Bridge with traffic flow forwarding for netflow and graphs

Has anybody successfully developed a system with a bridge forwarding traffic and a third network interface acting as a server for a netflow stream, for a separate machine doing network graphing? (Note: this is all on a wired network.)
I have a network which forwards about 10 mbits of traffic, with torrents, DC clients, mail, instant messaging, and all kinds of stuff, which occupies about 8 mbits all of the time.
What I want to achieve is to see who and what kind of traffic goes through this network:

  • what user gets most bandwidth?
  • what kind of traffic do they use? (ftp, http, torrent-like, DC connections, etc.) It would be enough to see the traffic split by protocol or ports used.
  • graph these.

For this I should use a traffic-flow + netflow, on a linux box.
My questions follow:

  • does anybody have real data from a setup similar to this?
  • has anybody measured CPU% during a 10 mbit load on a bridge?
  • is this even possible with a bridge, so as not to modify anything in the current setup, or do I have to implement this on the border router?
  • What kind of machine specs do I need? PC/RB? Price might be an issue, though, but if it can be done properly, not that big an issue. Also, I would prefer an MT solution to this, as I am very familiar with it, and all the network infrastructure is based on it.

As of now, my idea of doing this is to set up a bridge, and on the router's third interface (not participating in the bridge) add an IP address, and forward traffic to a Linux machine with netflow installed. If there's an easier way, please suggest it. From what I've seen on the forum, I have not seen anything usable enough for this yet.

If anybody can help me, I would really appreciate it. I'm no newbie; I can take a general guideline and implement it.

Thank you all in advance.

Just run torch on the interface you're wanting to monitor. You won't get the graphing, but you'll be able to see all the traffic and what ports/protocols/IP addresses are being used, as well as the bandwidth they are using.

:laughing:

You're kidding, right?
:smiley:

C'mon, there must be somebody who is graphing this kind of stuff…
I am willing to pay for it.

MT staff, will an article on the wiki regarding this qualify for an L6 license?

(As for Aug, please do make yourself a graph from torch… and insert it in here…)

There is this; I think it's what you want:
http://www.mikrotik.com/testdocs/ros/3.0/aaa/traffic-flow.php

Also, there is always SNMP:
http://www.mikrotik.com/testdocs/ros/2.9/root/snmp.php

I use Cacti + SNMP on every queue tree.

Thank you Normis.
I know what I need. The question still remains: can this be put on a bridge? And what would be the impact on a router with 8 to 10 mbits of traffic, 4000 - 10 000 p/s?
If nobody did it this way, I guess I'll have to do it myself and find out. If anybody did it, I would appreciate it if they shared the results.

The reason I'm asking this is: my backbone link is on a tower which is not easily accessible, and with restricted access. If I implement something that works badly or doesn't work at all, I'll be disturbing traffic for a while, and I have a few "sensitive" clients.

Hello,

3 years later, and I’m having the same issue. Hopefully someone will see this and provide some help.

I have Traffic Flow enabled and sent to a PC where I have Netflow traffic monitoring software.
I also enabled SNMP so I could read the interfaces, and so on and so forth.

I have used netflow on single ports in the past, however a bridge presents a new challenge.

The problem I have is:
I can capture data from any port, as long as it's not on a bridge. NOT if the port is on a bridge.
I can capture data from the bridge; however, this is not relevant data.

I’ve tried:
Mirroring the port and capturing the data on the mirrored port; however, the mirroring was not successful, and I'm not sure if I did it correctly.

Messy things I can think of:
Give 2 ports an address, and use src-nats to redirect the traffic from one port to the other, and vice versa. This, however, can cause some problems and I'd rather not do this.

Use a packet sniffer on the bridge, and then use the data to create graphs, connections, etc. Basically an alternative to using Netflow. But I'm really trying to get netflow to work on a bridge.

Any solutions/suggestions or help is very much appreciated.

Thank you,

Since you already have the collector, why not use it on your current central router instead of trying to set up a dedicated box in bridge mode for it? The CPU cost is minimal for it to send the data, so unless your board is already near 100% load all the time, you won't see any problems having it on the same board. I've never set it up in bridged mode, but you should just be able to enable the traffic flow service, leave it at its default "all" interfaces and let it run.

I'm trying to do this for a client, and I do not have access to their main router; I'm cutting/intercepting the wire from their LAN to the main router.

Very simple MikroTik setup:
ports 2 & 3 are bridged
e9 has a separate public IP address
netflow data is collected from the bridge and sent elsewhere (encrypted) via the public IP address on e9

So the physical setup is as follows:
From the main router to port 2 on the tik
from port 3 on the tik to their LAN (switches)

It seems to work; however, the data received cannot be distinguished as outbound/inbound, the bridge sees everything as both.

Any help? Remember you cannot collect data from a port on the bridge, only from the bridge itself.

Thank you,
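The direction problem described in the post above (the bridge exports every flow with no usable in/out interface) can be handled at the collector side: classify each flow by whether its source or destination falls inside the client's LAN prefix, then tally per-host upload/download and per-port bytes. The following is an added example (not code from the thread or from MikroTik); it assumes NetFlow v5 export and a LAN prefix of 192.0.2.0/24, and builds its own sample datagram so it runs offline.

```python
import struct
import ipaddress
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes
LAN = ipaddress.ip_network("192.0.2.0/24")        # assumed client-LAN prefix (RFC 5737 range)

def build_v5(flows):
    """Construct a NetFlow v5 datagram from (src, dst, sport, dport, proto, octets) tuples.
    Used here only to produce sample input; a real collector reads UDP from the router."""
    hdr = HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    recs = [REC.pack(ipaddress.ip_address(s).packed, ipaddress.ip_address(d).packed,
                     b"\0" * 4, 0, 0, 1, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
            for s, d, sp, dp, proto, octets in flows]
    return hdr + b"".join(recs)

def parse_v5(datagram):
    """Yield (src, dst, sport, dport, proto, octets) for each record in a v5 datagram."""
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        yield ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1]), f[9], f[10], f[13], f[6]

def classify(src, dst):
    """Recover direction from addresses, since the bridge's in/out interface fields are not usable."""
    s, d = src in LAN, dst in LAN
    return "upload" if s and not d else "download" if d and not s else "local" if s and d else "transit"

def summarise(datagram):
    """Per-LAN-host upload/download octets and per-(proto, service port) octets for one datagram."""
    per_host = defaultdict(lambda: {"upload": 0, "download": 0})
    per_port = defaultdict(int)
    for src, dst, sport, dport, proto, octets in parse_v5(datagram):
        direction = classify(src, dst)
        if direction == "upload":
            per_host[str(src)]["upload"] += octets
            per_port[(proto, dport)] += octets   # remote side port identifies the service
        elif direction == "download":
            per_host[str(dst)]["download"] += octets
            per_port[(proto, sport)] += octets
    return dict(per_host), dict(per_port)

# Constructed sample: an HTTP download to host .20, a 6881 upload from host .30, one LAN-local flow
SAMPLE = build_v5([
    ("198.51.100.10", "192.0.2.20", 80, 51000, 6, 120000),
    ("192.0.2.20", "198.51.100.10", 51000, 80, 6, 4000),
    ("192.0.2.30", "203.0.113.5", 6881, 6881, 6, 90000),
    ("192.0.2.20", "192.0.2.30", 445, 3000, 6, 5000),
])

if __name__ == "__main__":
    hosts, ports = summarise(SAMPLE)
    for host, v in sorted(hosts.items(), key=lambda kv: -sum(kv[1].values())):
        print(host, v)
    print(ports)
```

Point a UDP socket on the collector at the router's traffic-flow target port and feed each received datagram to summarise() to get the same tallies from live data.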

fanepix, it sounds like you need a network tap.

We use the Net Optics Zero Delay tap. This supports 10/100/1000Base-TX connections and will give you what you need in the way of monitoring, as it replicates every packet received on an interface to a separate monitoring interface, i.e. every packet that is received on network port A is replicated on monitor port A.

If you sit this in front of the bridge, then you can replicate all of the traffic that you want to monitor.

Regards

Tom