[Nfsen-discuss] nfsplit, tool for nfsen
Netflow visualisation and investigation tool
From: Pascal G. <pas...@sp...> - 2006-05-08 23:44:42
Hi NfSen-ers,

While starting to play with nfdump/nfsen, I noticed I can not have 'nice colors(tm)' per upstream/IX/customer, simply because they are common to a source (router). So I wrote nfsplit.

nfsplit is some sort of netflow proxy to be used between the netflow sources (routers) and nfcapd. It splits the netflow records based on the input/output interface and forwards the records to a given ip:port (where nfcapd is listening).

Typically, you will send all your netflow packets from all your devices to nfsplit. nfsplit will forward the records based on its config file to many nfcapd.

Let's take an example: router1 has interface1 (id 1) on which is upstream1. router1 also has interface2 (id 2) on which is upstream2. In a classic nfsen setup, both flows will appear as the same source, same color. In a nfsplit setup, each interface will appear as a unique source.

    # nfsplit sample config
    # where we listen for packets
    local:0.0.0.0:10000
    # flow for interface id 1
    flow:<router1 ip>:1:127.0.0.1:10001
    flow:<router1 ip>:2:127.0.0.1:10002

Flow records with input OR output interface id 1 will be sent to localhost port 10001 (where nfcapd is listening). Flow records with input OR output interface id 2 will be sent to localhost port 10002 (where another nfcapd is listening).

But that's not all, nfsplit can also aggregate. Often ISPs have redundant links to Internet Exchange Points and often from two different routers. With nfsplit, you can tell it to send the two sources to the same nfcapd.

    flow:<router1 ip>:<if id>:127.0.0.1:10001
    flow:<router2 ip>:<if id>:127.0.0.1:10002

The software:
- written in C
- Open source license (Apache 2.0)
- tested on linux 2.6, freebsd 6, solaris 10
- light memory usage, 64kb per "flow" in the config plus the program itself
- on a Xeon 2.4Ghz, with ~700 netflow packets / sec on input, 3% average CPU load.
- http://www.spale.com/download/nfsplit/nfsplit-1.0.1.tar.gz

The result, out of the box, looks like this (upstreams in red, peerings in green and BGP customers in blue):
http://www.spale.com/download/nfsplit/demo.gif
(sorry for the little hole in the graph, unexpected disk full ;P)

Questions / Remarks?

Regards,
Pascal Gloor
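As an added illustration (not nfsplit's own code) of the config format and split rule described in the post above, the following Python parses `local:`/`flow:` lines and routes each record of a NetFlow v5 packet to every nfcapd destination configured for its input OR output interface, including the aggregation case where two routers map to one destination. The router addresses, the sample config and the v5 packet are constructed for this example; only NetFlow v5 (fixed 48-byte records) is assumed.

```python
import struct
from collections import defaultdict

# Constructed sample config in the post's format (addresses are hypothetical).
SAMPLE_CONFIG = """
# where we listen for packets
local:0.0.0.0:10000
# router1: interface 1 -> nfcapd on 10001, interface 2 -> nfcapd on 10002
flow:192.0.2.1:1:127.0.0.1:10001
flow:192.0.2.1:2:127.0.0.1:10002
# router2 interface 7 is a redundant link to the same IX: aggregate into 10002
flow:192.0.2.2:7:127.0.0.1:10002
"""

def parse_config(text):
    """Return (listen_addr, rules); rules maps (router_ip, if_id) -> {(dst_ip, port)}."""
    listen, rules = None, defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, *fields = line.split(":")
        if kind == "local" and len(fields) == 2:
            listen = (fields[0], int(fields[1]))
        elif kind == "flow" and len(fields) == 4:
            rules[(fields[0], int(fields[1]))].add((fields[2], int(fields[3])))
        else:
            raise ValueError("bad config line: %r" % line)
    return listen, rules

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte record; fields 3,4 = input/output ifIndex

def route_packet(rules, router_ip, packet):
    """Split one v5 packet from router_ip: returns {(dst_ip, port): [record bytes, ...]}.
    A record is copied to every destination configured for its input OR output interface."""
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError("only NetFlow v5 is handled in this example")
    out = defaultdict(list)
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        rec = packet[off:off + V5_RECORD.size]
        in_if, out_if = V5_RECORD.unpack(rec)[3:5]
        for dst in rules.get((router_ip, in_if), set()) | rules.get((router_ip, out_if), set()):
            out[dst].append(rec)
    return out

def make_v5_packet(if_pairs):
    """Constructed test helper: build a v5 packet from (input_if, output_if) pairs, other fields zeroed."""
    body = b"".join(V5_RECORD.pack(b"\0" * 4, b"\0" * 4, b"\0" * 4, i, o, 1, 64, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
                    for i, o in if_pairs)
    return V5_HEADER.pack(5, len(if_pairs), 0, 0, 0, 0, 0, 0, 0) + body
```

Records whose interfaces match no rule are dropped, and a record matching on both interfaces is sent once per distinct destination; a real forwarder would then re-wrap each destination's records in a fresh v5 header before sending.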