pmacct: passive network monitoring tools
pmacct
pmacct is a small set of multi-purpose passive network monitoring tools. It can account, classify, aggregate, replicate and export forwarding-plane data, i.e. IPv4 and IPv6 traffic; collect and correlate control-plane data via BGP and BMP; and collect infrastructure data via Streaming Telemetry. Each component works both as a standalone daemon and as a thread of execution for correlation purposes (e.g. enriching NetFlow with BGP data). pmacct's main features are:
- Suitable for ISP, IXP, CDN, IP carrier, Cloud, DC and hot-spot environments and SDN solutions
- Runs on Linux, BSDs, Solaris and embedded systems
- Support for both IPv4 and IPv6
- Collects data through libpcap, Netlink/NFLOG, NetFlow v1/v5/v7/v8/v9, sFlow v2/v4/v5 and IPFIX
- Collects Streaming Telemetry data
- Supports Cisco NEL for CGNAT scenarios and Cisco NSEL
- Saves data to a number of backends including:
  - Relational databases: MySQL, PostgreSQL and SQLite
  - noSQL databases: MongoDB and BerkeleyDB
  - AMQP message exchanges: RabbitMQ
  - Kafka message brokers
  - memory tables
  - flat files
- Exports data to remote collectors through IPFIX, NetFlow v5/v9 and sFlow v5
- Replicates incoming IPFIX, NetFlow and sFlow packets to remote collectors
- Flexible architecture to tag, filter, redirect, aggregate and split captured data
- Comes with:
  - a BGP daemon/thread for efficient visibility into the inter-domain routing plane
    - Supports BGP/MPLS VPNs (RFC 4364) and Labeled Unicast (RFC 3107)
    - Supports BGP ADD-PATH (draft-ietf-idr-add-paths) for visibility of BGP multi-path routes
    - Can log live BGP messaging and/or dump BGP tables per peer at a regular time interval
  - a BMP daemon/thread to gain insight into BGP data, events and statistics
    - Supports draft-ietf-grow-bmp-loc-rib and draft-ietf-grow-bmp-adj-rib-out (from 1.7.1)
  - an IS-IS/IGP daemon/thread for visibility of internal routes
- Packet classification via nDPI (from 1.7.0)
- Inspection of tunneled traffic (e.g. GTP)
- GeoIP lookups leveraging the MaxMind library
- Pluggable architecture for easy integration of new capturing environments and data backends
- Careful SQL support: data pre-processing, triggers, dynamic table naming
- It’s free, open-source, developed and supported with passion and an open mind for more than 10 years