[netflow-tools] Netflow Library

[Damien Miller]

On Sat, 29 Sep 2007, Jesse Kempf wrote:

> Hi,
> So far I've moved all the parsers into their own file, and have wired  
> up flowd, at least, to use the library.
> Since I fell asleep trying to read the IPFIX RFC, how much work would  
> need to be done to support IPFIX itself in the parser library?

It would probably not be too much work, as IPFIX is somewhat like 
NetFlow v.9. I haven't looked at the drafts for quite a while though,
so it may have diverged. 

An important task in supporting IPFIX is to identify which subset of
fields to select, add them to store.[ch] and define mappings from the
wire representations to the store fields.

> It might not be a bad idea to combine the parser library from flowd  
> with the encoding library for softflowd to provide an alternative to  
> libfixbuf or whatever CMU is calling their IPFIX library.

Yeah, I have been meaning to unify flowd, softflowd and pfflowd for
a while. The ideal would be to make it easy for {pf,soft}flowd to be
able to log directly to disk (in store.c format), have flowd 
operate as a "translating relay" (e.g. from NetFlow v.9 or IPFIX to
NetFlow v.5 for legacy apps), and be able to replay logs as a stream
of NetFlow packets.

-d