ng_netflow(4)
NAME
ng_netflow - Cisco's NetFlow implementation
SYNOPSIS
#include <sys/types.h>
#include <netinet/in.h>
#include <netgraph/netflow/ng_netflow.h>
DESCRIPTION
The ng_netflow node implements Cisco's NetFlow export protocol on a
router running FreeBSD. The ng_netflow node listens for incoming traffic
and identifies unique flows in it. Flows are distinguished by endpoint
IP addresses, TCP/UDP port numbers, ToS and input interface. Expired
flows are exported out of the node in NetFlow version 5 UDP datagrams.

The expiration reason can be one of the following:

  - RST or FIN TCP segment.
  - Active timeout. Flows cannot live longer than the specified period of
    time. The default is 1800 seconds (30 minutes).
  - Inactive timeout. A flow was inactive for the specified period of
    time. The default is 15 seconds.

Export information is stored in NetFlow version 5 datagrams.
HOOKS
This node type supports up to NG_NETFLOW_MAXIFACES hooks named iface0,
iface1, etc., and the same number of hooks named out0, out1, etc., plus a
single hook named export. The node does NetFlow accounting of data
received on the iface* hooks. If the corresponding out hook is connected,
the unmodified data is bypassed to it; otherwise the data is freed. If
data is received on an out hook, it is bypassed to the corresponding
iface hook without any processing. When a full export datagram is built,
it is sent to the export hook. In normal operation, the export hook is
connected to the inet/dgram/udp hook of the ng_ksocket(4) node.
CONTROL MESSAGES
This node type supports the generic control messages, plus the following:

NGM_NETFLOW_INFO
     Returns some node statistics and the current timeout values in a
     struct ng_netflow_info.

NGM_NETFLOW_IFINFO
     Returns information about the ifaceN hook. The hook number is
     passed as an argument.

NGM_NETFLOW_SETDLT
     Sets the data link type on the ifaceN hook. Currently, the supported
     types are raw IP datagrams and Ethernet. This message type uses
     struct ng_netflow_setdlt as an argument:

          struct ng_netflow_setdlt {
                  uint16_t iface;   /* which iface to operate on */
                  uint8_t  dlt;     /* DLT_XXX from bpf.h */
          };

     The requested ifaceN hook must already be connected, otherwise the
     message send operation will return an error.

NGM_NETFLOW_SETIFINDEX
     In some cases, ng_netflow may be unable to determine the input
     interface index of a packet. This can happen if traffic enters the
     ng_netflow node before it comes to the system interface's input
     queue. An example of such a setup is capturing traffic between a
     synchronous data line and ng_iface(4). In this case, the input index
     should be associated with a given hook. The interface's index can be
     determined via if_nametoindex(3) from userland. This message requires
     struct ng_netflow_setifindex as an argument:

          struct ng_netflow_setifindex {
                  u_int16_t iface;  /* which iface to operate on */
                  u_int16_t index;  /* new index */
          };

     The requested ifaceN hook must already be connected, otherwise the
     message send operation will return an error.

NGM_NETFLOW_SETTIMEOUTS
     Sets values in seconds for the NetFlow active/inactive timeouts.
     This message requires struct ng_netflow_settimeouts as an argument:

          struct ng_netflow_settimeouts {
                  uint32_t inactive_timeout;
                  uint32_t active_timeout;
          };

NGM_NETFLOW_SHOW
     This control message asks a node to dump the entire contents of the
     flow cache. It is called from flowctl(8), not directly from
     ngctl(8). See also the BUGS section.
ASCII CONTROL MESSAGES
Most binary control messages have an ASCII equivalent. The supported
ASCII commands are:

     NGM_NETFLOW_INFO          "info"
     NGM_NETFLOW_IFINFO        "ifinfo %u"
     NGM_NETFLOW_SETDLT        "setdlt { iface = %u dlt = %u }"
     NGM_NETFLOW_SETIFINDEX    "setifindex { iface = %u index = %u }"
     NGM_NETFLOW_SETTIMEOUTS   "settimeouts { inactive = %u active = %u }"
SHUTDOWN
This node shuts down upon receipt of a NGM_SHUTDOWN control message, or
when all hooks have been disconnected.
EXAMPLES
The simplest possible configuration is one Ethernet interface, where
flow collecting is enabled.

     /usr/sbin/ngctl -f- <<-SEQ
     	mkpeer fxp0: netflow lower iface0
     	name fxp0:lower netflow
     	connect fxp0: netflow: upper out0
     	mkpeer netflow: ksocket export inet/dgram/udp
     	msg netflow:export connect inet/10.0.0.1:4444
     SEQ

This is a more complicated example of a router with 2 NetFlow-enabled
interfaces fxp0 and ng0. Note that the ng0: node in this example is
connected to ng_tee(4). The latter sends us a copy of IP packets, which
we analyze and free. On fxp0: we do not use tee, but send packets back
to the ether node.

     /usr/sbin/ngctl -f- <<-SEQ
     	# connect ng0's tee to iface0 hook
     	mkpeer ng0:inet netflow right2left iface0
     	name ng0:inet.right2left netflow
     	# set DLT to raw mode
     	msg netflow: setdlt { iface=0 dlt=12 }
     	# set interface index (5 in this example)
     	msg netflow: setifindex { iface=0 index=5 }
     	# Connect fxp0: to iface1 and out1 hook
     	connect fxp0: netflow: lower iface1
     	connect fxp0: netflow: upper out1
     	# Create ksocket node on export hook, and configure it
     	# to send exports to proper destination
     	mkpeer netflow: ksocket export inet/dgram/udp
     	msg netflow:export connect inet/10.0.0.1:4444
     SEQ
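The receiving end of the export hook above, as an added example that is not part of this manual page or the ng_netflow code: a Python parser for the NetFlow version 5 UDP datagrams the node sends to its collector, which checks the header's record count against the datagram length before unpacking records and derives the flow key the DESCRIPTION section names. The sample datagram is constructed here, not captured from a real node.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (network byte order) as emitted on the export hook:
# a 24-byte header followed by up to 30 flow records of 48 bytes each.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1", "tcp_flags",
                 "prot", "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram: bytes) -> dict:
    """Parse one v5 export datagram; reject anything that does not fit the layout."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count, uptime, secs, _, seq, _, eid, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    # Check the count against the length; trusting the count alone reads past the data.
    if count > 30 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for field in ("srcaddr", "dstaddr", "nexthop"):
            rec[field] = str(IPv4Address(rec[field]))  # 4 raw bytes -> dotted quad
        flows.append(rec)
    return {"count": count, "sysuptime": uptime, "unix_secs": secs,
            "flow_sequence": seq, "engine_id": eid, "flows": flows}


def flow_key(rec: dict) -> tuple:
    """The fields DESCRIPTION says distinguish flows (endpoint addresses, ports,
    ToS, input interface); the IP protocol is added here so TCP and UDP never merge."""
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"],
            rec["tos"], rec["input"], rec["prot"])


def build_sample() -> bytes:
    """Constructed sample (not from a real node): one TCP flow seen on input
    interface 5 that expired on FIN; tcp_flags is the OR of SYN, ACK and FIN."""
    header = V5_HEADER.pack(5, 1, 123456, 1141257600, 0, 7, 0, 0, 0)
    record = V5_RECORD.pack(IPv4Address("192.0.2.10").packed,
                            IPv4Address("198.51.100.20").packed, b"\0\0\0\0",
                            5, 0, 10, 4200, 100000, 123000, 49152, 80,
                            0, 0x13, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

To read live exports, bind a UDP socket on the port given to the ksocket node (4444 in the examples above) and pass each received datagram to parse_v5.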
SEE ALSO
netgraph(4), ng_ether(4), ng_iface(4), ng_ksocket(4), ng_tee(4),
flowctl(8), ngctl(8)

http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm
AUTHORS
The ng_netflow node type was written by Gleb Smirnoff
<glebius@FreeBSD.org>, based on ng_ipacct written by Roman V. Palagin
<romanp@unshadow.net>.
BUGS
A cache snapshot obtained via the NGM_NETFLOW_SHOW command may lack some
percentage of entries under severe load.

The ng_netflow node type does not fill in AS numbers. This is due to the
lack of the necessary information in the kernel routing table. However,
this information can be injected into the kernel from a routing daemon
such as GNU Zebra. This functionality may become available in future
releases.

BSD                             March 2, 2006