FastNetMon community fine tuning

DUMP_ALL_PACKETS will enable all packets to be dumped to /var/log/fastnetmon.log. It’s very useful as a testing tool on non-standard platforms.

DUMP_ALL_PACKETS=yes ./fastnetmon

If you want to dump only “other” packets (those for which we could not detect the direction), use DUMP_OTHER_PACKETS.

If you see very large packets (larger than the MTU) in your attack log, it may be caused by the offload features of the NIC (GRO/GSO/TSO merge several wire packets into one before the capture sees them). For Intel 82599, we recommend disabling all offloads:

sudo ethtool -K eth0 gro off gso off tso off
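The following helper is an added example and not part of the FastNetMon project: it parses the output of `ethtool -k` (the long-form feature names `generic-receive-offload`, `generic-segmentation-offload` and `tcp-segmentation-offload` are the ones ethtool prints) and reports which of GRO/GSO/TSO are still on, so you can confirm the offloads really are disabled before trusting packet sizes in the log. The interface name and the sample `ethtool -k` output used to try it are assumptions; `suggest_offload_fix` needs a real interface and the ethtool binary.

```shell
#!/bin/sh
# Added example, not FastNetMon code: check which of gro/gso/tso are enabled
# on a NIC by reading `ethtool -k` output, and print the matching
# `ethtool -K ... off` command for the ones that are still on.

# Reads `ethtool -k` output on stdin and prints the short names of the
# offloads that are "on" (space separated, in the order they appear).
# Sub-features are indented by ethtool, so anchoring the pattern at the
# start of the line only matches the three top-level offload lines, and
# matching ": on" exactly avoids states such as "off [requested on]".
offloads_on() {
    on=""
    while IFS= read -r line; do
        case "$line" in
            generic-receive-offload:\ on*)      on="$on gro" ;;
            generic-segmentation-offload:\ on*) on="$on gso" ;;
            tcp-segmentation-offload:\ on*)     on="$on tso" ;;
        esac
    done
    printf '%s\n' "${on# }"
}

# Queries a live interface (assumed name, e.g. eth0) and prints the command
# that turns off whatever is still enabled. Requires ethtool in PATH.
suggest_offload_fix() {
    iface="$1"
    on=$(ethtool -k "$iface" | offloads_on)
    if [ -z "$on" ]; then
        echo "$iface: gro/gso/tso already off"
        return 0
    fi
    args=""
    for f in $on; do
        args="$args $f off"
    done
    echo "sudo ethtool -K $iface$args"
}

# Usage on a real host (assumed interface name):
#   suggest_offload_fix eth0
```

Run the printed command, then re-run the check; if an offload is reported as `[fixed]` the driver does not allow changing it and the oversized packets will remain.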

Build the tool for reading NetFlow (v5, v9, IPFIX) and sFlow data from a pcap dump:

cmake .. -DBUILD_PCAP_READER=ON

Run it against pcap data (first argument is the protocol, second the dump):

./fastnetmon_pcap_reader sflow dump.pcap
./fastnetmon_pcap_reader netflow dump.pcap

How to run tests?

Build and run tests:

cmake -DBUILD_TESTS=ON ..
./fastnetmon_tests

Build the tool for running packet capture plugins without the analyser backend:

cmake .. -DBUILD_PLUGIN_RUNNER=ON

Examples for different plugins (the plugin name can be netflow, netmap, sflow, or pcap):

./fastnetmon_plugin_runner netflow

How to collect data for debugging NetFlow:

sudo tcpdump -w netflow_data.pcap -n 'udp dst port 2055'

How to collect data for debugging sFlow:

sudo tcpdump -w sflow_data.pcap -n 'udp dst port 6343'

Performance tuning:

Do not use extremely big prefixes (/8, /16): memory consumption will be enormous and the traffic data will very likely be miscalculated.

When developing new code, please follow .clang-format as the code style guide.