Metadata export

Cubro SG can export IPFIX data to third-party systems. It supports any IPFIX collector with template customization, or the ipfixreceiver2 utility, which is already included in the main package. The utility can export received data to text format for further processing and insertion into a database, and can also copy and re-export data via the IPFIX protocol to multiple destinations.

Cubro SG supports 4 types of IPFIX channels:

  • fullflow
  • clickstream
  • metadata
  • extended metadata
  • dns

Fullflow — IPFIX flow containing information about connections passing through DPI, full session statistics and enriched DPI information (DPI protocol, subscriber information: login if it exists).

Clickstream — IPFIX flow containing information about subscribers' visits to web pages (HTTP, HTTPS, QUIC).

Metadata — IPFIX flow containing the fields specified for the protocols SIP, XMPP, MAIL (POP, IMAP, SMTP), FTP.

Extended (Raw) metadata — IPFIX flow containing raw truncated IP packets for some protocols, such as STUN sequences and VoIP control protocol sessions. DPI sends the raw data to the LI subsystem for post-processing if needed.

DNS — IPFIX flow containing all domain name service requests.

ID Bytes Type IANA Description Comment
1 8 int64 0 OCTET_DELTA_COUNT same NetFlow v9 IN_BYTES
2 8 int64 0 PACKET_DELTA_COUNT same NetFlow v9 IN_PKTS
4 1 int8 0 PROTOCOL_IDENTIFIER same NetFlow v9 PROTOCOL
5 1 int8 0 IP_CLASS_OF_SERVICE same NetFlow v9 TOS
7 2 int16 0 SOURCE_TRANSPORT_PORT same NetFlow v9 L4_SRC_PORT
8 4 int32 0 SOURCE_IPV4_ADDRESS same NetFlow v9 IPV4_SRC_ADDR
11 2 int16 0 DESTINATION_TRANSPORT_PORT same NetFlow v9 L4_DST_PORT
12 4 int32 0 DESTINATION_IPV4_ADDRESS same NetFlow v9 IPV4_DST_ADDR
16 4 int32 0 BGP_SOURCE_AS_NUMBER same NetFlow v9 SRC_AS
17 4 int32 0 BGP_DESTINATION_AS_NUMBER same NetFlow v9 DST_AS
152 8 int64 0 FLOW_START_MILLISECOND
153 8 int64 0 FLOW_END_MILLISECOND
10 2 int16 0 INPUT_SNMP same NetFlow v9 IngressInterface
14 2 int16 0 OUTPUT_SNMP same NetFlow v9 EgressInterface
60 1 int8 0 IP_VERSION same NetFlow v9 IP_PROTOCOL_VERSION
2000 8 int64 43823 SESSION_ID
2001 - string 43823 HTTP_HOST or CN_HTTPS
2002 2 int16 43823 DPI_PROTOCOL
2003 - string 43823 LOGIN same Radius User-Name
225 4 int32 0 POST_NAT_SOURCE_IPV4_ADDRESS
227 2 int16 0 POST_NAPT_SOURCE_TRANSPORT_PORT
2010 2 int16 43823 FRGMT_DELTA_PACKS Fragmented pkts delta
2011 2 int16 43823 REPEAT_DELTA_PACK Retransmission pkts delta
2012 4 int32 43823 PACKET_DELIVER_TIME deliver (RTT/2) in ms (RTT=round-trip time).
2016 2 int16 43823 BRIDGE_CHANNEL_NUM ISP or virtual channel ID
6 2 int16 0 TCP_FLAGS
58 2 int16 0 SRC_VLAN VLAN ID
59 2 int16 0 DST_VLAN VLAN ID
56 6 mac_address 0 SRC_MAC MAC source addr
57 6 mac_address 0 DST_MAC MAC destination addr
2017 - raw 43823 MPLS Labels
132 8 int64 0 DROPPED_BYTES Dropped bytes delta
133 8 int64 0 DROPPED_PACKETS Dropped bytes delta
2019 1 int8 43823 originalTOS Original TOS value from IP header

IPFIX export template for IPv6.
IPv6 template excluded fields:

  • SOURCE_IPV4_ADDRESS
  • DESTINATION_IPV4_ADDRESS
  • POST_NAT_SOURCE_IPV4_ADDRESS
  • POST_NAPT_SOURCE_TRANSPORT_PORT

The following fields are present:

IPv6 specific fields
ID Bytes Type IANA Description Comment
27 16 int128 0 SOURCE_IPV6_ADDRESS same NetFlow v9 IPV6_SRC_ADDR
28 16 int128 0 DESTINATION_IPV6_ADDRESS same NetFlow v9 IPV6_DST_ADDR

IPFIX format template for Clickstream
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP timestamp
1002 - string 43823 LOGIN Subscriber’s ID
1003 4 IPv4 43823 IP_SOURCE Source IP address
1004 4 IPv4 43823 IP_DESTINATION Destination IP address
1005 - string 43823 HOSTNAME/CNAME TLS SNI, CNAME or HTTP domain
1006 - string 43823 PATH System environment
1007 - string 43823 REFER Customer request header
1008 - string 43823 USER_AGENT User Agent
1009 - string 43823 COOKIE Cookie
2000 8 int64 43823 SESSION_ID Session ID
1010 8 int64 43823 LOCKED Is blocked by DPI
1011 1 int8 43823 HOST_TYPE
1012 1 int8 43823 METHOD Method POST GET PUT etc
1013 2 int16 43823 PORT_SOURCE
1014 2 int16 43823 PORT_DESTINATION
2016 2 int16 43823 BRIDGE_CHANNEL_NUM ISP id or channel number
1024 2 int16 43823 CipherSuitesLen (TLS) Size in bytes of the set of available CipherSuites encryption methods in the Client Hello message
1025 - raw 43823 CipherSuites (TLS) CipherSuites array in Client Hello (max 16 values)
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels
2018 4 int32 43823 TCP Sequence

IPFIX export template for IPv6.
The format of IPFIX templates for IPV6 differs in the format of the IP_SOURCE and IP_DESTINATION fields.

ID Bytes Type IANA Description Comment
1103 16 IPv6 43823 IP_SOURCE
1104 16 IPv6 43823 IP_DESTINATION

Note:
LOCKED = 1 — blocked by HTTPS, 2 — HTTP redirect, 3 — blocked by HTTP (bitmask)
HOST_TYPE = 1 — HTTP, 2 — CNAME, 3 — SNI, 4 — QUIC
METHOD = 1 — GET, 2 — POST, 3 — PUT, 4 — DELETE
If the http_parse_reply=1 setting is enabled, information from the responses to requests is transmitted as well. Responses can be bound to their requests by the session identifier SESSION_ID.

Clickstream export template IPFIX format for HTTP responses 1)
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP timestamp
1002 - string 43823 LOGIN Username (AAA)
1003 4 IPv4 43823 IP_SOURCE
1004 4 IPv4 43823 IP_DESTINATION
1020 4 int32 43823 RESULT_CODE HTTP RESPONSE CODE
1021 8 int64 43823 CONTENT_LENGTH Count of sent bytes
1022 - string 43823 CONTENT_TYPE Content type / MIME
2000 8 int64 43823 SESSION_ID
1023 - string 43823 LOCATION
2016 2 int16 43823 BRIDGE_CHANNEL_NUM
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

If the ssl_parse_reply=1 setting is enabled, information from the responses to requests is sent as well. Responses can be bound to their requests by the session ID SESSION_ID, taking into account the order of the responses.

Clickstream export template IPFIX format for responses over SSL/TLS, HTTPS
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP Timestamp
1002 - string 43823 LOGIN Username (AAA)
1003 4 IPv4 43823 IP_SOURCE
1004 4 IPv4 43823 IP_DESTINATION
2000 8 int64 43823 SESSION_ID
1030 2 int16 43823 SSL_VERSION Version of SSL, TLS
1031 2 int16 43823 CIPHER_SUITE Cipher suite
1032 1 int8 43823 COMPRESSION_METHOD
2016 2 int16 43823 BRIDGE_CHANNEL_NUM
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels
1011 1 int8 43823 type_host
1005 - string 43823 cname

SIP metadata export template
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SRC
1004 4 IPv4 43823 IP_DST
2000 8 int64 43823 SESSION_ID
3000 - string 43823 MSG_CODE
3001 2 int16 43823 STATUS_CODE
3002 - string 43823 URI
3003 - string 43823 FROM
3004 - string 43823 TO
3005 - string 43823 CALLID
3006 - string 43823 UAGENT
3007 - string 43823 CTYPE
3008 - string 43823 GATEWAYS
58 2 int16 - VlanId
59 2 int16 - postVlanID
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

Note:
IP_SRC — IP_SOURCE.
IP_DST — IP_DESTINATION.
GATEWAYS — comma separated list of gateways (IP or hostname).

FTP metadata export template
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SRC
1004 4 IPv4 43823 IP_DST
2000 8 int64 43823 SESSION_ID
3050 - string 43823 SERVER_NAME
3051 - string 43823 USER ftp user
3052 - string 43823 PASSWORD ftp password
3053 1 int8 43823 MODE Passive or active mode
1020 4 int32 43823 RESULT_CODE ftp result code
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

Note: field “MODE” contains the type of FTP connection: (0 — active, 1 — passive).

XMPP metadata export template
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SRC
1004 4 IPv4 43823 IP_DST
2000 8 int64 43823 SESSION_ID
3100 - string 43823 IM_LOGIN
3101 - string 43823 IM_PASSW
3102 - string 43823 IM_SCREEN_NAME
3103 - string 43823 IM_UIN
3104 1 int8 43823 IM_PROTOCOL
3105 - string 43823 IM_RECEIVERS
1020 4 int32 43823 RESULT_CODE
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

Note: IM_PROTOCOL field contains the type of protocol used: 0 — ICQ, 7 — XMPP, 106 — ZELLO

POP, IMAP, SMTP metadata export template
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SRC
1004 4 IPv4 43823 IP_DST
2000 8 int64 43823 SESSION_ID
3150 - string 43823 MAIL_SENDER
3151 - string 43823 MAIL_RECEIVER
3152 - string 43823 MAIL_CC Copy receiver
3153 - string 43823 MAIL_SUBJECT
3154 - string 43823 MAIL_SERVERS
3155 - string 43823 MAIL_REPLY
3156 1 int8 43823 EVENT
3157 1 int8 43823 ATTACHMENT If attachment
3158 1 int8 43823 MAIL_PROTOCOL Type of protocol
1020 4 int32 43823 RESULT_CODE Result Code
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

Note:
EVENT — type of event: 1 — send, 2 — receive.
ATTACHMENT — sign of attachment.
MAIL_PROTOCOL — 0 — smtp, 1 — pop3, 2 — imap.

Raw metadata export template
ID Size in bytes Type IANA Description Note
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SRC
1004 4 IPv4 43823 IP_DST
2000 8 int64 43823 SESSION_ID
2013 1 int8 43823 FLW_DIR
2014 1 int8 43823 DIR_DATA
2015 2 int16 43823 VDPI_PROTO
2900 2 int16 43823 META_PROTO
2901 - string 43823 RAW_DATA Truncated IP packets
4 1 int8 - protocolIdentifier PROTOCOL
7 2 int16 - sourceTransportPort
11 2 int16 - destinationTransportPort
6 2 int16 - tcpControlBits
2018 4 int32 - TCP Sequence
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels

Note:
FLW_DIR — packet direction by interface: 0: sub — inet, 1: inet — subs.
DIR_DATA — packet direction by session: for TCP 0: client → server, 1: server → client, for UDP — from whom the first packet is recorded, the first packet is considered to be a client.
VDPI_PROTO — DPI protocol
META_PROTO — internal protocol identifier (3 — SIP, 4 — FTP, 5 — SMTP, 6 — POP3, 7 — IMAP, 8 — XMPP, 9 — ICQ, 10 — RSS, 11 — NNTP, 12 — H323, 13 — ZELLO, ETC).
RAW_DATA — Truncated IP packets.

DNS requests flow
ID Number of bytes Data type IANA Description
1001 4 int32 43823 TIME_STAMP
1002 - string 43823 LOGIN
1003 4 IPv4 43823 IP_SOURCE
1004 4 IPv4 43823 IP_DESTINATION
1013 2 int16 43823 SOURCE PORT
1014 2 int16 43823 DESTINATION PORT
2000 8 int64 43823 SESSION_ID
3200 1 int8 43823 UDP/TCP Transport: 0 — UDP, 1 — TCP
3201 - string 43823 DOMAIN
3202 2 int16 43823 RRCLASS
3203 2 int16 43823 RRTYPE
3204 4 int32 43823 TTL
3205 - raw 43823 RDATA
58 2 int16 - VlanId VLAN
59 2 int16 - postVlanID POST VLAN
56 6 mac_address - Source MAC Address
57 6 mac_address - Destination MAC Address
2017 - raw 43823 MPLS Labels
2016 2 int16 43823 BRIDGE_CHANNEL_NUM Channel (vchannel) or bridge number. If vchannel is set in the DPI configuration, the channel number will be transmitted, otherwise the bridge number will be transmitted
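
How a collector applies one of these templates on the wire, as an added example (not Cubro code and not part of ipfixreceiver2): it parses a template record whose vendor fields carry the enterprise bit and enterprise number 43823, then decodes a data record, including a variable-length string field (size "-" in the tables). The template ID, the field subset, the field order and the record values are constructed for illustration; message and set headers are not parsed.

```python
import struct

VENDOR_PEN = 43823  # enterprise number from the "IANA" column of the tables above
VARLEN = 0xFFFF     # RFC 7011: template length 65535 = variable-length field ("-" above)

def parse_template(buf):
    """Parse one template record body -> (template_id, [(pen, ie_id, length), ...])."""
    tid, count = struct.unpack_from("!HH", buf, 0)
    off, fields = 4, []
    for _ in range(count):
        ie, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = 0
        if ie & 0x8000:  # enterprise bit set: a 4-byte enterprise number follows
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append((pen, ie & 0x7FFF, length))
    return tid, fields

def decode_record(fields, buf):
    """Decode one data record -> {(pen, ie_id): raw bytes}; raise on truncated input."""
    off, out = 0, {}
    for pen, ie, length in fields:
        if length == VARLEN:  # 1-byte length, or 255 followed by a 2-byte length
            length, off = int.from_bytes(buf[off:off + 1], "big"), off + 1
            if length == 255:
                length, off = int.from_bytes(buf[off:off + 2], "big"), off + 2
        if off + length > len(buf):
            raise ValueError("field runs past the end of the record")
        out[(pen, ie)] = buf[off:off + length]
        off += length
    return out

def spec(ie, length, pen=0):
    """Build one field specifier; used only to construct the sample template."""
    head = struct.pack("!HH", ie | (0x8000 if pen else 0), length)
    return head + (struct.pack("!I", pen) if pen else b"")

# Constructed sample: template 256 carrying six fields of the DNS table, then one record.
SAMPLE_TEMPLATE = struct.pack("!HH", 256, 6) + b"".join(
    spec(ie, ln, pen) for ie, ln, pen in [
        (1001, 4, VENDOR_PEN), (1003, 4, VENDOR_PEN), (3200, 1, VENDOR_PEN),
        (3201, VARLEN, VENDOR_PEN), (3203, 2, VENDOR_PEN), (58, 2, 0)])
SAMPLE_RECORD = (struct.pack("!I", 1700000000) + bytes([192, 0, 2, 10]) + b"\x00"
                 + bytes([11]) + b"example.com" + struct.pack("!HH", 1, 100))

def decode_sample():
    """Return the sample record keyed by (enterprise number, element ID)."""
    return decode_record(parse_template(SAMPLE_TEMPLATE)[1], SAMPLE_RECORD)
```

Keying decoded fields by the pair (enterprise number, element ID) keeps the vendor elements apart from the standard IANA elements that share the same record.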

The customer can write HTTP, SSL/TLS, SIP and DNS metadata to text files on a local or remote system. The customer selects which protocol fields are stored in the file and sets the save path on the server.

ajb_save_url activates recording of HTTP metadata
ajb_url_path directory for the files with these records (/var/dump/dpi by default)
ajb_url_ftimeout recording frequency (30 seconds by default)
ajb_save_url_format list of metadata to record, separated by colons

ajb_save_url=-1
ajb_save_url_format=ts:prg:login:ipsrc:ipdst:host:path:ref:uagent:cookie:tphost:blockd:method
ajb_url_path=/var/dump/dpi
ajb_url_ftimeout=30

Possible options for ajb_save_url_format parameter

ts	time stamp 
prg	id of the active services at the moment of request 
login	subscriber's login 
ipsrc	subscriber's IP address 
ipdst	host IP address (that of the request's addressee) 
host	the host name (Host field) 
path	the path to the requested resource (URI) 
ref	where from (Referer field) 
uagent	browser's type (User-Agent field) 
cookie	Cookie 
ssid	session ID (for binding with Netflow/IPFIX volume data) 
tphost	data type of Host (HTTP=1/CNAME=2/SNI=3/QUIC=4) 
blockd	bit mask, sign of blocking/forwarding (0x3 - for HTTP, 0x1 - for others) 
method	method 1 - GET, 2 - POST, 3 - PUT, 4 - DELETE

ajb_save_ssl activates recording of SSL metadata
ajb_ssl_path directory for the files with these records (/var/dump/dpi by default)
ajb_ssl_ftimeout recording frequency (30 seconds by default)
ajb_save_ssl_format list of metadata to record, separated by colons

ajb_save_ssl is a mask:
0 - not saved
1 - sni (SSL)
2 - cname
3 - sni (QUIC)
-1 - to record everything

ajb_save_ssl=-1
ajb_save_ssl_format=ts:prg:login:ipsrc:ipdst:host:tphost:blockd:method
ajb_ssl_path=/var/dump/dpi
ajb_ssl_ftimeout=30

Possible options for ajb_save_ssl_format parameter

ts	time stamp 
prg	id of the active services at the moment of request 
login	subscriber's login
ipsrc	subscriber's IP address
ipdst	host IP address (that of the request's addressee)
host	the host name (Host/CNAME/SNI/QUIC field)
path	the path to the requested resource (URI) 
ref	where from (Referer field) 
uagent	browser's type (User-Agent field) 
cookie	Cookie 
ssid	session ID (for binding with Netflow/IPFIX volume data) 
tphost	data type of Host (HTTP=1/CNAME=2/SNI=3/QUIC=4) 
blockd	bit mask, sign of blocking/forwarding (0x3 - for HTTP, 0x1 - for others) 
method	method 1 - GET, 2 - POST, 3 - PUT, 4 - DELETE

ajb_save_sip activates recording of SIP metadata
ajb_sip_ftimeout recording frequency (30 seconds by default)
ajb_sip_path directory for the files with these records (/var/dump/dpi by default)
ajb_save_sip_format list of metadata to record, separated by colons

ajb_save_sip=1
ajb_sip_ftimeout=15
ajb_sip_path=/home/sip
ajb_save_sip_format=ts:ssid:ipsrc:ipdst:login:msg:scode:from:to:callid:uagent

Possible options for ajb_save_sip_format parameter

ts	time stamp 
ssid	session identifier (it's used to link to Netflow/IPFIX data to get bytes volume) 
ipsrc	subscriber’s IP
ipdst	server IP
login	subscriber’s LOGIN (from RADIUS) 
msg	message type
scode	status-code 
from	phone/identifier of calling party 
to	phone/identifier of called party 
callid	call identifier 
uagent	type of handset (User-Agent)

ajb_save_dns — flag for writing to a text file
ajb_dns_ftimeout — timeout (minutes) for switching to the next file
ajb_dns_bufsize — file write buffer
ajb_dns_fsize — file size limit
ajb_dns_path — path where to write

ajb_save_dns_format: format for writing to a text file
"ts" — time
"ipsrc" — ip source
"ipdst" — ip destination
"ssid" — session id
"login" — subscriber's login
"host" — the name for which information was requested
"rrtype" — RR types
"rrclass" — RR class
"ttl" — TTL
"rdlen" — rdata size
"rdata" — the resource itself
"psrc" — port source
"pdst" — port destination
"transport" — how the DNS query was received.

Default: ts:ssid:login:ipsrc:ipdst:psrc:pdst:transport:host:rrtype:rrclass:ttl:rdlen:rdata


1) For the IPv6 variant, see the difference above.