Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages

Manual Reference Pages  -  PACKLOGIC-GENERIC (3)

.ds Aq ’

NAME - Packing logic for the generic site



 rwflowpack ...


This manual page describes the plug-in that defines the packing logic that rwflowpack(8) may use to categorize flow records. (This document uses the term plug-in, but the builder of SiLK may choose to compile the packing logic into rwflowpack. See the SiLK Installation Handbook for details.)

    General Overview of rwflowpack

The primary job of rwflowpack is to categorize flow records into one or more class and type pairs. The class and type pair (also called a flowtype) are used by the analyst when selecting flow records from the data store using rwfilter(1).

The settings that rwflowpack uses to categorize each flow record are determined by two textual configuration files and a compiled plug-in that is referred to as the packing logic.

The first of the configuration files is silk.conf(5) which specifies the classes, types, and sensors that rwflowpack uses when writing files and that rwfilter uses when selecting flow files.

The second configuration file is the sensor.conf(5) file. This file contains multiple sensor blocks, where each block contains information which the packing logic uses to categorize flow records collected by the probes specified for that sensor.

The combination of a silk.conf file and a particular packing logic plug-in define a site. By having the configuration and packing logic outside of the core tools, users can more easily configure SiLK for their particular installation and a single installation of SiLK can support multiple sites.

This manual page describes the packing logic for the generic site. For a description of the packing logic at another site, see that site’s manual page.
o packlogic-twoway(3)

    Networks, Classes, and Types for the ‘‘generic’’ Site

The plug-in uses three network names to describe the logical address spaces that border the sensor:
internal the space that is being monitored
external the space outside the monitored network
null the destination network for a flow that does not leave the router, because either the flow was blocked by the router’s access control list or its destination was the router itself---e.g., a BGP message
The generic site assumes that all packets are either blocked by the sensor (that is, their destination is the null network), or that the packets cross the sensor so the source and destination networks always differ.

The packing logic also assumes that the above networks completely describe the space around the sensor. Since the null network is strictly a destination network, any flow that does not originate from the external network must originate from the internal network.

This allows the generic site to categorizes a flow record primarily by comparing a flow record’s source to the external network, and the packing logic contains no comparisons to the internal network

The silk.conf file and plug-in define a single class, all.

The type assigned to a flow record within the all class is one of:
in, inweb Records whose source is the external network and whose destination is not the null network represent incoming traffic. The traffic is split into multiple types, and these types allow the analysts to query a subset of the flow records depending on their needs. Each incoming flow record is split into the one of incoming types using the following rules:
inweb Contains traffic where the protocol is TCP \fIs0(6) and either the source port or the destination port is one of 80, 443, or 8080
in Contains all other incoming traffic.
out, outweb Records whose source is not the external network and whose destination is not the null network represent outgoing traffic. The traffic is split among the types using rules similar to those for incoming traffic.
innull Records whose source is the external network and whose destination is the null network represent blocked incoming traffic.
outnull Records whose source is not the external network and whose destination is the null network represent blocked outgoing traffic.

    Assigning a flow to source and destination networks

Since the generic site uses the external network to determine a flow record’s type, each sensor block in the sensor.conf(5) file must specify a definition for the external network.

The sensor.conf file provides two ways to define a network: use the NET-ipblocks statement to specify the NET network as a list of IP address blocks, or use the NET-interfaces statement to specify the NET network using a list of SNMP interfaces.

For the source network of a flow record to be considered external, either the source IP (SiLK field sIP) must appear in the list of external-ipblocks or the incoming SNMP interface (SiLK field in) must appear in the list of external-interfaces. Note: If the probe block that specifies where the flow was collected contains an interface-values vlan statement, the SiLK in field contains the VLAN ID.

For the destination network of a flow record to be considered null, either the destination IP (dIP) must appear in the list of null-ipblocks or the outgoing SNMP interface (out) must appear in the list of null-interfaces.

Consider the following two sensors:

 sensor S2
   ipfix-probes S2
 end sensor

 sensor S3
   ipfix-probes S3
   external-interfaces 17,18,19
   internal-interfaces 21,22,23
 end sensor

A flow record collected at probe S2 whose sIP is is considered incoming, regardless of the destination IP.

A flow record collected at probe S3 whose in is 27 is considered outgoing. (Since in does not match the external-interfaces, the record is considered outgoing even though in does not match the internal-interfaces either.)

There are two constructs in the sensor.conf file that help when specifying these lists:
1. The NET-interfaces or NET-ipblocks statement in a sensor block may use remainder to denote interfaces or IP blocks that do not appear elsewhere in the block.
2. A group block can be used to give a name to a set of IP blocks or SNMP interfaces which a sensor block can reference.
For details, see the sensor.conf(5) manual page.

    Valid sensors

When using the plug-in, the sensor blocks in the sensor.conf file supports the following types of probes:
o ipfix
o netflow-v5
o netflow-v9
In addition, each sensor block must meet the following rules:
o Either external-interfaces or external-ipblocks must be specified. And,
o A sensor cannot mix NET-ipblocks and NET-interfaces, with the exception that null-interfaces are always allowed. And,
o Only one network on the sensor may use remainder. And,
o If a sensor contains only one NET-ipblocks statement, that statement may not use remainder. (The NET-interfaces statement does not have this restriction.)

    Packing logic code

This section provides the logic used to assign the class and type at the generic site.

A single sensor block will assign the flow record to a single class and type, and processing of the flow for that sensor block stops as soon as a type is assigned. When multiple sensor blocks reference the same probe, the flow records collected by that probe are processed by each of those sensor blocks.

A flow record is always assigned to the class all.

A textual description of the code used to assign the type is shown here. As of SiLK 3.8.0, the type may be determined by the presence of certain IPFIX or NetFlowV9 information elements.
o If sIP matches external-ipblocks or in matches external-interfaces, then
o If dIP matches null-ipblocks or out matches null-interfaces, pack as innull. Else,
o Pack as in or inweb.
o If dIP matches null-ipblocks or out matches null-interfaces, pack as outnull. Else,
o Pack as out or outweb.
o Potentially modify the type: If the probe has a quirks setting that includes firewall-event and if the incoming record contains the firewallEvent or NF_F_FW_EVENT information element whose value is 3 (flow denied), change the type where the flow is packed as follows:
o If the flow was denied due to an ingress ACL (NF_F_FW_EXT_EVENT of 1001), pack as innull.
o If the flow was denied due to an egress ACL (NF_F_FW_EXT_EVENT of 1002), pack as outnull.
o If the flow’s current type is innull, in, or inweb, pack as innull.
o If the flow’s current type is outnull, out, or outweb, pack as outnull.


rwfilter(1), rwflowpack(8), sensor.conf(5), silk.conf(5), packlogic-twoway(3), silk(7), SiLK Installation Handbook
Search for    or go to Top of page |  Section 3 |  Main Index


Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.