Network monitoring with Sflow


Applications

 - nfdump/sfcapd: daemon that captures and reports sFlow data. It must be built with sFlow support enabled; see [[#sfcapd]]

sfcapd

debian

 cd /usr/src
 mkdir nfdump
 cd nfdump
 # Fetch the Debian source package so it can be rebuilt with sFlow support.
 apt-get source nfdump
 # Manual step: add --enable-sflow to the build options in debian/rules
 # before building (presumably the stock package does not enable it, hence
 # this rebuild).
 # --enable-sflow in debian/rules
 # -uc -us: skip signing the .changes/.dsc files (local, unsigned rebuild).
 debuild -uc -us
 # debuild leaves the resulting .deb files in the parent directory (/usr/src).
 cd ..
 # Install every package produced by the build.
 sudo dpkg -i nfdump*.deb
 

For the init script you will need something like:

   $> cat /etc/init.d/sfcapd 
   #! /bin/sh
   ### BEGIN INIT INFO
   # Provides:          sfcapd
   # Required-Start:    $remote_fs $syslog
   # Required-Stop:     $remote_fs $syslog
   # Default-Start:     2 3 4 5
   # Default-Stop:      0 1 6
   # Short-Description: collects sflow data into /var/lib/sflow
   # Description:       This file should be used to construct scripts to be
   #                    placed in /etc/init.d.
   ### END INIT INFO
   # Author: Foo Bar <foobar@baz.org>
   #
   # Please remove the "Author" lines above and replace them
   # with your own name if you copy and modify this script.
   # Do NOT "set -e"
   # PATH should only include /usr/* if it runs after the mountnfs.sh script
   PATH=/sbin:/usr/sbin:/bin:/usr/bin
   # Service identity; the binary, pidfile and config paths are all derived from NAME.
   NAME="sfcapd"
   DAEMON="/usr/bin/${NAME}"
   PIDFILE="/var/run/${NAME}.pid"
   SCRIPTNAME="/etc/init.d/${NAME}"
   # Directory the collector writes flow files into, and the text used by the log_* messages.
   DATADIR="/var/lib/sflow"
   DESC="Collects sflow data into $DATADIR"
   # -D: detach as a daemon; -l: data directory; -p 6343: UDP port to listen on
   # (the standard sFlow port); -I myrouter: ident tag stored with the data
   # (shown by 'nfdump -I'); -P: pidfile used by start-stop-daemon.
   # NOTE(review): no listen address is set here; unless sfcapd defaults
   # otherwise, UDP 6343 is reachable on every interface — restrict it with a
   # host firewall to the exporting router(s). The daemon is also started as
   # root (no user switch anywhere in this script); check 'sfcapd -h' for an
   # unprivileged user/group option before deploying.
   DAEMON_ARGS="-w -D -l $DATADIR -p 6343 -I myrouter -P $PIDFILE"
   # Nothing to do if the package is not installed.
   [ -x "$DAEMON" ] || exit 0
   # Site overrides (e.g. DAEMON_ARGS) come from /etc/default/sfcapd. The file is
   # sourced as shell code, so it must stay root-owned and not world-writable.
   [ -r "/etc/default/${NAME}" ] && . "/etc/default/${NAME}"
   # VERBOSE and other rcS settings, then the LSB log_* helpers
   # (provided by lsb-base >= 3.0-6).
   . /lib/init/vars.sh
   . /lib/lsb/init-functions
   #
   # Function that starts the daemon/service
   #
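   do_start()
   {
           # Return
           #   0 if daemon has been started
           #   1 if daemon was already running
           #   2 if daemon could not be started
           # The --test pass only checks whether a process matching the pidfile
           # and executable already exists; nothing is started yet.
           start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
                   || return 1
           # $DAEMON_ARGS is deliberately left unquoted: it is a space-separated
           # option string (possibly overridden in /etc/default/sfcapd) that must
           # be word-split into individual arguments for the daemon.
           start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
                   $DAEMON_ARGS \
                   || return 2
           # Add code here, if necessary, that waits for the process to be ready
           # to handle requests from services started subsequently which depend
           # on this one.  As a last resort, sleep for some time.
   }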
   #
   # Function that stops the daemon/service
   #
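   do_stop()
   {
           # Return
           #   0 if daemon has been stopped
           #   1 if daemon was already stopped
           #   2 if daemon could not be stopped
           #   other if a failure occurred
           # First pass matches on pidfile + process name: TERM, wait up to 30s,
           # then KILL, wait up to 5s.
           start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
           RETVAL="$?"
           [ "$RETVAL" = 2 ] && return 2
           # Wait for children to finish too if this is a daemon that forks
           # and if the daemon is only ever run from this initscript.
           # If the above conditions are not satisfied then add some other code
           # that waits for the process to drop all resources that could be
           # needed by services started subsequently.  A last resort is to
           # sleep for some time.
           # Second pass matches on the executable path only, so it also reaps
           # any sfcapd not tracked by the pidfile; --oknodo makes "none left"
           # a success rather than an error.
           start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
           [ "$?" = 2 ] && return 2
           # Many daemons don't delete their pidfiles when they exit.
           rm -f -- "$PIDFILE"
           return "$RETVAL"
   }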
   #
   # Function that sends a SIGHUP to the daemon/service
   #
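   do_reload() {
           #
           # If the daemon can reload its configuration without
           # restarting (for example, when it is sent a SIGHUP),
           # then implement that here.
           #
           # --signal 1 is SIGHUP; with --stop and no --retry, start-stop-daemon
           # only delivers the signal and does not wait for or kill the process.
           # Whether sfcapd actually reacts to SIGHUP is not established by this
           # script — confirm before wiring up the 'reload' arm in the case
           # statement below.
           start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE" --name "$NAME"
           # Always 0, as in the stock skeleton: a failed signal delivery (e.g. the
           # daemon is not running) is deliberately not reported to the caller.
           return 0
   }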
   case "$1" in
     start)
           # do_start: 0 = started, 1 = already running (both reported as
           # success), 2 = could not start.
           [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
           do_start
           rc=$?
           if [ "$VERBOSE" != no ]; then
                   case "$rc" in
                           0|1) log_end_msg 0 ;;
                           2) log_end_msg 1 ;;
                   esac
           fi
           ;;
     stop)
           # do_stop: 0 = stopped, 1 = already stopped (both reported as
           # success), 2 = could not stop.
           [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
           do_stop
           rc=$?
           if [ "$VERBOSE" != no ]; then
                   case "$rc" in
                           0|1) log_end_msg 0 ;;
                           2) log_end_msg 1 ;;
                   esac
           fi
           ;;
     status)
           # Propagate status_of_proc's own exit code so callers can test it.
           if status_of_proc "$DAEMON" "$NAME"; then
                   exit 0
           else
                   exit $?
           fi
           ;;
     # 'reload' is deliberately not exposed and force-reload stays an alias
     # for restart. To enable it, add a 'reload|force-reload)' arm that calls
     # log_daemon_msg, do_reload and log_end_msg $?, and drop force-reload
     # from the restart arm below.
     restart|force-reload)
           # Always logged, not gated on VERBOSE (as in the stock skeleton).
           log_daemon_msg "Restarting $DESC" "$NAME"
           do_stop
           rc=$?
           if [ "$rc" = 0 ] || [ "$rc" = 1 ]; then
                   do_start
                   rc=$?
                   if [ "$rc" = 0 ]; then
                           log_end_msg 0
                   else
                           # 1: old process still running; anything else: failed to start
                           log_end_msg 1
                   fi
           else
                   # Failed to stop
                   log_end_msg 1
           fi
           ;;
     *)
           echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
           exit 3
           ;;
   esac
   # Exit 0 regardless of the status of the last log_* call above.
   :
 - create /etc/init.d/sfcapd
 - chmod a+rx /etc/init.d/sfcapd
 - update-rc.d sfcapd defaults

Reporting

Get Summary

 * nfdump -R /var/lib/sflow -I
   Ident: myrouter
   Flows: 668
   Flows_tcp: 570
   Flows_udp: 97
   Flows_icmp: 1
   Flows_other: 0
   Packets: 85504
   Packets_tcp: 72960
   Packets_udp: 12416
   Packets_icmp: 128
   Packets_other: 0
   Bytes: 18279552
   Bytes_tcp: 17764992
   Bytes_udp: 506880
   Bytes_icmp: 7680
   Bytes_other: 0
   First: 1287593210
   Last: 1287594896
   msec_first: 408
   msec_last: 434
   Sequence failures: 0

Top 10 IPs sorted by bits-per-second

(Note: use -K followed by a 32-character key to anonymize IP addresses; the listings below were produced that way, hence the "IP addresses anonymized" line.)

 * nfdump -n 10 -R /var/lib/sflow -s ip -O bps
   Top 10 IP Addr ordered by bps:
   Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
   2010-10-20 13:40:23.462     0.993 any      184.82.242.160        4( 0.3)      512( 0.3)   145920( 0.4)      515    1.2 M   285
   2010-10-20 12:49:33.418     0.994 any     116.128.214.177        2( 0.1)      256( 0.1)   120192( 0.3)      257   967340   469
   2010-10-20 13:21:18.447     1.992 any      116.146.30.104        6( 0.4)      768( 0.4)   206848( 0.5)      385   830714   269
   2010-10-20 13:40:13.464     0.990 any      247.155.64.122        3( 0.2)      384( 0.2)   102144( 0.3)      387   825406   266
   2010-10-20 13:08:25.430     1.998 any        119.22.17.76        4( 0.3)      512( 0.3)   199424( 0.5)      256   798494   389
   2010-10-20 13:02:43.432     2.992 any         119.22.17.9        3( 0.2)      384( 0.2)   164864( 0.4)      128   440812   429
   2010-10-20 12:49:31.411     2.007 any      126.231.251.72        9( 0.6)     1152( 0.6)    59904( 0.1)      573   238780    52
   2010-10-20 13:22:34.442     0.998 any     119.228.225.195        4( 0.3)      512( 0.3)    25344( 0.1)      513   203158    49
   2010-10-20 13:37:35.452     1.000 any     240.230.200.246        3( 0.2)      384( 0.2)    17920( 0.0)      384   143360    46
   2010-10-20 13:14:46.435     0.999 any     122.255.181.118        2( 0.1)      256( 0.1)    13312( 0.0)      256   106602    52
   IP addresses anonymized
   Summary: total flows: 1434, total bytes: 40.8 M, total packets: 183552, avg bps: 93653, avg pps: 52, avg bpp: 222
   Time window: 2010-10-20 12:46:50 - 2010-10-20 13:44:56
   Total flows processed: 1434, Blocks skipped: 0, Bytes read: 86376
   Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 1452887.5 

Top 10 IPs with more than 1M bytes of traffic, sorted by bps

 * nfdump -n 10 -R /var/lib/sflow -s ip -O bps -L 1M
   Byte limit: > 1000000 bytes
   Top 10 IP Addr ordered by bps:
   Date first seen          Duration Proto           IP Addr    Flows(%)     Packets(%)       Bytes(%)         pps      bps   bpp
   2010-10-20 12:47:05.408  4074.054 any         9.9.254.226      842(50.2)   107776(50.2)   39.7 M(77.5)       26    77894   368
   2010-10-20 12:47:35.408  3942.053 any           9.5.16.99      200(11.9)    25600(11.9)   19.7 M(38.5)        6    40020   770
   2010-10-20 12:52:31.414  3748.048 any         9.6.242.189       36( 2.1)     4608( 2.1)    5.3 M(10.4)        1    11326  1151
   2010-10-20 12:50:22.412  3750.050 any           9.5.16.51       50( 3.0)     6400( 3.0)    4.7 M( 9.2)        1    10018   733
   2010-10-20 12:46:50.408  4082.055 any         9.9.254.138      221(13.2)    28288(13.2)    4.8 M( 9.4)        6     9450   170
   2010-10-20 12:47:12.408  3942.053 any           9.5.16.30      222(13.2)    28416(13.2)    4.5 M( 8.9)        7     9220   159
   2010-10-20 12:46:58.417  4081.045 any           9.9.254.6      402(24.0)    51456(24.0)    2.7 M( 5.3)       12     5363    53
   2010-10-20 12:46:58.417  4081.045 any         9.9.254.185      372(22.2)    47616(22.2)    2.3 M( 4.5)       11     4508    48
   2010-10-20 12:46:50.408  4080.054 any          9.4.245.61      128( 7.6)    16384( 7.6)    2.2 M( 4.4)        4     4374   136
   IP addresses anonymized
   Summary: total flows: 1676, total bytes: 51.2 M, total packets: 214528, avg bps: 100166, avg pps: 52, avg bpp: 238
   Time window: 2010-10-20 12:46:50 - 2010-10-20 13:54:59
   Total flows processed: 1676, Blocks skipped: 0, Bytes read: 100952
   Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 1689516.1 
