nBox: an Embedded NetFlow v5 Probe
Many nProbe users realized that running a probe on a PC is not always the best choice for several reasons:
Main Features
Performance
Although an embedded system might seem unsuitable for running a network probe, the nBox has been successfully used for monitoring various networks including DSL and Ethernet. nBox is able to handle several thousand packets/sec thanks to its dual CPU that decouples the I/O from the packet processing.
Usually nBox is placed either on a mirrored port or next to the border gateway (e.g. a hub can be used to duplicate the traffic from/to the Ethernet port of the gateway). Due to its low cost, remote maintenance, and lack of moving parts, nBox is the ideal choice for adding NetFlow support to your existing network without the need to purchase or replace your existing router/switch or to allocate a PC for this task.
Usage
nBox is a small form factor computer sporting two PowerPC CPUs and based on Linux. It includes nProbe tailored for the box and easily configurable using the embedded web server. nBox installation is very simple: find an empty power socket and an Ethernet cable on which the traffic to analyze is flowing. Connect them to nBox and wait until nBox starts up, usually within 30 seconds. When the nBox is ready to use, you will see the RDY LED on.
At this point you can access nBox using one of the following methods: SSH, telnet, http/https or the serial cable you received with nBox. Remember that the nBox is basically a Linux box with nProbe embedded. As this computer has no moving parts, you can plug/unplug it as you want without losing any data. Although the box can be administered as a normal Linux box using command line tools, the best way to do this is by means of the embedded web interface. To access the web console, point your web browser to https://192.168.160.10 (if you want you can also use http://192.168.160.10).
At this point you can log in and administer your box. The user interface is divided into two parts: a column on the left that contains all the available options and a central panel that allows parameters for the selected option to be tuned. The interface enables users to control all the parameters of the box, ranging from a simple IP address change to complex firewall rules configuration to restrict access to the box. The following figure shows the nProbe configuration page.
All the nProbe options can be controlled via the web interface without the burden of command line editors and configuration files. There is no difference between the nProbe you download and install on a PC and the one contained in nBox. If you want, you can start the nProbe that is part of nBox by opening a connection to the nBox (e.g. using SSH) and starting it from the command line.
Any standard NetFlow collector (e.g. ntop, Cisco FlowCollector, or HP-OV) can be used to analyse the flows generated by nBox. When used with ntop, the nProbe can act as a remote and lightweight traffic probe, and ntop as a central network monitoring console.
Availability
nBox is available under the GPL licence for a small fee. Currently there are two nBox versions available:
If you want to test drive nBox yourself, find a Cyclades TS100 box, download the nBox firmware, upload it onto the box (see the User's Guide) and you're done within a couple of minutes.
FAQ
Credits
NetFlow is copyright Cisco Systems.