Recent Events for foo.be MainPageDiary (Blog)

NetflowBiFlowConstruct

Netflow is uni-directional. As described in the Internet-Draft (http://www.ietf.org/internet-drafts/draft-boschi-ipfix-biflow-01.txt), a biflow is A biflow is the product of matching the two uniflow sides of a bidirectional communication session (e.g., TCP session, UDP DNS question and answer) into a single entity. Biflows are often required to rebuild interesting TCP session or UDP traffic and alike.

Following a hard discussion (ok as usual ;-)) between Yann Berthier and Alexandre Dulaunoy. I tried to implement something rebuilding biflow from an uni-directional Netflow data.

Contents

  1. Testing data structure
      1. SQL
    2. Evaluating life time and scope of Biflow
    3. Building a software prototype

Testing data structure

SQL

create table biflows (
   flowID   varchar(32) primary key not null,
   ltime    bigint,
   htime    bigint,
   proto    smallint  unsigned not null,
   laddr    bigint    unsigned not null,
   haddr    bigint    unsigned not null,
   lport    int       unsigned not null,
   hport    int       unsigned not null,
   lpkts    bigint    unsigned,
   hpkts    bigint    unsigned,
   lbytes   bigint    unsigned,
   hbytes   bigint    unsigned,
   lcount   bigint    unsigned,
   hcount   bigint    unsigned,
   lflags   int       unsigned,
   hflags   int       unsigned,
   ltos     int       unsigned,
   htos     int       unsigned
);

mysql> describe biflows;
+--------+----------------------+------+-----+---------+-------+
| Field  | Type                 | Null | Key | Default | Extra |
+--------+----------------------+------+-----+---------+-------+
| flowID | varchar(16)          | NO   | PRI |         |       |
| ltime  | date                 | NO   |     |         |       |
| htime  | date                 | NO   |     |         |       |
| proto  | smallint(5) unsigned | NO   |     |         |       |
| laddr  | bigint(20) unsigned  | NO   |     |         |       |
| haddr  | bigint(20) unsigned  | NO   |     |         |       |
| lport  | int(10) unsigned     | NO   |     |         |       |
| hport  | int(10) unsigned     | NO   |     |         |       |
| lpkts  | bigint(20) unsigned  | YES  |     | NULL    |       |
| hpkts  | bigint(20) unsigned  | YES  |     | NULL    |       |
| lbytes | bigint(20) unsigned  | YES  |     | NULL    |       |
| hbytes | bigint(20) unsigned  | YES  |     | NULL    |       |
| lcount | bigint(20) unsigned  | YES  |     | NULL    |       |
| hcount | bigint(20) unsigned  | YES  |     | NULL    |       |
| lflags | int(10) unsigned     | YES  |     | NULL    |       |
| hflags | int(10) unsigned     | YES  |     | NULL    |       |
| ltos   | int(10) unsigned     | YES  |     | NULL    |       |
| htos   | int(10) unsigned     | YES  |     | NULL    |       |
+--------+----------------------+------+-----+---------+-------+
18 rows in set (0.00 sec)

mysql>

Evaluating life time and scope of Biflow

Building a software prototype

Recent Events for foo.be MainPageDiary (Blog)
This page is read-only View other revisions Administration
Last edited 2006-02-09 15:55 UTC by adulau (diff)

[FSF Associate Member] Librarything profile for adulau XFN Friendly
if not specified on the wiki page, Copyright © Alexandre (adulau) Dulaunoy. This work is licensed to you under version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar free licenses.