Flexible FlowMon Probe 1.0.0 Handbook

The Flexible FlowMon Probe is a passive network monitoring device based on the COMBO6(X) technology. It is able to collect dynamic data about IP flows and export them to external collectors in the NetFlow (version 5 and 9) and IPFIX (IP Flow Information eXport) format. The probe has great contribution to the safety and reliability of your network. You can obtain information about attacks and data transfers going in and out of your network. The probe is remotely configurable using terminal interface.

Figure 1.1. Flexible FlowMon Probe Monitoring Principle

So far, NetFlow data are mostly generated by IP routers. In contrast, our NetFlow probe is designed as an autonomous device working essentially as a T-splitter: when inserted into a network link, the incoming traffic is passed directly to the original destination and a separate copy of the link data is processed by the probe in parallel. From the network perspective, the probe can be classified as a repeater that is invisible at both the network and link layer.

Using a specialized probe for gathering data about IP flows has several advantages over the traditional router-based setup:

In contrast, a standalone monitoring probe is essentially a hidden device - invisible at both Layer 3 and 2 - dedicating all its resources to the tasks of flow record acquisition and processing.

Figure 1.2. NetFlow Principle

Flexible FlowMon Probe can be used with the COMBO cards described in the following table. COMBO6X cards need to have installed PCI bridge version c610.05.0c or higher (you can find details about PCI bridge and its version at http://www.liberouter.org/documents/pci_bridge_upgrade.php).

Figure 2.1. COMBO6X Card

Supported firmware depends on the type of card you use.

The firmware supports processing of Ethernet and all basic IPv4 and IPv6 headers:

Flexible FlowMon software works on GNU/Linux OS with 2.4 and 2.6 versions of kernel. NetFlow v5, v9 and IPFIX protocols are supported. The software has been tested on computers running Red Hat Enterprise Linux, CentOS, Ubuntu and Debian.

After plugging COMBO card into your PCI slot, you should test connection between the card and your PC. We use lspci(8) utility for this purpose. lspci(8) is a utility for displaying information about all PCI buses in the system and all devices connected to them. For correct recognition of the COMBO card, you need to update the PCI ID Database used by lspci(8) or download pciutils-2.2.2 (a program collection containing lspci(8)) or later. If the lspci(8) output contains the following line your COMBO card is connected properly.

		$ lspci -d 18ec:
		03:01.0 Ethernet controller: Cesnet, z.s.p.o. COMBO6X (rev 01)
		

There are three possibilities, how to insert the Flexible FlowMon Probe to the network - you can connect Flexible FlowMon Probe at a mirror port of some network device, utilize network tap or insert into a line as a repeater.

Flexible FlowMon Probe at a Mirror Port

If you want to check Flexible FlowMon features you can simply mirror traffic from your router to the Flexible FlowMon Probe.

Figure 2.2. Flexible FlowMon Probe Inserted at Mirror Port

Flexible FlowMon Probe Connected via Network Tap

Another way how to connect the Flexible FlowMon Probe in your network is to utilize network tap, e.g. an optical splitter (see figure bellow).

Figure 2.3. Flexible FlowMon Probe Connected via Optical Splitter

Flexible FlowMon Probe Inserted in a Line

In this case the Flexible FlowMon Probe works as a T-splitter: when inserted into a network link, the traffic is passed directly to the original destination and a separate copy of link data is processed by the probe in parallel. From the network perspective, the probe can be classified as a repeater that is invisible at both the network and link layer. Description of this repeater mode is in chapter Repeater.

Figure 2.4. Flexible FlowMon Probe Inserted in Line as a Repeater and Sending Data to Collector

Flexible FlowMon Probe Port Numbers

The general rule for numbering card ports is that the ports closer to the motherboard (PCI slot) have lower numbers, e.g. the closest port has number 0, the next one number 1 etc. The repeater functionality is described in chapter Repeater. See figures bellow for examples:

Figure 2.5. Flexible FlowMon Probe COMBO-2XFP2 Card Port Numbers

Rx/Tx LED diodes at COMBO-2XFP2 cards represent the state of the link. Red diode has three modes:

• diode is off - this state should never happen
• diode is on - repeater is off or is not repeating data
• diode is blinking in 100 ms interval - repeater is on and is repeating data

The blinking green diode (in 100 ms interval) represents transmitting data from the card.

Liberouter project has a common centralized RPM repository for all projects. It is available on URL: https://www.liberouter.org/repo. Repository works over secured HTTPS channel. To obtain packages from it, you have to authorize yourself with login and password which you have received as our client. (Eventually, use login and password for SVN account.)

To make the standard tool yum(1) work properly with our repository, you have to setup some configuration. Add a new file liberouter.repo to directory /etc/yum.repos.d/ with content:

	[liberouter]
	name=Liberouter RPM repository
	baseurl=https://LOGIN:PASS@www.liberouter.org/repo/
	enabled=1
	gpgcheck=0

Now you can check your configuration using yum(1):

	# yum repolist
	...
	liberouter           Liberouter RPM repository                enabled
	...
	

Flexible FlowMon is distributed in form of several RPM packages. Currently RPM packages for only CentOS 5.3 distribution are supported. Because default CentOS linux kernel contains bug, that makes use of combo6 kernel modules impossible, it is necessary to install and use provided kernel which fixes this bug. Unfortunately this fixed kernel is older than current CentOS kernel and yum(1) will not allow to downgrade package. This is possible with yum-allowdowngrade plug-in so installation of this plug-in is also necessary. Run:

	# yum install yum-allowdowngrade
	# yum --allow-downgrade install kernel-2.6.18-128.1.6.el5.slab_fix
	

Reboot to this new kernel after installation. Make sure, that computer reboots to this kernel (check /etc/grub.conf).

Now proceed to install the fflowmon-1.0.0 package

	# yum install fflowmon-1.0.0
	

This package will automatically install all necessary RPM packages for Flexible FlowMon 1.0.0:

You can check installed files belonging to RPM packages by command:

	$ rpm -ql <package>
	

If you want to allow non-privileged user to use combo cards, add him to combo-rw group:

# usermod -G $(id -G <user> | sed 's/ /,/g'),combo-rw <user>
	

Or simply edit /etc/group file which should look like this:

combo-rw:x:10001:xluser00
	

This section describes fflowmon.conf(5) configuration file placed in the /etc/liberouter/ directory. This configuration file is read by Flexible FlowMon Probe starting programs ( fflowmonlkm(1) and fflowmon(1)) and by init script. fflowmon(1) script uses it for reading default values of Flexible FlowMon variables when the values are not set by fflowmon(1) parameters. Init script set Flexible FlowMon Probe completely according this configuration file.

fflowmon.conf(5) is actually a list of definition of environment variables.

    VARNAME=VALUE
    

The file can contain blank lines or lines starting with '#' which are ignored by programs and can be used for comments.

You can freely modify this file and redefine default values of the probe settings.

Variable definitions are divided into several parts.

After installation, the Flexible FlowMon tools (included man pages) are available as any other system tools. There are two main scripts to start the probe - fflowmonlkm(1) and fflowmon(1). Both scripts use fflowmon.conf(5) configuration file.

        $ fflowmon -h
        $ man fflowmon
        

        $ dmesg
        combo6#0: device 0xf1010101 (Flexible_FlowMon) successfully attached
	

        $ fflowmonctl -h
        $ man fflowmonctl
        

        $ fflowmonctl -c status
        Active timeout:   30.0 sec
        Inactive timeout: 10.0 sec
        Sampling type:    constant
        Sampling value:   1
        Repeater:         enabled
     

        user.*                  /var/log/user.log

        # fflowmonlkm -l
        Loading Flexible FlowMon kernel modules for COMBO6X card.
        combo6x                14208  1 szedata2_c6x
        combo6core             18908  2 szedata2_c6x,combo6x
        szedata2_c6x           11156  0
        szedata2               14484  1 szedata2_c6x
        $ fflowmon -ec collector.liberouter.org:60000
        

        $ csid -s
	Board    : combo6x
	Addon0   : xfp2.2
	Chip0    : xc2vp30
	Channels : 3/3 (RX/TX)
	Firmware : ok
	SW       : 0xf1010101
	HW       : 0x00010003
	Text     : Flexible_FlowMon
	PCI brver: c610.05.0c

        $ fflowmon -s
        

        # fflowmonlkm -r
        

	$  ps aux | grep fflowmon
	flowmon   3023  12:19   0:11 fflowmon_nf9 collector.liberouter.org 60000 -I 65535
	flowmon   3105  12:26   0:04 fflowmon_nf5 -d localhost 3003
	

Start-up scripts are used to start a service (or a script) at machine boot time. The Flexible FlowMon start-up script is used to automatically start up the Flexible FlowMon Probe (to load kernel modules if necessary, boot firmware and set up the probe behavior) anytime your PC is started up. After installation, the script is implicitly prepared in /etc/rc.d/init.d/ directory and enabled. In the next section we describe, how to change these boot settings.

The start-up script uses all variables in fflowmon.conf(5) and calls fflowmonlkm(1) and fflowmon(1) scripts.

        # ./fflowmon.rc stop
        

        # chkconfig fflowmon.rc off
        

        # ./fflowmon.rc status
	Running Flexible FlowMon exporter(s):
	-------------------------------------
        /usr/bin/fflowmon_nf5 -c /dev/szedataII0 1 -d localhost 60003
        /usr/bin/fflowmon_nf9 -c /dev/szedataII0 1 -d localhost 60001
        /usr/bin/fflowmon_nf9 -c /dev/szedataII0 1 -d localhost 60002

	Actual Flexible FlowMon probe parameters:
	-----------------------------------------
	Active timeout:   300.0 sec
	Inactive timeout: 10.0 sec
	Sampling type:    constant (0)
	Sampling value:   0
	Repeater:         enabled
        

In case you need to read data from HW and send them to the collector, you can run several instances of Flexible FlowMon exporters. Prior to running an exporter, you must start Flexible FlowMon Probe (load kernel modules and run fflowmon script).

A Flexible FlowMon exporter has the possibility to anonymize exported data, perform filtering, exporter sampling, use IPv4 or IPv6 for transport, etc. There are three versions of Flexible FlowMon exporter, fflowmon_nf5(1) for exporting in NetFlow version 5 export format, fflowmon_nf9(1) for exporting in NetFlow version 9 export format and fflowmon_ipfix(1) for exporting in IPFIX export format.

	$ fflowmon_nf5 -d collector.liberouter.org:60000
	$ fflowmon_nf9 -d collector.liberouter.org:60001
	$ fflowmon_ipfix -d collector.liberouter.org:60002

	$ fflowmon_nf9 -a aes:fields=src,dst -d collector.liberouter.org:60000 

The exporter program will start sending flow records to the configured collector. To test that it is really the case, you can run a packet sniffer such as tcpdump(1) or ethereal(1), for example

	# tcpdump -i interface 'dst port collector_port'
	# tcpdump -i eth0 'dst port 60000'
	tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
	listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
	12:23:41.656669 IP exporter.flowmon.org.32768 > collector.liberouter.org.60000: UDP, length 1424
	12:23:41.667760 IP exporter.flowmon.org.32768 > collector.liberouter.org.60000: UDP, length 1424
	12:23:41.667798 IP exporter.flowmon.org.32768 > collector.liberouter.org.60000: UDP, length 1420
	...

For further information please see exporters man pages:

	$ man fflowmon_nf5
	$ man fflowmon_nf9
	$ man fflowmon_ipfix
	

phyterctl(1) is a tool used to display and change configuration of 2 interfaces available on COMBO-2XFP2 cards. The tool displays information about link status, resolved speed or duplex mode on link. phyterctl(1) is also able to change the advertised speed and duplex mode and provides r/w access to internal registers of the physical layer IC.

ibufctl(1) is used to display and change configuration of IBUF components in Flexible FlowMon COMBO6X designs.

	$ phyterctl -s100 -i0 ... advertise 100 Mbps on interface 0
	$ ibufctl -s100 -i0 ... set 100 Mbps input on interface 0

Example of phyterctl(1) listing with GBIC EEPROM information:

	$ phyterctl -c gbic
	Settings for card 0 (device /dev/combosix/0):
	------------------------------ Interface 0 ---
	Phyter status    Disconnected
	------------------------------ Interface 1 ---
	Phyter vendor    VITESSE
	Phyter model     VSC8486 10GbE PHY (rev 3)
	Speed            10 Gb/s
	Receive signal   Detected
	TX status        Enabled
	TX/RX Fault      0/0
	Link status      Up
	------------------------------ Interface 2 ---
	Phyter vendor    VITESSE
	Phyter model     VSC8486 10GbE PHY (rev 3)
	Speed            10 Gb/s
	Receive signal   Loss
	TX status        Enabled
	TX/RX Fault      0/0
	Link status      Down
	

NfSen is a graphical web-based front-end for nfdump NetFlow tools. We recommend to use Flexible FlowMon Probe with this collector.

NfSen allows you to:

Different tasks need different interfaces to your NetFlow data. NfSen allows you to keep all the convenient advantages of the command line using nfdump directly and gives you also a graphical overview over your NetFlow data.

NfSen is available at http://nfsen.sourceforge.net.

Figure 5.1. NfSen Collector

Example of displaying stored NetFlow data by nfdump tool:

	$ nfdump -r nfcapd.200705141320 -c 10 ... listing first ten records
	Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
	2007-05-14 13:08:39.885     4.794 TCP      172.43.198.55:6994  ->    172.43.63.224:1854        18    10337     1
	2007-05-14 13:08:44.774     0.000 TCP       57.137.41.68:3039  ->     172.43.63.46:443          1       44     1
	2007-05-14 13:08:44.775     0.000 TCP      172.43.63.222:16422 ->  217.190.181.203:60099        1       40     1
	2007-05-14 13:08:44.708     0.123 TCP      172.43.198.55:443   ->    172.43.58.194:3341        37    48536     1
	2007-05-14 13:08:33.147    31.686 TCP      172.43.60.219:1619  ->    172.43.206.51:445       4657   391386     1
	2007-05-14 13:08:33.148    31.686 TCP      172.43.206.51:445   ->    172.43.60.219:1619      6234    7.3 M     1
	2007-05-14 13:08:44.707     0.127 TCP      172.43.58.194:3341  ->    172.43.198.55:443         23     1980     1
	2007-05-14 13:08:44.648     0.189 TCP      172.43.62.186:3075  ->  196.176.237.132:80           3      615     1
	2007-05-14 13:08:44.656     0.188 TCP      172.43.63.199:10080 ->     172.43.58.23:1341         3      128     1
	2007-05-14 13:08:44.656     0.190 TCP       172.43.58.23:1341  ->    172.43.63.199:10080        5      358     1
	Summary: total flows: 10, total bytes: 7.7 M, total packets: 10982, avg bps: 2.0 M, avg pps: 346, avg bpp: 739
	Time window: 2007-05-14 13:08:21 - 2007-05-14 13:11:09
	Total flows processed: 15015, skipped: 0, Bytes read: 840852
	Sys: 0.004s flows/second: 3004201.7  Wall: 0.005s flows/second: 2869291.0
	

The libipfix C library implements the IPFIX protocol defined by the IP Flow Information Export working group of the IETF. The library provides functions to collect IPFIX measurement and account data via IPFIX protocol.

The libipfix library is available at http://ants.fokus.fraunhofer.de/libipfix/.

Features:

For any questions or general technical support issues, please send mail to the netflow [at] liberouter.org general mailing list.

Suggestions, bug reports and contributions of code are always valued. Please do not hesitate to report any problems you find. If you encounter any suspicious behavior of your Flexible FlowMon Probe (it stops monitoring, reports non-existing flows, runs too slow, reports only a few flows, ... ) please contact us.

Please send the following information to us:

This will help us track the problem and resolve it. Bug reports with attached fixes are of course even more welcome.

Check our web pages for information about other projects, such as NIFIC (network interface card with packet filtering and forwarding) or Intrusion Detection System.

http://www.liberouter.org/