16. Components » Packet Sensor

Packet Sensor inspects every packet it receives in order to perform packet-based traffic analysis. The advantages and disadvantages of packet-based traffic monitoring versus flow-based traffic monitoring are listed in the Choosing a Method of Traffic Monitoring chapter.

In switched networks, only the packets for a specific device reach the device’s network card. If the server running the Packet Sensor is not deployed inline in the main data path, a network TAP or a switch/router that offers a “monitoring port” or “mirroring port” has to be used. In this case, the network device sends copies of data packets traveling through selected ports or VLANs to the monitoring port.

To add a Packet Sensor, click the [+] button from the title bar of the Configuration » Components panel. To modify an existing Packet Sensor, go to Configuration » Components and click its name.

PACKET_SENSOR_CONFIGURATION8.01_png

Packet Sensor Configuration parameters:

Sensor Name – A short name to help you identify the Packet Sensor
Sensor Color – The color used in graphs for the Packet Sensor. The default color is a random one. You can change it from the drop-down menu
Sensor Visibility – Toggles the listing inside the Reports » Devices panel
Device Group – Enter a description if you wish to organize components (e.g. by location, characteristics) or to permit fine-grained access for roles
Sensor Server – Select a server that fulfills the minimum system requirements for running the Packet Sensor. If this is not the Console server, follow the NFS configuration steps to make the raw packet data visible in the web interface
Sensor License – The license used by the Packet Sensor. Wanguard provides all features; Wansight does not provide traffic anomaly detection and reaction
Capture Engine – Select the preferred packet capturing engine and its options:
Embedded Libpcap – Select to use the built-in libpcap library. Libpcap requires no additional setup, but it cannot run on multiple threads, and it may be too slow for multi-gigabit sniffing
PACKET_SENSOR_OPTIONS_LIBPCAP_8.2
Packet Sampling (1/N) – Must contain the packet sampling rate. On most systems, the correct value is 1
System Libpcap – Select to use the libpcap library provided by the Linux distribution
PACKET_SENSOR_OPTIONS_SYSTEM_LIBPCAP_8.2
Environment Variables – Some NIC drivers provide their own libpcap but require an environment variable to be set
Packet Sampling (1/N) – Must contain the packet sampling rate. On most systems, the correct value is 1
PF_RING – Select to use the PF_RING framework to speed up packet processing. PF_RING is much faster than Libpcap, but it requires the installation of additional kernel modules and supports only a limited number of NICs
PACKET_SENSOR_OPTIONS_PFRING_8.2
CPU Threads – Packet Sensor can run multi-threaded on a given set of CPU cores. Each thread increases the RAM usage. On most systems, activating more than 6 CPU threads hurts performance
Packet Sampling (1/N) – Must contain the packet sampling rate. On most systems, the correct value is 1
PF_RING ZC - PF_RING ZC is faster than “vanilla” PF_RING, but it requires purchasing a ZC license from ntop.org. When an interface enters PF_RING ZC mode, it is no longer available to the OS for other operations such as capturing packets, routing or switching
PF_RING Vanilla RX/TX – PF_RING can consider only those packets matching the specified direction
PF_RING Sampling (1/N) – PF_RING can sample packets directly into the kernel, which is much more efficient than doing it in user-space
Netmap – Select to use the Netmap framework to speed up packet processing. Netmap requires the installation of additional kernel modules, and it only supports a limited number of NICs. When an interface enters Netmap mode, it is no longer available to the OS for other operations such as routing or switching
PACKET_SENSOR_OPTIONS_NETMAP_8.2
CPU Threads – Packet Sensor can run multi-threaded on a given set of CPU cores. Each thread increases the RAM usage. On most systems, activating more than 6 CPU threads hurts performance
Packet Sampling (1/N) – Must contain the packet sampling rate. On most systems, the correct value is 1
DPDK – Select to use the DPDK framework, then click the button on the right of the Capture Engine field to configure DPDK-specific parameters as described in Appendix 1
Sniffing Interface – The network interface(s) listened by the Packet Sensor. Libpcap accepts only a single interface. PF_RING allows listening to multiple physical interfaces simultaneously when the interfaces are separated by a comma (“,”)
PACKET_SENSOR_OPTIONS_INTERFACE_8.2.png
Interface Type – Set accordingly when the Sniffing Interface is a TUN/TAP interface or a GRE interface
GRE Decapsulation – When enabled, Packet Sensor will analyze the encapsulated packet, not the GRE packet itself
Link Speed IN / OUT – Enter the monitored link’s speed (bandwidth, capacity). The values are used for percentage-based reports and percentage-based bits/s thresholds
IP Zone – Packet Sensor needs an IP Zone from which to learn the network’s boundaries and to extract per-subnet settings
Stats Engine – Collects traffic tops and AS graphs:
Basic – Enables tops for internal IPs, IP protocols, IP versions, and TCP/UDP ports. It adds a minimal performance penalty, so it’s the recommended value on most systems
Extended – Enables the tops from Basic as well as tops for external IPs (IPs not included in the IP Zone). It adds a performance penalty of over 20%, especially during spoofed attacks with randomized sources. Permits the detection of threshold violations for external IPs
PACKET_SENSOR_OPTIONS_STATS_EXTENDED_8.2
Max. Source IPs – Can limit the amount of RAM used to keep track of external IPs, or prevent interruptions during very powerful attacks from randomized sources
Full – Enables the tops from Extended as well as tops and graphs for autonomous systems. It adds a performance penalty of over 20%, especially during spoofed attacks with randomized sources. Permits the detection of threshold violations for external IPs
PACKET_SENSOR_OPTIONS_STATS_FULL_8.2
Max. Source IPs – Can limit the amount of RAM used to keep track of external IPs, or prevent interruptions during very powerful attacks from randomized sources
Refresh Interval – Set how often the MTR file should be reloaded in RAM. If it is set to Auto, then the file will be refreshed every time it is modified. It it is set to Never, the file will only be loaded when the Sensor starts
BGP Dump File – If it contains the path to an existing file exported by BGPd in MTR format, it enables tops and graphs for Transit ASNs
BGP Router IPv4/IPv6 – If the MTR file was entered, then you must also enter the IPv4 and/or IPv6 address of the next-hop BGP router. You can find the next-hop by observing the NEXT_HOP parameter from the bgpdump’s output
IP Validation – This option is the most frequently used method of establishing the direction of packets in relation to your network:
Off – Packet Sensor analyzes all traffic and uses MAC Validation to identify the direction of traffic
On – Packet Sensor analyzes the traffic that has the source and/or the destination IP in the selected IP Zone. This is the default value and the recommended one for most configurations
Strict – Packet Sensor analyzes the traffic that has either the source or the destination IP in the selected IP Zone
Exclusive – Packet Sensor analyzes the traffic that has the destination IP in the selected IP Zone, but not the source IP
MAC Validation/Options – This rarely-used option can be used to distinguish the direction of the packets or to ignore unwanted OSI Layer 2 traffic:
None – Packet Sensor analyzes all traffic and uses IP Validation to identify the direction of traffic
Upstream/Downstream MAC – MAC validation is active, and the MAC Address belongs to the upstream or downstream router
PACKET_SENSOR_OPTIONS_MAC_8.2
MAC Address - Enter the MAC address of the upstream or downstream router, written using the Linux convention – six groups of two hexadecimal values separated by colons (:)
Granularity – Interval between successive updates for traffic parameters and anomalies. A granularity of 1 second ensures the detection of anomalies in under one second at the expense of the SQL server’s load. The default value is 5 seconds
BPF Expression – You can use this parameter to filter the type of traffic received by the Packet Sensor. The tcpdump-style syntax is described when clicking the star button
Comments – Comments about the Packet Sensor can be saved here. They are not visible elsewhere
To start the Packet Sensor, click the small on/off button displayed next to its name in the Configuration » Components panel. Ensure that the Packet Sensor starts correctly by watching the event log. If the Packet Sensor starts, but you can’t see any data collected by it in Reports » Devices » Overview after 10 seconds, follow the troubleshooting steps listed below.

Note

To obtain detailed information about the sources of the attacks detected by Packet Sensor, add a Packet Filter, set the same Sniffing Interface and Capture Engine, and then activate it in the “When an anomaly is detected…” panel from the Response.

16.1. Packet Sensor Troubleshooting

✔ Look for warnings or errors produced by the Packet Sensor in the event log
✔ Go to Help » Software Updates to make sure that you are running the latest version of the software
✔ Ensure that you have correctly configured the Packet Sensor. Each configuration field is described above in this chapter
✔ The event log error License key not compatible with the existing server indicates that the server is unregistered and you need to send the string from Configuration » Servers » [Server] » Hardware Key to sales@andrisoft.com
✔ When IP Validation is not disabled, make sure that the selected IP Zone contains all your subnets
✔ Ensure that you have correctly configured the switch/TAP to send packets to the server on the configured interface
✔ Make sure that the sniffing interface is up:
[root@localhost ~]# ip link show <interface>
✔ Verify whether the server is receiving packets via the configured interface:
[root@localhost ~]# tcpdump -i <interface_usually_eth1_or_p1p2> -n -c 100
✔ If the CPU usage of the Packet Sensor is too high, set the Stats Engine parameter to Basic, install PF_RING, Netmap or DPDK to enable multi-threading, or use a network adapter that allows distributing Packet Sensors over multiple CPU cores
✔ To troubleshoot Sensor graph or IP graph issues, follow the Graphs Troubleshooting guide
✔ For PF_RING-related issues, contact ntop.org
✔ The system process responsible for capturing packets is called WANtrafficlogger. There will be as many such processes active as the number of packet dumps active in Reports » Tools » Packets

16.2. Optimization Steps for Intel XL710

To distribute the packet-processing tasks of the Packet Sensor over multiple CPU cores when using the Intel XL710 adapter and a ZC license:

➔ Install PF_RING ZC and switch to the PF_RING-aware Intel driver
➔ Create a separate Packet Sensor for every queue of your multi-queue NIC. For example, when having 12 queues, define 12 Packet Sensors defined named ‘queue0’ thru ‘queue11’. Each Packet Sensor must be configured to listen on an interface such as zc:enp134s0f0@0 for queue0, or zc:enp134s0f0@7 for queue7, and so forth. Each defined Packet Sensor needs to have the PF_RING Capture Engine selected, ZC checked, and further, needs a unique Cluster ID. So, ‘queue0’ has cluster id 0, while ‘queue7’ has cluster id 7, and so forth
➔ Add all Packet Sensors to a single Sensor Cluster to have a unified reporting and anomaly detection domain. No additional licensing is needed because all Packet Sensors defined to listen to a single interface use a single Sensor license

16.3. Optimization Steps for Intel 82599

To distribute the packet-processing tasks of the Packet Sensor over multiple CPU cores when using an adapter with the Intel 82599 chipset (Intel X520, Intel X540, HP X560, etc.):

➔ Follow the documentation and optimization guides provided by the network adapter vendor
➔ Install PF_RING and switch to the PF_RING-aware ixgbe driver
➔ See the number of RSS queues allocated by the ixgbe driver by executing dmesg, or by listing /var/log/messages or /var/log/syslog. By default, the number of RSS queues equals the number of CPU cores when hyper-threading is off, or double the number of CPU cores when hyper-threading is on. You can set the number of RSS queues manually by loading ixgbe.ko with the RSS=<number> option
➔ Enable multi-threading in the Packet Sensor configuration or define multiple Packet Sensors, each listening to ethX@queue_id or ethX@queue_range and add them to a Sensor Cluster to have a unified reporting and anomaly detection domain. No additional licensing is needed because all Packet Sensors defined to listen to a single interface use a single Sensor license
On a quad-core CPU with multi-threading, the ixgbe driver allocates 8 RSS queues. In this case, if you define a Packet Sensor for ethX@0-3 and another one for ethX@4-7, the packet-processing task will be distributed over 2 CPU cores.