.\" Copyright (c) 2004-2005 Gleb Smirnoff <glebius@FreeBSD.org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 23, 2005
.Os
.Dt NG_NETFLOW 4
.Sh NAME
.Nm ng_netflow
.Nd Cisco's NetFlow implementation
.Sh SYNOPSIS
.In sys/types.h
.In netinet/in.h
.In netgraph/netflow/ng_netflow.h
.Sh DESCRIPTION
The
.Nm
node implements Cisco's NetFlow export protocol on a router running
.Fx .
The
.Nm
node listens for incoming traffic and identifies unique flows in it.
Flows are distinguished by endpoint IP addresses, TCP/UDP port numbers,
ToS and input interface.
Expired flows are exported out of the node in NetFlow version 5 UDP datagrams.
The expiration reason can be one of the following:
.Bl -dash
.It
A TCP segment with the RST or FIN flag set.
.It
Active timeout.
A flow cannot live longer than the specified period of time.
The default is 1800 seconds (30 minutes).
.It
Inactive timeout.
A flow was inactive for the specified period of time.
The default is 15 seconds.
.El
.Pp
Export information is stored in NetFlow version 5 datagrams.
.Sh HOOKS
This node type supports up to
.Dv NG_NETFLOW_MAXIFACES
hooks named
.Va iface0 , iface1 ,
etc.,
and the same number of hooks named
.Va out0 , out1 ,
etc.,
plus a single hook named
.Va export .
The node performs NetFlow accounting of data received on
.Va iface*
hooks.
If the corresponding
.Va out
hook is connected, the data is passed through to it unmodified; otherwise the data is freed.
If data is received on an
.Va out
hook, it is passed through to the corresponding
.Va iface
hook without any processing.
When a full export datagram has been built, it is sent to the
.Va export
hook.
In normal operation, the
.Va export
hook is connected to the
.Va inet/dgram/udp
hook of the
.Xr ng_ksocket 4
node.
.Sh CONTROL MESSAGES
This node type supports the generic control messages, plus the following:
.Bl -tag -width indent
.It Dv NGM_NETFLOW_INFO
Returns some node statistics and the current timeout values in a
.Vt "struct ng_netflow_info" .
.It Dv NGM_NETFLOW_IFINFO
Returns information about the
.Va iface Ns Ar N
hook.
The hook number is passed as an argument.
.It Dv NGM_NETFLOW_SETDLT
Sets the data link type on the
.Va iface Ns Ar N
hook.
Currently, the supported types are raw IP datagrams and Ethernet.
This message type uses
.Vt "struct ng_netflow_setdlt"
as an argument:
.Bd -literal -offset 4n
struct ng_netflow_setdlt {
uint16_t iface; /* which iface to operate on */
uint8_t dlt; /* DLT_XXX from bpf.h */
};
.Ed
.Pp
The requested
.Va iface Ns Ar N
hook must already be connected, otherwise the message send operation will
return an error.
.It Dv NGM_NETFLOW_SETIFINDEX
In some cases,
.Nm
may be unable to determine the input interface index of a packet.
This can happen if traffic enters the
.Nm
node before it reaches the system interface's input queue.
An example of such a setup is capturing traffic
.Em between
a synchronous data line and
.Xr ng_iface 4 .
In this case, the input interface index should be associated with the given hook.
The interface's index can be determined via
.Xr if_nametoindex 3
from userland.
This message requires
.Vt "struct ng_netflow_setifindex"
as an argument:
.Bd -literal -offset 4n
struct ng_netflow_setifindex {
u_int16_t iface; /* which iface to operate on */
u_int16_t index; /* new index */
};
.Ed
.Pp
The requested
.Va iface Ns Ar N
hook must already be connected, otherwise the message
send operation will return an error.
.It Dv NGM_NETFLOW_SETTIMEOUTS
Sets the NetFlow active and inactive timeouts, in seconds.
This message requires
.Vt "struct ng_netflow_settimeouts"
as an argument:
.Bd -literal -offset 4n
struct ng_netflow_settimeouts {
uint32_t inactive_timeout;
uint32_t active_timeout;
};
.Ed
.It Dv NGM_NETFLOW_SHOW
This control message asks a node to dump the entire contents of the flow cache.
It is sent by
.Xr flowctl 8 ,
rather than directly from
.Xr ngctl 8 .
.El
.Sh ASCII CONTROL MESSAGES
Most binary control messages have an
.Tn ASCII
equivalent.
The supported
.Tn ASCII
commands are:
.Pp
.Bl -tag -width ".Dv NGM_NETFLOW_SETTIMEOUTS" -compact
.It Dv NGM_NETFLOW_INFO
.Qq Li info
.It Dv NGM_NETFLOW_IFINFO
.Qq Li "ifinfo %u"
.It Dv NGM_NETFLOW_SETDLT
.Qq Li "setdlt { iface = %u dlt = %u }"
.It Dv NGM_NETFLOW_SETIFINDEX
.Qq Li "setifindex { iface = %u index = %u }"
.It Dv NGM_NETFLOW_SETTIMEOUTS
.Qq Li "settimeouts { inactive = %u active = %u }"
.El
.Sh SHUTDOWN
This node shuts down upon receipt of a
.Dv NGM_SHUTDOWN
control message, or when all hooks have been disconnected.
.Sh EXAMPLES
The simplest possible configuration is one Ethernet interface, where
flow collecting is enabled.
.Bd -literal -offset indent
/usr/sbin/ngctl -f- <<-SEQ
mkpeer fxp0: netflow lower iface0
name fxp0:lower netflow
connect fxp0: netflow: upper out0
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/10.0.0.1:4444
SEQ
.Ed
.Pp
This is a more complicated example of a router with 2 NetFlow-enabled
interfaces
.Li fxp0
and
.Li ng0 .
Note that the
.Va ng0:
node in this example is connected to
.Xr ng_tee 4 .
The latter sends us a copy of the IP packets, which we analyze and then free.
On
.Va fxp0:
we do not use a tee node, but send packets back to the ether node.
.Bd -literal -offset indent
/usr/sbin/ngctl -f- <<-SEQ
# connect ng0's tee to iface0 hook
mkpeer ng0:inet netflow right2left iface0
name ng0:inet.right2left netflow
# set DLT to raw mode
msg netflow: setdlt { iface=0 dlt=12 }
# set interface index (5 in this example)
msg netflow: setifindex { iface=0 index=5 }
# Connect fxp0: to iface1 and out1 hook
connect fxp0: netflow: lower iface1
connect fxp0: netflow: upper out1
# Create ksocket node on export hook, and configure it
# to send exports to proper destination
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/10.0.0.1:4444
SEQ
.Ed
.Sh SEE ALSO
.Xr flowctl 8 ,
.Xr netgraph 4 ,
.Xr ng_ksocket 4 ,
.Xr ng_tee 4 ,
.Xr ngctl 8
.Pp
.Pa http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm
.Sh AUTHORS
.An -nosplit
The
.Nm
node type was written by
.An Gleb Smirnoff Aq glebius@FreeBSD.org ,
based on
.Nm ng_ipacct
written by
.An Roman V. Palagin Aq romanp@unshadow.net .
.Sh BUGS
The
.Nm
node type does not fill in AS numbers.
This is due to the lack of the necessary information in the kernel routing table.
However, this information can be injected into the kernel from a routing daemon
such as GNU Zebra.
This functionality may become available in future releases.