User:Syoder/Monitoring

From ImageStream Router Documentation

Revision as of 20:30, 5 June 2008 by Syoder (Talk | contribs)

Aggregate Ethernet Monitoring Setup

The hardware setup uses an Ethernet tap and requires two Ethernet ports on the router for every tapped Ethernet port, so that traffic in both directions can be monitored. Our example uses Ethernet1 and Ethernet2 to receive the traffic from the tap. The two ports are bridged together so that a capture program can monitor both directions of traffic at once. Even though the hardware tap physically disconnects the transmit lines, the router still should not transmit any data on these ports. We use the split-horizon feature of bridging to prevent packets received on one port from being forwarded out the other.


Local Packet Capture Example
 
interface bvi1
 description Ethernet Ports 1+2
 no ip address
!
interface Ethernet1
 no ip address
 bridge-group 1 spanning-disabled horizon 1
!
interface Ethernet2
 no ip address
 bridge-group 1 spanning-disabled horizon 1
!

Run tcpdump -i bvi1 -w dump.cap to capture data from the bridge. The router's ramdisk has limited storage space so an add-on hard drive is recommended for captures over a few megabytes in size.
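A check worth running once the bridge is up, added here as an example and not part of the original page or of ImageStream's software: a POSIX shell function that reads interface counters in Linux /proc/net/dev format and flags any tap port whose transmit counter is non-zero, which would mean the split-horizon bridge is leaking frames back onto the tapped link. It assumes the router exposes /proc/net/dev counters under the interface names Ethernet1 and Ethernet2 (not confirmed by the page); the counter table embedded below is constructed sample data.

```shell
#!/bin/sh
# Assumption: the router exposes Linux-style /proc/net/dev counters and the tap
# ports appear there as Ethernet1 and Ethernet2.

# Constructed sample counters in /proc/net/dev format (not from a real router).
# Ethernet2 has a non-zero transmit count so the check has something to flag.
SAMPLE_DEV=$(mktemp)
trap 'rm -f "$SAMPLE_DEV"' EXIT
cat > "$SAMPLE_DEV" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
Ethernet1: 9184512  120034    0    0    0     0          0         0        0       0    0    0    0     0       0          0
Ethernet2: 8820011  118977    0    0    0     0          0         0     1234      12    0    0    0     0       0          0
Ethernet3:  102400     800    0    0    0     0          0         0 18004523  239011    0    0    0     0       0          0
EOF

# tx_packets FILE IFACE: print IFACE's transmit packet counter from FILE.
# Exit status 2 if the interface is not listed.
tx_packets() {
    awk -v ifname="$2" -F: '
        NF == 2 {
            name = $1; gsub(/[ \t]/, "", name)   # some kernels glue "name:counter"
            if (name == ifname) {
                split($2, f, " ")                # 8 receive fields, then transmit
                print f[10]                      # transmit packets
                found = 1
            }
        }
        END { if (!found) exit 2 }' "$1"
}

# check_tap_tx FILE IFACE...: return 0 if every listed tap port has a zero
# transmit counter, 1 if any port has transmitted or is missing from FILE.
check_tap_tx() {
    file=$1; shift
    status=0
    for ifc in "$@"; do
        tx=$(tx_packets "$file" "$ifc") || { echo "$ifc: not found in $file" >&2; status=1; continue; }
        if [ "$tx" -ne 0 ]; then
            echo "WARNING: $ifc has transmitted $tx packets; a tap port should be receive-only" >&2
            status=1
        fi
    done
    return $status
}

# Demo against the constructed sample; on a router use /proc/net/dev instead.
check_tap_tx "$SAMPLE_DEV" Ethernet1 Ethernet2 || echo "tap leak detected in sample data"
```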

If an external monitoring server is to be used, the captured traffic can be sent to it by simply adding the port that connects to the monitoring server to the bridge group. That port can be an Ethernet port, a VLAN interface, a WAN port or a tunnel.

External Packet Capture Example
 
interface bvi1
 description Ethernet Ports 1+2
 no ip address
!
interface Ethernet1
 no ip address
 bridge-group 1 spanning-disabled horizon 1
!
interface Ethernet2
 no ip address
 bridge-group 1 spanning-disabled horizon 1
!
interface Ethernet3
 no ip address
 bridge-group 1 spanning-disabled
!

Traffic received on the monitored ports Ethernet1 and Ethernet2 will be forwarded out Ethernet3. Ethernet3 is added without a horizon value, so it receives frames from both tap ports, while the horizon setting on Ethernet1 and Ethernet2 still keeps them from forwarding to each other.


WAN Monitoring Setup

We use a Bonder interface to provide an aggregation interface for monitoring, since Ethernet headers are not present on WAN interfaces. We must also set the Bonder's device-type to match the encapsulation of the received data.

# Special Inetics chain designed to sense PPP/Cisco HDLC headers and
# set the skb packet type so monitoring applications can properly decode
# them.
loadchain protocol_autosense.o protocol_as
!
# Attach the Inetics protocol autosensing chain to the receive DDP
# (Decoded Data Processor) processing stage. This chain detects PPP and Cisco HDLC
# protocol headers, sets the skb packet type and L2/L3 data pointers to allow packet
# capture programs like tcpdump and Wireshark to properly decode them.
# We use the DDP stage because the raw encapsulation protocol will reset our data
# pointers and set the skb packet type back to IP.
# We can use the default priority for this chain since Inetics by default does
# not perform any processing in the DDP stage.
!
interface Serial0
 encapsulation raw
 addchain protocol_as rx_ddp rx_ddp_default
 no shutdown
!
interface Serial1
 encapsulation raw
 addchain protocol_as rx_ddp rx_ddp_default
 no shutdown
!
interface Bonder0
 device-type ppp
 bond Serial0
 bond Serial1
!

Run tcpdump -i Bonder0 -w dump.cap to capture data from the Serial interfaces. The router's ramdisk has limited storage space so an add-on hard drive is recommended for captures over a few megabytes in size.
