Netify - Data Stream Socket

The Netify Agent handles the deep packet inspection and analysis, but how do you interact with the data available from the agent? You can either use one of the high-speed plugins (IP Sets, CT Labels, Stats) or the data stream described in this document.

Data via Socket Interface

Netifyd's Agent Socket Interface (TCP/IP and UNIX sockets) provides near real-time agent status and flow/DPI detection data via JSON encoded payloads. In CentOS, Debian, and Ubuntu, the default UNIX socket file is /var/run/netifyd/netifyd.sock (other platforms may have the socket file in a different location).

For information about the format and data available in the streams, you can skip to the Data Streams documentation. If you would like to interact with the data in a live environment, read on!

{
  "type": "flow_purge",
  "flow": {
    "digest": "178bf5650a79d5e8ddc6a988d0c02b3d799180d0",
    "last_seen_at": 1606232131756,
    "local_bytes": 2434,
    "local_packets": 21,
    "other_bytes": 6139,
    "other_packets": 16,
    "total_bytes": 8573,
    "total_packets": 37
  },
  "reason": "terminate",
  ... snip ...
}

Not all platforms have Netify's Agent Socket Interface enabled by default. Check your /etc/netifyd.conf file for the following lines and restart the daemon if changes are made.

[socket]
listen_path[0] = /var/run/netifyd/netifyd.sock

Getting Started with Live Data Streams

If you haven't already done so, please start with the getting started introduction for instructions on how to get an environment with the Netify Agent up and running. Once ready, we can use some shell tools to connect to netifyd and display the JSON encoded payloads. First, we need to install the shell utilities:

Linux     Command
CentOS    yum install sudo jq bc netcat
Debian    apt-get update; apt-get install sudo jq bc netcat-openbsd
Ubuntu    apt-get update; apt-get install sudo jq bc netcat

Open a second terminal on a system with netifyd installed. In the first terminal, run the netifyd command to start processing either a PCAP capture file (instructions) or live network data. In the second terminal, run the following to connect to the JSON data stream and view formatted output:

sudo nc -U /var/run/netifyd/netifyd.sock | jq . -C

You should see a stream of JSON data similar to the following:

{
  "agent_version": 3.06,
  "build_version": "Netify Agent/3.06 (... features ...) nDPI/2.9.0 JSON/1.90",
  "json_version": 1.9,
  "type": "agent_hello"
}

Third Party Tools

We'll get to the details of the Data Stream Format in the next step. With a JSON-encoded data stream, it's possible to develop Netify-aware tools in any programming language:

  • Python
  • C/C++
  • Rust
  • etc.

The netifyd data stream is also available over a TCP/IP socket (see man netifyd.conf to enable this feature). This makes it possible to run the Netify Agent detection on a dedicated network probe and run your Netify-enabled application on a different server host.
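
A Python consumer for the stream, added here as an example (it is not Netify's code). It decodes back-to-back JSON values the way `jq .` does, copes with a payload split across two reads, and caps buffered data. StreamDecoder, summarize, watch, MAX_BUFFER and SAMPLE are names chosen for this example, and SAMPLE is constructed from the payloads shown on this page.

```python
import codecs
import json
import socket

SOCK_PATH = "/var/run/netifyd/netifyd.sock"  # default UNIX socket path given on this page
MAX_BUFFER = 1 << 20  # assumption: cap on undecoded text so a bad peer cannot exhaust memory
# Constructed sample: two payloads modelled on the ones shown on this page.
SAMPLE = (b'{"agent_version": 3.06, "json_version": 1.9, "type": "agent_hello"}\n'
          b'{"type": "flow_purge", "reason": "terminate", "flow": {"digest": '
          b'"178bf5650a79d5e8ddc6a988d0c02b3d799180d0", "total_bytes": 8573}}\n')

class StreamDecoder:
    """Incrementally decode back-to-back JSON values, the way `jq .` reads the stream."""
    def __init__(self):
        self._buf = ""
        self._utf8 = codecs.getincrementaldecoder("utf-8")(errors="replace")

    def feed(self, chunk):
        """Add raw bytes from recv(); return the JSON values that are now complete."""
        buf, out = self._buf + self._utf8.decode(chunk), []
        while buf := buf.lstrip():
            try:
                obj, end = json.JSONDecoder().raw_decode(buf)
            except json.JSONDecodeError:
                if len(buf) > MAX_BUFFER:
                    raise ValueError("undecodable data exceeds MAX_BUFFER")
                break  # payload split across reads: keep it and wait for more bytes
            out.append(obj)
            buf = buf[end:]
        self._buf = buf
        return out

def summarize(payloads):
    """Return (agent_version, {flow digest: total_bytes}) for decoded payloads."""
    version, purged = None, {}
    for p in (p for p in payloads if isinstance(p, dict)):
        if p.get("type") == "agent_hello":
            version = p.get("agent_version")
        elif p.get("type") == "flow_purge":
            flow = p.get("flow", {})
            purged[flow.get("digest")] = flow.get("total_bytes")
    return version, purged

def watch(path=SOCK_PATH):
    """Connect to the agent socket and print each decoded payload as it arrives."""
    decoder = StreamDecoder()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        while chunk := sock.recv(65536):
            for payload in decoder.feed(chunk):
                print(json.dumps(payload, indent=2))
```

Call watch() on a host running netifyd, with the same privileges used for the nc command above; summarize(StreamDecoder().feed(SAMPLE)) exercises the decoder offline.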

Netify Integrations

With the Netify JSON network stream, you can develop and create your own integrations: open source, proprietary, in-house... it's up to you. We have also built plugins and addons to help with getting started with firewalls/QoS and local reporting:

Next Steps

Now that you have been able to interact with the Netify Agent data stream, it's time to review what kind of network metadata is available in the stream. You can find more information in the Data Streams Documentation.

Evaluate Netify DPI

Do you want to get started with evaluating Netify DPI? Request the Integrators Kit today.
