fastnetmon-ng/README.md

FastNetMon
===========
FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).

What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.

To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343.
To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.

Why did we write this? Because we can't find any software for solving this problem in the open source world! 

What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.

License: GPLv2

[![Build Status](https://travis-ci.org/pavel-odintsov/fastnetmon.svg?branch=master)](https://travis-ci.org/pavel-odintsov/fastnetmon) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/FastVPSEestiOu/fastnetmon?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge) 


Project 
-------
- [Mailing list](https://groups.google.com/forum/#!forum/fastnetmon)
- [Roadmap](docs/ROADMAP.md)
- [Release Notes](docs/RELEASENOTES.md)
- Chat: #fastnetmon at irc.freenode.net [web client](https://webchat.freenode.net/)
- [Please fill survey, we need your voice!](https://docs.google.com/forms/d/1YoXQImMeEjBH-JPz3KYtcDwknHs8xrI538ObwSy9uZo/viewform)
- Detailed reference in Russian: [link](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/FastNetMon_Reference_Russian.pdf)

Supported packet capture engines
--------------------------------
- NetFlow v5, v9
- IPFIX
- ![sFLOW](http://sflow.org/images/sflowlogo.gif) v4 (dev branch only), v5
- Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support [need license](http://www.ntop.org/products/pf_ring/)), SnabbSwitch, NETMAP and PCAP

You could look [comparison table](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/CAPTURE_BACKENDS.md) for all available packet capture engines.

Features
--------
- Complete [BGP Flow Spec support](docs/BGP_FLOW_SPEC.md), RFC 5575
- Can process incoming and outgoing traffic
- Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second
- Thresholds could be configured in per subnet basis with hostgroups feature
- Could [announce blocked IPs](docs/EXABGP_INTEGRATION.md) to BGP router with [ExaBGP](https://github.com/Exa-Networks/exabgp)
- GoBGP [integration](docs/GOBGP.md) for unicast IPv4 announces
- Full integration with [Graphite](docs/GRAPHITE_INTEGRATION.md) and [InfluxDB](docs/INFLUXDB_INTEGRATION.md)
- API
- Redis integration
- MongoDB integration
- Deep packet inspection for attack traffic
- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)
- SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)
- Could filter out NetFLOW v5 flows or sFLOW packets with script implemented in LUA (useful for port exclude)
- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode 
- Can work on server/soft-router
- Can detect DoS/DDoS in 1-2 seconds
- [Tested](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/PERFORMANCE_TESTS.md) up to 10GE with 12 Mpps on Intel i7 3820 with Intel NIC 82599
- Complete plugin support
- Could capture attack fingerprint in pcap format
- Have [complete support](docs/DETECTED_ATTACK_TYPES.md) for most popular attack types

Running Fastnetmon
------------------
### Supported platforms
- Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)
- FreeBSD 9, 10, 11
- Mac OS X Yosemite

### Supported architectures
- x86 64 bit (recommended)
- x86 32 bit

### Router integration instructions
- [Juniper MX Routers](docs/JUNOS_INTEGRATION.md)

### Distributions supported
- We are part of [CloudRouter](https://cloudrouter.org/cloudrouter/2015/07/09/fastnetmon.html) distribution
- We are part of [official FreeBSD ports](https://freshports.org/net-mgmt/fastnetmon/), [manual install](docs/FreeBSD_INSTALL.md)
- [Amazon AMI image](docs/AMAZON.md)
- [VyOS based iso image with bundled FastNetMon](docs/VYOS_BINARY_ISO_IMAGE.md)
- [Docker image](docs/DOCKER_INSTALL.md)
- [Binary rpm packages for CentOS 6/7 and Fedora 21](docs/INSTALL_RPM_PACKAGES.md)
- [Automatic install script for Debian/Ubuntu/CentOS/Fedora/Gentoo](docs/INSTALL.md)
- [Automatic install script for Mac OS X](docs/MAC_OS_INSTALL.md)
- [Manual install on Slackware](docs/SLACKWARE_INSTALL.md)
- [Manual install for VyOS](docs/VyOS_INSTALL.md)

Screenshoots
------------

Main program screen image:

![Main screen image](docs/images/fastnetmon_screen.png)

Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:
![Cpu consumption](docs/images/fastnetmon_stats.png)

Example deployment scheme:
![Network diagramm](docs/images/network_map.png)

Example of [notification email](docs/ATTACK_REPORT_EXAMPLE.md) about detected attack.


How I can help project?
-----------------------
- We are looking for maintainer for Debian and Fedora/EPEL packages
- Test it! 
- Share your experience
- Share your use cases
- Share your improvements
- Test it with different equipment
- Create feature requests

Author: [Pavel Odintsov](http://ru.linkedin.com/in/podintsov/) pavel.odintsov at gmail.com [Follow my Twitter](https://twitter.com/odintsov_pavel)
Update README.md Add email examples. 2014-06-08 20:49:25 +02:00			`FastNetMon`
Readme fix 2013-11-14 09:23:10 +01:00			`===========`
readme rewrite 2015-10-06 17:37:27 +02:00			`FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, SnabbSwitch, netmap, PF_RING, PCAP).`
Update README.md Add twitter :) 2015-03-10 23:38:10 +01:00
readme rewrite 2015-10-06 17:37:27 +02:00			`What can we do? We can detect hosts in our own network with a large amount of packets per second/bytes per second or flow per second incoming or outgoing from certain hosts. And we can call an external script which can notify you, switch off a server or blackhole the client.`
Add irc channel 2015-06-15 11:59:12 +02:00
readme rewrite 2015-10-06 17:37:27 +02:00			`To enable sFLOW simply specify IP of server with installed FastNetMon and specify port 6343.`
			`To enable netflow simply specify IP of server with installed FastNetMon and specify port 2055.`
Update README.md 2015-06-18 09:01:33 +02:00
readme rewrite 2015-10-06 17:37:27 +02:00			`Why did we write this? Because we can't find any software for solving this problem in the open source world!`
Add link to manual 2015-08-27 16:07:30 +02:00
small change in order of text 2015-10-07 05:33:15 +02:00			`What is "flow" in FastNetMon terms? It's one or multiple udp, tcp, icmp connections with unique src IP, dst IP, src port, dst port and protocol.`

Add explicit notification about license 2014-06-23 14:55:20 +02:00			`License: GPLv2`
Initial commit 2013-10-18 12:09:53 +02:00
Fix Travis CI build image link The link of the build image is pointing to an obsoleted/freezed project. 2015-10-30 14:13:43 +01:00			`[![Build Status](https://travis-ci.org/pavel-odintsov/fastnetmon.svg?branch=master)](https://travis-ci.org/pavel-odintsov/fastnetmon) [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/FastVPSEestiOu/fastnetmon?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)`
small change in order of text 2015-10-07 05:33:15 +02:00

Move install guide in top of manual 2014-11-22 14:24:50 +01:00
readme rewrite 2015-10-06 17:37:27 +02:00			`Project`
			`-------`
			`- [Mailing list](https://groups.google.com/forum/#!forum/fastnetmon)`
			`- [Roadmap](docs/ROADMAP.md)`
			`- [Release Notes](docs/RELEASENOTES.md)`
			`- Chat: #fastnetmon at irc.freenode.net [web client](https://webchat.freenode.net/)`
			`- [Please fill survey, we need your voice!](https://docs.google.com/forms/d/1YoXQImMeEjBH-JPz3KYtcDwknHs8xrI538ObwSy9uZo/viewform)`
			`- Detailed reference in Russian: [link](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/FastNetMon_Reference_Russian.pdf)`
Add waffle badge 2015-05-02 18:36:34 +02:00
readme rewrite 2015-10-06 17:37:27 +02:00			`Supported packet capture engines`
			`--------------------------------`
README fix 2015-03-23 11:39:08 +01:00			`- NetFlow v5, v9`
			`- IPFIX`
Add sFLOW v4 to features 2015-06-24 16:49:04 +02:00			`- ![sFLOW](http://sflow.org/images/sflowlogo.gif) v4 (dev branch only), v5`
Completely working SnabbSwitch integration. 12 mpps with 4 NIC's 2015-08-31 14:15:16 +02:00			`- Port mirror/SPAN capture with PF_RING (with ZC/DNA mode support [need license](http://www.ntop.org/products/pf_ring/)), SnabbSwitch, NETMAP and PCAP`
Rewrite READMER 2015-03-23 11:37:29 +01:00
Update README.md 2015-04-28 21:39:08 +02:00			`You could look [comparison table](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/CAPTURE_BACKENDS.md) for all available packet capture engines.`

readme rewrite 2015-10-06 17:37:27 +02:00			`Features`
			`--------`
BGP Flow Spec RFC 5575 support have added 2015-07-30 08:13:57 +02:00			`- Complete [BGP Flow Spec support](docs/BGP_FLOW_SPEC.md), RFC 5575`
Upgrade documentation 2014-11-22 14:17:26 +01:00			`- Can process incoming and outgoing traffic`
Fix readme 2015-05-07 16:06:47 +02:00			`- Can trigger block script if certain IP loads network with a large amount of packets/bytes/flows per second`
Add remark about custom limits for subnets :) 2015-07-15 11:56:38 +02:00			`- Thresholds could be configured in per subnet basis with hostgroups feature`
Add documentation about ExaBGP 2015-04-26 15:00:47 +02:00			`- Could [announce blocked IPs](docs/EXABGP_INTEGRATION.md) to BGP router with [ExaBGP](https://github.com/Exa-Networks/exabgp)`
Add link to GoBGP docs 2015-10-05 13:02:05 +02:00			`- GoBGP [integration](docs/GOBGP.md) for unicast IPv4 announces`
Add InfluxDB exmples 2015-08-04 15:15:44 +02:00			`- Full integration with [Graphite](docs/GRAPHITE_INTEGRATION.md) and [InfluxDB](docs/INFLUXDB_INTEGRATION.md)`
Completely working API 2015-10-16 12:56:31 +02:00			`- API`
MongoDB ready for production 2015-10-01 11:23:14 +02:00			`- Redis integration`
			`- MongoDB integration`
Since this commit we could parse attack details with DPI 2015-07-29 17:15:04 +02:00			`- Deep packet inspection for attack traffic`
Add fix for netmap supported hw 2015-03-15 19:07:19 +01:00			`- netmap support (open source; wire speed processing; only Intel hardware NICs or any hypervisor VM type)`
Completely working SnabbSwitch integration. 12 mpps with 4 NIC's 2015-08-31 14:15:16 +02:00			`- SnabbSwitch support (open source, very flexible, LUA driven, very-very-very fast)`
Add support for LUA processors for sFLOW 2015-07-03 18:18:15 +02:00			`- Could filter out NetFLOW v5 flows or sFLOW packets with script implemented in LUA (useful for port exclude)`
Grammatical errors Figured I'd give this a glance for you. Not really wrong, but reads a bit odd in English! 2015-03-10 21:06:21 +01:00			`- Supports L2TP decapsulation, VLAN untagging and MPLS processing in mirror mode`
Upgrade documentation 2014-11-22 14:17:26 +01:00			`- Can work on server/soft-router`
			`- Can detect DoS/DDoS in 1-2 seconds`
Add performance tests 2015-05-13 23:06:47 +02:00			`- [Tested](https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/PERFORMANCE_TESTS.md) up to 10GE with 12 Mpps on Intel i7 3820 with Intel NIC 82599`
Add plugin support 2015-01-26 13:11:51 +01:00			`- Complete plugin support`
Add pcap capture feature 2015-07-16 22:47:55 +02:00			`- Could capture attack fingerprint in pcap format`
Update README.md 2015-05-08 18:00:48 +02:00			`- Have [complete support](docs/DETECTED_ATTACK_TYPES.md) for most popular attack types`
Upgrade documentation 2014-11-22 14:17:26 +01:00
readme rewrite 2015-10-06 17:37:27 +02:00			`Running Fastnetmon`
			`------------------`
			`### Supported platforms`
Add Debian 8 Jessie suppotr 2015-04-26 21:30:38 +02:00			`- Linux (Debian 6/7/8, CentOS 6/7, Ubuntu 12+)`
Complete FreeBSD support 2015-02-10 14:36:09 +01:00			`- FreeBSD 9, 10, 11`
Update README.md Added info about only x86_64 architecture supported. 2015-05-19 00:14:27 +02:00			`- Mac OS X Yosemite`

readme rewrite 2015-10-06 17:37:27 +02:00			`### Supported architectures`
Full support for 32 bit platforms announced! 2015-06-12 21:05:32 +02:00			`- x86 64 bit (recommended)`
			`- x86 32 bit`
Add info about supported platforms 2015-01-09 23:53:31 +01:00
readme rewrite 2015-10-06 17:37:27 +02:00			`### Router integration instructions`
added router integration to README.md and docker image highlight 2015-07-22 22:07:33 +02:00			`- [Juniper MX Routers](docs/JUNOS_INTEGRATION.md)`

readme rewrite 2015-10-06 17:37:27 +02:00			`### Distributions supported`
			`- We are part of [CloudRouter](https://cloudrouter.org/cloudrouter/2015/07/09/fastnetmon.html) distribution`
			`- We are part of [official FreeBSD ports](https://freshports.org/net-mgmt/fastnetmon/), [manual install](docs/FreeBSD_INSTALL.md)`
			`- [Amazon AMI image](docs/AMAZON.md)`
			`- [VyOS based iso image with bundled FastNetMon](docs/VYOS_BINARY_ISO_IMAGE.md)`
			`- [Docker image](docs/DOCKER_INSTALL.md)`
			`- [Binary rpm packages for CentOS 6/7 and Fedora 21](docs/INSTALL_RPM_PACKAGES.md)`
			`- [Automatic install script for Debian/Ubuntu/CentOS/Fedora/Gentoo](docs/INSTALL.md)`
			`- [Automatic install script for Mac OS X](docs/MAC_OS_INSTALL.md)`
			`- [Manual install on Slackware](docs/SLACKWARE_INSTALL.md)`
			`- [Manual install for VyOS](docs/VyOS_INSTALL.md)`

			`Screenshoots`
			`------------`

Grammatical errors Figured I'd give this a glance for you. Not really wrong, but reads a bit odd in English! 2015-03-10 21:06:21 +01:00			`Main program screen image:`
Update README.md Fix alignment of image. 2014-06-08 12:30:03 +02:00
Move data files to src folder; Move images to doc folder; 2015-03-22 11:45:52 +01:00			`![Main screen image](docs/images/fastnetmon_screen.png)`
Update README.md Add explained documentation 2014-06-08 12:29:37 +02:00
Grammatical errors Figured I'd give this a glance for you. Not really wrong, but reads a bit odd in English! 2015-03-10 21:06:21 +01:00			`Example for cpu load on Intel i7 2600 with Intel X540/82599 NIC on 400 kpps load:`
Move data files to src folder; Move images to doc folder; 2015-03-22 11:45:52 +01:00			`![Cpu consumption](docs/images/fastnetmon_stats.png)`
Update README.md Add explained documentation 2014-06-08 12:29:37 +02:00
Upgrade documentation 2014-11-22 14:17:26 +01:00			`Example deployment scheme:`
Move data files to src folder; Move images to doc folder; 2015-03-22 11:45:52 +01:00			`![Network diagramm](docs/images/network_map.png)`
Add example deployment scheme 2014-11-14 21:43:00 +01:00
Update README.md 2015-05-07 16:00:29 +02:00			`Example of [notification email](docs/ATTACK_REPORT_EXAMPLE.md) about detected attack.`
Add manual about sFLOW 2014-12-02 14:42:40 +01:00
Fixes in READMER 2015-03-25 16:05:15 +01:00
Add help to project remark 2015-03-17 10:14:49 +01:00			`How I can help project?`
readme rewrite 2015-10-06 17:37:27 +02:00			`-----------------------`
Add remarks, we need maintainers for Debian/RedHat 2015-06-17 10:58:52 +02:00			`- We are looking for maintainer for Debian and Fedora/EPEL packages`
Add help to project remark 2015-03-17 10:14:49 +01:00			`- Test it!`
			`- Share your experience`
Add remarks, we need maintainers for Debian/RedHat 2015-06-17 10:58:52 +02:00			`- Share your use cases`
Add help to project remark 2015-03-17 10:14:49 +01:00			`- Share your improvements`
Fix typo 2015-03-22 12:09:29 +01:00			`- Test it with different equipment`
Add help to project remark 2015-03-17 10:14:49 +01:00			`- Create feature requests`
readme rewrite 2015-10-06 17:37:27 +02:00
			`Author: [Pavel Odintsov](http://ru.linkedin.com/in/podintsov/) pavel.odintsov at gmail.com [Follow my Twitter](https://twitter.com/odintsov_pavel)`