Ipfixprobe is a project created by CESNET. CESNET is an association of universities and the Academy of Sciences of the Czech Republic that operates and develops a national e-infrastructure for science, research and education, including a computer network, computing grids, data repositories and collaborative environments, and offers a wide range of services.
Ipfixprobe, as its name suggests, creates biflows from packet input and exports them to the output interface. The goal of this tutorial is to provide ipfixprobe installation steps and to test the HTTP and DNS plugins that are part of ipfixprobe.
The network infrastructure with the IPFIX exporter (ipfixprobe) and the IPFIX collector Noction Flow Analyzer (NFA) is depicted in Figure 1.
Figure 1 - IPFIX Exporter and Flow Collector
1. Ipfixprobe Installation
First, we need to install the dependencies required to compile ipfixprobe.
$ sudo apt install git build-essential autoconf libtool libssl-dev libunwind-dev
$ git clone --recurse-submodules https://github.com/CESNET/ipfixprobe
$ cd ipfixprobe
$ autoreconf -i
$ ./configure
$ make
$ sudo make install
Note: If you get the following error message during the configuration phase, you need to install NEMEA. NEMEA (Network Measurements Analysis) is a stream-wise, flow-based and modular detection system for network traffic analysis.
./configure: line 12907: syntax error near unexpected token `libtrap,'
./configure: line 12907: ` PKG_CHECK_MODULES(libtrap, libtrap, HAVE_TRAPLIB="yes")'
Nemea Installation:
$ sudo apt install -y gawk bc autoconf automake gcc g++ libtool libxml2-dev make pkg-config libpcap-dev libidn11-dev bison flex
$ git clone --recursive https://github.com/CESNET/nemea
$ cd nemea
$ ./bootstrap.sh
$ ./configure --enable-repobuild --prefix=/usr --bindir=/usr/bin/nemea --sysconfdir=/etc/nemea --libdir=/usr/lib64
$ make
$ sudo make install
After the installation of ipfixprobe is complete, we can check its version (Figure 2).
Figure 2 - Checking Ipfixprobe Version
2. Testing Ipfixprobe HTTP and DNS Plugins
The command below starts capturing packets on the Gi1 interface and exports IPFIX messages to the flow collector over UDP.
$ sudo ipfixprobe -i 'raw;ifc=Gi1;f' -p http -p dns -o 'ipfix;u;host=10.0.0.1;port=2055'
The NFA is listening for IPFIX messages on the socket 10.0.0.1:2055. Figure 3 is a partial screenshot of the NFA dashboard panel which confirms that flows have been exported successfully.
Figure 3 - NFA Dashboard
The HTTP plugin is enabled, so ipfixprobe should be able to export Layer 7 HTTP flow fields. We can confirm this by connecting to the NFA host over SSH and starting tcpdump on the interface enp0s3. The tcpdump output is redirected over the SSH connection to a Wireshark instance started on the local machine.
$ ssh ubuntu@192.168.88.100 'sudo -S tcpdump -i enp0s3 -s0 -c 1000 -nn -w - port 2055' | wireshark-gtk -k -i -
Figure 4 is a screenshot from Wireshark. It confirms that the following HTTP L7 information is successfully sent from ipfixprobe to NFA:
- HTTP request user agent
- HTTP request method
- HTTP request host
- HTTP request URL
Figure 4 - HTTP Fields Inside IPFIX Message
Note: To view only packets containing flows with HTTP traffic, use the following Wireshark display filter:
cflow.dstport == 80
We started ipfixprobe with the DNS plugin, so we should collect L7 DNS fields as well. Ipfixprobe reports the domain name cdnjs.cloudflare.com and the IP address 104.16.1.9.94 in flow 6 (Figure 5). This is a DNS response sent from the server 192.168.88.1 to the host 192.168.88.239.
Figure 5 - DNS Fields Inside IPFIX Message
Note: To view only packets containing flows with DNS traffic, use the following display filter:
cflow.dstport == 53
Conclusion
Ipfixprobe is an open source project that does not have as many features as commercial products such as nProbe. On the one hand, there is no guarantee that you will receive support if you need it. On the other hand, this tool is free, so try it and see if it suits your needs.