# Basic Information

Ipfixprobe supports various plugins, allowing you to **customize the probe** for your specific use case. To use any plugin other than the default ones, you **must install Ipfixprobe from source**. Refer to our [[en:get_started|installation guide]] for more details.

## To enable a plugin:

- Install the necessary dependencies.
- Run ''cmake'' in the build folder with the ''-D'' flag and the plugin name (e.g., for PCAP: ''cmake -DENABLE_INPUT_PCAP=ON ..'').
- Compile and install Ipfixprobe.

➡️ For plugin-specific details, refer to the sections below.

## List of Plugins

^ INPUT ^ STORAGE ^ PROCESS (default) ^ OUTPUT ^
| RAW_SOCKET (default) | CACHE (default) | HTTP | TXT (default) |
| BENCHMARK (default) | | NETTISA | IPFIX (default) |
| DPDK | | DNS | UniRec (NEMEA) |
| DPDK RING | | PSTATS | |
| PCAP | | --others-- | |
| NDP (FPGA) | | | |

*(default) - plugins installed by default

⚠️ Be careful about the difference between **; (semicolon)** and **, (comma)** when using ipfixprobe's parameters:
* **semicolon ;** separates individual (plugin) parameters
* **comma ,** separates multiple values given to the same (plugin) parameter

## Plugin Details

**This documentation is written primarily for RHEL distributions.**\\
If you're having trouble installing dependencies, the package names **might differ** on other distributions (e.g., libpcap-devel -> libpcap-dev). You can also check out the [[https://copr.fedorainfracloud.org/groups/g/CESNET/coprs/|CESNET COPR]] repository (you can add the necessary copr repositories or build dependencies from source). You may also need to **enable certain repositories**, for example:
* for RHEL - ''%%sudo yum-config-manager --add-repo https://yum.oracle.com/repo/OracleLinux/OL9/codeready/builder/x86_64/%%''

### INPUT

Input plugins define the source of **incoming packets**.

⚠️ You can choose **only one type of input plugin** (although several input instances of that type at once are possible; see the examples below).

##### Command line

Use **-i** to specify the input plugin.
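The parser below is an added example (not ipfixprobe code) that implements the separator rule for the quoted plugin strings passed to ''-i'', ''-s'', ''-p'' and ''-o'': ''%%;%%'' splits parameters, ''%%,%%'' splits the values of one parameter, a parenthesised group keeps its commas (as in ''p=http,(pstats,phists,idpcontent)'' from the PCAP example further down), and a token without ''='' is a boolean flag (''f'' for fanout, ''u'' for UDP). The exact grammar ipfixprobe accepts is assumed from the examples on this page; the code is useful mainly to catch the classic mistake of writing ''host=...,port=...'' with a comma, which comes back as a two-element list instead of two parameters.

```python
"""Parse and rebuild ipfixprobe-style plugin parameter strings.

Added example, not part of ipfixprobe. Grammar assumed from the page's examples:
  NAME ; key=value ; flag ; key=v1,v2,(g1,g2) ...
"""


def _split_top(text: str, sep: str) -> list:
    """Split on `sep` but not inside (...) groups; rejects unbalanced parentheses."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError(f"unbalanced ')' in {text!r}")
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth:
        raise ValueError(f"unbalanced '(' in {text!r}")
    parts.append("".join(cur))
    return parts


def _parse_value(value: str):
    """'a,b' -> ['a', 'b']; '(a,b)' -> nested list; a single value stays a string."""
    items = _split_top(value, ",")
    parsed = [_parse_value(i[1:-1]) if i.startswith("(") and i.endswith(")") else i
              for i in items]
    return parsed[0] if len(parsed) == 1 else parsed


def parse_plugin_spec(spec: str):
    """'raw;ifc=eth0;f' -> ('raw', {'ifc': 'eth0', 'f': True})."""
    tokens = [t.strip() for t in _split_top(spec, ";")]
    name, params = tokens[0], {}
    if not name:
        raise ValueError("plugin name missing")
    for tok in tokens[1:]:
        if not tok:
            continue  # tolerate a trailing ';' as in 'raw;ifc=IFC;'
        key, eq, value = tok.partition("=")  # first '=' only: values may contain '='
        if key in params:
            raise ValueError(f"parameter {key!r} given twice; use ',' for several values")
        params[key] = _parse_value(value) if eq else True
    return name, params


def build_plugin_spec(name: str, params: dict) -> str:
    """Inverse of parse_plugin_spec: lists join with ',', nested lists become (...)."""
    def render(v):
        if isinstance(v, list):
            return ",".join("(" + render(i) + ")" if isinstance(i, list) else i for i in v)
        return v
    out = [name]
    for k, v in params.items():
        out.append(k if v is True else f"{k}={render(v)}")
    return ";".join(out)


if __name__ == "__main__":
    # Constructed inputs modelled on the page's own examples ("IFC" is the placeholder used there).
    print(parse_plugin_spec("raw;ifc=IFC;f"))
    print(parse_plugin_spec("ipfix;u;host=collector.example.com;port=4739"))
    print(parse_plugin_spec("ipfix;host=collector.example.com,port=4739"))  # the comma mistake
```

Round-tripping the unirec example from the PCAP section (''unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'') through ''parse_plugin_spec'' and ''build_plugin_spec'' returns the original string, which is a quick way to check a hand-written spec before putting it in a unit file.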
##### Systemd service

To specify the **input** in the configuration file, use ''%%input_plugin:%%'' followed by the **plugin name** (e.g., raw:, pcap_file:, pcap_live:, ndp:, dpdk_ring:, dpdk:) on a new line. After that, you can specify the **parameters** of the plugin.

##### Example of configuration file

```yaml
input_plugin:
  raw:
    interface: eth0
```

ℹ️ **Run ''ip link show'' to see the possible IFC values (for example ''eth0'').**

#### Plugins description

#### RAW_SOCKET

Input plugin for reading packets from a **raw interface**.
* Works by capturing packets directly from the **NIC** through a packet socket, bypassing the kernel TCP/IP stack.
* A simple but not very efficient way to **quickly check** small networks.
* Does **NOT** require any **additional libraries**.
* Good for **sniffing specific packets**, not for general network monitoring.

### Installation

This plugin is **installed by default**. Recommended for small networks with a simple monitoring setup.

### Command line

#### Parameters

* **i** or **ifc** : Defines the network interface name.
* **b** or **blocks** : Defines the number of packet blocks.
* **f** or **fanout** : Enables packet fanout.
* **p** or **pkts** : Defines the number of packets in a block.
* **l** or **list** : Prints the list of available interfaces.

#### Example usage

Read packets from the interface specified by the **IFC value**.

```bash
ipfixprobe -i 'raw;ifc=IFC;' -s 'cache'
```

Capture from the IFC interface and scale packet processing **using 2 instances** of the raw plugin (fanout distributes packets between them); send flows to an IPFIX collector over UDP.

```bash
ipfixprobe -i 'raw;ifc=IFC;f' -i 'raw;ifc=IFC;f' -o 'ipfix;u;host=collector.example.com;port=4739'
```

### Systemd parameters

```yaml
input_plugin:
  raw:
    interface: (name)          # Network interface name to capture traffic from [required]
    blocks_count: (number)     # Number of blocks in the circular buffer (must be a power of 2)
    packets_in_block: (number) # Number of packets per block (must be a power of 2)
```

#### PCAP

[[https://www.solarwinds.com/resources/it-glossary/pcap|Pcap (Packet Capture)]] provides an API for capturing network traffic.
Ipfixprobe can use `libpcap` to quickly capture packets from a NIC or to read them from a binary `.pcap` file.
* **Recommended option** for monitoring **small** to **medium** networks (up to 1 Gbps).
* Exporting into a `.pcap` file is **NOT** supported.
* If you encounter performance problems (many dropped packets, ...), try **limiting the number of process plugins** or move to a faster input plugin (DPDK).

### Installation

#### Binary Package

```bash
sudo dnf install ipfixprobe-input-pcap
```

#### Build from source

```bash
dnf install libpcap libpcap-devel
cd build
cmake -DENABLE_INPUT_PCAP=ON ..
cd ..
make -j2
sudo make install
```

### Command line

#### Parameters

* **f** or **file** : Defines the path to a pcap file.
* **i** or **ifc** : Defines the interface name.
* **F** or **filter** : Defines a BPF filter string.
* **s** or **snaplen** : Defines the snapshot length in bytes (live capture only).
* **l** or **list** : Prints the list of available interfaces.

#### Example usage

Process a pcap file and print the flows to the terminal.

```bash
ipfixprobe -s cache -i "pcap;file=PATH_TO_PCAP_FILE" -o "text;m"
```

Read packets from the interface specified by the **IFC value**.

```bash
ipfixprobe -i 'pcap;i=IFC;' -s 'cache'
```

Capture from the IFC interface using the pcap plugin, **split biflows into flows** and print them to the console without MAC addresses; **telemetry data is exposed** via the appFs library in the ''/var/run/ipfixprobe'' directory.

```bash
ipfixprobe -i 'pcap;ifc=IFC' -s 'cache;split' -o 'text;m' -t /var/run/ipfixprobe
```

Read packets from a pcap file, **enable 4 processing** plugins, send L7 HTTP extended biflows to the unirec interface named ''http'', and the data from the 3 other plugins to the ''stats'' interface.
```bash
ipfixprobe -i 'pcap;file=pcaps/http.pcap' -p http -p pstats -p idpcontent -p phists -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
```

### Systemd parameters

```yaml
input_plugin:
  pcap_file:
    file: (path)          # Path to the PCAP file to read from [required]
    bpf_filter: null      # Optional BPF filter (e.g., "port 80"), null = no filter
  # OR
  pcap_live:
    interface: (name)     # Network interface for live packet capture [required]
    bpf_filter: null      # Optional BPF filter (null = no filter)
    snap_length: (number) # Maximum packet capture length
```

#### DPDK

DPDK (Data Plane Development Kit) is used for high-performance packet processing. It gives applications direct access to network interfaces, bypassing the kernel, and is suitable for environments requiring high throughput, low latency and high packet processing rates.

### Installation

#### Binary Package

```bash
sudo dnf install ipfixprobe-input-dpdk
```

#### Build from source

```bash
dnf install dpdk-devel
mkdir build
cd build
cmake -DENABLE_INPUT_DPDK=ON ..
make -j
sudo make install
```

===== Example configuration =====

```yaml
input_plugin:
  dpdk:
    allowed_nics: "0000:ca:00.0"
    ### Optional parameters
    burst_size: 64
    mempool_size: 8192
    rx_queues: 8
    workers_cpu_list: []
    eal_opts: null
    mtu: 1518
```

===== Parameters =====

**Mandatory parameters**

^ Parameter ^ Description ^
| **allowed_nics** | List of allowed NICs in PCI address format `0000:XX:YY.Z`, separated with `,` |

**Optional parameters**

^ Parameter ^ Default ^ Description ^
| **burst_size** | 64 | Number of packets processed in each burst cycle. Affects batch processing efficiency. |
| **mempool_size** | 8192 | Size of the memory pool used for buffering incoming packets. Must be a power of 2. |
| **rx_queues** | 1 | Number of RX queues (workers). Increasing this can help distribute the load across multiple CPU cores. |
| **workers_cpu_list** | [] (autofill) | List of CPU cores assigned to the RX queues (must match the number of rx_queues). |
| **eal_opts** | null | Extra options passed to the DPDK EAL (Environment Abstraction Layer) for fine-tuning. |
| **mtu** | 1518 | Maximum Transmission Unit size for the interface. Defines the maximum packet size that can be received. |

===== How to use =====

To use the DPDK input plugin, your system must be properly configured for DPDK operation. This includes the following steps:

==== 1. Install DPDK Tools ====

To begin, install DPDK and its tools:

* **RHEL/CentOS**
```bash
dnf install dpdk-tools
```
* **Debian/Ubuntu**
```bash
apt-get install dpdk
```

==== 2. Identify the PCI Address of the Network Interface ====

DPDK works directly with PCI addresses (e.g. `0000:ca:00.0`) instead of traditional interface names like `eth0` or `ens3`. To list all interfaces with their PCI addresses:

```bash
dpdk-devbind.py --status
```

If the NIC is not bound to a DPDK driver (e.g. `vfio-pci`), you can bind it using the same tool.

==== 3. Identify the NUMA Node of the Interface ====

Each NIC belongs to a specific **NUMA node**, which affects memory locality and performance. To find the NUMA node:

```bash
cat /sys/bus/pci/devices/0000:ca:00.0/numa_node
```

If the output is `-1`, NUMA is not supported or the device is not assigned to a node.

==== 4. Allocate Hugepages ====

DPDK requires hugepages for optimal performance.

**Configuring Hugepages via Kernel Parameters (recommended)**

```bash
grubby --update-kernel ALL --args "default_hugepagesz=1GB hugepagesz=1G hugepages=4"
```

Reboot after applying.

**Allocating Hugepages at Runtime**

You can also allocate hugepages dynamically (use the NUMA node found in step 3 as the `--node` value):

```bash
dpdk-hugepages.py -p 1G --setup 2G --node 0
```

For high-speed links:

* **100G:**
```bash
dpdk-hugepages.py -p 1G --setup 4G --node 0
```
* **200G:**
```bash
dpdk-hugepages.py -p 1G --setup 8G --node 0
```
* **400G:**
```bash
dpdk-hugepages.py -p 1G --setup 16G --node 0
```

**Verify Allocation**

```bash
dpdk-hugepages.py -s
```
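The script below is an added example (it is neither ipfixprobe code nor part of the DPDK tools) that automates the checks of steps 2 to 4: it validates the PCI addresses that will go into ''allowed_nics'', reads each NIC's NUMA node from sysfs, and prints the ''dpdk-hugepages.py'' command with the pool size the page recommends for the link speed and a ''--node'' that matches the NIC. The sysfs root is a parameter so the functions can be exercised on a constructed directory tree instead of real hardware; the speed-to-pool-size table is copied from the examples above and is an assumption, not a DPDK rule.

```python
"""Pre-flight checks for the ipfixprobe DPDK input plugin (steps 2-4 above).

Added example, not part of ipfixprobe or DPDK. Assumptions: 1G hugepages, and the
pool sizes from this page (2G when the link speed is not specified).
"""
import os
import re
import tempfile

PCI_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")
HUGEPAGES_BY_SPEED = {"default": "2G", "100G": "4G", "200G": "8G", "400G": "16G"}


def parse_allowed_nics(value: str) -> list:
    """Split the comma-separated allowed_nics value and validate each PCI address."""
    nics = []
    for addr in value.split(","):
        addr = addr.strip().lower()
        if not PCI_RE.match(addr):
            raise ValueError(f"not a PCI address in 0000:XX:YY.Z form: {addr!r}")
        nics.append(addr)
    return nics


def numa_node(addr: str, sysfs_root: str = "/sys") -> int:
    """Equivalent of `cat /sys/bus/pci/devices/<addr>/numa_node` (-1 = no node assigned)."""
    path = os.path.join(sysfs_root, "bus", "pci", "devices", addr, "numa_node")
    with open(path) as fh:
        return int(fh.read().strip())


def hugepage_command(addr: str, link_speed: str = "default", sysfs_root: str = "/sys") -> str:
    """dpdk-hugepages.py invocation with the pool size for the link and the NIC's node."""
    size = HUGEPAGES_BY_SPEED[link_speed]
    node = numa_node(addr, sysfs_root)
    if node < 0:
        node = 0  # sysfs reported -1: no NUMA affinity, fall back to node 0 like the page's examples
    return f"dpdk-hugepages.py -p 1G --setup {size} --node {node}"


def preflight(allowed_nics: str, link_speed: str = "default", sysfs_root: str = "/sys") -> dict:
    """Map each allowed NIC to (numa_node, hugepage command)."""
    return {addr: (numa_node(addr, sysfs_root), hugepage_command(addr, link_speed, sysfs_root))
            for addr in parse_allowed_nics(allowed_nics)}


def fake_sysfs(devices: dict) -> str:
    """Constructed sysfs tree {pci_addr: numa_node}, so the checks can run offline."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for addr, node in devices.items():
        dev_dir = os.path.join(root, "bus", "pci", "devices", addr)
        os.makedirs(dev_dir)
        with open(os.path.join(dev_dir, "numa_node"), "w") as fh:
            fh.write(f"{node}\n")
    return root


if __name__ == "__main__":
    # Constructed devices: one NIC on node 1, one with no NUMA affinity reported.
    root = fake_sysfs({"0000:ca:00.0": 1, "0000:3b:00.0": -1})
    for nic, (node, cmd) in preflight("0000:ca:00.0,0000:3b:00.0", "100G", root).items():
        print(f"{nic}: numa_node={node}  ->  {cmd}")
```

On a real host call ''preflight("0000:ca:00.0", "100G")'' without the ''sysfs_root'' argument; the printed command is the one to run before starting the probe, and a NIC that reports node ''-1'' should be checked against ''dpdk-devbind.py --status'' before trusting the node 0 fallback.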
==== 5. Configure the DPDK Driver ====

TODO: Mellanox, Broadcom, Intel

#### NDP (FPGA)

Input plugin for reading packets **directly from an FPGA-based NIC**. Unless you are using **Netcope** (CESNET FPGA cards) hardware, this plugin is NOT the right option.

### Installation

#### Binary package

```bash
sudo dnf install epel-release
sudo dnf copr enable @CESNET/nfb-framework
sudo dnf install nfb-framework numactl-devel
sudo dnf install ipfixprobe-input-ndp
```

#### Build from source

You can also build nfb-framework from source from this [[https://github.com/CESNET/ndk-sw|repo]].

```bash
sudo dnf install epel-release
sudo dnf copr enable @CESNET/nfb-framework
sudo dnf install nfb-framework numactl-devel
cd build
cmake -DENABLE_INPUT_NFB=ON ..
cd ..
make -j
sudo make install
```

### Command line

#### Parameters

* **d** or **dev** : Path to a device file.
* **I** or **id** : Link identifier number.

#### Example usage

Capture from a COMBO card using the NDP plugin on three queues and send the IPFIX data to 127.0.0.1:4739 (TCP is the default transport).

```bash
ipfixprobe -i 'ndp;dev=/dev/nfb0:0' -i 'ndp;dev=/dev/nfb0:1' -i 'ndp;dev=/dev/nfb0:2' -o 'ipfix;h=127.0.0.1;p=4739'
```

### Systemd parameters

```yaml
input_plugin:
  ndp:
    device: PATH    # Device for packet capture (e.g., /dev/nfb0) [required]
    queues: "0-15"  # List of queue IDs (e.g., "0,1,2-3,7") [required]
```

ℹ️ You can run ''ipfixprobe -h input'' to see the installed input plugins.

----

### STORAGE

Storage plugins define how flows are **internally stored**. The **CACHE plugin** is activated by default.

##### Command line

Use **-s** to specify the storage plugin.

##### Systemd service

To specify the storage in the configuration file, use ''storage:''.

#### Plugin description

#### CACHE

Currently the **only available** storage plugin.
* A hash table is used to keep the flows.
* The hash table is divided into **rows**.
* Each row is managed as LRU (Least Recently Used).

### Installation

This plugin is **installed by default**.

### Command line

#### Parameters

* **s** or **size** : Defines the number of flows that are kept in the cache at once. Cache size is 2^s.
* **l** or **line** : Defines the length of a cache line (row). Line length is 2^l.
* **a** or **active** : Defines the active timeout. When a flow has been active for more than **-a** seconds, it is exported.
* **i** or **inactive** : Defines the inactive timeout. When a flow has been inactive for more than **-i** seconds, it is exported.
* **S** or **split** : Boolean flag. Defines whether the bidirectional flow between two nodes is **split into 2 separate** unidirectional flows.
* **fe** or **frag-enable** : Enables reassembling fragmented packets into one packet.
* **fs** or **frag-size** : Size of the fragmentation cache.
* **ft** or **frag-timeout** : Timeout for considering fragments as belonging to the same packet.

#### Example usage

Store flows using the **cache, split into two unidirectional** flows.

```bash
ipfixprobe -s 'cache;split' -i 'pcap;file=PATH'
```

### Systemd parameters

```yaml
storage:
  cache:
    size_exponent: (number)      # Cache size as a power of 2 (e.g., 2^20)
    line_size_exponent: (number) # Cache line size as a power of 2 (e.g., 2^4)
    timeouts:
      active: (number)           # Active timeout duration (in seconds)
      inactive: (number)         # Inactive timeout duration (in seconds)
    split_biflow: (bool)         # Whether to split biflow into uniflow (true/false)
    fragmentation_cache:
      enabled: (bool)            # Enable fragmentation cache (true/false)
      size: (number)             # Fragmentation cache size (minimum 1)
      timeout: (number)          # Timeout for fragments in the cache (in seconds)
```

ℹ️ You can run ''ipfixprobe -h storage'' to see the installed storage plugins.

----

### PROCESS

Process plugins specify what data is exported. By default, the **Basic** plugin is activated, giving you core information about the network traffic (MAC addresses, IP addresses, transmitted bytes and packets, ...; for the complete list see below).\\
⚠️ Every process plugin adds **additional** information **on top of the Basic plugin**. This comes with a **big performance hit**, so **ALWAYS** enable the **minimum amount of plugins required**.
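Before moving on to the process plugins, here is an added example (an illustration written for this page, not ipfixprobe's implementation) that models what the CACHE storage parameters above mean: ''size'' and ''line'' exponents give 2^s slots arranged in rows of 2^l entries, each row is kept in LRU order, a record is exported on the active timeout, the inactive timeout, or when it is the least recently used entry of a full row, and without ''split'' the reverse 5-tuple is counted into the same record as the ''*_REV'' counters. The flow keys and timestamps in the sample run are constructed; the row hash (blake2b of the key) is an assumption, chosen only so that both directions of a biflow land in the same row.

```python
"""Toy model of the CACHE storage plugin's parameters (added example, not ipfixprobe code)."""
from dataclasses import dataclass
import hashlib


@dataclass
class Flow:
    key: tuple            # (src_ip, dst_ip, src_port, dst_port, proto), constructed
    first: float          # TIME_FIRST
    last: float           # TIME_LAST
    packets: int = 0      # PACKETS     (src -> dst)
    packets_rev: int = 0  # PACKETS_REV (dst -> src)
    bytes: int = 0        # BYTES
    bytes_rev: int = 0    # BYTES_REV


class FlowCache:
    def __init__(self, size_exp=4, line_exp=2, active=300.0, inactive=30.0, split_biflow=False):
        if line_exp > size_exp:
            raise ValueError("line size exponent must not exceed cache size exponent")
        self.line_len = 1 << line_exp                       # entries per row
        self.rows = [[] for _ in range(1 << (size_exp - line_exp))]
        self.active, self.inactive, self.split = active, inactive, split_biflow
        self.exported = []                                  # list of (Flow, reason)

    @staticmethod
    def _reverse(key):
        src, dst, sport, dport, proto = key
        return (dst, src, dport, sport, proto)

    def _row(self, key):
        # Both directions of a biflow must hash to the same row, so hash an
        # order-independent form of the key unless biflows are split.
        canon = key if self.split else min(key, self._reverse(key))
        digest = hashlib.blake2b(repr(canon).encode(), digest_size=8).digest()
        return self.rows[int.from_bytes(digest, "big") % len(self.rows)]

    def _export(self, row, rec, reason):
        row.remove(rec)
        self.exported.append((rec, reason))

    def packet(self, key, ts, length):
        """Account one packet; returns the record it was counted into."""
        row = self._row(key)
        rec = next((f for f in row if f.key == key or
                    (not self.split and f.key == self._reverse(key))), None)
        if rec is not None:
            if ts - rec.first > self.active:
                self._export(row, rec, "active_timeout"); rec = None
            elif ts - rec.last > self.inactive:
                self._export(row, rec, "inactive_timeout"); rec = None
            else:
                row.remove(rec)                             # re-inserted at the front below
        if rec is None:
            if len(row) >= self.line_len:
                self._export(row, row[-1], "cache_full")    # evict the LRU tail of the row
            rec = Flow(key=key, first=ts, last=ts)
        row.insert(0, rec)                                  # most recently used first
        rec.last = ts
        if rec.key == key:
            rec.packets += 1; rec.bytes += length
        else:
            rec.packets_rev += 1; rec.bytes_rev += length
        return rec

    def flush(self, now):
        """Periodic sweep: export everything idle for longer than the inactive timeout."""
        for row in self.rows:
            for rec in list(row):
                if now - rec.last > self.inactive:
                    self._export(row, rec, "inactive_timeout")
        return len(self.exported)


if __name__ == "__main__":
    cache = FlowCache(size_exp=4, line_exp=2, active=300.0, inactive=30.0)
    fwd = ("10.0.0.1", "10.0.0.2", 40000, 80, 6)   # constructed client -> server key
    cache.packet(fwd, 0.0, 100)
    cache.packet(("10.0.0.2", "10.0.0.1", 80, 40000, 6), 1.0, 200)  # reverse direction
    cache.packet(fwd, 32.0, 60)                    # 31 s idle > inactive: first record exported
    for rec, reason in cache.exported:
        print(reason, rec)
```

The model makes the sizing trade-off visible: a small ''line'' exponent with many concurrent flows produces ''cache_full'' exports (flows are cut short), while a large inactive timeout keeps idle flows resident and costs memory. The ''-s cache;split'' flag corresponds to ''split_biflow=True'', which gives the reverse direction its own record.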
#### Installation

**Most** process plugins are **installed by default**. Some experimental plugins (sip, rtsp, mpls, ntp, nettisa) **must** be installed separately.

##### Binary Packages

```bash
sudo dnf install ipfixprobe-nemea ipfixprobe-nemea-process-experimental
```

##### Build from source

```bash
cd build
cmake -DENABLE_PROCESS_EXPERIMENTAL=ON -DENABLE_NEMEA=ON ..
cd ..
make -j
sudo make install
```

#### Command line

Use **-p** to specify a process plugin (repeat it for each plugin).

##### Example usage

```bash
ipfixprobe -i 'raw;ifc=IFC' -s cache -p basicplus -p vlan -o text
```

#### Systemd service

Use ''process_plugins:'' to specify the process plugins in a configuration file.

##### Example usage

```yaml
process_plugins:
  - http  # HTTP protocol plugin
  - dns   # DNS protocol plugin
  - quic  # QUIC protocol plugin
  - tls   # TLS protocol plugin
  # ...
```

Each plugin exports its data either in Unirec (our in-house format) or in IPFIX (the standard flow export format). Each table below consists of the following columns:
* **Unirec Field** : name of the field in Unirec format
* **IPFIX Field** : name of the field in IPFIX (as used in Ipfixprobe)
* **IANA Name** : name of the STANDARDIZED IPFIX field
* **Unirec Type (size)** : data type of the Unirec field and its size in bytes (8 bits)
* **IPFIX Type (size)** : data type of the IPFIX field and its size in bytes (8 bits)
* **PEN** : Private Enterprise Number:
  * 0 represents an IANA standard field (with IANA Name)
  * >0 represents a custom field defined by a third party: see the [[https://www.iana.org/assignments/enterprise-numbers/|IANA PEN registry]] for the assignee
* **ID** : unique ID of the field within the given PEN: see the [[https://www.iana.org/assignments/ipfix/ipfix.xhtml|IANA IPFIX registry]] for IANA standard fields (with PEN = 0)
* **Description** : short description of the field (Unirec and IPFIX)
* **Direction** : possible values:
  * src : field represents information about the source
  * dst : field represents information about the destination
  * src -> dst : field represents information about communication from the source to the destination
  * dst -> src : field represents information about communication from the destination to the source

For Unirec output plugin fields, the relevant columns are **Unirec Field, Unirec Type (size), Description, Direction**.
For IPFIX output plugin fields, the relevant columns are **IPFIX Field, IANA Name, IPFIX Type (size), PEN, ID, Description, Direction**.

ℹ️ **For IPFIX**: PEN and ID together form the unique identifier of a field. Sometimes the format **ePENidID** is used as the name of the field (especially when no IANA name is available):
* for field L2_DST_MAC with PEN = 0 and ID = 80 : **e0id80**
* for field BYTES_REV with PEN = 29305 and ID = 1 : **e29305id1**

----

#### Plugins description

#### BASIC

This plugin is activated by default; every other process plugin adds fields on top of it. These fields are also exported on the interfaces where the HTTP, DNS, SIP and NTP plugins are active.
* **LINK_BIT_FIELD** or **ODID** (only used by Unirec) : only one at a time, depending on the parameters used.
* **DST/SRC_IP**: IPv4 or IPv6, only one at a time.
* **TIME_FIRST/LAST**: either MSEC or USEC, depending on the CMake parameters Ipfixprobe was compiled with.
* Ipfixprobe uses 1 byte for **TCP_FLAGS** (tcpControlBits) instead of the 2 bytes in the IPFIX standard (reduced-size encoding per RFC 7011 section 6.2). A collector must decode the field with the length declared in the template, not the length from the IANA registry.
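The following is an added example (not ipfixprobe or any collector's code) that shows how the PEN/ID pairs and sizes in these tables become IPFIX template field specifiers (RFC 7011 section 3.2: enterprise bit set on the element ID and the PEN appended), how the ePENidID label is derived, and why a collector has to decode ''TCP_FLAGS'' with the 1-byte length the template declares. The four-field template and the data record are constructed for the example; only fixed-length unsigned fields are handled, so variable-length strings are out of scope.

```python
"""IPFIX template field specifiers for fields from the BASIC table (added example).

Not ipfixprobe code. Demonstrates RFC 7011 s3.2 field specifiers, the ePENidID
naming used on this page, and reduced-size decoding (RFC 7011 s6.2).
"""
import struct

# (ipfixprobe field, PEN, ID, declared length) taken from the BASIC table.
FIELDS = [
    ("BYTES",        0,     1, 8),   # octetDeltaCount
    ("BYTES_REV",    29305, 1, 8),   # private field, hence PEN != 0
    ("L4_TCP_FLAGS", 0,     6, 1),   # tcpControlBits, exported as 1 byte
    ("L4_PORT_DST",  0,    11, 2),   # destinationTransportPort
]


def epen_name(pen: int, iid: int) -> str:
    """ePENidID label, e.g. e29305id1 for BYTES_REV."""
    return f"e{pen}id{iid}"


def encode_field_spec(pen: int, iid: int, length: int) -> bytes:
    """One field specifier: ID(16, high bit = enterprise), length(16), [PEN(32)]."""
    if not 0 <= iid < 0x8000:
        raise ValueError("information element ID must fit in 15 bits")
    if pen == 0:
        return struct.pack("!HH", iid, length)
    return struct.pack("!HHI", 0x8000 | iid, length, pen)


def decode_field_specs(buf: bytes) -> list:
    """Parse consecutive field specifiers into (pen, id, length) tuples."""
    specs, off = [], 0
    while off < len(buf):
        raw_id, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = 0
        if raw_id & 0x8000:
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        specs.append((pen, raw_id & 0x7FFF, length))
    return specs


def decode_record(specs: list, data: bytes) -> dict:
    """Decode one data record using the template's declared lengths.

    A 1-byte tcpControlBits is read as 1 byte even though IANA lists unsigned16;
    a record that does not match the declared lengths is rejected rather than
    silently mis-aligned.
    """
    out, off = {}, 0
    for pen, iid, length in specs:
        out[epen_name(pen, iid)] = int.from_bytes(data[off:off + length], "big")
        off += length
    if off != len(data):
        raise ValueError(f"record length {len(data)} does not match template length {off}")
    return out


def build_template() -> bytes:
    return b"".join(encode_field_spec(pen, iid, ln) for _, pen, iid, ln in FIELDS)


# Constructed record matching FIELDS: 1500 B forward, 700 B reverse, SYN|ACK (0x12), dport 443.
SAMPLE_RECORD = struct.pack("!QQBH", 1500, 700, 0x12, 443)

if __name__ == "__main__":
    template = build_template()
    print(template.hex())
    print(decode_record(decode_field_specs(template), SAMPLE_RECORD))
```

Feeding a record that encodes the flags in 2 bytes (''struct.pack("!QQHH", ...)'') to ''decode_record'' raises, which is the failure a collector hits when it trusts the registry length instead of the template.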
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DST_MAC | L2_DST_MAC | destinationMacAddress | macaddr (6) | macAddress (6) | 0 | 80 | destination MAC address | dst |
| SRC_MAC | L2_SRC_MAC | sourceMacAddress | macaddr (6) | macAddress (6) | 0 | 56 | source MAC address | src |
| DST_IP | L3_IPV4_ADDR_DST | destinationIPv4Address | ipaddr (16) | ipv4Address (4) | 0 | 12 | destination IPv4 address | dst |
| DST_IP | L3_IPV6_ADDR_DST | destinationIPv6Address | ipaddr (16) | ipv6Address (16) | 0 | 28 | destination IPv6 address | dst |
| SRC_IP | L3_IPV4_ADDR_SRC | sourceIPv4Address | ipaddr (16) | ipv4Address (4) | 0 | 8 | source IPv4 address | src |
| SRC_IP | L3_IPV6_ADDR_SRC | sourceIPv6Address | ipaddr (16) | ipv6Address (16) | 0 | 27 | source IPv6 address | src |
| BYTES | BYTES | octetDeltaCount | uint64 (8) | unsigned64 (8) | 0 | 1 | number of bytes in data flow | src -> dst |
| BYTES_REV | BYTES_REV | - | uint64 (8) | unsigned64 (8) | 29305 | 1 | number of bytes in data flow | dst -> src |
| LINK_BIT_FIELD | - | - | uint64 (8) | - | - | - | exporter identification | - |
| ODID | - | - | uint32 (4) | - | - | - | exporter identification | - |
| TIME_FIRST | FLOW_START_MSEC | flowStartMilliseconds | time (8) | dateTimeMilliseconds (8) | 0 | 152 | first time stamp (in ms) | - |
| TIME_FIRST | FLOW_START_USEC | flowStartMicroseconds | time (8) | dateTimeMicroseconds (8) | 0 | 154 | first time stamp (in us) | - |
| TIME_LAST | FLOW_END_MSEC | flowEndMilliseconds | time (8) | dateTimeMilliseconds (8) | 0 | 153 | last time stamp (in ms) | - |
| TIME_LAST | FLOW_END_USEC | flowEndMicroseconds | time (8) | dateTimeMicroseconds (8) | 0 | 155 | last time stamp (in us) | - |
| PACKETS | PACKETS | packetDeltaCount | uint32 (4) | unsigned64 (8) | 0 | 2 | number of packets in data flow | src -> dst |
| PACKETS_REV | PACKETS_REV | - | uint32 (4) | unsigned64 (8) | 29305 | 2 | number of packets in data flow | dst -> src |
| DST_PORT | L4_PORT_DST | destinationTransportPort | uint16 (2) | unsigned16 (2) | 0 | 11 | transport layer destination port | dst |
| SRC_PORT | L4_PORT_SRC | sourceTransportPort | uint16 (2) | unsigned16 (2) | 0 | 7 | transport layer source port | src |
| DIR_BIT_FIELD | INPUT_INTERFACE | ingressInterface | uint8 (1) | unsigned32 (4) | 0 | 10 | bit field for determining outgoing/incoming traffic | - |
| - | L3_PROTO | ipVersion | uint8 (1) | unsigned8 (1) | 0 | 60 | IP version | - |
| PROTOCOL | L4_PROTO | protocolIdentifier | uint8 (1) | unsigned8 (1) | 0 | 4 | transport protocol | - |
| TCP_FLAGS | L4_TCP_FLAGS | tcpControlBits | uint8 (1) | unsigned8 (1) | 0 | 6 | TCP protocol flags | src -> dst |
| TCP_FLAGS_REV | L4_TCP_FLAGS_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 6 | TCP protocol flags | dst -> src |
| - | FLOW_END_REASON | flowEndReason | - | unsigned8 (1) | 0 | 136 | reason for flow termination | - |

#### BASICPLUS

List of fields exported together with BASIC on the interface.
* fields **without _REV** describe the src -> dst direction
* fields **with _REV** describe the opposite (dst -> src) direction

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| IP_TTL | L3_TTL | ipTTL | uint8 (1) | unsigned8 (1) | 0 | 192 | IP Time To Live field | src -> dst |
| IP_TTL_REV | L3_TTL_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 192 | IP Time To Live field | dst -> src |
| IP_FLG | L3_FLAGS | fragmentFlags | uint8 (1) | unsigned8 (1) | 0 | 197 | IP flags | src -> dst |
| IP_FLG_REV | L3_FLAGS_REV | - | uint8 (1) | unsigned8 (1) | 29305 | 197 | IP flags | dst -> src |
| TCP_WIN | L4_TCP_WIN | tcpWindowSize | uint16 (2) | unsigned16 (2) | 0 | 186 | TCP window size | src -> dst |
| TCP_WIN_REV | L4_TCP_WIN_REV | - | uint16 (2) | unsigned16 (2) | 29305 | 186 | TCP window size | dst -> src |
| TCP_OPT | L4_TCP_OPTIONS | tcpOptions | uint64 (8) | unsigned64 (8) | 0 | 209 | TCP options bitfield | src -> dst |
| TCP_OPT_REV | L4_TCP_OPTIONS_REV | - | uint64 (8) | unsigned64 (8) | 29305 | 209 | TCP options bitfield | dst -> src |
| TCP_MSS | L4_TCP_MSS | - | uint32 (4) | unsigned32 (4) | 8057 | 900 | TCP maximum segment size | src -> dst |
| TCP_MSS_REV | L4_TCP_MSS_REV | - | uint32 (4) | unsigned32 (4) | 8057 | 901 | TCP maximum segment size | dst -> src |
| TCP_SYN_SIZE | L4_TCP_SYN_SIZE | - | uint16 (2) | unsigned16 (2) | 8057 | 902 | TCP SYN packet size | - |

#### BSTATS

List of fields exported together with BASIC on the interface.
* **BSTATS_MAXELENCOUNT** (15 by default)
  * Number of bursts in each direction exported by the plugin.
  * The bursts are computed **separately** for each direction.
* **MINIMAL_PACKETS_IN_BURST** (3 by default)
  * When the minimal packet count is not reached, the fields are not exported, to reduce output bandwidth.
* **MAXIMAL_INTERPKT_TIME** (1000 ms by default)
  * Maximum time between two packets for them to be counted into the same burst.
Use, for example, **-DBSTATS_MAXELENCOUNT=30** when recompiling with cmake to change these defaults.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SBI_BRST_PACKETS | SBI_BRST_PACKETS | basicList | uint32* (-) | list (-) | 0 | 291 | Number of packets transmitted in the i-th burst (e8057id1050) | src -> dst |
| SBI_BRST_BYTES | SBI_BRST_BYTES | basicList | uint32* (-) | list (-) | 0 | 291 | Number of bytes transmitted in the i-th burst (e8057id1051) | src -> dst |
| SBI_BRST_TIME_START | SBI_BRST_TIME_START | basicList | time* (-) | list (-) | 0 | 291 | Start time of the i-th burst (e8057id1052) | src -> dst |
| SBI_BRST_TIME_STOP | SBI_BRST_TIME_STOP | basicList | time* (-) | list (-) | 0 | 291 | End time of the i-th burst (e8057id1053) | src -> dst |
| DBI_BRST_PACKETS | DBI_BRST_PACKETS | basicList | uint32* (-) | list (-) | 0 | 291 | Number of packets transmitted in the i-th burst (e8057id1054) | dst -> src |
| DBI_BRST_BYTES | DBI_BRST_BYTES | basicList | uint32* (-) | list (-) | 0 | 291 | Number of bytes transmitted in the i-th burst (e8057id1055) | dst -> src |
| DBI_BRST_TIME_START | DBI_BRST_TIME_START | basicList | time* (-) | list (-) | 0 | 291 | Start time of the i-th burst (e8057id1056) | dst -> src |
| DBI_BRST_TIME_STOP | DBI_BRST_TIME_STOP | basicList | time* (-) | list (-) | 0 | 291 | End time of the i-th burst (e8057id1057) | dst -> src |

#### DNS

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNS_ID | DNS_ID | - | uint16 (2) | unsigned16 (2) | 8057 | 10 | transaction ID | - |
| DNS_ANSWERS | DNS_ANSWERS | - | uint16 (2) | unsigned16 (2) | 8057 | 14 | number of DNS answer records | - |
| DNS_RCODE | DNS_RCODE | - | uint8 (1) | unsigned8 (1) | 8057 | 1 | response code field | - |
| DNS_NAME | DNS_NAME | - | string (-) | string (-) | 8057 | 2 | requested domain name | - |
| DNS_QTYPE | DNS_QTYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 3 | requested type field | - |
| DNS_CLASS | DNS_CLASS | - | uint16 (2) | unsigned16 (2) | 8057 | 4 | class field of the DNS question | - |
| DNS_RR_TTL | DNS_RR_TTL | - | uint32 (4) | unsigned32 (4) | 8057 | 5 | resource record TTL field | - |
| DNS_RLENGTH | DNS_RLENGTH | - | uint16 (2) | unsigned16 (2) | 8057 | 6 | length of DNS_RDATA | - |
| DNS_RDATA | DNS_RDATA | - | bytes (-) | octetArray (-) | 8057 | 7 | resource record specific data | - |
| DNS_PSIZE | DNS_PSIZE | - | uint16 (2) | unsigned16 (2) | 8057 | 8 | requestor's payload size | - |
| DNS_DO | DNS_DO | - | uint8 (1) | unsigned8 (1) | 8057 | 9 | DNSSEC OK bit | - |

#### DNSSD

List of fields exported together with BASIC on the interface.

### Command line parameters

* **t** or **txt** : [FILE] Activates processing of all TXT records. Optionally specifies a whitelist file of TXT records (file line format: service.domain,txt_key1,txt_key2,...).

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNSSD_QUERIES | DNSSD_QUERIES | - | string (-) | string (-) | 8057 | 826 | list of queries for services | - |
| DNSSD_RESPONSES | DNSSD_RESPONSES | - | string (-) | string (-) | 8057 | 827 | list of advertised services | - |

#### FLOW_HASH

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| FLOW_ID | FLOW_ID | flowId | uint64 (8) | unsigned64 (8) | 0 | 148 | hash of the flow - unique flow ID | - |

#### HTTP

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| HTTP_REQUEST_HOST | HTTP_DOMAIN | - | string (-) | string (-) | 39499 | 1 | HTTP request host | - |
| HTTP_REQUEST_URI | HTTP_URI | - | string (-) | string (-) | 39499 | 2 | HTTP request URI | - |
| HTTP_REQUEST_AGENT | HTTP_USERAGENT | - | string (-) | string (-) | 39499 | 20 | HTTP request user agent | - |
| HTTP_REQUEST_REFERER | HTTP_REFERER | - | string (-) | string (-) | 39499 | 3 | HTTP request referer | - |
| HTTP_RESPONSE_STATUS_CODE | HTTP_STATUS | - | uint16 (2) | unsigned16 (2) | 39499 | 12 | HTTP response status code | - |
| HTTP_RESPONSE_CONTENT_TYPE | HTTP_CONTENT_TYPE | - | string (-) | string (-) | 39499 | 10 | HTTP response content type | - |
| HTTP_REQUEST_METHOD | HTTP_METHOD | - | string (-) | string (-) | 8057 | 200 | HTTP request method | - |
| HTTP_RESPONSE_SERVER | HTTP_SERVER | - | string (-) | string (-) | 8057 | 201 | HTTP response server | - |
| HTTP_RESPONSE_SET_COOKIE_NAMES | HTTP_SET_COOKIE_NAMES | - | string (-) | string (-) | 8057 | 202 | all Set-Cookie names of the HTTP response, separated by a delimiter | - |

#### ICMP

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| L4_ICMP_TYPE_CODE | L4_ICMP_TYPE_CODE | icmpTypeCodeIPv4 | uint16 (2) | unsigned16 (2) | 0 | 32 | ICMP type (MSB) and code (LSB) | - |

#### IDPCONTENT

List of fields exported together with BASIC on the interface.
* **IDPCONTENT_SIZE** (100 by default)
  * Number of bytes exported from the first data packet in the SRC -> DST direction and from the first data packet in the DST -> SRC direction.

Use **-DIDPCONTENT_SIZE=number** when recompiling with cmake to change it.

⚠️ These fields carry raw application payload (for HTTP, for example, the start of the request including headers), so treat the exported records as sensitive data.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| IDP_CONTENT | IDP_CONTENT | - | bytes (-) | octetArray (-) | 8057 | 850 | content of the first data packet | src -> dst |
| IDP_CONTENT_REV | IDP_CONTENT_REV | - | bytes (-) | octetArray (-) | 8057 | 851 | content of the first data packet | dst -> src |

#### MPLS

⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| MPLS_TOP_LABEL_STACK_SECTION | MPLS_TOP_LABEL_STACK_SECTION | mplsTopLabelStackSection | bytes (-) | octetArray (-) | 0 | 70 | MPLS label section (without TTL), always 3 bytes | - |

#### MQTT

List of fields exported together with BASIC on the interface.

### Command line parameters

* **tc** or **topiccount** : Export the first **tc** topics from the PUBLISH packet headers. Topics are separated by #. The default value is 0.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| MQTT_TYPE_CUMULATIVE | MQTT_TYPE_CUMULATIVE | - | uint16 (2) | unsigned16 (2) | 8057 | 1033 | types of packets and session present flag, cumulative | - |
| MQTT_VERSION | MQTT_VERSION | - | uint8 (1) | unsigned8 (1) | 8057 | 1034 | MQTT version | - |
| MQTT_CONNECTION_FLAGS | MQTT_CONNECTION_FLAGS | - | uint8 (1) | unsigned8 (1) | 8057 | 1035 | last CONNECT packet flags | - |
| MQTT_KEEP_ALIVE | MQTT_KEEP_ALIVE | - | uint16 (2) | unsigned16 (2) | 8057 | 1036 | last CONNECT keep alive | - |
| MQTT_CONNECTION_RETURN_CODE | MQTT_CONNECTION_RETURN_CODE | - | uint8 (1) | unsigned8 (1) | 8057 | 1037 | last CONNECT return code | - |
| MQTT_PUBLISH_FLAGS | MQTT_PUBLISH_FLAGS | - | uint8 (1) | unsigned8 (1) | 8057 | 1038 | cumulative of PUBLISH packet flags | - |
| MQTT_TOPICS | MQTT_TOPICS | - | string (-) | string (-) | 8057 | 1039 | topics from PUBLISH packet headers | - |

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NB_NAME | NB_NAME | - | string (-) | string (-) | 8057 | 831 | NetBIOS Name Service name | - |
| NB_SUFFIX | NB_SUFFIX | - | uint8 (1) | unsigned8 (1) | 8057 | 832 | NetBIOS Name Service suffix | - |

⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NTS_MEAN | NTS_MEAN | - | float (4) | float (4) | 8057 | 1020 | The mean of the payload lengths of packets. | - |
| NTS_MIN | NTS_MIN | - | uint16 (2) | unsigned16 (2) | 8057 | 1021 | Minimal value from all packet payload lengths. | - |
| NTS_MAX | NTS_MAX | - | uint16 (2) | unsigned16 (2) | 8057 | 1022 | Maximum value from all packet payload lengths. | - |
| NTS_STDEV | NTS_STDEV | - | float (4) | float (4) | 8057 | 1023 | The standard deviation of the payload lengths, i.e., a measure of the variation of the data from the mean. | - |
| NTS_KURTOSIS | NTS_KURTOSIS | - | float (4) | float (4) | 8057 | 1024 | The kurtosis of the payload lengths, i.e., the extent to which the tails of the distribution differ from the tails of a normal distribution. | - |
| NTS_ROOT_MEAN_SQUARE | NTS_ROOT_MEAN_SQUARE | - | float (4) | float (4) | 8057 | 1025 | The root mean square of the payload lengths of packets (a measure of their magnitude). | - |
| NTS_AVERAGE_DISPERSION | NTS_AVERAGE_DISPERSION | - | float (4) | float (4) | 8057 | 1026 | The average absolute difference between each packet payload length and the mean value. | - |
| NTS_MEAN_SCALED_TIME | NTS_MEAN_SCALED_TIME | - | float (4) | float (4) | 8057 | 1027 | Scaled times are defined as the sequence s(t) = t1 − t1, t2 − t1, …, tn − t1. The mean of this sequence is computed in the same way as for NTS_MEAN. | - |
| NTS_MEAN_DIFFTIMES | NTS_MEAN_DIFFTIMES | - | float (4) | float (4) | 8057 | 1028 | Time differences are defined as the sequence dt = tj − ti %%|%% j = i + 1, i in 1, 2, …, n − 1. The mean of this sequence is computed in the same way as for NTS_MEAN. | - |
| NTS_MIN_DIFFTIMES | NTS_MIN_DIFFTIMES | - | float (4) | float (4) | 8057 | 1029 | Minimal value from all time differences, i.e., the minimal gap between packets. | - |
| NTS_MAX_DIFFTIMES | NTS_MAX_DIFFTIMES | - | float (4) | float (4) | 8057 | 1030 | Maximum value from all time differences, i.e., the maximal gap between packets. | - |
| NTS_TIME_DISTRIBUTION | NTS_TIME_DISTRIBUTION | - | float (4) | float (4) | 8057 | 1031 | Describes the distribution of time differences between individual packets. | - |
| NTS_SWITCHING_RATIO | NTS_SWITCHING_RATIO | - | float (4) | float (4) | 8057 | 1032 | Represents the switching ratio between different values of the observed sequence. | - |

⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| NTP_LEAP | NTP_LEAP | - | uint8 (1) | unsigned8 (1) | 8057 | 18 | NTP leap field | - |
| NTP_VERSION | NTP_VERSION | - | uint8 (1) | unsigned8 (1) | 8057 | 19 | NTP message version | - |
| NTP_MODE | NTP_MODE | - | uint8 (1) | unsigned8 (1) | 8057 | 20 | NTP mode field | - |
| NTP_STRATUM | NTP_STRATUM | - | uint8 (1) | unsigned8 (1) | 8057 | 21 | NTP stratum field | - |
| NTP_POLL | NTP_POLL | - | uint8 (1) | unsigned8 (1) | 8057 | 22 | NTP poll interval | - |
| NTP_PRECISION | NTP_PRECISION | - | uint8 (1) | unsigned8 (1) | 8057 | 23 | NTP precision field | - |
| NTP_DELAY | NTP_DELAY | - | uint32 (4) | unsigned32 (4) | 8057 | 24 | NTP root delay | - |
| NTP_DISPERSION | NTP_DISPERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 25 | NTP root dispersion | - |
| NTP_REF_ID | NTP_REF_ID | - | string (-) | string (-) | 8057 | 26 | NTP reference ID | - |
| NTP_REF | NTP_REF | - | string (-) | string (-) | 8057 | 27 | NTP reference timestamp | - |
| NTP_ORIG | NTP_ORIG | - | string (-) | string (-) | 8057 | 28 | NTP origin timestamp | - |
| NTP_RECV | NTP_RECV | - | string (-) | string (-) | 8057 | 29 | NTP receive timestamp | - |
| NTP_SENT | NTP_SENT | - | string (-) | string (-) | 8057 | 30 | NTP transmit timestamp | - |
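The NetTiSA features in the NTS_* table above can be recomputed independently from a flow's packet list, which is useful for checking exported records against a known capture; the following Python is an added example, not ipfixprobe code. It assumes a population standard deviation, kurtosis as the fourth standardized moment (m4 / m2²), and 0.0 for the difference-time fields of single-packet flows; NTS_TIME_DISTRIBUTION and NTS_SWITCHING_RATIO are left out because the table does not give their formulas.

```python
import math

# Constructed sample flow: (timestamp in seconds, payload length in bytes).
SAMPLE_FLOW = [
    (0.000, 120),
    (0.010, 40),
    (0.030, 1400),
    (0.035, 1400),
    (0.100, 60),
    (0.110, 0),
]


def _mean(values):
    return sum(values) / len(values)


def nts_features(packets):
    """Return NTS_* values for a list of (timestamp, payload_length) tuples.

    Only fields whose definition the table gives are computed;
    NTS_TIME_DISTRIBUTION and NTS_SWITCHING_RATIO are omitted because the
    table does not state their formulas.
    """
    if not packets:
        raise ValueError("flow has no packets")
    times = [t for t, _ in packets]
    lengths = [length for _, length in packets]
    n = len(lengths)

    mean = _mean(lengths)
    # Population variance and standard deviation (assumption: no n-1 correction).
    var = _mean([(x - mean) ** 2 for x in lengths])
    stdev = math.sqrt(var)
    # Kurtosis as the fourth standardized moment m4 / var**2 (assumption);
    # a constant sequence has zero variance, so 0.0 is reported instead.
    kurtosis = _mean([(x - mean) ** 4 for x in lengths]) / var ** 2 if var else 0.0
    rms = math.sqrt(_mean([x * x for x in lengths]))
    avg_dispersion = _mean([abs(x - mean) for x in lengths])

    # Scaled times s(t) = t_i - t_1, as defined for NTS_MEAN_SCALED_TIME.
    scaled = [t - times[0] for t in times]
    # Time differences dt_i = t_(i+1) - t_i for i in 1..n-1; empty when n == 1.
    diffs = [times[i + 1] - times[i] for i in range(n - 1)]
    # A single-packet flow has no differences; 0.0 is assumed for those fields.
    return {
        "NTS_MEAN": mean,
        "NTS_MIN": min(lengths),
        "NTS_MAX": max(lengths),
        "NTS_STDEV": stdev,
        "NTS_KURTOSIS": kurtosis,
        "NTS_ROOT_MEAN_SQUARE": rms,
        "NTS_AVERAGE_DISPERSION": avg_dispersion,
        "NTS_MEAN_SCALED_TIME": _mean(scaled),
        "NTS_MEAN_DIFFTIMES": _mean(diffs) if diffs else 0.0,
        "NTS_MIN_DIFFTIMES": min(diffs) if diffs else 0.0,
        "NTS_MAX_DIFFTIMES": max(diffs) if diffs else 0.0,
    }


if __name__ == "__main__":
    for name, value in nts_features(SAMPLE_FLOW).items():
        print(f"{name:24s} {value:.6g}")
```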
List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| OSQUERY_PROGRAM_NAME | OSQUERY_PROGRAM_NAME | - | string (-) | string (-) | 8057 | 852 | The name of the program that handles the connection. | - |
| OSQUERY_USERNAME | OSQUERY_USERNAME | - | string (-) | string (-) | 8057 | 853 | The name of the user who started the process. | - |
| OSQUERY_OS_NAME | OSQUERY_OS_NAME | - | string (-) | string (-) | 8057 | 854 | Distribution or product name. | - |
| OSQUERY_OS_MAJOR | OSQUERY_OS_MAJOR | - | uint16 (2) | unsigned16 (2) | 8057 | 855 | Major release version. | - |
| OSQUERY_OS_MINOR | OSQUERY_OS_MINOR | - | uint16 (2) | unsigned16 (2) | 8057 | 856 | Minor release version. | - |
| OSQUERY_OS_BUILD | OSQUERY_OS_BUILD | - | string (-) | string (-) | 8057 | 857 | Optional build-specific or variant string. | - |
| OSQUERY_OS_PLATFORM | OSQUERY_OS_PLATFORM | - | string (-) | string (-) | 8057 | 858 | OS platform or ID. | - |
| OSQUERY_OS_PLATFORM_LIKE | OSQUERY_OS_PLATFORM_LIKE | - | string (-) | string (-) | 8057 | 859 | Closely related platforms. | - |
| OSQUERY_OS_ARCH | OSQUERY_OS_ARCH | - | string (-) | string (-) | 8057 | 860 | OS architecture. | - |
| OSQUERY_KERNEL_VERSION | OSQUERY_KERNEL_VERSION | - | string (-) | string (-) | 8057 | 861 | Kernel version. | - |
| OSQUERY_SYSTEM_HOSTNAME | OSQUERY_SYSTEM_HOSTNAME | - | string (-) | string (-) | 8057 | 862 | Network hostname including domain. | - |

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| OVPN_CONF_LEVEL | OVPN_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 828 | level of confidence that the flow record is an OpenVPN tunnel | - |

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| DNS_ID | DNS_ID | - | uint16 (2) | unsigned16 (2) | 8057 | 10 | transaction ID | - |
| DNS_ATYPE | DNS_ATYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 11 | response record type | - |
| DNS_NAME | DNS_NAME | - | string (-) | string (-) | 8057 | 2 | question domain name | - |
| DNS_RR_TTL | DNS_RR_TTL | - | uint32 (4) | unsigned32 (4) | 8057 | 5 | resource record TTL field | - |
| - | DNS_RDATA | - | - | octetArray (-) | 8057 | 7 | resource record specific data | - |
| DNS_IP | - | - | ipaddr (4-16) | - | - | - | DNS IP address | - |

List of fields exported together with BASIC on the interface.

  * The plugin exports histograms of **payload sizes** and **inter-packet times** for each direction.
  * The **histogram** bins are scaled logarithmically and are shown in the following table.

### Command line parameters

  * **i** or **includezeroes** : Include zero-payload packets.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| D_PHISTS_IPT | D_PHISTS_IPT | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of inter-packet times (e8057id1063) | dst -> src |
| D_PHISTS_SIZES | D_PHISTS_SIZES | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of packet sizes (e8057id1062) | dst -> src |
| S_PHISTS_IPT | S_PHISTS_IPT | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of inter-packet times (e8057id1060) | src -> dst |
| S_PHISTS_SIZES | S_PHISTS_SIZES | basicList | uint32* (-) | list (-) | 0 | 291 | Histogram of packet sizes (e8057id1061) | src -> dst |

List of fields exported together with BASIC on the interface.

  * This plugin gathers statistics for the first `PSTATS_MAXELEMCOUNT` packets of the **biflow** record (30 by default).
  * Use `-DPSTATS_MAXELEMCOUNT=number` when recompiling with cmake to change this limit.
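The PHISTS and PSTATS exports described above can be reproduced from a packet list to see what the ''includezeroes'' flag changes in the histograms; the following Python is an added example, not ipfixprobe code. The 8 power-of-two bins starting at 16 (the bin edges are not given on this page), millisecond inter-packet times counted from each direction's second packet, and the constructed packets are assumptions.

```python
# Defaults and assumptions for this added example.
PSTATS_MAXELEMCOUNT = 30  # page default; rebuild with -DPSTATS_MAXELEMCOUNT=number to change
HISTOGRAM_BINS = 8        # assumption: 8 log-scaled bins per histogram
FIRST_EDGE_BITS = 4       # assumption: values below 2**4 = 16 share bin 0

# Constructed packets: (time in ms, direction, payload length, TCP flags).
# Direction uses the PPI_PKT_DIRECTIONS convention: 1 = src->dst, -1 = dst->src.
SAMPLE_PACKETS = [
    (0.0,   1,    0, 0x02),  # SYN
    (12.0, -1,    0, 0x12),  # SYN-ACK
    (12.5,  1,    0, 0x10),  # ACK, handshake done
    (13.0,  1,  517, 0x18),  # PSH-ACK, first client payload
    (30.0, -1, 1400, 0x10),
    (30.2, -1, 1400, 0x10),
    (31.0,  1,    0, 0x10),  # bare ACK
    (95.0, -1,  230, 0x18),
]


def phists_bin(value):
    """Logarithmic bin index: [0,16)->0, [16,32)->1, [32,64)->2, ...; last bin is open-ended."""
    v = int(value)
    if v < 2 ** FIRST_EDGE_BITS:
        return 0
    return min(v.bit_length() - FIRST_EDGE_BITS, HISTOGRAM_BINS - 1)


def pstats(packets, limit=PSTATS_MAXELEMCOUNT):
    """PPI_PKT_LENGTHS / PPI_PKT_TIMES / PPI_PKT_DIRECTIONS / PPI_PKT_FLAGS
    for the first `limit` packets of the biflow."""
    first = packets[:limit]
    return {
        "PPI_PKT_LENGTHS": [p[2] for p in first],
        "PPI_PKT_TIMES": [p[0] for p in first],
        "PPI_PKT_DIRECTIONS": [p[1] for p in first],
        "PPI_PKT_FLAGS": [p[3] for p in first],
    }


def phists(packets, include_zeroes=False):
    """S_/D_PHISTS_SIZES and S_/D_PHISTS_IPT, one histogram pair per direction.

    With include_zeroes=False (the behaviour without the includezeroes flag),
    zero-payload packets are dropped before both the size histogram and the
    inter-packet times, so pure ACKs do not distort the IPT histogram.
    IPT is counted from the second packet of each direction (assumption).
    """
    out = {}
    for prefix, direction in (("S", 1), ("D", -1)):
        pkts = [p for p in packets
                if p[1] == direction and (include_zeroes or p[2] > 0)]
        sizes = [0] * HISTOGRAM_BINS
        ipt = [0] * HISTOGRAM_BINS
        prev = None
        for t, _, length, _ in pkts:
            sizes[phists_bin(length)] += 1
            if prev is not None:
                ipt[phists_bin(t - prev)] += 1
            prev = t
        out[f"{prefix}_PHISTS_SIZES"] = sizes
        out[f"{prefix}_PHISTS_IPT"] = ipt
    return out


if __name__ == "__main__":
    print(pstats(SAMPLE_PACKETS))
    print(phists(SAMPLE_PACKETS))
    print(phists(SAMPLE_PACKETS, include_zeroes=True))
```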
### Command line parameters

  * **i** or **includezeroes** : Include zero-payload packets.
  * **s** or **skipdup** : Skip duplicate TCP packets.

### Fields description

The following fields are **UniRec arrays** (or **basicList in IPFIX**).

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| PPI_PKT_LENGTHS | STATS_PCKT_SIZES | basicList | uint16* (-) | list (-) | 0 | 291 | sizes of the first packets (e8057id1013) | - |
| PPI_PKT_TIMES | STATS_PCKT_TIMESTAMPS | basicList | time* (-) | list (-) | 0 | 291 | timestamps of the first packets (e8057id1014) | - |
| PPI_PKT_DIRECTIONS | STATS_PCKT_DIRECTIONS | basicList | int8* (-) | list (-) | 0 | 291 | directions of the first packets (e8057id1016) | - |
| PPI_PKT_FLAGS | STATS_PCKT_TCPFLGS | basicList | uint8* (-) | list (-) | 0 | 291 | TCP flags for each packet (e8057id1015) | - |

List of fields exported together with BASIC on the interface.

  * **-with-quic-ch-full-tls-ext** : enables the extraction of all TLS extensions in the Client Hello.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| QUIC_SNI | QUIC_SNI | - | string (-) | string (-) | 8057 | 890 | Decrypted server name. | - |
| QUIC_USER_AGENT | QUIC_USER_AGENT | - | string (-) | string (-) | 8057 | 891 | Decrypted user agent. | - |
| QUIC_VERSION | QUIC_VERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 892 | QUIC version from the first server long header packet. | - |
| QUIC_CLIENT_VERSION | QUIC_CLIENT_VERSION | - | uint32 (4) | unsigned32 (4) | 8057 | 893 | QUIC version from the first client long header packet. | - |
| QUIC_TOKEN_LENGTH | QUIC_TOKEN_LENGTH | - | uint64 (8) | unsigned64 (8) | 8057 | 894 | Token length from Initial and Retry packets. | - |
| QUIC_OCCID | QUIC_OCCID | - | bytes (-) | octetArray (-) | 8057 | 895 | Source Connection ID from the first client packet. | - |
| QUIC_OSCID | QUIC_OSCID | - | bytes (-) | octetArray (-) | 8057 | 896 | Destination Connection ID from the first client packet. | - |
| QUIC_SCID | QUIC_SCID | - | bytes (-) | octetArray (-) | 8057 | 897 | Source Connection ID from the first server packet. | - |
| QUIC_RETRY_SCID | QUIC_RETRY_SCID | - | bytes (-) | octetArray (-) | 8057 | 898 | Source Connection ID from the Retry packet. | - |
| QUIC_MULTIPLEXED | QUIC_MULTIPLEXED | - | uint8 (1) | unsigned8 (1) | 8057 | 899 | > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs). | - |
| QUIC_ZERO_RTT | QUIC_ZERO_RTT | - | uint8 (1) | unsigned8 (1) | 8057 | 889 | Number of 0-RTT packets in the flow. | - |
| QUIC_SERVER_PORT | QUIC_SERVER_PORT | - | uint16 (2) | unsigned16 (2) | 8057 | 887 | TODO Server port determined by packet type and TLS message. | - |
| QUIC_PACKETS | QUIC_PACKETS | basicList | uint8* (-) | list (-) | 0 | 291 | QUIC long header packet type (v1 encoded), version negotiation, QUIC bit. (e8057id888) | - |
| QUIC_CH_PARSED | QUIC_CH_PARSED | - | uint8 (1) | unsigned8 (1) | 8057 | 886 | > 0 if the TLS Client Hello was parsed without errors. | - |
| QUIC_TLS_EXT_TYPE | QUIC_TLS_EXT_TYPE | basicList | uint16* (-) | list (-) | 0 | 291 | TLS extensions in the TLS Client Hello. (e8057id885) | - |
| QUIC_TLS_EXT_LEN | QUIC_TLS_EXT_LEN | basicList | uint16* (-) | list (-) | 0 | 291 | Length of each TLS extension. (e8057id884) | - |
| QUIC_TLS_EXT | QUIC_TLS_EXT | - | bytes (-) | octetArray (-) | 8057 | 883 | Payload of all TLS extensions, or of the application_layer_protocol_negotiation and quic_transport_parameters extensions only. | - |

⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| RTSP_REQUEST_METHOD | RTSP_METHOD | - | string (-) | string (-) | 8057 | 1040 | RTSP request method name. | - |
| RTSP_REQUEST_AGENT | RTSP_USERAGENT | - | string (-) | string (-) | 8057 | 1041 | RTSP request user agent. | - |
| RTSP_REQUEST_URI | RTSP_URI | - | string (-) | string (-) | 8057 | 1042 | RTSP request URI. | - |
| RTSP_RESPONSE_STATUS_CODE | RTSP_STATUS | - | uint16 (2) | unsigned16 (2) | 8057 | 1043 | RTSP response status code. | - |
| RTSP_RESPONSE_CONTENT_TYPE | RTSP_CONTENT_TYPE | - | string (-) | string (-) | 8057 | 1044 | RTSP response content type. | - |
| RTSP_RESPONSE_SERVER | RTSP_SERVER | - | string (-) | string (-) | 8057 | 1045 | RTSP response server field. | - |

List of fields exported together with BASIC on the interface.

  * Computes the TCP handshake round-trip time.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| TCPRTT_TIME | TCP_RTT | - | uint64 (8) | unsigned64 (8) | 8057 | 904 | TCP handshake round-trip time. | - |

⚠️ This plugin is experimental and must be installed separately. For more details, check the installation information above.

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SIP_MSG_TYPE | SIP_MSG_TYPE | - | uint16 (2) | unsigned16 (2) | 8057 | 100 | SIP message code | - |
| SIP_STATUS_CODE | SIP_STATUS_CODE | - | uint16 (2) | unsigned16 (2) | 8057 | 101 | status of the SIP request | - |
| SIP_CSEQ | SIP_CSEQ | - | string (-) | string (-) | 8057 | 108 | CSeq field of the SIP packet | - |
| SIP_CALLING_PARTY | SIP_CALLING_PARTY | - | string (-) | string (-) | 8057 | 103 | calling party (From) URI | - |
| SIP_CALLED_PARTY | SIP_CALLED_PARTY | - | string (-) | string (-) | 8057 | 104 | called party (To) URI | - |
| SIP_CALL_ID | SIP_CALL_ID | - | string (-) | string (-) | 8057 | 102 | call ID | - |
| SIP_USER_AGENT | SIP_USER_AGENT | - | string (-) | string (-) | 8057 | 106 | User-Agent field of the SIP packet | - |
| SIP_REQUEST_URI | SIP_REQUEST_URI | - | string (-) | string (-) | 8057 | 107 | SIP request URI | - |
| SIP_VIA | SIP_VIA | - | string (-) | string (-) | 8057 | 105 | Via field of the SIP packet | - |

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SMTP_2XX_STAT_CODE_COUNT | SMTP_CODE_2XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 816 | number of 2XX status codes | - |
| SMTP_3XX_STAT_CODE_COUNT | SMTP_CODE_3XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 817 | number of 3XX status codes | - |
| SMTP_4XX_STAT_CODE_COUNT | SMTP_CODE_4XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 818 | number of 4XX status codes | - |
| SMTP_5XX_STAT_CODE_COUNT | SMTP_CODE_5XX_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 819 | number of 5XX status codes | - |
| SMTP_COMMAND_FLAGS | SMTP_COMMANDS | - | uint32 (4) | unsigned32 (4) | 8057 | 810 | bit array of commands present | - |
| SMTP_MAIL_CMD_COUNT | SMTP_MAIL_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 811 | number of MAIL commands | - |
| SMTP_RCPT_CMD_COUNT | SMTP_RCPT_COUNT | - | uint32 (4) | unsigned32 (4) | 8057 | 812 | number of RCPT commands | - |
| SMTP_STAT_CODE_FLAGS | SMTP_STATUS_CODES | - | uint32 (4) | unsigned32 (4) | 8057 | 815 | bit array of status codes present | - |
| SMTP_DOMAIN | SMTP_DOMAIN | - | string (-) | string (-) | 8057 | 820 | domain name of the SMTP client | - |
| SMTP_FIRST_SENDER | SMTP_SENDER | - | string (-) | string (-) | 8057 | 813 | first sender in a MAIL command | - |
| SMTP_FIRST_RECIPIENT | SMTP_RECIPIENT | - | string (-) | string (-) | 8057 | 814 | first recipient in an RCPT command | - |

List of fields exported together with BASIC on the interface.

The detector searches for the SYN, SYN-ACK, ACK pattern in packet lengths. Multiple occurrences of this pattern within one flow suggest a tunneled connection.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SSA_CONF_LEVEL | SSA_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 903 | 1 if an SSA sequence was detected, 0 otherwise | - |

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| SSDP_LOCATION_PORT | SSDP_LOCATION_PORT | - | uint16 (2) | unsigned16 (2) | 8057 | 821 | service port | - |
| SSDP_SERVER | SSDP_SERVER | - | string (-) | string (-) | 8057 | 822 | server info | - |
| SSDP_USER_AGENT | SSDP_USER_AGENT | - | string (-) | string (-) | 8057 | 823 | list of user agents | - |
| SSDP_NT | SSDP_NT | - | string (-) | string (-) | 8057 | 824 | list of advertised service URNs | - |
| SSDP_ST | SSDP_ST | - | string (-) | string (-) | 8057 | 825 | list of queried service URNs | - |

List of fields exported together with BASIC on the interface.
### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| TLS_SNI | TLS_SNI | - | string (-) | string (-) | 8057 | 808 | TLS server name indication field from the client | - |
| TLS_ALPN | TLS_ALPN | - | string (-) | string (-) | 39499 | 337 | TLS application-layer protocol negotiation (ALPN) field from the server | - |
| TLS_VERSION | TLS_VERSION | - | uint16 (2) | unsigned16 (2) | 39499 | 333 | TLS client protocol version | - |
| TLS_JA3 | TLS_JA3 | - | bytes (-) | octetArray (-) | 39499 | 357 | TLS client JA3 fingerprint | - |
| TLS_JA4 | TLS_JA4 | - | string (-) | string (-) | 8057 | 809 | TLS client JA4 fingerprint | - |
| TLS_EXT_TYPE | TLS_EXT_TYPE | basicList | uint16* (-) | list (2) | 0 | 291 | TLS extensions in the TLS Client Hello | - |
| TLS_EXT_LEN | TLS_EXT_LEN | basicList | uint16* (-) | list (2) | 0 | 291 | Length of each TLS extension | - |

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| VLAN_ID | VLAN_ID | vlanId | uint16 | unsigned16 | 0 | 58 | VLAN ID (used in the flow key) | - |

List of fields exported together with BASIC on the interface.

### Fields description

^ Unirec Field ^ IPFIX Field ^ IANA Name ^ Unirec Type (size) ^ IPFIX Type (size) ^ PEN ^ ID ^ Description ^ Direction ^
| WG_CONF_LEVEL | WG_CONF_LEVEL | - | uint8 (1) | unsigned8 (1) | 8057 | 1100 | level of confidence that the flow record is a WireGuard tunnel | - |
| WG_SRC_PEER | WG_SRC_PEER | - | uint32 (4) | unsigned32 (4) | 8057 | 1101 | ephemeral SRC peer identifier | src |
| WG_DST_PEER | WG_DST_PEER | - | uint32 (4) | unsigned32 (4) | 8057 | 1102 | ephemeral DST peer identifier | dst |

ℹ️ You can run ''ipfixprobe -h process'' to see the installed process plugins.

---

### OUTPUT

Output plugins define how **flows are exported**.
⚠️ You can choose **only one type of output plugin**.

##### Command line

Use **-o** to specify the output plugin.

##### Systemd service

To specify the output plugin in the configuration file, use ''%%output_plugin:%%'' followed by the **plugin name** (e.g., ipfix:, unirec:, text:) on a new line. After that, you can specify **parameters** for the plugin.

##### Example of configuration file

```
output_plugin:
  ipfix:
    collector:
      host: localhost
      port: 4739
```

#### Plugins description

Use the text plugin to write flows directly to the **terminal** or to a **text file**.

### Installation

This plugin is **installed by default**.

### Command line

#### Parameters

  * **f** or **file** : Defines the path of a file to write the output to instead of stdout.
  * **m** or **mac** : Boolean flag. MAC addresses are hidden if set.

#### Example usage

Print exported flows to the terminal without MAC addresses:

```
ipfixprobe -o 'text;mac' -i 'pcap;file=...;' -s 'cache'
```

Print exported flows to the file FILE:

```
ipfixprobe -o 'text;f=FILE' -i 'pcap;file=...;' -s 'cache'
```

### Systemd parameters

```
output_plugin:
  text:
    file: (path)   # Path to output file (use null for stdout)
```

**IP Flow Information Export** (IPFIX) is a standard protocol for exporting **network flow information** from probes running on routers, switches and firewalls directly to **collectors** on the local network. We recommend our collector [[https://github.com/CESNET/ipfixcol2|ipfixcol2]], but you can use any collector that supports IPFIX input.

### Installation

This plugin is **installed by default**.

### Command line

#### Parameters

  * **h** or **host** : Defines the IP address of the remote collector.
  * **p** or **port** : Defines the collector port to send data to.
  * **m** or **mtu** : Defines the maximum size of the IPFIX packet payload sent.
  * **u** or **udp** : Boolean flag. UDP is used if set.
  * **n** or **non-blocking-tcp** : Boolean flag. A non-blocking TCP socket is used if set.
  * **I** or **id** : Defines the exporter ID.
  * **t** or **template** : Defines the template refresh rate in seconds.
  * **d** or **dir** : (NUM) Dir bit field value.
  * **v** or **verbose** : Enables verbose mode.
  * **c** or **lz4-compression** : Enables LZ4 compression.
  * **s** or **lz4-buffer-size** : LZ4 compression buffer size (default and minimum: mtu*3).

#### Example usage

Send exported data to localhost using UDP, as the exporter with ID 3:

```
ipfixprobe -o 'ipfix;h=127.0.0.1;u;I=3' -i 'pcap;file=...;' -s 'cache'
```

Send exported data to `localhost:4739` using non-blocking TCP, with the maximum transfer unit set to 2000:

```
ipfixprobe -o 'ipfix;h=127.0.0.1;p=4739;n;mtu=2000' -i 'pcap;file=...;' -s 'cache'
```

### Systemd parameters

```
output_plugin:
  ipfix:
    collector:
      host: localhost     # IPFIX collector address [required]
      port: (number)      # IPFIX collector port [required]
    mtu: (number)         # Maximum size of IPFIX packets
    exporter:
      id: (number)        # Exporter ID for IPFIX [required]
      dir: (number)       # Direction bit field value (0 = incoming, 1 = outgoing)
    protocol:             # IMPORTANT: Only one protocol can be selected: UDP or TCP.
      udp:
        template_refresh: (number)  # Template refresh rate for UDP protocol (in seconds)
      tcp:
        non_blocking: (bool)        # Whether to use non-blocking TCP sockets (true/false)
    compression:
      lz4:
        enabled: (bool)       # Enable LZ4 compression for IPFIX (true/false)
        buffer_size: (number) # Buffer size for LZ4 compression (default: mtu * 3)
```

This plugin exports data in our [[https://github.com/CESNET/Nemea-Framework/tree/master/unirec|UNIREC format]]. It is mainly used to **send data directly to NEMEA modules**. The format is defined by a fixed list of **key-value pairs**. To see the list of **UNIREC fields**, check the sections of the specific **process plugins** you are using.

### Installation

#### Binary Packages

```
sudo dnf install ipfixprobe-nemea ipfixprobe-nemea-output-unirec
```

#### Build from source

```
dnf install libtrap libtrap-devel unirec-devel unirec
cd build
cmake -DENABLE_NEMEA=ON -DENABLE_OUTPUT_UNIREC=ON ..
cd ..
make -j
sudo make install
```

### Command line

#### Parameters

  * **i** or **ifc** : Defines the UniRec interface to use; see the [[https://github.com/CESNET/Nemea-Framework/blob/master/libtrap/README.ifcspec.md|interface specification guide]].
  * **p** or **plugins** : Defines the plugin-to-interface mapping. Plugins can be grouped like ''(p1,p2,p3),p4,(p5,p6)''.
  * **o** or **odid** : Boolean flag. If set, exports the ODID field.
  * **e** or **eof** : Boolean flag. If set, sends an EOF message on exit.
  * **I** or **id** : Defines the exporter ID.
  * **h** or **help** : Prints the libtrap help.
  * **d** or **dir** : (NUM) Dir bit field value.
  * **v** or **verbose** : Increases verbosity.

#### Example usage

Send exported data to the Unix socket ''ipfixprobe'':

```
ipfixprobe -o 'unirec;i=u:ipfixprobe' -i 'pcap;file=...' -s 'cache'
```

Same as above, but with ''timeout=WAIT'' and ''buffer=off'' on the interface; use this variant with small pcap files so that no data is left unsent:

```
ipfixprobe -o 'unirec;i=u:ipfixprobe:timeout=WAIT:buffer=off' -i 'pcap;file=...' -s 'cache'
```

Save the exported data to the file ''data.trapcap'':

```
ipfixprobe -o 'unirec;i=f:data.trapcap' -i 'pcap;file=...' -s 'cache'
```

Read packets from a pcap file, enable 4 processing plugins, send L7 HTTP extended biflows to the UniRec interface named ''http'', and data from the 3 other plugins to the ''stats'' interface:

```
ipfixprobe -i 'pcap;file=pcaps/http.pcap' -p http -p pstats -p idpcontent -p phists -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
```

### Systemd parameters

The UniRec output plugin cannot yet be configured through the systemd service configuration file.

ℹ️ You can run ''ipfixprobe -h output'' to see the installed output plugins.