phaag / nfdump

Netflow processing tools

MQTT IPFIX Exporter #337

Closed philipempl closed 2 years ago

philipempl commented 2 years ago

Hi guys, I am trying to monitor IoT devices, especially those communicating via MQTT. I came across some extensions on Google, e.g., to include layer 7 data like MQTT topics (see https://www.fit.vut.cz/research/publication/12110/), etc. Is there any possibility of running your extensions with nfdump/nfcapd? Sorry for that, but I am pretty new to nfdump. I see the main challenge in adapting to L5-L7 data, as MQTT operates on the application layer. Thanks in advance and best regards, Philip

phaag commented 2 years ago

Hi Philip, As far as I can see the paper proposes this ipfix extension, but I did not find any RFC or any other specification. Furthermore, you need a sensor which is able to detect the MQTT protocol and merges it with ipfix. Then this ipfix stream can be sent to nfcapd. If you have such a device, which sends ipfix with the MQTT extension, I'd happily check for an extension in nfdump. However, such an extension would go into the nfdump unicorn branch - which will become nfdump-1.7.

Another solution would be to adapt nfpcapd - the pcap to netflow daemon. It may directly dissect the MQTT protocol. Maybe you could elaborate a bit more on what exactly you want to do once you have flow records including MQTT information. Collecting data is one point, but processing is another point.

Feel free to add your ideas.

philipempl commented 2 years ago

Hi Peter,

Thanks for your kind reply. First, what kind of RFC have you expected? Standards are always interesting to me. I try to elaborate more on the intended use case in the following. The main idea is to attach a Raspberry Pi to an IoT network (MQTT). The Raspberry Pi acts as a sniffer and captures PCAP/Netflow data. This data is sent to a collector and stored in a database. We then aim to analyze the typical behavior of devices in the network, e.g., access to topics, etc., to identify rogue devices or malicious actors.

However, I am not aware of any devices able to track MQTT IPFIX data. If you have any suggestions on tracking MQTT IPFIX data and sending it to nfcapd, let me know. The second approach sounds more like the case I am looking for. Configuring NetFlow probe/exporters should be the first step in capturing MQTT data. The next step is to allow a collector to read and process the additional data provided.

If you could introduce me to the contributions to this lovely project, I will first try to implement an extension to nfcapd, and second, I will define additional fields for nfdump.
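A sketch of the two steps discussed above, as an added example that is not nfdump, nfpcapd or either poster's code: the dissection an L7-aware probe would have to do to pull topic names out of MQTT packets, followed by the per-device topic baseline comparison that the rogue-device analysis needs. The function names, IP addresses and sample packets are assumptions constructed for the example.

```python
# Added example (not nfdump code); function names and sample bytes are assumed.
def _remaining_length(buf, pos):
    """Decode the MQTT variable-length 'Remaining Length' field (1 to 4 bytes)."""
    value, mult = 0, 1
    for _ in range(4):
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed Remaining Length")

def _utf8(body, i):
    """Read the length-prefixed UTF-8 string at offset i; return (text, next offset)."""
    n = int.from_bytes(body[i:i + 2], "big")
    return body[i + 2:i + 2 + n].decode("utf-8"), i + 2 + n

def parse_mqtt(buf):
    """Return ("PUBLISH", [topic]) or ("SUBSCRIBE", [filters]) for one MQTT 3.1.1 packet."""
    try:
        ptype = buf[0] >> 4
        rem, pos = _remaining_length(buf, 1)
        if pos + rem > len(buf):
            return None  # truncated segment: never trust partial fields
        body = buf[pos:pos + rem]
        if ptype == 3:  # PUBLISH: the topic name leads the variable header
            return "PUBLISH", [_utf8(body, 0)[0]]
        if ptype == 8:  # SUBSCRIBE: packet id, then (topic filter, QoS) pairs
            i, filters = 2, []
            while i < len(body):
                f, i = _utf8(body, i)
                filters.append(f)
                i += 1  # skip the requested-QoS byte
            return "SUBSCRIBE", filters
    except (IndexError, ValueError, UnicodeDecodeError):
        return None  # malformed bytes: report nothing rather than a bad topic
    # any other packet type carries no topic and falls through to None

def unexpected_topics(records, baseline):
    """records: (client_ip, payload) pairs from captured flows; baseline: {ip: set(topics)}."""
    seen = {}
    for ip, payload in records:
        parsed = parse_mqtt(payload)
        if parsed:
            seen.setdefault(ip, set()).update(parsed[1])
    return {ip: extra for ip, t in seen.items() if (extra := t - baseline.get(ip, set()))}

# Constructed samples: a known device publishes to sensors/temp; an unknown one subscribes to "#".
SAMPLES = [("10.0.0.7", b"\x30\x12\x00\x0csensors/temp21.5"),
           ("10.0.0.9", b"\x82\x06\x00\x01\x00\x01#\x00")]
BASELINE = {"10.0.0.7": {"sensors/temp"}}
```

Calling `unexpected_topics(SAMPLES, BASELINE)` flags only the unknown device's wildcard subscription; a real probe would feed it the reassembled TCP payload per flow instead of single packets.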

phaag commented 2 years ago

No further comment from @philipempl. If requested - reopen.