04.12.2017

FastNetMon Advanced cli reference guide

Brief

fcli is the simplest way to configure FastNetMon in a way that suits network operations. You can use TAB to auto-complete options. Run this tool only with root permissions or with sudo, using the following syntax:

sudo fcli

Overview

We have three configuration categories:

  • main – toolkit-wide options
  • bgp – BGP configuration options
  • hostgroup – custom threshold configurations for different networks

To get an option value, use the following form:

show <category> <option_name>

To change a string or integer value, use the following form:

set <category> <option_name> value

Boolean fields use a slightly different form:

set <category> <option_name> (disable|enable)

To add a new value to a list option (networks_list, for example), use:

set <category> <option_name> new_value

To remove an element from a list option, use this form instead:

delete <category> <option_name> value_for_remove

You can also retrieve the configuration options for a whole category:

show <category_name>

After making all changes, commit them and reload the fastnetmon daemon with the commit command:

commit

Blackhole management

Block host:

set blackhole 11.22.33.44

Example output: Ban executed

Show blocked hosts:

show blackhole

Example output:

11.22.33.44/32 312e3232-2e33-332e-3434-000000000000

Unblock host:

delete blackhole 312e3232-2e33-332e-3434-000000000000

Example output: Disabled correctly

Flow spec rules management

Apply new rule:

set flowspec '{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } }'

List flow spec rules

show flowspec

Example output:

{ "source_prefix": "4.0.0.0\/24", "destination_prefix": "127.0.0.0\/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "rate-limit", "action": { "rate": 1024 } } c58b3558-e3ea-4202-b104-33d59587e283

Delete flow spec announce

delete flowspec c58b3558-e3ea-4202-b104-33d59587e283

Example output: Disabled correctly
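
A pre-flight check for the JSON rule passed to set flowspec above, as an added example that is not part of FastNetMon or of the original guide: it validates prefixes, ports and the rate-limit value, then builds the shell-quoted one-shot command. MIN_DST_PREFIXLEN, the requirement that destination_prefix be present, and the function names are assumptions of this example.

```python
import ipaddress
import json
import shlex

MIN_DST_PREFIXLEN = 24  # assumption: local policy, not an fcli setting

# Constructed sample: the rule from the guide's "Apply new rule" step.
PAGE_RULE = {
    "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24",
    "destination_ports": [80], "source_ports": [53, 5353],
    "packet_lengths": [777, 1122], "protocols": ["tcp"],
    "fragmentation_flags": ["is-fragment", "dont-fragment"],
    "tcp_flags": ["syn"], "action_type": "rate-limit", "action": {"rate": 1024},
}


def check_rule(rule):
    """Return a list of problems found in a flow spec rule dict."""
    problems = []
    if "destination_prefix" not in rule:  # assumption: always name a target
        problems.append("destination_prefix: missing")
    for key in ("source_prefix", "destination_prefix"):
        if key not in rule:
            continue
        try:
            # strict=True rejects host bits, e.g. 11.22.33.44/24
            net = ipaddress.ip_network(rule[key], strict=True)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if key == "destination_prefix" and net.prefixlen < MIN_DST_PREFIXLEN:
            problems.append(f"{key}: /{net.prefixlen} is broader than /{MIN_DST_PREFIXLEN}")
    for key in ("source_ports", "destination_ports"):
        for port in rule.get(key, []):
            if type(port) is not int or not 0 <= port <= 65535:
                problems.append(f"{key}: bad port {port!r}")
    if rule.get("action_type") == "rate-limit":
        rate = rule.get("action", {}).get("rate")
        if type(rate) is not int or rate < 0:
            problems.append(f"action.rate: bad rate {rate!r}")
    return problems


def fcli_command(rule):
    """Build the shell-quoted one-shot command, refusing invalid rules."""
    problems = check_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return "sudo fcli set flowspec " + shlex.quote(json.dumps(rule))
```

Calling fcli_command(PAGE_RULE) returns the command line to run; a rule with a mistyped prefix or port raises ValueError before anything reaches the router.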

Get system counters

show system_counters

Example output:

our_ipv6_packets                       0
total_unparsed_packets_speed           0
total_unparsed_packets                 0
speed_recalculation_time_seconds       0
speed_recalculation_time_microseconds  407

Get total traffic counters

show total_traffic_counters

Example output:

incoming traffic   0
incoming traffic   0
outgoing traffic   0
outgoing traffic   0
internal traffic   0
internal traffic   0
other traffic      0
other traffic      0

Interfaces management

Get interfaces list

show interfaces

Example output:

em2

Get per subnet counters

Get counters for all subnets in networks list.

show network_counters incoming packets

Example output:

11.22.33.0/24      in packets: 0 out packets: 0 in mbps: 0 out mbps: 0

You can use the following sort options here: bytes, packets, incoming or outgoing.

Get per host counters

Get the top 10 hosts by the specified traffic type (packets, bytes, flows) in a specific direction (incoming, outgoing) from your network.

show host_counters flows incoming

You can use the following sort options here: bytes, flows, packets, incoming or outgoing. You can also increase the number of hosts in the output with an environment variable:

sudo HOST_COUNTERS_MAX_HOSTS=40 -i fcli

Enable or disable traffic capture

With this command you can enable or disable traffic capture with deep analytics. You can trigger it manually if you are sure that you are under attack.

set traffic_capture 11.22.33.44

Disable:

delete traffic_capture 11.22.33.44

List all host groups:

show hostgroup

Show a certain host group:

show hostgroup my_group

Create a new host group with the name “new_group”:

set hostgroup new_group

Delete a host group by name:

delete hostgroup new_group

Check an option value for a certain host group:

show hostgroup global networks

Set an option for a certain host group:

set hostgroup host_group_name networks 11.22.33.0/24

Look up the host group for a specified IP address:

show ip_hostgroup 11.22.33.44

White lists

We have two kinds of whitelists. The local whitelist is only for your own hosts:

sudo fcli set main networks_whitelist 11.22.33.44/32

The remote whitelist is for remote hosts outside of your networks:

sudo fcli set main networks_whitelist_remote 11.22.33.44/32