pmacct: passive network monitoring tools

pmacct

pmacct is a small set of multi-purpose passive network monitoring tools. It can account, classify, aggregate, replicate and export forwarding-plane data, i.e. IPv4 and IPv6 traffic; collect and correlate control-plane data via BGP and BMP; and collect infrastructure data via Streaming Telemetry. Each component works both as a standalone daemon and as a thread of execution inside another daemon for correlation purposes (e.g. enriching NetFlow records with BGP data). pmacct's main features are:


  • Suitable for ISP, IXP, CDN, IP carrier, cloud, DC and hot-spot environments and for SDN solutions
  • Runs on Linux, BSDs, Solaris and embedded systems
  • Support for both IPv4 and IPv6
  • Collects data through libpcap, Netlink/NFLOG, NetFlow v1/v5/v7/v8/v9, sFlow v2/v4/v5 and IPFIX
  • Collects Streaming Telemetry data
  • Supports Cisco NEL (NAT Event Logging) for CGNAT scenarios and Cisco NSEL (NetFlow Secure Event Logging)
  • Saves data to a number of backends including:
    • Relational databases: MySQL, PostgreSQL and SQLite
    • NoSQL databases: MongoDB and BerkeleyDB
    • AMQP message exchanges: RabbitMQ
    • Kafka message brokers
    • memory tables
    • flat files
  • Exports data to remote collectors through IPFIX, NetFlow v5/v9 and sFlow v5
  • Replicates incoming IPFIX, NetFlow and sFlow packets to remote collectors
  • Flexible architecture to tag, filter, redirect, aggregate and split captured data
  • Comes with:
    • a BGP daemon/thread for efficient visibility into the inter-domain routing plane
      • Supports BGP/MPLS VPNs (RFC 4364) and BGP Labeled Unicast (RFC 3107)
      • Supports BGP ADD-PATH (draft-ietf-idr-add-paths, now RFC 7911) for visibility of BGP multi-path routes
      • Can log live BGP messaging and/or dump BGP tables per peer at a regular time interval
    • a BMP daemon/thread to gain insight into BGP data, events and statistics
      • Supports draft-ietf-grow-bmp-loc-rib (now RFC 9069) and draft-ietf-grow-bmp-adj-rib-out (now RFC 8671) (from 1.7.1)
    • an IS-IS/IGP daemon/thread for visibility of internal routes
  • Packet classification via nDPI (from 1.7.0)
  • Inspection of tunneled traffic (e.g. GTP)
  • GeoIP lookups via the MaxMind library
  • Pluggable architecture for easy integration of new capturing environments and data backends
  • Careful SQL support: data pre-processing, triggers, dynamic table naming
  • It's free and open-source, developed and supported with passion and an open mind for more than 10 years
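To make the collect-correlate-export pipeline above concrete, here is an nfacctd configuration written for this page as an added example; it is not a file shipped with pmacct. It collects NetFlow/IPFIX over UDP, restricts which exporters are accepted, runs the BGP thread with TCP MD5 so each flow record is enriched with AS and prefix data, and writes 60-second aggregates both to a local JSON file and to a Kafka topic. The IP addresses, file paths, peer count, broker name and topic are assumptions for illustration; the directive names are pmacct's own, but check CONFIG-KEYS in your installed version before deploying.

```conf
! Added example configuration for nfacctd (not part of the pmacct distribution).
! All addresses, paths, the peer count, broker and topic below are assumptions.
daemonize: false

! Bind to the collector's management address rather than 0.0.0.0.
nfacctd_ip: 192.0.2.10
nfacctd_port: 2055

! NetFlow/IPFIX/sFlow ride on unauthenticated UDP: only accept packets from
! exporters listed in this file (one IP address per line, assumed path).
nfacctd_allow_file: /etc/pmacct/exporters.allow

! BGP thread: the exporters peer with the collector so that flows can be
! correlated with the routing table. The daemon accepts sessions passively.
bgp_daemon: true
bgp_daemon_ip: 192.0.2.10
bgp_daemon_max_peers: 10
! Per-peer TCP MD5 keys (RFC 2385) so that unauthenticated hosts cannot
! inject routes into the correlation table (assumed path).
bgp_daemon_md5_file: /etc/pmacct/bgp.md5
! Map each exporter IP to the BGP peer whose table should enrich its flows
! (assumed path).
bgp_agent_map: /etc/pmacct/bgp_agent.map

! Resolve AS numbers and prefixes from BGP rather than from the flow records.
nfacctd_as: bgp
nfacctd_net: bgp

! Two plugins fed from the same core process: a local JSON file and Kafka.
plugins: print[flows], kafka[flows]
aggregate[flows]: src_as, dst_as, peer_dst_ip, src_net, dst_net, proto, dst_port

print_output[flows]: json
print_refresh_time[flows]: 60
print_output_file[flows]: /var/log/pmacct/flows-%Y%m%d-%H%M.json

kafka_broker_host[flows]: kafka.example.net
kafka_topic[flows]: pmacct.flows
kafka_refresh_time[flows]: 60
```

Start it with `nfacctd -f /etc/pmacct/nfacctd.conf` (assumed path). The two settings a practitioner should not skip are `nfacctd_allow_file` and `bgp_daemon_md5_file`: without them anyone who can reach UDP/2055 can forge accounting records, and anyone who can reach TCP/179 on the collector can feed it a bogus routing table that then mislabels every flow.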

Download && Tutorial