
Understanding ipFixPrinter module for Vermont

Here is the output of the various stdout formats available from ipfixprinter:

table:

srcip   dstip   srcport dstport prot    srcpkts dstpkts srcoct  dstoct  srcstart        srcend  dststart        dstend  srcplen dstplen forcedexp       revart     flowcnt tranoct revtranoct
8.8.8.8  192.168.100.27   443     2050    0       4631    0       6889619 0       1367430677347   1367430688342   0       0       0       0       0  0       13105524809039621472    13160276945998446592
192.168.100.27   8.8.8.8  2050    443     0       2149    0       85960   0       1367430677347   1367430688342   0       0       0       0       0  0       13105480347538162928    13160276945998446592
192.168.100.170   192.168.100.23   22      5199    0       13      0       1532    0       1367430677348   1367430680400   0       0       0       0       0  0       13105524809039621472    13160276945998446592
192.168.101.22     192.168.100.36   34773   5432    0       83      0       12106   0       1367430677349   1367430688237   0       0       0       0       0  0       13105480347538162928    13160276945998446592

tree:

-+--- Ipfix Data Data Record (id=997, preceding=0) from non-IPv4 address:0 (0)
 `- fixed data
 '   `- protocolIdentifier (id=4, length=1)                         : UDP
 `- variable data
 '   `- sourceIPv4Address (id=8, length=5)                          : 192.168.100.111/32
 '   `- destinationIPv4Address (id=12, length=5)                    : 192.168.100.251/32
 '   `- sourceTransportPort (id=7, length=2)                        : 62523
 '   `- destinationTransportPort (id=11, length=2)                  : 53
 '   `- flowStartMilliSeconds (id=152, length=8)                    : 1367431737884 (Wed May  1 14:08:57 2013)
 '   `- flowEndMilliSeconds (id=153, length=8)                      : 1367431737884 (Wed May  1 14:08:57 2013)
 '   `- octetDeltaCount (id=1, length=8)                            : 67
 '   `- packetDeltaCount (id=2, length=8)                           : 1
 `---


-+--- Ipfix Data Data Record (id=997, preceding=0) from non-IPv4 address:0 (0)
 `- fixed data
 '   `- protocolIdentifier (id=4, length=1)                         : UDP
 `- variable data
 '   `- sourceIPv4Address (id=8, length=5)                          : 192.168.100.251/32
 '   `- destinationIPv4Address (id=12, length=5)                    : 192.168.100.111/32
 '   `- sourceTransportPort (id=7, length=2)                        : 53
 '   `- destinationTransportPort (id=11, length=2)                  : 62523
 '   `- flowStartMilliSeconds (id=152, length=8)                    : 1367431737890 (Wed May  1 14:08:57 2013)
 '   `- flowEndMilliSeconds (id=153, length=8)                      : 1367431737890 (Wed May  1 14:08:57 2013)
 '   `- octetDeltaCount (id=1, length=8)                            : 230
 '   `- packetDeltaCount (id=2, length=8)                           : 1
 `---

line:

           Flow recvd.           Flow start   Duratn  Prot           Src IP:Port           Dst IP:Port Pckts Bytes
-----------------------------------------------------------------------------------------------------------------
2013-05-01 14:10:25.120  2013-05-01 14:10:24 2799331.0944   ---   192.168.100.21:49357      4.2.2.1:443     1   130
2013-05-01 14:10:25.120  2013-05-01 14:10:24 2799332.0944   ---      4.2.2.1:443   192.168.100.21:49321     1    40

It appears that the easiest stdout format to consume from other tools is the `table` option.

Here is a way to turn that output into a comma-separated list using awk:

/usr/local/bin/vermont -f /usr/local/share/vermont/configs/flow-inspector-stdout_table.xml | awk '{$1=$1}1' OFS=","

The field output is:

srcip,dstip,srcport,dstport,prot,srcpkts,dstpkts,srcoct,dstoct,srcstart,srcend,dststart,dstend,srcplen,dstplen,forcedexp,revstart,flowcnt,tranoct,revtranoct

./src/modules/ipfix/IpfixPrinter.cpp contains:

// one line per flow, 20 tab-separated columns in the header order shown above
void IpfixPrinter::printTableRecord(IpfixDataRecord* record)
{
    Connection c(record);
    fprintf(fh, "%s\t%s\t%hu\t%hu\t%hhu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%u\t%u\t%hhu\t%hhu\t%u\t%llu\t%llu\n",
            IPToString(c.srcIP).c_str(), IPToString(c.dstIP).c_str(), ntohs(c.srcPort), ntohs(c.dstPort), c.protocol,
            (long long unsigned)ntohll(c.srcPackets), (long long unsigned)ntohll(c.dstPackets), (long long unsigned)ntohll(c.srcOctets), (long long unsigned)ntohll(c.dstOctets),
            (long long unsigned)c.srcTimeStart, (long long unsigned)c.srcTimeEnd, (long long unsigned)c.dstTimeStart, (long long unsigned)c.dstTimeEnd,
            c.srcPayloadLen, c.dstPayloadLen, c.dpaForcedExport, c.dpaReverseStart, c.dpaFlowCount,
            (long long unsigned)c.srcTransOctets, (long long unsigned)c.dstTransOctets);
}

An IpfixDataRecord is defined in ./src/modules/ipfix/IpfixRecord.hpp:

class IpfixDataRecord : public IpfixRecord, public ManagedInstance<IpfixDataRecord> {
        public:
                IpfixDataRecord(InstanceManager<IpfixDataRecord>* im) : ManagedInstance<IpfixDataRecord>(im) {}

                boost::shared_ptr<TemplateInfo> templateInfo;
                int dataLength;
                boost::shared_array<IpfixRecord::Data> message; /**< data block that contains @c data */
                IpfixRecord::Data* data; /**< pointer to start of field data in @c message. Undefined after @c message goes out of scope. */

                // redirector to reference remover of ManagedInstance
                virtual void removeReference() { ManagedInstance<IpfixDataRecord>::removeReference(); }
                virtual void addReference(int count = 1) { ManagedInstance<IpfixDataRecord>::addReference(count); }
};

Connection is defined in ./src/modules/ipfix/Connection.h:

Back to redis for flow-inspector:
So, we need the following IPFIX information elements for input:
sourceIPv4Address = Connection.srcIP = first column
destinationIPv4Address = Connection.dstIP = second column
sourceTransportPort = Connection.srcPort = third column
destinationTransportPort = Connection.dstPort = fourth column
protocolIdentifier = Connection.protocol = fifth column
packetDeltaCount = n/a
octetDeltaCount = n/a

Both of the latter are available in the “line” view of the ipFixPrinter module according to the code in ./src/modules/ipfix/IpfixPrinter.cpp, as long as the fields aren’t NULL, so I guess they are null? hmm…
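As an added example (not code from the original post or from Vermont), here is a small Python parser for the `table` format that does what the awk one-liner above does and also picks out the five IPFIX information elements listed above for flow-inspector. It assumes whitespace-separated columns as shown on this page, and it flags rows whose field count does not match the header (the rows shown above carry 19 values under 20 column names, so anything after the first five columns is positionally unreliable there).

```python
import csv
import io

# Constructed sample input: header and two rows copied from the `table` output
# above (19 values under 20 column names, as shown there) plus one constructed
# row filling all 20 columns.
SAMPLE_TABLE = """\
srcip dstip srcport dstport prot srcpkts dstpkts srcoct dstoct srcstart srcend dststart dstend srcplen dstplen forcedexp revstart flowcnt tranoct revtranoct
8.8.8.8 192.168.100.27 443 2050 0 4631 0 6889619 0 1367430677347 1367430688342 0 0 0 0 0 0 13105524809039621472 13160276945998446592
192.168.100.170 192.168.100.23 22 5199 0 13 0 1532 0 1367430677348 1367430680400 0 0 0 0 0 0 13105524809039621472 13160276945998446592
192.168.101.22 192.168.100.36 34773 5432 6 83 0 12106 0 1367430677349 1367430688237 0 0 0 0 0 0 1 13105480347538162928 13160276945998446592
"""

# Table column -> IPFIX information element, as listed above for flow-inspector.
IE_BY_COLUMN = {
    "srcip": "sourceIPv4Address",
    "dstip": "destinationIPv4Address",
    "srcport": "sourceTransportPort",
    "dstport": "destinationTransportPort",
    "prot": "protocolIdentifier",
}

def table_to_csv(text):
    """Same effect as awk '{$1=$1}1' OFS=",": whitespace runs become commas."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for line in text.splitlines():
        if line.strip():
            writer.writerow(line.split())
    return out.getvalue()

def parse_table(text):
    """Header + rows -> dicts keyed by column; rows whose field count differs
    from the header are kept but flagged, since later columns are misaligned."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        rec = dict(zip(header, fields))  # zip stops at the shorter side
        rec["_column_mismatch"] = len(fields) != len(header)
        records.append(rec)
    return records

def to_flow_inspector(rec):
    """Select the five IEs listed above; ports and protocol become integers."""
    ie = {IE_BY_COLUMN[col]: rec[col] for col in IE_BY_COLUMN}
    for key in ("sourceTransportPort", "destinationTransportPort", "protocolIdentifier"):
        ie[key] = int(ie[key])
    return ie
```

Feed `parse_table` the real stdout of the vermont command above and check `_column_mismatch` before trusting any column past the five needed here.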
