|--config CONFIGURATION_FILE||CONFIGURATION_FILE is the configuration file following the guidelines given in the super_mediator.conf man page. If this option is given, it should be the only command line option given.|
These options control where super_mediator will take its input from. super_mediator can read packets from a file, directory, live on a TCP or UDP port, or by subscribing to Spread group(s) through the Spread daemon. By default, if no input options are given, super_mediator reads an IPFIX file on standard input.
--in INPUT_SPECIFIER INPUT_SPECIFIER is an input specifier. If --ipfix-input is given and set to TCP or UDP, INPUT_SPECIFIER is the hostname or IP Address of the host to listen on. If --ipfix-input is SPREAD, INPUT_SPECIFIER is the daemon name of the Spread daemon to connect to. If the Spread daemon is running on remote host, the remote host or IP should be given in the form daemon_name@hostname. If --watch is given, INPUT_SPECIFIER should be a file glob pattern, which must be escaped or quoted to prevent shell expansion. Files that match this pattern will be processed by the super_mediator. If no other options are given, the super_mediator assumes INPUT_SPECIFIER is an IPFIX file. --ipfix-port PORT If <--ipfix-input> is present, export flows to TCP or UDP on port port. If not present, the default port 18000 is used. --ipfix-input TRANSPORT_PROTOCOL If present, causes super_mediator to operate as an IPFIX collector, listening for connections via the sepecified protocol TRANSPORT_PROTOCOL from a yaf(1) exporter named in the INPUT_SPECIFIER. Valid TRANSPORT_PROTOCOL values are tcp, udp, and spread; spread is only available if super_mediator was built with Spread support. UDP is not recommended, as it is not a reliable transport protocol, and cannot guarantee delivery of messages. If spread is specified, --groups must also be present. --watch POLL_TIME If present, process files that match the pattern given to --in every POLL_TIME seconds. super_mediator will run forever waiting for files that match the pattern. --watch should be used with --move. If --move is not present, files will be deleted after they have been processed. --move PROCESSED_INPUT_DIRECTORY If present, input files will be moved to PROCESSED_INPUT_DIRECTORY after they have been successfully processed. If this is not present with --watch, files will be deleted after they are processed. --lock If present, super_mediator will not read files that are locked, which means they have the extension .lock appended to the end of the filename. This can be used if super_mediator is reading from a yaf(1) export directory and yaf(1) is run with --lock. This will prevent super_mediator from removing the files out from under yaf(1). This does not lock files that the super_mediator is writing to. Use the super_mediator configuration file to enable locking of output files. --groups SPREAD_GROUPS If --ipfix-input is present and set to spread, use --group to specify the the Spread group name(s) to subscribe to. It is possible to list more than one group name in a comma-seperated list. See the Spread Documentation, www.spread.org, for more details on Spread.
These options control where super_mediator will send its output. super_mediator can write flows to an IPFIX file, text file, or to an IPFIX collector over TCP, UDP, or Spread. By default, if no options are given, yaf(1) writes IPFIX to standard out.
--out OUTPUT_SPECIFIER OUTPUT_SPECIFIER is an output specifier. If --output-mode is present, and set to TCP or UDP, the OUTPUT_SPECIFIER specifies the hostname or IP address of the collector to which the flows will be exported. Otherwise, if --output-mode is set to SPREAD, the OUTPUT_SPECIFIER should be the Spread daemon name. If the Spread daemon name is running on a remote host, it should be in the form daemon_name@hostname. If --output-mode is set to TEXT, OUTPUT_SPECIFIER is a filename in which the flows will be written in pipe-delimited format. Otherwise, OUTPUT_SPECIFIER is a filename in which flows will be written in IPFIX Format. The string - may be used to write to standard output (the default). If <--rotate> is present, OUTPUT_SPECIFIER is the prefix name of each output file to write to. super_mediator must be able to make an initial connection to the OUTPUT_SPECIFIER for super_mediator to start. If the connection is lost after the initial connection, super_mediator will immediately retry the connection after reporting a warning message to the log. If the retry is unsuccessful, super_mediator will retry the connection every 15 seconds until the connection is successful. Flows will be lost while the connection is down. --export-port PORT If --output-mode is present and set to TCP or UDP, export flows to port PORT. If not present, the default port 18001 will be used. --output-mode TRANSPORT_PROTOCOL If present, causes super_mediator to operate as an IPFIX or TEXT Exporter, exporting via the specified protocol TRANSPORT_PROTOCOL to a collector (e.g rwflowpack, flowcap) named in the OUTPUT_SPECIFIER. Valid TRANSPORT_PROTOCOL values are tcp, udp, text, and json; spread is only available through the configuration file. UDP is not recommended, as it is not a reliable transport protocol, and cannot guarantee delivery of messages. --udp-temp-timeout TIMEOUT_SECS Set UDP template timeout in seconds if --ipfix is set to udp. As per RFC 5101 recommendations, super_mediator will attempt to export templates three times within TEMPLATE_TIMEOUT. The default template timeout period is 600 seconds (10 minutes). --no-stats If present, super_mediator will not forward yaf(1) process statistics records
or log statistics. It is possible to configure certain exporters to process stats while others ignore stats messages. This must be done with through the super_mediator configuration file.
--sleep MICROSECONDS If present, super_mediator will sleep for MICROSECONDS between each call to fBufAppend, which appends the IPFIX messages to the output source. This is useful if super_mediator is reading an IPFIX file and transmitting IPFIX over UDP. super_mediator may send the messages too quickly for the IPFIX Collector to receive them (possibly dropping messages.) This option is only available with one collector and one exporter when executing super_mediator from the command line. --fields FIELD_LIST If present and --output-mode=TEXT is also present, write only the fields given in FIELD_LIST. FIELD_LIST is a list of integers corresponding to flow fields, separated by a comma. The list of acceptable fields are listed in super_mediator.conf(1) under FIELDS. Only the integer representation of the field is accepted. The below example will print: stime|etime|sip|dip|sport|dport|protocol|applabel for each flow to the file given to --out.
--fields 18,19,0,1,4,5,6,7 --print-headers If present for TEXT Exporters, the super_mediator will write a header for delimited flow data. If files rotate, it will write one header at the top of each flow data file. Ignored for custom field lists.
--log LOG_SPECIFIER Specifies the destination for log messages. LOG_FILE can be a syslog(3) facility name, the special value stderr for standard error, or the absolute path to a file for file logging. The default log specifier is stderr. The log level can be specified by the LOGLEVEL keyword in the Super_mediator configuration file or by using one of the following two options. Default level is WARNING. --log-dir LOG_PATH If present, super_mediator will write log files to LOG_PATH. LOG_PATH must be a complete directory path. The log files have the form
where YYYYMMDD is the current date. The log files are rotated at midnight local time. When the log files are rotated a new log is opened, the previous file is closed, and gzip(1) is invoked on the previous days log file. (Old log files will not be removed by super_mediator.)
--verbose If present, log all messages. The default log level is WARNING. This option will change the log level to DEBUG and log all yaf(1) and super_mediator process statistics, along with any IO operations. --quiet If present, turn off logging completely. super_mediator will not log errors. --daemonize If present, super_mediator will become a daemon. --pidfile PIDFILE_NAME Set the complete path to the file in which super_mediator writes its process ID (pid) when running as a daemon. --pid-file is ignored if --daemon is not present.
--dns-dedup If preset, super_mediator will cache DNS resource records and emit records only when new ones are seen or super_mediator has seen 500 of the same records, by default. DNS de-duplication can be further configured in the super_mediator configuration file.
The following IPFIX fields are exported by the super_mediator. DPI information will be exported in the same format as received by yaf(1), with the exception of the de-duplicated DNS records. Any statistics option messages will also be formatted in the same format as they are received.
Some fields are only exported if they are non-zero and were enabled in yaf. b<super_mediator> exports many variations of the following template. The following list contains all of the possible elements that could exist in the FLOW_ONLY record. Reverse elements are only exported if reversePacketTotalCount or reversePacketDeltaCount is nonzero.
flowStartMilliseconds, IE 152, 8 octets, unsigned flowEndMilliseconds, IE 153, 8 octets, unsigned octetTotalCount, IE 85, 8 octets, unsigned reverseOctetTotalCount Reverse IE 85 (PEN 29305), 8 octets, unsigned packetTotalcount, IE 86, 8 octets, unsigned reversePacketTotalcount, Reverse IE 86 (PEN 29305), 8 octets, unsigned octetDeltaCount, IE 1, 8 octets, unsigned reverseOctetDeltaCount, reverse IE 1 (PEN 29305), 8 octets, unsigned packetDeltaCount, IE 2, 8 octets, unsigned reversePacketDeltaCount, reverse IE 2 (PEN 29305), 8 octets, unsigned sourceIPv6Address, IE 27, 16 octets, unsigned destinationIPv6Address, IE 28, 16 octets, unsigned sourceIPv4Address, IE 8, 4 octets, unsigned destinationIPv4Address, IE 12, 4 octets, unsigned sourceTransportPort, IE 7, 2 octets, unsigned destinationTransportPort, IE 11, 2 octets, unsigned flowAttributes, CERT (PEN 6871) IE 40, 2 octets, unsigned reverseFlowAttributes, CERT (PEN 6871) IE 16424, 2 octets, unsigned protocolIdentifier, IE 4, 1 octet, unsigned flowEndReason, IE 136, 1 octet, unsigned silkAppLabel, CERT (PEN 6871) IE 33, 2 octets, unsigned reverseFlowDeltaMilliseconds, CERT (PEN 6871) IE 21, 4 octets, unsigned tcpSequenceNumber, IE 184, 4 octets, unsigned reverseTcpSequenceNumber, Reverse IE 184 (PEN 29305), 4 octets, unsigned initialTCPFlags, CERT (PEN 6871) IE 14, 1 octet, unsigned unionTCPFlags, CERT (PEN 6871) IE 15, 1 octet, unsigned reverseInitialTCPFlags, CERT (PEN 6871) IE 16398, 1 octet, unsigned reverseUnionTCPFlags, CERT (PEN 6871) IE 16399, 1 octet, unsigned vlanId, IE 58, 2 octets, unsigned reverseVlanId, Reverse IE 58 (PEN 29305), 2 octets, unsigned ipClassOfService, IE 5, 1 octet, unsigned reverseIpClassOfService, Reverse IE 15 (PEN 29305), 1 octet, unsigned mplsTopLabelStackSection, IE 70, 3 octets, unsigned mplsLabelStackSection2, IE 71, 3 octets, unsigned mplsLabelStackSection3, IE 72, 3 octets, unsigned observationDomainId, IE 149, 4 octets, unsigned The observation domain ID of the yaf(1) process that generated the flow. subTemplateMultiList, IE 293, Variable Length
DNS De-duplicated Record
flowStartMilliseconds, IE 152, 8 octets, unsigned The time in milliseconds of when the DNS resource record was first seen. flowEndMilliseconds, IE 153, 8 octets, unsigned The time in milliseconds of the last record seen by the B<super_mediator>. This is only exported if the B<super_mediator> is configured to LAST_SEEN. sourceIPv4Address, IE 8, 4 octets, unsigned The IPv4 Address found in a DNS A Record. dnsTTL, CERT (PEN 6871) IE 199, 4 octets, unsigned The maximum TTL seen for the aggregated DNS records. This is only exported if the B<super_mediator> is configured to LAST_SEEN. dnsQRType, CERT (PEN 6871) IE 175, 2 octets, unsigned The type of Resource Record. This corresponds with the QTYPE filed in the DNS Question Section or the TYP field in the DNS Resource Record Section. dnsHitCount, CERT (PEN 6871) IE 228, 2 octets, unsigned The number of times the B<super_mediator> saw this record in the FLUSH TIMEOUT period. This is only exported if the B<super_mediator> is configured to LAST_SEEN. dnsQName, CERT (PEN 6871) IE 179, variable length A DNS Response Name. This field corresponds with the NAME field in the DNS Resource Record Section. dnsRName, CERT (PEN 6871) IE 228, variable length A DNS Resource Record Data Element. This field corresponds with the RDATA in the DNS Resource Record Section. For CNAME records, this will be the canonical name. For NS Records, this will be the name server name. For AAAA records, this will be an IPv6 Address, etc.
To run super_mediator with the configuration file:
super_mediator -c /usr/local/etc/super_mediator.conf
To read a yaf(1) file and write delimited text to stdout:
super_mediator -i yaffile.yaf -o - -m text
To listen for connections from yaf(1) via TCP and write to rotating text files:
super_mediator -i localhost --ipfix-port 18000 --ipfix-input TCP --out /tmp/mediator --rotate 120 --log /tmp/mediator.log -v
To listen for connections from yaf(1) via UDP and send output to a rwflowpack process running on TCP port 18001:
super_mediator -p 18000 --ipfix-input UDP -o localhost -m TCP --export-port 18001
To only print the time and 5-tuple for each flow to stdout:
super_mediator -i /myyaffile.yaf -o - -m TEXT --fields=18,19,0,1,4,5,6
super_mediator requires libfixbuf 1.7.0 or later.
super_mediator will not create new file directories. All output directories must exist before you start super_mediator.
yaf presently encodes the ICMP type and code information into the destinationTransportPort information element for ICMP and ICMP6 flows. super_mediator running in TEXT output mode writes the type in the sourceTransportPort field and the ICMP code in the destinationTransportPort field.
Emily Sarneso and the CERT Network Situational Awareness Group Engineering Team <http://www.cert.org/netsa>. Bug reports and feature requests may be sent via email to <firstname.lastname@example.org>.
yaf(1), Spread Documentation at www.spread.org, and the following IETF Internet RFCs: Specification of the IPFIX Protocol for Exchange of IP Traffic Flow Information RFC 5101, Information Model for IP Flow Information Export RFC 5102, Export of Structured Data in RFC 6313.