Question: can nfcapd collect flows on a TCP port?
Hi, I am looking for an IPFIX collector to receive traffic on a TCP port. I noticed that nfcapd uses a datagram socket to listen on a UDP port.
I want the channel to be a connection-oriented one. Any suggestions? With socket changes, will nfcapd be able to accept IPFIX traffic on a TCP port?
Thank you!
Well - IPFIX is not defined to be transported over TCP, as far as I know. However, you would need to change the socket code, in order to switch to TCP. Although this is not a big issue, you would need an exporter, which can send IPFIX over TCP.
Thank you for your response! Yes, I have an exporter sending IPFIX over TCP. Other than the socket code in 'src/collector/nfnet.c', what other changes might be required, for example anything for extracting the TCP packet? I'll try making the socket changes.
Please have a look at the section Template Management in RFC7011. There are differences in the template management between TCP, SCTP and UDP as transport protocol.
Thanks @matwei. I'll have a look at that. In real life, I have never come across SCTP or TCP, as almost no one implements that. If I am going to implement other protocols, I need to be able to test all those scenarios properly. So far I have no SCTP or TCP exporter at my fingertips. Any pointers are welcome! If it turns out that SCTP or TCP is a need, I am happy to implement that.
@nikita1211 Besides the socket code in nfnet.c, you need to change the data accept part in nfcapd.c - recvfrom needs to be replaced by proper protocol handling. Proper also means handling multiple streams etc.
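A sketch of the stream handling that would replace the one-datagram-per-`recvfrom` assumption, added here as an example and not taken from nfdump: TCP delivers a byte stream, so the collector has to cut it into IPFIX messages using the 16-byte message header from RFC 7011 (version 10, 16-bit length that includes the header). All names (`ipfix_stream_t`, `ipfix_stream_feed`, `sum_len_cb`) are hypothetical, with one state object assumed per exporter connection.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPFIX_VERSION 10      /* RFC 7011 message header: version field */
#define IPFIX_HDR_LEN 16      /* fixed message header size in bytes */
#define IPFIX_MAX_MSG 65535   /* Length is a 16-bit field */

typedef struct {              /* hypothetical per-connection reassembly state */
    uint8_t buf[IPFIX_MAX_MSG];
    size_t  used;
} ipfix_stream_t;

typedef void (*ipfix_msg_cb)(const uint8_t *msg, size_t len, void *ctx);

/* Feed the bytes returned by one recv() call. Returns the number of complete
 * messages handed to cb, or -1 if the header is invalid; a TCP stream cannot
 * be resynchronised, so the caller should then close the connection. */
int ipfix_stream_feed(ipfix_stream_t *s, const uint8_t *data, size_t n,
                      ipfix_msg_cb cb, void *ctx)
{
    int delivered = 0;
    do {
        size_t chunk = sizeof(s->buf) - s->used;   /* never overrun buf */
        if (chunk > n) chunk = n;
        memcpy(s->buf + s->used, data, chunk);
        s->used += chunk; data += chunk; n -= chunk;
        size_t off = 0;
        while (s->used - off >= IPFIX_HDR_LEN) {
            const uint8_t *h = s->buf + off;
            uint16_t version = (uint16_t)(h[0] << 8 | h[1]);
            uint16_t length  = (uint16_t)(h[2] << 8 | h[3]);
            if (version != IPFIX_VERSION || length < IPFIX_HDR_LEN)
                return -1;             /* untrusted length: reject, no resync */
            if (s->used - off < length)
                break;                 /* partial message: wait for more bytes */
            cb(h, length, ctx);        /* one complete IPFIX message */
            off += length; delivered++;
        }
        memmove(s->buf, s->buf + off, s->used - off);  /* keep the partial tail */
        s->used -= off;
    } while (n > 0);
    return delivered;
}

/* Sample callback for the example: adds each message length to *ctx. */
void sum_len_cb(const uint8_t *msg, size_t len, void *ctx)
{ (void)msg; *(size_t *)ctx += len; }
```

Template state would also have to be kept per connection rather than per source address, which is the difference the RFC 7011 Template Management section covers.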
I also didn't see an IPFIX exporter using SCTP or TCP before.
After some searching I found ipfixprobe from CESNET, which seems to be able to use TCP. I haven't had the time to look into it.
If TCP and/or SCTP is a general user request, I'd happily have a look at it. Please add comments. For now I suspend this request until more requests show up. As the next release is due in a short time, I do not want to make any bigger changes other than bug fixes right now.