ipfixcol2

Contribution to ipfixcol2

Open alireza-moradi opened this issue 4 years ago • 4 comments

Hi, I'm interested in this project and thinking about developing intermediate plugins. Is there any guideline document to start from?

alireza-moradi, May 17 '21 08:05

Hi,

What kind of intermediate plugin are you interested in?

Unfortunately, there is no tutorial that describes how to develop IPFIXcol2 plugins right now. Nevertheless, I recommend that you look at the simple anonymization plugin for inspiration.

Each intermediate plugin must contain the following structure and 3 functions:

  • struct ipx_plugin_info ipx_plugin_info - structure with a description of the plugin (name, type, version, etc.)
  • int ipx_plugin_init(ipx_ctx_t *ctx, const char *params) - plugin initialization where XML configuration should be processed and all your data structures for flow processing must be prepared.
  • void ipx_plugin_destroy(ipx_ctx_t *ctx, void *cfg) - plugin destruction
  • int ipx_plugin_process(ipx_ctx_t *ctx, void *cfg, ipx_msg_t *msg) - main processing function

Documentation of the interface function is available here.

When a new NetFlow/IPFIX message arrives, your processing function ipx_plugin_process() is called. In the function you can go through a bunch of annotated flows identified in the message and process them.

Lukas

Lukas955, May 18 '21 08:05

I have geoip and filter plugins in mind.

alireza-moradi, May 18 '21 10:05

Internally we already have intermediate plugins for flow filtration (and traffic profiling). They will be published here probably within two months after code review.

GeoIP and ASN intermediate plugins would be welcomed.

For flow enrichment there is an API interface ipx_ctx_ext_producer that allows intermediate plugins to register and fill an additional data structure that will be part of each flow record. Other (usually output) plugins can then access them later through the ipx_ctx_ext_consumer API. In other words, the extensions are not a direct part of the original flow records and it is necessary to later add support directly to particular output plugins to be able to process them. I know that it would be nice to enrich flow records by adding additional record fields directly into the flow record; however, it is not available right now and it would require significant changes in the internal design.

By the way, can I ask you if you are already using IPFIXcol2 for processing your flows or are you just experimenting?

Lukas955, May 18 '21 12:05

If it needs significant changes, maybe I need some other ways to enrich data. Yes, I'm using IPFIXcol2 for processing NetFlow records. Anyhow, I should thank you for this product.

alireza-moradi, May 22 '21 09:05