NICMx / Jool

SIIT and NAT64 for Linux
GNU General Public License v2.0

sessions logs to NETFLOW v9 #421

Open 1223421 opened 3 months ago

1223421 commented 3 months ago

feature request in subj, please

ydahhrk commented 3 months ago

Please elaborate. I've never used Netflow.

1223421 commented 3 months ago

> Please elaborate. I've never used Netflow.
>
> * What is Jool supposed to do?
> * What constitutes a "session log"?
> * Can't you just parse the output of [`stats display --csv`](https://nicmx.github.io/Jool/en/usr-flags-stats.html) and feed it to Netflow?

I need to log all connections... Netflow is the best way. An example for Netflow: https://github.com/aabc/ipt-netflow (natevents). Just like "global update logging-session yes", but to Netflow...

Or maybe you can add a "follow" option for "stats display --csv" to echo all new connections to stdout, like a daemon? Without "follow", fast connections may be lost if I do it with crontab... Like this: `jool session display --csv --numeric --follow | script_for_parse_and_save`

I can do it with "logging-session yes" and `dmesg -w | grep Jool | script_for_parse_and_save`, but this way there is a lot of trash in dmesg.

Thank you, sorry for bad English, I hope you understand me.

ydahhrk commented 6 days ago

Er... I don't know if you're still around, but this seems like a good idea. I don't have time to make something very formal, but I left a simple prototype in the jnetflow branch. Maybe it's all you need.

Assuming you have 4.1.12 installed, here's the installation recipe:

```
git clone https://github.com/NICMx/Jool.git
cd Jool
git checkout jnetflow
./autogen.sh
./configure
make
cd src/usr/jnetflow # No need to install anything else because you already have it
sudo make install
```

Then, once you have Jool running (and assuming its instance name is potato), do

```
$ sudo jool g u ss-enabled true
$ sudo jool g u ss-flush-asap false # Recommended, not actually necessary
$ jnetflow potato
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,57248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,59248
```

(The instance name defaults to "default" as usual.)

For TCP and UDP, the columns are

For ICMP,

Are you sure this is what you want? I feel like what you really want is BIB entries, not session entries.
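A sketch of the `script_for_parse_and_save` step for the `jnetflow` output shown above, added here as an example; it is not part of any comment in this thread or of Jool itself. The column order is an assumption inferred from the sample rows (the thread's own column list is missing), and the function names are hypothetical. It validates each row, collapses repeats of one session, and answers which IPv6 client was behind a translated IPv4 address and port.

```python
import ipaddress
# Assumed column order, inferred from the sample rows (the thread's column list is
# missing); the meaning of the last numeric field is not stated, so it is ignored.
FIELDS = ("src6", "sport6", "dst6", "dport6", "src4", "sport4", "dst4", "dport4")
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # RFC 6052; dst4 is the low 32 bits
SAMPLE = [  # first two rows are from the output above; the third is constructed
    "2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,57248",
    "2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.5,2958,ICMP,58248",
    "2001:db8::5,1634,64:ff9b::c000:205,1634,192.0.2.2,2958,192.0.2.9,2958,ICMP,1",
]

def parse_line(line):
    """Parse one row into a dict; raise ValueError if it is malformed."""
    f = line.strip().split(",")
    if len(f) != 10:
        raise ValueError("expected 10 fields")
    rec = {"proto": f[8], "last": int(f[9])}
    for i, name in enumerate(FIELDS):
        if "port" in name:
            rec[name] = int(f[i])  # port, or ICMP identifier for ICMP rows
            if not 0 <= rec[name] <= 65535:
                raise ValueError("port out of range")
        elif name.endswith("6"):
            rec[name] = ipaddress.IPv6Address(f[i])
        else:
            rec[name] = ipaddress.IPv4Address(f[i])
    if rec["dst6"] in NAT64_PREFIX and (int(rec["dst6"]) & 0xFFFFFFFF) != int(rec["dst4"]):
        raise ValueError("dst6 does not embed dst4")
    return rec

def unique_sessions(lines):
    """Return one record per distinct session tuple, skipping malformed rows."""
    seen, out = set(), []
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # bad rows are dropped, never guessed at
        key = (rec["proto"],) + tuple(rec[n] for n in FIELDS)
        if key not in seen:  # repeats differ only in the last field
            seen.add(key)
            out.append(rec)
    return out

def who_used(records, src4, sport4, proto):
    """Which IPv6 client(s) were translated to src4:sport4 for this protocol?"""
    want = (ipaddress.IPv4Address(src4), sport4, proto)
    return sorted({str(r["src6"]) for r in records
                   if (r["src4"], r["sport4"], r["proto"]) == want})
```

For a long-running pipe, bound or periodically flush the `seen` set and store a receive timestamp with each record, since the rows themselves carry no wall-clock time.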

1223421 commented 6 days ago

> Are you sure this is what you want? I feel like what you really want is BIB entries, not session entries.

Yes, I need sessions.

It works, thank you!