What is Ipfixprobe?
Ipfixprobe is a high-performance network probe (flow exporter).
It processes packet data from various input sources (such as a network interface controller (NIC) or capture file) and generates bidirectional flow records. These records are then exported to an external system, such as a file, flow collector, or visualization tool.
Additionally, ipfixprobe supports a plugin architecture, with a rich selection of input, output, and processing plugins, allowing you to customize the probe for your specific needs.
ℹ️ Get started with ipfixprobe monitoring on your network.
Main Features
High Performance
- Ipfixprobe can support traffic up to 400 Gbps.
Versatility
- Ipfixprobe can be installed on anything from cutting-edge backbone infrastructure to a small SOHO OpenWrt router.
Plugin Support
- Ipfixprobe supports a large number of plugins to tailor to your specific needs, including TLS, QUIC, HTTP, DNS, and many more.
DPDK Support
- Optimized for high-speed packet processing using DPDK.
Frequently asked questions
A flow is a sequence of packets (communication from A ↔ B) that share common characteristics (source, destination, protocol, etc.) and are treated as a single communication session.
A flow contains basic information about the communication, such as the MAC address, IP address, transferred bits, errors, and more (depending on which process plugins you use).
Types of Flows
- Bidirectional – (default) Communication from A → B and B → A is treated as a single flow.
- Unidirectional – Communication from A → B and B → A are treated as two distinct flows allowing you to analyze input and output communication separately.
ℹ️ Use -s 'cache;split' to change flows to unidirectional.
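The difference between the two flow types, shown as an added example (not ipfixprobe's own code): a minimal flow cache that aggregates constructed sample packets by 5-tuple, either merging both directions into one record or keeping them separate. The record field names, the `split` parameter, and the `one_way` helper are hypothetical and chosen for illustration.

```python
# Constructed sample packets: (src_ip, dst_ip, src_port, dst_port, proto, bytes)
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 51514, 443, 6, 120),   # A -> B
    ("192.0.2.10", "10.0.0.5", 443, 51514, 6, 1400),  # B -> A
    ("10.0.0.5", "192.0.2.10", 51514, 443, 6, 80),    # A -> B
    ("10.0.0.7", "198.51.100.3", 40000, 53, 17, 60),  # C -> D, never answered
]


def aggregate(packets, split=False):
    """Group packets into flow records keyed by 5-tuple.

    split=False: bidirectional; A -> B and B -> A share one record whose
                 "source" side is the sender of the first packet seen.
    split=True:  unidirectional; each direction gets its own record.
    """
    flows = {}
    for src, dst, sport, dport, proto, size in packets:
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in flows:
            key, suffix = fwd, ""
        elif not split and rev in flows:
            # Reverse direction of a flow that is already in the cache.
            key, suffix = rev, "_rev"
        else:
            key, suffix = fwd, ""
            flows[key] = {"pkts": 0, "bytes": 0, "pkts_rev": 0, "bytes_rev": 0}
        flows[key]["pkts" + suffix] += 1
        flows[key]["bytes" + suffix] += size
    return flows


def one_way(biflows):
    """Bidirectional records that never saw reverse traffic (unanswered requests)."""
    return [key for key, rec in biflows.items() if rec["pkts_rev"] == 0]


if __name__ == "__main__":
    for mode in (False, True):
        print("split" if mode else "bidirectional")
        for key, rec in aggregate(PACKETS, split=mode).items():
            print("  ", key, rec)
    print("one-way:", one_way(aggregate(PACKETS)))
```

With bidirectional records, request and response counters sit side by side, so unanswered traffic is visible in a single record; in split mode the same check requires joining two records.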
- Detect suspicious or anomalous behaviour.
- Read side-channel patterns.
- Identify malware activity.
- Recognize internet protocols in traffic.
- Detect cryptocurrency mining.
- Analyze network performance and characteristics.
- …and many more
There are many plugins to choose from.
For input, we recommend using the PCAP plugin for network monitoring with speeds up to 1 Gbps. For networks faster than that, use the DPDK plugin (up to 400 Gbps). (The RAW input plugin works out of the box and is good for testing and very small networks.)
As for output, use the IPFIX plugin to export data in a standardized format to any collector or use the Unirec plugin to export data directly into NEMEA modules. (The TEXT plugin is good for testing the probe.)
Yes, you can, but not directly with ipfixprobe. You can use the TEXT output plugin and export data to a text file, but this is not very effective. We recommend using our in-house collector, Ipfixcol2, which can export data into JSON, IPFIX, or FSD (efficient long-term storage) file formats.
Yes, you can. Ipfixprobe is an open-source project built to be highly modular. See the developer section for detailed instructions on how to create your own plugin, or contact us for help with getting your plugin up and running.
Yes, Ipfixprobe can export data in standardized IPFIX format. As long as your collector supports receiving data in this format, you should be able to use it.