From GEANT2-JRA1 Wiki

Contents 1 Flow Monitoring 1.1 Objectives 1.2 Testbed 1.3 Collector tools evaluation 1.4 perfSONAR flow monitoring MP and MAs 1.5 Flow Monitoring information and documents 1.6 Work in progress 2 References 2.1 Conference calls and meetings 2.2 List of netflow tools 2.3 Some netflow related documents and useful links 3 Contact

Flow Monitoring

Objectives

Goal: to identify and implement IP traffic flow monitoring tools within perfSONAR framework.

Testbed

• There are three boxes installed: one in GARR, one in CARNet and one in SURFnet. Here is detailed hardware specification.
• Testbed: list of servers

Collector tools evaluation

• Tool testing procedure: Netflow tools evaluation guidelines v0.1
• Tool testing report: , Individual tool testing reports

perfSONAR flow monitoring MP and MAs

The following flow monitoring MP and MAs are available:

The MP and MAs have each there own specific use and intended user groups:

Flow Subscription MP

This MP enables users to subscribe to a stream of flow information packets as if they were coming directly from the selected routers. Useful if they want to use there own collector and processing tools.

Intended users: researchers, grid users

Flow RRD MA

The Flow RRD MA uses RRD files to store information like total number of packets, total number of flows, flows per protocol, and flows per well known TCP or UDP port.

Intended users: NOCs

Flow Selection and Aggregation MA

This MA acts like a wrapper around nfdump allowing nfdump style queries on stored logfiles.

Intended users: security people, ordinary users

Stager MA

The Stager MA enables you to retrieve all reports that are supported by stager.

Intended users: NOCs, grid users, organization executives

Flow Monitoring information and documents

• PowerPoint presentation by Maruzio Molina: [Collection and analysis of Netflow data: applications and challenges], as presented on APM meeting, Oxford, 30th June 2005.
• Anonymization task within netflow activity
• Storing netflow data in SQL database (CARNet example, STAGER example)
• Installation and Configuration Guide for Flow-tools, NFDUMP, NFSEN, Stager and NERD - compiled by DANTE (also in
• Usage Guide and comparison of NFSEN, Stager and NERD - compiled by DANTE (also in )

Work in progress

• AAI issues in netflow implementation

References

Conference calls and meetings

• conference call 28th November 2007: announcement & agenda
• JRA1 meeting in Seville 30th October 2007: notes
• conference call 14th February 2007: minutes
• GN2 3rd Technical Workshop in Cambridge 12th January 2007: minutes
• conference call 13th December 2006: agenda & minutes
• conference call 15th November 2006: agenda & minutes
• JRA1 meeting in Montpellier 13th October 2006 minutes
• GN2 2nd Technical Workshop Cambridge 12th June 2006: minutes
• conference call 26th April 2006: agenda & minutes
• JRA1 meeting in Berlin 30th March 2006: minutes
• conference call 17th March 2006: agenda & minutes
• conference call 28th February 2006: agenda & minutes
• GN2 Technical Workshop Cambridge 12th January 2006: minutes
• conference call 5th December 2005: agenda & minutes
• conference call 25th November 2005: agenda & minutes

List of netflow tools

Here is the list of the netlow collector tool:

• flow-tools:collection of scripts to perform elementary operation on flow records (storing, filtering, replaying, some statistical analysis). Used as a backend for many visualization tools, like flowscan.
• NERD: Network Emergency Responder & Detector -NERD- is a security monitoring tool that collects and processes NetFlow data.
• Stager: a generic tool for storage, aggregation and presentation of network statistics. Stager consist of a web application for data presentation, and a perl back-end for data storage and aggregation. The current version of Stager include backend modules to collect and aggregate data for NetFlow, MPing and SNMP.
• nfdump tool collects and processes netflow data on the command line. Nfsen) tool is a graphical web based front end for the nfdump.
• IPFlow: a netflow collector developed by UTC (University of Technology of Compiegne, France), mainly for its internal use.
• FTAS: Flow Based Traffic Analysis System developed by (Cesnet)
• FLOWD: a small, fast and secure netflow collector.
• ntop: a network traffic probe that shows the network usage, supports netflow
• cflowd : flow analysis tool for analyzing NetFlow
• NetflowMet: a version of the Unix NeTraMet. It's an RTFM meter which takes its data from a Cisco router using Cisco's NetFlow data.

Some other netflow related tools:

• FlowMon probe is a passive monitoring device that is able to supply statistics about IP flows in NetFlow v5 and v9 formats.

Some netflow related documents and useful links

• Netflow documents on Cisco site
• IETF IPFIX working group

Contact

Partners involved in netflow monitoring are CARNet, GARR, Uninett and SURFnet. Main contact is Hans Trompert. Or you can send a message to the Flow Monitoring mailing list gn2-jra1-flowmon at surfnet.nl.