Some questions about packet processing #94

stanpao · 2021-12-08T13:20:05Z

stanpao
Dec 8, 2021

As the netflow data source for network traffic machine learning, one of the most important step is to validate if the traffic picked up from massive monitored traffic is as expected. So analyzing packet in the format of flow and keep the original packet bytes to pcap for check is necessary. From the source, there is no way to persist the orginal packet data seemingly (only can obtain L3 data bytes) and from the cffi struct cdeclaration code, there is still no way to read from ffi buffer to get the original data seemingly(I'm not familiar with C ...) So, I ask for help if any practice to realize this function or just can be done by modifing nfstream framework code?

drnpkr · 2021-12-09T10:22:32Z

drnpkr
Dec 9, 2021
Collaborator

Hi @stanpao,

There is no need to reinvent the wheel. There are already awesome solutions that can be used to achieve this.

I think, you are trying to use NFStream for something it is not destined for. If you want a PCAP, you can use tcpdump. If you want to achieve packet capture with zero loss, you can use n2disk (nTOP, license is required). Once you have the PCAP, you can use NFStream to generate the flows.

You should also be aware of the fact that packet capture in a network with roughly 1Gbps is going to yield a PCAP file of tens of GB in just a couple of minutes or less (unless you want to throw the payload away).

1 reply

stanpao Dec 9, 2021
Author

Yes, I got this. Nfstream is a very friendly net flow extraction tool and has great performance. However, flow is the key feature for analysis and payload the the important feature for validation at the same time in some scenarios. Maybe I should choose some middleware for temp payload persistence. Thank you for your reply. I will close this discussion.

aouinizied · 2021-12-09T14:49:12Z

aouinizied
Dec 9, 2021
Maintainer

@stanpao Even if we expose a buffer with original packet within the NFPacket structure, you will need to store it somewhere and this will led you to drastic performances (memory consumption, disk etc) issues. NFStream is not intended for packet storage but rather flow oriented analytics. That why we expose the payload of each packet, user can do whatever analysis he wants and update a FLOW attribute.
As Adrian point it out, you can run NFStream and periodically/randomly do a capture of your network to check your results i an offline mode.

Zied

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Some questions about packet processing #94

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Uh oh!

Some questions about packet processing #94

Uh oh!

Uh oh!

stanpao Dec 8, 2021

Replies: 2 comments · 1 reply

Uh oh!

drnpkr Dec 9, 2021 Collaborator

Uh oh!

stanpao Dec 9, 2021 Author

Uh oh!

aouinizied Dec 9, 2021 Maintainer

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

stanpao
Dec 8, 2021

Replies: 2 comments 1 reply

drnpkr
Dec 9, 2021
Collaborator

stanpao Dec 9, 2021
Author

aouinizied
Dec 9, 2021
Maintainer