nProbe™ NetFlow-Lite Plugin
Implementing a NetFlow Cache for NetFlow-Lite
As previously explained in this blog post, NetFlow-Lite (NFlite)is a NetFlow-compliant flow format that encapsulates packet samples into v9/IPFIX flows. Initially implemented on Cisco 4948E switch series, it brings NetFlow visibility to switched environments. As NFlite flows encapsulate sampled packets, it is necessary to have a NFlite-to-NetFlow converted for implementing the NetFlow cache. nProbe supports NFlite in three flavours:
|NFLite Conversion Speed||Supported Platforms|
|nProbe (Standard and Pro)||25k-50k flows/sec||Unix/Windows|
|nProbe with NFLite plugin||250k-400k flows/sec||Unix/Windows|
|nProbe with NFLite plugin and PF_RING kernel module||600k-1M flows/sec||Linux Only|
The performance figures have been measured on Linux using a Core2Duo (low-end performance) and a Xeon (high-end performance) based server, over an Intel 10 Gbit interface connected to the Cisco 4948E switch.
The following section explains the difference among the above versions, and it describes how to use the various versions. In all examplex we suppose that the 4948E has IP address 220.127.116.11:32768 and it sends NFLite flows towards the collector running on a server with IP address 18.104.22.168 to UDP port 2055. We suppose that the NetFlow collector would be running on host 192.168.1.92 listening for flows on port 2056. Although on this example we use IPv4 addresses, nProbe supports both IPv4 and v6 for NFlite conversion.
NetFlow-Lite Support in nProbe (Standard and Pro)
As nProbe can act as as probe, proxy and flow collector, all nProbe versions natively support NFlite. This is because the nProbe core features a flow collector engine that understands the NFlite flow format and thus fills the nprobe cache using the packet samples encapsulated into NFlite flows. As this engine has been designed to be generic and not support just NFlite flows, it has not been optimized for NFlite. This means that flow collection speed is the one typical of a fast netflow-collector, with no NFlite optimizations. In this case you need to start nProbe as follows for converting NFlite flows and emitting them in IPFIX format (-V 10):
Note that in this collection mode:
- nProbe can listen only on a single UDP port (i.e. no multiple UDP port collection).
- Switch IP address spoofing (–sender-address) has to be specified on the command line (Unix only) and it requires nProbe to be started as root.
NetFlow-Lite Support in nProbe with NFLite plugin (no PF_RING Plugin)
In order to expedite the NFlite flow collection, nProbe can be started (the plugin is available as option) with a NetFlow-Lite plugin. In this configuration, the plugin guarantees s significantly faster flow collection speed with respect to the previous version. Furthermore it supports NFLite collection over multiple UDP ports. In this case you need to start nProbe as follows for converting NFlite flows and emitting them in IPFIX format (-V 10):
NetFlow-Lite Support in nProbe with NFLite plugin and PF_RING Plugin
The highest flow-coversion speed can be achieved on Linux platforms when using the NetFlow-Lite PF_RING kernel plugin. This plugin is bundled with the NFLite nProbe plugin and it convers NFLite flows in the Linux kernel, so that nProbe (but potentially other applications such as WireShark and snort) could be started on top of this plugin and use it for other purposes not limited to NetFlow. The plugin implements in-kernel NFLite collection and it decapsulates packet samples by sending nprobe just the encapsulated packets as if it would capture from a physical device with no NFLite encapsulation. During the decapsulation process some metadata information is passed to nProbe (e.g. source addres of the sender switch and switch interface on which the packet sample has been produced). In this case you need to start nProbe as follows for converting NFlite flows and emitting them in IPFIX format (-V 10):
Note that in this collection mode:
- ethX is the interface on which you will be receiving NFLite flows.
- nProbe performs automatic 4948E address spoofing (make sure your started nProbe as root).
- You must have compiled and loaded (as root) the PF_RING plugin as follows:
- insmod pf_ring.ko transparent_mode=1
- insmod nflite_plugin.ko
- For faster operations you need to use a PF_RING-aware driver that you can download as part of the PF_RING distribution.
NetFlow is copyright Cisco Systems.
nProbe™ is a trademark registered in USA and the European Union.
The nProbe and the NFLite plugins are available for a little fee from the e-shop web site. No-profit institutions and universities can get them at no cost.