Handling Traffic Directions with sFlow/NetFlow/IPFIX


Network interfaces natively distinguish the RX and TX directions, so tools such as ntopng can detect the direction of packet traffic and display it accordingly.

In the picture above, taken from the ntopng top menubar, TX traffic is depicted in blue and RX in green. All simple.

Now suppose you need to analyse sFlow/NetFlow/IPFIX flows and want to understand how much traffic leaves and enters your network. For example, suppose you generate IPFIX flows on your Internet gateway: how much of that traffic is sent to the Internet and how much is received from it? With flow analysis we know the direction at the interface level (i.e. flow X has been received on interfaceId 5 and sent on interfaceId 3), but how do we map interfaces to global traffic directions?

In the latest dev packages you can give nProbe this information by specifying the list of your local networks. Observed traffic sent by a local host to a remote host is considered TX, whereas everything else is considered RX: this includes remote-to-local traffic, but by the same rule also local-to-local and remote-to-remote flows, so the list should describe the boundary whose ingress and egress you want to measure. For example, suppose that your 192.168.1.0/24 and 172.16.0.0/16 networks are monitored by observing flows on the Internet gateway. To assign directions based on IP addresses, run the following (flows are collected on port 2055 and sent via ZMQ to ntopng running on the same host as nProbe):

nprobe --collector-port 2055 -n none --zmq tcp://127.0.0.1:1234 --local-networks "192.168.1.0/24,172.16.0.0/16"

and

ntopng -i tcp://127.0.0.1:1234

This way, when nProbe runs in collector mode (--collector-port), the flow direction is set automatically using the list of local networks. When ntopng receives the flows, it uses the direction carried in each flow as set by nProbe, with no further configuration on the ntopng side (e.g. no --local-networks is needed there).

Note that:

  • flow direction works not only for flow collection but also when generating flows by sniffing packets, so you can have a comprehensive solution for both flow-based and packet-based traffic analysis.
  • you can have multiple nProbe instances sending flows to the same ntopng, and each nProbe instance computes the flow direction locally on the probe against its own local-network list. This allows you to monitor heterogeneous/overlapping networks.
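The direction rule described above, together with the per-probe computation mentioned in the last note, as an added Python example. This is not code from nProbe or ntopng; it reimplements the stated rule (local source and remote destination means TX, anything else RX) over a few constructed unidirectional flow records, and then shows how two probes with different local-network lists can label the same flow differently, which is what makes overlapping deployments work. The probe names, flow records and byte counts are invented for illustration; the rule generalises to IPv6 prefixes because Python's ipaddress module handles both families.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as exported by NetFlow/IPFIX."""
    src: str
    dst: str
    bytes: int


def parse_local_networks(spec):
    """Parse a comma-separated CIDR list in the --local-networks format."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in spec.split(",") if n.strip()]


def is_local(addr, local_nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)


def flow_direction(flow, local_nets):
    """TX only when a local host sends to a remote host; everything else is RX,
    including local-to-local and remote-to-remote flows."""
    if is_local(flow.src, local_nets) and not is_local(flow.dst, local_nets):
        return "TX"
    return "RX"


def account(flows, local_nets):
    """Sum bytes per direction for the flows one probe observed."""
    totals = {"TX": 0, "RX": 0}
    for f in flows:
        totals[flow_direction(f, local_nets)] += f.bytes
    return totals


def per_probe_accounting(probes):
    """probes maps a probe name to (local-network spec, flows it collected).
    Each probe labels direction with its own list, so overlapping or disjoint
    local networks across probes do not interfere with each other."""
    return {name: account(flows, parse_local_networks(spec))
            for name, (spec, flows) in probes.items()}


# Constructed sample flows (not captured data); addresses are documentation ranges.
LOCAL_NETS = parse_local_networks("192.168.1.0/24,172.16.0.0/16")
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "203.0.113.5", 1500),    # local -> Internet: TX
    Flow("203.0.113.5", "192.168.1.10", 45000),   # Internet -> local: RX
    Flow("172.16.5.7", "203.0.113.10", 80),       # local -> Internet: TX
    Flow("192.168.1.10", "172.16.5.7", 2000),     # local -> local: RX by the rule
    Flow("198.51.100.1", "203.0.113.9", 700),     # remote -> remote: RX by the rule
]

# Two hypothetical probes with different local-network lists seeing the same flow.
SHARED_FLOW = Flow("192.168.1.10", "172.16.5.7", 100)
PROBES = {
    "gw-a": ("192.168.1.0/24", [SHARED_FLOW]),   # 172.16.5.7 is remote here: TX
    "gw-b": ("172.16.0.0/16", [SHARED_FLOW]),    # 192.168.1.10 is remote here: RX
}

if __name__ == "__main__":
    print(account(SAMPLE_FLOWS, LOCAL_NETS))
    print(per_probe_accounting(PROBES))
```

Running the block prints 1580 bytes TX and 47700 bytes RX for the sample flows, and shows the shared flow counted as TX by gw-a but RX by gw-b, which is why ntopng can accept directions from several probes without a local-network list of its own.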

Enjoy!