RE: Linux router traffic monitoring, how? netflow?

2014-11-13 Thread Murat Kaipov
Hello Eliezer.
Netflow will be the best solution to find the host that generates load. First 
you need to decide what netflow analyzer you'll use. I know about some plugin for 
Cacti. Then you need to install IPT-NETFLOW on your Ubuntu router.
Also you have another way: you can monitor (SNMP traffic) all ports on switches 
and then find and analyze. 
B.R. Murat


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eliezer Croitoru
Sent: Thursday, November 13, 2014 8:10 PM
To: nanog@nanog.org
Subject: Linux router traffic monitoring, how? netflow?

Hey all,

I have a tiny Linux router based on Ubuntu and sometimes I get a massive load 
of UDP traffic because of one of the PCs in the network.
Usually I handle the situation with a strict block using iptables.
The main issue is to find it due to the load.
For now I am monitoring the traffic load using MRTG but it won't notify me.
I can try to use nagios to monitor traffic load for a period of time but before 
I start working on it I want another person's opinion and options.

I have seen netflow in the past but never actually used it.

Thanks in advance,
Eliezer


Re: Linux router traffic monitoring, how? netflow?

2014-11-13 Thread Wayne Lee
Hello


I've used ntop in the past with great success.

ntop.org


Regards

Wayne

On 14 November 2014 02:35, Murat Kaipov  wrote:

> Hello Eliezer.
> Netflow will be the best solution to find the host that generates load.
> First you need to decide what netflow analyzer you'll use. I know about some
> plugin for Cacti. Then you need to install IPT-NETFLOW on your Ubuntu router.
> Also you have another way: you can monitor (SNMP traffic) all ports on
> switches and then find and analyze.
> B.R. Murat
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eliezer Croitoru
> Sent: Thursday, November 13, 2014 8:10 PM
> To: nanog@nanog.org
> Subject: Linux router traffic monitoring, how? netflow?
>
> Hey all,
>
> I have a tiny Linux router based on Ubuntu and sometimes I get a massive
> load of UDP traffic because of one of the PCs in the network.
> Usually I handle the situation with a strict block using iptables.
> The main issue is to find it due to the load.
> For now I am monitoring the traffic load using MRTG but it won't notify me.
> I can try to use nagios to monitor traffic load for a period of time but
> before I start working on it I want another person's opinion and options.
>
> I have seen netflow in the past but never actually used it.
>
> Thanks in advance,
> Eliezer


Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread Leonardo Arena
On gio, 2014-11-13 at 19:09 +0200, Eliezer Croitoru wrote:
> Hey all,
> 
> I have a tiny Linux router based on Ubuntu and sometimes I get a
> massive load of UDP traffic because of one of the PCs in the network.
> Usually I handle the situation with a strict block using iptables.
> The main issue is to find it due to the load.
> For now I am monitoring the traffic load using MRTG but it won't
> notify me.
> I can try to use nagios to monitor traffic load for a period of time
> but before I start working on it I want another person's opinion and
> options.
> 
> I have seen netflow in the past but never actually used it.
> 
> Thanks in advance,
> Eliezer


NFDump [1] is also good if you are looking for a less fancy analyzer (command-line
based) but very customizable. You search for the data that you want in
the time slot that you want.

I know there are other projects which can read captured data and present
it in a GUI but I haven't used them myself.

Regards,
leonardo

[1] http://nfdump.sourceforge.net/





RE: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread Joe Loiacono
If you go the netflow route you might consider FlowViewer/SiLK for the 
collector/analyzer. It is web driven and allows you to easily establish 
traffic thresholds which will generate an alert email.

https://sourceforge.net/projects/flowviewer

Joe

"NANOG"  wrote on 11/14/2014 02:35:44 AM:

> From: Murat Kaipov 
> To: "'Eliezer Croitoru'" , 
> Date: 11/14/2014 02:37 AM
> Subject: RE: Linux router traffic monitoring, how? netflow?
> Sent by: "NANOG" 
> 
> Hello Eliezer.
> Netflow will be the best solution to find the host that generates 
> load. First you need to decide what netflow analyzer you'll use. I know
> about some plugin for Cacti. Then you need to install IPT-NETFLOW on 
> your Ubuntu router.
> Also you have another way: you can monitor (SNMP traffic) all ports 
> on switches and then find and analyze. 
> B.R. Murat
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Eliezer Croitoru
> Sent: Thursday, November 13, 2014 8:10 PM
> To: nanog@nanog.org
> Subject: Linux router traffic monitoring, how? netflow?
> 
> Hey all,
> 
> I have a tiny Linux router based on Ubuntu and sometimes I get a 
> massive load of UDP traffic because of one of the PCs in the network.
> Usually I handle the situation with a strict block using iptables.
> The main issue is to find it due to the load.
> For now I am monitoring the traffic load using MRTG but it won't notify me.
> I can try to use nagios to monitor traffic load for a period of time
> but before I start working on it I want another person's opinion and options.
> 
> I have seen netflow in the past but never actually used it.
> 
> Thanks in advance,
> Eliezer


Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread Peter Phaal
You might want to take a look at the Host sFlow SourceForge project:
http://host-sflow.sourceforge.net/

The hsflowd agent uses the sFlow protocol to export interface
counters, host performance statistics and packet flows (collected
using iptables ULOG).

Peter

On Thu, Nov 13, 2014 at 9:09 AM, Eliezer Croitoru  wrote:
> Hey all,
>
> I have a tiny Linux router based on Ubuntu and sometimes I get a
> massive load of UDP traffic because of one of the PCs in the network.
> Usually I handle the situation with a strict block using iptables.
> The main issue is to find it due to the load.
> For now I am monitoring the traffic load using MRTG but it won't
> notify me.
> I can try to use nagios to monitor traffic load for a period of time
> but before I start working on it I want another person's opinion and
> options.
>
> I have seen netflow in the past but never actually used it.
>
> Thanks in advance,
> Eliezer


Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread srn . nanog
fprobe is a Linux-based netflow probe that uses libpcap (as does tcpdump) and
is already in the Ubuntu universe repository. There is an IPv4-only
iptables-based version too, called fprobe-ulog.

For collectors, it looks like the ones already available in Ubuntu are nfcapd
from nfdump and flow-capture from flow-tools. For analysis/alerts, cacti with
the thold and flowview plugins might do the job.

On 11/13/2014 09:09 AM, Eliezer Croitoru wrote:
> Hey all,
> 
> I have a tiny Linux router based on Ubuntu and sometimes I get a
> massive load of UDP traffic because of one of the PCs in the network.
> Usually I handle the situation with a strict block using iptables.
> The main issue is to find it due to the load.
> For now I am monitoring the traffic load using MRTG but it won't
> notify me.
> I can try to use nagios to monitor traffic load for a period of time
> but before I start working on it I want another person's opinion and
> options.
> 
> I have seen netflow in the past but never actually used it.
> 
> Thanks in advance,
> Eliezer
> 



Re: Linux router traffic monitoring, how? netflow?

2014-11-14 Thread Adrian Minta
Softflowd is also nice, supports "Netflow versions 1, 5 and 9 and is 
fully IPv6-capable".

The package is included in Ubuntu & Debian.


On 14.11.2014 20:38, srn.na...@prgmr.com wrote:

> fprobe is a Linux-based netflow probe that uses libpcap (as does tcpdump) and
> is already in the Ubuntu universe repository. There is an IPv4-only
> iptables-based version too, called fprobe-ulog.
>
> For collectors, it looks like the ones already available in Ubuntu are nfcapd
> from nfdump and flow-capture from flow-tools. For analysis/alerts, cacti with
> the thold and flowview plugins might do the job.




--
Best regards,
Adrian Minta
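A minimal collector-side check, added here as an example and not code from the thread or from any of the tools named in it (ipt-netflow, fprobe, softflowd, nfdump): it parses the NetFlow v5 datagrams those probes can export, sums UDP bytes per source host, and returns the hosts over a byte threshold, which is the "find the host and get notified" step the thread is about. The sample datagrams and the addresses in them are constructed inline, not a real capture.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
UDP = 17


def parse_v5(datagram):
    """Yield (src_ip, dst_ip, proto, src_port, dst_port, octets) per record."""
    if len(datagram) < HDR.size:
        raise ValueError("short datagram")
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated: header claims %d records" % count)
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[13] is the IP protocol, f[9]/f[10] the ports, f[6] dOctets
        yield (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[13], f[9], f[10], f[6])


def udp_top_talkers(datagrams, threshold_bytes):
    """Sum UDP octets per source host; return [(ip, bytes)] over the threshold, largest first."""
    totals = defaultdict(int)
    for dg in datagrams:
        for src, _dst, proto, _sport, _dport, octets in parse_v5(dg):
            if proto == UDP:
                totals[src] += octets
    over = [(ip, b) for ip, b in totals.items() if b >= threshold_bytes]
    return sorted(over, key=lambda x: x[1], reverse=True)


# Constructed sample data (not a real capture): build records the way a probe would.
def make_record(src, dst, proto, sport, dport, octets):
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    1, 2, 10, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)


def make_datagram(records):
    return HDR.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)


SAMPLE = [
    make_datagram([make_record("192.0.2.10", "198.51.100.1", UDP, 40000, 53, 3_000_000),
                   make_record("192.0.2.20", "198.51.100.1", 6, 50000, 443, 9_000_000)]),
    make_datagram([make_record("192.0.2.10", "203.0.113.7", UDP, 40001, 123, 2_000_000),
                   make_record("192.0.2.30", "198.51.100.1", UDP, 40002, 53, 1_000)]),
]
```

Feeding real export to `udp_top_talkers` means reading UDP datagrams from the collector port the probe is configured to send to; hooking the result into a mail or Nagios notification is the remaining step.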




Re: Linux router traffic monitoring, how? netflow?

2014-11-16 Thread Eliezer Croitoru
Thanks Wayne,
I have used ntop in the past but was not very happy with the results
and now I tried it once again and I am happy about it.
It works and looks very nice.

Eliezer

On 11/14/2014 09:39 AM, Wayne Lee wrote:
> Hello
> 
> 
> I've used ntop in the past with great success.
> 
> ntop.org
> 
> 
> Regards
> 
> Wayne
