Security Management

  • 1.  Jflow linux or VM Collector doubt

    Posted 12-11-2017 06:21

    Hi everybody,

    This may be a simple and easy question for you but I'm new in this. I have an SRX1400 cluster and I would like to generate flow statistics for outgoing internet traffic. Which free jflow collector tool would you recommend me? it could be a vm install or a linux based collector (this would be better for me).

    Thanks in advance for your comments.

    Regards,

    Luis


    #netflow
    #JFlow
    #SRX


  • 2.  RE: Jflow linux or VM Collector doubt
    Best Answer

    Posted 12-12-2017 05:08

    The interface is not great but the open source project nfsen does have a pretty full feature flow collector that I've used with Juniper equipment before.

     

    http://nfsen.sourceforge.net

     



  • 3.  RE: Jflow linux or VM Collector doubt

    Posted 12-20-2017 08:26

    Hi Spuluka,

    I've installed nfsen in a CentOS server and it's working perfect. Thanks for the advice man Smiley Happy now I'm not able to configure the Jflow lol

    The problem now is that I'm receiving the following error in nfsen:

    Dec 20 17:15:25 localhost sfcapd[1853]: SFLOW: unexpected datagram version number#012 (source IP = X.X.X.X) 00-09-00-03-<*>-5A-8D-80-1F-5A-3A-8B-49-00-00-00-07-01#01200-00-00-00-01-00-18-01-00-00-04-00-08-00-01-00#01200-00-23-00-01-00-22-00-04-00-00-01-00-00-0C-02#01200-00-00-64-00-00-00-00-00-00-5C-01-04-00-15-00#01208-00-04-00-0C-00-04-00-05-00-01-00-04-00-01-00#01207-00-02-00-0B-00-02-00-20-00-02-00-0A-00-04-00#01209-00-01-00-0D-00-01-00-10-00-04-00-11-00-04-00#01212-00-04-00-06-00-01-00-0E-00-04-00-0F-00-04-00#01201-00-04-00-02-00-04-00-16-00-04-00-15-00-04-00
Dec 20 17:15:25 localhost sfcapd[1853]: SFLOW: caught exception: 2

    Do you know why?

    I've configured nfsend like this:

    %sources = (
'JuniperSRX' => { 'port' => '9996', 'IP' => 'X.X.X.X', 'type' => 'sflow', 'col' => '#0000ff' },
'XR1' => { 'port' => '9997', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#ff0000' },
);

    Do you know if it's sflow or netflow for Juniper???? Do i have to export it as version9 or ipfix?? I'm a little confused and I can't find any info regarding that.

    Thanks in advance.

    Regards,

    Luis

     

     



  • 4.  RE: Jflow linux or VM Collector doubt

    Posted 12-20-2017 14:11

    On the SRX we configured jflow which is equivilent to netflow not sflow.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16677

     



  • 5.  RE: Jflow linux or VM Collector doubt

    Posted 12-21-2017 06:13

    Thanks Spuluka, now it's working Smiley Happy

    Just for the record if anyone has a similar doubt in the future I leave the configuration below:

    SRX1400

    set forwarding-options sampling instance instance1 input rate 100
set forwarding-options sampling instance instance1 input run-length 0
set forwarding-options sampling instance instance1 family inet output flow-server X.X.X.X port 9996
set forwarding-options sampling instance instance1 family inet output flow-server X.X.X.X version9 template ipv4-test
set forwarding-options sampling instance instance1 family inet output inline-jflow source-address X.X.X.X
set services flow-monitoring version9 template ipv4-test ipv4-template

set interfaces ge-0/0/0 unit 1 family inet sampling input
set interfaces ge-0/0/0 unit 1 family inet sampling output

    Nfsen

    %sources = (
    'JuniperSRX'        => { 'port' => '9996', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#0000ff' },
    'ASR1000'               => { 'port' => '9997', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#ff0000' },
);


    Thanks for your help Smiley Happy

    Regards,

    Luis



  • 6.  RE: Jflow linux or VM Collector doubt

     
    Posted 12-19-2017 21:31

    Hi Folks,

    Just my 2 cents on this..

     

    NetFlow Traffic Analyzer from SolarWinds is also a good one.