How to export IPFIX flow data records with DPI


By Tobias Roeder
Published on: 15.11.2022


IP Flow Information Export (IPFIX), also popularly referred to as NetFlow v10, is the IETF's open standard for logging and exporting traffic information (the protocol is specified in RFC 7011, the information model in RFC 7012). It allows existing network devices such as routers or network gateways to gather and report traffic information from different parts of the network, delivering flow visibility and insights into traffic behavior. Building on Cisco's NetFlow v9, IPFIX adds a number of major enhancements: the set of standard reporting fields, the information elements (IEs), was extended to 279, and the IANA-maintained IPFIX registry has kept growing since; variable-length fields were introduced to cater for data such as URLs; vendors can define enterprise-specific IEs under their own private enterprise number without touching the standard; and exporters and collectors from different vendors interoperate.

Breaking away from the restrictions of proprietary traffic flow monitoring protocols for broad-based monitoring, IPFIX allows network operators to configure agent devices such as routers, switches and firewalls to automatically sample, stamp, calculate, organize, and export traffic information to third-party IPFIX collectors and analyzers. With pre-configured templates, IPFIX delivers a built-in mechanism for collecting and organizing traffic data in any part of the network without requiring a dedicated monitoring infrastructure.

IPFIX is essentially a flow-based monitoring mechanism that builds its traffic intelligence from metadata extracted from packet headers. As packets (or, on busy links, a sample of them) are observed, the IPFIX-enabled device groups them into flows and accumulates the flow attributes. Flow-based monitoring differs significantly from technologies that analyze the complete packet, payload included. Take Deep Packet Inspection (DPI) for example. Advanced DPI tools, such as R&S®PACE 2, inspect all packets in a flow and perform traffic identification using a mix of advanced statistical, behavioral and heuristic as well as machine learning and deep learning analyses. R&S®PACE 2 allows operators to classify packets by type of protocol, application and service, delivering packet-level insights into traffic flows. Without advanced DPI, the insight an IPFIX exporter can provide is limited to layer 3 and layer 4 data: source and destination addresses, port numbers, the IP protocol, packet sizes, data volumes and packet counts.

Increasing overheads and complexities

With different visibility needs across different use cases, networks often combine a number of traffic monitoring mechanisms. As these mechanisms evolve to cover more reporting points and variables, and as traffic volumes grow, reporting overlaps become more apparent and add network overhead. Activating network equipment or a server as an IPFIX agent device, for example, requires lengthy configuration and integration with IPFIX collectors and analyzers. Similarly, incorporating DPI capabilities into the network requires the deployment of stand-alone DPI equipment or DPI-enabled network packet brokers and IP probes, and the integration of these devices into the relevant ecosystem.

Multiple reporting layers can also result in analysis discrepancies and gaps. A network performance monitoring tool connecting to an IPFIX collector receives flow information that has been aggregated and cached by the exporter, and on high-speed links it is frequently derived from a random sample of the packets in each reported flow rather than from all of them. The same tool, tapping into DPI insights, may receive a different picture based on real-time traffic intelligence that includes every packet. Similarly, a network tool that only accepts IPFIX-based inputs, for example an intrusion prevention system, has no access to the real-time threat identification a DPI tool on the same network has already produced. With different tools relying on different analyses, the network operates in information silos and may arrive at conflicting conclusions and policies.

Bridging the gap using the flow data exporter plug-in of the R&S®PACE 2 DPI engine

Recognizing the need to address this fragmentation, ipoque recently launched the R&S flow data exporter plug-in. As an extension to our OEM DPI engine R&S®PACE 2, the plug-in links DPI deployments to existing IPFIX monitoring systems. It translates the engine's classification results into IPFIX-encoded messages via configurable payload callbacks, which also emit the IPFIX template updates a collector needs before it can decode the data records that reference them. These callbacks can feed TCP, UDP, SCTP and TLS-encrypted sockets, handle export statistics, and write to file handlers. The translated messages are exported to third-party IPFIX collectors using customizable IPv4 and IPv6 templates, so operators can choose exactly which IEs to export to fit their existing IPFIX reporting structure. One deployment caveat: plain UDP or TCP export carries the records without authentication or confidentiality, and the records now include application and threat verdicts, so the TLS transport (RFC 7011 specifies TLS, and DTLS for UDP, for exactly this reason) or at minimum a dedicated management network between exporter and collector is the appropriate choice.
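
The following is an added illustration, not code from the plug-in or from ipoque, of what the translation described above produces on the wire: an IPFIX message (RFC 7011) with a template set that mixes standard IANA information elements with a variable-length, enterprise-specific IE carrying the DPI application verdict, followed by a data set that uses it, and a parser that decodes the result while rejecting truncated or template-less input. The private enterprise number, the vendor IE ID and the flow record are placeholders; a real exporter would use its vendor's registered PEN and its own IE definitions.

```python
"""Hand-rolled IPFIX (RFC 7011) encoder/decoder: message header, template set,
data set, variable-length field and an enterprise-specific IE for a DPI label.
Added illustration; not ipoque/R&S code."""
import struct
import ipaddress

# Standard IANA information elements: name -> (element id, fixed length in bytes)
IANA_IES = {
    "sourceIPv4Address": (8, 4), "destinationIPv4Address": (12, 4),
    "sourceTransportPort": (7, 2), "destinationTransportPort": (11, 2),
    "protocolIdentifier": (4, 1), "octetDeltaCount": (1, 8), "packetDeltaCount": (2, 8),
}
VARLEN = 0xFFFF        # field length meaning "variable length" (RFC 7011 section 7)
EXAMPLE_PEN = 99999    # ASSUMPTION: placeholder private enterprise number
TEMPLATE_ID = 256      # data-set IDs start at 256

# Template definition: (name, element id, length, enterprise number or None)
FIELDS = [(n, *IANA_IES[n], None) for n in IANA_IES] + [
    ("applicationName", 1, VARLEN, EXAMPLE_PEN),   # hypothetical vendor IE for the DPI verdict
]
NAME_BY_KEY = {(ie, pen): (name, ln) for name, ie, ln, pen in FIELDS}

def encode_value(length, value):
    if length == VARLEN:                       # 1-byte length, or 0xFF + 2-byte length
        raw = value.encode()
        prefix = bytes([len(raw)]) if len(raw) < 255 else b"\xff" + struct.pack("!H", len(raw))
        return prefix + raw
    if isinstance(value, str):                 # dotted IPv4 address
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")

def decode_value(name, length, raw):
    if name.endswith("IPv4Address"):
        return str(ipaddress.IPv4Address(raw))
    return raw.decode() if length == VARLEN else int.from_bytes(raw, "big")

def template_set(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    for _n, ie, ln, pen in fields:             # enterprise bit (0x8000) + PEN for vendor IEs
        body += struct.pack("!HH", ie, ln) if pen is None else struct.pack("!HHI", ie | 0x8000, ln, pen)
    return struct.pack("!HH", 2, 4 + len(body)) + body       # set id 2 = template set

def data_set(template_id, fields, records):
    body = b"".join(encode_value(ln, rec[n]) for rec in records for n, _ie, ln, _pen in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def message(sets, export_time=1668470400, sequence=0, observation_domain=1):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, sequence, observation_domain) + body

def parse(data):
    """Decode one message; raise on malformed input instead of trusting the sender."""
    version, length, *_ = struct.unpack_from("!HHIII", data, 0)
    if version != 10 or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    templates, records, pos = {}, [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", data, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        end, p = pos + set_len, pos + 4
        if set_id == 2:                                       # template set
            while end - p >= 4:
                tid, count = struct.unpack_from("!HH", data, p); p += 4
                if tid < 256:                                 # zero padding, not a template
                    break
                spec = []
                for _ in range(count):
                    ie, ln = struct.unpack_from("!HH", data, p); p += 4
                    pen = None
                    if ie & 0x8000:
                        ie &= 0x7FFF
                        (pen,) = struct.unpack_from("!I", data, p); p += 4
                    spec.append((ie, ln, pen))
                templates[tid] = spec
        elif set_id >= 256:                                   # data set
            spec = templates.get(set_id)
            if spec is None:
                raise ValueError(f"data set {set_id} arrived before its template")
            min_len = sum(1 if ln == VARLEN else ln for _ie, ln, _pen in spec)
            while min_len and end - p >= min_len:             # stop at trailing padding
                rec = {}
                for ie, ln, pen in spec:
                    n = ln
                    if ln == VARLEN:
                        if p >= end:
                            raise ValueError("truncated record")
                        n = data[p]; p += 1
                        if n == 255:
                            (n,) = struct.unpack_from("!H", data, p); p += 2
                    if p + n > end:
                        raise ValueError("record runs past its set")
                    rec[(ie, pen)] = data[p:p + n]; p += n
                records.append(rec)
        pos = end
    return templates, records

def decode_record(rec):
    return {NAME_BY_KEY[k][0]: decode_value(*NAME_BY_KEY[k], raw) for k, raw in rec.items()}

def is_well_formed(data):
    try:
        parse(data)
        return True
    except (ValueError, struct.error, IndexError):
        return False

# Constructed flow record: L3/L4 counters plus the DPI verdict the plug-in would add
SAMPLE_FLOW = {
    "sourceIPv4Address": "192.0.2.10", "destinationIPv4Address": "198.51.100.7",
    "sourceTransportPort": 51234, "destinationTransportPort": 443, "protocolIdentifier": 6,
    "octetDeltaCount": 183_412, "packetDeltaCount": 212, "applicationName": "tls/video-streaming",
}

def export_and_parse(flow):
    msg = message([template_set(TEMPLATE_ID, FIELDS), data_set(TEMPLATE_ID, FIELDS, [flow])])
    _templates, recs = parse(msg)
    return msg, [decode_record(r) for r in recs]

if __name__ == "__main__":
    wire, flows = export_and_parse(SAMPLE_FLOW)
    print(len(wire), "bytes on the wire;", flows[0])
```

Two details matter in practice. The template set is sent in the same message as the first data set here; over UDP the exporter must resend templates periodically, because a collector that restarts has no way to decode data sets whose template it never saw, and the parser above refuses them rather than guessing. The length checks in `parse` are the minimum a collector listening on a UDP port should do, since any host able to reach that port can send it a message.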

Image 1: DPI data translated by ipoque’s flow data exporter plug-in is accessed on highly customizable dashboards provided by IPFIX collectors
Image 2: Granular traffic information by DPI enriches IPFIX reporting with deep application-level insights

Advanced insights into network threats

The integration of DPI outputs into IPFIX-based analytics gives network security tools that rely on IPFIX analyses access to the threat detection capabilities of DPI. Our DPI engine R&S®PACE 2 provides real-time identification of traffic that is malicious, suspicious or anomalous, including encrypted traffic, which it classifies through the statistical, behavioral and machine learning analyses described above rather than by decrypting it. This allows threats hidden in flows that are encrypted, anonymized or obfuscated to be identified before they traverse further into the network. With the plug-in, IPFIX collectors gathering traffic logs from IPFIX agents can enrich their analysis with security insights from R&S®PACE 2. The enriched analysis can then be used to power application-based firewalls, advanced threat protection and detection systems, antivirus and content filtering solutions, allowing timely detection and mitigation of threats such as DDoS, malware and viruses.
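
As an added illustration of the kind of policy a security tool could apply once flow records carry a DPI verdict (this is not code from the plug-in or from ipoque, and the "protocol/application" label format, the label vocabulary, the port expectations and the DNS threshold are all assumptions), the checks below flag anonymizer traffic, protocols that do not belong on the port they use, and DNS flows that are too large to be lookups:

```python
"""Policy checks over IPFIX records enriched with a DPI application verdict.
Added illustration; record layout, labels and thresholds are assumptions,
not the plug-in's own output."""

# ASSUMPTION: the DPI verdict is exported as "<protocol>/<application>"
ANONYMIZERS = {"tor", "openvpn", "wireguard", "shadowsocks"}
# Protocols a destination port is expected to carry; anything else is worth a look
EXPECTED_ON_PORT = {443: {"tls", "quic"}, 53: {"dns"}, 22: {"ssh"}}
DNS_BYTES_LIMIT = 50_000        # ASSUMPTION: per-flow DNS volume that suggests a tunnel
ACTION = {"anonymizer": "block", "port-protocol-mismatch": "inspect", "dns-volume": "alert"}

def check_flow(rec):
    """Return (finding, action, detail) tuples for one enriched flow record."""
    proto, _, app = rec["applicationName"].partition("/")
    dport = rec["destinationTransportPort"]
    findings = []
    if proto in ANONYMIZERS or app in ANONYMIZERS:
        findings.append(("anonymizer", rec["applicationName"]))
    expected = EXPECTED_ON_PORT.get(dport)
    if expected and proto not in expected:       # e.g. SSH or VPN hidden on 443
        findings.append(("port-protocol-mismatch", f"{proto} on port {dport}"))
    if proto == "dns" and rec["octetDeltaCount"] > DNS_BYTES_LIMIT:
        findings.append(("dns-volume", f"{rec['octetDeltaCount']} bytes in one flow"))
    return [(kind, ACTION[kind], detail) for kind, detail in findings]

def evaluate(records):
    """Flatten findings across records, keyed by the flow's endpoints."""
    return [(r["sourceIPv4Address"], r["destinationIPv4Address"]) + f
            for r in records for f in check_flow(r)]

# Constructed records in the shape a collector would hand to an analysis tool
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.9",
     "destinationTransportPort": 443, "octetDeltaCount": 2_400_000, "applicationName": "tls/video-streaming"},
    {"sourceIPv4Address": "10.0.0.7", "destinationIPv4Address": "198.51.100.21",
     "destinationTransportPort": 443, "octetDeltaCount": 88_000, "applicationName": "openvpn/openvpn"},
    {"sourceIPv4Address": "10.0.0.9", "destinationIPv4Address": "192.0.2.53",
     "destinationTransportPort": 53, "octetDeltaCount": 240_000, "applicationName": "dns/dns"},
    {"sourceIPv4Address": "10.0.0.11", "destinationIPv4Address": "203.0.113.77",
     "destinationTransportPort": 443, "octetDeltaCount": 9_000, "applicationName": "ssh/ssh"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_RECORDS):
        print(hit)
```

None of these findings is derivable from layer 3 and layer 4 fields alone: a port-443 flow looks the same to a plain exporter whether it carries TLS, OpenVPN or SSH, which is the gap the enriched records close.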

Identify root issues

The translation of DPI information logs into IPFIX records paves the way for better network performance management. While DPI inputs are used actively to feed traffic management functions such as routing, content caching and compression, IPFIX analyses are most often used passively to determine network performance in terms of throughput, jitter, bandwidth consumption, round-trip time and latency. With the plug-in, DPI inputs can now enrich those IPFIX analyses. The protocol, application and service awareness provided by DPI software is very valuable in uncovering the traffic flows responsible for congestion or overuse of network resources. The impact of video traffic or mobile gaming, and incidents such as illegal tethering, on network performance can be established using the traffic classification and metadata analysis provided by DPI software. Given that DPI traffic information is delivered in real time, network performance monitoring tools consuming IPFIX analyses infused with DPI data get to information on network degradation and quality of service impairments faster.

Visibility into application traffic

The flow data exporter plug-in can greatly enhance network analytics. Leveraging ipoque’s advanced DPI library boasting thousands of applications, protocols and service types, IPFIX collectors and analyzers have access to granular insights on traffic flows covering a wide range of cloud and SaaS applications. This provides fine-grained traffic intelligence that is greatly beneficial in planning network capacity, managing peak-hour traffic and congestion, establishing granular security policies, engaging subscribers and users, and improving service quality. The plug-in comes with a low memory footprint and provides a lean implementation that can greatly augment the analytical capabilities of any IP network without eating into network capacity.

IPFIX provides a pervasive, lightweight mechanism to capture traffic information and delivers an off-the-shelf, vendor-agnostic model for monitoring networks. Deep packet inspection, in the meantime, provides application and threat awareness for managing burgeoning traffic from third-party applications often delivered via complex, cloud-based distributed networks and which are susceptible to various performance and network issues. By combining DPI’s advanced insights with the flexibility of IPFIX, the flow data exporter plug-in provides network operators with a powerful network intelligence layer that combines the best of both worlds.

To learn more, download our R&S®PACE 2 flow data exporter plug-in data sheet.


Tobias Roeder


Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.
