gandalf/secubox-openwrt
gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9ce67f2da5
secubox-openwrt/package/secubox/luci-app-secubox-netifyd/README.md
CyberMind-FR 9ce67f2da5 fix: Use correct UCI section types in SecuBox settings view (v0.6.0-r12) 
- Changed form sections from type 'secubox' to match actual UCI config
- General/Dashboard/Module/Notification sections now use type 'core'
- Alert Thresholds section now uses type 'diagnostics'
- Security Settings section now uses type 'security'
- Advanced Settings section uses type 'core'
- Fixes "This section contains no values yet" errors

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-07 12:18:18 +01:00

11 KiB
Raw Blame History

SecuBox Netifyd Deep Packet Inspection Interface

Complete LuCI interface for Netifyd DPI engine with real-time flow monitoring, application detection, and network analytics.

Features

Real-Time Monitoring

  • Live Flow Tracking: Monitor active network flows in real-time via socket interface
  • Socket Integration: Connect to Netifyd via TCP or Unix domain socket
  • Auto-Refresh: Configurable polling intervals for live updates

Application & Protocol Detection

  • Deep Packet Inspection: Leverage Netifyd's DPI engine
  • Application Identification: Detect and track applications (HTTP, HTTPS, SSH, DNS, etc.)
  • Protocol Analysis: Identify network protocols and analyze traffic patterns
  • SSL/TLS Inspection: Extract SSL certificate information and cipher details

Device Tracking

  • Network Discovery: Automatically detect devices on the network
  • Traffic Analytics: Track upload/download statistics per device
  • MAC/IP Mapping: Correlate MAC addresses with IP addresses
  • Last Seen Tracking: Monitor device activity timestamps

Service Management

  • Start/Stop/Restart: Full control of Netifyd service
  • Enable/Disable: Configure auto-start on boot
  • Status Monitoring: View service health and uptime
  • Configuration: Manage Netifyd settings via UCI

Analytics & Reporting

  • Top Applications: Visual charts of most-used applications
  • Top Protocols: Protocol usage statistics
  • Traffic Statistics: Total bytes, packets, and flow counts
  • Export Functionality: Export flows to JSON or CSV format

Requirements

  • OpenWrt 21.02 or later
  • LuCI (luci-base)
  • netifyd package installed
  • jq (for JSON processing)
  • secubox-core

Installation

Via SecuBox App Store

# From LuCI Admin panel
Navigate to SecuBox → App Store → Search for "Netifyd"
Click "Install"

Manual Installation

opkg update
opkg install luci-app-secubox-netifyd
service rpcd restart

Configuration

Basic Setup

  1. Install netifyd:
opkg install netifyd
  1. Configure netifyd socket (edit /etc/netifyd.conf):
[socket]
listen_path[0] = /var/run/netifyd/netifyd.sock
listen_address[0] = 127.0.0.1:7150
  1. Start netifyd:
service netifyd start
service netifyd enable
  1. Access LuCI interface:
Navigate to: SecuBox → Network Intelligence

Advanced Configuration

Configure via LuCI Settings page or UCI:

uci set secubox-netifyd.settings.socket_address='127.0.0.1'
uci set secubox-netifyd.settings.socket_port='7150'
uci set secubox-netifyd.settings.auto_start='1'
uci set secubox-netifyd.monitoring.enable_app_detection='1'
uci set secubox-netifyd.analytics.enabled='1'
uci commit secubox-netifyd

Usage

Dashboard

  • View real-time service status
  • Monitor active flows, devices, and applications
  • Quick statistics overview
  • Service control buttons

Live Flows

  • Real-time flow table with auto-refresh
  • Source/destination IP and ports
  • Protocol and application detection
  • Traffic statistics (bytes, packets, duration)
  • Export flows to JSON/CSV

Applications

  • Top applications by traffic volume
  • Flow counts per application
  • Traffic percentage visualization
  • Sortable application list

Devices

  • Active device list with MAC/IP addresses
  • Upload/download statistics per device
  • Last seen timestamps
  • Total traffic tracking

Settings

  • Socket configuration (TCP/Unix)
  • Flow retention and limits
  • Monitoring toggles
  • Analytics preferences
  • Alert configuration

API Methods

Service Control

  • get_service_status - Get Netifyd service status
  • service_start - Start Netifyd service
  • service_stop - Stop Netifyd service
  • service_restart - Restart Netifyd service
  • service_enable - Enable auto-start
  • service_disable - Disable auto-start

Data Retrieval

  • get_realtime_flows - Get live flow data
  • get_flow_statistics - Get flow statistics
  • get_top_applications - Get top applications
  • get_top_protocols - Get top protocols
  • get_detected_devices - Get detected devices
  • get_dashboard - Get dashboard summary

Configuration

  • get_config - Get current configuration
  • update_config - Update configuration
  • get_interfaces - Get monitored interfaces

Utilities

  • clear_cache - Clear flow cache
  • export_flows - Export flows (JSON/CSV)

Architecture

┌─────────────────────────────────────────────┐
│           LuCI Frontend (JavaScript)        │
│  ┌─────────┐ ┌──────────┐ ┌──────────────┐ │
│  │Dashboard│ │  Flows   │ │Applications/ │ │
│  │         │ │          │ │   Devices    │ │
│  └─────────┘ └──────────┘ └──────────────┘ │
└──────────────────┬──────────────────────────┘
                   │ RPC Calls
┌──────────────────▼──────────────────────────┐
│         RPCD Backend (Shell)                │
│  luci.secubox-netifyd                       │
│  ┌────────────────────────────────────────┐ │
│  │ Service Control │ Data Aggregation    │ │
│  │ Config Management │ Statistics        │ │
│  └────────────────────────────────────────┘ │
└──────────────────┬──────────────────────────┘
                   │ Socket/CLI
┌──────────────────▼──────────────────────────┐
│            Netifyd DPI Engine               │
│  ┌────────────────────────────────────────┐ │
│  │ Deep Packet Inspection                 │ │
│  │ Application Detection                  │ │
│  │ Protocol Analysis                      │ │
│  │ Flow Tracking                          │ │
│  └────────────────────────────────────────┘ │
└─────────────────────────────────────────────┘

Netifyd Socket Interface

Netifyd streams JSON data via:

  • TCP Socket: 127.0.0.1:7150 (default)
  • Unix Socket: /var/run/netifyd/netifyd.sock

Example Flow Data Structure

{
  "ip_orig": "192.168.1.100",
  "ip_resp": "93.184.216.34",
  "port_orig": 54321,
  "port_resp": 443,
  "protocol": "TCP",
  "application": "HTTPS",
  "bytes_orig": 12345,
  "bytes_resp": 98765,
  "packets_orig": 45,
  "packets_resp": 123,
  "duration": 120,
  "ssl_sni": "example.com"
}

Flow Plugin Integration

SecuBox can emit the plugin configurations referenced in the Netify.ai examples for tagging BitTorrent traffic with IP sets and pushing verdicts into nftables. After copying the relevant Netify plugin binaries into /usr/lib/netifyd/, open the Flow Export → Flow Plugins section in LuCI to enable the mark-bittorrent-with-ip-sets and block-traffic-with-nftables templates. Hit Apply Flow Plugins to regenerate /etc/netifyd/plugins.d/secubox-*.conf and restart Netifyd so the new ipsets and nftables chains are activated.

Refer to the upstream examples for exact ipset/chain rules:

Troubleshooting

Netifyd Not Starting

# Check netifyd installation
which netifyd

# Check configuration
cat /etc/netifyd.conf

# View logs
logread | grep netifyd

# Restart manually
/etc/init.d/netifyd restart

Socket Connection Failed

# Test TCP socket
nc -z 127.0.0.1 7150

# Check netifyd process
ps | grep netifyd

# Verify socket configuration
grep listen /etc/netifyd.conf

No Flow Data

# Check if netifyd is capturing
netifyd -s

# Verify interfaces
grep interface /etc/netifyd.conf

# Check dump file
cat /run/netifyd/sink-request.json

Performance Considerations

  • Flow Limit: Default 10,000 flows (configurable)
  • Retention: Default 1 hour (configurable)
  • Polling Interval: 3-10 seconds (configurable)
  • Display Limit: 100 flows in UI (full export available)

Security Notes

  • Socket listens on localhost by default
  • No external access without explicit configuration
  • Flow data contains sensitive network information
  • Recommend firewall rules if exposing socket externally

Development

File Structure

luci-app-secubox-netifyd/
├── Makefile
├── README.md
├── root/
│   ├── etc/config/secubox-netifyd
│   └── usr/
│       ├── libexec/rpcd/luci.secubox-netifyd
│       └── share/
│           ├── rpcd/acl.d/luci-app-secubox-netifyd.json
│           └── luci/menu.d/luci-app-secubox-netifyd.json
└── htdocs/luci-static/resources/
    ├── secubox-netifyd/
    │   ├── api.js
    │   └── netifyd.css
    └── view/secubox-netifyd/
        ├── dashboard.js
        ├── flows.js
        ├── applications.js
        ├── devices.js
        └── settings.js

License

MIT License - Copyright (C) 2025 CyberMind.fr

Links

Credits

  • Netify by eGloo: Deep packet inspection engine
  • SecuBox Team: LuCI integration and interface design
  • OpenWrt Community: Platform and package ecosystem

Collector Setup Script

Use /usr/bin/netifyd-collector-setup to enable the flow exporter and install the cron job that runs /usr/bin/netifyd-collector every minute. The script accepts:

/usr/bin/netifyd-collector-setup [unix|tcp] [path_or_host[:port]]

Examples:

/usr/bin/netifyd-collector-setup unix /tmp/netifyd-flows.json
/usr/bin/netifyd-collector-setup tcp 127.0.0.1:9501

Each invocation updates /etc/config/secubox-netifyd, writes /etc/netifyd.d/secubox-sink.conf, creates the cron entry (* * * * * /usr/bin/netifyd-collector), and restarts netifyd.