GIX – Flow Processor

GIXflow is a tool which analyses data received as NetFlow packets and visualise the data in real-time.

Currently GIXflow can

• Listen on IPv4 and IPv6 addresses for NetFlow data
• Decode NetFlow v1, v5, v9, v10 (IPFIX) packets
• Analyse IPv4 and IPv6 flows
• For flows without a src/dst ASN or with an ASN equals 4294967295 (see Junos issue/limitation) do a DNS lookup using one of IP2ASN mapping services Cymru (IPv4&6 support) or Route Views (IPv4 only)
• Convert MaxMind geo data (ip2asn and ip2country databases for IPv4&6 addresses) to a SQLite3 database
• Listen on IPv4 and IPv6 addresses to allow web access with SSL support
• Display real-time graphs

Real-time graphs show

• Total bandwidth of TCP, UDP, ICMP, IPv6 & OTHER traffic
• Packet rate for TCP, UDP, ICMP, IPv6 & OTHER traffic
• Received and processed packets
• Received and processed flows
• Prefix cache size
• Flow queue size
• Sent DNS queries

TODO list

• Rewrite GIXflow code to use multiprocessing and ØMQ python libraries.
  A flowchart draft representing the planned modular design of GIXflow.
  
• sFlow support
• GIXflow code profiling as the current performance is about 15k flows/sec on a host with a single Intel Xeon E3-1245V2@3.40GHz. That can be caused by the GIL (Global Interpreter Lock) and may require rewriting the code to use the multiprocessing instead of the threading package.
• Integrating ExaBGP to import prefixes from a BGP session instead of using DNS based IP2ASN mapping services
• Importing prefixes from MRT dump files
• Replicating flows with added src & dst ASNs to further collectors
• Splitting flows when a processed packet with additional src & dst ASNs would become larger than an allowed MTU
• …

The source code of GIXflow is available as a GitHub repository here.

Click to see GIXflow live demo. If the demo would not work it could mean that I am working on it right now.

Sample screenshot

The first two with MaxMind GeoLite data imported and the last one with IP2ASN mapping enabled.

GIXflow is still in a very early stage and currently is more a proof of concept than a tool which could be used in a production environment.

This product includes GeoLite data created by MaxMind. The GeoLite data is converted and distributed as a SQLite3 database.

This product includes Highcharts charting library by Highsoft. The library is free for students, universities, public schools, non-profit organisations and for developing and testing applications using Highcharts/Highstock. Highsoft software products are not free for commercial use.