pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0
3.42k stars, 568 forks

Fastnetmon not processing flows in Ubuntu 14.04.1 LTS #645

Closed humbertosartini closed 7 years ago

humbertosartini commented 7 years ago

Hi.

I've installed FastNetMon 1.1.3 in a virtual machine running Ubuntu 14.04.1 LTS on Xen. I'm using Netflow monitoring.

[screenshot: tela02]

[screenshot: tela01]

I read the recommendations in the documentation and tried the suggestions from some issues, but the result is the same.

My conf file is attached: fastnetmon.conf.txt

My log is attached: fastnetmon.log.txt

Iptables output: [screenshot: tela04]

rp_filter: [screenshot: tela05]

tcpdump: [screenshot: tela06] [screenshot: tela03]

pavel-odintsov commented 7 years ago

Hello!

Could you reduce template timeout on your device?

This message:

```
2017-03-30 14:40:49,082 [INFO] We don't have a template for flowset_id: 256 but it's not an error if this message disappears in 5-10 seconds. We need some time to learn it!
```

confirms that FNM received netflow correctly but could not calculate traffic because it hasn't yet received the required template for the Netflow data :)

humbertosartini commented 7 years ago

Hello @pavel-odintsov

I'm using this template on the Cisco router:

```
ASR-1002#show running-config flow monitor V4_OUT
Current configuration:
!
flow monitor V4_OUT
 description "IPv4 OUT"
 exporter V4_EXPORT
 record netflow ipv4 original-output
!
```

On the Cisco site there is this explanation: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/get-start-cfg-fnflow.html#GUID-400C1F82-9A50-4DF1-BAFD-E6A20889909E

Is it necessary to apply a specific configuration on the flow to work well with FNM?

humbertosartini commented 7 years ago

I checked the templates in the router and it has this:

```
ASR-1002#show flow exporter templates
Flow Exporter EXPORT:
  Client: Flow Monitor V4_OUT
  Exporter Format: NetFlow Version 9
  Template ID    : 258
  Source ID      : 256
  Record Size    : 50
  Template layout
```

| Field | Type | Offset | Size |
|---|---|---|---|
| timestamp sys-uptime first | 22 | 0 | 4 |
| timestamp sys-uptime last | 21 | 4 | 4 |
| counter bytes | 1 | 8 | 4 |
| counter packets | 2 | 12 | 4 |
| interface input snmp | 10 | 16 | 4 |
| interface output snmp | 14 | 20 | 4 |
| ipv4 source address | 8 | 24 | 4 |
| ipv4 destination address | 12 | 28 | 4 |
| ip protocol | 4 | 32 | 1 |
| ip tos | 5 | 33 | 1 |
| transport source-port | 7 | 34 | 2 |
| transport destination-port | 11 | 36 | 2 |
| flow sampler | 48 | 38 | 1 |
| routing next-hop address ipv4 | 15 | 39 | 4 |
| ipv4 destination mask | 13 | 43 | 1 |
| ipv4 source mask | 9 | 44 | 1 |
| transport tcp flags | 6 | 45 | 1 |
| routing destination as | 17 | 46 | 2 |
| routing source as | 16 | 48 | 2 |

```
  Client: Flow Monitor V4_IN
  Exporter Format: NetFlow Version 9
  Template ID    : 259
  Source ID      : 512
  Record Size    : 50
  Template layout
```

| Field | Type | Offset | Size |
|---|---|---|---|
| timestamp sys-uptime first | 22 | 0 | 4 |
| timestamp sys-uptime last | 21 | 4 | 4 |
| counter bytes | 1 | 8 | 4 |
| counter packets | 2 | 12 | 4 |
| interface input snmp | 10 | 16 | 4 |
| interface output snmp | 14 | 20 | 4 |
| ipv4 source address | 8 | 24 | 4 |
| ipv4 destination address | 12 | 28 | 4 |
| ip protocol | 4 | 32 | 1 |
| ip tos | 5 | 33 | 1 |
| transport source-port | 7 | 34 | 2 |
| transport destination-port | 11 | 36 | 2 |
| flow sampler | 48 | 38 | 1 |
| routing next-hop address ipv4 | 15 | 39 | 4 |
| ipv4 destination mask | 13 | 43 | 1 |
| ipv4 source mask | 9 | 44 | 1 |
| transport tcp flags | 6 | 45 | 1 |
| routing destination as | 17 | 46 | 2 |
| routing source as | 16 | 48 | 2 |

```
  Client: Flow Monitor V6_OUT
  Exporter Format: NetFlow Version 9
  Template ID    : 0
  Source ID      : 0
  Record Size    : 94
  Template layout
```

| Field | Type | Offset | Size |
|---|---|---|---|
| ipv6 flow-label | 31 | 0 | 3 |
| ipv6 extension map | 64 | 3 | 4 |
| ipv6 source address | 27 | 7 | 16 |
| ipv6 destination address | 28 | 23 | 16 |
| ip protocol | 4 | 39 | 1 |
| ip tos | 5 | 40 | 1 |
| transport source-port | 7 | 41 | 2 |
| transport destination-port | 11 | 43 | 2 |
| transport tcp flags | 6 | 45 | 1 |
| routing source as | 16 | 46 | 2 |
| ipv6 source mask | 29 | 48 | 1 |
| interface input snmp | 10 | 49 | 4 |
| routing destination as | 17 | 53 | 2 |
| routing next-hop address ipv6 | 62 | 55 | 16 |
| ipv6 destination mask | 30 | 71 | 1 |
| interface output snmp | 14 | 72 | 4 |
| flow direction | 61 | 76 | 1 |
| flow sampler | 48 | 77 | 1 |
| counter bytes | 1 | 78 | 4 |
| counter packets | 2 | 82 | 4 |
| timestamp sys-uptime first | 22 | 86 | 4 |
| timestamp sys-uptime last | 21 | 90 | 4 |

```
  Client: Flow Monitor V6_IN
  Exporter Format: NetFlow Version 9
  Template ID    : 0
  Source ID      : 0
  Record Size    : 94
  Template layout
```

| Field | Type | Offset | Size |
|---|---|---|---|
| ipv6 flow-label | 31 | 0 | 3 |
| ipv6 extension map | 64 | 3 | 4 |
| ipv6 source address | 27 | 7 | 16 |
| ipv6 destination address | 28 | 23 | 16 |
| ip protocol | 4 | 39 | 1 |
| ip tos | 5 | 40 | 1 |
| transport source-port | 7 | 41 | 2 |
| transport destination-port | 11 | 43 | 2 |
| transport tcp flags | 6 | 45 | 1 |
| routing source as | 16 | 46 | 2 |
| ipv6 source mask | 29 | 48 | 1 |
| interface input snmp | 10 | 49 | 4 |
| routing destination as | 17 | 53 | 2 |
| routing next-hop address ipv6 | 62 | 55 | 16 |
| ipv6 destination mask | 30 | 71 | 1 |
| interface output snmp | 14 | 72 | 4 |
| flow direction | 61 | 76 | 1 |
| flow sampler | 48 | 77 | 1 |
| counter bytes | 1 | 78 | 4 |
| counter packets | 2 | 82 | 4 |
| timestamp sys-uptime first | 22 | 86 | 4 |
| timestamp sys-uptime last | 21 | 90 | 4 |
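Pavel's explanation above (a data flowset cannot be decoded until the matching template has been learned) and the V4_OUT template layout the reporter posted can be put together in a small decoder. The following is an added example, not FastNetMon's code: it keeps a template cache keyed by (source_id, template_id), skips and counts data flowsets whose template has not arrived yet, and decodes them once the template flowset (id 0) has been seen. The field list is transcribed from the V4_OUT table above (template 258, source 256, 50 bytes per record); the packets, addresses and ASNs are constructed for the demo and are not a capture from the reporter's router.

```python
import struct
import ipaddress

# (type, length) pairs transcribed from the router's V4_OUT template above:
# 19 fields, 50 bytes per record. Template ID and Source ID are from the page.
V4_OUT_TEMPLATE_ID, V4_OUT_SOURCE_ID = 258, 256
V4_OUT_FIELDS = [(22, 4), (21, 4), (1, 4), (2, 4), (10, 4), (14, 4), (8, 4), (12, 4),
                 (4, 1), (5, 1), (7, 2), (11, 2), (48, 1), (15, 4), (13, 1), (9, 1),
                 (6, 1), (17, 2), (16, 2)]
# Readable names for the NetFlow v9 field types used above.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 5: "tos", 6: "tcp_flags",
               7: "l4_src_port", 8: "ipv4_src_addr", 9: "src_mask", 10: "input_snmp",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 13: "dst_mask", 14: "output_snmp",
               15: "ipv4_next_hop", 16: "src_as", 17: "dst_as", 21: "last_switched",
               22: "first_switched", 48: "flow_sampler_id"}
IPV4_FIELDS = {8, 12, 15}


class NetflowV9Decoder:
    """Template-learning decoder: a data flowset is decodable only after the
    template flowset (id 0) carrying its template has arrived from the same source_id."""

    def __init__(self):
        self.templates = {}  # (source_id, template_id) -> [(type, length), ...]
        self.missing = {}    # (source_id, flowset_id) -> data flowsets skipped so far
        self.log = []

    def feed(self, packet):
        version, _cnt, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, offset = [], 20
        while offset + 4 <= len(packet):
            flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
            if length < 4:
                raise ValueError("malformed flowset length")
            body = packet[offset + 4:offset + length]
            if flowset_id == 0:
                self._learn_templates(source_id, body)
            elif flowset_id >= 256:  # id 1 (options template) is not handled here
                records.extend(self._decode_data(source_id, flowset_id, body))
            offset += length
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if template_id == 0 and field_count == 0:
                break  # zero padding at the end of the flowset
            fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                      for i in range(field_count)]
            pos += 4 * field_count
            self.templates[(source_id, template_id)] = fields
            self.log.append(f"learned template {template_id} from source {source_id}")

    def _decode_data(self, source_id, flowset_id, body):
        fields = self.templates.get((source_id, flowset_id))
        if fields is None:  # the situation behind FNM's "We don't have a template" message
            key = (source_id, flowset_id)
            self.missing[key] = self.missing.get(key, 0) + 1
            self.log.append(f"no template for flowset_id {flowset_id} from source {source_id}; skipped")
            return []
        record_len = sum(length for _, length in fields)
        out, pos = [], 0
        while pos + record_len <= len(body):  # a trailing remainder shorter than a record is padding
            rec = {}
            for ftype, flen in fields:
                raw, pos = body[pos:pos + flen], pos + flen
                name = FIELD_NAMES.get(ftype, f"type_{ftype}")
                is_ip = ftype in IPV4_FIELDS and flen == 4
                rec[name] = str(ipaddress.IPv4Address(raw)) if is_ip else int.from_bytes(raw, "big")
            out.append(rec)
        return out


# --- Constructed sample packets for the demo (not captured traffic) ---
def v9_header(source_id, count):
    return struct.pack("!HHIIII", 9, count, 1000, 1490000000, 1, source_id)

def template_flowset(template_id, fields):
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(flowset_id, records):
    body = b"".join(records)
    body += b"\x00" * ((-len(body)) % 4)  # pad to a 32-bit boundary
    return struct.pack("!HH", flowset_id, 4 + len(body)) + body

def v4_out_record(src, dst, proto, sport, dport, nbytes, npkts):
    values = {22: 100, 21: 200, 1: nbytes, 2: npkts, 10: 1, 14: 2,
              8: int(ipaddress.IPv4Address(src)), 12: int(ipaddress.IPv4Address(dst)),
              4: proto, 5: 0, 7: sport, 11: dport, 48: 1,
              15: int(ipaddress.IPv4Address("192.0.2.1")), 13: 24, 9: 24, 6: 0x18,
              17: 64496, 16: 64497}  # documentation-range next hop and ASNs
    return b"".join(values[t].to_bytes(l, "big") for t, l in V4_OUT_FIELDS)

def run_demo():
    dec = NetflowV9Decoder()
    rec = v4_out_record("198.51.100.10", "203.0.113.5", 6, 443, 51000, 1500, 3)
    data_pkt = v9_header(V4_OUT_SOURCE_ID, 1) + data_flowset(V4_OUT_TEMPLATE_ID, [rec])
    tmpl_pkt = v9_header(V4_OUT_SOURCE_ID, 1) + template_flowset(V4_OUT_TEMPLATE_ID, V4_OUT_FIELDS)
    before = dec.feed(data_pkt)  # data before its template: nothing decodable yet
    dec.feed(tmpl_pkt)           # template flowset teaches the record layout
    after = dec.feed(data_pkt)   # the same bytes now decode to a flow record
    return before, after, dec
```

Two points the demo makes concrete: templates are scoped by source_id, so the V4_OUT and V4_IN templates above (source 256 and 512) are cached separately even though both exporters live on the same router; and a data flowset that arrives before its template is dropped, not queued, so a collector that keeps logging the "no template" line past the exporter's template timeout is not receiving template flowsets at all, which is what a short template timeout on the router and an unfiltered path between router and sensor are meant to ensure.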

pavel-odintsov commented 7 years ago

Hello!

It's very strange actually. According to your output, it should work well. But for some reasons, FNM could not decode traffic.

Do you have any intermediate boxes between FNM and your devices?

humbertosartini commented 7 years ago

Hello,

The devices are on the same network; obviously there is a switch, but it is a Layer 2 connection only.

Unfortunately I no longer have this scenario.

Thanks,

optimuscream commented 7 years ago

I had the same issue, but it is now fixed: I had forgotten to change the rp_filter value. Thanks

pavel-odintsov commented 7 years ago

Hello

Sorry, I could not follow your request. What does "make static route manually off" mean?

On Tue, 18 Apr 2017 at 03:32, optimuscream notifications@github.com wrote:

> I have the same issue. FNM can capture the flow if I make static route manually off all the network I want to capture listed in /etc/networks_list. But I suspect it's not the way it is supposed to work. I'm still searching for the root cause of this issue.


-- Sincerely yours, Pavel Odintsov

optimuscream commented 7 years ago

I deleted the comment after I found that I had forgotten to set rp_filter to 0. Yes, I have to set a static route for each subnet listed in /etc/networks_list to the corresponding gateway interface to make it work. Weird, but it works, though not the ideal solution. I'm using samplicator from https://github.com/sleinen/samplicator because I'm also using this box as a netflow analyzer. I have to redirect the flow to two different ports on the same unit, each with its own program to handle it, which are nfsen and FNM. I thought samplicator was the culprit, but now it works even when I redirect the flow traffic to the loopback interface. Great app (y).
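The rp_filter finding in the two comments above (flows are dropped until rp_filter is relaxed, or until a static route for each monitored subnet points at the interface the flows arrive on) follows from how the reverse-path filter works. The snippet below is an added example, not part of this thread or of FastNetMon: it models the Linux rp_filter decision (mode 1 strict, mode 2 loose, 0 off) against a constructed routing table with longest-prefix matching, and shows why adding a static route via the receiving interface makes strict mode accept the exporter's packets. The route table, interface names and addresses are made up for the demo; the kernel's real check has further details (for example multipath routes) that this model leaves out.

```python
import ipaddress

# Constructed route table for the sensor box: (prefix, outgoing interface).
# The default route leaves via eth0; eth1 is the interface that receives Netflow.
BASE_ROUTES = [("0.0.0.0/0", "eth0"), ("10.0.0.0/24", "eth0"), ("192.0.2.0/24", "eth1")]
EXPORTER_SRC = "10.9.9.1"  # constructed: source address the router exports Netflow from

def best_route(routes, dst):
    """Longest-prefix match; returns the outgoing interface, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_verdict(routes, in_iface, src_ip, mode):
    """Model of net.ipv4.conf.<iface>.rp_filter (RFC 3704 reverse path check).
    0: no check. 1 (strict): the best route back to src must use in_iface.
    2 (loose): src only needs to be reachable via some interface."""
    if mode == 0:
        return "accept"
    reverse_iface = best_route(routes, src_ip)
    if mode == 1:
        return "accept" if reverse_iface == in_iface else "drop"
    if mode == 2:
        return "accept" if reverse_iface is not None else "drop"
    raise ValueError(f"unknown rp_filter mode {mode}")

def run_demo():
    """Netflow from EXPORTER_SRC arrives on eth1; compare the three fixes from the thread."""
    strict_no_route = rp_filter_verdict(BASE_ROUTES, "eth1", EXPORTER_SRC, 1)
    with_static = BASE_ROUTES + [("10.9.9.0/24", "eth1")]  # the static-route workaround
    strict_with_route = rp_filter_verdict(with_static, "eth1", EXPORTER_SRC, 1)
    loose = rp_filter_verdict(BASE_ROUTES, "eth1", EXPORTER_SRC, 2)
    off = rp_filter_verdict(BASE_ROUTES, "eth1", EXPORTER_SRC, 0)
    return {"strict": strict_no_route, "strict+static_route": strict_with_route,
            "loose": loose, "off": off}
```

On a real host the values to compare are `sysctl net.ipv4.conf.all.rp_filter` and `net.ipv4.conf.<iface>.rp_filter` (the kernel applies the higher of the two), and `ip route get <exporter-ip>` shows which interface the reverse path currently uses; a tcpdump on the receiving interface that shows the UDP export packets while the collector sees nothing is the typical symptom, because the reverse-path drop happens after capture.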

pavel-odintsov commented 7 years ago

Welcome :)