hardware:shimtunnel

====== Using a Shim Tunnel to send Netflow to a remote Trisul probe ======

A Shim tunnel encapsulates the netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header, which preserves the original router/switch IP address. This is an alternative method for when you cannot deploy the other two methods, [[hardware:gatewaynetflow|NAT]] or [[hardware:gretunnel|GRE Tunnel]].

===== The setup =====

Substitute these for your environment:

  * Trisul Probe real IP : 192.168.2.99
  * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other)
  * Port used : UDP 5111

===== Download the Shim software =====

The custom shim tunnel is provided by the netflow-shim-tunnel software running on the gateway node. Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform.

Example

<code>
wget https://github.com/trisulnsm/netflow-shim-tunnel/raw/master/binaries/nfshim.el7
</code>

===== Run the nfshim server on the gateway node =====

The goal here is to forward all netflow packets received on UDP 5111 to the remote probe 192.168.2.99 on the same port 5111.

Example

<code>
chmod +x nfshim.el7
./nfshim.el7 -D 0.0.0.0:5111 192.168.2.99:5111
</code>

Ensure you either disable the firewall or allow port 5111 through, using ''systemctl stop firewalld'' or ''firewall-cmd --zone=public --add-port=5111/udp''.

===== Start Trisul Probe =====

Set the **EnableShimTunnel** option in the netflow config file.

<code>
vi /usr/local/etc/trisul-probe/domain0/probe0/config0/PI-7CA*
</code>

Set or add the following line in the Policy section:

<code>
<EnableShimTunnel>true</EnableShimTunnel>
</code>

Restart Trisul. You should now be able to see the Netflow analysis on the Trisul node with the actual router/switch IP addresses.
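The "set or add" step above done idempotently, as an added example that is not part of this page or of Trisul's own tooling. It assumes the PI-7CA* file is XML containing a ''Policy'' element; the ''SAMPLE_CONFIG'' is constructed for illustration and stands in for the real file, which is not shown on this page.

```python
"""Set or add <EnableShimTunnel>true</EnableShimTunnel> in the Policy section
of a Trisul netflow config file. Added example, not Trisul's own tooling.
Assumption: the PI-7CA* file is XML with a <Policy> element."""
import glob
import sys
import xml.etree.ElementTree as ET

CONFIG_GLOB = "/usr/local/etc/trisul-probe/domain0/probe0/config0/PI-7CA*"


def _policy(root):
    # The Policy section may be the root itself or nested somewhere below it.
    return root if root.tag == "Policy" else root.find(".//Policy")


def enable_shim_tunnel(xml_text: str) -> str:
    """Return the config with EnableShimTunnel forced to 'true' under Policy.

    An existing element is updated in place; a missing one is appended, so
    running this twice never produces duplicate elements. Raises ValueError
    if there is no Policy section rather than guessing where the option goes.
    Caveat: ElementTree's default parser drops XML comments from the file.
    """
    root = ET.fromstring(xml_text)
    policy = _policy(root)
    if policy is None:
        raise ValueError("no <Policy> section found in config")
    opt = policy.find("EnableShimTunnel")
    if opt is None:
        opt = ET.SubElement(policy, "EnableShimTunnel")
    opt.text = "true"
    return ET.tostring(root, encoding="unicode")


def shim_tunnel_enabled(xml_text: str) -> bool:
    """Post-edit check: True only if Policy/EnableShimTunnel reads 'true'."""
    policy = _policy(ET.fromstring(xml_text))
    opt = policy.find("EnableShimTunnel") if policy is not None else None
    return opt is not None and (opt.text or "").strip().lower() == "true"


# Constructed sample standing in for the real PI-7CA* file.
SAMPLE_CONFIG = "<NetflowConfig><Policy><Other>1</Other></Policy></NetflowConfig>"

if __name__ == "__main__":
    paths = glob.glob(CONFIG_GLOB) or sys.exit(f"no file matched {CONFIG_GLOB}")
    for path in paths:
        with open(path) as f:
            updated = enable_shim_tunnel(f.read())
        with open(path, "w") as f:
            f.write(updated)
        print(f"EnableShimTunnel set in {path}; restart Trisul to apply")
```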

hardware/shimtunnel.1547113013.txt.gz · Last modified: 2019/01/10 09:36 by veera