Slashdot: News for Nerds

Yes, You Too Can Be an Evil Network Overlord With OpenBSD

Unknown Lamer posted about 5 months ago | from the using-pflow-for-fun-and-profit dept.

Networking 49

badger.foo writes "Have you ever wanted to know what's really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree. Peter Hansteen shares some monitoring insights, anecdotes and practical advice in his latest column on how to really know your network. All of it with free software, of course." From the article: " The NetFlow protocol was invented at Cisco in the early 1990s. It's designed to collect traffic metadata, where the basic unit of reference is the flow, defined as the source and destination IP address pair, the matching source and destination port for protocols that use them, the protocol identifier, time started and ended, number of packets sent, number of bytes sent, and a few other fields that have varied somewhat over the NetFlow versions. ... On OpenBSD, various netflow sensors and collectors had been available for a while when the new network pseudo device pflow debuted in OpenBSD 4.5."

49 comments

Ho Humm (1)

ClownPenis (1315157) | about 5 months ago | (#46362087)

Is this news? It is certainly nerdy.

Re:Ho Humm (1)

Anonymous Coward | about 5 months ago | (#46362199)

Post it on soylentnews and see what we/us think...

Re:Ho Humm (1)

davester666 (731373) | about 5 months ago | (#46365411)

You have to know this stuff and think it is for children if you want a job at the NSA.

WHAT (0)

Anonymous Coward | about 5 months ago | (#46362091)

network admins can see and log what happens on their network

as much as i love OpenBSD and like seeing them in the news.. this is... sad

Re:WHAT (0)

Anonymous Coward | about 5 months ago | (#46364225)

Correction: they can see and log what happens on their network ... after the fact!

One of the most annoying attributes of Netflow is that it only reports flows after the connection is closed? WAN link is suddenly getting choked? You're better off doing a netstat to see who's using it, because Netflow won't show it until that multi-gigabyte download has completed.
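The summary defines a flow by its key fields (address pair, port pair, protocol), its start and end times and its packet and byte counts, and the comment above points out that a flow record only appears once the flow has ended or timed out. The following is an added example, not code from Peter Hansteen's column or from OpenBSD's pflow: a small NetFlow-style aggregator in Python over constructed packet metadata. The timeouts, the flow records and the sample traffic are all assumptions made for the illustration; real exporters use configurable active and idle timeouts, and this toy uses the same two mechanisms so you can see why a long download stays invisible to the collector until its active timeout or its FIN.

```python
"""NetFlow-style flow aggregation over constructed packet metadata.

Added example, not code from the linked article or from OpenBSD's pflow.
Flows are keyed on the fields the summary lists (src/dst IP, src/dst port,
protocol); each record tracks first/last seen, packet and byte counts, and
is "exported" only when the flow ends (TCP FIN/RST) or a timeout expires.
"""
from dataclasses import dataclass

ACTIVE_TIMEOUT = 60.0  # seconds a flow may live before a record is cut (assumed value)
IDLE_TIMEOUT = 15.0    # seconds without packets before a record is cut (assumed value)


@dataclass
class Flow:
    key: tuple           # (src, dst, sport, dport, proto)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def flow_key(pkt):
    """Port fields only exist for protocols that use them (TCP/UDP)."""
    proto = pkt["proto"]
    if proto in ("tcp", "udp"):
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], proto)
    return (pkt["src"], pkt["dst"], None, None, proto)


class FlowTable:
    def __init__(self, active_timeout=ACTIVE_TIMEOUT, idle_timeout=IDLE_TIMEOUT):
        self.active = {}      # key -> Flow still being accumulated
        self.exported = []    # finished Flow records, in export order
        self.active_timeout = active_timeout
        self.idle_timeout = idle_timeout

    def _export(self, key):
        self.exported.append(self.active.pop(key))

    def expire(self, now):
        """Cut records whose active or idle timeout has elapsed at time `now`."""
        for key, flow in list(self.active.items()):
            if (now - flow.first_seen >= self.active_timeout
                    or now - flow.last_seen >= self.idle_timeout):
                self._export(key)

    def observe(self, pkt):
        self.expire(pkt["ts"])
        key = flow_key(pkt)
        flow = self.active.get(key)
        if flow is None:
            flow = Flow(key, pkt["ts"], pkt["ts"])
            self.active[key] = flow
        flow.last_seen = pkt["ts"]
        flow.packets += 1
        flow.octets += pkt["len"]
        # A FIN or RST ends the TCP flow, so its record is exported at once.
        flags = pkt.get("flags", "")
        if pkt["proto"] == "tcp" and ("F" in flags or "R" in flags):
            self._export(key)


def build_sample_packets():
    """Constructed packet metadata (not a real capture): one DNS exchange,
    then a 75-second TCP download of 1400-byte segments ending with a FIN."""
    pkts = [
        {"ts": 0.0, "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 53000,
         "dport": 53, "proto": "udp", "len": 70},
        {"ts": 0.01, "src": "10.0.0.1", "dst": "10.0.0.5", "sport": 53,
         "dport": 53000, "proto": "udp", "len": 120},
    ]
    for t in range(1, 76):
        pkts.append({"ts": float(t), "src": "203.0.113.9", "dst": "10.0.0.5",
                     "sport": 443, "dport": 45000, "proto": "tcp", "len": 1400,
                     "flags": "FA" if t == 75 else "A"})
    return pkts


def replay(packets, until=None):
    """Feed packets (up to timestamp `until`) into a fresh table and return it."""
    table = FlowTable()
    for pkt in packets:
        if until is not None and pkt["ts"] > until:
            break
        table.observe(pkt)
    return table


if __name__ == "__main__":
    t30 = replay(build_sample_packets(), until=30)
    print("exported by t=30:", [(f.key[4], f.packets) for f in t30.exported])
    print("still active at t=30:", [(f.key[4], f.packets) for f in t30.active.values()])
    full = replay(build_sample_packets())
    print("exported at end:", [(f.key[4], f.packets, f.octets) for f in full.exported])
```

Replaying only up to t=30 shows the point of the comment: both DNS records have already been exported by the idle timeout, while the 30 packets of the download sit unexported in the active table. Over the full trace the download produces two records, one cut by the active timeout after 60 packets and a final one of 15 packets closed by the FIN, so a collector that only looks at exported records sees nothing about that transfer for the first minute.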

Fake characters (1)

SinaSa (709393) | about 5 months ago | (#46362119)

Why is this post full of fake characters?

Really? (-1)

Anonymous Coward | about 5 months ago | (#46362159)

This article is almost as useless as Slashdot Beta.
 
Almost.

Re:Really? (3, Insightful)

Anonymous Coward | about 5 months ago | (#46362181)

Still not nearly as useless as SlashBI, though!

All thanks to OpenBSD, eh? (5, Informative)

Kichigai Mentat (588759) | about 5 months ago | (#46362163)

This isn't news. This isn't news at all! And it isn't even remotely shocking. TCP/IP tells you where a packet came from and where it wants to go, so that information is pretty easy to sniff, and originally Ethernet was just one big coax cable that everyone just shouted into, hoping the other machine would hear them, so it's no shock that something like this could sit on the network and collect all this data. There's nothing inherent about OpenBSD that makes this special.

Re:All thanks to OpenBSD, eh? (1)

hobarrera (2008506) | about 5 months ago | (#46362281)

Plus, OpenBSD 4.5 is about ... 5 years old, or something like that!

Re:All thanks to OpenBSD, eh? (1)

Anonymous Coward | about 5 months ago | (#46363109)

OpenBSD 4.5 is when support for the NetFlow protocol was introduced... as mentioned in the article sourced by this /. entry.

Re:All thanks to OpenBSD, eh? (0)

Anonymous Coward | about 5 months ago | (#46362433)

Ah, the good old vampire taps in 10Base Coax, brings back memories.

Re:All thanks to OpenBSD, eh? (1)

buchner.johannes (1139593) | about 5 months ago | (#46362785)

Yes, all you need is tcpdump, punchcards and butterflies.

What do you use then to limit the bandwidth to/from certain sources, and monitor the bandwidth of certain types of traffic, e.g. on Linux? A port of this would be useful. In my usage scenario, a few hundred users share an upstream network, and the traffic from a few (youtube, streams) can dominate the others, making web pages slow for the others. A fair distribution would be nice, but when fewer users are online, the full bandwidth should be available.

I only know iptables, which is too low-level and static, and you can't put it into users'/administrators' hands (so many things can go wrong). For analysis I use ntop so far (which does hang sometimes, requiring restarts). A really interactive tool for traffic shaping would be needed.

pflow/nfsen seem to be the right thing for BSD. Is there something good for Linux?

Re:All thanks to OpenBSD, eh? (1)

Kichigai Mentat (588759) | about 5 months ago | (#46363131)

I haven't a clue. Maybe there is, maybe there isn't. All I know is that there's nothing about BSD itself that makes this possible, so it seems reasonable to assume that such tools exist or can be created on other platforms.

Re:All thanks to OpenBSD, eh? (1)

buttfuckinpimpnugget (662332) | about 5 months ago | (#46363337)

Yeah, except that it works TODAY on OpenBSD. Go ahead, do it on FreeBSD or Linux RIGHT NOW!!! That's what I thought. Nothing special save for that's where the fucking work was done.

Re:All thanks to OpenBSD, eh? (1)

Anonymous Coward | about 5 months ago | (#46363713)

It isn't that no other tool exists, it's that it's done well compared.

Same with pf vs iptables.

Get a pf configuration file, and an iptables configuration file. Show the two to someone who doesn't know much about routing. They will likely be able to tell what the pf file is doing, and be clueless about the iptables file.

Re:All thanks to OpenBSD, eh? (0)

Anonymous Coward | about 4 months ago | (#46365761)

Seems like you just don't know much of anything at all!

Re:All thanks to OpenBSD, eh? (0)

Anonymous Coward | about 5 months ago | (#46363237)

On Linux it's "tc" to manipulate traffic control settings (bandwidth etc). For everything else it's iptables/nftables.

Re:All thanks to OpenBSD, eh? (0)

Anonymous Coward | about 5 months ago | (#46363125)

NetFlow support is significant to those who know why.

You, obviously, don't know why.

Perhaps you should find out why.

Nice post, but the ID is missing (-1)

Anonymous Coward | about 5 months ago | (#46363631)

I can't send a link to my friends so that they can read this message. The stupid Beta strikes again. How do we disable it?

nProbe works great! (0)

Anonymous Coward | about 5 months ago | (#46364385)

But my version is ancient.
Can someone upload and post a link to the latest nProbe proplugins tarball?
It is GPL so you are free to redistribute it. It would mean a lot, thanks :)

Nobody is saying that this is "news" (3, Insightful)

plasticsquirrel (637166) | about 5 months ago | (#46365009)

This is an article helping people understand more about tools that ship in OpenBSD, and how they can be used in neat ways. Maybe you don't find anything informative or interesting, but I did and many others may too. Computing is a broad field, and not everyone has exposure to these networking tools. This is the sort of thing that should be on Slashdot, rather than "Why aren't there more female computer science majors so we can drive down wages?" type of "news items."

Re:All thanks to OpenBSD, eh? (0)

Anonymous Coward | about 4 months ago | (#46365757)

You made this "all thanks to OpenBSD". Someone explains how to do something with software and you didn't. Is it supposed to be shocking? How highly your garbage comment is moderated is indicative of mindless masses here.

fuck beta (-1)

Anonymous Coward | about 5 months ago | (#46362297)

fuck beta

Tor is building an anonymous instant messenger (-1)

Anonymous Coward | about 5 months ago | (#46362321)

Tor is building an anonymous instant messenger

"Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching[1].

Tor[2], the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents[3] produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."

http://slashdot.org/submission... [slashdot.org]

[1] http://www.dailydot.com/techno... [dailydot.com]
[2] https://www.torproject.org/ [torproject.org]
[3] https://trac.torproject.org/pr... [torproject.org]

Metadata = Spying! (3, Funny)

mythosaz (572040) | about 5 months ago | (#46362363)

It's designed to collect traffic metadata, where the basic unit of reference is the flow, defined as the source and destination IP address pair, the matching source and destination port for protocols that use them, the protocol identifier, time started and ended, number of packets sent, number of bytes sent, and a few other fields that have varied somewhat over the NetFlow versions.

Alert the authorities. The three-letter folks want to get some of this metadata!

Uh (0)

Anonymous Coward | about 5 months ago | (#46362373)

Wireshark is free as well... Decodes the entire "scary" detail... I use Agilent LAN-advisor to build realtime traffic maps on a custom made promiscuous stealth switch, to log all packet headers... Protocol analysers are da bomb....

Good (2)

eneville (745111) | about 5 months ago | (#46362391)

Despite the other comments in this thread I'm going to stick my neck out and say "Excellent". OpenBSD pf/carp was an excellent piece of work, it's great to see the obvious being implemented in a nice way that makes sense. Why all the hate?

Re:Good (0)

Anonymous Coward | about 5 months ago | (#46362479)

Because this isn't 1995. This looks like someone ignorant of this kind of network analysis just found out about it and is all torqued up because of the whole NSA type stuff. "OMG! Look at the kind of info you can collect!" I hope this person is running on a single-user computer, because imagine their surprise if they find out what you can see with a root/admin account!

oh yeah well wait until they hear about SNMP (1)

trybywrench (584843) | about 5 months ago | (#46362441)

just wait until they discover (re-discover) SNMP and all the hooks in there. Reminds me of the time our local news discovered, with horror, IRC.

Re:oh yeah well wait until they hear about SNMP (1)

jon3k (691256) | about 5 months ago | (#46362655)

Yeah I don't get it, NetFlow is news? We (and everyone else) have been using this in production environments for about 20 years.

Network monitoring software (0)

Anonymous Coward | about 5 months ago | (#46362507)

Nowadays there is other software that is way more powerful and can tell you a lot about what is going on in your network.

A popular example is bro [bro.org] - which is (more or less) a scripting language for network traffic and in its default configuration parses smtp, http, etc. and puts the contents in log-files...

huh? (1)

epyT-R (613989) | about 5 months ago | (#46362575)

Wouldn't just about everyone who comes here know what netflow is? Why openbsd? netflow is available everywhere now.

Re:huh? (2)

wonkey_monkey (2592601) | about 5 months ago | (#46363403)

Wouldn't just about everyone who comes here know what netflow is?

Not that I disagree that this isn't particularly newsworthy, but why would you assume most people who come here would know what netflow is?

There was no entrance exam when I registered...

Does your OS do that? NOT (0)

lesuth (2998957) | about 5 months ago | (#46362791)

The comments so far are full of assumptions. Let's highlight this a bit more and find out if it is really news...

Does your OS provide tracking data, at the device-driver level, to help your loaded software provide you a near real-time view of your network traffic?

If you have to put a port in promiscuous mode or use a hub (instead of a switch), then you are slowing down your near real-time view.

TCPDUMP? Not!

SNMP v1? v1.1? v2? Are you really going to risk that data on the network? Network data increases with SNMP too?

Yes, there are some tricks to get near real-time views of your network traffic without adding to the bandwidth and risking certain data, but OpenBSD's new PFLOW device, introduced in this article, makes it easy! So, is it news? Yes!

But, the first comment is correct, too... it *is* nerdy. CCNA Network Engineers are always nerdy. I have only met a few of us that go to the gym on a regular basis. Some of us are ex-military, so it is ingrained.

Re:Does your OS do that? NOT (0)

Anonymous Coward | about 5 months ago | (#46363009)

So it is news in that using it is described in a 2011 book [openbsdsupport.com.ar], where that book was in its 2nd edition in 2011. So, news maybe, but 3+ year-old news.

Re:Does your OS do that? NOT (1)

lesuth (2998957) | about 4 months ago | (#46367799)

And now I'm informed! Thanks. I like the tech.

but... I'm already a network overlord... (2)

David_Hart (1184661) | about 5 months ago | (#46363123)

Does this mean that I need BSD to become Evil.....?

Re:but... I'm already a network overlord... (4, Funny)

genner (694963) | about 5 months ago | (#46363201)

Does this mean that I need BSD to become Evil.....?

No but it helps.

Free tools to be a network overlord.... (0)

Anonymous Coward | about 5 months ago | (#46363157)

I think that security onion takes the cake in this realm.

US CERT FloCon - A yearly convention about Netflow (0)

Anonymous Coward | about 5 months ago | (#46363301)

Proceedings for the past 10 years are available:

http://www.cert.org/flocon/

Dumb alignment joke incoming (1)

gman003 (1693318) | about 5 months ago | (#46363657)

OpenBSD is for Evil Network Admins. OK, I can accept that. So what would Windows be for? Lawful Evil, I would assume. Same for OS X. Extending that, Linux might work for True Neutral, or maybe Chaotic Good. HURD is obviously Chaotic Neutral or Chaotic Evil.

Re:Dumb alignment joke incoming (1)

ruir (2709173) | about 4 months ago | (#46365971)

and iOS is for Elves...

Make this about pflow not evil overlord crap... (0)

Anonymous Coward | about 5 months ago | (#46363933)

All kinds of "netflow" techs have been available on most distros for a while. I'd read about pflow vs NetFlow rather than see this linked to EVIL SPYING crap.

It is monitoring 101.

For the interested:
Have a look at nfsen/nfdump (nfsen.sourceforge.net) and the plugins (nfsen-plugins.sourceforge.net). SURFMap and nfsight are amazing.

I, for one, (1)

Ukab the Great (87152) | about 5 months ago | (#46364375)

welcome our new evil OpenBSD network overlords.

Worst way to do it... (1)

evilviper (135110) | about 5 months ago | (#46365099)

This is just a basic "How-to use Netflow on OpenBSD". Nothing more.

IMHO, Netflow is interesting ONLY if you have no other way to gather info from hardware routers/switches. It's the only protocol likely to be supported.

If, however, you can just mirror a port you're interested in (eg. the uplink), as you already would be doing with an IDS and similar, you don't need to bother with Netflow. Instead, you can get all the info you could want, with trivial ease, just by installing and running BandwidthD-2.x: http://bandwidthd.sourceforge.... [sourceforge.net]

Anybody can set it up in 15 minutes, and immediately get a user-friendly web page with all the throughput and billing info you'd want, at any resolution you like. If you need in-depth detail, you just need to dive into querying the database directly.

I'm anxiously awaiting software-defined networking taking over, and freeing us from all the horrible limitations and lock-in of expensive network gear. Until then, do everything you can with a computer, and traffic monitoring is absolutely one of those.

Re:Worst way to do it... (1)

ruir (2709173) | about 4 months ago | (#46365981)

I prefer to use netflow if the equipment supports it. Port mirroring is all fine and dandy with low volumes of traffic, however for higher volumes you don't have much of a choice. Netflow tracks the transactions for you, whilst with mirroring you will have to deal with fragmentation and maintaining tables of TCP flows. And with mirroring you will receive much more data. Netflow used to be a CPU hog on the router side, nowadays the load is barely notable, and they will send off summaries of the flows/transactions. The protocol is quite simple to use, at least up until v7. v9 upwards is unnecessarily complicated imo.

You don't say ... (0)

Anonymous Coward | about 4 months ago | (#46365941)

Now, that's daemonic!

Yeah.. (0)

Anonymous Coward | about 4 months ago | (#46366519)

Last night i mixed up my rectal thermometer with my toothbrush,... ..at least one my ass is clean
