-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathTODO
84 lines (64 loc) · 2.65 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
* indicates things to do before 1.0 release
- Inetd mode (listen on stdin)
- Exit value should indicate whether packet(s) were successfully parsed
- Very useful for regress tests
- or, listen on /unix/domain/path
- would need to to send netflow packets
- Capture from pcap
- Send from log (see below)
- Regress tests *
- Config
- Packet parsing
- Flow storage
- Output
- Filtering
- Improve Filters
- Port predicates, e.g. "port 1024-65536", "port > 1024"
- packets, octets (need predicates)
- other fields, in particular netflow version
- time of day filtering on flow_start|flow_finish
- clarify what happens when fields are missing
- allow specification of filter parameters in any order
- Improve log handling
- E.g. multiple log files, based on tag?
- support relaying of pre/post-filter packets to another agent
- UDP
- Vanilla text logging
- XML logging
- build binary flows from XML (useful for regress tests)
- Improve Perl and Python documentation *
- Add Perl and Python regress tests *
- Add writing of binary flows to perl module *
- Option to check TTL of inbound flow export packets
- Option to bind by interface name
- IPv4 Multicast group join by interface. e.g.
join group 224.22.33.44 on fxp0
- Tools collection:
- "flow-send", a small program to take on-disk flows and send them as
NetFlow packets to a chosen host
- (or, patch flow-tools)
- More protocols: sflow, IPFIX
- Add calculation and storage of "normalised" flow timers, correcting for
flow probe clock errors by using difference between header->time_sec and
localtime (assumes flow collector clock is accurate!)
- Track sequence per peer and alert on flow drops
- Define net store.h types for:
- min/max_pkt_lngth
- Discard protocol-specific state when we receive a packet in a different
protocol
- Don't record any nf9 flows unless the entire packet is valid (right now,
we only validate to the flowset level)
- Could at least iterate over packet and check for truncation?
- Renovate Perl API.
- This was my first attempt at writing C/Perl glue, so the interface is
pretty clumsy :(
- Add support for legacy store logs to perl/python APIs
- Allow startup of flowd with detached logsock (maybe return a /dev/null fd
from the monitor - it will error on send)
- Implement CryptoPAN address anonymisation
http://www.cc.gatech.edu/computing/Telecomm/cryptopan/
- Read/write zlib compressed flow logs
- Variable-length integer encoding for numeric fields
- Magic start bit pattern for records + checksum on record header,
so we can resynch on read errors
- separate inbound and outbound tags, or just allow multiple (within reason)