forked from tumi8/vermont
-
Notifications
You must be signed in to change notification settings - Fork 0
Example
Felix Erlacher edited this page Sep 27, 2017
·
3 revisions
Here we present a complete example configuration for Vermont. All sensors are checked every second and their values written to the file sensor_output.xml. The observer module reads packets from eth0 and hands them to the packetAggregator module via a packetQueue. The packetAggregator aggregates these packets to IPFIX bi-flows including HTTP related IEs (as stadardized with IANA). These IPFIX flows are sent to the ipfixPrinter via an ipfixQueue. The ipfixPrinter writes a textual representation of these flows to the file flows.dat.
<ipfixConfig>
<sensorManager id="99">
<checkinterval>1</checkinterval>
<outputfile>sensor_output.xml</outputfile>
</sensorManager>
<observer id="1">
<interface>eth0</interface>
<pcap_filter>ip and tcp</pcap_filter>
<instances>10000</instances>
<offlineAutoExit>1</offlineAutoExit>
<offlineSpeed>0</offlineSpeed>
<captureLength>1500</captureLength>
<next>2</next>
</observer>
<packetQueue id="2">
<maxSize>1000</maxSize>
<next>3</next>
</packetQueue>
<packetAggregator id="3">
<rule>
<templateId>999</templateId>
<httpAggregation>1</httpAggregation>
<httpSkipHeader>0</httpSkipHeader>
<httpMsgBufferSize>102400</httpMsgBufferSize>
<tcpMonitor>
<attemptedConnectionTimeout unit="sec">20</attemptedConnectionTimeout>
<establishedConnectionTimeout unit="sec">600</establishedConnectionTimeout>
<closedConnectionTimeout unit="sec">20</closedConnectionTimeout>
<connectionBufferSize>104857600</connectionBufferSize>
<usePCAPTimestamps>true</usePCAPTimestamps>
</tcpMonitor>
<flowKey>
<ieName>sourceIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>destinationIPv4Address</ieName>
</flowKey>
<flowKey>
<ieName>protocolIdentifier</ieName>
</flowKey>
<flowKey>
<ieName>sourceTransportPort</ieName>
</flowKey>
<flowKey>
<ieName>destinationTransportPort</ieName>
</flowKey>
<nonFlowKey>
<ieName>flowStartNanoSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>flowEndNanoSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>octetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>packetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>frontPayload</ieName>
<ieLength>20</ieLength>
</nonFlowKey>
<nonFlowKey>
<ieName>revFrontPayload</ieName>
<ieLength>20</ieLength>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowStartNanoSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revflowEndNanoSeconds</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revOctetDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>revPacketDeltaCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>dpaForcedExport</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>dpaFlowCount</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>dpaReverseStart</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>httpRequestMethod</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>httpRequestTarget</ieName>
<ieLength>150</ieLength>
</nonFlowKey>
<nonFlowKey>
<ieName>httpMessageVersion</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>httpRequestHost</ieName>
<ieLength>50</ieLength>
</nonFlowKey>
<nonFlowKey>
<ieName>httpRespMessageVersion</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>httpStatusCode</ieName>
</nonFlowKey>
<nonFlowKey>
<ieName>httpStatusPhrase</ieName>
</nonFlowKey>
</rule>
<expiration>
<inactiveTimeout unit="sec">60</inactiveTimeout>
<activeTimeout unit="sec">300</activeTimeout>
</expiration>
<pollInterval unit="msec">100</pollInterval>
<next>4</next>
</packetAggregator>
<ipfixQueue id="4">
<entries>1000</entries>
<next>6</next>
</ipfixQueue>
<ipfixPrinter id="6">
<outputType>tree</outputType>
<filename>flows.dat</filename>
</ipfixPrinter>
</ipfixConfig>