“Samplicate This!” or “How to share your netflow”

It started out simple enough: boy needs free, web-based application to send netflow data to, boy finds one and is happy with it, boy realizes that Cisco devices will only let him send netflow to two netflow collectors at most, boy has another problem to solve. Yes, it’s very sad, and so universal.

And, as has been the case so many times before, the right woman saved me. I don’t remember the exact question I posed to her, but in a matter of seconds Ms. Google pointed me to a Google Code project called samplicator that does exactly what I needed.

Samplicator was a piece of cake to install from the archive I downloaded, but the options for running it weren’t completely obvious, and for those of us who want the application to run as a “service” when our server boots, there was no init script produced by the installer.

The gist of samplicator’s job is to listen on one or more UDP ports–yes, it can listen on more than one–then forward those packets, with their original source addresses intact, to any number of other hosts. Brad Reese’s packet capture makes this pretty clear.

When you run samplicator manually from the command line, you can pass it the new destinations and ports directly, like Brad shows, or you can pass it the location of a config file, as Joanne Ghidoni describes on the Plixer Systrax blog. I don’t want to have to remember to start samplicator manually every time I reboot my server, nor do I want to add it to a user’s crontab; I want it to be a manageable “service”.

I looked around a bit to find one someone else had already built, but the one I found seemed like complete overkill for my purposes and didn’t document the config files it references. So, I made and documented my own, using the skeleton shell script I found here:

#! /bin/sh
# /etc/init.d/samplicator
#
# base script from http://www.debian-administration.org/articles/28

# SAMPLICATOR: http://code.google.com/p/samplicator/
#
# sudo ./configure
# sudo make
# sudo make install
#
# samplicator accepts UDP packets from any source on a listening port and forwards
# (relays) them, *unchanged*, to other hosts on the ports given in its config file.
#
# For instance, many Cisco devices will only send netflow to 2 or fewer
# destinations, which doesn't scale well for multiple netflow collectors. Using
# samplicator, we can receive on one host on a particular port or ports and forward
# to any number of other hosts, as prescribed in the samplicator config file,
# e.g. /etc/samplicator.conf
#
# config file example
#
# source/mask:destination/port
# 0.0.0.0/0.0.0.0:10.50.30.74/9996 10.50.38.185/2055
# 172.16.4.23/255.255.255.255:10.0.1.1/8888 10.1.0.1/8887
#
# This simple script merely stops and starts samplicator processes. Note that
# additional listeners can be added to the *start* section below, with other
# config files (each on its own listening port), as needed.
#
# CREATE: 'sudo nano /etc/init.d/samplicator', 'sudo chmod +x /etc/init.d/samplicator'
# ADD TO STARTUP: 'sudo update-rc.d samplicator defaults'

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting script samplicator"
    # -S (spoof source address) -f (fork into background) -p (listening port) -c (config file)
    /usr/local/bin/samplicate -S -f -p 8885 -c /etc/samplicator.conf
    # add other listeners, each with its own port and config file
    # /usr/local/bin/samplicate -S -f -p 8886 -c /etc/samplicator02.conf
    # /usr/local/bin/samplicate -S -f -p 8887 -c /etc/samplicator03.conf
    ;;
  stop)
    echo "Stopping script samplicator"
    # kill ALL samplicator listeners (pkill does nothing if none are running)
    pkill samplicate
    ;;
  *)
    echo "Usage: /etc/init.d/samplicator {start|stop}"
    exit 1
    ;;
esac

exit 0

I’m sure there’s a more elegant start-up script out there somewhere, but this is mine and it works.

Following Joanne’s example, the config file I created is also very simple:

# source/mask:destination/port
0.0.0.0/0.0.0.0:10.50.30.74/9996 10.50.38.185/2055

Note that I chose all zeros for my source address and mask to allow netflow received from any host to be forwarded to the same two destinations.
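To make the source/mask semantics of the config file concrete (the example lines in the script comments above and the one-line config just shown), here is a small added Python example that is not part of samplicator or of the original post. It parses the page's config format, works out which destinations a packet from a given exporter would be relayed to, and flags a destination that points back at the relay's own listener, which with -S (source kept intact) would make the relay re-forward its own output. The function names, the sample config and the rule that every matching line applies (rather than only the first) are my assumptions; the matching itself is the usual (address AND mask) comparison.

```python
"""Resolve a samplicator-style config: which destinations get an exporter's packets.

Added example; function names and the "every matching rule applies" semantics
are my assumptions, not samplicator's own code.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample config in the page's format: a comment line, then rules.
SAMPLE_CONFIG = """\
# source/mask:destination/port
0.0.0.0/0.0.0.0:10.50.30.74/9996 10.50.38.185/2055
172.16.4.23/255.255.255.255:10.0.1.1/8888 10.1.0.1/8887
"""


@dataclass
class Rule:
    source: ipaddress.IPv4Network   # source/mask, e.g. 0.0.0.0/0.0.0.0 matches everything
    destinations: list              # [(address, port), ...]


def parse_destination(spec):
    """'10.50.30.74/9996' -> ('10.50.30.74', 9996); rejects malformed entries early."""
    addr, sep, port = spec.rpartition("/")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad destination {spec!r}: expected address/port")
    return str(ipaddress.IPv4Address(addr)), int(port)


def parse_config(text):
    """Parse 'source/mask:dest/port [dest/port ...]' lines; '#' starts a comment."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, sep, rest = line.partition(":")   # IPv4 only, so ':' is the separator
        if not sep or not rest.split():
            raise ValueError(f"line {lineno}: expected source/mask:dest/port ...")
        # strict=False lets a host entry such as 172.16.4.23/255.255.255.255 parse,
        # and turns a wider mask into the (address AND mask) network samplicator compares.
        network = ipaddress.IPv4Network(src.strip(), strict=False)
        rules.append(Rule(network, [parse_destination(d) for d in rest.split()]))
    return rules


def destinations_for(rules, src_ip):
    """Destinations for a packet from src_ip. Assumption: every matching rule applies."""
    ip = ipaddress.IPv4Address(src_ip)
    matches = []
    for rule in rules:
        if ip in rule.source:
            matches.extend(rule.destinations)
    return matches


def forwarding_loops(rules, listen_port, local_addresses):
    """Destinations that point back at this relay's own listener.

    With -S the relayed packet keeps its original source address, so the
    relay would accept its own output and forward it again: a loop.
    """
    local = {ipaddress.IPv4Address(a) for a in local_addresses}
    return [d for r in rules for d in r.destinations
            if ipaddress.IPv4Address(d[0]) in local and d[1] == listen_port]


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    for exporter in ("192.0.2.10", "172.16.4.23"):
        print(exporter, "->", destinations_for(rules, exporter))
    print("loops:", forwarding_loops(rules, 8885, {"10.50.30.74"}))
```

Run it as-is to see that the all-zeros rule sends anything to both collectors, while 172.16.4.23 additionally hits the two hosts on its own line; point forwarding_loops at your relay's addresses and the -p port from the init script before adding a new destination.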

Next time, I’ll go over the whole reason for all of this netflow business: nfsen and nfdump.
