
NetflowBiFlowConstruct

Netflow is uni-directional. As described in the Internet-Draft (http://www.ietf.org/internet-drafts/draft-boschi-ipfix-biflow-01.txt), a biflow is the product of matching the two uniflow sides of a bidirectional communication session (e.g., a TCP session, or a UDP DNS question and answer) into a single entity. Biflows are often required to rebuild interesting TCP sessions, UDP exchanges and the like.

Following a hard discussion (ok, as usual ;-)) between Yann Berthier and Alexandre Dulaunoy, I tried to implement something rebuilding biflows from uni-directional Netflow data.

Testing data structure

SQL

create table biflows (
   flowID   varchar(32) primary key not null,
   ltime    bigint,
   htime    bigint,
   proto    smallint  unsigned not null,
   laddr    bigint    unsigned not null,
   haddr    bigint    unsigned not null,
   lport    int       unsigned not null,
   hport    int       unsigned not null,
   lpkts    bigint    unsigned,
   hpkts    bigint    unsigned,
   lbytes   bigint    unsigned,
   hbytes   bigint    unsigned,
   lcount   bigint    unsigned,
   hcount   bigint    unsigned,
   lflags   int       unsigned,
   hflags   int       unsigned,
   ltos     int       unsigned,
   htos     int       unsigned
);
mysql> describe biflows;
+--------+----------------------+------+-----+---------+-------+
| Field  | Type                 | Null | Key | Default | Extra |
+--------+----------------------+------+-----+---------+-------+
| flowID | varchar(16)          | NO   | PRI |         |       |
| ltime  | date                 | NO   |     |         |       |
| htime  | date                 | NO   |     |         |       |
| proto  | smallint(5) unsigned | NO   |     |         |       |
| laddr  | bigint(20) unsigned  | NO   |     |         |       |
| haddr  | bigint(20) unsigned  | NO   |     |         |       |
| lport  | int(10) unsigned     | NO   |     |         |       |
| hport  | int(10) unsigned     | NO   |     |         |       |
| lpkts  | bigint(20) unsigned  | YES  |     | NULL    |       |
| hpkts  | bigint(20) unsigned  | YES  |     | NULL    |       |
| lbytes | bigint(20) unsigned  | YES  |     | NULL    |       |
| hbytes | bigint(20) unsigned  | YES  |     | NULL    |       |
| lcount | bigint(20) unsigned  | YES  |     | NULL    |       |
| hcount | bigint(20) unsigned  | YES  |     | NULL    |       |
| lflags | int(10) unsigned     | YES  |     | NULL    |       |
| hflags | int(10) unsigned     | YES  |     | NULL    |       |
| ltos   | int(10) unsigned     | YES  |     | NULL    |       |
| htos   | int(10) unsigned     | YES  |     | NULL    |       |
+--------+----------------------+------+-----+---------+-------+
18 rows in set (0.00 sec)

mysql>
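As an added illustration (not code from the original page or its author), here is a Python sketch of the matching step the draft describes, producing rows with the same column names as the biflows table above. The constructed sample uniflow records, the reading of l/h as the numerically lower/higher (address, port) endpoint, and the md5-based flowID are assumptions.

```python
import hashlib
import ipaddress

# Constructed sample uniflow records (not taken from the original page):
# (proto, saddr, daddr, sport, dport, time, pkts, bytes, tcp_flags, tos)
UNIFLOWS = [
    (6,  "10.0.0.5",   "192.0.2.10", 40000, 80,    1000, 5, 600,  0x02, 0),
    (6,  "192.0.2.10", "10.0.0.5",   80,    40000, 1001, 4, 4000, 0x12, 0),
    (6,  "10.0.0.5",   "192.0.2.10", 40000, 80,    1005, 2, 100,  0x10, 0),  # same session, later export
    (17, "10.0.0.5",   "192.0.2.53", 5353,  53,    1002, 1, 70,   0,    0),  # DNS question
    (17, "192.0.2.53", "10.0.0.5",   53,    5353,  1002, 1, 120,  0,    0),  # DNS answer
]

def endpoint(addr, port):
    return (int(ipaddress.ip_address(addr)), port)

def canonical(proto, saddr, daddr, sport, dport):
    """Order the endpoints so both directions of a session yield the same key:
    the 'l' side is the numerically lower (addr, port) pair, the 'h' side the higher (assumption)."""
    (laddr, lport), (haddr, hport) = sorted([endpoint(saddr, sport), endpoint(daddr, dport)])
    return (proto, laddr, lport, haddr, hport)

def flow_id(key):
    """32 hex chars, sized for the varchar(32) flowID column (hypothetical key scheme)."""
    return hashlib.md5(repr(key).encode()).hexdigest()

def build_biflows(uniflows):
    """Merge uniflow records into biflow rows keyed by flowID, columns named as in the table."""
    rows = {}
    for proto, saddr, daddr, sport, dport, t, pkts, byts, flags, tos in uniflows:
        key = canonical(proto, saddr, daddr, sport, dport)
        row = rows.setdefault(flow_id(key), {
            "flowID": flow_id(key), "proto": proto,
            "laddr": key[1], "lport": key[2], "haddr": key[3], "hport": key[4],
            "ltime": None, "htime": None, "lpkts": 0, "hpkts": 0, "lbytes": 0, "hbytes": 0,
            "lcount": 0, "hcount": 0, "lflags": 0, "hflags": 0, "ltos": 0, "htos": 0})
        # The record belongs to the 'l' direction if its source is the canonical low endpoint.
        s = "l" if endpoint(saddr, sport) == (key[1], key[2]) else "h"
        row[s + "time"] = t if row[s + "time"] is None else min(row[s + "time"], t)
        row[s + "pkts"] += pkts
        row[s + "bytes"] += byts
        row[s + "count"] += 1      # uniflow records merged on this side
        row[s + "flags"] |= flags  # OR of TCP flags seen on this side
        row[s + "tos"] = tos
    return rows

def insert_sql(row):
    """Render one biflow row as an INSERT against the biflows table above."""
    vals = ", ".join("NULL" if v is None else ("'%s'" % v if isinstance(v, str) else str(v)) for v in row.values())
    return "insert into biflows (%s) values (%s);" % (", ".join(row), vals)
```

The three TCP records collapse into one biflow with lcount 2 and hcount 1, which is where the lcount/hcount columns earn their place: a long session exported in several uniflow records is still a single biflow.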

Evaluating life time and scope of Biflow

Building a software prototype