Japan Network Operators' Group
JANOG36 is hosted by IDC Frontier Inc. and BBIX, Inc.

[Program Introduction] Operating Open-Source NetFlow Tools

At JANOG36, following the xFlow tutorial, NetFlow will also be discussed in a BoF and in a program session. The BoF will present case studies on collecting and analyzing flow data and correlating it with other data sources; the program session will show how open-source tools can be put to use in day-to-day operations.

We asked the speakers, Noriyuki Arai (荒井 則之, BBIX, Inc.) and Paolo Lucente (pmacct Project), together with the program committee member in charge, about the content of this program. (Interviewer: JANOG36 Planning and Editing Committee)

What is pmacct?

Paolo: pmacct is a small set of passive network monitoring tools to account, classify, aggregate, replicate and export IPv4 and IPv6 traffic; a pluggable architecture allows storing collected data into memory tables, RDBMS (MySQL, PostgreSQL, SQLite), NoSQL databases (MongoDB, BerkeleyDB), AMQP message exchanges (RabbitMQ) and flat files, and exporting through the NetFlow or sFlow protocols to remote collectors. pmacct offers customizable historical data breakdown, BGP and IGP correlation, BMP stats and events, GeoIP lookups, sampling and renormalization, filtering, tagging and triggers. Libpcap, Linux Netlink/ULOG, sFlow v2/v4/v5, NetFlow v5/v8/v9 and IPFIX are supported. Replication of incoming NetFlow and sFlow datagrams is also available. Statistics can be easily exported to tools like RRDtool, Net-SNMP, MRTG, GNUPlot and Cacti.
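As an added illustration that is not part of the interview or of the pmacct project's own documentation, a constructed nfacctd configuration that receives NetFlow/IPFIX, peers with routers over BGP for the AS and prefix correlation mentioned above, and writes aggregated CSV files every five minutes; the listen addresses, output path and plugin instance name are assumptions.

```conf
! Constructed example nfacctd.conf (not from the page); addresses and paths are placeholders
daemonize: false
! Receive NetFlow v5/v9 and IPFIX from exporters on UDP/2055
nfacctd_ip: 0.0.0.0
nfacctd_port: 2055
! Run the passive BGP daemon so exporting routers can peer with the collector;
! by default a router's NetFlow source address is matched to its BGP peer address
bgp_daemon: true
bgp_daemon_ip: 192.0.2.10
bgp_daemon_max_peers: 10
! Take AS numbers and prefix lengths from the BGP RIB instead of exporter fields
! (key name as in current pmacct; older releases spell it nfacctd_as_new)
nfacctd_as: bgp
nfacctd_net: bgp
! One print-plugin instance named "peers", aggregating per exporter and AS pair
plugins: print[peers]
aggregate[peers]: peer_src_ip, src_as, dst_as, peer_dst_ip, in_iface
print_output[peers]: csv
! Flush every 300 s into 5-minute time buckets, one file per bucket
print_refresh_time[peers]: 300
print_history[peers]: 5m
print_history_roundoff[peers]: m
print_output_file[peers]: /var/lib/pmacct/peers-%Y%m%d-%H%M.csv
```

Each resulting CSV row carries the exporter, source and destination AS, BGP next hop and ingress interface with byte and packet counters, which is the raw material for the per-peer traffic profiling discussed later in this interview.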

Who (what kind of operator) is using pmacct?

Paolo: pmacct is suitable for ISP, IXP, CDN, IP carrier, DC and hot-spot environments and SDN solutions.

How is pmacct developed? (Or: how many people are developing pmacct?)

Paolo: I'm myself the main and stable pmacct developer. Contributions are always welcome. People can submit patches to my attention via email or fork the project on GitHub (https://github.com/paololucente/pmacct).

What is your main motivation for this program proposal?

Arai: I mistakenly thought that flow investigation needed a sophisticated appliance, since capturing and analysing traffic data in nearly real time costs resources. Through talking with some friends in the community, I also found that the hurdle originates not only from inadequate information on the easy-to-use tools but also from the lack of collective understanding of flow-data usage. I happened to meet Paolo when I was trying to test some open-source flow tools, and he told me that flow data can be widely used, applicable not only to traffic profiling and DDoS detection but also to leveraging real operations. When Paolo told me he was interested in offering a talk at JANOG36, I thought it must be a precious chance to share his experience and contribution with the JANOG community, and to link individuals' exploration into the JANOG community's collective understanding.

What is the difference in purpose between the BoF and the program session?

Arai: Considering the audience's diversity and the time limit, the program session is aimed at providing information on an open-source flow tool, pmacct, and showing where it could be used and tested. On the other hand, the BoF focuses on how the pmacct tool is used in leveraging real operations, with a discussion of the architecture and technical details of combining flow analysis and routing.

Free comment to the JANOG community

Arai: It is also a practice of bilingual presentations in the JANOG meeting. We expect that the JANOG meeting will become more international, attracting global experts to share their contributions with the community.

From the program committee member in charge

This JANOG36 has a great many sessions related to xFlow across the tutorial, the BoF and the program.

In the program session, the developer of pmacct himself is expected to explain how to use pmacct and present use cases, and an operator who actually uses it will describe things such as a test environment.

Even if you have not yet worked with technologies such as NetFlow or sFlow, why not attend the tutorial, the BoF and the program session and become an xFlow master at JANOG36?

Links

"xFlow Tutorial" program page

"Operating Open-Source NetFlow Tools" program page

"Linking Flow Collectors and Routing" program page

pmacct project: IP accounting iconoclasm