Fastnetmon 0pps

Hi Guys,

I want to use fastnetmon but I have a problem:
1 min after a restart of fastnetmon, all incoming and outgoing IPs have pps, mbps and flows equal to 0.
Immediately after the restart I have some values there, but all of these values go down, down, down until 0 without any refresh (and I have some traffic), so normally I should see some pps.

Version: VyOS 1.3-rolling-202012160217
Release Train: equuleus

And also I use the fastnetmon doc for this:

set service ids ddos-protection direction 'in'
set service ids ddos-protection listen-interface 'eth0'
set service ids ddos-protection listen-interface 'eth1'
set service ids ddos-protection listen-interface 'eth2'
set service ids ddos-protection listen-interface 'eth3'
set service ids ddos-protection listen-interface 'eth4'
set service ids ddos-protection listen-interface 'eth5'
set service ids ddos-protection mode mirror
set service ids ddos-protection network 'x.x.x.x'
set service ids ddos-protection network 'x.x.x.x'
set service ids ddos-protection network 'x.x.x.x'
set service ids ddos-protection network 'x.x.x.x'
set service ids ddos-protection network 'x.x.x.x'
set service ids ddos-protection threshold fps '1000'
set service ids ddos-protection threshold mbps '50'
set service ids ddos-protection threshold pps '10000'

Where x.x.x.x are different /24

Some help?

Thanks,
Alin

Try to check logs
/var/logs/fastnetmon/*log

This is from the last restart:

2021-02-25 08:55:49,270 [INFO] Logger initialized!
2021-02-25 08:55:49,271 [INFO] We have configured local syslog logging corectly
2021-02-25 08:55:49,271 [ERROR] We can’t find notify script /usr/local/bin/notify_about_attack.sh
2021-02-25 08:55:49,275 [INFO] Read configuration file
2021-02-25 08:55:49,275 [INFO] We start local syslog logging corectly
2021-02-25 08:55:49,275 [INFO] We loaded 0 networks from whitelist file
2021-02-25 08:55:49,275 [INFO] We are working on Linux and could use ip tool for detecting local IP’s
2021-02-25 08:55:49,293 [INFO] We found 8 local IP addresses and will monitor they
2021-02-25 08:55:49,293 [INFO] We loaded 4 networks from networks file
2021-02-25 08:55:49,293 [INFO] Totally we have 12 IPv4 subnets
2021-02-25 08:55:49,293 [INFO] Totally we have 0 IPv6 subnets
2021-02-25 08:55:49,293 [INFO] Total number of monitored hosts (total size of all networks): 1544
2021-02-25 08:55:49,293 [INFO] We need 0 MB of memory for storing counters for your networks
2021-02-25 08:55:49,293 [INFO] I will allocate 1 records for subnet 3141058570 cidr mask: 32
2021-02-25 08:55:49,293 [INFO] I will allocate 256 records for subnet 11882829 cidr mask: 24
2021-02-25 08:55:49,293 [INFO] I will allocate 1 records for subnet 28660045 cidr mask: 32
2021-02-25 08:55:49,293 [INFO] I will allocate 512 records for subnet 1581657 cidr mask: 23
2021-02-25 08:55:49,293 [INFO] I will allocate 1 records for subnet 18358873 cidr mask: 32
2021-02-25 08:55:49,293 [INFO] I will allocate 1 records for subnet 18424409 cidr mask: 32
2021-02-25 08:55:49,293 [INFO] I will allocate 512 records for subnet 11544921 cidr mask: 23
2021-02-25 08:55:49,294 [INFO] I will allocate 1 records for subnet 28322137 cidr mask: 32
2021-02-25 08:55:49,294 [INFO] I will allocate 1 records for subnet 28387673 cidr mask: 32
2021-02-25 08:55:49,294 [INFO] I will allocate 256 records for subnet 5822140 cidr mask: 24
2021-02-25 08:55:49,294 [INFO] I will allocate 1 records for subnet 22599356 cidr mask: 32
2021-02-25 08:55:49,294 [INFO] I will allocate 1 records for subnet 1684318400 cidr mask: 32
2021-02-25 08:55:49,294 [INFO] We start total zerofication of counters
2021-02-25 08:55:49,294 [INFO] We finished zerofication
2021-02-25 08:55:49,294 [INFO] We loaded 12 IPv4 subnets to our in-memory list of networks
2021-02-25 08:55:49,294 [INFO] AF_PACKET plugin started
2021-02-25 08:55:49,294 [INFO] AF_PACKET will listen on 6 interfaces
2021-02-25 08:55:49,294 [WARN] We support only single interface for AF_PACKET, sorry!
2021-02-25 08:55:49,294 [INFO] We have 24 cpus for AF_PACKET
2021-02-25 08:55:49,294 [INFO] Run banlist cleanup thread, we will awake every 60 second

You can use only one port, in port mirror mode.
Or you can mirror traffic from the switch to a VyOS port and listen to it with fastnetmon.

Can you be more specific?
And I use the embedded fastnetmon client in VyOS 1.3.
Do you mean to have only one of these: set service ids ddos-protection listen-interface 'eth5'?

And also one more point:
normally I need to have 3 tables of measurements, based on the doc.

show measurements
name: measurements
hosts
networks
total

But I have only 2 of them (hosts and total), although I use the correct template in influxdb:

templates = [
.networks. app.measurement.cidr.direction.resource”,
.hosts. app.measurement.cidr.direction.function.resource”,
.total. app.measurement.direction.resource”
]

Try to replace in the file /etc/fastnetmon.conf

mirror_afpacket = on
to
mirror = on

And restart fastnetmon service

If you want to use influxdb, you need to add it in the configuration ref. influx

We use only minimal config options for fastnetmon yet.

Well, to allow fastnetmon to create the networks measurements row we need to set
enable_subnet_counters = on
Restart fastnetmon, and that table row will be created.

Thanks,
Alin.

Hello,

How about the notify script? Do I have to set

notify_script_enabled = enable > /etc/fastnetmon.conf

?

Or just in the vyos config

set service ids fastnetmon alert-script '/usr/local/bin/notify_script.bash'

echo ban_details | /usr/local/bin/notify_script.bash 11.22.33.44 incoming 100500 ban
/usr/local/bin/notify_script.bash: line 26: mail: command not found

Comment out “mail”.
We don't have such a command.
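
Added example, not part of the thread and not VyOS or FastNetMon code: a notify handler that avoids the missing mail command by appending to a log file and, optionally, to syslog through logger. The argument order (IP, direction, pps, action, with details on stdin) follows the manual test call shown above; the log path, the function names and the NOTIFY_LOG and USE_SYSLOG variables are assumptions.

```sh
#!/bin/sh
# Added example (constructed): FastNetMon notify handler without `mail`.
# Called as: <script> <ip> <direction> <pps> <action>, details on stdin.
NOTIFY_LOG="${NOTIFY_LOG:-/var/log/fastnetmon_notify.log}"  # assumed path
USE_SYSLOG="${USE_SYSLOG:-1}"                               # assumed switch

valid_ipv4() {
    # Digits and dots only, four octets, each 0-255.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

format_event() {
    # Reject anything unexpected so arguments cannot inject log lines.
    valid_ipv4 "$1" || return 1
    case "$2" in ''|*[!a-z]*) return 1 ;; esac
    case "$3" in ''|*[!0-9]*) return 1 ;; esac
    case "$4" in ban|unban|attack_details) ;; *) return 1 ;; esac
    printf 'action=%s ip=%s direction=%s pps=%s' "$4" "$1" "$2" "$3"
}

handle_event() {
    event=$(format_event "$@") || { echo "notify: bad arguments" >&2; return 2; }
    # Details arrive on stdin: cap the size and drop control bytes.
    details=$(head -c 4096 | tr -cd '[:print:]\n')
    {
        printf '%s fastnetmon %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$event"
        [ -z "$details" ] || printf '%s\n' "$details" | sed 's/^/    /'
    } >> "$NOTIFY_LOG"
    if [ "$USE_SYSLOG" = 1 ] && command -v logger >/dev/null 2>&1; then
        logger -t fastnetmon-notify "$event" 2>/dev/null || true
    fi
}

# Run only when FastNetMon (or a manual test) passes arguments.
if [ "$#" -gt 0 ]; then
    handle_event "$@"
fi
```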