Differences

This shows you the differences between two versions of the page.

--- en:dpi:dpi_components:utilities:ipfixreceiver [2018/05/15 13:59] – [InfoModel] kvazikrav
+++ en:dpi:dpi_components:utilities:ipfixreceiver [2023/09/01 11:09] (current) – removed elena.krasnobryzh
@@ Line 1: / Line 1: @@
-====== IPFIX receiver utility ======
-===== Introduction =====
-IPFIX receiver is used for receiving an IPFIX (Netflow 10) stream from DPI devices and store the stream to a local file. The stored file can be processed as a text file any unix utilities.
-===== Installation and upgrade =====
-==== CentOS6 ====
-  - use VAS Experts repository according to p.1 of the [[en:dpi:dpi_components:platform:dpi_update:dpi_update_10:dpi_10_update:start|DPI installation instruction]].
-  - install ipfixreceiver:\\ <code>yum install -y ipfixreceiver</code>
-  - check changes in configuration files for installed version look at part "Important changes in version ..."
-==== CentOS7 ====
-  - use VAS Experts repository according to p.1 of the [[en:dpi:dpi_components:platform:dpi_update:dpi_update_10:dpi_10_update:start|DPI installation instruction]].
-  - add the epel repository <code>yum -y install epel-release</code>
-  - add the forensics repository <code>rpm --import https://forensics.cert.org/forensics.asc
-rpm -Uvh https://forensics.cert.org/cert-forensics-tools-release-el7.rpm</code>
-  - install ipfixreceiver:\\ <code>yum install -y ipfixreceiver</code>
-  - check changes in configuration files for installed version look at part "Important changes in version ..."
-===== Important changes in version 1.0.3 vs 1.0.2 =====
-  - chenged configuration file in part of IP address transformation, since 1.0.3 version use decodeipv4, decodeipv6 in Export model to exoprt IP in readable mode. Example:<code>  source_ip4, decodeipv4</code><code>  destination_ip4, decodeipv4</code>
-  - saving data now in separate process, important if DPI has more than 25 000 session per second, it can load upto 2 proccesor cores. In DEBUG loging added check records to controll save processing\\ (a)cnt=NNNNN - send NNNNN buffer\\ (b)cnt=YYYYY - saved YYYYY buffer.
-  - buffer_size parameter added - size of buffer to interchange between receiver and saver processes, use it in [dump] section, default value - 100000 records (for 20Gbe or 25 000 seesion per second). If the buffer size is not reached then 30sec timeout is used to push buffer into saver process.
-===== Supplied files =====
-  - configuration expamples:\\ <code>/etc/dpiui/ipfixreceiver.conf - clickstream example (http/https clickstream)
-/etc/dpiui/ipfixreceiverflow.conf - session example (netflow 10/IPFIX full session export)
-/etc/dpiui/ipfixreceiversip.conf - meta information (sip connections) example </code>
-  - programm files directory:\\ <code>/usr/local/lib/ipfixreceiver.d/</code>
-  - additional files:\\ <code>/etc/dpiui/port_proto.txt - for translation protocol number to text protocol name</code>
-  - link to executable:\\ <code>/usr/local/bin/ipfixreceiver -> link to /usr/local/lib/ipfixreceiver.d/ipfixreceiver</code>
-===== Additional OS settings =====
-  - set iptables for receive external data\\ Ipfixreceiver is requred to open ports that will be used to receive IPFIX streams (in configuration see section [connect])\\ For instance you  are using TCP protocol, 1500 port and IP=212.12.11.10\\ <code>[connect]
-protocol=tcp
-host=212.12.11.10
-port=1500</code>\\ For ipfixreceiver working in /etc/sysconfig/iptables you have to insert the next rule:\\ <code>-A INPUT -p tcp -m state --state NEW -m tcp --dport 1500 -j ACCEPT</code> Do not forget that after changes iptables r - restart service is requried:\\ <code>service iptables restart</code>
-  - configure logrotate\\ Example for logrotate file /var/log/dpiuiflow.log, create in /etc/logrotate.d/ the file "flowlog" with the next content <code>
-/var/log/dpiui*.log {
-    rotate 5
-    missingok
-    notifempty
-    compress
-    size 10M
-    daily
-    copytruncate
-    nocreate
-    postrotate
-    endscript
-}</code> \\ Using copytruncate is requred, otherwise the log file will be recreated and log write to the file in stopped.\\ According to ipfixreceiver configuration in section [handler_ipfixreceiverlogger] is setted the next:\\ <code>args=('/var/log/dpiuiflow.log', 'a+')</code>
-  - configure remove old files. Example, removing old archive files (more then 31 days) with session records in gzip:\\ <code>15 4 * * * /bin/find /var/dump/dpiui/ -name url_\*.dump.gz -cmin +44640 -delete > /dev/null 2>&1</code>\\ Change it to meet you requirements and put into the file /var/spool/cron/root.
-===== Execution parameters =====
-ipfixreceiver utility has next parameters:
-<code>usage: ipfixreceiver start|stop|restart|status|-v [-f <config file>]
-где
-  start   - start as service
-  stop    - stop service
-  state   - get state of service
-  restart - restart service
-  -v      - version info
-  -f <config file> - config file name (required)
-Example:
-  ipfixreceiver start -f /etc/dpiui/ipfixreceiverflow.conf
-</code>
-===== Configuration =====
-By default config file /etc/dpiui/ipfixreceiver.conf is used .\\
-:!: More information about config parameter you can find by link [[https://docs.python.org/2.6/library/logging.html | Logging ]]
-==== Logging sections ====
-  - loggers - define logging identifiers
-  - handlers - define used logging workers
-  - formatters - define used logging formats
-==== logger_root ====
-  - level - log level\\ Values:<code>
-CRITICAL  - critical errors only, minimum log level
-ERROR     - errors included
-WARNING   - warnings included
-INFO      - information included
-DEBUG     - debug messages included
-NOTSET    - all, maximum log level
-</code>\\ Example:\\ <code>level=DEBUG</code>
-  - handlers - used message handlers\\ Example: <code>handlers=ipfixreceiverlogger</code>
-==== handler_ipfixreceiverlogger ====
-  - class - class of the message handler\\ Example: <code>class=FileHandler</code>
-  - level - log level <code>level=DEBUG</code>
-  - formatter - name of formatter that is used<code>formatter=ipfixreceiverlogger</code>
-  - args - handlers' parameters <code>args=('/var/log/dpiuiflow.log', 'a+')</code>
-==== formatter_ipfixreceiverlogger ====
-  - format - log message format description\\ Example: <code>format=%(asctime)s - %(name)s - %(levelname)s - %(message)s
-here:
-%(name)s      - logger name
-%(levelname)s - level ('DEBUG', 'INFO', 'WARNING', 'ERROR', 'CRITICAL').
-%(asctime)s   - daye, default - “2003-07-08 16:49:45,896” (with milliseconds after comma).
-%(message)s   - message
-</code>
-  - datefmt - date format\\ Example: <code>datefmt='%m-%d %H:%M'</code>
-==== connect ====
-  - protocol - protocol(tcp or udp). <code>protocol=udp</code>
-  - host - IP or server name or 0.0.0.0 (to receive from all devices). <code>host=localhost</code>
-  - port - port number. <code>port=9996</code>
-==== dump ====
-  - rotate_minutes - rotation period in minuties, after it temp file will be moved to dumpfiledir/<port>.url.dump and new tempfile will be created.<code>rotate_minutes=10</code>
-  - processcmd - command that will be executed to process new data file after rotation, parameter is full file name.<code>processcmd=gzip %%s</code>
-  - dumpfiledir - directory where received data files will be stored. <code>dumpfiledir=/var/dump/dpiui/ipfixflow/</code>
-  - buffer_size - size of buffer to interchange between receiver and saver processes, use it in [dump] section, default value - 100000 records (for 20Gbe or 25 000 seesion per second). If the buffer size is not reached then 30sec timeout is used to push buffer into saver process.
-==== InfoModel ====
-the section describes IPFIX receiveng template.
-  - InfoElements - parameter with description of information model elements for IPFIX template <code>InfoElements =  octetDeltaCount,       0,    1, UINT64, True
-                packetDeltaCount,      0,    2, UINT64, True
-                protocolIdentifier,    0,    3, UINT8
-                session_id,        43823, 2000, UINT64, True
-here,
-  session_id - field name according to IPFIX description table (see according sections)
-  - enterprise number or general IPFIX protocol number
-      - unique field name
-  UINT64 - field type
-  True   - endian (True or empty).
-</code>
-Field types:\\
-^ Type      ^ Length       ^ Type IPFIX          ^
-| OCTET_ARRAY    | VARLEN     | octetArray        |
-| UINT8          | 1          | unsigned8         |
-| UINT16         | 2          | unsigned16        |
-| UINT32         | 4          | unsigned32        |
-| UINT64         | 8          | unsigned64        |
-| INT8           | 1          | signed8           |
-| INT16          | 2          | signed16          |
-| INT32          | 4          | signed32          |
-| INT64          | 8          | signed64          |
-| FLOAT32        | 4          | float32           |
-| FLOAT64        | 8          | float64           |
-| BOOL           | 1          | boolean           |
-| MAC_ADDR       | 6          | macAddress        |
-| STRING         | VARLEN     | string            |
-| SECONDS        | 4          | dateTimeSeconds   |
-| MILLISECONDS   | 8          | dateTimeMilliseconds |
-| MICROSECONDS   | 8          | dateTimeMicroseconds |
-| NANOSECONDS    | 8          | dateTimeNanoseconds  |
-| IP4ADDR        | 4          | ipv4Address       |
-| IP6ADDR        | 16         | ipv6Address       |
-Field names and their description:\\
-  - [[en:dpi:dpi_options:base_functionality:opt_statistics:statistics_ipfix:start|Flow export template in IPFIX]]
-  - [[en:dpi:dpi_options:base_functionality:opt_li:li_ipfix:start|Meta information export template]]
-  - [[en:dpi:dpi_components:radius:radmon_acct_ipfix:start|AAA template export using IPFIX]]
-additional information:\\
-[[https://tools.ietf.org/html/rfc5102.html | Information Model for IP Flow Information Export]]
-==== ExportModel ====
-defines the export model parameters, reserved for future use.
-  - Mode - type used export (File only) <code>Mode = File</code>
-==== ExportModelFile ====
-defines the File export model.
-  - Delimiter field delimiter ( \t - TAB, examples - |,;) <code>Delimiter = \t</code>
-  - ExportElements - fields description that will be saved to file. <code>ExportElements = timestamp, seconds, %%Y-%%m-%%d %%H:%%M:%%S.000+03
-                 login
-                 source_ip4
-                 destination_ip4
-                 host, decodehost
-                 path, decodepath
-                 referal, decodereferer
-                 session_id
-here:
-  name - field name from infornation model described before [InfoModel] (login, session_id и т.п.)
-  worker - internal transformation routune
-               seconds       - field in seconds, format requred
-               milliseconds  - field in milliseconds, microsecconds, nanoseconds, format requred
-               decodehost    - decoder from punycode to UTF-8
-               decodepath    - decoder from urlencoding to UTF-8
-               decodereferer - decoder from (punycode,urlencoding) to UTF-8
-               decodeproto   - decoder from protocol number to protocol port
-               decodeipv4    - decoder from decimal number to IP address string
-  format - format for seconds, milliseconds.
-           Example: %%Y-%%m-%%d %%H:%%M:%%S.%%f+0300
-           Result: 2016-05-25 13:13:35.621000+0300
-</code>
-==== Centos7 service for ipfixreceiver ====
-Centos7 service creation step by step, service name **ipfix1**, config file name **/etc/dpiui/ipfixreceiver.conf**, used port **1500**. \\
-Create the file /etc/systemd/system/ipfix1.service with:
-<code>
-[Unit]
-Description=ipfix test restart
-After=network.target
-After=syslog.target
-[Service]
-Type=forking
-PIDFile=/tmp/ipfixreceiver.1500.pid
-ExecStart=/usr/local/bin/ipfixreceiver start -f /etc/dpiui/ipfixreceiver.conf
-ExecStop=/usr/local/bin/ipfixreceiver stop -f /etc/dpiui/ipfixreceiver.conf
-ExecReload=/usr/local/bin/ipfixreceiver restart -f /etc/dpiui/ipfixreceiver.conf
-Restart=always
-RestartSec=10s
-[Install]
-WantedBy=multi-user.target
-</code>
-Execute to register and run service:
-  systemctl enable ipfix1.service
-  systemctl start ipfix1.service
-  systemctl daemon-reload
-Check status:
-  systemctl status ipfix1.service -l
-:!: check service start after reboot
-===== Troubleshooting =====
-  - how can I get version?\\ Use:\\ <code>ipfixreceiver -v</code><code>yum info ipfixreceiver</code>
-  - can I send IPFIX streams fom differ DPI deveces to one port?\\ Yes, for UDP. Ipfixreceiver will write it to the same output files.
-  - How can I learn that utility is working?\\ a) check port is lissening, example 1500:<code>netstat -nlp | grep 1500</code> b) check utility log for errors\\ c) chech that data is writing to temporary file, example for 9996 port (dump directory - /var/dump/dpiui/ipfixurl): <code>tail -f /var/dump/dpiui/ipfixurl/9996.url.dump</code>
-  - all checked, but no data is received?\\ a) check iptables rules.\\ b) check ipfixreceiver configuration for IP server address.
-  - DPI sends more then 2 millions session per second, in DEBUG level I see that counter in saver is slower  then counter in receiver. How can I tune performance ?\\ a) remove decoder date to string, it'll lower processing time and reduce file size\\ b) remove decodeipv4, it'll also a little lower processing\\ c) check buffer_size for more 30 000 session per sec\\ d) upgrade processor for more frequency

Profile

Settings

Differences