README.md bug and question regarding sending unirec data as IPFIX over UDP

[MigNov]

Hello,
I've been trying to send the unirec data to the UDP netflow output and I tried to investigate the code but unfortunately I cannot find the way. Please let me explain the scenario I would like to do:

• I'm having a mirrored traffic on ens192
• I would like to use use multiple plugins from the ipfixprobe project to get the unirec data, let's say http, idpcontent and smtp plugin at once to be able to extract data from the mirrored traffic
• those unirec data should be then send using the ipfix format to IP address of 172.16.10.10

How could I do that? I have tried the following syntax but it does not work:
ipfixprobe -i 'raw;ifc=ens192' -p http -p idpcontent -p smtp -o 'unirec;i=b:,u:http:timeout=WAIT;p=http,(pstats,phists,idpcontent)'
I don't know how to define the output how to send unirec data using ipfix. Could you please help me?

Also, I am seeing a probable bug in the README.md. There's line:

# Capture from a COMBO card using ndp plugin, sends ipfix data to 127.0.0.1:4739 using TCP by default
./ipfixprobe -i 'ndp;dev=/dev/nfb0:0' -i 'ndp;dev=/dev/nfb0:1' -i 'ndp;dev=/dev/nfb0:2'

However there is no definition to send IPFIX data to 127.0.0.1:4739 over the TCP connection so I guess the comment is misleading. Could you please clarify whether am I reading/understanding it wrong?

Thanks a lot,
Michal

[hynekkar]

Hi, why do you want to use unirec and not ipfix output plugin?

Regarding to your issue:
ipfixprobe -i 'raw;ifc=ens192' -p http -p idpcontent -p smtp -o 'unirec;i=b:,u:http:timeout=WAIT;p=http,(pstats,phists,idpcontent)'

Let me explain the unirec output plugin parameters: -o 'unirec;i=u:http:timeout=WAIT,u:stats:timeout=WAIT;p=http,(pstats,phists,idpcontent)'

• "unirec" is name of the plugin
• "i=" is unirec output plugin argument for interface specification
• "u:http:timeout=WAIT" is first unirec interface with name http set in blocking mode (see https://nemea.liberouter.org/trap-ifcspec/ )
• "u:stats:timeout=WAIT" is second unirec interface with name stats
• "p=http,(pstats,phists,idpcontent)" is unirec output plugin argument for mapping process plugins data onto interfaces. Thus interface called http contains data from HTTP plugin, interface called stats gonna contains data from pstats, phists, and idpcontent plugins.

Thus I suppose, your desired arguments were:
ipfixprobe -i 'raw;ifc=ens192' -p http -p idpcontent -p smtp -o 'unirec;i=u:http:timeout=WAIT;p=(http,idpcontent,smtp)

Karel

[MigNov]

Hi Karel,
from what I understood now I can use:

ipfixprobe -i 'raw;ifc=ens192' -p http -p idpcontent -p smtp -o 'ipfix;u;host=${REMOTE_IP};port=${REMOTE_PORT}'

to use both idpcontent and smtp plugins and "convert" ens192 traffic to IPFIX format and send to ${REMOTE_IP} and ${REMOTE_PORT}. Is that correct?

Thanks,
Michal

[hynekkar]

Hi Michal,
Yes, you understand it correctly. IPFIX output plugin is going to send flow data enriched for http, idpcontent, and smtp, when applicable. Meaning, that when the flow does not contain HTTP or SMTP traffic, ipfixprobe will send flow enriched only for idpcontent. IDPContent does not export data when no payload is transmitted --- e.g. in the case of syn scan.

Karel

[MigNov]

Hi Karel,
thanks for your reply. It might be good to change the README.md to include this information along with the example I put above and after that I think this issue #81 can be closed.

Thanks,
Michal