nBox: an Embedded NetFlow v5 Probe

Many nProbe users have realized that running a probe on a PC is not always the best choice, for several reasons:

  1. PCs have moving parts that can break, making the probe unavailable.
  2. PCs are large and need monitors and keyboards, whereas probes often need to be deployed in places where there is not much space available.
  3. Administering PCs is not cheap, and they require the purchase of an OS, its installation and maintenance.
  4. In large networks divided into several trunks it is necessary to have several probes, each analyzing a trunk. This requires that multiple PCs running nProbe are deployed across the network.
  5. The cost (for both hardware and maintenance) of a PC+nProbe is not negligible, in particular if several probes need to be deployed.

If you do not want to bother with installing nProbe on a PC, you are probably an nBox user: nBox is a low-cost, small form factor computer with no moving parts and nProbe on board, easy to administer using the embedded web interface.

Main Features

Performance

Although an embedded system might seem unsuitable for running a network probe, the nBox has been successfully used for monitoring various networks including DSL and Ethernet. nBox is able to handle several thousand packets/sec thanks to its dual CPU that decouples the I/O from the packet processing.
Usually nBox is placed either on a mirrored port or next to the border gateway (e.g. a hub can be used to duplicate the traffic from/to the Ethernet port of the gateway). Thanks to its low cost, remote maintenance and lack of moving parts, nBox is the ideal choice for adding NetFlow support to your existing network without the need to purchase or replace your existing router/switch or to allocate a PC for this task.

Usage

nBox is a small form factor computer sporting two PowerPC CPUs and based on Linux. It includes nProbe tailored for the box and easily configurable using the embedded web server. nBox installation is very simple: find an empty power socket and an Ethernet cable on which the traffic to analyze is flowing. Connect them to nBox and wait until nBox starts up, usually within 30 seconds. When the nBox is ready to use you will see the RDY LED on.

At this point you can access nBox using one of the following methods: SSH, telnet, http/https or the serial cable you received with nBox. Remember that the nBox is basically a Linux box with nProbe embedded. As this computer has no moving parts, you can plug/unplug it as you want without losing any data.

Although the box can be administered as a normal Linux box using command line tools, the best way to do this is by means of the embedded web interface. To access the web console, point your web browser to https://192.168.160.10 (if you want you can also use http://192.168.160.10).

At this point you can log in and administer your box. The user interface is divided into two parts: a column on the left that contains all the available options and a central panel that allows the parameters for the selected option to be tuned. The interface enables users to control all the parameters of the box, ranging from a simple IP address change to complex firewall rule configuration to restrict access to the box. The following figure shows the nProbe configuration page.

All the nProbe options can be controlled via the web interface without the burden of command line editors and configuration files. There is no difference between the nProbe you download and install on a PC and the one contained in nBox. If you want, you can start the nProbe that's part of nBox by opening a connection to the nBox (e.g. using SSH) and starting it from the command line.

Any standard NetFlow collector (e.g. ntop, Cisco FlowCollector, or HP-OV) can be used to analyse the flows generated by nBox. When used with ntop, nProbe can act as a remote, lightweight traffic probe, and ntop as a central network monitoring console.

Availability

nBox is available under the GPL licence for a small fee. Currently there are two nBox versions available:

  1. Software
    You purchase a Cyclades TS100 box from your local reseller and upload the nBox firmware yourself (this is an operation that can be performed by any user in less than a minute).

  2. Hardware
    We can provide you with an nBox with the firmware uploaded. If interested, please drop us a mail specifying the number of units you would like to purchase.

If you want to test drive nBox yourself, find a Cyclades TS100 box, download the nBox firmware, upload it onto the box (see the User's Guide) and you're done within a couple of minutes.

FAQ

  1. Q: Is the nBox source code available?
    A: Yes, of course, as nProbe is GPL.

  2. Q: What do I need in order to build the nBox firmware?
    A: You need an x86 RedHat Linux PC and some expertise, as you're cross-compiling code for a different box with little memory and disk (flash memory actually).

  3. Q: What do you do with the money you get charging for nBox?
    A: This money is invested in research on the ntop, nProbe and nBox projects.

Credits

NetFlow is copyright Cisco Systems.


© 2003 - ntop.org