At my current place of work, we use all Linux routers. I need to do some IP
accounting/reporting and am currently trying to use Scrutinizer. Scrutinizer
can use netstream, jstream, ipfix, netflow, and sflow data without qualms.
My only issue is that I can't seem to find any good software for Linux that
works with multiple interfaces to generate the flow information. I've tried
ndsad, nprobe, softflowd, host sflow, and ipcad without much luck. Most of
the software only works on one interface (which is useless as I need to do
accounting for numerous interfaces).
I've had the best luck with ipcad. The only thing that seems to not work
with it is that it doesn't correctly give the interface number in the flow
information. It refers to all interfaces as interface 65535. I've tried the
config option for ipcad to map an interface directly to an SNMP interface
ID, but that option of the config file seems to be ignored.
Ntop functionally does exactly what I need, but it's extremely buggy. It
segfaults after a few minutes, regardless of Linux distro or Ntop version.
So..any ideas on what I can do to get good flow information from our Linux
routers?
IPtraf can be setup to look at flows per-block, per interface, per vlan, etc
and export the data every minute / 5 minutes. Back in the day I had it
scripted to dump data into rrdtool and give pretty graphs. See the man page,
it's well written.
fprobe doesn't work properly because it has the input and output interface
IDs as both 0. In Scrutinizer, this makes the flow look like all the data
came in the interface and immediately left via the same interface. Also,
this causes problems when running multiple instances of fprobe.
This seems to be the issue with most of the flow software I've tried.
Have you considered argus?
It can deliver "argus flows" from multiple interfaces.
From http://www.qosient.com/argus/ :
Argus can be considered an implementation of the architecture
described in the IETF IPFIX Working Group. Argus pre-dates IPFIX, and
the project has actively contributed to the IPFIX effort, however,
Argus technology should be considered a superset of the IPFIX
architecture, providing "proof of concept" implementations for most
aspects of the IPFIX applicability statement. Argus technology can
read and process Cisco Netflow data, and many sites develop audits
using a mixture of Argus and Netflow records.
It can, but then you are setting the input/output IDs statically. That would
work fine if your router only had 2 interfaces. We currently have routers
with a single (or few) WAN interfaces and multiple internal interfaces and
there isn't any way to statically categorize the data.
With a probe of this type, northbound/southbound tagging is generally sufficient, in my experience (i.e., let's not make the perfect the enemy of the merely good).
I just retested nprobe and it has the same issue as most of the other tools.
It doesn't specify the InputInt and OutputInt properly. Yes, you can
statically set it but that will drastically skew the data in this
environment. I'm not against running multiple processes, I've just not found
a product that runs using multiple processes that does what I need to.
I just noticed the ntop version in EPEL is fairly old, so I'll try to
compile the latest myself and see if it's more stable.
Also, FYI to anyone who is interested in this, I've opened a support ticket
with ipcad to fix the interface numbering issue.