string (-) | 8057 | 827 | list of advertised services | - |
#### FLOW_HASH
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| FLOW_ID | FLOW_ID | flowId | uint64 (8) | unsigned64 (8) | 0 | 148 | Hash of the flow - unique flow id | - |
#### HTTP
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| HTTP_REQUEST_HOST | HTTP_DOMAIN | - | string (-) | string (-) | 39499 | 1 | HTTP request host | - |
| HTTP_REQUEST_URI | HTTP_URI | - | string (-) | string (-) | 39499 | 2 | HTTP request url | - |
| HTTP_REQUEST_AGENT | HTTP_USERAGENT | - | string (-) | string (-) | 39499 | 20 | HTTP request user agent | - |
| HTTP_REQUEST_REFERER | HTTP_REFERER | - | string (-) | string (-) | 39499 | 3 | HTTP request referer | - |
| HTTP_RESPONSE_STATUS_CODE | HTTP_STATUS | - | uint16 (2) | unsigned16 (2) | 39499 | 12 | HTTP request code | - |
| HTTP_RESPONSE_CONTENT_TYPE | HTTP_CONTENT_TYPE | - | string (-) | string (-) | 39499 | 10 | HTTP request content type | - |
| HTTP_REQUEST_METHOD | HTTP_METHOD | - | string (-) | string (-) | 8057 | 200 | HTTP request method | - |
| HTTP_RESPONSE_SERVER | HTTP_SERVER | - | string (-) | string (-) | 8057 | 201 | HTTP response server | - |
| HTTP_RESPONSE_SET_COOKIE_NAMES | HTTP_SET_COOKIE_NAMES | - | string (-) | string (-) | 8057 | 202 | HTTP response all set-cookie names separated by a delimiter | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| L4_ICMP_TYPE_CODE | L4_ICMP_TYPE_CODE | icmpTypeCodeIPv4 | uint16 (2) | unsigned16 (2) | 0 | 32 | ICMP type (MSB) and code (LSB) | - |
List of fields exported together with BASIC on the interface.
***IDPCONTENT_SIZE** (100 by default)
*Number of bytes exported from the first data packet in the SRC -> DST direction, and the first data packet in the DST -> SRC direction.
Use **-DIDPCONTENT_SIZE=number** while recompiling with cmake to change.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| IDP_CONTENT | IDP_CONTENT | - | bytes (-) | octetArray (-) | 8057 | 850 | Content of first data packet | src -> dst |
| IDP_CONTENT_REV | IDP_CONTENT_REV | - | bytes (-) | octetArray (-) | 8057 | 851 | Content of first data packet | dst -> src |
⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| MPLS_TOP_LABEL_STACK_SECTION | MPLS_TOP_LABEL_STACK_SECTION | mplsTopLabelStackSection | bytes (-) | octetArray (-) | 0 | 70 | MPLS label section (without TTL), always 3 bytes | - |
List of fields exported together with BASIC on the interface.
### Command line parameters
***tc** or **topiccount** : Export the first **tc** topics from the Publish packet header. Topics are separated by #. The default value is 0.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| MQTT_TYPE_CUMULATIVE | MQTT_TYPE_CUMULATIVE | - | uint16 (2) | unsigned16 (2) | 8057 | 1033 | types of packets and session present flag cumulative | - |
| MQTT_VERSION | MQTT_VERSION | - | uint8 (1) | unsigned8 (1) | 8057 | 1034 | MQTT version | - |
| MQTT_CONNECTION_FLAGS | MQTT_CONNECTION_FLAGS | - | uint8 (1) | unsigned8 (1) | 8057 | 1035 | last CONNECT packet flags | - |
| MQTT_KEEP_ALIVE | MQTT_KEEP_ALIVE | - | uint16 (2) | unsigned16 (2) | 8057 | 1036 | last CONNECT keep alive | - |
| MQTT_CONNECTION_RETURN_CODE | MQTT_CONNECTION_RETURN_CODE | - | uint8 (1) | unsigned8 (1) | 8057 | 1037 | last CONNECT return code | - |
| MQTT_PUBLISH_FLAGS | MQTT_PUBLISH_FLAGS | - | uint8 (1) | unsigned8 (1) | 8057 | 1038 | cumulative of PUBLISH packet flags | - |
| MQTT_TOPICS | MQTT_TOPICS | - | string (-) | string (-) | 8057 | 1039 | topics from PUBLISH packets headers | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NB_NAME | NB_NAME | - | string (-) | string (-) | 8057 | 831 | NetBIOS Name Service name | - |
| NB_SUFFIX | NB_SUFFIX | - | uint8 (1) | unsigned8 (1) | 8057 | 832 | NetBIOS Name Service suffix | - |
⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NTS_MEAN | NTS_MEAN | - | float (4) | float (4) | 8057 | 1020 | The mean of the payload lengths of packets. | - |
| NTS_MIN | NTS_MIN | - | uint16 (2) | unsigned16 (2) | 8057 | 1021 | Minimal value from all packet payload lengths. | - |
| NTS_MAX | NTS_MAX | - | uint16 (2) | unsigned16 (2) | 8057 | 1022 | Maximum value from all packet payload lengths. | - |
| NTS_STDEV | NTS_STDEV | - | float (4) | float (4) | 8057 | 1023 | The standard deviation is a measure of the variation of data from the mean. | - |
| NTS_KURTOSIS | NTS_KURTOSIS | - | float (4) | float (4) | 8057 | 1024 | The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution. | - |
| NTS_ROOT_MEAN_SQUARE | NTS_ROOT_MEAN_SQUARE | - | float (4) | float (4) | 8057 | 1025 | The measure of the magnitude of payload lengths of packets. | - |
| NTS_AVERAGE_DISPERSION | NTS_AVERAGE_DISPERSION | - | float (4) | float (4) | 8057 | 1026 | The average absolute difference between each payload length of a packet and the mean value. | - |
| NTS_MEAN_SCALED_TIME | NTS_MEAN_SCALED_TIME | - | float (4) | float (4) | 8057 | 1027 | The scaled times are defined as the sequence s(t) = t1 − t1, t2 − t1, …, tn − t1. The mean of this sequence is computed as for NTS_MEAN. | - |
| NTS_MEAN_DIFFTIMES | NTS_MEAN_DIFFTIMES | - | float (4) | float (4) | 8057 | 1028 | The time differences are defined as the sequence dt_i = t_(i+1) − t_i for i = 1, 2, …, n − 1. The mean of this sequence is computed as for NTS_MEAN. | - |
| NTS_MIN_DIFFTIMES | NTS_MIN_DIFFTIMES | - | float (4) | float (4) | 8057 | 1029 | Minimal value from all time differences, i.e., min space between packets. | - |
| NTS_MAX_DIFFTIMES | NTS_MAX_DIFFTIMES | - | float (4) | float (4) | 8057 | 1030 | Maximum value from all time differences, i.e., max space between packets. | - |
| NTS_TIME_DISTRIBUTION | NTS_TIME_DISTRIBUTION | - | float (4) | float (4) | 8057 | 1031 | Describes the distribution of time differences between individual packets. | - |
| NTS_SWITCHING_RATIO | NTS_SWITCHING_RATIO | - | float (4) | float (4) | 8057 | 1032 | Represents a switching ratio between different values of the sequence of observation. | - |
⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.
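The statistics in the table above can be reproduced from a packet list. The following is an added example written for this page, not the code of the ipfixprobe NETTISA plugin: it computes the features whose definitions the table gives from a constructed flow of (timestamp, payload length) pairs, and leaves out NTS_TIME_DISTRIBUTION and NTS_SWITCHING_RATIO, whose exact formulas the table does not state. Population statistics (divide by n), non-excess kurtosis, timestamps in seconds and the handling of one-packet flows are assumptions of this example, marked in the code.

```python
import math


def nettisa_features(packets):
    """Per-flow statistics in the style of the NTS_* fields above, computed
    from a list of (timestamp_seconds, payload_length) tuples in arrival order.

    Assumptions (not stated in the table): population statistics (divide by n),
    non-excess kurtosis (m4 / stdev^4, reported as 0.0 when stdev is 0), and
    0.0 for the time-difference features when the flow has fewer than two packets.
    """
    if not packets:
        raise ValueError("a flow needs at least one packet")
    n = len(packets)
    times = [float(t) for t, _ in packets]
    sizes = [float(s) for _, s in packets]

    mean = sum(sizes) / n
    dev = [s - mean for s in sizes]
    stdev = math.sqrt(sum(d * d for d in dev) / n)
    kurtosis = (sum(d ** 4 for d in dev) / n) / stdev ** 4 if stdev > 0 else 0.0
    rms = math.sqrt(sum(s * s for s in sizes) / n)
    avg_dispersion = sum(abs(d) for d in dev) / n

    # s(t) = t1 - t1, t2 - t1, ..., tn - t1 (row NTS_MEAN_SCALED_TIME)
    scaled = [t - times[0] for t in times]
    mean_scaled_time = sum(scaled) / n

    # dt_i = t_(i+1) - t_i (rows NTS_MEAN_DIFFTIMES, NTS_MIN_DIFFTIMES, NTS_MAX_DIFFTIMES)
    diffs = [times[i + 1] - times[i] for i in range(n - 1)]
    mean_diff = sum(diffs) / len(diffs) if diffs else 0.0

    return {
        "NTS_MEAN": mean,
        "NTS_MIN": int(min(sizes)),
        "NTS_MAX": int(max(sizes)),
        "NTS_STDEV": stdev,
        "NTS_KURTOSIS": kurtosis,
        "NTS_ROOT_MEAN_SQUARE": rms,
        "NTS_AVERAGE_DISPERSION": avg_dispersion,
        "NTS_MEAN_SCALED_TIME": mean_scaled_time,
        "NTS_MEAN_DIFFTIMES": mean_diff,
        "NTS_MIN_DIFFTIMES": min(diffs) if diffs else 0.0,
        "NTS_MAX_DIFFTIMES": max(diffs) if diffs else 0.0,
    }


# Constructed sample flow, not captured traffic: (timestamp in seconds, payload bytes).
SAMPLE_FLOW = [(0.0, 100), (0.1, 300), (0.3, 300), (0.6, 100)]

if __name__ == "__main__":
    for name, value in nettisa_features(SAMPLE_FLOW).items():
        print(f"{name:24s} {value}")
```

Payload lengths, not frame lengths, go in: the table describes the features over payload sizes, so the caller must strip L2 through L4 headers before feeding packets in, and for a biflow the direction is ignored here, as the table has no per-direction variants.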
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NTP_LEAP | NTP_LEAP | - | uint8 (1) | unsigned8 (1) | 8057 | 18 | NTP leap field | - |
| NTP_VERSION | NTP_VERSION | - | uint8 (1) | unsigned8 (1) | 8057 | 19 | NTP message version | - |
| NTP_MODE | NTP_MODE | - | uint8 (1) | unsigned8 (1) | 8057 | 20 | NTP mode field | - |
| NTP_STRATUM | NTP_STRATUM | - | uint8 (1) | unsigned8 (1) | 8057 | 21 | NTP stratum field | - |
| NTP_POLL | NTP_POLL | - | uint8 (1) | unsigned8 (1) | 8057 | 22 | NTP poll interval | - |
| NTP_PRECISION | NTP_PRECISION | - | uint8 (1) | unsigned8 (1) | 8057 | 23 | NTP precision field | - |
| NTP_DELAY | NTP_DELAY | - | uint32 (4) | unsigned32 (4) | 8057 | 24 | NTP root delay | - |
| NTP_DISPERSION | NTP_DISPERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 25 | NTP root dispersion | - |
| NTP_REF_ID | NTP_REF_ID | - | string (-) | string (-) | 8057 | 26 | NTP reference ID | - |
| NTP_REF | NTP_REF | - | string (-) | string (-) | 8057 | 27 | NTP reference timestamp | - |
| NTP_ORIG | NTP_ORIG | - | string (-) | string (-) | 8057 | 28 | NTP origin timestamp | - |
| NTP_RECV | NTP_RECV | - | string (-) | string (-) | 8057 | 29 | NTP receive timestamp | - |
| NTP_SENT | NTP_SENT | - | string (-) | string (-) | 8057 | 30 | NTP transmit timestamp | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| OSQUERY_PROGRAM_NAME | OSQUERY_PROGRAM_NAME | - | string (-) | string (-) | 8057 | 852 | The name of the program that handles the connection. | - |
| OSQUERY_USERNAME | OSQUERY_USERNAME | - | string (-) | string (-) | 8057 | 853 | The name of the user who starts the process. | - |
| OSQUERY_OS_NAME | OSQUERY_OS_NAME | - | string (-) | string (-) | 8057 | 854 | Distribution or product name. | - |
| OSQUERY_OS_MAJOR | OSQUERY_OS_MAJOR | - | uint16 (2) | unsigned16 (2) | 8057 | 855 | Major release version. | - |
| OSQUERY_OS_MINOR | OSQUERY_OS_MINOR | - | uint16 (2) | unsigned16 (2) | 8057 | 856 | Minor release version. | - |
| OSQUERY_OS_BUILD | OSQUERY_OS_BUILD | - | string (-) | string (-) | 8057 | 857 | Optional build-specific or variant string. | - |
| OSQUERY_OS_PLATFORM | OSQUERY_OS_PLATFORM | - | string (-) | string (-) | 8057 | 858 | OS Platform or ID. | - |
| OSQUERY_OS_PLATFORM_LIKE | OSQUERY_OS_PLATFORM_LIKE | - | string (-) | string (-) | 8057 | 859 | Closely related platforms. | - |
| OSQUERY_OS_ARCH | OSQUERY_OS_ARCH | - | string (-) | string (-) | 8057 | 860 | OS Architecture. | - |
| OSQUERY_KERNEL_VERSION | OSQUERY_KERNEL_VERSION | - | string (-) | string (-) | 8057 | 861 | Kernel version. | - |
| OSQUERY_SYSTEM_HOSTNAME | OSQUERY_SYSTEM_HOSTNAME | - | string (-) | string (-) | 8057 | 862 | Network hostname including domain. | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| OVPN_CONF_LEVEL | OVPN_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 828 | level of confidence that the flow record is an OpenVPN tunnel | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNS_ID | DNS_ID | - | uint16 (2) | unsigned16 (2) | 8057 | 10 | transaction ID | - |
| DNS_ATYPE | DNS_ATYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 11 | response record type | - |
| DNS_NAME | DNS_NAME | - | string (-) | string (-) | 8057 | 2 | question domain name | - |
| DNS_RR_TTL | DNS_RR_TTL | - | uint32 (4) | unsigned32 (4) | 8057 | 5 | resource record TTL field | - |
| - | DNS_RDATA | - | - | octetArray (-) | 8057 | 7 | resource record specific data | - |
| DNS_IP | - | - | ipaddr (4-16) | - | - | - | DNS IP address | - |
List of fields exported together with BASIC on the interface.
*The plugin exports the histograms of **Payload** sizes and **Inter-Packet-Times** for each direction.
*The **histogram** bins are scaled logarithmically; the bin boundaries are shown in the following table.
### Command line parameters
***i** or **includezeroes** : Include zero-payload packets.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| D_PHISTS_IPT | D_PHISTS_IPT | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of interpacket times (e8057id1063) | dst -> src |
| D_PHISTS_SIZES | D_PHISTS_SIZES | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of packet size (e8057id1062) | dst -> src |
| S_PHISTS_IPT | S_PHISTS_IPT | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of interpacket times (e8057id1060) | src -> dst |
| S_PHISTS_SIZES | S_PHISTS_SIZES | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of packet sizes (e8057id1061) | src -> dst |
List of fields exported together with BASIC on the interface.
*This plugin gathers statistics for the first `PSTATS_MAXELEMCOUNT` packets in the **biflow** record (30 by default).
*Use `-DPSTATS_MAXELEMCOUNT=number` while recompiling with cmake to change.
### Command line parameters
***i** or **includezeroes** : Include zero-payload packets.
***s** or **skipdup** : Skip duplicate TCP packets.
### Fields description
The following fields are **UniRec arrays** (or **basicList in IPFIX**)
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| PPI_PKT_LENGTHS | STATS_PCKT_SIZES | basicList | uint16* (-) | list (-) | 0 | 291 | sizes of the first packets (e8057id1013) | - |
| PPI_PKT_TIMES | STATS_PCKT_TIMESTAMPS | basicList | time* (-) | list (-) | 0 | 291 | timestamps of the first packets (e8057id1014) | - |
| PPI_PKT_DIRECTIONS | STATS_PCKT_DIRECTIONS | basicList | int8* (-) | list (-) | 0 | 291 | directions of the first packets (e8057id1016) | - |
| PPI_PKT_FLAGS | STATS_PCKT_TCPFLGS | basicList | uint8* (-) | list (-) | 0 | 291 | TCP flags for each packet (e8057id1015) | - |
List of fields exported together with BASIC on the interface.
***-with-quic-ch-full-tls-ext** : build-time option that enables the extraction of all TLS extensions in the Client Hello; without it only the application_layer_protocol_negotiation and quic_transport_parameters extensions are exported in QUIC_TLS_EXT.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| QUIC_SNI | QUIC_SNI | - | string (-) | string (-) | 8057 | 890 | Decrypted server name. | - |
| QUIC_USER_AGENT | QUIC_USER_AGENT | - | string (-) | string (-) | 8057 | 891 | Decrypted user agent. | - |
| QUIC_VERSION | QUIC_VERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 892 | QUIC version from first server long header packets. | - |
| QUIC_CLIENT_VERSION | QUIC_CLIENT_VERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 893 | QUIC version from first client long header packet. | - |
| QUIC_TOKEN_LENGTH | QUIC_TOKEN_LENGTH | - | uint64 (8) | unsigned64 (8) | 8057 | 894 | Token length from Initial and Retry packets. | - |
| QUIC_OCCID | QUIC_OCCID | - | bytes (-) | octetArray (-) | 8057 | 895 | Source Connection ID from first client packet. | - |
| QUIC_OSCID | QUIC_OSCID | - | bytes (-) | octetArray (-) | 8057 | 896 | Destination Connection ID from first client packet. | - |
| QUIC_SCID | QUIC_SCID | - | bytes (-) | octetArray (-) | 8057 | 897 | Source Connection ID from first server packet. | - |
| QUIC_RETRY_SCID | QUIC_RETRY_SCID | - | bytes (-) | octetArray (-) | 8057 | 898 | Source Connection ID from Retry packet. | - |
| QUIC_MULTIPLEXED | QUIC_MULTIPLEXED | - | uint8 (1) | unsigned8 (1) | 8057 | 899 | > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs). | - |
| QUIC_ZERO_RTT | QUIC_ZERO_RTT | - | uint8 (1) | unsigned8 (1) | 8057 | 889 | Number of 0-RTT packets in flow. | - |
| QUIC_SERVER_PORT | QUIC_SERVER_PORT | - | uint16 (2) | unsigned16 (2) | 8057 | 887 | Server port determined by packet type and TLS message. | - |
| QUIC_PACKETS | QUIC_PACKETS | basicList | uint8* (-) | list (-) | 0 | 291 | QUIC long header packet type (v1 encoded), version negotiation, QUIC bit. (e8057id888) | - |
| QUIC_CH_PARSED | QUIC_CH_PARSED | - | uint8 (1) | unsigned8 (1) | 8057 | 886 | >0 if TLS Client Hello parsed without errors. | - |
| QUIC_TLS_EXT_TYPE | QUIC_TLS_EXT_TYPE | basicList | uint16* (-) | list (-) | 0 | 291 | TLS extensions in the TLS Client Hello. (e8057id885) | - |
| QUIC_TLS_EXT_LEN | QUIC_TLS_EXT_LEN | basicList | uint16* (-) | list (-) | 0 | 291 | Length of each TLS extension. (e8057id884) | - |
| QUIC_TLS_EXT | QUIC_TLS_EXT | - | bytes (-) | octetArray (-) | 8057 | 883 | Payload of the TLS extensions: all of them when built with -with-quic-ch-full-tls-ext, otherwise only application_layer_protocol_negotiation and quic_transport_parameters. | - |
⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| RTSP_REQUEST_METHOD | RTSP_METHOD | - | string (-) | string (-) | 16982 | 600 | RTSP request method name. | - |
| RTSP_REQUEST_AGENT | RTSP_USERAGENT | - | string (-) | string (-) | 16982 | 601 | RTSP request user agent. | - |
| RTSP_REQUEST_URI | RTSP_URI | - | string (-) | string (-) | 16982 | 602 | RTSP request URI. | - |
| RTSP_RESPONSE_STATUS_CODE | RTSP_STATUS | - | uint16 (2) | unsigned16 (2) | 16982 | 603 | RTSP response status code. | - |
| RTSP_RESPONSE_CONTENT_TYPE | RTSP_CONTENT_TYPE | - | string (-) | string (-) | 16982 | 604 | RTSP response content type. | - |
| RTSP_RESPONSE_SERVER | RTSP_SERVER | - | string (-) | string (-) | 16982 | 605 | RTSP response server field. | - |
⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SIP_MSG_TYPE | SIP_MSG_TYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 100 | SIP message code | - |
| SIP_STATUS_CODE | SIP_STATUS_CODE | - | uint16 (2) | unsigned16 (2) | 8057 | 101 | status of the SIP request | - |
| SIP_CSEQ | SIP_CSEQ | - | string (-) | string (-) | 8057 | 108 | CSeq field of SIP packet | - |
| SIP_CALLING_PARTY | SIP_CALLING_PARTY | - | string (-) | string (-) | 8057 | 103 | calling party (from) URI | - |
| SIP_CALLED_PARTY | SIP_CALLED_PARTY | - | string (-) | string (-) | 8057 | 104 | called party (to) URI | - |
| SIP_CALL_ID | SIP_CALL_ID | - | string (-) | string (-) | 8057 | 102 | call ID | - |
| SIP_USER_AGENT | SIP_USER_AGENT | - | string (-) | string (-) | 8057 | 106 | user agent field of SIP packet | - |
| SIP_REQUEST_URI | SIP_REQUEST_URI | - | string (-) | string (-) | 8057 | 107 | SIP request URI | - |
| SIP_VIA | SIP_VIA | - | string (-) | string (-) | 8057 | 105 | via field of SIP packet | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SMTP_2XX_STAT_CODE_COUNT | SMTP_CODE_2XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 816 | number of 2XX status codes | - |
| SMTP_3XX_STAT_CODE_COUNT | SMTP_CODE_3XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 817 | number of 3XX status codes | - |
| SMTP_4XX_STAT_CODE_COUNT | SMTP_CODE_4XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 818 | number of 4XX status codes | - |
| SMTP_5XX_STAT_CODE_COUNT | SMTP_CODE_5XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 819 | number of 5XX status codes | - |
| SMTP_COMMAND_FLAGS | SMTP_COMMANDS | - | uint32 (4) | unsigned32 (4) | 8057 | 810 | bit array of commands present | - |
| SMTP_MAIL_CMD_COUNT | SMTP_MAIL_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 811 | number of MAIL commands | - |
| SMTP_RCPT_CMD_COUNT | SMTP_RCPT_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 812 | number of RCPT commands | - |
| SMTP_STAT_CODE_FLAGS | SMTP_STATUS_CODES | - | uint32 (4) | unsigned32 (4) | 8057 | 815 | bit array of status codes present | - |
| SMTP_DOMAIN | SMTP_DOMAIN | - | string (-) | string (-) | 8057 | 820 | domain name of the SMTP client | - |
| SMTP_FIRST_SENDER | SMTP_SENDER | - | string (-) | string (-) | 8057 | 813 | first sender in MAIL command | - |
| SMTP_FIRST_RECIPIENT | SMTP_RECIPIENT | - | string (-) | string (-) | 8057 | 814 | first recipient in RCPT command | - |
List of fields exported together with BASIC on the interface.
The detector searches for the SYN, SYN-ACK, ACK pattern in packet lengths.
Multiple occurrences of this pattern within one flow suggest a tunneled connection.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SSA_CONF_LEVEL | SSA_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 903 | 1 if SSA sequence detected, 0 otherwise | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SSDP_LOCATION_PORT | SSDP_LOCATION_PORT | - | uint16 (2) | unsigned16 (2) | 8057 | 821 | service port | - |
| SSDP_SERVER | SSDP_SERVER | - | string (-) | string (-) | 8057 | 822 | server info | - |
| SSDP_USER_AGENT | SSDP_USER_AGENT | - | string (-) | string (-) | 8057 | 823 | list of user agents | - |
| SSDP_NT | SSDP_NT | - | string (-) | string (-) | 8057 | 824 | list of advertised service urns | - |
| SSDP_ST | SSDP_ST | - | string (-) | string (-) | 8057 | 825 | list of queried service urns | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| TLS_SNI | TLS_SNI | - | string (-) | string (-) | 8057 | 808 | TLS server name indication field from client | - |
| TLS_ALPN | TLS_ALPN | - | string (-) | string (-) | 39499 | 337 | TLS application-layer protocol negotiation field from server | - |
| TLS_VERSION | TLS_VERSION | - | uint16 (2) | unsigned16 (2) | 39499 | 333 | TLS client protocol version | - |
| TLS_JA3 | TLS_JA3 | - | bytes (-) | octetArray (-) | 39499 | 357 | TLS client JA3 fingerprint | - |
| TLS_JA4 | TLS_JA4 | - | string (-) | string (-) | 39499 | 358 | TLS client JA4 fingerprint | - |
| TLS_EXT_TYPE | TLS_EXT_TYPE | basicList | uint16* (-) | list (-) | 0 | 291 | TLS extensions in the TLS Client Hello | - |
| TLS_EXT_LEN | TLS_EXT_LEN | basicList | uint16* (-) | list (-) | 0 | 291 | Length of each TLS extension | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| VLAN_ID | VLAN_ID | vlanId | uint16 (2) | unsigned16 (2) | 0 | 58 | VLAN ID (used in flow key) | - |
List of fields exported together with BASIC on the interface.
### Fields description
^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| WG_CONF_LEVEL | WG_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 1100 | level of confidence that the flow record is a WireGuard tunnel | - |
| WG_SRC_PEER | WG_SRC_PEER | - | uint32 (4) | unsigned32 (4) | 8057 | 1101 | ephemeral SRC peer identifier | src |
| WG_DST_PEER | WG_DST_PEER | - | uint32 (4) | unsigned32 (4) | 8057 | 1102 | ephemeral DST peer identifier | dst |
ℹ️ You can run ''ipfixprobe -h process'' to see installed process plugins.
----
### OUTPUT
Output plugins define how **flows are exported**.
⚠️ You can choose **only one type of output plugin**
##### Command line
Use **-o** to specify the output plugin.
##### Systemd service
To specify the output plugin in the configuration file, use ''%%output_plugin:%%'' followed by the **plugin name** (e.g., ipfix:, unirec:, text:) on a new line. After that, you can specify **parameters** for the plugin.
##### Example of configuration file
output_plugin:
  ipfix:
    collector:
      host: localhost
      port: 4739
#### Plugins description
Use the text plugin to output directly to the **terminal** or **text file**.
### Installation
This plugin is **installed by default**.
### Command line
#### Parameters
***f** or **file** : Path of the file to write the output to instead of stdout.
***m** or **mac** : Boolean flag. MAC addresses are hidden if set.
#### Example usage
Print exported flows to the terminal without MAC addresses
ipfixprobe -o 'text;mac' -i 'pcap;file=...;' -s 'cache'
Print exported flows to the FILE
ipfixprobe -o 'text;f=FILE' -i 'pcap;file=...;' -s 'cache'
### Systemd parameters
output_plugin:
  text:
    file: (path)   # Path to output file (use null for stdout)
**IP Flow Information Export** is a standard protocol for exporting **network flow information** from probes running on routers, switches, firewalls, directly to **collectors** on the local network. We recommend using our collector [[https://github.com/CESNET/ipfixcol2|ipfixcol2]], but you can use any collector with support for IPFIX input.
### Installation
This plugin is **installed by default**.
### Command line
#### Parameters
***h** or **host** : Defines the IP address of the remote collector.
***p** or **port** : Defines the collector port to send data to.
***m** or **mtu** : Defines the maximum size of IPFIX packet payload sent.
***u** or **udp** : Boolean flag. UDP is used if set.
***n** or **non-blocking-tcp** : Boolean flag. Non-blocking TCP socket is used if set.
***I** or **id** : Defines exporter ID.
***t** or **template** : Defines template refresh rate in seconds.
***d** or **dir** : (NUM) Dir bit field value.
***v** or **verbose** : Enable verbose mode.
***c** or **lz4-compression** : Enable lz4 compression.
***s** or **lz4-buffer-size** : LZ4 compression buffer size; the default, which is also the minimum, is mtu*3.
#### Example usage
Send exported data to the localhost using UDP as an exporter with ID 3.
ipfixprobe -o 'ipfix;h=127.0.0.1;u;I=3' -i 'pcap;file=...;' -s 'cache'
Send exported data to ''localhost:4739'' using non-blocking TCP, with exporter ID 3 and the maximum IPFIX packet size set to 2000.
ipfixprobe -o 'ipfix;h=127.0.0.1;p=4739;n;mtu=2000' -i 'pcap;file=...;' -s 'cache'
### Systemd parameters
output_plugin:
  ipfix:
    collector:
      host: localhost           # IPFIX collector address [required]
      port: (number)            # IPFIX collector port [required]
      mtu: (number)             # Maximum size of IPFIX packets
    exporter:
      id: (number)              # Exporter ID for IPFIX [required]
      dir: (number)             # Direction bit field value (0 = incoming, 1 = outgoing)
    protocol:
      # IMPORTANT: Only one protocol can be selected: UDP or TCP.
      udp:
        template_refresh: (number)   # Template refresh rate for UDP protocol (in seconds)
      tcp:
        non_blocking: (bool)         # Whether to use non-blocking TCP sockets (true/false)
    compression:
      lz4:
        enabled: (bool)         # Enable LZ4 compression for IPFIX (true/false)
        buffer_size: (number)   # Buffer size for LZ4 compression (default: mtu * 3)
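The PEN and ID columns in the field tables above are what a collector sees in the IPFIX template: an element with a non-zero PEN is sent with the enterprise bit set and the PEN appended, and string fields are sent as variable-length fields. The following added example, written for this page and not taken from ipfixprobe or ipfixcol2, builds one minimal IPFIX message and parses it back, including the template cache a collector needs. The template id (256), the choice of elements and the sample record are this example's own; the PEN/ID pairs for HTTP_DOMAIN, HTTP_STATUS and HTTP_METHOD come from the HTTP table on this page, and the fallback name for unknown elements follows the page's own e<PEN>id<ID> notation.

```python
import struct

VARLEN = 0xFFFF  # template field length that means "variable length"

# Elements used here, keyed by (enterprise number, element id). PEN 0 is IANA;
# 39499 and 8057 are the private enterprise numbers from the tables on this page.
ELEMENTS = {
    (0, 8): ("sourceIPv4Address", "ipv4"), (0, 12): ("destinationIPv4Address", "ipv4"),
    (0, 7): ("sourceTransportPort", "uint"), (0, 11): ("destinationTransportPort", "uint"),
    (39499, 1): ("HTTP_DOMAIN", "string"), (39499, 12): ("HTTP_STATUS", "uint"),
    (8057, 200): ("HTTP_METHOD", "string"),
}
# Template 256 (an id chosen for this example): (pen, id, length) per field.
TEMPLATE_256 = [(0, 8, 4), (0, 12, 4), (0, 7, 2), (0, 11, 2),
                (39499, 1, VARLEN), (39499, 12, 2), (8057, 200, VARLEN)]


def _varlen(b):
    """Variable-length field encoding: 1-byte length, or 255 followed by a 2-byte length."""
    return bytes([len(b)]) + b if len(b) < 255 else b"\xff" + struct.pack("!H", len(b)) + b


def build_message(records, odid=1, seq=0):
    """One IPFIX message: a template set (set id 2) for template 256, then a data
    set (set id 256) with one record per dict in `records`."""
    tmpl = struct.pack("!HH", 256, len(TEMPLATE_256))
    for pen, ie, length in TEMPLATE_256:
        if pen:  # enterprise bit set: the 4-byte PEN follows the length
            tmpl += struct.pack("!HHI", ie | 0x8000, length, pen)
        else:
            tmpl += struct.pack("!HH", ie, length)
    data = b""
    for r in records:
        for pen, ie, length in TEMPLATE_256:
            name, kind = ELEMENTS[(pen, ie)]
            if kind == "ipv4":
                data += bytes(int(o) for o in r[name].split("."))
            elif kind == "uint":
                data += r[name].to_bytes(length, "big")
            else:
                data += _varlen(r[name].encode())
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    body += struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, odid) + body


def _decode(kind, raw):
    if kind == "ipv4":
        return ".".join(str(b) for b in raw)
    if kind == "uint":
        return int.from_bytes(raw, "big")
    return raw.decode("utf-8", "replace") if kind == "string" else bytes(raw)


def parse_message(buf, templates=None):
    """Parse one message into a list of record dicts. `templates` caches
    {(odid, template id): fields} across messages, as a collector must: a data
    set may arrive in a later message than the template that describes it."""
    if templates is None:
        templates = {}
    if len(buf) < 16:
        raise ValueError("shorter than an IPFIX message header")
    version, length, _time, _seq, odid = struct.unpack_from("!HHIII", buf, 0)
    if version != 10:
        raise ValueError(f"not an IPFIX message (version {version})")
    if length < 16 or length > len(buf):
        raise ValueError("message length does not match the buffer")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("set length runs past the message")
        end, pos = off + set_len, off + 4
        if set_id == 2:  # template set
            while end - pos >= 4:
                tid, count = struct.unpack_from("!HH", buf, pos)
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", buf, pos)
                    pos, pen = pos + 4, 0
                    if ie & 0x8000:
                        pen, pos, ie = struct.unpack_from("!I", buf, pos)[0], pos + 4, ie & 0x7FFF
                    fields.append((pen, ie, flen))
                templates[(odid, tid)] = fields  # count 0 is a template withdrawal
        elif set_id >= 256:  # data set (options templates, set id 3, are skipped here)
            fields = templates.get((odid, set_id))
            if not fields:
                raise ValueError(f"data set {set_id} has no usable template")
            min_len = sum(1 if f == VARLEN else f for _, _, f in fields)
            while end - pos >= min_len:  # a tail shorter than one record is padding
                rec = {}
                for pen, ie, flen in fields:
                    if flen == VARLEN:
                        flen, pos = buf[pos], pos + 1
                        if flen == 255:
                            flen, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
                    if pos + flen > end:
                        raise ValueError("record runs past the end of its set")
                    name, kind = ELEMENTS.get((pen, ie), (f"e{pen}id{ie}", "raw"))
                    rec[name] = _decode(kind, buf[pos:pos + flen])
                    pos += flen
                records.append(rec)
        off = end
    return records


# Constructed sample record, not captured traffic.
SAMPLE = [{"sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.20",
           "sourceTransportPort": 51234, "destinationTransportPort": 80,
           "HTTP_DOMAIN": "example.test", "HTTP_STATUS": 200, "HTTP_METHOD": "GET"}]

if __name__ == "__main__":
    print(parse_message(build_message(SAMPLE)))
```

Every length read from the wire is checked against the enclosing set and message before it is used as an offset; a collector that skips those checks can be pushed past its buffer by a single malformed exporter. The same template cache keyed by (ODID, template id) is why the ''I''/''id'' parameter of the ipfix output plugin matters when several probes send to one collector: two exporters sharing an ODID and template id would overwrite each other's templates.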
This plugin exports data in our [[https://github.com/CESNET/Nemea-Framework/tree/master/unirec|UNIREC format]]. It is mainly used to **send data directly to NEMEA modules**. It is defined by a fixed list of **key-value pairs**. To see a list of **UNIREC fields**, check out the specific **process plugins** you are currently using.
### Installation
#### Binary Packages
sudo dnf install ipfixprobe-nemea ipfixprobe-nemea-output-unirec
#### Build from source
dnf install libtrap libtrap-devel unirec-devel unirec
cd build
cmake -DENABLE_NEMEA=ON -DENABLE_OUTPUT_UNIREC=ON ..
cd ..
make -j
sudo make install
### Command line
#### Parameters
***i** or **ifc** : Defines unirec interface to use. [[https://github.com/CESNET/Nemea-Framework/blob/master/libtrap/README.ifcspec.md|guide here]]
***p** or **plugins** : Defines plugin-interface mapping. Plugins can be grouped like ''(p1,p2,p3),p4,(p5,p6)''.
***o** or **odid** : Boolean flag. If set, exports the ODID field.
***e** or **eof** : Boolean flag. If set, sends EOF message on exit.
***I** or **id** : Defines exporter id.
***h** or **help** : Prints libtrap help.
***d** or **dir** : (NUM) Dir bit field value.
***v** or **verbose** : Increase verbosity.
#### Example usage
Send exported data to the Unix socket ''ipfixprobe''.
ipfixprobe -o 'unirec;i=u:ipfixprobe' -i 'pcap;file=...' -s 'cache'
Same as above, but with a blocking interface (''timeout=WAIT'') and buffering disabled; use this with small pcap files, otherwise records still sitting in the buffer may not be sent before the probe exits.
ipfixprobe -o 'unirec;i=u:ipfixprobe:timeout=WAIT:buffer=off' -i 'pcap;file=...' -s 'cache'
Save the exported data to the ''data.trapcap''.
ipfixprobe -o 'unirec;i=f:data.trapcap' -i 'pcap;file=...' -s 'cache'
Read packets from a pcap file, enable 4 processing plugins, send L7 HTTP extended biflows to the unirec interface named ''http'', and data from the 3 other plugins to the ''stats'' interface
ipfixprobe -i 'pcap;file=pcaps/http.pcap' -p http -p pstats -p idpcontent -p phists -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
### Systemd parameters
The unirec output plugin cannot yet be configured through the systemd service configuration file; use the command line.
ℹ️ You can run ''ipfixprobe -h output'' to see installed output plugins.