v4.15.0

Changes from v4.11.1

Improvements

• Fragmentation cache added.
• process/wg: Removed check for transport data length divisibility by 16.
• Enhanced DPDK memory pool creation using device socket ID.
• QUIC: Expanded flow detail extraction.
• Updated default packet queue burst size to 64 (consistent with input defaults).
• Workers CPU affinity improvements.
• Prefetch optimizations for better performance.
• IPv6: Improved header parsing and extension handling.
• DPDK: Timestamp read from hardware metadata when available.

New Features

Input Plugins:

• NDP: Support for custom packet header timestamps.
• DPDK: Added MTU size configuration and telemetry support.

Output Plugins:

• IPFIX: Introduced LZ4 compression support.
• IPFIX: Added non-blocking TCP socket option.

Telemetry:

• Introduced AppFS telemetry.
• Updated telemetry documentation in README.

Plugins:

• MQTT: Support for v3.1.1 protocol.
• TLS Extensions: Enhanced features for detailed analysis.

Bugfixes

• Fixed discrepancies in IPT PHIST features.
• Resolved issues with TCP options parsing.
• Corrected WireGuard byte order in IPFIX output.
• Addressed inconsistencies in IPv6 header parsing.
• Fixed RSS configuration in DPDK.
• Resolved DPDK queue size issues and packet parsing checks.

Documentation

• Introduced Jekyll-based documentation framework.
• Updated README with new telemetry features and examples.
• Minor fixes and revisions to improve clarity and navigation on the webpage.

Miscellaneous

• Added Docker container for processing PCAPs to CSVs.

Full Changelog: v4.11.1...v4.15.0

v4.11.1

Change from v4.11.0:

• fixed build on OpenWrt

Brief list of changes from v4.9.0:

Improvements:

• IPFIX: propose new variable (cmd line option) to set ipfix template refresh rate
• DPDK: improvement of config and init script
• Flow cache: improve hashing to incorporate VLAN info
• statistics: improved monitoring capability, added additional statistics

New plugins:

• GRE: add new plugin to export GRE tunnel information
• VLAN: add new plugin to export VLAN information
• NetTiSA: Add new NetTisa process plugin, see https://arxiv.org/abs/2310.05530
• OVPN: Improvements (Added RTP header validation function, Improve detection)
• HTTP: Add parsing HTTP response headers server and set-cookie names
• ICMP: Add new ICMP process plugin to export ICMP information
• Flow Hash: add new plugin to export Flow Hash field

BUGFIXES:

• templates and byte encoding (HTTP)
• QUIC: bugfixes and checks

v4.9.0

Changes in v4.9.0

Brief list of changes from v4.7.1:

• flow cache: add VLAN ID to the flow key
• ovpn: enhanced algorithm to minimize false positives
• SSADetector: add new plugin to detect possible SYN-SYNACK-ACK sequence to detect VPN within exiting connection
• Support parsing of IPv6 mobility header
• pstats: Improve Input & Output pugin stats
• pstats: bugfix of recognition of zero length packets
• optimization: do not export some additional info for short flows
• tls: fix buffer overflow error (causes crashing)
• tls: Support TLS v1.3
• tls: Support of extracting TLS version from handshake extension
• rpm hotfix: disable automatic setting of hardening flags
• DPDK: bugfix of HW timestamps
• DPDK: compliance, different constant names
• DPDK: bugfixes
• DPDK: changed RSS setting to use IP only
• DPDK: allow running as a secondary DPDK process, reading from mring
• DPDK: allow reading from multiple port of the network interface
• init/service: improved config & service to set lcores

v4.7.1

Changes in v4.7.1

• http: Removed trailing '\r' from HTTP exported fields
• tcp: fixed seq&ack tracking
• dpdk: reworked plugin
• slightly improved doc/help

v4.6.1

Compared to v4.6.0, this version contains only build-related fixes for OpenWrt compilation.

v4.6.0

Brief list of changes:
* Refactoring and fixes of QUIC plugin
* Zero-copy packet processing
* Update of xxhash code
* Remove std::future feature for workers terminations

v4.5.0

Brief list of changes:

• FIXED variable-length IE IPFIX export (quic, http, tls)
• FEATURE QUIC: Export of new information elements in QUIC plugin
• FIXED wrong export reason

v4.4.0

Brief list of changes:

• improved performance by replacing std::stringstream by std::string (due to global lock)
• improved WireGuard confidence
• fixed QUIC plugin
• fixed uninitialised variable
• fixed UniRec flow duplication
• cleanup IPFIX elements and fixed their duplicates (compatibility of some elements with flowmon exporter)
• added DLT_RAW link-layer of libpcap

v4.0.0

The ipfixprobe flow exporter is used to process packets of the high-speed network traffic to create aggregated information about ongoing traffic. The output of ipfixprobe are IP flows represented in the standard IPFIX format, thus the tool is compatible with common monitoring and detection systems. To receive packets from the network card, ipfixprobe supports libpcap and DPDK technologies and is also compatible with COMBO accelerator cards developed by CESNET. This makes it possible to monitor high-speed traffic at speeds of up to around 170Gb/s. The ipfixprobe architecture is modular and contains a number of plugins that extend common IPFIX data information. More advanced packet sequence statistics allow the use of machine learning methods to classify network traffic, including encrypted communication.