NAME
packlogic-twoway.so - Packing logic for the twoway site

SYNOPSIS
    rwflowpack --packing-logic=packlogic-twoway.so ...

DESCRIPTION
This manual page describes the packlogic-twoway.so plug-in that defines the packing logic that rwflowpack(8) may use to categorize flow records. (This document uses the term plug-in, but the builder of SiLK may choose to compile the packing logic into rwflowpack. See the SiLK Installation Handbook for details.)

General Overview of rwflowpack
The primary job of rwflowpack is to categorize flow records into one or more class and type pairs. The class and type pair (also called a flowtype) is used by the analyst when selecting flow records from the data store using rwfilter(1).

The settings that rwflowpack uses to categorize each flow record are determined by two textual configuration files and a compiled plug-in that is referred to as the packing logic. The first of the configuration files is silk.conf(5), which specifies the classes, types, and sensors that rwflowpack uses when writing files and that rwfilter uses when selecting flow files. The second configuration file is the sensor.conf(5) file. This file contains multiple sensor blocks, where each block contains information which the packing logic uses to categorize flow records collected by the probes specified for that sensor.

The combination of a silk.conf file and a particular packing logic plug-in defines a site. By having the configuration and packing logic outside of the core tools, users can more easily configure SiLK for their particular installation, and a single installation of SiLK can support multiple sites. This manual page describes the packing logic for the twoway site. For a description of the packing logic at another site, see that site's manual page.
Networks, Classes, and Types for the "twoway" Site
The silk.conf file and packlogic-twoway.so plug-in categorize a flow record based on how the packets that comprise the flow record moved between different networks. The packlogic-twoway.so plug-in specifies three network names to describe the logical address spaces that border the sensor:

    external
    internal
    null

There is an implicit fourth network, unknown, which is anything that does not match the three networks above. Given these networks, the following table describes how flows can move between the networks. Traffic between the networks is successfully routed unless the description explicitly says "blocked".

    SOURCE     DESTINATION   DESCRIPTION
    external   internal      incoming traffic
    internal   external      outgoing traffic
    external   null          blocked incoming traffic
    internal   null          blocked outgoing traffic
    external   external      strictly external traffic
    internal   internal      strictly internal traffic
    null       any           unclear: null should never be a source
    external   unknown       unclear
    internal   unknown       unclear
    unknown    any           unclear

The silk.conf file and packlogic-twoway.so plug-in define a single class, all. The type assigned to a flow record within the all class depends on how the record moves between the networks, and the types follow from the table above:
Assigning a flow to source and destination networks
Each sensor block in the sensor.conf(5) file must specify how to determine the source and destination networks for each flow record collected by the probes specified for that sensor. There are two ways to do this.

The first method sets the source and destination of all records to particular networks. This can be used, for example, when the physical network device at the sensor only sees one direction of the traffic. To do this, use the source-network and destination-network statements in the sensor block. The following sensor, S1, considers all traffic as blocked incoming:

    sensor S1
        ipfix-probes S1
        source-network external
        destination-network null
    end sensor

The second method to determine how a flow record moves between the networks is to define the networks and use characteristics of the flow record to determine its source and destination networks. The sensor.conf file provides two ways to define a network: use the NET-ipblocks statement to specify the NET network as a list of IP address blocks, or use the NET-interfaces statement to specify the NET network using a list of SNMP interfaces.

For the source network of a flow record to be considered external, either the source IP (SiLK field "sIP") must appear in the list of external-ipblocks or the incoming SNMP interface (SiLK field "in") must appear in the list of external-interfaces. Note: If the probe block that specifies where the flow was collected contains an interface-values vlan statement, the SiLK "in" field contains the VLAN ID. For the destination network of a flow record to be considered null, either the destination IP ("dIP") must appear in the list of null-ipblocks or the outgoing SNMP interface ("out") must appear in the list of null-interfaces.

Consider the following two sensors:

    sensor S2
        ipfix-probes S2
        external-ipblocks 172.16.0.0/16
        internal-ipblocks 172.20.0.0/16
    end sensor

    sensor S3
        ipfix-probes S3
        external-interfaces 17,18,19
        internal-interfaces 21,22,23
    end sensor

A flow record collected at probe S2 whose "sIP" is 172.16.1.1 and whose "dIP" is 172.20.2.2 is considered incoming. A flow record collected at probe S3 whose "in" is 23 and whose "out" is 18 is considered outgoing. A flow on S3 whose "in" is 23 and whose "out" is 27 is written to other, since the "out" field matches no defined network and the destination is therefore unknown.

There are two constructs in the sensor.conf file that help when specifying these lists:
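The following Python script is an added illustration of the network-assignment rules above and of the source/destination table in the previous section; it is not code from SiLK or from the packlogic-twoway.so plug-in. It models the S1, S2 and S3 sensor blocks from this page as dictionaries, maps each end of a flow to a network (a fixed source-network/destination-network statement wins; otherwise the address is checked against NET-ipblocks and the SNMP interface against NET-interfaces; anything unmatched is "unknown"), and then looks the pair up in the table. The type labels used for matched pairs are taken from the table's DESCRIPTION column because this page does not list the plug-in's short type names; only "other" is a name the page itself uses. Everything else (function names, the sample flows) is constructed for the example.

```python
import ipaddress

# Constructed sensor definitions mirroring the S1, S2 and S3 blocks shown in
# this manual page (sensor.conf statements rendered as Python dicts; this is an
# illustration, not the plug-in's own code).
SENSORS = {
    "S1": {"source-network": "external", "destination-network": "null"},
    "S2": {"external-ipblocks": ["172.16.0.0/16"],
           "internal-ipblocks": ["172.20.0.0/16"]},
    "S3": {"external-interfaces": [17, 18, 19],
           "internal-interfaces": [21, 22, 23]},
}

# The three named networks; anything else is the implicit "unknown" network.
NETWORKS = ("external", "internal", "null")

# Type labels are the DESCRIPTION column of the network table.  The plug-in's
# short type names (other than "other") are not listed on this page, so these
# labels are an assumption made for the example.
TYPE_TABLE = {
    ("external", "internal"): "incoming",
    ("internal", "external"): "outgoing",
    ("external", "null"): "blocked incoming",
    ("internal", "null"): "blocked outgoing",
    ("external", "external"): "strictly external",
    ("internal", "internal"): "strictly internal",
}


def network_of(sensor, ip, iface, end):
    """Map one end ("source" or "destination") of a flow to a network.

    A fixed <end>-network statement takes precedence.  Otherwise the address is
    tested against each NET-ipblocks list and the SNMP interface against each
    NET-interfaces list, in the order of NETWORKS.  Unmatched ends are "unknown".
    """
    fixed = sensor.get(f"{end}-network")
    if fixed is not None:
        return fixed
    addr = ipaddress.ip_address(ip)
    for net in NETWORKS:
        blocks = sensor.get(f"{net}-ipblocks", [])
        if any(addr in ipaddress.ip_network(block) for block in blocks):
            return net
        if iface in sensor.get(f"{net}-interfaces", []):
            return net
    return "unknown"


def classify(sensor_name, sip, dip, in_iface=None, out_iface=None):
    """Return (source_network, destination_network, type) for one flow record.

    The source uses sIP and the incoming interface ("in"); the destination
    uses dIP and the outgoing interface ("out").  Pairs absent from TYPE_TABLE,
    which includes null as a source and any pair involving "unknown", are
    written to "other", matching the "unclear" rows of the table.
    """
    sensor = SENSORS[sensor_name]
    src = network_of(sensor, sip, in_iface, "source")
    dst = network_of(sensor, dip, out_iface, "destination")
    return src, dst, TYPE_TABLE.get((src, dst), "other")


if __name__ == "__main__":
    # Constructed flow records reproducing the worked cases in the text.
    print(classify("S1", "10.0.0.1", "10.0.0.2"))
    print(classify("S2", "172.16.1.1", "172.20.2.2"))
    print(classify("S3", "0.0.0.0", "0.0.0.0", in_iface=23, out_iface=18))
    print(classify("S3", "0.0.0.0", "0.0.0.0", in_iface=23, out_iface=27))
```

Note the order of checks in network_of: because an address or interface could appear in more than one NET list in a badly written sensor block, the first match in NETWORKS order wins here, which is a choice made for the example rather than documented plug-in behaviour.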
For details, see the sensor.conf(5) manual page.

Valid sensors
When using the packlogic-twoway.so plug-in, the sensor blocks in the sensor.conf file support the following types of probes:

In addition, each sensor block must meet the following rules:
Packing logic code
This section provides the logic used to assign the class and type at the twoway site.

A single sensor block will assign the flow record to a single class and type, and processing of the flow for that sensor block stops as soon as a type is assigned. When multiple sensor blocks reference the same probe, the flow records collected by that probe are processed by each of those sensor blocks. A flow record is always assigned to the class all unless the flow is ignored. A textual description of the code used to assign the type is shown here. As of SiLK 3.8.0, the type may be determined by the presence of certain IPFIX or NetFlowV9 information elements.

SEE ALSO
rwfilter(1), rwflowpack(8), sensor.conf(5), silk.conf(5), packlogic-generic(3), silk(7), SiLK Installation Handbook