Command Line Interface (CLI)

Netify Daemon Status

To view the current status of the Netify agent, execute:

sudo netifyd -s

The following can be helpful during troubleshooting:

  • Agent is running / PID - Indicates whether the Netify DPI agent is running. If it was not stopped by the user, a stopped agent could indicate a configuration problem.
  • Agent UUID - A unique identifier used during provisioning and API calls.
  • API Updates - If not enabled, the agent will never communicate with any Netify cloud service. If you are using Netify Informatics, this must show as enabled.
  • API Application/Category Updates - Indicates whether the agent is able to receive continuous signature updates.
  • Active Flows - If zero, this could indicate an issue with the interface configuration.
  • Maximum Memory Usage - Provides insight into how much RAM is used under the heaviest load.
  • Interface [Mode -> Capture Method] - Helps identify issues with your network interface packet capture configuration.
  • Apps: NNNN, Domains: NNNN - If the number of apps is over 1500, you are using the commercial lists; otherwise, it is a sign that the open source signature list is in use.
  • Persistent State Path - A reminder of where the configuration files and supporting folders are located.
  • Volatile State Path - A reminder of where runtime data and file sockets are written.

Application, Protocol and Category Lists

Applications and categories are determined using a set of signature and configuration files at run time. In contrast, protocols are compiled in at the agent's build time. The number of applications available to the Netify agent is determined by the type of signature list you are using. OEM integrators and Netify Informatics subscribers have access to the commercial signature files and should see well over 1500 application definitions. The open source list is restricted to 200 of the top-ranking applications. The application signature file is found in:

/etc/netifyd/netify-apps.conf

The corresponding categories filename is:

/etc/netifyd/netify-categories.conf

Applications

Applications in Netify are imported at run time through the use of the Netify Application Signature file.

netifyd --dump-apps
    0: Unknown
    1: FTP/C
    2: POP3
    3: SMTP
    4: IMAP
    ...
    ..
    .

Protocols

Protocols are compiled into the agent at build time rather than loaded at run time. New and updated protocols are added in updated versions of the Netify agent.

netifyd --dump-protos
    0: Unknown
    1: FTP/C
    2: POP3
    3: SMTP
    4: IMAP
    ...
    ..
    .

Categories

Both applications and protocols are grouped into categories.

netifyd --dump-categories
    1: application: adult
    2: application: advertiser
    3: application: business
    4: application: cdn
    ...
    ..
    .
    1: protocol: authentication
    2: protocol: database
    3: protocol: file-server
    4: protocol: file-sharing
    ...
    ..
    .

Analysing a Packet Capture File

The Netify Agent can be used to perform offline analysis of a packet capture file, regardless of the system architecture it was taken from or the bitrate at which it was captured.

Real-Time Analysis

To playback a packet capture through the Netify agent in real-time, run:

sudo netifyd -d -v -t -r -I /path/to/pcap

Simultaneously, open another shell and capture the output that will now be sent to the file socket, located at /var/run/netifyd/netifyd.sock:

sudo netcat -U /var/run/netifyd/netifyd.sock | jq

You should see a stream of JSON data similar to the following:

{
  "flow": {
    "category": {
      "application": 27,
      "domain": 0,
      "network": 0,
      "protocol": 18
    },
    "detected_application": 10033,
    "detected_application_name": "netify.netify",
    "detected_protocol": 196,
    "detected_protocol_name": "HTTP/S",
    ...
    ..
    .
}

For more information on the types of data objects, review the documentation on the Core Plugin Data Output Format.
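As an added example, not from the Netify documentation, the following Python script replaces the netcat | jq pipeline above with a consumer that reads the sink socket and counts flows by detected protocol and application. It assumes the socket emits concatenated JSON objects (pretty-printed or one per line); the sample chunks are constructed and modelled on the output shown above.

```python
import json
import socket
from collections import Counter

SOCK_PATH = "/var/run/netifyd/netifyd.sock"  # sink socket path from the docs


def iter_json_objects(chunks):
    """Yield each top-level JSON object from a stream of text chunks.
    raw_decode copes with both pretty-printed and newline-delimited
    objects; an object split across chunks is buffered until complete."""
    decoder = json.JSONDecoder()
    buf = ""
    for chunk in chunks:
        buf += chunk
        while True:
            buf = buf.lstrip()
            if not buf:
                break
            try:
                obj, end = decoder.raw_decode(buf)
            except json.JSONDecodeError:
                break  # incomplete object: wait for the next chunk
            yield obj
            buf = buf[end:]


def summarize_flows(objects):
    """Count flow objects by 'protocol/application'; non-flow objects
    (e.g. agent status records) are skipped."""
    counts = Counter()
    for obj in objects:
        flow = obj.get("flow")
        if not isinstance(flow, dict):
            continue
        key = "{}/{}".format(flow.get("detected_protocol_name", "?"),
                             flow.get("detected_application_name", "?"))
        counts[key] += 1
    return counts


def summarize_socket(path=SOCK_PATH):
    """Connect to the agent's sink socket and summarize until it closes."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        with s.makefile("r", encoding="utf-8") as f:
            return summarize_flows(iter_json_objects(iter(lambda: f.read(4096), "")))


# Constructed sample stream, deliberately split in the middle of an object.
SAMPLE_CHUNKS = [
    '{"flow": {"category": {"application": 27, "protocol": 18},\n'
    '  "detected_application": 10033, "detected_application_name": "netify.netify",\n',
    '  "detected_protocol": 196, "detected_protocol_name": "HTTP/S"}}\n'
    '{"flow": {"detected_application_name": "netify.netify", "detected_protocol_name": "HTTP/S"}}\n'
    '{"type": "agent_status", "flows": 2}\n',
    '{"flow": {"detected_application_name": "unknown", "detected_protocol_name": "DNS"}}',
]

if __name__ == "__main__":
    for key, n in summarize_flows(iter_json_objects(SAMPLE_CHUNKS)).most_common():
        print(n, key)
```

Run it as root while netifyd is replaying a capture (with summarize_socket() in place of the sample) to get the same per-protocol tally for a live stream.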

Fast Analysis

The -r flag forces Netify to analyze packets with the same timing at which they were captured. For example, a 35 minute packet capture will take just over 35 minutes to process.

To change this behaviour, remove the -r flag. Netify will then process your packet capture as fast as it can, constrained only by the resources of your system.

sudo netifyd -d -v -t -I /path/to/pcap

Delayed Start

There are times when a delayed capture start is desirable. The most common case occurs when you are trying to capture the output through the sink processor. The socket cannot be connected to until the analysis is underway, which makes it difficult to capture the output from the beginning of the packet capture.

To solve this case, add the --capture-delay 5 argument, where 5 can be any positive integer and represents the time to wait, in seconds, before analysing a capture file.

sudo netifyd --capture-delay 5 -d -v -t -I /path/to/pcap

Ignoring Interfaces

If you are using your agent to capture packets from the interfaces in real-time, but then want to use the same agent to analyze a packet capture file, it can be advantageous to temporarily disable the agent from listening on interfaces that would otherwise pollute the output.

To solve this case, add the --ignore-interface-configs argument.

sudo netifyd --ignore-interface-configs -d -v -t -I /path/to/pcap

Running the Agent in Debug Mode

When troubleshooting, it can be helpful to run the Netify agent in debug mode. This is especially true if you are preparing a support email, as this information can be extremely helpful in finding a solution to your problem. To run in debug mode, stop any existing daemon that may be running, then execute Netify's executable with the -d argument.

sudo systemctl stop netifyd
sudo netifyd -d
