Introducing a new project that I’ve been working on: Roneo the NetFlow Duplicator.
It is essentially a very simple, fast UDP traffic forwarder written in Python, designed to forward NetFlow/sFlow traffic. You might know that I work with vRealize Network Insight a lot, which ingests NetFlow data. Some NetFlow devices have limitations (vSphere Distributed Switch can only send to one collector, and some other devices have the same limitation), which makes a duplicator necessary when the flows need to go to multiple systems.
Why something new?
I’ve written about sending NetFlow to multiple collectors before, using Samplicator. I was using it before I went in this direction, and it’s fine for simple deployments. There were a few reasons to create Roneo: Samplicator was buckling a bit under high loads, and it interprets the NetFlow packets and resends them after inspection. The latter was causing issues when receiving flow records that had modified headers. Some vendors (like VMware’s VeloCloud and NSX) are putting more information into the flow records (like round-trip latency, firewall rule information, etc.), and that information gets lost if the record does not follow NetFlow standards.
Network Insight also derives some information from the IP address that’s sending the flow record. Roneo uses IP spoofing to make sure the source IP address is preserved.
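The forwarding approach described above, as an added example that is not Roneo's own code: the flow datagram is treated as opaque bytes and re-wrapped in IPv4/UDP headers that keep the exporter's address as the source, once per collector. The function names, addresses and sample payload are constructed for illustration; actually transmitting such packets needs a raw socket and elevated privileges, which this sketch leaves out.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, payload: bytes) -> bytes:
    """Wrap an unparsed flow datagram in IPv4+UDP headers, keeping the exporter as source."""
    (src_ip, src_port), (dst_ip, dst_port) = src, dst
    saddr, daddr = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # The UDP checksum covers a pseudo-header (addresses, protocol, length) plus the segment.
    pseudo = saddr + daddr + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_sum = checksum(pseudo + udp + payload) or 0xFFFF  # 0 on the wire means "no checksum"
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_sum)
    # Version 4, IHL 5, TTL 64, checksum field zero until computed below.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     socket.IPPROTO_UDP, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + udp + payload


def duplicate(payload: bytes, exporter, collectors):
    """One packet per collector; the payload bytes are copied, never interpreted."""
    return [build_packet(exporter, c, payload) for c in collectors]


# Constructed sample: a NetFlow v9-style header followed by vendor bytes a parser might drop.
SAMPLE = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 42, 7) + b"\xde\xad\xbe\xef"
EXPORTER = ("192.0.2.10", 50000)  # documentation-range addresses, constructed
COLLECTORS = [("198.51.100.1", 2055), ("198.51.100.2", 9995)]

if __name__ == "__main__":
    for pkt in duplicate(SAMPLE, EXPORTER, COLLECTORS):
        print(socket.inet_ntoa(pkt[12:16]), "->", socket.inet_ntoa(pkt[16:20]), len(pkt), "bytes")
```

Networks that enforce source-address validation (uRPF, BCP 38) between the duplicator and a collector will drop packets built this way, so the duplicator has to sit on a path where the exporter's address is accepted as a source.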
Roneo?
The name comes from the old Roneograph machine, which was basically a copier with a single drum (single drum pertaining to UDP). I had to name it something. 😉
Downloading & Installing
The source and the instructions on how to install, configure and run it are available on GitHub: https://github.com/smitmartijn/roneo-netflow-duplicator