diff --git a/.gitignore b/.gitignore index dfc5d537..4c9d4ebb 100644 --- a/.gitignore +++ b/.gitignore @@ -116,4 +116,8 @@ tests/unit/utils # vscode settings files .vscode - +# jekyll files +docs/_site/ +docs/.sass-cache/ +docs/.jekyll-metadata/ +docs/.jekyll-cache/ \ No newline at end of file diff --git a/README.md b/README.md index cf8e914f..73dd0914 100644 --- a/README.md +++ b/README.md @@ -1,122 +1,21 @@ -# ipfixprobe - IPFIX flow exporter +

+ +

-## Description -This application creates biflows from packet input and exports them to output interface. +[![](https://img.shields.io/badge/license-BSD-blue.svg)](https://github.com/CESNET/ipfixprobe/blob/master/LICENSE) +![Coverity Scan](https://img.shields.io/coverity/scan/22112) +![GitHub top language](https://img.shields.io/github/languages/top/CESNET/ipfixprobe) -## Requirements -- libatomic -- kernel version at least 3.19 when using raw sockets input plugin enabled by default (disable with `--without-raw` parameter for `./configure`) -- [libpcap](http://www.tcpdump.org/) when compiling with pcap plugin (`--with-pcap` parameter) -- netcope-common [COMBO cards](https://www.liberouter.org/technologies/cards/) when compiling with ndp plugin (`--with-ndp` parameter) -- libunwind-devel when compiling with stack unwind on crash feature (`--with-unwind` parameter) -- [nemea](http://github.com/CESNET/Nemea-Framework) when compiling with unirec output plugin (`--with-nemea` parameter) -- cloned submodule with googletest framework to enabled optional tests (`--with-gtest` parameter) - -To compile DPDK interfaces, make sure you have DPDK libraries (and development files) installed and set the `PKG_CONFIG_PATH` environment variable if necessary. You can obtain the latest DPDK at http://core.dpdk.org/download/ Use `--with-dpdk` parameter of the `configure` script to enable it. - -## Build & Installation - -### Source codes +ipfixprobe is a high-performance flow exporter. It creates bidirectional flows from packet input and exports them to output interface. The ipfixprobe support vide variety of flow extenstion for application layer protocol information. The flow extension can be turned on with process plugins. We support TLS, QUIC, HTTP, DNS and many more. Just check our [documentation](#). 
-This project uses a standard process of: +## Installation +The RPM packages for RHEL based distributions can be downloaded from our [copr repository](https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/package/ipfixprobe/). Or just simply run: ``` -git clone --recurse-submodules https://github.com/CESNET/ipfixprobe -cd ipfixprobe -autoreconf -i -./configure -make -sudo make install +dnf install -y dnf-plugins-core && dnf copr -y enable @CESNET/NEMEA +dnf install ipfixprobe ``` -Check `./configure --help` for more details and settings. - -### RPM packages - -RPM package can be created in the following versions using `--with` parameter of `rpmbuild`: -- `--with pcap` enables RPM with pcap input plugin -- `--with ndp` enables RPM with netcope-common, i.e., ndp input plugin -- `--with nemea` enables RPM with unirec output plugin -- `--without raw` disables RPM with default raw socket input plugin -- `--with unwind` enables RPM with stack unwinding feature - -These parameters affect required dependencies of the RPM and build process. - -The default configuration of the RPM can be created using simply: `make rpm` - -Alternative versions (described in the following section) can be created by: -- NEMEA version of RPM: `make rpm-nemea` -- NDP version of RPM: `make rpm-ndp` - -We use [COPR infrastructure](https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/) to build and serve RPM packages for EPEL7 and EPEL8. -It is not possible to pass arguments to rpmbuild, so there is an option in configure to enforce NEMEA dependency: - -`./configure --enable-coprrpm && make srpm` - -The output source RPM can be uploaded to copr. 
- -To install ipfixprobe with NEMEA dependency from binary RPM packages, it is possible to follow instructions on: -[https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/](https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/) - -### Windows 10 CygWin - -Install CygWin and the following packages: -- git -- pkg-config -- make -- automake -- autoconf -- libtool -- binutils -- gcc-core -- gcc-g++ -- libunwind-devel - -Download npcap SDK [https://nmap.org/npcap/dist/npcap-sdk-1.07.zip](https://nmap.org/npcap/dist/npcap-sdk-1.07.zip) and copy content of the `Include` folder to `/usr/include` folder in your cygwin root installation folder (`C:\cygwin64\usr\include` for example). Then copy files of the `Lib` folder to `/lib` folder (or `Lib/x64/` based on your architecture). - -Download npcap library [https://nmap.org/npcap/dist/npcap-1.31.exe](https://nmap.org/npcap/dist/npcap-1.31.exe) and install. - -Add the following line to the `~/.bashrc` file -``` -export PATH="/cygdrive/c/Windows/system32/Npcap:$PATH" -``` - -Build project using commands in previous sections. Tested on cygwin version 2.908 - - -## Input / Output of the flow exporter - -Input and output interfaces are dependent on the configuration (by `configure`). -The default setting uses raw sockets input plugin and the output is in IPFIX format only. - -When the project is configured with `./configure --with-nemea`, the flow -exporter supports NEMEA output via TRAP IFC besides the default IPFIX output. -For more information about NEMEA, visit -[https://nemea.liberouter.org](https://nemea.liberouter.org). - -The flow exporter supports compilation with libpcap (`./configure --with-pcap`), which allows for receiving packets -from PCAP file or network interface card. - -When the project is configured with `./configure --with-ndp`, it is prepared for high-speed packet transfer -from special HW acceleration FPGA cards. 
For more information about the cards, -visit [COMBO cards](https://www.liberouter.org/technologies/cards/) or contact -us. - -### Output - -There are several currently available output plugins, such as: - -- `ipfix` standard IPFIX [RFC 5101](https://tools.ietf.org/html/rfc5101) -- `unirec` data source for the [NEMEA system](https://nemea.liberouter.org), the output is in the UniRec format sent via a configurable interface using [https://nemea.liberouter.org/trap-ifcspec/](https://nemea.liberouter.org/trap-ifcspec/) -- `text` output in human readable text format on standard output file descriptor (stdout) - -The output flow records are composed of information provided by the enabled plugins (using `-p` parameter, see [Flow Data Extension - Processing Plugins](./README.md#flow-data-extension---processing-plugins)). - -See `ipfixprobe -h output` for more information and complete list of output plugins and their parameters. - -LZ4 compression: -ipfix plugin supports LZ4 compression algorithm over tcp. See plugin's help for more information. - ## Parameters ### Module specific parameters - `-i ARGS` Activate input plugin (-h input for help) 
@@ -172,576 +71,105 @@ Here are the examples of various plugins usage: `./ipfixprobe -i 'dpdk-ring;r=rx_ipfixprobe_0;e= --proc-type=secondary' -i 'dpdk-ring;r=rx_ipfixprobe_1' -i 'dpdk-ring;r=rx_ipfixprobe_2' -i 'dpdk-ring;r=rx_ipfixprobe_3' -o 'text'` ``` -## Telemetry - -`ipfixprobe` can expose telemetry data using the appFs library, which leverages the fuse3 library (filesystem in userspace) to allow telemetry data to be accessed and manipulated -through standard filesystem operations. - -## Flow Data Extension - Processing Plugins - -`ipfixprobe` can be extended by new plugins for exporting various new information from flow. -There are already some existing plugins that export e.g. `DNS`, `HTTP`, `SIP`, `NTP`, `PassiveDNS`. - -To enable a plugin, add `-p` option with argument (it can be used multiple times). Each plugin provides a set of information described in section Output data. - -See `ipfixprobe -h process` for more information and complete list of processing plugins and their parameters. +## Build -## Adding new plugin - -To create new plugin use [process/create_plugin.sh](process/create_plugin.sh) script. This interactive script will generate .cpp and .h -file template and will also print `TODO` guide what needs to be done. 
+### Requirements +- libatomic +- kernel version at least 3.19 when using raw sockets input plugin enabled by default (disable with `--without-raw` parameter for `./configure`) +- [libpcap](http://www.tcpdump.org/) when compiling with pcap plugin (`--with-pcap` parameter) +- netcope-common [COMBO cards](https://www.liberouter.org/technologies/cards/) when compiling with ndp plugin (`--with-ndp` parameter) +- libunwind-devel when compiling with stack unwind on crash feature (`--with-unwind` parameter) +- [nemea](http://github.com/CESNET/Nemea-Framework) when compiling with unirec output plugin (`--with-nemea` parameter) +- cloned submodule with googletest framework to enabled optional tests (`--with-gtest` parameter) -## Possible issues -### Flows are not send to output interface when reading small pcap file (NEMEA output) +To compile DPDK interfaces, make sure you have DPDK libraries (and development files) installed and set the `PKG_CONFIG_PATH` environment variable if necessary. You can obtain the latest DPDK at http://core.dpdk.org/download/ Use `--with-dpdk` parameter of the `configure` script to enable it. -Turn off message buffering using `buffer=off` option and set `timeout=WAIT` on output interfaces. +### Source codes -``` -./ipfixprobe -i 'pcap;file=traffic.pcap' -o 'unirec;i=u:out:timeout=WAIT:buffer=off' -``` +This project uses a standard process of: -## Output data - -The following sections describe set of information fields provided by the processing plugins. -The columns `Output field` and `Type` represent the name and type of UniRec elements (NEMEA output); however, the equivalent fields are exported in other output plugins as well --- e.g., in IPFIX format. - -Note: to lookup IPFIX enterprise id and element id have a look into [header file](https://github.com/CESNET/ipfixprobe/blob/master/include/ipfixprobe/ipfix-elements.hpp#L85) with the mapping to IPFIX elements. - -### Basic -Basic unirec fields exported on interface with basic (pseudo) plugin. 
These fields are also exported on interfaces where HTTP, DNS, SIP and NTP plugins are active. - -| Output field | Type | Description | -|:----------------------:|:----------------:|:---------------------------------------------------:| -| DST_MAC | macaddr | destination MAC address | -| SRC_MAC | macaddr | source MAC address | -| DST_IP | ipaddr | destination IP address | -| SRC_IP | ipaddr | source IP address | -| BYTES | uint64 | number of bytes in data flow (src to dst) | -| BYTES_REV | uint64 | number of bytes in data flow (dst to src) | -| LINK_BIT_FIELD or ODID | uint64 or uint32 | exporter identification | -| TIME_FIRST | time | first time stamp | -| TIME_LAST | time | last time stamp | -| PACKETS | uint32 | number of packets in data flow (src to dst) | -| PACKETS_REV | uint32 | number of packets in data flow (dst to src) | -| DST_PORT | uint16 | transport layer destination port | -| SRC_PORT | uint16 | transport layer source port | -| DIR_BIT_FIELD | uint8 | bit field for determining outgoing/incoming traffic | -| PROTOCOL | uint8 | transport protocol | -| TCP_FLAGS | uint8 | TCP protocol flags (src to dst) | -| TCP_FLAGS_REV | uint8 | TCP protocol flags (dst to src) | - -### Basic plus -List of unirec fields exported together with basic flow fields on interface by basicplus plugin. -Fields without `_REV` suffix are fields from source flow. Fields with `_REV` are from the opposite direction. 
- -| Output field | Type | Description | -|:------------:|:------:|:---------------------------:| -| IP_TTL | uint8 | IP TTL field | -| IP_TTL_REV | uint8 | IP TTL field | -| IP_FLG | uint8 | IP FLAGS | -| IP_FLG_REV | uint8 | IP FLAGS | -| TCP_WIN | uint16 | TCP window size | -| TCP_WIN_REV | uint16 | TCP window size | -| TCP_OPT | uint64 | TCP options bitfield | -| TCP_OPT_REV | uint64 | TCP options bitfield | -| TCP_MSS | uint32 | TCP maximum segment size | -| TCP_MSS_REV | uint32 | TCP maximum segment size | -| TCP_SYN_SIZE | uint16 | TCP SYN packet size | - -### NetTiSA -List of unirec fields exported together with NetTiSA flow fields on interface by nettisa plugin. - -| Output field | Type | Description | -|:------------:|:------:|:---------------------------:| -| NTS_MEAN | float | The mean of the payload lengths of packets | -| NTS_MIN | uint16 | Minimal value from all packet payload lengths | -| NTS_MAX | uint16 | Maximum value from all packet payload lengths | -| NTS_STDEV | float | Represents a switching ratio between different values of the sequence of observation. | -| NTS_KURTOSIS | float | The standard deviation is measure of the variation of data from the mean. | -| NTS_ROOT_MEAN_SQUARE | float | The measure of the magnitude of payload lengths of packets. | -| NTS_AVERAGE_DISPERSION | float | The average absolute difference between each payload length of packet and the mean value. | -| NTS_MEAN_SCALED_TIME | float | The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution. | -| NTS_MEAN_DIFFTIMES | float | The scaled times is defined as sequence $\{st\} = \{ t_1 - t_1, t_2 - t_1, \dots, t_n - t_1 \}$. We compute the mean of the value with same method as for feature \textit{Mean}. | -| NTS_MIN_DIFFTIMES | float | The time differences is defined as sequence $ \{dt\} = \{ t_j - t_i \| j = i + 1, i \in \{1, 2, \dots, n - 1\}\}$. 
We compute the mean of the value with same method as for feature \textit{Mean}. | -| NTS_MAX_DIFFTIMES | float | Minimal value from all time differences, i.e., min space between packets. | -| NTS_TIME_DISTRIBUTION | float | Maximum value from all time differences, i.e., max space between packets. | -| NTS_SWITCHING_RATIO | float | Describes the distribution of time differences between individual packets. | - -### HTTP -List of unirec fields exported together with basic flow fields on interface by HTTP plugin. - -| Output field | Type | Description | -|:------------------------------:|:------:|:-----------------------------------------------------------:| -| HTTP_REQUEST_METHOD | string | HTTP request method | -| HTTP_REQUEST_HOST | string | HTTP request host | -| HTTP_REQUEST_URL | string | HTTP request url | -| HTTP_REQUEST_AGENT | string | HTTP request user agent | -| HTTP_REQUEST_REFERER | string | HTTP request referer | -| HTTP_RESPONSE_STATUS_CODE | uint16 | HTTP response code | -| HTTP_RESPONSE_CONTENT_TYPE | string | HTTP response content type | -| HTTP_RESPONSE_SERVER | string | HTTP response server | -| HTTP_RESPONSE_SET_COOKIE_NAMES | string | HTTP response all set-cookie names separated by a delimiter | - -### RTSP -List of unirec fields exported together with basic flow fields on interface by RTSP plugin. - -| Output field | Type | Description | -|:----------------------------:|:------:|:---------------------------:| -| RTSP_REQUEST_METHOD | string | RTSP request method name | -| RTSP_REQUEST_AGENT | string | RTSP request user agent | -| RTSP_REQUEST_URI | string | RTSP request URI | -| RTSP_RESPONSE_STATUS_CODE | uint16 | RTSP response status code | -| RTSP_RESPONSE_SERVER | string | RTSP response server field | -| RTSP_RESPONSE_CONTENT_TYPE | string | RTSP response content type | - -### TLS -List of unirec fields exported together with basic flow fields on interface by TLS plugin. 
- -| Output field | Type | Description | -|:------------:|:--------:|:------------------------------------------------------------:| -| TLS_SNI | string | TLS server name indication field from client | -| TLS_ALPN | string | TLS application protocol layer negotiation field from server | -| TLS_VERSION | uint16 | TLS client protocol version | -| TLS_JA3 | string | TLS client JA3 fingerprint | -| TLS_EXT_TYPE | uint16\* | TLS extensions in the TLS Client Hello | -| TLS_EXT_LEN | uint16\* | Length of each TLS extension | - -### DNS -List of unirec fields exported together with basic flow fields on interface by DNS plugin. - -| Output field | Type | Description | -|:------------:|:------:|:-------------------------------:| -| DNS_ID | uint16 | transaction ID | -| DNS_ANSWERS | uint16 | number of DNS answer records | -| DNS_RCODE | uint8 | response code field | -| DNS_NAME | string | question domain name | -| DNS_QTYPE | uint16 | question type field | -| DNS_CLASS | uint16 | class field of DNS question | -| DNS_RR_TTL | uint32 | resource record TTL field | -| DNS_RLENGTH | uint16 | length of DNS_RDATA | -| DNS_RDATA | bytes | resource record specific data | -| DNS_PSIZE | uint16 | requestor's payload size | -| DNS_DO | uint8 | DNSSEC OK bit | - -#### DNS_RDATA format - -DNS_RDATA formatting is implemented for some base DNS RR Types in human-readable output. -Same as [here](https://www.liberouter.org/technologies/exporter/dns-plugin/): - -| Record | Format | -|:------:|:------:| -| A | | -| AAAA | | -| NS | | -| CNAME | | -| PTR | | -| DNAME | | -| SOA | | -| SRV | | -| MX | | -| TXT | | -| MINFO | | -| HINFO | | -| ISDN | | -| DS | \* | -| RRSIG | \* | -| DNSKEY | \* | -| other | \* | - - \* binary data are skipped and not printed - -### PassiveDNS -List of unirec fields exported together with basic flow fields on interface by PassiveDNS plugin. 
- -| Output field | Type | Description | -|:------------:|:------:|:---------------------------------------:| -| DNS_ID | uint16 | transaction ID | -| DNS_ATYPE | uint8 | response record type | -| DNS_NAME | string | question domain name | -| DNS_RR_TTL | uint32 | resource record TTL field | -| DNS_IP | ipaddr | IP address from PTR, A or AAAA record | - - -### MQTT -List of unirec fields exported together with basic flow fields on interface by MQTT plugin. - -| Output field | Type | Description | -|:-----------------------------:|:------:|:-----------------------------------------------------:| -| MQTT_TYPE_CUMULATIVE | uint16 | types of packets and session present flag cumulative | -| MQTT_VERSION | uint8 | MQTT version | -| MQTT_CONNECTION_FLAGS | uint8 | last CONNECT packet flags | -| MQTT_KEEP_ALIVE | uint16 | last CONNECT keep alive | -| MQTT_CONNECTION_RETURN_CODE | uint8 | last CONNECT return code | -| MQTT_PUBLISH_FLAGS | uint8 | cumulative of PUBLISH packet flags | -| MQTT_TOPICS | string | topics from PUBLISH packets headers | - -### SIP -List of unirec fields exported together with basic flow fields on interface by SIP plugin. - -| Output field | Type | Description | -|:-----------------:|:------:|:-------------------------------:| -| SIP_MSG_TYPE | uint16 | SIP message code | -| SIP_STATUS_CODE | uint16 | status of the SIP request | -| SIP_CSEQ | string | CSeq field of SIP packet | -| SIP_CALLING_PARTY | string | calling party (from) URI | -| SIP_CALLED_PARTY | string | called party (to) URI | -| SIP_CALL_ID | string | call ID | -| SIP_USER_AGENT | string | user agent field of SIP packet | -| SIP_REQUEST_URI | string | SIP request URI | -| SIP_VIA | string | via field of SIP packet | - -### NTP -List of unirec fields exported together with basic flow fields on interface by NTP plugin. 
- -| Output field | Type | Description | -|:--------------:|:------:|:-------------------------:| -| NTP_LEAP | uint8 | NTP leap field | -| NTP_VERSION | uint8 | NTP message version | -| NTP_MODE | uint8 | NTP mode field | -| NTP_STRATUM | uint8 | NTP stratum field | -| NTP_POLL | uint8 | NTP poll interval | -| NTP_PRECISION | uint8 | NTP precision field | -| NTP_DELAY | uint32 | NTP root delay | -| NTP_DISPERSION | uint32 | NTP root dispersion | -| NTP_REF_ID | string | NTP reference ID | -| NTP_REF | string | NTP reference timestamp | -| NTP_ORIG | string | NTP origin timestamp | -| NTP_RECV | string | NTP receive timestamp | -| NTP_SENT | string | NTP transmit timestamp | - -### SMTP -List of unirec fields exported on interface by SMTP plugin - -| Output field | Type | Description | -|:-------------------------:|:------:|:-----------------------------------:| -| SMTP_2XX_STAT_CODE_COUNT | uint32 | number of 2XX status codes | -| SMTP_3XX_STAT_CODE_COUNT | uint32 | number of 3XX status codes | -| SMTP_4XX_STAT_CODE_COUNT | uint32 | number of 4XX status codes | -| SMTP_5XX_STAT_CODE_COUNT | uint32 | number of 5XX status codes | -| SMTP_COMMAND_FLAGS | uint32 | bit array of commands present | -| SMTP_MAIL_CMD_COUNT | uint32 | number of MAIL commands | -| SMTP_RCPT_CMD_COUNT | uint32 | number of RCPT commands | -| SMTP_STAT_CODE_FLAGS | uint32 | bit array of status codes present | -| SMTP_DOMAIN | string | domain name of the SMTP client | -| SMTP_FIRST_SENDER | string | first sender in MAIL command | -| SMTP_FIRST_RECIPIENT | string | first recipient in RCPT command | - -#### SMTP\_COMMAND\_FLAGS -The following table shows bit values of `SMTP\_COMMAND\_FLAGS` for each SMTP command present in communication. 
- -| Command | Value | -|:--------:|:------:| -| EHLO | 0x0001 | -| HELO | 0x0002 | -| MAIL | 0x0004 | -| RCPT | 0x0008 | -| DATA | 0x0010 | -| RSET | 0x0020 | -| VRFY | 0x0040 | -| EXPN | 0x0080 | -| HELP | 0x0100 | -| NOOP | 0x0200 | -| QUIT | 0x0400 | -| UNKNOWN | 0x8000 | - -#### SMTP\_STAT\_CODE\_FLAGS -The following table shows bit values of `SMTP\_STAT_CODE\_FLAGS` for each present in communication. - -| Status code | Value | -|:-----------:|:----------:| -| 211 | 0x00000001 | -| 214 | 0x00000002 | -| 220 | 0x00000004 | -| 221 | 0x00000008 | -| 250 | 0x00000010 | -| 251 | 0x00000020 | -| 252 | 0x00000040 | -| 354 | 0x00000080 | -| 421 | 0x00000100 | -| 450 | 0x00000200 | -| 451 | 0x00000400 | -| 452 | 0x00000800 | -| 455 | 0x00001000 | -| 500 | 0x00002000 | -| 501 | 0x00004000 | -| 502 | 0x00008000 | -| 503 | 0x00010000 | -| 504 | 0x00020000 | -| 550 | 0x00040000 | -| 551 | 0x00080000 | -| 552 | 0x00100000 | -| 553 | 0x00200000 | -| 554 | 0x00400000 | -| 555 | 0x00800000 | -| * | 0x40000000 | -| UNKNOWN | 0x80000000 | - -* Bit is set if answer contains SPAM keyword. - -### PSTATS -List of unirec fields exported on interface by PSTATS plugin. The plugin is compiled to gather statistics for the first `PSTATS_MAXELEMCOUNT` (30 by default) packets in the biflow record. -Note: the following fields are UniRec arrays (or basicList in IPFIX). - -| Output field | Type | Description | -|:--------------------------:|:--------:|:--------------------------------------:| -| PPI_PKT_LENGTHS | uint16\* | sizes of the first packets | -| PPI_PKT_TIMES | time\* | timestamps of the first packets | -| PPI_PKT_DIRECTIONS | int8\* | directions of the first packets | -| PPI_PKT_FLAGS | uint8\* | TCP flags for each packet | - -#### Plugin parameters: -- includezeros - Include zero-length packets in the lists. -- skipdup - Skip retransmitted (duplicated) TCP packets. 
- -##### Example: ``` -ipfixprobe 'pcap;file=pcaps/http.pcap' -p "pstats;includezeros" -o 'unirec;i=u:stats:timeout=WAIT;p=stats'" +git clone --recurse-submodules https://github.com/CESNET/ipfixprobe +cd ipfixprobe +autoreconf -i +./configure +make +sudo make install ``` -### OSQUERY -List of unirec fields exported together with basic flow fields on interface by OSQUERY plugin. +Check `./configure --help` for more details and settings. -| Output field | Type | Description | -|:--------------------------:|:--------:|:---------------------------------------------------:| -| PROGRAM_NAME | string | The name of the program that handles the connection | -| USERNAME | string | The name of the user who starts the process | -| OS_NAME | string | Distribution or product name | -| OS_MAJOR | uint16 | Major release version | -| OS_MINOR | uint16 | Minor release version | -| OS_BUILD | string | Optional build-specific or variant string | -| OS_PLATFORM | string | OS Platform or ID | -| OS_PLATFORM_LIKE | string | Closely related platforms | -| OS_ARCH | string | OS Architecture | -| KERNEL_VERSION | string | Kernel version | -| SYSTEM_HOSTNAME | string | Network hostname including domain | +### RPM packages -### SSDP -List of unirec fields exported together with basic flow fields on interface by SSDP plugin. 
+RPM package can be created in the following versions using `--with` parameter of `rpmbuild`: +- `--with pcap` enables RPM with pcap input plugin +- `--with ndp` enables RPM with netcope-common, i.e., ndp input plugin +- `--with nemea` enables RPM with unirec output plugin +- `--without raw` disables RPM with default raw socket input plugin +- `--with unwind` enables RPM with stack unwinding feature -| Output field | Type | Description | -|:------------------:|:------:|:-------------------------------:| -| SSDP_LOCATION_PORT | uint16 | service port | -| SSDP_NT | string | list of advertised service urns | -| SSDP_SERVER | string | server info | -| SSDP_ST | string | list of queried service urns | -| SSDP_USER_AGENT | string | list of user agents | +These parameters affect required dependencies of the RPM and build process. -All lists are semicolon separated. +The default configuration of the RPM can be created using simply: `make rpm` -### DNS-SD -List of unirec fields exported together with basic flow fields on interface by DNS-SD plugin. +Alternative versions (described in the following section) can be created by: +- NEMEA version of RPM: `make rpm-nemea` +- NDP version of RPM: `make rpm-ndp` -| Output field | Type | Description | -|:---------------:|:------:|:-------------------------------:| -| DNSSD_QUERIES | string | list of queries for services | -| DNSSD_RESPONSES | string | list of advertised services | +We use [COPR infrastructure](https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/) to build and serve RPM packages for EPEL9. +It is not possible to pass arguments to rpmbuild, so there is an option in configure to enforce NEMEA dependency: -Format of DNSSD_QUERIES: [service_instance_name;][...] +`./configure --enable-coprrpm && make srpm` -Format of DNSSD_RESPONSES: [service_instance_name;service_port;service_target;hinfo;txt;][...] +The output source RPM can be uploaded to copr. -#### Plugin parameters: -- txt - Activates processing of txt records. 
- - Allows to pass a filepath to .csv file with whitelist filter of txt records. - - File line format: service.domain,txt_key1,txt_key2,... - - If no filepath is provided, all txt records will be aggregated. +To install ipfixprobe with NEMEA dependency from binary RPM packages, it is possible to follow instructions on: +[https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/](https://copr.fedorainfracloud.org/coprs/g/CESNET/NEMEA/) -### OVPN (OpenVPN) +## Telemetry -List of fields exported together with basic flow fields on interface by OVPN plugin. +`ipfixprobe` can expose telemetry data using the appFs library, which leverages the fuse3 library (filesystem in userspace) to allow telemetry data to be accessed and manipulated +through standard filesystem operations. -| Output field | Type | Description | -|:------------------:|:------:|:-------------------------------:| -| OVPN_CONF_LEVEL | uint8 | level of confidence that the flow record is an OpenVPN tunnel | +## Input / Output of the flow exporter +The availability of the input and output interfaces depends on the ipfixprobe build settings. By default, we provide RPM package with pcap and raw inputs. The default provided outpus are ipfix and text. -### IDPContent (Initial Data Packets Content) +When the project is configured with `./configure --with-nemea`, the flow +exporter supports NEMEA output via TRAP IFC besides the default IPFIX output. +For more information about NEMEA, visit +[https://nemea.liberouter.org](https://nemea.liberouter.org). -List of fields exported together with basic flow fields on the interface by IDPContent plugin. -The plugin is compiled to export `IDPCONTENT_SIZE` (100 by default) bytes from the first data packet in SRC -> DST direction, -and the first data packet in DST -> SRC direction. +The flow exporter supports compilation with libpcap (`./configure --with-pcap`), which allows for receiving packets +from PCAP file or network interface card. 
-| Output field | Type | Description | -|:------------------:|:------:|:-------------------------------:| -| IDP_CONTENT | bytes | Content of first data packet from SRC -> DST| -| IDP_CONTENT_REV | bytes | Content of first data packet from DST -> SRC| +When the project is configured with `./configure --with-ndp`, it is prepared for high-speed packet transfer +from special HW acceleration FPGA cards. For more information about the cards, +visit [COMBO cards](https://www.liberouter.org/technologies/cards/) or contact +us. -### NetBIOS +### Output -List of fields exported together with basic flow fields on interface by NetBIOS plugin. +There are several currently available output plugins, such as: -| Output field | Type | Description | -|:-------------:|:------:|:---------------------------:| -| NB_NAME | string | NetBIOS Name Service name | -| NB_SUFFIX | uint8 | NetBIOS Name Service suffix | +- `ipfix` standard IPFIX [RFC 5101](https://tools.ietf.org/html/rfc5101) +- `unirec` data source for the [NEMEA system](https://nemea.liberouter.org), the output is in the UniRec format sent via a configurable interface using [https://nemea.liberouter.org/trap-ifcspec/](https://nemea.liberouter.org/trap-ifcspec/) +- `text` output in human readable text format on standard output file descriptor (stdout) -### PHISTS +The output flow records are composed of information provided by the enabled plugins (using `-p` parameter, see [Flow Data Extension - Processing Plugins](./README.md#flow-data-extension---processing-plugins)). -List of fields exported together with basic flow fields on the interface by PHISTS plugin. -The plugin exports the histograms of Payload sizes and Inter-Packet-Times for each direction. The -histograms bins are scaled logarithmicaly and are shown in following table: +See `ipfixprobe -h output` for more information and complete list of output plugins and their parameters. 
-| Bin Number | Size Len | Inter Packet Time | -|:----------:|:----------:|:-----------------:| -| 1 | 0-15 B | 0-15 ms | -| 2 | 16-31 B | 16-31 ms | -| 3 | 32-63 B | 32-63 ms | -| 4 | 64-127 B | 64-127 ms | -| 5 | 128-255 B | 128-255 ms | -| 6 | 256-511 B | 256-511 ms | -| 7 | 512-1023 B | 512-1023 ms | -| 8 | > 1024 B | > 1024 ms | +LZ4 compression: +ipfix plugin supports LZ4 compression algorithm over tcp. See plugin's help for more information. -The exported unirec fields and IPFIX basiclists is shown in following table: -| Output field | Type | Description | -|:-------------------:|:-------:|:---------------------------------------:| -| D_PHISTS_IPT | uint32\*| DST->SRC: Histogram of interpacket times| -| D_PHISTS_SIZES | uint32\*| DST->SRC: Histogram of packet sizes | -| S_PHISTS_IPT | uint32\*| SRC->DST: Histogram of interpacket times| -| S_PHISTS_SIZES | uint32\*| SRC->DST: Histogram of packet sizes | +## Possible issues +### Flows are not send to output interface when reading small pcap file (NEMEA output) -#### Plugin parameters: -- includezeros - Include zero-length packets in the lists. +Turn off message buffering using `buffer=off` option and set `timeout=WAIT` on output interfaces. -##### Example: ``` -ipfixprobe 'pcap;file=pcaps/http.pcap' -p "phists;includezeros" -o 'unirec;i=u:hists:timeout=WAIT;p=phists'" +./ipfixprobe -i 'pcap;file=traffic.pcap' -o 'unirec;i=u:out:timeout=WAIT:buffer=off' ``` -### BSTATS - -List of fields exported together with basic flow fields on the interface by BSTATS plugin. -The plugin is compiled to export the first `BSTATS_MAXELENCOUNT` (15 by default) burst in each direction. -The bursts are computed separately for each direction. Burst is defined by `MINIMAL_PACKETS_IN_BURST` (3 by default) and by `MAXIMAL_INTERPKT_TIME` (1000 ms by default) between packets to be included in a burst. When the flow contains less then `MINIMAL_PACKETS_IN_BURST` packets, the fields are not exported to reduce output bandwidth. 
- -| Output field | Type | Description | -|:-------------------:|:-------:|:---------------------------------------------------------------:| -| SBI_BRST_PACKETS | uint32\* | SRC->DST: Number of packets transmitted in ith burst| -| SBI_BRST_BYTES | uint32\* | SRC->DST: Number of bytes transmitted in ith burst | -| SBI_BRST_TIME_START | time\* | SRC->DST: Start time of the ith burst | -| SBI_BRST_TIME_STOP | time\* | SRC->DST: End time of the ith burst | -| DBI_BRST_PACKETS | uint32\* | DST->SRC: Number of packets transmitted in ith burst| -| DBI_BRST_BYTES | uint32\* | DST->SRC: Number of bytes transmitted in ith burst | -| DBI_BRST_TIME_START | time\* | DST->SRC: Start time of the ith burst | -| DBI_BRST_TIME_STOP | time\* | DST->SRC: End time of the ith burst | - -### WG (WireGuard) - -List of fields exported together with basic flow fields on interface by WG plugin. -| Output field | Type | Description | -|:------------------:|:------:|:-------------------------------:| -| WG_CONF_LEVEL | uint8 | level of confidence that the flow record is a WireGuard tunnel| -| WG_SRC_PEER | uint32 | ephemeral SRC peer identifier | -| WG_DST_PEER | uint32 | ephemeral DST peer identifier | - -### QUIC - -List of fields exported together with basic flow fields on interface by quic plugin. -`-with-quic-ch-full-tls-ext` enables extraction of all TLS extensions in the Client Hello. 
- -| Output field | Type | Description | -|:-------------------:|:--------:|:---------------------------------------------------------------------------------------------:| -| QUIC_SNI | string | Decrypted server name | -| QUIC_USER_AGENT | string | Decrypted user agent | -| QUIC_VERSION | uint32 | QUIC version from first server long header packets | -| QUIC_CLIENT_VERSION | uint32 | QUIC version from first client long header packet | -| QUIC_TOKEN_LENGTH | uint64 | Token length from Initial and Retry packets | -| QUIC_OCCID | bytes | Source Connection ID from first client packet | -| QUIC_OSCID | bytes | Destination Connection ID from first client packet | -| QUIC_SCID | bytes | Source Connection ID from first server packet | -| QUIC_RETRY_SCID | bytes | Source Connection ID from Retry packet | -| QUIC_MULTIPLEXED | uint8 | > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs) | -| QUIC_ZERO_RTT | uint8 | Number of 0-RTT packets in flow. | -| QUIC_SERVER_PORT | uint16 | TODO Server Port determined by packet type and TLS message | -| QUIC_PACKETS | uint8\* | QUIC long header packet type (v1 encoded), version negotiation, QUIC bit | -| QUIC_CH_PARSED | uint8 | >0 if TLS Client Hello parsed without errors | -| QUIC_TLS_EXT_TYPE | uint16\* | TLS extensions in the TLS Client Hello | -| QUIC_TLS_EXT_LEN | uint16\* | Length of each TLS extension | -| QUIC_TLS_EXT | string | Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension | - -### ICMP - -List of fields exported together with basic flow fields on interface by icmp plugin. - -| Output field | Type | Description | -|:------------------:|:------:|:-------------------------------:| -| L4_ICMP_TYPE_CODE | uint16 | ICMP type (MSB) and code (LSB) | - -### SSADetector - -List of fields exported together with basic flow fields on interface by ssadetector plugin. -The detector search for the SYN SYN-ACK ACK pattern in packet lengths. 
Multiple occurrences of this pattern suggest a tunneled connection. - -| Output field | Type | Description | -|:------------------:|:------:|:---------------------------------------:| -| SSA_CONF_LEVEL | uint8 | 1 if SSA sequence detected, 0 otherwise | - -### VLAN - -List of fields exported together with basic flow fields on the interface by VLAN plugin. - -| Output field | Type | Description | -|:------------:|:------:|:--------------------------:| -| VLAN_ID | uint16 | Vlan ID (used in flow key) | - -### Flow Hash - -List of fields exported together with basic flow fields on interface by flow_hash plugin. - -| Output field | Type | Description | -|:------------------:|:------:|:---------------------------------:| -| FLOW_ID | uint64 | Hash of the flow - unique flow id | - -### MPLS - -List of fields exported together with basic flow fields on interface by mpls plugin. - -| Output field | Type | Description | -|:----------------------------:|:-----:|:------------------------------------------------:| -| MPLS_TOP_LABEL_STACK_SECTION | bytes | MPLS label section (without TTL), always 3 bytes | - -## Simplified function diagram -Diagram below shows how `ipfixprobe` works. - -1. `Packet` is read from pcap file or network interface -2. `Packet` is processed by PcapReader and is about to put to flow cache -3. Flow cache create or update flow and call `pre_create`, `post_create`, `pre_update`, `post_update` and `pre_export` functions for each active plugin at appropriate time -4. `Flow` is put into exporter when considered as expired, flow cache is full or is forced to by a plugin -5. Exporter fills `unirec record`, which is then send it to output libtrap interface - -``` - +--------------------------------+ - | pcap file or network interface | - +-----+--------------------------+ - | - 1. | - | +-----+ - +--------v---------+ | - | | +-----------+ | - | PcapReader | +------> Plugin1 | | - | | | +-----------+ | - +--------+---------+ | | - | | +-----------+ | - 2. 
| +------> Plugin2 | | - | | +-----------+ | - +--------v---------+ | | - | | 3. | +-----------+ +----+ active plugins - | NHTFlowCache +-------------> Plugin3 | | - | | | +-----------+ | - +--------+---------+ | | - | | . | - 4. | | . | - | | . | - +--------v---------+ | | - | | | +-----------+ | - | UnirecExporter | +------> PluginN | | - | | +-----------+ | - +--------+---------+ | - | +-----+ - 5. | - | - +-----v--------------------------+ - | libtrap output interface | - +--------------------------------+ -``` diff --git a/docs/404.html b/docs/404.html new file mode 100644 index 00000000..1590ef26 --- /dev/null +++ b/docs/404.html @@ -0,0 +1,6 @@ +--- +title: Not Found +description: This does not exist +permalink: /404.html +sitemap: false +--- diff --git a/docs/Gemfile b/docs/Gemfile new file mode 100644 index 00000000..984db5ee --- /dev/null +++ b/docs/Gemfile @@ -0,0 +1,11 @@ +source 'https://rubygems.org' +gem "webrick" +gem 'jekyll', '~> 4.2.0' + +group :jekyll_plugins do + gem 'jekyll-archives', '~> 2.2.1' + gem 'jekyll-feed', '~> 0.15.1' + gem 'jekyll-paginate', '~> 1.1.0' + gem 'jekyll-seo-tag', '~> 2.7.1' + gem 'jekyll-sitemap', '~> 1.4.0' +end diff --git a/docs/Gemfile.lock b/docs/Gemfile.lock new file mode 100644 index 00000000..444faada --- /dev/null +++ b/docs/Gemfile.lock 
@@ -0,0 +1,83 @@ +GEM + remote: https://rubygems.org/ + specs: + addressable (2.7.0) + public_suffix (>= 2.0.2, < 5.0) + colorator (1.1.0) + concurrent-ruby (1.1.9) + em-websocket (0.5.2) + eventmachine (>= 0.12.9) + http_parser.rb (~> 0.6.0) + eventmachine (1.2.7) + ffi (1.15.1) + forwardable-extended (2.6.0) + http_parser.rb (0.6.0) + i18n (1.8.10) + concurrent-ruby (~> 1.0) + jekyll (4.2.0) + addressable (~> 2.4) + colorator (~> 1.0) + em-websocket (~> 0.5) + i18n (~> 1.0) + jekyll-sass-converter (~> 2.0) + jekyll-watch (~> 2.0) + kramdown (~> 2.3) + kramdown-parser-gfm (~> 1.0) + liquid (~> 4.0) + mercenary (~> 0.4.0) + pathutil (~> 0.9) + rouge (~> 3.0) + safe_yaml (~> 1.0) + terminal-table (~> 2.0) + jekyll-archives (2.2.1) + jekyll (>= 3.6, < 5.0) + jekyll-feed (0.15.1) + jekyll (>= 3.7, < 5.0) + jekyll-paginate (1.1.0) + jekyll-sass-converter (2.1.0) + sassc (> 2.0.1, < 3.0) + jekyll-seo-tag (2.7.1) + jekyll (>= 3.8, < 5.0) + jekyll-sitemap (1.4.0) + jekyll (>= 3.7, < 5.0) + jekyll-watch (2.2.1) + listen (~> 3.0) + kramdown (2.3.1) + rexml + kramdown-parser-gfm (1.1.0) + kramdown (~> 2.0) + liquid (4.0.3) + listen (3.5.1) + rb-fsevent (~> 0.10, >= 0.10.3) + rb-inotify (~> 0.9, >= 0.9.10) + mercenary (0.4.0) + pathutil (0.16.2) + forwardable-extended (~> 2.6) + public_suffix (4.0.6) + rb-fsevent (0.11.0) + rb-inotify (0.10.1) + ffi (~> 1.0) + rexml (3.2.5) + rouge (3.26.0) + safe_yaml (1.0.5) + sassc (2.4.0) + ffi (~> 1.9) + terminal-table (2.0.0) + unicode-display_width (~> 1.1, >= 1.1.1) + unicode-display_width (1.7.0) + webrick (1.8.1) + +PLATFORMS + ruby + +DEPENDENCIES + jekyll (~> 4.2.0) + jekyll-archives (~> 2.2.1) + jekyll-feed (~> 0.15.1) + jekyll-paginate (~> 1.1.0) + jekyll-seo-tag (~> 2.7.1) + jekyll-sitemap (~> 1.4.0) + webrick + +BUNDLED WITH + 1.17.3 diff --git a/docs/LICENSE b/docs/LICENSE new file mode 100644 index 00000000..a4de04d2 --- /dev/null +++ b/docs/LICENSE 
@@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2016-2020 CloudCannon + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/docs/README.md b/docs/README.md new file mode 100644 index 00000000..02147072 --- /dev/null +++ b/docs/README.md 
@@ -0,0 +1,71 @@ +# ipfixprobe website Hydra + +Based on Hydra opensource template [live demo](https://proud-alligator.cloudvent.net/) + +## Features + +* Contact form +* Pre-built pages +* Pre-styled components +* Blog with pagination +* Post category pages +* Disqus comments for posts +* Staff and author system +* Configurable footer +* Optimised for editing in [CloudCannon](http://cloudcannon.com/) +* RSS/Atom feed +* SEO tags +* Google Analytics + +## Setup + +1. Add your site and author details in `_config.yml`. +2. Add your Google Analytics and Disqus keys to `_config.yml`. +3. Get a workflow going to see your site's output (with [CloudCannon](https://app.cloudcannon.com/) or Jekyll locally). + +## Develop + +Hydra was built with [Jekyll](http://jekyllrb.com/) version 3.3.1, but should support newer versions as well. + +Install the dependencies with [Bundler](http://bundler.io/): + +~~~bash +$ bundle install +~~~ + +Run `jekyll` commands through Bundler to ensure you're using the right versions: + +~~~bash +$ bundle exec jekyll serve +~~~ + +## Editing + +Hydra is already optimised for adding, updating and removing pages, staff, advice, company details and footer elements in CloudCannon. + +### Posts + +* Add, update or remove a post in the *Posts* collection. +* The **Staff Author** field links to members in the **Staff** collection. +* Documentation pages are organised in the navigation by category, with URLs based on the path inside the `_docs` folder. +* Change the defaults when new posts are created in `_posts/_defaults.md`. + +### Contact Form + +* Preconfigured to work with CloudCannon, but easily changed to another provider (e.g. [FormSpree](https://formspree.io/)). +* Sends email to the address listed in company details. + +### Staff + +* Reused around the site to save multiple editing locations. +* Add `excluded_in_search: true` to any documentation page's front matter to exclude that page in the search results. 
+ +### Navigation + +* Exposed as a data file to give clients better access. +* Set in the *Data* / *Navigation* section. + +### Footer + +* Exposed as a data file to give clients better access. +* Set in the *Data* / *Footer* section. diff --git a/docs/_config.yml b/docs/_config.yml new file mode 100644 index 00000000..35b62d6b --- /dev/null +++ b/docs/_config.yml 
@@ -0,0 +1,117 @@ +# ---- +# Site + +title: ipfixprobe +url: "https://hynekkar.github.io/ipfixprobe-docs/" +baseurl: +google_analytics_key: +google_maps_javascript_api_key: +disqus_shortname: + +# Values for the jekyll-seo-tag gem (https://github.com/jekyll/jekyll-seo-tag) +logo: /siteicon.svg +description: "ipfixprobe is a tool for collecting and processing IPFIX data." +author: + name: "Karel Hynek (CESNET z.s.p.o.)" + email: "hynekkar@cesnet.cz" + twitter: # twitter username without the @ symbol +social: + name: "Hydra Template" + links: + - https://github.com/CloudCannon/hydra-jekyll-template + +# ----- +# Build + +timezone: Etc/UTC + +collections: + staff_members: + _hide_content: true + get_options: + _hide_content: true + how: + _hide_content: true + output: true + export: + _hide_content: true + +paginate: 10 +paginate_path: "/blog/:num/" +permalink: pretty + +defaults: + - scope: + path: "" + type: "posts" + values: + layout: "post" + _options: + content: + width: 1500 + height: 2500 + - scope: + path: "" + type: "staff_members" + values: + _options: + image_path: + width: 600 + height: 600 + - scope: + path: "" + values: + layout: "page" + - scope: + path: "index.html" + values: + layout: "default" + - scope: + path: "get_options" + values: + layout: "post" + - scope: + path: "contact.html" + values: + full_width: true + +jekyll-archives: + enabled: + - categories + +plugins: + - jekyll-archives + - jekyll-sitemap + - jekyll-seo-tag + - jekyll-feed + - jekyll-paginate + +exclude: + - Gemfile + - Gemfile.lock + - README.md + - LICENCE + +# ----------- +# CloudCannon + +_select_data: + social_icons: + - Facebook + - Instagram + - LinkedIn + - Pinterest + - Tumblr + - Twitter + - YouTube + - RSS + +_comments: + map: Update the map location and display settings. + latitude: Coordinates for the center marker on the map. + longitude: Coordinates for the center marker on the map. + zoom: The zoom level for the map. 
+ pricing_table: Update the information in the pricing tables. + highlight: Emphasis the text + color: The background colour used in the plan name and call to action. + new_window: Open link in new window diff --git a/docs/_data/footer.yml b/docs/_data/footer.yml new file mode 100644 index 00000000..6c20371a --- /dev/null +++ b/docs/_data/footer.yml @@ -0,0 +1,5 @@ +- links: + - name: GitHub + link: https://github.com/CESNET/ipfixprobe + new_window: true + social_icon: GitHub \ No newline at end of file diff --git a/docs/_data/navigation.yml b/docs/_data/navigation.yml new file mode 100644 index 00000000..3de74271 --- /dev/null +++ b/docs/_data/navigation.yml @@ -0,0 +1,16 @@ +- name: "Get Ipfixprobe" + link: /get_options/ + new_window: false + highlight: false +- name: "How to use it" + link: /how/ + new_window: false + highlight: false +- name: "Developer" + link: /developer/ + new_window: false + highlight: false +- name: "Export Data" + link: /export/ + new_window: false + highlight: false \ No newline at end of file diff --git a/docs/_export/BSTATS.md b/docs/_export/BSTATS.md new file mode 100644 index 00000000..a25544eb --- /dev/null +++ b/docs/_export/BSTATS.md 
@@ -0,0 +1,45 @@ +--- +title: BSTATS +description: List of fields exported together with basic flow fields on the interface by BSTATS plugin. The plugin is compiled to export the first BSTATS_MAXELENCOUNT (15 by default) burst in each direction. The bursts are computed separately for each direction. Burst is defined by MINIMAL_PACKETS_IN_BURST (3 by default) and by MAXIMAL_INTERPKT_TIME (1000 ms by default) between packets to be included in a burst. When the flow contains less then MINIMAL_PACKETS_IN_BURST packets, the fields are not exported to reduce output bandwidth. +fields: + - + name: "SBI_BRST_PACKETS" + type: "uint32*" + ipfix: "0/291" + value: " SRC->DST: Number of packets transmitted in ith burst" + - + name: "SBI_BRST_BYTES" + type: "uint32*" + ipfix: "0/291" + value: " SRC->DST: Number of bytes transmitted in ith burst" + - + name: "SBI_BRST_TIME_START" + type: "time*" + ipfix: "0/291" + value: " SRC->DST: Start time of the ith burst" + - + name: "SBI_BRST_TIME_STOP" + type: "time*" + ipfix: "0/291" + value: " SRC->DST: End time of the ith burst" + - + name: "DBI_BRST_PACKETS" + type: "uint32*" + ipfix: "0/291" + value: " DST->SRC: Number of packets transmitted in ith burst" + - + name: "DBI_BRST_BYTES" + type: "uint32*" + ipfix: "0/291" + value: " DST->SRC: Number of bytes transmitted in ith burst" + - + name: "DBI_BRST_TIME_START" + type: "time*" + ipfix: "0/291" + value: " DST->SRC: Start time of the ith burst" + - + name: "DBI_BRST_TIME_STOP" + type: "time*" + ipfix: "0/291" + value: " DST->SRC: End time of the ith burst" +--- \ No newline at end of file diff --git a/docs/_export/DNS-SD.md b/docs/_export/DNS-SD.md new file mode 100644 index 00000000..8e3a00e9 --- /dev/null +++ b/docs/_export/DNS-SD.md 
@@ -0,0 +1,15 @@ +--- +title: DNS-SD +description: List of unirec fields exported together with basic flow fields on interface by DNS-SD plugin. +fields: + - + name: "DNSSD_QUERIES" + type: "string" + ipfix: "8057/826" + value: " list of queries for services" + - + name: "DNSSD_RESPONSES" + type: "string" + ipfix: "8057/827" + value: " list of advertised services" +--- \ No newline at end of file diff --git a/docs/_export/DNS.md b/docs/_export/DNS.md new file mode 100644 index 00000000..d9ce1c52 --- /dev/null +++ b/docs/_export/DNS.md @@ -0,0 +1,60 @@ +--- +title: DNS +description: List of unirec fields exported together with basic flow fields on interface by DNS plugin. +fields: + - + name: "DNS_ID" + type: "uint16" + ipfix: "8057/10" + value: "transaction ID" + - + name: "DNS_ANSWERS" + type: "uint16" + ipfix: "8057/14" + value: "number of DNS answer records" + - + name: "DNS_RCODE" + type: "uint8" + ipfix: "8057/1" + value: "response code field" + - + name: "DNS_NAME" + type: "string" + ipfix: "8057/2" + value: "question domain name" + - + name: "DNS_QTYPE" + type: "uint16" + ipfix: "8057/3" + value: "question type field" + - + name: "DNS_CLASS" + type: "uint16" + ipfix: "8057/4" + value: "class field of DNS question" + - + name: "DNS_RR_TTL" + type: "uint32" + ipfix: "8057/5" + value: "resource record TTL field" + - + name: "DNS_RLENGTH" + type: "uint16" + ipfix: "8057/6" + value: "length of DNS_RDATA" + - + ipfix: "8057/7" + name: "DNS_RDATA" + type: "bytes" + value: "resource record specific data" + - + name: "DNS_PSIZE" + type: "uint16" + ipfix: "8057/8" + value: "requestor's payload size" + - + name: "DNS_DO" + type: "uint8" + ipfix: "8057/9" + value: "DNSSEC OK bit" +--- \ No newline at end of file diff --git a/docs/_export/Flow Hash.md b/docs/_export/Flow Hash.md new file mode 100644 index 00000000..99fa1b73 --- /dev/null +++ b/docs/_export/Flow Hash.md 
@@ -0,0 +1,10 @@ +--- +title: Flow Hash +description: List of fields exported together with basic flow fields on interface by flow_hash plugin. +fields: + - + name: "FLOW_ID" + type: "uint64" + ipfix: "0/148" + value: " Hash of the flow - unique flow id" +--- \ No newline at end of file diff --git a/docs/_export/HTTP.md b/docs/_export/HTTP.md new file mode 100644 index 00000000..7d6a57c7 --- /dev/null +++ b/docs/_export/HTTP.md @@ -0,0 +1,50 @@ +--- +title: HTTP +description: List of unirec fields exported together with basic flow fields on interface by HTTP plugin. +fields: + - + name: "HTTP_DOMAIN" + type: "string" + ipfix: "39499/1" + value: "HTTP request host" + - + name: "HTTP_URI" + type: "string" + ipfix: "39499/2" + value: "HTTP request url" + - + name: "HTTP_USERAGENT" + type: "string" + ipfix: "39499/20" + value: "HTTP request user agent" + - + name: "HTTP_REFERER" + type: "string" + ipfix: "39499/3" + value: "HTTP request referer" + - + name: "HTTP_STATUS" + type: "uint16" + ipfix: "39499/12" + value: "HTTP response code" + - + name: "HTTP_CONTENT_TYPE" + type: "string" + ipfix: "39499/10" + value: "HTTP response content type" + - + name: "HTTP_METHOD" + type: "string" + ipfix: "39499/200" + value: "HTTP request method" + - + name: "HTTP_SERVER" + type: "string" + ipfix: "39499/201" + value: "HTTP response server" + - + name: "HTTP_SET_COOKIE_NAMES" + type: "string" + ipfix: "39499/202" + value: "HTTP response all set-cookie names separated by a delimiter" +--- \ No newline at end of file diff --git a/docs/_export/ICMP.md b/docs/_export/ICMP.md new file mode 100644 index 00000000..25bbb093 --- /dev/null +++ b/docs/_export/ICMP.md @@ -0,0 +1,11 @@ +--- +title: ICMP +description: List of fields exported together with basic flow fields on interface by icmp plugin. +fields: + - + name: "L4_ICMP_TYPE_CODE" + type: "uint16" + ipfix: "0/32" + value: " ICMP type (MSB) and code (LSB)" + +--- \ No newline at end of file 
diff --git a/docs/_export/IDPContent.md b/docs/_export/IDPContent.md new file mode 100644 index 00000000..387a4e7a --- /dev/null +++ b/docs/_export/IDPContent.md @@ -0,0 +1,15 @@ +--- +title: IDPContent +description: List of fields exported together with basic flow fields on the interface by IDPContent plugin. The plugin is compiled to export IDPCONTENT_SIZE (100 by default) bytes from the first data packet in SRC -> DST direction, and the first data packet in DST -> SRC direction. +fields: + - + name: "IDP_CONTENT" + type: "bytes" + ipfix: "8057/850" + value: " Content of first data packet from SRC -> DST" + - + name: "IDP_CONTENT_REV" + type: "bytes" + ipfix: "8057/851" + value: " Content of first data packet from DST -> SRC" +--- \ No newline at end of file diff --git a/docs/_export/MPLS.md b/docs/_export/MPLS.md new file mode 100644 index 00000000..3d3d318d --- /dev/null +++ b/docs/_export/MPLS.md @@ -0,0 +1,10 @@ +--- +title: MPLS +description: List of fields exported together with basic flow fields on interface by mpls plugin. +fields: + - + name: "MPLS_TOP_LABEL_STACK_SECTION" + type: "bytes" + ipfix: "0/70" + value: " MPLS label section (without TTL), always 3 bytes" +--- \ No newline at end of file diff --git a/docs/_export/MQTT.md b/docs/_export/MQTT.md new file mode 100644 index 00000000..7227e492 --- /dev/null +++ b/docs/_export/MQTT.md 
@@ -0,0 +1,40 @@ +--- +title: MQTT +description: List of unirec fields exported together with basic flow fields on interface by MQTT plugin. +fields: + - + name: "MQTT_TYPE_CUMULATIVE" + type: "uint16" + ipfix: "8057/1033" + value: " types of packets and session present flag cumulative" + - + name: "MQTT_VERSION" + type: "uint8" + ipfix: "8057/1034" + value: " MQTT version" + - + name: "MQTT_CONNECTION_FLAGS" + type: "uint8" + ipfix: "8057/1035" + value: " last CONNECT packet flags" + - + name: "MQTT_KEEP_ALIVE" + type: "uint16" + ipfix: "8057/1036" + value: " last CONNECT keep alive" + - + name: "MQTT_CONNECTION_RETURN_CODE" + type: "uint8" + ipfix: "8057/1037" + value: " last CONNECT return code" + - + name: "MQTT_PUBLISH_FLAGS" + type: "uint8" + ipfix: "8057/1038" + value: " cumulative of PUBLISH packet flags" + - + name: "MQTT_TOPICS" + type: "string" + ipfix: "8057/1039" + value: " topics from PUBLISH packets headers" +--- \ No newline at end of file diff --git a/docs/_export/NTP.md b/docs/_export/NTP.md new file mode 100644 index 00000000..4dded8e4 --- /dev/null +++ b/docs/_export/NTP.md 
@@ -0,0 +1,70 @@ +--- +title: NTP +description: List of unirec fields exported together with basic flow fields on interface by NTP plugin. +fields: + - + name: "NTP_LEAP" + type: "uint8" + ipfix: "8057/18" + value: " NTP leap field" + - + name: "NTP_VERSION" + type: "uint8" + ipfix: "8057/19" + value: " NTP message version" + - + name: "NTP_MODE" + type: "uint8" + ipfix: "8057/20" + value: " NTP mode field" + - + name: "NTP_STRATUM" + type: "uint8" + ipfix: "8057/21" + value: " NTP stratum field" + - + name: "NTP_POLL" + type: "uint8" + ipfix: "8057/22" + value: " NTP poll interval" + - + name: "NTP_PRECISION" + type: "uint8" + ipfix: "8057/23" + value: " NTP precision field" + - + name: "NTP_DELAY" + type: "uint32" + ipfix: "8057/24" + value: " NTP root delay" + - + name: "NTP_DISPERSION" + type: "uint32" + ipfix: "8057/25" + value: " NTP root dispersion" + - + name: "NTP_REF_ID" + type: "string" + ipfix: "8057/26" + value: " NTP reference ID" + - + name: "NTP_REF" + type: "string" + ipfix: "8057/27" + value: " NTP reference timestamp" + - + name: "NTP_ORIG" + type: "string" + ipfix: "8057/28" + value: " NTP origin timestamp" + - + name: "NTP_RECV" + type: "string" + ipfix: "8057/29" + value: " NTP receive timestamp" + - + name: "NTP_SENT" + type: "string" + ipfix: "8057/30" + value: " NTP transmit timestamp" +--- \ No newline at end of file diff --git a/docs/_export/NetBIOS.md b/docs/_export/NetBIOS.md new file mode 100644 index 00000000..b719854a --- /dev/null +++ b/docs/_export/NetBIOS.md @@ -0,0 +1,15 @@ +--- +title: NetBIOS +description: List of fields exported together with basic flow fields on interface by NetBIOS plugin. +fields: + - + name: "NB_NAME" + type: "string" + ipfix: "8057/831" + value: " NetBIOS Name Service name" + - + name: "NB_SUFFIX" + type: "uint8" + ipfix: "8057/832" + value: " NetBIOS Name Service suffix" +--- \ No newline at end of file 
diff --git a/docs/_export/NetTiSA.md b/docs/_export/NetTiSA.md new file mode 100644 index 00000000..c61fb67c --- /dev/null +++ b/docs/_export/NetTiSA.md 
@@ -0,0 +1,70 @@ +--- +title: NetTiSA +description: List of unirec fields exported together with NetTiSA flow fields on interface by nettisa plugin. +fields: + - + name: "NTS_MEAN" + type: "float" + ipfix: "8057/1020" + value: "The mean of the payload lengths of packets" + - + name: "NTS_MIN" + type: "uint16" + ipfix: "8057/1021" + value: "Minimal value from all packet payload lengths" + - + name: "NTS_MAX" + type: "uint16" + ipfix: "8057/1022" + value: "Maximum value from all packet payload lengths" + - + name: "NTS_STDEV" + type: "float" + ipfix: "8057/1023" + value: "Represents a switching ratio between different values of the sequence of observation." + - + name: "NTS_KURTOSIS" + type: "float" + ipfix: "8057/1024" + value: "The standard deviation is measure of the variation of data from the mean." + - + name: "NTS_ROOT_MEAN_SQUARE" + type: "float" + ipfix: "8057/1025" + value: "The measure of the magnitude of payload lengths of packets." + - + name: "NTS_AVERAGE_DISPERSION" + type: "float" + ipfix: "8057/1026" + value: "The average absolute difference between each payload length of packet and the mean value." + - + name: "NTS_MEAN_SCALED_TIME" + type: "float" + ipfix: "8057/1027" + value: "The kurtosis is the measure describing the extent to which the tails of a distribution differ from the tails of a normal distribution." + - + name: "NTS_MEAN_DIFFTIMES" + type: "float" + ipfix: "8057/1028" + value: "The scaled times is defined as sequence s(t) = t1 − t1 , t2 − t1 , … , tn − t1 . We compute the mean of the value with same method as for feature Mean." + - + name: "NTS_MIN_DIFFTIMES" + type: "float" + ipfix: "8057/1029" + value: "The time differences is defined as sequence dt = tj - ti | j = i + 1, i in 1, 2, ... n - 1. We compute the mean of the value with same method as for feature Mean." + - + name: "NTS_MAX_DIFFTIMES" + type: "float" + ipfix: "8057/1030" + value: "Minimal value from all time differences, i.e., min space between packets." 
+ - + name: "NTS_TIME_DISTRIBUTION" + type: "float" + ipfix: "8057/1031" + value: "Maximum value from all time differences, i.e., max space between packets." + - + name: "NTS_SWITCHING_RATIO" + type: "float" + ipfix: "8057/1032" + value: "Describes the distribution of time differences between individual packets." +--- \ No newline at end of file diff --git a/docs/_export/OSQUERY.md b/docs/_export/OSQUERY.md new file mode 100644 index 00000000..98df7e19 --- /dev/null +++ b/docs/_export/OSQUERY.md @@ -0,0 +1,60 @@ +--- +title: OSQUERY +description: List of unirec fields exported together with basic flow fields on interface by OSQUERY plugin. +fields: + - + name: "PROGRAM_NAME" + type: "string" + ipfix: "8057/852" + value: " The name of the program that handles the connection" + - + name: "USERNAME" + type: "string" + ipfix: "8057/853" + value: " The name of the user who starts the process" + - + name: "OS_NAME" + type: "string" + ipfix: "8057/854" + value: " Distribution or product name" + - + name: "OS_MAJOR" + type: "uint16" + ipfix: "8057/855" + value: " Major release version" + - + name: "OS_MINOR" + type: "uint16" + ipfix: "8057/856" + value: " Minor release version" + - + name: "OS_BUILD" + type: "string" + ipfix: "8057/857" + value: " Optional build-specific or variant string" + - + name: "OS_PLATFORM" + type: "string" + ipfix: "8057/858" + value: " OS Platform or ID" + - + name: "OS_PLATFORM_LIKE" + type: "string" + ipfix: "8057/859" + value: " Closely related platforms" + - + name: "OS_ARCH" + type: "string" + ipfix: "8057/860" + value: " OS Architecture" + - + name: "KERNEL_VERSION" + type: "string" + ipfix: "8057/861" + value: " Kernel version" + - + name: "SYSTEM_HOSTNAME" + type: "string" + ipfix: "8057/862" + value: " Network hostname including domain" +--- \ No newline at end of file diff --git a/docs/_export/OVPN.md b/docs/_export/OVPN.md new file mode 100644 index 00000000..17901ea9 --- /dev/null +++ b/docs/_export/OVPN.md 
@@ -0,0 +1,11 @@ +--- +title: OVPN +description: List of fields exported together with basic flow fields on interface by OVPN plugin. +fields: + - + name: "OVPN_CONF_LEVEL" + type: "uint8" + ipfix: "8057/828" + value: " level of confidence that the flow record is an OpenVPN tunnel" + +--- \ No newline at end of file diff --git a/docs/_export/PHISTS.md b/docs/_export/PHISTS.md new file mode 100644 index 00000000..98729462 --- /dev/null +++ b/docs/_export/PHISTS.md @@ -0,0 +1,26 @@ +--- +title: PHISTS +description: List of fields exported together with basic flow fields on the interface by PHISTS plugin. The plugin exports the histograms of Payload sizes and Inter-Packet-Times for each direction. The histograms bins are scaled logarithmicaly and are shown in following table. +fields: + - + name: "D_PHISTS_IPT" + type: "uint32*" + ipfix: "0/291" + value: " DST->SRC: Histogram of interpacket times" + - + name: "D_PHISTS_SIZES" + type: "uint32*" + ipfix: "0/291" + value: " DST->SRC: Histogram of packet sizes" + - + name: "S_PHISTS_IPT" + type: "uint32*" + ipfix: "0/291" + value: " SRC->DST: Histogram of interpacket times" + - + name: "S_PHISTS_SIZES" + type: "uint32*" + ipfix: "0/291" + value: " SRC->DST: Histogram of packet sizes" + +--- \ No newline at end of file diff --git a/docs/_export/PSTATS.md b/docs/_export/PSTATS.md new file mode 100644 index 00000000..9715d3bd --- /dev/null +++ b/docs/_export/PSTATS.md 
@@ -0,0 +1,25 @@ +--- +title: PSTATS +description: "List of unirec fields exported on interface by PSTATS plugin. The plugin is compiled to gather statistics for the first PSTATS_MAXELEMCOUNT (30 by default) packets in the biflow record. Note: the following fields are UniRec arrays (or basicList in IPFIX)." +fields: + - + name: "PPI_PKT_LENGTHS" + type: "uint16*" + ipfix: "0/291" + value: " sizes of the first packets" + - + name: "PPI_PKT_TIMES" + type: "time*" + ipfix: "0/291" + value: " timestamps of the first packets" + - + name: "PPI_PKT_DIRECTIONS" + type: "int8*" + ipfix: "0/291" + value: " directions of the first packets" + - + name: "PPI_PKT_FLAGS" + type: "uint8*" + ipfix: "0/291" + value: " TCP flags for each packet" +--- \ No newline at end of file diff --git a/docs/_export/PassiveDNS.md b/docs/_export/PassiveDNS.md new file mode 100644 index 00000000..0a401d97 --- /dev/null +++ b/docs/_export/PassiveDNS.md @@ -0,0 +1,26 @@ +--- +title: PassiveDNS +description: List of unirec fields exported together with basic flow fields on interface by PassiveDNS plugin. +fields: + - + name: "DNS_ID" + type: "uint16" + ipfix: "8057/10" + value: " transaction ID" + - + name: "DNS_ATYPE" + type: "uint8" + ipfix: "8057/11" + value: " response record type" + - + name: "DNS_NAME" + type: "string" + ipfix: "8057/2" + value: " question domain name" + - + name: "DNS_RR_TTL" + type: "uint32" + ipfix: "8057/5" + value: " resource record TTL field" + +--- \ No newline at end of file diff --git a/docs/_export/QUIC.md b/docs/_export/QUIC.md new file mode 100644 index 00000000..b2f2395a --- /dev/null +++ b/docs/_export/QUIC.md 
@@ -0,0 +1,90 @@ +--- +title: QUIC +description: List of fields exported together with basic flow fields on interface by quic plugin. -with-quic-ch-full-tls-ext enables extraction of all TLS extensions in the Client Hello. +fields: + - + name: "QUIC_SNI" + type: "string" + ipfix: "8057/890" + value: " Decrypted server name" + - + name: "QUIC_USER_AGENT" + type: "string" + ipfix: "8057/891" + value: " Decrypted user agent" + - + name: "QUIC_VERSION" + type: "uint32" + ipfix: "8057/892" + value: " QUIC version from first server long header packets" + - + name: "QUIC_CLIENT_VERSION" + type: "uint32" + ipfix: "8057/893" + value: " QUIC version from first client long header packet" + - + name: "QUIC_TOKEN_LENGTH" + type: "uint64" + ipfix: "8057/894" + value: " Token length from Initial and Retry packets" + - + name: "QUIC_OCCID" + type: "bytes" + ipfix: "8057/895" + value: " Source Connection ID from first client packet" + - + name: "QUIC_OSCID" + type: "bytes" + ipfix: "8057/896" + value: " Destination Connection ID from first client packet" + - + name: "QUIC_SCID" + type: "bytes" + ipfix: "8057/897" + value: " Source Connection ID from first server packet" + - + name: "QUIC_RETRY_SCID" + type: "bytes" + ipfix: "8057/898" + value: " Source Connection ID from Retry packet" + - + name: "QUIC_MULTIPLEXED" + type: "uint8" + ipfix: "8057/899" + value: " > 0 if multiplexed (at least two different QUIC_OSCIDs or SNIs)" + - + name: "QUIC_ZERO_RTT" + type: "uint8" + ipfix: "8057/889" + value: " Number of 0-RTT packets in flow." 
+ - + name: "QUIC_SERVER_PORT" + type: "uint16" + ipfix: "8057/887" + value: " TODO Server Port determined by packet type and TLS message" + - + name: "QUIC_PACKETS" + type: "uint8*" + ipfix: "0/291" + value: " QUIC long header packet type (v1 encoded), version negotiation, QUIC bit" + - + name: "QUIC_CH_PARSED" + type: "uint8" + ipfix: "8057/886" + value: " >0 if TLS Client Hello parsed without errors" + - + name: "QUIC_TLS_EXT_TYPE" + type: "uint16*" + ipfix: "0/291" + value: " TLS extensions in the TLS Client Hello" + - + name: "QUIC_TLS_EXT_LEN" + type: "uint16*" + ipfix: "0/291" + value: " Length of each TLS extension" + - + name: "QUIC_TLS_EXT" + type: "string" + ipfix: "8057/883" + value: " Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension" +--- \ No newline at end of file diff --git a/docs/_export/RTSP.md b/docs/_export/RTSP.md new file mode 100644 index 00000000..1f7aa25c --- /dev/null +++ b/docs/_export/RTSP.md @@ -0,0 +1,35 @@ +--- +title: RTSP +description: List of unirec fields exported together with basic flow fields on interface by RTSP plugin. +fields: + - + name: "RTSP_REQUEST_METHOD" + type: "string" + ipfix: "16982/600" + value: "RTSP request method name" + - + name: "RTSP_REQUEST_AGENT" + type: "string" + ipfix: "16982/601" + value: "RTSP request user agent" + - + name: "RTSP_REQUEST_URI" + type: "string" + ipfix: "16982/602" + value: "RTSP request URI" + - + name: "RTSP_RESPONSE_STATUS_CODE" + type: "uint16" + ipfix: "16982/603" + value: "RTSP response status code" + - + name: "RTSP_RESPONSE_SERVER" + type: "string" + ipfix: "16982/605" + value: "RTSP response server field" + - + name: "RTSP_RESPONSE_CONTENT_TYPE" + type: "string" + ipfix: "16982/604" + value: "RTSP response content type" +--- \ No newline at end of file diff --git a/docs/_export/SIP.md b/docs/_export/SIP.md new file mode 100644 index 00000000..c6466b04 --- /dev/null +++ b/docs/_export/SIP.md 
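Review bot: docs/_export/QUIC.md still ships a `TODO` in a published field description (`value: " TODO Server Port determined by packet type and TLS message"`); resolve it or drop the word before this goes live. In the same file the configure switch is written `-with-quic-ch-full-tls-ext` with a single dash, while build_from_source.md writes the switches as `--with-quic`, so it should be `--with-quic-ch-full-tls-ext`. The QUIC_TLS_EXT text 'Payload of all/application_layer_protocol_negotiation and quic_transport params TLS extension' is hard to parse; suggest 'Payload of the application_layer_protocol_negotiation and quic_transport_parameters extensions, or of all Client Hello extensions when built with --with-quic-ch-full-tls-ext', which is what the description line implies.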
@@ -0,0 +1,50 @@ +--- +title: SIP +description: List of unirec fields exported together with basic flow fields on interface by SIP plugin. +fields: + - + name: "SIP_MSG_TYPE" + type: "uint16" + ipfix: "8057/100" + value: " SIP message code" + - + name: "SIP_STATUS_CODE" + type: "uint16" + ipfix: "8057/101" + value: " status of the SIP request" + - + name: "SIP_CSEQ" + type: "string" + ipfix: "8057/108" + value: " CSeq field of SIP packet" + - + name: "SIP_CALLING_PARTY" + type: "string" + ipfix: "8057/103" + value: " calling party (from) URI" + - + name: "SIP_CALLED_PARTY" + type: "string" + ipfix: "8057/104" + value: " called party (to) URI" + - + name: "SIP_CALL_ID" + type: "string" + ipfix: "8057/102" + value: " call ID" + - + name: "SIP_USER_AGENT" + type: "string" + ipfix: "8057/106" + value: " user agent field of SIP packet" + - + name: "SIP_REQUEST_URI" + type: "string" + ipfix: "8057/107" + value: " SIP request URI" + - + name: "SIP_VIA" + type: "string" + ipfix: "8057/105" + value: " via field of SIP packet" +--- \ No newline at end of file diff --git a/docs/_export/SMTP.md b/docs/_export/SMTP.md new file mode 100644 index 00000000..e5f5526c --- /dev/null +++ b/docs/_export/SMTP.md 
@@ -0,0 +1,60 @@ +--- +title: SMTP +description: List of unirec fields exported on interface by SMTP plugin. +fields: + - + name: "SMTP_2XX_STAT_CODE_COUNT" + type: "uint32" + ipfix: "8057/816" + value: " number of 2XX status codes" + - + name: "SMTP_3XX_STAT_CODE_COUNT" + type: "uint32" + ipfix: "8057/817" + value: " number of 3XX status codes" + - + name: "SMTP_4XX_STAT_CODE_COUNT" + type: "uint32" + ipfix: "8057/818" + value: " number of 4XX status codes" + - + name: "SMTP_5XX_STAT_CODE_COUNT" + type: "uint32" + ipfix: "8057/819" + value: " number of 5XX status codes" + - + name: "SMTP_COMMAND_FLAGS" + type: "uint32" + ipfix: "8057/810" + value: " bit array of commands present" + - + name: "SMTP_MAIL_CMD_COUNT" + type: "uint32" + ipfix: "8057/811" + value: " number of MAIL commands" + - + name: "SMTP_RCPT_CMD_COUNT" + type: "uint32" + ipfix: "8057/812" + value: " number of RCPT commands" + - + name: "SMTP_STAT_CODE_FLAGS" + type: "uint32" + ipfix: "8057/815" + value: " bit array of status codes present" + - + name: "SMTP_DOMAIN" + type: "string" + ipfix: "8057/820" + value: " domain name of the SMTP client" + - + name: "SMTP_FIRST_SENDER" + type: "string" + ipfix: "8057/813" + value: " first sender in MAIL command" + - + name: "SMTP_FIRST_RECIPIENT" + type: "string" + ipfix: "8057/814" + value: " first recipient in RCPT command" +--- \ No newline at end of file diff --git a/docs/_export/SSADetector.md b/docs/_export/SSADetector.md new file mode 100644 index 00000000..561bc0b5 --- /dev/null +++ b/docs/_export/SSADetector.md @@ -0,0 +1,10 @@ +--- +title: SSADetector +description: List of fields exported together with basic flow fields on interface by ssadetector plugin. The detector search for the SYN SYN-ACK ACK pattern in packet lengths. Multiple occurrences of this pattern suggest a tunneled connection. +fields: + - + name: "SSA_CONF_LEVEL" + type: "uint8" + ipfix: "8057/903" + value: " 1 if SSA sequence detected, 0 otherwise" +--- \ No newline at end of file 
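Review bot: in docs/_export/SSADetector.md the description should read 'The detector searches for the SYN, SYN-ACK, ACK pattern in packet lengths', and SSA_CONF_LEVEL is documented as a binary flag ('1 if SSA sequence detected, 0 otherwise') although the name suggests a confidence level and the description says that multiple occurrences of the pattern are the signal; state explicitly whether the exporter sets 1 on the first match or only after repeated matches, because a detection rule built on this field needs to know that.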
diff --git a/docs/_export/SSDP.md b/docs/_export/SSDP.md new file mode 100644 index 00000000..b2ca6bfd --- /dev/null +++ b/docs/_export/SSDP.md @@ -0,0 +1,30 @@ +--- +title: SSDP +description: List of unirec fields exported together with basic flow fields on interface by SSDP plugin. +fields: + - + name: "SSDP_LOCATION_PORT" + type: "uint16" + ipfix: "8057/821" + value: " service port" + - + name: "SSDP_NT" + type: "string" + ipfix: "8057/824" + value: " list of advertised service urns" + - + name: "SSDP_SERVER" + type: "string" + ipfix: "8057/822" + value: " server info" + - + name: "SSDP_ST" + type: "string" + ipfix: "8057/825" + value: " list of queried service urns" + - + name: "SSDP_USER_AGENT" + type: "string" + ipfix: "8057/823" + value: " list of user agents" +--- \ No newline at end of file diff --git a/docs/_export/TLS.md b/docs/_export/TLS.md new file mode 100644 index 00000000..7c51c81e --- /dev/null +++ b/docs/_export/TLS.md @@ -0,0 +1,35 @@ +--- +title: TLS +description: List of unirec fields exported together with basic flow fields on interface by TLS plugin. +fields: + - + name: "TLS_SNI" + type: "string" + ipfix: "8057/808" + value: "TLS server name indication field from client" + - + name: "TLS_ALPN" + type: "string" + ipfix: "39499/337" + value: "TLS application protocol layer negotiation field from server" + - + name: "TLS_VERSION" + type: "uint16" + ipfix: "39499/333" + value: "TLS client protocol version" + - + name: "TLS_JA3" + type: "string" + ipfix: "39499/357" + value: "TLS client JA3 fingerprint" + - + name: "TLS_EXT_TYPE" + type: "uint16" + ipfix: "0/291" + value: "TLS extensions in the TLS Client Hello" + - + name: "TLS_EXT_LEN" + type: "uint16" + ipfix: "0/291" + value: "Length of each TLS extension" +--- \ No newline at end of file diff --git a/docs/_export/VLAN.md b/docs/_export/VLAN.md new file mode 100644 index 00000000..9b7777c9 --- /dev/null +++ b/docs/_export/VLAN.md 
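Review bot: in docs/_export/TLS.md, TLS_EXT_TYPE and TLS_EXT_LEN are typed `uint16` but exported as an IPFIX basicList (`ipfix: "0/291"`), while the equivalent QUIC_TLS_EXT_TYPE and QUIC_TLS_EXT_LEN fields in QUIC.md use the array type `uint16*`; change the TLS types to `uint16*` so the two pages agree on the wire format. Also, the TLS_ALPN value should read 'application-layer protocol negotiation' (what ALPN stands for), not 'application protocol layer negotiation'.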
@@ -0,0 +1,11 @@ +--- +title: VLAN +description: List of fields exported together with basic flow fields on the interface by VLAN plugin. +fields: + - + name: "VLAN_ID" + type: "uint16" + ipfix: "0/58" + value: " Vlan ID (used in flow key)" + +--- \ No newline at end of file diff --git a/docs/_export/WG.md b/docs/_export/WG.md new file mode 100644 index 00000000..75658e31 --- /dev/null +++ b/docs/_export/WG.md @@ -0,0 +1,21 @@ +--- +title: WG +description: List of fields exported together with basic flow fields on interface by WG plugin. +fields: + - + name: "WG_CONF_LEVEL" + type: "uint8" + ipfix: "8057/1100" + value: " level of confidence that the flow record is a WireGuard tunnel" + - + name: "WG_SRC_PEER" + type: "uint32" + ipfix: "8057/1101" + value: " ephemeral SRC peer identifier" + - + name: "WG_DST_PEER" + type: "uint32" + ipfix: "8057/1102" + value: " ephemeral DST peer identifier" + +--- \ No newline at end of file diff --git a/docs/_export/basic.md b/docs/_export/basic.md new file mode 100644 index 00000000..3c2a7d1c --- /dev/null +++ b/docs/_export/basic.md 
@@ -0,0 +1,90 @@ +--- +title: Basic +description: Basic unirec fields exported on interface with basic (pseudo) plugin. These fields are also exported on interfaces where HTTP, DNS, SIP and NTP plugins are active. +fields: + - + name: "DST_MAC" + type: "macaddr" + ipfix: "0/80" + value: "destination MAC address" + - + name: "SRC_MAC" + type: "macaddr" + ipfix: "0/56" + value: "source MAC address" + - + name: "DST_IP" + type: "ipaddr" + ipfix: "0/12 or 0/28" + value: "destination IP address" + - + name: "SRC_IP" + type: "ipaddr" + ipfix: "0/8 or 0/27" + value: "source IP address" + - + name: "BYTES" + type: "uint64" + ipfix: "0/1" + value: "number of bytes in data flow (src to dst)" + - + name: "BYTES_REV" + type: "uint64" + ipfix: "29305/1" + value: "number of bytes in data flow (dst to src)" + - + name: "LINK_BIT_FIELD or ODID" + type: "uint64 or uint32" + ipfix: "-" + value: "exporter identification" + - + name: "TIME_FIRST" + type: "time" + ipfix: "0/152" + value: "first time stamp" + - + name: "TIME_LAST" + type: "time" + ipfix: "0/153" + value: "last time stamp" + - + name: "PACKETS" + type: "uint32" + ipfix: "0/2" + value: "number of packets in data flow (src to dst)" + - + name: "PACKETS_REV" + type: "uint32" + ipfix: "29305/2" + value: "number of packets in data flow (dst to src)" + - + name: "DST_PORT" + type: "uint16" + ipfix: "0/11" + value: "transport layer destination port" + - + name: "SRC_PORT" + type: "uint16" + ipfix: "0/7" + value: "transport layer source port" + - + name: "DIR_BIT_FIELD" + type: "uint8" + ipfix: "0/10" + value: "bit field for determining outgoing/incoming traffic" + - + name: "PROTOCOL" + type: "uint8" + ipfix: "0/60" + value: "transport protocol" + - + name: "TCP_FLAGS" + type: "uint8" + ipfix: "0/6" + value: "TCP protocol flags (src to dst)" + - + name: "TCP_FLAGS_REV" + type: "uint8" + ipfix: "29305/6" + value: "TCP protocol flags (dst to src)" +--- \ No newline at end of file 
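Review bot: docs/_export/basic.md lists PROTOCOL with `ipfix: "0/60"`, but in the IANA IPFIX registry element 60 is ipVersion and protocolIdentifier is element 4, so either the number or the description 'transport protocol' is wrong here. Please check which element ID the exporter actually emits for this field and make the page match, since collectors map templates by these numbers.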
diff --git a/docs/_export/basic_plus.md b/docs/_export/basic_plus.md new file mode 100644 index 00000000..98f75a33 --- /dev/null +++ b/docs/_export/basic_plus.md @@ -0,0 +1,60 @@ +--- +title: Basic plus +description: List of unirec fields exported together with basic flow fields on interface by basicplus plugin. Fields without _REV suffix are fields from source flow. Fields with _REV are from the opposite direction. +fields: + - + name: "IP_TTL" + type: "uint8" + ipfix: "0/192" + value: "IP TTL field" + - + name: "IP_TTL_REV" + type: "uint8" + ipfix: "29305/192" + value: "IP TTL field" + - + name: "IP_FLG" + type: "uint8" + ipfix: "0/197" + value: "IP FLAGS" + - + name: "IP_FLG_REV" + type: "uint8" + ipfix: "29305/197" + value: "IP FLAGS" + - + name: "TCP_WIN" + type: "uint16" + ipfix: "0/186" + value: "TCP window size" + - + name: "TCP_WIN_REV" + type: "uint16" + ipfix: "29305/186" + value: "TCP window size" + - + name: "TCP_OPT" + type: "uint64" + ipfix: "0/209" + value: "TCP options bitfield" + - + name: "TCP_OPT_REV" + type: "uint64" + ipfix: "29305/209" + value: "TCP options bitfield" + - + name: "TCP_MSS" + type: "uint32" + ipfix: "8057/900" + value: "TCP maximum segment size" + - + name: "TCP_MSS_REV" + type: "uint32" + ipfix: "8057/901" + value: "TCP maximum segment size" + - + name: "TCP_SYN_SIZE" + type: "uint16" + ipfix: "8057/902" + value: "TCP SYN packet size" +--- \ No newline at end of file diff --git a/docs/_get_options/_defaults.md b/docs/_get_options/_defaults.md new file mode 100644 index 00000000..9e20ae37 --- /dev/null +++ b/docs/_get_options/_defaults.md @@ -0,0 +1,5 @@ +--- +title: +description: +code: +--- \ No newline at end of file diff --git a/docs/_get_options/a_rhel_packages.md b/docs/_get_options/a_rhel_packages.md new file mode 100644 index 00000000..5a8dec4b --- /dev/null +++ b/docs/_get_options/a_rhel_packages.md 
@@ -0,0 +1,17 @@ +--- +title: Get ipfixprobe from repository! +description: We use COPR infrastructure to build and serve ipfixprobe packages. Currently, we generate RPM packages for RHEL-based distributions + +instructions: + - + description: "Install copr repository." + code: + - "dnf install -y dnf-plugins-core && dnf copr -y enable @CESNET/NEMEA" + + - + description: "After succesfull instalation of COPR, you can install the ipfixprobe via yum or dnf." + code: + - "dnf install ipfixprobe" + + +--- \ No newline at end of file diff --git a/docs/_get_options/build_from_source.md b/docs/_get_options/build_from_source.md new file mode 100644 index 00000000..0c408d80 --- /dev/null +++ b/docs/_get_options/build_from_source.md 
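Review bot: typos in docs/_get_options/a_rhel_packages.md: 'succesfull instalation' should be 'successful installation', and the description sentence ending 'RHEL-based distributions' is missing its full stop.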
@@ -0,0 +1,33 @@ +--- +title: Build ipfixprobe from source! +description: You can build ipfixprobe from source codes available at github. + +instructions: + - + description: "Install requirements" + code: + - "yum -y install wget curl net-tools gcc gcc-c++ git libtool libpcap-devel libunwind libssl-devel libpcap-devel" + - + description: "Now get the ipfixprobe source codes" + code: + - "git clone https://github.com/CESNET/ipfixprobe.git" + - cd ipfixprobe + - autoreconf -i + - + description: "Ipfixprobe uses autotools to setup the build process. We encourage you to explore ./configure.sh -h to see all the available options. Nevertheless, for standard (max 1Gbps) network monitoroing without any specialized tools, you should use following configuration." + code: + - "./configure.sh --with-pcap --with-quic --with-unwind" + - + description: "Then just make the ipfixprobe and install it. You might need root privileges for installation." + code: + - "make -j 2" + - "sudo make install" + + - + description: "Optional NEMEA plugin. Ipfixprobe can export data directly to NEMEA framework. If you want to use this feature, you need to install NEMEA dependencies and enable this feature in autotools script." + code: + - "dnf install libtrap-devel unirec-devel" + - "./configure.sh --with-pcap --with-quic --with-unwind --with-nemea" + - "make -j 2" + - sudo make install +--- \ No newline at end of file diff --git a/docs/_how/Input plugin.md b/docs/_how/Input plugin.md new file mode 100644 index 00000000..9a68b2dc --- /dev/null +++ b/docs/_how/Input plugin.md 
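Review bot: the requirements line in docs/_get_options/build_from_source.md needs attention: `libpcap-devel` appears twice, `libssl-devel` is not a RHEL/Fedora package name (the development package is `openssl-devel`), `libunwind` alone does not provide the headers needed for `--with-unwind` (use `libunwind-devel`), and `autoconf`, `automake` and `make` are not listed although the next steps run `autoreconf -i` and `make`. The later steps invoke `./configure.sh`, but autoreconf generates `./configure`; check the script name against the repository. Minor: 'monitoroing' (monitoring), 'Ipfixprobe' should be 'ipfixprobe' as elsewhere on the site, and the NEMEA step switches from `yum` to `dnf`.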
@@ -0,0 +1,132 @@ +--- +title: Input plugin +description: Input plugin defines source of incoming packets. Use -i to specify input plugin. + +options: + - + title: "Pcap reader" + description: "Input plugin for reading packets from a pcap file or a network interface" + parameters: + - + name: "f or file" + description: "Defines path to pcap file." + - + name: "i or ifc" + description: "Defines interface name." + - + name: "F or filter" + description: "Defines filter string." + - + name: "s or snaplen" + description: "Defines snapshot length in bytes (live capture only)." + - + name: "l or list" + description: "Print list of available interfaces." + runs: + - + explanation: "Read the pcap file specified by PATH value. Possible PATH value 'pcaps/bstats.pcap' " + code: "./ipfixprobe -i 'pcap;file=PATH;' -s 'cache'" + - + explanation: "Read packets from interface specified by IFC value. Possible IFC value 'eth0'" + code: "./ipfixprobe -i 'pcap;i=IFC;' -s 'cache'" + - + title: "DPDK" + description: "Input plugin for reading packets using DPDK interface" + parameters: + - + name: "b or bsize" + description: "Size of the MBUF packet buffer. Default: 64." + - + name: "p or port" + description: "DPDK port to be used as an input interface." + - + name: "m or mem" + description: "Size of the memory pool for received packets. Default: 16384." + - + name: "q or queue" + description: "Number of RX queues. Default: 1." + - + name: "e or eal" + description: "DPDK eal." + - + name: "M or mtu" + description: "Input interface MTU. Default: 1518." + runs: + - + explanation: "Read packets using DPDK input interface and 1 DPDK queue, enable plugins for basic statistics, http and tls, output to IPFIX on a local machine + DPDK EAL parameters are passed in `e, eal` parameters + DPDK plugin configuration has to be specified in the first input interface. + The following `dpdk` interfaces are given without parameters; their configuration is inherited from the first one. 
+ Example for the queue of 3 DPDK input plugins (q=3): " + code: "./ipfixprobe -i 'dpdk;p=0;q=3;e=-c 0x1 -a <[domain:]bus:devid.func>' -i dpdk -i dpdk -p http -p bstats -p tls -o 'ipfix;h=127.0.0.1'" + - + explanation: "Same example for the multiport read from ports 0 and 1, note comma separated ports:" + code: "./ipfixprobe -i 'dpdk;p=0,1;q=3;e=-c 0x1 -a <[domain:]bus:devid.func>' -i dpdk -i dpdk -p http -p bstats -p tls -o 'ipfix;h=127.0.0.1'" + - + title: "DPDK-ring" + description: "DPDK ring input interface for ipfixprobe (secondary DPDK app)." + parameters: + - + name: "b or bsize" + description: "Size of the MBUF packet buffer. Default: 64." + - + name: "r or ring" + description: "Name of the ring to read packets from. Need to be specified explicitly thus no default provided." + - + name: "e or eal" + description: "DPDK eal." + runs: + - + explanation: "Read packets using DPDK input interface as secondary process with shared memory (DPDK rings) - in this case, 4 DPDK rings are used" + code: "./ipfixprobe -i 'dpdk-ring;r=rx_ipfixprobe_0;e= --proc-type=secondary' -i 'dpdk-ring;r=rx_ipfixprobe_1' -i 'dpdk-ring;r=rx_ipfixprobe_2' -i 'dpdk-ring;r=rx_ipfixprobe_3' -o 'text'" + - + title: "Raw" + description: "Input plugin for reading packets from raw interface" + parameters: + - + name: "i or ifc" + description: "Defines network interface name." + - + name: "b or blocks" + description: "Defines number of packet blocks." + - + name: "f or fanout" + description: "Enables packet fanout." + - + name: "p or pkts" + description: "Defines number of packets in block." + - + name: "l or list" + description: "Print list of available interfaces." + runs: + - + explanation: "Read packets from interface specified by IFC value. Possible IFC value 'eth0'" + code: "./ipfixprobe -i 'raw;ifc=IFC;' -s 'cache'" + - + title: "Benchmark" + description: "Input plugin for various benchmarking purposes." 
+ parameters: + - + name: "m or mode" + description: "Defines benchmark mode: 1f (1x N-packet flow) or nf (Nx 1-packet flow)." + - + name: "S or seed" + description: "Defines string seed for random generator." + - + name: "d or duration" + description: "Defines duration in seconds." + - + name: "p or count" + description: "Defines packet count." + - + name: "s or size" + description: "Defines packet size." + - + name: "I or id" + description: "Defines link identifier number." + runs: + - + explanation: "Read packets from interface specified with DPDK ports 0 and 1" + code: "`./ipfixprobe -i 'dpdk;p=0,1;' -s 'cache'" + +--- \ No newline at end of file diff --git a/docs/_how/output plugin.md b/docs/_how/output plugin.md new file mode 100644 index 00000000..349c290c --- /dev/null +++ b/docs/_how/output plugin.md 
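Review bot: the only run example under the Benchmark plugin in docs/_how/Input plugin.md (`code: "`./ipfixprobe -i 'dpdk;p=0,1;' -s 'cache'"`) is a DPDK invocation with a stray leading backtick and exercises none of the benchmark parameters listed just above it; replace it with a `benchmark;...` invocation that uses the documented `mode`, `count`, `size` and `duration` options. In the DPDK section the `e or eal` parameter is described only as 'DPDK eal'; the run examples show it carries the EAL argument string (`e=-c 0x1 -a <[domain:]bus:devid.func>`), which is worth saying in the parameter description.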
@@ -0,0 +1,88 @@ +--- +title: Output plugin +description: Output plugin defines how flows are expoted. Use -o to specify output plugin. + +options: +- + title: "Text" + description: "Provides human readable output to the terminal or file." + parameters: + - + name: "f or file" + description: "Defines path to savefile to write output in instead of stdout." + - + name: "m or mac" + description: "Boolean flag. Mac addresses are hidden if set." + + runs: + - + explanation: "Print expoted flows to the terminal without mac adresses " + code: "./ipfixprobe -o 'text;mac'-i 'pcap;file=...;' -s 'cache'" + - + explanation: "Print expoted flows to the FILE" + code: "./ipfixprobe -o 'text;f=FILE'-i 'pcap;file=...;' -s 'cache'" +- + title: "IPFIX" + description: "Exports data in the IPFIX format" + parameters: + - + name: "h or host" + description: "Defines ip address of remote collector." + - + name: "p or port " + description: "Defines collector port to send data to." + - + name: "m or mtu" + description: "Defines maximum size of ipfix packet payload sent." + - + name: "u or udp" + description: "Boolean flag. UDP is used if set." + - + name: "n or non-blocking-tcp" + description: "Boolean flag. Non-blocking-tcp socket is used if set." + - + name: "I or id" + description: "Defines exporter id." + - + name: "t or template" + description: "Defines template refresh rate in seconds." + runs: + - + explanation: "Send exported data to the localhost using UDP as an exporter 3." + code: "./ipfixprobe -o 'ipfix;h=127.0.0.1,u,I=3'-i 'pcap;file=...;' -s 'cache'" + - + explanation: "Send exported data to the localhost:4739 using non-blocking tcp as an exporter 3 with maximal transfer unit set to 2000." + code: "./ipfixprobe -o 'ipfix;h=127.0.0.1,p=4739,n,mtu=2000'-i 'pcap;file=...;' -s 'cache'" +- + title: "UNIREC" + description: "Exports data in the UNIREC format" + parameters: + - + name: "i or ifc" + description: "Defines unirec interface to use." 
+ - + name: "p or plugins" + description: "Defines plugin-interface mapping. Plugins can be grouped like '(p1,p2,p3),p4,(p5,p6)." + - + name: "o or odid" + description: "Boolean flag.If set exports ODID field." + - + name: "e or eof" + description: "Boolean flag.If set sends eof messag on exit." + - + name: "I or id" + description: "Defines exporter id." + - + name: "h or help" + description: "Prints libtrap help." + runs: + - + explanation: "Send exported data to the Unix socket 'ipfixprobe'" + code: "./ipfixprobe -o 'unirec;i=u:ipfixprobe'-i 'pcap;file=...;' -s 'cache'" + - + explanation: "Same as previous, but should be used with small pcap files to avoid not sending data" + code: "./ipfixprobe -o 'unirec;i=u:ipfixprobe:timeout=WAIT:buffer=off'-i 'pcap;file=...;' -s 'cache'" + - + explanation: "Save exported data to the data.trapcap" + code: "./ipfixprobe -o 'unirec;i=f:data.trapcap'-i 'pcap;file=...;' -s 'cache'" +--- \ No newline at end of file diff --git a/docs/_how/storage plugin.md b/docs/_how/storage plugin.md new file mode 100644 index 00000000..1d182936 --- /dev/null +++ b/docs/_how/storage plugin.md 
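Review bot: every code example in docs/_how/output plugin.md is missing the space between the output spec and `-i` (`-o 'text;mac'-i 'pcap;file=...;' -s 'cache'`), which will not parse as intended; insert the space. The IPFIX examples separate plugin parameters with commas (`'ipfix;h=127.0.0.1,u,I=3'`) while all other examples on the page use semicolons; use whichever separator the option parser accepts, consistently. Typos: 'expoted' (twice), 'adresses', 'messag', and 'Boolean flag.If set' needs a space after the full stop (twice).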
@@ -0,0 +1,32 @@ +--- +title: Storage plugin +description: Storage plugin defines how flows are internally stored. Use -s to specify storage plugin. + +options: +- + title: "Cache" + description: "Currently only available plugin. Hash table is used to keep flows. Hash table is divided into rows. Each row is managed as LRU. " + parameters: + - + name: "s or size" + description: "Defines count of flows that are kept in the cache at once. Cache size is 2s." + - + name: "l or line" + description: "Defines length of the cache line. Line length is 2l." + - + name: "a or active" + description: "Defines active timeout. When there is a flow, that is active for more than -a seconds, its exported." + - + name: "i or inactive" + description: "Defines inactive timeout. When there is a flow, that is inactive for more than -i seconds, its exported." + - + name: "S or split " + description: "Boolean flag. Defines if the bidirectional flow between two nodes is splitted into 2 separate unidirectional flows." + - + name: "fe/frag-enable, fs/frag-size, ft/frag-timeout" + description: "Used to enable completing fragmented packets into one packet. Framentation cache size is fs and timeout to consider fragments belong to same packet is ft." + runs: + - + explanation: "Store flows using 'cache' " + code: "./ipfixprobe -s 'cache' -i 'pcap;file=PATH;'" +--- \ No newline at end of file diff --git a/docs/_includes/list-posts.html b/docs/_includes/list-posts.html new file mode 100644 index 00000000..0dd91fa9 --- /dev/null +++ b/docs/_includes/list-posts.html @@ -0,0 +1,10 @@ +{% for post in include.posts %} +
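Review bot: in docs/_how/storage plugin.md the sizes lost their exponents: 'Cache size is 2s' and 'Line length is 2l' should read 2^s and 2^l (the parameters are powers-of-two exponents), otherwise readers will size the flow cache wrongly. Also 'its exported' should be 'it is exported' (twice), 'splitted' should be 'split', 'Framentation' should be 'Fragmentation', and the fragment parameters are listed as 'fe/frag-enable, fs/frag-size, ft/frag-timeout' where the rest of the page uses the 'x or name' form.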
  • +

    {{ post.title }}

    + {% include post-title.html post=post %} +
    + {{ post.excerpt }} + +
    +
  • +{% endfor %} diff --git a/docs/_includes/navigation.html b/docs/_includes/navigation.html new file mode 100644 index 00000000..19153d82 --- /dev/null +++ b/docs/_includes/navigation.html @@ -0,0 +1,15 @@ + diff --git a/docs/_includes/post-title.html b/docs/_includes/post-title.html new file mode 100644 index 00000000..ce63dfee --- /dev/null +++ b/docs/_includes/post-title.html @@ -0,0 +1,10 @@ +

    + {% for category in include.post.categories %} + + {{ category | capitalize }} + + {% endfor %} + {% if include.post.date %} + + {% endif %} +

    diff --git a/docs/_includes/relative-src.html b/docs/_includes/relative-src.html new file mode 100644 index 00000000..fb32308f --- /dev/null +++ b/docs/_includes/relative-src.html @@ -0,0 +1 @@ +{% assign prefix = include.src | slice: 0, 2 %}{% assign protocol = include.src | slice: 0, 4 %}{% unless protocol == 'http' or prefix == "//" %}{{ site.baseurl }}{% endunless %}{{ include.src }} diff --git a/docs/_includes/social-icon.html b/docs/_includes/social-icon.html new file mode 100644 index 00000000..052a4c19 --- /dev/null +++ b/docs/_includes/social-icon.html @@ -0,0 +1,20 @@ +{% case include.icon %} + {% when "Facebook" %} + + {% when "Instagram" %} + + {% when "LinkedIn" %} + + {% when "Pinterest" %} + + {% when "Tumblr" %} + + {% when "Twitter" %} + + {% when "YouTube" %} + + {% when "RSS" %} + + {% when "GitHub" %} + +{% endcase %} diff --git a/docs/_layouts/archive.html b/docs/_layouts/archive.html new file mode 100644 index 00000000..4e8073ce --- /dev/null +++ b/docs/_layouts/archive.html @@ -0,0 +1,23 @@ +--- +layout: page +--- + +
    + {% assign blog = site.pages | where: "path", "blog/index.html" | first %} + + {% if blog.title %} +

    {{ blog.title }}

    + {% endif %} + + {% if blog.description %} +

    {{ blog.description }}

    + {% endif %} + + + +
      + {% include list-posts.html posts=page.posts %} +
    +
    diff --git a/docs/_layouts/default.html b/docs/_layouts/default.html new file mode 100644 index 00000000..19664e4a --- /dev/null +++ b/docs/_layouts/default.html @@ -0,0 +1,58 @@ + + + + + + + + {% seo %} + {% feed_meta %} + + + + + {% if jekyll.environment == 'production' and site.google_analytics_key != '' %} + + + {% endif %} + + +
    +
    +
    Hydra Logo
    + {% include navigation.html %} +
    +
    + {{ content }} + + + + diff --git a/docs/_layouts/page.html b/docs/_layouts/page.html new file mode 100644 index 00000000..1a1c7373 --- /dev/null +++ b/docs/_layouts/page.html @@ -0,0 +1,18 @@ +--- +layout: default +--- +
    +
    +
    + {% if page.heading %} +

    {{ page.heading }}

    + {% elsif page.title and page.layout != 'archive' %} +

    {{ page.title }}

    + {% endif %} + {% if page.description %} +

    {{ page.description }}

    + {% endif %} + {{ content }} +
    +
    +
    diff --git a/docs/_layouts/post.html b/docs/_layouts/post.html new file mode 100644 index 00000000..3617143d --- /dev/null +++ b/docs/_layouts/post.html @@ -0,0 +1,37 @@ +--- +layout: page +--- +
    + {% include post-title.html post=page %} +
    + {{ content }} + +
    + {% if page.previous.url %} + + {% endif %} + {% if page.next.url %} + + {% endif %} +
    + + {% if site.disqus_shortname and page.comments %} +
    + + + {% endif %} +
    +
    diff --git a/docs/_sass/blog.scss b/docs/_sass/blog.scss new file mode 100644 index 00000000..cbae2baa --- /dev/null +++ b/docs/_sass/blog.scss @@ -0,0 +1,125 @@ +.blog-posts { + list-style: none; + padding: 0; + + li { + margin: 100px 0; + } +} + +.blog-post { + .author { + padding: 30px 0 0 0; + border: 1px solid #eee; + margin: 30px 0; + font-size: .8em; + + .square-image { + width: 125px; + height: 125px; + margin-top: 0; + } + .blurb { + text-align: center; + } + } + + h3 { + margin: 0; + a { + color: #000; + text-decoration: none; + font-weight: normal; + font-size: 1.3em; + } + } + + h2 { + text-align: left; + } + + .blog-navigation { + font-size: 14px; + display: block; + width: auto; + overflow: hidden; + a { + display: block; + width: 50%; + float: left; + margin: 1em 0; + } + + .next { + text-align: right; + } + } + + .post-details { + border-bottom: 1px solid #eee; + font-size: .9em; + + .blog-filter { + display: inline-block; + text-align: left; + + a { + position: relative; + top: -5px; + } + } + + a { + text-decoration: none; + } + + .post-date { + float: right; + } + + &:after { + content: ""; + display: table; + clear: both; + } + } + + .post-content { + .button { + margin: 30px 0 0 0; + } + } +} + +.pagination { + text-align: center; +} + +.blog-filter { + text-align: center; + a { + background: #eee; + padding: 3px 5px; + font-size: .8em; + border-radius: 5px; + color: #888; + transition: .2s ease-in-out; + + &:hover { + color: #555; + text-decoration: none; + } + } +} + +.blog-filter.cross a { + padding-right: 8px; + + &:after { + content: "x"; + font-size: .5em; + position: relative; + bottom: 4px; + right: -3px; + } +} diff --git a/docs/_sass/cloudcannon.scss b/docs/_sass/cloudcannon.scss new file mode 100644 index 00000000..0c27b69c --- /dev/null +++ b/docs/_sass/cloudcannon.scss 
@@ -0,0 +1,37 @@ +.editor-link, .nav-open nav .editor-link { + display: none; + margin-top: 0; + + .btn { + border: 0; + border-radius: 2px; + width: 100%; + max-width: 500px; + box-sizing: border-box; + font-size: 2rem; + text-decoration: none; + padding: 10px 15px; + margin: 0; + font-size: 18px; + } + + nav &, .btn { + cursor: pointer; + background-color: #f7e064; + color: #333; + box-shadow: 1px 1px 5px 0 rgba(0, 0, 0, 0.2); + + &:hover { + background-color: #f4d525; + color: #333; + } + } +} + +.cms-editor-active .editor-link { + display: block; +} + +.cms-editor-active nav .editor-link { + display: inline; +} diff --git a/docs/_sass/contact.scss b/docs/_sass/contact.scss new file mode 100644 index 00000000..dbf6d065 --- /dev/null +++ b/docs/_sass/contact.scss @@ -0,0 +1,19 @@ +.map { + width: 100%; + margin: 100px 0; + height: 400px; +} + +.contact-box { + max-width: 750px; + margin: 0 auto; + text-align: center; + + form { + width: 100% + } + + p { + margin: 0; + } +} diff --git a/docs/_sass/developer.scss b/docs/_sass/developer.scss new file mode 100644 index 00000000..b65022ce --- /dev/null +++ b/docs/_sass/developer.scss @@ -0,0 +1,27 @@ + + +hr { + margin-top: 10px; + width: 100%; + } +table { + border-collapse: collapse; + width: 100%; + } +th, td { + border: 1px solid black; + padding: 8px; + text-align: left; + } +.hidden { + display: none; + } +.clickable { + cursor: pointer; + padding: 0.2em; + } +.clickable:hover { + color: #D3163C; + background-color: #CCCCCC; + padding: 0.2em; + } \ No newline at end of file diff --git a/docs/_sass/elements.scss b/docs/_sass/elements.scss new file mode 100644 index 00000000..a55f7414 --- /dev/null +++ b/docs/_sass/elements.scss 
@@ -0,0 +1,56 @@ +html { + background: #2b2b40; +} + +html, body { + margin: 0; + padding: 0; +} + +body { + font-family: "San Francisco", "Helvetica Neue", "Helvetica", "Arial"; + word-wrap:break-word; +} + +table { + overflow-x: scroll; + display:block; +} + +a { + color: #00a4ca; + text-decoration: none; +} + +a:hover { + text-decoration: underline; +} + +h1 strong, h2 strong { + font-weight: 700; +} + +h1 { + font-weight: 300; + font-size: 2.3em; + margin: 0; +} + +h2 { + font-weight: 300; + font-size: 2.2em; + margin: 0 0 13px 0; +} + +h3 { + margin: 20px 0 10px 0; +} + + +p, address { + font-size: 1.1em; + color: #666; + margin-bottom: 20px; + font-weight: 300; + line-height: 1.4em; +} diff --git a/docs/_sass/footer.scss b/docs/_sass/footer.scss new file mode 100644 index 00000000..a0206997 --- /dev/null +++ b/docs/_sass/footer.scss 
@@ -0,0 +1,121 @@ +.footer-links { + width: 100%; + margin: 10px; + padding: 0; + + @media #{$tablet} { + -webkit-flex: 1 0 180px; + flex: 1 0 180px; + } + + li { + list-style: none; + margin: 15px auto; + + @media #{$tablet} { + max-width: 150px; + } + a { + + &:hover { + text-decoration: none; + } + svg { + fill: #999; + margin-right: 10px; + transition: fill 0.2s ease; + vertical-align: middle; + position: relative; + top: -2px; + width: 22px; + height: 22px; + } + + &:hover svg { + fill: #fff; + } + + &.twitter-icon:hover svg { + fill: #55acee; + } + + &.google-plus-icon:hover svg { + fill: #db4437; + } + + &.youtube-icon:hover svg { + fill: #cd201f; + } + + &.instagram-icon:hover svg { + fill: #f167f5; + } + + &.linkedin-icon:hover svg { + fill: #0077b5; + } + + &.pinterest-icon:hover svg { + fill: #bd081c; + } + + &.rss-icon:hover svg { + fill: #f26522; + } + } + } +} + +footer { + padding: 50px 0 50px 0; + font-size: 1.1em; + position: relative; + background: $footer-color; + color: #fff; + + .copyright { + font-size: .8em; + margin: 0 auto; + + @media #{$tablet} { + text-align: center; + } + + } + + &, + a { + color: #999; + } + + h2 { + font-size: 1.4em; + margin: 30px 0; + color: #ccc; + } + + .footer-columns { + @extend %flexbox; + @include flex-flow(wrap); + margin: -10px -10px 10px -10px; + } + + a { + text-decoration: none; + + &:hover { + color: #fff; + } + } + + .legal-line { + width: 100%; + padding: 30px 0; + margin: 0; + background-color: #222527; + + a { + font-weight: 600; + } + } +} diff --git a/docs/_sass/forms.scss b/docs/_sass/forms.scss new file mode 100644 index 00000000..0011e06d --- /dev/null +++ b/docs/_sass/forms.scss 
@@ -0,0 +1,67 @@ +.button a, input[type=submit] { + color: #fff; + text-decoration: none; + padding: 10px 30px; + background: $brand-color; + border-radius: 3px; + border: 1px solid rgba(255,255,255,.5); + transition: .2s ease-in-out; +} + +.button a:hover, input[type=submit]:hover { + border: 1px solid #fff; + background: $secondary-brand-color; + cursor: pointer; +} + +.button.alt a { + background: rgba(255,255,255,0.15); + border-radius: 3px; + border: 1px solid rgba(255, 255, 255, 0.3); + padding: 16px 50px; +} + +.button.alt a:hover { + background: #fff; + color: $brand-color; +} + +textarea, input, button, select { font-family: inherit; font-size: inherit; } + +input[type=submit] { + margin: 20px 0 0 0; +} + +label, input, textarea { + display: block; + width: 100%; + box-sizing: border-box; +} + +textarea { + resize: vertical; + height: 150px; +} + +label { + margin: 20px 0 5px 0; +} + +input, textarea { + padding: 10px; + font-size: 1em; +} + +input, textarea { + -webkit-transition: all 0.30s ease-in-out; + -moz-transition: all 0.30s ease-in-out; + -ms-transition: all 0.30s ease-in-out; + -o-transition: all 0.30s ease-in-out; + outline: none; + border: 1px solid #DDDDDD; +} + +input[type=text]:focus, input[type=email]:focus, input[type=password]:focus, textarea:focus { + box-shadow: 0 0 5px rgba(81, 203, 238, 1); + border: 1px solid rgba(81, 203, 238, 1); +} diff --git a/docs/_sass/get_options.scss b/docs/_sass/get_options.scss new file mode 100644 index 00000000..ba683115 --- /dev/null +++ b/docs/_sass/get_options.scss @@ -0,0 +1,8 @@ + + +section span { + background-color: #eee; + border: 1px solid #999; + display: block; + padding: 20px; + } \ No newline at end of file diff --git a/docs/_sass/how.scss b/docs/_sass/how.scss new file mode 100644 index 00000000..41e290cb --- /dev/null +++ b/docs/_sass/how.scss 
@@ -0,0 +1,28 @@ + + +section span { + background-color: #eee; + border: 1px solid #999; + display: block; + padding: 20px; + margin-bottom: 10px; + } + +p { + font-weight: normal; + margin: 0px; + } + +hr { + margin-top: 10px; + width: 100%; + } +ul, ol { + margin: 0.25em 0 0 0; + + } + +h2 { + font-size: 1.5em; + margin: 0.5em 0 0.5em 0; + } \ No newline at end of file diff --git a/docs/_sass/landing-page.scss b/docs/_sass/landing-page.scss new file mode 100644 index 00000000..581b6978 --- /dev/null +++ b/docs/_sass/landing-page.scss @@ -0,0 +1,63 @@ +.bottom-cta { + background: linear-gradient(to bottom, $brand-color 0%, $middle-gradient-color 100%); + color: #fff; + text-align: center; + margin: 0; + padding: 100px 0; + + h2 { + margin-bottom: 50px; + } +} + +.testimonial { + background: #f5f5f5; + margin: 0; + padding: 100px 0; + + .testimonial-block { + max-width: 750px; + width: 98%; + margin: 0 auto; + + @media #{$tablet} { + @include flexbox; + + blockquote { + -webkit-flex: 1; + flex: 1; + } + } + } +} + +.hero { + color: #ffffff; + text-align: center; + background: linear-gradient(to bottom, $middle-gradient-color 0%, $secondary-brand-color 100%) no-repeat #a05fb7; + padding-top: 50px; + + p { + color: #fff; + } +} + + + +@media #{$desktop} { + .flex { + @include flexbox; + align-items: center; + flex-direction: row; + + .text, .image { + -webkit-flex: 1; + flex: 1; + padding: 0 20px; + } + } + + .content section:nth-child(even) .flex { + flex-direction: row-reverse; + } +} diff --git a/docs/_sass/layout.scss b/docs/_sass/layout.scss new file mode 100644 index 00000000..8467ba8e --- /dev/null +++ b/docs/_sass/layout.scss 
@@ -0,0 +1,174 @@ +.container, .text-container { + margin: 0 auto; + position: relative; + padding: 0 20px; +} + +.text-container { + max-width: 750px; +} + +.container { + max-width: 1140px; + + &.max-container { + max-width: 100%; + padding: 0; + } +} + +header { + color: #fff; + padding: 20px 0; + background: $brand-color; /* Old browsers */ + background: linear-gradient(to bottom, $brand-color 0%, $middle-gradient-color 100%) no-repeat $brand-color; + + a { + color: #fff; + text-decoration: none; + z-index: 1; + position: relative; + + &:hover { + text-decoration: none; + } + } + + .company-name { + font-size: 1.7em; + line-height: 0; + + a { + display: inline-block; + } + + img { + display: block; + width: auto; + } + } +} + +.content { + background: #fff; + padding: 1px 0 0 0; + position: relative; +} + +.screenshot{ + max-width: 100%; + height: auto; + display: block; + box-shadow: 0 1px 0 #ccc, 0 1px 0 1px #eee; + border-radius: 2px; + margin-left: auto; + margin-right: auto; + background: #DDD url('data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20width%3D%2244%22%20height%3D%2212%22%20viewBox%3D%220%200%2044%2012%22%3E%3Ccircle%20cx%3D%226%22%20cy%3D%226%22%20r%3D%224%22%20fill%3D%22%23eee%22%20%2F%3E%3Ccircle%20cx%3D%2222%22%20cy%3D%226%22%20r%3D%224%22%20fill%3D%22%23eee%22%20%2F%3E%3Ccircle%20cx%3D%2238%22%20cy%3D%226%22%20r%3D%224%22%20fill%3D%22%23eee%22%20%2F%3E%3C%2Fsvg%3E') 4px 4px no-repeat; + padding: 20px 0 0 0; + position: relative; +} + +section { + padding: 100px 0; +} + +section + section { + padding-top: 0; +} + +.subtext { + margin-top: 10px; + text-align: center; +} + + +.cta { + margin: 60px 0; +} + +.page h2 { + text-align: center; +} + +blockquote { + padding: 18px 25px; + margin: 0; + quotes: "\201C""\201D""\2018""\2019"; + font-style: italic; + + .author { + display: block; + font-weight: bold; + margin: 10px 0 0 0; + font-size: .85em; + font-style: normal; + } + + p { + display: inline; + } +} + 
+blockquote:before { + color: #ccc; + content: open-quote; + font-size: 4em; + line-height: 0.1em; + margin-right: 0.25em; + vertical-align: -0.4em; +} + +.square-image { + width: 150px; + height: 150px; + overflow: hidden; + margin: 25px auto 0 auto; + position: relative; + border-radius: 200px; + + img { + position: absolute; + left: -1000%; + right: -1000%; + top: -1000%; + bottom: -1000%; + margin: auto; + width: 300px; + } +} + +.page { + margin-bottom: 0; + padding-bottom: 80px; +} + +.center-text { + text-align: center; +} + +.editor-link { + display: none; + margin-top: 0; + .btn { + border: 0; + border-radius: 2px; + width: 100%; + max-width: 500px; + box-sizing: border-box; + font-size: 2rem; + text-decoration: none; + padding: 10px 15px; + margin: 0; + font-size: 18px; + cursor: pointer; + background-color: #f7e064; + color: #333; + box-shadow: 1px 1px 5px 0 rgba(0, 0, 0, 0.2); + + &:hover { + background-color: #f4d525; + color: #333; + } + } + +} diff --git a/docs/_sass/mixins/columns.scss b/docs/_sass/mixins/columns.scss new file mode 100644 index 00000000..010eae98 --- /dev/null +++ b/docs/_sass/mixins/columns.scss @@ -0,0 +1,5 @@ +@mixin columns($value) { + columns: $value; + -webkit-columns: $value; + -moz-columns: $value; +} diff --git a/docs/_sass/mixins/flexbox.scss b/docs/_sass/mixins/flexbox.scss new file mode 100644 index 00000000..92a03fd2 --- /dev/null +++ b/docs/_sass/mixins/flexbox.scss 
@@ -0,0 +1,394 @@ +// Flexbox Mixins +// http://philipwalton.github.io/solved-by-flexbox/ +// https://github.com/philipwalton/solved-by-flexbox +// +// Copyright (c) 2013 Brian Franco +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to +// permit persons to whom the Software is furnished to do so, subject to +// the following conditions: +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +// +// This is a set of mixins for those who want to mess around with flexbox +// using the native support of current browsers. 
For full support table +// check: http://caniuse.com/flexbox +// +// Basically this will use: +// +// * Fallback, old syntax (IE10, mobile webkit browsers - no wrapping) +// * Final standards syntax (FF, Safari, Chrome, IE11, Opera) +// +// This was inspired by: +// +// * http://dev.opera.com/articles/view/advanced-cross-browser-flexbox/ +// +// With help from: +// +// * http://w3.org/tr/css3-flexbox/ +// * http://the-echoplex.net/flexyboxes/ +// * http://msdn.microsoft.com/en-us/library/ie/hh772069(v=vs.85).aspx +// * http://css-tricks.com/using-flexbox/ +// * http://dev.opera.com/articles/view/advanced-cross-browser-flexbox/ +// * https://developer.mozilla.org/en-us/docs/web/guide/css/flexible_boxes + +//---------------------------------------------------------------------- + +// Flexbox Containers +// +// The 'flex' value causes an element to generate a block-level flex +// container box. +// +// The 'inline-flex' value causes an element to generate a inline-level +// flex container box. +// +// display: flex | inline-flex +// +// http://w3.org/tr/css3-flexbox/#flex-containers +// +// (Placeholder selectors for each type, for those who rather @extend) + +@mixin flexbox { + display: -webkit-box; + display: -webkit-flex; + display: -moz-flex; + display: -ms-flexbox; + display: flex; +} + +%flexbox { @include flexbox; } + +//---------------------------------- + +@mixin inline-flex { + display: -webkit-inline-box; + display: -webkit-inline-flex; + display: -moz-inline-flex; + display: -ms-inline-flexbox; + display: inline-flex; +} + +%inline-flex { @include inline-flex; } + +//---------------------------------------------------------------------- + +// Flexbox Direction +// +// The 'flex-direction' property specifies how flex items are placed in +// the flex container, by setting the direction of the flex container's +// main axis. This determines the direction that flex items are laid out in. 
+// +// Values: row | row-reverse | column | column-reverse +// Default: row +// +// http://w3.org/tr/css3-flexbox/#flex-direction-property + +@mixin flex-direction($value: row) { + @if $value == row-reverse { + -webkit-box-direction: reverse; + -webkit-box-orient: horizontal; + } @else if $value == column { + -webkit-box-direction: normal; + -webkit-box-orient: vertical; + } @else if $value == column-reverse { + -webkit-box-direction: reverse; + -webkit-box-orient: vertical; + } @else { + -webkit-box-direction: normal; + -webkit-box-orient: horizontal; + } + -webkit-flex-direction: $value; + -moz-flex-direction: $value; + -ms-flex-direction: $value; + flex-direction: $value; +} + // Shorter version: + @mixin flex-dir($args...) { @include flex-direction($args...); } + +//---------------------------------------------------------------------- + +// Flexbox Wrap +// +// The 'flex-wrap' property controls whether the flex container is single-line +// or multi-line, and the direction of the cross-axis, which determines +// the direction new lines are stacked in. +// +// Values: nowrap | wrap | wrap-reverse +// Default: nowrap +// +// http://w3.org/tr/css3-flexbox/#flex-wrap-property + +@mixin flex-wrap($value: nowrap) { + // No Webkit Box fallback. + -webkit-flex-wrap: $value; + -moz-flex-wrap: $value; + @if $value == nowrap { + -ms-flex-wrap: none; + } @else { + -ms-flex-wrap: $value; + } + flex-wrap: $value; +} + +//---------------------------------------------------------------------- + +// Flexbox Flow (shorthand) +// +// The 'flex-flow' property is a shorthand for setting the 'flex-direction' +// and 'flex-wrap' properties, which together define the flex container's +// main and cross axes. +// +// Values: | +// Default: row nowrap +// +// http://w3.org/tr/css3-flexbox/#flex-flow-property + +@mixin flex-flow($values: (row nowrap)) { + // No Webkit Box fallback. 
+ -webkit-flex-flow: $values; + -moz-flex-flow: $values; + -ms-flex-flow: $values; + flex-flow: $values; +} + +//---------------------------------------------------------------------- + +// Flexbox Order +// +// The 'order' property controls the order in which flex items appear within +// their flex container, by assigning them to ordinal groups. +// +// Default: 0 +// +// http://w3.org/tr/css3-flexbox/#order-property + +@mixin order($int: 0) { + -webkit-box-ordinal-group: $int + 1; + -webkit-order: $int; + -moz-order: $int; + -ms-flex-order: $int; + order: $int; +} + +//---------------------------------------------------------------------- + +// Flexbox Grow +// +// The 'flex-grow' property sets the flex grow factor. Negative numbers +// are invalid. +// +// Default: 0 +// +// http://w3.org/tr/css3-flexbox/#flex-grow-property + +@mixin flex-grow($int: 0) { + -webkit-box-flex: $int; + -webkit-flex-grow: $int; + -moz-flex-grow: $int; + -ms-flex-positive: $int; + flex-grow: $int; +} + +//---------------------------------------------------------------------- + +// Flexbox Shrink +// +// The 'flex-shrink' property sets the flex shrink factor. Negative numbers +// are invalid. +// +// Default: 1 +// +// http://w3.org/tr/css3-flexbox/#flex-shrink-property + +@mixin flex-shrink($int: 1) { + -webkit-flex-shrink: $int; + -moz-flex-shrink: $int; + -ms-flex-negative: $int; + flex-shrink: $int; +} + +//---------------------------------------------------------------------- + +// Flexbox Basis +// +// The 'flex-basis' property sets the flex basis. Negative lengths are invalid. 
+// +// Values: Like "width" +// Default: auto +// +// http://www.w3.org/TR/css3-flexbox/#flex-basis-property + +@mixin flex-basis($value: auto) { + -webkit-flex-basis: $value; + -moz-flex-basis: $value; + -ms-flex-preferred-size: $value; + flex-basis: $value; +} + +//---------------------------------------------------------------------- + +// Flexbox "Flex" (shorthand) +// +// The 'flex' property specifies the components of a flexible length: the +// flex grow factor and flex shrink factor, and the flex basis. When an +// element is a flex item, 'flex' is consulted instead of the main size +// property to determine the main size of the element. If an element is +// not a flex item, 'flex' has no effect. +// +// Values: none | || +// Default: See individual properties (1 1 0). +// +// http://w3.org/tr/css3-flexbox/#flex-property + +@mixin flex($fg: 1, $fs: null, $fb: null) { + + // Set a variable to be used by box-flex properties + $fg-boxflex: $fg; + + // Box-Flex only supports a flex-grow value so let's grab the + // first item in the list and just return that. + @if type-of($fg) == 'list' { + $fg-boxflex: nth($fg, 1); + } + + -webkit-box-flex: $fg-boxflex; + -webkit-flex: $fg $fs $fb; + -moz-box-flex: $fg-boxflex; + -moz-flex: $fg $fs $fb; + -ms-flex: $fg $fs $fb; + flex: $fg $fs $fb; +} + +//---------------------------------------------------------------------- + +// Flexbox Justify Content +// +// The 'justify-content' property aligns flex items along the main axis +// of the current line of the flex container. This is done after any flexible +// lengths and any auto margins have been resolved. Typically it helps distribute +// extra free space leftover when either all the flex items on a line are +// inflexible, or are flexible but have reached their maximum size. It also +// exerts some control over the alignment of items when they overflow the line. +// +// Note: 'space-*' values not supported in older syntaxes. 
+// +// Values: flex-start | flex-end | center | space-between | space-around +// Default: flex-start +// +// http://w3.org/tr/css3-flexbox/#justify-content-property + +@mixin justify-content($value: flex-start) { + @if $value == flex-start { + -webkit-box-pack: start; + -ms-flex-pack: start; + } @else if $value == flex-end { + -webkit-box-pack: end; + -ms-flex-pack: end; + } @else if $value == space-between { + -webkit-box-pack: justify; + -ms-flex-pack: justify; + } @else if $value == space-around { + -ms-flex-pack: distribute; + } @else { + -webkit-box-pack: $value; + -ms-flex-pack: $value; + } + -webkit-justify-content: $value; + -moz-justify-content: $value; + justify-content: $value; +} + // Shorter version: + @mixin flex-just($args...) { @include justify-content($args...); } + +//---------------------------------------------------------------------- + +// Flexbox Align Items +// +// Flex items can be aligned in the cross axis of the current line of the +// flex container, similar to 'justify-content' but in the perpendicular +// direction. 'align-items' sets the default alignment for all of the flex +// container's items, including anonymous flex items. 'align-self' allows +// this default alignment to be overridden for individual flex items. (For +// anonymous flex items, 'align-self' always matches the value of 'align-items' +// on their associated flex container.) 
+// +// Values: flex-start | flex-end | center | baseline | stretch +// Default: stretch +// +// http://w3.org/tr/css3-flexbox/#align-items-property + +@mixin align-items($value: stretch) { + @if $value == flex-start { + -webkit-box-align: start; + -ms-flex-align: start; + } @else if $value == flex-end { + -webkit-box-align: end; + -ms-flex-align: end; + } @else { + -webkit-box-align: $value; + -ms-flex-align: $value; + } + -webkit-align-items: $value; + -moz-align-items: $value; + align-items: $value; +} + +//---------------------------------- + +// Flexbox Align Self +// +// Values: auto | flex-start | flex-end | center | baseline | stretch +// Default: auto + +@mixin align-self($value: auto) { + // No Webkit Box Fallback. + -webkit-align-self: $value; + -moz-align-self: $value; + @if $value == flex-start { + -ms-flex-item-align: start; + } @else if $value == flex-end { + -ms-flex-item-align: end; + } @else { + -ms-flex-item-align: $value; + } + align-self: $value; +} + +//---------------------------------------------------------------------- + +// Flexbox Align Content +// +// The 'align-content' property aligns a flex container's lines within the +// flex container when there is extra space in the cross-axis, similar to +// how 'justify-content' aligns individual items within the main-axis. Note, +// this property has no effect when the flexbox has only a single line. +// +// Values: flex-start | flex-end | center | space-between | space-around | stretch +// Default: stretch +// +// http://w3.org/tr/css3-flexbox/#align-content-property + +@mixin align-content($value: stretch) { + // No Webkit Box Fallback. + -webkit-align-content: $value; + -moz-align-content: $value; + @if $value == flex-start { + -ms-flex-line-pack: start; + } @else if $value == flex-end { + -ms-flex-line-pack: end; + } @else { + -ms-flex-line-pack: $value; + } + align-content: $value; +} 
diff --git a/docs/_sass/navigation.scss b/docs/_sass/navigation.scss new file mode 100644 index 00000000..b2a4b62c --- /dev/null +++ b/docs/_sass/navigation.scss @@ -0,0 +1,86 @@ +.nav-open nav { + border-bottom: 1px dotted rgba(255, 255, 255, .2); + padding: 10px 0; + a { + display: block; + } + + @media #{$mid-point} { + border: 0; + padding: 0 20px; + + a { + display: inline; + } + } +} + +nav { + text-transform: uppercase; + font-size: .8em; + width: 100%; + + @media #{$mid-point} { + text-align: right; + position: absolute; + top: 13px; + right: 0; + padding: 0 20px; + } + + + a { + margin: 0 3px; + padding: 20px 10px; + border-bottom: 1px solid rgba(255,255,255,0); + color: rgba(255,255,255,.8); + transition: .2s ease-in-out; + display: none; + + @media #{$mid-point} { + display: inline; + padding: 10px; + } + + + &.nav-toggle { + display: inline; + position: absolute; + right: 10px; + top: -22px; + font-size: 1.9em; + border: 0; + + @media #{$mid-point} { + display: none; + } + + &:hover { + border: 0; + } + } + } + + a:hover { + + border-bottom: 1px solid rgba(255,255,255,.3); + color: #fff; + } + + @media #{$mid-point} { + a.highlight { + border: 1px #ccc solid; + border-radius: 5px; + + &:hover { + background: #fff; + color: $brand-color; + } + } + } + + a.active { + color: #fff; + } + +} diff --git a/docs/_sass/pricing.scss b/docs/_sass/pricing.scss new file mode 100644 index 00000000..19b92ed3 --- /dev/null +++ b/docs/_sass/pricing.scss 
@@ -0,0 +1,71 @@ +.plans { + @extend %flexbox; + @include flex-flow(wrap); + padding: 50px 0 30px 0; + + .plan { + list-style: none; + padding: 0; + margin: 0 10px 50px 10px; + text-align: center; + border: 1px solid #eee; + border-radius: 5px; + box-shadow: 0px 0px 10px #eee; + width: 100%; + + .highlighted { + font-size: 1.2em + } + + .pricing-cta { + padding: 0; + + a { + display: block; + box-sizing: border-box; + padding: 20px 0; + border-radius: 0 0 2px 2px; + border: 0; + } + } + + @media #{$desktop} { + -webkit-flex: 1; + flex: 1; + } + + li { + border-top-right-radius: 5px; + border-top-left-radius: 5px; + padding: 20px 0; + h3 { + padding: 0; + margin: 0; + color: #fff; + font-weight: normal; + } + } + } +} + +.faq { + @media #{$desktop} { + @include columns(2); + } + color: #666; + div { + break-inside: avoid; + padding: 25px 0; + } + + dt { + font-weight: bold; + margin: 0 0 5px 0; + } + + dd { + padding: 0; + margin: 0; + + } +} diff --git a/docs/_sass/staff.scss b/docs/_sass/staff.scss new file mode 100644 index 00000000..78cc262b --- /dev/null +++ b/docs/_sass/staff.scss @@ -0,0 +1,38 @@ +.staff { + padding: 0; + list-style: none; + @extend %flexbox; + @include flex-flow(wrap); + text-align: center; + li { + padding: 30px 20px; + box-sizing: border-box; + width: 100%; + + @media #{$tablet} { + @include flex(1, 1, 45%); + } + + @media #{$desktop} { + @include flex(1, 1, 29%); + } + + } + + .square-image { + width: 200px; + height: 200px; + img { + border-radius: 200px; + } + } + + .name { + font-size: 1.3em; + margin-top: 20px; + } + + .position { + color: #666; + } +} diff --git a/docs/_sass/variables.scss b/docs/_sass/variables.scss new file mode 100644 index 00000000..6ce421ac --- /dev/null +++ b/docs/_sass/variables.scss 
@@ -0,0 +1,9 @@ +$brand-color: #333333; +$secondary-brand-color: #333333; +$footer-color: #000000; +$middle-gradient-color: mix($brand-color, $secondary-brand-color, 95%); + +// Breakpoints +$tablet: "(min-width: 450px)"; +$mid-point: "(min-width: 620px)"; +$desktop: "(min-width: 768px)"; diff --git a/docs/apple-touch-icon.png b/docs/apple-touch-icon.png new file mode 100644 index 00000000..65b56de5 Binary files /dev/null and b/docs/apple-touch-icon.png differ diff --git a/docs/blog/index.html b/docs/blog/index.html new file mode 100644 index 00000000..80ce1e32 --- /dev/null +++ b/docs/blog/index.html @@ -0,0 +1,26 @@ +--- +title: Blog +description: Keep up with the latest news. +--- + +
    + +
      + {% include list-posts.html posts=paginator.posts %} +
    + + {% if paginator.total_pages > 1 %} + + + {% endif %} +
    diff --git a/docs/css/screen.scss b/docs/css/screen.scss new file mode 100644 index 00000000..d14200c2 --- /dev/null +++ b/docs/css/screen.scss @@ -0,0 +1,19 @@ +--- +--- +@import "mixins/flexbox"; +@import "mixins/columns"; +@import "variables"; +@import "elements"; +@import "landing-page"; +@import "layout"; +@import "pricing"; +@import "staff"; +@import "contact"; +@import "blog"; +@import "forms"; +@import "navigation"; +@import "footer"; +@import "cloudcannon"; +@import "get_options"; +@import "developer"; +@import "how"; \ No newline at end of file diff --git a/docs/developer.html b/docs/developer.html new file mode 100644 index 00000000..8451a504 --- /dev/null +++ b/docs/developer.html @@ -0,0 +1,49 @@ +--- +title: Developer info +heading: Developer info +--- +
    +
    +
    +

    The architecture of the ipfixprobe can be described by the following diagram:

    + +

    Process plugin

    +

    The ipfixprobe contains script that creates template for new process plugin. To use it follow these steps:
    +

    +

    Run the script:

    + +

    cd process

    +

    ./create_plugin.sh

    +
    + +

    To create the process plugin follow these steps:

    +
      +
    1. Add plugin_name.hpp and plugin_name.cpp files to ipfixprobe_process_src variable in Makefile.am.

    2. +
    3. Implement process plugin event functions. Don't forget to remove unused events to keep default implementation.

    4. +
    5. Set PLUGIN_NAME_UNIREC_TEMPLATE and IPFIX_PLUGIN_NAME_TEMPLATE macros to export Unirec or IPFIX data respectively.

    6. +
    7. Define Unirec and IPFIX fields to export Unirec or IPFIX respectively.

    8. +
    9. Implement fill_ipfix and fill_unirec.

    10. +
    11. Update README.md.

    12. +
    +
    +

    Process plugin events

    +

    pre_create Is called before the creation of new flow from the initial packet.

    +

    post_create is called after the flow is created, taket newly created flow and initial packet.

    +

    pre_update is called when incoming packet belongs to the existing flow, before the data from the packet are added to the flow.

    +

    post_update is called after the data of the packet are added to the flow.

    +

    pre_export is called right before the flow is exported.

    +
    +

    Input plugin

    +

    You can also create own input plugin.

    + +

    To create the input plugin follow these steps:

    +
      +
    1. Create plugin_name.hpp and plugin_name.cpp in the input directory.
    2. +
    3. Add plugin_name.hpp and plugin_name.cpp files to ipfixprobe_input_src variable in Makefile.am.
    4. +
    5. Create a plugin class that inherites from the Input plugin class.
    6. +
    7. Override virtual Plugin class methods (init, close, get_parser, get_name) and Input plugin method to receive new packets(get).
    8. +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/docs/export.html b/docs/export.html new file mode 100644 index 00000000..a89b6735 --- /dev/null +++ b/docs/export.html @@ -0,0 +1,57 @@ +--- +title: Export data +heading: Export data +--- + + +{% assign sorted_export = site.export | sort: 'title' %} +
    +
    +
    +

    Process plugins can export data. Export format of each plugin is described in this section

    +
    + {% for export_table in sorted_export %} +
    +

    {{export_table.title}}

    + {% assign textId = export_table.title | append: "_text" %} + + {% assign tableId = export_table.title | append: "_table" %} + + + + + + + + + + + {% for row in export_table.fields %} + + + + + + + {% endfor %} + + + {% endfor %} +
    +
    +
    +
    + + diff --git a/docs/favicon.png b/docs/favicon.png new file mode 100644 index 00000000..2a03ccec Binary files /dev/null and b/docs/favicon.png differ diff --git a/docs/get_options.html b/docs/get_options.html new file mode 100644 index 00000000..34325c3d --- /dev/null +++ b/docs/get_options.html @@ -0,0 +1,29 @@ +--- +title: Get ipfixprobe +heading: Start using ipfixprobe +--- + +{% for option in site.get_options %} +
    +
    +
    +

    {{ option.title }}

    +

    {{ option.description }}

    +
    +
    + {%if option.instructions %} + {% for instruction in option.instructions %} +

    {{ instruction.description }}

    + + {% for line in instruction.code %} + {{line}}
    + {% endfor %} +
    + {% endfor %} + + + {% endif %} +
    +
    +
    +{% endfor %} diff --git a/docs/how.html b/docs/how.html new file mode 100644 index 00000000..3dc1f72e --- /dev/null +++ b/docs/how.html @@ -0,0 +1,206 @@ +--- +title: How to use ipfixprobe +heading: ipfixprobe usage +--- + +
    +
    +
    +

    The simplest way to use ipfixprobe is to process PCAP file using PCAP plugin (need to be ./configured with --with-pcap)

    +
    + +

    ./ipfixprobe -s cache -i "pcap;file=pcaps/http.pcap" -o "text;m"

    +
    +

    {{ plugin.title | raw }}

    +

    {{ plugin.description | raw }}

    +
    +
    +

    Command line

    +

    The ipfixprobe consists of one input, zero or one output, one storage and zero or more process plugins.

    + {% for plugin in site.how %} +
    +

    +

    {{ plugin.title | raw }}

    +

    {{ plugin.description | raw }}

    +
    + {% for option in plugin.options %} +
    +

    {{ option.title }}

    +

    {{ option.description }}

    + {% if plugin.options %} + + Command line parameters used by {{ option.title }} plugin:
    + {% for parameter in option.parameters %} + {{ parameter.name | raw }} : {{ parameter.description}}
    + {% endfor %} +
    + {% endif %} + {% for run in option.runs %} + +

    {{ run.explanation }}

    +

    {{ run.code }}

    +
    + {% endfor %} + {% endfor %} + {% endfor %} +
    +

    One-time convertion of PCAP file to CSV

    +

    The ipfixprobe can be used to convert given PCAP file to the CSV containing flows from that file in the Unirec format.

    + + Requirements:
    +
      +
    • Docker or Podman
    • +
    • bash
    • +
    • which, mktemp
    • +
    +
    + + This container performs the following tasks:
    +
      +
    1. Copies a pcap file and processing script into the container
    2. +
    3. Runs the ipfixprobe tool to export flows
    4. +
    5. Logs the results in CSV format
    6. +
    +
    +

    Build

    +

    The script builds the image automatically, but be sure that Dockerfile is in the same directory.
    + To build the manually image, navigate to the directory containing the Dockerfile and run:

    + +

    docker build -t docker_ipfixprobe .

    +
    +

    Run

    + + Parameters:
    +
      +
    • process_script.sh Script for processing the pcap file inside the container
    • +
    • input_file.pcap Path to the input pcap file
    • +
    • output_file.csv Path to the output CSV file
    • +
    +
    + +

    bash ./ipfixprobe_wrapper.sh <process_script.sh> <input_file.pcap> <output_file.csv>

    +
    +

    To process a file ../pcaps/mixed.pcap using a processing script process_script.sh and output the results to output.csv, use the following wrapper script:

    + +

    bash ./ipfixprobe_wrapper.sh ./process_script.sh ../pcaps/mixed.pcap ./output.csv

    +
    +
    +

    ipfixprobe as a service

    +

    The ipfxprobe can be set up to be used as a daemon to continuously process incoming packets from the boot up:

    +

    On linux server

    +

    Install the ipfixprobe:

    + +

    sudo make install

    +
    +

    Create your instance.conf configuration inspired by example configurations from the init directory and save it into the /etc/ipfixprobe/
    + Prepare the service configuration file:

    + +

    sudo mv init/ipfixprobe@.service /etc/systemd/system/ipfixprobe@instance.service

    +
    +

    Set up the ExecStart from ipfixprobe@instance.service to point to the ipfixprobed script.

    +

    To start the service use:

    + +

    sudo systemctl start ipfixprobe@instance.service

    +
    +

    To start the service at system startup, run:

    + +

    sudo systemctl enable ipfixprobe@instance.service

    +
    +

    OpenWRT

    +

    Create and save the configuration file to the /etc/config/ipfixprobe. Example of configuration file:

    + +

    NEMEA ipfixprobe + # Copyright (C) 2022-2023 CESNET + + # Available options for profiles, 'list' options can be used repeatedly: + # list interfaces - list of NIC, e.g., eth0, enp0s1, ... + # list plugins - list of plugin names, see 'ipfixprobe -h process' for help + # ipfix_host - address of IPFIX collector + # ipfix_port - port of IPFIX collector, default: 4739 + # ipfix_udp - 1 to export to IPFIX collector via UDP, 0 via TCP + # cache_size - size of flow cache as exponent of 2, default: 1024 + # cache_line - size of flow cache line as exponent of 2, default: 4 + # active_timeout - active timeout in seconds, default: 300 + # inactive_timeout - inactive timeout in seconds, default: 30 + # link - unsigned integer as identification of link/router + # dir - unsigned integer as identification of direction/NIC + # split_biflow - 1 to split biflow to uniflow, default: 0 to use biflow + # ipfix_mtu - size of max transmission unit (MTU), default: 1452 + # + # respawn - enable respawn of crashed process + # respawn_threshold - timeout in seconds for restarting a service after it closes + # respawn_timeout - max time in seconds to wait for a process respawn to complete + # respawn_retry - max number of attempts to respawn before giving up, 0 means newer stop trying to respawn + # core - size of coredump, '0' - not generate, 'unlimited' - unlimited size + # + # enabled - 1 to enable start daemon instance for that profile, NOTE: if profile is directly specified for start script + # (example: '/etc/init.d/ipfixprobe start wan profileX profileY lan'), this option is ignored + + config profile 'lan' + option enabled '0' + list interfaces 'br-lan' + list plugins 'basicplus' + list plugins 'dns' + list plugins 'http' + list plugins 'pstats' + list plugins 'ovpn' + list plugins 'wg' + list plugins 'dnssd;txt' + list plugins 'ssdp' + list plugins 'tls' + list plugins 'quic' + option ipfix_host '127.0.0.1' + option ipfix_port '4739' + option ipfix_udp '1' + option link '1' + 
option dir '1'

    +
    +

    Prepare the init script:

    + +

    wget https://raw.githubusercontent.com/CESNET/Nemea-OpenWRT/master/net/ipfixprobe/files/init.d/ipfixprobe

    +

    sudo mv ipfixprobe /etc/init.d/ipfixprobe

    +
    +

    To run the script manually use:

    + +

    /etc/init.d/ipfixprobe start

    +
    +

    To start the service at system startup:

    + +

    /etc/init.d/ipfixprobe enable

    +
    +
    +
    +
    +
    + \ No newline at end of file diff --git a/docs/images/_screenshot.png b/docs/images/_screenshot.png new file mode 100644 index 00000000..3cbd8be8 Binary files /dev/null and b/docs/images/_screenshot.png differ diff --git a/docs/images/dashboard.png b/docs/images/dashboard.png new file mode 100644 index 00000000..c10df9fb Binary files /dev/null and b/docs/images/dashboard.png differ diff --git a/docs/images/datacenter.jpeg b/docs/images/datacenter.jpeg new file mode 100644 index 00000000..4d54d918 Binary files /dev/null and b/docs/images/datacenter.jpeg differ diff --git a/docs/images/github.png b/docs/images/github.png new file mode 100644 index 00000000..f121cbe5 Binary files /dev/null and b/docs/images/github.png differ diff --git a/docs/images/ipfixprobe-horizontal.svg b/docs/images/ipfixprobe-horizontal.svg new file mode 100644 index 00000000..fbb88f0a --- /dev/null +++ b/docs/images/ipfixprobe-horizontal.svg @@ -0,0 +1,313 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/images/ipfixprobe_architecture.jpg b/docs/images/ipfixprobe_architecture.jpg new file mode 100644 index 00000000..bdfb4bc3 Binary files /dev/null and b/docs/images/ipfixprobe_architecture.jpg differ diff --git a/docs/images/logo.svg b/docs/images/logo.svg new file mode 100644 index 00000000..b31aa32c --- /dev/null +++ b/docs/images/logo.svg @@ -0,0 +1,310 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/docs/images/network.jpg b/docs/images/network.jpg new file mode 100644 index 00000000..c4a12d5d Binary files /dev/null and b/docs/images/network.jpg differ diff --git a/docs/images/router.jpeg b/docs/images/router.jpeg new file mode 100644 index 00000000..afb74f0a Binary files /dev/null and b/docs/images/router.jpeg differ 
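Review bot: in the docs/how.html hunk the guard `{% if plugin.options %}` is placed inside the `{% for option in plugin.options %}` loop it is meant to protect, so it is always true there; it should test `option.parameters` so that the "Command line parameters used by ... plugin:" heading is not emitted for options that have no parameters. The `| raw` filter applied to `plugin.title`, `plugin.description` and `parameter.name` is not a stock Liquid/Jekyll filter; confirm a plugin provides it, otherwise the build fails under strict filters and the filter is a silent no-op in lax mode (Liquid does not HTML-escape output, so the bare variable already emits the markup). In the OpenWRT example the comment `cache_size - size of flow cache as exponent of 2, default: 1024` contradicts itself (2^1024 is not a usable cache size); state whether the option is the exponent or the resulting size, consistent with `cache_line ... default: 4`. The OpenWRT steps `wget .../init.d/ipfixprobe` followed by `sudo mv ipfixprobe /etc/init.d/ipfixprobe` leave the script without the execute bit, so `/etc/init.d/ipfixprobe start` fails until `chmod +x` is run; OpenWRT also normally runs as root without `sudo`, and pulling an init script straight from the `master` branch to install as root is better replaced by a pinned release or commit with a checksum. In the systemd section prefer `cp` over `sudo mv init/ipfixprobe@.service ...` so the source tree is not modified. Typos: "convertion" should be "conversion", "ipfxprobe" should be "ipfixprobe", "To build the manually image" should be "To build the image manually", "need to be ./configured" should be "needs to be configured", and "0 means newer stop trying" should be "never".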
diff --git a/docs/index.html b/docs/index.html new file mode 100644 index 00000000..88686727 --- /dev/null +++ b/docs/index.html @@ -0,0 +1,51 @@ +--- +title: ipfixprobe +description: free and high-performance flow monitoring probe! +--- +
    +
    +

    High-performance flow monitoring probe.

    +

    Monitor and analyze your network traffic for free!

    + +
    +
    + +
    +
    +
    +
    +

    Does ipfixprobe support small routers?

    +

    The ipfixprobe exporter can be deployed to small SOHO routers with OpenWRT operating systems. In case of Turris routers, ipfixprobe is available in its standard repositories.

    +
    + +
    +
    + +
    +
    +
    +

    How shall I deploy ipfixprobe on my network?

    +

    The ipfixprobe supports multiple inputs. From the high-speed DPDK or NDP inputs produced by specialized 100 Gbps network monitoring cards, + to slower interfaces such as libpcap that is supported in any operating system.

    +
    + +
    +
    + +
    +
    +
    +

    How can I get the data?

    +

    The ipfixprobe support multiple output plugins. From the basic ones, where flow data are dumped to standard output in form of text to the standard IPFIX format, that can be used together with IPFIX collectors such as ipfixcol2, which enables multiple additional format outputs. Just check out the documentation to learn how to use ipfixprobe and ipfixcol2 together with systems like Apache Kafka or ELK.

    +
    + +
    +
    + + + +
    +

    Let's monitor your network now!

    + +
    +
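Review bot: in the docs/index.html hunk the text "The ipfixprobe supports multiple inputs. From the high-speed DPDK or NDP inputs produced by specialized 100 Gbps network monitoring cards, to slower interfaces such as libpcap that is supported in any operating system." is a sentence fragment; join it as "supports multiple inputs, from the high-speed DPDK or NDP inputs ... to slower interfaces such as libpcap, which is supported on any operating system." The same applies to "The ipfixprobe support multiple output plugins. From the basic ones ... to the standard IPFIX format", which also needs "supports". "Just check out the documentation to learn how to use ipfixprobe and ipfixcol2 together with systems like Apache Kafka or ELK" names no page; link it to how.html, added in this same change, and link ipfixcol2 to its project so the promised Kafka/ELK integration is actually reachable from the landing page.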
    diff --git a/docs/robots.txt b/docs/robots.txt new file mode 100644 index 00000000..41370029 --- /dev/null +++ b/docs/robots.txt @@ -0,0 +1,6 @@ +--- +layout: null +sitemap: false +--- +User-agent: * +Sitemap: {{ site.url }}/sitemap.xml diff --git a/docs/siteicon.svg b/docs/siteicon.svg new file mode 100644 index 00000000..a133ac66 --- /dev/null +++ b/docs/siteicon.svg @@ -0,0 +1,267 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/touch-icon.png b/docs/touch-icon.png new file mode 100644 index 00000000..5af55cd9 Binary files /dev/null and b/docs/touch-icon.png differ
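Review bot: `Sitemap: {{ site.url }}/sitemap.xml` in the docs/robots.txt hunk assumes `site.url` is set in the Jekyll config and that a generator (the `sitemap: false` front matter suggests jekyll-sitemap) actually produces /sitemap.xml; if either is missing the published robots.txt advertises a URL with an empty host or one that returns 404, so verify both in the site config alongside this file.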