Linux router traffic monitoring, how? netflow?
Eliezer Croitoru wrote on Thursday, November 13, 2014:

Hey all,

I have a tiny linux router based on ubuntu and sometimes I get a massive load of UDP traffic because of one of the PCs in the network. Usually I handle the situation with a strict block using iptables. The main issue is to find it due to the load. For now I am monitoring the traffic load using MRTG but it won't notify me. I can try to use nagios to monitor traffic load for a period of time but before I start working on it I want another person's opinion and options.

I have seen netflow in the past but never actually used it.

Thanks in advance,
Eliezer
Murat Kaipov, replying to Eliezer Croitoru on 11/14/2014:

Hello Eliezer.

Netflow will be the best solution to find the host that generates load. First you need to decide what netflow analyzer you'll use. I know about some plugin for Cacti. Then you need to install IPT-NETFLOW on your Ubuntu router. Also you have another way: you can monitor (SNMP traffic) all ports on switches and then find and analyze.

B.R.
Murat
Wayne Lee, replying to Murat Kaipov on 14 November 2014 02:35:

Hello

I've used ntop in the past with great success.

ntop.org

Regards
Wayne
Eliezer Croitoru, replying to Wayne Lee on 11/14/2014 09:39 AM:

Thanks Wayne,

I have used ntop in the past but was not very happy with the results, and now I tried it once again and I am happy about it. It works and looks very nice.

Eliezer
Joe Loiacono, replying to Murat Kaipov's message of 11/14/2014 02:35:44 AM:

If you go the netflow route you might consider FlowViewer/SiLK for the collector/analyzer. It is web driven and allows you to easily establish traffic thresholds which will generate an alert email.

https://sourceforge.net/projects/flowviewer

Joe
Leonardo Arena, replying to Eliezer Croitoru's message of 2014-11-13 19:09 +0200:

NFDump [1] is also good if you are looking for a less fancy analyzer (cmdline based) but very customizable. You search for the data that you want in the time slot that you want. I know there are other projects which can read captured data and present it in a GUI but I haven't used them myself.

Regards,
leonardo

[1] http://nfdump.sourceforge.net/
Peter Phaal, replying to Eliezer Croitoru on Thu, Nov 13, 2014:

You might want to take a look at the Host sFlow SourceForge project: http://host-sflow.sourceforge.net/

The hsflowd agent uses the sFlow protocol to export interface counters, host performance statistics and packet flows (collected using iptables ULOG).

Peter
srn.nanog@prgmr.com, replying to Eliezer Croitoru on 11/13/2014 09:09 AM:

fprobe is a linux-based netflow probe that uses libpcap (as does tcpdump) and is already in the ubuntu universe repository. There is an ipv4-only iptables based version too called fprobe-ulog.

For collectors, it looks like the ones already available in ubuntu are nfcapd from nfdump and flow-capture from flow-tools. For analysis/alerts, cacti with the thold and flowview plugins might do the job.
Adrian Minta, replying to srn.nanog@prgmr.com on 14.11.2014 20:38:

Softflowd is also nice, supports "Netflow versions 1, 5 and 9 and is fully IPv6-capable". The package is included on ubuntu & debian.
-- Best regards, Adrian Minta
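Several replies in this thread converge on the same pipeline: a probe on the router (ipt-NETFLOW, fprobe, softflowd) exports NetFlow v5 over UDP, a collector receives it, and the analyzer applies a traffic threshold that raises an alert, which is the missing piece in Eliezer's MRTG setup. The following is an added example, not code from the thread or from any of the tools it names, showing what that collector side has to do at the wire level: decode the standard 24-byte v5 header and 48-byte records, sum bytes per source address for UDP flows only, and report the sources above a byte threshold. The packet layout is the published NetFlow v5 format; the sample flows, the addresses (RFC 5737 test ranges), the 10 MB threshold and the `build_v5` packer used to fabricate an exporter's datagram are all constructed for the demonstration. A real deployment would point the probe at this collector's port (2055 is the customary default, also an assumption) and replace the `print` in `serve` with whatever notification channel is wanted.

```python
"""Minimal NetFlow v5 collector: decode exports, find the LAN host pushing the
most UDP bytes, and flag it above a threshold.  Added example; not from the
thread or from ipt-NETFLOW/fprobe/softflowd.  Sample data is constructed."""
import ipaddress
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # version .. sampling_interval (24 B)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2 (48 B)
PROTO_UDP = 17
MAX_RECORDS = 30        # a v5 datagram never carries more than 30 records


def parse_v5(datagram):
    """Decode one v5 datagram into (header dict, list of flow dicts).

    Raises ValueError on truncated or non-v5 input so a malformed packet
    arriving from the network cannot silently corrupt the counters."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _nsecs, seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not fit the datagram")
    header = {
        "count": count, "uptime_ms": uptime, "unix_secs": secs, "sequence": seq,
        # low 14 bits hold the sampling interval; 0 means every packet was seen
        "sampling_rate": (sampling & 0x3FFF) or 1,
    }
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "srcport": f[9], "dstport": f[10], "proto": f[13],
        })
    return header, flows


def udp_bytes_by_source(flows, sampling_rate=1):
    """Sum exported UDP bytes per source address, scaled back up if sampled."""
    totals = defaultdict(int)
    for fl in flows:
        if fl["proto"] == PROTO_UDP:
            totals[fl["src"]] += fl["bytes"] * sampling_rate
    return dict(totals)


def offenders(totals, threshold_bytes):
    """Sources at or above the threshold, heaviest first."""
    hot = [(src, b) for src, b in totals.items() if b >= threshold_bytes]
    return sorted(hot, key=lambda item: (-item[1], item[0]))


def check_datagram(datagram, threshold_bytes):
    """Parse one datagram and return the offending sources."""
    header, flows = parse_v5(datagram)
    return offenders(udp_bytes_by_source(flows, header["sampling_rate"]), threshold_bytes)


def serve(threshold_bytes, bind="0.0.0.0", port=2055):
    """Listen for v5 exports and print an alert line per offending source.
    The print is the hook to replace with mail, a Nagios passive check, etc."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            for src, nbytes in check_datagram(data, threshold_bytes):
                print(f"ALERT exporter={peer[0]} src={src} udp_bytes={nbytes}")
        except ValueError as exc:
            print(f"dropped malformed datagram from {peer[0]}: {exc}")


# Constructed sample: one noisy LAN host (192.0.2.10) and two quiet ones.
SAMPLE_FLOWS = [
    # src, dst, packets, bytes, srcport, dstport, proto
    ("192.0.2.10", "198.51.100.5", 40000, 30_000_000, 40001, 5060, 17),
    ("192.0.2.10", "198.51.100.6", 20000, 15_000_000, 40002, 5060, 17),
    ("192.0.2.20", "198.51.100.7", 300, 24_000, 52000, 53, 17),
    ("192.0.2.30", "198.51.100.8", 5000, 6_000_000, 52100, 443, 6),  # TCP, ignored
]


def build_v5(flows, uptime_ms=60_000, unix_secs=1_415_901_000, sequence=1):
    """Pack flows into a v5 datagram the way an exporter would (test input only)."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                       b"\0" * 4, 1, 2, pkts, nbytes, 0, uptime_ms, sport, dport,
                       0, 0, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, pkts, nbytes, sport, dport, proto in flows)
    return header + body


def demo(threshold_bytes=10_000_000):
    """Run the check over the constructed datagram; returns [('192.0.2.10', 45000000)]."""
    return check_datagram(build_v5(SAMPLE_FLOWS), threshold_bytes)


if __name__ == "__main__":
    for src, nbytes in demo():
        print(f"ALERT src={src} udp_bytes={nbytes}")
```

The aggregation is per source address rather than per flow because a host blasting UDP typically spreads its output over many short flows; summing first is what makes the offender stand out, as the two 192.0.2.10 flows in the sample show. Rejecting malformed datagrams before touching the counters matters because the collector port is reachable by anything on the network segment, not only the router's exporter.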
participants (8): Adrian Minta, Eliezer Croitoru, Joe Loiacono, Leonardo Arena, Murat Kaipov, Peter Phaal, srn.nanog@prgmr.com, Wayne Lee