Introduction¶
Traffic measurements are necessary to operate all types of IP networks. Network admins need a detailed view of network traffic for several reasons and some of these could be security, accounting and management. The traffic compositions have to be analysed accurately when estimating traffic metrics or when finding network problems. All of these measurements have to be made by inspecting all the packets flowing into the network trunk analysed (such as router and/or switches). This analysis could be done on the fly or by logging all the packets and than post-processing them. But with the increasing network capacities and traffic volumes this kind of approach is not suitable for the most cases. Instead similar packets (packets with a set of common properties) can be grouped together composing what are called “flow”. As an example, a flow can be composed of all packets that share the same 5-tuple, so a flow can be derived using only some fields of a network packet. On this way, similar types of traffic can be stored in a more compact format without loosing the information we are interested in. This information can be aggregated in a flow datagram and exported to a collector able to report network metrics in a user-friendly format. When collected, this information provides a detailed view of the network traffic.
Precise network metric measurements are a challenging task so hard work has been done in this field. In commercial environments, NetFlow is probably the de-facto standard for network traffic accounting and billing. NetFlow is a technology which was originally created by Cisco in 1996 and is now standardised as Internet Protocol Flow Information eXport (IPFIX - RFC 3917). NetFlow is based on the probe/collector paradigm. The probe, usually part of network appliances such as routers or switches, is deployed on the measured network segment, it sends traffic information in NetFlow format towards a central collector.
nProbe is a software NetFlow v5/v9/IPFIX probe able to collect and aggregate network traffic, and export it using the standard Cisco NetFlow v5/v9/IPFIX format. It is available for most of the OSs on the market (Windows, FreeBSD, Linux, MacOS). When installed on a PC, nProbe turns it into a Network-aware monitoring appliance. Many users, who used nProbe, realised that running a network probe on a PC is not always the best choice for several reasons:
- PCs have moving parts that can break making the probe unavailable.
- PCs are large, need monitors and keyboards, whereas probes often need to be deployed on places where there is not much space available.
- Administering PCs is not cheap and they require the purchase of an OS, its installation and maintenance.
- In large networks divided in several trunks it is necessary to have several probes each analysing a trunk. This requires that multiple PC running nProbe are deployed across the network.
- The cost (for both hardware and maintenance) of a PC + nProbe is not neglect-able in particular if several probes need to be deployed.
- In many cases, no technician are available at the monitored site and sometimes plug and play is needed.
To face these matters and to provide an All-in-One high-performance and reliable solution, nBox has been designed and developed. nBox is based on Linux OS, and thanks to an optimised Linux kernel with the PF_RING module that significantly improves the packet capture process, nBox is able to monitor and analyse network trunks at full speed without the need of hardware accelerated cards. The nProbe application has been carefully optimised and extended to run on the nBox server and deliver optimal performance.
If you are a user that does not want to bother with installing nProbe on a PC or you need to use a high performance and reliable network probe solution then you are probably an nBox user.
In some environments it would be nice to distribute light network probes on the network sending traffic information towards a central traffic analysis console such as ntopng or any other NetFlow/IPFIX compliant collector. In order to satisfy the above requirements nProbe and ntopng can be used together. nBox includes both a NetFlow probe (nProbe) and a collector (ntopng) for v5/v9/IPFIX NetFlow flows. Based on your network speed and traffic volumes different nBox server could be used. nBox can be effectively used:
- To analyse NetFlow flows generated by your border gateway.
- To replace the embedded, low-speed NetFlow probe available on your router/switch
- As a NetFlow probe that sends flows towards one or more collectors either ntopng or a commercial one (e.g. Cisco NetFlow Collector or HP-OV).
- Both as a probe and collector at the same time. ntopng can be used as collector and analyser for nProbe-generated flows.
Finally it is worth saying that nBox is quite easy to administrate using the very intuitive embedded web interface. nBox is easy to setup and it is immediately ready to use with little configuration effort.
Throughout this guide we are going to describe the main components of the nBox UI Web interface.