Debugging flags.
DUMP_ALL_PACKETS enables dumping of all packets to /var/log/fastnetmon.log. It is very useful for testing the tool on non-standard platforms.
DUMP_ALL_PACKETS=yes ./fastnetmon
If you want to dump only "other" packets (those for which we could not detect the direction), please use DUMP_OTHER_PACKETS.
I got a very big packet size (more than the MTU) in the attack log? This behaviour may be related to the offload features of the NIC. For the Intel 82599 I recommend disabling all offloads:
sudo ethtool -K eth0 gro off gso off tso off
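As an added example (not part of the FastNetMon documentation), a small Python parser that checks a tcpdump capture for frames larger than the interface MTU; in a host-side capture such frames usually come from GRO/GSO/TSO coalescing, which is the symptom described above. The pcap bytes are constructed inline, and the 1500-byte MTU and 14-byte Ethernet header are assumptions.

```python
import struct
from typing import List, Tuple

PCAP_HDR_LEN = 24   # classic libpcap global header
REC_HDR_LEN = 16    # per-record header: ts_sec, ts_frac, incl_len, orig_len


def parse_pcap(data: bytes) -> List[Tuple[int, int]]:
    """Return (orig_len, incl_len) for every record in a classic libpcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian, usec or nsec timestamps
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic libpcap capture (pcapng is not handled here)")
    records = []
    offset = PCAP_HDR_LEN
    while offset + REC_HDR_LEN <= len(data):
        rec = data[offset:offset + REC_HDR_LEN]
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        offset += REC_HDR_LEN + incl_len
        records.append((orig_len, incl_len))
    return records


def oversized_frames(data: bytes, mtu: int = 1500, l2_overhead: int = 14) -> List[int]:
    """Original lengths of frames larger than MTU plus the Ethernet header.

    orig_len is used rather than incl_len so that snaplen truncation does not hide
    them. Frames this large in a host capture normally mean the NIC or driver
    coalesced several wire packets (GRO/GSO/TSO), not that the attacker sent them.
    """
    return [orig for orig, _ in parse_pcap(data) if orig > mtu + l2_overhead]


def build_pcap(frame_lengths: List[int]) -> bytes:
    """Constructed capture for the demo: zero-filled frames of the given sizes."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(
        struct.pack("<IIII", 1_700_000_000 + i, 0, n, n) + b"\x00" * n
        for i, n in enumerate(frame_lengths)
    )
    return header + body


# Constructed sample: three normal frames and two coalesced "super-frames" (assumed sizes).
SAMPLE_PCAP = build_pcap([60, 1514, 1514, 4380, 65160])

if __name__ == "__main__":
    big = oversized_frames(SAMPLE_PCAP)
    print(f"{len(big)} of {len(parse_pcap(SAMPLE_PCAP))} frames exceed the MTU: {big}")
```

If a capture taken after `ethtool -K ... gro off gso off tso off` no longer shows such frames, the oversized sizes in the attack log were an offload artefact rather than real traffic.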
Build script for reading Netflow (v5, v9, ipfix) data from pcap dump:
cmake .. -DBUILD_PCAP_READER=ON
Run pcap data:
./fastnetmon_pcap_reader sflow dump.pcap
./fastnetmon_pcap_reader netflow dump.pcap
How to run tests?
Build and run tests:
cmake -DBUILD_TESTS=ON ..
./fastnetmon_tests
Build script for running packet capture plugins without analyzer backend:
cmake .. -DBUILD_PLUGIN_RUNNER=ON
Examples for different plugins (the plugin name can be netflow, netmap, sflow or pcap):
./fastnetmon_plugin_runner netflow
How to collect data for debugging netflow:
sudo tcpdump -w netflow_data.pcap -n 'udp dst port 2055'
How to collect data for debugging sFlow:
sudo tcpdump -w sflow_data.pcap -n 'udp dst port 6343'
Performance tuning:
Do not use extremely big prefixes (/8, /16), because memory consumption will be enormous and traffic data will very likely be miscalculated.
When developing new code, please check .clang-format for the code style guide.