nfstream ubuntu monitor
Ubuntu host tuning:
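# Runtime tuning of the capture interface. All three commands need root, and
# none of them survives a reboot: ethtool -G and ip link changes are lost, and
# `sysctl -w` only touches the running kernel (persist it in a sysctl file).
# The interface name was hard-coded as ens161; it can now be passed as the
# first argument and still defaults to ens161.
NIC="${1:-ens161}"

# Enlarge the NIC's RX/TX descriptor rings so bursts are buffered in hardware
# instead of being dropped before the capture library sees them.
ethtool -G "$NIC" rx 4096 tx 4096

# Deepen the driver's transmit queue.
ip link set "$NIC" txqueuelen 100000

# Raise the SO_RCVBUF ceiling to 16 MiB (runtime only; same value belongs in
# the persistent sysctl settings as net.core.rmem_max).
sysctl -w net.core.rmem_max=$((1024*1024*16))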
sysctl settings:
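# Persistent kernel settings for the nfstream capture host (load with `sysctl -p`
# or drop the file into /etc/sysctl.d/). Values are the original ones except
# where a comment says "was"; review notes are hedged where the intent is not
# visible from this file alone.

fs.aio-max-nr = 524288
fs.file-max = 611160
kernel.msgmax = 131072
kernel.msgmnb = 131072
# Reboot 15 s after a kernel panic instead of hanging.
kernel.panic = 15
# NOTE(review): 65536 is far below the usual 64-bit default; a busy capture box
# can run out of PIDs sooner — confirm this limit is intentional.
kernel.pid_max = 65536
kernel.printk = 4 4 1 7
# Magic SysRq disabled: a local console cannot trigger kernel debug actions.
kernel.sysrq = 0

net.core.default_qdisc = fq
net.core.netdev_max_backlog = 262144
net.core.optmem_max = 16777216
# Added: persisted counterpart of the runtime `sysctl -w net.core.rmem_max`
# tuning command (1024*1024*16). Without it the tcp_rmem maximum below is not
# reachable after a reboot.
net.core.rmem_max = 16777216
net.core.somaxconn = 65535
net.core.wmem_max = 16777216

# ICMP redirect / source-route / spoofing hardening, applied to both the "all"
# and "default" views so existing and future interfaces get the same policy.
net.ipv4.conf.all.accept_redirects = 0
# Added: only the "default" view disabled source routing; "all" now matches it.
net.ipv4.conf.all.accept_source_route = 0
# Log packets with impossible source addresses (useful detection signal on a
# monitoring host).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# The host is a passive monitor, not a router.
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_time = 60
# NOTE(review): reported as a no-op on current kernels; harmless to keep, but
# expect an "unknown key" warning on kernels that dropped it.
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_max_orphans = 10000
net.ipv4.tcp_max_syn_backlog = 65000
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_notsent_lowat = 16384
# Drop RSTs for sockets in TIME-WAIT (RFC 1337 "TIME-WAIT assassination").
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
# NOTE(review): disabling SACK costs throughput on lossy paths; keep only if it
# is a deliberate trade-off.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_synack_retries = 2
# SYN cookies protect the listening sockets under SYN floods.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
# NOTE(review): tcp_tw_reuse depends on TCP timestamps; with timestamps
# disabled here, tw_reuse = 1 below is effectively inert. Either enable
# timestamps or drop tw_reuse so the file says what it does.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_tw_reuse = 1
# Was 0: without window scaling the TCP window is capped at 64 KiB, which
# nullifies the 16 MiB tcp_rmem/tcp_wmem maxima and most of the BBR benefit.
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_wmem = 4096 65536 16777216

# IPv6 is switched off on every interface; re-enable if the monitored segment
# carries IPv6 traffic that should reach the host itself.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

vm.dirty_background_ratio = 2
vm.dirty_ratio = 60
vm.max_map_count = 262144
# NOTE(review): 1 = always overcommit; large allocations succeed and are then
# subject to the OOM killer rather than failing early — confirm this is wanted
# on a long-running capture process.
vm.overcommit_memory = 1
vm.swappiness = 1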
NFSTREAM:
from nfstream import NFStreamer
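# Capture loop: one NFEntry dict per completed flow on the interface named by
# args.nic. `args`, `whois_cache`, `datetime_to_int`, `epoch_to_time` and
# `auth0_signal` are defined elsewhere in the script.
my_capture_streamer = NFStreamer(source=args.nic, statistical_analysis=True, splt_analysis=1)


def _flow_to_entry(flow):
    """Flatten one nfstream flow into the NFEntry dict that the loop prints.

    Args:
        flow: an nfstream flow record (the objects yielded by NFStreamer).

    Returns:
        dict with the timing, addressing, volume, application and enrichment
        fields of the flow. The process-attribution fields are kept commented
        out because the helpers they need are not defined in this snippet.
    """
    # Look the destination up once instead of twice. If whois_cache.get()
    # returns None for an address that is not cached, the original [0]/[1]
    # subscripts raised TypeError and aborted the whole capture loop; fall back
    # to None fields instead. Presumably the cache yields a (name, cidr) pair —
    # verify against its definition.
    whois = whois_cache.get(flow.dst_ip)
    whois_name, whois_cidr = (whois[0], whois[1]) if whois else (None, None)

    return {
        "epoch_first_seen": flow.bidirectional_first_seen_ms,
        "epoch_last_seen": flow.bidirectional_last_seen_ms,
        "timedate_first_seen": datetime_to_int(epoch_to_time(flow.bidirectional_first_seen_ms)),
        "timedate_last_seen": datetime_to_int(epoch_to_time(flow.bidirectional_last_seen_ms)),
        # nfstream reports the duration in milliseconds; emit seconds.
        "time_duration": flow.bidirectional_duration_ms / 1000,
        "version": flow.ip_version,
        "protocol": flow.protocol,
        "src_ip": flow.src_ip,
        "src_port": flow.src_port,
        "dst_ip": flow.dst_ip,
        "dst_port": flow.dst_port,
        "dst_mac": flow.dst_mac,
        "vlan_id": flow.vlan_id,
        "src_mac": flow.src_mac,
        "whois_destination_name": whois_name,
        "whois_destination_cidr": whois_cidr,
        # "process_name": ''.join(find_process),
        # "process_pid": find_pid[0],
        # "process_name": ''.join(retrieve_process_info(int(find_pid[0]))[0]),
        # "process_exe": ''.join(retrieve_process_info(int(find_pid[0]))[1]),
        # "process_cmd_line": ' '.join(retrieve_process_info(int(find_pid[0]))[2])[0:255],
        # "process_parent_pid": retrieve_process_info(int(find_pid[0]))[3],
        # "process_parent_name": ''.join(retrieve_process_info(int(find_pid[0]))[4]),
        # "process_create_time": retrieve_process_info(int(find_pid[0]))[5],
        "total_packets": flow.bidirectional_packets,
        "total_bytes": flow.bidirectional_bytes,
        "src2dst_packets": flow.src2dst_packets,
        "src2dst_bytes": flow.src2dst_bytes,
        "dst2src_packets": flow.dst2src_packets,
        "dst2src_bytes": flow.dst2src_bytes,
        "application_name": flow.application_name,
        "category_name": flow.application_category_name,
        # NOTE(review): dst_ip comes straight from observed traffic. If
        # auth0_signal performs a remote reputation lookup, every new
        # destination becomes an outbound request from the monitor — confirm
        # it is cached and rate-limited like whois_cache.
        "auth0_signal_badip": auth0_signal(flow.dst_ip),
    }


for flow in my_capture_streamer:
    NFEntry = _flow_to_entry(flow)
    print(NFEntry)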
Ref: https://github.com/nfstream/nfstream
API DOC: https://www.nfstream.org/docs/api
