Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yes, You Too Can Be an Evil Network Overlord With OpenBSD

Posted by Unknown on from the using-pflow-for-fun-and-profit dept.

badger.foo writes "Have you ever wanted to know what's really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree. Peter Hansteen shares some monitoring insights, anecdotes and practical advice in his latest column on how to really know your network. All of it with free software, of course." From the article: " The NetFlow protocol was invented at Cisco in the early 1990s. It's designed to collect traffic metadata, where the basic unit of reference is the flow, defined as the source and destination IP address pair, the matching source and destination port for protocols that use them, the protocol identifier, time started and ended, number of packets sent, number of bytes sent, and a few other fields that have varied somewhat over the NetFlow versions. ... On OpenBSD, various netflow sensors and collectors had been available for a while when the new network pseudo device pflow debuted in OpenBSD 4.5."

49 comments

  1. Ho Humm by ClownPenis · · Score: 1

    Is this news? It is certainly nerdy.

    1. Re:Ho Humm by Anonymous Coward · · Score: 1

      Post it on soylentnews and see what we/us think...

    2. Re:Ho Humm by davester666 · · Score: 1

      You have to know this stuff and think it is for children if you want a job at the NSA.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. WHAT by Anonymous Coward · · Score: 0

    network admins can see and log what happens on their network

    as much as i love OpenBSD and like seeing them in the news.. this is... sad

    1. Re:WHAT by Anonymous Coward · · Score: 0

      Correction: they can see and log what happens on their network ... after the fact!

      One of the most annoying attributes of Netflow is that it only reports flows after the connection is closed? WAN link is suddenly getting choked? You're better off doing a netstat to see who's using it, because Netflow won't show it until that multi-gigabyte download has completed.

  3. Fake characters by SinaSa · · Score: 1

    Why is this post full of fake characters?

    --
    --
    The last digit of pi is four.
  4. All thanks to OpenBSD, eh? by Kichigai+Mentat · · Score: 5, Informative

    This isn't news. This isn't news at all! And it isn't even remotely shocking. TCP/IP tells you where a packet came from and where it wants to go, so that information is pretty easy to sniff, and originally Ethernet was just one big coax cable and everyone just shouted into, hoping the other machine would hear them, so it's no shock that something like this could sit on the network and collect all this data. There's nothing inherent about OpenBSD that makes this special.

    --
    Rawr
    1. Re:All thanks to OpenBSD, eh? by hobarrera · · Score: 1

      Plus, OpenBSD 4.5 is about ... 5 years old, or something like that!

    2. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 0

      Ah, the good old vampire taps in 10Base Coax, brings back memories.

    3. Re:All thanks to OpenBSD, eh? by buchner.johannes · · Score: 1

      Yes, all you need is tcpdump, punchcards and butterflies.

      What do you use then to limit the bandwidth to/from certain sources, and monitor the bandwidth of certain types of traffic, e.g. on Linux? A port of this would be useful. In my usage scenario, a few hundred users share a upstream network, and the traffic from a few (youtube, streams) can dominate the others, making web pages slow for the others. A fair distribution would be nice, but when fewer users are online, the full bandwidth should be available.

      I only know iptables, which is too low-level and static, and you can't give it into users/administrators hand (so many things can go wrong). For analysis I use ntop so far (which does hang sometimes, requiring restarts). A really interactive tool for traffic shaping would be needed.

      pflow/nsfen seems to be the right thing for BSD. Is there something good for Linux?

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 1

      OpenBSD 4.5 is when support for the NetFlow protocol was introduced... as mentioned in the article sourced by this /. entry.

    5. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 0

      NetFlow support is significant to those who know why.

      You, obviously, don't know why.

      Perhaps you should find out why.

    6. Re:All thanks to OpenBSD, eh? by Kichigai+Mentat · · Score: 1

      I haven't a clue. Maybe there is, maybe there isn't. All I know is that there's nothing about BSD itself that makes this possible, so it seems reasonable to assume that such tools exist or can be created on other platforms.

      --
      Rawr
    7. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 0

      On Linux it's "tc" to manipulate traffic control settings (bandwidth etc). For everything else it's iptables/nftables.

    8. Re:All thanks to OpenBSD, eh? by buttfuckinpimpnugget · · Score: 0

      Yeah, except that it works TODAY on OpenBSD. Go ahead, do it on FreeBSD or Linux RIGHT NOW!!! Thats what I thought. Nothing special save for that's where the fucking work was done.

    9. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 1

      It isn't that no other tool exists, it's that it's done well compared.

      Same with pf vs iptables.

      Get a pf configuration file, and an iptables configuration file. Show the two to someone who doesn't know much about routing. They will likely be able to tell what the pf file is doing, and be clueless about the iptables file.

    10. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 0

      You made this "all thanks to OpenBSD". Someone explains how to do something with software and you didn't. Is it supposed to be shocking? How highly your garbage comment is moderated is indicative of mindless masses here.

    11. Re:All thanks to OpenBSD, eh? by Anonymous Coward · · Score: 0

      Seems like you just don't know much of anything at all!

  5. Re:Really? by Anonymous Coward · · Score: 3, Insightful

    Still not nearly as useless as SlashBI, though!

  6. Metadata = Spying! by mythosaz · · Score: 3, Funny

    It's designed to collect traffic metadata, where the basic unit of reference is the flow, defined as the source and destination IP address pair, the matching source and destination port for protocols that use them, the protocol identifier, time started and ended, number of packets sent, number of bytes sent, and a few other fields that have varied somewhat over the NetFlow versions.

    Alert the authorities. The three-letter folks want to get some of this metadata!

  7. Uh by Anonymous Coward · · Score: 0

    Wireshark is free as well... Decodes the entire "scary" detail... I use Agilent LAN-advisor to build realtime traffic maps on a custom made promiscuous stealth switch, to log all packet headers... Protocol analysers are da bomb....

  8. Good by eneville · · Score: 2

    Despite the other comments in this thread I'm going to stick my neck out and say "Excellent". OpenBSD pf/carp was an excellent piece of work, it's great to see the obvious being implemented in a nice way that makes sense. Why all the hate?

    --
    Why UNIX?
    1. Re:Good by Anonymous Coward · · Score: 0

      Because this isn't 1995. This looks like someone ignorant of this kind of network analysis just found out about it and is all torqued up because of the whole NSA type stuff. "OMG! Look at the kind of info you can collect!" I hope this person is running on a single-user computer, because imagine their surprise if they find out what you can see with a root/admin account!

  9. oh yeah well wait until the hear about SNMP by trybywrench · · Score: 1

    just wait until they discover ( re-discover ) SNMP and all the hooks in there. Reminds me of the time our local news discovered, with horror, IRC.

    --
    I came to the datacenter drunk with a fake ID, don't you want to be just like me?
    1. Re:oh yeah well wait until the hear about SNMP by jon3k · · Score: 1

      Yeah I don't get it, NetFlow is news? We (and everyone else) has been using this in production environments for about 20 years.

  10. Network monitoring software by Anonymous Coward · · Score: 0

    Nowadays there is other software that is way more powerful and can tell you a lot about what is going on in your network.

    A popular example is bro - which is (more or less) a scripting language for network traffic and in its default configuration parses smtp, http, etc. and puts the contents in log-files...

  11. huh? by epyT-R · · Score: 1

    Wouldn't just about everyone who comes here know what netflow is? Why openbsd? netflow is available everywhere now.

    1. Re:huh? by wonkey_monkey · · Score: 2

      Wouldn't just about everyone who comes here know what netflow is?

      Not that I disagree that this isn't particularly newsworthy, but why would you assume most people who come here would know what netflow is?

      There was no entrance exam when I registered...

      --
      systemd is Roko's Basilisk.
  12. Does your OS do that? NOT by lesuth · · Score: 0
    The comments so far are full of assumptions. Let's highlight this a bit more and find out if it is really news...

    Does your OS provide tracking data, at the device-driver level, to help your loaded software provide you a near real-time view of your network traffic?

    If you have to put a port in promiscuous mode or use a hub (instead of a switch), then you are slowing down your near real-time view.

    TCPDUMP? Not!

    SNMP v1? v1.1? v2? Are you really going to risk that data on the network? Network data increases with SNMP too?

    Yes, there are some tricks to get near real-time views of your network traffic without adding to the bandwidth and risking certain data, but OpenBSD's new PFLOW device, introduced in this article, makes it easy! So, is it news? Yes!

    But, the first comment is correct, too... it *is* nerdy. CCNA Network Engineers are always nerdy. I have only met a few of us that go to the gym on a regular basis. Some of us are ex-military, so it is ingrained.

    1. Re:Does your OS do that? NOT by Anonymous Coward · · Score: 0

      So it is news in that using it is described in a 2011 book, where that book was in its 2nd edition in 2011. So, news maybe, but 3+ year-old news.

    2. Re:Does your OS do that? NOT by lesuth · · Score: 0

      And now I'm informed! Thanks. I like the tech.

  13. but... I'm already a network overlord... by David_Hart · · Score: 2

    Does this mean that I need BSD to become Evil.....?

  14. Free tools to be a network overlord.... by Anonymous Coward · · Score: 0

    I think that security onion takes the cake in this realm.

  15. Re:but... I'm already a network overlord... by genner · · Score: 4, Funny

    Does this mean that I need BSD to become Evil.....?

    No but it helps.

  16. US CERT FloCon - A yearly convention about Netflow by Anonymous Coward · · Score: 0

    Proceedings for the past 10 years are available:

    http://www.cert.org/flocon/

  17. Dumb alignment joke incoming by gman003 · · Score: 1

    OpenBSD is for Evil Network Admins. OK, I can accept that. So what would Windows be for? Lawful Evil, I would assume. Same for OS X. Extending that, Linux might work for True Neutral, or maybe Chaotic Good. HURD is obviously Chaotic Neutral or Chaotic Evil.

    1. Re:Dumb alignment joke incoming by ruir · · Score: 1

      and iOS is for Elves...

  18. Make this about pflow not evil overlord crap... by Anonymous Coward · · Score: 0

    All kinds of "netflow" techs have been available on most distros for a while. I'd read about pflow vs NetFlow rather then see this linked to EVIL SPYING crap.

    It is monitoring 101.

    For the interested:
    Have a look at nfsen/nfdump (nfsen.sourceforge.net) and the plugins (nfsen-plugins.sourceforge.net). SURFMap and nfsight are amazing.

  19. I ,for one, by Ukab+the+Great · · Score: 1

    welcome our new evil OpenBSD network overlords.

  20. nProbe works great! by Anonymous Coward · · Score: 0

    But my version is ancient.
    Can someone upload and post a link to the latest nProbe proplugins tarball?
    It is GPL so you are free to redistribute it. It would mean a lot, thanks :)

  21. Nobody is saying that this is "news" by plasticsquirrel · · Score: 3, Insightful

    This is an article helping people understand more about tools that ship in OpenBSD, and how they can be used in neat ways. Maybe you don't find anything informative or interesting, but I did and many others may too. Computing is a broad field, and not everyone has exposure to these networking tools. This is the sort of thing that should be on Slashdot, rather than "Why aren't there more female computer science majors so we can drive down wages?" type of "news items."

    --
    Systemd: the PulseAudio of init systems
  22. Worst way to do it... by evilviper · · Score: 1

    This is just a basic "How-to use Netflow on OpenBSD". Nothing more.

    IMHO, Netflow is interesting ONLY if you have no other way to gather info from hardware routers/switches. It's the only protocol likely to be supported.

    If, however, you can just mirror a port you're interested in (eg. the uplink), as you already would be doing with an IDS and similar, you don't need to bother with Netflow. Instead, you can get all the info you could want, with trivial ease, just by installing and running BandwidthD-2.x: http://bandwidthd.sourceforge....

    Anybody can set it up in 15 minutes, and immediately get a user-friendly web page with all the throughput and billing info you'd want, at any resolution you like. If you need in-depth detail, you just need to dive into querying the database directly.

    I'm anxiously awaiting software-defined networking taking over, and freeing us from all the horrible limitations and lock-in of expensive network gear. Until then, do everything you can with a computer, and traffic monitoring is absolutely one of those.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:Worst way to do it... by ruir · · Score: 1

      I prefer to use netflow if the equipment supports it. Port mirroring is all fine and dandy with low volumes of traffic, however for higher volumes you dont have much of a choice. Netflow tracks the transactions for you, whilst with mirroring with will have to deal with fragmentation and maintaining tables of TCP flows. And with mirroring you will received much more data. Netflow used to be a CPU hog on the router side, nowadays the load is barely notable, and they will send off summaries of the flows/transactions. The protocols is quite simple to use, at least up until v7. v9 upwards is unnecessarily complicated imo.

  23. You don't say ... by Anonymous Coward · · Score: 0

    Now, that's daemonic!

  24. Yeah.. by Anonymous Coward · · Score: 0

    Last night i mixed up my rectal thermometer with my toothbrush,... ..at least one my ass is clean