Nagios Conference 2012 - Nicholas Scott - Netflow Monitoring and SNMP Trap Management With Nagios
•Download as ODP, PDF•
1 like•2,207 views
Nicholas Scott's presentation on Netflow and SNMP Trap monitoring with Nagios. The presentation was given during the Nagios World Conference North America held Sept 25-28th, 2012 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
Recommended
Recommended
More Related Content
More from Nagios
More from Nagios (20)
Recently uploaded
Recently uploaded (20)
Nagios Conference 2012 - Nicholas Scott - Netflow Monitoring and SNMP Trap Management With Nagios
- 1. NNA and NSTI Nicholas Scott nscott@nagios.com
- 2. Abstract Topics To Be Covered Network Analyzer What is it? Why do I care? Demonstration Trap Interface What is it? Why do I care? Demonstration Final Q & A 2012 2
- 4. Nagios Network Analyzer What is Netflow, sFlow? What is a flow? Commonalities: Interface Source IP Destination IP IP Protocol Source Port Destination Port 2012 4
- 5. Nagios Network Analyzer Components Flow Enabled Switch Routers TRAFFIC Switches Flow Enabled Router Other Network Analyzer Flow Infused 2012 5
- 6. Nagios Network Analyzer What are common use cases? Bandwidth Usage Per Port (application) Per IP/Subnet Source Destination Any combination of the above Aberrant Activity Watch for known worm/virus activity 2012 6
- 7. Nagios Network Analyzer Challenges Lots of data Easy to get buried Needs an easy to way to drill down Visualizations would be nice Must maintain flexibility As computationally/IO efficient as possible Cython / Compiled C 2012 7
- 8. Nagios Network Analyzer What is Nagios Network Analyzer Incoming Netflow Data Captures Data Archives Data Information Processing Intuitive Web Interface Visualizations Nagios Integration Currently Beta 2012 8
- 9. Nagios Network Analyzer Layout nfcapd View Network nfdump Analyzer 2012 9
- 10. Nagios Network Analyzer Sources RRD for general I/O Dynamic RRDs for user specified queries Some predefined queries Groupings Logical grouping of sources Can be treated as a single source 2012 10
- 11. Nagios Network Analyzer Data Dissemination Reports Aggregates Total Sorts Queries User Defined Aggregation Drill Down Modes TCP Dump style syntax Video Demonstration /home/nscott/Documents/NWC Presentations/NNANSTI/demo-hq/demo-hq.mp4 2012 11
- 12. Nagios Network Analyzer Notifications Built in simple email notifications Don't reinvent the wheel Nagios Integration Can notify Nagios with NRDP, NSCA Automated Nagios XI integration Video Demonstration /home/nscott/Documents/NWC Presentations/NNANSTI/integration-hq/integration-hq.mp4 2012 12
Editor's Notes
- Two new products NNA is an entreprise geared product, currently in Beta Looks to make Netflow more manageable, easier to access NSTI is open source Originally forked from NagTrap Rewritten in Python and added features, security Afterwards we'll open it up for questions (~10minutes left) so please hold questions,
- Traditionally exported via UDP to a central collector, which is the slot NNA is performing Multiple different versions causing some confusion: V5- common, Ipv4 only V7 – Used by catalyst switches Sflow has forced sampling, whereas netflow generally looks at every packet Flow is generally defined as...can be thought of a session between to instances, lauging at myself because thats so general, but hey, its networking.
- Routers: Most routers nowadays support netflow or sflow Switches: Somewhat rare among switches, definitely amongst cheaper switches. More common for switches to support sFlow due to the sheer volume packets flowing through a switch Software solution: Fprobe running a server, however that limits you solely to the collision domain of that NIC, with switching day, is pretty damn small, would have to force mirroring to a specific port, which can cause performance and security concerns.
- MySQL? Port 3306, is that eating the bandwidth. Used to be based on switch port, and then after that you'd have to guess Filtering based on subnet to identify possible attack subnets for use in firewall rules later Double ended, meaning EVERYTHING on both sides is recorded Recording all this information for posterity False alarm, Scott using DropBox
- LOTS of data, gigabytes, imagine stats for EVERY packet going through, amount of data is obviously dependent on the amount of traffic Kind of helps understand the forced sampling of sFlow Lots of numbers, useful numbers, but it gets hard to see the forest from the tree After looking that these a while you start feeling like you know these arabic numerals personally All this useful data, can't oversimplify it, too powerful Naturally computationally expensive
- Nfcapd → proprietary database NNA formulates proper nfdump style queries, and has hierarchal abstractions on them (next slide) Visualizing the numbers and differentiating the noise from what you want to know Currenly in Beta
- Each source gets an RRD for fast access to VERY general stats, total IO for the netflow source divided per protocol Use created queries like activity on Port 22 can also be created, there are some predefined (show in the demo) Groupings are ways to lump together routers, say there are multiple border routers to some location, these can lumped and treated as one, instead of having to runa query on all three individually
- Reports – Meant for a more top down view, commonly though of as top talkers Sorts by a given metric, available metrics are sorting by total packets, flows, bytes Can be top talker based on src ip, ip, port, etc Queries are much more advances and granular, if you've used tcpdump this is very similar, query ui gives a GUI style query interface to drill down, however for more complex queries the type in is still available
- Key that this be integrated with Nagios Has built in email notifications, but they aren't particularly smart, the complex work is left for Nagios Built in support for NRDP and NSCA by assigning each netflow check as a service to a nagios server Automated Nagios XI integration