The source code below is an example of using the libfixbuf library. It was written for libfixbuf 1.x and has not been modified to support libfixbuf 2.x.

Once the code is compiled, the yaf_file_mediator program reads IPFIX files generated by YAF and writes the flow data as text to the standard output or to a text file. The program is able to read the Deep Packet Inspection (DPI) elements exported from YAF's DPI plugin or DHCP fingerprinting plugin.

For YAF to export DPI information, it must have been configured with --enable-plugins when it was built; you can check whether it was by running yaf --version. When running YAF, pass the DPI plugin (dpacketplugin.la) as the argument to --plugin-name. See the YAF manual page for details.

The program requires GLib 2.12 or later and libfixbuf 1.x. To use the included CMake configuration file, CMake 2.8 or later is required.

Source Code

Source code v1.1.0, 2012-09-18

(SHA256=556861bb8f06554610029be20005e5a047f8fdde3a20e189eb67a8db8bcfc1f4)

Building

First, make sure you have libfixbuf 1.x (not 2.x) installed. You may need to set the PKG_CONFIG_PATH environment variable to the location of the libfixbuf.pc file. (If you used a package manager to install libfixbuf, ensure that the development headers and libraries are installed. These may be in a separate package with a -devel or -dev suffix.)

If you have CMake installed, you can use the included configuration file.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
cmake .
make

Alternatively, run the configure script.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
./configure
make

Running

yaf_file_mediator takes an IPFIX file generated by YAF as input and writes text to a file or to stdout.

./yaf_file_mediator --input file.yaf --output dest_file.txt

Each flow record produces output similar to the following:

Template ID is 45840
Application Label: 80
Source IP: 10.10.10.172
Destination IP: 10.10.172.10
Source Port: 1370
Destination Port: 80
flowStartTime: 1207802506600
flowEndTime: 1207802508331
flowEndReason: 4
Protocol: 6
Octet Total Count: 1839
Reverse Octet count: 69148
Packet Total Count: 35
Reverse Packet Total Count: 49
TCP Initial Seq Number: 3956172446
Initial TCP Flags: S
Union TCP Flags: AP
TCP Reverse Initial Seq Number: 3591133997
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: AP
HTTP userAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP GET: /wikipedia/en/6/60/Wikinews-logo-51px.png
HTTP Version: HTTP/1.1
HTTP Version: HTTP/1.0
HTTP Referer: http://en.wikipedia.org/wiki/Wikipedia
HTTP Host: upload.wikimedia.org
HTTP Age: 2025
HTTP Response: 200 OK

It also outputs YAF process statistics if YAF ran with statistics output enabled (the default):

----------OPTIONS--------------
Exported Flow Count: 27
Packet Total Count: 481
Dropped Packets: 0
Ignored Packets: 0
Expired Fragment Count: 0
Assembled Fragment Count: 0
FlowTable Flush Events: 5
FlowTable Peak Count: 22
Exporter IPv4 Address: 10.20.11.51
Exporting Process ID: 0
Mean Flow Rate: 7079
Mean Packet Rate: 126081
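The text above is what most people end up post-processing, so the following added example (my own code, not part of yaf_file_mediator or YAF) parses the mediator's output into structured records. It assumes the layout shown on this page: a "Template ID is N" line starts each flow, the dashed OPTIONS line starts a statistics block, and every other line is "Key: Value" with the first ": " separating key from value. The sample input is constructed from the records printed above (statistics block shortened). The point worth noticing is that DPI elements can repeat within one flow (the two HTTP Version lines), so a naive dict would silently drop one of them.

```python
# Added example (not part of yaf_file_mediator): parse the mediator's text output
# into structured records. Assumes the layout shown on the page: a "Template ID is N"
# line starts each flow, a dashed OPTIONS line starts the statistics block, and
# every other line is "Key: Value" (the first ": " separates key from value).
import re

FLOW_HEADER = re.compile(r"^Template ID is (\d+)$")
STATS_HEADER = re.compile(r"^-+OPTIONS-+$")

# Constructed sample input: the flow record from the page followed by the first
# lines of its statistics block, in the order the mediator prints them.
SAMPLE_OUTPUT = """\
Template ID is 45840
Application Label: 80
Source IP: 10.10.10.172
Destination IP: 10.10.172.10
Source Port: 1370
Destination Port: 80
flowStartTime: 1207802506600
flowEndTime: 1207802508331
flowEndReason: 4
Protocol: 6
Octet Total Count: 1839
Reverse Octet count: 69148
Packet Total Count: 35
Reverse Packet Total Count: 49
TCP Initial Seq Number: 3956172446
Initial TCP Flags: S
Union TCP Flags: AP
TCP Reverse Initial Seq Number: 3591133997
Reverse Initial TCP Flags: AS
Reverse Union TCP Flags: AP
HTTP userAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
HTTP GET: /wikipedia/en/6/60/Wikinews-logo-51px.png
HTTP Version: HTTP/1.1
HTTP Version: HTTP/1.0
HTTP Referer: http://en.wikipedia.org/wiki/Wikipedia
HTTP Host: upload.wikimedia.org
HTTP Age: 2025
HTTP Response: 200 OK

----------OPTIONS--------------
Exported Flow Count: 27
Packet Total Count: 481
Dropped Packets: 0
Exporter IPv4 Address: 10.20.11.51
"""


def _coerce(value):
    # Purely numeric values become int; IPs, flags, "200 OK", user agents stay text.
    return int(value) if value.isdigit() else value


def _store(record, key, value):
    # DPI elements can repeat within a flow (two "HTTP Version" lines above);
    # keep every occurrence in a list instead of overwriting the first one.
    if key not in record:
        record[key] = value
    elif isinstance(record[key], list):
        record[key].append(value)
    else:
        record[key] = [record[key], value]


def parse_mediator_output(text):
    """Return (flows, stats): lists of dicts, one per flow record / OPTIONS block."""
    flows, stats, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = FLOW_HEADER.match(line)
        if m:
            current = {"templateId": int(m.group(1))}
            flows.append(current)
            continue
        if STATS_HEADER.match(line):
            current = {}
            stats.append(current)
            continue
        if current is None:
            raise ValueError(f"line {lineno}: data before any record header")
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"line {lineno}: not a 'Key: Value' line: {line!r}")
        _store(current, key, _coerce(value))
    return flows, stats


def flow_duration_ms(flow):
    # flowStartTime / flowEndTime are milliseconds since the Unix epoch.
    return flow["flowEndTime"] - flow["flowStartTime"]


def flow_summary(flow):
    """Flat one-record view of a flow (e.g. for JSON-lines export to a SIEM)."""
    host, uri = flow.get("HTTP Host", ""), flow.get("HTTP GET", "")
    return {
        "sip": flow["Source IP"], "sport": flow["Source Port"],
        "dip": flow["Destination IP"], "dport": flow["Destination Port"],
        "proto": flow["Protocol"], "applabel": flow.get("Application Label"),
        "bytes_fwd": flow["Octet Total Count"],
        "bytes_rev": flow.get("Reverse Octet count", 0),
        "duration_ms": flow_duration_ms(flow),
        "http_url": host + uri if (host or uri) else None,
        "http_status": flow.get("HTTP Response"),
    }
```

Feed the whole mediator output file to parse_mediator_output and map flow_summary over the flows; the parser raises on any line it cannot attribute to a record rather than guessing, which is the behaviour you want when the text format changes between YAF versions.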

Known Issues

The source code has not been updated to support libfixbuf 2.x. The code compiles against 2.x, but running it causes it to abort with the message "ERROR: Attempt to set internal template 0xffff, which has a defaulted length".