Core Plugin
Netify DPI - Core Processor
The Netify Core Processor is a free and open-source plugin for the Netify Agent. The processor ingests network traffic and transforms it into metadata.
This data can be sent to one or more of the output plugins available in Netify: Log, Socket, and Message Queue.
Prerequisites
- How It Works
- Installing Netifyd
- Network Interface Configuration or Packet Capture Files
# Sample flow metadata from core processor
...
"detected_protocol_name": "HTTPS",
"detected_application_name": "netify.whatsapp",
"ssl": {
    "alpn": [
        "h2",
        "http/1.1"
    ],
    "alpn_server": [],
    "version": "0x0303",
    "cipher_suite": "0xc02b",
    "client_sni": "static.whatsapp.net",
    "server_cn": "*.whatsapp.net",
    "client_ja3": "d8c87b9bfde38897979e4124262...",
    "server_ja3": "6e15a5bf660856fa03186247ca4...",
    "issuer_dn": "C=US, O=DigiCert Inc, OU=www...",
    "subject_dn": "C=US, ST=California, L=Menlo..."
},
... and many more ...
Installation
The Core Plugin is installed as a separate package. Please see the Installing Netifyd documentation for details specific to your operating system.
Configuration
To enable the Core Plugin, please make sure the enable parameter in /etc/netifyd/plugins.d/10-netify-proc-core.conf is set to yes.
# /etc/netifyd/plugins.d/10-netify-proc-core.conf
[proc-core]
enable = yes
...
Next, we must configure an output plugin to send the metadata somewhere! The configuration below is an example that sends data out through the Socket Plugin, to both the local Unix socket and the TCP socket on port 1750. Typically, you would only configure one of these options.
# /etc/netifyd/netify-proc-core.json
{
    "format": "json",
    "compressor": "none",
    "sinks": {
        "sink-socket": {
            "default": {
                "enable": true,
                "types": [ "stream-flows", "stream-stats" ]
            },
            "tcp": {
                "enable": true,
                "types": [ "stream-flows", "stream-stats" ]
            }
        },
        "sink-mqtt": {
            "flows": {
                "enable": false,
                "types": [ "stream-flows" ]
            },
            "stats": {
                "enable": false,
                "types": [ "stream-stats" ]
            }
        }
    }
}
What data can you stream to the socket? There are two types of processors: stream-flows and stream-stats.
As soon as a flow is identified, the stream-flows type provides details on detected flows: applications, protocols, ports, etc.
The stream-stats type provides bandwidth statistics and key performance indicators for detected flows every 15 seconds (configurable).
You can find more information on the metadata formats in the flow data format documentation.
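A consumer for stream-flows records might triage the TLS fields shown in the sample flow metadata above. The sketch below is an added example, not Netify's own code. It assumes one JSON object per line carrying those fields, and its function names and finding labels are illustrative.

```python
import json

MIN_TLS = 0x0303  # TLS 1.2 as the floor; DTLS version numbers are not handled
# Constructed records (not captured traffic); assumes one JSON object per line.
SAMPLE = """\
{"detected_protocol_name": "HTTPS", "detected_application_name": "netify.whatsapp", "ssl": {"version": "0x0303", "cipher_suite": "0xc02b", "client_sni": "static.whatsapp.net", "server_cn": "*.whatsapp.net"}}
{"detected_protocol_name": "HTTPS", "detected_application_name": "example.legacy", "ssl": {"version": "0x0301", "cipher_suite": "0x002f", "client_sni": "intranet.example.test", "server_cn": "intranet.example.test"}}
{"detected_protocol_name": "HTTPS", "detected_application_name": "example.mismatch", "ssl": {"version": "0x0303", "cipher_suite": "0xc02b", "client_sni": "login.example.test", "server_cn": "*.other.example"}}
{"detected_protocol_name": "DNS", "detected_application_name": "example.dns"}
"""

def cn_matches(sni, cn):
    """Compare an SNI to a certificate CN; '*.' covers exactly one label."""
    sni, cn = sni.lower().rstrip("."), cn.lower().rstrip(".")
    if cn.startswith("*."):
        head, _, tail = sni.partition(".")
        return bool(head) and tail == cn[2:]
    return sni == cn

def review_flow(flow):
    """Return findings for one flow record; non-TLS flows yield none."""
    ssl, findings = flow.get("ssl") or {}, []
    raw = ssl.get("version")
    if raw is not None:
        try:
            if int(raw, 16) < MIN_TLS:
                findings.append("legacy-tls-version")
        except (TypeError, ValueError):
            findings.append("unparseable-tls-version")
    sni, cn = ssl.get("client_sni"), ssl.get("server_cn")
    # A mismatch is a lead, not proof: SANs are absent from the sample fields.
    if sni and cn and not cn_matches(sni, cn):
        findings.append("sni-cn-mismatch")
    return findings

def review_stream(lines):
    results = []
    for line in lines:
        try:
            flow = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated record
        findings = review_flow(flow) if isinstance(flow, dict) else []
        if findings:
            results.append((flow.get("detected_application_name"), findings))
    return results

if __name__ == "__main__":
    print(*review_stream(SAMPLE.splitlines()), sep="\n")
```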