nProbe™ NetFlow-Lite Plugin

Implementing a NetFlow Cache for NetFlow-Lite


As previously explained in this blog post, NetFlow-Lite (NFlite)is a NetFlow-compliant flow format that encapsulates packet samples into v9/IPFIX flows. Initially implemented on Cisco 4948E switch series, it brings NetFlow visibility to switched environments. As NFlite flows encapsulate sampled packets, it is necessary to have a NFlite-to-NetFlow converted for implementing the NetFlow cache. nProbe supports NFlite in two flavours:

 

NFLite Conversion Speed Supported Platforms
nProbe with NFLite plugin 250k-400k flows/sec Unix/Windows
nProbe with NFLite plugin and PF_RING kernel module 600k-1M flows/sec Linux Only

 

The performance figures have been measured on Linux using a Core2Duo (low-end performance) and a Xeon (high-end performance) based server, over an Intel 10 Gbit interface connected to the Cisco 4948E switch.

The following section explains the difference among the above versions, and it describes how to use the various versions. In all examplex we suppose that the 4948E has IP address 1.2.3.4:32768 and it sends NFLite flows towards the collector running on a server with IP address 1.2.3.5 to UDP port 2055. We suppose that the NetFlow collector would be running on host 192.168.1.92 listening for flows on port 2056. Although on this example we use IPv4 addresses, nProbe supports both IPv4 and v6 for NFlite conversion.

NetFlow-Lite Support in nProbe with NFLite plugin (no PF_RING Plugin)


In order to expedite the NFlite flow collection, nProbe can be started (the plugin is available as option) with a NetFlow-Lite plugin. In this configuration, the plugin guarantees s significantly faster flow collection speed with respect to the previous version. Furthermore it supports NFLite collection over multiple UDP ports. In this case you need to start nProbe as follows for converting NFlite flows and emitting them in IPFIX format (-V 10):

nprobe –nflite 2055:16 -i none -n 192.168.1.92:2056 -V 10 –sender-address 1.2.3.4:32768

NetFlow-Lite Support in nProbe with NFLite plugin and PF_RING Plugin


The highest flow-coversion speed can be achieved on Linux platforms when using the NetFlow-Lite PF_RING kernel plugin. This plugin is bundled with the NFLite nProbe plugin and it convers NFLite flows in the Linux kernel, so that nProbe (but potentially other applications such as WireShark and snort) could be started on top of this plugin and use it for other purposes not limited to NetFlow. The plugin implements in-kernel NFLite collection and it decapsulates packet samples by sending nprobe just the encapsulated packets as if it would capture from a physical device with no NFLite encapsulation. During the decapsulation process some metadata information is passed to nProbe (e.g. source addres of the sender switch and switch interface on which the packet sample has been produced). In this case you need to start nProbe as follows for converting NFlite flows and emitting them in IPFIX format (-V 10):

nprobe –nflite 2055:16 -i ethX -n 192.168.1.92:2056 -V 10

Note that in this collection mode:

  • ethX is the interface on which you will be receiving NFLite flows.
  • nProbe performs automatic 4948E address spoofing (make sure your started nProbe as root).
  • You must have compiled and loaded (as root) the PF_RING plugin as follows:
    • insmod pf_ring.ko transparent_mode=1
    • insmod nflite_plugin.ko
  • For faster operations you need to use a PF_RING-aware driver that you can download as part of the PF_RING distribution.

Credits


NetFlow is copyright Cisco Systems.
nProbe™ is a trademark registered in USA and the European Union.

Get It


The nProbe is available for a little fee from the e-shop web site. No-profit institutions and universities can get them at no cost.