Nicholas Scott's presentation on Netflow and SNMP Trap monitoring with Nagios.
The presentation was given during the Nagios World Conference North America held Sept 25-28th, 2012 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
2. Abstract
Topics To Be Covered
Network Analyzer
What is it?
Why do I care?
Demonstration
Trap Interface
What is it?
Why do I care?
Demonstration
Final Q & A
2012 2
4. Nagios Network Analyzer
What is Netflow, sFlow?
What is a flow?
Commonalities:
Interface
Source IP
Destination IP
IP Protocol
Source Port
Destination Port
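The fields listed above are exactly what a NetFlow v5 record carries on the wire, so the cheapest way to see a flow is to decode one. The following is an added example written for this page, not code from the presentation or from Nagios Network Analyzer: it parses a v5 export datagram (24-byte header, 48-byte records, at most 30 per datagram) into the per-flow fields above, and the sample datagram is constructed in the file by a small exporter-side helper.

```python
"""Decode a NetFlow v5 export datagram into per-flow fields.

Added example for this slide, not presentation or Nagios Network Analyzer
code. Layout follows the documented NetFlow v5 wire format; SAMPLE is
constructed below, not captured traffic."""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_RECORDS = 30


def parse_v5(datagram: bytes) -> dict:
    """Return header fields plus a list of flow dicts; malformed input is
    rejected instead of being read past the buffer."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    (version, count, uptime_ms, unix_secs, _unix_nsecs, seq,
     _engine_type, _engine_id, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    # low 14 bits of the sampling field hold the interval; 0 means unsampled
    sample_rate = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "in_if": r[3], "out_if": r[4],
            "src_ip": socket.inet_ntoa(r[0]), "dst_ip": socket.inet_ntoa(r[1]),
            "proto": r[13],
            "src_port": r[9],
            # for ICMP (proto 1) Cisco exporters encode type*256+code here
            "dst_port": r[10],
            # scale sampled counters back up to an estimate of the real volume
            "packets": r[5] * sample_rate, "bytes": r[6] * sample_rate,
            "tcp_flags": r[12],
            "duration_ms": r[8] - r[7],
        })
    # flow_sequence counts flows, not datagrams: the next datagram from this
    # exporter should carry seq + count, anything larger means UDP loss
    return {"export_time": unix_secs, "uptime_ms": uptime_ms, "seq": seq,
            "expected_next_seq": (seq + count) & 0xFFFFFFFF, "flows": flows}


def build_v5(records, seq=0, unix_secs=1348560000):
    """Constructed exporter side, used only to make sample input. Records are
    (src, dst, proto, sport, dport, packets, bytes, tcp_flags)."""
    header = V5_HEADER.pack(5, len(records), 120_000, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pkts, nbytes, 100_000, 101_500, sp, dp,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)
        for s, d, proto, sp, dp, pkts, nbytes, flags in records)
    return header + body


# Constructed datagram: one SSH session and one ICMP echo request
SAMPLE = build_v5([
    ("192.0.2.10", "198.51.100.5", 6, 51000, 22, 40, 5200, 0x1B),
    ("192.0.2.10", "198.51.100.5", 1, 0, 0x0800, 1, 84, 0),
])

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE)["flows"]:
        print(flow)
```

Two things a collector should do that the parser only hints at: track `expected_next_seq` per exporter so transport loss shows up as a gap, and, because v5 export is plain UDP with no authentication, accept datagrams only from the configured exporter addresses.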
6. Nagios Network Analyzer
What are common use cases?
Bandwidth Usage
Per Port (application)
Per IP/Subnet
Source / Destination
Any combination of the above
Aberrant Activity
Watch for known worm/virus activity
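The use cases on this slide reduce to a few aggregations over the flow fields. The following is an added example written for this page, not Nagios Network Analyzer code: it computes bytes per application port and per subnet (attributing both directions of a conversation, since the export is double-ended) and flags the fan-out shape a scanning worm leaves, one source touching many destinations on one port with single-packet flows. The flow set and the fan-out thresholds are constructed assumptions.

```python
"""Bandwidth per port / per subnet and a worm-style fan-out check.

Added example for this slide, not Nagios Network Analyzer code. FLOWS is
constructed; the thresholds in fanout_suspects are assumptions to tune."""
from collections import defaultdict
import ipaddress

# Constructed flows: (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
FLOWS = [
    ("10.1.0.5", "10.2.0.10", 6, 49152, 3306, 800, 950_000),   # MySQL client side
    ("10.1.0.5", "10.2.0.10", 6, 49153, 3306, 600, 700_000),
    ("10.2.0.10", "10.1.0.5", 6, 3306, 49152, 700, 40_000),    # server side of the first
    ("10.1.0.9", "10.2.0.11", 6, 49200, 443, 120, 60_000),
] + [
    # one host touching 40 neighbours on 445 with one-packet flows
    ("10.3.0.7", f"10.2.0.{h}", 6, 40000 + h, 445, 1, 60) for h in range(20, 60)
]


def bytes_by(flows, key):
    """Sum bytes by 'src', 'dst' or 'dport' (destination port ~ application),
    largest first."""
    idx = {"src": 0, "dst": 1, "dport": 4}[key]
    totals = defaultdict(int)
    for f in flows:
        totals[f[idx]] += f[6]
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def bytes_per_subnet(flows, prefix_len=24):
    """Bytes seen by each /prefix_len. Exports are double-ended, so a flow
    is charged to the subnet on either end; a pair of subnets talking to
    each other therefore both see the same bytes."""
    totals = defaultdict(int)
    for src, dst, *_rest, nbytes in flows:
        for ip in (src, dst):
            net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            totals[str(net)] += nbytes
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def fanout_suspects(flows, min_targets=20, max_packets=3):
    """Sources reaching many distinct destinations on one port with tiny
    flows. Returns {(src, proto, dport): distinct_destinations}."""
    targets = defaultdict(set)
    for src, dst, proto, _sport, dport, packets, _nbytes in flows:
        if packets <= max_packets:
            targets[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    print(bytes_by(FLOWS, "dport"))
    print(bytes_per_subnet(FLOWS))
    print(fanout_suspects(FLOWS))
```

The fan-out check is deliberately crude: it says nothing about payload, only that a host is sweeping a port, which is the kind of signal the slide's "known worm/virus activity" point is about and the kind of subnet the notes suggest turning into a firewall rule.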
7. Nagios Network Analyzer
Challenges
Lots of data
Easy to get buried
Needs an easy way to drill down
Visualizations would be nice
Must maintain flexibility
As computationally/IO efficient as possible
Cython / Compiled C
8. Nagios Network Analyzer
What is Nagios Network Analyzer?
Incoming Netflow Data
Captures Data
Archives Data
Information Processing
Intuitive Web Interface
Visualizations
Nagios Integration
Currently Beta
10. Nagios Network Analyzer
Sources
RRD for general I/O
Dynamic RRDs for user specified queries
Some predefined queries
Groupings
Logical grouping of sources
Can be treated as a single source
11. Nagios Network Analyzer
Data Dissemination
Reports
Aggregates Total
Sorts
Queries
User Defined Aggregation
Drill Down Modes
tcpdump-style syntax
Video Demonstration
12. Nagios Network Analyzer
Notifications
Built in simple email notifications
Don't reinvent the wheel
Nagios Integration
Can notify Nagios with NRDP, NSCA
Automated Nagios XI integration
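The Reports slide and this one fit in one small program: a top-talker report sorted by any of the three metrics, and a "netflow check" whose result is handed to Nagios in the two passive formats named here, a `send_nsca` input line and an NRDP `checkresults` XML document. The following is an added example written for this page; it is not Nagios Network Analyzer code and the page does not show how NNA builds these payloads. The flow set, host and service names, thresholds and the 300-second window are assumptions.

```python
"""Top-talker report and Nagios passive-check payloads (NSCA line, NRDP XML).

Added example, not Nagios Network Analyzer code. FLOWS is constructed;
host name, service name, thresholds and window are assumptions."""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed flows for one five-minute window
FLOWS = [
    {"src": "10.1.0.5", "dst": "10.2.0.10", "proto": 6, "dport": 22, "packets": 9000, "bytes": 12_000_000},
    {"src": "10.1.0.5", "dst": "10.2.0.10", "proto": 6, "dport": 443, "packets": 300, "bytes": 200_000},
    {"src": "10.1.0.9", "dst": "10.2.0.11", "proto": 6, "dport": 22, "packets": 40, "bytes": 6_000},
    {"src": "10.1.0.9", "dst": "10.2.0.11", "proto": 17, "dport": 53, "packets": 500, "bytes": 45_000},
    {"src": "10.1.0.9", "dst": "10.2.0.12", "proto": 17, "dport": 53, "packets": 500, "bytes": 45_000},
]


def top_talkers(flows, key="src", metric="bytes", n=5):
    """Report view: aggregate by 'src', 'dst' or 'dport' and sort by
    'bytes', 'packets' or 'flows'. Which host is 'top' depends on the metric."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for f in flows:
        a = agg[f[key]]
        a["bytes"] += f["bytes"]
        a["packets"] += f["packets"]
        a["flows"] += 1
    return sorted(agg.items(), key=lambda kv: kv[1][metric], reverse=True)[:n]


OK, WARNING, CRITICAL = 0, 1, 2


def check_port_rate(flows, dport, warn_bps, crit_bps, window_s=300):
    """One netflow check as a Nagios service: bit rate towards dport over
    the window, mapped to a state with plugin-style output and perfdata."""
    bps = sum(f["bytes"] for f in flows if f["dport"] == dport) * 8 / window_s
    state = CRITICAL if bps >= crit_bps else WARNING if bps >= warn_bps else OK
    label = ("OK", "WARNING", "CRITICAL")[state]
    output = (f"NETFLOW {label} - port {dport} {bps / 1e6:.2f} Mbit/s"
              f"|port{dport}_bps={bps:.0f};{warn_bps:.0f};{crit_bps:.0f};0")
    return state, output


def nsca_line(host, service, state, output):
    """send_nsca reads host<TAB>service<TAB>state<TAB>output<NL> on stdin;
    a tab or newline inside a field would be parsed as a record boundary."""
    for field in (host, service, output):
        if "\t" in field or "\n" in field:
            raise ValueError("field contains an NSCA delimiter")
    return f"{host}\t{service}\t{state}\t{output}\n"


def nrdp_xml(host, service, state, output):
    """NRDP checkresults document. ElementTree escapes <, > and &, so plugin
    output cannot inject extra elements into the submission."""
    root = ET.Element("checkresults")
    cr = ET.SubElement(root, "checkresult", type="service")
    ET.SubElement(cr, "hostname").text = host
    ET.SubElement(cr, "servicename").text = service
    ET.SubElement(cr, "state").text = str(state)
    ET.SubElement(cr, "output").text = output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(top_talkers(FLOWS, "src", "bytes"))
    state, out = check_port_rate(FLOWS, 22, warn_bps=250_000, crit_bps=1_000_000)
    print(nsca_line("border-rtr1", "NetFlow port 22", state, out), end="")
    print(nrdp_xml("border-rtr1", "NetFlow port 22", state, out))
```

The NSCA line is piped to `send_nsca` with the site's config file; the XML is what an NRDP client posts as the `XMLDATA` form field together with the `token` and `cmd=submitcheck` fields. The token is a shared secret that authorises arbitrary check results, so it belongs in a config file with restricted permissions and the post should go over HTTPS only.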
Video Demonstration
Speaker notes
Two new products. NNA is an enterprise-geared product, currently in beta; it looks to make NetFlow more manageable and easier to access. NSTI is open source, originally forked from NagTrap, rewritten in Python with added features and security. Afterwards we'll open it up for questions (~10 minutes left), so please hold questions.
Traditionally exported via UDP to a central collector, which is the slot NNA fills. Multiple different versions cause some confusion: v5 is common, IPv4 only; v7 is used by Catalyst switches. sFlow has forced sampling, whereas NetFlow generally looks at every packet. A flow is generally defined as... it can be thought of as a session between two instances; laughing at myself because that's so general, but hey, it's networking.
Routers: most routers nowadays support NetFlow or sFlow. Switches: somewhat rare among switches, definitely among cheaper switches; it is more common for switches to support sFlow due to the sheer volume of packets flowing through a switch. Software solution: fprobe running on a server; however, that limits you solely to the collision domain of that NIC, which with switching today is pretty small, so you would have to force mirroring to a specific port, which can cause performance and security concerns.
MySQL? Port 3306, is that eating the bandwidth? It used to be based on switch port, and after that you'd have to guess. Filtering based on subnet to identify possible attack subnets for use in firewall rules later. Double-ended, meaning EVERYTHING on both sides is recorded. Recording all this information for posterity. False alarm: Scott using Dropbox.
LOTS of data, gigabytes; imagine stats for EVERY packet going through. The amount of data is obviously dependent on the amount of traffic, which kind of helps you understand the forced sampling of sFlow. Lots of numbers, useful numbers, but it gets hard to see the forest for the trees; after looking at these a while you start feeling like you know these Arabic numerals personally. All this useful data, can't oversimplify it, too powerful. Naturally computationally expensive.
nfcapd → nfdump's own binary file format. NNA formulates proper nfdump-style queries and has hierarchical abstractions on them (next slide). Visualizing the numbers and differentiating the noise from what you want to know. Currently in beta.
Each source gets an RRD for fast access to VERY general stats: total I/O for the NetFlow source, divided per protocol. User-created queries like activity on port 22 can also be created, and there are some predefined ones (shown in the demo). Groupings are ways to lump together routers: say there are multiple border routers to some location, these can be lumped and treated as one, instead of having to run a query on all three individually.
Reports are meant for a more top-down view, commonly thought of as top talkers. Sorts by a given metric; the available metrics are total packets, flows and bytes. Can be top talker based on src IP, IP, port, etc. Queries are much more advanced and granular; if you've used tcpdump this is very similar. The query UI gives a GUI-style query interface to drill down, however for more complex queries the type-in is still available.
Key that this be integrated with Nagios. Has built-in email notifications, but they aren't particularly smart; the complex work is left for Nagios. Built-in support for NRDP and NSCA by assigning each NetFlow check as a service on a Nagios server. Automated Nagios XI integration.