We have introduced a traffic buffer that stores every packet or flow received by FastNetMon in an efficient in-memory store. When an attack is detected (a host crosses a threshold), FastNetMon retrieves from the buffer the flows or packets that arrived before detection and can immediately trigger a BGP blackhole or BGP Flow Spec announcement instead of waiting for more traffic to arrive after detection.
This reduces attack detection time by 15 to 90 seconds.
All capabilities described on this page require FastNetMon version 2.0.314 or later.
To enable this logic, run:
sudo fcli set main traffic_buffer enable
By default the traffic buffer keeps traffic from sFlow, NetFlow, IPFIX and Tera Flow. To enable it for port mirror capture as well, set this flag:
sudo fcli set main traffic_buffer_port_mirror true
Be careful with this option on non-sampled port mirror setups: the number of packets will be enormous and may degrade performance. We recommend enabling it only for sampled port mirror setups.
Then set the buffer size (the number of flows or packet headers it can hold):
sudo fcli set main traffic_buffer_size 100000
Buffer size calculation can be tricky: the buffer must hold all traffic processed by FastNetMon for average_calculation_time seconds, because that is the window detection works over.
To get the number for your installation, read the number of flows arriving per second:
sudo fcli show system_counters |grep netflow_all_protocols_total_flows_speed
For sFlow based capture use a different counter:
sudo fcli show system_counters | grep sflow_raw_packet_headers_total_speed
Multiply the value by average_calculation_time, then double or even triple the result to cover spikes during peak hours or attacks.
There is also a runtime metric showing how many seconds of traffic FastNetMon can currently keep in memory:
sudo fcli show system_counters | grep traffic_buffer_duration
traffic_buffer_duration_seconds_ipv4 77
traffic_buffer_duration_seconds_ipv6 0
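Putting the sizing steps and the runtime check together, here is an added example in POSIX shell; it is not FastNetMon's own tooling. It assumes that fcli show system_counters prints one "name value" pair per line, as the traffic_buffer_duration output above does, takes average_calculation_time as an argument (read it from your FastNetMon configuration), and uses a constructed counter sample so that it runs offline.

```sh
#!/bin/sh
# Added example (not FastNetMon's own code): derive traffic_buffer_size from the
# counters described on this page and check the running buffer against the
# detection window. Counter output is assumed to be "name value" per line, as
# in the traffic_buffer_duration output shown above.

# Constructed sample of `sudo fcli show system_counters` output so the script
# runs offline; pipe the real command into the functions instead.
SAMPLE_COUNTERS='netflow_all_protocols_total_flows_speed 1250.5
sflow_raw_packet_headers_total_speed 0
traffic_buffer_duration_seconds_ipv4 77
traffic_buffer_duration_seconds_ipv6 0'

# Print the value of one counter read from stdin; fail if it is absent.
counter_value() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# Per-second input rate for the capture method in use:
# "netflow" covers NetFlow/IPFIX, "sflow" covers sFlow.
flows_per_second() {
    case "$1" in
        netflow) counter_value netflow_all_protocols_total_flows_speed ;;
        sflow)   counter_value sflow_raw_packet_headers_total_speed ;;
        *) echo "unknown capture method: $1" >&2; return 1 ;;
    esac
}

# buffer_size RATE WINDOW [FACTOR]: RATE * average_calculation_time * safety
# factor (default 2, use 3 for more headroom), rounded up to a whole entry.
buffer_size() {
    awk -v r="$1" -v w="$2" -v f="${3:-2}" \
        'BEGIN { v = r * w * f; printf "%d\n", (v == int(v)) ? v : int(v) + 1 }'
}

# buffer_covers_window WINDOW: succeed only if the IPv4 buffer currently holds
# at least average_calculation_time seconds of traffic (counters on stdin).
buffer_covers_window() {
    d=$(counter_value traffic_buffer_duration_seconds_ipv4) || return 1
    awk -v d="$d" -v w="$1" 'BEGIN { exit (d + 0 >= w + 0) ? 0 : 1 }'
}

# Usage: WINDOW is your average_calculation_time in seconds (assumed to be 60
# here; take the real value from your FastNetMon configuration).
WINDOW=60
rate=$(printf '%s\n' "$SAMPLE_COUNTERS" | flows_per_second netflow)
echo "set traffic_buffer_size to at least $(buffer_size "$rate" "$WINDOW")"
if printf '%s\n' "$SAMPLE_COUNTERS" | buffer_covers_window "$WINDOW"; then
    echo "buffer covers the ${WINDOW}s detection window"
else
    echo "buffer too small: increase traffic_buffer_size" >&2
fi
```

On a live system replace the sample with `sudo fcli show system_counters | flows_per_second netflow` (or sflow) and pipe the same command into buffer_covers_window after the buffer has been running for at least one average_calculation_time window; a duration below the window means the buffer is being overwritten before detection can use it.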
We do not recommend using the traffic buffer in Flow Spec mitigation mode in production, as it may have detection issues, but feel free to try it in test labs.
Note that for performance reasons the traffic buffer does not store packet payload, and the configuration option collect_attack_pcap_dumps will not produce pcap dumps while the traffic buffer is enabled.