Hey all,
I have a tiny linux router based on ubuntu and sometimes I get a
massive load of UDP traffic because of one of the PCs in the network.
Usually I handle the situation with a strict block using iptables.
The main issue is to find it due to the load.
For now I am monitoring the traffic load using MRTG but it won't
notify me.
I can try to use nagios to monitor traffic load for a period of time
but before I start working on it I want another person opinion and
options.
I have seen netflow in the past but never actually used it.
Thanks in advance,
Eliezer
Hello Eliezer.
Netflow will be the best solution to find the host that's generating load. First you need to decide what netflow analyzer you'll use. I know about some plugin to Cacti. Then you need to install IPT-NETFLOW on your Ubuntu router.
Also you have another way: you can monitor (SNMP traffic) all ports on switches and then find and analyze it.
B.R. Murat
Hello
I've used ntop in the past with great success.
ntop.org
Regards
Wayne
NFDump [1] is also good if you are looking for a less fancy analyzer (command-line
based) but a very customizable one. You search for the data that you want in
the time slot that you want.
I know there are other projects which can read captured data and present
it in a GUI but I haven't used them myself.
Regards,
leonardo
[1] http://nfdump.sourceforge.net/
If you go the netflow route you might consider FlowViewer/SiLK for the
collector/analyzer. It is web driven and allows you to easily establish
traffic thresholds which will generate an alert email.
https://sourceforge.net/projects/flowviewer
Joe
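The two ideas above (leonardo's "search for the data you want in the time slot you want" and Joe's alert thresholds) boil down to one small job: sum the exported flow records per source host over a window, rank them, and flag anything over a rate limit. The script below is an added example, not code from this thread or from nfdump/FlowViewer. It works on a constructed CSV flow export; the column set (ts, te, sa, da, sp, dp, pr, ipkt, ibyt) is an assumed simplified layout, not any collector's exact format, and the addresses, dates and byte counts are made up. The iptables rule it renders is only printed, never executed, so you can review it before applying the kind of strict block Eliezer describes.

```python
"""Rank UDP top talkers in a time window of flow records and flag sources over a rate threshold."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample flow export (assumed simplified column set, not a real tool's exact layout).
# 192.168.1.23 is the runaway host; 192.168.1.99 sent a lot too, but outside the window.
SAMPLE_FLOWS = """\
ts,te,sa,da,sp,dp,pr,ipkt,ibyt
2014-11-13 19:58:01,2014-11-13 19:58:31,192.168.1.23,203.0.113.10,43210,3478,UDP,120000,162000000
2014-11-13 19:58:05,2014-11-13 19:58:35,192.168.1.23,198.51.100.7,43211,3478,UDP,90000,121500000
2014-11-13 19:58:10,2014-11-13 19:58:12,192.168.1.40,203.0.113.53,50123,53,UDP,3,270
2014-11-13 19:58:11,2014-11-13 19:59:01,192.168.1.40,203.0.113.80,50124,443,TCP,2000,2500000
2014-11-13 19:58:20,2014-11-13 19:58:21,192.168.1.55,203.0.113.123,123,123,UDP,1,76
2014-11-13 19:50:00,2014-11-13 19:50:30,192.168.1.99,203.0.113.10,40000,3478,UDP,80000,108000000
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Constructed one-minute analysis window matching the sample timestamps.
WINDOW_START = datetime(2014, 11, 13, 19, 58, 0)
WINDOW_END = datetime(2014, 11, 13, 19, 59, 0)


def parse_flows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], TS_FORMAT),
            "te": datetime.strptime(row["te"], TS_FORMAT),
            "sa": row["sa"], "da": row["da"],
            "sp": int(row["sp"]), "dp": int(row["dp"]),
            "pr": row["pr"].upper(),
            "ipkt": int(row["ipkt"]), "ibyt": int(row["ibyt"]),
        })
    return flows


def bytes_by_source(flows, start, end, proto="UDP"):
    """Sum bytes per source address for flows of one protocol that started inside [start, end)."""
    totals = defaultdict(int)
    for f in flows:
        if f["pr"] == proto and start <= f["ts"] < end:
            totals[f["sa"]] += f["ibyt"]
    return dict(totals)


def top_talkers(totals, n=5):
    """Return the n heaviest sources as (address, bytes), largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def offenders(totals, window_seconds, threshold_mbps):
    """Return (address, Mbit/s) for sources whose average rate over the window exceeds the threshold."""
    found = []
    for src, nbytes in totals.items():
        mbps = nbytes * 8 / window_seconds / 1e6
        if mbps > threshold_mbps:
            found.append((src, mbps))
    return sorted(found, key=lambda kv: kv[1], reverse=True)


def iptables_block_rule(src, chain="FORWARD"):
    """Render (not execute) the rule that drops the host's forwarded UDP traffic on the router."""
    return f"iptables -I {chain} -s {src} -p udp -j DROP"


def analyze(text=SAMPLE_FLOWS, start=WINDOW_START, end=WINDOW_END, threshold_mbps=10.0):
    """Full pass: parse, aggregate UDP bytes per source in the window, rank, and apply the threshold."""
    totals = bytes_by_source(parse_flows(text), start, end)
    window = (end - start).total_seconds()
    return {
        "top": top_talkers(totals),
        "offenders": offenders(totals, window, threshold_mbps),
    }


if __name__ == "__main__":
    result = analyze()
    print("UDP top talkers in window:")
    for src, nbytes in result["top"]:
        print(f"  {src:16} {nbytes:>12} bytes")
    for src, mbps in result["offenders"]:
        print(f"ALERT {src} averaged {mbps:.1f} Mbit/s; suggested block: {iptables_block_rule(src)}")
```

Feed it the real export by passing the CSV text and window to analyze(); the rate is averaged over the whole window, so a short burst inside a long window is diluted, and a smaller window (or a packets-per-second variant using ipkt) catches spikes better. Sending the ALERT line by mail from a cron job gives the notification MRTG does not.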
To: "'Eliezer Croitoru'" <eliezer@ngtech.co.il>, <nanog@nanog.org>
Date: 11/14/2014 02:37 AM
Subject: RE: Linux router traffic monitoring, how? netflow?
Sent by: "NANOG" <nanog-bounces@nanog.org>
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Eliezer
Croitoru
Sent: Thursday, November 13, 2014 8:10 PM
To: nanog@nanog.org
Subject: Linux router traffic monitoring, how? netflow?
You might want to take a look at the Host sFlow SourceForge project:
http://host-sflow.sourceforge.net/
The hsflowd agent uses the sFlow protocol to export interface
counters, host performance statistics and packet flows (collected
using iptables ULOG).
Peter
fprobe is a Linux-based netflow probe that uses libpcap (as does tcpdump) and is already in the
Ubuntu universe repository. There is an IPv4-only iptables-based version too called fprobe-ulog.
For collectors, it looks like the ones already available in ubuntu are nfcapd from nfdump and
flow-capture from flow-tools. For analysis/alerts, cacti with the thold and flowview plugins might
do the job.
Softflowd is also nice, supports "Netflow versions 1, 5 and 9 and is fully IPv6-capable".
The package is included on ubuntu & debian.
Thanks Wayne,
I have used ntop in the past but was not very happy with the results
and now I tried it once again and I am happy about it.
It works and looks very nice.
Eliezer