{"id":1810,"date":"2020-12-20T12:55:23","date_gmt":"2020-12-20T11:55:23","guid":{"rendered":"https:\/\/blog.mhasin.eu\/?p=1810"},"modified":"2021-02-10T07:56:44","modified_gmt":"2021-02-10T06:56:44","slug":"nfstream-ubuntu-monitor-send-to-elasticsearch","status":"publish","type":"post","link":"https:\/\/blog.mhasin.eu\/?p=1810","title":{"rendered":"nfstream ubuntu monitor"},"content":{"rendered":"\n

Ubuntu optimize:<\/p>\n\n\n\n

ethtool -G ens161 rx 4096 tx 4096\nip link set ens161 txqueuelen 100000\nsysctl -w net.core.rmem_max=$((1024*1024*16))<\/code><\/pre>\n\n\n\n
sysctl<\/p>\n\n\n\n
fs.aio-max-nr = 524288\nfs.file-max = 611160\nkernel.msgmax = 131072\nkernel.msgmnb = 131072\nkernel.panic = 15\nkernel.pid_max = 65536\nkernel.printk = 4 4 1 7\nkernel.sysrq = 0\nnet.core.default_qdisc = fq\nnet.core.netdev_max_backlog = 262144\nnet.core.optmem_max = 16777216\nnet.core.somaxconn = 65535\nnet.core.wmem_max = 16777216\nnet.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.all.secure_redirects = 0\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.default.rp_filter = 1\nnet.ipv4.conf.default.secure_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\nnet.ipv4.ip_forward = 0\nnet.ipv4.ip_local_port_range = 1024 65535\nnet.ipv4.tcp_congestion_control = bbr\nnet.ipv4.tcp_fin_timeout = 10\nnet.ipv4.tcp_keepalive_intvl = 10\nnet.ipv4.tcp_keepalive_probes = 5\nnet.ipv4.tcp_keepalive_time = 60\nnet.ipv4.tcp_low_latency = 1\nnet.ipv4.tcp_max_orphans = 10000\nnet.ipv4.tcp_max_syn_backlog = 65000\nnet.ipv4.tcp_max_tw_buckets = 1440000\nnet.ipv4.tcp_moderate_rcvbuf = 1\nnet.ipv4.tcp_no_metrics_save = 1\nnet.ipv4.tcp_notsent_lowat = 16384\nnet.ipv4.tcp_rfc1337 = 1\nnet.ipv4.tcp_rmem = 4096 87380 16777216\nnet.ipv4.tcp_sack = 0\nnet.ipv4.tcp_slow_start_after_idle = 0\nnet.ipv4.tcp_synack_retries = 2\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_syn_retries = 2\nnet.ipv4.tcp_timestamps = 0\nnet.ipv4.tcp_tw_reuse = 1\nnet.ipv4.tcp_window_scaling = 0\nnet.ipv4.tcp_wmem = 4096 65536 16777216\nnet.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\nnet.ipv6.conf.lo.disable_ipv6 = 1\nvm.dirty_background_ratio = 2\nvm.dirty_ratio = 60\nvm.max_map_count = 262144\nvm.overcommit_memory = 1\nvm.swappiness = 1<\/code><\/pre>\n\n\n\n
NFSTREAM:<\/p>\n\n\n\n
from nfstream import NFStreamer\nmy_capture_streamer = NFStreamer(source=args.nic, statistical_analysis=True, splt_analysis=1 )\n\nfor flow in my_capture_streamer:\n                NFEntry={\n                        \"epoch_first_seen\":flow.bidirectional_first_seen_ms,\n                        \"epoch_last_seen\":flow.bidirectional_last_seen_ms,\n                        \"timedate_first_seen\":datetime_to_int(epoch_to_time(flow.bidirectional_first_seen_ms)),\n                        \"timedate_last_seen\":datetime_to_int(epoch_to_time(flow.bidirectional_last_seen_ms)),\n                        \"time_duration\":flow.bidirectional_duration_ms\/1000,\n                        \"version\":flow.ip_version,\n                        \"protocol\":flow.protocol,\n                        \"src_ip\":flow.src_ip,\n                        \"src_port\":flow.src_port,\n                        \"dst_ip\":flow.dst_ip,\n                        \"dst_port\":flow.dst_port,\n                        \"dst_mac\":flow.dst_mac,\n                        \"vlan_id\":flow.vlan_id,\n                        \"src_mac\":flow.src_mac,\n                        \"whois_destination_name\": whois_cache.get(flow.dst_ip)[0],\n                        \"whois_destination_cidr\": whois_cache.get(flow.dst_ip)[1],\n                        #\"process_name\":''.join(find_process),\n                        #\"process_pid\":find_pid[0],\n                        #\"process_name\":''.join(retrieve_process_info(int(find_pid[0]))[0]),\n                        #\"process_exe\":''.join(retrieve_process_info(int(find_pid[0]))[1]),\n                        #\"process_cmd_line\":' '.join(retrieve_process_info(int(find_pid[0]))[2])[0:255],\n                        #\"process_parent_pid\":retrieve_process_info(int(find_pid[0]))[3],\n                        #\"process_parent_name\":''.join(retrieve_process_info(int(find_pid[0]))[4]),\n                        #\"process_create_time\":retrieve_process_info(int(find_pid[0]))[5],\n                        \"total_packets\":flow.bidirectional_packets,\n                        \"total_bytes\":flow.bidirectional_bytes,\n                        \"src2dst_packets\":flow.src2dst_packets,\n !\/#@5                  \"src2dst_bytes\":flow.src2dst_bytes,\n                        \"dst2src_packets\":flow.dst2src_packets,\n                        \"dst2src_bytes\":flow.dst2src_bytes,\n                        \"application_name\":flow.application_name,\n                        \"category_name\":flow.application_category_name,\n                        \"auth0_signal_badip\":auth0_signal(flow.dst_ip)\n                }\n\n                \n                print(NFEntry)\n<\/code><\/pre>\n\n\n\n
Ref: https:\/\/github.com\/nfstream\/nfstream<\/p>\n\n\n\n
API DOC: https:\/\/www.nfstream.org\/docs\/api<\/p>\n\n\n\n
\"https:\/\/www.nfstream.org\/resources\/architecture_nfstream.png\"\/<\/figure>\n
 \t
 \t\t \t\t\"\"<\/a> \t\t  <\/span> \t\tSend article as PDF<\/span> \t\t  <\/span> \t\t \t\t \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"Ubuntu optimize: sysctl NFSTREAM: Ref: https:\/\/github.com\/nfstream\/nfstream API DOC: https:\/\/www.nfstream.org\/docs\/api    Send article as PDF   \n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"arc_restricted_post":false,"footnotes":""},"categories":[8],"tags":[],"class_list":["post-1810","post","type-post","status-publish","format-standard","hentry","category-monitoring"],"_links":{"self":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1810"}],"version-history":[{"count":5,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1810\/revisions"}],"predecessor-version":[{"id":1875,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1810\/revisions\/1875"}],"wp:attachment":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}