New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nDPId: Add simil-netflow, UDP-based outgoing stream support #3
Comments
If I understood you correctly, you want But a good idea in general. On my OpenWrt devices, |
Instead of connecting to an existing UNIX-domain-socket, I need This is UNRELATED to Netflow/IPFIX: sorry for the misunderstanding! I mentioned Netflow/IPFIX just to say that in Netflow scenarios, the agent runs locally on the system and send the flows (Netflows....) via UDP port. But, again, Netflow it's unrelated to my desire (BTW: I'm already fetching/enriching real-netflow stream, with Again: I'd like Thanks for replying! |
Uau! I'm going to try to build the package really soon! Thanks for mentioning this. BTW: my journey with OpenWRT packaging is... a bit long: maybe you will find useful what I wrote, lots of time ago, about this topic . Feel free to link, if you want (or cut/paste, or whatever) :-) |
The implementation effort implementing UDP/TCP support for the collector sink shouldn't be that much. I will work on that. |
With PR #4 it is possible to use custom UDP endpoints for nDPId. UDP endpoints can be specified with e.g. Any feedback appreciated. |
I've just been able to package the I properly received UDP-messages, even if I saw lots of error in the console. I fired the binary with: I'm attaching:
Please, let me know if those are enough information for your "testing requirements" or if you need further informations. If you confirm that the error messages in console are not important, I'll start working on the "real" receiver side, to process UDP-stream "in production". Thanks a lot for your support! |
Strange. // EDIT: It is a // EDIT: I've updated and improved error messages if the connection/datagram is refused by the endpoint |
I'm succesfully running:
on my OpenWRT box, since two days ago... with no problem at all. Furthermore, I've just launched a NodeJS-based UDP-server on 192.168.0.128 and... being able to properly receive the feed. Some rough counters follows ("evt"s are mine; "flows" and "packets" are the one coming from nDPId):
So I'd say.... it's definitely working! (...and now I can succesfully start investigating what those events represents.... [other than info/detected ones] :-)) |
Awesome!
I've added another PR (#5) which adds some more documentation in the README.md about events and flow states. If you have any questions or suggestions, please do not hesitate to contact me. P.S.: I am interested in your work. If it will be FOSS, it might be a good idea to provide a link in the README or even add it to the examples. |
It's DEFINITELY F/OSS (GPL-v2 license, at the moment). I'm developing it within our own community environment (we're running a self-hosted & internal GitLab instance - BTW: I'm speaking about GARRLab infrastructure ). Not 'cause we're gelous about what we do.... but simply 'cause we're not 150% sure to NOT make mistakes, and start sending out some security-related info (access tokens, password, and so on). Anyway, as you requested it... here it is: I've added ad additional "remote" to my local git-repo, and current nDPId-rt-analyzer has just been pushed to public GitLab. Feel free to do with it whatever you want :-) BTW: I'll (re)start giving a look to your documentation, soon. Thanks. |
Your documentation about EVENTS (expecially PACKET-related and FLOW-related ones) and STATES (flow-states) are very clear. I'll carefully re-read them, to understand how integrate them in the rt-analyzer. Based on such documentation, unfortunately, I saw that LOTS of the UDP-streaming are related to PACKET-events (as, if I understand correctly) for every single packet processed by nDPId/libNDPI, a packet-event is streamed out... From my point of view, this is a problem, 'cause: 1) I'm NOT really interested in "packet events", as they really give me close-to-nothing information; 2) in medium/large environment (> 100 hosts), such a streaming consume LOTS of bandwidth. I can surely filter events on the receiving side... but bandwidth problem will still be present. Of course, based on your initial approach (reading LOCALLY via UNIX-socket, and filter LOCALY with An easily "fix" would be an option, passed as an argument to ...but I cannot help, you, on this side, as I'm not exactly a C/C++ developer :-( |
Ok, I need to extend the README and provide some information about "fine tuning" which can be done via |
Is that ok for you if I add ndpid-rt-analyzer as git submodule to |
No problem at all! I appreciate it! BTW: I took the chance to even improve the documentation... (and push some more |
BTW: an IMPORTANT detail. Please note that I changed the license, from GPL-v2 to A-GPL, as I really want ndpid-rt-analyzer to stay "public", even in case of its adoption within some "server-side" web-service. With A-GPL, such a behaviour (using it, on server-side, without releasing the code to the public), will be forbidden (aka: using it "on-the-server", stick to general GPL requirements). Let me know if this is OK for you |
Sure. I fully agree with this. =) |
* CI Fix #3 Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
I'm interested in the possibility, for nDPId, to directly send out the JSON-stream of events, via UDP, to a remote host.
I'm thinking to a behaviour much similar to NetFlow/IPFIX, that I'm succesfully using in OpenWRT (at home, inside my WDR4300 wireless router), collecting flows with softflowd and relaying them to a remote location, via UDP. As such, I'm able to off-load/enrich netflow analysis, with no technical constraint. Indeed: at my remote location, I'm enriching received flows with geo-referential data (provided by MaxMind free library ) and pushing them to an opensearch instance.
I'm trying to further enrich my data with high-level protocol information (provided by lib-nDPI), and
nDPId
fit perfectly in such a role. The only missing bit is the possibility to stream out flows, directly.Of course I can run a local "gateway" (fetching from
nDPId
and writing to remote location) but this is not easy, as the whole stuff need to be run inside OpenWRT boxes, that are VERY resource-constrained (BTW: libndpi and softflowd are already packaged for OpenWRT) and... I'm lacking C/C++ knowledge :-(Is this an interesting feature, for the
nDPId
project?BTW: thanks for developing
nDPId
The text was updated successfully, but these errors were encountered: