User:Ondra.lengal/FlowMon
The FlowMon probe is an appliance for monitoring and reporting information on IP flows in high-speed computer networks. The probe is being developed by the Liberouter team within the scope of the CESNET research activity Optical National Research Network and its New Applications - 602 - Programmable hardware.
The FlowMon probe is built upon a pair of programmable network cards, called COMBO, and a host computer running the Linux operating system. The pair of COMBO cards consists of a main card with a PCI-Express connector for connection to the motherboard of the host computer and an add-on card with 2 or 4 network interfaces. Both cards contain programmable chips (FPGAs) which are able to process large amounts of data at high speed. The flow monitoring process itself is split between hardware (the acceleration cards) and application software running on the host computer. Following the principle of hardware/software co-design, all time-critical tasks are implemented in the FPGA chips on the acceleration cards, while more complex operations are executed by the application software. This concept enables monitoring of modern high-speed networks (1 Gbps, 10 Gbps) with no packet loss and with no need for input sampling. At the same time, a flexible and user-friendly interface is provided by the software.
The FlowMon probe is a passive monitoring device, i.e., it does not alter passing traffic in any way. It is therefore hardly possible to detect. When connected to a network, the FlowMon probe observes all passing traffic (packets), then extracts and aggregates information on IP flows into so-called flow records. The probe is able to export the aggregated data to external collectors in NetFlow (version 5 and 9) and IPFIX format. Collectors collect incoming flow records and store them for automated or manual and visual analysis (automated malicious traffic detection, filter rules, graphs and statistical schemas). The whole system allows for monitoring of the current state of the monitored network as well as for long-term traffic analysis.