Re: pf visualization

2008-08-31 Thread Dave Wilson

Stuart Henderson wrote:

On 2008-08-29, Stephan A. Rickauer [EMAIL PROTECTED] wrote:

Thanks, I'll have a look into it. Maybe you could send me canacar's
diff,  so I can test it while I'm on it. I'd definitely prefer pfflowd
over softflowd.


here you go; it's needed for kernels from after the network
hackathon.



Yay!

I've been hoping someone would post such a patch for some time, so 
thanks for this, and canacar, if you're reading thanks for the patch.


That said, it seems[0] to be a pretty comprehensive patch, which fixes 
pfflowd and could well be a candidate for becoming pfflowd-0.8. I am 
aware that the original author, Damien Miller, is a dev, and is 
subscribed to the list. I do not doubt that there is a good reason he 
has not so far brought pfflowd up to date in the original tarball, and 
created pfflowd-0.8; I suspect this is mostly down to time, and I 
realise he probably has many better things to do. However, there may be 
other reasons, such as a lack of testing. As such:


Damien, is there any way, such as testing this or any other patches, 
that I might help you in bringing your version of pfflowd up to date? If 
testing, what tests other than compiling and running a patched version? 
I am a sysadmin rather than a coder, but I will happily do anything I 
can to assist you.


Dave Wilson.


[0] Although granted, what I know about programming could fit on the 
back of an envelope.




Re: pf visualization

2008-08-29 Thread Stephan A. Rickauer
On Thu, 2008-08-28 at 11:52 -0400, Jason Dixon wrote:
  
  Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
  ntop ;)
 
 If I ever get off my lazy ass and finish/package it up, maybe this?
 
 http://www.netflowdashboard.com/demo/


http://www.netflowdashboard.com/download/ is down ;)

 P.S.  I just noticed it's actually somewhat useful in lynx as well.  Go
 figure.  :)

Looks nice. I guess you'd need pfflowd on the firewall and have the
dashboard somewhere else?



Re: pf visualization

2008-08-29 Thread Stephan A. Rickauer
On Thu, 2008-08-28 at 16:03 +, Stuart Henderson wrote:
 
  Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
  ntop ;)
 

 the nfdump/nfprofile tools (also in ports) are interesting too,
 there's a web interface NfSen which is yet to be ported but can
 be manually installed without huge trouble. they need to work
 with a collector; our low-overhead one (pfflowd) needs mending
 to work with the changes to PF (hmm, now where did I put
 canacar's diff for that...) but there is also pcap-based
 softflowd which should be ok (I haven't tried it on the pflog
 interface, but if it works, that's probably the best way to
 use it, and if it doesn't work like that, it's relatively
 easy to add).

Thanks, I'll have a look into it. Maybe you could send me canacar's
diff,  so I can test it while I'm on it. I'd definitely prefer pfflowd
over softflowd.



Re: pf visualization

2008-08-29 Thread Stuart Henderson
On 2008-08-29, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 Thanks, I'll have a look into it. Maybe you could send me canacar's
 diff,  so I can test it while I'm on it. I'd definitely prefer pfflowd
 over softflowd.

here you go; it's needed for kernels from after the network
hackathon.

Index: Makefile
===
RCS file: /cvs/ports/net/pfflowd/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile28 Jun 2008 08:30:00 -  1.8
+++ Makefile25 Jul 2008 14:29:14 -
@@ -1,10 +1,9 @@
 # $OpenBSD: Makefile,v 1.8 2008/06/28 08:30:00 ajacoutot Exp $
 
-BROKEN=needs to cope with recent network changes
-
 COMMENT=   PF to NetFlow converter
 
 DISTNAME=  pfflowd-0.7
+PKGNAME=   ${DISTNAME}p0
 CATEGORIES=net
 MASTER_SITES=  http://www.mindrot.org/files/pfflowd/
 
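Review bot: removing BROKEN and bumping PKGNAME to ${DISTNAME}p0 is the right shape for a patch-only update, but the cover note says the patched port is only good for kernels from after the network hackathon, and nothing in the Makefile records that. Since the accompanying source patch switches pfflowd from st[i].lan/ext to st[i].key[...], a binary built against the wrong kernel headers will export wrong addresses rather than fail outright; a comment above PKGNAME naming the minimum kernel would save users from debugging bogus flow data.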
Index: patches/patch-pfflowd_c
===
RCS file: patches/patch-pfflowd_c
diff -N patches/patch-pfflowd_c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ patches/patch-pfflowd_c 25 Jul 2008 14:29:14 -
@@ -0,0 +1,182 @@
+$OpenBSD$
+--- pfflowd.c.orig Fri Jun 13 02:40:21 2008
 pfflowd.c  Fri Jun 13 02:56:30 2008
+@@ -210,14 +210,14 @@ connsock(struct sockaddr *addr, socklen_t len)
+ }
+ 
+ static void 
+-format_pf_host(char *buf, size_t n, struct pf_state_host *h, sa_family_t af)
++format_pf_addr(char *buf, size_t n, const struct pf_addr *h, sa_family_t af)
+ {
+   const char *err = NULL;
+ 
+   switch (af) {
+   case AF_INET:
+   case AF_INET6:
+-  if (inet_ntop(af, h-addr, buf, n) == NULL)
++  if (inet_ntop(af, h, buf, n) == NULL)
+   err = strerror(errno);
+   break;
+   default:
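Review bot: as archived this diff cannot be applied: the list software has stripped angle brackets, so `h-addr` in the removed inet_ntop line was `h->addr`, and further down `i  n` and `netflow_socket != -1  st[i]...` have lost their `<` and `&&`; anyone testing should take the diff from the original mail rather than this page. On the change itself, passing the `const struct pf_addr *` straight to inet_ntop is fine for both AF_INET and AF_INET6 because the union's v4 and v6 members share the same address, and renaming format_pf_host to format_pf_addr forces every caller to be touched, which is good; the callers are not in the visible part of the patch.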
+@@ -253,7 +253,8 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
+ 
+   hdr = (struct NF1_HEADER *)packet;
+   for(num_packets = offset = j = i = 0; i  n; i++) {
+-  struct pf_state_host src, dst;
++  const struct pf_addr *src, *dst;
++  u_int16_t src_port, dst_port;
+   u_int32_t bytes_in, bytes_out;
+   u_int32_t packets_in, packets_out;
+   char src_s[64], dst_s[64], rt_s[64], pbuf[16], creation_s[64];
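Review bot: src, dst, src_port and dst_port are declared here without initialisers, which is only safe because both arms of the direction branch in the next hunk assign all four before use; if a third case or an early `continue` is ever added, keep that invariant or initialise them to NULL/0 here. The ports are now plain u_int16_t copied out of the state key and later stored into the NetFlow record unchanged, exactly as the old `src.port` was, so this relies on the key keeping ports in network byte order the way pf_state_host did.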
+@@ -300,19 +301,23 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
+   creation = uptime_ms; /* Avoid u_int wrap */
+ 
+   if (st[i].direction == PF_OUT) {
+-  memcpy(src, st[i].lan, sizeof(src));
+-  memcpy(dst, st[i].ext, sizeof(dst));
++  src = st[i].key[PF_SK_WIRE].addr[1];
++  dst = st[i].key[PF_SK_WIRE].addr[0];
++  src_port = st[i].key[PF_SK_WIRE].port[1];
++  dst_port = st[i].key[PF_SK_WIRE].port[0];
+   } else {
+-  memcpy(src, st[i].ext, sizeof(src));
+-  memcpy(dst, st[i].lan, sizeof(dst));
++  src = st[i].key[PF_SK_STACK].addr[0];
++  dst = st[i].key[PF_SK_STACK].addr[1];
++  src_port = st[i].key[PF_SK_STACK].port[0];
++  dst_port = st[i].key[PF_SK_STACK].port[1];
+   }
+ 
+   flw = (struct NF1_FLOW *)(packet + offset);
+   if (netflow_socket != -1  st[i].packets[0][0] != 0) {
+-  flw-src_ip = src.addr.v4.s_addr;
+-  flw-dest_ip = dst.addr.v4.s_addr;
+-  flw-src_port = src.port;
+-  flw-dest_port = dst.port;
++  flw-src_ip = src-v4.s_addr;
++  flw-dest_ip = dst-v4.s_addr;
++  flw-src_port = src_port;
++  flw-dest_port = dst_port;
+   flw-flow_packets = st[i].packets[0][0];
+   flw-flow_octets = st[i].bytes[0][0];
+   flw-flow_start = htonl(uptime_ms - creation);
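Review bot: the two arms use different state keys (PF_SK_WIRE for PF_OUT, PF_SK_STACK otherwise), and that changes what is exported for translated states. The old code reported st[i].lan, the internal host, as the source of outbound flows; the wire key of a NAT'd outbound state, as its name suggests, carries the translated address instead, while the inbound arm's stack key still yields the internal host as destination. If per-host accounting on the LAN side is the goal, PF_SK_STACK in both arms matches the old behaviour; if the wire view is intended, say so in a comment, because the index swap (addr[1]/port[1] as source for PF_OUT, addr[0]/port[0] for PF_IN) already makes this block hard to read.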
+@@ -325,10 +330,10 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
+   }
+   flw = (struct NF1_FLOW *)(packet + offset);
+   if (netflow_socket != -1  st[i].packets[1][0] != 0) {
+-  flw-src_ip = dst.addr.v4.s_addr;
+-  flw-dest_ip = src.addr.v4.s_addr;
+-  flw-src_port = dst.port;
+-  flw-dest_port = src.port;
++  flw-src_ip = dst-v4.s_addr;
++  flw-dest_ip = src-v4.s_addr;
++  flw-src_port = dst_port;
++  flw-dest_port = src_port;
+   flw-flow_packets = st[i].packets[1][0];
+   flw-flow_octets = st[i].bytes[1][0];
+   flw-flow_start = htonl(uptime_ms - creation);
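Review bot: this reverse-direction record and the forward one above read src->v4.s_addr and dst->v4.s_addr regardless of the state's address family (the old code did the same through src.addr.v4). NetFlow v1 has no IPv6 fields, so unless the loop skips af != AF_INET before this point (not visible in the hunk), an IPv6 state would be exported with the first 32 bits of each address as a v4 address and the ports intact, quietly corrupting the collector's per-host statistics; a `continue` on non-AF_INET states at the top of the loop would be the safe fix. The swap of src/dst and of the two port locals is otherwise correct and mirrors the forward record.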
+@@ -352,17 +357,17 @@ send_netflow_v1(const struct pfsync_state *st, u_int n
+ 
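Review bot: the archived patch stops at this hunk header; the enclosing hunk was declared as 182 lines but only about eighty are shown, so this hunk's 17 lines and everything after it (including the callers of the renamed format_pf_addr) are missing here and must be taken from the original post before anyone tests it.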

Re: pf visualization

2008-08-28 Thread Jason Dixon
On Thu, Aug 28, 2008 at 03:24:37PM +, Stephan A. Rickauer wrote:
 I am curious what tools people here use to visualize pf-generated logs
 and/or live traffic. What i'm basically looking for is a tool, that
 provides various stats about a pf firewall usage in a graphical way,
 but not only 'bytes in/bytes out' (i have that using snmp/cacti) but
 more detailed stuff like protocol and port distribution, IP based stats
 and whatnot.
 
 Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
 ntop ;)

If I ever get off my lazy ass and finish/package it up, maybe this?

http://www.netflowdashboard.com/demo/

P.S.  I just noticed it's actually somewhat useful in lynx as well.  Go
figure.  :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: pf visualization

2008-08-28 Thread Stuart Henderson
On 2008-08-28, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 I am curious what tools people here use to visualize pf-generated logs
 and/or live traffic. What i'm basically looking for is a tool, that
 provides various stats about a pf firewall usage in a graphical way,
 but not only 'bytes in/bytes out' (i have that using snmp/cacti) but
 more detailed stuff like protocol and port distribution, IP based stats
 and whatnot.

 Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
 ntop ;)

argus (in ports/net - http://qosient.com/argus/, as opposed to
the other argus which is a server monitoring program) is a good
collector/recorder, it has programs that can do some analysis on
the data but you need to generate graphs yourself some way or
other.

the nfdump/nfprofile tools (also in ports) are interesting too,
there's a web interface NfSen which is yet to be ported but can
be manually installed without huge trouble. they need to work
with a collector; our low-overhead one (pfflowd) needs mending
to work with the changes to PF (hmm, now where did I put
canacar's diff for that...) but there is also pcap-based
softflowd which should be ok (I haven't tried it on the pflog
interface, but if it works, that's probably the best way to
use it, and if it doesn't work like that, it's relatively
easy to add).



Re: pf visualization

2008-08-28 Thread Daniel Melameth
On Thu, Aug 28, 2008 at 9:52 AM, Jason Dixon [EMAIL PROTECTED] wrote:
 If I ever get off my lazy ass and finish/package it up, maybe this?

 http://www.netflowdashboard.com/demo/

VERY nice and simple Jason--which, unfortunately, is such a rarity.
Here's to you getting your second wind ;) .



Re: pf visualization

2008-08-28 Thread Parvinder Bhasin
perhaps pfsysinfo and pfstat.  Some of the stuff you'll have to make  
your own graphs.


-Parvinder Bhasin

On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:


I am curious what tools people here use to visualize pf-generated logs
and/or live traffic. What i'm basically looking for is a tool, that
provides various stats about a pf firewall usage in a graphical way,
but not only 'bytes in/bytes out' (i have that using snmp/cacti) but
more detailed stuff like protocol and port distribution, IP based stats
and whatnot.

Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
ntop ;)

Stephan




Re: pf visualization

2008-08-28 Thread Andrew Konkol
On Thu, Aug 28, 2008 at 12:25 PM, Daniel Melameth [EMAIL PROTECTED] wrote:

 On Thu, Aug 28, 2008 at 9:52 AM, Jason Dixon [EMAIL PROTECTED] wrote:
  If I ever get off my lazy ass and finish/package it up, maybe this?
 
  http://www.netflowdashboard.com/demo/

 VERY nice and simple Jason--which, unfortunately, is such a rarity.
 Here's to you getting your second wind ;) .

This would be a great asset to me.



Re: pf visualization

2008-08-28 Thread David Newman
On 8/28/08 10:22 AM, Parvinder Bhasin wrote:
 perhaps pfsysinfo and pfstat.  Some of the stuff you'll have to make
 your own graphs.
 
 -Parvinder Bhasin
 
 On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:
 
 I am curious what tools people here use to visualize pf-generated logs
 and/or live traffic. What i'm basically looking for is a tool, that
 provides various stats about a pf firewall usage in a graphical way,
 but not only 'bytes in/bytes out' (i have that using snmp/cacti) but
 more detailed stuff like protocol and port distribution, IP based stats
 and whatnot.

 Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
 ntop ;)


Gave up on pfstat because of a need to watch multiple interfaces.

Currently using packetmischief's pf MIB with cacti:

http://www.packetmischief.ca/openbsd/snmp/#pfmib

It's working OK.

dn