Re: pf visualization
Stuart Henderson wrote:
> On 2008-08-29, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote:
>> Thanks, I'll have a look into it. Maybe you could send me canacar's
>> diff, so I can test it while I'm on it. I'd definitely prefer pfflowd
>> over softflowd.
>
> here you go; it's needed for kernels from after the network hackathon.

Yay! I've been hoping someone would post such a patch for some time, so thanks for this, and canacar, if you're reading, thanks for the patch.

That said, it seems[0] to be a pretty comprehensive patch, which fixes pfflowd and could well be a candidate for becoming pfflowd-0.8. I am aware that the original author, Damien Miller, is a dev, and is subscribed to the list. I do not doubt that there is a good reason he has not so far brought pfflowd up to date in the original tarball, and created pfflowd-0.8; I suspect this is mostly down to time, and I realise he probably has many better things to do. However, there may be other reasons, such as a lack of testing.

As such: Damien, is there any way, such as testing this or any other patches, that I might help you in bringing your version of pfflowd up to date? If testing, what tests other than compiling and running a patched version? I am a sysadmin rather than a coder, but I will happily do anything I can to assist you.

Dave Wilson.

[0] Although granted, what I know about programming could fit on the back of an envelope.
Re: pf visualization
On 2008-08-29, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote: > Thanks, I'll have a look into it. Maybe you could send me canacar's > diff, so I can test it while I'm on it. I'd definitely prefer pfflowd > over softflowd. here you go; it's needed for kernels from after the network hackathon. Index: Makefile === RCS file: /cvs/ports/net/pfflowd/Makefile,v retrieving revision 1.8 diff -u -p -r1.8 Makefile --- Makefile28 Jun 2008 08:30:00 - 1.8 +++ Makefile25 Jul 2008 14:29:14 - @@ -1,10 +1,9 @@ # $OpenBSD: Makefile,v 1.8 2008/06/28 08:30:00 ajacoutot Exp $ -BROKEN=needs to cope with recent network changes - COMMENT= PF to NetFlow converter DISTNAME= pfflowd-0.7 +PKGNAME= ${DISTNAME}p0 CATEGORIES=net MASTER_SITES= http://www.mindrot.org/files/pfflowd/ Index: patches/patch-pfflowd_c === RCS file: patches/patch-pfflowd_c diff -N patches/patch-pfflowd_c --- /dev/null 1 Jan 1970 00:00:00 - +++ patches/patch-pfflowd_c 25 Jul 2008 14:29:14 - 
@@ -0,0 +1,182 @@ +$OpenBSD$ +--- pfflowd.c.orig Fri Jun 13 02:40:21 2008 pfflowd.c Fri Jun 13 02:56:30 2008 +@@ -210,14 +210,14 @@ connsock(struct sockaddr *addr, socklen_t len) + } + + static void +-format_pf_host(char *buf, size_t n, struct pf_state_host *h, sa_family_t af) ++format_pf_addr(char *buf, size_t n, const struct pf_addr *h, sa_family_t af) + { + const char *err = NULL; + + switch (af) { + case AF_INET: + case AF_INET6: +- if (inet_ntop(af, &h->addr, buf, n) == NULL) ++ if (inet_ntop(af, h, buf, n) == NULL) + err = strerror(errno); + break; + default: +@@ -253,7 +253,8 @@ send_netflow_v1(const struct pfsync_state *st, u_int n + + hdr = (struct NF1_HEADER *)packet; + for(num_packets = offset = j = i = 0; i < n; i++) { +- struct pf_state_host src, dst; ++ const struct pf_addr *src, *dst; ++ u_int16_t src_port, dst_port; + u_int32_t bytes_in, bytes_out; + u_int32_t packets_in, packets_out; + char src_s[64], dst_s[64], rt_s[64], pbuf[16], creation_s[64]; +@@ -300,19 +301,23 @@ send_netflow_v1(const struct pfsync_state *st, u_int n + creation = uptime_ms; /* Avoid u_int wrap */ + + if (st[i].direction == PF_OUT) { +- memcpy(&src, &st[i].lan, sizeof(src)); +- memcpy(&dst, &st[i].ext, sizeof(dst)); ++ src = &st[i].key[PF_SK_WIRE].addr[1]; ++ dst = &st[i].key[PF_SK_WIRE].addr[0]; ++ src_port = st[i].key[PF_SK_WIRE].port[1]; ++ dst_port = st[i].key[PF_SK_WIRE].port[0]; + } else { +- memcpy(&src, &st[i].ext, sizeof(src)); +- memcpy(&dst, &st[i].lan, sizeof(dst)); ++ src = &st[i].key[PF_SK_STACK].addr[0]; ++ dst = &st[i].key[PF_SK_STACK].addr[1]; ++ src_port = st[i].key[PF_SK_STACK].port[0]; ++ dst_port = st[i].key[PF_SK_STACK].port[1]; + } + + flw = (struct NF1_FLOW *)(packet + offset); + if (netflow_socket != -1 && st[i].packets[0][0] != 0) { +- flw->src_ip = src.addr.v4.s_addr; +- flw->dest_ip = dst.addr.v4.s_addr; +- flw->src_port = src.port; +- flw->dest_port = dst.port; ++ flw->src_ip = src->v4.s_addr; ++ flw->dest_ip = dst->v4.s_addr; ++ flw->src_port = 
src_port; ++ flw->dest_port = dst_port; + flw->flow_packets = st[i].packets[0][0]; + flw->flow_octets = st[i].bytes[0][0]; + flw->flow_start = htonl(uptime_ms - creation); +@@ -325,10 +330,10 @@ send_netflow_v1(const struct pfsync_state *st, u_int n + } + flw = (struct NF1_FLOW *)(packet + offset); + if (netflow_socket != -1 && st[i].packets[1][0] != 0) { +- flw->src_ip = dst.addr.v4.s_addr; +- flw->dest_ip = src.addr.v4.s_addr; +- flw->src_port = dst.port; +- flw->dest_port = src.port; ++ flw->src_ip = dst->v4.s_addr; ++ flw->dest_ip = src->v4.s_addr; ++ flw->src_port = dst_port; ++ flw->dest_port = src_port; + flw->flow_packets = st[i].packets[1][0]; + flw->flow_octets = st[i].bytes[1][0]; + flw->flow_start = htonl(uptime_ms - creation); +@@ -352,17 +357,17 @@ send_netflo
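Review bot: the two direction branches in the send_netflow_v1 hunk (PF_OUT taking key[PF_SK_WIRE] with addr[1]/port[1] as source and addr[0]/port[0] as destination, PF_IN taking key[PF_SK_STACK] with addr[0]/port[0] as source) encode two conventions that are not obvious from the code and carry no comment: why the array indices swap between the branches, and why outbound states are read from the wire-side key while inbound states are read from the stack-side key. The removed lines exported st[i].lan as source for PF_OUT and st[i].ext as source for PF_IN; a short comment above the if/else stating which side of a NAT translation the new key selection reports, and whether that matches the old lan/ext semantics, would let testers compare exported flows against the pre-patch output instead of guessing. Something like "/* wire key for outbound: addr[1] is the source as seen on the wire */" on each branch would do. Separately, the patch as reproduced here stops mid-header at "@@ -352,17 +357,17 @@ send_netflo", while the new-file header announces 182 added lines, so the remaining hunks of patches/patch-pfflowd_c cannot be reviewed from this copy and should be re-posted in full before the port is unmarked BROKEN.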
Re: pf visualization
On Thu, 2008-08-28 at 16:03 +, Stuart Henderson wrote:
> >
> > Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
> > ntop ;)
>
> the nfdump/nfprofile tools (also in ports) are interesting too,
> there's a web interface NfSen which is yet to be ported but can
> be manually installed without huge trouble. they need to work
> with a collector; our low-overhead one (pfflowd) needs mending
> to work with the changes to PF (hmm, now where did I put
> canacar's diff for that...) but there is also pcap-based
> softflowd which should be ok (I haven't tried it on the pflog
> interface, but if it works, that's probably the best way to
> use it, and if it doesn't work like that, it's relatively
> easy to add).

Thanks, I'll have a look into it. Maybe you could send me canacar's diff, so I can test it while I'm on it. I'd definitely prefer pfflowd over softflowd.
Re: pf visualization
On Thu, 2008-08-28 at 11:52 -0400, Jason Dixon wrote:
> >
> > Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
> > ntop ;)
>
> If I ever get off my lazy ass and finish/package it up, maybe this?
>
> http://www.netflowdashboard.com/demo/

http://www.netflowdashboard.com/download/ is down ;)

> P.S. I just noticed it's actually somewhat useful in lynx as well. Go
> figure. :)

Looks nice. I guess you'd need pfflowd on the firewall and have the dashboard somewhere else?
Re: pf visualization
On 8/28/08 10:22 AM, Parvinder Bhasin wrote:
> perhaps pfsysinfo and pfstat. Some of the stuff you'll have to make
> your own graphs.
>
> -Parvinder Bhasin
>
> On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:
>
>> I am curious what tools people here use to visualize pf-generated logs
>> and/or live traffic. What I'm basically looking for is a tool that
>> provides various stats about a pf firewall "usage" in a graphical way,
>> but not only 'bytes in/bytes out' (I have that using snmp/cacti) but
>> more detailed stuff like protocol and port distribution, IP based stats
>> and whatnot.
>>
>> Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
>> ntop ;)
>>

Gave up on pfstat because of a need to watch multiple interfaces. Currently using packetmischief's pf MIB with cacti:

http://www.packetmischief.ca/openbsd/snmp/#pfmib

It's working OK.

dn
Re: pf visualization
On Thu, Aug 28, 2008 at 12:25 PM, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> On Thu, Aug 28, 2008 at 9:52 AM, Jason Dixon <[EMAIL PROTECTED]> wrote:
> > If I ever get off my lazy ass and finish/package it up, maybe this?
> >
> > http://www.netflowdashboard.com/demo/
>
> VERY nice and simple Jason--which, unfortunately, is such a rarity.
> Here's to you getting your second wind ;) .
>
> This would be a great asset to me.
Re: pf visualization
perhaps pfsysinfo and pfstat. Some of the stuff you'll have to make your own graphs.

-Parvinder Bhasin

On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:

> I am curious what tools people here use to visualize pf-generated logs
> and/or live traffic. What I'm basically looking for is a tool that
> provides various stats about a pf firewall "usage" in a graphical way,
> but not only 'bytes in/bytes out' (I have that using snmp/cacti) but
> more detailed stuff like protocol and port distribution, IP based stats
> and whatnot.
>
> Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
> ntop ;)
>
> Stephan
Re: pf visualization
On Thu, Aug 28, 2008 at 9:52 AM, Jason Dixon <[EMAIL PROTECTED]> wrote:
> If I ever get off my lazy ass and finish/package it up, maybe this?
>
> http://www.netflowdashboard.com/demo/

VERY nice and simple Jason--which, unfortunately, is such a rarity. Here's to you getting your second wind ;) .
Re: pf visualization
On 2008-08-28, Stephan A. Rickauer <[EMAIL PROTECTED]> wrote:
> I am curious what tools people here use to visualize pf-generated logs
> and/or live traffic. What I'm basically looking for is a tool that
> provides various stats about a pf firewall "usage" in a graphical way,
> but not only 'bytes in/bytes out' (I have that using snmp/cacti) but
> more detailed stuff like protocol and port distribution, IP based stats
> and whatnot.
>
> Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
> ntop ;)

argus (in ports/net - http://qosient.com/argus/, as opposed to the other argus which is a server monitoring program) is a good collector/recorder. It has programs that can do some analysis on the data, but you need to generate graphs yourself some way or other.

The nfdump/nfprofile tools (also in ports) are interesting too; there's a web interface, NfSen, which is yet to be ported but can be manually installed without huge trouble. They need to work with a collector; our low-overhead one (pfflowd) needs mending to work with the changes to PF (hmm, now where did I put canacar's diff for that...) but there is also pcap-based softflowd which should be ok (I haven't tried it on the pflog interface, but if it works, that's probably the best way to use it, and if it doesn't work like that, it's relatively easy to add).
Re: pf visualization
On Thu, Aug 28, 2008 at 03:24:37PM +, Stephan A. Rickauer wrote:
> I am curious what tools people here use to visualize pf-generated logs
> and/or live traffic. What I'm basically looking for is a tool that
> provides various stats about a pf firewall "usage" in a graphical way,
> but not only 'bytes in/bytes out' (I have that using snmp/cacti) but
> more detailed stuff like protocol and port distribution, IP based stats
> and whatnot.
>
> Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and
> ntop ;)

If I ever get off my lazy ass and finish/package it up, maybe this?

http://www.netflowdashboard.com/demo/

P.S. I just noticed it's actually somewhat useful in lynx as well. Go figure. :)

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
pf visualization
I am curious what tools people here use to visualize pf-generated logs and/or live traffic. What I'm basically looking for is a tool that provides various stats about a pf firewall "usage" in a graphical way, but not only 'bytes in/bytes out' (I have that using snmp/cacti) but more detailed stuff like protocol and port distribution, IP based stats and whatnot.

Thanks for any ideas beyond pftop, tcpdump, hatched, darkstat and ntop ;)

Stephan