In previous blog posts we described big news in Flowmon 8.0 – new architecture of Flowmon Collectors, DHCP. Today we will have a quick look at another new features in Flowmon 8.0.
Extended L3 / L4 visibility
Flowmon 8.0 extends visibility into network (L3) and transport (L4) layer of OSI model. We added three parameters which can be used to detect unauthorized NAT (Network Address Translation) in the network: TCP Window Size, TCP SYN Size and TCP TTL (Time to Live). NAT detection is based on fact, that operation systems have different default values of these parameters. So if you list flows for one specific source IP address and you see different flows with different values of TCP windows size, TCP SYN size or TCP TTL and you see this in the same time period, you can say with high probability, that there is more than just one PC behind the IP address. Automatic detection will be available in Flowmon ADS 8.01.
Fig 1: NAT detection using extended network and transport layer visibility.
To enable this feature, you must allow “L3/L4 extended” at exporter side and at the collector side. Don’t know how? Check chapter “How to try” it in previous blog post.
Autonomous System Statistics
Flowmon 8.0 brings monitoring of Previous and Next AS (Autonomous System) to enable ISPs / Telcos to analyze and optimize their peering/transit traffic. So at the same time you can have evidence of origin/destination autonomous system based on IP ranges and previous/next autonomous system based on routing information from BGP.
Fig 2: Monitored AS statistics in Flowmon Monitoing Center.
The purpose of Flowmon Dashboard is to become a central information center across all Flowmon modules. It was launched with Flowmon 7.0 and had initial support for widgets from Flowmon Monitoring Center and Flowmon ADS. Each user can define his own set of widgets focusing on their points of interest across various Flowmon modules. The widget queries data from its parental module and user can read data only from module he has permissions to.
Since Flowmon 8.0 each user can define multiple dashboards arranged in separate Tabs. In addition to widgets, user can define own central reports that combine chapters from different modules. User obtains at-a-glance information preview in one place for now. Flowmon Dashboard supports displaying reports from Flowmon Monitoring Center as well as Flowmon ADS (Flowmon ADS 8.0 is required). The reports can be exported into PDF and regularly sent to specified e-mail addresses. Future plans are to add widgets from another Flowmon modules.
Fig. 3: Extended Flowmon Dashboard with reports and multiple dashboards per user.
Wire-speed Flowmon Probes
Thanks to the changes in software of Flowmon Probes, we newly achieve wire‑speed performance on all of our 1GbE hardware based Flowmon Probes. We are now able to provide wire-speed performance in all 1G/10G and even 100G networks. See specification document to get more information.
Fig. 4: Flowmon Probe
Stay tuned for more information about Flowmon. In next blog posts we will describe SMB monitoring and new features in Flowmon 8.01 (30 seconds granularity) and Flowmon DDoS Defender 3.0 (faster detection and mitigation using BGP Flowspec).