Repository files navigation

The ipfixprobe is a high-performance, modular flow exporter that processes packets into bidirectional flows and exports them via a selected output plugin.It supports a wide range of application-layer protocol parsers, including TLS, QUIC, HTTP, DNS, and many others. These protocol-specific extensions can be enabled via process plugins in the configuration.

Need more details? Check out ourdocumentation for a full list of supported protocols and usage examples.

• Modular input–parser–output architecture
• High-speed processing (DPDK, multi-threaded, NUMA-aware)
• Built-in protocol parsers: TLS, QUIC, HTTP, DNS, …
• Bidirectional flow (biflow) support
• Real-time telemetry and statistics

If you are running a RHEL system or one of its derivatives (e.g. Oracle Linux, Rocky Linux, CentOS Stream), the easiest way to installipfixprobe is from ourcopr repository.

$ dnf install dnf-plugins-core# Extra step necessary on some systems$ dnf coprenable @CESNET/ipfixprobe$ dnf install ipfixprobe

This installs the mainipfixprobe binary along with core functionality.

The Copr repository provides modular RPM packages, so you can install only what you need.The following packages are available and can be installed individually as needed:

For other systems, follow the build instructions below.

You can build ipfixprobe from source using standard CMake.This lets you customize the build by enabling optional plugins and features as needed.

Note: Some plugins may require additional dependencies beyond the basic requirements.

$ dnf install epel-release git make cmake gcc-c++ rpm-build$ dnf install libunwind-devel lz4-devel openssl-devel fuse3-devel# for RHEL 8/9$ dnf install gcc-toolset-14-libatomic-devel# for RHEL 10+$ dnf install libatomic

$ apt install git make cmake g++ pkg-config rpm$ apt install libunwind-dev liblz4-dev libssl-dev libfuse3-dev libatomic1

git clone https://github.com/CESNET/ipfixprobe.gitcd ipfixprobemkdir build&&cd buildcmake ..make -j$(nproc)# make install

You can enable or disable optional plugins and features via CMake flags:

Run the command to view all available build options:

cmake -LAH

To build with DPDK and PCAP input support, and install to /usr:

cmake .. \  -DCMAKE_INSTALL_PREFIX=/usr \  -DENABLE_INPUT_PCAP=ON \  -DENABLE_INPUT_DPDK=ON

List of input plugins with estimated performance and configuration complexity.

These plugins extract protocol-specific or behavioral information from packets and enrich flow records with metadata.

These plugins export flow records to various formats and external systems.

Theipfixprobe processing pipeline can be launched directly or via theipfixprobed wrapper — a lightweight runtime designed to simplify plugin configuration using YAML files.This method is preferred for production deployments due to its clarity and flexibility.

/usr/bin/ipfixprobed<CONFIG_NAME> [LIBRARY_PATH]

• <CONFIG_NAME> – Name of the YAML configuration file (without the .conf extension).The full path must be/etc/ipfixprobe/<CONFIG_NAME>.conf.

• [LIBRARY_PATH] – (Optional) Path to the ipfixprobe plugin library directory.If not provided, the default/usr/lib64/ipfixprobe is used.

/usr/bin/ipfixprobed example

This will runipfixprobe using the YAML configuration from/etc/ipfixprobe/example.conf.

👉 See the full YAML configuration reference here:https://github.com/CESNET/ipfixprobe/blob/master/init/link0.conf.example

You may also run the processing pipeline using theipfixprobe binary directly, with CLI parameters.This method is not recommended for production use, as it lacks flexibility and clarity.

/usr/bin/ipfixprobe [OPTIONS]

• -i ARGS Activate input plugin (-h input for help)
• -s ARGS Activate storage plugin (-h storage for help)
• -o ARGS Activate output plugin (-h output for help)
• -p ARGS Activate processing plugin (-h process for help)
• -q SIZE Size of queue between input and storage plugins
• -b SIZE Size of input queue packet block
• -Q SIZE Size of queue between storage and output plugins
• -B SIZE Size of packet buffer
• -f NUM Export max flows per second
• -c SIZE Quit after number of packets are processed on each interface
• -P FILE Create a PID file
• -t PATH Mount point of AppFs telemetry directory
• -d Run as a standalone process
• -h [PLUGIN] Print help text. Supported help for input, storage, output and process plugins
• -V Show version and exit

Below are practical examples showcasing common plugin configurations using both CLI and YAML formats.

Capture network traffic from thewlp2s0 interface using a raw socket. Flow records are printed in plain-text format to the console.

🧪 Command-line usage:

/usr/bin/ipfixprobe -i'raw;ifc=wlp2s0' -o'text'

📄 Equivalent YAML configuration:

input_plugin:raw:interface:'wlp2s0'output_plugin:text:{}

Process packets from a.pcap file and export flows via IPFIX over UDP

🧪 Command-line usage:

/usr/bin/ipfixprobe -i'pcap;file=/data/capture.pcap' -o'ipfix;udp;host=collector.example.com;port=4739'

📄 Equivalent YAML configuration:

input_plugin:pcap_file:file:'/data/capture.pcap'output_plugin:ipfix:collector:host:collector.example.comport:4739protocol:udp:{}

Capture frometh0 interface using libpcap, split biflows into uniflows and use active/inactive timeouts, print flows to console.Telemetry data are exposed via the appFs library in/var/run/ipfixprobe directory.

🧪 Command-line usage:

/usr/bin/ipfixprobe -i'pcap;ifc=eth0' -s'cache;split;active=300;inactive=60' -o'text' -t /var/run/ipfixprobe

📄 Equivalent YAML configuration:

input_plugin:pcap_live:interface:'eth0'storage:cache:{}timeouts:active:300inactive:60split_biflow:trueoutput_plugin:text:{}telemetry:appfs:enabled:truemount_point:/var/run/ipfixprobe

Capture packets using DPDK from port 0 with 2 queues bound to a specific PCI device (0000:17:00.0), enable HTTP, TLS, and QUIC process plugins, and export flows via IPFIX to a local collector at 127.0.0.1.

🧪 Command-line usage:

/usr/bin/ipfixprobe -i"dpdk;p=0;q=2;e=-a 0000:17:00.0" -i dpdk -p http -p tls -p quic -o"ipfix;h=127.0.0.1"

📄 Equivalent YAML configuration:

input_plugin:dpdk:allowed_nics:"0000:17:00.0"rx_queues:2process_plugins:  -http  -tls  -quicoutput_plugin:ipfix:collector:host:'127.0.0.1'port:4739protocol:udp:{}