From ISP admin
NETflow module
The NetFlow monitoring module serves to fulfil the requirements of public notice 485/2005 Coll. on electronic communications, issued under § 97 par. 3 of Act 127/2005 Coll. (Act on Electronic Communications). According to this notice every provider has the duty to record the services and traffic that pass through its infrastructure from and to its clients. It is not necessary (and not even technically possible) to record the contents of individual packets; there is, however, the duty to record the packet headers, which contain the source and destination IP address, destination port, protocol type, time of communication, duration of the connection, number of packets and bytes, etc.
The NETflow module records the headers of all packets, i.e. the data listed above, which the police need if one of your customers is suspected of, for example, illegal data sharing (breach of copyright law), spreading child pornography, Internet attacks, etc.
In practice it works like this: data collection is pre-set in ISP admin, and the boundary router is configured to send the packet headers to the ISP admin server. The boundary router must be placed before NAT; otherwise the NATed addresses, not the clients' IP addresses, would be recorded, which is not correct.
The NETflow module keeps the required records of client communication; it is thus intended directly for monitoring client access to public networks, i.e. the Internet. The record consists of the header contents of all transit packets.
For the time being, the main part of NETflow consists of the running collection, the evaluation of the data and its export into CSV format. In future we plan to expand the display with more detailed statistics, for example the type of protocol (HTTP, SMTP) in given time periods, data transferred by the whole network, and others.
The running-process check verifies whether NETflow is running on the server and whether data is being collected. The current status is shown on the NETflow tab, where the state of the processes is displayed graphically in red or green with a corresponding message. If NETflow is not running on the server, a warning sign appears at login and the problem must be resolved.
The module is fully functional and therefore suitable for fulfilling the legal requirements of the above-mentioned public notice 485/2005 Coll.; in other words, it performs these tasks:
- Logging of the end clients' traffic.
- Evaluation of the data needed to create the required communication record.
- Export into CSV format in the form required by law.
- Automatic monitoring of whether the data collection service is running; if it is not, a warning notification is shown after the administrator logs in.
- Detailed statistics, such as the type of protocol (HTTP, SMTP) in given time periods.
The NETflow module is not part of the standard ISP admin installation and must be purchased separately. First ensure adequate storage capacity, then configure the boundary router correctly; our technical support will then enable the module for you.
Laws and duties of the ISP
The duty to keep records of client communication is laid down by public notice 485/2005 Coll. A legal entity or natural person operating a public communication network, i.e. every ISP, is obliged to monitor the electronic communication of its clients, to store the data in the prescribed electronic form for six months and, if required, to hand the data over to an authorized body (mainly the Police of the Czech Republic).
According to the above-mentioned public notice 485/2005 Coll., every provider of a packet-switched electronic communications network is thus obliged to store data about actual communication. In practice it is enough to record the packet headers; packet contents do not have to be stored.
We made some measurements and obtained the following figures:
Average traffic 40~60 Mbit/s:
- Data flow between the boundary router and ISP admin is about 150~300 kbit/s.
- About 50~60 MB of data is stored per day, i.e. roughly 10~12 GB for the six months required by law.
- The boundary router (MikroTik, or a common P4 PC) is not loaded by this at all, or at least not significantly.
- Searching the already stored data is more demanding and depends on server performance (especially disk operations). This can be addressed by optimizing the search and the hierarchy of the stored data.
Average traffic 200 Mbit/s:
- About 1.6 GB stored daily
- About 230 GB occupied over a six-month period
Average traffic 23 Mbit/s (600 active clients):
- About 280 MB stored daily (5.5 GB / month)
- About 33 GB stored over a six-month period
Average traffic 78 Mbit/s (1800 active clients):
- About 330 MB stored daily (13.5 GB / month)
- About 80 GB occupied over six months of operation
Current disk space usage can be checked on the screen Statistics / Server statistics. On the command line, the following examples can be used:
Total size of NETflow data:
du -sh /data/support/flow/default/
Size of recorded data for a selected month:
du -sh /data/support/flow/default/2009/*
Size of recorded data for selected days:
du -sh /data/support/flow/default/2009/2009-10/*
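The du commands above answer "how much is stored"; an administrator also wants to know whether collection is still alive and whether the disk will last the six months the notice requires. The following script is an added example, not part of ISP admin or flow-tools: it checks for a flow-capture process, checks that a flow file has been written recently, averages the size of the newest day directories and projects that over 183 days. It assumes the directory layout the page shows (YYYY/YYYY-MM/YYYY-MM-DD under /data/support/flow/default) and that flow-capture names completed files ft-v05.*; both are assumptions about this installation.

```shell
#!/bin/sh
# Added example (not from the ISP admin page): health and capacity check for
# the NETflow collector. Assumptions: data lives under FLOW_DIR with the
# nesting YYYY/YYYY-MM/YYYY-MM-DD and completed flow files are named ft-v05.*

FLOW_DIR="${FLOW_DIR:-/data/support/flow/default}"
RETENTION_DAYS=183          # six months of storage required by the notice

# six_month_estimate_gb MB_PER_DAY -> GB needed for RETENTION_DAYS, one decimal
six_month_estimate_gb() {
    awk -v mb="$1" -v days="$RETENTION_DAYS" \
        'BEGIN { printf "%.1f\n", mb * days / 1024 }'
}

# avg_daily_mb DIR N -> average size in MB of the N newest day directories
# (the leaves "YYYY/YYYY-MM/YYYY-MM-DD" under DIR); 0 when there are none
avg_daily_mb() {
    dir=$1; n=${2:-7}
    find "$dir" -mindepth 3 -maxdepth 3 -type d -name '????-??-??' 2>/dev/null |
        sort | tail -n "$n" |
        while read -r d; do du -sm "$d"; done |
        awk '{ s += $1; c++ } END { printf "%d\n", (c ? s / c : 0) }'
}

# flow_data_fresh DIR MAX_AGE_MIN -> 0 if a flow file was modified within
# MAX_AGE_MIN minutes. With the page's "-n 100" a file is rotated roughly every
# 15 minutes, so a 30-minute window is a safe choice.
flow_data_fresh() {
    [ -n "$(find "$1" -type f -name 'ft-v05*' -mmin "-$2" 2>/dev/null | head -n 1)" ]
}

# flow_capture_running -> 0 if a flow-capture process exists
flow_capture_running() {
    pgrep -x flow-capture >/dev/null 2>&1
}

# report -> prints the status; exit status 1 when collection looks stalled
report() {
    if flow_capture_running; then echo "flow-capture: running"; else echo "flow-capture: NOT running"; fi
    if flow_data_fresh "$FLOW_DIR" 30; then echo "data: fresh (written in the last 30 min)"; else echo "data: STALE"; fi
    daily=$(avg_daily_mb "$FLOW_DIR" 7)
    echo "average of the last 7 days: ${daily} MB/day"
    echo "six-month estimate: $(six_month_estimate_gb "$daily") GB"
    echo "currently used: $(du -sh "$FLOW_DIR" 2>/dev/null | cut -f1)"
    df -h "$FLOW_DIR"
    flow_capture_running && flow_data_fresh "$FLOW_DIR" 30
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as `sh netflow-check.sh --report` from cron; a non-zero exit is the same condition the ISP admin login warning reports, so it can be hooked to whatever alerting the server already uses.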
NETflow module installation and configuration
1) New disk setup
It is advisable to add a separate disk for NETflow data storage. Set up the new disk as follows:
First, create a primary partition spanning the whole disk (run fdisk on the disk device, not on a partition)
fdisk /dev/sdc
Then format the new partition with the xfs file system
mkfs.xfs /dev/sdc1
Then edit /etc/fstab, add the line below, and mount the partition
pico /etc/fstab
/dev/sdc1 /data/support/flow xfs defaults 0 0
mount /dev/sdc1
If there is not enough free space in the system partition for backups, you can move backup storage to this new disk:
mv /data/backup /data/support/flow
ln -s /data/support/flow/backup /data/backup
2) Flow-tools installation
The NETflow module requires this package:
apt-get install flow-tools
Then edit the configuration file: comment out all the active lines and add the new configuration as the last line, using a port number above 30100
pico -w /etc/flow-tools/flow-capture.conf
-w /data/support/flow/default -n 100 -V 5 -N 3 0/0/30123
Next, create the directory into which the flow-tools service will save the collected data
mkdir -p /data/support/flow/default
Finally, restart the flow-capture service and check that it is running
/etc/init.d/flow-capture restart
ps ax | grep flow
Now the only remaining step is to configure the boundary router to send the packet headers to the ISP admin server.
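Steps 1) and 2) above are easy to get half-done on a second server (partition formatted twice, fstab line added twice, a port below the required range). The script below is an added example, not the ISP admin project's own installer: it performs the same steps in one idempotent run with a check before each destructive action. It uses sfdisk instead of the page's interactive fdisk because sfdisk is scriptable; the device /dev/sdc, the mount point, the data directory and port 30123 are taken from the page's commands and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not the ISP admin project's code): idempotent setup of the
# NETflow disk and flow-capture collector as described in steps 1) and 2).
# Assumed defaults come from the page's commands; override via environment.
set -eu

DEV="${DEV:-/dev/sdc}"                 # whole disk; partition 1 is created on it
PART="${DEV}1"
MOUNT="${MOUNT:-/data/support/flow}"
FLOW_DIR="$MOUNT/default"
PORT="${PORT:-30123}"
CONF=/etc/flow-tools/flow-capture.conf

# valid_port N -> 0 if N is numeric, above 30100 (as the page requires) and below 65536
valid_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -gt 30100 ] && [ "$1" -lt 65536 ]
}

# capture_line DIR PORT -> the flow-capture.conf line the page prescribes
capture_line() {
    printf '%s %s -n 100 -V 5 -N 3 0/0/%s\n' -w "$1" "$2"
}

# fstab_has MOUNTPOINT FILE -> 0 if an uncommented entry in FILE already mounts MOUNTPOINT
fstab_has() {
    awk -v m="$1" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$2"
}

# prepare_disk: partition and format only when the partition carries no filesystem yet
prepare_disk() {
    if blkid "$PART" >/dev/null 2>&1; then
        echo "$PART already has a filesystem, leaving it alone"
    else
        echo ',,L' | sfdisk "$DEV"     # one Linux partition over the whole disk
        mkfs.xfs "$PART"
    fi
    mkdir -p "$MOUNT"
    fstab_has "$MOUNT" /etc/fstab || echo "$PART $MOUNT xfs defaults 0 0" >> /etc/fstab
    mountpoint -q "$MOUNT" || mount "$MOUNT"
}

# configure_collector: install flow-tools, leave exactly one active config line, start it
configure_collector() {
    valid_port "$PORT" || { echo "port $PORT must be above 30100" >&2; return 1; }
    apt-get install -y flow-tools
    sed -i 's/^[^#]/#&/' "$CONF"       # comment out every active line
    capture_line "$FLOW_DIR" "$PORT" >> "$CONF"
    mkdir -p "$FLOW_DIR"
    /etc/init.d/flow-capture restart
    pgrep -x flow-capture >/dev/null || { echo "flow-capture did not start" >&2; return 1; }
}

if [ "${1:-}" = "--apply" ]; then
    prepare_disk
    configure_collector
fi
```

Nothing happens without `--apply`, so the script can be sourced to reuse its checks. The blkid test is the important guard: it is what keeps a re-run from reformatting a partition that already holds six months of evidence.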
Boundary router settings
As described in the module overview, the boundary router sends the packet headers to the ISP admin server and must be placed before NAT, so that the clients' IP addresses rather than the NATed ones are recorded. If your network is connected through more than one boundary router, configure all of them to send the recorded data to ISP admin.
The router's function is not noticeably limited by data collection; the additional load observed from this activity is negligible.
A) MikroTik
Open the IP / Traffic Flow menu in Winbox, add a new item and set the following:
- IP address of the ISP admin server
- Port 30123 (the port number must match the one stated in /etc/flow-tools/flow-capture.conf)
- Version 5
Note: in Traffic Flow Settings, Interface must be set to ALL, otherwise it does not work on MikroTik. It is also important that the router's time is correctly synchronized, otherwise you will not be able to find any information properly. Set synchronization under System / NTP Client and use ntp.cesnet.cz as the synchronization server.
Alternatively, you can use a command like:
/ip traffic-flow target add address=IP_server:Port version=5
4) Licence - NETflow module activation
The licence status can be checked on the Users / Introduction tab, where the NETflow module item must show ACTIVE. If your licence does not include NETflow, contact technical support at sales@ispadmin.eu and ask for a new licence file to be issued. The file will be sent back as an attachment; simply copy the updated licence file into the directory /data/support/ispadmin/config/.
B) Linux
A router / PC (a regular P4; a server is not required) that gathers the data. When you use Linux as the boundary router, configure the fprobe utility with the following parameters so that it starts automatically after the system boots:
fprobe IP_ISPadmin:Port -i any
The command can be added to /etc/rc.local or placed among the startup scripts.
A compiled fprobe binary can be downloaded here: fprobe.
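A bare fprobe line in /etc/rc.local silently does nothing if the binary is missing or the target is mistyped, and collection stops without anyone noticing. The following starter is an added example, not part of ISP admin or fprobe: it validates the collector address, refuses to start a second exporter, keeps the page's "-i any" and confirms that the process stayed up. The collector address 192.0.2.10:30123 is an assumed placeholder.

```shell
#!/bin/sh
# Added example (not from the ISP admin page): rc.local-style starter for
# fprobe on a Linux boundary router. COLLECTOR is an assumed placeholder for
# the ISP admin server address and the port configured in flow-capture.conf.
COLLECTOR="${COLLECTOR:-192.0.2.10:30123}"

# valid_target HOST:PORT -> 0 when HOST is a dotted IPv4 address and PORT is above 30100
valid_target() {
    host=${1%%:*}; port=${1#*:}
    [ "$host" != "$1" ] || return 1                 # no colon at all
    case $port in ''|*[!0-9]*) return 1;; esac
    [ "$port" -gt 30100 ] && [ "$port" -lt 65536 ] || return 1
    echo "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# fprobe_running -> 0 if an fprobe process is already exporting
fprobe_running() { pgrep -x fprobe >/dev/null 2>&1; }

# start_fprobe: start the exporter once, on all interfaces, and confirm it stayed up
start_fprobe() {
    valid_target "$COLLECTOR" || { echo "bad collector address: $COLLECTOR" >&2; return 1; }
    command -v fprobe >/dev/null || { echo "fprobe is not installed" >&2; return 1; }
    if fprobe_running; then echo "fprobe already running"; return 0; fi
    fprobe -i any "$COLLECTOR"                      # fprobe daemonizes on its own
    sleep 1
    fprobe_running || { echo "fprobe exited immediately, check syslog" >&2; return 1; }
}

if [ "${1:-}" = "--start" ]; then start_fprobe; fi
```

Call it from /etc/rc.local as `sh /usr/local/sbin/fprobe-start.sh --start`; because the check is the same one run at boot, it can also be scheduled from cron to restart the exporter if it dies.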
Filtering data
The NETflow screen can be enabled under Settings / System settings / Public by setting the item netflow_button (show the NetFlow button) to the value "1".
This screen shows all the recorded data, with the following filters:
- IP address: enter the IP address whose data you want to display.
- Date from / to: restricts the displayed records to a given time period.
- Protocol: restricts the displayed records to communication using the chosen protocol.
- Port: restricts the displayed records to a chosen destination port, i.e. roughly the service type (www, ftp, ssh...).
Checking this setting enables a detailed description of individual records. For the time being only the numbers of well-known ports are replaced by service names (www, ftp, ssh...).
Data export
Exports the currently selected data. The exported data can be displayed on screen or saved to a text file in CSV format. Such a file can be delivered directly to the authorized bodies as evidence for the purposes of an investigation.
If you open the exported CSV file in a spreadsheet application such as MS Excel or OO Calc and choose the semicolon as the separator, you obtain, for example, this result.
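The same IP / date / port filtering can be applied to an export on the command line, which is useful when a request covers a period larger than the screen handles comfortably, and a file handed over as evidence should travel with a checksum so the recipient can verify it was not altered in transit. The script below is an added example, not part of ISP admin: it filters a semicolon-separated export with awk and writes a SHA-256 digest next to it. The column order of the embedded sample (time; src_ip; dst_ip; proto; dst_port; packets; bytes) is a constructed assumption; check it against the header of your own export.

```shell
#!/bin/sh
# Added example (not from the ISP admin page): filter an exported NETflow CSV
# and seal it with a SHA-256 digest for hand-over. The column layout of the
# constructed sample below is an assumption about the export format.

# Constructed sample export, in the assumed column order
SAMPLE=$(cat <<'EOF'
time;src_ip;dst_ip;proto;dst_port;packets;bytes
2009-10-05 08:01:12;10.1.1.5;203.0.113.7;tcp;80;12;6240
2009-10-05 08:02:40;10.1.1.5;203.0.113.8;tcp;443;30;24110
2009-10-05 09:15:03;10.1.1.9;198.51.100.2;udp;53;2;180
2009-10-06 10:00:00;10.1.1.5;198.51.100.9;tcp;22;200;48000
EOF
)

# filter_flows IP DSTPORT FROM TO < csv -> header plus matching rows; an empty
# argument means "any". FROM/TO are "YYYY-MM-DD HH:MM:SS" prefixes compared as
# strings, which works because the timestamp format sorts lexically.
filter_flows() {
    awk -F';' -v ip="$1" -v port="$2" -v from="$3" -v to="$4" '
        NR == 1 { print; next }                          # keep the header
        ip   != "" && $2 != ip && $3 != ip { next }      # match either direction
        port != "" && $5 != port { next }                # destination port only
        from != "" && $1 < from { next }
        to   != "" && $1 > to   { next }
        { print }'
}

# count_matches IP DSTPORT FROM TO -> number of matching rows in SAMPLE (header excluded)
count_matches() {
    printf '%s\n' "$SAMPLE" | filter_flows "$@" | tail -n +2 | wc -l | tr -d ' '
}

# seal_export FILE -> writes FILE.sha256 (verifiable with "sha256sum -c") and prints the digest
seal_export() {
    sha256sum "$1" | tee "$1.sha256" | cut -d' ' -f1
}

# Typical use: extract one client's records for one day and seal the result
# filter_flows 10.1.1.5 '' '2009-10-05' '2009-10-05 23:59:59' < export.csv > case-123.csv
# seal_export case-123.csv
```

Keep the .sha256 file and the digest in the hand-over record; the recipient runs `sha256sum -c case-123.csv.sha256` in the same directory to confirm the file is the one you exported.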
Data back-up
On the screen Others / Backups / NETflow you can browse the directory structure of the data gathered by the NETflow module directly from the administration interface. You can thus run an occasional file check or watch how the data volume grows over time.