Contribution to ipfixcol2 #52

Open
alireza-moradi opened this issue May 17, 2021 · 4 comments
Comments

@alireza-moradi

Hi, I'm interested in this project and thinking about developing intermediate plugins. Is there any guideline document to start from?

@Lukas955
Collaborator

Hi,

what kind of intermediate plugin are you interested in?

Unfortunately, there is no tutorial that describes how to develop IPFIXcol2 plugins right now. Nevertheless, I recommend you look at the simple anonymization plugin for inspiration.

Each intermediate plugin must contain the following structure and 3 functions:

  • struct ipx_plugin_info ipx_plugin_info - structure with a description of the plugin (name, type, version, etc.)
  • int ipx_plugin_init(ipx_ctx_t *ctx, const char *params) - plugin initialization where XML configuration should be processed and all your data structures for flow processing must be prepared.
  • void ipx_plugin_destroy(ipx_ctx_t *ctx, void *cfg) - plugin destruction
  • int ipx_plugin_process(ipx_ctx_t *ctx, void *cfg, ipx_msg_t *msg) - main processing function

Documentation of the interface functions is available here.

When a new NetFlow/IPFIX message arrives, your processing function ipx_plugin_process() is called. In the function you can go through a bunch of annotated flows identified in the message and process them.

Lukas
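
The lifecycle described in the comment above, as an added stand-alone C model (not code from IPFIXcol2 or from this thread). The three entry points keep the signatures quoted above; the stand-in `ipx_ctx_t`/`ipx_msg_t` types, the `DEMO_*` codes, the bare numeric parameter and the `demo_run` driver are assumptions made so that it compiles without the collector's headers.

```c
#include <stdlib.h>
/* Stand-ins (assumptions): the real types come from the IPFIXcol2 headers. */
typedef struct ipx_ctx { void *cfg; } ipx_ctx_t;
typedef struct ipx_msg { int is_flow; unsigned flows; } ipx_msg_t;
enum { DEMO_OK = 0, DEMO_ERR = -1 };               /* hypothetical codes */
struct demo_cfg { unsigned long limit, counted; }; /* per-instance state */

int ipx_plugin_init(ipx_ctx_t *ctx, const char *params)
{
    /* Real plugins get XML here; this model accepts one decimal number. */
    if (params == NULL || *params < '1' || *params > '9')
        return DEMO_ERR;                   /* fail closed on bad config */
    char *end;
    unsigned long limit = strtoul(params, &end, 10);
    if (*end != '\0')
        return DEMO_ERR;                   /* trailing garbage: reject */
    struct demo_cfg *cfg = calloc(1, sizeof(*cfg));
    if (cfg == NULL)
        return DEMO_ERR;
    cfg->limit = limit;
    ctx->cfg = cfg;                        /* model: hand state to the host */
    return DEMO_OK;
}

void ipx_plugin_destroy(ipx_ctx_t *ctx, void *cfg)
{
    ctx->cfg = NULL;
    free(cfg);
}

int ipx_plugin_process(ipx_ctx_t *ctx, void *cfg, ipx_msg_t *msg)
{
    struct demo_cfg *c = cfg;
    (void) ctx;
    /* Count only flow messages whose size is within the configured limit. */
    if (msg->is_flow && msg->flows <= c->limit)
        c->counted += msg->flows;
    return DEMO_OK;
}

/* Plays the collector: init once, process per message, destroy once. */
long demo_run(const char *params, ipx_msg_t *msgs, size_t n)
{
    ipx_ctx_t ctx = { NULL };
    if (ipx_plugin_init(&ctx, params) != DEMO_OK)
        return -1;                         /* process is never called */
    for (size_t i = 0; i < n; i++)
        ipx_plugin_process(&ctx, ctx.cfg, &msgs[i]);
    long counted = (long) ((struct demo_cfg *) ctx.cfg)->counted;
    ipx_plugin_destroy(&ctx, ctx.cfg);
    return counted;
}
```

In a real plugin the collector, not a driver such as `demo_run`, makes these calls, and the types and return codes come from the IPFIXcol2 headers.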

@alireza-moradi
Author

I have GeoIP and filter plugins in mind.

@Lukas955
Collaborator

Internally we already have intermediate plugins for flow filtration (and traffic profiling). They will be published here probably within two months after code review.

GeoIP and ASN intermediate plugins would be welcomed.

For flow enrichment, there is an API interface, ipx_ctx_ext_producer, that allows intermediate plugins to register and fill an additional data structure that will be part of each flow record. Other (usually output) plugins can then access them later through the ipx_ctx_ext_consumer API. In other words, the extensions are not a direct part of the original flow records, and it is necessary to later add support directly to particular output plugins so that they are able to process them. I know that it would be nice to enrich flow records by adding additional record fields directly into the flow record; however, it is not available right now and it would require significant changes in the internal design.

By the way, can I ask you if you are already using IPFIXcol2 for processing your flows or are you just experimenting?

@alireza-moradi
Author

alireza-moradi commented May 22, 2021

If it needs significant changes, maybe I need some other way to enrich data. Yes, I'm using IPFIXcol2 for processing NetFlow records.
Anyhow, I should thank you for this product.
