Closed aouinizied closed 4 years ago
Hi!
I looked into the new code and couldn't recognize it, looks like you have done tons of low-level optimizations :)
According to the new API, I haven't found support for some features I need, e.g. TCP-flags. I saw accounting_mode
parameter, but it also is not clear if I can extract packet size and transport payload at the same time.
Do you think it is possible to extend the interface to allow access to arbitrary NFPacket
attributes? For example, the accounting_mode
could be replaced with something like extracted_packet_attributes
that is an iterable with NFPacket
specified attribute names. Thus, it will allow accounting for several raw features at the same time and the end user will have all possible options their might need.
What do you think? BR, Radion
Accounting mode affects only computed statistics (splt and post-mortem), When you have a Plugin he can access the same NFPacket attributes (which are not affected by accounting mode). https://www.nfstream.org/docs/api#nfpacket-object
TCP Flags are still there. And I added delta_time feature to facilitate time based Plugins.
So You have all NFPacket attributes. :)
@RadionBik That's why I think you can upgrade smoothly without even the need to have a Plugin.
I started adapting and noticed that one of the tests fails, since the new version exports one of the flows twice, although the active and passive timeouts remain the same. Is there something I haven't considered or this behaviour cannot be controlled?
@RadionBik what do you mean by "this behavior"?
Below are the raw sequences with the same 5-tuple ('TCP 213.180.204.179:443 192.168.0.105:55194').
As you see, I got 2 exported flows with the same identifier via the latest NFstream. And it is not expected, since the timeouts are set as before. I tested on the following .pcap: https://github.com/RadionBik/ML-based-network-traffic-classifier/blob/master/pcap_files/example.pcap
Now, I checked the IAT values, one of which is 60002 ms that is really close to 60 sec timeout I set. Looks like the previous version did not export the flow when it was necessary :)
After all, I updated flow parsing module with the latest NFstream. The pcap parsing tests on a small pcap runs twice faster now :) I haven't tested it on big ones though.
I pushed the commit to the branch I will merge soon: https://github.com/RadionBik/ML-based-network-traffic-classifier/pull/13
Thank you!
@RadionBik Yes, this is a bug the previous version that I fixed too. With n_meters=0 nfstream automatically scales on available cores on the machine. Did you use the native implementation of SPLT with splt_analysis=N?
@aouinizied yes, I used the native implementation that was complemented with a plugin in case some extended features are needed, see https://github.com/RadionBik/ML-based-network-traffic-classifier/pull/13/commits/7cb137234b0f2059c1b14e4e6252f6942afc78af
@RadionBik There two points:
Maybe in Future I will add TCP window extraction in C. Keep in mind that using a Plugin triggers some mechanism that are not triggered without Plugins and thus implies some speed overhead.
Zied
@aouinizied
tcpflags
attribute in NFPacket that served the purpose well. Now it is gone, and since I have been using dpkt for TCP window extraction, the integer TCP flag field can be get for no additional cost.
Is it possible to upgrade the flow parser to the latest nfstream version?
Pros:
I'm keen to see what is the speed gain of such an upgrade to your overall workflow.
BR, Zied