Fennec Architecture
Fennec is the largest part of the entire project and is broadly responsible for listening for, parsing, indexing, verifying and representing all things trace-related. It acts as both an API and a flow collector.
Fennec contains the means to listen on certain ports and receive traffic information from different flow export protocols such as NetFlow and IPFIX. Fennec contains a parser for each such protocol; they can be found in the Fennec/Parsers directory.
Once such information has been parsed, it travels through the system as a trace. A trace, in the context of this project, is any information about traffic flowing between two "entities". "Entities" is purposefully vague, since as data comes into the system, plain IP addresses can be substituted with database references and so forth. The type of device that originated the communication is not relevant to Fennec (at this time).
Fennec has a concept implemented to support multiple flow export protocols. Since the logic differs between protocols, each protocol has to have its own parser. To be able to host multiple parsers on multiple ports, the concept of a multiplexer and a multiplexer monitor was applied.
The multiplexer acts as an orchestrator for parsers. This means that before starting Fennec, in appsettings.json you can define which ports are supposed to answer to which export protocols. This however only enables us to run any type of parser on one port (1:n). If we want an n:m relationship, meaning any protocol on any port, we have to implement a multiplexer monitor.
The multiplexer monitor does for the multiplexers what the multiplexer does for the parsers: it orchestrates them and therefore keeps track of which ports are being used by which multiplexers. It also runs as a BackgroundService and is therefore the point where the whole parsing operation starts.
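As an added example (not Fennec's own code), a C# sketch of how the multiplexer monitor described above could be built: it reads the port-to-protocol mapping from appsettings.json, refuses to start if a port is out of range, claimed twice or mapped to a protocol with no parser, and then runs one UDP listener per port. The IFlowParser interface, the MultiplexerOptions class and the "Multiplexers" configuration section are assumed names, not Fennec's actual schema.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Hypothetical parser contract: one implementation per export protocol; Parse turns one raw datagram into traces.
public interface IFlowParser { string Protocol { get; } void Parse(byte[] datagram); }

// Assumed appsettings.json shape (not Fennec's actual schema):
// "Multiplexers": [ { "Port": 2055, "Protocol": "NetFlow" }, { "Port": 4739, "Protocol": "IPFIX" } ]
public sealed class MultiplexerOptions { public int Port { get; set; } public string Protocol { get; set; } = ""; }

// The monitor is the BackgroundService that starts everything (C# 12 primary constructor; parsers come from DI).
public sealed class MultiplexerMonitor(IConfiguration config, IEnumerable<IFlowParser> parsers) : BackgroundService
{
    private readonly List<MultiplexerOptions> _options = config.GetSection("Multiplexers").Get<List<MultiplexerOptions>>() ?? new();
    private readonly Dictionary<string, IFlowParser> _parsers = parsers.ToDictionary(p => p.Protocol, StringComparer.OrdinalIgnoreCase);

    // Checked before any socket is bound: bad ports, a port claimed by two multiplexers, protocols without a parser.
    public static List<string> Validate(IEnumerable<MultiplexerOptions> opts, Func<string, bool> hasParser)
    {
        var errors = new List<string>();
        var seen = new HashSet<int>();
        foreach (var o in opts)
        {
            if (o.Port is < 1 or > 65535) errors.Add($"port {o.Port} is out of range");
            if (!seen.Add(o.Port)) errors.Add($"port {o.Port} is configured twice");
            if (!hasParser(o.Protocol)) errors.Add($"no parser registered for '{o.Protocol}'");
        }
        return errors;
    }

    protected override Task ExecuteAsync(CancellationToken stoppingToken)
    {
        var errors = Validate(_options, _parsers.ContainsKey);
        if (errors.Count > 0) throw new InvalidOperationException(string.Join("; ", errors));
        // One UDP listener (multiplexer) per configured port, all running concurrently until shutdown.
        return Task.WhenAll(_options.Select(o => ListenAsync(o.Port, _parsers[o.Protocol], stoppingToken)));
    }

    private static async Task ListenAsync(int port, IFlowParser parser, CancellationToken ct)
    {
        using var udp = new UdpClient(port);
        while (!ct.IsCancellationRequested)
            parser.Parse((await udp.ReceiveAsync(ct)).Buffer);
    }
}
```

Register the monitor with `services.AddHostedService<MultiplexerMonitor>()` and each parser as an `IFlowParser` implementation; a bad mapping then fails at startup rather than silently leaving a port unbound.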
To make the trace data accessible, Fennec also acts as an HTTP endpoint. Which endpoints are available and how to access them can be found in the corresponding wiki entry.