NetFlow / sFlow / IPFIX network probe proposal

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi All !

I would like to discuss about a little module idea.

I've been working with commodity hardware Linux-based software network
routers for many years.
In my experience, logging and accounting of network packets was one of
hardest problems.
Various technologies for logging and accounting network packets
exists, e.g. ulog/pcap/PF_RING + nProbe and so on. All these tools
work in user space and require a lot of context switches. Context
switches make soo heavy cpu load if you have 400kpps and more packet
throughput.

As far as I can see, the PF_RING socket is a fastest way for exporting
packets to user space, but aggregation is still doing in user space.
In my tests, it makes about 30-40% CPU load of modern Core Quad cpu,
where complex iptables + ipset rules can take not more than 10%.

I've been nurturing the idea of a network monitoring module for the
NetFilter subsystem for a long time.
This module may be useful for commodity hardware routers as well as
embedded devices and will allow to use the user space only for a
configuration.
Furthermore, its possible with iptables to capture packets in a
forward chain and fill correctly more fields in accounting records.

It would be really good to have such features:

1. Support multiple formats
NetFlow v5, v9 / IPFIX (RFC 3917, 3954, 5101, 5102, 5470) and sFlow (RFC 3176)
IPFIX is more universal and more flexible than NetFlow v5 and sFlow,
so its a more important.

2. Correctly and fully fill all fields in a packet
As I pointed above, pcap-based tools can't correctly fill all fields,
e.g. output interface, nexthop, and AS (but I don't know where get AS
information in the kernel yet).

3. Support multiple targets
Module need robust configuration, which should support more than one
target in same time. It can look like this:
---
sysctl -w net.probe.target0.format=v5
sysctl -w net.probe.target0.destination=172.16.12.12:9996

sysctl -w net.probe.target1.version=ipfix
# IPFIX template specification
sysctl -w net.probe.target1.fields=IPV4_SRC_ADDR,IPV4_DST_ADDR,PROTOCOL,IN_BYTES,IN_PKTS,OUT_BYTES,OUT_PKTS,L4_SRC_PORT,L4_DST_PORT
sysctl -w net.probe.target1.destination=172.16.12.14:9996

sysctl -w net.probe.target2.format=sflow
sysctl -w net.probe.target2.destination=172.16.12.15:6343

# Probe one network to first server
iptables -A FORWARD -s 192.168.0.0/24 -j PROBE --target 0
iptables -A FORWARD -d 192.168.0.0/24 -j PROBE --target 0

# Probe another network to second server
iptables -A FORWARD -s 192.168.5.0/24 -j PROBE --target 1
iptables -A FORWARD -d 192.168.5.0/24 -j PROBE --target 1

# Probe outgoing email flow to third server
iptables -A FORWARD -s 192.168.5.0/24 --dport 25 -j PROBE --target 2
---

4. Support for exporting statistics via /proc
Traffic and packet rate, udp socket information and everything what
can be useful.

5. Round-robin load-balancing for destinations
For high throughput networks it is impossible to save all flow data to
one server. Idea is to add support for round-robin balancing for the
collector address:
---
sysctl -w net.probe.target0.destinations="172.16.12.12:9996 172.16.12.13:9996"
---

6. Support for capturing mirrored to NIC packets (which is addressed
to another host).
Of course, Iptables simple drop these crap packets. May be make sysctl
option for this feature?

PROBE name is just an example and may be changed to something else.
Please correct me, if I forgot something.

What is wrong in ipt_NETFLOW module
(http://sourceforge.net/projects/ipt-netflow/) ?
Ipt_NETFLOW is a really useful module and it never load CPU more than
1%. But internal architecture of ipt_NETFLOW cannot support all of
described above features (because have one common hash table and
configuration with module params). I'd prefer not to reinvent the
wheel and think about redesigning ipt_NETFLOW or writing new module
using ipt_NETFLOW base.

I'm a student and want to work on this project within Summer of Code
program. The Linux Foundation site pointed to the mail list.
My main goal is to make high-quality featured module, that will be
useful for anybody and acceptable for inclusion into mainstream
Kernel.

What do you think about this? Please, advice me or give some ideas.
May be somebody wanted to be a mentor? I'll send detailed information
about my bio, contacts, skills, work experience as well as schedule
plan directly to a potential mentor and/or GSoC site.

BTW, a NetFlow exporter feature is a most rated request on the Vyatta
site, so it should be interesting not only for me.

-- 
WBR, Tsisyk Roman
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux