No traffic on FastNetMon 1.2.1


Lam Nguyen Van

May 16, 2022, 10:36:21 AM
to FastNetMon user group
Hi There,
I have deployed FastNetMon 1.2.1, but when I monitor via fastnetmon_client I do not see any traffic or flows. Could you help me?


FastNetMon 1.2.1 master git-172dd8985ac9c4b4fc40208d90cb290d6e5311a1 Try Advanced edition: https://fastnetmon.com
IPs ordered by: packets
Incoming traffic             0 pps      0 mbps      0 flows

Outgoing traffic             0 pps      0 mbps      0 flows

Internal traffic             0 pps      0 mbps

Other traffic            43059 pps    261 mbps

Screen updated in:              0 sec 210 microseconds
Traffic calculated in:          0 sec 67 microseconds
Not processed packets: 0 pps
==============
/etc/fastnetmon.conf
==================
logging:local_syslog_logging = off
logging:remote_syslog_logging = on
logging:remote_syslog_server = 172.16.7.100
logging:remote_syslog_port = 514
enable_ban = off
enable_ban_ipv6 = off
process_incoming_traffic = on
process_outgoing_traffic = on
ban_details_records_count = 50
ban_time = 1900
unban_only_if_attack_finished = on
enable_subnet_counters = on
networks_list_path = /etc/networks_list
white_list_path = /etc/networks_whitelist
check_period = 1
enable_connection_tracking = on
ban_for_pps = off
ban_for_bandwidth = off
ban_for_flows = off
threshold_pps = 20000
threshold_mbps = 5000
threshold_flows = 3500
threshold_tcp_mbps = 100000
threshold_udp_mbps = 100000
threshold_icmp_mbps = 100000
threshold_tcp_pps = 100000
threshold_udp_pps = 100000
threshold_icmp_pps = 100000
ban_for_tcp_bandwidth = off
ban_for_udp_bandwidth = off
ban_for_icmp_bandwidth = off
ban_for_tcp_pps = off
ban_for_udp_pps = off
ban_for_icmp_pps = off
mirror = on
pfring_sampling_ratio = 1
mirror_netmap = off
mirror_afpacket = off
mirror_af_packet_custom_sampling_rate = 1
mirror_af_packet_fanout_mode = cpu
af_packet_read_packet_length_from_ip_header = off
netmap_sampling_ratio = 1
netmap_read_packet_length_from_ip_header = off
pcap = off
netflow = on
sflow = on
enable_pf_ring_zc_mode = off
interfaces = ens160,ens192,ens224
average_calculation_time = 1
average_calculation_time_for_subnets = 1
speed_calculation_delay = 30
netflow_port = 2055
netflow_host = 0.0.0.0
netflow_sampling_ratio = 3
sflow_port = 6343
sflow_host = 0.0.0.0
sflow_read_packet_length_from_ip_header = off
notify_script_path = /usr/local/bin/notify_about_attack.sh
notify_script_pass_details = on
collect_attack_pcap_dumps = off
process_pcap_attack_dumps_with_dpi = off
redis_enabled = off
redis_port = 6379
redis_host = 172.20.7.89
redis_prefix = fci
mongodb_enabled = off
mongodb_host = localhost
mongodb_port = 27017
mongodb_database_name = fastnetmon
exabgp = off
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114
exabgp_announce_host = on
exabgp_announce_whole_subnet = off
exabgp_flow_spec_announces = off
gobgp = off
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off
gobgp_community_host = 65001:666
gobgp_community_subnet = 65001:777
gobgp_next_hop_ipv6 = 100::1
gobgp_announce_host_ipv6 = off
gobgp_announce_whole_subnet_ipv6 = off
gobgp_community_host_ipv6 = 65001:666
gobgp_community_subnet_ipv6 = 65001:777
graphite = on
graphite_host = 172.20.7.89
graphite_port = 2003
graphite_prefix = fastnetmon
influxdb = on
influxdb_host = 172.20.7.89
influxdb_port = 8086
influxdb_database = fastnetmon
influxdb_auth = on
influxdb_user = fastnetmon
influxdb_password = '"secure'
monitor_local_ip_addresses = on
monitor_openvz_vps_ip_addresses = off
my_hosts_enable_ban = off
my_hosts_ban_for_pps = off
my_hosts_ban_for_bandwidth = off
my_hosts_ban_for_flows = off
my_hosts_threshold_pps = 20000
my_hosts_threshold_mbps = 1000
my_hosts_threshold_flows = 3500
pid_path = /var/run/fastnetmon.pid
cli_stats_file_path = /tmp/fastnetmon.dat
cli_stats_ipv6_file_path = /tmp/fastnetmon_ipv6.dat
enable_api = on
sort_parameter = packets
max_ips_in_list = 7

==============
/etc/networks_list

==========

capture.pcap
fastnetmon.log

Pavel Odintsov

May 16, 2022, 10:40:25 AM
to Lam Nguyen Van, FastNetMon user group
Hello!

Looks like packet capture works fine but all your traffic is being classified as other.

Other means traffic which is non IP or does not belong to your networks list at all.

I can recommend checking that all networks were added to the networks list.

Thank you.




--

___________

Kind regards,

Pavel Odintsov

CTO, FastNetMon LTD

fastnetmon.com


Lam Nguyen Van

May 16, 2022, 11:04:28 AM
to FastNetMon user group
Hi,

This is the content of the file networks_list. I added it but it is not working.
/etc/networks_list

Pavel Odintsov

May 16, 2022, 11:09:21 AM
to Lam Nguyen Van, FastNetMon user group
Hello!

To debug this issue I can recommend using the DUMP_ALL_PACKETS and DUMP_OTHER_PACKETS options for FastNetMon's daemon: https://fastnetmon.com/docs/fastnetmon-community-fine-tuning/

It will dump all traffic to /var/log/fastnetmon.log and you may be able to see issues.

Lam Nguyen Van

May 16, 2022, 12:09:59 PM
to FastNetMon user group
Hi,
I have dumped the results as below:

DUMP_ALL_PACKETS :  
Dump: 2022-05-16 23:00:30.000000 x.x.x.x:38872 > x.x.x.x:27017 protocol: tcp flags: psh,ack frag: 0  packets: 1 size: 206 bytes ttl: 0 sample ratio: 3
DUMP_OTHER_PACKETS:
 Dump other: 2022-05-16 23:00:19.000000 x.x.x.x:24796 > 124.158.7.230:443 protocol: tcp flags: ack frag: 0  packets: 1 size: 52 bytes ttl: 0 sample ratio: 64

Sorry to bother you, but what do the results tell us?

Pavel Odintsov

May 16, 2022, 12:12:39 PM
to Lam Nguyen Van, FastNetMon user group
Hello!

Does this traffic belong to your prefixes in networks list or not?
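
The check the replies above ask for (does either endpoint of a dumped packet fall inside a prefix from /etc/networks_list?), as an added example that is not part of the thread or of FastNetMon's own code. It assumes networks_list holds one CIDR prefix per line and that dump lines follow the IPv4 layout quoted in the thread; the incoming/outgoing/internal labels model the counters shown in the fastnetmon_client output, and all addresses are constructed.

```python
import ipaddress
import re

# IPv4 "Dump:" / "Dump other:" lines in the layout quoted in this thread.
DUMP_RE = re.compile(r"Dump(?: other)?: \S+ \S+ "
                     r"(?P<src>[\d.]+):\d+ > (?P<dst>[\d.]+):\d+ ")

def load_networks(text):
    """Parse networks_list text into (networks, rejected_lines)."""
    networks, rejected = [], []
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        try:
            networks.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            rejected.append(raw)  # not a CIDR prefix, so it matches nothing
    return networks, rejected

def classify(line, networks):
    """Return incoming/outgoing/internal/other, or None if unparseable."""
    m = DUMP_RE.search(line)
    if m is None:
        return None  # e.g. addresses redacted as x.x.x.x
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    src_ours = any(src in net for net in networks)
    dst_ours = any(dst in net for net in networks)
    if src_ours and dst_ours:
        return "internal"
    if dst_ours:
        return "incoming"
    if src_ours:
        return "outgoing"
    return "other"  # neither endpoint is covered by networks_list

# Constructed sample data (documentation ranges, not values from the thread).
SAMPLE_NETWORKS = "192.0.2.0/24\n198.51.100.0/25\n203.0.113.0-24\n"
SAMPLE_DUMP = [
    "Dump: 2022-05-16 23:00:30.000000 203.0.113.9:38872 > 192.0.2.10:27017 protocol: tcp",
    "Dump other: 2022-05-16 23:00:19.000000 203.0.113.9:24796 > 198.51.100.200:443 protocol: tcp",
    "Dump: 2022-05-16 23:00:31.000000 192.0.2.10:443 > 198.51.100.5:51000 protocol: tcp",
    "Dump: 2022-05-16 23:00:32.000000 x.x.x.x:38872 > x.x.x.x:27017 protocol: tcp",
]

if __name__ == "__main__":
    nets, bad = load_networks(SAMPLE_NETWORKS)
    print("rejected:", bad, [classify(l, nets) for l in SAMPLE_DUMP])
```

In the sample, the second line lands in "other" because 198.51.100.200 is outside the /25 that was listed, and the mistyped third prefix is rejected outright, so it covers no traffic.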
