tech-net archive


Re: flow monitoring recommendations



LP> I have a small NetBSD router at home and I have decided that I would 
LP> like to collect network flow information from it. Something along the 
LP> lines of NetFlow or sFlow I guess.
LP>
LP> Can anyone recommend software that does this?

We have nothing in base for it.  Some pkgs, though:

pkg "nfdump" brings you:

	nfcapd     - netflow collector daemon
	nfdump     - netflow dump
	nfprofile  - netflow profiler - optional tool
	nfreplay   - netflow replay
	nfexpire   - expire old netflow data
	nfanon     - netflow anonymisation
	ft2nfdump  - read flow-tools format - optional tool
	sfcapd     - sflow collector daemon - optional tool

However, the "nfpcapd" tool of this suite was not compiled
for the pkg.  This tool would monitor an interface's packets on
your box and generate the flow data about them, typically to send
them to the "nfcapd" flow collector.

So you need something else to create the flow data.

Pkg "nprobe" is an extremely old version of Luca Deri's "nprobe"
which, unfortunately, went from open to closed source 20 years
ago.  The pkg just contains the binary and does not even have a
man page.  Run "nprobe" without any options to see possible options.

A minimal setup would be:

	# mkdir /var/spool/nf
	# nfcapd -D -l /var/spool/nf
	# nprobe -i vioif0 -n localhost:9995 -I nprobe-viof0 &

By default, nprobe will export flow infos every 2 minutes, nfcapd
will dump aggregated flow data every five minutes.   To see all
flow data, use

	# nfdump -R /var/spool/nf

You'll quickly want to read the nfdump(1) manpage on how to filter
on time ranges and certain traffic types (very similar to tcpdump),
and also on how to aggregate and sort flow stats.

A huge nprobe-1.3.1 caveat:  IIRC we had to acquire a license for
nprobe-2.x in order to cover IPv6 flows (Netflow-v5 won't do that,
Netflow-v9 will).

A sister project of nfdump was "NfSen".  This provides a nice
webfrontend for the "nfcapd"ed flow data with shiny graphs.  You'll
still need to use nfdump filter expressions to focus, say, on the
origin(s) of an (D)DoS attack.

We do not have an "nfsen" pkg.  Get sources from either the original
https://nfsen.sourceforge.net/   (1.3.2)
or
https://github.com/phaag/nfsen

The latter is newer (at 1.3.11) but too new to work with the pkgsrc
nfdump-1.16 version flow files, though.  The predecessor at Tag
"v1.3.8" might, though.  Before you downgrade to that, you might
as well get a fresh (1.7.4) nfdump version:

https://github.com/phaag/nfdump

These two nfdump/nfsen versions should play along nicely, and you
could also configure nfdump to give you nfpcapd, too.

(I tried to configure it yesterday on a NetBSD-9-stable box;
it requires libtoolize and our pkg libtool would in turn require
a just slightly updated gcc tool chain -- I stopped at that point.)

Then there's another pkg:  ntopng-6.2.

This is a flow collector and visualizer (web based) in one, again
by Luca Deri.  I have no experience with that pkg (yet).  There is
certainly a huge difference between the open ntopng "community"
edition and all the commercial ones ("pro", "enterprise").  I don't
even know if the "community ntopng" provides a "nprobe" tool.  I
guess not, because then we'd probably have it in pkgsrc, too.
So you'd have to combine this, again, with the old nprobe-1.3.1 pkg.

Hope this helps,

						Martin Neitzel
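Added example (not part of the thread above, and not nfdump's or nprobe's own code): a parser for the NetFlow v5 datagrams that nprobe exports to nfcapd on UDP port 9995, plus the "bytes per source address" aggregation one would use to find the origins of a flood. The sample datagram is constructed; the 32-bit address fields in the record layout are why v5 cannot carry the IPv6 flows mentioned in the caveat.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 wire layout, as nprobe exports it and nfcapd receives it on UDP 9995.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24 bytes
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask,
#         dst_mask, pad2.  Addresses are 32-bit, hence no IPv6 in v5 (v9 templates can).
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes

def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into a list of flow dicts."""
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header claims %d records" % count)
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(struct.pack("!I", r[0])),
                      "dst": socket.inet_ntoa(struct.pack("!I", r[1])),
                      "packets": r[5], "bytes": r[6], "sport": r[9],
                      "dport": r[10], "proto": r[13]})
    return flows

def top_sources(flows, proto=None, dport=None, n=3):
    """Bytes per source address, optionally filtered by protocol and destination
    port: the 'top N' view you would get from nfdump -s srcip with a filter."""
    c = Counter()
    for f in flows:
        if (proto is None or f["proto"] == proto) and (dport is None or f["dport"] == dport):
            c[f["src"]] += f["bytes"]
    return c.most_common(n)

def make_record(src, dst, pkts, octets, sport, dport, proto):
    """Build one constructed v5 record (sample data, not captured traffic)."""
    s, = struct.unpack("!I", socket.inet_aton(src))
    d, = struct.unpack("!I", socket.inet_aton(dst))
    return V5_RECORD.pack(s, d, 0, 1, 2, pkts, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: three flows from two hosts towards one web server.
SAMPLE = (V5_HEADER.pack(5, 3, 123456, 1700000000, 0, 1, 0, 0, 0)
          + make_record("192.0.2.10", "198.51.100.5", 20, 3000, 40000, 443, 6)
          + make_record("192.0.2.20", "198.51.100.5", 400, 96000, 41000, 443, 6)
          + make_record("192.0.2.10", "198.51.100.5", 5, 400, 5353, 53, 17))
```

Feeding `parse_v5` the payload of each UDP datagram received on port 9995 gives the same per-flow records that nfcapd writes to its spool files; `top_sources(flows, proto=6, dport=443)` then ranks the senders hitting the web server by volume.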

