Trisul Network Analytics
Developer Zone

User Tools

Site Tools

You are here: Home » hardware » Using a Shim Tunnel to send Netflow to a remote Trisul probe
Trace: Using a Shim Tunnel to send Netflow to a remote Trisul probe

Sidebar

Developer Zone

LUA Scripting

Usage Tips

Github Repos

Follow us on Twitter @trisulnsm

hardware:shimtunnel

**This is an old revision of the document!** ----

A PCRE internal error occured. This might be caused by a faulty plugin

====== Using a Shim Tunnel to send Netflow to a remote Trisul probe ====== A Shim tunnel encapsulates netflow payload inside a new UDP session by inserting a shim header ahead of the netflow header which will preserve the router/switch IP address. This is an alternative method when you cannot deploy the other two methods [[hardware:gatewaynetflow|NAT]] or [[hardware:gretunnel|GRE Tunnel]]. ===== The setup ===== Substitute these for your environment * Trisul Probe real IP : 192.168.2.99 * Gateway Node real IP : 192.169.2.81 (both should be able to ping each other) * Port used : UDP 5111 ===== Download the Shim software ===== The custom shim tunnel is provided by the netflow-shim-tunnel software running on the gateway node. Visit https://github.com/trisulnsm/netflow-shim-tunnel/tree/master/binaries and download the binary for your platform. <code> wget https://github.com/trisulnsm/netflow-shim-tunnel/raw/master/binaries/nfshim.el7 </code> ===== Run the nfshim server on the gateway node ===== The goal here is to forward all netflow packets received on UDP 5111 to the remote probe 192.168.2.99 on the same 5111 port ==== Example 1 : simple ==== <code> chmod +x nfshim.el7 ./nfshim.el7 -D 0.0.0.0:5111 192.168.2.99:5111 </code> ==== Example 2 : bind to a specific local address for tunnel endpoint ==== <code> chmod +x nfshim.el7 ./nfshim.el7 -D 0.0.0.0:5111 192.168.2.99:5111 10.259.52.4 </code> Ensure you disable the firewall or allow port 5111 through ''systemctl stop firewalld'' or ''firewall-cmd --zone=public --add-port=5111/udp'' ===== Start Trisul Probe ===== Set the **EnableShimTunnel** option in the netflow config file. <code> vi /usr/local/etc/trisul-probe/domain0/probe0/config0/PI-7CA* </code> Set or add the following line in the Policy section <code> <EnableShimTunnel>true</EnableShimTunnel> </code> Restart Trisul. You should now be able to see the Netflow analysis on the Trisul node with the actual router/switch IP addresses. ===== Options using Source NAT ===== If the above steps still do not work and a different source IP address is seen for the Shim tunnel use iptables to create a SNAT <code> iptables -t nat -A POSTROUTING -p udp --dport 5111 -o enp7s0 -j SNAT --to 10.10.10.10:5111 </code>

hardware/shimtunnel.1547198565.txt.gz · Last modified: 2019/01/11 09:22 by veera

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki