Exporting NetFlow from Linux to a collector over IPv6

There is another project out there in the ether that I have a hand in providing input for. One of the features that I felt was necessary for it is exporting NetFlow information from traffic the Linux machine handled, to a collector. This is dual-stack traffic, but I have the collector listening on IPv6.

Firstly, I needed something that would gather and export the data, so I found softflowd. My Ubuntu server had it in the repo, so a quick apt install got it onto the machine easily enough. You need to edit /etc/default/softflowd and set which interface(s) you want it capturing & generating flow data from, and what options to feed to the daemon, like what server:port to export that data to:

INTERFACE="eth#"
OPTIONS="-v 9 -n [x:x:x:x::x]:9995"

Fill in the name of the interface you want to gather data from. The -v 9 option tells it to use NetFlow v9, which has IPv6 support. The -n option specifies the collector machine’s IP and port, so fill in the correct IPv6 address of that collector. Note the format: the IPv6 address goes inside square brackets, followed by a colon and the port. That is how you specify an IPv6 host running a collector, like nfcapd. Then you can fire up the softflowd daemon, and you should start getting data sent to the collector:

Date flow start          Duration Proto                             Src IP Addr:Port                                 Dst IP Addr:Port   Packets    Bytes Flows
2015-02-13 23:18:13.316     0.001 UDP                              72.52.116.23:53    ->                            72.52.116.26:41933        1      213     1
2015-02-13 23:18:13.316     0.001 UDP                              72.52.116.26:41933 ->                            72.52.116.23:53           1       55     1
2015-02-13 23:15:17.715   180.139 ICMP6                         2001:470:1:9::1.0     ->                      2001:470:1:9::6666.0.0          4      288     1
2015-02-13 23:15:17.715   180.139 ICMP6                      2001:470:1:9::6666.0     ->                         2001:470:1:9::1.0.0          4      256     1
Summary: total flows: 75, total bytes: 291951, total packets: 1559, avg bps: 10006, avg pps: 6, avg bpp: 187
Time window: 2015-02-13 23:15:05 - 2015-02-13 23:18:58
Total flows processed: 75, Blocks skipped: 0, Bytes read: 5300
Sys: 0.008s flows/second: 9149.7     Wall: 0.006s flows/second: 12209.0
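To confirm that the exporter's NetFlow v9 datagrams really carry IPv6 flow fields before they reach nfcapd, the following added example (not part of the original post, and not softflowd or nfdump code) parses a v9 export packet, learns its templates and extracts IPv6 source/destination pairs. The template id 1024, the 2001:db8:: addresses and the sample packet are constructed for illustration; feed parse_v9() the bytes received from a UDP socket bound to the collector port to use it on live data.

```python
import ipaddress
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
V6_SRC, V6_DST = 27, 28            # v9 field types IPV6_SRC_ADDR / IPV6_DST_ADDR

def parse_v9(pkt, templates=None):
    """Return (templates, ipv6_flows) for one NetFlow v9 export datagram."""
    templates = {} if templates is None else templates
    if len(pkt) < HEADER.size or HEADER.unpack_from(pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, off = [], HEADER.size
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("flowset length runs past the datagram")
        body = pkt[off + 4:off + fs_len]
        if fs_id == 0:                       # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or nfields == 0 or end > len(body):
                    break                    # padding or truncated record
                templates[tid] = [struct.unpack_from("!HH", body, p)
                                  for p in range(pos + 4, end, 4)]
                pos = end
        elif fs_id in templates:             # data flowset with a known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            for start in range(0, len(body) - rec_len + 1, rec_len):
                rec, p = {}, start
                for ftype, length in fields:
                    rec[ftype] = body[p:p + length]
                    p += length
                if V6_SRC in rec and V6_DST in rec:
                    flows.append((str(ipaddress.IPv6Address(rec[V6_SRC])),
                                  str(ipaddress.IPv6Address(rec[V6_DST]))))
        off += fs_len
    return templates, flows

def sample_packet():
    """Constructed datagram: template 1024 (v6 src, v6 dst, bytes, packets) plus one record."""
    tmpl = struct.pack("!HH8H", 1024, 4, 27, 16, 28, 16, 1, 4, 2, 4)
    rec = (ipaddress.IPv6Address("2001:db8::1").packed +
           ipaddress.IPv6Address("2001:db8::6666").packed + struct.pack("!II", 288, 4))
    return (HEADER.pack(9, 2, 1000, 1423869497, 1, 0) +
            struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl +
            struct.pack("!HH", 1024, 4 + len(rec)) + rec)
```

Data flowsets that arrive before their template are skipped, so pass the same templates dict back in on every call when parsing a stream of datagrams.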

IPv6 and flows (using nfsen)

This post assumes you already have nfsen/nfdump configured and are just looking to make a flow profile to graph IPv6 traffic from your routers. If you are looking to get nfsen initially configured, definitely follow the instructions on their site.

Say you have an sFlow capable router like…picking one totally not at random…..a Brocade XMR or MLX(e), and you want some basic flow data, especially IPv6. How many routers you are going to collect flow data from will determine how beefy a machine you will need. I know that at $lastjob, it was a hefty CPU (and definitely more than 1), tons of RAM, and hardware RAID. Right now, I’m using dual quad-core Xeon, tons of RAM and a small hardware RAID, but this machine serves many purposes. Right now I’m also only polling 4 MLX routers.

Go ahead and access your nfsen website, and on the Profiles pulldown, select “New Profile …”. In the creation dialog, give the profile whatever title you like; I went with the generic title of “IPv6”. If you want to add it to a group or make one for it, do as you please. I left that alone so I’d have it as a readily available profile to view. Select all the sources, or at least the ones you KNOW have IPv6 configured on them as well as possible traffic (hosts, peers, transits, etc.). In the filter option, simply put: inet6

Save the profile, wait a while for data to get newly collected, and your graphs should start populating with delicious IPv6 flow information.

Today is World IPv6 Launch Day!

After the success of last year’s World IPv6 Day, where success was measured with little to no problems reported, World IPv6 Launch Day has arrived! For a while major players like Google and Facebook had been white-listing their AAAA records to specific ISP recursive nameservers. This meant you had to query one of those in order to see IPv6 entries for their websites. Now that white-listing has been removed, and all properly operating recursive nameservers will serve up these records. They aren’t the only companies participating of course! Take a look at this list to see who else signed up to promote their enabling of IPv6. Want some stats? Take a look at the following:

But what does this mean to the non-techies out there? It is meant to be a passive change. You shouldn’t notice much in the way of interruptions. Perhaps your ISP will have a shorter route to a destination over IPv6, and you might get what you are trying to access a tiny bit quicker. If you like video/chat applications, this will soon mean that you’ll be able to have proper end-to-end communication between your machine/application and someone remotely. No more NAT to muddle connections. If XBOX and similar console devices migrate, you could actually have more than one in the household online at the same time and not get mangled because of IPv4 NAT!

IPv6 and Google Analytics

So rather than rely on Webalizer 2.23 with proper IPv6 parsing support (yet all addresses end up being designated as sourcing from Montenegro?), I’m trying out Google Analytics. One of the first things I noticed is that all IPv6 hits/views end up being listed as “(not set)”. Since I control and access my logs I can get specifics, however I’d like a little more detail.

That is when I happened upon the APNIC Labs IPv6 Capability Tracker. Just had to follow their directions for adding the JS code, with some minor tweaks to work with my Google Analytics WP plugin. Now I’m seeing a bit more detail on the types of IPv6 visitors exactly how APNIC Labs promised 😀 Still need to read up on “events” to figure out what the negative values I’m seeing mean.