Netify DPI - Socket Plugin

The Netify Agent handles the deep packet inspection and analysis, but how do you interact with the data available from the agent? The Socket Plugin provides a standard TCP/IP and Unix socket that can be used to view stats and DPI metadata in JSON format.


Installation

The Socket Plugin is installed as a separate package. Please see the installing Netifyd documentation for details for your particular operating system.

Configuration

To enable the Socket Plugin, please make sure the enable parameter in /etc/netifyd/plugins.d/10-netify-sink-socket.conf is set to yes.

# /etc/netifyd/plugins.d/10-netify-sink-socket.conf 

[sink-socket]
enable = yes
...

Data via Socket Interface

Netifyd's Agent Socket Interface (TCP/IP and UNIX sockets) provides near real-time agent status and flow/DPI detection data via JSON encoded payloads. In CentOS, Debian, and Ubuntu, the default UNIX socket file is /var/run/netifyd/netifyd.sock. Other Linux platforms may have the socket file in a different location.

For information about the format and data available in the streams, you can skip to the flow data format documentation. If you would like to interact with the data in a live environment, read on!

"type": "flow_purge"
  "flow": {
    "digest": "178bf5650a79d5e8ddc6a988d0c02b3d799180d0",
    "last_seen_at": 1606232131756,
    "local_bytes": 2434,
    "local_packets": 21,
    "other_bytes": 6139,
    "other_packets": 16,
    "total_bytes": 8573,
    "total_packets": 37
  },
  "reason": "terminate",
  ... snip ...

Getting Started with Live Data Streams

If you haven't already done so, please start with the installation guide for instructions on how to get an environment with the Netify Agent up and running. Once ready, we can use some shell tools to connect to netifyd and display the JSON encoded payloads. First, we need to install the shell utilities:

Linux    Command
CentOS   yum install sudo jq bc netcat
Debian   apt-get update; apt-get install sudo jq bc netcat-openbsd
Ubuntu   apt-get update; apt-get install sudo jq bc netcat

Open up a separate terminal on a system with netifyd installed. On the first terminal, run the netifyd command to start processing either a PCAP capture file (instructions) or live network data (instructions). On the second terminal, run the following to connect to the JSON data stream and view formatted output:

sudo nc -U /var/run/netifyd/netifyd.sock | jq . -C

You should see a stream of JSON data similar to the following:

{
  "agent_version": 3.06,
  "build_version": "Netify Agent/3.06 (... features ...) nDPI/2.9.0 JSON/1.90",
  "json_version": 1.9,
  "type": "agent_hello"
}

The flow data format documentation provides details on the DPI data available in Netify.
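As an added example (not code from the Netify project or from this page), here is a small Python consumer for the socket stream described above: it reassembles JSON messages from the raw socket bytes, caps the size of a single message, and totals the bytes of purged flows per purge reason. Newline framing of the payloads, the socket_chunks helper and the sample payloads are assumptions; the samples are constructed from the fields shown on this page.

```python
import json
import socket
from collections import defaultdict
from typing import Iterable, Iterator

SOCKET_PATH = "/var/run/netifyd/netifyd.sock"  # default UNIX socket path given in the documentation
MAX_MESSAGE_BYTES = 1 << 20  # cap a single message so a stream without newlines cannot exhaust memory


def iter_messages(chunks: Iterable[bytes]) -> Iterator[dict]:
    # Reassemble newline-delimited JSON objects from arbitrary byte chunks.
    # Newline framing is an assumption about the stream, not something the page states.
    buf = b""
    for chunk in chunks:
        buf += chunk
        while (nl := buf.find(b"\n")) >= 0:
            line, buf = buf[:nl], buf[nl + 1:]
            if line.strip():
                yield json.loads(line)
        if len(buf) > MAX_MESSAGE_BYTES:
            raise ValueError("message exceeds size cap without a terminating newline")


def socket_chunks(path: str = SOCKET_PATH) -> Iterator[bytes]:
    # Read raw bytes from the netifyd UNIX socket until the agent closes it (assumed helper).
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        while data := s.recv(65536):
            yield data


def summarize(chunks: Iterable[bytes]) -> tuple:
    # Return (agent_version, total_bytes of purged flows per purge reason).
    agent_version, bytes_by_reason = None, defaultdict(int)
    for msg in iter_messages(chunks):
        if msg.get("type") == "agent_hello":
            agent_version = msg.get("agent_version")
        elif msg.get("type") == "flow_purge":
            flow_bytes = int(msg.get("flow", {}).get("total_bytes", 0))
            bytes_by_reason[msg.get("reason", "unknown")] += flow_bytes
    return agent_version, dict(bytes_by_reason)


# Constructed sample payloads built from the fields shown on this page; the second
# message is deliberately split across two chunks to exercise reassembly.
SAMPLE_STREAM = [
    b'{"agent_version": 3.06, "json_version": 1.9, "type": "agent_hello"}\n{"type": "flow_pur',
    b'ge", "flow": {"digest": "178bf5650a79d5e8ddc6a988d0c02b3d799180d0", "total_bytes": 8573},'
    b' "reason": "terminate"}\n',
]
```

Run summarize(SAMPLE_STREAM) to try it offline; against a running agent, summarize(socket_chunks()) reads from the UNIX socket until netifyd closes the connection.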

Third Party Tools

With a JSON-encoded data stream, it's possible to develop Netify-aware tools in any programming language:

  • Python
  • C/C++
  • Rust
  • etc.

You can develop and create your own integrations: open source, proprietary, in-house... it's up to you.

In addition, it's also important to remember that the netifyd data stream is available over a TCP/IP socket (see man netifyd.conf to enable this feature). This makes it possible to run the Netify Agent detection on a dedicated network probe, but then run your Netify-enabled application on a different server host.

If you need to aggregate flow data from multiple agents, consider using the Message Queue plugin.

Further Reading

  • Processors
  • Outputs
