pmacct [IP traffic accounting : BGP : BMP : RPKI : IGP : Streaming Telemetry] pmacct is Copyright (C) 2003-2024 by Paolo Lucente The keys used are: !: fixed/modified feature, -: deleted feature, +: new feature 1.7.9 -- 01-08-2024 + pmtelemetryd: gRPC data collection functionalities were added to the daemon. https://github.com/scuzzilla/mdt-dialout-collector is the library linked to add the functions required to collect data via gRPC dialout. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution, along with the ninja support of Marc Sune ( @msune ). + BMP daemon: HA support introduced: in order to add redundancy at data collection, let multiple collectors to establish indentical BMP session, while only one is sending data to the backend. Thanks to Zhuoyao Lin ( @Zephyre777 ) and Leonardo Rodoni ( @rodonile ) for this contribution. + nfacctd: developed a more robust and streamlined NetFlow v9/ IPFIX template handling framework based on libcdada structures, hence dropping the previous ad-hoc home-grown memory structures. + nfacctd: introduced support for sampling rate calculation based on IANA entities IE309 (samplingSize), IE310 (samplingPopulation), which are being exported in IPFIX sampling options for a random-n- out-of-N sampler. Also, support for 16-bit and 32-bit selectorID is added as well. Thanks to Leonardo Rodoni ( @rodonile ) for this contribution. + nfacctd: extended the support of IE130 (exporterIPv4Address) and IE131 (exporterIPv6Address) for when this info is contained in data packets. Thanks to Leonardo Rodoni ( @rodonile ) for this contribution. + nfacctd: added nfacctd_ignore_exporter_address config knob to not honour IE130 (exporterIPv4Address), IE131 (exporterIPv6Address) and use the socket address instead. + nfacctd: improved support for Route Distinguisher (RD): added the case where the RD information has finer-grained scope in Option packets; also RD in IPFIX Options can now be used for correlating data against BGP/BMP. Finally priority of supplied RD info is streamlined as: RD in flow_to_rd.map > RD in IPFIX/NFv9 data packet > RD in IPFIX/NFv9 option packets. Thanks to Leonardo Rodoni ( @rodonile ) for these contributions. + nfacctd: added IEs 44 (sourceIPv4Prefix), 170 (sourceIPv6Prefix), 45 (destinationIPv4Prefix), and 169 (destinationIPv6Prefix) to flow heuristics. + nfacctd: as part of src_mac, dst_mac primitives, added support for IEs 365 (staMacAddress) and 366 (staIPv4Address). + nfacctd: introduced support for IE497 (srhSegmentIPv6ListSection), The SRv6 Segment List as defined in Section 2 of [RFC8754] as a series of octets in IPFIX. Also added Path Delay measurements PathDelay{Mean,Min,Max,Sum}DeltaUsecs. + nfacctd: tunnel primitives (tunnel_src_host, tunnel_dst_host, tunnel_proto, tunnel_tos, tunnel_src_port, tunnel_dst_port and tunnel_tcpflags) were linked to SRv6 code. Also, in this context, support for repeating IEs has been added. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. + nfacctd: extended IE89 (forwardingStatus) support to be 2 or 4 bytes long. Also introduced support for IE31 (flowLabelIPv6). Thanks to Uwe Storbeck ( @ustorbeck ) for these contributions. + nfacctd: a new primitive 'nvgre' is defined representing the Tenant Network Identifier (TNI) for NVGRE L2 tunnels, which is encoded in IANA IE351 (layer2SegmentId) with MSB 0x02. Thanks to Leonardo Rodoni ( @rodonile ) for this contribution. + sfacctd: added support for accounting for ARP packets via a new aggregate_unknown_etype config knob. + nfacctd, sfacctd, pmacctd: added new 'in_cvlan' and 'out_cvlan' primitives. It identifies the VLAN to which the frame belongs to when it is transmitted in the customer network. + BGP daemon: added support for "Only to Customer" OTC attribute, RFC9234. + BGP daemon: extend MP nexthop length to support 48 bytes to fit the BGP VPNv6 nexthop length. Thanks to @FRIDM636 for this contribution. + BGP daemon: as specified by RFC8950, routers cannot advertise IPv4 or VPNV4 routes with an IPv6 next hop without an extra capability advertisement (Extended Next Hop Encoding). This has been added so that the daemon can reply with this capability to the remote peer. Thanks to Leonardo Rodoni ( @rodonile ) for this contribution. + BGP, BMP daemons: Two new configuration keys are introduced: bgp_comms_encode_as_array and as_path_encode_as_array to allow to specify that BGP communities and AS_PATH are encoded as an array in JSON or AVRO encodings. + BMP daemon: a new bmp_dump_exclude_stats config knob has been added: if enabled, BMP Stats messages are not going to be cached and thus not being included in the regular dump. + All daemons: added a -T / dry_run config knob. With the 'config' argument only configuration is validated; with the 'setup' one the daemon and its plugins are also instantiated and validated. + Kafka plugin: allowing to configure sub-minute historical time bins (ie. kafka_history, etc.). + pre_tag_map: introduced pre_tag_map_dont_recirculate config knob to explicitely disable v4/v6 recirculation of entries without an 'ip' key specified. Also if 'ip' key is not defined, still define the address family (AF) so to be memory-savvy and avoid creating duplicate entries in case of v4/v6 recirculation. + nDPI support: updated API calls to compile against nDPI 4.6. Also dropped support for previous versions of the library. ! fix, nfacctd: treat the result of (SysUptime - fstime) as signed to avoid a underflow in the case where fstime > SysUptime in NetFlow v9. Thanks to Jim Westfall ( @jwestfall69 ) for this contribution. ! fix, nfacctd: addressed a memory leak in handling NetFlow/IPFIX templates. Also performed code re-factoring to better encapsulate the template functionality, add a template header file, separate the module interface from local functions and reduce the scope of local functions. Thanks to Uwe Storbeck ( @ustorbeck ) for these contributions. ! fix, nfacctd: parsing of IPFIX/NetFlow data when a template does contain multiple padding octet fields IE 210 (paddingOctets) with different length. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, nfacctd: 4 bytes long IE95 (applicationID) is now supported; as part of this work the setup of nDPI and NBAR classifiers have been harmonized. ! fix, sfacctd: mispelled daemon type in sampling_direction handler was causing counters not to print. ! fix, pmacctd: restored packet data pointer for correct collection of ICMPv6 data. ! fix, uacctd: the daemon was crashing upon receipt an ICMP Echo Request packet (as a result, for example, of a ping). Thanks to Alexei A Smekalkine ( @ikle ) for this contribution. ! fix, pmtelemetryd: when no backend dump method is configured (and telemetry_dump_time_slots is not set) pmtelemetryd was crashing with SIGFPE. Also fixed the dump interval calculation when time slots are used. Thanks to Uwe Storbeck ( @ustorbeck ) for these contributions. ! fix, pmtelemetryd: restored ability of the daemon re-loading maps via SIGUSR2 signal. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. ! fix, BGP, BMP daemons: the hash function used to distribute per- peer information attached to RIB entries was enriched with the addition of Route Distinguisher (RD) data in order to minimize collisions. It is in fact crucial to have an efficient hash-table to perform data correlation between BGP/BMP & IPFIX. Thanks to Salvatore Cuzzilla ( @scuzzilla ), Leonardo Rodoni ( @rodonile ) for this contribution. ! fix, BMP daemon: finer grained control on support of ADD-PATH capability as part of the Peer Up message in order to support the case of remote peer receive-only scenario. ! fix, SQL plugins: 'in_vlan' primitive is not muxed anymore on 'vlan' keyword at configure time. Also, 'out_vlan' primitive is now properly handled if sql_optimize_clauses left false. ! fix, MySQL plugin: if timestamps_utc is set to true, enforce UTC for the current session. ! fix, tee plugin: missing variable definition when BSD definition is on was preventing the code to compile correctly. ! fix, pre_tag_map: check added to avoid daemon hanging if 'next' label was mentioned as part of the last map entry. ! fix, Redis: avoid to create a new file descriptor for every reconnect. Use redisReconnect instead of redisConnect. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, util.c: weekly time roundoff has been made consistent by correctly including the first day of the week. ! fix, util.c: when pidfile is specified, use mkdir_multilevel() to build dir structure if needed. ! fix, plugins_hook.c: when processing a pcap_savefile, perform an inter-buffer sleep of 1ms only if using home-grown buffering as ZeroMQ (plugin_pipe_zmq) would instead do fine absorbing the data burst. ! fix, rpki_msg.c: missing json_decref() in rpki_roas_file_load() was leaking memory on map reload. Also, solved a SEGV observed at times when reloading rpki_roas_file. Finally free'd the output of aspath_make_str_count() in rpki_roas_file_load(). - pmtelemetryd: removed legacy Python decoders and associated utils, also removed support for Kafka and ZeroMQ telemetry collection. - pre_tag_map: obsoleted 'fwdstatus' key. - GeoIP support: removed support for Maxmind API v1. 1.7.8 -- 31-12-2022 + Introduced support for eBPF for all daemons: if SO_REUSEPORT is supported by the OS and eBPF support is compiled in, this allows to load a custom load-balancer. To load-share, daemons have to be part of the same cluster_name and each be configured with a distinct cluster_id. + Introduced support for listening on VRF interfaces on Linux for all daemons. The feature can be enabled via nfacctd_interface, bgp_daemon_interface and equivalent knobs. Many thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution. + pre_tag_map: introduced limited tagging / labelling support for BGP (pmbgpd), BMP (pmbmpd), Streaming Telemetry (pmtelemetryd) daemons. ip, set_tag, set_label keys being currently supported. + pre_tag_map: defined a new pre_tag_label_encode_as_map config knob to encode the output 'label' value as a map for JSON and Apache Avro encodings, ie. in JSON "label": { "key1": "value1", "key2": "value2" }. For keys and values to be correctly mapped, the '%' delimiter is used when composing a pre_tag_map, ie. "set_label=key1%value1,key2%value2 ip=0.0.0.0/0". Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + pre_tag_map: introduced support for IP prefixes for src_net and dst_net keys for indexed maps (maps_index set to true). Indexing being an hash map, this feature currently tests data against all defined IP prefix lenghts in the map for a match (first defined matching prefix wins). + pre_tag_map: introduced two new 'is_nsel', 'is_nel' keys to check for the presence of firewallEvent field (233) and natEvent field (230) in NetFlow/IPFIX respectively in order to infer whether data is NSEL / NEL. If set to 'true' this does match NSEL / NEL data, if set to 'false' it does match non NSEL / NEL data respectively. + Introduced a new mpls_label_stack primitive, encoded as a string and includes a comma-separated list of integers (label values). Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new fw_event primitive, to support NetFlow v9/ IPFIX firewallEvent 233 Information Element. + Introduced a new tunnel_tcp_flags primitive for pmacctd and sfacctd to record TCP flags for the inner layer of a tunneled technology (ie. VXLAN). Also tunnel_dst_port decoding was fixed for sfacctd. + Introduced support for in/out VLAN support for sfacctd. To be savy, 'in_vlan' and 'vlan' were muxed onto the same primitive depending on the daemon being used. Thanks to Jim Westfall ( @jwestfall69 ) for this contribution. + Introduced a new mpls_label_stack_encode_as_array config knob to encode the MPLS label stack as an array for JSON and Apache Avro encodings, ie. in JSON "mpls_label_stack": [ "0-label0", "1-label1", "2-label2", "3-label3", "4-label4", "5-label5" ] and in Avro "name": "mpls_label_stack", "type": { "type": "array", "items": { "type": "string" } }. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new tcpflags_encode_as_array config knob to encode TCP flags as an array for JSON and Apache Avro, ie. in JSON "tcp_flags": [ "URG", "ACK", "PSH", "RST", "SYN", "FIN" ] and in Avro "name": "tcp_flags", "type": { "type": "array", "items": { "type": "string" } }. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new fwd_status_encode_as_string config knob to encode the 'fwd_status' primitive in human-readable format like described by RFC-7270 Section 4.12 when JSON or Avro formats are selected for output. Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this contribution. + Introduced a new protos_file to define a list of (known/ interesting/meaningful) IP protocols. Both protocol names, ie. "tcp", and protocol numbers, ie. 1 (for icmp), are accepted. IANA reserved protocol value 255 is used to bucket as 'others' those IP protocols not matching the ones defined in the list. + Introduced a new tos_file to define a list of (meaningful) IP ToS values; if tos_encode_as_dscp is set to true then DSCP values are expected as part of the file. The directive uses value 255 to bucket as 'others' those ToS/DSCP values not matching the ones defined in the list. + A new tos_encode_as_dscp config knob makes pmacct to honour only the 6 bits used by DSCP and report only on those. + BGP, BMP, Streaming Telemetry daemons: introduced a new dump_time_slots config knob to spread the load deriving by dumps over the configured refresh time interval. The interval is divided into time slots and nodes are assigned to such slots. The slot for each node is determined using its IP address. Thanks to Raphael Barazzutti ( @rbarazzutti ) for this contribution. + BGP, BMP daemons: End-of-RIB messages are now being exposed in the output feed in order to facilitate tracking their arrival (or not!). + pmtelemetryd: aligned daemon to the latest Unyte UDP-Notif API (0.6.1) and related standardization draft-ietf-netconf-udp-notif + RPKI daemon: added case for input "asn" value being integer (ie. "asn" : 2914) on top of the string case (ie. "asn" : "AS2914"). + Kafka, amqp plugins: introduced a new writer_id_string config knob to allow to customize the the "writer_id" field value. A few variables are supported along with static text definitions. + Added a new aggregate_unknown_etype config knob to account also frames with EtherTypes for which there is no decoding support and allow to aggregate them by the available Ethernet L2 fields (ie. 'src_mac', 'dst_mac', 'vlan', 'cos', 'etype'). Thanks to @singularsyntax for this contribution. + Added a new bgp_daemon_add_path_ignore config knob to ignore (do not advertise back) the ADD-PATH capability advertised by remote BGP peers. + nfacctd, sfacctd: extended the possibility to run daemons from a user with non root privileges to these daemons. + nfacctd: if Information Element 90 (MPLS VPN RD) is present in NetFlow v9/IPFIX, make it available for BGP/BMP correlation. + pmacctd, sfacctd: introduced basic support for QinQ, 802.1AD. + [print|kafka|amqp]_preprocess: added suppport for 'maxp', 'maxb' and 'maxf' keys when preprocessing aggregates of non- SQL plugins. Thanks to Andrew R. Lake ( @arlake228 ) for this contribution. + nDPI: newer versions of the library (ie. >= 4.0) bring changes to the API. pmacct is now aligned to compile against these. At the same time support for nDPI 3.x was dropped. ! fix, plugin_common.[ch]: when stitching feature was enabled, ie. nfacctd_stitching, timestamp_min was never reset. Also both timestamp_min and timestamp_max were clamped to sec granularity. ! fix, BGP, BMP daemons: added a tmp_bgp_daemon_origin_type_int to print out BGP "origin" field as int (legacy behaviour) instead of string (current behaviour). In a future major release the legacy behaviour will be dropped. ! fix, BGP, BMP daemons: MPLS labels are now encoded in both JSON and Apache Avro as 'mpls_label' instead of 'label'. This is to align behaviour with pre_tag_map where 'label' has a different semantic. ! fix, BGP, BMP daemons: resolved memory leak when encoding log messaging (logmsg) in Avro format with Schema Registry support. ! fix, BGP daemon: improved handling of ADD-PATH capability, making it per-AF (as it is supposed to be) and not global. ! fix, BMP daemon: now checking that ADD-PATH capability is enabled at both ends of the monitored session (check both BGP OPEN in a Peer Up message) in order to infer that the capability exchange was successful. Also some heuristics were added to conciliate BGP Open vs BGP Update 4-bytes ASN reality. ! fix, nfacctd: improved parsing of NetFlow v9 Options data particularly when multiple IEs are packed as part of a flowset. ! fix, nfacctd: corrected parsing of Information Element 351 (layer2SegmentId). ! fix, pmacctd: improved processing of pcap_interfaces_map for cases where the same interface is present multiple times (maybe with different directions). Also, if the map is empty then bail out at startup. ! fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed and 'flows' primitive was enabled. ! fix, pmacctd: sampling_rate primitive value was not reported correctly when 'sampling_rate' config directive was specified. ! fix, pmbgpd, pmpmbd, pmtelemtryd: changed SIGCHLD handler to prevent zombification of last spawned data dump writer. ! fix, Kafka plugin: moved the schema registration from the dump writer to the plugin process in order to register the schemas only once at plugin startup and not on every start of a writer process. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, Kafka plugin: a check for kafka_partition was missing, leading the plugin to always use the default partitioner instead of sending data to the configured fixed partition. Thanks to Martin Pels ( @rodecker ) for this contribution. ! fix, nfprobe plugin: BGP data enrichment was not working due to a mistakenly moved pointer. ! fix, sfprobe plugin: AS-PATH was being populated even when null; added a check to see if the destination AS is not zero in order to put the destination AS into the AS-PATH for sFlow packets. Thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution. ! fix, networks_file: remove_dupes() was making partial commits of valid rows hence creating data inconsistencies. ! fix, pre_tag_map: resolved a potential string overflow that was being triggered in pretag_append_label() when data would be assigned more than one single label. Also now allow ',' chars in set_label. ! fix, maps_index: uninitialized var could cause SEGV in case no results are found in the map index. Also introduced support for catch-all rules, ie. "set_label=unknown". ! fix, maps_index: optimized the case of no 'ip' key specified (for nfacctd and sfacctd): when indexing is enabled, prevent recirculation from happening, ie. test v4 first then v6, since the 'ip' key is not going to be part of the hash serializer. ! fix, pretag.c: allow to allocate maps greater than 2GB in size. Also several optimizations were carried out yelding to a better memory utilization for allocated maps along with improved times to resolve JEQs. ! fix, pre_tag_label_filter: optimized and improved runtime evaluation part of this feature, avoiding a costly strdup() and returning immediately on certain basic mismatch conditions. ! fix, kafka_common.[ch]: a new p_kafka_produce_data_and_free() is invoked to optimize memory allocations and releases. ! fix, plugin_cmn_avro.c: when a schema registry is being defined, ie. kafka_avro_schema_registry, the logic to generate the schema name has been changed: use topic plus record name as the schema name, use underscore as separator within the record name, stop adding a "-value" suffix. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. ! fix, util.c: roundoff_time() to reason always with the locally configured time, like for the rest of functional (as in non-data) timestamps, ie. refresh time, deadline, etc. ! fix, log.c: when log messages are longer than message buffer, the message gets cut off. As the trailing newline also gets cut off the message will be concatenated with the following message which makes the log hard to read. Thanks to Uwe Storbeck ( @ustorbeck ) for this contribution. - Completed the retirement of legacy packet classification based on home-grown code (Shared Objects) and the L7 layer project. - Removed the mpls_stck_depth primitive due to the introduction of the mpls_label_stack primitive. 1.7.7 -- 07-11-2021 + BGP, BMP, Streaming Telemetry daemons: introduced parallelization of dump events via a configurable amount of workers where the unit of parallelization is the exporter (BGP, BMP, telemetry exporter), ie. in a scenario where there are 4 workers and 4 exporters each worker is assigned one exporter data to dump. + pmtelemetryd: added support for draft-ietf-netconf-udp-notif: a UDP-based notification mechanism to collect data from networking devices. A shim header is proposed to facilitate the data streaming directly from the publishing process on network processor of line cards to receivers. The objective is a lightweight approach to enable higher frequency and less performance impact on publisher and receiver process compared to already established notification mechanisms. Many thanks to Alex Huang Feng ( @ahuangfeng ) and the whole Unyte team. + BGP, BMP, Streaming Telemetry daemons: now correctly honouring the supplied Kafka partition key for BGP, BMP and Telemetry msg logs and dump events. + BGP, BMP daemons: a new "rd_origin" field is added to output log/ dump to specify the source of Route Distinguisher information (ie. flow vs BGP vs BMP). + pre_tag_map: added ability to tag new NetFlow/IPFIX and sFlow sample_type types: "flow-ipv4", "flow-ipv6", "flow-mpls-ipv4" and "flow-mpls-ipv6". Also added a new "is_bi_flow" true/false key to tag (or exclude) NSEL bidirectional flows. Added as well a new "is_multicast" true/false config key to tag (or exclude) IPv4/IPv6 multicast destinations. + maps_index: enables indexing of maps to increase lookup speeds on large maps and/or sustained lookup rates. The feature has been remplemented using stream-lined structures from libcdada. This is a major work that helps preventing the unpredictable behaviours caused by the homegrown map indexing mechanism. Many thanks to Marc Sune ( @msune ). + maps_index: support for indexing src_net and dst_net keywords has been added. + Added _ipv6_only config directives to optionally enable the IPV6_V6ONLY socket option. Also changed the wrong setsockopt() IPV6_BINDV6ONLY id to IPV6_V6ONLY. + Added log function to libserdes to debug transactions with the Schema Registry when kafka_avro_schema_registry is set. + nDPI: newer versions of the library (ie. >= 3.5) bring changes to the API. pmacct is now aligned to compile against these. + pmacctd: added pcap_arista_trailer_offset config directive since Arista has changed the structure of the trailer format in recent releases of EOS. Thanks to Jeremiah Millay ( @floatingstatic ) for his patch. + More improvements carried out on the Continuous Integration (CI) side by migrating from Travis CI to GitHub Actions. Huge thanks to Marc Sune ( @msune ) to make all of this possible. + More improvements also carried out in the space of the Docker images being created: optimized image size and a better layered pipeline. Thanks to Marc Sune ( @msune ) and Daniel Caballero ( @dcaba ) to make all of this possible. + libcdada shipped with pmacct was upgraded to version 0.3.5. Many thanks Marc Sune ( @msune ) for his work with libcdada. ! build system: several improvements carried out in this area, ie. improved MySQL checks, introduced pcap-config tool for libpcap, compiling on BSD/old compilers, etc. Monumental thanks to Marc Sune ( @msune ) for his continued help. ! fix, nfacctd: improved euristics to support the case of flows with both IPv4 and IPv6 source / destination addresses (either or populated). Also improved euristics to distinguish event data vs traffic data in NetFlow v9/IPFIX from Cisco 9300/9500, ASA firewalls and Cisco 4500X. ! fix, nfacctd: improved support for initiatorOctets (IE #231) and responderOctets (IE #232). Thanks to Esben Laursen ( @hyberdk ) for reporting the issue. ! fix, nfacctd: in NF_mpls_vpn_id_handler() double ntohl() calls were applied for the case of 'vrfid'-encoded mpls_vpn_rd field. ! fix, sfacctd: wrong ethertype set for VLAN-tagged, MPLS-labelled IPv6 traffic. Impacting BGP resolution among others. Thanks to Jeremiah Millay ( @floatingstatic ) for his help resolving the problem. ! fix, BGP, BMP daemons: parsing improvements: added a check for BGP Open message and BGP Open Options lengths. Strengthened parsing of Peer Up, Route Monitoring and Peer Down v4 messages. ! fix, BGP, BMP daemon: when using Avro encoding and Avro Schema Registry, attempt to reconnect if serdes schemas are voided. Also now checking for serdes schema definitions before doing a serdes_schema_serialize_avro() to avoid triggering a SEGV. Finally improved serdes logging. ! fix, BGP, Streaming Telemetry daemons: in daemon logs, summary counters for amount of tables / entries dumped were wrong. ! fix, BGP daemon: distinguish among null and zero value AIGP and Prefix SID attributes. Same applies for Local Preference and MED attributes. ! fix, BMP daemon: resolved a memory leak in bgp_peers_free(). Thanks to Peter Pothier ( @pothier-peter ) for his patch. Also resolved a leak caused by an invalid BGP message contained in a BMP Route Message v4. ! fix, BMP daemon: correctly setting peer_ip and peer_tcp_port JSON fields for Term messages. Also the correct bmp_router value when bmp_daemon_parse_proxy_header feature is enabled. ! fix, BMP daemon: several encoding issues when using Apache Avro ie. u_int64_t now correctly encoded with avro_value_set_long(), certain u_int32_t fields switched to avro_value_set_long() due to lack of unsignedness in Avro encoding, improved various aspectes of Avro-JSON format output, etc. ! fix, pmtelemetryd: wrong parsing of pm_tfind() output was leading to mistaken data attribution of UDP-based peers (always first peer to connect was being picked). ! fix, pmtelemetryd: when set, the pidfile config directive was not being correctly honoured. ! fix, RPKI: the RTR PDU element for maxLength is uint8, therefore it might have been possible to transmit incorrect RTR data. Thanks to Job Snijders ( @job ) for his patch. ! fix, SQL plugins: amended the text composition of SQL queries that are involving latitude and longitude keys. ! fix, MySQL plugin: check for 'unix:' prefix string only when a sql_host configuration directive is specified. ! fix, nfprobe: modernized Application Information export. Until the previous release pmacct was adhering to aging NBAR model whereas now NBAR2 has been implemented. Thanks to Rob Cowart ( @robcowart ) for helping out resolving this issue. ! fix, tee plugin: restored usefulness of tee_source_ip which was broken in 1.7.6. Thanks to Jeremiah Millay ( @floatingstatic ) for reporting the issue. ! fix, maps_index: indexing of mpls_pw_id was broken. Also now, when the feature is enabled, actual data is being referenced in the index structure instead of creating a copy of it; thanks to Sander van Delden ( @SanderDelden ) for reporting the memory leak that was resulting from the copy. ! fix, kafka_common.c: solved memory leak in p_kafka_set_topic() when Kafka session was getting in down state. Many thanks to Peter Pothier ( @pothier-peter ) for nailing the issue. ! fix, net_aggr.[ch]: when a networks_file is specified in the config, gracefully handle max memory structure depth; added also de-duplication of entries. ! fix, pmacct-defines.h: if PCAP_NETMASK_UNKNOWN is not defined, ie. in libpcap < 1.1.0, let's define it. ! fix, SO_REUSEPORT feature was being restricted to Linux only in previous releases: now it has been unlocked to all other OS that do support the feature. ! fix, split SO_REUSEPORT and SO_REUSEADDR setsockopt() calls. Thanks to @eduarrrd for reporting and resolving the issue. ! fix, several code warnings catched gcc9 and clang. - Obsoleted sql_history_since_epoch, pre_tag_map_entries and refresh_maps configuration directives. 1.7.6 -- 07-02-2021 + Added dependency to libcdada in an effort to streamline basic data structures needed for everyday coding. All new structures will make use of libcdada, old ones will be ported over time. Libcdada offers basic data structures in C: ie. list, set, map/ hash table, queue and is a libstdc++ wrapper. Many thanks to Marc Sune ( @msune ) for his work with libcdada and his enormous help facilitating the integration. + BGP daemon: added suppport for Accumulated IGP Metric Attribute (AIGP) and Label-Index TLV of Prefix-SID Attribute. + BGP daemon: added SO_KEEPALIVE TCP socket option (ie. to keep the sessions alive via a firewall / NAT kind of device). Thanks to Jared Mauch ( @jaredmauch ) for his patch. + BGP daemon: if comparing source TCP ports among BGP peers is being enabled (config directive tmp_bgp_lookup_compare_ports), print also BGP Router-ID as distinguisher as part of log/dump output. + BMP daemon: added support for HAProxy Proxy Protocol Header in the first BMP message in order to determine the original sender IP address and port. The new bmp_daemon_parse_proxy_header config directive enables the feature. Contribution is by Peter Pothier ( @pothier-peter ). + BMP daemon: improved support and brought implementation on par with the latest drafting efforts at IETF wrt draft-cppy-grow-bmp- path-marking-tlv, draft-xu-grow-bmp-route-policy-attr-trace, draft-ietf-grow-bmp-tlv and draft-lucente-grow-bmp-tlv-ebit. + BMP daemon: added 'bgp_agent_map' equivalent feature for BMP. + nfacctd, nfprobe plugin: added support for collection and export of NetFlow/IPFIX data over Datagram Transport Layer Security (in short DTLS). The feature depends on the GnuTLS library. + nfacctd: added support for deprecated NetFlow v9 IE #104 (layer2packetSectionData) as it is implemented for NetFlow-lite on Cisco devices. Reused code from IPFIX IE #315. + nfacctd: added support for MPLS VPN RD IE #90. This comes in two flavours both found across vendor implementations: 1) IE present in flow data and 2) IE present in Options data as a lookup from IE #234 (ingressVRFID) and #235 (egressVRFID). + nfacctd: added a new timestamp_export aggregation primitive to record the timestamp being carried in the header of NetFlow/IPFIX messates (that is, the time at which the export was performed). + nfprobe plugin: added support for ICMP/ICMPv6 information as part of the NetFlow/IPFIX export. The piece of info is encoded in the destination port field as per the current common understandings across vendors. As a result of that, the 'dst_port' primitive is to be part of the aggregation method in order to leverage this feature. + MySQL plugin: introduced support to connect to a MySQL server via UNIX sockets. + tee plugin: added crc32 hash algorithm as a new balancing option for nodes in the receiving pool. It hashes original exporter IP address against a crc32 function. Thanks to @edge-intelligence for the contribution. + Massive improvements carried out on the Continuous Integration (CI) side, ie. to ensure better quality of the code, and on the containerization side by offering official stable / bleeding edge Docker images. Huge thanks to Marc Sune ( @msune ) to make all of this possible. ! fix, BGP daemon: re-worked internal structuring of 'modern' BGP attributes: for the sake of large-scale space optimization certain attributes are confined in a separate (less used) bgp_info_extra structure. ! fix, BGP daemon: improved support for BGP ADD-PATH, ie. made it per Address-Family rather than global. Also comparisons upon doing route looup were improved and normalized. ! fix, BGP daemon: use split buffers for recv and send functions of the BGP x-connects feature. Also improved validation when processing a bgp_daemon_xconnect_map. ! fix, BGP daemon: when using BGP x-connects, close unused file descriptors in bgp_peer_xconnect_init() in order to avoid quickly reaching the maximum amount of allowed open descriptors in case of BGP flaps. ! fix, BGP daemon: trigger a log message for a missing entry while processing bgp_daemon_xconnect_map in bgp_peer_xconnect_init(). ! fix, BGP daemon: enabled log notifications (that is, log anti- spam measure) upon reaching limit of allowed BGP peers. ! fix, BGP daemon: ecommunity_ecom2str(), first thing make sure that the destination size is enough! Missing this did cause some SEGVs due to heap corruption. Thanks to Chris Danis ( @cdanis ) for his help resolving the issue. ! fix, BGP daemon: solved a memory leak in aspath_make_str_count() by returning result from aspath_make_empty(), if any. Thanks very much to Peter Pothier ( @pothier-peter ) for his contribution. ! fix, BMP daemon: several encoding issues when using Apache Avro ie. missing conditional branching, wrong field names, etc. Thanks also to Raphael Barazzutti ( @rbarazzutti ) for several of those fixes. ! fix, BMP daemon: throw an error for any issues (error or zero length) related to the BGP Update PDU parsing; also added marker and length checks for BGP Open PDU in Peer Up messages. ! fix, BMP daemon: both timestamp of the BMP event and its arrival at the collector are now recorded and printed out separately; before they were wrongly muxed on one single field making it uncertain for the user what was the time reference. ! fix, BMP daemon: correctly print Peer Distinguisher for Route Monitoring messages. Also improved BMP lookup comparisons in order to factor in Peer Distinguisher if any. ! fix, BMP daemon: print 'is_in' boolean for Adj-Rib-In data instead of having it implicit. Also print 'is_post' for Post- Policy Adj-Rib-In data. ! fix, BMP daemon: upon receipt of a Termination message, do proactively close the TCP session. ! fix, nDPI: newer versions of the library (ie. >= 3.2) require calling ndpi_finalize_initialization() somewhere after the detection module init finished. Contribution is from Toni Uhlig ( @lnslbrty ). ! fix, pmacctd: link checks were being mistakenly skipped when reading from a pcap_savefile. Also now if a selected aggregation primitive is unsuitable for a given Layer2, it is simply cleared (with an info message issued) instead of making the daemon bail out. | fix, print plugin: bail the plugin out if its output was set to stdout while the daemon was started as daemonized. ! fix, PostgreSQL plugin: in PG_compose_conn_string() allow any intersection of host, port and cafile options. ! fix, nfprobe plugin: changed default export version from NetFlow v5 to IPFIX. ! fix, sfprobe plugin: FreeBSD was complaining of errno 22 (Invalid argument) upon sendto(). ! fix, tee plugin: replication of IPv6 packets has been now tested working. Previously the output message size was obviously encoded wrongly and the checksum (mandatory piece of info to fill in IPv6, contrary to IPv4 where it is optional) was not being computed. ! fix, kafka_common.c: improved p_kafka_check_outq_len() error log message to report the amount of elements have been successfully processed in order to better assess impact and dynamics of the problem when inspecting logs. ! fix, net_aggr.c: if networks_file_filter is set to true, don't add a default route to the table. ! fix, cfg.c: throw error if config file is not a regular file. ! fix, compiling against gcc10: renamed some variables and unified declaration of others in order to be more friendly to the new version of gcc. Also fixed several code warnings catched gcc8. - Removed the IP prefix label feature that was enabled via the --enable-plabel configure script switch. 1.7.5 -- 17-06-2020 + pmacct & Redis: pmacct daemons can now connect to a Redis cache. The main use-case currenly covered is: registering every stable daemon component in a table so to have, when running a cluster comprising several daemons / components, an olistic view of what is currently running and where; shall a component stop running or crash it will disappear from the inventory. + BMP daemon: as part of the IETF 107 vHackaton, preliminar support for draft-xu-grow-bmp-route-policy-attr-trace and draft-lucente- grow-bmp-tlv-ebit was introduced. Also added support for Peer Distinguisher field in the BMP Per-Peer Header. + BMP daemon: added support for reading from savefiles in libpcap format (pcap_savefile, pcap_savefile_delay, pcap_savefile_replay, pcap_filter) as an alternative to the use of bmp_play.py. + BMP daemon: re-worked, improved and generalized support for TLVs at the end of BMP messages. In this context, unknown Stats data is handled as a generic TLV. + BMP daemon: added SO_KEEPALIVE TCP socket option (ie. to keep the sessions alive via a firewall / NAT kind of device). Thanks to Jared Mauch ( @jaredmauch ) for his patch. + nfacctd, nfprobe plugin: added usec timestamp resolution to IPFIX collector and export via IEs #154, #155. For export, this can be configured via the new nfprobe_tstamp_usec knob. + nfacctd: new nfacctd_templates_receiver and nfacctd_templates_port config directives allow respectively to specify a destination where to copy NetFlow v9/IPFIX templates to and a port where to listen for templates from. If nfacctd_templates_receiver points to a replicator and the replicator exports to nfacctd_templates_port of a set of collectors then, for example, it gets possible to share templates among collectors in a cluster for the purpose of seamless scale-out. + pmtelemetryd: in addition to existing TCP, UDP and ZeroMQ inputs, the daemon can now read Streaming Telemetry data in JSON format from a Kafka broker (telemetry_daemon_kafka_* config knobs). + pmgrpcd.py: Use of multiple processes for the Kafka Avro exporter to leverage the potential of multi-core/processors architectures. Code is from Raphael P. Barazzutti ( @rbarazzutti ). + pmgrpcd.py: added -F / --no-flatten command-line option to disable object flattening (default true for backward compatibility); also export to a Kafka broker for (flattened) JSON objects was added (in addition to existing export to ZeroMQ). + nDPI: introduced support for nDPI 3.2 and dropped support for all earlier versions of the library due to changes to the API. + Docker: embraced the technology for CI purposes; added a docker/ directory in the file distribution where Dockerfile and scripts to build pmacct and dependencies are shared. Thanks to Claudio Ortega ( @claudio-ortega ) for contributing his excellent work in the area. ! fix, pmacctd: pcap_setdirection() enabled and moved to the right place in code. Libpcap tested for function presence. Thanks to Mikhail Sennikovsky for his patch. ! fix, pmacctd: SEGV has been detected if passing messages with an unsupported link layer. ! fix, uacctd: handle non-ethernet packets correctly. Use mac_len = 0 for non-ethernet packets in which case a zeroed ethernet header is used. Thanks to @aleksandrgilfanov for his patch. ! fix, BGP daemon: improved handling of withdrawals for label-unicast and mpls-vpn NLRIs. ! fix, BGP daemon: improved decoding of MPLS labels by passing it via a "0x%02x%02x%01x" formatter. In the past some labels may have been printed out incorrectly. ! fix, BGP daemon: decoding origin field correctly. Thanks to Peter Pothier ( @pothier-peter ) for his patch. ! BGP Looking Glass: LG code was moved from pmbgpd to pmacct libbgp so to be re-used in other components (ie. BGP thread of a flow daemon, BMP daemon, etc.). ! fix, BMP daemon: timestamps for Route Monitoring message were set to the current time rather than timestamp in the Per-Peer Header. Thanks to Peter Pothier ( @pothier-peter ) for reporting the issue. ! fix, BMP daemon: V flag test to allow IPv6 prefixes/peers was not correct (details in PR #362 on GitHub). Thanks @bcavns01 for his patch. ! fix, BGP, BMP daemons: modified approach to message segmentation by ensuring reading exactly one message at a time (instead of the previous unaligned approach that was aiming to fill the available read buffer up) and waiting for all segments be available before processing a message (instead of the previous greedy approach that was trying to parse also partial messages). ! fix, RPKI daemon: in rpki_prefix_lookup_node_match_cmp() prevent invalid results to over-write a previously computed valid one. ! fix, pmtelemetryd: recv() does include a MSG_WAITALL option to make sure all data is available before processing a given message; now n alarm() syscall is introduced so to prevent stalls due to bogus / incomplete data. ! fix, tee plugin: Tee_init_socks() now does not overwrite previously computed address length anymore: issues were repoted with IPv6 IPv4- mapped addresses. ! fix, nfprobe plugin: take into account ingress/egress interfaces, if available, when comparing flows. Thanks to Mikhail Sennikovsky for his patch. ! fix, pretag.c: incorrect string termiantion in pretag_copy_label() was making the daemon SEGV upon certain conditions when defining set_label statements in a pre_tag_map. ! fix, pretag_handlers.c: pretag_copy_label() instead of memcpy() in pretag_label_handler() to not borrow reference to label value and consequently lead to SEGV. ! fix, zmq_common.c: missing variable init in p_zmq_zap_handler() was giving troubles with gcc7 compiler optimizations. Thanks to Yuri Lachin ( @yuyutime ) for his support resolving this bug. ! fix, sql_common.c: print custom primitives with hex semantics among quotes. Hexs require a char type defined in the SQL table schema. ! fix, addr.c: passing right aligned argument to ip6_addr_cmp() in host_addr_mask_cmp(). This was found to impact selective replication of IPv6 flows basing on src_net and/or dst_net primitives in the pre_tag_map. ! fix, several code warnings catched by gcc7 and gcc8. Also several functions were renamed to avoid namespace conflicts with linked libraries. - Obsoleted --enable-64bit knob which was already defaulting to true for some releases already. - Obsoleted savefile_wait config knob (pcap_savefile_wait must be used instead). 1.7.4p1 -- 09-02-2020 ! fix, pre_tag_map: a memory leak in pretag_entry_process() has been introduced in 1.7.4. Thanks to Fabien Vincent and Olivier Benghozi for their support resolving the issue. 1.7.4 -- 31-12-2019 + Released pmgrpcd.py v3: a Streaming Telemetry collector and decoder for multi-vendor environments written in Python3. It supports gRPC transport along with Protobuf encoding as input and can output to Kafka with Avro encoding. Output to files and JSON encoding is currently supported sending data via ZMQ to pmtelemetryd first. It was tested working with data input from Cisco and Huawei routers and v3 replaces v2. Thanks to the Streaming Telemetry core team: Matthias Arnold ( @tbearma1 ), Camilo Cardona ( @jccardonar ), Thomas Graf ( @graf3 , @graf3net ), Paolo Lucente ( @paololucente ). + Introduced support for the 'vxlan' VXLAN/VNI primitive in all traffic daemons (NetFlow/IPFIX, sFlow and libpcap/ULOG). Existing inner tunnel primitives (ie. tunnel_src_host, tunnel_dst_host, tunnel_proto, etc.) have been wired to the VXLAN decoding and new ones (tunnel_src_mac, tunnel_dst_mac, tunnel_src_port, tunnel_dst_port) were defined. + BMP daemon: added support for Peer Up message namespace for TLVs (draft-ietf-grow-bmp-peer-up) and also support for Route Monitor and Peer Down TLVs (draft-ietf-grow-bmp-tlv). + BGP, BMP daemons: in addition to existing JSON export, data can now be exported in Apache Avro format. There is also support for the Confluent Schema Registry. + Introduced support for JSON-encoded Apache Avro encoding. While the binary-encoded Apache Avro is always recommended for any production scenarios (also to optionallly leverage Confluent Schema Registry support), JSON-encoded is powerful for testing and troubleshooting scenarios. + sfprobe plugin: added support for IPv6 transport for sFlow export. sfprobe_agentip is an IP address put in the header of the sFlow packet. If underlying transport is IPv6, this must be configured to an IPv6 address. + zmq_common.[ch]: Improved modularity of the ZMQ internal API and decoupled bind/connect from push/pull and pub/sub; also improved support for inproc sockets. All to increase the amount of use-cases covered by the API. + bgp_peer_src_as_map: added 'filter' key to cover pmacctd/uacctd use cases. + nfprobe, sfprobe plugins: introduced [sn]fprobe_index_override to override ifindexes dynamically determined (ie. by NFLOG) with values computed by [sn]fprobe_ifindex. + MySQL, PostgreSQL plugins: added support for SSL/TLS connections by specifying a CA certificate (sql_conn_ca_file). + Kafka, AMQP plugins: amqp_markers and kafka_markers have now been properly re-implemented when output encoding is Avro using an own Avro schema (instead of squatting pieces of JSON in the data stream for the very purpose). + print plugin: introduced print_write_empty_file config knob (true, false) to create an empty output file when there are no cache entries to purge. Such behaviour was present in versions up to 0.14 and may be preferred by some to the new >= 1.5 versions behaviour. Thanks to Lee Yongjae ( @setup74 ) for the contribution. ! fix, signals.c: signals handling has been restructured in order to block certain signals during critical sections of data processing. Thanks to Vaibhav Phatarpekar ( @vphatarp ) for the contribution. ! fix, signals.c: slimmed reload() signal handler code and moved it to a synchronous section. The handler is to reset logging output to files or syslog. Thanks to Jared Mauch ( @jaredmauch ) for his support resolving this. ! fix, pmbgpd, pmbmpd and pmtelemetryd daemons: added extra signals handling (SIGINT, SIGTERM, SIGCHLD) consistently to traffic daemons. ! fix, BGP daemon: withdrawals of label-unicast (support introduced in 1.7.3) and mpls-vpn NLRIs did fail to parse in release 1.7.3 and were silently discarded. ! fix, nfacctd: wired (BGP, BMP, ISIS, etc) lookups to NetFlow (Secure) Event Logging (NEL/NSEL). ! fix, pmtelemetryd: re-implemented a decoder for so-called Cisco v1 Streaming Telemetry proprietary header over UDP/TCP streams. ! fix, pmtelemetryd: improved sanitization of input JSON objects by also checking for isspace() other than isprint() for pretty-printed objects. ! maps_index: optimized lookups, improved debugging output upon loading indexes. ! fix, tee plugin: overwriting computed IP address length with socket container length was found to prevent output data on some BSDs. ! fix, kafka_common.c: if taking the p_kafka_close() route, ensure to return and not perform any further polling in order to avoid SEGVs. ! fix, BMP daemon: incorrect decoding of type was preventing correct logging of Init and Term messages extra info. Also in Term messages TLV data was incorrectly consumed twice triggering length check warnings. ! fix, BMP daemon: added checks for successful BGP PDU parsing in both Peer Up (BGP OPEN) and Route Monitor (BGP UPDATE) messages. ! fix, BMP daemon: improved length checks and making sure that strings potentially non null-terminated are now terminated. Also TLV-related code has been refactored. ! fix, pmbgp.py: the example client for BGP Looking Glass was migrated to Python3: thanks to @brusilov for the contribution. ! fix, nfacctd: if src_port or dst_port primitives are selected, enable IP fragment handling. Needed to process L4 of IPFIX IE #351. ! fix, nfv9_template.c: correct handling of variable-length IPFIX fields. Thanks to Nimrod Mesika ( @nimrody ) for the contribution. ! fix, PostgreSQL plugin: ABSTIME was replaced with to_timestamp() in queries as support for ABSTIME was dropped as of PostgreSQL 12. Many thanks to Manuel Mendez ( @mmlb ) for the contribution. ! fix, PostgreSQL plugin: SEGVs were observed when the queue of pending queries was non-empty (ie. nfacctd_time_new set to false, default); thanks to Guo-Wei Su ( @nansenat16 ) for the contribution. ! fix, cfg_handlers: [sn]facctd_disable_checks, nfacctd_disable_opt_ scope_check could not be properly set to false. ! fix, sql_common.c: src_host_coords and dst_host_coords primitives have been correctly spaced in SQL queries. Also float values are now quoted. Finally, sampling_direction primitive is encoded correctly. ! fix, kafka plugin: if kafka_avro_schema_registry is in use, subject name is aligned to Kafka topic name (if topic is not dynamic). ! fix, pretag.c: when using 'label', store the label string in the heap (instead of the stack). Thanks to Raphael P. Barazzutti ( @rbarazzutti ) for the contribution. ! fix, pretag.c: JEQ labels are now correctly free() during init upon map reload. ! fix, zmq_common.c: missing variable init in p_zmq_zap_handler() was causing plugin_pipe_zmq operations to fail on certain compilers (ie. gcc7). Thanks to Yuri Lachin ( @yuyutime ) for his support. ! fix, cfg_handlers.c: reviewed handling of parsed 'zero' value for several config directives. ! fix, countless code warnings when enabling -Wall (--enable-debug); also included -Wall in Continuous Integration tests. Restructured globals, header inclusions, function prototypes definition, etc. Many thanks to Marc Sune ( @msune ) for all his efforts. ! fix, configure.ac: evaluation of --enable-debug pushed to the end of the script so to not interfere with tests (ie. alignment, endianess, etc.). - BMP daemon: retired support for draft-hsmit-bmp-extensible-routemon- -msgs. - AMQP plugin: obsoleted amqp_avro_schema feature (which includes amqp_avro_schema_routing_key and amqp_avro_schema_refresh_time keys config keys). Avro schemas can now only be written to files. 1.7.3 -- 16-05-2019 + Introduced the RPKI daemon to build a ROA database and check prefixes validation status and coverages. Resource Public Key Infrastructure (RPKI) is a specialized public key infrastructure (PKI) framework designed to secure the Internet routing. RPKI uses certificates to allow Local Internet Registries (LIRs) to list the Internet number resources they hold. These attestations are called Route Origination Authorizations (ROAs). ROA information can be acquired in one of the two following ways: 1) importing it using the rpki_roas_file config directive from a file in the RIPE Validator format or 2) connecting to a RPKI RTR Cache for live ROA updates; the cache IP address/port being defined by the rpki_rtr_cache config directive (and a few more optional rpki_rtr_* directives are available and can be reviwed in the CONFIG-KEYS doc). The ROA fields will be populated with one of these five values: 'u' Unknown, 'v' Valid, 'i' Invalid no overlaps, 'V' Invalid with a covering Valid prefix, 'U' Invalid with a covering Unknown prefix. Thanks to Job Snijders ( @job ) for his support and vision. + Introducing pmgrpcd.py, written in Python, a daemon to handle gRPC- based Streaming Telemetry sessions and unmarshall GPB data. Code was mostly courtesy by Matthias Arnold ( @tbearma1 ). This is in addition (or feeding into) pmtelemetryd, written in C, a daemon to handle TCP/UDP-based Streaming Telemetry sessions with JSON-encoded data. Thanks to Matthias Arnold ( @tbearma1 ) and Thomas Graf for their support and contributing code. + pmacctd, uacctd: added support for CFP (Cisco FabricPath) and Cisco Virtual Network Tag protocols. Both patches were courtesy by Stephen Clark ( @sclark46 ). + print plugin: added 'custom' to print_output. This is to cover two main use-cases: 1) use JSON or Avro encodings but fix the format of the messages in a custom way and 2) use a different encoding than JSON or Avro. See also example in examples/custom and new directives print_output_custom_lib and print_output_custom_cfg_file. The patch was courtesy by Edge Intelligence ( @edge-intelligence ). + Introducing mpls_pw_id aggregation primitive and mpls_pw_id key in pre_tag_map to filter on signalled L2 MPLS VPN Pseudowire IDs. + BGP daemon: added bgp_disable_router_id knob to enable/disable BGP Router-ID check, both at BGP OPEN time and BGP lookup. Useful, for example, in scenarios with split BGP v4/v6 AFs over v4/v6 transports. + BGP, BMP daemons: translate origin attribute numeric value into IGP (i), EGP (e) and Incomplete (u) strings. + plugins: added new plugin_exit_any feature to make the daemon bail out if any (not all, which is the default behaviour) of the plugins exits. + maps_index: improved selection of buckets for index hash structure by picking the closest prime number to the double of the entries of the map to be indexed in order to achieve better elements dispersion and hence better performances. + nfacctd: added support for IPFIX templateId-scoped (IE 145) sampling information. + pmacctd, uacctd, sfacctd, nfacctd: added a -M command-line option to set *_markers (ie. print_markers) to true and fixed -A command-line option to set print_output_file_append to align to true/false. ! fix, BGP, BMP, Streaming Telemetry daemons: improved sequencing of dump events by assigning a single sequence number per event (ie. for streaming pipeline scenarios in order to reduce correlation with dump_init/dump_close messages). Also amount of record dumped was added to the close message. ! fix, BGP, BMP, Streaming Telemetry daemons: removed hierarchical json_decref() since json_object_get() borrows reference. This was occasionaly leading to SEGVs. ! fix, uacctd: dynamically allocate jumbo_container buffer size as packets larger than 10KB, previous static allocation, would lead to crashes. ! fix, nfacctd: wired (BGP, BMP, ISIS, etc.) lookups to the NEL/NSEL use-case. ! fix, nfacctd: search for IE 408 (dataLinkFrameType) was leading to SEGVs. Also improved handling of variable-length IPFIX templates. ! fix, BMP daemon: solved an occasional truncation of the last message in a packet. ! fix, BGP daemon: when processing bgp_daemon_md5_file, ipv4 addresses were incorrectly translated to ipv4-mapped ipv6 ones as a result of which TCP-MD5 hashes were not correctly bound to sockets. ! fix, BGP daemon: improved label-unicast and mpls-vpn SAFIs handling (some bogus messages, multiple labels, etc.). ! fix, BGP daemon: introduced PREFIX_STRLEN to make enough room for prefix2str() calls (before unsufficient INET6_ADDRSTRLEN was used). ! fix, BMP daemon: improved handling of ADD-PATH capability. ! fix, plugins: an incorrect evaluation in P_cache_attach_new_node did make possible to buffer overrun in plugins cache allocation. This was found related to a "[..]: Assertion `!cache_ptr->stitch' failed." daemon bail-out message. ! fix, plugins: if pidfile directive was enabled, exit_gracefully() was mistakenly deleting the plugin pidfile when called by a child process (ie. writer, dumper, etc.). ! fix, plugins: when taking exit_gracefully(), if the process is marked as 'is_forked', just exit and don't perform extra ops in exit_all() or exit_plugin(). ! fix, plugins: re-evaluate dynamic tables/files name if *_refresh_time is different than *_history period. ! fix, SQL plugins: a missing 'AND' was making SQL statements related to src_host_coords and dst_host_coords fail. ! fix, GeoIPv2: if no match is returned by libmaxminddb, return O1 code (Other Country) instead of a null value. ! fix, flow_to_rd_map: mpls_vpn_id was not working when maps_index was enabled. Also partly re-written mpls_vpn_id handler. ! fix, nfprobe plugin: serialize_bin() function introduced for correct serialization of custom primitives defined with 'raw' semantics. ! fix, PostgreSQL plugin: testing for presence of PQlibVersion() in libpq to prevent compiling issues (ie. on CentOS 6). ! fix, MySQL plugin: including mysql_version.h to compile successfully against newer MariaDB releases. ! fix, nDPI classification: send log message if 'class' primitive is selected but nDPI is not compiled in; also updated code to follow API changes in versions >= 2.6 of the library. Dropped support for versions < 2.4. ! fix, sfprobe plugin: added (and documented) conditional for optional export of classification info. ! fix, aggregate_primitives: field_type is now also allowed for pmacctd and uaccd daemons so that it can be used for NetFlow v9/IPFIX export (nfprobe plugin) purposes. ! fix, pre_tag_map: if no 'ip' keyword is specified, an entry of the map gets recirculated in order to be set for both v4 and v6 maps. If a 'set_label' is also specified, it was causing a SEGV. Now the label is correctly copied in case of recirculation. ! fix, zmq_common.c: added option for non-blocking p_zmq_send_bin() as otherwise program would block in case of no consumers (main use-case: flow replication over ZeroMQ queues); as a result, a generous hwm value was added on both sides of these queues. ! fix, zmq_common.c: ZAP socket moved inside thread to prevent failed assert() when compiling with gcc7/gcc8. Also a single user/password auto-generated combination is used for all plugins. ! fix, signals.c: SIGUSR1 handler for nfacctd and nfacctd is changed to syncronous in order to prevent race conditions. Also, in pmacctd, upon sending SIGUSR1, stats were not printed when reading packets from a pcap_interfaaces_map. ! fix, plugin_cmn_json.c: if leaving protocols numerical (ie. proto, tunnel_proto primitives), convert them to string-represented numbers for data consistency for consumers. ! fix, util.c: open_output_file(), if file exists and it's a FIFO then set O_NONBLOCK when opening. ! fix, pretag.c: pretag_index_report() was reporting incorrect info of the hash structure built for the maps_index feature. Its format was has also changed to be better parseable. ! fix, compile time warnings: several warnings were addressed including but not restricted to -Wformat ones. Also an annotation was added to the Log function to inform the compiler it's a printf-style function, allowing it to give warnings for argument mismatches. - --enable-ipv6 configure script switch has been deprecated and, as a result, IPv6 support was made mandatory. - BGP daemon: removed unused pathlimit field from bgp_attr structure. - pmacct client: removed deprecated SYM field from from formatted and CSV headers. 1.7.2 -- 26-11-2018 + nfacctd, sfacctd: added Kafka broker among the options to receive NetFlow/IPFIX, sFlow data from. Host, port and topic should all be specified along with an optional config file to pass to librdkafka. + nfacctd, sfacctd, pmtelemetryd: added ZeroMQ queue among the options to receive NetFlow/IPFIX, sFlow or Streaming Telemetry data from. An IP address and port should be specified. + nfacctd, sfacctd: added sampling_direction to the set of supported primitives, valid values being ingress, egress and unknown. + nfacctd, sfacctd: stats, ie. amount of NetFlow/IPFIX or sFlow packets received per router, are now available when in tee mode. Stats can be retrieved via a SIGUSR1 UNIX signal. + pcap_savefile_replay: a feature to replay content for the specified amounf of time when reading from a pcap_savefile. + pre_tag_map: added several new keys: src_net and dst_net (to tag on source and destination IP prefixes respectively), bgp_nexthop (to tag on BGP nexthop) and nat_event. + BGP daemon: added bgp_lrgcomm_pattern feature to filter large BGP communities (in addition to existing equivalent knobs to filter on standard and extended communities). + BMP, Streaming Telemetry daemons: msglog_file and dump_file config directives now offer $bmp_router, $bmp_router_port, $telemetry_node and $telemetry_node_port variables. + BGP, BMP, Streaming Telemetry daemons: added BGP, BMP and Streaming Telemetry exporter TCP/UDP port as variable for dump/log filenames (to better support NAT traversal scenarios). + BGP, BMP daemons: added message sequencing to both BGP and BMP dumps (bgp_table_dump_*, bmp_dump_*). If dumping and logging are enabled in parallel then sequencing the dumps allows for check pointing at regular time intervals. + BMP daemon: implemented draft-hsmit-bmp-extensible-routemon-msgs for a tlv-based encoding of route-monitoring messages with a new message type. + Streaming Telemetry daemon: added sample decoders for gRPC / GPB for Cisco and Huawei platforms, written in Python. Telemetry data is decoded using vendor-supplied proto files and output in JSON format in a ZeroMQ queue - suitable for ingestion in pmtelemetryd. Docs and sample code is available in the telemetry/ directory. This is all in addition to TCP/UDP transports and JSON encoding supported natively in pmtelemetryd. + kafka plugin: introduced support for Confluent Schema Registry via libserdes. A registry can be supplied via kafka_avro_schema_registry config directive; the schema is generated automatically. The feature enables validation of data passed through a Kafka broker and uses Avro encoding. + kafka plugin: added $in_iface key (input interface) to the set of variables supported by kafka_partition_key. Extremely useful when coupled to $peer_src_ip in some scenarios. + print, IMT plugins: separator for CSV format can now be space (\s) or tab (\t). + tee plugin: added Kafka broker among the emitters. kafka_broker and kafka_topic knobs are now available in the tee_receivers map and a tee_kafka_config_file directive allows to define a file with config to pass to librdkafka. + tee plugin: added ZeroMQ queue among the emitters. zmq_address knob defines the queue IP address and port to emit to. + tee plugin: introducing support for complex pre_tag_map when doing replication of NetFlow/IPFIX (sFlow replication had already this). With this feature flows are individually evaluated against supplied filters (input interface, BGP next-hop, etc.) and (not) replicated accordingly. + GeoIP v2: added support for latitude and longitude primitives via src_host_coords and dst_host_coords knobs. This is in addition to existing country and pocode supports. + files_uid, files_gid: now also user and group strings are accepted. This is in addition to user and group IDs. ! fix, nfacctd: NF_evaluate_flow_type() improved to not detect Cisco ASA flows (ie. those including initiator and responder octets) as events. Also improved sanity checking of received NetFlow v9/IPFIX data and options templates and reviwed modulo functions and improved template hashing. ! fix, BGP, BMP, Streaming Telemetry daemons: improved log sequencing by handling counter wrap-up more gracefully. Also a log sequencing API was developed to improve code re-use. ! fix, BGP daemon: added check for duplicate Router-IDs at BGP OPEN parsing time. If a duplicate is detected, the session BGP OPENing of the new session is dropped. ! fix, BGP daemon: ADD-PATH capability was checked only in the first AFI/SAFI and was being set in the reply for last AFI/SAFI RECEIVE(1) if first included SEND(2) or SEND-RECEIVE(3). Thanks to Markus Weber ( @FvDxxx ) for his patch. ! fix, BGP daemon: upon route lookup, don't perform ADD-PATH logics if no PATH-ID (even if ADD-PATH capability is announced by the peer). Thanks to Camilo Cardona ( @jccardonar ) for his support solving the issue. ! fix, BGP daemon: graceful handling of invalid AS-PATH segment types (ie. AS-PATH in BGP UPDATE inconsistent with capabilities passed in BGP OPEN) in order to avoid SEGVs. ! fix, pmtelemetryd: improved support for UDP timeouts. Also reviewed natively supported encodings: removed zjson and GPB was moved to pre- processors (with samples available in telemetry/decoders directory). ! fix, pmtelemetryd: no dump_init / dump_close events sequencing since all messages are sequenced anyway (consistency with other daemons). ! fix, kafka_common.c: now destroying both config and topic config as part of p_kafka_close() in order to avoid memory leaks. Also, port is omitted from broker string if not passed to p_kafka_set_broker(). And finally output queue length checks in p_kafka_check_outq_len() have been relaxed (to counter temporary hickups that need more patience). ! fix, kafka plugin: kafka_partition default was zero (that is, a valid partition number) instead of -1 (RD_KAFKA_PARTITION_UA or unassigned) which allows librdkafka to attach a partitioner. ! fix, SQL plugins: sql_table_schema is honoured even if sql_table_name is non-dynamic. This is to cover cases where the table is rotated externally. ! fix, mysql plugin: my_bool replaced with bool. The plugin now does compile against MySQL 8.0. Also added inclusion of stdbool.h as on some systems bool is not defined. Improved overall probing for MySQL headers. ! fix, pgsql plugin: sql_recovery_backup_host was not being honoured. PG_create_backend() now composes a proper conn_string. ! fix, print plugin: increase successful queries number, QN, only if the output file was successfully opened. ! fix, zmq_common.c: moved ZAP socket initialization inside the ZAP handler. See: https://github.com/zeromq/libzmq/issues/3313 . ! fix, util.c: length checks in handle_dynname_internal_strings() were reviewed. Existings were not working in absence of starting/trailing non-variable strings. ! fix, util.c: use lockf() instead of more problematic flock(). Thanks to Yuri Lachin ( @yuyutime ) and Miki Takata ( @mikiT ) for their support. ! fix, util.c: in compose_timestamp() pad usecs and use "%ld" since time fields are signed longs. Thanks to @raymondrussell for the patch. ! fix, ndpi_util.c: a protocol bitmask is now set in order to increase match rate. Patch is courtesy by @rsolsn. ! fix, compile time warnings: several warnings were addressed including but not restricted to -Wreturn-time, -Wunused-variable, implicit func declarations, -Wformat-extra-args, -Wunused-label, -Wunused-value, -Wunused-function, sbrk calls, -Wpointer-to-int-cast, -Wparentheses and -Wint-to-pointer-cast. ! fix, dangerous uninitialized values: net_aggr.c, pmacct.c: in merge() argument with non-NULL attribute could be passed NULL; bmp_msg.c: in bmp_process_msg_route_monitor() bdata.tstamp could be uninitialized; sfprobe_plugin.c: calloc() return value (possibly null) was not being checked; sflow_agent.c: uninitialized ret value in sfl_agent_init() could lead to undefined bind() error behaviour. ! fix, thread_pool.c: reviewed logics in deallocate_thread_pool() and solved a minor memory leak in allocate_thread_pool(). - pmacctd: removed support for FDDI :) - nfacctd: discontinued support for NetFlow v1, v7 and v8 collection and replication. - pre_tag_map: matching on 'sampling_rate' is not supported anymore as a sampling_rate primitive is now available; the 'return' feature to return matched data before completing the map workflow has started being obsoleted (retired from docs but still available). - plugin_pipe_check_core_pid: deprecating feature given RabbitMQ and Kafka are not supported anymore for internal message delivery. - tee plugin: obsoleted tee_dissect_send_full_pkt knob, entire packets are now replicated only if no pre_tag_map or a simple pre_tag_map is defined. - nfprobe plugin: removed support for NetFlow v1 export. 1.7.1 -- 06-05-2018 + pmbgpd: introduced a BGP x-connect feature meant to map BGP peers (ie. PE routers) to BGP collectors (ie. nfacctd, sfacctd) via a standalone BGP daemon (pmbgpd). The aim is to facilitate operations when re-sizing/re-balancing the collection infrastructure without impacting (ie. re-configuring) BGP peers. bgp_daemon_xconnect_map expects full pathname to a file where cross-connects are defined; mapping works only against the IP source address and not the BGP Router ID, only 1:1 relationships can be formed (ie. this is about cross-connecting, not replication) and only one session per BGP peer is supported (ie. multiple BGP agents are running on the same IP address or NAT traversal scenarios are not supported [yet]). A sample map is provided in 'examples/bgp_xconnects.map.example'. + pmbgpd: introduced a BGP Looking Glass server allowing to perform queries, ie. lookup of IP addresses/prefixes or get the list of BGP peers, against available BGP RIBs. The server is asyncronous and uses ZeroMQ as transport layer to serve incoming queries. Sample C/Python LG clients are available in 'examples/lg'. A sample LG server config is available in QUICKSTART. Request/Reply Looking Glass formats are documented in 'docs/LOOKING_GLASS_FORMAT'. + pmacctd: a single daemon can now listen for traffic on multiple interfaces via a polling mechanism. This can be configured via a pcap_interfaces_map feature (interface/pcap_interface can still be used for backward compatiblity to listen on a single interface). The map allows to define also ifindex mapping and capturing direction on a per-interface basis. The map can be reloaded at runtime via a USR2 signal and a sample map is in examples/pcap_interfaces.map.example. + Kafka plugin: dynamic partitioning via kafka_partition_dynamic and kafka_partition_key knobs is introduced. The Kafka topic can contain variables, ie. $peer_src_ip, $src_host, $dst_port, $tag, etc., which are all computed when data is purged to the backend. This feature is in addition to the existing kafka_partition feature which allows to rely on the built-in Kafka partitioning to assign data statically to one partition or rely dynamically on the default partitioner. The feature is courtesy by Corentin Neau / Codethink ( @weyfonk ). + Introduced rfc3339 formatted timestamps: in logs, ie. UTC timezone represented as yyyy-MM-ddTHH:mm:ss(.ss)Z; for aggregation primitives the timestamps_rfc3339 knob can be used to enable this feature (left disabled by default for backward compatibility). + timestamps_utc: new knob to decode timestamps to UTC timezone even if the Operating System is set to a different timezone. On the goods of running a system set to UTC please read Q18 of FAQS. + sfacctd: implemented mpls_label_top, mpls_label_bottom and mpls_stack_depth primitives decoded from sFlow flow sample headers. Thanks to David Barroso ( @dbarrosop ) for his support. + nfacctd: added support for IEs 130 (exporterIPv4Address) and 131 (exporterIPv6Address) when passed as part of NetFlow v9/IPFIX option packets (these IEs were already supported when passed in flow data). Also added support for IE 351 (dataLinkFrameSection) which carries the initial portion of a sampled raw packet headers (a-la sFlow). This was tested working against a Cisco NCS 5k platform. + nfprobe plugin: added a new nfprobe_dont_cache knob allowing to disable caching and summarisation of flows (essentially letting the NetFlow/IPFIX probe behave like a sFlow probe). + nfprobe plugin: added support for MPLS_LABEL_1, NetFlow v9/IPFIX IE 70; improved support for BGP next-hop IE 18 and 63. Also support for IE 130/131 vi NetFlow v9/IPFIX Options was added. + sfprobe plugin: added sfprobe_source_ip knob to define the local IP address from which sFlow datagrams are exported; improved support for BGP next-hop. + nfacctd, sfacctd, BGP, BMP, Streaming Telemetry daemons: on Linux, if supported, use SO_REUSEPORT for the listening socket (added to existing SO_REUSEADDR option). + nfacctd, sfacctd: introduced new 'export_proto_sysid' primitive to give visibility to NetFlow v5/v8 engine_id / NetFlow v9 source ID / IPFIX Obs Domain ID / sFlow agentSubID. + nfacctd, sfacctd: extended nDPI support to NetFlow v9/IPFIX packets with IE 315 (dataLinkFrameSection) and sFlow v5 packets with header section. + nfacctd, sfacctd: extended custom primitives definition framework, aggregate_primitives, to NetFlow v9/IPFIX packets with IE 315 (dataLinkFrameSection) and sFlow v5 sampled headers section. + nfacctd, sfacctd: added per-collector packets and bytes counts to stats emitted via SIGUSR1. Also the output was made more formal (so to be more easily parsed) and is documented in the UPGRADE notes. + nfacctd, pmacctd, sfacctd: pcap_savefile_delay feature introduced to sleep for the supplied amount of seconds before playing a given pcap_savefile. Useful, for example, to let BGP/BMP sessions come up so that routing data is available for correlation when processing data in the trace. + Kafka plugin: configuring statistics.interval.ms to a positive value in a kafka_config_file makes now librdkafka log plenty of internal metrics. + BGP daemon: added support for Extended BGP Administrative Shutdown Communication (draft-snijders-idr-rfc8203bis-00). + BMP daemon: added support for draft-ietf-grow-bmp-adj-rib-out-01 and draft-ietf-grow-bmp-loc-rib-01. As a result of that, Route Monitor log messages now contain indication of is_out and is_filtered. + BMP daemon: added support for stats reports 9, 10, 11, 12 and 13 and descriptions for the different Peer Types and and Peer Down reasons. Finally, indication of is_post is now making to Route Monitor log messages. + plugin_pipe_zmq: introduced plugin_pipe_zmq_hwm (high water mark) knob to control the maximum amount of messages than can be stored in the ZeroMQ queue. + [ns]facctd_allow_file: the map is now made reloadable at runtime via SIGUSR2 and accepts IPv4/IPv6 prefixes increasing its scale (before it was only accepting individual IP addresses). + pmacctd: added support for IPv6, MPLS for DLT_LINUX_SLL captures. Thanks to David Barroso ( @dbarrosop ) for his support. + uacctd: added a global 'direction' knob to give visibility of data capturing direction, ie. in/out. Useful for pre_tag_map use. + MySQL plugin: added sql_port knob in order to specify non-default ports for connecting to the database. Patch is courtesy by Vadim Tkachenko ( @vadimtk ). ! fix, plugins: getppid() parent process health check improved so to work in Docker environments not assuming anymore parent PID is 1. Patch is courtesy by Hidde van der Heide ( @hvanderheide ). ! fix, plugins: imposing a budget for received messages (100) so to preserve fairness of other operations (ie. time keeping, bucketing, reloading maps, etc.) and prevent starvations. ! fix, plugins: retry when zmq_getsockopt() for ZMQ_EVENTS returns EINTR. Thanks to Wouter de Jong for his support solving the issue. ! fix, plugins: when executing triggers, the first argument passed to execv() should be the path to the invoked executable to prevent execv(3) to fail and return EFAULT on OpenBSD. Patch is courtesy by @higgsd. ! fix, BGP daemon: improved support of multiple capabilities per optional parameter in the OPEN message. Also add-path capability is now advertised if neighbor supports send/receive (previously it was sent back on send only) of such capability. Thanks to Radu Anghel ( @cozonac ) for his support. ! fix, BGP daemon: upon route lookup, don't perform ADD-PATH logics if no PATH-ID (even if ADD-PATH capability is announced by the peer). Thanks to Camilo Cardona ( @jccardonar ) for his support solving the issue. ! fix, BGP daemon: wrong type 2 32-bit ASN Route Distinguisher was defined in network.h. Thanks to Thomas Graf for reporting the issue. ! fix, BGP, BMP daemons: lookup of BGP-LU entries is now performed against the correct RIB. ! fix, BMP daemon: the BMP thread is now made mutually exclusive with the BGP one (until an use-case needs to run them both). This is to potentially prevent BGP and BMP information to interfere with each other when correlated. Also the 'bmp' keyword was added for *_as and *_net config directives (ie. nfacctd_as, nfacctd_net). Thanks to Juan Camilo Cardona ( @jccardonar ) for his support. ! fix, BMP daemon: improved correlation of BMP data with traffic data by supporting a replication use-case (the BMP exporter is a route -server rather than an actual Edge Router) upon lookup. Thanks to Juan Camilo Cardona ( @jccardonar ) for his support. ! fix, BMP daemon: in bgp_peer_cmp() and bgp_peer_host_addr_cmp() the comparison function has been changed from generic memcmp() to a more specific host_addr_cmp() as paddings were giving issues. Thanks to Juan Camilo Cardona ( @jccardonar ) for reporting the issue. ! fix, BMP daemon: a pm_tdestroy call in bmp_peer_close() was leading to SEGV under certain conditions by not NULL'ing all pointers. Thanks to Juan Camilo Cardona ( @jccardonar ) for reporting the issue. ! fix, nfacctd: prevent time calculations to underflow in cases in which sysUptime < first or last flow switched timestamps in NetFlow v5. Patch is courtesy by David Steinn Geirsson ( @dsgwork ). ! fix, nfacctd: in the context of aggregate_primitives, now enforcing terminating the zero when decoding variable-length IEs when applying string semantics. ! fix, nfprobe: changed ifIndex fields from u_int16_t to u_int32_t in order to prevent overflows and aligning to the rest of structs. ! fix, MySQL plugin: minor code revisions to restore compiling against MariaDB 10.2. ! fix, sql_common.c: increased read_SQLquery_from_file() buffer size so that sql_table_schema can be fed with longer CREATE TABLE statements. ! fix, print, SQL plugins: post_tag, post_tag2 support was added to sql_table and print_output_file. Also for Kafka, RabbitMQ plugins kafka_topic and amqp_routing_key variables support was harmonized with print and SQL plugins (ie. $pre_tag renamed to $tag), see UPGRADE notes. ! fix, SQL plugins: sql_startup_delay was not being honored when sql_trigger_exec was defined without a sql_trigger_time resulting in empty environment variables being passed to the triggered script. Thanks to Johannes Maybaum for his support resolving the issue. ! fix, pkt_handlers.c: tmp_asa_bi_flow value was ignored when applied to a specific plugin. ! fix, util.c: when data timestamp is not available, dynamic file and table names variables were populated with a 1-Jan-1970 date. Now the current timestamp is used instead as last resort. Patch is courtesy by Ivan F. Martinez ( @ivanfmartinez ). ! fix, addr.c: host_addr_mask_sa_cmp() and str_to_addr_mask() network mask computation for IPv6 addresses was wrong. allow_file feature was affected. ! fix, build system: several patches committed to the build system to simplify libraries probing, make sure to bail out upon error. Also now a minimum required version is imposed to almost all libraries. - --enable-threads / --disable-threads: removed the configure switch that was allowing to compile pmacct even when no pthreads library was available on a system. From now on support for threads is mandatory. - BGP daemon: offline code, ie. bgp_daemon_offline_* config directives, has been deprecated in favor of other approaches, ie. BGP Looking Glass and BGP Xconnects. - pkt_len_distrib: the primitive, which was meant to bucket packet / flow / sample lengths in a distribution has been obsoleted. 1.7.0 -- 21-10-2017 + ZeroMQ integration: by defining plugin_pipe_zmq to 'true', ZeroMQ is used for queueing between the Core Process and plugins. This is in alternative to the home-grown circular queue implementation (ie. plugin_pipe_size). plugin_pipe_zmq_profile can be set to one value of { micro, small, medium, large, xlarge } and allows to select among a few standard buffering profiles without having to fiddle with plugin_buffer_size. How to compile, install and operate ZeroMQ is documented in the "Internal buffering and queueing" section of the QUICKSTART document. + nDPI integration: enables packet classification, replacing existing L7-layer project integration, and is available for pmacctd and uacctd. The feature, once nDPI is compiled in, is simply enabled by specifying 'class' as part of the aggregation method. How to compile install and operate nDPI is documented in the "Quickstart guide to packet classification" section of the QUICKSTART document. + nfacctd: introduced nfacctd_templates_file so that NetFlow v9/IPFIX templates can be cached to disk to limit the amount of lost packets due to unknown templates when nfacctd (re)starts. The implementation is courtesy by Codethink Ltd. + nfacctd: introduced support for PEN on IPFIX option templates. This is in addition to already supported PEN for data templates. Thanks to Gilad Zamoshinski ( @zamog ) for his support. + sfacctd: introduced new aggregation primitives (tunnel_src_host, tunnel_dst_host, tunnel_proto, tunnel_tos) to support inner L3 layers. Thanks to Kaname Nishizuka ( @__kaname__ ) for his support. + nfacctd, sfacctd: pcap_savefile and pcap_savefile_wait were ported from pmacctd. They allow to process NetFlow/IPFIX and sFlow data from previously captured packets; these also ease some debugging by not having to resort anymore to tcpreplay for most cases. + pmacctd, sfacctd: nfacctd_time_new feature has been ported so, when historical accounting is enabled, to allow to choose among capture time and time of receipt at the collector for time-binning. + nfacctd: added support for NetFlow v9/IPFIX field types #130/#131, respectively the IPv4/IPv6 address of the element exporter. + nfacctd: introduced nfacctd_disable_opt_scope_check: mainly a work around to implementations not encoding NetFlow v9/IPIFX option scope correctly, this knob allows to disable option scope checking. Thanks to Gilad Zamoshinski ( @zamog ) for his support. + pre_tag_map: added 'source_id' key for tagging on NetFlow v9/IPFIX source_id field. Added also 'fwdstatus' for tagging on NetFlow v9/ IPFIX information element #89: this implementation is courtesy by Emil Palm ( @mrevilme ). + tee plugin: tagging is now possible on NetFlow v5-v8 engine_type/ engine_id, NetFlow v9/IPFIX source_id and sFlow AgentId. + tee plugin: added support for 'src_port' in tee_receivers map. When in non-transparent replication mode, use the specified UDP port to send data to receiver(s). This is in addition to tee_source_ip, which allows to set a configured IP address as source. + networks_no_mask_if_zero: a new knob so that IP prefixes with zero mask - that is, unknown ones or those hitting a default route - are not masked. The feature applies to *_net aggregation primitives and makes sure individual IP addresses belonging to unknown IP prefixes are not zeroed out. + networks_file: hooked up networks_file_no_lpm feature to peer and origin ASNs and (BGP) next-hop fields. + pmacctd: added support for calling pcap_set_protocol() if supported by libpcap. Patch is courtesy by Lennert Buytenhek ( @buytenh ). + pmbgpd, pmbmpd, pmtelemetryd: added a few CL options to ease output of BGP, BMP and Streaming Telemetry data, for example: -o supplies a b[gm]p_daemon_msglog_file, -O supplies a b[gm]p_dump_file and -i supplies b[gm]p_dump_refresh_time. + kafka plugin: in the examples section, added a Kafka consumer script using the performing confluent-kafka-python module. ! fix, BGP daemon: segfault with add-path enabled peers as per issue #128. Patch is courtesy by Markus Weber ( @FvDxxx ). ! fix, print plugin: do not update link to latest file if cause of purging is a safe action (ie. cache space is finished. Thanks to Camilo Cardona ( @jccardonar ) for reporting the issue. Also, for the same reason, do not execute triggers (ie. print_trigger_exec). ! fix, nfacctd: improved IP protocol check in NF_evaluate_flow_type() A missing length check was causing, under certain conditions, some flows to be marked as IPv6. Many thanks to Yann Belin for his support resolving the issue. ! fix, print and SQL plugins: optimized the cases when the dynamic filename/table has to be re-evaluated. This results in purge speed gains when the dynamic part is time-related and nfacctd_time_new is set to true. ! fix, bgp_daemon_md5_file: if the server socket is AF_INET and the compared peer address in MD5 file is AF_INET6 (v4-mapped v6), pass it through ipv4_mapped_to_ipv4(). Also if the server socket is AF_INET6 and the compared peer addess in MD5 file is AF_INET, pass it through ipv4_to_ipv4_mapped(). Thanks to Paul Mabey for reporting the issue. ! fix, nfacctd: improved length checks in resolve_vlen_template() to prevent SEGVs. Thanks to Josh Suhr and Levi Mason for their support. ! fix, nfacctd: flow stitching, improved flow end time checks. Thanks to Fabio Bindi ( @FabioLiv ) for his support resolving the issue. ! fix, amqp_common.c: amqp_persistent_msg now declares the RabbitMQ exchange as durable in addition to marking messages as persistent; this is related to issue #148. ! fix, nfacctd: added flowset count check to existing length checks for NetFlow v9/IPFIX datagrams. This is to avoid logs flooding in case of padding. Thanks to Steffen Plotner for reporting the issue. ! fix, BGP daemon: when dumping BGP data at regular time intervals, dump_close message contained wrongly formatted timestamp. Thanks to Yuri Lachin for reporting the issue. ! fix, MySQL plugin: if --enable-ipv6 and sql_num_hosts set to true, use INET6_ATON for both v4 and v6 addresses. Thanks to Guy Lowe ( @gunkaaa ) for reporting the issue and his support resolving it. ! fix, 'flows' primitive: it has been wired to sFlow so to count Flow Samples received. This is to support Q21 in FAQS document. ! fix, BGP daemon: Extended Communities value was printed with %d (signed) format string instead of %u (unsigned), causing issue on large values. ! fix, aggregate_primitives: improved support of 'u_int' semantics for 8 bytes integers. This is in addition to already supported 1, 2 and 4 bytes integers. ! fix, pidfile: pidfile created by plugin processes was not removed. Thanks to Yuri Lachin for reporting the issue. ! fix, print plugin: checking non-null file descriptor before setvbuf in order to prevent SEGV. Similar checks were added to prevent nulls be input to libavro calls when Apache Avro output is selected. ! fix, SQL plugins: MPLS aggregation primitives were not correctly activated in case sql_optimize_clauses was set to false. ! fix, building system: reviewed minimum requirement for libraries, removed unused m4 macros, split features in plugins (ie. MySQL) and supports (ie. JSON). ! fix, sql_history: it now correctly honors periods expressed is 's' seconds. ! fix, BGP daemon: rewritten bgp_peer_print() to be thread safe. ! fix, pretag.h: addressed compiler warning on 32-bit architectures, integer constant is too large for "long" type. Thanks to Stephen Clark ( @sclark46 ) for reporting the issue. - MongoDB plugin: it is being discontinued since the old Mongo API is not supported anymore and there has never been enough push from the community to transition to the new/current API (which would require a rewrite of most of the plugin). In this phase-1 the existing MongoDB plugin is still available using 'plugins: mongodb_legacy' in the configuration. - Packet classification basing on the L7-filter project is being discontinued (ie. 'classifiers' directive). This is being replaced by an implementation basing on the nDPI project. As part of this also the sql_aggressive_classification knob has been discontinued. - tee_receiver was part of the original implementation of the tee plugin, allowing to forward to a single target and hence requiring multiple plugins instantiated, one per target. Since 0.14.3 this directive was effectively outdated by tee_receivers. - tmp_net_own_field: the knob has been discontinued and was allowing to revert to backward compatible behaviour of IP prefixes (ie. src_net) being written in the same field as IP addresses (ie. src_host). - tmp_comms_same_field: the knob has been discontinued and was allowing to revert to backward compatible behaviour of BGP communities (standard and extended) being writeen all in the same field. - plugin_pipe_amqp and plugin_pipe_kafka features were meant as an alternative to the homegrown queue solution for internal messaging, ie. passing data from the Core Process to Plugins, and are being discontinued. They are being replaced by a new implementation, plugin_pipe_zmq, basing on ZeroMQ. - plugin_pipe_backlog was allowing to keep an artificial backlog of data in the Core Process so to maximise bypass poll() syscalls in plugins. If home-grown queueing is found limiting, instead of falling back to such strategies, ZeroMQ queueing should be used. - pmacctd: deprecated support for legacy link layers: FDDI, Token Ring and HDLC. 1.6.2 -- 21-04-2017 + BGP, BMP daemons: introduced support for BGP Large Communities IETF draft (draft-ietf-idr-large-community). Large Communities are stored in a variable-length field. Thanks to Job Snijders ( @job ) for his support. + BGP daemon: implemented draft-ietf-idr-shutdown. The draft defines a mechanism to transmit a short freeform UTF-8 message as part of a Cease NOTIFICATION message to inform the peer why the BGP session is being shutdown or reset. Thanks to Job Snijders ( @job ) for his support. + tee plugin, pre_tag_map: introduced support for inspetion of specific flow primitives and selective replication over them. The primitives supported are: input and output interfaces, source and destination MAC addresses, VLAN ID. The feature is now limited to sFlow v5 only. Thanks to Nick Hilliard and Barry O'Donovan for their support. + Added src_host_pocode and dst_host_pocode primitives, pocode being a compact and (de-)aggregatable (easy to identify districts, cities, metro areas, etc.) geographical representation, based on the Maxmind v2 City Database. Thanks to Jerred Horsman for his support. + Kafka support: introduced support for user-defined (librdkafka) config file via the new *_kafka_config_file config directives. Full pathname to a file containing directives to configure librdkafka is expected. All knobs whose values are string, integer, boolean are supported. + AMQP, Kafka plugins: introduced new directives kafka_avro_schema_topic, amqp_avro_schema_routing_key to transmit Apache Avro schemas at regular time intervals. The routing key/topic can overlap with the one used to send actual data. + AMQP, Kafka plugins: introduced support for start/stop markers when encoding is set to Avro (ie. 'kafka_output: avro'); also Avro schema is now embedded in a JSON envelope when sending it via a topic/routing key (ie. kafka_avro_schema_topic). + print plugin: introduced new config directive avro_schema_output_file to save the Apache Avro schema in a separate file (it was only possible to have it combined at the beginning of the data file). + BGP daemon: introduced a new bgp_daemon_as config directive to set a LocalAS which could be different from the remote peer one. This is to establish an eBGP session instead of a iBGP one (default). + flow_to_rd_map: introduced support for mpls_vpn_id. In NetFlow/IPFIX this is compared against Field Types #234 and #235. + sfacctd: introduced support for sFlow v2/v4 counter samples (generic, ethernet, vlan). This is in addition to existing support for sFlow v5 counters. + BGP, BMP and Streming Telemetry daemons: added writer_id field when writing to Kafka and/or RabbitMQ. The field reports the configured core_proc_name and the actual PID of the writer process (so, while being able to correlate writes to the same daemon, it's also possible to distinguish among overlapping writes). + amqp, kafka, print plugins: harmonized JSON output to the above: added event_type field, writer_id field with plugin name and PID. + BGP, BMP daemons: added AFI, SAFI information to log and dump outputs; also show VPN Label if SAFI is MPLS VPN. + pmbgpd, pmbmpd: added logics to bypass building RIBs if only logging BGP/BMP data real-time. + BMP daemon: added BMP peer TCP port to log and dump outputs (for NAT traversal scenarios). Contextually, multiple TCP sessions per IP are now supported for the same reason. + SQL plugins: ported (from print, etc. plugins) the 1.6.1 re-working of the max_writers feature. + uacctd: use current time when we don't have a timestamp from netlink. We only get a timestamp when there is a timestamp in the skb. Notably, locally generated packets don't get a timestamp. The patch is courtesy by Vincent Bernat ( @vincentbernat ). + build system: added configure options for partial linking of binaries with any selection/combination of IPv4/IPv6 accounting daemons, BGP daemon, BMP daemon and Streaming Telemetry daemon possible. By default all are compiled in. + BMP daemon: internal code changes to pass additional info from BMP per-peer header to bgp_parse_update_msg(). Goal is to expose further info, ie. pre- vs post- policy, when logging or dumping BMP info. ! fix, BGP daemon: introduced parsing of IPv6 MPLS VPN (vpnv6) NLRIs. Thanks to Alberto Santos ( @m4ccbr ) for reporting the issue. ! fix, BGP daemon: upon doing routes lookup, now correctly honouring the case of BGP-LU (SAFI_MPLS_LABEL). ! fix, BGP daemon: send BGP NOTIFICATION out in case of known failures in bgp_parse_msg(). ! fix, kafka_partition, *_kafka_partition: default value changed from 0 (partition zero) to -1 (RD_KAFKA_PARTITION_UA, partition unassigned). Thanks to Johan van den Dorpe ( @johanek ) for his support. ! fix, pre_tag_map: removed constraint for 'ip' keyword for nfacctd and sfacctd maps. While this is equivalent syntax to specifying rules with 'ip=0.0.0.0/0', it allows for map indexing (maps_index: true). ! fix, bgp_agent_map: improved sanity check against bgp_ip for IPv6 addresses (ie. an issue appeared for the case of '::1' where the first 64 bits are zeroed out). Thanks to Charlie Smurthwaite ( @catphish ) for reporting the issue. ! fix, maps_index: indexing now correctly works for IPv6 pre_tag_map entries. That is, those where 'ip', the IP address of the NetFlow/ IPFIX/sFlow exporter, is an IPv6 address. ! fix, pre_tag_map: if mpls_vpn_rd matching condition is specified and maps_index is enabled, PT_map_index_fdata_mpls_vpn_rd_handler() now picks the right (and expected) info. ! fix, pkt_handlers.c: improved definition and condition to free() in bgp_ext_handler() in order to prevent SEGVs. Thanks to Paul Mabey for his support. ! fix, kafka_common.c: removed waiting time from p_kafka_set_topic(). Added docs advicing to create in advance Kafka topics. ! fix, sfacctd, sfprobe: tag and tag2 are now correctly re-defined as 64 bits long. ! fix, sfprobe plugin, sfacctd: tags and class primitives are now being encoded/decoded using enterprise #43874, legit, instead of #8800, that was squatted back in the times. See issue #71 on GiHub for more info. ! fix, sfacctd: lengthCheck() + skipBytes() were producing an incorrect jump in case of unknown flow samples. Replaced by skipBytesAndCheck(). Thanks to Elisa Jasinska ( @fooelisa ) for her support. ! fix, pretag_handlers.c: in bgp_agent_map added case for 'vlan and ...' filter values. ! fix, BGP daemon: multiple issues of partial visibility of the stored RIBs and SEGVs when bgp_table_per_peer_buckets was not left default: don't mess with bms->table_per_peer_buckets given the multi-threaded scenario. Thanks to Dan Berger ( @dfberger ) for his support. ! fix, BGP, BMP daemons: bgp_process_withdraw() function init aligned to bgp_process_update() in order to prevent SEGVs. Thanks to Yuri Lachin for his support. ! fix, bgp_msg.c: Route Distinguisher was stored and printed incorrectly when of type RD_TYPE_IP. Thanks to Alberto Santos ( @m4ccbr ) for reporting the issue. ! fix, bgp_logdump.c: p_kafka_set_topic() was being wrongly applied to an amqp_host structure (instead of a kafka_host structure). Thanks to Corentin Neau ( @weyfonk ) for reporting the issue. ! fix, BGP daemon: improved BGP next-hop setting and comparison in cases of MP_REACH_NLRI and MPLS VPNs. Many thanks to both Catalin Petrescu ( @cpmarvin ) and Alberto Santos ( @m4ccbr ) for their support. ! fix, pmbgpd, pmbmpd: pidfile was not written even if configured. Thanks to Aaron Glenn ( @aaglenn ) for reporting the issue. ! fix, tee plugin: tee_max_receiver_pools is now correctly honoured and debug message shows the replicatd protocol, ie. NetFlow/IPFIX vs sFlow. ! AMQP, Kafka plugins: separate JSON objects, newline separated, are preferred to JSON arrays when buffering of output is enabled (ie. kafka_multi_values) and output is set to JSON. This is due to quicker serialisation performance shown by the Jansson library. ! build system: switched to enable IPv6 support by default (while the --disable-ipv6 knob can be used to reverse the behaviour). Patch is courtesy by Elisa Jasinska ( @fooelisa ). ! build system: given visibility, ie. via -V CL option, into compile options enabled by default (ie. IPv6, threads, 64bit counters, etc.). ! fix, nfprobe: free expired records when exporting to an unavailable collector in order to prevent a memory leak. Patch is courtersy by Vladimir Kunschikov ( @kunschikov ). ! fix, AMQP plugin: set content type to binary in case of Apache Avro output. ! fix, AMQP, Kafka plugins: optimized amqp_avro_schema_routing_key and kafka_avro_schema_topic. Avro schema is built only once at startup. ! fix, cfg.c: improved parsing of config key-values where squared brakets appear in the value part. Thanks to Brad Hein ( @regulatre ) for reporting the issue. Also, detection of duplicates among plugin and core process names was improved. ! fix, misc: compiler warnings: fix up missing includes and prototypes; the patch is courtesy by Tim LaBerge ( @tlaberge ). ! kafka_consumer.py, amqp_receiver.py: Kafka, RabbitMQ consumer example scripts have been greatly expanded to support posting to a REST API or to a new Kafka topic, including some stats. Also conversion of multiple newline-separated JSON objects to a JSON array has been added. Misc bugs were fixed. 1.6.1 -- 31-10-2016 + Introduced pmbgpd daemon: a stand-alone BGP collector daemon; acts as a passive neighbor and maintains per-peer RIBs; can log real-time and/or dump at regular time-intervals BGP data to configured backends. + Introduced pmbmpd daemon: a stand-alone BMP collector daemon; can log real-time and/or dump at regular time-intervals BMP and BGP data to configured backends. + Introduced Apache Avro as part of print, AMQP and Kafka output: Apache Avro is a data serialization system providing rich data structures, a compact, fast, binary data format, a container file to store persistent data, remote procedure call (RPC) and simple integration with dynamic languages. The implementation is courtesy by Codethink Ltd. + as_path, std_comm and ext_comm primitives: along with their src counter parts, ie. src_as_path etc., have been re-worked to a variagle-length internal representation which will lead, when using BGP primitives, to memory savings of up to 50% compared to previous releases. + std_comm, ext_comm primitives: primitives are de-coupled so that they are not multiplexed anymore in the same field, on output. Added a tmp_comms_same_field config directive for backward compatibility. + nfacctd: added support for repeated NetFlow v9/IPFIX field types. Also flowStartDeltaMicroseconds (IE #158) and flowEndDeltaMicroseconds (#159) are now supported for timestamping. + kafka plugin: it is now possible to specify -1 (RD_KAFKA_RTITION_UA) as part of the kafka_partition config directive. Also, introduced support for Kafka partition keys via kafka_partition_key and equivalent config directives. + kafka plugin: kafka_broker_host directive now allows to specify multiple brokers, ie. "broker1:10000,broker2". The feature relies on capabilities of underlying rd_kafka_brokers_add(). + tee, nfprobe, sfprobe plugins: introduced Kafka support for internal pipe and buffering, ie. plugin_pipe_kafka. This is in addition to the existing support for homegrown internal buffering and RabbitMQ. + tee plugin: introduced support for variable-length buffers which reduces CPU utilization. + print, MongoDB, AMQP and Kafka plugins: re-worked max_writers feature to not rely anymore on waitpid() inside signal handlers as it was failing on some OS versions (and could not be reproduced on others). Thanks to Janet Sullivan for her support. + bgp_follow_nexthop_external: introduced feature to return, when true, the next-hop from the routing table of the last node part of the supplied IP prefix(es) as value for the 'peer_ip_dst' primitive. When false, default, it returns the IP address of the last node part of the bgp_follow_nexthop config key. + pmtelemetryd: added initial support for GPB. Input GPB data is currently base64'd in the telemetry_data field of the daemon output JSON object. + pmtelemetryd: Added telemetry statistics. For each peer, track the number of packets received, how many bytes are pulled off the wire, and the resulting message payload. Dump these counts in logdump. Patch is courtesy by Tim LaBerge. + amqp_markers, kafka_markers: added start/end markers feature to AMQP and Kafka plugins output same as for the print plugin (print_markers). + pre_tag_map: 'direction' keyword now applies to sFlow too: it does expect values 0 (ingress direction) or 1 (egress direction), just like before. In sFlow v2/v4/v5 this returns a positive match if: 1) source_id equals to input interface and this 'direction' key is set to '0' or 2) source_id equals to output interface and this 'direction' key is set to '1'. + bgp_agent_map: introduced support for input and output interfaces. This is relevant to VPN scenarios. + tmp_asa_bi_flow hack: bi-flows use two counters to report counters, ie. bytes and packets, in forward and reverse directions. This hack (ab)uses the packets field in order to store the extra bytes counter. ! fix, nfacctd: debugging NetFlow v9/IPFIX templates, added original field type number to the output when the field is known and its description is presented. ! fix, Jansson: added JSON_PRESERVE_ORDER flag to json_dumps() to give output consistency across runs. ! fix, kafka_common.c: added rd_kafka_message_destroy() to p_kafka_consume_ _data() to prevent memory leaks. Thanks to Paul Mabey for his support solving the issue. ! fix, kafka_common.c: p_kafka_set_topic() now gives it some time for the topic to get (auto) created, if needed. ! fix, print plugin: improved check for when to print table title (csv, formatted). Either 1) print_output_file_append is set to false or 2) print_output_file_append is set to true and file is to be created. ! fix, print_markers: start marker is now printed also in the case where print_output_file_append is set to true. Also, markers are now printed as a JSON object, if output is set to JSON. ! fix, pkt_handlers.c: removed l3_proto checks from NF_peer_dst_ip_handler() for cases where a v6 flows has a v4 BGP next-hop (ie. vpnv6) ! fix, pre_tag_map: removed 32 chars length limit from set_label statement. ! fix, custom primitives: names are now interpreted as case-insensitive. Patch is courtesy by Corentin Neau. ! fix, BGP, BMP and Streaming Telemetry: if reopening [bgp, bmp, telemetry]_ daemon_msglog_file via SIGHUP, reset reload flag. ! fix, BGP, BMP and Streaming Telemetry: removed gettimeofday() from bgp_ peer_dump_init() and bgp_peer_dump_close() in order to maintain a single timestamp for a full dump event. Thanks to Tim LaBerge for his support. ! fix, BGP, BMP and Streaming Telemetry: output log and dump messages went through a general review to improve information consistency and usability. Message formats are now documented in docs/MSGLOG_DUMP_FORMATS so to more easily track future changes. ! fix, pmtelemetryd: avoiding un-necessary spawn of a default plugin if none is defined. ! fix, pmtelemetryd: Mask SIGCHLD during socket IO. If we happen to be blocked in recv() while a log dump happens, recv() will fail with EINTR. This is to mask SIGCHLD during socket IO and restores the original mask after the IO completes. Patch is courtesy by Tim LaBerge. ! fix, build system: misc improvements made to the build system introduced in 1.6.0. Thanks to Vincent Bernat for his support in this area. ! fix, compiler warnings: ongoing effort to suppress warning messages when compiling. Thanks to Tim LaBerge, Matin Mitchell for their contributions. 1.6.0 -- 07-06-2016 + Streaming telemetry daemon: quoting Cisco IOS-XR Telemetry Configuration Guide at the time of this writing: "Streaming telemetry [ .. ] data can be used for analysis and troubleshooting purposes to maintain the health of the network. This is achieved by leveraging the capabilities of machine-to-machine communication. [ .. ]" Streming telemetry support comes in two flavours: 1) a telemetry thread can be started in existing daemons, ie. sFlow, NetFlow/IPFIX, etc. for the purpose of data correlation and 2) a new daemon pmtelemetryd for standalone consumpton of data. Streaming network telemetry data can be logged real-time and/or dumped at regular time intervals to flat-files, RabbitMQ or Kafka brokers. + BMP daemon: introduced support for Route Monitoring messages. RM messages "provide an initial dump of all routes received from a peer as well as an ongoing mechanism that sends the incremental routes advertised and withdrawn by a peer to the monitoring station". Like for BMP events, RM messages can be logged real-time and/or dumped at regular time intervals to flat-files, RabbiMQ and Kafka brokers. RM messages are also saved in a RIB structure for IP prefix lookup. + uacctd: ULOG support switched to NFLOG, the newer and L3 independent Linux packet logging framework. One of the key advantages of NFLOG is support for IPv4 and IPv6 (whereas ULOG was restricted to IPv4 only). The code has been contributed by Vincent Bernat ( @vincentbernat ). + build system: it was modernized so not to rely on specific and old versions of automake and autoconf, as it was the case until 1.5. Among the things, pkg-config and libtool are leveraged and an autogen.sh script is generated. The code has been contributed by Vincent Bernat ( @vincentbernat ). + sfacctd: RabbitMQ and Kafka support was introduced to real-time log and/ or dump at regular time intervals of sFlow counters. This is in addition to existing support for flat-files. + maps_index: several improvements were carried out in the area of indexing of maps: optimizations to pretag_index_fill() and pretag_index_lookup() to improve lookup speeds; optimized id_entry structure, ie. by splitting key and non-key parts, and hashing key in order to consume less memory; added duplicate entry detection (cause of sudden index destruction); pretag_index_destroy() destroys hash keys for each index entry, solving a memory leak issue. Thanks to Job Snijders ( @job ) for his support. + Introduced 'export_proto_seqno' aggregation primitive to report on sequence number of the export protocol (ie. NetFlow, sFlow, IPFIX). This feature may enable more advanced offline analysis of packet loss, out of orders, etc. over time windows than basic online analytics provided by the daemons. + log.c: logging moved from standard output (stdout) to standard error (stderr) so to not conflict with stdout printing of statistics (print plugin). Thanks to Jim Westfall ( @jwestfall69 ) for his support. + print plugin: introduced a new print_output_lock_file config directive to lock standard output (stdout) output so to prevent multiple processes (instances of the same print plugin or different instances of print plugin) overlap output. Thanks to Jim Westfall ( @jwestfall69 ) for his support. + pkt_handlers.c: euristics in NetFlow v9/IPFIX VLAN handler were improved for the case of flows in egress direction. Also IP protocol checks were removed for UDP/TCP ports and TCP flags in case the export protocol is NetFlow v9/IPFIX. Thanks to Alexander Ponamarchuk for his support. ! Code refactoring: improved re-usability of much of the BGP code (so to make it possible to use it as a library for some BMP daemon features, ie. Route Monitoring messages support); consolidated functions to handle log and print plugin output files; improved log messages to always include process name and type. ! fix, bpf_filter.c: issue compiling against libpcap 1.7.x; introduced a check for existing bpf_filter() in libpcap in order to prevent namespace conflicts. ! fix, tmp_net_own_field default value changed to true. This knob can be still switched to false for this release but is going to be removed soon. ! fix, cfg.c, cfg_handlers.c, pmacct.c: some configuration directives and pmacct CL parameters requiring string parsing, ie. -T -O -c, are now passed through tolower(). ! fix, MongoDB plugin: removed version check around mongo_create_index() and now defaulting to latest MongoDB C legacy driver API. This is due to some versioning issue in the driver. ! fix, timestamp_arrival: primitive was reporting incorrect results (ie. always zero) if timestamp_start or timestamp_end were not also specified as part of the same aggregation method. Many thanks to Vincent Morel for reporting the issue. ! fix, thread stack: a value of 0, default, leaves the stack size to the system default or pmacct minimum (8192000) if system default is too low. Some systems may throw an error if the defined size is not a multiple of the system page size. ! fix, nfacctd: improved NetFlow v9/IPFIX parsing. Added new length checks and fixed some existing checks. Thanks to Robert Wuttke ( @Benocs ) for his support. ! fix, pretag_handlers.c: BPAS_map_bgp_nexthop_handler() and BPAS_map_bgp_ peer_dst_as_handler() were not setting a func_type. ! fix, JSON support: Jansson 2.2 does not have json_object_update_missing() function which was introduced in 2.3. This is not provided as part of a jansson.c file and compiled in conditionally, if needed. Jansson 2.2 is still shipped along by some recent OS releases. Thanks to Vincent Bernat ( @vincentbernat ) for contributing the patch. ! fix, log.c: use a format string when calling syslog(). Passing directly a potentially uncontrolled string could crash the program if the string contains formatting parameters. Thanks to Vincent Bernat ( @vincentbernat ) for contributing the patch. ! fix, sfacctd.c: default value for config.sfacctd_counter_max_nodes was set after sf_cnt_link_misc_structs(). Thanks to Robin Douine for his support resolving the issue. ! fix, sfacctd.c: timestamp was consistently being reported as null in sFlow counters output. Thanks to Robin Douine for his support resolving the issue. ! fix, SQL plugins: $SQL_HISTORY_BASETIME environment variable was reporting a wrong value (next basetime) in the sql_trigger_exec script. Thanks to Rain Nõmm for reporting the issue. ! fix, pretag.c: in pretag_index_fill(), replaced memcpy() with hash_dup_key() also a missing res_fdata initialization in pretag_index_lookup() was solved; these issues were originating false negatives upon lookup. Thanks to Rain Nõmm fo his suppor. ! fix, ISIS daemon: hash_* functions renamed into isis_hash_* to avoid name space clashes with their BGP daemon counter-parts. ! fix, kafka_common.c: rd_kafka_conf_set_log_cb moved to p_kafka_init_host() due to crashes seen in p_kafka_connect_to_produce(). Thanks to Paul Mabey for his support resolving the issue. ! fix, bgp_lookup.c: bgp_node_match_* were not returning any match in bgp_follow_nexthop_lookup(). Thanks to Tim Jackson ( @jackson-tim ) for his support resolving the issue. ! fix, sql_common.c: crashes observed when nfacctd_stitching was set to true and nfacctd_time_new was set to false. Thanks to Jaroslav Jiráse ( @jjirasek ) for his support solving the issue. - SQL plugins: sql_recovery_logfile feature was removed from the code due to lack of support and interest. Along with it, also pmmyplay and pmpgplay tools have been removed. - pre_tag_map: removed support for mpls_pw_id due to lack of interest. 1.5.3 -- 14-01-2016 + Introduced the Kafka plugin: Apache Kafka is publish-subscribe messaging rethought as a distributed commit log. Its qualities being: fast, scalable, durable and distributed by design. pmacct Kafka plugin is designed to send aggregated network traffic data, in JSON format, through a Kafka broker to 3rd party applications. + Introduced Kafka support to BGP and BMP daemons, in both their msglog and dump flavors (ie. see [bgp|bmp]_daemon_msglog_kafka_broker_host and [bgp_table|bmp]_dump_kafka_broker_host and companion config directives). + Introduced support for a Kafka broker to be used for queueing and data exchange between Core Process and plugins. plugin_pipe_kafka directive, along with all other plugin_pipe_kafka_* directives, can be set globally or apply on a per plugin basis - similarly to what was done for RabbitMQ (ie. plugin_pipe_amqp). Support is currently restricted only to print plugin. + Added a new timestamp_arrival primitive to expose NetFlow/IPFIX records observation time (ie. arrival at the collector), in addition to flows start and end times (timestamp_start and timestamp_end respectively). + plugin_pipe_amqp: feature extended to the plugins missing it: nfprobe, sfprobe and tee. + Introduced bgp_table_dump_latest_file: defines the full pathname to pointer(s) to latest file(s). Update of the latest pointer is done evaluating files modification time. Many thanks to Juan Camilo Cardona ( @jccardonar ) for proposing the feature. + Introduced pmacctd_nonroot config directive to allow to run pmacctd from a user with non root privileges. This can be desirable on systems supporting a tool like setcap, ie. 'setcap "cap_net_raw,cap_net_admin=ep" /path/to/pmacctd', to assign specific system capabilities to unprivileged users. Patch is courtesy by Laurent Oudot ( @loudot-tehtris ). + Introduced plugin_pipe_check_core_pid: when enabled (default), validates the sender of data at the plugin side. Useful when plugin_pipe_amqp or plugin_pipe_kafka are enabled and hence a broker sits between the daemon Core Process and the Plugins. + A new debug_internal_msg config directive to specifically enable debug of internal messaging between Core process and plugins. ! bgp_table_dump_refresh_time, bmp_dump_refresh_time: max allowed value raised to 86400 from 3600. ! [n|s]facctd_as_new renamed [n|s]facctd_as; improved input checks to all *_as (ie. nfacctd_as) and *_net (ie. nfacctd_net) config directives. ! pkt_handlers.c: NF_sampling_rate_handler(), SF_sampling_rate_handler() now perform a renormalization check at last (instead of at first) so to report the case of unknown (0) sampling rate. ! plugin_pipe_amqp_routing_key: default value changed to '$core_proc_name- $plugin_name-$plugin_type'. Also, increased flexibility for customizing the key with the use of variables (values computed at startup). ! Improved amqp_receiver.py example with CL arguments and better exception handling. Also removed file amqp_receiver_trace.py, example is now merged in amqp_receiver.py. ! fix, BGP daemon: several code optimizations and a few starving conditions fixed. Thanks to Markus Weber ( @FvDxxx ) for his peer index round-robin patch; thanks also to Job Snijders ( @job ) for his extensive support in this area. ! fix, BMP daemon: greatly improved message parsing and segment reassembly; RabbitMQ broker support found broken; several code optimizations are also included. ! fix, bgp_table.c: bgp_table_top(), added input check to prevent crashes in cases table contains no routes. ! fix, networks_file: missing atoi() for networks_cache_entries. Patch is courtesy by Markus Weber ( @FvDxxx ). ! fix, plugin_pipe_amqp_routing_key: check introduced to prevent multiple plugins to bind to the same RabbitMQ exchange, routing key combination. Thanks to Jerred Horsman for reporting the issue. ! fix, MongoDB plugin: added a custom oid fuzz generator to prevent concurrent inserts to fail; switched from deprecated mongo_connect() to mongo_client(); added MONGO_CONTINUE_ON_ERROR flag to mongo_insert_batch along with more verbose error reporting. Patches are all courtesy by Russell Heilling ( @xchewtoyx ). ! fix, nl.c: increments made too early after introduction of MAX_GTP_TRIALS Affected: pmacctd processing of GTP in releases 1.5.x. Patch is courtesy by TANAKA Masayuki ( @tanakamasayuki ). ! fix, pkt_handlers.c: improved case for no SAMPLER_ID, ALU & IPFIX in NF_sampling_rate_handler() on par with NF_counters_renormalize_handler(). ! fix, SQL scripts: always use "DROP TABLE IF EXISTS" for both PostgreSQL and SQLite. Pathes are courtesy by Vincent Bernat ( @vincentbernat ). ! fix, plugin_hooks.c: if p_amqp_publish_binary() calls were done while a sleeper thread was launched, a memory corruption was observed. ! fix, util.c: mkdir() calls in mkdir_multilevel() now default to mode 777 instead of 700; this allows more play with files_umask (by default 077). Thanks to Ruben Laban for reporting the issue. ! fix, BMP daemon: solved a build issue under MacOS X. Path is courtesy by Junpei YOSHINO ( @junpei-yoshino ). ! fix, util.c: self-defined Malloc() can allocate more than 4GB of memory; function is also now renamed pm_malloc(). ! fix, PostgreSQL plugin: upon purge, call sql_query() only if status of the entry is SQL_CACHE_COMMITTED. Thanks to Harry Foster ( @harryfoster ) for his support resolving the issue. ! fix, building system: link pfring before pcap to prevend failures when linking. Patch is courtesy by @matthewsf . ! fix, plugin_common.c: memory leak discovered when pending queries queue was involved (ie. cases where print_refresh_time > print_history). Thanks to Edward Henigin for reporting the issue. 1.5.2 -- 07-09-2015 + Introduced support for a RabbitMQ broker to be used for queueing and data exchange between Core Process and plugins. This is in alternative to the home-grown circular queue implementation. plugin_pipe_amqp directive, along with all other plugin_pipe_amqp_* directives, can be set globally or apply on a per plugin basis (ie. it is a valid scenario, if multiple plugins are instantiated, that some make use of home-grown queueing, while others use RabbitMQ based queueing). + Introducting support for Maximind GeoIP v2 (libmaxminddb) library: if pmacct is compiled with --enable-geoipv2, this defines full pathname to a Maxmind GeoIP database v2 (libmaxminddb) Only the binary database format is supported (ie. it is not possible to load distinct CSVs for IPv4 and IPv6 addresses). + Introduced infrastructure for sFlow counters and support specifically for generic, ethernet and vlan counters. Counters are exported in JSON format to files, specified via sfacctd_counter_file. The supplied filename can contain as variable the sFlow agent IP address. + Introduced a new thread_stack config directive to allow to modify the thread stack size. Natanael Copa reported that some libc implementations, ie. musl libc, may set a stack size that is too small by default. + Introduced networks_file_no_lpm feature: it applies when aggregation method includes src_net and/or dst_net and nfacctd_net (or equivalents) and/or nfacctd_as_new (or equivalents) are set to longest (or fallback): an IP prefix defined as part of the supplied networks_file wins always, even if it's not longest. + tee plugin: added support for (non-)transparent IPv6 replication [further QA required] + plugin_common.c, sql_common.c: added log message to estimate base cache memory usage. + print, AMQP, MongoDB plugins; sfacctd, BGP, BMP daemons: introducing timestamps_since_epoch to write timestamps in 'since Epoch' format. + nfacctd: flow bytes counter can now be sourced via element ID #352 (layer2OctetDeltaCount) in addition to element ID's already supported. Thanks to Jonathan Thorpe for his support. + Introducing proc_priority: redefines the process scheduling priority, equivalent to using the 'nice' tool. Each daemon process, ie. core, plugins, etc., can define a different priority. ! fix, BMP daemon: improved preliminar checks in bmp_log_msg() and added missing SIGHUP signal handling to reload bmp_daemon_msglog_file files. ! fix, bgp_logdump.c: under certain configuration conditions call to both write_and_free_json() and write_and_free_json_amqp() was leading to SEGV. Thanks to Yuriy Lachin for reporting the issue. ! fix, BGP daemon: improved BGP dump output: more accurate timestamping of dump_init, dump_close events. dump_close now mentions amount of entries and tables dumped. Thanks to Yuriy Lachin for brainstorming around this. ! fix, cfg.c: raised amount of allowed config lines from 256 to 8K. ! fix, print/AMQP/MongoDB plugins: SEGV observed when IPFIX vlen variables were stored in the pending_queries_queue structure (ie. as a result of a time mismatch among the IPFIX exporter and the collector box). ! fix, vlen primitives: when 'raw' semantics was selected, print_hex() was returning wrong hex string length (one char short). As a consequence occasionally some extra dirty chars were seen at the end of the converted string. ! fix, vlen primitives: memory leak verified in print/AMQP/MongoDB plugins. ! fix, print, MongoDB & AMQP plugins: dirty values printed as part of the 'proto' under certain conditions. Thanks to Rene Stoutjesdijk for his support resolving the issue. ! fix, amqp_common.c: amqp_exchange_declare() call changed so to address the change of rabbitmq-c API for support of auto_delete & internal for exchange.declare. Backward compatibility with rabbitmq-c <= 0.5.2 is also taken care of. Thanks to Brent Van Dussen for reporting the issue. ! fix, compiling on recent FreeBSD: solved some errors catched by the -Wall compiler flag. Thanks to Stephen Fulton for reporting the issue. Most of the patch is courtesy by Mike Bowie. ! fix, print/AMQP/MongoDB plugins: enforcing cleanup of malloc()ed structs part of entries added to the pending queue, ie. because seen as future entries due to a mismatch of the collector clock with the one of NetFlow/ IPFIX exporter(s). This may have lead to data inconsistencies. ! fix, amqp_common.c: Content type was only specified for messages published when the amqp_persistent_msg configuration option is specified. This info should always be applied to describe the payload of the message. Patch is courtesy by Will Dowling. ! fix, amqp_plugin.c: generate an error on compile if --enable-rabbitmq is specified without --enable-jansson. It's clear in the documentation that both are required for AMQP support, but if built without jansson it will silently not publish messages to AMQP. Patch is courtesy by Will Dowling. ! fix, amqp_common.c: modified the content type to "application/json" in line with RFC4627. Patch is courtesy by Will Dowling. ! fix, setsockopt(): u_int64_t pipe_size vars changed to int, in line with typical OS buffer limits (Linux, Solaris). Introduced check supplied pipe size values are not bigger than INT_MAX. Many thanks to Markus Weber for reporting the issue. ! fix, nl.c: removed pretag_free_label() from pcap_cb() and ensuring init of pptrs. Under certain conditions SEGVs could be noticed. ! fix, flow stitching: when print/AMQP/MongoDB plugins were making use of the pending queries queue, ie. to compensate for time offsets/flows in the future, the stitching feature could potentially lead to SEGV due to unsettled pointers. ! fix, pgsql plugin: SEGV were noticed when insert/update queries to the PostgreSQL database were returning different than PGRES_COMMAND_OK, hence triggering the reprocess mechanism. Thanks very much to Alan Turower for his support. ! fix, improved logging of elements received/sent at buffering point between core process and plugins. Also added explicit start/end purge log message for cases in which there is no data to purge. ! fix, signals.c: ignore_falling_child() now logs if a child process exited with abnormal conditions; this is useful to track writer processes (created by plugins) are terminated by a signal, ie. SEGV. This is already the case for plugins themselves, with the Core Process reporting a simlar log message in case of abnormal exit. Thanks very much to Rene Stoutjesdijk for his support. ! fix, preprocess-data.h: added supported functions minf, minb, minbpp and minppf to non SQL plugins. Thanks to Jared Deyo for reporting the issue. ! fix, nfprobe_plugin.c: IP protocol was not set up correctly for IPv6 traffic in NetFlow v9/IPFIX. Thanks to Gabriel Vermeulen his support solving the issue. 1.5.1 -- 21-02-2015 + BMP daemon: BMP, BGP Monitoring Protocol, can be used to monitor BGP sessions. The current implementation is base on the draft-ietf-grow-bmp-07 IETF draft. The daemon currently supports BMP events and stats only, ie. initiation, termination, peer up, peer down and stats reports messages. Route Monitoring is future (upcoming) work but routes can be currently sourced via the BGP daemon thread (best path only or ADD-PATH), making the two daemons complementary. The daemon enables to write BMP messages to files or AMQP queues, real-time (msglog) or at regular time intervals (dump) and is a separate thread in the NetFlow (nfacctd) or sFlow (sfacctd) collectors. + tmp_net_own_field directive is introduced to record both individual source and destination IP addresses and their IP prefix (nets) as part of the same aggregation method. While this should become default behaviour, a knob for backward-compatibility is made available for all 1.5 until the next major release. + Introduced nfacctd_stitching and equivalents (ie. sfacctd_stitching): when set to true, given an aggregation method, two new non-key fields are added to the aggregate upon purging data to the backend: timestamp_min is the timestamp of the first element contributing to a certain aggregate and timestamp_max is the timestamp of the last element. In case the export protocol provides time references, ie. NetFlow/IPFIX, these are used; if not the current time (hence time of arrival to the collector) is used instead. + Introduced amqp_routing_key_rr feature to perform round-robin load- balancing over a set of routing keys. This is in addition to existing, and more involved, functionality of tag-based load-balancing. + Introduced amqp_multi_values feature: this is same feature in concept as sql_multi_values (see docs). The value is the amount of elements to pack in each JSON array. + Introduced amqp_vhost and companion (ie. bgp_daemon_msglog_amqp_vhost) configuration directives to define the AMQP/RabbitMQ server virtual host. + BGP daemon: bgp_daemon_id now allows to define the BGP Router-ID disjoint from the bgp_daemon_ip definition. Thanks to Bela Toros for his patch. + tee plugin: introduced tee_ipprec feature to color replicated packets, both in transparent and non-transparent modes. Useful, especially when in transparent mode and replicating to hosts in different subnets, to verify which packets are coming from the replicator. + tee plugin: plugin-kernel send buffer size is now configurable via a new config directive tee_pipe_size. Improved logging of send() failures. + nfacctd: introduced support for IPFIX sampling/renormalization using element IDs: #302 (selectorId), #305 (samplingPacketInterval) and #306 (samplingPacketSpace). Many thanks to Rene Stoutjesdijk for his support. + nfacctd: added also support for VLAN ID for NetFlow v9/IPFIX via element type #243 (it was already supported via elements #58 and #59). Support was also added for 802.1p/CoS via element #244. + nfacctd: added native support for NetFlow v9/IPFIX IE #252 and #253 as part of existing primitives in_iface and out_iface (additional check). + pre_tag_map: introduced 'cvlan primitive. In NetFlow v9 and IPFIX this is compared against IE #245. The primitive also supports map indexing. + Introduced pre_tag_label_filter to filter on the 'label' primitive in a similar way how the existing pre_tag_filter feature works against the 'tag' primitive. Null label values (ie. unlabelled data) can be matched using the 'null' keyword. Negations are allowed by pre-pending a minus sign to the label value. + IMT plugin: introduced '-i' command-line option to pmacct client tool: it shows last time (in seconds) statistis were cleared via 'pmacct -e'. + print, MongoDB & AMQP plugins: sql_startup_delay feature ported to these plugins. ! sql_num_hosts: the feature has been improved to support IPv6 addresses. Pre-requisite is definition of INET6_ATON() function in the RDBMS, which is the case for MySQL >= 5.6.3. In SQLite such function has to be defined manually. ! nfacctd: improved NF_evaluate_flow_type() euristics to reckon NetFlow/ IPFIX event (NAT, Firewall, etc.) vs traffic (flows) records. ! fix, GeoIP: spit log notification (warning) in case GeoIP_open() returns null pointer. ! fix, IMT plugin: pmacct client -M and -N queries were failing to report results on exact matches. Affected: 1.5.0. Thanks to Xavier Vitard for reporting the issue. ! fix, pkt_handlers.c: missing else in NF_src_host_handler() was causing IPv6 prefix being copied instead of IPv6 address against NetFlow v9 recs containing both info. ! fix, uacctd: informational log message now shows the correct group the daemon is bound to. Thanks to Marco Marzetti for reporting the issue. ! fix, nfv9_template.c: missing byte conversion while decoding templates was causing SEGV under certain conditions. Thanks to Sergio Bellini for reporting the issue. 1.5.0 -- 28-08-2014 + Introduced bgp_daemon_msglog_file config directive to enable streamed logging of BGP messages/events. Each log entry features a time reference, BGP peer IP address, event type and a sequence number (to order events when time reference is not granular enough). BGP UPDATE messages also contain full prefix and BGP attributes information. Example given in QUICKSTART file, chapter XIIf. + Introduced dump of BGP tables at regular time intervals. The filename, which can include variables, is set by bgp_table_dump_file directive. The output format, currently only JSON, can be set in future via the bgp_table_dump_output directive. The time interval between dumps can be set via the bgp_table_dump_refresh_time directive. Example given in QUICKSTART file, chapter XIIf. + Introduced support for internally variable-length primitives (likely candidates are strings). Introduced also the 'label' primitive which is a variable-length string equivalent of tag and tag2 primitives. Its value are set via a 'set_label' statement in a pre_tag_map (see examples/ pretag.map.example). If, ie. as a result of JEQ's in a pre_tag_map, multiple 'set_label' are applied, then default operation is append labels and separate by a comma. + pmacct project has been assigned PEN #43874. nfprobe plugin: tag, tag2, label primitives are now encoded in IPFIX making use of the pmacct PEN. + Ported preprocess feature to print, MongoDB and AMQP plugins. Preprocess allows to process aggregates (via a comma-separated list of conditionals and checks) while purging data to the backend thus resulting in a powerful selection tier. minp, minb, minf, minbpp, minppf checks have been currently ported. As a result of the porting a new set of config directives are added, ie. print_preprocess and print_preprocess_type. + print, MongoDB & AMQP plugins: if data (start/base) time is greater than commit time then place in pending queue and after purging event re-insert in cache. Concept ported from SQL plugins. + MySQL, PostgreSQL plugins: sql_locking_style now supports keyword "none" to disable locking. This method can help in certain cases, for example when grants over the whole database (requirement for "table" locking in MySQL) is not available. + util.c: open_logfile() now calls mkdir_multilevel() to allow building intermediate directory levels, if not existing. This brings all log files in line with capabilities of print_output_file directive. + Introduced [u|pm]acctd_flow_tcp_lifetime to defines how long a TCP flow could remain inactive. This is in addition to [u|pm]acctd_flow_lifetime that allows to define the same for generic, ie. non-TCP, flows. Thanks to Stathis Gkotsis for his support. + Introducing nfacctd_account_options: if set to true account for NetFlow/ IPFIX option records as well as flow ones. pre_tag_map offers sample_type value of 'option' now to split option data records from flow ones. + nfprobe plugin: support for custom-defined primitives has been introduced in line with other plugins. With such feature it will be possible to augment NetFlow v9/IPFIX records with custom fields (in IPFIX also PENs are supported). + Built a minimal API, for internal use only, around AMQP. Goal is to make re-use of the same AMQP structures for different purposes (logging, BGP daemon dumps, AMQP plugin, etc.). ! fix, BGP daemon: introduced bgp_peer_info_delete() to delete/free BGP info after a BGP peer disconnects. ! fix, print, AMQP, memory plguins: when selecting JSON output, jansson library json_decref() is used in place of free() to free up memory allocated by JSON objects. Using free() was originating memory leaks. ! fix, AMQP plugin: in line with other plugins QN (query number or in case of AMQP messagess number) in log messages now reflects the real number of messages sent to the RabbitMQ message exchange and not just all messages in the queue. Thanks to Gabriel Snook for reporting the issue. ! fix, IMT plugin: memory leak due to missed calls to free_extra_allocs() in case all extras.off_* were null. Thanks to Tim Jackson for his support resolving the issue. ! fix, pmacctd: if reading from a pcap_savefile, introduce a short usleep() after each buffer worth of data so to give time plugins to process/cache it. ! fix, SQL plugins: SQL handler types now include primitives registry index ! fix, print, AMQP & MongoDB plugins: added free() for empty_pcust allocs ! fix, plugin hooks: improved checks to prevent the last buffer on a pipe to plugins (plugin_pipe_size) could go partly out of bounds. ! fix, nfacctd: improved handling of IPFIX vlen records. ! fix, nfprobe: SEGV if custom primitives are defined but array structure is not allocated. ! fix, nfprobe: wrong length was calculated in IPv6 templates for fields with PEN != 0. ! fix, plugin_common.c: declared struct pkt_data in P_cache_insert_pending to be pointed by prim_ptrs. primptrs_set_all_from_chained_cache() is now safe if prim_ptrs is null. ! fix, nfprobe: tackled the case of coexisting 1) PEN and non-PEN custom primitives and 2) variable and fixed custom primitives. ! fix, plugin_common.c: declared struct pkt_data in P_cache_insert_pending to be pointed by prim_ptrs. primptrs_set_all_from_chained_cache() is now safe if prim_ptrs is null. ! fix, lofging: selected configuration file is now logged. cfg_file is passed through realpath() in order to always log the absolute path. ! fix, print, MongoDB & AMQP plugins: pm_setproctitle() invoked upon forking writer processes in alignment with SQL plugins. ! fix, pmacct client: it's now possible to query and wildcard on primitives internally allocated over what_to_count_2 registry. 1.5.0rc3 -- 18-04-2014 + BGP daemon: support for BGP ADD-PATH capability draft-ietf-idr-add-paths has been introduced, useful to advertise known paths when BGP multi-path is enabled in a network. The correct BGP info is linked to traffic data using BGP next-hop (or IP next-hop if use_ip_next_hop is set to true) as selector among the paths available. + pre_tag_map: de-globalized the feature so that, while Pre-Tagging is evaluated in the Core Process, each plugin can be defined a own/local pre_tag_map. + maps_row_len: directive introduced to define the maximum length of map (ie. pre_tag_map) rows. The default value is suitable for most scenarios, though tuning it could be required either to save on memory or to allow for longer entries (ie. filters). + Introduced use_ip_next_hop config directive: when IP prefix aggregation (ie. nfacctd_net) is set to 'netflow', 'sflow' or 'fallback' populate 'peer_dst_ip' field from NetFlow/sFlow IP next hop field if BGP next-hop is not available. + AMQP plugin: implemented persistent messaging via amqp_persistent_msg configuration directive so to protect against RabbitMQ restarts. Feature is courtesy by Nick Douma. + pmacct in-memory plugin client: -T option now supports how many entries to show via ',[<# how many>]' argument syntax. + nfprobe plugin: take BGP next-hop from a defined networks_file. This is in addition to existing feature to take BGP next-hop from a BGP feed. + Set of *_proc_name configuration directives renamed to core_proc_name. Value of core_proc_name is now applied to logging functions and process title. + Re-implemented reverse BGP lookup based primitives, src_as_path src_med src_std_comm src_ext_comm and src_local_pref, in print, MongoDB and AMQP plugins. Primitives have also been re-documented. + pre_tag_map: set_tag and set_tag2 can now be auto-increasing values, ie. "set_tag=1++": "1" being the selected floor value at startup and "++" instructs to increase the tag value at every pre_tag_map iteration. Many thanks to Brent Van Dussen and Gabriel Snook for their support. + Added support for NetFlow v9/IPFIX source/destination IPv4/IPv6 prefixes encoded as flow types: #44, #45, #169 and #170. + [sql|print|mongo|amqp]_history and sql_trigger_time can now be specified also in seconds, ie. as '300' or '300s' alternatively to '5m'. This is to ease syncronization of these values against refresh time to the backend, ie. sql_refresh_time. + Added post_tag2 configuration directive to set tag2 similarly to what post_tag does. + SQL plugins: agent_id, agent_id2 fields renamed to tag, tag2. Issued SQL table schema #9 for agent_id backward compatibility. Renaming agent_id2 to tag2 is going to be disruptive to existing deployments instead. UPGRADE doc updated. + print, MongoDB, AMQP plugins: added [print|mongo|amqp]_max_writers set of configuration directives to port from SQL plugins the idea of max number of concurrent writer processes the plugin is allowed to start. + util.c: comments can now start with a '#' symbol in addition to existing '!'. ! fix, BGP daemon: removed a non-contextual BGP message length check. Same check is already done in the part handling payload reassembly. ! fix, BGP daemon: MP_REACH_NLRI not assumed to be anymore at the end of a route announcement. ! fix, MySQL plugin: added linking of pmacct code against -lstdc++ and -lrt if MySQL plugin is enabled, pre-requisite for MySQL 5.6. Many thanks to Stefano Birmani for reporting the issue. ! fix, sql_common.c: memory leak affecting AS-PATH and BGP communities. Version 1.5.0rc2 affected. Thanks to Brent Van Dussen for his support solving the issue. ! fix, MongoDB plugin: timestamp_start, timestamp_end moved from timestamp type, reserved for internal use, to date. ! fix, print, memory, MongoDB, AMQP plugins: if no AS_PATH information is available an empty string, ie. "", is placed as value (instead of former "^$"). Similar stream-lining was done for communities. Many thanks to Brent Van Dussen and Elisa Jasinska for reporting the issue. ! fix, AMQP, MongoDB plugins: increased default refresh time to 60 secs, up from 10 and in line with SQL plugins value. ! fix, nfprobe plugin: IPv6 source/destination masks passed as IE #29 and #30 and not anymore as their IPv4 counterparts. ! fix, pmacct.c: clibuf variable now malloc'd at runtime so to not impact the data segment. ! fix, log.c: removed sbrk() calls when logging to Syslog. ! fix, pmacctd: If compiling against PF_RING, check and compile against libnuma and librt which are new requirement since version 5.6.2. Thanks to Joan Juvanteny for reporting the issue. ! fix, net_aggr.c: 'prev' array to keep track of hierarchies of networks was being re-initialized by some compilers. Thanks to Joan Juvanteny for reporting the issue. ! fix, MongoDB, JSON outputs: dst_host_country primitive was not properly shown. Patch is courtesy by Stig Thormodsrud. ! fix, pre_tag_map: a memory leak was found when reloading rules containing 'filter' keywords. Thanks to Matt Jenkins for his support resolving the issue. ! fix, server.c: countered a timing issue to ensure EOF is sent after data. Issue was originated by conjunction of non-blocking socket and multiple CPU cores. Thanks to Juan Camilo Cardona and Joel Ouellette Jr for their support. ! fix, acct.c: added length check to hash_crc32() of custom primitives as selective pmacct IMT client queries, ie. -M and -N, were failing to match entries. Thanks to Joel Ouellette Jr for his support. ! fix, nfacctd: NetFlow v9/IPFIX sampling correlation has been improved by placing system scoped sampling options in a separate table. Such table is queried if no matching sampler ID is found for a given . Sampling-related fields (ie. sampler ID, interval, etc.) are now all supported if 1, 2 or 4 bytes long. ! fix, nfacctd: improved handling of the NAT64 case for NSEL. Thanks to Gregoire Leroy for his support. ! fix, nfacctd, sfacctd and BGP daemon: if IPv6 is enabled, IPv4 mapped is supported and can't obtain an IPv6 socket to listen to, retry with a IPv4 one. 1.5.0rc2 -- 25-12-2013 + nfacctd: introduced support for variable-length IPFIX fields for custom- defined aggregation primitives: 'string' semantics is supported and maximum expected length of the field should be specified as 'len' primitive definition. Also PENs are now supported: field_type can be or :. Finally, 'raw' semantics to print raw data, fixed or variable length in hex format was added. + pmacctd, uacctd: introducing custom-defined aggregation primitives in libpcap and ULOG daemons. A new 'packet_ptr' keyword is supported in the aggregate_primitives map for the task: it defines the base pointer in the packet where to read the primitive value; intuitively, this is to be used in conjunction with 'len'. The supported syntax is: :[]+[]. 'layer' keys are: 'packet', 'mac', 'vlan', 'mpls', 'l3', 'l4', 'payload'. Examples are provided in 'examples/primitives.lst'. + nfacctd: introduced pro rating algorithm if sql_history is enabled and nfacctd_time_new is disabled. Although ideal, the feature is disabled by default for now and can be enabled by setting nfacctd_pro_rating to true. Given a NetFlow/IPFIX flow duration greater than time-bins size as configured by sql_history, bytes/packets counters are proportionally distributed across all time-bins spanned by the flow. Many thanks to Stefano Birmani for his support. + Introducing index_maps: enables indexing of maps to increase lookup speeds on large maps and/or sustained lookup rates. Indexes are automatically defined basing on structure and content of the map, up to a maximum of 8. Indexing of pre_tag_map, bgp_peer_src_as_map, flows_to_rd_map is supported. + BGP daemon: introduced bgp_daemon_interval and bgp_daemon_batch config directives: to prevent massive syncronization of BGP peers to contend resources, BGP sessions are accepted in batches: these define the time interval between any two batches and the amount of BGP peers in each batch respectively. + Introducing historical accounting offset (ie. sql_history_offset) to set an offset to timeslots basetime. If history is set to 30 mins (by default creating 10:00, 10:30, 11:00, etc. time-bins), with an offset of, say, 900 seconds (so 15 mins) it will create 10:15, 10:45, 11:15, etc. time- bins. + print, MongoDB, SQL plugins: improved placement of tuples in the correct table when historical accounting (ie. sql_history) and dynamic table names (ie. sql_table) features are both in use. + print, MongoDB, SQL plugins: dynamic file names (print plugin) and tables (MongoDB and SQL plugins) can now include $peer_src_ip, $tag and $tag2 variables: value is populated using the processed record value for peer_src_ip, tag, tag2 primitives respectively. + print plugin: introduced print_latest_file to point latest filename for print_output_file time-series. Until 1.5.0rc1 selection was automagic. But having introduced variable spool directory structures and primitives- related variables the existing basic scheme of producing pointers had to be phased-out. + IMT plugin: added EOF in the client-server communication so to detect uncompleted messages and print an error message. Thanks to Adam Jacob Muller for his proposal. + Introduced [nf|sf|pm]acctd_pipe size and bgp_daemon_pipe_size config directives to define the size of the kernel socket used read traffic data and for BGP messaging respectively. + pmacctd, uacctd: mpls_top_label, mpls_bottom_label and mpls_stack_depth primitives have been implemented. + pmacctd, uacctd: GTP tunnel handler now supports inspection of GTPv1. + pre_tag_map: results of evaluation of pre_tag_map, in case of a positive match, overrides any tags passed by nfprobe/sfprobe plugins via NetFlow/ sFlow export. + pre_tag_map: stack keyword now supports logical or operator (A | B) in addition to sum (A + B). + pre_tag_map: introduced 'mpls_pw_id' keyword to match the signalled MPLS L2 VPNs Pseudowire ID. In NetFlow v9/IPFIX this is compared against IE #249; in sFlow v5 this is compared against vll_vc_id field, extended MPLS VC object. + Introduced log notifications facility: allows to note down specific log notifications have been sent so to prevent excessive repetitive output. ! fix, plugin_hooks.c: plugin_buffer_size variables are bumped to u_int64_t ! fix, plugin_hooks.c: improved protection of internal pmacct buffering (plugin_buffer_size, plugin_pipe_size) from inconsistencies: buffer is now also invalidated by the core process upon first writing into it. Thanks to Chris Wilson for his support. ! fix, plugin_hooks.c: a simple default value for plugin_pipe_size and plugin_buffer_size is now picked if none is supplied. This is to get around tricky estimates. 1.5.0rc1 release affected. ! fix, ll.c: ntohl() done against a char pointer instead of u_int32_t one in MPLS handler was causing incorrect parsing of labels. Thanks to Marco Marzetti for his support. ! fix, net_aggr.c: IPv6 networks debug messages now report correctly net and mask information. Also IPv6 prefix to peer source/destination ASN was crashing due to an incorrect pointer. Finally applying masks to IPv6 addresses was not done correctly. Thanks to Brent Van Dussen for reporting the issue. ! fix, classifiers: slightly optimized search_class_id_status_table() and added warning message if the amount of classifiers exceeds configured number of classifier_table_num (by default 256). ! fix, pre_tag_map: if a JEQ can be resolved into multiple labels, stop to the first occurrence. ! fix, nfacctd, sfacctd: IPv6 was not being correctly reported due to a re-definition of NF9_FTYPE_IPV6. 1.5.0rc1 release affected. Thanks to Andrew Boey for reporting the issue. ! fix, nfacctd: when historical accounting is enabled, ie. sql_history, not assume anymore start and end timestamps to be of the same kind (ie. field type #150/#151, #152/#153, etc.). ! fix, BGP daemon: default BGP RouterID used if supplied bgp_daemon_ip is "0.0.0.0" or "::" ! fix, BGP daemon: the socket opened to accept BGP peerings is restricted to che core process (ie. closed upon instantiating the plugins). Thanks to Olivier Benghozi for reporting the issue. ! fix, BGP daemon: memory leak detected accepting vpnv4 and vpnv6 routes. Thanks to Olivier Benghozi for his support solving the issue. ! fix, BGP daemon: compiling the package without IPv6 support and sending ipv6 AF was resulting in a buffer overrun. Thanks to Joel Krauska for his support resolving the issue. ! fix, IMT plugin: when gracefully exiting, ie. via a SIGINT signal, delete the pipe file in place for communicating with the pmacct IMT client tool. ! fix, print, MongoDB, AMQP plugins: saved_basetime variable initialized to basetime value. This prevents P_eval_historical_acct() to consume much resources during the first time-bin, if historical accounting is enabled (ie. print_history). 1.5.0rc1 release affected. ! fix, print, MongoDB and SQL plugins: purge function is escaped if there are no elements on the queue to process. ! fix, AMQP plugin: removed amqp_set_socket() call so to be able to compile against rabbitmq-c >= 0.4.1 ! fix, MongoDB plugin: change of API between C driver version 0.8 and 0.7 affected mongo_create_index(). MongoDB C driver version test introduced. Thanks to Maarten Bollen for reporting the issue. ! fix, print plugin: SEGV was received if no print_output_file is specified ie. print to standard output. ! fix, MongoDB: optimized usage of BSON objects array structure. ! fix, MongoDB plugin: brought a few numerical fields, ie. VLAN IDs, CoS, ToS, etc. to integer representation, ie. bson_append_int(), from string one, ie. bson_append_string(). Thanks to Job Snijders for his support. ! fix, MySQL plugin: improved catching condition of sql_multi_value set too little value. Thanks to Chris Wilson for reporting the issue. ! fix, nfprobe plugin: catch ENETUNREACH errors instead of bailing out. Patch is courtesy by Mike Jager. 1.5.0rc1 -- 29-08-2013 + Introducing custom-defined aggregation primitives: primitives are defined via a file pointed by aggregate_primitives config directive. The feature applies to NetFlow v9/IPFIX fields only, and with a pre-defined length. Semantics supported are: 'u_int' (unsigned integer, presented as decimal number), 'hex' (unsigned integer, presented as hexa- decimal number), 'ip' (IP address), 'mac' (MAC address)and 'str' (string). Syntax along with examples are available in the 'examples/primitives.lst' file. + Introducing JSON output in addition to tabular and CSV formats. Suitable for injection in 3rd party tools, JSON has the advantage of being a self- consisting format (ie. compared to CSV does not require a table title). Library leveraged is Jansson, available at: http://www.digip.org/jansson/ + Introducing RabbitMQ/AMQP pmacct plugin to publish network traffic data to message exchanges. Unicast, broadcast, load-balancing scenarios being supported. amqp_routing_key supports dynamic elements, like the value of peer_src_ip and tag primitives or configured post_tag value, enabling selective delivery of data to consumers. Messages are encoded in JSON format. + pre_tag_map (and other maps): 'ip' key, which is compared against the IP address originating NetFlow/IPFIX or the AgentId field in sFlow, can now be an IP prefix, ie. XXX.XXX.XXX.XXX/NN, so to apply tag statements to set of exporters or 0.0.0.0/0 to apply to any exporter. Many thanks to Stefano Birmani for his support. + Re-introducing support for Cisco ASA NSEL export. Previously it was just a hack. Now most of the proper work done for Cisco NEL is being reused: post_nat_src_host (field type #40001), post_nat_dst_host (field type #40002), post_nat_src_port (field type #40003), post_nat_dst_port (field type #40004), fw_event (variant of nat_event, field type #40005) and timestamp_start (observation time in msecs, field type #323). + Introducing MPLS-related aggregation primitives decoded from NetFlow v9/ IPFIX, mpls_label_top mpls_label_bottom and mpls_stack_depth, so to give visibility in export scenarios on egress towards core, MPLS interfaces. + mpls_vpn_rd: primitive value can now be sourced from NetFlow v9/IPFIX field types #234 (ingressVRFID) and #235 (egressVRFID). This is in addition to existing method to source value from a flow_to_rd_map file. + networks_file: AS field can now be defined as "_", Useful also to define (or override) elments of an internal port-to-port traffic matrix. + print plugin: creation of intermediate directory levels is now supported; directories can contain dynamic time-based elements hence the amount of variables in a given pathname was also lifted to 32 from 8. + print plugin: introduced print_history configuration directive, which supports same syntax as, for example, sql_history. When enabled, time- related variables substitution of dynamic print_output_file names are determined using this value instead of print_refresh_time one. + Introducing IP prefix labels, ie. for custom grouping of own IP address space. The feature can be enabled by a --enable-plabel when configuring the package for compiling. Labels can be defined via a networks_file. + mongo_user and mongo_passwd configuration directive have been added in order to support authentication with MongoDB. If both are omitted, for backward compatibility, authentication is disabled; if only one of the two is specified instead, the other is set to its default value. + Introducing mongo_indexes_file config directive to define indexes in collections with dynamic name. If the collection does not exist yet, it is created. Index names are picked by MongoDB. + print plugin: introduced print_output_file_append config directive: if set to true allows the plugin to append to an output file rather than overwrite. + bgp_agent_map: added bgp_port key to lookup a NetFlow agent also against a BGP session port (in addition to BGP session IP address/router ID): it aims to support scenarios where BGP sessions do NAT traverals. + peer_dst_ip (BGP next-hop) can now be inferred by MPLS_TOP_LABEL_ADDR (NetFlow v9/IPFIX field type #47). This field might replace BGP next-hop when NetFlow is exported egress on MPLS-enabled core interfaces. + Introducing [nf|pm|sf|u]acctd_proc_name config directives to define the name of the core process (by default always set to 'default'). This is the equivalent to instantiate named plugins but for the core process. Thanks to Brian Rak for bringing this up. + pre_tag_map: introduced key 'flowset_id' to tag NetFlow v9/IFPIX data records basing on their flowset ID value, part of the flowset header. + pmacct client: introduced '-V' command-line option to verify version, build info and compile options passed to the configure script; also a new -a option now allows to retrieve supported aggregation primitives and their description. + Check for mallopt() has been added at configure time. mallopt() calls are introduced in order to disable glibc malloc() boundary checks. ! flow_to_rd_map replaces iface_to_rd_map, increasing its scope: it is now possible to map couples to BGP/ MPLS VPN Route Distinguishers (RD). This is in addition to existing mapping method basing on . ! fix, nfacctd, sfacctd: Setsocksize() call effectiveness is now verified via a subsequent getsockopt(). If result is different than expected, an informational log message is issued. ! fix, building system: removed stale check for FreeBSD4 and introduced check for BSD systems. If on a BSD system, -DBSD is now passed over to the compiler. ! fix, tee plugin: transparent mode now works on FreeBSD systems. Patch is courtesy by Nikita V. Shirokov. ! fix, peer_dst_ip: uninitialized pointer variable was causing unexpected behaviours. Thanks to Maarten Bollen for his support resolving this. ! fix, IMT plugin: selective queries with -M and -N switches verified not working properly. Thanks to Acipia organization for providing a patch. ! fix, sql_common.c: src_port and dst_port primitives correctly spelled if used in conjunction with BGP primitives. Thanks to Brent Van Dussen and Elisa Jasinska for flagging the issue. ! fix, building system: added library checks in /usr/lib64 for OS's where it is not linked to /lib where required. ! fix, print, MongoDB and AMQP plugins: P_test_zero_elem() obsoleted. Instead, the cache structure 'valid' field is used to commit entries to the backend. ! fix, nfacctd: in NetFlow v9/IPFIX, if no time reference is specified as part of records, fall back to time reference in datagram header. ! fix, MongoDB plugin: mongo_insert_batch() now bails out with MONGO_FAIL if something went wrong while processing elements in the batch and an error message is issued. Typical reason for such condition is batch is too big for the resources, mainly memory, available. Thanks very much to Maarten Bollen for his support. ! fix, cfg_handlers.c: all functions parsing configuration directives, and expecting string arguments, are now calling lower_string() so to act as case insensitive. ! fix, IPv6 & NetFlow exporter IP address: upon enabling IPv6, NetFlow exporter IP addresses were written as IPv4-mapped IPv6 address. This was causing confusion when composing maps since the 'ip' field would change depending on whether IPv6 was enabled or not. This is now fixed and IPv4- mapped IPv6 addresses are now internally translated to plain IPv4 ones. ! fix, nfacctd: NetFlow v9/IPFIX source/destination peer ASN information elements have been found mixed up and are now in proper order. 0.14.3 -- 03-05-2013 + tee plugin: a new tee_receivers configuration directive allows multiple receivers to be defined. Receivers can be optionally grouped, for example for load-balancing (rr, hash) purposes, and attached a list of filters (via tagging). The list is fully reloadable at runtime. + A new pkt_len_distrib aggregation primitive is introduced: it works by defining length distribution bins, ie. "0-999,1000-1499,1500-9000" via the new pkt_len_distrib_bins configuration directive. Maximum amount of bins that can be defined is 255; lengths must be within the range 0-9000. + Introduced NAT primitives to support Cisco NetFlow Event Logging (NEL), for Carrier Grade NAT (CGNAT) scenarios: nat_event, post_nat_src_host, post_nat_dst_host, post_nat_src_port and post_nat_dst_port. Thanks to Simon Lockhart for his input and support developing the feature. + Introduced timestamp primitives (to msec resolution) to support generic logging functions: timestamp_start, timestamp_end (timestamp_end being currently applicable only to traffic flows). These primitives must not be confused with existing sql_history timestamps which are meant for the opposite function instead, temporal aggregation. + networks_file: introduced support for (BGP) next-hop (peer_dst_ip) in addition to existing fields. Improved debug output. Also introduced a new networks_file_filter feature to make networks_file work as a filter in addition to its resolver functionality: if set to true net and host values not belonging to defined networks are zeroed out. See UPGRADE document for backward compatibility. + BGP daemon: added support for IPv6 NLRI and IPv6 BGP next-hop elements for rfc4364 BGP/MPLS Virtual Private Networks. + MongoDB plugin: introduced mongo_insert_batch directive to define the amount of elements to be inserted per batch - allowing the plugin to scale better. Thanks for the strong support to Michiel Muhlenbaumer and Job Snijders. + pre_tag_map: 'set_qos' feature introduced: matching network traffic is set 'tos' primitive to the specified value. This is useful if collecting ingress NetFlow/IPFIX at both trusted and untrusted borders, allowing to selectively override ToS values at untrusted ones. For consistency, pre_tag_map keys id and id2 have been renamed to set_tag and set_tag2; legacy jargon is still supported for backward compatibility. + sfacctd: improved support for L2 accounting, ethernet length is being committed as packet length; this information gets replaced by any length information will come from upper layers, if any is reported. Thanks to Daniel Swarbrick for his support. + nfacctd: introduced nfacctd_peer_as directive to value peer_src_as and peer_dst_as primitives from NetFlow/IPFIX export src_as and dst_as values respectively (ie. as a result of a "ip flow-export .. peer-as" config on the exporter). The directive can be plugin-specific. + print, memory plugins: print_output_separator allows to select separator for CSV outputs. Default comma separator is generally fine except for BGP AS-SET representation. ! Building sub-system: two popular configure switches, --enable-threads and --enable-64bit, are now set to true by default. ! fix, print & mongodb plugins: added missing cases for src_net and dst_net primitives. Thanks to John Hess for his support. ! fix, SQL plugins: improved handling of fork() calls when return value is -1 (fork failed). Many thanks to Stefano Birmani for his valuable support troubleshooting the issue. ! fix, ISIS daemon: linked list functions got isis_ prefix in order to prevent namespace clashes with other libraries (ie. MySQL) we link against. Thanks to Stefano Birmani for reporting the issue. ! fix, tee plugin: can't bridge AFs when in transparent mode is not fatal error condition anymore to tackle transient interface conditions. Error message is throttled to once per 60 secs. Thanks to Evgeniy Kozhuhovskiy for his support troubleshooting the issue. ! fix, nfacctd: extra length checks introduced when parsing NetFlow v9/ IPFIX options and data template flowsets. Occasional daemon crashes were verified upon receipt of malformed/incomplete template data. ! fix: plugins now bail out with an error message if core process is found dead via a getppid() check. - nfacctd_sql_log feature removed. The same can now be achieved with the use of proper timestamp primitives (see above). 0.14.2 -- 14-01-2013 + pmacct opens to MongoDB, a leading noSQL document-oriented database via a new 'mongodb' plugin. Feature parity is maintained with all existing plugins. The QUICKSTART doc includes a brief section on how to getting started with it. Using MongoDB >= 2.2.0 is recommended; MongoDB C driver is required. + GeoIP lookups support has been introduced: geoip_ipv4 and geoip_ipv6 config directives now allow to load Maxmind IPv4/IPv6 GeoIP database files; two new traffic aggregation primitives are added to support the feature: src_host_country and dst_host_country. Feature implemented against all deamons and all plugins and supports both IPv4 and IPv6. Thanks to Vincent Bernat for his patches and precious support. + networks_file: user-supplied files to define IP networks and their associations to ASNs (optional) has been hooked up to the 'fallback' (longest match wins) setting of [pm|u|sf|nf]acctd_net, [pm|u]acctd_as and [sf|nf]acctd_as_new. Thanks to John Hess for his support. + A new sampling_rate traffic aggregation primitive has been introduced: to report on the sampling rate to be applied to renormalize counters (ie. useful to support troubleshooting of untrusted node exports and hybrid scenarios where a partial sampling_map is supplied). If renorm of counters is enabled (ie. [n|s]facctd_renormalize set to true) then sampling_rate will show as 1 (ie. already renormalized). + sql_table, print_output_file, mongo_table: dynamic table names are now enriched by a $ref variable, populated with the configured value for refresh time, and a $hst variable, populated with the configured value for sql_history (in secs). + Solved the limit of 64 traffic aggregation primitives: the original 64 bits bitmap is now split in a 16 bits index + 48 bits registry with multiple entries (currently 2). cfg_set_aggregate() and, in future, cfg_get_aggregate() functions are meant to safely manipulate the new bitmap structure and detect mistakes in primitives definition. ! fix, print plugin: removed print_output_file limitation to 64 chars. Now maximum filename length is imposed by underlying OS. ! fix, print plugin: primitives are selectively enabled for printing based on 'aggregate' directive. ! fix, print plugin: pointer to latest file been generated is updated at very last in the workflow. ! fix, ip_flow.c: incorrect initialization for IPv6 flow buffer. Thanks to Mike Jager for reporting the issue and providing a patch. ! fix, pre_tag_map: improved matching of pre_tag_map primitives against IPFIX fields. Thanks to Nikita V Shirokov for reporting the issue. ! fix, nfprobe plugin: improved handling of unsuccessful send() calls in order to prevent file descriptors depletion and log failure cause. Patch is courtesy by Mike Jager. ! fix, nfacctd: gracefully handling the case of NetFlow v9/IPFIX flowset length of zero; unproper handling of the condition was causing nfacctd to infinite loop over the packet; patch is courtesy by Mike Jager. ! fix, Setsocksize(): setsockopt() replaces Setsocksize() in certain cases and Setsocksize() fix to len parameter. Patch is courtesy by Vincent Bernat 0.14.1 -- 03-08-2012 + nfacctd: introduced support for IPFIX variable-length IEs (RFC5101), improved support for IPFIX PEN IEs. + nfacctd, sfacctd: positive/negative caching for bgp_agent_map and sampling_map is being introduced. Cache entries are invalidated upon reload of the maps. + bgp_agent_map: resolution of IPv4 NetFlow agents to BGP speakers with IPv6 sessions is now possible. This is to support dual-stack network deployments. Also the keyword 'filter' is introduced and supported values are only 'ip' and 'ip6'. + nfacctd: etype primitive can be populated from IP_PROTOCOL_VERSION, ie. Field Type #60, in addition to ETHERTYPE, ie. Field Type #256. Should both be present the latter has priority over the former. + print plugin: introduced a pointer to the latest filename in the set, ie. in cases when variable filenames are specified. The pointer comes in the shape of a symlink called "-latest". ! fix, pretag_handlers.c: BGP next-hop handlers are now hooked to the longest-match mechanism for destination IP prefix. ! fix, net_aggr.c: defining a networks_file configuration directive in conjunction with --enable-ipv6 was causing a SEGVs. This is now solved. ! fix, uacctd: cache routine is now being called in order to resolve in/out interface ifindexes. Patch is courtesy by Stig Thormodsrud. ! fix, BGP daemon: bgp_neighbors_file now lists also IPv6 BGP peerings. ! fix, sql_common.c: SQL writers due to safe action are now logged with a warning message rather than debug. ! fix, PostgreSQL table schemas: under certain conditions, default definition of stamp_inserted was generating a 'date/time field value out of range: "0000-01-01 00:00:00"' error. Many thanks to Marcello di Leonardo for reporting the issue and providing a fix. ! fix, IS-IS daemon: sockunion_print() function was found not portable and has been removed. ! fix, BGP daemon: memcpy() replaced by ip6_addr_cpy() upon writing to sockaddr_in6 structures. ! fix, EXAMPLES document has been renamed QUICKSTART for disambiguation on filesystems where case-sensitive names are not supported. ! Several code cleanups. Patches are courtesy by Osama Abu Elsorour and Ryan Steinmetz. 0.14.0 -- 11-04-2012 + pmacct now integrates an IS-IS daemon within collectors; the daemon is being run as a parallel thread within the collector core process; a single L2 P2P neighborship, ie. over a GRE tunnel, is supported; it implements P2P Hello, CSNP and PSNP - and does not send any LSP information out. The daemon is currently used for route resolution. It is well suited to several case-studies, popular one being: more specific internal routes are carried within the IGP while they are summarized in BGP crossing cluster boundaries. + A new aggregation primitive 'etype' has been introduced in order to support accounting against the EtherType field of Ethernet frames. The implementation is consistent across all data collection methods and backends. + sfacctd: introduced support for samples generated on ACL matches in Brocade (sFlow sample type: Enterprise: #1991, Format: #1). Thanks to Elisa Jasinska and Brent Van Dussen for their support. + sfacctd, pre_tag_map: introduced sample_type key. In sFlow v2/v4/v5 this is compared against the sample type field. Value is expected in : notation. ! fix, signals.c: ignoring SIGINT and SIGTERM in my_sigint_handler() to prevent multiple calls to fill_pipe_buffer(), condition that can cause pipe buffer overruns. Patch is courtesy by Osama Abu Elsorour. ! fix, pmacctd: tunnel registry now correctly supports multiple tunnel definitions for the same stack level. ! fix, print plugin: cos field now correctly shows up in the format title while CSV format is selected and L2 primitives are enabled. ! fix, util.c: a feof() check has been added to the fread() call in read_SQLquery_from_file(); thanks to Elisa Jasinska and Brent Van Dussen for their support. ! fix, nfprobe: NetFlow output socket is now re-opened after failing send() calls. Thanks to Maurizio Molina for reporting the problem. ! fix, sfacctd: length checks have been imporved while extracting string tokens (ie. AS-PATH and BGP communities) from sFlow Extended Gateway object. Thanks to Duncan Small for his support. 0.14.0rc3 -- 07-12-2011 + BGP daemon: BGP/MPLS VPNs (rfc4364) implemented! This encompasses both RIB storage (ie. virtualization layer) and lookup. bgp_iface_to_rd_map map correlates couples to Route Distinguishers (RDs). RD encapsulation types #0 (2-bytes ASN), #1 (IP address) and #2 (4-bytes ASN) are supported. Examples provided: examples/bgp_iface_to_rd.map and EXAMPLES files. + mpls_vpn_rd aggregation primitive has been added to the set. Also this is being supported key in Pre-Tagging (pre_tag_map). + print plugin: introduced print_output_file feature to write statistics to files. Output is text, formatted or CSV. Filenames can contain time- based variables to make them dynamic. If filename is static instead, content is overwritten over time. + print plugin: introduced print_time_roundoff feature to align time slots nicely, same as per the sql_history_roundoff directive. + print plugin: introduced print_trigger_exec feature to execute custom scripts at each print_refresh_time interval (ie. to process, expire, gzip, etc. files). Feature is in sync with wrap-up of data commit to screen or files. + pmacctd: introduced support for DLT_LOOP link-type (ie. OpenBSD tunnel interfaces). Thanks to Neil Reilly for his support. + uacctd: a cache of ifIndex is introduced. Hash structure with conflict chains and short expiration time (ie. to avoid getting tricked by cooked interfaces devices a-la ppp0). The cache is an effort to gain speed-ups. Implementation is courtesy by Stephen Hemminger, Vyatta. + Logging: introduced syslog-like timestamping when writing directly to files. Also a separate FD per process is used and SIGHUP elicits files reopening: all aimed at letting proper logs rotation by external tools. + Introduced plugin_pipe_backlog configuration directive: it induces a backlog of buffers on the pipe before actually releasing them to the plugin. The strategy helps optimizing inter-process communications, ie. when plugins are quicker processing data than the Core process. ! fix, peer_src_ip primitive: has been disconnected from [ns]facctd_as_new mechanism in order to ensure it's always representing a reference to the NetFlow or sFlow emitter. ! fix, nfprobe: input and output VLAN ID field types have been aligned to RFC3954, which appears to be also retroactively supported by IPFIX. The new field types are #58 and #59 respectively. Thanks to Maurizio Molina for pointing the issue out. ! fix, IMT plugin: fragmentation of the class table over multiple packets to the pmacct IMT client was failing and has been resolved. ! fix, nfprobe: individual flows start and end timestamps are now filled to the msec resolution. Thanks to Daniel Aschwanden for having reported the issue. ! fix, uacctd: NETLINK_NO_ENOBUFS is set to prevent the daemon being reported about ENOBUFS events by the underlying operating system. Works on kernels 2.6.30+. Patch is courtesy by Stephen Hemminger, Vyatta. ! fix, uacctd: get_ifindex() can now return values greater than 2^15. Patch is courtesy by Stephen Hemminger, Vyatta. ! fix, pmacctd, uacctd: case of zero IPv6 payload in conjunction with no IPv6 next header is now supported. Thanks to Quirin Scheitle for having reported the issue. - Support for is_symmetric aggregation primitive is discontinued. 0.14.0rc2 -- 26-08-2011 + sampling_map feature is introduced, allowing definition of static traffic sampling mappings. Content of the map is reloadable at runtime. If a specific router is not defined in the map, the sampling rate advertised by the router itself, if any, is applied. + nfacctd: introduced support for 16 bits SAMPLER_IDs in NetFlow v9/IPFIX; this appears to be the standard length with IOS-XR. + nfacctd: introduced support for (FLOW)_SAMPLING_INTERVAL fields as part of the NetFlow v9/IPFIX data record. This case is not prevented by the RFC although such information is typically exported as part of options. It appears some probes, ie. FlowMon by Invea-Tech, are getting down this way. + nfacctd, sfacctd: nfacctd_as_new and sfacctd_as_new got a new 'fallback' option; when specified, lookup of BGP-related primitives is done against BGP first and, if not successful, against the export protocol. + nfacctd, sfacctd: nfacctd_net and sfacctd_net got a new 'fallback' option that when specified looks up network-related primitives (prefixes, masks) against BGP first and, if not successful, against the export protocol. It gets useful for resolving prefixes advertised only in the IGP. + sql_num_hosts feature is being introduced: defines, in MySQL and SQLite plugins, whether IP addresses should be left numerical (in network bytes ordering) or converted into strings. For backward compatibility, default is to convert them into strings. + print_num_protos and sql_num_protos configuration directives have been introduced to allow to handle IP protocols (ie. tcp, udp) in numerical format. The default, backward compatible, is to look protocol names up. The feature is built against all plugins and can also be activated via the '-u' commandline switch. ! fix, nfacctd: NetFlow v9/IPFIX sampling option parsing now doesn't rely anymore solely on finding a SamplerID field; as an alternative, presence of a sampling interval field is also checked. Also a workaround is being introduced for sampled NetFlow v9 & C7600: if samplerID within a data record is defined and set to zero and no match was possible, then the last samplerID defined is returned. ! nfacctd: (FLOW)_SAMPLING_INTERVAL fields as part of the NetFlow v9/IPFIX data record are now supported also 16-bits long (in addition to 32-bits). ! fix, SQL plugins: sql_create_table() timestamp has been aligned with SQL queries (insert, update, lock); furthermore sql_create_table() is invoked every sql_refresh_time instead of every sql_history. Docs updated. Thanks to Luis Galan for having reported the issue. ! fix, pmacct client: error code when connection is refused on UNIX socket was 0; it has been changed to 1 to reflect the error condition. Thanks to Mateusz Viste for reporting the issue. ! fix, building system: CFLAGS were not always honoured. Patch is courtesy of Etienne Champetier ! fix, ll.c: empty return value was causing compiler with certain flags to complain about the issue. Patch is courtesy of Ryan Steinmetz. 0.14.0rc1 -- 31-03-2011 + IPFIX (IETF IP Flow Information Export protocol) replication and collector capabilities have been introduced as part of nfacctd, the NetFlow accounting daemon of the pmacct package. + nfprobe plugin: initial IPFIX export implementation. This is called via a 'nfprobe_version: 10' configuration directive. pmacctd, the promiscuous mode accounting daemon, and uacctd, the ULOG accounting daemon, both part of the pmacct package are now supported. + Oracle's BrekeleyDB 11gR2 offers a perfect combination of technologies by including an SQL API that is fully compatible with SQLite. As a result pmacct now opens to BerkeleyDB 5.x via its SQLite3 plugin. + sfacctd: BGP-related traffic primitives (AS Path, local preference, communities, etc.) are now read from sFlow Extended Gateway object if sfacctd_as_new is set to false (default). + nfacctd, sfacctd: source and destination peer ASNs are now read from NetFlow or sFlow data if [ns]facctd_as_new is set to false (default). + nfacctd: introduced support for NetFlow v9/IPFIX source and destination peer ASN field types 128 and 129. The support is enabled at runtime by setting to 'false' (default) the 'nfacctd_as_new' directive. + sfacctd: f_agent now points sFlow Agent ID instead of source IP address; among the other things, this allows to compare BGP source IP address/BGP Router-ID against the sFlow Agent ID. + PostgreSQL plugin: 'sql_delimiter' config directive being introduced: if sql_use_copy is true, uses the supplied character as delimiter.Useful in cases where the default delimiter is part of any of the supplied strings. + pmacct client: introduced support for Comma-Separated Values (CSV) output in addition to formatted-text. A -O commandline switch allows to enable the feature. ! fix, MySQL/PostgreSQL/SQLite3 plugins: insert of data into the database can get arbitrarily delayed under low traffic conditions. Many Thanks to Elisa Jasinska and Brent Van Dussen for their great support in solving the issue. ! fix, BGP daemon: multiple BGP capabilities per capability announcement were not supported - breaking compliancy with RFC5492. The issue was only verified against a OpenBGPd speaker. Patch is courtesy of Manuel Guesdon. ! fix, initial effort made to document uacctd, the ULOG accounting daemon 0.12.5 -- 28-12-2010 + nfacctd: introduced support for NAT L3/L4 field values via xlate_src and xlate_dst configuration directives. Implementation follows IPFIX standard for IPv4 and IPv6 (field types 225, 226, 227, 228, 281 and 282). + nfacctd: Cisco ASA NetFlow v9 NSEL field types 40001, 40002, 40003, 40004 and IPFIX/Cisco ASA NetFlow v9 NSEL msecs absolute timestamps field types 152, 153 and 323 have been added. + nfacctd: introduced support for 'new' TCP/UDP source/destination ports (field types 180, 181, 182, 183), as per IPFIX standard, basing on the L4 protocol value (if any is specified as part of the export; otherwise assume L4 is not TCP/UDP). + nfacctd, nfprobe: introduced support for application classification via NetFlow v9 field type #95 (application ID) and application name table option. This feature aligns with Cisco NBAR-NetFlow v9 integration feature. + nfacctd: introduced support for egress bytes and packet counters (field types 23, 24) basing on the direction value (if any is specified as part of the export; otherwise assume ingress as per RFC3954). + nfprobe: egress IPv4/IPv6 NetFlow v9 templates have been introduced; compatibility with Cisco (no use of OUT_BYTES, OUT_OUT_PACKETS) taken into account. + nfacctd: added support for egress datalink NetFlow v9 fields basing on direction field. + nfacctd, sfacctd: aggregate_filter can now filter against TCP flags; also, [ns]facctd_net directive can now be specified per-plugin. + BGP daemon: introduced support for IPv6 transport of BGP messaging. + BGP daemon: BGP peer information is now linked into the status table for caching purposes. This optimization results in good CPU savings in bigger deployments. ! fix, nfacctd, sfacctd: daemons were crashing on OpenBSD platform upon setting an aggregate_filter configuration directive. Patch is courtesy of Manuel Pata. ! fix, xflow_status.c: status entries were not properly linked to the hash conflict chain resulting in a memory leak. However the maximum number of table entries set by default was preventing the structure to grow undefinitely. ! fix, sql_common.c: increased buffer size available for sql_table_schema from 1KB to 8KB. Thanks to Michiel Muhlenbaumer his support. ! fix, bgp_agent_map has been improved to allow mapping of NetFlow/sFlow agents making use of IPv6 transport to either a) IPv4 transport address of BGP sessions or b) 32-bit BGP Router IDs. Mapping to IPv6 addresses is however not (yet) possible. ! fix, nfprobe: encoding of NetFlow v9 option scope has been improved; nfprobe source IPv4/IPv6 address, if specified via nfprobe_source_ip directive, is now being written. ! fix, util.c: string copies in trim_spaces(), trim_all_spaces() and strip_quotes() have been rewritten more safely. Patch is courtesy of Dmitry Koplovich. ! fix, sfacctd: interface format is now merged back into interface value fields so to ease keeping track of discards (and discard reasons) and multicast fanout. ! fix, MySQL, SQLite3 plugins: sql table version 8 issued to provide common naming convention when mapping primitives to database fields among the supported RDBMS base. Thanks to Chris Wilson for his support. ! fix, pmacct client: numeric variables output converted to unsigned from signed. ! fix, nfacctd_net, sfacctd_net: default value changed from null (and related error message) to 'netflow' for nfacctd_net and 'sflow' for sfacctd_net. ! fix, nfacctd, sfacctd: aggregate_filter was not catching L2 primitives (VLAN, MAC addresses) when performing egress measurements. 0.12.4 -- 01-10-2010 + BGP daemon: a new memory model is introduced by which IP prefixes are being shared among the BGP peers RIBs - leading to consistent memory savings whenever multiple BGP peers export full tables due to the almost total overlap of information. Longest match nature of IP lookups required to raise BGP peer awareness of the lookup algorithm. Updated INTERNALS document to support estimation of the memory footprint of the daemon. + BGP daemon: a new bgp_table_peer_buckets configuration directive is introduced: per-peer routing information is attached to IP prefixes and now hashed onto buckets with conflict chains. This parameter sets the number of buckets of such hash structure; the value is directly related to the number of expected BGP peers, should never exceed such amount and is best set to 1/10 of the expected number of peers. + nfprobe: support has been added to export direction field (NetFlow v9 field type #61); its value, 0=ingress 1=egress, is determined via nfprobe_direction configuration directive. + nfacctd: introduced support for Cisco ASA bytes counter, NetFlow v9 field type #85. Thanks to Ralf Reinartz for his support. + nfacctd: improved flow recognition heuristics for cases in which IPv4/IPv6/input/output data are combined within the same NetFlow v9 template. Thanks to Carsten Schoene for his support. ! fix, BGP daemon: bgp_nexthop_followup was not working correctly if pointed to a non-existing next-hop. ! fix, nfv9_template.c: ignoring unsupported NetFlow v9 field types; improved template logging. Thanks to Ralf Reinartz for his support. ! fix, print plugin: support for interfaces and network masks has been added. Numeric variables output converted to unsigned from signed. 0.12.3 -- 28-07-2010 + 'cos' aggregation primitive has been implemented providing support for 802.1p priority. Collection is supported via sFlow, libpcap and ULOG; export is supported via sFlow. + BGP daemon: TCP MD5 signature implemented. New 'bgp_daemon_md5_file' configuration directive is being added for the purpose of defining peers and their respective MD5 keys, one per line, in CSV format. The map is reloadable at runtime: existing MD5 keys are removed via setsockopt(), new ones are installed as per the newly supplied map. Sample map added in 'examples/bgp_md5.lst.example'. + BGP daemon: added support for RFC3107 (SAFI=4 label information) to enable receipt of labeled IPv4/IPv6 unicast prefixes. + nfprobe, sfprobe: introduced the concept of traffic direction. As a result, [ns]fprobe_direction and [ns]fprobe_ifindex configuration directives have been implemented. + [ns]fprobe_direction defines traffic direction. It can be statically defined via 'in' or 'out' keywords; values can also be dynamically determined through a pre_tag_map (1=input, 2=output) by means of 'tag' and 'tag2' keywords. + [ns]fprobe_ifindex either statically associate an interface index (ifIndex) to a given [ns]fprobe plugin or semi-dynamically via lookups against a pre_tag_map by means of 'tag' and 'tag2' keywords. + sfprobe: sfprobe_ifspeed configuration directive is introduced and aimed at statically associating an interface speed to an sfprobe plugin. + sfprobe: Switch Extension Header support added. Enabler for this development was support for 'cos' and in/out direction. Whereas VLAN information was already supported as an aggregation primitive. + sfprobe: added support for Counter Samples for multiple interfaces. Sampling function has been brought to the plugin so that Counter Samples can be populated with real bytes/packets traffic levels. ! nfprobe, sfprobe: send buffer size is now aligned to plugin_pipe_size, if specified, providing a way to tune buffers in case of sustained exports. ! fix, addr.c: pm_ntohll() and pm_htonll() routines rewritten. These are aimed at changing byte ordering of 64-bit variables. ! fix, BGP daemon: support for IPv6 global address/link-local address next-hops as part of MP_REACH_NLRI parsing. ! fix, cfg_handlers.c: bgp_daemon and bgp_daemon_msglog parsing was not correct, ie. enabled if specified as 'false'. Thanks to Brent Van Dussen for reporting the issue. ! fix, bgp.c: found a CPU hog issue caused by missing cleanup of the select() descriptors vector. ! fix, pmacct.c: in_iface/out_iface did erroneously fall inside a section protected by the "--disable-l2" switch. Thanks to Brent Van Dussen for reporting the issue. 0.12.2 -- 27-05-2010 + A new 'tee' plugin is introduced bringing both NetFlow and sFlow replication capabilities to pmacct. It supports transparent mode (tee_transparent), coarse-grained filtering capabilities via the Pre-Tagging infrastructure. Quickstart guide is included as part of the EXAMPLES file (chapter XII). + nfprobe, sfprobe: introduced support for export of the BGP next-hop information. Source data selection for BGP next-hop is being linked to [pmacctd_as|uacctd_as] configuration directive. Hence it must be set to 'bgp' in order for this feature to work. + nfprobe, sfprobe, BGP daemon: new set of features (nfprobe_ipprec, sfprobe_ipprec, bgp_daemon_ipprec) allows to mark self-originated sFlow, NetFlow and BGP datagrams with the supplied IP precedence value. + peer_src_ip (IP address of the NetFlow emitter, agent ID of the sFlow emitter) and peer_dst_ip (BGP next-hop) can now be filled from NetFlow/sFlow protocols data other than BGP. To activate the feature nfacctd_as_new/sfacctd_as_new have to be 'false' (default value), 'true' or 'file'. + print plugin: introduced support for Comma-Separated Values (CSV) output in addition to formatted-text. A new print_output feature allows to switch between the two. + pmacctd: improved 802.1ad support. While recursing, outer VLAN is always reported as value of the 'vlan' primitive. ! fix, pmacctd: 802.1p was kept integral part of the 'vlan' value. Now a 0x0FFF mask is applied in order to return only the VLAN ID. ! fix, pkt_handlers.c: added trailing '\0' symbol when truncating AS-PATH and BGP community strings due to length constraints. ! fix, sql_common.c: maximum SQL writers warning message was never reached unless a recovery method is specifited. Thanks to Sergio Charpinel Jr for reporting the issue. ! fix, MySQL and PostgreSQL plugins: PGRES_TUPLES_OK (PostgreSQL) and errno 1050 (MySQL) are now considered valid return codes when dynamic tables are involved (ie. sql_table_schema). Thanks to Sergio Charpinel Jr for his support. ! fix, BGP daemon: pkt_bgp_primitives struct has been explicitely 64-bit aligned. Mis-alignment was causing crashes when buffering was enabled (plugin_buffer_size). Verified on Solaris/sparc. 0.12.1 -- 07-04-2010 + Input/output interfaces (SNMP indexes) have now been implemented natively; it's therefore not required anymore to pass through the (Pre-)tag infrastructure. As a result two aggregation primitives are being introduced: 'in_iface' and 'out_iface'. + Support for source/destination IP prefix masks is introduced via two new aggregation primitives: src_mask and dst_mask. These are populated as defined by the [nf|sf|pm|u]acctd_net directive: NetFlow/sFlow protocols, BGP, Network files (networks_file) or static (networks_mask) being valid data sources. + A generic tunnel inspection infrastructure has been developed to benefit both pmacctd and uacctd daemons. Handlers are defined via configuration file. Once enabled daemons will account basing upon tunnelled headers rather than the envelope. Currently the only supported tunnel protocol is GTP, the GPRS tunnelling protocol (which can be configured as: "tunnel_0: gtp, "). Up to 8 different tunnel stacks and up to 4 tunnel layers per stack are supported. First matching stack, first matching layer wins. + uacctd: support for the MAC layer has been added for the Netlink/ ULOG Linux packet capturing framework. + 'nfprobe_source_ip' feature introduced: it allows to select the IPv4/IPv6 address to be used to export NetFlow datagrams to the collector. + nfprobe, sfprobe: network masks are now exported via NetFlow and sFlow. 'pmacctd_net' and its equivalent directives define how to populate src_mask and dst_mask values. ! cleanup, nfprobe/sfprobe: data source for 'src_as' and 'dst_as' primitives is now expected to be always explicitely defined (in line with how 'src_net' and 'dst_net' primitives work). See the UPGRADE doc for the (limited) backward compatibility impact. ! Updated SQL documentation: sql/README.iface guides on 'in_iface' and 'out_iface' primitives; sql/README.mask guides on 'src_mask' and 'dst_mask' primitives; sql/README.is_symmetric guides on 'is_symmetric' primitive. ! fix, nfacctd.h: source and destination network masks were twisted in the NetFlow v5 export structure definition. Affected releases are: 0.12.0rc4 and 0.12.0. ! fix, nfprobe_plugin.c: l2_to_flowrec() was missing some variable declaration when the package was configured for compilation with --disable-l2. Thanks to Brent Van Dussen for reporting the issue. ! fix, bgp.c: bgp_attr_munge_as4path() return code was not defined for some cases. This was causing some BGP messages to be marked as malformed. ! fix, sfprobe: a dummy MAC layer was created whenever this was not included as part of the captured packet. This behaviour has been changed and header protocol is now set to 11 (IPv4) or 12 (IPv6) accordingly. Thanks to Neil McKee for pointing the issue. ! workaround, building sub-system: PF_RING enabled libpcap was not recognized due to missing of pcap_dispatch(). This is now fixed. 0.12.0 -- 16-02-2010 + 'is_symmetric' aggregation primitive has been implemented: aimed at easing detection of asymmetric traffic. It's based on rule definitions supplied in a 'bgp_is_symmetric_map' map, reloadable at runtime. + A new 'bgp_daemon_allow_file' configuration directive allows to specify IP addresses that can establish a BGP session with the collector's BGP thread. Many thanks to Erik van der Burg for contributing the idea. + 'nfacctd_ext_sampling_rate' and 'sfacctd_ext_sampling_rate' are introduced: they flag the daemon that captured traffic is being sampled. Useful to tackle corner cases, ie. the sampling rate reported by the NetFlow/sFlow agent is missing or incorrect. + The 'bgp_follow_nexthop' feature has been extended so that extra IPv4/IPv6 prefixes can be supplied. Up to 32 IP prefixes are now supported and a warning message is generated whenever a supplied string fails parsing. + Pre-Tagging: implemented 'src_local_pref' and 'src_comms' keys. These allow tagging based on source IP prefix local_pref (sourced from either a map or BGP, ie. 'bgp_src_local_pref_type: map', 'bgp_src_local_pref_type: bgp') and standard BGP communities. + Pre-Tagging: 'src_peer_as' key was extended in order to match on BGP-sourced data (bgp_peer_src_as_type: bgp). + Pre-Tagging: introduced 'comms' key to tag basing on up to 16 standard BGP communities attached to the destination IP prefix. The lookup is done against the BGP RIB of the exporting router. Comparisons can be done in either match-any or match-all fashion; xidDocumentation and examples updated. ! fix, util.c: load_allow_file(), empty allow file was granting a connection to everybody being confused with a 'no map' condition. Now this case is properly recognized and correctly translates in a reject all clause. ! fix, sql_common.c: log of NetFlow micro-flows to a SQL database (nfacctd_sql_log directive) was not correctly getting committed to the backend, when sql_history was disabled. ! fix, mysql|pgsql|sqlite_plugin.c: 'flows' aggregation primitive was not suitable to mix-and-match with BGP related primitives (ie. peer_dst_as, etc.) due to an incorrect check. Many thanks to Zenon Mousmoulas for the bug report. ! fix, pretag_handlers.c: tagging against NetFlow v9 4-bytes in/out interfaces was not working properly. Thanks to Zenon Mousmoulas for reporting the issue. 0.12.0rc4 -- 21-12-2009 + BGP-related source primitives are introduced, namely: src_as_path, src_std_comm, src_ext_comm, src_local_pref and src_med. These add to peer_src_as which was already implemented. All can be resolved via reverse BGP lookups; peer_src_as, src_local_pref and src_med can also be resolved via lookup maps which support checks like: bgp_nexthop (RPF), peer_dst_as (RPF), input interface and source MAC address. Many thanks to Zenon Mousmoulas and GRNET for their fruitful cooperation. + Memory structures to store BGP-related primitives have been optimized. Memory is now allocated only for primitives part of the selected aggregation profile ('aggregate' config directive). + A new 'bgp_follow_nexthop' configuration directive is introduced to follow the BGP next-hop up to the edge of the routing domain. This is particularly aimed at networks not running MPLS, where hop-by-hop routing is in place. + Lookup maps for BGP-related source primitives (bgp_src_med_map, bgp_peer_src_as_map, bgp_src_local_pref_map): result of check(s) can now be the keyword 'bgp', ie. 'id=bgp' which triggers a BGP lookup. This is thought to handle exceptions to static mapping. + A new 'bgp_peer_as_skip_subas' configuration directive is being introduced. When computing peer_src_as and peer_dst_as, returns the first ASN which is not part of a BGP confederation; if only confederated ASNs are on the AS-Path, the first one is returned instead. + Pre-Tagging: support has been introduced for NetFlow v9 traffic direction (ingress/egress). + Network masks part of NetFlow/sFlow export protocols can now be used to compute src_net, dst_net and sum_net primitives. As a result a set of directives [nfacctd|sfacctd|pmacctd|uacctd]_net allows to globally select the method to resolve such primitives, valid values being: netflow, sflow, file (networks_file), mask (networks_mask) and bgp (bgp_daemon). + uacctd: introduced support for input/output interfaces, fetched via NetLink/ULOG API; interfaces are available for Pre-Tagging, and inclusion in NetFlow and sFlow exports. The implementation is courtesy of Stig Thormodsrud. + nfprobe, sfprobe: new [nfprobe|sfprobe]_peer_as option to set source/destination ASNs, part of the NetFlow and sFlow exports, to the peer-AS rather than origin-AS. This feature depends on a working BGP daemon thread setup. ! A few resource leaks were detected and fixed. Patch is courtesy of Eric Sesterhenn. ! bgp/bgp.c: thread concurrency was detected upon daemon startup under certain conditions. As a solution the BGP thread is being granted a time advantage over the traffic collector thread. ! bgp/bgp.c: fixed a security issue which could have allowed a malicious user to disrupt established working BGP sessions by exploiting the implemented concept of BGP session replenishment; this has been secured by a check against the session holdtime. Many thanks to Erik van der Burg for spotting the issue. ! bgp/bgp.c: BGP listener socket now sets SO_REUSEADDR option for quicker turn around times while stopping/starting the daemon. ! net_aggr.c: default route (0.0.0.0/0) was considered invalid; this is now fixed. 0.12.0rc3 -- 28-10-2009 + Support for NetFlow v9 sampling via Option templates and data is introduced; this is twofold: a) 'nfacctd_renormalize' configuration directive is now able to renormalize NetFlow v9 data on-the-fly by performing Option templates management; b) 'nfprobe', the NetFlow probe plugin, is able to flag sampling rate (either internal or external) when exporting flows to the collector. + '[pm|u]acctd_ext_sampling_rate' directives are introduced to support external sampling rate scenarios: packet selection is performed by the underlying packect capturing framework, ie. ULOG, PF_RING. Making the daemon aware of the sampling rate, allows to renormalize or export such information via NetFlow or sFlow. + pmacctd: the IPv4/IPv6 fragment handler engine was reviewed to make it sampling-friendly. The new code hooks get enabled when external sampling (pmacctd_ext_sampling_rate) is defined. + A new 'uacctd' daemon is added to the set; it is based on the Netlink ULOG packet capturing framework; this implies it works only on Linux and can be optionally enabled when compling by defining the '--enable-ulog' switch. The implementation is fully orthogonal with the existing feature set. Thanks very much to: A.O. Prokofiev for contributing the original idea and code; Stig Thormodsrud for his support and review. + The 'tag2' primitive is introduced. Its aim is to support traffic matrix scenarios by giving a second field dedicated to tag traffic. In a pre_tag_map this can be employed via the 'id2' key. See examples in the 'examples/pretag.map.example' document. SQL plugins write 'tag2' content in the 'agent_id2' field. Read 'sql/README.agent_id2' document for reference. + Some new directives to control and re-define file attributes written by the pmacct daemons, expecially when launched with increased priviledges, are introduced: file_umask, files_uid, files_gid. Files to which these apply include, ie. pidfile, logfile and BGP neighbors file. ! fix, bgp/bgp.c: upon reaching bgp_daemon_max_peers threshold, logs were flooded by warnings even when messages were coming from a previously accepted BGP neighbor. Warnings are now sent only when a new BGP connection is refused. ! fix, nfprobe/netflow9.c: tags (pre_tag_map, post_tag) were set per pair of flows, not respecting their uni-directional nature. It was generating hiding of some tags. ! fix, nfprobe/netflow9.c: templates were (wrongly) not being included in the count of flows sent in NetFlow v9 datagrams. While this was not generating any issues with parsing flows, it was originating visualization issues in Wireshark. ! fix, SQL plugins: CPU hitting 100% has been determined when sql_history is disabled but sql_history_roundoff is defined. Thanks to Charlie Allom for reporting the issue. ! fix, sfacctd.c: input and output interfaces (non-expaneded format) were not correcly decoded creating issues to Pre- tagging. Thanks to Jussi Sjostrom for reporting the issue. 0.12.0rc2 -- 09-09-2009 + BGP daemon thread has been tied up with both the NetFlow and sFlow probe plugins, nfprobe and sfprobe, allowing to encode dynamic ASN information (src_as, dst_as) instead of reading it from text files. This finds special applicability within open-source router solutions. + 'bgp_stdcomm_pattern_to_asn' feature is introduced: filters BGP standard communities against the supplied pattern. The first matching community is split using the ':' symbol. The first part is mapped onto the peer AS field while the second is mapped onto the origin AS field. The aim is to deal with prefixes on the own address space. Ie. BGP standard community XXXXX:YYYYY is mapped as: Peer-AS=XXXXX, Origin-AS=YYYYY. + 'bgp_neighbors_file' feature is introduced: writes a list of the BGP neighbors in the established state to the specified file. This gets particularly useful for automation purposes (ie. auto-discovery of devices to poll via SNMP). + 'bgp_stdcomm_pattern' feature was improved by supporting the regex '.' symbol which can be used to wildcard a pre-defined number of characters, ie. '65534:64...' will match community values in the range 64000-64999 only. + SQL preprocess layer: removed dependency between actions and checks. Overral logics was reviewed to act more consistently with recently introduced SQL cache entry status field. + SQL common layer: poll() timeout is now calculated adaptively for increased deadline precision. + sql_startup_delay feature functionality was improved in order to let it work as a sliding window to match NetFlow setups in which a) mainain original flow timestamps and b) enable the sql_dont_try_update feature is required. ! DST (Daylight Saving Time) support introduced to sql_history and sql_refresh_time directives. Thanks to for reporting the issue. ! fix, pmacctd.c: initial sfprobe plugin checks were disabling IP fragments handler. This was causing pmacctd to crash under certain conditions. Thanks to Stig Thormodsrud for having reported the issue. ! fix, nfprobe, netflow5.c: missing htons() call while encoding src_as primitive. ! fix, BGP thread, bgp_aspath.c: estimated AS-PATH length was not enough for 32-bit ASNs. String length per-ASN increased from 5 to 10 chars. ! Documentation update, EXAMPLES: how to establish a local BGP peering between pmacctd and Quagga 0.99.14 for NetFlow and sFlow probe purposes. ! fix, print_status_table(): SEGV was showing up while trying to retrieve xFlow statistics by sending a SIGUSR1 signal and a collector IP address was not configured. ! ip_flow.[c|h]: code cleanup. 0.12.0rc1 -- 01-08-2009 + a BGP daemon thread has been integrated in both the NetFlow and sFlow collectors, nfacctd and sfacctd. It maintains per- peer RIBs and supports MP-BGP (IPv4, IPv6) and 32-bit ASNs. As a result the following configuration directives are being introduced: bgp_daemon, bgp_daemon_ip, bgp_daemon_max_peers, bgp_daemon_port and bgp_daemon_msglog. For a quick-start and implementation notes refer to EXAMPLES document and detailed configuration directives description in CONFIG-KEYS. + A new set of BGP-related aggregation primitives are now supported by the "aggregate" directive: std_comm, ext_comm, as_path, peer_src_ip, peer_dst_ip, peer_src_as, peer_dst_as, med, local_pref. A few extra directives are being introduced to support (filter, map, cut down, etc.) some primitives: bgp_peer_src_as_type, bgp_peer_src_as_map, bgp_aspath_radius, bgp_stdcomm_pattern and bgp_extcomm_pattern. + nfacctd_as_new supports a new value "bgp". It is meant to populate src_as and dst_as primitives by looking up source and destination IP prefixes against the NetFlow (or sFlow) agent RIB. + A new sql_table_type directive is introduced: by combining it with sql_table_version, defines one of the standard BGP tables. + Two new directives have been developed to support scenarios where NetFlow (or sFlow) agents are not running BGP or have default-only or partial views: bgp_follow_default and bgp_agent_map. + 4-bytes ASNs are now supported: including NetFlow and sFlow collectors, NetFlow and sFlow probes, networks_file to map prefixes to ASNs. The new BGP daemon implementation is, of course, fully compliant. + Pre-Tagging: the ID is now a 32-bit unsigned value (it was 16-bit). As a result, there valid tags can be in the range 1-4294967295 and maps can now express the resulting ID as an IPv4 address (ie. bgp_agent_map). + Pre-tagging: support for 32-bit input/output interfaces is now available. ! fix, sql_common.c: read_SQLquery_from_file() was returning a random value, regardless of the successful result. Patch has been provided provided by Giedrius Liubavicius ! fix, pmacct.c: when unused, source/destination IP address fields were presented as NULL values. This is now replaced with a '0' value to improve output parsing. ! Standard major release compilation check-pointing: thanks very much to Manuel Pata and Tobias Lott for their strong support with OpenBSD and FreeBSD respectively. 0.11.6 -- 07-04-2009 + Introduced support for tag ranges into the 'pre_tag_filter' configuration directive (ie. '10-20' matches traffic tagged in the range 10..20). This works both in addition to and in combination with negations. + Tcpdump-style filters, ie. 'aggregate_filter', now support indexing within a packet, ie. 'ether[12:2]', to allow a more flexible separation of the traffic. + Introduced support for descriptions in networks definition files pointed by the 'networks_file' configuration directive. Thanks to Karl O. Pinc for contributing the patch. ! fix, pmacctd: libpcap DLT_LINUX_SLL type is not defined in older versions of the library. It was preventing successful compilation of pmacct on OpenBSD. This has been fixed by defining internally to pmacct all DLT types in use. Thanks to Karl O. Pinc for his support. ! fix, IPv6 networks_file, load_networks6(): wrong masks were applied to IPv6 networks due to dirty temporary buffers for storing IPv6 addresses and masks. Short '::' IPv6 format is currently not supported. Thanks to Robert Blechinger for flagging the issue. ! fix, pretag.c: Pre-Tagging infrastructure was SEGV'ing after having been instructed to reload via a SIGHUP signal. Patch is courtesy of Denis Cavrois and the Acipia development team. ! fix, sfacctd, nfacctd: Assign16() was not handling correctly 2-bytes EtherType values (ie. 0x86dd, 0x8847) in 802.1Q tags. As a result 'aggregate_filter' was not able to correctly match IPv6-related filters. Thanks to Axel Apitz for reporting the issue. ! fix, xflow_status.c: a cosmetic bug was displaying sequence numbers without applying previous increment. This definitely will help troubleshooting and debugging. ! fix, sfacctd, sfv245_check_status(): AF of the sFlow agent is now explicitely defined: when IPv6 is enabled the remote peer address can be reported as IPv4-mapped IPv6 address. This was causing warning messages to report the wrong sFlow agent IP address. Thanks to Axel Apitz for reporting the issue. ! fix, IMT plugin was crashing upon receipt of a classification table request (WANT_CLASS_TABLE) when stream classification was actually disabled. ! fix, pmacct.c: classifier index was not brought back to zero by the pmacct client. This was preventing the client to show correct stream classification when it was feeded with multiple queries. The fix is courtesy of Fabio Cairo. ! fix, MySQL plugin: upon enabling of the 'nfacctd_sql_log' directive, 'stamp_updated' field was incorrectly reported as '0000-00-00 00:00:00' due to wrong field formatting. Thanks to Brett D'Arcy for reporting and patching the issue. ! Initial effort to clean the code up by strcpy() calls. Thanks to Karl O. Pinc for taking such initiative. 0.11.5 -- 21-07-2008 + SQL UPDATE queries code has been rewritten for increased flexibility. The SET statement is now a vector and part of it has been shifted into the sql_compose_static_set() routine in the common SQL layer. + A new sql_locking_style directive is now supported in the MySQL plugin. To exploit it, an underlying InnoDB table is mandatory. Thanks to Matt Gillespie for his tests. + Support for Endace DAG cards is now available; this has been tested against libDAG 3.0.0. Many thanks to Robert Blechinger for his extensive support. + pmacctd, the Linux Cooked device (DLT_LINUX_SLL) handler has been enhanced by supporting 'src_mac' and 'vlan' aggregation primitives. ! fix, xflow_status.c: NetFlow/sFlow collector's IP address is being rewritten as 0.0.0.0 when NULL. Was causing SEGVs on Solaris/sparc. ! fix, server.c: WANT_RESET is copied in order to avoid losing it when handling long queries and need to fragment the reply. Thanks very much to Ruben Laban for his support. ! fix, MySQL plugin: the table name is now escaped in order to not conflict with reserved words, if one of those is selected. Thanks to Marcel Hecko for reporting the bug. ! An extra security check is being introduced in sfacctd as an unsupported extension sent over by a Foundry Bigiron 4000 kit was causing SEGV issues. Many Thanks to Michael Hoffrath for the strong support provided. ! fix, 'nfprobe' plugin: AS numbers were not correctly exported to the collector when pmacctd was in use. Patch is courtesy of Emerson Pinter. ! fix, 'nfprobe' plugin: MACs were not properly encapsulated resulting in wrong addresses being exported through NetFlow v9. The patch is courtesy of Alexander Bergolth. ! fix, buffers holding MAC address strings throughout the code had not enough space to store the trailing zero. The patch is courtesy of Alexander Bergolth. ! fix, logfile FD was not correctly passed onto active plugins. The patch is courtesy of Denis Cavrois. ! Missing field type 60 in NetFlow v9 IPv6 flows, was leading nfacctd to incorrect flow type selection (IPv4). An additional check on the source IP address has now been included to infer IPv6 flows. RFC3954 mandates such field type to be present for IPv6 flows. The issue has been verified against a Cisco 7600 w/ RSP720. Many thanks to Robert Blechinger for his extensive support. 0.11.4 -- 25-04-2007 + support for TCP flags has been introduced. Flags are ORed on a per-aggregate basis (same as what NetFlow does on a per-flow basis). The 'aggregate' directive now supports the 'tcpflags' keyword. SQL tables v7 have also been introduced in order to support the feature inside the SQL plugins. + 'nfacctd_sql_log' directive is being introduced. In nfacctd, it makes SQL plugins to use a) NetFlow's First Switched value as "stamp_inserted" timestamp and b) Last Switched value as "stamp_updated" timestamp. Then, a) by not aggregating flows and b) not making use of timeslots, this directive allows to log singular flows in the SQL database. + sfprobe and nfprobe plugins are now able to propagate tags to remote collectors through sFlow v5 and NetFlow v9 protocols. The 'tag' key must be appended to sfprobe/nfprobe 'aggregate' config directives. + pmacct memory client is now able to output either TopN bytes, flows or packets statistics. The feature is enabled by a new '-T' commandline switch. + The Pre-Tagging map is now dynamically allocated and a new 'pre_tag_map_entries' config directive allows to set the size of the map. Its default value (384) should be suitable for most common scenarios. ! Bugfix in nfprobe plugin: struct cb_ctxt was not initialized thus causing the application to exit prematurely (thinking it finished available memory). Thanks to Elio Eraseo for fixing the issue. ! Some misplaced defines were preventing 0.11.3 code to compile smoothly on OpenBSD boxes. Thanks to Dmitry Moshkov for fixing it. ! Bugfix in SQL handlers, MY_count_ip_proto_handler(): an array boundary was not properly checked and could cause the daemon to SEGV receiving certain packets. Thanks to Dmitry Frolov for debugging and fixing the issue. ! NF_counters_renormalize_handler() renormalizes sampled NetFlow v5 flows. It now checks whether a positive Sampling Rate value is defined rather than looking for the Sampling Mode. It makes the feature working on Juniper routers. Thanks once again to Inge Bjornvall Arnesen. 0.11.3 -- 31-01-2007 + 'aggregate_filter' directive now supports multiple pcap-style filters, comma separated. This, in turn, allows to bind up to 128 filters to each activated plugin. + nfacctd and sfacctd turn-back time when restarting the daemon has been significantly improved by both creating new listening sockets with SO_REUSEADDR option and disassociating them first thing on receiving SIGINT signal. + A new threaded version of pmacctd stream classification engine is being introduced. Code status is experimental and disabled by default; it could be enabled by providing --enable-threads at configure time. Many thanks to Francois Deppierraz and Eneo Tecnologia for contributing this useful piece of code. + A new 'flow_handling_threads' configuration directive allows to set the number of threads of the stream classification engine, by default 10. + A couple new '[ns]facctd_disable_checks' config directives aim to disable health checks over incoming NetFlow/sFlow streams (ie. in cases of non-standard vendor's implementations). Many thanks to Andrey Chernomyrdin for his patch. ! sfv245_check_status() was running checks (ie. verify sequence numbers) using sender's IP address. More correctly, it has to look at the Agent Address field included in sFlow datagrams. Many thanks to Juraj Sucik for spotting the issue. ! nfprobe plugin was not compiling properly in conjunction with --disable-l2 configure switch. Many thanks to Inge Bjornvall Arnesen for submitting the patch. ! sfacctd: fixed a bug which was preventing 'aggregate_filter' to match values properly in src_port, dst_port, ip proto and tos fields. Thanks to Chris Fletcher for spotting the issue. ! SQL cache: fixed a bug preventing safe actions to take place correctly. It has arisen in version 0.11.2 and hadn't severe impact. 0.11.2 -- 28-11-2006 + 'sql_max_writers' configuration directive is being introduced: sets the maximum number of concurrent writer processes the SQL plugin can fire, allowing the daemon to degrade gracefully in case of major database unavailibility. + 'sql_history_since_epoch' is being introduced: enables the use of timestamps (stamp_inserted, stamp_updated) in the standard seconds since the Epoch format as an alternative to the default date-time format. + 'sql_aggressive_classification' behaviour is changed: simpler more effective. It now operates by delaying cache-to-DB purge of unknown traffic streams - which would still have chances to be correctly classified - for a few 'sql_refresh_time' slots. The old mechanism was making use of negative UPDATE queries. + The way SQL writer processes are spawned by the SQL plugin has slightly changed in order to better exploit fork()'s copy-on- write behaviour: the writer now is mostly read-only while the plugin does most write operations before spawning the writer. ! The list of environment variables passed to the SQL triggers, 'sql_trigger_exec', has been updated. ! Fixed a bug related to sequence number checks for NetFlow v5 datagrams. Thanks very much to Peter Nixon for reporting it. 0.11.1 -- 25-10-2006 + PostgreSQL plugin: 'sql_use_copy' configuration directive has been introduced; instructs the plugin to build non-UPDATE SQL queries using COPY (in place of INSERT). While providing same functionalities of INSERT, COPY is more efficient. It requires 'sql_dont_try_update' to be enabled. Thanks to Arturas Lapiene for his support during the development. + nfprobe plugin: support for IPv4 ToS/DSCP, IPv6 CoS and MPLS top-most label has been introduced. ! Some alignment issues concerning both pkt_extras structure and Core process to Plugins memory rings have been fixed. Daemons are now reported to be running ok on MIPS/SPARC architectures. Many thanks to Michal Krzysztofowicz for his strong support. ! sfprobe plugin: a maximum default limit of 256 bytes is set on packet payload copy when building Flow Samples in pmacctd (ie. if capturing full packets through libpcap, we don't want them to be entirely copied into sFlow datagrams). ! Sanity checks now take place when processing 'sql_refresh_time' values and error messages are thrown out. ! Fixes have been committed to IPv6 code in xflow_status.c as it was not compiling properly on both Solaris and IRIX. 0.11.0 -- 27-09-2006 + NetFlow v5 sampling and renormalization are now supported: a) 'nfacctd' is able to renormalize bytes/packets counters and apply Pre-Tagging basing on the sampling rate specified in the datagram; b) 'sampling_rate' config key applies to 'nfprobe' plugin which is now able to generate sampling informations. + 'nfacctd' and 'sfacctd' are now able to give out informations about the status of active NetFlow/sFlow streams in terms of good/bad/missing datagrams. Whenever an anomaly happens (ie. missing or bad packets) a detailed message is logged; overral reports are logged by sending SIGUSR1 signals to the daemon. + 'logfile' configuration directive is introduced: it allows to log directly to custom files. This adds to console and syslog logging options. ! Old renormalization structure, renorm_table, has been dropped; the new one, which applies to both NetFlow and sFlow, is tied into the brand new xflow_status_table structure. ! When 'nfacctd_as_new' was not in use, NetFlow v5 src_as/dst_as values were erroneously swapped. Thanks to Thomas Stegbauer for reporting the bug. ! Incorrect timeout value for poll() has been fixed in 'sfprobe' plugin. It was leading the plugin to take too much resources. ! 'nfprobe' plugin was inserting jumps while generating sequence numbers. ! 'nfprobe' plugin behaviour in handling 'networks_file' content has been changed and now equals 'sfprobe': IP addresses which are not belonging to known networks/ASNs are no longer zeroed. ! 'sfprobe' was not generating correct sample_pool values. 0.11.0rc3 -- 30-08-2006 + 'sfprobe' plugin can now transport packet/flow classification tags inside sFlow v5 datagrams. Then, such tags can be read by the sFlow collector, sfacctd. + 'sfprobe' plugin is able to encapsulate basic Extended Gateway informations (src_as, dst_as) into sFlow v5 datagrams starting from a Networks File - networks_file configuration directive. + 'nfprobe' now supports network data coming from libpcap/tcpdump style savefile ('pcap_savefile', -I). + pmacctd is now able to capture packets from DLT_NULL, which is BSD loopback encapsulation link type. Thanks to Gert Burger for his support. + Sampling layer has been improved: it's now able to sample flows from NetFlow datagrams (not only packets arriving through sFlow or libpcap); 'sfprobe' sampling layer has been tied into this mechanism and as a result, 'sfprobe_sampling_rate' is now an alias for 'sampling_rate' and its default value is 1 (ie. no sampling). This change will benefit 'sfprobe' in terms of better efficiency. + A new 'pmacctd_flow_buffer_buckets' directive defines the number of buckets of the Flow Buffer. This value has to scale to higher power of 2 accordingly to the link traffic rate and is useful when packet classification is enabled. Many thanks for testing, debugging and support go to Steve Cliffe. + A new 'sql_locking_style' directive allows to choose among two types of locking: "table" (default) and "row". More details are in the CONFIG-KEYS document. "row" locking has to be considered as experimental. Many thanks go to Aaron Glenn and Peter Nixon for their close support, work and thoughts. ! IPv6 support is now working; it was broken in 0.11.0rc2; thanks to Nigel Roberts for signalling and fixing the issue. ! Fixed a few issues concerning the building system and related to the introduction of some new subtrees. Thanks to Kirill Ponomarew and Peter Nixon for signalling them. ! Fixed some signal()-related issues when running the package under DragonflyBSD. Being fork of FreeBSD 4.x, it needs same cautions. Thanks to Aaron Glenn for his support. 0.11.0rc2 -- 08-08-2006 + 'nfprobe' plugin can now transport packet/flow classification tags inside NetFlow v9 datagrams, using custom field type 200. Then, such tags can be read by the NetFlow collector, nfacctd. + 'nfprobe' plugin has now ability to select a Engine Type/Engine ID through a newly introduced 'nfprobe_engine' config directive. It will mainly allow a collector to distinguish between distinct probe instances originating from the same IP address. + 'nfprobe' plugin now can automagically select different NetFlow v9 template IDs, useful when multiple 'nfprobe' plugins run as part of the same daemon instance. + 'sfprobe' plugin is now able to redistribute NetFlow flows into sFlow samples. This adds to sFlow -> sFlow and libpcap -> sFlow. + A new data structure to pass extended data to specific plugins has been added. It is placed on the ring, next to pkt_data. It is meant to pass extra data to plugins and, same time, avoiding to inflate the main data structure. ! Wrong arguments were injected into a recently introduced Log() call in plugin_hooks.c; it's now fixed: under certain conditions, this was generating SEGV at startup while using 'sfprobe' plugin. ! Updated documentation; examples and quickstart guides for using pmacct as both emitter and collector of NetFlow and sFlow have been added. - Hooks to compile pmacct the no-mmap() style have been removed. 0.11.0rc1 -- 20-07-2006 + pmacct DAEMONS ARE NOW ABLE TO CREATE AND EXPORT NETFLOW PACKETS: a new 'nfprobe' plugin is available and allows to create NetFlow v1/v5/v9 datagrams and export them to a IPv4/IPv6 collector. The work is based on softflowd 0.9.7 software. A set of configuration directives allows to tune timeouts (nfprobe_timeouts), cache size (nfprobe_maxflows), collector parameters (nfprobe_receiver), TTL value (nfprobe_hoplimit) and NetFlow version of the datagrams to be exported (nfprobe_version). Many thanks to Ivan A. Beveridge, Peter Nixon and Sven Anderson for their support and thoughts and to Damien Miller, author of softflowd. + pmacct DAEMONS ARE NOW ABLE TO CREATE AND EXPORT SFLOW PACKETS: a new 'sfprobe' plugin is available and allows to create sFlow v5 datagrams and export them to a IPv4 collector. The work is based on InMon sFlow Agent 5.6 software. A set of configuration directives allows to tune sampling rate (sfprobe_sampling_rate), sFlow agent IP address (sfprobe_agentip), collector parameters (sfprobe_receiver) and agentSubId value (sfprobe_agentsubid). Many thanks to InMon for their software and Ivan A. Beveridge for his support. ! An incorrect pointer to the received packet was preventing Pre- Tagging filters to work correctly against DLT_LINUX_SLL links. Many thanks to Zhuang Yuyao for reporting the issue. ! Proper checks on protocol number were missing in pmacct client program, allowing to look further the bounds of the _protocols array. Many thanks to Denis N. Voituk for patching the issue. 0.10.3 -- 21-06-2006 + New Pre-Tagging key 'label': mark the rule with label's value. Labels don't need to be unique: when jumping, the first matching label wins. + New Pre-Tagging key 'jeq': Jump on EQual. Jumps to the supplied label in case of rule match. Before jumping, the tagged flow is returned to active plugins, as it happens for any regular match (set return=false to change this). In case of multiple matches for a signle flow, plugins showing 'tag' key inside 'aggregate' directive will receive each tagged copy; plugins not receiving tags will still receive unique copy of the flow. sFlow and NetFlow are usually uni-directional, ie. ingress-only or egress-only (to avoid duplicates). Meaningful application of JEQs is tagging flows two times: by incoming interface and by outgoing one. Only forward jumps are allowed. "next" is reserved label and causes to jump to the next rule. Many thanks to Aaron Glenn for brainstormings about this point. + New Pre-Tagging key 'return': if set to 'true' (which is default behaviour) returns the current packet/flow to active plugins, in case of match. If switched to 'false', it will prevent this to happen. It might be thought either as an extra filtering layer (bound to explicit Pre-Tagging rules) or (also in conjunction with 'stack') as a way to add flexibility to JEQs. + New Pre-Tagging key 'stack': actually '+' (ie. sum symbol) is the unique supported value. This key makes sense only if JEQs are in use. When matching, accumulate IDs, using the specified operator/ function. For example, usually =. By setting 'stack=+' you will be able to get =. ! Pre-Tagging table now supports a maximum of 384 rules. Because of the newly introduced flow alteration features, tables are no longer internally re-ordered. However, IPv4 and IPv6 stacks are still segregated each other. 0.10.2 -- 16-05-2006 + A new '-l' option is supported by pmacct client tool: it allows to enable locking of the memory table explicitely, when serving the requested operation. + Pre-Tagging infrastructure is now featuring negations for almost all supported keys with the exclusion of id, ip and filter. To negate, the '-' (minus symbol) need to be prepended; eg.: id=X ip=Y in=-1 means tag with X, data received from Net/sFlow agent with IP address Y and not coming from interface 1. + pre_tag_filter config directive is now featuring same negation capabilities as Pre-Tagging infrastructure. + Q16 added to FAQS document: a sum of tips for running smoothly SQL tables. Many thanks to Wim Kerkhoff and Sven Anderson for bringing up the points. 0.10.1 -- 18-04-2006 + AS numbers and IP addresses are no more multiplexed into the same field. This ends the limitation of being unable to have both data types in the same table (which could be useful for troubleshooting purposes, for example). A new SQL table version, v6, is introduced in order to support this new data model in all SQL plugins. ! Minor fixes to PostgreSQL table schemas, v2 to v5: a) the 'vlan' field was erroneously missing from primary keys, slowing down INSERT and UPDATE queries; b) primary keys were identified as 'acct_pk', thus not allowing multiple tables of different version to share the same database; now constraint name is: 'acct_vX_pk', with X being the version number. Many thanks to Sven Anderson for catching the a) ! An alignment issue has been catched when the etheraddr_string() gets called from count_src|dst_mac_handlers() in sql_handlers.c This seems to be closely connected to a similar trouble catched by Daniel Streicher on x86_64 recently. ! Fixed an issue with mask_elem() in server.c . Both src|dst_net primitives were not (positively, ie. copied back when required) masked. 0.10.0 -- 22-03-2006 + Collectors (ie. pmacctd) are now compiled exporting full Dynamic Symbol Table. This allows shared object (SO) classifiers to call routines included in the collector code. Moreover, a small set of library functions - specifically aimed to deal smoothly with the classifiers' table - are now included in the collector code: pmct_un|register(), pmct_find_first|last_free(), pmct_isfree(), pmct_get() and pmct_get_num_entries(). For further reading, take a look to README.developers document in classifiers tarball. + Classifiers table, which is the linked-list structure containing all the active classifiers (RE + SO), is now loaded into a shared memory segment, allowing plugins to keep updated about changes to the table. Furthermore, the table is now dynamically allocated at runtime, allowing an arbitrary number of classifiers to be loaded via the new 'classifier_table_num' configuration directive. + Pre-Tagging infrastructure adds two new primitives to tag network traffic: src_as and dst_as, the source and destination Autonomous System Number (ASN). In pmacctd they work against a Network Map ('networks_file' configuration directive). In nfacctd and sfacctd they work against both sFlow/NetFlow ASN fields and Network Maps. Many thanks to Aaron Glenn for his strong support. ! PostgreSQL plugin and pmpgplay no more make use of EXCLUSIVE LOCKS whenever the sql_dont_try_update directive is activated. We assume there is no need for them in a INSERTs-only framework as integrity of data is still guaranteed by transactions. The patch has been contributed by Jamie Wilkinson, many thanks ! ! Commandline switches and a configuration file should cohexist and the formers need to take precedence over the latter, if required. This is a rather standard (and definitely more flexible) approach; before this release they were mutual exclusive. Read UPGRADE notes at this propo. Thanks for the suggestion to Ivan A. Beveridge. ! Some glibc functions (noticeably syslog()) rely upon a rather non- standard "extern char *__progname" pointer. Now, its existence is properly checked at configuration time. On Linux, setproctitle() was causing plugin name/type to get cutted down in messages sent to the syslog facility. Thanks to Karl Latiss for his bug report. ! Solved a bug involving the load of IPv6 entries from Networks Maps. It was causing the count of such entries to be always zero. 0.10.0rc3 -- 01-03-2006 + Aapplication layer (L7) classification capabilities of pmacctd have been improved: shared object (SO) classifiers have been introduced; they are loaded runtime through dlopen(). pmacct offers them support for contexts (informations gathered - by the same classifier - from previous packets either in the same uni-directional flow or in the reverse one), private memory areas and lower layer header pointers, resulting in extra flexibility. Some examples can be found at the webpage: http://www.ba.cnr.it/~paolo/pmacct/classification/ + 'classifier_tentatives' configuration key has been added: it allows to customize the number of tentatives made in order to classify a flow. The default number is five, which has proven to be ok but for certain types of classification it might result restrictive. + 'pmacctd_conntrack_buffer_size' configuration key has been added: it (intuitively) defines the size for the connection tracking buffer. + Support for Token Ring (IEEE 802.5) interfaces has been introduced in pmacctd. Many thanks to Flavio Piccolo for his strong support. + 'savefile_wait' (-W commandline) configuration key has been added: if set to true causes pmacctd to not return but wait to be killed after being finished with the supplied savefile. Useful when pushing data from a tcpdump/ethereal tracefile into a memory table (ie. to build graphs). ! An erroneous replacement of dst with src in mask_elem() was causing queries like "pmacct -c dst_host -M|-N " to return zero counters. Thanks to Ryan Sleevi for signalling the weird behaviour. ! Management of the connection tracking buffer has been changed: now, a successful search frees the matched entry instead of moving it in a chain of stale entries, available for quick reuse. ! Error logging of SQL plugins has been somewhat improved: now, error messages returned by the SQL software are forwarded to sql_db_error() This will definitely allow to exit from the obscure crypticism of some generic error strings. 0.10.0rc2 -- 14-02-2006 + CONNECTION TRACKING modules has been introduced into pmacctd: they are C routines that hint IP address/port couples for upcoming data streams as signalled by one of the parties into the control channel whenever is not possible to go with a RE classificator. Conntrack modules for FTP, SIP and RTSP protocols are included. + 'pidfile' directive way of work has been improved: firstly, whenever a collector shuts down nicely, it now removes its pidfile. Secondly, active plugins now create a pidfile too: it takes the following form: -.. Thanks to Ivan A. Beveridge for sharing his thoughts at this propo. ! Minor fixes to the classification engine: TCP packets with no payload are not considered useful classification tentatives; a new flow can inherit the class of his reverse flow whenever it's still reasonably valid. ! Solved a segmentation fault issue affecting the classificator engine, whenever the 'snaplen' directive was not specified. Thanks to Flavio Piccolo for signalling it. ! Fixed a bug in the PostgreSQL plugin: it appeared in 0.10.0rc1 and was uniquely related to the newly introduced negative UPDATE SQL query. ! INTERNALS has been updated with few notes about the new classification and connection tracking features. 0.10.0rc1 -- 24-01-2006 + PACKET CLASSIFICATION capabilities have been introduced into pmacctd: the implemented approach is fully extensible: classification patterns are based on regular expressions (RE), human-readable, must be placed into a common directory and have a .pat file extension. Many patterns for widespread protocols are available at L7-filter project homepage. To support this feature, a new 'classifiers' configuration directive has been added. It expects full path to a spool directory containing the patterns. + A new 'sql_aggressive_classification' directive has been added aswell: it allows to move unclassified packets even in the case they are no more cached by the SQL plugin. This aggressive policy works by firing negative UPDATE SQL queries that, whenever successful, are followed by positive ones charging the extra packets to their final class. ! Input and Output interface fields (Pre-Tagging) have been set to be 32 bits wide. While NetFlow is ok with 16 bits, some sFlow agents are used to bigger integer values in order to identify their interfaces. The fix is courtesy of Aaron Glenn. Thank you. ! Flow filtering troubles have been noticed while handling MPLS-tagged flows inside NetFlow v9 datagrams. Thanks to Nitzan Tzelniker for his cooperation in solving the issue. ! A new exit_all() routine now handles nicely fatal errors detected by the Core Process, after plugins creation. It avoids leaving orphan plugins after the Core Process shutdown. 0.9.6 -- 27-Dec-2005 + Support for 'sql_multi_values' has been introduced into the new SQLite 3.x plugin. It allows to chain multiple INSERT queries into a single SQL statement. The idea is that inserting many rows at the same time is much faster than using separate single-row statements. ! MySQL plugin fix: AS numbers were sent to the database unquoted while the corresponding field was declared as CHAR. By correctly wrapping AS numbers, a major performance increase (expecially when UPDATE queries are spawned) has been confirmed. Many thanks to Inge Bjørnvall Arnesen for discovering, signalling and solving the issue. ! MySQL plugin fix: multi-values INSERT queries have been optimized by pushing out of the queue purging loop the proper handling for the EOQ event. ! The introduction of the intermidiate SQL layer in the 0.9.5 version choked the dynamic SQL table creation capability. This has been fixed. Thanks to Vitalij Brajchuk for promptly signalling the issue. ! The 'pidfile' configuration key has got incorrectly disabled in both nfacctd and sfacctd. Thanks to Aaron Glenn for signalling the issue. ! The 'daemonize' (-D) configuration key was incorrectly disabling the signal handlers from the Core Process once backgrounded. As a result the daemon was not listening for incoming SIGINTs. Again, many thanks go to Aaron Glenn. 0.9.5 -- 07-Dec-2005 + PMACCT OPENS TO SQLITE 3.x: a fully featured SQLite, version 3.x only, plugin has been introduced; SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL (almost all SQL92) database engine. The plugin is LOCK-based and supports the "recovery mode" via an alternate database action. Expecially suitable for tiny and embedded environments. The plugin can be fired using the keyword 'sqlite3'. See CONFIG-KEYS and EXAMPLES for further informations. + A new SQL layer - common to MySQL, PostgreSQL and SQLite plugins - has been introduced. It's largely callback-based and results in a major architectural change: it sits below the specific SQL code (facing the Core Process's abstraction layer) and will (hopefully) help in reducing potential bugs and will allow for a quick implementation of new SQL plugins. ! A bug concerning the setup of insert callback functions for summed (in + out) IPv6 traffic has been fixed. The issue was affecting all SQL plugins. ! A bug concerning the handling of MPLS labels has been fixed in pmacctd. Many thanks to Gregoire Tourres and Frontier Online for their support. 0.9.4p1 -- 14-Nov-2005 ! Minor bugfix in pretag.c: a wrongly placed memcpy() was preventing the code to be compiled by gcc 2.x . Many thanks to Kirill Ponomarew and Kris Kennaway for signalling the issue. ! Fixed an alignment issue revealed in the query_header structure; it has been noticed only under some circumstances: '--enable-64bit' enabled, 64bit platform and gcc 3.x . Many thanks to Aaron Glenn for his strong support in solving the issue. 0.9.4 -- 08-Nov-2005 + Hot map reload has been introduced. Maps now can be modified and then reloaded without having to stop the daemon. SIGUSR2 has been reserved for this use. The feature applies to Pre-Tagging map (pre_tag_map), Networks map (networks_file) and Ports map (ports_file). It is enabled by default and might be disabled via the new 'refresh_maps' configuration directive. Further details are in CONFIG-KEYS. ! Some major issues have been solved in the processing of libpcap-format savefiles. Some output inconsistencies were caused by a corruption of the pcap file handler; bufferization is now enabled by default and the last buffer is correctly processed. Many thanks go to Amir Plivatsky for his strong support. ! 'sql_table_schema' directive: in read_SQLquery_from_file() the strchr() has been replaced by strrchr() allowing to chain more SQL statements as part of the SQL table creation. This results useful, for example, to do CREATE INDEX after CREATE TABLE. The patch is courtesy of Dmitriy Nikulin. ! SIGTERM signal is now handled properly to ensure a better compatibility of all pmacct daemons under the daemontools framework. The patch is courtesy of David C. Maple. ! Memory plugin: some issues caused by the mix of not compatible compilation parameters have been fixed. Now the pmacct client now correctly returns a warning message if: counters are of different size (32bit vs 64bit) or IP addresses are of different size (IPv4-only vs IPv6-enabled packages). ! Print plugin, few bugfixes: the handling of the data ring shared with the Core Process was not optimal; it has been rewritten. P_exit() routine was not correctly clearing cached data. 0.9.3 -- 11-Oct-2005 + IPv4/IPv6 multicast support has been introduced in the NetFlow (nfacctd) and the sFlow (sfacctd) daemons. A maximum of 20 multicast groups may be joined by a single daemon instance. Groups can be defined by using the two sister configuration keys: nfacctd_mcast_groups and sfacctd_mcast_groups. + sfacctd: a new 'sfacctd_renormalize' config key allows to automatically renormalize byte/packet counters value basing on informations acquired from the sFlow datagram. In particular, it allows to deal with scenarios in which multiple interfaces have been configured at different sampling rates. It also calculates an effective sampling rate which could differ from the configured one - expecially at high rates - because of various losses. Such estimated rate is then used for renormalization purposes. Many thanks go to Arnaud De-Bermingham and Ovanet for the strong support offered during the development. + sfacctd: a new 'sampling_rate' keyword is supported into the Pre-Tagging layer. It allows to tag aggregates - generated from sFlow datagrams - on a sampling rate basis. + setproctitle() calls have been introduced (quite conservatively) and are actually supported on Linux and BSDs. The process title is rewritten in the aim of giving the user more informations about the running processes (that is, it's not intended to be just a cosmetic stuff). ! sql_preprocess tier was suffering a bug: actions (eg. usrf, adjb), even if defined, were totally ignored if no checks were defined aswell. Many thanks to Draschl Clemens for signalling the issue. ! Some minor bugs have been catched around sfacctd and fixed accordingly. Again, many thanks to Arnaud De-Bermingham. 0.9.2 -- 14-Sep-2005 + A new 'usrf' keyword is now supported into the 'sql_preprocess' tier: it allows to apply a generic uniform renormalization factor to counters. Its use is particularly suitable for use in conjunction with uniform sampling methods (for example simple random - e.g. sFlow, 'sampling_rate' directive or simple systematic - e.g. sampled NetFlow by Cisco and Juniper). + A new 'adjb' keyword is now supported into the 'sql_preprocess' tier: it allows to add (or subtract in case of negative value) 'adjb' bytes to the bytes counter. This comes useful when fixed lower (link, llc, etc.) layer sizes need to be included into the bytes counter (as explained by the Q7 in the updated FAQS document). + A new '--enable-64bit' configuration switch allows to compile the package with byte/packet/flow counters of 64bit (instead of the usual 32bit ones). ! The sampling algorithm endorsed by the 'sampling_rate' feature has been enhanced to a simple randomic one (it was a simple systematic). ! Some static memory structures are now declared as constants allowing to save memory space (given the multi-process architecture) and offering an overral better efficiency. The patch is courtesy of Andreas Mohr. Thanks. ! Some noisy compiler warnings have been troubleshooted along with some minor code cleanups; the contribution is from Jamie Wilkinson. Thanks. ! Some unaligned pointer issues have been solved. 0.9.1 -- 16-Aug-2005 + Probabilistic, flow size dependent sampling has been introduced into the 'sql_preprocess' tier via the new 'fss' keyword: it is computed against the bytes counter and returns renormalized results. Aggregates which have collected more than the 'fss' threshold in the last time window are sampled. Those under the threshold are sampled with probability p(bytes). For further details read the CONFIG-KEYS and the paper: - N.G. Duffield, C. Lund, M. Thorup, "Charging from sampled network usage" http://www.research.att.com/~duffield/pubs/DLT01-usage.pdf + Probabilistic sampling under hard resource constraints has been introduced into the 'sql_preprocess' tier via the new 'fsrc' keyword: it is computed against the bytes counter and returns renormalized results. The method selects only 'fsrc' flows from the set of the flows collected during the last time window, providing an unbiasied estimate of the real bytes counter. For further details read the CONFIG-KEYS and the paper: - N.G. Duffield, C. Lund, M. Thorup, "Flow Sampling Under Hard Resource Constraints" http://www.research.att.com/~duffield/pubs/DLT03-constrained.pdf + A new 'networks_mask' configuration directive has been introduced: it allows to specify a network mask - in bits - to be applied apply to src_net and dst_net primitives. The mask is applied before evaluating the content of 'networks_file' (if any). + Added a new signal handler for SIGUSR1 in pmacctd: a 'killall -USR1 pmacctd' now returns a few statistics via either console or syslog; the syslog level reserved for such purpose is the NOTICE. ! sfacctd: an issue regarding non-IP packets has been fixed: some of them (mainly ARPs) were incorrectly reported. Now they are properly filtered out. ! A minor memory leak has been fixed; it was affecting running instances of pmacctd, nfacctd and sfacctd with multiple plugins attached. Now resources are properly recollected. 0.9.0 -- 25-Jul-2005 + PMACCT OPENS TO sFlow: support for the sFlow v2/v4/v5 protocol has been introduced and a new daemon 'sfacctd' has been added. The implementation includes support for BGP, MPLS, VLANs, IPv4, IPv6 along with packet tagging, filtering and aggregation capabilities. 'sfacctd' makes use of Flow Samples exported by a sFlow agent while Counter Samples are skipped and the MIB is ignored. All actually supported backends are available for storage: MySQL, PostgreSQL and In-Memory tables. http://www.sflow.org/products/network.php lists the network equipments supporting the sFlow protocol. + A new commandline option '-L' is now supported by 'nfacctd' and 'sfacctd'; it allows to specify an IPv4/IPv6 address where to bind the daemon. It is the equivalent for the 'nfacctd_ip' and 'sfacctd_ip' configuration directives. ! The NetFlow v9 MPLS stack handler has been fixed; it now also sticks the BoS bit (Bottom of the Stack) to the last processed label. This makes the flow compliant to BPF filters compiled by the newly released libpcap 0.9.3. ! Some Tru64 compilation issues related to the ip_flow.[c|h] files have been solved. ! Some configuration tests have been added; u_intXX_t definitions are tested and fixed (whenever possible, ie. uintXX_t types are available). Particularly useful on Solaris and IRIX platforms. ! Configuration hints for MySQL headers have been enhanced. This will ease the compilation of pmacct against MySQL library either from a precompiled binary distribution or from the FreeBSD ports. Many hhanks for the bug report go to John Von Essen. ! NetFlow v8 source/destination AS handlers have been fixed. 0.8.8 -- 27-Jun-2005 + Added IP flows support in pmacctd (release 0.8.5 has seen its introduction in nfacctd) for both IPv4 and IPv6 handlers. To enable flows accounting, the 'aggregate' directive now supports a new 'flows' keyword. The SQL table v4 has to be used in order to support this feature in both SQL plugins. + A new 'sum_mac' aggregation method has been added (this is in addition to the already consolidated ones: 'sum_host', 'sum_net', 'sum_as', 'sum_port'). Sum is intended to be the total traffic (inbound traffic summed to outbound one) produced by a specific MAC address. + Two new configuration directives have been introduced in order to set an upper bound to the growth of the fragment (default: 4Mb) and flow (default: 16Mb) buffers: 'pmacctd_frag_buffer_size', 'pmacctd_flows_buffer_size'. + A new configuration directive 'pmacctd_flow_lifetime' has been added and defines how long a flow could remain inactive (ie. no packets belonging to such flow are received) before considering it expired (default: 60 secs). This is part of the pmacctd IP flows support. + Console/syslog feedbacks about either generic errors or malformed packets have been greatly enhanced. Along with the cause of the message, now any generated message contains either the plugin name/type or the configuration file that is causing it. ! nfacctd: when IPv6 is enabled (on non-BSD systems) the daemon now listens by default on a IPv6 socket getting rid of the v4-in-v6 mapping feature which helps in receiving NetFlow datagrams from both IPv4 and IPv6 agents. A new configure script switch --enable-v4-mapped is aimed to turn manually on/off the feature. ! Fixed an issue with the SIGCHLD handling routine on FreeBSD 4.x systems. It was causing the sudden creation of zombie processes because of the not correct retirement of exited childs. Many thanks for his bug report and strong support go to John Von Essen. ! Fixed an endianess issue regarding Solaris/x86 platforms caused by not proper preprocessor tests. Many thanks to Imre Csatlos for his bug report. ! Fixed the default schema for the PostgreSQL table v4. The 'flows' field was lacking of the 'DEFAULT 0' modifier; it was causing some troubles expecially when such tables were used in conjunction with the 'sql_optimize_clauses' directive. Many thanks for his bug report and strong support go to Anik Rahman. 0.8.7 -- 14-Jun-2005 + pmacctd: MPLS support has been introduced. MPLS (on ethernet and ppp links) and MPLS-over-VLAN (ethernet only) packets are now supported and passed to upper layer routines. Filtering and tagging (Pre-Tagging) packets basing on MPLS labels is also supported. Recent libpcap is required (ie, CVS versions >= 06-06-2005 are highly adviceable because of the support for MPLS label hierarchies like "mpls 100000 and mpls 1024" that will match packets with an outer label of 100000 and an inner label of 1024). + nfacctd: VLAN and MAC addresses support for NetFlow v9 has been introduced. Each of them is mapped to its respective primitive (vlan, src_mac, dst_mac); filtering and tagging (Pre-Tagging) IPv4/IPv6 flows basing on them is also supported. + nfacctd: filtering and tagging (Pre-Tagging) IPv4/IPv6 flows basing on MPLS labels has been introduced (read the above notes regarding libpcap version requirements). + A new packet capturing size option has been added to pmacctd ('snaplen' configuration directive; '-L' commandline). It allows to change the default portion of the packet captured by the daemon. It results useful to cope with not fixed protocol stacks (ie, the MPLS stack). + pmacctd: CHDLC support has been introduced. IPv4, IPv6 and MPLS packets are supported on this link layer protocol. ! Cleanups have been added to the NetFlow packet processing cycle. They are mainly aimed to ensure that no stale data is read from circular buffers when processing NetFlow v8/v9 packets. ! The NetFlow v9 VLAN handling routine was missing a ntohs() call, resulting in an ncorrect VLAN id on little endian architectures. ! ether_aton()/ether_ntoa() routines were generating segmentation faults on x86_64 architectures. They have been replaced by a new handmade couple: etheraddr_string()/string_etheraddr(). Many thanks to Daniel Streicher for the bug report. 0.8.6 -- 23-May-2005 + The support for dynamic SQL tables has been introduced through the use of the following variables in the 'sql_table' directive: %d (the day of the month), %H (hours using an 24 hours clock), %m (month number), %M (minutes), %w (the day of the week as a decimal number), %W (week number in the current year) and %Y (the current year). This enables, for example, substitutions like the following ones: 'acct_v4_%Y%m%d_%H%M' ==> 'acct_v4_20050519_1500' 'acct_v4_%w' ==> 'acct_v4_05' + A new 'sql_table_schema' configuration directive has been added in order to allow the automatic creation of dynamic tables. It expects as value the full pathname to a file containing the schema to be used for table creation. An example of the schema follows: CREATE TABLE acct_v4_%Y%m%d_%H%M ( ... PostgreSQL/MySQL specific schema ... ); + Support for MySQL multi-values INSERT clauses has been added. Inserting many rows in a single shot has proven to be much faster (many times faster in some cases) than using separate single INSERT statements. A new 'sql_multi_values' configuration directive has been added to enable this feature. Its value is intended to be the size (in bytes) of the multi-values buffer. Out of the box, MySQL >= 4.0.x supports values up to 1024000 (1Mb). Because it does not require any changes on server side, people using MySQL are strongly encouraged to give it a try. + A new '--disable-l2' configure option has been added. It is aimed to compile pmacct without support for Layer-2 stuff: MAC addresses and VLANs. This option - along with some more optimizations to memory structures done in this same release - have produced memory savings up to 25% compared to previous versions. ! Recovery code for PostgreSQL plugin has been slightly revised and fixed. 0.8.5 -- 04-May-2005 + Added IP flows counter support in nfacctd, the NetFlow accounting daemon, in addition to the packets and bytes ones. To enable flows accounting, the 'aggregate' directive now supports a new 'flows' keyword. A new SQL table version, v4, has been also introduced to support this feature in both SQL plugins. + 'sql_preprocess' directive have been strongly improved by the addition of new keywords to handle thresholds. This preprocessing feature is aimed to process aggregates (via a comma-separated list of conditionals and checks) before they are pulled to the DB, thus resulting in a powerful selection tier; whether the check is meet, the aggregate goes on its way to the DB; the new thresholds are: maxp (maximum number of packets), maxb (maximum bytes transferred), minf/maxf (minimum/maximum number of flows), minbpp/maxbbp (minimum/maximum bytes per packet average value), minppf/maxppf (minimum/ maximum packets per flow average value). + Added a new 'sql_preprocess_type' directive; the values allowed are 'any' or 'all', with 'any' as default value. It is intended to be the connective whether 'sql_preprocess' contains multiple checks. 'any' requires that an aggregate has to match just one of the checks in order to be valid; 'all' requires a match against all of the checks instead. + Added the ability to instruct a BPF filter against the ToS field of a NetFlow packet. ! Minor optimizations on the 'sql_preprocess' handler chain. 0.8.4 -- 14-Apr-2005 + Added support for NetFlow v7/v8. The Version 7 (v7) format is exclusively supported by Cisco Catalyst series switches equipped with a NetFlow feature card (NFFC). v7 is not compatible with Cisco routers. The Version 8 (v8) format adds (with respect to older v5/v7 versions) router-based aggregation schemes. + Added the chance to tag packets basing on NetFlow v8 aggregation type field. As the keyword suggests, it will work successfully just when processing NetFlow v8 packets. Useful to split - backend side - data per aggregation type. + pmacct client now is able to ask for the '0' (that is, untagged packets) tag value. Moreover, all 'sum' aggregations (sum_host, sum_net, sum_as, sum_port) can now be associated with both Pre/Post-Tagging. ! Fixed a serious memory leak located in the routines for handling NetFlow v9 templates. While the bug was needing certain conditions to manifest, anyone using NetFlow v9 is strongly encouraged to upgrade to this version. All previous versions were affected. ! Some gcc4 compliance issues have been solved. The source code is known to work fine on amd64 architectures. Thanks very much to Marcelo Goes for his patch. ! Engine Type/Engine ID fields were not correctly evaluated when using NetFlow v5 and Pre-Tagging. The issue has been fixed. ! Long comments in the Ports Definition File were causing some incorrect error messages. However it seems the file were processed correctly. Thanks to Bruno Mattarollo for signalling the issue. ! Minor fix to plugins hooking code. The reception of sparse SIGCHLD signals were causing the poll() to return. The impact was null. The issue has been fixed by ignoring such signals. 0.8.3 -- 29-Mar-2005 + Pre-Tagging capabilities have been further enhanced: captured traffic can be now marked basing on the NetFlow nexthop/BGP nexthop fields. While the old NetFlow versions (v1, v5) carry an unique 'nexthop' field, NetFlow v9 supports them into two distinguished fields. + Packet/flows tagging is now explicit, gaining more flexibility: a new 'tag' keyword has been added to the 'aggregate' directive. It causes the traffic to be actually marked; the 'pre_tag_map' and 'post_tag' directives now just evaluate the tag to be assigned. Read further details about this topic in the UPGRADE document. + The 'pre_tag_filter' directive now accepts 0 (zero) as valid value: we have to remember that zero is not a valid tag; hence, its support allows to split or filter untagged traffic from tagged one. + Documentation has been expanded: a new FAQS entry now describes few and easy tweaks needed to replace the bytes counter type from u_int32_t to u_int64_t throughout the code (provided that the OS supports this type); it's useful in conjunction with the In-Memory plugin while exposed to very sustained traffic loads. A new FAQS entry describes the first efforts aimed to integrate pmacctd with popular flow-tools software by the way of the flow-export tool. A new UPGRADE document has been also created. ! pmacct client was handling counters returned by the '-N' switch as signed integers, which is not correct. The issue has been fixed. Many thanks to Tobias Bengtsson for signalling it. ! Two new routines file_lock()/file_unlock() have replaced the flock() calls because they were preventing the pmacct code to compile on Solaris. Basing over hints collected at configure time, the routines enable either the flock() or fcntl() code. Many thanks to Jan Baumann for signalling and solving the issue. 0.8.2 -- 08-Mar-2005 + Pre-Tagging capabilities have been enhanced: now, a Pre Tag Map allows to mark either packets or flows basing on the outcome of a BPF filter. Because of this new feature, Pre-tagging has been introduced in 'pmacctd' too. Pre-tagging was already allowing 'nfacctd' to translate some NetFlow packet fields (exporting agent IP address, Input/Output interface, Engine type and Engine ID) into an ID (also referred as 'tag'), a small number in the range 1-65535. + A new 'pmacctd_force_frag_handling' configuration directive has been added; it aims to support 'pmacctd' Pre-Tagging operations: whether the BPF filter requires tag assignation based on transport layer primitives (e.g. src port or dst port), this directive ensures the right tag is stamped to fragmented traffic too. + Pre Tag filtering (which can be enabled via 'pre_tag_filter' configuration directive) allows to filter aggregates basing on the previously evaluated ID: whether it matches with at least one of the filter values, the aggregate is delivered to the plugin. It has been enhanced by allowing to assign more tags to a specific plugin. + pmacctd: a new feature to read libpcap savefiles has been added; it can be enabled either via the 'pcap_savefile' configuration directive or the '-I' commandline switch. Files need to be already closed and correctly finalized in order to be read successfully. Many thanks to Rafael Portillo for proposing the idea. + pmacct client tool supports a new 'tag' keyword as value for the '-c' switch: it allows to query the daemon requesting a match against aggregate tags. + pmacct client: the behaviour of the '-N' switch (which makes the client to return a counter onto the screen suitable for data injection in tools like MRTG, Cacti, RRDtool, etc.), has been enhanced: it was already allowing to ask data from the daemon but basing only on exact matches. This concept has now extended, adding both wildcarding of specific fields and partial matches. Furthermore, when multiple requests are encapsulated into a single query, their results are by default splitted (that is, each request has its result); a newly introduced '-S' switch now allows to sum multiple results into a single counter. ! Bugfix: proper checks for the existence of a 'pre_tag_map' file were bypassed under certain conditions; however, this erroneous behaviour was not causing any serious issue. The correct behaviour is to quit and report the problem to the user. ! The sampling rate algorithm has been fixed from a minor issue: it was returning not expected results when 'sampling_rate: 1'. It now works as expected. Thanks to David C. Maple for his extensive support in gaining a better understanding of the problem. 0.8.1p1 -- 22-Feb-2005 ! 'sum_host' and 'sum_net' compound primitives have been fixed in order to work with IPv6 addresses. ! In-Memory Plugin: client queries spotted with both '-r' (reset counters) and '-N' (exact match, print counters only) switches enabled were causing the daemon to crash whether no entries were found. The problem has been fixed. Many thanks to Zach Chambers for signalling the issue. ! In-Memory Plugin: client queries spotted with either '-M' or '-N' switches enabled were failing to match actual data when either 'sum_host', 'sum_net' or 'sum_as' primitives were in use. The issue has been fixed. ! The modulo function applied to NetFlow v9 Template Cache has been enhanced in order to deal correctly with export agents having an IPv6 address. ! Networks/AS definition file: a new check has been added in order to verify whether network prefix/network mask pairs are compatible: if they are not, the mask is applied to the prefix. ! Documentation has been expanded and revised. 0.8.1 -- 25-Jan-2005 + Accounting and aggregation over DSCP, IPv4 ToS field and IPv6 traffic class field have been introduced ('aggregate' directive, 'tos' value): these fields are actually widely used to implement Layer-3 QoS policies by defining new classes of service (most noticeably 'Less than Best Effort' and 'Premium IP'). MySQL and PostgreSQL tables v3 (third version) have been introduced (they contain an additional 4-bytes 'tos' field) to support the new Layer-3 QoS accounting. + nfacctd core process has been slightly optimized: each flow is encapsulated (thus, copied field-by-field) into a BPF-suitable structure only if one or more plugins actually require BPF filtering ('aggregate_filter' directive). Otherwise, if either filtering is not required or all requested filters fail to compile, the copy is skipped. + 'pmacct', pmacct client tool: '-e' commandline option (which meaning is: full memory table erase) now might be supplied in conjunction with other options (thus avoiding the short time delays involved by two consecutive queries, ask-then-erase, which may also lead to small losses). The new implemented mechanism works as follow: queries over actual data (if any) are served before; the table is locked, new aggregates are queued until the erasure finishes (it may take seconds if the table is large enough); the table is unlocked; the queue of aggregates is processed and all normal operations are resumed. Many thanks to Piotr Gackiewicz for the valuable exchange of ideas. ! Bug fixed in nfacctd: source and destination AS numbers were incorrectly read from NetFlow packets. Thanks to Piotr Gackiewicz for his support. ! Bug fixed in pmacct client: while retrieving the whole table content was displaying espected data, asking just for 'dst_as' field was resulting in no results instead. Thanks, once more, to Piotr Gackiewicz. 0.8.0 -- 12-Jan-2005 + PMACCT OPENS TO IPv6: IPv6 support has been introduced in both 'pmacctd' and 'nfacctd' daemons. Because it requires larger memory structures to store its addresses, IPv6 support has been disabled by default. It could be enabled at configure time via '--enable-ipv6' switch. All filtering, tagging and mapping functions already support IPv6 addresses. Some notes about IPv6 and SQL table schema have been dropped into README.IPv6 file, sql section of the tarball. + PMACCT OPENS TO NetFlow v9: support for the template-based Cisco NetFlow v9 export protocol has been added. NetFlow v1/v5 were already supported. 'nfacctd' may now be bound to an IPv6 interface and is able to read both IPv4 and IPv6 data flowsets. A single 'nfacctd' instance may read flows of different versions and coming from multiple exporting agents. Source and destination MAC addresses and VLAN tags are supported in addition to the primitives already supported in v1/v5 (source/destination IP addresses, AS, ports and IP protocol). Templates are cached and refreshed as soon as they are resent by the exporting agent. + Pre Tag map ('pre_tag_map' configuration key), which allows to assign a small integer (ID) to an incoming flow basing on NetFlow auxiliar data, now may apply tags basing also over Engine Type (it provides uniqueness with respect to the routing engine on the exporting device) and Engine ID (it provides uniqueness with respect to the particular line card or VIP on the exporting device) fields. Incoming and Outcoming interfaces were already supported. See 'pretag.map.example' into tarball examples section and CONFIG-KEYS document for further details. + Raw protocol (DLT_RAW) routine has been added; it usually allows to read data from tunnels and sitX devices (used for IPv6-in-IPv4 encapsulation). + Some tests for architecture endianess, CPU type and MMU unaligned memory access capability have been added. A small and rough (yes, they work the hard way) set of unaligned copy functions have been added. They are aimed to be introduced through the code, however first tests over MIPS R10000 and Alpha EV67 (21264A) have shown positive results. ! PPPoE and VLAN layer handling routines have been slightly revised for some additional checks. ! Given the fairly good portability reported from the mmap() code introduced through the whole 0.7.x development stage, the use of shared memory segments is now enabled by default. The configure switch '--enable-mmap' has been replaced by '--disable-mmap'. ! 'pmacct' client tool: because of the IPv6 addresses introduction, separator character for multiple queries (commandline) have been changed to from ':' to ';'. ! 'nfacctd': '-F' commandline switch was listed into available options list, but getopt() stanza was missing, thus returning an invalid option message. Thanks to Chris Koutras for his support in fixing the issue. ! Some variable assignations were causing lvalue errors with gcc 4.0. Thanks to Andreas Jochens for his support in signalling and solving the problem. 0.7.9 -- 21-Dec-2004 + A new data pre-processor has been introduced in both SQL plugins: it allows to filter out data (via conditionals, checks and actions) during a cache-to-DB purging event, before building SQL queries; this way, for example, aggregates which have accounted just a few packets or bytes may be either discarded or saved through the recovery mechanism (if enabled). The small set of preprocessing directives is reported into CONFIG-KEYS document. + Some new environment variables are now available when firing a trigger from SQL plugins: $EFFECTIVE_ELEM_NUMBER reports the effective number of aggregates (that is, excluding those filtered out at preprocessing time) encapsulated in SQL queries; $TOTAL_ELEM_NUMBER reports the total number of aggregates instead. $INSERT_QUERIES_NUMBER and $UPDATE_QUERIES_NUMBER returns respectively the number of aggregates being successfully encapsulated into INSERT and UPDATE queries. $ELAPSED_TIME reports the time took to complete the last purging event. For further details and the list of supported environment variables take a look to TRIGGER_VARS document. + Some additions to both logfile players: a new '-n' switch allows to play N elements; this way, arbitrary portions of the file may be played using '-n' in conjunction with the (already existing) '-o' switch which allows to read the logfile starting at a specified offset. New switches '-H', '-D', '-T', '-U', '-P' have been introduced to override SQL parameters like hostname, DB, table, user and password. The '-t -d' combination (test only, debug) now allows to print over the screen the content of the logfile. + Logfiles size is now limited to a maximum of 2Gb, thus avoiding issues connected to the 32bit declaration of off_t. While many OS implment a solution to the problem, seems there are few chances to solve it in a portable way. When the maximum size is hit the old logfile is rotated appending to its filename a trailing small integer ( in a way similar to logrotate) and a fresh one is started. ! Logfile players: '-s' switch, which was allowing to play one element a time, has been superseded. Its current equivalent is: '-n 1'. ! The file opening algorithm has been slightly changed in SQL plugins: flock() follows shortly the fopen() and all subsequent operations and evaluations are thus strictly serialized. freopen() is avoided. 0.7.8 -- 02-Dec-2004 + Recovery logfile structure has been enhanced. Following the logfile header has been created a new template structure. Templates will avoid the issue of being not able to read old logfiles because of changes to internal data structures. Templates are made of an header and a number of entries, each describing a single field of the following data. Both players, pmmyplay and pmpgplay, are able to parse logfiles basing over the template description. Backward logfile compatibility is broken. + Execcutable triggering mechanism (from SQL plugins) has been enhanced: some status informations (eg. stats of the last purging event) are now passed to the trigged executable in the form of environment variables. The list of supported variables has been summarized into TRIGGER_VARS document. The mechanism allows to spawn executables for post-processsing operations at arbitrary timeframes. + Support for 'temporary' devices (like PPP and maybe PCMCIA cards too) has been introduced. A new configuration directive 'interface_wait' (or '-w' commandline) instructs pmacctd to wait for the listening device to become available. It works both when in startup phase and when already into main loop. A big thanks to Andre Berger for his support. ! ppp_handler() routine, which is in charge to handle PPP packets, have been totally rewritten. Thanks, again, to Andre Berger for his support. ! All link layer handling routines have been revised; some extra checks have been added to overcome issues caused from malicious handcrafted packets. ! Some time handling and timeout issues have been revised into PostgreSQL plugin code. They were affecting only the triggering mechanism. ! Fixed an execv() bug into MY_Exec() and PG_Exec(). It was causing the not correct execution of triggers. Now, a zeroed argv parameter is passed to the function. The problem has been verified on FreeBSD. 0.7.7 -- 16-Nov-2004 + Added two new aggregation primitives: 'src_as' and 'dst_as'. They allow accounting based over Autonomous System number; 'pmacctd' requires AS numbers to be supplied into a 'networks_file' configuration directive (which allows to specify the path to a networks definition file); 'nfacctd' may either look up AS numbers from the networks definition file or read them from each NetFlow flow (this is default). 'nfacctd_as_new' key could be used to switch 'nfacctd' behaviour. + Added some new aggregation modes: 'sum_net', 'sum_as', 'sum_port' ('sum' which is actually an alias for 'sum_host' has been already introduced early). Sum is intended to be the total traffic (that is, inbound plus outbound traffic amounts) for each entry. + Added another aggregation primitive: 'none'. It does not make use of any primitive: it allows to see total bytes and packets transferred through an interface. + The definition of a 'networks_file' enables network lookup: hosts inside defined networks are ok; hosts outside them are 'zeroed'. This behaviour may now also be applied to 'src_host', 'dst_host' and 'sum_host'. Under certain conditions (eg. when using only host/net/as primitives and defined networks comprise all transiting hosts) it may be seen an alternative way to filter data. ! 'frontend'/'backend' PostgreSQL plugin operations have been obsoleted. 'unified'/'typed' operations have been introduced instead. See 'sql_data' description, CONFIG-KEYS document, for further informations. ! Optimizations have been applied to: core process, the newly introduced cache code (see 0.7.6) and in-memory table plugin. ! Fixed some string handling routines: trim_all_spaces(), mark_columns() ! Solved a potential race condition which was affecting write_pid_file() 0.7.6 -- 27-Oct-2004 + Many changes has been introduced on 'pmacct' client side. '-m' switch (which output was suitable as MRTG input) has been obsoleted (though it will continue to work for next few releases). A new '-N' switch has been added: it returns counter value, suitable for integration with either RRDtool or MRTG. + Support for batch queries have also been added into pmacct client. It allows to join up to 4096 requests into a single query. Requests could either be concatenated commandline or read from a file (more details are in FAQS and EXAMPLES). Batch queries allow to handle efficiently high number of requests in a single shot (for example to timely feed data to a large amount of graphs). + Still pmacct client: '-r' switch, which already allows to reset counters for matched entries, now it also applies to group of matches (also referred as partial matches). + New scripts have been added into the examples tree which show how to integrate memory and SQL plugins with RRDtool, MRTG and GNUplot. + Memory plugin (IMT) has been further enhanced; each query from pmacct client is now evaluated and if involves just a short ride through the memory structure, it is served by the plugin itself without spawning a new child process. Batch queries support and reordering of fragmented queries have also been added. + New cache has been introduced in both SQL plugins; its layout is still an hash structure but it now features also chains, allocation, reuse and retirement of chained nodes. It also sports a LRU list of nodes which eases node handling. The new solution avoids the creation of a collision queue, ensuring uniqueness of data placed onto the queries queue. While this already greatly benefits a directive like 'sql_dont_try_update', it also opens new chances for post-processing operations of queries queue. 0.7.5 -- 14-Oct-2004 + Introduced support for the definition of a 'known ports' list, when either 'src_port' or 'dst_port' primitives are in use. Known ports will get written into the backend; unknown ports will be simply zeroed. It could be enabled via 'ports_file' configuration key or '-o' commandline switch. + Introduced support for weekly and monthly counters breakdown; hourly, minutely and daily were already supported. New breakdowns could be enabled via 'w' and 'M' words in 'sql_history' and related configuration keys. + Added a '-i' commandline switch to both 'pmmyplay' and 'pmpgplay' to avoid UPDATE SQL queries and skip directly to INSERT ones. Many thanks to Jamie Wilkinson. ! 'pmmyplay' and 'pmpgplay' code has been optimized and updated; some pieces of locking and transactional code were included into the inner loop. A big thanks goes to Wim Kerkhoff and Jamie Wilkinson. ! Networks aggregation code has been revised and optimized; a direct-mapped cache has been introduced to store (and search) last search results from the networks table. A binary search algorithm, though optimized, over the table has still been preferred over alternative approaches (hash, tries). 0.7.4 -- 30-Sep-2004 + Enhanced packet tagging support; it's now broken in Pre-Tagging and Post-Tagging; Pre-Tagging allows 'nfacctd' to assign an ID to a flow evaluating an arbitrary combination of supported NetFlow packet fields (actually: IP address, Input Interface, Output Interface); the Pre-Tagging map is global; Pre-Tag is applied as soon as each flow is processed; Post-Tagging allows both 'nfacctd' and 'pmacctd' to assign an ID to packets using a supplied value; Post-Tagging could be either global or local to a single plugin (and more plugins may tag differently); Post-Tag is applied as a last action before the packet is sent to the plugin. 'nfacctd_id_map' and 'pmacctd_id' configuration keys are now obsolete; 'pre_tag_map' and 'post_tag' are introduced to replace them. + Added support for Pre-Tag filtering; it allows to filter packets basing on their Pre-Tag value. The filter is evaluated after Pre-Tagging but before Post-Tagging; it adds to BPF filtering support ('aggregate_filter' configuration key); 'pre_tag_filter' configuration key is introduced. + Added support for Packet Sampling; the current implementation bases on a simple systematic algorithm; the new 'sampling_rate' configuration key expects a positive integer value >= 1 which is the ratio of the packets to be sampled (translates in: pick only 1 out of N packets). The key is either global or local (meaning that each plugin could apply different sampling rates). ! Fixed a bug which was causing crashes in both 'pmacctd' and 'nfacctd' when '-r' parameter was specified commandline. Thanks to Ali Nikham for his support. 0.7.3 -- 31-Aug-2004 + Added support for both Netflow 'input interface' and 'output interface' fields. These two fields are contained in each flow record inside a NetFlow packet. It works through ID mapping (read below). + The ID map file syntax has been enhanced to allow greater flexibility in ID assignation to packets; example: 'id=1 ip=192.168.1.1 in=3 out=5'; the above line will cause the 'ID' 1 to be assigned to flows exported by a NetFlow agent (for example a router) which IP address is '192.168.1.1' and transiting from interface '3' to interface '5'. + In-memory table operations have been enhanced when using shared memory; a new reset flag has been added to avoid race conditions. ! Configuration lines are no more limited to some fixed maximum length but are allocated dynamically; this to overcome the need for long configuration lines to declare arbitrary filters and plugin's list. Thanks to Jerry Ji for his support. ! Configuration handlers, which are responsible to parse and validate values for each configuration key, have been rewritten on the way for a better portability. ! Signal handler routines have been changed to better accomodate SysV semantics. ! Fixed shared memory mmap() operations on IRIX and SunOS; a further test checks for either 'MAP_ANON' or 'MAP_ANONYMOUS' definitions; in case of negative outcome, mmap() will use '/dev/zero'. ! Packet handlers have been revised and optimized. ! Some optimizations have been added when using shared memory; write() function has been usually called to signal the arrival of each new packet, through the core process/plugin control channel; now it does so if and only if the plugin, on the other side, is actually blocking over a poll(); because of sequence numbers guarantee, data is directly written into shared memory segment. 0.7.2p1 -- 08-Aug-2004 ! Multiple fixes in plugin's configuration post checks; negative outcome of some checks was leading to clear misbehaviours. Versions affected are >= 0.7.0 . A big thanks goes to Alexandra Walford for her support. 0.7.2 -- 02-Aug-2004 + VLAN accounting has been added. The new 'vlan' keyword is supported as argument of both '-c' commandline switch and 'aggregate' configuration key. + Distributed accounting support has been added. It could be enabled into 'pmacctd' via 'pmacctd_id' configuration key and into 'nfacctd' via the 'nfacctd_id_file' configuration key. While 'pmacctd_id' key expects as value a small integer, 'nfacctd_id_file' expects a path to a file which contains the mapping: 'IP address of the router (exporting Newflow) -> small integer'. This scheme ease tasks such as keeping track of who has generated what data and either cluster or keep disjoint data coming from different sources when using a SQL database as backend. + Introduced SQL table version 2. The SQL schema is the same as existing tables with the following additions: support for distributed accounting; support for VLAN accounting. + Added MAC addresses query capabilties to pmacct client. + Added '-r' commandline switch to pmacct client. It can only be used in conjunction with '-m' or '-M' switches. It allows to reset packet and bytes counters of the retrieved record. ! Exit codes have been fixed in both 'pmacctd' and 'nfacctd'. Thanks to Jerry Ji for his signallation. ! Fixed a problem when retrieving data from memory table: sometimes null data (without any error message) was returned to the client; the problem has been successfully reproduced only on FreeBSD 5.1: after an accept() call, the socket being returned inherits same flags of the listening socket, this case non-blocking flag. Thanks to Nicolas Deffayet for his support. ! Revised PostgreSQL creation script. 0.7.1 -- 14-Jul-2004 + Added shared memory implementation; core process, now, could push data into a shared memory segment and then signal arrival of new data to the plugin. Shared memory support could be enabled via '--enable-mmap' switch at configuration time. + Strongly enhanced gathering capabilities of pmacct client; pmacct client is used to fetch data from memory plugin; it is, now, able to ask exact or partial matches via '-M' switch and return a readable listing output. MRTG export capabilities, full table fetch and table status query are still supported. + Introduced SQL table versioning. It could be enabled via 'sql_table_version' configuration switch. It will enable to build new SQL tables (for example adding new aggregation methods) while allowing who is not interested in new setups to work with old tables. + Added checks for packet capture type; informations acquired are later used for better handling pcap interface. ! Fixed some issues concerning pmacctd VLAN and PPPOE code. ! Fixed a mmap() issue on Tru64 systems. ! Fixed some minor poll() misbehaviours in MySQL, PgSQL and print plugins; they were not correctly handled. 0.7.0p1 -- 13-Jul-2004 ! Fixes in cache code; affects MySQL, PgSQL and print plugins. 0.7.0 -- 01-Jul-2004 + PMACCT OPENS TO NETFLOW: a new network daemon, nfacctd, is introduced: nfacctd listens for Netflow V1/V5 packets; is able to apply BPF filters and to aggregate packets; it's then able to either save data in a memory table, MySQL or PostgreSQL database or simply output packets on the screen. It can read timestamps from Netflow packets in msecs, seconds or ignore them generating new timestamps; a simple allow table mechanism allows to silently discard Netflow packets not generated by a list of trusted hosts. + Strongly enhanced IP fragmentation handling in pmacctd. + Added new checks into the building systems; new hints when it searches for libraries and headers; initial tests for C compilers capabilities have been added. + Works to let pmacct run on IRIX platforms continue; some issues with MipsPRO compiler have been solved; added proper compilation flags/hints. SIGCHLD is now properly handled and child processes are correctly retired. (a thank for his support goes to Joerg Behrens) + First, timidous, introduction of mmap() calls in memory plugin; they need to be enabled with '--enable-mmap' flag at configure time. ! Fixed a potential deadlock issue in PostgreSQL plugin; changed locking mechanism. (a big thank to Wim Kerkhoff) ! Fixed an issue concerning networks aggregation on Tru64 systems. 0.6.4p1 -- 01-Jun-2004 ! Fixed an issue with cache aliasing in MySQL and PostgreSQL plugins. Other plugins are not affected; this potential issue affects only version 0.6.4, not previous ones. Anyone using these plugins with 0.6.4 is strongly encouraged to upgrade to 0.6.4p1. 0.6.4 -- 27-May-2004 + Added chance to launch executables from both SQL plugins at arbitrary time intervals to ease data post-processing tasks. Two new keys are available: 'sql_trigger_exec' and 'sql_trigger_time'. If any interval is supplied the specified executable is triggered every time data is purged from the cache. + Added a new 'print' plugin. Enabling it, data is pulled at regular intervals to stdout in a way similar to cflowd's 'flow-print'. tool. New config keys are 'print_refresh_time', 'print_cache_entries' and 'print_markers'. This last key enables the print of start/end markers each time the cache is purged. + Added 'sql_dont_try_update' switch to avoid UPDATE queries to the DB and skip directly to INSERT ones. Performance gains has been noticed when UPDATEs are not necessary (eg. when using timeslots to break up counters and sql_history = sql_refresh_time). Thanks to Jamie Wilkinson. + Optimized use of transactions in PostgreSQL plugin; in the new scheme is built a single big transaction for each cache purge process. This leads to good performance gains; recovery mechanisms have been modified to overcome whole transaction trashing. Many thanks to James Gregory and Jamie Wilkinson. ! Enhanced debug messages output when specific error conditions are returned by the DB. ! Fixed a potential counters overflow issue in both MySQL and PgSQL plugins cache. ! Fixed preprocessor definitions issue: LOCK_UN, LOCK_EX are undeclared on IRIX and Solaris. Thanks to Wilhelm Greiner for the fix. 0.6.3 -- 27-Apr-2004 + Added support for full libpcap-style filtering capabilities inside pmacctd. This allows to bind arbitrary filters to each plugin (in addition to already existing chance to apply them to the listening interface via 'pcap_filter' configuraiton key). The config key to specify these new filters is 'aggregate_filter'. + Strongly improved networks definition file handling; now the file is parsed and organized as a hierarchical tree in memory. This allows to recognize and support networks-in-networks. + Initial optimizations has been done over the code produced in last few months. + Preprocessor definitions has been added to some part of the code, to allow pmacctd compile over IRIX. It has been reported to work over a IRIX64 6.5.23 box. Thanks to Wilhelm Greiner for his efforts. + Added flock() protected access to recovery logfiles. ! Fixed an ugly SEGV issue detected in both 0.6.2's logfile player tools. 0.6.2 -- 14-Apr-2004 + Added support for networks aggregation. Two new primitives has been added 'src_net' and 'dst_net' to be used in conjunction with a network's definitions file (path is supplied via 'networks_file' configuration key). An example of this file is in the examples/ directory. When this aggregation is enabled, IP addresses are compared against the networks table; then the matching network will get written to the backend; if any match occurs a '0.0.0.0' is written. A really big thank goes to Martin Anderberg for his strong support during last weeks. + pipe() has been thrown away; socketpair() has been introduced to set up a communication channel between pmacctd core process and plugins. + Added 'plugin_pipe_size' configuration key to adjust queue depth (size) beween core process and plugins. A default value is set by operating system; it could not suffice when handling heavy traffic loads. Added also a specific error string when pipe gets filled. + Added 'plugin_buffer_size' configuration key to enable chances to bufferize data to be sent to plugins. When under great loads this helps in preventing high CPU usage and excessive pressure over kernel. + SQL plugins aliasing behaviour has been changed; when no free space for new data is found and old data has to be pulled out, it's now actually written to the DB but it's inserted in a new 'collision queue'. This new queue is purged together with the 'queries queue'. See INTERNALS for further details. + SQL plugins cache behaviour has been changed by a direct-mapped one to a 3-ways associative to get better scores when searching free space for new data. See INTERNALS for further details. + Added 'sql_cache_entries' configuration key to adjust bucket's number of SQL plugin cache. As every hashed structure, a prime number of buckets is advisable to get better dispersion of data through the table. ! Fixed a malloc() SEGV issue in in-memory table plugin first noticed with gcc 3.3.3 (Debian 20040320) and glibc 2.3.2. ! Fixed a SEGV issue carried with last release. Improved handling of communication channels between core process and plugins. ! Uniformed plugin's handling of signals; now sending a SIGINT to all pmacctd processes causes it to flush caches and exit nicely. ! Updated documentation; still no man page. 0.6.1 -- 24-Mar-2004 + A new concept has been introduced: plugin names. A name could be assigned to each running plugin allowing to run more instances of the same plugin type; each one is configurable with global or 'named' keys. Take a look to examples for further info. + Added support for PPPOE links. The code has been fully contributed by Vasiliy Ponomarev. A big thank goes to him. + Added a 'sql_startup_delay' configuration key to allow more plugin instances that need to write to the DB, to flush their data at same intervals but in different times to avoid locking stalls or DB overkills. + Improved handling of syslog connections. SIGHUP signal, used to reopen a connection with syslog (eg. for log rotation purposes), now is supported in all plugins. + A simple LRU (Last Recently Used) cache has been added to the in-memory table plugin. The cache gives great benefits (exploiting some kind of locality in communication flows) when the table gets large (and chain in buckets become long and expensive to traverse). + Down-up of listening interface are now handled properly. Such an event traps a reopening of connection with libpcap. [EXPERIMENTAL] + Some work has been done (mostly via directives to preprocessor) in order to get pmacct compiled under Solaris. [HIGLY EXPERIMENTAL, translates: don't assume it works but, please, try it out and some kind of feedback would be appreciated] ! Plugins have been better structured; plugin hooking has been simplified and re-documented; configuration parser has been strongly improved. ! Fixed a bug in 'configure' script; when supplying custom paths to MySQL libraries an erroneous library filename was searched for. (thanks to Wim Kerkhoff) 0.6.0p3 -- 09-Feb-2004 ! Fixed an issue concerning promiscuous mode; it was erroneously defaulting to 'false' under certain conditions. (Thanks to Royston Boot for signalling the problem) 0.6.0p2 -- 05-Feb-2004 ! Fixed pmacct daemon in-memory table plugin unstability, noticed under sustained loads. (A thank for signalling the problem goes to Martin Pot) ! Minor code rewritings for better optimizazion done in both in-memory table plugin and pmacct client. 0.6.0p1 -- 28-Jan-2004 ! Fixed a bug in in-memory table plugin that was causing incorrect memorization of statistics. (Many thanks for promptly signalling it go to Martin Pot) ! Fixed a bug in pmacct client, used to gather stats from in-memory table. Under high loads and certain conditions the client was returning SEGV due to a realloc() issue. (Thanks to Martin Pot) 0.6.0 -- 27-Jan-2004 + PMACCT OPENS TO POSTGRESQL: fully featured PostgreSQL plugin has been added; it's transaction based and already supports "recovery mode" both via logfile and backup DB actions. pmpgplay is the new tool that allows to play logfiles written in recovery mode by the plugin into a PostgreSQL DB. See CONFIG-KEYS and EXAMPLES for further informations. (Again, many thanks to Wim Kerkoff) + Added new "recovery mode" action to MySQL plugin: write data to a backup DB if primary DB fails. DB table/user/ password need to be the same as in the primary DB. The action could be enabled via "sql_backup_host" config key. + Added a "sql_data" configuration optinion; a "frontend" value means to write human readable (strings) data; a "backend" value means to write integers in network byte order. Currently, this option is supported only into the new PostgreSQL plugin. See CONFIG-KEYS and README.pgsql for further informations. + Added support for simple password authentication in client/server query mechanism for in-memory table statistics. It's available via "imt_passwd" config key. + Added a "-t" commandline switch to pmmyplay; it runs the tool in a test only mode; useful to check header infos or logfile integrity. ! Fixed an ugly bug that made impossible MAC accounting over certain links. Was affected only version 0.5.4. ! Many code and structure cleanups. 0.5.4 -- 18-Dec-2003 + Added a commandline and configuration switch to use or not promiscuous mode for traffic capturing; useful to avoid waste of resources if running over a router. + Introduced a "recovery mode" concept for MySQL plugin: if DB fails an action is taken; currently is possible to write data to a logfile. More failover solutions to come in next releases. Thanks also to Wim Kerkhoff. + Added a new "pmmyplay" tool. Allows to play logfiles previously written by a MySQL plugin in recovery mode. Check EXAMPLES for hints; see INTERNALS for further details about recovery mode and pmmyplay. + Added syslog logging and debugging. Thanks for long brainstormings to Wim Kerkhoff. + Added chance to write PID of pmacctd core process to a specified file; it could help in automating tasks that need to send signals to pmacctd (eg. to rotate logfiles and reopen syslog connection). Take a look to SIGNALS file for further informations. + support for 802.11 Wireless links. [EXPERIMENTAL] + support for linux cooked device links (DLT_LINUX_SLL). pcap library >= 0.6.x is needed. A big thank goes to KP Kirchdoerfer. ! Simplified client/server query mechanism; avoided all string comparison stuff. ! Large parts of in-memory table plugin code has been revised to achieve better efficiency and optimization of available resources. 0.5.3 -- 20-Nov-2003 ! pmacctd core has been optimized and a new loop-callback scheme driven by pcap library has been introduced; I/O multiplexing is avoided. ! In MySQL plugin, refresh of entries in the DB has been switched from a signal-driven approach to a lazy timeslot based one. If using historical recording, taking care to the choosen values, this greatly alleviates cache aliasing. ! In MySQL plugin, modulo function (for insertion of data in the direct mapped cache) has been changed: crc32 algorithm has been adopted. Experimental tests shown the reduction of cache aliasing to about 0.45%. ! The whole MySQL plugin has been inspected for performance bottlenecks resulted by the addition of new features in last releases. ! Fixed a bug in link layer handlers. 0.5.2 -- 03-Nov-2003 + "sql_history" configuration key syntax has been changed to support history recording at fixed times with mins, hrs and days granularity. A little of date arithmetics has been introduced (merely multiplicative factors, eg. to ease 95th percentile operations). + Added "sql_history_roundoff" configuration key to round off time of first timeslot. This little care gives cleaner time results and inductively affects all subsequent slots. + Achieved more precise calculations via timestamps added to the cache structure to avoid data counted during the current timeslot and not already fed in the DB to be accounted in next slot. ! Monthly historical aggregation is no more available. ! Fixed portability issues posed by vsnprintf() in MySQL plugin. Now the plugin compiles smoothly under Tru64 Unix. 0.5.1 -- 01-Oct-2003 + due to the proliferation of command-line options, the support for a configuration file has been added. All commandline switches until version 0.5.0 will be supported in the future. New configurable options (eg. log to a remote SQL server) will be only supported via configuration file. See CONFIG-KEYS file for available configuration keys. + added support for historical recording of counters in the MySQL database. Available granularities of aggregation are hourly, daily or monthly (eg. counters are separated hour by hour, daily of monthly for each record). Timestamps of last INSERT and UPDATE have been added over each record. (thanks to Wim Kerkhoff for his strong collaboration) + support for IP header options. + support for PPP links. [EXPERIMENTAL] ! Fixed a MySQL plugin direct-mapped cache issue: the cache now traps INSERT queries when an UPDATE fails due to any asyncronous table manipulation event (eg. external scripts, table truncation, etc.). ! MySQL plugin has been strongly revised and optimized; added options to save data to a remote sql server and to customize username, password and table; added MySQL locking stuff. (another big thank to Wim Kerkhoff). ! various code cleanups. 0.5.0 -- 22-Jul-2003 + static aggregation directives (src_host, dst_host, ..) are now superseded by primitives that can be stacked together to form complex aggregation methods. The commandline syntax of the client program has been consequently changed to support these new features. + two new primitives have been added: source MAC address and destination MAC address. + support for 802.1Q (VLANs) tagged packets (thanks to Rich Gade). + support for FDDI links. [EXPERIMENTAL] ! the core pmacctd loop (that gathers packets off the wire and feeds data to plugins) has been revised and strongly optimized. ! the main loop of MySQL plugin has been optimized with the introduction of adaptive selection queries during the update process. ! fixed a memory allocation issue (that caused a SIGSEGV, under certain circustances) in pmacct client: now the upper bound of dss is checked for large data retrieval. 0.4.2 -- 20-Jun-2003 + limited support for transport protocols (currently only tcp and udp): aggregation of statistics for source or destination port. + optimized query mechanism for in-memory table; solved few generalization issues that will enable (in future versions) to support complex queries. + added "-t" pmacctd commandline switch to specify a custom database table. ! fixed realloc() issue in pmacct client (thanks to Arjen Nienhuis). ! fixed an issue regarding mysql headers in the configure script. 0.4.1 -- 08-May-2003 ! missing break in a case statement that led pmacctd to misbehaviours; a cleaner approach to global vars (thanks to Peter Payne). ! fixed an issue with getopt() and external vars. Now pmacct has reported to compile without problems on FreeBSD 4.x (thanks to Kirill Ponomarew). ! missing conditional statement to check the runtime execution of compiled plugins in exec_plugins() 0.4.0 -- 02-May-2003 + switched to a plugin architecture: plugins need to be activated at configure time to be compiled and then used via "-P" command-line switch in pmacctd. See PLUGINS for more details. + added first plugin: Mysql driver. It uses a Mysql database as backend to store statistics other than in-memory table. See sql/ directory for scripts for creation of db needed to store data. + added the choice to collect statistics for traffic flows in addition to src|dst|sum aggregation via the "-c flows" command-line switch in pmacctd. + major code cleanups. + mostly rewritten configure script; switched back to autoconf 2.1. 0.3.4 -- 24-Mar-2003 + accounting of IP traffic for source, destination and aggregation of both. Introduced -c switch to pmacctd (thanks to Martynas Bieliauskas). + added daemonization of pmacctd process via -D command line switch + added buffering via pcap_open_live() timeout handling on those architectures where it is supported. + It compiles and works fine over FreeBSD 5.x; solved some pcap library issues. + added customization of pipe for client/server communication via -p command line switch both in pmacct and pmacctd 0.3.3 -- 19-Mar-2003 + introduced synchronous I/O multiplexing + support for -m 0 pmacctd switch, in-memory table can grow undefinitely. + revised memory pool descriptors table structure ! introduced realloc() in pmacct to support really large in-memory table transfers; solved additional alignment problems. ! solved compatibility issues with libpcap 0.4 ! solved nasty problem with -i pmacctd switch ! solved various memory code bugs and open issues 0.3.2 -- 13-Mar-2003 + support for pcap library filters ! minor bugfixes 0.3.1 -- 12-Mar-2003 + documentation stuff: updated TODO and added INTERNALS + revised query mechanism to server process, added a standard header to find command and optional values carried in query buffer. + added -s commandline switch to customize the size of each memory pool; see INTERNLS for more informations ! stability tests and fixes ! configure script enhancements 0.3.0 -- 11-Mar-2003 ! not public release + increased efficiency through allocation of memory pools instead of sparse malloc() calls when inserting new elements in in-memory table. + added -m commandline switch to pmacctd to set the number of available memory pools; the size of each memory pool is the number of buckets, chosen with -b commandline option, see INTERNALS for more informations. + switched client program to getopt() to acquire commandline inputs. + new -m commandline option in client program to acquire statistics of a specified IP address in a format useful for acquisition by MRTG program; see examples directory for a sample mrtg configuration. ! major bugfixes ! minor code cleanups 0.2.4 -- 07-Mar-2003 + portability: Tru64 5.x ! configure script fixes ! minor bugfixes 0.2.3 -- 05-Mar-2003 + first public release ! portability fixes ! minor bugfixes 0.2.2 -- 04-Mar-2003 + minor code cleanups + added autoconf, automake stuff 0.2.1 -- 03-Mar-2003 + fork()ing when handling queries + signal handling + command-line options using getopt() + usage instructions ! major bugfixes 0.2.0 -- 01-Mar-2003 + dynamic allocation of in-memory table + query (client/server) mechanism + added a Makefile ! major bugfixes 0.1.0 -- late Feb, 2003 + Initial release