Closed marceloluizfranca closed 5 years ago
sorry for the formatting that went wrong
Hello!
Sorry, I mixed up MX-80 and MX-5 configuration. Do you use both?
I see proper configuration for timeout for MX-80:
flow-inactive-timeout 10
flow-active-timeout 10
And it should work well with FastNetMon. Can you set these options for MX-5?
Thank you!
My router is the MX5-t with the last license, all the interfaces released, totals a traffic of 80GB.
It's already set as you said it.
set services flow-monitoring version-ipfix template logicaflow flow-active-timeout 10
set services flow-monitoring version-ipfix template logicaflow flow-inactive-timeout 10
set services flow-monitoring version-ipfix template logicaflow template-refresh-rate packets 1000
set services flow-monitoring version-ipfix template logicaflow template-refresh-rate seconds 15
set services flow-monitoring version-ipfix template logicaflow option-refresh-rate packets 1000
set services flow-monitoring version-ipfix template logicaflow option-refresh-rate seconds 15
set services flow-monitoring version-ipfix template logicaflow ipv4-template
Well, then it should work properly. You can expect 10-15% differences with port counters but it can calculate traffic pretty well.
For community edition we do not have very good debugging tools for Netflow but you may check our article about such issues: https://fastnetmon.com/2017/01/20/netflow-flows-duration/
About traffic, it really is very close, see on the screens that:
1728 mbps in - Fastnetmon
2240 mbps in - Zabbix
402 mbps out - Fastnetmon
456 mbps out - Zabbix
Already the amount of packages distant:
212597 pps in - Fastnetmon
2110000 pps in - Zabbix
152562 pps out - Fastnetmon
1310000 pps out - Zabbix
It is as if Fastnetmon monitors the number of packets divided by 10.
This is my problem.
Hello!
It looks very dodgy because FastNetMon calculates packet rate and bandwidth rate in same place.
Do you use any kind of sampling?
Btw, for bandwidth differences you can expect about 10-15% differences because IPFIX information does not include the ethernet header for each packet. But per-interface counters do include it.
# Netflow v9 and IPFIX agents use different and very complex approaches for notifying about sample ratio
# Here you could specify a sampling ratio for all this agents
# For NetFLOW v5 we extract sampling ratio from packets directely and this option not used
netflow_sampling_ratio = 1
set forwarding-options sampling instance LOGICAFLOW input rate 1
Discrepant packet and traffic information
Package and traffic numeric information is incorrect. I have a Zabbix where I track the same information and it is misrepresented in fastnetmon_client, what could be wrong? I'm using sampling_rate 1 on both the router and fastnetmon. I am using for fastnetmon Ubuntu 18.04 with netflow (IPFIX)
follows the images of what Zabbix captures and what Fastnetmon captures
Here's my Juniper MX5 router configuration:
set forwarding-options sampling instance LOGICAFLOW input rate 1
set forwarding-options sampling instance LOGICAFLOW family inet output flow-server 187.xxx.224.44 port 2055
set forwarding-options sampling instance LOGICAFLOW family inet output flow-server 187.xxx.224.44 version-ipfix template logicaflow
set forwarding-options sampling instance LOGICAFLOW family inet output inline-jflow source-address 177.xxx.95.253
marcelo@juniper-mx80# show chassis | display set
set chassis aggregated-devices ethernet device-count 5
set chassis fpc 1 pic 0 tunnel-services
set chassis tfeb slot 0 sampling-instance LOGICAFLOW
set chassis alarm management-ethernet link-down ignore
set chassis network-services enhanced-ip
marcelo@juniper-mx80# show services flow-monitoring | display set
set services flow-monitoring version-ipfix template logicaflow flow-active-timeout 10
set services flow-monitoring version-ipfix template logicaflow flow-inactive-timeout 10
set services flow-monitoring version-ipfix template logicaflow template-refresh-rate packets 1000
set services flow-monitoring version-ipfix template logicaflow template-refresh-rate seconds 15
set services flow-monitoring version-ipfix template logicaflow option-refresh-rate packets 1000
set services flow-monitoring version-ipfix template logicaflow option-refresh-rate seconds 15
set services flow-monitoring version-ipfix template logicaflow ipv4-template
marcelo@juniper-mx80# show interfaces xe-0/0/2 | display set
set interfaces xe-0/0/2 description "Link"
set interfaces xe-0/0/2 vlan-tagging
set interfaces xe-0/0/2 encapsulation flexible-ethernet-services
set interfaces xe-0/0/2 unit 412 description "Vlan 412"
set interfaces xe-0/0/2 unit 412 vlan-id 412
set interfaces xe-0/0/2 unit 412 family inet filter input ENTRADA-LINK
set interfaces xe-0/0/2 unit 412 family inet sampling input
set interfaces xe-0/0/2 unit 412 family inet sampling output
set interfaces xe-0/0/2 unit 412 family inet address 177.xxx.13.173/30
set interfaces xe-0/0/2 unit 412 family inet6 address 2804:xxx:6::29/126
Here's my Fastnetmon configuration:
logging:local_syslog_logging = off
logging:remote_syslog_logging = off
logging:remote_syslog_server = 10.10.10.10
logging:remote_syslog_port = 514
enable_ban = off
process_incoming_traffic = on
process_outgoing_traffic = on
ban_details_records_count = 500
ban_time = 1900
unban_only_if_attack_finished = on
enable_subnet_counters = off
networks_list_path = /etc/networks_list
white_list_path = /etc/networks_whitelist
check_period = 1
enable_connection_tracking = off
ban_for_pps = on
ban_for_bandwidth = on
ban_for_flows = off
threshold_pps = 20000
threshold_mbps = 1000
threshold_flows = 3500
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
mirror = off
pfring_sampling_ratio = 10
mirror_netmap = off
mirror_snabbswitch = off
mirror_afpacket = off
interfaces = eth0
netmap_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = on
sflow = off
enable_pf_ring_zc_mode = off
interfaces = eth0
average_calculation_time = 20
average_calculation_time_for_subnets = 20
netflow_port = 2055
netflow_host = 0.0.0.0
netflow_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = on
sflow = off
enable_pf_ring_zc_mode = off
interfaces = eth0
average_calculation_time = 20
average_calculation_time_for_subnets = 20
netflow_port = 2055
netflow_host = 0.0.0.0
netflow_sampling_ratio = 1
netflow_divide_counters_on_interval_length = off
sflow_port = 6343
sflow_host = 0.0.0.0
notify_script_path = /usr/local/bin/notify_about_attack.sh
notify_script_pass_details = off
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
redis_enabled = off
redis_port = 6379
redis_host = 127.0.0.1
redis_prefix = mydc1
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
pfring_hardware_filters_enabled = off
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_host = off
exabgp_announce_whole_subnet = off
exabgp_flow_spec_announces = off
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
graphite = off
graphite_host = 127.0.0.1
graphite_port = 2003
graphite_prefix = fastnetmon
monitor_local_ip_addresses = off
hostgroup = my_hosts:10.10.10.221/32,10.10.10.222/32
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
pid_path = /var/run/fastnetmon.pid
cli_stats_file_path = /tmp/fastnetmon.dat
enable_api = off
sort_parameter = packets
max_ips_in_list = 10
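A consistency check for the two configurations posted in this thread, as an added example that is not part of the original posts and is not FastNetMon's own code: it compares the router's sampling rate with netflow_sampling_ratio, checks the flow timeouts against the 10-second values recommended in the thread, and flags keys that appear more than once in fastnetmon.conf. The sample inputs are constructed from the posted settings; the function names, the use of 10 seconds as an upper bound, the default ratio of 1 and the last-value-wins handling of duplicates are assumptions.

```python
import re

# Constructed sample input, abridged from the configuration posted in this thread.
JUNOS = """\
set forwarding-options sampling instance LOGICAFLOW input rate 1
set services flow-monitoring version-ipfix template logicaflow flow-active-timeout 10
set services flow-monitoring version-ipfix template logicaflow flow-inactive-timeout 10
"""
FNM = """\
netflow_sampling_ratio = 1
average_calculation_time = 20
netflow_sampling_ratio = 1
"""
MAX_TIMEOUT = 10  # value recommended in the thread; used as an upper bound (assumption)

def parse_junos(text):
    """Extract the sampling rate and flow timeouts from 'display set' output."""
    out = {}
    if m := re.search(r"sampling instance \S+ input rate (\d+)", text):
        out["rate"] = int(m.group(1))
    for kind, val in re.findall(r"flow-(active|inactive)-timeout (\d+)", text):
        out[kind + "_timeout"] = int(val)
    return out

def parse_fnm(text):
    """Parse 'key = value' lines; return (settings, keys seen more than once)."""
    settings, dupes = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, val = (p.strip() for p in line.split("=", 1))
        if key in settings and key not in dupes:
            dupes.append(key)
        settings[key] = val  # last value wins here (assumption about the collector)
    return settings, dupes

def check(junos_text, fnm_text):
    """Return a list of findings; an empty list means the two sides agree."""
    j = parse_junos(junos_text)
    s, dupes = parse_fnm(fnm_text)
    findings = [f"duplicate key: {k}" for k in dupes]
    ratio = int(s.get("netflow_sampling_ratio", 1))  # default of 1 is an assumption
    if j.get("rate") != ratio:
        findings.append(f"sampling mismatch: router {j.get('rate')} vs collector {ratio}")
    for k in ("active_timeout", "inactive_timeout"):
        if j.get(k, 0) > MAX_TIMEOUT:
            findings.append(f"{k} {j[k]}s exceeds {MAX_TIMEOUT}s")
    return findings
```
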