jFlowLib: A Java Library to Parse and Generate sFlow and IPFIX Data
Dr. Thomas King, Manager R&D
jFlowLib
• jsFlow:
  – Java library for sFlow (v5): Counter and Sampling
  – Supports sFlow from Force10 E-series and Alcatel Lucent 7750 (at least)
• jIPFIX:
  – Java library for IPFIX: L2 IP Template
  – Supports IPFIX from Alcatel Lucent 7750 (at least)
Motivation
[Diagram labels: DE-CIX switch/router; exporter (IPFIX/sFlow); multiplexer; collector (IPFIX/sFlow); internal monitoring; external monitoring]
Main Use Case
Multiplexing IPFIX/sFlow:
• 5000+ pkt/s IPFIX
• 1000+ pkt/s sFlow
• Without packet loss
• Many exporters (routers/switches) (up to 10)
• Many (changing) collectors (up to 10)
• IP spoofing (using RAWSockets)
• Configuration
Main Use Case
Snippet:

    <?xml version="1.0"?>
    <jflowlib-muxer>
      <jipfix-muxer>
        <listen>
          <ip>10.102.200.5</ip>
          <port>2055</port>
          <startmissingdatarecorddetector>false</startmissingdatarecorddetector>
        </listen>
        <ping>
          <collectors>true</collectors>
          <ip>10.102.0.19</ip>
        </ping>
        <!-- DX sflow-counter-dev -->
        <muxer type="plain">
          <collector>
            <ip>192.168.63.19</ip>
            <port>2056</port>
          </collector>
        </muxer>
      </jipfix-muxer>
    </jflowlib-muxer>

    java -XX:+UseConcMarkSweepGC -Xmx1024m -Djava.library.path=/opt/jFlowLib/lib -jar jFlowLib.jar -cfg /opt/jFlowLib/etc
Use Cases
Reading data from network:
Snippet:

    DatagramSocket ds = new DatagramSocket(2055);
    while (true) {
        byte[] data = new byte[65536];
        DatagramPacket dp = new DatagramPacket(data, data.length);
        ds.receive(dp);
        // getData() returns the whole 65536-byte buffer;
        // dp.getLength() gives the number of bytes actually received.
        MessageHeader mh = MessageHeader.parse(dp.getData());
        System.out.println(mh);
    }

Reading data from pcap files (using pcap4j):
Snippet:

    PcapHandle handleRead = Pcaps.openOffline("test.pcap");
    PacketListener listener = new PacketListener() {
        public void gotPacket(Packet fullPacket) {
            UdpPacket udpPacket = fullPacket.get(UdpPacket.class);
            // Strip the 8-byte UDP header so that only the IPFIX message remains.
            byte[] onlyIPFIX = new byte[udpPacket.getRawData().length - 8];
            System.arraycopy(udpPacket.getRawData(), 8, onlyIPFIX, 0, onlyIPFIX.length);
            MessageHeader mh = MessageHeader.parse(onlyIPFIX);
            …
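A defensive version of the receive-and-parse step above, as an added example that is not jFlowLib code: it reads the 16-byte IPFIX message header (RFC 7011) from only the bytes actually received and rejects datagrams whose version or length field is inconsistent. The class name IpfixHeaderCheck and the sample bytes are assumptions constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

// Added example, hypothetical class name: not part of jFlowLib.
public class IpfixHeaderCheck {
    static final int HEADER_LEN = 16;
    final int version, length;
    final long exportTime, sequenceNumber, observationDomainId;

    private IpfixHeaderCheck(ByteBuffer b) {
        version = b.getShort() & 0xFFFF;              // must be 10 for IPFIX
        length = b.getShort() & 0xFFFF;               // whole message, header included
        exportTime = b.getInt() & 0xFFFFFFFFL;        // seconds since the Unix epoch
        sequenceNumber = b.getInt() & 0xFFFFFFFFL;
        observationDomainId = b.getInt() & 0xFFFFFFFFL;
    }

    // buf is the receive buffer, received is DatagramPacket.getLength().
    static IpfixHeaderCheck parse(byte[] buf, int received) {
        if (received < HEADER_LEN || received > buf.length)
            throw new IllegalArgumentException("bad datagram length " + received);
        // ByteBuffer is big-endian by default, which is network byte order.
        IpfixHeaderCheck h = new IpfixHeaderCheck(ByteBuffer.wrap(buf, 0, received));
        if (h.version != 10)
            throw new IllegalArgumentException("not IPFIX, version=" + h.version);
        if (h.length < HEADER_LEN || h.length > received)
            throw new IllegalArgumentException("length field " + h.length
                    + " does not fit the " + received + " bytes received");
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample: header only, observation domain ID 67108864 (0x04000000).
        byte[] sample = {
            0x00, 0x0a, 0x00, 0x10,             // version 10, length 16
            0x65, 0x00, 0x00, 0x00,             // export time
            0x00, 0x00, 0x00, 0x2a,             // sequence number 42
            0x04, 0x00, 0x00, 0x00 };           // observation domain ID
        byte[] buf = Arrays.copyOf(sample, 65536); // same buffer size as the slide
        IpfixHeaderCheck h = parse(buf, sample.length);
        System.out.println("domain=" + h.observationDomainId + " seq=" + h.sequenceNumber);
        buf[3] = 0x40; // length field now claims 64 bytes, only 16 were received
        try {
            parse(buf, sample.length);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```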
Use Cases II
Writing data to network:
Snippet:

    DatagramSocket ds = new DatagramSocket(2055);
    MessageHeader mh = new MessageHeader();
    mh.setVersionNumber(10);               // 10 = IPFIX
    mh.setObservationDomainID(67108864);
    mh.setSequenceNumber(seqNumber);
    …
    mh.setExportTime(new Date());
    DatagramPacket dp = new DatagramPacket(mh.getBytes(), mh.getBytes().length, collectorIPv4Value, collectorPortValue);
    ds.send(dp);
Use Cases III
Writing data to pcap file (using pcap4j):
Snippet:

    PcapDumper dumper = handleRead.dumpOpen("test.pcap");
    MessageHeader mh = new MessageHeader();
    mh.setVersionNumber(10);
    mh.setObservationDomainID(67108864);
    mh.setSequenceNumber(seqNumber);
    …
    UnknownPacket.Builder upB = new UnknownPacket.Builder();
    upB.rawData(mh.getBytes());
    udpB.payloadBuilder(upB);
    Packet.Builder ipB = fullPacket.get(IpV4Packet.class).getBuilder();
    ipB.payloadBuilder(udpB);
    Packet.Builder etherB = fullPacket.get(EthernetPacket.class).getBuilder();
    etherB.payloadBuilder(ipB);
    Packet newPacket = etherB.build();
    dumper.dump(newPacket, 0L, 0);
Use Cases IV
Anonymising IP addresses:

Random (IPA -> IPRandom):
Snippet:

    IPv4AddressRandomizer ipV4randomizer = new IPv4AddressRandomizer();
    IPv6AddressRandomizer ipV6randomizer = new IPv6AddressRandomizer();
    Inet4Address fakeDestIpv4 = (Inet4Address) ipV4randomizer.randomize(realDestIpv4);
    Inet6Address fakeDestIpv6 = (Inet6Address) ipV6randomizer.randomize(realDestIpv6);

Pseudo-Random (IPA -> IPB):
Snippet:

    IPv4AddressRandomizer ipV4randomizer = new IPv4AddressRandomizer(true);
    IPv6AddressRandomizer ipV6randomizer = new IPv6AddressRandomizer(true);
    Inet4Address fakeDestIpv4 = (Inet4Address) ipV4randomizer.randomize(realDestIpv4);
    Inet6Address fakeDestIpv6 = (Inet6Address) ipV6randomizer.randomize(realDestIpv6);
Status
• License: Apache 2.0
• Source code: https://github.com/de-cix/jFlowLib
  47 commits, 4 contributors
• Major parts are covered by software tests
• All relevant use cases for DE-CIX are implemented
• jFlowLib is actively used by DE-CIX
• DE-CIX will maintain jFlowLib in the future
• Your contribution is highly appreciated
Questions, Comments, Feedback?
DE-CIX Management GmbH
Lindleystr. 12
60314 Frankfurt
Germany
Phone +49 69 1730 902 0
sales@de-cix.net
Thank you!