Monitoring sFlow
Applications
- nfdump/sfcapd: sfcapd is the nfdump daemon that receives sFlow datagrams and writes them to disk for later reporting with nfdump. The packaged Debian build has to be rebuilt with sFlow support and needs its own init script; see [[#sfcapd]].
sfcapd
debian
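# Rebuild the Debian nfdump package with sFlow support (the packaged build is
# configured without it, hence the debian/rules edit below). Do the fetch and
# build steps as an ordinary user; only the final dpkg -i needs root.
cd /usr/src || exit 1
mkdir nfdump || exit 1
cd nfdump || exit 1
# apt-get source fetches through the signed apt indexes; treat any hash or
# signature warning here as a stop, since this source is about to be built
# and installed on the collector.
apt-get source nfdump
# Enter the unpacked source tree and edit debian/rules so that configure is
# called with --enable-sflow. If debuild stops on missing build dependencies,
# install them first (as root) with: apt-get build-dep nfdump
cd nfdump-*/ || exit 1
# -uc -us: do not GPG-sign the .changes/.dsc; fine for a local-only build.
debuild -uc -us
cd .. || exit 1
# Installs every nfdump*.deb the build left in this directory.
sudo dpkg -i nfdump*.deb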
For the init script you will need something like the following (it is modelled on Debian's /etc/init.d/skeleton):
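#! /bin/sh
# /etc/init.d/sfcapd -- LSB init script for the sfcapd sFlow collector.
### BEGIN INIT INFO
# Provides:          sfcapd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: collects sflow data into /var/lib/sflow
# Description:       Runs sfcapd (from nfdump) as a daemon that receives sFlow
#                    datagrams on UDP port 6343 and stores them under
#                    /var/lib/sflow for later analysis with nfdump.
### END INIT INFO

# Author: Foo Bar <foobar@baz.org>
#
# Please remove the "Author" lines above and replace them
# with your own name if you copy and modify this script.

# Do NOT "set -e"

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DATADIR="/var/lib/sflow"
NAME=sfcapd
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present.
# It is read *before* DESC and DAEMON_ARGS are expanded so that overriding
# DATADIR or PIDFILE in /etc/default/sfcapd actually changes what sfcapd is
# told; a DAEMON_ARGS set there still wins because it is only defaulted below
# when empty.
[ -r "/etc/default/$NAME" ] && . "/etc/default/$NAME"

DESC="Collects sflow data into $DATADIR"

# Default daemon options:
#   -w  align file rotation with the wall clock
#   -D  run as a daemon
#   -l  base directory for the flow files
#   -p  UDP port to listen on (6343 is the sFlow default)
#   -I  identifier recorded with the data -- replace "myrouter" with your own
#   -P  pid file
# Security notes for the operator: sFlow is plain, unauthenticated UDP, so
# anything that can reach this port can feed the collector fabricated flow
# records. Restrict the port to the exporter's source address with a host
# firewall and/or bind the socket to the collector interface (sfcapd's -b
# option, see sfcapd(1)). As written the daemon also keeps running as root;
# sfcapd(1) documents -u/-g for switching to a dedicated unprivileged user
# after the socket is opened, which is the recommended setup.
[ -n "$DAEMON_ARGS" ] || DAEMON_ARGS="-w -D -l $DATADIR -p 6343 -I myrouter -P $PIDFILE"

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions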
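#
# Function that starts the daemon/service
#
do_start()
{
    # Return
    #   0 if daemon has been started
    #   1 if daemon was already running
    #   2 if daemon could not be started
    #
    # Globals read: DAEMON, PIDFILE, DAEMON_ARGS.
    # The --test call only checks whether the process recorded in $PIDFILE is
    # already running; it starts nothing.
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" --test > /dev/null \
        || return 1
    # DAEMON_ARGS is deliberately left unquoted: it is one string holding
    # several options and must be word-split into separate arguments.
    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON" -- \
        $DAEMON_ARGS \
        || return 2
    # Add code here, if necessary, that waits for the process to be ready
    # to handle requests from services started subsequently which depend
    # on this one.  As a last resort, sleep for some time.
}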
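#
# Function that stops the daemon/service
#
do_stop()
{
    # Return
    #   0 if daemon has been stopped
    #   1 if daemon was already stopped
    #   2 if daemon could not be stopped
    #   other if a failure occurred
    #
    # Globals read: PIDFILE, NAME, DAEMON.
    # First stop the process recorded in the pid file: TERM, wait up to 30s,
    # then KILL and wait up to 5s more.
    start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile "$PIDFILE" --name "$NAME"
    RETVAL="$?"
    [ "$RETVAL" = 2 ] && return 2
    # Wait for children to finish too if this is a daemon that forks
    # and if the daemon is only ever run from this initscript.
    # If the above conditions are not satisfied then add some other code
    # that waits for the process to drop all resources that could be
    # needed by services started subsequently.  A last resort is to
    # sleep for some time.
    # Note: --exec matches every process running $DAEMON, not only the one
    # from the pid file, so an sfcapd started by hand is stopped here too.
    # Signal 0 sends nothing; this just waits up to 30s before KILL.
    start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec "$DAEMON"
    [ "$?" = 2 ] && return 2
    # Many daemons don't delete their pidfiles when they exit.
    rm -f "$PIDFILE"
    return "$RETVAL"
}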
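#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
    #
    # If the daemon can reload its configuration without
    # restarting (for example, when it is sent a SIGHUP),
    # then implement that here.
    #
    # Globals read: PIDFILE, NAME. Always returns 0, even if no process was
    # signalled. Whether sfcapd actually reloads anything on SIGHUP is not
    # established here, which is why the "reload" action below stays
    # commented out and force-reload is an alias for restart.
    start-stop-daemon --stop --signal 1 --quiet --pidfile "$PIDFILE" --name "$NAME"
    return 0
}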
# Action dispatcher. Exit status: 3 for an unknown action, the daemon's
# status for "status", otherwise 0 (the trailing ":" below guarantees that).
case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        rc=$?
        # 0 = started, 1 = already running: both are success for "start".
        case "$rc" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        rc=$?
        # 0 = stopped, 1 = was not running: both are success for "stop".
        case "$rc" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        ;;
    status)
        # Propagate status_of_proc's LSB status code as our exit status.
        status_of_proc "$DAEMON" "$NAME"
        exit $?
        ;;
    #reload|force-reload)
        #
        # If do_reload() is not implemented then leave this commented out
        # and leave 'force-reload' as an alias for 'restart'.
        #
        #log_daemon_msg "Reloading $DESC" "$NAME"
        #do_reload
        #log_end_msg $?
        #;;
    restart|force-reload)
        #
        # If the "reload" option is implemented then remove the
        # 'force-reload' alias
        #
        log_daemon_msg "Restarting $DESC" "$NAME"
        do_stop
        rc=$?
        if [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]; then
            # Stopped (or was not running): try to bring it back up.
            # Anything but a clean start -- including "old process still
            # running" -- is reported as a failure.
            do_start
            if [ "$?" -eq 0 ]; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        else
            # Failed to stop
            log_end_msg 1
        fi
        ;;
    *)
        #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac

# Null command: makes the script exit 0 regardless of which branch ran last
# (the VERBOSE=no branches above would otherwise leave status 1).
:
Then install it:
- create /etc/init.d/sfcapd with the script above
- chmod a+rx /etc/init.d/sfcapd
- update-rc.d sfcapd defaults

Before starting it, make sure /var/lib/sflow exists and is writable by the user sfcapd runs as, and restrict UDP port 6343 to the exporter's source address: sFlow is unauthenticated, so anything else that can reach the port can inject bogus flow records into your data.
Reporting
Get Summary
* nfdump -R /var/lib/sflow -I
Ident: myrouter
Flows: 668
Flows_tcp: 570
Flows_udp: 97
Flows_icmp: 1
Flows_other: 0
Packets: 85504
Packets_tcp: 72960
Packets_udp: 12416
Packets_icmp: 128
Packets_other: 0
Bytes: 18279552
Bytes_tcp: 17764992
Bytes_udp: 506880
Bytes_icmp: 7680
Bytes_other: 0
First: 1287593210
Last: 1287594896
msec_first: 408
msec_last: 434
Sequence failures: 0
Top 10 IPs sorted by bits per second
(Note: use `-K <key>` with a 32-character key to anonymize the IP addresses in the output, as was done for the examples below. The mapping is keyed, so the same key always yields the same pseudonyms: keep the key private if the anonymized output is shared and the real addresses must not be recoverable.)
* nfdump -n 10 -R /var/lib/sflow -s ip -O bps
Top 10 IP Addr ordered by bps:
Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2010-10-20 13:40:23.462 0.993 any 184.82.242.160 4( 0.3) 512( 0.3) 145920( 0.4) 515 1.2 M 285
2010-10-20 12:49:33.418 0.994 any 116.128.214.177 2( 0.1) 256( 0.1) 120192( 0.3) 257 967340 469
2010-10-20 13:21:18.447 1.992 any 116.146.30.104 6( 0.4) 768( 0.4) 206848( 0.5) 385 830714 269
2010-10-20 13:40:13.464 0.990 any 247.155.64.122 3( 0.2) 384( 0.2) 102144( 0.3) 387 825406 266
2010-10-20 13:08:25.430 1.998 any 119.22.17.76 4( 0.3) 512( 0.3) 199424( 0.5) 256 798494 389
2010-10-20 13:02:43.432 2.992 any 119.22.17.9 3( 0.2) 384( 0.2) 164864( 0.4) 128 440812 429
2010-10-20 12:49:31.411 2.007 any 126.231.251.72 9( 0.6) 1152( 0.6) 59904( 0.1) 573 238780 52
2010-10-20 13:22:34.442 0.998 any 119.228.225.195 4( 0.3) 512( 0.3) 25344( 0.1) 513 203158 49
2010-10-20 13:37:35.452 1.000 any 240.230.200.246 3( 0.2) 384( 0.2) 17920( 0.0) 384 143360 46
2010-10-20 13:14:46.435 0.999 any 122.255.181.118 2( 0.1) 256( 0.1) 13312( 0.0) 256 106602 52
IP addresses anonymized
Summary: total flows: 1434, total bytes: 40.8 M, total packets: 183552, avg bps: 93653, avg pps: 52, avg bpp: 222
Time window: 2010-10-20 12:46:50 - 2010-10-20 13:44:56
Total flows processed: 1434, Blocks skipped: 0, Bytes read: 86376
Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 1452887.5
Top 10 IPs with more than 1 MB (-L 1M, i.e. 1000000 bytes) of traffic, sorted by bits per second
* nfdump -n 10 -R /var/lib/sflow -s ip -O bps -L 1M
Byte limit: > 1000000 bytes
Top 10 IP Addr ordered by bps:
Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
2010-10-20 12:47:05.408 4074.054 any 9.9.254.226 842(50.2) 107776(50.2) 39.7 M(77.5) 26 77894 368
2010-10-20 12:47:35.408 3942.053 any 9.5.16.99 200(11.9) 25600(11.9) 19.7 M(38.5) 6 40020 770
2010-10-20 12:52:31.414 3748.048 any 9.6.242.189 36( 2.1) 4608( 2.1) 5.3 M(10.4) 1 11326 1151
2010-10-20 12:50:22.412 3750.050 any 9.5.16.51 50( 3.0) 6400( 3.0) 4.7 M( 9.2) 1 10018 733
2010-10-20 12:46:50.408 4082.055 any 9.9.254.138 221(13.2) 28288(13.2) 4.8 M( 9.4) 6 9450 170
2010-10-20 12:47:12.408 3942.053 any 9.5.16.30 222(13.2) 28416(13.2) 4.5 M( 8.9) 7 9220 159
2010-10-20 12:46:58.417 4081.045 any 9.9.254.6 402(24.0) 51456(24.0) 2.7 M( 5.3) 12 5363 53
2010-10-20 12:46:58.417 4081.045 any 9.9.254.185 372(22.2) 47616(22.2) 2.3 M( 4.5) 11 4508 48
2010-10-20 12:46:50.408 4080.054 any 9.4.245.61 128( 7.6) 16384( 7.6) 2.2 M( 4.4) 4 4374 136
IP addresses anonymized
Summary: total flows: 1676, total bytes: 51.2 M, total packets: 214528, avg bps: 100166, avg pps: 52, avg bpp: 238
Time window: 2010-10-20 12:46:50 - 2010-10-20 13:54:59
Total flows processed: 1676, Blocks skipped: 0, Bytes read: 100952
Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 1689516.1


