Using nProbe for Collecting Ixia IPFIX with IxFlow extensions


Ixia can enrich IPFIX records with value-added extensions (IxFlow). Besides standard fields such as source and destination IP addresses, the additional information that can be exported includes:

  • Geographical information for an IP address such as region, latitude and city name
  • Application ID or name, device, browser and even SSL cipher used
  • Detail on application and handset (device) type for mobile users
  • HTTP URL and hostname for web activity tracking
  • HTTP and DNS metadata for rapid breach detection
  • Transaction Latency for application performance tracking

The latest version of nProbe provides full support for Ixia IPFIX with IxFlow extensions. This means that nProbe can be configured to export IxFlow fields as if they were regular NetFlow fields. How? It’s pretty straightforward: just fire up nProbe with the Ixia IxFlow configuration file we’ve prepared. The configuration file lists the IxFlow field names along with the other data nProbe needs to decode IxFlow fields out of the IPFIX records.

This is an excerpt of the configuration file linked above:

L7_APP_ID NONE 3054 110 4 dump_as_uint
L7_APP_NAME NONE 3054 111 128 dump_as_ascii
SRC_IP_COUNTRY_CODE NONE 3054 120 2 dump_as_ascii

Field names in the first column can be used in the nProbe template (-T) as if they were regular fields. Once you’ve told nProbe to use the configuration file (option --load-custom-fields) you can start exporting custom IxFlow fields. For example, the IxFlow L7_APP_ID can be exported by nProbe simply by specifying it in the template, along with other fields: -T "@NTOPNG@ %L7_APP_ID".
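As an added example (not code from the ntop post or from nProbe itself), the following Python reads the custom-field definition lines quoted above and checks which %FIELD names in a -T template come from that file. The column interpretation is an assumption made here: NAME, a second column left uninterpreted, the exporter's enterprise number (3054 in the excerpt, Ixia's IANA PEN), the element id, the length in bytes, and the dump format. The `@NTOPNG@` macro is left to nProbe and not expanded.

```python
"""Parse nProbe custom-field definitions (--load-custom-fields) and check a -T template.

Added example, not code from the ntop post or from nProbe itself. The three
definition lines are the ones quoted in the post. Column meaning assumed here:
    NAME  <second column, left uninterpreted>  PEN  ELEMENT_ID  LENGTH  DUMP_FORMAT
with 3054 being Ixia's IANA private enterprise number.
"""
import re
from dataclasses import dataclass

CUSTOM_FIELDS_EXCERPT = """\
L7_APP_ID NONE 3054 110 4 dump_as_uint
L7_APP_NAME NONE 3054 111 128 dump_as_ascii
SRC_IP_COUNTRY_CODE NONE 3054 120 2 dump_as_ascii
"""

# Widths an unsigned integer dump can sensibly have; anything else is a typo in the file.
UINT_LENGTHS = {1, 2, 4, 8}


@dataclass(frozen=True)
class CustomField:
    name: str
    pen: int          # IANA private enterprise number of the exporter
    element_id: int   # enterprise-specific information element id
    length: int       # field length in bytes inside the IPFIX record
    dump_format: str  # how nProbe renders the value, e.g. dump_as_uint


def parse_custom_fields(text):
    """Return {name: CustomField}; reject malformed, duplicate or inconsistent lines."""
    fields, seen_elements = {}, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"line {lineno}: expected 6 columns, got {len(parts)}")
        name, _, pen, element_id, length, dump_format = parts
        field = CustomField(name, int(pen), int(element_id), int(length), dump_format)
        if not dump_format.startswith("dump_as_"):
            raise ValueError(f"line {lineno}: unknown dump format {dump_format!r}")
        if dump_format == "dump_as_uint" and field.length not in UINT_LENGTHS:
            raise ValueError(f"line {lineno}: {name} is dump_as_uint with length {field.length}")
        if name in fields:
            raise ValueError(f"line {lineno}: duplicate field name {name}")
        if (field.pen, field.element_id) in seen_elements:
            raise ValueError(f"line {lineno}: element ({pen},{element_id}) defined twice")
        seen_elements.add((field.pen, field.element_id))
        fields[name] = field
    return fields


def by_element(fields):
    """Reverse map (PEN, element id) -> name: the lookup a collector does per template record."""
    return {(f.pen, f.element_id): f.name for f in fields.values()}


def template_fields(template):
    """Field names referenced as %NAME in a -T template; @MACRO@ tokens are left to nProbe."""
    return re.findall(r"%([A-Za-z0-9_]+)", template)


def split_template(template, custom):
    """Return (custom_fields_used, other_fields) for a -T template, in template order."""
    names = template_fields(template)
    return ([n for n in names if n in custom], [n for n in names if n not in custom])


if __name__ == "__main__":
    custom = parse_custom_fields(CUSTOM_FIELDS_EXCERPT)
    used, other = split_template("@NTOPNG@ %L7_APP_ID %L7_APP_NAME %SRC_IP_CITY_NAME", custom)
    print("custom IxFlow fields:", used)
    print("not in the custom file (expected to be standard nProbe fields):", other)
    print("decoded as:", by_element(custom))
```

Running the file against the three-line excerpt reports L7_APP_ID and L7_APP_NAME as custom fields and SRC_IP_CITY_NAME as a field that must come from somewhere else (the full configuration file, or nProbe's built-in fields); a definition with an unusual integer width such as 3 bytes is rejected before it reaches nProbe.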

The following example shows a more comprehensive nProbe configuration that loads the configuration file under ../nProbe-opensource/custom_fields/Ixia/ixia_custom_fields.txt, listens for incoming Ixia IPFIX with IxFlow extensions on --collector-port 2056, and writes a series of IxFlow fields, including %L7_APP_ID and %L7_APP_NAME, to text files (-D t) under /tmp (-P /tmp/).

nprobe --load-custom-fields ../nProbe-opensource/custom_fields/Ixia/ixia_custom_fields.txt -i none -n none --collector-port 2056 -T "@NTOPNG@ %L7_APP_ID %L7_APP_NAME %SRC_IP_COUNTRY_CODE %SRC_IP_COUNTRY_NAME %SRC_IP_REGION_CODE %SRC_IP_REGION_NAME %SRC_IP_CITY_NAME %SRC_IP_LATITUDE %SRC_IP_LONGITUDE %DEST_IP_COUNTRY_CODE %DEST_IP_COUNTRY_NAME %DEST_IP_REGION_CODE %DEST_IP_REGION_NAME %DEST_IP_CITY_NAME %DEST_IP_LATITUDE %DEST_IP_LONGITUDE %OS_DEVICE_ID %OS_DEVICE_NAME %BROWSER_ID %BROWSER_NAME %REV_OCTET_DELTA_COUNT %REV_PACKET_DELTA_COUNT %CONNECTION_ENCRYPTION_TYPE" -D t -P /tmp/

This is a text file output by nProbe (x.x and y.y are used to anonymize sensitive data):

L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|L7_APP_ID|L7_APP_NAME|SRC_IP_COUNTRY_CODE|SRC_IP_COUNTRY_NAME|SRC_IP_REGION_CODE|SRC_IP_REGION_NAME|SRC_IP_CITY_NAME|SRC_IP_LATITUDE|SRC_IP_LONGITUDE|DEST_IP_COUNTRY_CODE|DEST_IP_COUNTRY_NAME|DEST_IP_REGION_CODE|DEST_IP_REGION_NAME|DEST_IP_CITY_NAME|DEST_IP_LATITUDE|DEST_IP_LONGITUDE|OS_DEVICE_ID|OS_DEVICE_NAME|BROWSER_ID|BROWSER_NAME|REV_OCTET_DELTA_COUNT|REV_PACKET_DELTA_COUNT|CONNECTION_ENCRYPTION_TYPE
7|1.38.y.y|1.38.y.y|50633|80|::|::|4|6|676|3|0|0|1526982979|1526982979|0|144|facebook|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|3|MacOS|0|Chrome|0|0|Cleartext
7|1.38.y.y|1.38.y.y|80|50633|::|::|4|6|586|3|0|0|1526982979|1526982979|0|144|facebook|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|3|MacOS|0|Chrome|0|0|Cleartext
7|1.38.y.y|1.38.y.y|29194|80|::|::|4|6|664|3|586|3|1526982979|1526982979|0|144|facebook|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|IN|India|MH|Maharashtra|Mumbai|18.xxx|72.xxx|3|MacOS|0|Chrome|0|0|Cleartext
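As an added example (not part of the ntop post or of nProbe), here is a small reader for the pipe-delimited text that nProbe writes with -D t. The header line is the one nProbe produced above; the flow rows are constructed here with RFC 5737 documentation addresses, and the application name "example-mail" and encryption label "TLS" are made up for the sample. It turns each row into a dict keyed by column name, rejects rows whose field count does not match the header (a truncated last line is a common case), and then answers the two questions one usually asks of such an export: bytes per application, and which flows the exporter labelled Cleartext.

```python
"""Parse nProbe's pipe-delimited text output (-D t) carrying IxFlow fields.

Added example (not part of the ntop post or nProbe itself). HEADER is the
header line nProbe produced in the post; the flow rows below are constructed
with RFC 5737 documentation addresses, so nothing here is real traffic.
"""
from datetime import datetime, timezone

HEADER = ("L7_PROTO|IPV4_SRC_ADDR|IPV4_DST_ADDR|L4_SRC_PORT|L4_DST_PORT|IPV6_SRC_ADDR|"
          "IPV6_DST_ADDR|IP_PROTOCOL_VERSION|PROTOCOL|IN_BYTES|IN_PKTS|OUT_BYTES|OUT_PKTS|"
          "FIRST_SWITCHED|LAST_SWITCHED|SRC_VLAN|L7_APP_ID|L7_APP_NAME|SRC_IP_COUNTRY_CODE|"
          "SRC_IP_COUNTRY_NAME|SRC_IP_REGION_CODE|SRC_IP_REGION_NAME|SRC_IP_CITY_NAME|"
          "SRC_IP_LATITUDE|SRC_IP_LONGITUDE|DEST_IP_COUNTRY_CODE|DEST_IP_COUNTRY_NAME|"
          "DEST_IP_REGION_CODE|DEST_IP_REGION_NAME|DEST_IP_CITY_NAME|DEST_IP_LATITUDE|"
          "DEST_IP_LONGITUDE|OS_DEVICE_ID|OS_DEVICE_NAME|BROWSER_ID|BROWSER_NAME|"
          "REV_OCTET_DELTA_COUNT|REV_PACKET_DELTA_COUNT|CONNECTION_ENCRYPTION_TYPE")
COLUMNS = HEADER.split("|")

# Base values for a constructed flow; each sample row overrides a few of them.
_BASE = {c: "0" for c in COLUMNS}
_BASE.update({"IPV6_SRC_ADDR": "::", "IPV6_DST_ADDR": "::", "IP_PROTOCOL_VERSION": "4",
              "PROTOCOL": "6", "SRC_IP_COUNTRY_CODE": "IN", "SRC_IP_COUNTRY_NAME": "India",
              "DEST_IP_COUNTRY_CODE": "US", "DEST_IP_COUNTRY_NAME": "United States",
              "OS_DEVICE_NAME": "MacOS", "BROWSER_NAME": "Chrome",
              "CONNECTION_ENCRYPTION_TYPE": "Cleartext"})


def _row(**overrides):
    """Render one output line in nProbe's column order (constructed sample data)."""
    values = dict(_BASE, **overrides)
    return "|".join(values[c] for c in COLUMNS)


SAMPLE_OUTPUT = "\n".join([
    HEADER,
    _row(L7_PROTO="7", IPV4_SRC_ADDR="192.0.2.10", IPV4_DST_ADDR="198.51.100.5",
         L4_SRC_PORT="50633", L4_DST_PORT="80", IN_BYTES="676", IN_PKTS="3",
         FIRST_SWITCHED="1526982979", LAST_SWITCHED="1526982979",
         L7_APP_ID="144", L7_APP_NAME="facebook"),
    _row(L7_PROTO="7", IPV4_SRC_ADDR="192.0.2.10", IPV4_DST_ADDR="198.51.100.5",
         L4_SRC_PORT="29194", L4_DST_PORT="80", IN_BYTES="664", IN_PKTS="3",
         OUT_BYTES="586", OUT_PKTS="3",
         FIRST_SWITCHED="1526982979", LAST_SWITCHED="1526982981",
         L7_APP_ID="144", L7_APP_NAME="facebook"),
    _row(L7_PROTO="91", IPV4_SRC_ADDR="192.0.2.11", IPV4_DST_ADDR="198.51.100.7",
         L4_SRC_PORT="41022", L4_DST_PORT="443", IN_BYTES="1200", IN_PKTS="9",
         OUT_BYTES="4800", OUT_PKTS="7",
         FIRST_SWITCHED="1526982990", LAST_SWITCHED="1526982995",
         L7_APP_ID="201", L7_APP_NAME="example-mail",   # constructed app name
         CONNECTION_ENCRYPTION_TYPE="TLS"),             # constructed label
    "7|192.0.2.12|198.51.100.5|1234",  # truncated line, e.g. from a collector restart
])


def parse_nprobe_text(text):
    """Turn a -D t file into (records, rejected_lines); the header names the columns.

    Integer-looking values become ints, everything else stays a string, so
    anonymized placeholders such as '18.xxx' in the post's output survive intact."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = lines[0].split("|")
    records, rejected = [], []
    for line in lines[1:]:
        fields = line.split("|")
        if len(fields) != len(columns):
            rejected.append(line)
            continue
        records.append({name: int(v) if v.lstrip("-").isdigit() else v
                        for name, v in zip(columns, fields)})
    return records, rejected


def bytes_per_app(records):
    """Total bytes in both directions per Ixia-reported application name."""
    totals = {}
    for r in records:
        totals[r["L7_APP_NAME"]] = totals.get(r["L7_APP_NAME"], 0) + r["IN_BYTES"] + r["OUT_BYTES"]
    return totals


def cleartext_flows(records):
    """Flows the exporter labelled Cleartext, as (src, dst, dst port, app)."""
    return [(r["IPV4_SRC_ADDR"], r["IPV4_DST_ADDR"], r["L4_DST_PORT"], r["L7_APP_NAME"])
            for r in records if r["CONNECTION_ENCRYPTION_TYPE"] == "Cleartext"]


def flow_start(record):
    """FIRST_SWITCHED is a Unix epoch in this output; render it as UTC."""
    return datetime.fromtimestamp(record["FIRST_SWITCHED"], tz=timezone.utc)


if __name__ == "__main__":
    recs, bad = parse_nprobe_text(SAMPLE_OUTPUT)
    print(f"{len(recs)} flows parsed, {len(bad)} malformed line(s) skipped")
    print("bytes per app:", bytes_per_app(recs))
    for flow in cleartext_flows(recs):
        print("cleartext:", flow)
    print("first flow started", flow_start(recs[0]).isoformat())
```

Keeping non-numeric cells as strings rather than failing is deliberate: the post's own output contains anonymized coordinates like 18.xxx, and a real export can contain empty cells for fields the exporter did not fill. Rows that fail the column-count check are returned rather than silently dropped so that a truncated file is noticed.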

Happy IxFlow parsing!