libfixbuf - IPFIX Protocol Library

Getting started with libfixbuf


libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Exchange of Flow Information" (RFC 7011). It supports the information model defined in "Information Model for IP Flow Information Export" (RFC 7012), extended as proposed by "Bidirectional Flow Export using IPFIX" (RFC 5103) to support information elements for representing biflows. libfixbuf supports structured data elements as described in "Export of Structured Data in IPFIX" (RFC 6313), which adds the ability to export basicLists, subTemplateLists, and subTemplateMultiLists. libfixbuf can export type information for IPFIX elements as described in "Exporting Type Information for IPFIX Information Elements" (RFC 5610), and it supports reading this information.

libfixbuf supports UDP, TCP, SCTP, TLS over TCP, and Spread as transport protocols. Support for DTLS over UDP and DTLS over SCTP is forthcoming. It also supports operation as an IPFIX File Writer or IPFIX File Reader as defined in "Specification of the IPFIX File Format" (RFC 5655).

libfixbuf's public API is defined in public.h; see the Getting started with libfixbuf section or public.h for general documentation on getting started with libfixbuf, as well as detailed documentation on the public API calls and data types.

ipfixDump is a command line tool for printing the contents of an IPFIX file as text. As of libfixbuf-2.3.0, ipfixDump is distributed with libfixbuf. (Previously it was distributed with YAF.)

A Python API to libfixbuf is available in the pyfixbuf package, distributed separately.


libfixbuf is distributed from


libfixbuf uses a reasonably standard autotools-based build system. The customary build procedure (./configure && make && make install) should work in most environments.

The ipfixDump application, its manual page, and a support file (cert_ipfix.xml) are built and installed by default (as of libfixbuf-2.3.0). Use –disable-tools to bulid and install the libfixbuf library only.

libfixbuf requires GLib-2.0 version 2.18 or later. GLib is available on most modern Linux distributions and BSD ports collections or in source form.

libfixbuf automatically uses the getaddrinfo(3) facility and the accompanying dual IPv4/IPv6 stack support if present. getaddrinfo(3) must be present to export or collect flows over IPv6.

libfixbuf does not build with SCTP support by default. The –with-sctp option must be given to the libfixbuf ./configure script to include SCTP support. Also note that SCTP requires kernel support, and applications built against libfixbuf with libsctp may fail at runtime if that kernel support is not present.

libfixbuf does not build with TLS support by default. The –with-openssl option must be given to the libfixbuf ./configure script to include TLS support.

Spread support requires Spread 4.1 or later. libfixbuf does not build with Spread support by default. The –with-spread option must be given to libfixbuf ./configure script to include Spread support.


The following are known issues with libfixbuf as of version 1.0.0:

  • There is no support for DTLS over UDP or DTLS over SCTP transport.
  • There is no support for application-selectable SCTP stream assignment or SCTP partial reliability. Templates are sent reliably on stream 0, and data sets are sent reliably on stream 1.
  • There is no automatic support for periodic template retransmission or periodic template expiration as required when transporting IPFIX over UDP. Applications using libfixbuf to transport IPFIX messages over UDP must maintain these timeouts and manually manage the session. However, inactive UDP collector sessions are timed out after 30 minutes, at which time the session is freed and all templates associated with the session are removed.


libfixbuf is copyright 2005-2023 Carnegie Mellon University, and is released under the GNU Lesser General Public License (LGPL) Version 3. See the LICENSE.txt file in the distribution for details.

libfixbuf was developed at Carnegie Mellon University by Brian Trammell and the CERT Network Situational Awareness Group Engineering Team for use in the YAF and SiLK tools.