
Ipfixprobe

IPFIX flow exporter with DPDK support capable of bi-directional flows, per-packet-information statistics, and extensibility via processing plugins (e.g., for application layer parsers).

README


ipfixprobe is a high-performance, modular flow exporter that processes packets into bidirectional flows and exports them via a selected output plugin. It supports a wide range of application-layer protocol parsers, including TLS, QUIC, HTTP, DNS, and many others. These protocol-specific extensions are enabled as process plugins in the configuration.

Need more details? Check out our documentation for a full list of supported protocols and usage examples.


✨ Key Features

  • Modular input–parser–output architecture
  • High-speed processing (DPDK, multi-threaded, NUMA-aware)
  • Built-in protocol parsers: TLS, QUIC, HTTP, DNS, …
  • Bidirectional flow (biflow) support
  • Real-time telemetry and statistics

📦 Installation

If you are running a RHEL system or one of its derivatives (e.g. Oracle Linux, Rocky Linux, CentOS Stream), the easiest way to install ipfixprobe is from our copr repository.

$ dnf install dnf-plugins-core # Extra step necessary on some systems
$ dnf copr enable @CESNET/ipfixprobe
$ dnf install ipfixprobe

This installs the main ipfixprobe binary along with core functionality.

🗃️ Available Packages

The Copr repository provides modular RPM packages, so you can install only what you need. The following packages are available and can be installed individually as needed:

| Package Name | Description |
|---|---|
| ipfixprobe | Core binary with common process/output plugins. |
| ipfixprobe-msec | Core binary with common process/output plugins. Uses millisecond timestamps (compatible with Flowmon collector). |
| ipfixprobe-input-pcap | Input plugin for PCAP files and live capture |
| ipfixprobe-input-dpdk | High-speed input plugin using DPDK |
| ipfixprobe-input-nfb | Input plugin for CESNET NFB/NDP cards |
| ipfixprobe-process-experimental | Extra (possibly unstable) process plugins |

For other systems, follow the build instructions below.

🛠️ Build

You can build ipfixprobe from source using standard CMake. This lets you customize the build by enabling optional plugins and features as needed.

Note: Some plugins may require additional dependencies beyond the basic requirements.

⚠️ C++23 support required: Make sure your compiler supports C++23 (GCC ≥14 recommended).

RHEL/CentOS:

🧰 Requirements

$ dnf install epel-release git make cmake gcc-c++ rpm-build
$ dnf install libunwind-devel lz4-devel openssl-devel fuse3-devel

# for RHEL 8/9
$ dnf install gcc-toolset-14-libatomic-devel

# for RHEL 10+
$ dnf install libatomic

🟢 Optional: Install GCC 14 (for C++23 support)

# Enable devtoolset
$ dnf install gcc-toolset-14
$ scl enable gcc-toolset-14 bash

# Verify version
$ g++ --version  # should show GCC 14.x

Debian/Ubuntu:

🧰 Requirements

$ apt install git make cmake g++ pkg-config rpm
$ apt install libunwind-dev liblz4-dev libssl-dev libfuse3-dev libatomic1

🧱 Build steps

git clone https://github.com/CESNET/ipfixprobe.git
cd ipfixprobe
mkdir build && cd build
cmake ..
make -j$(nproc)
# make install

⚙️ Optional build flags

You can enable or disable optional plugins and features via CMake flags:

| Flag | Default | Description |
|---|---|---|
| -DENABLE_MILLISECONDS_TIMESTAMP=ON | OFF | Use millisecond precision timestamps (for Flowmon compatibility) |
| -DENABLE_INPUT_PCAP=ON | OFF | Enable PCAP input plugin (live & file) (requires libpcap) |
| -DENABLE_INPUT_DPDK=ON | OFF | Enable high-speed DPDK input plugin (requires dpdk-devel) |
| -DENABLE_INPUT_NFB=ON | OFF | Enable input plugin for CESNET NFB/NDP cards (requires netcope-common) |
| -DENABLE_PROCESS_EXPERIMENTAL=ON | OFF | Enable experimental process plugins |
| -DENABLE_NEMEA=ON | OFF | Enable support for NEMEA modules (requires nemea-framework-devel) |

Run the following command to view all available build options:

cmake -LAH

Example

To build with DPDK and PCAP input support, and install to /usr:

cmake .. \
  -DCMAKE_INSTALL_PREFIX=/usr \
  -DENABLE_INPUT_PCAP=ON \
  -DENABLE_INPUT_DPDK=ON

🧩 Available Plugins

Input Plugins

List of input plugins with estimated performance and configuration complexity.

| Plugin | Max Throughput | Usage Complexity | Description |
|---|---|---|---|
| pcap_live | ~1 Gbps | Easy | captures packets from a live network interface |
| pcap_file | ~1 Gbps | Easy | reads packets from an offline PCAP file |
| raw | ~1 Gbps | Easy | captures packets using a raw socket |
| ndp | 400 Gbps | Medium | uses CESNET NFB/NDP hardware for packet input |
| dpdk | 400 Gbps | Complex | receives packets via high-performance DPDK |
| dpdk-ring | 400 Gbps | Complex | receives packets from a shared DPDK memory ring |


Process Plugins

These plugins extract protocol-specific or behavioral information from packets and enrich flow records with metadata.

| Plugin | Description |
|---|---|
| basic | extracts basic L3/L4 flow fields (IPs, ports, protocol) |
| icmp | extracts ICMP type/code and related metadata |
| http | extracts HTTP methods, hosts, URIs, status codes |
| tls | extracts TLS handshake info (SNI, version, JA3, etc.) |
| ovpn | extracts metadata from OpenVPN tunnels |
| wg | parses WireGuard handshake and endpoint metadata |
| quic | parses QUIC protocol including SNI, versions, ALPN |
| basicplus | adds common L3/L4 flow fields (e.g., ports, IPs, TCP flags) |
| bstats | basic flow statistics (packet/byte counters, duration, ...) |
| dns | extracts DNS queries, responses, and domains |
| dnssd | parses DNS Service Discovery (mDNS) traffic |
| flowHash | extracts a flow hash |
| idpContent | parses IDP content in flows |
| mpls | extracts MPLS labels and encapsulation metadata |
| mqtt | parses MQTT protocol traffic (IoT messaging) |
| netbios | extracts NetBIOS session and name service info |
| nettisa | parses NETTISA related metadata (experimental) |
| ntp | extracts NTP timestamps and server info |
| osquery | parses osquery-generated data streams |
| passiveDns | generates passive DNS entries from observed DNS traffic |
| phists | parses phishing-related signatures (heuristic) |
| pstats | advanced packet statistics (e.g., inter-packet gaps) |
