
Sharp Tool for Network Traffic Analysis - Visual Network - netflow [5] - fprobe, a Data Collector under Linux

2025-02-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/03

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [1] - Basic principles

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [2] - Cisco NetFlow working principle, introduction and configuration

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [3] - Difference between NetFlow version 5 and version 9

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [4] - Introduction to the receiver nfdump

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [5] - fprobe, a data collector under Linux

Sharp Tool for Network Traffic Analysis - Visual Network - netflow [6] - Design of a traffic monitoring architecture for a production network

fprobe parameter -e

fprobe parameter -n -k

Shortcomings of switch NetFlow

First of all, it is important to know that a switch consumes additional resources, such as CPU and memory, when it processes packets for NetFlow. After a long period of testing, we found that this consumption is very high: with a sampling ratio of 1:2 on a 10 Gigabit network, CPU usage directly increases by 10%. Of course, this increase is proportional to the amount of traffic in the network, but the cost is obviously too high. If you choose a large sampling ratio instead, the error when restoring the real traffic becomes very large; one test found an error as high as 20%. So we had to find another way and look for an alternative product.

Some people say that approximate data is enough. But in cost accounting, if the figures are only approximate, the people bearing the cost will be dissatisfied and will think that you have charged them too much. So a tool with a sampling ratio of 1:1 is what we are looking for.

Under Linux there is a program called fprobe, which converts the packets seen on an interface into NetFlow format and sends the data to a designated receiver. The default is NetFlow v5.

Installation

Environment: CentOS 6/7

Software:

Link: Baidu cloud disk - fprobe download, extraction code: ttkz

Installation command: rpm -ivh fprobe-1.1-2.el7.lux.x86_64.rpm

Parameters

I didn't understand the meaning of all the parameters. I used a few parameters and recorded them.

-p: do not set promiscuous mode. By default the interface is put into promiscuous mode, which can listen for all packets arriving at the interface, such as mirrored data.

-i: the network card to monitor.

-f: filter rules.

-e: this parameter is used for the transmission frequency. If you set it too high, you will find that no packet is sent to the collector for a long time. For the test results, see [fprobe parameter -e](https://www.eazblog.com/fprobe%e5%8f%82%e6%95%b0-e/).

-n: specify the NetFlow version.

-a: specify the sending source address, which can be used for data filtering on the collector.

-b: memory size (not quite understood).

-m: flow cache memory usage limit.

Examples

Monitor the eth0 network card and send the data to port 9999 of 10.2.82.60 every 10s

fprobe -i eth0 -e 10 10.2.82.60:9999

Monitor the eth0 network card, use non-promiscuous mode, specify the source address 10.6.6.6, and send to port 9999 of 10.2.82.60

fprobe -i eth0 -p -a 10.6.6.6 10.2.82.60:9999

Listen on bond1, capture only packets involving 10.10.10.10 and port 80, generate NetFlow v7 and send it to port 9999 of 10.2.82.60

fprobe -i bond1 -n 7 -f "host 10.10.10.10 && port 80" 10.2.82.60:9999

Extension

The packets mirrored by a Cisco switch are correctly converted into NetFlow data by fprobe, but the data mirrored by a Huawei switch is incorrect after fprobe conversion, so you need to use the -k parameter to remove the VLAN header. For more information, see fprobe parameter -n -k.
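To check on the receiver side what the fprobe commands above send by default (NetFlow v5), the following added example, which is not part of the original article or of fprobe, parses a v5 export datagram, reads the header's sampling field, and uses the flow sequence counter to detect lost records. The function names and the sample datagrams are constructed for illustration; the field layout is the standard NetFlow v5 one.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_v5(datagram):
    """Parse one NetFlow v5 export datagram into (header, flows)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, _up, secs, _ns, seq, _et, _eid, samp = HEADER.unpack_from(datagram)
    if ver != 5:
        raise ValueError(f"not NetFlow v5 (version={ver})")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    # Low 14 bits hold the sampling interval; 0 means the exporter did not sample.
    header = {"count": count, "unix_secs": secs, "flow_sequence": seq,
              "sampling_interval": samp & 0x3FFF}
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return header, flows

def missing_flows(prev, cur):
    """Flows lost between two consecutive datagrams from one exporter."""
    expected = (prev["flow_sequence"] + prev["count"]) & 0xFFFFFFFF
    return (cur["flow_sequence"] - expected) & 0xFFFFFFFF

def sample_datagram(seq, flows):
    """Build a constructed v5 datagram (test data, not captured traffic)."""
    out = HEADER.pack(5, len(flows), 1000, 1700000000, 0, seq, 0, 0, 0)
    for src, dst, sport, dport, pkts, octets in flows:
        out += RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                           0, 0, pkts, octets, 0, 500, sport, dport,
                           0, 0x18, 6, 0, 0, 0, 0, 0, 0)
    return out

if __name__ == "__main__":
    first, flows = parse_v5(sample_datagram(0, [("10.10.10.10", "10.2.82.60", 51000, 80, 12, 3400)]))
    second, _ = parse_v5(sample_datagram(4, [("10.10.10.10", "10.2.82.60", 51001, 80, 2, 120)]))
    print(flows, "sampling:", first["sampling_interval"], "lost:", missing_flows(first, second))
```

On a live collector the same parse_v5 can be fed datagrams read from a UDP socket bound to the port given on the fprobe command line; a non-zero missing_flows value means records were dropped between exporter and collector, which matters when the flows are used for cost accounting.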
