Jool
sessions logs to NETFLOW v9
feature request in subj, please
Please elaborate. I've never used Netflow.
- What is Jool supposed to do?
- What constitutes a "session log"?
- Can't you just parse the output of [`stats display --csv`](https://nicmx.github.io/Jool/en/usr-flags-stats.html) and feed it to Netflow?
I need to log all connections... netflow is the best way.. example for netflow - https://github.com/aabc/ipt-netflow (natevents), just like "global update logging-session yes" but to netflow...
or maybe you can add a "follow" option for "stats display --csv" to echo all new connections to stdout like a daemon? Without "follow", fast connections may be lost if I do it with crontab... like this: jool session display --csv --numeric --follow | script_for_parse_and_save
I can do it with "logging-session yes" and "dmesg -w | grep Jool | script_for_parse_and_save", but this way there is a lot of trash in dmesg.
Thank you, sorry for bad English, I hope you understand me.
Er... I don't know if you're still around, but this seems like a good idea. I don't have time to make something very formal, but I left a simple prototype in the `jnetflow` branch. Maybe it's all you need.
Assuming you have 4.1.12 installed, here's the installation recipe:

```
git clone https://github.com/NICMx/Jool.git
cd Jool
git checkout jnetflow
./autogen.sh
./configure
make
cd src/usr/jnetflow # No need to install anything else because you already have it
sudo make install
```
Then, once you have Jool running (and assuming its instance name is `potato`), do

```
$ sudo jool g u ss-enabled true
$ sudo jool g u ss-flush-asap false # Recommended, not actually necessary
$ jnetflow potato
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,57248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
```
(The instance name defaults to "default" as usual.)
For TCP and UDP, the columns are
- IPv6 peer address
- IPv6 peer port
- IPv6-masked IPv4 peer address
- IPv4 peer port (yes, this is redundant)
- IPv4-masked IPv6 peer address
- IPv4-masked IPv6 peer port
- IPv4 peer address
- IPv4 peer port
- Layer 4 Protocol (pretends ICMP is L4)
- Milliseconds to expiration
For ICMP,
- IPv6 peer address
- IPv6 ICMP identifier
- IPv6-masked IPv4 peer address
- IPv6 ICMP identifier (yes, this is redundant)
- IPv4-masked IPv6 peer address
- IPv4 identifier
- IPv4 peer address
- IPv4 identifier (yes, this is redundant)
- Layer 4 Protocol (pretends ICMP is L4)
- Milliseconds to expiration
Are you sure this is what you want? I feel like what you really want is BIB entries, not session entries.
Yes, I need sessions.
It works, thank you!
Hello again.
I've been trying to formalize this for Jool 4.1.13. I made three changes:
1. Streamline the program count by dropping the extra binary. Instead of `jnetflow potato` you will now have to run `jool -i potato session follow`.
2. Drop the IPv6-masked IPv4 peer address and the corresponding port. (Sorry, but this simplifies the code, as the address is the only field not readily available.) The output now looks like this:

```
$ jool session follow
2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,57248
2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
```
I'm hoping this is not going to matter, because the address always equals the pool6 prefix plus the IPv4 peer address, and the port was always redundant, as stated before.
Updated documentation here.
3. Deprecate `ss-flush-asap`. You no longer need this: `sudo jool g u ss-flush-asap false`, because the latest Jool hardcodes `ss-flush-asap` as `false`, and ignores changes to it.
One more thing: I noticed there's an accidental significant difference between `jool session follow` and `logging-session`: The latter prints session deaths, while the former does not. Furthermore, the expiration date cannot really be estimated from the output, because it doesn't print the current time. Is this a problem?
Feedback would be appreciated. I'm planning to release 4.1.13 during the next weekend.
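A small parser for these lines, added here as an example (it is not Jool's code nor anything posted in this thread): it accepts both the ten-column jnetflow layout and the eight-column `jool session follow` layout, stamps each line with the receipt time so the expiry can be stated as an absolute clock value (the follow output carries no timestamp), and folds the repeated refresh lines into one entry per session before anything is handed to a collector. The sample lines at the bottom are constructed from the outputs shown above.

```python
from dataclasses import dataclass

# The 4.1.12 jnetflow prototype printed 10 columns; 4.1.13 `jool session follow`
# drops the IPv6-masked IPv4 address and its redundant port (columns 3 and 4).
PROTOTYPE_COLS, FOLLOW_COLS = 10, 8

@dataclass(frozen=True)
class Session:
    v6_addr: str       # IPv6 peer address
    v6_port: int       # IPv6 peer port (ICMP identifier for ICMP)
    xlat_addr: str     # IPv4-masked IPv6 peer address
    xlat_port: int     # IPv4-masked IPv6 peer port
    v4_addr: str       # IPv4 peer address
    v4_port: int       # IPv4 peer port
    proto: str         # TCP, UDP or ICMP
    expires_at: float  # absolute Unix time; Jool only prints ms-to-expiry

def parse_session_line(line, now):
    """Parse one CSV line of either layout; return None for junk lines.
    `now` is the receipt time, because the output carries no timestamp."""
    fields = line.strip().split(",")
    if len(fields) == PROTOTYPE_COLS:
        del fields[2:4]  # drop the redundant masked-IPv4 address and port
    if len(fields) != FOLLOW_COLS:
        return None
    try:
        return Session(fields[0], int(fields[1]), fields[2], int(fields[3]),
                       fields[4], int(fields[5]), fields[6],
                       now + int(fields[7]) / 1000.0)
    except ValueError:
        return None

def collapse_sessions(lines, now):
    """Fold repeated refresh lines into one entry per session (keyed on the
    peers and protocol), keeping the latest expiry seen."""
    table = {}
    for line in lines:
        s = parse_session_line(line, now)
        if s is None:
            continue
        key = (s.v6_addr, s.v6_port, s.v4_addr, s.v4_port, s.proto)
        if key not in table or s.expires_at > table[key].expires_at:
            table[key] = s
    return table

SAMPLE = [  # constructed sample: one session refreshed in both layouts, plus junk
    "2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,57248",
    "2001:db8::5,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248",
    "not,a,session,line",
]
```

Pipe `jool -i potato session follow` into a loop that calls `parse_session_line(line, time.time())` and the resulting records carry everything the thread's column list describes plus an absolute expiry.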
Version 4.1.13 released; closing.