pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Juniper and fastnetmon issue #802

Closed operations999 closed 4 years ago

operations999 commented 4 years ago

Hello, I configured juniper snmp, sflow and fastnetmon.conf with juniper ip and port. When I try to run fastnetmon_client I do not see any traffic. I configured same setting on other SNMP sflow program they works fine. Ports are opened and configured correctly and services are running fine. Can anyone guide me what could be the issue? Thanks

pavel-odintsov commented 4 years ago

Hello!

Can you try checking via tcpdump that you receive traffic on FastNetMon's machine?

operations999 commented 4 years ago

Hello, Yes I can see the flow data received on server from Juniper. No traffic showing when I run fastnetmon_client. Thanks

pavel-odintsov commented 4 years ago

Hello!

Do you have zero counters for other and internal traffic too? Have you disabled rp_filter explicitly?

operations999 commented 4 years ago

Here is the output.

sysctl -a | grep rp_filter | grep -v arp_filter
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.veth599f780.stable_secret"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.docker0.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.veth599f780.rp_filter = 1

pavel-odintsov commented 4 years ago

You need to set all these values to 0.

operations999 commented 4 years ago

Did it:

sysctl -a | grep rp_filter | grep -v arp_filter
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.docker0.stable_secret"
sysctl: reading key "net.ipv6.conf.eth0.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.veth599f780.stable_secret"
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.docker0.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.veth599f780.rp_filter = 0

Still see:

IPs ordered by: packets
Incoming traffic 0 pps 0 mbps 0 flows
Outgoing traffic 0 pps 0 mbps 0 flows
Internal traffic 0 pps 0 mbps
Other traffic 0 pps 0 mbps
Screen updated in: 0 sec 3428 microseconds
Traffic calculated in: 0 sec 12227 microseconds
Total amount of IPv6 packets related to our own network: 0
Not processed packets: 0 pps

pavel-odintsov commented 4 years ago

Weird.

Can you collect some traffic to the sFlow port with tcpdump and share it with me at pavel.odintsov@gmail.com, please?

You can do it this way:

tcpdump -w /root/sflow_data.pcap -n 'udp dst port 6343'

pavel-odintsov commented 4 years ago

Thank you!

It was parsed properly:

sflow_total_packets: 1406
sflow_bad_packets: 0
sflow_flow_samples: 7828
sflow_bad_flow_samples: 0
sflow_padding_flow_sample: 0
sflow_with_padding_at_the_end_of_packet: 0
sflow_parse_error_nested_header: 7
sflow_counter_sample: 37
sflow_raw_packet_headers_total: 7828
sflow_extended_router_data_records: 0
sflow_extended_switch_data_records: 7821
sflow_extended_gateway_data_records

Can you show FastNetMon's configuration from /etc/fastnetmon.conf and share /var/log/fastnetmon.log privately, please?

Thank you!

pavel-odintsov commented 4 years ago

Hello!

You have got an issue in your configuration:

2020-05-23 19:46:52,886 [INFO] sflow: plugin will listen on xx.xx.xx.xx:6343 udp port
2020-05-23 19:46:52,886 [ERROR] sflow: can't listen port: 6343

You need to specify the host for listening this way:

sflow_host = 0.0.0.0

After that, it will work fine.
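A way to check the two settings this thread turned on, rp_filter and sflow_host, before starting the client. This is an added shell example, not code from the project or from anyone in this thread; the sysctl and fastnetmon.conf sample text and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added example, not part of the FastNetMon project: offline checks for the two
# causes discussed in this thread, driven by constructed sample text so the
# script runs without root. Assumed formats: "key = value" lines from sysctl
# and "key = value" lines from fastnetmon.conf.

# Print every net.ipv4.conf.*.rp_filter key whose value is not 0.
# Returns 0 only when all are 0, i.e. reverse-path filtering fully disabled.
check_rp_filter() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^net\.ipv4\.conf\..*\.rp_filter$/ && $3 != 0 {
      print "rp_filter still enabled: " $1; bad = 1 }
    END { exit bad + 0 }'
}

# Report the sflow_host value. Returns 0 only for the wildcard 0.0.0.0; any
# other address must be owned by the collector host or bind() fails, which is
# the "can't listen port" error from the log above.
check_sflow_host() {
  printf '%s\n' "$1" | awk '
    $1 == "sflow_host" && $2 == "=" { host = $3; seen = 1 }
    END {
      if (!seen) { print "sflow_host missing"; exit 1 }
      if (host != "0.0.0.0") { print "sflow_host = " host " (not a wildcard bind)"; exit 1 }
      print "sflow_host = 0.0.0.0 ok" }'
}

# Constructed samples mirroring the thread: before and after each fix.
SYSCTL_BEFORE='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'
SYSCTL_AFTER='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0'
# 192.0.2.10 stands in for the exporter's address written into sflow_host.
CONF_BEFORE='sflow_host = 192.0.2.10
sflow_port = 6343'
CONF_AFTER='sflow_host = 0.0.0.0
sflow_port = 6343'

# Live data would come from `sysctl -a` and /etc/fastnetmon.conf instead.
# A non-zero status is the report here, not a script failure.
for s in "$SYSCTL_BEFORE" "$SYSCTL_AFTER"; do check_rp_filter "$s" || true; done
for c in "$CONF_BEFORE" "$CONF_AFTER"; do check_sflow_host "$c" || true; done
```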

operations999 commented 4 years ago

:) It worked :)

Sorry but did I miss something in documentation somewhere?

Guess you are parsing all flows from all sflow senders to fastnetmon and then filtering them by receiver ip?

Can we configure multiple switches to receive flow in fastnetmon?

Thank you


pavel-odintsov commented 4 years ago

There are no options to limit sFlow only to a specific device. FastNetMon will accept all of them at the same time. If you need more security you may use a firewall or ACL for it. You can feed FastNetMon data from any number of switches and routers. It will merge and process it.
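Since nothing in FastNetMon limits which senders are accepted, one way to apply the firewall restriction mentioned above, as an added example that is not the project's own tooling: nftables, the table name sflow_acl and the exporter addresses are assumptions.

```shell
#!/bin/sh
# Added example, not FastNetMon's own tooling: because the collector accepts
# sFlow from any sender, limit UDP 6343 at the host firewall to the exporters
# you know. The exporter addresses below are constructed placeholders; the
# apply step assumes nftables is installed and the script runs as root.

SFLOW_PORT=6343
EXPORTERS='192.0.2.10 192.0.2.11'   # e.g. the Juniper and a second switch

# Print an nftables ruleset: accept the sFlow port only from the listed
# exporters, count+log+drop anything else aimed at it, touch nothing else.
sflow_acl_ruleset() {
  port=$1; shift
  list=$(printf '%s, ' "$@"); list=${list%, }
  cat <<EOF
table inet sflow_acl {
    set exporters {
        type ipv4_addr
        elements = { $list }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport $port ip saddr @exporters accept
        udp dport $port counter log prefix "sflow-unexpected " drop
    }
}
EOF
}

# Syntax-check first, then load the whole table atomically.
sflow_acl_apply() {
  sflow_acl_ruleset "$SFLOW_PORT" $EXPORTERS | nft -c -f - || return 1
  sflow_acl_ruleset "$SFLOW_PORT" $EXPORTERS | nft -f -
}

# Consistency check on the generated text, usable without nft: every
# exporter is in the set and both port rules reference $SFLOW_PORT.
sflow_acl_verify() {
  rules=$(sflow_acl_ruleset "$SFLOW_PORT" $EXPORTERS)
  for ip in $EXPORTERS; do
    printf '%s\n' "$rules" | grep -q "$ip" || return 1
  done
  [ "$(printf '%s\n' "$rules" | grep -c "udp dport $SFLOW_PORT ")" -eq 2 ]
}

sflow_acl_verify && echo "ruleset consistent (run sflow_acl_apply as root to load it)"
```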