MQTT IPFIX Template? #590
Comments
|
Hi Philip, Thanks for reaching out. Let me ask you, are you looking for "own extensions" for IPFIX collection or for IPFIX export (i ask because you mentioned softflowd and that boils to IPFIX export). For collection, totally: Paolo |
|
Hi Paolo, thanks for your kind answer and your advices. Actually I am searching for open source netflow (IPFIX) exporter allowing the definition and extraction of specific fields out of pcap files or network interfaces. Thanks and best regards, |
|
Hi Philip, If you can bring some examples, we can see whether that is feasible or there is a gap - and whether the gap looks solvable or not. The more detailed the example, the better. Feel free to reach out by unicast email if there is sensible data. Paolo |
|
Hi Paolo, I try to be as concrete as possible. The data is not sensible but not that significant as fields may change or be missing. The main idea is to monitor MQTT traffic in IoT networks and analyze whether people access resources they aren't allowed to. The first milestone in my research involves the following PDF from a Czech university: https://www.fit.vut.cz/research/publication-file/12110/IPFIX%20Extension%20for%20MQTT.pdf The authors propose extensions for IPFIX to monitor MQTT network traffic successfully. These fields are also exciting, but I would also like to assess the MQTT topic messages. The following snippet shows an MQTT packet sent from a Zigbee coordinator in our internal IoT lab.
This packet does not currently exhibit all interesting fields, but I would like to extend the header in the next step, e.g., adding correlation IDs for request/response, etc. I hope to find a solution that allows the configuration of a NetFlow (IPFIX) exporter to include these details as MQTT is not happening on the IP or transport layer but more on the application of the ISO/OSI stack. I suggest enriching flows by MQTT data to make IoT monitoring more efficient. Is this feasible with pmacct? Philip |
|
Hi Philip, Thanks for the extra details. None of this exists right now in pmacct and i understand that your final wanted scenario is a long shot for the current status quo: that is, not only grab MQTT data here and there in a standalone fashion but also, in future, potentially save / cache IDs to correlate request/response messages, etc. I can leave this Issue open and mark it as Enhancement. Maybe somebody is also interested and/or can volunteer / help out to do (some of) the work. Can you yourself dedicate any resources to development of such a feature? Paolo |
|
Hi Paolo, Thank you for the conversation and the enhancement tag. If I would like to modify the exporter of pmacct, which file should I touch? This should be the first step if I have the resources available or if someone is interested in enhancing pmacct with MQTT capabilities. Have a nice evening! |
|
Hi Philip, I think there are 3 phases in this process. Collect info, store it in a meta-data format inside pmacct (so that it can be exported, surely, but it could be potentially accounted for in other plugins) and export it as IPFIX. In super brief: phase-1: in let's say we focus on pmacctd, the libpcap-based daemon. Packets with MQTT data are made available by the library; in phase-2: Having the playground set, you should cherry-pick what is of interest and transform it in meta-data. You can follow how this is done for phase-3: perhaps the most easy part, templates for MQTT data should be crafted and exported & meta-data pieces should be cherry-picked and framed in IPFIX format for export. This all happens in Paolo |
Hi guys,
i am trying to monitor IoT devices especially communicating via MQTT. I came across some extensions on Google, e.g., to include layer 7 data like topics etc. Is there any possibility to run your own extensions with pmacct? Sorry for that but I am pretty new to pmacct as I started with softflowd.
Thanks in advance and best regards
Philip
The text was updated successfully, but these errors were encountered: