Grouch mumbling about computers.

Thoughts, ideas.


Network update part 2: Monitoring the network with NetFlow, InfluxDB and Grafana

After adding a fancy router (see here ) to my setup I decided to monitor my network (now that it is possible). Having already a Grafana+InfluxDB setup for my standard monitoring I decided to (somehow) feed the network data into this setup.

Compile ipt_NETFLOW kernel module

To build ipt-netflow I needed to install some dependencies first: dkms iptables-dev pkg-config build-essential git-core .
On the espressobin I also needed linux-headers-next-mvebu64 instead of linux-headers-$(uname -r) .

build / install

git clone
cd ipt-netflow
make all install

test it out

As root (change your destination ip/port):

modprobe ipt_NETFLOW destination=
iptables -I FORWARD -j NETFLOW                                                                                                                        
iptables -I INPUT -j NETFLOW                                                                                                                          
iptables -I OUTPUT -j NETFLOW    

Start a netflow collector. I adapted a netflow decoder I found here with protocol help from here so I could make it feed my data into InfluxDB. You can find my script here .

Write some queries in grafana

SELECT sum("value") FROM "net_if" WHERE "scidr" = '' AND "dcidr" = '' AND "dport" != '80' AND "dport" != '443' AND "daddr" != '' AND $timeFilter GROUP BY time(24h), "saddr", "daddr", "dport" fill(none)

You end up with something like this:


This allowed me to find many hosts doing:

  • A LOT of DNS requests (1k+/min). As I didn't want to add a local DNS caching server (yet) for each of these (2) servers, I simply hard-coded the value in /etc/hosts.
  • NTP and DNS requests going to the outside world. Now these are dropped and my router is advertised as the DNS/NTP server.





DNS(ACCEPT) $FW     net
DNS(REJECT) loc     net

NTP(ACCEPT) $FW     net
NTP(REJECT) loc     net


I want to investigate using elasticsearch+kibana as it at least supports IPs as native datatypes, which would allow me to NOT have to decide on the cidr myself (and maybe find a way to do automatic name resolution to help out with debugging).