GIX – Flow Processor

GIXflow is a tool that analyses data received as NetFlow packets and visualises the data in real time.

Currently GIXflow can

  • Listen on IPv4 and IPv6 addresses for NetFlow data
  • Decode NetFlow v1, v5, v9, v10 (IPFIX) packets
  • Analyse IPv4 and IPv6 flows
  • For flows without a src/dst ASN, or with an ASN equal to 4294967295 (see the Junos issue/limitation), do a DNS lookup using one of the IP2ASN mapping services: Cymru (IPv4 and IPv6 support) or Route Views (IPv4 only)
  • Convert MaxMind geo data (ip2asn and ip2country databases for IPv4 and IPv6 addresses) to a SQLite3 database
  • Listen on IPv4 and IPv6 addresses to allow web access with SSL support
  • Display real-time graphs
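
The ASN fallback described above, as an added example in Python (not GIXflow's own code): a missing ASN or the 4294967295 sentinel marks a record as needing a lookup, the reverse-octet (IPv4) or reverse-nibble (IPv6) query name for Team Cymru's DNS service is built, the TXT answer is parsed, and answers are cached by announced prefix so later flows in the same prefix send no DNS query. The resolver is injected and the TXT answers are constructed, so the block touches no network.

```python
import ipaddress
from typing import Callable, Optional, Tuple

UNKNOWN_ASN = 4294967295  # sentinel some Junos exporters put in the ASN field

def needs_asn_lookup(asn: Optional[int]) -> bool:
    """No ASN field, ASN 0 (NetFlow's 'unknown') or the Junos sentinel all need a lookup."""
    return asn in (None, 0, UNKNOWN_ASN)

def cymru_origin_qname(ip: str) -> str:
    """DNS name queried at Team Cymru: reversed octets for IPv4, reversed nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".origin.asn.cymru.com"
    nibbles = addr.exploded.replace(":", "")  # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".origin6.asn.cymru.com"

def parse_cymru_txt(txt: str) -> Tuple[int, str, str]:
    """Parse 'ASN | prefix | CC | registry | date'; multi-origin answers list ASNs space-separated."""
    fields = [f.strip() for f in txt.strip('"').split("|")]
    return int(fields[0].split()[0]), fields[1], fields[2]

class PrefixCache:
    """Keyed by the announced prefix from each answer, so later flows in it skip DNS."""
    def __init__(self) -> None:
        self._nets: dict = {}
    def get(self, ip: str) -> Optional[int]:
        addr = ipaddress.ip_address(ip)  # 'in' is False across IPv4/IPv6 versions
        return next((asn for net, asn in self._nets.items() if addr in net), None)
    def put(self, prefix: str, asn: int) -> None:
        self._nets[ipaddress.ip_network(prefix)] = asn

def resolve_asn(ip: str, flow_asn: Optional[int], cache: PrefixCache,
                dns_txt: Callable[[str], str]) -> Tuple[int, bool]:
    """Return (asn, dns_query_sent). dns_txt is an injected TXT resolver (real DNS in production)."""
    if not needs_asn_lookup(flow_asn):
        return flow_asn, False
    cached = cache.get(ip)
    if cached is not None:
        return cached, False
    asn, prefix, _country = parse_cymru_txt(dns_txt(cymru_origin_qname(ip)))
    cache.put(prefix, asn)
    return asn, True

# Constructed TXT answers in Cymru's documented format; no real DNS traffic is sent by this block.
FAKE_TXT = {
    "0.108.90.216.origin.asn.cymru.com": '"23028 | 216.90.108.0/24 | US | arin | 1998-09-25"',
    cymru_origin_qname("2001:db8::1"): '"64496 | 2001:db8::/32 | ZZ | other | 2000-01-01"',
}
```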

Real-time graphs show

  • Total bandwidth of TCP, UDP, ICMP, IPv6 & OTHER traffic
  • Packet rate for TCP, UDP, ICMP, IPv6 & OTHER traffic
  • Received and processed packets
  • Received and processed flows
  • Prefix cache size
  • Flow queue size
  • Sent DNS queries

TODO list

  • Rewrite the GIXflow code to use the multiprocessing and ØMQ Python libraries.
    A flowchart draft represents the planned modular design of GIXflow.
  • sFlow support
  • GIXflow code profiling, as the current performance is about 15k flows/sec on a host with a single Intel Xeon [email protected]. That may be caused by the GIL (Global Interpreter Lock) and may require rewriting the code to use the multiprocessing package instead of the threading package.
  • Integrating ExaBGP to import prefixes from a BGP session instead of using DNS-based IP2ASN mapping services
  • Importing prefixes from MRT dump files
  • Replicating flows with added src & dst ASNs to further collectors
  • Splitting flows when a processed packet with additional src & dst ASNs would become larger than an allowed MTU

The source code of GIXflow is available as a GitHub repository here.

Click to see the GIXflow live demo. If the demo does not work, it may mean that I am working on it right now.

Sample screenshots

The first two screenshots were taken with MaxMind GeoLite data imported and the last one with IP2ASN mapping enabled.
[Screenshots: gixflow_realstats1, gixflow_realstats2, gixflow_realstats3]

GIXflow is still at a very early stage and is currently more of a proof of concept than a tool that could be used in a production environment.

This product includes GeoLite data created by MaxMind. The GeoLite data is converted and distributed as a SQLite3 database.

This product includes Highcharts charting library by Highsoft. The library is free for students, universities, public schools, non-profit organisations and for developing and testing applications using Highcharts/Highstock. Highsoft software products are not free for commercial use.