Capture Packets Seen for Analyzing Flows

[MrHamel]

Hello,

I'd like to be able to capture traffic flows as it traverses between the LAN and WAN interfaces, to gather information on src/dst hosts + ports, protocol, VLAN, application detection for analytics purposes. Ideally if the data can be sent through PF_RING's FT (Flow Table) code, that would make my life very easy.

Is it something that can be done with XDP, to not introduce a bottleneck?

Thanks!

Ryan Hamel

[interduo]

Why don't You like flows from Core/Edge switches?

[thebracket]

It's definitely possible to extract the flow information (TCP round trip time calculations already do some of it). Getting it summarized into userland (from the kernel space) and dispatched seems like it would be a lot more intensive on the CPU side.

I'd probably put this on the wishlist for now, and revisit once we've finished the architectural work for 1.4?

On Sun, Dec 4, 2022, 10:03 AM Interduo @.***> wrote:

Why don't You like flows from Core/Edge switches?

— Reply to this email directly, view it on GitHub https://github.com/LibreQoE/LibreQoS/issues/167#issuecomment-1336451884, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADRU43ZM7ETYC65NX2RQ5LTWLS6FHANCNFSM6AAAAAASMMFE3I . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[MrHamel]

@thebracket Thanks! This would really help me in ditching a vendor called Allot, which has very expensive appliances (servers really) and licenses. It uses DPDK to provide analytics and traffic shaping.

Exposing flow data would be huge in that we can store it in ElasticSearch and generate dashboards from it, useful for my team and clients.

[MrHamel]

@interduo: Why don't You like flows from Core/Edge switches?

Why go through all that work of setting up a bunch of exporters and collectors (which require servers), when I can have a box doing the traffic shaping between LAN and WAN, handle that at a central location? My employer would rather spend the money on slightly beefier, because it would still be cheaper than the Allot SG appliances (https://www.allot.com/enterprise/service-gateway/).

[interduo]

Why do the same work twice? On EDGE switch You need to have Flow collector for data retention logs.

Data retention could be also done here.

[MrHamel]

What work is done twice here? I am hoping the flow analytics is done once on the server when the bandwidth shaping is taken place.

[dtaht]

it would be possible to tap certain ips using ebpf and mirror them elsewhere. ebpf is nothing more than the bpf filter set on steriods. tcpdump -i eth0 (src net 10.21.0.0/16 and dst net 10.21.0.0/16)

adding this facility is both an extremely powerful debugging tool, as well as enabling calea, which is depressing, but probably desirable for some. Presently tho there is no way to create a mirror -> sink for this inside of libreqos, and both the mirror and the sink, expensive to implement in terms of cpu.

thx for the steer to allot, it doesn't look like the qoe portion of their product doesn't actually do anything other than monitor qoe using a method I'm not familiar with.

[MrHamel]

https://www.allot.com/resources/Symantec-PacketShaper-Migration-Guide-1.pdf

This may answer your question, not sure. It uses WRED.

[dtaht]

Well, it uses our language to describe what they are actually doing, so it may well be fq_codel or cake underneath. Our very first version of this stuff was sfq + RED, and for all I know they are using that.

packet captures can tell. pictures of the configuration info or other stats at this layer available?

[MrHamel]

Apologies for the delay, unfortunately the vendor keeps that information away from us in their UI and config files, we can only adjust protocols, subnets, VLANs, speeds (symmetrical or asymmetrical), that kind of stuff.

[dtaht]

enable ecn on your client and server, pound traffic (like fire up 32 iperf flows) through it, take a packet capture, see if anything gets converted from ecn == 2 to ecn == 3 - usually a good sign of fq_codel or cake.

https://www.bufferbloat.net/projects/cerowrt/wiki/Enable_ECN/

To get OSX to turn it on reliably nowadays:

sudo sysctl -w net.inet.tcp.disable_tcp_heuristics=1

[dtaht]

Any progress on determining their methods here? I have been getting a few places on this problem, but it is definitely in the future for us presently.

[MrHamel]

@dtaht I unfortunately lost my job at that employer, thus am not able to proceed with any testing or trials of this.

[dtaht]

oh, darn, we have made a lot of progress in just the last few days.

[rchac]

Solved with https://github.com/LibreQoE/LibreQoS/tree/heimdall