Probe Overview

Rockfish Probe is a high-performance flow meter that captures network traffic and generates flow records in Apache Parquet format.

Features

• Packet capture via libpcap - Live interface capture or PCAP file reading
• High-performance AF_PACKET - Linux TPACKET_V3 with mmap ring buffer
• Fragment reassembly - Reassembles fragmented IP packets
• Bidirectional flows - Forward and reverse direction tracking
• nDPI integration - Application protocol detection
• GeoIP lookups - Geographic location via MaxMind databases
• IP reputation - AbuseIPDB integration with local caching
• S3 upload - Automatic upload to S3-compatible storage

Output Format

Flow records follow IPFIX Information Element naming conventions (RFC 5102/5103):

{
  "flowStartMilliseconds": "2025-01-15T10:30:00.000Z",
  "flowEndMilliseconds": "2025-01-15T10:30:05.123Z",
  "flowDurationMilliseconds": 5123,
  "ipVersion": 4,
  "protocolIdentifier": 6,
  "sourceIPAddress": "192.168.1.100",
  "sourceTransportPort": 54321,
  "destinationIPAddress": "93.184.216.34",
  "destinationTransportPort": 443,
  "octetTotalCount": 1234,
  "packetTotalCount": 15,
  "applicationName": "TLS"
}

Basic Usage

# Read from PCAP file
rockfish_probe -i capture.pcap --parquet-dir ./flows

# Live capture with libpcap
sudo rockfish_probe -i eth0 --live pcap --parquet-dir ./flows

# High-performance AF_PACKET (Linux)
sudo rockfish_probe -i eth0 --live afpacket --parquet-dir ./flows

# With nDPI application labeling
rockfish_probe -i capture.pcap --ndpi --parquet-dir ./flows

Next Steps

• Configuration - Full configuration reference
• Capture Modes - Platform-specific capture options
• Performance Tuning - High-speed capture optimization