IPFIX File Collectors

How-To Read IPFIX Files

Using fixbuf to read from IPFIX Files as a Collecting Process is very much like the Export case.

Create an fbInfoModel_t using fbInfoModelAlloc(). If needed, add any vendor-specific information elements using fbInfoModelAddElement(), fbInfoModelAddElementArray(), fbInfoModelReadXMLFile(), or fbInfoModelReadXMLData().

Create an fbSession_t state container using fbSessionAlloc().

For each type of record you expect to read, create an internal template to describe it: Use fbTemplateAlloc() to allocate the template and fbTemplateAppendSpecArray(), fbTemplateAppendSpec(), fbTemplateAppend(), fbTemplateAppendArraySpecId(), or fbTemplateAppendSpecId(), to specify its elements. Unlike when exporting data, external templates do not need to be added for collection as they are defined by the templates in the file.

Use fbSessionAddTemplate() to add each Template to the Session.

Create the fbCollector_t to encapsulate the file, using the fbCollectorAllocFP() or fbCollectorAllocFile() calls. (For network collection, see Network Collectors).

With an fbSession_t and an fbCollector_t available, create a Buffer (fBuf_t) for reading via fBufAllocForCollection().

To read all records using a single template, set the internal template with fBufSetInternalTemplate(). Call fBufNext() to read records from the IPFIX Messages in the input stream until it returns FALSE.

To vary the internal template depending on the external template, the main reading loop is slightly different. First call fBufNextCollectionTemplate() to examine the template of the next record, then use fBufSetInternalTemplate() and fBufNext() to get that record.

By default, fBufNext() will consume an IPFIX Message from the input stream when the end of the message buffer is reached on read. The fBufSetAutomaticNextMessage() call can be used to modify this behavior, causing fBufNext() to return FB_ERROR_EOM when at end of message. Use this if your application requires manual control of message collection. In this case, fBufNextMessage() will consume a Message from the input stream.

Complete sample_collector.c program:

#include <fixbuf/public.h>
#define FATAL(e) \
{ fprintf(stderr, "Failed at %s:%d: %s\n", \
__FILE__, __LINE__, e->message); \
exit(1); }
int main()
{
fbInfoElementSpec_t collectTemplate[] = {
{"flowStartMilliseconds", 8, 0 },
{"flowEndMilliseconds", 8, 0 },
{"sourceIPv4Address", 4, 0 },
{"destinationIPv4Address", 4, 0 },
{"sourceTransportPort", 2, 0 },
{"destinationTransportPort", 2, 0 },
{"protocolIdentifier", 1, 0 },
{"paddingOctets", 3, 0 },
{"packetTotalCount", 8, 0 },
{"octetTotalCount", 8, 0 },
{"ipPayloadPacketSection", 0, 0 },
FB_IESPEC_NULL
};
struct collectRecord_st {
uint64_t flowStartMilliseconds;
uint64_t flowEndMilliseconds;
uint32_t sourceIPv4Address;
uint32_t destinationIPv4Address;
uint16_t sourceTransportPort;
uint16_t destinationTransportPort;
uint8_t protocolIdentifier;
uint8_t padding[3];
uint64_t packetTotalCount;
uint64_t octetTotalCount;
fbVarfield_t payload;
} collectRecord;
fbInfoModel_t *model;
fbSession_t *session;
fbCollector_t *collector;
fbTemplate_t *tmpl;
fBuf_t *fbuf;
uint16_t tid;
size_t reclen;
GError *err = NULL;
memset(&collectRecord, 0, sizeof(collectRecord));
model = fbInfoModelAlloc();
// Use if needed to define elements used by YAF.
//if (!fbInfoModelReadXMLFile(model, "cert_ipfix.xml", &err))
// FATAL(err);
session = fbSessionAlloc(model);
tmpl = fbTemplateAlloc(model);
if (!fbTemplateAppendSpecArray(tmpl, collectTemplate, ~0, &err))
FATAL(err);
if (!(tid = fbSessionAddTemplate(
session, TRUE, FB_TID_AUTO, tmpl, NULL, &err)))
FATAL(err);
collector = fbCollectorAllocFP(NULL, stdin);
fbuf = fBufAllocForCollection(session, collector);
if (!fBufSetInternalTemplate(fbuf, tid, &err))
FATAL(err);
reclen = sizeof(collectRecord);
while (fBufNext(fbuf, (uint8_t *)&collectRecord, &reclen, &err)) {
// Print or process the collectRecord
fbTemplate_st
An IPFIX template or options template structure.
Definition: private.h:108
public.h
Fixbuf IPFIX protocol library public interface.
fBufNext
gboolean fBufNext(fBuf_t *fbuf, uint8_t *recbase, size_t *recsize, GError **err)
Retrieves a record from a Buffer associated with a collecting process.
fbSessionAlloc
fbSession_t * fbSessionAlloc(fbInfoModel_t *model)
Allocates an empty transport session state container.
fbInfoModelAlloc
fbInfoModel_t * fbInfoModelAlloc(void)
Allocates a new information model.
FB_TID_AUTO
#define FB_TID_AUTO
Template ID argument used when adding an fbTemplate_t to an fbSession_t that automatically assigns a ...
Definition: public.h:1574
fBufSetInternalTemplate
gboolean fBufSetInternalTemplate(fBuf_t *fbuf, uint16_t int_tid, GError **err)
Sets the internal template on a buffer to the given template ID.
fBufAllocForCollection
fBuf_t * fBufAllocForCollection(fbSession_t *session, fbCollector_t *collector)
Allocates a new buffer for collection.
fbSessionAddTemplate
uint16_t fbSessionAddTemplate(fbSession_t *session, gboolean internal, uint16_t tid, fbTemplate_t *tmpl, fbTemplateInfo_t *tmplInfo, GError **err)
Adds a Template to a Session.
fbInfoModel_t
struct fbInfoModel_st fbInfoModel_t
An IPFIX information model.
Definition: public.h:164
fbSession_t
struct fbSession_st fbSession_t
An IPFIX Transport Session state container.
Definition: public.h:1711
fBuf_t
struct fBuf_st fBuf_t
An IPFIX message buffer.
Definition: public.h:139
fbCollectorAllocFP
fbCollector_t * fbCollectorAllocFP(void *ctx, FILE *fp)
Allocates a collecting process endpoint for an open file.
fbTemplateAlloc
fbTemplate_t * fbTemplateAlloc(fbInfoModel_t *model)
Allocates a new empty template.
fbCollector_t
struct fbCollector_st fbCollector_t
IPFIX Collecting Process endpoint.
Definition: public.h:2086
FB_IESPEC_NULL
#define FB_IESPEC_NULL
Convenience macro defining a null information element specification initializer (fbInfoElementSpec_t)...
Definition: public.h:1596
fbTemplateAppendSpecArray
gboolean fbTemplateAppendSpecArray(fbTemplate_t *tmpl, const fbInfoElementSpec_t *spec, uint32_t wantedFlags, GError **err)
Appends information elements described by a specifier array to a template.
fbInfoElementSpec_st
A single IPFIX Information Element specification.
Definition: public.h:1606
fbVarfield_st
A variable-length field value.
Definition: public.h:147
}
if (!g_error_matches(err, FB_ERROR_DOMAIN, FB_ERROR_EOF))
FATAL(err);
g_clear_error(&err);
// This frees the Buffer, Session, Templates, and Collector.
fBufFree(fbuf);
fbInfoModelFree(model);
return 0;
}
// EndOfExample
fBufFree
void fBufFree(fBuf_t *fbuf)
Frees a buffer.
FB_ERROR_DOMAIN
#define FB_ERROR_DOMAIN
All fixbuf errors are returned within the FB_ERROR_DOMAIN domain.
Definition: public.h:52
FB_ERROR_EOF
#define FB_ERROR_EOF
End of IPFIX Message stream.
Definition: public.h:69
fbInfoModelFree
void fbInfoModelFree(fbInfoModel_t *model)
Frees an information model.

Previous: Exporter Usage | Next: Template Definition