This is VERMONT - VERsatile MONitoring Tool.
IPFIX/PSAMP probe
Released under GPL2, no guarantees, no warranty


REQUIREMENTS

Decent and recent gcc compiler w/ C++ support (there are some gcc-isms)
libpcap
*nix (Linux and recent FreeBSD preferred, other untested)


INSTALLATION

You have to create a configure script first. This can be done with the
script build-configure.sh. You need to install the autotools in order to
create the configure script.
I used aclocal-1.7.9, autoconf-2.60 and automake-1.7.9 to create the script.
Other versions might work as well, but aren't tested yet.

After you created the configure script run

$ ./configure
$ make

There are some configure switches that you should now about:

--with-ipheader-offset=ARG

You need to adjust the value according to the network that you want to
monitor. The default value is 14 for ethernet devices. Other common values
are 4 (BSD loop back device) and 18 (Ethernet von VLAN)

--enable-netflow-v9

Enables NetFlow v9 support (turned on by default)

--enable-dprint

Enables the DPRINT message system in VERMONT. Turned off by default

--enable-db

Enables support for DBWriter and DBReader (turned off by default)


CONFIGURATION

The configuration of VERMONT is now based on XML. Configuration files must 
conform with the XML Schema ipfix-config-schema.xsd. Though, there are 
additional restrictions.
See file CONFIGURATION for more information.


SAMPLER

Does packet sampling, reads raw packet data from an interface, put them thru
a filtering mechanism and finally export matching packets to an PSAMP/IPFIX 
collector.


CONCENTRATOR

Reads IPFIX/Netflow data from socket, aggregates data for certain flows, 
exports this data again via IPFIX.


THE HOOK

You can configure VERMONT to inject SAMPLER's captured packets into the
CONCENTRATOR for aggregation and export. Config option is in section main,
value packets.


DB READER/WRITER
New subsystems within the concentrator that allow reading from and writing
to a MySQL database.


NOTES ON MONITORING PORTS

Some switches add an additional field VLAN with size 4Bytes.
So you have to adjust the pcap_expression (pcap_filter) to "vlan and ip".
Futhermore, the Packet::IPHeaderOffset has to adjusted to 18. This can be
done via the configure script. Run configure with

configure --with-ipheader-offset=18 


NOTES ON THREADS

When threads are to be exited, their real exit is waited for using 
pthread_join().
This may lock for a while because I/O from sockets etc. is done in blocking
mode, so when no packet arrives, the thread will block in read().
You may want to rewrite the Thread class to do a pthread_detach() instread and
grep for further occurences of pthread_join().


NOTES ON SOCKET RECEIVE BUFFER
If incoming IPFIX traffic is bursty, increasing the socket receive buffer
reduces packet losses.
System calls for Linux with proc file system:
$ cat /proc/sys/net/core/rmem_default
$ cat /proc/sys/net/core/rmem_max
Write new value X (in bytes):
$ sysctl -w net/core/rmem_default=X
$ sysctl -w net/core/rmem_max=X


APPENDIX

faster Linux MMAP()ed PCAP: http://public.lanl.gov/cpw/